From e2c0c9d6da90a9d72226a372fd03f13e20d88c93 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Mon, 13 Jan 2025 15:03:17 -0600 Subject: [PATCH 001/940] Update README.md --- README.md | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 180508b68..965fa47a7 100644 --- a/README.md +++ b/README.md @@ -2,15 +2,13 @@ Welcome to the Amazon EKS User Guide repository. This repository contains the open source version of the [Amazon EKS User Guide](https://docs.aws.amazon.com/eks/latest/userguide/). -## Important Update +## New Contribution Experience -This repository will be temporarily taken down to prepare for a new contributor experience. The repository will return at the same url by mid-November. +You can now edit the EKS User Guide source directly. The AsciiDoc markup language meets the needs of the AWS Platform, while also being easy to learn. -## New Contribution Experience Coming Soon +Use the "Edit this page on GitHub" links in the right sidebar of the EKS User Guide to submit changes. -We are temporarily taking down the current GitHub repository to prepare for an enhanced contribution experience. The new version will be available in mid-November with the following improvements: - -- **AsciiDoc-Powered Documentation**: The guide will use AsciiDoc, an intuitive yet powerful authoring language similar to Markdown that offers: +- **AsciiDoc-Powered Documentation**: The docs now use AsciiDoc, an intuitive yet powerful authoring language similar to Markdown that offers: - Advanced formatting capabilities - Robust cross-referencing - Enhanced security controls @@ -26,9 +24,7 @@ We are temporarily taking down the current GitHub repository to prepare for an e For more information about the new experience, see [Contribute](https://docs.aws.amazon.com/eks/latest/userguide/contribute.html) in the Amazon EKS User Guide. -We look forward to your contributions when we launch the new GitHub experience. The improved platform will make it easier than ever to help us enhance the Amazon EKS documentation. - - +We look forward to your contributions with the new GitHub experience. The improved platform makes it easier than ever to help us enhance the Amazon EKS documentation. ## License Summary From cc148bc1df20a9d4083ff63df50124798955ddd1 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Mon, 13 Jan 2025 16:33:18 -0600 Subject: [PATCH 002/940] add github sync script --- github-sync.sh | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100755 github-sync.sh diff --git a/github-sync.sh b/github-sync.sh new file mode 100755 index 000000000..09d716db6 --- /dev/null +++ b/github-sync.sh @@ -0,0 +1,71 @@ +#!/bin/bash + +set -e # Exit on any error + +# Color codes for output +RED='\033[0;31m' +GREEN='\033[0;32m' +YELLOW='\033[1;33m' +NC='\033[0m' # No Color + +# Helper function for printing status messages +print_status() { + echo -e "${GREEN}==>${NC} $1" +} + +print_warning() { + echo -e "${YELLOW}Warning:${NC} $1" +} + +print_error() { + echo -e "${RED}Error:${NC} $1" + exit 1 +} + +# Check if we're in a git repository +if ! git rev-parse --is-inside-work-tree > /dev/null 2>&1; then + print_error "Not in a git repository" +fi + +# Check if both remotes exist +if ! git remote | grep -q "^origin$"; then + print_error "Remote 'origin' not found" +fi + +if ! git remote | grep -q "^github$"; then + print_error "Remote 'github' not found" +fi + +# Check for uncommitted changes +if ! git diff-index --quiet HEAD --; then + print_warning "You have uncommitted changes. Please commit or stash them before syncing." + exit 1 +fi + +# Store current branch +current_branch=$(git symbolic-ref --short HEAD) + +print_status "Fetching from github remote..." +if ! git fetch github; then + print_error "Failed to fetch from github remote" +fi + +print_status "Attempting to merge github/mainline..." +if ! git merge github/mainline --no-edit; then + print_error "Merge failed. Please resolve conflicts and try again" +fi + +print_status "Pushing changes to github..." +if ! git push github; then + print_error "Failed to push to github remote" +fi + +# If we got here, everything worked +print_status "Successfully synced mainline branch between remotes!" + +# Optional: Return to original branch if we weren't on mainline +if [ "$current_branch" != "mainline" ]; then + print_status "Returning to branch '$current_branch'..." + git checkout "$current_branch" +fi + From a87180c22ad96263e5a1b85ce30abd77393e056d Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Mon, 13 Jan 2025 16:33:41 -0600 Subject: [PATCH 003/940] add github sync notes --- team/squish.adoc | 126 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 126 insertions(+) create mode 100644 team/squish.adoc diff --git a/team/squish.adoc b/team/squish.adoc new file mode 100644 index 000000000..0804b43e5 --- /dev/null +++ b/team/squish.adoc @@ -0,0 +1,126 @@ += AmazonEKSDocs Git History Squish Procedure +:toc: + +== Overview +This procedure outlines the steps to clear the history of the "mainline" branch while maintaining a backup. The backup branch will be named with the current date (e.g., `13JAN2025-mainline`). + +== Prerequisites +* Ensure you have the latest version of the repository +* Have appropriate permissions to push to mainline +* Verify you can build and deploy to alpha environment + +== How to: Squish + +* Only one person needs to do the branch work +* Then everyone needs to reset mainline on their devices + +=== Initial Setup Steps + +[source,bash] +---- +# Sync and checkout mainline: +git fetch origin +git checkout mainline +git pull origin mainline + +# Create a backup branch: +git checkout -b 13JAN2025-mainline +git push origin 13JAN2025-mainline +---- + +=== History Clean-up Steps + +[source,bash] +---- +# Create new orphan branch: +git checkout --orphan new/mainline + +# Stage and commit all files: +git add . +git commit -m "Fresh start: History squish for mainline branch" +---- + +Verify build functionality: +* Build the project locally + +[source,bash] +---- +# Push the new branch: +git push origin new/mainline +---- + +NOTE: If a branch with this name already exists, deprecate it first + +Deploy to alpha environment. Verify all functionality works as expected. + +=== Production Switch + +. After alpha verification, deprecate mainline on code.amazon.com + +[source,bash] +---- +# Clean up local branches: +git branch -D mainline +git checkout new/mainline + +# Rename and establish new mainline: +git checkout -b mainline +git push origin mainline +---- + +=== Troubleshooting +* If you encounter push errors, ensure you've properly deprecated the old branches +* If build fails, verify all files were properly carried over in the orphan branch +* For any issues, consult with the team lead before proceeding + +=== Rollback Plan +If issues arise, the backup branch (`13JAN2025-mainline`) can be used to restore the previous state. + +== How to: update local copy + +All team members must execute these steps to sync with the new mainline: + +[source,bash] +---- +# Switch to the new branch structure: +git checkout new/mainline + +# Remove old mainline reference: +git branch -D mainline + +# Update and switch to new mainline: +git fetch +git checkout mainline +---- + +== How to: Deprecate branch of code.amazon.com + +. Open package on code.amazon.com +. In Repo info tab, scroll down to "Deprecate branch" dropdown menu +. Select the name of the branch and choose deprecate + +NOTE: The branch is just archived and hidden, and it can be restored. + +== How to: Add github remote + +Ensure your SSH is configured with GitHub + +[source,bash] +---- +git remote add github git@github.com:awsdocs/amazon-eks-user-guide.git +---- + + +== How to: Merge in GitHub changes + +[source,bash] +---- +git fetch github/mainline +---- + +== How to: Publish changes to github + +[source,bash] +---- +git push github +---- \ No newline at end of file From bc1f4e1bcf60eedc668f88b9f1a004fe173254ff Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Mon, 13 Jan 2025 16:41:11 -0600 Subject: [PATCH 004/940] update addons and contribute --- latest/ug/contribute/contribute.adoc | 17 +++++++++++++---- .../workloads-add-ons-available-vendors.adoc | 4 +++- 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/latest/ug/contribute/contribute.adoc b/latest/ug/contribute/contribute.adoc index fa868a907..048684b19 100644 --- a/latest/ug/contribute/contribute.adoc +++ b/latest/ug/contribute/contribute.adoc @@ -5,16 +5,25 @@ include::../attributes.txt[] -{aws} is building an improved contribution experience for the EKS User Guide. +{aws} has launched an improved contribution experience for the EKS User Guide. -The previous GitHub repository at `awsdocs/amazon-eks-user-guide` is temporarily unavailable while we prepare the new contribution system. +You can now edit the EKS User Guide source directly on GitHub. -The updated experience will use AsciiDoc, a powerful authoring language similar to markdown. AsciiDoc combines simple syntax with enterprise documentation features like advanced formatting, cross-referencing, and security controls. +The docs now use AsciiDoc, a powerful authoring language similar to markdown. AsciiDoc combines simple syntax with enterprise documentation features like advanced formatting, cross-referencing, and security controls. -When the EKS User Guide returns to GitHub in mid-November, you'll be able to edit the documentation source files directly. Our streamlined process includes: +You can now edit the EKS Docs directly on GitHub. Our streamlined process includes: * Faster pull request processing * Reduced manual steps * Automated content quality checks We look forward to your contributions. + +*To edit a single page from a web browser* + +. Navigate to the page in the EKS User Guide +. Select *Edit this page on GitHub* in the right sidebar +. Open the GitHub editor: press `e` or select *Edit in Place* from the pencil icon dropdown menu +. Make your edits, and then select *Commit changes...* +** Confirm your email and include a short description of the changes + diff --git a/latest/ug/workloads/workloads-add-ons-available-vendors.adoc b/latest/ug/workloads/workloads-add-ons-available-vendors.adoc index 1b5d266f5..cb0604fd0 100644 --- a/latest/ug/workloads/workloads-add-ons-available-vendors.adoc +++ b/latest/ug/workloads/workloads-add-ons-available-vendors.adoc @@ -1,11 +1,13 @@ //!!NODE_ROOT
+include::../attributes.txt[] + [.topic] [[workloads-add-ons-available-vendors,workloads-add-ons-available-vendors.title]] = {aws} Marketplace add-ons :info_titleabbrev: Marketplace add-ons -include::../attributes.txt[] + [abstract] From 2a096ecd72aedc2333e61897686725be3a3c7d05 Mon Sep 17 00:00:00 2001 From: lyuin Date: Tue, 14 Jan 2025 13:01:29 +0900 Subject: [PATCH 005/940] Update updating-an-add-on.adoc --- latest/ug/workloads/updating-an-add-on.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/workloads/updating-an-add-on.adoc b/latest/ug/workloads/updating-an-add-on.adoc index 56f8714e1..6902fc9a1 100644 --- a/latest/ug/workloads/updating-an-add-on.adoc +++ b/latest/ug/workloads/updating-an-add-on.adoc @@ -113,7 +113,7 @@ NOTE: Retaining the default role name enables EKS to pre-select the role for add ... For add-ons that do not have *Requires subscription* under *Status* and where you want to configure roles using IRSA, see the documentation for the add-on that you're creating to create an IAM policy and attach it to a role. For a list of add-ons, see <>. Selecting an IAM role requires that you have an IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you have one for your cluster, or to create one, see <>. .. Expand the *Optional configuration settings*. -.. In *Configuration values*, enter any add-on specific configuration information. For more information, see the documentation for the add-on that you're updating. For a list of add-ons, see <>... For *Conflict resolution method*, select one of the options. If you have set custom values for add-on settings, we recommend the *Preserve* option. If you don't choose this option, Amazon EKS overwrites your values with its default values. If you use this option, then we recommend that you test any field and value changes on a non-production cluster before updating the add-on on your production cluster. +.. In *Configuration values*, enter any add-on specific configuration information. For more information, see the documentation for the add-on that you're updating. For a list of add-ons, see <>... For *Conflict resolution method*, select one of the options. If you have set custom values for add-on settings, we recommend the *Preserve* option. If you don't choose this option, Amazon EKS overwrites your values with its default values. If you use this option, then we recommend that you test any field and value changes on a non-production cluster before updating the add-on on your production cluster. If you change this value to overwrite, all settings are changed to Amazon EKS default values. If you've set custom values for any settings, they might be overwritten with Amazon EKS default values. If you change this value to none, Amazon EKS doesn't change the value of any settings, but the update might fail. If the update fails, you receive an error message to help you resolve the conflict. . Choose *Save changes*. From de0a8e346abd4555a13ca9e97bed38de126a8082 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Tue, 14 Jan 2025 11:23:32 -0600 Subject: [PATCH 006/940] add callout for SLRs to cluster create --- latest/ug/clusters/create-cluster.adoc | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/latest/ug/clusters/create-cluster.adoc b/latest/ug/clusters/create-cluster.adoc index db3350e77..dbbd39f77 100644 --- a/latest/ug/clusters/create-cluster.adoc +++ b/latest/ug/clusters/create-cluster.adoc @@ -73,6 +73,16 @@ Attach the Amazon EKS managed policy named link:aws-managed-policy/latest/refer aws iam attach-role-policy --policy-arn {arn-aws}iam::aws:policy/AmazonEKSClusterPolicy --role-name myAmazonEKSClusterRole ---- +=== Service Linked Role + +Amazon EKS automatically creates a service linked role called `AWSServiceRoleForAmazonEKS`. + +This is in addition to the cluster IAM role. A service-linked role is a unique type of IAM role that is linked directly to Amazon EKS. The role allows Amazon EKS to manage clusters in your account. For more information, see <>. + +The IAM Identity you use to create the EKS cluster must have permission to create the service-linked role. This includes the `iam:CreateServiceLinkedRole` permission. + +If the service linked role doesn't already exist, and your current IAM role doesn't have sufficient permissions to create it, the cluster create operation will fail. + == Step 2: Create cluster You can create a cluster by using: From e51af0e0cdb864aa04a46e537db772fa328bfd4b Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Tue, 14 Jan 2025 21:27:34 +0000 Subject: [PATCH 007/940] fixup sync script --- github-sync.sh | 55 +++++++++++++++++++++++++++++++++----------------- 1 file changed, 36 insertions(+), 19 deletions(-) diff --git a/github-sync.sh b/github-sync.sh index 09d716db6..d980ede3f 100755 --- a/github-sync.sh +++ b/github-sync.sh @@ -2,6 +2,9 @@ set -e # Exit on any error +# Configuration +GITHUB_SSH_URL="git@github.com:awsdocs/amazon-eks-user-guide.git" + # Color codes for output RED='\033[0;31m' GREEN='\033[0;32m' @@ -27,45 +30,59 @@ if ! git rev-parse --is-inside-work-tree > /dev/null 2>&1; then print_error "Not in a git repository" fi -# Check if both remotes exist +# Check if current branch is mainline +current_branch=$(git symbolic-ref --short HEAD) +if [ "$current_branch" != "mainline" ]; then + print_error "Must be on 'mainline' branch to sync. Currently on '$current_branch'" +fi + +# Check for origin remote if ! git remote | grep -q "^origin$"; then print_error "Remote 'origin' not found" fi +# Check for github remote, add if missing if ! git remote | grep -q "^github$"; then - print_error "Remote 'github' not found" + print_status "Github remote not found. Adding it..." + if ! git remote add github "$GITHUB_SSH_URL"; then + print_error "Failed to add github remote" + fi fi -# Check for uncommitted changes -if ! git diff-index --quiet HEAD --; then - print_warning "You have uncommitted changes. Please commit or stash them before syncing." - exit 1 +# Test GitHub authentication +print_status "Testing GitHub authentication..." +if ! git ls-remote github &>/dev/null; then + print_error "GitHub authentication failed. Please check your SSH keys and permissions" fi -# Store current branch -current_branch=$(git symbolic-ref --short HEAD) +# Check for uncommitted changes + if ! git diff-index --quiet HEAD --; then + print_warning "You have uncommitted changes. Please commit or stash them before syncing." + exit 1 + fi print_status "Fetching from github remote..." if ! git fetch github; then - print_error "Failed to fetch from github remote" + print_error "Failed to fetch from github remote. Check your internet connection and repository permissions" fi print_status "Attempting to merge github/mainline..." if ! git merge github/mainline --no-edit; then - print_error "Merge failed. Please resolve conflicts and try again" + print_warning "Merge conflicts detected. Please:" + echo "1. Resolve the conflicts" + echo "2. Complete the merge with 'git commit'" + echo "3. Run this script again to finish syncing" + exit 1 fi print_status "Pushing changes to github..." if ! git push github; then - print_error "Failed to push to github remote" + print_error "Failed to push to github remote. Possible causes:" + echo "- You don't have push permissions" + echo "- The remote branch is protected" + echo "- There are new changes on the remote that you need to pull first" + exit 1 fi # If we got here, everything worked -print_status "Successfully synced mainline branch between remotes!" - -# Optional: Return to original branch if we weren't on mainline -if [ "$current_branch" != "mainline" ]; then - print_status "Returning to branch '$current_branch'..." - git checkout "$current_branch" -fi - +print_status "Successfully synced mainline branch between remotes!" \ No newline at end of file From 7d238a2c9532df16bb5d4669bd4409e35a5a0bb6 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Tue, 14 Jan 2025 16:02:59 -0600 Subject: [PATCH 008/940] update code owners --- CODEOWNERS | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/CODEOWNERS b/CODEOWNERS index f0fc64426..62a690ef7 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,13 +1,14 @@ # default rule, unless a more specific rule applies -* @eks-admins +* @awsdocs/eks-admins # lower approval for specific non-content folders /.vscode/ fincd@amazon.com # default rule for user guide -/latest/ug/ @eks-contributors +/latest/ug/ @awsdocs/eks-contributors # guide section assignments +/latest/ug/automode/ gcline@amazon.com /latest/ug/clusters/ gcline@amazon.com /latest/ug/manage-access/ gcline@amazon.com /latest/ug/workloads/ gcline@amazon.com From 2bde6535f353737a28c27fee6015e7fa6764f6e6 Mon Sep 17 00:00:00 2001 From: abroodav Date: Wed, 15 Jan 2025 09:17:15 +1100 Subject: [PATCH 009/940] Update auto-troubleshoot.adoc Add troubleshooting for pods not scheduling to automode nodes and automode node not joining cluster --- latest/ug/automode/auto-troubleshoot.adoc | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/latest/ug/automode/auto-troubleshoot.adoc b/latest/ug/automode/auto-troubleshoot.adoc index ee9897bfc..311a9375a 100644 --- a/latest/ug/automode/auto-troubleshoot.adoc +++ b/latest/ug/automode/auto-troubleshoot.adoc @@ -86,3 +86,22 @@ You can use the {aws} console to view the status of resources associated with {y Look for errors related to your EKS cluster. Use the error messages to update your EKS access entries, Cluster IAM Role, or Node IAM Role. You may need to attach a new policy these roles with permissions for {eam}. //Ensure you are running the latest version of the {aws} CLI, eksctl, etc. + +== Pod failing to schedule onto Auto Mode node + +If pods are not being scheduled onto an auto mode node, verify if your pod/deployment manifest has a **nodeSelector**. If a nodeSelector is present, please ensure it is using `eks.amazonaws.com/compute-type: auto` to allow it to be scheduled. See <>. + +== Node not joining cluster + +Run `kubectl get nodeclaim` to check for nodeclaims that are Ready = False. + +Proceed to run `kubectl describe nodeclaim ` and look under *Status* to find any issues preventing the node from joining the cluster. +Some issues you may come across: + +- "Error getting launch template configs" + +You may receive this error if you are setting custom tags in the NodeClass with the default cluster IAM role permissions. See <>. + +- "Error creating fleet" + +There may be some authorization issue with calling the RunInstances API call. Check CloudTrail for errors and see <> for the required IAM permissions. From bcd5e2701da16af3b9ad6eb3c63394bce57ed4ed Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Tue, 14 Jan 2025 16:43:52 -0600 Subject: [PATCH 010/940] fixup syntax --- latest/ug/automode/auto-troubleshoot.adoc | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/latest/ug/automode/auto-troubleshoot.adoc b/latest/ug/automode/auto-troubleshoot.adoc index 311a9375a..8ecefb740 100644 --- a/latest/ug/automode/auto-troubleshoot.adoc +++ b/latest/ug/automode/auto-troubleshoot.adoc @@ -93,15 +93,13 @@ If pods are not being scheduled onto an auto mode node, verify if your pod/deplo == Node not joining cluster -Run `kubectl get nodeclaim` to check for nodeclaims that are Ready = False. +Run `kubectl get nodeclaim` to check for nodeclaims that are `Ready = False`. Proceed to run `kubectl describe nodeclaim ` and look under *Status* to find any issues preventing the node from joining the cluster. -Some issues you may come across: -- "Error getting launch template configs" +*Common error messages:* -You may receive this error if you are setting custom tags in the NodeClass with the default cluster IAM role permissions. See <>. - -- "Error creating fleet" - -There may be some authorization issue with calling the RunInstances API call. Check CloudTrail for errors and see <> for the required IAM permissions. +* "Error getting launch template configs" +** You may receive this error if you are setting custom tags in the NodeClass with the default cluster IAM role permissions. See <>. +* "Error creating fleet" +** There may be some authorization issue with calling the RunInstances API call. Check CloudTrail for errors and see <> for the required IAM permissions. From 6e131b616b35854a7049c0c121414f49b9aa9d1d Mon Sep 17 00:00:00 2001 From: ad1mohan Date: Wed, 15 Jan 2025 22:23:26 +0530 Subject: [PATCH 011/940] Updated BootstrapArguments section in outposts/eks-outposts-self-managed-nodes.adoc --- .../ug/outposts/eks-outposts-self-managed-nodes.adoc | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc index d16c40965..8a82eeff5 100644 --- a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc +++ b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc @@ -115,6 +115,17 @@ NOTE: If you don't provide a key pair here, the {aws} CloudFormation stack creat ---- --b64-cluster-ca ${CLUSTER_CA} --apiserver-endpoint https://${APISERVER_ENDPOINT} --enable-local-outpost true --cluster-id ${CLUSTER_ID} ---- +To retrieve the values for `CLUSTER_CA`, `APISERVER_ENDPOINT`, and `CLUSTER_ID` of your Amazon EKS local cluster, run the following AWS CLI commands. Replace cluster-name with the name of your cluster and region (for example, us-east-1) with your cluster’s AWS Region. ++ +[source,bash,subs="verbatim,attributes"] +---- +echo "CLUSTER_CA=$(aws eks describe-cluster --name cluster-name --region region --query cluster.certificateAuthority.data --output text)" + +echo "APISERVER_ENDPOINT=$(aws eks describe-cluster --name cluster-name --region region --query cluster.endpoint --output text)" + +echo "CLUSTER_ID=$(aws eks describe-cluster --name cluster-name --region region --query cluster.id --output text)" +---- + ** *DisableIMDSv1*: By default, each node supports the Instance Metadata Service Version 1 (IMDSv1) and IMDSv2. You can disable IMDSv1. To prevent future nodes and [.noloc]`Pods` in the node group from using IMDSv1, set *DisableIMDSv1* to *true*. For more information about IMDS, see link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html[Configuring the instance metadata service,type="documentation"]. For more information about restricting access to it on your nodes, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. ** *VpcId*: Enter the ID for the <> that you created. Before choosing a VPC, review <>. ** *Subnets*: If your cluster is on an Outpost, then choose at least one private subnet in your VPC. Before choosing subnets, review <>. You can see which subnets are private by opening each subnet link from the *Networking* tab of your cluster. From 44643b84e1cba4cbdefa3f1b164f5db666510d94 Mon Sep 17 00:00:00 2001 From: carlosbravoa Date: Wed, 15 Jan 2025 15:52:28 -0300 Subject: [PATCH 012/940] Update launch-node-ubuntu.adoc Removing `ami: auto-ssm` as it makes "think" eksctl that it is a custom ami, throwing an error (needing `overrideBootstrapCommand`) ``` Error: nodeGroups[0].overrideBootstrapCommand is required when using a custom AMI based on Ubuntu2204 (nodeGroups[0].ami) ``` --- latest/ug/nodes/launch-node-ubuntu.adoc | 1 - 1 file changed, 1 deletion(-) diff --git a/latest/ug/nodes/launch-node-ubuntu.adoc b/latest/ug/nodes/launch-node-ubuntu.adoc index 35909f2a2..4ad3cf064 100644 --- a/latest/ug/nodes/launch-node-ubuntu.adoc +++ b/latest/ug/nodes/launch-node-ubuntu.adoc @@ -64,7 +64,6 @@ nodeGroups: instanceType: m5.large desiredCapacity: 3 amiFamily: Ubuntu2204 - ami: auto-ssm iam: attachPolicyARNs: - {arn-aws}iam::aws:policy/AmazonEKSWorkerNodePolicy From 80be4b6b9a387997a32a6acc049177e0592d0a97 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Wed, 15 Jan 2025 15:42:11 -0600 Subject: [PATCH 013/940] update platform version table for add-ons --- latest/ug/workloads/eks-add-ons.adoc | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/latest/ug/workloads/eks-add-ons.adoc b/latest/ug/workloads/eks-add-ons.adoc index dc97b1b77..0ad07fb1d 100644 --- a/latest/ug/workloads/eks-add-ons.adoc +++ b/latest/ug/workloads/eks-add-ons.adoc @@ -39,13 +39,20 @@ Consider the following when you use Amazon EKS add-ons: * If you create a cluster with the {aws-management-console}, the Amazon EKS `kube-proxy`, [.noloc]`Amazon VPC CNI plugin for Kubernetes`, and [.noloc]`CoreDNS` Amazon EKS add-ons are automatically added to your cluster. If you use `eksctl` to create your cluster with a `config` file, `eksctl` can also create the cluster with Amazon EKS add-ons. If you create your cluster using `eksctl` without a `config` file or with any other tool, the self-managed `kube-proxy`, [.noloc]`Amazon VPC CNI plugin for Kubernetes`, and [.noloc]`CoreDNS` add-ons are installed, rather than the Amazon EKS add-ons. You can either manage them yourself or add the Amazon EKS add-ons manually after cluster creation. Regardless of the method that you use to create your cluster, the VPC CNI add-on doesn't install on hybrid nodes. * The `eks:addon-cluster-admin` `ClusterRoleBinding` binds the `cluster-admin` `ClusterRole` to the `eks:addon-manager` [.noloc]`Kubernetes` identity. The role has the necessary permissions for the `eks:addon-manager` identity to create [.noloc]`Kubernetes` namespaces and install add-ons into namespaces. If the `eks:addon-cluster-admin` `ClusterRoleBinding` is removed, the Amazon EKS cluster will continue to function, however Amazon EKS is no longer able to manage any add-ons. All clusters starting with the following platform versions use the new `ClusterRoleBinding`. * A subset of EKS add-ons from {aws} have been validated for compatibility with Amazon EKS Hybrid Nodes. For more information, see the compatibility table on <>. -+ + +=== Required platform version + +Review the table to determine the minimum required platform version to use this feature with your cluster. You can use the listed platform version, or a more recent platform version. For example, if the table lists "eks.14" you can use platform version "eks.15". For more information, see <>. + [cols="1,1", options="header"] |=== |Kubernetes version |EKS platform version +|1.25 or newer +|All platform versions + |1.20 |eks.12 From f5e8ce194b7f82854c1841233b3b0fcfd94aac19 Mon Sep 17 00:00:00 2001 From: Vela Wu Date: Wed, 15 Jan 2025 23:11:23 +0000 Subject: [PATCH 014/940] update kubelet binary according to the MCM cr: https://code.amazon.com/reviews/CR-172230233 --- .../ug/getting-started/install-kubectl.adoc | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/latest/ug/getting-started/install-kubectl.adoc b/latest/ug/getting-started/install-kubectl.adoc index 384eb84c5..4dc27d89c 100644 --- a/latest/ug/getting-started/install-kubectl.adoc +++ b/latest/ug/getting-started/install-kubectl.adoc @@ -76,37 +76,37 @@ Install or update `kubectl` on one of the following operating systems: + [source,bash,subs="verbatim,attributes"] ---- -curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.32.0/2024-12-20/bin/darwin/amd64/kubectl +curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.32.0/2025-01-10/bin/darwin/amd64/kubectl ---- **** [.noloc]`Kubernetes` `1.31` + [source,bash,subs="verbatim,attributes"] ---- -curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.31.3/2024-12-12/bin/darwin/amd64/kubectl +curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.31.4/2025-01-10/bin/darwin/amd64/kubectl ---- **** [.noloc]`Kubernetes` `1.30` + [source,bash,subs="verbatim,attributes"] ---- -curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.30.7/2024-12-12/bin/darwin/amd64/kubectl +curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.30.8/2025-01-10/bin/darwin/amd64/kubectl ---- **** [.noloc]`Kubernetes` `1.29` + [source,bash,subs="verbatim,attributes"] ---- -curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.29.10/2024-12-12/bin/darwin/amd64/kubectl +curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.29.12/2025-01-10/bin/darwin/amd64/kubectl ---- **** [.noloc]`Kubernetes` `1.28` + [source,bash,subs="verbatim,attributes"] ---- -curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.28.15/2024-12-12/bin/darwin/amd64/kubectl +curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.28.15/2025-01-10/bin/darwin/amd64/kubectl ---- **** [.noloc]`Kubernetes` `1.27` + [source,bash,subs="verbatim,attributes"] ---- -curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.27.16/2024-12-12/bin/darwin/amd64/kubectl +curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.27.16/2025-01-10/bin/darwin/amd64/kubectl ---- **** [.noloc]`Kubernetes` `1.26` + @@ -152,37 +152,37 @@ curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.21.14/2024-09-11/bin/dar + [source,bash,subs="verbatim,attributes"] ---- -curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.32.0/2024-12-20/bin/darwin/amd64/kubectl.sha256 +curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.32.0/2025-01-10/bin/darwin/amd64/kubectl.sha256 ---- ***** [.noloc]`Kubernetes` `1.31` + [source,bash,subs="verbatim,attributes"] ---- -curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.31.3/2024-12-12/bin/darwin/amd64/kubectl.sha256 +curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.31.4/2025-01-10/bin/darwin/amd64/kubectl.sha256 ---- ***** [.noloc]`Kubernetes` `1.30` + [source,bash,subs="verbatim,attributes"] ---- -curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.30.7/2024-12-12/bin/darwin/amd64/kubectl.sha256 +curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.30.8/2025-01-10/bin/darwin/amd64/kubectl.sha256 ---- ***** [.noloc]`Kubernetes` `1.29` + [source,bash,subs="verbatim,attributes"] ---- -curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.29.10/2024-12-12/bin/darwin/amd64/kubectl.sha256 +curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.29.12/2025-01-10/bin/darwin/amd64/kubectl.sha256 ---- ***** [.noloc]`Kubernetes` `1.28` + [source,bash,subs="verbatim,attributes"] ---- -curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.28.15/2024-12-12/bin/darwin/amd64/kubectl.sha256 +curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.28.15/2025-01-10/bin/darwin/amd64/kubectl.sha256 ---- ***** [.noloc]`Kubernetes` `1.27` + [source,bash,subs="verbatim,attributes"] ---- -curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.27.16/2024-12-12/bin/darwin/amd64/kubectl.sha256 +curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.27.16/2025-01-10/bin/darwin/amd64/kubectl.sha256 ---- ***** [.noloc]`Kubernetes` `1.26` + From 70a9d5033ab7424b8a4d5bb814b83a6d1892eca2 Mon Sep 17 00:00:00 2001 From: Kulwant Singh Date: Mon, 13 Jan 2025 17:03:23 -0800 Subject: [PATCH 015/940] Release CVE patched AMIs CVE-2024-9042 --- latest/ug/nodes/eks-ami-versions-windows.adoc | 120 ++++++++++++++++++ 1 file changed, 120 insertions(+) diff --git a/latest/ug/nodes/eks-ami-versions-windows.adoc b/latest/ug/nodes/eks-ami-versions-windows.adoc index a858c1a0d..68392ce8d 100644 --- a/latest/ug/nodes/eks-ami-versions-windows.adoc +++ b/latest/ug/nodes/eks-ami-versions-windows.adoc @@ -52,6 +52,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.31-2025-01-01` +|`1.31.4` +|`1.7.20` +|`1.1.3` +|Includes patches for `CVE-2024-9042`. + |`1.31-2024.12.13` |`1.31.3` |`1.7.20` @@ -93,6 +99,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.30-2025-01-01` +|`1.30.8` +|`1.7.14` +|`1.1.3` +|Includes patches for `CVE-2024-9042`. + |`1.30-2024.12.11` |`1.30.7` |`1.7.14` @@ -152,6 +164,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.29-2025.01.01` +|`1.29.12` +|`1.7.14` +|`1.1.3` +|Includes patches for `CVE-2024-9042`. + |`1.29-2024.12.11` |`1.29.10` |`1.7.14` @@ -241,6 +259,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.28-2025-01-01` +|`1.28.15` +|`1.7.14` +|`1.1.3` +|Includes patches for `CVE-2024-9042`. + |`1.28-2024.12.11` |`1.28.15` |`1.7.14` @@ -354,6 +378,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.27-2025-01-01` +|`1.27.16` +|`1.7.14` +|`1.1.3` +|Includes patches for `CVE-2024-9042`. + |`1.27-2024.12.11` |`1.27.16` |`1.7.14` @@ -1036,6 +1066,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.31-2025-01-01` +|`1.31.4` +|`1.7.20` +|`1.1.3` +|Includes patches for `CVE-2024-9042`. + |`1.31-2024.12.13` |`1.31.3` |`1.7.20` @@ -1078,6 +1114,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.30-2025-01-01` +|`1.30.8` +|`1.7.14` +|`1.1.3` +|Includes patches for `CVE-2024-9042`. + |`1.30-2024.12.11` |`1.30.7` |`1.7.14` @@ -1138,6 +1180,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.29-2025.01.01` +|`1.29.12` +|`1.7.14` +|`1.1.3` +|Includes patches for `CVE-2024-9042`. + |`1.29-2024.12.11` |`1.29.10` |`1.7.14` @@ -1228,6 +1276,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.28-2025-01-01` +|`1.28.15` +|`1.7.14` +|`1.1.3` +|Includes patches for `CVE-2024-9042`. + |`1.28-2024.12.11` |`1.28.15` |`1.7.14` @@ -1342,6 +1396,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.27-2025-01-01` +|`1.27.16` +|`1.7.14` +|`1.1.3` +|Includes patches for `CVE-2024-9042`. + |`1.27-2024.12.11` |`1.27.16` |`1.7.14` @@ -2027,6 +2087,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.31-2025-01-01` +|`1.31.4` +|`1.7.20` +|`1.1.3` +|Includes patches for `CVE-2024-9042`. + |`1.31-2024.12.13` |`1.31.3` |`1.7.20` @@ -2069,6 +2135,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.30-2025-01-01` +|`1.30.8` +|`1.7.14` +|`1.1.3` +|Includes patches for `CVE-2024-9042`. + |`1.30-2024.12.11` |`1.30.7` |`1.7.14` @@ -2129,6 +2201,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.29-2025.01.01` +|`1.29.12` +|`1.7.14` +|`1.1.3` +|Includes patches for `CVE-2024-9042`. + |`1.29-2024.12.11` |`1.29.10` |`1.7.14` @@ -2219,6 +2297,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.28-2025-01-01` +|`1.28.15` +|`1.7.14` +|`1.1.3` +|Includes patches for `CVE-2024-9042`. + |`1.28-2024.12.11` |`1.28.15` |`1.7.14` @@ -2333,6 +2417,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.27-2025-01-01` +|`1.27.16` +|`1.7.14` +|`1.1.3` +|Includes patches for `CVE-2024-9042`. + |`1.27-2024.12.11` |`1.27.16` |`1.7.14` @@ -3018,6 +3108,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.31-2025-01-01` +|`1.31.4` +|`1.7.20` +|`1.1.3` +|Includes patches for `CVE-2024-9042`. + |`1.31-2024.12.13` |`1.31.3` |`1.7.20` @@ -3060,6 +3156,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.30-2025-01-01` +|`1.30.8` +|`1.7.14` +|`1.1.3` +|Includes patches for `CVE-2024-9042`. + |`1.30-2024.12.11` |`1.30.7` |`1.7.14` @@ -3120,6 +3222,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.29-2025.01.01` +|`1.29.12` +|`1.7.14` +|`1.1.3` +|Includes patches for `CVE-2024-9042`. + |`1.29-2024.12.11` |`1.29.10` |`1.7.14` @@ -3210,6 +3318,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.28-2025-01-01` +|`1.28.15` +|`1.7.14` +|`1.1.3` +|Includes patches for `CVE-2024-9042`. + |`1.28-2024.12.11` |`1.28.15` |`1.7.14` @@ -3324,6 +3438,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.27-2025-01-01` +|`1.27.16` +|`1.7.14` +|`1.1.3` +|Includes patches for `CVE-2024-9042`. + |`1.27-2024.12.11` |`1.27.16` |`1.7.14` From bba392141c844fad758e805cd47b68aa9fe74b2f Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Tue, 14 Jan 2025 11:18:51 -0800 Subject: [PATCH 016/940] Sort add-on container images by region Regions are alphabetized by name, not region code. --- latest/ug/workloads/add-ons-images.adoc | 78 +++++++++++++------------ 1 file changed, 40 insertions(+), 38 deletions(-) diff --git a/latest/ug/workloads/add-ons-images.adoc b/latest/ug/workloads/add-ons-images.adoc index 001cfc823..88c2ff184 100644 --- a/latest/ug/workloads/add-ons-images.adoc +++ b/latest/ug/workloads/add-ons-images.adoc @@ -8,6 +8,7 @@ include::../attributes.txt[] When you deploy <> to your cluster, your nodes pull the required container images from the registry specified in the installation mechanism for the add-on, such as an installation manifest or a Helm `values.yaml` file. The images are pulled from an Amazon EKS Amazon ECR private repository. Amazon EKS replicates the images to a repository in each Amazon EKS supported {aws} Region. Your nodes can pull the container image over the internet from any of the following registries. Alternatively, your nodes can pull the image over Amazon's network if you created an link:AmazonECR/latest/userguide/vpc-endpoints.html[interface VPC endpoint for Amazon ECR ({aws} PrivateLink),type="documentation"] in your VPC. The registries require authentication with an {aws} IAM account. Your nodes authenticate using the <>, which has the permissions in the link:aws-managed-policy/latest/reference/AmazonEC2ContainerRegistryReadOnly.html[AmazonEC2ContainerRegistryReadOnly,type="documentation"] managed IAM policy associated to it. +[role="no-scroll"] [cols="1,1", options="header"] |=== |{aws} Region @@ -20,20 +21,23 @@ When you deploy <> to |ap-east-1 |800184023465.dkr.ecr.ap-east-1.amazonaws.com -|ap-northeast-1 -|602401143452.dkr.ecr.ap-northeast-1.amazonaws.com +|ap-southeast-3 +|296578399912.dkr.ecr.ap-southeast-3.amazonaws.com -|ap-northeast-2 -|602401143452.dkr.ecr.ap-northeast-2.amazonaws.com +|ap-south-2 +|900889452093.dkr.ecr.ap-south-2.amazonaws.com -|ap-northeast-3 -|602401143452.dkr.ecr.ap-northeast-3.amazonaws.com +|ap-southeast-4 +|491585149902.dkr.ecr.ap-southeast-4.amazonaws.com |ap-south-1 |602401143452.dkr.ecr.ap-south-1.amazonaws.com -|ap-south-2 -|900889452093.dkr.ecr.ap-south-2.amazonaws.com +|ap-northeast-3 +|602401143452.dkr.ecr.ap-northeast-3.amazonaws.com + +|ap-northeast-2 +|602401143452.dkr.ecr.ap-northeast-2.amazonaws.com |ap-southeast-1 |602401143452.dkr.ecr.ap-southeast-1.amazonaws.com @@ -41,17 +45,8 @@ When you deploy <> to |ap-southeast-2 |602401143452.dkr.ecr.ap-southeast-2.amazonaws.com -|ap-southeast-3 -|296578399912.dkr.ecr.ap-southeast-3.amazonaws.com - -|ap-southeast-4 -|491585149902.dkr.ecr.ap-southeast-4.amazonaws.com - -|ca-central-1 -|602401143452.dkr.ecr.ca-central-1.amazonaws.com - -|ca-west-1 -|761377655185.dkr.ecr.ca-west-1.amazonaws.com +|ap-northeast-1 +|602401143452.dkr.ecr.ap-northeast-1.amazonaws.com |cn-north-1 |918309763551.dkr.ecr.cn-north-1.amazonaws.com.cn @@ -62,26 +57,26 @@ When you deploy <> to |eu-central-1 |602401143452.dkr.ecr.eu-central-1.amazonaws.com -|eu-central-2 -|900612956339.dkr.ecr.eu-central-2.amazonaws.com +|eu-west-1 +|602401143452.dkr.ecr.eu-west-1.amazonaws.com -|eu-north-1 -|602401143452.dkr.ecr.eu-north-1.amazonaws.com +|eu-west-2 +|602401143452.dkr.ecr.eu-west-2.amazonaws.com |eu-south-1 |590381155156.dkr.ecr.eu-south-1.amazonaws.com +|eu-west-3 +|602401143452.dkr.ecr.eu-west-3.amazonaws.com + |eu-south-2 |455263428931.dkr.ecr.eu-south-2.amazonaws.com -|eu-west-1 -|602401143452.dkr.ecr.eu-west-1.amazonaws.com - -|eu-west-2 -|602401143452.dkr.ecr.eu-west-2.amazonaws.com +|eu-north-1 +|602401143452.dkr.ecr.eu-north-1.amazonaws.com -|eu-west-3 -|602401143452.dkr.ecr.eu-west-3.amazonaws.com +|eu-central-2 +|900612956339.dkr.ecr.eu-central-2.amazonaws.com |il-central-1 |066635153087.dkr.ecr.il-central-1.amazonaws.com @@ -92,24 +87,31 @@ When you deploy <> to |me-central-1 |759879836304.dkr.ecr.me-central-1.amazonaws.com -|sa-east-1 -|602401143452.dkr.ecr.sa-east-1.amazonaws.com - |us-east-1 |602401143452.dkr.ecr.us-east-1.amazonaws.com |us-east-2 |602401143452.dkr.ecr.us-east-2.amazonaws.com +|us-west-1 +|602401143452.dkr.ecr.us-west-1.amazonaws.com + +|us-west-2 +|602401143452.dkr.ecr.us-west-2.amazonaws.com + +|ca-central-1 +|602401143452.dkr.ecr.ca-central-1.amazonaws.com + +|ca-west-1 +|761377655185.dkr.ecr.ca-west-1.amazonaws.com + +|sa-east-1 +|602401143452.dkr.ecr.sa-east-1.amazonaws.com + |us-gov-east-1 |151742754352.dkr.ecr.us-gov-east-1.amazonaws.com |us-gov-west-1 |013241004608.dkr.ecr.us-gov-west-1.amazonaws.com -|us-west-1 -|602401143452.dkr.ecr.us-west-1.amazonaws.com - -|us-west-2 -|602401143452.dkr.ecr.us-west-2.amazonaws.com |=== From 8a124e7afd4294e8a61a87617730bd4ebf387a38 Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Tue, 14 Jan 2025 19:23:20 -0800 Subject: [PATCH 017/940] Add new regions ap-southeast-7, mx-central-1 --- latest/ug/automode/create-auto.adoc | 2 +- latest/ug/automode/migrate-auto.adoc | 2 +- latest/ug/doc-history.adoc | 4 ++++ latest/ug/security/security-eks.adoc | 8 +++----- latest/ug/workloads/add-ons-images.adoc | 6 ++++++ 5 files changed, 15 insertions(+), 7 deletions(-) diff --git a/latest/ug/automode/create-auto.adoc b/latest/ug/automode/create-auto.adoc index 10221587f..4237fb19f 100644 --- a/latest/ug/automode/create-auto.adoc +++ b/latest/ug/automode/create-auto.adoc @@ -25,7 +25,7 @@ This chapter explains how to create an Amazon EKS cluster with Auto Mode enabled [NOTE] ==== -EKS Auto Mode requires Kubernetes version 1.29 or greater. +EKS Auto Mode requires Kubernetes version 1.29 or greater. EKS Auto Mode isn't available in the `ap-southeast-7` or `mx-central-1` {aws} Regions. ==== diff --git a/latest/ug/automode/migrate-auto.adoc b/latest/ug/automode/migrate-auto.adoc index fe53704b7..8be336791 100644 --- a/latest/ug/automode/migrate-auto.adoc +++ b/latest/ug/automode/migrate-auto.adoc @@ -22,7 +22,7 @@ You can enable EKS Auto Mode on existing EKS Clusters. [NOTE] ==== -EKS Auto Mode requires Kubernetes version 1.29 or greater. +EKS Auto Mode requires Kubernetes version 1.29 or greater. EKS Auto Mode isn't available in the `ap-southeast-7` or `mx-central-1` {aws} Regions. ==== *{aws} supports the following migrations:* diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index cdacfe8e2..4ba153e50 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -31,6 +31,10 @@ The following table describes the major updates and new features for the Amazon [.updates] == Updates +[.update,date="2025-01-14"] +=== Amazon EKS {aws} Region expansion +Amazon EKS is now available in the Asia Pacific (Thailand) Region (`ap-southeast-7`) and Mexico (Central) (`mx-central-1`) {aws} Regions. EKS Auto Mode and VPC Endpoints for the EKS API aren't available in either Region. + [.update,date="2025-01-13"] === {aws} managed policy updates [.update-ulink] diff --git a/latest/ug/security/security-eks.adoc b/latest/ug/security/security-eks.adoc index 1211a1dfa..16f8d901e 100644 --- a/latest/ug/security/security-eks.adoc +++ b/latest/ug/security/security-eks.adoc @@ -84,7 +84,7 @@ For more information, see link:vpc/latest/privatelink/privatelink-access-aws-ser * You can access the Amazon EKS APIs from an on-premises data center by connecting it to a VPC that has an interface endpoint. You can use {aws} Direct Connect or {aws} Site-to-Site VPN to connect your on-premises sites to a VPC. * You can connect other VPCs to the VPC with an interface endpoint using an {aws} Transit Gateway or VPC peering. VPC peering is a networking connection between two VPCs. You can establish a VPC peering connection between your VPCs, or with a VPC in another account. The VPCs can be in different {aws} Regions. Traffic between peered VPCs stays on the {aws} network. The traffic doesn't traverse the public internet. A Transit Gateway is a network transit hub that you can use to interconnect VPCs. Traffic between a VPC and a Transit Gateway remains on the {aws} global private network. The traffic isn't exposed to the public internet. * Before August 2024, VPC interface endpoints for Amazon EKS were only accessible over `IPv4` using `eks.[.replaceable]``region``.amazonaws.com`. New VPC interface endpoints that are made after August 2024 use dual-stack of `IPv4` and `IPv6` IP addresses and both DNS names: `eks.[.replaceable]``region``.amazonaws.com` and `eks.[.replaceable]``region``.api.aws`. -* {aws} PrivateLink support for the EKS API isn't available in the Asia Pacific (Malaysia) {aws} Region. {aws} PrivateLink support for `eks-auth` for EKS Pod Identity is available in the Asia Pacific (Malaysia) {aws} Region. +* {aws} PrivateLink support for the EKS API isn't available in the Asia Pacific (Malaysia) (`ap-southeast-5`), Asia Pacific (Thailand) (`ap-southeast-7`), and Mexico (Central) (`mx-central-1`) {aws} Regions. {aws} PrivateLink support for `eks-auth` for EKS Pod Identity is available in the the Asia Pacific (Malaysia) (`ap-southeast-5`) Region. [[vpc-endpoint-create,vpc-endpoint-create.title]] @@ -94,14 +94,12 @@ You can create an interface endpoint for Amazon EKS using either the Amazon VPC Create an interface endpoint for Amazon EKS using the following service names: - - -* +* EKS API [source,none,subs="verbatim,attributes"] ---- com.amazonaws.region-code.eks ---- -* +* EKS Auth API (EKS Pod Identity) [source,none,subs="verbatim,attributes"] ---- com.amazonaws.region-code.eks-auth diff --git a/latest/ug/workloads/add-ons-images.adoc b/latest/ug/workloads/add-ons-images.adoc index 88c2ff184..9266005ea 100644 --- a/latest/ug/workloads/add-ons-images.adoc +++ b/latest/ug/workloads/add-ons-images.adoc @@ -45,6 +45,9 @@ When you deploy <> to |ap-southeast-2 |602401143452.dkr.ecr.ap-southeast-2.amazonaws.com +| ap-southeast-7 +| 121268973566.dkr.ecr.ap-southeast-7.amazonaws.com + |ap-northeast-1 |602401143452.dkr.ecr.ap-northeast-1.amazonaws.com @@ -81,6 +84,9 @@ When you deploy <> to |il-central-1 |066635153087.dkr.ecr.il-central-1.amazonaws.com +|mx-central-1 +|730335286997.dkr.ecr.mx-central-1.amazonaws.com + |me-south-1 |558608220178.dkr.ecr.me-south-1.amazonaws.com From 7dcb51ae79fca7165377cfeedd67e8bea950bf39 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Wed, 15 Jan 2025 20:31:55 -0600 Subject: [PATCH 018/940] Update retreive-iam-info.adoc (#832) --- latest/ug/workloads/retreive-iam-info.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/workloads/retreive-iam-info.adoc b/latest/ug/workloads/retreive-iam-info.adoc index 4ec80c3e0..44d154d2e 100644 --- a/latest/ug/workloads/retreive-iam-info.adoc +++ b/latest/ug/workloads/retreive-iam-info.adoc @@ -132,8 +132,8 @@ The following table indicates if certain Amazon EKS add-ons support EKS Pod Iden | N/A | xref:amazon-cloudwatch-observability[Amazon CloudWatch Observability agent] -| No -| N/A +| Yes +| v3.1.0-eksbuild.1 |=== From 713762f595f11509e94e6bec2a8715f0c270b2fa Mon Sep 17 00:00:00 2001 From: Chris Negus Date: Thu, 16 Jan 2025 15:39:33 +0000 Subject: [PATCH 019/940] Updated getting-started-console.adoc to remove steps for Fargate --- .../getting-started-console.adoc | 145 +++--------------- 1 file changed, 20 insertions(+), 125 deletions(-) diff --git a/latest/ug/getting-started/getting-started-console.adoc b/latest/ug/getting-started/getting-started-console.adoc index f593f89c3..e388fea82 100644 --- a/latest/ug/getting-started/getting-started-console.adoc +++ b/latest/ug/getting-started/getting-started-console.adoc @@ -20,9 +20,9 @@ Learn how to create your first Amazon EKS cluster with nodes using the {aws-mana [NOTE] ==== -This topic covers getting started *without* EKS Auto Mode. +This topic covers getting started *without* EKS Auto Mode. It uses Managed Node Groups to deploy nodes. -EKS Auto Mode automates routine tasks for cluster compute, storage, and networking. xref:getting-started-automode[Learn how to get started with Amazon EKS Auto Mode. ] +EKS Auto Mode automates routine tasks for cluster compute, storage, and networking. xref:getting-started-automode[Learn how to get started with Amazon EKS Auto Mode. ] EKS Auto Mode is the preferred method of deploying nodes. ==== This guide helps you to create all of the required resources to get started with Amazon Elastic Kubernetes Service (Amazon EKS) using the {aws-management-console} and the {aws} CLI. In this guide, you manually create each resource. At the end of this tutorial, you will have a running Amazon EKS cluster that you can deploy applications to. @@ -35,7 +35,6 @@ The procedures in this guide give you complete visibility into how each resource Before starting this tutorial, you must install and configure the following tools and resources that you need to create and manage an Amazon EKS cluster. - * *{aws} CLI* – A command line tool for working with {aws} services, including Amazon EKS. For more information, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. After installing the {aws} CLI, we recommend that you also configure it. For more information, see link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the {aws} Command Line Interface User Guide. Note that {aws} CLI v2 is required to use the *update-kubeconfig* option shown in this page. * *`kubectl`* @@ -62,15 +61,15 @@ To get started as simply and quickly as possible, this topic includes steps to c ==== . Create an Amazon VPC with public and private subnets that meets Amazon EKS requirements. Replace [.replaceable]`region-code` with any {aws} Region that is supported by Amazon EKS. For a list of {aws} Regions, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"] in the {aws} General Reference guide. You can replace [.replaceable]`my-eks-vpc-stack` with any name you choose. + -[source,bash,subs="verbatim,attributes"] +[source,bash,subs="verbatim,attributes,quotes"] ---- aws cloudformation create-stack \ - --region region-code \ + --region [.replaceable]`region-code` \ --stack-name my-eks-vpc-stack \ --template-url https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2020-10-29/amazon-eks-vpc-private-subnets.yaml ---- + -TIP: For a list of all the resources the previous command creates, open the {aws} CloudFormation console at link:cloudformation/[cloudformation,type="console"]. Choose the [.replaceable]`my-eks-vpc-stack` stack and then choose the *Resources* tab. +TIP: For a list of all the resources the previous command creates, open the {aws} CloudFormation console at https://console.aws.amazon.com/cloudformation/. Choose the [.replaceable]`my-eks-vpc-stack` stack and then choose the *Resources* tab. . Create a cluster IAM role and attach the required Amazon EKS IAM managed policy to it. [.noloc]`Kubernetes` clusters managed by Amazon EKS make calls to other {aws} services on your behalf to manage the resources that you use with the service. + .. Copy the following contents to a file named [.replaceable]`eks-cluster-role-trust-policy.json`. @@ -109,10 +108,11 @@ aws iam attach-role-policy \ . Open the Amazon EKS console at https://console.aws.amazon.com/eks/home#/clusters[https://console.aws.amazon.com/eks/home#/clusters]. + Make sure that the {aws} Region shown in the upper right of your console is the {aws} Region that you want to create your cluster in. If it's not, choose the dropdown next to the {aws} Region name and choose the {aws} Region that you want to use. -. Choose *Add cluster*, and then choose *Create*. If you don't see this option, then choose *Clusters* in the left navigation pane first. +. Choose *Create cluster*. If you don't see this option, then choose *Clusters* in the left navigation pane first. . On the *Configure cluster* page, do the following: + -.. Enter a *Name* for your cluster, such as `my-cluster`. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. +.. Select *Custom configuration* and disable *Use EKS Auto Mode*. (If you prefer an EKS Auto Mode cluster, refer instead to <>.) +.. Enter a *Name* for your cluster, such as [.replaceable]`my-cluster`. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. .. For *Cluster Service Role*, choose [.replaceable]`myAmazonEKSClusterRole`. .. Leave the remaining settings at their default values and choose *Next*. . On the *Specify networking* page, do the following: @@ -140,9 +140,9 @@ Before proceeding, be sure that your cluster creation completed successfully in . Create or update a `kubeconfig` file for your cluster. Replace [.replaceable]`region-code` with the {aws} Region that you created your cluster in. Replace [.replaceable]`my-cluster` with the name of your cluster. + -[source,bash,subs="verbatim,attributes"] +[source,bash,subs="verbatim,attributes,quotes"] ---- -aws eks update-kubeconfig --region region-code --name my-cluster +aws eks update-kubeconfig --region [.replaceable]`region-code` --name [.replaceable]`my-cluster` ---- + By default, the `config` file is created in `~/.kube` or the new cluster's configuration is added to an existing `config` file in `~/.kube`. @@ -170,119 +170,20 @@ svc/kubernetes ClusterIP 10.100.0.1 443/TCP 1m [IMPORTANT] ==== -To get started as simply and quickly as possible, this topic includes steps to create nodes with default settings. Before creating nodes for production use, we recommend that you familiarize yourself with all settings and deploy nodes with the settings that meet your requirements. For more information, see <>. Some settings can only be enabled when creating your nodes. +To get started as simply and quickly as possible, this topic includes steps to create nodes with mostly default settings. Before creating nodes for production use, we recommend that you familiarize yourself with all settings and deploy nodes with the settings that meet your requirements. For more information, see <>. Some settings can only be enabled when creating your nodes. ==== -You can create a cluster with one of the following node types. To learn more about each type, see <>. After your cluster is deployed, you can add other node types. +This procedure configures your cluster to use Managed node groups to create nodes, specifying the subnets and node IAM role that you created in previous steps. +It lets you run Amazon Linux applications on Amazon EC2 instances. -* *Fargate – [.noloc]``Linux``* – Choose this type of node if you want to run [.noloc]``Linux`` applications on <>. Fargate is a serverless compute engine that lets you deploy [.noloc]``Kubernetes``[.noloc]``Pods`` without managing Amazon EC2 instances. -* *Managed nodes – [.noloc]``Linux``* – Choose this type of node if you want to run Amazon Linux applications on Amazon EC2 instances. Though not covered in this guide, you can also add <> and <> nodes to your cluster. +To learn more about different ways to configure nodes in EKS, see <>. After your cluster is deployed, you can add other node types. Though not covered in this guide, you can also add <> and <> nodes to your cluster. -==== -[role="tablist"] -Fargate - [.noloc]`Linux`:: -Create a Fargate profile. When [.noloc]``Kubernetes``[.noloc]``Pods`` are deployed with criteria that matches the criteria defined in the profile, the [.noloc]``Pods`` are deployed to Fargate. -+ -*To create a Fargate profile* -+ -. Create an IAM role and attach the required Amazon EKS IAM managed policy to it. When your cluster creates [.noloc]``Pods`` on Fargate infrastructure, the components running on the Fargate infrastructure must make calls to {aws} APIs on your behalf. This is so that they can do actions such as pull container images from Amazon ECR or route logs to other {aws} services. The Amazon EKS [.noloc]``Pod`` execution role provides the IAM permissions to do this. - -.. Copy the following contents to a file named `pod-execution-role-trust-policy.json`. Replace [.replaceable]`region-code` with the {aws} Region that your cluster is in. If you want to use the same role in all {aws} Regions in your account, replace [.replaceable]`region-code` with `{asterisk}`. Replace [.replaceable]`111122223333` with your account ID and [.replaceable]`my-cluster` with the name of your cluster. If you want to use the same role for all clusters in your account, replace [.replaceable]`my-cluster` with `{asterisk}`. -+ -[source,json,subs="verbatim,attributes"] ----- -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Condition": { - "ArnLike": { - "aws:SourceArn": "{arn-aws}eks:region-code:111122223333:fargateprofile/my-cluster/*" - } - }, - "Principal": { - "Service": "eks-fargate-pods.amazonaws.com" - }, - "Action": "sts:AssumeRole" - } - ] -} ----- - -.. Create a [.noloc]``Pod`` execution IAM role. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws iam create-role \ - --role-name AmazonEKSFargatePodExecutionRole \ - --assume-role-policy-document file://"pod-execution-role-trust-policy.json" ----- - -.. Attach the required Amazon EKS managed IAM policy to the role. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws iam attach-role-policy \ - --policy-arn {arn-aws}iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy \ - --role-name AmazonEKSFargatePodExecutionRole ----- -.. Open the Amazon EKS console at https://console.aws.amazon.com/eks/home#/clusters[https://console.aws.amazon.com/eks/home#/clusters]. -.. On the *Clusters* page, choose the [.replaceable]`my-cluster` cluster. -.. On the *[.replaceable]`my-cluster`* page, do the following: -+ -.. Choose the *Compute* tab. -.. Under *Fargate Profiles*, choose *Add Fargate Profile*. -. On the *Configure Fargate Profile* page, do the following: -+ -.. For *Name*, enter a unique name for your Fargate profile, such as [.replaceable]`my-profile`. -.. For *Pod execution role*, choose the *AmazonEKSFargatePodExecutionRole* that you created in a previous step. -.. Choose the *Subnets* dropdown and deselect any subnet with `Public` in its name. Only private subnets are supported for [.noloc]``Pods`` that are running on Fargate. -.. Choose *Next*. -. On the *Configure [.noloc]``Pod`` selection* page, do the following: -+ -.. For *Namespace*, enter `default`. -.. Choose *Next*. -. On the *Review and create* page, review the information for your Fargate profile and choose *Create*. -. After a few minutes, the *Status* in the *Fargate Profile configuration* section will change from *Creating* to *Active*. Don't continue to the next step until the status is *Active*. -. If you plan to deploy all [.noloc]`Pods` to Fargate (none to Amazon EC2 nodes), do the following to create another Fargate profile and run the default name resolver ([.noloc]`CoreDNS`) on Fargate. -+ -NOTE: If you don't do this, you won't have any nodes at this time. -+ -.. On the *Fargate Profile* page, choose [.replaceable]`my-profile`. -.. Under *Fargate profiles*, choose *Add Fargate Profile*. -.. For *Name*, enter [.noloc]`CoreDNS`. -.. For *Pod execution role*, choose the *AmazonEKSFargatePodExecutionRole* that you created in a previous step. -.. Choose the *Subnets* dropdown and deselect any subnet with `Public` in its name. Only private subnets are supported for [.noloc]`Pods` running on Fargate. -.. Choose *Next*. -.. For *Namespace*, enter `kube-system`. -.. Choose *Match labels*, and then choose *Add label*. -.. Enter `k8s-app` for *Key* and `kube-dns` for value. This is necessary for the default name resolver ([.noloc]`CoreDNS`) to deploy to Fargate. -.. Choose *Next*. -.. On the *Review and create* page, review the information for your Fargate profile and choose *Create*. -.. Run the following command to remove the default `eks.amazonaws.com/compute-type : ec2` annotation from the [.noloc]`CoreDNS` [.noloc]`Pods`. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl patch deployment coredns \ - -n kube-system \ - --type json \ - -p='[{"op": "remove", "path": "/spec/template/metadata/annotations/eks.amazonaws.com~1compute-type"}]' ----- -+ -NOTE: The system creates and deploys two nodes based on the Fargate profile label you added. You won't see anything listed in *Node groups* because they aren't applicable for Fargate nodes, but you will see the new nodes listed in the *Overview* tab. - - -Managed nodes - [.noloc]`Linux`:: - -Create a managed node group, specifying the subnets and node IAM role that you created in previous steps. -+ *To create your {ec2} [.noloc]`Linux` managed node group* -+ + . Create a node IAM role and attach the required Amazon EKS IAM managed policy to it. The Amazon EKS node `kubelet` daemon makes calls to {aws} APIs on your behalf. Nodes receive permissions for these API calls through an IAM instance profile and associated policies. -+ + .. Copy the following contents to a file named `node-role-trust-policy.json`. + [source,json,subs="verbatim,attributes"] @@ -337,7 +238,6 @@ aws iam attach-role-policy \ . On the *Specify networking* page, accept the default values and choose *Next*. . On the *Review and create* page, review your managed node group configuration and choose *Create*. . After several minutes, the *Status* in the *Node Group configuration* section will change from *Creating* to *Active*. Don't continue to the next step until the status is *Active*. -==== [[gs-view-resources,gs-view-resources.title]] @@ -359,16 +259,13 @@ You can view your nodes and [.noloc]`Kubernetes` workloads. After you've finished with the cluster and nodes that you created for this tutorial, you should delete the resources that you created. If you want to do more with this cluster before you delete the resources, see <>. -. Delete any node groups or Fargate profiles that you created. +. Delete any node groups profiles that you created. + .. Open the Amazon EKS console at https://console.aws.amazon.com/eks/home#/clusters[https://console.aws.amazon.com/eks/home#/clusters]. .. In the left navigation pane, choose *Clusters*. In the list of clusters, choose [.replaceable]`my-cluster`. .. Choose the *Compute* tab. .. If you created a node group, choose the [.replaceable]`my-nodegroup` node group and then choose *Delete*. Enter [.replaceable]`my-nodegroup`, and then choose *Delete*. -.. For each Fargate profile that you created, choose it and then choose *Delete*. Enter the name of the profile, and then choose *Delete*. -+ -NOTE: When deleting a second Fargate profile, you may need to wait for the first one to finish deleting. -.. Don't continue until the node group or Fargate profiles are deleted. +.. Don't continue until the node group profiles are deleted. . Delete the cluster. + .. In the left navigation pane, choose *Clusters*. In the list of clusters, choose [.replaceable]`my-cluster`. @@ -376,14 +273,14 @@ NOTE: When deleting a second Fargate profile, you may need to wait for the first .. Enter [.replaceable]`my-cluster` and then choose *Delete*. Don't continue until the cluster is deleted. . Delete the VPC {aws} CloudFormation stack that you created. + -.. Open the link:cloudformation/[{aws} CloudFormation console,type="console"]. +.. Open the CloudFormation console at https://console.aws.amazon.com/cloudformation/. .. Choose the [.replaceable]`my-eks-vpc-stack` stack, and then choose *Delete*. .. In the *Delete [.replaceable]`my-eks-vpc-stack`* confirmation dialog box, choose *Delete stack*. . Delete the IAM roles that you created. + .. Open the IAM console at https://console.aws.amazon.com/iam/. .. In the left navigation pane, choose *Roles*. -.. Select each role you created from the list (*[.replaceable]`myAmazonEKSClusterRole`*, as well as *AmazonEKSFargatePodExecutionRole* or [.replaceable]`myAmazonEKSNodeRole`). Choose *Delete*, enter the requested confirmation text, then choose *Delete*. +.. Select each role you created from the list (*[.replaceable]`myAmazonEKSClusterRole`*, as well as [.replaceable]`myAmazonEKSNodeRole`). Choose *Delete*, enter the requested confirmation text, then choose *Delete*. [[gs-console-next-steps,gs-console-next-steps.title]] @@ -391,8 +288,6 @@ NOTE: When deleting a second Fargate profile, you may need to wait for the first The following documentation topics help you to extend the functionality of your cluster. - - * The link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that created the cluster is the only principal that can make calls to the [.noloc]`Kubernetes` API server with `kubectl` or the {aws-management-console}. If you want other IAM principals to have access to your cluster, then you need to add them. For more information, see <> and <>. * Deploy a <> to your cluster. * Before deploying a cluster for production use, we recommend familiarizing yourself with all of the settings for <> and <>. Some settings (such as enabling SSH access to Amazon EC2 nodes) must be made when the cluster is created. From 849f8bce0d9f8efd6993431129ba2c93355395ca Mon Sep 17 00:00:00 2001 From: Chris Negus Date: Thu, 16 Jan 2025 18:37:39 +0000 Subject: [PATCH 020/940] Fixed typo in auto-migrate-karpenter per https://t.corp.amazon.com/V1642215381 --- latest/ug/automode/auto-migrate-karpenter.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/automode/auto-migrate-karpenter.adoc b/latest/ug/automode/auto-migrate-karpenter.adoc index 081d52538..976ef7ee9 100644 --- a/latest/ug/automode/auto-migrate-karpenter.adoc +++ b/latest/ug/automode/auto-migrate-karpenter.adoc @@ -61,7 +61,7 @@ spec: effect: "NoSchedule" ``` -Update the requirements for the node pool to match the Karpenter configuration you are migrating form. You need at least one requirement. +Update the requirements for the node pool to match the Karpenter configuration you are migrating from. You need at least one requirement. ## Step 3: Update workloads for migration From 8e3c3a5b3e7d858ea5f5f1584ebcfea2471e50d5 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Thu, 16 Jan 2025 14:35:19 -0600 Subject: [PATCH 021/940] Update auto-troubleshoot.adoc --- latest/ug/automode/auto-troubleshoot.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/automode/auto-troubleshoot.adoc b/latest/ug/automode/auto-troubleshoot.adoc index 8ecefb740..aa301da42 100644 --- a/latest/ug/automode/auto-troubleshoot.adoc +++ b/latest/ug/automode/auto-troubleshoot.adoc @@ -83,7 +83,7 @@ You can use the {aws} console to view the status of resources associated with {y ** UnauthorizedOperation ** InvalidClientTokenId -Look for errors related to your EKS cluster. Use the error messages to update your EKS access entries, Cluster IAM Role, or Node IAM Role. You may need to attach a new policy these roles with permissions for {eam}. +Look for errors related to your EKS cluster. Use the error messages to update your EKS access entries, Cluster IAM Role, or Node IAM Role. You may need to attach a new policy to these roles with permissions for {eam}. //Ensure you are running the latest version of the {aws} CLI, eksctl, etc. From 9f11932dac90c2a9debd2eb710b350c1c38874d9 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Fri, 17 Jan 2025 00:04:11 +0000 Subject: [PATCH 022/940] Split up networking topic. --- .../ug/networking/alternate-cni-plugins.adoc | 59 + .../aws-load-balancer-controller.adoc | 78 + .../cni-custom-network-tutorial.adoc | 628 +++ latest/ug/networking/cni-custom-network.adoc | 36 + latest/ug/networking/cni-iam-role.adoc | 270 + .../cni-increase-ip-addresses-procedure.adoc | 227 + .../networking/cni-increase-ip-addresses.adoc | 65 + latest/ug/networking/cni-ipv6.adoc | 76 + .../cni-network-policy-configure.adoc | 305 ++ latest/ug/networking/cni-network-policy.adoc | 65 + .../ug/networking/coredns-add-on-create.adoc | 66 + .../coredns-add-on-self-managed-update.adoc | 132 + .../ug/networking/coredns-add-on-update.adoc | 79 + latest/ug/networking/coredns-autoscaling.adoc | 276 + latest/ug/networking/coredns-metrics.adoc | 17 + latest/ug/networking/deploy-ipv6-cluster.adoc | 507 ++ .../ug/networking/eks-networking-add-ons.adoc | 4600 +---------------- latest/ug/networking/eks-networking.adoc | 23 +- latest/ug/networking/external-snat.adoc | 54 + ...kube-proxy-add-on-self-managed-update.adoc | 110 + latest/ug/networking/lbc-helm.adoc | 179 + latest/ug/networking/lbc-manifest.adoc | 353 ++ latest/ug/networking/lbc-remove.adoc | 113 + latest/ug/networking/managing-coredns.adoc | 112 + latest/ug/networking/managing-kube-proxy.adoc | 93 + latest/ug/networking/managing-vpc-cni.adoc | 85 + .../ug/networking/network-policy-disable.adoc | 43 + .../pod-multiple-network-interfaces.adoc | 34 + .../networking/pod-networking-use-cases.adoc | 49 + .../networking/security-groups-for-pods.adoc | 74 + .../security-groups-pods-deployment.adoc | 95 + .../sg-pods-example-deployment.adoc | 212 + latest/ug/networking/vpc-add-on-create.adoc | 97 + .../vpc-add-on-self-managed-update.adoc | 75 + latest/ug/networking/vpc-add-on-update.adoc | 80 + 35 files changed, 4762 insertions(+), 4605 deletions(-) create mode 100644 latest/ug/networking/alternate-cni-plugins.adoc create mode 100644 latest/ug/networking/aws-load-balancer-controller.adoc create mode 100644 latest/ug/networking/cni-custom-network-tutorial.adoc create mode 100644 latest/ug/networking/cni-custom-network.adoc create mode 100644 latest/ug/networking/cni-iam-role.adoc create mode 100644 latest/ug/networking/cni-increase-ip-addresses-procedure.adoc create mode 100644 latest/ug/networking/cni-increase-ip-addresses.adoc create mode 100644 latest/ug/networking/cni-ipv6.adoc create mode 100644 latest/ug/networking/cni-network-policy-configure.adoc create mode 100644 latest/ug/networking/cni-network-policy.adoc create mode 100644 latest/ug/networking/coredns-add-on-create.adoc create mode 100644 latest/ug/networking/coredns-add-on-self-managed-update.adoc create mode 100644 latest/ug/networking/coredns-add-on-update.adoc create mode 100644 latest/ug/networking/coredns-autoscaling.adoc create mode 100644 latest/ug/networking/coredns-metrics.adoc create mode 100644 latest/ug/networking/deploy-ipv6-cluster.adoc create mode 100644 latest/ug/networking/external-snat.adoc create mode 100644 latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc create mode 100644 latest/ug/networking/lbc-helm.adoc create mode 100644 latest/ug/networking/lbc-manifest.adoc create mode 100644 latest/ug/networking/lbc-remove.adoc create mode 100644 latest/ug/networking/managing-coredns.adoc create mode 100644 latest/ug/networking/managing-kube-proxy.adoc create mode 100644 latest/ug/networking/managing-vpc-cni.adoc create mode 100644 latest/ug/networking/network-policy-disable.adoc create mode 100644 latest/ug/networking/pod-multiple-network-interfaces.adoc create mode 100644 latest/ug/networking/pod-networking-use-cases.adoc create mode 100644 latest/ug/networking/security-groups-for-pods.adoc create mode 100644 latest/ug/networking/security-groups-pods-deployment.adoc create mode 100644 latest/ug/networking/sg-pods-example-deployment.adoc create mode 100644 latest/ug/networking/vpc-add-on-create.adoc create mode 100644 latest/ug/networking/vpc-add-on-self-managed-update.adoc create mode 100644 latest/ug/networking/vpc-add-on-update.adoc diff --git a/latest/ug/networking/alternate-cni-plugins.adoc b/latest/ug/networking/alternate-cni-plugins.adoc new file mode 100644 index 000000000..0e4952c95 --- /dev/null +++ b/latest/ug/networking/alternate-cni-plugins.adoc @@ -0,0 +1,59 @@ +//!!NODE_ROOT
+[.topic] +[[alternate-cni-plugins,alternate-cni-plugins.title]] += Alternate CNI plugins for Amazon EKS clusters +:info_titleabbrev: Alternate CNI plugins + +include::../attributes.txt[] + +[abstract] +-- +Learn how to use alternate network and security plugins on Amazon EKS to customize networking for your [.noloc]`Kubernetes` clusters on Amazon EC2 nodes. +-- + +The https://github.com/aws/amazon-vpc-cni-plugins[Amazon VPC CNI plugin for Kubernetes] is the only CNI plugin supported by Amazon EKS with Amazon EC2 nodes. Amazon EKS supports the core capabilities of Cilium and Calico for Amazon EKS Hybrid Nodes. Amazon EKS runs upstream [.noloc]`Kubernetes`, so you can install alternate compatible CNI plugins to Amazon EC2 nodes in your cluster. If you have Fargate nodes in your cluster, the [.noloc]`Amazon VPC CNI plugin for Kubernetes` is already on your Fargate nodes. It's the only CNI plugin you can use with Fargate nodes. An attempt to install an alternate CNI plugin on Fargate nodes fails. + +If you plan to use an alternate CNI plugin on Amazon EC2 nodes, we recommend that you obtain commercial support for the plugin or have the in-house expertise to troubleshoot and contribute fixes to the CNI plugin project. + +Amazon EKS maintains relationships with a network of partners that offer support for alternate compatible CNI plugins. For details about the versions, qualifications, and testing performed, see the following partner documentation. + +[cols="1,1,1", options="header"] +|=== +|Partner +|Product +|Documentation + + +|Tigera +|https://www.tigera.io/partners/aws/[Calico] +|https://docs.projectcalico.org/getting-started/kubernetes/managed-public-cloud/eks[Installation instructions] + +|Isovalent +|https://cilium.io[Cilium] +|https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/[Installation instructions] + +|Juniper +|https://www.juniper.net/us/en/products/sdn-and-orchestration/contrail/cloud-native-contrail-networking.html[Cloud-Native Contrail Networking (CN2)] +|https://www.juniper.net/documentation/us/en/software/cn-cloud-native23.2/cn-cloud-native-eks-install-and-lcm/index.html[Installation instructions] + +|VMware +|https://antrea.io/[Antrea] +|https://antrea.io/docs/main/docs/eks-installation[Installation instructions] +|=== + +Amazon EKS aims to give you a wide selection of options to cover all use cases. + + +[[alternate-network-policy-plugins,alternate-network-policy-plugins.title]] +== Alternate compatible network policy plugins + +https://www.tigera.io/project-calico[Calico] is a widely adopted solution for container networking and security. Using [.noloc]`Calico` on EKS provides a fully compliant network policy enforcement for your EKS clusters. Additionally, you can opt to use [.noloc]`Calico's` networking, which conserve IP addresses from your underlying VPC. https://www.tigera.io/tigera-products/calico-cloud/[Calico Cloud] enhances the features of [.noloc]`Calico Open Source`, providing advanced security and observability capabilities. + +Traffic flow to and from [.noloc]`Pods` with associated security groups are not subjected to [.noloc]`Calico` network policy enforcement and are limited to Amazon VPC security group enforcement only. + +If you use [.noloc]`Calico` network policy enforcement, we recommend that you set the environment variable `ANNOTATE_POD_IP` to `true` to avoid a known issue with [.noloc]`Kubernetes`. To use this feature, you must add `patch` permission for pods to the `aws-node` [.noloc]`ClusterRole`. Note that adding patch permissions to the `aws-node` [.noloc]`DaemonSet` increases the security scope for the plugin. For more information, see https://github.com/aws/amazon-vpc-cni-k8s/?tab=readme-ov-file#annotate_pod_ip-v193[ANNOTATE_POD_IP] in the VPC CNI repo on GitHub. + +== Considerations for Amazon EKS Auto Mode + +Amazon EKS Auto Mode does not support alternate CNI plugins or network policy plugins. For more information, see <>. + diff --git a/latest/ug/networking/aws-load-balancer-controller.adoc b/latest/ug/networking/aws-load-balancer-controller.adoc new file mode 100644 index 000000000..b9238c1b1 --- /dev/null +++ b/latest/ug/networking/aws-load-balancer-controller.adoc @@ -0,0 +1,78 @@ +//!!NODE_ROOT
+include::../attributes.txt[] + +[.topic] +[[aws-load-balancer-controller,aws-load-balancer-controller.title]] += Route internet traffic with {aws} Load Balancer Controller +:info_titleabbrev: {aws} Load Balancer Controller + +include::lbc-helm.adoc[leveloffset=+1] + +include::lbc-manifest.adoc[leveloffset=+1] + +include::lbc-remove.adoc[leveloffset=+1] + +[abstract] +-- +Learn how to configure and use the [.noloc]`{aws} Load Balancer Controller` to expose [.noloc]`Kubernetes` cluster apps to the internet with {aws} Elastic Load Balancing for [.noloc]`Kubernetes` [.noloc]`services` and [.noloc]`ingresses`. +-- + +The [.noloc]`{aws} Load Balancer Controller` manages {aws} Elastic Load Balancers for a [.noloc]`Kubernetes` cluster. You can use the controller to expose your cluster apps to the internet. The controller provisions {aws} load balancers that point to cluster Service or Ingress resources. In other words, the controller creates a single IP address or DNS name that points to multiple pods in your cluster. + +image::images/lbc-overview.png["Architecture diagram. Illustration of traffic coming from internet users, to Amazon Load Balancer. Amazon Load Balancer distributes traffic to pods in the cluster.",scaledwidth=50%] + +The controller watches for [.noloc]`Kubernetes` [.noloc]`Ingress` or [.noloc]`Service` resources. In response, it creates the appropriate {aws} Elastic Load Balancing resources. You can configure the specific behavior of the load balancers by applying annotations to the [.noloc]`Kubernetes` resources. For example, you can attach {aws} security groups to load balancers using annotations. + +The controller provisions the following resources: + +*[.noloc]`Kubernetes` `Ingress`*:: +The LBC creates an link:elasticloadbalancing/latest/application/introduction.html[{aws} Application Load Balancer (ALB),type="documentation"] when you create a [.noloc]`Kubernetes` `Ingress`. https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/ingress/annotations/[Review the annotations you can apply to an Ingress resource.] + + +*[.noloc]`Kubernetes` service of the `LoadBalancer` type*:: +The LBC creates an link:elasticloadbalancing/latest/network/introduction.html[{aws} Network Load Balancer (NLB),type="documentation"]when you create a [.noloc]`Kubernetes` service of type `LoadBalancer`. https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/[Review the annotations you can apply to a Service resource.] ++ +In the past, the [.noloc]`Kubernetes` network load balancer was used for _instance_ targets, but the LBC was used for _IP_ targets. With the [.noloc]`{aws} Load Balancer Controller` version `2.3.0` or later, you can create NLBs using either target type. For more information about NLB target types, see link:elasticloadbalancing/latest/network/load-balancer-target-groups.html#target-type[Target type,type="documentation"] in the User Guide for Network Load Balancers. + +The controller is an https://github.com/kubernetes-sigs/aws-load-balancer-controller[open-source project] managed on [.noloc]`GitHub`. + +Before deploying the controller, we recommend that you review the prerequisites and considerations in <> and <>. In those topics, you will deploy a sample app that includes an {aws} load balancer. + + +[[lbc-overview,lbc-overview.title]] +== Install the controller + +You can use one of the following procedures to install the [.noloc]`{aws} Load Balancer Controller`: + + + +* If you are new to Amazon EKS we recommend that you use Helm for the installation because it simplifies the [.noloc]`{aws} Load Balancer Controller` installation. For more information, see <>. +* For advanced configurations, such as clusters with restricted network access to public container registries, use [.noloc]`Kubernetes` Manifests. For more information, see <>. + + +[[lbc-deprecated,lbc-deprecated.title]] +== Migrate from deprecated controller versions + +* If you have deprecated versions of the [.noloc]`{aws} Load Balancer Controller` installed, see <>. +* Deprecated versions cannot be upgraded. They must be removed and a current version of the [.noloc]`{aws} Load Balancer Controller` installed. ++ +[[lbc-deprecated-list]] +* Deprecated versions include: ++ +** {aws} ALB Ingress Controller for [.noloc]`Kubernetes` ("Ingress Controller"), a predecessor to the [.noloc]`{aws} Load Balancer Controller`. +** Any `0.1.[.replaceable]``x``` version of the [.noloc]`{aws} Load Balancer Controller` + + +[[lbc-legacy,lbc-legacy.title]] +== Legacy cloud provider + +[.noloc]`Kubernetes` includes a legacy cloud provider for {aws}. The legacy cloud provider is capable of provisioning {aws} load balancers, similar to the [.noloc]`{aws} Load Balancer Controller`. The legacy cloud provider creates Classic Load Balancers. If you do not install the [.noloc]`{aws} Load Balancer Controller`, [.noloc]`Kubernetes` will default to using the legacy cloud provider. You should install the [.noloc]`{aws} Load Balancer Controller` and avoid using the legacy cloud provider. + +[IMPORTANT] +==== + +In versions 2.5 and newer, the [.noloc]`{aws} Load Balancer Controller` becomes the default controller for [.noloc]`Kubernetes` _service_ resources with the `type: LoadBalancer` and makes an {aws} Network Load Balancer (NLB) for each service. It does this by making a mutating webhook for services, which sets the `spec.loadBalancerClass` field to `service.k8s.aws/nlb` for new services of `type: LoadBalancer`. You can turn off this feature and revert to using the https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/#legacy-cloud-provider[legacy Cloud Provider] as the default controller, by setting the helm chart value `enableServiceMutatorWebhook` to `false`. The cluster won't provision new Classic Load Balancers for your services unless you turn off this feature. Existing Classic Load Balancers will continue to work. + +==== + + diff --git a/latest/ug/networking/cni-custom-network-tutorial.adoc b/latest/ug/networking/cni-custom-network-tutorial.adoc new file mode 100644 index 000000000..b87d10f4e --- /dev/null +++ b/latest/ug/networking/cni-custom-network-tutorial.adoc @@ -0,0 +1,628 @@ +//!!NODE_ROOT
+[.topic] +[[cni-custom-network-tutorial,cni-custom-network-tutorial.title]] += Customize the secondary network interface in Amazon EKS nodes +:info_titleabbrev: Secondary network interface + +include::../attributes.txt[] + +[abstract] +-- +Learn how your [.noloc]`Pods` can use different security groups and subnets than the primary elastic network interface of the Amazon EC2 node that they run on. +-- + +Complete the following before you start the tutorial: + +* Review the considerations +* Familiarity with how the [.noloc]`Amazon VPC CNI plugin for Kubernetes` creates secondary network interfaces and assigns IP addresses to [.noloc]`Pods`. For more information, see https://github.com/aws/amazon-vpc-cni-k8s#eni-allocation[ENI Allocation] on [.noloc]`GitHub`. +* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. +* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. +* We recommend that you complete the steps in this topic in a Bash shell. If you aren't using a Bash shell, some script commands such as line continuation characters and the way variables are set and used require adjustment for your shell. Additionally, the quoting and escaping rules for your shell might be different. For more information, see link:cli/latest/userguide/cli-usage-parameters-quoting-strings.html[Using quotation marks with strings in the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. + +For this tutorial, we recommend using the [.replaceable]`example values`, except where it's noted to replace them. You can replace any [.replaceable]`example value` when completing the steps for a production cluster. We recommend completing all steps in the same terminal. This is because variables are set and used throughout the steps and won't exist in different terminals. + +The commands in this topic are formatted using the conventions listed in link:cli/latest/userguide/welcome-examples.html[Using the {aws} CLI examples,type="documentation"]. If you're running commands from the command line against resources that are in a different {aws} Region than the default {aws} Region defined in the {aws} CLI link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-profiles[profile,type="documentation"] that you're using, then you need to add `--region [.replaceable]``region-code``` to the commands. + +When you want to deploy custom networking to your production cluster, skip to <>. + +[[custom-networking-create-cluster,custom-networking-create-cluster.title]] +== Step 1: Create a test VPC and cluster + +The following procedures help you create a test VPC and cluster and configure custom networking for that cluster. We don't recommend using the test cluster for production workloads because several unrelated features that you might use on your production cluster aren't covered in this topic. For more information, see <>. + +. Define the `cluster_name` and `account_id` variables.. ++ +[source,bash,subs="verbatim,attributes"] +---- +export cluster_name=my-custom-networking-cluster +account_id=$(aws sts get-caller-identity --query Account --output text) +---- +. Create a VPC. ++ +.. If you are deploying to a test system, create a VPC using an Amazon EKS {aws} CloudFormation template. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws cloudformation create-stack --stack-name my-eks-custom-networking-vpc \ + --template-url https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2020-10-29/amazon-eks-vpc-private-subnets.yaml \ + --parameters ParameterKey=VpcBlock,ParameterValue=192.168.0.0/24 \ + ParameterKey=PrivateSubnet01Block,ParameterValue=192.168.0.64/27 \ + ParameterKey=PrivateSubnet02Block,ParameterValue=192.168.0.96/27 \ + ParameterKey=PublicSubnet01Block,ParameterValue=192.168.0.0/27 \ + ParameterKey=PublicSubnet02Block,ParameterValue=192.168.0.32/27 +---- ++ +The {aws} CloudFormation stack takes a few minutes to create. To check on the stack's deployment status, run the following command. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws cloudformation describe-stacks --stack-name my-eks-custom-networking-vpc --query Stacks\[\].StackStatus --output text +---- ++ +Don't continue to the next step until the output of the command is `CREATE_COMPLETE`. +.. Define variables with the values of the private subnet IDs created by the template. ++ +[source,bash,subs="verbatim,attributes"] +---- +subnet_id_1=$(aws cloudformation describe-stack-resources --stack-name my-eks-custom-networking-vpc \ + --query "StackResources[?LogicalResourceId=='PrivateSubnet01'].PhysicalResourceId" --output text) +subnet_id_2=$(aws cloudformation describe-stack-resources --stack-name my-eks-custom-networking-vpc \ + --query "StackResources[?LogicalResourceId=='PrivateSubnet02'].PhysicalResourceId" --output text) +---- +.. Define variables with the Availability Zones of the subnets retrieved in the previous step. ++ +[source,bash,subs="verbatim,attributes"] +---- +az_1=$(aws ec2 describe-subnets --subnet-ids $subnet_id_1 --query 'Subnets[*].AvailabilityZone' --output text) +az_2=$(aws ec2 describe-subnets --subnet-ids $subnet_id_2 --query 'Subnets[*].AvailabilityZone' --output text) +---- +. Create a cluster IAM role. ++ +.. Run the following command to create an IAM trust policy JSON file. ++ +[source,json,subs="verbatim,attributes"] +---- +cat >eks-cluster-role-trust-policy.json <>. +.. The cluster takes several minutes to create. To check on the cluster's deployment status, run the following command. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks describe-cluster --name my-custom-networking-cluster --query cluster.status +---- ++ +Don't continue to the next step until the output of the command is `"ACTIVE"`. +.. Configure `kubectl` to communicate with your cluster. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks update-kubeconfig --name my-custom-networking-cluster +---- + + +[[custom-networking-configure-vpc,custom-networking-configure-vpc.title]] +== Step 2: Configure your VPC + +This tutorial requires the VPC created in <>. For a production cluster, adjust the steps accordingly for your VPC by replacing all of the [.replaceable]`example values` with your own. + +. Confirm that your currently-installed [.noloc]`Amazon VPC CNI plugin for Kubernetes` is the latest version. To determine the latest version for the Amazon EKS add-on type and update your version to it, see <>. To determine the latest version for the self-managed add-on type and update your version to it, see <>. +. Retrieve the ID of your cluster VPC and store it in a variable for use in later steps. For a production cluster, replace [.replaceable]`my-custom-networking-cluster` with the name of your cluster. ++ +[source,bash,subs="verbatim,attributes"] +---- +vpc_id=$(aws eks describe-cluster --name my-custom-networking-cluster --query "cluster.resourcesVpcConfig.vpcId" --output text) +---- +. Associate an additional Classless Inter-Domain Routing (CIDR) block with your cluster's VPC. The CIDR block can't overlap with any existing associated CIDR blocks. ++ +.. View the current CIDR blocks associated to your VPC. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws ec2 describe-vpcs --vpc-ids $vpc_id \ + --query 'Vpcs[*].CidrBlockAssociationSet[*].{CIDRBlock: CidrBlock, State: CidrBlockState.State}' --out table +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +---------------------------------- +| DescribeVpcs | ++-----------------+--------------+ +| CIDRBlock | State | ++-----------------+--------------+ +| 192.168.0.0/24 | associated | ++-----------------+--------------+ +---- +.. Associate an additional CIDR block to your VPC. For more information, see link:vpc/latest/userguide/modify-vpcs.html#add-ipv4-cidr[Associate additional IPv4 CIDR blocks with your VPC,type="documentation"] in the Amazon VPC User Guide. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws ec2 associate-vpc-cidr-block --vpc-id $vpc_id --cidr-block 192.168.1.0/24 +---- +.. Confirm that the new block is associated. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws ec2 describe-vpcs --vpc-ids $vpc_id --query 'Vpcs[*].CidrBlockAssociationSet[*].{CIDRBlock: CidrBlock, State: CidrBlockState.State}' --out table +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +---------------------------------- +| DescribeVpcs | ++-----------------+--------------+ +| CIDRBlock | State | ++-----------------+--------------+ +| 192.168.0.0/24 | associated | +| 192.168.1.0/24 | associated | ++-----------------+--------------+ +---- + ++ +Don't proceed to the next step until your new CIDR block's `State` is `associated`. +. Create as many subnets as you want to use in each Availability Zone that your existing subnets are in. Specify a CIDR block that's within the CIDR block that you associated with your VPC in a previous step. ++ +.. Create new subnets. The subnets must be created in a different VPC CIDR block than your existing subnets are in, but in the same Availability Zones as your existing subnets. In this example, one subnet is created in the new CIDR block in each Availability Zone that the current private subnets exist in. The IDs of the subnets created are stored in variables for use in later steps. The `Name` values match the values assigned to the subnets created using the Amazon EKS VPC template in a previous step. Names aren't required. You can use different names. ++ +[source,bash,subs="verbatim,attributes"] +---- +new_subnet_id_1=$(aws ec2 create-subnet --vpc-id $vpc_id --availability-zone $az_1 --cidr-block 192.168.1.0/27 \ + --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=my-eks-custom-networking-vpc-PrivateSubnet01},{Key=kubernetes.io/role/internal-elb,Value=1}]' \ + --query Subnet.SubnetId --output text) +new_subnet_id_2=$(aws ec2 create-subnet --vpc-id $vpc_id --availability-zone $az_2 --cidr-block 192.168.1.32/27 \ + --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=my-eks-custom-networking-vpc-PrivateSubnet02},{Key=kubernetes.io/role/internal-elb,Value=1}]' \ + --query Subnet.SubnetId --output text) +---- ++ +IMPORTANT: By default, your new subnets are implicitly associated with your VPC's link:vpc/latest/userguide/VPC_Route_Tables.html#RouteTables[main route table,type="documentation"]. This route table allows communication between all the resources that are deployed in the VPC. However, it doesn't allow communication with resources that have IP addresses that are outside the CIDR blocks that are associated with your VPC. You can associate your own route table to your subnets to change this behavior. For more information, see link:vpc/latest/userguide/VPC_Route_Tables.html#subnet-route-tables[Subnet route tables,type="documentation"] in the Amazon VPC User Guide. +.. View the current subnets in your VPC. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws ec2 describe-subnets --filters "Name=vpc-id,Values=$vpc_id" \ + --query 'Subnets[*].{SubnetId: SubnetId,AvailabilityZone: AvailabilityZone,CidrBlock: CidrBlock}' \ + --output table +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +---------------------------------------------------------------------- +| DescribeSubnets | ++------------------+--------------------+----------------------------+ +| AvailabilityZone | CidrBlock | SubnetId | ++------------------+--------------------+----------------------------+ +| us-west-2d | 192.168.0.0/27 | subnet-example1 | +| us-west-2a | 192.168.0.32/27 | subnet-example2 | +| us-west-2a | 192.168.0.64/27 | subnet-example3 | +| us-west-2d | 192.168.0.96/27 | subnet-example4 | +| us-west-2a | 192.168.1.0/27 | subnet-example5 | +| us-west-2d | 192.168.1.32/27 | subnet-example6 | ++------------------+--------------------+----------------------------+ +---- ++ +You can see the subnets in the `192.168.1.0` CIDR block that you created are in the same Availability Zones as the subnets in the `192.168.0.0` CIDR block. + + +[[custom-networking-configure-kubernetes,custom-networking-configure-kubernetes.title]] +== Step 3: Configure [.noloc]`Kubernetes` resources +. Set the `AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG` environment variable to `true` in the `aws-node` [.noloc]`DaemonSet`. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl set env daemonset aws-node -n kube-system AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG=true +---- +. Retrieve the ID of your <> and store it in a variable for use in the next step. Amazon EKS automatically creates this security group when you create your cluster. ++ +[source,bash,subs="verbatim,attributes"] +---- +cluster_security_group_id=$(aws eks describe-cluster --name $cluster_name --query cluster.resourcesVpcConfig.clusterSecurityGroupId --output text) +---- +. [[custom-networking-create-eniconfig]]Create an `ENIConfig` custom resource for each subnet that you want to deploy [.noloc]`Pods` in. ++ +.. Create a unique file for each network interface configuration. ++ ++ +The following commands create separate `ENIConfig` files for the two subnets that were created in a previous step. The value for `name` must be unique. The name is the same as the Availability Zone that the subnet is in. The cluster security group is assigned to the `ENIConfig`. ++ +[source,yaml,subs="verbatim,attributes"] +---- +cat >$az_1.yaml <$az_2.yaml <> later in this tutorial. ++ +NOTE: If you don't specify a valid security group for use with a production cluster and you're using: + +*** version `1.8.0` or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes`, then the security groups associated with the node's primary elastic network interface are used. +*** a version of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` that's earlier than `1.8.0`, then the default security group for the VPC is assigned to secondary network interfaces. + ++ +IMPORTANT: +*** `AWS_VPC_K8S_CNI_EXTERNALSNAT=false` is a default setting in the configuration for the Amazon VPC CNI plugin for [.noloc]`Kubernetes`. If you're using the default setting, then traffic that is destined for IP addresses that aren't within one of the CIDR blocks associated with your VPC use the security groups and subnets of your node's primary network interface. The subnets and security groups defined in your `ENIConfigs` that are used to create secondary network interfaces aren't used for this traffic. For more information about this setting, see <>. +*** If you also use security groups for [.noloc]`Pods`, the security group that's specified in a `SecurityGroupPolicy` is used instead of the security group that's specified in the `ENIConfigs`. For more information, see <>. + +.. Apply each custom resource file that you created to your cluster with the following commands. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl apply -f $az_1.yaml +kubectl apply -f $az_2.yaml +---- +. Confirm that your `ENIConfigs` were created. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl get ENIConfigs +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +NAME AGE +us-west-2a 117s +us-west-2d 105s +---- +. If you're enabling custom networking on a production cluster and named your `ENIConfigs` something other than the Availability Zone that you're using them for, then skip to the <> to deploy Amazon EC2 nodes. ++ +Enable [.noloc]`Kubernetes` to automatically apply the `ENIConfig` for an Availability Zone to any new Amazon EC2 nodes created in your cluster. ++ +.. For the test cluster in this tutorial, skip to the <>. ++ +For a production cluster, check to see if an [.noloc]`annotation` with the key `k8s.amazonaws.com/eniConfig` for the `https://github.com/aws/amazon-vpc-cni-k8s#eni_config_annotation_def[ENI_CONFIG_ANNOTATION_DEF]` environment variable exists in the container spec for the `aws-node` [.noloc]`DaemonSet`. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl describe daemonset aws-node -n kube-system | grep ENI_CONFIG_ANNOTATION_DEF +---- ++ +If output is returned, the annotation exists. If no output is returned, then the variable is not set. For a production cluster, you can use either this setting or the setting in the following step. If you use this setting, it overrides the setting in the following step. In this tutorial, the setting in the next step is used. +.. [[custom-networking-automatically-apply-eniconfig]]Update your `aws-node` [.noloc]`DaemonSet` to automatically apply the `ENIConfig` for an Availability Zone to any new Amazon EC2 nodes created in your cluster. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl set env daemonset aws-node -n kube-system ENI_CONFIG_LABEL_DEF=topology.kubernetes.io/zone +---- + + +[[custom-networking-deploy-nodes,custom-networking-deploy-nodes.title]] +== Step 4: Deploy Amazon EC2 nodes +. Create a node IAM role. ++ +.. Run the following command to create an IAM trust policy JSON file. ++ +[source,json,subs="verbatim,attributes"] +---- +cat >node-role-trust-relationship.json <>. +. Create one of the following types of node groups. To determine the instance type that you want to deploy, see <>. For this tutorial, complete the *Managed*, *Without a launch template or with a launch template without an AMI ID specified* option. If you're going to use the node group for production workloads, then we recommend that you familiarize yourself with all of the managed node group <> and self-managed node group <> options before deploying the node group. ++ +** *Managed* – Deploy your node group using one of the following options: ++ +*** *Without a launch template or with a launch template without an AMI ID specified* – Run the following command. For this tutorial, use the [.replaceable]`example values`. For a production node group, replace all [.replaceable]`example values` with your own. The node group name can't be longer than 63 characters. It must start with letter or digit, but can also include hyphens and underscores for the remaining characters. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks create-nodegroup --cluster-name $cluster_name --nodegroup-name my-nodegroup \ + --subnets $subnet_id_1 $subnet_id_2 --instance-types t3.medium --node-role $node_role_arn +---- +*** *With a launch template with a specified AMI ID*:: + ++ +.... Determine the Amazon EKS recommended number of maximum [.noloc]`Pods `for your nodes. Follow the instructions in <>, adding `--cni-custom-networking-enabled` to step 3 in that topic. Note the output for use in the next step. +.... In your launch template, specify an Amazon EKS optimized AMI ID, or a custom AMI built off the Amazon EKS optimized AMI, then <> and provide the following user data in the launch template. This user data passes arguments into the `bootstrap.sh` file. For more information about the bootstrap file, see https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap.sh] on [.noloc]`GitHub`. You can replace [.replaceable]`20` with either the value from the previous step (recommended) or your own value. ++ +[source,bash,subs="verbatim,attributes"] +---- +/etc/eks/bootstrap.sh my-cluster --use-max-pods false --kubelet-extra-args '--max-pods=20' +---- ++ +If you've created a custom AMI that is not built off the Amazon EKS optimized AMI, then you need to custom create the configuration yourself. +** *Self-managed*:: + ++ +... Determine the Amazon EKS recommended number of maximum [.noloc]`Pods` for your nodes. Follow the instructions in <>, adding `--cni-custom-networking-enabled` to step 3 in that topic. Note the output for use in the next step. +... Deploy the node group using the instructions in <>. Specify the following text for the *BootstrapArguments* parameter. You can replace [.replaceable]`20` with either the value from the previous step (recommended) or your own value. ++ +[source,bash,subs="verbatim,attributes"] +---- +--use-max-pods false --kubelet-extra-args '--max-pods=20' +---- ++ +NOTE: If you want nodes in a production cluster to support a significantly higher number of [.noloc]`Pods`, run the script in <> again. Also, add the `--cni-prefix-delegation-enabled` option to the command. For example, [.replaceable]`110` is returned for an `m5.large` instance type. For instructions on how to enable this capability, see <>. You can use this capability with custom networking. ++ +Node group creation takes several minutes. You can check the status of the creation of a managed node group with the following command. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks describe-nodegroup --cluster-name $cluster_name --nodegroup-name my-nodegroup --query nodegroup.status --output text +---- ++ +Don't continue to the next step until the output returned is `ACTIVE`. +. [[custom-networking-annotate-eniconfig]]For the tutorial, you can skip this step. ++ +For a production cluster, if you didn't name your `ENIConfigs` the same as the Availability Zone that you're using them for, then you must annotate your nodes with the `ENIConfig` name that should be used with the node. This step isn't necessary if you only have one subnet in each Availability Zone and you named your `ENIConfigs` with the same names as your Availability Zones. This is because the [.noloc]`Amazon VPC CNI plugin for Kubernetes` automatically associates the correct `ENIConfig` with the node for you when you enabled it to do so in a <>. ++ +.. Get the list of nodes in your cluster. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl get nodes +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +NAME STATUS ROLES AGE VERSION +ip-192-168-0-126.us-west-2.compute.internal Ready 8m49s v1.22.9-eks-810597c +ip-192-168-0-92.us-west-2.compute.internal Ready 8m34s v1.22.9-eks-810597c +---- +.. Determine which Availability Zone each node is in. Run the following command for each node that was returned in the previous step. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws ec2 describe-instances --filters Name=network-interface.private-dns-name,Values=ip-192-168-0-126.us-west-2.compute.internal \ +--query 'Reservations[].Instances[].{AvailabilityZone: Placement.AvailabilityZone, SubnetId: SubnetId}' +---- ++ +An example output is as follows. ++ +[source,json,subs="verbatim,attributes"] +---- +[ + { + "AvailabilityZone": "us-west-2d", + "SubnetId": "subnet-Example5" + } +] +---- +.. Annotate each node with the `ENIConfig` that you created for the subnet ID and Availability Zone. You can only annotate a node with one `ENIConfig`, though multiple nodes can be annotated with the same `ENIConfig`. Replace the [.replaceable]`example values` with your own. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl annotate node ip-192-168-0-126.us-west-2.compute.internal k8s.amazonaws.com/eniConfig=EniConfigName1 +kubectl annotate node ip-192-168-0-92.us-west-2.compute.internal k8s.amazonaws.com/eniConfig=EniConfigName2 +---- +. [[custom-networking-terminate-existing-nodes]]If you had nodes in a production cluster with running [.noloc]`Pods` before you switched to using the custom networking feature, complete the following tasks: ++ +.. Make sure that you have available nodes that are using the custom networking feature. +.. Cordon and drain the nodes to gracefully shut down the [.noloc]`Pods`. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/[Safely Drain a Node] in the [.noloc]`Kubernetes` documentation. +.. Terminate the nodes. If the nodes are in an existing managed node group, you can delete the node group. Copy the command that follows to your device. Make the following modifications to the command as needed and then run the modified command: ++ +*** Replace [.replaceable]`my-cluster` with the name for your cluster. +*** Replace [.replaceable]`my-nodegroup` with the name for your node group. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks delete-nodegroup --cluster-name my-cluster --nodegroup-name my-nodegroup +---- + ++ +Only new nodes that are registered with the `k8s.amazonaws.com/eniConfig` label use the custom networking feature. +. Confirm that [.noloc]`Pods` are assigned an IP address from a CIDR block that's associated to one of the subnets that you created in a previous step. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl get pods -A -o wide +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES +kube-system aws-node-2rkn4 1/1 Running 0 7m19s 192.168.0.92 ip-192-168-0-92.us-west-2.compute.internal +kube-system aws-node-k96wp 1/1 Running 0 7m15s 192.168.0.126 ip-192-168-0-126.us-west-2.compute.internal +kube-system coredns-657694c6f4-smcgr 1/1 Running 0 56m 192.168.1.23 ip-192-168-0-92.us-west-2.compute.internal +kube-system coredns-657694c6f4-stwv9 1/1 Running 0 56m 192.168.1.28 ip-192-168-0-92.us-west-2.compute.internal +kube-system kube-proxy-jgshq 1/1 Running 0 7m19s 192.168.0.92 ip-192-168-0-92.us-west-2.compute.internal +kube-system kube-proxy-wx9vk 1/1 Running 0 7m15s 192.168.0.126 ip-192-168-0-126.us-west-2.compute.internal +---- ++ +You can see that the coredns [.noloc]`Pods` are assigned IP addresses from the `192.168.1.0` CIDR block that you added to your VPC. Without custom networking, they would have been assigned addresses from the `192.168.0.0` CIDR block, because it was the only CIDR block originally associated with the VPC. ++ +If a [.noloc]`Pod's` `spec` contains `hostNetwork=true`, it's assigned the primary IP address of the node. It isn't assigned an address from the subnets that you added. By default, this value is set to `false`. This value is set to `true` for the `kube-proxy` and [.noloc]`Amazon VPC CNI plugin for Kubernetes` (`aws-node`) [.noloc]`Pods` that run on your cluster. This is why the `kube-proxy` and the plugin's `aws-node` [.noloc]`Pods` aren't assigned `192.168.1.[.replaceable]``x``` addresses in the previous output. For more information about a [.noloc]`Pod's` `hostNetwork` setting, see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#podspec-v1-core[PodSpec v1 core] in the [.noloc]`Kubernetes` API reference. + + +[[custom-network-delete-resources,custom-network-delete-resources.title]] +== Step 5: Delete tutorial resources + +After you complete the tutorial, we recommend that you delete the resources that you created. You can then adjust the steps to enable custom networking for a production cluster. + +. If the node group that you created was just for testing, then delete it. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks delete-nodegroup --cluster-name $cluster_name --nodegroup-name my-nodegroup +---- ++ +Even after the {aws} CLI output says that the cluster is deleted, the delete process might not actually be complete. The delete process takes a few minutes. Confirm that it's complete by running the following command. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks describe-nodegroup --cluster-name $cluster_name --nodegroup-name my-nodegroup --query nodegroup.status --output text +---- ++ +Don't continue until the returned output is similar to the following output. ++ +[source,bash,subs="verbatim,attributes"] +---- +An error occurred (ResourceNotFoundException) when calling the DescribeNodegroup operation: No node group found for name: my-nodegroup. +---- +. If the node group that you created was just for testing, then delete the node IAM role. ++ +.. Detach the policies from the role. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws iam detach-role-policy --role-name myCustomNetworkingNodeRole --policy-arn {arn-aws}iam::aws:policy/AmazonEKSWorkerNodePolicy +aws iam detach-role-policy --role-name myCustomNetworkingNodeRole --policy-arn {arn-aws}iam::aws:policy/AmazonEC2ContainerRegistryReadOnly +aws iam detach-role-policy --role-name myCustomNetworkingNodeRole --policy-arn {arn-aws}iam::aws:policy/AmazonEKS_CNI_Policy +---- +.. Delete the role. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws iam delete-role --role-name myCustomNetworkingNodeRole +---- +. Delete the cluster. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks delete-cluster --name $cluster_name +---- ++ +Confirm the cluster is deleted with the following command. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks describe-cluster --name $cluster_name --query cluster.status --output text +---- ++ +When output similar to the following is returned, the cluster is successfully deleted. ++ +[source,bash,subs="verbatim,attributes"] +---- +An error occurred (ResourceNotFoundException) when calling the DescribeCluster operation: No cluster found for name: my-cluster. +---- +. Delete the cluster IAM role. ++ +.. Detach the policies from the role. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws iam detach-role-policy --role-name myCustomNetworkingAmazonEKSClusterRole --policy-arn {arn-aws}iam::aws:policy/AmazonEKSClusterPolicy +---- +.. Delete the role. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws iam delete-role --role-name myCustomNetworkingAmazonEKSClusterRole +---- +. Delete the subnets that you created in a previous step. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws ec2 delete-subnet --subnet-id $new_subnet_id_1 +aws ec2 delete-subnet --subnet-id $new_subnet_id_2 +---- +. Delete the VPC that you created. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws cloudformation delete-stack --stack-name my-eks-custom-networking-vpc +---- + + diff --git a/latest/ug/networking/cni-custom-network.adoc b/latest/ug/networking/cni-custom-network.adoc new file mode 100644 index 000000000..0192d4cfa --- /dev/null +++ b/latest/ug/networking/cni-custom-network.adoc @@ -0,0 +1,36 @@ +//!!NODE_ROOT
+[.topic] +[[cni-custom-network,cni-custom-network.title]] += Deploy [.noloc]`Pods` in alternate subnets with custom networking +:info_titleabbrev: Custom networking + +include::../attributes.txt[] + +include::cni-custom-network-tutorial.adoc[leveloffset=+1] + +[abstract] +-- +Learn how to enable custom networking for Amazon EKS [.noloc]`Pods` to deploy them in different subnets or use different security groups than the node's primary network interface, increasing IP address availability and network isolation. +-- + +*Applies to*: [.noloc]`Linux` `IPv4` Fargate nodes, [.noloc]`Linux` nodes with Amazon EC2 instances + +By default, when the [.noloc]`Amazon VPC CNI plugin for Kubernetes` creates secondary link:AWSEC2/latest/UserGuide/using-eni.html[elastic network interfaces,type="documentation"] (network interfaces) for your Amazon EC2 node, it creates them in the same subnet as the node's primary network interface. It also associates the same security groups to the secondary network interface that are associated to the primary network interface. For one or more of the following reasons, you might want the plugin to create secondary network interfaces in a different subnet or want to associate different security groups to the secondary network interfaces, or both: + +* There's a limited number of `IPv4` addresses that are available in the subnet that the primary network interface is in. This might limit the number of [.noloc]`Pods` that you can create in the subnet. By using a different subnet for secondary network interfaces, you can increase the number of available `IPv4` addresses available for [.noloc]`Pods`. +* For security reasons, your [.noloc]`Pods` might need to use a different subnet or security groups than the node's primary network interface. +* The nodes are configured in public subnets, and you want to place the [.noloc]`Pods` in private subnets. The route table associated to a public subnet includes a route to an internet gateway. The route table associated to a private subnet doesn't include a route to an internet gateway. + + +[[cni-custom-network-considerations,cni-custom-network-considerations.title]] +== Considerations + +The following are considerations for using the feature. + +* With custom networking enabled, no IP addresses assigned to the primary network interface are assigned to [.noloc]`Pods`. Only IP addresses from secondary network interfaces are assigned to [.noloc]`Pods`. +* If your cluster uses the `IPv6` family, you can't use custom networking. +* If you plan to use custom networking only to help alleviate `IPv4` address exhaustion, you can create a cluster using the `IPv6` family instead. For more information, see <>. +* Even though [.noloc]`Pods` deployed to subnets specified for secondary network interfaces can use different subnet and security groups than the node's primary network interface, the subnets and security groups must be in the same VPC as the node. +* For Fargate, subnets are controlled through the Fargate profile. For more information, see <>. + + diff --git a/latest/ug/networking/cni-iam-role.adoc b/latest/ug/networking/cni-iam-role.adoc new file mode 100644 index 000000000..eb50a667b --- /dev/null +++ b/latest/ug/networking/cni-iam-role.adoc @@ -0,0 +1,270 @@ +//!!NODE_ROOT
+[.topic] +[[cni-iam-role,cni-iam-role.title]] += Configure Amazon VPC CNI plugin to use IRSA +:info_titleabbrev: Configure for IRSA + +include::../attributes.txt[] + +[abstract] +-- +Learn how to configure the [.noloc]`Amazon VPC CNI plugin for Kubernetes` to use IAM roles for service accounts (IRSA) for [.noloc]`Pod` networking in Amazon EKS clusters. +-- + +The https://github.com/aws/amazon-vpc-cni-k8s[Amazon VPC CNI plugin for Kubernetes] is the networking plugin for [.noloc]`Pod` networking in Amazon EKS clusters. The plugin is responsible for allocating VPC IP addresses to [.noloc]`Kubernetes` nodes and configuring the necessary networking for [.noloc]`Pods` on each node. The plugin: + + +* Requires {aws} Identity and Access Management (IAM) permissions. If your cluster uses the `IPv4` family, the permissions are specified in the ` link:aws-managed-policy/latest/reference/AmazonEKS_CNI_Policy.html[AmazonEKS_CNI_Policy,type="documentation"]` {aws} managed policy.If your cluster uses the `IPv6` family, then the permissions must be added to an IAM policy that you create; for instructions, see <>. You can attach the policy to the Amazon EKS node IAM role, or to a separate IAM role. For instructions to attach the policy to the Amazon EKS node IAM role, see <>. We recommend that you assign it to a separate role, as detailed in this topic. +* Creates and is configured to use a [.noloc]`Kubernetes` service account named `aws-node` when it's deployed. The service account is bound to a [.noloc]`Kubernetes` `clusterrole` named `aws-node`, which is assigned the required [.noloc]`Kubernetes` permissions. + + +[NOTE] +==== + +The [.noloc]`Pods` for the [.noloc]`Amazon VPC CNI plugin for Kubernetes` have access to the permissions assigned to the <>, unless you block access to IMDS. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. + +==== + +* An existing Amazon EKS cluster. To deploy one, see <>. +* An existing {aws} Identity and Access Management (IAM) [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you already have one, or to create one, see <>. + + +[[cni-iam-role-create-role,cni-iam-role-create-role.title]] +== Step 1: Create the [.noloc]`Amazon VPC CNI plugin for Kubernetes` IAM role +. Determine the IP family of your cluster. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks describe-cluster --name my-cluster | grep ipFamily +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +"ipFamily": "ipv4" +---- ++ +The output may return `ipv6` instead. +. Create the IAM role. You can use `eksctl` or `kubectl` and the {aws} CLI to create your IAM role. ++ +eksctl::: +** Create an IAM role and attach the IAM policy to the role with the command that matches the IP family of your cluster. The command creates and deploys an {aws} CloudFormation stack that creates an IAM role, attaches the policy that you specify to it, and annotates the existing `aws-node` [.noloc]`Kubernetes` service account with the ARN of the IAM role that is created. ++ +*** `IPv4` ++ +Replace [.replaceable]`my-cluster` with your own value. ++ +[source,bash,subs="verbatim,attributes"] +---- +eksctl create iamserviceaccount \ + --name aws-node \ + --namespace kube-system \ + --cluster my-cluster \ + --role-name AmazonEKSVPCCNIRole \ + --attach-policy-arn {arn-aws}iam::aws:policy/AmazonEKS_CNI_Policy \ + --override-existing-serviceaccounts \ + --approve +---- +*** `IPv6` ++ +Replace [.replaceable]`my-cluster` with your own value. Replace [.replaceable]`111122223333` with your account ID and replace [.replaceable]`AmazonEKS_CNI_IPv6_Policy` with the name of your `IPv6` policy. If you don't have an `IPv6` policy, see <> to create one. To use `IPv6` with your cluster, it must meet several requirements. For more information, see <>. ++ +[source,bash,subs="verbatim,attributes"] +---- +eksctl create iamserviceaccount \ + --name aws-node \ + --namespace kube-system \ + --cluster my-cluster \ + --role-name AmazonEKSVPCCNIRole \ + --attach-policy-arn {arn-aws}iam::111122223333:policy/AmazonEKS_CNI_IPv6_Policy \ + --override-existing-serviceaccounts \ + --approve +---- + + +kubectl and the {aws} CLI::: +... View your cluster's OIDC provider URL. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks describe-cluster --name my-cluster --query "cluster.identity.oidc.issuer" --output text +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +https://oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE +---- ++ +If no output is returned, then you must <>. +... Copy the following contents to a file named [.replaceable]`vpc-cni-trust-policy.json`. Replace [.replaceable]`111122223333` with your account ID and [.replaceable]`EXAMPLED539D4633E53DE1B71EXAMPLE` with the output returned in the previous step. Replace [.replaceable]`region-code` with the {aws} Region that your cluster is in. ++ +[source,json,subs="verbatim,attributes"] +---- +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Federated": "{arn-aws}iam::111122223333:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE" + }, + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringEquals": { + "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:aud": "sts.amazonaws.com", + "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:kube-system:aws-node" + } + } + } + ] +} +---- +... Create the role. You can replace [.replaceable]`AmazonEKSVPCCNIRole` with any name that you choose. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws iam create-role \ + --role-name AmazonEKSVPCCNIRole \ + --assume-role-policy-document file://"vpc-cni-trust-policy.json" +---- +... Attach the required IAM policy to the role. Run the command that matches the IP family of your cluster. ++ +**** `IPv4` ++ +[source,bash,subs="verbatim,attributes"] +---- +aws iam attach-role-policy \ + --policy-arn {arn-aws}iam::aws:policy/AmazonEKS_CNI_Policy \ + --role-name AmazonEKSVPCCNIRole +---- +**** `IPv6` ++ +Replace [.replaceable]`111122223333` with your account ID and [.replaceable]`AmazonEKS_CNI_IPv6_Policy` with the name of your `IPv6` policy. If you don't have an `IPv6` policy, see <> to create one. To use `IPv6` with your cluster, it must meet several requirements. For more information, see <>. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws iam attach-role-policy \ + --policy-arn {arn-aws}iam::111122223333:policy/AmazonEKS_CNI_IPv6_Policy \ + --role-name AmazonEKSVPCCNIRole +---- +... Run the following command to annotate the `aws-node` service account with the ARN of the IAM role that you created previously. Replace the [.replaceable]`example values` with your own values. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl annotate serviceaccount \ + -n kube-system aws-node \ + eks.amazonaws.com/role-arn={arn-aws}iam::111122223333:role/AmazonEKSVPCCNIRole +---- +. (Optional) Configure the {aws} Security Token Service endpoint type used by your [.noloc]`Kubernetes` service account. For more information, see <>. + + +[[cni-iam-role-redeploy-pods,cni-iam-role-redeploy-pods.title]] +== Step 2: Re-deploy [.noloc]`Amazon VPC CNI plugin for Kubernetes` [.noloc]`Pods` +. Delete and re-create any existing [.noloc]`Pods` that are associated with the service account to apply the credential environment variables. The annotation is not applied to [.noloc]`Pods` that are currently running without the annotation. The following command deletes the existing `aws-node` [.noloc]`DaemonSet` [.noloc]`Pods` and deploys them with the service account annotation. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl delete Pods -n kube-system -l k8s-app=aws-node +---- +. Confirm that the [.noloc]`Pods` all restarted. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl get pods -n kube-system -l k8s-app=aws-node +---- +. Describe one of the [.noloc]`Pods` and verify that the `AWS_WEB_IDENTITY_TOKEN_FILE` and `AWS_ROLE_ARN` environment variables exist. Replace [.replaceable]`cpjw7` with the name of one of your [.noloc]`Pods` returned in the output of the previous step. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl describe pod -n kube-system aws-node-cpjw7 | grep 'AWS_ROLE_ARN:\|AWS_WEB_IDENTITY_TOKEN_FILE:' +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +AWS_ROLE_ARN: {arn-aws}iam::111122223333:role/AmazonEKSVPCCNIRole + AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token + AWS_ROLE_ARN: {arn-aws}iam::111122223333:role/AmazonEKSVPCCNIRole + AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token +---- ++ +Two sets of duplicate results are returned because the [.noloc]`Pod` contains two containers. Both containers have the same values. ++ +If your [.noloc]`Pod` is using the {aws} Regional endpoint, then the following line is also returned in the previous output. ++ +[source,bash,subs="verbatim,attributes"] +---- +AWS_STS_REGIONAL_ENDPOINTS=regional +---- + + +[[remove-cni-policy-node-iam-role,remove-cni-policy-node-iam-role.title]] +== Step 3: Remove the CNI policy from the node IAM role + +If your <> currently has the `AmazonEKS_CNI_Policy` IAM (`IPv4`) policyor an <>attached to it, and you've created a separate IAM role, attached the policy to it instead, and assigned it to the `aws-node` [.noloc]`Kubernetes` service account, then we recommend that you remove the policy from your node role with the {aws} CLI command that matches the IP family of your cluster. Replace [.replaceable]`AmazonEKSNodeRole` with the name of your node role. + + + +* `IPv4` ++ +[source,bash,subs="verbatim,attributes"] +---- +aws iam detach-role-policy --role-name AmazonEKSNodeRole --policy-arn {arn-aws}iam::aws:policy/AmazonEKS_CNI_Policy +---- +* `IPv6` ++ +Replace [.replaceable]`111122223333` with your account ID and [.replaceable]`AmazonEKS_CNI_IPv6_Policy` with the name of your `IPv6` policy. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws iam detach-role-policy --role-name AmazonEKSNodeRole --policy-arn {arn-aws}iam::111122223333:policy/AmazonEKS_CNI_IPv6_Policy +---- + + +[[cni-iam-role-create-ipv6-policy,cni-iam-role-create-ipv6-policy.title]] +== Create IAM policy for clusters that use the `IPv6` family + +If you created a cluster that uses the `IPv6` family and the cluster has version `1.10.1` or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on configured, then you need to create an IAM policy that you can assign to an IAM role. If you have an existing cluster that you didn't configure with the `IPv6` family when you created it, then to use `IPv6`, you must create a new cluster. For more information about using `IPv6` with your cluster, see <>. + +. Copy the following text and save it to a file named `vpc-cni-ipv6-policy.json`. ++ +[source,json,subs="verbatim,attributes"] +---- +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "ec2:AssignIpv6Addresses", + "ec2:DescribeInstances", + "ec2:DescribeTags", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeInstanceTypes" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "ec2:CreateTags" + ], + "Resource": [ + "{arn-aws}ec2:*:*:network-interface/*" + ] + } + ] +} +---- +. Create the IAM policy. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws iam create-policy --policy-name AmazonEKS_CNI_IPv6_Policy --policy-document file://vpc-cni-ipv6-policy.json +---- + + diff --git a/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc b/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc new file mode 100644 index 000000000..499b26af5 --- /dev/null +++ b/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc @@ -0,0 +1,227 @@ +//!!NODE_ROOT
+[.topic] +[[cni-increase-ip-addresses-procedure,cni-increase-ip-addresses-procedure.title]] += Increase the available IP addresses for your Amazon EKS node +:info_titleabbrev: Procedure + +include::../attributes.txt[] + +You can increase the number of IP addresses that nodes can assign to [.noloc]`Pods` by assigning IP prefixes, rather than assigning individual secondary IP addresses to your nodes. + +Complete the following before you start the procedure: + + + +* Review the considerations. +* You need an existing cluster. To deploy one, see <>. +* The subnets that your Amazon EKS nodes are in must have sufficient contiguous `/28` (for `IPv4` clusters) or `/80` (for `IPv6` clusters) Classless Inter-Domain Routing (CIDR) blocks. You can only have Linux nodes in an `IPv6` cluster. Using IP prefixes can fail if IP addresses are scattered throughout the subnet CIDR. We recommend that following: ++ +** Using a subnet CIDR reservation so that even if any IP addresses within the reserved range are still in use, upon their release, the IP addresses aren't reassigned. This ensures that prefixes are available for allocation without segmentation. +** Use new subnets that are specifically used for running the workloads that IP prefixes are assigned to. Both [.noloc]`Windows` and [.noloc]`Linux` workloads can run in the same subnet when assigning IP prefixes. +* To assign IP prefixes to your nodes, your nodes must be {aws} Nitro-based. Instances that aren't Nitro-based continue to allocate individual secondary IP addresses, but have a significantly lower number of IP addresses to assign to [.noloc]`Pods` than [.noloc]`Nitro-based` instances do. +* *For clusters with [.noloc]`Linux` nodes only* – If your cluster is configured for the `IPv4` family, you must have version `1.9.0` or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on installed. You can check your current version with the following command. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl describe daemonset aws-node --namespace kube-system | grep Image | cut -d "/" -f 2 +---- ++ +If your cluster is configured for the `IPv6` family, you must have version `1.10.1` of the add-on installed. If your plugin version is earlier than the required versions, you must update it. For more information, see the updating sections of <>. +* *For clusters with [.noloc]`Windows` nodes only*:: + ++ +** Your cluster and its platform version must be at, or later than the versions in the following table. To upgrade your cluster version, see <>. If your cluster isn't at the minimum platform version, then you can't assign IP prefixes to your nodes until Amazon EKS has updated your platform version. ++ +[cols="1,1", options="header"] +|=== +|Kubernetes version +|Platform version + + +|`1.27` +|`eks.3` + +|`1.26` +|`eks.4` + +|`1.25` +|`eks.5` +|=== ++ +You can check your current [.noloc]`Kubernetes` and platform version by replacing [.replaceable]`my-cluster` in the following command with the name of your cluster and then running the modified command: `aws eks describe-cluster --name [.replaceable]``my-cluster`` --query 'cluster.{"Kubernetes Version": version, "Platform Version": platformVersion}'`. +** [.noloc]`Windows` support enabled for your cluster. For more information, see <>. +. Configure your cluster to assign IP address prefixes to nodes. Complete the procedure on the tab that matches your node's operating system. ++ +[.noloc]`Linux`::: +... Enable the parameter to assign prefixes to network interfaces for the Amazon VPC CNI [.noloc]`DaemonSet`. When you deploy a `1.21` or later cluster, version `1.10.1` or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on is deployed with it. If you created the cluster with the `IPv6` family, this setting was set to `true` by default. If you created the cluster with the `IPv4` family, this setting was set to `false` by default. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl set env daemonset aws-node -n kube-system ENABLE_PREFIX_DELEGATION=true +---- ++ +IMPORTANT: Even if your subnet has available IP addresses, if the subnet does not have any contiguous `/28` blocks available, you will see the following error in the [.noloc]`Amazon VPC CNI plugin for Kubernetes` logs. + +[source,bash,subs="verbatim,attributes"] +---- +InsufficientCidrBlocks: The specified subnet does not have enough free cidr blocks to satisfy the request +---- + +This can happen due to fragmentation of existing secondary IP addresses spread out across a subnet. To resolve this error, either create a new subnet and launch [.noloc]`Pods` there, or use an Amazon EC2 subnet CIDR reservation to reserve space within a subnet for use with prefix assignment. For more information, see link:vpc/latest/userguide/subnet-cidr-reservation.html[Subnet CIDR reservations,type="documentation"] in the Amazon VPC User Guide. +... If you plan to deploy a managed node group without a launch template, or with a launch template that you haven't specified an AMI ID in, and you're using a version of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` at or later than the versions listed in the prerequisites, then skip to the next step. Managed node groups automatically calculates the maximum number of [.noloc]`Pods` for you. ++ +If you're deploying a self-managed node group or a managed node group with a launch template that you have specified an AMI ID in, then you must determine the Amazon EKS recommend number of maximum [.noloc]`Pods` for your nodes. Follow the instructions in <>, adding `--cni-prefix-delegation-enabled` to step 3. Note the output for use in a later step. ++ +IMPORTANT: Managed node groups enforces a maximum number on the value of `maxPods`. For instances with less than 30 vCPUs the maximum number is 110 and for all other instances the maximum number is 250. This maximum number is applied whether prefix delegation is enabled or not. +... If you're using a `1.21` or later cluster configured for `IPv6`, skip to the next step. ++ +Specify the parameters in one of the following options. To determine which option is right for you and what value to provide for it, see https://github.com/aws/amazon-vpc-cni-k8s/blob/master/docs/prefix-and-ip-target.md[WARM_PREFIX_TARGET, WARM_IP_TARGET, and MINIMUM_IP_TARGET] on [.noloc]`GitHub`. ++ +You can replace the [.replaceable]`example values` with a value greater than zero. ++ +**** `WARM_PREFIX_TARGET` ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl set env ds aws-node -n kube-system WARM_PREFIX_TARGET=1 +---- +**** `WARM_IP_TARGET` or `MINIMUM_IP_TARGET` – If either value is set, it overrides any value set for `WARM_PREFIX_TARGET`. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl set env ds aws-node -n kube-system WARM_IP_TARGET=5 +---- +[source,bash,subs="verbatim,attributes"] +---- +kubectl set env ds aws-node -n kube-system MINIMUM_IP_TARGET=2 +---- +... Create one of the following types of node groups with at least one Amazon EC2 Nitro Amazon Linux 2 instance type. For a list of Nitro instance types, see link:AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances[Instances built on the Nitro System,type="documentation"] in the Amazon EC2 User Guide. This capability is not supported on [.noloc]`Windows`. For the options that include [.replaceable]`110`, replace it with either the value from step 3 (recommended), or your own value. ++ +**** *Self-managed* – Deploy the node group using the instructions in <>. Specify the following text for the *BootstrapArguments* parameter. ++ +[source,bash,subs="verbatim,attributes"] +---- +--use-max-pods false --kubelet-extra-args '--max-pods=110' +---- ++ +If you're using `eksctl` to create the node group, you can use the following command. ++ +[source,bash,subs="verbatim,attributes"] +---- +eksctl create nodegroup --cluster my-cluster --managed=false --max-pods-per-node 110 +---- +**** *Managed* – Deploy your node group using one of the following options: ++ +***** *Without a launch template or with a launch template without an AMI ID specified* – Complete the procedure in <>. Managed node groups automatically calculates the Amazon EKS recommended `max-pods` value for you. +***** *With a launch template with a specified AMI ID* – In your launch template, specify an Amazon EKS optimized AMI ID, or a custom AMI built off the Amazon EKS optimized AMI, then <> and provide the following user data in the launch template. This user data passes arguments into the `bootstrap.sh` file. For more information about the bootstrap file, see https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap.sh] on [.noloc]`GitHub`. ++ +[source,bash,subs="verbatim,attributes"] +---- +/etc/eks/bootstrap.sh my-cluster \ + --use-max-pods false \ + --kubelet-extra-args '--max-pods=110' +---- ++ +If you're using `eksctl` to create the node group, you can use the following command. ++ +[source,bash,subs="verbatim,attributes"] +---- +eksctl create nodegroup --cluster my-cluster --max-pods-per-node 110 +---- ++ +If you've created a custom AMI that is not built off the Amazon EKS optimized AMI, then you need to custom create the configuration yourself. ++ +NOTE: If you also want to assign IP addresses to [.noloc]`Pods` from a different subnet than the instance's, then you need to enable the capability in this step. For more information, see <>. + + +[.noloc]`Windows`::: +... Enable assignment of IP prefixes. ++ +.... Open the `amazon-vpc-cni` `ConfigMap` for editing. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl edit configmap -n kube-system amazon-vpc-cni -o yaml +---- +.... Add the following line to the `data` section. ++ +[source,yaml,subs="verbatim,attributes"] +---- + enable-windows-prefix-delegation: "true" +---- +.... Save the file and close the editor. +.... Confirm that the line was added to the `ConfigMap`. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl get configmap -n kube-system amazon-vpc-cni -o "jsonpath={.data.enable-windows-prefix-delegation}" +---- ++ +If the returned output isn't `true`, then there might have been an error. Try completing the step again. ++ +IMPORTANT: Even if your subnet has available IP addresses, if the subnet does not have any contiguous `/28` blocks available, you will see the following error in the node events. + +[source,bash,subs="verbatim,attributes"] +---- +"failed to allocate a private IP/Prefix address: InsufficientCidrBlocks: The specified subnet does not have enough free cidr blocks to satisfy the request" +---- + +This can happen due to fragmentation of existing secondary IP addresses spread out across a subnet. To resolve this error, either create a new subnet and launch [.noloc]`Pods` there, or use an Amazon EC2 subnet CIDR reservation to reserve space within a subnet for use with prefix assignment. For more information, see link:vpc/latest/userguide/subnet-cidr-reservation.html[Subnet CIDR reservations,type="documentation"] in the Amazon VPC User Guide. +... (Optional) Specify additional configuration for controlling the pre-scaling and dynamic scaling behavior for your cluster. For more information, see https://github.com/aws/amazon-vpc-resource-controller-k8s/blob/master/docs/windows/prefix_delegation_config_options.md[Configuration options with Prefix Delegation mode on Windows] on GitHub. ++ +.... Open the `amazon-vpc-cni` `ConfigMap` for editing. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl edit configmap -n kube-system amazon-vpc-cni -o yaml +---- +.... Replace the [.replaceable]`example values` with a value greater than zero and add the entries that you require to the `data` section of the `ConfigMap`. If you set a value for either `warm-ip-target` or `minimum-ip-target`, the value overrides any value set for `warm-prefix-target`. ++ +[source,yaml,subs="verbatim,attributes"] +---- + warm-prefix-target: "1" + warm-ip-target: "5" + minimum-ip-target: "2" +---- +.... Save the file and close the editor. +... Create [.noloc]`Windows` node groups with at least one Amazon EC2 [.noloc]`Nitro` instance type. For a list of [.noloc]`Nitro` instance types, see link:AWSEC2/latest/WindowsGuide/instance-types.html#ec2-nitro-instances[Instances built on the Nitro System,type="documentation"] in the Amazon EC2 User Guide. By default, the maximum number of [.noloc]`Pods` that you can deploy to a node is 110. If you want to increase or decrease that number, specify the following in the user data for the bootstrap configuration. Replace [.replaceable]`max-pods-quantity` with your max pods value. ++ +[source,bash,subs="verbatim,attributes"] +---- +-KubeletExtraArgs '--max-pods=max-pods-quantity' +---- ++ +If you're deploying managed node groups, this configuration needs to be added in the launch template. For more information, see <>. For more information about the configuration parameters for [.noloc]`Windows` bootstrap script, see <>. +. Once your nodes are deployed, view the nodes in your cluster. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl get nodes +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +NAME STATUS ROLES AGE VERSION +ip-192-168-22-103.region-code.compute.internal Ready 19m v1.XX.X-eks-6b7464 +ip-192-168-97-94.region-code.compute.internal Ready 19m v1.XX.X-eks-6b7464 +---- +. Describe one of the nodes to determine the value of `max-pods` for the node and the number of available IP addresses. Replace [.replaceable]`192.168.30.193` with the `IPv4` address in the name of one of your nodes returned in the previous output. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl describe node ip-192-168-30-193.region-code.compute.internal | grep 'pods\|PrivateIPv4Address' +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +pods: 110 +vpc.amazonaws.com/PrivateIPv4Address: 144 +---- ++ +In the previous output, `110` is the maximum number of [.noloc]`Pods` that [.noloc]`Kubernetes` will deploy to the node, even though [.replaceable]`144` IP addresses are available. + + diff --git a/latest/ug/networking/cni-increase-ip-addresses.adoc b/latest/ug/networking/cni-increase-ip-addresses.adoc new file mode 100644 index 000000000..d74e1edc7 --- /dev/null +++ b/latest/ug/networking/cni-increase-ip-addresses.adoc @@ -0,0 +1,65 @@ +[.topic] +[[cni-increase-ip-addresses,cni-increase-ip-addresses.title]] += Assign more IP addresses to Amazon EKS nodes with prefixes +:info_titleabbrev: Increase IP addresses + +include::../attributes.txt[] + +include::cni-increase-ip-addresses-procedure.adoc[leveloffset=+1] + +[abstract] +-- +Learn how to significantly increase the number of IP addresses that you can assign to [.noloc]`Pods` by assigning IP prefixes with Amazon EKS, improving scalability and reducing launch delays for large and spiky workloads. +-- + +*Applies to*: Linux and Windows nodes with Amazon EC2 instances + +*Applies to*: Public and private subnets + +Each Amazon EC2 instance supports a maximum number of elastic network interfaces and a maximum number of IP addresses that can be assigned to each network interface. Each node requires one IP address for each network interface. All other available IP addresses can be assigned to `Pods`. Each `Pod` requires its own IP address. As a result, you might have nodes that have available compute and memory resources, but can't accommodate additional `Pods` because the node has run out of IP addresses to assign to `Pods`. + +You can increase the number of IP addresses that nodes can assign to `Pods` by assigning IP prefixes, rather than assigning individual secondary IP addresses to your nodes. Each prefix includes several IP addresses. If you don't configure your cluster for IP prefix assignment, your cluster must make more Amazon EC2 application programming interface (API) calls to configure network interfaces and IP addresses necessary for [.noloc]`Pod` connectivity. As clusters grow to larger sizes, the frequency of these API calls can lead to longer [.noloc]`Pod` and instance launch times. This results in scaling delays to meet the demand of large and spiky workloads, and adds cost and management overhead because you need to provision additional clusters and VPCs to meet scaling requirements. For more information, see https://github.com/kubernetes/community/blob/master/sig-scalability/configs-and-limits/thresholds.md[Kubernetes Scalability thresholds] on GitHub. + +[[cni-increase-ip-addresses-compatability,cni-increase-ip-addresses-compatability.title]] +== Compatibility with [.noloc]`Amazon VPC CNI plugin for Kubernetes` features + +You can use IP prefixes with the following features: + + + +* IPv4 Source Network Address Translation - For more information, see <>. +* IPv6 addresses to clusters, Pods, and services - For more information, see <>. +* Restricting traffic using [.noloc]`Kubernetes` network policies - For more information, see <>. + +The following list provides information about the Amazon VPC CNI plugin settings that apply. For more information about each setting, see https://github.com/aws/amazon-vpc-cni-k8s/blob/master/README.md[amazon-vpc-cni-k8s] on [.noloc]`GitHub`. + + + +* `WARM_IP_TARGET` +* `MINIMUM_IP_TARGET` +* `WARM_PREFIX_TARGET` + + +[[cni-increase-ip-addresses-considerations,cni-increase-ip-addresses-considerations.title]] +== Considerations + +Consider the following when you use this feature: + + + +* Each Amazon EC2 instance type supports a maximum number of [.noloc]`Pods`. If your managed node group consists of multiple instance types, the smallest number of maximum [.noloc]`Pods` for an instance in the cluster is applied to all nodes in the cluster. +* By default, the maximum number of `Pods` that you can run on a node is 110, but you can change that number. If you change the number and have an existing managed node group, the next AMI or launch template update of your node group results in new nodes coming up with the changed value. +* When transitioning from assigning IP addresses to assigning IP prefixes, we recommend that you create new node groups to increase the number of available IP addresses, rather than doing a rolling replacement of existing nodes. Running [.noloc]`Pods` on a node that has both IP addresses and prefixes assigned can lead to inconsistency in the advertised IP address capacity, impacting the future workloads on the node. For the recommended way of performing the transition, see https://github.com/aws/aws-eks-best-practices/blob/master/content/networking/prefix-mode/index_windows.md#replace-all-nodes-during-migration-from-secondary-ip-mode-to-prefix-delegation-mode-or-vice-versa[Replace all nodes during migration from Secondary IP mode to Prefix Delegation mode or vice versa] in the Amazon EKS best practices guide. +* The security group scope is at the node-level - For more information, see link:vpc/latest/userguide/VPC_SecurityGroups.html[Security group,type="documentation"]. +* IP prefixes assigned to a network interface support high [.noloc]`Pod` density per node and have the best launch time. +* IP prefixes and IP addresses are associated with standard Amazon EC2 elastic network interfaces. Pods requiring specific security groups are assigned the primary IP address of a branch network interface. You can mix [.noloc]`Pods` getting IP addresses, or IP addresses from IP prefixes with [.noloc]`Pods` getting branch network interfaces on the same node. +* For clusters with Linux nodes only. ++ +** After you configure the add-on to assign prefixes to network interfaces, you can't downgrade your [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on to a version lower than `1.9.0` (or `1.10.1`) without removing all nodes in all node groups in your cluster. +** If you're also using security groups for [.noloc]`Pods`, with `POD_SECURITY_GROUP_ENFORCING_MODE`=``standard`` and `AWS_VPC_K8S_CNI_EXTERNALSNAT`=``false``, when your [.noloc]`Pods` communicate with endpoints outside of your VPC, the node's security groups are used, rather than any security groups you've assigned to your [.noloc]`Pods`. ++ +If you're also using <>, with `POD_SECURITY_GROUP_ENFORCING_MODE`=``strict``, when your `Pods` communicate with endpoints outside of your VPC, the `Pod's` security groups are used. + + +[.topic] + diff --git a/latest/ug/networking/cni-ipv6.adoc b/latest/ug/networking/cni-ipv6.adoc new file mode 100644 index 000000000..c753d9b9c --- /dev/null +++ b/latest/ug/networking/cni-ipv6.adoc @@ -0,0 +1,76 @@ +//!!NODE_ROOT
+[.topic] +[[cni-ipv6,cni-ipv6.title]] += Learn about IPv6 addresses to clusters, [.noloc]`Pods`, and services +:info_titleabbrev: IPv6 + +include::../attributes.txt[] + +include::deploy-ipv6-cluster.adoc[leveloffset=+1] + +[abstract] +-- +Learn how to deploy an `IPv6` cluster and nodes with Amazon EKS for assigning `IPv6` addresses to [.noloc]`Pods` and [.noloc]`services` instead of `IPv4`, leveraging IP prefix delegation and the latest [.noloc]`Amazon VPC CNI` plugin. +-- + +*Applies to*: [.noloc]`Pods` with Amazon EC2 instances and Fargate [.noloc]`Pods` + +By default, [.noloc]`Kubernetes` assigns `IPv4` addresses to your [.noloc]`Pods` and [.noloc]`services`. Instead of assigning `IPv4` addresses to your [.noloc]`Pods` and [.noloc]`services`, you can configure your cluster to assign `IPv6` addresses to them. Amazon EKS doesn't support dual-stacked [.noloc]`Pods` or [.noloc]`services`, even though [.noloc]`Kubernetes` does in version `1.23` and later. As a result, you can't assign both `IPv4` and `IPv6` addresses to your [.noloc]`Pods` and [.noloc]`services`. + +You select which IP family you want to use for your cluster when you create it. You can't change the family after you create the cluster. + +For a tutorial to deploy an Amazon EKS `IPv6` cluster, see <>. + +//[[ipv6-considerations,ipv6-considerations.title]] +//===== Considerations + +The following are considerations for using the feature: + +== `IPv6` Feature support + +* *No [.noloc]`Windows` support*: [.noloc]`Windows` [.noloc]`Pods` and [.noloc]`services` aren't supported. +* *Nitro-based EC2 nodes required*: You can only use `IPv6` with {aws} Nitro-based Amazon EC2 or Fargate nodes. +* *EC2 and Fargate nodes supported*: You can use `IPv6` with <> with Amazon EC2 nodes and Fargate nodes. +* *Outposts not supported*: You can't use `IPv6` with <>. +* *FSx for Lustre is not supported*: The <> is not supported. +* *Instance Metadata Service not supported*: Use of the Amazon EC2 link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html[Instance Metadata Service,type="documentation"] `IPv6` endpoint is not supported with Amazon EKS. +* *Custom networking not supported*: If you previously used <> to help alleviate IP address exhaustion, you can use `IPv6` instead. You can't use custom networking with `IPv6`. If you use custom networking for network isolation, then you might need to continue to use custom networking and the `IPv4` family for your clusters. + + +== IP address assignments + +* *Kubernetes services*: Kubernetes services are only assigned an `IPv6` addresses. They aren't assigned IPv4 addresses. +* *Pods*: Pods are assigned an IPv6 address and a host-local IPv4 address. The host-local IPv4 address is assigned by using a host-local CNI plugin chained with VPC CNI and the address is not reported to the Kubernetes control plane. It is only used when a pod needs to communicate with an external IPv4 resources in another Amazon VPC or the internet. The host-local IPv4 address gets SNATed (by VPC CNI) to the primary IPv4 address of the primary ENI of the worker node. +* *Pods and services*: [.noloc]`Pods` and [.noloc]`services` are only assigned an `IPv6` address. They aren't assigned an `IPv4` address. Because [.noloc]`Pods` are able to communicate to `IPv4` endpoints through NAT on the instance itself, link:vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-nat64-dns64[DNS64 and NAT64,type="documentation"] aren't needed. If the traffic needs a public IP address, the traffic is then source network address translated to a public IP. +* *Routing addresses*: The source `IPv6` address of a [.noloc]`Pod` isn't source network address translated to the `IPv6` address of the node when communicating outside of the VPC. It is routed using an internet gateway or egress-only internet gateway. +* *Nodes*: All nodes are assigned an `IPv4` and `IPv6` address. +* *Fargate [.noloc]`Pods`*: Each Fargate [.noloc]`Pod` receives an `IPv6` address from the CIDR that's specified for the subnet that it's deployed in. The underlying hardware unit that runs Fargate [.noloc]`Pods` gets a unique `IPv4` and `IPv6` address from the CIDRs that are assigned to the subnet that the hardware unit is deployed in. + + +== How to use `IPv6` with EKS + +* *Create new cluster*: You must create a new cluster and specify that you want to use the `IPv6` family for that cluster. You can't enable the `IPv6` family for a cluster that you updated from a previous version. For instructions on how to create a new cluster, see Considerations . +* *Use recent VPC CNI*: Deploy Amazon VPC CNI version `1.10.1` or later. This version or later is deployed by default. After you deploy the add-on, you can't downgrade your Amazon VPC CNI add-on to a version lower than `1.10.1` without first removing all nodes in all node groups in your cluster. +* *Configure VPC CNI for `IPv6`*: If you use Amazon EC2 nodes, you must configure the Amazon VPC CNI add-on with IP prefix delegation and `IPv6`. If you choose the `IPv6` family when creating your cluster, the `1.10.1` version of the add-on defaults to this configuration. This is the case for both a self-managed or Amazon EKS add-on. For more information about IP prefix delegation, see <>. +* *Configure `IPv4` and `IPv6` addresses*: When you create a cluster, the VPC and subnets that you specify must have an `IPv6` CIDR block that's assigned to the VPC and subnets that you specify. They must also have an `IPv4` CIDR block assigned to them. This is because, even if you only want to use `IPv6`, a VPC still requires an `IPv4` CIDR block to function. For more information, see link:vpc/latest/userguide/working-with-vpcs.html#vpc-associate-ipv6-cidr[Associate an IPv6 CIDR block with your VPC,type="documentation"] in the Amazon VPC User Guide. +* *Auto-assign IPv6 addresses to nodes:* When you create your nodes, you must specify subnets that are configured to auto-assign `IPv6` addresses. Otherwise, you can't deploy your nodes. By default, this configuration is disabled. For more information, see link:vpc/latest/userguide/vpc-ip-addressing.html#subnet-ipv6[Modify the IPv6 addressing attribute for your subnet,type="documentation"] in the Amazon VPC User Guide. +* *Set route tables to use `IPv6`*: The route tables that are assigned to your subnets must have routes for `IPv6` addresses. For more information, see link:vpc/latest/userguide/vpc-migrate-ipv6.html[Migrate to IPv6,type="documentation"] in the Amazon VPC User Guide. +* *Set security groups for `IPv6`*: Your security groups must allow `IPv6` addresses. For more information, see link:vpc/latest/userguide/vpc-migrate-ipv6.html[Migrate to IPv6,type="documentation"] in the Amazon VPC User Guide. +* *Set up load balancer*: Use version `2.3.1` or later of the {aws} Load Balancer Controller to load balance HTTP applications using the <> or network traffic using the <> to `IPv6` [.noloc]`Pods` with either load balancer in IP mode, but not instance mode. For more information, see <>. +* *Add `IPv6` IAM policy*: You must attach an `IPv6` IAM policy to your node IAM or CNI IAM role. Between the two, we recommend that you attach it to a CNI IAM role. For more information, see <> and <>. +* *Evaluate all components*: Perform a thorough evaluation of your applications, Amazon EKS add-ons, and {aws} services that you integrate with before deploying `IPv6` clusters. This is to ensure that everything works as expected with `IPv6`. +* *Add `BootstrapArguments` self-managed node groups*: When creating a self-managed node group in a cluster that uses the `IPv6` family, user-data must include the following `BootstrapArguments` for the https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap.sh] file that runs at node start up. Replace [.replaceable]`your-cidr` with the `IPv6` [.noloc]`CIDR` range of your cluster's VPC. ++ +[source,bash,subs="verbatim,attributes"] +---- +--ip-family ipv6 --service-ipv6-cidr your-cidr +---- ++ +If you don't know the `IPv6` `CIDR` range for your cluster, you can see it with the following command (requires the {aws} CLI version `2.4.9` or later). ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks describe-cluster --name my-cluster --query cluster.kubernetesNetworkConfig.serviceIpv6Cidr --output text +---- + + diff --git a/latest/ug/networking/cni-network-policy-configure.adoc b/latest/ug/networking/cni-network-policy-configure.adoc new file mode 100644 index 000000000..bbcec8ee1 --- /dev/null +++ b/latest/ug/networking/cni-network-policy-configure.adoc @@ -0,0 +1,305 @@ +//!!NODE_ROOT
+[.topic] +[[cni-network-policy-configure,cni-network-policy-configure.title]] += Restrict Pod network traffic with [.noloc]`Kubernetes` network policies +:info_titleabbrev: Restrict network traffic + +include::../attributes.txt[] + +[abstract] +-- +Learn how to deploy [.noloc]`Kubernetes` network policies on your Amazon EKS cluster. +-- + +You can use a [.noloc]`Kubernetes` network policy to restrict network traffic to and from your [.noloc]`Pods`. For more information, see https://kubernetes.io/docs/concepts/services-networking/network-policies/[Network Policies] in the [.noloc]`Kubernetes` documentation. + +You must configure the following in order to use this feature: + +. Set up policy enforcement at [.noloc]`Pod` startup. You do this in the `aws-node` container of the VPC CNI `DaemonSet`. +. Enable the network policy parameter for the add-on. +. Configure your cluster to use the [.noloc]`Kubernetes` network policy + +Before you begin, review the considerations. For more information, see <>. + +[[cni-network-policy-prereqs,cni-network-policy-prereqs.title]] +== Prerequisites + +The following are prerequisites for the feature: + + + +* +.Minimum cluster version +An existing Amazon EKS cluster. To deploy one, see <>. The cluster must be [.noloc]`Kubernetes` version `1.25` or later. The cluster must be running one of the [.noloc]`Kubernetes` versions and platform versions listed in the following table. Note that any [.noloc]`Kubernetes` and platform versions later than those listed are also supported. You can check your current [.noloc]`Kubernetes` version by replacing [.replaceable]`my-cluster` in the following command with the name of your cluster and then running the modified command: ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks describe-cluster + --name my-cluster --query cluster.version --output + text +---- ++ +[cols="1,1", options="header"] +|=== +|Kubernetes version +|Platform version + + +|`1.27.4` +|`eks.5` + +|`1.26.7` +|`eks.6` + +|`1.25.12` +|`eks.7` +|=== +* +.Minimum VPC CNI version +Version `1.14` or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` on your cluster. You can see which version that you currently have with the following command. ++ +[source,shell,subs="verbatim,attributes"] +---- +kubectl describe daemonset aws-node --namespace kube-system | grep amazon-k8s-cni: | cut -d : -f 3 +---- ++ +If your version is earlier than `1.14`, see <> to upgrade to version `1.14` or later. +* +.Minimum Linux kernel version +Your nodes must have Linux kernel version `5.10` or later. You can check your kernel version with `uname -r`. If you're using the latest versions of the Amazon EKS optimized Amazon Linux, Amazon EKS optimized accelerated Amazon Linux AMIs, and Bottlerocket AMIs, they already have the required kernel version. ++ +The Amazon EKS optimized accelerated Amazon Linux AMI version `v20231116` or later have kernel version `5.10`. + + +[[cni-network-policy-configure-policy,cni-network-policy-configure-policy.title]] +== Step 1: Set up policy enforcement at [.noloc]`Pod` startup + + +The [.noloc]`Amazon VPC CNI plugin for Kubernetes` configures network policies for pods in parallel with the pod provisioning. Until all of the policies are configured for the new pod, containers in the new pod will start with a _default allow policy_. This is called _standard mode_. A default allow policy means that all ingress and egress traffic is allowed to and from the new pods. For example, the pods will not have any firewall rules enforced (all traffic is allowed) until the new pod is updated with the active policies. + +With the `NETWORK_POLICY_ENFORCING_MODE` variable set to `strict`, pods that use the VPC CNI start with a _default deny policy_, then policies are configured. This is called _strict mode_. In strict mode, you must have a network policy for every endpoint that your pods need to access in your cluster. Note that this requirement applies to the [.noloc]`CoreDNS` pods. The default deny policy isn't configured for pods with Host networking. + +You can change the default network policy by setting the environment variable `NETWORK_POLICY_ENFORCING_MODE` to `strict` in the `aws-node` container of the VPC CNI `DaemonSet`. + +[source,yaml,subs="verbatim,attributes"] +---- +env: + - name: NETWORK_POLICY_ENFORCING_MODE + value: "strict" +---- + + +[[enable-network-policy-parameter,enable-network-policy-parameter.title]] +== Step 2: Enable the network policy parameter for the add-on + +The network policy feature uses port `8162` on the node for metrics by default. Also, the feature used port `8163` for health probes. If you run another application on the nodes or inside pods that needs to use these ports, the app fails to run. In VPC CNI version `v1.14.1` or later, you can change these ports. + +Use the following procedure to enable the network policy parameter for the add-on. + + + +{aws-management-console}:: +.. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. +.. In the left navigation pane, select *Clusters*, and then select the name of the cluster that you want to configure the Amazon VPC CNI add-on for. +.. Choose the *Add-ons* tab. +.. Select the box in the top right of the add-on box and then choose *Edit*. +.. On the *Configure [.replaceable]`name of add-on`* page: ++ +... Select a `v1.14.0-eksbuild.3` or later version in the *Version* list. +... Expand the *Optional configuration settings*. +... Enter the JSON key `"enableNetworkPolicy":` and value `"true"` in *Configuration values*. The resulting text must be a valid JSON object. If this key and value are the only data in the text box, surround the key and value with curly braces `{ }`. ++ +The following example has network policy feature enabled and metrics and health probes are set to the default port numbers: ++ +[source,json,subs="verbatim,attributes"] +---- +{ + "enableNetworkPolicy": "true", + "nodeAgent": { + "healthProbeBindAddr": "8163", + "metricsBindAddr": "8162" + } +} +---- + + +Helm:: + +If you have installed the [.noloc]`Amazon VPC CNI plugin for Kubernetes` through `helm`, you can update the configuration to change the ports. + +.. Run the following command to change the ports. Set the port number in the value for either key `nodeAgent.metricsBindAddr` or key `nodeAgent.healthProbeBindAddr`, respectively. ++ +[source,shell,subs="verbatim,attributes"] +---- +helm upgrade --set nodeAgent.metricsBindAddr=8162 --set nodeAgent.healthProbeBindAddr=8163 aws-vpc-cni --namespace kube-system eks/aws-vpc-cni +---- + + +[.noloc]`kubectl`:: +.. Open the `aws-node` `DaemonSet` in your editor. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl edit daemonset -n kube-system aws-node +---- +.. Replace the port numbers in the following command arguments in the `args:` in the `aws-network-policy-agent` container in the VPC CNI `aws-node` daemonset manifest. ++ +[source,yaml,subs="verbatim,attributes"] +---- + - args: + - --metrics-bind-addr=:8162 + - --health-probe-bind-addr=:8163 +---- + + +[[cni-mount-bpf,cni-mount-bpf.title]] +== Step 3: Mount the Berkeley Packet Filter (BPF) file system on your nodes + +You must mount the Berkeley Packet Filter (BPF) file system on each of your nodes. + +[NOTE] +==== + +If your cluster is version `1.27` or later, you can skip this step as all Amazon EKS optimized Amazon Linux and Bottlerocket AMIs for `1.27` or later have this feature already. + +For all other cluster versions, if you upgrade the Amazon EKS optimized Amazon Linux to version `v20230703` or later or you upgrade the Bottlerocket AMI to version `v1.0.2` or later, you can skip this step. + +==== +. Mount the Berkeley Packet Filter (BPF) file system on each of your nodes. ++ +[source,shell,subs="verbatim,attributes"] +---- +sudo mount -t bpf bpffs /sys/fs/bpf +---- +. Then, add the same command to your user data in your launch template for your Amazon EC2 Auto Scaling Groups. + + +[[cni-network-policy-setup,cni-network-policy-setup.title]] +== Step 4: Configure your cluster to use [.noloc]`Kubernetes` network policies + +Configure the cluster to use [.noloc]`Kubernetes` network policies. You can set this for an Amazon EKS add-on or self-managed add-on. + + +[[cni-network-policy-setup-procedure-add-on,cni-network-policy-setup-procedure-add-on.title]] +.Amazon EKS add-on +[%collapsible] +==== + +{aws-management-console}:: +.. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. +.. In the left navigation pane, select *Clusters*, and then select the name of the cluster that you want to configure the Amazon VPC CNI add-on for. +.. Choose the *Add-ons* tab. +.. Select the box in the top right of the add-on box and then choose *Edit*. +.. On the *Configure [.replaceable]`name of addon`* page: ++ +... Select a `v1.14.0-eksbuild.3` or later version in the *Version* list. +... Expand the *Optional configuration settings*. +... Enter the JSON key `"enableNetworkPolicy":` and value `"true"` in *Configuration values*. The resulting text must be a valid JSON object. If this key and value are the only data in the text box, surround the key and value with curly braces `{ }`. The following example shows network policy is enabled: ++ +[source,json,subs="verbatim,attributes"] +---- +{ "enableNetworkPolicy": "true" } +---- ++ +The following screenshot shows an example of this scenario. ++ +image::images/console-cni-config-network-policy.png[{aws-management-console} showing the VPC CNI add-on with network policy in the optional configuration.,scaledwidth=80%] + + +{aws} CLI:: +.. Run the following {aws} CLI command. Replace `my-cluster` with the name of your cluster and the IAM role ARN with the role that you are using. ++ +[source,shell,subs="verbatim,attributes"] +---- +aws eks update-addon --cluster-name my-cluster --addon-name vpc-cni --addon-version v1.14.0-eksbuild.3 \ + --service-account-role-arn {arn-aws}iam::123456789012:role/AmazonEKSVPCCNIRole \ + --resolve-conflicts PRESERVE --configuration-values '{"enableNetworkPolicy": "true"}' +---- + +==== + +[[cni-network-policy-setup-procedure-self-managed-add-on,cni-network-policy-setup-procedure-self-managed-add-on.title]] +.Self-managed add-on +[%collapsible] +==== + +Helm:: + +If you have installed the [.noloc]`Amazon VPC CNI plugin for Kubernetes` through `helm`, you can update the configuration to enable network policy. + +.. Run the following command to enable network policy. ++ +[source,shell,subs="verbatim,attributes"] +---- +helm upgrade --set enableNetworkPolicy=true aws-vpc-cni --namespace kube-system eks/aws-vpc-cni +---- + + +[.noloc]`kubectl`:: +.. Open the `amazon-vpc-cni` `ConfigMap` in your editor. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl edit configmap -n kube-system amazon-vpc-cni -o yaml +---- +.. Add the following line to the `data` in the `ConfigMap`. ++ +[source,bash,subs="verbatim,attributes"] +---- +enable-network-policy-controller: "true" +---- ++ +Once you've added the line, your `ConfigMap` should look like the following example. ++ +[source,yaml,subs="verbatim,attributes"] +---- +apiVersion: v1 + kind: ConfigMap + metadata: + name: amazon-vpc-cni + namespace: kube-system + data: + enable-network-policy-controller: "true" +---- +.. Open the `aws-node` `DaemonSet` in your editor. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl edit daemonset -n kube-system aws-node +---- +.. Replace the `false` with `true` in the command argument `--enable-network-policy=false` in the `args:` in the `aws-network-policy-agent` container in the VPC CNI `aws-node` daemonset manifest. ++ +[source,yaml,subs="verbatim,attributes"] +---- + - args: + - --enable-network-policy=true +---- + +==== + +[[cni-network-policy-setup-procedure-confirm,cni-network-policy-setup-procedure-confirm.title]] +== Step 5. Next steps + +After you complete the configuration, confirm that the `aws-node` pods are running on your cluster. + +[source,bash,subs="verbatim,attributes"] +---- +kubectl get pods -n kube-system | grep 'aws-node\|amazon' +---- + +An example output is as follows. + +[source,bash,subs="verbatim,attributes"] +---- +aws-node-gmqp7 2/2 Running 1 (24h ago) 24h +aws-node-prnsh 2/2 Running 1 (24h ago) 24h +---- + +There are 2 containers in the `aws-node` pods in versions `1.14` and later. In previous versions and if network policy is disabled, there is only a single container in the `aws-node` pods. + +You can now deploy [.noloc]`Kubernetes` network policies to your cluster. + +To implement [.noloc]`Kubernetes` network policies you create [.noloc]`Kubernetes` `NetworkPolicy` objects and deploy them to your cluster. `NetworkPolicy` objects are scoped to a namespace. You implement policies to allow or deny traffic between [.noloc]`Pods` based on label selectors, namespaces, and IP address ranges. For more information about creating `NetworkPolicy` objects, see https://kubernetes.io/docs/concepts/services-networking/network-policies/#networkpolicy-resource[Network Policies] in the [.noloc]`Kubernetes` documentation. + +Enforcement of [.noloc]`Kubernetes` `NetworkPolicy` objects is implemented using the [.noloc]`Extended Berkeley Packet Filter` ([.noloc]`eBPF`). Relative to `iptables` based implementations, it offers lower latency and performance characteristics, including reduced CPU utilization and avoiding sequential lookups. Additionally, [.noloc]`eBPF` probes provide access to context rich data that helps debug complex kernel level issues and improve observability. Amazon EKS supports an [.noloc]`eBPF`-based exporter that leverages the probes to log policy results on each node and export the data to external log collectors to aid in debugging. For more information, see the https://ebpf.io/what-is-ebpf/#what-is-ebpf[eBPF documentation]. + diff --git a/latest/ug/networking/cni-network-policy.adoc b/latest/ug/networking/cni-network-policy.adoc new file mode 100644 index 000000000..cbf1d1bc1 --- /dev/null +++ b/latest/ug/networking/cni-network-policy.adoc @@ -0,0 +1,65 @@ +//!!NODE_ROOT
+[.topic] +[[cni-network-policy,cni-network-policy.title]] += Limit [.noloc]`Pod` traffic with [.noloc]`Kubernetes` network policies +:info_titleabbrev: Kubernetes network policies + +include::../attributes.txt[] + +include::cni-network-policy-configure.adoc[leveloffset=+1] + +include::network-policy-disable.adoc[leveloffset=+1] + +include::network-policies-troubleshooting.adoc[leveloffset=+1] + +include::network-policy-stars-demo.adoc[leveloffset=+1] + +[abstract] +-- +Learn how to configure your Amazon EKS cluster to use [.noloc]`Kubernetes` network policies with the [.noloc]`Amazon VPC CNI` plugin. Control network traffic to and from pods using network policies for enhanced security. Covers network policy considerations, requirements, setup instructions, and troubleshooting tips. +-- + +By default, there are no restrictions in [.noloc]`Kubernetes` for IP addresses, ports, or connections between any [.noloc]`Pods` in your cluster or between your [.noloc]`Pods` and resources in any other network. You can use [.noloc]`Kubernetes` _network policy_ to restrict network traffic to and from your [.noloc]`Pods`. For more information, see https://kubernetes.io/docs/concepts/services-networking/network-policies/[Network Policies] in the [.noloc]`Kubernetes` documentation. + +If you have version `1.13` or earlier of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` on your cluster, you need to implement a third party solution to apply [.noloc]`Kubernetes` network policies to your cluster. Version `1.14` or later of the plugin can implement network policies, so you don't need to use a third party solution. In this topic, you learn how to configure your cluster to use [.noloc]`Kubernetes` network policy on your cluster without using a third party add-on. + +Network policies in the [.noloc]`Amazon VPC CNI plugin for Kubernetes` are supported in the following configurations. + + + +* Amazon EKS clusters of version `1.25` and later. +* Version 1.14 or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` on your cluster. +* Cluster configured for `IPv4` or `IPv6` addresses. +* You can use network policies with <>. With network policies, you can control all in-cluster communication. With security groups for [.noloc]`Pods`, you can control access to {aws} services from applications within a [.noloc]`Pod`. +* You can use network policies with _custom networking_ and _prefix delegation_. + + +[[cni-network-policy-considerations,cni-network-policy-considerations.title]] +== Considerations + +*Architecture* + +* When applying [.noloc]`Amazon VPC CNI plugin for Kubernetes` network policies to your cluster with the [.noloc]`Amazon VPC CNI plugin for Kubernetes` , you can apply the policies to Amazon EC2 Linux nodes only. You can't apply the policies to Fargate or Windows nodes. +* Network policies only apply either `IPv4` or `IPv6` addresses, but not both. In an `IPv4` cluster, the VPC CNI assigns `IPv4` address to pods and applies `IPv4` policies. In an `IPv6` cluster, the VPC CNI assigns `IPv6` address to pods and applies `IPv6` policies. Any `IPv4` network policy rules applied to an `IPv6` cluster are ignored. Any `IPv6` network policy rules applied to an `IPv4` cluster are ignored. + +*Network Policies* + +* Network Policies are only applied to [.noloc]`Pods` that are part of a [.noloc]`Deployment`. Standalone [.noloc]`Pods` that don't have a `metadata.ownerReferences` set can't have network policies applied to them. +* You can apply multiple network policies to the same [.noloc]`Pod`. When two or more policies that select the same [.noloc]`Pod` are configured, all policies are applied to the [.noloc]`Pod`. +* The maximum number of unique combinations of ports for each protocol in each `ingress:` or `egress:` selector in a network policy is 24. +* For any of your [.noloc]`Kubernetes` services, the service port must be the same as the container port. If you're using named ports, use the same name in the service spec too. + +*Migration* + +* If your cluster is currently using a third party solution to manage [.noloc]`Kubernetes` network policies, you can use those same policies with the [.noloc]`Amazon VPC CNI plugin for Kubernetes`. However you must remove your existing solution so that it isn't managing the same policies. + +*Installation* + +* The network policy feature creates and requires a `PolicyEndpoint` Custom Resource Definition (CRD) called `policyendpoints.networking.k8s.aws`. `PolicyEndpoint` objects of the Custom Resource are managed by Amazon EKS. You shouldn't modify or delete these resources. +* If you run pods that use the instance role IAM credentials or connect to the EC2 IMDS, be careful to check for network policies that would block access to the EC2 IMDS. You may need to add a network policy to allow access to EC2 IMDS. For more information, see link:AWSEC2/latest/UserGuide/ec2-instance-metadata.html[Instance metadata and user data,type="documentation"] in the Amazon EC2 User Guide. ++ +Pods that use _IAM roles for service accounts_ or _EKS Pod Identity_ don't access EC2 IMDS. +* The [.noloc]`Amazon VPC CNI plugin for Kubernetes` doesn't apply network policies to additional network interfaces for each pod, only the primary interface for each pod (`eth0`). This affects the following architectures: ++ +** `IPv6` pods with the `ENABLE_V4_EGRESS` variable set to `true`. This variable enables the `IPv4` egress feature to connect the IPv6 pods to `IPv4` endpoints such as those outside the cluster. The `IPv4` egress feature works by creating an additional network interface with a local loopback IPv4 address. +** When using chained network plugins such as [.noloc]`Multus`. Because these plugins add network interfaces to each pod, network policies aren't applied to the chained network plugins. diff --git a/latest/ug/networking/coredns-add-on-create.adoc b/latest/ug/networking/coredns-add-on-create.adoc new file mode 100644 index 000000000..7d9667bf7 --- /dev/null +++ b/latest/ug/networking/coredns-add-on-create.adoc @@ -0,0 +1,66 @@ +//!!NODE_ROOT
+[.topic] +[[coredns-add-on-create,coredns-add-on-create.title]] += Create the [.noloc]`CoreDNS` Amazon EKS add-on +:info_titleabbrev: Create + +include::../attributes.txt[] + +Create the [.noloc]`CoreDNS` Amazon EKS add-on. You must have a cluster before you create the add-on. For more information, see <>. + +. See which version of the add-on is installed on your cluster. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl describe deployment coredns --namespace kube-system | grep coredns: | cut -d : -f 3 +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +v1.10.1-eksbuild.13 +---- +. See which type of the add-on is installed on your cluster. Depending on the tool that you created your cluster with, you might not currently have the Amazon EKS add-on type installed on your cluster. Replace [.replaceable]`my-cluster` with the name of your cluster. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks describe-addon --cluster-name my-cluster --addon-name coredns --query addon.addonVersion --output text +---- ++ +If a version number is returned, you have the Amazon EKS type of the add-on installed on your cluster and don't need to complete the remaining steps in this procedure. If an error is returned, you don't have the Amazon EKS type of the add-on installed on your cluster. Complete the remaining steps of this procedure to install it. +. Save the configuration of your currently installed add-on. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl get deployment coredns -n kube-system -o yaml > aws-k8s-coredns-old.yaml +---- +. Create the add-on using the {aws} CLI. If you want to use the {aws-management-console} or `eksctl` to create the add-on, see <> and specify `coredns` for the add-on name. Copy the command that follows to your device. Make the following modifications to the command, as needed, and then run the modified command. ++ +** Replace [.replaceable]`my-cluster` with the name of your cluster. +** Replace [.replaceable]`v1.11.3-eksbuild.1` with the latest version listed in the <> for your cluster version. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks create-addon --cluster-name my-cluster --addon-name coredns --addon-version v1.11.3-eksbuild.1 +---- ++ +If you've applied custom settings to your current add-on that conflict with the default settings of the Amazon EKS add-on, creation might fail. If creation fails, you receive an error that can help you resolve the issue. Alternatively, you can add `--resolve-conflicts OVERWRITE` to the previous command. This allows the add-on to overwrite any existing custom settings. Once you've created the add-on, you can update it with your custom settings. +. Confirm that the latest version of the add-on for your cluster's [.noloc]`Kubernetes` version was added to your cluster. Replace [.replaceable]`my-cluster` with the name of your cluster. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks describe-addon --cluster-name my-cluster --addon-name coredns --query addon.addonVersion --output text +---- ++ +It might take several seconds for add-on creation to complete. ++ +An example output is as follows. ++ +[source,json,subs="verbatim,attributes"] +---- +v1.11.3-eksbuild.1 +---- +. If you made custom settings to your original add-on, before you created the Amazon EKS add-on, use the configuration that you saved in a previous step to update the Amazon EKS add-on with your custom settings. For instructions to update the add-on, see <>. + + diff --git a/latest/ug/networking/coredns-add-on-self-managed-update.adoc b/latest/ug/networking/coredns-add-on-self-managed-update.adoc new file mode 100644 index 000000000..8abf9dd8c --- /dev/null +++ b/latest/ug/networking/coredns-add-on-self-managed-update.adoc @@ -0,0 +1,132 @@ +//!!NODE_ROOT
+[.topic] +[[coredns-add-on-self-managed-update,coredns-add-on-self-managed-update.title]] += Update the [.noloc]`CoreDNS` Amazon EKS self-managed add-on +:info_titleabbrev: Update (self-managed) + +include::../attributes.txt[] + +[IMPORTANT] +==== + +We recommend adding the Amazon EKS type of the add-on to your cluster instead of using the self-managed type of the add-on. If you're not familiar with the difference between the types, see <>. For more information about adding an Amazon EKS add-on to your cluster, see <>. If you're unable to use the Amazon EKS add-on, we encourage you to submit an issue about why you can't to the https://github.com/aws/containers-roadmap/issues[Containers roadmap GitHub repository]. + +==== + +Before you begin, review the upgrade considerations. For more information, see <>. + +. Confirm that you have the self-managed type of the add-on installed on your cluster. Replace [.replaceable]`my-cluster` with the name of your cluster. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks describe-addon --cluster-name my-cluster --addon-name coredns --query addon.addonVersion --output text +---- ++ +If an error message is returned, you have the self-managed type of the add-on installed on your cluster. Complete the remaining steps in this procedure. If a version number is returned, you have the Amazon EKS type of the add-on installed on your cluster. To update the Amazon EKS type of the add-on, use the procedure in <>, rather than using this procedure. If you're not familiar with the differences between the add-on types, see <>. +. See which version of the container image is currently installed on your cluster. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl describe deployment coredns -n kube-system | grep Image | cut -d ":" -f 3 +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +v1.8.7-eksbuild.2 +---- +. If your current [.noloc]`CoreDNS` version is `v1.5.0` or later, but earlier than the version listed in the <> table, then skip this step. If your current version is earlier than `1.5.0`, then you need to modify the `ConfigMap` for [.noloc]`CoreDNS` to use the forward add-on, rather than the proxy add-on. ++ +.. Open the `ConfigMap` with the following command. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl edit configmap coredns -n kube-system +---- +.. Replace `proxy` in the following line with `forward`. Save the file and exit the editor. ++ +[source,bash,subs="verbatim,attributes"] +---- +proxy . /etc/resolv.conf +---- +. If you originally deployed your cluster on [.noloc]`Kubernetes` `1.17` or earlier, then you may need to remove a discontinued line from your [.noloc]`CoreDNS` manifest. ++ +IMPORTANT: You must complete this step before updating to [.noloc]`CoreDNS` version `1.7.0`, but it's recommended that you complete this step even if you're updating to an earlier version. ++ +.. Check to see if your [.noloc]`CoreDNS` manifest has the line. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl get configmap coredns -n kube-system -o jsonpath='{$.data.Corefile}' | grep upstream +---- ++ +If no output is returned, your manifest doesn't have the line and you can skip to the next step to update [.noloc]`CoreDNS`. If output is returned, then you need to remove the line. +.. Edit the `ConfigMap` with the following command, removing the line in the file that has the word `upstream` in it. Do not change anything else in the file. Once the line is removed, save the changes. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl edit configmap coredns -n kube-system -o yaml +---- +. Retrieve your current [.noloc]`CoreDNS` image version: ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl describe deployment coredns -n kube-system | grep Image +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +602401143452.dkr.ecr.region-code.amazonaws.com/eks/coredns:v1.8.7-eksbuild.2 +---- +. If you're updating to [.noloc]`CoreDNS` `1.8.3` or later, then you need to add the `endpointslices` permission to the `system:coredns` [.noloc]`Kubernetes` `clusterrole`. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl edit clusterrole system:coredns -n kube-system +---- ++ +Add the following lines under the existing permissions lines in the `rules` section of the file. ++ +[source,yaml,subs="verbatim,attributes"] +---- +[...] +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch +[...] +---- +. Update the [.noloc]`CoreDNS` add-on by replacing [.replaceable]`602401143452` and [.replaceable]`region-code` with the values from the output returned in a previous step. Replace [.replaceable]`v1.11.3-eksbuild.1` with the [.noloc]`CoreDNS` version listed in the <> for your [.noloc]`Kubernetes` version. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl set image deployment.apps/coredns -n kube-system coredns=602401143452.dkr.ecr.region-code.amazonaws.com/eks/coredns:v1.11.3-eksbuild.1 +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +deployment.apps/coredns image updated +---- +. Check the container image version again to confirm that it was updated to the version that you specified in the previous step. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl describe deployment coredns -n kube-system | grep Image | cut -d ":" -f 3 +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +v1.11.3-eksbuild.1 +---- + + diff --git a/latest/ug/networking/coredns-add-on-update.adoc b/latest/ug/networking/coredns-add-on-update.adoc new file mode 100644 index 000000000..bb3d5c6ca --- /dev/null +++ b/latest/ug/networking/coredns-add-on-update.adoc @@ -0,0 +1,79 @@ +//!!NODE_ROOT
+[.topic] +[[coredns-add-on-update,coredns-add-on-update.title]] += Update the [.noloc]`CoreDNS` Amazon EKS add-on +:info_titleabbrev: Update (Amazon EKS add-on) + +include::../attributes.txt[] + +Update the Amazon EKS type of the add-on. If you haven't added the Amazon EKS add-on to your cluster, either <> or see <>. + +Before you begin, review the upgrade considerations. For more information, see <>. + +. See which version of the add-on is installed on your cluster. Replace [.replaceable]`my-cluster` with your cluster name. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks describe-addon --cluster-name my-cluster --addon-name coredns --query "addon.addonVersion" --output text +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +v1.10.1-eksbuild.13 +---- ++ +If the version returned is the same as the version for your cluster's [.noloc]`Kubernetes` version in the <>, then you already have the latest version installed on your cluster and don't need to complete the rest of this procedure. If you receive an error, instead of a version number in your output, then you don't have the Amazon EKS type of the add-on installed on your cluster. You need to <> before you can update it with this procedure. +. Save the configuration of your currently installed add-on. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl get deployment coredns -n kube-system -o yaml > aws-k8s-coredns-old.yaml +---- +. Update your add-on using the {aws} CLI. If you want to use the {aws-management-console} or `eksctl` to update the add-on, see <>. Copy the command that follows to your device. Make the following modifications to the command, as needed, and then run the modified command. ++ +** Replace [.replaceable]`my-cluster` with the name of your cluster. +** Replace [.replaceable]`v1.11.3-eksbuild.1` with the latest version listed in the <> for your cluster version. +** The `--resolve-conflicts[.replaceable]``PRESERVE``` option preserves existing configuration values for the add-on. If you've set custom values for add-on settings, and you don't use this option, Amazon EKS overwrites your values with its default values. If you use this option, then we recommend testing any field and value changes on a non-production cluster before updating the add-on on your production cluster. If you change this value to `OVERWRITE`, all settings are changed to Amazon EKS default values. If you've set custom values for any settings, they might be overwritten with Amazon EKS default values. If you change this value to `none`, Amazon EKS doesn't change the value of any settings, but the update might fail. If the update fails, you receive an error message to help you resolve the conflict. +** If you're not updating a configuration setting, remove `--configuration-values '{[.replaceable]``"replicaCount":3``}'` from the command. If you're updating a configuration setting, replace [.replaceable]`"replicaCount":3` with the setting that you want to set. In this example, the number of replicas of [.noloc]`CoreDNS` is set to `3`. The value that you specify must be valid for the configuration schema. If you don't know the configuration schema, run `aws eks describe-addon-configuration --addon-name coredns --addon-version [.replaceable]``v1.11.3-eksbuild.1```, replacing [.replaceable]`v1.11.3-eksbuild.1` with the version number of the add-on that you want to see the configuration for. The schema is returned in the output. If you have any existing custom configuration, want to remove it all, and set the values for all settings back to Amazon EKS defaults, remove [.replaceable]`"replicaCount":3` from the command, so that you have empty `{}`. For more information about [.noloc]`CoreDNS` settings, see https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/[Customizing DNS Service] in the [.noloc]`Kubernetes` documentation. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks update-addon --cluster-name my-cluster --addon-name coredns --addon-version v1.11.3-eksbuild.1 \ + --resolve-conflicts PRESERVE --configuration-values '{"replicaCount":3}' +---- ++ +It might take several seconds for the update to complete. +. Confirm that the add-on version was updated. Replace [.replaceable]`my-cluster` with the name of your cluster. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks describe-addon --cluster-name my-cluster --addon-name coredns +---- ++ +It might take several seconds for the update to complete. ++ +An example output is as follows. ++ +[source,json,subs="verbatim,attributes"] +---- +{ + "addon": { + "addonName": "coredns", + "clusterName": "my-cluster", + "status": "ACTIVE", + "addonVersion": "v1.11.3-eksbuild.1", + "health": { + "issues": [] + }, + "addonArn": "{arn-aws}eks:region:111122223333:addon/my-cluster/coredns/d2c34f06-1111-2222-1eb0-24f64ce37fa4", + "createdAt": "2023-03-01T16:41:32.442000+00:00", + "modifiedAt": "2023-03-01T18:16:54.332000+00:00", + "tags": {}, + "configurationValues": "{\"replicaCount\":3}" + } +} +---- + + diff --git a/latest/ug/networking/coredns-autoscaling.adoc b/latest/ug/networking/coredns-autoscaling.adoc new file mode 100644 index 000000000..7e466ac32 --- /dev/null +++ b/latest/ug/networking/coredns-autoscaling.adoc @@ -0,0 +1,276 @@ +//!!NODE_ROOT
+[.topic] +[[coredns-autoscaling,coredns-autoscaling.title]] += Scale [.noloc]`CoreDNS Pods` for high DNS traffic +:info_titleabbrev: Scale for high traffic + +include::../attributes.txt[] + +[abstract] +-- +Learn how the Amazon EKS add-on for [.noloc]`CoreDNS` autoscales to handle increased load on DNS pods, improving application availability and cluster scalability. +-- + +When you launch an Amazon EKS cluster with at least one node, a [.noloc]`Deployment` of two replicas of the [.noloc]`CoreDNS` image are deployed by default, regardless of the number of nodes deployed in your cluster. The [.noloc]`CoreDNS` Pods provide name resolution for all Pods in the cluster. Applications use name resolution to connect to pods and services in the cluster as well as connecting to services outside the cluster. As the number of requests for name resolution (queries) from pods increase, the [.noloc]`CoreDNS` pods can get overwhelmed and slow down, and reject requests that the pods can`'t handle. + +To handle the increased load on the [.noloc]`CoreDNS` pods, consider an autoscaling system for [.noloc]`CoreDNS`. Amazon EKS can manage the autoscaling of the [.noloc]`CoreDNS` Deployment in the EKS Add-on version of [.noloc]`CoreDNS`. This [.noloc]`CoreDNS` autoscaler continuously monitors the cluster state, including the number of nodes and CPU cores. Based on that information, the controller will dynamically adapt the number of replicas of the [.noloc]`CoreDNS` deployment in an EKS cluster. This feature works for [.noloc]`CoreDNS` `v1.9` and EKS release version `1.25` and later. For more information about which versions are compatible with [.noloc]`CoreDNS` Autoscaling, see the following section. + +We recommend using this feature in conjunction with other https://aws.github.io/aws-eks-best-practices/cluster-autoscaling/[EKS Cluster Autoscaling best practices] to improve overall application availability and cluster scalability. + +[[coredns-autoscaling-prereqs,coredns-autoscaling-prereqs.title]] +== Prerequisites + +For Amazon EKS to scale your [.noloc]`CoreDNS` deployment, there are three prerequisites: + + + +* You must be using the _EKS Add-on_ version of [.noloc]`CoreDNS`. +* Your cluster must be running at least the minimum cluster versions and platform versions. +* Your cluster must be running at least the minimum version of the EKS Add-on of [.noloc]`CoreDNS`. + + +[[coredns-autoscaling-cluster-version,coredns-autoscaling-cluster-version.title]] +=== Minimum cluster version + +Autoscaling of [.noloc]`CoreDNS` is done by a new component in the cluster control plane, managed by Amazon EKS. Because of this, you must upgrade your cluster to an EKS release that supports the minimum platform version that has the new component. + +A new Amazon EKS cluster. To deploy one, see <>. The cluster must be [.noloc]`Kubernetes` version `1.25` or later. The cluster must be running one of the [.noloc]`Kubernetes` versions and platform versions listed in the following table or a later version. Note that any [.noloc]`Kubernetes` and platform versions later than those listed are also supported. You can check your current [.noloc]`Kubernetes` version by replacing [.replaceable]`my-cluster` in the following command with the name of your cluster and then running the modified command: + +[source,bash,subs="verbatim,attributes"] +---- +aws eks describe-cluster + --name my-cluster --query cluster.version --output + text +---- + +[cols="1,1", options="header"] +|=== +|Kubernetes version +|Platform version + + +|`1.29.3` +|`eks.7` + +|`1.28.8` +|`eks.13` + +|`1.27.12` +|`eks.17` + +|`1.26.15` +|`eks.18` + +|`1.25.16` +|`eks.19` +|=== + +[NOTE] +==== + +Every platform version of later [.noloc]`Kubernetes` versions are also supported, for example [.noloc]`Kubernetes` version `1.30` from `eks.1` and on. + +==== + +[[coredns-autoscaling-coredns-version,coredns-autoscaling-coredns-version.title]] +=== Minimum EKS Add-on version + +[cols="1,1,1,1,1,1", options="header"] +|=== +|Kubernetes version +|1.29 +|1.28 +|1.27 +|1.26 +|1.25 + + +| +|`v1.11.1-eksbuild.9` +|`v1.10.1-eksbuild.11` +|`v1.10.1-eksbuild.11` +|`v1.9.3-eksbuild.15` +|`v1.9.3-eksbuild.15` +|=== + + +[[coredns-autoscaling-console,coredns-autoscaling-console.title]] +.Configuring [.noloc]`CoreDNS` autoscaling in the {aws-management-console} +[%collapsible] +==== +. Ensure that your cluster is at or above the minimum cluster version. ++ +Amazon EKS upgrades clusters between platform versions of the same [.noloc]`Kubernetes` version automatically, and you can`'t start this process yourself. Instead, you can upgrade your cluster to the next [.noloc]`Kubernetes` version, and the cluster will be upgraded to that K8s version and the latest platform version. For example, if you upgrade from `1.25` to `1.26`, the cluster will upgrade to `1.26.15 eks.18`. ++ +New [.noloc]`Kubernetes` versions sometimes introduce significant changes. Therefore, we recommend that you test the behavior of your applications by using a separate cluster of the new [.noloc]`Kubernetes` version before you update your production clusters. ++ +To upgrade a cluster to a new [.noloc]`Kubernetes` version, follow the procedure in <>. +. Ensure that you have the EKS Add-on for [.noloc]`CoreDNS`, not the self-managed [.noloc]`CoreDNS` Deployment. ++ +Depending on the tool that you created your cluster with, you might not currently have the Amazon EKS add-on type installed on your cluster. To see which type of the add-on is installed on your cluster, you can run the following command. Replace `my-cluster` with the name of your cluster. ++ +[source,shell,subs="verbatim,attributes"] +---- +aws eks describe-addon --cluster-name my-cluster --addon-name coredns --query addon.addonVersion --output text +---- ++ +If a version number is returned, you have the Amazon EKS type of the add-on installed on your cluster and you can continue with the next step. If an error is returned, you don't have the Amazon EKS type of the add-on installed on your cluster. Complete the remaining steps of the procedure <> to replace the self-managed version with the Amazon EKS add-on. +. Ensure that your EKS Add-on for [.noloc]`CoreDNS` is at a version the same or higher than the minimum EKS Add-on version. ++ +See which version of the add-on is installed on your cluster. You can check in the {aws-management-console} or run the following command: ++ +[source,shell,subs="verbatim,attributes"] +---- +kubectl describe deployment coredns --namespace kube-system | grep coredns: | cut -d : -f 3 +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +v1.10.1-eksbuild.13 +---- ++ +Compare this version with the minimum EKS Add-on version in the previous section. If needed, upgrade the EKS Add-on to a higher version by following the procedure <>. +. Add the autoscaling configuration to the *Optional configuration settings* of the EKS Add-on. ++ +.. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. +.. In the left navigation pane, select *Clusters*, and then select the name of the cluster that you want to configure the add-on for. +.. Choose the *Add-ons* tab. +.. Select the box in the top right of the [.noloc]`CoreDNS` add-on box and then choose *Edit*. +.. On the *Configure [.noloc]`CoreDNS`* page: ++ +... Select the *Version* that you'd like to use. We recommend that you keep the same version as the previous step, and update the version and configuration in separate actions. +... Expand the *Optional configuration settings*. +... Enter the JSON key `"autoscaling":` and value of a nested JSON object with a key `"enabled":` and value `true` in *Configuration values*. The resulting text must be a valid JSON object. If this key and value are the only data in the text box, surround the key and value with curly braces `{ }`. The following example shows autoscaling is enabled: ++ +[source,json,subs="verbatim,attributes"] +---- +{ + "autoScaling": { + "enabled": true + } +} +---- +... (Optional) You can provide minimum and maximum values that autoscaling can scale the number of [.noloc]`CoreDNS` pods to. ++ +The following example shows autoscaling is enabled and all of the optional keys have values. We recommend that the minimum number of [.noloc]`CoreDNS` pods is always greater than 2 to provide resilience for the DNS service in the cluster. ++ +[source,json,subs="verbatim,attributes"] +---- +{ + "autoScaling": { + "enabled": true, + "minReplicas": 2, + "maxReplicas": 10 + } +} +---- +.. To apply the new configuration by replacing the [.noloc]`CoreDNS` pods, choose *Save changes*. ++ +Amazon EKS applies changes to the EKS Add-ons by using a _rollout_ of the [.noloc]`Kubernetes` Deployment for CoreDNS. You can track the status of the rollout in the *Update history* of the add-on in the {aws-management-console} and with `kubectl rollout status deployment/coredns --namespace kube-system`. ++ +`kubectl rollout` has the following commands: ++ +[source,shell,subs="verbatim,attributes"] +---- +kubectl rollout + +history -- View rollout history +pause -- Mark the provided resource as paused +restart -- Restart a resource +resume -- Resume a paused resource +status -- Show the status of the rollout +undo -- Undo a previous rollout +---- ++ +If the rollout takes too long, Amazon EKS will undo the rollout, and a message with the type of *Addon Update* and a status of *Failed* will be added to the *Update history* of the add-on. To investigate any issues, start from the history of the rollout, and run `kubectl logs` on a [.noloc]`CoreDNS` pod to see the logs of [.noloc]`CoreDNS`. +. If the new entry in the *Update history* has a status of *Successful*, then the rollout has completed and the add-on is using the new configuration in all of the [.noloc]`CoreDNS` pods. As you change the number of nodes and CPU cores of nodes in the cluster, Amazon EKS scales the number of replicas of the [.noloc]`CoreDNS` deployment. + +==== + +[[coredns-autoscaling-cli,coredns-autoscaling-cli.title]] +.Configuring [.noloc]`CoreDNS` autoscaling in the {aws} Command Line Interface +[%collapsible] +==== +. Ensure that your cluster is at or above the minimum cluster version. ++ +Amazon EKS upgrades clusters between platform versions of the same [.noloc]`Kubernetes` version automatically, and you can`'t start this process yourself. Instead, you can upgrade your cluster to the next [.noloc]`Kubernetes` version, and the cluster will be upgraded to that K8s version and the latest platform version. For example, if you upgrade from `1.25` to `1.26`, the cluster will upgrade to `1.26.15 eks.18`. ++ +New [.noloc]`Kubernetes` versions sometimes introduce significant changes. Therefore, we recommend that you test the behavior of your applications by using a separate cluster of the new [.noloc]`Kubernetes` version before you update your production clusters. ++ +To upgrade a cluster to a new [.noloc]`Kubernetes` version, follow the procedure in <>. +. Ensure that you have the EKS Add-on for [.noloc]`CoreDNS`, not the self-managed [.noloc]`CoreDNS` Deployment. ++ +Depending on the tool that you created your cluster with, you might not currently have the Amazon EKS add-on type installed on your cluster. To see which type of the add-on is installed on your cluster, you can run the following command. Replace `my-cluster` with the name of your cluster. ++ +[source,shell,subs="verbatim,attributes"] +---- +aws eks describe-addon --cluster-name my-cluster --addon-name coredns --query addon.addonVersion --output text +---- ++ +If a version number is returned, you have the Amazon EKS type of the add-on installed on your cluster. If an error is returned, you don't have the Amazon EKS type of the add-on installed on your cluster. Complete the remaining steps of the procedure <> to replace the self-managed version with the Amazon EKS add-on. +. Ensure that your EKS Add-on for [.noloc]`CoreDNS` is at a version the same or higher than the minimum EKS Add-on version. ++ +See which version of the add-on is installed on your cluster. You can check in the {aws-management-console} or run the following command: ++ +[source,shell,subs="verbatim,attributes"] +---- +kubectl describe deployment coredns --namespace kube-system | grep coredns: | cut -d : -f 3 +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +v1.10.1-eksbuild.13 +---- ++ +Compare this version with the minimum EKS Add-on version in the previous section. If needed, upgrade the EKS Add-on to a higher version by following the procedure <>. +. Add the autoscaling configuration to the *Optional configuration settings* of the EKS Add-on. ++ +Run the following {aws} CLI command. Replace `my-cluster` with the name of your cluster and the IAM role ARN with the role that you are using. ++ +[source,shell,subs="verbatim,attributes"] +---- +aws eks update-addon --cluster-name my-cluster --addon-name coredns \ + --resolve-conflicts PRESERVE --configuration-values '{"autoScaling":{"enabled":true}}' +---- ++ +Amazon EKS applies changes to the EKS Add-ons by using a _rollout_ of the [.noloc]`Kubernetes` Deployment for CoreDNS. You can track the status of the rollout in the *Update history* of the add-on in the {aws-management-console} and with `kubectl rollout status deployment/coredns --namespace kube-system`. ++ +`kubectl rollout` has the following commands: ++ +[source,shell,subs="verbatim,attributes"] +---- +kubectl rollout + +history -- View rollout history +pause -- Mark the provided resource as paused +restart -- Restart a resource +resume -- Resume a paused resource +status -- Show the status of the rollout +undo -- Undo a previous rollout +---- ++ +If the rollout takes too long, Amazon EKS will undo the rollout, and a message with the type of *Addon Update* and a status of *Failed* will be added to the *Update history* of the add-on. To investigate any issues, start from the history of the rollout, and run `kubectl logs` on a [.noloc]`CoreDNS` pod to see the logs of [.noloc]`CoreDNS`. +. (Optional) You can provide minimum and maximum values that autoscaling can scale the number of [.noloc]`CoreDNS` pods to. ++ +The following example shows autoscaling is enabled and all of the optional keys have values. We recommend that the minimum number of [.noloc]`CoreDNS` pods is always greater than 2 to provide resilience for the DNS service in the cluster. ++ +[source,shell,subs="verbatim,attributes"] +---- +aws eks update-addon --cluster-name my-cluster --addon-name coredns \ + --resolve-conflicts PRESERVE --configuration-values '{"autoScaling":{"enabled":true,"minReplicas":2,"maxReplicas":10}}' +---- +. Check the status of the update to the add-on by running the following command: ++ +[source,shell,subs="verbatim,attributes"] +---- +aws eks describe-addon --cluster-name my-cluster --addon-name coredns \ +---- ++ +If you see this line: `"status": "ACTIVE"`, then the rollout has completed and the add-on is using the new configuration in all of the [.noloc]`CoreDNS` pods. As you change the number of nodes and CPU cores of nodes in the cluster, Amazon EKS scales the number of replicas of the [.noloc]`CoreDNS` deployment. + +==== + diff --git a/latest/ug/networking/coredns-metrics.adoc b/latest/ug/networking/coredns-metrics.adoc new file mode 100644 index 000000000..a405075f9 --- /dev/null +++ b/latest/ug/networking/coredns-metrics.adoc @@ -0,0 +1,17 @@ +//!!NODE_ROOT
+[.topic] +[[coredns-metrics,coredns-metrics.title]] += Monitor [.noloc]`Kubernetes` DNS resolution with [.noloc]`CoreDNS` metrics +:info_titleabbrev: Monitor DNS resolution + +include::../attributes.txt[] + +[abstract] +-- +Learn how to collect [.noloc]`CoreDNS` metrics in Amazon EKS using Prometheus or CloudWatch Agent, enabling monitoring and observability for your [.noloc]`Kubernetes` DNS resolution. +-- + +[.noloc]`CoreDNS` as an EKS add-on exposes the metrics from [.noloc]`CoreDNS` on port `9153` in the Prometheus format in the `kube-dns` service. You can use Prometheus, the Amazon CloudWatch agent, or any other compatible system to scrape (collect) these metrics. + +For an example _scrape configuration_ that is compatible with both Prometheus and the CloudWatch agent, see link:AmazonCloudWatch/latest/monitoring/ContainerInsights-Prometheus-Setup-configure.html[CloudWatch agent configuration for Prometheus,type="documentation"] in the _Amazon CloudWatch User Guide_. + diff --git a/latest/ug/networking/deploy-ipv6-cluster.adoc b/latest/ug/networking/deploy-ipv6-cluster.adoc new file mode 100644 index 000000000..132da8e0b --- /dev/null +++ b/latest/ug/networking/deploy-ipv6-cluster.adoc @@ -0,0 +1,507 @@ +//!!NODE_ROOT
+[.topic] +[[deploy-ipv6-cluster,deploy-ipv6-cluster.title]] += Deploying an Amazon EKS `IPv6` cluster and managed Amazon Linux nodes +:info_titleabbrev: Deploy + +include::../attributes.txt[] + +In this tutorial, you deploy an `IPv6` Amazon VPC, an Amazon EKS cluster with the `IPv6` family, and a managed node group with Amazon EC2 Amazon Linux nodes. You can't deploy Amazon EC2 [.noloc]`Windows` nodes in an `IPv6` cluster. You can also deploy Fargate nodes to your cluster, though those instructions aren't provided in this topic for simplicity. + +== Prerequisites + +Complete the following before you start the tutorial: + +Install and configure the following tools and resources that you need to create and manage an Amazon EKS cluster. + +* We recommend that you familiarize yourself with all settings and deploy a cluster with the settings that meet your requirements. For more information, see <>, <>, and the <> for this topic. You can only enable some settings when creating your cluster. +* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. +* The IAM security principal that you're using must have permissions to work with Amazon EKS IAM roles, service linked roles, {aws} CloudFormation, a VPC, and related resources. For more information, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html[Actions, resources, and condition keys for Amazon Elastic Kubernetes Service,type="documentation"] and link:IAM/latest/UserGuide/using-service-linked-roles.html[Using service-linked roles,type="documentation"] in the IAM User Guide. +* If you use the [.noloc]`eksctl`, install version `{eksctl-min-version}` or later on your computer. To install or update to it, see https://eksctl.io/installation[Installation] in the `eksctl` documentation. +* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. If you use the {aws} CloudShell, you may need to link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[install version 2.12.3 or later or 1.27.160 or later of the {aws} CLI,type="documentation"], because the default {aws} CLI version installed in the {aws} CloudShell may be an earlier version. + + +//[[deploy-ipv6-cluster-procedure,deploy-ipv6-cluster-procedure.title]] +//====== Procedure + +You can use the [.noloc]`eksctl` or CLI to deploy an `IPv6` cluster. + + +== Deploy an IPv6 cluster with [.noloc]`eksctl` + +.. Create the `ipv6-cluster.yaml` file. Copy the command that follows to your device. Make the following modifications to the command as needed and then run the modified command: ++ +*** Replace [.replaceable]`my-cluster` with a name for your cluster. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. +*** Replace [.replaceable]`region-code` with any {aws} Region that is supported by Amazon EKS. For a list of {aws} Regions, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"] in the {aws} General Reference guide. +*** The value for `version` with the version of your cluster. For more information, see <>. +*** Replace [.replaceable]`my-nodegroup` with a name for your node group. The node group name can't be longer than 63 characters. It must start with letter or digit, but can also include hyphens and underscores for the remaining characters. +*** Replace [.replaceable]`t3.medium` with any link:AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances[{aws} Nitro System instance type,type="documentation"]. ++ +[source,yaml,subs="verbatim,attributes"] +---- +cat >ipv6-cluster.yaml < +aws-node-t74jh 1/1 Running 0 5m32s 2600:1f13:b66:8203:4516:2080:8ced:1ca9 ip-192-168-253-70.region-code.compute.internal +coredns-85d5b4454c-cw7w2 1/1 Running 0 56m 2600:1f13:b66:8203:34e5:: ip-192-168-253-70.region-code.compute.internal +coredns-85d5b4454c-tx6n8 1/1 Running 0 56m 2600:1f13:b66:8203:34e5::1 ip-192-168-253-70.region-code.compute.internal +kube-proxy-btpbk 1/1 Running 0 5m36s 2600:1f13:b66:8200:11a5:ade0:c590:6ac8 ip-192-168-34-75.region-code.compute.internal +kube-proxy-jjk2g 1/1 Running 0 5m33s 2600:1f13:b66:8203:4516:2080:8ced:1ca9 ip-192-168-253-70.region-code.compute.internal +---- +.. Confirm that default services are assigned `IPv6` addresses. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl get services -n kube-system -o wide +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR +kube-dns ClusterIP fd30:3087:b6c2::a 53/UDP,53/TCP 57m k8s-app=kube-dns +---- +.. (Optional) <> or deploy the <> and a sample application to load balance HTTP applications with <> or network traffic with <> to `IPv6` [.noloc]`Pods`. +.. After you've finished with the cluster and nodes that you created for this tutorial, you should clean up the resources that you created with the following command. ++ +[source,bash,subs="verbatim,attributes"] +---- +eksctl delete cluster my-cluster +---- + + +== Deploy an IPv6 cluster with {aws} CLI + +[IMPORTANT] +==== +** You must complete all steps in this procedure as the same user. To check the current user, run the following command: ++ +[source,bash,subs="verbatim,attributes"] +---- +aws sts get-caller-identity +---- +** You must complete all steps in this procedure in the same shell. Several steps use variables set in previous steps. Steps that use variables won't function properly if the variable values are set in a different shell. If you use the link:cloudshell/latest/userguide/welcome.html[{aws} CloudShell,type="documentation"] to complete the following procedure, remember that if you don't interact with it using your keyboard or pointer for approximately 20–30 minutes, your shell session ends. Running processes do not count as interactions. +** The instructions are written for the Bash shell, and may need adjusting in other shells. +==== + + +Replace all [.replaceable]`example values` in the steps of this procedure with your own values. + +.. Run the following commands to set some variables used in later steps. Replace [.replaceable]`region-code` with the {aws} Region that you want to deploy your resources in. The value can be any {aws} Region that is supported by Amazon EKS. For a list of {aws} Regions, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"] in the {aws} General Reference guide. Replace [.replaceable]`my-cluster` with a name for your cluster. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. Replace [.replaceable]`my-nodegroup` with a name for your node group. The node group name can't be longer than 63 characters. It must start with letter or digit, but can also include hyphens and underscores for the remaining characters. Replace [.replaceable]`111122223333` with your account ID. ++ +[source,bash,subs="verbatim,attributes"] +---- +export region_code=region-code +export cluster_name=my-cluster +export nodegroup_name=my-nodegroup +export account_id=111122223333 +---- +.. Create an Amazon VPC with public and private subnets that meets Amazon EKS and `IPv6` requirements. ++ +... Run the following command to set a variable for your {aws} CloudFormation stack name. You can replace [.replaceable]`my-eks-ipv6-vpc` with any name you choose. ++ +[source,bash,subs="verbatim,attributes"] +---- +export vpc_stack_name=my-eks-ipv6-vpc +---- +... Create an `IPv6` VPC using an {aws} CloudFormation template. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws cloudformation create-stack --region $region_code --stack-name $vpc_stack_name \ + --template-url https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2020-10-29/amazon-eks-ipv6-vpc-public-private-subnets.yaml +---- ++ +The stack takes a few minutes to create. Run the following command. Don't continue to the next step until the output of the command is `CREATE_COMPLETE`. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws cloudformation describe-stacks --region $region_code --stack-name $vpc_stack_name --query Stacks[].StackStatus --output text +---- +... Retrieve the IDs of the public subnets that were created. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws cloudformation describe-stacks --region $region_code --stack-name $vpc_stack_name \ + --query='Stacks[].Outputs[?OutputKey==`SubnetsPublic`].OutputValue' --output text +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +subnet-0a1a56c486EXAMPLE,subnet-099e6ca77aEXAMPLE +---- +... Enable the auto-assign `IPv6` address option for the public subnets that were created. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws ec2 modify-subnet-attribute --region $region_code --subnet-id subnet-0a1a56c486EXAMPLE --assign-ipv6-address-on-creation +aws ec2 modify-subnet-attribute --region $region_code --subnet-id subnet-099e6ca77aEXAMPLE --assign-ipv6-address-on-creation +---- +... Retrieve the names of the subnets and security groups created by the template from the deployed {aws} CloudFormation stack and store them in variables for use in a later step. ++ +[source,bash,subs="verbatim,attributes"] +---- +security_groups=$(aws cloudformation describe-stacks --region $region_code --stack-name $vpc_stack_name \ + --query='Stacks[].Outputs[?OutputKey==`SecurityGroups`].OutputValue' --output text) + +public_subnets=$(aws cloudformation describe-stacks --region $region_code --stack-name $vpc_stack_name \ + --query='Stacks[].Outputs[?OutputKey==`SubnetsPublic`].OutputValue' --output text) + +private_subnets=$(aws cloudformation describe-stacks --region $region_code --stack-name $vpc_stack_name \ + --query='Stacks[].Outputs[?OutputKey==`SubnetsPrivate`].OutputValue' --output text) + +subnets=${public_subnets},${private_subnets} +---- +.. Create a cluster IAM role and attach the required Amazon EKS IAM managed policy to it. [.noloc]`Kubernetes` clusters managed by Amazon EKS make calls to other {aws} services on your behalf to manage the resources that you use with the service. ++ +... Run the following command to create the `eks-cluster-role-trust-policy.json` file. ++ +[source,json,subs="verbatim,attributes"] +---- +cat >eks-cluster-role-trust-policy.json <>. ++ +The cluster takes several minutes to create. Run the following command. Don't continue to the next step until the output from the command is `ACTIVE`. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks describe-cluster --region $region_code --name $cluster_name --query cluster.status +---- +.. Create or update a `kubeconfig` file for your cluster so that you can communicate with your cluster. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks update-kubeconfig --region $region_code --name $cluster_name +---- ++ +By default, the `config` file is created in `~/.kube` or the new cluster's configuration is added to an existing `config` file in `~/.kube`. +.. Create a node IAM role. ++ +... Run the following command to create the `vpc-cni-ipv6-policy.json` file. ++ +[source,json,subs="verbatim,attributes"] +---- +cat >vpc-cni-ipv6-policy <node-role-trust-relationship.json <>. +... Attach two required IAM managed policies to the IAM role. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws iam attach-role-policy --policy-arn {arn-aws}iam::aws:policy/AmazonEKSWorkerNodePolicy \ + --role-name $node_role_name +aws iam attach-role-policy --policy-arn {arn-aws}iam::aws:policy/AmazonEC2ContainerRegistryReadOnly \ + --role-name $node_role_name +---- +... Retrieve the ARN of the IAM role and store it in a variable for a later step. ++ +[source,bash,subs="verbatim,attributes"] +---- +node_iam_role=$(aws iam get-role --role-name $node_role_name --query="Role.Arn" --output text) +---- +.. Create a managed node group. ++ +... View the IDs of the subnets that you created in a previous step. ++ +[source,bash,subs="verbatim,attributes"] +---- +echo $subnets +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +subnet-0a1a56c486EXAMPLE,subnet-099e6ca77aEXAMPLE,subnet-0377963d69EXAMPLE,subnet-0c05f819d5EXAMPLE +---- +... Create the node group. Replace [.replaceable]`0a1a56c486EXAMPLE`, [.replaceable]`099e6ca77aEXAMPLE`, [.replaceable]`0377963d69EXAMPLE`, and [.replaceable]`0c05f819d5EXAMPLE` with the values returned in the output of the previous step. Be sure to remove the commas between subnet IDs from the previous output in the following command. You can replace [.replaceable]`t3.medium` with any link:AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances[{aws} Nitro System instance type,type="documentation"]. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks create-nodegroup --region $region_code --cluster-name $cluster_name --nodegroup-name $nodegroup_name \ + --subnets subnet-0a1a56c486EXAMPLE subnet-099e6ca77aEXAMPLE subnet-0377963d69EXAMPLE subnet-0c05f819d5EXAMPLE \ + --instance-types t3.medium --node-role $node_iam_role +---- ++ +The node group takes a few minutes to create. Run the following command. Don't proceed to the next step until the output returned is `ACTIVE`. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks describe-nodegroup --region $region_code --cluster-name $cluster_name --nodegroup-name $nodegroup_name \ + --query nodegroup.status --output text +---- +.. Confirm that the default [.noloc]`Pods` are assigned `IPv6` addresses in the `IP` column. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl get pods -n kube-system -o wide +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES +aws-node-rslts 1/1 Running 1 5m36s 2600:1f13:b66:8200:11a5:ade0:c590:6ac8 ip-192-168-34-75.region-code.compute.internal +aws-node-t74jh 1/1 Running 0 5m32s 2600:1f13:b66:8203:4516:2080:8ced:1ca9 ip-192-168-253-70.region-code.compute.internal +coredns-85d5b4454c-cw7w2 1/1 Running 0 56m 2600:1f13:b66:8203:34e5:: ip-192-168-253-70.region-code.compute.internal +coredns-85d5b4454c-tx6n8 1/1 Running 0 56m 2600:1f13:b66:8203:34e5::1 ip-192-168-253-70.region-code.compute.internal +kube-proxy-btpbk 1/1 Running 0 5m36s 2600:1f13:b66:8200:11a5:ade0:c590:6ac8 ip-192-168-34-75.region-code.compute.internal +kube-proxy-jjk2g 1/1 Running 0 5m33s 2600:1f13:b66:8203:4516:2080:8ced:1ca9 ip-192-168-253-70.region-code.compute.internal +---- +.. Confirm that the default services are assigned `IPv6` addresses in the `IP` column. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl get services -n kube-system -o wide +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR +kube-dns ClusterIP fd30:3087:b6c2::a 53/UDP,53/TCP 57m k8s-app=kube-dns +---- +.. (Optional) <> or deploy the <> and a sample application to load balance HTTP applications with <> or network traffic with <> to `IPv6` [.noloc]`Pods`. +.. After you've finished with the cluster and nodes that you created for this tutorial, you should clean up the resources that you created with the following commands. Make sure that you're not using any of the resources outside of this tutorial before deleting them. ++ +... If you're completing this step in a different shell than you completed the previous steps in, set the values of all the variables used in previous steps, replacing the [.replaceable]`example values` with the values you specified when you completed the previous steps. If you're completing this step in the same shell that you completed the previous steps in, skip to the next step. ++ +[source,bash,subs="verbatim,attributes"] +---- +export region_code=region-code +export vpc_stack_name=my-eks-ipv6-vpc +export cluster_name=my-cluster +export nodegroup_name=my-nodegroup +export account_id=111122223333 +export node_role_name=AmazonEKSNodeRole +export cluster_role_name=myAmazonEKSClusterRole +---- +... Delete your node group. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks delete-nodegroup --region $region_code --cluster-name $cluster_name --nodegroup-name $nodegroup_name +---- ++ +Deletion takes a few minutes. Run the following command. Don't proceed to the next step if any output is returned. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks list-nodegroups --region $region_code --cluster-name $cluster_name --query nodegroups --output text +---- +... Delete the cluster. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks delete-cluster --region $region_code --name $cluster_name +---- ++ +The cluster takes a few minutes to delete. Before continuing make sure that the cluster is deleted with the following command. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks describe-cluster --region $region_code --name $cluster_name +---- ++ +Don't proceed to the next step until your output is similar to the following output. ++ +[source,bash,subs="verbatim,attributes"] +---- +An error occurred (ResourceNotFoundException) when calling the DescribeCluster operation: No cluster found for name: my-cluster. +---- +... Delete the IAM resources that you created. Replace [.replaceable]`AmazonEKS_CNI_IPv6_Policy` with the name you chose, if you chose a different name than the one used in previous steps. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws iam detach-role-policy --role-name $cluster_role_name --policy-arn {arn-aws}iam::aws:policy/AmazonEKSClusterPolicy +aws iam detach-role-policy --role-name $node_role_name --policy-arn {arn-aws}iam::aws:policy/AmazonEKSWorkerNodePolicy +aws iam detach-role-policy --role-name $node_role_name --policy-arn {arn-aws}iam::aws:policy/AmazonEC2ContainerRegistryReadOnly +aws iam detach-role-policy --role-name $node_role_name --policy-arn {arn-aws}iam::$account_id:policy/AmazonEKS_CNI_IPv6_Policy +aws iam delete-policy --policy-arn {arn-aws}iam::$account_id:policy/AmazonEKS_CNI_IPv6_Policy +aws iam delete-role --role-name $cluster_role_name +aws iam delete-role --role-name $node_role_name +---- +... Delete the {aws} CloudFormation stack that created the VPC. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws cloudformation delete-stack --region $region_code --stack-name $vpc_stack_name +---- + + diff --git a/latest/ug/networking/eks-networking-add-ons.adoc b/latest/ug/networking/eks-networking-add-ons.adoc index 1bdbfbdde..b2c274cd1 100644 --- a/latest/ug/networking/eks-networking-add-ons.adoc +++ b/latest/ug/networking/eks-networking-add-ons.adoc @@ -2,17 +2,20 @@ [.topic] [[eks-networking-add-ons,eks-networking-add-ons.title]] = Manage networking add-ons for Amazon EKS clusters -:info_doctype: section -:info_title: Manage networking add-ons for Amazon EKS \ - clusters :info_titleabbrev: Manage networking add-ons -:info_abstract: Learn how to manage networking add-ons for your Amazon EKS cluster, including built-in \ - components like Amazon VPC CNI plugin for Kubernetes, CoreDNS, and kube-proxy, as well as optional \ - {aws} add-ons for load balancing and service mesh. - include::../attributes.txt[] +include::managing-vpc-cni.adoc[leveloffset=+1] + +include::alternate-cni-plugins.adoc[leveloffset=+1] + +include::aws-load-balancer-controller.adoc[leveloffset=+1] + +include::managing-coredns.adoc[leveloffset=+1] + +include::managing-kube-proxy.adoc[leveloffset=+1] + [abstract] -- Learn how to manage networking add-ons for your Amazon EKS cluster, including built-in components like [.noloc]`Amazon VPC CNI plugin for Kubernetes`, [.noloc]`CoreDNS`, and `kube-proxy`, as well as optional {aws} add-ons for load balancing and service mesh. @@ -55,4586 +58,3 @@ This controller lets you connect services across multiple [.noloc]`Kubernetes` c For more information about add-ons, see <>. - -[.topic] -[[managing-vpc-cni,managing-vpc-cni.title]] -== Amazon VPC CNI -:info_title: Assign IPs to [.noloc]`Pods` with the Amazon VPC CNI -:info_titleabbrev: Amazon VPC CNI -:info_abstract: Discover how the [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on works to assign private IP addresses and create network interfaces for Pods and services in your Amazon EKS cluster. - -[abstract] --- -Discover how the [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on works to assign private IP addresses and create network interfaces for [.noloc]`Pods` and services in your Amazon EKS cluster. --- - -[TIP] -==== -With Amazon EKS Auto Mode, you don't need to install or upgrade networking add-ons. Auto Mode includes pod networking and load balancing capabilities. - -For more information, see <>. -==== - -The [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on is deployed on each Amazon EC2 node in your Amazon EKS cluster. The add-on creates link:AWSEC2/latest/UserGuide/using-eni.html[elastic network interfaces,type="documentation"] and attaches them to your Amazon EC2 nodes. The add-on also assigns a private `IPv4` or `IPv6` address from your VPC to each [.noloc]`Pod`. - -A version of the add-on is deployed with each Fargate node in your cluster, but you don't update it on Fargate nodes. Other compatible CNI plugins are available for use on Amazon EKS clusters, but this is the only CNI plugin supported by Amazon EKS for nodes that run on {aws} infrastructure. For more information about the other compatible CNI plugins, see <>. The VPC CNI isn't supported for use with hybrid nodes. For more information about your CNI options for hybrid nodes, see <>. - -The following table lists the latest available version of the Amazon EKS add-on type for each [.noloc]`Kubernetes` version. - -[[vpc-cni-latest-available-version,vpc-cni-latest-available-version.title]] -=== [.noloc]`Amazon VPC CNI` versions - -[options="header"] -|=== -| Kubernetes version | Amazon EKS type of VPC CNI version -| 1.31 | v1.19.0-eksbuild.1 -| 1.30 | v1.19.0-eksbuild.1 -| 1.29 | v1.19.0-eksbuild.1 -| 1.28 | v1.19.0-eksbuild.1 -| 1.27 | v1.19.0-eksbuild.1 -| 1.26 | v1.19.0-eksbuild.1 -| 1.25 | v1.19.0-eksbuild.1 -| 1.24 | v1.19.0-eksbuild.1 -| 1.23 | v1.18.5-eksbuild.1 -|=== - -[IMPORTANT] -==== - -If you're self-managing this add-on, the versions in the table might not be the same as the available self-managed versions. For more information about updating the self-managed type of this add-on, see <>. - -==== - -[IMPORTANT] -==== - -To upgrade to VPC CNI v1.12.0 or later, you must upgrade to VPC CNI v1.7.0 first. We recommend that you update one minor version at a time. - -==== - - -[[manage-vpc-cni-add-on-on-considerations,manage-vpc-cni-add-on-on-considerations.title]] -=== Considerations - -The following are considerations for using the feature. - - - -* Versions are specified as `major-version.minor-version.patch-version-eksbuild.build-number`. -* Check version compatibility for each feature. Some features of each release of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` require certain [.noloc]`Kubernetes` versions. When using different Amazon EKS features, if a specific version of the add-on is required, then it's noted in the feature documentation. Unless you have a specific reason for running an earlier version, we recommend running the latest version. - - -[.topic] -[[vpc-add-on-create,vpc-add-on-create.title]] -=== Creating the Amazon VPC CNI (Amazon EKS add-on) - -Use the following steps to create the [.noloc]`Amazon VPC CNI plugin for Kubernetes` Amazon EKS add-on. - -Before you begin, review the considerations. For more information, see <>. - - -[[vpc-add-on-create-prerequisites,vpc-add-on-create-prerequisites.title]] -==== Prerequisites - -The following are prerequisites for the [.noloc]`Amazon VPC CNI plugin for Kubernetes` Amazon EKS add-on. - - - -* An existing Amazon EKS cluster. To deploy one, see <>. -* An existing {aws} Identity and Access Management (IAM) [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you already have one, or to create one, see <>. -* An IAM role with the link:aws-managed-policy/latest/reference/AmazonEKS_CNI_Policy.html[AmazonEKS_CNI_Policy,type="documentation"] IAM policy (if your cluster uses the `IPv4` family) or an IPv6 policy (if your cluster uses the `IPv6` family) attached to it. For more information about the VPC CNI role, see <>. For information about the IPv6 policy, see <>. -* If you're using version `1.7.0` or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` and you use custom [.noloc]`Pod` security policies, see <> and <>. - -[IMPORTANT] -==== - -[.noloc]`Amazon VPC CNI plugin for Kubernetes` versions `v1.16.0` to `v1.16.1` removed compatibility with [.noloc]`Kubernetes` versions `1.23` and earlier. VPC CNI version `v1.16.2` restores compatibility with [.noloc]`Kubernetes` versions `1.23` and earlier and CNI spec `v0.4.0`. - -[.noloc]`Amazon VPC CNI plugin for Kubernetes` versions `v1.16.0` to `v1.16.1` implement CNI specification version `v1.0.0`. CNI spec `v1.0.0` is supported on EKS clusters that run the [.noloc]`Kubernetes` versions `v1.24` or later. VPC CNI version `v1.16.0` to `v1.16.1` and CNI spec `v1.0.0` aren't supported on [.noloc]`Kubernetes` version `v1.23` or earlier. For more information about `v1.0.0` of the CNI spec, see https://github.com/containernetworking/cni/blob/spec-v1.0.0/SPEC.md[Container Network Interface (CNI) Specification] on [.noloc]`GitHub`. - -==== - - -[[vpc-add-on-create-procedure,vpc-add-on-create-procedure.title]] -==== Procedure - -After you complete the prerequisites, use the following steps to create the add-on. - -. See which version of the add-on is installed on your cluster. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl describe daemonset aws-node --namespace kube-system | grep amazon-k8s-cni: | cut -d : -f 3 ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -v1.16.4-eksbuild.2 ----- -. See which type of the add-on is installed on your cluster. Depending on the tool that you created your cluster with, you might not currently have the Amazon EKS add-on type installed on your cluster. Replace [.replaceable]`my-cluster` with the name of your cluster. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks describe-addon --cluster-name my-cluster --addon-name vpc-cni --query addon.addonVersion --output text ----- -+ -If a version number is returned, you have the Amazon EKS type of the add-on installed on your cluster and don't need to complete the remaining steps in this procedure. If an error is returned, you don't have the Amazon EKS type of the add-on installed on your cluster. Complete the remaining steps of this procedure to install it. -. Save the configuration of your currently installed add-on. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl get daemonset aws-node -n kube-system -o yaml > aws-k8s-cni-old.yaml ----- -. Create the add-on using the {aws} CLI. If you want to use the {aws-management-console} or `eksctl` to create the add-on, see <> and specify `vpc-cni` for the add-on name. Copy the command that follows to your device. Make the following modifications to the command, as needed, and then run the modified command. -+ -** Replace [.replaceable]`my-cluster` with the name of your cluster. -** Replace [.replaceable]`v1.19.0-eksbuild.1` with the latest version listed in the latest version table for your cluster version. For the latest version table, see <>. -** Replace [.replaceable]`111122223333` with your account ID and [.replaceable]`AmazonEKSVPCCNIRole` with the name of an <> that you've created. Specifying a role requires that you have an IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you have one for your cluster, or to create one, see <>. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks create-addon --cluster-name my-cluster --addon-name vpc-cni --addon-version v1.19.0-eksbuild.1 \ - --service-account-role-arn {arn-aws}iam::111122223333:role/AmazonEKSVPCCNIRole ----- -+ -If you've applied custom settings to your current add-on that conflict with the default settings of the Amazon EKS add-on, creation might fail. If creation fails, you receive an error that can help you resolve the issue. Alternatively, you can add `--resolve-conflicts OVERWRITE` to the previous command. This allows the add-on to overwrite any existing custom settings. Once you've created the add-on, you can update it with your custom settings. -. Confirm that the latest version of the add-on for your cluster's [.noloc]`Kubernetes` version was added to your cluster. Replace [.replaceable]`my-cluster` with the name of your cluster. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks describe-addon --cluster-name my-cluster --addon-name vpc-cni --query addon.addonVersion --output text ----- -+ -It might take several seconds for add-on creation to complete. -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -v1.19.0-eksbuild.1 ----- -. If you made custom settings to your original add-on, before you created the Amazon EKS add-on, use the configuration that you saved in a previous step to update the EKS add-on with your custom settings. Follow the steps in <>. -. (Optional) Install the `cni-metrics-helper` to your cluster. It scrapes elastic network interface and IP address information, aggregates it at a cluster level, and publishes the metrics to Amazon CloudWatch. For more information, see https://github.com/aws/amazon-vpc-cni-k8s/blob/master/cmd/cni-metrics-helper/README.md[cni-metrics-helper] on GitHub. - - -[.topic] -[[vpc-add-on-update,vpc-add-on-update.title]] -=== Updating the Amazon VPC CNI (Amazon EKS add-on) - -Update the Amazon EKS type of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on. If you haven't added the Amazon EKS type of the add-on to your cluster, you can install it by following <>. Or, update the other type of VPC CNI installation by following <>. - -. See which version of the add-on is installed on your cluster. Replace [.replaceable]`my-cluster` with your cluster name. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks describe-addon --cluster-name my-cluster --addon-name vpc-cni --query "addon.addonVersion" --output text ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -v1.16.4-eksbuild.2 ----- -+ -Compare the version with the table of latest versions at <>. If the version returned is the same as the version for your cluster's [.noloc]`Kubernetes` version in the latest version table, then you already have the latest version installed on your cluster and don't need to complete the rest of this procedure. If you receive an error, instead of a version number in your output, then you don't have the Amazon EKS type of the add-on installed on your cluster. You need to create the add-on before you can update it with this procedure. To create the Amazon EKS type of the VPC CNI add-on, you can follow <>. -. Save the configuration of your currently installed add-on. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl get daemonset aws-node -n kube-system -o yaml > aws-k8s-cni-old.yaml ----- -. Update your add-on using the {aws} CLI. If you want to use the {aws-management-console} or `eksctl` to update the add-on, see <>. Copy the command that follows to your device. Make the following modifications to the command, as needed, and then run the modified command. -+ -** Replace [.replaceable]`my-cluster` with the name of your cluster. -** Replace [.replaceable]`v1.19.0-eksbuild.1` with the latest version listed in the latest version table for your cluster version. -** Replace [.replaceable]`111122223333` with your account ID and [.replaceable]`AmazonEKSVPCCNIRole` with the name of an existing IAM role that you've created. To create an IAM role for the VPC CNI, see <>. Specifying a role requires that you have an IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you have one for your cluster, or to create one, see <>. -** The `--resolve-conflicts PRESERVE` option preserves existing configuration values for the add-on. If you've set custom values for add-on settings, and you don't use this option, Amazon EKS overwrites your values with its default values. If you use this option, then we recommend testing any field and value changes on a non-production cluster before updating the add-on on your production cluster. If you change this value to `OVERWRITE`, all settings are changed to Amazon EKS default values. If you've set custom values for any settings, they might be overwritten with Amazon EKS default values. If you change this value to `none`, Amazon EKS doesn't change the value of any settings, but the update might fail. If the update fails, you receive an error message to help you resolve the conflict. -** If you're not updating a configuration setting, remove `--configuration-values '{[.replaceable]``"env":{"AWS_VPC_K8S_CNI_EXTERNALSNAT":"true"}``}'` from the command. If you're updating a configuration setting, replace [.replaceable]`"env":{"AWS_VPC_K8S_CNI_EXTERNALSNAT":"true"}` with the setting that you want to set. In this example, the `AWS_VPC_K8S_CNI_EXTERNALSNAT` environment variable is set to `true`. The value that you specify must be valid for the configuration schema. If you don't know the configuration schema, run `aws eks describe-addon-configuration --addon-name vpc-cni --addon-version [.replaceable]``v1.19.0-eksbuild.1```, replacing [.replaceable]`v1.19.0-eksbuild.1` with the version number of the add-on that you want to see the configuration for. The schema is returned in the output. If you have any existing custom configuration, want to remove it all, and set the values for all settings back to Amazon EKS defaults, remove [.replaceable]`"env":{"AWS_VPC_K8S_CNI_EXTERNALSNAT":"true"}` from the command, so that you have empty `{}`. For an explanation of each setting, see https://github.com/aws/amazon-vpc-cni-k8s#cni-configuration-variables[CNI Configuration Variables] on GitHub. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks update-addon --cluster-name my-cluster --addon-name vpc-cni --addon-version v1.19.0-eksbuild.1 \ - --service-account-role-arn {arn-aws}iam::111122223333:role/AmazonEKSVPCCNIRole \ - --resolve-conflicts PRESERVE --configuration-values '{"env":{"AWS_VPC_K8S_CNI_EXTERNALSNAT":"true"}}' ----- -+ -It might take several seconds for the update to complete. -. Confirm that the add-on version was updated. Replace [.replaceable]`my-cluster` with the name of your cluster. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks describe-addon --cluster-name my-cluster --addon-name vpc-cni ----- -+ -It might take several seconds for the update to complete. -+ -An example output is as follows. -+ -[source,json,subs="verbatim,attributes"] ----- -{ - "addon": { - "addonName": "vpc-cni", - "clusterName": "my-cluster", - "status": "ACTIVE", - "addonVersion": "v1.19.0-eksbuild.1", - "health": { - "issues": [] - }, - "addonArn": "{arn-aws}eks:region:111122223333:addon/my-cluster/vpc-cni/74c33d2f-b4dc-8718-56e7-9fdfa65d14a9", - "createdAt": "2023-04-12T18:25:19.319000+00:00", - "modifiedAt": "2023-04-12T18:40:28.683000+00:00", - "serviceAccountRoleArn": "{arn-aws}iam::111122223333:role/AmazonEKSVPCCNIRole", - "tags": {}, - "configurationValues": "{\"env\":{\"AWS_VPC_K8S_CNI_EXTERNALSNAT\":\"true\"}}" - } -} ----- - - -[.topic] -[[vpc-add-on-self-managed-update,vpc-add-on-self-managed-update.title]] -=== Updating the Amazon VPC CNI (self-managed add-on) - -[IMPORTANT] -==== - -We recommend adding the Amazon EKS type of the add-on to your cluster instead of using the self-managed type of the add-on. If you're not familiar with the difference between the types, see <>. For more information about adding an Amazon EKS add-on to your cluster, see <>. If you're unable to use the Amazon EKS add-on, we encourage you to submit an issue about why you can't to the https://github.com/aws/containers-roadmap/issues[Containers roadmap GitHub repository]. - -==== -. Confirm that you don't have the Amazon EKS type of the add-on installed on your cluster. Replace [.replaceable]`my-cluster` with the name of your cluster. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks describe-addon --cluster-name my-cluster --addon-name vpc-cni --query addon.addonVersion --output text ----- -+ -If an error message is returned, you don't have the Amazon EKS type of the add-on installed on your cluster. To self-manage the add-on, complete the remaining steps in this procedure to update the add-on. If a version number is returned, you have the Amazon EKS type of the add-on installed on your cluster. To update it, use the procedure in <>, rather than using this procedure. If you're not familiar with the differences between the add-on types, see <>. -. See which version of the container image is currently installed on your cluster. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl describe daemonset aws-node --namespace kube-system | grep amazon-k8s-cni: | cut -d : -f 3 ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -v1.16.4-eksbuild.2 ----- -+ -Your output might not include the build number. -. Backup your current settings so you can configure the same settings once you've updated your version. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl get daemonset aws-node -n kube-system -o yaml > aws-k8s-cni-old.yaml ----- -To review the available versions and familiarize yourself with the changes in the version that you want to update to, see https://github.com/aws/amazon-vpc-cni-k8s/releases[releases] on [.noloc]`GitHub`. Note that we recommend updating to the same `major`.``minor``.``patch`` version listed in the latest available versions table, even if later versions are available on GitHub. For the latest available version table, see <>. The build versions listed in the table aren't specified in the self-managed versions listed on GitHub. Update your version by completing the tasks in one of the following options: -+ -** If you don't have any custom settings for the add-on, then run the command under the `To apply this release:` heading on GitHub for the https://github.com/aws/amazon-vpc-cni-k8s/releases[release] that you're updating to. -** If you have custom settings, download the manifest file with the following command. Change [.replaceable]`https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.19.0/config/master/aws-k8s-cni.yaml` to the URL for the release on GitHub that you're updating to. -+ -[source,bash,subs="verbatim,attributes"] ----- -curl -O https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.19.0/config/master/aws-k8s-cni.yaml ----- -+ -If necessary, modify the manifest with the custom settings from the backup you made in a previous step and then apply the modified manifest to your cluster. If your nodes don't have access to the private Amazon EKS Amazon ECR repositories that the images are pulled from (see the lines that start with `image:` in the manifest), then you'll have to download the images, copy them to your own repository, and modify the manifest to pull the images from your repository. For more information, see <>. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl apply -f aws-k8s-cni.yaml ----- -. Confirm that the new version is now installed on your cluster. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl describe daemonset aws-node --namespace kube-system | grep amazon-k8s-cni: | cut -d : -f 3 ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -v1.19.0 ----- -. (Optional) Install the `cni-metrics-helper` to your cluster. It scrapes elastic network interface and IP address information, aggregates it at a cluster level, and publishes the metrics to Amazon CloudWatch. For more information, see https://github.com/aws/amazon-vpc-cni-k8s/blob/master/cmd/cni-metrics-helper/README.md[cni-metrics-helper] on GitHub. - - -[.topic] -[[cni-iam-role,cni-iam-role.title]] -=== Configure Amazon VPC CNI plugin to use IRSA -:info_doctype: section -:info_title: Configure Amazon VPC CNI plugin to use IRSA -:info_titleabbrev: Configure VPC CNI for IRSA -:info_abstract: Learn how to configure the [.noloc]`Amazon VPC CNI plugin for Kubernetes` to use IAM roles for service accounts (IRSA) for [.noloc]`Pod` networking in Amazon EKS clusters. - -[abstract] --- -Learn how to configure the [.noloc]`Amazon VPC CNI plugin for Kubernetes` to use IAM roles for service accounts (IRSA) for [.noloc]`Pod` networking in Amazon EKS clusters. --- - -The https://github.com/aws/amazon-vpc-cni-k8s[Amazon VPC CNI plugin for Kubernetes] is the networking plugin for [.noloc]`Pod` networking in Amazon EKS clusters. The plugin is responsible for allocating VPC IP addresses to [.noloc]`Kubernetes` nodes and configuring the necessary networking for [.noloc]`Pods` on each node. The plugin: - - -* Requires {aws} Identity and Access Management (IAM) permissions. If your cluster uses the `IPv4` family, the permissions are specified in the ` link:aws-managed-policy/latest/reference/AmazonEKS_CNI_Policy.html[AmazonEKS_CNI_Policy,type="documentation"]` {aws} managed policy.If your cluster uses the `IPv6` family, then the permissions must be added to an IAM policy that you create; for instructions, see <>. You can attach the policy to the Amazon EKS node IAM role, or to a separate IAM role. For instructions to attach the policy to the Amazon EKS node IAM role, see <>. We recommend that you assign it to a separate role, as detailed in this topic. -* Creates and is configured to use a [.noloc]`Kubernetes` service account named `aws-node` when it's deployed. The service account is bound to a [.noloc]`Kubernetes` `clusterrole` named `aws-node`, which is assigned the required [.noloc]`Kubernetes` permissions. - - -[NOTE] -==== - -The [.noloc]`Pods` for the [.noloc]`Amazon VPC CNI plugin for Kubernetes` have access to the permissions assigned to the <>, unless you block access to IMDS. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. - -==== - -* An existing Amazon EKS cluster. To deploy one, see <>. -* An existing {aws} Identity and Access Management (IAM) [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you already have one, or to create one, see <>. - - -[[cni-iam-role-create-role,cni-iam-role-create-role.title]] -==== Step 1: Create the [.noloc]`Amazon VPC CNI plugin for Kubernetes` IAM role -. Determine the IP family of your cluster. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks describe-cluster --name my-cluster | grep ipFamily ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -"ipFamily": "ipv4" ----- -+ -The output may return `ipv6` instead. -. Create the IAM role. You can use `eksctl` or `kubectl` and the {aws} CLI to create your IAM role. -+ -eksctl::: -** Create an IAM role and attach the IAM policy to the role with the command that matches the IP family of your cluster. The command creates and deploys an {aws} CloudFormation stack that creates an IAM role, attaches the policy that you specify to it, and annotates the existing `aws-node` [.noloc]`Kubernetes` service account with the ARN of the IAM role that is created. -+ -*** `IPv4` -+ -Replace [.replaceable]`my-cluster` with your own value. -+ -[source,bash,subs="verbatim,attributes"] ----- -eksctl create iamserviceaccount \ - --name aws-node \ - --namespace kube-system \ - --cluster my-cluster \ - --role-name AmazonEKSVPCCNIRole \ - --attach-policy-arn {arn-aws}iam::aws:policy/AmazonEKS_CNI_Policy \ - --override-existing-serviceaccounts \ - --approve ----- -*** `IPv6` -+ -Replace [.replaceable]`my-cluster` with your own value. Replace [.replaceable]`111122223333` with your account ID and replace [.replaceable]`AmazonEKS_CNI_IPv6_Policy` with the name of your `IPv6` policy. If you don't have an `IPv6` policy, see <> to create one. To use `IPv6` with your cluster, it must meet several requirements. For more information, see <>. -+ -[source,bash,subs="verbatim,attributes"] ----- -eksctl create iamserviceaccount \ - --name aws-node \ - --namespace kube-system \ - --cluster my-cluster \ - --role-name AmazonEKSVPCCNIRole \ - --attach-policy-arn {arn-aws}iam::111122223333:policy/AmazonEKS_CNI_IPv6_Policy \ - --override-existing-serviceaccounts \ - --approve ----- - - -kubectl and the {aws} CLI::: -... View your cluster's OIDC provider URL. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks describe-cluster --name my-cluster --query "cluster.identity.oidc.issuer" --output text ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -https://oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE ----- -+ -If no output is returned, then you must <>. -... Copy the following contents to a file named [.replaceable]`vpc-cni-trust-policy.json`. Replace [.replaceable]`111122223333` with your account ID and [.replaceable]`EXAMPLED539D4633E53DE1B71EXAMPLE` with the output returned in the previous step. Replace [.replaceable]`region-code` with the {aws} Region that your cluster is in. -+ -[source,json,subs="verbatim,attributes"] ----- -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Federated": "{arn-aws}iam::111122223333:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE" - }, - "Action": "sts:AssumeRoleWithWebIdentity", - "Condition": { - "StringEquals": { - "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:aud": "sts.amazonaws.com", - "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:kube-system:aws-node" - } - } - } - ] -} ----- -... Create the role. You can replace [.replaceable]`AmazonEKSVPCCNIRole` with any name that you choose. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws iam create-role \ - --role-name AmazonEKSVPCCNIRole \ - --assume-role-policy-document file://"vpc-cni-trust-policy.json" ----- -... Attach the required IAM policy to the role. Run the command that matches the IP family of your cluster. -+ -**** `IPv4` -+ -[source,bash,subs="verbatim,attributes"] ----- -aws iam attach-role-policy \ - --policy-arn {arn-aws}iam::aws:policy/AmazonEKS_CNI_Policy \ - --role-name AmazonEKSVPCCNIRole ----- -**** `IPv6` -+ -Replace [.replaceable]`111122223333` with your account ID and [.replaceable]`AmazonEKS_CNI_IPv6_Policy` with the name of your `IPv6` policy. If you don't have an `IPv6` policy, see <> to create one. To use `IPv6` with your cluster, it must meet several requirements. For more information, see <>. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws iam attach-role-policy \ - --policy-arn {arn-aws}iam::111122223333:policy/AmazonEKS_CNI_IPv6_Policy \ - --role-name AmazonEKSVPCCNIRole ----- -... Run the following command to annotate the `aws-node` service account with the ARN of the IAM role that you created previously. Replace the [.replaceable]`example values` with your own values. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl annotate serviceaccount \ - -n kube-system aws-node \ - eks.amazonaws.com/role-arn={arn-aws}iam::111122223333:role/AmazonEKSVPCCNIRole ----- -. (Optional) Configure the {aws} Security Token Service endpoint type used by your [.noloc]`Kubernetes` service account. For more information, see <>. - - -[[cni-iam-role-redeploy-pods,cni-iam-role-redeploy-pods.title]] -==== Step 2: Re-deploy [.noloc]`Amazon VPC CNI plugin for Kubernetes` [.noloc]`Pods` -. Delete and re-create any existing [.noloc]`Pods` that are associated with the service account to apply the credential environment variables. The annotation is not applied to [.noloc]`Pods` that are currently running without the annotation. The following command deletes the existing `aws-node` [.noloc]`DaemonSet` [.noloc]`Pods` and deploys them with the service account annotation. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl delete Pods -n kube-system -l k8s-app=aws-node ----- -. Confirm that the [.noloc]`Pods` all restarted. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl get pods -n kube-system -l k8s-app=aws-node ----- -. Describe one of the [.noloc]`Pods` and verify that the `AWS_WEB_IDENTITY_TOKEN_FILE` and `AWS_ROLE_ARN` environment variables exist. Replace [.replaceable]`cpjw7` with the name of one of your [.noloc]`Pods` returned in the output of the previous step. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl describe pod -n kube-system aws-node-cpjw7 | grep 'AWS_ROLE_ARN:\|AWS_WEB_IDENTITY_TOKEN_FILE:' ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -AWS_ROLE_ARN: {arn-aws}iam::111122223333:role/AmazonEKSVPCCNIRole - AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token - AWS_ROLE_ARN: {arn-aws}iam::111122223333:role/AmazonEKSVPCCNIRole - AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token ----- -+ -Two sets of duplicate results are returned because the [.noloc]`Pod` contains two containers. Both containers have the same values. -+ -If your [.noloc]`Pod` is using the {aws} Regional endpoint, then the following line is also returned in the previous output. -+ -[source,bash,subs="verbatim,attributes"] ----- -AWS_STS_REGIONAL_ENDPOINTS=regional ----- - - -[[remove-cni-policy-node-iam-role,remove-cni-policy-node-iam-role.title]] -==== Step 3: Remove the CNI policy from the node IAM role - -If your <> currently has the `AmazonEKS_CNI_Policy` IAM (`IPv4`) policyor an <>attached to it, and you've created a separate IAM role, attached the policy to it instead, and assigned it to the `aws-node` [.noloc]`Kubernetes` service account, then we recommend that you remove the policy from your node role with the {aws} CLI command that matches the IP family of your cluster. Replace [.replaceable]`AmazonEKSNodeRole` with the name of your node role. - - - -* `IPv4` -+ -[source,bash,subs="verbatim,attributes"] ----- -aws iam detach-role-policy --role-name AmazonEKSNodeRole --policy-arn {arn-aws}iam::aws:policy/AmazonEKS_CNI_Policy ----- -* `IPv6` -+ -Replace [.replaceable]`111122223333` with your account ID and [.replaceable]`AmazonEKS_CNI_IPv6_Policy` with the name of your `IPv6` policy. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws iam detach-role-policy --role-name AmazonEKSNodeRole --policy-arn {arn-aws}iam::111122223333:policy/AmazonEKS_CNI_IPv6_Policy ----- - - -[[cni-iam-role-create-ipv6-policy,cni-iam-role-create-ipv6-policy.title]] -==== Create IAM policy for clusters that use the `IPv6` family - -If you created a cluster that uses the `IPv6` family and the cluster has version `1.10.1` or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on configured, then you need to create an IAM policy that you can assign to an IAM role. If you have an existing cluster that you didn't configure with the `IPv6` family when you created it, then to use `IPv6`, you must create a new cluster. For more information about using `IPv6` with your cluster, see <>. - -. Copy the following text and save it to a file named `vpc-cni-ipv6-policy.json`. -+ -[source,json,subs="verbatim,attributes"] ----- -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ec2:AssignIpv6Addresses", - "ec2:DescribeInstances", - "ec2:DescribeTags", - "ec2:DescribeNetworkInterfaces", - "ec2:DescribeInstanceTypes" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "ec2:CreateTags" - ], - "Resource": [ - "{arn-aws}ec2:*:*:network-interface/*" - ] - } - ] -} ----- -. Create the IAM policy. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws iam create-policy --policy-name AmazonEKS_CNI_IPv6_Policy --policy-document file://vpc-cni-ipv6-policy.json ----- - - -[.topic] -[[pod-networking-use-cases,pod-networking-use-cases.title]] -=== Learn about VPC CNI modes and configuration - -[abstract] --- -Discover how [.noloc]`Amazon VPC CNI plugin for Kubernetes` provides pod networking capabilities and settings for different Amazon EKS node types and use cases, including security groups, [.noloc]`Kubernetes` network policies, custom networking, IPv4, and IPv6 support. --- - -The [.noloc]`Amazon VPC CNI plugin for Kubernetes` provides networking for [.noloc]`Pods`. Use the following table to learn more about the available networking features. - -[cols="1,1", options="header"] -|=== -|Networking feature -|Learn more - - -|Configure your cluster to assign IPv6 addresses to clusters, [.noloc]`Pods`, and services -|<> - -|Use IPv4 Source Network Address Translation for [.noloc]`Pods` -|<> - -|Restrict network traffic to and from your [.noloc]`Pods` -|<> - -|Customize the secondary network interface in nodes -|<> - -|Increase IP addresses for your node -|<> - -|Use security groups for [.noloc]`Pod` network traffic -|<> - -|Use multiple network interfaces for [.noloc]`Pods` -|<> -|=== - -[.topic] -[[cni-ipv6,cni-ipv6.title]] -==== Learn about IPv6 addresses to clusters, [.noloc]`pods`, and services - -[abstract] --- -Learn how to deploy an `IPv6` cluster and nodes with Amazon EKS for assigning `IPv6` addresses to [.noloc]`Pods` and [.noloc]`services` instead of `IPv4`, leveraging IP prefix delegation and the latest [.noloc]`Amazon VPC CNI` plugin. --- - -*Applies to*: [.noloc]`Pods` with Amazon EC2 instances and Fargate [.noloc]`Pods` - -By default, [.noloc]`Kubernetes` assigns `IPv4` addresses to your [.noloc]`Pods` and [.noloc]`services`. Instead of assigning `IPv4` addresses to your [.noloc]`Pods` and [.noloc]`services`, you can configure your cluster to assign `IPv6` addresses to them. Amazon EKS doesn't support dual-stacked [.noloc]`Pods` or [.noloc]`services`, even though [.noloc]`Kubernetes` does in version `1.23` and later. As a result, you can't assign both `IPv4` and `IPv6` addresses to your [.noloc]`Pods` and [.noloc]`services`. - -You select which IP family you want to use for your cluster when you create it. You can't change the family after you create the cluster. - -For a tutorial to deploy an Amazon EKS `IPv6` cluster, see <>. - -//[[ipv6-considerations,ipv6-considerations.title]] -//===== Considerations - -The following are considerations for using the feature: - -===== `IPv6` Feature support - -* *No [.noloc]`Windows` support*: [.noloc]`Windows` [.noloc]`Pods` and [.noloc]`services` aren't supported. -* *Nitro-based EC2 nodes required*: You can only use `IPv6` with {aws} Nitro-based Amazon EC2 or Fargate nodes. -* *EC2 and Fargate nodes supported*: You can use `IPv6` with <> with Amazon EC2 nodes and Fargate nodes. -* *Outposts not supported*: You can't use `IPv6` with <>. -* *FSx for Lustre is not supported*: The <> is not supported. -* *Instance Metadata Service not supported*: Use of the Amazon EC2 link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html[Instance Metadata Service,type="documentation"] `IPv6` endpoint is not supported with Amazon EKS. -* *Custom networking not supported*: If you previously used <> to help alleviate IP address exhaustion, you can use `IPv6` instead. You can't use custom networking with `IPv6`. If you use custom networking for network isolation, then you might need to continue to use custom networking and the `IPv4` family for your clusters. - - -===== IP address assignments - -* *Kubernetes services*: Kubernetes services are only assigned an `IPv6` addresses. They aren't assigned IPv4 addresses. -* *Pods*: Pods are assigned an IPv6 address and a host-local IPv4 address. The host-local IPv4 address is assigned by using a host-local CNI plugin chained with VPC CNI and the address is not reported to the Kubernetes control plane. It is only used when a pod needs to communicate with an external IPv4 resources in another Amazon VPC or the internet. The host-local IPv4 address gets SNATed (by VPC CNI) to the primary IPv4 address of the primary ENI of the worker node. -* *Pods and services*: [.noloc]`Pods` and [.noloc]`services` are only assigned an `IPv6` address. They aren't assigned an `IPv4` address. Because [.noloc]`Pods` are able to communicate to `IPv4` endpoints through NAT on the instance itself, link:vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-nat64-dns64[DNS64 and NAT64,type="documentation"] aren't needed. If the traffic needs a public IP address, the traffic is then source network address translated to a public IP. -* *Routing addresses*: The source `IPv6` address of a [.noloc]`Pod` isn't source network address translated to the `IPv6` address of the node when communicating outside of the VPC. It is routed using an internet gateway or egress-only internet gateway. -* *Nodes*: All nodes are assigned an `IPv4` and `IPv6` address. -* *Fargate [.noloc]`Pods`*: Each Fargate [.noloc]`Pod` receives an `IPv6` address from the CIDR that's specified for the subnet that it's deployed in. The underlying hardware unit that runs Fargate [.noloc]`Pods` gets a unique `IPv4` and `IPv6` address from the CIDRs that are assigned to the subnet that the hardware unit is deployed in. - - -===== How to use `IPv6` with EKS - -* *Create new cluster*: You must create a new cluster and specify that you want to use the `IPv6` family for that cluster. You can't enable the `IPv6` family for a cluster that you updated from a previous version. For instructions on how to create a new cluster, see Considerations . -* *Use recent VPC CNI*: Deploy Amazon VPC CNI version `1.10.1` or later. This version or later is deployed by default. After you deploy the add-on, you can't downgrade your Amazon VPC CNI add-on to a version lower than `1.10.1` without first removing all nodes in all node groups in your cluster. -* *Configure VPC CNI for `IPv6`*: If you use Amazon EC2 nodes, you must configure the Amazon VPC CNI add-on with IP prefix delegation and `IPv6`. If you choose the `IPv6` family when creating your cluster, the `1.10.1` version of the add-on defaults to this configuration. This is the case for both a self-managed or Amazon EKS add-on. For more information about IP prefix delegation, see <>. -* *Configure `IPv4` and `IPv6` addresses*: When you create a cluster, the VPC and subnets that you specify must have an `IPv6` CIDR block that's assigned to the VPC and subnets that you specify. They must also have an `IPv4` CIDR block assigned to them. This is because, even if you only want to use `IPv6`, a VPC still requires an `IPv4` CIDR block to function. For more information, see link:vpc/latest/userguide/working-with-vpcs.html#vpc-associate-ipv6-cidr[Associate an IPv6 CIDR block with your VPC,type="documentation"] in the Amazon VPC User Guide. -* *Auto-assign IPv6 addresses to nodes:* When you create your nodes, you must specify subnets that are configured to auto-assign `IPv6` addresses. Otherwise, you can't deploy your nodes. By default, this configuration is disabled. For more information, see link:vpc/latest/userguide/vpc-ip-addressing.html#subnet-ipv6[Modify the IPv6 addressing attribute for your subnet,type="documentation"] in the Amazon VPC User Guide. -* *Set route tables to use `IPv6`*: The route tables that are assigned to your subnets must have routes for `IPv6` addresses. For more information, see link:vpc/latest/userguide/vpc-migrate-ipv6.html[Migrate to IPv6,type="documentation"] in the Amazon VPC User Guide. -* *Set security groups for `IPv6`*: Your security groups must allow `IPv6` addresses. For more information, see link:vpc/latest/userguide/vpc-migrate-ipv6.html[Migrate to IPv6,type="documentation"] in the Amazon VPC User Guide. -* *Set up load balancer*: Use version `2.3.1` or later of the {aws} Load Balancer Controller to load balance HTTP applications using the <> or network traffic using the <> to `IPv6` [.noloc]`Pods` with either load balancer in IP mode, but not instance mode. For more information, see <>. -* *Add `IPv6` IAM policy*: You must attach an `IPv6` IAM policy to your node IAM or CNI IAM role. Between the two, we recommend that you attach it to a CNI IAM role. For more information, see <> and <>. -* *Evaluate all components*: Perform a thorough evaluation of your applications, Amazon EKS add-ons, and {aws} services that you integrate with before deploying `IPv6` clusters. This is to ensure that everything works as expected with `IPv6`. -* *Add `BootstrapArguments` self-managed node groups*: When creating a self-managed node group in a cluster that uses the `IPv6` family, user-data must include the following `BootstrapArguments` for the https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap.sh] file that runs at node start up. Replace [.replaceable]`your-cidr` with the `IPv6` [.noloc]`CIDR` range of your cluster's VPC. -+ -[source,bash,subs="verbatim,attributes"] ----- ---ip-family ipv6 --service-ipv6-cidr your-cidr ----- -+ -If you don't know the `IPv6` `CIDR` range for your cluster, you can see it with the following command (requires the {aws} CLI version `2.4.9` or later). -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks describe-cluster --name my-cluster --query cluster.kubernetesNetworkConfig.serviceIpv6Cidr --output text ----- - - -[.topic] -[[deploy-ipv6-cluster,deploy-ipv6-cluster.title]] -===== Deploying an Amazon EKS `IPv6` cluster and managed Amazon Linux nodes - -In this tutorial, you deploy an `IPv6` Amazon VPC, an Amazon EKS cluster with the `IPv6` family, and a managed node group with Amazon EC2 Amazon Linux nodes. You can't deploy Amazon EC2 [.noloc]`Windows` nodes in an `IPv6` cluster. You can also deploy Fargate nodes to your cluster, though those instructions aren't provided in this topic for simplicity. - -====== Prerequisites - -Complete the following before you start the tutorial: - -Install and configure the following tools and resources that you need to create and manage an Amazon EKS cluster. - -* We recommend that you familiarize yourself with all settings and deploy a cluster with the settings that meet your requirements. For more information, see <>, <>, and the <> for this topic. You can only enable some settings when creating your cluster. -* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. -* The IAM security principal that you're using must have permissions to work with Amazon EKS IAM roles, service linked roles, {aws} CloudFormation, a VPC, and related resources. For more information, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html[Actions, resources, and condition keys for Amazon Elastic Kubernetes Service,type="documentation"] and link:IAM/latest/UserGuide/using-service-linked-roles.html[Using service-linked roles,type="documentation"] in the IAM User Guide. -* If you use the [.noloc]`eksctl`, install version `{eksctl-min-version}` or later on your computer. To install or update to it, see https://eksctl.io/installation[Installation] in the `eksctl` documentation. -* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. If you use the {aws} CloudShell, you may need to link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[install version 2.12.3 or later or 1.27.160 or later of the {aws} CLI,type="documentation"], because the default {aws} CLI version installed in the {aws} CloudShell may be an earlier version. - - -//[[deploy-ipv6-cluster-procedure,deploy-ipv6-cluster-procedure.title]] -//====== Procedure - -You can use the [.noloc]`eksctl` or CLI to deploy an `IPv6` cluster. - - -====== Deploy an IPv6 cluster with [.noloc]`eksctl` - -.. Create the `ipv6-cluster.yaml` file. Copy the command that follows to your device. Make the following modifications to the command as needed and then run the modified command: -+ -*** Replace [.replaceable]`my-cluster` with a name for your cluster. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. -*** Replace [.replaceable]`region-code` with any {aws} Region that is supported by Amazon EKS. For a list of {aws} Regions, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"] in the {aws} General Reference guide. -*** The value for `version` with the version of your cluster. For more information, see <>. -*** Replace [.replaceable]`my-nodegroup` with a name for your node group. The node group name can't be longer than 63 characters. It must start with letter or digit, but can also include hyphens and underscores for the remaining characters. -*** Replace [.replaceable]`t3.medium` with any link:AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances[{aws} Nitro System instance type,type="documentation"]. -+ -[source,yaml,subs="verbatim,attributes"] ----- -cat >ipv6-cluster.yaml < -aws-node-t74jh 1/1 Running 0 5m32s 2600:1f13:b66:8203:4516:2080:8ced:1ca9 ip-192-168-253-70.region-code.compute.internal -coredns-85d5b4454c-cw7w2 1/1 Running 0 56m 2600:1f13:b66:8203:34e5:: ip-192-168-253-70.region-code.compute.internal -coredns-85d5b4454c-tx6n8 1/1 Running 0 56m 2600:1f13:b66:8203:34e5::1 ip-192-168-253-70.region-code.compute.internal -kube-proxy-btpbk 1/1 Running 0 5m36s 2600:1f13:b66:8200:11a5:ade0:c590:6ac8 ip-192-168-34-75.region-code.compute.internal -kube-proxy-jjk2g 1/1 Running 0 5m33s 2600:1f13:b66:8203:4516:2080:8ced:1ca9 ip-192-168-253-70.region-code.compute.internal ----- -.. Confirm that default services are assigned `IPv6` addresses. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl get services -n kube-system -o wide ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR -kube-dns ClusterIP fd30:3087:b6c2::a 53/UDP,53/TCP 57m k8s-app=kube-dns ----- -.. (Optional) <> or deploy the <> and a sample application to load balance HTTP applications with <> or network traffic with <> to `IPv6` [.noloc]`Pods`. -.. After you've finished with the cluster and nodes that you created for this tutorial, you should clean up the resources that you created with the following command. -+ -[source,bash,subs="verbatim,attributes"] ----- -eksctl delete cluster my-cluster ----- - - -====== Deploy an IPv6 cluster with {aws} CLI - -[IMPORTANT] -==== -** You must complete all steps in this procedure as the same user. To check the current user, run the following command: -+ -[source,bash,subs="verbatim,attributes"] ----- -aws sts get-caller-identity ----- -** You must complete all steps in this procedure in the same shell. Several steps use variables set in previous steps. Steps that use variables won't function properly if the variable values are set in a different shell. If you use the link:cloudshell/latest/userguide/welcome.html[{aws} CloudShell,type="documentation"] to complete the following procedure, remember that if you don't interact with it using your keyboard or pointer for approximately 20–30 minutes, your shell session ends. Running processes do not count as interactions. -** The instructions are written for the Bash shell, and may need adjusting in other shells. -==== - - -Replace all [.replaceable]`example values` in the steps of this procedure with your own values. - -.. Run the following commands to set some variables used in later steps. Replace [.replaceable]`region-code` with the {aws} Region that you want to deploy your resources in. The value can be any {aws} Region that is supported by Amazon EKS. For a list of {aws} Regions, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"] in the {aws} General Reference guide. Replace [.replaceable]`my-cluster` with a name for your cluster. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. Replace [.replaceable]`my-nodegroup` with a name for your node group. The node group name can't be longer than 63 characters. It must start with letter or digit, but can also include hyphens and underscores for the remaining characters. Replace [.replaceable]`111122223333` with your account ID. -+ -[source,bash,subs="verbatim,attributes"] ----- -export region_code=region-code -export cluster_name=my-cluster -export nodegroup_name=my-nodegroup -export account_id=111122223333 ----- -.. Create an Amazon VPC with public and private subnets that meets Amazon EKS and `IPv6` requirements. -+ -... Run the following command to set a variable for your {aws} CloudFormation stack name. You can replace [.replaceable]`my-eks-ipv6-vpc` with any name you choose. -+ -[source,bash,subs="verbatim,attributes"] ----- -export vpc_stack_name=my-eks-ipv6-vpc ----- -... Create an `IPv6` VPC using an {aws} CloudFormation template. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws cloudformation create-stack --region $region_code --stack-name $vpc_stack_name \ - --template-url https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2020-10-29/amazon-eks-ipv6-vpc-public-private-subnets.yaml ----- -+ -The stack takes a few minutes to create. Run the following command. Don't continue to the next step until the output of the command is `CREATE_COMPLETE`. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws cloudformation describe-stacks --region $region_code --stack-name $vpc_stack_name --query Stacks[].StackStatus --output text ----- -... Retrieve the IDs of the public subnets that were created. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws cloudformation describe-stacks --region $region_code --stack-name $vpc_stack_name \ - --query='Stacks[].Outputs[?OutputKey==`SubnetsPublic`].OutputValue' --output text ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -subnet-0a1a56c486EXAMPLE,subnet-099e6ca77aEXAMPLE ----- -... Enable the auto-assign `IPv6` address option for the public subnets that were created. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws ec2 modify-subnet-attribute --region $region_code --subnet-id subnet-0a1a56c486EXAMPLE --assign-ipv6-address-on-creation -aws ec2 modify-subnet-attribute --region $region_code --subnet-id subnet-099e6ca77aEXAMPLE --assign-ipv6-address-on-creation ----- -... Retrieve the names of the subnets and security groups created by the template from the deployed {aws} CloudFormation stack and store them in variables for use in a later step. -+ -[source,bash,subs="verbatim,attributes"] ----- -security_groups=$(aws cloudformation describe-stacks --region $region_code --stack-name $vpc_stack_name \ - --query='Stacks[].Outputs[?OutputKey==`SecurityGroups`].OutputValue' --output text) - -public_subnets=$(aws cloudformation describe-stacks --region $region_code --stack-name $vpc_stack_name \ - --query='Stacks[].Outputs[?OutputKey==`SubnetsPublic`].OutputValue' --output text) - -private_subnets=$(aws cloudformation describe-stacks --region $region_code --stack-name $vpc_stack_name \ - --query='Stacks[].Outputs[?OutputKey==`SubnetsPrivate`].OutputValue' --output text) - -subnets=${public_subnets},${private_subnets} ----- -.. Create a cluster IAM role and attach the required Amazon EKS IAM managed policy to it. [.noloc]`Kubernetes` clusters managed by Amazon EKS make calls to other {aws} services on your behalf to manage the resources that you use with the service. -+ -... Run the following command to create the `eks-cluster-role-trust-policy.json` file. -+ -[source,json,subs="verbatim,attributes"] ----- -cat >eks-cluster-role-trust-policy.json <>. -+ -The cluster takes several minutes to create. Run the following command. Don't continue to the next step until the output from the command is `ACTIVE`. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks describe-cluster --region $region_code --name $cluster_name --query cluster.status ----- -.. Create or update a `kubeconfig` file for your cluster so that you can communicate with your cluster. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks update-kubeconfig --region $region_code --name $cluster_name ----- -+ -By default, the `config` file is created in `~/.kube` or the new cluster's configuration is added to an existing `config` file in `~/.kube`. -.. Create a node IAM role. -+ -... Run the following command to create the `vpc-cni-ipv6-policy.json` file. -+ -[source,json,subs="verbatim,attributes"] ----- -cat >vpc-cni-ipv6-policy <node-role-trust-relationship.json <>. -... Attach two required IAM managed policies to the IAM role. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws iam attach-role-policy --policy-arn {arn-aws}iam::aws:policy/AmazonEKSWorkerNodePolicy \ - --role-name $node_role_name -aws iam attach-role-policy --policy-arn {arn-aws}iam::aws:policy/AmazonEC2ContainerRegistryReadOnly \ - --role-name $node_role_name ----- -... Retrieve the ARN of the IAM role and store it in a variable for a later step. -+ -[source,bash,subs="verbatim,attributes"] ----- -node_iam_role=$(aws iam get-role --role-name $node_role_name --query="Role.Arn" --output text) ----- -.. Create a managed node group. -+ -... View the IDs of the subnets that you created in a previous step. -+ -[source,bash,subs="verbatim,attributes"] ----- -echo $subnets ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -subnet-0a1a56c486EXAMPLE,subnet-099e6ca77aEXAMPLE,subnet-0377963d69EXAMPLE,subnet-0c05f819d5EXAMPLE ----- -... Create the node group. Replace [.replaceable]`0a1a56c486EXAMPLE`, [.replaceable]`099e6ca77aEXAMPLE`, [.replaceable]`0377963d69EXAMPLE`, and [.replaceable]`0c05f819d5EXAMPLE` with the values returned in the output of the previous step. Be sure to remove the commas between subnet IDs from the previous output in the following command. You can replace [.replaceable]`t3.medium` with any link:AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances[{aws} Nitro System instance type,type="documentation"]. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks create-nodegroup --region $region_code --cluster-name $cluster_name --nodegroup-name $nodegroup_name \ - --subnets subnet-0a1a56c486EXAMPLE subnet-099e6ca77aEXAMPLE subnet-0377963d69EXAMPLE subnet-0c05f819d5EXAMPLE \ - --instance-types t3.medium --node-role $node_iam_role ----- -+ -The node group takes a few minutes to create. Run the following command. Don't proceed to the next step until the output returned is `ACTIVE`. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks describe-nodegroup --region $region_code --cluster-name $cluster_name --nodegroup-name $nodegroup_name \ - --query nodegroup.status --output text ----- -.. Confirm that the default [.noloc]`Pods` are assigned `IPv6` addresses in the `IP` column. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl get pods -n kube-system -o wide ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES -aws-node-rslts 1/1 Running 1 5m36s 2600:1f13:b66:8200:11a5:ade0:c590:6ac8 ip-192-168-34-75.region-code.compute.internal -aws-node-t74jh 1/1 Running 0 5m32s 2600:1f13:b66:8203:4516:2080:8ced:1ca9 ip-192-168-253-70.region-code.compute.internal -coredns-85d5b4454c-cw7w2 1/1 Running 0 56m 2600:1f13:b66:8203:34e5:: ip-192-168-253-70.region-code.compute.internal -coredns-85d5b4454c-tx6n8 1/1 Running 0 56m 2600:1f13:b66:8203:34e5::1 ip-192-168-253-70.region-code.compute.internal -kube-proxy-btpbk 1/1 Running 0 5m36s 2600:1f13:b66:8200:11a5:ade0:c590:6ac8 ip-192-168-34-75.region-code.compute.internal -kube-proxy-jjk2g 1/1 Running 0 5m33s 2600:1f13:b66:8203:4516:2080:8ced:1ca9 ip-192-168-253-70.region-code.compute.internal ----- -.. Confirm that the default services are assigned `IPv6` addresses in the `IP` column. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl get services -n kube-system -o wide ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR -kube-dns ClusterIP fd30:3087:b6c2::a 53/UDP,53/TCP 57m k8s-app=kube-dns ----- -.. (Optional) <> or deploy the <> and a sample application to load balance HTTP applications with <> or network traffic with <> to `IPv6` [.noloc]`Pods`. -.. After you've finished with the cluster and nodes that you created for this tutorial, you should clean up the resources that you created with the following commands. Make sure that you're not using any of the resources outside of this tutorial before deleting them. -+ -... If you're completing this step in a different shell than you completed the previous steps in, set the values of all the variables used in previous steps, replacing the [.replaceable]`example values` with the values you specified when you completed the previous steps. If you're completing this step in the same shell that you completed the previous steps in, skip to the next step. -+ -[source,bash,subs="verbatim,attributes"] ----- -export region_code=region-code -export vpc_stack_name=my-eks-ipv6-vpc -export cluster_name=my-cluster -export nodegroup_name=my-nodegroup -export account_id=111122223333 -export node_role_name=AmazonEKSNodeRole -export cluster_role_name=myAmazonEKSClusterRole ----- -... Delete your node group. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks delete-nodegroup --region $region_code --cluster-name $cluster_name --nodegroup-name $nodegroup_name ----- -+ -Deletion takes a few minutes. Run the following command. Don't proceed to the next step if any output is returned. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks list-nodegroups --region $region_code --cluster-name $cluster_name --query nodegroups --output text ----- -... Delete the cluster. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks delete-cluster --region $region_code --name $cluster_name ----- -+ -The cluster takes a few minutes to delete. Before continuing make sure that the cluster is deleted with the following command. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks describe-cluster --region $region_code --name $cluster_name ----- -+ -Don't proceed to the next step until your output is similar to the following output. -+ -[source,bash,subs="verbatim,attributes"] ----- -An error occurred (ResourceNotFoundException) when calling the DescribeCluster operation: No cluster found for name: my-cluster. ----- -... Delete the IAM resources that you created. Replace [.replaceable]`AmazonEKS_CNI_IPv6_Policy` with the name you chose, if you chose a different name than the one used in previous steps. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws iam detach-role-policy --role-name $cluster_role_name --policy-arn {arn-aws}iam::aws:policy/AmazonEKSClusterPolicy -aws iam detach-role-policy --role-name $node_role_name --policy-arn {arn-aws}iam::aws:policy/AmazonEKSWorkerNodePolicy -aws iam detach-role-policy --role-name $node_role_name --policy-arn {arn-aws}iam::aws:policy/AmazonEC2ContainerRegistryReadOnly -aws iam detach-role-policy --role-name $node_role_name --policy-arn {arn-aws}iam::$account_id:policy/AmazonEKS_CNI_IPv6_Policy -aws iam delete-policy --policy-arn {arn-aws}iam::$account_id:policy/AmazonEKS_CNI_IPv6_Policy -aws iam delete-role --role-name $cluster_role_name -aws iam delete-role --role-name $node_role_name ----- -... Delete the {aws} CloudFormation stack that created the VPC. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws cloudformation delete-stack --region $region_code --stack-name $vpc_stack_name ----- - - -[.topic] -[[external-snat,external-snat.title]] -==== Enable outbound internet access for [.noloc]`pods` - -[abstract] --- -Learn how Amazon EKS manages external communication for [.noloc]`Pods` using Source Network Address Translation (SNAT), allowing Pods to access internet resources or networks connected via VPC peering, Transit Gateway, or {aws} Direct Connect. --- - -*Applies to*: [.noloc]`Linux` `IPv4` Fargate nodes, [.noloc]`Linux` nodes with Amazon EC2 instances - -If you deployed your cluster using the `IPv6` family, then the information in this topic isn't applicable to your cluster, because `IPv6` addresses are not network translated. For more information about using `IPv6` with your cluster, see <>. - -By default, each [.noloc]`Pod` in your cluster is assigned a link:AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-private-addresses[private,type="documentation"]``IPv4`` address from a classless inter-domain routing (CIDR) block that is associated with the VPC that the [.noloc]`Pod` is deployed in. [.noloc]`Pods` in the same VPC communicate with each other using these private IP addresses as end points. When a [.noloc]`Pod` communicates to any `IPv4` address that isn't within a CIDR block that's associated to your VPC, the Amazon VPC CNI plugin (for both https://github.com/aws/amazon-vpc-cni-k8s#amazon-vpc-cni-k8s[Linux] or https://github.com/aws/amazon-vpc-cni-plugins/tree/master/plugins/vpc-bridge[Windows]) translates the [.noloc]`Pod's` `IPv4` address to the primary private `IPv4` address of the primary link:AWSEC2/latest/UserGuide/using-eni.html#eni-basics[elastic network interface,type="documentation"] of the node that the [.noloc]`Pod` is running on, by default ^^<>^^. - -[NOTE] -==== - -For [.noloc]`Windows` nodes, there are additional details to consider. By default, the https://github.com/aws/amazon-vpc-cni-plugins/tree/master/plugins/vpc-bridge[VPC CNI plugin for Windows] is defined with a networking configuration in which the traffic to a destination within the same VPC is excluded for SNAT. This means that internal VPC communication has SNAT disabled and the IP address allocated to a [.noloc]`Pod` is routable inside the VPC. But traffic to a destination outside of the VPC has the source [.noloc]`Pod` IP SNAT'ed to the instance ENI's primary IP address. This default configuration for [.noloc]`Windows` ensures that the pod can access networks outside of your VPC in the same way as the host instance. - -==== - -Due to this behavior: - - - -* Your [.noloc]`Pods` can communicate with internet resources only if the node that they're running on has a link:AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses[public,type="documentation"] or link:vpc/latest/userguide/vpc-eips.html[elastic,type="documentation"] IP address assigned to it and is in a link:vpc/latest/userguide/configure-subnets.html#subnet-basics[public subnet,type="documentation"]. A public subnet's associated link:vpc/latest/userguide/VPC_Route_Tables.html[route table,type="documentation"] has a route to an internet gateway. We recommend deploying nodes to private subnets, whenever possible. -* For versions of the plugin earlier than `1.8.0`, resources that are in networks or VPCs that are connected to your cluster VPC using link:vpc/latest/peering/what-is-vpc-peering.html[VPC peering,type="documentation"], a link:whitepapers/latest/aws-vpc-connectivity-options/transit-vpc-option.html[transit VPC,type="documentation"], or link:directconnect/latest/UserGuide/Welcome.html[{aws} Direct Connect,type="documentation"] can't initiate communication to your [.noloc]`Pods` behind secondary elastic network interfaces. Your [.noloc]`Pods` can initiate communication to those resources and receive responses from them, though. - -If either of the following statements are true in your environment, then change the default configuration with the command that follows. - - - -* You have resources in networks or VPCs that are connected to your cluster VPC using link:vpc/latest/peering/what-is-vpc-peering.html[VPC peering,type="documentation"], a link:whitepapers/latest/aws-vpc-connectivity-options/transit-vpc-option.html[transit VPC,type="documentation"], or link:directconnect/latest/UserGuide/Welcome.html[{aws} Direct Connect,type="documentation"] that need to initiate communication with your [.noloc]`Pods` using an `IPv4` address and your plugin version is earlier than `1.8.0`. -* Your [.noloc]`Pods` are in a link:vpc/latest/userguide/configure-subnets.html#subnet-basics[private subnet,type="documentation"] and need to communicate outbound to the internet. The subnet has a route to a link:vpc/latest/userguide/vpc-nat-gateway.html[NAT gateway,type="documentation"]. - - -[source,bash,subs="verbatim,attributes"] ----- -kubectl set env daemonset -n kube-system aws-node AWS_VPC_K8S_CNI_EXTERNALSNAT=true ----- - -[NOTE] -==== - -The `AWS_VPC_K8S_CNI_EXTERNALSNAT` and `AWS_VPC_K8S_CNI_EXCLUDE_SNAT_CIDRS` CNI configuration variables aren't applicable to [.noloc]`Windows` nodes. Disabling SNAT isn't supported for [.noloc]`Windows`. As for excluding a list of `IPv4` CIDRs from SNAT, you can define this by specifying the `ExcludedSnatCIDRs` parameter in the [.noloc]`Windows` bootstrap script. For more information on using this parameter, see <>. - -==== - -[[snat-exception,snat-exception.title]] -===== Host networking - -^^*^^If a [.noloc]`Pod's` spec contains `hostNetwork=true` (default is `false`), then its IP address isn't translated to a different address. This is the case for the `kube-proxy` and [.noloc]`Amazon VPC CNI plugin for Kubernetes` [.noloc]`Pods` that run on your cluster, by default. For these [.noloc]`Pods`, the IP address is the same as the node's primary IP address, so the [.noloc]`Pod's` IP address isn't translated. For more information about a [.noloc]`Pod's` `hostNetwork` setting, see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#podspec-v1-core[PodSpec v1 core] in the [.noloc]`Kubernetes` API reference. - -[.topic] -[[cni-network-policy,cni-network-policy.title]] -==== Limit [.noloc]`pod` traffic with [.noloc]`Kubernetes` network policies - -[abstract] --- -Learn how to configure your Amazon EKS cluster to use [.noloc]`Kubernetes` network policies with the [.noloc]`Amazon VPC CNI` plugin. Control network traffic to and from pods using network policies for enhanced security. Covers network policy considerations, requirements, setup instructions, and troubleshooting tips. --- - -By default, there are no restrictions in [.noloc]`Kubernetes` for IP addresses, ports, or connections between any [.noloc]`Pods` in your cluster or between your [.noloc]`Pods` and resources in any other network. You can use [.noloc]`Kubernetes` _network policy_ to restrict network traffic to and from your [.noloc]`Pods`. For more information, see https://kubernetes.io/docs/concepts/services-networking/network-policies/[Network Policies] in the [.noloc]`Kubernetes` documentation. - -If you have version `1.13` or earlier of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` on your cluster, you need to implement a third party solution to apply [.noloc]`Kubernetes` network policies to your cluster. Version `1.14` or later of the plugin can implement network policies, so you don't need to use a third party solution. In this topic, you learn how to configure your cluster to use [.noloc]`Kubernetes` network policy on your cluster without using a third party add-on. - -Network policies in the [.noloc]`Amazon VPC CNI plugin for Kubernetes` are supported in the following configurations. - - - -* Amazon EKS clusters of version `1.25` and later. -* Version 1.14 or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` on your cluster. -* Cluster configured for `IPv4` or `IPv6` addresses. -* You can use network policies with <>. With network policies, you can control all in-cluster communication. With security groups for [.noloc]`Pods`, you can control access to {aws} services from applications within a [.noloc]`Pod`. -* You can use network policies with _custom networking_ and _prefix delegation_. - - -[[cni-network-policy-considerations,cni-network-policy-considerations.title]] -===== Considerations - -*Architecture* - -* When applying [.noloc]`Amazon VPC CNI plugin for Kubernetes` network policies to your cluster with the [.noloc]`Amazon VPC CNI plugin for Kubernetes` , you can apply the policies to Amazon EC2 Linux nodes only. You can't apply the policies to Fargate or Windows nodes. -* Network policies only apply either `IPv4` or `IPv6` addresses, but not both. In an `IPv4` cluster, the VPC CNI assigns `IPv4` address to pods and applies `IPv4` policies. In an `IPv6` cluster, the VPC CNI assigns `IPv6` address to pods and applies `IPv6` policies. Any `IPv4` network policy rules applied to an `IPv6` cluster are ignored. Any `IPv6` network policy rules applied to an `IPv4` cluster are ignored. - -*Network Policies* - -* Network Policies are only applied to [.noloc]`Pods` that are part of a [.noloc]`Deployment`. Standalone [.noloc]`Pods` that don't have a `metadata.ownerReferences` set can't have network policies applied to them. -* You can apply multiple network policies to the same [.noloc]`Pod`. When two or more policies that select the same [.noloc]`Pod` are configured, all policies are applied to the [.noloc]`Pod`. -* The maximum number of unique combinations of ports for each protocol in each `ingress:` or `egress:` selector in a network policy is 24. -* For any of your [.noloc]`Kubernetes` services, the service port must be the same as the container port. If you're using named ports, use the same name in the service spec too. - -*Migration* - -* If your cluster is currently using a third party solution to manage [.noloc]`Kubernetes` network policies, you can use those same policies with the [.noloc]`Amazon VPC CNI plugin for Kubernetes`. However you must remove your existing solution so that it isn't managing the same policies. - -*Installation* - -* The network policy feature creates and requires a `PolicyEndpoint` Custom Resource Definition (CRD) called `policyendpoints.networking.k8s.aws`. `PolicyEndpoint` objects of the Custom Resource are managed by Amazon EKS. You shouldn't modify or delete these resources. -* If you run pods that use the instance role IAM credentials or connect to the EC2 IMDS, be careful to check for network policies that would block access to the EC2 IMDS. You may need to add a network policy to allow access to EC2 IMDS. For more information, see link:AWSEC2/latest/UserGuide/ec2-instance-metadata.html[Instance metadata and user data,type="documentation"] in the Amazon EC2 User Guide. -+ -Pods that use _IAM roles for service accounts_ or _EKS Pod Identity_ don't access EC2 IMDS. -* The [.noloc]`Amazon VPC CNI plugin for Kubernetes` doesn't apply network policies to additional network interfaces for each pod, only the primary interface for each pod (`eth0`). This affects the following architectures: -+ -** `IPv6` pods with the `ENABLE_V4_EGRESS` variable set to `true`. This variable enables the `IPv4` egress feature to connect the IPv6 pods to `IPv4` endpoints such as those outside the cluster. The `IPv4` egress feature works by creating an additional network interface with a local loopback IPv4 address. -** When using chained network plugins such as [.noloc]`Multus`. Because these plugins add network interfaces to each pod, network policies aren't applied to the chained network plugins. - - -[.topic] -[[cni-network-policy-configure,cni-network-policy-configure.title]] -===== Restrict Pod network traffic with [.noloc]`Kubernetes` network policies - -[abstract] --- -Learn how to deploy [.noloc]`Kubernetes` network policies on your Amazon EKS cluster. --- - -You can use a [.noloc]`Kubernetes` network policy to restrict network traffic to and from your [.noloc]`Pods`. For more information, see https://kubernetes.io/docs/concepts/services-networking/network-policies/[Network Policies] in the [.noloc]`Kubernetes` documentation. - -You must configure the following in order to use this feature: - -. Set up policy enforcement at [.noloc]`Pod` startup. You do this in the `aws-node` container of the VPC CNI `DaemonSet`. -. Enable the network policy parameter for the add-on. -. Configure your cluster to use the [.noloc]`Kubernetes` network policy - -Before you begin, review the considerations. For more information, see <>. - -[[cni-network-policy-prereqs,cni-network-policy-prereqs.title]] -====== Prerequisites - -The following are prerequisites for the feature: - - - -* -.Minimum cluster version -An existing Amazon EKS cluster. To deploy one, see <>. The cluster must be [.noloc]`Kubernetes` version `1.25` or later. The cluster must be running one of the [.noloc]`Kubernetes` versions and platform versions listed in the following table. Note that any [.noloc]`Kubernetes` and platform versions later than those listed are also supported. You can check your current [.noloc]`Kubernetes` version by replacing [.replaceable]`my-cluster` in the following command with the name of your cluster and then running the modified command: -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks describe-cluster - --name my-cluster --query cluster.version --output - text ----- -+ -[cols="1,1", options="header"] -|=== -|Kubernetes version -|Platform version - - -|`1.27.4` -|`eks.5` - -|`1.26.7` -|`eks.6` - -|`1.25.12` -|`eks.7` -|=== -* -.Minimum VPC CNI version -Version `1.14` or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` on your cluster. You can see which version that you currently have with the following command. -+ -[source,shell,subs="verbatim,attributes"] ----- -kubectl describe daemonset aws-node --namespace kube-system | grep amazon-k8s-cni: | cut -d : -f 3 ----- -+ -If your version is earlier than `1.14`, see <> to upgrade to version `1.14` or later. -* -.Minimum Linux kernel version -Your nodes must have Linux kernel version `5.10` or later. You can check your kernel version with `uname -r`. If you're using the latest versions of the Amazon EKS optimized Amazon Linux, Amazon EKS optimized accelerated Amazon Linux AMIs, and Bottlerocket AMIs, they already have the required kernel version. -+ -The Amazon EKS optimized accelerated Amazon Linux AMI version `v20231116` or later have kernel version `5.10`. - - -[[cni-network-policy-configure-policy,cni-network-policy-configure-policy.title]] -====== Step 1: Set up policy enforcement at [.noloc]`Pod` startup - - -The [.noloc]`Amazon VPC CNI plugin for Kubernetes` configures network policies for pods in parallel with the pod provisioning. Until all of the policies are configured for the new pod, containers in the new pod will start with a _default allow policy_. This is called _standard mode_. A default allow policy means that all ingress and egress traffic is allowed to and from the new pods. For example, the pods will not have any firewall rules enforced (all traffic is allowed) until the new pod is updated with the active policies. - -With the `NETWORK_POLICY_ENFORCING_MODE` variable set to `strict`, pods that use the VPC CNI start with a _default deny policy_, then policies are configured. This is called _strict mode_. In strict mode, you must have a network policy for every endpoint that your pods need to access in your cluster. Note that this requirement applies to the [.noloc]`CoreDNS` pods. The default deny policy isn't configured for pods with Host networking. - -You can change the default network policy by setting the environment variable `NETWORK_POLICY_ENFORCING_MODE` to `strict` in the `aws-node` container of the VPC CNI `DaemonSet`. - -[source,yaml,subs="verbatim,attributes"] ----- -env: - - name: NETWORK_POLICY_ENFORCING_MODE - value: "strict" ----- - - -[[enable-network-policy-parameter,enable-network-policy-parameter.title]] -====== Step 2: Enable the network policy parameter for the add-on - -The network policy feature uses port `8162` on the node for metrics by default. Also, the feature used port `8163` for health probes. If you run another application on the nodes or inside pods that needs to use these ports, the app fails to run. In VPC CNI version `v1.14.1` or later, you can change these ports. - -Use the following procedure to enable the network policy parameter for the add-on. - - - -{aws-management-console}:: -.. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. -.. In the left navigation pane, select *Clusters*, and then select the name of the cluster that you want to configure the Amazon VPC CNI add-on for. -.. Choose the *Add-ons* tab. -.. Select the box in the top right of the add-on box and then choose *Edit*. -.. On the *Configure [.replaceable]`name of add-on`* page: -+ -... Select a `v1.14.0-eksbuild.3` or later version in the *Version* list. -... Expand the *Optional configuration settings*. -... Enter the JSON key `"enableNetworkPolicy":` and value `"true"` in *Configuration values*. The resulting text must be a valid JSON object. If this key and value are the only data in the text box, surround the key and value with curly braces `{ }`. -+ -The following example has network policy feature enabled and metrics and health probes are set to the default port numbers: -+ -[source,json,subs="verbatim,attributes"] ----- -{ - "enableNetworkPolicy": "true", - "nodeAgent": { - "healthProbeBindAddr": "8163", - "metricsBindAddr": "8162" - } -} ----- - - -Helm:: - -If you have installed the [.noloc]`Amazon VPC CNI plugin for Kubernetes` through `helm`, you can update the configuration to change the ports. - -.. Run the following command to change the ports. Set the port number in the value for either key `nodeAgent.metricsBindAddr` or key `nodeAgent.healthProbeBindAddr`, respectively. -+ -[source,shell,subs="verbatim,attributes"] ----- -helm upgrade --set nodeAgent.metricsBindAddr=8162 --set nodeAgent.healthProbeBindAddr=8163 aws-vpc-cni --namespace kube-system eks/aws-vpc-cni ----- - - -[.noloc]`kubectl`:: -.. Open the `aws-node` `DaemonSet` in your editor. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl edit daemonset -n kube-system aws-node ----- -.. Replace the port numbers in the following command arguments in the `args:` in the `aws-network-policy-agent` container in the VPC CNI `aws-node` daemonset manifest. -+ -[source,yaml,subs="verbatim,attributes"] ----- - - args: - - --metrics-bind-addr=:8162 - - --health-probe-bind-addr=:8163 ----- - - -[[cni-mount-bpf,cni-mount-bpf.title]] -====== Step 3: Mount the Berkeley Packet Filter (BPF) file system on your nodes - -You must mount the Berkeley Packet Filter (BPF) file system on each of your nodes. - -[NOTE] -==== - -If your cluster is version `1.27` or later, you can skip this step as all Amazon EKS optimized Amazon Linux and Bottlerocket AMIs for `1.27` or later have this feature already. - -For all other cluster versions, if you upgrade the Amazon EKS optimized Amazon Linux to version `v20230703` or later or you upgrade the Bottlerocket AMI to version `v1.0.2` or later, you can skip this step. - -==== -. Mount the Berkeley Packet Filter (BPF) file system on each of your nodes. -+ -[source,shell,subs="verbatim,attributes"] ----- -sudo mount -t bpf bpffs /sys/fs/bpf ----- -. Then, add the same command to your user data in your launch template for your Amazon EC2 Auto Scaling Groups. - - -[[cni-network-policy-setup,cni-network-policy-setup.title]] -====== Step 4: Configure your cluster to use [.noloc]`Kubernetes` network policies - -Configure the cluster to use [.noloc]`Kubernetes` network policies. You can set this for an Amazon EKS add-on or self-managed add-on. - - -[[cni-network-policy-setup-procedure-add-on,cni-network-policy-setup-procedure-add-on.title]] -.Amazon EKS add-on -[%collapsible] -==== - -{aws-management-console}:: -.. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. -.. In the left navigation pane, select *Clusters*, and then select the name of the cluster that you want to configure the Amazon VPC CNI add-on for. -.. Choose the *Add-ons* tab. -.. Select the box in the top right of the add-on box and then choose *Edit*. -.. On the *Configure [.replaceable]`name of addon`* page: -+ -... Select a `v1.14.0-eksbuild.3` or later version in the *Version* list. -... Expand the *Optional configuration settings*. -... Enter the JSON key `"enableNetworkPolicy":` and value `"true"` in *Configuration values*. The resulting text must be a valid JSON object. If this key and value are the only data in the text box, surround the key and value with curly braces `{ }`. The following example shows network policy is enabled: -+ -[source,json,subs="verbatim,attributes"] ----- -{ "enableNetworkPolicy": "true" } ----- -+ -The following screenshot shows an example of this scenario. -+ -image::images/console-cni-config-network-policy.png[{aws-management-console} showing the VPC CNI add-on with network policy in the optional configuration.,scaledwidth=80%] - - -{aws} CLI:: -.. Run the following {aws} CLI command. Replace `my-cluster` with the name of your cluster and the IAM role ARN with the role that you are using. -+ -[source,shell,subs="verbatim,attributes"] ----- -aws eks update-addon --cluster-name my-cluster --addon-name vpc-cni --addon-version v1.14.0-eksbuild.3 \ - --service-account-role-arn {arn-aws}iam::123456789012:role/AmazonEKSVPCCNIRole \ - --resolve-conflicts PRESERVE --configuration-values '{"enableNetworkPolicy": "true"}' ----- - -==== - -[[cni-network-policy-setup-procedure-self-managed-add-on,cni-network-policy-setup-procedure-self-managed-add-on.title]] -.Self-managed add-on -[%collapsible] -==== - -Helm:: - -If you have installed the [.noloc]`Amazon VPC CNI plugin for Kubernetes` through `helm`, you can update the configuration to enable network policy. - -.. Run the following command to enable network policy. -+ -[source,shell,subs="verbatim,attributes"] ----- -helm upgrade --set enableNetworkPolicy=true aws-vpc-cni --namespace kube-system eks/aws-vpc-cni ----- - - -[.noloc]`kubectl`:: -.. Open the `amazon-vpc-cni` `ConfigMap` in your editor. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl edit configmap -n kube-system amazon-vpc-cni -o yaml ----- -.. Add the following line to the `data` in the `ConfigMap`. -+ -[source,bash,subs="verbatim,attributes"] ----- -enable-network-policy-controller: "true" ----- -+ -Once you've added the line, your `ConfigMap` should look like the following example. -+ -[source,yaml,subs="verbatim,attributes"] ----- -apiVersion: v1 - kind: ConfigMap - metadata: - name: amazon-vpc-cni - namespace: kube-system - data: - enable-network-policy-controller: "true" ----- -.. Open the `aws-node` `DaemonSet` in your editor. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl edit daemonset -n kube-system aws-node ----- -.. Replace the `false` with `true` in the command argument `--enable-network-policy=false` in the `args:` in the `aws-network-policy-agent` container in the VPC CNI `aws-node` daemonset manifest. -+ -[source,yaml,subs="verbatim,attributes"] ----- - - args: - - --enable-network-policy=true ----- - -==== - -[[cni-network-policy-setup-procedure-confirm,cni-network-policy-setup-procedure-confirm.title]] -====== Step 5. Next steps - -After you complete the configuration, confirm that the `aws-node` pods are running on your cluster. - -[source,bash,subs="verbatim,attributes"] ----- -kubectl get pods -n kube-system | grep 'aws-node\|amazon' ----- - -An example output is as follows. - -[source,bash,subs="verbatim,attributes"] ----- -aws-node-gmqp7 2/2 Running 1 (24h ago) 24h -aws-node-prnsh 2/2 Running 1 (24h ago) 24h ----- - -There are 2 containers in the `aws-node` pods in versions `1.14` and later. In previous versions and if network policy is disabled, there is only a single container in the `aws-node` pods. - -You can now deploy [.noloc]`Kubernetes` network policies to your cluster. - -To implement [.noloc]`Kubernetes` network policies you create [.noloc]`Kubernetes` `NetworkPolicy` objects and deploy them to your cluster. `NetworkPolicy` objects are scoped to a namespace. You implement policies to allow or deny traffic between [.noloc]`Pods` based on label selectors, namespaces, and IP address ranges. For more information about creating `NetworkPolicy` objects, see https://kubernetes.io/docs/concepts/services-networking/network-policies/#networkpolicy-resource[Network Policies] in the [.noloc]`Kubernetes` documentation. - -Enforcement of [.noloc]`Kubernetes` `NetworkPolicy` objects is implemented using the [.noloc]`Extended Berkeley Packet Filter` ([.noloc]`eBPF`). Relative to `iptables` based implementations, it offers lower latency and performance characteristics, including reduced CPU utilization and avoiding sequential lookups. Additionally, [.noloc]`eBPF` probes provide access to context rich data that helps debug complex kernel level issues and improve observability. Amazon EKS supports an [.noloc]`eBPF`-based exporter that leverages the probes to log policy results on each node and export the data to external log collectors to aid in debugging. For more information, see the https://ebpf.io/what-is-ebpf/#what-is-ebpf[eBPF documentation]. - -[.topic] -[[network-policy-disable,network-policy-disable.title]] -===== Disable [.noloc]`Kubernetes` network policies for Amazon EKS Pod network traffic - -[abstract] --- -Learn how to disable [.noloc]`Kubernetes` network policies for Amazon EKS Pod network traffic. --- - -Disable [.noloc]`Kubernetes` network policies to stop restricting Amazon EKS Pod network traffic - -. List all Kubernetes network policies. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl get netpol -A ----- -. Delete each Kubernetes network policy. You must delete all network policies before disabling network policies. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl delete netpol ----- -. Open the aws-node DaemonSet in your editor. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl edit daemonset -n kube-system aws-node ----- -. Replace the `true` with `false` in the command argument `--enable-network-policy=true` in the `args:` in the `aws-network-policy-agent` container in the VPC CNI `aws-node` daemonset manifest. -+ -[source,yaml,subs="verbatim,attributes"] ----- - - args: - - --enable-network-policy=true ----- - - -include::network-policies-troubleshooting.adoc[leveloffset=+1] - - -include::network-policy-stars-demo.adoc[leveloffset=+1] - - -[.topic] -[[cni-custom-network,cni-custom-network.title]] -=== Deploy [.noloc]`pods` in alternate subnets with custom networking - -[abstract] --- -Learn how to enable custom networking for Amazon EKS [.noloc]`Pods` to deploy them in different subnets or use different security groups than the node's primary network interface, increasing IP address availability and network isolation. --- - -*Applies to*: [.noloc]`Linux` `IPv4` Fargate nodes, [.noloc]`Linux` nodes with Amazon EC2 instances - -By default, when the [.noloc]`Amazon VPC CNI plugin for Kubernetes` creates secondary link:AWSEC2/latest/UserGuide/using-eni.html[elastic network interfaces,type="documentation"] (network interfaces) for your Amazon EC2 node, it creates them in the same subnet as the node's primary network interface. It also associates the same security groups to the secondary network interface that are associated to the primary network interface. For one or more of the following reasons, you might want the plugin to create secondary network interfaces in a different subnet or want to associate different security groups to the secondary network interfaces, or both: - - - -* There's a limited number of `IPv4` addresses that are available in the subnet that the primary network interface is in. This might limit the number of [.noloc]`Pods` that you can create in the subnet. By using a different subnet for secondary network interfaces, you can increase the number of available `IPv4` addresses available for [.noloc]`Pods`. -* For security reasons, your [.noloc]`Pods` might need to use a different subnet or security groups than the node's primary network interface. -* The nodes are configured in public subnets, and you want to place the [.noloc]`Pods` in private subnets. The route table associated to a public subnet includes a route to an internet gateway. The route table associated to a private subnet doesn't include a route to an internet gateway. - - -[[cni-custom-network-considerations,cni-custom-network-considerations.title]] -==== Considerations - -The following are considerations for using the feature. - - - -* With custom networking enabled, no IP addresses assigned to the primary network interface are assigned to [.noloc]`Pods`. Only IP addresses from secondary network interfaces are assigned to [.noloc]`Pods`. -* If your cluster uses the `IPv6` family, you can't use custom networking. -* If you plan to use custom networking only to help alleviate `IPv4` address exhaustion, you can create a cluster using the `IPv6` family instead. For more information, see <>. -* Even though [.noloc]`Pods` deployed to subnets specified for secondary network interfaces can use different subnet and security groups than the node's primary network interface, the subnets and security groups must be in the same VPC as the node. -* For Fargate, subnets are controlled through the Fargate profile. For more information, see <>. - - -[.topic] -[[cni-custom-network-tutorial,cni-custom-network-tutorial.title]] -==== Customizing the secondary network interface in Amazon EKS nodes - -[abstract] --- -Learn how your [.noloc]`Pods` can use different security groups and subnets than the primary elastic network interface of the Amazon EC2 node that they run on. --- - -Complete the following before you start the tutorial: - - - -* Review the considerations -* Familiarity with how the [.noloc]`Amazon VPC CNI plugin for Kubernetes` creates secondary network interfaces and assigns IP addresses to [.noloc]`Pods`. For more information, see https://github.com/aws/amazon-vpc-cni-k8s#eni-allocation[ENI Allocation] on [.noloc]`GitHub`. -* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. -* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. -* We recommend that you complete the steps in this topic in a Bash shell. If you aren't using a Bash shell, some script commands such as line continuation characters and the way variables are set and used require adjustment for your shell. Additionally, the quoting and escaping rules for your shell might be different. For more information, see link:cli/latest/userguide/cli-usage-parameters-quoting-strings.html[Using quotation marks with strings in the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. - -For this tutorial, we recommend using the [.replaceable]`example values`, except where it's noted to replace them. You can replace any [.replaceable]`example value` when completing the steps for a production cluster. We recommend completing all steps in the same terminal. This is because variables are set and used throughout the steps and won't exist in different terminals. - -The commands in this topic are formatted using the conventions listed in link:cli/latest/userguide/welcome-examples.html[Using the {aws} CLI examples,type="documentation"]. If you're running commands from the command line against resources that are in a different {aws} Region than the default {aws} Region defined in the {aws} CLI link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-profiles[profile,type="documentation"] that you're using, then you need to add `--region [.replaceable]``region-code``` to the commands. - -When you want to deploy custom networking to your production cluster, skip to <>. - -[[custom-networking-create-cluster,custom-networking-create-cluster.title]] -===== Step 1: Create a test VPC and cluster - -The following procedures help you create a test VPC and cluster and configure custom networking for that cluster. We don't recommend using the test cluster for production workloads because several unrelated features that you might use on your production cluster aren't covered in this topic. For more information, see <>. - -. Define the `cluster_name` and `account_id` variables.. -+ -[source,bash,subs="verbatim,attributes"] ----- -export cluster_name=my-custom-networking-cluster -account_id=$(aws sts get-caller-identity --query Account --output text) ----- -. Create a VPC. -+ -.. If you are deploying to a test system, create a VPC using an Amazon EKS {aws} CloudFormation template. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws cloudformation create-stack --stack-name my-eks-custom-networking-vpc \ - --template-url https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2020-10-29/amazon-eks-vpc-private-subnets.yaml \ - --parameters ParameterKey=VpcBlock,ParameterValue=192.168.0.0/24 \ - ParameterKey=PrivateSubnet01Block,ParameterValue=192.168.0.64/27 \ - ParameterKey=PrivateSubnet02Block,ParameterValue=192.168.0.96/27 \ - ParameterKey=PublicSubnet01Block,ParameterValue=192.168.0.0/27 \ - ParameterKey=PublicSubnet02Block,ParameterValue=192.168.0.32/27 ----- -+ -The {aws} CloudFormation stack takes a few minutes to create. To check on the stack's deployment status, run the following command. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws cloudformation describe-stacks --stack-name my-eks-custom-networking-vpc --query Stacks\[\].StackStatus --output text ----- -+ -Don't continue to the next step until the output of the command is `CREATE_COMPLETE`. -.. Define variables with the values of the private subnet IDs created by the template. -+ -[source,bash,subs="verbatim,attributes"] ----- -subnet_id_1=$(aws cloudformation describe-stack-resources --stack-name my-eks-custom-networking-vpc \ - --query "StackResources[?LogicalResourceId=='PrivateSubnet01'].PhysicalResourceId" --output text) -subnet_id_2=$(aws cloudformation describe-stack-resources --stack-name my-eks-custom-networking-vpc \ - --query "StackResources[?LogicalResourceId=='PrivateSubnet02'].PhysicalResourceId" --output text) ----- -.. Define variables with the Availability Zones of the subnets retrieved in the previous step. -+ -[source,bash,subs="verbatim,attributes"] ----- -az_1=$(aws ec2 describe-subnets --subnet-ids $subnet_id_1 --query 'Subnets[*].AvailabilityZone' --output text) -az_2=$(aws ec2 describe-subnets --subnet-ids $subnet_id_2 --query 'Subnets[*].AvailabilityZone' --output text) ----- -. Create a cluster IAM role. -+ -.. Run the following command to create an IAM trust policy JSON file. -+ -[source,json,subs="verbatim,attributes"] ----- -cat >eks-cluster-role-trust-policy.json <>. -.. The cluster takes several minutes to create. To check on the cluster's deployment status, run the following command. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks describe-cluster --name my-custom-networking-cluster --query cluster.status ----- -+ -Don't continue to the next step until the output of the command is `"ACTIVE"`. -.. Configure `kubectl` to communicate with your cluster. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks update-kubeconfig --name my-custom-networking-cluster ----- - - -[[custom-networking-configure-vpc,custom-networking-configure-vpc.title]] -===== Step 2: Configure your VPC - -This tutorial requires the VPC created in <>. For a production cluster, adjust the steps accordingly for your VPC by replacing all of the [.replaceable]`example values` with your own. - -. Confirm that your currently-installed [.noloc]`Amazon VPC CNI plugin for Kubernetes` is the latest version. To determine the latest version for the Amazon EKS add-on type and update your version to it, see <>. To determine the latest version for the self-managed add-on type and update your version to it, see <>. -. Retrieve the ID of your cluster VPC and store it in a variable for use in later steps. For a production cluster, replace [.replaceable]`my-custom-networking-cluster` with the name of your cluster. -+ -[source,bash,subs="verbatim,attributes"] ----- -vpc_id=$(aws eks describe-cluster --name my-custom-networking-cluster --query "cluster.resourcesVpcConfig.vpcId" --output text) ----- -. Associate an additional Classless Inter-Domain Routing (CIDR) block with your cluster's VPC. The CIDR block can't overlap with any existing associated CIDR blocks. -+ -.. View the current CIDR blocks associated to your VPC. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws ec2 describe-vpcs --vpc-ids $vpc_id \ - --query 'Vpcs[*].CidrBlockAssociationSet[*].{CIDRBlock: CidrBlock, State: CidrBlockState.State}' --out table ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- ----------------------------------- -| DescribeVpcs | -+-----------------+--------------+ -| CIDRBlock | State | -+-----------------+--------------+ -| 192.168.0.0/24 | associated | -+-----------------+--------------+ ----- -.. Associate an additional CIDR block to your VPC. For more information, see link:vpc/latest/userguide/modify-vpcs.html#add-ipv4-cidr[Associate additional IPv4 CIDR blocks with your VPC,type="documentation"] in the Amazon VPC User Guide. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws ec2 associate-vpc-cidr-block --vpc-id $vpc_id --cidr-block 192.168.1.0/24 ----- -.. Confirm that the new block is associated. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws ec2 describe-vpcs --vpc-ids $vpc_id --query 'Vpcs[*].CidrBlockAssociationSet[*].{CIDRBlock: CidrBlock, State: CidrBlockState.State}' --out table ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- ----------------------------------- -| DescribeVpcs | -+-----------------+--------------+ -| CIDRBlock | State | -+-----------------+--------------+ -| 192.168.0.0/24 | associated | -| 192.168.1.0/24 | associated | -+-----------------+--------------+ ----- - -+ -Don't proceed to the next step until your new CIDR block's `State` is `associated`. -. Create as many subnets as you want to use in each Availability Zone that your existing subnets are in. Specify a CIDR block that's within the CIDR block that you associated with your VPC in a previous step. -+ -.. Create new subnets. The subnets must be created in a different VPC CIDR block than your existing subnets are in, but in the same Availability Zones as your existing subnets. In this example, one subnet is created in the new CIDR block in each Availability Zone that the current private subnets exist in. The IDs of the subnets created are stored in variables for use in later steps. The `Name` values match the values assigned to the subnets created using the Amazon EKS VPC template in a previous step. Names aren't required. You can use different names. -+ -[source,bash,subs="verbatim,attributes"] ----- -new_subnet_id_1=$(aws ec2 create-subnet --vpc-id $vpc_id --availability-zone $az_1 --cidr-block 192.168.1.0/27 \ - --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=my-eks-custom-networking-vpc-PrivateSubnet01},{Key=kubernetes.io/role/internal-elb,Value=1}]' \ - --query Subnet.SubnetId --output text) -new_subnet_id_2=$(aws ec2 create-subnet --vpc-id $vpc_id --availability-zone $az_2 --cidr-block 192.168.1.32/27 \ - --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=my-eks-custom-networking-vpc-PrivateSubnet02},{Key=kubernetes.io/role/internal-elb,Value=1}]' \ - --query Subnet.SubnetId --output text) ----- -+ -IMPORTANT: By default, your new subnets are implicitly associated with your VPC's link:vpc/latest/userguide/VPC_Route_Tables.html#RouteTables[main route table,type="documentation"]. This route table allows communication between all the resources that are deployed in the VPC. However, it doesn't allow communication with resources that have IP addresses that are outside the CIDR blocks that are associated with your VPC. You can associate your own route table to your subnets to change this behavior. For more information, see link:vpc/latest/userguide/VPC_Route_Tables.html#subnet-route-tables[Subnet route tables,type="documentation"] in the Amazon VPC User Guide. -.. View the current subnets in your VPC. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws ec2 describe-subnets --filters "Name=vpc-id,Values=$vpc_id" \ - --query 'Subnets[*].{SubnetId: SubnetId,AvailabilityZone: AvailabilityZone,CidrBlock: CidrBlock}' \ - --output table ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- ----------------------------------------------------------------------- -| DescribeSubnets | -+------------------+--------------------+----------------------------+ -| AvailabilityZone | CidrBlock | SubnetId | -+------------------+--------------------+----------------------------+ -| us-west-2d | 192.168.0.0/27 | subnet-example1 | -| us-west-2a | 192.168.0.32/27 | subnet-example2 | -| us-west-2a | 192.168.0.64/27 | subnet-example3 | -| us-west-2d | 192.168.0.96/27 | subnet-example4 | -| us-west-2a | 192.168.1.0/27 | subnet-example5 | -| us-west-2d | 192.168.1.32/27 | subnet-example6 | -+------------------+--------------------+----------------------------+ ----- -+ -You can see the subnets in the `192.168.1.0` CIDR block that you created are in the same Availability Zones as the subnets in the `192.168.0.0` CIDR block. - - -[[custom-networking-configure-kubernetes,custom-networking-configure-kubernetes.title]] -===== Step 3: Configure [.noloc]`Kubernetes` resources -. Set the `AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG` environment variable to `true` in the `aws-node` [.noloc]`DaemonSet`. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl set env daemonset aws-node -n kube-system AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG=true ----- -. Retrieve the ID of your <> and store it in a variable for use in the next step. Amazon EKS automatically creates this security group when you create your cluster. -+ -[source,bash,subs="verbatim,attributes"] ----- -cluster_security_group_id=$(aws eks describe-cluster --name $cluster_name --query cluster.resourcesVpcConfig.clusterSecurityGroupId --output text) ----- -. [[custom-networking-create-eniconfig]]Create an `ENIConfig` custom resource for each subnet that you want to deploy [.noloc]`Pods` in. -+ -.. Create a unique file for each network interface configuration. -+ -+ -The following commands create separate `ENIConfig` files for the two subnets that were created in a previous step. The value for `name` must be unique. The name is the same as the Availability Zone that the subnet is in. The cluster security group is assigned to the `ENIConfig`. -+ -[source,yaml,subs="verbatim,attributes"] ----- -cat >$az_1.yaml <$az_2.yaml <> later in this tutorial. -+ -NOTE: If you don't specify a valid security group for use with a production cluster and you're using: - -*** version `1.8.0` or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes`, then the security groups associated with the node's primary elastic network interface are used. -*** a version of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` that's earlier than `1.8.0`, then the default security group for the VPC is assigned to secondary network interfaces. - -+ -IMPORTANT: -*** `AWS_VPC_K8S_CNI_EXTERNALSNAT=false` is a default setting in the configuration for the Amazon VPC CNI plugin for [.noloc]`Kubernetes`. If you're using the default setting, then traffic that is destined for IP addresses that aren't within one of the CIDR blocks associated with your VPC use the security groups and subnets of your node's primary network interface. The subnets and security groups defined in your `ENIConfigs` that are used to create secondary network interfaces aren't used for this traffic. For more information about this setting, see <>. -*** If you also use security groups for [.noloc]`Pods`, the security group that's specified in a `SecurityGroupPolicy` is used instead of the security group that's specified in the `ENIConfigs`. For more information, see <>. - -.. Apply each custom resource file that you created to your cluster with the following commands. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl apply -f $az_1.yaml -kubectl apply -f $az_2.yaml ----- -. Confirm that your `ENIConfigs` were created. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl get ENIConfigs ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -NAME AGE -us-west-2a 117s -us-west-2d 105s ----- -. If you're enabling custom networking on a production cluster and named your `ENIConfigs` something other than the Availability Zone that you're using them for, then skip to the <> to deploy Amazon EC2 nodes. -+ -Enable [.noloc]`Kubernetes` to automatically apply the `ENIConfig` for an Availability Zone to any new Amazon EC2 nodes created in your cluster. -+ -.. For the test cluster in this tutorial, skip to the <>. -+ -For a production cluster, check to see if an [.noloc]`annotation` with the key `k8s.amazonaws.com/eniConfig` for the `https://github.com/aws/amazon-vpc-cni-k8s#eni_config_annotation_def[ENI_CONFIG_ANNOTATION_DEF]` environment variable exists in the container spec for the `aws-node` [.noloc]`DaemonSet`. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl describe daemonset aws-node -n kube-system | grep ENI_CONFIG_ANNOTATION_DEF ----- -+ -If output is returned, the annotation exists. If no output is returned, then the variable is not set. For a production cluster, you can use either this setting or the setting in the following step. If you use this setting, it overrides the setting in the following step. In this tutorial, the setting in the next step is used. -.. [[custom-networking-automatically-apply-eniconfig]]Update your `aws-node` [.noloc]`DaemonSet` to automatically apply the `ENIConfig` for an Availability Zone to any new Amazon EC2 nodes created in your cluster. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl set env daemonset aws-node -n kube-system ENI_CONFIG_LABEL_DEF=topology.kubernetes.io/zone ----- - - -[[custom-networking-deploy-nodes,custom-networking-deploy-nodes.title]] -===== Step 4: Deploy Amazon EC2 nodes -. Create a node IAM role. -+ -.. Run the following command to create an IAM trust policy JSON file. -+ -[source,json,subs="verbatim,attributes"] ----- -cat >node-role-trust-relationship.json <>. -. Create one of the following types of node groups. To determine the instance type that you want to deploy, see <>. For this tutorial, complete the *Managed*, *Without a launch template or with a launch template without an AMI ID specified* option. If you're going to use the node group for production workloads, then we recommend that you familiarize yourself with all of the managed node group <> and self-managed node group <> options before deploying the node group. -+ -** *Managed* – Deploy your node group using one of the following options: -+ -*** *Without a launch template or with a launch template without an AMI ID specified* – Run the following command. For this tutorial, use the [.replaceable]`example values`. For a production node group, replace all [.replaceable]`example values` with your own. The node group name can't be longer than 63 characters. It must start with letter or digit, but can also include hyphens and underscores for the remaining characters. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks create-nodegroup --cluster-name $cluster_name --nodegroup-name my-nodegroup \ - --subnets $subnet_id_1 $subnet_id_2 --instance-types t3.medium --node-role $node_role_arn ----- -*** *With a launch template with a specified AMI ID*:: - -+ -.... Determine the Amazon EKS recommended number of maximum [.noloc]`Pods `for your nodes. Follow the instructions in <>, adding `--cni-custom-networking-enabled` to step 3 in that topic. Note the output for use in the next step. -.... In your launch template, specify an Amazon EKS optimized AMI ID, or a custom AMI built off the Amazon EKS optimized AMI, then <> and provide the following user data in the launch template. This user data passes arguments into the `bootstrap.sh` file. For more information about the bootstrap file, see https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap.sh] on [.noloc]`GitHub`. You can replace [.replaceable]`20` with either the value from the previous step (recommended) or your own value. -+ -[source,bash,subs="verbatim,attributes"] ----- -/etc/eks/bootstrap.sh my-cluster --use-max-pods false --kubelet-extra-args '--max-pods=20' ----- -+ -If you've created a custom AMI that is not built off the Amazon EKS optimized AMI, then you need to custom create the configuration yourself. -** *Self-managed*:: - -+ -... Determine the Amazon EKS recommended number of maximum [.noloc]`Pods` for your nodes. Follow the instructions in <>, adding `--cni-custom-networking-enabled` to step 3 in that topic. Note the output for use in the next step. -... Deploy the node group using the instructions in <>. Specify the following text for the *BootstrapArguments* parameter. You can replace [.replaceable]`20` with either the value from the previous step (recommended) or your own value. -+ -[source,bash,subs="verbatim,attributes"] ----- ---use-max-pods false --kubelet-extra-args '--max-pods=20' ----- -+ -NOTE: If you want nodes in a production cluster to support a significantly higher number of [.noloc]`Pods`, run the script in <> again. Also, add the `--cni-prefix-delegation-enabled` option to the command. For example, [.replaceable]`110` is returned for an `m5.large` instance type. For instructions on how to enable this capability, see <>. You can use this capability with custom networking. -+ -Node group creation takes several minutes. You can check the status of the creation of a managed node group with the following command. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks describe-nodegroup --cluster-name $cluster_name --nodegroup-name my-nodegroup --query nodegroup.status --output text ----- -+ -Don't continue to the next step until the output returned is `ACTIVE`. -. [[custom-networking-annotate-eniconfig]]For the tutorial, you can skip this step. -+ -For a production cluster, if you didn't name your `ENIConfigs` the same as the Availability Zone that you're using them for, then you must annotate your nodes with the `ENIConfig` name that should be used with the node. This step isn't necessary if you only have one subnet in each Availability Zone and you named your `ENIConfigs` with the same names as your Availability Zones. This is because the [.noloc]`Amazon VPC CNI plugin for Kubernetes` automatically associates the correct `ENIConfig` with the node for you when you enabled it to do so in a <>. -+ -.. Get the list of nodes in your cluster. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl get nodes ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -NAME STATUS ROLES AGE VERSION -ip-192-168-0-126.us-west-2.compute.internal Ready 8m49s v1.22.9-eks-810597c -ip-192-168-0-92.us-west-2.compute.internal Ready 8m34s v1.22.9-eks-810597c ----- -.. Determine which Availability Zone each node is in. Run the following command for each node that was returned in the previous step. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws ec2 describe-instances --filters Name=network-interface.private-dns-name,Values=ip-192-168-0-126.us-west-2.compute.internal \ ---query 'Reservations[].Instances[].{AvailabilityZone: Placement.AvailabilityZone, SubnetId: SubnetId}' ----- -+ -An example output is as follows. -+ -[source,json,subs="verbatim,attributes"] ----- -[ - { - "AvailabilityZone": "us-west-2d", - "SubnetId": "subnet-Example5" - } -] ----- -.. Annotate each node with the `ENIConfig` that you created for the subnet ID and Availability Zone. You can only annotate a node with one `ENIConfig`, though multiple nodes can be annotated with the same `ENIConfig`. Replace the [.replaceable]`example values` with your own. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl annotate node ip-192-168-0-126.us-west-2.compute.internal k8s.amazonaws.com/eniConfig=EniConfigName1 -kubectl annotate node ip-192-168-0-92.us-west-2.compute.internal k8s.amazonaws.com/eniConfig=EniConfigName2 ----- -. [[custom-networking-terminate-existing-nodes]]If you had nodes in a production cluster with running [.noloc]`Pods` before you switched to using the custom networking feature, complete the following tasks: -+ -.. Make sure that you have available nodes that are using the custom networking feature. -.. Cordon and drain the nodes to gracefully shut down the [.noloc]`Pods`. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/[Safely Drain a Node] in the [.noloc]`Kubernetes` documentation. -.. Terminate the nodes. If the nodes are in an existing managed node group, you can delete the node group. Copy the command that follows to your device. Make the following modifications to the command as needed and then run the modified command: -+ -*** Replace [.replaceable]`my-cluster` with the name for your cluster. -*** Replace [.replaceable]`my-nodegroup` with the name for your node group. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks delete-nodegroup --cluster-name my-cluster --nodegroup-name my-nodegroup ----- - -+ -Only new nodes that are registered with the `k8s.amazonaws.com/eniConfig` label use the custom networking feature. -. Confirm that [.noloc]`Pods` are assigned an IP address from a CIDR block that's associated to one of the subnets that you created in a previous step. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl get pods -A -o wide ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES -kube-system aws-node-2rkn4 1/1 Running 0 7m19s 192.168.0.92 ip-192-168-0-92.us-west-2.compute.internal -kube-system aws-node-k96wp 1/1 Running 0 7m15s 192.168.0.126 ip-192-168-0-126.us-west-2.compute.internal -kube-system coredns-657694c6f4-smcgr 1/1 Running 0 56m 192.168.1.23 ip-192-168-0-92.us-west-2.compute.internal -kube-system coredns-657694c6f4-stwv9 1/1 Running 0 56m 192.168.1.28 ip-192-168-0-92.us-west-2.compute.internal -kube-system kube-proxy-jgshq 1/1 Running 0 7m19s 192.168.0.92 ip-192-168-0-92.us-west-2.compute.internal -kube-system kube-proxy-wx9vk 1/1 Running 0 7m15s 192.168.0.126 ip-192-168-0-126.us-west-2.compute.internal ----- -+ -You can see that the coredns [.noloc]`Pods` are assigned IP addresses from the `192.168.1.0` CIDR block that you added to your VPC. Without custom networking, they would have been assigned addresses from the `192.168.0.0` CIDR block, because it was the only CIDR block originally associated with the VPC. -+ -If a [.noloc]`Pod's` `spec` contains `hostNetwork=true`, it's assigned the primary IP address of the node. It isn't assigned an address from the subnets that you added. By default, this value is set to `false`. This value is set to `true` for the `kube-proxy` and [.noloc]`Amazon VPC CNI plugin for Kubernetes` (`aws-node`) [.noloc]`Pods` that run on your cluster. This is why the `kube-proxy` and the plugin's `aws-node` [.noloc]`Pods` aren't assigned `192.168.1.[.replaceable]``x``` addresses in the previous output. For more information about a [.noloc]`Pod's` `hostNetwork` setting, see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#podspec-v1-core[PodSpec v1 core] in the [.noloc]`Kubernetes` API reference. - - -[[custom-network-delete-resources,custom-network-delete-resources.title]] -===== Step 5: Delete tutorial resources - -After you complete the tutorial, we recommend that you delete the resources that you created. You can then adjust the steps to enable custom networking for a production cluster. - -. If the node group that you created was just for testing, then delete it. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks delete-nodegroup --cluster-name $cluster_name --nodegroup-name my-nodegroup ----- -+ -Even after the {aws} CLI output says that the cluster is deleted, the delete process might not actually be complete. The delete process takes a few minutes. Confirm that it's complete by running the following command. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks describe-nodegroup --cluster-name $cluster_name --nodegroup-name my-nodegroup --query nodegroup.status --output text ----- -+ -Don't continue until the returned output is similar to the following output. -+ -[source,bash,subs="verbatim,attributes"] ----- -An error occurred (ResourceNotFoundException) when calling the DescribeNodegroup operation: No node group found for name: my-nodegroup. ----- -. If the node group that you created was just for testing, then delete the node IAM role. -+ -.. Detach the policies from the role. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws iam detach-role-policy --role-name myCustomNetworkingNodeRole --policy-arn {arn-aws}iam::aws:policy/AmazonEKSWorkerNodePolicy -aws iam detach-role-policy --role-name myCustomNetworkingNodeRole --policy-arn {arn-aws}iam::aws:policy/AmazonEC2ContainerRegistryReadOnly -aws iam detach-role-policy --role-name myCustomNetworkingNodeRole --policy-arn {arn-aws}iam::aws:policy/AmazonEKS_CNI_Policy ----- -.. Delete the role. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws iam delete-role --role-name myCustomNetworkingNodeRole ----- -. Delete the cluster. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks delete-cluster --name $cluster_name ----- -+ -Confirm the cluster is deleted with the following command. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks describe-cluster --name $cluster_name --query cluster.status --output text ----- -+ -When output similar to the following is returned, the cluster is successfully deleted. -+ -[source,bash,subs="verbatim,attributes"] ----- -An error occurred (ResourceNotFoundException) when calling the DescribeCluster operation: No cluster found for name: my-cluster. ----- -. Delete the cluster IAM role. -+ -.. Detach the policies from the role. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws iam detach-role-policy --role-name myCustomNetworkingAmazonEKSClusterRole --policy-arn {arn-aws}iam::aws:policy/AmazonEKSClusterPolicy ----- -.. Delete the role. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws iam delete-role --role-name myCustomNetworkingAmazonEKSClusterRole ----- -. Delete the subnets that you created in a previous step. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws ec2 delete-subnet --subnet-id $new_subnet_id_1 -aws ec2 delete-subnet --subnet-id $new_subnet_id_2 ----- -. Delete the VPC that you created. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws cloudformation delete-stack --stack-name my-eks-custom-networking-vpc ----- - - -[.topic] -[[cni-increase-ip-addresses,cni-increase-ip-addresses.title]] -=== Assign more IP addresses to Amazon EKS nodes with prefixes - -[abstract] --- -Learn how to significantly increase the number of IP addresses that you can assign to [.noloc]`Pods` by assigning IP prefixes with Amazon EKS, improving scalability and reducing launch delays for large and spiky workloads. --- - -*Applies to*: Linux and Windows nodes with Amazon EC2 instances - -*Applies to*: Public and private subnets - -Each Amazon EC2 instance supports a maximum number of elastic network interfaces and a maximum number of IP addresses that can be assigned to each network interface. Each node requires one IP address for each network interface. All other available IP addresses can be assigned to `Pods`. Each `Pod` requires its own IP address. As a result, you might have nodes that have available compute and memory resources, but can't accommodate additional `Pods` because the node has run out of IP addresses to assign to `Pods`. - -You can increase the number of IP addresses that nodes can assign to `Pods` by assigning IP prefixes, rather than assigning individual secondary IP addresses to your nodes. Each prefix includes several IP addresses. If you don't configure your cluster for IP prefix assignment, your cluster must make more Amazon EC2 application programming interface (API) calls to configure network interfaces and IP addresses necessary for [.noloc]`Pod` connectivity. As clusters grow to larger sizes, the frequency of these API calls can lead to longer [.noloc]`Pod` and instance launch times. This results in scaling delays to meet the demand of large and spiky workloads, and adds cost and management overhead because you need to provision additional clusters and VPCs to meet scaling requirements. For more information, see https://github.com/kubernetes/community/blob/master/sig-scalability/configs-and-limits/thresholds.md[Kubernetes Scalability thresholds] on GitHub. - -[[cni-increase-ip-addresses-compatability,cni-increase-ip-addresses-compatability.title]] -==== Compatibility with [.noloc]`Amazon VPC CNI plugin for Kubernetes` features - -You can use IP prefixes with the following features: - - - -* IPv4 Source Network Address Translation - For more information, see <>. -* IPv6 addresses to clusters, Pods, and services - For more information, see <>. -* Restricting traffic using [.noloc]`Kubernetes` network policies - For more information, see <>. - -The following list provides information about the Amazon VPC CNI plugin settings that apply. For more information about each setting, see https://github.com/aws/amazon-vpc-cni-k8s/blob/master/README.md[amazon-vpc-cni-k8s] on [.noloc]`GitHub`. - - - -* `WARM_IP_TARGET` -* `MINIMUM_IP_TARGET` -* `WARM_PREFIX_TARGET` - - -[[cni-increase-ip-addresses-considerations,cni-increase-ip-addresses-considerations.title]] -==== Considerations - -Consider the following when you use this feature: - - - -* Each Amazon EC2 instance type supports a maximum number of [.noloc]`Pods`. If your managed node group consists of multiple instance types, the smallest number of maximum [.noloc]`Pods` for an instance in the cluster is applied to all nodes in the cluster. -* By default, the maximum number of `Pods` that you can run on a node is 110, but you can change that number. If you change the number and have an existing managed node group, the next AMI or launch template update of your node group results in new nodes coming up with the changed value. -* When transitioning from assigning IP addresses to assigning IP prefixes, we recommend that you create new node groups to increase the number of available IP addresses, rather than doing a rolling replacement of existing nodes. Running [.noloc]`Pods` on a node that has both IP addresses and prefixes assigned can lead to inconsistency in the advertised IP address capacity, impacting the future workloads on the node. For the recommended way of performing the transition, see https://github.com/aws/aws-eks-best-practices/blob/master/content/networking/prefix-mode/index_windows.md#replace-all-nodes-during-migration-from-secondary-ip-mode-to-prefix-delegation-mode-or-vice-versa[Replace all nodes during migration from Secondary IP mode to Prefix Delegation mode or vice versa] in the Amazon EKS best practices guide. -* The security group scope is at the node-level - For more information, see link:vpc/latest/userguide/VPC_SecurityGroups.html[Security group,type="documentation"]. -* IP prefixes assigned to a network interface support high [.noloc]`Pod` density per node and have the best launch time. -* IP prefixes and IP addresses are associated with standard Amazon EC2 elastic network interfaces. Pods requiring specific security groups are assigned the primary IP address of a branch network interface. You can mix [.noloc]`Pods` getting IP addresses, or IP addresses from IP prefixes with [.noloc]`Pods` getting branch network interfaces on the same node. -* For clusters with Linux nodes only. -+ -** After you configure the add-on to assign prefixes to network interfaces, you can't downgrade your [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on to a version lower than `1.9.0` (or `1.10.1`) without removing all nodes in all node groups in your cluster. -** If you're also using security groups for [.noloc]`Pods`, with `POD_SECURITY_GROUP_ENFORCING_MODE`=``standard`` and `AWS_VPC_K8S_CNI_EXTERNALSNAT`=``false``, when your [.noloc]`Pods` communicate with endpoints outside of your VPC, the node's security groups are used, rather than any security groups you've assigned to your [.noloc]`Pods`. -+ -If you're also using <>, with `POD_SECURITY_GROUP_ENFORCING_MODE`=``strict``, when your `Pods` communicate with endpoints outside of your VPC, the `Pod's` security groups are used. - - -[.topic] -[[cni-increase-ip-addresses-procedure,cni-increase-ip-addresses-procedure.title]] -==== Increase the available IP addresses for your Amazon EKS node - -You can increase the number of IP addresses that nodes can assign to [.noloc]`Pods` by assigning IP prefixes, rather than assigning individual secondary IP addresses to your nodes. - -Complete the following before you start the procedure: - - - -* Review the considerations. -* You need an existing cluster. To deploy one, see <>. -* The subnets that your Amazon EKS nodes are in must have sufficient contiguous `/28` (for `IPv4` clusters) or `/80` (for `IPv6` clusters) Classless Inter-Domain Routing (CIDR) blocks. You can only have Linux nodes in an `IPv6` cluster. Using IP prefixes can fail if IP addresses are scattered throughout the subnet CIDR. We recommend that following: -+ -** Using a subnet CIDR reservation so that even if any IP addresses within the reserved range are still in use, upon their release, the IP addresses aren't reassigned. This ensures that prefixes are available for allocation without segmentation. -** Use new subnets that are specifically used for running the workloads that IP prefixes are assigned to. Both [.noloc]`Windows` and [.noloc]`Linux` workloads can run in the same subnet when assigning IP prefixes. -* To assign IP prefixes to your nodes, your nodes must be {aws} Nitro-based. Instances that aren't Nitro-based continue to allocate individual secondary IP addresses, but have a significantly lower number of IP addresses to assign to [.noloc]`Pods` than [.noloc]`Nitro-based` instances do. -* *For clusters with [.noloc]`Linux` nodes only* – If your cluster is configured for the `IPv4` family, you must have version `1.9.0` or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on installed. You can check your current version with the following command. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl describe daemonset aws-node --namespace kube-system | grep Image | cut -d "/" -f 2 ----- -+ -If your cluster is configured for the `IPv6` family, you must have version `1.10.1` of the add-on installed. If your plugin version is earlier than the required versions, you must update it. For more information, see the updating sections of <>. -* *For clusters with [.noloc]`Windows` nodes only*:: - -+ -** Your cluster and its platform version must be at, or later than the versions in the following table. To upgrade your cluster version, see <>. If your cluster isn't at the minimum platform version, then you can't assign IP prefixes to your nodes until Amazon EKS has updated your platform version. -+ -[cols="1,1", options="header"] -|=== -|Kubernetes version -|Platform version - - -|`1.27` -|`eks.3` - -|`1.26` -|`eks.4` - -|`1.25` -|`eks.5` -|=== -+ -You can check your current [.noloc]`Kubernetes` and platform version by replacing [.replaceable]`my-cluster` in the following command with the name of your cluster and then running the modified command: `aws eks describe-cluster --name [.replaceable]``my-cluster`` --query 'cluster.{"Kubernetes Version": version, "Platform Version": platformVersion}'`. -** [.noloc]`Windows` support enabled for your cluster. For more information, see <>. -. Configure your cluster to assign IP address prefixes to nodes. Complete the procedure on the tab that matches your node's operating system. -+ -[.noloc]`Linux`::: -... Enable the parameter to assign prefixes to network interfaces for the Amazon VPC CNI [.noloc]`DaemonSet`. When you deploy a `1.21` or later cluster, version `1.10.1` or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on is deployed with it. If you created the cluster with the `IPv6` family, this setting was set to `true` by default. If you created the cluster with the `IPv4` family, this setting was set to `false` by default. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl set env daemonset aws-node -n kube-system ENABLE_PREFIX_DELEGATION=true ----- -+ -IMPORTANT: Even if your subnet has available IP addresses, if the subnet does not have any contiguous `/28` blocks available, you will see the following error in the [.noloc]`Amazon VPC CNI plugin for Kubernetes` logs. - -[source,bash,subs="verbatim,attributes"] ----- -InsufficientCidrBlocks: The specified subnet does not have enough free cidr blocks to satisfy the request ----- - -This can happen due to fragmentation of existing secondary IP addresses spread out across a subnet. To resolve this error, either create a new subnet and launch [.noloc]`Pods` there, or use an Amazon EC2 subnet CIDR reservation to reserve space within a subnet for use with prefix assignment. For more information, see link:vpc/latest/userguide/subnet-cidr-reservation.html[Subnet CIDR reservations,type="documentation"] in the Amazon VPC User Guide. -... If you plan to deploy a managed node group without a launch template, or with a launch template that you haven't specified an AMI ID in, and you're using a version of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` at or later than the versions listed in the prerequisites, then skip to the next step. Managed node groups automatically calculates the maximum number of [.noloc]`Pods` for you. -+ -If you're deploying a self-managed node group or a managed node group with a launch template that you have specified an AMI ID in, then you must determine the Amazon EKS recommend number of maximum [.noloc]`Pods` for your nodes. Follow the instructions in <>, adding `--cni-prefix-delegation-enabled` to step 3. Note the output for use in a later step. -+ -IMPORTANT: Managed node groups enforces a maximum number on the value of `maxPods`. For instances with less than 30 vCPUs the maximum number is 110 and for all other instances the maximum number is 250. This maximum number is applied whether prefix delegation is enabled or not. -... If you're using a `1.21` or later cluster configured for `IPv6`, skip to the next step. -+ -Specify the parameters in one of the following options. To determine which option is right for you and what value to provide for it, see https://github.com/aws/amazon-vpc-cni-k8s/blob/master/docs/prefix-and-ip-target.md[WARM_PREFIX_TARGET, WARM_IP_TARGET, and MINIMUM_IP_TARGET] on [.noloc]`GitHub`. -+ -You can replace the [.replaceable]`example values` with a value greater than zero. -+ -**** `WARM_PREFIX_TARGET` -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl set env ds aws-node -n kube-system WARM_PREFIX_TARGET=1 ----- -**** `WARM_IP_TARGET` or `MINIMUM_IP_TARGET` – If either value is set, it overrides any value set for `WARM_PREFIX_TARGET`. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl set env ds aws-node -n kube-system WARM_IP_TARGET=5 ----- -[source,bash,subs="verbatim,attributes"] ----- -kubectl set env ds aws-node -n kube-system MINIMUM_IP_TARGET=2 ----- -... Create one of the following types of node groups with at least one Amazon EC2 Nitro Amazon Linux 2 instance type. For a list of Nitro instance types, see link:AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances[Instances built on the Nitro System,type="documentation"] in the Amazon EC2 User Guide. This capability is not supported on [.noloc]`Windows`. For the options that include [.replaceable]`110`, replace it with either the value from step 3 (recommended), or your own value. -+ -**** *Self-managed* – Deploy the node group using the instructions in <>. Specify the following text for the *BootstrapArguments* parameter. -+ -[source,bash,subs="verbatim,attributes"] ----- ---use-max-pods false --kubelet-extra-args '--max-pods=110' ----- -+ -If you're using `eksctl` to create the node group, you can use the following command. -+ -[source,bash,subs="verbatim,attributes"] ----- -eksctl create nodegroup --cluster my-cluster --managed=false --max-pods-per-node 110 ----- -**** *Managed* – Deploy your node group using one of the following options: -+ -***** *Without a launch template or with a launch template without an AMI ID specified* – Complete the procedure in <>. Managed node groups automatically calculates the Amazon EKS recommended `max-pods` value for you. -***** *With a launch template with a specified AMI ID* – In your launch template, specify an Amazon EKS optimized AMI ID, or a custom AMI built off the Amazon EKS optimized AMI, then <> and provide the following user data in the launch template. This user data passes arguments into the `bootstrap.sh` file. For more information about the bootstrap file, see https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap.sh] on [.noloc]`GitHub`. -+ -[source,bash,subs="verbatim,attributes"] ----- -/etc/eks/bootstrap.sh my-cluster \ - --use-max-pods false \ - --kubelet-extra-args '--max-pods=110' ----- -+ -If you're using `eksctl` to create the node group, you can use the following command. -+ -[source,bash,subs="verbatim,attributes"] ----- -eksctl create nodegroup --cluster my-cluster --max-pods-per-node 110 ----- -+ -If you've created a custom AMI that is not built off the Amazon EKS optimized AMI, then you need to custom create the configuration yourself. -+ -NOTE: If you also want to assign IP addresses to [.noloc]`Pods` from a different subnet than the instance's, then you need to enable the capability in this step. For more information, see <>. - - -[.noloc]`Windows`::: -... Enable assignment of IP prefixes. -+ -.... Open the `amazon-vpc-cni` `ConfigMap` for editing. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl edit configmap -n kube-system amazon-vpc-cni -o yaml ----- -.... Add the following line to the `data` section. -+ -[source,yaml,subs="verbatim,attributes"] ----- - enable-windows-prefix-delegation: "true" ----- -.... Save the file and close the editor. -.... Confirm that the line was added to the `ConfigMap`. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl get configmap -n kube-system amazon-vpc-cni -o "jsonpath={.data.enable-windows-prefix-delegation}" ----- -+ -If the returned output isn't `true`, then there might have been an error. Try completing the step again. -+ -IMPORTANT: Even if your subnet has available IP addresses, if the subnet does not have any contiguous `/28` blocks available, you will see the following error in the node events. - -[source,bash,subs="verbatim,attributes"] ----- -"failed to allocate a private IP/Prefix address: InsufficientCidrBlocks: The specified subnet does not have enough free cidr blocks to satisfy the request" ----- - -This can happen due to fragmentation of existing secondary IP addresses spread out across a subnet. To resolve this error, either create a new subnet and launch [.noloc]`Pods` there, or use an Amazon EC2 subnet CIDR reservation to reserve space within a subnet for use with prefix assignment. For more information, see link:vpc/latest/userguide/subnet-cidr-reservation.html[Subnet CIDR reservations,type="documentation"] in the Amazon VPC User Guide. -... (Optional) Specify additional configuration for controlling the pre-scaling and dynamic scaling behavior for your cluster. For more information, see https://github.com/aws/amazon-vpc-resource-controller-k8s/blob/master/docs/windows/prefix_delegation_config_options.md[Configuration options with Prefix Delegation mode on Windows] on GitHub. -+ -.... Open the `amazon-vpc-cni` `ConfigMap` for editing. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl edit configmap -n kube-system amazon-vpc-cni -o yaml ----- -.... Replace the [.replaceable]`example values` with a value greater than zero and add the entries that you require to the `data` section of the `ConfigMap`. If you set a value for either `warm-ip-target` or `minimum-ip-target`, the value overrides any value set for `warm-prefix-target`. -+ -[source,yaml,subs="verbatim,attributes"] ----- - warm-prefix-target: "1" - warm-ip-target: "5" - minimum-ip-target: "2" ----- -.... Save the file and close the editor. -... Create [.noloc]`Windows` node groups with at least one Amazon EC2 [.noloc]`Nitro` instance type. For a list of [.noloc]`Nitro` instance types, see link:AWSEC2/latest/WindowsGuide/instance-types.html#ec2-nitro-instances[Instances built on the Nitro System,type="documentation"] in the Amazon EC2 User Guide. By default, the maximum number of [.noloc]`Pods` that you can deploy to a node is 110. If you want to increase or decrease that number, specify the following in the user data for the bootstrap configuration. Replace [.replaceable]`max-pods-quantity` with your max pods value. -+ -[source,bash,subs="verbatim,attributes"] ----- --KubeletExtraArgs '--max-pods=max-pods-quantity' ----- -+ -If you're deploying managed node groups, this configuration needs to be added in the launch template. For more information, see <>. For more information about the configuration parameters for [.noloc]`Windows` bootstrap script, see <>. -. Once your nodes are deployed, view the nodes in your cluster. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl get nodes ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -NAME STATUS ROLES AGE VERSION -ip-192-168-22-103.region-code.compute.internal Ready 19m v1.XX.X-eks-6b7464 -ip-192-168-97-94.region-code.compute.internal Ready 19m v1.XX.X-eks-6b7464 ----- -. Describe one of the nodes to determine the value of `max-pods` for the node and the number of available IP addresses. Replace [.replaceable]`192.168.30.193` with the `IPv4` address in the name of one of your nodes returned in the previous output. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl describe node ip-192-168-30-193.region-code.compute.internal | grep 'pods\|PrivateIPv4Address' ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -pods: 110 -vpc.amazonaws.com/PrivateIPv4Address: 144 ----- -+ -In the previous output, `110` is the maximum number of [.noloc]`Pods` that [.noloc]`Kubernetes` will deploy to the node, even though [.replaceable]`144` IP addresses are available. - - -[.topic] -[[security-groups-for-pods,security-groups-for-pods.title]] -=== Assign security groups to individual [.noloc]`pods` - -[abstract] --- -Learn how to configure security groups for [.noloc]`Pods` on Amazon EKS, integrating Amazon EC2 security groups with [.noloc]`Kubernetes` [.noloc]`Pods` to define network traffic rules. Discover the considerations, setup process, and deploy a sample application with assigned security groups. --- - -*Applies to*: [.noloc]`Linux` nodes with Amazon EC2 instances - -*Applies to*: Private subnets - -Security groups for [.noloc]`Pods` integrate Amazon EC2 security groups with [.noloc]`Kubernetes` [.noloc]`Pods`. You can use Amazon EC2 security groups to define rules that allow inbound and outbound network traffic to and from [.noloc]`Pods` that you deploy to nodes running on many Amazon EC2 instance types and Fargate. For a detailed explanation of this capability, see the link:containers/introducing-security-groups-for-pods[Introducing security groups for Pods,type="blog"] blog post. - -[[security-groups-for-pods-compatability,security-groups-for-pods-compatability.title]] -==== Compatibility with [.noloc]`Amazon VPC CNI plugin for Kubernetes` features - -You can use security groups for [.noloc]`Pods` with the following features: - - - -* IPv4 Source Network Address Translation - For more information, see <>. -* IPv6 addresses to clusters, Pods, and services - For more information, see <>. -* Restricting traffic using [.noloc]`Kubernetes` network policies - For more information, see <>. - - -[[sg-pods-considerations,sg-pods-considerations.title]] -==== Considerations - -Before deploying security groups for [.noloc]`Pods`, consider the following limitations and conditions: - - - -* Security groups for [.noloc]`Pods` can't be used with [.noloc]`Windows` nodes. -* Security groups for [.noloc]`Pods` can be used with clusters configured for the `IPv6` family that contain Amazon EC2 nodes by using version 1.16.0 or later of the Amazon VPC CNI plugin. You can use security groups for [.noloc]`Pods` with clusters configure `IPv6` family that contain only Fargate nodes by using version 1.7.7 or later of the Amazon VPC CNI plugin. For more information, see <> -* Security groups for [.noloc]`Pods` are supported by most link:AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances[Nitro-based,type="documentation"] Amazon EC2 instance families, though not by all generations of a family. For example, the `m5`, `c5`, `r5`, `m6g`, `c6g`, and `r6g` instance family and generations are supported. No instance types in the `t` family are supported. For a complete list of supported instance types, see the https://github.com/aws/amazon-vpc-resource-controller-k8s/blob/v1.5.0/pkg/aws/vpc/limits.go[limits.go] file on [.noloc]`GitHub`. Your nodes must be one of the listed instance types that have `IsTrunkingCompatible: true` in that file. -* If you're also using [.noloc]`Pod` security policies to restrict access to [.noloc]`Pod` mutation, then the `eks:vpc-resource-controller` [.noloc]`Kubernetes` user must be specified in the [.noloc]`Kubernetes` `ClusterRoleBinding` for the `role` that your `psp` is assigned to. If you're using the default Amazon EKS `psp`, `role`, and `ClusterRoleBinding`, this is the `eks:podsecuritypolicy:authenticated` `ClusterRoleBinding`. For example, you add the user to the `subjects:` section, as shown in the following example: -+ -[source,yaml,subs="verbatim,attributes"] ----- -[...] -subjects: - - kind: Group - apiGroup: rbac.authorization.k8s.io - name: system:authenticated - - apiGroup: rbac.authorization.k8s.io - kind: User - name: eks:vpc-resource-controller - - kind: ServiceAccount - name: eks-vpc-resource-controller ----- -* If you're using custom networking and security groups for [.noloc]`Pods` together, the security group specified by security groups for [.noloc]`Pods` is used instead of the security group specified in the `ENIConfig`. -* If you're using version `1.10.2` or earlier of the Amazon VPC CNI plugin and you include the `terminationGracePeriodSeconds` setting in your [.noloc]`Pod` spec, the value for the setting can't be zero. -* If you're using version `1.10` or earlier of the Amazon VPC CNI plugin, or version `1.11` with `POD_SECURITY_GROUP_ENFORCING_MODE`=``strict``, which is the default setting, then [.noloc]`Kubernetes` services of type `NodePort` and `LoadBalancer` using instance targets with an `externalTrafficPolicy` set to `Local` aren't supported with [.noloc]`Pods` that you assign security groups to. For more information about using a load balancer with instance targets, see <>. -* If you're using version `1.10` or earlier of the Amazon VPC CNI plugin or version `1.11` with `POD_SECURITY_GROUP_ENFORCING_MODE`=``strict``, which is the default setting, source NAT is disabled for outbound traffic from [.noloc]`Pods` with assigned security groups so that outbound security group rules are applied. To access the internet, [.noloc]`Pods` with assigned security groups must be launched on nodes that are deployed in a private subnet configured with a NAT gateway or instance. [.noloc]`Pods` with assigned security groups deployed to public subnets are not able to access the internet. -+ -If you're using version `1.11` or later of the plugin with `POD_SECURITY_GROUP_ENFORCING_MODE`=``standard``, then [.noloc]`Pod` traffic destined for outside of the VPC is translated to the IP address of the instance's primary network interface. For this traffic, the rules in the security groups for the primary network interface are used, rather than the rules in the [.noloc]`Pod's` security groups. -* To use [.noloc]`Calico` network policy with [.noloc]`Pods` that have associated security groups, you must use version `1.11.0` or later of the Amazon VPC CNI plugin and set `POD_SECURITY_GROUP_ENFORCING_MODE`=``standard``. Otherwise, traffic flow to and from [.noloc]`Pods` with associated security groups are not subjected to [.noloc]`Calico` network policy enforcement and are limited to Amazon EC2 security group enforcement only. To update your Amazon VPC CNI version, see <> -* [.noloc]`Pods` running on Amazon EC2 nodes that use security groups in clusters that use https://kubernetes.io/docs/tasks/administer-cluster/nodelocaldns/[NodeLocal DNSCache] are only supported with version `1.11.0` or later of the Amazon VPC CNI plugin and with `POD_SECURITY_GROUP_ENFORCING_MODE`=``standard``. To update your Amazon VPC CNI plugin version, see <> -* Security groups for [.noloc]`Pods` might lead to higher [.noloc]`Pod` startup latency for [.noloc]`Pods` with high churn. This is due to rate limiting in the resource controller. -* The EC2 security group scope is at the [.noloc]`Pod`-level - For more information, see link:vpc/latest/userguide/VPC_SecurityGroups.html[Security group,type="documentation"]. -+ -If you set `POD_SECURITY_GROUP_ENFORCING_MODE=standard` and `AWS_VPC_K8S_CNI_EXTERNALSNAT=false`, traffic destined for endpoints outside the VPC use the node's security groups, not the [.noloc]`Pod's` security groups. - - -[.topic] -[[security-groups-pods-deployment,security-groups-pods-deployment.title]] -==== Configure the [.noloc]`Amazon VPC CNI plugin for Kubernetes` for security groups for Amazon EKS [.noloc]`Pods` - -If you use [.noloc]`Pods` with Amazon EC2 instances, you need to configure the [.noloc]`Amazon VPC CNI plugin for Kubernetes` for security groups - -If you use Fargate [.noloc]`Pods` only, and don't have any Amazon EC2 nodes in your cluster, see <>. - -. Check your current [.noloc]`Amazon VPC CNI plugin for Kubernetes` version with the following command: -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl describe daemonset aws-node --namespace kube-system | grep amazon-k8s-cni: | cut -d : -f 3 ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -v1.7.6 ----- -+ -If your [.noloc]`Amazon VPC CNI plugin for Kubernetes` version is earlier than `1.7.7`, then update the plugin to version `1.7.7` or later. For more information, see <> -. Add the link:iam/home#/policies/arn:aws:iam::aws:policy/AmazonEKSVPCResourceController[AmazonEKSVPCResourceController,type="console"] managed IAM policy to the <> that is associated with your Amazon EKS cluster. The policy allows the role to manage network interfaces, their private IP addresses, and their attachment and detachment to and from network instances. -+ -.. Retrieve the name of your cluster IAM role and store it in a variable. Replace [.replaceable]`my-cluster` with the name of your cluster. -+ -[source,bash,subs="verbatim,attributes"] ----- -cluster_role=$(aws eks describe-cluster --name my-cluster --query cluster.roleArn --output text | cut -d / -f 2) ----- -.. Attach the policy to the role. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws iam attach-role-policy --policy-arn {arn-aws}iam::aws:policy/AmazonEKSVPCResourceController --role-name $cluster_role ----- -. Enable the Amazon VPC CNI add-on to manage network interfaces for [.noloc]`Pods` by setting the `ENABLE_POD_ENI` variable to `true` in the `aws-node` [.noloc]`DaemonSet`. Once this setting is set to `true`, for each node in the cluster the add-on creates a `cninode` custom resource. The VPC resource controller creates and attaches one special network interface called a _trunk network interface_ with the description `aws-k8s-trunk-eni`. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl set env daemonset aws-node -n kube-system ENABLE_POD_ENI=true ----- -+ -NOTE: The trunk network interface is included in the maximum number of network interfaces supported by the instance type. For a list of the maximum number of network interfaces supported by each instance type, see link:AWSEC2/latest/UserGuide/using-eni.html#AvailableIpPerENI[IP addresses per network interface per instance type,type="documentation"] in the _Amazon EC2 User Guide_. If your node already has the maximum number of standard network interfaces attached to it then the VPC resource controller will reserve a space. You will have to scale down your running [.noloc]`Pods` enough for the controller to detach and delete a standard network interface, create the trunk network interface, and attach it to the instance. -. You can see which of your nodes have a `CNINode` custom resource with the following command. If `No resources found` is returned, then wait several seconds and try again. The previous step requires restarting the [.noloc]`Amazon VPC CNI plugin for` Kubernetes Pods`, which takes several seconds. -+ -[source,shell,subs="verbatim,attributes"] ----- -kubectl get cninode -A - NAME FEATURES - ip-192-168-64-141.us-west-2.compute.internal [{"name":"SecurityGroupsForPods"}] - ip-192-168-7-203.us-west-2.compute.internal [{"name":"SecurityGroupsForPods"}] ----- -+ -If you are using VPC CNI versions older than `1.15`, node labels were used instead of the `CNINode` custom resource. You can see which of your nodes have the node label `aws-k8s-trunk-eni` set to `true` with the following command. If `No resources found` is returned, then wait several seconds and try again. The previous step requires restarting the [.noloc]`Amazon VPC CNI plugin for Kubernetes Pods`, which takes several seconds. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl get nodes -o wide -l vpc.amazonaws.com/has-trunk-attached=true -- ----- -+ -Once the trunk network interface is created, [.noloc]`Pods` are assigned secondary IP addresses from the trunk or standard network interfaces. The trunk interface is automatically deleted if the node is deleted. -+ -When you deploy a security group for a [.noloc]`Pod` in a later step, the VPC resource controller creates a special network interface called a _branch network interface_ with a description of `aws-k8s-branch-eni` and associates the security groups to it. Branch network interfaces are created in addition to the standard and trunk network interfaces attached to the node. -+ -If you are using liveness or readiness probes, then you also need to disable _TCP early demux_, so that the `kubelet` can connect to [.noloc]`Pods` on branch network interfaces using TCP. To disable _TCP early demux_, run the following command: -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl patch daemonset aws-node -n kube-system \ - -p '{"spec": {"template": {"spec": {"initContainers": [{"env":[{"name":"DISABLE_TCP_EARLY_DEMUX","value":"true"}],"name":"aws-vpc-cni-init"}]}}}}' ----- -+ -NOTE: If you're using `1.11.0` or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on and set `POD_SECURITY_GROUP_ENFORCING_MODE`=``standard``, as described in the next step, then you don't need to run the previous command. -. If your cluster uses `NodeLocal DNSCache`, or you want to use [.noloc]`Calico` network policy with your [.noloc]`Pods` that have their own security groups, or you have [.noloc]`Kubernetes` services of type `NodePort` and `LoadBalancer` using instance targets with an `externalTrafficPolicy` set to `Local` for [.noloc]`Pods` that you want to assign security groups to, then you must be using version `1.11.0` or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on, and you must enable the following setting: -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl set env daemonset aws-node -n kube-system POD_SECURITY_GROUP_ENFORCING_MODE=standard ----- -+ -IMPORTANT: -** [.noloc]`Pod` security group rules aren't applied to traffic between [.noloc]`Pods` or between [.noloc]`Pods` and [.noloc]`services`, such as `kubelet` or `nodeLocalDNS`, that are on the same node. Pods using different security groups on the same node can't communicate because they are configured in different subnets, and routing is disabled between these subnets. -** Outbound traffic from [.noloc]`Pods` to addresses outside of the VPC is network address translated to the IP address of the instance's primary network interface (unless you've also set `AWS_VPC_K8S_CNI_EXTERNALSNAT=true`). For this traffic, the rules in the security groups for the primary network interface are used, rather than the rules in the [.noloc]`Pod's` security groups. -** For this setting to apply to existing [.noloc]`Pods`, you must restart the [.noloc]`Pods` or the nodes that the [.noloc]`Pods` are running on. - -. To see how to use a security group policy for your [.noloc]`Pod`, see <>. - - -[.topic] -[[sg-pods-example-deployment,sg-pods-example-deployment.title]] -==== Use a security group policy for an Amazon EKS [.noloc]`Pod` - -To use security groups for [.noloc]`Pods`, you must have an existing security group. The following steps show you how to use the security group policy for a [.noloc]`Pod`. Unless otherwise noted, complete all steps from the same terminal because variables are used in the following steps that don't persist across terminals. - -If you have a [.noloc]`Pod` with Amazon EC2 instances, you must configure the plugin before you use this procedure. For more information, see <>. - -. Create a [.noloc]`Kubernetes` namespace to deploy resources to. You can replace [.replaceable]`my-namespace` with the name of a namespace that you want to use. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl create namespace my-namespace ----- -. [[deploy-securitygrouppolicy]]Deploy an Amazon EKS `SecurityGroupPolicy` to your cluster. -+ -.. Copy the following contents to your device. You can replace [.replaceable]`podSelector` with `serviceAccountSelector` if you'd rather select [.noloc]`Pods` based on service account labels. You must specify one selector or the other. An empty `podSelector` (example: `podSelector: {}`) selects all [.noloc]`Pods` in the namespace. You can change [.replaceable]`my-role` to the name of your role. An empty `serviceAccountSelector` selects all service accounts in the namespace. You can replace [.replaceable]`my-security-group-policy` with a name for your `SecurityGroupPolicy` and [.replaceable]`my-namespace` with the namespace that you want to create the `SecurityGroupPolicy` in. -+ -You must replace [.replaceable]`my_pod_security_group_id` with the ID of an existing security group. If you don't have an existing security group, then you must create one. For more information, see link:AWSEC2/latest/UserGuide/ec2-security-groups.html[Amazon EC2 security groups for Linux instances,type="documentation"] in the link:AWSEC2/latest/UserGuide/[Amazon EC2 User Guide,type="documentation"]. You can specify 1-5 security group IDs. If you specify more than one ID, then the combination of all the rules in all the security groups are effective for the selected [.noloc]`Pods`. -+ -[source,yaml,subs="verbatim,attributes"] ----- -cat >my-security-group-policy.yaml <sample-application.yaml < -my-deployment-5df6f7687b-j9fl4 1/1 Running 0 7m51s 192.168.70.145 ip-192-168-92-33.region-code.compute.internal -my-deployment-5df6f7687b-rjxcz 1/1 Running 0 7m51s 192.168.73.207 ip-192-168-92-33.region-code.compute.internal -my-deployment-5df6f7687b-zmb42 1/1 Running 0 7m51s 192.168.63.27 ip-192-168-33-28.region-code.compute.internal ----- -+ -[NOTE] -==== -Try these tips if any [.noloc]`Pods` are stuck. - -* If any [.noloc]`Pods` are stuck in the `Waiting` state, then run `kubectl describe pod [.replaceable]``my-deployment-xxxxxxxxxx-xxxxx`` -n [.replaceable]``my-namespace```. If you see `Insufficient permissions: Unable to create Elastic Network Interface.`, confirm that you added the IAM policy to the IAM cluster role in a previous step. -* If any [.noloc]`Pods` are stuck in the `Pending` state, confirm that your node instance type is listed in https://github.com/aws/amazon-vpc-resource-controller-k8s/blob/master/pkg/aws/vpc/limits.go[limits.go] and that the product of the maximum number of branch network interfaces supported by the instance type multiplied times the number of nodes in your node group hasn't already been met. For example, an `m5.large` instance supports nine branch network interfaces. If your node group has five nodes, then a maximum of 45 branch network interfaces can be created for the node group. The 46th [.noloc]`Pod` that you attempt to deploy will sit in `Pending` state until another [.noloc]`Pod` that has associated security groups is deleted. - -==== -+ -If you run `kubectl describe pod [.replaceable]``my-deployment-xxxxxxxxxx-xxxxx`` -n [.replaceable]``my-namespace``` and see a message similar to the following message, then it can be safely ignored. This message might appear when the [.noloc]`Amazon VPC CNI plugin for Kubernetes` tries to set up host networking and fails while the network interface is being created. The plugin logs this event until the network interface is created. -+ -[source,bash,subs="verbatim,attributes"] ----- -Failed to create Pod sandbox: rpc error: code = Unknown desc = failed to set up sandbox container "e24268322e55c8185721f52df6493684f6c2c3bf4fd59c9c121fd4cdc894579f" network for Pod "my-deployment-5df6f7687b-4fbjm": networkPlugin -cni failed to set up Pod "my-deployment-5df6f7687b-4fbjm-c89wx_my-namespace" network: add cmd: failed to assign an IP address to container ----- -+ -You can't exceed the maximum number of [.noloc]`Pods` that can be run on the instance type. For a list of the maximum number of [.noloc]`Pods` that you can run on each instance type, see https://github.com/awslabs/amazon-eks-ami/blob/main/templates/shared/runtime/eni-max-pods.txt[eni-max-pods.txt] on [.noloc]`GitHub`. When you delete a [.noloc]`Pod` that has associated security groups, or delete the node that the [.noloc]`Pod` is running on, the VPC resource controller deletes the branch network interface. If you delete a cluster with [.noloc]`Pods` using [.noloc]`Pods` for security groups, then the controller doesn't delete the branch network interfaces, so you'll need to delete them yourself. For information about how to delete network interfaces, see link:AWSEC2/latest/UserGuide/using-eni.html#delete_eni[Delete a network interface,type="documentation"] in the Amazon EC2 User Guide. -. In a separate terminal, shell into one of the [.noloc]`Pods`. For the remainder of this topic, this terminal is referred to as `TerminalB`. Replace [.replaceable]`5df6f7687b-4fbjm` with the ID of one of the [.noloc]`Pods` returned in your output from the previous step. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl exec -it -n my-namespace my-deployment-5df6f7687b-4fbjm -- /bin/bash ----- -. From the shell in `TerminalB`, confirm that the sample application works. -+ -[source,bash,subs="verbatim,attributes"] ----- -curl my-app ----- -+ -An example output is as follows. -+ -[source,html,subs="verbatim"] ----- - - - -Welcome to nginx! -[...] ----- -+ -You received the output because all [.noloc]`Pods` running the application are associated with the security group that you created. That group contains a rule that allows all traffic between all [.noloc]`Pods` that the security group is associated to. DNS traffic is allowed outbound from that security group to the cluster security group, which is associated with your nodes. The nodes are running the [.noloc]`CoreDNS` [.noloc]`Pods`, which your [.noloc]`Pods` did a name lookup to. -. From `TerminalA`, remove the security group rules that allow DNS communication to the cluster security group from your security group. If you didn't add the DNS rules to the cluster security group in a previous step, then replace [.replaceable]`$my_cluster_security_group_id` with the ID of the security group that you created the rules in. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws ec2 revoke-security-group-ingress --group-id $my_cluster_security_group_id --security-group-rule-ids $my_tcp_rule_id -aws ec2 revoke-security-group-ingress --group-id $my_cluster_security_group_id --security-group-rule-ids $my_udp_rule_id ----- -. From `TerminalB`, attempt to access the application again. -+ -[source,bash,subs="verbatim,attributes"] ----- -curl my-app ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -curl: (6) Could not resolve host: my-app ----- -+ -The attempt fails because the [.noloc]`Pod` is no longer able to access the [.noloc]`CoreDNS` [.noloc]`Pods`, which have the cluster security group associated to them. The cluster security group no longer has the security group rules that allow DNS communication from the security group associated to your [.noloc]`Pod`. -+ -If you attempt to access the application using the IP addresses returned for one of the [.noloc]`Pods` in a previous step, you still receive a response because all ports are allowed between [.noloc]`Pods` that have the security group associated to them and a name lookup isn't required. -. Once you've finished experimenting, you can remove the sample security group policy, application, and security group that you created. Run the following commands from `TerminalA`. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl delete namespace my-namespace -aws ec2 revoke-security-group-ingress --group-id $my_pod_security_group_id --security-group-rule-ids $my_inbound_self_rule_id -wait -sleep 45s -aws ec2 delete-security-group --group-id $my_pod_security_group_id ----- - - -[.topic] -[[pod-multiple-network-interfaces,pod-multiple-network-interfaces.title]] -=== Attach multiple network interfaces to [.noloc]`Pods` with [.noloc]`Multus` - -[abstract] --- -Learn how to use Multus CNI to attach multiple network interfaces to a [.noloc]`Pod` in Amazon EKS for advanced networking scenarios, while leveraging the [.noloc]`Amazon VPC CNI` plugin for primary networking. --- - -Multus CNI is a container network interface (CNI) plugin for Amazon EKS that enables attaching multiple network interfaces to a [.noloc]`Pod`. For more information, see the https://github.com/k8snetworkplumbingwg/multus-cni[Multus-CNI] documentation on [.noloc]`GitHub`. - -In Amazon EKS, each [.noloc]`Pod` has one network interface assigned by the Amazon VPC CNI plugin. With Multus, you can create a multi-homed [.noloc]`Pod` that has multiple interfaces. This is accomplished by Multus acting as a "meta-plugin"; a CNI plugin that can call multiple other CNI plugins. {aws} support for Multus comes configured with the Amazon VPC CNI plugin as the default delegate plugin. - -* Amazon EKS won't be building and publishing single root I/O virtualization (SR-IOV) and Data Plane Development Kit (DPDK) CNI plugins. However, you can achieve packet acceleration by connecting directly to Amazon EC2 Elastic Network Adapters (ENA) through Multus managed host-device and `ipvlan` plugins. -* Amazon EKS is supporting Multus, which provides a generic process that enables simple chaining of additional CNI plugins. Multus and the process of chaining is supported, but {aws} won't provide support for all compatible CNI plugins that can be chained, or issues that may arise in those CNI plugins that are unrelated to the chaining configuration. -* Amazon EKS is providing support and life cycle management for the Multus plugin, but isn't responsible for any IP address or additional management associated with the additional network interfaces. The IP address and management of the default network interface utilizing the Amazon VPC CNI plugin remains unchanged. -* Only the Amazon VPC CNI plugin is officially supported as the default delegate plugin. You need to modify the published Multus installation manifest to reconfigure the default delegate plugin to an alternate CNI if you choose not to use the Amazon VPC CNI plugin for primary networking. -* Multus is only supported when using the Amazon VPC CNI as the primary CNI. We do not support the Amazon VPC CNI when used for higher order interfaces, secondary or otherwise. -* To prevent the Amazon VPC CNI plugin from trying to manage additional network interfaces assigned to [.noloc]`Pods`, add the following tag to the network interface: -+ -*key*:: -: `node.k8s.amazonaws.com/no_manage` -+ -*value*:: -: `true` -* Multus is compatible with network policies, but the policy has to be enriched to include ports and IP addresses that may be part of additional network interfaces attached to [.noloc]`Pods`. - -For an implementation walk through, see the https://github.com/aws-samples/eks-install-guide-for-multus/blob/main/README.md[Multus Setup Guide] on [.noloc]`GitHub`. - - -[.topic] -[[alternate-cni-plugins,alternate-cni-plugins.title]] -== Alternate CNI plugins for Amazon EKS clusters - -[abstract] --- -Learn how to use alternate network and security plugins on Amazon EKS to customize networking for your [.noloc]`Kubernetes` clusters on Amazon EC2 nodes. --- - -The https://github.com/aws/amazon-vpc-cni-plugins[Amazon VPC CNI plugin for Kubernetes] is the only CNI plugin supported by Amazon EKS with Amazon EC2 nodes. Amazon EKS supports the core capabilities of Cilium and Calico for Amazon EKS Hybrid Nodes. Amazon EKS runs upstream [.noloc]`Kubernetes`, so you can install alternate compatible CNI plugins to Amazon EC2 nodes in your cluster. If you have Fargate nodes in your cluster, the [.noloc]`Amazon VPC CNI plugin for Kubernetes` is already on your Fargate nodes. It's the only CNI plugin you can use with Fargate nodes. An attempt to install an alternate CNI plugin on Fargate nodes fails. - -If you plan to use an alternate CNI plugin on Amazon EC2 nodes, we recommend that you obtain commercial support for the plugin or have the in-house expertise to troubleshoot and contribute fixes to the CNI plugin project. - -Amazon EKS maintains relationships with a network of partners that offer support for alternate compatible CNI plugins. For details about the versions, qualifications, and testing performed, see the following partner documentation. - -[cols="1,1,1", options="header"] -|=== -|Partner -|Product -|Documentation - - -|Tigera -|https://www.tigera.io/partners/aws/[Calico] -|https://docs.projectcalico.org/getting-started/kubernetes/managed-public-cloud/eks[Installation instructions] - -|Isovalent -|https://cilium.io[Cilium] -|https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/[Installation instructions] - -|Juniper -|https://www.juniper.net/us/en/products/sdn-and-orchestration/contrail/cloud-native-contrail-networking.html[Cloud-Native Contrail Networking (CN2)] -|https://www.juniper.net/documentation/us/en/software/cn-cloud-native23.2/cn-cloud-native-eks-install-and-lcm/index.html[Installation instructions] - -|VMware -|https://antrea.io/[Antrea] -|https://antrea.io/docs/main/docs/eks-installation[Installation instructions] -|=== - -Amazon EKS aims to give you a wide selection of options to cover all use cases. - - -[[alternate-network-policy-plugins,alternate-network-policy-plugins.title]] -=== Alternate compatible network policy plugins - -https://www.tigera.io/project-calico[Calico] is a widely adopted solution for container networking and security. Using [.noloc]`Calico` on EKS provides a fully compliant network policy enforcement for your EKS clusters. Additionally, you can opt to use [.noloc]`Calico's` networking, which conserve IP addresses from your underlying VPC. https://www.tigera.io/tigera-products/calico-cloud/[Calico Cloud] enhances the features of [.noloc]`Calico Open Source`, providing advanced security and observability capabilities. - -Traffic flow to and from [.noloc]`Pods` with associated security groups are not subjected to [.noloc]`Calico` network policy enforcement and are limited to Amazon VPC security group enforcement only. - -If you use [.noloc]`Calico` network policy enforcement, we recommend that you set the environment variable `ANNOTATE_POD_IP` to `true` to avoid a known issue with [.noloc]`Kubernetes`. To use this feature, you must add `patch` permission for pods to the `aws-node` [.noloc]`ClusterRole`. Note that adding patch permissions to the `aws-node` [.noloc]`DaemonSet` increases the security scope for the plugin. For more information, see https://github.com/aws/amazon-vpc-cni-k8s/?tab=readme-ov-file#annotate_pod_ip-v193[ANNOTATE_POD_IP] in the VPC CNI repo on GitHub. - -=== Considerations for Amazon EKS Auto Mode - -Amazon EKS Auto Mode does not support alternate CNI plugins or network policy plugins. For more information, see <>. - -[.topic] -[[aws-load-balancer-controller,aws-load-balancer-controller.title]] -== Route internet traffic with {aws} Load Balancer Controller - -[abstract] --- -Learn how to configure and use the [.noloc]`{aws} Load Balancer Controller` to expose [.noloc]`Kubernetes` cluster apps to the internet with {aws} Elastic Load Balancing for [.noloc]`Kubernetes` [.noloc]`services` and [.noloc]`ingresses`. --- - -The [.noloc]`{aws} Load Balancer Controller` manages {aws} Elastic Load Balancers for a [.noloc]`Kubernetes` cluster. You can use the controller to expose your cluster apps to the internet. The controller provisions {aws} load balancers that point to cluster Service or Ingress resources. In other words, the controller creates a single IP address or DNS name that points to multiple pods in your cluster. - - - -image::images/lbc-overview.png["Architecture diagram. Illustration of traffic coming from internet users, to Amazon Load Balancer. Amazon Load Balancer distributes traffic to pods in the cluster.",scaledwidth=50%] - -The controller watches for [.noloc]`Kubernetes` [.noloc]`Ingress` or [.noloc]`Service` resources. In response, it creates the appropriate {aws} Elastic Load Balancing resources. You can configure the specific behavior of the load balancers by applying annotations to the [.noloc]`Kubernetes` resources. For example, you can attach {aws} security groups to load balancers using annotations. - -The controller provisions the following resources: - - - -*[.noloc]`Kubernetes` `Ingress`*:: -The LBC creates an link:elasticloadbalancing/latest/application/introduction.html[{aws} Application Load Balancer (ALB),type="documentation"] when you create a [.noloc]`Kubernetes` `Ingress`. https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/ingress/annotations/[Review the annotations you can apply to an Ingress resource.] - - -*[.noloc]`Kubernetes` service of the `LoadBalancer` type*:: -The LBC creates an link:elasticloadbalancing/latest/network/introduction.html[{aws} Network Load Balancer (NLB),type="documentation"]when you create a [.noloc]`Kubernetes` service of type `LoadBalancer`. https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/[Review the annotations you can apply to a Service resource.] -+ -In the past, the [.noloc]`Kubernetes` network load balancer was used for _instance_ targets, but the LBC was used for _IP_ targets. With the [.noloc]`{aws} Load Balancer Controller` version `2.3.0` or later, you can create NLBs using either target type. For more information about NLB target types, see link:elasticloadbalancing/latest/network/load-balancer-target-groups.html#target-type[Target type,type="documentation"] in the User Guide for Network Load Balancers. - -The controller is an https://github.com/kubernetes-sigs/aws-load-balancer-controller[open-source project] managed on [.noloc]`GitHub`. - -Before deploying the controller, we recommend that you review the prerequisites and considerations in <> and <>. In those topics, you will deploy a sample app that includes an {aws} load balancer. - - -[[lbc-overview,lbc-overview.title]] -=== Install the controller - -You can use one of the following procedures to install the [.noloc]`{aws} Load Balancer Controller`: - - - -* If you are new to Amazon EKS we recommend that you use Helm for the installation because it simplifies the [.noloc]`{aws} Load Balancer Controller` installation. For more information, see <>. -* For advanced configurations, such as clusters with restricted network access to public container registries, use [.noloc]`Kubernetes` Manifests. For more information, see <>. - - -[[lbc-deprecated,lbc-deprecated.title]] -=== Migrate from deprecated controller versions - -* If you have deprecated versions of the [.noloc]`{aws} Load Balancer Controller` installed, see <>. -* Deprecated versions cannot be upgraded. They must be removed and a current version of the [.noloc]`{aws} Load Balancer Controller` installed. -+ -[[lbc-deprecated-list]] -* Deprecated versions include: -+ -** {aws} ALB Ingress Controller for [.noloc]`Kubernetes` ("Ingress Controller"), a predecessor to the [.noloc]`{aws} Load Balancer Controller`. -** Any `0.1.[.replaceable]``x``` version of the [.noloc]`{aws} Load Balancer Controller` - - -[[lbc-legacy,lbc-legacy.title]] -=== Legacy cloud provider - -[.noloc]`Kubernetes` includes a legacy cloud provider for {aws}. The legacy cloud provider is capable of provisioning {aws} load balancers, similar to the [.noloc]`{aws} Load Balancer Controller`. The legacy cloud provider creates Classic Load Balancers. If you do not install the [.noloc]`{aws} Load Balancer Controller`, [.noloc]`Kubernetes` will default to using the legacy cloud provider. You should install the [.noloc]`{aws} Load Balancer Controller` and avoid using the legacy cloud provider. - -[IMPORTANT] -==== - -In versions 2.5 and newer, the [.noloc]`{aws} Load Balancer Controller` becomes the default controller for [.noloc]`Kubernetes` _service_ resources with the `type: LoadBalancer` and makes an {aws} Network Load Balancer (NLB) for each service. It does this by making a mutating webhook for services, which sets the `spec.loadBalancerClass` field to `service.k8s.aws/nlb` for new services of `type: LoadBalancer`. You can turn off this feature and revert to using the https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/#legacy-cloud-provider[legacy Cloud Provider] as the default controller, by setting the helm chart value `enableServiceMutatorWebhook` to `false`. The cluster won't provision new Classic Load Balancers for your services unless you turn off this feature. Existing Classic Load Balancers will continue to work. - -==== - - -[.topic] -[[lbc-helm,lbc-helm.title]] -=== Install [.noloc]`{aws} Load Balancer Controller` with [.noloc]`Helm` - -[abstract] --- -Learn how to install the [.noloc]`{aws} Load Balancer Controller` on Amazon EKS using Helm to manage K8s load balancing with {aws} Cloud. Discover the prerequisites and steps for creating an IAM role, installing with Helm, and verifying the controller deployment. --- - -[TIP] -==== -With Amazon EKS Auto Mode, you don't need to install or upgrade networking add-ons. Auto Mode includes pod networking and load balancing capabilities. - -For more information, see <>. -==== - -This topic describes how to install the [.noloc]`{aws} Load Balancer Controller` using Helm, a package manager for [.noloc]`Kubernetes`, and `eksctl`. The controller is installed with default options. For more information about the controller, including details on configuring it with annotations, see the https://kubernetes-sigs.github.io/aws-load-balancer-controller/[{aws} Load Balancer Controller Documentation] on [.noloc]`GitHub`. - -In the following steps, replace the [.replaceable]`example values` with your own values. - -[[lbc-prereqs,lbc-prereqs.title]] -==== Prerequisites - -Before starting this tutorial, you must install and configure the following tools and resources that you need to create and manage an Amazon EKS cluster. - - - -* An existing Amazon EKS cluster. To deploy one, see <>. -* An existing {aws} Identity and Access Management (IAM) [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you already have one, or to create one, see <>. -* Make sure that your [.noloc]`Amazon VPC CNI plugin for Kubernetes`, `kube-proxy`, and [.noloc]`CoreDNS` add-ons are at the minimum versions listed in <>. -* Familiarity with {aws} Elastic Load Balancing. For more information, see the link:elasticloadbalancing/latest/userguide/[Elastic Load Balancing User Guide,type="documentation"]. -* Familiarity with Kubernetes https://kubernetes.io/docs/concepts/services-networking/service/[service] and https://kubernetes.io/docs/concepts/services-networking/ingress/[ingress] resources. - - -* https://helm.sh/docs/helm/helm_install/[Helm] installed locally. - - -[[lbc-helm-iam,lbc-helm-iam.title]] -==== Step 1: Create IAM Role using `eksctl` - -[NOTE] -==== - -You only need to create an IAM Role for the [.noloc]`{aws} Load Balancer Controller` once per {aws-account}. Check if `AmazonEKSLoadBalancerControllerRole` exists in the link:iam[IAM Console,type="console"]. If this role exists, skip to <>. - -==== - -[NOTE] -==== - -Below example is referring to the [.noloc]`{aws} Load Balancer Controller` **v2.11.0** release version. For more information about all releases, see the https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/[{aws} Load Balancer Controller Release Page] on [.noloc]`GitHub`. - -==== - -. Download an IAM policy for the [.noloc]`{aws} Load Balancer Controller` that allows it to make calls to {aws} APIs on your behalf. -+ -==== -[role="tablist"] -{aws}::: -+ -[source,shell,subs="verbatim,attributes"] ----- -curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.11.0/docs/install/iam_policy.json ----- - - -{aws} GovCloud (US)::: -+ -[source,shell,subs="verbatim,attributes"] ----- -curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.11.0/docs/install/iam_policy_us-gov.json ----- -+ -[source,shell,subs="verbatim,attributes"] ----- -mv iam_policy_us-gov.json iam_policy.json ----- -==== -+ -. Create an IAM policy using the policy downloaded in the previous step. -+ -[source,shell,subs="verbatim,attributes"] ----- -aws iam create-policy \ - --policy-name AWSLoadBalancerControllerIAMPolicy \ - --policy-document file://iam_policy.json ----- -+ -NOTE: If you view the policy in the {aws-management-console}, the console shows warnings for the *ELB* service, but not for the *ELB v2* service. This happens because some of the actions in the policy exist for *ELB v2*, but not for *ELB*. You can ignore the warnings for *ELB*. -. Replace [.replaceable]`my-cluster` with the name of your cluster, [.replaceable]`111122223333` with your account ID, and then run the command. If your cluster is in the {aws} GovCloud (US-East) or {aws} GovCloud (US-West) {aws} Regions, then replace `{arn-aws}` with `arn:aws-us-gov:`. -+ -[source,shell,subs="verbatim,attributes"] ----- -eksctl create iamserviceaccount \ - --cluster=my-cluster \ - --namespace=kube-system \ - --name=aws-load-balancer-controller \ - --role-name AmazonEKSLoadBalancerControllerRole \ - --attach-policy-arn={arn-aws}iam::111122223333:policy/AWSLoadBalancerControllerIAMPolicy \ - --approve ----- - - -[[lbc-helm-install,lbc-helm-install.title]] -==== Step 2: Install [.noloc]`{aws} Load Balancer Controller` - -. Add the `eks-charts` Helm chart repository. {aws} maintains https://github.com/aws/eks-charts[this repository] on GitHub. -+ -[source,shell,subs="verbatim,attributes"] ----- -helm repo add eks https://aws.github.io/eks-charts ----- -. Update your local repo to make sure that you have the most recent charts. -+ -[source,shell,subs="verbatim,attributes"] ----- -helm repo update eks ----- -. Install the [.noloc]`{aws} Load Balancer Controller`. -+ -If you're deploying the controller to Amazon EC2 nodes that have https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[restricted access to the Amazon EC2 instance metadata service (IMDS)], or if you're deploying to Fargate or Amazon EKS Hybrid Nodes, then add the following flags to the `helm` command that follows: -+ -*** `--set region=[.replaceable]``region-code``` -*** `--set vpcId=[.replaceable]``vpc-xxxxxxxx``` -+ -Replace [.replaceable]`my-cluster` with the name of your cluster. In the following command, `aws-load-balancer-controller` is the [.noloc]`Kubernetes` service account that you created in a previous step. -+ -For more information about configuring the helm chart, see https://github.com/aws/eks-charts/blob/master/stable/aws-load-balancer-controller/values.yaml[values.yaml] on GitHub. -+ -[source,shell,subs="verbatim,attributes"] ----- -helm install aws-load-balancer-controller eks/aws-load-balancer-controller \ - -n kube-system \ - --set clusterName=my-cluster \ - --set serviceAccount.create=false \ - --set serviceAccount.name=aws-load-balancer-controller ----- - - -[IMPORTANT] -==== -The deployed chart doesn't receive security updates automatically. You need to manually upgrade to a newer chart when it becomes available. When upgrading, change [.replaceable]`install` to `upgrade` in the previous command. -==== - -The `helm install` command automatically installs the custom resource definitions ([.noloc]`CRDs`) for the controller. The `helm upgrade` command does not. If you use `helm upgrade,` you must manually install the [.noloc]`CRDs`. Run the following command to install the [.noloc]`CRDs`: - -[source,shell,subs="verbatim,attributes"] ----- -wget https://raw.githubusercontent.com/aws/eks-charts/master/stable/aws-load-balancer-controller/crds/crds.yaml -kubectl apply -f crds.yaml ----- - - -[[lbc-helm-verify,lbc-helm-verify.title]] -==== Step 3: Verify that the controller is installed -. Verify that the controller is installed. -+ -[source,shell,subs="verbatim,attributes"] ----- -kubectl get deployment -n kube-system aws-load-balancer-controller ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -NAME READY UP-TO-DATE AVAILABLE AGE -aws-load-balancer-controller 2/2 2 2 84s ----- -+ -You receive the previous output if you deployed using Helm. If you deployed using the [.noloc]`Kubernetes` manifest, you only have one replica. -. Before using the controller to provision {aws} resources, your cluster must meet specific requirements. For more information, see <> and <>. - -// GDC Must Fix - -[.topic] -[[lbc-manifest,lbc-manifest.title]] -=== Install [.noloc]`{aws} Load Balancer Controller` with manifests - -[abstract] --- -Install the [.noloc]`{aws} Load Balancer Controller` add-on for Amazon EKS using [.noloc]`Kubernetes` manifests to provision Elastic Load Balancing resources. Configure IAM role and install `cert-manager` before applying controller manifest. --- - -[TIP] -==== -With Amazon EKS Auto Mode, you don't need to install or upgrade networking add-ons. Auto Mode includes pod networking and load balancing capabilities. - -For more information, see <>. -==== - -This topic describes how to install the controller by downloading and applying [.noloc]`Kubernetes` manifests. You can view the full https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/[documentation] for the controller on [.noloc]`GitHub`. - -In the following steps, replace the [.replaceable]`example values` with your own values. - -[[lbc-manifest-prereqs,lbc-manifest-prereqs.title]] -==== Prerequisites - -Before starting this tutorial, you must install and configure the following tools and resources that you need to create and manage an Amazon EKS cluster. - - - -* An existing Amazon EKS cluster. To deploy one, see <>. -* An existing {aws} Identity and Access Management (IAM) [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you already have one, or to create one, see <>. -* Make sure that your [.noloc]`Amazon VPC CNI plugin for Kubernetes`, `kube-proxy`, and [.noloc]`CoreDNS` add-ons are at the minimum versions listed in <>. -* Familiarity with {aws} Elastic Load Balancing. For more information, see the link:elasticloadbalancing/latest/userguide/[Elastic Load Balancing User Guide,type="documentation"]. -* Familiarity with Kubernetes https://kubernetes.io/docs/concepts/services-networking/service/[service] and https://kubernetes.io/docs/concepts/services-networking/ingress/[ingress] resources. - - -[[lbc-iam,lbc-iam.title]] -==== Step 1: Configure IAM - -[NOTE] -==== - -You only need to create a role for the [.noloc]`{aws} Load Balancer Controller` one per {aws} account. Check if `AmazonEKSLoadBalancerControllerRole` exists in the link:iam[IAM Console,type="console"]. If this role exists, skip to <>. - -==== - -[NOTE] -==== - -Below example is referring to the [.noloc]`{aws} Load Balancer Controller` **v2.11.0** release version. For more inforamtion about all releases, see the https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/[{aws} Load Balancer Controller Release Page] on [.noloc]`GitHub`. - -==== - -. Download an IAM policy for the [.noloc]`{aws} Load Balancer Controller` that allows it to make calls to {aws} APIs on your behalf. -+ -==== -[role="tablist"] -{aws}::: -+ -[source,shell,subs="verbatim,attributes"] ----- -curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.11.0/docs/install/iam_policy.json ----- - - -{aws} GovCloud (US)::: -+ -[source,shell,subs="verbatim,attributes"] ----- -curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.11.0/docs/install/iam_policy_us-gov.json ----- -+ -[source,shell,subs="verbatim,attributes"] ----- -mv iam_policy_us-gov.json iam_policy.json ----- -==== -. Create an IAM policy using the policy downloaded in the previous step. -+ -[source,shell,subs="verbatim,attributes"] ----- -aws iam create-policy \ - --policy-name AWSLoadBalancerControllerIAMPolicy \ - --policy-document file://iam_policy.json ----- -+ -NOTE: If you view the policy in the {aws-management-console}, the console shows warnings for the *ELB* service, but not for the *ELB v2* service. This happens because some of the actions in the policy exist for *ELB v2*, but not for *ELB*. You can ignore the warnings for *ELB*. - -==== -[role="tablist"] -eksctl::: -.. Replace [.replaceable]`my-cluster` with the name of your cluster, [.replaceable]`111122223333` with your account ID, and then run the command. If your cluster is in the {aws} GovCloud (US-East) or {aws} GovCloud (US-West) {aws} Regions, then replace `{arn-aws}` with `arn:aws-us-gov:`. -+ -[source,shell,subs="verbatim,attributes"] ----- -eksctl create iamserviceaccount \ - --cluster=my-cluster \ - --namespace=kube-system \ - --name=aws-load-balancer-controller \ - --role-name AmazonEKSLoadBalancerControllerRole \ - --attach-policy-arn={arn-aws}iam::111122223333:policy/AWSLoadBalancerControllerIAMPolicy \ - --approve ----- - - -{aws} CLI and kubectl::: -.. Retrieve your cluster's [.noloc]`OIDC` provider ID and store it in a variable. -+ -[source,bash,subs="verbatim,attributes"] ----- -oidc_id=$(aws eks describe-cluster --name my-cluster --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5) ----- -.. Determine whether an IAM [.noloc]`OIDC` provider with your cluster's ID is already in your account. You need [.noloc]`OIDC` configured for both the cluster and IAM. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4 ----- -+ -If output is returned, then you already have an IAM [.noloc]`OIDC` provider for your cluster. If no output is returned, then you must create an IAM [.noloc]`OIDC` provider for your cluster. For more information, see <>. -.. Copy the following contents to your device. Replace [.replaceable]`111122223333` with your account ID. Replace [.replaceable]`region-code` with the {aws} Region that your cluster is in. Replace [.replaceable]`EXAMPLED539D4633E53DE1B71EXAMPLE` with the output returned in the previous step. If your cluster is in the {aws} GovCloud (US-East) or {aws} GovCloud (US-West) {aws} Regions, then replace `{arn-aws}` with `arn:aws-us-gov:`. After replacing the text, run the modified command to create the `load-balancer-role-trust-policy.json` file. -+ -[source,json,subs="verbatim,attributes"] ----- -cat >load-balancer-role-trust-policy.json <aws-load-balancer-controller-service-account.yaml <>. -+ -[source,bash,subs="verbatim,attributes"] ----- -quay.io/jetstack/cert-manager-cainjector:v1.13.5 -quay.io/jetstack/cert-manager-controller:v1.13.5 -quay.io/jetstack/cert-manager-webhook:v1.13.5 ----- -.. Replace `quay.io` in the manifest for the three images with your own registry name. The following command assumes that your private repository's name is the same as the source repository. Replace [.replaceable]`111122223333.dkr.ecr.region-code.amazonaws.com` with your private registry. -+ -[source,shell,subs="verbatim,attributes"] ----- -sed -i.bak -e 's|quay.io|111122223333.dkr.ecr.region-code.amazonaws.com|' ./cert-manager.yaml ----- -.. Apply the manifest. -+ -[source,shell,subs="verbatim,attributes"] ----- -kubectl apply \ - --validate=false \ - -f ./cert-manager.yaml ----- -==== - - -[[lbc-install,lbc-install.title]] -==== Step 3: Install [.noloc]`{aws} Load Balancer Controller` -. Download the controller specification. For more information about the controller, see the https://kubernetes-sigs.github.io/aws-load-balancer-controller/[documentation] on [.noloc]`GitHub`. -+ -[source,bash,subs="verbatim,attributes"] ----- -curl -Lo v2_11_0_full.yaml https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/download/v2.11.0/v2_11_0_full.yaml ----- -. Make the following edits to the file. -+ -.. If you downloaded the `v2_11_0_full.yaml` file, run the following command to remove the `ServiceAccount` section in the manifest. If you don't remove this section, the required annotation that you made to the service account in a previous step is overwritten. Removing this section also preserves the service account that you created in a previous step if you delete the controller. -+ -[source,shell,subs="verbatim,attributes"] ----- -sed -i.bak -e '690,698d' ./v2_11_0_full.yaml ----- -+ -If you downloaded a different file version, then open the file in an editor and remove the following lines. -+ -[source,yaml,subs="verbatim,attributes"] ----- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/name: aws-load-balancer-controller - name: aws-load-balancer-controller - namespace: kube-system ---- ----- -.. Replace `your-cluster-name` in the `Deployment` `spec` section of the file with the name of your cluster by replacing [.replaceable]`my-cluster` with the name of your cluster. -+ -[source,shell,subs="verbatim,attributes"] ----- -sed -i.bak -e 's|your-cluster-name|my-cluster|' ./v2_11_0_full.yaml ----- -.. If your nodes don't have access to the Amazon EKS Amazon ECR image repositories, then you need to pull the following image and push it to a repository that your nodes have access to. For more information on how to pull, tag, and push an image to your own repository, see <>. -+ -[source,bash,subs="verbatim,attributes"] ----- -public.ecr.aws/eks/aws-load-balancer-controller:v2.11.0 ----- -+ -Add your registry's name to the manifest. The following command assumes that your private repository's name is the same as the source repository and adds your private registry's name to the file. Replace [.replaceable]`111122223333.dkr.ecr.region-code.amazonaws.com` with your registry. This line assumes that you named your private repository the same as the source repository. If not, change the `eks/aws-load-balancer-controller` text after your private registry name to your repository name. -+ -[source,shell,subs="verbatim,attributes"] ----- -sed -i.bak -e 's|public.ecr.aws/eks/aws-load-balancer-controller|111122223333.dkr.ecr.region-code.amazonaws.com/eks/aws-load-balancer-controller|' ./v2_11_0_full.yaml ----- -.. (Required only for Fargate or Restricted IMDS) -+ -If you're deploying the controller to Amazon EC2 nodes that have https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[restricted access to the Amazon EC2 instance metadata service (IMDS)], or if you're deploying to Fargate or Amazon EKS Hybrid Nodes, then add the `following parameters` under `- args:`. -+ -[source,yaml,subs="verbatim,attributes"] ----- -[...] -spec: - containers: - - args: - - --cluster-name=your-cluster-name - - --ingress-class=alb - - --aws-vpc-id=vpc-xxxxxxxx - - --aws-region=region-code - - -[...] ----- -. Apply the file. -+ -[source,shell,subs="verbatim,attributes"] ----- -kubectl apply -f v2_11_0_full.yaml ----- -. Download the `IngressClass` and `IngressClassParams` manifest to your cluster. -+ -[source,shell,subs="verbatim,attributes"] ----- -curl -Lo v2_11_0_ingclass.yaml https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/download/v2.11.0/v2_11_0_ingclass.yaml ----- -. Apply the manifest to your cluster. -+ -[source,shell,subs="verbatim,attributes"] ----- -kubectl apply -f v2_11_0_ingclass.yaml ----- - - -[[lbc-verify,lbc-verify.title]] -==== Step 4: Verify that the controller is installed -. Verify that the controller is installed. -+ -[source,shell,subs="verbatim,attributes"] ----- -kubectl get deployment -n kube-system aws-load-balancer-controller ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -NAME READY UP-TO-DATE AVAILABLE AGE -aws-load-balancer-controller 2/2 2 2 84s ----- -+ -You receive the previous output if you deployed using Helm. If you deployed using the [.noloc]`Kubernetes` manifest, you only have one replica. -. Before using the controller to provision {aws} resources, your cluster must meet specific requirements. For more information, see <> and <>. - - -[.topic] -[[lbc-remove,lbc-remove.title]] -=== Migrate apps from deprecated ALB [.noloc]`Ingress Controller` - -[abstract] --- -Learn how to migrate from the deprecated ALB Ingress Controller to the latest [.noloc]`{aws} Load Balancer Controller` release, ensuring smooth transition and uninterrupted load balancing capabilities. --- - -This topic describes how to migrate from deprecated controller versions. More specifically, it describes how to remove deprecated versions of the [.noloc]`{aws} Load Balancer Controller`. - - - -* Deprecated versions cannot be upgraded. You must remove them first, and then install a current version. -+ -[[lbc-deprecated-list]] -* Deprecated versions include: -+ -** {aws} ALB Ingress Controller for [.noloc]`Kubernetes` ("Ingress Controller"), a predecessor to the [.noloc]`{aws} Load Balancer Controller`. -** Any `0.1.[.replaceable]``x``` version of the [.noloc]`{aws} Load Balancer Controller` - - -[[lbc-remove-desc,lbc-remove-desc.title]] -==== Remove the deprecated controller version - -[NOTE] -==== - -You may have installed the deprecated version using Helm or manually with [.noloc]`Kubernetes` manifests. Complete the procedure using the tool that you originally installed it with. - -==== -. If you installed the `incubator/aws-alb-ingress-controller` Helm chart, uninstall it. -+ -[source,shell,subs="verbatim,attributes"] ----- -helm delete aws-alb-ingress-controller -n kube-system ----- -. If you have version `0.1.[.replaceable]``x``` of the `eks-charts/aws-load-balancer-controller` chart installed, uninstall it. The upgrade from `0.1.[.replaceable]``x``` to version `1.0.0` doesn't work due to incompatibility with the webhook API version. -+ -[source,shell,subs="verbatim,attributes"] ----- -helm delete aws-load-balancer-controller -n kube-system ----- -. Check to see if the controller is currently installed. -+ -[source,shell,subs="verbatim,attributes"] ----- -kubectl get deployment -n kube-system alb-ingress-controller ----- -+ -This is the output if the controller isn't installed. -+ -+ -This is the output if the controller is installed. -+ -[source,bash,subs="verbatim,attributes"] ----- -NAME READY UP-TO-DATE AVAILABLE AGE -alb-ingress-controller 1/1 1 1 122d ----- -. Enter the following commands to remove the controller. -+ -[source,shell,subs="verbatim,attributes"] ----- -kubectl delete -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.8/docs/examples/alb-ingress-controller.yaml -kubectl delete -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.8/docs/examples/rbac-role.yaml ----- - - -[[lbc-migrate,lbc-migrate.title]] -==== Migrate to [.noloc]`{aws} Load Balancer Controller` - -To migrate from the ALB Ingress Controller for [.noloc]`Kubernetes` to the [.noloc]`{aws} Load Balancer Controller`, you need to: - -. Remove the ALB Ingress Controller (see above). -. <> -. Add an additional policy to the IAM Role used by the [.noloc]`{aws} Load Balancer Controller`. This policy permits the LBC to manage resources created by the ALB Ingress Controller for [.noloc]`Kubernetes`. -. Download the IAM policy. This policy permits the [.noloc]`{aws} Load Balancer Controller` to manage resources created by the ALB Ingress Controller for [.noloc]`Kubernetes`. You can also https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy_v1_to_v2_additional.json[view the policy]. -+ -[source,shell,subs="verbatim,attributes"] ----- -curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.11.0/docs/install/iam_policy_v1_to_v2_additional.json ----- -. If your cluster is in the {aws} GovCloud (US-East) or {aws} GovCloud (US-West) {aws} Regions, then replace `{arn-aws}` with `arn:aws-us-gov:`.. -+ -[source,shell,subs="verbatim,attributes"] ----- -sed -i.bak -e 's|{arn-aws}|arn:aws-us-gov:|' iam_policy_v1_to_v2_additional.json ----- -. Create the IAM policy and note the ARN that is returned. -+ -[source,shell,subs="verbatim,attributes"] ----- -aws iam create-policy \ - --policy-name AWSLoadBalancerControllerAdditionalIAMPolicy \ - --policy-document file://iam_policy_v1_to_v2_additional.json ----- -. Attach the IAM policy to the IAM role used by the [.noloc]`{aws} Load Balancer Controller`. Replace [.replaceable]`your-role-name` with the name of the role, such as `AmazonEKSLoadBalancerControllerRole`. -+ -If you created the role using `eksctl`, then to find the role name that was created, open the link:cloudformation[{aws} CloudFormation console,type="console"] and select the *eksctl-[.replaceable]`my-cluster`-addon-iamserviceaccount-kube-system-aws-load-balancer-controller* stack. Select the *Resources* tab. The role name is in the *Physical ID* column. If your cluster is in the {aws} GovCloud (US-East) or {aws} GovCloud (US-West) {aws} Regions, then replace `{arn-aws}` with `arn:aws-us-gov:`. -+ -[source,shell,subs="verbatim,attributes"] ----- -aws iam attach-role-policy \ - --role-name your-role-name \ - --policy-arn {arn-aws}iam::111122223333:policy/AWSLoadBalancerControllerAdditionalIAMPolicy ----- - - -[.topic] -[[managing-coredns,managing-coredns.title]] -== Manage CoreDNS for DNS in Amazon EKS clusters - -[abstract] --- -Learn how to manage the [.noloc]`CoreDNS` Amazon EKS add-on for DNS service discovery in [.noloc]`Kubernetes` clusters with configuration updates and version upgrades. --- - -[TIP] -==== -With Amazon EKS Auto Mode, you don't need to install or upgrade networking add-ons. Auto Mode includes pod networking and load balancing capabilities. - -For more information, see <>. -==== - -[.noloc]`CoreDNS` is a flexible, extensible DNS server that can serve as the [.noloc]`Kubernetes` cluster DNS. When you launch an Amazon EKS cluster with at least one node, two replicas of the [.noloc]`CoreDNS` image are deployed by default, regardless of the number of nodes deployed in your cluster. The [.noloc]`CoreDNS` [.noloc]`Pods` provide name resolution for all [.noloc]`Pods` in the cluster. The [.noloc]`CoreDNS` [.noloc]`Pods` can be deployed to Fargate nodes if your cluster includes a Fargate Profile with a namespace that matches the namespace for the [.noloc]`CoreDNS` `deployment`. For more information on Fargate Profiles, see <>. For more information about [.noloc]`CoreDNS`, see https://kubernetes.io/docs/tasks/administer-cluster/coredns/[Using CoreDNS for Service Discovery] in the [.noloc]`Kubernetes` documentation. - -[[coredns-versions,coredns-versions.title]] -=== [.noloc]`CoreDNS` versions - -The following table lists the latest version of the Amazon EKS add-on type for each [.noloc]`Kubernetes` version. - -[options="header"] -|=== -| Kubernetes version | [.noloc]`CoreDNS` version -| 1.31 | v1.11.4-eksbuild.2 -| 1.30 | v1.11.4-eksbuild.2 -| 1.29 | v1.11.4-eksbuild.2 -| 1.28 | v1.10.1-eksbuild.17 -| 1.27 | v1.10.1-eksbuild.17 -| 1.26 | v1.9.3-eksbuild.21 -| 1.25 | v1.9.3-eksbuild.21 -| 1.24 | v1.9.3-eksbuild.21 -| 1.23 | v1.8.7-eksbuild.20 -|=== - -[IMPORTANT] -==== - -If you're self-managing this add-on, the versions in the table might not be the same as the available self-managed versions. For more information about updating the self-managed type of this add-on, see <>. - -==== - -[[coredns-upgrade,coredns-upgrade.title]] -=== Important [.noloc]`CoreDNS` upgrade considerations - -* To improve the stability and availability of the [.noloc]`CoreDNS` [.noloc]`Deployment`, versions `v1.9.3-eksbuild.6` and later and `v1.10.1-eksbuild.3` are deployed with a `PodDisruptionBudget`. If you've deployed an existing `PodDisruptionBudget`, your upgrade to these versions might fail. If the upgrade fails, completing one of the following tasks should resolve the issue: -+ -** When doing the upgrade of the Amazon EKS add-on, choose to override the existing settings as your conflict resolution option. If you've made other custom settings to the [.noloc]`Deployment`, make sure to back up your settings before upgrading so that you can reapply your other custom settings after the upgrade. -** Remove your existing `PodDisruptionBudget` and try the upgrade again. -* In EKS add-on versions `v1.9.3-eksbuild.3` and later and `v1.10.1-eksbuild.6` and later, the [.noloc]`CoreDNS` [.noloc]`Deployment` sets the `readinessProbe` to use the `/ready` endpoint. This endpoint is enabled in the `Corefile` configuration file for [.noloc]`CoreDNS`. -+ -If you use a custom `Corefile`, you must add the `ready` plugin to the config, so that the `/ready` endpoint is active in [.noloc]`CoreDNS` for the probe to use. -* In EKS add-on versions `v1.9.3-eksbuild.7` and later and `v1.10.1-eksbuild.4` and later, you can change the `PodDisruptionBudget`. You can edit the add-on and change these settings in the *Optional configuration settings* using the fields in the following example. This example shows the default `PodDisruptionBudget`. -+ -[source,json,subs="verbatim,attributes"] ----- -{ - "podDisruptionBudget": { - "enabled": true, - "maxUnavailable": 1 - } -} ----- -// Not using [.noloc]`Kubernetes` here because the _ causes issues with the rendering. -+ -You can set `maxUnavailable` or `minAvailable`, but you can't set both in a single `PodDisruptionBudget`. For more information about `PodDisruptionBudgets`, see https://kubernetes.io/docs/tasks/run-application/configure-pdb/#specifying-a-poddisruptionbudget[Specifying a PodDisruptionBudget] in the _Kubernetes documentation_. -+ -Note that if you set `enabled` to `false`, the `PodDisruptionBudget` isn't removed. After you set this field to `false`, you must delete the `PodDisruptionBudget` object. Similarly, if you edit the add-on to use an older version of the add-on (downgrade the add-on) after upgrading to a version with a `PodDisruptionBudget`, the `PodDisruptionBudget` isn't removed. To delete the `PodDisruptionBudget`, you can run the following command: -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl delete poddisruptionbudget coredns -n kube-system ----- -* In EKS add-on versions `v1.10.1-eksbuild.5` and later, change the default toleration from `node-role.kubernetes.io/master:NoSchedule` to `node-role.kubernetes.io/control-plane:NoSchedule` to comply with KEP 2067. For more information about KEP 2067, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/kubeadm/2067-rename-master-label-taint#renaming-the-node-rolekubernetesiomaster-node-taint[KEP-2067: Rename the kubeadm "master" label and taint] in the _Kubernetes Enhancement Proposals (KEPs)_ on [.noloc]`GitHub`. -+ -In EKS add-on versions `v1.8.7-eksbuild.8` and later and `v1.9.3-eksbuild.9` and later, both tolerations are set to be compatible with every [.noloc]`Kubernetes` version. -* In EKS add-on versions `v1.9.3-eksbuild.11` and `v1.10.1-eksbuild.7` and later, the [.noloc]`CoreDNS` [.noloc]`Deployment` sets a default value for `topologySpreadConstraints`. The default value ensures that the [.noloc]`CoreDNS` [.noloc]`Pods` are spread across the Availability Zones if there are nodes in multiple Availability Zones available. You can set a custom value that will be used instead of the default value. The default value follows: -+ -[source,yaml,subs="verbatim,attributes"] ----- -topologySpreadConstraints: - - maxSkew: 1 - topologyKey: topology.kubernetes.io/zone - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - k8s-app: kube-dns ----- - - -[[coredns-upgrade-1.11,coredns-upgrade-1.11.title]] -==== [.noloc]`CoreDNS` `v1.11` upgrade considerations - -* In EKS add-on versions `v1.11.1-eksbuild.4` and later, the container image is based on a https://gallery.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base[minimal base image] maintained by Amazon EKS Distro, which contains minimal packages and doesn't have shells. For more information, see https://distro.eks.amazonaws.com/[Amazon EKS Distro]. The usage and troubleshooting of the [.noloc]`CoreDNS` image remains the same. - - -[.topic] -[[coredns-add-on-create,coredns-add-on-create.title]] -=== Create the [.noloc]`CoreDNS` Amazon EKS add-on - -Create the [.noloc]`CoreDNS` Amazon EKS add-on. You must have a cluster before you create the add-on. For more information, see <>. - -. See which version of the add-on is installed on your cluster. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl describe deployment coredns --namespace kube-system | grep coredns: | cut -d : -f 3 ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -v1.10.1-eksbuild.13 ----- -. See which type of the add-on is installed on your cluster. Depending on the tool that you created your cluster with, you might not currently have the Amazon EKS add-on type installed on your cluster. Replace [.replaceable]`my-cluster` with the name of your cluster. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks describe-addon --cluster-name my-cluster --addon-name coredns --query addon.addonVersion --output text ----- -+ -If a version number is returned, you have the Amazon EKS type of the add-on installed on your cluster and don't need to complete the remaining steps in this procedure. If an error is returned, you don't have the Amazon EKS type of the add-on installed on your cluster. Complete the remaining steps of this procedure to install it. -. Save the configuration of your currently installed add-on. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl get deployment coredns -n kube-system -o yaml > aws-k8s-coredns-old.yaml ----- -. Create the add-on using the {aws} CLI. If you want to use the {aws-management-console} or `eksctl` to create the add-on, see <> and specify `coredns` for the add-on name. Copy the command that follows to your device. Make the following modifications to the command, as needed, and then run the modified command. -+ -** Replace [.replaceable]`my-cluster` with the name of your cluster. -** Replace [.replaceable]`v1.11.3-eksbuild.1` with the latest version listed in the <> for your cluster version. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks create-addon --cluster-name my-cluster --addon-name coredns --addon-version v1.11.3-eksbuild.1 ----- -+ -If you've applied custom settings to your current add-on that conflict with the default settings of the Amazon EKS add-on, creation might fail. If creation fails, you receive an error that can help you resolve the issue. Alternatively, you can add `--resolve-conflicts OVERWRITE` to the previous command. This allows the add-on to overwrite any existing custom settings. Once you've created the add-on, you can update it with your custom settings. -. Confirm that the latest version of the add-on for your cluster's [.noloc]`Kubernetes` version was added to your cluster. Replace [.replaceable]`my-cluster` with the name of your cluster. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks describe-addon --cluster-name my-cluster --addon-name coredns --query addon.addonVersion --output text ----- -+ -It might take several seconds for add-on creation to complete. -+ -An example output is as follows. -+ -[source,json,subs="verbatim,attributes"] ----- -v1.11.3-eksbuild.1 ----- -. If you made custom settings to your original add-on, before you created the Amazon EKS add-on, use the configuration that you saved in a previous step to update the Amazon EKS add-on with your custom settings. For instructions to update the add-on, see <>. - - -[.topic] -[[coredns-add-on-update,coredns-add-on-update.title]] -=== Update the [.noloc]`CoreDNS` Amazon EKS add-on - -Update the Amazon EKS type of the add-on. If you haven't added the Amazon EKS add-on to your cluster, either <> or see <>. - -Before you begin, review the upgrade considerations. For more information, see <>. - -. See which version of the add-on is installed on your cluster. Replace [.replaceable]`my-cluster` with your cluster name. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks describe-addon --cluster-name my-cluster --addon-name coredns --query "addon.addonVersion" --output text ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -v1.10.1-eksbuild.13 ----- -+ -If the version returned is the same as the version for your cluster's [.noloc]`Kubernetes` version in the <>, then you already have the latest version installed on your cluster and don't need to complete the rest of this procedure. If you receive an error, instead of a version number in your output, then you don't have the Amazon EKS type of the add-on installed on your cluster. You need to <> before you can update it with this procedure. -. Save the configuration of your currently installed add-on. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl get deployment coredns -n kube-system -o yaml > aws-k8s-coredns-old.yaml ----- -. Update your add-on using the {aws} CLI. If you want to use the {aws-management-console} or `eksctl` to update the add-on, see <>. Copy the command that follows to your device. Make the following modifications to the command, as needed, and then run the modified command. -+ -** Replace [.replaceable]`my-cluster` with the name of your cluster. -** Replace [.replaceable]`v1.11.3-eksbuild.1` with the latest version listed in the <> for your cluster version. -** The `--resolve-conflicts[.replaceable]``PRESERVE``` option preserves existing configuration values for the add-on. If you've set custom values for add-on settings, and you don't use this option, Amazon EKS overwrites your values with its default values. If you use this option, then we recommend testing any field and value changes on a non-production cluster before updating the add-on on your production cluster. If you change this value to `OVERWRITE`, all settings are changed to Amazon EKS default values. If you've set custom values for any settings, they might be overwritten with Amazon EKS default values. If you change this value to `none`, Amazon EKS doesn't change the value of any settings, but the update might fail. If the update fails, you receive an error message to help you resolve the conflict. -** If you're not updating a configuration setting, remove `--configuration-values '{[.replaceable]``"replicaCount":3``}'` from the command. If you're updating a configuration setting, replace [.replaceable]`"replicaCount":3` with the setting that you want to set. In this example, the number of replicas of [.noloc]`CoreDNS` is set to `3`. The value that you specify must be valid for the configuration schema. If you don't know the configuration schema, run `aws eks describe-addon-configuration --addon-name coredns --addon-version [.replaceable]``v1.11.3-eksbuild.1```, replacing [.replaceable]`v1.11.3-eksbuild.1` with the version number of the add-on that you want to see the configuration for. The schema is returned in the output. If you have any existing custom configuration, want to remove it all, and set the values for all settings back to Amazon EKS defaults, remove [.replaceable]`"replicaCount":3` from the command, so that you have empty `{}`. For more information about [.noloc]`CoreDNS` settings, see https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/[Customizing DNS Service] in the [.noloc]`Kubernetes` documentation. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks update-addon --cluster-name my-cluster --addon-name coredns --addon-version v1.11.3-eksbuild.1 \ - --resolve-conflicts PRESERVE --configuration-values '{"replicaCount":3}' ----- -+ -It might take several seconds for the update to complete. -. Confirm that the add-on version was updated. Replace [.replaceable]`my-cluster` with the name of your cluster. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks describe-addon --cluster-name my-cluster --addon-name coredns ----- -+ -It might take several seconds for the update to complete. -+ -An example output is as follows. -+ -[source,json,subs="verbatim,attributes"] ----- -{ - "addon": { - "addonName": "coredns", - "clusterName": "my-cluster", - "status": "ACTIVE", - "addonVersion": "v1.11.3-eksbuild.1", - "health": { - "issues": [] - }, - "addonArn": "{arn-aws}eks:region:111122223333:addon/my-cluster/coredns/d2c34f06-1111-2222-1eb0-24f64ce37fa4", - "createdAt": "2023-03-01T16:41:32.442000+00:00", - "modifiedAt": "2023-03-01T18:16:54.332000+00:00", - "tags": {}, - "configurationValues": "{\"replicaCount\":3}" - } -} ----- - - -[.topic] -[[coredns-add-on-self-managed-update,coredns-add-on-self-managed-update.title]] -=== Update the [.noloc]`CoreDNS` Amazon EKS self-managed add-on - -[IMPORTANT] -==== - -We recommend adding the Amazon EKS type of the add-on to your cluster instead of using the self-managed type of the add-on. If you're not familiar with the difference between the types, see <>. For more information about adding an Amazon EKS add-on to your cluster, see <>. If you're unable to use the Amazon EKS add-on, we encourage you to submit an issue about why you can't to the https://github.com/aws/containers-roadmap/issues[Containers roadmap GitHub repository]. - -==== - -Before you begin, review the upgrade considerations. For more information, see <>. - -. Confirm that you have the self-managed type of the add-on installed on your cluster. Replace [.replaceable]`my-cluster` with the name of your cluster. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks describe-addon --cluster-name my-cluster --addon-name coredns --query addon.addonVersion --output text ----- -+ -If an error message is returned, you have the self-managed type of the add-on installed on your cluster. Complete the remaining steps in this procedure. If a version number is returned, you have the Amazon EKS type of the add-on installed on your cluster. To update the Amazon EKS type of the add-on, use the procedure in <>, rather than using this procedure. If you're not familiar with the differences between the add-on types, see <>. -. See which version of the container image is currently installed on your cluster. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl describe deployment coredns -n kube-system | grep Image | cut -d ":" -f 3 ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -v1.8.7-eksbuild.2 ----- -. If your current [.noloc]`CoreDNS` version is `v1.5.0` or later, but earlier than the version listed in the <> table, then skip this step. If your current version is earlier than `1.5.0`, then you need to modify the `ConfigMap` for [.noloc]`CoreDNS` to use the forward add-on, rather than the proxy add-on. -+ -.. Open the `ConfigMap` with the following command. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl edit configmap coredns -n kube-system ----- -.. Replace `proxy` in the following line with `forward`. Save the file and exit the editor. -+ -[source,bash,subs="verbatim,attributes"] ----- -proxy . /etc/resolv.conf ----- -. If you originally deployed your cluster on [.noloc]`Kubernetes` `1.17` or earlier, then you may need to remove a discontinued line from your [.noloc]`CoreDNS` manifest. -+ -IMPORTANT: You must complete this step before updating to [.noloc]`CoreDNS` version `1.7.0`, but it's recommended that you complete this step even if you're updating to an earlier version. -+ -.. Check to see if your [.noloc]`CoreDNS` manifest has the line. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl get configmap coredns -n kube-system -o jsonpath='{$.data.Corefile}' | grep upstream ----- -+ -If no output is returned, your manifest doesn't have the line and you can skip to the next step to update [.noloc]`CoreDNS`. If output is returned, then you need to remove the line. -.. Edit the `ConfigMap` with the following command, removing the line in the file that has the word `upstream` in it. Do not change anything else in the file. Once the line is removed, save the changes. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl edit configmap coredns -n kube-system -o yaml ----- -. Retrieve your current [.noloc]`CoreDNS` image version: -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl describe deployment coredns -n kube-system | grep Image ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -602401143452.dkr.ecr.region-code.amazonaws.com/eks/coredns:v1.8.7-eksbuild.2 ----- -. If you're updating to [.noloc]`CoreDNS` `1.8.3` or later, then you need to add the `endpointslices` permission to the `system:coredns` [.noloc]`Kubernetes` `clusterrole`. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl edit clusterrole system:coredns -n kube-system ----- -+ -Add the following lines under the existing permissions lines in the `rules` section of the file. -+ -[source,yaml,subs="verbatim,attributes"] ----- -[...] -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - list - - watch -[...] ----- -. Update the [.noloc]`CoreDNS` add-on by replacing [.replaceable]`602401143452` and [.replaceable]`region-code` with the values from the output returned in a previous step. Replace [.replaceable]`v1.11.3-eksbuild.1` with the [.noloc]`CoreDNS` version listed in the <> for your [.noloc]`Kubernetes` version. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl set image deployment.apps/coredns -n kube-system coredns=602401143452.dkr.ecr.region-code.amazonaws.com/eks/coredns:v1.11.3-eksbuild.1 ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -deployment.apps/coredns image updated ----- -. Check the container image version again to confirm that it was updated to the version that you specified in the previous step. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl describe deployment coredns -n kube-system | grep Image | cut -d ":" -f 3 ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -v1.11.3-eksbuild.1 ----- - - -[.topic] -[[coredns-autoscaling,coredns-autoscaling.title]] -=== Scale [.noloc]`CoreDNS` [.noloc]`Pods` for high DNS traffic - -[abstract] --- -Learn how the Amazon EKS add-on for [.noloc]`CoreDNS` autoscales to handle increased load on DNS pods, improving application availability and cluster scalability. --- - -When you launch an Amazon EKS cluster with at least one node, a [.noloc]`Deployment` of two replicas of the [.noloc]`CoreDNS` image are deployed by default, regardless of the number of nodes deployed in your cluster. The [.noloc]`CoreDNS` Pods provide name resolution for all Pods in the cluster. Applications use name resolution to connect to pods and services in the cluster as well as connecting to services outside the cluster. As the number of requests for name resolution (queries) from pods increase, the [.noloc]`CoreDNS` pods can get overwhelmed and slow down, and reject requests that the pods can`'t handle. - -To handle the increased load on the [.noloc]`CoreDNS` pods, consider an autoscaling system for [.noloc]`CoreDNS`. Amazon EKS can manage the autoscaling of the [.noloc]`CoreDNS` Deployment in the EKS Add-on version of [.noloc]`CoreDNS`. This [.noloc]`CoreDNS` autoscaler continuously monitors the cluster state, including the number of nodes and CPU cores. Based on that information, the controller will dynamically adapt the number of replicas of the [.noloc]`CoreDNS` deployment in an EKS cluster. This feature works for [.noloc]`CoreDNS` `v1.9` and EKS release version `1.25` and later. For more information about which versions are compatible with [.noloc]`CoreDNS` Autoscaling, see the following section. - -We recommend using this feature in conjunction with other https://aws.github.io/aws-eks-best-practices/cluster-autoscaling/[EKS Cluster Autoscaling best practices] to improve overall application availability and cluster scalability. - -[[coredns-autoscaling-prereqs,coredns-autoscaling-prereqs.title]] -==== Prerequisites - -For Amazon EKS to scale your [.noloc]`CoreDNS` deployment, there are three prerequisites: - - - -* You must be using the _EKS Add-on_ version of [.noloc]`CoreDNS`. -* Your cluster must be running at least the minimum cluster versions and platform versions. -* Your cluster must be running at least the minimum version of the EKS Add-on of [.noloc]`CoreDNS`. - - -[[coredns-autoscaling-cluster-version,coredns-autoscaling-cluster-version.title]] -===== Minimum cluster version - -Autoscaling of [.noloc]`CoreDNS` is done by a new component in the cluster control plane, managed by Amazon EKS. Because of this, you must upgrade your cluster to an EKS release that supports the minimum platform version that has the new component. - -A new Amazon EKS cluster. To deploy one, see <>. The cluster must be [.noloc]`Kubernetes` version `1.25` or later. The cluster must be running one of the [.noloc]`Kubernetes` versions and platform versions listed in the following table or a later version. Note that any [.noloc]`Kubernetes` and platform versions later than those listed are also supported. You can check your current [.noloc]`Kubernetes` version by replacing [.replaceable]`my-cluster` in the following command with the name of your cluster and then running the modified command: - -[source,bash,subs="verbatim,attributes"] ----- -aws eks describe-cluster - --name my-cluster --query cluster.version --output - text ----- - -[cols="1,1", options="header"] -|=== -|Kubernetes version -|Platform version - - -|`1.29.3` -|`eks.7` - -|`1.28.8` -|`eks.13` - -|`1.27.12` -|`eks.17` - -|`1.26.15` -|`eks.18` - -|`1.25.16` -|`eks.19` -|=== - -[NOTE] -==== - -Every platform version of later [.noloc]`Kubernetes` versions are also supported, for example [.noloc]`Kubernetes` version `1.30` from `eks.1` and on. - -==== - -[[coredns-autoscaling-coredns-version,coredns-autoscaling-coredns-version.title]] -===== Minimum EKS Add-on version - -[cols="1,1,1,1,1,1", options="header"] -|=== -|Kubernetes version -|1.29 -|1.28 -|1.27 -|1.26 -|1.25 - - -| -|`v1.11.1-eksbuild.9` -|`v1.10.1-eksbuild.11` -|`v1.10.1-eksbuild.11` -|`v1.9.3-eksbuild.15` -|`v1.9.3-eksbuild.15` -|=== - - -[[coredns-autoscaling-console,coredns-autoscaling-console.title]] -.Configuring [.noloc]`CoreDNS` autoscaling in the {aws-management-console} -[%collapsible] -==== -. Ensure that your cluster is at or above the minimum cluster version. -+ -Amazon EKS upgrades clusters between platform versions of the same [.noloc]`Kubernetes` version automatically, and you can`'t start this process yourself. Instead, you can upgrade your cluster to the next [.noloc]`Kubernetes` version, and the cluster will be upgraded to that K8s version and the latest platform version. For example, if you upgrade from `1.25` to `1.26`, the cluster will upgrade to `1.26.15 eks.18`. -+ -New [.noloc]`Kubernetes` versions sometimes introduce significant changes. Therefore, we recommend that you test the behavior of your applications by using a separate cluster of the new [.noloc]`Kubernetes` version before you update your production clusters. -+ -To upgrade a cluster to a new [.noloc]`Kubernetes` version, follow the procedure in <>. -. Ensure that you have the EKS Add-on for [.noloc]`CoreDNS`, not the self-managed [.noloc]`CoreDNS` Deployment. -+ -Depending on the tool that you created your cluster with, you might not currently have the Amazon EKS add-on type installed on your cluster. To see which type of the add-on is installed on your cluster, you can run the following command. Replace `my-cluster` with the name of your cluster. -+ -[source,shell,subs="verbatim,attributes"] ----- -aws eks describe-addon --cluster-name my-cluster --addon-name coredns --query addon.addonVersion --output text ----- -+ -If a version number is returned, you have the Amazon EKS type of the add-on installed on your cluster and you can continue with the next step. If an error is returned, you don't have the Amazon EKS type of the add-on installed on your cluster. Complete the remaining steps of the procedure <> to replace the self-managed version with the Amazon EKS add-on. -. Ensure that your EKS Add-on for [.noloc]`CoreDNS` is at a version the same or higher than the minimum EKS Add-on version. -+ -See which version of the add-on is installed on your cluster. You can check in the {aws-management-console} or run the following command: -+ -[source,shell,subs="verbatim,attributes"] ----- -kubectl describe deployment coredns --namespace kube-system | grep coredns: | cut -d : -f 3 ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -v1.10.1-eksbuild.13 ----- -+ -Compare this version with the minimum EKS Add-on version in the previous section. If needed, upgrade the EKS Add-on to a higher version by following the procedure <>. -. Add the autoscaling configuration to the *Optional configuration settings* of the EKS Add-on. -+ -.. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. -.. In the left navigation pane, select *Clusters*, and then select the name of the cluster that you want to configure the add-on for. -.. Choose the *Add-ons* tab. -.. Select the box in the top right of the [.noloc]`CoreDNS` add-on box and then choose *Edit*. -.. On the *Configure [.noloc]`CoreDNS`* page: -+ -... Select the *Version* that you'd like to use. We recommend that you keep the same version as the previous step, and update the version and configuration in separate actions. -... Expand the *Optional configuration settings*. -... Enter the JSON key `"autoscaling":` and value of a nested JSON object with a key `"enabled":` and value `true` in *Configuration values*. The resulting text must be a valid JSON object. If this key and value are the only data in the text box, surround the key and value with curly braces `{ }`. The following example shows autoscaling is enabled: -+ -[source,json,subs="verbatim,attributes"] ----- -{ - "autoScaling": { - "enabled": true - } -} ----- -... (Optional) You can provide minimum and maximum values that autoscaling can scale the number of [.noloc]`CoreDNS` pods to. -+ -The following example shows autoscaling is enabled and all of the optional keys have values. We recommend that the minimum number of [.noloc]`CoreDNS` pods is always greater than 2 to provide resilience for the DNS service in the cluster. -+ -[source,json,subs="verbatim,attributes"] ----- -{ - "autoScaling": { - "enabled": true, - "minReplicas": 2, - "maxReplicas": 10 - } -} ----- -.. To apply the new configuration by replacing the [.noloc]`CoreDNS` pods, choose *Save changes*. -+ -Amazon EKS applies changes to the EKS Add-ons by using a _rollout_ of the [.noloc]`Kubernetes` Deployment for CoreDNS. You can track the status of the rollout in the *Update history* of the add-on in the {aws-management-console} and with `kubectl rollout status deployment/coredns --namespace kube-system`. -+ -`kubectl rollout` has the following commands: -+ -[source,shell,subs="verbatim,attributes"] ----- -kubectl rollout - -history -- View rollout history -pause -- Mark the provided resource as paused -restart -- Restart a resource -resume -- Resume a paused resource -status -- Show the status of the rollout -undo -- Undo a previous rollout ----- -+ -If the rollout takes too long, Amazon EKS will undo the rollout, and a message with the type of *Addon Update* and a status of *Failed* will be added to the *Update history* of the add-on. To investigate any issues, start from the history of the rollout, and run `kubectl logs` on a [.noloc]`CoreDNS` pod to see the logs of [.noloc]`CoreDNS`. -. If the new entry in the *Update history* has a status of *Successful*, then the rollout has completed and the add-on is using the new configuration in all of the [.noloc]`CoreDNS` pods. As you change the number of nodes and CPU cores of nodes in the cluster, Amazon EKS scales the number of replicas of the [.noloc]`CoreDNS` deployment. - -==== - -[[coredns-autoscaling-cli,coredns-autoscaling-cli.title]] -.Configuring [.noloc]`CoreDNS` autoscaling in the {aws} Command Line Interface -[%collapsible] -==== -. Ensure that your cluster is at or above the minimum cluster version. -+ -Amazon EKS upgrades clusters between platform versions of the same [.noloc]`Kubernetes` version automatically, and you can`'t start this process yourself. Instead, you can upgrade your cluster to the next [.noloc]`Kubernetes` version, and the cluster will be upgraded to that K8s version and the latest platform version. For example, if you upgrade from `1.25` to `1.26`, the cluster will upgrade to `1.26.15 eks.18`. -+ -New [.noloc]`Kubernetes` versions sometimes introduce significant changes. Therefore, we recommend that you test the behavior of your applications by using a separate cluster of the new [.noloc]`Kubernetes` version before you update your production clusters. -+ -To upgrade a cluster to a new [.noloc]`Kubernetes` version, follow the procedure in <>. -. Ensure that you have the EKS Add-on for [.noloc]`CoreDNS`, not the self-managed [.noloc]`CoreDNS` Deployment. -+ -Depending on the tool that you created your cluster with, you might not currently have the Amazon EKS add-on type installed on your cluster. To see which type of the add-on is installed on your cluster, you can run the following command. Replace `my-cluster` with the name of your cluster. -+ -[source,shell,subs="verbatim,attributes"] ----- -aws eks describe-addon --cluster-name my-cluster --addon-name coredns --query addon.addonVersion --output text ----- -+ -If a version number is returned, you have the Amazon EKS type of the add-on installed on your cluster. If an error is returned, you don't have the Amazon EKS type of the add-on installed on your cluster. Complete the remaining steps of the procedure <> to replace the self-managed version with the Amazon EKS add-on. -. Ensure that your EKS Add-on for [.noloc]`CoreDNS` is at a version the same or higher than the minimum EKS Add-on version. -+ -See which version of the add-on is installed on your cluster. You can check in the {aws-management-console} or run the following command: -+ -[source,shell,subs="verbatim,attributes"] ----- -kubectl describe deployment coredns --namespace kube-system | grep coredns: | cut -d : -f 3 ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -v1.10.1-eksbuild.13 ----- -+ -Compare this version with the minimum EKS Add-on version in the previous section. If needed, upgrade the EKS Add-on to a higher version by following the procedure <>. -. Add the autoscaling configuration to the *Optional configuration settings* of the EKS Add-on. -+ -Run the following {aws} CLI command. Replace `my-cluster` with the name of your cluster and the IAM role ARN with the role that you are using. -+ -[source,shell,subs="verbatim,attributes"] ----- -aws eks update-addon --cluster-name my-cluster --addon-name coredns \ - --resolve-conflicts PRESERVE --configuration-values '{"autoScaling":{"enabled":true}}' ----- -+ -Amazon EKS applies changes to the EKS Add-ons by using a _rollout_ of the [.noloc]`Kubernetes` Deployment for CoreDNS. You can track the status of the rollout in the *Update history* of the add-on in the {aws-management-console} and with `kubectl rollout status deployment/coredns --namespace kube-system`. -+ -`kubectl rollout` has the following commands: -+ -[source,shell,subs="verbatim,attributes"] ----- -kubectl rollout - -history -- View rollout history -pause -- Mark the provided resource as paused -restart -- Restart a resource -resume -- Resume a paused resource -status -- Show the status of the rollout -undo -- Undo a previous rollout ----- -+ -If the rollout takes too long, Amazon EKS will undo the rollout, and a message with the type of *Addon Update* and a status of *Failed* will be added to the *Update history* of the add-on. To investigate any issues, start from the history of the rollout, and run `kubectl logs` on a [.noloc]`CoreDNS` pod to see the logs of [.noloc]`CoreDNS`. -. (Optional) You can provide minimum and maximum values that autoscaling can scale the number of [.noloc]`CoreDNS` pods to. -+ -The following example shows autoscaling is enabled and all of the optional keys have values. We recommend that the minimum number of [.noloc]`CoreDNS` pods is always greater than 2 to provide resilience for the DNS service in the cluster. -+ -[source,shell,subs="verbatim,attributes"] ----- -aws eks update-addon --cluster-name my-cluster --addon-name coredns \ - --resolve-conflicts PRESERVE --configuration-values '{"autoScaling":{"enabled":true,"minReplicas":2,"maxReplicas":10}}' ----- -. Check the status of the update to the add-on by running the following command: -+ -[source,shell,subs="verbatim,attributes"] ----- -aws eks describe-addon --cluster-name my-cluster --addon-name coredns \ ----- -+ -If you see this line: `"status": "ACTIVE"`, then the rollout has completed and the add-on is using the new configuration in all of the [.noloc]`CoreDNS` pods. As you change the number of nodes and CPU cores of nodes in the cluster, Amazon EKS scales the number of replicas of the [.noloc]`CoreDNS` deployment. - -==== - -[.topic] -[[coredns-metrics,coredns-metrics.title]] -=== Monitor [.noloc]`Kubernetes` DNS resolution with [.noloc]`CoreDNS` metrics - -[abstract] --- -Learn how to collect [.noloc]`CoreDNS` metrics in Amazon EKS using Prometheus or CloudWatch Agent, enabling monitoring and observability for your [.noloc]`Kubernetes` DNS resolution. --- - -[.noloc]`CoreDNS` as an EKS add-on exposes the metrics from [.noloc]`CoreDNS` on port `9153` in the Prometheus format in the `kube-dns` service. You can use Prometheus, the Amazon CloudWatch agent, or any other compatible system to scrape (collect) these metrics. - -For an example _scrape configuration_ that is compatible with both Prometheus and the CloudWatch agent, see link:AmazonCloudWatch/latest/monitoring/ContainerInsights-Prometheus-Setup-configure.html[CloudWatch agent configuration for Prometheus,type="documentation"] in the _Amazon CloudWatch User Guide_. - -[.topic] -[[managing-kube-proxy,managing-kube-proxy.title]] -== Manage `kube-proxy` in Amazon EKS clusters - -[abstract] --- -Learn how to manage the `kube-proxy` add-on on your Amazon EKS cluster to manage network rules and enable network communication to your Pods. --- - -[TIP] -==== -With Amazon EKS Auto Mode, you don't need to install or upgrade networking add-ons. Auto Mode includes pod networking and load balancing capabilities. - -For more information, see <>. -==== - -//GDC: Need DF to review - - -We recommend adding the Amazon EKS type of the add-on to your cluster instead of using the self-managed type of the add-on. If you're not familiar with the difference between the types, see <>. For more information about adding an Amazon EKS add-on to your cluster, see <>. If you're unable to use the Amazon EKS add-on, we encourage you to submit an issue about why you can't to the https://github.com/aws/containers-roadmap/issues[Containers roadmap GitHub repository]. - -The `kube-proxy` add-on is deployed on each Amazon EC2 node in your Amazon EKS cluster. It maintains network rules on your nodes and enables network communication to your [.noloc]`Pods`. The add-on isn't deployed to Fargate nodes in your cluster. For more information, see https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/[kube-proxy] in the [.noloc]`Kubernetes` documentation. - -=== Install as Amazon EKS Add-on - - -[[kube-proxy-versions,kube-proxy-versions.title]] -=== `kube-proxy` versions - -The following table lists the latest version of the Amazon EKS add-on type for each [.noloc]`Kubernetes` version. - -[options="header"] -|=== -| Kubernetes version | `kube-proxy` version -| 1.31 | v1.31.3-eksbuild.2 -| 1.30 | v1.30.7-eksbuild.2 -| 1.29 | v1.29.11-eksbuild.2 -| 1.28 | v1.28.15-eksbuild.4 -| 1.27 | v1.27.16-eksbuild.14 -| 1.26 | v1.26.15-eksbuild.19 -| 1.25 | v1.25.16-eksbuild.22 -| 1.24 | v1.24.17-eksbuild.19 -| 1.23 | v1.23.17-eksbuild.20 -|=== - -[NOTE] -==== - -An earlier version of the documentation was incorrect. `kube-proxy` versions `v1.28.5`, `v1.27.9`, and `v1.26.12` aren't available. - -If you're self-managing this add-on, the versions in the table might not be the same as the available self-managed versions. - -==== - -[[managing-kube-proxy-images,managing-kube-proxy-images.title]] -=== `kube-proxy` container image migration - -There are two types of the `kube-proxy` container image available for each Amazon EKS cluster version: - - - -* *Default* – This image type is based on a Debian-based Docker image that is maintained by the [.noloc]`Kubernetes` upstream community. -* *Minimal* – This image type is based on a https://gallery.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-iptables[minimal base image] maintained by Amazon EKS Distro, which contains minimal packages and doesn't have shells. For more information, see https://distro.eks.amazonaws.com/[Amazon EKS Distro]. - -The following table lists the latest available self-managed `kube-proxy` container image version for each Amazon EKS cluster version. - -// GDC Update - -[options="header"] -|=== -| Version | kube-proxy (default type) | kube-proxy (minimal type) -| 1.31 | Only minimal type is available | v1.31.2-minimal-eksbuild.3 -| 1.30 | Only minimal type is available | v1.30.6-minimal-eksbuild.3 -| 1.29 | Only minimal type is available | v1.29.10-minimal-eksbuild.3 -| 1.28 | Only minimal type is available | v1.28.15-minimal-eksbuild.4 -| 1.27 | Only minimal type is available | v1.27.16-minimal-eksbuild.14 -| 1.26 | Only minimal type is available | v1.26.15-minimal-eksbuild.19 -| 1.25 | Only minimal type is available | v1.25.16-minimal-eksbuild.22 -| 1.24 | v1.24.10-eksbuild.2 | v1.24.17-minimal-eksbuild.19 -| 1.23 | v1.23.16-eksbuild.2 | v1.23.17-minimal-eksbuild.20 -|=== - - -* The default image type isn't available for [.noloc]`Kubernetes` version `1.25` and later. You must use the minimal image type. -* When you <>, you specify a valid Amazon EKS add-on version, which might not be a version listed in this table. This is because <> versions don't always match container image versions specified when updating the self-managed type of this add-on. When you update the self-managed type of this add-on, you specify a valid container image version listed in this table. - - -[.topic] -[[kube-proxy-add-on-self-managed-update,kube-proxy-add-on-self-managed-update.title]] -=== Update the Kubernetes `kube-proxy` self-managed add-on - -[IMPORTANT] -==== - -We recommend adding the Amazon EKS type of the add-on to your cluster instead of using the self-managed type of the add-on. If you're not familiar with the difference between the types, see <>. For more information about adding an Amazon EKS add-on to your cluster, see <>. If you're unable to use the Amazon EKS add-on, we encourage you to submit an issue about why you can't to the https://github.com/aws/containers-roadmap/issues[Containers roadmap GitHub repository]. - -==== - -[[managing-kube-proxy-prereqs,managing-kube-proxy-prereqs.title]] -==== Prerequisites - -* An existing Amazon EKS cluster. To deploy one, see <>. - - -[[managing-kube-proxy-considerations,managing-kube-proxy-considerations.title]] -==== Considerations - -* `Kube-proxy` on an Amazon EKS cluster has the same https://kubernetes.io/releases/version-skew-policy/#kube-proxy[compatibility and skew policy as Kubernetes]. Learn how to <>. -. Confirm that you have the self-managed type of the add-on installed on your cluster. Replace [.replaceable]`my-cluster` with the name of your cluster. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks describe-addon --cluster-name my-cluster --addon-name kube-proxy --query addon.addonVersion --output text ----- -+ -If an error message is returned, you have the self-managed type of the add-on installed on your cluster. The remaining steps in this topic are for updating the self-managed type of the add-on. If a version number is returned, you have the Amazon EKS type of the add-on installed on your cluster. To update it, use the procedure in <>, rather than using the procedure in this topic. If you're not familiar with the differences between the add-on types, see <>. -. See which version of the container image is currently installed on your cluster. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl describe daemonset kube-proxy -n kube-system | grep Image ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -Image: 602401143452.dkr.ecr.region-code.amazonaws.com/eks/kube-proxy:v1.29.1-eksbuild.2 ----- -+ -In the example output, [.replaceable]`v1.29.1-eksbuild.2` is the version installed on the cluster. -. Update the `kube-proxy` add-on by replacing [.replaceable]`602401143452` and [.replaceable]`region-code` with the values from your output in the previous step. Replace [.replaceable]`v1.30.6-eksbuild.3` with the `kube-proxy` version listed in the <> table. -+ -IMPORTANT: The manifests for each image type are different and not compatible between the _default_ or _minimal_ image types. You must use the same image type as the previous image, so that the entrypoint and arguments match. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl set image daemonset.apps/kube-proxy -n kube-system kube-proxy=602401143452.dkr.ecr.region-code.amazonaws.com/eks/kube-proxy:v1.30.6-eksbuild.3 ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -daemonset.apps/kube-proxy image updated ----- -. Confirm that the new version is now installed on your cluster. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl describe daemonset kube-proxy -n kube-system | grep Image | cut -d ":" -f 3 ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -v1.30.0-eksbuild.3 ----- -. If you're using `x86` and `Arm` nodes in the same cluster and your cluster was deployed before August 17, 2020. Then, edit your `kube-proxy` manifest to include a node selector for multiple hardware architectures with the following command. This is a one-time operation. After you've added the selector to your manifest, you don't need to add it each time you update the add-on. If your cluster was deployed on or after August 17, 2020, then `kube-proxy` is already multi-architecture capable. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl edit -n kube-system daemonset/kube-proxy ----- -+ -Add the following node selector to the file in the editor and then save the file. For an example of where to include this text in the editor, see the https://github.com/aws/amazon-vpc-cni-k8s/blob/release-1.11/config/master/aws-k8s-cni.yaml#L265-#L269[CNI manifest] file on [.noloc]`GitHub`. This enables [.noloc]`Kubernetes` to pull the correct hardware image based on the node's hardware architecture. -+ -[source,yaml,subs="verbatim,attributes"] ----- -- key: "kubernetes.io/arch" - operator: In - values: - - amd64 - - arm64 ----- -. If your cluster was originally created with [.noloc]`Kubernetes` version `1.14` or later, then you can skip this step because `kube-proxy` already includes this `Affinity Rule`. If you originally created an Amazon EKS cluster with [.noloc]`Kubernetes` version `1.13` or earlier and intend to use Fargate nodes in your cluster, then edit your `kube-proxy` manifest to include a `NodeAffinity` rule to prevent `kube-proxy` [.noloc]`Pods` from scheduling on Fargate nodes. This is a one-time edit. Once you've added the `Affinity Rule` to your manifest, you don't need to add it each time that you update the add-on. Edit your `kube-proxy` [.noloc]`DaemonSet`. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl edit -n kube-system daemonset/kube-proxy ----- -+ -Add the following `Affinity Rule` to the [.noloc]`DaemonSet`spec`` section of the file in the editor and then save the file. For an example of where to include this text in the editor, see the https://github.com/aws/amazon-vpc-cni-k8s/blob/release-1.11/config/master/aws-k8s-cni.yaml#L270-#L273[CNI manifest] file on [.noloc]`GitHub`. -+ -[source,yaml,subs="verbatim,attributes"] ----- -- key: eks.amazonaws.com/compute-type - operator: NotIn - values: - - fargate ----- diff --git a/latest/ug/networking/eks-networking.adoc b/latest/ug/networking/eks-networking.adoc index 75fcb437d..607962e94 100644 --- a/latest/ug/networking/eks-networking.adoc +++ b/latest/ug/networking/eks-networking.adoc @@ -10,14 +10,18 @@ :idseparator: - :sourcedir: . :info_doctype: chapter -:info_title: Configure networking for Amazon EKS clusters :info_titleabbrev: Configure networking -:info_abstract: Learn how to configure networking for your Amazon EKS cluster using a VPC, subnets, \ - security groups, and networking add-ons to ensure secure and efficient \ - communication. include::../attributes.txt[] +include::network-reqs.adoc[leveloffset=+1] + +include::creating-a-vpc.adoc[leveloffset=+1] + +include::sec-group-reqs.adoc[leveloffset=+1] + +include::eks-networking-add-ons.adoc[leveloffset=+1] + [abstract] -- Learn how to configure networking for your Amazon EKS cluster using a VPC, subnets, security groups, and networking add-ons to ensure secure and efficient communication. @@ -27,14 +31,3 @@ Your Amazon EKS cluster is created in a VPC. Pod networking is provided by the A [.topiclist] [[Topic List]] - -include::network-reqs.adoc[leveloffset=+1] - - -include::creating-a-vpc.adoc[leveloffset=+1] - - -include::sec-group-reqs.adoc[leveloffset=+1] - - -include::eks-networking-add-ons.adoc[leveloffset=+1] diff --git a/latest/ug/networking/external-snat.adoc b/latest/ug/networking/external-snat.adoc new file mode 100644 index 000000000..e3bf0dbed --- /dev/null +++ b/latest/ug/networking/external-snat.adoc @@ -0,0 +1,54 @@ +//!!NODE_ROOT
+[.topic] +[[external-snat,external-snat.title]] += Enable outbound internet access for [.noloc]`Pods` +:info_titleabbrev: Outbound traffic + +include::../attributes.txt[] + +[abstract] +-- +Learn how Amazon EKS manages external communication for [.noloc]`Pods` using Source Network Address Translation (SNAT), allowing Pods to access internet resources or networks connected via VPC peering, Transit Gateway, or {aws} Direct Connect. +-- + +*Applies to*: [.noloc]`Linux` `IPv4` Fargate nodes, [.noloc]`Linux` nodes with Amazon EC2 instances + +If you deployed your cluster using the `IPv6` family, then the information in this topic isn't applicable to your cluster, because `IPv6` addresses are not network translated. For more information about using `IPv6` with your cluster, see <>. + +By default, each [.noloc]`Pod` in your cluster is assigned a link:AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-private-addresses[private,type="documentation"]``IPv4`` address from a classless inter-domain routing (CIDR) block that is associated with the VPC that the [.noloc]`Pod` is deployed in. [.noloc]`Pods` in the same VPC communicate with each other using these private IP addresses as end points. When a [.noloc]`Pod` communicates to any `IPv4` address that isn't within a CIDR block that's associated to your VPC, the Amazon VPC CNI plugin (for both https://github.com/aws/amazon-vpc-cni-k8s#amazon-vpc-cni-k8s[Linux] or https://github.com/aws/amazon-vpc-cni-plugins/tree/master/plugins/vpc-bridge[Windows]) translates the [.noloc]`Pod's` `IPv4` address to the primary private `IPv4` address of the primary link:AWSEC2/latest/UserGuide/using-eni.html#eni-basics[elastic network interface,type="documentation"] of the node that the [.noloc]`Pod` is running on, by default ^^<>^^. + +[NOTE] +==== + +For [.noloc]`Windows` nodes, there are additional details to consider. By default, the https://github.com/aws/amazon-vpc-cni-plugins/tree/master/plugins/vpc-bridge[VPC CNI plugin for Windows] is defined with a networking configuration in which the traffic to a destination within the same VPC is excluded for SNAT. This means that internal VPC communication has SNAT disabled and the IP address allocated to a [.noloc]`Pod` is routable inside the VPC. But traffic to a destination outside of the VPC has the source [.noloc]`Pod` IP SNAT'ed to the instance ENI's primary IP address. This default configuration for [.noloc]`Windows` ensures that the pod can access networks outside of your VPC in the same way as the host instance. + +==== + +Due to this behavior: + +* Your [.noloc]`Pods` can communicate with internet resources only if the node that they're running on has a link:AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses[public,type="documentation"] or link:vpc/latest/userguide/vpc-eips.html[elastic,type="documentation"] IP address assigned to it and is in a link:vpc/latest/userguide/configure-subnets.html#subnet-basics[public subnet,type="documentation"]. A public subnet's associated link:vpc/latest/userguide/VPC_Route_Tables.html[route table,type="documentation"] has a route to an internet gateway. We recommend deploying nodes to private subnets, whenever possible. +* For versions of the plugin earlier than `1.8.0`, resources that are in networks or VPCs that are connected to your cluster VPC using link:vpc/latest/peering/what-is-vpc-peering.html[VPC peering,type="documentation"], a link:whitepapers/latest/aws-vpc-connectivity-options/transit-vpc-option.html[transit VPC,type="documentation"], or link:directconnect/latest/UserGuide/Welcome.html[{aws} Direct Connect,type="documentation"] can't initiate communication to your [.noloc]`Pods` behind secondary elastic network interfaces. Your [.noloc]`Pods` can initiate communication to those resources and receive responses from them, though. + +If either of the following statements are true in your environment, then change the default configuration with the command that follows. + +* You have resources in networks or VPCs that are connected to your cluster VPC using link:vpc/latest/peering/what-is-vpc-peering.html[VPC peering,type="documentation"], a link:whitepapers/latest/aws-vpc-connectivity-options/transit-vpc-option.html[transit VPC,type="documentation"], or link:directconnect/latest/UserGuide/Welcome.html[{aws} Direct Connect,type="documentation"] that need to initiate communication with your [.noloc]`Pods` using an `IPv4` address and your plugin version is earlier than `1.8.0`. +* Your [.noloc]`Pods` are in a link:vpc/latest/userguide/configure-subnets.html#subnet-basics[private subnet,type="documentation"] and need to communicate outbound to the internet. The subnet has a route to a link:vpc/latest/userguide/vpc-nat-gateway.html[NAT gateway,type="documentation"]. + + +[source,bash,subs="verbatim,attributes"] +---- +kubectl set env daemonset -n kube-system aws-node AWS_VPC_K8S_CNI_EXTERNALSNAT=true +---- + +[NOTE] +==== + +The `AWS_VPC_K8S_CNI_EXTERNALSNAT` and `AWS_VPC_K8S_CNI_EXCLUDE_SNAT_CIDRS` CNI configuration variables aren't applicable to [.noloc]`Windows` nodes. Disabling SNAT isn't supported for [.noloc]`Windows`. As for excluding a list of `IPv4` CIDRs from SNAT, you can define this by specifying the `ExcludedSnatCIDRs` parameter in the [.noloc]`Windows` bootstrap script. For more information on using this parameter, see <>. + +==== + +[[snat-exception,snat-exception.title]] +== Host networking + +^^*^^If a [.noloc]`Pod's` spec contains `hostNetwork=true` (default is `false`), then its IP address isn't translated to a different address. This is the case for the `kube-proxy` and [.noloc]`Amazon VPC CNI plugin for Kubernetes` [.noloc]`Pods` that run on your cluster, by default. For these [.noloc]`Pods`, the IP address is the same as the node's primary IP address, so the [.noloc]`Pod's` IP address isn't translated. For more information about a [.noloc]`Pod's` `hostNetwork` setting, see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#podspec-v1-core[PodSpec v1 core] in the [.noloc]`Kubernetes` API reference. + diff --git a/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc b/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc new file mode 100644 index 000000000..00d0a717c --- /dev/null +++ b/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc @@ -0,0 +1,110 @@ +//!!NODE_ROOT
+[.topic] +[[kube-proxy-add-on-self-managed-update,kube-proxy-add-on-self-managed-update.title]] += Update the Kubernetes `kube-proxy` self-managed add-on +:info_titleabbrev: Update + +include::../attributes.txt[] + +[IMPORTANT] +==== + +We recommend adding the Amazon EKS type of the add-on to your cluster instead of using the self-managed type of the add-on. If you're not familiar with the difference between the types, see <>. For more information about adding an Amazon EKS add-on to your cluster, see <>. If you're unable to use the Amazon EKS add-on, we encourage you to submit an issue about why you can't to the https://github.com/aws/containers-roadmap/issues[Containers roadmap GitHub repository]. + +==== + +[[managing-kube-proxy-prereqs,managing-kube-proxy-prereqs.title]] +== Prerequisites + +* An existing Amazon EKS cluster. To deploy one, see <>. + + +[[managing-kube-proxy-considerations,managing-kube-proxy-considerations.title]] +== Considerations + +* `Kube-proxy` on an Amazon EKS cluster has the same https://kubernetes.io/releases/version-skew-policy/#kube-proxy[compatibility and skew policy as Kubernetes]. Learn how to <>. +. Confirm that you have the self-managed type of the add-on installed on your cluster. Replace [.replaceable]`my-cluster` with the name of your cluster. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks describe-addon --cluster-name my-cluster --addon-name kube-proxy --query addon.addonVersion --output text +---- ++ +If an error message is returned, you have the self-managed type of the add-on installed on your cluster. The remaining steps in this topic are for updating the self-managed type of the add-on. If a version number is returned, you have the Amazon EKS type of the add-on installed on your cluster. To update it, use the procedure in <>, rather than using the procedure in this topic. If you're not familiar with the differences between the add-on types, see <>. +. See which version of the container image is currently installed on your cluster. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl describe daemonset kube-proxy -n kube-system | grep Image +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +Image: 602401143452.dkr.ecr.region-code.amazonaws.com/eks/kube-proxy:v1.29.1-eksbuild.2 +---- ++ +In the example output, [.replaceable]`v1.29.1-eksbuild.2` is the version installed on the cluster. +. Update the `kube-proxy` add-on by replacing [.replaceable]`602401143452` and [.replaceable]`region-code` with the values from your output in the previous step. Replace [.replaceable]`v1.30.6-eksbuild.3` with the `kube-proxy` version listed in the <> table. ++ +IMPORTANT: The manifests for each image type are different and not compatible between the _default_ or _minimal_ image types. You must use the same image type as the previous image, so that the entrypoint and arguments match. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl set image daemonset.apps/kube-proxy -n kube-system kube-proxy=602401143452.dkr.ecr.region-code.amazonaws.com/eks/kube-proxy:v1.30.6-eksbuild.3 +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +daemonset.apps/kube-proxy image updated +---- +. Confirm that the new version is now installed on your cluster. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl describe daemonset kube-proxy -n kube-system | grep Image | cut -d ":" -f 3 +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +v1.30.0-eksbuild.3 +---- +. If you're using `x86` and `Arm` nodes in the same cluster and your cluster was deployed before August 17, 2020. Then, edit your `kube-proxy` manifest to include a node selector for multiple hardware architectures with the following command. This is a one-time operation. After you've added the selector to your manifest, you don't need to add it each time you update the add-on. If your cluster was deployed on or after August 17, 2020, then `kube-proxy` is already multi-architecture capable. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl edit -n kube-system daemonset/kube-proxy +---- ++ +Add the following node selector to the file in the editor and then save the file. For an example of where to include this text in the editor, see the https://github.com/aws/amazon-vpc-cni-k8s/blob/release-1.11/config/master/aws-k8s-cni.yaml#L265-#L269[CNI manifest] file on [.noloc]`GitHub`. This enables [.noloc]`Kubernetes` to pull the correct hardware image based on the node's hardware architecture. ++ +[source,yaml,subs="verbatim,attributes"] +---- +- key: "kubernetes.io/arch" + operator: In + values: + - amd64 + - arm64 +---- +. If your cluster was originally created with [.noloc]`Kubernetes` version `1.14` or later, then you can skip this step because `kube-proxy` already includes this `Affinity Rule`. If you originally created an Amazon EKS cluster with [.noloc]`Kubernetes` version `1.13` or earlier and intend to use Fargate nodes in your cluster, then edit your `kube-proxy` manifest to include a `NodeAffinity` rule to prevent `kube-proxy` [.noloc]`Pods` from scheduling on Fargate nodes. This is a one-time edit. Once you've added the `Affinity Rule` to your manifest, you don't need to add it each time that you update the add-on. Edit your `kube-proxy` [.noloc]`DaemonSet`. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl edit -n kube-system daemonset/kube-proxy +---- ++ +Add the following `Affinity Rule` to the [.noloc]`DaemonSet`spec`` section of the file in the editor and then save the file. For an example of where to include this text in the editor, see the https://github.com/aws/amazon-vpc-cni-k8s/blob/release-1.11/config/master/aws-k8s-cni.yaml#L270-#L273[CNI manifest] file on [.noloc]`GitHub`. ++ +[source,yaml,subs="verbatim,attributes"] +---- +- key: eks.amazonaws.com/compute-type + operator: NotIn + values: + - fargate +---- + diff --git a/latest/ug/networking/lbc-helm.adoc b/latest/ug/networking/lbc-helm.adoc new file mode 100644 index 000000000..5caf27b59 --- /dev/null +++ b/latest/ug/networking/lbc-helm.adoc @@ -0,0 +1,179 @@ +//!!NODE_ROOT
+[.topic] +include::../attributes.txt[] + +[[lbc-helm,lbc-helm.title]] += Install [.noloc]`{aws} Load Balancer Controller` with [.noloc]`Helm` +:info_titleabbrev: Install with Helm + +[abstract] +-- +Learn how to install the [.noloc]`{aws} Load Balancer Controller` on Amazon EKS using Helm to manage K8s load balancing with {aws} Cloud. Discover the prerequisites and steps for creating an IAM role, installing with Helm, and verifying the controller deployment. +-- + +[TIP] +==== +With Amazon EKS Auto Mode, you don't need to install or upgrade networking add-ons. Auto Mode includes pod networking and load balancing capabilities. + +For more information, see <>. +==== + +This topic describes how to install the [.noloc]`{aws} Load Balancer Controller` using Helm, a package manager for [.noloc]`Kubernetes`, and `eksctl`. The controller is installed with default options. For more information about the controller, including details on configuring it with annotations, see the https://kubernetes-sigs.github.io/aws-load-balancer-controller/[{aws} Load Balancer Controller Documentation] on [.noloc]`GitHub`. + +In the following steps, replace the [.replaceable]`example values` with your own values. + +[[lbc-prereqs,lbc-prereqs.title]] +== Prerequisites + +Before starting this tutorial, you must install and configure the following tools and resources that you need to create and manage an Amazon EKS cluster. + + + +* An existing Amazon EKS cluster. To deploy one, see <>. +* An existing {aws} Identity and Access Management (IAM) [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you already have one, or to create one, see <>. +* Make sure that your [.noloc]`Amazon VPC CNI plugin for Kubernetes`, `kube-proxy`, and [.noloc]`CoreDNS` add-ons are at the minimum versions listed in <>. +* Familiarity with {aws} Elastic Load Balancing. For more information, see the link:elasticloadbalancing/latest/userguide/[Elastic Load Balancing User Guide,type="documentation"]. +* Familiarity with Kubernetes https://kubernetes.io/docs/concepts/services-networking/service/[service] and https://kubernetes.io/docs/concepts/services-networking/ingress/[ingress] resources. + + +* https://helm.sh/docs/helm/helm_install/[Helm] installed locally. + + +[[lbc-helm-iam,lbc-helm-iam.title]] +== Step 1: Create IAM Role using `eksctl` + +[NOTE] +==== + +You only need to create an IAM Role for the [.noloc]`{aws} Load Balancer Controller` once per {aws-account}. Check if `AmazonEKSLoadBalancerControllerRole` exists in the link:iam[IAM Console,type="console"]. If this role exists, skip to <>. + +==== + +[NOTE] +==== + +Below example is referring to the [.noloc]`{aws} Load Balancer Controller` **v2.11.0** release version. For more information about all releases, see the https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/[{aws} Load Balancer Controller Release Page] on [.noloc]`GitHub`. + +==== + +. Download an IAM policy for the [.noloc]`{aws} Load Balancer Controller` that allows it to make calls to {aws} APIs on your behalf. ++ +==== +[role="tablist"] +{aws}::: ++ +[source,shell,subs="verbatim,attributes"] +---- +curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.11.0/docs/install/iam_policy.json +---- + + +{aws} GovCloud (US)::: ++ +[source,shell,subs="verbatim,attributes"] +---- +curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.11.0/docs/install/iam_policy_us-gov.json +---- ++ +[source,shell,subs="verbatim,attributes"] +---- +mv iam_policy_us-gov.json iam_policy.json +---- +==== ++ +. Create an IAM policy using the policy downloaded in the previous step. ++ +[source,shell,subs="verbatim,attributes"] +---- +aws iam create-policy \ + --policy-name AWSLoadBalancerControllerIAMPolicy \ + --policy-document file://iam_policy.json +---- ++ +NOTE: If you view the policy in the {aws-management-console}, the console shows warnings for the *ELB* service, but not for the *ELB v2* service. This happens because some of the actions in the policy exist for *ELB v2*, but not for *ELB*. You can ignore the warnings for *ELB*. +. Replace [.replaceable]`my-cluster` with the name of your cluster, [.replaceable]`111122223333` with your account ID, and then run the command. If your cluster is in the {aws} GovCloud (US-East) or {aws} GovCloud (US-West) {aws} Regions, then replace `{arn-aws}` with `arn:aws-us-gov:`. ++ +[source,shell,subs="verbatim,attributes"] +---- +eksctl create iamserviceaccount \ + --cluster=my-cluster \ + --namespace=kube-system \ + --name=aws-load-balancer-controller \ + --role-name AmazonEKSLoadBalancerControllerRole \ + --attach-policy-arn={arn-aws}iam::111122223333:policy/AWSLoadBalancerControllerIAMPolicy \ + --approve +---- + + +[[lbc-helm-install,lbc-helm-install.title]] +== Step 2: Install [.noloc]`{aws} Load Balancer Controller` + +. Add the `eks-charts` Helm chart repository. {aws} maintains https://github.com/aws/eks-charts[this repository] on GitHub. ++ +[source,shell,subs="verbatim,attributes"] +---- +helm repo add eks https://aws.github.io/eks-charts +---- +. Update your local repo to make sure that you have the most recent charts. ++ +[source,shell,subs="verbatim,attributes"] +---- +helm repo update eks +---- +. Install the [.noloc]`{aws} Load Balancer Controller`. ++ +If you're deploying the controller to Amazon EC2 nodes that have https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[restricted access to the Amazon EC2 instance metadata service (IMDS)], or if you're deploying to Fargate or Amazon EKS Hybrid Nodes, then add the following flags to the `helm` command that follows: ++ +*** `--set region=[.replaceable]``region-code``` +*** `--set vpcId=[.replaceable]``vpc-xxxxxxxx``` ++ +Replace [.replaceable]`my-cluster` with the name of your cluster. In the following command, `aws-load-balancer-controller` is the [.noloc]`Kubernetes` service account that you created in a previous step. ++ +For more information about configuring the helm chart, see https://github.com/aws/eks-charts/blob/master/stable/aws-load-balancer-controller/values.yaml[values.yaml] on GitHub. ++ +[source,shell,subs="verbatim,attributes"] +---- +helm install aws-load-balancer-controller eks/aws-load-balancer-controller \ + -n kube-system \ + --set clusterName=my-cluster \ + --set serviceAccount.create=false \ + --set serviceAccount.name=aws-load-balancer-controller +---- + + +[IMPORTANT] +==== +The deployed chart doesn't receive security updates automatically. You need to manually upgrade to a newer chart when it becomes available. When upgrading, change [.replaceable]`install` to `upgrade` in the previous command. +==== + +The `helm install` command automatically installs the custom resource definitions ([.noloc]`CRDs`) for the controller. The `helm upgrade` command does not. If you use `helm upgrade,` you must manually install the [.noloc]`CRDs`. Run the following command to install the [.noloc]`CRDs`: + +[source,shell,subs="verbatim,attributes"] +---- +wget https://raw.githubusercontent.com/aws/eks-charts/master/stable/aws-load-balancer-controller/crds/crds.yaml +kubectl apply -f crds.yaml +---- + + +[[lbc-helm-verify,lbc-helm-verify.title]] +== Step 3: Verify that the controller is installed +. Verify that the controller is installed. ++ +[source,shell,subs="verbatim,attributes"] +---- +kubectl get deployment -n kube-system aws-load-balancer-controller +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +NAME READY UP-TO-DATE AVAILABLE AGE +aws-load-balancer-controller 2/2 2 2 84s +---- ++ +You receive the previous output if you deployed using Helm. If you deployed using the [.noloc]`Kubernetes` manifest, you only have one replica. +. Before using the controller to provision {aws} resources, your cluster must meet specific requirements. For more information, see <> and <>. + +// GDC Must Fix + diff --git a/latest/ug/networking/lbc-manifest.adoc b/latest/ug/networking/lbc-manifest.adoc new file mode 100644 index 000000000..aa421bc94 --- /dev/null +++ b/latest/ug/networking/lbc-manifest.adoc @@ -0,0 +1,353 @@ +//!!NODE_ROOT
+[.topic] +[[lbc-manifest,lbc-manifest.title]] +include::../attributes.txt[] + += Install [.noloc]`{aws} Load Balancer Controller` with manifests +:info_titleabbrev: Install with manifests + +[abstract] +-- +Install the [.noloc]`{aws} Load Balancer Controller` add-on for Amazon EKS using [.noloc]`Kubernetes` manifests to provision Elastic Load Balancing resources. Configure IAM role and install `cert-manager` before applying controller manifest. +-- + +[TIP] +==== +With Amazon EKS Auto Mode, you don't need to install or upgrade networking add-ons. Auto Mode includes pod networking and load balancing capabilities. + +For more information, see <>. +==== + +This topic describes how to install the controller by downloading and applying [.noloc]`Kubernetes` manifests. You can view the full https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/[documentation] for the controller on [.noloc]`GitHub`. + +In the following steps, replace the [.replaceable]`example values` with your own values. + +[[lbc-manifest-prereqs,lbc-manifest-prereqs.title]] +== Prerequisites + +Before starting this tutorial, you must install and configure the following tools and resources that you need to create and manage an Amazon EKS cluster. + + + +* An existing Amazon EKS cluster. To deploy one, see <>. +* An existing {aws} Identity and Access Management (IAM) [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you already have one, or to create one, see <>. +* Make sure that your [.noloc]`Amazon VPC CNI plugin for Kubernetes`, `kube-proxy`, and [.noloc]`CoreDNS` add-ons are at the minimum versions listed in <>. +* Familiarity with {aws} Elastic Load Balancing. For more information, see the link:elasticloadbalancing/latest/userguide/[Elastic Load Balancing User Guide,type="documentation"]. +* Familiarity with Kubernetes https://kubernetes.io/docs/concepts/services-networking/service/[service] and https://kubernetes.io/docs/concepts/services-networking/ingress/[ingress] resources. + + +[[lbc-iam,lbc-iam.title]] +== Step 1: Configure IAM + +[NOTE] +==== + +You only need to create a role for the [.noloc]`{aws} Load Balancer Controller` one per {aws} account. Check if `AmazonEKSLoadBalancerControllerRole` exists in the link:iam[IAM Console,type="console"]. If this role exists, skip to <>. + +==== + +[NOTE] +==== + +Below example is referring to the [.noloc]`{aws} Load Balancer Controller` **v2.11.0** release version. For more inforamtion about all releases, see the https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/[{aws} Load Balancer Controller Release Page] on [.noloc]`GitHub`. + +==== + +. Download an IAM policy for the [.noloc]`{aws} Load Balancer Controller` that allows it to make calls to {aws} APIs on your behalf. ++ +==== +[role="tablist"] +{aws}::: ++ +[source,shell,subs="verbatim,attributes"] +---- +curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.11.0/docs/install/iam_policy.json +---- + + +{aws} GovCloud (US)::: ++ +[source,shell,subs="verbatim,attributes"] +---- +curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.11.0/docs/install/iam_policy_us-gov.json +---- ++ +[source,shell,subs="verbatim,attributes"] +---- +mv iam_policy_us-gov.json iam_policy.json +---- +==== +. Create an IAM policy using the policy downloaded in the previous step. ++ +[source,shell,subs="verbatim,attributes"] +---- +aws iam create-policy \ + --policy-name AWSLoadBalancerControllerIAMPolicy \ + --policy-document file://iam_policy.json +---- ++ +NOTE: If you view the policy in the {aws-management-console}, the console shows warnings for the *ELB* service, but not for the *ELB v2* service. This happens because some of the actions in the policy exist for *ELB v2*, but not for *ELB*. You can ignore the warnings for *ELB*. + +==== +[role="tablist"] +eksctl::: +.. Replace [.replaceable]`my-cluster` with the name of your cluster, [.replaceable]`111122223333` with your account ID, and then run the command. If your cluster is in the {aws} GovCloud (US-East) or {aws} GovCloud (US-West) {aws} Regions, then replace `{arn-aws}` with `arn:aws-us-gov:`. ++ +[source,shell,subs="verbatim,attributes"] +---- +eksctl create iamserviceaccount \ + --cluster=my-cluster \ + --namespace=kube-system \ + --name=aws-load-balancer-controller \ + --role-name AmazonEKSLoadBalancerControllerRole \ + --attach-policy-arn={arn-aws}iam::111122223333:policy/AWSLoadBalancerControllerIAMPolicy \ + --approve +---- + + +{aws} CLI and kubectl::: +.. Retrieve your cluster's [.noloc]`OIDC` provider ID and store it in a variable. ++ +[source,bash,subs="verbatim,attributes"] +---- +oidc_id=$(aws eks describe-cluster --name my-cluster --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5) +---- +.. Determine whether an IAM [.noloc]`OIDC` provider with your cluster's ID is already in your account. You need [.noloc]`OIDC` configured for both the cluster and IAM. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4 +---- ++ +If output is returned, then you already have an IAM [.noloc]`OIDC` provider for your cluster. If no output is returned, then you must create an IAM [.noloc]`OIDC` provider for your cluster. For more information, see <>. +.. Copy the following contents to your device. Replace [.replaceable]`111122223333` with your account ID. Replace [.replaceable]`region-code` with the {aws} Region that your cluster is in. Replace [.replaceable]`EXAMPLED539D4633E53DE1B71EXAMPLE` with the output returned in the previous step. If your cluster is in the {aws} GovCloud (US-East) or {aws} GovCloud (US-West) {aws} Regions, then replace `{arn-aws}` with `arn:aws-us-gov:`. After replacing the text, run the modified command to create the `load-balancer-role-trust-policy.json` file. ++ +[source,json,subs="verbatim,attributes"] +---- +cat >load-balancer-role-trust-policy.json <aws-load-balancer-controller-service-account.yaml <>. ++ +[source,bash,subs="verbatim,attributes"] +---- +quay.io/jetstack/cert-manager-cainjector:v1.13.5 +quay.io/jetstack/cert-manager-controller:v1.13.5 +quay.io/jetstack/cert-manager-webhook:v1.13.5 +---- +.. Replace `quay.io` in the manifest for the three images with your own registry name. The following command assumes that your private repository's name is the same as the source repository. Replace [.replaceable]`111122223333.dkr.ecr.region-code.amazonaws.com` with your private registry. ++ +[source,shell,subs="verbatim,attributes"] +---- +sed -i.bak -e 's|quay.io|111122223333.dkr.ecr.region-code.amazonaws.com|' ./cert-manager.yaml +---- +.. Apply the manifest. ++ +[source,shell,subs="verbatim,attributes"] +---- +kubectl apply \ + --validate=false \ + -f ./cert-manager.yaml +---- +==== + + +[[lbc-install,lbc-install.title]] +== Step 3: Install [.noloc]`{aws} Load Balancer Controller` +. Download the controller specification. For more information about the controller, see the https://kubernetes-sigs.github.io/aws-load-balancer-controller/[documentation] on [.noloc]`GitHub`. ++ +[source,bash,subs="verbatim,attributes"] +---- +curl -Lo v2_11_0_full.yaml https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/download/v2.11.0/v2_11_0_full.yaml +---- +. Make the following edits to the file. ++ +.. If you downloaded the `v2_11_0_full.yaml` file, run the following command to remove the `ServiceAccount` section in the manifest. If you don't remove this section, the required annotation that you made to the service account in a previous step is overwritten. Removing this section also preserves the service account that you created in a previous step if you delete the controller. ++ +[source,shell,subs="verbatim,attributes"] +---- +sed -i.bak -e '690,698d' ./v2_11_0_full.yaml +---- ++ +If you downloaded a different file version, then open the file in an editor and remove the following lines. ++ +[source,yaml,subs="verbatim,attributes"] +---- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/name: aws-load-balancer-controller + name: aws-load-balancer-controller + namespace: kube-system +--- +---- +.. Replace `your-cluster-name` in the `Deployment` `spec` section of the file with the name of your cluster by replacing [.replaceable]`my-cluster` with the name of your cluster. ++ +[source,shell,subs="verbatim,attributes"] +---- +sed -i.bak -e 's|your-cluster-name|my-cluster|' ./v2_11_0_full.yaml +---- +.. If your nodes don't have access to the Amazon EKS Amazon ECR image repositories, then you need to pull the following image and push it to a repository that your nodes have access to. For more information on how to pull, tag, and push an image to your own repository, see <>. ++ +[source,bash,subs="verbatim,attributes"] +---- +public.ecr.aws/eks/aws-load-balancer-controller:v2.11.0 +---- ++ +Add your registry's name to the manifest. The following command assumes that your private repository's name is the same as the source repository and adds your private registry's name to the file. Replace [.replaceable]`111122223333.dkr.ecr.region-code.amazonaws.com` with your registry. This line assumes that you named your private repository the same as the source repository. If not, change the `eks/aws-load-balancer-controller` text after your private registry name to your repository name. ++ +[source,shell,subs="verbatim,attributes"] +---- +sed -i.bak -e 's|public.ecr.aws/eks/aws-load-balancer-controller|111122223333.dkr.ecr.region-code.amazonaws.com/eks/aws-load-balancer-controller|' ./v2_11_0_full.yaml +---- +.. (Required only for Fargate or Restricted IMDS) ++ +If you're deploying the controller to Amazon EC2 nodes that have https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[restricted access to the Amazon EC2 instance metadata service (IMDS)], or if you're deploying to Fargate or Amazon EKS Hybrid Nodes, then add the `following parameters` under `- args:`. ++ +[source,yaml,subs="verbatim,attributes"] +---- +[...] +spec: + containers: + - args: + - --cluster-name=your-cluster-name + - --ingress-class=alb + - --aws-vpc-id=vpc-xxxxxxxx + - --aws-region=region-code + + +[...] +---- +. Apply the file. ++ +[source,shell,subs="verbatim,attributes"] +---- +kubectl apply -f v2_11_0_full.yaml +---- +. Download the `IngressClass` and `IngressClassParams` manifest to your cluster. ++ +[source,shell,subs="verbatim,attributes"] +---- +curl -Lo v2_11_0_ingclass.yaml https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/download/v2.11.0/v2_11_0_ingclass.yaml +---- +. Apply the manifest to your cluster. ++ +[source,shell,subs="verbatim,attributes"] +---- +kubectl apply -f v2_11_0_ingclass.yaml +---- + + +[[lbc-verify,lbc-verify.title]] +== Step 4: Verify that the controller is installed +. Verify that the controller is installed. ++ +[source,shell,subs="verbatim,attributes"] +---- +kubectl get deployment -n kube-system aws-load-balancer-controller +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +NAME READY UP-TO-DATE AVAILABLE AGE +aws-load-balancer-controller 2/2 2 2 84s +---- ++ +You receive the previous output if you deployed using Helm. If you deployed using the [.noloc]`Kubernetes` manifest, you only have one replica. +. Before using the controller to provision {aws} resources, your cluster must meet specific requirements. For more information, see <> and <>. + + diff --git a/latest/ug/networking/lbc-remove.adoc b/latest/ug/networking/lbc-remove.adoc new file mode 100644 index 000000000..8e0503381 --- /dev/null +++ b/latest/ug/networking/lbc-remove.adoc @@ -0,0 +1,113 @@ +//!!NODE_ROOT
+[.topic] +[[lbc-remove,lbc-remove.title]] += Migrate apps from deprecated ALB [.noloc]`Ingress Controller` +:info_titleabbrev: Migrate from deprecated controller + +include::../attributes.txt[] + +[abstract] +-- +Learn how to migrate from the deprecated ALB Ingress Controller to the latest [.noloc]`{aws} Load Balancer Controller` release, ensuring smooth transition and uninterrupted load balancing capabilities. +-- + +This topic describes how to migrate from deprecated controller versions. More specifically, it describes how to remove deprecated versions of the [.noloc]`{aws} Load Balancer Controller`. + + + +* Deprecated versions cannot be upgraded. You must remove them first, and then install a current version. ++ +[[lbc-deprecated-list]] +* Deprecated versions include: ++ +** {aws} ALB Ingress Controller for [.noloc]`Kubernetes` ("Ingress Controller"), a predecessor to the [.noloc]`{aws} Load Balancer Controller`. +** Any `0.1.[.replaceable]``x``` version of the [.noloc]`{aws} Load Balancer Controller` + + +[[lbc-remove-desc,lbc-remove-desc.title]] +== Remove the deprecated controller version + +[NOTE] +==== + +You may have installed the deprecated version using Helm or manually with [.noloc]`Kubernetes` manifests. Complete the procedure using the tool that you originally installed it with. + +==== +. If you installed the `incubator/aws-alb-ingress-controller` Helm chart, uninstall it. ++ +[source,shell,subs="verbatim,attributes"] +---- +helm delete aws-alb-ingress-controller -n kube-system +---- +. If you have version `0.1.[.replaceable]``x``` of the `eks-charts/aws-load-balancer-controller` chart installed, uninstall it. The upgrade from `0.1.[.replaceable]``x``` to version `1.0.0` doesn't work due to incompatibility with the webhook API version. ++ +[source,shell,subs="verbatim,attributes"] +---- +helm delete aws-load-balancer-controller -n kube-system +---- +. Check to see if the controller is currently installed. ++ +[source,shell,subs="verbatim,attributes"] +---- +kubectl get deployment -n kube-system alb-ingress-controller +---- ++ +This is the output if the controller isn't installed. ++ ++ +This is the output if the controller is installed. ++ +[source,bash,subs="verbatim,attributes"] +---- +NAME READY UP-TO-DATE AVAILABLE AGE +alb-ingress-controller 1/1 1 1 122d +---- +. Enter the following commands to remove the controller. ++ +[source,shell,subs="verbatim,attributes"] +---- +kubectl delete -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.8/docs/examples/alb-ingress-controller.yaml +kubectl delete -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.8/docs/examples/rbac-role.yaml +---- + + +[[lbc-migrate,lbc-migrate.title]] +== Migrate to [.noloc]`{aws} Load Balancer Controller` + +To migrate from the ALB Ingress Controller for [.noloc]`Kubernetes` to the [.noloc]`{aws} Load Balancer Controller`, you need to: + +. Remove the ALB Ingress Controller (see above). +. <> +. Add an additional policy to the IAM Role used by the [.noloc]`{aws} Load Balancer Controller`. This policy permits the LBC to manage resources created by the ALB Ingress Controller for [.noloc]`Kubernetes`. +. Download the IAM policy. This policy permits the [.noloc]`{aws} Load Balancer Controller` to manage resources created by the ALB Ingress Controller for [.noloc]`Kubernetes`. You can also https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy_v1_to_v2_additional.json[view the policy]. ++ +[source,shell,subs="verbatim,attributes"] +---- +curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.11.0/docs/install/iam_policy_v1_to_v2_additional.json +---- +. If your cluster is in the {aws} GovCloud (US-East) or {aws} GovCloud (US-West) {aws} Regions, then replace `{arn-aws}` with `arn:aws-us-gov:`.. ++ +[source,shell,subs="verbatim,attributes"] +---- +sed -i.bak -e 's|{arn-aws}|arn:aws-us-gov:|' iam_policy_v1_to_v2_additional.json +---- +. Create the IAM policy and note the ARN that is returned. ++ +[source,shell,subs="verbatim,attributes"] +---- +aws iam create-policy \ + --policy-name AWSLoadBalancerControllerAdditionalIAMPolicy \ + --policy-document file://iam_policy_v1_to_v2_additional.json +---- +. Attach the IAM policy to the IAM role used by the [.noloc]`{aws} Load Balancer Controller`. Replace [.replaceable]`your-role-name` with the name of the role, such as `AmazonEKSLoadBalancerControllerRole`. ++ +If you created the role using `eksctl`, then to find the role name that was created, open the link:cloudformation[{aws} CloudFormation console,type="console"] and select the *eksctl-[.replaceable]`my-cluster`-addon-iamserviceaccount-kube-system-aws-load-balancer-controller* stack. Select the *Resources* tab. The role name is in the *Physical ID* column. If your cluster is in the {aws} GovCloud (US-East) or {aws} GovCloud (US-West) {aws} Regions, then replace `{arn-aws}` with `arn:aws-us-gov:`. ++ +[source,shell,subs="verbatim,attributes"] +---- +aws iam attach-role-policy \ + --role-name your-role-name \ + --policy-arn {arn-aws}iam::111122223333:policy/AWSLoadBalancerControllerAdditionalIAMPolicy +---- + + diff --git a/latest/ug/networking/managing-coredns.adoc b/latest/ug/networking/managing-coredns.adoc new file mode 100644 index 000000000..dbb2c5b65 --- /dev/null +++ b/latest/ug/networking/managing-coredns.adoc @@ -0,0 +1,112 @@ +//!!NODE_ROOT
+[.topic] +[[managing-coredns,managing-coredns.title]] += Manage CoreDNS for DNS in Amazon EKS clusters +:info_titleabbrev: CoreDNS + +include::../attributes.txt[] + +include::coredns-add-on-create.adoc[leveloffset=+1] + +include::coredns-add-on-update.adoc[leveloffset=+1] + +include::coredns-add-on-self-managed-update.adoc[leveloffset=+1] + +include::coredns-autoscaling.adoc[leveloffset=+1] + +include::coredns-metrics.adoc[leveloffset=+1] + +[abstract] +-- +Learn how to manage the [.noloc]`CoreDNS` Amazon EKS add-on for DNS service discovery in [.noloc]`Kubernetes` clusters with configuration updates and version upgrades. +-- + +[TIP] +==== +With Amazon EKS Auto Mode, you don't need to install or upgrade networking add-ons. Auto Mode includes pod networking and load balancing capabilities. + +For more information, see <>. +==== + +[.noloc]`CoreDNS` is a flexible, extensible DNS server that can serve as the [.noloc]`Kubernetes` cluster DNS. When you launch an Amazon EKS cluster with at least one node, two replicas of the [.noloc]`CoreDNS` image are deployed by default, regardless of the number of nodes deployed in your cluster. The [.noloc]`CoreDNS` [.noloc]`Pods` provide name resolution for all [.noloc]`Pods` in the cluster. The [.noloc]`CoreDNS` [.noloc]`Pods` can be deployed to Fargate nodes if your cluster includes a Fargate Profile with a namespace that matches the namespace for the [.noloc]`CoreDNS` `deployment`. For more information on Fargate Profiles, see <>. For more information about [.noloc]`CoreDNS`, see https://kubernetes.io/docs/tasks/administer-cluster/coredns/[Using CoreDNS for Service Discovery] in the [.noloc]`Kubernetes` documentation. + +[[coredns-versions,coredns-versions.title]] +== [.noloc]`CoreDNS` versions + +The following table lists the latest version of the Amazon EKS add-on type for each [.noloc]`Kubernetes` version. + +[options="header"] +|=== +| Kubernetes version | [.noloc]`CoreDNS` version +| 1.31 | v1.11.4-eksbuild.2 +| 1.30 | v1.11.4-eksbuild.2 +| 1.29 | v1.11.4-eksbuild.2 +| 1.28 | v1.10.1-eksbuild.17 +| 1.27 | v1.10.1-eksbuild.17 +| 1.26 | v1.9.3-eksbuild.21 +| 1.25 | v1.9.3-eksbuild.21 +| 1.24 | v1.9.3-eksbuild.21 +| 1.23 | v1.8.7-eksbuild.20 +|=== + +[IMPORTANT] +==== + +If you're self-managing this add-on, the versions in the table might not be the same as the available self-managed versions. For more information about updating the self-managed type of this add-on, see <>. + +==== + +[[coredns-upgrade,coredns-upgrade.title]] +== Important [.noloc]`CoreDNS` upgrade considerations + +* To improve the stability and availability of the [.noloc]`CoreDNS` [.noloc]`Deployment`, versions `v1.9.3-eksbuild.6` and later and `v1.10.1-eksbuild.3` are deployed with a `PodDisruptionBudget`. If you've deployed an existing `PodDisruptionBudget`, your upgrade to these versions might fail. If the upgrade fails, completing one of the following tasks should resolve the issue: ++ +** When doing the upgrade of the Amazon EKS add-on, choose to override the existing settings as your conflict resolution option. If you've made other custom settings to the [.noloc]`Deployment`, make sure to back up your settings before upgrading so that you can reapply your other custom settings after the upgrade. +** Remove your existing `PodDisruptionBudget` and try the upgrade again. +* In EKS add-on versions `v1.9.3-eksbuild.3` and later and `v1.10.1-eksbuild.6` and later, the [.noloc]`CoreDNS` [.noloc]`Deployment` sets the `readinessProbe` to use the `/ready` endpoint. This endpoint is enabled in the `Corefile` configuration file for [.noloc]`CoreDNS`. ++ +If you use a custom `Corefile`, you must add the `ready` plugin to the config, so that the `/ready` endpoint is active in [.noloc]`CoreDNS` for the probe to use. +* In EKS add-on versions `v1.9.3-eksbuild.7` and later and `v1.10.1-eksbuild.4` and later, you can change the `PodDisruptionBudget`. You can edit the add-on and change these settings in the *Optional configuration settings* using the fields in the following example. This example shows the default `PodDisruptionBudget`. ++ +[source,json,subs="verbatim,attributes"] +---- +{ + "podDisruptionBudget": { + "enabled": true, + "maxUnavailable": 1 + } +} +---- +// Not using [.noloc]`Kubernetes` here because the _ causes issues with the rendering. ++ +You can set `maxUnavailable` or `minAvailable`, but you can't set both in a single `PodDisruptionBudget`. For more information about `PodDisruptionBudgets`, see https://kubernetes.io/docs/tasks/run-application/configure-pdb/#specifying-a-poddisruptionbudget[Specifying a PodDisruptionBudget] in the _Kubernetes documentation_. ++ +Note that if you set `enabled` to `false`, the `PodDisruptionBudget` isn't removed. After you set this field to `false`, you must delete the `PodDisruptionBudget` object. Similarly, if you edit the add-on to use an older version of the add-on (downgrade the add-on) after upgrading to a version with a `PodDisruptionBudget`, the `PodDisruptionBudget` isn't removed. To delete the `PodDisruptionBudget`, you can run the following command: ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl delete poddisruptionbudget coredns -n kube-system +---- +* In EKS add-on versions `v1.10.1-eksbuild.5` and later, change the default toleration from `node-role.kubernetes.io/master:NoSchedule` to `node-role.kubernetes.io/control-plane:NoSchedule` to comply with KEP 2067. For more information about KEP 2067, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/kubeadm/2067-rename-master-label-taint#renaming-the-node-rolekubernetesiomaster-node-taint[KEP-2067: Rename the kubeadm "master" label and taint] in the _Kubernetes Enhancement Proposals (KEPs)_ on [.noloc]`GitHub`. ++ +In EKS add-on versions `v1.8.7-eksbuild.8` and later and `v1.9.3-eksbuild.9` and later, both tolerations are set to be compatible with every [.noloc]`Kubernetes` version. +* In EKS add-on versions `v1.9.3-eksbuild.11` and `v1.10.1-eksbuild.7` and later, the [.noloc]`CoreDNS` [.noloc]`Deployment` sets a default value for `topologySpreadConstraints`. The default value ensures that the [.noloc]`CoreDNS` [.noloc]`Pods` are spread across the Availability Zones if there are nodes in multiple Availability Zones available. You can set a custom value that will be used instead of the default value. The default value follows: ++ +[source,yaml,subs="verbatim,attributes"] +---- +topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + k8s-app: kube-dns +---- + + +[[coredns-upgrade-1.11,coredns-upgrade-1.11.title]] +=== [.noloc]`CoreDNS` `v1.11` upgrade considerations + +* In EKS add-on versions `v1.11.1-eksbuild.4` and later, the container image is based on a https://gallery.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base[minimal base image] maintained by Amazon EKS Distro, which contains minimal packages and doesn't have shells. For more information, see https://distro.eks.amazonaws.com/[Amazon EKS Distro]. The usage and troubleshooting of the [.noloc]`CoreDNS` image remains the same. + + diff --git a/latest/ug/networking/managing-kube-proxy.adoc b/latest/ug/networking/managing-kube-proxy.adoc new file mode 100644 index 000000000..b3591ce2e --- /dev/null +++ b/latest/ug/networking/managing-kube-proxy.adoc @@ -0,0 +1,93 @@ +//!!NODE_ROOT
+[.topic] +[[managing-kube-proxy,managing-kube-proxy.title]] += Manage `kube-proxy` in Amazon EKS clusters +:info_titleabbrev: kube-proxy + +include::../attributes.txt[] + +include::kube-proxy-add-on-self-managed-update.adoc[leveloffset=+1] + +[abstract] +-- +Learn how to manage the `kube-proxy` add-on on your Amazon EKS cluster to manage network rules and enable network communication to your Pods. +-- + +[TIP] +==== +With Amazon EKS Auto Mode, you don't need to install or upgrade networking add-ons. Auto Mode includes pod networking and load balancing capabilities. + +For more information, see <>. +==== + +//GDC: Need DF to review + + +We recommend adding the Amazon EKS type of the add-on to your cluster instead of using the self-managed type of the add-on. If you're not familiar with the difference between the types, see <>. For more information about adding an Amazon EKS add-on to your cluster, see <>. If you're unable to use the Amazon EKS add-on, we encourage you to submit an issue about why you can't to the https://github.com/aws/containers-roadmap/issues[Containers roadmap GitHub repository]. + +The `kube-proxy` add-on is deployed on each Amazon EC2 node in your Amazon EKS cluster. It maintains network rules on your nodes and enables network communication to your [.noloc]`Pods`. The add-on isn't deployed to Fargate nodes in your cluster. For more information, see https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/[kube-proxy] in the [.noloc]`Kubernetes` documentation. + +== Install as Amazon EKS Add-on + + +[[kube-proxy-versions,kube-proxy-versions.title]] +== `kube-proxy` versions + +The following table lists the latest version of the Amazon EKS add-on type for each [.noloc]`Kubernetes` version. + +[options="header"] +|=== +| Kubernetes version | `kube-proxy` version +| 1.31 | v1.31.3-eksbuild.2 +| 1.30 | v1.30.7-eksbuild.2 +| 1.29 | v1.29.11-eksbuild.2 +| 1.28 | v1.28.15-eksbuild.4 +| 1.27 | v1.27.16-eksbuild.14 +| 1.26 | v1.26.15-eksbuild.19 +| 1.25 | v1.25.16-eksbuild.22 +| 1.24 | v1.24.17-eksbuild.19 +| 1.23 | v1.23.17-eksbuild.20 +|=== + +[NOTE] +==== + +An earlier version of the documentation was incorrect. `kube-proxy` versions `v1.28.5`, `v1.27.9`, and `v1.26.12` aren't available. + +If you're self-managing this add-on, the versions in the table might not be the same as the available self-managed versions. + +==== + +[[managing-kube-proxy-images,managing-kube-proxy-images.title]] +== `kube-proxy` container image migration + +There are two types of the `kube-proxy` container image available for each Amazon EKS cluster version: + + + +* *Default* – This image type is based on a Debian-based Docker image that is maintained by the [.noloc]`Kubernetes` upstream community. +* *Minimal* – This image type is based on a https://gallery.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-iptables[minimal base image] maintained by Amazon EKS Distro, which contains minimal packages and doesn't have shells. For more information, see https://distro.eks.amazonaws.com/[Amazon EKS Distro]. + +The following table lists the latest available self-managed `kube-proxy` container image version for each Amazon EKS cluster version. + +// GDC Update + +[options="header"] +|=== +| Version | kube-proxy (default type) | kube-proxy (minimal type) +| 1.31 | Only minimal type is available | v1.31.2-minimal-eksbuild.3 +| 1.30 | Only minimal type is available | v1.30.6-minimal-eksbuild.3 +| 1.29 | Only minimal type is available | v1.29.10-minimal-eksbuild.3 +| 1.28 | Only minimal type is available | v1.28.15-minimal-eksbuild.4 +| 1.27 | Only minimal type is available | v1.27.16-minimal-eksbuild.14 +| 1.26 | Only minimal type is available | v1.26.15-minimal-eksbuild.19 +| 1.25 | Only minimal type is available | v1.25.16-minimal-eksbuild.22 +| 1.24 | v1.24.10-eksbuild.2 | v1.24.17-minimal-eksbuild.19 +| 1.23 | v1.23.16-eksbuild.2 | v1.23.17-minimal-eksbuild.20 +|=== + + +* The default image type isn't available for [.noloc]`Kubernetes` version `1.25` and later. You must use the minimal image type. +* When you <>, you specify a valid Amazon EKS add-on version, which might not be a version listed in this table. This is because <> versions don't always match container image versions specified when updating the self-managed type of this add-on. When you update the self-managed type of this add-on, you specify a valid container image version listed in this table. + + diff --git a/latest/ug/networking/managing-vpc-cni.adoc b/latest/ug/networking/managing-vpc-cni.adoc new file mode 100644 index 000000000..f38bf2c89 --- /dev/null +++ b/latest/ug/networking/managing-vpc-cni.adoc @@ -0,0 +1,85 @@ +//!!NODE_ROOT
+[.topic] +[[managing-vpc-cni,managing-vpc-cni.title]] += Assign IPs to [.noloc]`Pods` with the Amazon VPC CNI +:info_titleabbrev: Amazon VPC CNI + +include::../attributes.txt[] + +include::vpc-add-on-create.adoc[leveloffset=+1] + +include::vpc-add-on-update.adoc[leveloffset=+1] + +include::vpc-add-on-self-managed-update.adoc[leveloffset=+1] + +include::cni-iam-role.adoc[leveloffset=+1] + +include::pod-networking-use-cases.adoc[leveloffset=+1] + +include::cni-custom-network.adoc[leveloffset=+1] + +include::cni-increase-ip-addresses.adoc[leveloffset=+1] + +include::security-groups-for-pods.adoc[leveloffset=+1] + +include::pod-multiple-network-interfaces.adoc[leveloffset=+1] + +[abstract] +-- +Discover how the [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on works to assign private IP addresses and create network interfaces for [.noloc]`Pods` and services in your Amazon EKS cluster. +-- + +[TIP] +==== +With Amazon EKS Auto Mode, you don't need to install or upgrade networking add-ons. Auto Mode includes pod networking and load balancing capabilities. + +For more information, see <>. +==== + +The [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on is deployed on each Amazon EC2 node in your Amazon EKS cluster. The add-on creates link:AWSEC2/latest/UserGuide/using-eni.html[elastic network interfaces,type="documentation"] and attaches them to your Amazon EC2 nodes. The add-on also assigns a private `IPv4` or `IPv6` address from your VPC to each [.noloc]`Pod`. + +A version of the add-on is deployed with each Fargate node in your cluster, but you don't update it on Fargate nodes. Other compatible CNI plugins are available for use on Amazon EKS clusters, but this is the only CNI plugin supported by Amazon EKS for nodes that run on {aws} infrastructure. For more information about the other compatible CNI plugins, see <>. The VPC CNI isn't supported for use with hybrid nodes. For more information about your CNI options for hybrid nodes, see <>. + +The following table lists the latest available version of the Amazon EKS add-on type for each [.noloc]`Kubernetes` version. + +[[vpc-cni-latest-available-version,vpc-cni-latest-available-version.title]] +== [.noloc]`Amazon VPC CNI` versions + +[options="header"] +|=== +| Kubernetes version | Amazon EKS type of VPC CNI version +| 1.31 | v1.19.0-eksbuild.1 +| 1.30 | v1.19.0-eksbuild.1 +| 1.29 | v1.19.0-eksbuild.1 +| 1.28 | v1.19.0-eksbuild.1 +| 1.27 | v1.19.0-eksbuild.1 +| 1.26 | v1.19.0-eksbuild.1 +| 1.25 | v1.19.0-eksbuild.1 +| 1.24 | v1.19.0-eksbuild.1 +| 1.23 | v1.18.5-eksbuild.1 +|=== + +[IMPORTANT] +==== + +If you're self-managing this add-on, the versions in the table might not be the same as the available self-managed versions. For more information about updating the self-managed type of this add-on, see <>. + +==== + +[IMPORTANT] +==== + +To upgrade to VPC CNI v1.12.0 or later, you must upgrade to VPC CNI v1.7.0 first. We recommend that you update one minor version at a time. + +==== + + +[[manage-vpc-cni-add-on-on-considerations,manage-vpc-cni-add-on-on-considerations.title]] +== Considerations + +The following are considerations for using the feature. + +* Versions are specified as `major-version.minor-version.patch-version-eksbuild.build-number`. +* Check version compatibility for each feature. Some features of each release of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` require certain [.noloc]`Kubernetes` versions. When using different Amazon EKS features, if a specific version of the add-on is required, then it's noted in the feature documentation. Unless you have a specific reason for running an earlier version, we recommend running the latest version. + + diff --git a/latest/ug/networking/network-policy-disable.adoc b/latest/ug/networking/network-policy-disable.adoc new file mode 100644 index 000000000..08ef0040e --- /dev/null +++ b/latest/ug/networking/network-policy-disable.adoc @@ -0,0 +1,43 @@ +//!!NODE_ROOT
+[.topic] +[[network-policy-disable,network-policy-disable.title]] += Disable [.noloc]`Kubernetes` network policies for Amazon EKS Pod network traffic +:info_titleabbrev: Disable + +include::../attributes.txt[] + +[abstract] +-- +Learn how to disable [.noloc]`Kubernetes` network policies for Amazon EKS Pod network traffic. +-- + +Disable [.noloc]`Kubernetes` network policies to stop restricting Amazon EKS Pod network traffic + +. List all Kubernetes network policies. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl get netpol -A +---- +. Delete each Kubernetes network policy. You must delete all network policies before disabling network policies. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl delete netpol +---- +. Open the aws-node DaemonSet in your editor. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl edit daemonset -n kube-system aws-node +---- +. Replace the `true` with `false` in the command argument `--enable-network-policy=true` in the `args:` in the `aws-network-policy-agent` container in the VPC CNI `aws-node` daemonset manifest. ++ +[source,yaml,subs="verbatim,attributes"] +---- + - args: + - --enable-network-policy=true +---- + + + diff --git a/latest/ug/networking/pod-multiple-network-interfaces.adoc b/latest/ug/networking/pod-multiple-network-interfaces.adoc new file mode 100644 index 000000000..95372eb81 --- /dev/null +++ b/latest/ug/networking/pod-multiple-network-interfaces.adoc @@ -0,0 +1,34 @@ +//!!NODE_ROOT
+[.topic] +[[pod-multiple-network-interfaces,pod-multiple-network-interfaces.title]] += Attach multiple network interfaces to [.noloc]`Pods` with [.noloc]`Multus` +:info_titleabbrev: Multiple network interfaces + +include::../attributes.txt[] + +[abstract] +-- +Learn how to use Multus CNI to attach multiple network interfaces to a [.noloc]`Pod` in Amazon EKS for advanced networking scenarios, while leveraging the [.noloc]`Amazon VPC CNI` plugin for primary networking. +-- + +Multus CNI is a container network interface (CNI) plugin for Amazon EKS that enables attaching multiple network interfaces to a [.noloc]`Pod`. For more information, see the https://github.com/k8snetworkplumbingwg/multus-cni[Multus-CNI] documentation on [.noloc]`GitHub`. + +In Amazon EKS, each [.noloc]`Pod` has one network interface assigned by the Amazon VPC CNI plugin. With Multus, you can create a multi-homed [.noloc]`Pod` that has multiple interfaces. This is accomplished by Multus acting as a "meta-plugin"; a CNI plugin that can call multiple other CNI plugins. {aws} support for Multus comes configured with the Amazon VPC CNI plugin as the default delegate plugin. + +* Amazon EKS won't be building and publishing single root I/O virtualization (SR-IOV) and Data Plane Development Kit (DPDK) CNI plugins. However, you can achieve packet acceleration by connecting directly to Amazon EC2 Elastic Network Adapters (ENA) through Multus managed host-device and `ipvlan` plugins. +* Amazon EKS is supporting Multus, which provides a generic process that enables simple chaining of additional CNI plugins. Multus and the process of chaining is supported, but {aws} won't provide support for all compatible CNI plugins that can be chained, or issues that may arise in those CNI plugins that are unrelated to the chaining configuration. +* Amazon EKS is providing support and life cycle management for the Multus plugin, but isn't responsible for any IP address or additional management associated with the additional network interfaces. The IP address and management of the default network interface utilizing the Amazon VPC CNI plugin remains unchanged. +* Only the Amazon VPC CNI plugin is officially supported as the default delegate plugin. You need to modify the published Multus installation manifest to reconfigure the default delegate plugin to an alternate CNI if you choose not to use the Amazon VPC CNI plugin for primary networking. +* Multus is only supported when using the Amazon VPC CNI as the primary CNI. We do not support the Amazon VPC CNI when used for higher order interfaces, secondary or otherwise. +* To prevent the Amazon VPC CNI plugin from trying to manage additional network interfaces assigned to [.noloc]`Pods`, add the following tag to the network interface: ++ +*key*:: +: `node.k8s.amazonaws.com/no_manage` ++ +*value*:: +: `true` +* Multus is compatible with network policies, but the policy has to be enriched to include ports and IP addresses that may be part of additional network interfaces attached to [.noloc]`Pods`. + +For an implementation walk through, see the https://github.com/aws-samples/eks-install-guide-for-multus/blob/main/README.md[Multus Setup Guide] on [.noloc]`GitHub`. + + diff --git a/latest/ug/networking/pod-networking-use-cases.adoc b/latest/ug/networking/pod-networking-use-cases.adoc new file mode 100644 index 000000000..34c422d7c --- /dev/null +++ b/latest/ug/networking/pod-networking-use-cases.adoc @@ -0,0 +1,49 @@ +//!!NODE_ROOT
+[.topic] +[[pod-networking-use-cases,pod-networking-use-cases.title]] += Learn about VPC CNI modes and configuration +:info_titleabbrev: Modes and configuration + +include::../attributes.txt[] + +include::cni-ipv6.adoc[leveloffset=+1] + +include::external-snat.adoc[leveloffset=+1] + +include::cni-network-policy.adoc[leveloffset=+1] + +[abstract] +-- +Discover how [.noloc]`Amazon VPC CNI plugin for Kubernetes` provides pod networking capabilities and settings for different Amazon EKS node types and use cases, including security groups, [.noloc]`Kubernetes` network policies, custom networking, IPv4, and IPv6 support. +-- + +The [.noloc]`Amazon VPC CNI plugin for Kubernetes` provides networking for [.noloc]`Pods`. Use the following table to learn more about the available networking features. + +[cols="1,1", options="header"] +|=== +|Networking feature +|Learn more + + +|Configure your cluster to assign IPv6 addresses to clusters, [.noloc]`Pods`, and services +|<> + +|Use IPv4 Source Network Address Translation for [.noloc]`Pods` +|<> + +|Restrict network traffic to and from your [.noloc]`Pods` +|<> + +|Customize the secondary network interface in nodes +|<> + +|Increase IP addresses for your node +|<> + +|Use security groups for [.noloc]`Pod` network traffic +|<> + +|Use multiple network interfaces for [.noloc]`Pods` +|<> +|=== + diff --git a/latest/ug/networking/security-groups-for-pods.adoc b/latest/ug/networking/security-groups-for-pods.adoc new file mode 100644 index 000000000..88ad2c793 --- /dev/null +++ b/latest/ug/networking/security-groups-for-pods.adoc @@ -0,0 +1,74 @@ +//!!NODE_ROOT
+[.topic] +[[security-groups-for-pods,security-groups-for-pods.title]] += Assign security groups to individual [.noloc]`Pods` +:info_titleabbrev: Security groups for Pods + +include::../attributes.txt[] + +include::security-groups-pods-deployment.adoc[leveloffset=+1] + +include::sg-pods-example-deployment.adoc[leveloffset=+1] + +[abstract] +-- +Learn how to configure security groups for [.noloc]`Pods` on Amazon EKS, integrating Amazon EC2 security groups with [.noloc]`Kubernetes` [.noloc]`Pods` to define network traffic rules. Discover the considerations, setup process, and deploy a sample application with assigned security groups. +-- + +*Applies to*: [.noloc]`Linux` nodes with Amazon EC2 instances + +*Applies to*: Private subnets + +Security groups for [.noloc]`Pods` integrate Amazon EC2 security groups with [.noloc]`Kubernetes` [.noloc]`Pods`. You can use Amazon EC2 security groups to define rules that allow inbound and outbound network traffic to and from [.noloc]`Pods` that you deploy to nodes running on many Amazon EC2 instance types and Fargate. For a detailed explanation of this capability, see the link:containers/introducing-security-groups-for-pods[Introducing security groups for Pods,type="blog"] blog post. + +[[security-groups-for-pods-compatability,security-groups-for-pods-compatability.title]] +== Compatibility with [.noloc]`Amazon VPC CNI plugin for Kubernetes` features + +You can use security groups for [.noloc]`Pods` with the following features: + + + +* IPv4 Source Network Address Translation - For more information, see <>. +* IPv6 addresses to clusters, Pods, and services - For more information, see <>. +* Restricting traffic using [.noloc]`Kubernetes` network policies - For more information, see <>. + + +[[sg-pods-considerations,sg-pods-considerations.title]] +== Considerations + +Before deploying security groups for [.noloc]`Pods`, consider the following limitations and conditions: + + + +* Security groups for [.noloc]`Pods` can't be used with [.noloc]`Windows` nodes. +* Security groups for [.noloc]`Pods` can be used with clusters configured for the `IPv6` family that contain Amazon EC2 nodes by using version 1.16.0 or later of the Amazon VPC CNI plugin. You can use security groups for [.noloc]`Pods` with clusters configure `IPv6` family that contain only Fargate nodes by using version 1.7.7 or later of the Amazon VPC CNI plugin. For more information, see <> +* Security groups for [.noloc]`Pods` are supported by most link:AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances[Nitro-based,type="documentation"] Amazon EC2 instance families, though not by all generations of a family. For example, the `m5`, `c5`, `r5`, `m6g`, `c6g`, and `r6g` instance family and generations are supported. No instance types in the `t` family are supported. For a complete list of supported instance types, see the https://github.com/aws/amazon-vpc-resource-controller-k8s/blob/v1.5.0/pkg/aws/vpc/limits.go[limits.go] file on [.noloc]`GitHub`. Your nodes must be one of the listed instance types that have `IsTrunkingCompatible: true` in that file. +* If you're also using [.noloc]`Pod` security policies to restrict access to [.noloc]`Pod` mutation, then the `eks:vpc-resource-controller` [.noloc]`Kubernetes` user must be specified in the [.noloc]`Kubernetes` `ClusterRoleBinding` for the `role` that your `psp` is assigned to. If you're using the default Amazon EKS `psp`, `role`, and `ClusterRoleBinding`, this is the `eks:podsecuritypolicy:authenticated` `ClusterRoleBinding`. For example, you add the user to the `subjects:` section, as shown in the following example: ++ +[source,yaml,subs="verbatim,attributes"] +---- +[...] +subjects: + - kind: Group + apiGroup: rbac.authorization.k8s.io + name: system:authenticated + - apiGroup: rbac.authorization.k8s.io + kind: User + name: eks:vpc-resource-controller + - kind: ServiceAccount + name: eks-vpc-resource-controller +---- +* If you're using custom networking and security groups for [.noloc]`Pods` together, the security group specified by security groups for [.noloc]`Pods` is used instead of the security group specified in the `ENIConfig`. +* If you're using version `1.10.2` or earlier of the Amazon VPC CNI plugin and you include the `terminationGracePeriodSeconds` setting in your [.noloc]`Pod` spec, the value for the setting can't be zero. +* If you're using version `1.10` or earlier of the Amazon VPC CNI plugin, or version `1.11` with `POD_SECURITY_GROUP_ENFORCING_MODE`=``strict``, which is the default setting, then [.noloc]`Kubernetes` services of type `NodePort` and `LoadBalancer` using instance targets with an `externalTrafficPolicy` set to `Local` aren't supported with [.noloc]`Pods` that you assign security groups to. For more information about using a load balancer with instance targets, see <>. +* If you're using version `1.10` or earlier of the Amazon VPC CNI plugin or version `1.11` with `POD_SECURITY_GROUP_ENFORCING_MODE`=``strict``, which is the default setting, source NAT is disabled for outbound traffic from [.noloc]`Pods` with assigned security groups so that outbound security group rules are applied. To access the internet, [.noloc]`Pods` with assigned security groups must be launched on nodes that are deployed in a private subnet configured with a NAT gateway or instance. [.noloc]`Pods` with assigned security groups deployed to public subnets are not able to access the internet. ++ +If you're using version `1.11` or later of the plugin with `POD_SECURITY_GROUP_ENFORCING_MODE`=``standard``, then [.noloc]`Pod` traffic destined for outside of the VPC is translated to the IP address of the instance's primary network interface. For this traffic, the rules in the security groups for the primary network interface are used, rather than the rules in the [.noloc]`Pod's` security groups. +* To use [.noloc]`Calico` network policy with [.noloc]`Pods` that have associated security groups, you must use version `1.11.0` or later of the Amazon VPC CNI plugin and set `POD_SECURITY_GROUP_ENFORCING_MODE`=``standard``. Otherwise, traffic flow to and from [.noloc]`Pods` with associated security groups are not subjected to [.noloc]`Calico` network policy enforcement and are limited to Amazon EC2 security group enforcement only. To update your Amazon VPC CNI version, see <> +* [.noloc]`Pods` running on Amazon EC2 nodes that use security groups in clusters that use https://kubernetes.io/docs/tasks/administer-cluster/nodelocaldns/[NodeLocal DNSCache] are only supported with version `1.11.0` or later of the Amazon VPC CNI plugin and with `POD_SECURITY_GROUP_ENFORCING_MODE`=``standard``. To update your Amazon VPC CNI plugin version, see <> +* Security groups for [.noloc]`Pods` might lead to higher [.noloc]`Pod` startup latency for [.noloc]`Pods` with high churn. This is due to rate limiting in the resource controller. +* The EC2 security group scope is at the [.noloc]`Pod`-level - For more information, see link:vpc/latest/userguide/VPC_SecurityGroups.html[Security group,type="documentation"]. ++ +If you set `POD_SECURITY_GROUP_ENFORCING_MODE=standard` and `AWS_VPC_K8S_CNI_EXTERNALSNAT=false`, traffic destined for endpoints outside the VPC use the node's security groups, not the [.noloc]`Pod's` security groups. + + diff --git a/latest/ug/networking/security-groups-pods-deployment.adoc b/latest/ug/networking/security-groups-pods-deployment.adoc new file mode 100644 index 000000000..e283bb265 --- /dev/null +++ b/latest/ug/networking/security-groups-pods-deployment.adoc @@ -0,0 +1,95 @@ +//!!NODE_ROOT
+[.topic] +[[security-groups-pods-deployment,security-groups-pods-deployment.title]] += Configure the [.noloc]`Amazon VPC CNI plugin for Kubernetes` for security groups for Amazon EKS [.noloc]`Pods` +:info_titleabbrev: Configure + +include::../attributes.txt[] + +If you use [.noloc]`Pods` with Amazon EC2 instances, you need to configure the [.noloc]`Amazon VPC CNI plugin for Kubernetes` for security groups + +If you use Fargate [.noloc]`Pods` only, and don't have any Amazon EC2 nodes in your cluster, see <>. + +. Check your current [.noloc]`Amazon VPC CNI plugin for Kubernetes` version with the following command: ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl describe daemonset aws-node --namespace kube-system | grep amazon-k8s-cni: | cut -d : -f 3 +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +v1.7.6 +---- ++ +If your [.noloc]`Amazon VPC CNI plugin for Kubernetes` version is earlier than `1.7.7`, then update the plugin to version `1.7.7` or later. For more information, see <> +. Add the link:iam/home#/policies/arn:aws:iam::aws:policy/AmazonEKSVPCResourceController[AmazonEKSVPCResourceController,type="console"] managed IAM policy to the <> that is associated with your Amazon EKS cluster. The policy allows the role to manage network interfaces, their private IP addresses, and their attachment and detachment to and from network instances. ++ +.. Retrieve the name of your cluster IAM role and store it in a variable. Replace [.replaceable]`my-cluster` with the name of your cluster. ++ +[source,bash,subs="verbatim,attributes"] +---- +cluster_role=$(aws eks describe-cluster --name my-cluster --query cluster.roleArn --output text | cut -d / -f 2) +---- +.. Attach the policy to the role. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws iam attach-role-policy --policy-arn {arn-aws}iam::aws:policy/AmazonEKSVPCResourceController --role-name $cluster_role +---- +. Enable the Amazon VPC CNI add-on to manage network interfaces for [.noloc]`Pods` by setting the `ENABLE_POD_ENI` variable to `true` in the `aws-node` [.noloc]`DaemonSet`. Once this setting is set to `true`, for each node in the cluster the add-on creates a `cninode` custom resource. The VPC resource controller creates and attaches one special network interface called a _trunk network interface_ with the description `aws-k8s-trunk-eni`. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl set env daemonset aws-node -n kube-system ENABLE_POD_ENI=true +---- ++ +NOTE: The trunk network interface is included in the maximum number of network interfaces supported by the instance type. For a list of the maximum number of network interfaces supported by each instance type, see link:AWSEC2/latest/UserGuide/using-eni.html#AvailableIpPerENI[IP addresses per network interface per instance type,type="documentation"] in the _Amazon EC2 User Guide_. If your node already has the maximum number of standard network interfaces attached to it then the VPC resource controller will reserve a space. You will have to scale down your running [.noloc]`Pods` enough for the controller to detach and delete a standard network interface, create the trunk network interface, and attach it to the instance. +. You can see which of your nodes have a `CNINode` custom resource with the following command. If `No resources found` is returned, then wait several seconds and try again. The previous step requires restarting the [.noloc]`Amazon VPC CNI plugin for` Kubernetes Pods`, which takes several seconds. ++ +[source,shell,subs="verbatim,attributes"] +---- +kubectl get cninode -A + NAME FEATURES + ip-192-168-64-141.us-west-2.compute.internal [{"name":"SecurityGroupsForPods"}] + ip-192-168-7-203.us-west-2.compute.internal [{"name":"SecurityGroupsForPods"}] +---- ++ +If you are using VPC CNI versions older than `1.15`, node labels were used instead of the `CNINode` custom resource. You can see which of your nodes have the node label `aws-k8s-trunk-eni` set to `true` with the following command. If `No resources found` is returned, then wait several seconds and try again. The previous step requires restarting the [.noloc]`Amazon VPC CNI plugin for Kubernetes Pods`, which takes several seconds. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl get nodes -o wide -l vpc.amazonaws.com/has-trunk-attached=true +- +---- ++ +Once the trunk network interface is created, [.noloc]`Pods` are assigned secondary IP addresses from the trunk or standard network interfaces. The trunk interface is automatically deleted if the node is deleted. ++ +When you deploy a security group for a [.noloc]`Pod` in a later step, the VPC resource controller creates a special network interface called a _branch network interface_ with a description of `aws-k8s-branch-eni` and associates the security groups to it. Branch network interfaces are created in addition to the standard and trunk network interfaces attached to the node. ++ +If you are using liveness or readiness probes, then you also need to disable _TCP early demux_, so that the `kubelet` can connect to [.noloc]`Pods` on branch network interfaces using TCP. To disable _TCP early demux_, run the following command: ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl patch daemonset aws-node -n kube-system \ + -p '{"spec": {"template": {"spec": {"initContainers": [{"env":[{"name":"DISABLE_TCP_EARLY_DEMUX","value":"true"}],"name":"aws-vpc-cni-init"}]}}}}' +---- ++ +NOTE: If you're using `1.11.0` or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on and set `POD_SECURITY_GROUP_ENFORCING_MODE`=``standard``, as described in the next step, then you don't need to run the previous command. +. If your cluster uses `NodeLocal DNSCache`, or you want to use [.noloc]`Calico` network policy with your [.noloc]`Pods` that have their own security groups, or you have [.noloc]`Kubernetes` services of type `NodePort` and `LoadBalancer` using instance targets with an `externalTrafficPolicy` set to `Local` for [.noloc]`Pods` that you want to assign security groups to, then you must be using version `1.11.0` or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on, and you must enable the following setting: ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl set env daemonset aws-node -n kube-system POD_SECURITY_GROUP_ENFORCING_MODE=standard +---- ++ +IMPORTANT: +** [.noloc]`Pod` security group rules aren't applied to traffic between [.noloc]`Pods` or between [.noloc]`Pods` and [.noloc]`services`, such as `kubelet` or `nodeLocalDNS`, that are on the same node. Pods using different security groups on the same node can't communicate because they are configured in different subnets, and routing is disabled between these subnets. +** Outbound traffic from [.noloc]`Pods` to addresses outside of the VPC is network address translated to the IP address of the instance's primary network interface (unless you've also set `AWS_VPC_K8S_CNI_EXTERNALSNAT=true`). For this traffic, the rules in the security groups for the primary network interface are used, rather than the rules in the [.noloc]`Pod's` security groups. +** For this setting to apply to existing [.noloc]`Pods`, you must restart the [.noloc]`Pods` or the nodes that the [.noloc]`Pods` are running on. + +. To see how to use a security group policy for your [.noloc]`Pod`, see <>. + + diff --git a/latest/ug/networking/sg-pods-example-deployment.adoc b/latest/ug/networking/sg-pods-example-deployment.adoc new file mode 100644 index 000000000..0338a0cf2 --- /dev/null +++ b/latest/ug/networking/sg-pods-example-deployment.adoc @@ -0,0 +1,212 @@ +//!!NODE_ROOT
+[.topic] +[[sg-pods-example-deployment,sg-pods-example-deployment.title]] += Use a security group policy for an Amazon EKS [.noloc]`Pod` +:info_titleabbrev: SecurityGroupPolicy + +include::../attributes.txt[] + +To use security groups for [.noloc]`Pods`, you must have an existing security group. The following steps show you how to use the security group policy for a [.noloc]`Pod`. Unless otherwise noted, complete all steps from the same terminal because variables are used in the following steps that don't persist across terminals. + +If you have a [.noloc]`Pod` with Amazon EC2 instances, you must configure the plugin before you use this procedure. For more information, see <>. + +. Create a [.noloc]`Kubernetes` namespace to deploy resources to. You can replace [.replaceable]`my-namespace` with the name of a namespace that you want to use. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl create namespace my-namespace +---- +. [[deploy-securitygrouppolicy]]Deploy an Amazon EKS `SecurityGroupPolicy` to your cluster. ++ +.. Copy the following contents to your device. You can replace [.replaceable]`podSelector` with `serviceAccountSelector` if you'd rather select [.noloc]`Pods` based on service account labels. You must specify one selector or the other. An empty `podSelector` (example: `podSelector: {}`) selects all [.noloc]`Pods` in the namespace. You can change [.replaceable]`my-role` to the name of your role. An empty `serviceAccountSelector` selects all service accounts in the namespace. You can replace [.replaceable]`my-security-group-policy` with a name for your `SecurityGroupPolicy` and [.replaceable]`my-namespace` with the namespace that you want to create the `SecurityGroupPolicy` in. ++ +You must replace [.replaceable]`my_pod_security_group_id` with the ID of an existing security group. If you don't have an existing security group, then you must create one. For more information, see link:AWSEC2/latest/UserGuide/ec2-security-groups.html[Amazon EC2 security groups for Linux instances,type="documentation"] in the link:AWSEC2/latest/UserGuide/[Amazon EC2 User Guide,type="documentation"]. You can specify 1-5 security group IDs. If you specify more than one ID, then the combination of all the rules in all the security groups are effective for the selected [.noloc]`Pods`. ++ +[source,yaml,subs="verbatim,attributes"] +---- +cat >my-security-group-policy.yaml <sample-application.yaml < +my-deployment-5df6f7687b-j9fl4 1/1 Running 0 7m51s 192.168.70.145 ip-192-168-92-33.region-code.compute.internal +my-deployment-5df6f7687b-rjxcz 1/1 Running 0 7m51s 192.168.73.207 ip-192-168-92-33.region-code.compute.internal +my-deployment-5df6f7687b-zmb42 1/1 Running 0 7m51s 192.168.63.27 ip-192-168-33-28.region-code.compute.internal +---- ++ +[NOTE] +==== +Try these tips if any [.noloc]`Pods` are stuck. + +* If any [.noloc]`Pods` are stuck in the `Waiting` state, then run `kubectl describe pod [.replaceable]``my-deployment-xxxxxxxxxx-xxxxx`` -n [.replaceable]``my-namespace```. If you see `Insufficient permissions: Unable to create Elastic Network Interface.`, confirm that you added the IAM policy to the IAM cluster role in a previous step. +* If any [.noloc]`Pods` are stuck in the `Pending` state, confirm that your node instance type is listed in https://github.com/aws/amazon-vpc-resource-controller-k8s/blob/master/pkg/aws/vpc/limits.go[limits.go] and that the product of the maximum number of branch network interfaces supported by the instance type multiplied times the number of nodes in your node group hasn't already been met. For example, an `m5.large` instance supports nine branch network interfaces. If your node group has five nodes, then a maximum of 45 branch network interfaces can be created for the node group. The 46th [.noloc]`Pod` that you attempt to deploy will sit in `Pending` state until another [.noloc]`Pod` that has associated security groups is deleted. + +==== ++ +If you run `kubectl describe pod [.replaceable]``my-deployment-xxxxxxxxxx-xxxxx`` -n [.replaceable]``my-namespace``` and see a message similar to the following message, then it can be safely ignored. This message might appear when the [.noloc]`Amazon VPC CNI plugin for Kubernetes` tries to set up host networking and fails while the network interface is being created. The plugin logs this event until the network interface is created. ++ +[source,bash,subs="verbatim,attributes"] +---- +Failed to create Pod sandbox: rpc error: code = Unknown desc = failed to set up sandbox container "e24268322e55c8185721f52df6493684f6c2c3bf4fd59c9c121fd4cdc894579f" network for Pod "my-deployment-5df6f7687b-4fbjm": networkPlugin +cni failed to set up Pod "my-deployment-5df6f7687b-4fbjm-c89wx_my-namespace" network: add cmd: failed to assign an IP address to container +---- ++ +You can't exceed the maximum number of [.noloc]`Pods` that can be run on the instance type. For a list of the maximum number of [.noloc]`Pods` that you can run on each instance type, see https://github.com/awslabs/amazon-eks-ami/blob/main/templates/shared/runtime/eni-max-pods.txt[eni-max-pods.txt] on [.noloc]`GitHub`. When you delete a [.noloc]`Pod` that has associated security groups, or delete the node that the [.noloc]`Pod` is running on, the VPC resource controller deletes the branch network interface. If you delete a cluster with [.noloc]`Pods` using [.noloc]`Pods` for security groups, then the controller doesn't delete the branch network interfaces, so you'll need to delete them yourself. For information about how to delete network interfaces, see link:AWSEC2/latest/UserGuide/using-eni.html#delete_eni[Delete a network interface,type="documentation"] in the Amazon EC2 User Guide. +. In a separate terminal, shell into one of the [.noloc]`Pods`. For the remainder of this topic, this terminal is referred to as `TerminalB`. Replace [.replaceable]`5df6f7687b-4fbjm` with the ID of one of the [.noloc]`Pods` returned in your output from the previous step. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl exec -it -n my-namespace my-deployment-5df6f7687b-4fbjm -- /bin/bash +---- +. From the shell in `TerminalB`, confirm that the sample application works. ++ +[source,bash,subs="verbatim,attributes"] +---- +curl my-app +---- ++ +An example output is as follows. ++ +[source,html,subs="verbatim"] +---- + + + +Welcome to nginx! +[...] +---- ++ +You received the output because all [.noloc]`Pods` running the application are associated with the security group that you created. That group contains a rule that allows all traffic between all [.noloc]`Pods` that the security group is associated to. DNS traffic is allowed outbound from that security group to the cluster security group, which is associated with your nodes. The nodes are running the [.noloc]`CoreDNS` [.noloc]`Pods`, which your [.noloc]`Pods` did a name lookup to. +. From `TerminalA`, remove the security group rules that allow DNS communication to the cluster security group from your security group. If you didn't add the DNS rules to the cluster security group in a previous step, then replace [.replaceable]`$my_cluster_security_group_id` with the ID of the security group that you created the rules in. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws ec2 revoke-security-group-ingress --group-id $my_cluster_security_group_id --security-group-rule-ids $my_tcp_rule_id +aws ec2 revoke-security-group-ingress --group-id $my_cluster_security_group_id --security-group-rule-ids $my_udp_rule_id +---- +. From `TerminalB`, attempt to access the application again. ++ +[source,bash,subs="verbatim,attributes"] +---- +curl my-app +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +curl: (6) Could not resolve host: my-app +---- ++ +The attempt fails because the [.noloc]`Pod` is no longer able to access the [.noloc]`CoreDNS` [.noloc]`Pods`, which have the cluster security group associated to them. The cluster security group no longer has the security group rules that allow DNS communication from the security group associated to your [.noloc]`Pod`. ++ +If you attempt to access the application using the IP addresses returned for one of the [.noloc]`Pods` in a previous step, you still receive a response because all ports are allowed between [.noloc]`Pods` that have the security group associated to them and a name lookup isn't required. +. Once you've finished experimenting, you can remove the sample security group policy, application, and security group that you created. Run the following commands from `TerminalA`. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl delete namespace my-namespace +aws ec2 revoke-security-group-ingress --group-id $my_pod_security_group_id --security-group-rule-ids $my_inbound_self_rule_id +wait +sleep 45s +aws ec2 delete-security-group --group-id $my_pod_security_group_id +---- + + diff --git a/latest/ug/networking/vpc-add-on-create.adoc b/latest/ug/networking/vpc-add-on-create.adoc new file mode 100644 index 000000000..1e9e2e6e0 --- /dev/null +++ b/latest/ug/networking/vpc-add-on-create.adoc @@ -0,0 +1,97 @@ +//!!NODE_ROOT
+[.topic] +[[vpc-add-on-create,vpc-add-on-create.title]] += Create the Amazon VPC CNI (Amazon EKS add-on) +:info_titleabbrev: Create + +include::../attributes.txt[] + +Use the following steps to create the [.noloc]`Amazon VPC CNI plugin for Kubernetes` Amazon EKS add-on. + +Before you begin, review the considerations. For more information, see <>. + + +[[vpc-add-on-create-prerequisites,vpc-add-on-create-prerequisites.title]] +== Prerequisites + +The following are prerequisites for the [.noloc]`Amazon VPC CNI plugin for Kubernetes` Amazon EKS add-on. + +* An existing Amazon EKS cluster. To deploy one, see <>. +* An existing {aws} Identity and Access Management (IAM) [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you already have one, or to create one, see <>. +* An IAM role with the link:aws-managed-policy/latest/reference/AmazonEKS_CNI_Policy.html[AmazonEKS_CNI_Policy,type="documentation"] IAM policy (if your cluster uses the `IPv4` family) or an IPv6 policy (if your cluster uses the `IPv6` family) attached to it. For more information about the VPC CNI role, see <>. For information about the IPv6 policy, see <>. +* If you're using version `1.7.0` or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` and you use custom [.noloc]`Pod` security policies, see <> and <>. + +[IMPORTANT] +==== + +[.noloc]`Amazon VPC CNI plugin for Kubernetes` versions `v1.16.0` to `v1.16.1` removed compatibility with [.noloc]`Kubernetes` versions `1.23` and earlier. VPC CNI version `v1.16.2` restores compatibility with [.noloc]`Kubernetes` versions `1.23` and earlier and CNI spec `v0.4.0`. + +[.noloc]`Amazon VPC CNI plugin for Kubernetes` versions `v1.16.0` to `v1.16.1` implement CNI specification version `v1.0.0`. CNI spec `v1.0.0` is supported on EKS clusters that run the [.noloc]`Kubernetes` versions `v1.24` or later. VPC CNI version `v1.16.0` to `v1.16.1` and CNI spec `v1.0.0` aren't supported on [.noloc]`Kubernetes` version `v1.23` or earlier. For more information about `v1.0.0` of the CNI spec, see https://github.com/containernetworking/cni/blob/spec-v1.0.0/SPEC.md[Container Network Interface (CNI) Specification] on [.noloc]`GitHub`. + +==== + + +[[vpc-add-on-create-procedure,vpc-add-on-create-procedure.title]] +== Procedure + +After you complete the prerequisites, use the following steps to create the add-on. + +. See which version of the add-on is installed on your cluster. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl describe daemonset aws-node --namespace kube-system | grep amazon-k8s-cni: | cut -d : -f 3 +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +v1.16.4-eksbuild.2 +---- +. See which type of the add-on is installed on your cluster. Depending on the tool that you created your cluster with, you might not currently have the Amazon EKS add-on type installed on your cluster. Replace [.replaceable]`my-cluster` with the name of your cluster. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks describe-addon --cluster-name my-cluster --addon-name vpc-cni --query addon.addonVersion --output text +---- ++ +If a version number is returned, you have the Amazon EKS type of the add-on installed on your cluster and don't need to complete the remaining steps in this procedure. If an error is returned, you don't have the Amazon EKS type of the add-on installed on your cluster. Complete the remaining steps of this procedure to install it. +. Save the configuration of your currently installed add-on. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl get daemonset aws-node -n kube-system -o yaml > aws-k8s-cni-old.yaml +---- +. Create the add-on using the {aws} CLI. If you want to use the {aws-management-console} or `eksctl` to create the add-on, see <> and specify `vpc-cni` for the add-on name. Copy the command that follows to your device. Make the following modifications to the command, as needed, and then run the modified command. ++ +** Replace [.replaceable]`my-cluster` with the name of your cluster. +** Replace [.replaceable]`v1.19.0-eksbuild.1` with the latest version listed in the latest version table for your cluster version. For the latest version table, see <>. +** Replace [.replaceable]`111122223333` with your account ID and [.replaceable]`AmazonEKSVPCCNIRole` with the name of an <> that you've created. Specifying a role requires that you have an IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you have one for your cluster, or to create one, see <>. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks create-addon --cluster-name my-cluster --addon-name vpc-cni --addon-version v1.19.0-eksbuild.1 \ + --service-account-role-arn {arn-aws}iam::111122223333:role/AmazonEKSVPCCNIRole +---- ++ +If you've applied custom settings to your current add-on that conflict with the default settings of the Amazon EKS add-on, creation might fail. If creation fails, you receive an error that can help you resolve the issue. Alternatively, you can add `--resolve-conflicts OVERWRITE` to the previous command. This allows the add-on to overwrite any existing custom settings. Once you've created the add-on, you can update it with your custom settings. +. Confirm that the latest version of the add-on for your cluster's [.noloc]`Kubernetes` version was added to your cluster. Replace [.replaceable]`my-cluster` with the name of your cluster. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks describe-addon --cluster-name my-cluster --addon-name vpc-cni --query addon.addonVersion --output text +---- ++ +It might take several seconds for add-on creation to complete. ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +v1.19.0-eksbuild.1 +---- +. If you made custom settings to your original add-on, before you created the Amazon EKS add-on, use the configuration that you saved in a previous step to update the EKS add-on with your custom settings. Follow the steps in <>. +. (Optional) Install the `cni-metrics-helper` to your cluster. It scrapes elastic network interface and IP address information, aggregates it at a cluster level, and publishes the metrics to Amazon CloudWatch. For more information, see https://github.com/aws/amazon-vpc-cni-k8s/blob/master/cmd/cni-metrics-helper/README.md[cni-metrics-helper] on GitHub. + + diff --git a/latest/ug/networking/vpc-add-on-self-managed-update.adoc b/latest/ug/networking/vpc-add-on-self-managed-update.adoc new file mode 100644 index 000000000..a80f4da33 --- /dev/null +++ b/latest/ug/networking/vpc-add-on-self-managed-update.adoc @@ -0,0 +1,75 @@ +//!!NODE_ROOT
+[.topic] +[[vpc-add-on-self-managed-update,vpc-add-on-self-managed-update.title]] += Update the Amazon VPC CNI (self-managed add-on) +:info_titleabbrev: Update (self-managed) + +include::../attributes.txt[] + +[IMPORTANT] +==== + +We recommend adding the Amazon EKS type of the add-on to your cluster instead of using the self-managed type of the add-on. If you're not familiar with the difference between the types, see <>. For more information about adding an Amazon EKS add-on to your cluster, see <>. If you're unable to use the Amazon EKS add-on, we encourage you to submit an issue about why you can't to the https://github.com/aws/containers-roadmap/issues[Containers roadmap GitHub repository]. + +==== +. Confirm that you don't have the Amazon EKS type of the add-on installed on your cluster. Replace [.replaceable]`my-cluster` with the name of your cluster. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks describe-addon --cluster-name my-cluster --addon-name vpc-cni --query addon.addonVersion --output text +---- ++ +If an error message is returned, you don't have the Amazon EKS type of the add-on installed on your cluster. To self-manage the add-on, complete the remaining steps in this procedure to update the add-on. If a version number is returned, you have the Amazon EKS type of the add-on installed on your cluster. To update it, use the procedure in <>, rather than using this procedure. If you're not familiar with the differences between the add-on types, see <>. +. See which version of the container image is currently installed on your cluster. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl describe daemonset aws-node --namespace kube-system | grep amazon-k8s-cni: | cut -d : -f 3 +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +v1.16.4-eksbuild.2 +---- ++ +Your output might not include the build number. +. Backup your current settings so you can configure the same settings once you've updated your version. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl get daemonset aws-node -n kube-system -o yaml > aws-k8s-cni-old.yaml +---- +To review the available versions and familiarize yourself with the changes in the version that you want to update to, see https://github.com/aws/amazon-vpc-cni-k8s/releases[releases] on [.noloc]`GitHub`. Note that we recommend updating to the same `major`.``minor``.``patch`` version listed in the latest available versions table, even if later versions are available on GitHub. For the latest available version table, see <>. The build versions listed in the table aren't specified in the self-managed versions listed on GitHub. Update your version by completing the tasks in one of the following options: ++ +** If you don't have any custom settings for the add-on, then run the command under the `To apply this release:` heading on GitHub for the https://github.com/aws/amazon-vpc-cni-k8s/releases[release] that you're updating to. +** If you have custom settings, download the manifest file with the following command. Change [.replaceable]`https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.19.0/config/master/aws-k8s-cni.yaml` to the URL for the release on GitHub that you're updating to. ++ +[source,bash,subs="verbatim,attributes"] +---- +curl -O https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.19.0/config/master/aws-k8s-cni.yaml +---- ++ +If necessary, modify the manifest with the custom settings from the backup you made in a previous step and then apply the modified manifest to your cluster. If your nodes don't have access to the private Amazon EKS Amazon ECR repositories that the images are pulled from (see the lines that start with `image:` in the manifest), then you'll have to download the images, copy them to your own repository, and modify the manifest to pull the images from your repository. For more information, see <>. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl apply -f aws-k8s-cni.yaml +---- +. Confirm that the new version is now installed on your cluster. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl describe daemonset aws-node --namespace kube-system | grep amazon-k8s-cni: | cut -d : -f 3 +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +v1.19.0 +---- +. (Optional) Install the `cni-metrics-helper` to your cluster. It scrapes elastic network interface and IP address information, aggregates it at a cluster level, and publishes the metrics to Amazon CloudWatch. For more information, see https://github.com/aws/amazon-vpc-cni-k8s/blob/master/cmd/cni-metrics-helper/README.md[cni-metrics-helper] on GitHub. + + diff --git a/latest/ug/networking/vpc-add-on-update.adoc b/latest/ug/networking/vpc-add-on-update.adoc new file mode 100644 index 000000000..399173da2 --- /dev/null +++ b/latest/ug/networking/vpc-add-on-update.adoc @@ -0,0 +1,80 @@ +//!!NODE_ROOT
+[.topic] +[[vpc-add-on-update,vpc-add-on-update.title]] += Update the Amazon VPC CNI (Amazon EKS add-on) +:info_titleabbrev: Update (Amazon EKS add-on) + +include::../attributes.txt[] + +Update the Amazon EKS type of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on. If you haven't added the Amazon EKS type of the add-on to your cluster, you can install it by following <>. Or, update the other type of VPC CNI installation by following <>. + +. See which version of the add-on is installed on your cluster. Replace [.replaceable]`my-cluster` with your cluster name. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks describe-addon --cluster-name my-cluster --addon-name vpc-cni --query "addon.addonVersion" --output text +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +v1.16.4-eksbuild.2 +---- ++ +Compare the version with the table of latest versions at <>. If the version returned is the same as the version for your cluster's [.noloc]`Kubernetes` version in the latest version table, then you already have the latest version installed on your cluster and don't need to complete the rest of this procedure. If you receive an error, instead of a version number in your output, then you don't have the Amazon EKS type of the add-on installed on your cluster. You need to create the add-on before you can update it with this procedure. To create the Amazon EKS type of the VPC CNI add-on, you can follow <>. +. Save the configuration of your currently installed add-on. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl get daemonset aws-node -n kube-system -o yaml > aws-k8s-cni-old.yaml +---- +. Update your add-on using the {aws} CLI. If you want to use the {aws-management-console} or `eksctl` to update the add-on, see <>. Copy the command that follows to your device. Make the following modifications to the command, as needed, and then run the modified command. ++ +** Replace [.replaceable]`my-cluster` with the name of your cluster. +** Replace [.replaceable]`v1.19.0-eksbuild.1` with the latest version listed in the latest version table for your cluster version. +** Replace [.replaceable]`111122223333` with your account ID and [.replaceable]`AmazonEKSVPCCNIRole` with the name of an existing IAM role that you've created. To create an IAM role for the VPC CNI, see <>. Specifying a role requires that you have an IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you have one for your cluster, or to create one, see <>. +** The `--resolve-conflicts PRESERVE` option preserves existing configuration values for the add-on. If you've set custom values for add-on settings, and you don't use this option, Amazon EKS overwrites your values with its default values. If you use this option, then we recommend testing any field and value changes on a non-production cluster before updating the add-on on your production cluster. If you change this value to `OVERWRITE`, all settings are changed to Amazon EKS default values. If you've set custom values for any settings, they might be overwritten with Amazon EKS default values. If you change this value to `none`, Amazon EKS doesn't change the value of any settings, but the update might fail. If the update fails, you receive an error message to help you resolve the conflict. +** If you're not updating a configuration setting, remove `--configuration-values '{[.replaceable]``"env":{"AWS_VPC_K8S_CNI_EXTERNALSNAT":"true"}``}'` from the command. If you're updating a configuration setting, replace [.replaceable]`"env":{"AWS_VPC_K8S_CNI_EXTERNALSNAT":"true"}` with the setting that you want to set. In this example, the `AWS_VPC_K8S_CNI_EXTERNALSNAT` environment variable is set to `true`. The value that you specify must be valid for the configuration schema. If you don't know the configuration schema, run `aws eks describe-addon-configuration --addon-name vpc-cni --addon-version [.replaceable]``v1.19.0-eksbuild.1```, replacing [.replaceable]`v1.19.0-eksbuild.1` with the version number of the add-on that you want to see the configuration for. The schema is returned in the output. If you have any existing custom configuration, want to remove it all, and set the values for all settings back to Amazon EKS defaults, remove [.replaceable]`"env":{"AWS_VPC_K8S_CNI_EXTERNALSNAT":"true"}` from the command, so that you have empty `{}`. For an explanation of each setting, see https://github.com/aws/amazon-vpc-cni-k8s#cni-configuration-variables[CNI Configuration Variables] on GitHub. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks update-addon --cluster-name my-cluster --addon-name vpc-cni --addon-version v1.19.0-eksbuild.1 \ + --service-account-role-arn {arn-aws}iam::111122223333:role/AmazonEKSVPCCNIRole \ + --resolve-conflicts PRESERVE --configuration-values '{"env":{"AWS_VPC_K8S_CNI_EXTERNALSNAT":"true"}}' +---- ++ +It might take several seconds for the update to complete. +. Confirm that the add-on version was updated. Replace [.replaceable]`my-cluster` with the name of your cluster. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks describe-addon --cluster-name my-cluster --addon-name vpc-cni +---- ++ +It might take several seconds for the update to complete. ++ +An example output is as follows. ++ +[source,json,subs="verbatim,attributes"] +---- +{ + "addon": { + "addonName": "vpc-cni", + "clusterName": "my-cluster", + "status": "ACTIVE", + "addonVersion": "v1.19.0-eksbuild.1", + "health": { + "issues": [] + }, + "addonArn": "{arn-aws}eks:region:111122223333:addon/my-cluster/vpc-cni/74c33d2f-b4dc-8718-56e7-9fdfa65d14a9", + "createdAt": "2023-04-12T18:25:19.319000+00:00", + "modifiedAt": "2023-04-12T18:40:28.683000+00:00", + "serviceAccountRoleArn": "{arn-aws}iam::111122223333:role/AmazonEKSVPCCNIRole", + "tags": {}, + "configurationValues": "{\"env\":{\"AWS_VPC_K8S_CNI_EXTERNALSNAT\":\"true\"}}" + } +} +---- + + From cca39a3f7e819ac3a8cba061c97658553166bcb7 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Fri, 17 Jan 2025 18:52:18 +0000 Subject: [PATCH 023/940] Update launch-node-ubuntu.adoc #835: https://github.com/awsdocs/amazon-eks-user-guide/pull/835/files --- latest/ug/nodes/launch-node-ubuntu.adoc | 1 - 1 file changed, 1 deletion(-) diff --git a/latest/ug/nodes/launch-node-ubuntu.adoc b/latest/ug/nodes/launch-node-ubuntu.adoc index 35909f2a2..4ad3cf064 100644 --- a/latest/ug/nodes/launch-node-ubuntu.adoc +++ b/latest/ug/nodes/launch-node-ubuntu.adoc @@ -64,7 +64,6 @@ nodeGroups: instanceType: m5.large desiredCapacity: 3 amiFamily: Ubuntu2204 - ami: auto-ssm iam: attachPolicyARNs: - {arn-aws}iam::aws:policy/AmazonEKSWorkerNodePolicy From ee916c9baa70027c236c7fce5de0f9ab0ded5fea Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Fri, 17 Jan 2025 21:52:28 +0000 Subject: [PATCH 024/940] Split Security chapter pages into separate files. --- .../networking/cni-increase-ip-addresses.adoc | 3 +- latest/ug/security/cert-signing.adoc | 140 ++ latest/ug/security/compliance.adoc | 4 - .../configuration-vulnerability-analysis.adoc | 7 - latest/ug/security/default-roles-users.adoc | 193 +++ .../disaster-recovery-resiliency.adoc | 27 + latest/ug/security/enable-kms.adoc | 190 +++ .../iam-reference/auto-cluster-iam-role.adoc | 1 + .../iam-reference/auto-create-node-role.adoc | 1 + .../iam-reference/cluster-iam-role.adoc | 1 + .../iam-reference/connector-iam-role.adoc | 171 +++ .../iam-reference/create-node-role.adoc | 1 + .../iam-reference/pod-execution-role.adoc | 172 +++ ...security-iam-id-based-policy-examples.adoc | 250 ++++ .../security-iam-service-with-iam.adoc | 154 +++ .../security/iam-reference/security-iam.adoc | 1188 +---------------- ...ng-service-linked-roles-eks-connector.adoc | 75 ++ ...sing-service-linked-roles-eks-fargate.adoc | 95 ++ ...g-service-linked-roles-eks-nodegroups.adoc | 94 ++ ...sing-service-linked-roles-eks-outpost.adoc | 96 ++ .../using-service-linked-roles-eks.adoc | 89 ++ .../using-service-linked-roles.adoc | 28 + .../ug/security/infrastructure-security.adoc | 40 + latest/ug/security/manage-secrets.adoc | 23 + .../pod-security-policy-removal-faq.adoc | 116 ++ latest/ug/security/pod-security-policy.adoc | 197 +++ .../ug/security/security-best-practices.adoc | 16 + latest/ug/security/security-eks.adoc | 129 +- latest/ug/security/security-k8s.adoc | 848 +----------- latest/ug/security/security.adoc | 48 +- .../ug/security/vpc-interface-endpoints.adoc | 63 + 31 files changed, 2273 insertions(+), 2187 deletions(-) create mode 100644 latest/ug/security/cert-signing.adoc create mode 100644 latest/ug/security/default-roles-users.adoc create mode 100644 latest/ug/security/disaster-recovery-resiliency.adoc create mode 100644 latest/ug/security/enable-kms.adoc create mode 100644 latest/ug/security/iam-reference/connector-iam-role.adoc create mode 100644 latest/ug/security/iam-reference/pod-execution-role.adoc create mode 100644 latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc create mode 100644 latest/ug/security/iam-reference/security-iam-service-with-iam.adoc create mode 100644 latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc create mode 100644 latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc create mode 100644 latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc create mode 100644 latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc create mode 100644 latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc create mode 100644 latest/ug/security/iam-reference/using-service-linked-roles.adoc create mode 100644 latest/ug/security/infrastructure-security.adoc create mode 100644 latest/ug/security/manage-secrets.adoc create mode 100644 latest/ug/security/pod-security-policy-removal-faq.adoc create mode 100644 latest/ug/security/pod-security-policy.adoc create mode 100644 latest/ug/security/security-best-practices.adoc create mode 100644 latest/ug/security/vpc-interface-endpoints.adoc diff --git a/latest/ug/networking/cni-increase-ip-addresses.adoc b/latest/ug/networking/cni-increase-ip-addresses.adoc index d74e1edc7..d13bcf44b 100644 --- a/latest/ug/networking/cni-increase-ip-addresses.adoc +++ b/latest/ug/networking/cni-increase-ip-addresses.adoc @@ -1,3 +1,4 @@ +//!!NODE_ROOT
[.topic] [[cni-increase-ip-addresses,cni-increase-ip-addresses.title]] = Assign more IP addresses to Amazon EKS nodes with prefixes @@ -61,5 +62,3 @@ Consider the following when you use this feature: If you're also using <>, with `POD_SECURITY_GROUP_ENFORCING_MODE`=``strict``, when your `Pods` communicate with endpoints outside of your VPC, the `Pod's` security groups are used. -[.topic] - diff --git a/latest/ug/security/cert-signing.adoc b/latest/ug/security/cert-signing.adoc new file mode 100644 index 000000000..e04c90f68 --- /dev/null +++ b/latest/ug/security/cert-signing.adoc @@ -0,0 +1,140 @@ +//!!NODE_ROOT
+[.topic] +[[cert-signing,cert-signing.title]] += Secure workloads with [.noloc]`Kubernetes` certificates +:info_titleabbrev: Certificate signing + +include::../attributes.txt[] + +[abstract] +-- +Learn how to request and obtain X.509 certificates from the Certificate Authority (CA) using Certificate Signing Requests (CSRs) in Amazon EKS, including details on migrating from legacy signers, generating CSRs, approving requests, and handling certificate signing considerations before upgrading to Kubernetes 1.24. +-- + +The [.noloc]`Kubernetes` Certificates API automates https://www.itu.int/rec/T-REC-X.509[X.509] credential provisioning. The API features a command line interface for [.noloc]`Kubernetes` API clients to request and obtain https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/[X.509 certificates] from a Certificate Authority (CA). You can use the `CertificateSigningRequest` (CSR) resource to request that a denoted signer sign the certificate. Your requests are either approved or denied before they're signed. [.noloc]`Kubernetes` supports both built-in signers and custom signers with well-defined behaviors. This way, clients can predict what happens to their CSRs. To learn more about certificate signing, see https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/[signing requests]. + +One of the built-in signers is `kubernetes.io/legacy-unknown`. The `v1beta1` API of CSR resource honored this legacy-unknown signer. However, the stable `v1` API of CSR doesn't allow the `signerName` to be set to `kubernetes.io/legacy-unknown`. + +Amazon EKS version `1.21` and earlier allowed the `legacy-unknown` value as the `signerName` in `v1beta1` CSR API. This API enables the Amazon EKS Certificate Authority (CA) to generate certificates. However, in [.noloc]`Kubernetes` version `1.22`, the `v1beta1` CSR API was replaced by the `v1` CSR API. This API doesn't support the signerName of "`legacy-unknown.`" If you want to use Amazon EKS CA for generating certificates on your clusters, you must use a custom signer. It was introduced in Amazon EKS version `1.22`. To use the CSR `v1` API version and generate a new certificate, you must migrate any existing manifests and API clients. Existing certificates that were created with the existing `v1beta1` API are valid and function until the certificate expires. This includes the following: + + + +* Trust distribution: None. There's no standard trust or distribution for this signer in a [.noloc]`Kubernetes` cluster. +* Permitted subjects: Any +* Permitted x509 extensions: Honors subjectAltName and key usage extensions and discards other extensions +* Permitted key usages: Must not include usages beyond ["key encipherment", "digital signature", "server auth"] ++ +NOTE: Client certificate signing is not supported. +* Expiration/certificate lifetime: 1 year (default and maximum) +* CA bit allowed/disallowed: Not allowed + + +[[csr-example,csr-example.title]] +== Example CSR generation with signerName + +These steps shows how to generate a serving certificate for DNS name `myserver.default.svc` using `signerName: beta.eks.amazonaws.com/app-serving`. Use this as a guide for your own environment. + +. Run the `openssl genrsa -out myserver.key 2048` command to generate an RSA private key. ++ +[source,bash,subs="verbatim,attributes"] +---- +openssl genrsa -out myserver.key 2048 +---- +. Run the following command to generate a certificate request. ++ +[source,bash,subs="verbatim,attributes"] +---- +openssl req -new -key myserver.key -out myserver.csr -subj "/CN=myserver.default.svc" +---- +. Generate a `base64` value for the CSR request and store it in a variable for use in a later step. ++ +[source,bash,subs="verbatim,attributes"] +---- +base_64=$(cat myserver.csr | base64 -w 0 | tr -d " +") +---- +. Run the following command to create a file named `mycsr.yaml`. In the following example, `beta.eks.amazonaws.com/app-serving` is the `signerName`. ++ +[source,yaml,subs="verbatim,attributes"] +---- +cat >mycsr.yaml < myserver.crt +---- + + +[[csr-considerations,csr-considerations.title]] +== Certificate signing considerations before upgrading your cluster to [.noloc]`Kubernetes` 1.24 + +In [.noloc]`Kubernetes` `1.23` and earlier, `kubelet` serving certificates with unverifiable IP and DNS Subject Alternative Names (SANs) are automatically issued with unverifiable SANs. The SANs are omitted from the provisioned certificate. In `1.24` and later clusters, `kubelet` serving certificates aren't issued if a SAN can't be verified. This prevents the `kubectl exec` and `kubectl logs` commands from working. + +Before upgrading your cluster to `1.24`, determine whether your cluster has certificate signing requests (CSR) that haven't been approved by completing the following steps: + +. Run the following command. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl get csr -A +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION +csr-7znmf 90m kubernetes.io/kubelet-serving system:node:ip-192-168-42-149.region.compute.internal Approved +csr-9xx5q 90m kubernetes.io/kubelet-serving system:node:ip-192-168-65-38.region.compute.internal Approved, Issued +---- ++ +If the returned output shows a CSR with a https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers[kubernetes.io/kubelet-serving] signer that's `Approved` but not `Issued` for a node, then you need to approve the request. +. Manually approve the CSR. Replace `csr-[.replaceable]``7znmf``` with your own value. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl certificate approve csr-7znmf +---- + +To auto-approve CSRs in the future, we recommend that you write an approving controller that can automatically validate and approve CSRs that contain IP or DNS SANs that Amazon EKS can't verify. + diff --git a/latest/ug/security/compliance.adoc b/latest/ug/security/compliance.adoc index e8be4ab3e..41afe5093 100644 --- a/latest/ug/security/compliance.adoc +++ b/latest/ug/security/compliance.adoc @@ -5,10 +5,6 @@ :info_doctype: section :info_title: Compliance validation for Amazon EKS clusters :info_titleabbrev: Validate compliance -:info_abstract: Discover compliance resources and services for Amazon Elastic Kubernetes Service \ - to help secure your {aws} workloads, meet regulatory requirements like HIPAA, and \ - validate adherence to security standards like NIST, PCI, and ISO using {aws} Config, \ - Security Hub, GuardDuty, and Audit Manager. include::../attributes.txt[] diff --git a/latest/ug/security/configuration-vulnerability-analysis.adoc b/latest/ug/security/configuration-vulnerability-analysis.adoc index 7ee9138e4..bc9880105 100644 --- a/latest/ug/security/configuration-vulnerability-analysis.adoc +++ b/latest/ug/security/configuration-vulnerability-analysis.adoc @@ -2,14 +2,7 @@ [.topic] [[configuration-vulnerability-analysis,configuration-vulnerability-analysis.title]] = Analyze vulnerabilities in Amazon EKS -:info_doctype: section -:info_title: Analyze vulnerabilities \ - in Amazon EKS :info_titleabbrev: Analyze vulnerabilities -:info_abstract: Learn how to analyze the security configuration and vulnerabilities of your Amazon EKS \ - clusters and resources using tools like the CIS EKS Benchmark, platform \ - versions, vulnerability lists, Amazon Inspector, and Amazon GuardDuty for \ - comprehensive threat detection and protection. include::../attributes.txt[] diff --git a/latest/ug/security/default-roles-users.adoc b/latest/ug/security/default-roles-users.adoc new file mode 100644 index 000000000..0cb5878ca --- /dev/null +++ b/latest/ug/security/default-roles-users.adoc @@ -0,0 +1,193 @@ +//!!NODE_ROOT
+[.topic] +[[default-roles-users,default-roles-users.title]] += Understand Amazon EKS created RBAC roles and users +:info_titleabbrev: Default roles and users + +include::../attributes.txt[] + +[abstract] +-- +Learn about the Kubernetes roles and users that Amazon EKS creates for cluster components and add-ons. Amazon EKS uses these role-based authorization control (RBAC) identities to operate the cluster. +-- + +When you create a [.noloc]`Kubernetes` cluster, several default [.noloc]`Kubernetes` identities are created on that cluster for the proper functioning of [.noloc]`Kubernetes`. Amazon EKS creates [.noloc]`Kubernetes` identities for each of its default components. The identities provide [.noloc]`Kubernetes` role-based authorization control (RBAC) for the cluster components. For more information, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Using RBAC Authorization] in the [.noloc]`Kubernetes` documentation. + +When you install optional <> to your cluster, additional [.noloc]`Kubernetes` identities might be added to your cluster. For more information about identities not addressed by this topic, see the documentation for the add-on. + +You can view the list of Amazon EKS created [.noloc]`Kubernetes` identities on your cluster using the {aws-management-console} or `kubectl` command line tool. All of the user identities appear in the `kube` audit logs available to you through Amazon CloudWatch. + + + +*{aws-management-console}*:: + +.Prerequisite +The link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that you use must have the permissions described in <>. ++ +.. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. +.. In the *Clusters* list, choose the cluster that contains the identities that you want to view. +.. Choose the *Resources* tab. +.. Under *Resource types*, choose *Authorization*. +.. Choose, *ClusterRoles*, *ClusterRoleBindings*, *Roles*, or *RoleBindings*. All resources prefaced with *eks* are created by Amazon EKS. Additional Amazon EKS created identity resources are: ++ +*** The *ClusterRole* and *ClusterRoleBinding* named *aws-node*. The *aws-node* resources support the <>, which Amazon EKS installs on all clusters. +*** A *ClusterRole* named *vpc-resource-controller-role* and a *ClusterRoleBinding* named *vpc-resource-controller-rolebinding*. These resources support the https://github.com/aws/amazon-vpc-resource-controller-k8s[Amazon VPC resource controller], which Amazon EKS installs on all clusters. + ++ +In addition to the resources that you see in the console, the following special user identities exist on your cluster, though they're not visible in the cluster's configuration: ++ +*** *`eks:cluster-bootstrap`* – Used for `kubectl` operations during cluster bootstrap. +*** *`eks:support-engineer`* – Used for cluster management operations. +.. Choose a specific resource to view details about it. By default, you're shown information in *Structured view*. In the top-right corner of the details page you can choose *Raw view* to see all information for the resource. + + +*Kubectl*:: + +.Prerequisite +The entity that you use ({aws} Identity and Access Management (IAM) or [.noloc]`OpenID Connect` ([.noloc]`OIDC`)) to list the [.noloc]`Kubernetes` resources on the cluster must be authenticated by IAM or your [.noloc]`OIDC` identity provider. The entity must be granted permissions to use the [.noloc]`Kubernetes` `get` and `list` verbs for the `Role`, `ClusterRole`, `RoleBinding`, and `ClusterRoleBinding` resources on your cluster that you want the entity to work with. For more information about granting IAM entities access to your cluster, see <>. For more information about granting entities authenticated by your own [.noloc]`OIDC` provider access to your cluster, see <>. +.To view Amazon EKS created identities using `kubectl` +Run the command for the type of resource that you want to see. All returned resources that are prefaced with *eks* are created by Amazon EKS. In addition to the resources returned in the output from the commands, the following special user identities exist on your cluster, though they're not visible in the cluster's configuration: ++ +** *`eks:cluster-bootstrap`* – Used for `kubectl` operations during cluster bootstrap. +** *`eks:support-engineer`* – Used for cluster management operations. ++ +*ClusterRoles* – `ClusterRoles` are scoped to your cluster, so any permission granted to a role applies to resources in any [.noloc]`Kubernetes` namespace on the cluster. ++ +The following command returns all of the Amazon EKS created [.noloc]`Kubernetes` `ClusterRoles` on your cluster. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl get clusterroles | grep eks +---- ++ +In addition to the `ClusterRoles` returned in the output that are prefaced with, the following `ClusterRoles` exist. ++ +** *`aws-node`* – This `ClusterRole` supports the <>, which Amazon EKS installs on all clusters. +** *`vpc-resource-controller-role`* – This `ClusterRole` supports the https://github.com/aws/amazon-vpc-resource-controller-k8s[Amazon VPC resource controller], which Amazon EKS installs on all clusters. + ++ +To see the specification for a `ClusterRole`, replace [.replaceable]`eks:k8s-metrics` in the following command with a `ClusterRole` returned in the output of the previous command. The following example returns the specification for the [.replaceable]`eks:k8s-metrics` `ClusterRole`. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl describe clusterrole eks:k8s-metrics +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +Name: eks:k8s-metrics +Labels: +Annotations: +PolicyRule: + Resources Non-Resource URLs Resource Names Verbs + --------- ----------------- -------------- ----- + [/metrics] [] [get] + endpoints [] [] [list] + nodes [] [] [list] + pods [] [] [list] + deployments.apps [] [] [list] +---- ++ +*ClusterRoleBindings* – `ClusterRoleBindings` are scoped to your cluster. ++ +The following command returns all of the Amazon EKS created [.noloc]`Kubernetes` `ClusterRoleBindings` on your cluster. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl get clusterrolebindings | grep eks +---- ++ +In addition to the `ClusterRoleBindings` returned in the output, the following `ClusterRoleBindings` exist. ++ +** *`aws-node`* – This `ClusterRoleBinding` supports the <>, which Amazon EKS installs on all clusters. +** *`vpc-resource-controller-rolebinding`* – This `ClusterRoleBinding` supports the https://github.com/aws/amazon-vpc-resource-controller-k8s[Amazon VPC resource controller], which Amazon EKS installs on all clusters. + ++ +To see the specification for a `ClusterRoleBinding`, replace [.replaceable]`eks:k8s-metrics` in the following command with a `ClusterRoleBinding` returned in the output of the previous command. The following example returns the specification for the [.replaceable]`eks:k8s-metrics` `ClusterRoleBinding`. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl describe clusterrolebinding eks:k8s-metrics +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +Name: eks:k8s-metrics +Labels: +Annotations: +Role: + Kind: ClusterRole + Name: eks:k8s-metrics +Subjects: + Kind Name Namespace + ---- ---- --------- + User eks:k8s-metrics +---- ++ +*Roles* – `Roles` are scoped to a [.noloc]`Kubernetes` namespace. All Amazon EKS created `Roles` are scoped to the `kube-system` namespace. ++ +The following command returns all of the Amazon EKS created [.noloc]`Kubernetes` `Roles` on your cluster. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl get roles -n kube-system | grep eks +---- ++ +To see the specification for a `Role`, replace [.replaceable]`eks:k8s-metrics` in the following command with the name of a `Role` returned in the output of the previous command. The following example returns the specification for the [.replaceable]`eks:k8s-metrics` `Role`. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl describe role eks:k8s-metrics -n kube-system +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +Name: eks:k8s-metrics +Labels: +Annotations: +PolicyRule: + Resources Non-Resource URLs Resource Names Verbs + --------- ----------------- -------------- ----- + daemonsets.apps [] [aws-node] [get] + deployments.apps [] [vpc-resource-controller] [get] +---- ++ +*RoleBindings* – `RoleBindings` are scoped to a [.noloc]`Kubernetes` namespace. All Amazon EKS created `RoleBindings` are scoped to the `kube-system` namespace. ++ +The following command returns all of the Amazon EKS created [.noloc]`Kubernetes` `RoleBindings` on your cluster. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl get rolebindings -n kube-system | grep eks +---- ++ +To see the specification for a `RoleBinding`, replace [.replaceable]`eks:k8s-metrics` in the following command with a `RoleBinding` returned in the output of the previous command. The following example returns the specification for the [.replaceable]`eks:k8s-metrics` `RoleBinding`. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl describe rolebinding eks:k8s-metrics -n kube-system +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +Name: eks:k8s-metrics +Labels: +Annotations: +Role: + Kind: Role + Name: eks:k8s-metrics +Subjects: + Kind Name Namespace + ---- ---- --------- + User eks:k8s-metrics +---- + + diff --git a/latest/ug/security/disaster-recovery-resiliency.adoc b/latest/ug/security/disaster-recovery-resiliency.adoc new file mode 100644 index 000000000..de33547f8 --- /dev/null +++ b/latest/ug/security/disaster-recovery-resiliency.adoc @@ -0,0 +1,27 @@ +//!!NODE_ROOT
+[.topic] +[[disaster-recovery-resiliency,disaster-recovery-resiliency.title]] += Understand resilience in Amazon EKS clusters +:info_titleabbrev: Resilience + +include::../attributes.txt[] + +[abstract] +-- +Learn how Amazon EKS ensures high availability, data resilience, and fault tolerance for your [.noloc]`Kubernetes` control plane by leveraging {aws} infrastructure across multiple Availability Zones . +-- + +The {aws} global infrastructure is built around {aws} Regions and Availability Zones. {aws} Regions provide multiple physically separated and isolated Availability Zones, which are connected with low-latency, high-throughput, and highly redundant networking. With Availability Zones, you can design and operate applications and databases that automatically fail over between Availability Zones without interruption. Availability Zones are more highly available, fault tolerant, and scalable than traditional single or multiple data center infrastructures. + +Amazon EKS runs and scales the [.noloc]`Kubernetes` control plane across multiple {aws} Availability Zones to ensure high availability. Amazon EKS automatically scales control plane instances based on load, detects and replaces unhealthy control plane instances, and automatically patches the control plane. After you initiate a version update, Amazon EKS updates your control plane for you, maintaining high availability of the control plane during the update. + +This control plane consists of at least two API server instances and three `etcd` instances that run across three Availability Zones within an {aws} Region. Amazon EKS: + + + +* Actively monitors the load on control plane instances and automatically scales them to ensure high performance. +* Automatically detects and replaces unhealthy control plane instances, restarting them across the Availability Zones within the {aws} Region as needed. +* Leverages the architecture of {aws} Regions in order to maintain high availability. Because of this, Amazon EKS is able to offer an link:eks/sla[SLA for API server endpoint availability,type="marketing"]. + +For more information about {aws} Regions and Availability Zones, see link:about-aws/global-infrastructure/[{aws} global infrastructure,type="marketing"]. + diff --git a/latest/ug/security/enable-kms.adoc b/latest/ug/security/enable-kms.adoc new file mode 100644 index 000000000..314619f36 --- /dev/null +++ b/latest/ug/security/enable-kms.adoc @@ -0,0 +1,190 @@ +//!!NODE_ROOT
+[.topic] +[[enable-kms,enable-kms.title]] += Encrypt Kubernetes secrets with {aws} KMS on existing clusters +:info_titleabbrev: Enable secret encryption + +include::../attributes.txt[] + +[abstract] +-- +Learn how to enable Kubernetes secrets encryption with {aws} KMS on an existing Amazon EKS cluster, ensuring secure storage of sensitive data. +-- + +If you enable https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/[secrets encryption], the [.noloc]`Kubernetes` secrets are encrypted using the {aws} KMS key that you select. The KMS key must meet the following conditions: + +* Symmetric +* Can encrypt and decrypt data +* Created in the same {aws} Region as the cluster +* If the KMS key was created in a different account, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] must have access to the KMS key. + +For more information, see link:kms/latest/developerguide/key-policy-modifying-external-accounts.html[Allowing IAM principals in other accounts to use a KMS key,type="documentation"] in the _link:kms/latest/developerguide/[{aws} Key Management Service Developer Guide,type="documentation"]_. + +[WARNING] +==== + +You can't disable secrets encryption after enabling it. This action is irreversible. + +==== + +eksctl :: + +You can enable encryption in two ways: + +** Add encryption to your cluster with a single command. ++ +To automatically re-encrypt your secrets, run the following command. ++ +[source,bash,subs="verbatim,attributes"] +---- +eksctl utils enable-secrets-encryption \ + --cluster my-cluster \ + --key-arn {arn-aws}kms:region-code:account:key/key +---- ++ +To opt-out of automatically re-encrypting your secrets, run the following command. ++ +[source,bash,subs="verbatim,attributes"] +---- +eksctl utils enable-secrets-encryption + --cluster my-cluster \ + --key-arn {arn-aws}kms:region-code:account:key/key \ + --encrypt-existing-secrets=false +---- +** Add encryption to your cluster with a `kms-cluster.yaml` file. ++ +[source,yaml,subs="verbatim,attributes"] +---- +apiVersion: eksctl.io/v1alpha5 +kind: ClusterConfig + +metadata: + name: my-cluster + region: region-code + +secretsEncryption: + keyARN: {arn-aws}kms:region-code:account:key/key +---- ++ +To have your secrets re-encrypt automatically, run the following command. ++ +[source,bash,subs="verbatim,attributes"] +---- +eksctl utils enable-secrets-encryption -f kms-cluster.yaml +---- ++ +To opt out of automatically re-encrypting your secrets, run the following command. ++ +[source,bash,subs="verbatim,attributes"] +---- +eksctl utils enable-secrets-encryption -f kms-cluster.yaml --encrypt-existing-secrets=false +---- + + +{aws-management-console}:: +.. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. +.. Choose the cluster that you want to add KMS encryption to. +.. Choose the *Overview* tab (this is selected by default). +.. Scroll down to the *Secrets encryption* section and choose *Enable*. +.. Select a key from the dropdown list and choose the *Enable* button. If no keys are listed, you must create one first. For more information, see link:kms/latest/developerguide/create-keys.html[Creating keys,type="documentation"] +.. Choose the *Confirm* button to use the chosen key. + + +{aws} CLI:: +.. Associate the https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/[secrets encryption] configuration with your cluster using the following {aws} CLI command. Replace the [.replaceable]`example values` with your own. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks associate-encryption-config \ + --cluster-name my-cluster \ + --encryption-config '[{"resources":["secrets"],"provider":{"keyArn":"{arn-aws}kms:region-code:account:key/key"}}]' +---- ++ +An example output is as follows. ++ +[source,json,subs="verbatim,attributes"] +---- +{ +  "update": { +    "id": "3141b835-8103-423a-8e68-12c2521ffa4d", +    "status": "InProgress", +    "type": "AssociateEncryptionConfig", +    "params": [ +      { +        "type": "EncryptionConfig", +        "value": "[{\"resources\":[\"secrets\"],\"provider\":{\"keyArn\":\"{arn-aws}kms:region-code:account:key/key\"}}]" +      } +    ], +    "createdAt": 1613754188.734, +    "errors": [] +  } +} +---- +.. You can monitor the status of your encryption update with the following command. Use the specific `cluster name` and `update ID` that was returned in the previous output. When a `Successful` status is displayed, the update is complete. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks describe-update \ + --region region-code \ + --name my-cluster \ + --update-id 3141b835-8103-423a-8e68-12c2521ffa4d +---- ++ +An example output is as follows. ++ +[source,json,subs="verbatim,attributes"] +---- +{ +  "update": { +    "id": "3141b835-8103-423a-8e68-12c2521ffa4d", +    "status": "Successful", +    "type": "AssociateEncryptionConfig", +    "params": [ +      { +        "type": "EncryptionConfig", +        "value": "[{\"resources\":[\"secrets\"],\"provider\":{\"keyArn\":\"{arn-aws}kms:region-code:account:key/key\"}}]" +      } +    ], +    "createdAt": 1613754188.734>, +    "errors": [] +  } +} +---- +.. To verify that encryption is enabled in your cluster, run the `describe-cluster` command. The response contains an `EncryptionConfig` string. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks describe-cluster --region region-code --name my-cluster +---- + +After you enabled encryption on your cluster, you must encrypt all existing secrets with the new key: + +[NOTE] +==== + +If you use `eksctl`, running the following command is necessary only if you opt out of re-encrypting your secrets automatically. + +==== + +[source,bash,subs="verbatim,attributes"] +---- +kubectl get secrets --all-namespaces -o json | kubectl annotate --overwrite -f - kms-encryption-timestamp="time value" +---- + +[WARNING] +==== + +If you enable https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/[secrets encryption] for an existing cluster and the KMS key that you use is ever deleted, then there's no way to recover the cluster. If you delete the KMS key, you permanently put the cluster in a degraded state. For more information, see link:kms/latest/developerguide/deleting-keys.html[Deleting {aws} KMS keys,type="documentation"]. + +==== + +[NOTE] +==== + +By default, the `create-key` command creates a link:kms/latest/developerguide/symmetric-asymmetric.html[symmetric encryption KMS key,type="documentation"] with a key policy that gives the account root admin access on {aws} KMS actions and resources. If you want to scope down the permissions, make sure that the `kms:DescribeKey` and `kms:CreateGrant` actions are permitted on the policy for the principal that calls the `create-cluster` API. + + +For clusters using KMS Envelope Encryption, `kms:CreateGrant` permissions are required. The condition `kms:GrantIsForAWSResource` is not supported for the CreateCluster action, and should not be used in KMS policies to control `kms:CreateGrant` permissions for users performing CreateCluster. + +==== + diff --git a/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc b/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc index 74cf036af..be9ec9417 100644 --- a/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc +++ b/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc @@ -3,6 +3,7 @@ [[auto-cluster-iam-role,auto-cluster-iam-role.title]] = Amazon EKS Auto Mode cluster IAM role :idprefix: wip_ +:info_titleabbrev: Auto Mode cluster IAM role include::../../attributes.txt[] diff --git a/latest/ug/security/iam-reference/auto-create-node-role.adoc b/latest/ug/security/iam-reference/auto-create-node-role.adoc index 24231ede9..69cc82bb8 100644 --- a/latest/ug/security/iam-reference/auto-create-node-role.adoc +++ b/latest/ug/security/iam-reference/auto-create-node-role.adoc @@ -3,6 +3,7 @@ [[auto-create-node-role,auto-create-node-role.title]] = Amazon EKS Auto Mode node IAM role :idprefix: id_ +:info_titleabbrev: Auto Mode node IAM role include::../../attributes.txt[] diff --git a/latest/ug/security/iam-reference/cluster-iam-role.adoc b/latest/ug/security/iam-reference/cluster-iam-role.adoc index fe9ba478c..24951b62b 100644 --- a/latest/ug/security/iam-reference/cluster-iam-role.adoc +++ b/latest/ug/security/iam-reference/cluster-iam-role.adoc @@ -2,6 +2,7 @@ [.topic] [[cluster-iam-role,cluster-iam-role.title]] = Amazon EKS cluster IAM role +:info_titleabbrev: Cluster IAM role include::../../attributes.txt[] diff --git a/latest/ug/security/iam-reference/connector-iam-role.adoc b/latest/ug/security/iam-reference/connector-iam-role.adoc new file mode 100644 index 000000000..7fb902c99 --- /dev/null +++ b/latest/ug/security/iam-reference/connector-iam-role.adoc @@ -0,0 +1,171 @@ +//!!NODE_ROOT
+[.topic] +[[connector-iam-role,connector-iam-role.title]] += Amazon EKS connector IAM role +:info_titleabbrev: Connector IAM role + +include::../../attributes.txt[] + +You can connect [.noloc]`Kubernetes` clusters to view them in your {aws-management-console}. To connect to a [.noloc]`Kubernetes` cluster, create an IAM role. + +[[check-connector-role,check-connector-role.title]] +== Check for an existing EKS connector role + +You can use the following procedure to check and see if your account already has the Amazon EKS connector role. + +. Open the IAM console at https://console.aws.amazon.com/iam/. +. In the left navigation pane, choose *Roles*. +. Search the list of roles for `AmazonEKSConnectorAgentRole`. If a role that includes `AmazonEKSConnectorAgentRole` doesn't exist, then see <> to create the role. If a role that includes `AmazonEKSConnectorAgentRole` does exist, then select the role to view the attached policies. +. Choose *Permissions*. +. Ensure that the *AmazonEKSConnectorAgentPolicy* managed policy is attached to the role. If the policy is attached, your Amazon EKS connector role is properly configured. +. Choose *Trust relationships*, and then choose *Edit trust policy*. +. Verify that the trust relationship contains the following policy. If the trust relationship matches the following policy, choose *Cancel*. If the trust relationship doesn't match, copy the policy into the *Edit trust policy* window and choose *Update policy*. ++ +[source,json,subs="verbatim,attributes"] +---- +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": [ + "ssm.amazonaws.com" + ] + }, + "Action": "sts:AssumeRole" + } + ] +} +---- + + +[[create-connector-role,create-connector-role.title]] +== Creating the Amazon EKS connector agent role + +You can use the {aws-management-console} or {aws} CloudFormation to create the connector agent role. + +{aws} CLI:: +.. Create a file named `eks-connector-agent-trust-policy.json` that contains the following JSON to use for the IAM role. ++ +[source,json,subs="verbatim,attributes"] +---- +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": [ + "ssm.amazonaws.com" + ] + }, + "Action": "sts:AssumeRole" + } + ] +} +---- +.. Create a file named `eks-connector-agent-policy.json` that contains the following JSON to use for the IAM role. ++ +[source,json,subs="verbatim,attributes"] +---- +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "SsmControlChannel", + "Effect": "Allow", + "Action": [ + "ssmmessages:CreateControlChannel" + ], + "Resource": "{arn-aws}eks:*:*:cluster/*" + }, + { + "Sid": "ssmDataplaneOperations", + "Effect": "Allow", + "Action": [ + "ssmmessages:CreateDataChannel", + "ssmmessages:OpenDataChannel", + "ssmmessages:OpenControlChannel" + ], + "Resource": "*" + } + ] +} +---- +.. Create the Amazon EKS Connector agent role using the trust policy and policy you created in the previous list items. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws iam create-role \ + --role-name AmazonEKSConnectorAgentRole \ + --assume-role-policy-document file://eks-connector-agent-trust-policy.json +---- +.. Attach the policy to your Amazon EKS Connector agent role. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws iam put-role-policy \ + --role-name AmazonEKSConnectorAgentRole \ + --policy-name AmazonEKSConnectorAgentPolicy \ + --policy-document file://eks-connector-agent-policy.json +---- + + +{aws} CloudFormation:: +.. Save the following {aws} CloudFormation template to a text file on your local system. ++ +NOTE: This template also creates the service-linked role that would otherwise be created when the `registerCluster` API is called. See <> for details. ++ +[source,yaml,subs="verbatim,attributes"] +---- +--- +AWSTemplateFormatVersion: '2010-09-09' +Description: 'Provisions necessary resources needed to register clusters in EKS' +Parameters: {} +Resources: + EKSConnectorSLR: + Type: {aws}::IAM::ServiceLinkedRole + Properties: + AWSServiceName: eks-connector.amazonaws.com + + EKSConnectorAgentRole: + Type: {aws}::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: [ 'sts:AssumeRole' ] + Principal: + Service: 'ssm.amazonaws.com' + + EKSConnectorAgentPolicy: + Type: {aws}::IAM::Policy + Properties: + PolicyName: EKSConnectorAgentPolicy + Roles: + - {Ref: 'EKSConnectorAgentRole'} + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: 'Allow' + Action: [ 'ssmmessages:CreateControlChannel' ] + Resource: + - Fn::Sub: 'arn:${{aws}::Partition}:eks:*:*:cluster/*' + - Effect: 'Allow' + Action: [ 'ssmmessages:CreateDataChannel', 'ssmmessages:OpenDataChannel', 'ssmmessages:OpenControlChannel' ] + Resource: "*" +Outputs: + EKSConnectorAgentRoleArn: + Description: The agent role that EKS connector uses to communicate with {aws} services. + Value: !GetAtt EKSConnectorAgentRole.Arn +---- +.. Open the link:cloudformation/[{aws} CloudFormation console,type="console"]. +.. Choose *Create stack* with new resources (standard). +.. For *Specify template*, select *Upload a template file*, and then choose *Choose file*. +.. Choose the file you created earlier, and then choose *Next*. +.. For *Stack name*, enter a name for your role, such as `eksConnectorAgentRole`, and then choose *Next*. +.. On the *Configure stack options* page, choose *Next*. +.. On the *Review* page, review your information, acknowledge that the stack might create IAM resources, and then choose *Create stack*. + diff --git a/latest/ug/security/iam-reference/create-node-role.adoc b/latest/ug/security/iam-reference/create-node-role.adoc index abf05173c..cf39d636c 100644 --- a/latest/ug/security/iam-reference/create-node-role.adoc +++ b/latest/ug/security/iam-reference/create-node-role.adoc @@ -2,6 +2,7 @@ [.topic] [[create-node-role,create-node-role.title]] = Amazon EKS node IAM role +:info_titleabbrev: Node IAM role include::../../attributes.txt[] diff --git a/latest/ug/security/iam-reference/pod-execution-role.adoc b/latest/ug/security/iam-reference/pod-execution-role.adoc new file mode 100644 index 000000000..38f5efb33 --- /dev/null +++ b/latest/ug/security/iam-reference/pod-execution-role.adoc @@ -0,0 +1,172 @@ +//!!NODE_ROOT
+[.topic] +[[pod-execution-role,pod-execution-role.title]] += Amazon EKS [.noloc]`Pod` execution IAM role +:info_titleabbrev: Pod execution IAM role + +include::../../attributes.txt[] + +The Amazon EKS [.noloc]`Pod` execution role is required to run [.noloc]`Pods` on {aws} Fargate infrastructure. + +When your cluster creates [.noloc]`Pods` on {aws} Fargate infrastructure, the components running on the Fargate infrastructure must make calls to {aws} APIs on your behalf. This is so that they can do actions such as pull container images from Amazon ECR or route logs to other {aws} services. The Amazon EKS [.noloc]`Pod` execution role provides the IAM permissions to do this. + +When you create a Fargate profile, you must specify a [.noloc]`Pod` execution role for the Amazon EKS components that run on the Fargate infrastructure using the profile. This role is added to the cluster's [.noloc]`Kubernetes` https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Role based access control] (RBAC) for authorization. This allows the `kubelet` that's running on the Fargate infrastructure to register with your Amazon EKS cluster so that it can appear in your cluster as a node. + +[NOTE] +==== + +The Fargate profile must have a different IAM role than Amazon EC2 node groups. + +==== + +[IMPORTANT] +==== + +The containers running in the Fargate [.noloc]`Pod` can't assume the IAM permissions associated with a [.noloc]`Pod` execution role. To give the containers in your Fargate [.noloc]`Pod` permissions to access other {aws} services, you must use <>. + +==== + +Before you create a Fargate profile, you must create an IAM role with the link:aws-managed-policy/latest/reference/AmazonEKSFargatePodExecutionRolePolicy.html[AmazonEKSFargatePodExecutionRolePolicy,type="documentation"]. +[[check-pod-execution-role,check-pod-execution-role.title]] +== Check for a correctly configured existing [.noloc]`Pod` execution role + +You can use the following procedure to check and see if your account already has a correctly configured Amazon EKS [.noloc]`Pod` execution role. To avoid a confused deputy security problem, it's important that the role restricts access based on `SourceArn`. You can modify the execution role as needed to include support for Fargate profiles on other clusters. + +. Open the IAM console at https://console.aws.amazon.com/iam/. +. In the left navigation pane, choose *Roles*. +. On the *Roles* page, search the list of roles for *AmazonEKSFargatePodExecutionRole*. If the role doesn't exist, see <> to create the role. If the role does exist, choose the role. +. On the *AmazonEKSFargatePodExecutionRole* page, do the following: ++ +.. Choose *Permissions*. +.. Ensure that the *AmazonEKSFargatePodExecutionRolePolicy* Amazon managed policy is attached to the role. +.. Choose *Trust relationships*. +.. Choose *Edit trust policy*. +. On the *Edit trust policy* page, verify that the trust relationship contains the following policy and has a line for Fargate profiles on your cluster. If so, choose *Cancel*. ++ +[source,json,subs="verbatim,attributes"] +---- +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Condition": { + "ArnLike": { + "aws:SourceArn": "{arn-aws}eks:region-code:111122223333:fargateprofile/my-cluster/*" + } + }, + "Principal": { + "Service": "eks-fargate-pods.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] +} +---- ++ +If the policy matches but doesn't have a line specifying the Fargate profiles on your cluster, you can add the following line at the top of the `ArnLike` object. Replace [.replaceable]`region-code` with the {aws} Region that your cluster is in, [.replaceable]`111122223333` with your account ID, and [.replaceable]`my-cluster` with the name of your cluster. ++ +[source,json,subs="verbatim,attributes"] +---- +"aws:SourceArn": "{arn-aws}eks:region-code:111122223333:fargateprofile/my-cluster/*", +---- ++ +If the policy doesn't match, copy the full previous policy into the form and choose *Update policy*. Replace [.replaceable]`region-code` with the {aws} Region that your cluster is in. If you want to use the same role in all {aws} Regions in your account, replace [.replaceable]`region-code` with `{asterisk}`. Replace [.replaceable]`111122223333` with your account ID and [.replaceable]`my-cluster` with the name of your cluster. If you want to use the same role for all clusters in your account, replace [.replaceable]`my-cluster` with `{asterisk}`. + + +[[create-pod-execution-role,create-pod-execution-role.title]] +== Creating the Amazon EKS [.noloc]`Pod` execution role + +If you don't already have the Amazon EKS [.noloc]`Pod` execution role for your cluster, you can use the {aws-management-console} or the {aws} CLI to create it. + + + +{aws-management-console}:: +.. Open the IAM console at https://console.aws.amazon.com/iam/. +.. In the left navigation pane, choose *Roles*. +.. On the *Roles* page, choose *Create role*. +.. On the *Select trusted entity* page, do the following: ++ +... In the *Trusted entity type* section, choose *{aws} service*. +... From the *Use cases for other {aws} services* dropdown list, choose *EKS*. +... Choose *EKS - Fargate [.noloc]`Pod`*. +... Choose *Next*. +.. On the *Add permissions* page, choose *Next*. +.. On the *Name, review, and create* page, do the following: ++ +... For *Role name*, enter a unique name for your role, such as `AmazonEKSFargatePodExecutionRole`. +... Under *Add tags (Optional)*, add metadata to the role by attaching tags as key-value pairs. For more information about using tags in IAM, see link:IAM/latest/UserGuide/id_tags.html[Tagging IAM resources,type="documentation"] in the _IAM User Guide_. +... Choose *Create role*. +.. On the *Roles* page, search the list of roles for *AmazonEKSFargatePodExecutionRole*. Choose the role. +.. On the *AmazonEKSFargatePodExecutionRole* page, do the following: ++ +... Choose *Trust relationships*. +... Choose *Edit trust policy*. +.. On the *Edit trust policy* page, do the following: ++ +... Copy and paste the following contents into the *Edit trust policy* form. Replace [.replaceable]`region-code` with the {aws} Region that your cluster is in. If you want to use the same role in all {aws} Regions in your account, replace [.replaceable]`region-code` with `{asterisk}`. Replace [.replaceable]`111122223333` with your account ID and [.replaceable]`my-cluster` with the name of your cluster. If you want to use the same role for all clusters in your account, replace [.replaceable]`my-cluster` with `{asterisk}`. ++ +[source,json,subs="verbatim,attributes"] +---- +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Condition": { + "ArnLike": { + "aws:SourceArn": "{arn-aws}eks:region-code:111122223333:fargateprofile/my-cluster/*" + } + }, + "Principal": { + "Service": "eks-fargate-pods.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] +} +---- +... Choose *Update policy*. + + +{aws} CLI:: +.. Copy and paste the following contents to a file named `pod-execution-role-trust-policy.json`. Replace [.replaceable]`region-code` with the {aws} Region that your cluster is in. If you want to use the same role in all {aws} Regions in your account, replace [.replaceable]`region-code` with `{asterisk}`. Replace [.replaceable]`111122223333` with your account ID and [.replaceable]`my-cluster` with the name of your cluster. If you want to use the same role for all clusters in your account, replace [.replaceable]`my-cluster` with `{asterisk}`. ++ +[source,json,subs="verbatim,attributes"] +---- +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Condition": { + "ArnLike": { + "aws:SourceArn": "{arn-aws}eks:region-code:111122223333:fargateprofile/my-cluster/*" + } + }, + "Principal": { + "Service": "eks-fargate-pods.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] +} +---- +.. Create a [.noloc]`Pod` execution IAM role. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws iam create-role \ + --role-name AmazonEKSFargatePodExecutionRole \ + --assume-role-policy-document file://"pod-execution-role-trust-policy.json" +---- +.. Attach the required Amazon EKS managed IAM policy to the role. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws iam attach-role-policy \ + --policy-arn {arn-aws}iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy \ + --role-name AmazonEKSFargatePodExecutionRole +---- + + diff --git a/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc b/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc new file mode 100644 index 000000000..d5b151735 --- /dev/null +++ b/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc @@ -0,0 +1,250 @@ +//!!NODE_ROOT
+[.topic] +[[security-iam-id-based-policy-examples,security-iam-id-based-policy-examples.title]] += Amazon EKS identity-based policy examples +:info_titleabbrev: Identity-based policies + +include::../../attributes.txt[] + +By default, IAM users and roles don't have permission to create or modify Amazon EKS resources. They also can't perform tasks using the {aws-management-console}, {aws} CLI, or {aws} API. An IAM administrator must create IAM policies that grant users and roles permission to perform specific API operations on the specified resources they need. The administrator must then attach those policies to the IAM users or groups that require those permissions. + +To learn how to create an IAM identity-based policy using these example JSON policy documents, see link:IAM/latest/UserGuide/access_policies_create.html#access_policies_create-json-editor[Creating policies on the JSON tab,type="documentation"] in the _IAM User Guide_. + +When you create an Amazon EKS cluster, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that creates the cluster is automatically granted `system:masters` permissions in the cluster's role-based access control (RBAC) configuration in the Amazon EKS control plane. This principal doesn't appear in any visible configuration, so make sure to keep track of which principal originally created the cluster. To grant additional IAM principals the ability to interact with your cluster, edit the `aws-auth ConfigMap` within [.noloc]`Kubernetes` and create a [.noloc]`Kubernetes` `rolebinding` or `clusterrolebinding` with the name of a `group` that you specify in the `aws-auth ConfigMap`. + +For more information about working with the ConfigMap, see <>. + +[.topiclist] +[[Topic List]] + +[[security-iam-service-with-iam-policy-best-practices,security-iam-service-with-iam-policy-best-practices.title]] +== Policy best practices + +Identity-based policies determine whether someone can create, access, or delete Amazon EKS resources in your account. These actions can incur costs for your {aws} account. When you create or edit identity-based policies, follow these guidelines and recommendations: + + + +* *Get started with {aws} managed policies and move toward least-privilege permissions* – To get started granting permissions to your users and workloads, use the _{aws} managed policies_ that grant permissions for many common use cases. They are available in your {aws} account. We recommend that you reduce permissions further by defining {aws} customer managed policies that are specific to your use cases. For more information, see link:IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies[{aws} managed policies,type="documentation"] or link:IAM/latest/UserGuide/access_policies_job-functions.html[{aws} managed policies for job functions,type="documentation"] in the _IAM User Guide_. +* *Apply least-privilege permissions* – When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as _least-privilege permissions_. For more information about using IAM to apply permissions, see link:IAM/latest/UserGuide/access_policies.html[Policies and permissions in IAM,type="documentation"] in the _IAM User Guide_. +* *Use conditions in IAM policies to further restrict access* – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific {aws} service, such as {aws} CloudFormation. For more information, see link:IAM/latest/UserGuide/reference_policies_elements_condition.html[IAM JSON policy elements: Condition,type="documentation"] in the _IAM User Guide_. +* *Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions* – IAM Access Analyzer validates new and existing policies so that the policies adhere to the IAM policy language (JSON) and IAM best practices. IAM Access Analyzer provides more than 100 policy checks and actionable recommendations to help you author secure and functional policies. For more information, see link:IAM/latest/UserGuide/access-analyzer-policy-validation.html[IAM Access Analyzer policy validation,type="documentation"] in the _IAM User Guide_. +* *Require multi-factor authentication (MFA)* – If you have a scenario that requires IAM users or a root user in your {aws} account, turn on MFA for additional security. To require MFA when API operations are called, add MFA conditions to your policies. For more information, see link:IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html[Configuring MFA-protected API access,type="documentation"] in the _IAM User Guide_. + +For more information about best practices in IAM, see link:IAM/latest/UserGuide/best-practices.html[Security best practices in IAM,type="documentation"] in the _IAM User Guide_. + +[[security-iam-id-based-policy-examples-console,security-iam-id-based-policy-examples-console.title]] +== Using the Amazon EKS console + +To access the Amazon EKS console, an link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"], must have a minimum set of permissions. These permissions allow the principal to list and view details about the Amazon EKS resources in your {aws} account. If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for principals with that policy attached to them. + +To ensure that your IAM principals can still use the Amazon EKS console, create a policy with your own unique name, such as `AmazonEKSAdminPolicy`. Attach the policy to the principals. For more information, see link:IAM/latest/UserGuide/access_policies_manage-attach-detach.html[Adding and removing IAM identity permissions,type="documentation"] in the _IAM User Guide_. + +[IMPORTANT] +==== + +The following example policy allows a principal to view information on the *Configuration* tab in the console. To view information on the *Overview* and *Resources* tabs in the {aws-management-console}, the principal also needs [.noloc]`Kubernetes` permissions. For more information, see <>. + +==== + +[source,json,subs="verbatim,attributes"] +---- +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "eks:*" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": "iam:PassRole", + "Resource": "*", + "Condition": { + "StringEquals": { + "iam:PassedToService": "eks.amazonaws.com" + } + } + } + ] +} +---- + +You don't need to allow minimum console permissions for principals that are making calls only to the {aws} CLI or the {aws} API. Instead, allow access to only the actions that match the API operation that you're trying to perform. + +[[security-iam-id-based-policy-examples-view-own-permissions,security-iam-id-based-policy-examples-view-own-permissions.title]] +== Allow IAM users to view their own permissions + +This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the {aws} CLI or {aws} API. + +[source,json,subs="verbatim,attributes"] +---- +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "ViewOwnUserInfo", + "Effect": "Allow", + "Action": [ + "iam:GetUserPolicy", + "iam:ListGroupsForUser", + "iam:ListAttachedUserPolicies", + "iam:ListUserPolicies", + "iam:GetUser" + ], + "Resource": ["{arn-aws}iam::*:user/${aws:username}"] + }, + { + "Sid": "NavigateInConsole", + "Effect": "Allow", + "Action": [ + "iam:GetGroupPolicy", + "iam:GetPolicyVersion", + "iam:GetPolicy", + "iam:ListAttachedGroupPolicies", + "iam:ListGroupPolicies", + "iam:ListPolicyVersions", + "iam:ListPolicies", + "iam:ListUsers" + ], + "Resource": "*" + } + ] +} +---- + + +[[policy-create-cluster,policy-create-cluster.title]] +== Create a [.noloc]`Kubernetes` cluster on the {aws} Cloud + +This example policy includes the minimum permissions required to create an Amazon EKS cluster named [.replaceable]`my-cluster` in the [.replaceable]`us-west-2` {aws} Region. You can replace the {aws} Region with the {aws} Region that you want to create a cluster in. If you see a warning that says *The actions in your policy do not support resource-level permissions and require you to choose `All resources`* in the {aws-management-console}, it can be safely ignored. If your account already has the [.replaceable]`AWSServiceRoleForAmazonEKS` role, you can remove the `iam:CreateServiceLinkedRole` action from the policy. If you've ever created an Amazon EKS cluster in your account then this role already exists, unless you deleted it. + +[source,json,subs="verbatim,attributes"] +---- +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "eks:CreateCluster", + "Resource": "{arn-aws}eks:us-west-2:111122223333:cluster/my-cluster" + }, + { + "Effect": "Allow", + "Action": "iam:CreateServiceLinkedRole", + "Resource": "{arn-aws}iam::111122223333:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", + "Condition": { + "ForAnyValue:StringEquals": { + "iam:AWSServiceName": "eks" + } + } + }, + { + "Effect": "Allow", + "Action": "iam:PassRole", + "Resource": "{arn-aws}iam::111122223333:role/cluster-role-name" + } + ] +} +---- + + +[[policy-create-local-cluster,policy-create-local-cluster.title]] +== Create a local [.noloc]`Kubernetes` cluster on an Outpost + +This example policy includes the minimum permissions required to create an Amazon EKS local cluster named [.replaceable]`my-cluster` on an Outpost in the [.replaceable]`us-west-2` {aws} Region. You can replace the {aws} Region with the {aws} Region that you want to create a cluster in. If you see a warning that says *The actions in your policy do not support resource-level permissions and require you to choose `All resources`* in the {aws-management-console}, it can be safely ignored. If your account already has the `AWSServiceRoleForAmazonEKSLocalOutpost` role, you can remove the `iam:CreateServiceLinkedRole` action from the policy. If you've ever created an Amazon EKS local cluster on an Outpost in your account then this role already exists, unless you deleted it. + +[source,json,subs="verbatim,attributes"] +---- +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "eks:CreateCluster", + "Resource": "{arn-aws}eks:us-west-2:111122223333:cluster/my-cluster" + }, + { + "Action": [ + "ec2:DescribeSubnets", + "ec2:DescribeVpcs", + "iam:GetRole" + ], + "Resource": "*", + "Effect": "Allow" + }, + { + "Effect": "Allow", + "Action": "iam:CreateServiceLinkedRole", + "Resource": "{arn-aws}iam::111122223333:role/aws-service-role/outposts.eks-local.amazonaws.com/AWSServiceRoleForAmazonEKSLocalOutpost" + }, + { + "Effect": "Allow", + "Action": [ + "iam:PassRole", + "iam:ListAttachedRolePolicies" + ] + "Resource": "{arn-aws}iam::111122223333:role/cluster-role-name" + }, + { + "Action": [ + "iam:CreateInstanceProfile", + "iam:TagInstanceProfile", + "iam:AddRoleToInstanceProfile", + "iam:GetInstanceProfile", + "iam:DeleteInstanceProfile", + "iam:RemoveRoleFromInstanceProfile" + ], + "Resource": "{arn-aws}iam::*:instance-profile/eks-local-*", + "Effect": "Allow" + }, + ] +} +---- + + +[[policy-example1,policy-example1.title]] +== Update a [.noloc]`Kubernetes` cluster + +This example policy includes the minimum permission required to update a cluster named [.replaceable]`my-cluster` in the us-west-2 {aws} Region. + +[source,json,subs="verbatim,attributes"] +---- +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "eks:UpdateClusterVersion", + "Resource": "{arn-aws}eks:us-west-2:111122223333:cluster/my-cluster" + } + ] +} +---- + + +[[policy-example2,policy-example2.title]] +== List or describe all clusters + +This example policy includes the minimum permissions required to list and describe all clusters in your account. An link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] must be able to list and describe clusters to use the `update-kubeconfig` {aws} CLI command. + +[source,json,subs="verbatim,attributes"] +---- +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "eks:DescribeCluster", + "eks:ListClusters" + ], + "Resource": "*" + } + ] +} +---- + + diff --git a/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc b/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc new file mode 100644 index 000000000..30837bf64 --- /dev/null +++ b/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc @@ -0,0 +1,154 @@ +//!!NODE_ROOT
+[.topic] +[[security-iam-service-with-iam,security-iam-service-with-iam.title]] += How Amazon EKS works with IAM +:info_titleabbrev: Amazon EKS and IAM + +include::../../attributes.txt[] + +Before you use IAM to manage access to Amazon EKS, you should understand what IAM features are available to use with Amazon EKS. To get a high-level view of how Amazon EKS and other {aws} services work with IAM, see link:IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html[{aws} services that work with IAM,type="documentation"] in the _IAM User Guide_. + +[.topiclist] +[[Topic List]] + +[[security-iam-service-with-iam-id-based-policies,security-iam-service-with-iam-id-based-policies.title]] +== Amazon EKS identity-based policies + +With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. Amazon EKS supports specific actions, resources, and condition keys. To learn about all of the elements that you use in a JSON policy, see link:IAM/latest/UserGuide/reference_policies_elements.html[IAM JSON policy elements reference,type="documentation"] in the _IAM User Guide_. + +[[security-iam-service-with-iam-id-based-policies-actions,security-iam-service-with-iam-id-based-policies-actions.title]] +=== Actions + +Administrators can use {aws} JSON policies to specify who has access to what. That is, which *principal* can perform *actions* on what *resources*, and under what *conditions*. + +The `Action` element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Policy actions usually have the same name as the associated {aws} API operation. There are some exceptions, such as _permission-only actions_ that don't have a matching API operation. There are also some operations that require multiple actions in a policy. These additional actions are called _dependent actions_. + +Include actions in a policy to grant permissions to perform the associated operation. + +Policy actions in Amazon EKS use the following prefix before the action: `eks:`. For example, to grant someone permission to get descriptive information about an Amazon EKS cluster, you include the `DescribeCluster` action in their policy. Policy statements must include either an `Action` or `NotAction` element. + +To specify multiple actions in a single statement, separate them with commas as follows: + +[source,json,subs="verbatim,attributes"] +---- +"Action": ["eks:action1", "eks:action2"] +---- + +You can specify multiple actions using wildcards (*). For example, to specify all actions that begin with the word `Describe`, include the following action: + +[source,json,subs="verbatim,attributes"] +---- +"Action": "eks:Describe*" +---- + + +To see a list of Amazon EKS actions, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the _Service Authorization Reference_. + +[[security-iam-service-with-iam-id-based-policies-resources,security-iam-service-with-iam-id-based-policies-resources.title]] +=== Resources + +Administrators can use {aws} JSON policies to specify who has access to what. That is, which *principal* can perform *actions* on what *resources*, and under what *conditions*. + +The `Resource` JSON policy element specifies the object or objects to which the action applies. Statements must include either a `Resource` or a `NotResource` element. As a best practice, specify a resource using its link:IAM/latest/UserGuide/reference-arns.html[Amazon Resource Name (ARN),type="documentation"]. You can do this for actions that support a specific resource type, known as _resource-level permissions_. + +For actions that don't support resource-level permissions, such as listing operations, use a wildcard (*) to indicate that the statement applies to all resources. + +[source] +---- +"Resource": "*" +---- + +The Amazon EKS cluster resource has the following ARN. + +[source,none,subs="verbatim,attributes"] +---- +{arn-aws}eks:region-code:account-id:cluster/cluster-name +---- + +For more information about the format of ARNs, see link:general/latest/gr/aws-arns-and-namespaces.html[Amazon resource names (ARNs) and {aws} service namespaces,type="documentation"]. + +For example, to specify the cluster with the name [.replaceable]`my-cluster` in your statement, use the following ARN: + +[source,json,subs="verbatim,attributes"] +---- +"Resource": "{arn-aws}eks:region-code:111122223333:cluster/my-cluster" +---- + +To specify all clusters that belong to a specific account and {aws} Region, use the wildcard (*): + +[source,json,subs="verbatim,attributes"] +---- +"Resource": "{arn-aws}eks:region-code:111122223333:cluster/*" +---- + +Some Amazon EKS actions, such as those for creating resources, can't be performed on a specific resource. In those cases, you must use the wildcard (*). + +[source,json,subs="verbatim,attributes"] +---- +"Resource": "*" +---- + +To see a list of Amazon EKS resource types and their ARNs, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-resources-for-iam-policies[Resources defined by Amazon Elastic Kubernetes Service,type="documentation"] in the _Service Authorization Reference_. To learn with which actions you can specify the ARN of each resource, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"]. + +[[security-iam-service-with-iam-id-based-policies-conditionkeys,security-iam-service-with-iam-id-based-policies-conditionkeys.title]] +=== Condition keys + +Amazon EKS defines its own set of condition keys and also supports using some global condition keys. To see all {aws} global condition keys, see link:IAM/latest/UserGuide/reference_policies_condition-keys.html[{aws} Global Condition Context Keys,type="documentation"] in the _IAM User Guide_. + +You can set condition keys when associating an [.noloc]`OpenID Connect` provider to your cluster. For more information, see <>. + +All Amazon EC2 actions support the `aws:RequestedRegion` and `ec2:Region` condition keys. For more information, see link:AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html#iam-example-region[Example: Restricting Access to a Specific {aws} Region,type="documentation"]. + +For a list of Amazon EKS condition keys, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-policy-keys[Conditions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the _Service Authorization Reference_. To learn which actions and resources you can use a condition key with, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"]. + +[[security-iam-service-with-iam-id-based-policies-examples,security-iam-service-with-iam-id-based-policies-examples.title]] +=== Examples + + +To view examples of Amazon EKS identity-based policies, see <>. + +When you create an Amazon EKS cluster, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that creates the cluster is automatically granted `system:masters` permissions in the cluster's role-based access control (RBAC) configuration in the Amazon EKS control plane. This principal doesn't appear in any visible configuration, so make sure to keep track of which principal originally created the cluster. To grant additional IAM principals the ability to interact with your cluster, edit the `aws-auth ConfigMap` within [.noloc]`Kubernetes` and create a [.noloc]`Kubernetes` `rolebinding` or `clusterrolebinding` with the name of a `group` that you specify in the `aws-auth ConfigMap`. + +For more information about working with the ConfigMap, see <>. + +[[security-iam-service-with-iam-resource-based-policies,security-iam-service-with-iam-resource-based-policies.title]] +== Amazon EKS resource-based policies + +Amazon EKS does not support resource-based policies. + +[[security-iam-service-with-iam-tags,security-iam-service-with-iam-tags.title]] +== Authorization based on Amazon EKS tags + +You can attach tags to Amazon EKS resources or pass tags in a request to Amazon EKS. To control access based on tags, you provide tag information in the link:IAM/latest/UserGuide/reference_policies_elements_condition.html[condition element,type="documentation"] of a policy using the `aws:ResourceTag/[.replaceable]``key-name```, `aws:RequestTag/[.replaceable]``key-name```, or `aws:TagKeys` condition keys. For more information about tagging Amazon EKS resources, see <>. For more information about which actions that you can use tags in condition keys with, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon EKS,type="documentation"] in the link:service-authorization/latest/reference/reference.html[Service Authorization Reference,type="documentation"]. + +[[security-iam-service-with-iam-roles,security-iam-service-with-iam-roles.title]] +== Amazon EKS IAM roles + +An link:IAM/latest/UserGuide/id_roles.html[IAM role,type="documentation"] is an entity within your {aws} account that has specific permissions. + +[[security-iam-service-with-iam-roles-tempcreds,security-iam-service-with-iam-roles-tempcreds.title]] +=== Using temporary credentials with Amazon EKS + +You can use temporary credentials to sign in with federation, assume an IAM role, or to assume a cross-account role. You obtain temporary security credentials by calling {aws} STS API operations such as link:STS/latest/APIReference/API_AssumeRole.html[AssumeRole,type="documentation"] or link:STS/latest/APIReference/API_GetFederationToken.html[GetFederationToken,type="documentation"]. + +Amazon EKS supports using temporary credentials. + +[[security-iam-service-with-iam-roles-service-linked,security-iam-service-with-iam-roles-service-linked.title]] +=== Service-linked roles + + link:IAM/latest/UserGuide/id_roles.html#iam-term-service-linked-role[Service-linked roles,type="documentation"] allow {aws} services to access resources in other services to complete an action on your behalf. Service-linked roles appear in your IAM account and are owned by the service. An administrator can view but can't edit the permissions for service-linked roles. + +Amazon EKS supports service-linked roles. For details about creating or managing Amazon EKS service-linked roles, see <>. + +[[security-iam-service-with-iam-roles-service,security-iam-service-with-iam-roles-service.title]] +=== Service roles + +This feature allows a service to assume a link:IAM/latest/UserGuide/id_roles.html#iam-term-service-role[service role,type="documentation"] on your behalf. This role allows the service to access resources in other services to complete an action on your behalf. Service roles appear in your IAM account and are owned by the account. This means that an IAM administrator can change the permissions for this role. However, doing so might break the functionality of the service. + +Amazon EKS supports service roles. For more information, see <> and <>. + +[[security-iam-service-with-iam-roles-choose,security-iam-service-with-iam-roles-choose.title]] +=== Choosing an IAM role in Amazon EKS + +When you create a cluster resource in Amazon EKS, you must choose a role to allow Amazon EKS to access several other {aws} resources on your behalf. If you have previously created a service role, then Amazon EKS provides you with a list of roles to choose from. It's important to choose a role that has the Amazon EKS managed policies attached to it. For more information, see <> and <>. + diff --git a/latest/ug/security/iam-reference/security-iam.adoc b/latest/ug/security/iam-reference/security-iam.adoc index 7097c8d7f..63f8b3b3a 100644 --- a/latest/ug/security/iam-reference/security-iam.adoc +++ b/latest/ug/security/iam-reference/security-iam.adoc @@ -2,14 +2,20 @@ [.topic] [[security-iam,security-iam.title]] = Identity and access management for Amazon EKS -:info_doctype: section -:info_title: Identity and access management for Amazon EKS :info_titleabbrev: IAM Reference -:info_abstract: How to authenticate requests and manage access your Amazon EKS \ - resources. include::../../attributes.txt[] +include::security-iam-service-with-iam.adoc[leveloffset=+1] + +include::security-iam-id-based-policy-examples.adoc[leveloffset=+1] + +include::using-service-linked-roles.adoc[leveloffset=+1] + +include::pod-execution-role.adoc[leveloffset=+1] + +include::connector-iam-role.adoc[leveloffset=+1] + include::security-iam-awsmanpol.adoc[leveloffset=+1] include::security-iam-troubleshoot.adoc[leveloffset=+1] @@ -136,1177 +142,3 @@ Amazon S3, {aws} WAF, and Amazon VPC are examples of services that support ACLs. === Multiple policy types When multiple types of policies apply to a request, the resulting permissions are more complicated to understand. To learn how {aws} determines whether to allow a request when multiple policy types are involved, see link:IAM/latest/UserGuide/reference_policies_evaluation-logic.html[Policy evaluation logic,type="documentation"] in the _IAM User Guide_. - -[.topic] -[[security-iam-service-with-iam,security-iam-service-with-iam.title]] -== How Amazon EKS works with IAM - -Before you use IAM to manage access to Amazon EKS, you should understand what IAM features are available to use with Amazon EKS. To get a high-level view of how Amazon EKS and other {aws} services work with IAM, see link:IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html[{aws} services that work with IAM,type="documentation"] in the _IAM User Guide_. - -[.topiclist] -[[Topic List]] - -[[security-iam-service-with-iam-id-based-policies,security-iam-service-with-iam-id-based-policies.title]] -=== Amazon EKS identity-based policies - -With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. Amazon EKS supports specific actions, resources, and condition keys. To learn about all of the elements that you use in a JSON policy, see link:IAM/latest/UserGuide/reference_policies_elements.html[IAM JSON policy elements reference,type="documentation"] in the _IAM User Guide_. - -[[security-iam-service-with-iam-id-based-policies-actions,security-iam-service-with-iam-id-based-policies-actions.title]] -==== Actions - -Administrators can use {aws} JSON policies to specify who has access to what. That is, which *principal* can perform *actions* on what *resources*, and under what *conditions*. - -The `Action` element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Policy actions usually have the same name as the associated {aws} API operation. There are some exceptions, such as _permission-only actions_ that don't have a matching API operation. There are also some operations that require multiple actions in a policy. These additional actions are called _dependent actions_. - -Include actions in a policy to grant permissions to perform the associated operation. - -Policy actions in Amazon EKS use the following prefix before the action: `eks:`. For example, to grant someone permission to get descriptive information about an Amazon EKS cluster, you include the `DescribeCluster` action in their policy. Policy statements must include either an `Action` or `NotAction` element. - -To specify multiple actions in a single statement, separate them with commas as follows: - -[source,json,subs="verbatim,attributes"] ----- -"Action": ["eks:action1", "eks:action2"] ----- - -You can specify multiple actions using wildcards (*). For example, to specify all actions that begin with the word `Describe`, include the following action: - -[source,json,subs="verbatim,attributes"] ----- -"Action": "eks:Describe*" ----- - - -To see a list of Amazon EKS actions, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the _Service Authorization Reference_. - -[[security-iam-service-with-iam-id-based-policies-resources,security-iam-service-with-iam-id-based-policies-resources.title]] -==== Resources - -Administrators can use {aws} JSON policies to specify who has access to what. That is, which *principal* can perform *actions* on what *resources*, and under what *conditions*. - -The `Resource` JSON policy element specifies the object or objects to which the action applies. Statements must include either a `Resource` or a `NotResource` element. As a best practice, specify a resource using its link:IAM/latest/UserGuide/reference-arns.html[Amazon Resource Name (ARN),type="documentation"]. You can do this for actions that support a specific resource type, known as _resource-level permissions_. - -For actions that don't support resource-level permissions, such as listing operations, use a wildcard (*) to indicate that the statement applies to all resources. - -[source] ----- -"Resource": "*" ----- - -The Amazon EKS cluster resource has the following ARN. - -[source,none,subs="verbatim,attributes"] ----- -{arn-aws}eks:region-code:account-id:cluster/cluster-name ----- - -For more information about the format of ARNs, see link:general/latest/gr/aws-arns-and-namespaces.html[Amazon resource names (ARNs) and {aws} service namespaces,type="documentation"]. - -For example, to specify the cluster with the name [.replaceable]`my-cluster` in your statement, use the following ARN: - -[source,json,subs="verbatim,attributes"] ----- -"Resource": "{arn-aws}eks:region-code:111122223333:cluster/my-cluster" ----- - -To specify all clusters that belong to a specific account and {aws} Region, use the wildcard (*): - -[source,json,subs="verbatim,attributes"] ----- -"Resource": "{arn-aws}eks:region-code:111122223333:cluster/*" ----- - -Some Amazon EKS actions, such as those for creating resources, can't be performed on a specific resource. In those cases, you must use the wildcard (*). - -[source,json,subs="verbatim,attributes"] ----- -"Resource": "*" ----- - -To see a list of Amazon EKS resource types and their ARNs, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-resources-for-iam-policies[Resources defined by Amazon Elastic Kubernetes Service,type="documentation"] in the _Service Authorization Reference_. To learn with which actions you can specify the ARN of each resource, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"]. - -[[security-iam-service-with-iam-id-based-policies-conditionkeys,security-iam-service-with-iam-id-based-policies-conditionkeys.title]] -==== Condition keys - -Amazon EKS defines its own set of condition keys and also supports using some global condition keys. To see all {aws} global condition keys, see link:IAM/latest/UserGuide/reference_policies_condition-keys.html[{aws} Global Condition Context Keys,type="documentation"] in the _IAM User Guide_. - -You can set condition keys when associating an [.noloc]`OpenID Connect` provider to your cluster. For more information, see <>. - -All Amazon EC2 actions support the `aws:RequestedRegion` and `ec2:Region` condition keys. For more information, see link:AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html#iam-example-region[Example: Restricting Access to a Specific {aws} Region,type="documentation"]. - -For a list of Amazon EKS condition keys, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-policy-keys[Conditions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the _Service Authorization Reference_. To learn which actions and resources you can use a condition key with, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"]. - -[[security-iam-service-with-iam-id-based-policies-examples,security-iam-service-with-iam-id-based-policies-examples.title]] -==== Examples - - -To view examples of Amazon EKS identity-based policies, see <>. - -When you create an Amazon EKS cluster, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that creates the cluster is automatically granted `system:masters` permissions in the cluster's role-based access control (RBAC) configuration in the Amazon EKS control plane. This principal doesn't appear in any visible configuration, so make sure to keep track of which principal originally created the cluster. To grant additional IAM principals the ability to interact with your cluster, edit the `aws-auth ConfigMap` within [.noloc]`Kubernetes` and create a [.noloc]`Kubernetes` `rolebinding` or `clusterrolebinding` with the name of a `group` that you specify in the `aws-auth ConfigMap`. - -For more information about working with the ConfigMap, see <>. - -[[security-iam-service-with-iam-resource-based-policies,security-iam-service-with-iam-resource-based-policies.title]] -=== Amazon EKS resource-based policies - -Amazon EKS does not support resource-based policies. - -[[security-iam-service-with-iam-tags,security-iam-service-with-iam-tags.title]] -=== Authorization based on Amazon EKS tags - -You can attach tags to Amazon EKS resources or pass tags in a request to Amazon EKS. To control access based on tags, you provide tag information in the link:IAM/latest/UserGuide/reference_policies_elements_condition.html[condition element,type="documentation"] of a policy using the `aws:ResourceTag/[.replaceable]``key-name```, `aws:RequestTag/[.replaceable]``key-name```, or `aws:TagKeys` condition keys. For more information about tagging Amazon EKS resources, see <>. For more information about which actions that you can use tags in condition keys with, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon EKS,type="documentation"] in the link:service-authorization/latest/reference/reference.html[Service Authorization Reference,type="documentation"]. - -[[security-iam-service-with-iam-roles,security-iam-service-with-iam-roles.title]] -=== Amazon EKS IAM roles - -An link:IAM/latest/UserGuide/id_roles.html[IAM role,type="documentation"] is an entity within your {aws} account that has specific permissions. - -[[security-iam-service-with-iam-roles-tempcreds,security-iam-service-with-iam-roles-tempcreds.title]] -==== Using temporary credentials with Amazon EKS - -You can use temporary credentials to sign in with federation, assume an IAM role, or to assume a cross-account role. You obtain temporary security credentials by calling {aws} STS API operations such as link:STS/latest/APIReference/API_AssumeRole.html[AssumeRole,type="documentation"] or link:STS/latest/APIReference/API_GetFederationToken.html[GetFederationToken,type="documentation"]. - -Amazon EKS supports using temporary credentials. - -[[security-iam-service-with-iam-roles-service-linked,security-iam-service-with-iam-roles-service-linked.title]] -==== Service-linked roles - - link:IAM/latest/UserGuide/id_roles.html#iam-term-service-linked-role[Service-linked roles,type="documentation"] allow {aws} services to access resources in other services to complete an action on your behalf. Service-linked roles appear in your IAM account and are owned by the service. An administrator can view but can't edit the permissions for service-linked roles. - -Amazon EKS supports service-linked roles. For details about creating or managing Amazon EKS service-linked roles, see <>. - -[[security-iam-service-with-iam-roles-service,security-iam-service-with-iam-roles-service.title]] -==== Service roles - -This feature allows a service to assume a link:IAM/latest/UserGuide/id_roles.html#iam-term-service-role[service role,type="documentation"] on your behalf. This role allows the service to access resources in other services to complete an action on your behalf. Service roles appear in your IAM account and are owned by the account. This means that an IAM administrator can change the permissions for this role. However, doing so might break the functionality of the service. - -Amazon EKS supports service roles. For more information, see <> and <>. - -[[security-iam-service-with-iam-roles-choose,security-iam-service-with-iam-roles-choose.title]] -==== Choosing an IAM role in Amazon EKS - -When you create a cluster resource in Amazon EKS, you must choose a role to allow Amazon EKS to access several other {aws} resources on your behalf. If you have previously created a service role, then Amazon EKS provides you with a list of roles to choose from. It's important to choose a role that has the Amazon EKS managed policies attached to it. For more information, see <> and <>. - -[.topic] -[[security-iam-id-based-policy-examples,security-iam-id-based-policy-examples.title]] -== Amazon EKS identity-based policy examples - -By default, IAM users and roles don't have permission to create or modify Amazon EKS resources. They also can't perform tasks using the {aws-management-console}, {aws} CLI, or {aws} API. An IAM administrator must create IAM policies that grant users and roles permission to perform specific API operations on the specified resources they need. The administrator must then attach those policies to the IAM users or groups that require those permissions. - -To learn how to create an IAM identity-based policy using these example JSON policy documents, see link:IAM/latest/UserGuide/access_policies_create.html#access_policies_create-json-editor[Creating policies on the JSON tab,type="documentation"] in the _IAM User Guide_. - -When you create an Amazon EKS cluster, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that creates the cluster is automatically granted `system:masters` permissions in the cluster's role-based access control (RBAC) configuration in the Amazon EKS control plane. This principal doesn't appear in any visible configuration, so make sure to keep track of which principal originally created the cluster. To grant additional IAM principals the ability to interact with your cluster, edit the `aws-auth ConfigMap` within [.noloc]`Kubernetes` and create a [.noloc]`Kubernetes` `rolebinding` or `clusterrolebinding` with the name of a `group` that you specify in the `aws-auth ConfigMap`. - -For more information about working with the ConfigMap, see <>. - -[.topiclist] -[[Topic List]] - -[[security-iam-service-with-iam-policy-best-practices,security-iam-service-with-iam-policy-best-practices.title]] -=== Policy best practices - -Identity-based policies determine whether someone can create, access, or delete Amazon EKS resources in your account. These actions can incur costs for your {aws} account. When you create or edit identity-based policies, follow these guidelines and recommendations: - - - -* *Get started with {aws} managed policies and move toward least-privilege permissions* – To get started granting permissions to your users and workloads, use the _{aws} managed policies_ that grant permissions for many common use cases. They are available in your {aws} account. We recommend that you reduce permissions further by defining {aws} customer managed policies that are specific to your use cases. For more information, see link:IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies[{aws} managed policies,type="documentation"] or link:IAM/latest/UserGuide/access_policies_job-functions.html[{aws} managed policies for job functions,type="documentation"] in the _IAM User Guide_. -* *Apply least-privilege permissions* – When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as _least-privilege permissions_. For more information about using IAM to apply permissions, see link:IAM/latest/UserGuide/access_policies.html[Policies and permissions in IAM,type="documentation"] in the _IAM User Guide_. -* *Use conditions in IAM policies to further restrict access* – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific {aws} service, such as {aws} CloudFormation. For more information, see link:IAM/latest/UserGuide/reference_policies_elements_condition.html[IAM JSON policy elements: Condition,type="documentation"] in the _IAM User Guide_. -* *Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions* – IAM Access Analyzer validates new and existing policies so that the policies adhere to the IAM policy language (JSON) and IAM best practices. IAM Access Analyzer provides more than 100 policy checks and actionable recommendations to help you author secure and functional policies. For more information, see link:IAM/latest/UserGuide/access-analyzer-policy-validation.html[IAM Access Analyzer policy validation,type="documentation"] in the _IAM User Guide_. -* *Require multi-factor authentication (MFA)* – If you have a scenario that requires IAM users or a root user in your {aws} account, turn on MFA for additional security. To require MFA when API operations are called, add MFA conditions to your policies. For more information, see link:IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html[Configuring MFA-protected API access,type="documentation"] in the _IAM User Guide_. - -For more information about best practices in IAM, see link:IAM/latest/UserGuide/best-practices.html[Security best practices in IAM,type="documentation"] in the _IAM User Guide_. - -[[security-iam-id-based-policy-examples-console,security-iam-id-based-policy-examples-console.title]] -=== Using the Amazon EKS console - -To access the Amazon EKS console, an link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"], must have a minimum set of permissions. These permissions allow the principal to list and view details about the Amazon EKS resources in your {aws} account. If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for principals with that policy attached to them. - -To ensure that your IAM principals can still use the Amazon EKS console, create a policy with your own unique name, such as `AmazonEKSAdminPolicy`. Attach the policy to the principals. For more information, see link:IAM/latest/UserGuide/access_policies_manage-attach-detach.html[Adding and removing IAM identity permissions,type="documentation"] in the _IAM User Guide_. - -[IMPORTANT] -==== - -The following example policy allows a principal to view information on the *Configuration* tab in the console. To view information on the *Overview* and *Resources* tabs in the {aws-management-console}, the principal also needs [.noloc]`Kubernetes` permissions. For more information, see <>. - -==== - -[source,json,subs="verbatim,attributes"] ----- -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "eks:*" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": "iam:PassRole", - "Resource": "*", - "Condition": { - "StringEquals": { - "iam:PassedToService": "eks.amazonaws.com" - } - } - } - ] -} ----- - -You don't need to allow minimum console permissions for principals that are making calls only to the {aws} CLI or the {aws} API. Instead, allow access to only the actions that match the API operation that you're trying to perform. - -[[security-iam-id-based-policy-examples-view-own-permissions,security-iam-id-based-policy-examples-view-own-permissions.title]] -=== Allow IAM users to view their own permissions - -This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the {aws} CLI or {aws} API. - -[source,json,subs="verbatim,attributes"] ----- -{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "ViewOwnUserInfo", - "Effect": "Allow", - "Action": [ - "iam:GetUserPolicy", - "iam:ListGroupsForUser", - "iam:ListAttachedUserPolicies", - "iam:ListUserPolicies", - "iam:GetUser" - ], - "Resource": ["{arn-aws}iam::*:user/${aws:username}"] - }, - { - "Sid": "NavigateInConsole", - "Effect": "Allow", - "Action": [ - "iam:GetGroupPolicy", - "iam:GetPolicyVersion", - "iam:GetPolicy", - "iam:ListAttachedGroupPolicies", - "iam:ListGroupPolicies", - "iam:ListPolicyVersions", - "iam:ListPolicies", - "iam:ListUsers" - ], - "Resource": "*" - } - ] -} ----- - - -[[policy-create-cluster,policy-create-cluster.title]] -=== Create a [.noloc]`Kubernetes` cluster on the {aws} Cloud - -This example policy includes the minimum permissions required to create an Amazon EKS cluster named [.replaceable]`my-cluster` in the [.replaceable]`us-west-2` {aws} Region. You can replace the {aws} Region with the {aws} Region that you want to create a cluster in. If you see a warning that says *The actions in your policy do not support resource-level permissions and require you to choose `All resources`* in the {aws-management-console}, it can be safely ignored. If your account already has the [.replaceable]`AWSServiceRoleForAmazonEKS` role, you can remove the `iam:CreateServiceLinkedRole` action from the policy. If you've ever created an Amazon EKS cluster in your account then this role already exists, unless you deleted it. - -[source,json,subs="verbatim,attributes"] ----- -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "eks:CreateCluster", - "Resource": "{arn-aws}eks:us-west-2:111122223333:cluster/my-cluster" - }, - { - "Effect": "Allow", - "Action": "iam:CreateServiceLinkedRole", - "Resource": "{arn-aws}iam::111122223333:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", - "Condition": { - "ForAnyValue:StringEquals": { - "iam:AWSServiceName": "eks" - } - } - }, - { - "Effect": "Allow", - "Action": "iam:PassRole", - "Resource": "{arn-aws}iam::111122223333:role/cluster-role-name" - } - ] -} ----- - - -[[policy-create-local-cluster,policy-create-local-cluster.title]] -=== Create a local [.noloc]`Kubernetes` cluster on an Outpost - -This example policy includes the minimum permissions required to create an Amazon EKS local cluster named [.replaceable]`my-cluster` on an Outpost in the [.replaceable]`us-west-2` {aws} Region. You can replace the {aws} Region with the {aws} Region that you want to create a cluster in. If you see a warning that says *The actions in your policy do not support resource-level permissions and require you to choose `All resources`* in the {aws-management-console}, it can be safely ignored. If your account already has the `AWSServiceRoleForAmazonEKSLocalOutpost` role, you can remove the `iam:CreateServiceLinkedRole` action from the policy. If you've ever created an Amazon EKS local cluster on an Outpost in your account then this role already exists, unless you deleted it. - -[source,json,subs="verbatim,attributes"] ----- -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "eks:CreateCluster", - "Resource": "{arn-aws}eks:us-west-2:111122223333:cluster/my-cluster" - }, - { - "Action": [ - "ec2:DescribeSubnets", - "ec2:DescribeVpcs", - "iam:GetRole" - ], - "Resource": "*", - "Effect": "Allow" - }, - { - "Effect": "Allow", - "Action": "iam:CreateServiceLinkedRole", - "Resource": "{arn-aws}iam::111122223333:role/aws-service-role/outposts.eks-local.amazonaws.com/AWSServiceRoleForAmazonEKSLocalOutpost" - }, - { - "Effect": "Allow", - "Action": [ - "iam:PassRole", - "iam:ListAttachedRolePolicies" - ] - "Resource": "{arn-aws}iam::111122223333:role/cluster-role-name" - }, - { - "Action": [ - "iam:CreateInstanceProfile", - "iam:TagInstanceProfile", - "iam:AddRoleToInstanceProfile", - "iam:GetInstanceProfile", - "iam:DeleteInstanceProfile", - "iam:RemoveRoleFromInstanceProfile" - ], - "Resource": "{arn-aws}iam::*:instance-profile/eks-local-*", - "Effect": "Allow" - }, - ] -} ----- - - -[[policy-example1,policy-example1.title]] -=== Update a [.noloc]`Kubernetes` cluster - -This example policy includes the minimum permission required to update a cluster named [.replaceable]`my-cluster` in the us-west-2 {aws} Region. - -[source,json,subs="verbatim,attributes"] ----- -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "eks:UpdateClusterVersion", - "Resource": "{arn-aws}eks:us-west-2:111122223333:cluster/my-cluster" - } - ] -} ----- - - -[[policy-example2,policy-example2.title]] -=== List or describe all clusters - -This example policy includes the minimum permissions required to list and describe all clusters in your account. An link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] must be able to list and describe clusters to use the `update-kubeconfig` {aws} CLI command. - -[source,json,subs="verbatim,attributes"] ----- -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "eks:DescribeCluster", - "eks:ListClusters" - ], - "Resource": "*" - } - ] -} ----- - - -[.topic] -[[using-service-linked-roles,using-service-linked-roles.title]] -== Using service-linked roles for Amazon EKS - -[abstract] --- -How to use service-linked roles to give Amazon EKS access to resources in your {aws} account. --- - -Amazon Elastic Kubernetes Service uses {aws} Identity and Access Management (IAM) link:IAM/latest/UserGuide/id_roles.html#iam-term-service-linked-role[service-linked roles,type="documentation"]. A service-linked role is a unique type of IAM role that is linked directly to Amazon EKS. Service-linked roles are predefined by Amazon EKS and include all the permissions that the service requires to call other {aws} services on your behalf. - -[.topiclist] -[[Topic List]] - -[.topic] -[[using-service-linked-roles-eks,using-service-linked-roles-eks.title]] -=== Using roles for Amazon EKS clusters - -[abstract] --- -How to use service-linked roles to give Amazon EKS access to resources in your {aws} account. --- - -Amazon Elastic Kubernetes Service uses {aws} Identity and Access Management (IAM) link:IAM/latest/UserGuide/id_roles.html#iam-term-service-linked-role[service-linked roles,type="documentation"]. A service-linked role is a unique type of IAM role that is linked directly to Amazon EKS. Service-linked roles are predefined by Amazon EKS and include all the permissions that the service requires to call other {aws} services on your behalf. - -A service-linked role makes setting up Amazon EKS easier because you don't have to manually add the necessary permissions. Amazon EKS defines the permissions of its service-linked roles, and unless defined otherwise, only Amazon EKS can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity. - -You can delete a service-linked role only after first deleting their related resources. This protects your Amazon EKS resources because you can't inadvertently remove permission to access the resources. - -For information about other services that support service-linked roles, see link:IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html[{aws} services that work with IAM,type="documentation"] and look for the services that have *Yes* in the *Service-linked role* column. Choose a *Yes* with a link to view the service-linked role documentation for that service. - -[[service-linked-role-permissions-eks,service-linked-role-permissions-eks.title]] -==== Service-linked role permissions for Amazon EKS - -Amazon EKS uses the service-linked role named `AWSServiceRoleForAmazonEKS`. The role allows Amazon EKS to manage clusters in your account. The attached policies allow the role to manage the following resources: network interfaces, security groups, logs, and VPCs. - -[NOTE] -==== - -The `AWSServiceRoleForAmazonEKS` service-linked role is distinct from the role required for cluster creation. For more information, see <>. - -==== - -The `AWSServiceRoleForAmazonEKS` service-linked role trusts the following services to assume the role: - -* `eks.amazonaws.com` - -The role permissions policy allows Amazon EKS to complete the following actions on the specified resources: - -* link:aws-managed-policy/latest/reference/AmazonEKSServiceRolePolicy.html[AmazonEKSServiceRolePolicy,type="documentation"] - -You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions[Service-linked role permissions,type="documentation"] in the _IAM User Guide_. - -[[create-service-linked-role-eks,create-service-linked-role-eks.title]] -==== Creating a service-linked role for Amazon EKS - -You don't need to manually create a service-linked role. When you create a cluster in the {aws-management-console}, the {aws} CLI, or the {aws} API, Amazon EKS creates the service-linked role for you. - -If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you create a cluster, Amazon EKS creates the service-linked role for you again. - -[[edit-service-linked-role-eks,edit-service-linked-role-eks.title]] -==== Editing a service-linked role for Amazon EKS - -Amazon EKS does not allow you to edit the `AWSServiceRoleForAmazonEKS` service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role[Editing a service-linked role,type="documentation"] in the _IAM User Guide_. - -[[delete-service-linked-role-eks,delete-service-linked-role-eks.title]] -==== Deleting a service-linked role for Amazon EKS - -If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don't have an unused entity that is not actively monitored or maintained. However, you must clean up your service-linked role before you can manually delete it. - -[[service-linked-role-review-before-delete-eks,service-linked-role-review-before-delete-eks.title]] -===== Cleaning up a service-linked role - -Before you can use IAM to delete a service-linked role, you must first delete any resources used by the role. - -[NOTE] -==== - -If the Amazon EKS service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again. - -==== -. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. -. In the left navigation pane, choose *Clusters*. -. If your cluster has any node groups or Fargate profiles, you must delete them before you can delete the cluster. For more information, see <> and <>. -. On the *Clusters* page, choose the cluster that you want to delete and choose *Delete*. -. Type the name of the cluster in the deletion confirmation window, and then choose *Delete*. -. Repeat this procedure for any other clusters in your account. Wait for all of the delete operations to finish. - - -[[slr-manual-delete-eks,slr-manual-delete-eks.title]] -===== Manually delete the service-linked role - -Use the IAM console, the {aws} CLI, or the {aws} API to delete the `AWSServiceRoleForAmazonEKS` service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role[Deleting a service-linked role,type="documentation"] in the _IAM User Guide_. - -[[slr-regions-eks,slr-regions-eks.title]] -==== Supported regions for Amazon EKS service-linked roles - -Amazon EKS supports using service-linked roles in all of the regions where the service is available. For more information, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"]. - -[.topic] -[[using-service-linked-roles-eks-nodegroups,using-service-linked-roles-eks-nodegroups.title]] -=== Using roles for Amazon EKS node groups - -[abstract] --- -How to use service-linked roles to give Amazon EKS access to resources in your {aws} account. --- - -Amazon EKS uses {aws} Identity and Access Management (IAM) link:IAM/latest/UserGuide/id_roles.html#iam-term-service-linked-role[service-linked roles,type="documentation"]. A service-linked role is a unique type of IAM role that is linked directly to Amazon EKS. Service-linked roles are predefined by Amazon EKS and include all the permissions that the service requires to call other {aws} services on your behalf. - -A service-linked role makes setting up Amazon EKS easier because you don't have to manually add the necessary permissions. Amazon EKS defines the permissions of its service-linked roles, and unless defined otherwise, only Amazon EKS can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity. - -You can delete a service-linked role only after first deleting their related resources. This protects your Amazon EKS resources because you can't inadvertently remove permission to access the resources. - -For information about other services that support service-linked roles, see link:IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html[{aws} services that work with IAM,type="documentation"] and look for the services that have *Yes* in the *Service-linked role* column. Choose a *Yes* with a link to view the service-linked role documentation for that service. - -[[service-linked-role-permissions-eks-nodegroups,service-linked-role-permissions-eks-nodegroups.title]] -==== Service-linked role permissions for Amazon EKS - -Amazon EKS uses the service-linked role named `AWSServiceRoleForAmazonEKSNodegroup`. The role allows Amazon EKS to manage node groups in your account. The attached `AWSServiceRoleForAmazonEKSNodegroup` policy allows the role to manage the following resources: Auto Scaling groups, security groups, launch templates, and IAM instance profiles. For more information, see <>. - -The `AWSServiceRoleForAmazonEKSNodegroup` service-linked role trusts the following services to assume the role: - -* `eks-nodegroup.amazonaws.com` - -The role permissions policy allows Amazon EKS to complete the following actions on the specified resources: - -* link:aws-managed-policy/latest/reference/AWSServiceRoleForAmazonEKSNodegroup.html[AWSServiceRoleForAmazonEKSNodegroup,type="documentation"] - -You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions[Service-linked role permissions,type="documentation"] in the _IAM User Guide_. - -[[create-service-linked-role-eks-nodegroups,create-service-linked-role-eks-nodegroups.title]] -==== Creating a service-linked role for Amazon EKS - -You don't need to manually create a service-linked role. When you CreateNodegroup in the {aws-management-console}, the {aws} CLI, or the {aws} API, Amazon EKS creates the service-linked role for you. - -[IMPORTANT] -==== - -This service-linked role can appear in your account if you completed an action in another service that uses the features supported by this role. If you were using the Amazon EKS service before January 1, 2017, when it began supporting service-linked roles, then Amazon EKS created the AWSServiceRoleForAmazonEKSNodegroup role in your account. To learn more, see link:IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared[A new role appeared in my IAM account,type="documentation"]. - -==== - -[[create-service-linked-role-service-api-eks-nodegroups,create-service-linked-role-service-api-eks-nodegroups.title]] -===== Creating a service-linked role in Amazon EKS ({aws} API) - -You don't need to manually create a service-linked role. When you create a managed node group in the {aws-management-console}, the {aws} CLI, or the {aws} API, Amazon EKS creates the service-linked role for you. - -If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you create another managed node group, Amazon EKS creates the service-linked role for you again. - -[[edit-service-linked-role-eks-nodegroups,edit-service-linked-role-eks-nodegroups.title]] -==== Editing a service-linked role for Amazon EKS - -Amazon EKS does not allow you to edit the `AWSServiceRoleForAmazonEKSNodegroup` service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role[Editing a service-linked role,type="documentation"] in the _IAM User Guide_. - -[[delete-service-linked-role-eks-nodegroups,delete-service-linked-role-eks-nodegroups.title]] -==== Deleting a service-linked role for Amazon EKS - -If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don't have an unused entity that is not actively monitored or maintained. However, you must clean up your service-linked role before you can manually delete it. - -[[service-linked-role-review-before-delete-eks-nodegroups,service-linked-role-review-before-delete-eks-nodegroups.title]] -===== Cleaning up a service-linked role - -Before you can use IAM to delete a service-linked role, you must first delete any resources used by the role. - -[NOTE] -==== - -If the Amazon EKS service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again. - -==== -. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. -. In the left navigation pane, choose *Clusters*. -. Select the *Compute* tab. -. In the *Node groups* section, choose the node group to delete. -. Type the name of the node group in the deletion confirmation window, and then choose *Delete*. -. Repeat this procedure for any other node groups in the cluster. Wait for all of the delete operations to finish. - - -[[slr-manual-delete-eks-nodegroups,slr-manual-delete-eks-nodegroups.title]] -===== Manually delete the service-linked role - -Use the IAM console, the {aws} CLI, or the {aws} API to delete the `AWSServiceRoleForAmazonEKSNodegroup` service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role[Deleting a service-linked role,type="documentation"] in the _IAM User Guide_. - -[[slr-regions-eks-nodegroups,slr-regions-eks-nodegroups.title]] -==== Supported regions for Amazon EKS service-linked roles - -Amazon EKS supports using service-linked roles in all of the regions where the service is available. For more information, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"]. - -[.topic] -[[using-service-linked-roles-eks-fargate,using-service-linked-roles-eks-fargate.title]] -=== Using roles for Amazon EKS Fargate profiles - -[abstract] --- -How to use service-linked roles to give Amazon EKS access to resources in your {aws} account. --- - -Amazon EKS uses {aws} Identity and Access Management (IAM) link:IAM/latest/UserGuide/id_roles.html#iam-term-service-linked-role[service-linked roles,type="documentation"]. A service-linked role is a unique type of IAM role that is linked directly to Amazon EKS. Service-linked roles are predefined by Amazon EKS and include all the permissions that the service requires to call other {aws} services on your behalf. - -A service-linked role makes setting up Amazon EKS easier because you don't have to manually add the necessary permissions. Amazon EKS defines the permissions of its service-linked roles, and unless defined otherwise, only Amazon EKS can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity. - -You can delete a service-linked role only after first deleting their related resources. This protects your Amazon EKS resources because you can't inadvertently remove permission to access the resources. - -For information about other services that support service-linked roles, see link:IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html[{aws} services that work with IAM,type="documentation"] and look for the services that have *Yes* in the *Service-linked role* column. Choose a *Yes* with a link to view the service-linked role documentation for that service. - -[[service-linked-role-permissions-eks-fargate,service-linked-role-permissions-eks-fargate.title]] -==== Service-linked role permissions for Amazon EKS - -Amazon EKS uses the service-linked role named `AWSServiceRoleForAmazonEKSForFargate`. The role allows Amazon EKS Fargate to configure VPC networking required for Fargate [.noloc]`Pods`. The attached policies allow the role to create and delete elastic network interfaces and describe elastic network Interfaces and resources. - -The `AWSServiceRoleForAmazonEKSForFargate` service-linked role trusts the following services to assume the role: - -* `eks-fargate.amazonaws.com` - -The role permissions policy allows Amazon EKS to complete the following actions on the specified resources: - -* link:aws-managed-policy/latest/reference/AmazonEKSForFargateServiceRolePolicy.html[AmazonEKSForFargateServiceRolePolicy,type="documentation"] - -You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions[Service-linked role permissions,type="documentation"] in the _IAM User Guide_. - -[[create-service-linked-role-eks-fargate,create-service-linked-role-eks-fargate.title]] -==== Creating a service-linked role for Amazon EKS - -You don't need to manually create a service-linked role. When you create a Fargate profile in the {aws-management-console}, the {aws} CLI, or the {aws} API, Amazon EKS creates the service-linked role for you. - -[IMPORTANT] -==== - -This service-linked role can appear in your account if you completed an action in another service that uses the features supported by this role. If you were using the Amazon EKS service before December 13, 2019, when it began supporting service-linked roles, then Amazon EKS created the AWSServiceRoleForAmazonEKSForFargate role in your account. To learn more, see link:IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared[A New role appeared in my IAM account,type="documentation"]. - -==== - -[[create-service-linked-role-service-api-eks-fargate,create-service-linked-role-service-api-eks-fargate.title]] -===== Creating a service-linked role in Amazon EKS ({aws} API) - -You don't need to manually create a service-linked role. When you create a Fargate profile in the {aws-management-console}, the {aws} CLI, or the {aws} API, Amazon EKS creates the service-linked role for you. - -If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you create another managed node group, Amazon EKS creates the service-linked role for you again. - -[[edit-service-linked-role-eks-fargate,edit-service-linked-role-eks-fargate.title]] -==== Editing a service-linked role for Amazon EKS - -Amazon EKS does not allow you to edit the `AWSServiceRoleForAmazonEKSForFargate` service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role[Editing a service-linked role,type="documentation"] in the _IAM User Guide_. - -[[delete-service-linked-role-eks-fargate,delete-service-linked-role-eks-fargate.title]] -==== Deleting a service-linked role for Amazon EKS - -If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don't have an unused entity that is not actively monitored or maintained. However, you must clean up your service-linked role before you can manually delete it. - -[[service-linked-role-review-before-delete-eks-fargate,service-linked-role-review-before-delete-eks-fargate.title]] -===== Cleaning up a service-linked role - -Before you can use IAM to delete a service-linked role, you must first delete any resources used by the role. - -[NOTE] -==== - -If the Amazon EKS service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again. - -==== -. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. -. In the left navigation pane, choose *Clusters*. -. On the *Clusters* page, select your cluster. -. Select the *Compute* tab. -. If there are any Fargate profiles in the *Fargate profiles* section, select each one individually, and then choose *Delete*. -. Type the name of the profile in the deletion confirmation window, and then choose *Delete*. -. Repeat this procedure for any other Fargate profiles in the cluster and for any other clusters in your account. - - -[[slr-manual-delete-eks-fargate,slr-manual-delete-eks-fargate.title]] -===== Manually delete the service-linked role - -Use the IAM console, the {aws} CLI, or the {aws} API to delete the AWSServiceRoleForAmazonEKSForFargate service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role[Deleting a service-linked role,type="documentation"] in the _IAM User Guide_. - -[[slr-regions-eks-fargate,slr-regions-eks-fargate.title]] -==== Supported regions for Amazon EKS service-linked roles - -Amazon EKS supports using service-linked roles in all of the regions where the service is available. For more information, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"]. - -[.topic] -[[using-service-linked-roles-eks-connector,using-service-linked-roles-eks-connector.title]] -=== Using roles to connect a [.noloc]`Kubernetes` cluster to Amazon EKS - -[abstract] --- -How to use service-linked roles to give Amazon EKS access to resources in your {aws} account. --- - -Amazon EKS uses {aws} Identity and Access Management (IAM) link:IAM/latest/UserGuide/id_roles.html#iam-term-service-linked-role[service-linked roles,type="documentation"]. A service-linked role is a unique type of IAM role that is linked directly to Amazon EKS. Service-linked roles are predefined by Amazon EKS and include all the permissions that the service requires to call other {aws} services on your behalf. - -A service-linked role makes setting up Amazon EKS easier because you don't have to manually add the necessary permissions. Amazon EKS defines the permissions of its service-linked roles, and unless defined otherwise, only Amazon EKS can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity. - -You can delete a service-linked role only after first deleting their related resources. This protects your Amazon EKS resources because you can't inadvertently remove permission to access the resources. - -For information about other services that support service-linked roles, see link:IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html[{aws} services that work with IAM,type="documentation"] and look for the services that have *Yes* in the *Service-linked role* column. Choose a *Yes* with a link to view the service-linked role documentation for that service. - -[[service-linked-role-permissions-eks-connector,service-linked-role-permissions-eks-connector.title]] -==== Service-linked role permissions for Amazon EKS - -Amazon EKS uses the service-linked role named `AWSServiceRoleForAmazonEKSConnector`. The role allows Amazon EKS to connect [.noloc]`Kubernetes` clusters. The attached policies allow the role to manage necessary resources to connect to your registered [.noloc]`Kubernetes` cluster. - -The `AWSServiceRoleForAmazonEKSConnector` service-linked role trusts the following services to assume the role: - -* `eks-connector.amazonaws.com` - -The role permissions policy allows Amazon EKS to complete the following actions on the specified resources: - -* link:aws-managed-policy/latest/reference/AmazonEKSConnectorServiceRolePolicy.html[AmazonEKSConnectorServiceRolePolicy,type="documentation"] - -You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions[Service-linked role permissions,type="documentation"] in the _IAM User Guide_. - -[[create-service-linked-role-eks-connector,create-service-linked-role-eks-connector.title]] -==== Creating a service-linked role for Amazon EKS - -You don't need to manually create a service-linked role to connect a cluster. When you connect a cluster in the {aws-management-console}, the {aws} CLI, `eksctl`, or the {aws} API, Amazon EKS creates the service-linked role for you. - -If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you connect a cluster, Amazon EKS creates the service-linked role for you again. - -[[edit-service-linked-role-eks-connector,edit-service-linked-role-eks-connector.title]] -==== Editing a service-linked role for Amazon EKS - -Amazon EKS does not allow you to edit the `AWSServiceRoleForAmazonEKSConnector` service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role[Editing a service-linked role,type="documentation"] in the _IAM User Guide_. - -[[delete-service-linked-role-eks-connector,delete-service-linked-role-eks-connector.title]] -==== Deleting a service-linked role for Amazon EKS - -If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don't have an unused entity that is not actively monitored or maintained. However, you must clean up your service-linked role before you can manually delete it. - -[[service-linked-role-review-before-delete-eks-connector,service-linked-role-review-before-delete-eks-connector.title]] -===== Cleaning up a service-linked role - -Before you can use IAM to delete a service-linked role, you must first delete any resources used by the role. - -[NOTE] -==== - -If the Amazon EKS service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again. - -==== -. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. -. In the left navigation pane, choose *Clusters*. -. On the *Clusters* page, select your cluster. -. Select the *Deregister* tab and then select the *Ok* tab. - - -[[slr-manual-delete-eks-connector,slr-manual-delete-eks-connector.title]] -===== Manually delete the service-linked role - -Use the IAM console, the {aws} CLI, or the {aws} API to delete the AWSServiceRoleForAmazonEKSConnector service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role[Deleting a service-linked role,type="documentation"] in the _IAM User Guide_. - -[.topic] -[[using-service-linked-roles-eks-outpost,using-service-linked-roles-eks-outpost.title]] -=== Using roles for Amazon EKS local clusters on Outpost - -[abstract] --- -How to use service-linked roles to give Amazon EKS access to resources in your {aws} account. --- - -Amazon Elastic Kubernetes Service uses {aws} Identity and Access Management (IAM) link:IAM/latest/UserGuide/id_roles.html#iam-term-service-linked-role[service-linked roles,type="documentation"]. A service-linked role is a unique type of IAM role that is linked directly to Amazon EKS. Service-linked roles are predefined by Amazon EKS and include all the permissions that the service requires to call other {aws} services on your behalf. - -A service-linked role makes setting up Amazon EKS easier because you don't have to manually add the necessary permissions. Amazon EKS defines the permissions of its service-linked roles, and unless defined otherwise, only Amazon EKS can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity. - -You can delete a service-linked role only after first deleting their related resources. This protects your Amazon EKS resources because you can't inadvertently remove permission to access the resources. - -For information about other services that support service-linked roles, see link:IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html[{aws} services that work with IAM,type="documentation"] and look for the services that have *Yes* in the *Service-linked role* column. Choose a *Yes* with a link to view the service-linked role documentation for that service. - -[[service-linked-role-permissions,service-linked-role-permissions.title]] -==== Service-linked role permissions for Amazon EKS - -Amazon EKS uses the service-linked role named `AWSServiceRoleForAmazonEKSLocalOutpost`. The role allows Amazon EKS to manage local clusters in your account. The attached policies allow the role to manage the following resources: network interfaces, security groups, logs, and Amazon EC2 instances. - -[NOTE] -==== - -The `AWSServiceRoleForAmazonEKSLocalOutpost` service-linked role is distinct from the role required for cluster creation. For more information, see <>. - -==== - -The `AWSServiceRoleForAmazonEKSLocalOutpost` service-linked role trusts the following services to assume the role: - - - -* `outposts.eks-local.amazonaws.com` - -The role permissions policy allows Amazon EKS to complete the following actions on the specified resources: - - - -* link:aws-managed-policy/latest/reference/AmazonEKSServiceRolePolicy.html[AmazonEKSServiceRolePolicy,type="documentation"] - -You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions[Service-linked role permissions,type="documentation"] in the _IAM User Guide_. - -[[create-service-linked-role-eks-outpost,create-service-linked-role-eks-outpost.title]] -==== Creating a service-linked role for Amazon EKS - -You don't need to manually create a service-linked role. When you create a cluster in the {aws-management-console}, the {aws} CLI, or the {aws} API, Amazon EKS creates the service-linked role for you. - -If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you create a cluster, Amazon EKS creates the service-linked role for you again. - -[[edit-service-linked-role-eks-outpost,edit-service-linked-role-eks-outpost.title]] -==== Editing a service-linked role for Amazon EKS - -Amazon EKS does not allow you to edit the `AWSServiceRoleForAmazonEKSLocalOutpost` service-linked role. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role[Editing a service-linked role,type="documentation"] in the _IAM User Guide_. - -[[delete-service-linked-role-eks-outpost,delete-service-linked-role-eks-outpost.title]] -==== Deleting a service-linked role for Amazon EKS - -If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don't have an unused entity that is not actively monitored or maintained. However, you must clean up your service-linked role before you can manually delete it. - -[[service-linked-role-review-before-delete-eks-outpost,service-linked-role-review-before-delete-eks-outpost.title]] -===== Cleaning up a service-linked role - -Before you can use IAM to delete a service-linked role, you must first delete any resources used by the role. - -[NOTE] -==== - -If the Amazon EKS service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again. - -==== -. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. -. In the left navigation pane, choose Amazon EKS *Clusters*. -. If your cluster has any node groups or Fargate profiles, you must delete them before you can delete the cluster. For more information, see <> and <>. -. On the *Clusters* page, choose the cluster that you want to delete and choose *Delete*. -. Type the name of the cluster in the deletion confirmation window, and then choose *Delete*. -. Repeat this procedure for any other clusters in your account. Wait for all of the delete operations to finish. - - -[[slr-manual-delete-eks-outpost,slr-manual-delete-eks-outpost.title]] -===== Manually delete the service-linked role - -Use the IAM console, the {aws} CLI, or the {aws} API to delete the `AWSServiceRoleForAmazonEKSLocalOutpost` service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role[Deleting a service-linked role,type="documentation"] in the _IAM User Guide_. - -[[slr-regions-eks-connector,slr-regions-eks-connector.title]] -==== Supported regions for Amazon EKS service-linked roles - -Amazon EKS supports using service-linked roles in all of the regions where the service is available. For more information, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"]. - - - - -[.topic] -[[pod-execution-role,pod-execution-role.title]] -== Amazon EKS [.noloc]`Pod` execution IAM role - -The Amazon EKS [.noloc]`Pod` execution role is required to run [.noloc]`Pods` on {aws} Fargate infrastructure. - -When your cluster creates [.noloc]`Pods` on {aws} Fargate infrastructure, the components running on the Fargate infrastructure must make calls to {aws} APIs on your behalf. This is so that they can do actions such as pull container images from Amazon ECR or route logs to other {aws} services. The Amazon EKS [.noloc]`Pod` execution role provides the IAM permissions to do this. - -When you create a Fargate profile, you must specify a [.noloc]`Pod` execution role for the Amazon EKS components that run on the Fargate infrastructure using the profile. This role is added to the cluster's [.noloc]`Kubernetes` https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Role based access control] (RBAC) for authorization. This allows the `kubelet` that's running on the Fargate infrastructure to register with your Amazon EKS cluster so that it can appear in your cluster as a node. - -[NOTE] -==== - -The Fargate profile must have a different IAM role than Amazon EC2 node groups. - -==== - -[IMPORTANT] -==== - -The containers running in the Fargate [.noloc]`Pod` can't assume the IAM permissions associated with a [.noloc]`Pod` execution role. To give the containers in your Fargate [.noloc]`Pod` permissions to access other {aws} services, you must use <>. - -==== - -Before you create a Fargate profile, you must create an IAM role with the link:aws-managed-policy/latest/reference/AmazonEKSFargatePodExecutionRolePolicy.html[AmazonEKSFargatePodExecutionRolePolicy,type="documentation"]. -[[check-pod-execution-role,check-pod-execution-role.title]] -=== Check for a correctly configured existing [.noloc]`Pod` execution role - -You can use the following procedure to check and see if your account already has a correctly configured Amazon EKS [.noloc]`Pod` execution role. To avoid a confused deputy security problem, it's important that the role restricts access based on `SourceArn`. You can modify the execution role as needed to include support for Fargate profiles on other clusters. - -. Open the IAM console at https://console.aws.amazon.com/iam/. -. In the left navigation pane, choose *Roles*. -. On the *Roles* page, search the list of roles for *AmazonEKSFargatePodExecutionRole*. If the role doesn't exist, see <> to create the role. If the role does exist, choose the role. -. On the *AmazonEKSFargatePodExecutionRole* page, do the following: -+ -.. Choose *Permissions*. -.. Ensure that the *AmazonEKSFargatePodExecutionRolePolicy* Amazon managed policy is attached to the role. -.. Choose *Trust relationships*. -.. Choose *Edit trust policy*. -. On the *Edit trust policy* page, verify that the trust relationship contains the following policy and has a line for Fargate profiles on your cluster. If so, choose *Cancel*. -+ -[source,json,subs="verbatim,attributes"] ----- -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Condition": { - "ArnLike": { - "aws:SourceArn": "{arn-aws}eks:region-code:111122223333:fargateprofile/my-cluster/*" - } - }, - "Principal": { - "Service": "eks-fargate-pods.amazonaws.com" - }, - "Action": "sts:AssumeRole" - } - ] -} ----- -+ -If the policy matches but doesn't have a line specifying the Fargate profiles on your cluster, you can add the following line at the top of the `ArnLike` object. Replace [.replaceable]`region-code` with the {aws} Region that your cluster is in, [.replaceable]`111122223333` with your account ID, and [.replaceable]`my-cluster` with the name of your cluster. -+ -[source,json,subs="verbatim,attributes"] ----- -"aws:SourceArn": "{arn-aws}eks:region-code:111122223333:fargateprofile/my-cluster/*", ----- -+ -If the policy doesn't match, copy the full previous policy into the form and choose *Update policy*. Replace [.replaceable]`region-code` with the {aws} Region that your cluster is in. If you want to use the same role in all {aws} Regions in your account, replace [.replaceable]`region-code` with `{asterisk}`. Replace [.replaceable]`111122223333` with your account ID and [.replaceable]`my-cluster` with the name of your cluster. If you want to use the same role for all clusters in your account, replace [.replaceable]`my-cluster` with `{asterisk}`. - - -[[create-pod-execution-role,create-pod-execution-role.title]] -=== Creating the Amazon EKS [.noloc]`Pod` execution role - -If you don't already have the Amazon EKS [.noloc]`Pod` execution role for your cluster, you can use the {aws-management-console} or the {aws} CLI to create it. - - - -{aws-management-console}:: -.. Open the IAM console at https://console.aws.amazon.com/iam/. -.. In the left navigation pane, choose *Roles*. -.. On the *Roles* page, choose *Create role*. -.. On the *Select trusted entity* page, do the following: -+ -... In the *Trusted entity type* section, choose *{aws} service*. -... From the *Use cases for other {aws} services* dropdown list, choose *EKS*. -... Choose *EKS - Fargate [.noloc]`Pod`*. -... Choose *Next*. -.. On the *Add permissions* page, choose *Next*. -.. On the *Name, review, and create* page, do the following: -+ -... For *Role name*, enter a unique name for your role, such as `AmazonEKSFargatePodExecutionRole`. -... Under *Add tags (Optional)*, add metadata to the role by attaching tags as key-value pairs. For more information about using tags in IAM, see link:IAM/latest/UserGuide/id_tags.html[Tagging IAM resources,type="documentation"] in the _IAM User Guide_. -... Choose *Create role*. -.. On the *Roles* page, search the list of roles for *AmazonEKSFargatePodExecutionRole*. Choose the role. -.. On the *AmazonEKSFargatePodExecutionRole* page, do the following: -+ -... Choose *Trust relationships*. -... Choose *Edit trust policy*. -.. On the *Edit trust policy* page, do the following: -+ -... Copy and paste the following contents into the *Edit trust policy* form. Replace [.replaceable]`region-code` with the {aws} Region that your cluster is in. If you want to use the same role in all {aws} Regions in your account, replace [.replaceable]`region-code` with `{asterisk}`. Replace [.replaceable]`111122223333` with your account ID and [.replaceable]`my-cluster` with the name of your cluster. If you want to use the same role for all clusters in your account, replace [.replaceable]`my-cluster` with `{asterisk}`. -+ -[source,json,subs="verbatim,attributes"] ----- -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Condition": { - "ArnLike": { - "aws:SourceArn": "{arn-aws}eks:region-code:111122223333:fargateprofile/my-cluster/*" - } - }, - "Principal": { - "Service": "eks-fargate-pods.amazonaws.com" - }, - "Action": "sts:AssumeRole" - } - ] -} ----- -... Choose *Update policy*. - - -{aws} CLI:: -.. Copy and paste the following contents to a file named `pod-execution-role-trust-policy.json`. Replace [.replaceable]`region-code` with the {aws} Region that your cluster is in. If you want to use the same role in all {aws} Regions in your account, replace [.replaceable]`region-code` with `{asterisk}`. Replace [.replaceable]`111122223333` with your account ID and [.replaceable]`my-cluster` with the name of your cluster. If you want to use the same role for all clusters in your account, replace [.replaceable]`my-cluster` with `{asterisk}`. -+ -[source,json,subs="verbatim,attributes"] ----- -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Condition": { - "ArnLike": { - "aws:SourceArn": "{arn-aws}eks:region-code:111122223333:fargateprofile/my-cluster/*" - } - }, - "Principal": { - "Service": "eks-fargate-pods.amazonaws.com" - }, - "Action": "sts:AssumeRole" - } - ] -} ----- -.. Create a [.noloc]`Pod` execution IAM role. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws iam create-role \ - --role-name AmazonEKSFargatePodExecutionRole \ - --assume-role-policy-document file://"pod-execution-role-trust-policy.json" ----- -.. Attach the required Amazon EKS managed IAM policy to the role. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws iam attach-role-policy \ - --policy-arn {arn-aws}iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy \ - --role-name AmazonEKSFargatePodExecutionRole ----- - - -[.topic] -[[connector-iam-role,connector-iam-role.title]] -== Amazon EKS connector IAM role - -You can connect [.noloc]`Kubernetes` clusters to view them in your {aws-management-console}. To connect to a [.noloc]`Kubernetes` cluster, create an IAM role. - -[[check-connector-role,check-connector-role.title]] -=== Check for an existing EKS connector role - -You can use the following procedure to check and see if your account already has the Amazon EKS connector role. - -. Open the IAM console at https://console.aws.amazon.com/iam/. -. In the left navigation pane, choose *Roles*. -. Search the list of roles for `AmazonEKSConnectorAgentRole`. If a role that includes `AmazonEKSConnectorAgentRole` doesn't exist, then see <> to create the role. If a role that includes `AmazonEKSConnectorAgentRole` does exist, then select the role to view the attached policies. -. Choose *Permissions*. -. Ensure that the *AmazonEKSConnectorAgentPolicy* managed policy is attached to the role. If the policy is attached, your Amazon EKS connector role is properly configured. -. Choose *Trust relationships*, and then choose *Edit trust policy*. -. Verify that the trust relationship contains the following policy. If the trust relationship matches the following policy, choose *Cancel*. If the trust relationship doesn't match, copy the policy into the *Edit trust policy* window and choose *Update policy*. -+ -[source,json,subs="verbatim,attributes"] ----- -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": [ - "ssm.amazonaws.com" - ] - }, - "Action": "sts:AssumeRole" - } - ] -} ----- - - -[[create-connector-role,create-connector-role.title]] -=== Creating the Amazon EKS connector agent role - -You can use the {aws-management-console} or {aws} CloudFormation to create the connector agent role. - -{aws} CLI:: -.. Create a file named `eks-connector-agent-trust-policy.json` that contains the following JSON to use for the IAM role. -+ -[source,json,subs="verbatim,attributes"] ----- -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": [ - "ssm.amazonaws.com" - ] - }, - "Action": "sts:AssumeRole" - } - ] -} ----- -.. Create a file named `eks-connector-agent-policy.json` that contains the following JSON to use for the IAM role. -+ -[source,json,subs="verbatim,attributes"] ----- -{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "SsmControlChannel", - "Effect": "Allow", - "Action": [ - "ssmmessages:CreateControlChannel" - ], - "Resource": "{arn-aws}eks:*:*:cluster/*" - }, - { - "Sid": "ssmDataplaneOperations", - "Effect": "Allow", - "Action": [ - "ssmmessages:CreateDataChannel", - "ssmmessages:OpenDataChannel", - "ssmmessages:OpenControlChannel" - ], - "Resource": "*" - } - ] -} ----- -.. Create the Amazon EKS Connector agent role using the trust policy and policy you created in the previous list items. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws iam create-role \ - --role-name AmazonEKSConnectorAgentRole \ - --assume-role-policy-document file://eks-connector-agent-trust-policy.json ----- -.. Attach the policy to your Amazon EKS Connector agent role. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws iam put-role-policy \ - --role-name AmazonEKSConnectorAgentRole \ - --policy-name AmazonEKSConnectorAgentPolicy \ - --policy-document file://eks-connector-agent-policy.json ----- - - -{aws} CloudFormation:: -.. Save the following {aws} CloudFormation template to a text file on your local system. -+ -NOTE: This template also creates the service-linked role that would otherwise be created when the `registerCluster` API is called. See <> for details. -+ -[source,yaml,subs="verbatim,attributes"] ----- ---- -AWSTemplateFormatVersion: '2010-09-09' -Description: 'Provisions necessary resources needed to register clusters in EKS' -Parameters: {} -Resources: - EKSConnectorSLR: - Type: {aws}::IAM::ServiceLinkedRole - Properties: - AWSServiceName: eks-connector.amazonaws.com - - EKSConnectorAgentRole: - Type: {aws}::IAM::Role - Properties: - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Action: [ 'sts:AssumeRole' ] - Principal: - Service: 'ssm.amazonaws.com' - - EKSConnectorAgentPolicy: - Type: {aws}::IAM::Policy - Properties: - PolicyName: EKSConnectorAgentPolicy - Roles: - - {Ref: 'EKSConnectorAgentRole'} - PolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: 'Allow' - Action: [ 'ssmmessages:CreateControlChannel' ] - Resource: - - Fn::Sub: 'arn:${{aws}::Partition}:eks:*:*:cluster/*' - - Effect: 'Allow' - Action: [ 'ssmmessages:CreateDataChannel', 'ssmmessages:OpenDataChannel', 'ssmmessages:OpenControlChannel' ] - Resource: "*" -Outputs: - EKSConnectorAgentRoleArn: - Description: The agent role that EKS connector uses to communicate with {aws} services. - Value: !GetAtt EKSConnectorAgentRole.Arn ----- -.. Open the link:cloudformation/[{aws} CloudFormation console,type="console"]. -.. Choose *Create stack* with new resources (standard). -.. For *Specify template*, select *Upload a template file*, and then choose *Choose file*. -.. Choose the file you created earlier, and then choose *Next*. -.. For *Stack name*, enter a name for your role, such as `eksConnectorAgentRole`, and then choose *Next*. -.. On the *Configure stack options* page, choose *Next*. -.. On the *Review* page, review your information, acknowledge that the stack might create IAM resources, and then choose *Create stack*. diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc new file mode 100644 index 000000000..e7f4387b8 --- /dev/null +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc @@ -0,0 +1,75 @@ +//!!NODE_ROOT
+[.topic] +[[using-service-linked-roles-eks-connector,using-service-linked-roles-eks-connector.title]] += Using roles to connect a [.noloc]`Kubernetes` cluster to Amazon EKS +:info_titleabbrev: Cluster connector role + +include::../../attributes.txt[] + +[abstract] +-- +How to use service-linked roles to give Amazon EKS access to resources in your {aws} account. +-- + +Amazon EKS uses {aws} Identity and Access Management (IAM) link:IAM/latest/UserGuide/id_roles.html#iam-term-service-linked-role[service-linked roles,type="documentation"]. A service-linked role is a unique type of IAM role that is linked directly to Amazon EKS. Service-linked roles are predefined by Amazon EKS and include all the permissions that the service requires to call other {aws} services on your behalf. + +A service-linked role makes setting up Amazon EKS easier because you don't have to manually add the necessary permissions. Amazon EKS defines the permissions of its service-linked roles, and unless defined otherwise, only Amazon EKS can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity. + +You can delete a service-linked role only after first deleting their related resources. This protects your Amazon EKS resources because you can't inadvertently remove permission to access the resources. + +For information about other services that support service-linked roles, see link:IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html[{aws} services that work with IAM,type="documentation"] and look for the services that have *Yes* in the *Service-linked role* column. Choose a *Yes* with a link to view the service-linked role documentation for that service. + +[[service-linked-role-permissions-eks-connector,service-linked-role-permissions-eks-connector.title]] +== Service-linked role permissions for Amazon EKS + +Amazon EKS uses the service-linked role named `AWSServiceRoleForAmazonEKSConnector`. The role allows Amazon EKS to connect [.noloc]`Kubernetes` clusters. The attached policies allow the role to manage necessary resources to connect to your registered [.noloc]`Kubernetes` cluster. + +The `AWSServiceRoleForAmazonEKSConnector` service-linked role trusts the following services to assume the role: + +* `eks-connector.amazonaws.com` + +The role permissions policy allows Amazon EKS to complete the following actions on the specified resources: + +* link:aws-managed-policy/latest/reference/AmazonEKSConnectorServiceRolePolicy.html[AmazonEKSConnectorServiceRolePolicy,type="documentation"] + +You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions[Service-linked role permissions,type="documentation"] in the _IAM User Guide_. + +[[create-service-linked-role-eks-connector,create-service-linked-role-eks-connector.title]] +== Creating a service-linked role for Amazon EKS + +You don't need to manually create a service-linked role to connect a cluster. When you connect a cluster in the {aws-management-console}, the {aws} CLI, `eksctl`, or the {aws} API, Amazon EKS creates the service-linked role for you. + +If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you connect a cluster, Amazon EKS creates the service-linked role for you again. + +[[edit-service-linked-role-eks-connector,edit-service-linked-role-eks-connector.title]] +== Editing a service-linked role for Amazon EKS + +Amazon EKS does not allow you to edit the `AWSServiceRoleForAmazonEKSConnector` service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role[Editing a service-linked role,type="documentation"] in the _IAM User Guide_. + +[[delete-service-linked-role-eks-connector,delete-service-linked-role-eks-connector.title]] +== Deleting a service-linked role for Amazon EKS + +If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don't have an unused entity that is not actively monitored or maintained. However, you must clean up your service-linked role before you can manually delete it. + +[[service-linked-role-review-before-delete-eks-connector,service-linked-role-review-before-delete-eks-connector.title]] +=== Cleaning up a service-linked role + +Before you can use IAM to delete a service-linked role, you must first delete any resources used by the role. + +[NOTE] +==== + +If the Amazon EKS service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again. + +==== +. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. +. In the left navigation pane, choose *Clusters*. +. On the *Clusters* page, select your cluster. +. Select the *Deregister* tab and then select the *Ok* tab. + + +[[slr-manual-delete-eks-connector,slr-manual-delete-eks-connector.title]] +=== Manually delete the service-linked role + +Use the IAM console, the {aws} CLI, or the {aws} API to delete the AWSServiceRoleForAmazonEKSConnector service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role[Deleting a service-linked role,type="documentation"] in the _IAM User Guide_. + diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc new file mode 100644 index 000000000..c302b5205 --- /dev/null +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc @@ -0,0 +1,95 @@ +//!!NODE_ROOT
+[.topic] +[[using-service-linked-roles-eks-fargate,using-service-linked-roles-eks-fargate.title]] += Using roles for Amazon EKS Fargate profiles +:info_titleabbrev: Fargate profile role + +include::../../attributes.txt[] + +[abstract] +-- +How to use service-linked roles to give Amazon EKS access to resources in your {aws} account. +-- + +Amazon EKS uses {aws} Identity and Access Management (IAM) link:IAM/latest/UserGuide/id_roles.html#iam-term-service-linked-role[service-linked roles,type="documentation"]. A service-linked role is a unique type of IAM role that is linked directly to Amazon EKS. Service-linked roles are predefined by Amazon EKS and include all the permissions that the service requires to call other {aws} services on your behalf. + +A service-linked role makes setting up Amazon EKS easier because you don't have to manually add the necessary permissions. Amazon EKS defines the permissions of its service-linked roles, and unless defined otherwise, only Amazon EKS can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity. + +You can delete a service-linked role only after first deleting their related resources. This protects your Amazon EKS resources because you can't inadvertently remove permission to access the resources. + +For information about other services that support service-linked roles, see link:IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html[{aws} services that work with IAM,type="documentation"] and look for the services that have *Yes* in the *Service-linked role* column. Choose a *Yes* with a link to view the service-linked role documentation for that service. + +[[service-linked-role-permissions-eks-fargate,service-linked-role-permissions-eks-fargate.title]] +== Service-linked role permissions for Amazon EKS + +Amazon EKS uses the service-linked role named `AWSServiceRoleForAmazonEKSForFargate`. The role allows Amazon EKS Fargate to configure VPC networking required for Fargate [.noloc]`Pods`. The attached policies allow the role to create and delete elastic network interfaces and describe elastic network Interfaces and resources. + +The `AWSServiceRoleForAmazonEKSForFargate` service-linked role trusts the following services to assume the role: + +* `eks-fargate.amazonaws.com` + +The role permissions policy allows Amazon EKS to complete the following actions on the specified resources: + +* link:aws-managed-policy/latest/reference/AmazonEKSForFargateServiceRolePolicy.html[AmazonEKSForFargateServiceRolePolicy,type="documentation"] + +You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions[Service-linked role permissions,type="documentation"] in the _IAM User Guide_. + +[[create-service-linked-role-eks-fargate,create-service-linked-role-eks-fargate.title]] +== Creating a service-linked role for Amazon EKS + +You don't need to manually create a service-linked role. When you create a Fargate profile in the {aws-management-console}, the {aws} CLI, or the {aws} API, Amazon EKS creates the service-linked role for you. + +[IMPORTANT] +==== + +This service-linked role can appear in your account if you completed an action in another service that uses the features supported by this role. If you were using the Amazon EKS service before December 13, 2019, when it began supporting service-linked roles, then Amazon EKS created the AWSServiceRoleForAmazonEKSForFargate role in your account. To learn more, see link:IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared[A New role appeared in my IAM account,type="documentation"]. + +==== + +[[create-service-linked-role-service-api-eks-fargate,create-service-linked-role-service-api-eks-fargate.title]] +=== Creating a service-linked role in Amazon EKS ({aws} API) + +You don't need to manually create a service-linked role. When you create a Fargate profile in the {aws-management-console}, the {aws} CLI, or the {aws} API, Amazon EKS creates the service-linked role for you. + +If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you create another managed node group, Amazon EKS creates the service-linked role for you again. + +[[edit-service-linked-role-eks-fargate,edit-service-linked-role-eks-fargate.title]] +== Editing a service-linked role for Amazon EKS + +Amazon EKS does not allow you to edit the `AWSServiceRoleForAmazonEKSForFargate` service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role[Editing a service-linked role,type="documentation"] in the _IAM User Guide_. + +[[delete-service-linked-role-eks-fargate,delete-service-linked-role-eks-fargate.title]] +== Deleting a service-linked role for Amazon EKS + +If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don't have an unused entity that is not actively monitored or maintained. However, you must clean up your service-linked role before you can manually delete it. + +[[service-linked-role-review-before-delete-eks-fargate,service-linked-role-review-before-delete-eks-fargate.title]] +=== Cleaning up a service-linked role + +Before you can use IAM to delete a service-linked role, you must first delete any resources used by the role. + +[NOTE] +==== + +If the Amazon EKS service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again. + +==== +. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. +. In the left navigation pane, choose *Clusters*. +. On the *Clusters* page, select your cluster. +. Select the *Compute* tab. +. If there are any Fargate profiles in the *Fargate profiles* section, select each one individually, and then choose *Delete*. +. Type the name of the profile in the deletion confirmation window, and then choose *Delete*. +. Repeat this procedure for any other Fargate profiles in the cluster and for any other clusters in your account. + + +[[slr-manual-delete-eks-fargate,slr-manual-delete-eks-fargate.title]] +=== Manually delete the service-linked role + +Use the IAM console, the {aws} CLI, or the {aws} API to delete the AWSServiceRoleForAmazonEKSForFargate service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role[Deleting a service-linked role,type="documentation"] in the _IAM User Guide_. + +[[slr-regions-eks-fargate,slr-regions-eks-fargate.title]] +== Supported regions for Amazon EKS service-linked roles + +Amazon EKS supports using service-linked roles in all of the regions where the service is available. For more information, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"]. + diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc new file mode 100644 index 000000000..5f82452fd --- /dev/null +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc @@ -0,0 +1,94 @@ +//!!NODE_ROOT
+[.topic] +[[using-service-linked-roles-eks-nodegroups,using-service-linked-roles-eks-nodegroups.title]] += Using roles for Amazon EKS node groups +:info_titleabbrev: Node groups role + +include::../../attributes.txt[] + +[abstract] +-- +How to use service-linked roles to give Amazon EKS access to resources in your {aws} account. +-- + +Amazon EKS uses {aws} Identity and Access Management (IAM) link:IAM/latest/UserGuide/id_roles.html#iam-term-service-linked-role[service-linked roles,type="documentation"]. A service-linked role is a unique type of IAM role that is linked directly to Amazon EKS. Service-linked roles are predefined by Amazon EKS and include all the permissions that the service requires to call other {aws} services on your behalf. + +A service-linked role makes setting up Amazon EKS easier because you don't have to manually add the necessary permissions. Amazon EKS defines the permissions of its service-linked roles, and unless defined otherwise, only Amazon EKS can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity. + +You can delete a service-linked role only after first deleting their related resources. This protects your Amazon EKS resources because you can't inadvertently remove permission to access the resources. + +For information about other services that support service-linked roles, see link:IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html[{aws} services that work with IAM,type="documentation"] and look for the services that have *Yes* in the *Service-linked role* column. Choose a *Yes* with a link to view the service-linked role documentation for that service. + +[[service-linked-role-permissions-eks-nodegroups,service-linked-role-permissions-eks-nodegroups.title]] +== Service-linked role permissions for Amazon EKS + +Amazon EKS uses the service-linked role named `AWSServiceRoleForAmazonEKSNodegroup`. The role allows Amazon EKS to manage node groups in your account. The attached `AWSServiceRoleForAmazonEKSNodegroup` policy allows the role to manage the following resources: Auto Scaling groups, security groups, launch templates, and IAM instance profiles. For more information, see <>. + +The `AWSServiceRoleForAmazonEKSNodegroup` service-linked role trusts the following services to assume the role: + +* `eks-nodegroup.amazonaws.com` + +The role permissions policy allows Amazon EKS to complete the following actions on the specified resources: + +* link:aws-managed-policy/latest/reference/AWSServiceRoleForAmazonEKSNodegroup.html[AWSServiceRoleForAmazonEKSNodegroup,type="documentation"] + +You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions[Service-linked role permissions,type="documentation"] in the _IAM User Guide_. + +[[create-service-linked-role-eks-nodegroups,create-service-linked-role-eks-nodegroups.title]] +== Creating a service-linked role for Amazon EKS + +You don't need to manually create a service-linked role. When you CreateNodegroup in the {aws-management-console}, the {aws} CLI, or the {aws} API, Amazon EKS creates the service-linked role for you. + +[IMPORTANT] +==== + +This service-linked role can appear in your account if you completed an action in another service that uses the features supported by this role. If you were using the Amazon EKS service before January 1, 2017, when it began supporting service-linked roles, then Amazon EKS created the AWSServiceRoleForAmazonEKSNodegroup role in your account. To learn more, see link:IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared[A new role appeared in my IAM account,type="documentation"]. + +==== + +[[create-service-linked-role-service-api-eks-nodegroups,create-service-linked-role-service-api-eks-nodegroups.title]] +=== Creating a service-linked role in Amazon EKS ({aws} API) + +You don't need to manually create a service-linked role. When you create a managed node group in the {aws-management-console}, the {aws} CLI, or the {aws} API, Amazon EKS creates the service-linked role for you. + +If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you create another managed node group, Amazon EKS creates the service-linked role for you again. + +[[edit-service-linked-role-eks-nodegroups,edit-service-linked-role-eks-nodegroups.title]] +== Editing a service-linked role for Amazon EKS + +Amazon EKS does not allow you to edit the `AWSServiceRoleForAmazonEKSNodegroup` service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role[Editing a service-linked role,type="documentation"] in the _IAM User Guide_. + +[[delete-service-linked-role-eks-nodegroups,delete-service-linked-role-eks-nodegroups.title]] +== Deleting a service-linked role for Amazon EKS + +If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don't have an unused entity that is not actively monitored or maintained. However, you must clean up your service-linked role before you can manually delete it. + +[[service-linked-role-review-before-delete-eks-nodegroups,service-linked-role-review-before-delete-eks-nodegroups.title]] +=== Cleaning up a service-linked role + +Before you can use IAM to delete a service-linked role, you must first delete any resources used by the role. + +[NOTE] +==== + +If the Amazon EKS service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again. + +==== +. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. +. In the left navigation pane, choose *Clusters*. +. Select the *Compute* tab. +. In the *Node groups* section, choose the node group to delete. +. Type the name of the node group in the deletion confirmation window, and then choose *Delete*. +. Repeat this procedure for any other node groups in the cluster. Wait for all of the delete operations to finish. + + +[[slr-manual-delete-eks-nodegroups,slr-manual-delete-eks-nodegroups.title]] +=== Manually delete the service-linked role + +Use the IAM console, the {aws} CLI, or the {aws} API to delete the `AWSServiceRoleForAmazonEKSNodegroup` service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role[Deleting a service-linked role,type="documentation"] in the _IAM User Guide_. + +[[slr-regions-eks-nodegroups,slr-regions-eks-nodegroups.title]] +== Supported regions for Amazon EKS service-linked roles + +Amazon EKS supports using service-linked roles in all of the regions where the service is available. For more information, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"]. + diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc new file mode 100644 index 000000000..cd2c268be --- /dev/null +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc @@ -0,0 +1,96 @@ +//!!NODE_ROOT
+[.topic] +[[using-service-linked-roles-eks-outpost,using-service-linked-roles-eks-outpost.title]] += Using roles for Amazon EKS local clusters on Outpost +:info_titleabbrev: Local cluster role + +include::../../attributes.txt[] + +[abstract] +-- +How to use service-linked roles to give Amazon EKS access to resources in your {aws} account. +-- + +Amazon Elastic Kubernetes Service uses {aws} Identity and Access Management (IAM) link:IAM/latest/UserGuide/id_roles.html#iam-term-service-linked-role[service-linked roles,type="documentation"]. A service-linked role is a unique type of IAM role that is linked directly to Amazon EKS. Service-linked roles are predefined by Amazon EKS and include all the permissions that the service requires to call other {aws} services on your behalf. + +A service-linked role makes setting up Amazon EKS easier because you don't have to manually add the necessary permissions. Amazon EKS defines the permissions of its service-linked roles, and unless defined otherwise, only Amazon EKS can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity. + +You can delete a service-linked role only after first deleting their related resources. This protects your Amazon EKS resources because you can't inadvertently remove permission to access the resources. + +For information about other services that support service-linked roles, see link:IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html[{aws} services that work with IAM,type="documentation"] and look for the services that have *Yes* in the *Service-linked role* column. Choose a *Yes* with a link to view the service-linked role documentation for that service. + +[[service-linked-role-permissions,service-linked-role-permissions.title]] +== Service-linked role permissions for Amazon EKS + +Amazon EKS uses the service-linked role named `AWSServiceRoleForAmazonEKSLocalOutpost`. The role allows Amazon EKS to manage local clusters in your account. The attached policies allow the role to manage the following resources: network interfaces, security groups, logs, and Amazon EC2 instances. + +[NOTE] +==== + +The `AWSServiceRoleForAmazonEKSLocalOutpost` service-linked role is distinct from the role required for cluster creation. For more information, see <>. + +==== + +The `AWSServiceRoleForAmazonEKSLocalOutpost` service-linked role trusts the following services to assume the role: + + + +* `outposts.eks-local.amazonaws.com` + +The role permissions policy allows Amazon EKS to complete the following actions on the specified resources: + + + +* link:aws-managed-policy/latest/reference/AmazonEKSServiceRolePolicy.html[AmazonEKSServiceRolePolicy,type="documentation"] + +You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions[Service-linked role permissions,type="documentation"] in the _IAM User Guide_. + +[[create-service-linked-role-eks-outpost,create-service-linked-role-eks-outpost.title]] +== Creating a service-linked role for Amazon EKS + +You don't need to manually create a service-linked role. When you create a cluster in the {aws-management-console}, the {aws} CLI, or the {aws} API, Amazon EKS creates the service-linked role for you. + +If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you create a cluster, Amazon EKS creates the service-linked role for you again. + +[[edit-service-linked-role-eks-outpost,edit-service-linked-role-eks-outpost.title]] +== Editing a service-linked role for Amazon EKS + +Amazon EKS does not allow you to edit the `AWSServiceRoleForAmazonEKSLocalOutpost` service-linked role. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role[Editing a service-linked role,type="documentation"] in the _IAM User Guide_. + +[[delete-service-linked-role-eks-outpost,delete-service-linked-role-eks-outpost.title]] +== Deleting a service-linked role for Amazon EKS + +If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don't have an unused entity that is not actively monitored or maintained. However, you must clean up your service-linked role before you can manually delete it. + +[[service-linked-role-review-before-delete-eks-outpost,service-linked-role-review-before-delete-eks-outpost.title]] +=== Cleaning up a service-linked role + +Before you can use IAM to delete a service-linked role, you must first delete any resources used by the role. + +[NOTE] +==== + +If the Amazon EKS service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again. + +==== +. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. +. In the left navigation pane, choose Amazon EKS *Clusters*. +. If your cluster has any node groups or Fargate profiles, you must delete them before you can delete the cluster. For more information, see <> and <>. +. On the *Clusters* page, choose the cluster that you want to delete and choose *Delete*. +. Type the name of the cluster in the deletion confirmation window, and then choose *Delete*. +. Repeat this procedure for any other clusters in your account. Wait for all of the delete operations to finish. + + +[[slr-manual-delete-eks-outpost,slr-manual-delete-eks-outpost.title]] +=== Manually delete the service-linked role + +Use the IAM console, the {aws} CLI, or the {aws} API to delete the `AWSServiceRoleForAmazonEKSLocalOutpost` service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role[Deleting a service-linked role,type="documentation"] in the _IAM User Guide_. + +[[slr-regions-eks-connector,slr-regions-eks-connector.title]] +== Supported regions for Amazon EKS service-linked roles + +Amazon EKS supports using service-linked roles in all of the regions where the service is available. For more information, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"]. + + + + diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc new file mode 100644 index 000000000..cc9838a47 --- /dev/null +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc @@ -0,0 +1,89 @@ +//!!NODE_ROOT
+[.topic] +[[using-service-linked-roles-eks,using-service-linked-roles-eks.title]] += Using roles for Amazon EKS clusters +:info_titleabbrev: Cluster role + +include::../../attributes.txt[] + +[abstract] +-- +How to use service-linked roles to give Amazon EKS access to resources in your {aws} account. +-- + +Amazon Elastic Kubernetes Service uses {aws} Identity and Access Management (IAM) link:IAM/latest/UserGuide/id_roles.html#iam-term-service-linked-role[service-linked roles,type="documentation"]. A service-linked role is a unique type of IAM role that is linked directly to Amazon EKS. Service-linked roles are predefined by Amazon EKS and include all the permissions that the service requires to call other {aws} services on your behalf. + +A service-linked role makes setting up Amazon EKS easier because you don't have to manually add the necessary permissions. Amazon EKS defines the permissions of its service-linked roles, and unless defined otherwise, only Amazon EKS can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity. + +You can delete a service-linked role only after first deleting their related resources. This protects your Amazon EKS resources because you can't inadvertently remove permission to access the resources. + +For information about other services that support service-linked roles, see link:IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html[{aws} services that work with IAM,type="documentation"] and look for the services that have *Yes* in the *Service-linked role* column. Choose a *Yes* with a link to view the service-linked role documentation for that service. + +[[service-linked-role-permissions-eks,service-linked-role-permissions-eks.title]] +== Service-linked role permissions for Amazon EKS + +Amazon EKS uses the service-linked role named `AWSServiceRoleForAmazonEKS`. The role allows Amazon EKS to manage clusters in your account. The attached policies allow the role to manage the following resources: network interfaces, security groups, logs, and VPCs. + +[NOTE] +==== + +The `AWSServiceRoleForAmazonEKS` service-linked role is distinct from the role required for cluster creation. For more information, see <>. + +==== + +The `AWSServiceRoleForAmazonEKS` service-linked role trusts the following services to assume the role: + +* `eks.amazonaws.com` + +The role permissions policy allows Amazon EKS to complete the following actions on the specified resources: + +* link:aws-managed-policy/latest/reference/AmazonEKSServiceRolePolicy.html[AmazonEKSServiceRolePolicy,type="documentation"] + +You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions[Service-linked role permissions,type="documentation"] in the _IAM User Guide_. + +[[create-service-linked-role-eks,create-service-linked-role-eks.title]] +== Creating a service-linked role for Amazon EKS + +You don't need to manually create a service-linked role. When you create a cluster in the {aws-management-console}, the {aws} CLI, or the {aws} API, Amazon EKS creates the service-linked role for you. + +If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you create a cluster, Amazon EKS creates the service-linked role for you again. + +[[edit-service-linked-role-eks,edit-service-linked-role-eks.title]] +== Editing a service-linked role for Amazon EKS + +Amazon EKS does not allow you to edit the `AWSServiceRoleForAmazonEKS` service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role[Editing a service-linked role,type="documentation"] in the _IAM User Guide_. + +[[delete-service-linked-role-eks,delete-service-linked-role-eks.title]] +== Deleting a service-linked role for Amazon EKS + +If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don't have an unused entity that is not actively monitored or maintained. However, you must clean up your service-linked role before you can manually delete it. + +[[service-linked-role-review-before-delete-eks,service-linked-role-review-before-delete-eks.title]] +=== Cleaning up a service-linked role + +Before you can use IAM to delete a service-linked role, you must first delete any resources used by the role. + +[NOTE] +==== + +If the Amazon EKS service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again. + +==== +. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. +. In the left navigation pane, choose *Clusters*. +. If your cluster has any node groups or Fargate profiles, you must delete them before you can delete the cluster. For more information, see <> and <>. +. On the *Clusters* page, choose the cluster that you want to delete and choose *Delete*. +. Type the name of the cluster in the deletion confirmation window, and then choose *Delete*. +. Repeat this procedure for any other clusters in your account. Wait for all of the delete operations to finish. + + +[[slr-manual-delete-eks,slr-manual-delete-eks.title]] +=== Manually delete the service-linked role + +Use the IAM console, the {aws} CLI, or the {aws} API to delete the `AWSServiceRoleForAmazonEKS` service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role[Deleting a service-linked role,type="documentation"] in the _IAM User Guide_. + +[[slr-regions-eks,slr-regions-eks.title]] +== Supported regions for Amazon EKS service-linked roles + +Amazon EKS supports using service-linked roles in all of the regions where the service is available. For more information, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"]. + diff --git a/latest/ug/security/iam-reference/using-service-linked-roles.adoc b/latest/ug/security/iam-reference/using-service-linked-roles.adoc new file mode 100644 index 000000000..ffb7f4a59 --- /dev/null +++ b/latest/ug/security/iam-reference/using-service-linked-roles.adoc @@ -0,0 +1,28 @@ +//!!NODE_ROOT
+[.topic] +[[using-service-linked-roles,using-service-linked-roles.title]] += Using service-linked roles for Amazon EKS +:info_titleabbrev: Service-linked roles + +include::../../attributes.txt[] + +include::using-service-linked-roles-eks.adoc[leveloffset=+1] + +include::using-service-linked-roles-eks-nodegroups.adoc[leveloffset=+1] + +include::using-service-linked-roles-eks-fargate.adoc[leveloffset=+1] + +include::using-service-linked-roles-eks-connector.adoc[leveloffset=+1] + +include::using-service-linked-roles-eks-outpost.adoc[leveloffset=+1] + +[abstract] +-- +How to use service-linked roles to give Amazon EKS access to resources in your {aws} account. +-- + +Amazon Elastic Kubernetes Service uses {aws} Identity and Access Management (IAM) link:IAM/latest/UserGuide/id_roles.html#iam-term-service-linked-role[service-linked roles,type="documentation"]. A service-linked role is a unique type of IAM role that is linked directly to Amazon EKS. Service-linked roles are predefined by Amazon EKS and include all the permissions that the service requires to call other {aws} services on your behalf. + +[.topiclist] +[[Topic List]] + diff --git a/latest/ug/security/infrastructure-security.adoc b/latest/ug/security/infrastructure-security.adoc new file mode 100644 index 000000000..e618b6200 --- /dev/null +++ b/latest/ug/security/infrastructure-security.adoc @@ -0,0 +1,40 @@ +//!!NODE_ROOT
+[.topic] +[[infrastructure-security,infrastructure-security.title]] += Infrastructure security in Amazon EKS +:info_titleabbrev: Infrastructure security + +include::../attributes.txt[] + +include::vpc-interface-endpoints.adoc[leveloffset=+1] + +[abstract] +-- +Learn how Amazon EKS isolates service traffic. +-- + +As a managed service, Amazon Elastic Kubernetes Service is protected by {aws} global network security. For information about {aws} security services and how {aws} protects infrastructure, see link:security/[{aws} Cloud Security,type="marketing"]. To design your {aws} environment using the best practices for infrastructure security, see link:wellarchitected/latest/security-pillar/infrastructure-protection.html[Infrastructure Protection,type="documentation"] in _Security Pillar {aws} Well‐Architected Framework_. + +You use {aws} published API calls to access Amazon EKS through the network. Clients must support the following: + +* Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3. +* Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems such as Java 7 and later support these modes. + +Additionally, requests must be signed by using an access key ID and a secret access key that is associated with an IAM principal. Or you can use the link:STS/latest/APIReference/welcome.html[{aws} Security Token Service,type="documentation"] ({aws} STS) to generate temporary security credentials to sign requests. + +When you create an Amazon EKS cluster, you specify the VPC subnets for your cluster to use. Amazon EKS requires subnets in at least two Availability Zones. We recommend a VPC with public and private subnets so that [.noloc]`Kubernetes` can create public load balancers in the public subnets that load balance traffic to [.noloc]`Pods` running on nodes that are in private subnets. + +For more information about VPC considerations, see <>. + +If you create your VPC and node groups with the {aws} CloudFormation templates provided in the <> walkthrough, then your control plane and node security groups are configured with our recommended settings. + +For more information about security group considerations, see <>. + +When you create a new cluster, Amazon EKS creates an endpoint for the managed [.noloc]`Kubernetes` API server that you use to communicate with your cluster (using [.noloc]`Kubernetes` management tools such as `kubectl`). By default, this API server endpoint is public to the internet, and access to the API server is secured using a combination of {aws} Identity and Access Management (IAM) and native [.noloc]`Kubernetes` https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Role Based Access Control] (RBAC). + +You can enable private access to the [.noloc]`Kubernetes` API server so that all communication between your nodes and the API server stays within your VPC. You can limit the IP addresses that can access your API server from the internet, or completely disable internet access to the API server. + +For more information about modifying cluster endpoint access, see <>. + +You can implement [.noloc]`Kubernetes` _network policies_ with the Amazon VPC CNI or third-party tools such as https://docs.tigera.io/calico/latest/about/[Project Calico]. For more information about using the Amazon VPC CNI for network policies, see <>. Project [.noloc]`Calico` is a third party open source project. For more information, see the https://docs.tigera.io/calico/latest/getting-started/kubernetes/managed-public-cloud/eks/[Project Calico documentation]. + diff --git a/latest/ug/security/manage-secrets.adoc b/latest/ug/security/manage-secrets.adoc new file mode 100644 index 000000000..e3b2a246d --- /dev/null +++ b/latest/ug/security/manage-secrets.adoc @@ -0,0 +1,23 @@ +//!!NODE_ROOT
+include::../attributes.txt[] + +[.topic] +[[manage-secrets,manage-secrets.title]] += Use {aws} Secrets Manager secrets with Amazon EKS Pods +:info_titleabbrev: {aws} Secrets Manager + +To show secrets from Secrets Manager and parameters from Parameter Store as files mounted in Amazon EKS [.noloc]`Pods`, you can use the {aws} Secrets and Configuration Provider (ASCP) for the https://secrets-store-csi-driver.sigs.k8s.io/[Kubernetes Secrets Store CSI Driver]. + +With the ASCP, you can store and manage your secrets in Secrets Manager and then retrieve them through your workloads running on Amazon EKS. You can use IAM roles and policies to limit access to your secrets to specific [.noloc]`Kubernetes` [.noloc]`Pods` in a cluster. The ASCP retrieves the [.noloc]`Pod` identity and exchanges the identity for an IAM role. ASCP assumes the IAM role of the [.noloc]`Pod`, and then it can retrieve secrets from Secrets Manager that are authorized for that role. + +If you use Secrets Manager automatic rotation for your secrets, you can also use the Secrets Store CSI Driver rotation reconciler feature to ensure you are retrieving the latest secret from Secrets Manager. + +[NOTE] +==== + +{aws} Fargate (Fargate) node groups are not supported. + +==== + +For more information, see link:secretsmanager/latest/userguide/integrating_csi_driver.html[Using Secrets Manager secrets in Amazon EKS,type="documentation"] in the {aws} Secrets Manager User Guide. + diff --git a/latest/ug/security/pod-security-policy-removal-faq.adoc b/latest/ug/security/pod-security-policy-removal-faq.adoc new file mode 100644 index 000000000..8cac9d46d --- /dev/null +++ b/latest/ug/security/pod-security-policy-removal-faq.adoc @@ -0,0 +1,116 @@ +//!!NODE_ROOT
+[.topic] +[[pod-security-policy-removal-faq,pod-security-policy-removal-faq.title]] += Migrate from legacy [.noloc]`Pod` security policies (PSP) +:info_titleabbrev: Migrate from legacy PSP + +include::../attributes.txt[] + +[abstract] +-- +Learn about the Pod Security Policy [.noloc]`(PSPs)` removal in [.noloc]`Kubernetes` `1.25`. Migrate to Pod Security Standards (PSS) or policy-as-code solutions before upgrading Amazon EKS clusters to [.noloc]`Kubernetes` 1.25 to avoid workload interruptions and maintain pod security controls. +-- + +`PodSecurityPolicy` was https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/[deprecated in Kubernetes1.21], and has been removed in [.noloc]`Kubernetes` `1.25`. If you are using PodSecurityPolicy in your cluster, *then you must migrate to the built-in [.noloc]`Kubernetes` Pod Security Standards [.noloc]`(PSS)` or to a policy-as-code solution before upgrading your cluster to version `*1.25*` to avoid interruptions to your workloads.* Select any frequently asked question to learn more. + + +[[pod-security-policy-removal-what-is,pod-security-policy-removal-what-is.title]] +.What is a [.noloc]`PSP`? +[%collapsible] +==== + +https://kubernetes.io/docs/concepts/security/pod-security-policy/[PodSecurityPolicy] is a built-in admission controller that allows a cluster administrator to control security-sensitive aspects of [.noloc]`Pod` specification. If a [.noloc]`Pod` meets the requirements of its [.noloc]`PSP`, the [.noloc]`Pod` is admitted to the cluster as usual. If a [.noloc]`Pod` doesn't meet the [.noloc]`PSP` requirements, the [.noloc]`Pod` is rejected and can't run. +==== + +[[pod-security-policy-removal-specific,pod-security-policy-removal-specific.title]] +.Is the [.noloc]`PSP` removal specific to Amazon EKS or is it being removed in upstream [.noloc]`Kubernetes`? +[%collapsible] +==== + +This is an upstream change in the [.noloc]`Kubernetes` project, and not a change made in Amazon EKS. [.noloc]`PSP` was deprecated in [.noloc]`Kubernetes` `1.21` and removed in [.noloc]`Kubernetes` `1.25`. The [.noloc]`Kubernetes` community identified serious usability problems with [.noloc]`PSP`. These included accidentally granting broader permissions than intended and difficulty in inspecting which [.noloc]`PSPs` apply in a given situation. These issues couldn't be addressed without making breaking changes. This is the primary reason why the [.noloc]`Kubernetes` community https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/#why-is-podsecuritypolicy-going-away[decided to remove PSP]. +==== + +[[pod-security-policy-removal-check,pod-security-policy-removal-check.title]] +.How can I check if I'm using [.noloc]`PSPs` in my Amazon EKS clusters? +[%collapsible] +==== + +To check if you're using [.noloc]`PSPs` in your cluster, you can run the following command: + +[source,bash,subs="verbatim,attributes"] +---- +kubectl get psp +---- + +To see the [.noloc]`Pods` that the [.noloc]`PSPs` in your cluster are impacting, run the following command. This command outputs the [.noloc]`Pod` name, namespace, and [.noloc]`PSPs`: + +[source,bash,subs="verbatim,attributes"] +---- +kubectl get pod -A -o jsonpath='{range.items[?(@.metadata.annotations.kubernetes\.io/psp)]}{.metadata.name}{" "}{.metadata.namespace}{" "}{.metadata.annotations.kubernetes\.io/psp}{" +"}' +---- +==== + +[[pod-security-policy-removal-what-can,pod-security-policy-removal-what-can.title]] +.If I'm using [.noloc]`PSPs` in my Amazon EKS cluster, what can I do? +[%collapsible] +==== + +Before upgrading your cluster to `1.25`, you must migrate your [.noloc]`PSPs` to either one of these alternatives: + + + +* [.noloc]`Kubernetes` [.noloc]`PSS`. + + +* Policy-as-code solutions from the [.noloc]`Kubernetes` environment. + +In response to the [.noloc]`PSP` deprecation and the ongoing need to control [.noloc]`Pod` security from the start, the [.noloc]`Kubernetes` community created a built-in solution with https://kubernetes.io/docs/concepts/security/pod-security-standards/[(PSS)] and https://kubernetes.io/docs/concepts/security/pod-security-admission/[Pod Security Admission (PSA)]. The PSA webhook implements the controls that are defined in the [.noloc]`PSS`. + +You can review best practices for migrating [.noloc]`PSPs` to the built-in [.noloc]`PSS` in the https://aws.github.io/aws-eks-best-practices/security/docs/pods/#pod-security-standards-pss-and-pod-security-admission-psa[EKS Best Practices Guide]. We also recommend reviewing our blog on link:containers/implementing-pod-security-standards-in-amazon-eks[Implementing Pod Security Standards in Amazon EKS,type="blog"]. Additional references include https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/[Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller] and https://kubernetes.io/docs/reference/access-authn-authz/psp-to-pod-security-standards/[Mapping PodSecurityPolicies to Pod Security Standards]. + +Policy-as-code solutions provide guardrails to guide cluster users and prevents unwanted behaviors through prescribed automated controls. Policy-as-code solutions typically use https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/[Kubernetes Dynamic Admission Controllers] to intercept the [.noloc]`Kubernetes` API server request flow using a webhook call. Policy-as-code solutions mutate and validate request payloads based on policies written and stored as code. + +There are several open source policy-as-code solutions available for [.noloc]`Kubernetes`. To review best practices for migrating [.noloc]`PSPs` to a policy-as-code solution, see the https://aws.github.io/aws-eks-best-practices/security/docs/pods/#policy-as-code-pac[Policy-as-code] section of the Pod Security page on GitHub. +==== + +[[pod-security-policy-removal-privileged,pod-security-policy-removal-privileged.title]] +.I see a [.noloc]`PSP` called `eks.privileged` in my cluster. What is it and what can I do about it? +[%collapsible] +==== + +Amazon EKS clusters with [.noloc]`Kubernetes` version `1.13` or higher have a default [.noloc]`PSP` that's named `eks.privileged`. This policy is created in `1.24` and earlier clusters. It isn't used in `1.25` and later clusters. Amazon EKS automatically migrates this [.noloc]`PSP` to a [.noloc]`PSS`-based enforcement. No action is needed on your part. +==== + +[[pod-security-policy-removal-prevent,pod-security-policy-removal-prevent.title]] +.Will Amazon EKS make any changes to [.noloc]`PSPs` present in my existing cluster when I update my cluster to version `1.25`? +[%collapsible] +==== + +No. Besides `eks.privileged`, which is a [.noloc]`PSP` created by Amazon EKS, no changes are made to other [.noloc]`PSPs` in your cluster when you upgrade to `1.25`. +==== + +[[pod-security-policy-removal-migrate,pod-security-policy-removal-migrate.title]] +.Will Amazon EKS prevent a cluster update to version `1.25` if I haven't migrated off of [.noloc]`PSP`? +[%collapsible] +==== + +No. Amazon EKS won't prevent a cluster update to version `1.25` if you didn't migrate off of [.noloc]`PSP` yet. +==== + +[[pod-security-policy-removal-forget,pod-security-policy-removal-forget.title]] +.What if I forget to migrate my [.noloc]`PSPs` to [.noloc]`PSS/PSA` or to a policy-as-code solution before I update my cluster to version `1.25`? Can I migrate after updating my cluster? +[%collapsible] +==== + +When a cluster that contains a [.noloc]`PSP` is upgraded to [.noloc]`Kubernetes` version `1.25`, the API server doesn't recognize the [.noloc]`PSP` resource in `1.25`. This might result in [.noloc]`Pods` getting incorrect security scopes. For an exhaustive list of implications, see https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/[Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller]. +==== + +[[pod-security-policy-removal-impact,pod-security-policy-removal-impact.title]] +.How does this change impact pod security for Windows workloads? +[%collapsible] +==== + +We don't expect any specific impact to Windows workloads. PodSecurityContext has a field called `windowsOptions` in the `PodSpec v1` API for Windows [.noloc]`Pods`. This uses [.noloc]`PSS` in [.noloc]`Kubernetes` `1.25`. For more information and best practices about enforcing [.noloc]`PSS` for Windows workloads, see the https://aws.github.io/aws-eks-best-practices/windows/docs/security/#pod-security-contexts[EKS Best Practices Guide] and [.noloc]`Kubernetes` https://kubernetes.io/docs/tasks/configure-pod-container/configure-runasusername/[documentation]. +==== + diff --git a/latest/ug/security/pod-security-policy.adoc b/latest/ug/security/pod-security-policy.adoc new file mode 100644 index 000000000..58c3d790a --- /dev/null +++ b/latest/ug/security/pod-security-policy.adoc @@ -0,0 +1,197 @@ +//!!NODE_ROOT
+[.topic] +[[pod-security-policy,pod-security-policy.title]] += Understand Amazon EKS created [.noloc]`Pod` security policies [.noloc]`(PSP)` +:info_titleabbrev: Legacy default PSP + +include::../attributes.txt[] + +[abstract] +-- +Learn about the Pod Security Policies [.noloc]`(PSP)` that Amazon EKS creates by default. PSP was deprecated in [.noloc]`Kubernetes` version `1.21` and removed in [.noloc]`Kubernetes` `1.25`. +-- + +The [.noloc]`Kubernetes` [.noloc]`Pod` security policy admission controller validates [.noloc]`Pod` creation and update requests against a set of rules. By default, Amazon EKS clusters ship with a fully permissive security policy with no restrictions. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/[Pod Security Policies] in the [.noloc]`Kubernetes` documentation. + +[NOTE] +==== + +The `PodSecurityPolicy` ([.noloc]`PSP`) was deprecated in [.noloc]`Kubernetes` version `1.21` and removed in [.noloc]`Kubernetes` `1.25`. [.noloc]`PSPs` are being replaced with https://kubernetes.io/docs/concepts/security/pod-security-admission/[Pod Security Admission (PSA)], a built-in admission controller that implements the security controls outlined in the https://kubernetes.io/docs/concepts/security/pod-security-standards/[Pod Security Standards (PSS)]. PSA and PSS have both reached beta feature states, and are enabled in Amazon EKS by default. To address [.noloc]`PSP` removal in `1.25`, we recommend that you implement PSS in Amazon EKS. For more information, see link:containers/implementing-pod-security-standards-in-amazon-eks[Implementing Pod Security Standards in Amazon EKS,type="blog"] on the {aws} blog. + +==== + +[[default-psp,default-psp.title]] +== Amazon EKS default [.noloc]`Pod` security policy + +Amazon EKS clusters with [.noloc]`Kubernetes` version `1.13` or higher have a default [.noloc]`Pod` security policy named `eks.privileged`. This policy has no restriction on what kind of [.noloc]`Pod` can be accepted into the system, which is equivalent to running [.noloc]`Kubernetes` with the `PodSecurityPolicy` controller disabled. + +[NOTE] +==== + +This policy was created to maintain backwards compatibility with clusters that did not have the `PodSecurityPolicy` controller enabled. You can create more restrictive policies for your cluster and for individual namespaces and service accounts and then delete the default policy to enable the more restrictive policies. + +==== + +You can view the default policy with the following command. + +[source,bash,subs="verbatim,attributes"] +---- +kubectl get psp eks.privileged +---- + +An example output is as follows. + +[source,bash,subs="verbatim,attributes"] +---- +NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP READONLYROOTFS VOLUMES +eks.privileged true * RunAsAny RunAsAny RunAsAny RunAsAny false * +---- + +For more details, you can describe the policy with the following command. + +[source,bash,subs="verbatim,attributes"] +---- +kubectl describe psp eks.privileged +---- + +An example output is as follows. + +[source,bash,subs="verbatim,attributes"] +---- +Name: eks.privileged + +Settings: + Allow Privileged: true + Allow Privilege Escalation: 0xc0004ce5f8 + Default Add Capabilities: + Required Drop Capabilities: + Allowed Capabilities: * + Allowed Volume Types: * + Allow Host Network: true + Allow Host Ports: 0-65535 + Allow Host PID: true + Allow Host IPC: true + Read Only Root Filesystem: false + SELinux Context Strategy: RunAsAny + User: + Role: + Type: + Level: + Run As User Strategy: RunAsAny + Ranges: + FSGroup Strategy: RunAsAny + Ranges: + Supplemental Groups Strategy: RunAsAny + Ranges: +---- + +You can view the full YAML file for the `eks.privileged` [.noloc]`Pod` security policy, its cluster role, and cluster role binding in <>. + +[[psp-delete-default,psp-delete-default.title]] +== Delete the default Amazon EKS [.noloc]`Pod` security policy + +If you create more restrictive policies for your [.noloc]`Pods`, then after doing so, you can delete the default Amazon EKS `eks.privileged` [.noloc]`Pod` security policy to enable your custom policies. + +[IMPORTANT] +==== + +If you are using version `1.7.0` or later of the CNI plugin and you assign a custom [.noloc]`Pod` security policy to the `aws-node` [.noloc]`Kubernetes` service account used for the `aws-node` [.noloc]`Pods` deployed by the Daemonset, then the policy must have `NET_ADMIN` in its `allowedCapabilities` section along with `hostNetwork: true` and `privileged: true` in the policy's `spec`. + +==== +. Create a file named [.replaceable]`privileged-podsecuritypolicy.yaml` with the contents in the example file in <>. +. Delete the YAML with the following command. This deletes the default [.noloc]`Pod` security policy, the `ClusterRole`, and the `ClusterRoleBinding` associated with it. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl delete -f privileged-podsecuritypolicy.yaml +---- + + +[[psp-install-or-restore-default,psp-install-or-restore-default.title]] +== Install or restore the default [.noloc]`Pod` security policy + +If you are upgrading from an earlier version of [.noloc]`Kubernetes`, or have modified or deleted the default Amazon EKS `eks.privileged` [.noloc]`Pod` security policy, you can restore it with the following steps. + +. Create a file called `privileged-podsecuritypolicy.yaml` with the following contents. ++ +[source,yaml,subs="verbatim,attributes"] +---- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: eks.privileged + annotations: + kubernetes.io/description: 'privileged allows full unrestricted access to + Pod features, as if the PodSecurityPolicy controller was not enabled.' + seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + labels: + kubernetes.io/cluster-service: "true" + eks.amazonaws.com/component: pod-security-policy +spec: + privileged: true + allowPrivilegeEscalation: true + allowedCapabilities: + - '*' + volumes: + - '*' + hostNetwork: true + hostPorts: + - min: 0 + max: 65535 + hostIPC: true + hostPID: true + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: eks:podsecuritypolicy:privileged + labels: + kubernetes.io/cluster-service: "true" + eks.amazonaws.com/component: pod-security-policy +rules: +- apiGroups: + - policy + resourceNames: + - eks.privileged + resources: + - podsecuritypolicies + verbs: + - use + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: eks:podsecuritypolicy:authenticated + annotations: + kubernetes.io/description: 'Allow all authenticated users to create privileged Pods.' + labels: + kubernetes.io/cluster-service: "true" + eks.amazonaws.com/component: pod-security-policy +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: eks:podsecuritypolicy:privileged +subjects: + - kind: Group + apiGroup: rbac.authorization.k8s.io + name: system:authenticated +---- +. Apply the YAML with the following command. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl apply -f privileged-podsecuritypolicy.yaml +---- + + diff --git a/latest/ug/security/security-best-practices.adoc b/latest/ug/security/security-best-practices.adoc new file mode 100644 index 000000000..94ce58b1a --- /dev/null +++ b/latest/ug/security/security-best-practices.adoc @@ -0,0 +1,16 @@ +//!!NODE_ROOT
+[.topic] +[[security-best-practices,security-best-practices.title]] += Secure Amazon EKS clusters with best practices +:info_titleabbrev: Best practices + +include::../attributes.txt[] + +[abstract] +-- +Learn how to secure your Amazon EKS clusters by following the best practices from the community. +-- + +The Amazon EKS security best practices are in the link:eks/latest/best-practices/security.html[Best Practices for Security,type="documentation"] in the _Amazon EKS Best Practices Guide_. + + diff --git a/latest/ug/security/security-eks.adoc b/latest/ug/security/security-eks.adoc index 16f8d901e..79b200a9d 100644 --- a/latest/ug/security/security-eks.adoc +++ b/latest/ug/security/security-eks.adoc @@ -2,15 +2,14 @@ [.topic] [[security-eks,security-eks.title]] = Security considerations for Amazon Elastic Kubernetes Service -:info_doctype: section -:info_title: Security considerations for Amazon Elastic Kubernetes Service -:info_titleabbrev: Considerations for Amazon EKS -:info_abstract: Configure Amazon EKS clusters to meet your security and compliance objectives, and learn \ - how to use other {aws} services that help you to secure your Amazon EKS \ - clusters. +:info_titleabbrev: Considerations for EKS include::../attributes.txt[] +include::infrastructure-security.adoc[leveloffset=+1] + +include::disaster-recovery-resiliency.adoc[leveloffset=+1] + [abstract] -- Configure Amazon EKS clusters to meet your security and compliance objectives, and learn how to use other {aws} services that help you to secure your Amazon EKS clusters. @@ -20,121 +19,3 @@ The following are considerations for security of the cloud, as they affect Amazo [.topiclist] [[Topic List]] - -[.topic] -[[infrastructure-security,infrastructure-security.title]] -== Infrastructure security in Amazon EKS - -[abstract] --- -Learn how Amazon EKS isolates service traffic. --- - -As a managed service, Amazon Elastic Kubernetes Service is protected by {aws} global network security. For information about {aws} security services and how {aws} protects infrastructure, see link:security/[{aws} Cloud Security,type="marketing"]. To design your {aws} environment using the best practices for infrastructure security, see link:wellarchitected/latest/security-pillar/infrastructure-protection.html[Infrastructure Protection,type="documentation"] in _Security Pillar {aws} Well‐Architected Framework_. - -You use {aws} published API calls to access Amazon EKS through the network. Clients must support the following: - - - -* Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3. -* Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems such as Java 7 and later support these modes. - -Additionally, requests must be signed by using an access key ID and a secret access key that is associated with an IAM principal. Or you can use the link:STS/latest/APIReference/welcome.html[{aws} Security Token Service,type="documentation"] ({aws} STS) to generate temporary security credentials to sign requests. - -When you create an Amazon EKS cluster, you specify the VPC subnets for your cluster to use. Amazon EKS requires subnets in at least two Availability Zones. We recommend a VPC with public and private subnets so that [.noloc]`Kubernetes` can create public load balancers in the public subnets that load balance traffic to [.noloc]`Pods` running on nodes that are in private subnets. - -For more information about VPC considerations, see <>. - -If you create your VPC and node groups with the {aws} CloudFormation templates provided in the <> walkthrough, then your control plane and node security groups are configured with our recommended settings. - -For more information about security group considerations, see <>. - -When you create a new cluster, Amazon EKS creates an endpoint for the managed [.noloc]`Kubernetes` API server that you use to communicate with your cluster (using [.noloc]`Kubernetes` management tools such as `kubectl`). By default, this API server endpoint is public to the internet, and access to the API server is secured using a combination of {aws} Identity and Access Management (IAM) and native [.noloc]`Kubernetes` https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Role Based Access Control] (RBAC). - -You can enable private access to the [.noloc]`Kubernetes` API server so that all communication between your nodes and the API server stays within your VPC. You can limit the IP addresses that can access your API server from the internet, or completely disable internet access to the API server. - -For more information about modifying cluster endpoint access, see <>. - -You can implement [.noloc]`Kubernetes` _network policies_ with the Amazon VPC CNI or third-party tools such as https://docs.tigera.io/calico/latest/about/[Project Calico]. For more information about using the Amazon VPC CNI for network policies, see <>. Project [.noloc]`Calico` is a third party open source project. For more information, see the https://docs.tigera.io/calico/latest/getting-started/kubernetes/managed-public-cloud/eks/[Project Calico documentation]. - -[.topic] -[[vpc-interface-endpoints,vpc-interface-endpoints.title]] -=== Access the Amazon EKS using {aws} PrivateLink - -[abstract] --- -Learn how to securely access Amazon Elastic Kubernetes Service (Amazon EKS) APIs from within your VPC using {aws} PrivateLink, avoiding public internet exposure while benefiting from private connectivity, routing optimization, and built-in security controls for enhanced cluster management. --- - -You can use {aws} PrivateLink to create a private connection between your VPC and Amazon Elastic Kubernetes Service. You can access Amazon EKS as if it were in your VPC, without the use of an internet gateway, NAT device, VPN connection, or {aws} Direct Connect connection. Instances in your VPC don't need public IP addresses to access Amazon EKS. - -You establish this private connection by creating an interface endpoint powered by {aws} PrivateLink. We create an endpoint network interface in each subnet that you enable for the interface endpoint. These are requester-managed network interfaces that serve as the entry point for traffic destined for Amazon EKS. - -For more information, see link:vpc/latest/privatelink/privatelink-access-aws-services.html[Access {aws} services through {aws} PrivateLink,type="documentation"] in the _{aws} PrivateLink Guide_. - -[[vpc-endpoint-considerations,vpc-endpoint-considerations.title]] -==== Considerations for Amazon EKS - -* Before you set up an interface endpoint for Amazon EKS, review link:vpc/latest/privatelink/create-interface-endpoint.html#considerations-interface-endpoints[Considerations,type="documentation"] in the _{aws} PrivateLink Guide_. -* Amazon EKS supports making calls to all of its API actions through the interface endpoint, but not to the [.noloc]`Kubernetes` APIs. The [.noloc]`Kubernetes` API server already supports a <>. The [.noloc]`Kubernetes` API server private endpoint creates a private endpoint for the [.noloc]`Kubernetes` API server that you use to communicate with your cluster (using [.noloc]`Kubernetes` management tools such as `kubectl`). You can enable <> to the [.noloc]`Kubernetes` API server so that all communication between your nodes and the API server stays within your VPC. {aws} PrivateLink for the Amazon EKS API helps you call the Amazon EKS APIs from your VPC without exposing traffic to the public internet. -* You can't configure Amazon EKS to only be accessed through an interface endpoint. -* Standard pricing for {aws} PrivateLink applies for interface endpoints for Amazon EKS. You are billed for every hour that an interface endpoint is provisioned in each Availability Zone and for data processed through the interface endpoint. For more information, see link:privatelink/pricing/[{aws} PrivateLink pricing,type="marketing"]. -* VPC endpoint policies are not supported for Amazon EKS. By default, full access to Amazon EKS is allowed through the interface endpoint. Alternatively, you can associate a security group with the endpoint network interfaces to control traffic to Amazon EKS through the interface endpoint. -* You can use VPC flow logs to capture information about IP traffic going to and from network interfaces, including interface endpoints. You can publish flow log data to Amazon CloudWatch or Amazon S3. For more information, see link:vpc/latest/userguide/flow-logs.html[Logging IP traffic using VPC Flow Logs,type="documentation"] in the Amazon VPC User Guide. -* You can access the Amazon EKS APIs from an on-premises data center by connecting it to a VPC that has an interface endpoint. You can use {aws} Direct Connect or {aws} Site-to-Site VPN to connect your on-premises sites to a VPC. -* You can connect other VPCs to the VPC with an interface endpoint using an {aws} Transit Gateway or VPC peering. VPC peering is a networking connection between two VPCs. You can establish a VPC peering connection between your VPCs, or with a VPC in another account. The VPCs can be in different {aws} Regions. Traffic between peered VPCs stays on the {aws} network. The traffic doesn't traverse the public internet. A Transit Gateway is a network transit hub that you can use to interconnect VPCs. Traffic between a VPC and a Transit Gateway remains on the {aws} global private network. The traffic isn't exposed to the public internet. -* Before August 2024, VPC interface endpoints for Amazon EKS were only accessible over `IPv4` using `eks.[.replaceable]``region``.amazonaws.com`. New VPC interface endpoints that are made after August 2024 use dual-stack of `IPv4` and `IPv6` IP addresses and both DNS names: `eks.[.replaceable]``region``.amazonaws.com` and `eks.[.replaceable]``region``.api.aws`. -* {aws} PrivateLink support for the EKS API isn't available in the Asia Pacific (Malaysia) (`ap-southeast-5`), Asia Pacific (Thailand) (`ap-southeast-7`), and Mexico (Central) (`mx-central-1`) {aws} Regions. {aws} PrivateLink support for `eks-auth` for EKS Pod Identity is available in the the Asia Pacific (Malaysia) (`ap-southeast-5`) Region. - - -[[vpc-endpoint-create,vpc-endpoint-create.title]] -==== Create an interface endpoint for Amazon EKS - -You can create an interface endpoint for Amazon EKS using either the Amazon VPC console or the {aws} Command Line Interface ({aws} CLI). For more information, see link:vpc/latest/privatelink/create-interface-endpoint.html#create-interface-endpoint-aws[Create a VPC endpoint,type="documentation"] in the _{aws} PrivateLink Guide_. - -Create an interface endpoint for Amazon EKS using the following service names: - -* EKS API -[source,none,subs="verbatim,attributes"] ----- -com.amazonaws.region-code.eks ----- -* EKS Auth API (EKS Pod Identity) -[source,none,subs="verbatim,attributes"] ----- -com.amazonaws.region-code.eks-auth ----- - -The private DNS feature is enabled by default when creating an interface endpoint for Amazon EKS and other {aws} services. To use the private DNS feature, you must ensure that the following VPC attributes are set to `true`: `enableDnsHostnames` and `enableDnsSupport`. For more information, see link:vpc/latest/userguide/vpc-dns.html#vpc-dns-updating[View and update DNS attributes for your VPC,type="documentation"] in the Amazon VPC User Guide. With the private DNS feature enabled for the interface endpoint: - - - -* You can make any API request to Amazon EKS using its default Regional DNS name. After August 2024, any new VPC interface endpoint for the Amazon EKS API have two default Regional DNS names and you can choose the `dualstack` for the IP address type. The first DNS name is `eks.[.replaceable]``region``.api.aws` which is dual-stack. It resolves to both `IPv4` addresses and `IPv6` addresses. Before August 2024, Amazon EKS only used `eks.[.replaceable]``region``.amazonaws.com` which resolved to `IPv4` addresses only. If you want to use `IPv6` and dual-stack IP addresses with an existing VPC interface endpoint, you can update the endpoint to use the `dualstack` type of IP address, but it will only have the `eks.[.replaceable]``region``.amazonaws.com` DNS name. In this configuration, the existing endpoint updates to point that name to both `IPv4` and `IPv6` IP addresses. For a list of APIs, see link:eks/latest/APIReference/API_Operations.html[Actions,type="documentation"] in the Amazon EKS API Reference. -* You don't need to make any changes to your applications that call the EKS APIs. -+ -However, To use the dual-stack endpoints with the {aws} CLI, see the link:sdkref/latest/guide/feature-endpoints.html[Dual-stack and FIPS endpoints,type="documentation"] configuration in the _{aws} SDKs and Tools Reference Guide_. -* Any call made to the Amazon EKS default service endpoint is automatically routed through the interface endpoint over the private {aws} network. - - -[.topic] -[[disaster-recovery-resiliency,disaster-recovery-resiliency.title]] -== Understand resilience in Amazon EKS clusters - -[abstract] --- -Learn how Amazon EKS ensures high availability, data resilience, and fault tolerance for your [.noloc]`Kubernetes` control plane by leveraging {aws} infrastructure across multiple Availability Zones . --- - -The {aws} global infrastructure is built around {aws} Regions and Availability Zones. {aws} Regions provide multiple physically separated and isolated Availability Zones, which are connected with low-latency, high-throughput, and highly redundant networking. With Availability Zones, you can design and operate applications and databases that automatically fail over between Availability Zones without interruption. Availability Zones are more highly available, fault tolerant, and scalable than traditional single or multiple data center infrastructures. - -Amazon EKS runs and scales the [.noloc]`Kubernetes` control plane across multiple {aws} Availability Zones to ensure high availability. Amazon EKS automatically scales control plane instances based on load, detects and replaces unhealthy control plane instances, and automatically patches the control plane. After you initiate a version update, Amazon EKS updates your control plane for you, maintaining high availability of the control plane during the update. - -This control plane consists of at least two API server instances and three `etcd` instances that run across three Availability Zones within an {aws} Region. Amazon EKS: - - - -* Actively monitors the load on control plane instances and automatically scales them to ensure high performance. -* Automatically detects and replaces unhealthy control plane instances, restarting them across the Availability Zones within the {aws} Region as needed. -* Leverages the architecture of {aws} Regions in order to maintain high availability. Because of this, Amazon EKS is able to offer an link:eks/sla[SLA for API server endpoint availability,type="marketing"]. - -For more information about {aws} Regions and Availability Zones, see link:about-aws/global-infrastructure/[{aws} global infrastructure,type="marketing"]. diff --git a/latest/ug/security/security-k8s.adoc b/latest/ug/security/security-k8s.adoc index c663f6796..59bcabb53 100644 --- a/latest/ug/security/security-k8s.adoc +++ b/latest/ug/security/security-k8s.adoc @@ -2,856 +2,28 @@ [.topic] [[security-k8s,security-k8s.title]] = Security considerations for [.noloc]`Kubernetes` -:info_doctype: section -:info_title: Security considerations for Kubernetes :info_titleabbrev: Considerations for Kubernetes -:info_abstract: Configure Kubernetes to meet your security and compliance objectives, and learn \ - how to use other {aws} services that help you to secure your Kubernetes \ - resources. include::../attributes.txt[] -[abstract] --- -Configure [.noloc]`Kubernetes` to meet your security and compliance objectives, and learn how to use other {aws} services that help you to secure your [.noloc]`Kubernetes` resources. --- - -The following are considerations for security in the cloud, as they affect [.noloc]`Kubernetes` in Amazon EKS clusters. For an in-depth review of security controls and practices in [.noloc]`Kubernetes`, see https://kubernetes.io/docs/concepts/security/cloud-native-security/[Cloud Native Security and Kubernetes] in the [.noloc]`Kubernetes` documentation. - -[.topiclist] -[[Topic List]] - -[.topic] -[[cert-signing,cert-signing.title]] -== Secure workloads with [.noloc]`Kubernetes` certificates - -[abstract] --- -Learn how to request and obtain X.509 certificates from the Certificate Authority (CA) using Certificate Signing Requests (CSRs) in Amazon EKS, including details on migrating from legacy signers, generating CSRs, approving requests, and handling certificate signing considerations before upgrading to Kubernetes 1.24. --- - -The [.noloc]`Kubernetes` Certificates API automates https://www.itu.int/rec/T-REC-X.509[X.509] credential provisioning. The API features a command line interface for [.noloc]`Kubernetes` API clients to request and obtain https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/[X.509 certificates] from a Certificate Authority (CA). You can use the `CertificateSigningRequest` (CSR) resource to request that a denoted signer sign the certificate. Your requests are either approved or denied before they're signed. [.noloc]`Kubernetes` supports both built-in signers and custom signers with well-defined behaviors. This way, clients can predict what happens to their CSRs. To learn more about certificate signing, see https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/[signing requests]. - -One of the built-in signers is `kubernetes.io/legacy-unknown`. The `v1beta1` API of CSR resource honored this legacy-unknown signer. However, the stable `v1` API of CSR doesn't allow the `signerName` to be set to `kubernetes.io/legacy-unknown`. - -Amazon EKS version `1.21` and earlier allowed the `legacy-unknown` value as the `signerName` in `v1beta1` CSR API. This API enables the Amazon EKS Certificate Authority (CA) to generate certificates. However, in [.noloc]`Kubernetes` version `1.22`, the `v1beta1` CSR API was replaced by the `v1` CSR API. This API doesn't support the signerName of "`legacy-unknown.`" If you want to use Amazon EKS CA for generating certificates on your clusters, you must use a custom signer. It was introduced in Amazon EKS version `1.22`. To use the CSR `v1` API version and generate a new certificate, you must migrate any existing manifests and API clients. Existing certificates that were created with the existing `v1beta1` API are valid and function until the certificate expires. This includes the following: - - - -* Trust distribution: None. There's no standard trust or distribution for this signer in a [.noloc]`Kubernetes` cluster. -* Permitted subjects: Any -* Permitted x509 extensions: Honors subjectAltName and key usage extensions and discards other extensions -* Permitted key usages: Must not include usages beyond ["key encipherment", "digital signature", "server auth"] -+ -NOTE: Client certificate signing is not supported. -* Expiration/certificate lifetime: 1 year (default and maximum) -* CA bit allowed/disallowed: Not allowed - - -[[csr-example,csr-example.title]] -=== Example CSR generation with signerName - -These steps shows how to generate a serving certificate for DNS name `myserver.default.svc` using `signerName: beta.eks.amazonaws.com/app-serving`. Use this as a guide for your own environment. - -. Run the `openssl genrsa -out myserver.key 2048` command to generate an RSA private key. -+ -[source,bash,subs="verbatim,attributes"] ----- -openssl genrsa -out myserver.key 2048 ----- -. Run the following command to generate a certificate request. -+ -[source,bash,subs="verbatim,attributes"] ----- -openssl req -new -key myserver.key -out myserver.csr -subj "/CN=myserver.default.svc" ----- -. Generate a `base64` value for the CSR request and store it in a variable for use in a later step. -+ -[source,bash,subs="verbatim,attributes"] ----- -base_64=$(cat myserver.csr | base64 -w 0 | tr -d "\n") ----- -. Run the following command to create a file named `mycsr.yaml`. In the following example, `beta.eks.amazonaws.com/app-serving` is the `signerName`. -+ -[source,yaml,subs="verbatim,attributes"] ----- -cat >mycsr.yaml < myserver.crt ----- - - -[[csr-considerations,csr-considerations.title]] -=== Certificate signing considerations before upgrading your cluster to [.noloc]`Kubernetes` 1.24 - -In [.noloc]`Kubernetes` `1.23` and earlier, `kubelet` serving certificates with unverifiable IP and DNS Subject Alternative Names (SANs) are automatically issued with unverifiable SANs. The SANs are omitted from the provisioned certificate. In `1.24` and later clusters, `kubelet` serving certificates aren't issued if a SAN can't be verified. This prevents the `kubectl exec` and `kubectl logs` commands from working. - -Before upgrading your cluster to `1.24`, determine whether your cluster has certificate signing requests (CSR) that haven't been approved by completing the following steps: - -. Run the following command. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl get csr -A ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION -csr-7znmf 90m kubernetes.io/kubelet-serving system:node:ip-192-168-42-149.region.compute.internal Approved -csr-9xx5q 90m kubernetes.io/kubelet-serving system:node:ip-192-168-65-38.region.compute.internal Approved, Issued ----- -+ -If the returned output shows a CSR with a https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers[kubernetes.io/kubelet-serving] signer that's `Approved` but not `Issued` for a node, then you need to approve the request. -. Manually approve the CSR. Replace `csr-[.replaceable]``7znmf``` with your own value. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl certificate approve csr-7znmf ----- - -To auto-approve CSRs in the future, we recommend that you write an approving controller that can automatically validate and approve CSRs that contain IP or DNS SANs that Amazon EKS can't verify. - -[.topic] -[[default-roles-users,default-roles-users.title]] -== Understand Amazon EKS created RBAC roles and users - -[abstract] --- -Learn about the Kubernetes roles and users that Amazon EKS creates for cluster components and add-ons. Amazon EKS uses these role-based authorization control (RBAC) identities to operate the cluster. --- - -When you create a [.noloc]`Kubernetes` cluster, several default [.noloc]`Kubernetes` identities are created on that cluster for the proper functioning of [.noloc]`Kubernetes`. Amazon EKS creates [.noloc]`Kubernetes` identities for each of its default components. The identities provide [.noloc]`Kubernetes` role-based authorization control (RBAC) for the cluster components. For more information, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Using RBAC Authorization] in the [.noloc]`Kubernetes` documentation. - -When you install optional <> to your cluster, additional [.noloc]`Kubernetes` identities might be added to your cluster. For more information about identities not addressed by this topic, see the documentation for the add-on. - -You can view the list of Amazon EKS created [.noloc]`Kubernetes` identities on your cluster using the {aws-management-console} or `kubectl` command line tool. All of the user identities appear in the `kube` audit logs available to you through Amazon CloudWatch. - +include::cert-signing.adoc[leveloffset=+1] +include::default-roles-users.adoc[leveloffset=+1] -*{aws-management-console}*:: +include::pod-security-policy.adoc[leveloffset=+1] -.Prerequisite -The link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that you use must have the permissions described in <>. -+ -.. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. -.. In the *Clusters* list, choose the cluster that contains the identities that you want to view. -.. Choose the *Resources* tab. -.. Under *Resource types*, choose *Authorization*. -.. Choose, *ClusterRoles*, *ClusterRoleBindings*, *Roles*, or *RoleBindings*. All resources prefaced with *eks* are created by Amazon EKS. Additional Amazon EKS created identity resources are: -+ -*** The *ClusterRole* and *ClusterRoleBinding* named *aws-node*. The *aws-node* resources support the <>, which Amazon EKS installs on all clusters. -*** A *ClusterRole* named *vpc-resource-controller-role* and a *ClusterRoleBinding* named *vpc-resource-controller-rolebinding*. These resources support the https://github.com/aws/amazon-vpc-resource-controller-k8s[Amazon VPC resource controller], which Amazon EKS installs on all clusters. +include::pod-security-policy-removal-faq.adoc[leveloffset=+1] -+ -In addition to the resources that you see in the console, the following special user identities exist on your cluster, though they're not visible in the cluster's configuration: -+ -*** *`eks:cluster-bootstrap`* – Used for `kubectl` operations during cluster bootstrap. -*** *`eks:support-engineer`* – Used for cluster management operations. -.. Choose a specific resource to view details about it. By default, you're shown information in *Structured view*. In the top-right corner of the details page you can choose *Raw view* to see all information for the resource. +include::enable-kms.adoc[leveloffset=+1] - -*Kubectl*:: - -.Prerequisite -The entity that you use ({aws} Identity and Access Management (IAM) or [.noloc]`OpenID Connect` ([.noloc]`OIDC`)) to list the [.noloc]`Kubernetes` resources on the cluster must be authenticated by IAM or your [.noloc]`OIDC` identity provider. The entity must be granted permissions to use the [.noloc]`Kubernetes` `get` and `list` verbs for the `Role`, `ClusterRole`, `RoleBinding`, and `ClusterRoleBinding` resources on your cluster that you want the entity to work with. For more information about granting IAM entities access to your cluster, see <>. For more information about granting entities authenticated by your own [.noloc]`OIDC` provider access to your cluster, see <>. -.To view Amazon EKS created identities using `kubectl` -Run the command for the type of resource that you want to see. All returned resources that are prefaced with *eks* are created by Amazon EKS. In addition to the resources returned in the output from the commands, the following special user identities exist on your cluster, though they're not visible in the cluster's configuration: -+ -** *`eks:cluster-bootstrap`* – Used for `kubectl` operations during cluster bootstrap. -** *`eks:support-engineer`* – Used for cluster management operations. -+ -*ClusterRoles* – `ClusterRoles` are scoped to your cluster, so any permission granted to a role applies to resources in any [.noloc]`Kubernetes` namespace on the cluster. -+ -The following command returns all of the Amazon EKS created [.noloc]`Kubernetes` `ClusterRoles` on your cluster. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl get clusterroles | grep eks ----- -+ -In addition to the `ClusterRoles` returned in the output that are prefaced with, the following `ClusterRoles` exist. -+ -** *`aws-node`* – This `ClusterRole` supports the <>, which Amazon EKS installs on all clusters. -** *`vpc-resource-controller-role`* – This `ClusterRole` supports the https://github.com/aws/amazon-vpc-resource-controller-k8s[Amazon VPC resource controller], which Amazon EKS installs on all clusters. - -+ -To see the specification for a `ClusterRole`, replace [.replaceable]`eks:k8s-metrics` in the following command with a `ClusterRole` returned in the output of the previous command. The following example returns the specification for the [.replaceable]`eks:k8s-metrics` `ClusterRole`. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl describe clusterrole eks:k8s-metrics ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -Name: eks:k8s-metrics -Labels: -Annotations: -PolicyRule: - Resources Non-Resource URLs Resource Names Verbs - --------- ----------------- -------------- ----- - [/metrics] [] [get] - endpoints [] [] [list] - nodes [] [] [list] - pods [] [] [list] - deployments.apps [] [] [list] ----- -+ -*ClusterRoleBindings* – `ClusterRoleBindings` are scoped to your cluster. -+ -The following command returns all of the Amazon EKS created [.noloc]`Kubernetes` `ClusterRoleBindings` on your cluster. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl get clusterrolebindings | grep eks ----- -+ -In addition to the `ClusterRoleBindings` returned in the output, the following `ClusterRoleBindings` exist. -+ -** *`aws-node`* – This `ClusterRoleBinding` supports the <>, which Amazon EKS installs on all clusters. -** *`vpc-resource-controller-rolebinding`* – This `ClusterRoleBinding` supports the https://github.com/aws/amazon-vpc-resource-controller-k8s[Amazon VPC resource controller], which Amazon EKS installs on all clusters. - -+ -To see the specification for a `ClusterRoleBinding`, replace [.replaceable]`eks:k8s-metrics` in the following command with a `ClusterRoleBinding` returned in the output of the previous command. The following example returns the specification for the [.replaceable]`eks:k8s-metrics` `ClusterRoleBinding`. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl describe clusterrolebinding eks:k8s-metrics ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -Name: eks:k8s-metrics -Labels: -Annotations: -Role: - Kind: ClusterRole - Name: eks:k8s-metrics -Subjects: - Kind Name Namespace - ---- ---- --------- - User eks:k8s-metrics ----- -+ -*Roles* – `Roles` are scoped to a [.noloc]`Kubernetes` namespace. All Amazon EKS created `Roles` are scoped to the `kube-system` namespace. -+ -The following command returns all of the Amazon EKS created [.noloc]`Kubernetes` `Roles` on your cluster. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl get roles -n kube-system | grep eks ----- -+ -To see the specification for a `Role`, replace [.replaceable]`eks:k8s-metrics` in the following command with the name of a `Role` returned in the output of the previous command. The following example returns the specification for the [.replaceable]`eks:k8s-metrics` `Role`. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl describe role eks:k8s-metrics -n kube-system ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -Name: eks:k8s-metrics -Labels: -Annotations: -PolicyRule: - Resources Non-Resource URLs Resource Names Verbs - --------- ----------------- -------------- ----- - daemonsets.apps [] [aws-node] [get] - deployments.apps [] [vpc-resource-controller] [get] ----- -+ -*RoleBindings* – `RoleBindings` are scoped to a [.noloc]`Kubernetes` namespace. All Amazon EKS created `RoleBindings` are scoped to the `kube-system` namespace. -+ -The following command returns all of the Amazon EKS created [.noloc]`Kubernetes` `RoleBindings` on your cluster. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl get rolebindings -n kube-system | grep eks ----- -+ -To see the specification for a `RoleBinding`, replace [.replaceable]`eks:k8s-metrics` in the following command with a `RoleBinding` returned in the output of the previous command. The following example returns the specification for the [.replaceable]`eks:k8s-metrics` `RoleBinding`. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl describe rolebinding eks:k8s-metrics -n kube-system ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -Name: eks:k8s-metrics -Labels: -Annotations: -Role: - Kind: Role - Name: eks:k8s-metrics -Subjects: - Kind Name Namespace - ---- ---- --------- - User eks:k8s-metrics ----- - - -[.topic] -[[pod-security-policy,pod-security-policy.title]] -== Understand Amazon EKS created pod security policies [.noloc]`(PSP)` +include::manage-secrets.adoc[leveloffset=+1] [abstract] -- -Learn about the Pod Security Policies [.noloc]`(PSP)` that Amazon EKS creates by default. PSP was deprecated in [.noloc]`Kubernetes` version `1.21` and removed in [.noloc]`Kubernetes` `1.25`. --- - -The [.noloc]`Kubernetes` [.noloc]`Pod` security policy admission controller validates [.noloc]`Pod` creation and update requests against a set of rules. By default, Amazon EKS clusters ship with a fully permissive security policy with no restrictions. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/[Pod Security Policies] in the [.noloc]`Kubernetes` documentation. - -[NOTE] -==== - -The `PodSecurityPolicy` ([.noloc]`PSP`) was deprecated in [.noloc]`Kubernetes` version `1.21` and removed in [.noloc]`Kubernetes` `1.25`. [.noloc]`PSPs` are being replaced with https://kubernetes.io/docs/concepts/security/pod-security-admission/[Pod Security Admission (PSA)], a built-in admission controller that implements the security controls outlined in the https://kubernetes.io/docs/concepts/security/pod-security-standards/[Pod Security Standards (PSS)]. PSA and PSS have both reached beta feature states, and are enabled in Amazon EKS by default. To address [.noloc]`PSP` removal in `1.25`, we recommend that you implement PSS in Amazon EKS. For more information, see link:containers/implementing-pod-security-standards-in-amazon-eks[Implementing Pod Security Standards in Amazon EKS,type="blog"] on the {aws} blog. - -==== - -[[default-psp,default-psp.title]] -=== Amazon EKS default [.noloc]`Pod` security policy - -Amazon EKS clusters with [.noloc]`Kubernetes` version `1.13` or higher have a default [.noloc]`Pod` security policy named `eks.privileged`. This policy has no restriction on what kind of [.noloc]`Pod` can be accepted into the system, which is equivalent to running [.noloc]`Kubernetes` with the `PodSecurityPolicy` controller disabled. - -[NOTE] -==== - -This policy was created to maintain backwards compatibility with clusters that did not have the `PodSecurityPolicy` controller enabled. You can create more restrictive policies for your cluster and for individual namespaces and service accounts and then delete the default policy to enable the more restrictive policies. - -==== - -You can view the default policy with the following command. - -[source,bash,subs="verbatim,attributes"] ----- -kubectl get psp eks.privileged ----- - -An example output is as follows. - -[source,bash,subs="verbatim,attributes"] ----- -NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP READONLYROOTFS VOLUMES -eks.privileged true * RunAsAny RunAsAny RunAsAny RunAsAny false * ----- - -For more details, you can describe the policy with the following command. - -[source,bash,subs="verbatim,attributes"] ----- -kubectl describe psp eks.privileged ----- - -An example output is as follows. - -[source,bash,subs="verbatim,attributes"] ----- -Name: eks.privileged - -Settings: - Allow Privileged: true - Allow Privilege Escalation: 0xc0004ce5f8 - Default Add Capabilities: - Required Drop Capabilities: - Allowed Capabilities: * - Allowed Volume Types: * - Allow Host Network: true - Allow Host Ports: 0-65535 - Allow Host PID: true - Allow Host IPC: true - Read Only Root Filesystem: false - SELinux Context Strategy: RunAsAny - User: - Role: - Type: - Level: - Run As User Strategy: RunAsAny - Ranges: - FSGroup Strategy: RunAsAny - Ranges: - Supplemental Groups Strategy: RunAsAny - Ranges: ----- - -You can view the full YAML file for the `eks.privileged` [.noloc]`Pod` security policy, its cluster role, and cluster role binding in <>. - -[[psp-delete-default,psp-delete-default.title]] -=== Delete the default Amazon EKS [.noloc]`Pod` security policy - -If you create more restrictive policies for your [.noloc]`Pods`, then after doing so, you can delete the default Amazon EKS `eks.privileged` [.noloc]`Pod` security policy to enable your custom policies. - -[IMPORTANT] -==== - -If you are using version `1.7.0` or later of the CNI plugin and you assign a custom [.noloc]`Pod` security policy to the `aws-node` [.noloc]`Kubernetes` service account used for the `aws-node` [.noloc]`Pods` deployed by the Daemonset, then the policy must have `NET_ADMIN` in its `allowedCapabilities` section along with `hostNetwork: true` and `privileged: true` in the policy's `spec`. - -==== -. Create a file named [.replaceable]`privileged-podsecuritypolicy.yaml` with the contents in the example file in <>. -. Delete the YAML with the following command. This deletes the default [.noloc]`Pod` security policy, the `ClusterRole`, and the `ClusterRoleBinding` associated with it. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl delete -f privileged-podsecuritypolicy.yaml ----- - - -[[psp-install-or-restore-default,psp-install-or-restore-default.title]] -=== Install or restore the default [.noloc]`Pod` security policy - -If you are upgrading from an earlier version of [.noloc]`Kubernetes`, or have modified or deleted the default Amazon EKS `eks.privileged` [.noloc]`Pod` security policy, you can restore it with the following steps. - -. Create a file called `privileged-podsecuritypolicy.yaml` with the following contents. -+ -[source,yaml,subs="verbatim,attributes"] ----- -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: eks.privileged - annotations: - kubernetes.io/description: 'privileged allows full unrestricted access to - Pod features, as if the PodSecurityPolicy controller was not enabled.' - seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' - labels: - kubernetes.io/cluster-service: "true" - eks.amazonaws.com/component: pod-security-policy -spec: - privileged: true - allowPrivilegeEscalation: true - allowedCapabilities: - - '*' - volumes: - - '*' - hostNetwork: true - hostPorts: - - min: 0 - max: 65535 - hostIPC: true - hostPID: true - runAsUser: - rule: 'RunAsAny' - seLinux: - rule: 'RunAsAny' - supplementalGroups: - rule: 'RunAsAny' - fsGroup: - rule: 'RunAsAny' - readOnlyRootFilesystem: false - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: eks:podsecuritypolicy:privileged - labels: - kubernetes.io/cluster-service: "true" - eks.amazonaws.com/component: pod-security-policy -rules: -- apiGroups: - - policy - resourceNames: - - eks.privileged - resources: - - podsecuritypolicies - verbs: - - use - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: eks:podsecuritypolicy:authenticated - annotations: - kubernetes.io/description: 'Allow all authenticated users to create privileged Pods.' - labels: - kubernetes.io/cluster-service: "true" - eks.amazonaws.com/component: pod-security-policy -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: eks:podsecuritypolicy:privileged -subjects: - - kind: Group - apiGroup: rbac.authorization.k8s.io - name: system:authenticated ----- -. Apply the YAML with the following command. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl apply -f privileged-podsecuritypolicy.yaml ----- - - -[.topic] -[[pod-security-policy-removal-faq,pod-security-policy-removal-faq.title]] -== Migrate from legacy pod security policies (PSP) - -[abstract] --- -Learn about the Pod Security Policy [.noloc]`(PSPs)` removal in [.noloc]`Kubernetes` `1.25`. Migrate to Pod Security Standards (PSS) or policy-as-code solutions before upgrading Amazon EKS clusters to [.noloc]`Kubernetes` 1.25 to avoid workload interruptions and maintain pod security controls. --- - -`PodSecurityPolicy` was https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/[deprecated in Kubernetes1.21], and has been removed in [.noloc]`Kubernetes` `1.25`. If you are using PodSecurityPolicy in your cluster, *then you must migrate to the built-in [.noloc]`Kubernetes` Pod Security Standards [.noloc]`(PSS)` or to a policy-as-code solution before upgrading your cluster to version `*1.25*` to avoid interruptions to your workloads.* Select any frequently asked question to learn more. - - -[[pod-security-policy-removal-what-is,pod-security-policy-removal-what-is.title]] -.What is a [.noloc]`PSP`? -[%collapsible] -==== - -https://kubernetes.io/docs/concepts/security/pod-security-policy/[PodSecurityPolicy] is a built-in admission controller that allows a cluster administrator to control security-sensitive aspects of [.noloc]`Pod` specification. If a [.noloc]`Pod` meets the requirements of its [.noloc]`PSP`, the [.noloc]`Pod` is admitted to the cluster as usual. If a [.noloc]`Pod` doesn't meet the [.noloc]`PSP` requirements, the [.noloc]`Pod` is rejected and can't run. -==== - -[[pod-security-policy-removal-specific,pod-security-policy-removal-specific.title]] -.Is the [.noloc]`PSP` removal specific to Amazon EKS or is it being removed in upstream [.noloc]`Kubernetes`? -[%collapsible] -==== - -This is an upstream change in the [.noloc]`Kubernetes` project, and not a change made in Amazon EKS. [.noloc]`PSP` was deprecated in [.noloc]`Kubernetes` `1.21` and removed in [.noloc]`Kubernetes` `1.25`. The [.noloc]`Kubernetes` community identified serious usability problems with [.noloc]`PSP`. These included accidentally granting broader permissions than intended and difficulty in inspecting which [.noloc]`PSPs` apply in a given situation. These issues couldn't be addressed without making breaking changes. This is the primary reason why the [.noloc]`Kubernetes` community https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/#why-is-podsecuritypolicy-going-away[decided to remove PSP]. -==== - -[[pod-security-policy-removal-check,pod-security-policy-removal-check.title]] -.How can I check if I'm using [.noloc]`PSPs` in my Amazon EKS clusters? -[%collapsible] -==== - -To check if you're using [.noloc]`PSPs` in your cluster, you can run the following command: - -[source,bash,subs="verbatim,attributes"] ----- -kubectl get psp ----- - -To see the [.noloc]`Pods` that the [.noloc]`PSPs` in your cluster are impacting, run the following command. This command outputs the [.noloc]`Pod` name, namespace, and [.noloc]`PSPs`: - -[source,bash,subs="verbatim,attributes"] ----- -kubectl get pod -A -o jsonpath='{range.items[?(@.metadata.annotations.kubernetes\.io/psp)]}{.metadata.name}{"\t"}{.metadata.namespace}{"\t"}{.metadata.annotations.kubernetes\.io/psp}{"\n"}' ----- -==== - -[[pod-security-policy-removal-what-can,pod-security-policy-removal-what-can.title]] -.If I'm using [.noloc]`PSPs` in my Amazon EKS cluster, what can I do? -[%collapsible] -==== - -Before upgrading your cluster to `1.25`, you must migrate your [.noloc]`PSPs` to either one of these alternatives: - - - -* [.noloc]`Kubernetes` [.noloc]`PSS`. - - -* Policy-as-code solutions from the [.noloc]`Kubernetes` environment. - -In response to the [.noloc]`PSP` deprecation and the ongoing need to control [.noloc]`Pod` security from the start, the [.noloc]`Kubernetes` community created a built-in solution with https://kubernetes.io/docs/concepts/security/pod-security-standards/[(PSS)] and https://kubernetes.io/docs/concepts/security/pod-security-admission/[Pod Security Admission (PSA)]. The PSA webhook implements the controls that are defined in the [.noloc]`PSS`. - -You can review best practices for migrating [.noloc]`PSPs` to the built-in [.noloc]`PSS` in the https://aws.github.io/aws-eks-best-practices/security/docs/pods/#pod-security-standards-pss-and-pod-security-admission-psa[EKS Best Practices Guide]. We also recommend reviewing our blog on link:containers/implementing-pod-security-standards-in-amazon-eks[Implementing Pod Security Standards in Amazon EKS,type="blog"]. Additional references include https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/[Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller] and https://kubernetes.io/docs/reference/access-authn-authz/psp-to-pod-security-standards/[Mapping PodSecurityPolicies to Pod Security Standards]. - -Policy-as-code solutions provide guardrails to guide cluster users and prevents unwanted behaviors through prescribed automated controls. Policy-as-code solutions typically use https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/[Kubernetes Dynamic Admission Controllers] to intercept the [.noloc]`Kubernetes` API server request flow using a webhook call. Policy-as-code solutions mutate and validate request payloads based on policies written and stored as code. - -There are several open source policy-as-code solutions available for [.noloc]`Kubernetes`. To review best practices for migrating [.noloc]`PSPs` to a policy-as-code solution, see the https://aws.github.io/aws-eks-best-practices/security/docs/pods/#policy-as-code-pac[Policy-as-code] section of the Pod Security page on GitHub. -==== - -[[pod-security-policy-removal-privileged,pod-security-policy-removal-privileged.title]] -.I see a [.noloc]`PSP` called `eks.privileged` in my cluster. What is it and what can I do about it? -[%collapsible] -==== - -Amazon EKS clusters with [.noloc]`Kubernetes` version `1.13` or higher have a default [.noloc]`PSP` that's named `eks.privileged`. This policy is created in `1.24` and earlier clusters. It isn't used in `1.25` and later clusters. Amazon EKS automatically migrates this [.noloc]`PSP` to a [.noloc]`PSS`-based enforcement. No action is needed on your part. -==== - -[[pod-security-policy-removal-prevent,pod-security-policy-removal-prevent.title]] -.Will Amazon EKS make any changes to [.noloc]`PSPs` present in my existing cluster when I update my cluster to version `1.25`? -[%collapsible] -==== - -No. Besides `eks.privileged`, which is a [.noloc]`PSP` created by Amazon EKS, no changes are made to other [.noloc]`PSPs` in your cluster when you upgrade to `1.25`. -==== - -[[pod-security-policy-removal-migrate,pod-security-policy-removal-migrate.title]] -.Will Amazon EKS prevent a cluster update to version `1.25` if I haven't migrated off of [.noloc]`PSP`? -[%collapsible] -==== - -No. Amazon EKS won't prevent a cluster update to version `1.25` if you didn't migrate off of [.noloc]`PSP` yet. -==== - -[[pod-security-policy-removal-forget,pod-security-policy-removal-forget.title]] -.What if I forget to migrate my [.noloc]`PSPs` to [.noloc]`PSS/PSA` or to a policy-as-code solution before I update my cluster to version `1.25`? Can I migrate after updating my cluster? -[%collapsible] -==== - -When a cluster that contains a [.noloc]`PSP` is upgraded to [.noloc]`Kubernetes` version `1.25`, the API server doesn't recognize the [.noloc]`PSP` resource in `1.25`. This might result in [.noloc]`Pods` getting incorrect security scopes. For an exhaustive list of implications, see https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/[Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller]. -==== - -[[pod-security-policy-removal-impact,pod-security-policy-removal-impact.title]] -.How does this change impact pod security for Windows workloads? -[%collapsible] -==== - -We don't expect any specific impact to Windows workloads. PodSecurityContext has a field called `windowsOptions` in the `PodSpec v1` API for Windows [.noloc]`Pods`. This uses [.noloc]`PSS` in [.noloc]`Kubernetes` `1.25`. For more information and best practices about enforcing [.noloc]`PSS` for Windows workloads, see the https://aws.github.io/aws-eks-best-practices/windows/docs/security/#pod-security-contexts[EKS Best Practices Guide] and [.noloc]`Kubernetes` https://kubernetes.io/docs/tasks/configure-pod-container/configure-runasusername/[documentation]. -==== - -[.topic] -[[enable-kms,enable-kms.title]] -== Encrypt Kubernetes secrets with {aws} KMS on existing clusters - -[abstract] --- -Learn how to enable Kubernetes secrets encryption with {aws} KMS on an existing Amazon EKS cluster, ensuring secure storage of sensitive data. +Configure [.noloc]`Kubernetes` to meet your security and compliance objectives, and learn how to use other {aws} services that help you to secure your [.noloc]`Kubernetes` resources. -- -If you enable https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/[secrets encryption], the [.noloc]`Kubernetes` secrets are encrypted using the {aws} KMS key that you select. The KMS key must meet the following conditions: - - - -* Symmetric -* Can encrypt and decrypt data -* Created in the same {aws} Region as the cluster -* If the KMS key was created in a different account, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] must have access to the KMS key. - -For more information, see link:kms/latest/developerguide/key-policy-modifying-external-accounts.html[Allowing IAM principals in other accounts to use a KMS key,type="documentation"] in the _link:kms/latest/developerguide/[{aws} Key Management Service Developer Guide,type="documentation"]_. - -[WARNING] -==== - -You can't disable secrets encryption after enabling it. This action is irreversible. - -==== - -eksctl :: - -You can enable encryption in two ways: - -** Add encryption to your cluster with a single command. -+ -To automatically re-encrypt your secrets, run the following command. -+ -[source,bash,subs="verbatim,attributes"] ----- -eksctl utils enable-secrets-encryption \ - --cluster my-cluster \ - --key-arn {arn-aws}kms:region-code:account:key/key ----- -+ -To opt-out of automatically re-encrypting your secrets, run the following command. -+ -[source,bash,subs="verbatim,attributes"] ----- -eksctl utils enable-secrets-encryption - --cluster my-cluster \ - --key-arn {arn-aws}kms:region-code:account:key/key \ - --encrypt-existing-secrets=false ----- -** Add encryption to your cluster with a `kms-cluster.yaml` file. -+ -[source,yaml,subs="verbatim,attributes"] ----- -apiVersion: eksctl.io/v1alpha5 -kind: ClusterConfig - -metadata: - name: my-cluster - region: region-code - -secretsEncryption: - keyARN: {arn-aws}kms:region-code:account:key/key ----- -+ -To have your secrets re-encrypt automatically, run the following command. -+ -[source,bash,subs="verbatim,attributes"] ----- -eksctl utils enable-secrets-encryption -f kms-cluster.yaml ----- -+ -To opt out of automatically re-encrypting your secrets, run the following command. -+ -[source,bash,subs="verbatim,attributes"] ----- -eksctl utils enable-secrets-encryption -f kms-cluster.yaml --encrypt-existing-secrets=false ----- - - -{aws-management-console}:: -.. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. -.. Choose the cluster that you want to add KMS encryption to. -.. Choose the *Overview* tab (this is selected by default). -.. Scroll down to the *Secrets encryption* section and choose *Enable*. -.. Select a key from the dropdown list and choose the *Enable* button. If no keys are listed, you must create one first. For more information, see link:kms/latest/developerguide/create-keys.html[Creating keys,type="documentation"] -.. Choose the *Confirm* button to use the chosen key. - - -{aws} CLI:: -.. Associate the https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/[secrets encryption] configuration with your cluster using the following {aws} CLI command. Replace the [.replaceable]`example values` with your own. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks associate-encryption-config \ - --cluster-name my-cluster \ - --encryption-config '[{"resources":["secrets"],"provider":{"keyArn":"{arn-aws}kms:region-code:account:key/key"}}]' ----- -+ -An example output is as follows. -+ -[source,json,subs="verbatim,attributes"] ----- -{ -  "update": { -    "id": "3141b835-8103-423a-8e68-12c2521ffa4d", -    "status": "InProgress", -    "type": "AssociateEncryptionConfig", -    "params": [ -      { -        "type": "EncryptionConfig", -        "value": "[{\"resources\":[\"secrets\"],\"provider\":{\"keyArn\":\"{arn-aws}kms:region-code:account:key/key\"}}]" -      } -    ], -    "createdAt": 1613754188.734, -    "errors": [] -  } -} ----- -.. You can monitor the status of your encryption update with the following command. Use the specific `cluster name` and `update ID` that was returned in the previous output. When a `Successful` status is displayed, the update is complete. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks describe-update \ - --region region-code \ - --name my-cluster \ - --update-id 3141b835-8103-423a-8e68-12c2521ffa4d ----- -+ -An example output is as follows. -+ -[source,json,subs="verbatim,attributes"] ----- -{ -  "update": { -    "id": "3141b835-8103-423a-8e68-12c2521ffa4d", -    "status": "Successful", -    "type": "AssociateEncryptionConfig", -    "params": [ -      { -        "type": "EncryptionConfig", -        "value": "[{\"resources\":[\"secrets\"],\"provider\":{\"keyArn\":\"{arn-aws}kms:region-code:account:key/key\"}}]" -      } -    ], -    "createdAt": 1613754188.734>, -    "errors": [] -  } -} ----- -.. To verify that encryption is enabled in your cluster, run the `describe-cluster` command. The response contains an `EncryptionConfig` string. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks describe-cluster --region region-code --name my-cluster ----- - -After you enabled encryption on your cluster, you must encrypt all existing secrets with the new key: - -[NOTE] -==== - -If you use `eksctl`, running the following command is necessary only if you opt out of re-encrypting your secrets automatically. - -==== - -[source,bash,subs="verbatim,attributes"] ----- -kubectl get secrets --all-namespaces -o json | kubectl annotate --overwrite -f - kms-encryption-timestamp="time value" ----- - -[WARNING] -==== - -If you enable https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/[secrets encryption] for an existing cluster and the KMS key that you use is ever deleted, then there's no way to recover the cluster. If you delete the KMS key, you permanently put the cluster in a degraded state. For more information, see link:kms/latest/developerguide/deleting-keys.html[Deleting {aws} KMS keys,type="documentation"]. - -==== - -[NOTE] -==== - -By default, the `create-key` command creates a link:kms/latest/developerguide/symmetric-asymmetric.html[symmetric encryption KMS key,type="documentation"] with a key policy that gives the account root admin access on {aws} KMS actions and resources. If you want to scope down the permissions, make sure that the `kms:DescribeKey` and `kms:CreateGrant` actions are permitted on the policy for the principal that calls the `create-cluster` API. - - -For clusters using KMS Envelope Encryption, `kms:CreateGrant` permissions are required. The condition `kms:GrantIsForAWSResource` is not supported for the CreateCluster action, and should not be used in KMS policies to control `kms:CreateGrant` permissions for users performing CreateCluster. - -==== - -[.topic] -[[manage-secrets,manage-secrets.title]] -== Use {aws} Secrets Manager secrets with Amazon EKS pods - -To show secrets from Secrets Manager and parameters from Parameter Store as files mounted in Amazon EKS [.noloc]`Pods`, you can use the {aws} Secrets and Configuration Provider (ASCP) for the https://secrets-store-csi-driver.sigs.k8s.io/[Kubernetes Secrets Store CSI Driver]. - -With the ASCP, you can store and manage your secrets in Secrets Manager and then retrieve them through your workloads running on Amazon EKS. You can use IAM roles and policies to limit access to your secrets to specific [.noloc]`Kubernetes` [.noloc]`Pods` in a cluster. The ASCP retrieves the [.noloc]`Pod` identity and exchanges the identity for an IAM role. ASCP assumes the IAM role of the [.noloc]`Pod`, and then it can retrieve secrets from Secrets Manager that are authorized for that role. - -If you use Secrets Manager automatic rotation for your secrets, you can also use the Secrets Store CSI Driver rotation reconciler feature to ensure you are retrieving the latest secret from Secrets Manager. - -[NOTE] -==== - -{aws} Fargate (Fargate) node groups are not supported. - -==== +The following are considerations for security in the cloud, as they affect [.noloc]`Kubernetes` in Amazon EKS clusters. For an in-depth review of security controls and practices in [.noloc]`Kubernetes`, see https://kubernetes.io/docs/concepts/security/cloud-native-security/[Cloud Native Security and Kubernetes] in the [.noloc]`Kubernetes` documentation. -For more information, see link:secretsmanager/latest/userguide/integrating_csi_driver.html[Using Secrets Manager secrets in Amazon EKS,type="documentation"] in the {aws} Secrets Manager User Guide. +[.topiclist] +[[Topic List]] diff --git a/latest/ug/security/security.adoc b/latest/ug/security/security.adoc index b7db58015..7aaa03700 100644 --- a/latest/ug/security/security.adoc +++ b/latest/ug/security/security.adoc @@ -11,14 +11,24 @@ :idseparator: - :sourcedir: . :info_doctype: chapter -:info_title: Security in Amazon EKS :info_titleabbrev: Security -:info_abstract: Configure Amazon EKS to meet your security and compliance objectives, and learn \ - how to use other {aws} services that help you to secure your Amazon EKS \ - resources. include::../attributes.txt[] +include::security-best-practices.adoc[leveloffset=+1] + +include::configuration-vulnerability-analysis.adoc[leveloffset=+1] + +include::compliance.adoc[leveloffset=+1] + +include::security-eks.adoc[leveloffset=+1] + +include::security-k8s.adoc[leveloffset=+1] + +include::auto-security.adoc[leveloffset=+1] + +include::iam-reference/security-iam.adoc[leveloffset=+1] + [abstract] -- Configure Amazon EKS to meet your security and compliance objectives, and learn how to use other {aws} services that help you to secure your Amazon EKS resources. @@ -28,8 +38,6 @@ Cloud security at {aws} is the highest priority. As an {aws} customer, you benef Security is a shared responsibility between {aws} and you. The link:compliance/shared-responsibility-model/[shared responsibility model,type="marketing"] describes this as security _of_ the cloud and security _in_ the cloud: - - * *Security of the cloud* – {aws} is responsible for protecting the infrastructure that runs {aws} services in the {aws} Cloud. For Amazon EKS, {aws} is responsible for the [.noloc]`Kubernetes` control plane, which includes the control plane nodes and `etcd` database. Third-party auditors regularly test and verify the effectiveness of our security as part of the link:compliance/programs/[{aws} compliance programs,type="marketing"]. To learn about the compliance programs that apply to Amazon EKS, see link:compliance/services-in-scope/[{aws} Services in Scope by Compliance Program,type="marketing"]. * *Security in the cloud* – Your responsibility includes the following areas. + @@ -53,31 +61,3 @@ This documentation helps you understand how to apply the shared responsibility m [.topiclist] [[Topic List]] - -include::configuration-vulnerability-analysis.adoc[leveloffset=+1] - - -include::compliance.adoc[leveloffset=+1] - - -include::security-eks.adoc[leveloffset=+1] - - -include::security-k8s.adoc[leveloffset=+1] - - -include::auto-security.adoc[leveloffset=+1] - - -[.topic] -[[security-best-practices,security-best-practices.title]] -== Secure Amazon EKS clusters with best practices - -[abstract] --- -Learn how to secure your Amazon EKS clusters by following the best practices from the community. --- - -The Amazon EKS security best practices are in the link:eks/latest/best-practices/security.html[Best Practices for Security,type="documentation"] in the _Amazon EKS Best Practices Guide_. - -include::iam-reference/security-iam.adoc[leveloffset=+1] diff --git a/latest/ug/security/vpc-interface-endpoints.adoc b/latest/ug/security/vpc-interface-endpoints.adoc new file mode 100644 index 000000000..8752cccfd --- /dev/null +++ b/latest/ug/security/vpc-interface-endpoints.adoc @@ -0,0 +1,63 @@ +//!!NODE_ROOT
+include::../attributes.txt[] + +[.topic] +[[vpc-interface-endpoints,vpc-interface-endpoints.title]] += Access the Amazon EKS using {aws} PrivateLink +:info_titleabbrev: {aws} PrivateLink + +[abstract] +-- +Learn how to securely access Amazon Elastic Kubernetes Service (Amazon EKS) APIs from within your VPC using {aws} PrivateLink, avoiding public internet exposure while benefiting from private connectivity, routing optimization, and built-in security controls for enhanced cluster management. +-- + +You can use {aws} PrivateLink to create a private connection between your VPC and Amazon Elastic Kubernetes Service. You can access Amazon EKS as if it were in your VPC, without the use of an internet gateway, NAT device, VPN connection, or {aws} Direct Connect connection. Instances in your VPC don't need public IP addresses to access Amazon EKS. + +You establish this private connection by creating an interface endpoint powered by {aws} PrivateLink. We create an endpoint network interface in each subnet that you enable for the interface endpoint. These are requester-managed network interfaces that serve as the entry point for traffic destined for Amazon EKS. + +For more information, see link:vpc/latest/privatelink/privatelink-access-aws-services.html[Access {aws} services through {aws} PrivateLink,type="documentation"] in the _{aws} PrivateLink Guide_. + +[[vpc-endpoint-considerations,vpc-endpoint-considerations.title]] +== Considerations for Amazon EKS + +* Before you set up an interface endpoint for Amazon EKS, review link:vpc/latest/privatelink/create-interface-endpoint.html#considerations-interface-endpoints[Considerations,type="documentation"] in the _{aws} PrivateLink Guide_. +* Amazon EKS supports making calls to all of its API actions through the interface endpoint, but not to the [.noloc]`Kubernetes` APIs. The [.noloc]`Kubernetes` API server already supports a <>. The [.noloc]`Kubernetes` API server private endpoint creates a private endpoint for the [.noloc]`Kubernetes` API server that you use to communicate with your cluster (using [.noloc]`Kubernetes` management tools such as `kubectl`). You can enable <> to the [.noloc]`Kubernetes` API server so that all communication between your nodes and the API server stays within your VPC. {aws} PrivateLink for the Amazon EKS API helps you call the Amazon EKS APIs from your VPC without exposing traffic to the public internet. +* You can't configure Amazon EKS to only be accessed through an interface endpoint. +* Standard pricing for {aws} PrivateLink applies for interface endpoints for Amazon EKS. You are billed for every hour that an interface endpoint is provisioned in each Availability Zone and for data processed through the interface endpoint. For more information, see link:privatelink/pricing/[{aws} PrivateLink pricing,type="marketing"]. +* VPC endpoint policies are not supported for Amazon EKS. By default, full access to Amazon EKS is allowed through the interface endpoint. Alternatively, you can associate a security group with the endpoint network interfaces to control traffic to Amazon EKS through the interface endpoint. +* You can use VPC flow logs to capture information about IP traffic going to and from network interfaces, including interface endpoints. You can publish flow log data to Amazon CloudWatch or Amazon S3. For more information, see link:vpc/latest/userguide/flow-logs.html[Logging IP traffic using VPC Flow Logs,type="documentation"] in the Amazon VPC User Guide. +* You can access the Amazon EKS APIs from an on-premises data center by connecting it to a VPC that has an interface endpoint. You can use {aws} Direct Connect or {aws} Site-to-Site VPN to connect your on-premises sites to a VPC. +* You can connect other VPCs to the VPC with an interface endpoint using an {aws} Transit Gateway or VPC peering. VPC peering is a networking connection between two VPCs. You can establish a VPC peering connection between your VPCs, or with a VPC in another account. The VPCs can be in different {aws} Regions. Traffic between peered VPCs stays on the {aws} network. The traffic doesn't traverse the public internet. A Transit Gateway is a network transit hub that you can use to interconnect VPCs. Traffic between a VPC and a Transit Gateway remains on the {aws} global private network. The traffic isn't exposed to the public internet. +* Before August 2024, VPC interface endpoints for Amazon EKS were only accessible over `IPv4` using `eks.[.replaceable]``region``.amazonaws.com`. New VPC interface endpoints that are made after August 2024 use dual-stack of `IPv4` and `IPv6` IP addresses and both DNS names: `eks.[.replaceable]``region``.amazonaws.com` and `eks.[.replaceable]``region``.api.aws`. +* {aws} PrivateLink support for the EKS API isn't available in the Asia Pacific (Malaysia) (`ap-southeast-5`), Asia Pacific (Thailand) (`ap-southeast-7`), and Mexico (Central) (`mx-central-1`) {aws} Regions. {aws} PrivateLink support for `eks-auth` for EKS Pod Identity is available in the the Asia Pacific (Malaysia) (`ap-southeast-5`) Region. + + +[[vpc-endpoint-create,vpc-endpoint-create.title]] +== Create an interface endpoint for Amazon EKS + +You can create an interface endpoint for Amazon EKS using either the Amazon VPC console or the {aws} Command Line Interface ({aws} CLI). For more information, see link:vpc/latest/privatelink/create-interface-endpoint.html#create-interface-endpoint-aws[Create a VPC endpoint,type="documentation"] in the _{aws} PrivateLink Guide_. + +Create an interface endpoint for Amazon EKS using the following service names: + +* EKS API +[source,none,subs="verbatim,attributes"] +---- +com.amazonaws.region-code.eks +---- +* EKS Auth API (EKS Pod Identity) +[source,none,subs="verbatim,attributes"] +---- +com.amazonaws.region-code.eks-auth +---- + +The private DNS feature is enabled by default when creating an interface endpoint for Amazon EKS and other {aws} services. To use the private DNS feature, you must ensure that the following VPC attributes are set to `true`: `enableDnsHostnames` and `enableDnsSupport`. For more information, see link:vpc/latest/userguide/vpc-dns.html#vpc-dns-updating[View and update DNS attributes for your VPC,type="documentation"] in the Amazon VPC User Guide. With the private DNS feature enabled for the interface endpoint: + + + +* You can make any API request to Amazon EKS using its default Regional DNS name. After August 2024, any new VPC interface endpoint for the Amazon EKS API have two default Regional DNS names and you can choose the `dualstack` for the IP address type. The first DNS name is `eks.[.replaceable]``region``.api.aws` which is dual-stack. It resolves to both `IPv4` addresses and `IPv6` addresses. Before August 2024, Amazon EKS only used `eks.[.replaceable]``region``.amazonaws.com` which resolved to `IPv4` addresses only. If you want to use `IPv6` and dual-stack IP addresses with an existing VPC interface endpoint, you can update the endpoint to use the `dualstack` type of IP address, but it will only have the `eks.[.replaceable]``region``.amazonaws.com` DNS name. In this configuration, the existing endpoint updates to point that name to both `IPv4` and `IPv6` IP addresses. For a list of APIs, see link:eks/latest/APIReference/API_Operations.html[Actions,type="documentation"] in the Amazon EKS API Reference. +* You don't need to make any changes to your applications that call the EKS APIs. ++ +However, To use the dual-stack endpoints with the {aws} CLI, see the link:sdkref/latest/guide/feature-endpoints.html[Dual-stack and FIPS endpoints,type="documentation"] configuration in the _{aws} SDKs and Tools Reference Guide_. +* Any call made to the Amazon EKS default service endpoint is automatically routed through the interface endpoint over the private {aws} network. + + From 0c9ca420810512f1868d81f3352460a35a833c06 Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Fri, 17 Jan 2025 16:09:48 -0800 Subject: [PATCH 025/940] Add latest EKS platform versions --- latest/ug/clusters/platform-versions.adoc | 40 +++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/latest/ug/clusters/platform-versions.adoc b/latest/ug/clusters/platform-versions.adoc index a69c27f88..6a35ac91b 100644 --- a/latest/ug/clusters/platform-versions.adoc +++ b/latest/ug/clusters/platform-versions.adoc @@ -49,6 +49,11 @@ The following admission controllers are enabled for all `1.31` platform versions | Release notes | Release date +| `1.31.4` +| `eks.17` +| New platform version with security fixes and enhancements. +| January 17, 2025 + | `1.31.2` | `eks.12` | New platform version with Amazon EKS Hybrid Nodes support and enhancements to control plane observability. See <> and see link:blogs/containers/amazon-eks-enhances-kubernetes-control-plane-observability/[Amazon EKS enhances performance observability,type="blog"], respectively. @@ -79,6 +84,11 @@ The following admission controllers are enabled for all `1.30` platform versions | Release notes | Release date +| `1.30.8` +| `eks.25` +| New platform version with security fixes and enhancements. +| January 17, 2025 + | `1.30.6` | `eks.20` | New platform version with Amazon EKS Hybrid Nodes support and enhancements to control plane observability. See <> and see link:blogs/containers/amazon-eks-enhances-kubernetes-control-plane-observability/[Amazon EKS enhances performance observability,type="blog"], respectively. @@ -128,6 +138,11 @@ The following admission controllers are enabled for all `1.29` platform versions | Release notes | Release date +| `1.29.12` +| `eks.28` +| New platform version with security fixes and enhancements. +| January 17, 2025 + | `1.29.10` | `eks.23` | New platform version with Amazon EKS Hybrid Nodes support and enhancements to control plane observability. See <> and see link:blogs/containers/amazon-eks-enhances-kubernetes-control-plane-observability/[Amazon EKS enhances performance observability,type="blog"], respectively. @@ -202,6 +217,11 @@ The following admission controllers are enabled for all `1.28` platform versions | Release notes | Release date +| `1.28.15` +| `eks.34` +| New platform version with security fixes and enhancements. +| January 17, 2025 + | `1.28.15` | `eks.29` | New platform version with Amazon EKS Hybrid Nodes support and enhancements to control plane observability. See <> and see link:blogs/containers/amazon-eks-enhances-kubernetes-control-plane-observability/[Amazon EKS enhances performance observability,type="blog"], respectively. @@ -305,6 +325,11 @@ The following admission controllers are enabled for all `1.27` platform versions | Release notes | Release date +| `1.27.16` +| `eks.38` +| New platform version with security fixes and enhancements. +| January 17, 2025 + | `1.27.16` | `eks.33` | New platform version with Amazon EKS Hybrid Nodes support, security fixes and enhancements. For more information about Amazon EKS Hybrid Nodes, see <>. @@ -428,6 +453,11 @@ The following admission controllers are enabled for all `1.26` platform versions | Release notes | Release date +| `1.26.15` +| `eks.40` +| New platform version with security fixes and enhancements. +| January 17, 2025 + | `1.26.15` | `eks.35` | New platform version with Amazon EKS Hybrid Nodes support, security fixes and enhancements. For more information about Amazon EKS Hybrid Nodes, see <>. @@ -556,6 +586,11 @@ The following admission controllers are enabled for all `1.25` platform versions | Release notes | Release date +| `1.25.16` +| `eks.40` +| New platform version with security fixes and enhancements. +| January 17, 2025 + | `1.25.16` | `eks.35` | New platform version with Amazon EKS Hybrid Nodes support, security fixes and enhancements. For more information about Amazon EKS Hybrid Nodes, see <>. @@ -690,6 +725,11 @@ The following admission controllers are enabled for all `1.24` platform versions | Release notes | Release date +| `1.24.17` +| `eks.44` +| New platform version with security fixes and enhancements. +| January 17, 2025 + | `1.24.17` | `eks.39` | New platform version with security fixes and enhancements. From b7860e4a162537474ccb90c0065e503e419abf66 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Sat, 18 Jan 2025 21:21:22 -0600 Subject: [PATCH 026/940] split vale checks (#838) * split vale checks * fixup * revert aws usage --- .github/workflows/vale.yml | 16 ++++++++++++++-- brand.vale.ini | 14 ++++++++++++++ 2 files changed, 28 insertions(+), 2 deletions(-) create mode 100644 brand.vale.ini diff --git a/.github/workflows/vale.yml b/.github/workflows/vale.yml index bad1eb18c..ec3c4da5d 100644 --- a/.github/workflows/vale.yml +++ b/.github/workflows/vale.yml @@ -15,7 +15,18 @@ jobs: - name: Install Asciidoctor run: sudo apt-get install -y asciidoctor - - name: Run Vale + - name: Vale Style Check + uses: errata-ai/vale-action@reviewdog + env: + GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} + with: + fail_on_error: false + reporter: github-pr-check + filter_mode: added + files: latest/ug + continue-on-error: true + + - name: Enforce AWS Brand uses: errata-ai/vale-action@reviewdog env: GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} @@ -24,4 +35,5 @@ jobs: reporter: github-pr-check filter_mode: added files: latest/ug - continue-on-error: false \ No newline at end of file + vale_flags: "--config brand.vale.ini" + continue-on-error: true \ No newline at end of file diff --git a/brand.vale.ini b/brand.vale.ini new file mode 100644 index 000000000..b005e14b3 --- /dev/null +++ b/brand.vale.ini @@ -0,0 +1,14 @@ +StylesPath = vale/styles + +MinAlertLevel = error + +# Packages = RedHat, AsciiDoc + +#Vocab = EksDocsVocab + +# Ignore files in dirs starting with `.` to avoid raising errors for `.vale/fixtures/*/testinvalid.adoc` files +[[!.]*.adoc] +BasedOnStyles = EksDocs +EksDocs.ExternalDomains = OFF + + From 094a2620086333850fc5391c518814c3bd608528 Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Tue, 21 Jan 2025 11:27:54 -0800 Subject: [PATCH 027/940] fix IAM policy rendering and remove the `quotes` macro --- .../ug/nodes/hybrid-nodes-cluster-create.adoc | 2 +- latest/ug/nodes/hybrid-nodes-creds.adoc | 18 +++++++++--------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc index 1549c5e17..ac7c0337d 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc @@ -173,7 +173,7 @@ curl -OL 'https://raw.githubusercontent.com/aws/eks-hybrid/refs/heads/main/examp .. `CLUSTER_ENDPOINT`: the cluster endpoint connectivity for your cluster. Valid values are “Public” and “Private”. The default in the template is Private, which means you will only be able to connect to the Kubernetes API endpoint from within your VPC. .. `K8S_VERSION`: the Kubernetes version to use for your cluster. See <>. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,json,subs="verbatim,attributes"] ---- { "Parameters": { diff --git a/latest/ug/nodes/hybrid-nodes-creds.adoc b/latest/ug/nodes/hybrid-nodes-creds.adoc index f64d1199f..6777dd5a2 100644 --- a/latest/ug/nodes/hybrid-nodes-creds.adoc +++ b/latest/ug/nodes/hybrid-nodes-creds.adoc @@ -101,7 +101,7 @@ curl -OL 'https://raw.githubusercontent.com/aws/eks-hybrid/refs/heads/main/examp .. Replace `TAG_KEY` with the {aws} SSM resource tag key you used when creating your {aws} SSM hybrid activation. The combination of the tag key and tag value is used in the condition for the `ssm:DeregisterManagedInstance` to only allow the Hybrid Nodes IAM role to deregister the {aws} SSM managed instances that are associated with your {aws} SSM hybrid activation. In the CloudFormation template, `TAG_KEY` defaults to `EKSClusterARN`. .. Replace `TAG_VALUE` with the {aws} SSM resource tag value you used when creating your {aws} SSM hybrid activation. The combination of the tag key and tag value is used in the condition for the `ssm:DeregisterManagedInstance` to only allow the Hybrid Nodes IAM role to deregister the {aws} SSM managed instances that are associated with your {aws} SSM hybrid activation. If you are using the default `TAG_KEY` of `EKSClusterARN`, then pass your EKS cluster ARN as the `TAG_VALUE`. EKS cluster ARNs have the format `arn:aws:eks:AWS_REGION:AWS_ACCOUNT_ID:cluster/CLUSTER_NAME`. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,json,subs="verbatim,attributes"] ---- { "Parameters": { @@ -141,7 +141,7 @@ curl -OL 'https://raw.githubusercontent.com/aws/eks-hybrid/refs/heads/main/examp .. Replace `CERT_ATTRIBUTE` with the per-machine certificate attribute that uniquely identifies your host. The certificate attribute you use must match the nodeName you use for the `nodeadm` configuration when you connect hybrid nodes to your cluster. For more information, see the <>. By default, the CloudFormation template uses `${aws:PrincipalTag/x509Subject/CN}` as the `CERT_ATTRIBUTE`, which corresponds to the CN field of your per-machine certificates. You can alternatively pass `$(aws:PrincipalTag/x509SAN/Name/CN}` as your `CERT_ATTRIBUTE`. .. Replace `CA_CERT_BODY` with the certificate body of your CA without line breaks. The `CA_CERT_BODY` must be in Privacy Enhanced Mail (PEM) format. If you have a CA certificate in PEM format, remove the line breaks and BEGIN CERTIFICATE and END CERTIFICATE lines before placing the CA certificate body in your `cfn-iamra-parameters.json` file. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,json,subs="verbatim,attributes"] ---- { "Parameters": { @@ -170,7 +170,7 @@ Install and configure the {aws} CLI, if you haven't already. See link:cli/latest . Create a file named `eks-describe-cluster-policy.json` with the following contents: + -[source,bash,subs="verbatim,attributes,quotes"] +[source,json,subs="verbatim,attributes"] ---- { "Version": "2012-10-17", @@ -203,7 +203,7 @@ aws iam create-policy \ .. Replace `TAG_KEY` with the {aws} SSM resource tag key you used when creating your {aws} SSM hybrid activation. The combination of the tag key and tag value is used in the condition for the `ssm:DeregisterManagedInstance` to only allow the Hybrid Nodes IAM role to deregister the {aws} SSM managed instances that are associated with your {aws} SSM hybrid activation. In the CloudFormation template, `TAG_KEY` defaults to `EKSClusterARN`. .. Replace `TAG_VALUE` with the {aws} SSM resource tag value you used when creating your {aws} SSM hybrid activation. The combination of the tag key and tag value is used in the condition for the `ssm:DeregisterManagedInstance` to only allow the Hybrid Nodes IAM role to deregister the {aws} SSM managed instances that are associated with your {aws} SSM hybrid activation. If you are using the default `TAG_KEY` of `EKSClusterARN`, then pass your EKS cluster ARN as the `TAG_VALUE`. EKS cluster ARNs have the format `arn:aws:eks:AWS_REGION:AWS_ACCOUNT_ID:cluster/CLUSTER_NAME`. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,json,subs="verbatim,attributes"] ---- { "Version": "2012-10-17", @@ -236,7 +236,7 @@ aws iam create-policy \ ---- . Create a file named `eks-hybrid-ssm-trust.json`. Replace `AWS_REGION` with the {aws} Region of your {aws} SSM hybrid activation and `AWS_ACCOUNT_ID` with your {aws} account ID. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,json,subs="verbatim,attributes"] ---- { "Version":"2012-10-17", @@ -311,7 +311,7 @@ To use {aws} IAM Roles Anywhere, you must set up your {aws} IAM Roles Anywhere t . Create a file named `eks-hybrid-iamra-trust.json`. Replace `TRUST_ANCHOR ARN` with the ARN of the trust anchor you created in the <> steps. The condition in this trust policy restricts the ability of {aws} IAM Roles Anywhere to assume the Hybrid Nodes IAM role to exchange temporary IAM credentials only when the role session name matches the CN in the x509 certificate installed on your hybrid nodes. You can alternatively use other certificate attributes to uniquely identify your node. The certificate attribute that you use in the trust policy must correspond to the `nodeName` you set in your `nodeadm` configuration. For more information, see the <>. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,json,subs="verbatim,attributes"] ---- { "Version": "2012-10-17", @@ -400,7 +400,7 @@ aws iam attach-role-policy \ . On the *Policies page*, choose *Create policy*. . On the *Specify permissions* page, in the *Policy editor* top right navigation, choose *JSON*. Paste the following snippet. Replace `AWS_REGION` with the {aws} Region of your {aws} SSM hybrid activation and replace `AWS_ACCOUNT_ID` with your {aws} account ID. Replace `TAG_KEY` and `TAG_VALUE` with the {aws} SSM resource tag key you used when creating your {aws} SSM hybrid activation. + -[source,yaml,subs="verbatim,attributes,quotes"] +[source,json,subs="verbatim,attributes"] ---- { "Version": "2012-10-17", @@ -433,7 +433,7 @@ aws iam attach-role-policy \ . On the *Select trusted entity* page, do the following: .. In the *Trusted entity* type section, choose *Custom trust policy*. Paste the following into the Custom trust policy editor. Replace `AWS_REGION` with the {aws} Region of your {aws} SSM hybrid activation and `AWS_ACCOUNT_ID` with your {aws} account ID. + -[source,yaml,subs="verbatim,attributes,quotes"] +[source,yaml,subs="verbatim,attributes"] ---- { "Version":"2012-10-17", @@ -479,7 +479,7 @@ To use {aws} IAM Roles Anywhere, you must set up your {aws} IAM Roles Anywhere t . On the *Select trusted entity* page, do the following: .. In the *Trusted entity type section*, choose *Custom trust policy*. Paste the following into the Custom trust policy editor. Replace `TRUST_ANCHOR ARN` with the ARN of the trust anchor you created in the <> steps. The condition in this trust policy restricts the ability of {aws} IAM Roles Anywhere to assume the Hybrid Nodes IAM role to exchange temporary IAM credentials only when the role session name matches the CN in the x509 certificate installed on your hybrid nodes. You can alternatively use other certificate attributes to uniquely identify your node. The certificate attribute that you use in the trust policy must correspond to the nodeName you set in your nodeadm configuration. For more information, see the <>. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,json,subs="verbatim,attributes"] ---- { "Version": "2012-10-17", From 2289adc29b71055a9ed6863062b6cc83e5aa9bf2 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Tue, 21 Jan 2025 14:41:17 -0600 Subject: [PATCH 028/940] Update auto-networking.adoc Remove references to VPC CNI from auto mode content --- latest/ug/automode/auto-networking.adoc | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/latest/ug/automode/auto-networking.adoc b/latest/ug/automode/auto-networking.adoc index 711f7bd30..6bd91b0f3 100644 --- a/latest/ug/automode/auto-networking.adoc +++ b/latest/ug/automode/auto-networking.adoc @@ -15,13 +15,15 @@ This topic explains how to configure Virtual Private Cloud (VPC) networking and When you use EKS Auto Mode, {aws} manages the VPC Container Network Interface (CNI) configuration and load balancer provisioning for your cluster. You can influence networking behaviors by defining NodeClass objects and applying specific annotations to your Service and Ingress resources, while maintaining the automated operational model that EKS Auto Mode provides. -== VPC CNI networking +== Networking capability -With {eam}, you do not directly configure the {aws} VPC CNI. {aws} manages node and pod networking. Instead, you create a `NodeClass` Kubernetes object. +{eam} has a new networking capability that handles node and pod networking. You can configure it by creating a `NodeClass` Kubernetes object. -=== Configure VPC CNI with NodeClass +Configuration options for the previous {aws} VPC CNI may not apply to {eam}. -The NodeClass resource in EKS Auto Mode allows you to customize certain aspects of the VPC Container Network Interface (CNI) configuration without directly managing the CNI plugin. Through NodeClass, you can specify security group selections, control node placement across VPC subnets, set SNAT policies, configure network policies, and enable network event logging. This approach maintains the automated operational model of EKS Auto Mode while providing flexibility for network customization. +=== Configure networking with NodeClass + +The NodeClass resource in EKS Auto Mode allows you to customize certain aspects of the networking capability. Through NodeClass, you can specify security group selections, control node placement across VPC subnets, set SNAT policies, configure network policies, and enable network event logging. This approach maintains the automated operational model of EKS Auto Mode while providing flexibility for network customization. You can use a NodeClass to: From 86d354c94e31b0705f97e68fb6f0ce169241d822 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Tue, 21 Jan 2025 14:52:16 -0600 Subject: [PATCH 029/940] fixup --- latest/ug/automode/auto-networking.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/automode/auto-networking.adoc b/latest/ug/automode/auto-networking.adoc index 6bd91b0f3..a3279d9c6 100644 --- a/latest/ug/automode/auto-networking.adoc +++ b/latest/ug/automode/auto-networking.adoc @@ -19,7 +19,7 @@ When you use EKS Auto Mode, {aws} manages the VPC Container Network Interface (C {eam} has a new networking capability that handles node and pod networking. You can configure it by creating a `NodeClass` Kubernetes object. -Configuration options for the previous {aws} VPC CNI may not apply to {eam}. +Configuration options for the previous {aws} VPC CNI will not apply to {eam}. === Configure networking with NodeClass From e773c2607c23ccec6dcb57f469e6a5ade50e6455 Mon Sep 17 00:00:00 2001 From: Michael Chu Date: Tue, 21 Jan 2025 19:41:20 +0000 Subject: [PATCH 030/940] Update platform versions for local EKS clusters on Outposts SIM: https://i.amazon.com/awsdocs-45203 cr: https://code.amazon.com/reviews/CR-173343729 --- .../eks-outposts-platform-versions.adoc | 257 +++++++----------- 1 file changed, 91 insertions(+), 166 deletions(-) diff --git a/latest/ug/outposts/eks-outposts-platform-versions.adoc b/latest/ug/outposts/eks-outposts-platform-versions.adoc index 2211b5daf..2f0828e2b 100644 --- a/latest/ug/outposts/eks-outposts-platform-versions.adoc +++ b/latest/ug/outposts/eks-outposts-platform-versions.adoc @@ -8,7 +8,7 @@ include::../attributes.txt[] [abstract] -- -Learn the relationship between Amazon EKS and [.noloc]`Kubernetes` versions available on {aws} Outposts. +Learn the relationship between Amazon EKS and [.noloc]`Kubernetes` versions available on {aws} Outposts. -- Local cluster platform versions represent the capabilities of the Amazon EKS cluster on {aws} Outposts. The versions include the components that run on the [.noloc]`Kubernetes` control plane, which [.noloc]`Kubernetes` API server flags are enabled. They also include the current [.noloc]`Kubernetes` patch version. Each [.noloc]`Kubernetes` minor version has one or more associated platform versions. The platform versions for different [.noloc]`Kubernetes` minor versions are independent. The platform versions for local clusters and Amazon EKS clusters in the cloud are independent. @@ -20,7 +20,7 @@ When new local cluster platform versions become available for a minor version: * The platform version number is incremented (`eks-local-outposts.n+1`). -* Amazon EKS automatically updates all existing local clusters to the latest platform version for their corresponding [.noloc]`Kubernetes` minor version. Automatic updates of existing platform versions are rolled out incrementally. The roll-out process might take some time. If you need the latest platform version features immediately, we recommend that you create a new local cluster. +* Amazon EKS automatically updates all existing local clusters to the latest platform version for their corresponding [.noloc]`Kubernetes` minor version. Automatic updates of existing platform versions are rolled out incrementally. The roll-out process might take some time. If you need the latest platform version features immediately, we recommend that you create a new local cluster. * Amazon EKS might publish a new node AMI with a corresponding patch version. All patch versions are compatible between the [.noloc]`Kubernetes` control plane and node AMIs for a single [.noloc]`Kubernetes` minor version. New platform versions don't introduce breaking changes or cause service interruptions. @@ -41,10 +41,14 @@ The following admission controllers are enabled for all `1.30` platform versions |Release notes |Release date +|`1.30.7` +|`eks-local-outposts.2` +|New platform version with security fixes and enhancements. kube-proxy updated to `v1.30.7`. {aws} IAM Authenticator updated to `v0.6.28`. Amazon VPC CNI plugin for Kubernetes updated to `v1.19.0`. Updated [.noloc]`Bottlerocket` version to `v1.29.0`. +|January 10, 2025 |`1.30.5` |`eks-local-outposts.1` -|Initial release of Kubernetes version `v1.30`. for local Amazon EKS clusters on Outpost +|Initial release of Kubernetes version `v1.30` for local Amazon EKS clusters on Outposts. |November 13, 2024 |=== @@ -60,10 +64,29 @@ The following admission controllers are enabled for all `1.29` platform versions |Release notes |Release date +|`v1.29.11` +|`eks-local-outposts.12` +|New platform version with security fixes and enhancements. kube-proxy updated to `v1.29.11`. Amazon VPC CNI plugin for Kubernetes updated to `v1.19.0`. Updated CoreDNS image to `v1.11.3`. Updated [.noloc]`Bottlerocket` version to `v1.29.0`. +|January 10, 2025 + +|`1.29.9` +|`eks-local-outposts.4` +|New platform version with security fixes and enhancements. kube-proxy updated to `v1.29.9`. {aws} IAM Authenticator updated to `v0.6.26`. Updated [.noloc]`Bottlerocket` version to `v1.26.0`. +|November 8, 2024 + +|`1.29.6` +|`eks-local-outposts.3` +|New platform version with security fixes and enhancements. Updated [.noloc]`Bottlerocket` version to `v1.22.0`. +|October 22, 2024 + +|`1.29.6` +|`eks-local-outposts.2` +|New platform version with security fixes and enhancements. Updated [.noloc]`Bottlerocket` version to `v1.21.0`. +|August 27, 2024 |`1.29.6` |`eks-local-outposts.1` -|Initial release of Kubernetes version `v1.29`. for local Amazon EKS clusters on Outpost +|Initial release of Kubernetes version `v1.29` for local Amazon EKS clusters on Outposts. |August 20, 2024 |=== @@ -79,6 +102,35 @@ The following admission controllers are enabled for all `1.28` platform versions |Release notes |Release date +|`1.28.15` +|`eks-local-outposts.12` +|New platform version with security fixes and enhancements. kube-proxy updated to `v1.28.15`. Amazon VPC CNI plugin for Kubernetes updated to `v1.19.0`. Updated [.noloc]`Bottlerocket` version to `v1.29.0`. +|January 10, 2025 + +|`1.28.14` +|`eks-local-outposts.11` +|New platform version with security fixes and enhancements. kube-proxy updated to `v1.28.14`. {aws} IAM Authenticator updated to `v0.6.26`. Updated CoreDNS image to `v1.11.1`. Updated [.noloc]`Bottlerocket` version to `v1.26.0`. +|November 8, 2024 + +|`1.28.10` +|`eks-local-outposts.10` +|New platform version with security fixes and enhancements. Updated [.noloc]`Bottlerocket` version to `v1.22.0`. +|October 22, 2024 + +|`1.28.10` +|`eks-local-outposts.9` +|New platform version with security fixes and enhancements. Updated [.noloc]`Bottlerocket` version to `v1.21.0`. +|August 27, 2024 + +|`1.28.10` +|`eks-local-outposts.8` +|New platform version with security fixes and enhancements. +|July 30, 2024 + +|`1.28.10` +|`eks-local-outposts.6` +|New platform version with security fixes and enhancements. kube-proxy updated to `v1.28.10`. {aws} IAM Authenticator updated to `v0.6.20`. Updated [.noloc]`Bottlerocket` version to `v1.20.2`. +|June 19, 2024 |`1.28.6` |`eks-local-outposts.5` @@ -97,12 +149,12 @@ The following admission controllers are enabled for all `1.28` platform versions |`1.28.6` |`eks-local-outposts.2` -|New platform version with security fixes and enhancements kube-proxy updated to `v1.28.6`. {aws} IAM Authenticator updated to `v0.6.17`. Amazon VPC CNI plugin for Kubernetes downgraded to `v1.13.2` for compatibility reasons. Updated [.noloc]`Bottlerocket` version to `v1.19.2`. +|New platform version with security fixes and enhancements. kube-proxy updated to `v1.28.6`. {aws} IAM Authenticator updated to `v0.6.17`. Amazon VPC CNI plugin for Kubernetes downgraded to `v1.13.2` for compatibility reasons. Updated [.noloc]`Bottlerocket` version to `v1.19.2`. |March 8, 2024 |`1.28.1` |`eks-local-outposts.1` -|Initial release of Kubernetes version `v1.28`. for local Amazon EKS clusters on Outpost +|Initial release of Kubernetes version `v1.28` for local Amazon EKS clusters on Outposts. |October 4, 2023 |=== @@ -118,25 +170,54 @@ The following admission controllers are enabled for all `1.27` platform versions |Release notes |Release date +|`1.27.16` +|`eks-local-outposts.12` +|New platform version with security fixes and enhancements. Amazon VPC CNI plugin for Kubernetes updated to `v1.19.0`. Updated [.noloc]`Bottlerocket` version to `v1.29.0`. +|January 10, 2025 + +|`1.27.16` +|`eks-local-outposts.11` +|New platform version with security fixes and enhancements. kube-proxy updated to `v1.27.16`. {aws} IAM Authenticator updated to `v0.6.26`. Updated CoreDNS image to `v1.11.1`. Updated [.noloc]`Bottlerocket` version to `v1.26.0`. +|November 8, 2024 + +|`1.27.14` +|`eks-local-outposts.10` +|New platform version with security fixes and enhancements. Updated [.noloc]`Bottlerocket` version to `v1.22.0`. +|October 22, 2024 + +|`1.27.14` +|`eks-local-outposts.9` +|New platform version with security fixes and enhancements. Updated [.noloc]`Bottlerocket` version to `v1.21.0`. +|August 27, 2024 + +|`1.27.14` +|`eks-local-outposts.8` +|New platform version with security fixes and enhancements. +|July 30, 2024 + +|`1.27.14` +|`eks-local-outposts.6` +|New platform version with security fixes and enhancements. kube-proxy updated to `v1.27.14`. {aws} IAM Authenticator updated to `v0.6.20`. Updated [.noloc]`Bottlerocket` version to `v1.20.2`. +|June 19, 2024 |`1.27.10` |`eks-local-outposts.5` -|New platform with security fixes and enhancements. +|New platform version with security fixes and enhancements. |April 2, 2024 |`1.27.10` |`eks-local-outposts.4` -|New platform with security fixes and enhancements. kube-proxy updated to `v1.27.10`. {aws} IAM Authenticator updated to `v0.6.17`. Updated [.noloc]`Bottlerocket` version to `v1.19.2`. +|New platform version with security fixes and enhancements. kube-proxy updated to `v1.27.10`. {aws} IAM Authenticator updated to `v0.6.17`. Updated [.noloc]`Bottlerocket` version to `v1.19.2`. |March 22, 2024 |`1.27.3` |`eks-local-outposts.3` -|New platform version with security fixes and enhancements. `kube-proxy` updated to `v1.27.3`. Amazon VPC CNI plugin for Kubernetes updated to `v1.13.2`. +|New platform version with security fixes and enhancements. kube-proxy updated to `v1.27.3`. Amazon VPC CNI plugin for Kubernetes updated to `v1.13.2`. |July 14, 2023 |`1.27.1` |`eks-local-outposts.2` -|Updated CoreDNS image to `v1.10.1` +|Updated CoreDNS image to `v1.10.1`. |June 22, 2023 |`1.27.1` @@ -144,159 +225,3 @@ The following admission controllers are enabled for all `1.27` platform versions |Initial release of Kubernetes version `1.27` for local Amazon EKS clusters on Outposts. |May 30, 2023 |=== - -[[outposts-platform-versions-1.26,outposts-platform-versions-1.26.title]] -== [.noloc]`Kubernetes` version `1.26` - -The following admission controllers are enabled for all `1.26` platform versions: `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `DefaultStorageClass`, `DefaultTolerationSeconds`, `ExtendedResourceToleration`, `LimitRanger`, `MutatingAdmissionWebhook`, `NamespaceLifecycle`, `NodeRestriction`, `PersistentVolumeClaimResize`, `Priority`, `PodSecurity`, `ResourceQuota`, `RuntimeClass`, `ServiceAccount`, `StorageObjectInUseProtection`, `TaintNodesByCondition`, `ValidatingAdmissionPolicy`, and `ValidatingAdmissionWebhook`. - -[cols="1,1,1,1", options="header"] -|=== -|Kubernetes version -|Amazon EKS platform version -|Release notes -|Release date - - -|`1.26.13` -|`eks-local-outposts.5` -|New platform version with security fixes and enhancements. kube-proxy updated to `v1.26.13`. {aws} IAM Authenticator updated to `v0.6.17`. Updated [.noloc]`Bottlerocket` version to `v1.19.2`. -|March 22, 2024 -|=== - -[[outposts-platform-versions-1.25,outposts-platform-versions-1.25.title]] -== [.noloc]`Kubernetes` version `1.25` - -The following admission controllers are enabled for all `1.25` platform versions: `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `DefaultStorageClass`, `DefaultTolerationSeconds`, `ExtendedResourceToleration`, `LimitRanger`, `MutatingAdmissionWebhook`, `NamespaceLifecycle`, `NodeRestriction`, `PersistentVolumeClaimResize`, `Priority`, `PodSecurity`, `ResourceQuota`, `RuntimeClass`, `ServiceAccount`, `StorageObjectInUseProtection`, `TaintNodesByCondition`, and `ValidatingAdmissionWebhook`. - -[cols="1,1,1,1", options="header"] -|=== -|Kubernetes version -|Amazon EKS platform version -|Release notes -|Release date - - -|`1.25.16` -|`eks-local-outposts.7` -|New platform version with security fixes and enhancements. kube-proxy updated to `v1.25.16`. {aws} IAM Authenticator updated to `v0.6.17`. Updated [.noloc]`Bottlerocket` version to `v1.19.2`. -|March 22, 2024 - -|`1.25.11` -|`eks-local-outposts.6` -|New platform version with security fixes and enhancements. `kube-proxy` updated to `v1.25.11`. Amazon VPC CNI plugin for Kubernetes updated to `v1.13.2`. -|July 14, 2023 - -|`1.25.9` -|`eks-local-outposts.5` -|New platform version with security fixes and enhancements. -|July 13, 2023 - -|`1.25.6` -|`eks-local-outposts.4` -|Updated Bottlerocket version to `1.13.2` -|May 2, 2023 - -|`1.25.6` -|`eks-local-outposts.3` -|Amazon EKS control plane instance operating system updated to Bottlerocket version `v1.13.1` and Amazon VPC CNI plugin for Kubernetes updated to version `v1.12.6`. -|April 14, 2023 - -|`1.25.6` -|`eks-local-outposts.2` -|Improved diagnostics collection for Kubernetes control plane instances. -|March 8, 2023 - -|`1.25.6` -|`eks-local-outposts.1` -|Initial release of Kubernetes version `1.25` for local Amazon EKS clusters on Outposts. -|March 1, 2023 -|=== - -[[outposts-platform-versions-1.24,outposts-platform-versions-1.24.title]] -== [.noloc]`Kubernetes` version `1.24` - -The following admission controllers are enabled for all `1.24` platform versions: `DefaultStorageClass`, `DefaultTolerationSeconds`, `LimitRanger`, `MutatingAdmissionWebhook`, `NamespaceLifecycle`, `NodeRestriction`, `ResourceQuota`, `ServiceAccount`, `ValidatingAdmissionWebhook`, `PodSecurityPolicy`, `TaintNodesByCondition`, `StorageObjectInUseProtection`, `PersistentVolumeClaimResize`, `ExtendedResourceToleration`, `CertificateApproval`, `PodPriority`, `CertificateSigning`, `CertificateSubjectRestriction`, `RuntimeClass`, and `DefaultIngressClass`. - -[cols="1,1,1,1", options="header"] -|=== -|Kubernetes version -|Amazon EKS platform version -|Release notes -|Release date - - -|`1.24.17` -|`eks-local-outposts.7` -|New platform version with security fixes and enhancements. kube-proxy updated to `v1.25.16`. {aws} IAM Authenticator updated `v0.6.17`. Updated [.noloc]`Bottlerocket` version to `v1.19.2`. -|March 22, 2024 - -|`1.24.15` -|`eks-local-outposts.6` -|New platform version with security fixes and enhancements. `kube-proxy` updated to `v1.24.15`. Amazon VPC CNI plugin for Kubernetes updated to `v1.13.2`. -|July 14, 2023 - -|`1.24.13` -|`eks-local-outposts.5` -|New platform version with security fixes and enhancements. -|July 13, 2023 - -|`1.24.9` -|`eks-local-outposts.4` -|Updated Bottlerocket version to `1.13.2` -|May 2, 2023 - -|`1.24.9` -|`eks-local-outposts.3` -|Amazon EKS control plane instance operating system updated to Bottlerocket version `v1.13.1` and Amazon VPC CNI plugin for Kubernetes updated to version `v1.12.6`. -|April 14, 2023 - -|`1.24.9` -|`eks-local-outposts.2` -|Improved diagnostics collection for Kubernetes control plane instances. -|March 8, 2023 - -|`1.24.9` -|`eks-local-outposts.1` -|Initial release of Kubernetes version `1.24` for local Amazon EKS clusters on Outposts. -|January 17, 2023 -|=== - -[[outposts-platform-versions-1.23,outposts-platform-versions-1.23.title]] -== [.noloc]`Kubernetes` version `1.23` - -The following admission controllers are enabled for all `1.23` platform versions: `DefaultStorageClass`, `DefaultTolerationSeconds`, `LimitRanger`, `MutatingAdmissionWebhook`, `NamespaceLifecycle`, `NodeRestriction`, `ResourceQuota`, `ServiceAccount`, `ValidatingAdmissionWebhook`, `PodSecurityPolicy`, `TaintNodesByCondition`, `StorageObjectInUseProtection`, `PersistentVolumeClaimResize`, `ExtendedResourceToleration`, `CertificateApproval`, `PodPriority`, `CertificateSigning`, `CertificateSubjectRestriction`, `RuntimeClass`, and `DefaultIngressClass`. - -[cols="1,1,1,1", options="header"] -|=== -|Kubernetes version -|Amazon EKS platform version -|Release notes -|Release date - - -|`1.23.17` -|`eks-local-outposts.6` -|New platform version with security fixes and enhancements. -|July 13, 2023 - -|`1.23.17` -|`eks-local-outposts.5` -|New platform version with security fixes and enhancements. kube-proxy updated to `v1.23.17`. Updated [.noloc]`Bottlerocket` version to `v1.14.1`. -|July 6, 2023 - -|`1.23.15` -|`eks-local-outposts.4` -|Amazon EKS control plane instance operating system updated to Bottlerocket version `v1.13.1` and Amazon VPC CNI plugin for Kubernetes updated to version `v1.12.6`. -|April 14, 2023 - -|`1.23.15` -|`eks-local-outposts.3` -|Improved diagnostics collection for Kubernetes control plane instances. -|March 8, 2023 - -|`1.23.15` -|`eks-local-outposts.2` -|Initial release of Kubernetes version `1.23` for local Amazon EKS clusters on Outposts. -|January 17, 2023 -|=== From 03314e59c148b093137e6ebca2dd730121f4b2ad Mon Sep 17 00:00:00 2001 From: Steven <143614555+nisi0495@users.noreply.github.com> Date: Wed, 22 Jan 2025 09:24:59 +1100 Subject: [PATCH 031/940] Update efs-csi.adoc There was a typo on the documentation where Step 3 provided a Note stating that Fargate does not require the creation of the EFS CSI Driver where it should listed under Step 2 --- latest/ug/storage/efs-csi.adoc | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/latest/ug/storage/efs-csi.adoc b/latest/ug/storage/efs-csi.adoc index 50dcbd07d..63078bb66 100644 --- a/latest/ug/storage/efs-csi.adoc +++ b/latest/ug/storage/efs-csi.adoc @@ -179,13 +179,6 @@ aws iam attach-role-policy \ [[efs-install-driver,efs-install-driver.title]] == Step 2: Get the Amazon EFS CSI driver -We recommend that you install the Amazon EFS CSI driver through the Amazon EKS add-on. To add an Amazon EKS add-on to your cluster, see <>. For more information about add-ons, see <>. If you're unable to use the Amazon EKS add-on, we encourage you to submit an issue about why you can't to the https://github.com/aws/containers-roadmap/issues[Containers roadmap GitHub repository]. - -Alternatively, if you want a self-managed installation of the Amazon EFS CSI driver, see https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/README.md#installation[Installation] on [.noloc]`GitHub`. - -[[efs-create-filesystem,efs-create-filesystem.title]] -== Step 3: Create an Amazon EFS file system - [NOTE] ==== @@ -193,6 +186,13 @@ This step isn't needed for {aws} Fargate. A [.noloc]`Pod` running on Fargate aut ==== +We recommend that you install the Amazon EFS CSI driver through the Amazon EKS add-on. To add an Amazon EKS add-on to your cluster, see <>. For more information about add-ons, see <>. If you're unable to use the Amazon EKS add-on, we encourage you to submit an issue about why you can't to the https://github.com/aws/containers-roadmap/issues[Containers roadmap GitHub repository]. + +Alternatively, if you want a self-managed installation of the Amazon EFS CSI driver, see https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/README.md#installation[Installation] on [.noloc]`GitHub`. + +[[efs-create-filesystem,efs-create-filesystem.title]] +== Step 3: Create an Amazon EFS file system + To create an Amazon EFS file system, see https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/efs-create-filesystem.md[Create an Amazon EFS file system for Amazon EKS] on [.noloc]`GitHub`. [[efs-sample-app,efs-sample-app.title]] From 3aedb0ca8f48976d0859c5f58b0759156f87fc71 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Wed, 22 Jan 2025 11:47:38 -0600 Subject: [PATCH 032/940] disable style check --- .github/workflows/vale.yml | 21 +++------------------ 1 file changed, 3 insertions(+), 18 deletions(-) diff --git a/.github/workflows/vale.yml b/.github/workflows/vale.yml index ec3c4da5d..08ddd6b0e 100644 --- a/.github/workflows/vale.yml +++ b/.github/workflows/vale.yml @@ -1,4 +1,4 @@ -name: Style check +name: AWS Brand Checks on: pull_request: @@ -11,22 +11,7 @@ jobs: - name: Check out uses: actions/checkout@v3 - # For AsciiDoc users: - - name: Install Asciidoctor - run: sudo apt-get install -y asciidoctor - - - name: Vale Style Check - uses: errata-ai/vale-action@reviewdog - env: - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} - with: - fail_on_error: false - reporter: github-pr-check - filter_mode: added - files: latest/ug - continue-on-error: true - - - name: Enforce AWS Brand + - name: Enforce AWS Brand Attribute uses: errata-ai/vale-action@reviewdog env: GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} @@ -36,4 +21,4 @@ jobs: filter_mode: added files: latest/ug vale_flags: "--config brand.vale.ini" - continue-on-error: true \ No newline at end of file + continue-on-error: true From b94ef831118f83a5b464bf7c748754560952f553 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Wed, 22 Jan 2025 20:10:05 +0000 Subject: [PATCH 033/940] add new contribute chapter --- .github/workflows-backup/old-vale.yml.bak | 39 ++++++ latest/ug/clusters/zone-shift.adoc | 19 ++- latest/ug/contribute/asciidoc-syntax.adoc | 134 ++++++++++++++++++++ latest/ug/contribute/contribute.adoc | 25 +++- latest/ug/contribute/create-content-q.adoc | 49 +++++++ latest/ug/contribute/create-page.adoc | 35 +++++ latest/ug/contribute/edit-single-web.adoc | 59 +++++++++ latest/ug/contribute/edit-web.adoc | 31 +++++ latest/ug/contribute/images | 1 + latest/ug/contribute/insert-link.adoc | 34 +++++ latest/ug/contribute/pr-preview.adoc | 40 ++++++ latest/ug/contribute/pr-status.adoc | 75 +++++++++++ latest/ug/contribute/vale-github.adoc | 26 ++++ latest/ug/contribute/vale-local.adoc | 52 ++++++++ latest/ug/images/contribute-new-page.png | Bin 0 -> 578145 bytes latest/ug/images/contribute-pr.png | Bin 0 -> 757788 bytes latest/ug/images/contribute-preview.png | Bin 0 -> 800938 bytes latest/ug/images/contribute-q.png | Bin 0 -> 807135 bytes latest/ug/images/contribute-style-local.png | Bin 0 -> 832035 bytes latest/ug/images/contribute-style-web.png | Bin 0 -> 768315 bytes latest/ug/images/contribute-web-dev.png | Bin 0 -> 1018125 bytes latest/ug/images/contribute-web-edit.png | Bin 0 -> 801738 bytes vale/styles/EksDocs/ExternalDomains.yml | 4 + 23 files changed, 607 insertions(+), 16 deletions(-) create mode 100644 .github/workflows-backup/old-vale.yml.bak create mode 100644 latest/ug/contribute/asciidoc-syntax.adoc create mode 100644 latest/ug/contribute/create-content-q.adoc create mode 100644 latest/ug/contribute/create-page.adoc create mode 100644 latest/ug/contribute/edit-single-web.adoc create mode 100644 latest/ug/contribute/edit-web.adoc create mode 120000 latest/ug/contribute/images create mode 100644 latest/ug/contribute/insert-link.adoc create mode 100644 latest/ug/contribute/pr-preview.adoc create mode 100644 latest/ug/contribute/pr-status.adoc create mode 100644 latest/ug/contribute/vale-github.adoc create mode 100644 latest/ug/contribute/vale-local.adoc create mode 100644 latest/ug/images/contribute-new-page.png create mode 100644 latest/ug/images/contribute-pr.png create mode 100644 latest/ug/images/contribute-preview.png create mode 100644 latest/ug/images/contribute-q.png create mode 100644 latest/ug/images/contribute-style-local.png create mode 100644 latest/ug/images/contribute-style-web.png create mode 100644 latest/ug/images/contribute-web-dev.png create mode 100644 latest/ug/images/contribute-web-edit.png diff --git a/.github/workflows-backup/old-vale.yml.bak b/.github/workflows-backup/old-vale.yml.bak new file mode 100644 index 000000000..ec3c4da5d --- /dev/null +++ b/.github/workflows-backup/old-vale.yml.bak @@ -0,0 +1,39 @@ +name: Style check + +on: + pull_request: + workflow_dispatch: + +jobs: + style-job: + runs-on: ubuntu-latest + steps: + - name: Check out + uses: actions/checkout@v3 + + # For AsciiDoc users: + - name: Install Asciidoctor + run: sudo apt-get install -y asciidoctor + + - name: Vale Style Check + uses: errata-ai/vale-action@reviewdog + env: + GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} + with: + fail_on_error: false + reporter: github-pr-check + filter_mode: added + files: latest/ug + continue-on-error: true + + - name: Enforce AWS Brand + uses: errata-ai/vale-action@reviewdog + env: + GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} + with: + fail_on_error: true + reporter: github-pr-check + filter_mode: added + files: latest/ug + vale_flags: "--config brand.vale.ini" + continue-on-error: true \ No newline at end of file diff --git a/latest/ug/clusters/zone-shift.adoc b/latest/ug/clusters/zone-shift.adoc index 4153ff050..835602e64 100644 --- a/latest/ug/clusters/zone-shift.adoc +++ b/latest/ug/clusters/zone-shift.adoc @@ -5,7 +5,6 @@ :info_doctype: section :info_titleabbrev: Learn about Zonal Shift :aws: pass:q[[.shared]``AWS``] -:imagesdir: images/ //GDC: remove use of "failure" @@ -18,9 +17,9 @@ You can start a zonal shift for an EKS cluster, or you can allow {aws} to do it The following diagram illustrates two example workloads, Orders, and Products. The purpose of this example is to show how workloads and Pods in different AZs communicate. -image::zs-traffic-flow-before-1.png[Illustration of network traffic] +image::images/zs-traffic-flow-before-1.png[Illustration of network traffic] -image::zs-traffic-flow-before-2.png[Illustration of network traffic] +image::images/zs-traffic-flow-before-2.png[Illustration of network traffic] . For Orders to communicate with Products, it must first resolve the DNS name of the destination service. Orders will communicate with CoreDNS to fetch the virtual IP address (Cluster IP) for that Service. Once Orders resolves the Products service name, it sends traffic to that target IP. . The kube-proxy runs on every node in the cluster and continuously watches the https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/[EndpointSlices] for Services. When a Service is created, an EndpointSlice is created and managed in the background by the EndpointSlice controller. Each EndpointSlice has a list or table of endpoints containing a subset of Pod addresses along with the nodes that they're running on. The kube-proxy sets up routing rules for each of these Pod endpoints using `iptables` on the nodes. The kube-proxy is also responsible for a basic form of load balancing by redirecting traffic destined to a service's Cluster IP to instead be sent to a Pod's IP address directly. The kube-proxy does this by rewriting the destination IP on the outgoing connection. @@ -42,9 +41,9 @@ During an EKS zonal shift, the following will automatically take place: The diagrams below depicts a high level flow of how EKS zonal shift ensures that only healthy Pod endpoints are targeted in your cluster environment. -image::zs-traffic-flow-after-1.png[Illustration of network traffic] +image::images/zs-traffic-flow-after-1.png[Illustration of network traffic] -image::zs-traffic-flow-after-2.png[Illustration of network traffic] +image::images/zs-traffic-flow-after-2.png[Illustration of network traffic] == EKS Zonal Shift Requirements @@ -66,11 +65,11 @@ Ensuring that you have such a multi-AZ setup for your EKS environment will enhan The diagram below depicts a highly available EKS environment with 3 healthy AZs. -image::zs-ha-before-failure.png[Illustration of network] +image::images/zs-ha-before-failure.png[Illustration of network] The diagram below depicts how an EKS environment with 3 AZs is resilient to an AZ impairment and remains highly available because of the 2 other healthy AZs. -image::zs-ha-after-failure.png[Illustration of network] +image::images/zs-ha-after-failure.png[Illustration of network] === Provision Enough Compute Capacity to Withstand Removal of a Single AZ @@ -89,12 +88,12 @@ Kubernetes allows you to pre-scale your workloads by running multiple instances The diagram below depicts an EKS environment with east-to-west traffic flow when all AZs are healthy. -image::zs-spread-constraints.png[Illustration of network] +image::images/zs-spread-constraints.png[Illustration of network] The diagram below depicts an EKS environment with east-to-west traffic flow when a single AZ fails, and you initiate a zonal shift. -image::zs-spread-constraints-2.png[Illustration of network] +image::images/zs-spread-constraints-2.png[Illustration of network] The code snippet below is an example of how to setup your workload with this Kubernetes feature. @@ -216,7 +215,7 @@ metadata: The diagram below depicts pods that have been co-located on the same node using pod affinity rules. -image::zs-pod-affinity-rule.png[Illustration of network] +image::images/zs-pod-affinity-rule.png[Illustration of network] === Test That Your Cluster Environment Can Handle The Loss of an AZ diff --git a/latest/ug/contribute/asciidoc-syntax.adoc b/latest/ug/contribute/asciidoc-syntax.adoc new file mode 100644 index 000000000..734045db4 --- /dev/null +++ b/latest/ug/contribute/asciidoc-syntax.adoc @@ -0,0 +1,134 @@ +[.topic] +[#asciidoc-syntax] += AsciiDoc Syntax Reference +:info_titleabbrev: AsciiDoc Syntax + +This page is a quick overview of AsciiDoc syntax. + +We suggest using AsciiDoc syntax. The AsciiDoc tooling has partial support for Markdown syntax, including headings and lists. + +For advanced syntax, review the https://docs.asciidoctor.org/asciidoc/latest/[AsciiDoc Website]. + +It's important to get the link syntax right for the {aws} docs. Review how to <>. You cannot use Markdown syntax for links. + + +== Basic Formatting + +[source,asciidoc] +---- +*bold text* +_italic text_ +`monospace text` +---- + +== Headers + +[source,asciidoc] +---- += Document Title (Header 1) +== Header 2 +=== Header 3 +==== Header 4 +===== Header 5 +====== Header 6 +---- + +== Lists + +Unordered Lists: + +[source,asciidoc] +---- +- Item 1 +- Item 2 +-- Subitem 2.1 +-- Subitem 2.2 +- Item 3 +---- + +Ordered Lists: + +[source,asciidoc] +---- +. First item +. Second item +.. Subitem 2.1 +.. Subitem 2.2 +. Third item +---- + +== Links + +[source,asciidoc] +---- +External link: https://example.com[Link text] +Internal link: <> +Internal link: xref:page-id[Link text] +---- + +== Images + +[source,asciidoc] +---- +image::image-file.jpg[Alt text] +---- + +== Code Blocks + +[source,asciidoc] +---- + [source,python] + ---- + def hello_world(): + print("Hello, World!") + ---- +---- + +== Tables + +https://docs.asciidoctor.org/asciidoc/latest/tables/build-a-basic-table/[Learn how to build a basic table.] + +[source,asciidoc] +---- +[cols="1,1"] +|=== +|Cell in column 1, row 1 +|Cell in column 2, row 1 + +|Cell in column 1, row 2 +|Cell in column 2, row 2 + +|Cell in column 1, row 3 +|Cell in column 2, row 3 +|=== +---- + +== Admonitions + +[source,asciidoc] +---- +NOTE: This is a note admonition. + +WARNING: This is a warning admonition. + +TIP: This is a tip admonition. + +IMPORTANT: This is an important admonition. + +CAUTION: This is a caution admonition. +---- + +Preview: + +NOTE: This is a note admonition. + + +== Includes + +[source,asciidoc] +---- + include::filename.adoc[] +---- + + + diff --git a/latest/ug/contribute/contribute.adoc b/latest/ug/contribute/contribute.adoc index 048684b19..732625f41 100644 --- a/latest/ug/contribute/contribute.adoc +++ b/latest/ug/contribute/contribute.adoc @@ -19,11 +19,24 @@ You can now edit the EKS Docs directly on GitHub. Our streamlined process includ We look forward to your contributions. -*To edit a single page from a web browser* +include::edit-single-web.adoc[leveloffset=+1] + +include::edit-web.adoc[leveloffset=+1] + +//include::vale-github.adoc[leveloffset=+1] + +include::vale-local.adoc[leveloffset=+1] + +include::create-page.adoc[leveloffset=+1] + +include::insert-link.adoc[leveloffset=+1] + +include::create-content-q.adoc[leveloffset=+1] + +include::pr-preview.adoc[leveloffset=+1] + +include::asciidoc-syntax.adoc[leveloffset=+1] + +//include::pr-status.adoc[leveloffset=+1] -. Navigate to the page in the EKS User Guide -. Select *Edit this page on GitHub* in the right sidebar -. Open the GitHub editor: press `e` or select *Edit in Place* from the pencil icon dropdown menu -. Make your edits, and then select *Commit changes...* -** Confirm your email and include a short description of the changes diff --git a/latest/ug/contribute/create-content-q.adoc b/latest/ug/contribute/create-content-q.adoc new file mode 100644 index 000000000..511d5aea2 --- /dev/null +++ b/latest/ug/contribute/create-content-q.adoc @@ -0,0 +1,49 @@ +[.topic] +[#create-content-q] += Create docs content with Amazon Q +:info_titleabbrev: Create with Amazon Q + +You can use Amazon Q to create and revise docs content. This is an easy way to get started on a new page. Amazon Q is available as an extension to Visual Studio (VS) Code. + +In the following image, Amazon Q generated the lines marked with green. + +image::images/contribute-q.png["Amazon Q in VS Code"] + +== Install Amazon Q with VS Code + +1. Open VS Code +2. Go to the Extensions view (Ctrl+Shift+X or Cmd+Shift+X) +3. Search for "Amazon Q" +4. Click Install on the Amazon Q extension +5. Wait for installation to complete +6. Restart VS Code when prompted + +== Login to Amazon Q + +1. After installing, click the Amazon Q icon in the VS Code activity bar +2. Click "Sign in to Amazon Q" +3. Enter your {aws} credentials when prompted +4. Once authenticated, you'll see the Amazon Q chat interface + +== Use Amazon Q to create content + +1. Open the file you want to edit in VS Code +2. Select the text you want to revise or the location for new content +3. Press *Ctrl+I* or *Cmd+I* +4. In the prompt, be specific about: + * The type of content you need + * The target audience + * Key points to cover + * Desired tone and style +5. Review the generated content in the inline preview +6. Use *enter* to accept the changes, or *esc* to reject them. +7. Edit further as needed + +== Tips + +* Start with a simple request and iterate to get the content you want. +* Create a first draft of the page headings, then ask Q to fill them in. +* Amazon Q might output Markdown. This is fine. The AsciiDoc tooling can understand most markdown syntax. + +To learn more about Amazon Q Developer, see link:amazonq/latest/qdeveloper-ug/q-in-IDE.html["Using Amazon Q Developer in the IDE",type="documentation"]. + diff --git a/latest/ug/contribute/create-page.adoc b/latest/ug/contribute/create-page.adoc new file mode 100644 index 000000000..02eaf81cf --- /dev/null +++ b/latest/ug/contribute/create-page.adoc @@ -0,0 +1,35 @@ +[.topic] +[#create-page] += Create a new page +:info_titleabbrev: Create page + + +Learn how to create a new docs page. This topic includes instructions for creating the initial page metadata, and adding the page to the guide table of contents. + +== Create page + +. Navigate to the chapter directory. For example, if you want to create a new page in the "Security" section, navigate to the `latest/ug/security` directory. +. Determine the page ID. By convention, the page ID is all lowercase and segmented with `-`. The ID of this page is `create-page`. +. Create a new file with the page ID and the `adoc` extension. For example, `create-page.adoc`. +. Insert the page metadata using this template: + +image::images/contribute-new-page.png["New page metadata"] + + +== Add page to navigation + +. Navigate to the parent page. The parent page of top level sections is `book.adoc`. +. At the bottom of the parent page, include the child page. ++ +[source] +==== ++++include::${filename}[leveloffset=+1]+++ +==== ++ +_For example:_ ++ +[source] +==== ++++include::create-page.adoc[leveloffset=+1]+++ +==== + diff --git a/latest/ug/contribute/edit-single-web.adoc b/latest/ug/contribute/edit-single-web.adoc new file mode 100644 index 000000000..4b9c7dfb9 --- /dev/null +++ b/latest/ug/contribute/edit-single-web.adoc @@ -0,0 +1,59 @@ +[.topic] +[#edit-single-web] += Edit a single page from a web browser +:info_titleabbrev: Edit single page + +You can easily edit a single page in the EKS User Guide directly through your web browser. + +image::images/contribute-web-edit.png["View of GitHub web edit interface"] + +If you want to edit multiple pages from your web browser, see <>. + +== Prerequisites + +* Docs page to change opened in web browser +* Signed into GitHub + +== Procedure + +. Navigate to the page you want to edit in the EKS User Guide documentation + +. Look for the *Edit this page on GitHub* button located in the right sidebar of the page + +. Once on GitHub, open the editor by either: +** Pressing the `e` key on your keyboard +** Clicking the pencil icon and selecting *Edit in Place* from the dropdown menu +** If you don't have the option to edit, you need to login to GitHub. Your GitHub account does not need any special permissions to suggest changes. However, internal Amazon contributors should link their GitHub profile. + +. Make your required changes to the content in the GitHub editor +** The editor provides syntax highlighting and preview capabilities +** You can use AsciiDoc markup to format your changes +** You can use `ctrl-f` to open a find/replace interface. + +. (Optional) Preview your changes. +** Use the `preview` tab to preview your changes with rich formatting. +** Use the `show diff` option to highlight changed sections. Removed sections have a red indicator in the left margin. New sections have a green indicator in the left margin. + +. When finished editing, click the *Commit changes...* button at the top of the editor + +. In the commit dialog: +** Verify your email address is correct +** Add a brief but descriptive commit message explaining your changes +** Optionally add a longer description if needed +** Select to create a new branch and pull request + +You have created a pull request including the proposed changes. + +== Pull Request Overview + +When you create a PR: + +* Your changes are submitted for review by repository maintainers +* Reviewers can comment on your changes and request modifications +* Automated tests may run to validate your changes +* Once approved, your changes can be merged into the main repository + +Pull requests help ensure quality and provide a way to discuss changes before they are integrated. + +https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews[Learn how pull requests are reviewed and approved in the GitHub Docs.] + diff --git a/latest/ug/contribute/edit-web.adoc b/latest/ug/contribute/edit-web.adoc new file mode 100644 index 000000000..a2b541df1 --- /dev/null +++ b/latest/ug/contribute/edit-web.adoc @@ -0,0 +1,31 @@ +[.topic] +[#edit-web] += Edit multiple files from a web browser with the GitHub Web Editor +:info_titleabbrev: Edit files with GitHub + +If you want to propose change to multiple pages, or create a new docs page, use the GitHub.dev web editor. This web editor is based on the popular Visual Studio Code text editor. + +image::images/contribute-web-dev.png["GitHub.dev web editor user interface] + +== Prerequisites + +* Logged in to GitHub +* Familiarity with Visual Studio Code editor +* Familiarity with Git + +== Procedure + +NOTE: The EKS Docs team has created a workspace file that includes suggested configurations for the editor, such as text wrapping and AsciiDoc syntax highlighting. We suggest you load this workspace file. + +. Open the https://github.dev/awsdocs/amazon-eks-user-guide/blob/mainline/eks-docs.code-workspace?workspace=true[workspace] on GitHub.dev +** You can bookmark the URL `https://github.dev/awsdocs/amazon-eks-user-guide/blob/mainline/eks-docs.code-workspace?workspace=true` +. (First time setup only) You may be prompted to create a fork of the repo in your own GitHub account. Accept this prompt. For more information, see https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/about-forks[About forks] in the GitHub docs. +. (First time setup only) Accept the prompt in the bottom right to install the AsciiDoc extension. +. Navigate to the docs content at `latest/ug` +** Docs files are organized by their top level section. For example, pages in the "Security" chapter have source files under the "security/" directory. +. To view a preview of a docs page, use the *Open preview to the Side* button in the top right. The icon includes a small magnifying glass. +. Use the *Source Control* tab in the left to commit your changes. For more information, see the Visual Studio Code docs: +** https://code.visualstudio.com/docs/sourcecontrol/overview#_commit[Commit changes] +** https://code.visualstudio.com/docs/sourcecontrol/github#_creating-pull-requests[Create a pull request] + +After you create a pull request, it will be reviewed by the docs team. diff --git a/latest/ug/contribute/images b/latest/ug/contribute/images new file mode 120000 index 000000000..5e6757319 --- /dev/null +++ b/latest/ug/contribute/images @@ -0,0 +1 @@ +../images \ No newline at end of file diff --git a/latest/ug/contribute/insert-link.adoc b/latest/ug/contribute/insert-link.adoc new file mode 100644 index 000000000..34330d6c0 --- /dev/null +++ b/latest/ug/contribute/insert-link.adoc @@ -0,0 +1,34 @@ +[.topic] +[#insert-link] += Insert a link +:info_titleabbrev: Insert link + +AsciiDoc supports multiple types of links. Using the right link type is important so the link works properly in different environments. + +== Link to a page or section in the EKS User Guide + +Use cross references (xref) to link between pages/sections within the same documentation site, such as the EKS User Guide. They automatically update if the target section moves or is renamed. + +=== Define custom link text + +`xref` `:section-id[${link-text}]` + +=== Use page title as link text + +Use the section ID surrounded by angle brackets. For example `<<` `page-id>>`. + +== Link to another page in the {aws} Docs + +. Find the link to the {aws} Docs page +. Remove the `https://docs.aws.amazon.com/` prefix, keeping only the path. The path should start with an a-z character. +. Create a link as shown below + +`link` `:AmazonS3/latest/userguide/create-bucket-overview.html["Create a bucket", type="documentation"]` + +== Link out to the internet + +This format creates a standard link out to the internet. Use this for Non-Amazon content or content on GitHub. + +`link` `:https://example.com[Visit Example Site]` + +NOTE: We allowlist external domains. The allowlist is at `vale/styles/EksDocs/ExternalDomains.yml` diff --git a/latest/ug/contribute/pr-preview.adoc b/latest/ug/contribute/pr-preview.adoc new file mode 100644 index 000000000..e4fcf6b68 --- /dev/null +++ b/latest/ug/contribute/pr-preview.adoc @@ -0,0 +1,40 @@ +[.topic] +[#pr-preview] += View a preview of pull request content +:info_titleabbrev: View PR Preview + +The EKS User Guide GitHub is configured to build and generate a preview of the docs site. This preview doesn't have the full {aws} theme, but it does check the content builds properly and links work. + +image::images/contribute-preview.png["GitHub comment with preview URL"] + +This preview is hosted at a temporary URL by {aws} Amplify. + +== View Preview + +When you submit a pull request, {aws} Amplify attempts to build and deploy a preview of the content. + +If the build succeeds, *aws-amplify-us-east-1* comments the preview link on the pull request. + +If the build fails, the repo admins can see the logs and provide feedback. + +NOTE: If you haven't contributed before, a project maintainer may need to approve running the build. + +== Preview limitations + +The preview is built as a single large HTML file. It will be displayed as multiple pages when published. + +*What works:* + +* Cross references (`xref`) +* Links to the internet +* Images +* Content hosted from `samples/` + +*What doesn't work:* + +* Links to other {aws} content, links with `type="documentation"`. +** This content doesn't exist in the preview environment. +* The variable `aws` will not display properly. The value of this changes based on the environment. + + + diff --git a/latest/ug/contribute/pr-status.adoc b/latest/ug/contribute/pr-status.adoc new file mode 100644 index 000000000..fc0740c1e --- /dev/null +++ b/latest/ug/contribute/pr-status.adoc @@ -0,0 +1,75 @@ +[.topic] +[#pr-status] += View the status of your GitHub Pull Request (PR) +:info_titleabbrev: View PR Status + +After you create a pull request, you can track it's status. Pull requests have three important statuses: merged, closed, and changes requested. + +If a pull request is merged, the changes were accepted. It may take a few hours for the website to update. If the PR was closed, please understand we appreciate the contribution but could not approve the changes. For example, we may have been unable to replicate the problem. If a pull request has changes requested, review the feedback and update the pull request. + +include::images/contribute-pr.png["View PR feedback"] + +== View the pull requests you created +To view pull requests you created: + +. Go to the GitHub repository +. Click the "Pull requests" tab +. Select *Filters* and then *Your pull requests* +. Review the list of your open pull requests + +== View pull requests assigned to you +To view pull requests assigned to you for review: + +. Go to the GitHub repository +. Click the "Pull requests" tab +. Select *filters* and then *assigned to you* +. Review the list of pull requests awaiting your review + +== Review a pull request + +Learn how to https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request[review a pull request] in the GitHub Docs. + +== Make further changes on a pull request + +If changes are requested on a pull request, you can make further changes in the pull request. + +{aws} suggests using the GitHub.dev web editor to make further changes to a pull request. This supports viewing PR comments inside the text editor. + +=== Make further changes with a web browser + +. Use the `.` (period) key to open the pull request in the GitHub web editor +. Review the comments and make changes in the text editor. You can mark comments as resolved from within the editor. +. Use the *source control* menu in the left sidebar to commit the changes, which updates the PR. + +=== Make further changes locally + +Use the GitHub CLI to pull the changes locally. + +==== Setup GitHub CLI + +. Install the GitHub CLI if you haven't already: + * For macOS: `brew install gh` + * For Windows: `winget install GitHub.cli` + * For Linux: Follow instructions at https://github.com/cli/cli#installation + +. Authenticate with GitHub: + * Run `gh auth login` + * Follow the prompts to complete authentication + +==== Checkout pull request + +. Check out the pull request branch: + * Run `gh pr checkout ` + * Replace with your pull request number + * The pull request number is visible at the top of the PR + * This creates a local branch with the PR changes + +. Make your changes locally using your preferred text editor + +. Commit and push your changes: + * Stage changes: `git add .` + * Commit changes: `git commit -m "your commit message"` + * Push to GitHub: `git push` + +The pull request will automatically update with your new changes. + diff --git a/latest/ug/contribute/vale-github.adoc b/latest/ug/contribute/vale-github.adoc new file mode 100644 index 000000000..041f71fe8 --- /dev/null +++ b/latest/ug/contribute/vale-github.adoc @@ -0,0 +1,26 @@ +[.topic] +[#vale-github] += View style feedback online for a pull request +:info_titleabbrev: View PR feedback + +When you create a pull request to propose docs changes, multiple GitHub actions run. This includes a style check using Vale. + +image::images/contribute-style-web.png["View style feedback on GitHub"] + +The style check: + +* Returns an error if the string "AWS" is used instead of the variable `{aws}` +** Pull requests cannot be merged until this is resolved. +* Adds style comments to the pull request. + +== View style feedback + +. Open your Pull Request +** https://github.com/awsdocs/amazon-eks-user-guide/pulls[View a list of open pull requests] +. Select the *Files changed* tab +. Feedback from Vale is visible as line comments, that start with `[vale]`. +** Use the style feedback to identify typos, spelling errors, and awkward phrasing. + +When you update a pull request, the Vale check runs again. + +Learn how to https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request#making-changes-to-files-in-your-pull-request[Make changes to files in your pull request] in the GitHub docs. \ No newline at end of file diff --git a/latest/ug/contribute/vale-local.adoc b/latest/ug/contribute/vale-local.adoc new file mode 100644 index 000000000..e7f7a39f8 --- /dev/null +++ b/latest/ug/contribute/vale-local.adoc @@ -0,0 +1,52 @@ +[.topic] +[#vale-local] += View style feedback as you type by installing Vale locally +:info_titleabbrev: View style feedback + +You can see style feedback as you type. This helps identify awkward writing and typos. + +image::images/contribute-style-local.png["View style feedback in VS Code] + +*Overview:* + +* The Vale CLI loads style guides and runs them against source files. +* The EKS Docs repo includes a vale configuration file that loads style guides and local rules. +* The Vale extension for Visual Studio (VS) Code displays vale feedback inside the editor. + +== Install Vale + +Follow the instructions in the Vale CLI docs to https://vale.sh/docs/install#package-managers[Install Vale with a Package Manager]. + +== Install VS Code Vale extension + +. Open VS Code +. Click the Extensions icon in the Activity Bar (or press Ctrl+Shift+X) +. Search for "Vale" +. Click Install on the "Vale VSCode" extension by Chris Chinchilla +. Reload VS Code when prompted + +== Sync Vale + +Vale uses the `.vale.ini` configuration file in your project root to determine which style rules to apply. + +. Open VS Code +. Click *View* > *Terminal* (or press Ctrl+`) +. Navigate to your project root directory if needed +. Run the command: ++ +[source,bash] +---- +vale sync +---- +. Wait for Vale to finish downloading and syncing style rules + +== View style feedback in VS Code + +. Open a Markdown or AsciiDoc file in VS Code +. The Vale extension will automatically check your text against the style rules +. Style issues will be underlined in the editor +. Hover over underlined text to see the specific style suggestion +. Fix issues by following the suggestions or consulting the style guide + + + diff --git a/latest/ug/images/contribute-new-page.png b/latest/ug/images/contribute-new-page.png new file mode 100644 index 0000000000000000000000000000000000000000..e33c33520a5f934f42ff24371d525d58df114304 GIT binary patch literal 578145 zcmeFZc|26_`v*)aN;PS*B!(6wOepIxl}ZaKDio%yDNC|vIc*|DA(CZMA{DY^$udgz zWo+3Q*+vXwW|%SCInNn=KELnx^*pcV^?IJ?ujh}SyO}w2&bjY%?(5vwb-l0mbxlt% zoHyRQao0ux0fEhDPM71*P(SrV3kC0@Hs;x$`11CX zT%^p_f*Y3NbqiO;MU@ZE*?-TglwLDam>*0DCZ@4Sco#6JJz3wIwC1QM>D+tW4+;Y1 zacFCkFPPgl<{D8w8@AqGbL9FKGHXqF!uFjzx4hY$3VBdGj(gth+nsO~B18FE`*$?0 z6Og;OHG9Lb93O8YB{0VjvFO4XZGwkC&zfyuc+-`xOKdI>(Ei8j)H9t;XLP< z;)LgG*GI2|L+jfJhwQ#qb{`^oo~bLJvRm`eLYt3NQa1rZYGK=7m<22x8@w;E zU-@N4^ySCuiaXZtKW-AHBZp1hDp;`orx=ag|0NWc@X*BL=lxg{v3IR?YwVLxZzJb- zHJt5sI;PG8^}VNr${iFn>MA2bgO8vz)lOVKNPc>sD1m8RHz$5ZhbpAEhgG)tz~=GW z`$sP?=veQ28he>qmVTIkIpvG;P;7fT%WUAC)ct;Tbkn#_U?{n!iWPY0?#CtS9#^|d zsmkXo(NV}x2$!Ipz{pgmA;ipx|V`AbGdnwu<{lZYVjS{llBo?J8 zrW12rS6{bc%^Mrw60TIcGh}Y#4>wkO8zdt@nW(C&GOqT{Xb|itZNY2^$9rqJl@)&w zyaRqYD&J!1RYp5{AG<{_n6vai-Dbq?x?y|G<^Vy=R*~b!_C*MtxxOdbaC^JA)T@oo z4+GzbB;236zFA2)rRK_ob$*X{Z)6WYh#ylaTbp-ZdQ2_VKxS;+%z8?V%i3e7MK<4% zV@GVTf7-vdT|}CCY|V>1`_`X1ZvJA^iHAzhlN*CG*IGYK*n92yEl1>CN!_P5M+cwl zHyUMb4}2DUT>X;FuVc?H9Q4`Od`kDGRVR+!XvKU>lj3@p4A3c#FYPyW^g3 z=4V8Ug@s=2s{d)CE*$;LtKhVX)VT)7ez(t(2kVpzu6`CXB;B^s?+pw2`BX>9<@c65 z>%+&WWdgW|g!-hhseqk!;kf$z-w3J)SNg%JL;L!-qc@;`=p0{vLpdYj!rA`wIwy35 zi0`-j(BJc-ao^SLBfl$NooL|Lk+#Ym#Uz}l6`lM;(KI)mk%spLt zU20ukU6;*;{|H$>b35**Ap9b}Y1>`-@`TFx;OO9&+-Pp{+cO230p@!S9B=k%)@ar` zyLU?C{UciP$CF>P?paKHu`Pu8&uajSgUoC!Z<(_vndC=}F{TAYv z;m6ybhH|`rS@i6jJ@?E11MUL;9r)zbJL^vF&8A}Xp!wA!^E>7R=O3*%s=fFqTfXPj zyNekYv%M})>`yyhn&~~W{m;53bG9Jc>0Xk;$?mi9pPKqobFDK1t>}r)vEoLz6Ru=l z$?M&gn|4*AIQ@2fac;5D*RVm+;?i5VuF%#R$>~jMMm4Vp{q;JvGad4?R&$F!g+6C} z{N{>hedcb>eVb93Ip3YzVeoON{pYJICbF90<`j2it%2_YHxn0s{bDz}05t~Dm0W08d zywuw#eoxe&Xl^RqRU*ldl#*U2edbxORGP-DhVw3tl#5ipmZ9^o>yJZJb+MGsTDl%I z;d4oKH>SQcTV-31WIf4}&)V3nnw6V{Yx~?b-nOxg@oGdn`*l%UcbjF3c8dSCS60zq zU%6g%pr-7vi*rwQE$^kJP6Zvj{prM~uq(?~2)WCj1AEu?9_eMe-PEeqvT##&&l}q2 zK2S1HBJGynpW&D1m+ZIGFKPZ_kakc3Z#}0(?6H{a-hF$Ojfd}E@E_Be)bG(j`#9=7 z(HGb2)vw;|s;&_@8To>AD%AU~Z?o6nw2yxR<3q>Auy?zRtNcp5#dR!out-yBnZx(m zXP$KC+mLNfs7c#;RA|^Vd{gsr_v6h@FDQ6_@}2W3y<_H!rG!T1*2dVQZs3@50V_eR z)SI-GnLpFXq;eu1g%Zwp%TKc-G+4!oJsZ%PE+|dbCI&_MS0Gvxf4LNyRpjTOh^1Z3 z7r1gjI%ku6GFZf@?`5{*zn1aEZ|PY}Db zy+?+;3%z&cgoyk;6~~i}s_9~8HJ_$^!@q^MZ#0m}k`Jik*s7MVZt4GZnHHOn5(HCoO3~T>-9h-QU*Pe82i#Gy`|% z>lcej)vE{YB`%~@Yw!Y}_}71oZZ{#ecD1UhTiU3FzT6r2^}t++pCcoNJevA5)u4QG zxM#R_oBNrP$tA~$rf!AOGxP6Hb}zu1*$Mb8;JR)({_N;d9`@GAa-BF^b+g2_G9;|PuspKhbW$r=7XKfpN z0FSfz$7V}yw)^K1$Ko8v?rd1UN=w&z=6ovts4{YP_%(j{Psw9dd)$l>ppjSa>84s%>s{r!35r1!> zADk8<3w;$Rhr3?=j7v%OiaD^gMm*rvC1GW#yfps2ySrd-Y$Nq$tPC%G&xx z-*fw3FgmfWA?W;RGoQ3p9adSOIeo-p;=C1!b zf_21x#!vd?d4Q-%ii+6om)W;E&msDaboyp zg%m(%9jFyDDc%M zc5WeHf6y<^y(Vd%w*Kh1O814Qvw@3h%n=f^4!MN66ygY=nFpxdMFb1{^Xi011`r+0;}(8QvBVSSz?oU>&?A2)_&krT=I9 zl%SG;(CYp*0s`T#0&qaGdd_+HlmGV|e)0SK{S=COA|MQZ+XlY^-mLle?2Q6%g#O)L z9|Io~IA&pV<_!F4;c(Z<$;11mr_aX6Nh$D-4R=mkdkYAN@8`b+&zSF9gval9y=3KM zWon}5;OVY*!_m{;NiD$r4u2d0bbubb>F(rnLoUGG&BI$Sz+lhn8G7(Ge>ZB6-0CSl zw+;4KnO=}H^1SOLr=@mC?a&^>jdF5w=(~>2dgdoi{nH)(X0Yd`kIx-F6w2SpRO85v=04u*Z(^7f9`tO+v%>6r#pO6AH)AVuzx!L z_rZTUqEY<0|CcQO3VL-fENR1yXw?5aHN%a$`ClKx4|2Eb3A0P^C%nw~e?rFao6_G; zczbPrT*kSN*98QQ3Y{5Urx$0W9^MEhWaN6TQDDt)k@A{Dn`%*FdwwF;bN5ImY}E}_cawV&hu-isPU6`82S4rC2)%FSRsypMScpz2spb#7JPC{)C_dK))r z8*+DB*in(k|NHNMCGfuz`2QpU^lOpIh0avJqAd@uJ*t^&FzGkTA35MjCtA&pcxEle zxkS5TW@m)H*Y1TTeN|Y_L#>J!?ysE|%LjP3A=7Ke3_0<Gm z+FcXNy~xeTd-c(*4q1onzVaLeD#5MhlQ=Mj3RsfpzA|&}r)x=DFx8kE{>}cQ;Z9%& zU~=tP^~yWA3FTkqKERK4Vok1Ppv1BVwCMa%W+QXhm*8R5-Pf_kW8sFVoMlnNC391G zn;vY{*(E6S;+_6a$u)=#58RLbJiO^mr^9YR!ltaG@dFnT1L2hpyMiw&wpINu(~}SK=dW-?ve=Eq?2RGLU!~6r!OVZ@GK&iGJ1Y@p&|?S z%kQS9(iA|$^glD=?1w5ABtpdjvirJ#57L8it9KMzm8Rop7KQn;I|S%)et42VmzG$n9&=|!)FP_-5*i(3G zi!yq8-4CJ7%O$^4bHfSMlfNG*#0sXnH)oinOkBmwq)^9Rc*dAsqcJH$(Qlq!T*-eG z@$B9yUEUDopqDF@%l=_jaMUtDiBR=*M-j&Vkbo$&|ECg1NF&H?*ku4m_5@u#Ek`5< zZ5YukGDSAq^;+G{@e?DHP2j`R3`-)}umzfgCmd8UTiuapuh~ih7&@lJJ*T!S&MKIJ z!Y61L7Va{lSQD0#C+JVH9F|~j^NV6};i3NgI~4TrG^h<#%s%i_fKs3~Xn_~WIgb6| zp^k$_CJu*uk~B^Ikb-7mw+04tDc@d)KB+mf=gqP5Q(~KWulBx~xRE@Zm))8>dnU0{ zo2J9IOfnYMg6h_zV>IdX>FU7xv*4N^GTXGNC8Kv&vVnO#*^HqL#Y3v_a=VH#6w^MV zIh`8laDJs#0v518c!xwLxTkBo6%4c9(Tz#5?Z`BY9^eDca6920;Vvo;CtEDE8-u1F z5`szj?btN@ux=Xui|EWFlIaV$QxV;TL}~~lJ;OW3?H1P|6RkeUr=wjlt>{=-HDVNGE>$`(8!!A zzx(P<5g@~4P(pea-<#Hyi%3SyDmjL-&pYc$(GL%p85`YMe=#e+lGb@@^d4v6{H)}n z0&)i83i<-Dm2yjxHf~EYyp&2FQ7BH!gUW3XVJ*+VVyJ z)zgf!rw;5s&>N9~8o>GXm0|ml)2?2`ve=(7cNs3RFLjfJ-Rq#n zkO{**zKHKBJi)LEueF-8r-y%DBr9bD{u3oatB}@Sd{|?`pJ_LqfeR9` zZ36HA2*tNn8C7xWL-zTtY87cAq&D=ywCr7YZl_0#77g8w!#mL}!zznCzS zr-M9icCYpNor9&pj0Z&YffLxLevNto0lNv80-LY}Vu&v(0oG8% z;5Pd;r_h5k7R<{GMb4x19}qVQJrZ*{dvUxr@S|wv)_d|!faSiQYoh~-E3y_okv$pO zoD`^2_PRk<)t7WV8oa*pza8C}Az=>spFD0-6Jda%_zg7>L5e7be9fpdl>HZ{7?nx4*otTdLvaNnw8eShDPO`4yi^DXHjDy;g)oBJ7zU%Td&r?>=JE3QwA_1jBjF7ab` zK@;I#3nL?yTcN&fV$oRt%30{j?w-xeOB@vEo$6)9jvY)0p49U+2Q}$Z<-}>!4{S7=$L|ylErG76^lV<<4-2j{@xyj+{BzuL;{0C9 zq&&h2xUzdCnP**aLAxgjHuT2V-kxve9S`ljRuWqoAC6AoS$mDSz?V2aasgY289=%} z)l>iH^0f2+UVQ+!Q`FZeqzQBciucd{9R9BxfDZ|WIs^Z&Zh-7>S`Lfpw(<2{PFfQx zb3b$F3MKP;M>tkyw`Af=P14o_w03R@mUiq;-61a1>ba4nobNQ+;9OvBk5NXU{+UviDnjmo)80~~T*DQ*fUPt8ns`-i8`Oz6}c|#Vx zPgeBq%*M?2)Y90o-%Zd0bxj4=3?x;C#PghzKI_HtMjVc*aVo}NK;`|hlRy+E5+8|) z!bjnklL82Q&ljT$e135SVz$pAkbA)EX0vQ$z7kqXh zegHeKe1I+BYD~ujnf%-kTvB#H_-P8`$&Nx3JeeSCvAEUJy!p9~hnL}}(D|(L-tHxYQC49twTWIv7Duk(o1F$0+ zq7*T(4B?^1bh$QAO->~f*#wb&j~fW$RMmQpjc4KahpBW^6v&kGH!-j=SU?JD9hB~C zTTpO5F)Jq%E}f>w8E}?4Fsb7m{dH;q7h`nGPPZt3V&K~7WWLp-sDKv|sJWUyTc7UD zVJ%``yzYOREg5;4odmiwMfKiRo5+~^JAagY@tPQu9b;_<1iBZ+>^KWX3hEpi!0!y7 zH(QSAsl2CEV1Xl}JlRRSq1pfYUZD(x%u%y9WGJ$hk2e+>5=p%|w0m-BBFR(t#} z37-=o$$FU!t(Oe;9Kp+&$rPo7v_V)@30yKp?|%Bx0f;|ArdUoObKqw?&k+b50tTSm z>Nk65TYBVuU9x7ya#-^Lv#*wylKQmfPG?MFbQwU%1h4Y4NNd}@PYR63=hqvt25F0S z)dgtD4ogaAk5SLD;+CR$BZFf1Y*eMU4QtF499Vf2EBRE)>fu1Jal-FMr|VMvZ>2BI zwFsfsA|0qiaW~@BZhaQhUL5>G9NxQ%9{s)ciB16wLl_!0yoIBYPb>6MtHPBE7%k=( z;W0j7WuLPTNahZ(yph-ZzyUqyawulZ^!*&LhnZcC zv29~2+Q-tz5d?C5&f;A^0|XF2we85DzBJxw?PtP{Qw)iliXyBrS~?^qr}WH2cunYO zXDvw)tqm08iDT({bJ^+-jJwKiwoc-B^XHIr$o;HV;*nSBUqd(N&1I@+Efu8eJv5J~ zEOY%Z<&B$k0djK$zVWVMp`!7!FletqR0K4rASanmi5_xQ+Jq?ae@n1 z9wK8nR?wG8VzOUT?a}*5NQ2#L`ya;-f5_YxsI5SWH0*KRK`y$KW{37RvM?SEH}tL? zlEams$qT#mnjY4-%(>V+wkve-LwIZ`x~FZqmVht(0>v5ZUzxw{L_^HsR>Gi<4m0Oq zg>M1L?l=DvANbz4%2_E|eY7ZoS-R#KePF@C*y|7cNI4x$6w{3VRBNP!W;y4GSTt6#K#-?oxvx9p&32o;BLzmv9tDl+rWuf_?fV*2zi8vVU|%`=C?Q) z)530#2ph=K6^G@hpVsxS_>Zf1$Q%FY}!0?CWFeKlZSWc&&Vi9HDOk53 zz^`XZo+HL&MW3}@S~pQJD%R@XK7SDg#3_IMC3HhLKyK-~WYo8D!nm2k!SMsW?^Y^S zq=!1-2v0clxO9P|J|Otxcp8RDGId*buZ!jVtUwRQXLqn1>M~ZOqXyvf`oQQ;IM{>r zno;0OqExxhaE$n?p#y&I7y~vDhZdEF9EPaA;p3R086n#x@VA2s9%EI4zdOx3CxuYP zu}=0y2%wI93tij4&rMQWEc}x8R^JlUfsw2<>Go$%x3HY=qU8gPgn}IWMpm?_Da*~L zx#J3$pwBs^9o?QfVS@==sf+ZI>(;$OtHr<(J%X|6r|d0getxuA>Uun{34AO3Jk)0) z?VqPDUvHb$ohS~Yg`Gfd=wqIG$Z42;NFpt`YDU3MUw<{oEnv5`W9RH%6&U>+#om3g zIP9+H(9}-kV_$!8y&$$EOw{V;@IzZ5q4un;&?6~#^A<>ZVP$RpE z^A?=J*aG=M83+5hfaW)3$tCaIoMyA+N{8>#w(4shhSt?;4L=l+7Fs9nK=)WX+eBz{ zMZO$0J=FcaT7CsqIPuUUFCBS=I}r_qJJAE2i0pa&co0m{vX`+8-^8q z{e>$*&lG*kmi=HG?+2Y12KA;xuW*eFCfUwsdDe5;^U4&YX}NuL^i1Sdfw7re zVl_99dZ^JeOLF=>4iAwvU#6jXGe#9o=B&e)N>ojaTP%eog=z`w{f75fNQdi9X$l8U z>hB{KNIpXIem`pL?z=Y|hXiM%?}gcY@ccuJ3=6pbLgy=ti))Oe->GF74N48cYL4|e zS#{JHreKinPyBXPb&O8KRL#so_WhU-iu^#2eLXru_4|_<7q^2j8FCccBkGe0`!l1I z4D2z~k~W`Ht3z^lZ}7kTuJ$&3OS;+DK9~qce$xPx^TS{=y$QPCc$P(6W*YoGwGKIG zG@<%=pVvz#2bGWw^L1DrC=F$J>;NR-Mw#EE6<3wfR@t;7J+PHlFrR5*7&sdZsl+$C zAcqpOx(iz4e+ZXDFBCidJ_mCW4CU5TM$FvWx;T9>CvrZ^OQ_)ce(g3lZ=p^iRkC)o z1GXizV-kP5I^?&7tZ!?Zm&xW~a?uxZqsD>5EL0oOfc$^qY~e>1BhWoLXOEhUX#8K-Gjo)??LOT^yk3M zbLn##xH;QG{X&zCrl3Qw8FJEXnMm7BQDH5fKt$X}EeeJQzO5j%-Ctv79(eJ}j?k{j z{fPV&<0-%R4no_FQH>nl8AVf8w1F#44^N-0oseAmYLafe+c}+O5&OG<5;r0i+!aWh zy0Ph@LPWLpeqx{kf4U=#+p7*eYRg#nA_Cnv1<^2~WiWQ(&%+mWeS0J<1bDKZFv)5O z6OR6**r1T_mxBQ^_iKGB-_i545w2@7uBtLFP^%niW;yTEzCJ&l&hR8sfPN z{GIQ44h|aXm1ovGel~s4xOk-4)u<7>19Ajt(CmG^6R)8GiYntG#}n!lLU)Lz!?A}b zLo9)3t1cMDCCr0h#=NDAX%Q4O^hDMLDuVho4nRo|3LF?Z{iVkLD0?f71#uyFkcap- z`)*6TI7DV@amrS*;TE3uWt-N+Yzi_2x*!n=^j2NuGG_p2k8^hk^@?W-8R25}fQQc$qnkHp7u?9!WAz>LIA>E&IbK>LCA1cB)d`lkQ(QN(NFVp@ShT|Pb zNU60`dhFSC#gH~8?>m|hIDN_{Qh%@+$HQ6cs2#+DpPmDlIWv$wS_^$&#=tp;+h(T= zUP=sLSwk?{E4++{`LiOR-8#MhKVE;&y|#~Na4PR4jW8! zkIaYjWPgI}hT0BHW5xN~uBz9<-KI|ul$#r~tT-5sKG5y-YQ}19@PP&zCMWos)5(ju z-kKQ+%Ef_!B?ox>0~D>Fxae>3Z8RE?pB-3&#p3#yg zf-N;E`g_uJ>>fk!iox0}PzO z3#bJ$)lY_of-1R0m>gh1zpm_nLt4S02fVUpB*?Wd5{iU6E-&5BUh$8u9adyPCv_LL z-qU!hVdVrb{Mq9m3c_+NxR%@sJlVnR$izmn6Kp&b@727ES>kyu;})KcQ~v34m&$zS z4KC8Y1lh>|T}+H#FrI-RM;sXzy?)PxTfSUp0R|%_25={bk6{+jr)7c;#%noJPe{lK zM0B!5zKF@~Ff~s;@ad-Ve&1dD7h#T20iSDGAl35Bc$5}r@X}#aJz0X)(oE`A3z3`B zOhl%Cz|ja-A>Srq9)xDKLLd78DOTSDfQFRe&GAZM$W$e; zzhP=-eNb37ypE#Ewkv}wFcjj`j4mWfHRdx>h9B`IMOEWFV%matwBuTLe#=?G>bj)i zovWzX0r6~`C0?zs`g)Cwd6s|fJjp;rq~BokW%AYw>fbk<+d9DGb)zqNd>5Q!;Dp(nIjYNVww*KP5^Y7Yt8*bL4N&ONBmD?KmHVf zPg-Zb)l(>H!1`?Z2o5x40D3(92VZHL@UZur*qZ&@4$?D~hCW+)(w((w`V^QvRep;Vy`icQjWDX7GYf^2J=%C^2+*e|@mfFB%*<36^1cw$q`;Ni{L5 z#9GQ_B2?bWQw&HJ^`?1r#Tm3&_z!R_mtxniv6Gd)Y!)nTazW)~tOh~lT`)QhoiK3v zxo=|bJ0g0i)$4F`Lvtx*SftsantsYK_!`S2craOFs-@8%J$bDC&-38fNk#s=NVyn( zLUP0%7z94$+L?5|?8lQ4rx$p{CBDVx)A;%m{IE_KFJN28+6z_KZ^%Nkh&)gkhIW6O z)%;O@SZ2koiiL42lFRw)!TG7JU;jih)RTWhnDA;0x{)btf6(WqVRX3rgSy-t9n`LTE(__r@;g>!>e1j7T5Ie6;K#|NPF`+vp1ty zNjY;({BhdHu^#t^A(~!dq#kQS`b|YA6A?pC+IiL_Y5iNWReM@B!^@`r?Lz1zYUF%_ z{yv-^=_vSdszSVbo}C>$O+7S)AulW9nK+O#|Lbx;W=Zp0BhN zm=s|?Ju6oN*XNU=dwHj!1&BLQt?3T0_C+e3Pcjpuk0#PF-Unczye|0$ujL}xK?|qc z_q?Blzt=&b3{n4jyN^QrP)A}lQsPHTJAu)X73s9#OXC1xXWue!0Kc{|aJ_ZETccI) zQs`ti=`$}@rTTr`UA0GJ?-7|c=BGztt+2|r%9P8by_W4>qSiyg0#qAG-v zWaBfJ?JWjhyc^eh^2E6A$`2i1Y@k|s|coEFr*QtgdCRjq-#3Kh_7Ndm^&o#2cQ74Nml3?(2`V{|Y0DzjHN( z8}gCkxbQ9+kfaK8`U6LbgD35l+13Q#eq_UrgVWDE9!Z_3KxY-Dql?`uZt_aKbNWar!3R-$YInT#VVO9ce##1^18Xw%$%#ZVA$+-00VBJXGao5AbaM|sG2T67p z;abt+?!8zrjHkqEoiC(qzPqKZPuDJ+`{^eX+Kb~}F1-icWTg*NdaV?~w#-9I6x!;l zaUePZe$G=%;f(r?Et&kBgJ6}QsO*<=J`!pI-)Ilu);&HpDE&z#{y0qehyPd3_=mPQ zU^l`vv-i$fnHa@3-ZzEO^M5x!k|tdq!6<=@r2@7%V0ly(6jugA(c_-v>3xKhUTcN0 z1ro0U_uR=Y?Hi7WIh2$OUYtHp$e>o5`J@N;m2UF-c8b=Jhpo;HuD{dPKJZPI(SuRX z++(0FYUq$5d;OC6%e7(V2kIgyL)8Mzl3c-?1cQZxH0W@@emkYZfP z13m${d_^m|mfs6%jJg*C^RRyeV@CoZD)HTJs2Cc8<{<{aKymVs2SGR~=+{Y6__=_- zzP59kiS*K^a705QAx|O`H_mU!&laGWemZn*S$-8WTThh0)|WUAwPVsCM!_)>v4Vm_ zZy^Ep)#Jpf7-{H!i*G;RGp$U(Rq7Mv9W(*=UZ-lz_ZFQzoW=>Mx6vw&0UmE-xK300 zjIQOTeaAw&u3&bGY#J6ByDk;>I`HK-S-P^U@787Isl4%a#EN7K_0DxJez3Ln+y08Z zEfP(ZTXK97gGqD!dL5jX7;PL)W++fsvCD{tbmWCk9t=O?uFWuQ2Kr$iLc#DFc9C;< zz*mrjhSPBTln|pN+y>^7jDp>wxo@Zd!yjn>K|D<^f{m{tG!bLfy}H3KFtBoGHfnZB%-OwHId!k0tCp}=L?UHm` znWpEa(o48<@Tq8UT!;+i6%UcmZLL$6?B*8C;co8*dU+_;bLxq$0vOj!dun0eCAB+m zp6LZ%Iy@*hn?sM23S@uMDItI!nPKzAnE53y74t@r;boMY`$=WC|0n}v1|BYq7DN@c z#}iiUHWfqWU-z;*!B*OEY;d3d=U`Id_G<10ke3G)!r%&^c~0}fp>Go1(9Q=8=oV0f z8Nj71!iIv3DtMCsM-hgNtamG%TkTjlA_72Q;7DKPH0I!r~zCECN{3?$7oI%OE237@(R_36CJKXeEEe40;I>pm(AjOZl3i z@^F{s>=hC<7V0epcod{An=1YzrJ5&}3i; zpmK{k+3YMJ%dQo+#wVuV$E~5SRaws4fBt>OvE3!j#?s$qg{=d#;!M`P9W}0dj|z;? zqAM@v{XQ?vI)F`Xc4_ZOKwuoy)#k6U!c$v*_jWWQgzsUK4SM*6P~^z z`=S6Qds6pSI{vRK`eqynL_y0kF!4ZvopTh1;b)WYjy-!LIVODNgT=+x_~Xi3oa!H4IyD=RaQm!&W%%SZV+^bH-S8wSSoiS3B)^%^ zN&Wg%iqn+l6Yu@YUL#pCb5}|CWG{g>c>2Y>Kc-E5g#)LU#LKhTm2jvhn@kwRTu;d# z0!!i0eIDOZhue;t*f$G@?LZ+;K42usyONA$nAtYN*p3E$a<9&#=WAJ2-2P~bfEJAv zyYRnI+bdcF>O$TUltF81GFtZS=b}S=J>ooT> z_BP@myMX5FMrv}=Jl?v_9CrE%>5ACUdOc^@6lr=!lXA?2GT^kF;2eHVDpZtQNvXUsVW=D09$TDJ+D2Cj(eg@CQM54!NP#BcVp z2XYZ5va(Clq2r$Qj;T5RiQV`m6dW(Rx_sFg|Cs<=HrUG($76qOxw-dQ&X?FU;L4?% zH9!1YE3Mj!VWhNOM!o&0r-C(tZ|C?7=yl;RX8yM-2Aq)pdhPSEW=Fk25vodL$#2c&l%zcV+usa1)9tdTk@9qk4GM{p8 z_y_cT3A?)+KS4I*vrqnM$OdHPRH_02dcJLiI(C4V}uVYrW|PWx?HJ<+y#j7u8+BP5?x-O%Vl z)?Gg}&qg%)n+{cok^z;Zlq8+}oww`$XA&Oq;qDOyP;2wbO6<)2@o*8^wTOj7jevyqJ2yQ`U* z8xl5Lo-RzDX$`VF#`DMXrM%lJzrE#si6%Bd508TqxVvNu#OJ1RH#b446rf)d zQ48LEO7Qo^)2L!gU!ejHvRq;WGss4+zX_WXJ_x$5-<@@NOO$tS$TC;8Xy(&dwGvUW=_aWbhc{a-v zgxcLaR7HjFP}b%T@ST1S}M>r zFeKx2)_&;TDE<|kV$D`7hOP_&={$*dE&TxdD8ngOJ$sbvrifb&QE5Q`!%s0#u`V2R z=YM++FQn}$JD|^oe1hTMRv|;146!;+y@op*pB?*n z{Dt0@<>&6oItLu9BJJ@{)zQ)K+@>nT{^(CxP)?pQkASPz`rTY$HM}VshxgG>6ViC; zogO@8!kWy*x3WuVe_C{sUIL?RsaTdw1sFAn6^A}05&}AYLJEC2?y3hJz)f&HVZ_1n z{Kx$8nfiv*RWADz8j@JmIKI}cY95yp&R;&``JXsE3s~#^(@1qxMadDyicru3Pnyf& zjRF}&Ckj!Hqrr@=*{;_M4kN(P*t@EYG_d<5HI}kV<&6;uF<6N>G0T2gQHQ(NaKj)0 zd2m~FgX_iWOT9nOrJ#JLUHy5Pbf<2uCa=j-_n7dvALM$B7#4vak_gp{>I;|r=1gRa zSuqsJ_K@E0zEBIWRa0UH%_=5%DVgcUkiI!{$i_HbEPWAq5UN~uP>T6ZWZ8Y?!rC^R zpi8%0<+Zy3zwS{(Q;sHcxV0A8`A_g$kTM9Y1S)a7b*7uZ1+QafG>i)lm^Rcy{X=Sy z6XAq~|F1{mu~oP<^@i3*m-y+6UZ&+zZOA3A;I1G@1Ml)TCpc1tDVEOcCbgms{$dX> ziMO!9yfGvJvZXEt$3wQhLP1yIT-ZgfS7}Ixhd5vp!VR0RI?t)7Zd%T!P^}=6;TPgb z3i3eGQ_ODY)p9KydPqUlg=&Ek+lfuG^N_XB&&oISUbBjTI1RJl2nUq`i@Up7=cQ$r zqXp2jbFb)3r;FM<6TW_o$gI3+E@CMANF-qXAnq&zae{McS3_2sR-^jxTH5n={OGim zojtv(MtiE(9|rTGiNSr8RJFML&kmFN;&YChm%VB zUVYk-{%|+x70(R05;FkBha0wTzPma4t1Uic(%YRjXjwhKYlhjl{S8`e^6I5sh<%l( z2Ll>8_8}R)wS<-@m-Y-^5}8wqC#h4c&i%^iQpRb~nhV^JbH8uwy{JH`ynK{3lg*vK znwTa15^vjLO-rVv;`=YSRL!|WJM^K%?ayExA0%s}zPqb3)WDug0D9TUo-|7sU-?4s zwp->xe~6*DuMo3Dom12o1;@zYE27PytOQ_xj;dO3e%)UQY=+45Ca}Uj3h^TBfFvOA zn7@Voau1bYBd-FYr#YVdyi+@tW3`Le$)b-E;WYFDcV4%MpKhAr)Q-B8q4ZXh%%*F9 zv4-f{R;m8b^v8BAdy>#=h*p2mjREV9t5g zqIb&(c#e@U<{x}eMkuttz_vVV5fc$ye=707#Ib9vU8hLEi{R;>wPlO6)KYNnIpLM% zek>PN1oA6s{Eu+(ywbr*GGW#-hWal-7qpY=0*j(HSqbJy>cn>dpYMG+>b1xblKjgt z@!xax7UhWlW+7k>>TlgSpHVg=3!I3=j(t8EU1Ma+uSZS8dotkqjOvd(ZRQb{!#D)z zS`ts#4XMwS(QE5Y464PU;0mTxCt&QId)MVg;vmKy$BvEWltWWxdC1^WtG2IbjX-g# z&U4fw3C9bLX{ab)bK`+1x5?6*o+MD%l1ROM#O2QVS1wK2c-qwdk!GAmqrM@}MH(iiGmFy{aU}=3UT1{T$nEmDgF z)}HW{PAxBOgL7b)lOh33jD3o?O5!q%Wm&57z$o~WuZXG7~?w9;z) zPgm2OVkDZdR(?PGoBNw_?w=p2m(KZDZ^{a0%fulN?v1}6WJPmc5G1Qp=#vNO8gQo1 zt)0&e5`v)S{ydl*&iBX!;EFj8MTe8bvkp1WfC6CYG(nTVLJYo?%J-VytuQg10!;;5 z!lL?JDiYifNW{PupR4VQSP1loL&%^|R-TWWT_{^&BH+LXF8boPPg}0Tl^$e*3f)-bP0+d>z((k)}T8z-#y7=L@GnR)#~H8u|sycmUd;%L_IJ*P5zQPFP8 z<27Zn*ceosgoo7rWc1{Gi_Rk5r0(@b1$=YamxX{d(fJr7yTHabpSx5CDzrqLSft<& zFbs1zRy^c#5GgyG72Lelcc{9x@7`3iW?!K#ltAboH{{6mv1%q#ow0+6rf?v}H$8Yd z=yPyi{Yoq4^Ky5n3@t=EdKGne_(7%6l}ec7;6rqJYA87YFge02TZrEd#_|j;jZsKy{nTrcilbUKFgt+{|bVZ{2^Clrv*4WWNeHYRx zh(3vG(^rwHO}IzT!|6q^qk3b5wO3Bk2-h%$q`}1TPFmf9@??>->`XsgXJ*e6COE*( z75~pP*D&KPQ2RG&u1sDYUz$HsF!uPT19zIMt_2<`N*4>neQCNY)$V|BmQO z8ee!YfW5|jU~p(u8N6B}86fErcf9^>uLQ8*bpX_Xn21ow*nidW{w-UO0N?%(i&ZDD&D_nxr0@H~0Ol-_s zg*3O4=~4x7aQkru(I*j2mRYnj*}-#!I5VIzup_Bb<0S&Q{Ct9taF1kP<&2v;xW8liM;ebOypepST-YzZbm}- z91H0nzS-NqrGdJ$Ke{}0aIJRa)4`yWSKlxj$&vWz96#YAN{Ln;MvqQ>7g4R%H}{^QWuQy)C|f#f78<(O2@>Jm>7Ta$vQMMmjk3w8e=qBi}{$t zEZcy?GYX7%Qs~xf!`P6+#h+v9ZQwo1M}OAjs*QBORcxn`CAi~oh52~bHf@(TTg=~& z9qm9?C0isZ;<=dIE^W6(H7pYmVa@EW+TNv(z75S$$DSoT<^vV9DL()p<~rF^yHGtW zOm6Um724d>iIT`~`_b{L%&IDv7+CjW^Oao4aVDq`O^iiH!AfNbD@x3^O|LmE@FfAv zGGNoNN?soN))hd#T*fk*^9Ri*zhjxlL=;3KJ$C3N)zAd-o;nL$>}=Ft?H#1l_raLJQFK&Yu6Qo+)dO%E^FD(`#@ zR2;QPSDS6<)O_JGFQ7{IMU)d;+FY=6JZUo?LABSmLGRi-Y_VuDK5AeIrDVR5-KW5) zShk%=Bn7Pv5j|urkU*qrUj@h06mJsK5UgVzX$4xN2@4L;W%o37zlo&c>*q5rUxDt& zmPhrV@$|jytiL2#T&SKKx*xsn0gwp6bwW{deCCqqp3nU41o*lXI@E&)-g)T`0MeiP zPcS#Ns{x9e2mlzYcQRr8vIR-f%E)zjwh1bj2Y*k;hu#nWe~zJ-bwnUoY!`Zg>-J~z zH+e_;xn_xE2-;=7;YF1P?k~AEAW+6Tz)K#+)PaE3J$67Ee#xOWYW6vQZ}1M3o&GGB zEhmm!9`k0k1}F3D%%NP8K3{X<3O&xqy~EIzp7xnP`n2OJp0+8YZ2VZ0=B$TT!j!V! zB%n&&RFW{W9t&;|Ln zy`=dN*(VQ~v@fm0J#HpdN<&)4WwBoqfK}~U6OX4=wZ}Co-L<64pe7$kh;)8v`H@D zMmFlEw;ew!>rDTZ^ZXghG7fEY$Z=>7ldnUJ)6p6{o}hI)zk|nX%ouZw0O?aJ68>sp z9Rqm^B?7Kyjq5)o&e>pVPKvI?HCazR)7;72u=X+(zsauS=D%hEICAP>!Id8800iMB z9*_-WNVC;rkd@XD50)AY)Sfi8t(ckpZo{3Z!E#(iU&R8sY&k9s{L`{ zUQpaqF9 zTf*!)HLRX#?}{aJK$YDP@<_vc>cs`Xe{WnlVD*hOX?7z`03!9T*{ieCo9Ta32(f9h-?J|M!OI`SKe&Wq*VggxZ0U-=YJ4u z_yCZv6`o_I!p=Z}zEWxZ{rtn65NTpI4AFGoWwMZ84UohDEvv+FaMt|TOrdBy((o7qbP_x;f=Q$euSSDvhaL58pvcZ1 z-m#8MMrz3cb*w&1HlFm$kfW$gJ=`b9)YwZnQSWz)`w6Rxg&MBGZgPo%E<}aT_-VV( zz}^rmlFN;UdLme3A-A)8m|B8qlbx3Fz1_SIf$S{VaOtzCXqx2#{||lJ@!aNC(=Ax9 zX3WUrk+8&;CM_Eny9O~%CI-%>#>Q;Th+wwWpk^iv(PF<%ft7q65O1WEshaRYZ$m}>^XXsVZj9uL14!^) z=uw@ZNZ7hA5EDtc->~fGsUcb|uL=OMy`!@lu=;;p!+e{}rsQKqUtL@t@M7WE;0*p# z2hp0@0w&qdeF3lv1RD&pvY^CYkKMTveVuFTj&ngw<4-c|~%9xi^hg!8v;$mnilIT%_;qT1|j?b3eiNV-e0b zxi3^ z{uh*M96G642mhgm8$cU7sU-|Un?u)c@u%MVmQ`j=!AP-_*@ zE3wFdq?{jp;I~=Gpq4}EmW+-lZ9>*?)m1a%<$=`!TvG8?J1R-I2MAv0|)Nj9Xn8a&BW+9RSl~bSMdQk({c#ged0);R8NfOz-@aC zEvi4)@@EzOb{>eLi76Ym;Z)Eu_iAwA;|4lGZ3)$=S@0JD-@5HmyVc?IMp0yJs19bkfVn-9_Im-F+r#?@BtvIVaOOXE8_bkLfFPIgq?L;$S%U z)?-oB&hIDAFi@Bvn_nV2 zU_1hzl1@WT){xiAD?(;v$c&~67<;bFdjc_$;^BhtT(&VLHHdoq^A%QjND z8Or*r_3_V6$Pl!n(N|U(EhYqg{L-RR#7!r{I>DXefTJfBBU47 zIK94`RY>NvlQ|V&_Adf-sSC#K0`nVHp-TqhAn8r~YlzA>>q*q>6yF#zIy64;MJ@gm zk*joj81@L$8W3%=1-2eP2g1*H+pi7pScOJY_N)aO5`GZ_hZp-W%ziX6Z@8432y0z) z{uQ_%^t2G!dT8m^;G?)y~xvw&vu|Mro3I<&@c z85$!E;u1DH={xnqnQb1>WlKH>%U{OwOTg?BETFl7uF{gP;652T{W0z$DJ?XazMls6 z>1{SJABK%}>|BplGhI`LF{^qTbD&L+FxoB90k#7j2#p}_-h>B-(9wWG^L;selxn-% zRWsN1ybZj$#9R>pYVkM%_@{2bKWSx}DzKEy72!QsueO%8*Sc1@*eCszCg_e|G=zWf zO{7JI_m)gqqSkD2h65M$?4gD$rY#efqrD8gRw!`?KwPFbl1#^~*U^SxOHx3;0h+uX zLPoC*`jJA8rNV#cUe?(5UoVbC&;yB)lL~>M3|II#ekBLOU4Zb$AiOpZw-dyji-O=7 z-k7BOlCgZHSL`z`Hz-1J>oLi5>g_ca6Sr4f;$I{xHYwxl_@|8g2iP_)POs^5cdwJ< z47*8&uC^Xq%6zxCO!B(tXhFFvsw8Evft%=FC0e2Rx zt#B?o8O&b-^E(0Q3y8luiAD29HjSu!?~-S7=9s zHe*kNPb>+3EG_Uu@>ukEiXSk=z}K)B-?KowW!3lTN-iG3Htg;eG3vJ1Ix2LEsN7k4 znGm(fe3$WgFIB3@d$q*OzI$jwX*%@aA37H8q=21MA9x*mnFG9T;Ps}g?Ke=(dC{D5 zz9;;(O|MM`0>`YH%n0s6W-!JV5RWi8MisjD-ya3V#c`#2^k&Xd44T7dNukGV zIKNsUc+RZ&4&aE~i(fCOY;8P7bBM!Y=78^3zK*SxI{kJ%^_?<}tJ*J1X4?*9AH^7+ z8eVGgrji0!M|ZF1PH+#=iGd+NK^ECR{T3NSiib^>eoXJMLCwe?6m0f-yBX?7(UOfE zak3DJ-O1a$f^4Z(b5S}~hk%b1U1xsT(}`pf$MI{YxN0{F1DKi+r^vq$oWoYUwJTLfv`Tp6;^&-Z%n6yyz42fF>TPH*MNJmHx z$>Ek~hVLq^%1f=MHT&rhqs$ZYCl`LK@qXHUev9Bo8aS+sq7v4Nr!0qR`Po~khr+wd zRcdA{>d;i(#gq29^bnC_Rqv_hoE7 zIh<|na(|ONao9rXspsVI4pMC()%ie>SL%9x@{B!-2DddEt~pOXRzx4Qh58dOHJzKM z)XK$Z9sp~}iONqJGFvQ(6&*M~E*<(Q(PHS29k(WwJ_;>x#sO(yGjr4XP)A5-F77xn zo~!N%qk{MO5i5Wu3HuCnS7i?XrF&uNNs3_g7+)tC((}nAnY$2(9)WWU(5rYOK4+Qc zLbUx~#$FCSt>1uz2^%1*jJ#|_UWTJ4j$xTPmJ|#oyvBUkQi-}$1oXHZ@#Ej_891}0 zuQ&JtPzaSTh0Fuuz2}C)AOs<{cV`A*1N8lD+lnLz)-~=SKhiK8xtxH}2AI08weu|^ zhTRs2zlywQ^$fi`W9g2PI^3_$uFre4gke_xw2(pA^&e)_rzni*hDtSQ{yc5%sUFnN zXg^ld(;iAu!}6kQ+yZNx!vW6uE5XnUUYa*+|3`=dk3}}%kHR?NFpdYW4a+Qc30eIq z#dn)5`V9WBBH;hM`J)10`wP2|1is`=;uocPU-=&|aC_*Ba6v!S7Pjr+6*^C9z4+bw zsEd@BM94^v7tnpzZfYrQ`gN{Yf_Ok&`!T=(lxZveam?NS4xU6^w4iYep}Y#DvUwU_;jW z0$1RCA=`^F~r+RN>qi2mB&|2NW7@(DS{h`2=y2WorX>|H2^zKO#|-zOVxU zguIiBL6AGccqP(l!v&od(>sWkg_(TU!;Cru6_A$%#UOk>2d7uAmG7q!?T&6;)P<_A z7FoCq3>75D^ABc89?Fz%K*#EK0@rUsb zj|1hzd?Z7W{UIlK@<$xD2F=8v=>vG~03I_?^*=cSrziD! zFzz&*Q$%AGfv+-nL-a+mfFGoVePQ@**1aFK%2clE%mna_256Alm zmgk2_Hw-Q0iNtWY-Z)Ua=I0=T_R0Vm$C^BIu?tEyfO3f8lbPSs1{+>Ip<5vI9+jty zhuSOxceW`1j?q*Y@KXNVUK=uM28DcW4d{tG`C=P>`2?V#OV@I{gIDiDd^MHVx5Uw> zKvxdf4EaH77r%8a%s(pJ0QcC-BK%+3Z$| z+<|J}iimJ=i|kK6W<>pkt10kOgRJP*faT)NMMv(U37H)=PSGZNuawC{$F1d;9hn_N zttk85ls5nKxpJ?4>v~Vu&9C|0BL-$PKOKi#>M*)C558%xIVHGNSita+E?gF3DF6_X zHu~&y@=X%w?buqm6#L2f?<&FiySLQ0rqCxX1EN>LZn>UoDy1djFJRTNdJW=Ly9w7& z9nMfUTT##{as_89hBp(0is9U;>pE64+kH6*sJb_17VcY52LIkZc7<51tM$fyFl_051UGc zG2^ciz21UcO}aD9B@onKaORo=E}x_cD|0-19jBQuNTvq9CI!V(9sgF&@MGM`lW-%VqZtVV7=U>4o+@*#^A?t=%EcAWp(9yw8mr zpeTWn&Mbtmhx$7|k93+-q2Bm?eI<|DUI0Q9?3^I}1nCSGsJlh5%`%N-|m> zY)K_^CK4)etA(mIM$}@2{Mh&ox!>~X3V{v#8I!^?(16>(v+-AQm;0zpB0b2VrN(m5 z`!$A}JT}cego^vJ2@nx;^NNo!^`5O`Wy$qvrGek3Y`{SkA?gOaS~OL54Ixk^8sggAAd}xM4xzlYj%#RP(ZyJT};&dlyMXwjD zwLUfkqQo0yzaqEFQX!je0x&*`lDw~ z6AH$OAxlEmd$m3nU$c8AoN7qX+nyhiC^AL-6umPmW33R`uRs9mk6wV6mM7TDt7Fyy zW@@U{)JW@{$3jumPP^+2NGN%^iWIWovB93!g>T#YkJ0gl`^4^#dPh)gZ~#YSv`^|@ z@_*RS9;HRjG6{svN?XQAV1V|>usdcK%I`nCHQ}$N9X9(hO;p>oh>pbb&W}kbBw;gcH znZpR(WNt^i4Y+sQ@UX!%!w%=Y-DEM%%y5%tY6>Kx6f^uT{N1L+6g!ZuM_qj!-M22R z$}P|^JK8lB@-4BX*>uskgRoQn_91fBJEyW3uk4~eea45fnAyCoRxYhh0-QAxnzzg+ z_!@_p@kNe)JoVdGzF#95L``zAMsa)5T(<}cEoEwhb58JP<$CKQx>AQfu_5mnkbIVR z{z6!OBH_f`N?w8J;Zh+h)`! zJgwhx2#tz}KwrDEnuiGwO$oLiM2{8EAuzXF7McyN4&$?a1lx4`5L#-^598^>3F;vV zgwkOx3c$J~j)v9pse|tvpz7mkN!}^iY!U~UEakM|_cENNn+FIAn(f!(>rf}BtagY$ z5w;%5f7>oCbRTFV6h0SgL47+^saa5_b(IRt;QYHO0e>%&7u49q8>VrGTWFjP+TaOY4BsVa^y#1O zD)6Vn?=&$%E)0M+ck%q>idrfOGRyf)Wzy;Qbs~e$N(83XdVhoHHZR{tZp(l^Vk$mzvUKvYisr1pfTV}aqh zX~u+eZcgQ0)u)w?A`rvzX>rZyz|1|5*_UE{W$jZIi8j?qHgJo*i7nuGn{uR=Q>6HK$&-z*LO|q8NWUG z^a|ls=$({q4`Lc5DS)_=E)1iX`l0-W?V(7bj=Lv4+mY#VFpb_~x!ACrOGR9-5@6U& zW?snM7*G87M|g|?z$U1|m@QoqhTN5|zx>Pa;xnDJo}|scy>;W)f-1!hnV? zpZBmGP$0%=wipz9AzIB0==lIe;sywzC#c&Th@aGfdmN~NYyUh_{88T1UYExweuqyI zl~!W4bmAdZFrPuNF;~>!*8v`Q7SE}(g5+2I^EN8=a>A9I^|2^OhKmpqs4rSW0j@P8 z_V>JFQCImWPiQ0$+-|Ht-|Kd@ z%MB%+(}#Bm9sMG;6aM~xOj4(iyhTBb^f-_r`TeS>3o@%opeRA!Z!?oSDG%5zp%NuO`C;Yi5Erext=UGGf zOcL$D={6ovj*3B>1lAnr^ZbX027a`b9DxY>ZtmnGrsZfsgchLG$Lm_t`Yntu>MAX= zdhr=R-=1k}Kd+sR^hea5*P*FbJ%FhD^hOYBtOwCqV0ZcD!N>7!0|W!RYygFa)TN$= z(1 zCsn=-C68u$Jvsp|hgi7BO3N?PU+GUI77wOq9e^bJG#|@VhdkFNJR$gC=A03TTY(w$ z&Og4BYdMR)C7u4i;O=kdnbc9d01pAmvef&h4T*>$N5$c~%p^E7sVk*+(uk&q;2};j zevft=OEsdcy!gWsl8yw53P$N;K$Ryjt(H6Q4LgGQ{WKCJ!*p;w4IeRvw})M*f9{5vu+t|n-u^cxzoTB zi)-3T1=i>d0_uW7LE)!2#zX)6F>*<9v6#P#hcbU)bd|AbwbUctdWhbdVgG`OUblb0 z?_a;uab^T?(K^;B{yG{>sE19kHYl00l)JyLl9{X^Px>tteU!y>-;1v{gjbcxE*wEr zMAe)fSLv_av`UO$AC^)N#Ez_vfolyvnS8Q;cCN)9^o8*2699__%jg~5z$`&`fV?(I z@d=70?IAAnl6;eMol{-yY+RV1yn7)KuW`h9X2+_sG=i8nfAzNY+*Oeyk88}`N{xYu zfAJ%iVeEQS0|BO;93bGybiSXIX~!%z4=GuByA?v|3xBvw%>004Ce<9DpD?cRZSJ~v zr_SH9t7wRMj`>Nkp-K--m=qdeWAFkD{))6f*ume8YapzCtr&=FN*Snr^rWA`#IM8u zf2(zkNfB4Y@>cR}_OcFz=ABRc`#J@kle`Rgr10b%Nny6MKo#~=9rmsWSgaNA(Cz3`sNDhZ}TC~c1jfH#Xwr6@p5Ex z^^y?N5@D7rlk+Kn-MApANodYY!N=c&kc1FOM)1Zm zdI`e&Hhmnx$Ra#X-tDS$|4|~Te;Zc6p*cyAh9j3Alx|c&{OH~GoPDbQSRwJSUOaDA z)jOy`28X`#vlv2ZZEZ+bm!};E2KX8suzMbC`6-yR1;@wMEej+Tyc=fhf3gy5eDcM_ zlIPg>ZmI^72P(YDt-+AV`u4UoJ-?2&K-%z71$*e&n16({%5ajo)r-;dmtf5L3{zfb z!F+*9=Qp0a6v3fZ7st5tOSuHheC~Q3;>c0_bV5VzPJg6nzA5)LX3Ua&E9bz_Ex}sK zPTAcr-}JVaVuZq9vh;vE5>H)=QPK?Ub`_xLUR8C?A?(I8BDqtI)8pTub+?~`40gpq zUJ@`9AE1R`^lfC}Y0A>xfxD>0woPA>8R=ZjPH#cZ8!y4RxTBiFTLn$)C64~<>9wE` z7RAaBX3tkNoMT+SRkzx6_m8qt^*ut*LKUxx{r+^}QGKd6ZaVSF^~I4d_dfr;RM7bH z<$rvlkq~s#h&3vnQ*ZKzai!(`B(+g(ixKD-$CIkt6FtAB#Jg|~%~36Lkd01iFW=hu zsNeQ$lLBKbMcK6a7&*xQC^&F4*Om)drjs(w*b3Z8j=$n|3mD1u_?Fm?M0`b5c@ z`_AL>y83$`sA-62YaHzkcTtT)$(80cg0*Lsf1b|+nG`3y(O3DZdrCUlT2|k4F;nWX zwNIzL1JZLm!Orz!428YWSqvo}$FX)|HJ^_W_5`f3{JB!MKqBI7!oL^i|CTD*Kq%pW zl`k00@p&ccc&f0ZXr^Z#ADNHQjU34Un#q(hkf<6@N>^q z;O>;TdkI$BJ_BAA&Mj@v{U+Lc*2!pmFy*DrU=0m7n|m&0top(94(QwBQsTiPG@o~` z^Nq>9=2*od8!YsQz~0oXzwck6bl5HNYgz(dZFcCKr|L}YM5dtQF6rWTe$o~HBbDu=@{^V!N$pt=5mvxODa?1dVLW1#ch znIT{V+e)YD(04O%dPq}-QE++9$RqK=UnQ<`tG>cJMixgKhMMD)=dV}$3LKO9`@iu1 zxpDjMdh()%D&sNezQoMPkuM%Q@*?9+;U6L&sLGX>)OkNE*S&Z<)#v^jiOLJzdW(uY z>6}wbDboH+#Zw-#`b}ruikVq?u#A|oyH0avvoTy-46Nx^Es_}1be{N3-|x=Oh{qQU z1aO~k?KXB4KW*bI{x+uC+*{LpN^d+0YK~fp=#Iz(foHn*G#$cCJUt?s74=xF+*LM< zF(cI?!C$#;eUQRdw$GLuKR)z|I-Yd8J&$!}0%^#*iogMt8VI!1&i zAsD-(Xou+6@Y6GkSrSXH# z`d2oqCDHRs7`tx05YhGg-rD1E%$OQ3^)Bk7{+z^Tb;`rJW6@Fs!ZXd1#@Wp1ml_I9 z2cJzGO4Wr1M5?2m>+Xe;`=>Isy^eR^J@>n(27bC$rMNg(M!E@0-YReStFTsU^H-}4 zLw+r`=-%C~L!RUD*6}r`qgLuVegHQMe7HJ8RbZAF?Hza#SEWK5tqR*DTKzU!pSW$$ z(QEme3ikfP$Da^e4DDqsQB0#gs5#!NaxZ9@NDmy|yq5#zEH?a6?A5SM=K&T;k4V+` zzwfIcdp&zn{RoEJ7 z@YK2-_j>8Gf_B8L3U;Mo=n?qat5=-;jw>awZy5Y5KGn+9@a!pVMxM3P41KhqFYO1T z^rfq7aTO&7+EZ9{@R@^%tpNn*`To+54<%1TKHk5f7QNeSvxIEv^3QAG(Wo$MbraD2 zwE7@J|NUzu-8fFCa^z`8%IP9|81K7!vW8v%kEKKMlq+Cv_s`-eH#d7SO+^EV>Uou!rr~GZ zbN=DuBqS7MhGo0~`F_dIOOEcVJ?EJtk3oYd_Pn%taJ!F@n^W!RGnu*3>WLsCX2O?-T_V#-vxvfy89fJt>ZQ<=N-YA8OJpxQl6xNm)A~2PZru_M2m$ERCJhw8s5} z$ayjCz~w8-jO^_&ajY1(d(_1?hHw`ZS-dosh*&;)X2~ADuNc)YI~~+_yC_kN^*$=i zVW=eVIc=v?7%7V)a$9~y92t6s)G~3>IOa{)<+I;9by*^%tlEPwdLzz|E`PfiVT~GN zRL6z{PLZNwY&b`u@&(ls)S6>LZ^!O4E=6Ye2UGi+1SfeGvvy#{z2%yp~&%l0T6{1}0Atav+5 zy^HZWP!{gDiy!54QCg&^+Lac2TIui>#ocCGmAqK$B9Z<1MxoapXXuaoNUkg1?JO2q zoRC=(8B>S+9u8xTL!yC?D(Hy#@<;FkF=-`~L=ruG+nTx4o!T+L0wBSCqoOjrAN%Gu zhpykacH?jB_!ly41q&(*Xz=~69RobSalZlO#j!yG7%jWI8T70n90Y<1)2SC!w0y=+ ztpn_*24}H3NLldGqpaT$XoH)eZ;c+lF-B|m337pHGRJRqYW00~ zpG0GQ9b6DOH7h?XbFSu&`>{_;JC6tSxl5Z}N--SGOanAhEidJb`Zx4et*=(*2YQVb z>o*nsAaPrDk3aqGaMf#x9llc9=s(lFS!hHU9V;l2<A{vr$-Nix9Gf`X%Gj-VeWszh4b1J2og`mGDM+ zvJntmvfe8R-#Yvyuv*}V7UV#v!mpzme+U7~O^P_Pas=l3-O{Zf9?G#jxIF~%Xj`~- z+T4X7dEzf0$|@J#wN5M<)_L5FJv)6RVa#6XSMzqcyNa7eMo2I|2j%koz~2q)gSps7 zVYCRyJE9?BR>>eCqzSo5j@0<7QEZRk(K8J*&x}_kD%bk&4m}1z_sIIvn1I>S%75L6 z`a|^9F%N5oN&E+8vHixSZx&7e!@&s%6($Lo->jQ0swtY<&jyE>_ROaT^yizy-*Qy35B`3C*~mo)=UroYAwW7-Jd_co=o0uOb|D zzX7eYMeu$ttXV(|V&RtkDI2t1N+rHG#>Gk1=Yv~8$s)G7Bm6u86wa_MfxnDstt5k5 zPc45{U0cN8Fv-&$!(NX%dda^pTZMNVD8^+WzAZ(l+v58#s#63m`n=K&Yinv0(eM(q z^b`aZ7&rs(cUwCy=YYTKa^At!rKaC%$gmvNM3Kq0$b)=&2{)!*4;mUGbkj zZ%5wQ)~Mnl3rFn&JF+Cta+;PtTd&@gMH#SMLnQ^mn*IicF6|dqxGWd4@;$oHgU6YK z)hL=i`(WPcz5A|v0hSNE5Pjqxdv&(=@I<%Mf$PHc6TSyL|5aU~!Z?A-Ti=x`m=mc6rHpU% zd2jSUI?zy3^1g!w(BAX+Do39=)hu@ykmk!s(5jG}L?Erh1_QV$vKqmd%uT&_@W+*g z-*M7Iv2F>0z%_aD62TK)fBliTh{<-`PUL~Jl^5>V6Re#M%&go#%u#K+9=`2iALEWh zknKKGb)Izk%IIUw$e3;69M&CMw@#EQ?BBgJ4F?Koc@k^lpyqGXZ8;|kt|^lv zEwD5D!e4SmFx6+j<+XqLb$Ky!siY8j%WCOc{;C@8>`LRCp%(C_NfH(fwmF^h_dNBZ zl7jIBego&km293KuB(wbcJqZJn!D=ogsKyD;$-Yb3yv&ow*nAiOX39H9&;707u#B} z4{+9@!P{WQ)~}DN2eAR6!c4T@#H)ir8UdOpPS84lY7GZ?b05k&e1QzXrNmbJHW$b( zHap7Ptp?aY{^WMOafuU!hr{ZD{A4`~T(hBuson%K{P^T^zKpn_%d#jK`7wC8UB~o! zVa0I2GvL8q?z;DM`R;o7u7$+j;4f~Atey&761Q#@(7-g$16khcn(L;mVLi``@9r1C z@pez;%c1|7qso}P|3p?55Gsydx(oQqt3JrpW0xqd$Z=E6 zolR$ z0#$kk_>JcG8E#joWZ_j9dY$kI3P|BgA%CAh=+3eENILV;ZpAJKf5mHfE z8^rj1E_)sFqww7}Wr3o19>YCDm&Fz--~qmpQSjOWPwr1#2>Zd5*^&4f^ob4ON05bVS8);r53YLa3LT`r+?^rp0IbP)zvECm<~;S ze_Qs-bJHI0buJ)!X&nlt)m`DAk?|VeZnV<*!P$ZOO&Wffc)l@tEEcV3n5gVG+2QY| z7x}cU`^eLyp6lU^wkvfzg<^R@{L}h@3v&y#%hsYxfE&6TCwc3ouyOMPH+GbJeW>6< zn5g{oi|#+s0GH^7?duYhcDiq(use^{-wy~+Q)IL~e`y^!#RPsAT(T%2coJH$w4P7wOk=lwtJ4!L@czml;!s zi`Rd=R1r`(y3Ch!u2?)5u1xU{&z;|%|+$< z9te;mX1k`IiHPGrIRzAY@f_demzLj|f*D}(OAj=KMj}xnzgPt?>mg{SrOv&<%8}&4 z`sTCUmxaD?0L1c^yxGcG`!Sw(L9ZE;BrcdWBTf$j(LGZ(N$=?-% zwQ1iG^a41S_;Qb?QgOkhA;7oKC=3(6nhHD?1w~)Hr1LL=@6RCeZikT9KsoixtoOq} zDbAM|pZh5f>Kz_|RU}E9w@dk-eNr8CVeI@DpDeHu2lD(0qv2A>;@j-?pXXvgrcEMS=I9;W}+YWMcHh(-tA^!eemlZi#bs_ z*S%8ggl*g%(>tX?oK&BU9aHTojym(O_~2F1huLMYKZ1ltLNeX?fA{sBXC;HCb1;LF zX0oFn_p~oZ7v_UH@nf&_Vl48iy#I~NpY&%J6&DkN~i{0#qQ~|Cln;hsMimxrrkfu_^@~O?9Z;*Cv9k* zp$GQr%Qy2X*rsI$D(wL$-N^g9s>h$n+`B(pjK{scv`^@e>_%)iZ@N`J`O+QmUt9N9 zxH{|kmySYNQ*WzsYf15O)wt4Djhf2MQU`W!ql7Sk2F$B*9sB+c3ik;8G*M6zz|9+> z7C->+nl+-Oct5Ez=_Db{+Mi)F6VrnFVXH*9zjb64V!#=V+F_gTvvT|1ZD;6|be{zH zMN)Ij13HkgJ?(u8I<=e&DYtbFpqoXIeuaDA%-WNZb#<53o2$GVFh` zD*G{;*%;Ry80gua)8GJeS$M$G<-*N!+;KhHBsR1fZzWT;xbJtLE-3`u(LB-sU?JoN z@a8W#s{51CxA)h(lfongFy9)FKQqn|GhA*vwvZL2v8ADE9UM65lT>{$SQe(00R;Om zIEP}FE1Xifw-vYmXYr3UKT-VeTDhb% z&$sD9QJ;4+y9QIh`YiYGnD^pg`z$~0*?m&>$XW5ON7;moZ%W-KtOc5_DI&RNS(0G~ zz>Ow(sQ%Y7`b_G$pHkebMu$6w&=b<0Sr^0tI1N z%%j3v#EhG5wQ-NP>o5hWZZ)De1KE}X?#`hjo*-Pi_Q1}) zv5MP%{A(|N8crYpX2y-y&~|HO3IO+2R$Ie%Nrv^93yk||m>o8l`)F#rMyf2nz@4uk z2LOpKy3KwkG*`iU1%{{|H0J9n)Nk+qhV~i zx5H3Ha%|+@w?Q@5_XuT`V9(By9Ed)EeIX%7yMy{0znqa(hqp5>N7|s z6N0WV_O%Qp;#-)tCWSGzf9ms@Z(T^r(mrMUQrZ~fSIZgA_m{>hHAVRPm&F8bWggbr z&H8kI+BKMS>xK0}==XdZ)hM6mtf~KxsLS&)(tB`nVfuV86cd=Ub~5JuN4ZN@6DF_c_-D_vNBAnX5Qw# zs<%Vn!2@8ptDWu2l#Hw%dqMMzemHD>Bi-ID-L_7@q^jxv&eMrROWrAox<;vN6>OKL zSrG6cBT-zJ925r)aGJCa@;DBX0AtIs<^ehmZmORJwnBr&*jwlibVtAa@)XDeFl zZMx?CW8KIio3?4<2bnA1wHa)mOIJ*_gpJ7h3@z#knnbRsruHPaS)1d@{mz&aLl-0O z_(~QM=Qh8Yo;pe>W1xf{qy8~JM*a)R`or#%FP3<=*M)4Vt7MDm!HpkiSwvtDN>C^n zQs!u0|D9hgAF44giC3(+kshb7t;-U^N2p2VDf_&u z3QWK1xtqT}XKT8Mhv4i&8#i~#=m%40@mI`T7w}EYlpUi$}96X59Fm^3}>9^1-{8w1i>JmfL zHLKTNnP#fk*?y|L7bM!y`*|O?*naSm;b%;xY5zt^dR@v%*pnz>WjA< z?Reo9&^~4~xio#?noj?lL1X&<1qg7HJzN;^j=^k&8CdKKjFE>S0JPAp>H{)XL=rD;p3FHJmJymb6RZ7 zoi?)?1K9@@M7{ep3|LXWjO3NnvY7jo{+*w9U-aDvW)Z(w z%*BWe6KMF1ewj0D{srAa-0X^Ow-5WyibzrLc~^*nV>Tt*`|NTHAC4VtX;NH2(mIq3 zWwGDv^jLwhFJMMT_!poSgd%gaX)kmcyso>D`ONfQ&sVKXH3qdq%TM3Otj&;lQKQPy zg+|r(9k?|k3ZApc)I25U;=@R|G$UM!Os2Dieb_a7rTF2&mun8`HZhj~zAS0L12K;w zFm8HBNz+?6oFmpo9qa~-_b45oYZGQ#QU>F$jW5wpr9~WllmaDhtegchEP6jySKG;2KD8C zx5NqmG$=cue2!G@CM5`)QdjSmo7|mmSsSXLjjh>G3I8TB?_1UNhuORi&Ns*zOIw3v zG>L|?oAzb#vxPk6jq}-r0pJ1JWVx zSvG>+m2-6m(ROpv5{)^nBDQfC`b7VlB7o7j;IWE-elORkrHgP23LY6_DpZ$K;*36H z28mn^Ot4M|5`~6&+}mCT2Mev~W@lYq`;D7&C4eY8jFg@rl{+Y>;rmJk?<<^IPv27G^Kv*JXd1Q51gdE2G6m^%aDS2#3pq}hl^ z^8(v4W7hjOnwJOu^T3&*nhfxl<}AJUoq@?J05;;*mtBnBFB|vx|4~Wk0mW?acBij0L{4Rxxx}S_GHs80Vq(iml89ZL4PR$>WKp5)m*4~;ENRoEi#O!|0xJq3-eNv(r zze(Hu+yNnW{g=O$N`8mTF5AF) zw&I33eo78}MW1EGi+Y=Upy;0+8z6BF#o(&vWbvDY`iNoD5RL(%BBB zihB_}N9MCh*Cp)aJ`Z`?1{*EXaO2o6{?1p_LwfxnlKe{@=!u9pw~_0mIp;g}F)J?D zOxhVuCiaipeM{-8GkK9T!mi&rl%gREPqqKEToBVdQ#$KeusbmXDXojk4jK7A)iYw=w~{6>IHVE8 zX@O)Cb)S?JwH@Xt>&0X?tUo=op1AlUdh6zXzFXg*|7W8?{g%Boakloeoa$?#JO-nV-j9@kC7`+IK2_IY!zhYL~S5NEr8HSLMdAjnee1@A5YB*MRzaZ>W? zNa>^eXFMxDWR7Q<+l)RHnuGq!m!{a-;h>(5<(h6=yQ+r)Pn{-SD?UVzx+XaQ(se;|4nNHW_vO_w zn6cl~_Dw?V>HOAgIaVyhDHdXQ09E50*jow>^=U{3l-V*#l_C;JKzBgc>RH`rF>Z{S z=pP};wGQ&MQ(^%oW8jXA<~~p{FOP>HjCyIEBUf?foG`L;6=TYNo!pC@i+~upQ&Zg4 z;a|R9_s4DSYYq|J4aKlRQw7iq)%rzeG*g7LXSd3Yat+9tl}{HvNMPt!#Pu!dkS>bPZtB>7$) zmAFN%+We7D<$mf9T$<)T0d(%5;XZn@d^?yl#BU`e_`S&C?isK#{pq1ezN_F1Zgd`g zRv7A%a+yDLgS^*j44l{7CMkPcv%DW-w9aBU9RWALb!*)?(!Tx1&4VE<%&Q3huc7-N zVYnO?0d2}uW^wcBB$V!;H}2+q5n^C(4Yk59d5Yb2K0O(S26wIpDw)i)>s@&mZ=GZA z75mPs_b*Hc653XJI!-YG6~pomi)7xi?Sc<(%#I=!50KqI`F#8a zm@j2-0Yuq9s|n_ier~g%THNZ5w!2(Se&AWUE!u+lz>eVmOZ{JFm|j&sH;y6+^X(J$f>8y1v5fS2N^g7F z)f;ZRrA50(JWCt8!K+Sj#>70%Ydk?_>>Sk#^bQt2(_})8U9O_i6#2eSLLR;4_D2y< zb1`8mxMn`(HUPi2#se`~+hlR9bK0547_o`cM`ZRar9b;>%2P?_ia~Svn;)Gl^w%SL8*JxF!W zuBF?x?;u^m<*OO z-C=nJJm=|bP&J(`O)VZ_(w5~h)st=A=5oH)A%aWZb z-iG$JGs~&mgPmK#O@b_%?Nvd@^5$ke#u0-q*!lhNEra$k#i08yRy8*)m`m`SC4#XM zT1@jV4xttZO65ab_debtVZOr&OVZtl1zqqzW_o8s!3?T96NK&Bs9=Cu9U-z{KOZ2e zXdib7|Aq+vEaUZ!8`nslwQJG(AHQkS{ zygAImCDs$PcAk8-qHP-nL~G!?e@^-LlXZDQDN-e+b8;JQ zm}EDP@dLhaoXpUfci#!GSN785dLYem9-Ipf z({!~seS&=i#t$R#(ngdr&i58Vcz1M_!Lo0#O}&W8KJX3K%)ATp#X#rZE#0jhJa;A% zZWNtTM#;6`C)3>yEG|E* zwK1=GAWDs!L%71{kqLAIXl^EdQK~SJbfl;Ve{`dIwkr5E?RqYumEWI)S0OM(fbUP+WQ`i z$*`$k6e(=NXA|4>lscs;jGd}zzq zwudafctv7-%{@EK_??qgyr&0QWEw*MdcKD1L}%Gpt?W^m00kHN*otu>Pc_~Hxj!JiNN4&7d~u0Xx*KZywsaAo!YTL&$!so6TL`PHMo;4 zzVP6DIBqQVOn414EQ6?~;P}+|`NE`Y+jiIW7Pnn_72+yYFS$@Ekk^!YhPXc8q~LWd z#@DN^_R<#c=+Q+iw{wj6 z&ePO~G)lUj0v3ZQOipw3-h0FX1{*UX8?~_{AO!>>9jhtbuBqrLuCwVMhVf&{5zE{t z5hu9%DlEbgvdLs`Gn)WXIuozDUH@bH-rwp50Htf^0HH?Hb#fyMtFnnC;K^X?R}quu zf#&`1dl$A!W$_7IeUR0EqAd>fqe%xRUK62=C*H)(>&w&9F;!{|@6v38`r$`;SG&$28L8 z_-R9Z-YaH0R^>z^6z4;@GdPAG()1{gnliukiIR=Mmj;v*b9qR}MsAa?`EH?l27v6P z_rz?Dh&`94l85~Lj-y`8@{wsY_32mT2SleXKi<;boZ!F`w(Md&V*Ji zIiFXup_jRK5*lvitlJ;IK7`*LY{nbAF+d!%poQm~etucr+sgg{E>x_<=oF!$eweCa z-F$bC?kG04`dm$-Z$EGQ6tohuy1TU2KO1t@^Nqj$csdcCeiYZdmpW#*yc6+9McSE3 zOApU+e8i-W$@sD&0DFs#c*}o@+=!(uD(WsI?iufqMnP@*{3M;|o{MOWuIq;G$a+fS z|0r7>k3M$<<2;sgqpJ&v)!TqDjvWn1l7PF=u`x>DM1rQ@j+B(zc!Fiz^gymR^vRcF>3Yt#1%ZR*!Q9{>09MH zE$iJ$Cv0f|EK~+3c0J);iN7E`(&M;(`e>Pb_!3=zFH&$AJCEIV@kQNZzdc%EYi(j> zET@q_?u&-ye+7O$OZa6`4AiVFG=Ip7T*Wf2Fqe3>fzKG}4Ek{l(2ISphBRn=F?eCd zeuuXkqV3z02F^oE@qgnOMGXNXN5NxMxsD%O&9jrRmncFrj{Z0VuPf%%u*n5y_g%51 zfN}wp2zXSZ01*4R^{3un%ucnD3$R)*oU{U1tBFrj{!?h)ewzegkgj61?@SJ*B&25Q|7O&*#^%JkK=Y*2&aqRVl59PERHGLy+3GYOT?=y`BEw}TYxWDjO*Z4fWJ zT`^wswHZ-j5vNdkcHZ#uJ|LgE0cahng*jAotS8XlD79Rhak<yBdyv)>~mDTunIGTPi#A zo}U2V4u*@8dqKjY>9aO!@8?yGw7W=`uH;!!Vb-JLjn=%JCo#ykw71&lLZ=>>GXF>*F7~g=MeIMDW-a+Yh^`Lk7t*_!uMegjzoA9kZYI zE0q7c#V>^uVzC6~s`t0&w_?&eT$&kvf-*9e{8dF>#~6vur;>MySV|n^a=Iba~q#Gqys>Ea7sANkC@{4AtSh#vDi> zPr&VleG|G7!rQHDENR&tv)YARZREhbsr26gA_(9bVO_(7E;+yj`IdXUR|c+O1QDE3 zfe!G@Y69C7Zm*Wj+a2k$?#g$U+AB;`14?>Sz$Ig#nQr)&wYsVd*Y#=udq;Iw_55tb zdKoX|yl7?9{#K!Wqp}tfpc?9A*6+{jkZB>gBYt*h9O}rzC=Fu_GD3-dt7;6^844r7 zldvCjVVo_U=o!l79~d$;_nxvTj7|2yc0zJ54J z42Vw1P=+guE@91-O}LH0w^6c^(wlHQ@b#K)5$<-pZJ6n@msuH;R=4lO3}(`vPbD8) z=*LQ*1Mfv=q&L|NHskTy^3PhVW!~Y12Yq{;xV({uBHsv*VAijbo8mu2vLZr#w}Z#` zTv{d*q~I?V`1_C={+C+dv2N+<@#IoV(||3k*P=-U4I(PUpdSIwTFF8^H_LzmMgZ;S z5GlvPcK4eD7lo^ovBfrTFV)Iy3=378v7;}E%)wR>JDdIqPmhW*p`P+-5uZwu*)m-; zOCFsj5DgfNcAHIm5Ct#0q<;`NL|(o$KiiuLSfg3wJR~#%WC-OU`E>7xYaJ;t{G#|> zfkdHSPud#mjuC;8>(a^ZL16+5DiTpSZkN<6MiZp^o@9$E@?V~TM`y7=n)XKH6Jm6o zr>i(_Wc9SZIw&n-s2V$>;`TcftYxnsvb2y+#{*29c}DXYS+47S_jVfW^~5;PMN5Zo z(q0Mnx!$cG|9@t=d#NfP+;J`=jM0JPH$00@d5ME=%wA#SgA+R}s1}If6<*$*4_lV_ zQ9(RVAfw4Xy&`}8v?u&mw_bN%0%epU8W(g;+r>mf+Q>0EeK9a1 zM&{)EAcb$$*mOfSrK8W~I0`^5877Fkd21dWzvBvw+EDO$5?wBgDBp;VQioaR*1hL@ z@kH^$vScHK;KyhC#%Xkvolz+Fn~hdvTDr?{%)GeG+1b0vj-9E;4Sp~aXf+=K)}bcx zak(!*^}4RfR?b>#kvaJ3P2%|vHipJF%bR{zYJr*_dGqc~t)50g`rDk{#qxB*J=04; z4ED;;niLlDN*Yi+G@*J2tBSw8PhKc}#D3^{U^Xt1-B|11FzUMXyW*ntnQex|c_l*= z&y9|=t<(ka3IqSlQ9Wi=zIjU5xPJ=4E_U?;ucW2yiDND~(cM;!KUBtz9r*gCCdW|f zA?ts+0U3VuYY$97!(yCA00n8a1(V^=(Ib_~N}v5Qv1yXF6) z{%N%*%GvBx4qSG9R^L7}MERzyUDM4!i3H!H zmgIY$`prjHFUVd#*whTBxGoH)^YdBnou3UJ)V!?BXpdm5h4)of2HWmUTZpmF!Dph6 z_0lU?c-AsgfzWNPccJ!QyxMY)KCw{m6?K9N>Zn>oi- zFnWaFBb&001?&5P#jvL?-H2M2$M#3Y+_>6~3|a~!a!CBv%2|!h< zS*vId5YQs{GWYFZpPN5Z;XR|pC=uHu12?nT(;Iiz-MO^ivk7{(P7LzADG=*9j@gZJ z^atB8Q%SS<^lYALsd$viIsCRsj8r#sHt;kDHhIcaMNmnE!M7A59-s=%|C@fC8KPz8 z(c3Bjot;$9d)Zg#SuS`j%k}9UHEwx6cil9T4!4#@eL)X+NI(pLlg$MV6Z=)Du#`q1 zskn^QNlfH6Fcp;z;ZB?Gd-RKF)RKBKBW@Q;Lg2F>fV!GCjagT}!Zk((LIGJ%zF-Yy zGBk0|x)F-OyIn)*+`gR(J~9ov5BY^$%>Xz2CSuk=1(Sf55)s^@=-jUQX+&O;&Q<$& zpX)U@p;dX@%a8CokAq+G4<%7!DgO0&DSC7NJ+fPaJ2p!Q=)~b@4qqW)P^WRA0(w5i zEk$6o2uq;!D|GN>@Xg{J zZs=?kG4zG$c7$&}(u%W8<)S;JM>A%%c%(S!X%=ik$G=ro?d!q=XUrweQwj}u6Kgb` zD-Y%g(X5yWdeSZBQ{cV8qYyf|?C39tckgm5r^95!qfuLVmONdGTZ%DJuvL#Ec7_G6 z>G2m63{zCRchgo}Ucdn#ijf{NtTQ6J?k9{HBRKLG`}2dslKV};yjL#N<-D}aru_F! z_>K5A#bil_0(qXyYk4}I1AFm@=tlUIvc_9@+9EOJsrwchsXIEezV=f#&ymTyM{n(( z-Tdaa>&v5==V#R8CWgE6XfeOlQ{4VIw;df+4U<0x9Q%EdDra7A)}F zm_3u4c4hE#Xw>SfZT@@8zkhaa@A60YU_FT|IA!b3RQ;AgDb~cgt#vw{cuo$lOLfSH zU5P~vD?tLiC?YoXvO$o__}$pWdMe(JAC}%m%STs!*fFO=vxq$yeHOmeV8jE#ZCnjy&U?lDCoXotYG)_LGe_p_Y^Ssuj_(Rz)ih9Wl zR$^m#{Pay+0RIqq7xfMkbDuH&cDxNhhv+6MPv0htWX6#?Bj9i*7T8sqh33n!4+fS* zPFhyLf%X7qXCTemvf^es&oG@OwP2J~8mmwcZ8}w-wKD8ccHmT(<$KV2jvgx#t-R3+ zkRn_BsV~2iDD^s8K$KRALRnyhSr(8t#s+d7 zGmgDvMCF~2xQ5|`9C4D4_4TRH#P}q4q4d{7n0X1PZ?Q@@Y`{C z;%AA}M;$$0yi8(&^Y3uNHCs9(dd6Z9Jkg9-6GS6B%$AmX902|`sRx9G})u`l);cPr?2>V`ei=1As!_z2-_ur zmY=AN>Ir64(_T@8Bt>s;%=5}O0y-3Qt5j_MNCP2ho=S5(th(?KkBeB1@<%p0275)O z13y|;g})?=FZ*`71r18@j)L-c%zQs2vGIfdi?(tdj{>-)bZ8-|o+*>9Jp z!A(Yb--Vm_sWM|3ejqPkkQ1O&cfxNUcE5Vdb45MR@BYL&sIBM3wL$c{}S)~ za^xplBAwR^ilC6k(!B><|9L%vfe<|o&5G9S5@UNT2{Cwum zDen_jT`#L02qIOb|A7@povQR+4ri?bKnVwBH;Prkf8!nb$m^DaKa#|kuG|)sRV%R0 zF{$cN=vVg>`%NqW3u*YvW9*OD9qD!t)04Z)5w9l@14O->UsII&Y7ruyahE0Xrq-N{ z6LOJ}597djUkYyh*jvk{J8QIGeD!E^%q%rqm22INXtuiMOw$_2$3|B1mPH`eo1t& z{tY-RfqDCE+;fI*02x1fm=;w(^aqH>{dq`X@X9R7T?)<~`|ORpW)=I?)_o)^Y4=1p z-o0FvE~wI+atR?qRU{h zC@$ylTW+)yY~6?g2Yw}W{?3=2F_)Wg@xNHMkBp-v#7pPYckb6le*5-UK`;WMS#S=9 zMHsKb2=e#KB_k88KD+meU&doL0h!R<@ET0ArRt#EZcGSVdsNGjHE+&;gQu$wFnp^Nd;3_W^Lx7d zTE){vUAqetfTdX@-D{qem7i$mEkt~%w7R_d;UV3_&J6on87lwlWxFUh=|ZFCGkTDQ z0dsAZWeyp__2H||%j>f`{$e%qfKhVzYIf&z$9pK>qHl{sERD~0Exz3P9|=N7o71%2 z*^>E%Y|l{F41zpX`k_~+cYLYOud&O^p50`jdi|GS!^T_EDdS_OHl=m5S$9#?zCkN)m2N=T=i7(|1sf85N(ER)11fFCPMZj!Dc;FmY2pc6j! zSVNLH)PZ`0Fx#xc8c(@8ia4m$Wq`#98T7s-k$rA1Zj37_VM$)(nZU!IHAvl4OVt^t z`nTQwO;O+9%lR=rAkXux+boGWlotxFzwB?j+TR6JcFSRwd0b5i{er^Mbv34v6~p`H z+?)qf`0aq~?4WaFBoA-%A`l57@-s+sOjC>ER-SRHc^juF*Ch&-l_&kQgz%!4o9A#Z zW2ZN>dD$1{dZAKXnLjsD@Vp2hA_Pl>&(h-*8K1|M;`a>*P}(zcLDU>=i8xt6PPPtF z37q$1sk}CQCB7V6*D}yYRveAzdfK>Hk(B__GZuiU%+CX(?e3GdF0r^9oFl9`?eBR6 z%fxaSPhvm_x83b4C3+L6^bXXCF!Epj5JJx5PFZ=nmZxG+U4W3@b1imR>I*3jd<5GJq4PpP zx=;^v5z!g%(R%ROut@;=b-3`E3m2Qoabt0BXs z+s#jicIys|w+>_d1PO@p-*KefDKf$kC4bPT_D*yB#mc8gq}N{xpGaeUMb)gL!b?$A zF{=@%kZdvOQ#~Oa=P?Dw#Tv3~5-GV%<~I0;RkrBOblEjs$5$)G5fIFp6Yh`3i+AZj z--4fs!ZmUKWUWvVX$mZdz#cy*q%DOuwBXCRl*u)2=r(@K9*nyt4k_X*4dj5;(x5&XNo@bMvRgtUoH)_eq4l^D zowp8}#0&a)E$J6%XLbF4Fey}cn~l5l6e^0?068uk)9GI@NWjd zTJ|HCgjE6AU+-z)j;^kYQ#0uU z%8)jR(MGn1ktR1UXBVEW$ucDl^<3~h|C9eR&~Jdd9&b$(f$nNcY*?K8Ry^Blhu!@e z*=tFDZSRk&=0_hIKdl2S2 zBHgvJ6(^U7ffp%i9EIb0=UCY0xi6yn!y2@^U5ArKGRjeD#@4S5RB=8=wgUKRM3l9a zAuxXKhjW%8xOSKx9v|ZAXQQ}!AE?&;*%c^ki&F%3O#xOaW%{SRBsfzsBb;L()7TIR z20GAiHfIW_M9;l!T~jUX#pS;UGmVbpeDpC27}ZIh2mv8BsRb;OufVtm17?Zr=gw}1 zR3Lp^LJTP&B@lIF2o!j=lG2MUOOzyFU|+{jz^Lj49+2Hv77 z_jqcWxe=&=Q#YP#N*~EcZ+xU_-4-6BE@z0$>kV;1X-Y)@^ne|$a2Bj|BdH3-CbqRo zJPc2MtFGl41(BFuj6TDKY*!a;y7gpb}3*AxIKSAk`xfTp{oDfcVlH-j{|#-U;rv zy0bOn+qH?(7%H208oRsQV3zLCk!RE)*H_^A6=HsS%`&fopVxQU-|YVNWjn_8$EM(D zLqj|K_4zTVcYjZZuHmy{zJ(DQZ#E7eNISHdR4(v}+;^Gd*yHj$A3qYqN4wi#dbb*06sN34xGV&#muE?ziF5HucAeFWz{w@n3Dif5dQ8b9?tl%#rk#(Kh z;xD48*FO_7l)>MyUyP-3x!)7i`nL$a-k3w8itp@j;)c&GaDuzT5Xd)uw^R#xW(k^^ zjqwumd*A>}P#FE=!Pnd}n=(TI!6T_*U<#y0^in@~onRxL2nf%jAE&GWYa-qDS`SO!A214oz5-x~8tv|5ZxOrt;5yT06nG*e-9ssAq+` zp>&O5A<@zRHn2ykCDJ8(7zX+h>V>?fQuOJ$kTMR+T=~WJ`lU;y5t2&&_8XtNy4-@uczZN#@eql0Jcg&Sy+tTIeXRcU@hRcNFuU9J(UvKs;T% z???)Y8YeNHf~i;^A3o9xbZ;1!LL0U3Yv}-fgP#iY{L1i=#*nUnD2?gAkjKQQ4uBYc zV8wXLJOYJzfbZz|xvZvLo8~GXS$n!P;% z#x~?u0H2@kspTm;Gq~@k`+AJc9vK;WN`{S()EPGm3!1=aB=KPZlme=aJ^+oY;*vh8 z&J>#B=~_jJYY2+;>uMR$bXjwtgDW{2Ar3J&n~=Nho@lz=jyxVlnx$u(8S&l+YB(Q> zr2K)V{@?2YyX`>UxYIj?)RT%8f?9guzEf1#ggPLeNrr9^gBY26Q|lUZ;W^)_7ncDL zpn_?|yXX`+PcNsmwry%BXkP-hAqK|ERhJIb_BTm^fso?D&&1NQZ_HM}KU$O0Om(6f zmVXAnY2# zSy5QlXnR_@DpL{Gs9OWr4cD)9vm11dTcgEA(&Deb=Bh)G!fi4s`qT_Gmn)vcA$2{Y zI)>7%9IJ`>NUCCCY=(=%=ZDOhJ|WR6x3RxedU{L`nT_9mbg?##iGJAi#YXldm*T_6 zpjH_jsI-snA&b9NON%4*K%aRA!3nn43a-z^7vtkN;6e-}?8!-{%kQzy(0xe9a?7$~ z`H~iRr(4x_M~Th<#JJ+!k4#6_#L-`Yx1M(`fDod5FN8?v0q2Uo2$LU4u2?G_h#L< z*Kj@x%Z44?Z3YJyIcx|_GWZTwetADUU589PB{Dw6XcpN&PIdkhnJD69V;oEO^kf+OqL<4)#Bq zi0*b1EaQKHgYck^8mnKl#(dRkNoGKOhv&?hBq&&w|>az~cb+jX>77OZG|3r@^m8lHl0*D6=8qDLnlS>5H|;y~tsS zg9f&2pYhng?BsP!Z1L}eL#ZkkTg2z8V<`E*ev4or+GXM)#}B23t4w=wC$->xyzgH_ zIFMWZe2=#V5qR%tU-leqd6c__%iBV<@1Kti*)6G#ZU&;i@@G>jD+z+18NM=BE2DB! z8O#R~0aUM<(KKTZP*4oy*^A&@rk-mrF2Ym=27Om)7DL|*z)MiX5(`<$9>|zIg`nbz zcUTX~)asg6X{7-YR$rt=sEf)nWBF_${UDHr2gnfGjge0#T95_tQQ0^5#+=+IO~DVk zg7NEUc~0Ll+kn@^ah~H~Tf%6HOLaV39S`~j^rlFsFr97i(BA=&5Mut3W8{Oq-WUd6 zj|df|j{vw{wFt=v?oxE)*xWo>@}K;sJ!Z2&*$2B>+aPIMXDg)D9w~}FC3dd3Z%FjE zLGg(G=jN19voUbPw$_Dt0$J7I^L#PC{L=)bYhY)XwXK`6AZuI|ejQ%J9AZ^B?4%S# zZIjP9`j#kkQR6KW8l3C94?&q~KcIX{4_JQE^MJpPk(%bV(_g0d2O>G-u7^wb*|pa3 zPBz~$A;QI{(G`aT z+;`$jA{Aunmr)1sR(Eq?>{rK=G4;Mr(}Fs;KEk0cLYj~*GmSo3+C8G72+cM5OHyOk zZg@<>$S2;J{ur0YA6c5f+l8aK%xxPi5J#wEtNu@nO?)yRKE@}Quf(}O-g^9~BJ((5 ztdxrQOsW_r75Jw=M<3`}~zxHSM4@Ya$m4lxfe9vdA zlf3y8D&RUq6GNOK%GJT>`FAMEWsAVzSR<8|WkcN!!KXP7`+vIt+@wB>?Df^m88NK( zwE5@mE)*wcXT|IgB77MKj1dKT9hUsaRBe+ZlQQiG+g03j?>6rWKQzYy-b46Y;Yfhp z0V94o1Mz(o**_75fF`1)UWYa_KcMSE@E6c__>g1?fP)gZOUA2!;2m&)8G*I3WOu@1 zt_7ewI0QVp=T72I@ky|{1VicIBpf&ClySYlinR3^pJvibroxxfELKm&oHW9AM{9%` z6pnh1S;JZ0QiY&fV?Z!_<`ppg6re643?!wRuF3rVnVmCz_BW6Jar$Bd5U`eZR@G@0 zyMj)}YAsWThZ&`;5rdA0jcxVU$6swH)tuNgznv+V*#pP-?#3CKCc(l6+(w8h-U~4C z7eC9sZ)C)7sQmca*BnS9Da<{t{>`~o4iGQToF5`d1RU8@pE(z-)`CsuR)JhhW9T7H zWdJPCa~wExjx<4_Y3*~Ys+URqm#J+8dNwMc=e?UHP6uzSM1}x4U=cWGRt-3v50qN4 zx;nk_R;RyKCBPL#SkvzRhh=}Q7alN*_4-S^k&v)#avPpYwaiK_vhn6Nd!fUR@s{o#ZZ6qE(s+-uEa`Y;o?!CT(M4QyBH>tQ z4qxu#oJ)A2C4=6p!lK(5zy8eHlx!1Q?J8UQh52=>N=D%Cq~(Fs0|v==QcNgd6Nirw zu&lg)Y$_Udhq>xE+%}sDitV-ez8@}%O4Dun-J;m-65FJFGwOt&$h;Tm z<>Q2me25lyd?ckx)9*4iso@mn&+d1&ukGHG%PLyqm2|hXup_1^zRo+otVqlK;TC-VK9;VLdCp= zGxFP&aUIqz5dYFQ!$$jF7HOjJKt(9URHft7#6Zg~C;LnU!^Wy-^0ByTee7p#VXu=d z7zZG|I02dKky*!l_A>mHH|d}T$$i3m6-VIwNYcrG9_A0_j^gpH zrX~&5T|>--0^j}n3xDpD*<3JsG`PA_AwTiueekk@*W!Uq(V^dlyDv_;`9{2j)q2}8 zfcRR_0}mQ&oL6VxaM|cKqray6+K^Xyuo-R&+-Mm@eCSK#)s(tzt*tuy^?ppwfUsH>1`9Q3Pjy3cf8?q6@rL3&uhTYj#s0q!x3TAvTe=08-@5GWK&zYJKtr=@x zh;4k|Eta2i!H5HZKTP`CALm0CQS|?*koYo2oFZTzF0lre53j>Ao#Pgee4SQZ&5UaK$Sj{(T{Gjm`fd2RMnQyS>Q_@QkeMu);_M{2d=0AB4*bU0@;2y4e zBMOz8WHF0Y!|4UGE70jlUDKIpl9e1YfNN!Eic-l=+7^a}gHZSNf3V6jw>|vYX>b{<b*x;_6YRf~PxjW5{m^7G zrIp;!IsVuGSPpFZz!E%(iY`Rqt(X zjfk*y`nw;fLYS3YOq&1j)gBVwd8-A2pU zDf!mD20HB>3oSAX;j6@J15wO?d_&WUFm~QgpHaLqDd5T}WxGS>syFx9{&D=N?kw;9 z#?lY}Z3e!`|K4Q4*OH{C6BtcBg^v*`K?N#r-WQ(&3e;a(CT@fQd!2pa8y!ceeXDCG z#7$&`?6?__A1%)Y3E*#J=nE5y!QvlJn4Y4=>Oh}&n5&ceC( zat#3!i54T_g(^v%z{{*`I-k7Q0|x|0B&+ez!b<<%uUv|%13=I7AK(pZsF_1InQlXA z-RyTI#Z@4c?4TiiVO9_lis@M-azquJ1<t7kR*piRl2Y!r$jk+EM6KssWB=EA+X&TGp2G(hk4SWE zfdTS`>0^+-F+1(iKH+`v+tlVy%BvR^;@DRC7y?{V<{5Onyz-{>XhhjWe*lt8uirNX z_q<>10sG922Yz>48|xI*UP`f`dG-m5i0S&C0 ziQ+%sn8lujy}=jZN4w5&9(DxEYP=Iiwh zx`ygJI^}zh7GdwA+W!;h0ANoyj3v4YLn>6@uC4zeMis&}fk;*CT~>#s+*6yBrvdF` z^+i9EzcNUZnT~A}F{rwQE6{lN^yJ%Hv6d2)YT9VX(7irrO#-AP42nCgqV+V zq33AfGnGeB89QT08M0MQb|$G*CQL$hvd0*rv1T`8H^a=B8Dr-A zc0S9g&wc-X_xJw((RH~l6W*`)>$yFikLTk_hk+`(x@KRtl}#WDzS@3mQEa{cNGI#s zL(bcaZ%uS3*u8*`4Q_Psrl*%nZ*az*eLYLn4d_tjP5$BKngS_@W1NiGJ(60(o_mM3 z(3^H9N>1rVdp+)B!(%X~SU}!|La6%T9sJnYSDe=1$OJ!ITy-N8G*(;3uxvV6aYH?u ztzi98fE^%w_l}@ZRrHw#{8{)r@9tBEw?F3

bZh|2n@L6ExD*HnPt0T1rpR_5%j1 z^gMSoR(&`cz9FfQB-cec=Gq*$A-F5lu&e&-WLYZ-IoFu@{YggFjK7-QcaFX<+Tfof zH?B>m#(+X)8}!1(Oe0+fqqGd59uQ4EyK1?Ked3*N`@f@<-=FLFA`$+rzPk$lN#a8K zi8gbwG()7bP=qJ?uhI0cug>QSZ*kXnna9T7*mLdC-7}z<=D&I9xQ^^C)Jb__v+uyYm#fWk z2Q-{9jz@O3M&Iym&nWYpvwiK5_F)NtR!bq;_m93je%!9v@`Q1{%cDH**W<*c*I~}0 zx6c?e-vacM+`|&#_`KnD(ZJ$w-dZl4F97!17UW=z%5L4;R-(GY(y4WX@aKLZA1NP! zl8NsvPxZN~WWZNUy;$F^Rt2%$f5ZWi*QX3?dz`*~)uXcm{OotJlg{fm3a0%OcIcL4 zr>djAc7(;XXP5?mCZM-Klq*P&2gk#vT4KZ#^dV#p?MX(Y-cpHIp)>LVM^kzg`HfOSvx`8Etw{1n2u_ zoOw~i`hz#thhrvNbzu9-yRLdJyvnl%g$;5n=&x4aU1-#?$T4|kiTd5;U7tzU5y(9w z#auS6;$@Fwi9N;g~_(WWPyLwNH)AH+T2E4Cu^j*Qlb$=y}j_jg{d^c9= z0u4R_rDxDHkEL+W zx|C+ot&+D&=DpwUXx9)BwkV|ut{zwcQAt4V%KWu7$WUBtulGrVol3Fm5@|6j(GEnn z8mY7fU{y!j`6vz1-O%h0TYgm<1b8D?v~*xQEdQ+XvI9VYN2tc+_8T-nufs}o{AkI;xT_9_YWi!wnqcO`sHUTb_kU_t z7!cm_tC-`=oMmkB@FifB$-a335OR!- zylbEE=jSYA-LeWGm5qPBU+6=p&$7&L*+7`d9*KO}tg?Rh9euf0GFHjRB^k#x-OJB( zUzLjMoEG{+we-s-_3eXJ&nxF0!641CyX9rFjpts$ zhiaoWg=TuuiN;q9Rkt1Y6hGK_Jxw|IZ0%)5>G1+$9uvTKtc7qvFFqW8L-*n5PcOS|(1*3UP*4HuYXtY3C}m5&xdk`HSe^8xKgx zWzM|cC$zuF`oN7X56(XnQ+}i~iyfRidpt+mI*B{(css6HA^OO}dvjLU!a%dI>CtPk zzlHU;Y$)4k5!1pr*VF_A*CUuL$jxh3393DG&D_ev>Y~!RV$~UK01z7K?xK{@QNgH}@Em*x$#vceXLOo2I!gEyqG(D=M)MZxXzXe9mvvk->Wixu-qpFLlyBE z_RBS8$bhvfzx<4Ex0B~Tp1aoPe-IONN`$c*k@VaClMQpLZ|KPAX!4Pt}Fp`OZ3DdeuNmgztOFt(`>s@_K-6S!DxHyVh3CN?@+1f9lD8{nCP+ zpL>B(;>-C;2Tp%@(zJY}L^|3e0DymJ+%^rVCuhZXx;VeCYCY|}`^6X_PV0y$EgFs} z`DI_!V#Rzx+Li~Jt!cW#`t$hQrzyf8YWUfK6EVXVFjZ&nv_IWr^IjJ)v;#uPA(-$3 z=c1Yd+rKL&4$eLPwwF46v-HBYa5Gg)R>hwOuB8a_3o71CiCW$$#xIvXxv@M6Ir27M zDEi_-UB#A?knYn8-_mc(X!U28J?+zTFic9**IC!3ACxhpg|7nx6?l)<51V)p-fK6o zgvWf7i)L&ST3UcGUH6d)H)ELl|NbEv7>Cju#s>cK(m)9q8V&sA{zBd`CJ>tcSMy;_ zR7UqFBIjSKS&)3r18I$_ys`~?In?a!0g2(GV&1#_X2(xo#`cOTJTkG8+ILWc5p-qD zF{cF>M!b{~Z3VDY-t61HrSe2g^I-^VR|W)7yycBq(3_yK)Gq)*rPrvri)`2Q=SaXq zt%cS^Ye~qKXx|U=(f!Zm1N(P~4gCJa*?)%C zcJ>b^g3u$A;Mt;AN3(cASGvX(T!L6}=D+l$Dr;c+WnEUkn(e}sy0_{8ivLR3v1P$P zNMEW=VTJ43=xr*Eaq{r#q7tjIn@8rNX2j)XF3UN;(A5o`a&l86_MtFzHzye$chmtg^FG@EXZDCj()6Q?{*10W2DOI zg%+xRS|qiw^S@2!TG6}Mk#9w@+R9W@*6lIPW@@-Pz<-*fJ;7dE!}y2hbDELYoq{(I zSFz5FFM2*Ti6iTzd;zr+>awwzh0zZ?r|szEdn*&r{=PeUdc8&PcCC@UlMc(bYUZdb z@vh212;4axZu7T3mo=AbE-Rk}8*!P1`{klfitU$;$dVoNQslXTkOh}+iA-J8wpk;q zqBC$#B18HDda}aEZ+!9kc4XhA*U`=4fGgn1 zj-cEAlS$9vzb^r7)9IcJ&7Q}N4$C8)&H!!X(W!X&7d?HUiIyQHy6FH#MLGCZl-Yod z_{yGE7hrL(Grw*a1@5W(o*^)RjWuM1Y_16PPPhJq`9AMlHX#+FIV2YF*>XrR&~|vZ zx5+`Cqsp{?XsEq%rp*4<$0<1N#zT)OBChXy)ic@vcfcq~D*Tw~z$j?!3~J^mK>GRc zCWVArEgxJ=7yR~NK&W*Hya}@whD~UOxet}y@!mr@8p6{f@_bL(jwcG(iMU>9OK9^` z!|YC+blB^yC-1E8F?Y9St!?M4ty~M6zIOE*K%(nWLlfwuXEOyi!fN%Dq%uwf<1XYb z7H$j{9>oZ^+ogNmI&Qtcs81qOMk?GYQQe6@kTH^?|%vE0^Nv z(^iT*;bMAm$B5&(9(o(EvatoiB22GcZTP5~4=WG5oJpAJ zAPp+x>E;y289bKACA;~1)h4gijh-em#P-?(0|v* z@r8ZWMG8Zi;1j_&ic5oaC=U~ZpxZ=g{7d%oz)Ep9FSO?=4YCOeyPWPh5E&2v++4jJ zjH%IC0)UI@p19B@CX_!3Ev?qZy?A-{5$ShG4=8=bLm~anE@g|F<@FlUVyPZ3WZFxs zxC>wUJx?>}yauxOh1eWWiLUSk^Sde(#C@ZAhmn=! zS7|g5e;kzkRVeVo#n(WHt$SpXvnf>$8DHMbbGCt`U(cRh<8qFNj$~kx-Jpg&oe-Y$ z1<`}ZwF#X+vf^m#Vzo$OEw%iC$pgax7Zm z!;US19_wxRi^E!t`=+`_c{9X^P6l&D%jYN}mFMo7MOy^jQ|=XOOy3b=oY5C`r~H?D z{c6q5Cwv=kf!h7TIz64;yvgFS1}l4~+*K7V0vkIx%)D4z==`Og)wpSsWk;Mohhlmi zl)+4Eqk@}#j*j5CY$B6rql()CInm6_6{g8__HC`ZS9{>!&!;8E7G)X&N{{&*BxV&G zQnif+bijiC>^v3$_|Ae)6OVQycl75Y`KxlhLchdN09O>Td7Yh=GZ?SwZpCsJhd7X) zTlav$w1U9c0icguJ5kHzSoGxsvWLR6Y6w(v|C?XaF&hHgCbPkML%GVVi-K0h0RydH6FTYt#bN0h0;FFFw zPKzG6__;#@8AE|HgGeg49;0o>mqo`^&lRidvpLgxfAYfGpr{kfrK@Z-TOP-5{Cev* zfCXCaVMPoi0V6U)oa+0SWaw%dNlT#B@L;upng(fGzrblb>m8<}jPt&}xjds?4UoKB zfp6b1TgO5eInzmV%4|n&UtH&zN=Z!t3hh052K;#FW9Jd>+69~{T%gFX7*H`tJ}q6`!l{MT-*lF%1;jJ>aM+ z+c#RM^`^BrQl&gnH`tcu+!_g>PdD98|R5>&SjCsi9(m@DJo#06-@Ie23w$-e!~A=MlihQ1J_9UA@$S|~xI$U#UmE_c@F3i)%> z@6Y88^6omD&mEWR7ZqcJ!)+dQB9$gD`c<7hK2RxU{aX0$@>gR$!#wj_-p$_^hmMgt zZs+fefTz@Pfb0Es(?>a{&$5v`_)h-)7DIH8;d|%x!M=i;x%`^BKb7CVZOXs~4QV5H zPpjhAhpE}K674R0-Zz(xZ~UDzdQZRX``5EbEM(WQV~Yzx-2w6RIz>SEq|XxiC-^d~ z9DnAGEP={~ke5 zv-oH^zhB$9E!L>mAlZn_`?jRgJX$J13yN+mByEPozh2c{XZf+C7FFB2pnJo<OEN11l{IO5;1uzub=gVHWsHBY^^JPR69Z1C&JtJEAB1xsE5nS zL6;A~^A4leHRz}rCI4QDOluJg3yvw}rr|hge&-;j>;@>WVICb@ZS@@Z@9Q0$-W9{p z217hlrn7ccFb>3sxu@r~jVs0TgT*>`MywKqW&f-?%k)Bq4C&PbA)7l@PS?^^YVR@i zT~_tmRn7#h>LD+HyB#8fMD+w9Y2>jQVEX;)X4Fo$kzGABnr-pz!TgiAfm=6y3%N0tpSsP_rBBm~Zo^tqm>@6Vu=9SY`Fo5iw>TaFc?yeV#p z$K>ZPAt95r@6S^2UaN13{B+{;wArx`A$Hw>hI(d+Q1>`IQZ?8-C(m5^alf3`=jH@E zLH|;!056~HHxPoEzq@D7P85tAdc}9ds*WTEb%IM{$B^o~*r_DNUUl!kV*dF=vY%HMHdK}m!MY93v$9<2#amf~-857JQ=G z-mKyjQff8F$wKS{u~+4c6K|#SaBsR#~5;B z^LwD|Na&}Dq+AK&8O(|%=EH<7rfuZFCDE|~^b&@Xf+^?D;`p=7ePMJ3%suAO(UqgX zdzVjbZgq>Vg zb(14T_lL~>`=y-}vjz$CCz{yj)kckvk3gbuLa*U%{8#0|(rV}nEc5v33gmVuH;Y!E z0Q!6Zx-0$x>s(qAIC%Y4$3?VQWl(>TiV9~pc?RE*ZiITC*Z0K)R?fIT-as3kA$n<1 zS1$Cww^2Ri73J7f?2(O1YccX#psvR+cHWF4tj@sX)KepagS79vX6Wb_mgu3R-9&fO zKNrMg<>Xkwo!~j{R&anhOr}gN7z_b_3B;fDLMO;hW8{e)sMB4s_7aHhSpePtz zvq#ooE2ib^HbeMt>Ho4r*@$Y(a6{o0@rG*7@&cGyxm5AjsQEWu8C~Lz(6G=~0}&N5 z$oc@OAdFANgfZXRpzjdO0P#Y~=QBO&Wy8=hAlcMIYr$i8_mf|yd6N#-xeTOAx%H^nO;y=Nr4&c#D4^>%qcSq=wYhp3N&Q4cpCEsd;U9njS@(5}j9zEcO3l$N zK4?we&DQkQE}_81Ks0xqopI^x-~Iup$M3SXZ5|rVT+=9En;D=;neW1V<#K&v9tbNw ztrl46_hEpC^Y;V9GI5pIr5ke5bxH?mfN%+#39NZRI<49W7&a-S?FGA!vLqvvg-9d0 zVSSY&CBXo^T@I-OXbVf6kXvGzw)e-)Z3-pIpn^S*&Lx3vlmOtn$E+QwRanviq+zh1%qB6HU}LcGRfYHAJHzh?9=*!$Rw?nEdjhvtJe ztR)$&)4)xXd6daciZz$MF|r;70TwD25*qDr1Bx5bY3q3WbP(}2dV)b8St9J~VCPyn z>ZwGIIHJ(7w@B3*yxc;Z?bDuaV@eKKLVP$>w%0B2R;XE3@QTnDw|H0i@UTWXlF)(& znniBu!@6H&8O%RPim=0NIARi7Na>VferAg@xdkY0P)YlP#nh;W68$|<)dZ(cZdCcY z6GHqjsc_e`KiK!?p@-5UL5{$L$OCBIr zSFb!Pl(gP_XZjIxOliF=pYup@BaO7L9|?M}DyDj7GezKN!)$3YCZjZ`Cc z?*(5n{1CRpOf-ZS)SgZ6mqnE0{0t~hQi@YsOlD*~R!GKOguXs*w#v{#BIx)$5rJOF zbh|C2in|dA638Y0?Tj|>7#vr(nf>lY8e6bMB}eXVe!E3t7#M}j52%_{Yo}r`GuW_O zOs0!~nFGA1{j?ylTOXdw$p+Q$a4tI0i^;Zqw3=N9UK=j1047_=YgK@3?Nvbacrkc% zVqhO_fE4CGozYoZT6$FnJ$wEdFcn5Gw#DP+0uy8vb=>SWXYbo@%cvR^&8TfuL zzQth8_Ogl^#}1|;?dI_qQ;^un?T@baHbX2&NP*oUzWqvM+h~FPUgH~n5z042}Ecde5)+psy$d0;k2_$rQuK>!*q3mi8=Y@Pij@*&1f+JU zNf`wsT}lIn`;RyGLXsv zyv_I<*`f*wJDVBs_bW<;2gK3G=o&qhmbjhO7Z|4oDo@MEf6g8`#C>6>r@^}CHW|MS z;A3m#xkI0UFQa;J`qY}kq}*EOK(WV}kG43z4$8GSibFT=M`&a#viiZM`dt~gRT!Lf z9jte1In}r=Vho$wQ%ukl6f}ucS|1as&Quul8FEU$&b~AG`^=}JV`hm48}R4-{d)3n zGsFZz_!8K}3k4xXfZQ+goI(^r%~SvZvUwRM7ecnOy11fC;^3Dt%no?wd~sI)z25-bO)rCj&F;6+-J3GDY*|Bz~yp{`#^=MdU;&$K$&4 zU|^)v&cA(yY{Y7O9k9>q>STOhs0h1M_mbP*yF4%(?Cn1P5LZJ{e&?rUEa%zyq$L>NttZRMe4^;f z@{FIh^_;5r&`As7wZ_|Fm0VWbY@x|{hYoESCA+wB<2;B;=3>${ij*23-&I_gU>?G|6NcH~VZ@xPlkh-3)5hH>KF` z>xt9*vmd58N+5-*Ja~)mpkvJ0{}MlG;ub*pt(hE2ixP!o{D*G=;w36c2=^Mp=!Rjk z+c2Z_AnxB8EO48tDiM=Fh9^v8>8dM7jvU;IzRWTtye^ALJ9E&3n~_RC{ZR>_v&&d< zChduF3Nd^J*qmm_?2^yTO5=7+F)wsPQ}xJt%F6@su*AgjRHD~+jvnph*J+wT|KpnFkC3Eta{l`bh5#jlXZ#Ul(o6_|zD%+cAHWw}u`Blwb?(=;FCQ z9dDL#gU z%%#Rlve#zl*n7lI8+35K85V56AQu|VbR?fB^k+%bFmU#xcAm|4J(=W2tiCQqPhd6) zcSb!QdiHqCH(H$PikH*YE$l8YD;O&wP=$ld8B^v~T8K6FFa5&~7SPZK3Gss&%z+FH zfbB4*#&hoEbuQ?Y&Q}{uyg8eRSayBycHJk$d4c>n3StLwY5=n}SZJ00}a^Kni+0DY8&Y%IQHQt z>27aeUJ&0C-D#1guCV3uRC>c1yt^}NkhWUYF;$QBfJrg>-zHwN$_gqPCSp9-fy(}kX;R81Ys7ZsQOOd93)~+ z2p{_Kn2bQ%XcL6@@82&g1yuUQ<-+=JS?N4;C+!YV9-o1IC~V6<?Qk zMpdJ2n~mpVzjN_z*ykDR`5%L{J%aK0M78f)*`jJ3T0r)EhAq^?oermDlLL?&oQ3{f zya8l@Hro2mq58L9LQ^@9r>?$+?$|?dNG-^Z)UjIV=S=)F+OqL8%@i2 zs2IADbF3xQV?M0`925sX6IcAYrcpT&7cxP+S>)jgODsAhelfBcq&%MzXDBrCRYgcV z=4V$T8<7a$+43S0Zs=mn!~a}EAeQKGo|+=;K<@;8w^cG~`H1{K}Qjp=SO ze?q2G*K=uZ$crH_@$H_VJvC%dJJYx|UJ(Z2$@$D#07VdfHYjclpZzc${~nr*(AC*K z`JSXcU{<_FkPbnoglF+Tk6T~qs9$(xq?mG*YX03;J}U&SEh_d992O1fm963ic~slm z6cvXRkgmTmyFu>FAi)6WFHDwF`9cGGyw3v84?2X??VJK)o2EjIB{2jo75`TDa5eJxpF02V=R#Cyr!$yvI|L9KsyXKIMkl)E3rb5cNQ<~87(lu7C z{-ZrVTqEk?h#lIWT!CRbb7dhUXtGt25jtRcxKo z!K<4-BE8uy58~HN7{w!@yE%-8zLEC?M;x{UUQ`p}POOjXU@|ogKVOJzuw!u3t%i;r zeUZ(>e+LyWOx$e6l$BV!BxVKs2banp8}{ZBw4lpaGnyG7_o#}VOnJ~(Hj)G^<;1w#SJ5G@|SDUd6ccQUSKyQ zub&({GIE&JOw{wAXoIeI!d-#z9vG_Bd&6dQH%{ku;W^Ak6duz zY19UNIs$h`3RFx`vs8OS=4#l3MQe)avUWpKe5hl>j(r(H)nW$P&Ex3)X2Lbi=$z|~ z?e8?Ph%ur}-*9&QU}ximjq1EHkc(c3m4%}*C-L=WhRaW6_9Ze?sbF1l7Tia#OIM@u zSNyl!O5ZqyGzh|5=efE6$9Xx3ZA$ih+r*xB>-hi-jH4IBJAMjio3@t;d<?k-r9k)gq!9|JR@g+Q;bdFP8#r|Ip6(Jw;c2FHnv6jqc#0C2SW>M@?UFeb z-gHQdY<9y{R|PtR4UTBkIzVP`SJ`j`nYsfx`-+P%dyeE;ymvL!hP)l#pm3SwiDs;F z-nTEL2MS`J>hl}hA8?-P7O3HbYMN?e3|K!O$z5r=PrzdCYl0OW!3SXHF$SodypSS} z^0(!FOeq1YU63CmVgPy0zDI{nP6I6;&K$tV4j5AX@nfs$b-=QMK+!QLn3>U5@HvTM z@TECVAD9g;$)6z+ven<0VN~8cTBF0C9;*43*FEI&P*8QKGq@N8A-5!aGR&*KnsINb zI+7CuOAR51NP8_jE7vvw7O0i&FHL8ZxjSe?l`6Zp$Vy#r*F8d(wzB#vF5 z@MHFRx56y!j^K$Jx90R7D?RmRGAp{|A1y$#G!9F~-gDh9jSXfoJE2=Eq@Z-+~z1E)vsN zJm`&8?K5UfebgI3M3*5EHb>Dbcg{Qn>b&VaZ=0BX%mcfD1e!KY9!GipM-L77-Iu#1 zE%W)NnHGZKD555c@#~Ogun|^BZN#ypcI+K~&h?dJ4(*}E37M3ZMDXYGewEx2-i#cJ zO}}KHZ%DoL9uwX*9^2phn;L4+E;=h1h4z&&@oe1N!4G!^l#Dk+27cKB@LPb+s?cruzwcL( zrUdW{!bqQH7GY*5qR^Ka@O_Mv1FH|>Bi_I~p0`}fp>6}4z$n>T>1&J@8C?aiEjiC+ zJJ@8UqlV?C1W$YhFJ1mpY>#s!wxL_($6zRNv#)ocem0+?2f~Pdsme-li`a=$`vnOb=`?Ix~sBR};Z`ITxC6skT zY1x=+>L3mZsituI2}(Z*SdP zW_~U1r<85ezWuGjp-{Ij##)z!%u(dJsZXO$Iyh~0i%wwu9KaWJ=ob5--zZ_}S}4~K zjQ-5kMTm|XFQNMsc{}vL=T2yJi@xgLH8TP^!*Y8c zH0J%Po^2+=xIa@RgvcpoxeYN6u?KMH=Ud{&tl~r@AJ~U?%o)cTm*p>KuuE6-ASKay zG6?t97{!*sitKL{&EDMfb~E;5`$-yZ`GJ}mQgceau8*~C%zWPu_W~%A^FtM@{a&beqQ+>KV8{6ZHWswA&QLljLnD3MCT(R z$*l=e;7E1N^wkCASInC|Ii$1e!;Ns8J^nCCCjNbl%!D(P(W{vPcA$K|hFRe1I`r`M zV42lBYG!0t3FJhjQI0nL$wdq*$I3{Q5KT2M9cn5(^!@aV$pg_}r!sUPg~oVhs**^y z&f5`j7geY5e`x{e4euEpuzJi+JrDJqqm=l2kS?Hoj+q@X0Cm`D-%rRKu1C4Qa6W_)jIQ&Bc?4K^KQ&L!& zzX=2?3pyp2-u>YC%)}+)w$>TO!A5kq;)KrJA{VE`l(=Jd8$1|jh6HC6AuMb_yF&bc z2GLF3$@ZeebI_Hp%BB&()!eTI{{h(1VtM)`h0D%J94LOb7B|=$KZbp7xc0(`-##p8 zR@TKbzr78(iu7Wc?s=N^?r~(jx#DNl_B@H;Msf4FluYw+m^xV^L}j!;#G8RqS6S;i zl1+><32l8C_GZ92 zqahP99JWQq503_XNjfYN`gCqnp%h}(1b^FHOVz=>3Fh4s*v=aJWl5|2?Y1|Ohq27P zb$K1y6*Dis0RitX5OxlbdvkIEB!2RD=r9svI%8n|(LaU9DaS3neoG-|Ue+h@q;%uy z>X*+6lhg>h+oH3q!EBD94nb1by&+L~rsyrqz>q$rFN0W!hBWS{xRG&6Y3Skg$8;;B z*mw-(^++bk^r=EM^$h7`D+28o>&81yosh4KQ)vN7)|72MDX0HqCG>A1!;jDX^D%3l z53k7uczgiRgM^tKk0SaR2o1L17~PHjodM2)$7h=tCh7TmMuUIvr#LcB+3!$6_)?B# zD>eqsJ0MxP$>3{j4RRl4gs(@k+$h)VsG?{{yR26DC*t&*ebCOnl8u!`)Pi1`I;`AO zcXsJT;_0BX{*JBfs>SN-el=nUS5DW12u;M=R9asn!RnKlY}c$|@;n#+%ovMEXNKOI zF$3vlLf1Es$TyQ<*3` zEUzDLksXw%u8T#iliui34RApp$FbJ*&>1sL!V)-U2mr!7;RV7NO0OTn8^-DznYc26n)2kJhE>Aw@&D>O{-@_o zkhmZfUKS5j(zEav)U!El$R)p1iCNBvJl3=AGCk9;G~{)Ta|`Os4agB)c5uo-0-*Apo)7Jfp3uy$Rr(>?w8&X}0lBofi^1KERYhNaJ^#BkhY_oIx|9#1SOtk-r z1S~|?JydZ1G+2v)B87Nmx(NxudgYCC66lNgZ#_Mhi9m$ym?_bP<+W_n6|a#=%u&xE zbdX)IwnoY#&=bU%WycUt1p;-uOK?rnZ; zYIa3`CLyU^m8|rx#JeC8$0SB(xfKw2RjcE%GVbq<72qeQ?l1d?&Ctp{N<$i;Squ`GyaXZ8_; zMM7EM7w!^q-V+=`c!SmPrvf0yj_Y8Z^;K{tNDy(t9Auh{t$(!>F6B>YCd{ErXR~wxiYXZUyjX&ka#nJczk_Vd;G#5p^84 z%I~#`z8R?Q%l0AL$Gw6C6iL@)wwZo zruv1hj+6aWyMlF~P>GYXh=d?yn0si~3{5xhUMG7y09n*WJuj=_v_4cs;&uDYDyjA2 zrXe0a9q_>pHz|bl8WYX9d4^`*dR}zQZxhlYCPF(2KLIK~2e$vl=7A5GYTTXa%2`&I z!>Ix_it>}0iysodY+O3Jaf#vUHAon@0`2neLy3-E()r+|rOU7)5*W@;toBK(L3+EJ zJv)uX5p$CWmp(h~nx!LvwS|7?vPecrelEpjK zGZg#_pDAFZAQKyz zvg^;94u7XPtc=v%4wSZQT2g2@84_tl8hKqwaJ*4)TYY{q-wvnjlLmX}g`U8-D0NT5 z0E-LunQicl3uE8K00D)*mM|l?k~H6?*ryH&Whd{@KGxLrbAR$@+~>bd3#{+g^$M|L z#=S+KgKZf{x+^VFJFBgu5gwx>SWrXQFKDXWWY-f+g4?nKry~LfY5ZVCYZA}W1=3G? zPT9H25(*gT-gm%DQ-A>$GS0F00J%ihqGakr4NwjuRBKS^72MOiZ)|s`4;bMma=xK{ z(;+Flcs06OAZ=Am$j!pfGUJT1s~>kAq3B{E%?>-jB{yAFL&y^I#_DPz3lu{g0~mcA z8*^PUR8b&Wp3ha-bg`-6@ZYpgs3y z>~b4Cz~ufo-27y$>u4{`0$vpY>vh0WdGiXfrIb~S*mQ+sHi*f|~{$|(@n%GwQGcfbtzTuzK!6ePQ;|~=ISj(e=X1RMn z;BR>zAw%eU1Ud9jT{{Z>`yBl=Wx)Bc2RHjxheazE6l6D~5Csb1G3t>^?>{T3F}-9z z-un{VES+-N1LHYW3_;9KE*R4_a6qS6L2bhkXor;qVu^Zf?OaM}r%Ao{o&&~e6K-OS z_=NMt{zcT^op00_-4j}2K5pE5-$Tceu~71)g*%0V4QR~JfS)#*dAlpO#+af^p~lS& z04$k4CIMz)q=VRa3rHm0h$Kbm;*pug{qiIw9rZ~rpbgCi109|JV0HZb%>Rwq@4veu z7D(?WlgTP)8na+#fo4A5-nqJMug$p0Ge~zEO7-7s+(74@dlE8Tz0?? z-f30s6uZSg%T+8`Njv;*ko2o;WoPB@Jkjv@9rF1ky8@j!XgQ6(vh>ifLESsHP`_WL z#S`KlUB=(^vOQ5y1kYZBj9U)r@L9Ol`A$X|b*z0WXyrw28p$!co0~0cscWKV9=a3b zpw*73<)msS_T$k&a${%s;(wb)I5O3|lV&R>`OB9%r{n3Pdo2i|QT3G+Xxanzptv#vvv#)!yn#YJDP%U*8cHUwsdFbM(~6Yzl4D(MThe(FYlA@b56mM` zDJ|+6=>P38j7@EG^zA;KuK?)WA{FHV;>R_^&z{8XjQ3|5(+6DEGZ)-m6t_qO1!s#-eZ`A%YcK;ioX-CuyN2&nrSc3{(4TjD@rX@%|*q3po zyXS!v_&zc0$RefQ8?y`1Xt&xe{}37!Qx@txK^m);x`}+s zX&XG#DYp-&N^Y?M>jnEZ>QaK2(&*ny9*_NT6Veg-+lu?@yKHx(0&lO}yQ}@aGq#9Y*CDO_0+_qH)a*mQS?CJy zkojyzaV@R!+fq3@sSbTmoTj1@;%N#+_8Il2WK z6#^F35HqL8D^B^B=@%(T@V*J?&*l-%LDT<-wC@aSa@*F8h!hJ|1Zklts33?)4;^7C z0wN;4BPam@DN;g{UZbMY6BMOL2kE^=qzi;lq=XhokeU!eyB}-swf5Qf?B}d??)??v z@duf6%u(L)j(5Dnd&T~zaQJUu|M)*BTvj;=u-X36Fy#U*+o<7=YRUQ5Jbj)?PcNhHLCRH@ z6e+%Os|M||D}n@*t>7*#bsqfKv%tQqZVq_(g6SG3Ft@f?v7;3Ut~lmpC+44lR=sG1$|{6*Yf2FB(T{`GcNy#k<2oVxMlrvwle zw{P~g9SV6$4}DO_z5ck=-6%4}@>>wAw=>RB;u(S{cqIC3!^?$d%M7U)VAS~ezJlaS zuo^F3BJITxqtz+o7`*ZN&g45ulW7@lTO_`ulDB+msGrjI)q{UF?{pGN5u=NwxW8DO zn{@=^gb!)U^nQD7XQWh{Pufx(Pqx?f{*Yp*t(-7ph6mGQg z!)C8sA-veVy~pw5gjYQjU*2RN2W|Y-bYN8lTaknXD*WLHti_pfPq>Lg7JhO3HB>06 z{%3OF`w-xfMWQmJ6Q-_E5IC3TaSH;3<$#Z4@qt&+J%nf*MHwniJzezT<%Eg=V-F=f z<5sOwzJK*%R0WXrMcedLmRf{y(|Pw_ zj_oL!u!0Ofn~P67=4X5=mv-prE*)jOajVnUWZ%&kv)zHJFE}BOdMZ3s+tV(HF{#sv z6ps&BVD2FcE-nn*57{X<09)T;-DEg1Nxkg z((A`X$hDaRHzFd_G07Kky>g>|h23actXB4f^DshR28w;{e~GOvg{k-4qY;3tp3EiIB5) z(RMCtqsB%4eFH$=WIGAdwC(CIIf|F^%7q&viRMURQAZmAAYk5#q}{kVZ@+puxrX|% z=jH8w6}WP_{M?8HD*(*KNPvc)o%0;F_fb;iiWJ{1kb94>04N49AA(E=1@kT1xZ7Vc z%Ru&IV|&j($Oln5K!}_I$zJ)RWLDGwW*HT?OX{5ducrTh@Rxm{5CA`vNx1nUZWeHk z`X7}~e?Wdmi1?Lp&`AbjI7rZ0SLF+Sq|R#Lghj>n{dQ}|N+s#lZT;7@;IJ`D=L-C% zBu8<=f%k4j;;1R*3qYw@5+!-}R+LCU5*;6+?xpL56S``k{4IH>Y1JUN

G)N6DD& z&QnpW2~6v!82qQga=`xmPP&e^Or&|cemCXNY$adv34tae>N&GBE=uu61n{rut+Rde zl}bumDaMkyU2!Fy)0FX2eoQX>{xtYJ3A0!m*?Aa&0wjKf8ap!nbdfU0E>Z^JQT2CR zq`(bM&@{y9AKp=$fBWiSU3;cn^q8fHAA%Q{#JswS;bPgawU+|0X>lEJa z4S`Ff?XGqR6cbk&%ava6fe&oR`k@UU!SX;)UQf{}YX?$PY5*=(0@zBrqH;|AkpN9% zv}aMXNrZoQnQ1dQR-1oCdWRdmXcFXX7_6L^M=s7T9v7;tR!=PP z6>Iru*PGc0#WRcuwA-{WR;6eGT!&ri^T>+`C0;J@=@ zt|(zSLoM!dCk*IV+6Dx~x3Tjal8jPl8;Gl0wwfgpJ)sO%k-I%Dyklaz;9oMREG`YE+=uvBITsl%9i07={@VMx}vVMlboS6 z%{%{^kFbUx9|0VKEBZS}pkWQPuywMA0sbtF3MCPjVhap&HUejW#tcZ}qCe*KWy?61 zGsRjcKNlb~11%gS2mkMc#Ii>JfWfp;L}5*11q3YZRS>OO(C@6f)@dnmAx#1?LcuV> zE>hfeoflQ~L_hYI{uB$8S{73q<>$W7KMi~B8xJR@huqnR-EqbRd?WC@oWY*810KNs zfZ(EMp|by$$+Rhj@+!I|$$Sy9#e(7;bS+Xw&DrtVRWr&JxH14-ggilq#*=_I-`GHb zo0eamar<+E4Nz7B+~OI%8il{%7JGiDq)%vdwAl?HHP+rL-rpLxyy4Q*Xb7hfB8)rl zr+Ky2|GF+HF1?o7Lc{;~|BHVXfbqR5i8RA|*`AOIgwjQtTHnrT|G&8qUDuWrnrY!TzwG)qA`Fy$ile2X1EjC4eh~ zqPRfQu{ZxTf7j!?cZDoH`#X29Iztu?_B}bn1KfQx&`FYs<`wZvrG1RUS%HG}MECa>NJP zb4WIZOSM{Bkvd&FZ6;nPKhaX<>a#?ge9i|3`FTdMuQyZr{9!OWkKb0`MnUPIy`vyl z9{ti0?GON4gaKU|o&#BhKpYWx>X@`P(=GLdds8ixMZu8WZy^Xyavh-Ck;v!QAI2-e zF0FK;r@B-R#CZCjfSNTUGjITmii9H0zkdIYDa|-VQx_K(Ag;RF4eUF5@JQM=oo~>k z17=(xrHCC8L?TNo%H!3U7ESTD6(!}BIWdh_Nn|r*I$a~0zrWs5hk=@_bUZo*->>LE zo+(b??wr_q3~7w2`H6Q7Aht^|;mfON+$q>{JBejLPyod6!Hq*aE5QV0$!)B3%Zps< zt;dUQ_tPhRGuL{uGG@legPnqGwLNfrwliO<1ciQ_J7G5JORC_NC(b{%&N6wm=fU7b zsTE$U7fNW@6}yPXcM1njPY4J9$+R!gIt~I_yq=?fBM4mNbK5@`?8^HY;5+MqCVaGt z&mY`npnN{>pYw#{6Ow)~LAe#7B-~yhsf4yUZl$f1Icg5%Il|*1+ZMZ(t)=Gs8|vE| z&ZK}|qRB*Bc+*Y%2vGCV?BZ6(i;i4!N0rKzE9$wFiWDVlExKT2i_09UFZrg<^hLf{ zg@7$Ndgy9`>G<|t-T>Uw0h=8c|IRa13Q&jV^eIxU&H2mR?1YQYV9<}Rz z@}uda>1Zp*^O5H>L296Q?B&1YNUe9I0Nm|&}~kpVIM!T9^%1p$?r)-&SftH4NRZ`Lp{JbN(|AruyP zHO%rdx*So_aKE4;e&L75ZC6&ces;C#p*Fi*EiEvcdk?y~2;N|a!DW?2K%cY3S_?kw zi=0vz$nP-eiSLD>tBlTY1rk#7?0AXl73pK#gkBdVQm6j(9u8U{NwJ6y|0kD#`I^v- z;0k6A^u!zf2@&n4sveAA_cf=uOgXh;#!k>^@^AsPTi!kNW_w(kzbN2pwnhXrv zzWk?CXm~nY>v47p^dt)bP|c*vfJA&-g1=9?YV6EyMm9Ckn|rgNOm^^Lf~yz|hZKnP z_L?sjkM->fZz8U14fF=$2wQ6XsTWhM9?Bru>e~EMl7KM*G|H&1e5te3Z|e}?Y4eZe z#Y7TYd41}}w4WIn9PQf9lj1yhz+W2MO_7rm9iVt21=#DcrQ}6Saaz1T#m}1nG!N5@ zh>oOt9t7v5vkb)fmY~3I8_P+*_2+UMcpkJ?Pe@gw|qiz4aTyUeI zTVELbgH}*~;#K1%nlibGE0Ku6Jl1o58BCm8Ob6z6IfD!h0fzJGqhw>Sa=T`oPJ=g* zWHL7AB}%~*liy5~n|LV2D)r41A>~JB3`q~x%P_zV~weCBww;@A%h@~b$B*DXG4zzGYNHVJ2036gW z{=^}|7f2JGnudcnGutifYI}vfwo^? z{&Oe&zy8+eJw3N82sU@cW0Zq2P8G?jcz4@vOu6G;KN|oX>=oi3xAxt5Uq!c)!^5@V z0e&mdLy2E_08GeklUz-ZjaU8KI-mcP(F{D0Qy?z++3me;@Qt7A1B%?-ka!4=XINNV zy6+x0G_rKcYR}CCmi)R#skH6_gS)&vjWwVEG<71XSKFp7N!#YdxhpVc4^HS=>4PQX z?bD5mEiWV^{lW6?h}#3?9^Zns0%Yk*yu?&FHpg0h-zH^r{&pO4=N8D)=;Tam&L6d* ze}u}pVE;w^7lZ$y3i_jd{AZsvo%wi((XZ{wb{F7A($f|Rs7>x|rKh8vaW{r0?B{q7 zbPJY|KO99z{h#Mm>BT9Aa)e0*{))HhAD4LFotiqYwq|POxQ*^$RR-h3x>t+ZbQ<8YG6#Ta`p9aV&?Pxx zlGO&Uuy{)`9=)jO*rA7%6PFJ_ZC;fkwk1>}*Kp&Lgblk#vLXPL2qD!*!7*GrE5 zcstEWR!1K6uM9^ncLGt8ox*eGj;>)fN2}_w_zYdBqO>@{GHBm9j`h6sc4MV}T_gEK zGL3vY1?7#}MhmlJL#=h{{r10wX2>HFFE)^X84NO$GJa`tzQYk<69D3al!7G)Fsjv9 z96!%Z_7ehn2!X)vW7kE)^gsKG{-MVPFemro-zJ>?C>8%5HcY3d+9R!+0hQ29Zx))z zj!bV&NhE})a?K13E@_mrK-;H;w@C_lZO?+(k*6xfPxC09MYq3(*G5VD1(f2|(_1-% z@N??vOJ5tkBA!|d?e|1^b%nTDZuY!nJS6+jqRGC>ghgBFe)C9UQrd2$ljF@cjLCfB z)UlR}8^5*PDuGjZ)UM`GwPZ{$qkJQ6>2jo3#)hi+r?E&FVpJ;dY@dDkw6mSgGmUAx zI=d#*Q5rSac`vdXgT1B41sVy=M$!jAXEf4_o$;UoP;&u#%m1%|5YX|ccX_KIPZR%q zTVibb_8JS+A$5chqJ}~Q3az&PSZX&rN%Y|Tl7s7k|D0?$J=q}b=z@sm9v)Sa*~_!j zT=e*8PzqL<^YLRF2q}Fz5FR!h84o(hh|ia@O-=k_403x2=DL7mAlN zrc=nX>L>ZO(z}fv_CbX_83O}#C_UswfWzfO=OJe6j1j!hQUvx6=vkct^X{|@kWG*& zKy%x-f|2+D>08vF5!Xf|NC2GQ5HNBX{?F!FN#t=N7|H8x6#t*X+<*0bQO)J|fG@sZ zr5^)Ky?w^%d~^hc;T=dgX1@&FJ6lp=AZ6U~^O}RGf5gFqEkw4e|Cg_3$ObtJK&1qH z61jWI83(BYI_rW3itq;KsS{kb4Ex`17eMVIoHDv8H@_CSllzE;p@Bwf9}L)I6~w{dt!XU^58GL^a9&GX8YA!;M{c5;4guQ5yi&& zOMS-Bvm=x^vS7PGH)U$13XGK*l}XxYtH%H!fD~Mjgwfd#{c{wdR@HHoCG4evl z4OwWH)Vk=CfB z!)tb(&n>1UnPbIYg8kclNM}9#9}#ecv%Z7wGz456Pj>}E(gaCNPcxqDY8mGyytsZz z-cTZveJ6AN@#^~Kt)|}l8|o#Ac8yHXgRZQA2w9o#lu>RnmsU@DzbxUqHxx`$0|-ua zIU>dw!B7*VVp|nAr=#vZHz0kMQqx3?YKc7f0U`sS_ap@UFCP$g>;vXiU-bTsAaH^T z*hV|+1PsQwa(@2B0nCfuDjA&92x1Afyc|9yx|eJ$f_vp#X>^)LQSTPbI9GUrJV{kz zP7nO<6IX`Zd!EwHQe=U-lCV(dF1$6YSZ*o|mGX!|ld1Vo=?Vw~j0z^psxLaUK;y?T(E z=+C?_brk@9$p)R|Ilo3;mLO{7esx`ZTEEZAOe`S0Ln+t*D8?iGyUhc=0K_`I_38*K zQ3M92YXkl@;^_asJCUrNClwVH#7_N{J_%lK;2`{~0Ai_GnMuErIBEONAp31Apr2mA z>1l4X(uyvuz2uwPFsht zSeCGqlfCpjyK$!j+`=faln(c+yKv?hFx|ds4%(Rgf)tN`c6g$>Gdz0Xjb+c7az`Cq z@&52=RlW2LG@vp=?36ejMbFBbg&WiOM@X-!iLHgkD@xk(pxeukL39JJ)5vm2sVC$u z0@=?IO*Ugxd?_x)5bwS^2UiZ1EXLmZBMrcC9pfcj{WWHP124J9^v7_ID{sZ`W3v9a z&QxEuz6(kDB|j<3D((`J@oZn78#l*2b+didA0fX@#)x-}Hz<*eQ@E^F9)Q8m%Y^y> z%`c@h-rHn8a_@m1+Ri(9qQ2diVZ~n>Kc<`wKU~z*<8}nlk=?h)L>z90S+~V4H(pNg zDyDjy(8g&+1D(03@IICaPIp0psVh8rnj4p^08m^P4N!5JIi2;wIoOls3B*#?Pz3kc zwWnvjx21U!79MmflxrPel(OVyBU_#6#B;8;szMQ#am5-NVp0~$sVcqP%9VQc9l}O1Ok{? z(l6+@41xjDaf6ZO1-%`-gYXJ>^k-x@hr4O85XAU+tfx^zASklZ@1 zi~^3EC~LLW{AWxs#57ca0*6F7djVtKW(&-O+ zT>#H|YbkK!LvhTMFc3O$aV@lp>PK=8zdBlJCkP6acymBdjgpu|iP>EqY>h}}<*_~M z@66y|UgApfo}Fv>dTxY8J77fsgXymsWQCto-mI%4-Cwm7ZQMJnC*A4pCeEkA*n6s; zuR^w-o%p={i|`a|y!0v#lQ_*u8RFL3&(>+OF(pWkGv~z1&SjM9>$&R%^jBV7GU-~i zSSOkTih4ZHKeiX=r zqaK-=nf3RG@S*0qyVuQ|EzhpupfKGdF_bs-$^4itS^D!tMZkvuh z(F*h^N8q!xB9)=eXd~sNp@ef14v6@yMnx+!3*N%~m}f9)l;-CkXAHJFl|ekF8Q}g& zGw|~fmmW-s8Gv_DxGzs?;Z&yBb<2vxxYPU>G zvWAebqOOkn>m#~~fF{fo8~^PlVLA1`Mv zR+huf+PcOa5>^MF_c|9}*d?q2YC{ZYI;jmQu>V{N^G?yvxjN|V0Kh#=w%O$yDP3wN z$lWMcSCl+S*F)Dh5t0TDdsWyG*C)SduZ%aDi>rc5kMFdq_F(HHqc2 z1{b}F!>fVhdnB*U#>$;U@q@KBgC^8L z5xHTWa{5v5H}|^!d?P z_9%wxxc1YRKraU_NQ!RQ8F6QAQs*wl(MkB-f(NW*L0)es4mE^rs&dFmlPcgGbISUedFBeyRisqT?0=j^Ou`Q2D9aOdssEWU;5q z^S6%R_rnTV(X`&B4~~pfN^Cm`Y%M`ik46ilJBnE(#Hv~Q-uYO?wsIG-%F($;Ro@?0 zw-;srd%$o}*kLPa?2OS>y&BA{)gZWOvw{KZ^HvMuL9|b>?!I7)^>Ys(-4*ld2uehn zu7vXL49O2$;m_JEB$>wos=F6@ZKd8IEt2H8G>vb-Eh{&ZQMJKCi=hf#%(>r}+Up62 zWUSPag!rlUSWi?gY{Xsz%ZV#1r}5Mz8Z}toCAH-GX!1I}YU4Z)Udqqjj2h+SXwi~N zJ=L)K=CXD~L48?kXh+AtOueBVU zTvu5P)xMm-VlIp@#&Y=FZ@)&%qb#VjfYq`$f=IZ1{5BY+1G%<9YjACTlPSx1q)kZC zvd(kiirzt&evoZ+;tj{25IQ;cpv_xGK}3Gu4>T_=pdSzf^0iB*55wPNee$s>ExPUW z7Ov0Ys^%U{t*V=LS&4=VX&bF?;R!O->1f}LL9uH?a@gA;8Uco8P=orF>#>$-u*JqE zGyyJk%_{4L4eyQ-FYw{aiSQ1jvQ}yN^9*v;>10ooFf=$%fBECt{Lf$h_m}mGmYP$_ zshvL9piNQ+vi_c_(-zn7y8~lw^K}JRj`{( zf?=5p)jdYS>^>j1Lv;kWzQ9+$G&xDKCuwKFdM>YU^_O0KKAc|AEG#pp!&IKVt2NMms@NG$s_r=Es<_e>|XnzN7#CF>Fk&3Fmb=UW%kz)a1YO3tjhO?WMVyFFSF)jd7yH zrtN#$`y?_jBrz^M;hdOc8IG|>7nqP{Bf;aqYCDHSA)T__t)+?9@G~yN5u>U~mkHA( zF$-s4JI+FTg_?O|aUO#}$&b4tCT$Vt7|)m?SrEJ3{K0$FRoalNo*L;w8_5@FxXgvz zKLZP3np0Y{g%OF}p?Ycz0+#0koma$_z3G)K57M9YJ=wU?O~ndq=CdrCJ z5^r+Yd(1y_gWC0qHs_M=G8~-pygx*oF<|iaV~#!7QcQ`_;T{xU`D~2-Y>E3K&gE{( zSnEdb^d(<8tLSV52-Bhmq84KR!x3lxIzH^$t)hUOzdr0+)O<%4z`$9h^$D5ZE@X29 z@-g1S`dVy@*zeU}_|+rMi*~)aK3r@yeJl?quSLZz=@193YRQs@k=@Mdjm`5W#VhV4 z3RMp2DqOVhdVk$)k>Pp1;43ZaR{G!uwYsj^LHb~~% zaoni?>P_(bDz;!Z>i4aCL^-)z{CrVC37(%?{rK^^y= zibow!KPk1Q`}O$Vf`_0h8euB9_Sh));qCCmGb5=Lxs9FHcku=al~A2=u2LYx=#g3) zhmo%#1PBgrAIy|1G!5=P@?s`s^MSvx-tK<}ypY!)#iy z#w>zn6@O>}IFl=$dHR^Fz^y*YIGzpTU@V}iRP`a1GCkv}(Lb3mO>IKD z>B)hiWsRYu7Q?)^2CFET3=8de@A&2frHxVV8?x#5Qq-inoz{ZGIfgw!~as zCFh>k=DsmDNcYB-FUo;L1D-+ysc*$!bKM`GeyTbg742l2DcyW!U}ITufF4H1Vs7YI zQUyxuxrE7LQlk8Bd=bjBjsB3m7-RR)BBMF-9RDMHW|HM;LA7*>aKwVN=W4hy_Mvu` z-<9_P?mw)Zg=K!}=@gz+P&*Qu4FUNm)BM-l;yS*qXZ4QLpa1%{=tF=tB0)4CbTF#Qv+#S$dnDXoTdK56D&>Au!0tlQ>h2P<>Z(DuJ(;ft0o&}V{BieV zgne}YmhPblRd+E6aX!_JiVq^pJUS!VQ7`1_?1mWFweG;%iuvDXZPC0=zQ1t?)*fy3 zId$cB(8yaIWsZ)HFBg2Hu!AFDBmw7E#x!C-|3Nw6Vv6?Ld?|?^MimbueQbU04Rl7D zb;Uj=KQ2GL|K%gwZ#o9XnPGm;3|;8Qv05NL<*7@)7@}=5{)4nU*OLCT`>e0w(N1@b zARZ$IVA~BroS#IrO^pumyfy@CpK#wmX+)2^dlg4!L**)cQN6csbHk|K=}gl6>6y>k zNerav{gAGIB_jW;OFJP9T3m9GJ8?r@F~)v`4VZK?c?)g1W;pX$>z^0T!c?D)aW6}a9 zJ_$=<8(2gX(B1yUTYu=Q-tndx# z(yX}S93`E3N<2?W{(K=;Tjmk8x%-N^ zf-fYBB5B09d0zWo&F$OW861~O=;&hy9qjGSgT`e+n?Ep7&Z;_|y?LR!Mbh87qxa}; zjiuy+r8PW82G3l2Bt3$LkUFI1i27XMj}=Y{@upFvW^P3xCYIs@YNMGmR;KD91vr&M}bJ0z3x**!}W?Hk%RGW|_q*oV4t&+V(?i}l8fd$RWJwCG&J z{Ih9#z-T5p6s5@ZqUTE4P~i*H37!{y|DPAI@YX=LRKl+Flg+5PN4ysveLcfSBYOJ! zF4NiHCG*~Ha%*Ky(updcxY0<(f#sr-qiuY{J2v}UbOEi+{rYTKrDOvtp4uoS&b&M4 zHVSXCh+s1)HwD~-Jjqt+8ovc;91P}Z#Z{Y;2j<2%4Uj%}oRi`?oS0Cdy3^+SRo1$8 zSRYD0jl_=%WoNcGJ{xS;nBHhS5VYcoV;8rutM>_MiK2S~60iiHQKIJJQwR1EQ=(p8 z-N1joug#Yw7`M{TodH*sUdb|$^uNAA89`dEz>(a}abp!_2mF_oZ(sMjrX@9kB<5AE zB%buDcd@txVgPTvzi!g%c>mx>!BYc#t>Ng3>pYJW1gL*|hD1E6tP#OQ7hRNqhdyVe zu?lG6ja1G=vkG$_<#aUeIk3R;3vDi*Rya{|md`ipFReX6#gh5h!^|YyvHdeLKAX(Z z1E)#5m_Be^%6L%;=z(TFkYc}XYVS`d)iRx1$uF*SsT>o^81;PI8b5lq5fdQ7{ zzR3?VP(Q_{dxW2;Dh}9Nt-5ncm#rQMuZ2ZCbcU*ANZ}hg4eI7QABO7}7G})vc>Wak z*eF|X1GqDSQ*3}wSB3~{TvFU;*>@`{>Db*gNTNh-4vts_E)1PfB-v$Y7QrZOT>_Q| z6(sAsF7r@vQ$|6#sLcv?=S}F*7dYcTI2clIA{nz%Y?Q!M#ikOve=% z0ZlbwxFt6cZ&eK4Psf3TvxmkS|zPfBhX( zwGIx$RDB<7{6P?Vmszmrytk|s9qh`ln(X&0uR{BBdE;0{IwOi8%Wk>fZm+lG$KY*7 zd2#)wQLl3m6a%A!j-M<>+FtfKG^Jl!%qtAxHJdni5r^i2)7k8p=$J>M{w5cs9%^M` znfb~jMzM4HGaVaW*x@m4nmWuxkg7ZA^2_v2S-oZv%Zd_Kz3U@wIX;>V+{^9VdZLUC zB_ixil&md2&gd+#hvhB#kA5+B!-zci6a>Q4syMk5UaH$=<_iBdK_9Fmcfzf^aOHes z<5D=$fN(q#~&@J^`0FR3#8^6}bEP01)6T zMFvu?n$R2xEMQ~BD}jw-pTEDCdi?#o!tQ+H>fTzD9uyHk8aw6AlF14hGQ!6Ejb|2e zTs`mC(*fBK?b4e+19@0M+4pNCK%4R6{8e^fxw;@zwHCVC-A*?mg@soabpELx_ccxC zv6rdOKefNJy+j+xDqk-|egFV@aS%+jYHl8PhaEiHul*V$_#^KI$EW~8s{LiWPseOl zj*sO=?N@f&_MZZ9nBuVd!z7rk?=aGMSE@{GM5Vvt$XX0}zohJAhf|xWTakWR&xpas zM(0->?3|L{a?E9;1Gap9C6&3)5?Wth#CI1oH5!K$7#C)6t`x(AQ-4Im?MAF5$a4Wt zf11*2sCW{M3b5-#NLG+S1h}>3_jD(OEe^&f*N(nM&TLb znDcE>*6PE`6JkvStjW`i?y{tVyQ27k@nKf~0@f^ykD~iMx-O=|P!6K?+gzc*LLKRj zxBhWlZx!V3TI-Kr(U3h6*4Ig0^bOkb*7+t)nCyPNxkW~-)kjKCw4f4=P9SUrjGA?2 z;tkPq88PB1%mDDW1FF>5T3(^4QKXhAIPdT$Bs#AKop0RV6jIUnfy>#x1itCPnG6zDVO zJ>d9h?suDP0sx!d5pQ%;B345MF!F4{l5~)d4+b^7E?O7ia?yyMA&G1d=a$+IZHy|bYRciE2zuRc71myM zb^phSbYl&vclq3~7`R8Nc9bEHZ8`KwQIakKEsz-q@;j-TSym{~NW6bgA2{n!?fk zmdpIN*UJc5r-0_*6X+~0`0%4g3;5zD-ETqDuq~a`AGKciu>Da0Q5>%P$R-Rb!pY1W z{0;cO>^O2u3yesdz9;@FO;BkO7|7MnYHP)2htpE= zaf?zbC6bM!`O75W2RMjZy2fOpSiQ`ppV3R-b>Xf+Y*KcC=>uOvQwi>m8zXcmv`hIq4Iw0j0-a7RIEPSL&^|qj9 zF_nJT6;NA#m&d0m47$(`UBCT1RQ^9k|3RW!ICdK(rWqa!*7qn zb(#iMBk$H2w!irS@5I!4rfwfPuhl#@ie=%|9%q5;F}BPW4M&1$8~7K!lO#3 zNMc!=M_-G}RNQi2vFgww`boUhkKG>~v8$+!52&z>JH?-4FPIK_jSJyjE0!J5)*~05 zIzPQ@$OK|Pg7iBi?6wD{N{e(jaN zGd&{nizSfP^kBT4W&9=Baf}g}aHsL8#wzIDzNkUknj7(4TfZspop{RTcWu)0&m*xP z&k9{CE8_jZkBgDx#ZkpVOdyk6mzrb6YQIhS;R`((iTKf~{G!_LwJ+8X<1q%+zt}ge z?iHB%uU4>bS^)`qjJBB#$tS~HkAVGazdS=%@Z>lwAZ3m-ks0#`>_9#gmayk^jY_1r zzD(-Lz)V!hApotjHM_mzd)e$7L+^%}k-C!{yQjghL4JJ3>H8Yi)OsT?_s&^Hd0%%I z;{71(x=2I~b%qa7I0CZxg%PYB@G^DfOMg_ZxD*pwJHt4NAHlJ*mC2fOFl%&Ob0m82 z6$(-pc;lVkm4_ySFHLeUh%v2yfWFmD-_8_LDY^Liz`-g-HS1w(5)8aY58KYM>kM`D9gJcen@j;vVX188ED}{z}6DOL|9Wodh zgiGFsf+#<=j>>n6Y9}3F>z1Vz?)QTd8&Rf7jan0TLk5iA#09Oma|M!?pZ>Pxz3Osg zH1%~?vZ?AtarLl}(%!?B*mo42G}E0EqsFL)qw{I3H_^05)#zNa^siI4+7rJv^R+Ku zOQ>Gw-ow789lFWIJ2g>RxBcB-X<;OZ(2!4yNxzzC5L8(FI&_cgh~GH5YNk4hCg=4ektdvRi9H zbt=kMw|fR!N<#=y>lr+DM9y1RBr41L%&D7ub#adPZQRpWHdb<}%KeY;>hOcgRyu4L z5B7GdWTs(~KdCP@1B-e)D}Q=V48JdgvD4+eI?AT`QAqt`8bJ4+g#UJE7q1H%PTL&( zS6laA&Afka`)A(&9r&6G`yKeYV*%ulEb_nd^N#DsXdA{ettYS29=;)4xFro-+=xCI z9xn$I+T|Z>@xTtNbUZzqeKu`n&dBBY$jLew=fY5Gu4>TkGUH&lzO?2gOJV6THm&PK zVavdUr|k(v6`6wLp%n4*LyCy|O1L3W>X6e!H@@>7n@fV}c;;^zj_&BJ7gjt_Y> ziAl=IZw}+;`P)l{7i>-n?#H(cRf-`%vaoiucYL7A3SE3LI8y|Ya&!AJ*Wu{U-Alob zi)(-O)s3wc)uTC!rfyEWldvjt`w-xX*CEaJ%GhJH)4ra~nOVJsn@$lfd3;&*Ij67h z(eUXHPpkZSza~+*O$BOn>G4NTgZ2)l4=*;ZymS6>rhgotlX1x?Z%(&r>Z!|%$r?7?ebYk$;+iZeXT0Yl3<$x!(# z1XS~!PsT9v;nL2VA{nM#KEFWNUgq$_)H0o;ZkIVh3g#I7p}W4Sz?aNQ6N&IC=tamX z308fjzcg^YUsi$1X4j?Kd9#bBYJ4xKsn)rrJL}PEb>r%Ke_FwUP}+NuVn~a`iINVQ z43{ldJ>8&6D8OhC%=^K`!Ngm|9Yb^ZSK>di5E zd_iLReihpEGi%V$Cx{3Dm`Kh{_5BTNdk8p2<7*m*EP!jg7E=1)Ht^$BGNeX@If^cL zKfIPM*e!8Jv?biuo?(60_AcggWQE_)^z9tAmvMY){Pv zCY1WweQ|)A_0@a9MqO*5g4ca4w?%%P|BEVj#kY4w>DG6lc}+JSS}ibh?HGXxY%H9H zk1!=FS?@1guTyDG&@F(e>IAnW=!l=T@NG}*Hl2exk5#<9S}1sfEvvyv_qqmN0Fk7| zeZUO!%ZnK@l^V7DW>DmJUtNBKZg=}Z&?=h{JWv*UIJV0#Y63O_Rh<)_J-0|(Dt5=^ z5=c$cpGa#)YYg1_$8xHi!r^o zLG!88Wh{i;v4a?B;YfDcgyi1ZyZqaw(%*ddly;n++u9Umnp3M3871hQ>Uo#cT{-cS z5i>qST`m`BHRWq`_i{13>lGy4WqNYgwf*+eBb*|^bHYM;yI;%E zx#kwtj7*lMklf{rFDd#rpg+8GEC`H8FJecam>b=RatD{w?|pA;w<-b3H0SNJX1 zqRv~#MbfeFtAVauhmcO{+wt*Amo&h17E__wm1+-x+mCYX7@hyCpsMmy6QJwt`W^w6 z#@Kh+%bm*l4z9X5TcEi&Yj*9SeH@Hf-mD~SrT=R z)FXGoqF6Q0Ie*EK%d*YQl9MV)3_aHZk3alQ?=)@&6-Y7;lUScx&y?7sWTue^F zzC=`Tcy5!ey#cSByW+xZ()$XV!;;Z|YC--Sg6RieD7rm7ERE)>nKvJ{=N zaA`Z2DDs58C-t!voZ}htr@ztbAuRgmhn!W|-cNVGFYwbwhk<@OO+z*3qe7ux6Md#f z-rCTCkKw%s6p^(3A7?s8K97}+m@JJu2+u2}h^K*)GbY^o1DscXO-x{sOJgsxj<}*i zirGw*oqVflAnlsMqO>Y#50%qz(0xlU|XE1Qj$i+_8T)>BR&T=TMekuA>X z>16w2AkpyoX&bS#e2zS_1Q%$DQ>^*pf_iEdKgdCj;&U`MOquR={w*hac49s8syBSd z{rBz}P~Ker3C&vH@&wA6u?uF-Hs!5rK-3kwm;8z{Q2|W?OuCa3`l(XQ5HRUn*Ur&} zzc%UHnb}MryG`_mNM0x5bT_qlzo&qCAK_Ca9TR#HiV7~1#a7B`3NN1BoCZ2h1$s!O zyyDt-k7n0cb`^@puS`x>04rR~9y2s!Ek+otaE3Hlw`W!Or`DYE3mjKQaUd~k;MdW~@o;5Ne$-#ePqwGK93hhDdY zCOPp&$?(|5xv>%!rY}&k_jaI{xNXz8SXw_TrEkh*CDN$RQI&Hsa zka?3?lg>|`_l-}OY++>TO0nPf9L7>|=|--y{D!+yY0MCY4}(3#j9B461SYO~(or|> zwc;LxGLx}`k932UnZNL15aT`(87 zPn4J9jv5prfLETJ^{mY+Zg5iHpB(PvmqvED7qmoP^S~he$kw} z=;jb!ApP}FE1Q2*tj-{JiQn*jB%SQDN!h)<>7!?JD7cJn86I7jmf?jqd4vd64x}vS z%&(n^JjdlQDT@~37WG<8aU6eS=3;nxPjp)##NR%iOJ-4~{pxJU>}jJrlZBZ=^_Rar z!*p!fGU%PQJYO%Q>7M>Fm0ZoskrtMk$|}ywCcVNxMl9_hE(lveuJ1!u`su1-4kc2; zxT%{qrTV9k`|Uqio1F6CXg$|LZNY;ID=agXX(SH+)TLYC`))qxTgmH!=4m!3qb!RE z8`-5DV33mZJ+ZW501jTn4G%Al-H^j{88lKPb0P`f?LH+?65;1s!8MQ`-}xcS+|LIy zc70K~jPf--b8rw>MHd{OM;oSGm|?tn5hxAY5}33ZpZr{xOGThdcBQ9NA}#W4GTYw3+1cD4O8-~FRUY6zUPaNL4|pc|A)EvjEZvGwnYmB zL2{6s1w|xDDsq-20wPM0qkvN6jAW4<1p&z-2$EwFB^NmhRzZ<7l4FtKeXPCLI_JE* z?_KM)_vijoq1jr^8gtAs`slq6(@Do+283Onp@7XqJaI`wr&N>A^I%b`)>!`qTz`XK zC~#UyqUuwz1lt;~V4&!58%nSwSv8Vc>AuIF$FPq$M?CDxH|!t8sQN(#;#U+{Bl zx?W=SLi_uK7cG84&h~gNJ9y&y*QvKGE;Y;=pAV(6sdC>#z8Z;DxOP}9#>*f39J7OM zHVt%hVDof~xf@8=AM=WTi)~nrSF(Fw zU(mzbj{DuyRc9_X^1<`J*#!*fj<=!HZSIK?X$38rx$5PsL=(b`ALNwlL!!>U!|i2H zUkM=;F`36@Fn<8`$R@xm;-oByW)Oei_t}1;!lIlnXaxZNvKmQ^WB$S50f=nGq3|-$ z@;A2HH(w&u#kT~{S5ocwkyQlg*5r2_`akozt>@>_E>-G8OP#&hm~L>ld8C~w>YNK0 z@|M%&36lNLtWCF_YYFJ=akKb%b$LD+O3KPFC#tqvJ!vOEM4rEeIbR_gcw6a%4}hR! z$r#~%z{9m!;KLT0m*+DJG{9-OS7*wq@dW(4ASgXW!XazU{$pS|^^q*nfNw!3A6$O; zO`31)3A+XW9+Y59yZMj+TXEA+>s{ZKV6TL0<8-V?jG zUlS-OL&`*cjV@HZF8=tl9Ez6V2Q^IA0v= zzci+|JnD78axc-6Ircq#3x!SCJ8>85*}xJ&xH_?*)1>D^05y(uQ_OY!weXaKe3W<_ zFojbv`bPJ^>+t_uzpwrHX0|=Mlzlyjl=kt2=EI+nZFFJdCZ$H~=2S3#*A*8tN zYwishH=oo#1AG0xS&Y}0zK}snbD5s|O1w&Q1xjw*1HUp!-_xHKC`9fb$x;7;`1ev8 zs7Q$x1Q2U-|E}md&uK<~^H5~l=17mx_Hi^KuP-2ZJ;WR}Ssm2-BEG0h?z|q#*aEOFMn{kPHPg^IMQp zCrKz*$5E(xE%+#il_***aiiA+6ZkDZziGniE2iVVZeBag*8Tad21^4-U(>j8^``_- zH$|;{y#-lAwb+Ki-8c3HOV>fKtod9cm@2Q&dS3mFl)7^$bUsZKO(S*|AX46u7uh+pl z$A0H|#mzeyG}S7+Qud{p@63XWyQJ-^j?fdr?b=hXdoE7Vv)2tg7fAb4zg}&l96%Tkqvxv53W;d7vQ;b5J5C*qUH6b}*C=%tN)};I=fBC<~+y4y7 z^}Cos%Aln)?UM5#IPA^H*Cnyx!E|wbWQn0|!mAVLSql42bc#2eEJSPp49=%1H^>8! z`Wlw=961buZG?7<4T|s3n{U(fAo0t!=?8na&jq%)^M~d! z#jegf-VUE%<6G0_(eLjGSdEd7MM`uO60@dp?B$JVHHPL@i@e&HmF z{BN^S!{vQ>9ut9_mk!-w=Y>q7Yq*zmA$f+(ASwSWo}LSt#Ga&GCd%#PQuXAE{fIl7 z+}o`bUnWB~OeVK$D~o@;zuNU2Qe;@TKS6Z;qepD}sEdFu9>5#h6@7Hp-@4u4PqB4o z9NX`vMJ%t}XD8$XK2h~C1~QckHMm8ng=Iv5bP{15LBW|m^-+H7d*iQtq*AGU_m3vK z`60S@{L?PF?)aB)o=+7bzK-55&-ajwg^yof05g1Z--D!48=wz+w#q5T(Ra-MyJHno zv&6V_->q@O7kbbzYc>8fCDLckh|cr30u2k0(GRSA?TKAyAF*!NeCte35#`KlWNA!{_2;Pr*p`M83!npeva=63cDGRWe?> z-0RG+SE?(dq3?_R7%Mt|ejZCk1cEDZ-=Ea#&QGS-cUItE+I<#SC|h&s&B_iQN)2i< zbj(GVw+j{rF&?u=d#wKihTRTT02mfVs7d5}WH~0am(9B1HjivtYL7{$KD&3aKz|Xs z4jo7lc=X^-Q8%x((MN;jG6yixLzF*g>}%M_?Z6Z+17jiG&mqk4;tB!#Z?5WlnMOov3xb10EIC9E>|0@Ai)q8*(HIFULIF> zQtInvCl)((zJhnFxZt;qbVRg;>EQdNkazBWxGv)}-d&6Vp9MSI(`B=`4{|!zj`gy9v|^UM;mi)l~~fm z{#cqfn~|+{Ul}b_n@%h`RZskVMtbU1$8p@o*-FKa1M1WX^3F+euTAPyE-DNM#Hx9_ z5F+`S%<9;SsR~v-!2>|ADrnaMTL6j>pLT;N-n3;M52UU)jw+ybFjuEX7K+aUG^{x> z99H_1Zwf&aJdAu)c(_PcAVLH416KF-!#U&gUv~j)OU+ZON&WBhDG_Fn9OyMeS~%Ff z#IB6%is7b&bpyH{QQM|{Clb((k!|ZiZDrwV{F=k@%J%{2aRoP9}*+DTujsXa!#OvWsUsJohuZKR%W@{s+vqXSSg5 z0uq7jTrhGh0(1RL2V>)s`NMg`pm+qo#+tB7%q$>;iZ=Tj*(TA3&K;peR0b;12>Dr$ z;R&bL|>5(`Q?1?UH@eE;? zWN6#icnnKSwb3)PsdjEHVu~x&YNiqTncH}kGLXzKDxL%P1hU+~B&_Dr*s~I@Cj!C3 zaA=g?hDw$+l#jtWFm9l@i4P5z#_y(6+}Ef>bb()InsG8`h5#(tnu>UXoT^?#QS{ET z->vJn*A2g~e|{6P{?$uFvnMOY8&TmgV?g&~`2kH9kpAkLN-vFQEeqXrc!8+u5l=FD zv&dM>O9-v|ZCO2JK9uYHiHb;i_-1rwy%=s%f>)yQg6@w0Y={;=%Qf(QarjUGw1=i? zhjv0Y;Cr4B7`k|hTFQZ31>L=VQScy?90YCC-xvCOR&))?LoCcWK(iHh-JH4MYaZ}} zJe2$P1a6!vSE_Aw^3Cc)1VH8=Hz=zI=0^wCKo8H9_M6}5>~N_{n&{Bq!M&R$WIQ)D zF$TYtI}RWqHAgW@qG$!*m`J`mEb}>@7B*O?(sF(}I|{5)x8`lWr~rVk$$FRHWZ9ehu7R7TU0bqkYK&W2}hflAi)i4Zk*qzxvxIvWt& z{?vda6p9RlK?uZrpRhU}j;h8SKOt~dWHeh0xr)6A)s(j8c(xyta`7OjiF=5qk_ zc}b_n!XJRHsO?0=FLv8)TQP}B^d4Na`<0wczmB&E zQFV|XJ{Xd=cb{@p>U@mhbj|4 z2kA@WmI~+5y%pEZya6 z3&tjcD%nUCckuJU$pEn3Q?%*qONbi;nm4^qB%`3Sr?DBPmL_bu&v|uIj zP1yew!Ei-!xd+tsfE>;fE&$P3!L7Doc~C-yv?^VCk#sf3EDamOk=)L6{oahAY3t>! zqcog(#Ff%v%_iNz;|z{0GhuABS>}sz#mF1LagSqto-h>VIdQqy0Uf5NYYe0M9j$p< z&=U$58n&<^T#E#7?$%G6ftq`f5@XCELO|gLQClW06?*(W###{n-K0b2X>0;S+oP;@ zj1~)^{=A<3aUShM9_l|j<1w%jvcVM*FI0m(2FdVm;# zsu$mU!!2fOqK4E((iWlaNfhb@0&@~ypoV3ZAht{LY%>G`!fnc#X>$JB_r5a)#)FW6 z(On}^U^y5ugx>j=BNtFit<+wHEMi!A98^yh`f~h6hVBu+ZO{^ z<580CcXgVd3{|?mSe4E@xS8Gnw4J|#3edFApDoRpDgYuAW{KGGxffyCHi4{e)L10e`4{RHhPxSatm3n6Ty2>wy0r6pW3AfGsT{)0APL0@+HwVudd|vpaLjO()5R9c~>-z1%Q`q z%Xn`kn{wLj|NIz&I+TGYRL#1&Zvev?LAB2L)il$a(F&~iFCo zD%(l0=xHgSPT{AZ0T8PjvVzOn@K{anqe3=#3!~&aU?L>i;Bslt?TT=m z&8#BN<1{3`y1pq%aVQ$g^e9$&Eq|nGcm%Osfj^i3@0$N?MyVs@S%Ps1pOJDMnKKqt zvla{QXoTjM>br}3Jr=AsWOFn}kCiHf3*N!A3Z?6f5`meWv*aG_o>mAW$@TF4dmBB9 zQeVZ^HPR3=3@$c~OipD7-6fun?_bh=&}=L#_uC%}@xVfBp38vf)A}!x!~#K2(uwVx zT1C{j6M1}MV0KgnX(^UIQiB;NE2K;GAB3sGX3MxCe#}G-%E7CVV3%{X;6gA7Xku8_ zKCzJzF>E=B8aT{au1lLBBvtpj>S`(=sNJpoKSn-`;Z{7Du>PJxc+{zg%yy3_t_3bcentDNDx%9`_T2Y?FfKk#Pw2YE!!M1c$>eYVCbet9?w`}Cn3C#zJj z4vm6teM>TW+6GLOguD(%lvGu9=Y0WI_9_KHVwD#0N@|le`Q~7v`G;2lXUdIN0p#}a z9XqPD`&bO5c`6dQL9MrwR17#yo=Z67mi-P}UD}_Ej}3f|-x{NKx!lFmn#UPZ9d!b6MbXsw-o5Q5^omDqH~#P=dAIE=xH`-krVh3hTlwX!Th)2Z%2`fc z8JCB#o+&im?W-TdH$1XnRo{@M;*nKzJ+k`nrTYqaHFn8CxA0sweNQ`#)?8x;PUae2 zj=8~WHs@03PsK9PosVxgFTd$6GP^RkM_-lSv_-s3K2H?wY*|2dqt{M>@K=<&yY2n= zAS~|V=Jx09gf(|ncsVg1Q`PMYv!`3@r@3i=OgR-?TJ+N0UF7m|NS(E`DO{ZKt6(S@ zVjHr+dJ=EkreZs^S(9}67(Lo;ofrX9ZaE0qwwjH;vZtMVy#;oYscix#O&w6(*9(;z z6LeM?aisN&U&M>1)sx{Unw^-ZzKn}4+(Qyw;OhfpGp+Ko1yAR#X@^(B=asva18-yX zGaRdhbe)UMoC{Ez@qnjCp1PX)RVtskBAzNh2PNB|)q^H5w08s;OgH=ac^wQ0kBS|w z|56PN0Q5y#)|^;3k+nJ+*bzh-IekNkp#TyR@!-t2G7>=Yg2v-ap=Sh!Dj_O4 z(vGQf+^xFrSFv!yNtx<5`|qDnWYe3GTFcJJzhue;c<2}77TJ_-p=zS*3XQe7haPMi zIZ_jW9K{p|qoLobJzlT3XLKC=MCE@|+IS)5W)r!zyw23WOogYdtwZuvK}!q2>p?oT zvOO*x$wNL8I3|(jW5K&X{iC(Osty|=U3pi&kMHd*Vdk@ok+n!g%KM#$HxuB*N328H z)Q@z%Y>+8c!e%gOmv`@p&tLc{?w1|BDPGr*l4I)l;_L_QawTO7wm&OH_K=N353LkRhE}Xr<{78M4QhObQ+E=>;Kx19*A_e1TfLF4zyP3I zxd5J%3uM!0$#H2H$J6e!-x@*=-GPdUhOK2EkF5ot_s8%Jr&%!Jy3@#eucNw;ry-}B zq8NCj6q+%1cK(i*;?Eiz)e_DI^4)F4aYIj7<*AAtPdVGxOuMPBc5ncY|K}SlGt4Vq z4O|{@tIzF?g5%M?DKG<&dJYCeF}@Ceyo$^qG|^2Y;`%SxwQ9*x`Gsp5a4McaViW&? z{l)(^mKUK8@@+bKuTMg2A~$FYpX!yC2iyL%h%a~qDG|G=$QwPDvS>st>T(5<98Lz= zy{-ju$$*I03O%bj`kHGiM^ss(eMoZjLF2BCB4a!X!0LDbbnveF9^LCBS|PI(tp|-K zKN@}4!xX$jqUqD)zvwbz&Yk3Cmd*P~a%ZDc^lfbcBr!=y$MqM17kX*yYIOpDDq~G& z7Oz5V2a0QY%HHx{^>l6C07}le&#He3ubb&-x_^Y7PVX$McX|8#yC(DYMNwhzuiG6H zaeUsAtYNu17CYPA0jz_HxKf6wt` z)cdI#8%P}hqC`)3&Si2E9j1Agq)V=gzjNK_Mr!9Uy?`JZC5r{I+y=%v+xfN%kJLd1 zAJ@F>{}%P64=}(jQpRMyZeik|1-5j@a@hhnWpygB;l378BSItjuIh#WlAn43_-IO{ zQxz=S0QEG$n~Y<%^Fjo7_c#misq+89&n=Orh?RKPuD|?-K_Hgqni!WC!xQx-<_24DLE~3 z1p9QJ78G8c{L*l(Qvb!={PSyP0!I$EChLQOw*e?nwoF%E42YlJ+1t_P^8;QC>C`;1 z9R23ACz8~!;x)_R&$XO8_zHMnuZgY63SEa)d4otu`hwE$_-adYwEUrx#LIV@npP4&A@rO8E0wR#?ajoX$D_3 zjY5g+GX~A^WiS3HQqJ!2D)YBt==(V8hQ(ztp;0<^K)KK7m zjFKHhfemneoOK%VqwloZOx-%Zp%RO=55Ddjy-xX&bT8WEAu$HYdm4yH7jpCk`MoK( zBx4JxeWl@vp^Wr)U;X9dZ2>xplCS}(R z+JJt-(^A{X>ipubcx*D!mrSBgul2shD*LO0o*74Q{(~nT`~6Ky#cXZ9zO)C%N)F+j zxv6&6*C$=lfG&8m86})5x6P=+i+nrCJ8s@|9a<~TJ%_A?R#yf1-L;?z^%uUB5j z7kf9S?2-C%zz*92ZQ8fb$PdwkJXB&!xA*El_c4w=DbvK4dg)EZZ^I;4jxnL48eJjIOTVUuh*B{uw{-#K|<8as7`%C_CwTW&MlX|HQi2F~`K10O2J z#N`03NUNY%CJBcAZL+zzAbj$Bh$_=kN|x6F_@6I-Pe8cn%uTf!F_}dHHC2#g9dhvL z5H$;C^-KYD-&dp~T5F-=j`P!T^Ig_zOQc40!`(mv%Z{*v_>|h!TndooF$OWIA@zpnvCOKA?u-?U3yoH@IyT5L5=uPtJ$? zYi29n7fKC^r@uZO@&l~Xl5^%CL3N_#)InT0I*jZ8pa7u4(iX&U0L(UkiDzbHquUnh zm%7M2)}%=wA(?m$9^m=|MV~Cju(QcvJCn^Bd2M}rD;x7iUkuEy{;B{NNwwj|okRLf z{L0P?FIw&6c(%1A7L?||9pz&!id=Gpd*42jM*wn1$>CQ5`Viw^W^CFQkCyqU_B1Zb zSyBYzO0Q1X!da9Y*VYR~6yLpIo#8C6hz~T;l8mb04EC%GGE1P~jt<&|r-ni04dkmt zUCesIWZO%`*2a)&q%6cN#D;uh!EG^;UiOCo-)PN|p+n%O(jLHB5(Si|8!vc#erGlg znmpCXhLdKa^cv8z^wqV^*71RJt8d9Ns^@`cLqI`pk%D73Nc!{TK7Q=0C_$UyVQubZ z)USfypBnJ6zCmJk^ttvPx+6*vH?Z6Gv7`;RFvmO8?0a45ap+}qB@NS$W2hWWmGqQD zM58ZCh2|qH08~3a-*~Is#`SzRF@VO4(-u>c;03}uUHB2W3Sdd&snMJ{?fZsv>xG-I zPVQ8@y07Wli~-|HShr9$mb>Jt+~nandHB-uqL=0<-*sL4%`iOIg7KJ;t)KmP=00l^ z8zysr^8>Xih=xeL4w;2wIek3f&@C!@$#?#;lRgXlZ&Fm9!8epglH`@6dF}0bh5YhY z47+_l@1vb&jTCy_#O6#E*B9mPegpyQUg&Pnf7i9)tlp$LlU7V|z*5U*bG#f|{>nTa zkRIdORHA#VL;H;Pl7%Qr#0L!%yQ0JU|`U#0gNS0q6#5_Eg=n{@^! zX^1%5A+HIlEo~>4o${)~NkA$YqATQH%eAZ#Y0o}W4rV#X%~dB6D65zD&8w>c2wQ(} zrn910QUy|8<8ED?cGLQm(O5`%?NJBcPZrZ{hfB3;boKOBMwEDOTI4rU(4B?w8Q~$Z zj@(8*t{#pJ-sa}*+xpir=Ltd*VSo&d4t0-@1&60x3w9^*W&n35)~; z>hNmcia31B1tysX2f2St9UE2WnL(mrB;Npg0o?SORVE&cKLIe;4YVm_^g@l}FL`B2yAH zxa7E91}O5bD&o5UC5Q77vqm}mlm5%9sW45w2JqIQ^Nvb6nH16d}Le#bOSOs@rf&-CtL|9~UCRQ8em{qZcB1T%Mqf zu+sM4Gfw0oblt(tsS$TJ5`Svh^&HwKFjT&>CC(Pac-rnpQ~pW~ly=(Fh3?1jvf`@$ zgBY<}YX3CuhEmQl?Hf<}VoIpCU0tg6LGy(fZQmXLNyB#*{Fz6mI$qcI5DHb?z}GdW znHm+*=bKPKr>G3QoA>e)NLfKZuj1)dn$nSXMIvi@sEj-;1mY!#WHg7Om+za2E zQ8IK*_HoHnZQ;{*jz$b$M6t`=8n$TcKJGW@PQ&)2eJ zobHX(yFwRHvv$+<%ZF4IfHT9Xr})1MF$WSIz%|wz`!QS?%a_dizGOxFM>1XFwl5xP zj^2;+u*6)vLlv!G$a`}}!9zXrnj)2_m>908*hzmfY5KXWld`@blsc@fz8GUSBAc{e z4W@?^0SU735VMJp4i~z85cIRL+Uph;D?M*U04YJxslpHFMn+ z!`qb18aU6&((zfnNsAC8VLQnx3ne9x>(?;ACrjYf>uvWwMCz^Wdc$}9g&(mRAi zTNg-gXxZDG^aR}hg}CF75v2F9nM>EEvgu^X_X@4Af3nC`NTuw^S!^&w8?>0O@3L-V zaIVjC2kX18abzVRvbI&F3YooiOSVXt`9jDZne}qPFzBp!E(cH_=+Wl!4kk;C_|i+y zByt&;3?OuoDaDfr+R{4hY`n+^54t^}H zn#>%Ql4GvKDc~3P=-C#%T|?F$rC8k4NyJv@{v_>pY`ZUYTBl!k_2~D|egOkgp9OiD zXfe&GHGbn%RyG?``nR&hfcnsu)l9z(lAWq!=OIbqIycBcc%+8p(I+1OBvG;6nQ7bt z!bQFBuF_S*cKyareIGyE+0M_p{SbI-F?f5D zbiVz|+-dj6a>x9?%$+<`cR%k6v@MeDgp*3YXUZVI7su!uCSo|g;C-5}>ht7uZJoDy z|924MdATMlMCx+>HEHRUp4a1V;H_7%T~k&ZO{ojMi6!LKD`^$n=5F9i++X57R&MPL z2jwI(2K38~kS^pvZ-ud5e02qdgGNIz7w=!i-c{uR?ec#wlsGbd=~t}kZ<^HI70Sd^ zZ~elU$?*AT40-xdfwbr0QWlYrj=1Zv`TulwT7Ad`I6GYc?j9c^SYvMmRFHt2bLx6- zM5F=lZ{&X1m+!nC|Mvcl>0&YZT{t%U&P^@wz6Pw8D$HXf!NvHkn>XSWq_LkQ%n=at zU#T*{o&jB@p=$ym9k@twa}%gwYubs#ixi85jB?09=7I*L__$+*kfC*Cso#_FjSsv1 z#!XiL2d}2@*z;Nc%&RHPd{CL`*GI|E{OGp-=GAnBq<%(0PEo9buHdr%9xc?~~`Tv+Q$ql$|Dp0Pj;vs%v-$FH;L`qsjj0bcN)?~QFd|EkGQ0ACdgJpQ*!m#IEfdRir93?7Ri|1hd~QDtc3nDx*w;jy-Tbdg=Xx z&-U|4ZH!U9S#h# z2n=?)^?FT#KD}B zK$V%wF*h;;pVASsjN=g}BVV&^US%SF^7tME2cE)B1-BrT4YI6DY42DrX- zH&#TQ9mT+rJ+Hj6%Ng+XYkKz&D!YAFP_hGH*Wn$>GKu4#7MIi4!0H#{zOu8-G{ zsyiQv$;sfVS?FC6{;GZba7}z_o`_Rl=bz5-z6{1UxzrYb<@JeY>1E5+Y-@}&Sf)5D2%AQowlTLZK;kb;6W~;yt&eG#k$lJ6{@hF;&ZytVsuUp zW!OBSApzObVw%XakYQ2EFk`h~`-h3*Vg+2%29SV`H~NwWZ~~Y~u-?m%;9|-$13&m* z{?hUZH_fS+V>&+%z#e8`C9cKW9lXAd?gy!}-o4f;_?Qu_4uGQ0ZOCippq{hDzq4Wo zpaY!`!bFDMDjXL(%_oz2-rU0c!s~tV%&9H~6#=GP?{Wx#S>lYev2Xin=`ZK8#e=uhX)*A^u!SbAxv|wINIi`Y#sfA_6)Vki zJRwCMMXn<()#wGx{6hWK2rf&CXAM|0z3LS!ZEdkywnSKglh_QC!S(ktBU1$q=3E++ z1+;yQe9Zp8JEXsk?>C7*)(P?TE-}Es#4)aT@MLa!$JhN@Z;|NJ`TGwSHM|Bvx15Q8 zbPC&|mRS9H-{yU&Sz@@F6~-Z(pDI2S~Ox=nHF zF%(2XfH;vTgD!@}Q?oxmDU*-ArF_{*7Q%qZWOhAWIPG?>g}*2FCB8IWWPL6#=KOVM zNppT<4E26tBO;fF??}$HQmP*C>}(g^8!bh5*=6e8!kkm1oxE_d>!7)VDQlvEH7Itf zJ3S~cEA2G3d3|Z--ao2NTb%tzD4~_GJ@pf4|k$%2Y zJ~|eUz8*wN+!-Yw+MI^L}Ja)-JW`91&tKd!Z63>)BiMsK&kRscTWz=Jw%iz#S}JEm*yr|qkn5um?pK_yWuB9F z*Jf95%$FpgSFFecTOEX)e+%|W$9@%SO>i_-D&|OlW}7HI8_tiSZt#Mg8=uFi@|xYX zh0nr}{&9NI1z!oc;_Xfroes(4*f+V=HWadKuym_AqffGxM+DOy7{lDJDzryT) z+)|j#7ZT8r?IjQN77^9O{nHzlmgK#jfVNIrsd!&yx81Z_=oiPq0l^_lp9{nTB;)vz z=!Ub#*q3JCv-V~)L}%ofkJ+dlJ#16shwnjJd3FPp3tV8_ujZ)NFRYSEdqdoqMl?%t zaXCCBI}yjlyaanv$CCHo4lT~b7CZuupkk)fFQ)ElX?zqC=4Fng*4$3tE$puyo|`Dd+>?O39)`Oa`u^zpXEM4(unsQZ^6CJ1%p?K{0W1U|4czNazLJObt9ciOSUvJ>d;?;Z;V372z9-*cYKu%wxs)oLzF=FGcYJJ-Q3mxBy;ysj?p!(h=(wWV}Ep@IDG7tf%2RtKCbk8(^Ca zyemnL%8G_so3P{1y=S7kc;uWSw!V|meV>vgTF6Wa8VsA}^xZ@|G>?x1))y;a*Vk4W zXr)qEk5DG<8p1>p_WVtq86okuVt&N-?r!YtqwjE*lYC9$4|Wo+hY%7@-NAYU^NfU( zwdBDr=b{VmZ5VavWxiE9tx{y;=1|JKA<;nP1IOrGw3xtZ4U;ImZ2OM?^|9Zz`@7Mb zwEM4X&=Sc^f;ksyutqQNpPr=ubPb9yFagQTb9bN@W17|5db9Ww%v{#$_&yWvUzpP} z5ZCpg#6*6b3xY?N#vU5rlwCHW#CTU=Z}&Ufa2<|wO5tjnZp_sQi5aOkq5yo>VEm4x zOK(~XT`E+@GTv?8vTBxjmV&~U9O!6CG4=CaGAZ=3?fV_{m6OFTjj%%0($+3fC{QS5 zpSiy?4oAko0Xlc^K3Ricp?*dGPoo20#2W4?t^k&#J+X>}T-te7?q#u+luu|!Oq8jg z%K}uYyi>H)z8b~Ua5+tUMEuqq$_i?N4Sf77-c1xqa4{Sdd0e7t{w|sRd6EcFK&Rw7 z*cRnt0Cn}HlYVonByOrW7yaXY&%6B}I_>fAsjy2`?5M=v$8_D&Qq9VRE-Y)B7UoDJ z$7HO1&ilIBR+)*@Y3wL2m-U2Tv#bKX2ZqE$d6_!z7HSfGrlcjOlLRg$dG~-_M?z4^ zGc|7T=Xx2{!^iZXy#?#ikWOu5(22<7I{Kf1o+gO3vBO>Z&-9y1$-o6X9JXT=aNX39 z0^|BE@#_d2dQw_@GI|#QiTF!=Uwsp9nP%#R-Vh_n)s%R71|V!dH&qJ#*3}8FHgN2q z$aCf#{3~BDKc>S4Ja6cbqIm?Ee}3}+x>A3g-=EQS6F$&@7QhDbX4;lH{4O1N8%sv? zWgKW(S>;7wJ60W$Q9PTl%@R$v9rq?l8ueKG^N@7v(-&(cQ6J4MY|VbF`k4Ww{tTZK zF%-Vgx05X9h$ykLPya)%Jkzepe*l3~Ic`oOj$nfLH%vy@9DSZfa#ls`Ds( zt*a{wN+4EF;L;*cliwH{gUjVBlS66d12xIE-+~|!qn(i^c}j*_T6^y&x~@)oTGa`I zR|RpT-Bd!H_4+8A^P?oCl6b!6-EpK3N~YA=1aVpG40aJ%=*a>4RM+vvhy7=QisHMCL++Bs#3=njK6l8|=F{=8 zgfwLd=y@$7H(f}Mp(hBj&alPgJe67puOoI2mED9`Z6YdeSLc7gyh##KS*-L0>xWKT z0a$?^-b>2$?ZMB(TI)t6iGWF<)bZ z$(B(*HVuhvSILma7W|}*B@Yec&NbZfRMhxST>m`Nzsd((%*p_uaIJJqckcaw&TT;&XjlHa z3(Sx4Z;}E&MAYh^Cxt+nhEtuIx1$djF}&^Ql3*Akg#2*^CAsK&toxe|sniaimsIB2 zsifVkHb@~#`e>o#J8t}WV7+~l8+R0{VBVsg$m@jW|WyE-ps(k4krR!#= zR^Y+<=pYvnnq9lq($6f95|10QZn^#-e`7^bXX}-@WLb_lF*Yuq%mTz(t+gz7mCV2# zrXNU?>T7(rsJsEJSYhORB)T2adrc2%@REIKSjm+JcxxX2QJ zy%v>$H(}sh?ELc|hXD$=pA_VSwR^vq>BoH!y-@lGE@7UiWN2EsLu#48qrATQ{ql9% z>5D8LWC1#fRgtR=<-MNWAiN)ycblFEu|hqh7o8|pX~4bSvt_;h{kE8#hFNhJ%G(kS ztA_#~8Qf@4u87@-pC2VeXE_j@%z#R!@o$MF5htpB$AUFs)IYvyu7>y(tC*TpD!LMw`W054F*{L#M;B zCj&E@W)_>{C+AcKVPzHb1IrABqbDRVTn8da799+I(0m$kjLI zs3pWs!cjSW3lI*SSLRBew=1e|nNM48AEcctfq^bub{@`ZgrDdS$zRu63}_^z3Cqh4lZoT}le{aL;R(;;feXMEPDx~#`y zDwn;uEq9_w;IzHINc3@AFpZJTfeyrQPQu&ySoFQMlzTrNx(jkVM+@j=l3coMnuL-+ z>fJIF_mZ)yZazxMm&U2w>n8yA7cxeco+1QeJdRrkq!6`=qry8V*v6sj27!IzUy;D< zAj1m01sFb_&b9wI`g3tx#PyneFT;v|i`p6>ZoihQed+XRPK>W$>}GXgN?>#*O(r1o z*y<#|#U4&?WwZai-#+(aY#(!{&W5R0sTV}JOX57<99UearBi8tTTUIQ{GsQQAs!!S zaovvPB)3j-$%KVoIjI!T71pP^Ai9di_tBMs--bfvRGQs_5Lm7mK>E(gph$yekj$K%97;JbglftI)csAIKe zw)*`)WcmLH@|X~kjMqA{x`U=BI*C#KH6I>B7*g4UtuBj5Pt*uD$LEv@|0P|3gnO9H zKTFm>vfSS4hw+}mS-0C^Li0KknI6Y%6T?ynSTjtwZ`ldarB`lmXfA*dLyeP5odaeW z>?s?H51!JKZ{|AO0b~owTi=X$+3M&&$Uk+Gcb^^`36fJPQX&8#hDM$B6B0ypz0$>) zDKVg1py+vr>Q*W;_gk0>q`ITOB~QdhuvLE6Jn>$7?B*1fT>_UrA7;vT-Tig8h89i~LWg5Z z9dz!^Zra;ho+Aa2S8G}ksmVZrTop_=KW9fdE&te@JtH~L)Y*he&~|09z4KWH)n}L) z5fzDa-3l@S*dbW{F|d}&d&MM=O3DV;cY|(HyjL2{pU8-ot7!r+OcB@D3cBV16`9g) zdC*jfI0#dV?av-+^QIo!G}uTJ{KxeWHs%(Qe^-r^IBJ&&Sop_w*<<^@hOL!|=&m=r z_Zmu<^CZgjL3F@#{C!3OpT{@VbEH`wVq$PxHorO$u76o2*!EqW}& zxc=pu!IA>6oG)<-|QfuhFs*GDmcH0+)Kj0YK#&!jid(ntJs^M4F2 z3CZ}=#S|MiUwth8g>7r_^S1W`T<`sq6jW*QvO;Uf`*ygE#05LB5O4p-_rSIGl9nj5 zSXK>d1NyxcATyk$+Dl)c@+}y}0xuu4!o`Y0i0PoO4Kn!BDp&N8S0`Im499N?_mjB6 zM(QlWPokc_bPit?3mYT&0d4f%RO(29=?tR1H#xYl0TnH5-iJG zH+gbVZ1vMW&XdI?pS`elJ&T##K_6Dx90>VYRf^Mm8Vbj6p!Vx%`gigbm9UPBKFH3_8f-r0L*_B_w?&b%}8{P>RVr-kDnckb)F)>`K}*V&|q z>Pojbi?+Z@w&#ySa{YW%%wrYPg?0+$6ky-1NNu-lVdlVUIia!QCtNt}$#$HL!DiW& zf@@;$%5|cHM7f1l$5uH(Sd88?#3V=Sn2xItci%;TFD^US8TihdTlQ@TxL@9zYgaXo>fY7tKU~F!>b-Q}DOrrddI#B3{0~dkRd9r!aeN zDdAs!3hO+NS)2JSs>EEaG%&}1WLcdf8?1U&ttLPs#_u{5Mi|HnDPnIbqLAP8Iqktd zFm7LpMSQy1-o3?&mt?1~Blkl^6}(=1_x$y5{$G!x{P6EwiHu&QDpj-OwP~u{_sA1XoyJa5Kl8@BT~L4p7%j(U z$;_7vA(F~V+ceROhWO>>OwM$bOZ z=vE1^-i;`q)WDCh7V(S~NJi06gGO_?l)R*+C#%cM_R{_I9lOW+Wwh~60;Kjx8<8=U zO8{_A`WsyOk7NU3(ueWSPxx7zy~nESxdH&pEb&!xc`M7T74~fW@-1tabdDOk5@zGg z(5&uttkl)H?0UKF6(moT8PcL{NHJ)^JEbVM5q+}Et0%Tl$+`T@lxC*U1$$Ra`>3sY zAZHuEYjkod+HPGqk*!j3s{BZFZ-Ag{5A#e5Q*wN}&Symw#@d7}+Y0<$xG;p(KpjT0 z)3dVd;J8+-1gk4;w5Y@*$H+XSRbdenPk*y;10Q=FNyA`$t)kscBd8?eK-ksg2@<3w zg9N!Z&ptf(g) zpnLLP2^)pMc=GXkezW!{elN9c|z1ruy9odq={ws)=5Pt{~$(7tNp0mds zF&(cfqjOdN)q1~hwm_89R*C8ahZc=kkS1pj$dwLCCz{q)-4`1LP|HsefT6bgL?`#{ zuF;|PMIMmI(ZA6~g{O=Y;Zxx~^e>-?@9f8zX97!xzj?3ESpA}fPeavTpl+nkD0S7@ zwCjf`}-#FZ_fUp4cS%6MBFBltM6{04u1* z?rpSwULjG@1pYC=4wRK%5H>fOXpm*b$C_-xt>c)#%flm!IE%wK=a>b!InYP|1)pYh<5yE+m3<+4 z-sf`ZF?p|d<*j?VGkVtO!>D3CZna9ySI1!vddfy(+{bI!wF2&;#QplU!-%>G_L>wE z4Be{=>uj#Ct{96t41-xBQGq-9$}yu>OO6?a7u2kY_zTWv`nNaPW0lZujeU`(^ChNE z^X0}SZ^R`8*>3Y;vtT*RBJMK4BE;?>a)J|a?gM{WuG!&+^33>Y`Z8x*y2^gVqHewv zS|Mpv!309faCLF*pACg&{%_^@MEH>F*yokMmddx9s&{+%Ml;mru63o_pZVKrEvvJR zhZ)9@3^A* zYy*x`EXr{ee3#+v5Wwg!&6yVWXQ<2xU0X-?(-o7byRPiws_3dDcmZ@1Z=07cgm!h7 z8+v_MK`W^IJ)|-UwNxHfVgU7m9em01-(0UK9Ibi^By;|)IQ*xY5<_G7vPr861*(Ea zSFU}`&r@YbASZ2alpgc+$dq+w;Z9{$0n#{lw$0Y^3qqZfyDjMV*X5LpYxL{o*LeEr zSdXsWlP`r!OJL%f>qw+H`9sv?ziOQLTE;!ob`t$7Ml`q`V}(0fftK_$YeflUYmiP3 zv<;~d{gwKx))kFJDy~^q%GrvJz{2cHqQsz#Hn$$gZ4n+ z0_9U#4Ym{WRiE<>WKwgvOtIL2i&C_vkUNGJ>)S~;yP)A|fBi$|!zfW^5yVX7s=(VI zb|(4v(WK2{UMFtY1wZsqVW^Kw+w1N(zqU8_jf|f6Y#*u}NpM}Q&uO34x56lVw9HiW z?1`mG(qAj=)O`u{P7KDc2={(L@q()66aIur|B%LJx z!lBE(xfp1O!H%*`qP%w%{UNX{RJqZGW9FqE7oR3p+o3@cg2kJG4>0Zg((;CR8+Hf@ zw&eZ9)7;MpDHWPaUu7&jJAsdT}7yMJ7C+7NUMd8^c1}GgouH?B%!Wm$IeK=yE)iMunH6_J7~ z=pCibh8Eh{I_VsLE3BtUDl!y}(!5SA((-YZYRB8G(}6g^AMt`$MC8fIA1eh8tCHgc z^w!BZ_h1EI#OI2IA2;PR6R-Roo#bK#{2K1P?K=N@tAU60zF0(&Ep2r&(alE+sEuDd z%|$$_XXLsFk#$e|5{$TyDWNygcl16*Ewx#*Bzn8O4^uTrWZHkbCB=fd9{rtSWO z(2rLtIljg7XZp>5coa6bo4J%AHrbFTmD558iah;hRztbP^xpT*BZ|UurW&FsjXV)= znUVHO@Rk)LQF$IvI!wkpJ&xruZG@Gp4mOuiI3pC57=IgsaE@;%}%*}tTbe^ z`iuZTE_={+Uz+HSs|=BWrz5?m_3%})GOA(^NR#Li1BvkbSsxj6qSEV~ci+DZp7t5w zX|yDhRlEAS$IBUA`O28Jr_H{R=fB~sX$h&|N4Se=ih7NAt@VUon7o^&7nc;OI#x!4 zK!0Qb^to_*a@x;?84I*5PW86NB<0mXYFu)dAog5yAFhMN$$?LspZWeVC5A@kUA=q*@oQ<~2^5T(Co{JneN*=j2ylRKv#|-IDq+QmX`w%x& zDY#@~J)W!Ky{^OMJIA|qTKE&OcnS#A8w2vOxsjk4P=GVgc{ugwQ}|CBP@+BqI+L>q zNT~gqubYTKm1Mzo%JXRS3$rcJU1dpvx+y4*vuVDlsVC8`7>iyjBWa2vm>z)NOdsbdc}zcSqz9Lve{N%2N236&IAw z46v6L?-tN1B0gRF7axPp)&GC{7!Df#9!~vLU;9^OxXbK}mcMl!$Bd`U3RNj|;IP%{ z8cT!qz?;u@v4Isa(ud@Z+B~0-^#S7i*xtX?HNdoW=YPF_J*>1aVrZY3hK%ml5m!@~ zIJe)8a&~Ugccd=XiRTzWD|Xu4Whm8QLA7#D`*0gZNIwi6w3BJ!a?v;9<+7a$Xztsv z4LGr+5wzj?z)STlfGdj!3s+`U8TtGQz+qf@J*nZiI+7dg!b9(TRPMOEePL)zgKVZC zMbwc_^9|vBkgv3d%F&dd*7)0NDyVG|8R`7UM1XwSJ}p?{ZRU#m8w>weOU7R$OMa<= zYJKU?Z?_rRB;p2Np6D;vojqPjU|L|$urY}m4nrl;VzS4gg7{X;`K4@+PNL+!ii-^{ zgsd1Ph@Rg9?vg>94F_p)$cDyP}PybmW`~%nGV^N^1=|g{vP2%nmHg>Pv~WaUS}Z|echUI0}DD*K5o==g3x}*dIW-*qZ(f`pC!|$gCDUM_Y7|zVCGs zXxGhKWcs1meNPEk6ahTC$J2e0Z%M01@^FQ1c7FHkcqMCgHR{4DmW!faa7TQXCZHzyY(&}`}gc4#Ng@V63 z@lcyptWIkl#Xrx1$Qqjt#pX%1xj8%B1Q-^V-k*h%o%x@9+5fX%T>RztMg=M>+tq{Z zk1*sozvW%erncsyNJ?As&!@dW6tY4>nQChM70yQC@t64)%c!Q!p?6L8Au1MR9+Cb_}!Q@7}6Gy5ZUn z$kbom|B``>5)UL+DZ>D9eq1WNs!Hzb`>X%fd;j;3;->xsJa@SC=LGNZ>SC@~x8xM8 z7a)tBK5K^4yUknR8DAc ztg5dPlJ3pN<;{acpv*km%_!>kgzl8UuXH$S><$%vyB#}h1bqv1 zF2Xt^h@&Gr`CIG{X5#*(gZ}p)_>Wfv`0k_hLAF1(W@TD_>S8axzS;A$&uTs)di-g& zv8pvX6?qS{ya@KKxsPfRmAB_bFPcCm8&cdg6lXjtlsW>?UZ0237o3fa+)PdM6$f~O z_+WrYs~}Z6Yz=(a@|A_(6wjI2TyrfRy$Dn4!435FfLI-$j(9c?b4Yd)?b{t8uur9a zKK8s$_QkH6^H%)sK=v!3q7ZRcs-Oz;eJEK~&V9I(HpTcRz%jDvfvguFU;YojH z%kBJ#p;4`oxJoE&zY^+#9nwO(E^77Hgt2E>ZQbA|D0ccALUT(v=$ zXXIOa?eAKLrnXft;#Ezz8be3Wf8=;#b&bJ;hN4<%@&NBVt}Ic7d~Y%Rj~LHPf>x}< zD}4>X2jW~lQhTLaM>LiEp-aq$wWTDe|S{zPf*7QI{+#+^`Z z7b7sPfxai80-l}-Ny^LU7u$}ZZ4PTzw_kOiJ3T3%>2Bco7Ojox6CX%lcW-c9?Qe0> zP>2!+kn}vPQL$HQO7mhAQn7S!rx(a$Pz#way-@DYVq#N&2$Q1>azH znEs?x=xR9|FeUQaLrqt#6uJWHiEoL2T0)dW2*&tfdWT51(~fXE7Vs8MPlK6hT+u;~S8#x}VXqj! z%oxdAJ~vzaK6vtkNGK_hTdtcTg~50_ zJZza^T$r{zDdJV>elr|OoPu^Lm1BjOrKz!d&V}1x+O%7fK zm+JzbJ+F&wq)Tjc!2tf|_)_2yp52z^rQ5_8aau;5ugI-*l2R3OzmBGM&Qa zR@@tD8?b_xfysP{H&d(K4w~K*^!UX*)sMh+j z$0r`xC52@pTSxS7HTbynM)W7{&9+OQ&3_7ybX`dpZOE9jjW-tvwDNt`TE7prG|!_XjAe| z`W^0~l_AACw?gd7m8Qn#en6SYznw2tK~;Ff#s8yQ;K51OK9%_dJg~(l>+I4;_Rx`5 zakMod2vc{?qQL2&*tb+>cpp#X^N&gTfA-v*u#@cVdKWqUR@T3$kIY+bp!iaF1pCYw z(9KLJX2ER|MD41@+f`+#S8=JfkHledVZ^it3mNIb6lLF2?a2FE=L>pdflfQR_~RqmIn61Z0=cJoBk*FibwNFz_`>= z)tWth*dO$wnyup~_lx|k%=*k+CHuj|M~+;CBVs9)k3^N`2YAt`)qqDA&buVO*^>X& zbnVNdrgkT-N{X>^k~stwVt?N6X+R8Brtf4yxA;!k9ryz$*9)+1L?HPLABVwbA#51`g$z=hET|cguhFYqeMS&y~ZZxHp+U zeQ8qKzfSdr3~g!{h*@jnu%o$Joa@V|FiYaxl-U4GPegx_xA{+h>whz9ozZzfA<_`k zr5ZQy%yA#Nu)Xd&J?>felYcfX|8MG2G3)Q=>2nY;s|!9V&VN~j)jEeC7GU6&8CwWj zZ!=+QSroQ;p=Nb9F1YPl{d2&zM&q^TSu>7*ReQB8Sk`OzC&mJM4~T^szRHDet8?0p zyHdP9rb2;9BO^v~QJS3!FJHxdd&4jNl2z$-xez!%(Hx|q0`eMEiTwh&$YHB_&)0O! zrBKMcCr++Vmsr?Z08`wsqbp|E6o#f5i$LaVtR3=C%n6z0n*xb2IR%9wn&^>4{W8T3 z+x$cspd1ze1>qm6M&+kiiTYc)Y;~<-_<;uOX}J|8ml?wU`=J1YN-tP%M!Ln+>oG#= zG$X*I{=M*Yj})_*npRtS#!#~R!mWfhb;>0v;J%~E;V)kcYXkZvQdjXOw00~kp}TRW zAFV~?ha{3B45vM*RgU7{h6462qXd2X5w7P7Gjl&`-+cD=Y9m{5rm25vrU0ko>9+z<3B(X<;ooaK;`N$=;uP$Ne<$A%-Dek?qHXAEd(1u{%c_}uL$_lczX_x}3 z;lmXphvKe`%1=;urcoa-Jcs~|+>T|9h-^NcX7z(M52ZVhIGQ#%CUw|07X*$lQYPCTy-4qO>espl&x_=*`Zugu*GVO**nckl?gV(C@C}3zcM=dy*I0KzBTQ>9>ws6? zJfcK~l9xFoHY$)I#p(+$Oc?W7{zjo&&+9BFSMPINZm(~W+-QZ+%MWU+sa|vm$0`k+ z9k@H&h1CI)EqTzeAmhH$r?K6Gzp7ko?EmAsv@fO+$aNf?bhOl&Y1V)6j3mXTC0ykH zRW5Who<>no-v~jHd{P>uKzoEMazVx<8X>HSl4`q`if;jjZcIH#pMApzf{>~^d=o;< z0|-7%lu7r`-*`a!w=e%Qpt#BO{B-0ne&n!nFAG)9Xezgx>>}{RJ2COk&AudztAmsx*%uX#|yTR}d*MtPiyp z+WG1x8%oJn;Bf*%LozrLlg#>69Q$vD?7+TMph9?PXr=zARsplo+kIVZgznQ&8=t`| zlgLmk#-grd?!CdDM40$@3T94>5TH*g^>2WEUQwT1G1NTbF{#${;%e#H?#mCxzqoFn zqoUnu_l;_^oLu4w!At6sKXZtm0~hm=TD8)Zy$X&MY|O#8sXf4*BmHF#%j;wm_}!$| za%$@(yv^o#Oj#IhP3+-^ckKT2^=MS-aW6|IjyGG|Iiz~~mD;oh+#^lH?F4h2341W! zJ9o`y|3_L9(T6;X@b3?3SKua-xa)2ASEFr3vf-#yDfe1MTaF^GEv7qRg#>->@#a-mL{SjGF5u%u%)larF|rsk|fM|AC2=J2`7Y->gt;4YfV%6 z(*C+NQ@f>A2+f#1_TZJ9wyQSutu%j)Eza52_5!Wl!bur7&-lFv(-vp4u-W$$N^TP) zVP-)ic8Fcb3*8^l0h;lA%rkWOa83To_!RNWAd?$Vdq}6Wua&ZW#MM7=BBfUL+f>d^ z5|ygfOQ#!+E=M*`@d(l{SS*A2i1(%G-*|!fTF>AU+raNMy$%r2h+C@o>Um;Z2NMFc ze0Xpdv1VyE5 zj5pGFoNykmPHge(H!^}=j%ukI_wcO8raDD8t+p#|#}Xcek@U3Yimh`}DHCEqi~wnA z3TIBTPw<|ECzkmR#_7k}9q_SLNRHsqve*!lRaX!m10_I|TW_ ztScHSTZ-)aR%Vu~=-H-_JO;_7!9@4g#(6ZnirvLXhGBD)P1?Y8=lGD#2R$yw;GG8s zP)9aczukdFW+)a-cU2|KjkC13y)-`q$_bc@+ZJbHz5VP*d@wu;7jE|t4{GqJ55 z+C2^>$ejH`9a-3(C8}wnd=XC>{%a~s?7J8s6ec%^*r5*&9%{iSV`7jN*w^YkyVQNl zYmnB2Av)Gj#>M{hTVN|7U`=4+Y1NyRdZ{;S%I0Cu3(J6UYt6%C{i4m*c+`t$$Knlh z;JlCRoy92XB2J~mjDke7x22|I+y+-)ET4h>hLq4$ac{`qLcDwtL@A zgZO3`xJ%y)qj4=`NSmqWuj`BNjbA3k9RvP&J1`ti^;^Zqeud~oAu{!{1J{{c}25@6Oz zFFU@NSPcM5jEWh1@R>cchSwuzrcgDOq~~p#z5#~&nPb~I#W1-*`(h!iM0?E_r;<3X zivKUYTyd68j6j?7(7-dRpj1yJs80+89*A$y?U+;a{{BmW4*-nOALf9B8d46c%6ZoO z!4^}UbSw)gUbglFWrhtpq7x7q+vSjsDO-y9kaC?zrA{++`<-0Kld7_05TcB!@6&+P z?Y#l`FJ4RP(>3rO2XO^{DX(f+ zcbx?OdapV32Mc^2_`{&Yk3hMfU7Zn`518jpC;195qkj=sp zwi#tzOWgcW#Q&W$KPcgysVpU4z5-$Dv3@cm6NrEY+*tMc^olpYaM|lyr$b3oVMv04 zCmDM!vHQ8g>7^bzx>SKCG$d&VQQA4zYKF!=`Y(Ar{VN$7l)O5>(#A!+Lt^C#VqEme z?&I7s<-E#0!XVZtMJ+IHEMV?b`;lW>I36tMPE$pj9ikaA5=L^anxqfu*7Gc5VbV!z zA2{7{;67>+2376u}oeuQoY?_Wqx*9Ezl zs$Y_4rY7%qH&MIs`4HOj*|fTTO=1Od-Enr!(P#PIZQyJxl{ss9Whj9$t&MvR8M&m0Hye-&N++G}hclNboK4b)xxoX-Ve;xs*y z#7BL9BfRx+*>yV^Qk>}ACJeS3JN?ZeV!_1tx!_^7K-3paoRMg#gW37zw((rSEi+4q z)=MBA;zvn;!bqAhJLR3>ar;>5n0-#4ISoiCOy079D2d!H4^=QYbIhW&+D>V;{SXtR zwo=V=)nGkh=HfHjXVpyTgq$L7?ZSu1yAB_gLWkoV%B8zPhY^OZZ6iQ%)4^DpRS<9f zW2wWCJHEuP5^T^-`wwEdv_$v!_++Iozux)wq*D9gQKsaZ;^~K(u7xvrSRFDLE0yn~ zg`1OgsN6s)sO=m*4?y%xQ+Y^rf0V;Lfu(GJn}Zh5(@a{l6(fR#Sjjt1Tb6iU5P~uX zSM$F$YdpETIneH@oJ9dhvn;q%m9?2=?NcaF&R3_Xi^|Ar;ea<`{d#z^598u27H6FE zKT-DY$n3!>>hxQ_t@~f*$q5Gl zDyqv`hIwWo&2}m~c&lqtxoNLA&=SiX$~fPYI(n~nf;n|rAG!(=qXJaG2`q;UY6OU6 z)9=`kQ7@3i|A>Bj+>^Md57MaGZ7k+evD!!z^m;uodvW$TOLXFHtYM zw46e4(ZT=JdpPHCFo`~YaJtXNtb`E!2>VnxG3~r~l7;v{V$BH`hxCS-9qA-sEUyRk zvZkkv>2s({WXzIlY57m!)tB<%GD$lK`n;lDIy;6zwUXgP&;t7I*~`FDx=9yn{799sNg#_+A8q zgX7Saj7+E+i=N_HHA#=`nH%zOQ>ep&o{)Oaquyk>dzj?Iv)59JAhItv(QQr%s#~?? ztp_LBTJXQyDTnsGMn4$WSfKOHpgQj<7o=ZB;pAe7ipY^MV2d%Iu#Blnd7g2%0Zf1u z7x^9;Knxel6gWDm;rtvX3Zsq;!NS(q-^=F=EAH}=u4o8Et2j%L>p!&Dm}1)QJO?b5 zgSYZE`H;y*a=_#&cSXNk(%7`cVpVx)m_@zFoP|^T4jftE~4?nl*Y_XzoqC?CSEj{aQ?en?HjZX)>&YhCY)` zn~ClTu}4mAwY0xC@VGwikM&!MI@m8eSfvD0#;5VFn3_J{S~iUtriR7=Xi;K|ZiqBW zj~UCGsPWObrauJ#)3ZQc%cJhxQw$gKfLZS_GPSnL!0m^vrMSR7Tc{O(Y06jFI-}xt zpYE+s0=RLRZ*r+%CkkMIbYG9k%*o<92D^K!#tLlFaJ9kNL#lsPg_H?@t0Z_n6~t#T zao=MoKnWf*lxBe@^0y?6Jo4E>MkN3IMk^R%SqZc|3^la^=I{{QJOeNwDGfTmRuk#0HA#{dZvd6QPK>4P?*FBoRXHkso9b4&CIvRuG)Mp&3Vz znrKPMJsx~81AFwNjK5R}lOr_C8`ugSS0zLX*o=f7%&k4MY1`O-nL~ND(HSVNNeE0* zTm6v3y4*h&@}z9EJD9cFG1&Ie#04yqM(D=w*M7Fp`xj1OE1JqecZ((&;2qB} zjy5%R&7@4rdcO`jZ)e+u>DHypI(-8+h>zQ{l(KwX%O>4T2*RgIfJ%4zk+0|9%v#+{M6j11m*dMitOQ3$bx?u$)8j$wd+n_bocYG{h8hF z>R>FgE5Xe@jnUfcGQuYTxI@!x?;!ht)ZRroWK+aG%@)w#MY>_H0xf$)Pj;;!EMT{G zdnt;IU-r}>bz!#WjU zI$>SH`Hga+VYWvmG^XEfPlaA3$Q?{C9Y)HH#)JlfuQn$I%qewoIP&9TXE6-?BWEs=^9YT#Xn=EJ&gsJ^4VA zsC+du5IYpKIBVLzV#B$5iHBm+ucnwJ2p`Q=WO)PGTQq;Jq7V3;(znNvqV{Ga)@I_( zq@S6g&E1VxK~&@c8Hr~cEPa0$vt{N9IJEo7B-m7Z zCy&jy3J7|9x$_zaAk|yzPNA>+5XuMC{(}k6r6|t^L)C>BfvU3iMOY}s*dDn<)BETu zBE-g=1jshFVTo2{-|D@W`jWt%s}6C95J{1ZvAqfirDE!v!&fa}8w&EP_*OE)ho_Wy zCTp)Um*zr}JJ^z&WT?_tS|uUW9isyue}K;f4yt6eVtxQ+YJ0hOUvgx#0|I?%c64P9 zOrHTS?uHJ=+YBAp(-|b^K#}dq1Ibwn`VTqUk9ylIxnq{=zz$BdxsxwL-=csaMP;iz z{LM5s|GM#d@HbeG#ajJK38pPc_OEid+|2~1orkHzQ{5Yi7iE}|L+Fe=JW@v(wFB;w z4rW?olZ3PO2%+bMOLs{1PmYA^@g3&TzCQ~?fS=lIXJCACfs%G2(z!TWe^+z%h>_sh zPxkakFnuli?(T4U*>g7F7}79ZDsS8quN;hYXrUWsx!eWQRinxd*-RJY1UVZ~#SU@4 zU{vQxJ;?rmVi+s&fynmDVCbxqG{KsulanELrtMhdm_CMBSZxe*)K)IBpZn>uChlKH z`2_ut^`3CYi+nLFH>FGqU2eSMl<@?O(X>lBnY z;y~ILw|m{7^B(J@LQvkb`IHP)L3-$%bg2DD(wF!KNTFs(SX<2=%d6<8YbQN}YEBJA z2i>JO*V_P27Z4f$fJJyDSvqJL6S|Js?^xz`Fb&c?!nDEAhmH6O z;pD_=a$-`)_&Gk%9`ulZGcCS}98ag5W>sgm)7zU^(!w0@#$x5EJVrG!e-t~dq+pK8 zT{tQfd7IQs5e)_2!s&ZW`wSs+Qvop@ci~iUzYWf5zPer?x<5$kpZC;qp{$Zfsco*W zD+#@g1O1Of+X+TMQR^e^YKque1}Dm#p;`reH_5pq_q48b%iB$Umcsvb>RfSP(MaZrXZLpIA#WDlb`DM0VgauQ}~ zD0j^Ii08aZa<4qhyRulQSoH;)ozhDU&|IV?ORhjqFtozUdb`9(3)S@w5@`U1`8*AN zDikSB>yi|g?4#ZONk=Q>irQ~FH~@3o90E`?=-zYaN*8B*%IURPa(5tp#IxIS z>QjcmP>s}K>~~K{smzNu>$7AD{x{zmB_?E8-n@nQMKSp^KfPR=aS4#{5TH&i$)&9p zljBhK!Y{8I$AAr+jZ45(mIs&nXnR&xS`Mv1qmWZ)!+@FO(Q^r zEHgOEQuT{KrBJPn%Dn+S@H%0l4W6*CvtK{c5(&QB@yVhrt=1O5!!p`M;v7~sT=MNB$xa~} z0IdlUeIXiDJqCqd&3tl{kixi{g1gG(ylUR_#7S6L4Kp9vcq9imCjkuS-Sp9i@r>WT zsIdybL{wf*jMxtjf80DxdRk8+a<4;}57h9y%>N~}bk`j|KE7Y~+i!{onCOSjoYR(p zz1rB~10#i;KmZ!y;zLYlLxvewsp-$lYEX*pMx?-w|CB;XU7Xg+bt5m;jKE1cpodZ( zb1@|o6n2qPSNl{CZLL@5>J;t4SuM6hqSRM0G;WfTTW|Ksy^zjo^_L~UiZ5F#y-~P2 zu{H3QFP_kRQpbUN6T^2xQs=(*zTV&B7Fnp9l6>xF%{&zWrOx6L-Gdzr*4A+A{_fj+ z?H6JQw&XCmY1_T|#)cG_Ob3an6HN{CaA&UAU>JGCk?PZy;!PBC_Vix%>B+(87O*`^ z=`dZhd8#}P`agh=hs4Qd0&0xlkpy!Ba+n~WnM|+a@0-ABOe#Khngt?vFT!(6B!txvlgbkD_Hc%*VnIqd$jziXTFOVW0iFKZkv4 zmC^rg+Q$&g-JD_kM`&sLuf9GH<|<5{o6V^J13%`O|8Z(5TdssVW8lY#lC~lf*2LR5 zx*>V(I6kRetm&nchTk*rspELuS2msbr(jW=&EHHf1f?Z=298zh4N8e`vZpyX(a%wL zfkvp=^i)FdwH7%|0Sdl&;AaP$Mmq040`h*}Sr3{^+el81G441z}eWU=< zEqR|HMY!+|;?FY2{p2}NobqM?7P)6bxKndGEOf9NVaqYu0wY^k;8;itz(3!l&mz1y z*3H$MKnV5<@!cKu5NO27G9{}|YXHD1 zw`#H>c0= zWGt@Cvxf)wTjHV!frq|F=2lRPCrw!=n!%#HS_5pzcN%Y8Y*nKuDm+KRlMTr^3cdXx zk39ewtmBjX>+^Zm<@KJK;SBxZr;f2en}CIl*h69M2^3H+sZEd1_m>*P_iQL+_k;ef zzo+FYTkna8wyzM5gy){{`N6b$>GZo~A<(E-1$YzzjXwd0>W1M%*;bx+I2%gUV{CA4 z_kRwZa#FOF!^i2*>+HP3A`?0n+#XY*`OiL)u7a%Mb0IlvjFfVt&%T-~J(I*3{znO|D2C!Q(;bo`{=5l zJct7l1(c6W@v$le-ZBtN87kK)jl!Jj;t~nu8wEzzvNJffw4<7?aQoTgqVQvas`t@n zUN-JX$7C#HM+*w`8)iBTIdw$?iwj+$jtErAxK+pn)G}cTCmq()Anfjn!=@m66}LY{ zzv(`%geX^Ct5H=pNC*uUt!>Za@78A1@CH1Sd$G-PY?qxS(N%|)_R*ofu9~hr?0!K* zii*eOUWMS0xuUqC2LXoO8xCncBSVAnaXB~Efuy%T5_iYsy7Yhq$6p=+z2@Y%4{qXb zf6Wg7HqdU+jUP>u+m-jh!GT!=w@<+DvNtU|K3|_wn}V0{ zps#G7ca3ki4+pv8b)@gSd?Lq@Cf21j&j~SPy|{*98kn_aehF|bzSF$1DX`xk zgswb6Ykq)yd+%2dQwaW3TYeLdjZt#z{rI;k060hkso?d@v|h|c4SIe$@yD6h1z}ly z8*T4JJpI1ApqG0txV#my^Id&vlY2OHaVZrtv=)B$JBD&Q1{plm?>oE17q}cOHt0Rk zuSuOa1d(4|D|f&snIkjMsh`$a^OU;4)-rw-9Hd(GsvTI@WrsH{IZycwf{xs zeUlV6_Q}zAUdEzL{H?#fS6uj2SmiaF-6hV}*Q_@$bLSlnkUT!5!@{93z{e$jjHl;D z;#FDQC^`m~yB$i_SSxPGZOHAW+w@TsDx21bHO0GAlsZxN7eL7kC%a#R^v@4n@QWNs>k!ko&=0qXj-1+fCn#Wl#Uo(2NYS$~7w$XXaR9 z)spC>Ahj@v0Io;3lE;a_PVb<_bNgp5-PxJGO3xTlrh4Qa34E3|JVEjRQvp3rHb!tk znisweGaje08}5ZYJdtPh>Uc_e_%c7M0Dk;cmx4gw6C5e9kGXz%K3d*mnzis(ynAAz zgBY`D$El@r__7g*>*d@p4xlDID`>1q?aMnzEQUL&_uAY@F=|h)sYL~!W~s8I{c<=& z`r(O}qcYa{OM@6KR_(cpyJ~`7lS|dnBmThV4>W1%b3BOsI_pVxj9ToaiJRLg*3>-0 z3lqb_FokV-sY-S)s=>2Bevo9sLS>9jHS6~4w<{LM=Dqtn8bp?SLhE#YNgxoeJBorJpxwq6ii zJb5B!DZ${tl4^wQ7SRv8u-Cn(E?~cL&>bSBP^*hyWSQkVviZs(sjyn#?U`h*Ki8&c z-jl3SW#+5R?1D^E4_Fhzc`q{l;KIS~0(8<-+K)2v%pMY`zi@|q13Rl3_eXyAFU%0< z?VA<7fh#|+HjG^##h!np-#C0Vd*^uWU8PmcHv96{0H-=w6<-0i>4-|@>(hF{D`KhyhdDVe)%UP-))5Nj%*DQbs zQh6ix`Pot)$E8T`KFvMXO>VVm97t*KV=tULdVBcY`!R75;Ao}DE!=~2Tn|pXx&QWB zLSg;2$hJ4!*84^`#NMd9{SKr^%JH57ysPMFHowhirg^cT!_Cwdh#V+A_4Sj(FMhZj ztG9A^8D}L3VLf7Fe`R*ztlUir&C3yITQS}5-aQ<*c_1Srb458{!$B3e_E#4cJC(am z%0K?CW;w`l$lg(=>y&-=&i>napGWTxJ3fj3%3^AR-{w$|?#n->OOILPbR<94IIqkQ1DZdap<}9 zvHn%USB~QMkHiA=dU2r5S?Cv@hsytlt?v$}`tScgq!49Qh#Y%_j+O0@k#UTSvI!v} zTlUD_``DDdWh9%dV;q}|l${-pd5**Ry?yTA{ri5e-+lLA|F|x$_v`h1J?7JHmi!lw zZ4UJX&mID0Lqu@XB(^6t_-OmJA1P7=RA5?|N`<_uonikv+_$mc#U!G>6DgfVod*a_ zxuvPRac;&|Uh#hIx$FrxZxHD1DQ%6HPRX*#fPv6d(%`SdRJ=fR1ofO)O+$?80`MZ} z@bmQ@4nEEtGXC)ECFDa^uC7?F^CP=VJl3^KReN~)i7``4(}C=CpkY45wrkaTggKc;R(@%5;`cs56$A1tLdB4zDbLIQ24FE)OoBlD2jSIyc zn+lMJ-DyW0f?0CmR;9;J1RU^RZyE5#S(6&~F=q?oGYYcQ%DYV}-aDsR5yNLi)s2Y5 zjH|Rq@UkReGo0|{^&81qjy+99TQuEV!QOs?id+e|ELu?9hgj&n_g$Z0^X@Sw_8s3A zkBdZNvT<<|e;c;}uaODGt^RTc&mqG|d!*H%LuR7m@DfdQm#UW-*VBd%!y9Li@mOop zc+;Z|;jA0zj%J|cAn()$lr z#AJGgJpb2K@vnQMvmqGNK{Dyku{x3Fpz+h!hH9VK8H{BcB*Jo{ruc6xy4z?Q55^w9 z32GC4Suj5q<36EFuO+IzqQO;UH-->7r1&~yaw$vr3~bn|sqa=+9KEEtCW|hkn*h(1 zIMga=T*eRop$=X>w2YHpUk_?7B_KQ^cgu=RP^8g8Qo$@yo42ErD}R15Bb;Do(#XEW z9bamlWSTOruoflh6kaK8M?RfY93vp{!tZ{P`0k-{rmL3wy_7xHVM%f&%uf&AY z`S~{pGigi@zc9spYJtuFDD>}wmFVqs1?{b~f&}s(4Bb%J5-_BP2zod@4xGjN&XP)L z7F8I>NCId0GQi-h*Ir=o6E;v-$d(?fg_*J}9aFI2+a42mgCY!H>OsaHQTBri(*xLj z?MJ!|OfuF9s4>&PdT{@nT4w6Z0TqKJ1;SiyqGrNbz{W05?mDdAJMU#EH(vZ)_`xX2 z7(3Un$Lw)exPJVm_B|r!T{4rm!o&saR@@PSga-#c6SdFOt{%J`jk?V+5*6G_a@#}) zX^66T%|OseITxdU=ZGyPbT%vsy5YtIg7-VomuJnA^!c&nZ)P;LD(~lXE zd~`3MKWT6hJ2Ta(^PIdf3D2$amYRoD>(!h`rOu`h?tZbsoHhMyRGFB`SEJDt@gUD< zp{icQzyA!`*RgcgR2Fiq$E2Ix72jmM|4pT-9aSsF@U!reC=mS7I{C?2bfI@M`$w}$ z5^O{Ir!DE3!3n#dBrCVTx8PKNOFOlh%c6Ftwl&EY%zC%EG5rW$G><)x11VQAD_X3o z)Ks!@DgTx+-Fo?6H?8Y=Zpe9J5(ox!9JJ1L4PU(}plG~gnF<*9WBEnojcy?K>in(r`o)sAc9D3E{c;5_4)m@#|6~)j{iSL`w&q9 z*?OGXYKNdb5=10@JFvKi~3n!A~$* zA`u`DV4EEO&!uV4v`wn+AF z;3WTWj*IP@$g>Y--E!uQnYmz}u;0o+R9GYD=T2Kbx!$q$GOK_lz~QNO8EoZKB0fS1 zv^G)Bi@s;m^7-L%baPN?#M57K$sGuwPROzyHq%c7-K@$Ak3W zHyCpJJPhX>SgCrI8DELA-lY+$qw>EAYs#WQRp#VYVUA z)ALjZ)F#uWrp6=8nvF&GtCR8Ec^kPmRN8aPa#;}9nrXe{ViU~yr;c~pQl*YBd|cV4 zxS-A2B(YX0v+1+S*s`OCdeQgYp1w}_E5r$ySXlQGH??2)7x%F_7M6RV84K0-#5p;& zt7~1uA>hpt>7E#0HjV7#!l=rIAj`^w?5p3IVh85v9tdW61WYNpX-S-wMhPR`7 zKHYOD5jW96P2|!tvZ|ezwrLDT{qp&d(%wS`-wg_;E{p*6qdbv$4??I5)F2ai44w?f zCf<8r^WT{q9LPT5xLiYM(OK02B%kz2ltvXJKjzGh>QL zT9s)>ySeg8gZ^Wd_k$Z3r6kLRLJ|gxv`#2CUeBif_TlPu;1h$HWCI@Zhh05F{^*!z zKS};X+@<~$4{;c#wB&hdrO!Z+b~BE)GtZT+L?P32!$nqm68WLfTe@m`LAqh!+T~Qk zCOU2(NpZl1fawn1L%@x*!xi1`DUe#QN0enp~K6c8{#sKOFiqrT~1p|U(D51$x;ajK39PY^}SjWAKoNj z{iw7VB02Kaovj~GV*RIPRQn=i^vpuLs?Ls#5o0N!eq@%N5Aqf|g!bZmIKWZk6p;A7 zjRcj#=hhf<*14b3K~EE0@o9mv7zCQnf%&;)ldhmwdWnzXuO}%dGgC4 zg-A&4^r&QXlsA45joWo@r$>o(30d&^ru}gLn+^=VA0zv|PCIoDD!|;sc()v90e@PD zEB`LRFC5Uri2F0ol_wExJ|6e0sgUYd$;FZiR)U4V!5hIye&f1?XCd~T?v%Oi>voma zgCC$0_}5|70wuLY&9^mXqq{3wBF6k@r1eYhke~%P?^+ z!;Of2wtz{k*RAzg3VNqe`f9B91vlFLrlam|)u}?>MEZEDeEpyd6J$GlQ9guJJl~K< z2K6_t*-{x$~NUSaYa*uB< zlT(eL(+6B>y4YHvc041J3x=sd77hWo`4^ke&szRRxQ&UZCG1U*ALGNrj>VTAfoLG* z=2viaj*#{%_mzA{FPfBu6OB74ghK2#uBTcY^<5qWBGFuvvF(uZnZOzpiOb#WmK?b_ z=W44D1f5@-zRc0*ob(nvT=SN{R`lMDK^rnK4 z!Q+#Wnko~ospI#X7G8zvEQouzc-GdW;T)l=)9dS30l)0-^ulBsJ_qZYQb&-Tsb(2E zFXL`74+-IHo2qRF#V86QvUI%yN5dZTEYGmVTVGS^{P$xO!ZnhDX`5F_1r)))u2OV* z?{&8gCrLjwRSp)?o@H2B4~;show39xrfI5mHD%EbG^@0eGP?T`1sks(kMDT3u3f~Y z$EB%Nl_x{}-ZF#kx?OVe+N3Q)Tpul}Ob!kB12zF|-*)k(fE#~)PXn)QB4wX*c66aB zrf_`s1p9uNIAFoQRyDthE{wtJZCgRjZVF1e9%vZ7zmt3^qQ^d zQJypLqj=3r7LWcD>KQ07s;vQ8i`e=Ipv;1}J<)`+lm|+4QXjQi;C0;J9mTBS%~Nb{ ztYJ9y*`)oAV#`Xonp3j5qVyL{6^8cvTzThfhu!RtQf%bbf+P>`6Z)QrY{y$`<5b$G z;ZyHEM=!;-4o<1DxxO~Z!&C6D30lKTy=NSFUEnio#{6Skz3o`Zl0)VtyTaIbk+YpP z{oFXUJEi4HV)0!~NsLm?y@-=p8^y8bCYVho{+IOIl;F4rNt)$v8QBI_JJ?`oPQT9Vpkm#9C5?`IZx`Fo3cpLSr zi>BO*CatW`o6!lEQMQiuW|zFV+zpvYBLu2Q>-JHC|( zq{@Q!+m;2rIc>d8f#y3Jt?F$z$0hgaV*H;_fG!g6z#us)f{LeGxK`IAi_LhsyQS74 zdoHwlpucJ}ek^{Z*Y>_%!5X^8$flz>&Hr}u=C?`_!V8}r&ec`?V$otao zZI~(kY%~^KBw(+?`B&@89o1W~s3FAE1#(KzYPN>2dX)`)A#@gc9g}(tkB1BW!^-gG zn`N~{_zfqeeRjH=4e$4lUs*+Z9_?!D;xqE6rzEXUHbKn#bi%KQ)}+I^iO!aJ?jytK zvf@OGoyZWobA{_qYnuLK*ly1ap~vnfveelg@*65U<1?Nu`uYw1fx4KJ?=9>*E(#{E z5p+)Mrxvx7qUk?R5fUjGO*Z;DsjZ5XRM}7ca-CE=d0_uD+>UL_35YeDJ-w!5dDRrX3_AFwFa;C`J;XW^dk0)GSm$E~>p zm`HRD0<7%+8fw6Q0-pwhMtLVL$}J}2|0>Y|m4OUYMjQ=k)Ez24jZ;Q0RXrD&4jrI( z_0C5IU{C!O`E2j75CaghO7IBHmPlxK!(iSvEqufWQuL)XB?QQ zD_ZV`b2g}G$s^N9IcT4@^gYu{)pwVLQ(NsOn?l(yBYpp-3fy?U$(QNgu*->P4VYZg zcClx9Vc8*9Ho7|b;Np{jThDXT0tv0TAr3A|-*{aqUq+3xb5v^Cwo|-HZt@-Q>=@ye zqBlDE5oY@a*LgqUJr`~kxB@pPrcWuwPFlVJr3Q?_{O$CyJ-J1Jd^bp7QS?3s-%k?N z)V!wrcP+r>Q0y|;a8c`R%TIlMR_2)M^ie;!>C4(pc?PoZ3vdRKRE1itT`RV*BJ(sq8@N1e!3>}w# zz?jLC82tlCI#7Pe7Qs8njF|NUj8SoS_CEM+e0XfdL$88b^zi+A5$Y4mD0#lQ@+Z@w zN`xr)uv>7ezVL`0R0Th}V0NlgEM#{s~bXlg(E3A&mCPqj@%!r=w=sEBm%#|_X_yw1l*`#m%c?NnT47NIn zaQ^MN5kpZF`a3L2e8Y_m^s!fHK}m8b6rv;@dh&JguBoF>?xxv^A>qXKqPE zKhFQ;9F9or@2)hL)V(4KAg}AJiaWs1wKQQva=tQX5W_7(e#I^Lp8a~cIQRAbH{NV3 zt8RAxC~*^&v(W3T_D)=K21cu_1G8Pu4L?iy*L+z!BT>85^w;$=V8+!{h!m_U3^o7| z1{X{FCr^l1gu(4kdTt0vbj^jJ{pycor)qp%e=BhS_azoe@ZR?nK~B*5*}q)jBUtZ1 z;^QKfk~;YtcTKDB3g=%^S2Yu>ZzY(H=9$hR6WyEq)7Nl{cgZij`IIf#3FRVk4e(8fQioOd?E{my^ zcd|$q-x`eDK2XeDDaY0Br}V`h3-EB3YYP$I!zOXO^Z1VMLEm$-|9;CwuFE*p)f&bb9 z)>@>Bl7pOSQQv*9;%kmUkbP5a&m0<|-n0+C5m-cG=5?wby8nX3A01@*Q270>G}T?$ z#V_X}UY3q)B)+~5L8RM97CHjlT8)m^a#b3-`)D;*qRI=f#uoq4Y<^&>6n*R4Csp+; zi>9yAn0)Cn2Ea$d%em71{>b9>D}2TcPona}EQ5@3>m~;5=tb5{7>H;at<_JqA8~2~ zFmU9cBU_dkgQ_Oq;LCnbrrUKy0(3gbS)l%j>1(T7o=UL~bOg(0!olI9H8|jp93**A zo`NOhF*5ZVOJEftqdD_B&M#M#T%kB}d^%3Jk#qflPP@$*i!>a&WioBBSJ~57vzh5D z!(*a0>Jon!G=Bx^wyplG`lNrasxwUetN1{H+|1J*&Yk`8foE%SpGnu-37V?r?K1uq z4XWk$B|8WpyR7AlnapKy^Paaw^nVwyaz-uQmDqi8*ithzu~6skZO8$toni}~hi{I80@uj#;kp z$L_kAXZvwxJ=tHjU)XO$LZkN1&QPc8=T(!giKnHM;p%n1ZsTwr!=F$-6~733osfv6Z{4 z>b;@o_~Mp|m!H*yr>IDbx5?+%O`F~1&hzyq3QZ#wOs-yrSG3y2gbI)RBRzyv{}u0TLGi1BT&(ifpYL0G zw-usntzVN+}d;L#al|5*YVrTqup2)Ppy>E*q*ZnrM z<=S|ZbafMa+B*O>Z;(X)0capnp@Y~*aO-mu$Q;Z9N{vv3`c_{I9RjWzTGBJ|wP|gm zapF?RCPE2YQ*pq9PaJzG8pVV0;EIt-WNALVbikcDlxz5`P_di0s4Zh37%npp@3j< z9cIS=a;7YoWQV4<`AT#71Ppj(V}@ysYy{Q zS%5a8*$52ax#Y7JGX#!2bBHEz`8SnoHFH<8_Gy+>M$hlOgFiBcz13Ff+yxn&n5cdhS> z2bWBq>mW+C86GJ)5Zxf>q#$y|Ba{e#KLG%Om%l=De3BG7Z4qV0OOt(}8o@WhCHI(D z3U_Bm7Wq@QqOjZw8dqE16}q`X!mdxDs2&1vU*UPdtmbG@`(x-SkyC-3UuykcZuqmz zl^Yd0->lgDMg9Ak!t9>5yvY5&=rStx@=C_`2b;ehkbKb+S#Xqd+xt56emZ+%_a2h@ z9H3PlR7G&_K2$h`c1=u7q`6%qgsyubHhgK!s*of~G~@|xVn|=ZGF-B?KMMal2S*k#is}P@gyeEie|iR;0YDOBj0GP*pYL66Y&Rh~EyEkSHAUjF@{%M zWCx1#PJ-VV8NgSAWEJ}c=8n3{fm@zfkVKHxW~^=I$5ojCGE14L3e0yExAZCK?!ztB z!DOposqK>dGK*L-EAB}w{fw)$tS>hH<7MBK;d|N@j{(HhN9xv3P=9m?8+JQV(!O1uEVDa1}9Al&)-J{^>&pia4WjXhEu9N#TYib(_{Ds6fp#=dtPnP|y z_S?>0IVJxgV1+JxB$`qP^@x4Jd?rJ`(oO!?aFTjC#+a8P3y^hKJpk}cym7|lWV?VD z5<2k|v*+ONy%D#3g@WK}*%1S7HaBB{C)xU_A>(%^simASG6-7&O^JBUoH0NfKK?OE zC{`t6Kd*C0r_j}e26Bb3oSp!OaN^A3jd;R-99D#mU{0iU`HsbC*cXc;*T4K977`F6 z!-;1#$5=iD*dfa6`lU7<9c}n;qtyREa$D*^USNyl1kt_{9oe^@Un@-Ho`=OsyPKHng_O<{doD%cBUcTlXfPGyYMf`B8d{j^7i#Cwa4Wiv5( z=k=fE=;uomHLjFxsBye~#o+oHF2BK8Or>5y__5Oc;`eEP;wZZo9GjA=>60xUlWanN zlAT`3`-IHb^PnHaq6eQiD0GpSv(Bk<&8;)U&9cj-e%gwuW8_pHEhk_M*kB9n}%S!AU$Q~IahU92cNB2b1J-p<4KL`>uShYAAVas z=uuaRQ>dyR&(}6iLuG)dxv^cu7GWJ=4PaXoxb6i%2_ilb7;5C8j^jee%dFA-17`|m zJ*dmP%I`4W5l=S!*Q^j9p!uj$IUwN+KGfIr?m8gj;PK^dMKl@(eOUDUP@BC5w68h# zB84m7(+_ehEoo9Ud71EfQwEN>Wz?suid`p8QJdc&WI)B$4dPlQzWaFCuqWD|ML;~|j z$c0>%HZV;x#ish~7OpnfBiUBoQe8V05V`<8i}~M>P3f?44{DE}C#9=wytD0l#~gN9+OMo~&v<=psRYIDJ0}7JVt~MA|M4 zDe4p8@c}Ze*`te^O>BJQ3GEO7T-MJk;nEJv>HR<-Tu@CMC*X+iZ}9@WVPdza#mU!L zF<)44=V|FT(jPhGBrbLw7+xU-M|bJ->Q&^g5?mv~=TBGyCj9I$G4Rz<#s`P3 zD+6&DF7WIq&uz&l7B?cWD?La^W?KlP6$oTo$YnyQ95qE=&PW8h--^>90B5KuFvbsZ zl)7p+#8%fHE3H$TmMMabPlEL3xqu%ZX{u{i%2HkPDJsW@t57}f+{c-ArzYlbTwA(C zF?@8AgD4=gWcER@Wscrou0djstQY=G4|kf^%pgZE$nl@wV>mw2vNP#Q#fhOG zPe@6^XVuDScwyDe4y}iMl{x@X!-LnY#i#ij@MFIsCvWb5^kG4>MwL|72SaSe$?*gb zLMKT+{Da;v=Ng@S^q+;NNq#c9lL#m?evG)9thF)Vq)bwRa6l6Co5?(|A#Ol#o`{9p z6YMT^%_rH{bm}B%?!zileTnoiW3{RL0EcuwF;bjO8;D$2rRD{0grQmKJsS-} z*Ud^SVh8h&P0yZ`AG9& zMI+7TD!&)aIU-Wh*K*4k;#JSce>2tvfJO%?IRXlAI%v=dg1THNoz#q~bzYLtb8Ig; zCxi{LnowI#7u)epEt5cXvLeW&w%=NJ7n@U=p;Fvn!))4wVc4Z0bxs9O}d+C9TQCQx`xwO;UlK%N7}%-0b+T18elG#bDd1=%pJq+ zfypOQTD=Kmt}B7h^f4%2qqNiaxZ}jjl?F>)$1kr6j@hIvg8Fq0)QjyGat&|)amX4q z@6d6%4H<#e={X0k)3j}ul}9pV^l4$FmuEwleykfMjMfj3(qQA(8~#NUk5micFHP&3 z8v8EY0Mm4Tt;AVGmUcq%tcmNs%IF!?Uu%(xYlSoyZ^c-pZ(aA0x&O33K{BFYy8X<^ zz6qh#1@a5W@r_nsxz8#08y2P8O|HJrk^!;|Hk4wO{5qG9yH{OeFZqLIxwDP3IQ(yL zKsGD_6n+;n-%QT`zHvEp8*nQcTo>Cq|4 zK!EL>WQcc`Pw1#8#sPKnS&BXjZ4w~&o-X?P-=~|rE}EI{r8brP;RnRHW8kNj154K> z3l@9E!~w`OVtwX81169FyOoL6tv||%qkTbsKkfRiJqKPU;v3E#*ht-0bFI{EcdPl2 zL>z&vFAVVY_lzfiLwa4rV>tY{rw!&;0mmRwf#l8CEoR;oO%VWvcCy-fG*S-4K_Ss6 zQT%S{3UPC_O&u{48y__5cai|Oh~z^!$c;Q3Vqyoqf8Hi<^0{zSQD@%&x_y${53w;J z?~@qRO6%nAX0Zl9Op z{4wRtiL6GQgUn>=58OrdERLCZPoO1Ksifc)SfO1dj7~hKL)(2N@N%HL<+ou4F+0^A?czA> zk>#sm75UB5!}h~5UaLq@lDAX2-y9kPF2+R3c{6%fmtLaARL zvi;Dr*1}`HdBMdI?{1v&vGNt7FQqfkeiqmyJ}_45EV zxUpQ88aIJ7BS$fbsbM<$tsgNtvdSLd260OFVoBhswnxSozMEiMz$@jErn$kT;dy&5 zkB{Z|KjX`-dQsTh#gF%0GuUiV=FdQcT_KqZY9s|(_10T?6#XcVlT~nJdLc+w7-?Cu z8sZJJ>KhtOi3h_jwWMn-ZtY+{+}cwkkeLr{_DhCShg6IpDC|2(m~beG*uo;VS)p;n=qsXe}D~#tTC_ukso#piWQaaOO+VYmT-MRmtcALo}wWg@Dz11iH zB?IA@7tHM%8DjACr%Z@czo7;xIRF@=b1VBb)MmaDq2f2rXuk1Ev%a^#?Ee`Gm@5tq zd1GTN0#byXyGmW>tz`h^Czxhs$R!>d`%Z z6Fi?6IF3}qH^`dmfnmG-&#;XR9Qsd5)gCXfhwb&PPKV+cT9Cp*kj2d~Wy3X*OVhHj zjskJl0a$9XKr07|NW4}v`}keRahNmfUrl(G`R8)z1bc3zh6J{9=Xe!5Uzh^i~-vlU4TsD(ZAuN%=2s)}YdjJemmf&B7kdhLFJ~VT9oiuYH`` zmJZG<4^{(x;{8*8He}fV{QMr?@9wsrS%%lXS(_m?lxZ%lNl}c%KrG=`Hp)>}37}7E zs`y7wpeXDO9o`pto~}{ghrW8`dptg!&v3#S$+8?G!J6f>^;*e^JW&Nl{jXWeD2BJy zxEfmybf9g-tZ)lXkr1z>z$5b*nE6+Js=O}|L(*C~-vA>;KstC$W;S>wxGx0~{&=&J#WTdC2>@7J z{r!lvt8Wxv0M=vHX*f6-X{Ubpu>WZiEw6`IO2_66Dic*jU!P$^fOy9vqJ0_msAMaA=^}F>k@qfa4fc?OtH*=Sj3LUUi)KFyq3zSRM$X zovPEQ%EYRjV$H$p8yV~ZEN3L-cU&%$)Wu7^`UG<*!d`8JiJB1UU;+ZYpyYwC)8j6$ zg_Z5}5&&#GpK3@HzUEBH#BZ7<&(Y>PBEMi+dYZ8qBCe#kVw8RodjeBF&ISd%w>!F< zk(|&5$yL0YBPt-HW0&Ae zhxVqw{`AxqD;C*4MOK(D9F4^wF{0Li1%%3E;uyC;AaV#FxyBpan`9c<@9n&kBDeBm zEX4ez{*27|ha2(hW9myoHD9ek#rF6ym99EyPEtyNkW1yU=#Npr@>E&H_AZxgc;7S+ zqSQ@(l6EM4yN>k;S#)gJd`!XD!Nm0ZPnY0xC<u@A?T3Amlh3f&r9GxK+f|1?x|Sg>27+IBpk2;S^= zHcVxxHL2Z9UEmstq%=u1aaKO+3DfYNpL}Od+Jk4Z@J!qc=wTa@qbDaj@t9pamI43r z-f#PsqsHu?u1I&t`1Y`qPN4U?*e+u!k?QG~)L{=5w+Ul%fly2MF(bZ!9R1q!_L7b7 z_5;$G_)13R8V{t9ds2uF?RKfqAsp3C#!WhI0U{|SVUdBRLTSP*G>CqjZdO+r5Fkzyom49<3 zkhkVN{?D@w9->k^S_w3b5n3zACvXyk7{T5Cs`w2SVwq-g%x{2CEfu+ajF(e#_KY-FO z8jssNGf4UR9AtO#DLAzXNz^YEx^sG+sH>TBm1O^#%k<~ZhDFtMJlJ{pJOFfy7$Avb zEvg{)wSeSp)Utxc<7xC~U-uc65-&(dtREhW@dJi>3-}p$g-?(nHTZ(XkL=6hoXBx` z{o?p4%clv4FGWY}Z-g-LA#wx>zo+Akgxak_=;h>W)9(eq)?{J4o)f6ONBWLcNXrF}3DCP*ub3qT8+EcV# z!}Dv+%X5;2U6=g%shAEadO0AEoW8wf0sAIVi;(y#SLi;v>?HKETZ=GU=_uSzP@m#} z`+UlmY`0FFMcX_gCfa@4IqSKe(l4Cj(a9Ch#v^U_pksPn6M^4G-e>%9XyBA*$rZR}&MZWFn9Dq9@8(w0rC!0hsHX{{_m8f_#nw7OqDdX}fUF;k zy*>A3i`%33tqRjs4OW$kf?FCsZ_-#TkI%Sz1vEYyX8WGb#mMKe+v!N#py{{NGEwFU zmI%fMX5@&R7)Pe+j{mC`EKOQ3cw+^K#Wk^;oF3L~{u5|5#b<2%LV9pr?^VfY-f++A zoQGIYLFS=7m69@2{beF|b!%<&N+h?68r6`M-)^mi3_ftw%uB6M8cVl^Hl!lA$!bu=-4PAcTyhQDf9Hd{u#;X~^k4FNJ4; zwhB}4U!ZOL#7_NPt~^NIVSI+{WPK5LxmYaT{$(Sh`zm;>om1@ccv7+8>EH4ut5mBX zBOR=8NBmQONT~n4Q7)V-SMMa51Hf34IR~{fgURS}Ar{@g9Jm++j_&N4uVun0h2HaI zmvdI<7rTOIr$~W5wD2G+{%dM%CbZ1x7%df>5A#!6Xg(&)w%G@-b&Qe*%<^EqWndHr z4+jXvn(7l)3w{d0-cRnf)n;CgTh61;Z*ADe8$`*Snqr?03k(Y0%;9&g+-1R5nfohl zp|Fl68^*x+qPVdU^MAAE|0ALN#K$)z3iwuB^ZT1+t78?b!Qa$c5B>UX%Z~`Q-}kxp zi1r+F$rFy>rjFe$j%bC4gC_o#u!{QR94wv72u0G%PE_*m_R$Wsf zT`k-O>la)ib?AJU?~ouJ@m+vDvGk3OJu&kKf|-B#>Hv8qmyisVPm9+({_8 z&D7F+L%F%M`BqYPpy?df-O`nEQ~X@7hkyxq*Dgxd-D2Ne`54-t+TKF&99cuqPibjIp5YngKo=ouo#O<#w%W3TulRA-?w3 z>XU_gkj)!lNNR4h+7JaSb!#Q_C}xw?)$!TtD_6Ch&ToGtdBXX0+6}n3?`2q(ymL)^ zn8p_7LM%AbpbRA0uDcZ0)~|EgM^D>r#6}usCmRB#FU&46CnwI`w%J$_UiI?tPo%G! zkJD`h3vOAd*(8-$w>M)t387;}0{eSyum9Zz@NU&V-doG0zDfaz%$e5m@YK0I9sVtb zZvhMSwzdk+W<`H3+4GZcXZ*!4@%W-7PNqLNepddfn;QJ#i;vfn*&2GUBp#GU1b_N3 zcpO+L%D|3$ohh~Mp2TI;SrU*vI5%87VL44@i$dQS3tJ%KqHmZ3J z{}HKCmBi`i_-lR%iwYO}9k{O7Yq+3ALZ=@?(C>PW0`#}%p#kw7SdriL1Tt7&lo&oZ zSq6U>CEe%1W~ID-MfA}oS(!k_)w56AU`59dVD#%DC~Vca?*x<6&P4TR;(%kD@s8=0 z#&kEy+^w%ef{<5t&_UAYL7QbGav8a&BHOPGJfI= z8FZ`IYbStNAy>aGT{o}Q=2rk3a9pLdJnu=(&hA$^$^D0@*+E9<@&BA|MHI8LAndD$ zYjF*v_tfwCuo1kc^4unGe6gaJpxBclt7ycvz3jtu@Hy@B7Qh+b@zm;NOz9VKTeB>d zqi_wJFO` zUvm}T8Gdyh4-Qm`0%<<7bb}V*L$-%ZRSOj#LGeT|%DoRcw)p|5Gp3& zgF?F*>PX4>4a)~)RT)+ywl|W)to;G~!*p~7E^QR;&ZB*F-6(%;N1OAuVK)D=Ko1jm zMrlLY&v0E~(_3q7+}A}Zf2i<0HSBZYtlaAtkv|LXQZinIrPgz&U}r4po7AuPE^b0R zo}FA%Voe4$ND@VO{ffuC4Bs&7r;;*#4ypPtu6>#2{M|HU6);L`=;v&!0tDWghb_gNU!7l9b^^wSw5ZQNq-IX~G}Q0iH0+KuYZ1bLh_GnIxSI{oTS zK(0HHqHgyKWRB6~Xywu=&U?Y=O5+;SI*nw)0lT1@(p@y=3nMZ{JYix;2$Q3ulmM zCWi4v9XP`;43q&I%A^TI%%2aY+Dg3?a#ld5w5j0-c0L|goB@9;saE;fe{&(4wr@u4X@>B~v% zf-PL(5yVqIHpm~H>R)P||6W`;{ntHw5LY53WGrr!*0#bd>lKkbrU+Nl9d;a0c5p*=F>G9M} z=fI0ki}H#MaIl&UB0`EiF;RS*#3v_yW)+W9nJEKkeV=Cxf4tHb_a|;~rQ0fG@@!*& zKd39US6axxe8NmX^~P7-4KV3=!b(BytF7HU1=P)=i!;p2y+%pG=GIQlG0wG6lH z^}MSzzkc@Ma`jB0<7U%y;a~eGY~n==aMzYIOtj{J-M@1n{3|7gwglXF{%3sto6dSg zi7!d@)9+$04(5w-pHIVkQ6S}1qNMN!Hb^n2Iu?*k0>%Q*m{@kDI{65$9xj+B>&Y9z!&b<5M{hZh9xjr6` z=X3n4=q*5+bmsXq8SAV&&DArO`;(noZ({fa`)T&z^xrK*Pm{fND0KKSyKKa0&0D9E zAm+k+z8v9swQ`@%aM26Rr0Iz1z&L6*R@Jx|QTCE9nacBFnfJ|gouq|J z8mJO<1;VLj59^DZuXzbpqjo038d7$DJ(ZYu_)eb5;bQXfR}OFNj=Ou>vf%NJgu6qP zYjSHVs$q6KARD;js=rL5CftCjD(r;M0l4ytHy``mxf%q`*ar_$Y2d0d)i2=&r!3>h zDA8lWuU2P|=``<(eg?uCpjU8fji;OE5WZPo2SDL)$Nh)K!fj>I2ZDwN>ox0`{gEEY zP!iPoQolq-Y`~k;>8$l4(HZ<#qzPE|&1|gI7<+uk5dE0e_sxAqeD~&IfrD_{P~|&@ z_+x36g!g@B6#HB+fprLB-8xpe6L(Arkewk}fH0A1YfaZ``b3n6SBFSF1)k8EqqiDP+ZD zIcJT6JXMgJ8?aXK)jAsF9{R0rdmUwu|8>XursIvYIEsM+_sm24u4(reRKEK<>w)Nh z1MQpWD{|EdzX7><0;iWDETZycu~a&?$<)S1ncfrsnXCK$b0)sv3n_*(Px^$qpJ3Gn zcrYrd+3w3p^B^S}EHz_!&y%#G7h@9gj`Dc8^RDfgPbze1-O@F-JaDSpZ3 zt@Y8Q3Fo~`u}9<4G+YFyr<1|8(K$v?$ zp=(agMXmR~;f&HG8z81O^d9OIbs!lY+&^X2AEF>#6q33;ka-XM1s3R&oYNXH213iyKE!tLuLQB*IT822LcZBIlc(v4n!Is6=d@JLUZLwZ|L zHkFBV9izGU4Ir|sJ1<-*dRXuD@)3AC^#%;v-%UyO(wGUvbmkII;a5hJ?B~&Ug1!?ZrT8pO)G5@2g=zQx-sdfOh%upBPZ*YDvuxN-_qzOXTSLUU}75 zuo_{jGsBY-L6w=c5}Ktvk+V8Q%}l9X@93^TqArT=M;f=Z>2#^;@RKwRhRt{|m+Tg} zZ1@VGS&;n?_FmU91e*v5X7(;Ts9%4kvcmLMU}Bp8xz|#ZjdV|HWP|+~xPIJUDuY@m z@cTyz0hk!3(QjG-obE-}(^D%SWM>vE+~?a*SFh%mzNF<*$|KMwA|N~w*~g=J0XzkE z7ca{dJkGYpWQ%uiaPDMe+k$RCSP|!Z)KJVSXZ}Hfn2W0Ie{DQ z5#j}nU!4d}0J!a0?U{N&4%s;WM8|xg#p}m!j|0RbM zBM0VA3-gB1tUn(@1Qi)_+79sFPsxc#cW%3>e)>h9^pP<2Ed0twLVL)KcN`XFnYQ_< z7a$|e;R3@!qSw0PraE082KBrHZ()@<_O4e6S?p^TH)(tO&np@;*!IRGwr1aU36?jq zNH4l6Hdy^5LU_sZth(hz%6Gkt&at;a)aN=%ts4YX!4Sr2iVJpF`46X5%2b&lOWYgW z!Sz+8RYrLH+vmz3+Kjdreg(KpWueosxe$wGai>DmcHdoOUovo}_cHTNXsQy{d`9o# zbyJ^jfEfV(%8BA_x}?MPffE3rt|_(GUZ?Sw6N;@_0VioeS!WrSpNpKcLS|G04mB5; zcX|#~0D_n)YXEn}pohA0KFRaasG;@AHP%(5js;bI+KE1}q2T2K4(YS^d8U8dZ`)C7 zK>$NXR`|&Z^o$ERE>wph z?b5JqS?d6zOGHD#vx3lz&^}Whl;KuBOE8La^+&QGHwrVA>d#@Z7l2Ba;Fs>`gz=|T z5@i>Jktv`3p;AOE9#m4Ra*bDb2mHN1$LyF-&Jv%*rzcobshqI06eI07o^V2DwaO`9 zHwLa`N~IU~9E8xfJP~+wS`*ud-p`fsu-&@}J*js89%moR1s})NCZ9enL7Q3Q z#imaXM~b8;cO<;5eV1Z8$n~q!Mt(Ib({oV!ruD_x-tRm0yiAL)H%o^VvZ%0;CeIVab1#VS4r@>;m9Bp*Zv({a z-n?$1&bvYZfaj~1KB@{0+vrW)mv;j|j88dy4)FtkV20TJfz{v4_rxDCU#_K2RjSfw zCURbo%j<6s{&0Q`;_n*(tn|>rAUW9wvOV{~p%>2o^{)Tp!9s!G>P5??T58{y5tD+A zZ?B}E8>I1DrqBs~T(W;($LspyTzTYhb4;*>ivQH(Y(qSMXC@)7SPn(YK{O^RW@$}W zD08^Ksom!hif@%=y8>SLbyk1YA|gi#bHSKJ;LA#HDE?x=e)b#Ll3*1ZLaKVM5!WL) zCkXqF*88)O^am+IF;n}Gh&tII%riFEj4d(kC_F05_{#Z|0Ql7~MUSQ2j$l-x?Zs2z zj#QM1a0<6Y=#vs~3iI^*PO&M?WE&KivoU8nS7w(0H>&UfLnT1Q&P5c|l>@6*F^^B^ zM4@$-_b27)B-5mTM|1gLdw?>_i{I{Go;JnF#swV!L(-CU05B_*w@>!fJa%aX4(Gtz z20-M}5D<%U$m<7?+z+*(9q8`=b*$ed9+j;%l} z-yCM9^g?H`Z>J?1*6>O25*^d<;K%kL(h==%D z{pc}o6dm$$E7kVUqkvv@jzfWAfTM!he{-{%+9Q&2Sj#fPemlx#>7qO-Jq+5bo@lG( z@)(Z3fcDx7&0oRG89}eZZvt0+M*ftJGG5gvo|1m==Idb2d(zM;-*#0n%m&4!RGe_w zLA77p#JeBCvHDTdNcxnqZQ#^29GSu?6`W3t9KO?;yfVWCu>&+L?z7fUnflYsegY9A z0HD{8$co>L&gcfrRC9oZG*km8(lMyXMk;XL2{+NhAN2h7y1>t(wemlqNq?t7mupZQ z)*{$`;yM5HNbY4n1(1vo?PORf>AD@m(4<5o+{{1ss$cvyP9}F6XO)L7Q7LrYOwFZjaIyno`gEse6A=v&oUPA}D)}FgP)e%-p~+8k4S3dPGLWfLl<|EcvXaFj^=x z>9KwX?%u;;O}RKVymiyN>Y>5M2}Uoa=r!6Fxe|GvBuc5qh2Hl6A*+%e!T~C3n)Mf7 zy)~TbpT)j93-pI?77S^>w@6LMRI-%VrVQ}gN-RBtPxf%tJ!%VMh~HAU#-5pa~wlWt&$x~0}l zVKV$<0#hM~sA6aEeSkaOu}8#)35i(82)Ae)2W2DquVGq4paA6@-3P{JTsj>KP_D2h zETELc+lySu@!)XMq#(<=ry1l(ih z7WVGI<|am}VKiORa>bX@0QOt4hEE`zJ!ncR8d^Pr4^W{p23o$iuRsXJS_VXeV(urb zhArHRSam3v*||81!&xijwfZU->l6=N5}gg7CfNLg4x2kA8(GUGwpDh&T$U=~sEgLq_~E0u#L&Y1 zgcIO^g6!`#n*EVW{cqkLFvWtu>=fsdQ6Oh^_%^q5;%@OtT)U0NDeoIlSKx`3RF4gF zE-!wg^mNEkDNANsO)HQ{dzsOU)_gep8D;N~g%$E#>boe(=-m;VTDKgf17X(49J{F#0F$dJH40r`q?Z=R{$YPe#(2Kka00giUN(b zE+mihAoI)bxbpp*j!h0dwG%eOfyvlA<)2EH+bHqHG~1uTd!O_EP_n#lyuGl{(8$}W zBV*gnv#|ED+<6hbab7_1j~M@_!OQ>rjUR?OjTMAa6L-x3P*J}OxHlpdN_oIB2Z~fi z7svR-9X@46&`M!T?!!hDgf2;yD*goc##g}8s^I$On06TZ%@KyZG`etFi;>cxcty|d z)qBd*n)*38c0q81H{ury$RED+JQKR#q>jHBe;c4@{y5(d{{v>)aZ(liFCFObp5!Ov(Ct%`_-|9?rH~Ke zfiFIUH_tv8mJ)t_e*0zo(B!QkK1J#BQmul=N4+8X0yt=4DyMg)_LY%e#+YwyM66Z- z)P3ZF@xL_N7=gV?e`vOu)c&6}+Z1rBYGtAO@?%3f1nhmVPsenK+UqYPK>^Lg$cx}t zpQlz52+MU8w>EVDLlZ27$d*%VkiKz_pO?9*z|Kp!GMAlnXX!rk3#M(`@cwJ{Q|2wV z-2ojfhkP?Hhvr_z>z$m(GXr;5(oysh29Xv#-W^lV`QZXzE*&+mJ{S(CCs2#@MZr3X z`4k^(8(BDIUXp_3wkuPpN^3etF5a?`dYGfOoo4GR8~jY8MZys zrx=;SGeO{kMD@kcxsNcWFZ5ZhI<@dADqC-b(6ZshL_Y&ETC2ayXvsDGhfbjZOPw~L zj8biNO#^U{_%B>t+yYGjuiF&rD%H|*luXSFik-(;A5+j4)$5~Cht>F`o4M+L&V?aCSd>c&vEC>3xoa1L5#2k5g zWYo$tRmkCuseU2P?Nbo(;bgd;2tN;Y_O&_y;S$xh#osuJAHkNoqwfuENh<6$XY>NzNfd#dDo$lFRU1uAa}@<|L36{o6aVE=RQ`=ep-r^oz~PQs#b_(M!$ zIoM9*?EyuFsti9NP(p1=1QNS6c{}I^KyRb%zTiA!#;Pwqa&?GnO0iEpaVj^_gU0UZ zt5^@)zNUgepI~{ftNY0}_xTElKhht1H@_Aijw0Fz7YwBZgWK4rBhXK=aVHY_dykY^ zDy3A7{JGLOy)`M762+HJe_DD5XLC*)vZm6CZhyz2B3)jLlD^0Wun1^Vj(U07mVy-7 zoT*oVJ%H8RhZ=&5=jDsqJL{KvwS3yo#zb<=0)qXjlz=#X51@h;@t>3yCX$Smiy84s zzfJ}SHh@Gld(@!E+){3VQJMUhb!KADJao6JEuCyET>LvA7I!}l<`6%5GsuLB>I{a- zZsrMG?_Q0QN}sv>Kj`RXskyo~nQG3ZJU>!HW!NyK8X0Ow=E1_@`;XB%Hr^{&V6=t< z;l-x^Af#sxW+1;Md2CbFXdXWPY5Ymknqav`UJERxf?1BCR{ zJj??){}E#c5vVL)Q9SM3e+3FxHdd&OlQ$*Z5ITf?q;{? ze&?erL0j86xx<{=fo=;4?6HunHfqOQ^TFokpH9X9_j&o(Hzu+a<<8`jKu=JHYh?3m z8K6$09l+r-MDuN$!`dHoeeIIWHNq4;JQ$&vGrZd#@?WXLJW~-8S_|CR2rGY>q5yhf zN{9WXQ+BE$iI-kj70~ihK>-Zn(Ay3hau5&Oj((vd{rAF1mepW%aVioqc0wJVt@$_V z@a6wP9j16n5#bV*9s(Ap@F_}?Y6u59G>?JK4FFYJit&x2kLu$_T^Dy>NmKRSQm!B1 z)#solaMu&%dYR~E%=M%gK!fS5AYrxtut*hT1Da7^)XBM;TdZWJS%u+L-G9-evp4@WqP3IZ0 zOHO?e!s)@>hOI3R{fjt9S-|Kes%>gK_#|G&XBGafDElXYx7m9@+kN0ZXzcbWpr)Bf z61N1snZG)9IU&6raRttiz(;r)*SwsPw+|3|q`Vpff<^Jke8?y-flK&VE$69+Vv8Nj zE`eL$Zb0pF_~`l0hQl?*r1~PelXTNM8(R{I=KFo)Z4}O zH*^m++9p596jaBOgLWJ~3~3Z_$m_9TzKOmRAI`A7X_Lx@?odS+AM(>xm-5V%nJ)oG zAn+M(E%I1Uplu?Kt4&oQ?jz~SIT8dvb(ve&RgE!kRqH4=P8zx)K1-R8ivB}`$eqj~ z)Ic&&4l&oXRm@Fg`ZP(0?8&?Q!fVd)n`0gfKaCLw3N0>Sw7ZeR zY{&&eeC{)4y=GVobK?UG&6SHV3*{>uw!mf*2jyUX`G;Q3MJc%+whT)%@a&~@`KpRZ zTWyW`1!{fvhg-A`w0)E9sUd0vZ_&aTI4SXfZ!Sa$m#rp2lXhd8PZX#Be;cC9+}kWyF|(`Gt5xi zNn1h@e(*eD!<3ob*rwjMow66X!qL|>|r^8)vXU*tt& z=Vm56oYa77jQ}FJ3dAKC&MrO>fx>GQUD^&MFLHS>dSpb-BJm#;s+~b6P3;I!WfPtB z;{Y&Hf}+7beYLT)(f@TD1tT4|a1xV+o7$9kGE*nO_l8kB3p9mjatcKTdMyOH@r}o< z1ff3rw}UagK^BDYp11iU05^6>F^pBJhz=YHh-g`$gsw~osKW72P#kP2Kq+-fdNBo< z;FSUsyw6PMrBWNS!XAU3PlDRj&AD<^houT`Biqe${WO)#*!?m*I)arsQi>0sQ>Ele z?P*JvE24{hh#9mR#!oWnj00O`d~cWv|)Lu1v) z=T*iXQx<)6Xqp!hZaQhDJf%&J_Y{7l8eUOncJ4D;CAPq>coKqvu?|y+mu)5;7~pX< zeYW*8%j!Qpj^I)SqMHVP*M;;gU zQMp&k=u{T4$7K7|BMRuG2L13&PL&^O17a^%&K-8BI{<(<(s>iCDpu)%wB5`s)3MZo zri;_dkD2wsC=QX~(&+_h#bsyPIEP?Qv_xFE;FHk048Dfvr8KjcNQw6_TVVgd!!h0V%HZUPhf@4+&#xuPmw` z?}Yan-^pZ~eRwbv56ob+IO#5yQ`>Fiq`;QMD5v_FovsoxiNq&f4i(JJQ-UJ(^Ry!gx{b=q(j7%fpBX zh}{8ch7VSCJ^lCcMmL%Ia00bffH}^$zvNlbwr`x}G89K+_`gZq{02h*-M0`O78efw zufQt)B%PI**4JT``a`A#v_64{W+5oOtSmL4&g~Jy{MFJR zCdD&-LWG>>%<}?E8B2^4K-#KYs2rJNBy(fiu>?0)zl7e;h%FNSp>g?uX*<=J08B`3 zDKS!I%V%k^Z>u?%eZAxJ@)mt^|K;ln5@ZTV>SqnY2Q{BSK2uYBl$JP_ISH+v-^+Z@ zxo@lT9v(lX3|Vn~7~jyObTs?#sGZX=;t6agGDsN^Mf`Wz4yBe-z9<=k+i%{+FDeB1 z{cpHVR9gN0bia$9j0vP8Mz%5JbagDQ+_RjWaU*W>We`m9Oy>Ps-Vp|TIsmJsf6?!6 z?Js|goZX|eh#LUxikszdfQK|M`P^t_zAGq(ax(`68c0k5s$+sq_~hcljW<)Bj@lg06uYRcU>iu*ax1t%~sV+&0&;u;sOerNjHrW~f6k0<{#To)AOy~-_ zIEvQp2dW&a+8YISas&$?GR-qF)X$w#z%4ogkl`HYNH(3})#$|-I=UruFQ?f6kC9Dd?6 z9=kT{%8pgVf1T$MkB2>(UP|W@Uie)57(ww>hLy`Vc;rmr=a0$hy7~ya5bfN^Y+TVu ziqE!jt}gqMtX$rc+;SWap8t>_nR@XN<7q}d_Sg&09>h|eX8j1FnW%PswVqef1Lc#P ze{)rO4>DL*jPt;W=ItU~c?P45cj^2Xs82p>;j$FIr*48|@{pGHS*OUjE(@N6M0n(d zrQ(b1d-Oz!%I0r9zc9kwjAA%`MmVpgtG|cHH@XxY;uw3?2-K+Id)%U-OH(Xgz8FLBx%u}v6#JWF68x=|Zt&EK;D-!o~& zZm7$6cEtsVU4nTomConk8QY#-Oc&X4ZtXD)63xgD=^3hK$Ms8ei|nq7R+o!=PQ{8G z@En?d-x#agUe?&{lK!59f#iTTp3#}J!TheNMn~Hx`j}SjMUPg~OIvhAzG_Dwnhv|f z=ht8a#SO@Xy_>veLyWa3U^@^V5PN(NS0Y_8Xrs*D*g$>%>!%=XVJM>WwrA#!PdTt~ zaP|u~1Nq0BC%2bQjz9gtS2?q&(L7#F`4Q3-Mn+)0%$BHy4t*-ehG)a%P( z$O8rhEroB5pfTp~j)F;1XiNhjYOasj`M%ld&g@l>-Gxla(R&`1bk=6B!M=jq-YJ`y zGk}Du4%P@|OvhD6YR$%qO{=W-#J1b!x%uy;O8~*QIr+b5MD9X^dGvUIU zbKj+lkxI{H7a=CxrC3+VAYs0`@=0RQd6=xR>H1Fpye)FwJKNOQD)~%yXmZl7vl_d=;{J0HQUcJ5-TJLa6bvR@Z!@qj4WTCM6a zn_phd4c0%w?D~UIdoLM5VL?{@QtT+u#;45+0sR+!N6y8jG99{R<%0>1$YJLRlKA_O z7qS&BA;Zhvb)UP&Jtt@v%9{#4+Jo4;d20S~fB*7tAB_S?VuQQ^u{>({lv-8;8q{L65g&tc~)!h8Nn__RTvTk%|zMkm#l+1gt>!4lzw zqh>~b(1)sg3n5Vl-yL>z??w$@ckHDk5uzK7-OX277B384j0GHsp+)7MFqyS)ErBJl z66e^}b$4gyebI;j#x~Ko0D7f_o;>pkuTv)Jh2g_DD}EYv%N&dmrqPDgO7Kf$lb20L zxLzwUfiQamq8-!V@5ZNZ*w)x(L|4J5j#uu=u&H)kA~QMO6}wd8LtIm|XshEKg*lws zI9efC%(m+9p_8Au90tThs}{`oe0`^nBzKcQt=!|H`0I~}77uXg8_t3XzM%C^`#z5# zwwaYa>RKTMm{HI@Pmd*O!^{WdSx4hLlah^ce)3#?tTkIj8rJU@E0Js#36wilG(3lP zy-N>9yf53;=$sRM`A*MY!X|uqBw=X@S6qK?6~S3#=W{TL{?PZlI78*Tl+n|AhK&+R zU#ppyREHQ@ue|R}#SU|4)AKD}9NZ4w)%&Rh-ZVNx6O_t}gN8Va57d#qi4JmNU#iI{ zVeZNAKyxRMDh8wVcPH3^*Q~JUj844moRcmYOe^I#J-(UzYIM~#4{xpjs%*`|c}_kj zZ#WC9w-`qBG!pBli<)g2K|9BRkU}En)xm&HsKl7<{(IV|hj*vG-rxw}^tP9rCqH7d ztW*R^Bq+Q59jD1%n9cZ)`z|jpZ*g?ErwkC2%bdq_0zL^GnX-tSk`jD3a-;hqW)Iay zWNAKF^~vjln9i7E8>}F^U9FGWfcI+*a8MWA7jRrE9-WX5R~1xZ_w4f8IfwAn>Bf&X z9ZXHrB}|J}2-P6hp84SH>|TA(q(mSJ(S;h%i!EuvVTNj3$xNR((Vr`GSLQ#q^{ z>bD))(R#5!2`md$m6=w~!y+D^Li{03M+xEn1$Bs@>SNcd#k)cr<%HVudOC}(3g?r( z7%a`donjCkyPUB1wTq9^abiv%?PU|83Ok3MU(qw4G4G<@I`mMP5}B%{7hAQ5Y%aPF0>Xn7)3(MJ?W+?SDh8L=N%M9~Gx{2;4Hr7}tc&(IxSN=i| zM69qJLmDu5nBzi;iH->D=a%Jkc5}o@-ktDX-*i_Ogh*CId)LAsbupqOZzJHnZz0OJ z7w(#tG`=~DRRF)EYVfMs9}Q?7M1mxy{l3j|d*1@bLJ&6l8#1>fiQhygj#d_vCuA&_ zhR|MK)JN?Wg;s8JC67Aif4zr@T7q#i#r7}?VwM_GzlW3hs8+fNDvFp|4FK~*a~|f4 zSnUyJGu7hmJ-0RI_62Q(8I!6HyK6Hetz<}_iwB~;hNsVjfF7Oqm!$s$e2e(PNw$x> zQE(j$Bb??rln6U4fJgq^8LeN}%l3iW)z7Eyqqp(nyUWHgH|m|$tM&+;9X~6^45G)p zUE`{@aTcA4EQiqqhBgj%f(Ip=;CuQjB0#X7!>@ZP=@3Rf^{D;d+ae zSJ9Z$UixgeVn_$BW=(s?ZOPA~`v@*HirxP76lQ5Y`vRbNSd=6$n!nBK8Ca5^y%R&?)HVkP6m*7QlV$Il9ge((2VO(dzV zl-)YeKLz$4MXru}?8k~6Zav?{V!cdvieU3IlbMuF^LGLq4}7uI-TA>pPr10dUCax&C74$6b&nL-%;$bpeyk-TWxyp-d(+0wGoHl#L&d6@fm#P)lBtv6IxJh zp4c&2Wkqn7pMD@DiDCaWl3Ee%c_7O3foI}rbL{$A)A9n@?SWKvs3dOkTuC&7wCea{ zV*Yj#E5fr{`>KktSMw_$ORre(Sm0-x;q!&_a+O=3FW(_4F~?Pk!9_p5($sWzSHD??8rmR_C?+-^yhoxc^bW1iX9K zak#gM$^v7TmnsYBoZ*27y~0Ipy~;(c^A)F-a=*MtketcQHgjPZony5JTi(%H%3QIg z!(+AOXRG#zK~EA?WIPWl2Q$$SC61Q2xFvQhtPB5Q?)*HYi<`2Qh(y5DDacGu-Kj@M|O72#^VTyNF7%-2d!CkdoW;Z2u$q6-4zwNCry9)A+NZN_%m zj~YaEAO?hxYS6|#?zQ#K@k=31qA20WXRdw8AFy&Jjl^9evkpozJ3G zTYo$BX$*P8DAL_x4<(;er8KcWxLyn-L8<4B|JvQ0xTJ<>|2n%~Zr;0tgN=7VDOF#4 z`T0xDLl@|8MqL)bJx8O4$?Ck(9)J9Ae8ZUs<LU+ zMm)pTU9ouXwNaOf#+0@o5J(nuUqSA%1>noSxAhg8p{ap4NI_4tr?QoDWAPp7? z$7~cbdOxLt+1DOu(Fyi1ALwpPhjbX;9q;9gp#}x~YUll18P`3NnW>M&YZiM%;m73t(!}n$RRtcU{p{Cy@=N_`V?xc^R<5=d) zg(T1IAAI-SNsR_NBYOQX7}>c{wXT!X%?t%fAY`e1^~y&A#(#cSTA)C3{;+r%bFd9z z`|dtZI~e1G{9%uBF$g0rv~@-#9UQLh(Zi*y5{{O1Tz2b1?i#gp<7=M0q!VPk?9PARdr`ZUDLL zoreoi3|*#cee#Psqs@6}3EV=8Zfb%Bt{t0gUNtAZXsUI7?$14**+)NYb$=JpO8JO6`(PME4;r7dwUCn1` zWT{7u&D|<1q${vd0|P@zCeY@2wv^ zlHACu=X4N{{=AL~b9dZps`r^LOemV7k(pDDiClG=FxTyVi#~+SIu`hRzlDx>7xu7r zANL$zcPZN(xd1wv*+lba9)1rw*qMnxZ|se`+o_F8__@nIKP9~`=ruhxeKbkmX-{ed zhhDymYfM(2(C@BlIBtD<(H*a+A3ZFMhv^mlt(@lfwyQrs$Y77DAz-j)zBYc@y!ZI62x^mHv1;jM#Ucap_x4ZI?@yJbvpYh?n)iHE<Rg@_6dkipjcZ8q}g!gyH%xWRJU%B%vNA*#(IPy*#d$C}lqi zN705@$)n6&C*0qFslHalBXO=&JV|e{}{{9t^L9T?> z-z)|%|MM=~1#v!s1rB11O6i)to@ZmPCp(*!;#xoZU%|2C5=0#>h2~?C(?N1fieaKq z=f`t8I)m*N4CZ;;8&xmX*GAYkSKwi!plj;pJ$0-sKAaC+SId|YgGN7wMJ@Basi%G4$aV)@!@T_-SJbQKVI3r{?z z|9xukKc8~B-<#n9OU#>HXc*caREr7oTn1u*NCm8g-W(Jn`{eE%Bi5c%-@W( zNe|?^^gXg_wYpjwIae;c*K7_bYKrYCI~_2sCthG1X{+9;5ce!I=uRpcTp3-%vm!XW z$AUx;JbgCX#44Csb#_;1-}hcS%xkgycg@d0#9)LOo#BY1Hal3-Kr`0qV9uP>o6j^0SamIGVeey zcLhK)=_Q@uc#41Ik$~9`NjE(w{RkO`*v0%HFd3Jud=Mjrw}&FLfEU2ib6Tz{Z{}%tsY6bFOqtp6@o9=e_d1 zR)o=myN5$)Qi?6aGiGgAm%L&6(zs^E_pw^GQ6VIu>R4ahy+!q@j%z50fqU}P(8zg^ zka2k)`)0e{e!0QVySzJUpFWF{H_*IRefqcZdE1$jr1v@5B;)pURUutH83S!Z3am_R zA-eZjvg5r|EnTb#(u!Djs7QeB`=^1sx0W3(4L#k%jKO8MEWPH2LOkr$23H>@r9epo z1Nj3>{ekJ_QnwE_x|V8drOVjIJG~BxvEP;l>#N)BF90I@++C_#{UOtiYUfh!zNcb% zaQ3zC-dGCKq#Qj3loH@(Vd8sSa#gS zttWbkn|VWVTW{!lEPN~p8=|$jq;G8t=I55qCD+kvk0&o_9%a~0Q%nXV9;WB z9C}yOlD(u%nu=+!DTV2qonw~yP0q{xgEjM0tMZO7gnZxNzRrx*6=6+Hum}>-*PIja ze)wo5ABer4G`P!aL8hU@@nY_+Q})Xa_B~zO{wB1`np8aMba|t7BGjOHtUX93zq?57 z&2Lst`OV76y62{nN4|9d(mHELb0t=hb;xyV@1B=NM`a})ZK#D~rbhd^m7Lp%w#4cx za~jZu!vO6`Vd`u?3Q#eEz7lf7pZ?HH?aJT69p?6b@rI2Pg=ryYDA5JKyTrKs--nnaPS+Vpgto-{DI-nj1wqlCZZ?V*UrW%$ue1+E}4G zy7e;VZr$P&)jRWJNE|*1$K~_Ga{Ai^!aeNsw>Cz-R3?|CtdP_UO-1v0q4}fTs*?!; znc_<9OAos^yKv9MqgiaK?}iOmBTs>$?{(MZgpJRLDkYGl!=j)#=-HxXz0P6IR)T?7 zzwt6(#VTBF-4C1!tJezx#>4DIYW}~OKIu2px9;B`Z8{>=caRB7*t*>-IXJqH7DT%n z9^2P0leFtkT=wA+ymJTT;iTn0Kp3OP)E}-(j~90oy=s9U6POwhHV9RaNjZ$_ZIOy z`l%rk!s~gGZmNamV2hEDq02dNS+9KAM6+_jz5rq*Jf81ACF#{W z7XIk@YEEl5LQm;Aoqsb1NYsUa;c+Ct7Io0Sx&)K$ySw8P-ZoXU%rLOS%ibGd zLIJhQZy1pr=!1a4=(8}qNX1Y0leTaH^k8f)sRi&YJkWhSA#Hx=n78rRy^nGBV?lyQ z-lh0q_)uo;n*IdGFYxyw@zcJU9HhImDgAJcKAYc~H-=942bIf z!_mQ~UClWKw^4OK1iexCs^=kwv|Nm6{a_B{94@DpUngOoqoZ_5GbY5m`Me31ooVr4 zHC!z_vuP=PKTfIg-QLT*plg|L-%Uv6Wv?f(^3e03%0#epqxg+oC>sesjCR&ZS&AOvC2khHfoy{zWlD2l!&xE0TJO0pJ(d9yJD&E*!bj zFA-&&hrRuX-%4QKEc<#Dq~&t+@le{jjKLx+BsmLvd>GKeA6oY?qz3so|16t*ler=- zkX2z^mDM$78L!c!<65|te#Z0wGapV8X~JXn;_T-3D4<8ZG9SGs?CxHFJ9k?V zRQXha<~KyqU;Jo5?fdcf-%Z@^sa~N8*)fB+8prOSAKe)arh5|a%cS^r7CvFc8T;3^ zncy7f(4I~jU;6Ix&+sVyN~{*%Ttoqqo~WnIrJlI_q!5E1z`GHihO&y}qb{!m?RL*G zh3JjeIqVF=IZpvi1kVpvf+Ex6Az{)*_b1O^j=`I5iJWbqqT&(`rRvj(Ni6eRD&!rc zvOtx2zsUe>xna7NKYjM9HoEL*g_Yg+9VB+{+~$`xyvEs0)}fLYr{6Rm06$)K8)rQ} zZ}f6PPmZ}diDpuZZ~vyc7);#cxIqfkLp??tem=sU98NFe%9`jb zIvyXNF<`73-U>f1YP!3cxH03cl)uYo@2)amx6SQ*aEJa<6ACImT>u(M z`Tf_^-MSTJkW484>GGiRIk7E-=Ad=3dYdrdG66%%(`#T9YXY7 zoi&uMh+(D_<$VrfTn~6FdJg=7v6lu%ui@<6jb~E6$z9SKyV{c^2B!3$Dax>1H<26!tV{1YMD>`DF!T z-R+dXm)9K3B^>wp2pdc7gnIYbOj};XU!>0$;?w;_<&6=p~7(-un zn1qdyimF&+t&u+Hm{>*8+(hhwNPi)EadJ}dWznWwTGudfdAx2RV0zxJD(=eKjD2%b zKw2!C?=pP(-mZ_6h9oqX`z;X5hT!*wlZv+`Y{vtI2r&)JPV=_DU`5PK`umZ2V|M>0*+Lkz<_ z(hw(ajJV)mXS=fp7Zt|o4&mR3aNK0K6DQvG7<)W(b3WrX(gRS!V^@jM&Zjy`N)Nd0 zNwwxbJ?d_4@g6VvD;TZKq}3vZb2?}ZgXtM(P1WQj4sPif z@qvDni^4)JQj5ihH&^2$(!prQlL%^HgN~5e2Cr~cLAMc7O|oeD(NWbbxf5n4iw&N7ll;EH0#sYE6QHnuF^fA)v>V@pxrTfaF$vBrB4Gi6%^9-lfw4J`2RRd zYGimK?GGVH(2au3(5E))b`HLJ*WBMFHlAVDD>}#q9=dpJx9$e0j=Wy8jwDL?zpy-7w^|=KO$FwSrObJ&#igi6 z04&JffF8t>q`UGmXE`Cu)%D~c%tXTr1P+#Jx4FAG0hmG2W^BLPDePQBxquS@KyBj@5>$iXkd6yDEDwQ9Ty$AXmz-7(O#x-$kJtk z+cy|-hiQi-t38-rifn%{wAc3joajT@1*)7+PBC(6ump?dynAj| zP1(WwBOPtiP`weOGCXLYIf zQrNK4Q?&QzR1sk%kSdnmTiLp(LQ!MtN3V!N=VKs5pblT^^a5lzyngNqzHGBWexhEp zUYPE1kNt{bK102T9Ex@_3g|!AQeWUR#l43IpemD~dKXR_dU>##$=75UEg8bqK)t5o z)xWFn5#Mn3Ht>cdHhy-`D_O63-hkKM_hOb^Rjv-cD8pT^3PQ3UJ-fetHkX;+T|2>( zS@kjUEot8ZYIFoJi;~F|WI~Eo+1p-JPmXJt1^4FI6z+7_gjdx~)vHz0{yU@KOT0Hv zM%P&?vg7Q$H&=z6aLf<;N0(bi-&Y37@0js4uXDX}(-a+)0bN#f-ug43(&K9L^T0mv za1TiJ7WAcl+e6UK9eYC4&YRw%d|T=yvxo|J@Vlo=ZfSfrZ0IlLU(;+zJG0#lk46{i z!K#kkv%{W9pq&9&6&dk``0J|C08JNc0uG2i847#6?nhCUEYbrC* zaqw3*b~9FI?tR+G093s$RVBo#1T?<@zp!Z)tb42LX2&w~cs7Oz=qq&rf5`pRft#WT zoVV!JLELEwsC6=72w(%M2_Q%NylCqhHG-`+`H)?^A#wz^Mn~>03a;KH&!>@@7&0i8XRxY_oq5P-!Q0 zepu?L44Rb`8~D&Vm<@>L^Iv{$qdukgV+bZ#m~ibc53pd+*|kP1TW%Npe&=P2exbMl zW<2>M-<|M9Jq;D))79=b%h8?8dVhX*QtekkHKBt*{(0%kE>iZ1trneZ!k*$9mJ>&9fcu{VzPlK6aI-%EIQ z=~VE5^KRh;>QvQYW!uL*(v>G|4Oi&G(gQIysk?=RaAH=pLYWJB$Wr*?g0{=ap!)lv zg^1}|wJ_9>>wAK(P|3-`b>3*~hS&fwaD1e(M_dU4tcVV}@l(+KpC)o2ra^3qGRD9OMT8gS^94maP#c(#~VS}Mn$8iGBkbJ6y zU(HP-!TTc=7Z&lW<9UfZ9T>-Sc0xbKmao~5n#a$Q_*z6ALe1)t^6b@pG)Mm&Zuwzv z{1HV<2FAdBIoOd}@iE$!|D=^*;Ib2Rf?P;-Js{PRHY}@%U94AVt<~KO)_$FHPO1

zU(s%#mf7(kYpxfN!Y7iul!xT&|6F^c6-qBl35(Th=oY?romViZBc4$%{Nm$r*~bUb zV4c(;jIk|U2J=t8Gft3$k{X1> z>8#iQ?I(}xugW3_pAEQ^{i`EM2x<4?1F9NMuhr3nb|iFPE{BHQ{Wu%AKd!!DZPIxJ4PqqZiwt1?I=M$@3XFrgh@pXLM2hTGtmll zl+*PiF5AZqwuk|_x?LMF>0d6paEZiJxb0t^#?M<+bGT7Am`SXUE^~ZV8Y;OF@NuT@#TR15vfesZJYDhStJ4#cFuRicdlw&=z zkFg;nxYBRa&6d@u4KF0r9ErjpKMbe zSKIFUyDt7=5WDX$I(YQMaKBN@;jF$7O);M5fus>_{`lLLbFUHCdOj--M-e14;>|BD z)@P^Jc066}y}ki(@Hm<7flJL<>!#Zqc zWbIegkRrL+#bRYoDP1f+eQCkjA4E;at_r$?;YbAQswUd2ewUbk*hR|7kfv{l3n7@y z1Ja19pc$4C1B?g524d|uqeJ14ZG{+BS|{M2a=xS`L zl8(zn4O0;nukD2GetGC|!{1YDflTpw@kGGRqBLSc-8>yvr&QKVYQYviHE8{dom^Ts zE+vXrPqbzx1k8`A*f5uTeAGZU%-%^}iGI0P@8rdBc8lI2?>dV#o!p!!;D@pyfm1;?q^JjkOd}6OQ1)_%L7Vp3;#3X#rYam<85t@J9@5 z#+D8I-%)MZVZ*;sZR^d5fh4;G6%DZLQP%0Vd)$H$1L??~ygoZiux=mX{30lT45yTxbKok9srkG7R0;lXZaH?`-~H`6CnO1y zV*s_FS<_>!NQH`BhzFKi`*#8wyh}rinM@>LTrtJclN1;qnmmc{r6@9#WY{0Jy72A) zFYxo8pE`Q}{QDr*^Oo1%*(uJjBLT~o_t`CHn~l1%cAQd{ zbOFD3JWQU7DArGwP~NNVJ0`qG7`|>-{k92<}q)KG4gt|%OB4+XiIwc z9Z4qLGM&Vzh0ju18C8BmQKs50rTlu9$Urwk%XsnAW;FNrWA(xEh?O*jJc2ybV5C6A zv5-PUbtVCBK=JD9UiCi(cKkcFeLLufPwEIxd}&5dQc?-bId(Sx5_M+e07aaS1U>_T?$CQ~e}B847iqcv2ys_~mlybSuw$~sjM&8I(V#0}03#l; zqoZgiF;iJc>0uelb0*r&-gFXwq(FnNJ4f{!i^3+O1!!`=3HNso;K~c`=MvF`*(D5q z7|DJP$Dv6UpkfO^F^|iWP1RE*7=B+w7&PDUy?qp(N!d>n24%*z1 z!isKdu=Tf8=}jAVJi{YAE;(DbvUcU>3vz0r=qTv!so64p^L$6s$q|3BpvccPn(jYY zlCj53gMkt_d*Jwd3*|fDRfhi!V9sOmv#{Vl9{}%1Unr2Rj%33n`*s-}ySPIZ@gzWy z)MEhqc4`n_kgUc2KyhCrHgg@a3xQr-Mq>{Q3E|nG_2;59H!EuK$K>gb(eVhkLff|M zJvS5j6p1>4yAY=QF}IG6xlZl-d+Lnfo`f`WjZ7R}^6b^&);dmv64wKFux~27rMY z%cF(V;ojA>E=o!00~B>XxZ)R}J!P~x%MYjNQWc34Nbpbv5^&!PiUjR^VyI7)sktd* zdiK(n;_B`b;P*Klj?eV&Cq?|SD|lx?;noYZStZK7w9|dMuzG`DGMukt`CJt(n6I62 z<`2gZlkypsY1)r;84a>wg`}VvSvVjTv#?8F?h38RrN#lYR04>m|5r!y@4MRn{PRc1 zkE0K;ykPuAQ%8w_FF!P9OO9;1Lw4RZd8=6C8Uju&2Ot6Ko>QAX3O zVGUhQV6X9Ps;(SVa72LetXx!!aaIL(zed%%4n%zcuUlYpq@?ZU+L&SCR9z{DWje(* zMRYFZFyB$^o?JlLz~|8HPppSJTGScW6iTJTHdVMZwDi&AJ~2I$LxH&+p)eYhY`4BPxkZkhykz^%4+?t%zRe=_9%Q2G+>$oEC?O<+e;PO zcnhdg>hsrRfA@UR9a)Ibo|sY~F(8k!*S<{BYF=NI}kAr#uD__!a z4^mlVJoMZG^XypKU1Er)shTnCt7E03Zy;4pUJDns{Vrp9H2Dy!$H&KSh3ern7eOfx zLnGeg1CH(f^ZBoXhzJ~lWYsh}rGRd((D$y<*ne(hKl_8V<@$pFh&yK< zjPxEDqCg>c2ra%@alrKC?lsB-9PhR3wIfedpFVWkN=WaEYZ|zyA#q*qvmr!?j&T~M z5|kS(wY=JHF2TV9n1>3jTR`Lhv;37~+h|mFCJu15BypG!R1bmoxVdS)PA&+Q8?31~ ziU2=SfX-4)OcyoN8mWtsXEF4P zP%SIY+OP>{Z3d&m0>9{dETMENmqVYj+zdEpG?*aC4C|k+e*cy$ss-y^0|0l%z9*zU z@mbmtd?#_YD9ht4`E9k-j@^NpG;20I&&zYWuGjXzfkX6VVucCoBAAuvh0k}p(o~bC z%O>jgdT2 zu}`~_>#tcw@5x^>SnMZ$bL}Fanhh{~R+MSb`-cRBPz0^Ls!-G(=H+Ls62p*3%M)?%B8FVl}V+8z~{0|wux!lHG02o=DL z+F!fIw$4l+{Xl<9948^8;81ZTDz{vXuC(LaV= zIxzDjW4~!9hBR%5&(Yisrn2G?pG!VnUAozkXQiKnMs)cvSQ5V(X3f8m8dJdT@Yo%q z>~l>t6s}KSt#4&wgkHG>+p&DN`(U>y>oA@{9YvL$0N+mU8nf$I#rM#S`dbx8EW7WS zB%O5(SIoK6yiEY2o@G&`A2O>cHcEEn)P!n7X-khNgSMnZ)5M&{dq;KJ9w3!TKBCPK zjC_87h-2k$wDfa_?%x14Uuy@3ep;SiJ8b@gnCgY(y2Qx^*3eZn>4U(=Hr)s|Xr z)TezLR}02BUMo9fe$`JeZ!h9a`cPIiy|L1m*1n9-gOEhwU}b zZ%j@Y-W$bt?(UZCI1Y}{%O5FdnXwDg;{gTIi1SGPsnBkWvFd6+JRJ%Vl04b+^o!tO z_9xg@Znp{7RV!$MiMHJOr{ew?c?8;zkgn>JBoFi8%NuU56uVDe|0o#$Up|We7Ygj; zm6%)15%ThcMtosDb?TdGenZ@|k&Ub5bn)}A+Gy?OLqk@{SO&L#cF-kvpx6(Q-84h`l2gDq~mg&eKj)CmtNYA zdd@Zs$~otlt)r2_yBcCT+uwz8(Lt2y(^dtIu-kk%QhF|Gzgw@{H!saoTkOvcpMXR` z+{Bg!KqK#F)qr3glCPx-V?^*Lpnt@+ERe`x2(`io^RRxBR3zjRbGrItyYbHb?WPcS zXUGPC;|hM}Psr3V=5-G1r}@~0%-aC1GEn=vW5tVK{Pzz+|Hp$E)dv*;rtz5_W`xI% zjjzGcFI`MGhD;`RFHKHw9k)h>8eWf6oXo*TT=j=Lxe+;ZMUmXU2&C>~{{?~cwC&5H zSWi=#ucx;5cDIWypuPRl+u-sLHK7N3Y}+H0)7HYrR7Dt|1~D-53(t|w{bl#ZfX;X{ zEK%2cMn|csM942MHLiGn&Jsp!OoNYN`KJhYK*|TQYyMF`b{>>8`S^!d$#8PE5b_t9 zoOCK=Z6fj~7s|cx^;+sLJ_zLl@U452k2Dj6u6bIKsD+DnQraAJP%&OHv@O@)Qc5y1 zwmGG64Slj=lK`YREyYrs!7+rmFEnLBlaCH@xP95#Yz-!S7D64lJ(e!r$||8FMVHTt z>QH*{u>i<)S7bE6+wD{N_3P`#;GW*O44 zLlR`!qz}5a>qis)Q1gDPYr@M#6_YA1s(iY4+t;azMGkro{O3xpYQYa~0ZvW4Iz~%H z{~_AwaGmnv6=C1WtK+YZ7hEFFI^TKSW)18hzsscG+6qn9-fr6V-RQlminq0HPlyfa z6fm_YF*iG>)u2%Np-2@=c(~g8M7}wYpP4Ia_snYl6oYjK!nOE}B31M}VDFN5L#1XT zT-?4zxaNI%6YBH$YsBe={KYxW(ehLMft-8F5ck7v8y4Sgj)#`s!{YzGf z5SoB=h zy6B$Ga(f>4s9!%Xm8blp!ZgpTUAc>*uBajFXTPZ z`~CbC$?YZ&d51vdBTY_+*XD;bERN#~>taT85}ZtHt02m23#*{Iugk_WZMBJBJKdqk`5FJc0qYRGvL{l5R-C zDN&ZMsMMwx@p6XyCM?Srl>*5?gpefNz$}c0-Rk6cBBY^ms{g7sBs-q zjNv*hsr0%J%^aGmi^SSuXVMArJ)UbfZ35SR`_>ty(Asp__?}Z5A3fhBCghN0u5~V{ zPP{`F=V4|ME5DEfQ=&jK`asgmw0*%H>o^WrH2&$cZ;xM)zWqw;r+X70=oFMXZn`|e3pTqLKAO1+D6S=d7UNEGo8BSp75dv-PYqUIzrc0=%6uGp!DBak zJJp0wOp2JtD~^1!s%qz3Dcy=S7Ihodqo8{Be9d^pX@JTI>?Y_2-ZxiSk@E4tUyU?j zNTGtT0CB1rs(=v289NW}Le$xU7z-{_D#7DH2WjD>uMPZm+y@TbWP}vFfn2hr=aOS~ z54mHp^1)nrEc}7!zzv?(PsulI}J47f6+^S zSgp(@&+(9HR*4iC30!jBaAldURYvdfF}WMzK-tK61)7OO3c}`6*H*uL%tX^>xreIe zKUw)=q>onSDVGUpb+oQ>(bsdXW2bteW+*b^?599C0*i|Q-M4iu65NvoB39h znTjOn+imCZq&Aq3a&&AEnwI>q;rw74Lhl+LHkE_W_Hmg~sK4D%LWbM5mhv-im7QWF zp}RWlz1t98=G({CUCIG=b=|-gfS^+|i+s>9X7>|B9!fdU$m1W=$yY{LB##q8HbuB}5`%JEB+B-$~Ql)pE{kGF}H5NpD+siXO=XS#s3R%VYo zol^gpyT0F^nw11m#^PFkMjhc@_zxj`AY3p}k{k2cNA1>((rU}0l3Q_~qh6z2a&ASL z@Y6b6H5-x)XyF=UCsp`%Jvg82Yka-Vs6HSx)(26MKUH#}%EY@u$w+(p(Q~u%07xc! zZmO=k0)+-va(;u&wzcBuy>WV~+lTi$CYpjC1EK=BvtqXXP?YR$_>#;QvF|8YL|tsK zG->T=-_|No)|2JE)^T|RgUS1s!Q93uCXjiFmodY#k%;RF@))8D1C9h#*+E0YOs5`j zRZw{0X7Or=9}~o4n9_!a04&;is)u;5N>t?9_yP!zD#NxedSzZtwOyU% zCxN7#6erVklhto4uRhim^|-kw3HPmiZ7p-tg{}#6gH(<8EMD;h z1g7Bb8-oWr4Tx5tVrHe~!TGdOT$fLRMSM=tuk$6flK^;ZuxLD*?PN^;=;;y0A+y6l znU{IPJ!x(gkS$RMK;<*@cJUSbk+pJ7q#R-P$y`>#O8dvN|1=7*g>>jzoOin)jXiC1 z|FZqjjSNjOY?@#_>BQ?va|Yet`ZMmN@Z%_fAgv{(9~P!0G{LNxm!PT^s+;N zy=#LusJsY!EuQhvcdO1;vtzpvj}QJ0`qYH5R)+T*X;$jB7_cT4$4Hf?@6Y9$&Y;Jp z6#Uc)XK?h1*wv>tU|mMPECDe8r3{GvMZkffd3` zedIr4F^|YvY!^R0Ruo@CtrzP?Vb0cZ(+ps?{tW~3W-w*Lwi7^Jq4q12m4=0}rNLRe zJs_m$+J$wkrde5KLUjWY7xkpUQ3eFSp72*1fX0bU!Sm84f11ooOKJ7oBef@5lE(!~ zO=#$nlZK1qTC&y4z7Kbf7dgvV%ZXQOmrw9UAFZv@ou#o~$}S(2s2CcLk$%{oU&b|= z!Z-Ki+23&UBsELol!180b#dW(Kx+W)XSSrU^>OX`LoLOg+6{Vh>00(@s%nmGC}T^` zZW416P7FK(I(d$Vot6S@?h&aO?^+V=p%2i(qb~~G*lcgyY*w1-?^5Vs@@De zjKhwSTU-XeME<}15Z!Jgx;JwxU2zwWup-#XO0tbAB-Z4zoemSt;fHI-Pr;A6v z2-tBN^$3c@oEmKHI>e`kxv%}Z149a|I%~J>l|dBBy+FFY+keu(|Ln#+ZaCONlEq~^ zx(Tfii*VZPqmU@df~TH}kwi$?eO&Raq&sR_6~n zttH5=d!{_CsjW^z!5oEB>5+)^@Q62^IlcVZ&`F!Q)<$V^g$EUytObD&OQ`ZX`sSqj zs|tF3>UQ*1L^fwwYTI!?A>hI*q9nExW}fXjC|&7=U)?<~rX7gi@ zTn7(2WxBUf&*?zPe}0@MTx}2G%PF zejl=zH&Kb{`sB_21**MGTX3~xS|}Hf<`!4n(}gd7LRZXJhM8nS>c&QE-d$J^T{0N@ zRG#gDm`d(W?a)44Wx}<)xfI}9!Yb6DW0ERo><^4c9Nz;9$>fgY8-#>`VC3w1LAv@|{7GOMW5v8y9HV`W%D@9*N+ zNtROi_+eNlL2uRrlHXt`eRI7y5miX@mb+iCCyc)}qMULTzmT0c5sfs&%0D#qWfqoC zk0YYEL9+~hdAC}|C?!{hi7gq3u9v|nl`UY#E!d#E=38<+OSuFQw zLL6!S^Ew(sOHmcPx$LmzUqF*1b|+aCzmqfxFzYxDepgYo%~JdPUtw#EA6N;nYIu($n@5pX@Kxy;U8wgXO!m#3SJ zgi|PQTI2cJEp)WQ5jKZwODCVnJrc{b$UST6F*ka(E7m074?d-XudfA;OpJt#Pu z)b9B3AyxO2EZMPa5!=w{dcX^9NSW7dMV06>g)d^Cg>{lRlyaTO4Gq12?g>=T3SPR; zBPTSlHVh5a7auRQ{~j6OeD6VEV8G=28p~83jp7!HWp_>tV7I=8g)6Il$|c(B$I~`eFLH}utR22hLs(?ll5`)L8=V0~77QQ5Rjte= zd?jE7!|DCgDH>v)kM^15l_HP z$_5Ra873|F#^OGhT~j&?4_FQ`8?sX^puKO1egax*g+XprqS~Hcz}NNcBj+JEtn>?G z6ki(e62EO%K&jC_Sk_Vad0N+Y@kFZ`$lk3b!)vFc_!%|HjStm!ZhUn5fBA>%gEEq0 z_g!{@G8x(n&3ME40YNc~u}SQT)T@1`i!VrG4sQJW8tfOnGgsj;r4=(~_g%hOo>jqm zzo*3JdPrd>r!HxsfL%oA!6g2AyJuzLh}uZuiViEkY|6uF(nMn3G-ZAyHVIZ)F?*e2 zGjo@uUD)#A?vpxoWg1qMW)=s-%O`lES{hwnZ%8Y=$&uuRSMQSeHBg;TmVk^E&D-{1 z1)VZ0)H@!5hatyV1_T4WrHPukG{#Pf_Qb~zsW$xzN_SZ>V?tlI-iOM&lEKxewRjS} z;!pfsAyOJN=oOo0lg3-n+%fandRCH1+*n;Dnw92x;56e&vBH&I5lGC@sp;y7N zvSoDT7|)eJt|~+1NxBB?1X=vPYWH1aaRF4o+-wJZJ0CG%F}2wHsUeWfR$VmRSnU;d za!1Jj`j!0q-!z1umJF5!Znj#It=X@#D7o=!;GSkX~C>W`k<|PIML<$!)}NT_MKbX*Uw~eL0F5@y7aM!cm>=>Y%wT1No%W2H@vy*kw$Lx@WpFvJhzrHlnFs@1W6d0`RZWE7Twk4E zrTeGo_yVscAC~a-fB(V!^X<%@Q`=Y_aUO&};re@$9)fX(*KwSjyX@15e$*?0+oJRk z{3Iq;e`Yp;Ao$STObQJ&yg8-i-D5PLS|I+x`WQv?xp zN(Swd>&}*akFy@`BJQW7tj(l`%6%zFZS;UrT+3~f`ViFd2ahil8j%Vrp51_+v88d^Asmn)V}D9RU~nf!kyO%A?EwKMIN<1;at z2P+NK4$By*vU~S3Eq$|!dVz!8THhDQ-piR2C2g&z*_lf zdZD?Dwc515>KHhvmzZn%vbLu!gP1?Ii@U6D>=^L(t9$A{rNY^2Slaov@pVoFF`&z1T1QNK)FnLWDeokwKuY72#X(^2pW z>B||-ISpDFh_cwOh^FL_eUB^dejoDX6daVJb_LR#yU^5F-?mPZXQEfHT!WA_;47d1e}b|O&OU7RQV zG|gCy;Dl2?R5^#QI=-|M@iDboOFz=UXfHXkc=3d}GSrZIF1%2$UPg#^^YBF(MZlKp z24Pu+p&{E|$W@!0oHTUY36+rhb!Fsgb`=L+UU3w1ZxVk78hAP;y;9%Jafi>)F3x*h z^Hkn+ePZSvT_%ag2)Gr9mh(21^J3|Sr7eXIBZXI47&r{LM)nOLAJyNiUHEXNcWoq1 z5V_o$32_>umAO@qN*fN?xRM=w6$c`{n5S=>Yzf}xS)NZ_qwMI5OkH`J@G^iU`hZBE zN$N=D2f0!FEP^y_p>O)wSYO|yPu-InCe_9-*}lT*9edH^Sy{3ou*>v;%o^K%S4TGW zj2a5%z92m;(Xo#~OLMK4we6sS{L~lhyy9}q+#yT(7yF7>2<8=jKu_5{X5W6$*%#=A zCMO$zjh=$Sj_C&UD}st})>}}<>}OARa?1qWpC;QLt_||rJ1Rc`v8l5`^UDur2AL-5 z#QfC_K-T5zlEmmXA-6-{3Jw(?FkGAeJjc_oYlv;GpWSj!))UBx41nF;e%Co)$iGNBC9H=;qypun!-<*;}URk9Tmcgno&?SUsC zgKKYJ$o=om`G0O(Y9EQ~C;k9aLmN>}$zB_2jBA?eB1z|pa*1qysak2x)fY`S+hby+ zYoy5$o5HrxWY6MlhnD&{7LH{fx+c!3VCM#HpIe%WIMMwy04c^iaG`ZD`MQ_4=V$cg zz$)?D-dQ}Y$))B@36@?4!9f{snfr*oJQ8Dbr=Z}wYKG~)Ak%U=1iY}s(fWI8g80Tw zYFyX1z1#MB)qKoc+-1*VlQoSY!>b2B&LUDYZ1O^l^wPpgI5yvAlPsY=f%&_=qjja% zPki7$d(;xS;np&6pM5WM6b%&w7!C`e3ip>U>G!`^p6#xaSaRw0+bM4;ew&-qUpDVM zngNyG7g9ucUa>Mo`U>X<%>{p&0CL|QMIwUKOyTCowJ6J_@6YOsPLbQe{Cdq-77%Xr z+(%qr=0%$zwUUp`X5g5ab1MV%pscACDm>kHG_PvSVfhOT?#sC~xC4PSEsXG?r-&UvEo3K>8>{*szwNeFsd46qZ?QyU1Q}X7yqTlXMzv`0?#0E@L zpzUnO*ZlicVUE3FMhEwOlb*^)F=sZM>MAH-g|l9^Gi)-Is#w!yO%d9r1!mqHBPCY@ z@!N5?JOxbzV^e=KH)wfJ@2$+WsXE77zI|(dRwDE6p@b9aAimlD%AY(4e|ZShC|3dw zq#Zo~5^NdR#M?X*KX6ywJF#W|*aRFoPkqw!n6L@=wCXLKoQEMY%*mBjnQ85`Oz>GP z7u?)5O)lz!A7ZrZuYoKRhaeJ~VmJU``;6VN@95^`DD zOEWeAvcSJQa+^f@;vqM$zWjXHBrxfEdkk#_BQAe(I@5b%)G8hZ6+$<7LQ5+1IUW|} zr9={~<=3}jn{?uh#hac2<;X>5RZq-@XlIf| zyH?K&7orDOfMCfo%I3jHsVa9xZOdxmuTv~lzfaSEdokwoljzGcS6gZMNFTq+USj}!R{}j8 zUfquq3VlX5fJG0o2sqXIvvtzOZ|{+t85=M<({_?akBAR!%1pB#E1z@Spw*=5DZN6K zE3KqM<`0d2BGIP04{96olw4Cx7gYyZ<)5B(!>5ut9Nz);Q5kyR<$!?@3cp7wW=5}# zg-Hsku^M}6nCE|JQZ0Z5&K<{klJ)&L?{J6VxLMSzMBb?QpvO_~FLE(?gj?8KVV+(DL_?k_DB`1Q}n%(Yr#3J~PqwZBejnb{A*!7FLPI?VwFkb zJ3=sWa?1>MGN?4*#D+`IS$L92KXLkkBf5A-zE-=_O zb>wBCyWxbZ_N4JNRIB_gk<_(NnJ?Yk`)<7m3vq#|gSsD+w>bt(8;;iIrP^w(0GAD~ zG*`^Zu@ZKGOQT0My3Ih!G8fNp{mG>x^^c_kVB@z%5!CE$;%efDo>XDn3QJcG`vzPc zpR1fE8rf^Q?{o>bfBzZxx{nuU5oO}SKS^KKYm10m)b_D~AHyzLQ8hg)SZcAZD$AX; zdh;3HRznZqjyS(}@s(5wiQxrrsX${o%7BSt6nwi-WfohsEo|)LblW2T^H{B#8=-_XMJCEh^!+CBSH+4X=5Rmc0S|yJY`^n<$MVV&eLJD|GLLFsO}ZS+r#?^9UW& z9S7X})w&k%{TR&0xxZ`6@ONx_K+7h zC>f0D_v1%8-O7M^cT6j77V_jHkOs9KVg!MGzz9luyl3oR-LB&ziPY541I3)4YCz;_ zWva|}&k4a8WH9dNWiCx>Mo1XGH#I7au0Z|CA2h9GT7nZn~nd2y78mxxp;cxSr9&P zWA$esjr8s6NbdV>XSePISz8SM0E$wM-+bVranpxGwA3~YsLtV zeRVtu?!yds*Bhksrd=NO(a13l7dt!NBLe$D)>n%OUsg7eUr96c*ZTZhn>To_bXqhY z6momRX=}?UU{k97!TCbrK!XQ}sr^%ODeWl+H*U3~m3fhsc!XTdX%45iK z!H2m@ha#?$@zl#a>EfmweS0Se@1^EKP?;Tb^M(5mRyrl#R4Tw(KT>~d8h@BZ1x$3|;NS-2|M>J&fTuRbv+L_)C6)zh-uPJqsEkgy}+2Q)-w~odWgIaFmwv zNQcgiKL4GdPu5vhM%x`vTcA3fS z+AT;Y8DFRfde-JGqjjipheO$iK8YtWow3RfSn0x#Z4v67x%{a5i8=+f)z?Q}@D{Gd zc2br{0ycwpRr*TljeJ}{SXseWUzQqg1N&cL0SikqIK@hQ;JnHa9I;KZ*Nc@pszJfz zuJDi@QpGGSW6l*v{~6Tg^(t4!+E#qv{vRdpD)b0hqo~5KFC>GaMNYk_~Oz`FI2T3h9lt{0L z#?+ZFB-N*u%%msLcz{uL?7E-gQKlmqx^oA`&T%;v?3<<(WVJ_p;1Dl5aVICx_58+a zFm`FfsF1rx@Beh-7EpZjk3`2|1dD!fJmftRY9Sdcx)P!NKkAZyeYv;asO=OVczggf z7f_i!S?V#%-7ziOt7ULO(r9nydDT{xc8P@Zxw|n3_uvmfB;%?IlrcDnI^?`ANO#wT z-1m}>oZjC#8%L*oo++8xmJDG>48k&L5>YwUbsP3w&f#&)-i7{O)V*g|lk2)Q8W2T9 z35beHiHL|!5JaYQ5|OFsL;+*&QGsPFRwiB^W0_JV~m@}P1V;0tGdjqJv#_}RJ`8G z6nG6w1ok~9K6Vcb7)QxG^!(&(;RDqXxG*co=kctJFZ*rw%jU0-ec~LT{?;Xk+3s!b zEA1IYN}HUQ5`SKf=Jx+~oS$F(3COoKOXZi83I=oHn_8f{{e4Jw<3|AV5>eKHAuCvK zu*}nMzW@$J?VZLGPi!?}12|P3sHWjdK7zbTRW)YXA zyH&hCp%vx$<`;b`fOe@52mZSCbr*cM4G;MY-B8wHw1`Y)E$0n}igb+)6Ywb&^mWGq zub!zVyW!Ben4(z7=GV=ha*bsTs#Th6S@I^&BMWxxzr~^dqd)x%uD)r$mCcidg35^Z zY;6FI!7auR_aj*;pxC7thyReuo}2&v+3+&3hYNeoF@EZ1+3`8%oW{gGlS$D$NQEg|O8|7r_72u~XV- zR^k^JcX+i441M^JdK0Jyd#TzPi5`8zD>NvFYHPFE8@!1+NNm9@7&ZG@x%QuYR9vWZ zDa>DYvt5?pF!uzzs#i9fQgK3ZF53a#cx1Ju4U>yrWx@}Q*DqALZ1(r!*fnuw+16{V zS>UI*@jXEnb`SMSCiAmmgpKu3U7Lw5pWANJon|zgM+t&^_)L%G3jSP{PrtvF<=X`+ z4W{RuY;8nA6YdKV9h0n-zKL5os~o+DS|*b_2Tved0dNZ^J!^H*B!#e6DZgO_+y`Up4J#c2Qq)1K;`0#FAMRbF>+SEu4}fVO z9X`3aOggA2M@}*dw0!*^jP~$9e^YRKZ?AeBROt~0P)QBn#71T7K*%!VIl6I`0|p6F z4{Q1-yW*c!FzZVqEg9e{8O{gr`6SIZMTJ_TpcIRczQiwv=GO(vb?JHN$q-X0~m&SA7{R7>N{cs zlGMY;f0Y_>p(SHu)}f0zWPTu@-#S(XuDd+8ZRQ|!Ci}yOM5}^ zGTJn&+)(ML6i1!RKAWYoTDCq!oJA~ueLOK~IBV*@!af^nuL%@(WiJ-CP+<6Mp!MSF zoy)NS&t~6|Mm!)V`8+gp$E`@4ZkBNNsU1Tyxo6>jmfe|+3AHy61IgCgE=Fd>*x`NA z)GzvxhXvnPYylblu5_EjbA4T+p!zVY&;P@;>Yt-T9prnS-x7Y*MI2h~wG#*oCcaVT zUJ>PvpS@AwkT(`e7l7;%5ijL&J4Uod>OX?*cUSOhJiQR93#_3Yx1yt2@o*wLoRJde zHK|0Zj(X0>g{Y$YE>&nFi=C|Cc64!{qyXI%y;M7A&-rh^vd%5uf8s3DE}Si_tr{rs zd?foxK}q+FuE3~u5@jbUTTRRtAG-+~n|(JWm-%p+b}?{>cV-=to|fP=FF84)aY9!c6G$4e&L8`bFo zR!Pee*;G5zAqr&qBk&IZp1Ff>icWyu1MN2Jwa(L>ke-`b+3KJsnviW%11HF^2ZUU= zwiGXop(!y(wvCVEbB#awMj|yB_<%t=_E`3w8>?T(=zkm?HY*(&*=cu-=tH44jdyc< zht37>7Cf0rKo8Gp^h%7LTIroIC4_#MZC4>&FAQXvtrVQ77TXP!b!g7gDakBy5x8xv zfogjTrr2UZo&zGVAHXc98(ogqUWq+C4pkwwC~_Cyyn=+1Wnrj5GT%>$Ap=X}NA zy|6g7+A@Lx%gKXS{+nH9gudl$QK&42)8qm7oG}Eg(X4PMoB}q~h;Cs8MS~9a;uk_B zVx$QhEoU5;sw$@LJi`iw0qapUg|`1(d{DCZ-UXao+Wtr0z1C6jN+e@+PtZL6SZ0-_ zGwSLjcNme(j$^aFWG`71$Z;pPLp}$HLr|==nJFb2*^H3*DH*}MAZ-u*!hSMkh>d>S z7mcq)({ddYd;E@j(*~NM z;u^RiEzXgY^*gr{;Be1izQTziA8Nq2fEP7YRdNo7!#dQ>%e)O72KuJzwM%A)>}CeB z=k>NV)#D=kMn<3+;)9Ad@+@nH9;@jXLV`2Mn^pnle zv90M5`W{swjtnpP0EdzQz^eS63}?8U5cl}5Z%x0%pTKNI^+9!$bP?qiDU0xFyjr8B`DP zGvzU-sI#1dzmN3KA8#Jwz=~Hbr;`!&(_lW2^o9@0KUtfWZNcd0#X;cA3M|U2)o!gc z=vRffU6|-EgBjimQI&4a$f;lxY&6}uXh~*T*fo0QZv_tTVu_2r3CK)Rvi8Y)&^x#+9h52 zZ$^s1+Uo`VV$-72?XAfg@cL@1zXoj#3H2k_qrGXb?7E|F1I{D5ae%EFW=<>XO%@QGPC4#F%IWGT^;eAhrn2hGS^1KOwd_{TmvC~8u&&)kNdRKy7@a~~B|0vL+TA?f8z{0dUk%yUU}4Z0P4TZFP@owyfK*t}2?mtH zlIbqTRR|AgU;XZS{v=kB4mjX|tP2A*iqmBnU7yUFTjJGt&$wyRK&0BcJbbh24x(V~ zIF*)yvwn!|&l%B6mO~V_R6EINhYamq&d%^TfJ%CCQ1=&mH>$I@t9?(Nzl;~VFS3KI zQaEbZ;M7PRRUVfk-Nq;~cdzx)?5(I)hOU3uzq_`7>6kyNYW%J3UdZTn-RzQ#t5NCO z*EnvBjwkxLY{Ou%&2WFD79p_^f}v^E>ynIRFahJT&~vVIhC@;ftW6&>XVyKtt;Ph; zj<5cPqmZ)h8R|;z$otq+;0Wd0Ev1M{44B2vw>N|KvZWLQ;{0K1>kFjw1w^)2|{=H6_dy`lGrJ!Q5@eJ{!!wwt`jp z%?fRr0aKIFHx%M{$qP}C;MqfU3sFYOiZ1TicQnSrP{`(026-)PFXdG+-GyRmZs#+^ zDuQh!V|utqqhpgxlqw29?}={OPhUHa{KUZsoC`;zR}QuS|3b59fdkGGXe(&O7o9qx zvALvTu=k9`K0Z;zgin+akJQh_)&KWzuBL$zEotas364&$s95X?i2L%x_st3 z{}B`b{P(Vde__B&x?c`NS?L1QkI*xbKUv?z?)_fhu*Mr5IWzsDpsZ9z)R$rXDu9)^q4>cM9~BDZ@Wg$Umlk;9F_JOw`@Z{lB&Vb^40yC>2G^9k<1Ho zu?`oF8Sezuc}e|#2r++`1Uh=XD@PQVq=jlD8xIxqJ?wgXl@DvG84=e}uMD!40-^3( z|7LeX=Zktk`=_P1eV23$+ZP>lz>v3Y5Xg~|m6?p8x`8AnZ}RHyh4caLG3*YqObt(DW)YYQMYDy5pVs_-)Ub?6oFM(qnu@s`y>@cx;tE+3p0BSp zT7X>!*Oh+V8rBW(L1rn-j%Q9%{}@KDpbVnyKn|xKXwY$Y;a)E*MZ(y zxdn9Fe7mKBatFrBTaYI!5f^}{>^^dAV>vJB)>fa&xA8&MZ|=6rJv1lYq{I3%5dx4& zkbz6hti}}GJD>cl%H9H)=*xH$HC)Q#UXTO@<%F6uCP#%27rjR+JpmP0LrqTkOCj#} zduJ)^_7xs^xe{doe9VROX99lqV;=baF&893WD}49+F)3r$^tQkm6Nvwe|=N-QN7|z zsetxF`*0n-DOqY0Uh0Vt$&C4YAy?W525ZooFK$?(dyHEmO;+^tcIybQKK8BXb{Y`PrT>tE@>NgsFUe-v9U3DVTCobGHsP}+843n>dl030Gg z`HXV_wx}q&79sL;1EYgMe^cu;-3Ic{080x(8P#QPGsy>Fe`sEtj}a{f+5ypGQ$%{Z zSjqMAhM2Elx^OVq%im@(7km~N-Q2dAi3AU6dujgBb+l&qM#1{LzaR~H0I_dXi%?FA zE0woshOSKMXX<4$-C(YaS2%Z((t_FUv+6lheV-+6bW}q_e*f*<;vIjkw?vsb6~lCw zf%>sT$~{)r8m*wH%g;Q?EY3W1!^&`oXQKv#_RjGTF}MRUc?t-nG5=;C1yk{qf0 zjqCh#tT#GveO-P+4u@AgQa&N0)~sl}Sp}j#RR=Jo@{tx~^E4yFg8IvkLuqKk}%4fhI*~4vtSO zuc{@LGU#91R@R)F+F${$R3s-Ypii9eMWVRf4Twk1c_t_JT@UAehB&D+!WkHYVH0HJEpcsO*C7TRZOKJghMi+WQFdLb#T6hHy|XLlqKe z)D>;jU5D?ObyJ~vgqhF3fXk@*HL;!BCTtpBlwOctQeKhed`Pm6WjCIkC6&wsQ|30h z^|X^mzCFb*eU&Mu&dRU0{#rqNC2_n0KW1;)RTJMP2`U2EuhG*oLj3x-`HyVf2_cUmF=$PP*;D>|UYq~Pdrv-(~e+c__u;}Sc+H?F(a zrXsyyB+RjOk9w+0HLEhCu-t^Wp0iA89w=X!PHVam^BmP$D{%uc;p|9kEjmG-De$6idC&gH+viIcxf%3!);-3$kB@M76O8tQ%dryGu-kccN-g#b{2C zpm}#xA0$+lWqC=5@QO{=olfbJ_wC9SUG?>*MbGiJzs5UKKYQ2sXNx=R(2J*Q6%es( zGNt8RA>OW)4@^Cjc4Ko<6cntmSK#;#egI0-=)Zs6GJ{^R4WPQbc5FS%?X7M)1z;)0 z0{f;ba60f`(DUhrrxut2YjyOFsGm{ZpyGK^3 za^xkfRwU)Jt+=WHbYGzANsFhtt{e8^A~6D*tneIBMs}oXr>0(NZEQt1DNfS7+J^Ef zpn;A?6p!C~VFY$ty;XmO4xEVU%CJwPi`+$(>2{kQzreAxAEK+H^4XuH^E|>Ao*w}D z`<-@`IJao~^k9kg(_-zQ=x2SMw_L*GsXe0>4F%v5qF#Q$WEbi{@bMJp7}|%O-c9Y9 zl9PDgMw-BF3)CT4uMR7aLO{i+ok9B_UlM(FWG7JJ%=oM|W6HfzmABU3l_Qz~lJZ*p z4R%upZZMf0OFYyTc&(pVY0z|$>~3KmUsLgQZvQNLKrBnqBFUdbBwb8EP2O>=00*Qm z{I-YxnW!(bRATp0V3K)tXOMxcc;L^CLMn3sQ@~20t03Js8_JoV08WFHk^nRsogVdW z;ZBj~!vlf(%AO|Dtk8we-o7RruUK7G*Vsow?0kGbrv|G@u+4DK)S)9X3%VM5kJ9WG zC9^X5oTiy~;C`BRLkD%vX9V~!8-KmOnZ0nIF|fvYF7@1Kcx?8>mN#jTq>7%* zSftq_V=-P`e(JuqiQALI(2TMabuW^BuQ%M`>|o>BHe0UYsb4K`jo9xLT&U~=9XZ%n zQ{eoU)>K{Cr(;iAY= zMg{Y#9b!JYbOy&nKV0!J8EtW)kNJp{aDqU^jR4fA=M;0p!w^VR#aVK|NOV}?Vc-#v zNcmEG(iX0vH7;Ba#y@XZKMcIYxn3MB?x$j8Wq{20u4KCFlOwGqUa%L^SN3I1;Iy^8 z=I`?fxA>)?zE^h@4k|b|C}d`Rw!ugcw#S-WFhSg$>?$DQN6@VBgwTvP(Q{}-YIPwD ztwjH$AdO6r_EgprB^eRS8)OMmD|zjWY)lQa)}7!j;?+l7Pjh*A{@sWD;1+$o;v=F4 zJ{Afl#Lv=4iX-mA0%m)blj3AZUJ`%kJ0mCQsP0Aw&*P04x7~P3c*(Q$3xV2kx9+`o zHz|ib_-#7z@r6B}tXfl;Dm?+%g|PJHBQPs(lm+n{9^1NVn)Hy;Ciq5MU=0>FC%l|+ z{o|EGP$$Q505hIHS-uoPjqyr>L)#B2?o_%stl&hwp^Vqb4a7?2&yDBSO)~>u3e^21 z0rE(;>(<5oDh|p@uXs*ogjCnsUCA9kpUjqcUNe4fq&lqauGC9uT?NYF`$_&@d*=J8 zhZf)V9O6cnNRBCW<-LL@^5(PpmU85nTEGegoGm~*DE6A=cIXLfABB>((z^*O@p13Q z?DD;+>yo&NLmb2+D@5jsRd%c6axn5Pt05TFK;h)Z;&p@6qfFZ8U80?gg_E?nYaOo) z_YeV)c{%wymYPU89H?9O=|Te%S{l%YhnIcPX7_(G(9QDVR)%w(z1(5}XQ6#ZftPya z<`xLGIH?W{948JL2Bzxza^5M-d*UoGv<@!+yYBn z7w?zc;=EBHrrs#}_~i>RQ6-F25H;uxU61?yV1EA5%dJqETNOu!C4O}PcvNd#wCQ9I zPqelAxbg|Ntm#>f*cCQ0O?_Rg?E)11Sl90;)24-;K0rz#-EwL-z@s1e-P0oYJ)~kT z+3Hjjm51qgLix)2zdjZ=dHri+&!epq5eR+~`jgw9S;q5~w9?!yDanHn z!|f-9pb|#2`#qn)XLdpl@XFW0(iHKd3K25gnUq#{k$`->$sXt<&64@F^iR${{4*GThaT+MBs=pOR|2K@@j5bkg0qNmr+4A#4s-0|(HURkl=2bC|) z&D9?F_2t2`#yHOTNm^&UuduyQY+jaLLs8W0LV{OK4CV_s)K;m6x0q*=U>KE`h-+n? z!uIq>>ss8<(bie^kvThl+h=Fc@*uJ;@$*)s0+={^gA+E;fY{Rz*0nri;#-~2JOCaj zhR>AGT6=U}ooEBf%{BHwMI29K(3G}07KW%_vuZxffMur_0a6hBRbVU!*kPOlS<4@r zU0oS#;r(Q#4*a!)eBZ0T{0E&)z)EM4&p2OOo1*UR!F!^_*Nz>qmf!9kt9$(6cF4C` z#E1DRRLH>-8oMCKas8ZVFz$DLyi@kaFzrOORaL^l^UCL2Y%_4Yq_{)lchbo9JU1{< z_f6lNFVRfN`Rx5DzGt)&xIhQbatHFvku&Ez7ev7%J}s$IDEL|HSK4*kM?==rpm0HV zus!rNqftMf?6+!W0(Xwb4y#2)Mw#NW4cggD&&TBe;)tI%71N^zOoF&K0gR?1L!no9 z`DAx5seTUKX0X}K7jI#@%leR9n4F zS7;NKOxjm=!uKkov|Y>|E%VBDmtH|*oZ;gv`Sk~#+a9dy*g+4dN_hQ$k$d)TfWkfR zIG4PaV1MnKTwG*XzdF3uWjTj-y*F7Dg@=+-WFU`V&X#>j4wT2X6zoBDol&WW&N*ZV zAJor`%0cdU1Zy+S^tq@&MRCOt@l_RPKT-phhmhu$kGn4YTw(Rkqh#Q|+*JKeA2mxc zKBeYF(kGqm?u;~t0?EtM<`6Hqv?eynRm!LWSamqIN>`gawi zUdJb-@r_a^*(ie4qq0~SP1ie)$TY&!Zh7IU00HrDlUuSwHA)>q0hx=!6gsWn49>6{Jbg z#Zz{`^lk!t}P=_gkX)19e_d2$BVn z{vy%F3E3XdLCZh%HQ7r!QdxzyHyk#2@$5|kE|RLL(`J0o7xwlJa!ug1ePdIkIo$N+SXB@$7h~l}L;yVjm&F?lU@Zk?n?v zWTJNP3ifPL>n)Zp_U!l(l8et8Cs(jsRcKG0fv%>Yfno6RugNfB~;1%5tk?&SY*9_IVL2hdRy5aec{hD9#`c8pld&i{FA zAi0RJDlcfee^4Pd@i@BYc__gVW7UbsX^`!qndgy(iFi0PAU>-P5_LeeCTUBV_M~L| zp4i-k_lq%N#0`s-SRSBEyHf-xf=wcHS6p;TztkyV@(Pdudtg?GNe()ewkTS`%$ z`Dr;XnZaRWHT%$gi#}nz=VPgJk?|G=_~PGmrX#L75p`5)CkI-VU5Q>vF%-&U>$VGn zycXc}M!956mln0ZPZU&?N&rDUzt_+I@dJPMP%5A5e;0b{q7dvsBk-Mu*Xe{Q&RCrv<2wV>qXovQvx^;!T~j)}^m6 zXUp~-IRUzC{lI@$m>w~1_;ngpW`-NF`mVAr%Ps0I@$hsPAoneFx=`-~UGJKzz20z^ zr28HZv=a@%q!H?2s|oSSO7WlW>3`gUt;qP|I~5PZ@2kJQr^+fM<#EHE^Kq|I2*g%3 z33qXfdGl264`EN73(&{QT~rQn(_8P*lU$;8ZWECxJWF$E?zrw0mv#YGVsnGZIcNCl za^`w=hLd4_cR?f2#7}swT0vO*9 z35t#WD}($IgDQuwDn(Ch01e9g+xC&m1>R?MF!q1~9x>%8?MatJM)_Zz>bYs8hgS5i z;Y}{yiGO!>ca9(+_%$e}yCK^xld|l9wlPDlZ|8b@!9wI^%}U=V63(jyg1-q`dn2|B z1s%yR*lje*ZFMLzJ_k(q5!M54Em}R7zg6FZf_FnkbxGl*sC>*cTC}FURRR3Khd!*( z#_MaLqq(UM=zYNQ1+Q7W35dQYsPf3@Ccf5=gpe@iHELYd-e-4hmjiB2sJ1?rNi|7p~ zOTDiCVn!uPBnZn%y_%>l6e;cAPHOJ;NV#a5L61Zc0k*tTdtJRNOMWQF3U1>4o*A4; zPuV~0{W!pm(-A}E!K#cXCiMnzoukp5N;}Fv?_(8!jVj7e@hYd?aT#sN2^BW z)d;m)bIQm2m}o{{?W2ImFCT$Bu!Up&8_{mpf0nf$fCI)>nO2ODqDR?9+R)4HvvoOQ z+^b4!+~G@0oM5@_{U(|Fc;jE=a|^rEO2?ew^y?#=EP$3!IJ_Lr9zW<-F z&r1or!$8FsD4?BJUi^z?;9v27|C22c?KQ~PbRCEVfbHMz2^;`;~AxnwWu8NAu&WEgMW@mCFGuX=%|WHq9n-77(3h zhi8@An)AkdP|A!2f0^l()~wkM;mA01P0`Whsi~@kPtn_^_Kfg%35lR+{36=FX|S{P z(onODhS^it)^F~?oV@b2p!UYNa0`HLk`k-2;CW!R)WV_&MzpGMV!4lNL-6r~q2Ec^ zK;m86iEPog%g8(>p=|9t`u;Lg?6bzdR}#g_ZIwj#`G;kfQqE*4?+ii|4WCSICfLWh z)XtKZ+b49Bm(jqyjpRX9=ztk&HGF{Nnu%o<&zr=eY@L>IScsivdt z`&yC(F|3=@H4_yD>l6gIl5WN{A z$Rl0Pb8t805s+~fu)^7F`QM2QKqYYJdur_bcvTTtb=X(2;gR{tMc-yV{>Xfz%V+2M zdvOxm|0dkd6WT|#8rg6E?=o)7gK;+#tXfG1M@SP>kh-tEW0MAGIpkiA z`4NMLC8-uxa<<&KRt3PMG+0(1f9a&+vCpE~$^sl1eFG9=Ex&nti_0_rM?doNM}-a)>MUt3h_j468b92A*T&Pd)am&-XHzr&(GefCB? zc@e6)Z77NO1<9;6&RqM2kuATWWfu~ouCqkSa<*tmuG4);_ZCn4dc`l_N8SQV6 z!cisQwP*m7ckkSQcAMiVWIWa1_;BS9D&#c-n=36j8tUiw0AoRSb0EnhhPK8O|N4En z{TMLx8m>78GRA8cv?OXpYk+KT09GD<77Nzz68ST2LW8Fc3mAW!&>XdAPDuJio}&zu z-7Yp0Ta0xh<~6V*YKE_gxvZM!If&;a4Y5-J5po0tld~Uo9%{64z~@Eh#BN&AH&P|e zO}TK1=v8x3Uj6WmYbLpI5?7R`7yd62_WqGFvYArH*Y0=r&iql5k={ zE3zCjeKVY$gV)EGj7QvZ)t>(PG05PAR9*9=g9J!LBuMvH<+oX%rELb^pXL|XKs3Ue4Ivt7a2f-%@+@~jM28bud+4Xz?#lTeEe93U2W-e2 zmE?yBmA^ECNu6x;6WuX!wt&|?B;TGaZZJ4?8O$@E9lunDR0hnJ46&QF2|MF)nh-o@ zykY2Q7=@#59LS34$-+tbJ+D9S7{t9|AhkJZ51pGXJoV3KRKZrfAqJPn_508r^;q)O(oEbe~)iIJ&EX>}% zYuG^}uGm{LYnG(sr`jpyZ;!Mf(OnszM)qGwcnqjj!+$)WgR($ih!RbGzx`(;?6sqR zj|@l|IP}J7J?CoPw|@PrIN&tUd9z4O%b-Uf+v5A09I;iV*^>D)Uvb9LT`d$R|uYS@J(a=_3Gk8HAV!^Z~68+W!GH- z&ux|UX>TTXqNZ)%0G>;}BIm@=mDON?&?y^lH6%UkdvLLUq%}iYw&oABQ>`;jJorU# zY7UqAc?hDQP4|L&wcOvu`NP`nUjeR9pCT$F2C)O$f?)ijheyW6{#!fnqm z!x~&Tb$++)4KldG=Qh+y)-Z>_o?@U&tPlk=?+7yE1KY?HPIX}vZ<3a6#jv$;5KoB8 z@VmBOZ$>WlH-X+o{ds zg^%S$31!otrH>B3b7I=wW9GQT|N4Y*^?O1OGr0X0pt=Db3lkw`CNi_XY_kUktl3U{ zu;bAH)3KjT`PsVPXEO>WN!It;k^)TEGpzrL?fDAWr#45eZj?%$4F6^RZQrM0>LZaX zAsEmW;~k-@ezzQ;8?mW|Fh;m6>Hcz|1TQgpKYBdDFe08+Hh@G)AjaLV84{mi!UH}j z#7&?Pk)=pw|2NB}z)~{f`^EXAcZk`7vqk=m7`0Zo3hi+toX%};{m{dseUaSutIT2b z(V-y;)LcMzh-;=(3YNVt)^3JhQ}5-`MB#H2C3=FtoqI@6aFOw(v3FFSQskR|{}(w7 zvreYQsbF|r*QocH1wBe_D4JQ5F*vX<)y3?u*5_u&PHT3;v*zt7yN{PqSj>_9=;FQbUefx+on7BSI8Dp|&}SEa29soZpHF@?@{CAqfQNBR3F zsaG(c8AH#D`249E4z8k0wSCNrJ{=3Ye_G~iGV#Q3ntbQ!?IDV&j4#>}&U~^sO>nOX zeXqp~?y3w=={?@0h36)-gjTyTpPEw&%Ay5f=OVg42Li4Gm3gd&n?gZHv#I5)f7U~t!L2iY)eJ(xmHl>W)>_QgtU3Q4 zu(nCsZN-`wMaa^T1k z*o`AE6D}z0j&jeP5tXK{wG!OZ(qajLJ zf!#(;v`!6asc?m@Bk_P-xUKsHY4l~(L!j~pLs9ut?em3&vU-4X|Ci~=9<4Nu=O&=# z|CJT;qm93f`fCb(93*2JsM6a77+ap-g+9)^d4m}a-R9AkFS0HG`W?+LPNylHYz@7{EcX^aKXQ?e6DhT}ZYz@v z80MvI-kjs3AzAYD7x8hSy#ZcGXT7DZ{@8NrV0RX?L~7D0pRr{s29u>S9?#0>A2g; zYjGB5Yye^jT2rsiF98LWfODWdC2#j#;uNde-HT?TPnRsDZ97DOn z)pX#qS<0#XJY3iq3g`bz<7y@uRmwRBxK3@FD{s(x1+~-m^A8`nH2UA%%>R0U|KVR3 ztze>@=hVg#uN0nc+wt`YoEw_*URmLpbTIvq$mZ{v;)MVxix_MKfZ>Am=@~hIX2Z?! zO2Gy+s0l*+6p1B$i&GYc8BU?}T1!!9VCF2{@sXr8IWX%Mq3z0^c^uevKKjFcB}GeD z0ROrDxG8moOj(pq2{7f(;Aa1cWn)a<#y@;~>68cZ{Nm?J>Bm@YR_>=XsB3MxQ^&!F zJ0fW+#Timd8@L#r-T>Ia9Pi3tEFQk-@4bW%;pepLO0C(g_+z*h@S zx;+bU6%|>HPToKD;zK~+3&4L2AE94SUc3Xp6#tG${wEgBuz^^wMYnRrvo`+bl(!06 zN)M+8D5OfbvL`atti90(s?~Le41vZXKM!;>+oCk%WOmX&m?(}vHxXI4oE%5NMmhFH zCOTN{8OlcYS?#U)zaZ_6jJ0TZa%oz0ify-usP)BM0@R1$-)01+e-ZwCq(EztT{b)S9*o_#97YHZEQ%=NSB1d`1-Kvf*u zP%J;2ePOtgK4W!nrre0}R7SvDlV4+<_xg-iYe5s>zh^t*)X2AGi3A=UWEC&4itB#^ z92UK*c#fTT$hG6^&o)oy=_dVl?|+GyKkjAv&aJL|UZ7HuF&Cy`S~U_C2qMz-cGW?oi3_)$&8>gFl|?qvftv#+%3h`t5$Q zZBK5rV0+zy&|!=ltK~rzaKXXJ%nRRHI4`kODSwyMv5t=iWZQT%oI5@M?RC1vDMdsU zr(=l)M}%jY_ufNoyM18M#>0+u+~ zi9r>Jg))zFXhI93S2*L@AY5u#!iXX_U+uN-EVyBwu?Y?pbj^KGKW>&9xYh`6F0;d1 zxxdmVx?<~AkX!5S|L2yFP2G1={oU~crvTS5ME7HQoFvWG(!FGMfb@k24^$L}R}j++ zXTNN@JDl8N1@|Lx@s82bJ~Cc`A^}^(?zzon?3t{W1X_~6ammsOqe;6{LnWbCZH~L> z)TNV7;gvD225#h8%+5xe+Z3c*Aq{`guno9Tve-h10gw)}l8FJAX262%dJok(Ew`f( z%s_wh4#m2featB6xkNtIS*8QGGIif*w%gHKJgkV^@+Me30*lfh_`^&AbWF|1s*1c?H8ez1)PB9DY z1dN!OZ*K&eF<{&(xv$e#CDXfkPN*%_ybZzUwxv^N>j2}opW@R22-y?SzlmTxVRNA% zkLY2gs>lB`>1mMH$N9slC`|W&)_ld}vtjm3&xnCxyB^M3eeN7EJwh$MH6MCCJ$$R26RMHJHugj9L+b=a5XR6X6N-kaD7_bI-#HF5jq2VpJDc^7JFBcx) zS5hHs8n|s@&*lPQTPBgAtP@LzWK*|_W}q4_-e^*6;-w`1LE?Rr&=$~fTHXuV{N4aJ z&j+oaqHh)sdXe2G0&P9c$rssZANiO=+oo|sWqn$sxlU&$HEmAh&^?1m$hXP z=N?`{1c>`5ZVB02`~Xu4aVj@fDI_Xb?>*Xpe|it=tb9k3nV>A5u8S$?aWo#Z3JTXkz= z*T_+BanMZ3FnRv-AXmp#1*RFtcjH-8p}$`8TJznFPJosDBL@ACp(;D~M?oBa=0nS0 zOfQ|XznEU1LI!u76p}gc|6qEZ*EM!7$;v_bYie3)Fo|T33;6Uu88=lAW3GDQz?_zejl(+v>gonCNVTIAzM-K z<|S4%#n4~&A$!W9YhYrbtdWseoouFNh8rHW3qbzL9pokf|pf%@{$v~Q}XIB00`C5P* zemJ<)y&{7hTVaRc8BLhL);+17|Bab?dj-#^d==07K%b*7Uy<|7EUJy2$kwu(E4v0S zMqfe^0x4>7zV|K#wV^k$%_p<`P*iWYE~AW;(6h1~B{w=X2hCkuGb2n&$b74Bp<~v} z98&@aXYZ17MU+fNrS29M>E6d*vzgks0{V-7)~upk%vNvg2rBF-B*$!nuJdvq1X$gJ zP052^Z$tUegzc=iEHPK=ngkgnnVr-Oe``K~6I-)nj0X}Uhun#L&nawNOTGlWnR zlJ>r`^{XIN$fgRLUuu04K#7m+Xo~z=FNHFl8Sk|C&O1|M)}!rrmh4pZFM!hgZSOtD zX1GJ>MSAnH+*F4u`e6$ZY-t|$TeD?aT;o)A{M{k&(dm!}YC~4Yy2MeiwEm$t-sap`k^aJQCw__hH8 z?#=hEB@Fj~&f|)p_b1M$SZvO3Hg!#{@vlDho;s8ggVRId_G=s;K6DkN`Au@TZh*Fs zg|b0Slfj2vxW7j}17*WV9hAF$398@do9*>_$z_W!)agBt&es}uG4@&Y5*wCDsYGsS zRva^_jJ|71P6$LkM}o4q3m%||6m#;c)?iNuR`1I2|F26QmjBpVj7Xz;UCpQ%JnKYC zT%TU%yj&Ul1Csx{bJ2AEJFDyI*x4rmJ(KU-FC@EMC)Y|j;0S`p&EI`=8STDii7Te8 za0gaq)9UTpu-Yw$I?OxlGH&3#NevC zGICxsCQztA;5aLr=Gj(i+Ps=w|5_{$j6_%#+3};hj#p$jfdvAS@HgjL5`9-k>cc+> zZuY#&c{ufr=aO;Z{!G%v;T1`DrFt~Of1)LibjW+@s(QH{iY#e&cIzX{%{Qx{3(@RT zS$0!<{2wC~iB+1y%C`Bbi2;K}IA*{bgyAzzEiUxNrWWlD!5u0vBR#kx(I!8eO zL)A+d6gVGj&Z4!CepWoKW|1zw~Gx68G8s_9cB#YS=Em1nrO7%%@%RvY7_G?;G|&P`mmQt%PCx z3NrboyQb&G9U!#K$ZHOcZuWqd)IPN_QFpcL!LriKn8FUZ%x+viuA_dS2QZ0mr{?vW ztiMvNvyz0N61Njv>Ml!OP;ikF8T062d&s;#xZDqL3wI;!QLnbO4QewF@?PEU7d%>U znqjpK5vBO1XbnTBVQ0!KG|#QA3%RuMDcSeVNJU<*{M{#OGiV=8RoLUsmS&MB&J?+)U zeKX_~V4(U3WGt+-!~Ry{e= z=6kPX`CdYt%O?5(4@glbEv!8-{*PwSXW-8m2jVLq&9%kZp(}UAYuI>Agi{qT7}PQH zdXPkng49}AIeATBUeF1OcucI-80z9lnfIke%NXTl@8`VxBHa%7p04fzqfSgo%A&TVP&3* z8GtV+)eZXgaEF}6bIkGH4nx&WW$TAp7jzd>aQ6ax>cpE9{a&ed*}I?WdF9#Cny2EY zj67%~?gF{k5K3KMQ+hJ!D4~r&=UWa5?A3rtr2S;k6dt+TbazZ z@N-dU7cqx&$j)~G+dpTyd$AgGcKE+4NCXx~Tn?Ob)RpVuJj}fG+?E?Yu@=ESy?R>P z5Yzzh4lkc`ZI$~%ClWLL09Yd5#E%BRlYs}Dw|kgG|!a>xY89c zb60|Tjbe%>m}PBj;nAX#F6^w*5%mLn!_7FoOxN|vdhflwCle-6=4H8E#i9_|^V4Uy z2ZfKztg|d)@dS3+nSkm&{?%U?gn-d^6U7D;icL}UvW;KuE|}TMQmCD!F_aaqo~}br z3Ef<>s*hWmE%L1Qq2NrE?0h#UL+hAm;DXw1&PgRhLicB)3Z3ku|q9PJz10q8}hKN7{0%0Z$k^o_fAqgZToR@CDugbXRd7Ql4hHbH9AcCQ5^om<|27Ah%ta&^E6i zAZ@;I8oPaMf-pOhz1-Z~oF%}Y?G2+^+~Iib_<@RKA9fHPrzwWf|?NA%d$&37q z<(Vi!l(}E~sAQ;w1ey9-``r~pmeeBwp_^zx_mG1mN%|BhWYRs9srkL99^kZa2=)CX zqwGYa&QDuMdo?WD_d?@R7Ar}AaJSrd>3+x}T`oKAzR`1lH?$!9eHth$-sPKcL!g4V zoDNz!skX1gb_--*qZ$R%$kA%lku&tciyzggX#}Q=THdUw$?~gbxU7LIfS{Z`m}e$n zlajCO=k_bYtCl-J-_Utlbn%zykEM^iQNph#&D!+-f?L8T*+Y}573PX?8~iN0`VyE+ zVsAzAyU{pzsko>la>-@B^nF>H|Fh=V;QqX_&NA5y$I<~GAw+`q=LG-`n?5Dy^eO2J z59_BWQO&9PdmVpYOkfh-PxUNFePTo#8Z@?;=0744LGvd4CNB%-{h9~Cm)*F7ip@_j zTw>Blqw`vrsGhphK&W#6EgQFBS2f#J?6&Kpq0XtkpnPG89)dLX_C59UPSAljlA2k` zxc~x&k8JK3;$~FaTeJwP)63>6%I36S{Yz}h9LryeSi6V0=(IHR$bD9v4n7pbO9%HZ z#ata4GEBJ}^m2L844^#yr_Zd@_wmh3)}T3i%HBjqls@Q1`Ny_Hhu*;xCghLpQqlBG z%EFG?bUdJ|dCv2cnJfpYvY@Z$!!*NlNT8JvJoUxB1d6{$17EjXu^m)n2(DjBZGfVG z_fZlLHJb>yie~O{Ri~n`EuxHGy(~z2P0X?fFXn4XU2VC+#mc)Nlamm)LMtO#r31Lp zPvfSG{h_mEi4D{gV@!{_pW0Ftrm-uJR&8qZZ9sz_W+9l!E`Loya9Vk!8P{mO%XB{x z+F4J9N=v~Zf--&Ny1UL@07Ll1i-O-gx0M!c1eHt8z?EKxw`bAKk*XxhhK~1Q_nGNA zT*WeAEaWyRi*3ZnJHJ9vM6C)@iEy`-DF_qZNUPXABq$q$Nzjh?$3>I~|C5m2Fx6#2 ziL^)9dJm{wN}AR2-|DK_;+pa9r{pQR2Q!&#SGfFjZW}-Ty1t9FyEs^3g|IcK$KH+q z&1iS)^g$lsP(PG=$Wt7Kbzmb38jr;c&zjSM7M*nN{MFbMKjT(*={n!t=(?U zLwrEY)>-Q}Tv_mJMi_RJX_BT9V~fGl78$Cjqp|trq4lQ~2Zw!bONOL93};{)iQ@(7 z71^6WbVKd~|3#@d`g+geEN}OdfH@4)qdE{W_gpD(XltJ+2{yS6b;vpdFsL5Hb}#?V zJ4X?nv)Hip;JV|rC@$KNAjSHVs+pgMG>oL1^)GerCD zm}R|umTP5%4pYXxvou~FuRMK7(B!2~$>K*Nfhn+^`{ZF<@4RR&qKI*QNC3>92xd+9 zy5pVcSiy00U%Rm=cj>@0m$^|j3b%8(a&{8&BwP~HHQ!6@*`ykwiJbB1Gqdfk!xWX; zt8yZC4Tc=r=Y98@I}*9ME@kM#`^KrV4H{6P#I~?;u1~okG$8l!Sja?w##2M+SPnbQ z$ylXmwnH8%E-8hLo)OQZ;$_)dcUKc3eG0}jM@N~{a}0p6v?-&X{Tp`KKTX{|SoyIb z+nRVq4%cvYTt>*e7ExtjdewNH`Hpz9UU2`AuXyi8@X|E)bEACkhd~uy*hvWER~Y*O zx1;(LrKJF7)<+)-m_0X0?4KE=j4s1=)nBKWh?>{e_Wv?{S4YhzFqBnNk&~DnaD8b) z5j+S4EBn1GVFx#UVgp2Fs44)Xp~$k6^&OZNgBM^mW1Ue+|Q@h{jqVsMaf2xMV4+D%Bvda zB+|o*!`OhM=g`%q%^o=`+)0U55wv`>fF@~|zw&8(2C$M{p&VJ9YvBr0mAXQ;o^@1* z-dU1xsqrd9;=#Ro2C4tC76Kl~jXMJjRy_t<(7LOT_1xJsJ0i!!Gyk|X46cee+NZf} zyuAL@2Q72XTk6g3me#rS$MgzieJmArN-#VL_`?nh7z`LIQD1od>;6*g#9XS(jKwjaWYW#X z14IrL;Z=J@ym709=(7Wa&zWfsNEiw(cGO|?!_o5TY^5(#k7#7=Ff4i zfqOgXlL>+M+t=L{_x)o6)zm)^^{RC0zcCJK{a%f{gK9M;8jLZmAj`s7+0;O>e zLlV-7t79E%{pfmb^L&{5qW{tuQCn?;M}ZbBf13Z&Byy>E<2~+n;6?trcSuymgVJ^6 zu>)hxeP$hvcA*Z_-fLwm7xnE#qT_d2)W zFfkM`^xvhF#^hUGFQ!MqYyx4!=LUCV#dMpC4M*D_gjcPpQOAFUH4EiUUiPECEZuln zk3X}FOp5Ka*VNd~-hjz0_f`>YXs}7d5e}y_k5_xdcY;PWD*yIz%jaaK@#}qmRE5?y zU^_HG)3FDCV7jrx%=g;$8xb^AfV;PwK_zDWLVdu9$xhELuvNA%GfFuU;Epdqz5_<9 z)O*~_d=oXPm0-e{hEU^5DA3V1`(%VRZoz&5!3?9HRU?Gdmy~KDx4IW7bTE({w7q{$ zuCx_@GWt)MK3JG6@46oJ*h+NB9lnZj z;|mZ4CgDhcujSUhH*1M;t-epCg^xD!$;uIpX)%Mo1C&J1VjqzvBi+coKjX|Rnc}!GuT<#w= ze7xjBIqT1eBUKu(vWnW*Lifo4i^IW)HD`F+N9WCJ(uFwR-YFa1W~Z@bVLR}?+i_6g z>)iaKQMbfb36NU@DmHsaNV~&7Pf|OHx~}ILM?lLIYb+^D=!)VvOMuZYxcai6 zGOz5FyMON> zytD6uvg}Xm{N0`{?mmTS+yQrGfyl2RKGoc5G9!O7;<$WC0of##%W&RZMS`Kn27_9` zh?7hkO;W#<1^N8IuS(SNNfmS?!eObgjN&exQ=;rKAN`}ODt`b|w+%R(?>U>|E*t0% zJzjW7YfOa=EjHtV%nfG;QR?0OwX>3%)@ENZ?HD1LF*GjIKXd%`v#d=Z_Y*5g#WRY; zFJ-jLO754S^Ka5cvw*?+*X&=IfNV+BI5}{QoPnIlp<7i|e9|)lq>e7pbBiOk~rPGJp*WIn- zj&HkL7xMcZJ)l_4(;sr6E!A?z-xbhw*wP7ExNpQFieO*;+89W~_MolS{79O9W!t@t zAXz(*!O4@C0NzroDo7`fZplAe_5f0f4tqGDHi(GNM2*%G@ z5V}7kAZR(x$NgIj)i?@?d{I;k<7S*M%EXe8cw~uYq)NhU5o5YPpSuUS7uyM^OEZ|u ze(^JB8=v-Q^_UeM+&QI-c$df%g#VNXC^^pgwzziR5QcjuI1-du0>o_8c$!HZ*&1Um z$f?`2T?*;m$(htpFG-NZ@V4T9UF?H?-ChTb&l{*#}dvroZ4pEK~gQpZlK2N)ecl^s&O8Wx@ zR^qlki4Hnp{TR>T8-=l76&~pUjGT+a9V$C2b&mszzxb$Y05%dM~iXk_A z?uZs{qOckR+|*30xaS0rK?~xs(-a9tQt)8q#+2%b7iiiAH>co=p8{)jtUg@$C9;At zT%!P^T8)XQ-mom=Wa48o&L}~UuDVWUA1d{0-s7s$abLpWNM>f(p?gzV13 zo@|O3CaPZYZyIeFx7L!pOY>{#-n?=vfx5`PBUGwy_{VZiVEX3+#a>G_kgQk5pmQfzMGRbP_c{>c46J?SeU5Dry9 z@hio3c0?OSIUO509;exu5-@z$Yfc_}4G7}x24$#0ag&8KR}DW=VX1lwIx?*Pq-scz z?*UcHO3$?i1FWXTk^n5Q_+Omi(O@c7q z)kmD!2w3C%?>{8X)e8R|==O?;?C7A*1Vu-lZ&ye2?Yy5QW!>|(@jXKk#h~S(=)fRzUc$l#wt8 zVFVpaD2N-`QlEy62o5+sUB|WzOKT7%)H@PO%5e0rgVB6k%j72YSuec#w|QRh74c&L zA6I5^I@xD0JUeRW|M`hvW0z_LRbf#ev^olt_Uc3pik~aZI0p_$J?g?72l(sE6<=Gv z#uQB4IziS+_j$bC1}3Wm}rYgOw8es`s0J{E6drq zz>s*{0)QC0;RG=R!ImSkxTPar;;IZr5b7PhNLbXh4qFI*}_59rkJ0Rd7G;BZof=< z%q50>RT$^UQi@SAbe8x+o-P$BBLPUpum0ySTitVNkwimz zyx%8pOV6BGrpjUx#+NlwJWa2@t_BsCP*b3tHP&hbw4jSZmKe%nj0FW9v*lI#8rRjb z$VRG)OLZ?4n|#o3;K#J%CpoUGlBns_E&DRb$9sc(js^rDpCaSJY9Iu|MsGZWu`hv& z-o#MJkMT(8O*IT@97S>be1$Fi*sI$(wz3*laxML2$VL#NlX6R)iJIto*^_ea>g1PK z<8AWTN|yjWxlTLqQ@@-2Y}Lqyf9;P1%h%#xVV8}PQy#aD9}84kUS9d! zpP`57T)a#U`4?i1?U#r*!H($$_LAp@eo4#1vVj(<%P!#}P^mv%!R|*f-P$ww(v`z# zxzOH+sv5!hmGk$%)g}|BE1HAG#;IWY*QA-1Ym=%Bzi*n&?qF&8xBd`|CuJFdfx-$J zEA`Z#etc9gXCH$3>Y-yd^IFHFR4=U`K!}EYFYH@WQ@aynMTAzZ%4y1IE?0=DobZfI zGQ~)>!Y1YC zKa1rJQ=|Ds84^c0(AYGFzel7J)JtGumLnDI6ux{uHD1f^(^{LXU2j9q=+yjtN3gtO zUcZ?H)S{eX-bfLBJSScu>a=2sY?j`h_=Axt`SI{~`KaN#C13`g0#xeS==q`Lc z%ksWY@*yrh`S#~h9sYDGeRgpr*dBn0U|;gujV7zsij`Ja_TzT+;NMW*L9N!wzT$eV z#MJ!iw?NA^=!5i;rexh+$}-@?sm~NeRv(Ja7QFR5Ka|Ee(qq~d+|{5I03|+#@|yDJ z=iRGCt>5Gccu!_%ZePe!Is3^5B0*i zc#%=fmxc*?#}zRq)pJ9+)hmzt*dtis>jC7dyf_>VX^@W3qNdwJZ}c5&4i z0ir@uBkDrsQ za){yd)uU0j42BUUXEl8!HGML}i%t|XTKK=mEs&oDL~A{>AnN7aBf7LCdF5_ezR|wv zWuTqGb8{2zC_ar()&PA%>6{1SV9E?==XF{`NK0NvLOJzg3N0StV3C0jB50Z z70;ThK5eEOl}Sllw)svo$1I_oXoXD_995Et61BDT1d5;oU&pcu9;g1~o~l{R>65E# zBgf~;23+!2IPSo|GnBsWZkY=n3lKq433u`oB+F?hVMhj$8x1JJjG%=NTI8Xz%LRw5 z@!j}1C%6|g%e}-1W9CIs!%A=rVakQw&*}nuYyYU$Si@MYyT?nNeJ3ji=f3f1d$`+@ zfzHvlz3D&_IR1z}luhc;n3~4iHTaQQY{UJ(k<2t_%C#+=67QwNZS84JhZihqUA|-u zv2x$*Q_oZuJO8vXtGbjP=-I2Wp+pvq6wqdn$ILyu?31ZZBSZ<;BY#g5uuW1RUzMo? z)s2uZk5y(|W4f&6BI%(CqIeGz->jZ%t#y9eGXy7md>$Z^65&=y4Ue5%W_Va(yW^BY zltWtLGfx#*tqzM2jg`Q7r3u`)1xU4((d+sAR-Oy%OQN)j{Sx%nW;D8}6d?o$wKxGwLKs%PiEatP^rBmYB1olX6it}0RC}&bEB{VRo>kvJZ$e8U|Bx; zIrp$X)Dl|Vv^mM&vtLQ*L8lFg)Ep^J~>}dy;z>_oo8=cc4GbA%5%4f zgfRb}rwTve1ijWeO3R}!J)})X0oV3ppJHvS#7il zWY_^DPj)mz?mB}0Yrmgl_Q8O8Q?P>HRbxSa;EwRX8tE(g7HVz@A(C8+K5#qJ8uaVD zHB2x9OgO7X*H?0H#c6`lB%}C46*EC+l8bns#pl`Fv|~j-f=>q>`(9zM8b~716suNSZ2j0!(fXv9Z?3u#oHyvgz<5oXV&yjY7g5Q<)JN9c&KRt^Mvy#|a<_C5ln*>QxZf8HS+S z0v3VK2tPfPZDqv&)L;!pi`y>1(2{^YJ$hug+nWmTrG{e`qtV--_kcz=cj#f6Z1v*f70O$i64q@j^+ttH{+rHJUgsr4AC?$6* zQbF?%c`KKoCozdeMuI{~MHc9`*ATqND|J08$oLj}?`Bw)30Up7H3J3rT&3igR|()G9Vp61Y!lxYu5R*+{7(A3u5Rq8_c zVcX7T!c8|uLG0P}Dz1Ef=Eknr{=X$Ia*s^MoKPPSK>Irm@;-dLQ`fo(nDSTVIS>-P&RBpwXi; z4r(qF><9Xm>8F4V=u576Er<56`WZ=@(Ksm~%|ywgefGl6c=8?l11h>1x9Ao=g5&fl z6?O9Qxtf%aBl~_D0w_V*VB~V6E(%#l!C|j=0=>-BFd3KgB$-o=GQ-#9d)`f#(RG`j z={BzDrXWGpE*@t#0oy)|YvZoN46Z|(FXz}4w9p?{1H3jBo8uM(t36`Fsc{|1xD|CR zW%;T90%h+d(WWJHMUZV0aR)REXpDAk(FPaMR|D|3VaF1SFkpk?(B{31`<)3%l=)7( z&yWJKa5i<9#a1=1zf#3g+ydMp#)0pgt!7dX1}IKWu^NMbUO<$)qfmKU{Wg3>Wte2x zK7o@L12E_&>-tYvuO>M~s8Ao~oWvV(Ln!AO9KuH2cXns}$mtYr{a2eBn7BX$nJ-3W zTALPp%~Fql;%Txjd@7}HacXw+L{dqVq3vUpsXVn9n_z^yIcbKjCQ(8icnQ0XXLV|r z&+Nvu^!Lr$5rgyi9F0hodhYRT6ifoBYTC8hkTvvHD)OS*H1L`>)dey9oH@;CG))6EHd;k^p6>0L3X0MCuUTm z+d<%}`@uas-L3OQHiU7l)zuI%SkgkIi*6~%Tzyp-*#l&bpF{8;3e(U-OXKovY0+wp z0{_s9ovrc+v6A$*?=8dkB#kQWToa_VW);Q6e`)d>6c3e!jbC1Ik}f`07nqzvwfE2I zx*t^?T9LsDo!R6>SEmF_cmHV^;NjlCr0I;ZlUw|#;8g;6xJN-f`>RLI1VKQbvH#sJ z)&&lXZtr#*SH2L}@%dwi^)Y>Sv}Nz;BcsG)LD)+nSFx&nodJwvtBoeFp|d(J`<18; zzg)V2s>oYyoNKQLVZ;dx4Hr>{`Ig}&&W2_gPj9k5EbI-7#qG}>q&m;wR;uQn#o{E* z-x8Tb*L=5NZuI?kt{l~a#1*b}!EIL8l41?`y4OIRlSX{BKze)GZ+w&~{ooQRx}i~R z^JN)mn>8MN%j}w?%>9v|Tu1~l3@nDKm*#=msuxGke&z$_y)UL!&COhC{Lhg1#(Nm$ z)r-Lm^!_={OX=83-;44u%jNEjiIg@-5k0!}{NOGic8e#{j-LyiMowqteC%dbSi4Ta zS-NEuF{>jsq=GD<|A2JTVZK_yU_a;F|08YckM$aMwf)K5@M zOWt`b1>$C6^C|+HPoe|R zxdS8P^rcg8)_mNvDl=hn6>_(lz{Z;COM*U;D#~^!gceaXYtxOVgxFLypBw+Yg;S+n z`TXby)>|MQ6dqAsRdV1TTTYeS=v}OJR;qU@+OB*=rvC1-?w2L@D_p_iq(}7y)mxz} zAB9g49Z^!VfPm6NSlJp#$`$I{sSuiwQxix^4ACr7e>si&&SQUoCVWTwwjkB&S zYrZd-L(cMBe3Nrgeq*D|Z}-yRsanBfc@f0mn~nsNu|1O8X^L~uBIAXRC~dI-K?`4P zKQqGGS|FS~)QR*QdRVyV)@7ztw;-Wtb$=`Wx(2=rB=>PVSXCA9ga0&*uk0Y6ab0cV z7Pc9E=$SP`9dvsE7gz45l*wkylD z^z_Wlmz}>s{tT~9T0g-g z^zC1x5Tb1=&ViSpopq!Oz_%1=F|ZaiuWc;Jtoz`Y?q(~7F-b{KBQe+MEy(81G*lkv z`l!S1z?;aFqJ&wQc=>oe*5Ka6kh#UH5w}Q)>_~}Z$Hfjqt`A8P??L%%7Q#lEkD^2Y()nOG2-TKo#Js_!QJ-DUWqhh)(qL?+w1#D>hS~tWZMy2R!xPXzPIMCIB!?T2qsmnYrppzV7ap zsXA3qyFpI8DdmCTC|jr2qE9O!Ea2is_DMnKFOUQ8kO7yc?Nr@WofG$}XGwag(G6;R zu@XN6?bulii+M#slxRrTJiLi&-<4tp=Xqb*M1J1Sa)ZE3{{rkRaJuuJMAHvJ+7cX~l z5%ohrA7rlf6WHXtSiAt}`v1pkqPx%$lUUstPZZ<%2nzasDk*4IUv zZbp9)c|o#MBSka7a@u1m8E9EWRo?(|HT}#HTh#`z{Bk(1Pf3+i4?NgQ6t8R=p^bv3{3jl_JLe(y~Y-?9Mmi*yk}fI6cgE12n%Z zL=@f7r^o)*e2+3?O$wMVp@)NRH*Z{RPHucqQ?ui})p9NG=L#V;ue!|vClT7U7eIRs7vf)%`CayupM8cBY))>-_;vCP0GRRrD= zP6cW)43H!0Wj5D}8yk+xjox!ydq$bm%lnuguVv+t_PnQ#a7ONrS=9?_xOHJklEl1c zOEcETTIBB=E{S5YcyZJk}Zq=a+7;y@W z$@>_=2dsSC4`zdNKcp;MIvtOjTe4&P@k>4$e%o#+D`7@7|t!Cur<@DXoJJ;Ps zT8_Zh{*_Ds`NV(xDBoH=ot2>ZkD_gtK+&f*weA37Kf^oyxb#oeyq#GnzU~#1Cq-4| zq>#=FWaKa5H{TAF!H~$)h?7wUV9z$ZjZz)Ex3!L{2A>V-EDn(s97k@qIOd<8Y6mnD z1&Nv1R*ljbl=`yb2^CAm&KyUo8AoXijs?0+P@~;t%5PUk^B&wvTQa?YOzy`eHDc_$ zJE_KrrlzBBV#q-dTFHk}SO}{xT!j`x{bcX`sc%&QJK86$T4K#B)~xb@zP>r6K&bg? z_YZW-|GJgG$Fjnd)lS&I1N-#asczP&=;&KQ%HeYWA0W8Xt*Br=UZIW}KHF5b0=06cd=>3?+5MRdph; z698eS7%21~BcXap&f)wA@urXUkimZPzqzuYZeXtSmZt`B*qiT^JbjG=22lG;Jq~v%hXa3mZM<+V-fLHDgfqcF!ss}&y+Et z6xt65>VL09Vc+*tQ;n7@@btoBD8WQtcv3UNRm()s9pGz2udwrm3i zca^0WUhd1wvxbtJUa3dYv5XeTH;DPV&}#6X!Epw3GfS~EJxm0^5N#ywicGJ-On2|WmU8rRiXUyFSy>lWWw;+*N= zjZ$NyqM>9UKGYEuF33ysAaI~z%IkKDZTl;N{X5nDksnCl@4R! z=rh?OUW}=YM)KhT_(D->Kod`GL3m4G2fH4}Wi(oY5w+|Tzc1$PO)61!25Efbv?$F+ ztl<3})w(nXFsnwl4A@gpO$WifUyrqj7&R8mQum6|45;~5m`R_Wo*wMDxQB@KpSKIA zVp8g$xN}hfeUszqj&L75Lx4CLRCStZyyndOYMlBl<*=}oYE2sbWz@0%{}`dsKiUDS4_^&X_)fqCM0*rbRr$NsMq=x(NUQUi zdwBvjF6OL#gdoPkQW1)duBF4nQaf%IMSB#)=QaBtWBK66axUOoMc(gv>PRv2x>0%< z=*^OzxvoHkv8sXGd@F6qWNZ=jLtZ>FOc0$_jRYcNeJe|`;C9sUgm8?EOsKc^@cPMy zk*YU|8uqXy2AXKHO&vMaUl&~O_fOK(N|9#d>C;PW`zy9{ z%6rOS*f%i*?6Qx^w`mlLu@O}E7A6z+)d@M0@S{oCzj6ASsr`S8&$6x3od9)6oi)ha zh3L!)Z`%g>(<%S-Ov|pHM=bj5!z0h9?-YLp!ee`AJ=xkd@a7*;#Nc;VHqX34`2Y*D zycmt3WdMVj`2z@f-R!-sS(FqV&nCV$jjL+CZI+XPGdJuZI&33KV$ut3yo(v&*Csy& zm{ckuG2|jQhxYWuHTO6CDj=7>K2DmfdVnP1kjF>SOr7<}Wk8cl0v5zDBdU7FF?mck zBb1iYkfp$ZN(xJ1NU?_8JNXqx@NGZZV|LHdreWZq zs{MB_8sNBSuWTBYOa&oU`BR<~No}XO@6i0qo5!XCEzqxKIdcK=j2N{zgWr$synAg%kkUo@7r_LEhk3j$iv*23%2uIJeFVqJ+`)($yxd&m*Kgb5B>uc1iatA_#+$YVsKf`Y;H~8$$Nl@HU&~7=0D<_; zy%FKj&JOy}gBCN(pUcnRlxNUPUS?t9oG_cl?mjp}Yu>^9c%AOxNorPm&N%tHRX?MO z(Wh6no#g@C0SMip(B>D3e1vbMIKOu+j%D=uK|nu{GbJC-w9U}{ap0uqBX!~`)!0yO7<09|ZEk5k7 zL9T8own+=jQ_IhbY5Xj$$7nW03X1Y2d96;z60DS{p|Cp@&k1%nYI+9b^%|Q6#;f`Y{$3lb~Op+>@Y4u(a(0uSL#Z&US zBWv{9RlpBoF%B%Z`wB2_oXb|CJT7xmmuM0e_jO68gwZmx_8QTJ*DwE6O*Ez<%ln&j zJU#M1k&Z9OV<2VK&{1P~bb05EAYZ&W{)Dp3@Rg9Y`;u0{(0}yFef&2)WPpMT0u(lY zn%2X1A-i4D@LoJD_bF#@F+@cmP7-b_Jv#*)|k-vE1v`4==z(j83x-~nK^*dzMuqM=E-tgslS5waMPR3>SnPQbVF0;YJ+fxAG>(CatMgQ@uc;xhONxD3v0 z0m;8{e;ToBl@YileFs24j=Pzsj1_~?de$wFcQ%bG7C4j|WHYhzcZH}Cpc{gF*q%~v zYahS6Xt75)(9-VJOT@Msgb5G?J?xu%L<2B;Iv0-==gI@&1E?0tgxBli;O_zv@B?^< zI|s^r(H~(zu%y+6C__B4Bq|unaG?A}enh#7 zOHeRQuodzT*o_kIwap>>ZoV_slb=|x96`%)U&E}Sx&bYRboqN&ZEK%6gU;k66Xm=n z@1u~;J3eYz0ob+b&^QPBSsmC;^Ed->kXkdgrD{u2y<>AbxY1u{=wy$m$wzG0fgYw# zP<(;N29DAAFDmEQzbj`o6_vw)yCh5Nu2Sc!)*Nm7KJt1_mmY)~#fmX>(hP7V@w;zO z=WVu_ToP+SM?38uJKPq^UPJZlG#Z>@jaz~N-H9~}ebO;WZ%@dCwYxbZr930%Q8lAj zj$8k2qU5#S{Nva?CAakM!H%82*Xg@iw(|{jyl|+zI&d9mY35*4-JEP)UsPX9xd8zH zVIV>WhmLYCDG#CU*-K3l*WLlXKSTFfFzu5{)@ux7?$%MEE`n)bE_Mh{62#W_1tXhZ z0r}B|L~WCsdE|}%MST1#DF%)Nn}KTmC_3sSojH3l``KpfV>H=$<`XosG$;Pm1}OPj z=S7{%+35~~=-TPpfs`t=*eUjr1OGCs=*l7jzy8W9gAAV@*sAOw2lr+AUQKWN?>J;A z>VL^0>(mEKBAuaMe#N&)TXHPo`i=>b%E*J+P_7fF+hVI;^q7Yg z6DKO0nr(c?T`1cCp;f6@Z*s&eZrb(c{KL*q!uvBL=|-hdN*gpZy+I0di4i7S)mL5f zm+oI>%11bvUQdAZ5%tj3TScGBuFpC4pqbKzZx>p?hKtJaUd(_B_rd=cg3o`MKnBYU z-xsZSdbfPx0qZv&8|RqY?5S>|*ryp_A2$u3&O(3OIaySYGx?v%DW8Pe8BveaTEZ4Q zL<2%8WA3L;*nmCydWLum=$8Vm!F4jW%@&{3o*0^^p>^7NSN-yzZ&VLnRHz`k{{+vi zSeqap{(;pS)h^AraCK2nsN9PnlFOIW8T4? zV}ogJD$vn*I3Z)|FME5>PTxls)$;t~oIkCP5+pGJ%tvU)@DPgFUbq-{|FNDtC&J`5 zrTv0{b0Z7`(fK{BpDI7-;6H;RWns>YnZe^jf~a0YMo@?Ss+`^&4?JaE=N+psRU{tX z^S8gf=@~#=$S@F0(p5p~mjH2S7bH;r!0o12c*RKMq+uZ+$MBAA@asc?C2+Z*@)X#aBIt*8m1Lj>>H|6a!-|hs0h^& zmk=Hi45#c7iMwr=IZNMM!f<(oGj@r!K+$GFJd29B=GabdMB+b z*-9rh2mzdTaDefpfmyg}2{Tt`4An_}d_<4>fiUBtUTwn2k?v6d-DhXOFC-4R$w}I% zpD)|H_Y1!$fCLRYewenh8ii|IfBzepnzg5Z6B+Erad*Xq-@V^=T0>skuOJk>h5mYZBN%2jP{Jxw!mk=CWF}<%1K=)vZO1rYbM{f<#at7s^@aEB>Gh(l9OU# zEiSQ;7rY5)TDYoWIu8&44b2c!qVgriqaLW;t$GaVKNs%4t7oE&R6n!e_Rz$$e5aTu zV|DbpCA!svzIaNBVonN(p2-{OlTSCMAMp0~Ft-tqTt;iE{-fG0X#c-!*PAX^)Yskh zEQ`&7~CghuLzL7*yWJU^0w*0Y_4lk$){0iL9g=-N26554qtz>IZXpf5>-U0hK9 z^-Z@YK^bsW%czx0mSk|Rk6+4+xP@VS{H2>=a2;_u%&~C3cveq7w7q(K%Zd@@|Jx${yYJO~%>%o< z>FT@Ryq~n`lh+u8O{AP;+$4V5pMeEP;ax%8lA5WUH|Mv?qrdg_2?}9;)2ek&aH~p5 z%zgry-wyB1wyHpLbUg*HHZ+Fhbf`e;70s|n^2?-YU93WYu>-EG);qRgs7{jlF+d{HTqVw~U95M2Vx3Qz_N;sNsl z-9MugsOc?rvKoT!9Qy86h_EoSf0cVX2VI~vGf`v6D-;m2z*R0p%xNBNhz0QPI+)ny zM=Z4d)nVKau?igNfGP`d-8(@qEKN%u0O48BNo#AK;(^`f%qavZ^k+B*?Z|tRc(Xft zL)WEpz`d1mhvqHkXI%e$<%M=6y(BdXkjoD6-gxok0CSyv2~J;6>t}!XK%Uky6Q@|* z>Ssb1wXU5^Asw8h{QMk3h<3z- zdK*RLoM##$zz6@Wg)FO=rbu{H(Dny8h(8lmPnKYKts`1@%N&ZYHQCs`c1X$VNihdB zuGp#@uMJX*H< zu%EKH(_5#0Ab9FM)AUw@KZCr1%X-wo&?R8=m;>_RPR2=+97Ou51Z7MwQICK!JV{Tf zU+TPppna0eSja(0Mr&&NQ4}mLoyxelhArjZ|2C=9!Wr^?96x6-WvaSeX1rzI-w3L3 zII-ym=sEvR{2W@p*G>zQ9nAoRS6JXqjNq5Qf^O_-Gsv_aJ)8S7v(=Vb?@|XiBK;5U z-aD+xbYJ(66)O=@LBK?16bn@hJw!#p84H$CdLM`q5g}4T0xAkh$uKA&B@s~(X+{W0 z4GI#J5*Q$%M_PjP8bU(Cc{1Z#XRUqqUQ5^6>s-J6`_Jo|`9t5l@AG`ieSdE2{Xthq zn^wPydT$2zITu-#mUiI?cY9ri&5ruVb3+W6scJQeY7G}5HIU&hV_gP3Pt51a$r$<_ zQUtcxB7H|%dXXNG{F0I0lT>te?R~`)7WV>fNZ0hr&jnZlO>fadIj6&MMv$pnHg}LH z&6)e}Yyqc7h1@alI}})aFdX>>dFACu2k4JRrpesY7ou#mF+SWC4kwBp%d$DLnB@L* za}q@zd*)nlHxNLt3Yi&}w^^}vGM2VDtASdURW^QU=|Vv=B>=sB*^{3SeTygPuXkP6 z^}oN+gsl?{fX2u$zVfK$dh1oQ!e^G|DRP*b7lxiTA~MFDqbYR8ii@ZIBr^A6P6UHD ziaIxz3yVO)rxUcFW4eLn#5pM!*XFTw~j@)<6{ z(^I?nfW?C#;(G2{_kMf@exS`W|tbWdR0uzwqRM+FDY+yD6`K|S}nhvCE)>m zdK&;j-jQJq(?`L0*<<84uKv(O`)E3$PQD-PvyB>VGZ6jHqMpVgq{F=QMgsJpXCj58 zUSGfpkYZGK3w=GsH!|q->(Lc4)(Lajw}|B)G+z%SK2n|#n2&LHCphvbDB-~8^wq@q z!(sTv2ht*Ss%;+1Mt-bMVjJcnNj_ap~(>;Ersab{N z26lkoW4Gn;U*DK-`9qf5f7pAj43W3qd($d%=utu%?!x3fh%|DG@;%rC%SbS1oGM|| zxMUlQRTqZ=>4SD6pc0zH>&017DslRAnl3LtbXjL<^(Q2u9cFDgn#FsW#*skbi<`L1 zu$`Ga({{}OtUO{A#s>ADz;}xaq_Fb|*!FGviU#<-Ygn){s%2zx2k9kJ|Il6AmQj9T zAd1S}mY*-x6(MDDSqqSCjCl}gVkyrLcFylI2qgWbF8Lm!q4uy2>A=tFJlm;HmVJhv&_tw(gKoeX_=RV%7d-D-98;36m2eKd_w0v9i>+ejy9C2a;&f}V$FGkB# zsAz5{z%b3yJ^;vTP=Y>CPoGcvK%f;w$WIIcDx3EgbB9PI)5BwNAkR!`&aShh*wj-8 zj=zfw^-}6uzoyXyyG-MxhV;aVGNmHH$3jpPT;*F{WW%bJqm^mFjJL(D?G{(eNVtK= z6E!f=VHS{ji2_KEI(qI}GCq`xzL=Z|8twNSi9rYB@=QSrwrK5VZNXiqR(R5rmDfwB zIMYl&vgI(hqwF098gRbdJEFcA1DHEM?RNRD0`-k#aa{#a6(pk~5ahLpcD_G^(! zRaDqRwFQRG{>n+^YrRJ+pPhYx_im?8TtW7Aq^lbuYAVf*tPl2mOfRQCE)-4mE0gqb zJQiD`ys1m}Jxmn4mxu3RmFUqujSzadIKlQo$6#kf5KqOo#Wa;-jZ5JD+A=q3pEcH6 z9q4qz&wkw+g`MrJj>Pw`U(9dLp$M|yg){K9E#UCbF{RjpFWMg_02NF$!+%&meH+m< zOE_C8IpTM{kIm@I!sjPf=Y597JV zIGyRJ^wkRLOpZLmIw}rpO0{me*m)_vTcJ)Xa5DzUMS0ZY-H=M=pb5;v#z4gE-kLqJbZblu*p35{8`jYaItRU;j0${MrgF0EQ-M0&cX0L z7~>=&aV{P6gd@FR`dJ zs8&dWVOe}rS0%^Ne;Wjo;@ozgUY_2i6BbNVf8FiZoiX}WbUHpFa_KYoHrwYIF_@J? zwkDPL$11Q7xNfE0jnZxYu2W}|yg9fU&z@fP`8_~RrW54cSZ2NJ4EE-qH5#+UKYIVR zxVyJWVl<&xubJ5!WW6B&v#0%0DD^bTPhD4RPJ-4uj55LER(_-{?Bwon^vjFskYggbS9qf**R&V`cx^uTGV@+}To~V=FMQh@J9;oi}N%2MP<0Q<5J6#Xv5G)(oD=mfj z=wHYN$;*1-*fSK8@wC=R8(EL>IV?1H%tTttNML7Sk-l_p$JkvcY@j{Nf5WoRoJ$aY zH}oTvED1F7vSQ`BRp0Y8p6>ytO6WF-F^%Aro52`cPph~>ZuHHF1^bMv7w9+9{};NM zo}GWIn@Iz@nc@Fy-3+lT@_ATUf{g?BOx~;fQ0V!!FxOAZxJ6A z70&E!?QQQW!q$3V7r)G{(!coX0InXf;4`#}m!E#k!p(S!qOSd2U0i6z1&OK@JgadV z+LpYLeqg%P+%LG;8G8N4TRRl?&7K|AVlk{;*z%@*{+jN)dMdMk(U#{;M&d_Zswwp3 zFl*zi_B?{&g;VFr;^E<{Sk`cJcq_feMB48%pxR9d{ncltaIopsbGhR&ig)SmN^52s zTV_A=lV$G=ZR}q@ur^H3HF~h#-z^%SVmW%7yDst(yYYx?8ce zNqoJCxgD9AHsp?MwswH7Gw_U&y6%AaK#b9%QC+8az-3nJ-omT7cJH3j0QBj^7FcSa z%fVH*6g`WJlxCvm=ev9g(Z<-2qo2Go3O)gVBLgmPm^Eql_TcJrsY zR&%XaROi_-TwSY?7QNAQI{>aDkO9{w;h6(fNPXDGQP;Jg$TO1r1?AWX^U!kxZwT@WnU%nlM#a>>>lEpD$-q&&r# z=>mmguAL)kb>-C;=7`!0$v#Huh#GiayT9sPqfH3w)I_P-<&nqG42@f!pIs!v?uM`m zEe4b+Ab0FNfpg-HUain~KYCLE)xZ+$Ztyb;`gFW*B|fm;>tGzO2D3P?sV( zPlaoufdWy+7yU_>S%+-k6=hV&*en2V&f94`r^xF&N*C2!Feys@YHY%CP7{{%hb6j; zn`hUt8da&qdpW?wqh(h6EGL302Ejtc?x|t!>?*Tl!2wK1gqYcq?&j`AVeW=%lZr&` z%?zb8+uY8W!UWCnF;ur4wDYrEYLrfIbG52vRA251vzU%Ey&(#7Z;$+C{D zdX;;KNChIrgRi~oPnL^D@-fxFx+r0VzAHvTNiA0na4aiLEn`WbNwsFUvc zd62k=;>%|zP%5j=MQt{Vq#{e^U)tF1t+q@;m`X!EAzfL3L7Zh!efbzDwsJz@fjLUw zu_mqE4|ZNEFCaHQJ>2hF9l0HdaT5QHVw_+YP8o=C_GM`NyTmvb$Z9~I_1RKiZF$9` z87w3FTkW!tfj7eLVwirB{X+zkCzD8E z@+!lM3ZmgVDZqMM+>OB$aMN^f322`vqIH6wV}0q?O`9jcgbmz8g#O2ch&G2bB5}!ToUgSdupSdcX{2;!DxO46luPO}BpvS+4pW6^i8XT$OCp|14Esi`F`Zdddra znElCE&~$P?(?s)SPDWJjcuq*PJ}yBSk&)W-DMtRTAI}vmf9slpr}iEbxPY8MBoGr& z=%v|X#&h>s)-+@1mq(SLSb_BKv`c=vFQU?Eh;XlQ(PY%8j!NRIBWEr=GcA|92A$}l zAWJpnwT`X`_ou0jI`KnBJ9%|-D}{u8f5+h|M+pDQ;o;T1qhC=4x!5AW!F#$58AaKP z8UM5}>S3&($wY$?j6baWf3Yuo%cw83;?N&unjFO5j&=mQjc~uw_Nur`1LI>gnub2s z`E2|_3_cQn^K8OyBoBeG<97tjXPm;<1#x(O?4Up`&-tnIF6Y1^>lYc2k!Wvc2Vdy< zFr)d~oySDu(_~=}TaXeepyLr}P7$iF=}wd$<;P7ssX?K2M<2UX>CZ1ui4xGUkQ4lh zN@82KX!mxT?j1M21tdebk(^@Cf)Nc|;dkPB9paYPC<3G0Iz<^`WatUW`r*4(&b5*_ z4_N>tmteL4Z$&gL$NePeDxX{*x_4dK=6eNzmbgLfp~68*M?v`_b+Fi1N()^yF(7R0YNTLi(FxAGLnw3UYsItC8rDoGR zj6nBsugR7^tdL@L^Je?{H!q!bq`pz!gwH|-8LrEXDzrCL2qPx0n+tJNda|WPzaZeY zZjUwpetO(on>MKlO4pwnm#sC?SmeC%4CWXmD0|Ji)JxSX<&nH1dmanwSXqp1er)`F z`iT7ZYWUXNay9*Pww7!Z;QbhZ0p!aF>=_9=?kN)SbL6`A;rz^)3kN@(losse0Nl_i z5Ud~{Fe!WIe6v#jRN*nCbG-{R&&;rZ8qVF2-K*TA#~aFM$VA5b?E=86fC1q-XrB5) z)im%o&F|2UM>z!2;M%ais&|g@Q5nfd@ zjvm1h3QCNGf)e9`AMy7U$WAP*s;_bB29=G^O9=+WvYFTvMxB2hY?DL)CDzCrZe=0; zRVzyEUvYlM?UCH0fU`{&bQcvE7pgBxr=pKlJ|{eoITKsFm!~;*!Tou-N#{*8zVY1t z5annjtj>rz-qehD|Fzaybh*>P!?JsPxEfSY+>4dZbs{X?-xlNq%;uwj9*Ahb$G1=^ zW@^(3Kmj7^&fS$F52pC$<1eF3BEzVVtS|2@g^;I97e-}jpSSr*-vFGtM2s}9y0D0k zaLzWl7QB%~0GaXIj>t=|v+bLH5RsX7PhBtdS8eivwGvhMd&L{zYS!i%wK$o9~sJOLz z<}~JK_BPPCuTJ{zfAuEI%U|F8kFhH8R(Wm!Xoek`m+Jn_lW&qfV0&hp^1X)pMb=u= zmLIz4 z(MYK2H`X@ZI(9b8i}@bqoK|BQ72%{*wIXkIh^A#8_pY6ydGdR`qm(fCEv22^x^a4o zYd{E&hNaqMC)qjyz7jhS=8m$+n_iMY=wdE2pZY(-L^<{>duEk$G7*ZLQ z^P@{P@4ixBJIf;74ljpVpGA6*ST(7slAG-T70S}fwXzUkn@N_RwzPpG<3KHASZJ*5 z=HTv_9B+^z6#!o%V1gf-9AXwgOZ^qkn&!dE5VxK8*ijKTwvezy|1r~ zbAK{PF=Y%G?>4-7wiMB*M;{)ZvLfRF0s^`?u3yZ3{PJk<{1@N@{I3Zl;5^sx;=RY< z>A2lydTCRZ^|j|~*9U5{-s{9QL6gN*GIt=qQnFpumAyiI;pE22lD!QH+elh`{-zG= zfpfJWF_!SMs#mwVBS$p-cCVargE*4ulur}3wtiupgqbS&9fHCm+Z?FINg&4L(XsEf zfjd5yH0tlyLvmj_>|7OcCALvD^{(?TQOva_BcYccG!+WAXTmEiUsChODHO zx^m?uAf02E1Rh1NjIqOMFMf)F8>qsl7NZA)T&gCgb~;aw1%vQbrvWgVMI%{})#vC4 zU|YEZb%DbL2e8BWoowxxQ>vy)n7SaQ5tElS+FuyP{XpN|MwhI>Madt<0Ax9kXugrd zbVRzRHComyfJFEU@kPXVvqk2yJ<={@g|WK{isn1!ZNjrH8;Y4bdyKq00y&i2jfq01 za}mH1FqhR_E#m@ouAC{gFpgEM9-sr&Z7-sUYIfc80l7r;-F{>{?!Ry>{-q$0$dG{m zal(eCmp6jN{l5T*r0G704*RzWQmBG!=U0W0b6mdnqu9AJZu{4FV|w7D1dkzX(P%)- z6=nbTNKe@Rwe;j={pz%Tzw{*k>(vqZ2NditlD2Q^E*;yy?myB`Kfd5rmq2k4F>UQY z5#j!F%d%H77oOd_x7KS%@!k{H`8C?rMbt^<8-1yy+XjnOFXNrZJLD0UnS0~PXH`J% z%*QGK#ym7x zX|d(=6p8bi=+NYp;u{!%W&$q?733}3l{M%_K{kCqE5KF43i!IA2Qe04Uc2*N+*-SB z%7J@0L!>RGyFyH$AHq|^c5egrbqq9?r$UuE#xr7EuQtmlC`~6Ry77lT2+St1;B*(U3 z)lcgB1iklEvtTtA4}E;6SvfUaiwzBJDqr3T2nh=VmUobK)(vxo^UrAWhe$FQoPos; zCpChqya}d333z$XO%AApFm~?z{*$xz!PjaNo zV1vqcoOAH;>95=6aAs>7l;S~};yE4HeopvA;%qYaK>R$OL?l~&xDP_cHoQx4v3-@&TuYVPyn1RhCT&O>Zh9uj{&Ed})zKWx2`uxK zO^U`!t?>X)0d6nPa%Pz|i^MmAGr12+DLqMIfHI^{V=B+qjm^X`^(OP3axaRv6v$Q6sQgdA&R9#Czkdn%;`EcdAom+9{>?#?3yJeaj?CPO#C-B1lR$ueMews7<{ zz01GvwQoL@&E5OU{Tim2yDMxIl6s*RIl5gp!iLx#1 zQgE6Ij2e@T-g~qLQ%cT!?pdxbC2V6|K;HcxcDW;ctDgJ*cifMatj1cY~IUv>KmW99zC8{-KabD znI2~PiYBeFzls3nNGjXv9~O<378??(3p5t0Tu7BvM3ZGZ*`M*OtL~?T6TVq$C2n6q=rKG5!W>_1zQlXG?{)u3ZN z+^8lGIwilnqCOKcS=VqN_?wEqzpWG`N24D0Sc%W!?yd}O1!cW`u+n_6|3&vjEtzo`a_tESds3^5l1juM>{EE-*{|Y+fkOUnf zsek~Q{WRGaKLOAoIl!y(H_2)L6SWKf!h+?*pRLhfPDquI+#Im?KF)o1V`Ke=OpJ3h z6oeDzpB^r@9La5t?oHbk_>y-fs464(&5N=j&og-U7u)18YSWtik2}doQC-t7PRw5h zQc?Kr;2RIzYbvm=HK>xUO=Bc7E6mm1>Tb906Ip-wU5PJsf6%OD4H4rFfH{4YETlRqczK(YYls}jiq^nbEs;jeeZ<#Wq* z8D*5ZvRGXYc1gC5>)abo3w0d1ujHGKjn@zVe*F9yT%vy%-@8m)?ymln-m1HxgThxG z(v6Ej6svF&64m-Aw*xS7_qut@Bu|Y#BW2vsOK@K>UD5TVg-8;;$SZREe5b>;4@4P8 z8X=*Yzphq z4Y1vYv@QIE^`s`G5bRtk%~3*mdi(uKa97kpf2E4%n#_C2+$YiV8O`HT;bbFWbC?;( z@Cvr`t;?f4VLcRFdrXF`Hv7w<>9Xx|Gm_}RbhZPzuxkDILMXmg(HGabxqtJw;i*pD z`PyIyObkby2F4t6=vKn}2TILil+*`L&D81)U%U0JTXTONa91+u3bd)ZPKD9j^W>{@V9xN#9AdHg;IE>Ic*a4C z`f|6Qb^A(g3>}n)UAq2T9CW#yn6o&YF_GMbO@J!-2U_`r#}lH7QTg;$w8fwFg*dVj zb|%bYy2iUIhaOpUc3o)2C&?c7(U>d)|IZa8j?R+1>Hn<~qVEQ*YJEYN-*_9$UOqD6 z$+F|64%>K|K}UEVI8Gt(&zY(1(w0!I67?Nc;|HwrmQ+W9MKo|>Pl1ZDH{g{Z(u9C= zdqOQx!Q~9I>(NYmXOQ>hY=)a;=XWrnY^+-)jwTXSpJxw;`q5llihi`^tt4R=d4uyf_I9@tYohmi)veyRmU7%m2b459WJW# zKNOuR_3eSYJ$`)cw``OxA4s~u$>kN9BP^GO_ql5l57v`~u2DH_cgPAOuOzkDX}uv* zhz(souDbXa7Qotz&*m%)GXP?TZ&^)Ac)Cn^g^!ud@l5*W(IRS@`UpZYv#ng|(R zF^L)1dc%NWF&Eexb}7EJ)QvCZJ5Iqjv&2w#Lc?}nV+k1VICnl>vhub^x)zrH3ir2=(b zXtOX#MOi&->=e&$9DJcazor`aidUXj`j#_sUcxevEF&c5eZlM(VQcOupk>1MTC6^^ zC2-FM4_R!Gy!AfB4p?uWQpAiTimV8P>68qY7EAPNDY`pU*C{c6y1t2$Qv4ZBlpYsN`qsr zW;+FzIKJ-|dqvMO-^0>y#KNXd1E2O~&yO@v>Scp$EQYF9JPgCb`nN}6&z1_So7dBd zM!{kd$~mbdvYa_8yk*VMGo3h%=U|xVh?0qNVKWFVJObVm+grwUGWLTNvE)kxKT&S6 zl_Gm-*R1AFl+0Z6s{qqVmdWa)lGw_-)X{JbQeb#5lG4n~YPgNB%51{r3Z@ULVt8=7Cp?u=eGbWWEklT>YBeQ;Wq(hlbPv?uyrF zGg%jM-D*_`nyFQ=TxLiPVjNJS5=S=^Dda zZ?M10#=`F1`ve@yGC(~AB8I}NfArWQ*i$EiQh4!UOxCR2U|%R!0q6cyUZ#Uue1O+# zOQp1Sw*s{^J~F88Jk8)BqiCo5I|l~0eYBnQL7vVt@(8kt*PoKt>N?-M(|7|JZ8OV;vmMGxZ9 z$e$vDbe&_yMY~?lN~F%SZ7;mPLFrskBhh=Ot_oq~lKDQ8QQGSDCX8pW%>FAuS)F)} z(Us&a-1Q>YZz;mxW%1YZQu=JluktlssZR;7kYeqmnX(D zNrC4#PFiRwxW06fER%HCEV=E6{IG!#+vV{1&ntW!PLAza>3n+QL{(n3Qc)I#Zv|Kb z=xCxI=heO_O0F`Y;iqIR54)gh=2dg^{x-U8q2JBx9?U8&XPz0Ko=nHHn7KCHNJf>X z=XJ1MM8Dn+oS)#I+!qvAS@!Wf8GokevmDpAGHhJ;dGgW=xLozr8_KLDh@duH3NR~L zG^g#Sm5*}=by-VKZH4pgt{ufT55qi*J=z7!h^o-`NhjB7k$=W;%~(!=Uu&R+pX|c^ z{*A1Twr|2A$pq1bff9 z4*ph4v%CKG3lW6$im6!!0o3Uw9o)@9>Y4VyShF~)g@fOHvoY?m_Xe5ShFP}G`t(tn z-N$^)NH#^hnZ3no$uDcMuY>%M&7K_b7Dch*Q0yQ)Ui|YtvFppMLXN=o4nkMG8U6+z z(83{VEFFr}b#5rbo(;PL!gX4OehoL;x3bmbM4ZJ2^irslhXrZ&b^0SI5B|BzPmeBz z3scyHw8bao_hs#gxX+Pq@KILixw&F3Q7o+mJ1uI|u|dy_&rcV!mfj@K&uBav8TK1{ zQKb6_lz`#WLu#aR1u49@Z>|p>f)yNI6>_7L@5fd}Jr>=WX4!~s#a^B4Pp0$iXGYG= zW{<*9j!DyvQE>aqJFGoUv-l%w!3PT29~7%_9-l-n;x;lnUa}rv`j)rV+x+itnK;xk zqe4PcquRnf)Xkq7T7S`U9!gHg+^S5Zg2L^-*ALOizM35m=`iA-0-_A3|F7zY4z2@7 zmBmAIZ~uAzOug>IZenMS3jgyC`%CtMmdd~&7pq7r9lsxv>~P{2_@bbs)=Dne`M$-y z=2N~w9^1drR^;+$CTh!7ka_81U7{estZugbl(`06R6RAw?3|GCnOn(RwL3=_B}{Rh znS-^_e8@R6qbUJX^jekjxp%i6r+co2W&0hV8_n}^Td#E+%~!wa6uQl|Si1}-4z3Tg z1A?n!X4#{O(H%>zg>ej9Z)@|egMNW7`k#N)7@MN-xuwBzo=XDEpyJ%ohlS5(V(;)L z?#^ikzl*i++1lPaQ8=+Ut~eO3ZU4K^MCsW0U?R=#62YgNQEaTTh^?Mqb1yw;W@UGG z47pF-a;}8YL4^BexP@kE4UIPOuQE&8C!JQ_Gc3m^-9i?;a{k!tAbx%e_f46&s} zpAgGp7KDlJ12+{@0oylbz9Aqhn+U4~9a)MEStd^dq1kXMg&Dq!BtJZ(snQ^%c&eF> zb6B8Gr&=L_}$$K7}ktirJvg@y+%E)&77RJAmTp1hu?Acz%!kDfh3l` zmr?SM6o(Reaz_GX{pI!Ie~={QKh}^B)T)?geR99K)M|itEuPJAyP7Rb~cbX6S!yFaWrab2{$BBh``yUV|mUF$lhcKg(! zVbXLTBkl~d=h}~{5#4alWjmjKU?meAxgOCG9vy|ZcJk~PODC;xR3CxwI9{I{-TCPv zn=)4M1hBZB?`!{aLuwrEucEb6)t%`7C|cv7)|C)zq*I#h=Cm3p#eqRgG`nM#qPYTn*K7o9U(&TwC+_1zhx2cD69$W=J#9M& zk>;Z^ouhMAD?Z7Tz_hRLtWKljcR?0AvxE2JN`u3k%GTzH+&stbw|%VW~3{5c$oQywqXndqj&@h zKf@n2UCDZJvfcn@P1`i7EfsbT5bT|V)-!>W>0G&d^3wT!O#t3Z|u4zu}z*${N-wavuw%{8f3C( zT-#^(;WVFq&BmAQlYZ#u;8>&%WleI>yQ#sJ_2$F+hdmWK9kZkUxPr_i6*-hPS?9fU zi3Q^|N!puF&jh}eAFP&a*4^*-2-m<3_YO`$6aVOZY6pV_9t%hDc?zhePETP&pqJ=N ztL|KhRF2eIh;T*WV_w4aXy-u8AYo2vV39vO5l^lcJE`2X0`_hd1Kd<}Slo7K zd%4jsY1y@ESWk6YNw39@%d`@)1(JoEG=&~SD@{LwIg}(=1m9Z-A&zzwVMkQLx|rkT z!tv=h=HuOieK1djf%;n!d176N@y-6Qc=WYAoG2M?tK+bA)V0}1N5ikn2UjGn#?o&Jl}KK046eO{!L+&D!Os_Y z`*iDzD7Zz@h|O|`xk%*_j7o%1wT?z%ND-&JPCW#9H6EUlU58w zn$|$^3mCy0?CttZLLJYh_~HWhdf)#Le$mm@7z4xLF7u{3D`)!pH;nd!+^7;l!!N-c z4-fD9^wn6*YZ&$Xl`OZ78skSZYP;yQ$^=a6<}iwR6z^DFRC=^f?fBL`Jlz-f{QByZ z)3ebqVaJmqFf0nt6kcQ)cqnP{-k>lrw)Yhh;{HrVb3<~Bu#>3dZ0WZ$kt zY9aG`!7X@uqMbW%%M+Id4v9kY%!}#Y4ixmy6z4{j&_-o(^ZDJ^y4612mrAzQvGbdO zp&}Oi7#i^GW6k11MOYafSDQoZ!N&OS2rm92c*9+5IIGD~!JzzxbOU>)eFY~};-Tav z`(}gwzAA5zU%^FIi1*ch{a{>h7epjttNa-OOFX0}a=^&JxDO{vb^R5fhy3j^sg84T zpd3%>nQJ4J63!1S(DVuyg=mN7sDQ2&=!db=25BX}Z}gUZjx7ju=i*v40#7vhH=2>l z!W+jio{LVsYJtkssm&15biM2+NexKinFsK-KiTk%awZwaY2Ci`>=g0?@zkYw-Zc>; zm94}_j;^(S3#J&G9`XM{*ZuWBIXZuxVMvmUUYL{1Jw?3w9LCt((TaQ3Yw?>w0NloU zIpf*0b%-EK!&i^qhjG?AJ?YpNG<#m^!$~8bt&IVzvBQ_s)Bgp^T9e`ldZm$`)WD5M zfsrZ(#bOw#YntOPE3G2lIV0C0rq|7at=;JP!a>LBI zW-(KntOV%xbeCXGRpCOF0=LGqxZqF98hL3q?Zj3Hp*WhdHN4`=$`JeD_!QCwUxGkd zU0a>LvZ0tSJ6M%lmc|WT5)IFM+BSlEOV^G2;6Eo1UH18?Il(mm)TnU(l%t+YI5r`D z%kiHh^47mPGV;>&$%(ET>>~x>M>ELGwP*-zWqs<%%+7mTP}{=jWBiznM`@HEF0Ha9aK*f{W>o$SzagIOC`;M?On?>&lTv!_G? zB1%JJaR?j8E9@AM8ElD9xya7vF4@jq^OIX6yQDvn^L`-=JX zU}``HxVLHi;)#M?DdZkbdIU8%Y3jB&Uwx_f&CH7uq`Ci3eo-}>r(9?oH$$e82J>_A zs&VgfbA(s*`7ULBwRcECCq>+TAJJg^TNro(4xS4axhly4GimpBPG8LBPdiT>=~63X z+xp@sB4IK!(l!%6_t>q}hAi+Xd0|}GDwX|P z2Ox(H#cdf$#W|A^2K&V(%Efz45odim+WWb;rmnW!JX30LU_^%H0C%uqSC;A-&>G1Xq5!;le3MUFlC=nb7SL`!2{E; zIbMvCbG5?P^hB9FDAwDm&|!H{%U)VG8oDx=lwvtim+UX>rH4P4T4E;X1dA8*EHY46 z<-xooe|g3JIYg%7_1E@R!DT+RiI^Pw>%|Lk-jy4J_XjU@vQLRdrR)VYmC*f)p84-8 z%Jkx)%h!1L66X5@3CCvELOXJTCRe2sJD1V(=)VIp1fS;-*fUzqh$e_?;PE)2pW-}D zUZ`zHv z!rHwUPiFs!L+M19%O`I6QU(kho+_TAS;4)E^oN&^7aob^XCE-_daXhz-G-e=zR1tX z=aKNn9r~w6M&uyV*oO2{KGx$TS1pLP(63QkE+)&CXFiZE3?5;2GvgE+g;aws_xj- zM(ah!Jj$*IH*QmG6VczY@e1Ix>S!L?_|J(ETSLEIs{n&{$fY_`G|ZYD27tfgNuly< zmn9jzFc^E#GPx@Ubci(@;Q{N~lWo?c5CNM?pRjiWb~w-Jzm{OvxSa72Y6&bmi+wU> zPpJuTI>HS2OjfmxA}U~@A6u{ImNsM=Rq3SE5D059k?l9e*%n7RomGWmKR>of-=Peb zRTUn2w#^NX`JCq2nQLcb4p+WMhK(gACc+c&qYPtxe#X0gWW5ud_Oud6mmUvg0CZ$K zxv8slB&hk15pDaAaKr3L;jnq)LTH1zKzj4h`o}n&KDTS;)AM+de@v~i7}xI<_VZNB zZW}LEm6Z*mkKEeM@<{=yIcRYY`5>`tR7~~fayXm zJb8oG_#gy_vvITu(cL#4SII2*s~em@p!9<;xY!D-Qm}l#xP(q#aV|IAp5N;|y^21U zUp6%45dX1qQOOs_u9FOyy6S^*qM|S9YQ5-48S8P}@9KlYG;wMYouP)hQknf}!jtdA zq7Q_w5NFo;*Tmw2`pbsoBFY2i{T_D1S;E*F(efibKYUc&V}qN!Div3o^Ol<(;@LeC zIvwdjYQ6VxyJx@+zxouKFpllRIt%9dw4kaFr-GFGpD?ETTnNFro?Urp!{{)`sdH{ zBw)+vlfuNaO{0tsf9J;+q1yMX>#{#6Xh#W$WW~?gV)uoaW zan^NOJ*H<%#{+)2;<))<_KjwEEq0_+ylI7c!#x{}*Fq4KaO1=Lr#W4F8?k>sVot?B zS53Em!K^p^wvDhKm2)-z`BFXp8gD(sufwfyx}far=*JPc@r{A8pMB}qTgzr{tO}{b zujqm1EZPUOW(en#uj;Y8NukA(>t1~#z?qSx^rd&+z0vQ12q&~p@&63gi+2iDRKG>- z`T94B#1E{^1Ac6kplY)nSeYZ*>0fz})2Obe00>FcolJH5-6FkP4_jk#@xzeGwIp;Y zUcTvc2Ki08e$_>rjgN#JoI3D$e5C&8O8@Akm~O(@NhHQ<1*E1FwGy66!i=cp8li zu5f`DPgT}l)i6vy{mS#BVupw(aPaMM=a;dAanCYR__||a-t;IPNmD6wfV{0u+_)9MX`iky_^x`>mUw-TT<3G^$D<4c?*pV zNFli7@?4Xy633?0u4-KdQ<1Zw(fwD$#=LK~l|CYnO+F=GDtSpbkv82oMI@*dyna({tm1zIr z-yQOdmzI^3Nnw}L3iPwa>R;+a;5qWts2TfliaAVc_Cp&6+eXitcxoJ)-Bq6GgnGvMDLou~z06$>sm$#Yk-)G57+5c_TCk6cKP-6Z%s@5-KO1IbATc zw9rW*5exID3JQ8VY-l%*FMKjDZsz`ww0Y`UOF}-z(qyW4ZBWd%hW)o9Aq(n134>5S#A-QvIW8laDXci>%goT>*j8Udt*8rzT zHx6BzIWP1D6*_p&eCIzr-!MxAKH52l+-74o%X-X$7HH8LR`_h^O_Q`|ahbq%5F}4He!%ETLd%a7b9EtqN4A-*u*EffbpZdq z8Rmr1LQA2}OaY1zRHcn(hy|U2<9T6^o1-~R4)t=Bfj~Jf9}p_JKIW)2rBU;&djR+p z-2q(17-%!>w_;dN1huTgQX^}q;ncFDD}E4K+gy}q&f336T&5x9r-~-xZzBk->V3>i zn-nF637eNyH?`dy$!+Ot3ilxs{;-9~NOgn-V~jLW%QleOaOQeNwtgaV@y@+x5`T^k z<~DWv?5&l$MQ#uu4QN;4jq8IbI+z70Ou4gQ6Kbh|jC%o@jAe_@Ewt(Ou(5*??CBDx zvNPAmQ?TovzGd3y%_JG1JURseF8Jj^SKW91ewzTJQ9swrUKsKo87sVLbL}m&dN3vl z`Jx2&<(H&-xDD@dz~t*@u!N9{JEcy$5yRJZSO^|Gs%U&uW~ofycrJw)7h5hS-P$#h zRcmG_-|nBH(Ma%ujkGVb_;>liga{6p~Ii4 zRaR%JoU91sL1q?q*3t_aJp*{+lqvn{$n^lCOK2V%MVMGzIl1QXo^RlgUfv=ZOt)H)lDPShOI*QZIW1Bb=+8v+C20u?*Al zsg@&^A3Bu!tumXu8(vKytMXFC!e8Mj={mW2DR4_{_g0Aw5#{ z3?zmNhV*|k!%V4L4A<42GnRg2MqXLreY67teOzgb)W(;4=k6SMwH&;o?}``^z+dQO z69}%p=9mXZjgvpU?TujEvzp;7bD`(d!IHXH-5vrn`6s2rg)8+JO7>PUH@dd>+jHMcE@e zW*UYbdxAh~ z?WW00T&ZVdHxYY6Pe!+Cikvd${`4$+P02tad}TT8a^3yViONx*YCSJecJMjnRsXaT zd36(r5I(wh^w+$FeS_F(K`No(8uh*5Oz5)Uqm-6f%$*%7xQ!yZQ8-~)Q^RTewg0@S!RmQ;(L|7*Pu()w# z=m_;(N4-FkVSpB;A?e*fXypH@T-PNp0HChSb%l#{Jt{ZWD4q~g3sDI6n!%+oxgCy@ zg&<`Y9eS`T+K`Dqy$nR)PlXy(aeuiX&%}FbGnyVa6Q2SG9>LDKVUaYvJFrkcH37IL z@lW-H=`P}ihf>Lz50U6=ZNLEG?Dwk%l>Oz68AlkGrW(YNE@*J4ic{$$WmbVjK?%J% zeMfopz-2>Juw0^`5F0caukfs2c8R+8p^p6;nb zc!`eB7eIZQGJ&S^EBs5ey<9ZJ<2ZnxUwY#SdX|7ao(1b-LsPg)lV7& zXEWX8kxis(pK7RI$-*o%A}s9T-@ib&aAL!j)Zd2&6?0o}O4-b1Ao}S%xFPCFLB}^a zAwyS-l259fCR;Xlqkdp|icDp6&6s_6^z5Q0^P5YGi|;krB$cx2c{R{#45pa^w-gyY zut+xJjlFqyReGP-BNy#9$Xy@DrJQqwV{^Y%GkZR=uK?<5CBB<7W9rY}o3v)zYD<$d zQJXWN$lImHn49kHX~($XB6l=fa4Ibx$j#1f375oS&)oBSJD}ztLm`5EivB zzkL@}?a;IfNdEe@Z>E@=WT+T^IGSQLJN>h(a_m%Bm*b+{+21?@GrC@HPdLQ11h#dx zDzkIX7kqUPHouN%|gp3&FK-|YZp&-Xih zP+?B(2*VAxzz-JMyG6oFVNvrfzyE6M=hvU$tPKwm-CN|kI8=`tLU(hm#ui?F zI3P#-lwH(lEK%r$zl|w72#$I)k(dmAH9y&|n*URCVzoy-F44!_=a>6R&CqhWnl-JN zhHl-n!+^G|`Jq~D8KFV=B2{UV`RCI7_lS%8<{)nmQtxC;;6~&%-qQ9;%POX>4Ywf% z4Aw1>AHVWMT?)YXvR&md1^>aVrfIX)PV9;n1pr(lY6@(!6h&YL$rI?JuMGd8r#_w2 zwQZ9y9n#YjAwBtX)9H#Qd(6j*r(Q`I)uQ1$!PiuA<%K6Et~9K}>V|{< z%*{C>^_i<9csUK2gl2`!*}Qd;-nH3cQzxC#m6(iEXmf93tflJ2oF$9=%^;?3=rT|1 z!RtKOVyuYBvzH0UD)4bRe+dN>YCU)_63wxr1}^hu2pHrG^jd+l5A z9{_##B-XXC=i@P5Dn2T4{L_R4&v>3bhXnWN@6?aG!*(sxk`3>Huu<(lUT8UZaMt6pUU8Ao#7l zQv*y=-Yl0Ua*8|{F5}KtlLd~~3Z1Q&ob8-@ zlV1Od#`hRtdu*Nw2$B*#uJ_642iMSb-Ixe3DIIp{9KK#}Trji;E)bmGY5TDWKY>K_#QYkPY-{L*K0Qn4` zZ8p##u6=|P6oU0CReKg&`LiTN=|_CuP@hRn;lp`mNzeEd>~_!|{C5deSL8#F)@|JmL6Lt24d8_h0;VmLLCu`|i`Uq=^~RF*vq|81)0@#)RI^)9ei zP~Xv#S9{Nd?vn15PXqW7#Z!@74gaM7M+hR%BY^nyjD)1X;j8QQ7ibl~ekk*xE$8Ni z1owL6c@D&w$i-#sK&iug%Vo+_?6s?_20GaYvxKjwN|xUYQ|;=W$|h+Bl^PjD9N&gN z%7YQ^kPur}*z&?V<-#V+zOyeu>hs_|ul;M5nb{)6tNIyX{v_v$jHHG4QFq7BtT+l0 zVb~w7gy~L-wM84F3>*pd8cz6}6beN?hv@MVRaX1tM)Z+3+78@l3(1-%s70X)=MToM zWDHth*>$puQaIQO*Y`1WdGk%rUl1>_O&AX4qjOXL1D`bdPZY_oeD4sSwTM9xiW-}E5SXsPd#cWEy2Bz^#d9wbuECSKY)bwS0@ zL6tnk(O!GANooS(NWxB68y>4%TU;f{5Z$@YOk21~6V*8NVom7Td+I8OI4iytx)3CvZDCzU3zR3; zr6lQ&6Dy9A(cGSrKH(t$E^W4Fovot1RzPExso_UydiJHg(ka5%_AfzqrKAP9W>177 z!nkR_sI8jpUpRvgukOW*bsG@y+R1oXk)qwWV%mz&treEiy{n556Vlu;IqP+|>saqL z!EWuS4^xDY52WCIJg+)}cQpeq_OWcF%O)m83NOLa{mUT~sC@M!vDGEwsMp#EPweZHYJqIdb$cms7FYaGI2%M-ID>6y6*4XA zL@`EXV%)@`-V|Wdie(OJEr;sL*tsm#YH@B4(qL{^uC~@xpc^||BB}3DBZzQbx#@6e zv&kk-2p9XRU&|yQRsLg0^#FrcKKtVvE~8G)bZSU4iFjMs(=N#jBAy0?W53zE?+bKY zO0~>=0QmFj%6X4c-$sa}oc|lFcxnw)b2Ti)9%nh7{@FZy4G2DG{T_V2xJ4O!elq2F zL2z(GCW#f5D$r|y;H7P0-v-IS>aTzno$TDN9Ks>5G z1sxxaf19L%R=g>F!{{kjKck1^Gm{)C@H&BuY=k9mh)`S6mW9o%Sv8Pu;d|flQWog? zvy#ZZT-6|A#E1{X{>;kGJx69zTRDq%;HxVySz|AYJ|fW@KpOY-g>~R=d?bGd#Fhe_ zXs<9N#e6b8AiybhpBHFDAs5Sl#3MX=J9ZJW2~MkD2XpgmW<`a3lN3c}@1bRGVO<}d zS3=C#MqwCZ%fz&~`$%}IIc}swG{dY7_{R#fckUq3RVJ+AyMdM#IrYmwKTItXuapqW zo>uowh;9*+b;L$djP;>BCvfCh?1ZMHF1DG3ljnvR)ZM#_xi+^iO9K?R`fT5SZn)<* zp8}NP?*ZnF>x)N4o|QiXxjN^;E33bXG>S!EdGNgWwi)b|C;8*I1yjBybtWqHc83M$ zgsDpj^$g3H4AJ8{Ghsn`&-Y~NyZR(l0HIYtvArMb)?VF4s%>66ilJ#ja7CB(hi+dU zr#u64=n{1(c=JTU;p2%N=Qn9}p{!Hdn1G57@yfk$Iu3?N6Jl97L$_A zymm1;k)quXFiBK!^FY@CCA+i%V<*x!gHq(zU%X*vV20E9$gRGUS}`=h0^I~eov@2M z!dMPg8rw2|T#eBH&AeP33T-~`7$~NRq5JgfRWSs-aMm;r8h$5jEGI0&6+2AfP`f!5 zW|7ysi*|#asMYy}4^^66AuW>>seJxR!`a1(&><&pE9W1|3Rd4Y290>F`1YoIonV+4 zwbBh1ZyHfupnRdzg}Tu9EVi)-P=Bx!;8hEo6+J`IuJB)upn|Y;k z^+i-GkYI22KzAvjF+T^OEth6##B|3{&GJh4=)-=#oi6DN??IAm-e)HLeK{PJVLGDC z=&7Zfw%^wk7Bx&7snnyOC>i|)sr3A{;<3?+4Y{yqEZd5>WeZlr&rZtpdh}#9imptr z57}XH(u3HF#oM_Z`vL+1em!9cN*e(w%yVp{RnTx9F26Z@Y$lP|`*gI-$@!1Avu;O)| zpt`nN<$ozHtkzs6)lr3hY6DcjCEW~*83#Q)uE7U?bDCd5#BWm6sDwm0B2r){Rz|u>uq`q&T2ZUtTwR)@ zMc6!l7vOwdpAHXgZ!s_5Y*O_^Hj?L3R#;qBH9vLJyzjbAHBxJtU(NK!P4|nqVWhGj z-UnK7hQn@Z?Y<@vLY%2hCGz=kGjW#!#`mfV<6MEW8(HI~Y^zo?g%R76Q!9%p5zkYN z&wBJfn2q>bHG7p9E$*AG#YpZKU}$Vn8dE%|;^O^V?P6|F`66Md#fN66puCitcySof z{72APYr|j`E6VWH5f}=eKL1lw>#XnVUA?gCS+;0Oj9-GL^c||ZTmF;-aR4pd$*T#x z5~i$)Nh@P^Jx^sW%f%CfvSkBlKT6$+6TromMJ%qAsCi8KW#-Mapo0RnyyX3In#5Ua z2cF^;(*J8cilX@KGXEy@LAli|t~~C=(Jxv2tFKmuJbnw%TzSl(Lg%7WpzxDmb5XP^ zF#11bkwiUiBpT1?IHutwmfX%$jblQqzG1JZ<^7KUf)Hkp;^YI!4QO5o)uK=r;`^Ma zJBCFq-fkrGITq3>BVu$ni3WWKd61@)c^Z}Fx~<|C{c=-sG0(Djf5MY4-g1$cj2oOyFmPoiiCN9E7yp$iiyk0~uym>dA+n#Cz6)h#BywKNc z(cmU2K+D8RN-RPMKtRK#UE7vM%oWs!*IU77E8k2Jv34F2;`(PxV=udPp<_4dM&e$Z ztd8#829ocofd_5*&zdYiO`}ZI2JZX7rFE|*MmIHTea7#%9kdkW-n&4KzjV&aDS3A0 z-pv#g6UN(QI@0u-C07^_E%?IvgZa%%4ZB3 zJHjO%G1}}}H7=R#jdxxb`STvL1>7ZC4Vo7j;d2D}(|YxJyqiV++^TLwF9e~UCCxc^ z<{jD8Pf9_xq@DyXv$F77t=8pm+R8SJtt!k9X&HuKR%6G1j~5Wt{3=z(3+xn^0%$OY z-8)zJ>O>(#vg$EjK=H-x#f*2GpxobMcvZv0ngWXjXn& z6JTYxnmZu=$O6bGjH8c5&0Q%zs^~MphPY+r{!U~_$0T7s5gA&QL~fKa1y?v|SMN<#mn*88p*gV*yu=h#4acP|&aaZBBp4uqFg zTDDIp`%O4H-t<00+C#FA{B~ua!YU*mC~&VVO^PXh2MgBWJnIJ6*lEUkZ?x%c&;`fs{73Q*^x2~Arv6Xoa+lw>+4Q%m08AfM zv>)~ennedd4D2iU?;0&^TrN%xinj`Q#tm0k6nF@~B=k(tgAjpJj4S#@d6}>)(~iKR zAIY5R^P)f!TaB@}on~ai?;X}YCel(%D0BWb!pUoTF#iJ`Ykms8dEqOb=i=I+8tR;; z<$A0+25oY1^OeyptYH(oV`4(pp31en56+@e==(bClx*CN`Q`=W7nzu23;3?fT zHLcUO)YgTp?T?^|S!&Mj=#gRmU0jn@W?q^IBtK{iPw2(z#RANR0D##roF!jbJ+Rvg z$S5cMGp^ku9e6K1bi#YS+20}B8*V2g?FiW2c+poko1O0VSP(b-jGfPFofyh&x= zXK8x4U$Au*WjTIzW_`sgwbL7nzG8X0SKMJ&p~KIuJEg~qs*q23wwg^*0O8JhXDP-{ zp=&4q33kgaMOZZ4KjBy-);bEQufka>xed)a(5`l3_Zv=FR~_paxROfXIxNreODm+Q zcAyQ}e+-hZ;eg6G5H~iV{RII9FJ#Iz7htk%Ck|rm#d%T&cg1CI+?p!c?|0OGGQ*<2 z;|#FIPz`8L#y!fp0J76VZE3a^Wq)kP0PF^DnKQrS7#U3b5y{$}EiD+lka_x$S)T{n zIjr!U5J-6eYyI%ieF1aTq!g`7Ww7)U2Ij9RnGmAS!92C`Z zV))5*CRKNTtEq@ZO+9WZ+Twd;xUZMOdQ~hdxX7j-$C&(Xnr}^bV~yhLTbG!T?YBy+ zMa@zE9$}KRB%RDyZu+^rKy6N5I^*yePGZXyX9GHHp9YAAI+ zeKiU9a313_lvEHhuhX0A6sgOw9ILJUNTqgbGLpK%gJ5(VZ>ES#v_)~QvS+L+fR)O~ zkw1%&7a<$7q_JUC6U1EQ`Sy!qi^tH3RH81Q@+A>88=?_kD?2Jcdj_z@0y>{xly4lE zl7#K-|G921-r+qpVxTBk7j3>_ zf0E{Q)RM-#Rli}7x9f>F)hG%{e`KAkAQlK9-G_h&cMN91IQMnxcsR=}4I8|W-P5sm zJs2G??CvF*g@haN1ciXL18~iM1+u=>Ulqceex*6{$9wTbl%r2K@U>l^zlp)OvHUh0 zHE0I$v#ZMi~d=re~BwJVw%dpm>#%m9I;;lvPQ(^4pq*K5#*?gK-p>BcX zPiI)Lah5j+Oz+49mYHx_ZO4le%DLF@k@-BFmnLJt;f`!l2knof7jugg?Anpv61DBY zrdd8AEneCq*Bt<&1ICXqTwTcTV=Nd0xTDo4t~dO7WqjceWjmBxPj67Tk7A~;O-0vO zaAvZ)&A8NW?CjR zisg9O5d0R7429p1Si01(JOq0%ss*x&{i{#H>tjmfRl{ab9lP$tCeX)yIc}#mH#Qp- zX~wZO7Hy~0O`^z=-yrjNFH!la&#~Xd_&*2ALM*zzTq=V3cSo&3 z{SI^}ZkZ@P{~74uA?;OBkdtgNW~cpG^S?=AZ<5SF)`sy`1L8FeK-IB(7pnH0|6$Bj z{MDME5Jy}ycK_F3r)0R|5`#INw9gJv`%ey0QEevz{&lg4lpUlBWN3HyP|?f`bLMY) zjbHf7{^!RoO)0MhplR8>^U#%pF2&Zx1P|kBq&?XG`S#_Udf$B7kmukoNE|Ub;XOiu zOrF_j2+my(o2o<|i#tA35KYpH(&jC-xumzJ=E^y@J$+4wx{zZOlxuJGjTEi{M++P_ zphv32SuS9Vq?BUndoz+Qx#$g^Wt&r(VHQ=P_0$+0PqbTc1{{aM4#|?QSac`G;-=C& zqh$0}rQeVRAz}jhdemavw=~N;C=SVnbZ-%gIp?Cii|C0eKuFk2jbb8E7uf-@h#xN z@qH{^7`YWF8*?H~Y3Co?1jcooG}R=g{A1O_up@cktr?K1k0eNvYZ3%~5iFybKogL& zJ;y~QW^+DE?~sppL)qEF(My7(S}NE$nWdo$f`;a{a=xjuY)-_SG-i;QO)pU|c;{ia zx?LAQ4Jv_KTUTB;8?DD67KDC4{q?+dFeg4kRGz&o0OpcW zTcnhIwPTv-ti_*Zl!qf%dXB(@sm`o^9VWK?^XmArC_P|W+pDCX0mJnyI05fL_3!*B zOT+|&*`jFYzw@0Ds#SX%BPVORa_^tgiUnwaTIeK*-1-RhsDG7_xBiaW0}_nmRx+!+ zF7i;T-bksRt;cBs)fs2mcP|~Y*zZUn@fv=+k3n}cr0wlk%XY5#lRt~X%H@(<)+?9N zxGie0SFQ`$cEg1TP;2;+O6%X^moJIP1rx&&fHCVmge#w($l+T1O?Hu@qBh9iU4DTI zAM?l`#abYN(--J{r>9auVCwr4;dJx>vs!a1(@ir7zM@?!7=W8SDDfzt$$A*N=L;MA zf1O_U#{K@qcvf8Zu@bb|5c%AULwAyIB zaC^s~ku7aIT1?L`eR-@@@Dy&^@q>LfPIBW%t=4(X7!4O8QiKczY(ygwY7(qDU?PIh z!_mV=#OeVI(;AgK?wQ==%%hYE%B%0ah8IGmg&+S5>1xg(*LwXE$P1@ zIRq$44xf5=&DTH*iZ~h&#x>nCPSl}oL;vWwiKG5HC*GIdW}}f-NdzLN01FfTU1=cezlofXgK*qBT-dJ(rF)sCCPfOrkGjOlSkbN zI3pP@b-vk^KjD7wE83h!lPrDSN8}Tl47v*}81}9D>+F}VPe?4F%lzC^0Q>gLM2TyA ze3elHZalRMIiBk}yvSZ93}JuMs<+Vjy{T0~Q3Sm=UZ>?3$$o5xjWxCNTtpy1@YrFr zjmd${2q#d)^LD{G)VLTq(UQ~RIaCvG*>Fiz2*E4e9pogSsi?8gLMG4WS3OI`f&q7j zrJ>zNeOOY)QWW{_{N|rL#dpTYoy0f*1i8c=WAovYeWP|YxGC~WKoox7D91%*h6L3WI0m}~J3^((PWIzk_(bH%A zm+d{J#e|tu?H?~*A!++(%%$6G!N<*;<@uK;3@Z0!`8xrM`R@h>-NUU%&_ngjKFoBR zfStT{s#n93F|!K&?kOB++Sk+mFCq#lkD{DR5(MATpZ>s8HoV-e%ubqrU&*fj9;)oTb;a}NrIeK>TiG@)rW~G&7Se#O;?|(O*6#mM26F)yF zfJIem_$gz}atRvvFV!~}P$C2_i>D7&);0pr(}FixXgl+eid3_3kOD8I9NW~=IeB?< zZ^6_k&Xs==i34a3U?t5V3r&4?ggjAw3r)tOj|?yNnXJRE%p{*Dvx#wfvo_pF7uHfz zUN+j_^r$a159}xkY>pc3rtv^-(_r~cGehK`mk zz&qxpP|fi;l^0v!<6CsZ5svv?&u;rW+o7Lwj399@y2vlF1ujn7atDgv{|=y5T&d{F zL|S9b+>6sY{m(lFxFAyeU(m<@P6p;K%%sXNes-7JuGH*8x7@c2F&&KT%@p3-W>s19 zmamQ=8&cM|z&GsfP1GUb$nR?l|KF?WBpLtML?+DwmYG4xf2j0Q%Gv2{Z)=+Az)u{XM`+hNh z0N5H27(H+w3l1bOr-%D&Y%RxrCUWlR0C=0pBT2zb9lxzCLAlyIr=0%6FT5_83Z3$a zDP`m{dZ4v#I$B+xV=?};$djzsm-l_5J2>xn0Kh&{x~-$DQ1pc0iW1Z(;WzfP@LS&v zg6wq62CqetlZ{jhDY!XJ6hS25;g{YO;K;rGHrb27JG{90zaYU~JM+1Psy6`{^w(J_ z)gZsa9rDq_i<^ce^N%Voh(nyXxgmR03{{;rpN5`=2WOS?lFa`p+y|>~F^VO!*v6rnQ zjwMamDoD??!T10JY1Pgw;w-~P$#&3Md?x0RId7n_NX?S*lw@4txQ`Q%4Mv)b< zz3Q#fl2Lx=V)SM%MYWVai)g^A_$|32*|pwfq5K}qSPP^E` z7%KL=G}0j-sVuLH2LZ&_Jt`fz3jm2ih1Ia&7K=vM*r z`DgvA(SH`8{9g@5nTE23b_Xpr%c+$W#3}PATpKKhf5E6x*QxzU$^?DJrs;|ECg}Dx zE!$ys{r8&&&KjyXX*F8Hq}UY1a5LO8iR3wyUpU8v2^jwRt^PQc$ov6R{^2LcB7K58 z9TemzWt+3*WK@8+A8TFYW3!qKYT}n<+*$~JC_O?Orh?CzfRG?j%_GaJDD39JH6vM` zi&KA~9l)(hv_tEhPZof77<{yXG(k@In6OxEyDYKK;Z$I5!Dmh@(GKC)@vGF&{^fh{ zQ%!gq(1f)sPk}k06gaY9;?#R9@bA(3y59&KvPxM@@8LdezaedHs`{)COPuA3jc84W zwVDoFAX^?i0H#B%5(ss>aALN2cXrKlM?+^YBu0-zZf&X_4huI~oX3Jc>kni9hyHM6 zW4r}2x?VRYGkBU-7~I;y=yD=L>v8M&B;n}hhK%soaGa&&_50D(rHVx1!)o;Rq@K>% zhf%vqMJRhm&YS9K=2-*$dO+|4Y|`j2y!#mcDnR^_S@XY*onAYC0$pqZh0PLH1CrI0 zDa5axz}WHo>R5-{RAA^zbq20@1GE{i9)5M64h(|@7QWkI1?hWK>zNtR_&ePh4HsOJ zca|<$h&kksm%B+omOzwr*bXLwN9KWJYpFZbSOkyTlgFdzTS*XHti+R%o32{CU4y9p{8V0 zEM*_lb%kmm7B&A1-l1wH`6Q^K29PgU;{FT3)iEXB;RhfW>abUjDtw{?B`|4yit}Wv zMDAM~HJKr~(FG|~W(>#O?hY3?l0RA&EIw8p)4^{I*dC)7a$$G~7%9pd+PP8E;9`>d zSgGH2uwRmEywIYaVX!L|wPlvP3=~W}5hX?ZYW*_i*e>SNyIPNJcRY_c34VR($JUi? zOPiyzI=gE1VQX6>tf{6$=TN?)OJ(~gr48rWX~E4bq1MuzPeY_yTla+g@^+osOe{r=uu58NK zs{HAh&>*YXW;U=D{nzICKmPowyVg7mvi>xQE%mD}SNWLben4Pf+!@%Jj@c66l>Br( zjQT^zIg`#*n?op|O}Z4&GJ%%5C#Jg!FOHSEETIVNoRxAP;KgXxzLA6s;GVyPX#4+9 z@Dm$m#>A$dK}a0yjMkk?-e#9XrB%<4+ZpboyJkXdRe|5DCyTIZZW_i2y|lVq5Y+A> zm!kP+5b_dHOArAyeTLVP$)1Vi#q^lK=j8lV;_9&8y+6G!%^LcWO~#)y{;qF7@3!LL ztD65!f%47&P@tH3&<7zYX7t)k;w~i&qQ($4o^MeYA`R`r_`xXR-~c@eszYQ_HpECk z<#UG)`&Uh$RQLk}UJ?DJIU&*j1^IS!%QsiuUl6tSsR{2b9RUx-CKq9SSFWD^U4vrt z121(o82tu<^&|NDLstY8VsPI>ixo*i{R*hN7Xg-Smq(~gE@cB(^v$LB6gW;>;>MQa ztkS}eHYKq*JwWfbB}Je8No&i^jtE57(n3dk3VZGwDDr!EWmkMj{Kh{&lLk@V#lS@G zl6WuwofGgCMV(Y^>+4cE{>_hPHw+$OO=flFqA&D*cea1ZDEqiJOg#SBGdK3aJG-Q} zRw0P7cCg`kiUBpD0L!|_JYCEaPt6cIPc}au{Qd>yc z>qqzdsAKeCt#MAU4mg+S27)PR5Z2!zfWAW9;bUK{cA3}-JJrtQ;FpewS@UbYb|z8# z*%WsQhuD+l!|8;={C#Spp;HIG`kEsajGiMx@xyLx-K^Oj#)7gr1^Tj?uR~8%54=t6 z-6dbphv2)P?@$Z0g9>j$TF;#NB2(L+cU1F(&r_^dKU}q18F88db{12q#S#7o5>f@{|pVp2iaghg6zS}w7sXB!+w_L?g>V^qoH_1#0?1CG0rrdim zlbR(L>tMe5C-q{?a16kMfZgsiJQ1|j*Ha3MqP&b;cH1%j_d6Z$#L>cq;)heCv2T(# z>YiwjULM?1ukr&SfEji2`b_+(!@DW;G(I!iOv!ifz(~9-7W?Fag)_}MmP={LqkTB& z>`aapb^L0QS@)vz3@T{xy;~pS=L+^G|B}jA`hvMvoYB%frEbH;ycRjGtKS6MGQ;Hm(2`BF)xJlr^?g`3SAL z(6svp;}5!qtyDE_RSBH4=9{-F2Ka_RVd4+h!qf(qj^v}WacTTn+S)k8Vp2M$)z#y^ z1V16UAsGFk1;=+Zfa>6{_dPt`QHZ~BbVZm&=^^Qg7_UA2Z+9=9FzxsvHRT;F!8pwu@R*go49ZO0!) zXh-Jnl0144^3JE_nwnor&ys5788e{V=)S&OSEs#1YkV zn?|zG*#pVtJMlvWm!YjmC{cZ|eGRYS+woYgXDfghiMG_VgNvftfQCYcF`Ze!j4X$# z){Z{#;PmslRKFWY1Wxo&7FW^!i`IN1p-$1upjLB*txhZL=H~rTm}*gmS-`|^{dwTa z;JC!^OL~visRNDlv8E3dRL#cndc<>iWvQ_x#+jVf>>Wa zZKjUd$M4)!z|OIefYnP+M3_F$b59JPIky!&PYz{U; z^-aRi9Ft2z+%y3O@~$1KL-ljrjOvM9tNj+$)*Xuvz6!ph?r?%!`Re+Pk`VUXqfNIg zT9>cO+AFgFW{0ER{1&o^*DMFzF6(d`h=4$i^9|%QhPO0@B3>##$lk%)`?7Cl6OJj)!THiO1 zeSJ3GAv;Xts3|o?_AnXZLTG8XJLD|xYcf%h_mEtt26$P~pgADT892$`!In(GL11YE z>RHYBEiKu}-XJb5Z|UX6FA^61SqAWL1GgMdO-A`CjJ8IQ^1>EqBAH*UhqTh5XnUXybPow2L&PsjDo66!LrL1r7#8QvqI-Q$ z$BQ~NvpKIUB#$XbFLev2-`<ciL@eNHc&nP#9Se04br{DKDEs zx6?yk{Dt1d)`5rZZB296B9-DSpXLQ;A!nv`d3j_)gPYT28uC)V@EMLocIC&hhoSu1 zm}=16SyiOf`e^f&QLCPHTHe-?%`ex8&?Ykkx%pqMtN*CXEp8Q(!D^*+x6O*A60xem=44%AQA;mbKe1b-jAI{7`@Q7^D6zbv#;!$!YP(U zV2DbZCt)j^udn>t_DxRE^VJqn;~7Uq{-k%ivoU}G_qVWlRCK4)`TN@I(F^_o*e;Sq zYqC#C={}CU;Vy$C884j%R_0V;x~cTSn&H}x0^2R~4d+O2GAy`^N@`k>lk_eFA1Ry3 zNI!q2cr3OuUrTE>iu}+^lUHS;qHb+lN`j#l^SG(HqL7`>@A_{M)|8-!wEKW~c_ujJwcbw6!M9EaMTJoxN?kbsh{JAWUCMj&TZ9duLg-XlUb(a% zsF!L8a#v|HueL+N^CH?!#i$*Bp|5DpqtZlu$dRT!e{C*Swo`dte-Em7vKi!Pu=b{w zXm(Sbdu-h1=uI|6T&a?Ia=p4`jE+eb%TIGHo;ZEKG!$r3n#3)3IzxYq@Rf_0z+Z8N}QN zY69OGAdr^=wvgR6T)*loOwnayNbpUO9;t1v+Nd>c6H_}1e>KT4-W}MYj@#^2t21rK ztSp2(7~5va(u?Y^5t!BJabPSohHI%;F>KWWguZp4uKm+riH4hsuaw~XGoRIrSu((# ztr6jZ-A7_ zC(eoKP zKdDhVCH~#{=c(?jNBgMnLINDZlKs08aUwHfR}V>o`Bt~3b9;dsS&C<*`71{K>=X{Roq8d2|h=37{xnIv79ZcHhDdXb1f`!0t7{ z2fhImR5|(pBRO8SM%_YDt@X;hPUw{x^?t>QQz~1Cnc=EhUU35)%rkAql>#Zh39&rs z8a;4OA&6D_n~%92RQZqdlz;oc3(L>@iAI?gNX=@Z11Smf`QNQ`5g5gXCt1we*h@W_ zQ8$1g6}VnbzFnfscdmIPRbB{USO>R~sJtxuKRK*wCCNeMb$DJll;@4*6vzf=S6H@> zYp05VRa#}?N5iLDY z_$0K@M5X^{UucN;^hW?bo+JqXzB0g=U!KO&32?Sfb@9`0CxW|gAo z)AbpiBH@{v#GVm$r0B#Pum85Ng?zglj8Afn1h&6TO4nj5;9ArLT#MW#)-u0{fMMA( z2T~Od_|Y>xZ`Va#JXR*xzoHNqdiNIBWy9<7g|wBY%pfekl2MdG{=ar2|KX39HY@Wk z0Qp&>1Xv&beyuj1R?f+7o^Cjo{L3D*qh}MQ+RXOfsJF{DEiQ@$M{CAJZkn9a%=NxQ z#UeXg-7;MzzX2kHm;0D7oMqK!-qP(i3560C#qf3{b5vn7+B8`klWIt9(67!or6HL2=F6 z_{a{ZnHl_uw2OqfG3OLBXw@>P2PE>=>P0U5iCp2T!L=Cl*(6fp*yXS?#9QeF)^e5hqIQDNZ>3>vcz1XV^83Sbf zTR(-2O#(w{-z({DmrZkBe3NHxr$bj;2+lQYM}FgL$^tTdXDuQ1?l{Xk!Y!nE5$YHN z2)2M_$hvnq9zsw0(9b1Osa;5V=`m*QcxAIss3RGdX3BJPBxu1fE%oMT$^?0{;5+{g z2IeIEyA`Smn(4aOwdohn8!Ojup@|dJzFv|}wB9mn4?PO5?kC;!Jp!(~@V<0CDvjzn zRWkdeZuZ-3okFPB!EH~pV7`@b2&@^_T&w|F00vrLe|2nmt#R#$l%Hf?8;~2H75W<~ zaDlDZ;!PQ=8gv2mL*Rp^c4c<@%L$Voj{mh=qU=+?CNTedq1ZTJ=wQiDlRvGdkZm6g^~9s#liOm}$Xq+yW?i{8f2rLK+3@hm3pOy@Fiq z9?7V0j2&6ih4jwQ1}BgbH*3IyMz)+NM7Mz%Hf98ou6_#FxF=Ly$s-O+Q8rxP(| zg|UUVKxMREf%WV^0=TEh;vry2n6nSoI?s+A>E?2#H9!V^>kz0JKo;KhM6+W4S!NF~ zfS=sY>;f9e-i;=bnEkc(0p7t2I{fE_B|7@xsJ3W6Q88C;Cq48Z&a8iJxq+WAo%wu( zZB`y(5g)EHM6->tI6y;v%Dmxk{*{s&t_RP(C6?Wej{Ez=?Yt2{7TX=!(D||4X6wS7 zCXw}z9DQL?OO=R0B!;uHx)FpTo+T>HGUOOh?q8d*mt9^#53)83FF{GtM=ue4&7wp` zp-T0vJMAp(>kwLvS|QD!tmgb9FZbr7RX<~jSli>waH-dmJA=0RMP*B$ULta7rgwyZ zCTAbppe+VSfO zT<;n0C2X!N;IMqUvn0qxKK=asyOT|-S42&Xu`!^&sc4a!^Se)dj;ezP6M4Ba? z;*vX>;a0R$*byom&0mjB%5HEc(w3Xku`FdgbHW(8)pvZGI5iROSeRFP#(zG2n{@<-h(+ z`Dd;0FN4tk=U;Xm`sW%a33NRKyb09lwL7i8FE<_lS0e&6Dfl7R+(h4Ghvzf@hr9QV zYC2onzau(gK~S;Kqr)hUBE?9DL}ip26*CSNddoo6(2-_Q-Nnt zQvftSV_aN~=KD`>PgM(iW#!ut1A6g6N|X||T;WR0LRWMs*8yb^pW>cxAluJnt~o~IsZza&2YO(rdgE>;Oqh`VJ>EhzUo+*# zAB@XN%pcRDD_n&!D2mbT9dN;|LIidp5D`Aq24_r6Zl{L{6l>aQ+ds{bjlk?N zRT%Fc1YHHuzj*xIBc-71s-td>2#x(`$EtkBu+L8nxz@W~NO>ClUMmj9C*)IN3ajA* z>)#}xbs|5U{lM-H=N?q6Gau;ax^HpAw`_wAr+uN~f#cXS+zi2<@8%>7QxIb58is+Y zA@38<^uKjvBrd)W>X>njSqodtYeu;+ug>s9p)WT)n_qPA{U9c^o0U+ldP)yQq2=IKN~Ic};Q`eyLNB$(?8H$A@xjZ%9sd~NEa^kd z!)>2#-Io#k;6lj2Rk+XSa($@%ZiA!X7PeoIGu`Fh?AB}oLyrW+y*DB%?LRqWJZNL( z5g8I2uC z9q_}mt(h3z_v6ZiXP|CszpQ^bZ#%HZix#tkQkJ#sf;H+w6_0Q_6MJcUQ{6bmo9kII z%dpDj0_Z)xCy=7v9P)6ruoEb|6ZN=nsnd%xuIYKpJIaDMop)SJ{&JzV0rYoUElg3hyD!M=ZJ> z6k{KN_QZ+X>n2c6fB{iyuY;z)!|=1Q;S_r-Xvjd5xRdo{e>{HMFBm^mO-d2EYfXx<=;?1XNmBXTJ2(~u#8Y4Q=2-4wZ!xkZ>GY2Qa z=%!_Roy}(@b{||Wd!Zi*#r)yi@SvlMmE5pmemUJF_&+=rJ$wJ|CxX%Gxw1K8Wkzb( z2jBG&c%iIQH<7Ru~lcIo5-e;R>^c%2KGe&H1C+%1o*e;qt^uu%oapTBnu z*8-m@)dd^`!K)(>Xa5&#J0J0F%kCon-n4A}yN#cv#N_xaVmr0Wl{dhjN{5RQh{u=V zmaSiR{|SO@4Z?BWrCd40tyji~#tlGMacA6>lWTbzo)Pq08w zB2$}VCrRQ-m4R283;W$?^kx9Yj=zK)VfV(H1y9LjY)U2ALIIJ$xU z&0al?14O@@ur0<}8_JZaz2z$G;}J0yv+rQtXIt9p1v2?Nowqv!nuK4#{0=w(y0Ir! z+S7w)v0AJnSpX?~KV(Wr2)iFmss(i+n1<_TZJqP~Uh-85Y(rE-u=baeC9E78^4&Lr zAuaeNs?0s+l2)`Y8^%X#uT*v25oxkT+qUIQj$@c3-K7U~`N30{C(xmU7p;c6`=ozIk%kyW#d``l!qOW5SXgg%8J93EB*1hx5>9wqDm*vre&) z_w=-FYT!@o!|F}2MU~E7D^13Jqcm*rC5mpPSI_eY9TDUvRC6D^Nhx2R<9`EhVW>k_ z>b0B6#^7iZXm#%Sb<=DwL*lXRy5Gg_J~eX{e%Wr6Fu!AJtKj2FA$%2KCiDWTK8034 zUh8G;iMo}Nh6UO+j_y={-OX8z57U-zl$(VTz*s^}INaPpv#0U(9)|FaMYSV+CXm+L zE6`L44Ri?16|KCe-}rS5pM5UfBqz*R<)ens66x?74aJ@63gK4zz;vSjyu|;{pZ_>p zS3_O`Nd)1AF62qzPbD`zGsco^2Q9&ywD*3Q4u1hO3c}kCDV)aL!W++?W<1|2%FaMG zx23sfAJ*_R#|Q({NCrvTO-W613$5{qm7X~v?rFIIGhm)C7r}VGGBQ9P#o&7Kau1{L znjY=Hsxlj@W*Cv3OM`5yhTk(^jMN)fZ}V)fQaVUKP4U}4CQ-$hzk}3{0Qdo5O&X&m*E`9KC9ej#>rLWXSF4Kg)l*`20_iwmN zZTC)ER-ST^|Nj8Yv?QI@byxKNi97C#2@H@^4B zxChk%_kE7fCU{zZ-}zP+t;^Q zaGtThW(F?U->G<}ubH;+w3Zmk^@8Uokb6|oIMI;49x$lLhEX=cP=%v0ipON)TS{W^ zZ>ZW3sQdx=evK!&y3u6pSl&)%bOH4OH03?o7ZIL-sOAByDJ^6I6(&)vL4)x{2tbo8<>dCK-|;^3#Si!Y7naTc zyjK3XQJH5gohv&3Ej<3*WRJo0U9Llg0?Z^~ezfjG*rYHU@y!RE z`Po2EA{$1mdo^$S;OGoZtp z_;b!ObpU(XWP;Ah{vo3JBB-nb3P!5hPUHQWcUmZ3d-CRSsl?uhe&oL5aV^I9& zHgu%}RF(xC)!fOzzk4ILt@z@oHUMXOVh3Z0V-;hS;cN9T z6u;DD9kggF8&Yh{L*x_90)e|xV@^CtOg!nAGvX1Ew^hSP_|o4ZHdkS$ww?)(9HrdD z;82e&ma9MkowC?0cdmD#c1?#Z_ryA(aL3~`%m5}!6x&}>)riF^T)Uh#;hW`8XeGHo z%)!i>KK6fb^(C&gSBnCMkAkuHY%QoH{C`rt9=SS@g1>RzhFyO*SAI=Dfs&ZC%kx_B z>9Y-`Ntr5LJ(`vAA`|LMDq%LWaGJdJbm2{Z?18XwraFn&vuc%@xT=%}XL zt$wV~e-{S&7YvJH}ejA1WC_0sDqt#@WzqdW=k?v3*~v;$aV3Z+U^?BT>bJWZWFqG zdKb-UIl;CmX(XvGk>{-w8EeZ~-{n$Q2{jGtJ={|NJZPNjMJQe9GLNWtpCDrAsaLB1 zLAWWwuDJZ*AB3Bw)?==zUoO2JL2MiY2E3JPE$P2$WDcGSAMg6FbxvJLz&%0kB>d{r8?h%x$DvGu(I?n6-L?(krUPvPR{N^w4ysb`_F3`uAcZa-A1_Tijqy88E;%4 zt%1>w zll&iqr=@N^c^^Y$K~hE7%*X?e#)qJRojJx*DBDrpukh#|#=x#g$yAGRq2VQp8|D=3 zPPjFAJhttzxq;0Epn;hPPD4bQ)`#7|2Vq3{yb`O?4-)-nFaP*-wutEU3QEsxzKTW&-&zV3f@Kn@{ea^RAWw!dHl=$N{c zJ8+5-WIeK? zb@o)-H#cgNDvF9M#*u1lN*>cz(HH0b66G85!Iq!VIN7<-ln{||#ouM@`9Gn9s@E;%Gt9WWpNE4Qq6wFe_}|LruM{DK&GB76bGWz&y}?3W^fOc*C!>y z41N^6OGQts-BmZ$sxoLXW{-{W>_~x_`xu2qq6v5zpB}`~-{Zx%?VvD5uOcaO@TmuG zz`}^GjKFYTsLZV6yKpKeNcA0Sb7vp<-XVenAjZ=?3KRzX*S+i)u7rJPv z9P4@Ec3alq@3U){Auy0oseFhldlOF%J7h=;PkBym@f33{=!PG$4W%!PJmsLvH-Mlys!EUI5%`gH;fz4Kmt0V{ z&2of^K##^t$=#Q(Q!c7hEUkC1&!;w_>3KyV!)nzQ6}s@r8WT8pejN4*KDvjolNo*? zuV|$(CH4@^03-0zJ?g}ehvEg<*N>`EObj|@0r|p|SiIgLpAeLNup(^e`E1jmqv~^h z-Qz9G3lXzftzU#edp`+-oPxigY^pRNpeOEdw(UPa*%+#PS_!13N5Rjp?pcmOX|GLv zo-SXes-pGb2f61*RXVkUj%P_D+%x|g;eOoQboW;mdus`o+TIZC@M3~ny*t4!bM_5O z_%_OzpOcM}6s?5ILBr%eICi%dmW?Y}G&j@|-Eg#*wai|!Pqfi(+Kn)OotMK2vtf38 zIllSpXg$@>8SaT6Gu$Wt$Z($_SYSYgyYdyHi^31)M+kE%X`*a2Txvx7sPXZgxn)2L z%Ub9Z3nsV`PpgB}u^?CKRnUK6Lp&n2A)W(=)aK-~5BE9*`-$pGe~aUceN^n|nEe}; zP2`^xJ9|E|Y_ffEv$h12m#F5LqTAvN*<%HPR-Uxx5S9c^zxBHon^AzDOHZE*NUP@V z(9o1G^mM>SS|+c%0RnnIvuuj-6sCBYA0_J5@LhP5Y$4j(8cL6PRf{Cf^U+8J(TKhc zRXj9kIc232Wl;xX9ooyPQ^tBW!Lwd@u*4hsQVr+5EwI}JGn4fTo{ah~1;i0;3qdhu z;M2Ad-ST%2??7y*_W3IVNN^tS-~QgnacOP{`VZANK^>K!)Hj&_mSuxV9X`Q5MKayLo z(sTc+(F(uOlmz_`KZ3l)STvp$=y`)YR-npJh7V5Az2fFl5E1)@g+@eMMq6D>$`%YJ zp9)Ne#E3V6iFM;dTcI9`SUCAvPxHLv;;4+lU6qN!(#O!R#YLa=G+TC+4hi~KF*QX0 zMo(igHgq4g4lKi^3|7^BaaCg|C_MiaW&>!w*DwDEZ@|ah@{dLHCy9?vj&#wq*gk1l zU9VvYZBQYxbOwzlrJzk)?K1;^ zl(@x(z~YU$Zu0sGqE6*%a@G~!U8yx*30v9jS^667Iq!#iWmiXq(q5jt7_E@H6As<; z^WxQQ%*rPwnD$f}^xwg3+C136t-^K6xURGw70ZGR&MFQ<x+h))E&a46LqyoOwtHT*KGsYVK38 z7~eqqy<7ANaNmWYd z@vc8;HbLur4WU&pyk8jWOfFwB`g_=Ah2OTu&!xcQ97RJ8^g!DF@bL^^g~1KfyDXfi zqs16u&vQ*WY`Q6ABqlNmyMQeg|BLpec=lysb!CSpq&pS#f4>bJ>H7~BONw;X{>NfT zK|)+kQDcKZ5^W4fqSZ0Oe05at#!$aSFXR3I!I8!@bHJAbw|Rd~qW!%kZh_(1^M{&6 zdMSE=ogL;2ne$&ibYu;vRP);UDv9sW52Hl4+NU~5@1#2@nZIx16UC-0Gj_K2_GI{` z_4^M5}uh%iQiKc8u(wy=AqsR5i6#Drun;QS?6nPag9 z)TvojeecR5xbKemvN4u<`ojp@Vo^o3s1m&{xoTb6hl`nh=XE&8BXLfAbEUx-atN=P zcg2|6dBLUbS3pq`j&jD~Xq|smlw{Z1BSKu8y>OhK zUvvF)PhR>{(&Jt)j*Y35%DKmoHQ>yN9;aj!QS>Swkzap)ywqqp$dpAAu|l9licwLD zc%j{U^ zE)tnXEN91b_Mp^xNC2XW*8xX&_-4JtfVI$(x3Sjtyj1epE+2Y8H zwJUokPJ~ojB^FIAuQ-o)WvlrB2L0ghTu(@! z9bu{MCcUH53ISxrZJ+h^_E3*pzD;H4Vcdn}mc8HRSuVfcdke-`=)e$E>yE1}Pu((L z(X>ER#OMMn9o58B4V|Uj767V(g^A;P4@WFyW-20`Gyg5%X60<|y~u zYdZnpM&YIbZw+s(KzQYTqY=-4E642Y*RHUou)8Ms_ zHhxKh<9|wmJC`a=f)oF3zztc{9_{ZVDI4$Y3W1?0`VQrRdQAvz)8jtLmg*SZx#KPp z;+v;Oaf)XpTJkm^}+7+)}H0ZJ}|D=}QYnd8m)!>ckNrj%0gV5Rzm(HB- zpsfL9%_dj71>l|#hng%j6PJ8o|B}~CdBs4|Z~JI#kRE*sb1qeB=;?ixO;#0Qd@Z7QqzfM?YTJi5hyn+UdebbbGMxYJ zu{kOfo$Tu*4D>;8LXntX5U4`l@ik%FFZlUG1P8*US`5ctgiQ4ne4$~Hj~P^kZB9&5 z@_!1`-@fX8Qr4H;vK&@Tw1OrB+tR3TU0IVRR;QXmF|4<}b>gOvVhro3Y*Kd-!k|(% zGDhsc1h(BxYWZ)pri7TBy-@fpYWQKhxE$^2d#M`*Joal-(ke%Nts^d^?Ysl{ z9tk{fl1z+boGZ}7?1POWT|D_orM{?X>uNq?P%2fwQThzZMCx3$L zWZ|-NrEneL_tR6t+Psh-lMNKm2@dh<|C}3koSIKVgFI(;+_?UQOP(THttkRS12J)U zgPZ3idhb+yy-P1f%7iv28Klz^Ex-3_TkRM;zj=5s*Vv6g%+B#~WlPz*W^ z&kO3%zaHZKDRhhbX9mwxE2l3E9$!dzcI5KD^FeXmD_3|rKm_CI&{OQfE6DQ$n?pL!rw6=Ptp#$#~isHz;B@cSl!^TDd=64 zIGb!SRcQ3Ea$Xchux`}epZ!~vD^&Nm#+WA04PLWWwQKSgFLN``p|}~{to*f^WY<*w z7V|CZ0BqRzolh?5cLVILZtR`7F`)hX5H1gt% z>;AFagyRsw>#aJwu&g@V@UI1}aec%Hg2+m)pJ*6|R?SuxG&;|z5K2~u zO4!})!&|EdaQA!)QLI3e2^+mgcg`Kwx{M9`dFzrER0nCh6RGwJzZe%%feK>@d!r#! zFHC)&MM<{B#I4@0MzMdSh!txVbnbNTtc)BGDKrYYHRJqZ^$u-^>aXFx)TD(kpz2*2 zu(Y1SGk*PM=F-$9jDctUbNGb>?xSX{EvZ`owz3UoB5G#BXTo2lf08_XV#6|70VnNh(J08 zkL6Q+%{fIY*k#*{7;>@rhV&>Y@~4qpd{<4M28UYFv~QEY?&{ z@H`56tB>!5Eb_IA_h2X9SL+yxEz--RFEhB^_shfDXNQ?v35b5b%=xv3=XtDaYjXqD zLf-`q#}o=kQ_goFdGS`kODcczeh1suRQ=t>m&}Oeu0jBPX6b$SVHDJ3Z@&MQVX5~t zCnGj@GUqR8O$#N(#gU%0n+GKgMjPHj0ooL`3FSvA%Wk&!-omrzFsT-wU_r6~L{qNX zN@;CWsV_<6$7EG5=3QTLuu8#8m)ludS)rGpe{lKDP>Jows3zZ!QB8%OX%By~Lp1>u zd=dhXg6s+7OHp^WY6`z z-Bn?Xkk?d%XkKHDggwRnwP!20bFk5KP+Is7;#QW{Hc167fj2V#taACUKPPK`ehtZB zVR3}|iOQ@Vm%d#rbperIE&Benn4%wgHpAFT>`{W=;Y$R}g|aE~Jkch8Az?mif?GQO z!M%q#m`ZsZzL5Ir>t1nhWmy@Vbzv`U>TXmb9)6s}u3{}by0)M|Zzm+O=bxk3(Arjf zzc>1q(p{JsVe^5^5gn)GVXiIy|oay+*lGC3NjLOukNV+_SfsDIRZNUcf?2if<2PRO!Y@T0PbJTrpk&&7tXPU!WEIQ^& zRWH)bjcC}=6R{;(I&U<3ME}}InFwU_b%n<~m*h9|qJbLP-2WRyFThN?Mbxb0Xk6L3 zrgGzrB9QJWxA#|-J&XkVZ{6FD_FK(dPl+zem%m^a4G{l)S4LJW7%kEu`}GsdjX68@al3FEF{kL9TPpuI=pvtriWDooby|PGHbF^cHm;toNUynS9ax zWF7;99-KO9lcKRcX8Er&CTzpMDUESb$97-hWNR@^imq=g`LMNG+c$zOyyPq?p~9an zc4%ryU#8Y=dKYABSdO8!EBvY#I>Lsd8cF80c+|Y?iQVNrxauot4;mpL-GU1jcwL@b zV2N@T$2sU<)Z=I^OZ8;CDgA1yoDE?wvX8j~)3rMr|wg zlXr(iJB93Zh;1hA{yB=~<5ZaDD7w?QhD6`Y7X9Y9tk}irWKlKeNx|SiPosK>gJUqR z#qu?6u7tg^J$d&onVO8zp`{JyiX1;~gir41sJv3Zfrypi^GIyx_SxxA+n_XrDrV;~ zOXf9=XOBbyMu4ATOqI%jng(N%&OOPBQovjXAS0$pmL$*0tXP^tmEEt|YfLM-W17o% zuDY&7b{M+LeXQZ>G=0nC9m$sds5IWdR^bvZ2ua^%Y%@~;f45d4DPrg`ky0#`0u}#3 zGBT7s7k;kZ-Mh)2-iiAp2BMXUVt)r(pe|dkryTo3QT1Ffe*G_GQLI5+-~wneV9zY; z%K+s>%8C<0CNf^KIH>@h_l>ia&%Meg3@xg>4A;q|?u3{JY`sV+L{nYDnlIgP3VOd| zcrCT6Dx8~|o^2E?8Ak5Gn~XhBzuR@H7X3&dp3X>h-naed=<*5sIB`Gnb%!MQ()`PQ z`d%Yv?8G%CHSA>dbMwI={KIT+DD?{4l-V6{%;dtGHhqdIlt(Un{X{s)34S`?ts9ZD z$hjk~aujm*Fq3g~gvsM^+-Pef95*Z2=eu13+ZS;M;?_Y z-o7|pamMM9Ecw9AL4pF4L>qQ2gkuM8qFq6LKc7jY(f>ScaaP=y(=+K8`udfFE2 znEjK8$rsa#?*`QiKU~1KwH4jbgsh-HJTFCanT)klA1uIHoFH>$Y~pYp8(vvXcW;%t z6We5Jpg7*l@Nbq11b#Gs93TEIWn_^uI zS@cRBK%Km7*M5dNiN54^9oXEV@OOkEAKD zf`s59c|W~7G=Y$Cgu~DA5ozpM`lYce!;!*8f4pw8b+pua1+;eJarEnGQfc_80w*y& zGHa2SDhYQL|148;rPju{xF;+=U)4$3@BQQQi*qX5ZsnubM=7&= ziQa$><>D{hUpO(Ws*#Q9OAt*t_i_Biq?Vt_P!{M|yfNe1uGsusSmb5J zzbTk<(6~}uF?cNiSRgJ!;l7#KuajLQ)B8evgy>can!BRZ`RBT98=_J;65Z{4PG1$e z7s1936;~Tgp}o<^Am5X!EhfD^ItodR0ats7GBr5()av1iT(R()nb%WI02tWuV5!*6 zb&g)`r_(q*%Ad|F4l^EzIQZ8EL9j@4C0j(SJC%G2b@=Nxv`o z`F&L5ebUrf>2kmK<8nV)D?9-SZ4F{t?`|7Zou(9Zcpj3ED_?xmd)@cF>d!84vGs7H zuSsyrNosTnH?DlIPIXn^;tyCw!PZ>!H1mPO67-=*>o!AldbtOO%UI&HMgG8@ooy}o zts2;e@e%B34;mz8uT0Hgym?K_r1|DTw@4WQfi7{FZ)p`s!u3meGn8^fsAOMtq(*$W z1Uo$D;>b``Tjr_|=e5LnkmnWf^-KK}^AUvZ%)D@HyR-HRj6ut}73dVN{)KEM zlN`Kp*Ch~N6kMqGGsn6Qo_tN!52`Cq|2xhbsO zBmSY0h3hma8$Kk0YAb}kxL@|3<>Y^KesnE~)ibB-9LA@==7*GG@Yo2M1K&mH3YxZ> zvcCR)pwwmI(0t#t)?C{;z^;C&^|}`yevy+DV6nOI{Thg`b5MjyHNE0&q3Oi4qMiDc-FU{V%p-D;^O}F zx_j)6TmN3}#?ol}nyDeM2;|3<|3d#GxDCU-g{<~(D?spw$?O;~&2)=>MHOQzi$(W8 z1-E(MZ3V$?Y5y*`t(&ngKGFC9HV%1C&;wSnwE(Ooexqasg4?niC!>#QM4}b~7YBI+ z#~5QF%ptl%Ogwuw9kinp<_r{|F~%;oR3GVa!) zLSvSNj(-%)O4VX_K^Jhtind2g8ESC{;d-R*Aq0zfc&!wX*PhTaqC!Z$4fYK(Q+p390X(5&q=`qqIe& z{nDyo0E&>d%3lJM>{DE^G-NKL-Q5$0GFICC)wr4$LR-I5J00oh^PS@;K)*bJJUB zgFA906-ZULsE{k3M{e)inuM+olwA}oKDJHP`g!nOpw6#FXM#dF{|xq;aEJko2{5uN zErIs}UZJ$WFd0>*u*nlC$Hao*@HwO0cDZ*~2D2@-5&XDkLoP zd~FF^VYVcFBV=-}T3%b0y*Nhz>p_D?^4t;Ts#yCMLZYxIGv)-20cB0$m)9BYKyJQ zoiP&Uq=J2ABJ&IYOmjAT*Q z+4~@Hkv~->C|S-HfR{dpWY$3na!7WZ$*ApA8IJ}zJ#AV2b(Onm#hRfH4?KvUtq@q}M%Z;+>OUt|_ijVTd4lIC*SI6`0<$kAj;X z3W(8qeQ(Dx`3zjh9!^P${0gsggcdFRmfh#i6}IW;Gp5`ovd*l5CTU%}av^o>)ZFK& zbsbu@$PYRDfT=!5BQks0y>q+i5j!Osao%I#+Q&uL&alD*!{&Q}$AWUY)ThM?4`t2! ze^^fUiwtS_b~sfxTwF6_K95j7E9uo8B`UfZgJq^IyEA&8 zHOBe;kWVz#<&XZ>au_7rbv39A#*k#w9v-ottIte*!MrU7`dQ3BGtJ7zKc)T6{TEEL z4v_ZO;u)2)w(UD;-EuvIqi7S(pB4r^-5 zN6ZV>FWzl*rB5{#|JXR^MZz6sdc0SU1OEF!Ysck5oEH~;Wr#p5NGF0 zCn}(t+rGbO$9e$(TRPGN3w9RBh~C17@rYh*u7-=zSWYrIj>XvC zboklHc`aEv^Sb#~Se4_6@Yjm6M5qXX*lVU;<}l~Ads(0AS?7}@d%r_kyosE;h1;7B z=h`VMJd<6v?NH6S{Em%~9J|UgwIHUtY>^|&Xs7&fmAA^v`hMxVw=_3RvI+RN{-W!r z&kUHZhdfL9X~okcNAIer?5qzOP1;o2uSr*8GG5?oZXLAvDoAi^I}`!B)_q#^&ic3U z;(9+yk~yf#jCvj2^#<%k38DmbMv+cfZoMq0Hyds zV*Je8`cRrO-scM)jZ=X7OV*&bkc{QL2c*T;)E*m~ndOCek%^Wp!a%92RgK2mW17`? zLYLK~fsuxb6_$3j%>wY(Rdi#X0mf&qF0R>sn360A8MSxFbB#195-<9G_jqH+bGGz3 zkoH6d_=I&W6V913C!8-*5S()Y1^o@0x`23%JZ z8J!j8we|~dO>93oL612Q7mnG0s>-|OuonW+x$(ny2Tws)6-IpZELS7wAM7<>)(<$A zhdGSFzt{{-g_?eZuZi@9dO#!l5(yz4I^Z><MEo*iSTh=t8x+K}i3oHxI@jY~wBqtCYi`&hL?fITT|Lz>tm`6L z5HoPUM69@sTc7o<%92W6O(gj5-fV)z#l}A1@pwSs-q#T1=<=8N#X(g;i{AUpMjwL7 zP-cdE@cOP1WnZZ0ew(rM@$>S$wlkK)rSrXalwv{y{&zI17Qm_uA|RFM;l+{eAc9o( zoD+6nCX%3R6aNV7p9XRVx38?X9h_?l71ax(El+fT%-TH4O($D$SXuS{^fiB#F74G7 zbIYMRY|-KiVsYj4ONmo(RjWESyu+*P<8I-Vw(vt&RIl*Lbd46YExBd9DsVdbH8oCY zF*ZcR8Z&wTnet%GyOp-~aNnG&@}4J$RHlYc2IZDD=le7uCDV#Esuv1(Kz?JHL4yvI zj^iTrQf900!sO{T1)_PaB--yguzNpFN?O|Pz3_4O{vwzC%K6W7S%W8t=cmpk+;ofO z1G>X%l1Y6ZT8TAcOI4zEzAKwxxcB@4i~AD)2*Rz%c7#I8Q*Q!yIwo-XW{NJwF1gOc zGlDx#>_|A#rzgpq*8@axe+?Qc;xeRizdju3zqf9cj~sY8d{EGJiCFvz821k9uQo42 zQ-FlH^pM%Kxh6dvO&d)wO|K5&&}VW0RASbd&_#l`)l*HxMH*rJVk6+X!?pq4?+%2- z{s*rSzEsDM8(G(N$+?vCr2JQ0C~rpk96G@@69n@W6DbPco?ZN)r6?~S+UqvV^ELLl z>O$2L_csi8X+0V(GSihF=C8Xf*oV;F!5*=lD{&30QCx|;-xp2t|K3E%I>F6o@cdG8 zDK6eO0VP$*Kpy)cH{#-xNo?1nkZ*M*y&WFCFS51DDOvNH5Q4$4-!4sKk}OT~mhKq< zL|ow2u@CeMo|yV%El*KZ*+F&$735&uRI0c8V>b{?W>QKR3@Os^pLp7J;uDVUcIb2l zh@texEedX;n-fK|#k1yYIavCm=G5vWUH4bBdvkcI$aRyP#7IvQ&~#r%65Ueo1Sffn zZmaXXGUwiCa%HD2G;5S*wd~;XZ`k$@HcE^SPA?43R2wAl!X}}gb12W^O+gN9)r6DX zAdGk^C!?X|<}4x77Nk;%Hpq5H<1pP8AP|Pw%&MB=y6CzHrkR&C7Jik0c6OCy`KO2B zqp+;cpt|hIVrwe&%o*0j)&ojbVz$Cg(W|a2t0QQ8aN@%0hrC)`h_12d&hX^1_*swR zm7;jGhJECR4kU8bfCJw-h&J!x#kqC0NHtO-oF2nYnr@e+E>|!wQTsrgnPxWIN`N3=hJ-rk?_rB)P#i+Z@@yiz+pf&HM`f}icfG^3|Me)0WgD0#K4 z@{?E9lJR&jNjV{&myDs=50DIBWChCwkrIR8a92LC%hi>snf?0c(r`OocmG%yM-boT zN;TCBI#NybtgE2iP#;)A4a#;gMt|#!=m}mVko5((et#H7=wiWy#>`)Q;!1}yHxG7; zvoh-RC>Fp=VB5-qPegPnG32;LPm9n7S*UUSvBF@y@2)|aLJ#=UY^L)s27ZaRHgCMV z{yF)dSboL-ngW_lGDobU*{UMd7&Lw@k^t&zlCU30bx}QIlS3vUkut_C$f~&JE}C%u z`fw#w;78Y-D`!PCw#F-nJKhp&ybQmUNsfZ72RRKJWaJC9s%I)aa+hnIDe4Jh?@M2E z+M(-$xL!h)XFU(;j^Zai?{%pf3mQ(LV-Ieh8#&F4&#h*YUdQ(?Qi{AnVj+{85rQA2 zGfpSyo!QlpTVagb_;{@P)KtJ=5VKt{XWbd~?%>sfRi}Mtt-}?kzY{iepyNXj{0*SS zW>4vcle@i15i5z!m33!4CeJL=>%5Cb9y+|1?r;ZB87J~uUnzvYwRvqA(pjn)FtaXm z&5P>5XQ4m#f1|(HG_AK~S)X3py`^#Dk`Z84)e;-=P72z9QD~}mHfIlKsw<;KKPAZh z`Nyc!F@LMT-zPaEWmeh;x$N(FW*GdYUsg(7X zo4JYhMe>!ZA~n;pnIE%GOzSFdTi`n*HMU(k$4#D5xWIMgRZ0 zYFuDg@^0i<-*T--XJ{sK6+~GLaRvI<%E^2y>1c*jGx9a$yUW2Hl110f8hrIMh{Zuy zNh*h7R@Gj8iL~}ZPqTv2w`fkY_57)~j=COj=POr(;RRLF_Rx2(q&#zZrQZ=|; zZ~12rTaOV$!yd7)meZH)yFMS#YE!Qan1k0p>1r`Enl}l zPi=jM$GRUeDy<``bUVxh(RtO3p3uIlT-mph{01C>40{9T2>ws->zSlg)T68JN?^>4Q2m9BzR^LlZ+NfFI&T5rG;AyW?*n!|jZ z_Ef{ ztaFCsR3+iz<(=R%H7Rd)=r2)Tx$*P;{bZ{Jlkj+kzmxjtL%osUe@b_qWggVL{tlVF ziC6z5abL01*$^tdo4ntE`@uJ8ZR_Am*xk%09o2?15XQgP$rO}4>2@7 zejGoJU=wY&Z4s6IEu+;6?x`+RWUDX!GDVJfx&1~8Dw8!|L!R%}e1OF)Ob$ABGrbx%%!~wvE*L6>9+> z@WKTVJgP7~MJJsM#!XqS96|1Y456d6geHSx_wcp-cdDkFY4i?22rS1Gz5eg1Yl2xsVCPPM!V7lrYDw@0+G2KU0v7dq4ar zx8FvfHbHb;iB>U5DBDHjb+7^#RnX!gy~u!DsX0J_*#gCI{1^YdK1_Q0-o*2c*{-UKe5c8Eh=9&*Be=dh& zVgp4XE%(F8K*b=HykhLkddhxu6BpqHjE`BVF zR4J^AS_NTR?P4$KndW(X{?hAKiQa(coq6 zo^gkzBCy5!GDZu=>7|}(aA6>Y2yd%Fs?`~=$5@@>?kLy|AcV&HvYKO*sa_MbT5yyd z)hqRu56Wst)sGNib$a1Rfq~1udA?;QdouQS`Q@q39IC9^jIC7P=(}z}srOhO!w)Hk zY3j{-1>1siz+hBwG2FQacRIL=>g>UbRL~9)r()yHng%5ndGA$y1wA|VH0DMIJI}X=A--jbMwlMu z<=y1*5{{2Y^x^V{PW-a7(!vfF`TdH^up+o zhyN9O#PdT2x}(bzuG126D{l6`3uI6j-fYW00@X%U^Mt_-i-hb~US3YY7s`y{I?CGK zBF*!Aqnsmm0R|?YYs{Fp6>f3ARrnAFZx)CDeu|@2Jb@%g6N5>)Q->g-YvO<}yCx0k zx^G!u&*Z*h?QtPaHhlP3@5Z7o0d6{3++{ed>I1IZrb=~p5oFoepyC!K z1zCcg?#HxY(N6e4+gZC-=MTkc@UJ%A|2t{JJ?nVLJMwostv`V*8PyD?6lD3=v|(WG z52H|$a$?cG7Q*$7CX`Nvv_V^TA<$C?TJe<(ED9spu8&9tY>IvtRi*wpPH8;0xX95I zv8=+gImw3IwEY{_hC;_A;^xj(_^b$y@@6WrO=RD_}dB^*_ ze|$6FO#Wde!%VKSueJAHd#zKxk#s(q~Ask~F^YkZjC*i=7$B)2GFI~&$Bn?CY8e(C{)!N28%3}ARJ=&T4&N3|DF~Dc3y@btq?7fWJ z)9cjkQ(@*LUVbn>9g9!qy$y%uzjy=gS0J{P6X#u!m`K`~h`- zCI-uFTnM;aq(}q%!{-32Lt9VaHT`J!+dfSioFWs8LFC(8lL=CSRa* zSCPhG=i+-2kh~DOcCfS@#OUhC1HEoRG932x>FcxqFB+F(znp}7tkQUW_8SWw?3}7! z@`Nq|wf|@|DCdHOz!hqm>Vqod78Gv!2;T1q9r;_a=uOSsFEJvZRG+hVqGlVIF|U5Q-(<0MpW$FX=xGCt z?nJL_(R%Ob`HuW;sEV>qBquRDF+|tP#vD+%z;hn3jo-S9Yy)Z`YVU?5a0Vqs;55ju zxdF8^fN_1^w^jZFV|P!>A+KFyfA;=r#_@-JW{B_9viII|QXqL%m3D;fjk+g|H1zya z2bO=B3}gPA$uRQF?#~kIqrXgsQL!>EYtme;WqaF|<;qpxZ);g*H7A$2Kz$OlaDXBc zFfgGV{KqiqIpCTkQfr3)Cd2CHljvU|X5$x!7F|bLJml^$d2u)*<>PLcm|}Bt`0L8s zIM;WsZkn-zV4SS1DR~HvPgnPCgZFLkjKE>}4*2y)mJcBZozIvZk*j8=rhJs@hP^A1 z|MPHwlpHXea>K93g)T0%pfT8W`Ir(diSIv5gqQg~awIE|iCJa22hAy>^^D;aIzg~(G&eoc2WL2p{=-GMBnNO276T@0qyALL z6#2!Zyzpd-;kP&#Ky)(vOK^ov+~8rfxM4x%;UyD;Ci=z03mvyU>(_P24$!u2 z;M5Vj{m$sp{`2Z9TMy;?Zb&Rf)W;9hyRK{&*A@rS z<=grdsd}wSyXiNwWCx6gVN2~Pz~o76yL(Q~WZRc|tK9bgWD2}2UMV*QTejzh*k0~A z_S)G`o1ZW;cXG_jZc;SasBgN>%NokvkM+?M_ctTA&jN)x4!|d53+V5(a~38$w^hgO zW|d@GqKqA@NHa=Je;x-B0jI;b@rzKPLm-kEE-_NBvf}O-KY<)zZx7$4rrNy3Qw&vWqpM6e7aXtaC|Gg;{@XP;qLi9w+H^s(j#{d{MzKO#c z<>6q*jOQ_`SF3bR?9@rp_mLXE3EZTOpPmmH3neMot4ms01VH+aGmEwgNHuKEC8m2D z@+}3>wnJPVYE2IZQJzc<{}1w+q_OS)kk3@RuF;Pz$={X_+}t)D8}{L+c?Kk$Vbh6+ z@M9CnfQFmxA5*oz1;hViye6;nFFL}X6P*ClWlD*B;`%jB+msHer#N!w6%7wfZVK@e z6YfP~dWgjxK(rx4LEp8vQO{F<)e4D|-jKFAAZAq(hQ1daZ6U_mla~ScOo!F(#*+W) z@w-TKW|Q$$Tj0NW`~pe~Hzb&*6bSXCG*`v`EPS%U6bDdrkl8D7oZcY;yC&MX!9tDvklOR1OturCEuWf;h`;|l4bJ}Fkdy8Rqtqu4phtXd+p|bA(nyI zUvDumZ(d7sBy=g|nC{5GNj^y*vwO+4Jrs`ht3m@dn|T5`-w6@xdrHZq%!^EpZ@)?pMHacA`}1( z_b;_|9Wv=nL*eA$VBA}5=rt6gant9XrcO zp0pe_LW=vWT)l`gSq;R6Ry>(ua!g)z(@OR=sPJ^a z6P-o-6znF^#gCqSYplN_ITbK?>^l3B;%4nin5gE{#7_$KsOt<7$z1B(2pV|o0U*`5 zyR0SA#`s#6vKx}ZK-gMOZX<&M)fo=ynUcfe|K`&BOR!BfOBNVUe)%Wwrk3ZQ?mykD zFx5Yi0}c(vh?|zXc^_mN8U{hB-sznTJG=W$4-~{`8rf*J%%X^O&B>Ll*p)=E8i3Es zhCIy^$<2PrxX02|CcPvJ$fTj!HwKLPz|p?Mf{J2@jJ3J#laUyuY-Uvz=^mRr5!{Zm zgM{_s58t1b{-B7m|Kgm>nk-EwGYuKdJZv2S zQ5Rt~0}wf<$D3uu&}<5b=$j6LIpusc`hg^&J14F5}Q+nM8jY&}r^<9^R0 zJH$T&j~&39Rb70e_jb^cB%=rZn14{V#6e6Q0)M$7tD6iok!4L~5>&bU*|*Gl8rHl$ zH`nqT4Se{D?5khNwEYjH*&3y%8ayW``F%al+8)&uAmtVjCS!i_ zrG)D+`tR#;j% zK?18MZewc4@+wl_dH4TKB={w*59AP%26>+VtT+>~8&p^j&PBXl6WDmt_w2Fk4}o&(JS=wf ze0@0E)V0svH`%|-o#ONDxgpJh3cpX4^>!{*x)&Z_$=>yBJ``CMKKe6zrR2(#%b|cC^j|a zL4m|diS z3md!ouFgDkpx%dZZ-leB!nNo7ocssK8-sYX1-K5$C_EYj}rG4!87>ngGc3HhX zk?86z(ZKku=0adDf3;2#@&7qt@;8Oo|FsNx(!cm4fFO!H@LqzPtbpGy{o}!WL2RcO z5GB4&&{J{4E?S=fpUYmdV_e3ei4DTPz`KZ#)2Rvbje8QjVwmy2jT#dtQ?BLBW{i+98=fmEz;~ zB^410bwz4OiJfhmJN#37mkxgJusVA#@Q4n(kV`dmU2wO&x0ajf9e8#LS%k zD>slFqMLYE#b>XyKMf7O!_yGZN9687#!ip63FCZXRnJ&sJQ|OV1}hSJ6y9BYTep7Q zUtI8wJ)nk8ty+Bk!8X$ak@Vd4N2ez5J@aQ8p}pO^m#Z}TeCwfpCZ~Pw+2e>eZq973 zBE0Ts(*4yNwM=-?w9m?NUqp;i^jCfOXTHf_)6brU!3D50i=(@qqL6aNymHdBMFhMd zaeCUU_mii7(V1gsZMNYJHf-H&YPeAh!X+_e0FB?BJp($dy~6Q|nf;%AN(A$$YIYPs zWRj>KG-pCw}jpQ;F_@PwH>SwT~g9oLz6(5t=*_*4j9ymRN**foO!ieD5hH9g8 zyJlrluIAdKlH>I&W}fzp4)Zx`uOdLr=n+}}N9|+hM=T2U>v7Q-spCoDs@OnM_~QF+ z->s@uVw+wiEUCBPY(9k~$7L6aL2ppmUw3wdrBV7mKkPNAZ08pPFBH5NfinEQ@vN} zZ%d_l!DNh*mfLO9`|bM`A^lDwu(#Q~RdD5dtBI1^y;EJ|V!fqLNjI!hDz1zMEN3ry zoTgD`-ji_Jp=F+d4Gt1@Gq=rg0#-V?Nx)LB;yTc7X#@%NPc6ZQJ zi)ng?uJAAQp0^up3y2iq-s#a$HN&n z_a(9Y-stWlK96eUK+`Ov+4X*?x$ltHPgl*djdtU~dk0Cq`ETzLgnFI&087z|Ri0^k zcZ_2%&a;m9rYKP{t+498$%NWH#`48cHn$V~l5%%J9M3C6#VLcKg)wX$ZpzHv_c6Yt zOSuBz@@te3_T?%-CYRWX_@6!6-@tH=0)7wExo%2|&ohWBlBa z|M)sz__ynfBNUzioppU+os_jV0@w9-ZaRo9vt3z4rzE(4P{qEt{@f!p*s$J7NxbJw z!i(VGy56$|379T4W`9KhcUeoND%q`WTN^tOR{|PVfb$`)8?7jvppH8(T6qLrSey!Ck}h3-!%?@UAx+e{Llz zej#18v6YsUSawVFhhD8+k*iOR_F$E(Am+IqWIhw>xi3nal)AfeFE>$39O`cmZ@YlZ z;ZUj|_D1qF`+RE6r7XqgB6^$|Z&8-SVGrv$KBD_0Q^xK|Y`CBB*v)9Fytk_CPV9L) zTK?j}hQT{O<}1{9YUtRhgr3m+?jJSccP0YZ%r0t}z}Fj6JXgnreLVD6DmQWSgM~IR zmDVU;u*KR$ZN=Am)ZN9+AJq>|OGYW&cZxG8n^9c*^i!8!$=SmqLpc0rF5G3})}s_2 zwAbSdt(*@JTLsn1h(TH~gvUb0qog^V6w1s8(b~BY@i*~shxb1ap z(DNMFqJ4`#W?`_KkRoR8Jcw0DAr_rxS%Oy+2Lev+sk|WV5i@fowJI9^*^2zNif-)G zA|MY9>L;eAre`>=K5N>l_m;`VcfBrolSfd3ydU`?79LjPXffGDtCmr~$bIQ2V(R{T zEy=`7y>l=ZHpDhuk~AZv6l70&W0^{sS$rVKWgEV0TMe@eZA~?mwhx(`lY`7=px}ui zv2%<28IFC)d|wR%WIwoHyh$B!IKLDx3`R!uxG+mz`oLAb^fj9IoYEJ>%qKfYId8O^ z1zoWo;?C68zl9kXiC&oF1g)G6j_h`c7e}C z#5r|BHGks4WOvI;TSM%H9{#D@%uQ*Ox6?69dx8?SYlV?&=FCUef+%;#f(*v^OgE!K z!=O#CV~Muw3SnuN2>sRk=RZlL0|~@43RqCmW1YeIQGYyM2c5rpZB+F--yVntEAVhqxOl2Bnfj zYg&4t=&K#10>W{I%E=GljXpR+-i7t8PpYw4jF3@Z^mCIt({}1Qh4S+xOle>FYbKsU zVgiqr?Mwp4p-Ay7d`I{5{!gkE!Lm048DV#3Mup48lJ?Pk7 z+vq9sYzkXlxRz}EZA@j_7CcS!D})l6*&{|sd#~=e{_|Rpaws9Suv=Z7pbbXAmwI~R z(If3_oW*(yOkY&Hb!eMJleq6X(y=jJRAic=W^iX3{g~D&s?RK>Rn^IC4>o8x4v}UB zGb66gV{c>CZ3pXv3>yr4%$2=~_(4|;?rX*S%)QStEb!8pxk8;FbZVh3ghc21(SJ-V zJ2g!+3FckmKwd}EM*(+NBgxDXeSnrILwmQbjp>So+(Cht&)ocPfG#!n5HCc9Jm zjPQ9Sd8JD6c2UVkypVR$z;)OVvNuFH_V9EO9(ny zi5BsO;+l4xYR!c^dXVX=u(=0s zbjqS*_vf7om`KlTq|s$d17~}Q50=_=rAPv3lV~_GotK<``=iXLZ7te%=yjL&N!pJc zs8)ffayW$n)I*5*%7EcLQ_Nb`S*D;~bWh@z^cm8}9JoEHo7*KsXdZSYz%o$l;G;Uk z276~dJ$9Gv6$ip?s>QOOo5U}A^z@0Cc~yY=`pJnG-QP^5o4CIkShLZ1ZI1KojF`J8 zC4+siEn<>mSZr{JMXx4qDm&HH=9-&#*~TW`WufkwU=WX=z7#ZDi-ME z{HdC_BTfUaS_kQQuKkoT_~a%=G^-r0J9%jp&OX{Dn)1Hl$jNrZyXB;n;^K0dr@ixj zvlWCZiI0i}q*I0(%0$*;nG!H;aT{JaG z-6%UZquo&DyRN(HV6sM6!)S}=6dg85C5D%b6;25vYu}S_2?@FKnd5D~5D}GAMr_bD z*}pt%5lT*@2pTk7rrBV|H}G0 z44T_r_PEt#PCr?u>{Q=H@0sru|ShU3KIhwP7lCQ>OD{JDhGI+Y35ANxH=4m}dq@M$%g=Wx1cCAqs&Y zuu*vaNY}pQD9rot+v0SW`Tp0e&Xxpw)(SHZ_h!$-zJ#W=Al{3E7qQKSZW6zi&IsR{ zmd*ES%R&cF9?dFLZ=@;uKt~2jU7}P%PYN2Sr z643COFJdt~Tw^Rsg1G37wM&dVwYU(UfsB6f4YxZMOp?K~zLACl*vI&s&Aa-%6&71_ z^y*uY5%{yn(2C&hR1R;5JLSw^OM{-T6;Hl(2&Zi3cR|A#wpf$LG1wp{frk9lMe2c> z2S{+Q8>lx1-kYLxtXUI!3O-MrY%1L@D!Q8Hy;Ya1f(s8bhgb{2{08Es_%?6tcPq}P z>|H3DSCc>xJ7j|lH&R;BJs;-n6=HjZvQrOEKADL1otf1)M{OQ?cn=1g*fPJoebl~U zRXyVMlKfMF@ESRj!(RH}h>QUv&E^U_*Xi0$QBRP9c+N4Jdm#p`N)#qP8aSfH&s9r_ zXuPZ6lhR{tQrIq%?zF2tp1JSg=J0FXNAOK)c1i#=mg5n#;ryLU<5QvFpJB*D%RH7_ z$?YOd4f6|)d#8ENsfYwS(Up5?4y?svUkZwr%!;BRbdbTdFJJ2e&b~)+Gp}Ozw85Lq zE=;5pHpQ~A=AV+rsiL(+^OQNq|eUJB|ierq#d)?aD%L%02- zZfiE{pvp1N^R29EnlGWe-nlN2=9K5Z)J+mYUTJO4dA{CXsx@#dO9L9ZHPgbAg` z*n_v#XO55}FMZ17yy6#@%tF`P@B6`MtG+Q8xEZwT-rd9)2o*dPN|hK9t1&ag z>DH$W=BYn;*^ zGT-!H#tM7s&UGHtOG>HDs*&kTzCuWPyvzK27U_NB&d z{e<7z>|9U_FEz$?Y>vI{M#Jx|#Gtrg5luI393&2nU1D4|;B%R@ie2tdxWtG3H3{2@ zx3{!Y%-Gr(rA&PgUaxAy>7IiG&7rIobdc+P!`qLg_=6Wecc}BH2rb2b?5MpoP zhB)?IKiqmj?ZG=v_)?3oq%um>Q##bF?QuBF!c`xaHkgt2P2b2@1N7ix+Z`9@-7|}> zc#MfhN@Td=g}Ig9wWGTxN=twWNgN@;RA28&$|&=5N9u{D)oK>etm2!4U|5^7@fx(k0Ek}=KgTmGPYZOe)*nviw(L#bQPm7TkeqTZBc#Orn<;!Fy&k-*P$sAj#y)It=xsuOA+ng>-5`&!_MruaRvc#t}zubG^j_m%;sI)2(>XrZ*+y zIhP6JRHsu%zTJgYI8`P%aU4z@tam0jHm1G6>A%?iB9^7#n~IeC1I}kmTVY=ciGYgf z!&fYRr$+HA{1$*51Iu`LDE6H3fEI#UYGsIw%cRM@tuk|aFO9X>;KKTsXII}QDcs~v zW)b|r>l~tBO5T7qET|)Ik>=xbONns-$xZ8>DSF_|$!G6#DM~&rQSkCi7<0WE{TJ9_ zmpP=t9Z8Zp)y4NV)b*QELqb(|UXdVZAyqg+@uJerWH-}KbYG!v4A+^T?0&xP(Tcp= zlFAD5V&BqDn#;4R#tGM~sh_hH)jVSgUdZJ$)mDdUy5TY@J<^f4`Cv{SyPpUM+Y97P zg?u;!e2ou-gLrlcfEes9mx;_8D=AXzA1r?Jnpsb4)uaSPhQCuJ%-CpSOnjHy*Viny zqJ$GY>Q=us3Efv-hZr5Ay9?)boJ}ct0KMz$| zMoBvgF3O59(V15-ZhI*vt)?nFNYDj@^)eCKRL|bw;&Xd`VE%mC!RTFB)7hJ}TqdwQodHx{KmmI%PTUfm_8m~wT-hV7!4p+RVp!IdT zY%wRq7zHgKQ}jM;q~&8>T=jgCz(l11YI|Sg@LPv2C*)Tgjsy)9+Thu*J@3FR=*tUc zH_IS=oxV(n2}J01tP41O#^&Et!$t|JnOxd;s%9cTM5o=BB7HuQWGXWtOblZ*b?=&d z_$ZXgUq5Q6K3Dk)x-dfM5wtxmcP=uh9mh?24=rn1d7V8*49ZrTOA!k)-7FH-Z@r~q ztOu@o3rM0r454G9|VAiQCzAS$6ADLOK$3N+Mthiybi)1347v`!BZbC86^hwlxV46-UF#vE%&}HX)S7M z=f8X7W5&l9<_HePL{H5TmnG(?&v%xinAW*31^PIUQUIMmx+Xw>Q%!-vrDy?oK^zz zAHyQ8?65R7eV+(MzlYlyeu1EPnwph`S#8xIhS`^3%dRPUKf&b?)rLbWqq9Ir`n-|E zN!B1w$TF*811xOP!`Z>QDe!&8M<_&wP~h`B)r6{_gfnFmLgwDs*h|U!2+7d^Zs(Hk zfTb}acvo9XQhl>o*F>41&A4T>qqQ=3lHM4Qr;*G$)<5LlY$OwfHh;h-0!60;<(SyY znwJfoKX#3mQ|?QJ9eO2+^5l4di@OKxc{PG&>!T(jIg`>NkUXwV=u_mU{$f|{5~Y?% zsibmRxCN>dT#g>3c_r;w&4W}}%(W^RT&oy=Cm}cdy)A}|54rJz+qDZVSVdnjb2#+2 zwSgBiQ1;Atft$|FikcsNzUoPWMEq7?rP1?}Xh6MT6`~<{BwYca=695Uy9~@0h4)_= z-`(S7O5ky}uPVzH_U~lB+IuwWi*#FU)*rKJ$pRh$c|94&K8TSoP0gI9FAAgvJODlX~jbNR9-XFIqb2jrFWxknmoBJ^@ z#3gvqe&bTwpfdf?O@)t=rxq6rP_@T6aw>P&VK7ln)|C-Hv2I|Wn%n!X z=s3r_#^EG)v#csr#aEtsXF)c{^<=5+Rc(x!L5gP`d$`Jnb8VAzfGs<5IGv`94J{cJ z{A0^%0PrQfa(Hklo7irwirgEJ(Vgl2CMQdkmws0f|9e};_G`0yAF)!{LttH&@(|M=xMajM)HeCVyy@3@ehL&AB%1JdEHDCXzJ(DLyf!i93bAOSz zKzkkRe#KtG?|bDrX_vBd&I=$-$uG$ny7bbsgd(!=Oa^0F6!_WVXPvY{y5}w%koa6v z?~EvDZY0X&LWyDwf}6Za0ltKo5(moef8bf`joQ+6XCfayOsb2Z=gRQ|$GJ|@#jsYf z87hcqC38DgA2^J-?19$@vG=@<-~?m;=^*1D`w|bV+UuCo2ES_6M=T|g##^4@krn>>TyAlB#cW6vA z(?6(<&aXME-k|1);gA}0(Rs&n2pgnWi64#9PsJQn-mo4t3q7+<$}YYHS*Un;M3w(= z9PvmVU%B4Ax7tv6RIZdOC^m)>w{!xdW0qyH>3A{S!@c|k&cPvGNmmJ%SAa{ z%XV)G(lcm9xK>Rq$7*={jK5-pJgT(1>bO1`+v&U!pE;9r)whgP&2p^!3`9!BVJ6t? za@Flf`4fE~+8LlCedDV&MxXEa0=em__bk8F0P9%zm1q6g)W|F8nvyy;`9xqX4%>8@ zJC0Eql~PC!)uof_xyPpVR^fGab-ZvgyId&uE$;$=ES6p!ua#?}pW}f`Ez3x~1DCMa zJ#EntnYr{J3fz;x8!u%l?eWHllsyvqX72EFV|#Y%=BBF4b;(yK^|kBg+3r$=X<}Wp zVee64&j|%B4JZw?N_aR*#V!A0R7%;k#Z+Rfp7KmXQyvkoF zK+DJQZL8kVxyuc1-@GFouM2|AG&`>P2wZX4S96{-mplbo9p)bN@+VF0CD?Z)o+aRJ z(hPk7DJ-O*ET)2{)zdI8xugCi*x5RQt^T;nVx6p27na=Z88|a}bNr}U?Mn`u`8o8Z z)1*bd(YYz}uZz+wfNj-?WFhF?9Ik)(0YhTFrA zIx_k=Bbu64&m+UCXFW-{BV)K_f{O`+XAfag)-N?(L$qJ3R5*Q;o|4fGw$e#c zoG&OMAmWn#h&1|mQ zF_aOhsGORCIxT&ICBsPcAUzdib#FpQ3rmt8@0{ZM)ESrLv?={{?)jFTuG>-WItLJz_rYrY0`q z_1wy^c`nQ)qD4f5d{ItiqC^-eF&nToSEcSTi@9Xms-1}xLO9RLN{@dD?bW<%b~nP@ zS61Rgmdy8$t|R>?SRL<*DOz8w%y-I7SiOArO_VgQ-I!Hu{Mp?xCFO$)2>6`&Wp(PV zY2zbb$=%#4hikLrt-liKl$b^1UfQO^9SFC2R)JBw!HT^d^+ZAu`(U%xt zpimVh9TWHyuOcfD$#fQ@%>)2 zdm!$Z;KH<=JyM1W_xJ(kz;aUvmC3O;-!ARk#VOYRZrKTUJb%uklBd$!g8IqknoIF- z^%|9g{%T_X)y7v&8}FI_vGwh8>3ye<6Y{nAn|X$7@fQZBAdgfb&Xf;EQ=S_4%E^zn zE(8T=nvNOETtipFA;mOF@ODv@l07L1m8y78Vu6Sce=Z4T!l|Q8ehQ$ucMCh3yAOgh z*(!EtT))@nETK)>SvZUI+@3IG_@Ab+m>)`w6a}XrXEM3-3`+TtS-nxY)nT$st;;{F zxYg~Q8rd}UKyYtX+6^YulH{Oqq~n@y#j1Fg0*GSFDA_!Hq?!nSdJ!t!u8(jzp1VYh zq4U$13wVC>Rq7)D8s+09=Z0Q+EKn%wnNgMcF+rW*u9whYE0#Mj!zl_}+o4d90;1=q zg4ME10Xuq8WhJac{nihkLocIsy^8%trVTm8rJp0ZsTiPK<6J8T{k}16;1iT&Sy70~ z^*2GOwIF`tisteNzZd45;mc%Tq)-uyV;qpm8sd0BTlgjR5Syz;|`{TB%wK`c#1*zfXwDobW+|0L*ZXKW3 zt5g|sH{|Dl;3WNq`}bN%gkOz2Ni7g}9Ks5nc0B0x;Rmv*Q%uKTNXW4OMlML?RK(JR z;(Fh8z%C`{Dtebi-_cg~7{+4ge0SV@ExaL)@#w87#Nz@~6hetolWG?=ckX@Bgvu%W zBvkG{r?rFIk5p-|%RC&iv6j=Zbh5i0lM*BO-M^W2pv9{Hm<_~x<~ryZ-X}deNySf( z8-2ZADnVs-X5tbpAEUtPZThOm2|Zn^!i*S~9^+z!NT1NXCpVwUMXvK{21C(%CFJLIO}g@ngN15s33Ly2(lo;uq45vTH?8|? z$iEBgJJM^9P2vf??!yd1SMRp4Zzq^XndW?$ar?U&(K>iQT(k@z$%_NIGs@J(d4I9y zDASE?TL1-R3l*2iv(6I61=9JAD{lo)bXT`W$)kNl4l6rL?4l3mQ8pS#e+XUxIZH3tt_OQ;{hBm9oN&?M364 zEXw9&)Mcb41Mo(v{&fDmBpLB5N#3BTk?+cVKy$tHo>MegUDdb(4YGX3;MBs*KowTSHOzeIME9U>5F^ixe(%!Axk47z9)A_s zBQaCiW?f<`rS74tu9^eH+;y$wE_;vBWF2*wnbMDaYAUEw*<0Zv&BguGu1Pm$WA7tt!*AvS(wD z!othgjJ{_{pw+8aCJtVgWEAO6uUsjy#RIFMCg-y+7`|Fq;4) z*CVi;dX>B06j@f4(9pyYJgxImTOEP>N}2a|wAIyObR*R`Tfq+!IXjT|)!3SaX2o~ned*!chWurEo*#Pl`gl=;vTYwr zXmBJFsmVcId1(!sg5Yw+rK9x?2ky`cbQl3Oljpv(E4D5iZ&F*d5Dt0cH)@SrBbsqHGlD+61SJHkC@|PRism|GwcVzA z*hrIW?_QyCJZQlFr^)Z}Jv9GlWc{mvs<}WbtCZdR!Z(hUTa=(5Ctu!V+##+P23AhGpcU2sQEJ)wP}iT@`c%KQ? zwMR{_@ePXS)olgZ9!oITN6)dOoG?f9Ju5bOKE(RP-}O2}lO&oUw7qUlyPU4VCH)vb zZz+ta`>xc&zNk%g?NWGH_(N2lYDf2?K(pGE;>g2ZwA4TOT#5y&jWYy3qD8es5$u8((NF ztNZ+tQ)XYOIHFaP63N3{Ep=<(+2r+@#u1s}o0k^D&SEr7XzV z>u-(AnW)hkiRXg&e2fM|xP11|AE1Xb-3r7v(4XSlj`W72#iOvztLU)s+n>bFf{xa^ zd8QhM9nz`8OUBn(D~mq{2CFyGBgJ4i=qAg6Mv@O6t%*|BRLV(T(7?5x^kZp4p)B>d zJD$A!Mg7sO#@ucznYWO}-#o20scu%{(E&i5Ey;@SReOK>kDA>^H^R4go zTH$k_TJ^#e^oSagu5nrn;Lh~!#IMn~o7_-EI&VefgUx}W9%JA1ZpGN#!WYS8%a%vg zu<5k$!imWCG272C>;mcqxHS*l6nNsf8$z5HRA`e-Sd}Ky<DA=Gp%{F+NZQ)9KgZL;1S2F>~N-Jy$_ja{K zK-Bmp0UFq|cK}Qs+Uk*cfUhkbb(qJA|hY*9-BeY`9D3LeRw^vw31b*hQch7JnM8F1u9F+{^88%XzECXHqAd zxK?Cv?MDN>wg7me)%7~~);{Ho8&J=;XSi6@Ge1dZ(*Au(*m!eL;OC=UvzhN^jBiX` zkAH_>dfcOv!i!}heUL;VwB{DgT5Qxd;<_l(#Lv@0F`I=le4X4L3rrvi&D!h*gK`M9 z7If#PiAw{fMY3Si!?;Pwu2;nSqp-+yM~YTRb0k!%%txxgiFi&x1dK(nB*sid^WiHm<7Dd_t^UEnu4UFi{cYo6ii|jWM7O6bY(>enI(MV1x7O)6zM2Ew&C`a znWj7QLN1?S=U;6F*}BQ~en@lu9>{%bbAty1OQ)@7Jqh$f+?*H!!=2JiY@+Q=?>>pp zddK;GWldlUo7Q^j**^7aqd~#;bp2E3p>!_ix~t-HWti*ds4{Y`r@AS@mqgPW%6g6& z+oZBRyH3M{v1o}wb00W;ZzkCB%Fff3RdxMQ7MRL&^Q8$yv7fg|+Sw@xg*(x`K$!msmHL(Plc5pjTGLOJLPzJc>jAG zCcq}A?D8GR;d4XWuZLR9fn0T!552XF=^L_wyp!kkzK9!k>AnnQ*!@)wkhP4`48Auy zH)H;ar0&B664i)hQj_X0nd<<+-IcxpkG=T(-Nc3QGF?ZxirE37sp>*}mSMqSs(wRD zLf_#zPt^-W-+)WJ`*o$+5rtB$SVRWe^5(WFisfDA8VJ9mI*^lhcqf0aw_jJ|$bP?6 z!J{EHb6?>yabt|V6F&gSAS zITerRhD`~DLs!+3=IrF;XlkeyB6DN#opo9U-(c#ZH~mU>)>$zo(Oe4r+hdmfBf2`d zB+5ilpMeCTpk7XPb9srK#z-BMrQ)8AkH}e1S+;1}l)Rj3me=$)nyHE!&&GlX0 zouXIkKt<ta#3Rq+ zZP1L1LYu%1v$p-SUGzVzt|)nD>n{5080(z$1MCrVN}uly9VM>1HdS>xwijhs%g;P_ z%;Jn6jm`)1!?wZA#$n5e2*>C!``{jVw;iy>VkFYM1+9zUcU0cLXjVqRb&Z%9I#jJ< z@lqJ2@}2k!Ck$!d^|;~ArWUllyJhP>^#rZs8C3TP-xP7R6PR^yPK9uJdjs;@HStR4 zwaL&UPAwCUd)(Vwr&DEQO?3YcbKe=&WV>w}ilU;SDX4T2kPadp5~PXC!u) z2@*OYQly0{y@T{3MS7EtNDaOB1OnWb{rT;?&$;8=>)GS}IKLc@0fUhz@4KG4=9+UZ z8ejrQMWpj*YR%x^YRz9mA#Vb})HMz#yA!|fV6GSyuo!woP8 zvkk$W{hU-!kh<3a34djqMEdA+uQ=?7gONF>61aMD9^rmv&q~d0x@Vxr7dk6-Sxqlt zzvO3GHM|aAw`Wy(-5y83VMAcno`(0eOkwj^(4UHQEh;{0U#kx0CHe;xL5cUy&D`%s zlQlK*o<3VNg;!75cpa8$dQD_f)}glhMWNI1(_f{Ddd_IW{QB=}fYKOXo^;4SMHAZs z-zaD8F@v=I!B3$R6}Fx{=0;T0-X)^CEA92W&IgG$4Xoat;gnzzL7JMKI^a3$Q-lVE zfrX!tZ~QEB6`?_Wz3edq+i8Ll!UZ4FJydIWTA*Hb^Z*2b&tdG&3<*Z=--E9?4$V;C z$+N+jgSxuuBljp(x6CIRT3E_;#h+erbi@w6_uunDoCvn8~K|;L@eLadsCS z|3ZsKiqJN!V5|0r$=1b`7!7R!c~;~qGPMz#f_JX%cCg5}SP9*^ULqoh&q%)Azf>#oh8HWHJpphbGO+#W-#FO;?-j zI{pmx;Quvgeu)GnfAX^4iJ3L0pXW{uiDQO(BxmVXDWCz*$E+A&5#3Fy5uwTbhT-BkqRt4a-t^dcIS$7qV9k9BPeP}`h1Z)p^xj36 zHDCW!{rnh^G<%?Dzxx<^6?tC2`n7g`nt-MtnA)Y)m*)b$ua4PV5yYR22f5CVY2>>5 zO+6)o-U;Dsl(6g6Ms9C59toEmzrC;~zeWbdax3aPERy0BYPIox6!{3c7P;MXYfS!i zCdHbVunnHB(V`j|kNr8?XfFee{^eq{u`_15q(KU5kD$4el~IWqVXlj|JM$z81<0#M z(;kP>t`F;33V2G@fhrXRJr@kucFsAG8Cy4aQ?}jS&v{S%j*U%z?$xhR=`8q7U&5DM zN-jJjK4tcInR;!JC$t92(sCxuD5sO-?6mNt4?$=0o{W>G%>iP=y9SEMx^=&{>op7t zPh2AI$AKO_tfTxBq4Mkn^pdv(#69ZyEMxT+b{XtkJ(X*>Q|aUajun9 zAVEizAYbF7$OtIrNjP+|2mOE~hV{*Wuw`p-_pMOrQ+84^W`%G-p3HUbaKW%U=pVtR zvhZ_8SKzWWVr`_ptUQf&9KpoM>AdI7AFBlJR_-8~<`>wT+c z;{|-_PpVwA-Yx*(B)d|hKpc?x*#9KU(>66HG64R%rRS2nI>fZdiu`Z&IWS$_315{J5C(eMYobh5iut+}jn7-FZgUE1 z%zJu90_^lK9g2QlVvr~jDQYy{IzX~$-T+5^D^gCf*llSvg4m6$Q=v*!Wg%Zpj2O_Y z?-T0`rjfPE@&-$Oe)9)Es1D%CeW@5>)902A!@`aZwYFy9yrh$^hH>4yb4~1GRwIVX zH9kX&DplDe*}2PMZqfTei>4pKA|_CH!vEXz+kbChg3sXWV_p?O?cRjeL5hsS#J>BX zDm6wJPXwJ!P~^P++w;pJ=Ekl^wkkPlHL7?20q94zSc%2xQ=PaeVw?|^VtZO^ zUpkD~3U8lI?~C`0q@O^CO&58+HybW)BiG(`Rb#Ad7NN&A>raWqwCXxxUyr!5;4~E5 zb$WHq+l`AByVkg`LQ)-4|A<(w5e0~4^^1BV4cBbmX;78C@Oof51V%_osmp5jX;!$z zzSChA8ku+Baekv!Rh}x+0E21@N|O}IPXbs1A*q{Hn;h>!=^jUQ_1!o68C`<;xi zcfHkG*Z45-wbzynOCKTz@V*t54ZysNI7q2;rQ5WWyoz8J3b8kNl@?30^izvsS4*3DS?`3euwpzh)5#HS*!p|Y%gS&fGI(jYsT5lafDaSVK< zgplmW?Z?`(z@>Ui(rqV_c|IUvJ0HW;6i`_E<3{&)#h-6CVHf=P$^_p5PT%zq;_*GI zg_Enc_p50l+4>fCsQI`pBgoG6qOEKGZhM3)Go5&aYH}kc;FYsV;4@6bJ(XN?=+MxtvraJn*7_B`Z19o4Oe0hs3kaU!)oPMcVDP{!`7oU;nhf$|%A> z6|?TJ;l8Q{Y?F4$3wq;l&F8>-ud920?c&tQGd&jzjJjFOVEMV=;qT!m*L<)?-Y3Uw z|B#QZv@SN*KEhpWL6B43}E|P>^h!{{#t7l6x)Lt7OotVPj=iUCtK3 zF*r5#Jxlj6GJ=<62%cnc*gLuJ_av`arW7pwEM^?5NWB)rWXlfA?spE|JNU4(=#Wj1U~Jq#u`Z2e z>Xq&I5;(<6LU3`4y-x^F*=}@u_c&jBk&Jbla$jy-I7iUf99Um^K7ZQOO5fD2@lLN+ zyu9IohiEBay$xV5zHU4wfbKaSXjx;LkGHzH+Grcave_FBYW$1=>4VYQl|QcbQ7|OrU{x1jZj-&Me+kz4pG8amY6>RZ|vnU|6Fe-JBX9=wmhC zR9uSKMnv&m%RP(gB}wiE{w@^*ji=zW+wS|jQ1{pM{iX%f&f%N=!bO8en?Y*nEjp0{ z#5lyH?5OW~Ui;m5MX-nQDp$8_bgZ1_&3Q~uh<<&4tq$2YSIPQLu-an-Idu&6TFQw# zm_rO6Q(8)0RE!2OYUmZvO`jcqU!O1i<)ytpu0X%6@IuT6=*r&R9KW5$mC>c<15ihzBd-eFbb*!uMN}!;^ zJdc7Lr0T`|^KS^FZ=aj9qJIvT2FhhWZ4G%44%@%e&PD$P242XD5j_b;X9@Ml?m=4j z&H*!nt`$~@yj2xpz_(FTgti&)8N_1yFz^HN5b)6a)tr}Nj>LKa$(M%tSUO}<$lOpf z3{nfvjg3eW7JFqCWC8jhSdrUL%gWb7F#s5o5pfnfydk>qYj%ek)+8P01MG|ToV^kn z-WXsOGVoqrS-xhetR-d6ix@O-fKlO=6VHrMh-@R@Snwqk+FR!6Z0cb+LUU{#3hH>#;n+f3*XT-#$}*mT*?iaG z1cqrQCsJF_!#=86CRLY-IzSwHnG@OGOiz2xXUEQDI|`UdUPT@2U}J`$v<5GdRk6I6 z>Y*!VnwN;!F(Kq4!#oKv4+>*--~Q2MjOjNTxSa5QsYn?+|tr8m+q;o>q9ywhz;1*awK zIbu+(MyMPC;dccDc~wo!-_w|ziLND81-i;{c%bW!5M|ko&U?eivSqI%ITr?vV@Xpc zv@KV!X%-kNZ#n{BBUySxP_Lma4@&~HVAj9(7#%=TVx(A)d6u*&+pxUn z2C(I5*=fMqBkn+Ab_1ulT1B5fwdiy0KexfmbjITx{`Gr;jP104e zbg^#GzJfT5L&=v!hnYkY$+qJCZx_Wu8?k{nEkCSzaAi^m>0Z*}6ps!feg{!lTn14L z=;E6&mwTbL6*rUD~W4QJ@cgfbcUW0q{%9(4&gZAIQuHTfa2Es zMqHAK^Yp~adj~Qden~-QS8Lr%*!jP`^`-P(fv@L;wx5;1E02jR&vp1o&knsJsf6V%FBY!zZi+l(;ueqk{yE^ z?WMPLN(@IOwZWH4jpbGIcuROS>W2|>+d$~Sp$aD^k%Tfe z%V^C2-vm7v#1^6FFzlCzMfeuL56L;(n0>Mo0Q5xV@WJTv+{!L*I#X{6$jrvOrVAp# z%^{liHv;WtF(1TB_N`WvWVgG^y7AYaA+pKW4e`0_nXqq6vfD6GzG&ESrr!RU2HBk$uQPt0Qt zgvNWx;{l1HAh@}UE9y9)DqzKa1*IJ27hvEyu*#J{oeE9`10s~AO;? zcsd+$@M%0xx?Rt`u?y2xSgVAZ?1i%wazINJ9|l|ziyx?u4nj&^Hl8o`fy+4?y`H~F zoI>L)DO_ZhEySEt7%n^$YWX7?D+%wf;a#z81Pzbt&Z}vVAQQ(l=+Qh46`SBoZJ|av zn|;8c;J8?7+~NV4*Cv!{Ad9IC<3e^sI*0Mn$$igm(%dPjvw2LI5VtnrM6=putPwhW z0+?3);W22PDd|Mc-dA3nn48$~|H9qAf-78X?~p)MuT9c;vUIr8N;k18>r159RL1rN zgF>C{@WLEEwNC&FV_LUB8oIAb-R+_z7mnbQ6^I;%m^gOW9O9t4m%h9or4`s0@GYOl zoMRIP!bAL>;neg3c#RUn+eq1p?&~DM-EUHz6nvi5{G$o?WhBg||L-C9U($s?^P;Ee z>#`gq9%s5QF&sP{ju5uDrxaUuP|6c@7zwF?lM7Wx(2S$jdvcj6lx!xthTxbSV|ri& zdauSia^NF$xSX*fcaE48T-e>w&Ixj~1EEswNC2(vO6jVfVgYAx7|H=Z9y=b7Ac`!2 zxci{GvZhP-HK%!@wDm#s!g*Ez9&jYEI!F|M*02>doJPy9W9Wb;*t?<(Mkp0awKQ^^4=mREjDSapc@VEu0F4y15f?_^SanTAL&_%rOo6^QsqBs{(m>vxx`;2uj zwDv>HoX#-aouCYvdd@gn{hA}}4z3?H$pA>I!Hd0>819o_xtXIcPCO==8Y?a%JI+T7 z#B%t-hx1GqwE|fRF+D#b;_mXH$D`$SooQfOM&$KzIaG(OONEKBGBub&QTa(cDDLH7 zSx$gSq=WeGrD1vM)|g51s)b%r^#VbAlIr3%Yq%U4Q|r%uC=>J(!3jeyQ2X1|`q>Xe!y{-a);<$4hroNs zCZh6C>H02%ZsR#mRf(W4{tq+r`m0{fo*Vdd_2u}F38ZB^q6!Ib12ft_oJY8{J3Es9 z@G~oH;R@1R^;F9e0`le@u5)8a+s1>)BsE|s>$0)KKO)GI_AMYzJ+D{4**TvKa2=~K zd_%SeE$*+TV$e=U)lmR36gLBk`|!_0{qN+^{WE9{aGe?tq&yYLqU{STXX;1ed<%M4 zsV-r8y*S>Z?r? zHEuP*`y|4p&YmC};<>hBsvBm4l=&CT89U$?%5II zj1R<7Eu(Y$db5j|wb<>h7Fig{A?T?ai1A(GQJrEF5J9sO1>-to_yTtpqgq9=DRPEr zq1EJd_Xo8Co%iApy?!#X!!Wmv8s4+PWqHdc4FgXnz-{}7kHmlcv6Pm}U@A*e&~HD; zFP1ag?-^~BAn8dmM6jOJ*NhlJ<@x6&DtL|8srAX=EK<6UoXNfHiQRK$FldJ~n(F^y zM$^l??vD&v|KZ0541eQICnqPK*B!*yeEtEOY!h3<-ZlFF)3X^uaK%nh;zi;k=Rjwn zqTnh)4L581ShRjTj4G98kh9TMU3mE*f7N>pE}USpWU3T?gcWu3nx;sC`%`T_nx}){ zBbQdJ_U>Hg!1!H#OHZXu@%|dK&wx;Q(;YXC>R`e}pAWK$h&2x>-wjpv0S@8m z?cdKXl9!)VNFhi;Yj9r7Q9rL!gxE(;E$N=v&Gs)xL+^aB5X`t<%N_u~JUR|((v4edORw|E>^UV7rXDxaJ+>HMHPpJkDwU=E@7UH0cJ zyz4X`%v{j{*#CL#GAu@dcp3XXFXg#3@FJyY_inc!lI7oU@|)(U$rkio?GGuV8~y-f zJ*)6L#rtvUc+kktJ)LQ*gg9C{0ciI#%37kXF5qt<{ zixtHZqltTw)(Xd#ka}XVYmRG+%n^{*&*=`O3mT$1(xFsq4&KuV4X9bkF=cP7UfC?7 zQqu$vBNpB`Wv)gJE zp%5xc(wkh^t%la_&`1Lb2Rn^NpGD=l0rG%gaL-dGTVL^;dbN&w8O#-+cin*-%t+@E zjpSIG_&mLo8yTVqFX1A`J+1V(Y) zTm+N}U9iG9kpizEkZUGTA1=GmKSL7#@?$HHF5eEobP>5)x$mZJTQ$oSG;_t}dQwuH z;7fGz94`yF6P!$Db4xY(2*tXe1GPK+qRzX+1|+H_1<~|qBw}`o#utrc_Z;S<4BQTW z!1wNGBspVOgb9VyM9j_|w|k(SL+o{HMV=-mynI(H)g6W0SKkT8S@{;|I*ZvZMahEk z#gFP@Ehakg%-VLZKf#uEswje!?RR#G_wX8AQFhEDb9fB%fRtf&rZ&U4;Jda}5Q6gEMd79@ZU+ zOz0n@!g7#atx%UzR-vWV_VV?ir3T$j58$00!)rwp3j5}Zju3tV&SD>t0|!heXCz7T zQWASBK`0lcg~FeCs$e%}zp?F9d0JQrSvBN{CqFL|*4_A9}SOC9jL-TNKnqPU9Sz4ReGedV`+ z4-LAaA%`moAea) zU-YXZFv48C9W611ka*;A6JjDt^Py>W@GUgF{?sFNu5e#h)BsAll&O* zA!~m?Wq$;A*h3#H2#Hxrj{<_9^F%kDI%E6Wfe0g_vt>ogOWSvhbI2dfOaC+YTH(H| z7MD3DziQhDQYBqpKofb)J!8mq8SN@R0y8qHQL=tQ%H-R1k6abzol_ZF(W2b-5C1O` zey&0_@ zAr_Oly9fmt>Bebu=7g*^kFOjIFIIE&p>tH~myCHOy+%rgWcPF03FacS$@%4Ze!bVP zA>y%emU0-#Y3uXGN3SS&PQ!TVuz+u5t#1WoN#o_OYqDb#<~8(1fs!AHiq!tkpZt$X ziFo_(=***)L58bDG<6OqBcaa;aZ?0UAK(NtFn+vG#q>`pynRLJJu(_hLyeWM+lFGj>5&Fe#Lwl{DVR)6QXKdmL49m0l$e?~# zrCn>M)5NA?puD1aju@QfC7cLW2%m4Qa!mG9cS=r*wRdEw#mibnX@|75tGiKIC@wHGoRoW$WuxF3O0p zztfTh2P%A6UkiNc*%Mj-K%@;3DS_(;MhGdDXlmA;P(WfW#@|Hc32g+jRaGvr|hI~-;2hev4)Y+UFiR3UDZQ6Y+ z;3Q2*icrpx=^iXGy3!o`pF@aS`aBl0lJB}5#1>3+j@S?G#JI%Cg)Yq2_<)8}t9>{- z*uh01Yxcuku=*1g#TR=Q<06E`)xrBAM81z6;@=|u_KTyL_82$wStS135@p@sT1k0% zyDYPm+p$;K)Tip(=Bp$naOE!cYdf_}T(-SxPUY;Ump}K26!j%~lno$;s>d}|48(2| z358>ok@IP6`ypns$#4{l0Wai4uKY{mk$QYqy|Ruez4~c$(fL6t6F+u*$Q_l_=w228 z8s`GGa-7^VX|nqFZmxn$kJTpNper$M=QbOlgW!mYhF`Z6ck~Mdgs-Z+diabRwh4D_ z<65JdVVqtY@oEuOj;(Lh{X{ofTPjEg!%uR5UBtp=d843F>x2Agn5W}r7`#md4@_aX_$awTQ2WQ{wvn{tDm^8RVR6|N zx%{;fbqH@-g=0a`+tT9IrC^JUSF2CEzQ^AxGim9$U&_l1^1VmTPgHgA^xEq~qwilJ zxt+ol>0}{hOfnT}FgtCsqPvdRK$H3LGMbtbUb1wd0(r3CdCk3-XW5M2s=P_(=lI-a z|JF(dZE66&{ba_mU1Rp42Ze`9;*0MV()G}5w;WQUzr{I z5w%j{Nw*9Y5RS}3A%bN)S@_x8@={bnVzX2c62!(rL2J!z~p2?R?MNB zl4lkDcSl`2e>xiH6`S+tea8N%$rs{o4!Gw&-esJ$hO3B(*kYGWVMS8zKR;cNKThG} zcPHceL0z_|7Ija~GNrqZX5jOP!C@MU2mxTjxHn9P5PJma)lgU@DH7xMi?HY+J)DkW zQn){v>erm!_U~Ok+IRmxlUqI_-^UjH1escKJ`??86-UzDoD80wlt4AGu$KuO2omZj zbTyilicG(k;Hugc@#WozZaSHgT!eyqjmv76Qu0Yu`gtoUvte(;y=y||-h1Wh-iP!w zsaN0Wd88(9pyMA-sz!Z`%5XH!DO9kCiO~8;BVp%*|5Opd2)ROuGzwDEa|Ed=v}Is| z+hd>Ce4%I+mGV^6@ldH-QwU1_L94gBXBieD#%fT;ZJ2bVK?D4gEEEoDz~N5&w^$!D zH2|qvA@Q3OlZ4;<;t|;6&8`SGMBq)6HYcu)OW6;xLoM;W$nZq?1(h?MW}iJhBGU+V zHJW?DA~2FJRK}a-*~v^Z2q{-r0PKmdx}%4ssVCWmCwcsqcGXY1+qKggR_`Ymsmbym z`NPgCycY#56a{`{wr2 ziLx~MB5sK!uu?1_0)k-=r4-`zFz8~Qs4RjW?KCPHIxqWZBt+GIB_fPU>hxO{)y6?H;?}pKli*&ePTI9h zP4{eynze43#3MgW-8Aii5u_IKCUC{}3xIHk%GoYFkNtLb(l5ZqP^=()f79g+!RDZ6 zOz~P*H^OQ3?p>45?=_l@@U^e{21N#*OzKr4Dz`37T@U+yvhwS>9`ZG_ifr7CId5Bv zygOcRl=!Fe!oLoFpy4t>Opgpi&|YctnyLne7##J?d!GNB4(T^A_%@swzEWBiGpliv z*Y2jj_J?EQkyxbW;YV7e6`G`NPSW(HydNKA1ZHXh$b3AWyxB!%VxJhjF*f6@+;{OcR5}lbh%jOMLvmg9>)}6&h{k zUm(r#?)mq$v&7fS8tQ;e9wC7gBh7fsu?gt$kTuKjFA|;>Svp;)3y}2Oi?6zZDn3f%3OHC`~KU{ zbJqMS?2lW)E+0tDSaBmAsr2g?Ms3?85%0Glr{zj-!aWy$4R~(phjrQ6{<;?Gwi&%M zuOJX}#VNr!ymn^L8-^J$tGMCKxYO-=h7hV3(w9+z7J5g1CL40YBfuOyQ<*+Vl#Fh1^3s!m~R|xBgmg zYR&M|Kr-;ksx}WX=v3-)-+-Xb7kc~#S^-Gnc@|-_%gk=Vq~L@bqM+qD8~aezLs?4S zs}Gv8ylg}^ns$0BGz7TQ1vdbR+6}SgZ9S`lT&-)OPK$5mzP1qc71)ht%`8p6ee&O+ zM}~3#x=f1YV>wg3FV26qxfs2mT3GPu$M=QReaSYlG}%p?mHcLCq%MkOc63#ocT*yW zB&x-?zU@b~o3S?^sF8d^2J>FbqxG7|$rN?GdTJ;WIPy{qKCa2&<`z5$q>`=WLcI=E zs5e#kI&8jX+d14YmmGc;WHFfnZekzUU1b~qL^?mlt9oc~y}+=y{(|G51Kqjvn97WT zQooD_8>{R6YC_xsfOSeN%?)0O#1qqi9Dc{7_nPyn@@4LiVjS#-URf{;Y{C>a@kAsp ztnI`>bu@l&CZEoJ*V($+kD9`cIgHYz8q7@l_MeB}=j9Kj;^Tjj+>@uoj-WlL<=z%` zprEXOjN2>alW=j~aIxLIFPU&2WsLiZmsUct=DLqi%J}O)o>+){^x;vUSHELJL$&4OGr4bO3Q!~zFSJ3`0g$)m}pU-4f4==$t4P_1FWy=x^e2(Q5p zcC+R}9XQ!Vy3`w|9_Ck{SV%itU#nZ$vuueYf^wE}eO-|-ME-JNEp;=*j}K`g6!=AK zJ?T*J6~~-yv(iL%(VEnd4{Wi(`JNyWJIGPF6d6V~z~odoqW-|@p#97FiaB)~?~v@SQm<5N?GxCkGN>y-zyJ%Es9C;+Vo@!+6UmkT#*43d{r8LSu-s?Z5@ZEigKpaqh2Noi6!vK*<0tkt1G!#F zPyU=3fCsEtzzOpMB%>^L5fytQA%dGEw4$tV^Iugxqv%il`Df2GsLJ5OqZB$N46VGa zGxO}N3~Ns>RDaNnYq7;t?8)!%@I6<}R+3}WZPLbmHnU-084(J=4YbC$Gr= zXN2IxQ1{jM>|^*%!NmL%KtxJZszchJ^Q~$!07r5JY&`;+cpyfc7{7^VKJG4o=p)w` z#B;=syNQ}DmZX(IagH1!yTeb5&2Mo%7skgU!2|-^8S1zehiK`qDv4Q;L=_HZ5mR_U z5ZD7Xjy>h@dptQ|_w$3slA~el?}+p)+j0PV01xq@X#ow2B_>WLB$!{ANA49FDSvuP z$9Hy+qwS^Qhr{+#ZiK5+2r5q!>V=~;X`{iL!;SG=h(r^ptg(99${ZtE$u?QoFkolWPc zTccpgf=2a74x4YLei(Rh#+a@{00YrkeN1wgcoa#TsJSw*2OzU$%(xvj>T^)p&f(&( zwG=NhMntk>;4Q{{Q{)T<$Xspbk7p1zP?qxyK53C&QHK?XOOeD`Kf;@M+RIiGZPXgL z(~B^cjHMBi=!ban;?B>n=Tn$$4CfH*#O{r(D9!z9r@e)2I95b&4Z+GN!ONPq-v%sq z8C!Hi*zdO+0q}XtDLQ*4;fbA*3><6Jy0i1k6lt=M5CH`P0gu=8OcOX9Hz#-5zy1;$wFmL8IILX6*GdbuA9ZxFGLE z^TgH*ho|V30)b`^z&O`%UrZQIVS{sKfaQquC~3zb6l_M_)WZbqmmX-u0q_ zHgrss=u{4*kBLfu4dC2cI|Oz}43w}@Jg5wX@9)aawcFL~VwaOwA%Sk2g+CXzyK3i7 z(X~G;gBT@eqBU-Ls_P1!dR#cDx0KU1V3=-tZ>{dU#h#(JqF|*nq+ZOXD+BbW9G~63 zPPF9j_tKKF$YpHc!58X!KEb_*S$@22<#`$)J*LadUNb7JRkUm1 zdFQ()Mq17U>z&>@)1kGLnAekRn*H4)T4Rj=4}>5oo4>D9#d;j>Gkoq=0emk~IODB} zxo1K71coo`zC3}%6XFXy!UIh#lqKP8y{&<+Sq(kUCTWu{?sh5oAIJ{VCb_o;*1jha zE8u`02E}GLPXwl3wY%wfva~ysR!toBeaL_>FtTvp(DGwOf{n6oT+AC zr7Kr?AEe*}y4JI!iLHF{e;$289?3F?YvbOdHdOZ>U8%cS8krTJ>G6%Z@nlGztHj-i zL8Am+VG;w))#9=kRN=|(j4vyN9;!ox^cGftyfi7p`;l`DvWP}qTj@b_=X<3Jns(Kh zAy#f7>ozqUqQ~=j(uKS*$YV!qI+EN+gM*$0HN|M&RcIE4NXhJJ-X5jhDzeZNzr^chsk55?Zzjj-xue z-t^;nm&uOL4luBO{7ko)*w|U~-2ABSfGHtBukfC>O_H{un#}?${_vigs-ed%*4;+* z=i?TS-gwH|g*#)f{fjJJe)4=YL@a-2uQ{qQ+-cMB|GXT>J7!?vzjNC4w$k4N25ES( zD$qMITg=cROhEHd9=~p@QUsx~UB_{&|60-M)V_FRL28J@m=41<>xsP*I_1~#jYi?K z2rQ9m2Vju+yzhul4iO zB7$iB?Vh*!>$LW+nr^4`PSaG0-eWUr<9~2 z{B5jp5X>edgCBTSFz|O|ABV%FSf?BP4jYl*JS12*UAxAAQ zz-jQLD+yTP#Lj1~1}Q{G#)5rQ98=$BC|1t{csbF_^W-;YKp6UIll zIT#fZ89Q7z9rk%qap4yc{p-^>prO+?Zqu^lsDRT{OxLbyJZR{g8E|W9i2$#+Q!=q# zuVhSa+!gjs5KdsN{beh!Y3~-1*hzO~^xREtt#vG770RjMh_qaVqFsyz=%r7M~u-_7821%IYOE3E9q7clX~9T zRrJ|2=c@ZOCcWBD;@eU%e;%G?i(47^^O(x+>Nm$%^Ft8#m0(7VvpacO5b=f75*a{# ztCA0eYWn7DZYJGdD~k1r{}BW;9x>oS4>_36OcF?mJ05D}&+iN&E%nF)0orrk>ho1% zSAe8z&eXUA?elb=VPOaQ$HU~Uqgup!SsL$}N7nzulD#353_GYhu>k-S&sYolirL2) zR#3a-xc@r2kz9i%y#u}C{vBZu0Os9|Ql-ub0gcCj-SC@SXwEdMtP%|Pzr3*C0P@r* z-8o8L7Z%<3=e=R$G2LbujlSNmsttr8k!og|=0)pwFDvDV#f}z`;}CxwEh%cG6b68& zd5BeSueFnB4ZlE6YlniLx9d_SuG^i*2cPrq%-nd^)o?6ERi#wOv$tg&;V)k~UB|xo zH$`Jo6rHLKh@o77gt7N-v0coo8h)T>5iLkh#?u#1+*zUFv=oZk7IW@45icBASO0n( z)Fu&|f6yX}{}lh-R1D{++!eH?18y5TTVU-vvt9Zu7kzw5i(xJb$ZOb50rr^e1d+Af z91Pc7<5_??waGXvnW}qlB1EOiHin;;_p{`&c$3P%-Bb`O$r9!XRya=n-umIeAS6(U z$Rx;Oer)=+%8T^n@~7!hQTY6seiHs<;ww}yW`pa<6(;Ca!~;@+ha`DCgY#?MY<9 zQABq>Go~w5c1-Xj4s=&3P6jp94!DRg> zSI=lI?BT0k(uOnC!p>_WdHd=KxKpPTq-%6nJwItw@r(UUCvzRM8p2t+ys|DK{j z&faEPNPdaB=A&ux8-wfnbF}^x^BnP08!^lYRGt#EL#-Vsxu|B6{R4KwpIcb@=B}T+ zjnwx!VR}w(RhvWvcNmM2QPZ@PCUL&rVHWqyAK`pxYym*MyL96CTRnk;Xi|{dclo#F za&a8zNy+uF8EzdaUdI(;IxUFX$Qzt@w#imIi1g;G2x_e*_od0a7ASbSsD~48oO9g! z<=wL``NQct?I4h5-tlvf1FJt^#mW^fanRUhek`9b_^e(0T#|~4b2lq)?n%&?KM@I1 zPM2kVRzM*X&x;IDBB$^05HFU43=`B3Y}cQh?vWxsLV@QY#+;W-i@fB=R> zNYwqj`if5OhWn<1VNRHLWc*`2f8J~FFDl2jTY`0LC~FQnm|uPrKl4x&{gMw37?Sb6 zZ?dL)(MUCVc(1<ifjtoJ>pIk!+uwR`M-f4a7ZMiP+X0KcCI+jd?Xl4NN(OD*jV z@-Bj2Phv_JF$wuPGKzk5*OXr3=GbC23@kqP{xU%_^w7waeH4i}k#wCe4Jq$22@LX> zc6W&^7!A4n`;#smZ!}E3UEFAWa43 zd2i;XfF0fg`W3dkmeZ24&13QjdQ39ktG1oCz&UAW4)v46Bg3DK`l?mG4u7*f@l$Uc z7=b|4nY>bk@&8~n_%Hrbeh+w#^Di2AzkUWbc)nh{*Tx)4 zT6p1P_~d&TAq>(to3))rgy z+KxG_OiHKm89SlJ4pIp%UcAGNe$^;b8+RCrVd9ttan)t3xr*>cGexZ z*!d7hCM@yyx|8SFx>bu?HPKesF#`k;Rm{4>J}`5ZyfRE;rKIt4)VvsAP*!pF)15YTzpm|Z;n&O+ zE|&91Kcq+|;zm|M)u$L~-bO+!gszg>%XXGp;mv0S0U{9tPswkN(*c$UC9e9Hn(6F< zuU?{m>9ySWDqlItUU!O4f6vzy-}sZu%31l1k+za;G&yi*V-mL;T4*@oxLO=G;|`TO zdv7bvw4M+(9OM=^$1Fa)DEb~6-pEY$_@jf8#QV0NM89YYry8)xW4FqO_IWb~V+OpH zqyiLMp6#Aj_K@$a0q7d4Ti_(TOafx_JpWv0QKw<=bnv7GE+Hp(gV?B(m1}$!mcQU(R!r`i5Up&!bublAoKiTONIkl`T91 ztO50ODB>c~Bo)iOVFEqN-W;x)GR?Le@*^2S>3BA(n}!UN+?F8XyZO7TP1zED3G#O8!3Vsmp1KOMO|fM4aOlwgqsAP2ucTgotPne#upI;=KFBpyiOt@3-D|_Rq8>$J~GLL3T;UD)LIpR_zwCa2xHE zvfFY!QL}Wc0Y#Nqv1*K##cuH_CviCkM^Mwc%gnuVPfVMdP4z@)76KEi*RbZa&Z?+BqNCDc$vdhabE1OoH0U*GTBd##z-?sI0=I_E!GOG=*SzJK*9uEUYSXy{_M z-cWQ0Y^H&DovYyu>b6XPeqoK&L7rKGD94QmsU5)2BfAy7(SU*MAH1yXXDieK_o~Hj?dNEl&u@0!MKNOJn1l!| z#PoUVuD2Ohq$3~T(#$%p9+GD9iV)uJjqhLF4hqSeE>=X(e}A+QdaXKWH`H^34jwE) zG5tpCeav{OFr9YIDL4&!+4~nDg=P1cbGsiJ*(4%> z;`SyO-|zJ`TamIN;Gz=(>gyKH{hH3?ktY%&H@B^90}f`^;89#kj5tada9)9B!X;GrmWOUI+N+4>J_1?O=BZ%RgPm0& zNXv}|A+kv&Wgbqf41xajP2mZbj?D?UoR--}Lw|vYz!d+^QT9?yMdM@OsIz~^$CmPxxmlq}bwuom!s+gj!uaTK$Yk#`w(og+qRd<6egK^U|XA*~j*BCB*@l%kr0H+|cPsBbK614~2lo$66 z(6^et5cw{X&Dz7_f-+s%C(gkpz@w(dM8$D;yB#V7tg}UP=}L$l;3wK}vu%boP50qO zD)^A3#{orSVAGu|nEFkX%BlIE30^tAx%n5$e|qeg4cP}P-k;+N)pp;Pe8K?K3IjS(?FKCAWe3r{mR*}ZB}y~z~}cLK(K4%;p#GdhIqmR^gc z0=&W8ZEK#h;}8f#wNUvOe(}EWdd<+s&Xs?#ck6lg`!sB{4Jn=&&ukV=-WMqeSb5** z{O(3eo-XOa4ag@GRYz@6bd1VSI7LhLM?;c!ZibWD97EehiX&EMM(fd7mbuDLHq5-^ust% zamo$o#T#n-Wc>N*W4p%J4a^6DaE?Diki9US74*gYSt35Cj2H=sg?$cinr7TyNx7Qw(A=9gLI#xgi9Pqe(`KGMx)p&hsPIH24 z0y(3;s{SfTj56S+c>Xa{>W4jRauvo{V0k$e=pOvY=0hC3in-|&yALy-fKfYE?!KNnE1w`*YZ3__iS#T z=zz&D9ZcG&IWS()T8eIO1@uyWS(a?B&mdoV{+!B#HryPLb>8RyVbjpRP;n#T$3q@M zf?QLyc`}p1;X%(WCzRY-+|zj-w+Or8eqrVj9g}B4pkdc2jb>niqGx~ZSn}2JW~Z2D z)c!$UrNi*Xk@APtGy@oKVny$$V)?w_gYp-lDjSq2u7&=Ys4wU3Zy|xX&4xz0*XW;k zIhP8ZKnb8^Mwx0!O^v>%T|;a!o06?9ylVZ>XNXVa^uecu&wfMFdozi?3%yrsbF6^a zdmoN`dOBg*qAQPW`Az=OtdYVdlPY}fL0ONX=cO2}_mbGaZEevPx}GgaeYsLY>(x{8 z;&V!6Mo^J^P^-vXnC0hOij^zp{Nr!rr1)8-4JZ!vOz}3P1KDRXQ_16^Q;WLt(S-+% z_Xi9`zFtEnmL_j+s%|^U(JbF)z-1;cf3Zhr#Slx(?(PBx!8wl-l>jtx+)ggQ87%6i z^4VgtS4gvoqhMr{!>8FTMGYZr>+=t(pS7bBY-(+^Z1V@3eGw?F_f2M;g{)Y^h2sy_ z1_M04wh-bin3UzKLC&smTi$BA&d}9?uMVhek;j}*-AyEIg&eKcvuuk1zl@dGk*t1itqnSX9&zk#gjUI)TQv|FLd-c;G2#0~KizP%T~ zw|81PPu$y(m#kL|=k^XfO~%cY`CYy3(=maS_1PrM7_sqQ=v%;-lFH}9ld|_{zObC; z^!g&o1l4CGlv2(;&`goXEh6c8SyBot)5Tku6zHeXhU#IkQPzE$X~yOA9X=SvMA);g z_inhh&l~^4ywSWG6GjTu#)CF`Lr>HYM+f`2_Dq5` z^Iz+eH%5+gGF9&`_AVOGllE6{t(Hb|BxxGnSFz;WYhj&w-*PY**A)6%)wbGQX*vjC_BEFo??v#>sOGUifKIyT)gU38Waq&r=A{TFKJkGizK=eB==L3-%6 zZgMcU?b$bKoOivE!)|+xzh%mt7JAm;LhThZ`^41veSmQ%PAyh;#X$D@ARnDU6n5G( z9XBUnD0}meX8TTaeriMI%V%Bq_Q#3aWkPbOLv)`g|3Nkq4~4F&ijtfSrWvOh1_#Eq z`U}6OQk)=ho!RJ4d~?+3=^EoB>Olm_TU8$bSWP3^H1kR^+TO^asN`imu_Obr`olCM zj2MZeZ30)(U}^T9SS*)h30k6j%K#f~WtYEE>FsvE$MUHusHeb7b0q--QV}1z&(AOv z5-9-X$Ye=QXH9r5^pjaw zHry_krNSyoMgKt=5QfUhU#7DGc`6>rQw!OEzQ<^>xNjI=J(5m>-5 zAuhSvZr9?X%dC@EG$$SbBE0Qgb7FYQn;hk>lK>rbSTRsl1tvsZ5~&9DYtd5;#~wx2 zH66Ca8f*^x6KCp@46+UaR)Tzgwi5gss`)o!%RuxJ9hJ}Y z(;#vxS747!OUE=T?e^qSl`$Vwq)+3V%&~9sJvoBztdRf(w@fwm!#A~LOD0uAB9k9| zk}NLBlGmULeGwherXyDd$7#MD3{BA%EDIbQ9{`w$YZ_b9=Ulei+cLx)OZ-#2n8guA zQiJ{Tr53(u4lqK^v}fx(z1xpa%PRu_6Vdzb06ZIrJr|?vEgGEiJ-&+Y4KGC$WMAt& ztq#VuLFrs9Z#k*WO|}X38NWCu%p}Ke0k>YpKe=6K3~v|?dA8W5E(TM%rz z?_6_|GT5Metq1 z1My@Fcne%>h@;(zEP1OIreHO>2Oo==DHRp*HFE@v@BMm%+tbb_m zlwS#s7q7be_=}Q7T{*_)sU(CnRJ}I$|GW!O6X!GjYjD1j zyP|)xF8SG1DJBS210N{HiWm%zJ++|Dpraj^0_J*i7ib54`C``BDj z{h^CHT>i@OuDYbj_{fj2Apl<1)OPG%V?Wt$bV}-Gm#NHyt2^H!0?WjVu8A1#~A>fVVIXkHLslt*FCK45{6c0 zf8tbCO)p3=+M)7sPO8$`&{*QB`xA$sQHsBdUbiI-Q1k-Sgf|bkW~Lc7s2#wE{8*~P zt4`Kqjg*K-)blR@tX1uJ&Z)x&@|{Fa;;^;tHmm=fT3~@@7c@*mD6;Zuk#kY zELcUj1V9D=ibwTB{jQOF>6mu$OfvX7*p0{O~Tl# zbk46YDp|JWwhWq z@edbE`hH|*8`NR725Wq;lb6o#WHsS~RR-cggpq>{{}N*1(*gB!<6Ct$HJPg$Wrs_h zo`@5{rrbhC z{D1PC3qwzAytat8k^0fo zos8M*h|qJFxqZY^pD?AJHZh+eW0bL<{gI4~l$R3}$IfO`;<8TtzhL!ZE6)hv%S%s@ zuh$(LP649ZH%7mo;Ep4aa)M5ajVmS=7UWl;@t?fPOGdpo9V2ziJdxh}Et^BM*qjnU z6pg-9zVrPP5GH`=rr|Si6RJHJ=2IlEzyhW$?)&^xcs}~BU-Adzgshn+hla7QA&caX zHcr;UF*a4#WWB$iIn(rbDN}Og($vl3@c>_pWd>RHO1*j*Ju*=f=4j5*|CDU9&9;I0 zsI=A6!tx%FnPzxcX!L4b-CFhB(7VgbN{XIFvW z>DiyMzSeC5c?Uql*GZZo*l(3rOEjx%8uA!Cq-x5fIlk%??>?VO(508TCF_M_RxEca zUL0KskUR2LHj{=&Iybj31V37{Smp5C;1rkN-yIk*@c^J-;@?93{ek{->o>VD zY^%e;kAilZsj+z`mVxqt#6y8;2Su^|V&35?agoVeK?43Ly~AO#Tps(Sz>Yi$_u(Lf z6@Mx>PJ>f!4av>9wMZB+#Fr)?5*X&blx!~wce57HE(`V*-$>?2)P#)0`TG%>ZhXr) zLW^r(9ngCu5oz6 z>fBIzRk!%Vp%hHa@KkKea9e(q$)a#S?{HV4?{uGUDe>4n-lbHHp zWpg%{UQaCV>-1OSR(71uA*}mR!ii~pc* z!419b9aY`~=kWfljBB0Pb#I+Wg?lD(uGz0Iv1ckzVhjE;M<9;ZR4o9DYHtyT2aOO^dZ&T70?X|s|?WV57-xOte=M#wP)MBOof~Jn&Lb}AromGdfp05NQ zQw?kpMF3EZ4MNmZ89)tOVz(3P`}&-1ys-Q8^p3*iZiFQS`0Gy+poH$8SrzF^i9Y{4#7>J2;I$Nn7vca{6T+7!9>tkOlzJ(@ez9eztmI z9qIo>Lh}XR8NfM69BUmb#%YEP*GG_%JG~#4o$RCJ4Id0=y>^eauDL1$dKjY+V-m4s5%KS>+JoGu5LkGiefu+NdX%;x!?#cS@MmAR;O6 zgy5&hVsNojY+*IU9HZU5fP%A+9~eC#EY56W;yxDjyz^>4^4t)oO`YZ|6DMQnI{Lc4 zJQd8?oKPDDoSm;ze=nq-jC;mwsenQrtlBLBJCnU5k{btBur3Ag4A2t;Fs#_q%^ZV; z=TC)SDnsWyORzSvvyw+%v5}F;=cn?y<2_pl7lP%;xblVGnr8$d#}3Ua}+^kZR9a{Yfvcdt#snY+MtG)J9Z3d@~HE zp4Q%=aty?7rc8<$o3pe%a+&U#QcRhF4%x?zY^93~YpA*t1`Q#&-p4!#7nMb;D@~r= z-2Hz@&==>44Rj_H-w4xoCwpOK_MVM4UmZofimclV*Xn2G=1lcoWlUm!v^KkRZ&E>1 z*8ZV%F1^e207{HB0v31ZgXC~_X(!LGGBwtpVvx+Z`H0#lRB8m60x{Cb8DV;=0M~>s zQdp`xY^Q8mYGySXvfM-sy!>?{LG9xw)0fRjFeb}30Y?N%h0B}SlcJjX1><7@6n6qZ zgx@XHKu@2x9uV=#ECI6y@lo_7aM7QPIoRl^GJ@dolDr?+%V{@cx9!#;9HyOopfJF> z(5}hE>qfNHQXSw4jpT_t2Ffv7ftyuNTZU_i%znA6SuCgQ8Ved|b(4~gsW(qh;(B{O zlXA;Ms<&Rb8#H{$~eY&3nh zf_~_{mHQwhcs<0Ce|!jOPdgOE^AN{KScCL)gca(Q?O#n;@p`>|~UfeedWPO>F72gTws~dA_$h82dK?MX4;a1W9 zb+DC*W?D~DMyJ8|qLnfUe@^(`&#|BN915T>M>`S*tTyAvu2DKsBP)EMk55(eeu%#~ zt#DFJaA&4d`K-nyFd0_QWvr^#G1VUwd{+jn9ot6C->IIvyX-fnc^&3)@L3sk{WeO@ zs6{VzYn8-8r7U}_^UPXR2!Qg&Oqk@}!aP?+7-ypNHe9e$laobT&)N{|%LLbozY#>s z`HG-eYX@KuNR)Hw3M~X|qR3Eu4Q8507`=TmppU;%Kn)&X2ncA5LGUa*!6>x;9L>pc=BA zdOFMU`V~Mjul_}!Slz{W-sRlU(S&IYTb12UM~fd~46R_R&-UZ}saHxHwqyONcRKBN zw`hGB{Vg8XlhzOH4t_NQjY1u>_hHaP`Hw!U0;%R!&I0b2dNxZx?%~;dIWC^;bpiy0 zsxH<_t=4F`iqaKmf^G&?yjAR&aR(f`3@)w9@7HOQ23(+-YfCZfHnrW|pwG zJP~8a#Z$9*xQQDUp;a*iVAD;{?T>>CYrIbuPamWVL)p34rH&Rie{fg442c8E(%bjD zYE^|f)%3lC#^ml+YOlxWzRZhQ@X^Dy*14KjIC&9TSEhm^njOFU&lc2@!i#>nvo1tk z`#N|&H&sbY=cJEnjaa?}n*a6S5tOO`qvz?YeZX8XF1~8F#rzuo{B#A5v{T9?dfP}L z(1!sXJz^c)II*LM)sk^aa>n+393k4u*n&@r(AyJ#m#dc!@)6u@$@SH+LWZ>fy`zfM z;b^@9MbIll2Kx=k<)X0$*U3^~uo!Tv<}l-)F3y zQ@c^y$8wX4n#W84=CuBUnBC!>DMZMm#Bw@oQ&x;2jcB)|>0-sG4IWJ&#cn0DUrUD-7~GJhfvnfT?r!e<>A z=%_b4Ir1X<{Bn5g7nhL*2!3vGlMdf6KJVq8(|P zt7B0c6*;Wp-Oywr0}^n+;H37Ecy;4gq>Gn9*z|0g5|SG1z59r;ykgrFW9Y?Qxn_^m z_I#ggFIc~Le?+#6dyLXjlj<>-gb)pUK6?{~Fl}~4!OpjOkzOBuTF7IcBJcZNyY({f zWK`6ZywtWe^A)q_jXyd#f#jZ>sXvr;N_ZOv;MuBX>KA_CAq(%$QMSv3GHwzM{j@~G zFo*`Q+4Ar;rwuXaNk4CV^g71&ake;2&W|vW9@x{u4op5>f;~K-EeGYQFtoIZ`hEY}s>fj^Y6pNS)-R>i@W6D?)0P1 zS!44zh09RLeQ?WX*HBYmpkmO+_59Ahoml#eME&mYn_!0L1YcUTrCkW9x z@-LcBPZh{B6v>RP>Fo%WJ-&Pfe-7|FqDLL>$xp2mo2n?BwSt6tqt6v0;>=NLMkW99 zt^W%c^5co$Q#Ac*Cu-8c-h@zn-CQp@9Yg0q za04+r44=(0E1^43Ddk_vYx(7Y*xRR+Ml6ej-SdkS5SWFvo*Dfqc|@l8eXiBV59DGs zBDIUrPt~njL~@17ULh@6a=m&~>HXPxUy?+dUvO4;-xsvs)qtB>pT{j^Gz_TOjG`p} zS+L_@5MG}FBRjx6ruB2hT-?HY--eMik!ycMkjk+CJMsOc5VcJ``437AOn`A{QZT*t zij%cnRnOGzprIBWe3sd}P@T<`z63%b6QFTB7<`m-EkRN}%0wer_Q4jAuAnYXlG=fm zw?!ABhGy9FbC%FffObE~o2(UJos-Qm{9W;a=Q^1N}vq!m1^=-0nLtLvY`oJ)v_j{EKSd-FyJ0uxb9v^Je`6$;F7w`-r&R zh9Gae_Mf<)0Q;4Ha55Tsx4O95+bRLwr!P|W*^?5FSY2-T8c2;@Q&Kn3MOP8UDC4XdR$LbF1z@FR~bm|x>O-&<+3A^qqIi8 z-z&;aHXC7XuI{~G3~cxI6y?%M;{Zjuc7=8YO`5VQZhFt9 zkwxSaQg6TX2lEW%G{6xGbhSvvr|S{>8k|rUCL6-fD~DKGZAdFSG2eO?Vp*cpZftkj zXv6LFWT<`lzfdX%PC`niPfce=0-{Sz_NMoBH(!p_wZ1>;<~<+$#!rt`IkMd{0!e_v zKKKD%3uAt!XDC(p<|LNHe_;j?bRi_ly+9lvvPA@*HA}P&J2Tm$XKV)v0zS680zQ1_S@?SB7zy(c2hD*BdwG>R1_wMm^W!*IW|DhYwdKni z9#ZB|eE&*S!glA1hd{z}Wa3iU{I173G1*;}KO7;{#hBq_3+Sm+v?51jz&!i~opqb26ORb_9o_xi~1@~)5k z+ZpEFpNhX{S{|p3fU#DfE!E*=f(pmi=7{s!^i7}Lo>;){uu?fK0;>N5Ujhg(P1vHv+x={4?d7r#B^t3n)6e}9$YYi+|JXapM>+RG zoRa8uBQO7gMV>`pju>bkI@RB$I+SQ*V04R*jKe2zsN)^|H;VS^x6pkuvId^BW#qS| zoAQqGdfnMy@fnJ#?!AM0<1%9mOklG{rY{A(^VQ*Z% z1Hf@e;F$gXVe_LM9ODm$FpXW=Du~_UBTPy0URs)p3GDa3*%gDT9#H;-EI8V}fihUk z26KvSZ!ZBhKW@08@w99sK11_f@7VA6J^?mA;``3tgP8Nv;O$_?4B357IV;mpwa4el zFP7aQzs;$r92i+}`c)VKf&YiiPmzL)s^MjT07}6{?^pdp9c+dhswZc234(PJwo-Dh z;BbA4Wt$GEC5AWwWHODMBwmesIo-wK^02ymeW|?I0JsJ}esh@tgdhS4Wx#9-*nN$& zRcgh)UE$s8uWTEtN)X;S^knnuGgcIFT&vZLH9zKSj;WxhO@m5Z+PP}zK_mZn?-&7ZAJq*@N;w(#`FFaAp*dg`C6(*OSA^V<{C zxf98)r9S@MjS2WeSPdlbM9z>s@hU-uY79vFRC-tK^LiNV(*qeb&&nhUlS2mHOJ=1@ z&wduor7U?+b^_Iv=DO~{2;0o*^B8ufAeOM2T+Ycn8qk2-SD*)LGGUNT+uO#Ok}-KSi4gDz%D zbun#z(7XvmELGg*wPbC2W$CSLrjF07E_2hGa3_k?I7wph{Jk{3oJ>ixq&VW@ubIWY zhGWu3wWKakMZY;s1sF?l$tOs*z4U8_DJMnOq+x8UghJ$IVlPdM)og%0*1YV#;pgfq z{CnHDUtAp0NSn9H6?{7AQ8sLTVElW{XSA*NW$+%|u2OiPWIR&z!oP0m;fKYLB0 zP|bG1W?f#O54v0)v!G9)OlSU|Kj?oEe*XOAM3DF7sjm);&~V&&V+YGtY5{h-m)3$5 zS_CiYzBtEq%|1Q$yYIw%x{u1^=6<06)(#=5+Oc@s1G#ys-(T@j9@1ERuS6B#j%5(^cf3(dB|&qF6v zmP-eAY}TuC>oCAMXO12y`fLJ>(Nhak z%l%aZ{v1ranvTR<6rqGGSZuR$P2ic|A~Ld-Jc4-MZTP}FoW1ock4c(hd$B2bvW z;DWtfLgf+_T@;laATxaNhv`kQ+*~F_RbI;ku*TzL`E_PIc9{Wlgq}Jt5v*nTCcpYe zS|)KOjS{kKG{jIy3odI{778;vVMth9oKOG z5juy?<&cKT$Lk3wN4UCw((W4XcsjEGfsZ{l`IQ{`!qwh5q zeSK}|jbrj07Q;z!P)FEXW6;2t@G(~^T zq}a<}5?=Xnk#Qm>eSZjt_bE^@w4gTylf_cwny<6SSS^3?cCtpN1S@8<;RZvJ>dt4z zmI{ftD3xVpPH*z*WSV~}7|jbZRT=dBv^jmc;;l^m)=krO)60eZxQiNAILazLb zAZgDY^E4lh2TBL`jXyhtzt@Ssb>hPRu|$5h84WmC%knQxzY^iwOzdf4=0lbpKI<~M z!-RlxW!K8uXP~9j;e%@CMA0mTMA&eT`nAy4T?X6R?Stc!?!~O{xu&Bs9W9?E6F*z! zOW_n+X+2t?43#NreIU z56chwq-_7id!HkPW$XvOLBVU0>@~oj07HkPM*Bwx_$fH61C~o(!kw1w)DCw~Am?Bc zjnib4uoD=tbTdutO`!iOWhMvY#e@%C6L1a{{d=W5O?jL)$t$@XT5BgY*Z5xr@QTO$ z+c~*HDVsQ7v$70;#V+t+rBeuF4m1HjUjPq-BS8K zIj1jAan6SKc+SF_ml`sANz47a!t(~ht+x++`%#i644~VXvd-66=z5Z8m^i%m(Cnhkq7-0olU^{F zWt>d(3VoF1VXM~9IzyhlSrhaKYDBsdzXz*)Ns9a4960l2e#(z=ffZ@*-T;!k`ie2| zF8L(}U#bTe$^Pv>JykBAnyhC9)qB8vFMv{?+%I|0@*z%6M}Q`uN#~jwd=R6Bd)jK# z{TlOBSZsrlHYa;~>}WNADSm`&nhpK=I8`VBQ%TM+(?V zx%KpMz5chK^q>EOWCQtm&^q+g{!I!no!}wYa@aC9JO}eg8>6!?(4WR0Y2pxVXM;OI1EDbz<;%FvEbPQk&wl~Wk zQHF1*(oYZ9l!uWPI0(03vm!l?_E1c#!|UBUtdyPsBq=`13D{8auc~Le*0HP$@ASg7 zQ8BMEMwm1hRY~#esX+QMj>LW6I4I4$cXtJ3f8a`tHyZ>qQqtPq7R$J}zY~r&MY{u5 z_7fiS{Rpk@Es<4BJV6SjHIqnBKQRVwAl1?1gxP0)@Pc4Vu_b?W0scM~tL(nyJ_qU` zx5b{6Il|V=5K_21$#hJVLWjRh*R-nd<~6MPLJLpQh3czLPb_P+OcS>je6!P^^~-H7 zXKi++%I^&{&J*#P$d))iS#0N<+{HqyrJ$zktNAh5Uc$tJRPpZYm=1pHXm{73dv~u6 z_$0>I#Fbv#HZwnNR<J{CZPc^tTA$M|3bg>ZB<*nzir3JVKdUao;1?0 z(BR%VP%OVsU^tBEFv4thRy^(4vujOeFQK<`7{M5l!3M6t3(V=s;p0hK6P@vH2UBf< z>6FKVmD7L{Qw5LY-8U?M78ia$mO9>WkRALi2+1Y&RnH4IC=q7c#cg^K^g>S^ew zOJa8(2d?ypU2|wwP8KQ1_Xqnj`FWgO-egKM_)z9)I-sSUphfIMu~~k-f`OP;)t_4+ z1bqukz?tGrU9^5y&$`nSJtYpZ!J@5hRx<*~nn_1YtyS8hO=yR)Ublxqw<^<&l)0=& znDG-qKe5eD?vAJkBz3go#pmZr>cuvDUDqWx@-va_%}}H}^hpcG9i4w+fQScmPU$a~#6D3M6k!VWZt zq_9|76}N?$zD@S(b&P9XP1ZWNWtvBH~@feC7Yz8(Pq5|zRHA*mrEB-+~`1?9MFe;?F3>rg`H8vyYh1ufXQ zA_H=~>k18M9tCg<2daTC%eE40KObJ0@nPiNYNC0qS8VU&Y}D6GDYUvSZPdd2jKE9# zOIxdJGX^McJe%_cRvjznTSp>oHF2tmd$$m5o!&bk6FS(&3cj?)kz2yuEn23smInPD zb@b;cwh|-K7U{rBPhgOj?SwP;3Op4Zu^h^|05(5)--hTZ&^^3!N@pmUPzyG14Vhau zz#47nXZy1;n1)V>&fu74SP_X;K$J8NW%S%))1)~y*tXK>UY=vaeZNO=&KyEd%QT<}z%bw%t7}W7S?_K(Y=Fa2gFOmW=j)&b?J{um>nw)z) z-qXE0*Gkjs%d|11tr@;#F?0No{LoIKXlJ6kIP%D{K9GN?qO#RiR?Mx?oESG}1UC_b z;RRgUlu~|;!s7Nn4&b&S*6U(zL?cC4$XP0mi&8`L@l8b;8|Mp(iTU3`FpdouR<~*- zl#0hCb>`f_#BSHup%}O2stgtdKCC0r*b$D$D|5X8ALVY%0$14W>wl6J>MjG}&+r_G z#MHPKy1`J*@1zsUaRqyJXIB(s-cFqQQb(w0s7AJET=$Rn!VtJK=_b*H`7bmORYO88e=*Z5l8~nT?cV zHN*JFaTDX%?;5oR{yIB$c#mqtpp&p_`UGEs5-W}s6~UG#+ph;n1c(7rwf18p^uLZe z(UKVF@5Vh7h7_gXGFfoPVEhq)mwodeopet%pbk8`07?d4E)@tGk^*}Ai}{^Yr<})C zr^kdragh~3mb3aQcJa$RX}I7pu}g#ylpgJ#_;W(^KoS}599A`(R$Y zZD6vprck?=WU3`vJMpqij??&tDe@Vz%o8SaTga}wld=mpf9@-VkZAFJGKP2M+Q#3d zyk}y&n6f<0Lf8-o`<;;aYkj6rIOG;AmQ=}SWoC_!T%i2MZZ#9sJU?<`(=6{vbd-n9 zc6#N>jOEHM45C2mte|fZ|4Ecv<^P@Z=b<1&`Fa_F*1Mp<6w~`F=-8p<+zYLtGg0#@ zzlL<%c=DN~*z99=xxF18{9ZDj^+EYydWEh(An#zlEiv>O<0m52x!Ej^B-OGc zBEfCBTq*Gw;rX}gm=PG|9$+0=n<`_rlm9)W3m8)^(B;Lg+15?z)cK9LnNf(fPtmnv z_OW-6ZX1m>U@JXoYzzum%VPZ~X~D^>N%4)R>18Vq_Y=lzxuhK2++*4ds<|X5hh~z9 zBXUCjzBl+CB+e!NRVm8uob!7qrh*^SZ&pk#fI;-wDDbX0m z#|>NP&q0^k*iq8gcMw)@XKx3JU_A(W7+2S~VeWW=Ho(>?vv^^gCM2;+-hF+|7CbFt zX+)?yhud{5=i7NMqmuk_KDf(DcxjcrL|nc}@*;2ePB9u&BqbWnw(^xCODr^QCv?HO z+#M?X-aXbUf9+RD#rV=q3y zTQ$By+_OxtJGpphRc2$0-HO|5EJ*ag6TVX+hG89fInDCT-~(UEQ#eqJ|0 zwKg#DI@ipR=)}2F=$o2>N5!oJcd|`A>Mz+*9-?+bTh- zEDAJ)SP2*BTO?Cq(OtD_!8fFzmqXcq$-2kG>*s*nO*uuo1_Wfgo zkM||uD{JBt*&w?^i-kG=3Eb(9m7`spZN<@iv+&VjLiC>J#NPO-4fs#b++FhSYbPO1 z2jtdFa7bipHUvFr{;~*t%T&#O#^ufD9vS;q9eK}CN7L9KQ=@_VwFvDAN0YTVDRZJ^ zTgXg^n4bBKQGQjGeq69z)zdWAdc-er>TH zd~$YM6*ksF>~1bAfUb>fB*8d~@#asUo%k+-5CUNf^guc|MmgPxul^DI${c@6Ito7o&eiQ;!tD7>fH3ZyiT z#rHJ9tyQEp2QS-+t`PP%>$SmeYDdM3Y7Prr%UZ$8rbO|LD#GEL?yfW8J!Y|qH4@R% zG$9@(V6a`MX{g9gR2{Ieb`$=l(<~>FC*oOh1)~L&cHA9b24NlS_5cYz{)E(pEH5Lq2#yWI zD@Q{sF|6=or0jhv!Z$F%yJNwt+g$#Vyz-xq7bG=*k5?2~^-HU;~cY4s+JZ8j@%^m>@v&MH)v)KvlgAKaaZ zSCi-3?jsJUAcNR4O0-n5Ri;LUC`nYR)LO)0w*oQzqFT)_UK(&+}aOb^q?` zk!c7YK+jdiX_$9WFJxpw~Sq_S0UAqZ3irWWLKQSkaOalRLBhyX@ zrNrL#vDKnJb3-e)U2ZUdWA9^TUs9_Mpy~C7RY`7Q%}sIb!dWsHsZB4}{5}K|>EAe> zdvfLd4LaG6?@nJ|!sQVlmP5CqZ#%2c8q@*(EY$DEFGdT4Bz}r!JD2OvT$LJj!g2Ne zOO7#y4e)`^Bf&4jXR7bQJrBoi7K98&vglO^lqR^O?K!QDa|?kl=t4_Vouf4&?c18I z+Fzgo(0$I<5b4ZmkVrY`naUXMBNc)KKD=ugU~#J=!JW+4y#9os#GxHiU_p{dPScfkfL4G`SEqf5|>( z(wWGd*vvSa(pe%cZ+rXW;d_oDhN)_UVkjVv(4J045oRieAn;j$ZVeHLUZlZoj)A}E*=Ofi-I1uK$`ROJx1wO z<(2u+BN4~9U@sAsM~)3q3UFG|P2T zjfk5fY6pNbq5}5W`Iw)5qG;o9@NAzDhzF~C%p<`@XVf6owO4v;z>QH!0u zmyDPwB!!EHD)P#1?JA|{kXk1e=Vb>qoruh}NoGc;e}^35lovv}Aj-O1fL!A(UlCcTyC zwiGV-0j1;^04Y8RBzCjnlLjV7oy-)AzmFs0XAY}nu=^4$D?ty?+MqpbW5{N1ChmYNwzVldMU6L0yh|@ihO=l9OZSwV9J!!tk%&w~7vpt!Ijq+YR%_4QM zw}8NAJK$R#e~H_21g+|f3@9@{PU7M(-lf*-CnG0HCBPL-aC9w|FD+E)?{k6N+c%Pu zkEQmn>6E1xo3)gR&{s&3I9Y&M#hZIuvzbK&5rTvYv0(eu2aQcjPeD8+K`sfbf7t zb)JrArIw9DXETM-OnB7&oepW9`0C%8t5n;fbM7%cFUOB-C&yc*?ehB#Umd!=hha{3 zlXs^u>fG}^b}qi0%-lkbRG%L!A1`oQ&eI>bzu|j<4PDK=d<6Om>*{{6XuS%X_M@47M&w1Ucw{i@=>AnZ9QJ^UC%8i;}`s#deCIfR4K6K zc`xSPkW#hB%U!QxX1+O5)EVZ1$%)V5tvGyJ^=O?mGQgSvCEjp16uZuPD1v*$7{%L` zR5;r|yL7q+T)1UmT>d5lJ? zCF94MP3SBiA^aHN0ZuvYuw+E6X+Ev6ZVO6S)R3_=OflAUiYVXUt}8@w$QV|4VW-Sh zdfXGAL@n_nm4MlYj_)qh(gKg3)+Zr`&Uu0nn*MgNffM+q4{i1S z0+F}$opaE!+uFsSU5=c>%Bc!3zNg*i2_C!`-*RUswaYXZ>!_`xUDRjFBei$FYu}~;$S%*< zM|)DoxFrZQGM}61Sa!2ucTz5X+f_S(<>$^u9c)oMpFSx~9_7;G)%V*ne1x_=A8lHi zz{61bWY2avJKi$o*|H$^vchD3_C0F?23ifsR4FiN{aUe8dm)7H6D|G*FCeXz{FdRE zI(!Goa|IdIegrywWBw#{rlP%)ue-mhympRFOqk=&YkJV)4C1hH>6br5Xh}@`ICAO& zc=G2V6AI?dvWTJ&ShTM17Oh`~nG2f)W=7(iCmhluK>v7hFa1jJ`ktV&vj>NZUwA{W zr!iK5pKa6u)=PBy6#3vw2gwwF7p(GIMGZ`vQnnjB;cgEf$d+Ukj?_u9a~}f>`I6f8*!xWe_Xv>90Jp2jzYd9#h-$q&2yPrrJpo{NO%t7}N$Un>T?#X%_k zc~%C?Q8CWDS8q;yw989S3w&UN75Co)Ehd41bq3CC$70Pdo(IZDT0HqB6*%Q$0AXm0 zIk(8-_16taZ|Deojpl72Hsf@Xc5QhuL#qvcygoNVS*vkEoEonkS8mU<#?O;zstiZ{ z@K6!6AMAR+f~iAOm`ZxGSd}t8tzt}KK2X5ye0OTVammngV>U(&f2u>D2id!r7oigW zrkN^UrW3f{D*eoUi76AZt2P*buedinIDns}_twIM<-Fgp6dqh(u2P&)ccP6QJ!@pE_(`VSTD-s0JNROp-9O@*YM*|Sz>mKaMuc-2>6hQTvsPTzmjl*QGz zy{U-Lq(?$P=u{7-*^X0$HK^w4O}wzh)TH+*z2k5@rOU|b~Um69hU&g?nnC%-0s zxel&=(jZ3>`iI*2I-Of7e_n%)sMP7_70^+=5HWwL9i|dhi1`V`53FFS{C~9 znev{X&Pz~$?GlD2bfV+;m`b5&dEZ=UQ+MYhCYsN=SC#0^p8=#wG9Xo+6PDYwA&=IG613wwxGs>P7j}SkmYOV zvdc=j6rX60VflOz#5XBUAO8fd*q>)6zTpQ-hGcY!tX`LbCckB>GTP1c!z||T7$9Nv z_7maZlh3Wo!6}n{jYCBYX?rdkHc^2VM=$Cd3VeEM?uv}ip{e^2x%^jkT65lzZ0Ibaq(>#Yjp;A5jcAOW$jCX_OOW}?N|VVFmS&Kim!8q5cuqb z#66~SbYfXRSkz?2xgbCb1|QByO4!e=K@hYS=v7P32ig#)X9WvQC2YVk;QU1}#&d?S zgueN%$*e&AZFC+9FNNgFHB4f1jifnjl+K(xNqvgrKyu1dTNoPq`M1*zX}TXqPHNGC zgx{yl8EW~n*qje2kl%p}z6pb^3A3+`h*a@M`MkF{_)71&Bg>9F@*F802d-EwdWoF<4OzPu-%;8cL1DM{^jR4Nu(? zqn*-|qwe#M1(4;E-VlzUK>H(`fYJANQx2Y}mR_p4Z*6UaqTLL$lBI4rvMxC*3W4WI z;}~w9W20OCv7YPEsbG|4BF{Lt5EQoP7$l1#x@i#p!B7Q&J;;%Y!dmy%esZ$yh>T-k znF|xz{%lmP2K|7P#{%zD*gNaop2SdRc=-+%fbpkN2C((A1O;h+u$xa+>VI|9{&bu^ zp-73)y0oj|G>K^bGdUgCA)6A*wtT<_c=VknR8Fl*IcB;wbol|BnBt(4$boNGt${0t z3w-^*&){W7tlG*;dFrL6#hJ%kL!0X;P%JB~74<@l(UdTw1nexXs`;MSC#H*<%;#cQ z{O;OEtU=_zk3dl)>?Ezlxq#hZIMCJ<$B{ZPeJR(kTB3;2qwYOo1>jJlHkvCKe*>UG z*Hs-|)Hf=gL`nEM0zX}dYtZUvhs@`PtAf#r*2)fAx5sCltv&mGjJ1H_U8poWv$6CM#G{O-$E)4|FAMXF$xg z(Qa~oi10DfbR6wifgz5_e>?Hy=;7PZYu!pCma8vG7w{0cpKfo|IC{O$7^FP@+RQ4`}!O(KE_TGj`z~tU9vf+-8si zb!gh0Ik7ZOr2%VcDB#xPOd1^Cn>}BJKy2kkxLIb$n8Ly*zeVEzucdha|K(akv zYop2my60;@`sLG^P}8#qZDcFO`5rja0sSmOFidgxjO=Ux3UdzY0J~n_)|e5$e~adG z3@hP{c>A?|TlP3$IXI;$8heB{)zhRMkeHDrkfbd_!o>GP0VXzqdv6&U{YYE^tkmdL z;ECN2+PnKDmQ3z}%qE|EEZsT*>o8kk`^h7Bt$hjKHvza=D!weXQrUFNbuk?=OM|d2 zk#1T#O1(Kl8hqV{9aJXZ)QJg$7EOc=Alz_q#_6@AV@B&99bL38P_2#O`7I4YFwdH%59$~jGu<;kz)ZffsWzD+S44daN9-OM^;I z+=0>^_0XovEk1O?SP4^g$2fj0>?qrSS%tHKPumRFJiUhkJiXMyt7)(%1NmB79AotL zMDM0lFV0oWPFFUK-~Jf&NOll@u?vWOZZil=MfI4{E>WJjsEnCtrxrc~KjFme#d zSw5pn`D(yppw8TLJPxLK>$gRwwgHN49XXH|&&$Y&n;?k|q6|%5R{W3!h;f$FwRA_{ zf<>^PmwO3pH1Gy7%t1x2b3|fGE($RVCPdD)_-NGsAaCuFmaN`GTZYF;R z7|Oxo%l^2r_=$wHWC1(w{!4!kw|bK%(zLQ8;HM7g_$c1Q5va1}->+lPU2N^kmslWeSGAgCnGuXB z^JlItT6He;*rysB$MbXjBUEs9oWbY}E3Iwl8k}QHM+F3c`Dty9fs{EVD$ran^*GEn z3`+ba{at}y0V3YzB5tz9Mswh_w&MumiphgTx*7`1LYI;hg@>RA#xuZ9xsJLck}JUE z#hcVVP;pndl@H(@Q1uJVr70Qltz{roGjq>Hh|sE$;>ca08D)E~*~6!^ z;$vNO%gHvKhYw^>ZDtSA-q@G0e(P@jJ0ri1BC-GU8# z>T(@Li;s>4+pZtl^@qxSGmz@8TG&sI1uO%xy)AO10(zxY)FZ?`^!^M|dg6#Q@ zOc}=%ojtTo0Ku_(s9g?nKceP@5*6oLL3@y4>*pd6M3HRS-M-piWM5=-!77xIEMHXp zT$q~UX)ey;-rer%zWRX&f?}dsKS0GkQf7IQZeI9lUk*6u%y>mjE>;V1`q4=o(wr|h zets(A!U#YT;Sy+#w$Uy^jV$SRagr@Riwg_ey!y5^JgNo(fpg%TGE2}jFf+PwT@Tg> zjln>N36^B$yu8L z>-f0O<9g>aRZGq@0pTm2jw1}*^Y$J7eIJ;PdzFWunsz1CpG}(=8wQC%gdrgjlSayy z5%mgb{+9T%3mi~B^60oI;xJlvtk&zD8szpXKzxy^A|9-VydjRZTMwl*@K~Z*aWoLE9 z)MZJl7#H2^6LNF&6DK}onv*2WA{1gZ*lM7|aig1YDM;Q@qkrocfFnz&qt{SGEZrZJ zJfvRww8-3{;pR;@Bj!vyvqCq+*9|yz*U!4GF+<>*sd9X$P0{#C@O0-;I#X|3^yZ-_nTyr_dF?FUSFHrrI6f9Dd8*U6GmTO-QRTH!~Na`WPO5DUOwG#I_gV2{- ziP`f3e*Ir+=AB;;pmj9p`M`5hRpy0Fdv30g4FXtrS86jCdFqH~ zYg3?a$Yvli`aP()r~j9zI9|EFIZ!_~JsmNZ9p;H2(K6-Jmx#twGlFx%dEEH)S~pE& zDX_7qnyAX1?Xpl+L7ek1CGUM`d~!y)0-#BSMmy%0OyVU)7f!FZ`SIQK%*yA!dJcwM zaiVAv5*?72_zKCz3Z!x24=W3`4=tTOM#jNsgR$Pz+4q*&xhkbL{P65tbaZ7%=iwgD z+)+E4N9t-cOeuvRC&Fq0XpnU$2`$KvoZC5q>53cPEsrnmgVn* zr)~!94BCSxcNPo<%rU+c!<(^UXu4;UHul>dx@FZDN}JiBT6VRQ#0b@ndl4GPScmTW z!fNxUp!Fw;KFTFaymPvIFFZrBF2_Hm^2d;rPhiR!+2W>*F4FeL(X41h3c-R5%qIAp zqKv0eeYEs@2vw6mub2I-ss1-ixPC<+VUdM{Oh_0(7@kjGWzIaTjnU-kjc&Efk4<>H zR_oM(uEd#HBo<)HO^5d04e+SLy3Qh~jaK%6_lEW?|^Zk9X z*vIV2Sg$B)Dh4n5+BNYNGiASv_7O#!Vy?yVEvxW7Bfs~QKEG2#gUl6;K9)7wSVyZP zi`ay46CRr+`8MYOS7xp7Qprv+(y+Lhjo}?@>2rebSyDUNEXG*CQC5r2l!_Wp`9jj{ z2G1BvWH@x8e_hhCbdsm*+R^qvif_tjV_Ld-pmP7-zJ(6<^si!V)6gp7Io0%C@A?#I z!rk~I^ z=vqM7QHPD`GDG%0e2;8e^kyhrNRb~Yjfg>G$v}m0R8bG}! z+wRLs3|`z>$l}bgFkU@%_pG1$au@>TY1UEs*_pQnTDGbehU)FWp$Z;RwMFbLR#J9W z{O*5mlnFps9p72uOpvgydL_`B@vS&< zmvd9tR6h;jB zu3~r9jiT?k0Q`a;+*F*^0|&~uCJ&uLt*d&rFSmOP_PswjlDypGwTb+5zLec zekxmfe4(}pX}UUj#;v{E-(BKNDah!@^jR0e70@R3Hx#ftmg@lD!E5s*0`^TY0-oS5 zZz_PQ-?rGovoNFfwcGLy6?qjikF3$7qfR{SqulnOGNBTs3|!^}s(Ty(T5|Y9##J8u z!65)P^eRa$Cd!n!$YRy?Ul5f6!?|l-7hl*VZ?;A2$2@u2ksEU^95k77jK=dbEAwRJ zw-N_P4n$xY1AUE&)~DRf{ROUXs=VSHC%9+%kW{eKEbcqm(3`34b$N5@dh?W{v*3ww z`%6GYvRv_d=gfdQ)GBRwm1NQ2iVPp*g(kb=qWH1;hw;2l_UpqWSd-qg8!_5$ec5wr za5%4?ANqcfgTSlqm)8b(8H9d?BeV%1U}Q=Y|E0# zz1%hNHUxp`%wdk;)7)nU~%yib`pli3&{Gu!@{k(4`K9Yn`RE2$j{IApKrFid3~GP$T3R4@WmdF z)`QNK-#Sc50sB%@6o=r=9&Yy)m`*fhS&lw(M5%$uiXq#k?K0eGHx;7|W@AIrbYVr= zNrzia4kADPHDxEbVar*bZnfG3N9I-_ftzA|WK*52%YHXAyVAM}Ijq%w0V(uSTH9shS ze7Al$E&v~MSM(jNvb8A-6-(sJ(Dz)w6nwp4CsFeSUC5c;&zY&rO}y-!Tg)#MGz7Xv zbKbr&GgJ^FU z(5=^;+Fu=s-~x*Y3XCt^KVzQ#k=-UXEpA$oy=|#pd z>MtvD$i*cCr^>chJ%pj85G+{8^1$wiosZf~$VyJvxQKqa+wM3+jh(nat*;p4iplJ* zD$cH+ue;ZbNiMbd;Xef|uH;Ch4CY~Y@(E#-H%Ei|eJ{&10;3xt*k~f4z0_|}V9C?% z@#S4PMt8&H_;t8(XqQ`kI9`MNj8^~ zMi`uXh&`s!uoz2-JeZ&AngF|3UfEjY8Qsi*$2@WtZ7&Mk5*@2zbwwajOgV+3-wb5UhW21atjf6reDi@cpJiyx={rRG ziA0V=AQ5dL=~ngkT;t}64_>%-`>Sjm*e60%slcT~x+8yBW-&zw_Gy}2)D_VKiLfAR zix2E;rFldHRy#LuCwNZKi?inWRwL?lt1)}b;L%8E5`t>3`qjE}_+*x6m*Tq#RGgx% zCONC!3S_qOU%rX|^63|x5&6>dNm*_$>QRg@Pn2z)?{xzbnaL%nT|Kuat`uOhFlYDY ze*)uqdWNZ`IR1lucn(gWRQ2LgD=7S_gUE+CO-b7)B7+G3Q~;mGUsXkJG=_lj`EWj- zIeTP<1k8U$E|AStq1>u~?_lTo&V=O!S0A%3W5ySMXDk8B7p>`EY>tSkp1b<}*qQQ% zsmKFDUoFtg!mco7N^K!Baz)j~S^e+XLz?!sLTxwIH}wl$-_z}h_r0}k9g}<+nX7*g zNz{q-KUDxj1!zDgfAv9!!+$&=;~XN$J*=nm9P8x)Yf?9u##*6qHX)llzoU6n9%{aS z<2gxc;%7eFVAJ{73KbQTTeK##i%A7$sn5BZtHW`6&7 zx5sx=jd3;+gUUdK_i;Xau zz3fSXa2yrB!cQpMIq9TiiBHMBZRK;}j7v6^M+dLTZ#hPXO=li|O%3ATtjY5Xikmg` zizo-rR7;QJA6biHl-G{VZY2=%%{LMzBpIi-)F{0LU65N-#T9H^t>UD-2~7Jjdv*fA zAR>%no^2%LR5CrteEGCUw0QkGwALQ&Ae)g{gUaoU8jiBaAJ9-*{^c?L-)DOP{(%iZ z#Ov&wD-RCmxubL^@djl@@s%At-v-stF*?)|w#b4EX%l=QNC(*7#|3M*HUhYUK`~tJR{H8Pf4=e>Va9S-ENO6Ge85u z6|d`L;RNU;U!PfNM&Q{l2T^|pojK6@A(BY>^FODlQYP#cFIs1}#T0fum39L;T|wms zLtglN){80Ka|M%CpE!PJe-xr>cYF+=!+U(>q|uk z71=41#tY^;t0trc@E$Ldxb5*@=exBnO<4kWY&0IJ`BCb>ygA>JaRo(!DuR$x^m{xU z&kh_<`}Uw6G6JRRz2SqDK2v9{ZC?e;mN;M#%#O;+E-Q9c7q}mcPM1xTB60*M(c9nq zYZHKySn7Tih_9eDyh#$*tMZ1Iy|3j4TX#knHq74NBXLwc9r}IWwJM!FlBq;9t9(Ze ze*J?|SOnNh!fr)RDF*Ye&< zUn@bomIn$8!t8$#}zIGX6`&sj=h3k z^YfKySP7-_0lv}0d%tY-Fcl1PE5{>=13upA^(-KN!phGPJ6ghi4Col40L2>Hw<=3} z2;~)Z**RTfDrlaA^GaJz-K;TB8S@r`%f@XlokNG`Urmi)e}>iF+EYK(y)2CFiS2cIH_Z z(oOU~XP+v^eI`i^vDIRLIg*0UFKzlDRQg^?(-<#Dvp`U*0Z0*D|a0HQ6 zOj%Rq2ry2!$06B6=3 zdh0|Foal`&j^-f{`MVUw0ihMk;yXVPRziUxz~e;QZlQ0K%%E&!I+b*s4!BmBSoegm zz7Mqu#0SQl)p`(sO9!^H3fz9K$*oajoUDsW48(J=pMCmiPT_0a$CA2-SnYLG8SH*P zz^&pgrH|nsG6`Sx_7X7+C@?eihvnMdn3gNuw6J?z0d~RqPa?$c_w=vP06%a;J2vZF zQE%|iaR@G}kro#15sV{yx2G3=zMC-o$R?)T=ZKn>1!V6KqHkUoN>&$jJ7?@<{IlxE_>}%~ zheA}qfCJEyf+z^uYksEM8=%SJ4991QG$13V&j)2`7Y3 zGKlgVn=6uH*J}BmlacCHkTu9`9C%8<2~lHrA%kfk*abhukP zrIF%4XAzBTTWkS->gl6c458X^^yE1F^n(Cby*rLVM`d3lc{sgL$ku1FFDu}kPnffu zd*&5n3Gy}7a|#2mU_rr-j0Kz#3m%F1f(6i^>OZt(1AwK(t^k4O)$9mR_2|m?J!dff zeK*Q+L(kO5^TMj?*w{LD>O7C3uAypcE+Ot)2a-br&%2bJde&OLWW+vGaUmRi3j_yhVcvTy?4}jyM}chPEQP zSyfjIF{ME7**}`c1@7?0Q>^v{@=A|`<$;0np>K%deZG4fqPaDW`g5neUdLa!HjGRL zNi!Z230oO+CJnac8}s}%?qCkZ(-ZG&zR?(wBJH8VU^7MRZ`NwBlgt}|%e9rJe4I%o z&KxyX;GuoAF;B1C(BL0CElXAIn3TQAoaF-SB$$vDlsXxay?Ou5ZHc277GI41H_sj* za%RWHtNc^}{j`I)Xgd(da6kQP%UgDz?T$H-Zy_v39~w+2`65G)njnmvm(8x}?04Q% zzXq*h-LH7;RWWl1;nDeh00qxVz+3aCtkNvKN7-ZSu}4*jZ3@R3)oJBnM0D1afEDPN z)F`8*2={cnvCC_EN}jDF=WS$Rc*!#kO@%?r(0xGa+GZ!P)fU-~+aE{c(S0TI-Z;_G zKrkeo>ZqU;7J~EfV|*x7{h)F3ru0lsL`Q#6S?XN0@^vr3$QE$%oFIh9qIE#rNT?04 zb%xte{i^?qn)E+*^%a4C8km1Yaa;gd__bejy=q&(8hti!rO2WIaPL_!{4B2mojDkR zUtlY+Yfq%1)LGRCI#dMQncOkP7bQmpA2x@ihtNt}93eTCDazga<7RYh)Ob@?3NKYr zJ6V8sWUMU;NCGVULr8+J^^9LLLUnB17VWrwF>qxv!lAz#iE&XWQG3?;Gb%58h|Mo{ zF^qr&sPEXby)rQw+1V^ZUdoEF7<_hQE2=d9iDs9Dq(FX` znKY0E1K&y<&*W?4qd7rk6USF6MK?k&FY*wmVUTcy2O++-K-)ud5ZF`zseB9C!_@!3 z^Dh2OA432ClRors$7CssB(NF8Bowr$kK6y?uavF*avpwAvs5KbK-@T4}n=0oki zym5H}p6uVcjU77OanxgBwsUQ|#{{&A)>vpzt`})}9yD7~+{124_M;mW?ECC)7-Oxi zwa-y$nlx3hGPc}>wVJh49<9V=i<2~E~+{|mP{THgheEre89_^~ev zGCj&)9r-NFp1qlS<5_ui4iM#;;6C79d7!gt#)@r==di1(&5&DsUzcvWcBTj9q zOf{zec`4-DEUKdPq~nz60x-++^eoK{0o*53YHV%?_w7pAFv+TwA0^CeVAkN|SBZ%! z?MKy+Vf*n2-LNKc=gde_>R)dT=!a}&+^WvL zpkDg_6csUcp3Zkij_J$P@U21SQtJe<)KyHN1Qe!t;87uxm(HNTL1 zxxn)lqRaY$90ACJ96kCxU*-wleVRw1vtM|7OiKKmDr?N_K5Hh#+_~)hG56;hMe5Td z1Zj=iTr*PCRPWgl1hh@%w_m@23o4nFT@Qy6lv(xB;uI1;XmnVzpWG$Z7BNdx7_C*S ztCuSeIjp#(0o>%FRKvQqq4mD2Cpl)y*V2p-5)hz(8qXLigk;qt8BVg!V&mrsL17dO zKZq1mAmT+Aw$Y}z_|``L|H4cpBmP4|kz!Y0PLDjCFsUWtQ`(qnH~9hP&E+7zKPhQ= zdTH!JrckWY=JoG~R*3d4_@zRlhEbMqlIH>3Fq`a1M4vxLGR<# zmCnQ|tG(%ZnKxe_EPq|c$uY_L5}j=6IB`5!yF6Og3{kk_%yhe6qTncXew$)(ba_FO zaVxY&$_IZAoniZ%N%1}qV?@1AQ%3x0Jo1R~ON8=^Tt{V8EFKS}r3w-N%DUUYF|+~L z@e!rT`D5FNN^kg(f1X%9yIs_uzTFZ;Avww?7q9I782A=?o_~Ah{R+W4tA$ol`O@>= zS>*$OKLjAA-&`?tdKDi%bSz`pN&t_g&C-Q{6I9@{Y>!JbHh&i8EC{Dy?vgMZA6^jT z{?IXg!K|zxX;y`*j0HUmMh3!^rYgvZd74|qIzjX1W_tj`+3(71 zW{1(_zM-RJYjh98OHO;XjxW6 z&uSUoU`-gDo}#LM9s-)SY_A!3kx>J^3)!@xhwKS#Bz(KyR=%J2-T-$30B|5oFwQQb zdI4ekNA0EknUz3fP~~@kB5_1}2GTs99Aw$~8>Bu_Yv2zGJ~3VcsGK2C}vmG^`pd%c&XZd`&JDP$#7 zqQ0}f|=0|e+= zfy5MyJ@wERnJgp6g=sOT5u?e0=pUJA`qb%_DeGf6yFA^77w2E%6+{>jFOcZabEl4g zjby%*Zkzb~5D%>T(d%77QTN}9e40JMXh4kGN>O!W1+u^ZzMBY@S}9 z)=f+CX#(8H0@Nwm+wNqgfDRZfNSglGcR3LFsO>)Ar0+=wUqVL9&3Niy%xMQYp0<;t zYdIEIS2^@pW7TkP|IKGZ4HxFA_0?S!x~J3QKeaGg%nt_a9o|_|wB}V{AIbU0FOx@3 zUcF6eNp~}CTD;i$QNOnZLeyxz444xSOzmBL_4iiFgWZ{{e;uwjd^>t(^Y&MJqH`gN zuh5GRT2>&5U(zs}0th~PzdC2V#6X%Kr@9%g&yUGn4Vv=#+4&R9EsOfXW}cdSN6dt+ z1{pRGM(W>lihRLDi$L#n?Dm$lyD@b~j-;*!=}wqYIPRc-CJK!gU`%6Q=G<8Zul&9f z$Ww23`inRj`j^B>t}`UvK@!xXTH|AqdIIxk}`-4!26&8 z#r&)=f(gVZ5}MsW1doNBho>2=m8*V6juz=W5%}iEUbzLZXU>BBLKn%TEdYrzFJZ^H z)zkU>_9zzt~p9@ zE{?39z0Pg`Od!WW+kKo$?k~dqp({dnNxp#Z0nTFbrzQYrJy2`a;5V@7b=YOa#4qf{ zJ5s8Sd<9Cb0*6_X{-d+?uif^e0FseRF>0`8f}YMVaewY@ieH_&A%n2>(3M#W(_hiu zQxf=!;UG*p^ze1Nky3Kz!DLiK^eGi8+i*1kxYI3~C;;ws8~+$ZON!+Kce+*SHJ6K* z#hVId>c5`%nmEk)XMWF{R^?FKKaTyh=D{`jV%1RCc6qx=nyuB=^Osfa&u!DqTMgZm zxgYv^%`b)Qie5Qo1#W0FOv>i@<&KBJ`x8CPF##*vFrL zv1;#|kAOrn*)Z9CcPbej^K5eb?{JDproJElEnMI6y=5Fx4llb-!ifj)`E89HfAC#C zMjWSiihLKz69Gi>EPNA2w{!hkLx1+%Lq>zoIB*c6#hacRI}(~tYXLUpsreb4O{XUx z4qP=6Zq!ts!s0+tw9>tJ=2^Ng9vX~^&|dcsOb0t8-7}l5qB^Xahs#c>?xpLeuqtm9 z5XwUb2&1ojLA56FqOh4{&?dfeB_NoTC8GoHX?pBi5LkynYLE0+%yFWP)Lj&NoJC_e`z69o4r#p^3wEZtgm9h-6_X}#RMM*H<&{@gs zcBu>zbOf%7Ds2>X3y^V+K!$A7sWQdW)6pN-2P+j@VuJkdlb3%9#=0?4{o~1_<6S9GYuLP1Z94{;lI6HfY_Xfx_KbimdBoNSx8&!pxAvLed!e4_vG!)uRVa^ z9AK_+wzVdGPwPI zMsOZ3%2w$tz@PwMQ*fl7*eisr6bb5R=E~JNiOi=z2&=s3_vYHFVgv4$cqf^&iLe_l?B?>CA0-C+2;768kp|P}uN}i@ z=#yeK*J`zVB?*qh)_E9`tUy1=BH!(!O}A1g)eHL~^=S2b8XG-8;h!upYA~1DPqy36 zPY)EGr>t0&2NW1v14ascnmYGAxbcZu>`OW7R`DT_zXQsYlyjqb28kjEeamw`vXzM=U7}_dy;AM$x)SgkLeq%#+6Z#iz3fCVtMhh#L^myrr zcpEb2RuyzbrMy5kIG$P+kRhuDHU?|Hax02J}UJD_ro z^c?~I;V+HPUqBwPw>h-42~>LYt@uMvWg*#XWH#8*?tM3Hu**F1<0r;z{-9gB(MSN) z!gDwH*ME#^K1QJ{%_wp^!QFIy7&aPSS&B`$%dg}F&MxYkiFY04EM5_Y(T$@vp zIwXd@6!|LP@#QEX_dOr~+~2hY18~W!6)rof2iRC+Lza?n z98fX0%YHiyxdV9O0ue-S+qs?x!O^P27NTX!{$;d`s>=af!3s8+ugw0W+S4&T-qMZZ z2zm}w^5*B_eB)P2mbBOsmL!~?=?wxdGV5y^o5!ho^sK-Oo`v*teJ_#-%0OTTL-A0!iM|4No2s>ZtL{P2{eN$12%CU%jNtYH&H5~wN= zl+2@sC%vb<=vnwA0C^#dAnFJF5t<6EEL#H6qY$L>&N3GM0X^GhAhQ^r<{8f*VbC5&QL6PM{g6iTjB;?e>hJk5 zxyH*KOI`;825Fvr-zx1klW)J;o}MZadd8bh+! zl+v3JY8}T*P6GDMji4oLeb1kVi2k~-*#1+Hub5v}^nQVp4dZ~J<%?a^=LYN*uYk0d z;k?eI;;<+#r@(F#Zma{6lGAE-(~4<#f~zf)wxEbm;V61l9Z5&h z0~1HZQzdbrW8+gbzELvvJW^tZE^DyX(Z9aH_k9eRCv^8R*X?pA`+I)iqPf?cnS$F| zXIeP5dXvuQDc8`8wyuB@emQJ>%Ho%!EX^ZY!B9pFGqo-~!^>}0^ed07Q?i5%QoVVQ zyx2gq#w7Lv_GV*_;AiP#T_jc~WS@TUGx35*YGLS}9c*I8$f2WN__`c8baOs#{2;Ohfbrb?~+bck6ifLPPdCznbor9!@3Av8{c0V zK#Raoj8iGo4O1+Nt)R|i)-bHPV-)e{Rt3fZBes%OXwIl7ycTC5j;1jHASHMRu#n9PiI`3b|f-4jL`JgoSM?SSO`>-s$7(hS996!2(D;uw=HlQdf z4TJ*9HbF3S>En!mJ+!J_+4nN)kJeV5s*D(Q&s~Ao?)vZI7S@}LKNzma-tbkwh1<*W za#32(xe%aVm>*^(8f>*R$jmCWZ-I`0d9y<1i6H=OOWl8`ZTWC8R@#i;3bnRaB`B_t zXJ}HOGZBV^{=f2as1Rg%h*m8}CQ`N0CKX9nPkb@TwKVu|)GMphrCIZfhTFZJR$=rf z+@SA_RNT$pQL+;L10}0NIuMMaKaX8}@F!}wZXzU4qdrGe{ax{jW_efUjw!~!`>5pC zFgWQ>s*xX0F02=&yid?cct@cIR3TFh!=ewYT4rcDGgXUnI3LWbK*TwRP;oGSlbJ<# z?7WVjt~yh7UY!WiMsAT+C@);Yt0xcD#@O=O6t4tUiVi5hZBy83!6oAadU}H7x2h1f z36*D?6Lt3S{Pa?~!^_*4|7=yJifjl+IC)YjQ*QpXy24pnjh{-G} znj)()tV<3{v~Bb~zg3nPkW){$4zt21b{b+KXcnHEz`xG%kc@S<_=gGR#P5$)hgc0n zL{i?VSs1_Do&@}b?MX_eIn5M%@rHX{p+=ORS)CFmT3#r0#{8#w05Xs%39M> z8Wj8nRfwJX9t2zB7wfispuH@{%9-Hq=&bp{S|rZj&aPtIG+T962Cvh4j&~k>t7n)ihC!3vD@}>ncjN=j4atpM7m`Y zDU31Q8?3PL>yZ@fsj*&osdGy*ool+*d!etRq;pb!IJH1H_m@1U@lYf?CaEvruZ&Mb zIOHWaR8_gHpmUiH`KCF;VUD(&qTpL=R9X>*dA!nqqNI6GM`*_@rsH9tbwu;$J&y(b z#WLHc%ReyRWi6WCuvmwp9`^Pos@nPFF9QE?>ypKl>oevozfCPwRLl*jPU1gg(+R~ctSHM%pW?89W!MVn5rXuCbKpW;JWI!5Y0aT*OkDDNy!v=WULKM zzl|ve9;gi+4Sa?tTawoZW(Q%`>`_;UUys04o9B|Q9<4Xi?IK7lt{};MD?3^}mzBJ2 zqLgg$qI^NhQzF0QX*F5wL)kw`>wZq{nJEu0SJ9nkmqaAkL z=MaB`2TFQ6+=M11Z*CC;<6?Z7@ST^+3`lZMcL6j#Ebn3U>qu!Txn&03H=~^q-_SUN z8^kdftCeUcDPGemt&&oDyg{1}e0ZbHioS%+C2JXE6*2gc=Z40Y`QznSn+kTB!@RsmZD9@>{C_8~I{BM0p>W(ep8aqW5nh_*P zw(`7ALjp?hTQLml??%3*Y{C1;JQ7r)I>dL(xA`YhlUd74fZ z4mM=bGOFsqZ?BqpG7U2P!UrvRteYcuejj51(=)o5PgZ3~a;K(Z^3m)1oe%uHZ&9ux zsy%M^g1tHL95|+*<-xX9*BFLxya^B=Ll0Px=2tJzE=A=?$4Yts&h_g2vpom{*n_Ou zkbjR+KY} z5C}{U=}jwM@Au3L-}i9=4Qzo$?S-Bdc~MnkP;q&$AvM%M&ix#9meRwF_jOjeHEX!& z{5y56P+2lbZbmEMzNt;Kr&q}Bw5KHHFAJCF|55Bhxz#(d)a>EQ*g}gENbhHX}XM{{gphlUc#NW?D({eA|{bgvI~ z<42rI_1N1l*#sU*70@e$3K)AjzEbgOL)_DkwIj|Hf1qq>26h3cRsrAA9xDD!odN=x zKfp6}(xkEVbsZ(oKF}?M@}T!M1OiW#ce6~VCwue&FG(8fq|g16uqCPQ+w&B(_8S0Z zl`B8mWpj2}$c)$;5yQzi{ekkQ&Y7m^yWx|fn}|whjRCZd&1U7X_G=fuxVm=rrb&?N za5-Lr4r6qWv2o#2u@6_C>P840Es^2WH%#5L#Cf@eOluj}n)ye50h5NhOMZF)EP55O#NP%d7Y z+JF%Gl7sR#OU4EzJsRYj&gXbt8B{>&g6Ed8*>wx z?(rB)jVF~rK<9bS!@4ExG!D3QhAFQB0WFxUJ4R2M*=*6BQ3mQDuH}8`H!-snH8WE9 z{Z@ns4@k02D$=f|FVdwwz3*;DKnKon32bcFP&HAoofd&!jn5q`^D|<7Z)F}HdSu^I zPe+bV+VRP$!&!Gib4)rSOw74HPVBLQ+Pq((H-bffv<^9)5{r9l9r7n|RnUk()!-`L z%=LVXePdFhQ)2Ebe@olO%Q#bdp!y>O(YSyY?nT}N4E$wCQ)^-lX>mc7dtIwp&4d;C z+l#7Ko$7~!PGjy}UoZdN3jj4q!2=f&>WquXGxf}o*V1;|ec(QV3NWB&`XRt}fP&zg z0>`hk_!qG42TnIvtp-?dF7OiyENDj7RlYS5`4f7I^4ToVQ&Xb(+EbJBA7;HrPbD-f zWk6mcH-A+rUQo%~eV*%>>Lao=ki^8oJlAk|VY2mi@G*rDR(D7@9at~mU1Y{EC%PtJ z>;)$oFGw6kE%BAT_YfJkxI%Lx$QEhW&upgrt#^>~(G^I2asR6rFq{2@k4QSa_VtcY zH@~i92lg$I9;G|_!p-N?7hthoUhU1NSXGbmw^5ldkg6?@FL4f*t1+S5P%mxc3Q4Y4 z>31z)veQvbuKG7PVQgir59NGj%lZ1cfMqpgR$lDIC6a)gs0|qBO59p*V=yP?b_7@` zHujSYhbXKoVl|2pPS`t06lcQbdawhBkaWOX>0NH|(O0p{U1AEE3~^$np&=@#-po7# zOvcIqB1bXE0)7c&Iy0G*4rI^C4?F{e_h-Nw^c^E4KTrAo!AFE^H-#lDBhQ|G@90hxKzG6>UC;aR^1srZMDJ}xL_}`t`X`bDSE+?vNltX6EyIkgY^}8y9X16% z6h7oDBcu6L^2ge;1%X5kXe6&APmH)iZjiYQt-pcfg8zWDEe0}aaRq>4yL^@^j?H-% z5x}_cp=dybmijE8EX_VPK9e-{_aA3>|BU=gF)119|!pXu_p{G&%Sh6GGPUE~* zqOUEMVaL`eU!l%`jY@-wm<|1H=r>r4ym?j`0Va@4s=E%t^a}Bu_HvDJlFm1JD!}>ej1axSdz%E^yx7$&> zW$GWYj!&YW&7Bc8=@J)uexO!XbRC2c$qJov#YfN77FXVE_Zf(Py#+p*dHZNi#F?)= z8{#1HFa90J#6V&vy{DJ2SKERykeRJtu|0~3B^)O86pl8#=mFp%Kt3N=76;ILgB;bl zyJG-|M!c`cnvyvu{;j)6$qbFj+sl}hcvtuHGVfJv8{)413ghR>4Xc|2L=k(ouBXog zk#v~%d{QIkP<>r+s~i}Nyj|f+v~GS%M67qQ_IuM{ifyB*THBSqWwrva?duG7W#`VE z{j0>Kp5`Amm=*zE?yg=(AqFU?raClrM%KIVKTiqCt=V-wrcQ=CtpZQ7QchdFRz znnj2p_c|@a&z%YtB&jcY7>eNqdSTsm33wG9eTH52hUx^_4xqU;wkq@xT_cN;mur;6 zwE9$#Tm9X)@iL*0z*hlmEa|Nf?mh6x(slLb!lSI-yExz2yhY3v_gCFax=J&SN$xkM zQhqlZA@B+#h5GGd%W$Tc$*+Zl;=a?7M;Lp}ru2t=xEpA0H`GzmjwFJ6xb(OfWScSH z6~nBD!D01ES>vi1-ce_*L8sd#fH0zCb_twO)Ttn$kcUIKtzR?T32bF5<~3eE zH2v0VL>wH76JK3=t56*ai^D5{A`l50xE4_0LiM+A1w`27K#v1|N`KBX4hASy&!sl* z%kX}YI-cpHJSMEVov;6KcWO;i@+S1PpwlO-OOvzLI*8(Vz=jSu%d?eD?x7sv5sp?$ z=GCXGtZMAVsu6`}0&Lvaw(LmvI)omLRF+b1-n9{siq8Hksi-7w!TEJnz<<7uvW$F& z?#NR5NB&8!;dADXmLu+F{SJxn%muJPp;MgAWbvasKIGvIBQKmPSgL37VkZ+Y_2F*$cm>>>B4XG%O-wZfR}i)6$#+l z_!j~ZNIL=N_>(yG|LgjVS^1HOetchXd{gdNkqma2maMvw{)H2_+YKR8rNZXM#=mfC z_Pb|a+j6?uYpALP8u>g1kK=g0B?oz}8D=p@uvYM)LVNT1lGMWBF=F%M9k3B`8&vY} zd}ke$ly`nrc~H-nEeXBfInIGlyXHzg_N$i7u|>ZCsP;rC6}AdV7#jIAIEX&n0}Z-E zX>71(+sak{1`dMnObg8_u95SAFdbLU*2-auX2=|fUJF7x(P^Cq61tX<( z$3uI=>@ItCd}JOGA|YlGCPpgTm=Z*az?^H3?XD;~(pywhX=BxMy>;#`;}N*zxhU4+ zuutk;`%3CA{afj44w#bX5fjxkak^^Mbt}u@JJ^&mDpOxLIiAi^0EGy^F-^5sV2>pj z6LZ#bF*qQ!>`qHj^DEx%GiH=FGe5FaUFR;bxuQ_HAvM zRCL(3O5lNfVo~gJ<^8Q!DgiwJl`o4j?SVJj)y0=bBNykS-%PHuaf>g;wpVJZ0xswg zVqxPliyMwIt_$@n%{`s_Pj8VmwpE7Cr1{t$B1FjbEnPAMVYMu9)uUTMdeX9dY>#or7X^F->d<*si;yAIwk3Fk zEz2AX_pOXGi)xWO~x0gxR==2zEBT$K^08NMrn$=Pv(~ zm*YP78T3-gTrzSO$R-S*1oSUH+q^B9@;fajVb7kP2T`NN#zN1|cA6u8boY|xDpc>5 z?caz`tEJ98LE5^h{xORyK(jVEXdwwM89)1BGlutlhj)q4DIG<_)Nj+iH3`thuQyLP zM^t}Bs4jhBht`A4T^3)Vsa@S^xDT;!36YEE`0E9B9Gi=TD{R=~8Ts3Q7+u4Q^6<6o zX+ibVF+i^mdgx|6BS>(UDGf|`r%L0&?pRxIvg;Bq_Y4I!bJSNOI--vz6js)nliT0% zZpcfqf`@{s8zt43xP|k_`)|`{97BR;979gMa}0?yukn&$IAbUE>**T<;($UN%>!e+ zNFNHovw+NpgHHRfWvBNusV?5kF$eye5t8cA|DPljAAaG3H*pd7USZQp#~9_8D~A?H zs;7KwaOk&|A9c>f_uO35j0l&H4*c{Q_HfiUHlT*K;QpO`hvZe+nJk;^)lJ&@1!yHmS132w(%_sK&KTROpu?~uxnPRsSVF=A+J)*Glv~<3F(@_L>OVPAQhz+djy;tBkA z(>L`op_3E!BS8E*WAmZr=4cUbZ9ZlZ{!}vpqmhrUxb~~U|9fwb(l7o`vX2>zJ$ID!(Oa*9Vp0EOAVv0UKJa|m}SQG?7^;GAfdu}^&UNC5%8)r zvUVsL>pqts8#BkcvdrEH6+8Zbc|U;w`Bbk5Ztn7CEg~jaLCm=|zW6&2`OW?um`m+n zqFm6S9d)Zmm|F^$&h^b1C!ov7zSBLo=Z!Bmjcm*7=mBd>C$p?;OjMr#M6xv3*Z14ykHy-=MXPjl!@f1^nmbtCM|watKZ%^; zN>ZUqAcUdz%8;snUT*~SLR=jFdQflZzVs<}>Kj+QD@7ax=P-`87cU)V+7}~952C2} zX@*%SSXCy>yCSZq>1aYU=Ba0A`3`<>BZ3xv<`fsiLLkz9x_;l$I#?Ylch@3h+s65; zHwGR}jjw}~F~iG>YyGLKd%G>na(~?8FmyUaDxyLl<2e9?sqy6C**18YznQv;xa>e4 zE+Cd4;y32SnS|Co*Hrl_MqEc?WA_vnl9EVY426Y4iU^~BH1NpVtcO)vb+69muVyJ6 z za9^yWHhfl*CSLk&4ky`PiFQdyXUTwHU`yCd>szk=jsc*Rf%X86DzOcwUkVPfWPJrkQ?mZEX9oevN<^K_|0SIAQz54RsrD8I1Ms{U-+s|t?*cV?I{haTP{a=i227*0O4#&N9P?Ioh84>19AoR@|@C0ckNF^KENR8PJAF!Oi`N7|Nv)SIdCa1X2C7 zm#ykocpOEwlzL=trP%X97LC3pDdFjni7(rX+OgJyBPR5se~?D({Mj)ZYM$ok`W-?A zm5-;MZzqJUXH|}1&x_Gz(sUQ3n9~-*>BQHptq;DlNY%-AL?_u$ur&75oYjaSPp0aSr^776I zQ(t3cCv|v08-gZuhc9?V&zk+UmiEZ%i>UpAiwx3~ppV+w*tYF{HVMvqzm z+I_>lxIwwVx$fSHkDXS`tzUtt<;B-^9W-BX%%~cUP!Zz11uP^yhUU@pAbX61n5+$2 z%MNtcov|ep@w!Lf@)PX$lPu zp4JziMUchLyyNOx5-D@+eC%Q$ujFJeQySKHDbvUCievXujO9f)^UKgUW-yGMq%mh{T3X==07}&=X@&H}QMO z$QmelY;v%H3UO*XX^fj)G}7YE&;zPZQ^Qd}0NG^`*PV=) z;usZ58}=x&u7OFigQ898h1BpAz!*vC6`2mXMZ2JsR^n0xdAqQG&i-?2HVQ?tKkLuU zCAU7#hdzHHoG)3wY^C!$!|nbAQ&~mul)JX4)>);jdjO z0t=b5`vUCVe*s2laO)%4lmA;K0)LbR%p#pHv3~dbCE)3Wl1|_l^aj4!!c{%*B2#55>07st_AM?rq?I8C-0S=)%NuQcgr zPuOr;+!_kUM{+R`UwEyX>bYs0(I5RLAPcOgbKn4WhTyJ4Q*2w-;Lewt0#P?8$Z0Vj zCzQ-C*va3^M5dm^$ObZ#K(F+Bwee5z!mkHXJhD66z>;>`{j~>{5dB^~0Bb{cTr9yh zq3jHp>tj`?qLbXD$NLLTDln9fPKc6T%?M)NV?{P!Ts3*GhP>v(_5h`L;7%c7L61m5LI;p z-dq2ImpqMfAZv_6_^K9I7EJ2)Sa39xJ_8sgShuwi*WB>RuUG5_a$?h2!6QiToeHED zSAY_R#^>x>a6N9(defRyX@-Q$hx}5&1YccsY(b^a%<~8AFJFB;6?r5iOH@ZxqN>ht zGgsLXIAO!3FQuvF+)r>=R%Gjcrigg7TZWBR{rGIdb}Ip(K`nk3G53~1Y{WoHUqO)T zT5hlMD_M)ke7kyNG{OLnTZ`P~D|K&IBidnd^@Dnoe$P%p=BoZREp*8vtc0JD!zpx$Y1_(n6St)wqlKJTNtZb<=`qe3 zB>bp3-;tHL_IGLs%dwANy&lv-wuh_{oFkQW`yN@o@oh>_x}!)t27BznIUK zr#@}0WdS85r#{PQm=s4{eX_3sa%k1KOfC}aoO&tW%8N)cWf3QRl#X&W7rDIuJu{>b zV;uy3^>w@a;MZ7t-BDGgGTqwe(*ma}pAfscT}Fy3_SeLzbZR4ZdrC$s{VC!NHq*%% zRw}-xExA#Cz^<+#As!|#M21d&qj(+=JoFWA1{os8vx6vpEs%;}3Z4sw6~jh45ueW{ z)W2(BGIhXh-#676ZN2n=q5Hy=cdWc$d{OH^OPrW|1}6qIfx_BaD=(l6G!RBh{=#lS zCAg6D29}ZVqH&Kcbj&dPh~c3h0>^w#Kd4O#t?iyhQJuu6s_+r#6_Ivv^jt}sd}1qL z=zKyYE|A&`fA4Au##&(_7BlC$@{ydX3fuR*Jvl-8+)MGO)y1o+L7}#R9Gn)--Od7| zdn!M8)b#H9bn{j1wj3vp_V_c4Z%|AJA;9z{=SA@gc=g8Y!SfXHsM#MmArv5zbw#s3 zyl3}^#`P_0*0l5p*gEC_JjxsUhp~GquE7N^m6KWQD0A<%D_+23p|B&Yg`-7zH}SBO z4nZ9j{{ji&WTwA^gvdQ(0(kP)afTJP$JRF_^TlpJpI3$0kzAe~(qufVv#}a=UiM;9 zBrIW7UQc1bT7$NKV}t}z*drB!mlQ|mkX|?bPF@;VKBnx3LUSDIDjzs6L9+**r;~w| zV0op6u|xf`Q;ku%K+2tX##+WAo#*kh8DDf*%xnj5)tNq1?og3BZf*S^5Fu*vUm`+4 zBd4-oac>P>f4swWNkW^Y@5651)BZON8sGr|9qI~xfEC1?>MaOL99B8eZkgXOX;;5u z76e2k_^i1CV;U0{tg}Mig!+cA5a#I~wnQJo*LSlNY0=*1+?`ckdEGpNG)M6#=X`_S z6GGBJ`1Kc;CV1;lGmr(`=N$N4-7YyGBmtrPY%e=7vT^ON1KQVxI&aSS3?wz8*2eXr zD*iJdqyv_VrTC2&7O*?&%KN|1^oj;7HI6%B0Vj9~_E@DR&k0Iv<1!r^gl*_kLYNmXiphce7~I(Kpp#Ee237K%36s=>|%- zLE86Nm^;gOrv=xq`Xy?{vcMSAV}Hy%@OXOiW*A0REK48c+|>_A??y34FIf^qmyVm2 z@|L6-1wVhep6AFPOm|d04icAf`W2Bd_9+EO=Sp+OZDOKBd}KOH=M&h(#{@ytF=LBO z>@o9ObMFajmPbHzA!scaI+In$7E8j<94aUGJg9_|$}FH{4kk2pnX^VFZfo2yAA*gL zf)!0zV2Fiqvi%+VW1Y@41H(xt?Vv;u?#w2$0eM}-JK5gEd6UsME>Nfc9}E&^)u6xV zJyY3(7-uBuobm&>>B$2_jMr8L=>CICRv=^pNscbxM6jdY5x_-yRq3!;e?m5 z9FBx*(ib5k8i1jETgBj8*W)ZNZ?X|IvQB#;u*{Z6@#a1#ZKw zJAp3~(ZdDQ^EN#p@u7+{Ra0xAyg?A$_slA|=f8h&nsD*G|H$=_U3$y)V7hF7aQ|1J zjw`;8MdKq;OT#tMPmK}c3uXweF;<*;r``@M(}vso-5zdB4M_8A^}Zp4QCm9s2nFt& z?N4(zAEn17aINP}=je8sz&ms+AnOp^{za|!lIu^fNetvc0V$g>gyJ1ozdoR`N_IL1 z;P6IW(@SM{Z-9s~v2yhjd9FseK7gU^BjQ27R_sVpPR36;bSP$(%P#C#{Qhbm1cJo> zSe zK*t9jtau%|0N+3GI@O)3N%g7nO?Ahr2E?Sn-KKH_tzhQHAqW}go(KGA9;Zr?C+nGJE&mMLr_W=XjoGf;<)6UJ8j|?O?1{KuU3pjI+9mu>- z=xI9A-To6&-uNttq{^=CVeJMQiC>OSp2WiH1aT|?7}rdw94+por=G4u@M!70x+G0` zLP(4~E16-YzTm&3B;e{7leUgJlFFtENGy(`YcF`-JFy?qAKps8f1fIR-rHrtAp+8R z1X+^!5Jj07U#~Dvc%I&!gv+=i?v8PSq9NSgCw%WY#Kw)3X8MBfkmAERIP{@1^%$z^ zH-Qw?ca&>1=ETPt|Dy;%LI7&;>d*FG@w>O;VTR8h51`7ry#_H66L5a(^uko*#$#Va z(2S)=b2`^#*8JL51^A^^U&X^hWl4R5R;dDu`Q{h?EAqw^ci)@#Kan@$d=6QL!^T)? zeLlUY@A^z58(-w$mJla9)iPd~GSPN=vW4L1M?NDfKni=ivgTI?Cs)GBdn4$MZ^0Wg zo5HMqGL}oB=`3}e&BH%?TiDCyJhPCfck4uEoZXX99peS;(=0y1E$jlzZ>WKc$ZEGW z9J2}`OAlK=v0~T+AsFTO$H_C0r0puYUAh~$u`(uO6&71i8-qHZPI`k+svJpoQ`w-> z>E+W_#Qx+6aSgg*jZxy~ej~N`-N?_U84Iu+H%ZHqA3QEiU%ZB;))jWN(@d_KPH{h} zAtINeRUd!NH(mP=*oHXxH-4}QCuTG~Z{?!j7DEa;XeJOe1l_z)2XMWfMq35&DouTDRHG&pg*jKn`}P6zG_Ta?f|`&Y`#HjOPX+(BpW;uaC z9qvaV#IOglO0z108L2|ghoh$>rCzD+G(=-nEnMSCbyT&dID!4g8Bu|wb{Tuy?B0R; zy*m~#-&DLIVnHkfIe+I;^M`%OeFZ1(UW1%BoVz4`=Vtb+KGO=iG_oC4OQnWzQ(L{Yc|tfQ5l+}a)%cZ1ZfGtpslhqILh>=nq`os0Ul>tlA*Lc2`Y2_UpT{bO$1nl51Cc;f2+R%a|_L)ESnI{xT2v)50#ZZSyDD=v+ zm}P{OCFAO0is4DvoF;tb9 zwV&#wo_aRsBNN2sBo&NWa16eKa%&7DMq3ezC_0j$#3PBlBY>eHzbzyJp9-*U`1hK$ zz;8woJ|%KY`W=i>&^(mAqNaX4qx7g;8UZAypDZxfKel+U(?Mha@H2^lp@DDivWW6u z9r5Ft6+a<`{RD#^}VldpvA++!bhg+nhj}Cah z=VEyOk&D4xl}e=v%v~PzOQJ&)RQMusml=c^b@Fnpe>p6vz%#s%EP9sQs^P9_9@j?; zl1v)cMK~B&{1b~2g5|zVaOo~oJ;9rReb2+OiIlRv*+!&P`!I73Tuy__7371*iv5$38 zc;D86AHpsgbz&~<_mLGA1w(mZoJ^V=bG}R{f(zpM9qO*BML0A1!NdxfpcDAUZkiR$ zRsQ9>CS5ZSA6zQm1?;FUEJE?H#G4(dP8ezi&bO;JV&BlEwcC$IsvEyt=4zR|87~j( zh@geaH_$>@gp%TotGB2O#c3!o!C(HNd z{TQCi{e$mFl{yxl!YCJ@746f+rTXz zpH!YW?jS>*qrDD#7!MY!zCBtysT$8Xdvwcnvzu4ZAJb6cS7$HYza9QCy2q5JcB;(} z=%<<1xLO4?9#>!>N)$sM!$1JSaGjYJ{X8l3f8-_^u+X)R;<>VAisl(3P}4lWutE4X6(Gqdq0~UKONES zzT8E6;HO@bUjqGZDFv<7b}PU9!TPi4i=SM@=^iQYU2D!`zRJFy)~C>!>bpasJh(K8 ziFbZ#;0+%M8!uR<88T8`^w2hDyEzT*%_r{&=!`H+$V3cEi{%#KOMoJ+LT6#aH}m$L znay7pY>~gt*m->&GQjm99r$VaoFOBfdK=hevwwW)&+|uEyOM%?GBLr2710IJ^vF{; z8^$;^%q`^_xG1Qbs%IDe&p~- zz07>AEv01BbV1Ladk3;xt6P7oHV!j4TW4+GbMvE!3$JtSg`!g)3}uzO6DC`-EmK>i_TF$*veFF35R?|T!))UcbDVgmD@oyepc?|f+I=~XZi>?CKOyx@J!@9UFmKe5uERC&bc zKC|Ym5S;|`+-D1C`Io({MW?IXRA=%!9K;N5>L`+}Y;f;S(i?*{Uv8{z<$3%Nx(Rwv z)>DssQxAs;f7X9ho1Pf^q<6c8wA_BYugSYi)7MNzGEViq*(xtEEXW-iFM!9(`&J6l zg2{oy9Pf&u%N)O#+H()bYgY{I@#_fp^L)IZC7j)yaM!y_z(8@v$JdV$%Gy3p9Xxo{ zfB+k50DMX78CtH_m{uUHmE*a)ui=Nu=k0#`c@y$W|~!pC3vqc8@(jf_yrjR z{iHSEY|~L3xbf<*o?gV5`}}t=fdBIKl&!kDM5nx7_Ze9B*NTY2({t{^v*tImEIaXs zF7JT4UZx+c4}@coL(VOY+YAD=%V{P3*^k_<)!9k8Ne{K36`h*cKR&6HoXtvk^-0q& zr?}5lo=u%YI3neX2_pA>hW72oy-XdzP!<|KU-5do|eY;PGusR zmf|V4snPjC9%kSNY{yloo049vv@@CI@i)GDay>Zz#c-X0x=Uy(nOv05QD#b(Ipgb( zCgHxs1r772qFV1eoLEwXe${x+Yv=*h4PkrFY|;iv6t5$@paB3>yf3|~R`r-srHd1X*dAvzh@LQip)l&$*c}K~~W_ysN6te3_2V-v<9vc<$ z9O8zfzOZcy+IYzl-2c@{FVxaj3v-(}v-=zKo3}$paesjhC8*rK0$FFRv!eu4^Q+$1 z!|Ax8=IJL)i4(t=~lh54AI@NKo;V&a>Dat%8yJ5km9j6N&_~nd#60&e=fAA>l{;I(x>`B6vuZUv! zP-Z%mFh0qcucfk;6EmJ}Vpko=@>$>eC(YlV`o)qFSDiIP^Zt0&mcl0~xBc8W&(7cv z1y9=|m%M&6wV#pfw;k7Hb^kd-+4icFc0p5Ty==&J$n~V_LHcRpBqN9{t+pt3N->62 zxnCyn?X*EGSKHt+P1DkNo~p&`Q+c2F*Il2&?rp4Cz)Nt&Raisx92RZg)uVbcwrs~O zRUva??sI;`PbY2-R(Vk{PpzGIOf?b7M&;Ae=4@+Qn&}Qg!E_o9XvE zJUe*m5&}6Ky+p_ChM91O)KM_NU|$gI{R#Bs7Zg!*X{jYyauA)8%y=R(B;ya? zTkoW~mtcJUj^HJ$3jbpHv$0eL~)`o0u{x;qu} zliJ%CHLv(A_s}V1h}ajB8nR*DSGgx{dH!&?>Sy_t2*GrN)2>B`kdYgmBI~0CwbMGn z%CCyclr6)2=A4@JUb;l`Ci@}T`)MYE1RoTgri6x_B3%^a#f24n9)3YqO^GyqjWi}h zJ2o(1r=rbT$Lw$Z@H5Y!0_OUXVDEL%BmF-{wru5xVj zW*^Pod1*iv))MbWe^YnB&Ur(^SW@=W;R5-5b?4rLN14j((^_ zcq>;*n62zmJ9Y5v(KiWaE9#DB?%dtCX#WnO6-E43g23WH#d5&WBzBfP;nT)WXO_jlR5sM%p&Z zo6crV{=PGFui)@HW7CQj3mQq*%3&J`<(R3Dp52foXFRcc8Pu3%@(}&=h`MA=r$>C~ z=HD!T==3#mZrpBoeC>`)21DaN$}grLE!{h%>0_ezBWxb2ez{C500z5H8@UFD?rRP`&I{;ypgFPabj(0RAh>0~vZ)wGtt za+P>Vg%%TE5M=#1Plb#J!P=k-(Fu;qs`?kcyi_25dU^cw7`q+zFZZfd$3gg{Uycf%%`r@gv%4>^|2=V#~v2dqoC;@$cD0^y> zm4CxS*k3Ht)ZbVuZ|HCftYUaWJ?ha>$20MPbq#b4F>LH%CC@J})^%&>=)w|aIqOY+=1mDz#A)kTbxq`Ds)%2v^gzo+rm zPVixma`&klBtPZ{1=7Sy5ZDwTuw7GqZ#A&Y->iFXJ>;HhneOKPYsj9oFBr9}>O?v0 z(JXpYrrlomgQWJ>&f^}o!Jb9FRHcDaw7?=wYssSJT#I4w7d*`KN+4)DHMBB4y+BBY8fbYqy`2h$opQ6Ug$6Dxc+jPx0iUtG9NL? z9xWD^KnkjlN2|m4-lncJFt_^cdYbOS8&Gcpkw;m{e8HUR+6%k%UrtxwMAtaxCgLrCr=MbkirZ_>tIy@^mNfRX!gq7$SVLeRRes zWYuV~cUnaysd3hM&B8MMcM1J2{v9Y`QbH$@PEh8wwTnXt33Jm$vUqz25{ySN~wdDpJz~iv>N%z({UkjQg%6D(1mnmEb)f=NnwI^y4Mr^^1&X`l|g>T(CBs<`};bb0(YhLtWCIz27n(>!E#i-(c9U z^5?H=CLh$E$wp8L`?%pw-h^_|y&IY-sU77k2W=sDYJFmqbwXV&w9ZdU<9QC;vuo6* zNyXZm*+y7tyVh*#YH|%^i__s;vzF?e3m9$$NQtJW%2?+Ye&Mf$(Q|hqPrq()h~CnF zkEf25030UlQs92Yn;Plx$cuUb&D?r^eyPiJ1$cDtm2<`$aZ~tGW=Rk zGy} zR8X=?+~>Ej?2}xdus+*>rYEC*vheTarTpj%m3(9KxOLMGQgZl{XgilC9nauR!V)tm zrm2BOjod(NdU{?N?Cn$q&pMf<30|_}#YWCHPG9;|oN}pC-PwypLmZ2U(ehzd6Pni&?!bPLs)dY1jXdBKTt)||Y<>OQ)OA|4Ar zJrx#xiW$LaJv`)`FifN@YH7SfY0i$gS|PG3vTLYrrlv(U31}Qp*10H}km~r?v%UfT z?dn&HW*T~5!REEZeC_OqPSk5o!uq|8J>+FO*yL;1_07ZPUH^x@Hw|m@-1q%)*-8hM zDk|0i9IDhJP^653L>E?65JZKD3{fbgjVZ_&AR*D(%49)GWe`FfP=o*hQ$Ywxw2&fG zqCyN2LKJ~O0*Mep$o#+QaQ^%3v-Ub0?YgejYoE8i@Jh(@+{1VH{5H}GM{kZ1v%dPJ z@>!UIi@10tK3U-+?g^RWvp$GXYLDwCs!?!wsPYk$#-*t0!ZIn2G&jsC3EJ?b-%L1b zB)!w0(wXp;ol51V&c2p)ckKCPY;W2_%X1^fe%42HsM>L?lE&e7Mp{m!3?Loyptb5= z5@I=RU4U$78i{_b1>bL0nhyQ8cuEND^&Zt{J2F9wCT^SWmcHS+_r@ zE1j=LN#+gT4y{DGv`hM-6C+h)Tm#=-Bt*FoAwJ87{+BRF50Bdv2f+!(7q z^G#5W=&mbI7`596f4B8Vp>Y@`dN*|=Z!5ybVQ&B3Csd)Vmx);&ZHeK`TzE?nW-8Gq zIs%)pY0++=UKRXp`@(b^p!2*sF)!VKho3X?*ph@-k8{|{QOx}MH(I(>S%iq)K6+ye zt#dtDAD)tF<%zfVpUv-sQ0CNq-QEr`e@<*GS+LY!Kh0-3mV7+e2qjV@Fx$nS1s|^l z*VLmv7%OOE`m*Lkn_}+o>FqokSW|Iq=za0iylTzV>bTxEdgY6O5bmy}`^P3!nH-y2w%H{# zun0cN=mQG&`~!dbAFG)EOu%{P59M;VumHIEgp_(%34l9y2d{`bxa`?u(66`pCHOMm zl3cXCKDMJ#khIpB8eH4V zLoNdGvk1qFEZ|uB=-3MAtpcxZMCc3I`52qQ#eeI&>3-E%JTmS6Q(Jqt4KqchTIq;X zNc@^#IIB3Rtc|=D;Zbr=mm@f3b}-;;DTmK41r5&VcR z=RbV1eyf}KHMYOB`R#Ai=s5<+fN}uzo(v?obY3k!RTkNpt$wura2VKBi%y|@G7&Z~ zELPDfkZiDU7_Q55I?cUGRC8|$b$otnk4g+aPXQ_C$2i%@xUj3>cq4rqk)Gtx?1V_f zZV=l#o+2~*%(DJ&VWo_adR6w1VEY7;?8yhq1d5M8Sh-1+M~nQll27|42tAAH<4-GZ zo{5wNd$**tDIShP)q|Lu)YX*GrV{~M9GUoGDLC)8oKvVoHw-dRD@j`L!%sOdf0a)$ zs)a4mmdiKpYWTt@>$8@<(VyDVblFx<(WbNnPP~6Za+Sv0*3dXu#T76=w5w}v#3{xF zhwxLV!WXeNH*pPo#1qbhi4o*xPID5ErtEDB~2<9%d1XIVo}EUdWqPAT?8#wDIY zn$9_u1V(*0JzQAJdB}oL5?CU^`hJ@_=%IxT*cr`B&XBUruV#5Y^IZ3ox51w~9 zd|YU|_^EHT7RY>RAky7f_&GLVevdC+e3s!XqU5YI(yFVL7!}iYed_62oVKg2br7BB zPIGQ*{J6=bLW9dTfe1IY*aTEh&q+uW=%nTFj`CpDX!S&yK0cu;%vGL?dZeJ_%t^6r zkE*3g#xs>qpGQeX$_yL4+-7r(GGl>4`u>v#ce9qQ+`Z(P^j$Cf?9jx>+dol>>0c!< zQWZNWo86JR)RX8kymWsNqTrwKrr1iktV zueXW=HGWP23QOZEDK0gC(eAM9_Nu%DNjKbKEoLC6h&;;B3tfs6e(-3`jl9;omCu@T zkv~2FG}rBHoPYAjonqz_5>qSP%>Kl;InJH5s{+sTp%49#*Pe`byF5s|J% zJ!=m+Un)@kf$kyQcd3)|3(MIXCN zqPzVr6TE%5@Kzp0EBc=Ts|L5uft7Va z*C3CmNfj|ewLOd2eX&>W8dC8A(svUEw_!{dFubfpnSV zs6Y+xZw#!N#jy{h%It&cxb34pIE73qG#$8k@0;sTK`3QLbN)xkW^?|f z^>jI~Tt9ZLC|#SP8&5qxj%#g95auE_Vm_Vo^j-I~b35r+xqhh0!(wH>z%zTT6;>3U zGGlnam#{9RHLKGtmlzooU=t&^ePvjvFm>_1)gNADf(uy0qmde2AR!SNHrtMd#~q1( z;(avEo8ayUT)2ZpX?ME3>+VXa!CAJs9#^u4kYoaW_FD?frOO6h(zHy^^(4gdUeF{x zKt#0Hbbmu>R(3PF%)wc;Fq)z1LF^0}Wxeea=FpU$h6zl`sikH$VAlp^xqr#;5QS4a zC5sb%I;Iv)cUl|theyUZ+tcDL7_ohdq42F*uI=oLd-@7^T}p3Os17~UWa4fEv;j%9 z%y-FpBkdFj?c7@Mf%Oj$Mk@t@l|%*vLE-{c@)T-}!rva}wXCn`+%8$GCr4WH$}HRr zx#I3pS*}=Q7DUnF_;UwhaPeN%`Su8fETsB^`i@1<*3dzB(ssvU!4EIHyOR?zz$^HK zMAtmTA`IdBGk$a7tnc<01W>c6H?!-Fu0O3~CBHK(s!d z@RVnkZo}Bq40QPCvAUHc+A$_j`^Dtce%jG!(;z}q>EMeHMMGzJ!x)C3+Di%>Basw& z^Dle>37>*^ar`x`IN|=^Hnmq~BJ#8%5UliqUFCbD@g0Lzm+1)M4JY|t%g7s<);@Z< zv)wYNgZ;Mb+8%59(OFccf5V5?b!e@iILd~s*B*#LD@1WmJ(nfM1h^99(HO&M%bbMJ zTaHymL3Xf1C(~YTGaQ@Q)`-b=FZ0JIj8sNVE zFCQunNOcC6enN?&oZ4mo;q%iq6weg1>cf0iw?O*wb zQ)7mJ8JMK&q*xFV?{?e>l7?G`1#w@7$8DE&TKxi%X~j=TOgwkIlzYkW_{htg9lhW6 z-ZSPloiwR6CQ@woFz>fv+Dc!(^mwjJx|`wLQ&eU?i+Yx|`bMN^Xo5RwHrJQlC%p!@ z$Rwtd4K1&T-wy`0W|9N2?wJZ3=4VO$BZE5bg!#l?gGFhC(W`=`3*PNk{3ca_EuIIq zJAq0%_xA2MpJg>gflZ<-W9Z1zvB;t;l2|srH?6iJ!dwhM`!U^ce`=^2ZXaZS)ZmZ4 zJDfW-t`K$lIOTm_`BlRVk0&kpv7b1h4j{V@u}<(S1D7Q>mK9>k&9p&}&B~xR@149} z+LkLysmB`c*6a2sPo#dzw!S-V9yNby8;-jjnKH%Zl5>vZ|1LY9yp}=rryQS>j(PWX z!F6dbArKD{yVFv*YITi{`)RhFw$kN)1nb1g{Nri zh0!ZFcL{$SoOnu?n^F&9s@9>qf2ere-0NpihYQ>9KE}n>@ET4e)^)=#iw2$}bn9!y z=mLb{2K0bkY~~G~a>uKWQz~Pa{^&%PZ>v)PFFQtm(r+UCW@lr10&KMA>oecaI5!=4 zar$gl{D><eTH-K@`tyd zx(jxi zPyvL*Mn0^ueS5w8t67}FERGk>qd-}WH0N3L(0+@naXRWa?>RzwxLmnGF~0bV0yrVH zYGQ_FaDkT5T*ee2G}8{ExUYZAOVWWnZi$S8;OsJv$Zp@X;hK|Z7!9PF?RH8RT2jJ0 zLC842@yKiIhE02(hr}U9B)+Ye#1-2{p*^x>n?{wQI=>nFi+9)8M_U4M7#qaSibT`QusvLWECGJ(>nE$Gr{1Vhk@HFEhg5MHsog?hg;XzY}odL^8(i$m?BJ zE2to46}G1GLo3&>0uFjpk4!`|(vxp9OKt`v3_qGw)LL>QZxj?nT{vj-!XBQ$3zscZ z)3OT7QWWq8eRq@t*`GLpO0T{UcNbh=OZ78h6C?E&J)LFOZ9DM=H}@rc(_wlE%?{BI zp2xJoWrJDaN2z<XAhuIOR&-j`Og7jA~$mxHnsLxLA;9H&@Qg1As6 zJtYgg3B&Et6`qw=h$??VovL3zUN@tp8wz3GtF*_*@3`N4pBXL7l}Q4%x?1y{dga4dJx$JI9(U+r3F`#aYw>iD%7CnYtBl9&8=6zh z2Sr_grR4esU;nCY7r^8#F(P2VYX8~GUi6QuZBN)y7si>>S$V<@KR#&umQwUFZ4V7w zlgTV1LuLy}qjWLHcQ|i$qB}5wgYlE;C-H*nQe{ZyS4>%4n=oN~C}V9j`pl*8Yq{mL z2<%(U!xliOiy1dZePFXYzF>J&%jve6q({s4ZeW@;z=)lsW5U3aq^tp*N=#^LH#`V@ zkatukj>mx8lVNv%wb)#-S$zAHsHY_mhV5*`^crfaNdsWL*SDl0ayU7OC;+#cL%6bJ5WHwD`dTdsjJ&<>tZ5rEce+GAUW8cI z$nK67=!%y?q~(ou;&co%^4^v1mE?UQaeg^cry&;UQYu0eRV9Bpf{aPugjw` z2h6g(a2BzPZ%3NNMJ<}r`r*RdGhrLg)RkQs$!~#ciJhhC)!BU_2Uq2_PKnLAHF3NO z0ybtOk}1EFu}#URt7B`0U{6gW3PHk>@&>D2iqR_}yFdhE?=t#wNmd~eWiB~&56x~M zMHR)M&e+mF+<_ko7Nj^>j-oR*vl41VA=D-XT=F#QYYau5Z&jXb4Ym6SMu!YDPag~V zUR^G-LQIOGLIv2^Ud?Z8%55Q!w)VOGY{U8x{@2;&)v#s9^?mxf~;JBv@ix1mPKBpG0xgz zVP(EAxa@t%;t!T08Ri3xNioZQc{?*laCXBbRo3dZsIxh}2EjOyu1DoU-)RC-MH$PwSn904~`Z~7dbn|9m?j>pci+CGIKbXl-lzWAi41xTY;y!A%khA;F?|C=o_3KFGQ z1_UV4OAAytM`>L)k0){6yX#zvksZ+w*(G_1Wjkwhh582psd`jrwK0}4ixV7Jrjtve z^&O?%K2q$R2wR_ObruH^3W3mRj}AoNHb5jo!)mzgQ*ndAeR{FO_ppGJk`wN=SqaM% z>t>;6bgT?Jqc54KFP}Cuj>p$ut;4K=cP*o=b+q_7#4G#6h`D0iV|81o_g#o`WPE2q zI+;m#omGoqw>$|nw=L}Aj_{UrgPh9f1F^a{h!q-$wucv=jm+!XS@hi(vmry&yE(+3TXpHsReMjBU>MK4XIN!1}@ao|T(@ ztQ*GxH}hz(uP&M5C{(u+Ne0ZHN-7fc=cLb^d!%OCD4&X1z@TwVXE6n zs1<8BM%6D^ym_bjz27rcfD6_g%~8J$>^|l&j9lJ{n$2WBaDtqoF11rg2=Q^gd!c^k zt5b-RtlK@{Lh6G4meh^&ckxUW3yH&-+lERGsMrB_X;v_-dy{Q3ZUE`Ac^KKQDCng50t@R#@x=t&9FLNKARQ5@ibOOBPMj7(X| zdNiN*-r29?lGz(AZ-pu__3Fzl)0I1F5_;33lwhXTikI58M%sR%ewO?AHKdyVn3@Jx zRuOe+ZBfiF(icVk2fHF2+V=YPJ)}EXu_8y?PoAXuq1B%mN0>!tS1xLj9%je5N3tu+ zVHPXA<|-5VXJm|&^f(`ik50A@{q3RBh|*4X`9{U&l>E-;XfDZjd4DP|4%hgxI(5Gp zW={bXDY?VWr+O+rz}8J0O`n6GrWSL#}nLXaGIVDcU$3Enat~vv5uTKGjq;x|7G!h zi>O)6W3Y*2kdwUY_oCasRB4&M^rovEe#>6JCXLUEP1i@(~32BQ%p!y zVsDxaPo-a3TVZXeftxHQ2tv@&x3VY}kQL-M7zteKa$b=MYRhYX!qP987xAv4-l_et z;zDoNrythX^Lj6>FK!NdLS{wXZ$Cmg=bC8O?e!R92IT9zEHRn6)?s{F9M@Y;dqvIK zJS0`ssrfMk3eQ8SU@dRn&Q>7=FDNi+bK|RFeEL#Li?}{-Z2R zBqzF|GNHG;4~J&)grPpl#|TmxsQzT#BztE1WrbQJk8GeftFMSYX&Vegr%rqX)2V2E z9o9LMtRp@1zdLFm2lD{Bca~=CZXpPdz8X6+^Wv=rbI$368m8cEi58WygK5$lDm)tr zsqti#pkC#oZX%h&3WDsDK_6-9__BA!tnE*AlV||Vj$eEhs8_acFW9d5KU0PzqO4oS zo?rjmKa|=thrPQzAM@1-_t9-LtKiw%$jS-pI!x%4qOQ0Ig|93fNr%%utkjNBv%Yrr zYmQ5GMRrQPd%wC@dt&~YS|SaoxhM6@UVDUzMN$GBK#2Z5oW&DX$VDGF@l%C(;QTk6 zOMQJjFzCI9>dn`GF}wTW@+*U?f7~TuJI#Znb5Q@}<@2?HsIsOCzl^ zV(q0zeEDiph&N(`3&x;szh+uT`t5<|y@_(kuoZ#c&d2qw_B-(RyRdQ9k<>X7Coy9@ zM3p_BOJ*{@<)~`9ZAiW)YN907+qU2ev-xMC@yp<5SEBgLKx7LaP)6wI<|rh_ArZV>teB9uGlG5QZ!>?*0~pf z{yBh9XS?P*Xn?eHpx{_Tr?QsD+t`18eUrp*(?`3fEiv6Ek5MsiH}p+#YpEkLuNPf| zjfEE!*^=Cz)ET<$Akr$79)GuLFB%WnXyCkiVX;Kc@iYiEruSbh_~8%D`z>#G6698V zMUXF|+Dq1abs=N$WN4yhBfN^gJyB9RUKu4nt}F`G$I%1HG=hCtSVo*m+(RqY4skzi z84328Vt0Rev%i>ogu<`60p(sbb!P=|8gY>ElEJ`UE7#6O@L7awQEk8b5&l^`sp1j_7dK>}IoT{*Ef z&Dm5jM&yTnWb-QZfJu`?U{-eiwAuQP&My5)V4AO;VDUTO{}KsV(Idub#79Ftz_3`& z{l5LWf!rv|hLBK;w=C#MF~ftB7MmJ9TTQblE}{7*w!F}Qu8;Coj8P_0K75Aq++7fpf z1n6RvK|A-sQ?`Rq6`R{OW-{gEz|uMC$+q%!Fjuu1XvB8IN%#|UbqjvL_dRD8{iar3 zrL==~2%==t38@>|*@BC#xZ<}<@`WI_t?>NHpyfm%8*T$@4{cs+?-%=wf91v}hQiXl zHQR3WiR*3(F}}9t&Fany=JA*eDmG{@TYv}^sd=7me&=g3W{Nv<`u?WgtRE<4ny`k! zZT)h7o@NE>+!woR+A^7^1S01hoBWcI#xm&^rL!O&IY@HS$5mZnBhE?m$l3! zS+T+wq(>#-)CSM#(Jxe(0{-Kc-+OS9Sn%f)vS&3^;K#I1`;*{mg<4s-ju~Ag~3KQ9#8FP>-idKGFzXtp0&Sg$pWC723qU6Vyi-!w> z^tx*uk4cA?k3(@IwGvj_zBw{tq9sOmloF=6ZAMq~!MQ#q7-$1L;UH=0e1Hr@ZM+wJ zVEr{P`D@e$5ELeG7zUIKRLPd!M+oYn(foC__KPD1Gjd7=E-!3jKiDiliaEoqk#zGIF9ckOzii_o9DewyXp;%=un4a3EeR2I& zTju+@Hr0`4NH4SSvG0@4Ha}0dTC<^PPs30N?R3nf*c7QKsb)Kk>8mKVAB5n}CjlM) z{)l=T6jOl*YCjjQsmGKLZm-wJyVF}};^>05C=lVB&VaHW!C(^0`4`?6rki2>T=yES z5oYdhn;Hn(z(*w1rACgl2%n5W?T_?8D=d@Y89kce)3tAPP>EI)6SfYAiafaCRC&;7 z`2=?rIm-S-7=MoDBnS@Bsq%*U#2iso&bo=As(AgV5Y&d!rg(uSFlW@(?CMp)rz(gUIs5Zo+9dkQ+}3{VXu>@x1_-JBMWSpW5*9YCB2%VR$vBBsS6M={RHZ=XTw07PiuW; zTidAjU;+FhW>Cegh7oj?J?`Yqh8s73u{e7B{fZcq%7h2zCrw-th;Q)ca%9<{Kb&@7 zHia^cxn+OAeS-Uwnbp2-Hj7X0w|!N&qE6sJfv$qAfE&_YK-SY6(pST)XH!;5LhxU` zs_&$0$b9#{3_Z-P6NLXiT<~u9|0ifEV7sHq1yk>z9W7ZGY)_5nI6UTexjpXQ<-i*$ z(cLyVb+ps1SLcNrxmzUJ$$hByt*jmir+^r>J?mIc)HsDAaM{rS;VY^G z5?ZtF-tnidn}|JNC-bqLYq)N^KlNbDgT3xKTR94}a`{=UCU?3|bFw4|)#E>SG>VI@TE*#?NMuHxc_zkm4ED?4|a>^}e=)1#v4R_^y!t=j+B};_G6gzMSA*BMbRH!z+?! z!g^;VNfR95Em)9l977zMRIeiRrhS%#5hYM!6*a0?lONtoJ^X|UctGAJley?J!6T(_<{tIx zO1&kN2gk|*3L#l}v8b^B)&=UEG?;Px$RwM^h0)xydWDVV)0wN~4~{%G@o8Qeyd|c{ zJg?jQtoib*Cfy!)z&!~QkY>}6=9)+IeRK!H%lSUO#>e7nADS!0X{1+_y57;Pg1h#` zC(4|hdt{6LK1CPZ&PicUuzFnM74SZuX}YE|G~(TVe=JDqH5>+pr2)h`U{P)YN0y zGZoj2G%$+}>-_-vSdl8!_S?Z&15;|ahj)rB9Gg2(K=3=4*L&%T);tLTrRx~DPbWTl zWRxN6{MoZ_x0E;AVe%HiBJ;$aTl0ylamG^qFkB8s`c3l?6hEPUkbV%M z^ZZ$5Nw7zbj2NENvr^9tUH)MA-4lBf{ajZR3@$d$misD=w#_}STc1c{?q`|H7nhiL z2&Tp1pbhliTI>%THpi24OPx9nU=Jf@v}oPP_*aStjWkz~NppEuGby5J$bN)bslMd~ zNFAa;-t={Uc<}wBfiuSurk?BCTLj+{Sv-br-FeJDApS|!kA;yp`?_%}?(;$nzGLrc0_ z*#>W>n^=b6@OAm26C=|+QdDkYjM_zWb-XNv#m7?B@dn-;NZt+@@UyQW*suHjurGfZ z{+nnE+G9czC{3(?cKSlc;HG{*Qe@ec%XgG7qvGQZjo#c(J)D>oved7~`&dHXL-*Tl z@WGa3eMK8xc(;|-VvQckdPx&COR%-&?G`Pc<3=05Ag&)t= zJ&C}cF~bW7w+eaGIn62e<6437XGf|A)Kp~+#Q3w8xUlw(a`v=TxMc2|U^GTVA=II6 zWii8PL3Y{{kkG(5zOx_v8*54;13}SPV4)|x!Pno7D3tR&0X#|yR{Jl1so;Ms_bMX_ zmi7=v%q*EMAD@qV7h&(0cs@}XyqaJS$4uD4y0Kgm>7nH$znCg6m0cgy_3N5~+-0;? zJ$Rugn<;t1GPN7*d%kJ?DY7r7bM~F2b{G)thMu_hZVEm-X0vhN0xx@f>gxJ*XS_ue z!LJ(a4#vqoO6~K@XC$5IA2^Kt9H=9P3OwoemMwXWZ3u5 z@Tgsf9gHlqIa@|tL_PM*b+N=^VUxybed2&`TsU`y4Bvgmp?F)s_iV1UFK8c*KPX?0 zB{w=kftDXMGOO2G4zCCYOJ$?&nu0m#@RGybHlqW78&chvYfV{2aD5(jz@gJRjWP!* za9(Ug}Z63;CP%Xw6Z>>`+HHUIYSgQYuz4a*_%5)a4K+NLV7AUVpU%4N)f1 zmP06sFnY9fjUA`g?P<#yen~V;u-^UxIgBih!+CI!l;i@(w%QxeRfMJ7lnPpi%P zrJ)LIxR3kKo^O>E zn(EUr+b7L~cG9S>4J7vV?7>wLc8af&70g<(@h5aW_j_?uL+dWSzsiEP$Yqn<%qm-8 zWKm(D^+2#X?v~UK;z887qJ`qC{D~@piCZl9>Az;4CR<(jez1}e2c)tjOC}yem{o%~ z)1vzZ)g*|Pf?BZB?=?I+*FW^TAoj##4rf*o2o6ZpgONXWISCe@L62TpDT*Wwr;9iM z`=PQSthtx`i396+d@^P-r5CY*V8?zp1gB#?jH_WJSE)BB4p11xUih*hhInAhzUH+G z>!y2yZ3t^@f)qMkLgK-0nV15Bwy8ENaca}6$NfF5n-+>iKZmcI?R*-lmuo8hgtJ$d zjA#2%G`F&-0~M#3{hsjRRT}AxRH*LYdU^kFXsJbG0;X>GRaVZaM26ao;7!uLsy3&-ef5nf^BrLN`d4&f+jYmHyC1?$wPc3c22|x^gZo&XMz@@DkC*lDY19 zu*ObzzFMv2<_DR~;wDv1dF#|7o=|()y_h(l{Gv0otJJVM4(nc<1O7llPW5U2eOu!XQGX)`5uK8$=8Z z5X99bM%~+s0(ZS1fpL`V?Q$&w`x+U~ay0RukOw2l$rT#(m$gNeT7YSaY@%<7$zLl+ zh*#E2L(SI{AJKfNX!^OFV;&_ZVtYDWZk3-<bK`IXOKPW#@06{{*^v(>#!Nc(E9R+qeKVl@f_ z$Iqt3BOEc$k-$y#O~h2fbT!ruIEOLr8GPNxGj&J4Hy`|*d$S>>`9;I}O6Q*`zvwol zOo@k?n+IEBxz!iuriTX<9WQ+c%ax~YN93x>a3aLVn=Y226;^2@{zro)w@n06og#1R zFDg5uxdx_gl6>P06V%|!%0Yg3(*ETa(Dq&A9}Bxt*%_s^x!CA{%x`f*{Z;sa4hC{ZnR=zFKwt<$XlI|>nd%isM02rzGnz{_(r;{#oTm{)Yh;di^K972qT$7qB?yb-s<8bc2va@H%_m!& z>Xdm~PG<kzS5-Eu~EG216 z_Az-)xiIVI5?h-yE3p@iFF^+;lsEWNTO*Qjr{bac)APh})NGPTev1u7tA25Sv zMFA)Bxo^z~dPHK4QkX-LkP4HK8o6%U$)iE~5Q_N{eG{#3(Ax|FOWYEWLx6&7oy7~d zVaE6Gf5OsFn-}yvxF4LfKeDW%=+v%YWKG3pC&y$~89YmHHt%NW;)IE?D+SjvHbBZo zWpUvIJJgdAuIRQe<^|Hsqg5aeS5O-&Lqd`T9tLRubF?jU2jkhq^uTx3RNalwALpzt z*lGi(+wg9(hDGu*$OW6H*U!VHeimCuZ{=I;y}MsQesD`BkU`b?VbwH#A-Imo;}>*lTb-<^BULiSB+`UJ)#1=`d$xO=2yyye{}_fnoX zm;knZ6?f%PyhS>lv8X#SI0xs#1u&6=96a-=VbH&sIN;v1er0dgp(;&3e}C%4_!1+K z6hyqYVC&-I{r{Xe1Sr>HA#r~F!|obD;@gV~bFNbrlC%8m@f|fARNcq;L1D7yAxXHC zJy(0oy>kU6(f*jK6KU3e=6aGy9na1e6y5GQbL#H=HPuB>9ULRLvB9nkuVjZ-qiX5< zSIx~cFxC>2daEVeM&q|V+(;!CqZO;xPW5pKiKF6hZ8SXW` zDi?JpH?~A|qC0X5Mw(pNLz~{%vlY}m-X+OHibJ3zX9a|(DGar7AS8dsH2I}5$>g1r z1+!<(Zx?hbADLS^(X`?bkyl>{m*P2f;pH$)xf&B}LO7o|J>71_B>FPTsCvO@#_5(BKNXR3^h~AY z**D;s{YtpPJRJDJ#rnxoQ~HDEiCIX^aq6Lor|v!eg3&suJzXnGp$1?Kk*%#OMbq4J zjFXB*K6Rn9v1Eu?{P7K>yB#kn1cv%2(xvi}*pcFfJ9+9JZe8YhmuKZ39uqo5lWp{9 zXcB5rBFHI|nC;@n5Gs9t@N>-%=J7n5?S5mPjpKf!55J^Y?o{!!s0C(^*oj+iaaFV2 z^5zROB?{%ax?FYRR)J3xtr_|bG-Yb&A)S{N5)4vj7?`6Ah9owZZ>8t}+6c4;&MaJ) z{54`R&vXD8i*gZ7KHmn-aM@1vd0Op+;GP_afkoC_(WnU`^wR^&S9o6e?nurTW^JM_ zPfMV=7CX!RM=p0p=?@b0)3h{avfC6}5x*VH`MfJcRwJv9<$kTV23z_yp{~hOM-#oP zIg>2B3HvG2i-x9YMF~Xr!h5ycw2)GHwQ)_Gg>tLq?GX*DS)@}*A@PwtK{yZ0>@@i+ zOU$yAM9kHGkS`2RX>JK^798=&hO8op;8eFM!GmmH2YmdDEoj6RQ=qz^UWFGe)R?|_ zpI{HvD!pMs@O8HJzRS11?#Lh8#d@a+2+00s7hYU`a07M!u>IJON~jxJiB#67m(ZBaY`{@S zy1wL;%tjm`!sfBWqZ~+mzzdgV9=|ZplN&deF&*ypg zdfYj^d}o|jD_(+L)_7Nh**;plGttrh2uD(wyK911^3zoZppzlMkkT(9FjZ1tLS1~(d=!y8w#9rfV%!}hlm?}z(AKk8 zBdka{-GGYG=dz>C_@QlsR^xH`2CR6)lhnD6Q@pI4?_a^0eQ7V%<)JLGpKXeQnjwMC z+?&@Hm~_~OAdHsvWl>K= ziDm!t-;`xP_+PT@b3j9CZgtB-4+ww&nDtv+>-qeMZqPcxFM3pR^!(|_d}-r$*Wx0} zrodaHO(j%7Qb(hT(wYbvzQJ;TZdHMv+x4`om#`XGmt{#QI@O(??k{pt&#ZNdyAaEf zL`xcjTbZ3y7f_E1I3HrOV^lEywjp5V?F!!=HifrEF~g0elY@&c5nxBmu@)EOyuNNq z3j!sR&8iKRMWM}c3Ng6sKhm5uzaaaXYZcH8aW!?2`x{=&4f=>|*`Xv!5kR+fy9fAgj1sA6|xM4|^YyZf6Qsv0SlA$q0>U(aPrKo}E z)x{ypPmx2hvtcE$YqW9fns#DIfOKnqrS96CT*7b*D%yDX8GT4?PFzBBw}P6+Z3&3g(!%r3%IRl+X26x z``QG+TgD&*1AHvvypJ_tA0Dx!GJ)fyIF0AGKFPWZDaKyUi>%KKx61Y@kv(u1O-r`b zK&Fds4ACTj{m=zx&^2XdNKSboq3$vJD7VE|-6JN8BWMc*A8QJ{y+qaeSrTsmu2P%Ym8GCE8aXrA zQm-g{DtVi%)Xp@nzxT`=I82cztBk6Ml!k z_)*KEnQO`W>u&%auK3Z&>|wy}d-p`5NL`o9=8i93Rb2gy7%dEuGf2;HWwgY|qggXc zkZSkcA2R?&z>iZzPf~}RH?$#B@!;-4nYBD?lCfYbll%uW=euO^A1q_6kRKSme1hM- z-=PY5vbOOSL|;f+GB$=Q3pwO)r2%CI=mDvd!%|--!$`q93QI*f+42_O8mbNfirr9N zf9au%>xOnVF+gGuGFn~;2{oY756Du{wm)d5Z9h5l!@47R!o{-A@&;jn$pzwD>o!fL z2F|^+{-N$!sOsEvnTMa%!}u@?(_T=pxmb&WGT%plq&c^s(06$;{kWdpU?{Yp_dcN( zqFk|L4VQ*}=Ck;L@1ttkn^%3crX#8@ zYcuLfM&XEdRJQO`D&UPOyPo}8lrm8Y`Y+Qgq z9@0xA&=451D77H$nM^YS}`8QH(z9{@;pcQ_P@=qfA!zy*GmDv z9@(Z>y&1orD4S>85`={Rf?q%KC-Up{EB;@H{vUSeW&f;0k3%ECmwi^;o=U~vc|-5M^e@$+Hw@2@9~=2Iy!#SG+F#4N=P~sP$(wlhK(TTb&NKi1^&R@0 zKhe84|6krcQNeoS4n0^bVRIm<_3Icm$Y0&Nmje}-_a}Mx{r~g4d#AsgcTah1!5-KD z)}gn+O}ASjN@ep5k(Pg1hhDq&U*p|FB=ZkEW$ha@kbd*-`TSookpE)ue%YVy-J5|9 zJt5%@`Sr@*`Ssm_;KcJkh+p6KKZsvH`Y+_yd;Xhs=rusqr-BasybJXYI`seU-aT%H zgqt5hMwmYEqHWhg&FHn~43U3u(6);}ViH%^kg=q764Jj}myWBBreXqR|A=(B1+ z!cK*C?QQ=Gc{;mN8=kVVF~2a3+?J0Qy3>bc7JheeI%R{9Iw@Tx-blSS2$b{PB=u3-R4Upktr z4xrIiBj}jNGIdWDM_9z!*cqLZAr~;+u-+4f*ry^eV$tK&f_oK}zlY5!z{}97{-zTJ zj^?N9p7Phlp61BByPN_i(2-@OJiDzCeU!i*Q(@iSm$8yIZEe4dG0n=8K5o1cStYh* zKpfD=N#du>XYB6SyP`NBF_y&7toCul43P;+Tf_NT%@&Iv=SrX3uvV{9jL)Xr6k3!8 zn@l~tFfc|0qs8_-KA>oQB=MEC929M3S8KAh;(O;Gz*3&nhB~UsToq=#jp|E%QfO@J zaXtjh90TK{Lv0=1hPj?@Acad2!G1Do^vHV*ZE{fYur z=h2o6Lr9^9Fd{#C4Q_-Ut*_QA>UjpdTtL!?jqjR|ACez`?$+G-1p6&9q*>6?cVc2s zX8_cq7*H{46zRcp)+EnDKB*_ z#zmYLO286!0SC%0GA z{CW}z@ax}Hmi~iZ-}Z0Huc!al{CXm2S6RKm1g2kS$AhMc_TO!GeE(nK0CfU|L)d5SOEWdj(i?q*^^(J1_)U8^J>nolZF41bL8XSc#b@U zqZHZx#pcL!)Y|zu@{|8F=g31OmTy3J2FSw(z_L%1G5?Y*`^WPvd-|KP?0JA?UoK<* zGnPG!^l!(q$Hn{^bL36tM@-vt%tV;K+#LB*Fkrj%&zK|c{x6*)Z+Pdw&9Z;--)7kh z=2`aHI{BNi>>)xT;N2P+hW~ti^B*;FyFK?M5` zbL4+jr{`JrrGG`1y%Zd8p??y~9`FJFVk~ohW!A6N;e8zN?aF zaxalwc9Qv4`X$1NZ@YK3_EHRBp7aXU-evXTgnF|ZK1heYk=hk_M-Zakpr{~Vez3|< zkJ~;13F1m?v=fRk23mTb6Cm{?O-PRs)FDApD%2zL3vHO+SoqC#?#)@1UeSuAmT0GA zG2bG-*X)@Y;-(c4>8|YY^L< z>oLLVSp3j9bQuF$JI%Vp#^4nrWNSF==X_z2&#)=S$%c7KD2@34*n1PVB=f%i+oqXn zW^!yDTTCh|+thI!_khaE8co|2&4tpE#!ORGRJNKHGb<{~U8yWLR5C^l5vWPCQXx}R zQp89_5g|oD_UCkFuHU^p*Y!KDmbs6a=YEcZe?U(-&+qy9yx*^vZwa@&00Q7JJC3uO zxVbl|YmvKK;#i> zOgUgmvcy-3+H`Vp@TgiDJhsiOWH88^Y3gAd9N4!?vB+dO_90j5PT|3gASUS}*T7{n zUE4U~G4qYdLBT3Hs>1@E7#}CHA+|gs1~zeDbOyAGz!+BiK2U9-P~-8auv$wC2G7<4 z{1AGUH3KK!R%UL%bO?coF4-_lJo^F9zqlzm9f0>&SLbpIh{Vwv#A2g}^Q9{uh234U z&+f^QhpfQ;Zjlk=7k2^Ns%e%U^ckYAh97LU1J-9dU(UBAvOc8!ZWD>Umniv_ZGHX% zP1qS8H5$xc4xbrQ9lr?dhQ>53%baCz{A)K{h<7MXZR+6JD zVE;ktMhEmwt%lAI4_d0GJ&Ix}8;zFRHXX5UiVRMPl$4xyoPKifwzz)N4Zp26y;)!; zue4(?F+^6m5ROMX^W5>+>uOh1oAe6vbvvw*s&aQlPmGI>=abCPh)Q{7ns!1c4cSn$ zsoKWEvRedrNcZYO)PQTDdxc&-4pZ zKIf73=rr&in+)k~uvcWfiqpi-xDV_Q2m<5A=Xl8m$wPDfjM4sqG#Jj6h}(tG(Yj@I zlG6C7x!v^15i%h=LMujr6XoO@%Ctu|Qvd+b$Fl74zq9NC-!$fb6U(0Pzldeu@+Y$F z34gH;y%K0gA%G73)JE!`bm$E%Zdsby$}2y7eb4;4^%Zs&!RsOk?+`smda)scr@g7y z4xmh;eG>(FBg39u`Kg(--XMO!Kxwx&09Pe)V`}0EY7~3E;>|e21AlB`Mm#rO#U61% ze;0k2WJ22{3@`~KKqc;8dzzG~iENFGhZ<@wteHG75f8xHyd+B|#FEW5oy;Ua(w9t6 zpxrxfhFYsYCD259nn7?t7 z2JJjJm#za~|8&=eA|=9$vu*4%t{eh*>oH>;+{fPJ;b zIb=Uu&b{deTS6pSfhv;9PFmb-Auo?dZD1rx@9^bC09?$D=$g(qpD(206BU_VhJi9R z08U8$^?kdbeLjD{B7%W1kp}2Tu_?_~b2a4@`~Hr6epY7GgD!6KPB1xi$BX-L%059u zcGh}j2SIhXhL0Ucwd55b?OXgfa11KE>pp~2j<3qg83<g5<+z?xcxQZg&!UlW(%za|4viRGjFU zXYdnu57Q&YcLC?P3fGAhl{{?!g~|sgNTEBRkERDlBs?P#5<&pTAsc^|iOE&4XT9%X zzHZ*{bkEK341jlFh_41vIF>?-Fk*AOz2$bxmLKdJCo)3qn%c{5B(800UJx(>X{wr> z=X{sC7FVqnBD^QnX-~v44JF-uaO{L7Y8itDq3au5DEy5;cZjbI(2blR8+3y-sIKAF z(W#@WZ$WB8LdHGiELU0rExEF)>r8q%2I2rvF%Ajunt_%xd&Z?EK3DV+F*}uSHY5kx zKpcLB>q0LVL8oK_J z)=yt99WzRNJQudnDfUccgEOjA@S0=E5;+ItMZMJd!{N(oCufWSEZfsfau1ATpH2~) zR7zHykb2Q~N9cx=l9EvzzBPddC~*enV=vyu$9H%G75Hv4Q2zJ?Ec=|l8Ot6D1z7gP zj~q+?gJn`ZOMSpinUL z@8*%W1o-u^4<-QqF~Px2nT7wB9{J&q_Q=DDfJdJ7_wvXS<*F%<{OkXn9(mwd_i_CC zD7NX42_OHr`SNjUo9ZiDk)e9ys%HwMU

6h~evv%5AYUfHlUxTat;t_F?(7fGd^mQ*n zMBOY&h2SD}=rS)8T)1e?rMZ9qG? zQl-z+=}uK58wfseR6HTsYDvGXmzLo*ut2&WiLbADX43wH-fuWMT>i+q!?~;BwdRrB z)bgp(EnS6AMUdG`75C?-z5ao=j&&hjm{}+*=WxJGUS#59hPLHMdNPVAfh#NY3Q^Yx z(U57b8y&yk6t$jUY@uhf)XzUc#|Uhn3~0t?W25Zd-&2l!`$7`Yk&+qr{f47bnC{{U z^U^LMmE|kjr{umoWapzAkp{NJqMZdBZ3mg{t0Q>yO%5)%QN%EA(sWSCd8exW!VILR zca;eAM4fJ_kibC-)07>c4aOxtMIH!~&s>+C!o>8Prkh;792|T#bpv!Qsys$&LYeG+ z?T>v$U$SaJ(Hbg$Um$8U5T7{E;dVK8Y#Z*(c^1724qbp!;`8BGfTc+qP=Qxu2&E?} z?>)TP(dRR@Z3N=OdI9Dq9I^w%3NI{O0Y&=xQeawR2KURHqZdlxhJqaQ%JGyX5uA|- zn;m(q@cT`NEwmB9q}Exq-ym59+c;O~`2tm4$_r9)M_RGmp3}r~V1vlzmFOpE)ji{! zTd*gphC44Cf3#0ZF!jmk6^)(eM-~faF_$RM3^kC_4CfO}ntW=O2%6H6of` zJAJ!|92_TcvXz%IDIBs{I&60|uo8}?DLcKdED|;v^}!A5PBP&`kv@*#sfm>UgX|!( zzJC<<^f~7GQQvj8IUKY3;KLTm-m(P%!|u%KmK~MDZDu!u>YPhw4Ar_hH_9`eN%?xr zwvBH{9VgnD8qo@tGu=hbJbr(!Lt=WOwXzx2o;>7leTL$Lhd4(lgVWq;3fYduSkaMV?eEYJvq+;Lchx?ed;k#!pYuZMvJVvO-hr zZxG!i6Z~)vBs~E4VRQ*z;}asLTpcKo93R_Z3cxNt3Treug~01;^M>lCG;ESG!=|RP zeUt!qEHJ(+>&(rdIIjbAgxT4ncjiOz=6>bdT3CXdf)HA=-i5S9qLxRQr;=9_A{_(n z;VHiE*q&Av948b?n{0f&_2HZ%%?OwNS}vsvQk?d+(DHFM=}YP!KH4R=HQ%g0N#PU1 zXiOuF`NmEQw4X_QA&L7I?Dq|=ZhS;q=B^kQi`wCkoYPQhI^`z0rkI1C%pJW8iKViX z8K-uiP@(8aizY`TA!s{58Pb*F2iB{A&=LMD+|UO7GVgt-xR)M{{DbIs;&-B76#ILl zuGv0rrvSRy-LUh|Pv%hz&-ZloFH8%zil6S4o@Cr!nfg=kMZo$TR#s}|3qa_KcV)nc z1rXjjV$kflC^mt^?k$av8;CQ}(E@bYpbdqS;glw%X*Ekh_;x$gH}J~CKzVIo#)Ag&YDQnP8#g6! zZROeEIy*Fu<^%i)8wNu+FaThFEkUndB}Z8YZwvzOyL50O+&N7!G{EWH1anrfLPkO@ zRl{t4gKuPFgiU%j1Gw&hm9Xw>#fk@f@Q`ZA96kN!h9VQohw_AA5|AC3(ccgA@Kj-! zE7UW7=#B=D4;(l{IIsb%(Ru06u(9|UrDxR6JvI)Nk|>0Qys~Ji(S+qG=Dhbt_AWa8 zpG-Ztch4<}m_&vn6FikYQXYB8)?T->1#L%+bWWozYug{_Jf2hXpr*bzv7xguGOScp zl9X-{JQ`L!p24=RezOgrJP+qu(d_mXz4Usg4tu3m?gEL7U2)%UCSvmw?+!j50=IS5^T<9V(0+|Nxe`!y(|*U ztp&ktf!`Eq35(}r_2kr9Rz7)B9HJIHqiQ<6zsb9x6aV&wXNG)4{$K*@JhiGrXmtJn z!LxaxZBhHJWjZ~Q8Pe>Ng?*6yQ^*GQ*)$(*9+DlB@`e`59xM4)CxO@1sx3K=1r6?{ z&v(3t9z1TJ(_p|f3eKJ6N|VM#@F)ZjGMx$za6Xn_Z}^>G4jQ>0X=H6Q78kgP9OCTtkyhXb%C~ixd|TBY|+hgYLnax86p8t?$iy z-xKQA{9!4S0`xO)HcB{UWS)og49hDEh+>pJe)tyG9B8kUf2!U6*!XP^e8i{U-M<@x zss{nB6GmC_;r#pm%&!OPg?}A>y=F-H&-wKL#r&_!uip#s>j^(&fPS zIetClhyNLVedEV<=xIQQo(t^mv46_$-VNB@zuo@E`%m26<2t;jgcooI8ubY}^i$T4 z9Nzau+oEtUddqIo;rs$e**43tf{RvOdYO~0F~r_(^_BZ=R)dnw7i^1 zYm#2OD>_0hM0U6v$4C3R;AK%L!{C$25qx_QS{doOjukwb{C2hBz{F}Q>WT|z{MhwT zK+Gt0mt}mt=VfH3HZRquaV6l}bvXH=V9H2LTEP+ppDy2lu#MdpRa+MV9D5{r zPH~0Hwm`EXC3Vr%5ole{N26VV4n3qB&{_Yx9eTHDK@*9Yplc$7@bOhI3IZgdmLUP0 zx1q>2pcfmSx&kk>9YiLMGn~)4YIwfyt@pb2bL|gja%vBm+@G08w%Njb)QD;XIN)x5 z%7m&Er?#xS=8EvwsS69jgaR>V)O51z0w76)fiC791o=Y5+N-+qm-qJ9>gp!~uf# zx0R1K&E|9eONT!1pLOV`0EnDV)1e0>Eq_vn{+G3il2-$P^|c^mr^CY?NoGN1xl5Oz ziLP=%;}4&bS~x^S7k{=D72`>u14^~3%r2_}Wfik%Lxrq`aVRQh}RU8+z22MYjN{w$d1 zN@O9PRoHy76#Pzsk((krLp#Zk1}e=-5h2(Kx`otHhCBP<$~{E@$$fbGkqkf(RwkaH z8Jr<^Y0g7(C@}W?=siC0?*Aw5@sE`ZxmyN*X?^XXC*gUR$!3$8FOvsXaIXMfTasHw zw;SN#vpmMl8)@9(0xL4v6Hy(GVqj4%8eF*Sn&frXZmU;IbBC2iwG%K!*FpHWJwEKW4n5<&JM<<4BT;KSFglvX7R>Eerb|LI++H|>(yj1P zvfkp2HjSA@86U?_^fo|T#(tc2>tOkE+Sg zJ2FvT3E0NJxCDNV5DE)m`*n<1K-v)VidUl_pZG=H*Aui%9!bkRt5e8$I!-YZjWRr* z>d;d^u0!wmTZf+Ur+4Uy_jbhn{9^vq2v(53_YA5LChbiP-A~y9o^x?}=`^as)#hCT zEH$X^Am{Cd-rnRiYY5ZN!$uLK8u6~#NpsTWVqeDYqYK1ze{8McxOVbW?D3^o1s4IG z^3eb0@Ay+Z^q?fbL!Y~Lvg9`pz5Zpd1+@KNd+2+|_5ZUTdR*Lx?eUd+rG`-)uRLEF zbnz#q6xqm+8y2K2ii$XS_40jA5$!1Y^SXY}7w@sh*S+5!AEYt;xII4Lp`Y60|4R@3 z|G&roxA*u3z#c#E)9>-$RO%*Y8|kkj-@ki6-u}Cj?On4uR?4HH{+$lJTVji+J<`_@ z&Zp_qT?FHmtx<{QBVudNi?nWDb0YQYYZi>UUao&Ib||kqiXROPNhN&?6bM%m*PHJM zy!*B5^f|K;4D%jpLbUPIFD?>zr_8RZQWrKxo+7jxbi;JIKKvSFR;^YnXn)gLgnrGH zf#h%ITNtYORh)%Sc0~CA0^ZoTx->Ww=#^sYeV+g==qa@_bJHj4(5wIC4t--9!-7`?wb2_}W6jayHU<@zQyhifb0)U2xD(sf;4f*v&mS!y?Y@Y`CmEu! z1ESSyp07Di=&7ao#Y{Fde&-6;r9um(y1p_S)+h1Mf6@-UvV-{_9eQ`bLtpx5c<6P< zKC(ma{O5M)y+5&szSWVBk&!+{hyJ%c)}Ps--~aD+=rKG0?GAm$M|J3d)innDciZDL z@&9L!f3kxBz%rO0Q^0sPH45lO5V49jS%Zq_Z%9n{zZX_>MV%QC?nidEK_K@H-f6bC z@7`{S(QmqcFeN*$!O^`T-b5GYd!|P|!r$~Q+{2s~S^c9Sto(}lVL={K%VP60;AQz* zPN}!DlY*`q;iDVoN8imxfpx(f?GvI;r*(yHIyLboj0tLq$4{HwkfVVNoUGKPiFlMS@zJ8)KBH1|9i6RKedPc&)nmeep(N`0U$s=v3uX! zT*B@t(0AMPQ@@|?uTobd58hq8Ch1HfcN7&^8J5#kjxHqCwuJH!Nh-EHtX!gRxsbA& zH9+!~MvkY#p3KfbIybmF7Tk=C^7WvH(XOZuobj4i5CDieNADt&5S2FHX6O%;JT)en ze4j)4+Ld;nev=n@`jBM^^mB=R`Okqit^wH6VNCaM$SzuDIE?&|B}lz3ON)<|^dtx4 zX_*RIg_(x|xA;CTd;ltP>%;?;&&%(fM=UIyxnu3|-ikML2M# z0*|dn@m&0?+mWR2cf&!$;5`lU@c%8OxUi(z=#UJ929@|9(FLkj4gY z21KiwzQS%8aeT=uWCwrd(;Xt=l~`Bm=(u|M393W%)`WP5Lrx zchs0MkK05p%;-d+K15jpH z(txn(srSXV1p(nzxvEmUG~B*DLzihjHZD>9P{|din?*&kNHj`KElefmx%VckL9)iw zUy19jx7GfV9h7Sobm_LEVA}Z478QOchi33DA|(|KRV43R4zk*Xe@jDQFgC}I84H#H z3#W{cjLDvR>e0rD1Mt!A-n^uoE_IuH;u~oxGsv8_ovCTER4;HdXv>HgS&JhRqm+Dt z4*gX6$boj$E2UR^gYLfp&1ASo4W@WC?^qa+s})9vEWw0_{b+W$C}6Ni%vnH+v^yBW zouoPP0)2I=G(ne$Ei5A}5ev#<^@Dui;g>u%W!Y9rc=7vk>90*1J@h3*9x+n0xYB{v zRoya5DxWZDV|wcr?>m*NDe21gcG_q}-wk(5h1wP7mdl}k7I2vrGIX~$HnHIWU)}@w zGq7_@_XfpXcr@{$tUuK!+Y%ZEza-cRTdSf_h*XIHt~kL-peDo9;C| zjb8QDrHze)o{$@`OQ>EIryPpcm9~LND-3D(o)Y&Je_ax7QX2Qz{E&$Y9R4%zG(ma= z+}N1>NIDiiKf2Iv7g)^s#dO1t7FGk7)NS*waxMT`BSRLr&V?D0-?;wk4n5G2>a$t= z0R+H*xHrkaML8vtUu;Ht8CPWa*9xZ}5qz>c1u!mJ6G_9MiU!{!}y3*(u4r(VZt&`;uG)4F|cU{>JgtyP3)&Q*A)2 z>0QXZhllRuH(nDaRikHa*6VgAim~6Ztg431BY~1hazC;-ENP6zApxQLt5|z6Hc{$&W=AQL@zng2+Q#c zo04q9HF291!l*W4Indnj8jHtX1P*RX>S(fB7*#DYX!F0yT(Z!z@HLN)GV7e57E(Iu z+3yGRZQOwledkAY=zl980PwG_zWl`-?DmwS86|KTP~{6Q<8gcD=lwwOF$;)}6<|yx z&KYoRpGxkl0l#+=%c#U3*g5b(CAYn#&Z4%N&#cLMwI6pFWk6zfqL42~fY3~u?#n|?@BPL9KMoV1 zXUBBr6PdY3zjt8ocwWWvl%&%fiRBLB@+t;)NBQ z{T|KOLcT08Mm7>)m8iUwmDyc*o-!#3WcckHWi@c1v`wk)e5(2Q#f7rgeXRtqx_N;s zqqEG@TFg(Ge{;*E#qGf|`E8VMvUN?eOB&7l&J(S^l?B$l|LO}a!2-2}X|TAsqwq0=xs-<$mweEAP|jZHHJIxXVe z9O~1N#ZI*N@UYLB22VFe4rEn^7HO!dJ?T5)!L6hU1a5AGF6VoMb7)LR5 zjoP7m>G=%@+5jdExp$yRr7Z)U`0!RKP&6a6raJW4_wLYxUUc$3(7=d$-c^^ z@igYn26Nf;ToX6mxG0p2SAMk!eVxr>yORsm*kOR1GjNv{r5hOjN&c8ha{)4G&R=Rq zg)|LmFJ2+hpPA~=$9!CeK8iKfp~wE|9eRkzWzpw1Ethk1X-L$bV>`c<~ z1v3v!j~PV;_oV_X&4jAbMpzx)#4-qjt4t3T4~%ybBd^6rtDQBshVLddaM2WXtf6yq z4A9LQaEkYSkDXPw}@DtBc`x%@&9mk{L(r5CVfkF0R$)-0bRpJ-q2unv&Xft z+v0C&i|!O=6^rg)L+>Gw>yl;K{RA}gcnT^xpsU`r5yejADMeNx*}UtP%zNe~6_`q2 zUBh4$iX8qDI-w8MJMDc3-0~HD*4o>2cU&=IO!*|~{v^%h*j+!W93c%teRJ%*u>QL1 zAbmi`G=BF5wM)W+8$vjqrufGAnvh9(1zstMm~$1-LZ!a#w0mTL9^Sn(EI)vuyrAaAs7~em%;Kq+L>~j+ zXgx-_x^%NWEfe|m1tCE&e`K$A_*Cj@&c+%uhCmvq*cK624v5h-Qye-2pB!I8UES)@!(v@OYN3g(A=vbUXvERS-+qoD#a{O56&gW zDQW+WhW45~UQokAWarThieh{x#R>OHg$qrp%4^{6(i!Vp%e8qVe4sZ&GVvr-GX}VY zR}0_wA|LuZIQ94ET3;4e-AhAB|D6tf@_2SuIKX)4Fi<+HxcY(60{-}>4sHvEtXvJB@fKJAEzD}FKnU^Kbm`$v)A$+77qKwlhsZI(l1pDN0MVv7 zFPE8axWY36l^8T_Xta*A5<4drh#HqXA$u!-p$MU(Czd<(Cz!`c8_r+uEoC5e!=eOB zCT^-%dZGM0(1KQt0!P}!Pt>88|H&PC!u)d(pW6GW@ng&1wRX2P+ylv{{TjMN(bN&F zmuX7(@)fsc3}4wx))b~vdP)v6yWL?q3pDx(JzxETV>{6BT*2|$Pbz@N~eXRBL3vO|yjb363J^`EvwUl0Y< z2VkF~Ly!KmJM=~WZiilV_22H$+k8}qo&v0!)n(AUqo-OfrKwf{?eP!?lJlCRUw268 z{_7mN$y8pn6zsH@CaLLu;qL^WSynbC7!5yZ!9lY}^`E^VMR zyN#)p&o`{09~95X-6&sD9BSHDw}6hcZSnI7C}XHo_oi8sA@11Puc5R>D<%0L5|QpR zDta+u4itga_E2BXF-};9&^jV-l(_LCuJoZY!E?H7WQhUFHtRPIt+Uv${Tn`ag0r9cPICXJtcaUye30q z<8FX|c(`(KrV$gu2LbNkjcL@4w8Yi5)S?-^vma$8KbSAu6Y?cJ0in>wlMcFLFSa!L zVgO)%EJ!EcC6Wf#`PC-fT~sy1iCNRo+C(BJR>X+&8af)i#@mR@)bgJ3E+BJ(1u_@K zPjv~VVz(nq^h;SQSTSQg%nRgoa%8N|7hnJwKYLD2&m7lm7R!x~RliN@Zz`DqD)CKH zX!6v`3c+ZB0d9-p;C6zc70G~{h$*!Sq;PddQsj3YenZ^*C5b(l^mc&2n=4Efc(K;ON;M5d%w>+mp?eyOknFpBu2GFv4O7a4Bl)D z`=+?|PIk~q*sL}AESN!zqH8gC zbI~^5hA>9`i&3j#aRccMUG<>*?H+vPmjSv4hTj790jdoWzK>_keNJ;qIkuRWdf@l_$twaURU8RLL!-U>Qrl zDPu!HIzuea=-$ci0q zbf3CmI`S?haV^qQ+~UBcq!#3)-pNU;WeX?o%Xqfp5YBo6Q?C-W;kM?-yto#C5i{0Y#FurojXU{fw zgAYGv2j|l3PQ_Qxw=HMYkRb#1cZFq4lS`M|*~^CGW4Z_ATi&&%nz~Eq5V1fcEn{jb zpHnpll$oH!Q37;Y9o*<_=!ace2jDIaTw5rZpGO8DFgu%Vv*I2^(p9B1-d@qzA~`*s z23G{dE9QdJtBp63R?(aw2#CwN3O%Mz5hT8s-np5Fxomql7zxW z-6TcIqEwtx6P=_JEaHQ`yBeF4t#y??fv=Bt4?xKy;>Y#p$|2(M+$iu#u>K*)d5aa_ zW)Li8qxiS&a(V?zYbhD<-LBN*FDbO?ykLU}7;G$42u9PF#Pr;rbY*4_q)5Ms$CQpe zDKHEH6?oM+kM@c9_0A(~#NxjSzrKJEY;*nzzkZ5h{+H#~yHD}!*N;vAWc+$5@xSxy zlm2r2dd9#kfG(V1fG7JYgu=CQ?(NBi zp%77V*4+SdlQ8<-^hdmei0rV@p#ngNnz+J*~$uFi7M-lN&x%23%b!dvO0*58^HqXz? zyu7~JNyUC!|HEW^^9`q8y=t1hxukWzys%&DAB>@*YN=&vnPo#IhsgE^*>^Sg4{KYP zz{AhvE!hAVsd%)}yH4mT(3K4B{??5CUT4vPrh;A7LWC(0Ack9S-a z4OuUc+c0rjF7Vikq!RKjobVwKTCy-}$%~|QGEx9uul6ZI`?~2ZJuXAn_L=3pCE@-hZX8cUE$9y8rnwK8F`Uw zQV+C64wK0|=XEu%TzR=~TzzWQ10Tu~am+4TskhB!%^jPa*dL=GZvzu7*zySFH>b3k zYvWy-L%9LrZQ!2u%3_n}!aXe$f; zgS2J_3u-Nh&g&U8i8F+S8R({YCq*kT;Q(uwo033MSw;O+NHSORW0Z$b)*V!>FcAY< zy-;0z7x5Sj$uxg$!QE*x^lL*e!dCaoN_3nQ<3e0PV=Rc6c+@T9z?*{zK}_`mp+wL{ zNwL75V#(Qs@H2RxTOQE*E;6|q6s(h1K4_cT#axvP-s%K`GM2zO?c{rZ@q^R;7}Lvv z4K|Vi#XC2d0cp}RC(rigrctPcVLA0ZLa~6eA|kJ4`@NiV;a9yq&!AecH_6bsZly)( znHo=~klH`kS#xk)ve?eHX16h7j7P;(-hG{yO2Wq{ep|vsg8LV47%aGVXR03faGT(J z@R}U35!h@qC_DLxtH@1S_DxWvNgV6ax%hvu0M?+0w~nGJKud=M^B|imxuranf@d$) zl(e|l9!EG-?Tk8E$e(^zfM)Ln$#c1>MSS~7d;;+P3cSN70l(m@@6UYtV=K8Co{7MJ z*44MvmUtw%6vyMQ zT?7x#bON2P9pE$u8zc+AQ>-H95edP&<(gMO_O59cimz^JYZIM8qT+x|TFg8}Hyfpd z73jr0-As2!0AdOpT|V@}133hKt__>W(0rDa@;!N5vqLNQf`4&X+0b48b+#=(R_3Ty z4&DZgbO$-t+-f?XD1Lvt7X`C|OxCf*a)k|2M zihN|Ex-GRbqZ{XGlXj7@QG-oi!ufK&_vQ!AC>7eIcNv_Hwz;yqWrlq7+HZY%tCXk9PZM)BHO&a{tzOQ2{d3j8I zLur<^{>o@%!@H3ngM`Ojz8ug(ecMQ80>Gx{z=D#){eXc@_&>yChgkqi(P)x0g?+rV zpR#u_W2Y-^aiQUbjTa8NXNGVdBkYcN#;An4ULRH==?cYVD@&o!Yu>LZjtCBz?@l+= zXyR&;dQs~Nbqw}0eCNGX%aFRt$6FkJ^(9KuN9Vq~j$bh8e!)Yz=gi4zcWALEmj=5Q zHlB%GE||nV)C~vf@2XjX`hb238)k6z(kt0t<>!iEMYItchGypLNFU%pu-Dz#m1xdV za|2lP0zK-4uD@5u9+N_}Nf?|M9$_>m|Gk44$LIYa-W>*(bNVuahKG8#DQ$5DkRlDs z&OR=%Xz{S$u$mRo1~^UJI7YcnkklK(TyM5E{8?NiZbZV5=!%B6T=sFV)7U@ZM5O!K zyTEETfk)UyGl?$Z^1;`W?bqF-Zgy*A#H;R?@_KXw48K4DXocgc@OWF{w{zH_2Fs3u z$+l^x9;N<~&X@*1Rh-f#x_}KXK!R%PB=e5hqVm)=rm#o=3z6d&L*$WcW@>owh`275 z6|hLJo%X@$^1_)$hEYtS{_V!;r^4=ENGu$zG(X=oh|vtEFD{y)e3f%eV9DZ?!;m4Y z^hNsug-N~kzzMc0lHL`sERCYZWOoYYyN$Qe-1M{^Rh(jc5@VcGA&~_U3F%+qfw0j@ z_^U6#Ket$5ZmG`1LRT(t$bIKtXZMq`D}kBzum|hCFY>IqZ~sW!*r6xrC}}V7 zoHryepo8h^b5P`u!!1X+DbAKjl#uaUpol)V&H4&?af!)*y&b37Uq`}9)d8XlO^rL4 z1Bqo68fL9`B+5=WV7=|i`_-%# z$n&{u;%KqAEJ(lcr0hWW#mb>^$!mEr(@7taJ0B=yrd|^UVr71EXHi-(*0qGZq#nzm zZoiaZD+-8>rW2S46`~$&zcZAK_XJsfg)NOeY&t5~(pOMZlBvaM2wN!=rbA0 zGr&4(`YC3w(Q>o*o?rfk`E`UEO?CsRdYOON!)6CflrJvRDGx&;6B_QT z=1304v;(g?-k?$^MMx=+YU7QdZVS|nawor3^oTS?@1D|eHK<-`6=l#|j;D_s zZt#9t7t$)6KS7|3V_>xN==TOFz9g|$3F$KI|=y|&;{8qBE zZb&11XtZ%kXMyGcbviTvAaXyT?FZh7+>e`V3291A{>~a=c%60+m@A?Q|r02xh%ROkyJ|IUw zdxpc(hC*-Tp7^oB;w866z8Ns<3>_>>Qp@I6o+Tfw*=>-JlAVMTqIN^Y;~ic7{)5yW zJN{nK9RzhY3+Pnz-{+ygjTxzT46}v>)%J*5$VB%1ZsdvpvEz@108a zD13Ez{I`6wh27wZPJiQ=PBLERhp|eGrE%Bma;jWJZ?DAb$6cX#IIc2j97clh;6Ns> z0xw=4zQ3xq7~f?CX_k7K$9Zo=^h z@PiBltVlo3ovnRdm0OOXZ!hnCB8;$<-)@RyFh7q7Z(@#co;-r1OuKW21tUO(Lo~)l zV59XG+Hs-K&!z z*oOt53y?0x9W;|K@OpO5`gCqL)0T_Kw>_j zGFHCRHoTQI;CZni0|u7`4s^MumJ{;&i=cSZ0O~*`kiSp^`HQ`mHDlIY$HL~<&M5Fv!#(rbSzVZpN(p4@EYUqB>v!k!r zLhq`tW#(OOZ_JN0dI=aL@16SilMe7Y6UA`(8?x-R0PO})@P_@X8HRz~i+<#PFkQ(v z@d(;{dEw2ViX4M6&{dz276t6t`1tyA z^>qP%+hx7geUJGEJXhX7XC&2O|ZN;3fYP0r`V9iqRAocMM_ksrVu-%wU=Q6HrUrvMmes$_1X%l@=gdFyU zUjlbjIpD^*7FX02qrAYkIW3Lk`~Hg>AJeBzOF9<$Xz5+kWaSRJbBsJK3asR|y{jx_ zfG@e5x$EEMN1q_^VaMF_(fwJ{XXd&eIwzD7PZINQzV7|HGCvioX-m$Y>}rIMTtnc| zlpRJ7@tRqEZQW77I$S>Yum9wK{;zl>m~+ACoM2t;=VwpYkUw+@|Ow95*X zqd_8I1 z&ABew?s$86{q+&LQ)AR7`-gDlgx!nB`ugxmvA4Ku$L(_m!Jgn%ao{>fUo^)r%C9xg z@r%!muZoXX6@FJXjQz6HPuFp%UdV|0s$()}X@MX4gxonlnISK09$V}U7PbpsU5F#% z{6^WY^%tg(QrvSunFOO5-WxyPy8L}Uhit#xX5`fR*=Fcx2`A7dw*$5oohvyUQt_QP zH1x9Fw&6>SU zI)_o=1l!%n&Enh7R?K;y&;6m#R~qGdPFo(8s~9erWz_kL$Fy6u8$L&79-r7Vl=+Ty zBBb5h3>mw(xpfyOE0Bt>u0>y@0u{v@!)LJ!EzQ|T%SM*JWZ3Xv9+2dTj zVnwg4W6@w>e$;^z%7cDUWws())a9s+Z;b+)>TVw-n_qQ4xj1Fvyi;?2@j16zGkH1m z2k%=Ii)};d0z1K)%%YtHdtKt=cZU^kFEuZ&6j`!Oe+CaeouABUg-oVUpvTon2&TUs z(s4opVOJVv^#MOov&uQMPQTZuVbz>zeMi1Ba-901kJ2fHL9>i(V?B@MJro6EZ~pqQ zns>aS9UIiyaV+oI;|ovPx9&A*^EN}5aYL^xMgXXR+vM-rf!ZPR5SyXOKjUOAyMQ?1 z-LZ&q*rKq5B&Wh+N=W(^Y&bVLaa8CmmO2M?X-~A@76zPiL;AUoCyzWBJa79=^FZne z^AQ)*Tt|Mj#_V=Bd%ovEdkL}V6lzI81{=R51ygoSdVgB^&Q76^pHiD5&d^& zIOjf|%#PYEyP%wX>0Ra1-V+RgdV~zGipYA?GXLxM`%eJ>wiBMqKYR3ifzi0bPu@nG z7{;d6$Fa0IvfKCe6`buzAsxKDW#;xW=VmVA2s=<=t9v^C%$kd4?if*Vb5zCYYfalP zRdzfP*5&i4&VyW{nFff&Jk3TT5BIn0`>EAT?1jeS({Gd;+uPW^euKB4{%E~Reke|| zVi_;AU9@}A%vGPq^lltm=zxAYFEnV-sH)J`o}Zv7<=E5b3?5cgRU_}ZDiD!% znhNgQOM|X2&c=;KnHP920`ikDHch*~_rm+$;Wn=S{Z8)(+~0Pgrw6rJ$9gOZ&3n7Q ze{cwLd^UEzDGqb&?)i~h*S3m_d@m-1w0dR*2wQlX#mC{}DUF+wj~~BN`2aeWzpL^# zw(L0mIK{VVV95M<3nT6_+izs(t*4mFm*qgomF7o+Q!IW4F9_Ir8-m<{b|%}bqV~*k zEO~aBI^wXbZcnrA$lNDA`etlpE+x5AQHnT1bjh9e287&QnGYGa9qA%EvHMcbk`*hG z7g_5na!68Uz|zrkCg%OzJN`f#I;Zx-v;GynOG{Qq*}f3$M$@Avq+px5(_2$4@3 zMh`aDE`DwKOOWVpW@vbJyX}c%kY7B*@4a-3zMb`}(5JIMrn2bTnUd5H5K+f#Bv%UE zzjgT!8u}eLRAU4{qZ3qZ@a?x|y7h&aDPriNzp$>MM-ZWFcwU{Z}B+fcR3>Lq6 z(pAH#)a_6;1V4TCB)GYpOmJd93A8@plG#mcCCr|B*5w<`D)jr85B7il&v_Iw??0Y$ z5ol@IPZ{1u+n(GV@;))Y_WvR6%%hUryS|S$SecqxX%0|XS*KFTa45mj(mG{ko^l>3 zF-cL$0U4}gPC1ab9p@mkQqwduG-peMN|Zb*D$YaTJPRs<@6~;uXT9%w*E!ExJR``Puu2MQ&gCK6QEkhy*6Yu6LmidH;jN zum2-1o|grYF_=GKQ>LKYAlauou}d~_-fvWht6(h5iUoad%}}+F_^Cs;QQNL4Mh&8x zBS?>0(&^W2>Q`ZPwYNp;gAa#&qa8^$HWx^l`$n1fzZb;Z65sw=(AnA?hng|%GdEfofCH0osw1r zU3~?5Y;Xn8PFiJye+IqrQ4T%4kuaXleebIGI@VMnA~L2WWYLP%VwAV=T%HFe$@%P3 zHX46n-k^w~h+}eUR|H5`6B-NI+<;SodQ=xM!3a)gt}*fhJ00UJD#4gcgj_{Gu5~M! zGu?*U=lxq&y3FEcm562vMw(j3bcy$Alw5G5X5{FbtB+q{f#W#0P9>{&SLi3SR3IKG zK+FsH&r)=@X_{w>@yx>z>`a8+P{DUE1!TDn<&>Rxgd=HNR9}X!&U9&Syq`1t(~!C|-<_!{I>Zf~B%MnC09E@M}a2*>LFw=e@G{ zO`cU#+m&L@0R=ruxwxy9t!}x;)6!gfwKXM?=2?jHcu_ILzxa$-@ zmw$nIQR9W*+4#^Nb$#OwTMN)*SIobR*J^YNs&kt%)%YjNEb&-!1nj9An;R1RdY zzKwe#&ThP)bQCnw^yhmECe7Wlvha5A_LfYCUluK!+kM*;iQ9c_;$Ln?&~CL|(`kQ2 zJdUTk3EX^}2Frej zdKBD3%y>&Fv%Z_f8#LTvTb<^hHmJ&Lf@&paZj-AGOttBUX_|x0!B}K&Q|sKULcf}L zu8WF$gEZD8#$j6fcJ;Lzvu|q?$4m%Uw>?uml%Rsf2hC*r$fc?veK;ycPR3Gx7i@xx9%+7wW(pF;d@)gwi(G4ppwtI@Z8k87gu0nq^F$Qaa1 zFk)0}6WV29bcT#I@uRt&`GMWaW-N~T$1HH`s^EY|HJy!e5^-&;Uym>Xy6-a$hh0GQ+8}X z!k%CEL!jGc+K6dZVR0&~(6$4w3e#-i%H`9o9S$Qm;`c(^E#x?KyyrqpL%|f+P&A=M zmIdT2{xRw}bU{D1`AqRazb*0gA$qGSn+D=HJXVfZYw36;?tulSCQZb@V|YWd#!x;c zgjDpzvh>b;Hn(uX<&8bt!bhOX9#@6XbY~vG7Jk`xuupWSwFZn{W9SvZI{Pb~k9Avs zsA*)7??I2BD-U)^$D02o3?uihZgG2vQCU5>_^Zom%f+J{Gu_<6Jcfbr>{(_eoRyf~ zb`A6WV%(=QqLUsp6YQd^am-^$syNMttU_~~gci|ya}aY5OB0%rs&s#7&dd?9BUZt~ z+gSYOTpV^rq2KPNg2~MX$uBO(6EJVVedS1am97f(+=l3o{^OJG%l9W+1uW%_qM9RZ zJ5OTcS|kN&3!dLBYG6_9PZW_LCk5jn`23OSbzD?9LBa~Fb1zsS3%;b|zY_%d)XeWw z4vJE4**kvv1pM~n1XO|i0s)CwIcE8g_v^wi$v(f)0|Hm#9uBmPn?z1#V?XU0D=x|# z`((S&o1?u1T}bQhCoYUNR80?OGja*5*8^>YQWW@Y&h~s227&+F2&!vixm!pKy%R) zqRP}v`Nl|BEIE-VNOeqFtr-JE0`FEcZpsP_FDDEdo(asg6_0o=PayC#6WAoVzhtJ1 zw*_STee3=B^FJF6-CDK)CGnheoosgos`r(_j`Smozp8K#^OkkrU-K>iq~gnH>thj+ zCgn)5H?cDJwnjjz9yi>&L?6N98CjTJ&}M)uUOOn%3eSc$o5p#9~gj$|5c5#_r*yF8%@MzOzFH5qT;_BP>Kmtr)61FlK&ila(>8fJvE)t1)bj38va~bgTR!(l7^+N!7$-d- zWeEx~|6e?TeVEjL_X%u&eER49*VQ6OTd{O<^bHz_vqm82W6b{jNv)-KPn6!lv}JA9#4oy8nwaZw`l7^WpVdT1QQ7w=%KhNRjIi4q?+?WM zbj5i1uY7m~KjZXgVZK3i)Hl7X!Rsas(XTE!E8$Z^fipnQ^5K5dKK0wSfoLRIR*y`> zFW#f7j=Z~Bdqb2jhwk3cn;IC+CwPBo^HjVn*TI32DS$)QjL^VwIcA%?H7y5#ifPSZ862X1Do}lX>hdV1efX%=vx4s z>7w$H+zt=23X902d=xv>bKBn5Vuh@n(!eN-RaW zGf`4%f*tpxPPP^am>7u1n+Kp-!4EO~T42=Uqx!R1aLa>+{r_o};mS@;wfOtkwQ8G4 ztGwB%dT7z|1}I9wIf>ygrDQ}eDJrs*S=C1Dv4ii1#SD5}b$R2XAW~x1Knq|zdN);N z-p&yMPbPBj>6RfhJzc%sGE+{sNAIVojANl%%_3yKLmVfM_!$Xzsx9ZCb~)tY+~mhU zM%00^7JRx9rWL%=AiL9wn!Qrbe;G;Ci1_7&su`R;k!h&i{GzjH8k(c;Imu{exK3Tx zu8wY5RICTzZV3YUr^8bdux1JGoQFOE|Yxt`tkr{gpooIFf+kJ2L`Oc_*6?CPbX*k^} z&QPT15Y-}?Hn8odCK|^XPJb~b=z4_VDsPSeD!}w-FNB-*kH$El0w6Sl$I@rtU-C-+ zW(s|0KJhRs(DYctsEs)8hQjShKW()3()GZ2uWOcnhy*AfOMV=02lK-ARh@BDIAMeBP;!XUXE*Uakw#Z^TpKVaKyuOf3`B1C8I4_79-sLBh|2 z+n0$_b5H}T&x|ykCk~B0s~)N|)fKN0yz*T;cUo8$^u_v9+G*l1dL7_4zpKXPHKt~q zzI-c_gM|V}vq2OYY%nDqSRb}_H+ML3o4xe8l%;Bw7olMQ`c=?epb-flfpeF z*j)qlSpKjBy0U1(8>Q&ZL%jz|C}?wJ?r^&5@|TZM#bgEIA4Wc>M`zMLAKIgt0P{qk zwbA&Sg1PScg`wf?lf!ytmNKN~TVXt!emT!3yc}jn_5n`5eZ89SS=;UD?@gMd{A)4w zojK;!`*{o-rg&TNqwfW1xuGV_9F88D=+oAt9PZ$hD$YYaRket#o@A#t=BTHmEQhMN z@2PqL>jKRv6;3s1mZ64mYUllQ@c*kR@*XtXDPY*Q76wk4)td2BThdYv1S{ZF!CpkPFobO9ehgHP-jgsWSZg>Iv4=sM}2q=^69pD)EOD z&Q=X@+}O%2f`@JgtbcXHCc|mfeYpqKq^=1;o`1$4-XFt^UNCNZU%SN0Q7E1q9)4#6 z$RR{A!)TgApqY?Fc<}g4SD`oqG;8J)_p=({Vcqk;dLuwIHT$;~Z2h4HC(?tmZd|Wy ze^u>!shDzFhco)(+l4Ij_3j3BB$+JpD%sq!gPx!L$@W56VcvuGRe>$Jfuf9K?QOZ) z;`-)Bh5&WzRzIPmUdTrjFW%~R5X`MDE;=PF3Q54nsV}gfXu;eq`PjM1;kiM*oLkL@ z)d|btd<;nN!9Ae-5{9Mb*_4^yXKZjqo;1%YGeL)r8jurD3$!4R-%SF_?Xczi>T8W6 zcQQ=V6T%yLSBQ}&v>mSHl*s&U!oFG{WMzhk2AR<>ncyjhE|O9q_l}n7|3D=h{^cdj zB)@{6E|kj$gu*qsKMtIQU4PW}O?Q8xS;vddau6KDuxt-$<5j0Nn`=>2m8I(}z|3QO z<8*#Y>2>8RA}c zbUUSa_trmUA;pLHHG z>Ji>D;q@ftS0>za~%&fWlrFJUhgI8D}}ei$_Mt_bOxDf*APQ5DJ7$ctMjtC<6ziDp2mci`xAE*LTb0v?B7#^G zO!3a}!fjJZDd~p^ydB}x#^rPynjQVEEwVe{S}bk~V;neEWDkkogHMIcx%1w7vM>AW z5!G|GJ*sqs>G|xJCPb*fu7kV$1w}R-uPhD5#$)s$wVyoQ)n$a6H;!hNOJN?nsQ0NY z@jka()hzX(tm>KRs{&oHzxql&oC?Rcb&orFq{9Q@geM)X%!gK-gT z&B=$$-hE`yqMIHOdFkmc(a1Y;e@iI6J^zGAb!1Qr{N@kSGvkgKz@Rq-GRNvFsg*de zi2_~hxEEO5PEfpDC>&C+oogE)^|rE)$cU8k2TM$fk!lfpyq9#B9=9#c_SsF{Kvuh7 z2=3dpdU`$w?;4cq!8+_Od32 zxav+bL5noy-?PC!BsYY#%KtD10QQM^%K&W({?K>p(><>uW6D1ni{oI;cJD2h%U{20 ztQapIPcL7o$I@=nYE_{gP!7+AT8`4}5Al9B=;4zvSJ3Wdg!(Q20-WaTb2|5*T4zD5#MF=$S@htrU!eg7xe<99w=%C?fS54x&;6rmnV^yoOX7m z9V<}VwQ#cR8$&cZQ{>rxd64$y3yg&CF;tDF2}q~#!Ytj z!$pRrkIyBPk7Sp5&?niMr=1udJQYedV^_PQLfDSTR4lH>n%0YUuP$cfGJ9Y(#c><% zo>++Vt`0rRtGj*h=0%X{x0}0@Cx;CZT8tl5c+#Wi0-S}DNXh{?XOX|DKB|kXcM?T^ zO*MAiB1l!UQom^-8qjK%6pXP~W)p2hc4g%vW2Qv&{=&wye)OMXL;y*c^q<QKbtyL@?BxN0EGyA9#dsQkCJ{JZW8W!6y? z%x?K6ca1NQ!p3wphM{hXPARTn!pX0X&^?WP=#8*qsZFz8;NfV(;$fE-jqDZ9ExNZH zZ`Ei6)?DORRK6;5J4H#1RUPr$JdCb^HEH(g>3(9W;>%VZO%wqyb$)j{(%`3onSC2e zp?^_R-7nx$v&;HUoj+h9R#ft@@jD%~3cX>QHFg#AbWzkqIJS$qsAjc2{YZfNTweCc z+Vaij+R9Ldg93E{ScJ|4X4L{Ft&aPvqMMr{fG;VD&jn}_aQ5cN{*r4}CU|68l3!|+jdUwy&M;qwxKPZ(MA~V%D>sMXqp<;)xo7Sg-rOw z^>tFq=cX$?$$IHCN0d0UT3p;o_nv&`V+$MW%=iCngnOI&S4R-&sU4btf zdwf`|^ewDe_w{+Nj0ky*f($`7-WSpOAEFlX*LMC4HuP`CDE9nc)I-XUY`@JC@KGBir@Mv|>z!qZV z(w?K3PfmkVT`sx)`&ec+t>MGitJ|L&#HsDGGNkX7 zRp)K#jYCe^$75e080nz}{V^6q2c44;JbzAh~BofsQJEV zz@iBafb^t@_kO8oH&g+&LN*!7N-3MT->6+Vd5@&Y_}P&7hT-8VYF44nve5H$cjJ7F`SPYj<&|X^n7Hv-2|(>XcNadm|Wrg zKDvQf!}m`j0;Td zw?`9CbLP*kMs}!I^_>#&q@!Wqez_uWR=cdB9T(b8CadzGOcj6(1gs~V_K>j*siQdq z{S5#J=x?n6gL*Bq8*a`r_?=&-J(nt0sWv7<0k6ab_x+Fj!pa1p&CjXzah zGzPqkm#S43ce$HZ>O7jZV>S=%-AZc8)!qhwQgLLs-7+iiI{$(O3%;i6a725){X+aB z%|2t1l2zEk6tjlpoyN?JUC{NQhuV|jgo0vg9K(+a>#q=?`bnI*OwPWrkDkL3yXMcf z4Ge&0H_zcV#F_GEYqk=kA$VBn36b&xqAw*~#XnaMx_?VjIxGHAWO`vd@_nJzKz)?r zgwg2t*iX@lsP(?$FU%f%9{;ULHazZoO~{{aOG%C*n^x=qbF>y!dDDfo@;#^DZ$tM_ z7ezmyywo!fEUiF*2m2r2;OX@bkw@~z(^H4d7U=3Hk}9-0tKIJn2yLbcH>h-r%++7e z+*k>xEyvUQl^r@UYA?G-GC77yI4oOoSW{U%*7(^$uR{;|XNLo4KgCX)$a%k+6aYo) z7c!RHpCez$UpIVa4)>K;qfF#$f<6}+Tmq9^RX8qfp3U*twC-2c<;+j%&G9H7xM)Ws zg3+V=D){caJ=<=`NE02GK5bvy-#LP6uJMl(6mNzu#ed|6pc`KTnBifNv8MD{-G=|c z#o(E_C4pu?BmZL9?@#8k{*>jQ zbJKzo@6QgcZU4GOvIKLgdY_HbHT^lqO@NVx(xBc_lTLYadzHJ%wDBK2cXJ^G>hQ+a= zGT$atGx)%n{$0zdvXmCMNXcemFo#Nv8=j;Oc37zMWIuBytD`xyZ0t2AV5)zVjiwp{ znDu3o1#ayL{KDPiqcnV_yq9!ct0rjUrGE$$hskHhr!)NjYZm~3l?c}`xXusEywn*PEzBbzjQag5ub$`{fG94^tIu@8Jb~R5ZLtKZqQQD6N2c;) zJ0d5@S?JvqitsLp!rklu5FngFL7J`9{<%J@48fA!umJ`4=A)!<%Aq`HimMmQ{gVC9 zn$peVhqDaTY0p#uD$Y#nL%M%=THLno=v>@bx2jmTrC)dP(&!&mi<-Y(FNkux=4=y> znSO9T!3dwK3Cqjs`e9Tq+8 zakbxiwTuU*w}q@ahO6-VAT`AWU{ZnfiA#y9D}8S8Dl9WJ#9i0p_su)zYV14fXQjGw zrqXn_2#D6Xhi>syvc>j#{HAAQ0$QFL0T)hL>Gabl6T`_Zb^_-PF>e}g9ZO-@CBcMW zS0;TBMvdJxkKT$vR4MeIq^9nJACj_8*(X`k0%R!r>~7TGp_|8#N?!ndsL+_?T1J^+ zU#|Gq7PQ|kCR4WhBvl+U7eECqM(&RmJ3HF$4d$;*+oY_fuCS(NYE~9KT!eGh$lnm+ zmRpLLFm|8Q2FOZZEZ_a0j2?uTiV#+ZO$fJ6DGS>()A*7q3k7|^kK1?F8@Dwr{3J6P zJ1w`UHl@s#+BLXA!Nj9%)%;{>Io_{Ir47bL#0i8>()C5<%+Cls>&+!%|2?16A=s0A zKva+^PBng+Pfr63U%;ugKx#FYswyx@@Mi<%l2iLXLP>QSe{h-7uJ7#=)TIWF-+!m^ zck1-*i!GB?3(dWSmD8b4XWAmB96GcYuc?F{+U}!-6?9`g*d8*`-eO2-`z=>y<1i=!f-S%; z=KdQ^z)zQ;jI(tTutU9C$+0fWO}G0cta4q8p;0Dxp`z5hdt6wJ@`x$FR4Kqn*D28c z_h-YPF9caeSeZw5XKDK?11T3tY(Hi6%Pq8Hb)F3JAS0?0AoyIinGHXL1`KL#&OUtl z2!~NNwkr#a=M_hFWhc<~%u$N0ylMwD`wZ6>f8*a^f3Mz=&4@Lgug;CKPa$};2YzWF zT8JscHnB~xi+OQ`D$MZ3|H~*Ssm{^JIu*sV+Tw(1DS%;u@v6`GF8Y$(V}z9GxknwuEHVTCOnBYP;`l4CuhzAvkHK63;#~6UaT+`WK4Bl{zsOpOo0Q8ycmrGu^6GXG z#gYnL0HeckS}7alzsDcArnCbqf5HijvQu!C+Q}c@BOY}Uz$Qu#CxmDh2vBSZEMcve zdpj(k0HeXa8a4#4eYUr}01zYAQL1s1E#a_0U7pjT5Rq#p_NMe20s)1{Yx~iQ{BI2V z)N4QJq*2+j2qf?!HyL(q``bqmuu*?2haZ!T=+(BJ1q!4)$C->QeS{iFnR%eJZi-=4?FI`>wrnu ziS_Sx`Z44T{3iZUd|uK7{OK3f9wk%*>AJ4HhYtL08o8s`i6p}le6=dx1H&Hq7q7yT zWz0n*HTZ2QDlPg)d(39&>f$Frwur>G#|-ih$N*zEE7N+y0~~JKYixl1nE-8Xw`FL6 z;Te+llGC(7#}hrdj<@=-$(bIwd7RUPJegQW2rHf?EO-;(2W3VM&#wGlq4OeCNm?(m z;>X4J<=Cwi^52v0SJZ!WVx|veEY&H3njamJ`dilNax|zS z`+H-GNU;uWpwXl?ndLroCp0zvIL*DFMNctb5CbE{!y?JCP9AfPGAEvhSmnFqx&5i9 zuh*ZZmq(Ftv_U)0qWT{eg(x%rA=!Xv1F|C4l0rXtR`mH(FWEyQCo)8#daz zd%hhp5*oIOo+|C-+cWj-`hn{q(#oIZBy3JW$AV-wtf z@J}T@d=Aid{5e<$6;ur(@Sk9!4)!|3tMQ8xfrh2h^7E#E5kPoKJ(>Dj;d$u7vn?PUZyCpa?S}!Q>21MTHXhBkk*iWuw*Coq)aO>C^ncs@A`4XwsY6W58Af zoY%~N3=Uq(IHw8fQQc*u`M2@JQSrzR8iKM7)N(kl-Q#@b3*Ba;Y^x=+ne*z(r?rqx z7qo6uxVhy$&Tf4ymTaui4B;u1qe0{&PHdh z;Az!=OhIhf(V!i_{X=X`HI_~~4yqb|O$}Tpd|dA!uCJ4dDktAvu2jQ}P~W`jw)72X zotBr;XzLwomI)3nZ|tpj8qA}9Ep?3r`H6@=Sk&LdpttayXM@`$di=SmKJB|5T);gy zt$moVt$JtZVVEUAGnE9f!**RC9%)@~gC}Mmjy0O&WRu0S_KlM9x04;Fn^&d>>p#EL zs@COk)c#=Cpcd6f?4#5}{SXT=NC>suhr95}s!H5M)6ZU^pDf!vQ5^(W0Z$R$}8UNtAUs|@L7P`v%i>L_kH7=h_87V3@UU5y5?8bKm3~Yk45pHhje44>y8yJ`v*^(5Nbq%GD&vj z;ATme_cTLEY9?&GzCuP_Q0JTCyk_zi%ceg33`Fq38(;UD{oUB=!MZR`Phf{L*=M4C zYG~{IEz7!+!6;dcq)5+Sd!IZ<+`F=LAlaA*jB6f^Lng2Z_#IX{<4DfiTKsa$HAOzS z-0sZ{B0~uoHviO-iG3$nTh=AC@rNL#hP8MfZidhegYE=)#epK!R1#C%P*2XlPz;)+ zjMTFc3XSQpFoW;$x~iAK_X#hujcVL@qN4CZbj?!41#Ph|o1bnMM~G8=02ar%H+_fO zwZbRT$h87Y%3i)- z_hKukb}l|_3Lyzb0iT{!j++Ae>W9-W``8mxb%lw=AJ0J(?QGdt$x(~%@iQp%O2jC1NtYr!WOuX zS4#RXYi)J2X=Ex5-*ygiJ1o$qFy2O{PH9C5+f2D0u)Bnk}rushj3 z#uiJM5v)7iowIni0PYCU?RUMa+h3*1b~iLuX2^cdT5PS)V94x1cG_%5UBSxvriQH1 zl`boICxugKD*}|If|v)r&XoL^91%Gbl=qaF&}Na890ArBXj16Nn9pQ{o&+2g>u?os zUDQDei4Keo9!3d+rpkPKD{lNV*m7mxgG)eHAxyl~i$aL=rq_xn1`+e%#+2YFa42<} zA~b$c`TdP=6SLt;*Ls5vsYSdz-&i55y&NihiU~u1RoajO^mpN_pR+4OeL{&%z+s{y zpuB2-Hwyck{5om3aoHffH>i8+Lr{k@O;&0j_u#!>5q0sfR~O|hlki?IbYWK+&xr?I zDk_M3NF{Q7ZRnhkI{Y4)w;mRPvA-cY@v8ZG7xpNR@X zrstE(fMNRR27bE#N1mL{iycw*hM7yonNfRoq6HtuRO>V0!Urhd48h?mAK$TK%}%f+ zoH~nsE<4>+%iOhEAvA=iYF2q$mm6qSZ}`D$Ll52P~S;S?!coU zsz8NlHuV(=ymX76PS4h2+4twYLk!24hgLtefmu>)fILYq_xt=Z8M8&8i{IW6;1gy} zN#Mser>CZ4tVAbwGQCXZzxX>N3vLWgwO)Uh#mb_38Puiob@#@Ts)idfVX* zzyzul>L2IVb#WV$D?pFQtHj1U%p^%rLX{inBlYj@wV}+vpSJZSEj+*=l4Nz(tb=)D zIe}YbX`1BFwV;KAbz4Bh8+un&AFPY}*QdgY)!O<7;#D_rXb-YGJ1_4L?_kEfGfULJUKtZ=l@8?u|N@Vc9ARFTm$a=5ptn|cg* z(VtbBun(`(8_vJg4VUU8r?`@E>r0PkZiHa^=99}N1%RY5TF;4^0$=y_8`?5koM7up z3|xl=cQ^-6)%MAol;ekdf02=Yuw!)VtVr}yhj>RAk0E5cu753B`&Gy(tD&u9(JC!> za-MRCv*8f+53UR89rqLn0~=%}u9&)!;R3@_>kqlkKS-NLIXzj{rp$*~*nnv;Dez{T z%IaaBllN;D@;8&0Y;Zx0t<`rMK^)p~gXJIiVO)WxKsTG^`E2}7pdV<@(| zcM_@)Zl9s|x_0Hn-D{1i%Z!uT?#e9;sQ=4obKGg+<}T#b0^M1~%L%_55>)(`tL*m= z^WPOt{PG-o6*7)hWJh#SVZ{YFDd62dVs!|#9^T2EA-*fk;oqWGEKls^2Go6)@ZLs| zV=0ST9g=8up;yOOps!ps6dU^Al>5g6r3Q?sMwKFF5#bI+8=l5$S9qNrnj?o1f@eRJcHb!nG@Xz#*H3KgqlE6<_G1GGn!q)~BW)h6&KPNtaWNp-4 zG83uhJK84^lm(ltudrpx${(8umrF)_uxyRCp{+N`q{VC*^x+N{yif4gqd8aReBNx5 z9^u1ha5i7(7CJhrrvq&W!`hS;7AmN$ddi1s2|1?lV97)>Y!c)unNO+2kQOppy=N&r z^pty)2B(*g5RNU6GBtWf4n>(Mz~AHPn&82JkHfRV@!>s$&U!GX)^nJLA>)*t{LTrx z*rd|+%5UTC`Jy6-4q;HXjOq9^$ZCCFXZ_E)r82G(W%l8;5gT_kaA{p?rkG5e+|{o! z?H4s&Jwu$?1&LiDh=@Eb(<}BSGNpgXDs|1wz_xK zJ9!s(|J5O6SUx511b#{hssf$tAP}6E*EYxypP+e+#}ix$L(vSf=A9eY(OFTlb3ukg~s^usd|t82ZQF{i*2#FvG)CXm7b?wDX8<6GssD3c^Tz@8PusR ze4~eiFB^T>F{flv2tZ2W(2`}lB$UFqb$A%@y@@~PUDRCkXzsZVJbgA81Qnvp{~dyQ8f z^vj)@SJEIY*FyxRZz1AQ3!56x^^t}=zC z+A@UiTc9LpNt&3;4~BprwH=yEbdNm*8o3jLqToD*24M>Zt>45e)O8%`h{^c~t=Gg+ zGst+FoR5!xxktmJ=?glc*1^KceqyYD*Y*byJI)@LJWwD!6U|1M81ql+kmh2`ULWyl zj!(HZz!eaCvcXHaN3~XgU~ME&G9F}8FR2dIy3aMQud&zfS!e`4+3y&5{_UrZJnv|A z#RC{QGq><>o{lPf2@8d2trqppOkYUCj>XtT6_o{74Ql`^PkR}e{*1l7qW*QsNAdn- z)jg5&`pnerVMPe@7(_%4MAJOM=dkXh6RtM$r$?VPo$DT(%!Y`)gw4S<*ss0&pM&>Y zS%BD5fU9~n2I=2y#J__7G-X;VnSaibsFnF#39s1g!dd#wt zUp>%JBDt2LC35b62<>#4(o|oGE`P=ShF8_$|etWP&m_H^b8v~Kq9hNcES?XKafz)Y}MGN1xv;mELJgPrJy<(-Gm-_1{A#^t!=|@J?{~i zhX5?NxRU~GRpO;SHYn5&&)0c)ZL+~DOtdY?kU@iuqI?9C>?+lzQ&^3;ZY!$rmWH{Y zCwQc0jI3Cn?!@Dj-qG2}0@e&2_y-S5>55z4Hc)Ml1P9FeuFOewp%4@0y$^y7z1~vp z%r^&Dy>TpAeNGbHS)bA4TCA@zu4HXk@2C~DPbX2A?P~k5?CJ_77s;bT>&1ED_2g8b z&oBK|KfswV*U+ohHyfEi_RsuM8VQ;m&o7$pn@b30EkhFpE{~+ol5!VP!d6nmNeE+< z#$dhDBVTMr_dQ!D{|oGQlE-fu2c$>FqD0e`m_Q8hawR|%gnt8a46>E-_9UVHOhw4^ z`2n%ut8L9Y(P~GnOKoYX=pY@;q&wQRYx5sTPxpBZW~(6gzlCkx_jM?H zC~C?@SYaDX#`k0oSFcQA!YYS{cU!D^`F6^Bll~t~bXZqn|m#oH3N`t+B zQ~GkZLF?Id5lL9-s&lI9i>2?$o?j*ood+d);`{gg2i62ecz)U6S>J}wlBrh*j>NQ{ zRa!I{8&w|*&8jJ6jJX$Yk9BqFUP8vA? z>ItilltayKGW>^Qxc^7B@ESB5Uu1%tZK;w`4~d$#XG_A3K5AHiKDP!-hDJI9ZC%B& zHB2Syy(__=s}I|b099;e-!G1^Es2UAXXsufU8bAv_b)RHDw3|A&Ku4SLzTQd0$Q6y znRHjr#bYvq?vaiNpX3<7j0p-Oa>2hd*vNEG=)}|WpbvW$t#05~8eMC;ith*(b4;p-^Nh1e`)WO#(x*p~tSE=C z3|2F2js?!qcm5!UtqoTW=3wR$zZMav&}VAO@*+XW z>(`1kxuttR^Qe&x;Mx1Q>^`5e-g*AuVQ&HvOnU9SDSf8#m-uove_@GSbjU>1#SYC{ z!||VX5XUaNs&+-M-=b5CtHO|%lR&l9e{Ubkacl+lm3XC%zpU9x^*G(|E3j*UkXKnz z*wg|m_QWhJU>3%`)R&+fV5TgLC-`Wgt}M1+P~I%6WJfDTS*Miq^U;EMWT6~2LR23$ z7iCPFWZU-?5mT{U?1lEgZZO+iBedoZLW}wje3m=o{Xt5b6UQqq#Gb<~_*Ak#vTq}F zT;8-Mhr3Y1?f4_oHM}&8rFoMvCzCB{&JQ7p63I7)@O#{Dyb5B(Fp(|Ns3U(Eg^T@Buul1Mi0FhQ(sndOnuM8~D{9^S7PO?DlC$0@cW~ff6 zv!rjwV+z-ab4?f$cHsWrT8PC~OPO;%pO~L&7oN^cQn@zbBGOWRWxaw)RmDk#2gO@w zVPcjZTYZEr_|1mCgRmwn=Tpvnb~k;xLBZJX5yryqcrwUO`!4S3xW&LcZS}JzIrH-P zlT>TzR5D>iv-boB*Lc+b@@?q&SXhZTjo#r%f5XqjHb3bOSr_&9Yxvbk*$~cr@^F*| z{V0kT`}3!_+zqoAer`R!KC7_q$C&@oHmNjONis?EH&M&pdVFL862>1ue~&U*8@$sH z{Dgd)5;UwdbT+qdV>**I{2$Kdd=zPGFR<642$&y&agWh`N3&A(-rYR*o#OCIK&E4g zG0*!Y%l#k)&XN?)C8Ax;Pu<`w9FGGMV}F#Q3A{WtDT>s1T7a@zFs3|k8hUdZ*jRM0 zh~t*fkF_SR{LV5vk$drSp-etjVQdtfeG~J^aGw+>;}DqowllwYIsOe0N|oP42>6E} zn&fgcfqq~z9|lj-sSuuxThP}qD&lKJ>TxK|@C~pra#x3*(R7#KW@%W+=?#Z`|GWD6 zf|T3t;oe10g9#VGylwMJ%pu^!;JoW5*4F~X7IJgvbCq22^K?Y}0qHs)k!Z)czFe(V zaSKFjz5X78C@n@jxa%Y}Ago;%CunVv>$bMgXy1Q-_|EwsMP<%i9T=d*7FK{mY4AOc zP2lN?w2CeLecgdVdhL1G*RQimJ61wy4a*mceD;GzWSI3qYsvmiGi}6yP)zr8}rU}pu zn=m=)f0?FJz4+&}kTfHF^{{IEM$tHU@tKU}+|-uXEufUX{559S8nbtkvXic%%DSSo z)WF>z-LrdKq4b&8x+egyxbMVe%=(Xde04o;@XKi99cC@c-B6anIaO@HS%`X^pTMARo+l$s907YN8wT```(9YvVn1#t|3uviG%qA>MjVw)`hKz`G1jjWKLLg&bbW5#Q)HL>wV|W z2jn~UzBaqU#79E5G%q1{Dx3WuzTP{U?fCy6jnSfNlq#(es%WdI)}BRMEk$W-G`6bR zdrPb;sz#|%v#M&u9WY*<6?7TW< zXGJ$g?s*$=;gULEUHdDHdGp%JTN;*!z6Lti*^7FY8eM@ou8_zO0Pial&8-5?mI3Uu ziSa4z4nTC;h(~VMZq#CliO3|y9aJF%b%BRPK&F3R7%u_?G%gh>g0VX@dbM=A zt_`m2ITrRa`LkDApOtPSgB|F0P7fexT^wi;ncKEHyW|1($q`;;u<8e0v|jcDQwdz% zu0kFbp6;wxM~AS@HSXTRiT@xt)vjwePVLF;%J*i5a!qX^Pq%5UMX%M=N28$%HNexE z9)*sq$$Y};lwlp=(lP?id%sJI0*$7kOga2ll$c>ajh$`UeXo{iZ50(rM{$YXR$e% zA&n|2bp&IQi0hV6zgsYKTMa)h0$$Cg5zNZX` z@4(=51+p79jCPU}=jj8lwMa&SKj2zt&6aEjApo}?m=awJn;JG88!3cx~e{IOH+qu<*PP#f0Y1Xkp32rjoo z+D#Qm1TH8>V{oHmAh2>NQR^5XOqRIBt>2HePs>pY#C4b0Am=MpQ5> z5$&PWX1g%J0GHOm4PN|gyld~OZ#ckPmt2HR6P#DFl6O7twbh4$VJEp;fsQA62)J$` zw%s{6K!f?Sr`$Dd-xWcVNlxdsYr<4Z<4ho(U0}S}?w3EFRIu6F@DBHmYa4I6XV-&rvEZP5gDR=5^fqr|s# zj^DPsuO$p>m4-UdSUlbMtkrl6j=@4PKUFxs-1tgJau2V(aT>Pq(04v7N}O%xapL=Q zvJ7IMvqt*w7KyDTj_^v>%FV!Nc_4ssDFa%tbyJ_&Rsm+wRjvqI?2x$fU{s0`lbN^P zyeBQt(OBq8p`6DZc8T6wj%Gm05m`f!Uo6m26dqSD7eKzxIB(m({99o!9S}_A{g(HN zV}RbPtyT_Rl(g+B!|@+3R{1<7Bh1N%;lFS6y%jdl8Ge`^wEL4&+TEKFoQQnke=LYG zWxqy3?#w1c0ZzruCa%+J0k=kc%5lo`rR6xyO|Rb*Qb*sc6msfXl{`}u2zgq51>s`I zsZ%g92@pvY=S!?bf}J7|z`|7J+%euSlRQa1vf)S?=SPWKZV<>p&QF1)73s=tJVfs1V9q^}Om zzB&Q`Q|W2B;%WI$get+?g=R-K1Mqx)BJo<8*wRieSsf0s2g&nGH@s!gQ4U$@^b&K? zsp*2PW(zkJf32*i`dvRUj08_d6B>+g-ir*k1Kw!KSJqmk;b2b!WYHra?;vhxznNtC zUYi2UaqrG=p_^70^HhpbE8$-uU#+5Z4jX{|lW~|ADOX6%PlDeMA>GXi1>R7^org~+ zx_^3KVX*S-!W+Ve&Z9ef)F9U5 zcd{!#-qgDGOItZne}3ps$nlra9}rtOW&@WRZ;^(O&Nq6VV!&8bX1ur1n6WE5ai+?N zM1tK%wck)0<)nE`&C@Kn)~Kid^;`@W(DZ&kYv+BoN`W*<-5NO6)@n~FJhEFXUl0iB zzXMu6me9hDBSJtiIUEWAc~WMnr~r(s>HKZQWM`q&PZvleIox+#+N8%TXx*-uEX3>I zBjq826~T_~1ebn1S#5qii4_SU0`ZWdGz*P7Mo|8Ya#ovRCi~n|Al$=RX*QAyt$4Ne zxB8*^&n$nP7i(PNNpCW~8@^IJoB&)W-+-WdShld$o*yP|)nID}Khc`on#uw2JzI{N zTLTJ!hrL{cc|)55=U2%J13E5&h7{bc1z+NyD?uqO2Xw{KUJceq@>Bu(t`;o(r$v$3 zQLNr$a|y&LnQuv=2c2D2VB0zFAii|zEa&l0MYFj|>GJw1R-DHi;i#}qttcXNZ_jsf zuACQSILT#yYK8>;XA@a;lMWyy9JT3roV{jUTJp!U&6~;M{}hUV&K7G-){wjSfulmM zi_Ze?p|huwp=ixEAJuE1{Z@vjrnpiPO-$^p>ld&>=qtoVM6;#8tS$xMU6}c`n%+Cl zA^*smw6%8UseYVsJ3}UNqpzmhnzU&Ea%`Q|8QVH(c(7=CF7Mv&8wPsKG}397dHtF| znwySiJGAOlR z2eyxtI)U!^nslNhBL$*J_|k|uaBa$rgtu0+x%dnVZ+|%VTTr}Wjl<7+_9crGGwidF z(enehi+~)S-M^8Ntycdqr4og>y^2Z6`USej_KrgX$6CccWANv&>svZEKrU|tQk|5K zi!TVp!KW!(ioA3etJzA69Q+JEgTX$UkSi;vH`3>2qxLeGP8bx?OBqDJ=&^I-$oIHm zkG*K+Pd~2@R$4n2!1FB3mv!p@(0>(wf0t-K1u0Z1z+#`H{f59O2e#gq^?n!=1Pq zBG3nK({M}O$o5*#tdra+5cZQw*Q^E%85rIG_K^SJw|aFqki^rKqtYgfpobkfr}Ee# zRSyQK&A^d01@5d@y zl{YMiJM4-6)2E2)K&323i|N;+0bM!#1U+phx}vsEV&ODF+RRx@iBH6WzLwp+b-f+> z^7WJJ->E-Qk{SH?^;skGE*>k>I_7xzbL8=i{L<;s?(D#h=imHvpM?BVw+vSw!ghY0 zW0jh-`qq+we*qqAeKCtTU(U0noj(P>yt##bo4VHmBeJh)dp?`pwHl6LBeT{dM!EF; zA2}89Hd69o3xBb|;6K6iyk8FYs&8ta%ToOl0<^{Jd-bNUg+&c@Km?t20!;waBnC;` za&+_nw3zn4mCNTyds7<1Nv9%m=0^Oxo^b=Kv?JQl$Nf@Se8+~s52<*Ua#qHovD_ef zy1zNs$W0mUR^@U(SK`{Zg3gi0YDd3Eh-lVPHpzfZhLt@mS&(#+(ZWc$#zMx-xW&d>4x_h9YL1jXwlV~!VMU8xRkPQJq@lQ3rV z1&9M&Gm!&-P(WyGJH*qNQ7gaFtNvS$?{iE)Mt;u4t*I*3+9Gu;R6vH(IW@i)>$7kq zz;azJROpwFkMHT6G}s$dVX#M@t%xuLHkVVvC!A;WNQf$->m1OfP4cH)Ms0!%?w?fT z$lG@%T!!CJ06?=H0_{+DRFh;yqdNuL@tu=(bg#7nc+m#Yk7=NjZY@|@!|Z6>jso+< zG3h=hHiy}(Ijuex(8v2ZkG<2Ygfo;<^?;M9+6Yk}V-UQp{}`vZaiA^-G7vVayuUcL>kdy7lU&B6t+Uh1YZW|ldt zJ=#a!X&n*~=NCOSFvbhppb>CO`~+*XMZ}GOms|5)2}8a;}mqaZ^(Uax+o}Jz=E&|9+Enlk($t(8&?+?64sW&p~DtEe{?(8&c3> zV=wk>z-1(>i_}zCD$Y+1SOZ~@)lz6Q@d>_@P&4PSrE1SC=TRd5sTxrLy4$t`=-Oir-Yf6Y0xYlG%p-|(dcB-z>fQJgM41@#YZ*g8F!TUfX{fjk6xGAuY&Uy)|ylZ zbqioQ@f$voV#daT4$Pj(=^nCIeq~vH`r>Ql?#d$wi)VI9@G-!W;nJHE2aSBgdmn)Thm z#Hi4(Lm5ze4uyw|Aie&dmhWbgy*e8{`+jYar;3F^FW3*|@)-D*ON7ZhMv3gcvno_z zzuiIKCTz z;#R2JSyv2B*Cd78QCWA^2448Z&VHAdq6l(WgORo$W#HA6TKMb{;!M0pdIk2#!0vix z##R{cndD@Qx91Br{<-4b^rQ+4bq@R^JEqx=JkAREY3PlHYyb!+u@TAH~pM(H>2~ z-lJo`F*TU3UrUiJ^~Bl9>FVd;K-r%vV!T-d>$Dq+_1 zrRuxTvE-_6L;brk;Wf?bJyCwD}^KQMqy{kL(Q?GOL%H9F!wrkcGajk(v zis4}*;NSL!+Qyl?GlLBBd}GII4W6+BSEr$d?~Q?rc2<*V4zKw@6_pL%xYD3mDuvy^ zK+ZdUU4FDL=dfdPtlw@gGe@vY7*uKoUY&!Al)mR|L%grfadw2fAW%CSmGPbf8=xMO zYzty_r_g8g~j^Ier|avGRF3f|$cP(_Y4UcLQqtu|4I#8g``#n)@6 zdqLs5!QTuVE#$B@ni=u>vt^eaij0C2f>}V0_o=4uc)gB^m9yz*k#I^KHB&c&s7>vs zV-X$)nVovF1aA74@<;x8^oy~~&CfGrG|>j#v+bA$y!BaV_P=Rk81HIw!gxKe@b23j&UP8Yxrz4GD=Vh2JmdUi!4M&kp(llo}`SKDf?tPlnQ} z<1Z$1(~;N|Zs~h5*J=eHPgSMzNzdZ@J?WLpu#AF5k>&r`KM3k_yy2ekJIDg3t+JE< zqVDtXZfDV}fY*-+9zKvT@5jfbAN=uXua5*`no2kY^7&jLk-9)Ob`wg}qy8&OmBd_` zr)U)LVq~xbHQ6`#4c%Mj@xPL}@v({Ze~iNaA~xVE`^`tFMvP#ov{}fA>~tXAAI#@7 z@dZyqCem!(;NdH`^cseJlaZ|2Z{^{ijB$5mqV3B2Ttd?B_G?Ja zi~|0c;-o6_5%W7I;jslzmMY^xQhj+?UVaT`D<&|4(b9HL1W;=&YD)W#Rk-$JO2bhW zmy80R!&5*~bWa)MYnRKc7YjasyLM6qEk_xiO)SR8zqd8mBz7?jPhhKVbj|u58GKCz zSivpdVK%ww$D!@8+yHsO0a1rbw=IrwqXo<$Z{11T;)YaZ$oYsO@lD+$>%tE#3nZDD zf(0(RuM+G0nFa5qtIc&bPc?v6OR~}qo38v;r!4<;fJ6yX=)u~WDskg?cBB5e-l1%Y z_(xXCK+a*vul7`!`RwlJ(AQqNQ@>V!*}rULfR6(4TBuXOoqaPEPS|zm4~&2?k%PK4 zmpP)=`YTc)I=a*eT&#m0MT_GeuW+5e zMozFxcdTiD1do4_s7b9BhzZYaMId;JpyW^4^KhSXX5(Je*=nVfCS~Xt@^cl z|MM~b@p_=a9ngNrHoNgfEhe$?Z0<&7r#x&9a}3_6vfz;dmikDBOtzmAK18CkmFqn0 zW3j5DM}c4YrwTyu?KDsd#PxQ*h$G12FS}o+SI12&F)(2;^o#B=yVaoI9(pFK z_-KO{wEyh%IlDdZvV4JOqnOpktnfXjKR9yExigF;WHE^!5L6oH9GvY_n1a{^Eyl|x zu0Sidln+w?YR_y1`M$&88I^B8>vE6}pJvz7f?j=f&qHOx$)i-3LI=7zqrlb_K&`&4 z<07kW%F7W6wsuxWT!jLLh%rAv!Zw+%wrIwYL4IkK-8K?v`|9`w zBz2m@c>5-01L3@a@!me*PCXhtss~($z&{}@rH$|?u8Om4N0H?0z+Le|w~PqY!U9?Q zv+eR;=T1&k(U<8+s=z{|!jo!WlG9b(mXOXfA#*GY$X9Y`XO?KMHr_9<>J+QjcxjFb z7bUO%u_?h?dmcX7o;&>da~?3g?u$?qj~%w=Dz)4!o-QNjhJZ|TqB0Uybh!NZPt>@W z7Qfmw`360t?xabXLW)r>%T#NgydMsg_nv>gAfS3h9)Y#y?Z|Q9*uSO1NxTA_tNK-& z7@iDsm|d?{2D0O^Vz$gCBl^d98nb+0S1phl)vL)uPxq_o;UIE8 zmHLDc6_(Pv>x8Mb|g%(Sxh zk=c#JlX)#awfFWr6^LHWe=tgTaVJoN~C zF?;);BA&s!-Q?ThvvV=ZCU%EvBtBGoe%pxWm!X34hKbv1_WOuB0b{fP$J8smgfyrXFLN{1sN-f7movRcjJWOb$f1jo= zsqZ+4d;6^$Gjr3+ZkBu*bF*1LElY!iJ&lnt$hHaP^hm05G3B&K*s#;<{g++&gu{%l z)7iNI>Zk!==1#>FDCLtbaYNMK@7fS8*PUhPR26n^9O5{$3D}3WB$5r`!qxLZ3Ezy0 z6|nl;GC+8Qp{zzXo(I%_zP=s1VIZ0$%cg?h&;_?WQ_+rYv4r6}3){O^azF`}m2 zUfahw4T+m4C0OoaR?AdWFv3>F;2KCo7#9Mfj;4Vnkash1F)M@373Bo52XCrO%#F3_ z5ZC_}Z->5l#_sQ>?XFmQ-NIVM8b%Dyjyg|v{Wvpy)HCUFb`+O*Ho-$c|8?^_c`eW= zbJ|`I^{#iSny?lPvvD?kLv=SQ{fW7^m${8oDf1_-U*4QlaV=32^V;MHyCEHW_a9-V zud!BK&_08WK1X8$BMya#Ap)pb;m5M2AEq-pSb})+^;zNZr4Mq1+_;R=p^oTSwnN&N zka4F_keA;*-v5LksL2Hx0}c2<=L6y>G5?FdsH(;@s&Qz>ZW~64Vb)dqv*PY~R*Il- zV}0f6MfzE1pZsh!<~ z``qeq6mU}PNRsBeFR_RAE7BiIuF~m-7ldE3TdxC5iqV`mf3K00f)cCv3MkNEF!+~= ze4dd*5J9HBb%q;o)KnxMc(nf`xWCb|xqdHO9Rx%|z*3Hvl4LZiX8F7i?QiOx8hR~+ z2swW*oCk8`RY#e#s-Vp%P8Tv0O_9(N_iZIA&I*pqDK`HjEC2D5SSz7|aSH9SQI zcamH8ODNnnlKuL=+8kRg>e1rN64&vkmmLs?nw9!p#>)nL)wB7Aya@e}`3gigmLH_B za!>1LRqdX6l556<*QE=6n^L^c_yFz$bifSAv$|z11Ie4Ds{9>u!O1 zry!!T`ugmv)@Ui4g-`}VDi+x5w--_r)B0nQk3vDm`GC+(V1( zzy0B&p9GZdc~v&-+0@{RJ3weZjV^dR;WavFQ zl(nudL2{nnZ4Ml+k#acfxXZ8NL2!6|fKH&Dq!JDLADNQ>8Vw8NC_l!7sAD^!yA*xE zEH@M6Q-_`@@}8xocR6XFYox5fHkv*nV2$lf{oIbu;z`t_9nsJRo{r zF7kOoYd}HZ_?Vu_%jNACYmwMbwLU)XQpG(1YOgv}Y zw`_{#Y@>J?mw9-Pu334*yf!Vsve&<$rZ6dv3V$GK7URGN9KTCH#*Vq+wJ#}3yq@s+ z$-*JNqqUN{` zSBIpc1ooS1U6hp{A>0wMP30T`FE-13#{XE z_rhh7?00#|NalCOPqAnKq#A7K^(%SeSHc^DYw^(hp z(5Xn!#ua&T4LJ}a26p5>MPq1ABdg@ss-?$28&LF4wbpa0VrSYlR>Z!!GmX|Gml5EmFHx5; zOR=Tq>EW>}?)8P%e7H_Fcw)!eYh%txR$RZYHpbh7d?&AZtGI(+H%ksMc85MvRyMVK z{;!LJ97@^5;D6HkrufykQ3HMKfVv4`IBy-OiHe!Y=Co_1Yb=<}^f$yxG%+j_o5)&A9zzY3Kev4?v zIIpW47-OI-{RMb7Ra!rr!I+6^SZL){W@w2RHeloPXq%GXAVj%BW$&zOr?^dacB=pmLtpV=5es_!cU$)Im=^FTn%4asBpxy8iVu zse2!hF}`SY9tZ3%ekUhnG)}lOAJl~}p&avFgg@kBSY6m*_5zvJlbDXGDgtn;8Lmvl zSo-KlAr1pcI|2^MEKc(IWC4)N^IEvk14R4!u0d+i7?IpzSfmC}cmX)aerE>_13)jC zT-86dIUCWK68)d~3BqJ0(M@`2&kYhGeJf1;3j8Ax$huYbAwGw-v5r(exopvnv`0+- zHJXWyUpOgC4i+*84B(Ckxa0Z=aKpzkox}L;REQR;%$=|_l~}Quf@BAaozu-Q&+q0Q%Vhx zu(RGhwJpG*Yqt#~km=Vu?4KCJ^-v#Ja#rP5rI%_MCJQOa=LZ84Gl$Y1FDvWvraY}Z zHlmgV_;d6f9^HC->VR_Sl{(6Q+21^dH^xXt;UiVhG@5%N17PKOM~>TP{V#~2+aU#y zPJutq@58s3vLAnfsQ)YKGuUwWQp-mNcebkN|0#Jom_cejfM+ILAbrBFtean@Ryz`C z@c20EzO$AU%~k8~Srvn!((b`qglk(s?hzo=0S`C_LLc75I>qbLyhdK<^Sc{`j;Dad z)!(arwVNzAFS!6uBTiTZvn3*YT$sQ-mpL90!Y%A@Zx&VU=q+9+XM~z`yfi$R`e7qD zk(brhzc&w`RcK%ym`PvB0K10a&pawTvLEV361FO9Am6 zz)1K-vtLJ7lmOi8(|*Ja6L6b_?W?X^mAl!-4exK6tjPl>X0gWe@lyn&0uWbaN6;7Y zQ8wL*oXnr|T8g9#ZAq-M6Hp94u>XlVmRVy0bq~$xI%L+*jG5L7Di{IS6o zL0edKN%|K*6L857$l-cDHu`-01Ty?w%FhYvjUI+TQ30K6o@I?5N4`aLzUz)v#1JXC z(`TiC`^i(z=`oRsU-ds<<(WwaM(pK`^Ysjgf)BY*&Mgjq0YNe2cmJ*g3NI{^2JVzl z`AxI<_LDJIz#!j8g4a&^|MFiMJ({j4g~bVi==p13#c$UneatrLpF<&!Dx1T&O+9wD zg8L!Xz`r&rU#fV%7oC!$aG0k;Q4g3TwH4yFAN^q;lLEXdUuq|Y)8p-PSkm7$9u_)^ z7Z|@csS87?nrV8H0#RQ;;o~k^aJ?~h_Zj2<4U;+7_j3#~gmlO`5DY1; znImpX-Vg(9?wYL(v^EQq!QfAK<*3HcR|bY%!z>I(Eb;yWaXoCpB2<)5!e2NgNPX)0 zet#@su(#L`4=`n8i3ZpDrA`Z>5#Uhq9yB7+?y-6@YX1cN1ECUE3H(JwzHYNq+qt#lZsLX z`SXdG41`4X)VTf9l73$_xJ*eJAp{OkYzxi#-vI+3BS`6Ru5mvb6PM%X2YT3ewec9b zjoz$TRY|trLC!pBe7(|$Jf6XfYNZXAR61qY8FujuKpl9<9O}zn29TEX3?nE}bMfYL zx7zWQM3Y${-95nO0ti(N?7BKX-=4TciI{G%l<8ZBjeW6^-YjWNCS_15-p%FP1ovyM z0N&l?s{J=}H(Gc=9swztACDupNh#;)$49B3K0^h+9YW2fkJ}%i|CKgOOAQ+pGBHgs z18_Ca_E_ff!Xc1ac63Ff3Ge!w+;Us=@rwrQyr827$y3ayZw}q3jHxHTVSp6E`970@ z2xPh+9~eW&;KpNefVPhPVqm|uEs=c(b7o&cX5w8aO{V&SLfrc25C>r5!y#M@U9(af zdX4rsNx7Rm#OkImxPIHc*cO1^(Rut05=@{v__0QLEkE1@nD*y5O%?j?2T`oDyr&^^ z^3a+lr4=ziTI|>~AkJx|G^ zOq+h_r4^GEm}tJahHoWuGNeD@AwLcpG+9si_K=#o+U`Vre6cSfgbch2oNS zXJ}TxR+?X%|0XT5O?fd}4N9IyElM`dY)Q|bDUX=4SPf^q zOBhs%p?IP86tXE7I6?k-?{0Wb(OWd~mXlprbJ8FRe~DebM`9db*^b%+elJy8i&q`~ zK)mW`EiGf|FM~Y3FE|6?cWY{&weh5#Ci~leL*4&Fo&N8c>j|aq6*9(8jVB=k;u*x= zyx^^X5MOv9!og!^>%7lMVy0s9!&03XBi;cp(WPt@H5TDB%IF4;uk7vA6zy@EFC{@1{3?3t@bI13s$crA}d{cIy4D4McNjr&jW`wk=bk~$fx&v1(< z>A&=2<0_z3s_x#q#uo$>1N0^mFjR<>$_WH+fzg|L?T$jw;>>MU2xEDYTk*9C z&#DMn5~$9KlCfd@%F?edY9(ssp5Y^2qd?9rs&7d<3@2AAMmpr}B+L}E_#FF?PpI>lMM29x_CBO+x+%+3bv4wN3jV?bsQC^iEAs)vPa*|L&pMUwAW!Lk zs!aQmSd~Ag?syK!+$qT=^K9p5OlKW>(nIgI0`Xvk9YHJ%0W(i;Ie5a~H5_h>mqpLZ z0u-n2xMjbQ3$d9BJncX;EjhUzEkNp`^kBgyx1m-$Z9jvZM(=#=_dJ%~pRz6HBz&hT zHQxKGCl>A9Ye8tCU$0$mR+U@4wuNhr8M@-Q>!%NUy)R&SE0HAKt>|dCm;_0N3?dll zncXibFnjE$ElUkWb17WE0R09lh0=w>I)w8Rz|X?v>+iMsRSb=EfHNJqIu@nY;yjQGn?0?d0U6gQ77)O{ZZAlM%l|a<#}FyV!{E>lzz^f z%#rzR>lg*MsAj3kBEZYR2#W5MVxs&{Qbx%>qy9_ECxZI9i~Q{`<>v&%i06vHEv-)$Q{KXA z9s{y9v%HFYdzJ?DXuOv%JC85+%f_P{iRet2?w)C7rSM)(^mUp&D)SL#lSLw68vI0x z{bzD8*3=5JnKJ@(+pEW8roPf$R+aTfmBsew^9<*|bR!E?6iy==Pa-l!B6+Hnq_9XB zfjWTFcr(J?IIFj8l(L6-Sas_fYIsb1R^t4!L?s;FG4%qp$%G0Bw*O~P>X~_b$HUN(htZ=-ln(>& z7g62sd5t&{PeTO@>ivKMdxqWAWu%nTds@MIiAnzY1i%x3m^66;^ zSrH|&-E(Cp6A1VXesrAV`{K-b)}^ZO=tIvH7zwh4x&Z?Lq|V0X_-3sH7Q&JOUbI6@ zeyp7AwI}P1mZ~mt%E%4b^209-=7MjR6z=nca_H1m2p%YGJ4dq*yR$=&W0Byy3!PTi zV4&Z--eF+>2X1rbD~(n_h($$lldTe3=B#H9Fw_38I|hp7xQCnVgF^YJzRJk)pS;^o zAI#GepkdHSL;e`I^~Jh_OBY`JY*p}nw=5|jvo$E#Vaj3D9F_Fd-8{MVY+@9jXKOKY zwsvhV@M0_xEbGT9;@;*`B;Ia9p}8RA#ymyp&HdKyYGEqPWJ-Y!K7bafXP@))Kv$`oJZ#vr~r8c|$*2`bUO@ zM}IgQwL-5&gNxl8VF`f;NAtRy{|n%M9M+`93nJ%%-%j<$toN;($QRaN^TE-P_XR1o zJT7KZLeCdkQ#5*P0xL`8cTc16C}4oiij=TP$JMhY__r{i#}vxnGmtr*^nM0ODUij8 z;Plg;nq?OO-4+TGiP@y88R;F`m*lt*v1PdzHP9BDn+09kj_YuvIqbb7_r|BsE=cA< zqs-tfwK|t`{HmngJsMH<1$F5#!|!B;m!C|6>?#Ir@#q1 z#-ve)%tB;wJOeFPwk9?faE-7aW6t4?1i1HS)>&G+Xd`uSxWlME_m5IF44}2?g?`$| zq7JBU)UU~rog)cy3o?T&+pVfx-plpJF5rc05Z$)*B4n%DGcBLtxY|s#1dh*>m@U8b zL{A+o%;+vnKmsgt2Rl3B$yxNpNwgAM|26cTWBUdaF({pd#X!heI=gP_ZfVVBdBRY% zalcpUz0Qp*Uecy5aPT_TBy7rVezZA~!9D1y9?s%z|11~^(j#*Rzx6Aw?%4F_| z?#4eAK>kdi?A48jwnS6tla<37EhPK$3!!^@$-*S_l*P=u1%9K2VFTxjKsN*0<6p8f z>zWiSPajh6R6aN;=)wMEY{r6_0f3v1({1KAK0XZD27FIWr(DamlPq2S1)6$|ir&Vn zR7^%cLs&pH0~y|!pMCdoQXf5aE9|UgD@|Ix(UpFv20Ov|b=-%}tkR~}Y04jt9(fn{ zx0Zv8Q;@5)F#SPda~r7S zQ-|{)_U2u0DUJ&0Nv>+=hig~@4aj-O+x%N5(yj8g{?SsfrtBHnRNU>$6Q|}`CW`wb zIgLJUqkT&peU4Y{dsWa#9nM}B&YF^}D7K!nwS!efRp7GOFkXB3^*^JsUIlW&?;!mw zLNM5Hv}oRQJv&iM&)C`fjR*V_P0+;jUetypBOdVpLb;=VPS)5;FDssf^lLk>n``)m zZ#tco>0hT8dj+l#b;c(2+UG zk#n1P>{QE_>h*12dELTu7RF#4BD&SQs@{JvMt!A>h7-<1%6Q)Oey{w02Y@7v@4 zBvs88hTqpsx+0mVxq7o^%jh63N^ed1#F5p(CvDguAohg9guMR*DPjbzHjBTx@huY;RHO zA+^ljB`XXM<+5x}Tw#1K%s(|BnVPz8)2z?ls`|mUTINZ~EzM(M zA6CIoJ*;uoXQPtHYU1atzPx4LWs~8*FR&>l`2Z@IVBS0}Ibj-Xwsa3-CknJ>HbT=S zleF$nGo!|Lu+=b?u&uh{U5*ypZ%o4?kmu!mcZ$nNrs0NTmKW(U@`<-?dC3^-35XBR z2M%$b{>PpvfUmREXejzr81;VEYNoKbboCZpceU{zGjWRBDCow7eIxORS&K91{oKEH zxyP25n!4wgYn#=w#9wml-+<3*-iN|>-NP@SXtOvfb1AAF+H`a=kN`XKCT}s-du|`n zkE2AXZ}(L0rdvb-vaiai_s@+x18s*kAyXFsdFpCwg?4dg1bG{g%>y^Jo3pGJtCVbW}crmgT-zK0S%Aj=y7(tK4XbU-d zi5aT_MNR{YKHXmU2W{9m=)kwL>cwy^KXVkcy~;b`-s(x7t8EKU{H{qWxb^q2VX5B=ecQUPt`reG4d9x-w)X49>`jCx7wcXO~!0=VC#4ol7+% zX%Y_v$&kNlHjF~6q-=`N|RI2l>C;ZY*x`akoG+s&E$?eRgImLk3eJO6G?y@mmW1CCoa2s$N*;tjjwXHnX1 z$$+9&@v(fiDz^U*?@EL-GB@Pur~sfQ2%@1tkzjh2&#R1L8RQzY2LcElOk-m!qz*p^ zOTCR7@N#?Z4@{Ok>i>%AvbF2_1E}nMxAuW@x#(yl-txbtpF(g(FE{ zv89F(ngCPjE%!ePK+$qwX;kGf)`)z*Vky*X*2p?ap9iEF^=U32YFFF?^}V%T^nR); zdH$t9+UTxA((@aT!Xtn|w%1GEV#0TJy91?pRg|X+=rJYGW{+$X{kKVauS_A2I%n>1 zpq15eGr!X&x;$0{LfH4td^io!h#lJsE@DQGWZUCtb(?+i9O zF2=OJ%@?v#n|+%&s;YQI&G(s~;Y6EhDJ<03-}P6P<2G2uRpLnc@)RcLjxa2&rU3H0 zliqhR$;7{>h|_+50S>mOKQa84fqcKK^q{cEpEt^aKgy!n!G@>HB`nx1;IQpdi`nLKAXmC8`WbFE{)%stPcDTO8TRxR1p&+TNuDYPq#`lvCm0g8&UzAyWL#8>%}*E|GTQr)xtxX2FN7+C3WkzqWQr|y zV^W@TSM5C$h9kel3X|=wYx(<7c>k~$>h$g_-C`H4))u~FcT=_3`Gsc8qW)wI%Y*oK z>VS#J+sK<)5Y2r)F*q}FKfZYL3)|!uLo%LJp{J}&x{Ax{KDzGgdfYyNeYqk7JQ(N5 zybxUL{TMr~Dh|Mm;PR{b{$;@@&L+~p9ISUwAb0OQ+A0Iufh>M--N&9ERLjY)c$;nY z{ktXVm!a`vr0m1{2Hi1$T4)%dbH2)iY#CpS>CA~oZf(?5xmCed()~{sLI)tuo|*Mo zx|Lf5r-sjlb2Au(tyRjvCBQkOPvH#v0r)y&z>iAJ!SGZq+)@*%b4}=_t$u*T`RjwcSwbqPK1-pBF(GAXbZ7*aRmx5C+UC=^^-?ZP_bL|Tr z@SMbd4do}fnA zt#0LERgm0#0L7FqwP060sld-@JrX4b5i83EL&lg`X4KW&6VzZM#SR~28!T>7ksr3#LEeD`Th zPFlL`yCdo?tGmj5}A$WKeSBoUQ>w-H!Zfpz;>u4y{@=7>qRXl6`G8S4jVSYA{|Ba$W z41P1}_MmH|A5fw)?9@2r_Z{5oP7@%fva3>CR1atp_6mS}!7!SY4mmCIr^rdaGC<$! z4}_;|0qe(x$26dx8%3{t$Oqm5Mb11*-|_*(?SIBr=`~V0^|}(%POZi%AwO0#{9&!W z8CIj(`@g8rxX2D_{0r2yCE|z>ok~s zI3yzAc=ET(?gF<+HvS;+^(q@DM4n;uP-v`Ke^)XAR?(;4y^yrd8!a%Igz41f%tlV2 zN^^OC9PpgExxvfi*28U2TlFKJpZ_Nm0{9pKdT1@~C}R~?haaSxo2x!;Cv2#Y`@!($ zW(zFI&s7cO<$+CB?ej6|K_d;NJ~T)KdtG-O3tOM?>HyyD~6s6NyOP@p;%LW1qB)R6qboE*j>n~ zf5e**4Ecw{>0IZ}9yw4OTS98W7av+t2dJm*Jbh_V|A2azU@quj+&XIDoe*p*e|$q1 z9rQx9FaLGVqo&HcU8JHQ4B+SbG^aj|?%8(PI?6Mo<$ESJntCKUhZov|XO|4vblIjZka?@$TGHm#6x$z}0TWoE|CFNiAJ% zQrLLz1+T5r6g*)VXs@y(^Rxc>h4M+YR?OtG+ZbPY{1erCT59_#NT*CjzaeM+oM@Tb z(gWwxTZZ&*yV+Pj#KP-LJ&r8r|BJ78k7v5!|HnJH&{d&SbUCb(=;|OThheK!N@a}Fi zu4#Lnp0CsMHRQ9k0;K=yI{qF?78M)l<2(w{-}?9UgvO6=7#Xrdadl&I>gVa0!p=8X z)ep`AuPN8=-fi8XU1s^-^j7eFk61P2l(pr6_JHf6R?5ZMvC(IZF#88EZvB>+hv|2} z=k7JbmpF5p&*N+Y)=lM~p2=2Ex67{x&`quHcxe`*q|;=EKBbQ$@=Em|nF#~~sj+m}{w3MDAIhI92w`-3!n`#+@`znUzv=i0{z$o; zr=ElE9!qvKBv}?`x>E~0Uh^milhm*)l+rRiEkzrkBrP9`nBblE@EXm?Z>dQ7jr z+b8j~Ns%a)7x%QCiH9;g&JEgvTsuYjk!!HTuE>|8Zm6?@p>K3RLcadv59-E&ox~ z_Mbfd`h8ir)1`sA{2Px_p0hm1p3r`=JJqokeGLvs+Q(F)QzJlB_e}OXmls z8G1HHL!8%|n?+#EeaNGW$_mZv< zu6bOZr<5_xZusD)o378r>g`rh-eYv%;I7(lI^07;8EMsoRjc;pEDNEYa@%4b@`M?n zddA0YAfQt{zXP?{Nf>-4#gm*>3|H&jCtB)O224;pbi32lp>#_s0T%d*&hLCnSZM-* zRT@((Zsd0@B^lW9nm*+I57_biAqYEI=_J2&Sv&gy3(gS2_g7qw92BVgni;!o?05y1 z8ofOKT%-myt~Eah4!QEKzD7iRb$SI38GVcnRc!O@i3i_eH7jxOKNYiBdxe5Nu*lfW z4dObrZ=cEzxLSn6`e&oo&x?{b;Pl-SQM)Y8sy?t3T?DJVyMz(1P3!qzc2D3f#$$cj z6x(=-NS*28Tdrax`y4W0?WM=c13>N%ngL#-syzr`(J_aH>!QL`|SOO za|*Ufvl_5>^*Y@i9LHO|UEw2yZ_NMGjqG`FxHqKi<6@r|Rzdpw9GP|H4?HqyC4Rli z(OoX90(Gp7!q4jWbtaELS{tHvY*5pz=?Ub9{>Ka8$Df4CRQd1eviZ)?_p^n0sZ8PV z9`2~eOJe9WBE2zyg-8z@-u&Nn;pfqyY9*!@_@#y1 z4Ek{i>6fuE6@BxWlt@QNB*m^@}YS5=~rO&5MefJpA=v(%FXa6c!J(t%;2`(#t z-T&AuDJG&?bUTr#bs`;Ub^W(!Xn^(dWKc+V+|WjrZKOhhq5AIC&xiqAD2Mb7vh+|g_VQ5b}y?Cjw1eUlJnw*6=2Z-Q!RvR18Er-z-fYuw6-byB)9^J4Vv$? zt6Yitv{L^YNKxVUVxZyXpGU4LuLHL&lo9riHYoj{#$WMujUnuwl*@rFVPPQZfg4BH zXX$Dz8$Qs3`?)80Hg(82pG7?AUq5Q|5nU`xZho_|Pk5Ek?K46L=JTnC^%~R%lQ5Kb zf-X{B=i&u^4c z)=yAE*3YkcVXQ2>U7)Etwa&00L;Hus>C`g#O3=jTC1 z6usM^i`=%+YF*WMR@^HA4Nms)1#6G(;I#p77lrmx4iCL6D7y32_teT(Fk7qLRgki# zFaQ5V0U%xi2jFLJkEz`D`~6}{%E|+f9k8l1b7`aY8+#6`EdA;xJlDO;hh>-k%tF;9 zuN9ZogwU~Y6uSNhJ#I6bjUV!Ix0l9qUg%;c?#NmI&_p4NT3%TDid?fxb1JWx%} zQ`zEZZY(MWr|bu$pl)xv4you%CBi6g3uVW9el6KJiI0}XDvI5gH?A1^6@G6s=D%ucx$5#wx>gI_PJp7W z8|CtHv1iPG_0{k*{z(=Zr%#2ImE5B>9Z6kZve$%AF={Q_TV9DodZbd%!~4bbk3H9R z(|?T$zdSzVvpF{vXQ9gorEc3P{<3=aTiYN~KV|F1X-;@|XT~3@A1;5so8S_C?266D zyr5grYRH|RxAIBOZvH!3mp|BM)YO1`rVXwa@+aAu(_ld~*`mpSe7>@s0KcwFy$+ji z%4!d9%eH}X7qm+Z)G!+AUe~M{sW|8dUrRGfZeDiA9LQuZu)MUqxOoTm|5(re^=ey+ zvot^pJDy%tqO7xG$aR0S(SQ2-e`(H(bxMkZ6!nr{jKdpLTK$W5si1Z$WjreocD}{G z<{Tc{U-HM*cCXLK!3{aMpGM+@YiU`(jXswghg3AN{r8BoY`dLOa*sR2Vi{KY-f57K zc}gb!%Vd^2r*h`SWPs&Ofd>n0k@_@QcTbp-13D3VlwUGR0{1^!dF_B&GBk4MJ^ae3 zkR<(an{Qhw2UHA7tRpDYixBbhbeO~@f7E;@G|1_W-@f3cEN8n|h^XAS=iXJXec}c4 z6j6ECIvcYlDxwpj2TNj@z+>)*DJTd56$RCT+S=vCuh*?w@!uzTKm7_`(E7A7^fN`< zSM{#P-3^KV;lKa=H`b{a=kbG&p5-EZ2H`zG!1wE^;s{#rXIxUaZAj){eeT zyEF4Y_IlNs44nuOuv%R;=4zh&Rt+r@4SPN%y3X(Zv1`H(onCs2Dk6*Rl@{Mvr#cK-_a0umumOm;!w@_5p zqweOdaU>USQ=w`YQ!%6y{oSIwCI1|iCM_%UaHHlX2#~e@!NG40JxdO07_~^W#Xnwnz zilErn{kk>{wRroqE|+oXD?DgTxjvSijWows2=`r5t#A%F+;nZo;nQ;Ha`7*?>Z_+C zv(-B@)@zgrc4)e+02hrvWjXm_#2O>xUTWU4r~6&I+pqL{;qaKLtGM%q`0E&ZS-Ve7 zh55b`4RKlSs6Q%+k=@uKjhA&OfDfb&tOBDZNZ4twid+9I7!z0ciV?(6OzI>r)6Ktbs_}u1PXSYr&$O8y1Y1Z1B%s1-v zXtlVty(!RI$j#m>>Kw-1Lg+~%9md-{^iuPiV;%HfTO2t2FkCIq&2xyIJ*u(C@RIY& zx=(qg85K?0pyN^}`VL6hloNL?H{*5Sl;fCR^e~jy$G!z^nRg;d%5v3B@UYPx<~Yp4 z>g+s~fJtrq#%)8&slL?{pMtx5A2&|1 zci#{hfnevgIP_g}BK!h>)3H0{t94mI!d||Y!;3|Vzk3KqnpPU(@f*`3xoNAiO2{#{ z;Eq-4k*9siGi^#Vyz@tfv{hABhK+=H&&O;T;q0hcY#LTFqU3-~Bf@nn_0V@!cXfo1 zZ)8nG>+4~3AD5KzDoRXqOWJJRMz%rKN3wITNM1x^JY2tfrk|I-?+=rFubfc02snmf znh|jL;_^MWj{R-uI;!wK57Y8iJ=(ltNa`BOlXk>W ztKhQo++$pRc91t7XBIi~ssB9kU7m4g%=o6!N!Wy=mP zJ9X@cvmc5E9-XlAs|D9HYA=A_Ud-Qrdn^9(-Dz)D;j~u_J-FL!{Wssl=f+^;H|o6XuyeuM)r5}a|-KZNpo3wjZx3O*rit2 z8cQDE(IC8t;eWABH`zj=RCXW+%wVc8_B+<=?K`2~G5Lsea-N$_g>Fp17sBhXGveJp%@iOX<%j{hBbOW=FL}+MC$)p+d7&53w>8J)~MLviy(Bf1`{&v7dlCF#m(i=Vjx?fu|yU zEHRf1aI78twV3rj>I*NNaI~hc_hw%{=^L!j-6_sv;kqO8y6j@F+MZ!$W)sY=>smOi zSMBNavkv<1Ij~+waEoAkzQ64@Tb^YX?}_n0XSb&*w0$AaVSa1&T-$=fEd8!#Rh#Jz z|A7WgdaNt829jBJ7=m_+P(0DglB5U7}U4&OcqQaZuMz_quzE=GaX z-@}0Y{iv4zwH*o5r$_j5;l$1}!&MGbmlo&7%jR`MV4tX}%+%MfR z`~@n0HEKv*C0`F3fh9srZ?cw6Hxe+GZcY2)XjNzq{sM=t;wG4Ed@-6fY)p>BNZSzB z0xOu9pWA&AlPvOrfXm~3ezD|=oW93U>M`KigS)3UF5i)i+p_;0Hzqn4kJyWkUe#&W zubt+NR0W3`R$DC2dlW!!OnYG#a%vV#9(jbKGWL5MUfd3kd|;8W!+t*A7B0T6Nz-~~ zd8f`~yfL?f=enx}Nq*9~m7xjdhCapMxQ%=f${c`kw8~Rqd$5dV6ALAQV(|-sYR0ia|bxVViFN!-H@O`nqMk-Px zHQ~wG#G&oGDyE}zAG{`6I(1KHBf%=6_qy;4?+>2bkS-7}| z--={kY;`)c45YscQts@=M{6_UZ1r%^2;I~9YTWUJd-`sDl@!v=ABPBxrNxH z7Ji-j^`16mopbeaWyf5-=pPy9XRR9;UZ?ZXK6ZKz}SU+bGX50>o&v{Op1W|w&OxSbQ8xlg>u0YGm@X}?3XU=<`e%=Eq30jyv1_( zHw%f;%VlOO`q~QzV=aeAzCSKmrvG}K&!lv`{16hUWA(;L4e?$yZJsRZbaK&MJ>5q& z^LRg9!vCafva^J%r5qW2(i~LxNUp|8b73J0C2HOC&Y3|Mt1*wOQ|1Kvy% z?6SRP+9FSS3mM=i#7THAV9nB;0&-@3yp#hSI<#3u zU$cMujtc$MOcFot-I!I6h+j%f1L4+0qyFHAkl>~wRu_pB+5~Q;-XWy3j*|3b-Rau{ ziW?s_f~1O+&lPyv%M{Ps;4*7y(#doPkpFPGF-~<^3Aj3Vt3Y#)_*+j-;t9JtFE{7C zRY@^?a9%mSnE|o^_`-9{@a<{y5m`#Fv}1hG->#7|Leps#^1dvWDO1BpZX2_T@+Kiz z;DPW~(h>7NqAks8Td&M~XdcEv)FO*5D z?&~jaZ+%t#NG-J*S+pMNagP4hS>>`}Oijx+J7?52o32kxpo@m z6MrNAdr!xzxeWAp9vwEW5jfOZr56Vl7-vn%Zw@ocG?tt9fvL4w#PDill?2=)lf4Ex z^&;qC`7cb5QU9yfii;}24-eaax&ODu{r5oSuiyO8T`?EAM{iZX^r&<<^(@$Gmsf(l z5gK|SW;@>1{mTf+%s4NCSwGOLj;?4Fd4nqth!t&RuOMt+F&kdEr@?b42D4D})>z&k`&+`I}q zmzt=J?-7~ody}CPI^Is$>w{nWHGulTV3q>jQDaqrz3eNMy`a-K@Bb6zof)_VPOjHB z>dh1%xn$rk3k;~57K0-SM?P9ee}H>8HIK%QY*h;EeBI$VS##`&xMug-?GC=nTOQTl5Tu+JOf>yACfZIz4$zNh zz&RMzBn}TH|H2`m4laiw_EJt8Y%-vX|E&^=jz|fL)?Y?SaY3CSV zECNn1g**kwqku7no(8~20riETn{wdEUk_OTka=}s5-A@wBx~NQlD7S#Jlaa>DPG;eKYmAfgGpAA zew5OE^-y6a;oFJgrz*$YU`~1}=_N+(h})RJPyuaS9NW9Nkz$e4C;p1df?yv&LpyBY z)M4v3kWOUizCO77bAsTLPL*ZCE3L~xL~l4dF<5P)p<*Aqe;3%p z?&}Vb?Aoky^~gEF@#qfzW@_lfo#ybQWjEv>2S3(!w=-Q_JTdkmNux~=aDTL27UDhX zsmpN7vMrk^&;f^<7Q65;iI-l8;Dy#y+iCc9jL+;=6;=bLF7SO+>k-KAUk<2=`A4YN zbmz-sqON@BS(N1-qjnaiuKa1>mdxE^9)gay)BQ!y<7RwPQz>~dn*>IdN>~OKiDhRo zEt*cm`_)3R10)Doyf5-V{Pe{Hb^7Usw5b1H(BV0YTo7w%*(1#(WMeWHWDplhO1z8> zl(ow|d(|K5=N;y*YvOs?|xRk9GvYY*hX|fqCD~e*{zL^!7wY6emymZU9iX3r5 zTrn2{Q#FaVjXn1plabWc6Vc0?929L{ZH4YJf$_~<9M{g#7rWQl3l>45i@q1D;ge0* zP@_wt%9(6DJm>m=G${llS=e50sh1cKy9*YwX5JpuEdJi|)T$l)^UbT)wVtxv-+v|p zveaNeC8n?IbgL{VoTcUr(^OZm{{BTOYpMStYbD+Y}b!e+a9W z3Tu{*?pMq43!fj|u}Ng(lG8V0P%&O&N`{psjD?Te8nqBIz%$fN-G%8T?IdH-f-RM? zj?4I7L_L`bYtp71RJ#H4p|l-$LsMJ)_D~b0zkJzt-RNxtwkN8A9&a(Wkg|j7NouH z!Jcwx7naUu6o}=(X!*gvBo9CY039VC$v*%93s?)7)2P5j4zzo1Rd|zr&l9A?+I@2( zQzE?1C7kz{vzhyN?FS4y*EcG_(+{}UurTs`7e5d8fl0`8Jpg}gJD<7CHbC_j$V3wm>mHY^=qsynsE!)?AXEF8!o*P$74hCTBkK7Kl_Jc3aRF$j+0obMn-heL-~^DVMRE>g92XBtue7^3~W;aq6UB z5gF7D0zc9b37=v`X8z?Dw8YZk$tHT@lHO_e()8$4>qVSp2+5B;W*mHC>QaJBxX z)E#ikb|eicJslR8CRF=9;M)9BqTbODx)WtKJ^-W`X}~2RH|;VHfw*JG;5rA48u_Hq|O= z^VGHHJcQqOSfj0Ohr|SS;tH>01mEoRYJ4#$aFt+7$AIvVoUxs4LarCTAXcz~GVswB z^AYmfI_hvW?@m$Vfs2miS#=`E^I`66yGmD#w*|PR;JIe?7He-OdIWRhKIw zM9L%rls53b8sPln`!9^dELbK!<2+Qj^;G)3qc%kNMRd_<#II+#G^|K^Xz5N1X#XTl z_wBk7@(w{*23a6&_qt2d7fGMeAR=iASCn6Cp!`{OK;iYH|M?C!E^IJlVEGweIJA$n zi`IxS!P3v314OdR6~hRE|EOT85D=Kt;=k-50k53RI5ta>d{H7@?dT;qmVrcKYeWl; zDKK@ERO-Sp*FrPSZyUEv(}Hs6HBYX#+0=C-6n=o z_M6KFq>C>LQX!CFHZ^0VBr=1N>C8jT9v?3d&{=PpCRgno9#(T8di>&MV)c!DwS=zl z5X|*}d9=JML)yKO%g&`qnf4!0!g`yd zr@Y<2bYwdBOXmZGS$V9N5D33Bxgw}R4a?6~Z`hPc6r~c)Kw&}2X!bVs@Hj-iT8B!= zlrE9sv|c4MSkCy)o|R4_^dD59oAM=mTRW`YY3uRq!4xt^wlVRD+I22ru;QaGA)GGq ziW1j|^i%}I9oR5=St54krxI|11Y*UDbx6TK;Nq|ZIRg)(<9=cV(x;%Wr?pv|3*#pQ z`<4*kAGi#klUm{I6yl!tJUR%eHGU$NB`Qp|8^C@MxMYy4V59#60=Ymb`(uOWlvuRf z#z!(IO;>2fa~krp`d?Atqq#oCuIS_V9% z|Ee-#YUaZujr%x}h-7rA9aV?|t{GzAbP)929?$@9nw!MJPRyU2bn=5y9(7dk_26i5 zetd7wV(&c~aa==M?39-X0b8ne)uNtjgmh84&U2=Sm5sE)j)-J+qFw1YmXl{cpG&a8 zu|5zP82P@Qi?c`KFL83!>*N#{LpfR=f)TG{^H8z(uHv-21c?5Ua^*z1Ny8gVd7ZKH zJtbY`oDAJFV7V9V@OagBa2vcy-^PS*s3I4>&YfyAgNy3O?(eR%z2!*3CmzJXR)svib5DW!Pq8*LbrR(Pd;ANbX5KstKRjIT`&nDCIR z2He(+hUP3b9mI=vt@FN<4>Cx@J)FR5kI&S)An=NSXjeN4USc_3I`hJk%56tLLL^+N zFjXW2qY5(~6L^Ao0iYg4`vE2aa^M+2elJdY36R@tOveC(2yl`E zW!!2o5hxUUKL>wSo6YKiza9hpM1Y$dNCwD-)poNRz?a%>P8*K_1mRruZyeFeTFc_& zcckd#Y(n_Y%9w<;J`p>`LMf872l;78= zUGt{|`K$f$$$O;({q157vj4o#Lt)IP@9HsS>%@9-CGBpKZz>aoUQUw0^ST7Vhbc=x2^@QT}iaL%&e=u4M|sCUS1r%=$I`O^9=06u zuYj&jzxNXx1cvIc9#7jr^;+X9Bpb{YA=W{npEoYSPmhVbX6nvg{bLp|K6Fz7`8_k> z0_jT*qUhB>pMBgk3qAaAizkXe+h>ZTbvFUvQyl|{a{WOZGZXPy)DvM2i|dGuu6@r|cH*HX#W(7^^}rEgA2w+%6wS{U zWSf%~pqm7_g=az1>FZY!MA0rigbfZvZ?%K_k|1s#*Ns8r^^Uoxrb9gvdkzX*42bKH z&YQyC;0wqe)O!8h6~9)L>FtJ%>k>%h$oToKVoQD2AE6%Y5obm8H%`@+zG~gtD@Ip0 z>JGGIsU-DvKtF9OTNl(_GVWw-!H5jpjI-?A&WQS+mq=E2hRnzK2%!2S=Q(*nDeSvH zbNp-^xE+_6)!iyOfqfL^%wtH79g^l0*l$Gi#RP)Am%ENgOmGN>dxhWZBQHWEkOlkU zu<mJdrxo6W?X6imi5+BZ``t1^- zWjX~`>`~+bjGKWqSuLM#jd(}Lx?>B9OzJsxX0z^X5@Q~`$h3A-pzLMT-f*COA#7&z zwk1f>i!K}N7-;VLi4vOBbMYU7H>W`&ZL0AiR z@FI+D?+P_E z(-WI>y`qgnV=QBuTMmaG8S)@5GBoJY5bxj^5kHezfd-p?#kQUpF57cW4C~X0DDixQ zazhHLt+9GK>yG3b$l8U+PrH9&LX;GI=#Th{HNF5lQE!Wgi#DA*;gmmIy4ZiEx1^F>3kex(3fjD7o*}+d!L`<3|)36`K0f3>NA+ zaCZ4O36p*}Ob)=K!YT~R@qc;=x$_dZ-%|T9ryElC+FJS4y026FO3RIwnfZK*Y4|kz z^{ZdFGzIa1lomN`PEXQ=TbZ$k=hKPNvg@ocgDD#$)b!M~MXSv~N|kWpA;R!;0daV@ z;1mMMMF1!=E_r&0;-0n>yR*L2|d6ie6an zQoH}LW`?-Qg@AR2bZaO5=?H5i6{bZ_0OwmKi0Ac|Mt&>Xk_kO)mu`LMwY~c0nw^K` zAJU`83J&Y`5T`zS_OD*O9S!7EpmubrVdc+)D5vT|L$oJ$Pwpm%tuYIiS*Q;-QE5mt znbmVM7q&ngZahi)F6>M?Bo}kiKi$&xj>2e0ReV_j(TY@ujr6O0^&f^k)tqs2RwF~X(#c5q*^R+y>N<1RJb*6hO~3;gKJ zk7U=)HNcd-hC|CBr()BhGNsFWpcMkZtrkkiwr*FM)ATqky~@7?+HC{s2sB%{lO1 zv@~4gqTU#}3pnX;aZL-KFHT29B|?Z}xzAv~5`B`GQob$uKwWs>evJ&w54+k}qBT0O z+NMtv9)F3gg8-gF>p$=jmll`!5Uw#plrD5)3d_4%4I$iHBTN=kvKzlZAfFOZS%fPF zsHRQEYeJerN8aF&fWVIZQds`{nqCjmP)(k6)AOdG$e5*KZSsULK5r zrK<%@Q_f#$fnbbxrbjP49{-$0>M$ROg$y=e&dCpbaLMxjOsx1*zq+SoqQdA|4hK!z=eOaXKa*LBtZd4Lo2Y5=0e%5Io(i85{))7bO3$ey^lsDP zKA5Xf+|^MFgMcI29@RO97>FMHj5FakrU|*c;Y2%P1J(@C0Y(6+++1!2gv#pbfN6Qx zOw`O6WE!XeM5Y$qWF5@^TI@gIo{a62%!LlXwtQ z&WnY1PzxARmS~CGPS$suU=ja%fd>JPx-g|d3N4_SdI)%R*eRJ84=Ish$$-^rwmI$+ zU`U1s=ZdCeDT7gDVAi8bBJx88N%!jjdPLu(gbL_DtTFvq_{7KrB#Q{#h7hm7dKSP> z+J4{))W5975C#dV>&hn1ILh)nFe8H4q^T#7^{~%cSaI)seVHTrUjE<<0m5)VI@Eb1 z5iX8FM~2s7#Tg?{(bXvMzG!vg_hu)eP?|a0lS}q)>BuDB;hm@J= zE%dDoR(_5*+icVQX|=Wc2h^@c8tDM?Yw(9tg!iXTyp>Hg=LE$->c=CW1ddFYLWaF^ z6W5|Q$a|sGR6t5m zs6VZ_6Fs=m;bB($;{40nXM3386Z$h!kKs%p&+?gZrl5Y-@5UP|kCnk(Wvk65p{IGQIBuJ5)9eJ|{i*|DFMllKaX7 z($`%do;sGE$)(K@$F4k|FU|icSbAJ&F(ax`$oAsrQ&IB29*3Nm64i)sKUY1s&G(Zp z2$=A%R=b-EUR>~%M@;W!ce078SYP>VgS0XcNAcL*vk4fJb}{Pbq?1e9yfH{H$V#v0 zIa0aQCQ31`9@{@Uh832c<-9x_Iox%`$sA>kcHU{&y5xxN79E{1att^}G!u0#)$9Xq zaffou`2|>IIB_AGY*lYYw3)b7P`b8MK6I#K-pl3tk*;Ll5`)%cwO>mupH1(Xu!#at zhaATAi0TNI%{ybXlijFMdY|Evxx7%5d`+C#qU-#*x53h)`j=Hq^{;H>GcBtb^Hw5J zHtxIAiQqe3lQ^&NS-!QrHF6lzgF9O>;ZW;-7&iVUrEdN3_Ql~+)7Ud7q_ZvSQfJ>X z{RNi%9-A2J^ge0Bv3XcD#7rj6ZmT@6)7e?ydIy2B7B@4inzJ50-(z#5iuTo3dS6f9 z9qoi&lwYIpWK5aBoIk*i~MWzdw!NLA0xqHd_xIC#{lz{LLtIL-3u#u@)A9=YbrS{VjQL>cM4kx8? zGyDeo=XP7u-n5g8Zh6Z;{zF2b;4(B7ezi`t#Ac>qc`^?kG76BI50VE4tLe#=3sWJ5&8HoRg1q`#YYbOY zWEv&6UYO2<<-vZUzl~7|DuUc&f5w~*?HO+T#uUFovpf-$onHxNm#V|0sPCB0N52cotRBY$5HN>Taaj3HgmK4k({$+HBk}>9gIF<~lUuQ0WzE z0?afE8L?G;M_&`w^Gmn@O$ zu+y?hhPKKy=q8C#08FcC5d1~m66iT=!e*9mGI=o*Qe?G+!B$=GG*`J~yP$XlxhUzv zU?m7ZZiJP0@kqVo5c%VPgG)$hlvKiZXJTt6Z<6Bea;4bhQ4o`$t=_4>GY+1AsF!}* zPuF`=r%sG^h6sBHr+d#z{pU>hJ-o$o;;^6r0-i6ST2RmUeZ{lm5+Y^yb30Oayxt)u zU+qUUcV)V`wZ3Y?&SWj_n#nmsPgcG@Mi2vgd0@m?T7$-X>6z>=BV{0`d#Tx?DCb-Z zP5j}NUg`og!g%7?+M5-8CFe`UtW_G9V0^=yp~3{jOJcV8n+rR;`dKgaW~MD+4*OS57SsUbdQcXitlpM4LhDS zTW&Z5N+;v&18PypNCC$V&X$l{%e%%5vEf~WP-pTat%;N&(e?Yte=GefQc%(NDzy#i`R zF^4zFqXnV!q7=_7KNd5wMb_Q|l9wL{j~GVSC*=oDMS+p?FU24%-dDswUrXvAb|DHAv3VeFvxR5jxVR5Y#*;C-Rh9fXld-Aqj%-Bw zz8dkRh+=)S33hZsO-5iJLTWqz>5H+=;=*pC&qTk;+NjD}z zEy45CQp?_7Q4KGRYw9;`nC5C?mGiZp`b5g^I3s6;nX4fW;r+t-7RKw@g&_RdREH9a zcj^&Be(ym{y?7XGpfdd(X1q|aD4~}$Jb_%li;vxi6^o{XlX2^NRD?@H@OB3e$bs02M|n%kiWA&615nHvaXN2-y9{*-VA;Y;$5OEjcR()v$JovhzQ?2{~QB-DYvHHya!eV8aG4UpZKWQjzD%nawr zPdysl>}ZJ#U6`NcCc3)dqF;fPAVb&{kvdV>g6B384%9=xVtLQ4nJv$SiQ~nqqKUCc zNPL{bG`H75YCC;I^kWN%;czC{)fZBy=S|UPrJm?l=xZ)%VzMjBY5R}NER+0 zvH@0Sg|M=`vOzxOBHYgt`pM+u!&3+#zY)vz>@(N4UQjl;tN$XrrQ7k|sSF3R3DuJg zsj^(&R@%<^O&c+?-QQFuGYPy^5V*uYX(}>*)RCnM$Btg>Y=OJKLG}$()v?Kx>(VZ) z_-ic0H|3orrq&3BW@)v%QnnL?ePQ=^!Ah|U9wV%+7Mf(?6aLe)C9Uwf;N6n~nXGu2 zYHMDbExxbrB_7?4LcJOF>VQX{6s>^|no7ODz&_{J2z7vTY>hk=h^TXcxUpu)@ay|& zcAj4|;4Tiqa9~Ml!=bVvir^;_pD8hKlVbl3GNXV#34M_4PJB*v{J2C4pub{5mgMD2 z#-0=mAQMR>3VHdcP5slUx^tX=G=pxnV-24nS^B3eX+Oz?>5&p_pE>L+SyJ~{*4+43 zR$242RK__MHGbi%$JHB&r0~)3F{|M-Qd{ZlONaUoW32@Gx%%!FPa^*_Pj`6rSZaNw z_PnFC2K&KNIDvyR)qw=KZVv2*i{xrud_L@EcEV?RrI?DS|D4rd#o{+SLezSH-exOm zC9hX6sUfJtQ;TPR+pZr!` zn_s~XwyI+y`B%42uej_lK(Ht5{M=tdKOV3|&Xxm{;p5-emR)o#`cmhx=TowRwb#EwNWM#cPs z)^QCmzzZl;Pv+N%Pn$+WbBKeFh)3GG^I!s`N z2)!CRl4mRzWq4jTlhdV4QRO5_cKkNEiid3p1A1j)G~yBsi0DwDPO1XceDrKXH$=Qk zAPtJ%{S<_OewB=W=zngB_k;Qm?DM1py~6{7K2N&?-@cd>mvaGB@Y+PyCDb23yEmgiHD~) zJ>}c|cu~#~Lb1&o$$SLa``lb{Qp`+>qXW5Z*uSYVclo;8I(HimjVm9!Sp4f%*qoEZ zw-vu;Vg2`wqwX8@`#0T(%0?GXM~U;{U;Vk2&#u7A8Z$ywB*$^EtjU%N%x$`H{aa#i z@A2WTLgxG(Pp8c=No+I{yOVe&VAS*-AWrAa@?P5C< z)9Kl=-VL1D(y?6m12ETRy%KV1v!$)H%*Fdm3+yj&xOAUo7^6V zIqT&~XO?67=uLK)2m64>9wuo~--^gruM7}{1{A?7J1(Hl2HoZ1oZ?Sc;qYitS-z%Zg2jJB_`B!n` zQr&Z4$)k!rn+BF7ak%k_4{=ni09hxZL12BN~2#GEFfsfufXdl!Blm(&9DLg8Toe_sbt8ekxri91gKJu=m2y9S@hfTz@{8ljeXo3wPZXOC68FjZ@1&a-w`UF?UBtz8e9ppIViCLP6zNg%qcG7 z2CNY9|G-N1K|u$MJ;~!e*uY3}XT|}3ZhE9}s+`wUQD6TMF6kF?2u6mO`rn5e3jraw z+!H%7XGMnpT)5V5qSuZC<`8nm{7?P_js#msK&GyZ3JInocu5#O`BQz|O={Hg;S0Z& zMOJe&Rv7O$g2{qgx)b$!?CK7`)dJif*^;#E?5t2e$IP+Mg~i`Xu^MFdaQ$3(S!x=pgEgIa z!+!Lmu3o_F+x^N^5nFp@OKB?w@43f9^x&uy!-%L4;wUN+mP@>Z$mJUie=5RG6gScx zKx9a9ihy7vH4`0@YS+W1mKgL);ry%ywv@ze`O?#fFqStp+lr!*$Wkxq{761_SAewg z%iVL)7yX_D%?j^7mwRh9iPK3^)p|%#vu7M*p`hJ;AEfuG9Z0U0J#a6EuIYd&lMMfK zM0chNgU1D#$A&rP)(5PUe4+M{U;m{1z&i5s>KX6MF+$4y-*r^nF^RXc_uoX16fmg> zbL{Y>N4=m$?P0T4uXkyKT_R~_tCv({<*L5T13_9sEQ_Ani-yKHRQC;+*06LqQF3|Z z(2{Tb5>Xo%iIbkv0mx)|sQi#5RK^qcFDzBkfB|eMuxo_^$(BlJFLAD#SeCq8;#Wgs zgVs3%W-YuK^5XI`4sA1zCzXHX@HTq@Gon&OA`>MCvzM9JD0xNzL$D-~%d16HOR7{6 zfg#ve*s=_mM1q?q-;s~;OofX*^E}~?&ob#L91jC@UOG!bk|Qz`ZPpx6|9bO!Uexy- zt+U8r>Fc#H*jKZtTFm?=^+i)O`c3rs144@T2#0Dx6z$HK)geDiH{5eW+it;;C=7QL ziaH;`Wt~0yEyZ7JLwrX9XrIk{F zRIT8SiUrv+wJy{Jqs5B8C=o%Uf~Lw2Nk&CQR7e#pBFm_#QBk5GC;~}YBWpxt2?7xU zgs>$cB$*_WncoxieShD->XnNNYo5$=&bjZ;eR8ql+;lvn>|c^DM=czgIwov5F%uoV zH}`b-q>Q9^E2|9l&zl@<`E~Y^}8` zk45}UqW)PWS3JRo$aE9ccw6=P__BJW@~se78zB`@+481`5>(OMv_4^D(H>CfVx-*l zFJA5v=_;Uiw$b|g(y4+yA~d_z{+`ylwF27U!0MiM{+Crf=V@enwyOogp`(TnG7*E8 z@OV{>;-{9hHJJh;fhZge$1_f%k2DhIdw@cUMnQk6lj|o=C&Qzr6Bgwk6fF{(GO#4e zaPzt3$vDkV^|0}EF*vOWajw-G2(2AUoq^sOq!y{?GGzTcCb3-7_VHO0Io=BcVq91i zkmLLOj3&AOG{>xw8Ri~&p=`JV6C}g!Lwy@*EPStrqr|X?xK9ilJ)dQ&6mbzut&yZ1 z*^AwZ7xBXb4!sBcDwP-Eu_{*z`ndLs*4^1sb+r$gpXaf`K|m{2znQvq?r!LA(+P~( zZ+yTXRL7wD6@J)<^G}!z%!05b4*r0558mToca-8g%Dm%PU~oH}m&Ngc@)+)7s(TnS z8BtdE+*9ws2I138OE1ZcJL@#pzMR7N`o1>#q2+g{KChDc#NY3%SWxQ(`Rz`!b6faF ze?*IZN>GcmPuSK*h2=64M`MS-<8iP$!?-`@HOJLo<*2fUJY2mF9AddX;utEnUGO2R z%193H4G$8)M2J%^K~U8?2wOhEY?@x6bGE1_cFcxkx7e()` zPMucU09u}?o!gQ#Y%)Lz{hwIJz&lglMD2_r@W}cE(C=Pff5V=bs(%r-vh_EYcZx)0 zKTb)4OX3v6e3{@>cPi1qc!M74Aw-QQ2pz?~Z!+(sY!Zh;TbaBFL%W6C^;L6D1YAtP z=S7#MYvNOnn*!&~gf+h)2@cCt&banvuiUwRT<(SKRd`r0aTuDXMH@Zq#GUd>*MtE=TlS4+E-M%GoveVyOk6&&bx(V> z>GZ5lRkbR)$*;tdczxX#7ym4>�naP>w$&+7G-+NcGbUS9;obMWK}t@M>ou`)n2~ zP^S9)JK3K5EIcXiA+aSHUbRz{Io&HtYk{~EP3%M{N}B*17 z_!C#ES+Wc98Zke9roYSwHu6;(k*U6=E;Sui^XditrpAt6BRe_oAt(eKntC?h6Eiy? z0p zRkE@<&ptM#STcNW!y2lGv5HKILOnHK2@EV|s9T;Ln>7V)&-SdAt1BTtQxG&j++v;lkS?e(%Wx;Vf%XG)PO!t`_r}^vfnb;W8Woqs zs&?-5`<7|Sa#O{etZs|!Dd${UXfIv5jq<2z-Za`~M54T|k+~@~^P(?MZP~0W3HnZk z=4-6#PuA%qsC*mKz&tOcqBVh@nltN2-9s_S)MDl~%!t)$6Gb9NtU69Vhb`q2*U^h2IiI`6&$A7_z21L1_cnDBrrDm{?164Xj#xiqi4u)mQmCo$bj95hJ7rBgl^4T zZ)j4GK@BxA6mSgj9xLDeQYR@PMoke4fz0m%jlN()Q_z}a1Y@arq&#Yi*-Hc&@sd^S zm|;(S9K)7TDRD_iJ|$+uXN8-5r*hpm1-~TJz(bQ#qh(M=3)E>iOLb=QtL0_CbuTKH zx$#}om_JWLY#;G@2#L@FS@u4jnz@}tY+>>TgV36lWjk8|uJ*D*6 z*Y^B9V{U!zwWVxBjNdrP8f;(Gq081$Q-G0YjfJd@&aC|ot>v-!lb@tvkSigo@CtKuMy zS8`|>qN=C$jnBocNq(j)h!?8Ts42UPmHzz>%sy-Av7Fns2AGnF@z#L+}a9fQJJ*0f6!#2S{L%Aly{i04I=e}_yl zVi(jXea}^2Uqs|R=5VV-u3{DW!ndldhRJnvnr+}7n_~{91E2xc--vD|X=4XI{4zTU zDi!Gr}Yy89M{Mfl8FsNVkZ8*LSma zHd{)}#6(wMmB_h71+~`tG)zc$5kyggvLSh|xdr7-nP_O#r$myW69@L!?KAj*@nFI_ z4p5WmK~evB9Qp(MIA=^qJx)X}X#;Q-C3%k3cmU$GTR-A+Y z%mP-BV~D>_m`yHj)U4}Q!f@ojy8yPfk#X-aUR4e@sCpr}u+zvVssvInJLRnqZS~n( zgi&1<6E)aVb)tGbL|bWkGxH(cGtth^X^U~HNvU|LKe}yvXLPgv8zONty@&3o@9uq( z%T~z?IS{S-xjpVNM-yN`q$1?oW(QZSfH=(IZtp^ycVf)DZd*--Qs@edSv1%{8NK;} zyYEUBKSMQdRem|)7Sjq!=d3w&iU=#T3!bDnZ+k}w&k1e+eh)=_)4g|4{)~WyO_wv! z$;R80k>khalUXIC9(cW%u3O38bfY^8#Jla>jR@%=;g~5o{AmzWD}Z<&X^Kb&Q)0+iHjd|gGL1j_CFc5>rOvk= z#!VvYdF!>*;~O02_IU~fk>U85dN!Lar<4neqE@jAUVD9M^t@ARgtI8NuZ%8*_L3U|OLwAl@II`wN2;MRgmof4Sb23d zTZ3wfR%1uA1>&ndFLqq=Wj)S-7p7H-oHABE&*NriY}_1>1Gww z#e^{=s7~=OQHNR*Oxaw5hk#Nz{GH5C)q>{@F_T!PsJ7( z>mhbScg5kH!o3b%mArzN3~Zyn`M5&_b0!Cs{kZN4DTu29!{sQX^9VINn&#fM{<@aa z9s+|;gN~*j`-m5qMIL0k&^-5_Y=||_{driFLJ~vpCAYO^Gc!t-sp;Qh^c+d0F=eKr zLcI-IC7+rlDC`h2n2heG5)QOKcafiw_w7B$RcdGWv&dsej8DOJ{BWDek{40IwI9wh zjHUe(e7$!I#n8PkjQ_UUhrP5~u6a?bR4U#vj$P~XwXzfFrCZ%@jxdXz@uOT@HU(UZ z=wN7h(6&nHtdj9;eiKjO-QWa;>Zj0Bm(|5;-lVd&#tmh+)O>KGk zn$Bu(WOSFMrX69`%I2}vrt)7kK|NB5sv3OsMXjDFv)4Y2S0;;4@pN{!M{>YG*#PuZ z8KuA|Dujmdn9->%8|j&^cOj~s@DLUtkcqx`R{a`-r$?z+wnww784bWCJf+EiA(^1^ zNUP)*M!0G3#tHk&$Wweda#j0P80jX~V2urW=kU$ifKEZJzv=<=!t!Li{ek}#fplS+ z-NnjV4Kt00Tqd(Mi+v;$oiEf7)+8bRvmg!LZ>;L4g*Se>5G3jF-Yo4S#cLSF>adic zlJoFIKZ6h6%*gE5d-I*P7IaggLFUE;B*$^ME2TZyef%&jvA_Il5`Sz|eV_zgh$It7 zeLaxSznz$Y7#k7k5_#t=`**SqC?j4>i`}mBku6C5nuo)cDg*m-`#1Bg~#RjRkGj^}9D2_R~~vt4U-zl{sdJm%s(rpyVrlrW$7? z1e51(l`T~%q$IMRH17RcjXkq?e6FxGIvzG_Mp96Z zT0NbND6pe(9N9XcHxMhZ$!HG)HCjfQVPwW4;i_if-1k&Qq zB#7>#0S2B%6aMDKITM~Mq49gn0;~MWziil$ub}c7>{d*@i4sCww-hNJYd6sE3P~NW zcgEbeu5lCyj%9TTv>1MkK=n7JilXnC1rZn;Jln;uB7!Yd#kStCqu4N|N78$NH&#u| zWS%^NHQVF!*m57V#5rI?0t7_{YHVoxQ%M0CYR2H(G)00Jo;aATU49M>*n7RQqlzwL|j!kczWKbT{(ZEI1qZbj~d8}!W%^{805=S%AyxbQWzQN*MhOm#E zj>yQ#KLbdQm{w#M4iTk>sXD>@2yWPLqEH5FzkY7k-cHFpVB6a67o%i#T}GI#SxTKy z0)T}H4HnpE7L9!LG4surXBv#ypUpqrufsTeLX;lUq8EQucRp592DD^dM*g5#7%(CK zz-hY1h&tHi2f;uImTj%ri>Ys?>k+4$rmEVMSN2$zVNgeoc#OSSuctcDwz!j4=R8cx z+_!+@agIJ+iv(^VF$?sU5kGdh&zk#f^Fc&Df$hoSLcVn?}zf7cMVe+U(37YiXm zqy)qFXrhaBy#T!^V0Xo{oFc^J{Lf)a&Dc0jp+gZk`Ees--{L8 zQM1`UcV0Fpf{9fj_2XWN$}(XL12b6nS0GYom)}9(>GC_{$ri{J1vuer(>qn_tl);b zo)JAk5|uh-1~XFs$cxlBiJ;)YZ-bV}4})or@Wymi0u+4Nr86$O$tnO6>Ih~8(_Jgz z=ZtlukWT~fkWzijb3eHIWcoLz21=ohGi1xx@zi`b(G^-DaRRtg6EndHGeX5CF#WPl z(27!J(tb&+WIK4cbez!{F@!;1*Jfs9Y0tnQm7*@4dG%hB*DJJ&>{pO)kKfh~OzX;1$-J%ZKYNgu zDur%3@G~m~_!7M%`))&umg!k3I{<~2z02`Kk{{r?PvAU-*dtjmMm~eCIJWZZFN96M z%1-w*Sq5%klYWgZ8E2kTuf+UosSb`T?Sqv28~jz$jc>gLQf`XL5j^~Cc5Z6}AWlnL zY3T1BZUMJxgjCvWdFT}8f{#O&B`C?6gfR2!Dcb-J0ty!xV>urlid1ta&3BwbnM;lt zacd}zp2c33HJ81%d+AQhjZ)-B>9P^9mFGu+5}7q)D3MWD0&5f%GFZj=$@*Q47*$~J zH4!=SpC(0P1Mx{)a}RPNTtzqkJ19_Rf09R?2|P!^i6PoPUWD_$Fk=EK`vN}U98q=? z1{63wqs{^PW<4BW(kDy-BIz@GgO_LY*x?bj?hI`Oz@?Z@ozLFdJ93{_kD^$;DaBR- zI5)U^x9y!2$*b`+t5?lQK~x~JrA+HkHPzByULXEDT*^&D#-GEJfe-^-7EnI4dhW46 zid9n2ghEt(X0kmkRMmDBDu>z}P_;=d^;cADAMlm*ZFX#MpY+}JmTaD}@90loH~u=~ z)VF)r-NeSLzuD$+o_cD-1&H$`jNKFr-A2l!gT?R`wnSvr~y2f z|79El1Ofyue{X)y=so=sSxJC-;xl9z>CmyF)gvJ^eVUHCC+YDJ9j(%J=~Ix0LZ6`6 zj&h+%XFq;tFmG219B)Zpi5?*y-n9gmj{eCE+kf#=I0L)CtNnw@ z=%I6eCLs>Tsc57Iu2HHT`z9Oxr;)s3j=#F-aCdxCC9b{^G5z@31Zo;-;Z1zVq7d|- zTu3!USVL~#RXJikX&#*hp;Htvfd{g|_~WR`Zydi0Gfy2q#2&an-X#4Uao_vW44Gn= zttdz^*MlFP`$9PsW6%(ZG%%L}i5Ey;nnRt>t3dTKW|*b{wX8k?m=GRK|4EfefPk{^ zKMueaQUh6YDe;^Gq{&PmM}vz`2h7=FK#r0dHa^$!LRJi$LKH|R`SIlvm=;rRre~JZ z+Y}_D>5u@*pvQWg6bMFi&c^vS^-?zcUcoq3&3D^9s(WF=3nUUgVNA={rD|HOPAD>s zx<=-6W8>VCRN@-_J}@L4#^ zGq@)y3u}}vW#+b9kdYa%c+pPNZc4c>c71`kDUDxV?wPPW?XTR{6;-Mw-S*Nrk<$Od zI&wY!NE%0_`35J8&(Q=wa#k~Qm0T8@09132a@o*wCMN0;sT}axFJl2r!!*M*3>^~W z@tgp17${%@ne|_X|3m5%d_pS1Uc@*69N+i~Ol0NTUzyKvzrG(daX`-G1$hjchRk%^ zC#db{%v%6pGs97*a$-&Ra|tp5nGU{hXTwDeRYnEr(pBq&0zrHkfKfv>y-zckgfS{- zhQxrc*DfPCkPgzEitU1R!Y=*ou`yh(i?L*`ZD%&=I!5wMr>Wu_Wd{KPPe*26F?%1;oRooa^YPaidIs>HpSSNTRu6 zk=<0-e;d=ZzIwn1p29aEp9$I(owP}3>=%9Yx2@mjZ|%6q3fm<&#MgAI-~KrtA9GZ_ zuEqu)|63Isuk=5Xr|BgC9Q>C%>i5$(yy)W#VSOsf1ot%w5o}hXKOvwM5nyjJoJ7i@ zxnyytswp)9NGQRxrr-5YX*hl+mq!k+fs0I`a_TDqVMWMe_rJQ{tLJf4hb3}}YDhTV zj5R@HZfq&y#OS8JuLPbV=GMAvDCbnpJutV~PB?&Oo6jv|irQbzag?Od!QjLLV8o_v z{T<>7k_l*Cp%;=Pd>TqZCvr5C1KD+s8z%7Y-Z>#6vkl18gR4?x9=KJ8;SM9f-XKoUw-`Ab?>i?TQDz{SBj%MT|r&2<^wzGe;%Rhfak+ zm3y4Zqm3AcXE9xSYvSQGS!Jr?I%jYJ>kXDLg1 zSIQr%BZQ3Ae@E>|awKaOxY$snaarTiP1+{y5z57cwp{gtIO;!MDiUYt*7RmEwLPv2zOw*B@v77@1V);`d@p=56uS*nU4N_ujQ zitAEmYJa*|O&5`kmr4Qv8N9-*TBm5WlAW?+7@)^rnx#&<%i*EGoYcUUhL0$m zUeqgT=>^c$K0#iWUP#3Xi3r~Bn_b!X;WJo_uDQN7^V7ghJkkFMUv zj``@mmEZP@&aFzIWds`zTOLL=E`n|m{8;|3P?M_M4%@a2ZU$WZ-m&p|Nkn2*nI$X|pEr33Ea%6XT0bB>t( zJ14@uwG1>F{5M@nfK%u=L81=KxX&5y#EkBq6AeDV$jtta7H@O`Y-tIcPfiXPHP=A% z{mGp&!4@{0Z@6H>|LUKnR)`KZrSA1RH1hHFMiZ{gmyjQ4)AqtoDq8~dE7(RWzZh#t zvrO-4ZvtT5CbzO7Q+6D0n**#roaPWlybu_AHgi?v$CFjF=U4%oZAH}aT-#F^liVy! zdC>8}bcLlyMTuORrc?!SfJBr=aI^TJT^ z8)^=tyR&w9Ks2@DpKbD~2+xgDg6(=6R~g>Zy8F&U5zonux{5`D_Oh2q$^;zpCWSK= ztN8|*Ay`BVKCM2`7v~NKhQ6L(Ty@@ABR<-sdO*FBr9X>s#>c$HXnDZpV@n&~k;sq$ z81L7S8lXH&^K=50b8Svk0Dl;Blg?XFgg5K~>PN#@LzBd`4DS#^V$!vHYO$ycxDEWr z<*YLHk}y+1|Fu8b?6%X?pC32-MTHY0i1sW9Bwk8`-&>f^5u6;KGPgEs=}3y!OVlMu z{0Y0&b9;lMpLsxt)1R&*fn=LAvBna7B+mZz_b;FDwGztQngvVD-fmN2w_flMT$=J_mTeRcvr3+mF5X!;gmyU2vRC{ zpzS)9@wQ~x*#y#Pm=zHyQkI_{TBot!`-51-&K98}Rd&+6Xl%gep6XxaIWTvC$}=}Y zTRk+l(@^<&hcc=8u-fOr=h%#=U)cOpy6LOz58t0YyMZ&)qs+axKJlH}Lseb}b&kKg z>Qu-sSbUCSX%$PvbT2~WEe>OY-Ihhc*YiXX%;TX#g-z}~M=7~~yw+BLlAA3bNq$J! z2shiaqeG^5H~Hu~R4VpY$S4rBBJdHAWs=WKs5W4jxQ28$!Io4`NIz zGaryl4I(l?2SR|BcQ8t;z<3_y7 zIMc$D<|z)5L=eFVsq{f|AB{a-+hU3{`NFWv2FQfp6^Q?y7ct~U$>lDF5A;;0k z_TQ^*pN-_)&+yV1sBt+?Hv?)WQwq7vLkIh}PDMEEA8vG&MwkA(HHGiGY!|?V@*ZZe zSTo23h0Rv(yyr>_ol7E%xt?4db#(E4;G2fIlR6Ejc9D~53Bh*wLrpy~*de)l_RG8v zYa;J?-b!AS8eI^n`CH=h~HoXWQpbBSRf7n>6vQ6_?221=l0o_k_;28HtBen$~v*W_kG(v75p6 zvVlXzkpp|-*O#iF&$!&_i2b!xPS4uV?ZxEJ$CTOhG>2EgqiTnaEe7$f6?lF@?-6r`iDj06-F!2$KK7JckSXj3m)?7$B5c#8 z^AkBig&Eq6AzrnB?2;B2mlT~+NLmd8!)-=cSb?jjnZXBVw0Elgr@rJ>!$q@45TcOC z#5-m_1UDlE$A8*h`FN}ZE6US7F{MDO*GOqIv(I^NcIW_sN?x#hI};B|y3Kr$q@(e& zoDW4{?c>b6ffv7dYWm_%4t6(t9^x-m%_`=@AAr`Hc&h#WR<3+G=y$E)mM%9* zS2i%`R?JT-`R(!K#_97**lRuQnM~qPk$!1&eA4K!Wz@*Z%x>~AhYg~&J1PFH4pQV4 zbFF;4yZhaAbbRMnUKnn)#jRm2xm)d%-uBKXEL1TUUcTa$Z2+GmIJq5TE|yYDVom?1 zNgFOq_hROXJ~R!bMuKnSy8PD7S0)I)!%@nxS_b9%Ww>gOwL&#Zdhnj@aqM!1&>R8H zhf=rJ=k+(65$h1YI{ks`zfg0&kI1NxEFuJcG@Uv^hqS81CfR?yTUz!pbOoCHA;pz5 zdp4vI-vI$dheeeLM)hg~UILOydf>K)-R}~;k9ogh0z2#f_ijCua|D3a(eQ+HsW-uD zPV10)G~~XN&D9m`5C1r=zZ{#94;;S8U|eHhip||A(TmmYRV|e|fUlc{IZtalM7G6R zS|5u5Qmq$7z16vce#mLO%>5B*ZeNAS_Mh}3_I23aaxU(^NYJ}zTXZAuL(_7cZ3#+v zaM{BdG}Cs?_cT^jM507dR)$D>^XQ3|yzn37Hg{6?^eyeO0nEq`0zEs&nuAi!Bn}&&a1AfJP(EF>Tvb~ttGA0cC8|$}6386itvvFlS0dTs~#;ur6mkEQ( zvOIyXiU+-k-_s#Q$5NmiH;A;Vh6~!6<_xc%(ctbzm|6D;MdUEvY5PjwY87wpRdVN; zv9Tt?X!;der>UA&pl28V*4WAbWJK*dMn;Kd(GW&?WGb2%Bb7D`^ z=mF@W7ZmO-N=$G~y>?vNtP)4svGIPCyL>;X%NJ!ft-27(8O&x^Af{2{G-DNw5HARy z?HgU9+v233VxLy^TLXo82-V+qQziCi*>JpEYna#K$ch6jhvtWhjfKVKL2pjx+c(eo zGEDT`;@8r|*4p1wY;J~!HZ9od>ERJ}*Q*u&o)_&9$R9R1o8F3a<8%3JZfxBBu4=s% zVv|ls_1<@0D7m(9#7)!fXuBJwdVKAp@k zi^rsv^`4u%_GC9P(vRCR%y@&^irKcPu7?ycp_urQ+n+pXi3^j8H4#~Wz~PFV;W>szQy#fUb3BOMdSEWx zqI&$k%S!?cMB1sG6_7X#r(&VCB>hbdzo>q7#$Wo2N_T(I8S{gj8`^^hs92W%L%pgg zE4D1#ubQqW#>sp=XK<(@U1M0Q8Vb<1Cyk3N*rq4%5M2xH2DV#}l0fW;y0Xry(`Z5X zZm}`?e)rGY1%Iphw_5C5Hy}S0^Z7-u(&j3mbOBtlY$QHp4Q+hcUB7eJsNp4%$JeOT zWWKgSBuW2yP^I^#xBiystWu4l`C>{rKFCRa{X7+Ix|Gqg^jj*hto@=7&*HGz9A|j|6!r59ZiGUmB$h zcETqnZDW*~jy9uwL)(fF*gR(grujOZZ3obE)IdR>Y+*XL{7EfxqebeI3{IXMV#|Mhp?Ji{XesnZ``NF1Rx zXxYR<_#Z-=6@$k@suIP@YtMqP>M{pG?}AI7o~G^S7?1h%-sFHDk=BOT!P>#3piP1o z%IbkgToyT)=LA`BPK;z3j#;C@f4hD|E9tn_0JdCY#*6+zl$V~J%7Ko9(lXecRQh=T zGLXqFLoj8zw^I)Ju*7@KMTH9QSh{V}nj`n@m#kGy+vc=o>cJ#uiZQtOso$?ZM3#IA z9<|8Gv3G&RLhlL2tju1~cVXv4lKztL2O^OJ3tJC6+pqQbl6*C8J-IS#5>mVYP`;OG zl3W%8W0pocvDss{x0AZh-)7jJ;}LPXz!mv_gpW4LgFuqRlRL~(Fb&k*?3*z4DHbH+@Y4ZU$5mJTRY?77z`V5s?qTNnd^u^|`w5yNfQ7uS$L&Gq}bI zg}u6K-xPVGHHY446UeqXITq_F2(g?Ih0Xp~k^Pno>Zmq=Ze^SD7%?e{D%*$(w zZUZ+QXx1B8C)GTTxozheJHgQ01^lv)+A!z=!7OYZiTQjN5VKr5$1Deb4Da;BtT*e9wl5jCcOvM-s-EQ>!^80YEthEx%4u1Uo~J8&xE(B78|D;N%kWiQrFVGC*>);Vm`#3Pbe)7e!jd5m($jh5BK z6S)yhqQ6J=M{()Zr8`;imb5fzL^+fNzQ&cqg9G(Xc-`uawhvqFb9G92i>3DItSe}@ z%m>1MY}O0DMkgJa8U3{-?XxerDGxcBV#-ZU%C!;Z?63Z=A20u!@|k ztlQZX9D@eLj(LijYVB$ZR8lWf6)(6rVL7Cql14Ig|AG&XQAuD~^xf@#5|!$?y{$yQ zlN+0CJ1v{-kdcSserKb2knq?fnq&3bX4y&t+InHI+GDie_e-Me$k zJq2e)Y!$EV_{5Y|q?Kq__KiZVnOzfodw$%gUiuxsf6I_vrb_^SO$4CR`x`O^A2)n3 zz{VDcP4TR_o0oM;%^8|5#@63gsf*)Ze9T|^#S8#jv#apqvWN)~eMpgEG^xYfUq$R1 zHA!991JUs%SRSfC`bGV;Rv=n}j;~&TtH*dDLM&eb->_F?2$&7U_nhYH_ZN%^+I1%T zH0)hwf%xh?{LaxhuGh@C41*&!ocy~y?#vcanmBHZ!(7r-KYGC9;^UL|iS^?jj4}K5 z4q(o@8XjJQd9kBwj1rBOk$lk)imdh7qp!>4vs(_k zh3R!$z1?%G{H!Q@DFbDk=Ui&os~T(<`zs3BaHZ_e=qog{as944i;gIl78Hbn+_Iyl+-D9!M>PR_*nN%34%W0Xq|~`v14;LuOvyF>xN?p|gHE zM~k2AiwASED6Ry?FdbDN5V1tH%IA4w2le&+98JFYsk~v41_Q0~NKT3e4EDPO*y2el z;!ms)$t@vp>8Jy1VW$y~X|;cm;$z!vIXBFp-^I=D#37ScXS{?FKIV}q(mSa0NnOF1ITqr}% zS-wAc^a`<9f0>x`PB2CP#h;&z-*&xS@TB1w%%DX7*f{lDL*0^NJjHqPd&O&=wTB5h44G0gu6kaO|?v0=tlqphb(P5~ExVzH4ku}qO;-be*L z^dD1=3Ul;r&gX?^if;*sigIVqC2*gD96ZscyZ?Iq{}i$lxPBRtUJP<{iW(@LD!4|x z;S8pQYsNBb0^3Cm&{#Z3bR_qpEnpGSmficYT&jI)II6c>-z`F=L2;$Fct&n1q7joQ zJD_E~lkIAtt`ZSgfxzWbR%Hu)?rga+`1Jk>sq6)tN)AKECmW_f;`4vGx}cEIy8(tOCnBf=-N>A>|T(ko{l`NVM-` zVssM6`QX=|M5(T@G2#4GB0)#~y0}H^JLF(Pj}gG7my5YC#>lxwoXZjkMy0Km(WtFP zc|GZMnZh%ocjasM2dc&3op#ISPH*r;$32wSgU9~VKNbWoGKS_4`I=f9UZ4`w)jkKH zk~X2L9fmET3@SDl`Zk+Jl9GvYz{UuOz7HK2Jn{47&-h>?d^+tfjos08OCEH*^Kp;% z3rxDik6vhHI?LWg9{C~xte=CnoP$)+&jJU%aEu112g~KJubxND>1sv;-pJBkT?KG_ddy9L|`y!2m>~>q9m+#Knux(dh(|E>;*(X1_t^!CUe7X zQz`08e1_X^-a$VweovdMDH~)s?0OS@G&p9q?m(63g=HHdSkv{6YR?2a9wNaGk8HNI z)hE}DPkvK!p43Yu>iz_MPL38seqQ7vGdSH*hc}U z9mYYPEsC4<5TwrBL8vfj9e4+^ZI`rD0Y0UFN&$1 zlYTZt2EX?DfeJ|S>o7LlJUhney8e&((IHqfxojRWoo!+)W4{Ey3M1Y0uW+Eo!Ht>!W zY9kn2KMgv}W(nL*`(OSVgeL@&30#AyGRCP5*=mRah2Tvw3VdA`J`Xxczl=K28{wg) zJ&sY@UU3pAiHNpZk}JBvBV24*>&Bs29z1@(B>GF5uly+1Bv{q>&>?UN52Z`+Bo>}0 z^3hi3ksudBybCO8BKz?V6FrR?nqevUKCd#P=kNB!=5GXl{B&5U@yb0k|8CZ@500nB zSDmMp>zgy#!V9yQOtv<5^(Cn&JmIq%AUy0*cIXiWC zfQ=fYe9NAuBr>IIE_|W8yorMyQSS^+99+L!@FPU2S-~99DPtlm$eD2?6+1muV5X5$ zG3IwLe>TMEPCB2(bi!jzi!m3r0#w)Jg4EHedw zh;7~f-tcchN#QZ9Suqo@@H4<}iI5d-OaEgzi0JW`<{r7fZsHImgw6~og`di#mvsq% zUu9-x`r6F9gD#8(A9{9FGVtOvp#Mmeml96lcsJ2*Do6Q)rpp$FBSgMkd9YuuBQbW{ z>w@x~hYsath2l}8=;Wck%*~2Kk$v<9L@;(Go{+?OF|`?js+J$O&U~@TJ`2)^s!#5s z4Lng%ne0oQ))1S-3|p(&SY)t4rmI@lg8QRZAQ!RYvVt*BO(SApfy~J?C&~61*!we- z&)#s({;@LkgL71m^kEY(XMDVeGgy21O3KXCXm&Li=ke0$d(NxGk%hs7tvgxE{=?jG z;hNw)B6*?I9|>lP3>8A>qvcP?2@Xu@v}p<-r8w$G$Y{k=s)iVGb5#>bdzV zMVEmJU99j?3qE#RMh*KQJaHPQR>TBq_!~i#z0=1W`+8BF^+(RJ`tj$;?r`4wk9@il zaYHtd1OrNt1kxIXY*37hbr1X569Z0PCuq)S5u8+Nhx*clTmZ@O#zK|7PO-p)P%0c6 z?vCQ378<>UWy+^4l~J730@U#BKhZ{7vEj{2wVSH?n)=LWH1?fim|-Ws4Vy_Ra>>M~ z+xCQDpeuX2PT!P?|L7C27?HU{S%XBsWfG-Wz` z0oj~dy^HwDvFM8!hp%pK2ORGu<<5AGBl8qxTj-iq&9fm3uC{{fBWbpOrrE}P1*Uz* z7^gqhjt3SGd7gmYWoqXk>k`07IaWLd)U*ciL}dZ{b$sehDIl5kV$m_$lPdyqxdFjfS{j@>d1uT+lbLl{ zqOMET9Q>u$tN^X@bfx?HTvy3&ID=jr53=1bvanw`DxmM`&vYBAJoeATtBKD=1vyKk zO{*B;pwP6sUu@r6#{sz7gF26hmdnk{%;l%m8eF>j|E%H$bYa{PLCa)AhU!H@+hys# zi2O?R6SOJHypQEKeQ!B@b>>4b!9|M4DfaBhVFengHYHJMU_rT)#5)CP&x2IgXS?)p zamo+iqaT#c==MGzSN5dNDcyU>kdjI7DZla~6oppjWzFp>nNEgoY9itM;LqUi$EWTo z)x@s0;N@NjQTz-?BG9&APAhC9VwLt2vr4ePPqbfE zTTx2faKbGTyA!IuJq+m(Kj~cNflhh>D5RHO9MgrSGqKj7r6h~sbt4vW6=&4u$C|sb5iZre6t9gKXHoLKU zeNg=^@cyYEvjWUvE@$H9slhQ(DgpNTW@KyMfJY5%5gjle8`vf=Vi7}lsFxWJ$+8V* z;3WL;B4>i%5|?kzu2X9sy8*+XnjPIhWolvLEwN`7ZE8MBgb@@u+|f#V4VCoMMAzBw*9T< zC8t3`manHIM_|2i1OB`XSeHtFk9v4I7Dg=0l1TEafhcf&c}WbW1__gdY_?i8hmtCz z;9U-6{h2hsu~^Mh8MzV(w-7|QOGVpbst^;jWySz`q=KZhvi^LfF9*F+m+83*_!HCZFeU&ewak=J>%8uP;0fBA$h*Fg;TWV|1c=fOnq- z&_g$Jv)3;75oHkg9|!Sgnhl%68Qe;Km$dZi>drYfw$>=~UdS$*AuE&91F5*h_=m=7 zx@&iw-WKn4LV`g=4Y4tBm733&K}8=dFB*>&bo)uOEy1s|J&RF{-7DT#h9jU zfQBj`sq+d-l5KPEQ(h5t0mynuSTm2~5jpq3&X0m2#j`(0bbJ)-j>3o5s6@>mMt%DNOVg>E3M}-4!%t&O9?Y&}0VQq-p7eAnUXtD*#k2m8P zgd6+WmWGwK>GXhGbMfJ=k<44-6Vv5O=aM>=-RC#c4ZqXk8OsJW3p))wn-h3m0&-$Z z31X&19D*rN*%X zZgIw&NyOV~j?*Px=E!4vQO+uWSSHzfZ^!7;mr?)*2DenZqs+NY5k2HlOXA|0J(txV zQ;{DL^a)MWoPq@5R7DYCy%@;Qi9eXjKg}$M0#k|6M$%HJ1PX7nxu)fX?jt zv`fgvCesrM#%wi&v>JmkQ;O2C>1XGo`#PzGR-^!)-LGzzxpr}cwO%ynly~(uWm|?4es?-~gF5Z1p7Ozl8IAsWWlSt%Fm^gJx1Ow5_ioniE z`1g{Dx|4QkGN{OfJp#T}b35D1QWQ{&VY2VRZ)iw;W>ge9X|Y27`g%I6O}8GXpL#slkzF;&Nml0(w=MwV8VY>oJ?|9G9hR5BYpG4ixW6_ zi34Eh5sqGm{56(EjZ}f%TG(Pz_Nl>asizJV`dlD$me)*vuaqt=f3i)0S_bsl0Q?Qa zYAB|X^HA8~3APGq>xw-v1 zIRF2@SFgHis%Azg`}XN`zVn^$oTk0Y6GNVV>WBRAD!fJ6y0HUx0n;SaAMY|O@z#-A z^1s}hP)}I%kvbwh_kEg)5o zWe0Ty#d6r=IX;s{RB%jF6>U$~OyDmqm3Bb1eN;>&v-Ds&uDCgp&)NiI{wG)yNVykU ztij;lAe+P01a)}f8gw)?^q%qd8eDB(U50??Izjva_YgnxX1)D?6|>2kedPC4S$99F zQl-&r$Bc0-qeD;z%A=jh$rWtbnOC)YN%3^#r0s`$GB`1c!-35XWpd(J8s#ldYZG>b zn39F9b3+LIN~x$zUTZ?ZjVqa6Khr|gpwj;y8sO9`csYTx~t7t)n$ zdw_Vr=7ubbZa#H{|4yvVN@AZ~47wLt~(k?0#_2g;g~vNn@bveNnl=5iMd zRj)`r#a3|3kxkV5I=|on(?HhXJU+3lv=olwRA;kB zC;L|icVX1s?)alf`-+TBISxnIPWh5_@VjFSi& z2Q-cXG*FK_>XPw6A+*5qgb^;3%B9hNs-upbFY!P@l%cpY@LSFS~Q7`{JCpv** zJ~}Mbt8VUE?H2$+S)6K364qSI_JWmXmY2j3c)_S89h8i!4p6gwPY z@+#75q&GsZx8*NN+oQ*MxlXRVTK_PnCo?m~UOfNo!+dGPh}m&(9oo!NJ||z~ULiZn zU-2u+&6G_uN5>wK1F=1)&&_JZX)DUM&_xO;b~xZh18QP zEok%=L^1+0op8EpCVV$+xw=h#SYD)Zr_UG*5C938&EaGIxWWr}#Z2%9T7}Xb+t`wb z#3Mflu?oHadoiVfC{h`nu2jqxmm?!xg$`=die1HtE+o~3h5+W6W1E?< zOO)GPira#FG&!RTdA{;RJX!rz;-n zWnXym+V-rHws&}6^bgmg9?_cue;iG#dqk^_Pp5Iuu4EDQ|3clRy=xrM8^uIHDTtJ` zbK<$Q#%@|0RTNE4V_8%Z47kq8($d`ieWay`Pvqf6jPB>cd$h*j6)Z;2Zv2as8cVh5 zWR@+%72PqVUmK-HzyrJ^tLyRS7y6YKxf3&zFbZx2D42WUxd!reb`>S)o$VKWzy4KV z@+COxNI@fdngITYF)#+JKpDW(vC{F?_WgwdQI(FskIXJXg5eD-ADUA=ZK%CDeTc83 z7pOwT#0c=B4Sw_p@L83V7Y?@RGkmcnv5VTo?VyZM>ul9U9$XEwOwUJ)uc+0x&#iUi zBHtaug_J_K$&9NOP2BrwNbU#5p}0GQDS75SK53GtHk9z;N+a&yZ7-^3CSe{ zPIL%O*I3;hU?(yk@(>(e#oD-0Tet^pM&DF^YYh01fmyjSShIX?Wd`cGR`gqQ3d$WS z?warH{X=Hu3a5Scb#S4!?}^(&Mt+%498TKy7tIB97}KY?e4OmlpyCGN1{5u>ls4i z?au*qX&{_pV3y&`7uAL6F5q+9_18)=?UnfKt2L8C` zC)m3!cQspLvTxmdmkKM6S&MZYRooDz{i$phZRUmjdqK|)(Kbnr}6DdqD?4zxm63LSWabhF;#@D#oNr2l&bHKX-Z-OLEMVA zceSEb(mt$~0Ayk_6&II~QN9Y*+GO74Kccl=?r|joHgaOp+t|#37wiG9?LyDJ#E&cq zWzBNnj=2?{xBCO}UpXRM7xni@kut{fTNVEO<@51$6}$i%&p&#zolRsTiyS%vK__xe^+f%a>J=j+MfzVavJiH;-n} zj_*HA&Gp^K4rK@^sr-!z{_f#9T#vRiKHcIkwfmiDkeIA`Wg@T9I=`ZAh>|&+K67&y zXWm@xjxg`U5f6~jszNei;uoH9ocTliSK`{I*!z3ok^Zsa);aDR&QZU zWC*xsyZ~Zdv;*os3S-fF)QaF&L;p)pX2FPeX7wLh#Sgwav-NSe1$2CRk=scxJUEg$ zXxmG^(2RJ_pR$6b#%rZUWLV!35MBW2LfZx)ho+zUPQnHn3IfcUL( zmO}5t?-ak#8dwTSpVt5(l7G3A;B~Zh`$%Yc)4htfWtA`BT&Qd;uy+fpkfdTejNV+F zdmn#@6=3t|=RXqqEUG^`Q#7YVxL1-+%wGczZF`M@sh>lGtC z(T{1TZ*JP4HuY<{sOw6yrRfG5I3lk_R+fp24B8}Ib!AV9gGx)W8fyo(U|*Ww?w&MS zb;a87^Zuo8{d|V@`5et__H$RHuV43x6CM5LVnS?LY&J&PAbd{3jCFR;{G`R)9rP;c zX;|ZN(tG_{cx!VB{CH=TG0SdSjsT4}72o{HBcdnGwZ-w=g=t7OsW#M)cg%qI@KX1_ ziYvuC6#;EjiC(hg=N$WPk6Kn_@g43r$v$K|{vKp>FI%)57msPJlcLdp(@)m5@1=}I zKidPCUdNEglt$2vkgUO*>IV@2Si)Oig0G`oC10w8ZsxVGJ#_AH)h~zuFFP-Z9q368 zR{ie@9XmR0exy!e9l$;RckNlzgXb^x(cA#xu3v%qFk?>g;+;X@5FXG`d_tY|ojvSF zOa+lyv=8byyRvxXyx30dgSU$P4@J)P{nJ$xYM^`!LYWTgEHHp_ky(51rCr=4ja6Fw z#Zsk6dNb(p;`>9%cbH}Fqt`r=v<3W1BE#%JtSaM~Q%hXqn7(SkibdG;ZW8^Z!w;*< zDaiqbCG?l!HHAfegGav=UUJC1;868o9U<}-M~lq)S$c=8n8@duR(r(rYGHp9DUG!$a0%~$ZC%zg4@ad?zs0+O zT6&PboE2V6=8=cBL1t(#MVO7b+ou|P#ZL&wn}yDaj4s5{h- zjxV-I?F;`i5ss5bg1}e4ze3%_5cfg%lA+?{PG&^6E4cLz8iz9iX8=hJt`*j&azc$w z+mVJCSyXPo2{3%e=Fj2bPdlGDLPNMHS_6(WSS6<2ocl0Ea*8Oh;oS*uI4b_=P)A*> z_%oGoEhsq4R_17n_XpHaDUg`e^o&w7RJTJB92BGyWpQxra?zOvr~`&IXM6~ z32dR%0lZ)^R2c25Ab79j-h0IzK{Z(3P0me^}l`vH>mXk0@|L>oUrWkVO@>8Cc8vt&F+o`6;Z= z(bU@TSkXg2B0+wd-Y|7?E!*x&GQCWIMvp_lMb={gf=G(y%Nyf^X7FSAqyPZi58_pkanR_UgSL1Mr*d1qsEAv>K7oFG8>;yH+u0sovYU*PX)dCs)Xwc1xu zpc^QpwLDVa!EOqA)st0Gto`5D7UgD{_3`g-e(${8@IK*9bohZg=&kNo$10ZdPpgiY zc)|l{aMa?R)Au5+>dmRNLF2^>+lJ?v%+tFieN2<5>vOVb!cQS;6PB64CEEE8YvXOP z*N-CSuGF%j-x%_pwGL?}EQY|QBG_(DSKW(T+6dB%HFR~2xk~2D;4eR(mWtGc4q9OR zrL55hUxQ4Er>4PQ-?$RBDMvf z0drl{p!pY5m8wq_ic^=|0v}))h0iMRMGD8$53x`nX)N9Ny1_<~Q{SX6RS;a9BY<~d zt17F5Jy^2k*?(D;%Ad;~RV7BeW%YsQZgM;k3-uoUjH;6)4bP}vnKZ>xt{Hf|c2BF! zEQxy$4=Bv$17qm`*7mZL&;DSSlFC=JgMc@IDoGXVuDFzA(ni`Hu16)Upw~U;%3BXF zQYltyk2L-HqrH@HE82&}-V0y5W;E_re-&2>kN&G9?Ty#=cG|CZvWXi39dfkJe$tf& z{b_o`BUW)-{p#i2Op-)N5FD(%?r zq0tqnsU5_jaR1 zWJtajFYo_tWFDn9Yn%fh9(w=zBD?|OAtI2gV?2Hq46(kurSslXWFxl~;vCg}Ty=-m z$jAf@$DQsg{H56z&>;_f4`=kv4s-)f6=r?AE7Vkp8`vnZ(g|}J3!jcC7Ymk&IkyNu zIH$u-AJ`$8c<5iJ=lio*(N8XzF-e@1qF_6_?PJ|X(*lj%V!GWRg4@}6)FabnD*Z<3 zf=s%+DP#{%vPNc4mHbS2!m8yw{U9X@EC_C{5<89^I@IMvqC22XpUgv?N$1>vF`w>d zUo?^}Wz}X87$pA$aYf;Zw3Y}NR?9b=35t4=v7#VjRhyp)2sA{PBSxUK-wC1!RU(!R zo$wN59X?d?5^^bar639Uj(~kwF#~v~WWHxNKy5MKUD>OypE|i@FZ9=cAc>}<>h+uU zVQcY+li%;%9W)84jShieNUP*%?q#nB^ZI@t91o-Ld$zOFIM+XHBvpOZ1WoutL3H?X zf%_=`d)IBOi_AVZCp>R}8zA3q=(EoL6fyEKJrS7m;bR2UMGg_Leg0~6 zsCPFhG7zbOnV^$i+Lu=zZB`A@9!(6PO*E<6t-lWV+mmB9e{^0h|1kOI#PF%#NNb2G zwlaHL+i6-W2=w8Rqie&_sD*@uBu-(UOZ%&PU5r@CschOX;K`%bA3@?nS5i7G&<59z zRvS0L^|zS{W6mNB_=kj8Ma z!ty;WELTEijU<4!#}$qw>XzyR8Y@olzN)-Dh;ghYungo+-OdhM6~pL{cfe9-@|la@ zs^%n@7wl^M=|-C-Z#`j6w|$L%Jmt8so~F#rFn>K&ni8{gI4V9gg`-RV7*7BLSTd z0|6Nx1X}7WlUTJ4sAZqktNIeZ1Q#dL|JU$4T#6V_eeJ}gd%0t(#Wx*{PrG0JU4I!i#XMs zzmdjhbf23$N+gLoBJua_4vpg0+cU|&_A>jSFPkeOLd%4>fe%FkvAJ((wWK!k<3C;! z3w~Da3?C-_dF7;P0)5M>NnH+^>CepfM|Wp+r(5LiKl7z+A%4fTHBm-hN@Rq&@racM z0)P9WS6+7rEJ@a+CanPNvr)Iq!V|>0nW8L)E!ih0AQ(4cp&vcO@Lt^)g|cBTuXuum zGvpIIYeR3G8&YI<6S-nW9I#d;k16g$*UTL>Raef#hTtR2zk@hD6S2ULBZm&lUEy3r zc08D8gT;fK&7I}5iRMx?8)J_fw)a}@VCFc^%du?^-QNxjBY}g{ZQD`JJSDP$Gzi+9(P!624Qd_@x6Ye*hr5@Q!_TvY#y?*cMvXyRav?er4504!=c%`^Hz>`;a%r4Bsw=vV1 zq~dmG|8PL%7FzpbRhhPRVeA5?2ttU3b>uGU?~>D!Zw}${&dC%b*0WGCmRouM z<49SdNqVFRxk;11zfV<-Vl}EYsP}!^-i}>mgZX==)0?G`Pa>w);b%^a${ZpKDnsN& zvunW`{Tpqj-?{ZNXmlb#@MCVZ5R-&(wQuPr1ZRt2nXFK|AO&Sv{MkXf!2c z(!3q`%oP*I^0jmqIb7R2A>q{T?S=~n(Fft@hd*a6J@X|?t{=E(jG&^+3BcjImqQUG$;&MEk}cQj8S^;;s6{ zx5XYjDYkj7YO~HU)iN#%yPW;?3U~$PWXQzDYyYwT+T*Kc23Bo?i9&8C+xiZK1TH$V zB`6E?AEB~EKaEzLz9i33FeT!4&h?)%tAaG(b|}h4Uex9$&k~g3Y6o}%8O(z*r;~uV zWa0woG6;ne=fhM^hzf}HE0wUjwkXCR!7fDC{lDobxx_su=Y5MA)SSfAnVQ_JXR<7> zo1gL}rO#rNXq$N|uz<0GPkl#IM2OXvFAP5*!uzh050yq@*LsId8@Ob}5rdp3(vCd_ z3%Z{5?<^Eok-M?^8xlnRn`aaD>=@m;KccZUdg*XLcx^R= zJv}Bbek|R$b8K4`KRn1&94kk=GZQ&b6()?|xFk_;~a)hH~DRIFFIPdnm*vJ&115lSOjM(mlj{S<93 zI~(&E6Ss9!q)lv@*bC2M>{0ImiN763P~zY+P#To3EI9kd{s*xPID_Ic4k-=L2h@%z z7hk~|O8{;m@h}tfo~iky5fkP^Bv!|kr@X~ZxpB@AVabFgbf$wZ3Z!S!2EP9X)#~7r zvDxHbd|N3!9>M4+C!&Pd1!`)&l9BSA6;^y1KM==o=2*rE5djMU(}|a*ZHClw{PhJE z+Whz(2KVU$(FAE02w=s9`V`-$7a}y1^<;c;*M#MNtcnW0BC1T@-KCp3<2O^^ExL<# zF8Mq0#@oE#TaGmp$H)48;g9XxP`eRMs*$i&YOee!eVUiZP*573Esb0$&wNq+w{ZELDrrcSzo&j;2ns zyALY0?9MUdlkCQ@pIu#gUU7(%RZf5{TUGt{&7+O!DI!JDq?%CE;fC;+$cBlZ`MYh8 z)kNodk4$*#ZvK~h=JWF4RLR?!gu3IYb0t-l!Gbm|00@hC!mKTZt zWZ_hRvN2F+a#HKN)&?!(Jv=WFZ4QjrcT#CBSnyS??>q;#%2ya zf^@s;wn{5v5?!S1$A{J85s)*vT&S=VKKu5?QR1oEr;41357g2F3|lq}r@Kl+iNzvz#DCq=x4VAic3B1JFT@MKR!*!{@Kh!o0Z4snG zBdgAI5Co1?>!w4ZEz3iBl2uD}x-W6-??A=1)N&J6Fl99n&!EYdH!8YUiw{)@F{;FF zp6XA0>bspTq7$AuC-m@{rZUNm0WFS99IA3ndcnq=@zC&Fy@6Cu_j|`-iW(EEON}+F zVT5Vwpg#CB)2(C)yFTJEH#Io_{;xmKLrt1Ghzv#>fn<1**V%mBCd>TlFhWf?_i4<5 zI`J4-(+hgPIm6TK8^IY;j2hPQht_hR>3F)bbniX58>l$f;CXBBlrOn!2BWpgYaui9 zY4R@01x7cbv#LqdSaRrtIsElI9ApLG5;E1p4=lx_?4CAi57D>c3*OExeD5C=%uuDy zBq<r3*06NOxgjY-B3Lj8UO?)Q~Y@1u|#`=kXJroO8CD4N2PI6a8eXtw*dr(4GRP1??oiRaET&wF&XcrKGzI2*SZni- zAt%qIhhnw(I3E@1h$lm?b}spK!ItlFhUG{+2nD@3Pn`#?>DQ7bZlkxVpuXb&w@ha% z|K$_o5qtoPE1UQbt5dMCD?J@z#4sETME3E7Z0yW*GP)2QzQ~1TO@l5|Osd~VKR^{=zGgukXlciu>ww_`Znyy4=(>GU3%^W{4nM#9m= z++D=rnh{=&YkGT3e+kkSNEaSi4}V{UsPMo_Rbg&f22J#w(ESb^MjLh{`mUDFK^rr% zX{d`ZhmuN0OBvBHm>_-MbFvUF{ZiO5q?H&l36e}?@dvWTsMI&DuKUT>sV83^(A0!$ zL75o0qz~ov`@>>9@4D8rPVT$qINpwOT)=5jC9EeR2}4OK$E+#|0`K`S5KKucD(9315dP2RAAxVYkt5 zDnj65A$t@HoFzZwPO1Dh+fVf)d>6Re6)|+Pf_-O-Fwge;&%LB(i{FN~X5Z>GR~h)Y z^#`Vum_PCP1H0~O$azegzu&Osc*>>?DnTZHOg}5Oq02NtU==6M^K5Uj)j5~q$TsgS zB5~XxUcXm-hZ*yygY6_yCRDu$rh)w2fVdNh}u}P(fPdGXJ!K4)FQRv?^m-4NSru=TI#xs;EMK$GI6qkl8?<$1E0RlM~N?$gp zK7{u;_*?Pyv+zIhu9TZvMOOWCd@sU2Csif3PQ#;?3(MQEJ-aR9-wmh_1ThuhHMGwHr z$HZhehg?t z4jE2dy}*5;d!9sGaMvR6Xv?_w5syLNV*)tL1<2I}&`nRgpZ`j!QmGu&kFDz7*IRG? zpWMQO4jvFq@Xoaw8HOj}#xo5$z!4*($$eL?U>Yp{Zs52I=C_)KB}ttb4T?`9PF`A7 z3hzBp1YaEi5LqUFP5xd~!`4AOd2^j=eh%A%-_b4L-ei9*L4)yB!u`41ij{ZYJ69!e zyN5PMZ}JJ$_T9?aD9B7)aNkY{+z3Z&x*WUcTYrEIV=y35j{ zI$*b=>>w)$&E$i!ZgBe|a-Q(;fY7&_TkKy;{#0K)b&yx1Q0(aJ);knu{k}C;RIq1y zD=AJ~+${6dub=TH%i{G9B+$ zU`?Q%!*~V$3p~pRZx!80qm;|71CZs{*|w0ZRPn@)epVvHHmL0tr` zdF}3};~^=q$jooK%AMcajfAwnq5iA$3nm?(^YvZ1_}g74Yf0K4lpPt&5~A=8H;)#)R8!oJ+5Zq`F6fQOsk_G##9!mNhPmDT_RfJ% z?M-WW6MmN8aVAHeSESL76)T=aWH4`m9+Z8U#0~!JTJP%r-ChFLs{7GwG}{R@0mKA9 z23o=P#UKgPgJ(9(kf=T1OA)(s0L@h}F}8Df0tA#4s8xz4-jaYSb|=8S?xjpj9##jU zTsXkW6p|Ca)_T=pNY<~#$I3Otyelf=-$MeEi~+2nycN-}fXV&4#Kp+^(4n|Odd<&D zsUUDvwM{I9hkd+%2n?Y;YTPP7l3_H3!ri1M!Vc`8yqV4h-b*4uT8a{rySoZX* ztf^)5V6=|lj_dLEk~8#|w8rb$6w`EQuYttT9szhmgHeANu8^KjT)%P5GdI1UvuT;T<3-^_2NPJ+%L~!6RhZ~L)|;&Di$0z`o)%P z4&2P&j!`EngU|jk$!9j9Z}yBmp411QzM2x$w8bqF2Y*@qV_)CJjno^LDucP*tn$5Q z*$poDn36$q9q0A;E?+pY@Yri&W6%nU-VNjuZM}CYc?Gd-oY-dNgYoF_s}zVV1#5m0 zEE>sQma?FONEfIeJNUn40?oE0umU!p@MaRb28N|ie6|Ku{NJ)mL(o#9Bg5Y3^i&60 z9~Hy3^l&dNJ>m*hFsTbI$c_B|Z;^E-JMQ5I{0)_D%fX`UAlGizf{Lc^&A5F2&;uuz zpH4Yz%V{SM4R5C#f0bJpKz)GDnPDg4X? zcvT=FA~*A!7I}{k5)pC5<8geyh8-{;(Nmj@@aT+05J+DS>n<0AnaZYU{$r#rQ+p5E zv%c(>?><(^V8j^mEobYHj2kyY%AIUBVg0EGjw@1Ds8=PcU#>`q3GVi3D7jwaG5;$` z_%7>Q{i%=)qMnY%V5^5 zeHsPlnC|HI_AL~BP2?y+Oo{y}Q?(zi!`z4MBi<;8zs2|hB>=IGD96y}OWae7Dt-s~ zrz?aR<7@ag0jr*P-#-D#qwThBu&5{NtP>vW+>e)c?T2?~(7@hit4)rLyakI3_UJDd zU?N**kF5cm3b=)^-@_~1J|n@5YC}{#pZ4j>gf~0c%hm^MZCyWQY_C&WJZa6y294&-4R*UTa0->D9xc3e{ln|sdpzxr%u4uMaKh=g zw00*Bf_sK{9%&tKglVaUVy9e{y(=KpM#qXVVU14sc{X zKFL6C>C~L*fB@M(HhGe?=lp~pI~8+gFT45MnZCkjME3Fv&Vn82UgfTaxF?m_BiT6% zr_+YlYwwG8SQbJOpHQdi5Z;bm}3RNX5Ak zUf_kT#^;0aG8#c%2hO~GUn7?{BY0RlUQeisqFP4RA85n~$ zzlm*8FPHR2GzmP`IokB zhcr)RS^Zq(Dfi_X@Xcptz$17c3a~|vhnm%0a9HTq9{W>C2%ZN<$&0kT;nX25d|^p6 z+4}ciJ|S_MJoqvMaN=SdnR&Z@$nJ%*DwS|QA$e9^S??FYOPbaR*Gz8ti- z+NgW;0;ziAj9JI~OXkpSsRJv{6~Fh{o;#f#6wkD6c^E|UBQ?z~65foJh-iY6Sc#qK zOnt$!$v8Kj>0yF$M@^w_c06>e%aqiCbWPlDh<;xD|GKs1mWWJUiupJ^824Pht@cpk zt&tV}rytam@_j&~bQv3b_a~Nv!EuR|tHN}44~`b9ve?<_Q|!Ix3%-c`3)79P$M{y@ z*$8W6Ym9X5oPVFWM8`_*iD=xds!vKA(Q4k@@J|<~=@XkTHhH(r-tzOY*?!T*x$dsD zOsM)Ri#yGFX3whbzh9Wp`|YJ5J%uJ&>>A#@glCn;L>KC1`f`KsMHY%PXhNtK z+lMl(9N?C-#&sjVFnuC2MkK@|WG>-q0_|!-OI42&ju2ud_)2tgR(=|Pc^g!zq8S(O z9Liox3&!ay`1HMfZ8UOkhaP;wH~*5uh0r^L1;IToX};ec-|)INVewAl#R+vLY0GyN zK5b(z@1vbyU%x5wRW6+4cXHKcpIob1)fEuVCdG5f=oz-;c6t{ip8^lXZOrX%V?(;_ zBzYA}y~R}opz0q|w_N)FQMZ!GSn3EH;t3SCOe;$V*1@PfCkhiYc&o=z8cPAW3U}v2t39<(ciPTNX5nsGT(emx`y9q>a$=5+-$S>Y{_+2XA24}^P&9pgBNH<rhfE~ znsN7s#bbDq1BG$Gb42W7a9bLtRZ1Ad%Y!;kTFU;h(aPPU}6(`ZvPfpL1I~=IDuQ?>6=X&9LZsJDvz0IAn%;Pp_{)*VQ+C_jvl8VbAw!1} zkcVsg$rIKr2`8e30j0>suk#fmK8_39Cn?M*PLR@_Hpq;7xBw(Z3ppu z+6goiEh;|#E7Uf2UEXwoHvogJJ>?p-g-Mr>TONUtm$^*97vV24)d}+=(4U#VgC(g^ zk^OEQ%*B`ieXk7z<9lu9sTw=UK6MXPQM6F!0`}-NBTM#ft{+zh3 zXC|Z4S&W39*0eA{jgV@O^i2IP2*#26`wSk$w{}NqEj6sPR1@g$MZ9lB=>zdnWbiSY za^?K)(c_cm1zmqb({469_IpH2ZydMe3VT+2P58n>b>Tf{y7lbiHNL9SIx5nHhMOG) zt|A>%?#@Yo+@_^J(Dtw83%VF;Qsdaeu7RInn?O;F=jueSAFi^s<4J@jsN}1*t20S2 zFkjBpH4R7KKE(o=1p?OLzaWqhozW@%d!WJ|N__t}7>N#zIns}zqS!sC$k6^%oJ4HL zH3lt#@kr7?TZbP^m@s#E*Y>Rk5OGMpZ`F{^jkW)mBu2(QWj8xO&fsf2A~yTO4sAp& z$NI&7&8OO8k1Eo((vx^{JGG*8LJNI4d`DDb7bqZZn{Yg)f-uQ?+HQllw4L&wTh{k= zU9JzP^P%@gv~Xw!)B3kGq>DGR%xX4*9jNz(F5x7_G`y+S8GEny{q4CTQpP9`1MkF~3fN-mgQZYJ)|-=7rQ zh4KZVu$&2%3LQrka5`}(SE@rBYlfL4N9l&Gg^@18kgTaN+)NP8wO}7{0>9K_>hH)u z7Mh*+TzKRRZwQC^>%;|1h6xPz}gS2vlq8s3EDmN0IX15-4vWMZ+miaprQJsM`d`f z1@F8i`e0b!!7P*V{k<8sb%olV_<}7833RzJ=!{c2JJ{*OS}imSh~#Fx(#Mj{9QZP%akrbd`|?P(K7S^#^; z)OYTcT&dkW#gvHrJl#uEst*=Kn4y9UW`v}Y;<=a7{A!QgXY!V>e>%On$_$}C^@MsC z7ABU4Z5rHRlg^BQ5G`Zf-fd%t`+BsF5p8L*(!{=l|1qC^gkggw%2#KirugRI`QXyW znNO7kw`R{<-|6%HRdeomF%P!oAmpOb zAf%Wz;`*`4WgMA~yvd;)VvvJ6#!F<|R^jWGzn^kLsT;cXRrY^L(HG(myT|P3EK(nN z3I2lHvuN3Q^Bv@w6B$SA$se>)Y?}T`kCh8J`?IzJz1BRRtylUhoed1DRVA}`qO6(2RaMoshX8m=4Wwiy=Lz}1<1QJ&%IoA=^1@cZl4 z@J)s0wK%kRe+)*8A)+uzIo)U1ucY$tZa6IFmnS^^Q1$Dles#t5;k|Z|;q~e~wWb_5 z&$L8?2^djH>ytDvQDwtt*9K<5TVT5VO%h?sbWpqhz0_wb=d{bVVe2ywMp)vP8}x#) zO(VzB%r!xt_4kXmB)f0(2M7E)4iJ<(eV#IdX`MZ~bl4-Q(d#FJFOCCvm7#jZASRAw;skvq?VCu89p)rqGLWzIk}qVt8^k|t6xglHl#7vk^E+kH7OwI zMg=C`wsJf*=vxs2yqS#4A$TbKtF9s?jve9{#m0V00-iP92-pL%Jr7*jG7URA}y3?>^?~p=hZ-4Nt*I0m(kXko{EWdqjdhjXKLY(k(o1t?UU=E zs~g)N?EP)#XsdslmEqocHzEWZgMza^ z{Bi2h^fOOPp_MZ$wx`~eZ==iGLSoC}qOIeB+vZ_QQ1E=OWpfg|{tlFfe>p{_lT>~- z4jr}j26a#bs!WEGx+jbJ9C4_mGu>zOxO^{5U6{H|+?}p1Ko)3YAHbS5&9g>VXt>#= zC-a)To@h33J5;haT0(|@eIc@7LEn|JJ1{!;I5uB9W!g+-`-y67!k^fqtjm)TDOs~U zdMy~R-oJLrwjWxHAIxid>eBb|D=AoYBAH~6=3BObyLbi*thf>wM<}sr>D;D=I}+YH z*uq$73Z$j}uSJ#;cGxX}J#>Q$nxX2H;4^4vbK#d}e+ z<+4%a+t|f}y=ew-D`8tl*KZ*jCtz1nc4HtnmzN+_y6CwH$bMAb>fPSSb#ONoQQIoJo49Z zR4vC4`|yKQpn3sA4Zm^2`v;|9GIKX+mJZ@BxEE#7tN95^3hRj*=E_1nZ2t3h+5n2! zpU<@)d}$1~MONC#hHsP;ma}cgTa}0Ohw!Ri>?QvLAkvRb*Yfy;6*(1fR$?#hC(o2X zOP_Q-lZN^>7w5zBqRX__qgPpOz0HT)@9kMfwPxyna9(C^`<1!lGcJMI;rC!n9O#+ukf*2<3K8T=r>Y%gol~y6^(ot+$mS&zA_hYppC&!L|7NI8|a90=0bg zD8VFPSn;%lTtn53=+HLazx*%b?+tHGOW9#BDZNq2LQV+7ξ}@;}T9USL>r_ zL~e=N@J+%c(!j3y&<2OTeF@d^jP#S?%A^h*oK-@Y)WKR3T@1@TbS!12H5@y7lRTd^ z6QtVwcN%@P<-FChJ(zA%KObg_mwT5c|I=6k?ao*7+p^z~v4z)o+sSJ=pe zVr%l5n=+%C<*`&*5%f#pfb*I|<@ltkM{`MApaSF$>I0jgnc*QGKJDxFhamYvRp&Hy zMd?Bg{H?eq)jt+$E%%7Q{xL!R#XHF1^=s-SjRRSWDg)YBl>ACBC(*U>S$U}w3HaDp z*?%`K1ID0z4!eKxk>N zCFE|~ewrG5nD^DFw)YkyT~b@BJVa?mZf6Ct(swjk57@5{-g)Xw~JkD#1 zd5;p(cI$+Px}qUqk~y291i9dso{16Z_Uu!JdFnTHR?h$ZT^tzUhR%@ma(wjC5eSd? zvUa>A!{4Pgj2S|333bcMNSW~LV#<{_mxe?;6=B$}Bm&^YL((-5FdyY5M3G<<>&i5OQ znKl_s51fLPvu8}#SeVH+HnCvj|ETSSV+z_`2kjR*8c6eRI>N0o*$`KrO(D>9p$#SMTKSF)He*=zx2yd}Y+6{Y)&^|H08;l$MM}{Ub zDmN137+|0E(g3Z#uIgdc{a%cS9E^ zuD!{SdI2Gh_dsdeY;`RK}X=-s@m<)?Yq|@dfd`FSYEHgEk*Ep-tKV?iQZri&b-0DO$?C zz^U%;jhS z+^o6{xjv-U+E_N6`nh^k}E&L;z+-m_Y|&2MaMnnoxts=@#aruZ^%3WXADVk zZ2!sQG`!+&`BDo6UIF$ZG+Xt&_#Oob0T`-L)1>Zg@HIFpw(A?x{Yb#E{Tzm#Ti!?2 zZSa!Qh7eQ`hBZ^_5YMjUO>!zb-^i|PP!(?k?{u2a>)$2hGRD4K*C<(Z>PfaFKG=0g zh%G1DoSMMQ39-CJ7qtQJ?sp^bZUp}45rB=fVQf8(H_K_8reG3r!Xi)JJ7E+QPYF6>5MDo@_Y45Du;J%-4(Ry)SaEPj7=qRLi_gZe6u4Na-q7MbG7e27pX}+1s#%OY-`z zjIHC3%|it@1*vUK&qr~E8rCQ2x5OS>ydUaibK*>BR@`arkfgZNS3`1_7}Yfoqyjf_ znWm5uY`NaF@4(%vl;oLiyIWLs@zCDOk}JVIGHO2gyGBZO^`AkUK5CIky2d;!GwS-< zA^5d_V6Eh>@eaE&t~~SCKM5cZKMI(+L|NV0?%30%Vk@Q8n0$9I)kc4(k(E~{Mz7=0 zA*tWITs1X6(7=&<_l}(#xe0!ZJkuI-iswpbUA>1Dj_n^2gV@EJCsjT5A~|#+knqFP zEvAF-x1fR$WpPCEcks7MhXo_%R@J4F4yv4(Z}AjO=p7n&oVyZoS`wSQi#w0EdN*yh=Sv_V?(r3u>Y(T=yWcg}Y_dw!+cTTnQFp1+ z_N)>c)btqVDY2GOt|<=<^go4EQ9OV1`0TSFvIwSm%Z%{F(~CSBhZx@$9+^LR8+7L8 z{Ats}&!TTGeoH+`!svJ*U1VCGO|RCmFQ|XNG_-x>G%j$qs)B)g;Qnc8@sNY%jpSq3 z%2DBn1MkE5$O1pOMK*H@8&t*f9u1b4bea1^eQf+GRkDgtIfnauRT@F`n{-~T?xyIx zH(ac(&-v^5sC4SgzDNG`fcTGN>Wh*Y8X7@MAo~3!Ro`uHiu^q43%A=d4vR)ea-$wa ztRZ$U-W94k=zhm&1@a3FVz)k!6dEGQ^6J>M^P!$Ss^+rdR|>Tc7aK-@6Oq^%9r#6k z)M>z4GMWlL$#|mrL;A;#bDDoz54)u~>BU)})$9_S&eiXWUjF|1&4=Uj(SF)qA0t%U zc!q<@s@zV0Lmuqimp=f0dwKKjj&{(D7lTR*#DocLdB6SL+I6R=Lz#Co{%CxBo4p*p ze7)wis)_6T9a7t33FZctpLADSEAK)N_v}IMJ!L_s?k)#~h}RwXB0T$Xk6`OJnE(}+ zJB6<*ee=^=+tlgohGWO&d_K8Nd#=BoZW6lMWK`{BfBZGptOsG}7X6}pukX?5H^l%1HZc%p}@)3?Hp+z-Gn zXQY~p-M-Pz1Yvh-_%oLtDVYyC-9fij?eOKs?BYLn_HZcA#XE;0&_b;qqOZ2ydyIR- z9~U%!XNN3bQq?VkE#ATGHxefw#SY7V+nf_5HmsPeB|f}ml9yU#xB09d|Bkzo>!Dk% zp7lt#@{28=-SqsyVcv`944-d5|5!FAvEDy@v+1)qX|tI7HVF6q>d(y2^u=h_Yo`n0 zBK^-P-4OqEHqzj@=ix>jb^HAX@Yl|$w8`0XmvUKz#izZTR4m-7^~~~|>zlbrfkHl> zR|jgVuPE_FM7rha$%|gDv*~fl-haI2Sl;dI-DrxViRSN+fa+(bdF=k|e87tzUi`*I zcucBI7#{cCXNf1&=Kc{}bYY1-(m8RsM+mhQ_2cw8-n+-rLJcnUTswXKG!Oax&L5hG zp4T6~Ej0M2?A7_^L#>jEQZAD7QmK+fyAeWudWT=28&b!vh86NrAp$;WBnuiU$P=tiEl6FrTZElk~`Pv*{Iy8dP#a*`F$`g z@zaH`A08Twel+dEbt&IhSl+%Yu^jpO_3Omf_}hiAO`LOXC-zx>rQa9)h5qE2)t~9{ z%cyJL^yObZ9|;D;ci>ZJ2+T<2c5eVB0cLg%H}tcLF7&!%ZO6MFo;Xkl%~xLfJBa(?gmoN`;F zFx4@(@N*&0*N{Ge!s7dcj=<)s{S(_2wX0r{dTLMqoNSYtHkn!Q%=f(H={-|8?KyLQ zrgZY?ESaeRanJ9?f9;;7nez9j*I4cXW%+pE5sD?z;y5A&S0z>ityd zsmk`^14a8+_KS*b5xW@qTQo&^TKV1qrl_50t}6Q8fWwayi%PqbvQ^bxXndCwYVMAI zX*9_&9sKb0gVcv@oeCd5e;~AEw~VxGYgu_UsFv}%pry0LI7uzZ$Ly6!#Mf62*R2{sk`;7vL?LnrTEruTH+rhgvD-2tjG>1nhOt|78V!N@cz}~w>y6K zi_mqwT@B&p`*4^>jr*6np4(e_-tfGz)cNYVl8SX}jk1+Y&3r_F2nA6rKkrh0wfs<} z`lHmC7X~Q{XeCKETPxvvE&-YClD^ULiMkG%G3@n=1ys-1p+E+)RMC%}UhlP;zy$R>{~v*TBy` z&KHZumTX2FI*%4#oO^$vV?{32==YVW_>hL8rrnIqIPKJ(tajJyJ+gs@sOHs%+|0)*6Ha%K6^J66Z$h9Nyk6`2Z zA3KcI)}6BlZ3;7OIy2z?Rb0H;H8ZR5ll-Xy z%kz~_K`;kXefowuzUyl4Ob#jA)m87lz2?D(-%8rE7Tb2$No&5ol5{L;TEfCR;-S;` zyrI!8b$-|M^gUCWPcy#Z4C#YLqt`4j;sK@0S9%iZcEPQw8g=SEtnyXH2Z2+^R7o|*SO z;`fXButAKira4qv?mYi&8n>XhI!IZqK`dcz1lRzmRk_8^0+JCirZO(zE4yz^VYa_w zXkf@v4qHoQ?yCxNcZ}UxH6zZ|_JZq9Re-ct`F)_rF7&>BKfVh1@kz^uP{M5>08PCs z8z#3XaILuTRBfB?G~x<<%e{-j-PZn&ufNJN$CaFU^3Z^oQ`GwF_#|F1GIJ#zQ?0eM zJ?@j@ok<4Ps3v$sF;i-w06;Qo6YZkTwQT)m=U?dq&} z*T&V#R?*k_0jD1>l&=O{b++}qE9vX(>>t95AO4h^`@IgLCdxp9l9qt+pls|J$V zuI{#ys){ERPaHyTla!Q1x!c^+Fg&mGPjmQ_)**XO&j%Vvq>qn}qK}HAtGgXiNnKqX zc|sYftgHavq2PgY@x1G+;Nl_ux08SSIdAJ>?e6fv)4|n6lGE>9D_1X1twV=65BksF z-|uPb>+nBMa`E_QSnvRmoGVBr#S_T?^bI#fan5QOIQZH+nVxrWhUW}^23kq=q$+Bo z!T;yd|2*=)nwtDiQ{_|2r~kX@e_i^2H@)d$>#ptU3_sKp{XYx#Pvif-_)kL=k~8-I znv1^^y>S+vY4kP}@;|GF-j?(u|0ukW2OZAq-++&>m~sAi)ZjPSzel*vTe>@9XT}s4 z*BP#h=g;2o<({qZi*Pmd?lvCm98{T~N?a`G6YPmVl%N0dIPzJfbFJ#p)4L7}3GrRn z|6Eo!>J0BsgcSdU=R${$?Bo@dyQQ~@Tkf&%xjk=R4cF}-<$Ka|D^x0c@c z?x6(SX)l4Csh?s&0Y6O}du7dku3Rm+cWth_&u@;c<(T_*C3Da#I_m8%{zw1&|GzWv zzccWEF$2E4cKME-H97Cd|A-mNBlj4zcwlXAd+(AnMMMdn2Nt&-B&xZms_RxWy1l0?WEe)CP- z;)6#@s}F1{-t@@S$8D1tzWMNu;o%Tnbc#A^4_k^Elh(%$}jlQGBpH~s1beVqb4Z+MVXnmIJvn>`hLje9}7b4c~hk<>o~Fil`yiXL8@JY-zd;wOM+zQFUn#`OULN3A;H zb$KIz>Lt%2AHLafif9rsi~M$GUZk9%xArjdD1__J>rlILZ*{%y^% zY||6F#TNFEX7yM2EFK6ZVox4r@+ihILugKB_ClJpg|jO9D|X+{J5^mq6<~T1p5L`> z0^48B3jX~<&i{U)-v5g)L|5%2*cP$3KN35C=BIn`p#$sOx@YW8l9N@bK%(^KE^DVu zLW8pP^SToljD+}p_F>uKBg|k;F!pxGv2``1W6{fVexi@lGH>2G(Cl= z0eFG#6nW+*6w0+1ZemQyZN>gQJwRGKhu|*vZ-}p=vj(W#&WXJ0Q^HZxy?odxEy9KO6)EO> z_Ri6#BS)h+-T3jt-30w8#ZFXcS1@Y>4tv9AT|vrH}UbVEE7AD<pI`I47a_S(=}HQ)s=eSB z@q&sksT#CiGAp|D%(gTUL(u2!xhqwnxKfNuR5O#v2l#24!hgJ#1e2@o>7Hv)a>}P99<>+q>LqVU zgs-bHvtF9ag`eu%*Vs$mhnUM+dv)L1nc!9!SvpI7dU+_v#qYFPBj zP5&!j^NL8P`*bW;e9lgk&gPy@cnS}H)8?KY)P9|alv@3tAGr@+)kM!I^y6tox#b5e zaI=oDSsUZ-+cW#9NSYb^(%il_mT zGUU#5t&wGV+}0hi?nQVvotu}*bJMp4@-cmeUYjDXW9v!F@pIaVtY&SA`;Y>x#!xjn z<$b^$X7z=J(u@GyLw>+m3a(yzj<|&{um}>C@7l3^1U69Z@gIfgfl`=mv!dv76+s-V zR)(ucv!ur%rD>HmoCoajvKm5;Q64s}JolN960`+`53VJ$O}`kZbtS;oOV{k}wPt1r z%iOgWO>0GsrNM1^Fa;O^;pwOAFW9)#bEHz0M%djLklnQ3OuUHK$1yZ9$loLBTC#@g zkNzAZ>G!P<4QF&#Y|N)$05YnSKf<7W+gt4^a@dxV74l)8>(!8zFdZdhrn`Oth+Bz zzYmc2-3wS8)ZGUN13us+>ldSdo&oNm_A<)oJ{0PasLlAfp-JY?u&b2ZeFE;2+tOQ; zH~NI&J_nr_FwN529_{*eZ}Z8B{aPu<4|#q%aADdWla=aS?;Xi2XM>)qGz7>&27@8N}V z;?X$!$&XYs<~@YZCF?7=z8N9c|>J{!}Dj%#Po(qWHbFjHr&#IFW>t{mG~P)Vg&Icv$#T z;5(l_?I+gay3f7Aw=P*KQ&^_!@8_^a64B&#&@Pl?5Ne1)+TiLntRd?Y7PH7tf$#!$?8S3EU%0fjVie`-y>NQU{jFQ+-?Ko_W`K<{cDpU9nrnjGP)x zU|X;>G^7>(Dm|+U;V|sul!Zu+XI|Y?d$BgQcJMd? z-ZK5ao%U%~FRUdg53ent{*?54K1ql5f}9{^d?J z28`qsG}<;?{0%H3IGSNG?8$n!=C~MJL&&6{t=R%eBH=oaXE$EeJd zJ7o2&XogjPed?i2d%?@+)f6L_9({aAs0~&YbIif7TGsmnnla)`2_A1zB%d;{ccC4> zjPV)3E2nR7T**kycOH51*Inr0bvn0U14YH|w#{OC#nw7l)ceQ3XTW}4)|!Wwc7%f4 z9&6G{@WaL$au&Oa~`8V6vF!=P9t;&aZt9Xp?J{XcP9bG#=V(|qnh+%Wex5{ z)gLClByBl2Gq{vPRt^3X{#y`B6Jc}PE%I~Nh2lQZFF{}S_3fX|$Ao`w1r;j|2Vu9? zPZ}y)+s%^m+x&VI$yRWNv8Uj28a!}LY4UJcq_lbo1A_Y_lr&)$gd?<_1zX7XzwSuE zXaZJZ9HBjWtxYGwiHzX7yKAL`?oGz7gVpHk8{-#QN~5p7<-5bZ%*;Ji%NyH@b##KK z?pI_}GO?;s#$HX$p$bjBrOcN`3wCVj@1}9tJJHsR(k6GLhwM=-F+g{RXWW- z5a)#r$sI&nWSA~IbR*_0!EdXAJHZy_(P}Ku0o5UWum$VZiiPg#%BNSfKw~h?v@8W9 zxnI|W0r^rciCUBOJ=q`Ko;t%!8Fn)4;iIU%us?fWr7&wU1T5Ov5RQX_v%6O>F6u7g z*Y8BUSEzY9ZRdO(MsMe^T>_rz@I9B4(y(WdVZ?Q|9TA#aCI2;Sx7lfnMR~Ed*0a3{ zkCXh=!kv_lax=>>AZ;O|L7r4Pj8(=F%~X#KjAu~+Z|jL@qU|=c;kGF zk)fLKoXcjK)1`*UiHWx@J5EOHVkG(wH>I~VlK^h_=l-=;sg2eL$26nlyb9%9ZG3DJ z_r7KbnnG9WSBd`W=h5^KDDX3equaki`54CsI3!zt19`Q8_kaQ-ozdhGF?BVCg9!;N zeNYC9g)xCVSws{1OuinD`AwZtTV$7POu}E?zTk|{`)oyWUcuQv4!HKka#iuSit0Y}}QT}6gZ=>)#YMv%JOdJs; zB-9P#2hzv>xNWD!Uz8d*QWeDDRF$nsHkj#TGLCj?+d^lzGQ)Ht83PXn?$dF&ZM#K= zf9+-Ptr?{P+CY9L;qVf#uCoy9aqzd_b$lF1sHh4Is@iPEvk%w{7kNL#RHsSS8q^p+?Cyf|h)I&)Aq8#WW?;MH=uT`6L_}F?<&lT5d}Zg!+{ZLT_9uu`0#w z`iBI`Xhyb5>7h+Q2P}4Qe=$-LKl|QRI)>0cj!*F3{=qBmx(&>}G?}T|qUxU7NsyJN zR2R}(mFfvHWL%XiqO`>UQM0wh?2pfD#H~S?#SCgC@WDErP|-MZ z+gO(w-Cr&(_#CKooJ4n1Z1yC#2IE${RqywveA4>G8p`+al>lzN13j1&~K2Aj9UpPyr5uqv8;9oe~ zO1>QNPj$Kc;{1D0Fwmvh2aUMfJln-?3wXBvaT)IfDzRe>{JQo$ z;(NwtpMduwl2uLNJ9Y15g|3`uNbY-;pVWr_u;A?GBh>zM4~Z?>*)spZAZpZU{HH5s zXSCC;@t>Fbub44B05~B5pQrcoB9{J}#LhiLW+=B_fODs4+;@S7qwdWuM_u+(L_Hi2XgnH=v-kYvHtbK zL$s>yExcN7ekQJ@@Ar3VS`j^u|K*z(P-pvK!day9?uS;wOv*w356tlxx*Bt;bd;(d zs5!>s!`QG${^beQfYF+Lk^>W@fVI09VlZPYDT#szn%}OT%1|x&n>#k&OTLj4(3q3| zqJz&;O$e77z#cmlqH8!*)co{y9U*dybClOdR-!Axzcx7T;vG8)FeyITNiVVZ0-BC{ z)tx(p%BB*RGoU#L-whT+{cvRkSR}1C(UMLBvyUOO{g5400QEw%zzT**)tzUNmjR#| zLh=t3Q3*Ae|1LA*kuxCM5%vWH`S(H!l`BOo5V{);RK&c5Fmn*4;*x)J<#J9aE?{%! z!^47XsYaDv5$xrm!2Yhh&&6bv2(CyD)q!Rd&WYhQ#+8ni?oJ8jlDt5X=F&MP-1u=M zt1V7yum0PsPB-t=e!2GULSp$cyv1E-ZhG5H`tE$GkEksR^It!c9^ru;r|S<%93w0% zsX5d_pJs>={$oe6OCoh|uHm6yE7*0PHP97;DJo(wc6U9Lt7Hpv;C?UHh_J&t+D12q z4Z87SLc1=7%zXvp3zp0gff-geBbSb)V0KT!HIfPS zCj|Ygb8ZZ>$*r*M%QG^@|nXXYI3 z=ZvU2IwjQ|C^_rqWtRta@pcj(p1qMXA9@;fk5*%U(20ADjxJA#GvyhD(#Gm>qCyW{ zP-D&+k@&nAeQ@p4SS=0YV8H6{UF~{%hdDIF!7n%Sy3O?{{S6gI~Dltp!G^$_#08?#qAh<9a@C91q z9TlAa<*O)lM0NbTxA`(CIO@t4wEh$>T^4&WZ2L?xO_b-Y1bSj@KxgGJwWm-!ZmukA zvTl>*>49fe*`Bgd=d~_9asT8m`%3I5Dqte;cl5N-kwTYSmulaW07SCg8SK9Uo4K@1X2Lu zG7j+=bOsjR@SS^s?8^3@DGd^k0>pcGfIf?wF#V7J#}`omWx*4wlBXdJ5WVCkHrT7xMMc~aZ-jPAYsx|ecVZxmRUL43 zWQ`|4eF-GpoTK{VCtTPVzdfaZ|kD)BR^@EyYj zRU4GxRzyo-+K&GOQvJKF9uCrww~6i-)0lDu^~2D^WvVh2!-8WmSSD42ja{LHL8LM{#yM{fbXGP zGVztP+u+~;P+|;{fUWLVR&`iNzj(gaRK(yML&Se#G3KoJW-xA1v}-O_KgEAY>Tv>k z7Y@-#du_OC5c@`}OERJ+m?!Lz#0S~^4AZ-^S-vpBE*SF6kr8z6p8%O-eqRO}eMVc@ z;z@B2CDyOUkENBjU=IWFUeEm(O0F?@qgt7kO+#2X@+lU%O*42~q$_gB>T*UXVS1?UAy0YFejBw;>StFJB z%s59A^oZ)7gX(Tjo7ghe8e^Ea^tW1Z;bi&OEt}Hzj+_&}MAW}NCfXvC&@vq2IJtX0-O_axvRy%phE7$oFC{$z8!ubXL~MQl?OT?(#VZ9) zpb(#)n6)8ad!;^zLiiTZ=4RI7rrvEICy5c1RvLT)BkqES81>6;3TBK5pHNm-Hnz7r z5A;(&lvhVE$c~Kq%ODr*x?})zL`^o?s|Q%QwE}3Z5ypW|;*#r->lj6uX)gv{r@TXE zkZz6;;W+5fAK*arMzVxxt=Fz1ZokaABQ4<0UA*HkysberCGsT&IZv`W8F;Nn&aL$x%9|OT-yX*W)(`}EdyL&+ z1Z$Lh@wuBC1u^ssw?goqa0zoshNJ2g3oq~yr&@0lQRz#MTz?aBSNiWU7SM5<`30q& zyDRkDZ%F!H*J)7RhN1j%Gp8Su2(Yspzb@E-6xSE(_zSqsU^N!)ufc0F015_X_+~HyaowupkVwR&t0#gxCrtV0ML=!j^wI&qV3XMZFU`G9= z7Pmt&4G@q3ySyDqbO7cyDxq)DT?s5;5e{=FaX4L0Ih!0Jp|>76g4}It=$ru-ZeYKe zSu*Cn?f{ZQdiEK}--oA>Qz%!f2|Wq@!@xp7_Y`E3FluoMwAnscI*at{QJ>>Yg_C%G zLo)(91E79-XuibS-UkRBtHEROxCgIh47Tm#4|!~#(TYBHz&VCpa+(h@H=(SS>z!H&Sn$^j&xU5rZN+M${Zig-h~7y268-* zcT`eVz_%na(7bYl*|};A0M8-Q)db2Y?4gKQ$in@~f+lm;i*>)Kgn`^O$KP0X|J7>1 zzQM~Mx|>|KNbGT95`3ViB^`m5tkIOT??t25=4%w6i()o|X*7z@U0`CVEv5=1FL0~Z zw;@~n!eU4k>W9TU?KW%5W2gdtT-fmLiJ&(1IC;fSp7XuCW zjwO!&)YlvxLNe?=6Bs?J`DI^|zXtx^Y+=i8{FbyV^Vc51jJGs?oiIxsWRm|w1&jfx zx-mdda|0(2%&kWMCHen-KQey|h82euOD9+L|I(saWE)ZtU#6e64Uz8JOSPyPy7z_pp0PlYsK;eS0I{_Daj!9yYbYZ4AwO2LT@Rq99L<^$R?mwpfuWQq~AUUeZ7IK&(QX# z@$r`H)_W4b!D^=NJt|P6#cB`zb@ZJ_!H@&~tD}!25c3jz56o+J&XV(~eE^)jL7iGd zplFzIQazLkfH(BJ5(6ltja;&wot%SpF1-5P9=Vx;M_}&Zg3JW9q@cn;KMWK9ssg6e zvkEFXG}8f}*TV2Y7|7AMGhq7(%Q0V^l02Hprw)3j6n_UF(Y<=e3_)89RdCTFyy;a( zCfPV#$bXDN=PTc}T&N8z4@^Gkg{#(RES_AhoS6{kDvm;}Yt4)Ul17hkk|M>XamWFY z@~bxwOs_s)KK47ic_9lWi{`s(AFoasPca%tYEfCZP=8y?TWAlXO7|j_FJShvk)Ys| z?RfA{7-=>|wZ1^cs~v&fF3UjoV4g7pl57L9{w=1U4AVyie&di08!1c(D>jSzmM`4c zgv6l}5Nd89@}D979T-Pm6v5h^dTj7LnfO3w@^3uEYG1EF4D$ykWdga*_M=e6*qoo@MRSpwad@C$I-&OTgM9s#9MZ;o|RKdlv9qiAH{a|mb@%o*-@EZA2W zZaR;f$(Va|l>6Zu5q06Z4+e`90`6nDhQhOPcH?P?IdoA{AKJtlH8S;WrC)}i3SJVI zqg_NGNEc`&7mgEX&u7+kyo-0*#?HqI!p<%jby>_>qtZH0aSWp*G2y_hx4ezEK1N{K zj%ku+UPRB1Awcja?Ac-1jvRP~>HGC3s&$!28;9b*Z7uJ?_y_?UhiCry(p34HaV6~e zMHdMCrDo$R9=xO?U?`ItxKE)G${}|bk;&DW9G$Xey{KM;{aYjrSS4#0MtMgz&q?<@ zzy+xSkdE1+&tkFLxB-5I`smT(S7tpK2#=i`9tRH*;Klf;k`8A(00T#%QFMhOR5ye_ zXe@qujO{_tDf_V>?+*p>iMH9!3i|j?sxg5kkwMHM?>C4kCn&k@Bif#=g77FVf9cA2 zHU9k)>I=#w>$dT`$EDo%ZY{^Q+s+s~`E01pn{>(c0jghCyT7ta>1e>k=W(lZ{y(Z(@?0F&@F zu0{VerEn{F#8_86OSdd)Vbbc1*-h!<}q{WP`^XS~s zepn1!AsF{=5SOC0o(7=ZcPWVDB7dFTVwFCU`%9Ixx&BQ~fWtHKWT4gWyUF*p2IclA zl<-Pul})5V6bK}BoM7dX-H!A{`~=0DX4eZau8Q*H zmy6?-ZM6KC@`lRi;z=*`HJuyZZSReCv-ca;tCA=T$y3Ct%2f;8kdn0y8rU8ug*}b) z9VhIwzO{FqN!c$d_;#m+gyJ_-Oq1O}0PUs9YyAe}*6fcFciHl~j0j9Oi6#mhCoHzc z3PQKgEMrq>()$uRAI7g3S2pEOboSgj@&%PJv&63tNQ379fx@@Td*W>|E9LTU)l0=Bcvx|wg>6)z6=VxCN0nFg*Crn15+N1L zgq+1qG?adParcvJcchW)ppIraz7Y>8gR95ZG*_jjJIKH*#8|OuckySt9lLy;yY-WN zV`v5xKdFE>^)+a{aKr1So!MW?A7I~Hl0?cmt3a};hP-_@UzbFdkA`N9l1AmQ?_V?L zVqLLoID=b2?`5p*b7QoeXDX{CMP1IWEO6$JF&ff2r6bTMLxvGlyRc(A32z%)zn_6+!Xv3UamW~_49 zT$TR%0NhE=ybsnQ!jG5+-q+1h0jqAQD0-T*ljcy?251tbf=1z|G5$GTHu@vJGxqqg zGQCQVWJUwlo2{8v=iZ7wxy(Na^stYG&>VrOmFp2W(=^gzdB|i$W6{6Z0CGK!ea5lx%hQ z%KHLEY_9*LEefG(vJc)5Tqcg{poR5Y1%knG7UHpi_z)9tIv7*BS6xeF_i{u#)Lf&RAJ3rB*PSButS`S0gN|NC2jgEXc{fLsxWhRcNmJEpL);M9=; zI+R@eDr+20IU!*uUp@3Tg?=VJV6r2W1+5dKW}_k!zq-+8V}Z%_Vmh&#_FRob&Uci4 zX`jRGVeP^w;eA@+I_b0qgnA8_ueY4B)PtC$69Ioa?8;Y-LRScz4y{~;gg5WZ!@yx91V1M`vHE6T+blI- zrYe|^91E#qz?(k2H#8feY|4=@-)kQ~qa=)wN1&11luTLhbdf+`8wca`2cZ}K##DrX z)K#`AS*f`uiW4tp2ka>2B&l<#OEMf7ce=|-6Mz#Wj@;UeuY@oMiO_=KfL9M@WNYYB z8@(=#CQ71|QxWy(^Of|ndPpjKaVHye|HukhRP%UT#EjPHzBZj4LHR?N%3da+kR|2A zBF z)y71k*JAJ%nC)9%u7`#VSBeZFFHT?LF>svxkOEuz+B_nArzwUVQ=wn!ew7r9S%u?| zsAg*U^6~B^jd7KGoU9>hnIR_oZ&LhUni^J4ngm4Xj?+#1SCfPxgg5Ag5q}8AlIhkP zY{zW0clSwH+i8t4v%tepLABQ`qE&r3j|~nm_?+cn2xiufu@D?TuuZJ%YR!Sh# z8Op5pb9Q3)=)g*YOr^RfdqJ7lv<~B9Q9R?>v(cze6*C!uN5?cj__oX;Gf@J*yX=|g zQ&e@OY{-@iXW zqxP}l3#vv63C)NoeyN{gT^8tj4~Cmqv|;Tds>?Xl3_>&NlPG?ntoHFA%ZOuyycfhu z>H^UOg1J!g1(@Y5n5>tAp+pk<)KERl{waoGHb{Qz6kW#K0}XK^xxP8NYB@A^FvzUL z*!&F*V={3a{Mz@kmCzJ8 zTpnV%a3+QLd%wUH4FI*DBIwC1oh7)9r;&-nm@cSQ2{c{z3H4uZtVza=HIQM0h2pQSGVU)NbV5`zw{_e^)g<@&A(@nZP4B z)^wD5*~sBfT5J9#f!xuUa|`W?x$fdXJoQgdU{S1br8@;(hd~3%aKc7 zoU0GQG78E~(d7mHbi2=pz;Tr#S|&LMh<8QQ0saf&&%M%jE#vF)kO2dZfqocs?WX$2 z_#l51SQm1uHCWU+@G`6bXCE?M+k;^vLb0sHY=lragd+T-A-=yqCR$t1U*GH`y;-sP zavbAn4NqcgURN5KFoA|m(ccUKi`h>~aPIhb>5bXt5Rsgya9(Pe2B5I`-9Ns3j-qc} zhHF*Bffl=Nw+c^&uVQyT$E;S=Lyt8b%lM)2-=u@%QXxf)1j-Zo5<#`jeLI|bmqM3X z>x^ccRAYa7}Xec5g~ahy;bSZlpqPaWTA{FH99onEB$ zTZ%Skrx86~ZeL)@%5`Knp1Qd+A7+ud7s#392GFQ(bt=Lc_PH_4;>L$S31!*VxQpXc0)a)Rls6h z*kw*eiBde%W=N$d&*$&Lz}bZuI2nPjhH%-*lvPn3J00w%DraMUH(+rUZUBQmrJ{cu zY-H$!6G`Dj=YG4(iZei-c0wK|3X@TwP>`yA8;FNI#O)d~h>N_a7~8QP!oxfRv@M}v ztRD}jVSS6j{RV?!v4XBw7*{Ui2Z-lZaI~7v<-|jyM=o4pz1O3c-`qUys}z3`C%Lai zb$a-{1TDny-a!f9>z=mlI=$hJ(q+=?Z@U^Z*!FzDh0*uOJUv5)~B7Mp~)S zsk#eQBOO_#_B9o<%VJbzWCRCEOCLtjy48v$6 zStdJ$DQjBDk|krtmYvB`c7vI*Gt6LS%=Z0wp7%Yz@B91f`@F~TJMK9gHRcb;J@HjY8L)o3+hV6|}jfrD-a1j}A${*l%f`X6BAoL^_HYm>N zmp?4INZJH^jauE0?iaetjscAbvf5&%UBQj9rMlCi3rXK~m%93j`Rzq+*gg;mxjuDs z<#~cBm>%;P8Zb}p?`<&+NrFp1la!yT^5!i)*w8K+p`v!ihN}bM+Oq_NxI~#T1y6F~ z4%G&mU0x3;w*O&u7InLzzIcxOvjsjInKP1nKSMJhf63FSfShuOlnhh*X~Z6d8eTFY ze>@XKyI|0iccn6yv2M!P=}E1UXE9syVvJl{{JmOFrc;%kYrg-=O?6@ehOWtj#5fSx zGe$cv##fx*>>^6V%saG^3b2}rlRD&a)L-q_V$6uDe~DlS9r?9uH1sGSBx>cW`)$PI z4QyT%zGqES;JeB)0LUyCkhJ%=JcYLGs~g|J6b%pCKumuxh>!TP<%W#HhR53wMmqKH zA=*V=w{1%&NSr?n2<3ptKzf3dnn44B zzQ&*p{L?}1Xek_TayQ96!>Bc{&^IUK66X&H6f6ZAR7HEarY{}Ct^leIfLAWDpuW{A z44(5J?!pBnyN*Lh$hq*TV&MOjaDgp{_G!IPBcmJ$!hWOY#?fU0OL#Gw!-KJwDyAk; z9Pe6XL69q#im%(U!500*a)_|ScmTD#lGrl5l;FiQB2erY0K~+G%F36+>#4~6m&(*> zL#Z*Y^i2r5=ky2czo;`WyZNEBwF48m&8%~*Z3+;Ta>v5~JA9!aV9 zj};Iu8kId%aj|adcm0WNJj9{MVB0+ap%bdZ*Jb=QAyn5JV4zksUj0 z_AYNN=ZY;Q5x$G4?(awlwg5R0d~p}?WXB6ebN%HZcO5U_eGMP;`i?tQ<~l1G<(5{K zQJiQME8orfQJ2Z|4L*2(OLZj;B~?0k&_z-`FmCF-`S88iFpdB z-T?6L0$C~nx*R2}py=3|XZ_+@VTUmtDFhfP42UK{7O924rvP9^I!@CRU8giw~wIh9{hA32ZAjN>@eCsT!z!yrWGEey!EVc{KLiZK%LTe$bWr46ghk zL&Q@`JpuHVs#k!}FH9wJ)v??!CrVIvoh}#!ClJyxjJq0f&;(cZ(lKxblDB3lhAMd3 zyMCNxOE*oH>!3?pvwH#6nNK;r%!MuC-UbiI1^`LlQLuCii6E#$pH<-5r3d{bsC5v_ z?;98Vy^|B5$IiJEqyy1FJq3YjZ1{pU7QGfwWGoU0<1UdvYKw&R1;pC}$;=c;X8y~} zJNq_*^uNulh2d;&OZvMxd%;0ZjmpRgnlVLtFaK@P#Z;R8J&A@)a5V3<8dYaATMzonduU5OXhLHP*%@n+|lv&R|#5lH0di3n(dWJurVwE-}%4rA6 zT1pR7ohui~w_~>sXP^^3W^qs@?LU9`5z+LEQ#8=ZNUJ}T)vgxLp9IB%ASk;#4_>ir zjcpxgk9haNKKYd(MV%7%jBz*MDY)2&qZ-Fj`)HHt z)aPyO9**)>Q~JeK%NG>`Tr)*!*O&5WwsSUkXe;guH+T-~(#Z~g|t z3efMLS&VrG`mZDE58UUu4F&k5_EegU>4v}h?ZWvf%xZfV+vDdm`+xV5(^olD8_IA4 z^yn~q-%yb5T3-qn=EeWQ0%t@{fY%I`5BW}16FH>HPFFETX}U5t&^?KUDx34?>mJAI zSLQ~}gK_PWA$=CePVYW%X?b@?*pnn?v~fCJD$?KQbA;Kb-<_B(BCI3Q`5+hJG37yf z8RRR?FGKjlbK^=x@>lEGH)p}}2fWps^q;%v>NaJAkd5CuFJBtqHZQ(9El;UB)mMm; zDyJtR-W7k$6X5s*7t@r{1z0M~sO6qmr?~!}NBLN4JeF#pIvcA*YhI)$Kq3irX)>U+ zoP*8roJ{cj@;~?#C!C-T+~G8RhzA$k2zvaA=Pvjz_y&Ov2u`l`PYH_73}8>@o^@Sf z_;TZU4$IB_f**CGXKl)sz5gQWTLgcrZY9uroj8ElQrvhyx=`~vplP@;g}JW!mwz4h zm~YP%!e=q2p4DehI2c;X4HPW?6$BOwSKbAj0%7f!zRVIK5sS-2@Fe z;$+k~tcqRN=a-Sn9NDD+AMC6j>z%Q3W3Nc?QE>)!{K69J&KD)BP(JPt=93)k=mP%n zI>*ZLi2VAS^-NPgn;TC7NI}zcZNUP>pSIBxJ9f#3yvyv?)93NH=1^?7j~oW7?lwJdeyh?%=|so;jf?YJ5d1U^(I8Kd0+qSK>GEx z(+N;GoJZt-=JGe34DglQ4Xb7+>GSc0zs3nP9ds=M%TpN1J_$v=Pv!-i2U;A&>5X5e z6Pd8G<>b|=7Hrd_(Z+`CUQZhK$Pn{l73FPg$5v0OHL+rdA?d=AK`+L``u$Li2Mc=G z*aPSjr-Cnn5{Wk%>oXz|wMZ5b*IYvM3S9;mf+@HmF59&Qe7PKxvgE0{Y4yShC#P=i zAtCJd6xHkQU&=cqn{GxKo4=FnzN$cdJ19w2Cgyxkg{xDQa%lD#+16uyfbi0n(;NAy z6@0x4UxL!j)f!i%u>fS7A1=j=SU#b_R>d$9oHXUvPZT868_r9Yp#FehI)&Cifs)RT zIcw-aD(71UH?8NF(2Uq+9jIPUDv{+)?dkizSnnjQtBhTaC)!moc+W4hNR@&S^qsAK zlV*@C!BQStA%*WENUDC1zT;g{SS%2cXoU4k72T$#sCMwvVj?>uVKr);$n7p0M1|7> zfT}eNpR=I@)_7pd2!hSO#{J%y)*v>x^RH1H?5exV%uLX{$hQ-C1sB3&zLbLKvA-P| z3tP+15^iy;oi~`F0h&{il-*D$O$UC9>j12df}3l=wOQq!mG$WXs0`Y%b>{rE|3z+- z{y2^Xu^V8C%paOFY0PUh9#O@#DGiKNe~@Q8Q+VL@vz!UY>TACR$P>;y1j^||FJYhX zvpRsRZ=2<*6cm?tg-t=GO#yqX=0w;fz=hnk++j(y7mEdvz8*e6Idvr_nG)$6651*9 z{_>LTR-*mrT6}n~q+2@Aq^G6ryqJ#KZt7Rmfd^O=M|(SO?CG1r`AV>7fpkdUnfoML zKHet{6D%DM4HwcFsYXHVi-Tr6yh9i=1iBiD??GBaVma)>kl!951J-cE)y5`lz{Gcq zA-_0J9zDODCy!j2?rL&e>sJE@ueczrPc)>kL?H5p^kyYf2%a_3m4z|-amiigXS|l@ zQj`F6%WC~N;wE9gKMo<=)=ajygA7!tZ<&w)583YC#>>{XoVX_w;%#~nhAMv2~eex2&g9pVoyfS>32L@ly?2R3rF~w1)SwkAYJeQY$_VQS~`hHr3SQ-pD!HdYCusEm80c z!g||>TR-WvQskO}UFt_bWc=A+!@z+y zN57Q@G6r1Dr9xnVbZsN@bW5Hia%I+rus)q{W5gad4Ox~%Pq+$}Ve3x`Ycc*PLC`28 z!$~UZku(j_l;ukd-$8c-AvH!kY2ex>9=N&c{HO>0N-PuOhHZN8J^4hP^##jzx53-( z0918TPwfX2Va5KiR6eDT#z1QsDfQWbL{9nEhBL=X%_X!ophrm%7=JJP>5o04_rArT1#@OjNCQ( z)r=GM$-#+Z8TRIq9NB!R*cYKrFWCBW!tW!UT6NKALA!(73p9k|2{ldBs=i>dEXHDaECBO2{?W@`X$u^>+|VV7?ka?>Unfk6 z#5fAp`vfK6bvyK&0iIJOm<5T7(`1NEO=M*pJ7%x;7$3w8!KqTJ4?(^Sm>@|!)kX$? zA9U2S7|TpF>4{luVaCM!J{31=e3({3>2U>EkGoM{xt8B$;`e6~=tq@6gRPR-oK*?# zK{#%I05ui6Qw3Cu9vYBrNcf~|t&*|A_= z(FjaU1o6L|Bwt~u7Qcl85nOiiTY2fknsem-;*bQA1m2LKgci71ImL2yuYNJbQ(oNc z19{a1T&=a*Il8sZ-DX!vYml{W1$Y?66M(cdK!b&)f@np!U4vNLns#O|O zsMfijYNXS%imh)@1z0T%qR!W&*^HF5bLT8~OTM*cN}kK6bjH%vut_Lt?`lG@`%qvL zxj0RLFMbl^iA*8_#w9$ek<<#PF|bmjSM^n`H9 zO9mjFawROE@lu}?ped$&!S?Xb*P&Mb<4eo^Sm^oFOntZ!qT}5QeZ!N$CfMUi0;l>Puw#f(07iE#w>Jf@O1sh(&Yx=W zM_FY6x5W<-L~3GA_WR$JW0b%cN}vIJf>$kE<*|(W_Gq>~eE->(;}?ualM;#-(w#G(FcT&W#Z^+&mSilXW$E-)1ig7?y^0rS51tLqE}-= z;4xFj(JbJWltUTIaIPJVTMItD{y3So{V*^j;~&P4VW({sFPOibR^MS9S9^h$4VJ&= z4fLemF=N6BFPh{O7Y}qWF(%8Dx>R5{z?ABvgHu5!6zL|8X{okKurdwYK@JeSGO!@V zxZ(wrksLr2V{8s?eDOsUgKBz@gX4K?BY+j|s8-4j1gqcw+KAJm+f09n$j7ytb?CXz zcD(7el^>`^t-Nd!@z#dbRNXt!xW=H=S0xgtt`FGFM0z4Mr@9O0q59;?(uv$Tl^id5 z|NZcUdzG8W0f(h>s8q<(IUoszY-UdFMfh zGuRgLjS=}0`@N<M?N}Eq`OwG z0Or-^3~I?}-sn=8F84K>Lt<}5&!E{(gsJ3^iGA2m$UhGYdnzsnL)nygQv$hMphg26 zG+h7So*gh&Emqz-=pJ;~_*sP#MeYy{jKnk>m}E1mmDX)@X(-~WQ?LA*6RJ#q;W=sP}2+6Cjjrw8$mHbCnjS)b=}XiNh@9 zmT4zA7pn{|81KUFGI_VF6${BuKP4~F?~668oIZs?II+vMr%e^4 zDM2>wybZ)lG;i^;U{M#%0CV%vtR50qM8GvPh2X~aJdXZM3YM2kH*EIcIP{>P!8&dkS8B!Eip@)3N z@C@iERx<%!jZgxl8S&qJmi;y{gb=10da4gyZxBK;MXx-;u3rUF$m4W~1_?`SzC*3MMyx*%c6N z=AdR5W%N@yr=FU9d%wQdoh~H2VxJpaAn7(6+~sS4Y+O@joU6Qi6hqHvQfn^RX2gzA zj~eGLsl^9Q6))rgr43ZK&9oERcw}+XygKECM)1-2NBdTvkd_JsG6b3{zl+G<0p?Ac zVjNLj`Iw~tB|O|vTxw>i1r!GUwl*cuMT`UhW<;~p(C!wCTgl^v-99!E24{bvFt0?; zj>=>@7%lDr!lqjZHu;qsmImt*!##1k{<5=h#+1Ut_V7UYS(G?sv*iT^p^K2#==qjQD=s}^1FlEE z^6s%?b`aIE%atd};dsfJd-@y1@h@BYc>G#Ro~I+2yA=CqGtD=INMK(kvEv1OBtbVk zB#vMr{l6s6d)pkBU)#v?A^{Y|?{s3*1aw^t67LTM%V3zVD%2WAlw0i|mW*;tv)?dt z0gJV@y!j|PvlA!~iE+drOZ!bLK+d?^qUuU( zr^{V9MO*$ZA?GnRq%)ELw%(M@wi-%vHR{AX-u|vEbyGZ^E<%T9KvznF)v%{#-?%u< zT|1S~3QT}1Ahy$3bbWuTNw+FrtI2i{XyMHqvl#3$=*XVbC9rJ>3nC%EnK)W74L!l0 zO1<;H;K_I50rN#oF{3NFx-brq;XxryoKYqotv9(IvD}`Ft}vj~j~p7TfHd%wntM6$ zQAj2+EzjXC4c6lNj+s0y(j}(YRK}pR8N=w!TCn0O{SNw9Yq8*FZ>qs|MhexNV|#Bn z$ovW`W0#>s*u1ntD_+=X%h7FMjDiC?ElFbI<0S1Sr z@KmkV0|gNYnz1`#lbec;^b|a>qAK}z4!K^#Mx7)PiXo`A=gH7)(V71=-?zj0VzdXj~x+Tb#0ki+!qYoQ?Dc#iEwT^=m}6;Kh{}rOTwtL&1m|XGaR!m zrpKh7fv#$&3ng%)&VpIjb~R>qo|%9(npW?THWMu6t-H6G%(3&|tLjrqQ0MYthR9URgaE=%P1)_+C? zq+t;P!vxosd)k0V_ z0fod-Lj0f|1W7I_EP{OC!V{x!{Bv+kz-|oYGZy!{uoi$FX&r?fqAqr$1n%;PMS!g4 z$&!2$X({dA84y(SLwhTvSvj-N6uZEl^CA#On*I+9Hcp$Q9cz$}@(c&fgZ-dQ0*rpEBIqc|N7`D} z9tNFIz(S)oFH0_kunPszPV15|`nVJKI+m}~6Z1a+B*$ICP(BM`S{O3>8^()=@%=++ zDTV0G7z1PID0pH67@dorA2ql#ng@hDpAWC9%!Xl^Bb=*%6Z|Z2C9G(g3-Lr~!Z;8S zW)+(0~&_Sn?(f5`x!#RFEl04%{A?Bn-fSwXP1XhbFqmI04y zGPq#BeFFamZSepI0!cXIhU&w}>MV*70Gk1)7?gp2DDUp*)@YS^tzj06uRQU9-4lbk33U0n37g%sa{L1@-B7$aN(!Sx0`nFwP$3P?UaS?_4EbL>p-jPgDGPfRP!^INPstIx1c*2P26F` zs-v^+1n+(na?pCcdNbd2G?*a9r{CKpK^tD#MO{A|3!ARveSVG(RLBzchoc)(*H zbzMdRvamoassW5z-)4*q`7jF2A+@VveWg1L^tn0E!7&>=)$++oZ-CL1E^5XGMFO}l zelmfTY23a4f5U+C(z?$^Sz)?HOf-K4%s!6DfazvnFio6G7U=-^HO|bax;TnH^b%)7 zkyFvAJ3H!qN0fE~DTpXuVCXrXc}wl2S3_K0%MPZ?ux;_o!pX{`ef!xf)}756w{%y3 zwPR4Ndlo2()Lp_6j^1GYrmtl)%O9wcz zEY?1BCT|1eR?X};Q&b;!F{{bp0*k?po+}wZn+^a=eG>su0!o09;1YgCEo7;h76gX= zMV8F(VJUkf+q(MrNrn3BvxVy&rdZwpHh5)Hw|aRxu@FUdd|ZL!2+IeXrbtXz;7XoV zfmOr&CQ+1z(r(vrCI8oc#xY=3tt;QhTG{XiNp4sNBuzj|&u9mXn;!817| z8c>=COpA{Z=m3z&i*aP67U~D`=0+c`v~KhSrj;;2PicBd8KRLf)iv%L zwhC>WEfsvY(dV1?4)x0|*yqLX!_Q~B#^3qjnqdCMc)ge%I!0RZ6uG<>SR-OghX0p+ ztwhRM{o_q_{rf6P&|{uWz@%>mEHbhKXoSx{xUk%J$6OPbu^8!dgfFl6n6F3SuFjVb z?ju7VWKH;w7xLMU(NBCrw*@jyW~HYfLR}${J0kba)5$bdfj)Fz%Wn7aKK| zMNXyd@X2e|Vuq)j%m>dj2MHn~y_e3lX`;+JhQRW4$7>A!0Te?{B>=GekCS~gTKx;M zW)gtIfv9aG_bXMY5q+;^Jep)L1bOs!_};eIsjquQm|$~Qs#ys%{p`@Uq;W;>f&I=x z((+EC$ctmuhGwbwH;6Z0)Xz6dHFKf9;HDdRT$E6Y2uU67MbeA`53P36)3u>7W+6#L zJ^LCCmAqw?w75n7;duZm>QQ0zcA`bEc&sP_ds$`aC0KK2du z4-5fkR^4)?r)w?ir}9Z9g`8kgew_Mo_c6QX8u%6$l_GU;xtg;*NBte{@3$mhQewV=jbzL(VqY+ zLr}z^+lDX?WMJTA4!;|rk3KGkX?l31rzcCEIkY6-mvKi(fYS!@*Ay}5a?^_}D;$FZ?}hi5Czwy=87 zmWrg1>r6x5)$P!qw7L~iC!#-!s=SiAGIef*OLx_e`3!j7pR{XDvO#6>m2oy=+@)oO zcsk%k4*D5jR7eQby}I#8iWvNw2Y!8;$ej^zI|+|<)rAGC(|bQ{+OOiGdE0kk%Lh+- ztk@`dw(@!m*~3m1+KbKXI?C4W&aB|B%8oXemsuLi2QDp7LCC>v<@};7n&2teK53W; zq|b1%r#85W1Ez$@KJMG)WLhra&uOs%gU=P(&oNOo0sS2a?Mm+IHRo;!RoKGn%IUe{|SK}dh8kN=~|iL#USOd zGDO4&qE`yJNVfa2?&Ogr&&j)hfd+f$hw=J!DR*=%n}J#7BHDD{0z)qJYwO8vr(TAKOIoCB&A5*G%)m1OsqbPwImqN|nJrwx+BO0w ziW61KtaPZ6IdWcc>5bA72Th_GuE(P%FyLk4n&-~vnIH6vuH_wzf#{{(u{YJv3UsMZ z@c#r8I>HtatCHNy|M)W!f_u2)DQH0lu1NB$2&kybX24+T`e!vBj*Pci==#aPi z_37xHDcdFXoV^qK$J5$r&xlZcrPbu-n^v2ilagI#Q_4U|a)4)cb*U2t2m-@w*hk8c z)S#A_%A-x}<~f{noBkl_RBMSvfFiqv5D4|=#6dW({qf9dUQh6*y)SF(U)6X^quGmu zb%&ZJseb_jn+a-k z1+~k`OQT3tvEKkm3VkEIluX03A_)N%sp9MM94U(ljaT@3f%>@w(7*}^0)LOzZ2%QVw_sOsIyS>#Vz?DCM z{n>mEy?lrp{{k==(5?!7WFcy6Z+>QZNFw&5#lBxvH7VN|D0Z3%hM?A8W?@+oVAwiE z6;|1g{f{gROyl?6mgJqo`I#|N=9$`R?I*ojF%h$F{WVDSp-FOWmFGYbQ_TNsVw2?3 zsL^%+o}(T>E$Z6tUjY*Cnp4pdf!nszP|JGrc1U^ywj522Mr z)=y$sX)MqeV}i0CoGw$BC-;n-@9DL835ZeDsaZuLu>QrFjGr++H$mSUT#Wlu*Q0<*2Ba9<%;^$K0g; z+YwjCk3+$G@_I%$`!%|u+orYb>Z&bH9ENe3b6|n&f(?41Pp+C7?4a(t!$fgOP~tDQ z>BfGus-$mslcFf1&q7m9AjDqz=SgASXN*c~24(nfKY^%`?UY3u?n_y1ICHfj;9{r# z5ow8=r-}s3>+p^_rr*vw4fS8&4SGg?|GqwQ(s0C3d-apQ%kG4iO;y#*#VGwRw=z@L zmE+9X_br0!bKdFd<ASQ z9lnzGORy5Ni|I5w{k*6?`s8iyPI6(#kt_SA#ZwS<+<2)A@m?7x1SYe>bC_@ZZe_Qd z=-FMP(UP}$a(_q>sbuC?Lf@B`1g8*bH8z{OvQNS7zn3$|Lm|*0N%rt{rBEakX%0O7xWzL}_+C&$ z#Q?PEXsPy{iw_}c4#V@TASBh0&S`6%6Yd`-aVADz`UKv#`Hb(tf^Ox9(R$%Y(+t5!a4^{zT}t zX$!r*qfTO88?SR z#rIXtADL0cee6=n%1lr^t}~(cSUSn`wz*%z%A@N4zuuijj|N=ws#u<^xcF+@?rpp0 z-yZzvM8KDN^j)#3#P0^lZg1Hhvr}`w^JY;Z;(o=Z!*x1=_l|G#Qc!e|rZ5n4f*A)4 zh*BEi69&pAi!WbAJ+plSUIDK=O@xe9?_DIE;J;W-4)aYrUB}%wN&3cLaut^J_xSXU zziW>8jW0$7=Pa{58ox*vJM*8_8Qaus{0;xP625F-F*LV4xv|H*j=_ebg;0<<;BH)_v;(< zJYTg}METTrtu@alwTnd{p|4br*XrEU5sfJMmFyjmr0uAJMds6^cNo)eH$M_JYtw3s z519BO+S88EA4H3%sAM>QNL1{kyi>0lc&j-k$#F6wYdRg;+vHfFH`3or?%>~x@IhAp&EO9Qc&lwZ#RC{f*82Q zPDnpSV!cDrPhNt5-f^`x@`>`@F}H)zv3!lXqi)XSJ!hU9uD$UNLmzc%eWYi$X~#aX z(>pKzJlyTmen>)Pm*i{xxafTnoo4@fM|I8 zfrq^Ztkra;Kgil5Y}uU>Z%Ijfy-n!i(AKKhBWhnw-@suqX9d$oKL}oOAW^W}+}~B9 zCDHG!|8+`)=L)~^Md!RVKy{38jkxSm7@A6 zTRngwRhb@ghzTm5c*i=o>6s2LW#nc?x1^B~IjEqC-9Wiw4G;oVauksZp9 z&bFCouI%2LVmhQeX=~I|YI*25sN|#;M-_&p+QyWbMfKch!S!l-I{Snr5VfKh-+rW` za;>Rb4-7e_qST0w8ZAd=BhQw}mvCA$-mw?6h0^HJlUG+;1l!iu)fv z8&~(#JN8oY5Z#O_ZfEy`_nWi_ZGw+w_}ZdRS18x^dtZa<;C%3id-HgMD+D zqD86gyaTnOa=2#33TSdIimv-&ru%HE zPV4%p79D=;+R@W#=K0${*%WFx{CK>atK?|g@07#LdsP|Mx2UynU(SBZMIy&=q~{DKROasm7+*e7ySx{^L3B zQ$bOayb`%FIvxb$?m5iuq*w-?tNv&@W{M`D2#RzSf9}SE+NAe*k1>jV$QT;S<7MNC z>ufs8NQKmDE#U(dRv|r1x|fl7lA{L0uz!l($iL${uUTp$e&J`4rQg#C?F%P5p~qsJ zOLa~ubta7WFb=UKh0Jmg($AKQBX5`HI(JLK!c?#;l(YQCwq)WDadoVsPh&lFfK4~U z9wQ}tx|mJ1sX{)(7)QcQU1U3)LzyloYM!fX0Ydn_g8|ExdDLd5A0K|p%Il#HZ;iG} z6W=8v+l)DS#)}m1(3RQ78GfC6;>*jBoz24Z=ltKo_vhA0-^P_FI1vqt#cPV+J=``S z>bJ|Ec;D9I2tihIH7`HCR&dkue(#rvqWa_Ik9--2ArSbDf?F@SI!CdNn@78+QBoSO z+Wy4dTfGt&_8k=4nm9XiqT+ssXlnV&CEH@UY0JR3Eu&{EDZ8%TI{7QxY@ho;v3`MW za%qa`3A22g)9ERDzfX$Rqgknm zJ}VgX{RKHEh>W_j>gAL7P+$q#Kq!zOPYc}jlV7k+Rjs_w<=m*_iYQ+N-R6BD5^nPj z{K4Mlb;QPHDK!bD?fHEzfZu0vXx z+`M(vXUt%CQ=sg%q=CblozF3j5_Ck$z%g<7`$M}^T&b+Hq3%gVbW!V>XpQyI_jJ^| zqhwPg<>#AHJc>NiR{mq1ZfQZ4F^t|39RuA-@u2epwTYBl4iQQaa#OLo@rhf>$3B$o z)KFYAi_QY<^q~<5zGFd$L^Kp3#qr z$NWxokH>u6(k2c+*m%_7y3uk{xSNHyPxm`}k*_=z(v;TYC|NmC~!fKWM2?a<3ycE5<-G zRWI8waQDNZWE{@ER9{g5oTcPfM0$-|n!!TPP9yK_q0f-gy6=`O_M4Dsz7X$M#J^RonjX;jKxv^oaH? z38#1e;y8T2|Jw)oaCIerz~LB6r+3FaM`FW)E7!0HQOOn@U8qZp%;KF{p;=B3nbvu^D zoiKHf#HMh*=OT|@Iz_;J(OAt+djB`L(3GXV=xDhqA*;_)YXA==OP;~o?mRiECql5cxGmeJp z;1}W&ZySNNkCPx%@~~Lxr(Gvz+7w22Op3o^Qsc{?CYmJ@QEINIEW?yW2c7A*rr@Zs zir$Lv9dxOKFoIWuq|CRy%0drtCqp0g3(JR@>g=?zy%Cmb)Tw&Ps6pDh`)%eI2McX4 z9o+ksBc{^%H6rE;(Lb%J98|Q4$oO6QW%*?l68%W>pVSbUuU_}Qw?Mo1(b{weB)T_Y z?0$*u-X8E*vfID=+NWz~_kVv&YYu5we*V~m2XEE0=NIdF|&^l~hcc8f7SX^|t#ZtG_m9u!6VMFDgU56b^`wtI$ zWedK0^tCt!(PZXS&ii@o{-ty=BqZZYhy8Ks-=ABh^U^g&;IkS#z>nWtqc>{ykvxaZ zycl$sHY!`Su{A+cx<&e?hQ9If@Z2eQE9W-dp%^uiGPVudd{oQry;9T9h+7}r4dO(W6`~ko1xj)a6b=C<05&yjwvYt-6 zYbZuRCfH(^pH_yl!r6=I)om9XSHwuFHdYd~KJz|JEg!<=K5_qiu~obN`9|XEz<`xl zr&Mba1SsAwC+m&|7(XhivJ(Ay#A&YO^-bS9ia#YIM3<&Fdv6yzIM&r4y7zLiH26eE z#lR_PxvSh46(HTdD>ws(dH+`njunvvT~ zwUU51C3W2AhTt08#5JJ%V2Z`0Es|`zzdCU!_t!Sheesv~mu+Y5&dXdlWS5mn{BhGb z!Zj`6*>X|jUGriT8GdVW;6mA>1XsPVeEQSZ)Dn3W5=9D}q`b#l@AKB4ZMm0|#x0B( z{oBbN3!BZUGLWq0p2p!^%dScBttI}y1TMD z_ENfz-9Tv3P+T;ZegCF!j{VEmRv%0ZrOFbzHhX(eRc(HMc9o4*GM~-MoZZgG>EQ3g zCBE)e(Kft~(THgj&tX^(84Eh>XfwaPr!YwnC&z=jUg`w?`saf)i`?Ub#S*{vq}p|O zHFw0u3;K;UX#SP+TWPK@f8;(n_AQ!oOIAEp%gB2BDmDfhHCIzLZb;uVk@y>P^F)7Z zCo$nR!T#BG8x1%AVf$|`w+4A1e>^de?Gx{NDX0h$!kOSk{Z{qADNB!zw<=xMI+?Lm zuB~F3cu&>FzAD<$*Usy+6f+7#KkZaZ{5x8{PW0=4kFPPbp zs^jxo{buRK8-=$zp4xq?|LmEyefL;bS^DDJhN%(#CI$n8)sQWW7CwaSEI=uoN>j?ewK$iQf_W7Ezj^4M~cjGcX z?TEKXsPNj;7wl~l(UOpz3n@{M9uwjlcX=a7yf?MEuRNmohpn`lH}{Kd&$dhPkXnkJ zgH&8t4YXwWP^TLTIH9d9dP}`qgzC2p37hji=@y%R{v=Kz63a}qFs-*wf7eVZQ;7Z( z_wQK%T7H|Q_qs}M>C(GwWa7OG@%D^Ri8_0oe%zD(Mvj57B{zw^ zY#b7`%~Q*}>1Wr0i){1j*~oJ1?6Z>GZfET`$DDe^4G14Gbh1%&WYzHHp2OxjRvtfI z)fu&7RP}7zsa|gz-9|ze=A7CNSoWK;m$#`#RstWBTIf_G{M5J`+T=98vM^*b+gAwr zY*U!jBp+n)=+UFSlJ1hxK3{CBRIJ~g^i;QT3eHLU!&q@cX$*&Jmx$cG?Dtmv=2Oj` z&*9Gxx@22Ek$dw#T}S$Hn@%b;zpBOV>6@su#bswjVD#UUww@UAh}A&v*Zow=%JZrSwjRd{KTWeY-eKBm4U| zE4AkeuD$^zx|VS~)x z`FSdPjNGcEjdHTv@SIk#V97LC0CQcGMY4a}ycm6hIC3~tcoVqbloCnY3tIxf5V6Ar z5!qJp4@6z2Ee^g<5kJm;-2h1kB~Lkqj(+vJHmxWkJ`sY9UIoz&StqZ zW8JmmjDg~2`{NrK(A_t~0>T>XkmQ9aCA&GeE#Q!8!OAbay(2ORdA3e)4}Pk ztQ{(2Tdzs3{Lpb}-EUj@NZDvVqfAZo_h*~%Cn(d7l#?Dw>d#ceJ%t#Les6MA5Y0eN zO528FY<})6$%Ah(5R=Y#HnupH;hwC^e22Na)(2KQTUv1ShK}>?z^&E0+zVWPWnOrS z>DSH^oj%R{apRM&SAOr}e(`{m^SyNSVf%;|+={P0U3ziOg+SFor=bYb}Io~roV|LiT>^#qNzpv|cT{kNY zWY+6o`Y*q?m_E+^2ibMZWGN$u;p`(9Qo7bSx_Gz|7vWMcC!kZ^qt3H&>3l7csJEjv z%>I8~Hxn{Lj@{;Ti(-?VyEh5ZFGZpi*Zh7rZs7>GJ}9(*9?S69PBsX(554E}uEeLf z=i0=EmT1yBth7ekSmPGAopu67sDbOj9-H4;9Uhk4x|m=CvHUxYZxt3TMz+KcB8AFJ z0FRWpn*@h*HLPo~l)e(po2}S84ptUPl=nJT$>O>tqZsoeu{v)ZxBvRr*_QyI% z?KghISe?k8c@m4GjV&U;A(KU?g>j*skfM)6XK=QGiQ7wqkryZ~ceuoIKFnS-{XNaZ ztY;vfg8#E~g5^}P#`gU=#2`ac8l|fkOWUDx%Q?11yfK|qqPjbt-SDg_k46e~lR~=2 z*lGk1vctrRpuBcuXB!5*AOFDUw@~Db*Zm0B1rHgwy#Da+O~;HTJK!VbDL5*r@2b{u zRHhx*DU~a!j|BV#ut|cTJo0R=mwKpNW0vj_D$BQ_nh}qAtE^)+^!oelJ0oot;`hgz zzf~FW5!PP+;=h$^qyNBM@Mzleq((8C(h)R(ixsMp$TCFb)^0gu%C~jj;_6ad?>K2f z3xZ>aZmoyHygjIm(~RhSKv_&Wy9$J+-TRoy+U`jU^q7!x`a8isu_wMdELL|5fX~hG zxDGTqUsRJYh`Z0!&%b`ys*(QL*l=iGA|8ws!k|N9dn$sP@(h zjE{o!o9WPbq4j*I^n>&8lUTFU+nj5I`yhJ;@mnGJ0!4!DWU}0qLg9AL@kgqywoWr+gL^D@w>Dci9OK|ZG|YUJ6#vOq2_?6>F|T^tZfnJ?m#D|$f=aj~`CU)xygEj&?@ff2_$VMF zBdIk?(J7h_cjiU56m$|Ff303!UPlr!fvy;6|HsIOHeLz@x(%cogO;IUzeahL=wA3I zfGDJ#)123>NG6&z-5h4{aDbu(6W4Vc~oibr4(B?In>EUZY|s>B>RK z5Tc3x4aK?_?!GRybCAR6QKbFShdZV^JvrUfJ@vYLfl7vG&Wi7>uQapHm|`rv)i~5L z*~9DgHigVMtSz?HrR1TDmIxzZb14{BUAo76gBbT6otH@RSY6~OKeDoBh-U%6N-706 z2_ev7bcde!qPE}XH-EG-(YE+e`%_Ugkm)FdV*K@oZKDqI45-F?Dd}G1*Qmts;RX?T z+ID-ER3ug#`M<>Ccj$+wQHq;H`sW;T&He>mP$2r8V{CuSi+oqS&0!;TuB>T8dBmd0sy~J#0Vf$EX{nGQqy6LpbAV zw};(?7L)%Q+t3P`Z?n?wf#F;<{89_zC(lG}EoqsEM+0 zt}TMr&%W;R-Fr+4JlECsmMouDU*iaLI8;UIW*sw{Y|i1Te&~DrU+ZCvkkIJhBGbKb zrqi~k1#ctXhdwPcDakwX>4}!vbK=cff!lJodhi(x`e^d35y+h|$!APEFKCJ7xPRY- zwTrx&G^U{Gyf^Srv~T#j|8KYG!{|F0Ps^atCQeO|XaxJet2ve;6&91$xAbh`(`hAiLdd ze#WS{{e{KLPPn^5uOfwV&E3g4^g9XbF#1+s6}}t3G$ThTW?KVE!113>#69U!iV-_V zD`dZ4)bvGw*S3akot;Dnz7deSH%|xicE(6KctDJ{Z61qV%LHsC2;jvqDvbW3(zf|$ z3S5(iAcB?r?;V5DVRWboe)4rKl_Gp%z{Fy*$D8Rp^XQ%Yco|ruZj3#rj9JD3(EI6JWW^m2HZ2#3il1XQ z->qDK4@|Fa=IFE?|#IqG~_-&Th(PdJZi$^G*|5fGrNd7$${`j zyVJtR$0y@_u>$UEcdMUX{s0u=30+}04&u@cHx+cUpCP%)*IU$x#$_@8?-z3o27tm< zHKB@3mZXM;!pD}F+Jqzi%C}g>jeNbqWkt0X{%1cY7_(qgLFbP7&&}7r0&rNDQXt>J zrn&-PBIij?-IsaN`q!3?%9R2zt!?W9LFg+b9(keu?{%qJq#0vLXFP$0tn*J-_ad31 z@9b08mBe!Ux9;xM!_5hI&I^9s@uaQe>MnEjN5|M|bV4E!3oMujCi0kiiAqV*4B9j< z?_b>sSTM*iAhgP|jDbp((y27L;g%vtV3a=$Amv`T5w;t~lBO>0>hZmfk2C{ROu*r~ zt=?%$KGGD2tfcA@%bOXo%r@z-!k32{1_ZQEA`wHWCnkFsr(NPdF=(ZScVXDJZ5INf zwZ_<@wccJ1`Xw>Cr6wv(5o)1CR1Kfva#?*vMIDnRe1@zjIyrPYhfTP3EbIV{CZZBu znSP}io0t{mcj4F`UrX>jE>`u5j0z64%d}gQLftLWJwCO~a+`b1_6`zMBX-Blnav++ z^*hN^ITOi>T~crL?6G_*Orb?rfqF%Xy&2k_9ttz&qI=<&BM}cCmjBW)D^8MMq>LbP zXNP~7d%X1z9Gb1Uss1{`6&Sh=yf=oJi^tcUcvKul-&2)wDljS zR2l&xuv(rm(hS(g^y7!6U0;Xxzhl15oDs&a7gp*Hc!gG%i+hJ}F6K%cCql^VY`P7? zMbj%LOJ)(7uNs4~QWzc_1($ThatK1Dl*$uUzGEqjTu188LdzZ#!=wokXFN-s0-PES z-uY+a6iB`HaqjR;pdPk(V=Wgec;2Yq$$nz?lMPcd{HLECw`Q1=*x*{qVHYpzbQA~J z{s%_=;e?S~3p#WC!i9|^Q^ZS{0Z`L9s=!h>a@Z9cg-+2R0+y$WjNjS}GcY2Nj_ zi(rf*D?f_;iMJZ%9$uItPF)_gb^%Qs#*HEX*Jc~W-_3LNb@3suijJi|bJLgFyVWJ%^)G8|BerDi@xG60Q&ZA! zFfW4kt>^A|>Od|CFV>k^{4thXG~~_8|EUw9hlUlwZb2s6I1Cec#JS;9YxiFIt=>eY zIldv*0#CyxY!@eyZ{4KzJl*V+#I`>Gfs=?vnoO&p0Z#idmLIF=!|dzepYC^7e?`v9 z@{*%TPgE9*ijV2(p6-*V>LfvV*0wU$Q!ZhhpdDTpM7q#BwvWaIcFH`o`0rU~9!3y4 z4o0g85KTPS8)btd3xapv{T6%dS?+D?ox#*F=QPu=#l8&aIsBYHJGscGMK_EB+&FYo z8*egTE`;N`4dg;q$D5px!Y;n$#94;@n#Zw()!jb){ zph}uZHo|a@k?}srRN;z)#QNkqJ-4vI$5Q=|AIktVW-b}3eU3AQ=*H55KVrXH*PeS~ zd2^Rc$bn4E2zztscE^)_QY%v)KktZIOI{ZehHPR~tf|~3CFkJkCs+H=B@fTA6$Ccp z-@Gg8T3_l`3mN%tmPc1ku7sMcGD4qaj2J_^08Dg`++80IQ~#J7mH8OHahPZc)-5yB zgWA6y%n5D%0<}^uz%;P4*>;O-NKZ!`rYRtngq>_=G^tbz1CvZBf4#$$a78IwlVeiy zjpj%K2q?WBG20m>*IUT+kIIg6TtEC^BC3{AT%F=(e8P6HR_KF+w~Qb%D+SWknr~!1 zqp|Lbr@fXN+woT|;peu)>E07;)k128r>r|1IS~$*w@f8$`5Xj9PuoMq^3N76_&~a& z4u@LW0{D?)dse;8N-x8|4x{|c7okY*0GX>Zfl+&z>_ql zi@D$jqYjIcgMOb2`pg!`u&jU`3O@S@lr{y<)kz?CoUHlI(17#;@yPAhVCp{x6#J`x zvZ#ZOKa*HTZnLWzEqfo^q)W4^4RCw}-u||MC4Pjs#x(NxF8qubE<|ef7)FoOLU9EI zZsrKU2C3I0b~A4g~ED%>=GZ*A{p(!@)8@%fo+g8@GudTIRqyk>nt zoN_@-DomZ)@42{YT#ete+ud`eJ+Ldvu1TT!@uG8`y!J(mbQxgc^Je;4tRzGo0a6NW zdFkJn_&u@Y?S>w6rl=mIlxu+6t598WK}7_A@Eq0S#)47~_7&(}T1B1ygT*8l#2m47 zahY*&cV7J9FmD;oBo$hDWY@2Jw|jxCOA5`q+j>8>HDcL&+%IeBajuDde{-_D3f8YV z)hUrXG3bS>hMcnh`e!f2u7Yfvy7z~EXC01Td70>CWP}(!=N<|{zQC)JjuG4ZvLE>O zY_WsR_h^j|yb(g&@z9p|;In-;M`izIDg08&5PVF12x&WQ*8^jD-(_Dbvovn3&hFOu zT^%G;)*$Nd=Gqg8iCMqUhpS%=MIRBOX zs!ERBZt$Qq`I+3#Wcbh?d2Qb4E-s&wz=$D#6q)q+ACBV``-p$_XAQ4P-?njX28a#Y z8JSBt0RJPM8i!b`COz8#byFU6FI0{XH2j|08d8K8*2TuK(3Pf*AB;;ti3Ue*sJO@8 zjVJ0gi}+GRMN29oYvXu5JuKq-16hIU@ z-)EgOdB=xpo=k{5sL+ui^O$Oes->A!zU>hQRH@#HL}9o}Y1AxpIfHb9lT`I5*^iy- zxmOhuk4RNtr>|#}&y7)zwE7=2vf>ynmjvPwZ=f6R;}$U{Fk=n~F6E&PgftP)sRafL zl-m2Ic82aBtCMWaQ={VPD{2e!-eI;^RJW=+q8$m{2FP!X(Ne8~!nXwQgYGu#u0VmW zB=30%fqtQTDyMITJvtJ2Bd)E(DR^JyAm@cQ)h{wiJ;h-Lb0rsnUxmv(U>1cqR9b7h zO+^`;iz+2`7K5^8L7efY?^Z@*;M0#&>>i=+hjLaZc^Bn4DnrEr@qVZb-9t z;HyM^vVN%@Nx~$&Z_5ud1KC zWWk8LdUfJN4`%-&=mHE-rDlqXb$M-C88mOgqnCtV#o5^&v12)$nJqD&9p z&0YdHfVM<;&6`aJ9#xas22FjI*=&cu^b;ZX5+PetdAV+9_c|}65tLufyXv3A1~ijO za=}ElBulO-)Azl*ix^FBM+nYy{k=IqqNchL=v6rK!>QcdHJw*<6hG;)j z7Hg&ZXIA;`HwTAW(*KJD{$Eh%j>wblr`86*2Xf%tv2)b&@}u`qzxZb%SHMm#CE7n? zYHynwY-; zrrT$&cv4Q|LAr+vRuPiYyfyV@HPE$lpLSFSKQJH&3nvGAYDa5aQed4Z-WqgxH^ptbJ;&MyIHKFW`tG2G!@QN zl|df&WPNS`4M+qSvqL5htn((xm~;6+$ilO2KtMFv{?9j+n|;FqR-Xy1x2qVuiPG)J z;@x-nAxX9bLSf|55ZtXZY}VCb;?q>?MQ%H?@l?%>=pj~`Z4!`_`W@Lws)N_rNc^nL zD@`W3E)ukAl-S>WLq3j3uZ{`@Oaz*gH~s1xfJzv?p)+r&G+Azrsdro;He0fnjP@~wND=4maXo@K8 z(RnG2a6}E7O5Z420kI8P!y_k}qrEgkOWL0rs%vJ}D%0NChk^L|eKVM5gk*KQ4(^Io z>U11cLmM^zjB!Sj2~V7G>1#5e_H9CL%P6&^L570^jX^()#}h?Qxl(7O$x4Y}LNisb zNx6of)G(Qa3p+sHR&x?iqm^6&wQD_Q$DpQw#$VAHwkW8vkpaJ%HA)D8VJLwxPjlMj! zrFfC(WXaY!SkF+vBMSePM2j3-s&67adCfrJ=MN(jz7LD;5ncl^$w$0w*y5t`a5hbB zQN6tq1JDNEY&2KBFnFW9W>;&PfqFU7?3y7F=-sMYMNUAi1vXKxVaQs@{~8)jup)uW z;r3m&Nj>>J$ys~ww~wAFBkC#B{&F4cA)Jzi= zL!;)}|FH8P8sd?VH~e|kYuLz-bFz=sWD7U1(E<_Y#slohpTrpH8i~iRUx^f&FOMb% zvR{{QB38xSRPV0PJ3=lJnj9}3FN-OeItK5tf4;?3^qpDXUkz$5h!vkqaKG7}h)uki zc%sSbPxH0oUHDc4Ie56&5Owt+tg_7ps$zt5h?7fC+|FJ)6h7XjdTuCm#EjR4(gxN~ z-0ReRu4P!}hjfq=5O4LXrjDY2L%QV`4u(iv%YCJjtNfV2%r2et@%?AklgDy4lj3jV zudZk5{Jr+*cmMWosJ8PrAFj%BLG~z!^RI+m7O|wiG(W?6FY0kf;{!vH;p?dG-JWvY z#&TnSH6^}&+^Gh~owlO4WPZ|5=+wULY9j9-Rg56x<aHU$u?oSpH%n8N1UTJhOVH4n5r`5YvT!SKR*Ga~bSYw|)ohMCXn-0#)|FLm+* z_UP^O|3ODfP$U?f26s&TRkex(0)%zRR-!vZN*0SjB0EM#o18hubcrew$JubJx7GaT z>N!Jy>dzQfQ;%U9EXul4NF*|0{&DPt zbt2dBr~CZ7adHpQDorWd4wcw=&_$zZb;YelfIY+792S^B! z*~iAwTkn)nf4hdQht}iE&`51;1&Vc-@(}S3TnT{~)3~|CSO=*1dySA!dl<21VB&DE zBkAX))oV)B!A++>PNck`%SLZ8aezgGQdufe#W3}M}w(-NV5jNvU`u zKY6s*N#d|}E>|}7`IJ#~*UoOJ+;=K|_r^xR_5C)Re!{52x$R8WP(oW^m2UOaC J z4qMAnvIPQ0w;z>eSY*9U2CB(^8e!XPv!$5G+58X3Gr8vIRS5t)JQFPxZ>En zs8nYBq6@XFZkt=O=J1`svp{$Skj{Xe8c$}s zF+AO>O5IX3c|OX96t+v=kG|_b%i0k$){0$ux>s@^XQ-MIJnXMqZM%l?>P7wg_{t0` zVszamOv;7qaq!rO-fdF3fQgG(7ZgZLi2vv^j=fJhW)NZo+bxDPD*PmcR?Ow{hIKQ0 zWA%m;kkGchn3(UB*vXlDIMoxqSr0WO?6swZKi@fiK0ZLf?KKu9;Ct4Nr`-^8$vHv_z>ta9ifuTg1Wm-O?-q$7={@+oo}B7^V=T01+L)m8ze~5x|7l8uxMPHyoGdn zr*BzHaYXob2w+AZe-wEz+;4q+(8i=Y-&go@w#n>)*0t5V$a(G$cODRZspdm4xJT3D z!`%=YuoKW}6;{nXA4s`1^{Ga?NEOka>Gq%GmOtha9^13>$IE!Bv1&$7d_=d>P&P*7 z{)^ECJ3jpO!~*SjcTYKm>+dl_!cH<212B<7k6-Y25#b8>^O(z#1KLkwz#K4Qk;8Ig zn6w;w#nUf*-=d|pN*8SUpj+E16=D(po66cBD?(G$$M#pKlmo%`<{mW!;Y~s ze~Egn=s|$D0VcGv#sNzDKWO2sy8DlobK}E-u`ZCaCa**N+EXc0o4y~(e9l|Smy~V@ zw+^HtPzy34X6k+{{fT!+#Ntu&GU)o~oZB@OsYLJy!ff9)ms$CHZ?Js+=&nS^IY8r? zgm%QU+HZ4(8|ZH4*37|$8#61WP1kcS!KdIo%Su>EKDR{_ddLK}6ba*!d0L{jNp&ny z6rA;wtY6MOzOJmoz`%#~(DBo$#}0VVz@OtCj3%|0_%Ux9Eg#CXXlOm%Zrc31sh$u5 z7YPlki2WY$&{hZs>EHj!J<=3l0M1!egx~(1`Y5R(=5F2<9|?F=Z?tC&rwlLDO30-K}^3Ss_g5igHdd|0+2UNsg?dF8b}sa$_o z4xindp}S1a^bK-vaz`2-z5BX&#Sh;{`8IHRkanGi0Jj4$VIS70>`ZhV zVZYuVX90x%hSu{V2qxlmDWOVL%&M?Let+g2D(=m(hvBVP10saO!u~Am@@T5;`+2Z$ zrFbv{p%clz5x2P%`t~`(I=%(y2-cQDd+dpBh{*FL7sU5EvBYA-9x}7asGg{H4NK=I zRL%qpIWh`JfpDhm4K!J9zEDiPLxi3-slX%W+kg%Zh+GAgFVcOa1Qgh}t-u@?BNJGL z5M&ZF%JF)IX4jNI3sg2u8Z9FPvLDgq$kH=n$9K zLYaGJrig@nJN(bGRL;Mist6D&a&;%N_+PU5x-P#)UPHZp@Ai`2yF8h#S^NHG`>#%h z>h?jhmyEZ*7u&p^4zlgGr%~oG;>SC<0(XR^^NFH3bri}Wp}{X&Lei#M;%e>4s%(vx z)gZ31q#?<1!n|{pqV(qhp;V+^H}wRX_V=e zqzDCUloLR&_obqB2uRxX(MoKSLd1y5c?KOHb3 zb$)G&YI5SSH8ec9>1b)uf%_nQmkJ73pXfnra>PE zR+3HF8GUfZGeAz+3rs<@C)0v=@Z_jAZvDald6w*fnAM0WS4v=R<*`J>g#mv@o!*k33%n|tJG`!-C@H8}dXCZ%QA=9T$iY1Ed z&+GpX|0oQXfpK(8=1HL3{@BFShKRgm=Fa(Utk+cXu|&Ri1c<4BB--a1D!Qd^9m-;C zL1aPhxn$f?rZOM&Ch=7ULM5V8izp}!jSv^xfCzr0BuLF6{&yxrqi_~Tll^Zo9drbT zrRuCmT`dz-!9PMy43$P(yp_p=duZpnQ+tzId_mr%+}~-n@|8} zh>FUu#fRralzgX^%SOlq`y8e)m4ia#4CQ_(1u8vS28Z^3A z*LVDG6gZg=X_&gTN6|}1U&@o&=v~zFqW%O{vID|$jGr_GoU@LnlxcD&-uD5_rGId` zd`iMFgXBmSp(iqTz4P;P%e}Ka^<1fd-PI89MH>@?IgaC)YMuV$sKku2j&G7Or&aOS zW~8>_?R;{&ZK5KD24&Sb3kbM&bhs(iy012da52I{4*6r+e$|Ws4&3d3gFw(M4)G!v zlV$m-`W??LEBie_>8qEBV7}ACSep$VBG5F_tX6sh!hhp))SlS=&ZEWoX`BCYnf8r^iRQg1k)AF)|g|8b^ zipmVx-zla%TVqVRKiAg%OBhK(kf~NuR~^R}kHKf8O(&qdC1?{cl^1JrfO(d`B`kSw zFl3eMDSlh#o?-zCpWgBSsX}jsHpwKk}a}swkPo*-?O_Cbd zZRWD?E=}|O-l6^3FK*9m7~P+&P3mutuE!fQ)wrpADhB3WF!Z$PwA@NKaPbWz$CC3k z`TF)??V3lS_6#4-Z3VsF?-faLlI^uX^n5YF6sw{KjNKxwEFy}LI#70I@+l~Xo%o*& z)U*ap`!{|(Hb$)f@-OnPTAU9d#R0;Dt|xxoUC6`z;h!$1`5_MM*|cSZ{T9>hu2rtd zJ`l77+SE&!{G5b!q}%^=pr$3oNlNnAbn=wXsM$XLLNpZzDE{TeqHBcGrFZ|Avg-Kax)aNXc4V8pD9c}YDjZ>5NaQ6V{V=7#gH}2(Y8aOkXCXjaH?Y_@Lf#_~gld@U? zw^`khv2<~RS-pM9t;U*P74p&tIMPM`0$RWE=nOBxWc ziNS=t1txG|`vqKY{)gB2GO{&%aAfS~&hp=L?zQN8G#)4YwzOosc6N6V@18FJk@UV+ zi2a4hi;)t1zt>xJySn$le5DAOI?#tdJ`kH6&Q=v@4!Tv6)INEA;;f6RVnG-i{vqgQK2y z&EKroN;2B4LLW&*jNgS`zaLpoKbee_kS+N0L7Q&Q?>ZdAEK|R=B5o-}h*3FTEk!dk zxI^6Qucs-6@9lnx&Bouo0KJX;Qu&bheqxm_(LUPP#$QDkt0vUTA+ydYrOK2MBAD^t zSj9$IbGqXi8U)Ce3N0g3Sse)#%p@X9B#GtO<;50-j6|U=v2N8-L&B8B>23&RH`}2^ z_Z{AGzCz|#1HI0rk>?}EqP<2^BXJQ8Ls0zZijaElwS#|gGGerSFJBv@u|c8jG-{`; z?K;cKh#6)*m4Auh7wzxRX}oRqmMt~v5q?*P@Zv8iwi&ijN^Fu-4`D)5g?6G(&)<&# zc?HCJ6LZ=*>aUD4@@7)qyV|$^M487R(u?o4-GWkMkM|yQtFrDpbg0U3QgaSmux6ck z9HzqS-rqh=;S6CZ#rJo}<7N}Ycq?;$gOMAQ+L{h51FbceAEF79%%%>1g!-_9A8CatPC4{IhA_W?aZ zGu*Isf&DKZJ%>sG0HFyKO;|5HhUVubKWcwOrcdG0TH#ki;jJuK*OJ0nq0MTDFZ}}H zY;<`%JI9@u3?*Sl3(h{LtI%58k>-T^cf2-(uhIn^pyMt_E&kuQBm?_0C0W?xV@ubj#nti^7;p3*4PVRu59E~@!XPR62iJZ7u) zdy8Mrvo-5ieAJhCZ^DOU-9up0n6uB7ao?dXQ*0V(HQDV;p(hwM)&ntr`&ub{++*(6 zLkYKbbHRQK;U=ynDAP{Pwo!g^8Clto`@UhGqC72 zb<54)7dAa|l>f51joJq=&>64zM}MS3nRyMD#QF*zA<%qS&)^~v-O^I59(s0TYhc3Z zG&|8vdORTO20V($S{qJgudvM&a^T=@zxW|>zWidokv7mT9(**ZH008>%J`GMMtJM^ z6CrS=b>Ct~!m4)0l^#)3x?_2-N3Hp-@NBrmd*LCy#r0k(Pau;J-dxicBu~EOsZZZr zS2OtwyvK6U_2u#GWIbB;OVjtC;$t7q{$l)0x;oq4Cd--q;pTj|5X`f4;yX--C+y13 zvxb6Wwy&caJ`L$;A`_QA=Ujd?aoVTfbig2icPC7C*{eDoLm98ks;S9s0^pMat(VGo z-Z!%JUxZgYGHpI1l*F+;Hjv=>7#eZ=_=ouiR~m`lRblu?Yb_h#w%{D5IlZ7Ik5Km# zo_F7Hvd4|(B>#(d?{X3L7Y} z#n4F8`NSzn%*&CgO=PrJJgI4of^jYIT0W{y8J&Kb{t~YkHyb!o;Jz}D8^~e~5;S=O z8|k`-{+ynVt>^B#&A8b2@^0^JL`XkeNc$dN3d1o&dkdAWN!EwfD3pw)nur3o{;+zz zNZ)LJ92dFN-SE2ooW$R~w2T5zNt56Jb^hqHA76LXfDhutJS7~^B^?S_%of3qEJ+3VO&3|%gy>%a8kSBSNmt@&S9^1wKB|US zxycer(DbuUkvPo`&0Wvx7Jq<}r{!~u#fdyxeZq0)a06~W!++m-e!PO&TWmdY}sJ;vzP0=(nuHHPS;eq!Lgxu zDoWjCe(|IC+vOH7M0C13eLw1^5wQMtj{-2IZ;n_AN41jY^vcGuAa9s2s7Q(jyA_<^ zh#3kzhFu?wL!YVr%dHJL>aP#=oh&Q9&X@iyk42MM`B>dblZ$ow2_6vFbK_fb0ZOBd6b#}0u{9_!38Ew=2s3G&s{h1Yl=Gg4zY%b!z38>>(y zHHg`8K57Jlc7$A>ZO=JQVK4nP+oLSLRIi`4a!P%`!))^plkip3uQb-VLXAilnJ||) z`JpmJFEr}=Rw|MYj~GnHkrDjguoANb*|$r`P7>}pK zwN|2Bf)D7DlVa>l%KKwKDpd!$l1SXVrvZE~oBXDjV(_MKe4bJL89Ulg66h2s==Tu- zF-}+yzgmW&pHedyC*Jw8;@%?3454fB|JAJRSht-YJr&)yyz=qU_|sbs0xBqU{k%z~ zQnY-r?M7zG(X}DpKxGM^5VQ!oKy#v#tZ9rh8GF1b$2@C+;&`jiA^rLz`v8|`Zq#aQ zg|aKj1}4SfU*;ZAIO%*|88$XH%GV?@sa-i>+Nk~Eo+oZWlW^}&xaekLbV!E2O zfYSgY>Z(UR$LUXQ{AfooH61>BKCA{|STXLT6;yR?gSoCSmfHT@K{UM>PYs2CL89S% z)fzOtV!hg$;JEl1=^ct;20Gq!7wdmJ?Emg%&E!!*zyO8l;jap7$pPtG?47J%^}K8U zUVVnqVgIYNZY3w#%EXaK#`<3Yyso`)ncwVDXxkSpKs|iDP3LpieBE{kL$4<8jA@F9 zj$eAU@VMS0 z7uUw6HN|?K#BSf5fyXi$JRT*(2;j>%5xh^%`}F3}M;iG>{@mIkFl@X<*PjX{F{Ed88t(&0_tsR<1Dhick{Iu zEl%d)|LzA_f+2TfFof0o!Vn&(zanO)${)y`sdBn9gq>JY&F&418pL!?sDb92FX67= zH;*2fLU7x^#mIB~kJ`OoZw1#$-Tz>z6^ARX!yWi6WWWLV8C@1q`0yNs#=F^}?L5N% z2obUMjgL5J?DBx$OLuUOQ{p)e(3A;n*yNzu&wC_&lQA4QVsVa$u5IqMf3cX@bTng`O4+4QgKfGmdKyvg`*3$M@0)Q7g{IQ%C({eEa4u`%pt zm=PX{P|$tVq%*agi3Gdz0oQZ4Hn)o^5kw0 zC8Fz^)MJM1I)@rSiEez6CF&^+w{;{$9Agq8MFB{C^N|vX3PN=D(E#1=6*DTF$%!7w zEgb~A|7$+dY$#`sI9ed3>mCtT*ksQ1_kCR^xAslWS8Gs0qD%hpX1SVs>s8apQxJw; za4gc{2K#a@v1GW9KV=8r};8OlkiegZ%h0#(O|pj&zhnF zbgMhiM-|CN;SLybD5A`od=eXiSLi+mE9%oK;mPZE@l?tir&hW#C{v^nUC&?Q0Q9Py zO0ui5ppH&lcqF$nWF5clkr-8R+R(zf+C6eB&3FLYQ--cxFI=yFD!3c`SUv7<2gTZO z0`l2@30IGI)Fe9+WaI~)tkPWPD%tcczjq`b(ndqJnq}Hue}=V9F`H~Q3CA-{3LkOq zXx~?%S3}rxM(lPxcascnrV^(*nbI)M?I!dur~fwZciYBoGy9u?a`*D|>yGWbRHJ-h zuky;^WzV7u!#O#`?9Ye(?jSxN0!a+3e;nqrV!b3*4T_v9`8oIlU6&#fK2|^3?zJBM zuUi#s{t)kdhow77CwAf&tJPtwt~~~J=$6Te199CtE>qOgczP1rOb11a_{{pj7d>~- zR?Z!ey~Xh6)0PWn@;@F@fA6QN-7_TIg;II6a@9N52V1UM4{dIKTWXoViv#@W&_GwS zo5VBjkyUfWg;ns_F>#aNfK4+~64`hz3ci)`d@hLio9r~(6Bq5FMpy4LWlS5ehavdI z5UW5W&~O!V>9=0FA(0upT(xL8x$v>dXK(`2^$8+$kv2zVW@!&^dAW+1?FovpHnDZK zRkEH?q75*SLOH*Sx_)5X&7J}vWCvU(X081j(Y;L8H1VwHrp{E`8yVED)b5D|Au!_5 zi#_x#YOdyqwAuRXO8e*@ml*xtCZ&^<&%V2!N<Ylz*#4B8w%%k4ku z#BJAu=PP11@of(ec^Q~j1Nv&=**+@~WK!6F>8Lqy33hWc1o@YR5VY42=|{Y!F3ltk zXFdP!hr3~3C7S)>cM}pg+`y^gF`3pUzISTo!0ui+CLxe+n1_6w_oV4@BDC%Alhdyj z*tEMALAZp#EQsR=9AE}fcCltIL%~LT437O+reHi%D@`%&ZQ7XVV<#@Hhncq*@ygA; zL5m!A%T76ap&6=m*q6EemVoXodNf0js@bnrGj$vq2=UGsKwdS9;~WTGFKb^Lr-Y6# zyd0*EIpm>QMWW+9%y*|vnw54b{s;TJznPDxfe$TDagvr#^mm<-=*~w(fcJNb1p6`4 zJLEu~WgXi^hv6g#c%iWRoUFgk$-4m>|ESM@?gK(;6MW}SfKI!QU)z25S5ZJ0r=lOp zZ^`De!lN=nhYjn_p8KLL8b0TLbBJC|>6WYczhM~*Q4grY)2O5QfC)DCAF5xD|2~u` zC(A^)?RNcscz%ffL2&q(0D5RS+I&$&v6F@laSwwd0vXaBM>~;cN@Gk&YY(Y81#830 z0}2n~{>5UTVz!9yk9Kt4P^>a}3!S@?*Cdf73AOiW$26uTQ>cf1!T{ z-J+me=S(BhUJb+W4JY21LOj4o2jaXM5c*05Ox#fT@1Kf(Z5Fd1(Jm4@p*D80 z1`ZKR?zTqfB+r;gPbx&9>6gpQnx9Q&f&Ob|29(D$#P{?Dhqz^X zmKn1LGPzm`o43serBWoxU%m2!fB79^j@>`!-%ia;b@oEdUqEq$Wbe=oy2cF&it{fA zf&dqjOf*fa>?)Y;tzL)2wyCDYR%)Y|If9NaylpC;=wtC#aW%f>6oDcM_ znc~I?yYl;{^&G2!wv}{sNd&?a8Tz=lsrjfA;)mXXk8Z+qv&Y zUDxBfPS3B1?=BHD7=IoV;I!}9Jh=P>ek!TH^W6dkId_;mz6HPWI#tm>u0!lthb098 z?l(Q_!2y^;_5I$hSK5n|ZyIDbKIgdA&Jke8f@a@y-pP>m4G^92N~kpT*8QCS^k)Bi zXyK#0z8~b6M;qtc=A0%O-}j<_8wWni-p?F-3EfRWiw3XNW3`8Wal+679n#a_%B&_k zjGB&7T9mi?2d)x91)AI=m zXFez5oZ(6hOOkAP$|L8FEK8F`AD%6Rv9!1lf`CZKEBP{0GnQbGLzK?BuUGp5Mq9F~ zs`b~RO2#Ma(4S$1rHLCS3ZCZ=nh#n!#6AZJKKFe-pKf^IsQyO``2!mHRam&MRb#Z( z139;`D&a*&PNlKhj5s4Gq|Prl96LlA~<0z4OZi-iGN4 zwZAwc1J_N5BTe-TuoZy-XGOx;0xLm^A5p!r1&R{tdXua4x(;?ZzgNeK7&IfVKaHRe zyw)rHqU?v#5mUQUGP{U>q5rL9)w%Mk;gQs*S>Z;KKTlpgdaKpC_%d2-nDQOP`;_#< z;2X;?61HDGc(g6JI?!_XUTv21mfh|8)c0eblkchfXlk5ZzfZHvaLGcDS^#_HbEI*R zO)gmHXyJv~x5)pE>OP1mrRVd5&b_dui=)LeV6Tk0Ou(uXkG`ko^Ijcl=%%L)i4G7h zxM>8{FAuE_!#G;jh8J^eVa%$+m3QdYsyHORh=~+`cX^MWCkRGmO*) zKT=Nao6ThYGySWL`~|g^2ozVWd?6mwhu^E*KN!Ow7eq>&rfs=B|u^9Nn=0_n6EBTqu%XsS83 z_1dN9FFCD_b6pMmwn>HMe7Usnr@03jd?#Z?KhVE_3_f*&KbN}n@Vxf7MeS_$`EN0L zifsF=+2}x-YtjXwSXwnhrHJg_q-=0k>sL^`YS4jN$a$^EZ7Id&M!HZ{D7w&vyzP3g zT5*X_yl8t$AhgEo=ZlX^Hn?X&p`$>@J z?c_H8Q25$*A_=TTp3WAehjf$Ff-MIeR-bpifoC$iFS8eK@3QX8u3S*hKP>?N7NAQY zi#*$*5QEAQVfW>qtsch9y)0e*@q?Z`{`%$|e6Y3nMy7dU&}6iYMhk73c*k6#pDH={ z2pWLrOy?dm#NW39uGvbSrY1`1yQBYnY~0Y?;~sx-yP(loIZn-e!Bydfp6rO9 zc2Coxtldwc2cy|!NU2aRk~@9$BXa8#%SIj{ocCZqJ9)Z3I;6NP@VMz7zs`kg5z$>-9ZzCHs{}{R)?r?Y$xf zW-m?aH|ofLov1}-CWk1f2+s!{e>HdO3EM9cx(aWFKPX%eF4l=IzR4w2U`_0@@luPgN*3w28zZayn9;j*i49CLA$Tg~*St)a z7IM|LZa}S8$+YV(CB|@z;2ZslaMDU4)^8P^%6!rAj7^uR%3VF-Kpxy(u}CiYcFSw^ zMIa|+ro-6xBc@2x4lyodtvN<=++#%B>SfPkd&jI8D(;Z9V+*&RStbIA?*hR)wp{N9 zUjr5KU!M4{yLlGsE``F6BL6*p7izQ@&cVdgxCZ)!-NN5iz ziIErT3qAU?}s6j=~PQ$H* z)NQ9bExrP}m_$3jrP`UfJ7=ec^JG@{W`$Vp&6JC9{ZgKput>A>6McoY=egtT>bj~a zXRWUIqE`?7G{%^Gg>yZ4^UbfNU`4)Hsc20KtoDtQ+n;9>km3|Rb(m@wze1a{R>_nx zANz1r{)OC2Wn*m<3!nE_$&$`mB*rs9+~-ASd`O5YFOq$OGA+j2GwLjx5qx$I#_p6b zreNr+30o4URB+{P0I9inH!AN&oZmupmR%VALbL)lDhOfwD9xLkNn(8Yw~V_@XYA5W z`L}MqO?4-hn(_)@yjqNpj~(!VgbuH`?2w_Zg7DC!Rx+lRu?a6Eid5s5_ju5uosr{+ zYnY`N$|X#-kYWg4`9yG(dI>3n*;lj*nW@O!4?+J&4w*hW*SvdI4NO!$*e+UU5jnQ4 z>@@keb#y55!A;=F-TVdoS-gNqcR$H}ID|w`6h4fmpif21e(QHvrKFm1uciL;i;0Jc^k_%+?B1qmFcme=Z1vi!KDD9L(($_R@VO}FT;tr6ATJnP zlkV#(Zvc`e`i~qUlnv6}p?k&-Jf$c~aq5+e$Q`yDdn8Vc9!(TueWA&?)h z*dbh9SNtk|Q`&)#B_>bp-+kExIHsD#RL|bm#eu_#JMO1ITQE_l_%(5B&G-vx_0=Cz zFn(<#SF44XwQ~x6U7~-eV`mFOO@lD=9}Dj?7@=w`B(B>NeU|xT1Fs!`s4;ZzT3P2r z`@F4=23pXHO|i|0S|s6SV*F~(yBPVk_>ewzwwrp|;rsln7w=xc^iI1z-v<^*7hmHQ zjp*m-efddX@RNb%k%>W9aKB37SB||@)Q2<{wz_BBbFBFa@6B5?`mm)jF46Pd;T3to zjrONS$({qu8(GRm7j;+Uqf3wcm_dIvJ>Tx%9Pc;W`q-zIFSzv}GnubnMl&#nA&1jW zX@2c*rrjJTz~tYn)>Ws)+?l_|xqdXieCZ-AO~IB=b5DP+X6gYHreG1?n$b{ImH%M z13JHH26iJ4pEvf3k>3p}37plaH6YWXS}XyRG$e}-BR4QFMZJn~1%nWb>ozB&8YV{8 z>O(e~U=OI(Bhy&iOPGl>d&xV$ooNL5U#B3nQ?()%bc98srAkpsX5BZB17;I`Jva z{%=(CwJsu=?Fr@HvMpzgPHdd_cC}`&jLP20 zBD+qQ&XmYDKm6=! zHoa1kxj*$N?@YeOv8#c<# z*K3<2IN$SE9rdyAZtCT4-%I7xpYCG_hTG&cHjELk+K0OrI`k@gtDcKaBj^z|1+j;5 zP@zL<^Vij+Q%`%gk140@r+yK+R(H2stBD)e>>X1a975atyrY}VAA zaG%xVT>YY589V25Z=hu_MQ0kSkMKDme`Fzok`6!QI+P0?C+88Z`Yf?80Nq_7!CFbP zW#J(m`wiV-v6j(L3W2^4-2}Q!%@QQw`uTZUy2bXbA+|&`kVlM4-|4D1pHZ~5%u^(1 zAcr53`t7z@?xr*FV!8EMAe}Bj$`~J7h%9Nz#3n+% zsqZ%35g?I#rnxP4!Xv5|i?d1G z{8-Z0_%A~+qp$Z09^q}!1a5Huz>cZwZ2#Uv7RZ`eFxnv23lwOLDvJzF0XrdO(B%L{ zxopQ+c^af6qZL(5LpUw$Gx3a?<|}__zf^v_7_u#z9pheTy*_Xtj_(?5<~-5PR8o{` zCxOO&om5d7H`-bNV0`IfID&tyaT^DKa_%oQrz6M>BCjX8h%0c*U(}wATy*=}DX0a~ z$7Ofex%JfO=Cf4aIa@BU`OA!$ygq`SqXRofO^tmbE&g?+Roj%>_m?(1$mdvZYj>q1 zw^sp(dt%Y8!Fko;JZunO3s%~z!9>SR1Ay@ z>wK~oNi99OKC0%M@!dcm(Tlav+2R+|(F^GMq>$y^j|PHiyMHoTdSg7j(y=eMX4`{* z3Rj5*n52Gd`R%3m_qpxoV%xcr%08v}>LKf~ksi85|C#a{E$Hmfu9;ky!-wo?VzK;J z4q}|4ohA3P;1V(O=y!O$E?RE$LpOtEuw@v~?zTN~_-%PSyTcpmise{3`8s=2uvYo< zO-;px&G!N$L-AHmzF5-Tya;W*9&n_#Yn~PH?=(G*Gx^%}uZj`mavA>sw?@7b%OX*c zQ>@m{0vog~{@xAei;r9i=mx(eYsXBTsMNaVj{1>mEh~84T>=I?nek`6vN51PKo9$l zp>^HNmz+`1-wcxEXgFPIjVLXN%iPR5<7n6~S8G+y5Y$a1N3NRyhgp3;%~7ZMXpP02 z*4>bU26;29Jf}5a2;5b8c1T2Z|LhyicB_c_QR7vp3_&IG<~?@?(4&%Z^E9 z?B*Vv;+i7vggzBSGW+na{Cqq3pHE(PYISdpi0~n z%GvdLNS!J52gJDfUoksMLzrNZ@|+9{sp_W6$N zAO*~2=0HpSti>-G?aCoBvCbmg(2T2+F`Ih9!TBA7%-xUn_)YB-A4eXpC=fB!q3 zKqtc;Rh+tC-&Yw`j8#=?N_}GFBt3K&oIhO?T#*n8Pd6kEc5|gJQGGhCiI`vZYM+~b zRc@-e4X~8btRtP)*B)7O^(92$8?Klc0~d;b!6a%=&9INdJ*P%=Gm`^U>^UrlQp9GS z#l-i16#@%xAI& zLcG?^ZTxdZ=13UHN2Ldswk-1K`dgn{SJcc&ryb@GKfQlI#LO`LwW$N}r8nQXuovqO zt?nX7op$)N`4Y3MI;Q;b{}_VhEA@gVPG@HA7O}`XwUd}l1bUWDN5JIC=%)2s2pkaF zd8nSMv1Bp=nuL5_wMQHn*o48b;^ zQpD>2Miwr`eruB*QKN%$PBO0jIske&y0o=hQY`5Jz^|YSp>CNtLtZr&yI`WSS2krZ zba84FFcGvMZAU3({ZE27-K9_rw?P@qB20m9r1Sz;Zqj$|1+?$+$-K=WWWEDWEs#W! z+0R!1-9MkD*Q_qMEQgYCPRn-mEfpBt=G@k4!(9EA`1C2*ce%iVy`^-J09fzlE7>KS zH94_jnl?7=N_f3mxWVFwcdq24UNe)PzK(ZgamO+1Sef2Q_3LFNHggX+P4Ji(crj1Mo+p{Q4=)0W?ti_DA!}b0SHr=KQ_-H@~@cF1MXotP0 z6`A>Lf^8-~WR?B+kJ{;gMqP+{LW$iY&q5ih9pn7h_5n8wJ?nkR7% zav&?|OXg47AE3hvf*mGW0JA%!JBv@CTRrf9K+( z67D5w0B`ea`0j!ng^p>!v}MPEY6c=ir=i|;cHoYu=H4$OxR0ts%EDg3{Yj~0*u5eH zSirdykhwmY0$REzf+#*quF+X4vnjijU*;CG$OUE%m7SOJP*%n3Nl5&e}{KMs%mDL09)CfFgIX_L} zO_P}iV!jB>@M!nu=Yb7&DX?Z$UWy8QPPFbPem2GXg=Xs_At3BH+@Vj@tr~cEpk@zc$)I8m$s=6DK?AC~w6D zhj>1}r&aj=*3H?3S~aL+xBtcWQxGn&iTg0}197wCou{G3sWW}27SyCB60H&82@ZcN zL7NDZ<+EN`0&+$q5*o(mtDFMQJ~8=E)3II)Uj18QLEBe%{Bn7kF`FqBh^t+(fExK;KEF&lBV z=ri3N@t9hd9J^ErhQLr{LXvr?I z%Jkyvv81>socr~8?66?NOuuxBm^CG)PQ%*yd^d zk1_1Dv2^xJzPhFLn9MSQ8gqAJ25e8$?Az!xZUEfl+uo23{!U8Q7U(7`*1u9*juZ(_ zLIW$Ut3m3cKtxD4LvZ+&vIhRZ*(GN3E=B~mby-#_u+`amY#y>{6eu_ zl>t#_bGTJr-bV6`-CR;1^+&))?Gr2CP`_MT^TfBZicMDLR~pT&`)O7uf%@K7JlMY8d$w$1pf*CHkD6x?+s|~Qg>`c@*!)Wq!!@g0 zxZ%Kooraa}v}#w7T@QUcP7{j-Q)wfhRZ` z_?}%u!UQNXKvJ2H_MLoYW`oMX!K*8|1=w&#ahs35mRPVyku&bb>B5VV1Cw``trDE z_5q))FS7WhoxJI%`-kVqEV{A#SqYV{1@~DZ-ruTXPQ`GUe!B`Naqt(c_I$w!l1V{j z4}3D<+xrDO=id4mnshg0)e@L>weE)QcX8aGUVMg=WoNjjeekM9cFr$9aVerzam9HZ zjagP_Vp-ilw#tX_KZhS<5^fk72)29`q3aj82$l&Rr}^xd+wuxGU{at{TCpw2K4qBy zx#jN-gh(p(&htF+a{fPz8QBq2nZf`1%hdwLAS!oWr}%m%Q@}*brYY3CPUpURw%d-^ zrht}S%aW3O+V7uo3WdHK<~Vu+0b>Tf#`;+*fBAZNeb2hAiA*z}ORH^Mh_z3t70L`q zDQ}s)V$qRWxi!bG1F4g=_NHK;)Nh@P3zc+kQ`@^=AG!K0NKNK^cF?hq9()*ER)b%O zFWO&d?L#0BPszPPz;uCIp1|_>eBh47c~Y2#lfEeD*xhn*u#2hN#rxWShH?RKNeYKCO5uR;mRGjHjogjy~E{YFRX0*Ln#n0=^8;NlZi%Q@l)VRO0{`i+Te zuHWQ`Fb=Q?&e!KjL~3FUXO|DQ8Eaxa5Xp>HTs-A4XJ(I|sw-2f58dD3*Q)*)>$# z1Cy zWou+k@-HH**pLyVx=V9Y+ghf9<<^%wGeHdMF$A zzm%GIFE*C%voAf%0j*LeR*Qg;I)J&M+M;#s9C(C;Mn~*Pu07?`^jqiy#t z8i;2bYGjXu0pk**()^9?eiOm{B`xX8eXijx{;y?_cgF8zgEVpdMTQQ%69rSLQ(J{W z5CS%#r@UA~@~Em6UHe?Jqs|ID$hJR8*rHRagiFIE4o`LF0Jpy7VX8$6YdP)0pG{CW zbWgRdX!Finy5UDc&etf()GORMdDW()QPLLTV^s*WdzF6IU>FBpw&Nr>f8d{VN^2w{ z63YB$k^rY(X`m9I!gw80z=q25`WP1IU6af^TL~kr1Y&&;7J*yLnOL^2DTn+g5A%Y z2~l{nlq{b>tvy+(FjQmOxg=jr7}ZieeRuf?5!zU|M#{8&=7KIjg|72^TK9Z{^nvTZkOw>*eb4viaqi zdC;@h|APhmhYNK2ojz1hmD2q|1v<8+-b6iB8&y{0bV5q<;hlP{Yp4o%S|Vf8qt`@tsp8Nb8Fq?})%y%f6Ur_A;7nl_WE-J{6I2`j}IqF`B+wI7-SsDh`=4hdKDR72n_J7YnN^mANR5!CtM6XpF%=KmJo{SH`$;b)Efzp+=() z_DOYsZt)=1Pn}Fxr`5jkD677wzl`T$$(ZODQ(t$n6ods^WI4Gc-S=&% z4i&wVqGHKmUm6i0b2y+eSQ~MZKVe3b=6F&{HN!ZfSQx_MXJ>d+mM%@<-IEzYt7aB1 zV3w#-8{niGSUxfv`bnxr`kSA_Mm*Ez-;8%1FIE_JY1(5uC|E`qV(#TEh|OxSgFi$d zIyJG-L)qFk59$vyqAmmj!ZR(^6;4!zqpT-1THV8a)a2z8K#%1pW*|NwZFkEp*=5WU z$X8!7)X)J`7^(sXj>wcQw*Wy7`7FB*`p6DlScP2+eTkg z@{ySKp1 knfr@W4A1FZ^SkQ-=vA2cQagg7n#uBM||JjPpiXe@coCPtU-XFfYq-nSaTGI%Xt#M9~gmb|`O`GKAMNg7WCRlNPjRN6Q67e-VV0||b z;6$qii7_Bg*(+7ZHx~WfOO6Km&K~6w67<_>lRk)vnD&@6H^qQkpRRw`UeqF1?=chB zyqH1_QqKliRL5g_DnSTHNIlu4&x35_V-NYPlWK>OftindQSMPd&2|w9=q)6pf$@+A zpmofk#h-b^cbgU8wqJ7zp*HV29(l2SkKD7iBk%lGjXSI^h-@Jlz7u5D>C<>K@JRIt zee84p=C2n7gWukJim`SWy&R=3W{vd+xbt+)Y1V-IG`TIm(D?X>ji8dR>()3XZkfq~ zNUSmr02#_x3rVC~9oCBax(OKkQ5R4{6dFAJ|}~gEWzo7bCsK81H&U|ati%!g@sk)F{P zAi|G_`A83_Fm^knIE44#%rn;W65Mi8c77L`xHpu4!PCC6AeS>6u zf;V3zc&Dick{hr7vsR1OWEK93Wp#Q%v1XFjyzdR%VOq;Yb7(Wk!-9YoMtG#Dqul5} z3!i`kD5$Ogj@7^~N3pz+dfEDi{nZ`BzN+&H`-j)gmM07}mK6Sykr#CIk^;3D(#5t* zo^M+WiP8)>UrV$O-aJ_Y~ET=LG&MBwmi>$sW&BQ|I zy7VxqSbx&G6S#>@VUhoW-(H*PZ z6V}+AQgHU?Ii{IkF@94hx8qQtGHGyB&xg?bcX6laC5#MrXq9qwyo8AhG7Bd0J|c+U z$dPI+xso6?Ei7VOpy~G3LQkYXZTz|Ika;#0O73WeCZi~l>U8_(n1MQ<@B5PdKiIC% zgRF)Tx=&1Oa~U#3I-+s+;4L-7eODOt`JoovBL>df1iYJJpbp>-5RJvZP73+}Y{Jp)JlB<$Fm z>>o=v+UHAE*|!C3S-09N)MHh>lcSn1+a>M|hf2tjqy+~E+PBLyrx3^Dbvi3<8jw>y z1&0JCuyffkZ`;Xf%ycHhbOQyo<%HKXzJId{$M^4#Ci`Uf-jPrgr{sKcEB3sD- ztY!VFs*=RpZ=G;^DV@98Z5Q6WN6Q%F*cm^@k zY9;!{#v?e+_`w_3`(_2ks@K9hpCInGd^ZSHP3vAsTQmJSgY zb6j;4%EbD6rgKxTaP>!ub+y|vu%%?8BN!{dOX!MPV32JlEy}@L#v(7l*%Q?bEh%4` zh6e^{v44f3v+t#VCo=jiFkWqq`sKiQFNiPH-c{jISQ9Nuhee2jMK5D*H&DQabI$GK zlFqg9!F_M$!p7a3bUU=Ra(i*=v5;&0CcRxVm3Fl+ehjYCox=#JH-zCQkE*Zj|EPW0 zJm9IxyDJdME9dUe(X}hIuw?b0SxPH;s0->#=6+O}wS&Jnt`Inohc1Seqvk+{=y=cV zXJ^B;qdJ)6)#SCCP)|G8AUx!qsq^8n%HBdWB&d4H@rg{Jsto{4oG^uuT{UlBcwBzf z#i8>3K}Rp$e?IU$Xn)dty2SFXg8N!9A>eC#4@iLOvUz-AfFZ2QP(%P+;f?6)j8|L= zWh94)c$Pu?*~wCqTA3l6JRrC|?cLXEaRVcPnBCx-#Z#Y2ohWq6UWJD>sIi#fu$7OI z2K)0Wc;=k$`q!eG*06zB%p}zI71j6i{uP=3&I?3Xf?xLspEUhQCz+6rpWm?s zYj9LEuZ=Fwk*6dFBg)kxkOU^gn9QtK{je&c*rL&E@^|&KJ^*J0T5N@FnH^Cg$)G_v zkqz5J1?_(l5r7&3FDkUBgK?HJr%IPiROnZ!q!b>7$3`=y)4%k2v-4%$B%{&5MzZ(Y zN*X24EA}RdijZU1W;2d6UkTa&Ot)=3(?jnbR!pLRj+$Ov-cmB^L|KtevOPff_g7a6Vs-ax2!VmY z963+hdA%-MBT^~omPorRX(?F3-?RtjAUE_Y7qyXG8|j~l2V(-|dvbOc7@fRFFNkmwhM+WJwo z9;FVVKu$UGon`VHA$kW&;Hb;Nz2;Ep=u4%DI-iFtO1 zoP^0V3d-QdHj-4iggcP@gUo4Npq>Bo z>;~$noHaw=A{7O`$Ru`YU+N1y{XfT|U7+*jM}LzMET0_d>_gE<(}|@B+-1<(ry}y^ z@4R)Hj5F6T@byE{Och3kq&hS?75@iVh32JjDa*Kz6d;a6XN+QIBbmgXr;L!>9{BNh zC9Wv=8)<`tO>XF8hvu98=Arir67O$>7-i}3^Cg2{-Td%HQgvPUsX<^bT;_QEzS@M6 zp~gI0D#W=EfOaoDnN595m5;brT(6f9Lj4OVob}oqC0xCK!?3mDxn8#2HxCxMhK7gy zwG%m8LNL+l46H7y&au1JQ7yqqRQZ>m?mqpur2TrnL3o$PpL(whk^Z}b1L+2C$7Dm- zlimPh-mWa_oj-$DOy;sRR{KT5^jr!<#$D`TWpo=EZW&K;nIVi;lcSDASO|74Q6=yN z!VDr!d^Nv2*^A?lOQ{qN9xyznEy2VlXZzo_iIFh70zNHXlzRhH2S&V`s??d0RIiD| zd0Bgv96+-I<~<`Ot5ZApTxcKFI0QfY(^0o^b+tUs$a?-t9Le_zchgz#w`$a7iO8HR zTFU0vsRzWi8T8h{-`cxAr2@u0pTcrz2lUnuje-i`;g_Wb1uh>>dst#}w807saT*%` zezlu75ABMmifOg{qD4xijvhZx7!s$rv=5Pq)B@Ut)uRz)-o_2P=~(7GrMsXuqmy(il#E{ZWBa}0fAF}~aX^T%@OUd_}3BP8kpia;j&p%Oap4|?U zjCJgw`MI-HmC@ez@B)xlAw;4_DL+Jlc;Q|IaaLNcEjBL$F2@ zdVYaqE#OzzxL@Ofyy}%K7w5^eEgCK_l(=pw_=j1uDf`??U$8T4XL!w&6tRy&Re(UE9SnoBiGk# zpuIsyypdC5UtF`TgZ=GY$%fnk{Vg7%Ai^oawHebAslqX#x=~mUT5p;S%A7`@$3fcB z*Ev;Yc1rSH2{m8zXw6bx9?TD1Bg=Bt5U>{?P=um3)`v9;RJ32hC^{c_I;sU@%;_V! zT*zDVP_hf(yk59-A^D>DMZxHU5xz@Ipmd6%I^cRcb4~0E#B*+Z+B(RV%q2SrSZIoA zL^x1qldZuksv&3VCWc`TNcJQ@c8ynHM{pbVlKtSvVvUPKj^TInm;MC*p)I~-;rHhZ znd0=A->qSH6`ah?mmz)ck{S?_FKa&&E^BI6-Qn!+Elag8C zp$Ky)uktSM9^_18N$(0GA3Or^EU7{uR&@AH?j(4j+gj$BW^8SJo@J>6TFcge@3p=)fNwYuam5U@lIZu- z|9WvJ@ZWC-4oDs8CirK6D8y@OoO*R&@BM}0Z^R;URqU6H=Ul58gh1f#<&$i~8!B8m zrtYd{QKhl2^+Z2eil+n1|Jf4uaNKAcRz%z^XNZgH%awJtLMKUfL9qVc8y77nlpO@cD-3JG@hrM9pXWCld@a$^pA_t(RZ+KvdDU14x9$zalryI$LYfhI5qb zw=WsRkc6=fEs7=11Gh!e8asw7{7jDdGX5d&b3anYQC(6GpF+aSrMVbVqBP>PV=4l_ zBLDr^etrE8jA;Ap3n}(pyhiV*&5mZ(tn*958Gv@dlOdAA!C05M$<}d6pM4v6HHF!| zV|nKb^BUkVvX^d=?DE2N56;A|q85H)Gcp6VqBL~7Tl|;$f6sCX9Rpgr?jB>|!=puB z3Se8<*gSOOi=g^E^LWD8h)ZY0^ex$hM}F&1%#U_q+~o?P9pw9tDsnZV|?ywyY- z2)|I{R2ry!+E0Z!KXRpKzJjcE3}0ZB3S#hm%upb#5y|JA8Df;$skXD~Rv?x7@^0bV z=N$L49Yx`v+rzW}( zC)}TUal2i|T)#I-&Y95->w-nkB`w8`tt`!6Dw)}(8pq@uv9jz)0|u!MdtH>Xl>SOj zJ##99d@xX_nToyG-A~dv5@-BlXscHHepb>~w46zFP=kyHdHy!|EX1ODGM>@!OG#ng zH+!*wOZFG0JL7#O(>cYcAoO5(55cwvt7+$5J%#3v&3?aKX!3Bqd2y( z^um1X3Ot)h-~V^tUp-jdQ%JkHn0gA0%-@^$KC@z!nxAPLXi=iApxK3sh7$0-cE7!q zWWPCaM_w2E*DeJFI0eBT%n5`?5dBK+%Wd~85QP;kdx3AZE-j_PBhHw&4vuu$xH}0w zAU{?MITootxWm;SY@_;+XVr1YUY8BvoHh3gTBI)mPA+>ctjqtf@R2dfhGTWyem%C2 zcO_;3${=}#+WeK$#d>=FG2v_(O0Ks(rGIi1-dT!<+`W&D8&fpZky(V4w$iqIfOdkA^>>sndS5VmaV0B!4UR@1qSy_U>BJh1=8-VtH(Gq!#8 zw%fm8t!u3-s=^%e?4v`CA50E&IW=E8wz|}71(rIA;3?kiRQc3eHyK4Sp&OZ%s3+bp+VF698jD4u)Wjg3l0GKR!)e0kf5#a`c>x~NHL)d^m zGaJ}Ci;XJZwLXDxI12ma7JV9GWaJN>r{cv`|@TZ5ANVL^Zp&sT-owHZ56A! zte-G%a0^`K7ejX4gDV#5xa2=n|0B|8+6R!iQ1Of;{cF&(_mN@O$aW4JXyO!feP;80 z7I?(^>@L-{J7j32l(Z6!^w$eK{JAG}jm=}=+~1rGO~m(-L6Cui793z`HFA7NAZ%S@ zeE^lPERbLQUdO7V)vH%D*wMoz%PII61w|zYr==KAZKmz}Hre_d%sr7K-^yaseI(R8 z$bl}1)J#_Z*X`(2M}N{OtWgIy<$;i z9JBK8u!@o65|RLAK$AriyJw+YFJGBnp8}MX)H*lB2as3ujitEwTzMF;q zfzBe<=wDUq3L4w%P?1U(<6IgKv{5>kE%K}%R)L$|8}KjgY9;wrN32_4i3{PQMj8Bp zH0P^;Ui{(Zyca|k@VWqS{#iq#4V1f7$b^CdFeT($FTQun`!{O@zgZ`u$CNyJAKRku zbaLroF}vtZe5Z5jb16Hj?meo3qdIDACD{k;^j5jO26IKtpxbd1c;UUEkoca9llH9P z!*K$gy1s^{*_z=3sfRslvxBI8hxf+n-f}$EdDUCI{xRtUZ*qx0(m>N-(ip^H;`nt04evx9)Wfx^Nx5oTgOdX_O~ahD`eXM1I!0BcfK;$Q&BLNQKdU zLks&_{?hVgYMnC9uiu$67^ijW!?$3Sl(pud+$SLIpeO%Id88;OKJ8wOp4!htV^NKS z^pO@zJG|aSlc;)Kk<3o4PW?wZQTPW#wV!Oxz>MgK-5(L-uW;wP+t}Q3jn`^;X`cHR zYifzj5p(P;uW7QJjGA8>4%N?wnEAbamvX1(JC%IgMpJj4h+BOH%=yC_ThMI9-WBj*Jj3l(VhcILbY%SCLqc)$xz6k~#k<*5+xcwCEn(>6GMU;L@T1=LoXS<>G9xa=1z#)CQW?B7AX>?ozS% zl)M-nu(}*b-864#) z37b!$QC40+`&i`V^MD&uCZ7pYe@Q6Cs{q}(OtU8r6q8+afMk{&@@Q@={)Ly$paX1* zt$|@lidk)}s)K0d@&4O`4m00pq>J8W><}q<#a~WSm*MkbYsOrp?e07?uiuxKozF4( zE1B3y_%SLoP02FqW^Xv=cLM=Z?&OAwMYdk!@(J9`b(<%!Xn5-9K`nO7J51WvGRl#l zcw{dKGB*#@mi<=sES;fZVS=?>Y+5UC*J1Zht#WcS1V@_u8JgKC@>NaN|fv1-idL;kJA!R;zY>NY`(^b!6ROo)2yIiCgvWk#L#o$m=J;Oz{}igzk3*FgR>9e8tS#z zBb(deD{aubK~ko5CK$L5L)Du>LG`8jW(l;qMZRJ?$wzfr{cLv8ymD%+d+RJ4*YU=Q zO)Y5lJ6-cYSZ(GG@5hqqUo~OAg^d2KQiL=1Jz^4drB?iy24^RWd3zWQf*~FU{(S=t z2C=S#8O+X#3WT)c=T8+E_cd-wP!zD#S|KTMC@0k)kwgBI!kJ*!2jS=RVdu5*+5ke1 zD520llN!5BXN~moW;%pZjz4WHbTT+PnHZfjw|HVybno!}TAK0z_3b(AF?m1bYqP&h z-uERO!Py&kmAQLrX30Uz*t^7e#(rxgf8V*`17`MyAy32)6;&A@sc8afV35f5IP2*D zFO-c)W09K^1jR*g&+l%5%uT@IDWIx$Uy%p=_lBU24&U19q4`V0qQkTpofhJe-DbOm zZC@c7f|gQ2m3~zFzo+Jw8msF}=+jZ%CvmZBRH{R1T=L^yZ5z|K3dX4l)9OTu)XWEN z449(O^=OUhMi29kgZmJKSN$goO2bi>vgfBQ471S$Dlf~;Y0Hw7Hu-NrAdIEAE88^r z&aHbcnVD{lv{tk+N}II4H?}D6bN@=#`5_tc&8YyNY1eB(av$Q~r@8A#fk<%L`@h*y=;9`e-GrARitROmxo1lh)XLu#0vNyB{F8=bp0S@SrcxmukkC9KH2_@T-iF;(y>I1`SC}ACijm|$6u^YQDtsk@aeu!jXhx)4kvx;1Gi^_lP9BS(|SCQ*9 z+r73ec#*E#D}8Y~MNxvn0e6oebL&gCL?nlny)uelNJKI}a^Pl~=J*&ki61QFvNdHd z6?c4D?&wK3mFm8UrnnjObG$+4&5UJZ-7WBOvix4hT)?;#^tbp&;osfmOtsNwpV0#_ zYjie&3V3S1zsWNQ2K5;J+W&0AMya+9k++ELEOb8bHmMl=QsOwAyC`+uBf(6c9D>Zg zYl0=lzSBx?c*eD}$$xxS@*DkiKAnDAd+jTZ4g&LzM10#B`Sx*{Dfx=PW4-3LH(;CD z{1;MhFolYA%S!7Ieo;lo%qidH#b19XVj;k!VJS7iRvA_ET1&L_4_7c3e+_I!A0{bUmq8JFdC@M?gl*1S}o2%yube0Ggc z*iL+2wvu^#$bAN`4=PCs7qN?z`|26!dMNi)v70jwCW^ zuU<3OWNq+EX!AoXP4k!2`c(Upf$wSdy?Efu{jruy{1}d1+DQyxI@wSy-Mfok<;JE9 z=?mM2&lk3vUk;a+*~IS$lr!xm2ER+Z?=rakv{y`5SHDe-tFAz7`NqW|oREtwWH7x}Wprlx&9@S}B6EqY$MR@V#-1dpXZ z2%hR+^JA#_(WZehrYZOSqzjXsVnAX?k1_}MH}WJD}0aAWG+e-7kv7}K)D>se?QSk z{!JV$C7rB7U7jo0F&iRnWnt@r$bKMhc2r?R>(BM;(^uU#qji?d=2~4V0ABhdu{BN> z6XGX26t`!Zh@k#))$4AO>Etg$h!}`Myd@CL1HMN_lXtkwHBgo~*DMIZKGuG_(D3WX zZ(r@F5jgF z&w&2u2Jo*B#;ont>ht3KZ2ewb)dWF4Bth`sYRwmXjWDSP)bubos`=D)tF*!YgZTV) zApC&naU0A#n-L2<+WK`bVuV%W`8Q{2C*$J|%e+H!+j6zv;QJPen%fFHXzzTnaE#E; z!F>iYU(!;a-@tLRFI3rXa4S!{E($&h|9#4pua2uVxWbEHrP$UHF5pd`c!bFVk30_x z&X0#b4#mfK>j=bMa<4~BCV#pe+Iga~pxsC^eivPRJU&0yPLPnl}(6_ zns@QC+fXXrX?mxC{C!^yxFSDf5>p@9Jp^1gy+`^)`rMk_7q;~MOjNvQ5ddl*eFNtG9lKJ!-`oG3HA$^J14~InGTOHvKvns0j2@j<)7ranjrM>f_%H=Er=n zr-wx?@}ph`k}JYoRSNBA8B`u}zZI?tGC%ndFGFobVT&hHUx~x(`*6K$*X4&a+V)za zgE9$_X}q|G*S+ps>a8zn0qaR11=B`2a^T2%m6~0}`J%IHzsa?@F!ioXF}oxxlvxo3TfyRjT0X zpAnwzOLKog^L0C<4K|BCuFaL z0pHJ2y|}`CO`}?x=P~M|Id5-QO>?}2FriBSS!MN|%h>rvs^rG6=aM6;EPDOQ=3Dp8 zL)3uhmuylv9~b?zv|ZswQlMgOz>%Hnik%Ve!^j`LU;XzWw6*=MLY{w@{h)c!C{nDx zPpWD{Mp*wNeSRnlCAzm6EU_M3wERVr?CuY`HcU{PW z8}2?G4x`@CNufMLMcb4MJ(5)x3bITK-6{=y=hN@b#o@`7?O3i|Mx8QD0kj32q8`vE zr35Et>HI`HDezFsIZCXV&y}CmLqgRh6Abs5eYQP^m(o9~L1am#!??F4i$O6gE0bb6 z7@p%S6wK@}Du8cAroBWL#yoN^hNaYA8*65Yb=^Aw;@(R04 z{EU@#iWoGmXl?ORk3f%}I*NNV3X_joFrt%)nke3q#!ubIsOw4%Nu^E|2EF z%T%tQ>|qxaYc6}+Pc#E$SR2($@xy?R*B*S0jfUUGJ|Am*6kREdae;yqACZ~wI!-pQ zKR>vWEW)mGe-bm+lGB!H$ zrseld=aLKmPmR9%LL@htOMw;Tx7(6NVl}dAa(Nht0n)|}gO3(U8OyX7uFX}gwrP=0 znE*HvuREOZ+xF#KyR9L$^`w$pz>QbyL&diT3jU9_s{nA9kn3-=7YAqdP#8|}d(Ha= zD8+k@3tu9M$O(bzyFe0pgY}@Vh7~n0hqPKipjs3OWx8QG7NNy4#FRsULe3t|GM68%|{w>q31q=Iy zvp+a}Bt_n6i(9Yvde2neCkM*@aQMCi<;}z2PLAbKj!tBvbT#6g?{^(l;l-9`^>1W_ z_2+ynk4`=z3a>ZKhryHH*XFRLl@h9iiSa!`kHLzV??x-8M^5_#A?oL&~D4(F^%0;A3&Dq`jQ z?mETZ8)imr?*x_YB92)s6pmra@R5#Bv!JYUkV{2OQatsB!gY8B@6e|zqIar9CL`!f zMaomDpd^I%O5B+&h^c61|Cyi!&&V)Wk6K7fgq>=P`96V?z#M;ZBzoPQ*?wO*pVhiJE1WwlLW4aUU#`sfxQ@s@$#Ofs2O&!9KgYqlZAIjd-`*3o;ZiOCK**>zef|2` zPDwxUzto4}+#F$N2$~8(SBg(_K=iARZWDnd^$&47K&yx39Z{=?#2wL!$GhF+hnf@O z|I0<7PJ+z7 zvf2VEIo3gQsWgn>{g(_fj2lIf<_B7mCAKUK+3xf4t!dhz0_qeO8XF>kWkmb=6r!rL z8jlFw-{F49C&a7PFQ|+;rx9l9uja(o*oWduFiV)e9RyYM6FIx%ii)U|r!@Cz4I~~p ztxep04Y?LYTbuioS84L$qs&{^aa(->-|G8%1j{hBiTT65Bx|y+B1TeIMLV{psc7qZ z?f&oavQ14xNw&}O$iZyG%?t8kJIjiT`H{$#XqL4yY?_O8wvJ6RfuCe|fuvS=h=OfO znW_+)ED^YDg-^^%wTVhLe}VUG1V7qL&U!cEvr8)n3@e{&{M*BUEYlI`4f{I&OT z>D|fkaHG{sRE4MAWYaNS8d>c^n{Iz|wHpbG`;!vxCgUS+JLg3wZ~o);waVWd=SR7x zA4+EcoX{m!*44+9!}~wm+R*S4>i-ey;=r|(!hU5{6X#9@UicHPSGa}9=iTI)eY4%a zKg&?LG=8!BCQ>qlhBgE<|8v8fAs^ms(Z4>M}gdE9$6Jo6*vtSAR#0a--=Q?rQS6Nl)cp!{$X&=EX=af0s z(-E?1$cTy{H7XpBsaJVG!;wpws&=-+_9bw%498i`yI%r)*wtG00tXJUl;Eo&xHijy zC(uG~%wh$oSrb+2SqZ)djY+@#9q_D;3*o-)^A!E&DFI%0-JUw9We%jTc+@q1+)2Hp z4-ey**dg1ER1nea{;>5m70(K1332-O)9ExbAaz)KUF)syz*t(-Hs24adwO$ibHJyv z6Ey6dA5m5igw$rC0qAmQ5lZDzYPakTv6(B^{E#lhEAMVJ!5xx(Zm~>Z-)1}kKC2YI znv}pqPPI@<=W7shIiQP^hZJZoDcESOx~{rtv+Sny3b;HxI|i(ui+!Fhz&OEkBSAhL z+Ua&$tB~}!y;G~D>ZjWF7LUa@e)FAur@{I&32}YciJ9otG!;qPu87NHEsjxZ=z7h6 zpx!}avkOw+rk|~mRI~T*Y&xf;NeMgOk_y>=6+Ry_y<87PQN!wF4muT#7PY!ldRl|Q z7+0aBRu717S*wS-n=w&@0O6F z@o-|vGR(;9V+}$LsWb>oC)O!tNqR2$dRV?+_GJo-B+J?h|2)LZFrqtzWuYFIGM5@F z0ily5*q@nVD1}pn>NPimsJ|PsLtWHJl!H1=);VWLxcfm|+c`c*Mm@b?oI!~B0ZkHI zfw4)2Vpat@jOb9hEN=ifv&(p+W-Y1T7Df(|!OlY?V8pX{g26XQmfN$k>$;30O>90J zsS8+Uf!mU1R73Rb8w0p!JxQc*Fc&uA; z8b}o?lqwHExmxts1+2@0Y85A+y8%jwP68yR?cs=v<_~)~tNddBO9Z$=Ja@_26>J1| zuT~wCGS$eOAcHIBvZsSAaWCtQObn~Z*GY+XvD1^VXQj@<_#0qHy|n9m8$J~S?p&|O zNx)?Wh!4xOeK~v7mI%>nZvV^7B-b+6gJST){^v@I4!(T~uZ^BDm5_67*0;}J>^hpG zU6!386(43%snCV74U@Yy2?k@E*Xcuklmv=2kUX9Nw`7*gDm!LM<$~v`^f{_LnxFrT zuxnnOM-0Ou*7Jj8_xHHB94sanXL1BBo3Fk)Cz1_**EU8wPJMM%7gG=yz{9*tVDr5k zMQ|xpbnB(7(auPm8R@GVmY%K0F(b-~wZhrQy`ah&GhDH+K^UXOhxXglh!t8MdE9i! zKJS91)iXMNt`1uH{CQ|H?{cI9<*3&m*wSI!818II`pW7~?yqPJ%l<>+Z&9Cba({pE zJa%Q#eec{0I!Z~~G5Seso$jkV_%`U#`^1N*Q+DaU`+YpU-rh%2h6qYsT$fwEu@R(Y zu@OI|)`mX`row0+l0dSEs7P=% z1uvGL5Xevuurm9_2pq(J^pNpL+ASemH@O{44DIr=@(!by)w&^klxpu&i=pvmWxJ=!(>bDpW9o#XCB9rdk8vO7%@{N%>ExAgGWOJ0oxM}pr@uU}F z6yYX61*RD$67k=Lz3Gb&%?fHt1#vQDA=xHq8~Qm4oo*3u>NcJACWlzYf zS`@j6Qzk=p>2EE{5ukR6%Q_!?Ggk3XICyiKyu6HP5Cf?{qXs{1xG&DSvYJ#Hx;5s`xOVm{ z{iN;_mx=?kc95d=qwDtLW5->@{blOrW@0?NA`;_d+nE*s7|00pYZL4!M+>YwSm($* zn8SuJp(`q-^DJ3Rq-_HA59cdlt1KvJ_NsBUlzZK}=(}GZ`hPxN)(yR+>WRzFlCPF* z#@pp36nsdbkG0~>KLfwxpr~xgH*psf?Fl5fKDl7apnLlo?6Ldzg`3=RYREp%^oi&n z`6r)+Cxoc539x4&=bE|7_$|8skg)??;u+o5e!_7%Ru5U(qFUc~YiK1xmN4&(jROAX zNqy(!1?KpEqn0;oBQu%=t`D!j;bKo5Hq)e&@x$C) zT3&=zo5QLblqo!I-aQ(<+e9?=bAOKrH=#_}s7Ng-!0M|b3UU{?>V9SYUKs}7jAbey zDCz=_s6tQWxD2@@S}}yr`2+xNkBNL9l_2R}-jg((CLP??Qfxnl-BfIu)W#N>*9| z#n6!L3?n%2_)zC$bJ1#&vp#G|)AGw95d?wd9!8&YWu7BsZgfneOclVhZ7$lx=3RLD zKF;`wXG%vtSqn!UMzKl7h!MD3`0S7a)vfRrQYXFRK^7!Jdvx?e)m47?T(wV!v;|IE z*`=G#lA?Gik*l{;M7Nt8clXD&k73`p{pN1!_rsuY(JFhgHaCDXE&_!BA}Vlsazp#R za$_^5#$X_~@(8o<{9C!F9})~vhh$TB{M;j`{4ye?9+T-If#p-uiv2qW@-6Su@1$u- zi951BtXoV<&-(3yWSx-m6TMwk;G!#W7ig}sSHrDD&&wW(zPqjf+iYhpU;xmb2qJcD z+P6Ly-rA@8zUS=oVtFcGaF3Nw-@O&~tp$0xP8j|1J@HpUh=~4`COv_L|9WU41I!@3 z3^j6^-ITq5@4aYu<1B-il%4WS&YNM@Y*)wS3Ig@d+5-I_kV6sa3(02K;=AG~7WGO( z7Mb^HG!Qldyyhq6xdjV%nT)GnC%Wsjy$ujJ!$N2^NR)z zktHM($k8h+!ysFzQ^P9hR~jS-mLl^Y>fAG$x9dYJ6k`O1k#2MRO)6m89r_sXR_sN5 zXj7rg1wDt=RnRU5&`RvJ_5*sr=A&%umpgJ9a;WOEP?4;Ot%mLPxJ zp&JTgS$nR9-IDs_te;M>g|Ny|cJr43DwzYCLANz6iIZoC&MOcsUlZ5rE+dkLzS@sP zhi%K`;{-|M)|PtX2yL{l6TVp=(I;$T_FCZ4&+pQ))CAl`UQeCY)?5B?xZ@9p!D_8e zk(>g77r1K$%EZGPu5=SN<(bh$^6yw6&wzajGOYDn2(I|tlM{9NlPkSc9P?oRF|9l^zLYPD7~} zF=>HIh0+NA^1L4Ayg?Kx>0O6=imjqYdBO-b3d90J!-Hcx@&hvu&9lLE>`U5+T?;Sg zTs7o+`sy`297ES0Fhfextl(iDdl?Q%tKZVT)rFem1{9&~t8VM6@kP*(vnYebUYJ7P zC@$e4ypoHNNAR~6)d%IYZF8iV}?F zCOaFdw;u!6335t#p`VI`s#7-}>jBNVf@yy#zUK<=-P~hfg|)>7i!ph!Cy3-XtcU4} z>ukLsHi&6TxZm=1rn$^}>ZOGZ0HeZb-}j)%a4O$?N+0<3l#2c0{Bt6Q1|oQZ!A4dO zX*<6j%=~lC@5EFH+aGnqvpYL(tZSpm1xG4U|CLevSCDvm?!X3IDQNSLSz>o?^8xmIWqE1qnGM6;UmN@MQ3yZGBuS@8v}X6w6}rku>{c!0vr2 zt$qUgCaaiR44A;(U?#n4dDg)0OXxfu#heROzG$K0%Ufz_mqkN~TZ{sdJ;&QSgy|zk3 zknGA7MFNf>u~%{hFQyl9kXoAD-iVbo%>UNm?@5K zKmTJ{iD>H5J?zEc1||tQ5?b~!5zqmMkE;x{Y`N$f@C*7vj9CGjqx9y=1RdTp`TaVjgqp99j_c52HBDlZWR(C&^uZX5IKCP+3o-^WRb?7d3lZ2u%>D~9`?Z>QH__4c zGwBA%5$AmG?z@&6C??UJ_MZqM$kV3v(J`U>t#rC?7q-;{(N0n~;D}_M`k-Nq=TY&@ z{wM$R83wRLYw>I$01f*XF}k#FsloEw>UrY7@z!zRlT|mr3CX)a&yGpJwJPBEP)~^! z2A+V?xV%4yY6P6@^IBBl9`PjdW&Gj$n3h488Ij zaoEDoYFlrRqn(%Yx543gpIzo=vRcnZwL#Bu#+7wx25~M%h2y8bc?iFtS90Gk0*jgN zFi@N!@|b|Vxh0b5vIEA9q-3h8unMBmjV~|9gLKHWG?E$g+%;9r;Rml+BGkdwN$2<~ zP(B0jtc1`gYEj?e7Jf;avs{e%fth^!fn;GrWn%xEi#XUt)bWsr!*r}IJIn2?jF8x+ zc_4VUqIIYPVH%_Zgv$XO#?C%O1?o?Vq-yA=JQe}Wd<*;r)4gvRVs_OE0frZ)^%C_Keu+4V;{cdD3>oj1xQ z;bW+2G|S`7$`V>1ET|j{X#5xKr8JTen@~fb+3FA^1@aiE@~_PTC$5#x&9FA^KQ;=Z zpRal@x{?-T(|rrCNf?uki26+#NB3w%_M_@4<+}~~CVV7i&j13T@1oOp^c4E{bnC(0 zk;RlO4dcxKQOXaH5@m)rV*kddAn=Uq0h03kISnKuBFM57uM%V^U&b*`a(+vnm{FAt zUAt>CuzmdD274il-Srl8IbMk4yX0sa}P&-r91V1x8b@;y#GJb#e6J^$(zJW*>E zi!O%ev|LdiY$CYy3hHiV$T3=nyEGw!E*N_R$;LY@p+cxucH}H|9qYxw7xniW@$CE0 zhPT5=02if-LT8muRsPQrNd}%^OzR%zfu?EN%ODsxp&#*rnDQ&pZCQHJiy7QA#iB^J zYIGTymnw0%OC->7h`g79{c?Wgl{t`U*VNnewlLA?I5*Qdj`6;bfJvdv&uuPQ;ESfm z&}g7zeV{E=6n)Lk?^&A+6RyY;~AN5W6WAJ%J8!l0Mv zl2^%L)2YQ?{#rxf#k0(sL-=${gH$wcNgT=5-DRyLM;g%dXki2mQIPUD`aajAN3xlc zAN!W~-4ACykwuy+|8fH5?L#rZvX5lrYi1-;I>U0fGmQ5|YR2m|1FMHzScI*+4WI&g znL^Y_H#0G=HezA9Sb3)$3V|Av@khM?H{?9ve@HQm$bF};C_eJ~eCy7Vt}&weuVfPu z7tm4eENtkCuPsGZFUQwMbw8Em+D=;X zITaH>KaJ$R|L^v5Pp`cOsZV75r-d-Xc`E%#@Vs_kBL6ObPN?=Or!JW=GN_^mE8O|? zh@{NmW3bD-m8t!UJzq{7oB=KpjLjfIjR8HU3he=cQ-^>$WmI_W*dpD!&W>2RUS#EN z5u{GG5E8>|#}yO)Sr&vh*tXZB5ORarH`+m8Uw;)2F(mxeFZ8m+Lp}SLfNE()lfT~b=bb@8*kd42{FfJei<1WngGnTtM4~-zYq6p?pWgKiK(Agyc8n}lQL{Fo z%FtPw)M($uBVwUa@K9(8I$_uh0g~*0V;=_mz5JB^PtN(NgK$SBQ+m4>1)Ena-S_$y zkxVF_{W-s@^UCSm8PBqzmx-yh?;x|oKB;E@zoLTt0g{L)yyXoF2l0A6@=H62J_Ain zm{I!k=M1~4na#Pb4#$ID3|c8RTu(3}3TLpplQnP9?Sw0HEp}5@@Kh5g-YvDhZo{}7 zd@W@uPZM)0i_=69Mtn%iE+UD5^s!bw%na>3fFzV-mc>}i0|r%~dFo5h{m@RMPR)rT z!=Q#;iubg+gx&kw;pVY-=qXyp239**jzJ$BaYySKOj_ZJEQTEam-&B9)y(bY2`+dc zUCPS*6$g_Ib4&JK)6u^`fP@)y2~$j&NO&8dHvEu|hymOdON(`;c8e$Lmm3O?Uv?kQ z0-~vf2X3WrHimu7Yx|?Wc0fCJOkKU{`0Y3CZLNL=gHG8@0&Rl{{8Ex+I!I{D7y2BsqFOOKPGFlvr2*6O_2(Ot~Eu22E&eC@0cu2;-#) z?u{VWZ{su|XQOzQ2~5&b-jb7nQw5>bP8$*N5y%2Zy?vQwK0OSg+Q_rpF{Or=E4Jbe zztM!c6blD9Gp9s&A^aZqiDTZ3L1KhviIe5%!*bjL&N-9+gn@v713G)#9Ir3vul0!E z36~SHjCie(^2RmI3J4{-QTNGZoAV`kVD^m0vqp}4l_5$(v7zuSS`PoK#SnPC1lc}` zsDsdT9~TfYnM4jMqybn$tb;k9)5KUB{qlyBdKFF~0va1a3Hny{wu z>J{3W8izwqMP-sBqA!S|=#F)?<0`m-ZAp7|miT}nrd3y)ItlXnmUUEQe?x43dl*Ev zQOI9Su>Uym)4l6fF#GZGr6+3MrL3)9L3#vPM!J+u=(2`d1&>9v^&Df9mQ64d8?UeR zLTS4-b^^_%a)9hz&0nYS-C^$zvV=ca51|tm2j0JLJ9fM~JAVZ(92$62&w)CuXx%-f zFz8{p19{G$<|g}#O4x-iak^Ct$lMjCf+<|!AdG7~Z_I#j<=t7bx;#kc!69!=d8}dn zqI${AVi+w)OQUqGsAm=nEIBtZOCTh>K2*ttXET!X47JVOll9k`d}k}*6)^!P(my-) zbWrt-#J;&_-}F=RtkIrRmoY2fOP>=>Nd!@=)g<18Pp*%u=Dd99qaEv`sT>uK;g9m<4_w5$%`~iAcg1BWJSk@x+WH1e^Yrm zSdX7Kv9>)wGC>AocHN~;9YAx0!_J`7Qn^uwf@Ew6%>?t5?#D+QjgpraxLGrax-YVb zc3^(K<{#LM9D=!#|Go;q56sRZABhEc922QT9hgcqYO{~afqT-$GRJGsyZ6->*eFie zT~VM3wW)qs|Lk~&K|gte3g%sVF}gWJUkH8mu|U}7CTfpM{ZE3kbxJSEw~f< zLcHgr^B*`ilAEV2+y1^vCGA0TrZvF4H>$B%)X>zRBR4701yvaG3`V`7kGyYcT zU}sc&68c+vQp@YE7ge$ApB+Mk{`2TRQIxb zWY!-c)Hj7;$$)nG%DIL@pDK+xpAn_Z4NYK%$)p;jrA{q})EV<$y*!))(WHP);bZ>s za?3=^`w}jul4-j|&)?u&Uei!q)|BkC2hwrQ!@^}nP6`~QL9UK;kd=g)SB>r?M{~9E zbc{geyE|7lOYTObKE5B({=99}>@g6NI0=@V965+GVde@vdhe!J_R7<^>s!MXmJ>gP{U&t_F~nutt$eIZM1~$Kt5J zgem)YAXDdj-*7XS+v6g5y@LA>M!vj!ODk;FZn(5<^O2F-0QoIoC}>OJcJ>MZ0(LT>E;1UetMu(Y|bEX_Efxy|(wpNP0`vQF%8sf2ZS3 ziUH<>SFZW}bS$rURhiQXYFpIr;t^LCM z#?O4FrEm~vbZIRsQIfu=1F0FSxQQ^HAZNZm_a7=g+mL{w^WBY<%#?`;nVgh_csc40 z)@$9riQzS3f^#oMN|++d%m+%gvD`j(DG>fIqM;jVg!W`dddV(P<2imAEF4OUp6^3{ zK`<3sm`y+5c1Z+8_q?u{dO;;DcQi*493wVfZzLzI7k!~%G%sYyUePwI@i8mVqY{7T zjcd^u5D~z6_X|vvsDj#-4=YE4vv}z;4hZPga4oj`wW_z@{%m09|A}P!=~XB$Ys2Np zgw$*oqd-LOK+z&LDomXq!}f|H?Tc{+z&jwHaXR7v&b_1s|4e_SgHsa@1~v-bQy$;> zfMq^rkWh78^bWy}@7Em6j}*b|e<)F~{*2uH-~DNDjQ<->=-mw7p05^2` z=T$V#Eu~NTRW1Zk@^AljqfB4Qrv(PmF_12$DSXR)9&|Z|TtK?rRSXb>@k-9Wgs%tI zGHRhv(R~`>s1@S($U^eH#JsqmZQ!sO#xUHMpqAwJnPm}mUM;KZFyUe07c3s4K4$Wc~a__OUn zGF_}ma*lAp`LG?Ex%Zryj4#1$J+%$$w{!E4wnuZ^{m|>tn~?&_tKiX%hC=< z{`uZ!tEu&LP_EV^ z{c+@9W5A01hY-OJ%b63oN~P-uU92!CVuLt;J_QPzd>d36Dkm&+^`W#g41pM82t!5d zaBiYQcDrIY0-%CR3N>yP+g&lWupDcxkh?sgdWgcszGuG3Zk*w@3;KCw5y!5Ec2m8G z(6&i*=kL&*gUteH?R52>d5m)w=hQlgwY0?>cyqfFgE_jp%o71QCSL|(N<};lY$l@CwC78j#wDW; z>gQY1zU(N1k?f&}i-7jOxCrl%Um(7GBtV{Pm=D8EWa>WAhL!6%376@hw0(StNBkl| zAh2D!k|)gOOK`Ipn&5nS4M_<1J7d4GS={7yTYr_s>-dOlZC@!%Z&ZDdE~~b zyr`~YyiZYi8{$1jE9Q=SN$|>i9qYO6Cq@-_9bBd?8WUJ7E*sF|?y7bxaa3O3i0}w4 zr5&z-VV29%3};rs0stjD7V)w=%@^PV!0Y(P0im5YqAo6g?Vf7S?Rq_K`jN7>E84O8 zI?HHTnelz6u^H1~FXW#T_9hMgc$-8l1sde47j79l@kYa^4!9mM=Y>KZ!Fy8bz2r6_ z=X#^nx;M^Mo>jBELAY-_4y;U+RtE$%HQUY+s*szp@&a8SxExHrR>2w9YyXS&SZ`Ww zS*-l$@e-Z+XiI#8tQSBmhoTQgJFLe9jm7UhrC@fbMJwC>MFg)dD~l}WRTmg{XUxlJ zPe%0TwW&=S2V!{zQJX4Nl;_6Gw|l99cSH)*=obvjn~)u`8l5UlqmE1pL$VURy;1HB z#5>WxVL5&aJ>8;8{}3Q5=1ROwwQJJdeDHi|(4_WxhkyvP^pYz0J=r33K|kqGsoFJ< z$SU#sn~tQfa|dI=TSX+{WWwC-@|d5U!wwpxYxKshl7zCP>aJ)G9>r@!m^b!1)xB*G zqF>v*)=p^ zl>*jlk9p)sLr>cg-2pinkquO$c2r-~x7W4nv8BWwSt`*!i<&_Fv_xU|(KLZMnOG)t zBX9p&H4-&8L~T6Mg^=EabSvZapw~5O+vpwY|2i0=9d|tiLrspCD&2{bkf3bcd#Q5} z?Kyt3(0&mF$KxjE)!wii0v=7$p7WG-zzei-+%-aZJub|cNt~7vgJTa^N`9BO3IQCf zU-yv+_l(6+Q3w_lFt!lVXKc)9ESbsFoSE9l%g#fm{F5RBqxvd&Yk&1 z-tm_22g+(DW2?f=s|?1%x<0U9>Q>c3avFw|DaF~X=^$IG-j{v*)j|X= zItn$nBg#Vki2oPhNflKu$FEt6`evIl zXDgRK%)eA6jMrPTDEfic12)^)7iHM4dM-Nk?bTbpi+58i1KAHuce9B}qa!jtSML*R zEot^NA*X$61lO#g;{j9|@Rx(+-?9^ApcgvErd2mZP@nn+Z4Oe0a-*LVR84Q}KiY^? zW)M?V@1v4o(!f7`un57;9F;G$>@A8P5ZFf*7nJ`HAXP~duYX$~voWlYX=^Ux9PN3{ z&4O`_@69~oRN4U_g6Y_f_2n&yz~-o_9O{{geGwsQsmQVzsaBtF?ZWB*A(d=nJ6l9? z+9PUQ3CPZOEcFe8((%@=hwfQ9EY1RgeaUK|ug(v?sZ(;vwt!Mdw{wl;#oK~(Hj+?; z9cGO!);PY67daJ{H4Oud=Cp7xeAjCl)(2H7J0kjx>c$f4|5QXJdIwlOZ_-AUY7waQ z=Z1pQ7rhk2IfnPFSGZF*fZ$y!{Fo5ZyYf&29^aDC*{9 zV%GH~xr)c`v6sgJT9Q;Od$dLRXco6(?b0cIkfGxLiyT_!)l&{legYlI1FcOp6#k^W zN!+6lA5_f2x48*38#QNJoa8L6J? z8eSRg+O7Ry?(ImorI|zIJ|f0`)K?&r6f4ZP?=n#Dvp><=hH{HVY-kpM68X%~PZu`R zZI<}WYw<9ka>~g;%q(`VSDb@$aq>`N+?=RnWu(Z>;oisot@qf!4xuPU|Imz0jN!07e^NF-f`eNs!gI{tUo04_&*__6>Fel6#Jmfm#0Hm0F*~B*ZQInso^xh3F6sh!4QH3gR^1nrvn*BZ2$Ngyho-AdpG6x*OB^mhVq(%k0Ay(eTX5+HG}v$*G=?(L;haT=X|wN^vg&r;*1 zkt6J$ihn&iZm_Ij;+2vlG zZ&Opz`EKLCV^>sOI-ToitYi1qCTVMidXIsqUY7!G#YQILd4i9 zL0$fAj4U`8ODs9&It|qY*-^Zelk+HO?ZSIgiGNK~@_)l4;XUz4Y-dA=dtg}17hmGL z{XuvFG}?Y|infyMrPrP=U8qO&Br}Gv>Av?0J%BO9*QS z0Uu^Hej3alz6qVbI>arif#*pqCX&#Gv~JO8T{!B7U)HZLG?spt!Fp3Wme=cm#7?JL ziGNg?Mz+o1q;IIhNvOiUPuPpmm(GFpc|Pojrxt%=lH?hMgk=K9=}p{ZGFPPw><#on zP}BzXt^1@JP|a)f%qeLGH+1h!KX7DhoCmK}hFKHz>iz9jHq8EiNtNQCoVUzUdM8>@&Q{=)zFKjD^6>x*HLG$Ny-YF7XEtQ+IyOPi& zOfDgS(75==eJ9=RS50cpInyxe*NAwr=={;~Q^y~W z!0?eTTfmW1z@P@~A^Jh{gvEigYH{|X#PsClvM$5;G4D)l4@Mpx+wGM)EuQu{J?JpA4|Hm9- z7pf4c|IvN8a+c6OQ6rFOP&xsIt%ATytOg zPlikQgn5Rv;L$A1uudprJg@B_I3e3B>~6axz1-*~5}Ru={!NUIZ5aGDbaxJs04(vd zwK^m23{^pAH(VjcQgf6vuhF!~HTq{Qlm&4{yd%pa3>4kwN>x*^jvLOAn`rlNu}Rp4 z?kJ2`oXXouceMKE2mxNXcbU8$^?l{GCZYhQBZ&HdVM;^)KO>c&E>JGY%T%)jIRt5v z8mK*4o)!h_Df4HAB}0X!tx0V%!~130_4{BF4+m1}v5Eg5XWto?blZphH14!JS6R6w zvoy0LbCe5mq?sw@!cA&wIddz5w%wY0OJ!;*MmQ=bnFIIUd*J{VC@P5h{(IizeLvsN z{fRGr@X(9vI)CT-p}OZZxdy;4&e71`+tQ}KPf~E?_n{Wbl764DT_YPrzGqf?Ivn3` zCaZm_aJc1+7=%}&BmyMVgYE*APJI`eY&18hjS_cMFLQxD$ZcAfyljMf4)fSCp654z z1al~&T0WLu@hB{;ZhbA1K{kpFI6-YK8f_3Ogt?kyHt%iJVTKK3vj7I8|1;#bU|rLP z+O?0RS7Xwc<3doujY`JJ0NuKO!5Y24Lp@&oGLRK(iMw<7o|(0D?vn?*dhFwz&~P=h zZu_q6lFo05k8CHaP8?Lb0~GT7Z*5LT-JEPS#%ZsIulebBZN+O>qFde2+ymVsRPlG4 z3X@y)~vQlLWBY&R|HBj)@KQ>M}L*-smu7=o%1R;7Nz`?3l}*j{ru=v5UJ+@ z5*-j7NL4@EX0g%ztk}u{?YhhU#jEW{yFNO70-zO~qq!>$VK!c$jMTQVr|pI*u7x-x z%|W~QHJDCHXjAU$uUJzCc6QV<^uqonqxxhW_CR_0vn45xZJxgu>BEffw|^TUdhvut z&ilz)U07VUUw-zbM!Y04FaEHA&Eblc|B@3QcOK;OkZ^G5FQnhShWb@nq+US)x^9x0F@o zKK-O|49_EMGFiw7VLwuQwmIl5oobtiZ2Vk#hUIITrA{B=1=o;yzA#&HM6r185U-M^ zuL?*~rvoXUStt%7sdwFJuHQes(k!pEASi3sK*~~XDem11{ht}N)H`fq@42T&m1CK9 zTsE9~nD^)=M1pkRO=4@>w5pcfC@)W zJ~=j-9Jr#c6!6#e{kt5$>Eo~TC` z+WZ8U5!`52=lI=jv#6~T?0K0hqgHjr7eZ?Mnr@LI>mWmxUNo-A1_J_Y%gFzJKS%&b zsjT*uDQ7_St7M2cU9KnPb4~V}d^JU8Sn4v^PTOp*9-C@q>bFJK)6h{3-ZFi}s}k5> z-;n-NA2KQ@K3bGVyJ3W}Vh`p(=Fb-~SEwm4dyXJ_{7ikefLN$qMdV<+vbT&h6m>2V zXIC&)_Wr3Id!Wyimr~&Rw2SLOuf%Tks{+z|b46I&Kkt&-uq4QD08D zu=opc3Z*O)4CIO(>9r`x2Y^DYZvnUz!RUP`o*tX=p_B^>QY^87?y2Zi5%Y~`uYs0Le#n<0Wh=!g6Y7O?3PkZ^E+dCxJD1R>_1n z6=na1T$Mk{_lZHO(zq*&?TtYQJk&-p1pY*=NBBR!ij5ZOch>BN!W9yfdP>Xl_y#c?*B<9AXVaeDTA#}%?XkJKe+Sqm@+18~^c?>E_$sBr|> zm2lgx2iJW@7fX7jveSC5kPk0r%SvFHQt@lLH)KCo^RU_BUgH-&otfScOMJgUx|XXy z{qx2}&|s^MJF9==ohX#{1>&M5d$c(!rZSy+88eIT*?5^=m|J$naHy>Dp%yBE4w>gByopTP*9qrIFN(*y9(82)i6sG zNYV*vd@TO%94;c%|Tr1w7aoT z#X;u#a=tD30f@sjzwPj0908(=W)bOb4QVl1mY43&B=GE41K_4TSp_=tM= zC*js&a46XpOfiC0-b~J`e&*etKzM`p{{C;i8h`}F8DL4mvn}w)zpj;FzUf!Zb5un} z^z$|fR&8V3__wz%OXEo5aDtG`bx z%5_ViM>1C+0~y<0gA3Dn&phCmc|70i;QP=zQ|-5n%LSV4g`?OSnRhk^ z?G7BC>^LB;qKS(qhJAr#P0d6|B}sT)-DkF|^1@fhrMC z@S#r{&|B&sbIWT5ZY&DVr-1$|tS>$FG0N=BQ!AzMgo^ZFD@&xlR`b;kJJ=U{OA$~$ zLp}v$yY)=_udctUICB5Z6ghXg`Gl&Cy2=$c*smP$7thay&VD(e_w+rslx9M|EQTxi zZAGIEOFqKEXZG)}T;7tAlB_IA2`^_2EM7v4go%NWJ`N!!?$Q~kG+z+%Gk=3r{&qSE zkqwqkyBRx9jbs2 zyCB5|5_DPF#i!u53JNJaIM(jP6}`BuQKsR0UNz;D^erEN)xILRcN6Hunl-0jcc1cr z309^q3V)Sgly!c%{-U%s{hOx%&koEFKIH!J6V)$)3Qlzb4_Z?`zQ;%l9Jh__k>wdN zFOub+lI5hG#@Srn-hI}UE=&%+cnh*(Zm*MS0+$PZUR#I{QyGJ4h09D^kemR<(jS7eJUqUYjRE8 zEoA}Nx3;xNU@A{5#r5h>g|K?ci}uPFT%DqEh_Oe}d1Ef}skLGs-V~j!s)Npg(NhIl3y|&XrJdqXl)^@jAe1J)n~d-wd!HY{ z>!;;Vn&ZU59f;pn7XOAo5(EgO5#=t`D}PJ~Jb($|%ldt_2iHf>gIN5#PoqI-ou&Q+ ztu9{V9~;6$sF92`dL-a8GQA~oNfk>?v7z^f7v?bgKS6@XMTdHR13l(RaKCK;%>@@Y zd!N`2BVRGVuN1&UCqS0wl0Q05hL1|mcawbYSbtJg?Xb5xDiWOgUh{Qi66oD*m~C@j zdNjQ+_f<|Q5BO)p#o@4oE4PAZv-!6>b~n`DM=E@hZ7&ECiji5 z@A8Ba9DN$DNXq&0(4}R0bC?nNPP&1qczbD=1lTKXP0w~^sHX*Qto(v4PO#lUlx7E} zkiORnx!CaoxIqO!l;v|^YyxT5*PT;OzaOt29ZGu9d-6nuubAV@?rUbWx{wE-%+kBd z&R=>g9lMrSgQD6-FGU?~jap(|uR0GMbTAO4@OVkt==-$;{;za)m#mB$)LAgp(YYXd zaFlmUiKy!S>)6}>{X$fhc3LV{5!JR8j2Hz6-e4 z(rhlDkhO4W(m@-yg0sj)F*GS|B&oxpTpP|T0N9XJvD8lNvMI5$R1o6W?e`{owkNcN2B|FVG;(Veks{o_fxS>C?2EWq=#e z1fzhQ6=<~%zDF|e&E1x!XJ!HNKQ+eu6SGjNhWyc~c(2qHJ*bT7eD`%r9d<2{zh8&Q zyRjeuum=uV$}{f&vlZzG@6yxbB}Z`Z?7%->#r~XzsBW+p?zBc1&#RcptE=YXOTa}? z?UigEM7y!%f05wagL)H7{??RdwuM!gZxf9ZsX1;LsJ&fizO8XOXF)P6RCq~fb57EF z#4?ZBAhrweq77F=?Dyprz{(Fd1uQPMT6K&cxe7`|MnZ$_Yul_kJyAX4g6fpw+9IgnY8oPOsqX+)TxbN8KmW`lU)TWdy- zE}&aw&gUG#SwfEBJUY+w@<;#bhJ`kHHYy2&{)V#|qYa$0c$;L0|FN1KGy2hS8qEKttACc^!`ETG|;u z7v$y@CHujo1zN;LIB={6R?*AuSa~-*ux>i^-^}u#iaY>wg%#wb->me_lFVCIo%nfw z#POfupbbu*X^&TojpFO2TYq>&KvZ8)3TGCk4oqoPnJB?3sTJ` zvI)K7Qc+e|CzbTN3^LBXCLlA65w%+?%c{f8Ma+i8ibTl)6HFqL(4BDX5l5hdWImZ< z5D~{&bv(lvuxhk9y>g5%hx=S0%|7l;>i$x1i~l(ER<9dbEDgHA`E)n2<5>f_zMk)W zLy@D5bdR|)Vo?mFd_s2R9Hy=Cd~LrZfxK8k8>$E=fmbu{QVWv`nUSxG`-`&42|7FC zG3ot_Hdu!)hs%YrU0X^E?TFvO*Ch_+U!Fg@LnlB*QOh#{sOdQ>YkF}mG7e$f;Wy9@ zkMKB`L(2x>wW4x>)Xu9o%9r*3CJ467LnmUIEfGzV73B>97#XD5S?XbnVb7PpiX^8irU zN@EInG_gpd;k*@2 zaEmBj>m+cR-75k?=+aZCcIrvpE?be^+ z+mdOC(Pu2_$KwP?hV{zw@_>{9IKw#}qg+zJcYhyILSfD4NCeSCJ{nzL@X{AKi6l>V zJ=7l{8lc|@lFNVFEDVS=upQ>TeO(5>eI@WkZrk#&)@Yj>K1Uc=xe%zZ>);Migw{8o zK$3&0DCrks@jqCv51OssF4sXc@d#qf(y8CsK{uqoj~8jDON$vOS(x}@XMOlqm>0iE zq&Rteq(|Ba_zlx`$XA+Aegl(7a5$v8Z)RIW+?ur~LqeBT3W zyM*Xq!AP0Pd#=?~*yc4RarzA=NBkDvcfJ(1E2-cqZb0#N%tSe3t}d6TC5N{$ZEky> zl8;e(WpFsPa9OsaRx2u(M^qcH&n1%Xhzw(YWeSkGURRYYuQ`?y4M z{)C8st2v{g`j*{-jI|y9E?-2NQ@X4TdX*k9+u}6a*9D0L$uM3IFTz#euqo-+hX-9Q zb7YG9?4cO%De!FsDx~M_9FXviB?862lj!w*)ZaFXyQ{&3h_9RNChr2>{^@0Org;+R z)d_wa6YKq@=fxkB&knl^+K|@fFyPu07328V3c2(mThQ^K5&ztUs@7C!tD5I7g~LJo zB~2=(CjC-scpV`s#hP9bJL_eRv2?LhNQ@N@>uk#INe#VCZjPiyOe{M$V{p-0yab0co3oaR+VN%<*VdNQM1s)dt?NLz?>Gs~!kz7zxn?tz-&`SLY z4sjfK$VD>*^@xNw!Vd~z?miI?6IXVV=~OX{mtDfN9&m6aLY%3)Srw&6)^7rS(D3zd zbj(R%owIpu9jc+CQT)7s$>vnNZ}nSd-4uK}LC1CJ?BHj^_od&7t0=!!3k*Y(=;fcErfwa++XBqFpH6kgCYidf?NERt5N*A!dL!9#L1)DE7I|kr zKKL+7=m2dwkVq_Y(5sj&q|6q&9D*x5Rs2^7Ltou&MD`v*q&5=e4urcPQ_w*(hep(y z$@30RA&j+>pY+b4SslIWrwOAZz5(ecq#Mt>i%h&lIfL2ON`tOd?AqOI6!G7`)wyRm zl`1dvbmw5eK!6b7CM0X8m5E{oQlCN|dGx&H3)AEtulgSN52yEyjx#{2BuExUea6Ln zyJT*N;obAfAPBnp$BvR~*F{L-=#no!( zO}dQD5gpR4x#mh?>Sa!jfMY8(mRxG;hN|ETvP+aq$zkNUSop-{@jm$=^Q--(LW0qE zujtrql0`~#w7|Fj@NoFFf^QUxp#kfWpPi6fVXSBz&T#+?y^ZRjXeNV^6Y7D!+uER2 zs#7tueN-+XRG4IK;#Aq+mBFbtg$mUaZJ^P413a38Jn5Q44GP={zID{DAA~MLkTIFF zRvaZI3aed$Gx)PMt$j0pgPZ`_W5-#bdV-wj+}gih^%#x|BU?_WiDv zO&{f5HOZ@vF;>b?eH9uOBV(_kf(Q1UxnC>mer4j_w-lG-(v&i^6vsdqk8IFaO1m1d zr5%E$U5aC=R@!}>qN+cUC9}Is>AHqlwU3+u9fP?oyQCDh1}DbZpNvHeu&Tn`ix58W zLMLauCq!8R=~ktd%M7|F8cjZ9R%Wu!WKoIRBuU+v~BhW^t zrwfn(m=ZHkIrzfF45&JIbnSC-rXLtUsXIM^l|2a3UTnw&PgJ=nMPQ6RitP-v!+6id z5fAvrJW2zx73BNnHj#gDmaPtkr$0~X`SK@q7$o~2T6AlJkB*GteN9FF2<*Mz-gRTN z)_K&l*wNY?$H!6!dy`59Db1Rh$7`7H=VPPO!+@7WnI*V+MUqLY1`P9>*BPIjinFhf zOx#HtFe|BCeU}w%QvNvQ!FC5av^c+ez}aMe2IC97!>=`8w8uwBE+yBV=YwYn z(#uvc%LJF3g*C$B8wBy@u^8e-?`y0iE4#Y87TFPZj~Pp;D!4G0RfzT6=8DbDp3=+bK4`7z3eg3_G`V zQ1;WDFhU_!)1Lw;#XqD)qCe}&-~+I!Fqtuz*a`bqseCM&=tS-BgTWbVA=4lEZ#;f{ z?&ipogvN`fz-Px?OMP7{7=)tXAcE4V&OLeY)`0&LfwOfusvhb1X5z30&+fA45H$SEz zgc#r85>uCL_H;d{E=CqjRDs>HR;6`^xJ==%pQxc(C>EBhiqYO>xJUCLMEPBw7>#{8 z1vY!z%^om_0b>WNU!6}w53V<&CKieZRn}@lP|2JgP8b?7)ty7%C(|u-ORNjgd0UJy zc3uA?@YFvVM~#Khl1i=Z2D0sg?WU}E#z9V)5Kp>Rt(yN>ZJ|y!Vh#O}Lugw!(~~C4 zC^Tno>G0Kj`mVDBYQp(XdHS%q{6jjW*6$CC4tBE5enA9n(uwc|TI?PWdhKokJt2j1 zYXTNM>PKRjf}A2_v1FV0?uw1<%4HzS_7S2)BDO!Q|68`TICG8$o}+4>MXXW9Z=p?< z0e-Ma5&@quEt4SVYZsD+G_-*E64nO-H&6eEqm5pDxNH=+KGiwvz2?PYv> z?A&j{enm%3#teN&`rtI%HstetC@?oRMls~e4%HaO_7%<{j9k9Po91wh*CXdGJ%nPR z2hf7ib_%xCZ#-a5Kgm7)Szfp#DCA2t+KviY9ETF|#H?Wn|B7d*8c#W29ATzu*#Gd@ zW`TcwTff^NVUhyJuTKVUa)QWlk@>JJBJqXv4EJIhAbwy6vf@ z;Fe!=ewUce0d+p0_D~N`;i|DCol6nvNRb?%HdKym4wOr>X1?{T%o%0|PQLZ*LUT9y zS$YV%6xVu@nA(cPYa!i_Wal{g;IK|1OV;58D#*%b1X>866ZPJGY42S+`Oi#M(=M0Z z1LBWEMT+-Er~!~pcKdWvE81tNwMpfmxftr$XQ>r?8iEZs={imEiscRj{DEhS0(^!y z>?I@>m(7e2RC3@&?pGpGbHj6?`gHRYCrO)%Z#|NCIUDh&Qzk7ZR5YrcOLSmSow*hb z7ah=yGBb${$?!3N{=55MmuWbs+Fp}p8v+O_Fa==5aFS!Dk-{w;am16=} zJdRm3=#VMgxgu;Ke^_*Tu*>{|KWmK3$$yntR_+SxeJ z39aQl4h*~>e@=Hs&W0a>mB~+$ik}S@W}}9}abdaQyt@}MqKY>$5qE*pOgUqn61HkO zsTiz^*a=4#Pl5VqmF=g%YeLoWXFi&{d{tTq(=A<7C%8R}7_-f{p4(PAFd7LwGk!t{ zo6(^r*O28uA;JyWeV)5Woa%($GBvMossU#Vb9Lrp0PpT&NRQjtsvkDv)Avc|$lD7` z;$;3#T9tUr*BzJQ3gp%j{z3JI#^FyUVyNG<=KJKu;E?_=Kb1e&)=?0*7>x4+MXs_v zFTRtns@ZRkI7M1|ROKMw7HB;EOsVLN82GNL5>b$!el@vGa*|Wvru_QG!wkvlea3jH zUGxCFu{ho_Ac-@ewRCqD8uk~h!2QRRrxR+UF4PbXo1_F$|Dp$D_POpU4h;rDa!4r% zMPTkJ515Z5j;ih#bw_!8|^8Yg-kf__i+xzUQV(4WO2*V zzdrg_^x^(`%T;18)at6=nC~K4p=QV`$a);r=9Uy(SdbUBw^kvCnZ1oxJf6*i;XYJ7 zpbb5$-V(uxWe5kR&!*@erkpUws00(Uyi7^K(~z9mwVxD%=hW+1V_3o5Gp}ah(k{W$ zd0zIo{OmwT43xf7Sg_4!xvy$!wnmgSfz-vp7af|8=rPy!X*p7DrgCXe!P|>&mPI-5vL#WXX2) z8xbqe2l5hplz)2vYaeA5gQpG}rJu5qrcWwuNy)Y@sHAIr&d(21+c)Ty)x)$^`bXsb zhc0MKgk22rdR8m|CG!?#W35c7qeXrNPQ|4?;<>`TN%Xeh>*T`oN<7P9Vm6;{FBtmB z3>Y2?1m-3Xwo4urJ(J=da*e+k%Efj^26yVzo0WEsmv+(Ymx3CPY5qF#^t0k zD%S`-(#FD`gJr(!ydUNDQS)rqzL|IMz(pIs<*<6bI1!QHm2)_?(iI?DJ+F};(5dxW zlrzBF@t6%E^ZL}0qp%vLPp1DKVm9s|woGwK-%#P1zH&va-P95GsW|Bv{;v|%2KcR` zdPJF`wX;(g7kqedkWHV`6ZXTkn4e3pHtlm!9Yt>>vekA*^N|+TexpS78t$mKd=?KE z%qWr+;;DTEcDrh=#D1bI^pmSy&JmAt6L?IA;`%wDfK{DDplS;>g%d$SNV0INXxk1J zp;EOOGe#6+JN!-~vB98Yn?rlFZ$$F4|6$NdUFub#xu(n2P20^mhYu@!S{M2w!7LZW zZ_&uVM+V1S`F0L=4q9t_V7J1I43ujvQk)i(J~ZtA3~DoCM+67n!Q!_oeR)M;mU9Iz z_e!e;g*Lu-49$xAHrSdN2$uUz(&1E$Yk*dO+J-&%kIXcr-nD@mNZZXepV(Ty{p$fW zGQSh{{DzX!9gE%#{Q-&3m-K@8{G+OBGSd* z9;|$yQ!L;6D}|+YkcEp-qyH2y8fqMTXIE#me1Nni>`wJ{Ef5+cTO@@IF#1WL#%7c? zxC3eFUirx9&{oge?)0D|;|F%rwl;Zt-?a%9`0E3IHtdPj>|SJ3=a|PiIo~v37h-sR zmQd_G@97_tu5)JVl0`r8_!$-7-E~+yoWk|h)jmjV?deO?e`qy8<^HJyQMnPx(V>pv zQPY=y(=DkLavH6P#fvRna!APXDUr_3zT`tzzX(;7F%Jfnel(XfoW><#I z`tptVLhXzRe?Q$<52ine)2on;d^@=7#kUo-jsE+MA+|5K2b{o`GDVrBitYlLTK2$j zDImVJ<$z|*B;Raa_?Y)d3UV6!#^RK-U4av-a`GHPeQUx+8@H`~3F$PsOO+B=}=y>Q#=uUmyhxB^zl_ZDrFdPG|6P~UbHtM$GD zdU4qfr)DX*+*-QXP*zGy`jP9(D(#rV6ERoT+&wdpCTp+uoAa>tx_c!fCV-OVud}%v51ZX6nf7ApG!Dj2V zHCKA|WJHBLb`w$wW7Tfs>j&$vJ^zdbr~tZK*EwYWwrxEmoYz1lA9-EokX!I`7ga|m zMMkb4V)IYWtK4zg`in6~(t#4BrH95=lbmKFh6qux{eN8m%(NwGLmZH(vW;zi2j0KC zWM0GSL7*F-SeBnJjUyRhE8@P+z3E7S!JwA6@PvA9NuKd!ph$y28an7i zcxWlkM7K+*re6=Dk1PAx_!7fgpP&RcCW8+5f9|aX%^t9c{w??=;LMN?2z?d?-E>7K zdn!y17!*f3VUXAIQePd+Jn{lSK_hN^yvj7H03VUxrOT!A*?%Q98a)@UFk}N}5_Szq zUb`RJ8o9;}?X1?yivjJ?V+s+wUD#`X5Mae(fJ2H|Lss_Xx7Rb}C}!t*TZ>$OWjL)> z%mO!+d%`*c_1F3+#q}XYGE>LNXWd&q;%S|7`Cuw}WN)pebh~F313#4B9wU%+ zU;W>6n*QgUW>*r1gBO{)FDj?3ygLM-7R*rmsB=-ns7tXx--63KAqP7knBZOC(X-wf z(iq3Kj=`N+vq<8PgH4VFb{(5zi0Ga|GEO>%)Ts#tZ#=^yHw zyG+30!OgweE&UXF^=jXSHWUyvPt)#lDRkiTcESV@Z`3phr$1G=X4ezi^A9ewgj@=1 zX$x@VNGq-Z>uoBofwPhC@5(AD5GgET4oZ+Zx3jtgLP zkSnb9`UJn`H{et(OcF$N7V@uB)s3q%bBUp{4uA-&9YO?UCwp+dRKYM{nE?|m)B~M$ zA|IpwVs@C~GsS81TA}0G9EYmV9k5+fr(DwkWnD-bJnH?)n$;$_;a*D`ygmKvH3d$L zDc*P^KP`fupTX@uXRFrC!CfFW3p zd-ZXa$DYr0N}1UH@*TKZ1*E4uI}lBl`2TzMVsLky~%BZGy4WHea+vD+T)>`GxOIHoFQh+}AX4{Tq%=M6izTE@6Q^d7B;j>2bMiO06 ziq_iz#edfAv3ueq;Hnf!CO(uCi1u>`NlI_(#%njp_j$Y#B{YeJpm^xFTVVM1;qJDS z;iht*bfqfhhp@Zyr81NRJ^v(bWmGc|FKs6Z#zEy|)6ZFsQd921vSkNSrjB=9a>iW= z<+=wEY#4T7KVCb$b)@I+8}1aR1=(xYL!{g*o}A=V!J{eyQ1Os&KpvC}ICu94Bn@7e zfT}7}TbbC?&U1QP;dUmNn&VLP?Of3++T(l)Cn6#?t4FD&DCkRYp|jX|Klv%yN{5`5 z%Sx8DxyRq3lrJ4@;Oytt@;9I90OWzLvTtGfy2SElM3u*KBf2>KKOO$^Gt@NP&*8s4 zH()`;G9v@av9VHq__4_%TQdO6pzQ zlAHT%#567h6p^B7{W!48uMB?Qy`2!*uNB+OfQ^~ZxgH%*SN=~438d3G9oC!X z12&Mg0#yV(d_)#86xhVi9C5-l7U60{OWSERu7fUt8q?n3YM?kXzv0!Uf225vA{`HCegKr_oN&YgN?B|e;M56|e|rAoB72=S_c=vod@5eHi139DJ}?0% zc{O8(I$B}A8^oAzrZzq+CYUsSWa_uL(6l;%{=-~;mbu)97!bzEXBHH$w6h00WU`t= z^*JN@;qH#xvx#kFY-|04YknQA8HEdPj_Gqe66I=8kMl|v6>-t>0}@bGt|XfjZOMnN zxdE#!U@7QRpJ>R6?+J8s|3ib0LS3$6CEicFUN~W8u-q%|gAyZz(;fIivm4sR*$eUp z{6TPoX)1WQYkKDALL6oGGsPhMG^SjhZlK)wq~}?06YlxmSBO)JQchc$TvHzo!YfYb zhP!TMPB<W*T;Q{*Z&Aw8OOLIqz^q!96-Pk<&b*-f?Ed$x_;~FqBs^X7AWV3tk4eot=({& zK!uF`L97>5xgDUvZcAiDh0H5}_dwk$2h^^jqT@myWwx29Sx>k4o*VuXoVOOB;e@a> z$8;&heTGC*&B%#r$3TU#7dxi4O=U!y8bxIlzvoWP*xxDG@u+4vx|UHLM?TOUbESng zYX6=*Dr7mpvZTs4HrT2s8moibLtrO>cb3rMn_WIt1rvc%#xQXG-8L{h;COmb7G+a zJCldcuMu2#c5NxVbiuh{(7_(>Y-0-B38!6k$N<-$g>JN#SaExRnO}f*OIy#yZi1_? zxpzp;@B7r0+ihaphM#W#Q$|kc!h0a^Z{h`Ho!zd(jJPdUROnpC zR^{5xE{E22&J+i^I5Or-VjQd&9-`^0EuB$`PFKC-H5EzS=00FXVxXDPsk+!wit2ow zgbG7|9g=Ik=peyX!2@`QTzV9#MsG9Ni#1!1Nn^Oa9xEZne&jX>eL*Ga$o;jEdrA}1 z8p&-q$gApuZNdEnoTlnpFdKCEaWl`toEmb{&IP9eIM+afHqgJet(@QaNf=1A`EYki zfwo%fb6hK9gq3Kstjk&+jO5e1Pj>S?htClr_b@>hYMbHge(CZEwG7SxUOmTb_l4U} zawhTp)q18L5e|DH@!-I=*M7!f zc1b@rsz4&2?Fahi*AvzDu_|JnN;_baBQ~DM%|mMt)2XBF*oh_y=vZ~I!s<`KjV-~U zqC;P|mC~sr^p`>zvz0q$Vw32dn%3I?vd%R+3@#8v_33Vq+s1Tj?T$@Q(|u_f#G+u| z?5jwbaPb%x+JT%16j}e6aL@lqSqm!MKS99>p$*guEN+dx7`ldY6xz7G zf)sKU{sWDD-Gg1rNeg(ESDUH6|2}hH&89iOQMdJkst<3*EhXSbR&G;28<{(nF3eM# zHFpL$pC#Q4kvG~obgxvJe$(B}2%Q26051f2kH9b;YdFTOYCIw&v~k|*36*Km5VS^Z z8xEPOktR_0sl&XmMrwXGuok1r0bASpx9_kR133~45j~SH5@K8|%~$<<`=?Q7M8!g? zT8tX`1Jgf$%ND(bF^G1;tb?l7S&?R*6(IP+ACB$dxd!IXkmcF`k?@S8V7q_PeoE7> z#I;pzu^&1J^fj4pEIVO9tJU{uy)V>F=0p!~05s`T40YfqjqdsnEe~`a!19pl)2kcg zP<})y;HaoZ7EgYR4U?=BBkLLp2hpaBYA2Ir+#u|1wTZ-SPu&6`*|ZVNWZ3hopX{{Qr% z%x|&Vw=ePl=|!tMe04BSlE6kB6gkq210VGxX>|2XZ>f_?-hqF$&-a9CT+@&=3Up^o z$3E044{OAjWoaG&HGImbu*(K?q4hjwp$?W-YPxS_8n~e|-=%V8@lSx!!9J)}pR@`R zN&Y3$H7=lI<+%l?ZB-d0_(b&mP`P|Q%|5PYmqksVn_W1ZFr*BiZq3QdE!6+6eSXYF ze}Q712&+@E>#Mg*x(j#TInp%n!hdYlzad8DNA+x?MiK72Gq&V@7k{Sy^L-h@#mS)c z{mO$~`RN(f*kot}sW{qrC2(NHG2VliEMt#UCtU^ZNmG8_q3 zB^18>^xvz!JpYIXFyS<4XSfb7lzssxMSitjj6O1QEnHr4THkfD|0kL3VmGzV{lxqv zHfY;QcF@v4tJ1b4t@0QfXT-qZu5MKOkgT}0<0h#~aqdWM--v{I3-i)20xsm znR&Hbz6uS-rhD4mV9Y1L7tJ0YFy`LB4zb*ea`7BcxYcwH7{3TzL)CsR=niSlk1DI4 zcdpg+&*IlbRbpjXn<$6fKM=Ma!njm<_&mI@&b_ceTY)ov4$QY5S+!O}KpIY%=d(Tr zU%YgfIf2`WqYkR9HwhMf1r%3CX=-)A#rdH15FW{_V4Lbh7=co|74O#h;ay#4R(|CE z&S*KZ1IxARskqv6w%KSid7s*g9|HToZz=s}snuV%9$Wy0mFkPmGzw!DK1|)ycL2=S zkMl((kXbya{>V39N!*3k<$`8E|MA~&qjehWfEtFa5?&oNP`co^)vC{R97M8> zp_bEgpeSq;!w$7}tRME6c!U#j+ja-YHz8$LGuO-x>n=ifNYpZ)`IDJ|?UBW+W4nse zoPheP80BWM_&IG20Y{uZCG+i0(&Cc+0srD5{kQC(rfw;9#3}ncAk{RPq3>%RqK=N| zS#Cw_Oo0ZjnT?w7j3Og%Gn=OdU{?UF3_$SJXTRoH+>ov3f2;!3c_SEAal&HIa!1m{ zdyY$G)pQx)mmeCqPI}ZbOtIyiOzKQ1XkhWN=l^pv`F8ZHvHW!!@1{iUA^gV~QIPz8 zUo+P7E^leYW|x~!pZ+a3RqE1fHy``4%;ClH|C-dmPQqP>bDzC}W*SrG!l0RFGu%ql zUCRze?N4<`j@9tzXVFu3F9beNS(V4%`SDejxKi3A#9&SX7G8c(@YW;xn_r04%894A zboAO=zPWxmOS`J}+nNLSZf!oWo*i(#g8q2eW@10}2d|@d#xFaj){@TsRKABPJrw-! zWV%{(nhtZ5*hoC=f@!tJx$9r4{%(f5k zdvg1lWC0Dt=#qGRv_J-{+yH1MQwd>x9*G%0GuUvCh*gg%dFR{~Q@o`P4jG)ko4UOB zDKvr^<{Dv}{IpoOe|n`o%+Xm&)OyZBAvNh37q7nYhnkar#RF+&86%r}kQaAi6a6|b z-rGHzsfJ|z=NH?rsG2Afcc0yR_n#IPnFqF|JJ{SwsYtZ+O=~mTW|wX45CxG8xwdFM zSsOW!-&lSYkKMChn%`hqIY7aeb<}U#>cx$<_d9k|k-@xR!hs>GE=POQHzrGBU?^wb z-`b)%lY<8CD zp1qvcaaqFob7oPN*M6A0R@vcFk$>0r+9&7Rpp|1Pn6V@8cbZZ~YQ-(GU+HK%{uo(| zO!%QD=9vCnugbmFXNN={YNkaDHVst<1G=B*FAwgBsWJy@>#AdpV5BkWsdH+}DZb*e%Cmd)6LDy~NHwy9Mh z-C}1~d`D-o(@p5>joQsl6~KnGW1??&Bg>=KePHqX>b8n)%yOwN1s}SO8)Q;VHiB31 z#JOq$OW_X>G%fX(;A(MDNBIy@DxV&nvU$>7^_9R(>B{!uaMj=ckt&iw z7FbtSsTe8oBN)uelF9m>&d9K7aS4RIa{r z?G^hD`Nw+Ao_n?b!k(i&*Nzl^bu!4}-kdgP+Qs2duV&xyA>!eP5Y6Ok=H!hd!GuGa zX19bzK02kAt14Jc`FIE9kQ@{^Ln`Ra-G6PkH=nMK{@LkRe3sGLf6Jln)8$vKzGvSr zT!j~2=y0#ny`OwV+c(0mE!pj+CyjD5Waf;{;M|k&*~a;PBWK-&cejqmW|M@+b|9<= zlfmouM`ROUwdOAlsTc`Pc%iTMin?JHj&mH*{Ka$QAAP*ciTzb4{**dHzhCqG_;m=+ zWgI*DdDtDnBhNV9mQI7#bi*rddr#58 zKry~8o{;FUNZI4x=QTai-LlYq9yZ2>R40g6%k3^y)JxgHy4%54CTv3y!)3YP!31~p z-gcgby0>>{{+{6AD>iaZK-qpEzUB13&hMQw>gyeLQsl*(7iCSVwa`s*QTq?vYHujB zktY%Db?^N6>-ny)RLIQFcQmm!Y=gJNwiZ)81tKXL9J?Bi>ofUFyXYEhL0F;hORtNK z)lZ&HC{s}Ct>pQH1_G@?S5N(|7N;gt#o;P{r?UXL{b&Sw&$ulG z$0PjFyyQvCG$r_RyyUamfg*U@LWiYQ($~L9Z910(8%s_IW2$uRO}|>Tn21I;-a0>) z^O7&j!N>-!_7kfoQ~R(rMVe1IN6xOFU+1aTp`98e;P+*Dqc8bt75DiQ?BAS+Y_Un6)KXr0%x&4uV4y;n zb;9e$OJN9SlqAYG>aa6qAIo_^jV*=!vAicm8+YnzJ3#Bk-;Gr}K6ACyVLZ$JGeG4O{I1=na0qNthd)e8 z&dlf^((2$HLQKpdU0&$ z?YuIi7e*%O7;(Bgt9)R+@cV2(>c3mYe-*sFA}kOjJ!_y{{YrrRu$=^3O7KM`A}Nh) zI151nBZps$9LH=SL6LTHmP?Aux;EFc-V5#v` zAk7{<$w>;y=P0jRlF*6_JlF*Ux=EhwQ%rF3n}y&qT24$;1RMQgq?Q-eq0_z|Sr+DMOdXgA_=|OWASBoJQ)^ETBy<8yEiSTWe zmBoyzBS1aqRf^o*><>GgCifENb45#Ak(GtpH8$M}o7`btOx+NL8}USeQRP<+UM=b4 zO>X9>DS@QFJe!0HLCb6}I3^=s;^y!B)()w$6Z7jdJx#L3@HI{O@m$hqZSQd;R+D z9cje8B;EgZg`<;Bw%=7|{c)_~Qv`{*OI$U>8czpkj(r9K@{|5_h*9g8rljg1{TraL8r-C_EFj zc`tSpa$nD&Ij9~OzrBSNx7{)8A`@96>7aue2%MOcwWi3DZS*yRLtxbrkvFpST3e&? z_|2a#$yLTD*Mwy=e+})gBjo}HgVrntXp&_sKdkO2Vi>+pZfJ6S$F54rB zr1*VLlc3`kbNkZY$fjzO?NnRzJlOZ*cjf08e}hY1jm~`dY4(jS-{eho3^Sx0T~ zaI4NsXid>E1Ak4hI)VKv+($RE`B94J#ednc7g#^|3V8*p-}C2spZUrO#6-T**fyy? z`B6VZ27$9;Zv0Y7Qx!r$xsow-7cY%^@IH9C_Mxl)h$#x;_Nv#5{T35!9tv+38>Tq+ zgT1~QxJqExRrJc&64C6PgFee%9=?-|X;+oJdHlWUEY@-;DSt*0EAr(yXNQj$$xpoz z=@in$RsWy#`~PSZ7IZ-&0C7g?CZ&Ix1pQ+XQbtynh|!hcz>u|s@pks(%`G4UAx5b> zNWv@u0T7E-C#Mx$^MFWV-k!qwVB~m|4rI6F$2m`*pt*m8L{h*W!vimWSn>~>BCNBr z!Fr{nu34BkDnW8d$*Z7Ly0&K~(GFb0^j(Y0v{5wQevH!iOq-LzaC;$AaFEP*RFrpg zDwW6H1g*ax#F~Vu8$l|0*VCRNAd0=>Oaut~DYbd^Oz>k|#?jKy8M9=lhyR0VW-^#5 z93$?N_#79sBz&7QHl0`bq3aQB9jI`AAv_SDSoeAZb>?33N?X{`6k|U^`|R+02ZUWg z0HXwGAI>$Ok9svuCHF3meZ+{?RY$)XGL+47{6&*9B81E*&)R?CfY z;~Tl>@v&dXtNWQU^j`~sSrVhPiFahgT(yx2@=rWn0FooQFE`}_V7!Pnp)`loanR_F zr()z)jz)#r@lIF5bM`!Zj3aBNe4H5WLZ@7m#ouFUwPNe{1)4>98U+T5l~#RqBvk)x zT=;)FK#(~#wusGnjjiiG`{N`4VsbeJ&`G4jlDH`uAOCcq`Wn@S8{OI))AS<~Jmcu? zd_$qvyj$KZPu$3Rdl}uLgP{D=k3mF^24IZIVYW(>iZ!aQ6L2y?dy-`rMusb~*PyjX zu-i$nQ6BVE61I(fQ_EHBo?18JF}kgp(E&+hGkjvkTwJHc&t^z*Wk#2xeqokI;oo}c zI>r4}hTo&2$^1?IyXE|Q+h4fKz@tv=ZHBHRaDu>qlf7(9vf=lLPabo$E0++H)y)-g z_wq2(Yh4^9oiK6l(G$|}MYh>m$3IQWfouH*iGO02AYFI&aU87^I@Ib`wht_?+y@-T zy>07$3M?0_@AgN0kPQ(8s@n716{qj^W?2X`!mn04GfuxuTCh)Qs=WVu5F#o0P@_2e zLF323G|lxlLT|=bZ5J;wA9bt!<21O8DR5$ zkrQd__3pIwVy0erwj=mAuW$Ur*DZ+(0n?0!{l@P;xOwqRbm}qxPpkJ&5idN+`{UV_ zseU!fU|&P#rTcLiYlse($B2lvXFJyLBnz?Afu0{RbF9(yQ4LSSFCZe}q-V?;%=`^1 zqVeg)KHjc*-%c#gkuiw+9&8w|ZBC}2;5-B{4fLsj&$+zLO0N5}K z89$-DaIg6BDt?Yh3}!hB`=`mYWV}#INx&?_uMed&>_#09?@KXWbin1ug9EjVbjx42 zt24(4HJJ6kj4vnAl&eyRF;Hq33qE!vKTK~!(--Je2haYolT=B_mkbcxAv@U^=5eeG zV6~p`)icI8bO0Up5|+;oW_f@u)4fb0QHtbS;V+pUyAS^HsGUtD^qlw^UYa4G4NYBe z_`17F5)*afHObN8d^1s&aIRhFygEvguTNEUh5e@t4udivF=+$;g>!~z2IISGJmMd@nsSF--WZLyo z2I-e359$qL;=jCrU2a!L;RI~RgPrUB_Zvl`=}AN*+L8jFgqJCNc`yCI;8sTXgC8#= z;JL$BhAwfTp4P&&7&gJcNRf-qq@^EWWPv8>n6W;5(j_(b9&{tNHB&V5v>Kzg#aRV&RIH6V4riyx(QUhEb93gnALX18eCQdGin z`khNK)-x)cI8iPL&Rt6+Fj{-}2=Va=gNOZ>=iE1{;V(d2r*^faalYv-lGa@#)q?8y zeZOT6{PS{o7pptZZqjZR_5_TPSCiYA^>r-)rEQtqxur; zoEC=>2EVV4Ofs-+I-1zr$vFZJ?OVPC3@ld~VvPt02Qb*u!ZmMCNyZ zY{Du@P@d`nKhIRjZ|%zq@!<1;rgTCODT5EMeZBUxFR!L7Z9OrT17#z>IlA1xj%)hs zU-}l3|8#?Y@{9$Qp_5Wc0=|4W`>GHXb>Pxi?MMG&)fwY z<=q>c;pu;)tK23KS|9NZe0|A7=rwdUla=gGyi~8Y1PW3I@KapYGhf`h@8hS|?!99Y z1r@l+1hOas1rNKzM0(}HqHFnW;6)??dYm058Cn}OmPI$L3hsvUtwJQPQ^2r`j&LuN z=rn_G9wECNH05VuB3MAY>O6u(UF9_(*667v@6!->bk^&RsP}o_3m2JoX0^}S%$?6< zk`5!I6#d{I90^&?%)Ri=T%9qI1#kV7Cy|E6FFg(CbH!lWgYYntj_xGvfl&U0!!K-q zhEXKElDK}^S_}>48iIAqtVtr;yQpRdi`lEzq+BX35Qqd``NN4n0jq>FeUG5rn;H_c zEh;CI!^s53_Dp9l#o8{t$5BZO(%*bD9NDon#o0XLfhV#GjgQD6ePp+ZFL7Mk*}>{4 z@Ap(`;c6AnCg81pLBLE+tM2dHgbXOVB`zqyLf@yMNdc0Mx3bv*N*g4abI`E;&*zMw>k^XG3sO^PEWy>m$H!IzyGe@ z`h<+dfprGjE&2k735NwF7cy9)87KshCSlre#tLe@nG%vErbX&1OI=a55gj@aLC{c< z0mshi3@gU9&59}mpjj7IQiM!hNgiA3*QD)8j?xYgbH{z3W)r|9LA0~!=H?&M!>|w# ztvy#(?V-FMR=@a0m?Kmib~21e!qn_uM&L26QUDi|cC+~WSR#-j8*tJSJc40XEtMAT zE${`$uIx|4gjFIO4gIUFIs}{do&W!4JYCBE7Hf;lOIgQ^+@t?!WVx6NG4;6V>-pNY z#?QYcZyEz{S^*6<8nS038VQF3PAz$7i749Zr6%HZ1X{G2??`0jd+X{N|M69&WX|&6 zI)x%-6v@nr&g{DmNCUQU$KG5@&jh=ZSoGv2j&vivtBJg@d}Te*Nc&HVQsc`l#zqSU zhJQ&<@=QS=BMB_vx3+L%izo85IM)oH{Vu=B1l3ca(KtWeSo=F>qIoe+Bp67#Jw^rk5)V6`v2ljJvjuDYPDN-bV z(;Y0?Ax9$F9Rv<-Xm~QrN^o88f7uld8y-uB71IYpusub8xGM(JKyzuffK-(nUS0X> zV$;^F)&8xxWWYJRJqMN7@0uZr;{I;=E6%Xe677f>p5JSeZZFdNQ7ArdX5hqHr9Bcy zmLRIE_N*-ckiXXXXj3`kn=d}K@Cdc$IwzFg;j#?XPXz{lBKf91n9iH+2$ptjaQPj|M%=82P;wGeQtd za(rEHN?G=2*gOvP;g)wb!}o84_+);S2B)?ljc3)r5zB+_p5hYlEb&e7W#WQ_<(9~n z&A{Ch@teZ(pac~WD3v|S#j1$CpYKJ;_3L!X4HF>fApp9kj)0tmw5|1ZF`69#&#Y6i zDhJJ89Ic%x3Bv^>35A4WF9Rp5KDA=_s`}QzzZ3^rPZy;Fk(_+k=&zZpn(_j+0B@F| zjlx%xe`@mim+KKAn6Kjp>0TGnhVycmWd<{jMXxC+#*`!r1UtyE>tO`&x&5xf%55iA z$P~7rtX$wp7ftX>HR}+X&Sv`p^!}*)?e#w-HvNYa*Ce0IVlE%MT~cwSp`y*r!j3=y@743Sky7?u73KJ@v=7Orj4m$aQmCb=Rb+SBzyt`YEyg$(45oFHjqb6K_Cbs7w;9Sx8D6vG%ZgNH1D&w_kmBrE)f;;c#A?U zi_(aN?@Qt)Ks3gq?pCi=cfix*POhHo4HHFB`$>Ec(=y{2=Xa{t?aCZZ8z26Sj=jYH zLW@por$$}iFkB&NqI6Xz=;{3taxaB7sjOURbr_S#>+&vqrcl^LVBcC_5b1G(c)sCg zpO>{Ma=H~H+8rwSv3mECPIkHzNJ|JA9RrG9xPBb&@}6D^Cbb{SC)K;0xX%~*(ZtPq zxF&pLg8wZarIm&PXV-mBormVGLFL&onI_TDGi&d-?FfjpEZMU-a$4HHVW98UG9F7g zo%&{*LW-5jbk}|J8L7T+q_x6iG@USrWUoKtDMb{9BBUaV6?D2f^V7<|+th#hIAb&< zPQ&5u_C~$(LvE4nn-~&6?ZLv65{}x$_1z>f7ya`KM(H0qA3m0M)$Fg&sF$fw@N;>$ zMSBJ0_`TRocz8M5!OmgGYq;b2h4Jr&Fn|~O4T~K7IL_XeX5G?hbLttT+dzyetyWpt zDs48OU~I;a|7hJ@u}y)$OT2uDr+~ND3gImQKff|PfjwjFWnSjftD`gI(yxz>TEBm} z9#&@bMR8Ge`Q421gw{@m$44h|&olAVsvSr6>-8_ns*P-0P2N*9HlhdT%p#*m?-$q$ zOhpeCliAjzl9M?O7)#dra64-B`~Ee&g})N+O=T!a`_F`AOuvmG0=R4=G~`@95Z!jV zzTw>=194<1w^5Y#6a?>tnMm8Pd7fK`AYr?qW&YgmV ze49Rp+P)i8rMua=AlOe75~I03iN)?4!A$NEzaX2YBt(X^ZsnHOqt_{_ zbxzXTWKN?L&iC%?@y0H_FXQGY?+_RI{P}$!X=fjS9^Bzg`%@sx#qbb~JqT>FGbWP) zK5~*KxClxbaEC-XiOu$8}4X8Gj`fecno9=_Zo&)zF1Y(5f{Y`j!1C}a~A98cE zSW!NB6C(+D{SQLJc!#s?#%2FqaZ%7J@k!DRE_9ffRdrpaDK_Mk(La*graRIheoDbT8k-<6eI zPMoq>{*mjl`*})fe!{lz;Z!tM9bf8}HR&5MJif}PTK~tE4Z`JAOY1${fZGWs%`|OMUB*-9K z6CtjDb+Ia}KOB+)U?ODS3Q-TGp#|`5Y{^2YH<(9Pe@MDr2n z(Orl6?CIwH2B+u-?~95w8VBZUF2)n<2Gj19x48QENCP&0mr`w5_?N;xMzfI@)-3(_ z`fKuj)67tO*Xkbe$8e>(TdgwB}!0xl4e{8Y+6e zek_M)bB;NvYWaCcweA_+jD4!tgZ=*_%Q2Y%-`cbOyq;W}dp&-gKi;8tWCR_DMC|?nX__#!W?5q|8SGmWhj)ulzi;CT|FwY~*lORkC90 zu|gzoYzie#@T5KYqpX!+uZxH9I}Wnwc;8Odn$C$OKZ?sjXUmFeyvFbI#TaqQ=6RSb zCO`e09U|Z0|93ps;xK!D zoN~neLC`8qP%>z)NLm$%#FP|?U6 zCy{5*Czo9;EkJ)z9+z#$mTWqruqnsC920E|oG%AAlcH4aJPSKPBzA|(Lq%=64<`$a z#@2=${bM&dR7m|Z_9seOG>X)?z79czJbC8=`WQKDGgBz~i`r~xwJ41~e4;pfM)fwz z^8Y(_({u#V}gZlm~R`s5Y_T} z?_Rkf;b`8gAGfxDE`94nnJl4V1oNs~Lnb0A&`xZ7i8W=hvm>p4QauAok|`Jb zi8mib_aFf462Rx8lRVthOP`}O0c{e>3! z8TW0TCiGrhlz_0d-a=%6wFxC@P{0P?7oi3JMGE0Z^W)54ZLoRN)TfG*j?--DxiKB3 zMBelR;SD+l+##*vcxTl%&Z4PO*O;@i27^b7E--s(m3zBfWjyb%vytj8RymukpC9sQ z(M=?XB{AB0f@5FZYA{8aKbeUMaII;+yP+8i$Y)Ntocto*a1G8fSFScQ3~oMoJ4oER zuH35}a+0mB{cHGTckRmIr1Pb|?7&=HfRGga-z1zYD&~7beL`A5E|S5)c|}{1rLAvoU^<+&|6AXoxs+ zERCz|Stauo0MBbOG5lRQ<;%7x?MEu-Xzrkvj{A&VEef>E!`Gq_o_FK`>UW<5X^CD= z{3qT0uLnWzytzt<`Y8cANlSo_|;JH4%-+LG&MGz!`J@x!rN5IwW7kLa`wiItS z3v_e>2%$hg4S38ufUf0mzG)%LQ^cM6=fHdg#{A<_%GK~TAtfCQ@AIN1Qis!&G+hz* zo^q>JFBPNj7$1#Sj@OH%VK~rt_8d;)bcehSqli|+r{EBw z_x+q!5UpSH;2eg;vVGNj?wnurj&|0A>zmveK)u9`kqsf;Lofors;Z$7cXSFnH>_gxH+q84$zNIl&k1M}5* zte4^`ttgd9e*G%oKhK?Qtk0gPwEl%+zpx(sW#Zc%62Hk}NqOjdlZ%~&qfBL*mIUIo zt<3CqY-&UJ&&YA%RLuZ=&Tj;5&q9;KqLP&sgIMP(_E`zgM2@H6(bDlN?4exnM2SmL z4^Wd%QmLYX>FnOl%J{{x8JC+4lN)1|&IaEiE9!xSZoq4WqNz43PguT)nm!R6F>idd zsNW6wD)Oz>-|~mJz;aTH%h@CCNP5&nYZ|O~d%W?_{Ok4;>5A5WlPBp8ZI{Mfpmd)p zqP-<1lVK2+*$PozGafYuU9&hPF_(84myXHE`%bshh_mgO%4SLIkE#)Xu|$UNvLB&S z-jmXK-6}CPsAC}DcaiMTYc_<<^*BY-(3(9aII)>Jqeoy&hhBEVojd=^COep}xDmXQ z?_TQpl@<05g}xDKL%yA$;S0pS2f)MfGH{S7*$zzqRHSVFp|kZSvI-KL0bm53Dy#7UW%wtNa5FYJO?GCZZRtH3D4?? zK{5XO{<7KyT0aV9fz+E$8oSw!q)vUKuR|X8Ri8I!efvF;ZBzvoucYp)Ci@Cu`{P_P zwqnsc7b(^5`Umxe)XAviB*!jfBwoO3VK{K4=ib1F?MmwSpV<2WER~yxg_}H3N%Kud z5{5a}aWbYv*7|iHlY5kt6jPt&=De!-F(Noat3fQyUh;9)Q{m4bHG5gSw+uem;`Y4H zK2=ym>fT2$by$JtIXz`EYg6VA!ot=4=?3Nd2s)14Nyk_}@00#)3A|8bF#a(%0ZkC=rnt!nzbM`KSf0;H!LXlrI}po6S&Dl>T_>x2 z9V=h#U{t>ndi8s;O~%H3|ALG%rtciesJczc%Fc+t`)(vZBl-JT^O!VWtFirb`B)1Y z-nxk$VgtjQJSFHwgsVq?Akk2+55{2p_%dEC%R;53vUqW^MuVAqIafY9Fd6ha#xTPg zsa&rqc{i?sS=mLYzggaF-}vkhKP1r5PUyuITM_i{-o{|8xA^Y+hcF}IU>ZLzKe`Ya zMwZ+6-~8C3r3*u(2pDFv!VbF_tJ!v?5#A&35fJx?&&}kL{HN6?AF+9ztp>6!uHg`1 zBt3)cRsxk=K<@|MEm=u}^UY~_@l*Ofud^Q`bY>&fIuvfM5Wc;q@_xb39>TRaC;%4db5 zTAppJ?cqbf7mE^TqL3$adptAS;N9x=8(ku(aK`D5{_*^922%m4wDgL#&+OadAymMi zan+r(_Y?7#kMW)NufPFu+bI9F!Y*ePIb!N~9)YHJrA?R53WNC~^i@^8Z#?V3*!w`2F`MaJo6karU|*Z!@Zu!`u@kRntE_O%7F>&QTF$fX3=*pZWhWuS|fkW+gqz3 zeUidXL+61ot{8<6_IsERM4MBY*g=pCKFOBzz{}HCtj5h-eRA@{XX%70zj4(lil@T8 zJ9A;=fyE2P7IC|CgTK|5QC+vyGaN(vZyn+s^yr@&87FhdLwjRO-`d?iR9RS>TD)`V zBbM~Tu8TElL^5Y(cD&S9&_mGoN*ry7fg8;)lS*{95BM~SyIucWOzzIxZRfh7Cm1Fc zlO?V0`09<1CMXwpY%>hhA1xS2_V|vS(t{h(kCz(W6L~D&999(>5OprSoibicC(t_cht0{`GNH{eRI(I_(3r}8nb+dtF_dB1bpxxG+ zsvRWs8V>RRe0*_gKk_fd@Bfj0|H0xE8(8<|<6(#Bg&fw6RexHq@o;OP0~uWM(X;~z$DCF$(S*C45VIg_&J&DC8i$KDr{|oNb0Ol!%HO-Nuk1Ig?w)l zTw8lY@y#xe>^x%N`f#0*PF@Q~Ra%&0twF#zR&nu7(v70h*D;`%ROfRd=688c^aE71 zKl8%5{S*hT{hj@o*J9E&R}`v9zA6nx>08X?NsZovuxm)EN%wG(i!noSP{5L}&t-Vb zmP33A3zylRJZXfs&iy^rYFHU32{G3Y^Y#0!evE8xcdqD&3}K2b7p=2n$BGX8*byB| zFpDO9>5N^(DO5zLlvsB1lnq!J`!h`D$>$5I6}{F>#hf@kJ4lU;*`gXDZ)oIcApQqb z7g_;pQ3v+eOFcID^mE_lFQ@=rXcaWGaB=nSjF@uG!dx6|GqfNKqPBjA{d2{-m5o+( ze||CND$yiE4QIi%gR~0983AYCtDCDL4g5M9Mrg}qi)!cRL~XUo9!rQ3^oOSSy^r+B z;MR>hXI69D71L3)zsmI*d#v_4QZy==-<6t3x_kGsKjgqYuna-cpBQ;XdDcI59BfX~ zut`%V6t65Gikv55?UTs=GgdnkpF6~~T@qf359op)G!4ZuNl(%}b;FLb$JAy&Y?pRw zcGGTtvcT9q4-6ETw4^A%V@^;9P~0pki~4KK$$*H}q^69*65akfkM>X?OZNQbv5kBE zVBN0xrEZ}?pH zt4?M9V%i75<}1=i^u>>K^4t_l=o;oe4<+-lG7DDP(x0p>NWFZn@ky3n0= zQhH2I6Z}xm^lp@IY%sAtAeIEZ`dsyaqV{d3x&i@Gy3{~Kor2hmWvN1mJUwbKagZlc zoyURSFiY|Qlhc}l_>>niOZ;lZLY_CI)TQS*hK;zB^T3^PpWv8r9|H;}PGzj+WZfhNsJ)ejOBfWk(-F;>p@9POS{Lq6#Puq7E?B_W|Iwk6IvV5Sw z2IR=9FzIp+?vL~>H^Wqtkt~Gte0rGFM{w%&YAO3{_!X;E%Tx1`VZ&Pa5mBy;=A-r3 zTygQ~M_H0aEI9mrT%aeI%o^BI;5DpUsqfNbmH6CtJu&H%>_OVa(QRz8 zK?d^#bdj@)78TFbgdS2%bQ!X=dido;^({jXFJl&AD2rdfoPW8feb6;#-Zhdt16^l* zumHcgdXVEf{e{=)H$|Chk!xlAPjlZg%VzA3AUsy&ca+B+`_9dT`yAyYA)OyrGNu1T1lt4D6@=KSyA{O6kL4_ABM?J4GJLr#Ez^Okx zyjWd?Qe3rbR!dPc?oeTghHTymsVpqE^R>=?wQg_KkO0IF!w$2a-PV7m0T(WZ`0R|r$>!LmR|Fkc z*_0^oBW5!9YUl6@f9cq0Vl$`g=uLsxZ{3Wiba4K!=h0oXOX0ebo2jQz7*V(#CjYG^IKVa3=Q;V-@hPZyPxbTuKPMTZf4QJ;of zY5%jBL@{0Mnh+ZPbUERNdMSa*Fi)rfh4>3p73od^n)b zrha(OG~czX&w!WQ{E;1gb=9qBA!xVpy;16AUa>*TlN30hdApi<*5P-Z4(C$o77iaF@=M8z1kh;1@hn7MM(f3-aUt>6tX=G@nQoVxwejaeb+6 zd{F4yv2j+nkXW~PMQ5ljLCDs_czNxAIFNii^X+*WC=sJK@7lC0e;I6R!Q7aIOTkSc zEoHweD3e;;L)y|2~np0=iqY;woM5mi(dfMyUGi^J%Y>S(McR7gjqTtH2L# z=ASPI2m`P0lQQh~!;`snfq(9p{f)#qnDiEtgJUDF2+$M}VTkjs%tTr|6kdIq^f4aS zILA`Y*G0a^q{a%I3cD25#{MTE;zG`!eA~9>OIpNM9@$K8`^uqiyBO&!%xAS+^!5`B zJQz0#I*m%xL~=6@s5H^c!XIkTfmsI_hnd6I4d;c*-_yH68tH(b>en^gDv}>BeM_H# z?n7^d8|&oT`V1GOeNe#$L<7ab%L=X$;O*8P12!VssNL?W1r^jwEnv@;w%q^yY|qnEtpPuSsFH_(RUTVcZZz@_W|}1wk2eRN5M9MH9a+te+>Bp* zG8^A3TybbQN!m{;T}|G(LgN%@i01FTeUtQufs!e5`v}gh_?Z|U!)IJ=izu?b-^W&S z=i0$vpwC)%+EgdwgxYH^4E?E%-Q%$Q)WfC7H5ON1YkSZ_G@uvser-VIPmbG|@K=J_ zE{a1lUA*9hQSX?C{om%-@tq5GIv5=!QkvcmynD_L2t}T*uvfbcFCyV! zEfa!(8u7l`GrC6v3nmigZM(jgf1PZqYGYLZFrD>UBFS z<>aG(g|7Z<6W$v(_w`9jci{0%z z`Q1SP;VLJp>0vxAH}^j*lQ}6GB>Gq{xTaKh5vA-%E_t7p;9iBdLyD9Wh>ssP3>vy* z@+Kfq+G!h)>GB>CjM%L_HwGhu>XXm7JzVXn=_J5z!=FSWAd^S~y5~^nQJ?@olyEZ( z9)lGRMXJeb%jNv4tFy?~rIdEzre(HvF1XBx=)wR%;-SC(>9_d9(_cdJf&;c}&8z2$ zs#?cP(7jUq+|tbBc}1T$P9Fy9ljuvD*abEn|cQ^A~9;GMPVIjP#$fUpO~2;cI&NUu`LoH`8#Um+gK{!Ao2n4H~&^32+r83rJQrMR+?l79KPi0@$DsQFS>P+ zoc5PTjYx9fA8~2ng1B?CTp0SFk~3m1yVa=-?%uFJuZ1mvrUKj!IpymIGXydMAM~v{ zLIy-Mau^`>h$_S>e&XVRt=H!SHf66q-En2% zzUn5Jb)Vw)WIyYlafp)r zJ~_&OMFbi}!4}wYTd-*y=NNFog`Y*@6U*;QO7|pJImziyUuM@>ACvC`r$5`|aO&Bo z@Xg&ghnwmj8W4KHa#{_pgRZ_yw=r`yAO*`)Nw4k%pXhx9@2v%~^|`7$0?l`=w+Hg_ zKTe6fDmH-k#olmWpIbVCIIZXQkzca0i}a^0;gv@y2Csv6nj|t;qqe~*vX(;?SZ69f z-6h^_yfBrV()S&GnR`*wcQRu^`#Cmju9QmSp`YzAv%JdM+EaGe?a>sYwjz-FAxkPX z2cr$y5$k+iN)+3&ne%sM-r)MJq0D7-%MrY#t4p+6G~zM7Zqz(zXw6{-NQ;~$oITslCea0HaMaRO+r`xC@jX&5?W#A~Yic4W4m-2VME?zf?SB9`b(JGO zOxmrvGQnPh)~<`IN_5S3{gM`TQ&hGaaspuL-E%GG-V8~)jldTpz6=63@7 zq%DNEq~sL9x7Wj8 z;A19slghaf?W-eyThr98M7M)W91ACTLj6^_yIQh|=7y-aJs!P8EMV?4^8tNQ_d=oXxz%z0d z?C?#{(K)f(Pi7u1dHYxudKF*Q@jfT3)Ayl#?~3lHB-&PV-S$pl?PvdHV`564jdx6? zFl~v>DY0O|$?J#&n#jaJ0!qeyr!0$Jg$B^}`Ol(9bR!^5LVeGj^}>5GV3E-<<_dzu zXYV89EA7w@aQc{LMlrv8e@fRW>VONr@ZVx$PJYfGdWht|%8o0bKYj`ed(hdlBI;Ni zP&4OaK6v#B1rxtbT7JAfQf&3)5e{)^PR8v5i{k@vMMWW91GzeOyYs={w?QZ&G*EY` z(D3u5l3|?1e%`AF&rw|Vx9gh68e!!h;H+&G*je?x23_a}J0H@bf9alR0CQmR-bxxT zFas0ef(YLs-AXnTbl!L&+cA|!h;CScDk;|&pybN#^Rnqo(ZAgbaJSJq`U-_4>%^+$ zKebEJ`deL!FJ#{95qf1Isa>!p%QB4Nk-+5Ui#bsCd_XG<`$4P36&AQr9$r@S3f!dY z9~iurRFmVjJ9};HB)(U!$dmX=PeCyUeo&QKRX1cVP)fKHw_Af0x+pch`Z)u)^#tG4 z%k{Rl>hTxqONk2dF;wG^kph~J*;m(3cQ}(k|G9Md`{4Dh|B)vUb^(lRnD`Qu3#pq))d#5afDn%xG-zMAE(>!zi za%mGAr8Zy2?+AOj91QAA@;1R^G8>0u8eVUW$&)NYvAH#V1?%EK!OT8ggMX;CqK2L? zwi6A-8(SWu)z|BK+IWZ@+bn)1X_nc?%kku-T-Q+uXZDS=??Qq(W!37Ax5ulE%tf-* z20v-1R>;P`BQMfUuIl(Tw{v$;v^!9bV158&Bp@7!FV%r zw%)uBIo?}~-gi`<_Ixq;#lAaS$5K}Z2XqF}&N+vz-LPkBMaOZx;pQT$A_aLQk>-+p zoLs;}ye>syTu{t|v`j$rI~*Kf_h2>U;Syq1Zt?2yxo*=fdB;6K!Tl+N^dDc%toZ{N zBj0qh%Cjt=Y`_Pe5K&dkw z?6_GvKd!{XioHEs=j7_>$C)|H(lXsv(?P(ifOe6k0~V7+hu4jfTV zUOvMn0|{cDyqhd6e$ZL4D zkZz}Cgxlq}D#okj&8=66*dA~#Xs(h2eUAL(ZIxS{8>lICf?`(wYf_x@ z4$beu*xeeLwfpki>ySo@?{2t&W@4p5-ygDrSB|k-!PmEC`^SEW9ku3nCa?;VxXCM@ z-nwsVsoQqztqjUaAt!i!KV4gxdU=yDL+FVAfF=+tYleMqELFO|Hi~r~?WXJw)2Iyh zmDMBE#yJ0M9qRXLFnY%sEoV7x-lBFL5?Cz{QT{jZ<)Vxw5c#0SOHthrjg1*?;o}nC z+LO3EYEWDfm;MQiCWEoZ#XLGpWVYW{<)`e6fcv#F5pn)6?!G)6>b~teQB)X9mMk+Q z=}K9W-Hed5Nu}&r%T)HA8DkO|`y>frB)P~gTf!j2kYy-4*@hX+*o|du@2~55p8L7) z`+2VWd9L?3-hbZX_;HLe4)dMgxqQyg`8mJeV!NPDC2g01S68#;8W@=%B!@!-SR;Bi zN^rURE(x}EuLl@a5h6@5)j---NqTLco$avdvE`y=dfE@3Up^twJU&@++xh5M^>bRU z-J4@RH8tCYl*j|x4Bm8g1!6#1d!vwm@A0)K}l%Ehg~b!s6WxFTH{`7GS;xsJz( zv+6Gq@$FAs;ja^Mo*yr2P)&gSHkiDFV>0RJ^ZYVKUL|_ifS=ifToae-Yq}@H=P?}q z5=Mr}>lHtK{@hUkgu|a`>~-(hB7;^^W#Kh>ona831(%=Z?%q#Z`I;E41e}hsH*9;w zGI{Bn(=BTJTL7{k7c)tZzR`X>xOq>P%o~4;mvXGHCDR1U#zL}NDz<<5QsU4GHC_&@ z_1aT_T``1Dpl5QD8>N>1T|vR(OJLSo;F?F(QcY=A#VZja(2vzb@EdF!2DyBx*(YBv0uBooRJf z@!e!Ak3iWE_oFDDLA9li`AT9gKb(yF7I$_W3J47h4%C!B(fidGI@wI!eF+Tmsv-!h zKY*`m%6Vd|jtF5%IKF>u&z-RH^KsrN%cmCC3@x$p)mASjdCi z-c1XT_7}FA>lWfJ_o~nSX3fyKes3qpx0&ag_Nrs^Ceg6qZoTqEb=xuXXfhNPf}M#AJm181bTEImv4F~J#KjCAUNDtdJV@d z@bbbkVv-n~hTNn%_ zS3tmvz-{>TgVyKFo;^!^v;CH>X4~zoG=n6YYVRQde*SERe<}93>u-F>kjJDbxF8)I z`;5J@p^+G2GpqKiSQgwZZ4kG(qcKD}|Ah0A<9|=k{7pT+1knX1<$bYoqGD$`uKJAY z2CIhl$;3=x+qw*%+8u*f5Bcng#YbI^O(=qc+jWdA=Kx9g+<-lFTv-te46D?0AGEQu z(smK%S9}SXBClfte*DXJ7U|VS>;WZh%C(oPtC=7j*MXCV zU*LgJ)I+|39-rm&U(hI8l+Olhc8#e6+N+9nxzBZNrr24E-UqpB|EA`Y#(y-}P*b%n zdTcbo4~@1_aUFh_@Z;4_k5~YCYQZ#Qj-T3Z?Re#nX%aer`{rDFP{G9XswR5_~o1ggxGb5ev}*>)m|0+=AcJZ+buxkQ)0LZxrg2% z5;UKijMYXS|LxR^V*=h@ST22zG5}qF&U1DxXT-P9AM%3O4oKoRSw?&`g@DIPidAr1E>LrZZZAMZJ$IqrF=3|j{_eG6vqKr@twEBV}qCfahzD;*sP=bv*6F9&<{_>vKRF4XYQGP80- zf%h!*b|kH&MlWGz7ShJu{$)daGWOm=e{Be`fk?3HM~hL=31FZ-$tGXGK%Q)7vwz0& zl%dJ{^P$AWD{aR#dG70&6_{kb@?PxGxSD&pw`ouBO568o*}FVT_8nNUCvj%Llur0$ zEt|nz^5dsA6nU%sMXqB%aZ7ZaOJcjriDOyQX@*mi$2u7uY2Z~gIZ>jc-i4@vc=JC% zL?-|uC?~IdHjC?v5XMN2i+_ZlF6Ho#xOP2kLDlqC848bNj4$Wrshql+Cwa_B?cnJA zE=B!tDl(zl*Qs2enE&ju)N1Xu1g~-Pu5B-(7jeI_ywWu*0im{ps!V3=;elmHh zd9P|I1ftRw@0NeZ-kP_nI;gcr{vL2TJgU+hhj5CqLdAkJ0%;kUF8u4#)lWTNtWsZI zXyWGG1JrC$0#N`a!}p#=>Xi+Rn#)k*t^E=~3kc%E?!utKGW?&=yaIs50^RnF(Ve?N z6w>p>{*tTR?_W%Rit0@Ko^_ot>G(g5e=I=^4xml7%vjv2Tpv*z=EpGLB$T>cFDtRs6exZ5n(_I%xcpv#XbKr zeMg=NKz*xXJ*%l~ae!p)$b3=XxsfS8X&1|;KLvL#Bj{D%8Yikfo`~}K^vDXBS1f+l z&eJ^coR|Mt*t;woYOech;$A9<+Ggkwdr49*bWe=EEVyXz7?)uVSF;tX&BH0%n-%R5 z!gL2i9_F^g!i%jcnE{2$@2Uojm`(|W4cKeS9u7SyFvp!o>QEnghdJ}JuEsH>NQa(&A6)VB>=BHy^T_v~*YfnB7 z+dfgGnfoDl=FnH6>2g*0=S<`(rB%vk1|>Lu<{m*upAgNrv_!XsN|;*v^*&m_QxQSG zMA1q?&!_q$!zJ`4chxPdHz#~_1+=u%1=S{MbDQgpxTfDVOy5T9EF$&7)M^nv9uQ{r#vR$- zn9CtuQ_LprAsLX2lJT#0 z$S!!LEXto{yy|&ZO*=>+{9HGOJ|HE{qT(aG$G|t(YSu>3r^aiQ)*hlD{Zf;4gQrON zS`&BYrErym1P<_~vTNt7pWlJzeZz7oS<^Hj)gu^*T%UY!;ac86nzdBXh_Cs0t=vjp zGUD*wPn=b*M`@e!gWN;u$ww9o<5lZMk|LK90mPGU29!CKb~M-%MO(ZHs^es%K>9Ze zF3-9>&gip2IXoQ8NBj+rR`y&ye6bss=ni`#IsRf*>3<>ugb!l$E@^8LmMvu0h6;rC z1~{J!Up+K_G^0rv?fknnut{H7{o$Z8{dD}}6Z~4zd{iEi%=m2A5tQPR!{(M9D=;>q zQFx*v)gh=|@vyhqu?>CE`-e7yVSy6GAyB$7Fgq4EY{S0-^kw>+Q*%9??0}gAn4{ff zk~owd-4IQD;k7K>7%QPm5_+u?-6;6m0Wi$&Js0`w;e${%#DRlQ?-?oBE-*dI#)}|K z8?vF>yRiXkjoQj^)oCd9*$}>e~ z_7}?QX~7PTlICS+tyH8((=5qWRmII)o~_q}Zp1oE_(8;Vlw%vDnvdj8Y&|DmtCTg5 z?47+@AJXx)>Bgg%Cg$YjGCYJ?sB22Zgq)J0`_X^MA8rlESPx=AI{}seBb<}}!l8~Y z!CCNDah=J=$inZ%c&Pxk^RL9XS?{qsZ`&S|R_Z%aIdbpIB6>$37q~8+4U&EzeDBCz zK{kWE$r+oY)Je~&E{B_Wv%4}E+#2j7uvo9lC4f(=xDB42|FY&oP`J0Pr(fp_D)%PN z-AdWR-$ZZdwc^gFNbM*5_TX+_MM2L_lsD`ac)nXw-{*3ndRf}LseIDw4~IV9E2**a z)PYJP`@G1H5M?g=l9?lMM71G-%gSPY)lb?4q2DiHya6RDIK`@U@Cx(mwqz!o7QyC= z^9xS@z-Y~&&sQ^a?^byR4AunXN%7c^7Oe=Lmv@$w08c8jwZ42V6}nhgoeXTm;2e3> zKM5*v54EwC{hy2aE&u5Kdr=lEQ zDOO$`^LtgM_5B1hx(v01dxvu5MP87-rS@G+A>4P&9+ny!CGaF|2@81q8%>}E4S2jA z2pesE>X-@LhiHzo`mHj*XU-4M==k1W?#xdxMT{ADePd<{F6&Ooa!32}{ ze9qSjb?YputbQqMwve-O$<^N2p4=o$Fj|d?Jh20GL%!dr*Bdcg{G+zGT;GTXW{GSe z*XtYQU7_iBC#SwX_`dY%y(du_b2gEomP1@Fq0*pl^A~-_NJEADW)kMiF;ksec{m|S zhc~X|#1^`KHA8JuZOf)3@YCa7aB?Q;Cbx7|%;S_#d^P~hVs`nQ8Nt&A^!=#+n3J^D zRmMuy!ygqWgme{S;m2Gej0L1(a8#ARod77wbIvyd7%$`QywUZRx~Z>-1<3EAZFc`t zcSCKN=TaOObT%(}Au!oG=UJk@{L5qYDY}s79?#r)#(5|7JlZD??jJ#aYJQ=(YYP&m zv>JU)@+cEsvkNQ>*U?;)6w3sS^4Z(RqUL`OKLlM>(57eTo#SxWMgTiUF~i9uK&G?K z(SZLfNO)vjCcOF_QrK0Jn~Gajh&AU?%X}VV%M0uedda=C$ANW(gFZtoVo@o>;Jm^~ zqAaV?hoHi;ff;3@Z0QFw^~LaKmR>v?pcJL36k{YnUJZ!^wZf3~b}X?XR@UEIbZ_Z6lmXiuz-9{@whhwT}8r}L_`IuFLGLPtO7q0z7 zW7n-P)_sn!gG}FNer)~E*iJ}XdS76Y`?lvd8-qR5kA-{^eGbpr)=M=j}%ecX!{dhA~YK9ntcaTlid*CeK<>6x)HQDZ**-a@sz1eK*_Jx%sbiG6G4lOB*y52GoMwxnu*oh^tZBdaYHiw zoJ0C^mxniij+6U+QOl80wW~}$F`h{aKl=1pEg0;bL1fp0`IcHS_?~p=xLTE^+vi)I z8sxHfE@d@3nIUNcfNGOZdLy_d5-F%w;a?nr{2d35UopSxwAUpT*E}mZo^fyz&}7Gt z?Wamfh>dRX{gAKAoOIa=jV|VD987_ONV6#DU|`5)8)jcRnu!hzRCG!i4y#X!=sB9 zARGUeXYMt1kUtN8Om}|ytDP}QV7+T~#AoBD*>y0|qbk+sE^KyI+;WSYDt^KCtEa2d zeM>-X7*Js;L87I*y-Xankw;m)NmP3M;c|loSnSK~!tYXA5SV``{G5kFiGF9wm%Z}| z*Pr-Yl)kccVQN}nWj=lQk^Q2`Z@EJ(82FgEEKQZYWy(YSQ%hC$RN^nXW6Kl5#L z+W@vIrL-qVN~L>$FyYBU0RrA`xi{OV@76qKt8pj&=C$oowoR%;&X;nntgzFv+}e&_ zzjw^YH)?uMkKXB!*fR2{dfMe)y=D^U{ZTNu;`ZX$!+`gC_kXiF*z`@`y?w6KttifI z&8Jzh?d9YPud8je8(;c+e*3Bux2yYnal;|)!fVyHlF}XWSt@!mv7g(q zDtccH9nXYoY>!I_3Lae+N_{}IQlQQf4I3~hrhUxk1A_Jk?#%&^ELsm5*bV0d9Hfl4 zmIO%Q_sYl`6RZ<&U#828c)e(DNcyTycp-1m=@olE@G+H2)$-na2<%oPF`m#5TF8Fv zWY6(I*VgZ=YjT}$@Hw-}+izT~*6h5dKxpuTovt`mB-hL&1Yvo|J?d z_0?+;2b;3)HQc?M@i^euoZUTnb3;#JX83fSl&FfUpcv>#Lw7NCPO;#%4^8zd5zH#q zaO^(e@Y(|53;R31muAYXi=tgq!_GF zkL_n5+jW#?4jdGZ{eCXjVDGtvZ`mQXY#)U4Z!OoVyr>!{XFaSGTT*fgh0ba+I2^hoyoLnYG6O}V?oV%oJnN7NmP_!v_kI1(u z?GsP2%Cty0euK4@o9)}%efXl`f%W`vn!9=jS@;GM&WFB}m@}*F{xW{BFvsPAg#b@l zq-A+I884q@QDBniFn@D?b3^+F@4?TO~*7moFl1e{T*~e1eD};Jq zgKpDX_iKk$4k}Z}xXnC%@~144Ix2on4%G&kXrohhS*m(S!M;f_sWM^jwWL!H9KUEmOuOuR+_1Fu;glW3^StlfMiI}E9#Y`Y|; zC06)}*G=mLELIMTd>~XFDoQ0UCcfYX*y%?_;JtIc{hDJL&<%5=(u90To`ZjS)sIy{ zjDf# zP7XeW*C9SV_KP;w#TPc3>Uw^Mz3&hbmlF&9eosQ z=qMb{T0qw!%Po6T7X3AcP3PwAsW^1Q%ShEBDCLf6o#7M9RiZqbuI(~MAUS2s)s0z= zP7NCV$qzBLkqmsyC22i~UoLQ~#G+P8=bs-#_kuSt=q~W`61%*0_rs&XE)q*oF{b5j z^CCv-InL#wBM1Dd_BY*Gom_c`TS;Rlzt+SWKPU@Abh&Q7^+k5xksVHRMFB_WuHV|- zIn*dBv52HT7>>df&uJ{!x6LN@Y6mY?uZ{%OJv`vnb}o}En1|y}E;C`4y~YjZQ497Z zf8#^wV`M8{q+@uJwEg24pOJ<3S7@Z(ImP_u9^bAB@;QEu&Z)H*k5hYleFx&BguR|* z7lO*Wq)^zY>FDtra*kPaP#Pmf3dG={_j$d!SNFH_!h(swUQhHMG){i3K30V*r3#i zM@?h+oLNu`BccR`B>0mk%897B5HmK2lc%p+-ON(9Ti~G5v&t`rmu}@N^ZhbUuaoZ0 zrg+6b>5n#2n&7~6hSPbz}F>#I?K7qV&q5xbp9H# zor&l>zojp9Fv@WJYg^IN#LY43^S&!nDXPIKz39SHYV01lt>(wbIP2=FU&wyAqw;1j z2{*Pkn_1_~I5}$W*}|e(ZVG+mGwdL=x4d2{Uvtr<x+Kp01MLYV)<;C7#8AJ@eM< zr52#szpJ|8o(2{`(R;8J9ZY|J$$oe0Bw6gw-OHUUT|aiDuM#c(KvgRncY|h!YdImk zr+<1stT&-S8V#zMAuCO;b7aw=X&^?DRPk&*Wuy#TK%FM4vm-+cEj ze~BD&bz}FPL2-tvw#UutHAcx3RUtUO&htJhZTy-g^CHZS&aVc6#;amD0EE zQMJ>g;VnjaS@ryv8=CID-zMabF9s5a-IP_D0b3rE3r27E`3=>fsoRbH-FE{RxvWEy z?2w+#qt#bAtRQSEJ*G|8?t_dw>dKW@#wp4-%XXN_kA^HPqg;p0_SH~(k9NqG5ASkV zA-3*qubYbwZIJL~^Pd}E`MPtB{oH#aJM>9>$KdDKp5c1#n7k}yb9=fB8=*l9;`ouZdcHkfJ-kOBSZbeHRknKl~=Jx!0G+nUa1dX3i3% z2@OznSdvK(nwd`%UbV2PyAZ>MUd_8)DIqzb`y#4a%|2v?r*rpF=y;bo=os3|j;Ml5 z4BTZWR24Pg)K;COiV)0(!dMY{N0!aUFyYPt-az55Rd#}!=O=2z7&^vC+@)Nc>yUka z{|@ClRzUPQm))aFSf*+o+^05dg}^j48~!6S{%yHCz8ubl+F2`tpKfd!KbbnLV@qYq za2}4_VaJGGHtxT}Z_HTr3)v4_4qwQ@c6w`ge8-Itu*R|-p>nN^E@0HkPvD%kLS+xoNw0BafLHUG} zsS$SN)-LQ5(J>-@5Rx6t#M2W^uri`W@oO6mRJ+r9 z(X*D%HvBPG+_JVK3O(}q35Q#Q1II;ev}z0qspzJ@yZvavt&WELOkZgmmM1}rOdrsK zW?yBwOz&-1?67>k$FAUmxc-_G#`G|E;|FIXqhsFNgvPZFXZ{1_f82qnSa zWg7G_N(R&|`L#Ei`KXu-d5sSwL#ur|_jNrPS1l7wriV^H@vWuJTng4~I|KIKCY=?s zA{+%-7hvRnI{;QY`SHAaODIAIsNjnB3du5x^)H zXWG=L?w@>0%rn9KIX*ef7WN(7lVb zEyL9M?4qm(;`mLTMbV|c9@rnr@^2qk|1p-ZrM`ZNd!v`vhl!+=8sDl2?y+l{+UQp; z2p6`BJao@!`QiI+k&U_i&8OG@6jyKr)6y@Ykj;v{O<#U_XA+ku?4!1l-jrBeGn2bGJ@*D7h)Z;Lb!ko+ImQ%;>S)x7VGASi6_(mW5dthRhUJ{34Zy+l9&aJYX9mqF2hXe9}&xeV8t&Y|{ZxAHQ=39tHnB5_*q;&On zTJsO=>^$I4o{?4n9I~3Z`~I}kpQMLB(#A+JN6&%L?%rBlLaK4*1FAbL-U~3%u9UYlMb<DBJ-#oCjJ*!21qL+pV%(>Kn3 z_lG?;YhR7YtJbDJ8&UhaDEW`+;WYLV*Z8tP8EtM^_Hi=5uGN<5Xy-M?s^P$vC@cH= zQ%yPpzQ6&2Cx_3kzN6;zQ1z^74iIc(n0(OCQ_XLf&Vb+M2C{dHzo#=wEUPO*>bA_0 z`^#!xL&ug0{%$nm8>n>9e!ww(p|g}?^_7y1nylJ-W*bYh6~$Ix<`nu&O9W5RW=66o zWQU=w3f~~C3R@1x6^x~{1yZK+yQCUDDC_xdV|hpu&)Z|cnl4!)o&k`Z&5X+}v!-1* zwZ|(r{*|r#QyBX9AL}pk<|Mk6OW$~-@T{@|$6zQ(5k`1HO8V`50fqAls-d{#lk@F- z3}mMkq2wg@Y#hi2>`Z}UW0`cQ1KdcC0A+OB8RToDzG$%Tao`DRvX5XivIAa5ac#ZAz1Bx{KBq3;<8WZ{8Pm}J z0(acM2q%B`t5zw6)x$OAy<5$QBqPrx09Jh+;rSXF8*mc;{EfQQt~qc2><@2F4=v`a zMyn}Xtl5vP)19?HwR$$3;PaS~P0uR>QiPoT%A#xtexT&em_@lbn>KmC5+uIM<0S4S zLe4D;u#)u-vd`GkH!|q1;rfK&eY+Z+9YjyqJ4j%JIBl{Xfvg4EKA#Ux?ne|(!*Y!v zTAOE6kv8j72E`2R%bc~{QNFZNi@J(NoYqXc40g0XXiZvBvQFjKXRKx`(|?PRk9+&p z!np2;ljxB@snhayW_l7JPe9mZ&)4DBz-8Bl2>LK?@z%A3wxjbhBT`qMb*Jgm^uTi5`FIa z24Y*?vp3EGe>r;%X_MWv$}jrXX3hJ!dQCXj(8Dn;o?4!uT7Nqexv=!&7^yIW6lEeU zv5n(&Rk)CxtjCljcS!}*F8i>@x|8i2MCWQjG7l?d12Ykjmw1mfJjSdyFCUD zpHNK9&o?q6?^aoZ*ehG=M2L_4DTx%K25wou zr*va)J(9~#KYJ9aLSQa*%odB~DfSVCG7R(~CWJ4Ab4cy=p0RS={S)=FNB_FXC*3{> zP!!(fLARiZJ&hwT8$HX#9W#W59UQ~ePr=`r^LxD&S&9Hc231ancXIHc>$A#a(Jj5u`F`11>S*HB!bke81;~A=LF1NAI`m+ zBmW}@rZG1R^0MwLnlFamC*ed0w=>gUoJ?#q>XYy7Vpr#Nn#e9pKmP-!M%o-#wI16c zGh$NupX#k1U3lKY%4s4}7Qo07VS~`Ehd`h-p;N!JKOjz=yF?FPDxiJ4WCb#V%G#q= zmL+D2jfKRWw9PPFkf)-VvAwurUg~apUhU10pBkGEjiBXG6l$&StBnnSF>+PM)57)s z9{B$+{lNAUM-Sa7FVRih_(4$~yz%BnJHMh~15dnz(Cg4zk6va+s zJH4(|VQg$5hsKV;8fq8TEYc^Fy_->rM>vP8cf1&75*Vv+!pY_}-^p&vHjVtDcFWuh zRi}(fwDT&T{Kca2WC_s=LNOmRbr_$KI-*qibj0es=gtAemasH|lz?5y2B9v3Q{KEp zUm1RP27{~JGUt6daRaqN)(bk6f*+V|V)lIn3d>T+ik(uJ)s$TmJDQF{c}E7QFPf0{ z7%58+W6b|W!S`o2aysf#Ez9C^@A4qS$^x{i-)W$3d@r{!B7cF zO)-nmi*}G})lpp?Cyypnoo3ANP?B0&lcBQM(px=nHx#*5->|b2ojfLxg7lO{ant*z zI_V{r=_2dW{Hv2u@3QL-9f>)2@9}G`i;ds(O0|w^*!i=dVj6`Ylgt}P5Bk@Y70M%J ztol+VsNRCaT<E?6sd|%-Y&dy5uB1B5k;~(V z>av){uy-eFxAE-jDAc6D+*@|-?fN=W20p#|6Ufs}wFpm02~k_)*!c9uV<;M!hYJ*7 zKry306etoLr93;Y_MNliZB*Ff<93UURdvr|`1^@-Sozy1esN`Ka@E5Z62pFGXJd>#p!C4ICIX?`1yv1%57xD(TXbW#%Aj1IZA3$0Htv;R0!UKztK> zg$O*p%W$}Fz=`y%`jic;TAI#RTkY8%&a0v)3h(fGRary{6O?2@>L2ZDhq#fe<`5g? zsb($96$4eblBF8{dlKq_HDa>w@nahmL5o?8M~BWG2n~)+B^+rMnFDhEkdvk?HmLSz zt*p;dsYyDk_+zs-980dj$oAvw{0 zAw1!PB;^GUHBL?G9_C%6fwl=7^y^$P7)~GR@iH-RojZxLUSl#~OglX{$cz9@LG_WV zGd(Th!srM^*T_n~wgc+BPMIaGUk0y-dvtp8s=7%I>NZha!UHLcgS&$)pYU>tm#`4` zL)5wHwu^i&WQO{-+1RL>((!EE!)8t82rl#*8RGfzFfvnll{Go(8RF`2e z-A&ehZ!=$Ier*N0MA_M;;xz(yVE2Y*K4(TC*5q3I9es^IUwpA z>hI)v#fTF@u;{eAqn8E?AzPs(TY;j`x+f47V$COt=p-A`+`!tGzQnLA0HzsZ>o1phFWX^ia{{3!c$kdk$iehC`$HO7z`EIt;g(cKnd^};shfyIJlcCx#AY~7E&heJPe+VidO8%pMg(^+T<6~I zcZD$DrB|Byj~+S8Gw@77NY?P=?xC79zS?Y;J{feea_YEouW51kt}L0wv#4Y%J82Gt zhSovedGt~9J3iy(z5ALHYq#=APf?x|A%#Lt#rEW7@Jx*i5-l+xHKimYi(fiT{Dd&E z37Afh={@f3@{g3jKd$%BJR<(eyTeO3GwA+jaNYAaK!l4jOOx?5`F7&u+Q11hd*AB~ zpjxHtbY9cRmS7$tPAp|k@`|_=_4a^HPX+|@*m`ZK-7vq( ztThvYJlxCN)QAlnU_DWyZND8j&=q&g28=H5k}B+LU>8@9DX~FbCgB7mv*9KXXL41S z%@vprqUK5zahwCLRfQxX%AByNujpSTE*PqNYNF-kAo z>($XvZkLrTY}SmL8m!711zMS~zJ6B}%1Zo$ROj9x8Jl!N6z*W&O3EFr^)i`jdqj9K zvYwr$hTF4F?Z9fQkjlk(Y9UnhV}}F*HX}e}`fj+22n3?G`o7SL4boY=rrs4lCNfY~ zYC!}EXuqh1p*VdRwc1}iv;$|mnUu?J=X@7QJnx>51~M%&`>PjSYCBcO=gqc+>n$CE z|7Dl>Pws!b{=4m?LpSogFb%@FUWJk65D~9&`dgF0h~y$hsG=Z`R$mmuHyd+ifV zEmR3{4X}Keyo$C&SZlFYfC;`+pqK*>y+|jlG&c1YF@u42i}qEgcc+@wSS%sctez;; zI!Ade@m-Sok7`DVY|nDzvh|uhYJQ+b3K^K+y1T3gP$zHqdd=pPp84G#eb!HIh5hw9 z7ISIi7mdM?R!Y;P66PAC<5->O$##=;E#4qpTF2R5g%pAop9(c`^Nac9lEak}P-U)?~d+@9MG-4{%OOy%sN$JFe8_{{nmHGf&X{_FBxj&l#QO(eteM(OPy~3 zC5uqJ%TKG1{NT3_M6b*BZQR;SiZ>&zb#Ko()b$WzakZ@e0j$;y;eS1|pW@3=9Tzu7 z0Tqk`wEeL9IbuGKl0j;+!e2lX{|CUa9_ zK)}1l08^x5;zGG(AU}E|{ccR)U_7YAZ>K8`b6<078;8(@^;J54yaIiyrz#I1xaaWa z%&-nPS*7KKHu%}Q4c1DD{8v>OV1j zNd=uhy#2wKwSlKwbc8=EPD!s*%|p~N(w~PC=D#f(q}8siUQHNO+v#@jgGH1EJk@l% z(ke35g@sNgLm90R9Vi$0w62>tjqGN$nNr>FU<#1GwP{d|g>ZLyWQGClljpi*EPTf* zSH}(33HXEjz0VwmU1}#eIub&^{v7S-KD9LNYm`&zu2dUCF82QF_nM^ve7L|Wy_nX`P5(e@SXqOVuIxS&N5YemeC%Nn0v?N6$Maxw zOG+|c*EvN_U;ymdW7m{ue(vdHKdocFm=CsocUV#|WtR^-U|O`e{jPA;rdED$T^H=I zG$GlEd#V}Efc{{`&ke@+Tjd|)ldpPrN?@c>QYhvms*y8xu-KPeb6jyDCd&Y98^@Y6 z2av`cnK-j`iYZt_-j<&a27N|r(u4#eVNP68*!zFrAw!R?CH{a1^4x;favVuBj+tp?m4F>E zp<8~7;f5Tt@nklJ{A5z*oz?>)W`7BMD0AB%UrIKQq!t*-dA;i=YEBrS0G1C>_*{5~ zu^p?zg#frZlyf}z6yL%4YZ9#f@mp0{v_E5)|C{H{I1h3jE;1__VbKB@X7f|j$N?oi zLOze4Q$E?(F_LGEql8c_Vmz#a!Is{fQH%c}^xnh7blA>F&b~b>?F+0&7rO?1l?a?f zvwC|S)5&a(!yq_(Y3etA|B0ZC--J+RSKlCdWUCm;Z-OZ2k3Zm)1c3~fqivdhZ@Xyq z9dsB95~>jDv@WX%0Rqv12(|VrH~))XrqBMrk;|z28*svABJ@XwfdkrSMQzqO#|sL_ zLS_1XfpmaXgzwWw?ojhg7obCM{y$fs{MQKPPL`=ZFbbTA9b1@!GbUv*6r!f0`AYTL zk5y?{-ph@%M#B@-G#vlp?6P|`oM2k0ISfJ=j(NZ!< z@Xjo6Myv`csD=4<%!*lJuU9OY&pC5v-;t4DSdlhupQKz0a2ml!KM3f>NFx)a&%{g&ZSMsuCam80tGb4<^j!3TS|cp z$i^T=>4>1-=L1!rPZ@eu1gy^pjBiT5+u+Nu<+?p1?5`vbCj|CMa;F5P4z3m(3~VSL zi0Bl{*V;P}0K&{hSKg}Pu3FAKT*3jjH!Cm&@PoZ(hX2XCkAdUniCb#j= zE6!ZjwS9gB(9=EFt|JMGT*#sLMn!AY7l}?_L6^V8UhTapPC8t7O)=4$} z&W`rf#D+qYu1z%&2jys*V-L0P%`aI8{}-x?|MyA?g(|iS&s3|@A83I7LUZcHFTMsD zIQ@r0B8lHVtYxAks4FH}#yMYWQ^B|g)ZXiHQR&6cz)iKvhhq4F)}}eVTi)SS3?&S7 z{05AYZZ=N}P?+oi(D?4Qm2ke>x%Fl1ZpoSD%6?ebXj0Kv_7Z$avxnp2gXOf+B=62( z2No3vn21Bss8U`cd1cN?^We#g_ElCOqOg3&iIQ73{3*v}}FYYv+vfy3C#U@dvioPIJA}{-f7=cxhFB(}`IxM6&@@ z>E@JA-w_BK#CvE&$@mf1#`kft#x-b~UPza|v%&BpxN6=^~L}uzwOGtS0a&R&63K+}= zAq{*avFF&9!b<1?OLoejl1SwOBQZvVog1iJeD}ahjGFzf2K3;$F-Pn%qw9TAf?f*Lhc`#Wt=Gn+6(^}G`0zpmAJb^>Fo z6b7CAL)YL6=o*x?VgIRXh@PO2e!k149$pDUt_+|7#VDNIEs2u<@m783dd7>R>i*0t zS}EzxClpq{TXR+?{`yZ;o)lIm!lbN~iT8mLYZpwd&x2VmG}*l5gaJ2rC8KfSU5bjg z7Rn~Iz-IW)E$=>{fd32|WezMaE{3Etx*ZG*z-#%{J*A%jWohm&WvN2OFL%g*SPgOi z1$WRtd7ITAKuli{J4Y=jp**IJFH+;@s42xtAyf6g-qv2{4fVFm>w>_zN`%Jf|#% zsNNQut`gWmoU1wRLyuR3XQU>c?X|7+MW5z|dN8Z!;J1)EM$sD;FzCm{)d_94j2Yb~ zF%<*YIGIywfS%UaESz7J^|lnd$V>auH1 z?x|H!+VI94E<$x;b4<$>_ZKMW-JLrpjmxAE62HHtramFCB zxf5pKv!-4n7E@B`@ifN^q>$myYq|#8q!F8tx5;oC&0!ZNw8hlGF?^aZ7$sRwT#*`JLQaN_&H&?(=75LT8G*ei@dk@d z+DyKvmo_PkJ_e4|363` zPQSi%cMZjvp zyu*H=h2~>MaOpyd-hV2IMtFXi*dl!{Ms-}#m_X;jA|1oTa6c$w#>rs;rvrH%qn2iO zBjB4I>e9}eO6)Iq$ktFeO{uPj+IU57lE;MR)f}tsGutEpnQZSRRueI`%4RWs;zg!% zdMKns7}4s}Cm1wl!zOntLZ2#x^6Bv}y_j=L*xxH4MJP0{c&!0_<9Qke)K~lRnKPK? z-z;>8G`c-3s}d@ZhS(V3p;fD9H+tqbn?YJ@(?) z9dE&Czuz5a*LDUrEUKO7uJhV9e=s(1cxqbM>8I_Bc1S&jwNo%le>7`-1@q2X@OvypZYPq{=kX=6;dx8DPBpdG?aZI zbe8+I2g{4!+g(C7Kk^@iug{sIQoX0nU3_`~EGdtL)5uty@a5vvUIv8E*J%<9f}^^& z0EwCndz8OC&1+$`SSFFtYUk>`qR=_oW0|hiNAxp?a=6u7mItg-;@_N8^zNc20>$f* zlP_6njxdYAKmAW*_|J9!2V}Wr}gW)IHX@!htAuIQW@k;xqNGC?^ z&c7*&D+@;c4|U%e*3`OgtD=G;)q+Y12#AP+hyNXjQlv|l z-a$$NN|)Xtk zIKM{V59#eK2>DHrr~Df2dn65mYKfbnD<|pe*Q?RbyPg*uJzw`UB|8`Ov~m5Tftr@! z1*)Ltw^Q~w^AnM~oYtY9jJ@4VK!ae8bGxu=-W;#2y*?ps9aZ>F)=%8>{~+1$6R(8l z1#+nlseeh)P@JUi>%v|`MJ`y5Fv7nD-BWVH7~!eK`Xebudy{61WK-Np=Wb$xa8 z2Z$9OyuF6YthsVXxes&%2V;_avy8{!@X09v9Cr8JHT^4a*u=x=*<~^{dN_k$e`RRq zrHEiEK8&{8!C z!`H9hnX;Goy(!p;1|F9!^1=E(`VHiux++qj_goD-MsY`l|jMKsXwX$GgM2aVIw4A;GOo+2v z>Up+=2ca8UXnO=aZ*~NBD_X9+(vn^?>u-DL<2CDB&nElmLbC#yd%nI z3XyXcg7l5qO9a;-4pLAH@lZS2-5C$1W@ne>xlTk_Cz+r{0YdCEce+7+Jmt{QtKyJg7u;8-;U?VQ~YyY`F6e}6Vvc6m{A)5AJ) zk}_N>l<5nt#)2|tDBra(8pKGRFvS$NC^kWcIs3l8WyqHjdSNFR{ z*ojf^(Hdwk%7|%8V4PGXgv%TQEFmpOEs5MhAe#TA_tyoT{1hc&w%bQjY70R4W;cCR>Kf<>mnrZcdC`5Hyr|IZoZOE zJ^Xmhv`r%UCySIv|Hu@yDp%?t0UsuU95g!|WT^tq9n_=SGaZTWoQ`tDqulU$nh#(1 z&o$T%<&byyWby*ZNKC{-ic_-*A&|#p*Giqr6OC%GT}&NY^IG4d3xKB`{mw;m)UV6v zQ3m7tUipz1`)md5PHYf0{VaCQPXZ;VhZNzmY$YIWasD4z@5_ll#I04e#i=9_{C%O8 zJ32?=pWo9qTLrtQG^~c6ywMvB6yyf*mblHr#w6o|OpmGUCS-|b!(&szv<+xy`{D4m ziy>J~a1}ce@9DxA#4%$wdjDxs*$ytKBm=qFk0zn9BR|n>rDv2A(~VsQ7{hO@!o;^( zN}XmYMhBZ`@}U`-XZ=e+x7-5l$p$ii*pzz)8^D!8e{hFM7vf&2Pxp(Jyj|=m`^q~7+ z7G}nGj@O#zaMrTED|(1$#D~dlqnci0uzp5ncdCE4N(W~nkw9A zRrC7MC-;820`zhkWn9HiBk3;Pw4*&pc4sCM6~(X@FjM3UI$E*~FIhm`Ou(JMJYN@& zH!IF-U-}c@-wgN<1s49F6jR zrZpiKGiBCe)z~r}`K4>*Sqo>Xu~&yG9S-oBCiPKvP~5`UiD=n6uh0*RDPK=@&dex$YS3YKjHufUo@N1@d0clkfwk1Z`CV{?CYM=9! z%}6_9w;d+sqlwG3iA?oyD#<_6vDPR$7UBM#1(95FinJ~9o3yu{T$%T1tU(a1N*oYC z6-L<9FU^LcEkT4J{M*(h@Mt!W@RHXkNIWHXUC|5&9q#`&xNpeyg01FE9P zV?6-_&{{TJa#1eqrV$o;FCN*FkS=kWU4~M2V~NQih$L<~mXlf`;jGKDOvo53*&bkE z_1=3_ViZ)%?_z1W{v>7-3uf`2^7YR!Q`nr0L|XfCw0*!W0EijER^KN7c|P&RKN9009^$22{M*3k&s$?w+&t2X+ILapW^$=2PKP~OKH|h`h|cx zg_6T$f%)p1>XDV!0p0|IIy`J_G$n`@H)Kc3A&WYJkAGt-PG)0oR|r0ExKdRD^(|V< z(eO<&IXE*NjYq-gB^`DWF|h*MAXgXmrlh{(%9WmeOr!kA^yFUIY3s9qYMplDtP~ai z!PbG4bWvij0SUgk=|&%tE`|+DerTZ>RJzF3w#(bslGNq7vK$l+IPL)cFXppnR-|y> z=sv!aGQVW+-4^+~+pCQ1-(xJ`Q2r+S@VimKxL2quHsvergZTJmp^S*oH`)$6wCs{L zLflXGNg~R5XB#mfle8|bdJawr7eEt6FsdlAk%fyFQYvm^N80YOixzfDvo+v+GIOM( zSsTri&77a5866l7%Rrk1XrdUuygbG<^O{14zr-{z8I1~0O1<{!^8sPtyIn5mdQES` zV+7$x_2^*13GKC*f->{LlUS?Q;oCm=E*p3@;)n`lH$@q3WFR-f=5T0`3?&K=TR(c? z^CQ#@MPENAy`tgkM`A6z)q&`f@u^{V-#}b3akU?N@HTgQl+qtW8f!G0>J=w+lWY56 zNJJy@na5mPIKD}ry0Qc5~;ZY{swhdGHd^{JaBU)?@MB-|kPvH;3z2j&XEVPo#mtBR0GzI5K7>NW9i)P>0FC_|$ z+=}qrXEfNmp9bPAkT~eHIe?eEmP#Y_%ms}vX3BWG!C>|;<~Gd$Udav6M!)|@_N zu#AK48br4AzBxlmY{4NWf3qqNAo{MI9k#yKPT$^0sluln_MO9Ta~$@QxBa%`$OoYP zQfc5AxmPtv5*L2%$ae+W0>yMgaz`LBcNa=}s|ClvZ^x7)w+GM^>1OwB$yvE()=i*J zG1SP@%Y1hnFHN7E>GiO8!;@Quk}+i5S>{IKf(S~u{cyAJWJ7D+T%7l^PtTv?8$cev zv6!2!9=~dXlrS71(%m@?~z>=le+;G+KN8%t1G z>v^YH;sWoaz+~rj`Z!pctoL2(6#%6TDx^j ztu0Z)nEeQHi zzTLPuU!9Mk2`Yp%BBd9W`y6aicSp!8bC8MDo%iiEJxO9UK2zH#@joF4`G^JRlvcAl z1M3KUWV6I}UBX;r?{ltfHey~;=+;!8`#3D()nclLnGah_1f%R^$B|5iWHmnre@0qF= zSh4qCw%XlVFpJc7ZP;I2R1NN}Y@22iQSas#PHVZt3#p`kV1Y%K# z4hXpb^px~mZL)f`eDVH(=yGlok3(NPY%`fMD~q}aSs&bvq=(GeOETM(Z{!x&IxP`^ zBkm5zxlyK_=0_;JJcvlRLfa=Pcjgo;Bi15YHLLM0OY2(D2^BJp_gk)|o_DF#Kb~@M z*xzr$R$4n!Cwh02!8XT?q;*@kbC+*2l@?ux)p&Arb{A6@;R=g4lk` z>>zbfA1^nkXHdMa7PfIOPSgM%>M8wcA^ zzg%{=?u$Vs-jmQq7&>LmwVfQAc4Tptqh*HVcaZ2lYzY$Cd5w?XJSpW{Qx$pKVAiiQ zF%-W0sgBC0GN|^MBycoC`eC!5)9l7M4!$W@iZw3NWo|)zhfGjMo_j}Zz0`%zC*X_p zHBiXj${0?=D+vHw5Gg=>EZ(yKG!qM-(U>;wDxMfu#7(m-Y$$2^~JmeLYr~ zrX2o%t1#W|GcXvFolpKlV+x3jfFVsnnn~SX4rx?xygA%usciI~#G%_|4nxfEt@5`^ z=OOm3ggA=dY}HSp%_!xDuK@$CrZk=#KhX!1`xEji8Dbsn{RnMhHGPL&i|9x=aZaw$ zVS>K7e~dQmD7kvf%qQIU+W1_7^%1~zUB$c(ItdBHne8PuvYp*h>aE&sgixG)8j0!A z|HuMpmpn3*oC_1d37F+VPPlaZsIlwwS@Uyb@L7sN;6&G;e(m-2^1go%3J@#Fc$v{+ zlQFZyk8|j2HmMJN7w&u@Px!36ug*o<`H^$`t|BeQX6Fw=y_2Sbp6|WvhO1kMYXvaL9j$PtT*t;T8qTFCZms^-SyzUg2I1^$kTS*e zgG_*+W>dL4JG`Q-aNb6L9rI9tv~Yj+@$0>zr)-*jLcQ2_P|_lb{ty#MNd9n&_Oi>k zRJb$00&93AL$a5)p`bs*q8ZS?bVBJIP{u`bK_An8nx)B{t*2l>lixu|;wzX-hS-(* zZ5tXbK+*>*8o*6%SDP)eZg@_SRwx?Z+fE(3sQ^PX0GQWB)Z72O>;Ibzz;AFhx&D~u z?UfXQs>f5t^l9tqnqjO$lj8TpyW{J)YAkzTi{889 zQ)B9pa#%NJPfks;GTECJupBEkMZ2S6HPwq8J`Pnheon}>WEa#&%E}o0gp<9TOYK}W z@i8(lFK@;%z@&inziic!kG3yY#v6Fh2MFseKEG@)`vBWCAzHM66! zLN1n)$|O0*#%v-a(bHY#Ay~>JbnY zup=|2Iy`={MFZ^4TQU`{f4MvV(^`ZozLh&n5SuP4N{;WIck2xq3A)BjJvuJp*E->K zV_!-#Nk88l9OA{}&?~g*R?#xk9>!cYZp1|HRy0m>fuvovDEq7|YbSnWb-@W3?Q;u} zNEPtBvyuY-5Kt~?xAfsx6_`uKugvNIMjH-;|4j)T_J30e+>~`Jp~`|gFH8Po0`M;w z8?OW%yZOHSsw_?oC*5P6FJ-HE+|A}>9jF33&P@@=WeGhDbHmU;urX}O+z{EfhV61; z3;m0Lp)TNsVZSzr9f>lkN}ys#cnZPPM7OLoWm+(s^2!_r`1y6875t9TRATmZ(l@%v zhL)d%^Qq@nSix!GXil4b&lCO_20akrdtBFaS80L_wv}2g@+CofglEgX0M#o}xMH zkc#R})Gj~!kZ2j{X{`x!ws3)DKo$bPvO`Y03pCzdjW4JpD%f_r-SqygD5*R zUt*=;w_0vos3yU10kV(j?U`^dl3`0w*y_p#SDZL5a;k>{lg8m3#5CN!wlnP9)TgoeAv%M zOxwNkWh?TiBwV#y6BT*$sRXS~G6K5t!fek2cC!dRr_iAhS%w9TEk}up)6Z zvNsDA0`!Lw3=B?WJ+xfmdIHA=;HPRBwK4tV*?ERHZ<>R?_SL0jR_iz2fmN)F*}+cG zJJMSxLfIba1By;42dSl8jJiOUvx=QK4tPt)`eZ`nRy)%l;=Yr;`uRsWO9EU_Rkh5S z5C}w4BJjXyK=`f43m5}Y^$)N6zc%>&C%t8<%4ut)KRH>g#{4EPLGBOb?feP!_i&)~ zEJQT!=`hrmiZHZlvDaQEcXQ`ilDL#10Tp0_#eAZ+@?G-0qEW)0Mc_wDFxb-Q@;3IX zAfn<%@vtZcv)XC2pJzqyZSr7~nO5V~(7bu%n|FuKlrV;$dATfH=`Q(9(q1Q;sGB~* z)N2Q3GKu|#I6Dl|I*p|tCg@@kUlq9!#%TGvcLz|NERi;!?r4L|Mb84pjI$eztCC|b zT6EJXZ;y>I{~}2Fr`EKU^B&=HWxHOn%W+Iff`@Z)ury$YIxk$=Ch^+C`keIRe=(;H zClzz-d3Ksl=kTBO?v1vsNqs0j6y!x|$mSray@rKnrya+8$agf$>q^bVmo49?izf!i z^)-LMf2d$7!oT3=lX!IFLXmN9WR1*j_YV$f3kdv6iv=)#>uo8Yg+hjjK|PcfqcmxY z1{*?R7qUa{j(?=+!}=PC>&}oEa`jr1i7A!mpR(J3M_R@Rcz&y2c1C9ki~t5X!1Juo zdrMfdrQwr+i|R-3gB1PQ)i9<45v|n(Rf|vb?1wwi^(ABNCM*z_5%=N9hlN4mzvug{ zVfH$qFj>$CdcPGW`-X?Z@wSY_mQR`6?R}K-C0gw%T!%Sy{!7g#-*gMh`EudJawmHt z{6SxUtUHHAKPkZ4jm@FZY+OI(aGn!1%W&ag(GS%22ap7QzO~l`8&<_0O8*tJ z_K(5+e~$8-W*NVDQDMqr@qZ?v1&hr7BM7aL!@zGbcEctTlUpsnn)7VWi{DQCy+YWo zz2y9hDjDQB6ENP5mX~!HHSAL>ly(`7lz!Z>J21ft@7DBclo{QM1&Ehq zF&xgjbDWd4j_wGJtS~)JG4u2d=b|p>W!(&R(Mir5*tQq6GXlxlqqqyIN}ZGqT-(aX zyKT53ZW)!Sl0DllHb2oBwr1|~)iV)(CrKQllzDLTD-*A>?F4Z^TYvH`T z4Dt|Hm9(Vqht1QgK~H~s7P=GX{EH(+YmmcYpfa*NOrcSRT4rAOitMVuigD~osW*Vk z*!dVMILp?%{w&*X+dIE1s#EDm_xM^aL^WF;d}S5U95(_Ko;lw@Ukc`4S)Z@p z-Eex{DehbLIdmi_d5O^l2XK*1@xI-%WvDd5iTg-ErDG? z2tz(FSimg9=ejZVvywK#%gI#jrySaRAGDbvYz&0j7e>b1Pb<7?ajxZv5H?E`u}DGQ z1d{@Wx`jshgh)N_CK8uCE9+P6Va}W_T;r1!TF|QW?+c+}9jiw`}M!-3PiZwKw z07Eg)aoA-y0@2Hkpl4FjZ{I@n5jk z{8>}qeCE-rU}+z29Xrlv{ORzCpn8yS?Z#p-o1ktksG!+>HKkQ&ah1u&#W+-CaFG}m z>23X`16K%mtYwxeYi)9VU0=gb5j+L$(&x(D9fLT&9A)@fkP7gx)>8(U&|~-7;B7c& z5k9UT7Bu0c_$qC|;5SO*^@|zwY3C*@Sa9ZyW9`FEjLytsV`7mcphn0rhR;!%M}|vD z(a5Bh>83Gg{ji2vOc17a?=GfIAxS;ZDvMr?r1-`01)iDjAYy=pLMhrl%UG6w}=+JAQBy^QD`FCcK5whWKNst_(<2Q|ib%#@D zG+0zre}4ymtdIVSY@&a9={rBux04N-I3)bcU4kloys$va99#6B4&CfnX$D{0L%#he zvp&p2-cgx&k!LLxe*~SKP7($_|Ke`|#l4e0HV1|Kt}-D=mAU{5-MQL4fdGtp&WunP zdA{rjMGx+6%ao^><%qiM#6G6I?7Tq?_XNv^i@d;QBd)p&EggX38_D z0N+i;qTKVc8K_hNe7xg_ybN)i-E}B1B6mHsf@ClGE2KAZX#&W(FaZJ4Nie`i?!CIy z5s>N@?`<%80&@)GfYegY=E*=hAVSn{4gOSs?y1KRq&M^u4LyT(6&7N!^+9!UJqLj1a1-~y$+9bF9?8&UYIK~ zD$6*#y%QDrze~3M`X>(I|Hy{`IGk$(kDe!7c7B?l2L0LlDTvCaik(c66k51*u?)sR zOujtp+hGq|odY0qtEP#g@^1e_Aw~8*o?hcyi`ip~`GQ*O8GWdg!Jquj@^xg zAJ%a4(l@AY+UMsqVDhjHFUNq#e+Zf_1D#?MM7(hofSw)K5g;OJ-1DDVYpDbO?-kAc z7pITJMLcV;^P>1n(4NZPe6EbPEJBwQ(0X+5v7xM<=#!c(FnYv(t-7QnV$ytq43PBk zBX#mAIOSpoT|>v$h9d&&al<0|kl4EAj{+zwK=u>wSXUmnQJv()im6;D63sr0jOEG9 z%Q3uGmYMG$mj)e~p)I#3(SS4JnRPy<(&~H!(yA0LHYRx%7amYGDzx#gzjUj1*y|hv zNat_Gz)UNtf3-f%)`T{Se<{;x4kk;{xX9B8NMJ*D&ObX#OSCyowHgv`*<4bmcZmv+ zw$NBi65n}hAyeTy7VSzfdtl_YA7%-ab|uOex^>%z6(F%r zMg6-WAFwRa?1}_%$BN>sUXfHvnIVOiag3pOhJnYopYZNnHMO-Ft~PG(n+$AYy5P+k zY~nNM$LJBGFi}YeRn%v90L02{eHBTQ@`mgU#2dZeM-@g!l4jnfJeM3fwh-IV1xQ3O zerlqSaA?50R)tunT8HMs=L52fLFp6-@^Rd|VmvN4=wv;6+#N@Cdm3mEKEB$jE3PW# z2;{SP5~4p)xv46|NQ0pDKdA61)6#RemGSkIf!^u*;E$JSZ~K4s&lsnrA!B?LZEuhR z)tD3|-V^7Ojsj~_pHtmD8Ovg`pR&5Py1KgN(uZ)~ma(}ht#Myukk_>9<%k?Tx4)T_ zc3H$oU0_33UtfH3tXKJcG06Fte#38dvyX1ih4=9k{#W(V|eu0g~C@4jFWaOfW z7D*{S{AZA3%avE5VS*ftj`HJ*t>7n}ZKWcmj%=3S3;VEPX%G#I7qg+8X9aoZHk!p- zu+^dieQaSBB($eP;nTG6DhYd~S4px-Q)-m5ie1OM;JCx3eQ*R^&_p+IRBW)rn8AK| zmgaQ%Z@!`2t^i9=v@*y~@5-GWQ?-jEcRH?7V&IS@pXxc!JpPdAxWa)oqW|!jYmqdb zdGCVbZ}9W0bq{^BSFjQo{pP{T+bVHW!>#k3g2A`<4f{WDga;b31$#d9@`{FNUCo%W z)sjjHzUt$razLTWLPt$5e9Mf8i@R&0nyEy0bkWw9>-S}Txu{?doZ6{(I@e-UDRs4f zbCLd7)uzCAP5CsQvbfj5Z>jfAtue-r%v`wU)k_I$&oX`2_x|oF?UPC0r02LAuW5$J ztj@@Bg_YGU+oJb3;xi7Hn&YEx+;W5i%Qr3}WM9V2+LlnV;Hh9&%oA!j7uN|M^?r`qbRUvFXL4`JN+zNr(_5Sto(XIZI9xBR((PQr*( zg%t}F#2Y4u3=mVgB=!3HssxGWt|)hw;)fTxUe?(PC6^!8mU~Xz?;HsB{Gj$r!20*? zQykgnn26+wTm*5|ExB^NU+%i7!==H=XGej0%$xMlvvoX});TJs$c_&jOhO#jppt*@ z$vIw>BOjVuC)cltRkhsa~K5l8rBJm#V*7k@m zgd*3suar7uS1RfkGoG~mje}k08WjAD&J7hD8#Z_UFg{$q-P0tg$MPU-@#k5S6>E9h zxgOw?D=#D|qerh#LEU3-CwMxx(pWh(y;n?tnsB=3h-kgi6_d_3ZF9|X{3=Y{#J#gn zUfmNZ?cK(C_KxF_B7}$H_;j@_-4VRBYTX>?S{jV+!sfD*RgQQXj|JmE-m)AEC_DLKg+ zT3e>k(d#nBg+Un7|I?WoOU^g|S zz=b^hi&-k2KD^#Iq34wfA)d9*450-op4C^m=c??g%GmsVhYV&aYufgIMGk+{Zhis| zW}Y>TQli_><;h|;xRDzAH}WofqFF)_Ys=6)QOqyW*Q zHjk8XsD1JT>c~nx(S&W{z%cVl5X|9EN=(ak2ZS4os8i#6N=CGDA4t1lUtDlesMXrJ zkBR9i$uFh%y#Z!%&k1$zDwMriQvO2_4kv(Q8^a3>Y-#gHr#m?JPn_kYt!zy))0Znv zp8`7yaY&#!Ei)e3i&WA*qA*cSVXK%QKfm;1NcRR<_V7ESD^Wy9;@7RR2pNYj=(aBr zgQE(dIR`)N7^O;ph?W{33Szg|i|CESV1Hs9xTdQHRjlUjz1fA{*w|aAeYr$8)@AB3 z$>o)J9&E1|@#QBw1J$IERtk7PfLq#Fhxq}%FdC~OO*<1|Qheup zY8++irR)0^|87+}UN!rG6VIvW zkR$T2?ok1oSfLKqPm52cndQ_9Esp{^l z(V*_bTo0G7CN*Q*bBh>KdZ6AE#(l*x;3KnPBV^85+_A9CIOqnxE%&-r)VH618$0AX zL0K+{8xPDE^&H_uH|$zCa zvJw{w>h;xT8YB(z9}p28X9oqTCGV0)>8bl1V30_m>r_aQyA67TjC>yJ)t3kF_G?$m>ss%qe7 z|DA5s-1+;(7YVvGyN*)GFQ2P78@n50iN@?xH?=`Tbn@Z0V<}%U3>vuE=+`TGT%2zjn3yWJQ(JxJC2#r5wjOBC8Q# z`BJxqcTEBlEI>1fD9C4Wn8_>s%6R0`|IC0d*y^_g9jF*s2#V5O?s+03!47PS+3E^58FVavIeP%J!y)ffzR3Ar9s9OGL0X`NWCYA|S$5*G8x z9c;W8lgekC-(~P~^5$KWj<&mr@l2cLcDGeE&v}02nu~4C)?OLpl|SeGscUQN{LAc> z_{D`^{vSf;$GjRle^0?R!C)h?8W+7sCKa@-H8FqT}>J)l7YpY&6 zDa8L!QMY2nL~rae0-`Cid+Fg~GU3pMdq&Q)`zXHC!yVU*P}gNPy9B`z2ASTRW;?0e z^tZl@LQWHF4$bQ7CcN)Ls?>HKzlq9V8K%G3VMXKqCY*+>sLE>2MjqH44Z?UD00)=p zGZJqOh-yXlf~qXd2mvWYRD0hThLpVwtLa7Q=DJHJ?qhuK(M$hCItaRM!k3yctFMy2 z$b6KqoLaqYipsbx{q>amm1c{cc*hgEEA9gkubZy)eqS=GXutC24l}z8=QxU1O*ZR+ z+K@1Y#sjOaZ_d87X<5CLhraGWPmn{aK$jR-9UDj@vba_T_rhys?#2b(EC=I>$%>QQv{AyBCV*!Db;r6M`;7wrR3Sqf?)oK z`h$ZamBmrG2V17^l={2IoV|L_8zU_~+%c3(_c(m9F%&Ks!^Z(jHMv2<#T(++wdH z$?x1zQP*e2P|DaKAO4+Usdws~{^Zi$G>vwU<|Rb`5Q8aCzi?#>eccIO ziHi2KCY~xe?QJcqJrRShVd)V<0(l~`$kJ>_3xYDT4ZJ9hVCg;pFEHtp8lQNs4O(KXXze9G>TC^vaS&r|=|%uSEgjLhJ&~yr zlskxLw{{oJ@0uQR)66fjbObXsTXoQl*}klcoe`uJ3&l8QCkh(KkA85i6criDwl<)% z)fX_;8R66)8X7G!RZkSN<6#wbt?wMI081?X_YDwv_cIk-ozz-jl>7%T7JlSk4;^-wF&*7E|pO|r|MNhH@LU9P-Yi%9pihT_L+1d ztwiyP%{HTS1|Q<4PY#&zR5gvGiHR@k)Rh4S$(GS8;jT8wp4>?`?I}^WRi&p* zv{w)L4lfDp;%7GJtTv|Y=X2AnZ^vt70(@Vy;wA8!;9XVuL{kCvm6tZ^q1_63={$9b z3D*X{%fW0h-_wUnbk$d0T}NHFO-u!g>fe8$W0s%uRb#+AI__5kt)YdETCka6M$M}z ziLoaYPdF7NpvY*Pvq5nTZQu}?OhKkW&Ft&O3b!uJpA@m+(-QpV{#2&>u;62*GV zx;kzS6X?em7iPaDSK5uJouzM3KzS^2_9TL1d3Y}r_vvKW!f8V@jx>!L4U#fSyvmh0 zT%G>@mdo~z1Uh~&)7-KZngUM#{P3tenE6saYt3ytWpd9>;Dk6(}WDiN3CX@$PfWl zgDF50crB%G)KZ8(dqOwy3j`PNq@4}Sw|8&W)YY-u*1ko|U7H=gX-g0pUF{rMX4<&) z{^;YA1PP6^X1-+&gf+Cc?oyHVv%+hZqS*yG?7Vn~V0f;gwRiq-!RNbfE5lJr=XP~W zxF<#XT`M$1S4^9|-FWJ)17F^rpg(06sMHwnKK@s1+)beVy_&BdRM4=@Ki!}+IJn}_ zs#Yg3P^(h&Os|mNHrChR2~UInsRZe57O%zT$d`vdTg!R)YQo;u+}G^%IP)&p@as#_ z8!K`wEv#a16wCW$@Gtwn3S?V#84On1e*XAml$QPKJpaHOSiGywzzSmK-@-pQu~U>i zID_d-pLc8SSJ4~n$v0Nog!~y#h@ESr(Yrv&~h^ho=A&Vv8)bgtujg$S!pU6@|m!Z-V(8iDAl-Nju(b#qx>QxZO44TZ0sdD)yZWXHIFj{{cuTBiSGD#FM*H-B8b z%`!*}Ro9({cpH-goS8GRKTx+kdoZz&Z8vNACW}>u)&WclHSBq{(2eOTz5D$}cTK@> zPR9vB1mjJGRg|XS^=mO`#WSZ;F&}?(hIntw{Zt>6%*u&gSsB&ONKtAk_}r*hZl9$d zYORr__*qFuw!V6}yZ@WV^<}{rg+|>$(~n9$>Z%%_c{He5X*?Ag)t^LJxTSvOw@oNe zQ1#$VjJ$G#gK1htRUjl}s|(s_dmRN`K!g0^Y6&c-PhptD-`4Q(LE;LH@}f40_;1>z z!;f#<<0xc2pG}He#Bd2jv%I{cyx~w4nUi|gm_fI%jXU<+ylMtl-M>Z4P(n{UztD3@ z*HJ}$; zbNJ0~1)S>SKJo0D{3O}p0GkHJ)$H0P`GvaY=6}tsg!@_?*JM~saP0W()M(4qA*Pch zdCVIe1A|snN^gVh86wj-S)O~Q?;~HlTdQ2ffBN#ZCXFoDAacsA9K)5MmfuxuYBJP6 z8Ygi^JqyTga~N*Oa~Lkn%Sr1QtyXHH9axVRJ!Mvx#kBkMoL9*8Y(ed=`=?TK!t|NV zIssCvlUGqEUqNCtBdp<*LA93d>`hy{35c7<)X~moUlD?Gf;1Glk9=8s=UJ*iXpC>o zi{W2RyXWZSW)&mKUL7{xaNqesh^FKtyHO??`U;ZfCz z&ic1#gTh9dLNz%_b;Iw@Be%JFe;E7o06d!@liM8Q53k3{=#^0e{i^^=6Amce&BK_^ z7e)wObbS*CRI`CyM~!i`XVTQD8c3$B3ZXC-NpHehGV9&Z_O|4KD+=g}7-wJRYCVlP;;r_4^j&58izbEgrzkNQ6JM}h>C zE}lv%6Ro;VxxllEKU3)hmUYBcI1RX^S9q0Wzdm$;t0jRT<6lER_QFH8j4XGnX6%9L4#1=w}x7Jw>~KHCT4(D;gCud z>)ynoF}4H(di}oN=HR0SlTz30Zb-SpInO#7oqjtWX&TQ@XUBMg*anSXe>eZ4v{_J~ zy>D02Nd&ETjSW|<`Z-!9C_UJxB&}P`WVDvMF5k~Ht_U2~cb>oL2#yP+TPZ2p8{bjj zRnM`#{fy;rHadTFMn-;2z-h@&b#)+O`K8KF7deBquBUZ;*JYrPiwzne#tW0a_Xr=7cO{VE31{Kz64UCBd{8@26E$vszZ$G0z## z#2Cj$shLuC z%Vq3EMt!wssaXYAN}p!TRb8t{r|$?ZigeQUBPIwr)ULKYjx@3*ya=FA1GkOZ+bd|M zF#pJ{;>TwQVOS(i!*a~-ir$zIza+?d^Hl3~tF>NX57i@=-Vw>nRl=>`@4e$=ZgUrB z#h}$iQSEfC8fnGatJlQ}h4@1{2k-D3-XE?u9%>u3%ft?rnn~v+cyKKQZ6NH zc;$}qZP3%yo3gjgK|e$f$1SqhpKf@bQ1d3L@XoEcjQ1~jiM(-T$^vpPSY`HaK3tlX ze{kMRI#3@t<3k1epg4m4kCG~i4r9c&t;McWLl~cJzt7Yh39M7p2 z`8nwt=c6tNB=)%dtr^LGa)=wy8;`(`7aTwNyH}fak^Chuy<&Y9$0YGfToV^%vopyk9Pcok*$J+!+?2^ku9s@+}D>;Fw%B!egzBcxFLcFgmRt&`q7~c;Ox+AR@SP9sR-=7?Q|= zV!tsEPyD!ih7HjZ$>5_+_mYyA6uui4*Ueg$D}*ZP;oPa&?crkw$HCEl4~Un%2{zSW zWj!d+Tj>R9w&gCLIk^tBMqsVeS8l&6+799Cv=?e*L#LmuAA04C8kSV!f1?&CFwo&j zF@K&DeSvpc)PDR?^u_2b)mgR9;al!^6U7EDRrZ{k5Hvk!{44dd_jRWty>nJ)cD){F zRbCghQ^7x*h|XTNAG#m&J~yl3RCqDN9G_6$hq4<#36=~C?U|cIk-pBBNSQdnAh)<` zpH+@2yyO3}p}cEkdIx}k=P7L+=RU1u?B6D~aoxuZuc$d(vyV3jfY>L2=8P0cU>>|5&Jeii)k@2_mT=eOwSfmSf0Vc6;QO`>udXHo#!^^!0q!;~mb<&9=Kf ze5bQm*Koxyrs3Iy8;`#31Xe)UAsf}3Bx$JX+4!q`q3frqS*DUkUP3IdXhlV~HU1eT z;z_(_Bjs6+-(l5$wP!*bkA}_-v-Iu*m^tVC<+!B=wFh%&i!YpH*qSP;!3g3}RiCkH z3hFl%*BWm%@Dp5RN20E!`SEYd+%t1Fh|9Ls)c2n+mRx5Pys;kz2U>Vd?12O%=joo_ zO}La|T!|4=j(_qP0+(J64MG%%xH&xWex|nbHH5$6UuXa}(&VP`9+=qAPe-S&>j~C< zZ6r$LhtF@rTfY`8q&v-7^H~-`&jWbRO!-eA&)k9Z!2%{(q@eqr9i0 zXgn*1q1Vi(8B#C4XR4pR`r~27yuY6!dPia082#Ni|9rI;Xesl(#p62THgn~qGNSg4 z;Tgq=-<6pJk-#$IT>I*m<{bz)&}q1~v{?vXGl8Y<*9>{V!fxZfli5e}u^Woyrvt{k z=E=M1FYn+g2lw;yy?^?Te)s}1xhG?M@3F0SK~idT85lzmxNe`6)A#nLki}e)Y0lj} zR#^H#3%b8rbUd`14LhWkbP;4=qY)e)S?wqUZp5EsC3G6uS44a(ni%&^_zWiwhre9} zI>9hH?KnZx+l#3_#ZR=DG5M<%=1Iap^YAb$XhB47*>R@rX}=_oe5YMF>o6TY@SNA+ zx2JIqzsqZfJBy3>Z9+v?QgWhudSbgPAMnmDs5)uGRS0S;6NPue#SI&g!_aY+@(~&3 z5Oc!fkznYRJD(JBucI8s-3S^_{aBBw zv|E;ZQt3RMltN}AN9Li zCxsM2%zl(k<(CC_YxXamc-pjgkw>^yU8wPPZkktw>uSH*S}l(J1taiZt6-tPY2x-W z$BKQmnZou=yB&AekIT2YgJPUgpOma{Dp@xLI$5hvwq2j1G4WJWN)AwA|zFJ$t3-y2@%S5+Bw-A`d`!wQRP_G#e zYY?3qRg?rAf73z=2JQvUKkNY}FI7bfP#K4(l#LLMvg)ECEYLd>weO#m9j*4#yX-sI zJ6w>>tk`y#!ozgab=Lzps&)5?!?B#=&1rA z^b;=efxTc)qG;@8wc#XbpNKnVrCPfEf(Fdb(sS~AVo-LUGfpG3^um*K;UeXBT^W}J z7E(e!zof8Csc2h#oL_#t*bCwGx_(fswLY(-p-ZcMPi_(NdHmpagBLB3{j!(kmNYt8 zsrp%zZWq0GKJ=sL!CK-Ndt-17=HL;>Xk`Tr^>svq%wzIz%Q4T2k?O`>vQI4mQ+D0$ z6LIYZVEe6S8_V3Y!;cL|6>8J#M(=*xh5o`p8~7Q*VMfSZtmLlap|9$YkKZiy`YnDE z!;Sg#;S!$B{WJIRpO?1|7-Ut_F}U31-zI|BJmsq7lBBHilf6d0%zY=l-R83w(?WJv zT>I0vCOxKt$QsQ-zh+G7!%1GPOglA9oTqTp>Dmy$nX4|-~^EmeXx9?{~{#2tY`tp91 z(|==QN^mf+2($f7VL*}4B`tb}(~mHdF5aj&VGaK{1n)Y`I{oo`t`VbYM;;^sLx#g8 z7w#?jE*88&n0D2`ww5Y%z7Y#9wy90yyZ}WGIh?QJaIL6{m?$b!h>rR0?*doewAr%X z)Os>oEp!Q#-P9F*TfQGFt6GKH1%_8(y@?>f2ZrZrv;{185J%H9+d<0K%e57I4CD|o z>@UGQPVUruQP8vZ48Dg_U)a#c*qiLD|4{x38tT%a>z)%DT;9%Kah-ji-~{r!U$%YN z^#(=ah7Ku<6xF*SO0$!tT>v`hQ{qb;v@F*p*MTADJ_cfiEa}LN?r&dvUSmOvm{i9N zsf)$hCh8@rS6|1opmD11TUf}25Hh9Yyp}(Bqm-+3kf0`!J@tBfOJ3Ettwg7aH;j3_ zrl{6t>P1dd+@^-y_^xM8mfd(sGVjDiffQ0IMb=P(m_4Df+G2q7d^XCvoiTqXTGm6l2=m8P+2JH9DFkW8dpfLZDJPkGl?O}f?7pGGc2wd1u1 z1XW|w><`@5b1R;ho5XLdc!lnEZw`|4l;AWTi>S}R-ic+HBoVNLm z=z4npN`;D#WMX>6bl?h75AT;L8<+X?Z z)l_2%`5k~%p~;B{=U*itFZVT_C;d8XB|3o+t6z*R3^%pZqI|)wc}U2I#_!Iq%^Nku z59^L%@j7f<5V|}Xp7z54^hzKg-YY)jem3Wfq%KIjhO~1|n*bkVz zj^?z6Py8Zytri7tR_4;Ek1r=~ca*_)pA7H7n2~$bB&7SLyX5;ipO<{1kY$@FgHV{BT!!juH#sQA$+0qt zsJUR-d*jKUXX)4`d)1fRl$CB$mt$`4%TL?0>Sh=85GE!SYsP7%a>Zh{zBbj*Y?YKL z+P6cUOFKc0TAy4UU%mCNRH1MBJWEyg`JmpZj=5WBsk=&=e9O_)npkR_&Jb5c9?zOMJ78H5xV zE#Vh(*{6CI5*0J9?v-NQa*OGDV)t{%ew-pM|5 z5V^%~7H(Oj&#)2w4dk!i5<`H1$~C)-sL4SCIuh5}3@6$dJf8;o(K?pev%C1+YL-#C zhi4gmAqO`tl6K zk51-NKnsx639@FL?2%oGkU-3v5Dk9cLsS*&YN5-qVJ|_I+j-K`YO*485Q1pFU(wRv z!!(}w_5XJPoRDI3n{@B|$!mOu21QK~_e-rd-~TK&J?tR5@c7BSZaDli?PKT0+CBk4 z?ikM!2iN0kO?wKTpchn53cVol>F9#R_qGj-T-(RaIUQ8y!!L4Lfc_UbpaJOOtshbH z>6}FhpJlRbp+#?`D6#_anXmKXaPrRML$mkQ+)hlqrn+dh$JqI!DXHf<0`cLaD@XZ% z=j&7qG2*_?Nc0Sk0ca22jhKOBNEj=IMW2A;7}#}MhP1Z6sVIOGxh5f2)KQP^b|agY zU4uh4CTMGaP|uhA5@|`%j>XWzDWEYJsRIws%X<}>*^jO+=0wWhc|>fuqDD!J2}FGV2`2s;^YGIF_lys=dqy0SkM***@Kh<4_ba%Em#q+&8Ui}JwuF9gAUy)-!x;N zo`Mepl^N3?R*Cjk+q=ZQrl_jaid52r)REY)183k<=PZL88%BbzUgHy?^EshujfPjSR19V&rpXD(+I-r z=KyU`c@@u6$r<&uqqGG{%tp3mMTGkM!S_B}t=`DcYO!E!9}_hs(n!W!!7cuC`HzHs zjAuK`smfMOY-D1($Nk3WAMe4LUU&XwVZApt^y0B(NU4VuR*vV8WhINPL&5gmsI_bi zHAQLZrWZ}7UneJKs##*9&8es~NiW+S7Tiy8xgD0vztANbI!C81-gS!F{mkd&1ZrA- zjR3Aeo+47E&-2RZp7C6sbz1Uw2lk%hLCmo3iZVyU?|uCD=td_S5eX4TR|e^GLQ@~m z9Mb>p4gZgWbyYOtA5sRPV~@|!hFGSXL?iDnfx(MK(OJ?c9SX{kjSUvrS7^+_^8r!zV>8#c^^5&4N zHeq;8fVc_&JmMqNUk*E7D&84$9?}fBC}}^;FFyG30!Q@}Am9=r!B9p?oz6%C1aElC zA{Q*@u--vt^55aP_fLBB{*(N`A}R(<*LlueI1EX;C;Is_^|i=lCta0l=o_&|B)Nk; z6+=6N4Q~rS#7i#4W;|**IysDHe-$9LusLx!pD-yLYG8)PJ^n>ORL3$fzapkB(IGAV>tV_qxowxTZVs? zd9K$Wd!LO{hVLdIc^~}J)1SMI>H~1$sZO`bJW1&@3Q)J1xC}Y`4SsmtUJcp)jd9p* zmG5?KXyYi|7~gs#=o@?6s{9;sbnYI6D>@i7>Tph)IEb_ZpNplsCBX|InmyA$9ja?9 zOY-Oc<{XG4I=ZqN*7;3Br^_njyuOUORDRLNv0Et6lAr>Qq0#@v`EoAVvv7aILp3=@ zSI6PSMXEprG6!UgxY>oKqzQXaDx3=>>ektss{O$ytrysEpT_<}M@c8VAy}Zt*@6WNJUz!&gV9oI?w;W>a|1j<~XfV8-DvYKf z=d*f4yUMV6&r+JgAH&YSqLIRDP3>lFQ}ZF5J~2PYeNVo#I9K&#TrD=fM4OD3t#oiG zUif8pModf|vpHWCh3ff5sH?Qv&%7G;ge+qp97jy+O%d*@cb1*PL!e@e7FqxmXu-=@ zOr(lqODONZe)lOlP*5-il7>G%k-$PwUW6g+E?~ci;p1%YWi{uVJ(~!-c+AmA_joy);|aRbgO?|i%s`?Ahvi}2|33x z%%6fm!UZmgh}+8=!kxMW`-O_9bgQ)v?U9Qf*GbL``)>DgXKO)JeO<&aM=$0XgW6n% z$*D)c*WVU}jg#=7^0J^X4d|6cP_}_Ssvq`6B1OdB`SQvgley@JU0mN1L;5q3q&Stg z@x<_#60+BePLBaOm))hCwc18lb3ep`9@Yk%4TC<77ilVZ9$Y3W9bvSP5dL4!@e?#( z^@$h3Jq0I%u&w>4@LmCV$DmalUEQmV3>FPVhpYEO`19RdS*Bs(J2LLUuDcaI32nRH zW2Yco{qx+ZB+>IP=VL(*-a7Ch2N!N)w`pUa-3kkE_dN9c3+(9mw+ybE;CYiEW!H;J zj?N3fv9|R+EM^yg=vM}=4ZP{jvRwnoOh$CMd{Gu9HW`%)F`s|o6Ib_zRmtM&<~J2O zbTCLcHGsQ`!|n(8pobInown+&nBWS0Orn(EhmD*MUR7g@66 zJvKdRGA`auAI|u)aNtM4$Fi7Jds03%4l36_~DJ4>KcZk$YEve2i{& z9`6+A1fTWfi|@i_%X>pbrXLw@m>J(2$jP@UD9Qo&Y;e76m;9~W7-6!YMFyKX_i{N- zVn3ZSm{Bn5%GK2ATbZJqcghp(L|eFB(}kvTpRVp$F?1_lTcO^5sUsFjN{aaO=vl~y zc2efm(@*ci9bxItZzRg}y}#VDRvRKJZq9nkW+d>tVSWAKbYCZx2`V~xFNbGC{=?F< zGD2QsngQ*kaR(BYpW&$m9uIhNJcH31bagapRMxW2P3pMT#qHTYS&>y--eLf|5@=f7 zZ@azvK>@Sl=NsMN3-j%H0XV0 zUIJ%3QvTTQBV?mbeRBtH@l<3FUw}kZOTG84i$;ACdpsWj;!3ol+Oaoa5wyQO8=Ijl zeCx_aMrHL@dc{37&F{}gpLORHfXc)08V4D;T)w7JvRCOuk^1zcHw_1gBQcw9{4m(Y&*+~Kxv8k{>%;c z{c(Bd+fcJu(3odp^e$5L@|*Wn*9^^1(}}!r)6gMMH04s$?(ze)DBg9neg&nHv|SZC zoUj9d(Un*vl;!%OnyO|fn`ILvgq{-a^u&rr6B~I-Y!9Xr($SwVcnV_3bzoY-Uf8ymu!V_d+IGZgz%FM)1tBVf)U_J)> zou}h%zHAMimqVVuL6T9F(0{&K0;GwgzWBelilRy$sa`qYiOyeYZzq z%2YM=c^z1ma785nb;T{vzR0~u&x{wqePD}$LQZ(|b^iQ7VB*T;t0jMIx*(zxh%uOGFL|JbzPOZlIZ4`Z&6Ol$26 zQm^2R$&4g-^Pp?HEX@St6825exf!{ZaRffa?x=1ib8YWf#PEIfZVpymep4TGMyhx%p zG46Mzn?K;W6PLbnSTS)7JFeGg^7tS=LNEZITLjYTK#gd$It@M+M?akhlyt8bHO*xOM4E0?N~|(;%?#mz2Ps8o*L%FX zM=}ln5W8Q{n1|v%$9b?#(+U{1c+f8VMs;WlMrM0ebIr;ejhX~SaBa_Q^ZU)eCORBy zXC5n!Uv;z#RH|_7d=reDNwE~>|2x#S?jp7IHVZz~b!Vn{@idDfy~8`j4^UPfMtP`m z_mTpdZn-~b26ENx$yE6NvfvL6uNFyCo(`V%24&Q>_L|!~3?+tV=ipVI##P`X!69q< z`@}0wHng0D;RBB(=#tOK9mfKlPkcPe6TTA5IuUD2sH+L}CQO_j$rP9j`+PSwvx0HSkfO!_`#iXI0El|M-r@aP(H}QqyZ&Bg zJL&FhGeZsbGS_h{zNwH;RCbaR7>-GGecSpn%>z?{zwfS!Nu4)>Q@85Iw%~1HWJd2- zg#}w3;J?5;+HJhTn>NDE-tp z-a@SkTt?$cPjoXzOJpf29;1Lli{Y)N!}o=0+~d17k8Rw@>1Y_f^`m}>tCmXOg~w4v zH1~PF?(2)6yf))HNVr>3OfOm7!6RaW+4;^8Z_jJ_fnTdk|I^`=;nhKfhv3#~W<7@5 zJmA-rUypiJiPKq1GiXBUafXi=vrk~Z43Os4{)--Ko+x9?!KkO@&6S70!X`_jhSqbJ zjG7gmC^?~ScsRQ~0z1~vhXthSR_cVYBdKVf;Tej&!?e5@*nq`Fs*o-%0A~la!sR*0 zh?>;MQ|^((^JKD`W3pqU1zJ5y>5F4G|sUmslmFNqKTb{u~o`z*K6`r-SFSBx2sB{3iS zWvM_^coR$9XCTxkrn71Ca@pAKa0%k?)pm6&4ET%olw2CPLWqCJ347&cj6^k-J$FQg zULo{HiTK)0dah{VX-zpc0Yx|phogl)P5WQ{9r2M)+ARe*@C*4qNl3>&PhX zOO$6d%p=E8!n{{sNJZDiW&`rlyl@2`-`-wKjQp$HMK5_QXi_$ul=m!#JkpNn$B)tHla9zgJTm!iq!8{(Pxq@34B9$wSL> z0~+-zrbxt9U!4lKefQhLzup_ozV3pEd+gnD&<8DdKNM_m3^n!~T~pMXOhe}{+}corCx0GZx(tUq`%fEP~A8Bo^1d*yhBNVO*z zH@y})dgWs`{758TzXX=Hf9qR~xCQN=Rb5vCA}{-0hP!nmmpA1LQXygK-y7BT6YTwP z;&}3kqRN#viobX5S>TD&#+q|`ufTI<1qlVD?r@T*_anPVk1dI!oifPYEjPC$cLf_- zEYWxQpEIO_17GJgS~+m5x+*6YG}tNjP)2(`_%!W#EiPV&FUR~nzU@`F+24$&IbBf` zoQrY4tsoo`mr-dFlZR3zt8)_tQDYN3U+*LeA5i-qGpUVDo}K$7L3gU3YaQq?sppEA zB9v0hVuQJHz3aweHpQn!DR)6YhxqR^MAtiAUORnZw~KdQO*qkE3m9fKc)v!)pgiq0 z1VA9=eFV5VTPZzMNL)k+^CJMY#~HXknFEI@0?aif-^;d26Wngv8d3?Xb1Ob9J7iMF zwuS9v&=m7&-vfa@tI&R0T+KNDng9S*QDZ=3iW7ZReJ(YXWGYi$)tIU7Hb`B(n`mZH zm9xW6Axhw_(Umv0F5PSdhEwT;p$Bp6oOkjlAV)PdRUE-v5X*iU_gPy##5IKMG?@H7 zC#SY-p`gbx=Nfazi*RpkNFN2mz5{?c%5U4y>moO;swm@3r%Pz~_`d0+5SGSWaKOG&(fT31 z2z1t*(DUyR-wQPz+cMxjkgMqeFJw#HCU>3R@1^hrIS>8JgI~RAH_w_4C-Dq=wHw>{ z?(_SbpZ?=2*^HjMk)GZ8AYKbwq{1dU6E=nJd%`OmYKw{gJz9;8NRre%$lg+bti z1ovplaju;b-D(L@WdRp~X@iMnLaE3}ws*w1yPPOw1{rQ{`NR{;O)-(d%@DiI-%ma; ze<_ipj&U9x%AB}6@neGTElSo(2z*_W`vlyY>|SNDAo5qtbcQZ+Izx>zLnbPZ1H~B;^#h0`0#h)Hnql{;m%`GU+*AxK-7w! zU)E7lXv0@Df2FVLJi?5bnZ%Z!Z(q{$aI95<`i5Z7z9i4?hmP)>a`nyL4m@0wb2nvW z@LiQR(vwu~R4p7T{auh=9xL0Y7mb3?c)sj!l1zp-C<-;Y5!(w}YNpI8w~|o0ylY+L zKORG5V?|$bG$SGzU2lUpG0OTTz?x^yF|Hzq)N`NckkP%9#NO+D7Y0Mspw7 z>zI=ElAteY24DP(L^xE?xR=_6bE*+y?tL2nqIK^ILFzhFKyIvDB0(Z@bQmf=Dfvzy zZ{f@M?QfK^iwFX-@h^bW@4jHmK%6$gpLhN9KknlHVGtfM&@D22GFq;XscVYg<9>{t zzo$z)sv7vjtwr^TcTLgc;HaOnEtC)e{dm6kK)j#aZ}X?dKV##R!s*Yqz|5iKfeP|6 z9Jk^7D|^V*(r%kqw=D4b#zXeNq4FH9_x&o2QkzL*+2Rx{&4+FE(rWrNGX`#fZ>Lbb zzsh&<#-`oX&?(iFM<~N>yOPHQ7*>ydCF6k8Pm|wz{O$8^3Cv*f5w$W$YumBdfAV*O zQtj__g8uhjyQo(oF!$j(i%!a)o!5tRE~f2Ia5Gstei$(Zxq<1^u1h#)HQXb=JV6Fw z8hD}<1*o1l8G0CnN!lAINIn{!N<@ZezCp=ZUN%*BN&JwXLe%JX9<0Z3ZeAU)$ ziQIQeBP6%LAlxrQzGuZ?r-W`9Ib@IB8$qx7oKIx*2YzUkMSSf6D}!s{87^(?b_>U4 zJJ8a9O|5hGHQjXx&^u^=qixSzk^XO-d50|dtRfxgnc%SK5J33+>hTDI5Pn{VoMEa-4Qr|G-R*(=D6rc6^W(#p0e?*8f3;Foir;q4ke zHD{WON*Q@qP{jClKBuqmcIUH@VTa4A43-DJAkDX0!;9XM{Fb4)rt0s^Ln*zG1>~Qn zpSfNH?`4_n<=eR!Tey)A2zYS~zM&wz9BSAN6kWlCQk(ojWQpTeY2usbyAkA83 z?vSvy0(>eF6>Mg7z1rsx+gSCOC%1HB*%rC1G@Qlmb#a!+v9x>f@Ne2o1I{?6593>B zV~mjA@A*dKANa(cPib2j|7_cf+s=BNkPU7{>3GetJD5pvZcNM5r~Oi1JAK7eDF67f zZ-N)Q=|aA52ja_4C&OAPg&DPfv5sb;;1gc)np5%*OjX?|#>g1}EaQC^P8gIfRhW&S z{TJP-(yTP*pLT`L5W~)&4f?xoxK8apf6_kNobP|x@ne9(dOel;IMT9rN>#?*_f2|-He{T7YuGR7HPgIFLwRx3nC{v zG6u>TSSIIsP}j@3K@47jpdeFV$%#>%)M&uM7*ftteBpLi4QTM#%o+q)2S>S9Ivar< zJvQadGzA{>R+ygm(Ln>rh*!s&GjSAp)hAAP%fwznpTNIa>)0vecEWO4O z(u;4xvP=bEwd}~OT>es=+)dzf8}V4=&KXR8sBI0C{;Y>uvU0%1}?Bh?BZ-DJ` zuTSrrk$8fIkjIMQTN^AX=f)3E+!G$h&Zf}d(?K3&zpljvP94665w!BK8MLy*sN~Hl z`TTJ^)nTim%xood1-4-(Qf^In$ciKaR+IfE=<3sPsXo87jj?UEfL`^`3$&HTyLR?1 z-*96sg%QTY{eYA-I)X9Wf7iM;l0~@3L*UuELiu+rYh@8I4Jh}B_}g6P^$M;9*#Qnn zb7=zrvCU50?*cImXnMmNQPUqk(!W0XCtQ}_ZJzPVN_@yy{_SBe)9=#x62l@pgHai= zE>y!g0LP(4EqDeyZ=#d_o!vGO@uByqeu>bi7?08S)v?m>D0DZDk493CK2)L*d?Nx- z_FFkbk$A{H^}PLLgA)}-dA$*ni05u}t7Ft^r1Ybclaq*l4(4{!sqUlF|EML!lr;bj z$=aWeaF8{P$9@YS!pV=+`zD6+=I&uq#igH1VM8^$$g6hHFymWArI)?4-;P@OB`}`& zAu=ySP$iC9Am7C&RYxFwOw^Bi3nh$}K%^c*u*UI=Zl}0ou=MY{<2$OH3IFs<#p1@6 z(|Luhs^^Z<3S|1=56~6+c9t%8O>8JC?(p_(puFEM+dd`$54mv|S?hS*E$m%ZvR98` zOYk9aizjO2eO8#W`M_K$He3{QKSQql{-^Xq=(WCq!4;1&Z!DneT}|?AGwIHI|6hjJ z?|JIq?VcAaA4H~l*jk-0zGePeK^kvz^*SPcjGjlnMlv<7N{~} z5Gd`w&#K3Pn?1fqcJKq6(v+16Igrk^@P2Qrls`pn?r>1qXzNR^;CHV#MzdR4Un||S zibwVm6g&h3=-=AygGB2z-?->)`8z$a<=T!6RON52Wwvv%UB1u@M>GD#l`tgrr;@AA zYCd>~C_NTDftju8XX|^<-G2LPVOz4t45gJ)3ItQWJ7J-;@@oWlc|_Pq7KnYb!4)CH zW~jW5H{{(NmX^5=f6o*NG@I@n=suzxetAYJR9hOvh`Cgw>-si6pUf$%RO zgR;}-tLB);n;63!h`CL4QJs+w!^k8SriuTr%=0tJO+pbS`5C6qLvbJD_2?uLN(X0T zp;9sVICpv>{G6?~8H&gYa^`6d$;>iFE4? zI+^AJqtc#R<7$><2+!RUsjPE8#BMdgge)~v&`1Os=npe&jsdT0*0%;@1PrT&IaZof zQx`?Oa~A0wJLxW31q)QTnSvMMSM$}SFN!KJwm2*wD8RVAPb=+wqJi^^k2Ocj6al34<(#6aZ@joC zx+y0cL%mC*d!u@&d<5Rs=s~1%bD08V`Nh>Uy4#g+WmYdpA^Qi0gtWa=>c$MpMsVlt zr~dD!PvSPrMwSLL#v_r8^9$j0J-ZfS-xfU&UdCjqz9gV4v@0gq;+WK^R;>)S*!{tx zTV@q2J!ao{)p|-dbDKvn%wgKPU2>y(dZb#(& zZ}Hiz`iR1LUbtEBRAL;tgh>QA6O8zI5b*FW{Op-~@KI@2T;WBm)^$f@e*d(-J;##~ z(I=XU0E<#Q45J>n0{eUvs5$iLcS4dK5vC5XIJBK-F5ZoPA1%Q}bNKwoV``%mNEr|D zyEA-d08>&i}{*k*zIDTv@+DjwU}24#puG@EG*5xUU%sBg-Z;y1Wm}5)l4!maJ?D<0tTPwPn*(|oZiUP zQfsJNhHfA#SRb-6gt25wc}@KLNXg_*F8PpoQT9k=>s3&xk?1nl6r$h#2xPF`(~V9 zMr~B<^@;MU025d`{$kaq={v~3#^vu#;Dh4SmG3qTSmb{P+)ulgQ zVYUAS%U<{`Y7EmMh$-wsGyW^T`y#Z_dvt1z=AMx%m6|>7Fo+G(X7K5FLit}hfl_1J zf2*Bvx>>u~M*>62cV?Bx;Y^0=I~EM|=9}R{>wHiNhtH=YLk>Ox$!4BmA(IbffFgC`kV%PtlQHY>*i9gQsYC{sw={jO}`H3>@QDb!hUk z?M=dLgK$3_D&@CJV}6(iDj>$Bv%sa{;d`+)5fJY=0PAVrEg9J#ba2sGnszvXLT;pb z%v@~v1~IX}T>||KHDtvL8Dm@^p`h@}%g&L3Bo=Jk>A;GLU30t4XYcL4*GRSMeqc5{iE6fBU{kTs(L<&NDtB&=9aazQj@)!E;sW#FTRDWCv`Qni_SWzWpu zLme5^RwK@;hggPgm0{2DuTtDE52DTlyShb5cLz=7eHJkeJ_b3p__)}@=v?bPqEg*t zK6g`V*CFi1;XR*9WWqDB=RS_Ws zuo7OMn(qy~a&+>!EdJj#@*jVERTwK`TxR+3*nq9vyKv$|GFTlyIIEm37X72TN_>B1 z%ww6e+I$3CLiXJAIN7IP#85{U(nnVLou$liAN*F{nuYJQd7BJx)fS8 zH{KPmbP@nYqv`1l^WBO8~JG6Q{dBOD*}`=xpa=gu-vi?YQV zexogeSAV#tFwwISn!&iQ#L@2h>jJ!oVWXvkJ9AMD_eM4zR&BUD5AQK*TN0JiXKmza zDO&q4)$ zGRJmc<@IQG%7%fcZe?lH;kZa5q1}eil^NXCE?N{!yHqBk;cDzcCy3aSyIUDux zz7hAbOO&gjuhG%?I6qb+E%!G|&8%gcy|k&N#3TN<;+EBwk6#b}ku0>CE-7p&RLzO% zh!l_qpn38+zxD{{gWlABb{jYP>ZSSPYztn60Cvgdf>o+H546V^oy+aS;*P9&DVJbini=5$8acEW!!WTJOZa#?;SvV$GEC&=Ix5#Tz0j)AB zZbhmzMcf^Tuq^58D#?$*CBYiRwb`FQ-*d_OGJ*_8c0KgGui^93zXPH=eehrFYXkDo z?Osh}wjmASa*mujZ){JA<1@^VNuv+6VWiCCSkN>DF+^y;3WL>Bwk}h!>-GG=NKlz- z{Srt0vbzj5kJ9Z;fT+m56-I|8MoZDUQfCY99R-QP$YP$-LDUaV;MOZ_W;waSJ4kdp z?W%u3ZcHvE!|K=r5G~j&Fo}4HCkV2hRms+~&xIR8Fk|##u#_+#M4L0-y;l6!9tR3x zEEM2k2VsWRulO!F9?Nw~jT1Ul$&q{NRTtsE|HW+OiWlqwQZXB3~a>$QF6Fx<2Kfs9t?4Br_Djf&H&(@LMUIsJ#6M3eb!NDa8) zYGy-ItlFG6a*iRZ_@@#=+J#1lppvpF>Oka-fK=F@A2?nZUK8p)7L)aJT=`B31un^u zZkn;%Lb{v3xS}9DU&Sn#Ygl!ot^EZEe#w)6+ZBP+e(FY^Z}(ue`M3yBGsO zcB6Ln`gt{P1|)4*Z&rVDbk1+X1J9MlL3ZTXDW~NZq~}Xu&xiC9O$2XQe-TrW%v?Bn^dYyNr;ArZj?#+adSVmELYx} zmg1wdbe<`bASa(lcGzxiXDP+Kq;YEol(HtRGq*W?# zd4n47+!oXt>6Ys8i?JAqf<5^(SvBQO|AwRBc=2Jq5iv){6 z)Nl1%|IY9d9z4MleM4s!;kC)^xmR0n3Q^kdipe{7`|r=te-#Y^Z%t}46mYX&x7D+s zdMVSVqZO})_0~t;vd|_I5ZERz4YVngTj50=fs@Zv->(@sBraW#pSPlWo>iW5pKi#Z z3kKF?*?z6w@41o75k3v!8;nBClXm?K=$TdHW|f$DlNRk(^f$u)Z*;Zu zQzbNi#Y^|`;WZj3jOs<>G1(sM1_ECqK`U>QK73qV;?JJw|1LunE2fQ$D@jYYD#lIQ z#oj3>LR+lDLc3~LJC#85+RF8JufEKHU3O0#-RetHSoWgFqeO9dlT5#Pl{rv#qS=+o zH<)&t{h|q0A+3_CW>3XuGactL0{GlY*)~fm2Pf^1nQuMT`~D3CJFhI6uqnekjrCA{=>FZ6@ z(shmcz@-zXQ866v)S|JaJP4PZ#-aT#!}}41_eIg#`sebB;pR60%7R_?S1HB0)TKPr zRk#xU#kO^L;-O>W_JE)vG=t%$j{^ z^zdbS&{5RqVJ}WT7X5K^@b!N-npLb$8sJ^}7d1RRpf*a@_*eeH4A;q@Q#!66iDf{G zER^u&G5*J`I>_VuOP{<@B$wYj1qOMuZG@)b7SQDCTiG@2ZOu1X%G>tps_v6M9>akN zn|S*WgZ_PvTCo2)%}RE#t>D)`S6Tqdx2h`j!Y`!`wg-UTocVVp1kP!x_IK&4x;YtpFB&?*3!lvUv7HDeWrr#;`q$yA_7;v3s~+ zKIH7@6SPS3AX(24*bakDau&@g?tET6Z<)Hjwe_nOHXrVih`fq|L__`k$)Zwb%UJQ} z^T{hd`O5MfFO^BmS#HbR(`^egQGIfK@+qvTjXK!AQ7FRrsKm1G%`X_1#ePrxUO;u&Y&IgwW~=Q3mTXk5|aZ8N$HMfg8tWA6F9$THC|1z zTHkq0d3J1V5o-;I>{-G+AGUN{`PI~p^XXgCJr<4Be@=$oZc@itnmAZplq5&Xn&ku? zPGzS`S5(*g*~;d!?pZN!9cRkph4BcN*m%$kJ#mJufSvz*J@3~=Y@R*ZHJgOxSYQZ; zU5T#Z-#!E-|9SZR*wK%xWm(RShDSBVhuFOCYgLv+C7vl0B8;G?41(u}50!jf`Ivbfh}^cJ=|@I= z+e*Qysh_zwKqQ(X{vX)7^-&hZiqB)V0bkCc6>2S|t}Z%{JtT1}<+y33kr?yxs|&LK zYQgsPz71_*DJMqDLC^{d#QU-o?4z$w9iT}chy<^q<`pLK6VNLgW-_)BeuZ8~+QG4s} zhk=&$DB%bMop0B?Y4ow79hd%1Y$DZnh*ti`3xtjoJCGV3r_vL2gNl)ceQ7bj+_yQjJ#@ zUJA;V*fg?471RkM-#$D1n)&fO%UG(>UFsD%6D>%k+~_qYI_=cYpK2N@uT)>pAsj<+v}wW;bCry*KS6!|L4tZ!ra4;#ZI1#+}?q@59lw z12aw^IdJZ&lT*{uO+za>>g6fJ;ut={*X8PDoDmo0I_x*c;MYInW4-3hd?n??+I4@6 zqeZj&lGtG@8-mY2@)6v6f7YIJ{)p(Aw@6}4M|5}-n(iH(&J(N-%%5+Mgf4KJZ(4XB zEz?zl@!>~okV;{&Nw)N@MYY=i=Gs}fQxipfn1S~i73Jw&J{afw#D|k6RhSknwZQ)^=y{aTTQ9mziSKGBM)|MKV*NI85&iF}wV_m<(n}nZark_K%ir&wp zlvCC(T&%^WAf`1XfERPEjH^u2G5|`<#eN!I{X<~Lp2^sgH}RrGR-wsjycLgKapz(0 z%ysPbqhe@435aAn6RPKB{0~|=S6Sv3M#~x@!u9Eq-x)^BtR)yN67Q)DE&qzMzR+GA z509$kDgN`@sQB#t+lsTb2GDoEO@*fQg#d?OqM9q{)nlx+q{s;u<7z41TFNW%rua?X zp~EoJ6F;o3B==#uzCE=KmHt>dr0{ok79h_dKb5YM*O0;P*qClP$>~L-=9~6}zL626q0qtM`TBLwn>`yD zU-R0GrPFFrl6*b)&b<`ji8SY{<7=uEHyc`^CFpsnQ~IHYbK41pm&VbP(%R@r&@1%i zghdhG$qmmjjE(_=)p`FgtlH4D5eNL2#AT*ssmH*I)E1TK4OC(tU>Ve_PW zRN9X`CS?a!K?=X`4tLt4e6P+S+r@&M_Zy9T=tPogy?zEbLS*QaCtN3dXIaExQTz5A zt5f$9(QSwpqnW$iQhOoEE=JTmQ35odc>fbGM8g05mvM@{~?9$^(r5pDPEJl0v zy+&2nx|Bbu+%XBaz!`Ehh__-yJ9T`cc$Tk)@rOf>uh7e{d9{(-QYG&dXA&KeV^(aU zFrGe5aL1DB_XJwHT#0e6UmGJOzBl%hW!K`hJ>we<;jr-MT|#La*c{>l$s=fM=tH}L zyLQll*`y~R890xc-me{?dOdJjU(`eJkiAy%3}dItusYBVNq^K?v+<=<1PClx(8>@N z-1@#XzK$FE@FFdq*P}A8J7dfGS?s#>v?2Bzgc5^(xv>ch6Hl(gDuusSJjb?$S4m1m zGj#Jh$P2ikC~gt+C!eOj>(s4~bLyEL4m0{;!C~Up`Ny>-Pd^`GUoQu0V!07$TKect zun_zs_dW;1@I9#em?rq}3C75EHRGsrlo^sC;sdpYzUcgulcYnXdO!W(-Yk zYr7K7tDmWcXZgXnFOqfanOkeQVqI}s0cXTmQmraDm!kkT)|nYH|KEZH_9Fiw$&bb&z=1~Sl9O9 zf_p70S*yhog0_AO(%BNa4R{V+i(b?NyO(YO(ASv zUdhRBLlr|D-THC%y{+lX%C!ehom;>pdGEDQJ;I$w^E1a&)s0z*hVy(;x4orIezl{BCHJ>DDBo@D^jlaCH2CEZ9qUF`Zs3RiqR&d*P&f5eQCm?~V5X_muEy4{+p zg!#^s`ahqX#C9N#$Zj=s&gLghdf&rA+D@R+& z_qWvcPiJsJA-I{Oj+1VBRwsdYeYV5^*B*eaJkc8xdCSoKCl`2ekFCt{iOk=%0M5pG ztoUH(&duizJ>=pDW!Su*-~E1)e2&wV0C_McTA+F^QM=kQs(!l?2~q{(+hxyZcLub8 zGD~q@eZ8E(6GzO?PkwwCB$h&xRn}2!(#imT6-nmT_0;JiEx&Ws8%BlqYw|O0{1VSB z9j=XU^qaZhX$9G%_orwjF2 zaZzNduiTOnN-SeYm{&!M~v1#2<`cBUWo2?=YcY>H0^aG4*irWZ8?x z_wEU$W5g^@LDU@l&yUeQpY;(-x5X*gf_+ zhG4}%eU-FhLi;@+_JgJ8Oub;SQA<7$ep&O8{My~0yvqWc!O(ZvSEC=*(LcXwr%XM{ z)!Tk0TRa&2U`kkyrA^z6KZYsQw)ibr!Pv&^OQdIjrZ%frn9>^~NGpg2Q{mf=%@GlA zx9LlzTj?nvZj@sSh=!3CunT=yli%AbGRSo#!xpka`>cLLwm+tZ_1wd!P>^kC3Rvvy`#E1A5kSa zEBIJUw4=xaC(tZ;E_l%v&%G3yU0GR;(v8q6vV+C$V5EavYUHb$nuH7i_`sLrZ1OD) znvr@p@->4foz}rf(9fMl34FV@x)Q8Vgb9u9&;&Gdxjp*mc;B@W7`(JTeXRHVEHW8-L8?Il~I{oCBZ@jExIkPHxTP zIISIpRodPkmi4ed+`t#W(`G+N>Iq)4`PWh7$uIo z7HpKw*p2I1ER7vBtvrex86Tb0X&{umZJtzfUW<*}-UzVd*^nRzeWN?xu3nw7M|@3Puw6zhvma~YmL$02R8%R{^i z(Fb1UcIhiebF@CBd%H&?SkWdps>qifLA{b{+MR}ZGo-(DMz1x?^8b!V|45YQmXv?? z!N`&`8J}K(DmBLQ^%-4|&`2w(2gFj_r%%v2-CUd}!WKUZ&C#@5X#>!|CAT_pwY}~d z3EuW}3qMtZ8P25?Y2Vg3nnTB3va&2wl&YrOk}~chbkEr?!_7dCyf>%kGqgD^8^`pF z#_h3Yjq_=9v5k($R(HpPr>~hF4C{|Ju6cEJDtwvSM|h0>xgmbF3!tj`N>z(Kypq% zLWa*NSPf1*B*<$|FfNb3XWh!;k3J-q9q&p?h9|VXJKm>rF=y4I zGJk)R-_kto@~txj ztYHw#jR*&TdsT-REal}m6Zx<4(WyB){on5IA5-yhRbKNd;cR>`NrMwar2L88wDE>Q zF>T=iqb&1pw!#a%-=1nf&2SM1p$g!XbKlwi^~F4X3~|ykIA~Ntav~{db_ONo3)sbM zOr0j{-?@*;AWoS^v}l^{4Ihy7Xk?;+3i4oY!({e-PW{2dL!6AKEv5dzvqZzJRtYPT z0$10;^!%A`Lfol1TxU0iI83)5T=Q%>qUlsD=@FIZ{p~u4`_z$^1Bh1s_+=GxdwE^k z&xY8ouFwNy?e#_fky@vr>m2AvU23jw;9IQ{OCE);An7=v%5dRD7VVT)^dv-@*t@)tO>QClseW{(p1X`t82FGWWub`_QdAv7$ zu&L@JF3&L+wH`LE#H!!tJXT8nh3B1CFvR-8*X8vKyvCNgtcj%(FCivS}oBYoMx z9d>H^rtVHNyu#%xKX+K>(-F~|%mtv7FM=ogS1Si3Y;Km^C6yc!cJ*uB%X_Pq85vJ9 zmU3{~+E!oRxu}r_`IfLQ3ENGL9&As@WUcQyY(k|L%68QB&(45eWsDc=r>Za!52dyb zHQvDn?oinJaq1?bS6P-aK8v`-NxD9U=-U~p1MD{6pq~`!>~L{he=qi$ui8fTEhmfADpHtx-q$@$S1U8|0-dB;MG1J>8(ZFOKS9or1u=-U5DY? z>c6(@G-rHY5u87Wqk1o3N8SWfn_X2(%DLnA99~;hv8VEttv=Ha5uFcbDM`JiHb&qyt{6 zW%>YK&glf#YRXCP0fe%cRzzHs<(x!uO}9d0Jj=A)-tlFI&^AUbDqER!5cZLKUtMk1~ev+7Js`Wy3g)Ex+57W z#eFZ~JwFysqLr4jJ+AsnIn?+j%PS>Rr1nh~Yfm)D^F9a?XNvF6As$z$C`n#+_`r(x zBW}ol?PB-68%McYR^N70=23=YE3U-EPsum;9R@d;W3W+-<0&R|e=iK9c42_4$W$w+y-=uIoH-L59tFpmbDImp35 z`;$K-dZ1(LXOR%7!f03~cH7tyT(|q9sbG3#E(7Y>7gR4XIv7vooeo3OS7PFF7l<@j z{zow$^-p|Gu~}WfJ9d=7kb{Hv2c9@B42?<6UbR415Ku?r1sq zLdKnJ=J4p#h7W%0{H6)zN=~G<|BLBKs=n1U()TRwpd7A`fK8Hii$Gk!Qs7mO0=Yw| zxxj#!{)JeaPToS=z&v65Xha(%XLq}mYjXxWIS@m;ppcr$3N*W^dIwdMn4aj~Un$Yy z5Y+Q?AlzZPUEMZz&9&dg=eNs+gI4+_3T~LSmSZ!;4R>}Lz=rc2I17c7YW2E zHmccN+~$jK5CJ{pe@-sjWu-tomw3EbR^d`6pdZzEFU*HRFWg6B#uY-`lW2^a1s$8B z$XiO|a~jVxTuJwF^7Y%@1{|Pg#d!NBEW*_@_D}4N-{zXAynMXCr#Q^-6YO)sz21|O z;Me0-`&bXPlg1BOQ*QMUZ>Q&W3F|@wpeDi@fv(!ec=g2m)3UD@Y!@~@xtgZ{_I+>2 zJa4utC%@90rDN%%)6; zjNK35+1UaFTmD{@7b;~8SfdJ{CHzLiqb|w}2%X%n^QZIJCn=5=>F2w%mN77tODMek zKhf{M_anmNB#1pm6QeP*?o?-d*5oIV+kk8TJ&AkXi(|kD`$& z74oz`e?|N9tu>+{6??N zZkKxXy6k!am}M}3GTC*CLxg7#^_bDj@QG7|J{y#YkEhv?QLdF(sQrkBuCQ21Xyv+- zD69*~w7yo!Ym2h>>*4oK{$b*_+ZjS~&UAVUY_M4r0#kZUcK|!J+y92n}_<(OaW7SMIKNT<`vbKv|JGo0!#i2u@X|z>pn8F{mV8l z)$MUnk3+a#V3w^p)WpLlB(D}rgn7T*t_gI%kH{%Y_pNsJA#$iSjGG*)vf|n+b{ZYJ z3g*kJE-JnsZP!G&Drrghgt((HfVEkNo1L_(M6O5TB4`2x4f(bP8c z@8tOr{G^1!hs5M`XV*YI&I1XA;NrVZY#pQKur=sF!%==HhB(LOF=5_df-Z3@gZO#C zToQE_t0E!%uKjCu9rAa46@TA^G3JJ1NO)SNmEF(&!t#yn?QU=Tn_tFPZ~}NYpT^?` zrvaa%f_{m#LrTnyWk7q5NzkhQCR8F#{QW2s(yr`Oa3#K><9PNu!By+=4E|{hY#|_Y zFLWTS-MgYuyWe<38l5{ok(DI2H4XhwoZ%nqAYrmJW-{0~?nlD~Ke)CxJd89~wh;E^ z8=JikcLvn;!Dq-D-4FP(Vl#0E1$H*Oo=yJ(mZve1?E)~pg6YSPB@CC>cCTkq?xm9p z(w%bR0b~n&--5zgm_T%LG~YV&nQ%qlIoGTsR8{54P1Iwag2#m{-zed`i}2rceAb_T zcnMm5h9sh10okGrltuC~JP(TVq)9>;4uv*S37VUo;#@-^Dz}VjhF20I+toYC@;Xge zMq5)L`>3lBK5ANkviP5aDdF0K*ahlARLO@MKMV6WAaZ+30|tb3I-5mJpFOOSFO@jK z!b+eRX?XmwY0p}2sV$$$`Ew{c@RWpI45`N_NvYPqfCF1~2b_}%PDCOv&A*o2sdpLi zb(oUqa+^}Qp$E#1l4lREgIM(fYdbgw#SUrnowjJK3*H*#^KA?B+ub3r58o;)sx=p; zx%RmfDM9J!q`UQW$svjXcbsSoF@l^r^SPyaJg0umM(gn6v3ickN|53?HzqF|#?X+N$6R8Dj?l)|H4T8M=Ya$!wH^u#^LA-lbcQD*L zqV0DWd4Pl<`rQ%z$J1az6RR(J0!0-665Rj#gDpL!WAs+10$C1F1_z>dG~>Q9FirWxZifoVqY~1_JIbja*_nE+ zC#Xv8qNOkC;opEaKM1nOJ@chOL(gdXaYjEhCL)0nmowVo%DV!CAZ^~HpPkjjDa=~}#R$O6O(5=vN`t%Hv{_^l6<-kgb=@}8FTMCI= zSy^#iVx-kRX>gjateyPuuT|(@N>WraZ_Fk1bS7aWt3YPE<_VbY7hxqWFT=wZHnmyn zoy#X{j@DvjbD00<;%cVzjH5<@0_D4^V)S}eLKIM=_MShSE4CMK$`Ro>!6@gVESvw> zRD3VYif7N{X7PrYAiBAxRJ%U7t|usKJisqSiTK4M&n=ev*IrMO=Q77%UaoI6oqjyH z<40KJ|J;cBR?+K_;eFe5)qhO#2h*Jr<40kixT40AlUN2@!}%?j;X+?G?n&El9Bb~*QbnIP!*h<1%9!9TVT4?*{ zI9SAxVM3&&?J;)xuAK^C_qXt6q1cJ8V1AOX_7H6W_!MI`mLZ0^(l-r!%`>-dUM72I z0?Rp|4QC(lTp<3!UXI~6Ydg%%_>gBM?-eRq)bJphmfl43K1GlldYVDGo?`*;a@|xk z=6nF%-hr=dS=NA!d@tii=07=x+y=y+Nw!0*iH*Dv>@u(tBM(c`?6ZDwgjUm0Fx= zYd8Pm>xzsW7Qc15Qyh`$bBnP;7WDD7LuCF1Uj|Hr*^uTkUG|a$oM1S0_TZOXM2Vx# ze_JO0^??6#0b!vf!yWljdU~jA#$2Pj{EWqww&SI8PYAmVIh~{?rEiKDy__@w8zdxq zZylE)tRkcUT@N#VA&8GELNcw;j|rVs>Me7DxS&DKMfw63fc|ysrQDE>c42seHXiq0 zp)dSZCX;+Ca5n7uC)IQgvhHvB{X^WtN!Ve%m`ZEH@RdiGC~vqf-2*ijh8*MxSx#Ek zXs{C!+@r^IC=|vXx_nhyip)BEs*P2Q%`lZ`=J#uWuS^weQ$G(j!`n#vESq zL22OXPg;R3kiy9pa3tNEUCoD-;H@^rP?pSxA@^A`aU%d~rr{m+Vm)P)41TyoVXrHP z1n{2Jkvt1VMSW%Ary)GCJ5bWHl_nsl({ktz-+UQWFFtyPBw#;mS3R3)|LZKK!h*0@ zfsK*LH}UX-r9OV&Llj(w{m()CZ$A;YA;&nJ87s<2FzXLK`|j_dOe?3XOzkSV61xFd zIqrh9E5ZjOOFLPA*$zKRikTUG-c!G}tWWHsWr31hUzOb!v>r&1^1Si`)7k`TIj6jM z@#yj=dYR4$vCp9**^*ARVJzjbwiVg!5XB`OQ@gL}kx%u;Nsh0$E5?@#Ow(v}wBD5< z2aL7wmEtS0m|VUTOnWLSM1e?@kb3i0TL{>WjTA;tZLBVhhx;CL8X9>GXE^g0u*W<; zstKFzAlc0=svJEA@Qs)_wclRfqG%NBPm$qcFZSFtH+UcLjuEcxbk&a6#GH1R?cMhP zj$dL|sSveDzAld-Ygjt;DBh%6bHH=&x6_%ercLy5;;usk>ukec!3v#!&I)I44R;H2 z@_B^*EuNoWg&3Wg`NACJuX>l5cz8HEJd|Kx=i)AXQcpc{dcv5$T{tgu3q8_7R zdJ(XU%XHj&^iKW1Kp6j+BK|dh|6{%ot^yR&?|$ekmby&qOGgvX_3F#`V5E^QQKUm( z_MVzUEahO4YUtM-I_~U%6%>CGrjSp;wr^3iTPUP59mV}VYOk~(40-M294{u;37^@m zU(;;iMcfuQ|CUL_XEUQ>4C3FRs3M*&4}a*1R_j!mxG#QsRoZ=JDykU;_U)l7{-aN{ zUam~l;bz0>I!_Nj%R6bCLf#Vq4q?n9R;l8Q)!*pS1dZ|O zotuapQh8o(?RfYXCj!(=f->9i!_bQ=uD5(!|h%E zLMT}Ed#;hHc`f9+h3RUIQxOCc?@C%8X{>@hty8_{+pM3<;(c&6H^n;CZ5MmF4x+k+=DyhO#=ilYyv<6DU`(O{2Fp_7?7O$OOuazq-O z7gc>MDit~~CZClcZ7~33YTpn;5c?|u-1kDx4A>8>BUtURA!n#~F>INvQr&hf1ubNF z-jgE{OQXry_GpQd-A79ArmKH}gr@Je;&wVX@EOwWLDt+;==zej{FqSZ@Yt%3&+<^3 z!Ag!ibiIdI91xxFLlVg@wqtSq~7_FsSr4s{Y&gu}C<>rldN2(~1+L z*c^0`2&~}fuMBbUh8QtlCo@&D)NK4xMMY)`(cHLB#;!kdz6`v0v3k0QaV0677VtD& zDUxueQTZLhvFNlhyI>Z3iAC}=y!RsuHeT+BYV^aQ7*orw0EWZHli8g-xuY3=glI-O zFDO0PQv4vPvAM#}AGq47BAF4ZbN#>c!2et#|J&>u)jXl>uauaYno1f@O)K)oOrFXE zTB1bWQPZg^zc53HG<1lRIu#Ht9&OVT02sir?oyt0DeG~(G%o4QPh;(xmGp@A4yI>U z#B_lfHl4yJT`B?{Jpm@t7F`co3g#GDpr>zu=ej;;FW-OGehaQLKU&6wuo=_bclqeV z6>i-|_RJlc>TeN6$+`kmCNzsm)TZmsEffG5A~e`LE#STU_jXbn=F+x<3Isp2&YDQ2w9OE$O&6 zPpELz&;xc?l#NVhsZdgqn!E7}e2M_GM>pxx`CR+N#%13~g_z=&TD4nio=p|5-Az)a z_!BF33*JzQ6#FE-+KwO^@{2oTN*dxfRYM(W6O%vC@lpG2Je25otY8V#ZK~*nvl=%2 zF${$b!VO5r^s=r0OF`(J@OYL%mGVukOKKgI&`U~#{1i~;zzkW@vEXLjD$-D_#j%K# zc;?~&LPL&b)LF=q2{8M3-u7dP~<3I^1!<_!> zU&hy40;9jZw^Uwep#W-Fr8_~1$DF`u3X-Ns3zVHXV$;&{=k7000F%;TV62!qOqE$d z{-)}UFVptglLB^f-?#;Q7tTcyIXqhPwi>CT2yRMG#qW`_SAu+snyMApr4gT^Uqmae z+1OD1Fw!v=VV%o_3 zxtmg|%Ta^%BBp(P?qplLp+T;wK>(2xt+RU#`>rM+gyZCuP}~US`fTBqMSBk0p>|o& z@5mN(<6-o{UQ!d6RRgD##N(Gn0%YWA_g8Z2#}i?|+w| z|ASvcvK*j9pp2CKyhTkEsZ}X`=^BoeF&g1Y!R#`B`MlDf4o2pnm|khKN&zrTaXAvq zB6~Rni=^NKM@kElqD2A~vWIZiNoOSkH0tIE?Aa z<7_;g(MnrLjPddCf!R0J(UP0;Yh6W5W%>~1fn;{hf|UcCi4B);N`oFMX}6X0bzT{W zgUGL4yEdF&yFdIbl>LkE#jl@F2=*U^+0`>sC9P?)jUk$VeayRB9JZq%!(&QZ&KzyB zx9(w*VNz6SWnH(Qn5IK=WgFp*(##OhD*7p)=1xZ%49V*oTSjLY3o6^W6S_SF$`tFU zy^kpd1QB0p$V}7S(ddagd}!RnRcu9`RHcV&ZWXDi8XeD+?$8FYF%;y693l<|hqqm4 zwW{+Y1qm*H@xVq-N#J^Sob)h>i}@O?9eWnIAaP5%>H1|M_9YII35ld`m`8=rq1St9 z;u^98nmXJkd1hbA@Is1?_A&cCr86OoYtC%o<4?^+LH%PRRA`Yt`+qy|OiwS(Dev-; zHZk@UJVRfvKNay$*W-k|Io1>@Tfdvc#g*Z@n*hM?W&!rTjTqPGkwgn9<%@-Wjq?EU zT*Gt)_$POCpVhvzL>NH#Ml_Kkrw^mo=@y^amm#CtkTZ-f%bmb95>cB_sX+4X6tJBL zc<%4~5%(xwi}Odh<0Zw47Gh@fLQrG;V+!bA$u;rGbzN15hraY3dk-wXYl4Y6B}Z*Z zV#STl+4_&%w}A9t$s6{%^~E$AI`Ya!*U9Uvx+M60DYbPjAF=R}Q8Nl^kjMnp>m#9T zsoPCEbEklI&W|aw5_TIX(Z-S|TR-+e>rw;0dQ$|POh>qjVshl>d(LWs3yRXxfiSfnM{P1nQ zh4yYwMRG{wDdFJPns?xvaWN;u)cW?QQ7LPim*3Jx_Bf`>*4DL-P=?5+#Z=cxo}^qB zL<6tf@j^q9)ps8JP4SLy&xTt0CF${Q!;d5Rc8QIr%Q++L-m(%}nX*z^siICfP#sRJ z6Bqjh_U;9E-7>U~pIq5j{i$-4ys0GaH@eUM4cuSC^55&s7U(F+RiEk)A}DjZ%wjh* zd~ZXY!jvVAbl^heHX?mqV*2b(r5X(zW=cZf^#tk$*NwNd_4k+ClFG>yf(=r~g@DWV zDDa;j11*)$4^V}CO{bOy`<7AnZ)S~+4S?EwIEOwym#TQWrzmcT$d6u()N%m4dkmY9 zl|$E(JqmQ7Vs^Lis;TkSbuhT`b1nJ}O?_lNs%DNeZ%E??oz%jhVi?XFDC? z9s)&AKv_mVK3Y%h*Io!Um?7nc-Qj5o`C2KYZYUK%`^I>E3Z2HxQ6+a^W~}H9Hf;2K zwPDgInpwa7q7_1eVNw1bP{UQ}V0Ir=9T_SNs^QLmpazYmX+gw{-z2r&D3*=nSZ1Rs z65Htc*5Sv+*gEX>=|d`=;SWX*ado^}npdLBie#J*l{aHHt&$#@#A5&rqN@m*5t966 zx?tUD@d0wvK|K;1VF)@33Jd+NO6j@dv(vJ!1SC4zT)(!^S62P|UPbi22_Er3O-cXg zvi~EA|0BJ>Tzv6HyE%=)lf0HY(i3!G;~1rEV0q&rqV`z%*jmtDukf)1l{~#TE{Vey z5DH}Fu_zznj#_+PB)~{CWP<#b7hOBV zbV$#%SAtoqf!3u=(c!UJyiSA77bVN_;QNi~5TRnE++t2T%I3GU2AJ@%VH6dUSx)IG ze_5z`V&c8J@gj7q5}haHgWF%UoNa%sDC@_l#vVf|L}|5L=KFgB<{ec{nBc zP2i&ICQb1COPff3$n-S!$YgbCbad)-x966zIm^A~8c}ilwITbNC2Pgzv;;$GzTESU z#ABMVc)zwoif=Ixdn2yS2%gB{D~jax4vP`4y=*Qcy82h?cEA@J`>O-ma&mGhQPm`~ z*St1b1unbVWj!bQITAE-dR$M@^k1X*Kgad&pO{&yaDbYp6%HjNruIHM1}P^7@sp%B?@$-J7dP+_yoHo!To4B@{5KSt!Pdg1O zgh)%EmEPnt4nrB=wJs$g8A7jEf;;RDSWHRRD93h9<=#Wt>;;>bwPwpBt(8w#j)zEQ zrE@O{_u)jx?#9^urJVX>jy1Z2OHu3@bNAXm73=BXyGugDJjZh+$A*mYgHOhd<)F(i zwQQG^;U5uh#f`9J%N#zH6ElRgNS{>7UsbyxB%@U~Au$>laFu!+NeB-D<>2lbY)(In{QxtGLMEw+g2qe*D{|>|zmoDo zIHqXuN2_tGso0ITpszXYn)aU`ka{<jMfaNywDw=tO*CnZf6k-x*2vO=mH#y=B$8 zekLv^8|$0eJ5tA2NOfhFA5mkcIa1(|fNpwF?;nR)T=uE>w}YE@lgv?$G-KTiV;hJe z!7rE_;aGB}mm(i2m&ibVZSZUAh)9pNHi#giB5L)*$Jt^; zGNfeb8B)3!t|0Bq*<-Sy3zV_ki+At%n@MNIoxNf~ITta^NBsWF_YHd@z^Yi!idGc^ za%xrbU~zsqQaiq@V_bU;wnW-9>}@JGBaGLiVqQADxdBr~Om>?;M%O7)( zz7nu_9yKDpgd|SnwS^jB-Zc3-6obcgGAK*Ntc*7*V-SM_VG!8?|9Z>GW4eW&aRT+7 z+}pIXX}qMe=d3u+95u2Xa*ZOe`8K+v!v!E(C(0CzX!&*y^MPo}x+&oz>za^4Zpbx| zX3`^&W;UMuE&^E~gE_$}vS`pK){k772kduTBZaZ(?hljLm1|hnU*A@$Mgd|hX=yr| z-bNd1e>5@_FZ~IN+c2Dx`O(M;<2D*y(wOXG2(CW{h8HrRhYt_(16mpf+r4k+wk-Gl z8X>th#(ki;>o8MMHVo395QsbZ@FFYIQvBSb;z!%${!WRV+jvwz#FF;kP0ImVR{|tq zn*!w{GTC_LAj>!Of0){;p36BKUA2_K3{p67irGU4?jRX*1HM4RG|8f@8+xe z(+ZFUpiDhiYU~wwMUl_EbcXA9w_qC7q7aNx_L+Rk@J<2h3fQd**Xaep=YE89TngXX z{3rldqtiJaX6^A_iK;X9lb|J zcM329nhkRNfvk*83f-T5+WhW=5Rsc!Y208J7h?(P0EC^fO&G&Y4YW$E%fl`sqbR3@ zztYX^!=8x_1X9Y$jt+UT+RKNdp?P-w1{s*-e8YlXyopMvSfno#$%;iY^3Bs!!nJ3W z`n?*A>?(EB{n2&d^=S!qss7dK4YPBl|3qZ?zldUhD#yzP65_#>s2jZ-^wBXKbvsao z=cbOe5+94tI?}1oMext=XO8L5My*WpUtAAtmhM9etNs|q!3L8o_qYyr8y8ew0Y7Vr z9MDIv<8lNc1*)SunmEI>@mzz`Ue<;0bINHkb@8l@-YVa&(rYnOL!-AdG=2zalU`D>@~L}zs&Vsxrnw9B4Ezx?KZi4jhv z8rPaf+5j+B^;o-pvt(V8Mg(o`Y-wsH33e;j2b|A|-a?NLe;?W{0qmwexr{7wv9O8J z*`5l7q34EDrerKxeJmly&slQozg;g8JQ~ek8GNbU%%bMwbbbD%Z)v%%?^o~Fkd2rS z+eX5NB7QZWwA5t(>Y@hh9P-}`MFQm;lVqKOI#|o?+Osim4n>N%-y}LE&8zgWwaR^{4uhl zO5aN|Yu^1R$#fRBV(Zaap>eY-TS`P)yd4Ppl)b6crDXZ4g4q9Y$h;?QlqD#$Bc$@q z%GAdjKcmyvF45DaL?=Hc@!1MkqlUN*ljdGnlrM5CjAeI%H?#BE#mD$mNbPI{+SrT4 z2;ib9r<7j{e=a%>9a-Z@5m$2$a>}y})~ z4bHC@JNoN(P#NJ{mZ*tR7)`lN<`uJirP1%H2g>~A}46RI9+GkFU8tS9*gwsOMVlKsqZaVRg8i}>ikJf!%79#Cut9s z#2ysnxUwVI&tD zb5na2jxblfz)wxi=AC+3Nw8%WRDEenvgC47bp7y8_CLd~g36t{g-H0Klsh?)5(<5K zOBK{1ddlCIt-&_=%!K=@MG|t4Kk0O>oO1#IrG$BXg} zghxADpk9i!*ADopNiD*Xj9fYI0u|NKzj;E$<;WM_pg1)tP``Jgu3e_3lPG$&P}nyV zxr%z=j?rJt*)(4kYNS7p8Y*cQ?(D#arBGirB4-h6XXR8OSSGs+mdH0w(6v94Gk2$QwQe*w*M%ZxMgQCrzo<`VDD zPJ!T}hBPm!I*>u_0vjtX-;!pM?J2=O%-R5iYWeov9bw{*>SewZ4w724hWb~~eqO(Y zlwM4A!K%_&(5;{bOH6P46z)`^8RM(!`z9hM#eX9|0rI@lkOU=7A9KozL3??lnt#0S z9X=zuoTP?AvBtHTqqpR=*~#mBa%#W$cji2yBnXB%pMn_*Mrd$Yrq|rg&Km4+u&lpR zDf?1G2nSlRS&3s>WHq=Uy-X|lNKUTdFJM_q>CDHe%2?aRZcR&IMqS20UVH&{^}B2$Ct%ZJ zM#13B#K?#EBSYt)^*MPxFCv5Hf|Gqncp+6AMOq7Iu3;w{u3tuy97}M10(4iX95@ia zOs3GWiL|1qgc@Ai_)L7&1T1oNyu&=^4#V#0jem30nQ)~eEqUiyDf_~!9x=z$6yD{6 zhqH#V|7H+}GRwy*X|x)@fTTb8(-TTt-gld^O_q-lD(0N66wksUy=?ZPEeW=pwN@#Q zYYB@J40*c*UTOVGjA%D)(sQMRo>q=O4smNiwo<(EX@3|aWqGRlNJAP!KK4{Vg*HSBSSasRgk(+DWnj~C$M5O-ICG#l zCrFnTX>5mGvNH~!&poD)e=jhZ*Tx9MxRK3Si&QZMhzbkGZZ{k?j*hfF@boEaC{iHZ zvJKwtO;zRB#!?lh+jOeC=Pp}rqpiVc;taODvoueS@lPZ};RnZFJH8~de=l=cH^ zZdNsz3nTKP@1XlSmVe&1FpI$SVc6zC>t?=TpY(L}n%cN0SjJPR(%SZ37*xd_ zTVmgRyZZ@MEaaniXe#!bJ!qCd-stH`>VUfAc=K@BPW1c3QPR`C^8e>)zcN*%R#0Dh zT=Ps67b|+ltS;oXoXAV*kGJX7c=Vt!luovgOL)%nN0zBI8poUyx7wIEC45J9*qk*r z)pd{%zJJ}C-Z@j$Yyp&zN|tabjT)KmFJw9PYb@Z%@e3TMt# zeg*1KvwSUx-cCCtXj263n?NqG4<0k!!px z(uTEyE5*PzLy&86c&3Qc`}z&b&ZZe!-(onsjP%~ug3xYJ(!#4i)j@=;grr&G9(hLq zL^5sCPzuteHxa zZ3|2Mt@?8&vrlmqZ%m(@IY!ZKYpwuIoZ-jKck?Jo(FayZ)J(_kXdD z&JTO)C`sBy+yAw+(x!YxtFIXw0KgoG8hd~W`zbhOdG?bPwB z={9a<=Ine>y|O2OE+*B-LZQ|S+iyL!6~I%^`*hA5*Qa!Tb_l7MiBUQVY_)!hq%XiI z_CO+3DdC1vqXE$w zbM;#$dnv7PdUxHl%wc^}K&SuSWmFBi)Rq*YMYx-jBX8MX{)Cq?TLeF3uKK3wu~Etu zKXR}ID&e*KSf?ufZb{6p8A!Ild6+@y(XPOAvB3wXgm?U#N#&ce`Ntpg`o8s-3wIbw zisgd0ygO#**M0Nwr=2<3q-c8@O*G1*(O7^sFwn#m{M|3d@c#Z`-HiclT1v3#c2=Vs4pucMYD1B{eQV=kzdL&@fD2sPJ zdZ*9+W5qMq$YO9tG9LIRpJQs7LJ0bYlGa4~g`|YTeM-+D#i~tsR&b5Ac$dewUeko6 zs>7<$vB{LWy1LgcE`*%dl3q2}$#@sa$U^!4-6SDJUd*@9A090Pzowx6PP{`@`4$b- z^`&f0;GKxj({(yLiQbtgnF{OvX1rt;RhWOQ)u;Ju?l zN9X#!Cp5c&%8ypLrE7JAp#FLI5?%qS~+gvA7%wRi>MCNRA9mK zdPKPDe@YKTnn#0qe%a8|?ohRUm3%c7x{>6CL#JorIijq?YzkFXSqVekNd_x_Ne@i+ zN`GTd`Kb8Ull-j2GDKF{<&5($q*>ID5PvbyvCA+K!5zYzW;2eaO=3=7;xb(rW>96v z0LI2szv~1^mVt4{AEUI&nSXu=uH7qYg#I}$Y8=lt`19VU-MqkBi%n#XmqZg2fJV|W z(UGxQPR-6{NOICznEJ6ol1>78V2)@*GhdqL3-cZrFP-GVokblY11&*ImdEzE?f+r!y~E+|xAoyD z35hUTkmy8qlQVM6K(X-BD#qXBiaNJLG<2<-aCWny^n4fykF1R`|RgA zXP>>_bG_Gl{eFMBhT)pe`hKi+uY28Vtw7n30e#QqY>;o(Uz(oZ@UHJNt5x?aTkLU@5<>o%qb&CK^2xsnEk6nHujWR7`$BDJ^~hcBkM_z` zrijM70m1i4C~FT6rC{?kb4qf-md|bj%5aeMFtrEY2QhWb>aO1Q3wTsga~H=4k8V0Z zDxro2x1_R~*l5v@hi1+Nf+3iGZWHN)kkd}vB_o^MazGdEc?+&9&k4aJr^@(kzyuq- zNx2-6k*P;96kYi^{YC>TAfU=SJxS-dK~~V6!98<-Gdom9x_c>59YkAaL=bLin%!5^ z-4t(>twFM+$RSCYS*i@s#hO0ehUv_J#7R({TcWm5Gxg;THSok+NdbQqnJUtyD)iqb zNc~Ifj^<b|Tew}n*rC@bY*FV3GYxqhV3@4*JwEw0O#cw zCgaC(u&r}2Dg9rPkca+{-}%0vt1IfIp2uI!`k}RC_dkF>b zA+>?=C`-gTCW+RmW2c3YPfJqCuImMsFfEyz4HiCLa~!)-`fhnb(ox(vihz)X7V2r+ znG=j}>c?(UM)OuvZDh=IF*v1gZ-{mH7vglWEf`B~yVufdplw=;)`2YzdA0|u2`sXJ zq@+(E;EnVcPVj!{!1p%L+}(#&BEUSCP3Bj)(JP> z??@7mQZwRM2l@kBV!{);TP|O~4pEQT%fEH|8w-sKLN>ECh;vorIl*;=o}(fU%$U>f zP^mCb$!S0eAKeu9PbF^Gb3B=sGpe+*qpNNJTCNZ#9CHC^-T<;v;4;Q%sT8h)1f4x*uz~!J_G5d-N0L75|R`unfC%$RXcvFtLwp2XJbj^v3I{Ru+s8`wk7fS|H~JKsB0k7T}|byKyJk|WW47r|IZzNSj2QjHz0 z)SGi9(T`*eH!JLH3DD>Kr61{0iNl*z@lf~T1UFkfE&WD7{`B+BkAtfjtS0XzmTu{o z02-TiYAHzW6QS6^%BK#iq}V%PiNlv*4>aU&O(oE|KoiHs`$+Q=pv8fN_TmJpm`H|S zBlxU==su6)s|Xh0deHbR)Y$%K1o?k?J#P9xz}e}2Iz~?%MfzS?R5oIc;xn-n^hEAm z9O-V@>Oco0qxT%MG8`^{v6qgBqG?@x(HDQZ_zO`fpOiUhYNNxKi=e@hExpJ$Xl62&k9|CWtdqE#S z!iX7QT_y93K8%MT)I665qZ6y1exa_#sxV^AL+owaF;u!a^%Gh zeiwkYc53yOvhVRLQgZN7JF-%JiqtJ}=MC}h%ps0-CTs7kvc;8x`Ekz<+w7ZVhuR(< z0+U(mMqBA#Bpuw>s?m=@p_NQ8*@GW!tSzOxdy_327@jBn79Rk~05jJ$sLD2DFyR? zCu6<%^oN>1>;En_e?SXi#2fr)4YXZ5DP#8k2}b|n`~C%(eRV*HkK=IJ{!qf;{7wnW zU?Z0~4~)#4r9$~#_$;{@b)T{)h9A+6H1TY04lln?E6FyZq&J%ReZJ+*F9K$etWRqO zqw~?%gcHkW`9>$2Nc}B%p}QVX_b6a(&S7^xX#T3Ctt!c5{geZ_Df*lGQ-p4NYUBgc z%Exx(w4Td{;c@kQtHiIH23z=vJVKOAqdw!&&#v`+GW}ug*t`(jZ)4n3ie$@bBD~bA*lH zG-~8iBQD2~en_w=(1shp=;;_s!@3^IN+3%IaXL_BRfHWpy6S|67%X^qd?0CL)Z|+l zsv4(;Bsf`v!lE52hTU}+Tk5LxN1DG2h-I-geh4YoIo0K1_12ju`>?|A)UWccGbqke z_(#IEfTzKA4Dw3~;6x{i93!Clk`WSO{l@#5jdTRg-GS2(-hDGUB|dK}&jMgPiVgvz z%c6F~XpT^t#WVOvEoV<5+r!F!=2eMwpn#CYd8NOPP{VJ1h~qFGwq24|En=Xt?R9o) zeaS5;JVTuSZ>X8)7&$c?Rn>J%hukuNbr`U>{A+sGkREV_Kp_y;tEf_T|K4xr6Zwxr z&1wPl@1L4}$@RVyt$y!BCB(BOJp5awyJ`mGAsHa)f&zSsC)rxa(COU;I48mu;7l}N zo@+u>eJZE#vaUqC8qj&mrMh@-nG4h-xY^OzMLfumlixs-gf}Iqh)Z6W%0xqSNO7c? z%sU?OV)?NKY@~r*qIP{%twrOPzVw^h&^1+GmqXY|k>ZG+`axJr-nkrZ>{mT$Otxay z7!Z%ell{i1Fif+_-*LBr#Eiy^FhT)$dhd>uRih8+d+UeRM^>_W);2bP7VEV1sNHlP zvSYj(_AgU7lr~vE<7?Dq!|bc|wKX*&YOrdcT%gtIvX+(wfp1FTU){9-VfbU<35B)u zJf!(1zMH+OIv7uAVFR>sbfNKe6Dxueo9G3lHfcwa$~eEOZG{?>L57JBgn;SXTp+9w}7 z3W_~E^PI2i^z zvPt_5=Km}VuGO>s*TG7k8b9G4?F$VD(*)lgJgfC@H?4}fD8|^jrT^;AUL})q0;A9< za8z@i%!>`=GzyTLMGDZdFV9oVWmZYIQMV$eoDF-COq;2sZ7(KGUG9w_JvLV)aJ1%wDViS7+%i)q7SkgQ`Nc6zExk&x6 zlQuj0CXoSSnxp~0*vm(<;M&%~A&MOLaXsoBH3-G?MFq-y4+TRH-WkhBhtl1pH)=bE zpQ|5cE0aXNq)0n)%B%fRck~|aM4ltI!RfPoUC_zCq_e2}U>iS?Gd|<|VwZm5JnbBjhH|sm-e>%p__vxo zF%OkqGBV;<%O4KRansh?cKSz^TAJ?N)agMK{fim2SYsOB|wp!-v#dClQuU{+=q;k_G487w2dInN=WmqIgY9*ay#+Ji(`_5ztg z^LNMFdL2O~uG);gE{n3U)x$Z`(AGt+t%!j_rT0Eoyo)-^tLaHc2LOWeg;jfXinH5gNC+&>2wu@tde#Vvk&UC5MKWIi9s2dIz2NGp@a0_#d z%DvG_Khh1F!)P*H+f5G(Re|y(Fr4vxTD$&drZ|~yPG7~a4ZU$HQh=ZTog#!aWe@#c* z37h8(9YP!F2Rzdn1s>dlMzoj(Y&84E4YJ+~2PuFV*U(z(?kebyl)=Ql2g9jt)O=Jz z`@XnJ;992`yhbG(Gj$%}T!cHm6f6ValrSxq4}5mV49xWnC8QtCmwX3U1)rXmcy)t< z?D^|MaFvn{O}5ZkayqBN=iiL@n+16Fp)FQg&6Yp)N1x*HI9X?lJ|U}?P`9tdtxxJtG#rSPXB?3i$ijMx4KB5pINdV~?2-9PuU29iBRuJ;m zfJL)vw(ieTwqxO*)f-{T26 zq)G|zyO;~5agbblhiCaEpG#QW_P&^9XO6Dpev*fgUoV8KY;SP6E`rRPGEqP{EQ4nC zO}dbo670RMG>Z8|wm~i)Ig>hB4givoq~w5Wl++?HJV6DR`PT; zq>H9e*PC-BSRJzz491Wyf7UR1*fYcu))=1@7Sr~bzN|Se*E=iImf6aO(6NFuEXQ5o z!9?aDiz}qxx$xD7lOaVOmp4Rbd7Q&_7b3KX}rT0~Wax_LvO-t=#&tuaJyioGL-w zO7=>-Mkv9)AW&73<#N*_rJUMw|%W{{fJ)z2Q+4q;%%`}@!S_`UB!_*lXT zzPjb(bD&WcOt?*oFL-Fx^2Iz#n%XBs4wK}rv}Zx$kI?>Y(XDWMJch_{p3~Qn1gQcO zqgE+fopmPDfK99YN}AWuzO%>8xIg@@w1dEFzJsLJx=qRPvnfs zW@eO8KOVafE_e&zKKWKm$Fq4S++#UxfgD`_Bx0ZLU{}k#hfL3N-ONPXsb7z0yz&8t z|1Cq~jeryerae}6AHK~jGG_SlqfxcE+79b*7|fQpcEPdh>{om1aIbaAuaiVD<(OoE;quZ0yZZtxn3nG_<_6w{6u=DFZA92?A8v$9z*fB2pII0`oofL zv^}L`G2nYIqwM_Ro>7{&`UQ$|u@_XWMp9FK#R0KQ`# z+wo7PyJ#J$MWxq>wuTR)do59z@pEfBe974>Ls0vxFwY7d)1zho+u8qo+W)Z9#pBsz z6wVHaKaKh?{{6WyF2zmvWXT5o`nr9h6jC~t=r*S`+9Zx;%gO?Otyqd>Z~fV40{QN! zkn;O7wqH1?a{0{DY05!F$xFei~JI+Z!aWDQJgjI@;eLigCJ#hfBcuy86 zQ$=i8@BAKh8w<5K-_ntNHqHh0;R3hB4%MlFpt$!w-JYgYi^ndPGU0PZSu>2e4kwX3 zAi*55NM%9Zbcrl2pu3HAVq|1zW`}veS~Ov;>)bL-op4%Nq}cpBW|U>OB&O1zd^wiU z^wbE||A3^9d`TOIZHI$=MrNme;rWT4%%!th0awG3%9a#O7xMA(*B4}jxF#9Xl|Ll@ zOAPwUT>yUe-4&>cisZ`RnxFs0CXBd18`^mK8ll07G7F;d&OA9t*+-9UK;Y-e2^fj(P2w*ygxJPnR%wq_up$cLE0pQ#ioJ*t*`; zr^9vQqEiDYnmto(6;+5GVD{kENg#)PvQ!D8G4f!($1NQs$3K)-%D-I7d1(CEg{3gG z-~+e}7ePhu$BA^)GW8gFL3^~9`9>YqJj=o$zO3LfL?@nC!`IrmGbQ`Xr86`|8U{pv zLAXyH!)7d_)c$HnUd{+>9_jik-!54e-B2Q(%Ga0@s2S;v>bgB#J5P5o+*e_+WukE{|5WM%3UufRG zqa=BHZ)}*FA2WYVv5+#5D*5rR57Gi;Shgywut?&gA|2b-^@Tn*(;ceiy*hKQ6!V91 zzhTSoQEJaX5E$OEw~zpZ+8xZ*|w=|L**w&99&N2c~3jR9TIfZp8VM|GcT6r2Vj1_xCI2zsJE z{|5}*^|rAxaD^I4cx#bPI59QE;Jr6XqrhAB%68^PMaNh}0h$fP(ML+R4?6qw>zXMw zfi14AzT_r>PyU9GpETrjpHb=j8_WXO0l&um_Fs)QOpQz723TUZ?wAPnsonOVlGI&} zkXQUfp6&@z-_xU#kcn)~&mfpl5!(lIvOwvyq0~&WFMto>isBM$`Gon=RZ4HYnw;J_TVOE*>j};=Ta+IG^sO+O#QGkwz#?V|qQ9}mVCe6V> zMig!0Xekt2dsqj4Wg@m4e2j1QJc%<`4zpi@vU#Q|Md-sPFE*Uk1V34Q9S(*Z z9Aqi)dobuBI3E0v+<5>tw`6|sTwxj5AVT%tn9qQpm#9hoRTqenuZPRR5hlXrr_6)B z&c_RDZUkxCk2Fh)p|#HU+7x}37jvYASR?LeU`8IollO9{Fb|O{2*!P*Y%ARzkzIQ9 z2amre1*GT)2dxU@e|DCCy$yf7;_qQ4m6%oA2l-$7i%~q~Ud@xZLnN6bW*fNzB$_j% zlbEAd9&s?lXs}7gR6KnbUeK|%8;oU7A$LXrDjc+?sb^~^$d?P=MpuZIv;2${*hj@6 z42I1Ek>*Pm>kv6pG0Ua=GErpWH*7WzBVP--Zl{J?%VBl4q~_pW%_aH)UmR`*1&w~O z`yDXT@GYM4SEe!ieJznXrc5|R^PKQj6wBby*r^V;GjL&W`tT{`ZE+V_~Tc0#IQv&egmLe0OyULSX~>MXNB5y@i+kSk8s-U)JhZRv zxg1{|NZ&e|D>qnZjm$Jiu@XWXrYnwfP)HZPK^V7E>A&(13!2OKl+@*Utoavk_n%Kf zffcx|VRb&5-hVdvB`1E8UwJY0qv?Ey^8k_iMM-WH)VF@oBr&@`oqs%_V*1;hBZ>@a zv`Tuo>)#gJ*7yO-(&r(9;bP!D3QOJ?AfxadcNYPAy{vZ^0+E!n(kvBYF-miw9=Do&(Q9<<;yAe~PfEL^7VAy? z`n>8Lt6YOzGlcOeGAr6V0q$YjX95NG!%Td!NP3%SH=1X@d&12CzeA)>$?#v{#1-Cp zz6-#te5~Qg@((w=RacQo79!qPUOUs{Z<90`>vdYN2gP99&5B(`31Fb@WI|4U0{caG zJ~r%o_de2KEH?K+&EJ5&%9Ghc5v6f(J=U5#zru*i-i(%zlJp&}2{mKHArUSEmZ?I) zh!El~A5x**y(CWP)os?r7HtB-0D>iwO+c`erggg|dOGtKW+2-1O0Wdm`7WJ%aM0lo z5_96CECd8gFue@%kWfx)=-|@thdmq%p~9#;D|*;@>>hWH&XYG{7V6D7w+(J-?+#W! zxGCIiGf?HRTJqT2>8nqCEAB@R`C0CK142i!hQT40P7O&ueER)G1*JrajrgVyzxSe} zbcFZ76{zp-v0XoUSK{$T2AFE1>;whqULV(@Mx zy+!&QRjLu=PM_>9*iCLh3xo{HO7?qcwc9anZr@Atj;Fo)#BD1hc`Fymg|TIZ7u!pe zdzUfm;uj|rTfkE+BMMG($jPfxNo`fx!QOeF*#uv;-+b*p`X$q_8k%@v_fc(af6;-v zh9nfoC<#9Py8q9y;z=Ue4`4-N^$xs{fDy)$I`X!*^k>Vb@Uf8J{WcC|jIfh|dVHyJ zU|trL(8MsJXy$ISG2Va@|H+Kc_*T-E%Ra# z`>Ao}U;%jQGx$p1hyl;(%Z$4NziV;)`?4UCL2$YbyUy)vXVRYl9_ZG6Y2{()hCNDK(3v4wlAvXzmoX7bRJ(4G$1@Pn>6EhiEr2ro*SGY?YXW1qI-(F> z1{t5)AOc_r^s?0#EhDL?1=lUHLO_z+nT5?(g08M{OY_R|*>-4n+lGM6)XTcH!uPnT z%fj;AvxD8cJA(C_Q(JC$E$?Gj?}v4{+t*X=bIb`PL;_<}GV4y= z+RU?0j%;Ska!TarBwEh3UaM@ZPv+MfyN>X0j28#HZa2?ZU*5)WjJPgFD~%_+MHZ-n zYf+=NBkM?<=Th1Nr8nJ?z895tC}_-q;wIkl%vm`DkyJ)sjHjPhb`T-%w058{?*9OY z4nI83AVsIpVQPr$&_yNN*O!rfrz!5hv`FqVNo@ok$&S_K`6;cT?Ld&-;x_JTn!jh-Xk*AZ;)THWTk|NKDsYoB9Tf53hwhS3+>QAO_(yUSd% zgBwG5yNkD2+n-cF(X@0{%k25K=XY5yvWI_M)_OYsOr%fa4dTk~4vKzy_RmLK!bQOJ zHuAmxZ!ua=_FD~iXzD>su`$O;rpxo4F=%sP?N<4WZ}A1k;Zyt;Us+>Kxi`$SzGp6b zVQnXefu@pk&2aL}b{*xucp};q_jj4E)5Uf_!H&dEff>>39XvAb$}Ck}B*N=CL1Xu& z#NT6^Uq3^}sTy(Y4e7x!6yZq`fWpnYv^xt~->@hUuctn$jPzLI2wo>=4-4mI@y=F! zbMfsX*PUBzB(DaXGPqpWrF({xm(Cy)5d;Z}#i`V*P4bID1c@ z%w>|(2qpOVvbf605Pd!y2(lX;e_M)KNdzMw9K6J{!ReYmi;%&Dt@JxHD?w$%x8|W8 zzI-Z5Sr7Q@^=!_jRC?W}J;va*@oiK_@19g@+hpCu0fnS{L-dt6e9sTZj+PLnFNeOX zWn&fts}|e0D*JY7&hmteex~*av~B9@;WG5a45TX=hEw%u<$82?9D*y*EVQC%qe-`! z+O63@lBA@pk)=xg-UYIVk50&XQ%w23^u-Cp2G~R!i7zWvRuL@8p$NYVQ7yI9bT^8) zcL=Qt?jB?JjY~)E6!%FNJJexD6NGFM_J)CdSdhxtvDEn_*Sj$beJSA{NluLLjQN&@ z52cqEXP1Mu@jgf6`w!C?|5-pKCB(83YO~;gUX9w9CeRnSjVbeIYv4}DXvkOuf~zE# zR%?dJ$}sG->Yw0KvCBvYlSG?dnd$mP&M|4c8|;(98+mW0s`kWOT(dgzs}#=RoyHpH zdgNq(gxM1tGIxgq{SD{!$7ka++$*B!QJY-*E^u|M&*8|}(Xe3Oq+0pZXKBF+U>o;O zn-%(tPxC1r+ibM%7rwSSGd?>ZfyWqCr%|>J&_yNXPS%*bQ+~KF3Lp0Z^V&kmEXj1{ znS3Bf2=kn$zFGMfzSCV62J%FoCrsI={3V^Bv)`u9t1ZRkm|h*_e$~But1B31iM9{cg2^k3UP5`QZ(b(TkDVc7*bSxFU7MZ51lCc=UjZNhqt~!GTVo z6Xy*`^mIQns>^hLG1FxJl~PYgt4?~hem4>00YK~SE~XpYA(B}xXoCvZ-#aB}9vfC9 zM`Nyd+>_udz*#l*wTc`)7#(i`a!H$Xzr-6eeMI}r!fw>CFG{LRN$3;Z`@*=K{4Y-- zF*&o_WN!KZzRmgaxOHvnjI#RDpCI|^;hTiO)nngDdk6tTg|CnyabD%Jfdqi(E|Afe z>?3sQAvU!~24yQIUZ^ncpG<;@pQ>&>sc~M26nUAypix3!Hq)yvzV_bx!QnBgI8o|w zcnG>cJjV9$m3_lR-jQdYsE?l=Fr5JtJLR&^3r&s5Z;hfy91!vF*V8ZJ|BPlu76L=n zhc29VgUZVCbA&O)RcO4SX`j;xR=A}3jBg)8qI=mHciNv|(*i(jTK6{E_WNWUjG=4R zwDuML#0)M`!&&F^;b6O|!wD4d)!ywl%*JdxLa?{!(#Xlm%t#B^E;u=vb$+Ik7(mw& zUD_vkoaD38EcDHBL9uL0c=A3=LIg8oZjFknp-rxCXcDGh4#YvubUYUht}Afvy&Fpy zwefRkqE~w3c9*i8Yfq{X>1{8Dv93bT;n3t6j)zMs+_{!go^*B+Tf-f3`sR++J|~Pe z2*%@!2*JK0k!g3q^Gx^FyA}nXbq%g=vCj$UJ zzxLvk_RpAFeL0JF#r21QpZIMR4?gm|-))dA_b0;=84kWPwR?PL$e10{_Q9GPjIP?p z^0I23C%}}qzi^v>dxgDDsQmy3WO+269-cc^b(%%$$~?P!(I4-~_$_(QfM=k4W@dgN zTLyo=(E{mf)mMKIX6$hoX=R>Bvh}m4%4YJ}h4k=m=f2M_-j4eOGg~BI9HuLWyeyGt zUY>pRC)vi*o2TDq%qB^!R%&GSRa?hF(A@>pl!v5VjAHo6$@OPnE>}(W7ElcUXwT;@ zLI+&H#(oL=lm!mO{!|hhhAr5@R;C8j#gp3Zc^Q}b)De()uf2jeVVt ztxdoC9m$MI%~Aewm=2fOwUIUOO8*d!p?0vj2=G+9NF};D>sJ~a6W^%K@yWWqsVQAU z4+V+MhFW%yEzjMhvCRW#K7MH%8W&HbG7L=F_OmPgxS`%9UFra{Dp^JvbkRbU}C3a&Bn_mfe`;H1+Hu9O`J?MzuazDD%rV6uB9V~@>?(34*35>e@@vO0jp_0HbqHnpBxaty5e|;q9AaY zi}#nzShb1D_0x^~-O2~*g1!}QGVAfNN%U(45JZu#Lfgk9@ooJ?-;3;Y5dQ}w*Y?!l zNj&vBo8ceP6!jA*hx&`RO%C;}OJa+&cy>VYl2`TvKo2eA&~5W#@d1nU$ca;RH8lz| z;=u_c=bkriQ)0i}v~o@tDt}jHvmG=7AICPo?xKIQjj>R)%c)i71kfjK zg02OItZfyrMm@V!ehI@Y*^a-7Q?AY{lzytu=#6ef0^1~i@}Z}^!+9zEi_DrnlucOY zh-$9;c=e10BrOY-_E~2W;pD$8ehXcpFTXP?;C-?cDj6CuF@8OA3bcP#bGpu(tGXgn z_mb#~LwQ~`M}T$=d*qN~sigh3^E~D20(-BmFChlaua6r(>zeSARWpqVSr7M{c&;rS zoSaTy#+0vT=X|e`!J-2xYI;kFCrTQ7Iy_wa{G~2;#b^BjH_bR^3eRS4*o~IosH2z_ z?2}AnSoxX5j?1urwpm@jLwAyHSJc6N@xhqYYw5F|?Y9kTLt9N+;R6*z%haH!n(2~Q zG;7(+1;NA(+LFTk8%V=+HLgAdTmV`iWEi@9Qf^nD-rHDMRBt!1o3#J9jUfWpSf(r1 zCXaeA-9b2$hM13E#xYPZ~?jUSGc`9$qo8gtxue zW$7ciIKAN!yJDLtyfMCl^s(0v&x&0!Pdpqe-tS{HIu82q=Fhy$f6_Kg{6U1;4{<pZuzr9ZbEbTS!z-S`ajozLwZ~PsnH(iYlwkE$a+ZZo3>fMqRcK zgD)DRl%=A6h-=OjrH)PdfTREV*JrYM zEEZ;NmQ`;T!_Uv}+~j!uv-;>>nHMlfIwTW*)LnOcypmV7%`!O=QCT3zAWnLT{?ABnC%YdR7UJ~&l zz0RJ(+K-YS&Jx^B@%?899nW&@h9a}4^`5C*?ygd>ZiShNP;L`@ZiA``w(3ZHZ9S(L-6xbsmZxFIKGoi<#KNN*vGcC*vBeBS9y71as$$;FoxaQE zDjyPY@vYW2$$aM_4bb%_+xCWw(28e_)wB+kLnc7mmi)byHz_lE+HMHqSH`s$*gp7hA3jul#m3fP?c z!RuKWQQ329-}=izW()Q-mTH2O-#a{NW2htXQ&K~x(6>Qi{1qE11Y08_(<+I0e&@Hk zc(>|pBt*@8QUZ)!E|LjFao`}%HcSg28#?2JH7HI7f0l@OwSq=2TaE_8Dq(;xCCgpJ z09h8|kb|W^GJ|^+VY&L z*=GMUaq3#_0fglzo$edCnsv@EXMXkCeM}mi`D!;&XuGPTCkoK?%H(wb7X&2t+=g#H zf2P1#k_SH9?Qa52UYs$$CO%ILET49Yxl~GDpG*dpG?emAxILAymIA21pan%osnuDz zNcubyu|=jyiyiwQ%T*xHzdqx!Av)l{r7yp`D6zGM z8W5TB>=K7=eu`?OcO2Uq{iYm)ivypcX7pN2mCvKxEie?}Sf}?4nR42&tK(j994+0* zgK8gVi?FJ8JaO!+M+dmB6&X$}?J9B@@GZQ5`hKbr3h>Y@@}u$%3m&+sg%*7bqvJan zi>nY%6nf50f2H^L48seJ!R_)HoX`We#*h29wTGk0uNf4w`dXYA;3`IAD>w76+mskg zBGcI@~l~Ide(a{v~AGYH%3il zUqnr&C^N-dl78RFnq;&90PB-68q%Mk6@jmRK=Q%W*ju#xvj-*J^YrLW4|;MFS36Z0 zU)-)c4*^)p&7HVzc|G;|{3dV&yPVu|HThOU`?`TRgKPz3#69RgT;-n$x&}(-=b`vD zFW;t&qZ$dU>f{ACmYRjPPIPH;;9z+YQLm5~?&&--Fd?}TeN{ehdH0JoRi`Cj5d5B& z+>uO;MdU8RxGLyy6ZSkIC(@6g!wwyUI6IT^{wAFDe6mnUH~KPu%j=ZM>%2$vdehyc zAICYqPxJ>%yQ0c=Z*0WXGLWH7+}DI8Y|skVag*nBj6GVGHqm(18T8i%e0G=gpzn?s zh7Nuf_nOOKpDRFPrFh@ROxH%0yj7#+I9$+>vRN_pR#@M^7-1m-$36|I$NpOR{nn<$ zsD)(Q0X__8{NvEE0S(5-(w1`hwPIU}4_FM0u?p-amj0Nn?h6iWXMex)awF%P3V)vk z5VN|RVxvy$z04Ie_8VL0(elG>x)|i6r(psjNb!8Zf=U)TnJ;0T zIa9ZntM7i%;}hJ!HZ-u#Vqoer&hLd%9^ZUaC11?GR_g{;ToS~I8jyO2%nRzPJgF^I zEth*iPx>2ehIj$xIUf~)SZ?kp?R$MRzQ+7MJy1V*bFI07c+4UB6pQkyZ<;#NtKLiV z=juHH$rRZ*(3!;R1slI&o`~Kkk(L_T5OyXl)o}X7P<^DS+SEc-cs$LR*s69<-L?+?gp!THu;_XJ4(9jU6dsT@;HgTRL7S|y9W{oat>)d z;f}+$b4V=HG+BL0c8dXu;k`bT7EVVeos1Iq`?3Utn?I~5BoaB#8whal3_q~nPNzGG zesDVSQ78eJXlCd)k$~6Lu!^%NR^%#TDwWvq!WV@M6}_)_IAED!1cizV&d^x zurJfo#o6+W2DheBPtPjF;&XNDC&9)hv|>7}g*wG9C<-mi?g*XNw^kB&64|Fr&pZAg zq}=lP@M|Vm=qHQy#9IqZXQayxM-A1?0Wt;@#iHyw)f1|vq;pAS(WY)ZsBY2nnlD86 zqau23`aI+p<3SANi*KA6dA|=UOxh;ZM5fF$lLjZ@N>kzhU!=+=>9Zi=n_H^8A=x97o#!D}{R zB5h|I)@OtlevG(|%`oMLLtM$o&^ONbd}&YZeNjJ)?P+H|JL*(-cBHn?DY=M5P1LSz zR}ZQOXDrXk9NOfSs!zP!ajFltIjM~;Xkx*fd~g-G!f?zj$%AEOE9PQX5H9VALSx-- z%-F4V2kQCLb-lv5bm=#A5?#V=c1B{TEiqA@pn3bBWt~7m=BfCV{HD9tW>JjP@h|S9 zPdm5X+YXr(|00ntB||fTZr5*2zn(GgXrY*UB`u?P2N+gy`#t^PhomX+)&u-Thebg! zDoEY$F{(6ks?~1rOnG7}H~#6^y8(qw4qq_-uZdYAaL#huKn{xz<=GRL1JD|CXY3;&n;Hfz*&W`xUk0 zY;c-9U=?g<8xFN25(5HY{FEFBSVC^^^a$fvtFg~IRVNJIEWR@jE_%K8EHm~;X9&YK=<$ggvK7*sMblUa+KuSzLKMR-M;l3f> zFx2xYIp-Ga1QOhz&DSzS{OwBKs&!EVHg=R;(xaPdmSn&Ts3KPMNR}%~_@E6o>)>X+ zKb7^@p$qFO4GVBB=x48^af>Zrpz864gx68!$|g`Ta3mk@I0862LFHdn>rW!tLtI3;7FCELzSkU+S2%yU=;`f`Bf*-G(_2heyy z$-}o=UuMQuEw(yV+XEcZ zno;pFdAoK8mN+|OJcV z1bJ^bK{dK=x&vPAEx;`n&^pw3d`jMoUvTf;Dg$hQI}K2Buam`hK0%izGgK{}5$)}R zWoRXcd*_wdWR5q7gvb>XRJdUg)B&%PU!;U*NHY{a(j8mrU_%&LXCfWrMqHjf+O1&x zjo?7KKO&Gf_rk9x^_Pv;GRs0;{X)# zuK!|imb-BNEOoTlZv9^LfVA4{P;83I@U+0 z!!HX%7<&BB1o3YiM;u6)eekhp2bCl4?3#}kmvPDEL;RDo=F8Fb#jblhW91YG0>o2% z!Bed43POS!a(^d1CPmCK6SiAdp{nDHuY>9MP+^1`dT^uAIr&7j^UK)6_YrGNI#KmS zZJ7B2*zBj6(|{h#_FGeMJUM2mtXrT}9W!ToXT?p2e0&ijr00}Ktyi=!A1wJH?5cg3 ziZmf}iTwEi8BT}3$ZdZ7c<=rJg8QfBE+~~uY(n3{5JCo4rOhpUP)gOqEe%=M<7*9* zNk86I=x0t)f&;Rt5jx&9D#Q7qPDOEOgJHKXv$kFSLf{`7Z^_|h&f&B9^#oI4$bkBC%7|AiY8b~gV*{#0`G&l?oroDFF1T#3j6G~KK@EAsM*=?d6 zub=mMs(BhX1#YKha;ZH#tl-BTWs>37Mz)wUx8 z84p*liVLR+HjxYbJu7OoZ!{PoH&}5U~kt4Rg>6k#4K?=Q%nYyDTMOte8=T_||kJ zOb&n#EA`hG1p4#<_u#Pt+Fc0j%W+(JG=Dw=l|Usr)V%>oxg&W?`elRY(eejZU0L!WTJ@ik?}-@U*Rbh{|07X2$6&_pEK0iGwR`7yk|h8Ar-0vH@!*1D^T z0rdDBB;oIAvEY`u=sbfz|1n)X{ypij1-|4+kLDa5n{zX|3=a^&HB=?&*4nIw2G>qt*E7#5gGVx_@PLujLhRjN)LVnh@=BWU^ zLmX64@>61Vl3|WGeEK9d3?y+yPYo#6VF1BebF;2Z2e6YY7h7vc>R433k#7$9*p>&eCytR zJBvszURjDB_fv5x&H#G!s(EKEO}GX;U6S3j(PLgJo9TskI51!5&k8}@&Sa)+z=j82 zy7qoZ+HdE7{@eLak1TL%lh5RRdIfe~BRL#*CGm6t+zqDBLV1{>69N1FhyU00yB|%M z!lxp&_1`@BUgQ?ix*yk5$!7Bvz}B6p*!NHF{;E7BxveErzgbXM-S*1yKE<*Nfcq)m z!9S{>vHy5zYT`hHVHP8#aWxlt|1_C0jE#N14z-b2F|3k!hCk5?e1T>=!sd=dkrB|# zye)i0^;j!kKJ9oHk39exNY0;qr{(2m(ZRpYpMO5vx ziq6*oFscfN_C8!gpU=?SJ?9olE-P*^7^fNjrcfaihs~TjfvD}XONEsTj@7GRpjKtM zi4m&;RKbyD!~M?-iTT3}1!vO}VJE-9MTLuW+`c0ww+LrtRjx z8`572sGvSG`;9C&3(NJ&%f=IfUp{XMG<m{%UHavRZ zVgS4?HJVW=tYMz-6!HcaF(!1c>od6VrnB4Hae)yCa|0AW;7*eN4+Xj;7hs8t0ed2a5*#RzN&zxq zJQ-wf>v#VJ^mKWUvHkm}MUChoS`nO&GR5Soj-@;p{m(i49pH+$>hn4z(dan0$Z+Aq zKn0$g4)`LiVYYD`$Nt#S0J$SYq)#|y+$N{4uns;m9meF&AZOId(>Cp5%RnDOO4tN( zRRb}Bzya1hHQ34WUW~>=NYz236g*pt9x_0pA(5-ipPHo_bVtKf*P!QayOjU8taIZ%t8e9J@UCLr%P@m+b_21)bt{0)_xnW0;TVWU2a}WzAC@XOzfYnac{D->*J61zvkIP|ck3`#Y59JRue&uZ_-;P7 zqO*;L5_Q+98q?>0hs_4Tcc+QbECVa+sFa8f5v|<#;6C1=mG)1qmpYS->MQRt_bd=V zQ4dUlcJd1AOU5?8Cx@c^;YZ)LIZ^9#C?07yO{ys9CxaH4 z5z@RBTDNb#LZ0O}Nb1=j!7}h4o1x_O2`rXMy^^WrdWAN>p<2ac@_M3t>P^MHv?*u6 z8mfv^Hk~};E%9iN2)aX1hkR3E`m<7skwrVJU|4 zmg5rd(pO1~1BJr~>BeD<`|h#5aOm-t6L`vjw-)k+{ry4!JntWKMhvND-E!C@B?8 z_oCj50!*bG4J(mG0@gWNFkR%G^3NH@B=tf=JI=)4f%O*J!2OUEY)Q;4{14a>wDuszX(1%t=2|Tf>9&)9JqdM8$M>Y&qOlZY*uxHWIJVg%ubdb%0 zn$Sd#*>Bc3_2eHGh{K9?(V=dugc6mzC*D*Yi=pk~;!bns0EqBmyr;GzQJ3p_Ms&Vu z7SDS2GB8o>(XIIIsu5!PKf5*KXzaImO&S!O*v;)(O-LUNT+#X8@RS|D#X`qD%+mH_zvG zz$ZTBV6mBBQRaT0dr?|=nlkQNO)IHqO>}Fm;5O>8ZuG2)PS>-~t>Hev=b(3*|MvskD4*t!;Y7T&%CELCBCV`>(7N;jKw&Hti z`f3do(eYX5OkM+i{K(fvTtLb7k1@*afWjotk-Lo*evc!4Od8WMl+EhCC7nLKt zk)FrE6%wtYmdrXgX_45wlIXNOvRb#!bXnCUG(<9KS7-o9EFY6U{|7Y5faCG#kLHHQUfC|oAhx0NYAUlQ$%zh#PJy}FeRA~;{*OSH-n-bT zOwZ;*gbRE2RyU7rJFWe*w{KU8sz!ho?u{v%%Fv3Rt~T27(*0+O4^Bc0{9kUZb!{&5 z%n%jlR9&BK+~?ghI5jK-8kaVS(CJKFW$I_2Kr6oP7pLz?Hl5Vr*5F?z&20DN_f~Ex z+yh_B41$5(PtfOEj?G3I#X@j5Rba%rrNMv6XW; zKHXxaH+#}nUG@kPJ4_g7oJttf4wY-TM)6YsFT};o7=l_)e;eZzz9z?or?}j%dhG#d ze+i5Ns0!YjD%}ori%c%Y5uKsU57O1FT!|f~UN=ok_-=%bnA5ru#)}3vKlhFBr3p$0 zZvri!&(gnFa~=m+Az!mq0bPS(nrB}cWM1fuI$dl`*sq#lho!;%^O0$Ai6cR(mExEA zy29&Q4Q)h9K@Up;V7ou@fVKdB(Ipn%q%^U3f{EnxE0ev};rNHwRkrLLPAXrsuETc? zY7qPV4PQb-rr$La!p3Wi#QPnNfUXAnP&>Ea9KdB~MCV0dY@5%orxTv3jP#>4EYmiE zaktL@cvVlL89q|Z1KmXwZLx9oogdF=JP3O(JnOcvJkU7@ydwDUr2aoHV_`!dS1`(=#~@7 z;+^cevEE6#%Q)b;QEP*!dIxlY_YF#4Dz`K_j$3Vkx3^!(H=Ev+8UmUVk@B84n8i(- zxfEm=m|oep<~s58+|iufoEb5eWk#fSsT;eLIPOGZ*rMZ4YhXTHny{;-NJP5Fz#Zya zce?#?Xwf!=|E22j*Y+`Nf}WkFWX}`uSL`8JemSK9TOeL>`BMHFZA8{ zNcfpX-+y0E4SHEOs7HhaZ_HR~OfvPV*{;uOxVM)U-bqnz9;MR;Z#o}vN^$FMCmgoX z{$nomo(Z_DRT!KlE9K%|IJ6j4>V>l@-!gT)ihrlh5AX7h%~o|690738`wP1Wn?iE{ zVJ_>coQdlWPJoTw)0O)J$@1UYu#KAF`MGC}*V8|4drTDkz`%zkf%(Iqy^ovytrR*F zBHKkFJB?4Gi}m_vwu5@a$MvCo>+Dkpgt-z3Q}&8sTp|Sr0?et_9iljaw`K&~LLNh- z>{#$bKO%_@=hKUi5_tkXjN=HW`1sv*i~1+C`A2)cT;2#PSZJv%r49$(xX41i|JSWd z+wsbLgxyBXEG+tRuZ5GBw~(&>j^EH6mIMVPj-!2`fyZUI2ox`^077E@5-59yhL z#0u4RQ4Mfqdg#+4-rUyKg&%J1mdMoE9TceElxWX3Ie#L%ybB~*Np%?%ZMH6t1` zE)DsbG;ZTASbKO>GYV}y?VX!jK12cM&#`H@U=$iqGktUFSj4!d`3=of-;`aXqW=jY zR>Jtke*d=KmRT|$z56sz6-syRx$(=*t@f|H$mAQ0KxvY3xB+v;xMeLK>FIqeys5BL zr3#R>ZLw^Z+PwYI8>N$5btr^tY})CJ5Ig<(aT?DFG+U3-a6nW}b$E=wHHh(h*I|Rv zueX{1_QaL)5f7Ejs*%?wEIF^tB_|$u${Lg}7p3$b$zI3+oTcPP&Zt`O(&c zJ?mc5`Z5>P+E#h)D}Xj_F`?<`xA^Bot(tiWEiaPe?x0sq^JUTHY!GrXqmUey%E*w7 z`|SH`>p`A^J*U5Gy_Bn3Z-s`vNxipJ3z1Ok`)N`BBkk0%T!^day&eDwt&)oPIrkx^ z)yYq^-3hvBM~AReTh>1aHyE2hZz-@t?9;ixol@8z*St>ICh0yW7BLo20|@NEr_vl3 z0e0gBiF6J_`m@T6P6hj>;F%GqvBJM^i%sS5@DWH=R^f*pr)AX{E45-po#sX$HKdYuN+ z+2or~k;A=hLO&0Id0ciyUZ$HOjP5JLQhnX=WPcl+VF%t|i)W?1U_9<)0O5?=M61PLhEYlA=o0<-SFn+C z4d!lpki9v}JiI%!-rL?CwnIs*j&E`%<^MpYn~Esx0ALfM`iTpg9EvVHk(+4JAhi#5 zK4{ee*7ebkJ4~0*#gZ}69H45kOq52v$+t9$d?kSbuJ1k)5&_ojD!_8P>UJ#~$};I? zIcHYhEq-ev1D(_sb79pFT?8-1?iOI*GiARsxcR9|&VGcHewQ)6Q_j9va)4zGi%MK% zh811KwSI%ybzwu&7vzA_pbv>87Keq5rfT0_HVcheBMH&ULUn)Qb0|BpqzjI0ui<1{ zoIJDMU>GsXFd};Xd!gT)3D{V{G#K3}Vf40SfADy>-NC@<0n?mh>H-|yiN3QBaWk?%+YPX)thh%%*z9?nEvJO z(-)VP^e*A#Hhx7o_1}{X&etj@zuAhsIsV7Wi$)A*PS94@q}n^L8x-=sBG_MvbGDLR zFi7;q@#h~YXDw;^GmLcWzB#x|P~N$$iccu=nMrWy`!)A8&gT6aji!{Q zA(VQ5hIN51cAHt#=N1tA_QHkIC;POE#TORpeGc}3I9J1$aotn&~DbJy( z5C8>F)NS|GFchin)JKPcWZH}UZO83w^_(oVx9Vh}WG0l={pZ~k_@XC{lU8~)t6pH_ zmeZVI2dgyhk*Whmt1YS*>k@@~QQXYNT`{OS?2& z!b*^sAq?tl5?sUU;x%Yc|+zUAE9sn2t;JzLruqfs{nJB$#7iQ9a zqYntOox4U7NZgOWjE6upLI9cy9q$u;wWEOt^y!+D#^-;jAWSKRd<~8n$G3`sj-B-o zvtqn%=)@cUF}MVV^<1UedB7@ArkAy$w4i1k`f)vS{8mHh1eRmQa

I+VT!O+^MpT zxOCmZ@^y5Qk>k@Jqz3CX%_YN|^fgF`?NnJ5qW)kw1wdLy7e7FHN{AC+>WJ2oIvlhO zpFTS8GtL5yi2%Go=ZwINi{eK3_?#OMk5;ihI*f?=&6(d>M8gJim$`1#teu_SnRg(* z{GL`?2njYqdb0Q3spZ7rCouEi%ntCn^R?f&3?$ZU75vI@v=&1N3M^i5uAEOhDQk&H zMA-xrqXRn=Fthm-1a&A5(9v3e9|yER+kIu7j6FFE9?H-BU8($zwu{xh%_exBGcq?_ zTdeIqfmfF1D}31(Ld=Y1uhw-uDZCTUP}D_X;;y|UM#MNPcL~Ik={MwDDzDXF%e)`@ z_EtT9OGWM5$=C2N;Hurbd@7C|hUnO6A{w_njf;hHPLCv2m+Aa3$?gT(bP&nm0S_1b zC*=}CZ1z{-`ndrxjuLd-OQcAZ-dLm>s#;0v7O)(Clgk}TH^p|sR|E{Fi)||k5DW2_ zjkotrO-~OQzR3F#PkX2`T^ea=GZ}x#yoF60CgOTv2^w<=`2f#S{EAQgKSC^if76fo z1t$<@K1K63zc+i(ju}1jn-pVT!mU5J9hS;-RAna&lW4qfZpvzl{_!wN2YD3QRs$lS~Uh1|O@0n|Oi#XQly;`>uwA z#F?eHBqC|fNRSC~IT@YivIX=lc_C4;7K-5Pu^V+eZvM4}=Ryd-vsZd_wubQxHLa46 zq{+o`)|Nd3`i+E|OezomP*WH7lbsTmv%`eMH`1AeIA?ZYJoQ7zXP8c2Avxinq4h$~ z-zCno4>E56yqgbb){8WrU-51(wbLH0bxH?u>py&N61{mho(f+e*N?BhC&%!NJ`qQm9+2mrX~*bEX;Y6wcAmHsT4e5CrC(m1(f*E|K4`U!|orQRDbZdE5T^ z4I4vuU2=(y?r7?&Ye7_=T!{ehk$rl5biK*I2G+t%x&=K*=AuL+@q{rK5cFPFi*J`? zS0h^ZER^Nao6`!0y14hI`5?hTMA(L8mwt}rm46kpQg+i%Uma<=LoDX%&(D=P_6=4j zj#&gL%Ymyo|CU=jjm0@8(PXP~!i`#nEsFNv|AQGHoBzTiVz9d@Ihg5#(1b~ea^Tuxqm*$CiHA!bkz(KTr4aCkIE zoA0bu5*Dg|5EwMjbm}cF>n`JfN{P%aq*}^=>dJ7tEEgg)!`+J6qfK7u)df=UWngJN zwO?a-$Y_)R`5gFeNF(T(6g!})y>RWCpl1|1&Lpi_?yFB`t@T~O{@C^#YhqC*4|r|2 z0iH>4@jcVDSD(EM1$4=vOJK`oA3ASd95G)P%f8+OPp7;8GUACnw$;tY0QY`xtjK|#edRPkiKxG^ZHluz+QZic zX6oJ)_2JI42fyz8yz5;irzghSN9u}WSfSILp&x)Bb|vf20g4OxG2M^hyRK#!Mwp72oMiamns z>S?vsLV`-JTHqD2Z*pBkcRbnu&A8={=0FSuAfho__Ac5qGic()?` z!CCDT$f{WvOC1V>ZcEZ_*hWCG0EgOW{qAUfs>hv6B`a zN%oy3ylRjr$^c!Ck6OzjN}!qQldEG)E!V3Zc!$63gBZ- zBCDAQH1Z1x^^dGOQJfeC7k1Zl9$VNs)RPO#NHu}?>f%iXxIh&>EG@m8_dg+HG~Cy% z_OyC~&A|*mjrIm}1d#KpRq~`VZ{ti% z!9;E(Z6^a<$xh*q-h|S2!R_d!VY((I?lR@6Y5hdby$krdU?$c(*{`p#BtHdt6^Z|F zmw#gvY%eQnuL*$Nu>QRG}1eG-?^S+MdTqP#@V*iv8na&JqHNdl|yY686-R= zAEe@5=2E+GHWEPibv(~~^m!oYZjnr-^~&ck-WRPyB^-f}LDPO(7*;0Vw={5iH!RlT zd%{ExuhH3uC%_@>G+m6IyWLj3escHJnjTjCts8b%uVP7C%uS0JO)|O6SHu+RR&44H zZJ@>jRF46^sV>>8*Zhm@n>ww{Qo)YB^N-ubw#=yWF?DDC;M->js6N8FW~sQzj}X@E=OCx zgsZV={>@~KWdWW5P!(YG_Vg4SE3`ZFX2IDBAh?p&4XKNls0a5aXT;*7Y@KC zx{}+O4U@p8lew**g7~@b(1*MTxPWl z$qTWq%I|z0rc#<5j9wyW$y5(8?$Rvd;jIMn2N@}QT%I2rU$7p${mmE3 zj2$V}sP`tY?P$}kHo@;t_xTUz>Ujja{&By~Ua~RBU+V8Rtz(>@PVS?(OfaIA3~CIQ zI*_ar(p+P_rJzbsDQ}9LziSoDT}+jhmE3QdOa>3|lP?r1i)%K7=^D&(@8&%%OgL%& z=>3R8C1Nb)%tar`pP51LD?yn`Yd!c2?DnCgHJZ;AGm?%LgXeXV-PKHTilpQ#yK^_2 zd4B;*ji8B#k~;nK`x8g6M3f3O#FIC&Qd|JEyP$=6e~wCPlO)=c9Cx&7nuG&N zD>;s&?Q_y6f7 z`5reut}&(JXF3luQLGx88rhcZ%;FkR{F)lsp8oA?YF!j}i+u=u{{IqBI zYSX0;srxa%ZjS7@M|ekv=8HMlT~m%yP28o|$TWkHDFaZ*8UEDKfGXiEq0PZ`fU5CL zBjo+b!;CU=RS!EB8>(!%6Fn_Beh6XT4Zh-Ei!w@8KH1!9Xio2}j(GWKP2vN%k>ni? zE!Mw(QGE8z*hfby4VVb+cpUkW?J717)`(z-da}&p3;pqO7UW5?3oRY8oMM~6wUaj! z?v~>r_vI6k-u-g0kfeDy$?3X4mC`OpmnsIE=gWW&{A}oOhzdD3gOkH1RW@^)+0HXe zCu6dLIWib%Xdi5hz(p`N5L6oU!{mTubnOTEQ6rJ`fT7%>2J;a98Ut6C3?UvZKr9!V z6!-oVHKS`T8An8CUXo^fOlZUnYKd#~KY8N2P;iOE14*2R=A#*+fl#yz16|ipiV7Z0 z^+P}{*AS&DTrN$ohk_GMW~w-6C%0v~qT55y(xxT^eDR&R*_Gp-{*b)x7;<>g4%mka z|0>Ak7n#wp%qbIjobz)!?By}Wz_S0<3jZ+1-(N;|RN7=j4u0Z^mpSChW6)ggvq7I#v4Z7e3l`TC$S3C@9+!RA=W z$X}0!Go#?*0=^=MJtaCT#qVi^bZ&X@4S9Yx#99`*vjCCLS;S&VK(a27SkJq)0MmG%8sZkQ?0J z@<=ZJ>zoN;4`0Vxyucx-A8m!eOKca&8Fm91`xTtkh&|*vw|2v`eN<(VXtdM?d?N%7 zNs>Pc___)lW)XeFcU)7-Rz1&xElFP#=j^GmU*={JhAB^`8eXhNqx#o^vQ-f(zym0` z%a5|vyu91aW;9}RR(AJ(+zYkDtPew;W<2tXMOJ+Rvlax@?@CsGP9#UT(m--P9>Am5w5Z zGQ}$H=MW;6!-d1M3@-Lk>~E4y%2K8z?M1TQPS-U4HeviI9dbKLSqk7R#7WO{UrUv4 z_%IYFw1uq{9&MmL8Af=(PvjX1LXZF8%nKp^S?>#wgz2MH>k#SSdxJj|_ISld$2H&F z&ha?N$h+=)Gzqa0cR?*lLP>SUTCe<)#7mKN-fN#V$h-Y(SvZ?R;QPP3*8dRNUbo3! z1+;~)rGzH+5|BT+0Jt#*Tq=!9gS)l=dfq~xapF@QTM%!8x+?ZGkh_oRdDN>j1k=BC z-`V?ue{{o3o_DX+RPi*AP;@~j(9J?iEjv2hlrb5jdbs;Qbj^x(ElWT%8CCFA(e0NNPq8#RZPF4{o?Xu} zLTF>wutS*#e_fZ<7L9<)TcziwHQ+mym}}Y7j+lb0N5aRcmZSwZf)3>9yz4P}beF-D zqHBC_WR`Q)Be@ZSk=YCa#aR;6d5}T4z`WP)NbHVh%4e3@lPG80kYKqk@Ykm9x>L@voQ>F?jo*mk56B*&QZSm)wFqv#-q3>~=yK!&o;X_3 z_JzMZrFgGbM96i?t@I%^!=qA1%`vg%WLMOPU}=5^i6O4e##JN(#C?G5=^m42?#GO5 zPKv!_DM$<|<@xJD|CtN_dirPQjJx|2yv?_iDsmVswy)0XU-9qtCqUZD`Jtp}mq64v zKi(TV0py`~+?ZtCSi8P#+}Riiqvwik#!50kp z&v31#v(*5$%QoZCNos##i)8Mnu?|O=cUux&I9|Zmh}Tv~rqRc!M)BbGE2sd}mzmAQph=LI|ty>v0miZu*L=x@wDr0sf}}{`;|dB7hw!-xz-~ zweu^_&ZBJEk;YeeHHN$AE$@kit&mMfH?nWyP6z7M@nc~#)yg@5Xl|+BL8%Cr;;<6VsPxe#UTMv+;h3+M2 z^3rvYu7~F)iJiCVsRPo)=q#Q?xauKg^i4V(QT&U}EZ2xwAGg#ru^dQ>zX!(JeW|sk z=~J7WsFVjf{kb?S8@vQ)6T4-rh^Q40fT%dNic$i*3`L$Pe-+r^v>?{Sl%&yh_-a{9 za!jOv4y_CYvagG6JzUq(%49enl$Ph`nH(l!)k-`lX1}yDbeud|GJ=+oX?#4%GIY%G zKz|ES-e<-(v;nYKjp~#@-phUgaJXxyi1zs#L|s|;p;HiX*Wdi_Uk|0%Jqj;HmU-A| zv#Rl#uaR`=8)d0dHiy2V(^mGCKkeAVfghZFVnYRTH?bW1&{s6?=FrbEjB;6ecCEx5 zfIsMXL(6Q*GP4`+lm2|3!0|%?5)t-PHF3j=%xQzSJE+E2+}9mnWPyc~mu4;9ae=p! z{k)?)Y9pTu(LzMa?$!lz9IAxy*HhFFgnJ->D0rqY&^eY7;@aykc9sXZe0leV_#_j& zF!es2ezBZ74RwON33ayT3sKH^Pi8niZ5M*i(~C|9md!#ezjS}(=Ch3@qpchmYC{!d zOZ@=WVZ&n`4eJUvy5Q`tPo2@x`p%*yDli!C@nKZ%GlwkYDK!~P6O26|XY&Au?=8@Un8efaWlPE!rvgQ)5_qvZP9_is zhpI0{T5(#0g_L$9=GlMVXXYg$NnqdLcu-iPWsYyY!TXrj79Tdx#MEV~Bn2#X9)blA z3;9wCFM!}R^hx;xfAoj5k(9iPsNMh}owY^n3N`tyaB%cq7A@pDsHkKlwTiJ zz2MAKJ|D7IV{cgd8ZC}ykMw|~NE>jWBo%4mS0ocx6b$ijTyQ>?D17E|HcczG%?BuY zcYd~cmwyie99feYh>CeFbt|Sk+E>T2;A30+@}I}*uXOQ``&46a;8m)51wGo_Y4by` zSkb?+>Dj!0b*lf7KeAbIE>8CQcbk70H8l|w(QZK^pMGGl!2-k(?RYg9-o^t7g$1V} zK+}!cKBI*xH3=FZ{Vt1jO^r8{)J2B#yvS<+E+%kM79ugkVlJJ0G}3VQNdj-Vn*TR= zM-0?1XN+BLK(Gu+|AXA&KS(%&B(ePN`?0ABZ2Er+{ z{%qKljU)M*cXlWSa>qQ{wY*aRW*$T?I>bV(#=T|N8cgK!Ozx=!CiBQLjYw~;WW6z! zUX2U1_QGHJaL}1wZlg1tc|tQ*lg4(kB3n9}T|h`_fGEA`cYQ~8m0DKZ_tm1=uTo3@ z`9j)%NG)=*-$?PDFDLY}jg3NYItbcP#0kWj%FW!B;QiBluRnobH?_<)sWt=?Z|U(; zzwy#qcr4BIdOCUFo8b2t`MSs*|km=In)o8N#^B)m|E@Bg1nIUG~0f+Hu{}FUsG`Npy#-*K%}A zV9IhJli7u6HJ(@RUgUOs!tH++OP(r#o1`o>EED;dUIhst#qPr<;ZEJP^k;Px$q^DjgR1 z8|o^BEN?wwutx)v^;*=7pv2=ppZ%XF=%0nin?IE0_D=#UATz#Hd=_%kcoOV?e*X0v zsrgM{^M83M{!>*Pe{5`~_;3%uj`xvZd|AiqFB>g+%*qO;%n73rsY(pCzMDt zuguWhGR?3$H=27xD=T8JG3cxKhfbvd>9y|6JteR}v6lyHIeTB^fx>zk`RP^Ao3px? zsDClY`Rb7-U>UYg;w0qE^PT z?4yXuPQDi9fsp;8bRG`g&39?}%xT`nb6KXeo0gd7!bgGD7PXCIarv+mj!yIM@X*TH zD8wuP185q!XLQq|%m1ahmM83*k)`}Zz44eJ%)LFT17YDmO5PrQ{Ikc#CMV}`kn|=6 zL7zTZ^36B#GL1A=!-6-8)1q zE~I#n5kk&H%&S<>nRT%)ZG>HkCz1ujJB%G?Q+&jFPg?nBM=w#*z0 zKyRd}xkPOZTql5etddb;qt$xzdM-g29U)cxZE7a1I#e!uMj<9oT-!)FP5{f#K;~Sl zAU7Wqzinw<;>clh8_{|4ML7c%NVt5DEcL=l$05w4_a@zBdSO>E%V=b1TaYRuhn*KY z3EcSPkv^@LqAakV8(F>THoY9+2>{^j3r}MHDs2DjA&apm$;QE+1vi5Mq2Cz6o;R#w z{~F66I2VslGujk4>|$H>ULMJ~9SD;Y;X50AH;%AvK;Q}j&7>bv??O46nbhmd(_YB6 zIDX|37}0iP`S6P~P{_Y7!qcLaV?&9lJPZTIO99lfFLI={ZPTs82{)*MR_@c~b*+7E zr%x?T1Jgm}M?=p)Jhu`RLGdQPjJ%hI$bO)>^dq}ZLnPyRlsKXO_4HtR8qXJnbX;_k zYSvt8lqInr%qZ!6U431zWhRMiu^yJ@2CJgm3y7F8Pv{TB86ubAt|+bt8HNH&;Q|nK zc=mVuu7(dB!*YrYy*?#puLKb3Vp+EN?5as(jVe+b27r~mVUqw3dSm-3!~4lA2Q8W5 zmw5E2!~Iv=y~BAU|6BU;BFo4Zny-uF5&cw}-uuaN`o$TL0Crj6pMa$c0XI}3q(GwDS^=aN%3cZCP;g=`B}K?CO^?OEoI_U zt07xL>iMoex&v3)W5IBrFZ#h%_81pmT>KB&qfO>2d+fk4vX*nzep}ZJjjMouOh_ZJ zNlfZ`yiU^=dY;=B*aNye`vp{4#Co>n<{=`pzbo`-%gno~R7cAbMc!n)Tuzi@kKdoZ zHc_>?n63apd`u%qksU$JIOBowqUtg(dnxi6X(9(^WJ#oAtcPiYu#G+G&pi4M-BP2+ zx&;L8e0WOHb&#RFm;sU!ceR3v5S;;-u#MEh;#UGspdTjIviNiaKA+|FPz`8_yCAzj zRtl*KQD!Y7S@W-hyqMQLnL@1^t+heQpC!8Tcumc&KZIP%-FQf|Uy|mE`5H~APRAG( za#%J@tmd(9m2e>W6p&(G0$W-8iv+s8)@~6l&r{}vrAK45MIFDK%jfubj(1V@`EWY| zjTNt3SFV4zdeLpdJn+i(-&dY|`wy;fOp*<-m8CvGO6&&qis6eL?6UmodGZmLK!ucD zdq@MeGo{3}-aCKH~2fdO$}g!tlBozxiY-B`riE`((# zHyNw5A5(&}Wto>GlmSRK)95qX`^miSe(O`2E-<8NvDHH(rrl|Wet*GPwUmg zizu^_nj`L8*1YProO<;K#%$>y7_+z;o<7n;eAv2lu0&LbBOtykLuU@*Vx%@7)e%@J zmSvb!7j-ZH739iF#{%VKS^G?!an)hn@TWUtD(g=EVP+i-n*7!yWX4`@Ga6fLqF24q z?fjV{Va)Hfe~4tUxvHE`MW&F#7S+aNOi`PZ4p}(_(#+;~E%2Fccyd|8nW?HkhX&kI z9}#oan+@Hk#c2YDW?SDnuk{bSZAApA>uz=vL6ERBHq|3Ulj?GdcEa1PTZh!#@_>w zaHnV&K52H{EQr6?nFbf9*lyVIde`W6>OZQj$E}f^hz3?$n(04o)3H5|p^6i*r3Sc0 zQexh0x=dbG@Bd7l)(nC&C_oMo`9?R*)<=OTS)TU(59wXMh$f}4*@l<}E;Wkw08LsB z)Vr^YLu&pK)e|b`8RyHC29qU_H)17B9%aTfG}hrB=oU(J1cNLc<|M5U)BR~9pYzt? z!B4qdc+%N$+mAb=S&kC}6GdueuWL028;df$_&5mlCDg@n`#(u+K@L)Q?#JoyRfJhL zDQdC9Ag_rBv3!)#jLPkP^p4i;JXSht{yV*qURn44Ha~+y)m3_XKl4O_=XZL0LyJ>SFDh_`+V3|G zlcgl=jT20^XM36Q7bzP+-|wK?~5#~%mN4$h5~aRN5D;N0P2J)q zvhCBHA%c+XcIdM3!QfG<^Fm8tidMXUaj38ha`o{O#zwm~;yD;-RC9{AT$AJ26q+m9 z&v@6JXJt0bogsmS(mK&o`-#Bp0zSFVv;L&I=DOn!hI~s9o!@ZB+5c z3x3C~XR?fd2|iCK%MuPneVZ8;2`wVTrmtoEA$_MOg8i<= zX8{ysiHRt~c7ZMjWQ$*$jubN&fXFi#t(kx?N@1@wkkRi`(v|4k0Hx?;^RxlBQ;pom z7t3&HTY6OvF=is1{tzG_EeV4&drQ{69+@14x`bfT056*HVset_;KXGfL7) z#I>}RqnWm}+MT#ck6wg2@7*1}tUFVu0+xV{d$PlfD<&=Ar}pRcor6wV%oR0tJs1yE7E~9*2A!Xn3T0{c7d1)| z_yJ@b8P3v<1L1RtN`1mp4|_=wyj5nF0^0jUlI<$c3toM^v8=+I@7y*9!Q3J(Cy%Dx zY1ovL$d5o}dY)&$7VtHxv8SCR-e1Cgo!T`JPVdVrif0DZv46RA8=@(!ee8DB+5YPb z3;cHeR7H1I&}Ppyd@*zf%dbgx`ebXitivtJ708fTu4`e;1^!7@42@|6abE~QIneF6 zM`LG?^I6u@+^k>pvZ=9@(kv$<>bAw<4ke<()->bHygR?*Ccr}u6r&CLRPQ!>(M}(f zf5(X~S|HIyqKUZPJ8Lk{ZyC>kCtj9EVH&1c#g{xE_y(-Xkc;l+4Gf}+hA540!cZeN zr4Zz4RtBfhEe2+$LGTebjqR5%P<0v0M8@sHKrw-Iu+D{+s-jUyYza`g9z?@7o(df7 zrlB)nIpAy!5A_NN$>nW>b&JgXu7+P9w1d zn)-wcGYLntP(N^7LX%g7B>G5{_ejiB|2Q1F?F z4C~7GTEvENmiSS&oZ*8^RTwe?xX<|06x23F0lbYfy^ocye=P3gR>FT!SnoPf+`Y}` zs`5PswHl&rM0h+cAXI-1Sn<{g`QBnX05YCMuMptTj*0g?*{RKO?L_xWTnJ4&k7}i; zrRg*qx6>adlQMLX@OGFu5z~1W-b{!`@k(2J@Gff*d z`H@!CsDt5Od@PfW2)F&Bz07#?4K&!f@o?M^KI;K`_!ej6JUBZwd!+UogWGUOtba?a zO4Kjsxzl;+CMidm4m3K;{uh#7JT>Tkl%WW6{BU5zAaRN54(YwTd|Aq=({DbTEpLkD zRD?G=Chj&ZLTk2ldv6c6VUnQMC&NRdWBLz}MKocUO~W@)lYD}Ed0Tpy7QM4$6pFY-TN;~v6Su40Jrgz z$VwvpQONk2))zUs8q@4fa}i*Mu2TB3^Kd2U+Y7OT1G0rn@bddPwY7@}FBwYKV${+e z&oET&)IV}R<4w^AV5;v`zhD&+JqFSauKk-T;y&?Hgbk2*L?vc7@X3Q3cYifE2eK!U z0(UifWx&G7U%rcQ0#QhV!R-HG?ybL~Y}mHZ8$?24NNJD(MPe91MQLdi0V!#aZjf$J zX@(k7N$HU825A_&hwkp4p}vdz+0Xm#y}o~7{|svZYq-wqJdb>)Ab7NTcuA%ZVA7uu zKp7wy@6t@Icm(*nE>A}XF^AJ8f66mLCSKe4VlS9r^>XXq-JIi}^sAi_)RJx}PS(^2 zN&f@vp>GTsZ~&f8aEieYKo2SS!s0ELiQ%6clm0BTWM#gpkuXn0XZQvcv(TUZ(VbO2 ziXQTf#;V4nx2s>(yMA^it>#tYziN>o0!|?}_RL&~g?M(0xE}`>T`C<*(mJqY$=}E* zdmwMAnfYb-b=UrAKDy@cedzorn~Qb}>$SSlv!`&bGt9t-f5hW?en*4zWv@o$HH3$i zb-lK7l9_bEo>s~=JDPr)kk8R`)~i%bg^Xo+8Ee&D#tWe>1TUpC zBY3VY_mhq59(0}c+F*u?VD$o7BGX2O15b%r$!uU{cG2Mv3g$a3oNC1?BfB1mB*CR zLE|6EQ}K(W6d~sKwu$sEkAQ3*=gYlGy|&~B*zKDPvYf_#Y2rKKFC%^u|Nu2F(HO+LVqwl;4@D&NLpp zWIg)f?bU__i*()O?h1Ga;fXbhffQof5#C9sI4T9WYBF{;;JR8<+A{Lnmih;%K$300 zKg@@4XpSPBNmPaooKLx_8(fzbF2k^Qr+1-g?C>vKd8XR zVN{f4`Lo^-gh{f%P-WuNXi0i3YwL$~@VBlq&z#f! z=-L#6&Ez*>*NzCta5mZDqX6f8BH)qAq0v@Sl*ba(f${>b@e=Q@@Sf)!930>!&7DHZ zs;UJWO6ez*n6t8973_X{eH3L`wTDN9QTZU8COf;E=EC{1fgo}R!NeH7Q6W+8f#g#% zgVk31+JomNj1!Wn_~`S}tiEOrTA;ChmTc_ddD+rNdSq@2KSnV>gLx00D;rIU3)c2y z4Dh1P*ColN^O=J_s{Pqo!?!D^qoFGC9!~zD>BdEk`{=KzHMP$CjZ_c*KGj7FIyG%O z)yo0zcr^{D*pjo)TG`nzQEzq)3j!J3S^B1P72l#V$#@veOvrm#97g-A{a{>m?Lk&2 z{yC`${AinB1TSBPf*@sQ`yRXWh^vEY+qcU>``miwC*2>rUxvS&9muse1s)HO+a^ZF zrC6B}Y#M-W$?`g-HJnueu|a0)bh_y6c>MWpsZ!u40ES68{|milcO*us>78X1xJh;x z+;*FBdyNXygzj>`IL=r5r4ns;oL_B)P5fO-uSMpsBI7nmZ_st7u(`6AO2V=9Z7IwL z`CCIc&rrEuX{%R+ml(}d!J)v;Sdo_!xo~} zAZP#7;w)=V4kZyEbVHK*zI=KNo~zG6-GpAO0@sJ4Tp> z65AcEfP{nArg2^U!(mxfwVy?+uC=@wFQ@psS66(!2AWv;4c+_W zJklS6x0;|%%^NR^b`8UiCk?yW9Sn+UH--=Gv-`HRw3dIFMRBGkgD^l>Nj^T;M;_`% z!yVZ(h{%mp@7}m9@1gGVnLsDrsTUiUqaR94uER_$=@NMRZIu>6Cd42wlj>}E#|*1XC#I1o5Kf`ol@F8gPt3L$(9uR$ZhWY5}jgB|*XT+DQzq=74=lZzu9;0qk#I7NSv={M@i zKtA)TgBRzTOX<(6#ogLIPGbQ0;q;i^KRnZzzLjg&4^Sro^Q*Jr#uAO zR~S_v!2n_7jnQCC)s%hW;UBNQxoU;tlC?Nh#?jByg0~rSdp4$+_Zz~>zR{J)w|J`z zt3R3{`609{-lSx#gPp!KM?n%?%E_-K>6PGn-7r`dzg@(0M4YFhlu{yl&aK;JgpO4n z$bIuu4)5BMN>AW1O>-}@szjDP(Nl{Ty<+@yC8zk5GqJ~VU~Kr!S(-47LX{qxoP{bE zU;oRN(d$nbAF0y{1j)t|slFGLJ&XGx+FTJqk?|$kJI@CR_v!6Lh&;(>6z~(Yp3)Z| zQvBt7eRow=n=f~}C7VJ>uY^o1mJnV`^}fsjxrO~L`}N=-fzynLTaG{g)x1SIW2Ru- z?+Wbq(`!si`BfG zwq;o^YTnJUyad^}*@ms{KVtRgvVITh)x5%jFf-|cNI734c#=t*bobnr@k(*=2zb=< zTJa~Z4jS5Ye+<%wzg_aDLu{_IVcj6nqxnA5uP&PPP9~$@@s+AC^Zf(8}QD&mqJ|rFUC7 zIJn=mG#vYBi|cqe>sv$Y+!n0rC-v;ysDKs7xsQR7`8aEjm_nDDzhc_k)LTgYt#H)2 z(%kN~T~0E?da}>0#ds173ZgbJ8n7+6W%S6Knu^1)qOY1Wj+ZIP%hvvafjR#JA41nu zp6f}>R=-* zOrfmq=*_Xd2GM8jUWj#eD6O{%quM(iKe%qg16P~^DG$5BkjI2Tt(!t+_pdQ=vD%rS z`p5zlA(N&lVxqA1v%oG@QO)9Y(7~_?RIBDQS@H+joI#t+#&cPSG08T+hF`&F zP3I%BVS-0q?OzakRrnl0_|0n&YFRP|DjkZerst`sZhS_hUrV7z0Gi4)|5ni_S-T!s1(+$#n@ud zy5eSSHx90Nid#a_>ql3%@j@5*r9unXGK?4V-dZfb#0$jMlWo0Wt+Px~J4yoJ+Z?Cb z zii^FJ`i{D_y>HEvyoMaKLi3Ai?LegkI#+Mz9Y-62!nfl&lIJ(T?S16~f}{J*oIfg) zEj?8tdjUYnz5(05VAtXBuetK`RkZryfiQ^=o&+?5$|-!@{TM`i2Yj)gNKB_rg#MjFr>4i%z4DAox2 zu!XYHure#fz)Zuue6~es_y-EBlB@@c8t2q+v0ln)l4a;bE6wK{(4(iYK2C4Kidvp# z5xp~u_c^u-QbH>FC~XY~5c2LSD%1zrSY(7l=qZg+)mEL)oQ~fMxuF4cI@S4f6!n|+ zZfsPZ-Z__bjSK}SP2WuY-)f>5W{ij+l}H2EU@1TL)jVm&Fj)s1Q$K>$#_9zkU)wrv zI)~moxQz10RI^Qy>y!32kmSFIgDqlw?3KwPLud*>JqZyOWIgc>u2LXxtB&92AOCFAIAMwRr#f^5$L1dgl-bB0nt*ybE6@7 zGaE6{%=-IdO*h%-X?`fCZW%c*%X`Sihp`vuBv`Lxs`7~G|CpDpA~>K8#0(`_l}yr* z`qtypFiM|D@}Lj)B@q2YxhdH_IS$~jNG2hsndZCg*l25GYbbeTkF@G=!k{8AQq;gSeeqR#v!}8 zul^*5p<{&agB?tIjN^iTdh;!xybXU0<9bZ=@<%ytgT#aSv$`EHiYR??1OcIpC?#nN z>^OnRz=-L9Uw~M*mO&I#$GL+d^q;zKaNod=tlt{gS5(Z_>)^6>QSze=Gy;m>7UtQI z43`7;NIZw{>PH!ptBI!bD6t)9Yr~ix?hGl(v)!!O!M$-rcw?$qgu`H%gFh#}d7MK* zAf$HS_4Sz=Xa1(O?*o=MTT?gXoEU)!CEG?6X3=FM>#Mj_h_fhwZk|CjE)h zSCO8%S{25KuT!O6#(o8dB zj1(=dzqV&)_aZ44iDWi0e<6E$+7_|P&u1DM6c78R*6pUmsq26F&o{9_$v9YG%=Z^Q z1C6|UkBiR*TI|;>ssA>Se^0{Zj?Qf$j#FQLyu24EWwu<`7x*NS@2R0wScUO?YPckB zJe@4y^is&PDqD*?(iJG=U;)Z&k84?nY9%Tr5`bdfO%&rh@CeALO^;PRNTSeZmt-+V zYU*Y#C|`x;v2&eQM22!Q4!RfWY8Y;Pa#UM!8edVM4C{4GgtGgoCD zmc9MsTfCRmQbA2sl3fGVqn8q{#)SKdY=3qt=2{DGP@>Q-$&(rBZ zj-opLkLX0TI;MiM-rh95g?WAbt2-eriHY>4COp^clv|sNQo=nSc42IBsi~KwDX~?h zcWrJdiqS(ZHC{vddKZ#&r?(1TK?GfhWxhV=^E>NiB#usWq3!fDP6=)1gzd?5!LJQB z-dy^Fnx`T)yQVoSoOPEnSCNK_S3Z`v1rglkPHYinSI58xA8@`$If(M)rDeRmyBZU= zw=lR0@Rs~3X_3rtSrpO{65oe+K zxrXDCPqIU;WMVP)s151JKYEXeey!W1Ec6%yS`uGgmI67n zSi<_^6&`T#v}8sLnVg0jx;(Gg_$45nuQF2L zWs{|1UVV%FtWme69?RN+eY*wA4HK-IT1`bU#o+xK?zD--Rsy!?dz%lS1z>k*M&%;N zzT2}bHXd#Nd0cAxDL}i+*Y9PR$~zVqna62`nS_IBdgZ&1=7vxRZ0kgCpG0>^^lgHb zUMhn*++AIa2sO&^;;iJkiv)_lQSVN@3)cPpjW(km9r2!Ny5u3d9|1+!>gCB$x~XA(<;IW_Y7^a>ta~{}k4mOzBtWKMirqJB>&NNk|tI8|q>KCv;)`lGLxG z>|blvTT!RqGjyxUW9H(eE`NNhL~B}VNW2slLqGrwyb$7#_O@E3V+~R9fYISSLxLn6 zw7QGqC=H2Mi1?0kFG*d7!rn~7x~l&`_BdqyNe{;&R22END$Qx%8<}e*Y+%?Ak|~5D z^!FC_hCVvJEAnsw(U8Xr>zb>=LMtY9&8vSL6CXaQDkvS`Ukb;lo{p;bn2M^W56!iE z&tgw+G^to5&4y9@(=OPor1b*_4zA*~t$3;zuOPtc*!Ah0=P_VJ7{@Rvii!nRD|x@V@imtAh?p!wnkUPaE|M)IMn|q)q*a zgA@^YwbpzZSl1=~bmqfzPaZM5yYUlM8nAsz9|LC%-0(18hta>} zuh3}#Li|LNC=_4vKR=AXHI@*5YQY32U{W~5^!M=VJm*=P)fL)%OHV0(;PV-~S?p+} zwDpj8yW#z&l^;iDh>X1hi>c9q3;Fg+WA*$aU)!c0Z*kM|mDBbY5pZjgph9h*C(^6H zGHIVe4pU<$wm}JEhbZt8B z{DsaJL;(50FI}t#gAL)v3%nEPs_PgI^m;wzi-e-rr*_+xZ#%XxF!u%1X1Kdd+B83D zU^Q&Hak2N#0dHr<^D4_^zubZw1rZ3B9HQ&l7HOrwE+Y)3GltUb_A2QVewhOdV5$6_(HuS3?X4ULso?j}-KS+Y3l;P3I{_~T-$MEfWv7`lTyIPI&$&g+79sjb zyKA4*VJ>P2e}G2&peD*21Pr*aV23-E!ilkj(Z_Xx55yg)|;p?!rAEa2Ol zk*cGrzfXU-v}5Psa>0A!!Wx*im&o(zxfBy}`lLjZBv^!Y(-2aLyU{sBcdM$|$%0kH zYex$7dqLM~vA31qg@15)wZ}#Yp`@j6dk_(azd!mYAz8ATOWwVqK>e1#F;=k7yQ{FB zcT0+A&m)uz{|=vQIZESS!}$2y4E!N)GN9@7r|TmXXN}t|=DR$|ZkD%7T#=IF)bnWY zB^h2gkM*%X2#>#vd7(^HLx4w(mNz%vr*|9HFQxMH9Z+y4-#TN^a|cMc-bvo8K|*G& zg*SO5f79UsZ3xB)gyyU4l=DF$(106;C%Uvt0;|%ISyA8#anLulkEvoVc%bFx_Y4VR z6RDKr5>35NIsbMlSpw|+oQecd`W10(I4(mMlINFg(|JB5!@_*?Ok^`D+OY zfy}V3}Z4;79S* zr!pE23T}szv_>3YzHyedZ{iD+5;w?m(VOj<6|6y z7Q?DgTIl!_!4E+}Rl$qUI{wy3Ba_e-rV`w6%-6;j#7caMr^igP>%5L?WrU4-YFGiQc@bI$mtv}tZY zCj;(|Rf&G+>QB%ry?yT*ISX(?%ieN$u7d4*P9wpJVaDwv zYyK2VcA8jHs9ZKk2TuF&4p)6&+jQ z86k4{WP1HgTHCZGCB+u8eLtVnJ73)B6lSRKown=cyvIvf20a5TIms`~SaDaim z;216W(3^wK2Te__q$Ss6(JCwPpgWoMbQ8`rXt1HfJTT{cBKI8^HWwk%^lbDOI>A%W z05MJEwU11ioW2L_;%>d{*fDj}Hr{i)Qf&JMKX&IbX({bHWmy!>XW;g%fs}iu1D!fx zCt8NOjs3$YhyxdJ1eXFdBc?m7Cgc& zyRz%jteA|mNMMJYsxaYsq46j854yoj8YqID_Dn(GQIte$5--5+Nr zN?v<^b-u^Q;I(_yr{X+oclEVlZf3I%9W80S?=yka=Y##MyO{SdIX&)=5o-|`OyMS^ zdhxtZ{|;7e#dY!o)br84r-L#8-~$voN+##80)TH8nHMjpnr2^`)bqh-)U2?UG27$( zfu3`jBe}by(`WRxZoZK()#JrD5b&6vbc^mc)Z)Tq7{o|GT3~+>Z#TRZiMFcWn@BT_ zc&SPtzIT@hq|lCd7mKMI!TqfX_FAPGy<(V1v)kXUyHvmz0|}^Ut_IBq3ogIniF5<$ z`Ha|v4dWvZ4Kyy_r5L3Mim&`ywfIv=Q&e|+eA&FYO+OJ*m&ZtQ_~;kTW%AeMo~1lC zczN(**TFpK{F(-7kLVX)5N#3Sqh7Kg#Q>sRAC5n?I_&K){ktGsVw`K*`vCLr%LG8+aQ+r*ti~o2x9EFELK%ukoF|0u)P4I@3K~v2X_wBmZ1EbbMB3wAlT1Ib zJlzfcD!GaY-X(V!%%nU-g%;mLJ+952X@uw%KhRD1}6qOi+PMmy)ASEi8 zWehl@v%8hI=#KkS-A{+Bl91W(O>ssNJRoOsyo-DAt)n34Y`SD9rj$-qfuY`2c2_X2 z>t?CvQ^cNV$&6>Bb(=e_ZPHw$CUxsm*~rq>Db^}SI%B^RCc=>cj__1-KH~zMNgPDfAe{Lw2PRgH?h35?g{D-HlsEEtfWp`_u2* z3u3-WlfO#mAqn=!)yuoKmRk!9f!~(U#B`Pm6_sIr! z;alvU0E${(vumON|8|IjYx12(@S|2gHY;rm)L!=vQ7+3e$P^PF z25GAmY`Xl@Ds=Tu(OyH|^}v@X+(eR~N3sP$2_+#6N~&5&3;ayWMY27>e-c`QWnQ+_8yTutQy5P@^cl9);ZRA1i(jUs`rKl)3He+q2ND2El};3Kn)e3jX7 z0`7b>;PYu=O8s{tCs8Ib=9y`Xo?dd9G$XQc6{MM+&HkGOzzOyF zacmzI5i#p#gnDVQQAB!9a`ux z*!LYh>hE&{NWMOgg$-RsTy2*d!X+R-KB!2(B-gV3U_L8h28Y3QD7`3|?7jA@cPavZ ze40yEqsEIf#`)JYa`7=4ig>5Z#F<^sLI$N$t3e;a1&S;leh;UA^Jrt{t^yZPZ&SWU z#O*U*YZ@q@%-?x^?`Q}w83#T2JLkA^rjJ^S#|JEjFCJ~}MZutt?yeR>0Ftp8)aZT@ z246C(-%Q7E4R}mJ#D|I*Z3S9j9%o$6d5#j=T}L8`wx%Hs#_+{SU5|b&*jW*gu}_B+}BD29rgAu0K%a2J{@00S#QwR-uQJ-o4V1*PSQV zg}j&yH^<3c-!LAuxozl~-Rb!aAyO2q8^_}uK^OBbKAXsLm%fWCT(A5H3Luo_xx>AF zeqA8fZwYx~*3?dIoJcitm`Us^9rRXZb%`i1h1>?-yZM(xiCV`>F+0U`I$W5a)QTxT zo?fXktynOR7h!U#Y7wu1zRyCM8shCu2)xd59uKGArUr@WqL0&JoYDGvH)HWUXRXqE zd5o4^@~?g`yQ`hG20X(wTYW8~M94t=3(ILU>j$CrM*^Ymh2E$7%CydrR(E4~AC=HK z#;6=da5D|r-sNvbw=iFFdStqsS1jOC;`BH!j&VL+WfVHzwnSRojz>82hM5x~s(Au# zpUD0zqZYfDQTy+|Wpvg6e+tJE1k)Xo0=wQuCk}Znt}C&FP1E`|l|}&NY{w~^W1uIu zr|aeVPVw=!)GLVYZcZ!Z4+*&2!Co~pUj*fL80{N*)nzrmNJ6*gzQn)2QBrC09|D@4 zw=M{Xo!bC?y^7D*&;3KM9z|k3nX($nQ=S@2hZ!RzZ>|Dun^F8+T0dbjKMPZJ0$2_w zcJ9;)(SWQF2K7AD5W<`nRBq(VGUQw8z!yp-Njg`Wp&71~pzb2#-9xF|H_xCej45sN23kB(yWxfC|J;JaKb ziSe3)e702wq zF!tbH8G)^7W7#exa+TsDu}AuW*PL1A5(TNsE*m)s$VwNV>erze>_;@@x|5W92gf7r z$9?dpAiiT6X0|38DKC`d+jegsk5qg6*E~g?+PkxV;?4!$NPYC1 z%3rWXLY|Euyi3Ds5IZ6r{wH0;=vc+Eps#uH2h-COD1w%2A|GwraArsZ?RGbF`b<$E!(-jjI}z#)!bv?^=8ZKPkW--Z4#N|C=gkt$ zn)U5J`FV5RSM*DT)eCsmGgWwjblPXl_rU&giW|D8@3?OJCs6&l;O1EU+?zA2zTWi8zO3+S5~&Jspd8H|KD|VZV`3`wO)aFyGjU37%4LhM0Pt^kVW()fK%~w zuxv>9^Mr4hnuBvBXwjG;P(PKcJvCo*wRk8Y+em-57D~6$|pO zuKB9m#F|{ajNQ~T{0-n5cpNCxkI0qk{ACGw*v^e@@$O%qcjI^j6~7v=p-*BSac=!i zl{GUp>|%#T{-XgzXB#_`j7Lvizy3T;thB9CENC5c%>hjWBjEWF*BP)EQo)WgBq-H< zv`U2FZQ{%XpyUj=&&T+C51RjQNdYzP5bMtba!f?Go7 zM$mLI>oK?JAvZ*RG12&Enfz`U0jglz%GVP~`8$P^I;O+<^Y~YEo7(JKCKtess&Meu84G5LkmDVNH-F(kD`NPg^Fq z5WKh+^7fg%@(0%_p%G8Lx~9XvmrIIT?$sxcwN_bplMN9i+)YZ%i-3aj>@X7mRv0hiCtd*` z52!~u$xiSe;#AlequqF6F5};=dQ;jIUEUcqA8Z) zLi&Azd)rH@ueQbieKSWDr#=l9bQXG*z;4oPNdOkK^Jz=6h!%^8RqDJ)a?3Wxp>9mkdkA8W0?M91*cR6y+QbqvE|Asfd1%r1lJ^fm{o@dE; zCBtS1&#Pssn(xjnwFA!Q-YirsT+Fm#)9Nr=8DBw^#c>r1gK{+B9QCN2@PrmU8A&XT}p&_!5y$+G8uHh5GhXV^YT@*@96d z9{49gw>pgDekWKg*_ZaC)bnI3sGLYx>gC{q8PdEp`}+1`_QWv7*vnkYZ7sGHeZFLz z$XjUGcxzR%)VTyCz~jvk?a>ekU%peF{2B6XvdTK~>w%DqTvq(Q^AA9>q-kdchjAq8 zRf2v55_2Dg&*0?90b<`?ntRvC**=^3*Ym{cL~1JQ8LS!Co+o8V#>|wDTB(wlTxFKu z!SjU$Bo*kGPp5LlV{$-(*<(NzGo{-=S!wDnJRLe?F61gD4Lz8%VCGsfw;HC^e~;g%*={Wrg4xe|*>a+eqtygn|>MKabmZ zv<2BHyzE^YP7Cvtv9iYPa88PF(6_9DI!D%FuGGy8aSi^ltuNx$BoxmQ;;)tE_aeLE zt_{Vj^2ivrb4v4cZ%di)HrX2pQe7)5XovnHq5cK)|2mqnfIm~UJN#JxGZyBW3{Wn< z60rh1YJ@yOj64o|SbH}huv`{=_pzuh*32BFKT(ad+wf65WQ$B-Vl?$$>n(UYt2R`^AE{AxlQ~_gv#z zKjX`NYQY-Kc8)DkM9_B9ki2ERB-ixRGAtbSPBzDJTSG|8GOKKfuvHR0P);s%A!|$i*qpi-f zbnulL_&%3H?Sh!)40g@MSdzQ2 zH*+jeYC$xvtM6I;k))XB{8j%QlSd}qw{XAM`;i&x( z1oJ`JhVGFrc*X`eu8$j8he(mLJMV-QQs=w?c1VAba8jX?rA$WTPRnV$WJlLSEpdJ^ zF-Z94v-)7VK6~$1?kgQBd?rDP|2ed0Wov~W)lZM$k#%lHZ^E(;3lz_y&?U z=x~(gaexOEx@#b*zbFAc)CEZ>3XTZtYMCwh=g^p>O?DZ0Q{p#*QY<20ngbE1CL{C* zqbd8qDV_`w@^Bj;DX-rzb9jqdB|AArjUb?bqY5IUK~}1aY+NNR*J%+qyalCFfeq-K z58y>>0GWh$$5*i_I9A`9CX>O68_`Mu&sl#Uc@UiR*dUrGXFqk_*2b5%EsF|)e=rOK z9iUyMjTW#@`izd{nU6kODzOO+;L=$%QrWU@_8Pyl^u?Yhjgu4Rza6->-EDY3E}a?q zSimt?bNxCy(YAEW7#fVIB67Rc_%)E}b(Ks3H0>1)<*OnNTW&5)wu|fc(f^Rx&eo*z zI2k=zCi!lI0TaA}-4GQw|LrVoR4ZoCPb{=-nuNor4@FHiu>|8%`%M|PfDSJ;{*5FD zzj$3wCbj5EKFt4G{>OTL?=})Z>7=HyF(N2~{|ziv1ts3CJsXaj5S{Wh^!tAzOF@Ne z54>DuGsk)Yc5~+wcxIn(A3}@BLB?wfW!wt+?#GwELBfZr=rlsO&vAtz860}55@;Pe z9?lgd#I-#Xdt-H1K?$MxG>o0?*dG3@|DT5`+s2Ia)342+W&dwpX*Tz$!p&M>OwJBl z3k@Y3`0mtL9E;sMk9l0#9bKB{>vg6`pVuitd-F;JsapTK!x<%-%6m%OFL0*N=$Qu9 z0h}|t9mns;@54!d^W5Lv#`|v=o!sv4?grohex^OvoZ84TGoTx19YgsQ@CPBj(m!Y0 z#+4mm0B{YdZga&yst}R!3XSriy-mZ`*^>d?gO92;2GSXTRBwiM4n*hZq7Cxf6MVc-F3MiOzt~p8^ zH<)w0TXxvmd7AHD1wg$U+$14E9Yl%DEc3L3GeCnxt}ZjaYEB?bDou0FocdrjpZiEF zwh+#ppsgKEEt}(1pJ#zFSij=~iM{JI91BnBzT-NNj;qZ)XcuY2lNuR8MTT`%^n!)P z$d9%?wM;H?Jf_@R^yk`^mBC3uo(GLf9UG}II9_lH)8w~^p;u~SAEzx^i@JZ-f22mRoZShY8;%M2dt+bL=~ycp1WWiCuz z?iFx4Rr@EI@JLyS#pNv2XoL{WTsD>-?#awSuIjL>m=jsEU_hzI=a8@G#Ti?sw60QBGEhlpa1l2=!6dzWJ z-G2HcgR0ibXE>W&CALhpXg2a;T%kr&R+tQv0$_KsOh4ietCT%}KQTyFsTdG^=)?A^ zl%0C=a9wM`XFYEx&5I_@Gi7wy-?cN982}u_@cusC+b2@2#;MlU2tjedO=GMNMWT!L z>qt{m8QiP^9mT5N@88s(>vj+mJ~~T#`l*(S?hBlSX@)7Xzqs*qq=wUg7bD_aY#`bI zSUS<~nui?V!cnFSK7xX0o6P#}nQsoP;n_;0p^hPPuYJHlqV_788bSG!+V1bKh4|<9 z88-mBGf#VyK^d-?qx3vY3^B6dp>PPGbu(_7XHjo&!k)H{IXOeVz0y<066_x4bm*%j zL;>EnHUM;C3<_y2%jPJkP%?Q2?3;k8a##p)8uTqN^*?Zew`$?sv2# zw$x$&4Kbqy=UsCwr_!nS>x54}ar)~SAy#bbQ|!k3qYkNNHo)BuUMI6l^iYP=HQ)Aj zZ<(eVu3;}_>Nd)vFFyc_!COkyP0en@i9wA0zA>fwFxXM#)>Tv)0y#yi_x)E+8+|XQ zjox=nJ$IB`d~>DeoDn8~<9(s-9%rn%Q6Y1N>WvW5#JYXy-X3Igy2Pv;_u0Qa`|jwZ zbbPO*txXo%NM{e<9BZ!jYInbwy9jXGNM_~A%12M*n!F}C9J}DSGDB5P-a;Dyz-=in zCl!cr#xn)`{V8q&7YwI~vup={bGbR2^ix&Skko0*9nNS2T0?J&6Jg&1mjUAoH<$sx z@P=bTH6|~bphvT zmM8{54cszRs5PmsHj_Gin6^*>@C~a15rl8H$>S&ItgCfeZR+fTc^9F~pZ4z$-`R^#b}K7BZ#+6%AIvCL$t4*)6jmGuiK;#XVJ(5!vgo}@oeqP$ z+t|Ry;xgvSj7NE9;<={EKHDXMp8}iw&|^N+(!#5Zi8PE($Hnf`#K;)P_P>UR@UW&J zbmrb^j&9Rxpo%pR8%3R1mUT4xImS#((kW%+eRMnoJBJ@T*M01@C}C3BGlgcU=fA%G zBWje9tU}fqM?~s~k#Ku#j(mR1c1II&n#&5k%EWCN>JT{}27-Kfw?+okSM{2PV!e=~ zt|iim=r8yJnVY{AJhoH$gLjou5LJ(zN$0br{;$}wd%SZ9?2bQ76kbBPhLZZikv(`i z|FVJV3+kgT8Zbpq>AHW0Zz(mG^CrEf0~kqaCCWR_!+%mYW&3y22BHw0maD~hc3ZqM z`~nB1(k!c)yfHaYC?t5dYHy%kqU`5%nQ|lX+M4Z7mGuffQc=&7y5|LP7}4fLp?o~G zXK&n~*I8D4`kepX!}nZywhg*3z~dQGnHCcTwT)l5W05#WLl3v^$agUh51;aMDIvHF zv0@j%`r(1*4XZQ7mXlG3N-FUKT2|B zgB{IS;}6B?+v{Qk+m74flU;0P4+PD0J$tfRU77zO_AdhtD)?qX)PsC2f~7diVnRlr zL+=9Jp>#V=Grw=mcPU20Zs#G21X+5ONngjCS!Fd<22FT{b+1KvzJ2uo?41%n;HUU< zFs8+&41kexoOhBc@#B1-`8KZ67&Tkm85(v%b+G~(2LoSc@6{fUM_Erp7;1RG9dwg0 zx3YNrte+9S>clnKe9X~tS!4K3(zwEmo!F)}4lEH=o9lCTm-?MyXAf=g*L}8!Zm+q_GHLuXz zIY}0if3tHZf=gcUVeL%^iEu6ql&v;g>+^l}mi>i;nf4X%vxUo!7%;IZQ|{5sLpBO91N4hXWtLBE$~syuuKDiAx4;AK3#>6qr28>G zXHBF|;NushcO@mcjZ?IMuf%(9i^K_mzg@#A%jY+SQE?b3g>u zxdzLkotI?AV8XPQQPG+ijPLU!dNsQ47?IJP3!IZIZN^dViMYT|{ZVJ#=@6}sg;bJM z!t&hN=5{ZaZn*U4`pI>MGjZll*&s*UEyDDab0>}~M$>+$$=DBnyB^ca{<=DyX6>Mh zm{mS$esIB^q_!7l#(0;?WKYLPlhxiu@a3V2L`!1Ih5>&jY+#!)xN2-%Y8CoF6MakD zWTF9BqbGz8PEt~E8;tMnfb^m7!;)R$wEh%PAe)mjMB_l?#XO}{I9=>k+4V8PzZ`u* z2!m9qXBSoV$-SAQ(Wj=u!Q35#tJB?Fyu& zwH~o1kt2Xt1NwBIx@y`2@iEoz{HkuxSwNko{%Gmj%>{lSqqn-1p(;tr60bRr>3Wl2 zKuRN8!piOORWCx^aIBd*T#%iBnrG~M{CH_S(I)6;4~8PXPy@IRQv|2xBT?L&+5DoxzR^u2jrs2~@w#{fNM^rvWB#PdMNW65*wRsUJ- zVygv6-BrW2tFRhNM#H_Q3#JLaEHKcsnqU!8H>y9mIt}kRcHH_FQ|{10AzpQWk=T#E{_swt{}_<9cCFDdk-TsDb07c13X|ux4G-cO zL9iN&kkzi_Fn0MrfM`-=cALNVqB{xERGCo^!j|%51JnVv-F}fTo|uzll^XBxE)8Ww zgwH*j_7zCSY`i_@fIoktMa(d%Y1^0=XZYDeI8WE)gy-S~tR!Amia2=?jAbl6f@v6c zv}*hmldohYJCWLLYet4{vuvA84J&oZ~uIUW#HsQ2I?@caDspQ}8CHnk**!p?q;0xBO zarW!RhH3nxqhPq|J+J7>SrS7%sT&M-6bpYw%EnS@#b(q@$-~t+CcNBE_D3?fU1arD zc&e4yb3?bqB7rvP10UjN)5qS#q?*;1l!d1WG#YpfU`QZWEP@$F|zi2ymYA67uqgS;&r?v-CDii zNgv<(XU|0wh^@5*#{f2(ko!oIplAEF)?Zl=*(7549kRouwHwQHat}u^5!=SnbbwZi z*Nx<~+v}nu*Z(@MY%spWfsT|+vDcpDa5MhkKQ@kc)ju8J-cf^lKYe!p;(!&2%81K4 z`FCiLE~a_p$?~sA`yV{+`DxaBU35HUlP3AN%A@PGMHu^yPu1)cU~T%$ij}ncm(oF@ zMf$A^h=E*0_^<9tXBab{cg~zkgd#s5LxeCYCX{0@x=5NHsDfYrb@?3&YJmD}6r2_J zXlBN%ceg6jx@y(KYFGiGV>0ubpy&4gaQ4?>P5uA>I4+0+qNIe&AUj(@Gbf`)N&7^x7?*RVUBWvzc^Yq(U{Vm0V@H;?oD*P!xi1j(b&)e+17BV#+m z6U^lmO?3$#n?l9G`*|g!=KvsU_j5YVJc?K*9WJmO#c`Rh2a zOEiyTif7KC%GI{Wy8!$afmZfb_6P^<|`1 zH?y%8$$gO}aUnTgMY`f2KyU-&WU;{hxzYmve1+435Sjg6-8W(I;%||Hg>m#H@z62} zf}T(B0DE`y!rm=M>>9`4B?Rn&e-`$)jN3Sw-#1}L1O2cGd4-=~8`3Lj;h0cCU<9ye zf~W0k!q)jOHeMZa#kcH1k75FbCnam$6(=X(?Y&UXk;(C#CdUR!ww% zp+F=@sqw0y9-349@a0ps*gf*|L#cT4FXIM+Rc@r4EL$fyyxrR=k8$Z=RZOExZ`q2r zuW*3m<&JXHov%#w)sh$_ZWTxV7&ANPd(rA9F=}Rc5St@JFQoR%?_Rx&c5<9X=%XhL zV7ug!cXO&@=Z`=6xa&b0LhKJGJb^UW`op!k%$j#^%#uWHWu{M7j>k5ZXn| zz*K*l{u_Ef${)oNL{yO`8zdXXgsW^HJ*2I0g*5gvjhCLGoh1;j@r^P>wr7d3SjkpC zoF3y?Q1ZJT+p-@*d9?GNSXngItejVH4UgB}fATL7HS<70pS_mKEOk6hA$s{c65sSp zjo~K|j(?k1gxIzET>AhvFVgCxqFD6d-u_7o+&amw)Cg^mFD)?%2t@sSihz`$* zh@wXTgY+l64}1y;7;O^rrvzz(Xisq?pQim)@@le2fs$4BhQ-g!mz3^j0rWQ8Gb(*6 zj(ll9Y7UMgXokD>7PnqgNM)aKAmz_{O0n%-{j7yu2aI>`oNVqIO3i=lw>m9b4&@6H z-&s48L?ZLT-XBKMOuA0P)WPB5;77v1CZ5QWea&%p0_=HGE^=y6JV0G%2LiM@9n|?# z7$<%Q>Sa$d42a+2*A6 zA$@x&6RPBft{b!0^tr%JBL(OVvstNsZHsD%$ho@L(CE@wwECHBxb-`$S&>0J`||BG zVi5pi-F`Nv;&_|=5(?>!4=TU1X0!ziV(@#lBYPB& z&dKtxvw+Y1i;)}SWe?OgfLF0kjAZqFB*I2XRBbhq5jePfeojGP{~hdfI?H;Uy||t# zjRL{#^ZP*$z1_Pw%Jrk^J9^GVEm!qxNj|eMhOEC);!AN?YkHiSumGYfUB1(f7|+#4 zzpObjisX*d!}P`L-0sIxMl-bo7}Pq_m=^e0AD3tN+=AARTstKn>+u)dCs9HfZNaPSpk1MP1H1QWXoPa`@+2FXm#ibHBTw1 zWg$(&Y2oocCmWaOaj29ogXfMX8|kP6>o;CP5AF?DPI-=RhyrF%p)>BX&gf=E%VzUn z0s19t{ZAm3dB*C!Ehnk9g{FtzKP#Y_ZK};HJ4>W#RV&j<84&VigHPf7*GJ6}s!dXR zYk6XI5#Td%snx9X=+}ls(j=Z@Q}1jmpB!|FO+Ry$!BaS)Dke+Y%8n?Wz%fKk-sVoH-JjO|QgKm3MM*jS$js4^Bj=750d7JI8e`ZTp(SSD@jAmgKc! z{9c&8otjP+^G?5MeEE;;G_rHnn_@$#;)TA@Dcg0610XIJdhey z51VNj{Zui@h_&j9d-#M5Ao;?Xl4~)Pd4ecTx1^% zx%d%I(`l=#N=C_uCeb(T19#~f+AQ{?vbX1RhRK=7#sSqpeEWcqE;jocKD;6>{5{--SjElk%$8@98+8^Xec>stuNh{?Uj6tN<3#D zD*9mU3p!$D(op9^&6>Twk5j08RC5A{L|BZ$dc59obCkz8&UHDK0Nzd84LWtAZJ3gO>N(yV~vIlbZ+;DQD_^M44qA5`akXL7#y?Wx*n<%#~!mB=w>%p6mgk|<3PYQ`!9B?A*)aBY$O{HZuWj~odpQO>Ok zH22+2#f{iNfb6`sO1E`-T8$g~Xs=ur9r^k*xAJy;iDZp=cd~IhUPw#|IfSmv>#dQb zr_%a2`mC1UB{Nbr8)jjftQs-zatEw&*``b~$@H}Agv+qFOu@4Q;r8nn5Ti3bA(w`U zr-21BE0u0%pRC52-T1>UVNpM29EC0pJ+A4_L*F`c-?}?lN`u5Y$Je>b%w~ z?spK!U$B}#J^&9U_Sp?V!f3Y3$Gu{}Xr14oPl+>wYmXGSLuR<@1^iT+s@>K4Isyw7 z4vPEwTcFi?IGdE#i0SrxShe{x0eG zekjNLPa-Ki6)LtBTiH`=`V=a_Bz?N{aoR)9V(+hZ^d#@H5tyCv{5I;)q zISKV8-!6V#PuH<;l*_DFBVOkEn&bJ9oKq6tU$axLz(MnWp3QI7Xo(p?+~ zA@*Q`Ey({g6+{F`jIHu5zy9UTasd{;>FJjW_gMUV zG|Ah&+3WSHbJ@6{>@k>gpI2F3irx&&AwD>W^0F`VuI%UIP+!%28Xslcu4nLF8Q5a* z<(81-_DHpg8vQV&qTqTA!eeEd{RdH!iT>hmYni=SDD9G)7WH7(SnHrsTbQ-QC+WaY z8s+C?bd-si7^)Y0RKAV6jF%ajxt}Ancbl5jaD{_R0%>&mbGcl=UPq$pO|?3&*6|B?)~uHo#wdf4{*BI^ z3$@&88JZ}E%1*2!htV+k zi`wDx0DOCRBl2?%JycF=%sRQITrJq?UEB;$y}F-@0+fkETz#1#7g?D5nIaFb7$_e! zbD4rv1EEXp{4Q=G(l!+;Vl3o?(aGziqS4R0i)3Xk#U9$pHMKRQR)>bmu^?ni2b5TQ ztMyE>;9a@oqhIa+<(mM=KqkE}?|c?|MD_-fbm`L`)!wDRuR7QFq)B$0W;N7EY)q^@ z#kxrEte5y=HQ~*P(NGAzBnBNV(}bJ2;W_DD$hlB^7@p| zMnMp!yT`$L_+Z}|B?QCnX}ywbvGm9T#L}U$?{0>KGs!`)2~XX*DYOXTlscvybo61Rvsu1;KkazCYhE}gLU#na91y^wkt;p&mGg)9E2NczI)aY< zM{}`f0$)S`x!m*^YyQ_73dIY-dj+~6Qa3CthmYohNQ<=!T7Qz|519p?eyBy1$bmnT@^(D`d)!e^b^ z#G91f9IckeisWb19I&qCegsFK@?|Kg2A_{Z)I&OZo-$6bUpUqpf_sy$tssei1%|Ct zq5GIjaedSXZO?u5ug_De*UBmN_bpk#sosVkX<5A%A0F5h4IeYa3*52z$sHJ)`GPLM zBBCLT)Lbu1kIwJLyaASBIRwenX_>0+QJg)ZyxhTcXbd@?U@%=hoHf7TXL0Qch)06Fkp2oSS&g$*HZde-&R7NN$LuE* zxf&mCLhX-#%A%gkH`+g!9(Po9XqPvEV@RsRnrfC(W)-F}=rQale3x%Y4>0aX76nj$ zcKK7|rq2lI>P3meJ-j^}98PmYJFAq7quPC`S#hLB7;^|wg)|uUVM0&oB|nR1750G; z&}pi)mPUsemUhzPgxSPI1B0;KK3!Rhnci){)*SWZ_wkK1r;olKQvzYa{>JN91{D`t z$?=ejm+T+f{5R<7uRI(tZV**#%yW(K3h3zux!NYq(KRLhTh;Z@6869CEb`c0(%;%N z1naDwN%M%l7UQ65xopR@qSR2<$+NqSM?#T}H5 zML>{S^h^+hqIMu#+re<~-nXw9_Rw^{5anKyyuDQw^)Mt}1R9T|>q>slA;{qqZe1(_ z-VJ}EY161HViDc;Ex{@_nqgIwhU47(X9+iI=tH>4T&}RoLTQmk&4L+=42)`fj!2rA z^A2T}_JyL)lcIOg;kb~+Cc}__-u}N4i;dEvlH}E8f=Hp&%;!m#liF(o&SD(ebboW8 zw;JV<(cI0ofp4~yYe~!S6H<5LqONRKv=pO`niQ zPevLvsU0HRf%H+3@1b(?-kSTBR=4Iv*3&SD@t@=3G9ZFz+M{@4B zRqBz4Do$Fo9hscZJCG&ee1rO~-KSlX%xWXF<}B|gVOQx(eh@}pMzqEnR~uc?7n_^( zj6^biEbn{M`?=bBv;vab)eUNbw=-FAJdw@qL8-OPR=s?Ij`x+G?*%vKXyV>9CP?Uc z7n3))&rjZrcChyGJYk+bJWis7{iU_oFDTWZ8upow?m}y=4=EV`KeU$eUs@}~Xa1r0 zp7?oMZC;6Oe~$8|JU{Q>B77vxcF$>uDM{4y$Ntvfq#sA$p6f&fxU}yXAM*kqBZdO> zU+_I)ftpSJb&PX+V(acR;Cd12>8J3KbW;faPIKt|q+jG*KeeXo9#!~CG$Nrhduvj! z@Hby1)-*CgH`rv!6Jwq#>wxt*Ue@JosC-4{5E~y?$bxqdZOMP;i8eJTr7SOOc+BnB z0KoU4pY;$HQ?4(>55Esz@3oFN@?^h<)LoW{c)^I7Bs?Nah!Y>X=}i@E>oHkW&%z$* zILl{}y!xpI5L0H+qq$5x+FJ8W8i6g>X9u4eASK25s$0?&!&q#FKE7fHNcAH8LNsr? z30UR7y5PTTDH@k6{}#Ic&UU{aQe|BwWNGb5d@wAVa1UMStT(7vJY${r2atRg7tvx5 z)F}GL^Ivv`Qm>P=4dNL3Zc=SGmXRO0gm0Utg5P~~^karOB+N+GtEVXr(6feWi}o33 zCIEnh>}`<}>%GxIbo%AG3r&K`YS6mIyg(lyLx8ne&tT&AfX&Fo{nzOrtM-T@dU=O(~%v1JaxvhvEB<1(<`+5xl8+T=lrw(Zy;qftHH z^34@gj&9S4UT2=X+Ya7n`1ZxB3B=JqivdplgtA%+k5h*gHhT2r(U!1Ob%hyA#Hc8Spu*7z<4^Rc)c!c(yP^Ccl5aGi1 zR^aMoI3>k@;rH;R0{A@=V-paVPNr^WW02n~B^y%M(bK-(RrV*T{)LMc=-kiY&I@Vk z1|R6A=$Ux2oQcsCc?vKzn@~wVhgBP&&)|>5g)o_loBm^QNfuP$H?q<~Jd>(7T)fqA-*(nNpEp2G@P7KnLH7jqctII&O-lnS2r}Ty0}8fl!z7m_G7pS z&sEP+3sqpN-nUo^SCZP}Uw0NIK-G~n+nf9UL1PqyccOs7J+Q=$qrPEkQe-U&62EcF zYeik1?s=_S-y`eEQkb#91kSyeqw1vZK}Wj=Q~Fr5D(MA>Bd-bzTI~E@!y}Aae80(@%1m;O;XO z6$9@p8@>^Bx<2Lq1?98%FDM^yqNSLHueoEArh+Q~qSC>YAjbza<9DDBl zrSXaD$DIr`#3f2oNEFkegj?an4(mG5s<=>Hh7vJi%zoCcDhA28n5qCZbbHXuU`2;5vNlWXZ?*cjUHaz~R-b$Y)+v9@TeCp@{`sZkfNxzdzpo(? zIWVEErwp~$I!smA|M!WBa28nfwv@i>eVim^U)z=XKnQ03+G)e4!wRB303jsoJ}m^+ z@-xr;07Acc3TS9pI*}Vm?I%5VW$KkTNGO0%XR5$QeiJ6HOu6#gI8vZ+*Si9RHObYT z5*SElXm4RE4EZL3(NS~k?ZIg*7l2r6u{zgRV7#QB-oa7hrkVIo4SEh(K4+j6=M(>c znQ&U#C;YTeGQg;fynka995UJS;8ET@y>T^S7UPtv{VcJ%PD{;=Y%lx5TbiKpu_XALFQ7%LpA$^` zbT6(%WAe*B3*R7w&{of+HT})S|Ag0nA44J~;o#Fc8vHN3t5PSmH~ zZ%;9KG5rsz>7gTd$|j%<8PzMbG0sb7o36z04mBfFZs722GdjOn)^nLxD2SvX)bE1W z60+6#x^Ft|c`VBVx#=dU&tNA2bZ1W1l*Obq)nJ5L2^Z#c^a|Ti@uEnP7!l@<-L<1$ zyy;Vz^9hPe$mGgXl^vl`cU{(!k`2wp7wu;I86l5erdh{O78Eu#a5HK6E>kw+Oo;rR znoH=8@X_sd(ze`%)XII_W!l>T>OWLEo~yaY5xLfEjJT!5pO zO~oF$_;84;Lwko-#kIJTy_3C|a<6rI2r&h}j)9$V?fnxp^7#yxbCr%h^RA8)#2m+1 zLp|@tT8@6&k6Y8shsl2el8f>$$PoWGeF=R7IbL)TRR`uv;Qv$q#DNLJ)a#^LIV1Oo z30XMoK9|dXq}oXqM@I;Ce_1jH9DO%3@4M@>f^BL$+bLV>-SHejPoK`|w51BC;YU`( zylk+ZA?#9%F;GuEZ>8G?pN~z%3;U^^6-%Qz&Tf?!36=7AJb#a2 z$N6z57KUc_%-wyTuKEb6_geP@=2sMiqxTG_!^Y0-I!W=Z?^5E>h7ld?(-%8nQ>^!F}+p~|)6 z5-uF_sY=3!|4NAcuXGJn0^%=Pl%j^wpX>~Ts;*ZyP9O#O0I0@|h$!*r#nL29-;-mm z#&aX0!J@%O&x-0(N9H(a=%AcqEHiBdt~{*ER4L(bUxnxs;R9c99^5J1m$0LgregFaI_TAL3y}>tH*Vl zU{2_Ig8jUD58DiZ52ucDucC{9^%_}E214IF{!iZe^C}B+;ndZ5(Z~KfsR?M+7s@33Tr;p9>)RVW{67DJ zMgRfO2qqD6#EjyK62{#@SGsTRh6aVZt6&@BJWK%pfJ;)L@C}fRCD5M>+5U0dMBJz@ zxy2O)V+kY0#0%}BOVZ?jnRauEUO@e z^XOXUG7jwsD18Hk!aC}sBI&vqG*YEOPJN(sG&lxPzMymcM=T9<Cg>hg zHqY@MNTy}P!mz2!)F^tXuiAOU#2=+rS2ca|mlvCHLAqyRg6;VLkY~z!u{T(=s!eRi zPy6$;gHukQS3-fR0q?~u8;HDoIujc75Z-$lNy4U;TGt4W$ud0r9FqUGHGi_zUpM)m z035gT@;^uhKGLdG zFmQT24=;>jA*XRbyEI&_znZc*5Tu#Gw3-VK4>OG-V~%w65*xg99(KGFo8m?W%e%!~ z>p_moN}a1din&Xq%ktP5XQIVTroh1YanSsm%~g)yB0~+1_qID=pVQCTxZoaev@v;=6#i9O41<zFm_%ZD&k(YO~^(LKU!vy zByq1vzQPDZpd9}#0*zIx^ZzJnwyg-XY%dhH43ZgZvd_>8Ikqa&j{y?Q7x-SMJM|{= zZu9?5IU)if$iJ!~fAeGq8PJr#JW~i{&G2`kI%clz1P6Vu&HcQ5TYK*)c?sKh(aM zFjuFNGfV01++J!Pb$@AoagxN8frj!cK2$mdr#(4&~to?!Z_mPOg$E zGxCLgn+sNg&Q~52azUBuxZ_NIr_nt1)S#rPho-4&+SnAt=b1dvX7ypgd6wOaKcrRJ zxfxyf;Wm2em$eomj$wg*R?R8@Sz$5D`rZvmVV5f#FowT8Dwhk7YIUM4tMWco zmI5IQ(a&9VnY&c&tMVHQzj_MQ3@dLwSE!TP>HM|+1%xPYoAT~o>_H$FtE38T&bNG~ zwe?~9el?Pf)3D)GPrNXr*a7ThAv)4FBUZa8wdQ05a|p6~8*9KhAQpu3r$Q_CHkGzx=;f6c^c()SA#|e@bbV8Iibj14Z2X z_hMs+TW57tz*fY|7h4gVr&JBN_uhp*q=@Ib>4i3fCXI~=bnJ+y z?>>If6m)!ApuvREzTQ06TDchP3&Gv$h)>{Hm8;Y5pZ-8$LU~cV{io{M4ge36x+k|D z{GN0J)rrU2E|1&muZi0JoYu1*CUl5|9VlmxEAtRS5b#s#FLoOQmu&)RrkkwIqV!UIz=-2 zQCVVUGm1$kH_6xnmEru-I^|ev3f&%3_mewSM^yi5y8gKu47jLATcgs({&cl?Z~3A@ zGvNof%}*|amCZztrAeyUKhQCIbL4*wFu&uar(oNa)l3X#8Kssl43=ZnP}@mjSlSJh zhd+gNX0w=BuTKtSqLn;H7jX&E_j;Icu_{g@ZIQLuZ|N+9IYU}JLc7@5ytyoNsoZD! z>93bI6?S+(X_LK}{YW)B_|Xc!NLD8Z$~UHXI`Y-Lk;sNTVU8D}CnjXWG+vC=|a8Z{&D2JDpU;L z^u%B31YXLEEaA)#1!bTi;4bwx;8mz57|CCSn$;ZdshX90=a&Pk{!R{<*SSI6F6#q4 zU#h`xKTf{G&}RFr^JM;5Q^AC#;wDiihU1P&NEKUD^&yKFCL{iHL`8Ee#{Vj=Pb7I9`u!j&jtAd`k09Qg5~5Dc&({j9h%cw7xJ}o*6S?={ks9xH(!ayEzm4kO z7Wkjq#Geu$8~WbKha5ZBe5C0#sd+;^)Dc}p9dwO(f_=qumd^4cb2UeJVSp2wLFUw( z#mnYS)8p?tOnP0$fYZgYMR%l?sH29Tm62n(33|5n;!Ilb;CBB@ipL0I4f2xZZBALq z(YX!=8JJa{cWTSv4I0{kdt0}KOf1-WUnnl3FQ?IcFcj3gCqUMyX4FB!%F@MS?f@6# zd9Tcmzal6AZ>p!zup4ZWme|%j#kM?wEiUBBig13URmTn9k4(Yl(&6qSmf~4=rE{`l z54~`t?uTBC7c#9CdcnEQ^J(j$3SW7sw+|-Vz~d&lc~-NqeKh^}2MX}Jv~h}*&Ju@2 zU}J?`CL-?G+|WI$#HvfKLZl(v3sCHu%1vP0z+iWR>?GUg66@h9HAeAIrUhhgf4%K4 zUP|?7RzI}19p5N+l7mjX)*z}5+N$a~+nqz%uGyCTvfrpM&xqr#k&d+bU}Zs5YqzVbqW7zEjMKi~*gYG_E!Vvkqh@5(HK$em z{smuwnLo_1L7IXwxAqaC8CruSyioCbCUQSldy!Jlxi7beDGk5M_oLOZ7^?xdp|Xl; z4W!e6l=LmR?zK%%AyVb)oNfX^2=9fbtX1uy;fZGdeUsE3EHSIFHd^H-@RRivBY&_3 z^dlWe9Z`-u?{@Vw>GV5Zu}&(r-LQt9dkUNc!1q@W=iAPesr&d2LB21^+I+zjQ;fn5 zaQKGEkWY%sdXN&UrnF(7yCT*0l*ca0b-2fV|F*2M&X(gC^YGyT)XfkoMoc;^@YjJL zN!*oKyps1frcs+Fj~V}@_Mft$6?DNzb{%Om|Dgft{&G^$;rr%4z}tZeal3YNkL4Kr z9}rO}GjZ#!gz2w02{%L#GpEVQZYN;HM?OIpB(}J~=yWu&CR7IKuoGh3`XOtoAOM%1 z^J$}CKFd+{co+$$5FP1@zmbQ3BOjKPcMB$|orm5n;>*74V5<1xJ{{XPZnU=Vh%)E} zLw|g#c4R`t$1ArbF0rr+0)>%C8BcFYf)3qE@8|>_we><{enw}{LgQR}hY~@Id2-7) zb$$#e&?KFP1*>V>#|L(ZVI8MCV@rNN+>aFSVgvhfbu~o-@0fM_A|4dcrw!01AXJTd z?>3R0`MPX#()!!^5z@!@{Ae6%O||{xI^)|iLmxwds>-YM1`^-vhf~PC4w zRmDm!Q%F_kZ+8sj0sG}brag95PbN80rESq%w5t}qX#p_PAm%tvUT8K^b@Ln_;nWv; zhy}22iEn^DjSuq}0lh`*Op@#Teh>fEgl^bpWX z3Q{9$0uhe|S@K`{qC`}S%?Y54zsxTqkcMxXm-{WO4skA)D2$M>X%%2yvCyJ%IKRv@2LmTEzQ z)PUni-s(#b;sd!X6--0fcIe$NIhHpsm~qas9YLvY&%vu8(*c?BQjl-k>)1zH^FOBX=0qD}GlK>CZ> zinv%ZeYB4BpuF_rf;|7+Zxer+T@Sc3HTum&J!12W%lk!i?^WP6_b)n$R>yy3l{->p zxf7<+GzJc?E~^A zunuywVnf?&EnLh7@EZz{_NW>IO|KN_H!1kUi3;U5o#0Qv-|*PQ4|Dx$0RY$$bVp(r zzQ_3H^r>B*?sc}c*dkCkT8zY9P>pGWx5!F^S}i0HTq!)a@RZ#^&{?LgKVC)t#z zx-9>$l`E;m9aNPX)ju9LOW$W)m>x)8ZJeKv1eZFndRxqc6O0TcU5aaAo*9_orCn5A zX5T6gt-odek8xreuGhnYDS4(!wX5X+@=02$wrRF&m*zFjI(LZSQAZkcH!E`LTpokS zsi84#fpJRJ-*I6lb7H-7L9LNOBg>8YFPUrxbULc{mMPtzH<>+0#3@0?fLH?CfzVwr z<3Ed^%YCB;Gf}}Zbn=0$fAmyiqvc&lY0zjoIdxb#^)<_%FSs4J1LJ~BJnk$L1=6wU z@z;S6M?-sAb(ILx=L(>^Xa>?Io$zpUSKZ+=YQ9>K4ZM5RC>BGtE44gSharmNW zxTUF8>#nJge$Ark+!7B+MGABo_qIqf{&TPu6T-Ent@ zYB{Ig-*)Z;1r34SII}B%6Z{ktzu{Z8={N^1dqaJGO-*Gb_|aikifbuz?dgUY8oGdA zo$}g*klhk6~bdA06SX7d^V5J zRRQg@_nhN;4i@ZLRZsCm(pY)fXEVMoMtqIc_J;PY|2zqL_0JkJlbEKbeXEZet=xt_CM60qj(l?o^KW5GTG%ehJtvG zijEn*PjPMNeItZ9bzmK_Tq0M4FQqv6t}oM^y?8`EJZ19BSYj8Mq7>sjiP_4tDY-B!AGK%Ua}c+D~$d+ltl35 zSsm-=M}qQA@^b}3Bnm(#J;BkZi%LnFFKX*^ze&xp$BjLpgGZ zP>z3*R;Toc?<#zmYAC}1+n?-R7|&cvz2d}#^%#wv;B{ytcVT#W9nDL3MT7e>lw#hS zfR_n1p>r@o$opK$dErsPVBmcUo^WkRn_lBg-6>VrUQ?8S=W&jl#7%!;SrSPA$G|!j zKaiU|@X^BHK~9Jw)2u%P-gGC``&F*VYzx!DNa;al5Y0Brb;49mDxmTDqU`qXED~sj zU~IB%%F6!yF#H2_*lzOY+G?&8yM5G#Pb+)rvyQkc28@sE7!SIoTw7GdelWm}_si@i ztHy)oTgI28IBk1d!q(r*Q~U}?9ibmb1Uds4;{qpW0WpwHzVk-49zCOkb3#{w@T53w zGYfJ0b4UyMX?n_gqvUbUFw|p|twwI3-_oV#_@D%7SL0Iu7JsrezOQ3oN4Zw8g6ggm zH61H1j!T6dk9ctg3ONw6Gy%=(28HAH8!j&me|iCUPeVB_))%Q1{6cMM0Fy`NfD8}) zG;Vike2bpu>iK>H84rd|-&X5s4Nj-b`KKpcbMOBnviW+O#GQ#n^J!^xSul+#Q`^9s~F)%#~2*l2^c_Lk7;l1SBY^SDjd=H&WkIrIE&@4>_w zU#N_gy7Vb%+%-vHBUrv7HeY(SsW7^`n(g#t=I-U5g2AeMZOD7xk~3V&;pm5u=#8Lh zaNW@IP)R}P@%9mh6ZNYl74M%nR1s}^7@lV{S#omH-?O^QLj)m63H)h%C8p3o{wjfe zMZ>LnK>vOv~1EjxQABzignHxMaKzec{KQ$dl$SB9^QO#TN zgk6Q=vGKOk{^a=?FdUkG!!1(U#A&fp?O4#TYV1I2>vR4`OwRaa3YkvPc3^^dziuI= zY^qp;^T~J3s}Ae6i;1OcZU;rRiY}P8XOlGE?e%V($r7T=A2XmLoyxwHR2Ks+|Eos) z>iJi%%W~}wuwkU_6XQ?ZGrm!@T0=XjawpV%ROH~Gs?l~$0A&I`Gv4sYG=?j-&a2Cs zQpjM-Vb+-&>t9a~^r(0epFdY4TVEgkCi-fzGbQP4q-1|CiR^H^9#5Z0yItm(B1d$O=IR-r>yzo|N z0PG4MwWH&K7wa~eVOXzcp zqEOYu6W7jfI?T&=+vRVBb}_*m(iV^-p#hMRdH)5cRTZQ-PFI8~NR|Wae6;;gmt^Ro zJv`UsrVd$a3&$sn$Buj?^UO8z61{45S_LOG?$(+H+!xL8GI@_E8l@ZEX&hPW9&H%A zS6mbYE+sJ?)RyKF1&tL#{ymw&b0RI;Qoi@U4rTx{E@6XL6z+L;Mghz$JsijFE{+al zYuWi>Gaz)ie8RTdo~3-_cu(6)2vQ)9-MUzVQ&?-RZvxc#cF$8&@Dcuvw_(mh-gm zjUmy)GXe8erT*KBYNpI#(%nrV(LXg?wAQNA+$x9b25SWL1y80&kHqqnqce3upw7Gj z{`1NLyQa9|+p7_fRM)xhJVW`0jMlFkP@tkG5I&WvzVhTwr={)(5YriGJ1RO3>-jUX zy0mz#yK4CvqpV}h4cV=SYlFX9`Z`w!;;Xg*|Fa0lQR=lssGPg?1pbsm4-PyStaRSg zrT&5C+ZU-r)vKLac!o~@{4iWGH>_AUFVpFjtK};HaXoC@aastoPKLM~4N@gjH z*R`UtG!J^Rg}0#vTsBo(SV ztT{8S?ufcpM3gtZf_uN|Ima}Sx|3hjue&ZPiHUAPR>+4$IpObhERPgr{tpfD7h7T2 zU#JpEKQ+rthG}p}p6+EeuIEChI^XuBnt~86-&7I8jSF@|vDVmz(At>3k7Qmb}ubNQyuIN0_CybCid%iYP1~zcQ z)in&%g&~U$pF|ew=hqDA{WNfTa)szqqmOr5-uj)`=t!w{JJgySG3KN4H>!s1LYlPh89ZC+Z9x<%`5YE+{2I;|wZjJ; zY{f$gE6!SefFk4s|fG zdtQ9&!Q12b&(MOiQ_pd#Am-)a%Seq}n_zni{A$_3F{Ays+4(%Q)iKGgxR%**Mi$<+ zgI=NVwXa@H)00K}dq?(2%@cuqrp(iygqK8uapF|xuIC34a4l>^fFuUGy0$Zng7t|T zI`pPRo~q2MTb&(^`ma|vmb%W=di{8ZcAr=}lARZ)Ke5@!oLL#0Hensq>aG>iD{h6K zG_kIaEj9%U+Va(@gw4R@GE+I)x>qCaNQP>B?&9Q8ffcpb(x z@u{aGfQ%mJwWx8@f;x|uHP4PbTr6`t`>`>HY%^)FtXLcH99;c1Tb}M?kz`x+Z6KRj z!s_DU%!S7xeagnS;P+2fOgyyVzsPM1gellOYN?HI5;5^F7BsmWu{ ziGDTlN+U9fwNIQrZ@X%L^QSaj_02Mm++2ytn~#*>7?n%#ug;|D_jKM`Z2Hn`*_r)j zDHV>tul~+|W{(jxEBE1>YpZXr+s5Z$=%;U=q_$2oXfjgOi3Ee)oKA1+1iOE#gyS3K z@s(4z(^yJPTf)oa;tf(--vd@p**)Cd{uRd~xfhc4*3(TPR-YY*wvV>X6AnnRlWvE2 z*J}hJYdR=g3JjJju&xxu`n@2#=CEFAJsT`*UbR^b^L^)fq^|ZnGjGyqO(a03L-@#I z%o#+M|7Gz>wU{LOb)FLlOttf~LD}e2iy*UOdJV4o_nzMJbXghA5Z$fsEcp-Ls(z}0 zZ+>V$R`B|$YL2QgJ@doC6>WqVMX@y>SdUr7Z*3$^kA&LEJ%h>AZuih{AcSgd>^)MF ze=4PHoR$#JI_DzoQs-#r>rdvuK+z<$Ng9gol~N&vZ~Nq7l3i6x z7Da<4sb{K}1MiPsieh-| zAm}}{>p{4)HFNnuO%qdnA-mE(7qtnaQIc(`xamanf6dB`To#NXc{`^7Ov(WOX26`> z1JLFG;Z|6cf;17Bh;b)sK||{$@{9iu`9z z4v1JJ)#}zZQCYGJ|9^^b_FfLWAf#ZFHMe$JQh`gZ;%^aLN_|zU7lO00YqU=XWgQHIA zpM#%wB52s{e~*GP88G?ZfNArJ2=G2$!F8@l;=HJq^29td)m-xj+${dOWcoWlL&Jqa zCjWT}0qg$om)D;@GM8izi3SGFk4eV8e}zXwnplDj{qZ7&iP5p24qISGmxU^LsfOF{ z&fL(=L_y`eojJY>7?l6stURAppx&r>>ozaK!*jSF422Ds4FwR(2Jl(PxCtTI<4sr( z3X@?=GEQ^1F56-j`NnU-uROF?kWIcPobp(?nlZonx1_j+%FFKC+rv}#TMOt$@+st_ z(gmVYQ0iHWf_GW3YwpUHEh%Z)2-JJ!EP8BvePe?a@Hg#sq} zE@MkoheB{&cE_ao@}i`Tsb3>!_&Pc5V0ukuV4mQ0bBq5D}1;5)l~$1f&I| zyL$$uTUv5Nx_gk8jsb=mhVF);n_>8V+|S;7JjN?3xC zaMb5tDQS*8kfs2JOsov^%`&h5P@@ss9jl~kXC&fctY->)f$L#1cxyzo#>WD#>R&%R zg%}yKW$=PxFWO^%`c<+(tPe2-L|*4y&6XySKgKP&J+9Wv;+x&>GJz;hmesBA9h@DN zXG>fJuOc7F99!wTbmRN@$%RnU{Gr96W_TEuz!dF`qs@LeiRYUY^^@Q^UZc^^HK`wL z#8HmYpUHJb>McMFhNbu8pa=Y8shEShK@MKn5in!5h=+a}{|T29Hcwg_5*f5eJ39XM zGm2E1&!YUcol(_ZZq2pyg)g}L#NlsF_~RRJs^Wf_BiECg;lR;}ti%5$M+)Cm&t3TT zBBNTjcoo?s_-36@X~W3kBUY5K@Uj7KqqXFb6>E)?v<}a;_r9d-6?b!)lA!J!NEq8? zVd+7}&){#5OXnCJE9-fgZ(VC|M5(#zxHxG-m8#D0$dKP~aaq=WbIe7czEy$yI0Rq} zISx+{Ns2oXjZlNZi3X3)A+AT!b2X(lDo&Qk;S8%%gCjKl)oO^^ZV|Ulb4^`m*M;_1 z+l=v77d6ewUmAR_>U4sY|M7;(2@Jq`A`v^IOAyuHfeBk&!n9>}yXme#r~Wx1>xWpN z>LdFXa~zU|6J1ZND#J<}X0exJ^{(?0UXvyD*3i+!d$ldI?uWFZtKBj-aPB6Skx}e% z0ED$wwHD|ULQ+fEJ8A~}-gn_lBr+UJhmb|sY<;Pob z$|5K1my1sY*q$3{4m|lt(*71yV?C>DAaI#D48jliC`?(A70V_}K?)=vd$f|pYE8I=U(pp}wCH3X~Ih4rf;$tl?)AB1v&*yT5PgjGB5WA`_X z4>W*!uvhOoCO+WlO+6^}hsZtX_sqXh#Gda3iL$m3H@^yf^YTGFKXM| zqs&YKvD=2brs%Xz3Mf2P#gP4V>xb+)V+`~YbqZh2u3b%wht3F_^BAnJNpjr4hT0sQbmj5134YeNofO&NnSi zHK8lZ#bvX81+`tH=*p-|kww`Vfj`so8cNTySf^UMNUwry-+ZpoRS~b<=x#~Z%7spe zJ5s@}!s8+evR|upQk({>^gEg2N{exU)1Ky7c|=|9FTBvP)Y*BG@aE5wGtU9oc&n5W zv{Sd6F_%St+60+*v&ls_tK?-!;Lf_aPIa7|gZhy$$9Yfv=e?zk;+wxmMg*Esx`NN6 z@0%#XdxF_g^_`du@-+t?`}b&t^t8g*Vcj7{l4m^%AvDPbi8?!5(aF7xrG`;)GJnXi zx?Q@xO{gz>OW~%7@|vrHsSt4J(z9JBy=S>BOp=GOgv|{TPhW6b-PhHDQ`G2I!;c3$ z9H;b1#+@LSLA0)eO|UlCsVs{|l6OA$*$D=8weHngHM*eQX?}7F)#G5orPCZ=MJdBi zSEqJezHK$%MUf_6f-Sn6_GMHHeAt8$AD&wX5#X0v8(_S%={w$6qk*Tg*J36NC{k4%fH^sR36W4_VOh1DVNrKM!6+Gxo>{GyJJ`n zu_DM_0ZuvspHz#B{V{O%&1*vFUXAO1o6DC7_y98>3c$+2#guu(?bJS5KKgQ}D zQ|c}}o4cDvea;6%zN2Q{>m!~Vg7plk<^C`;prmBNuOyqBlF9kVO7dpyuUtlmGIiS` z@^)V4tp$x~MTKls;;3eoWCXN}^n_HPbR`BwO0=CGKplDR7cQdSlkRQGh_B*)T?x8T zJj4d@B^g0%%V>}-AC7La-AvN#kuHXb|=(uWOmQF?BSs**IYceEum z;fdlI&>?xLJ6PWI6PTmj7j=8mDe0@*HNm@My=hV9`CO8MCU?I+0l2sUWXiH4&SKh+ zV0{*T46%HOMT^=2iqB-$PJ=(X5~-+ArIu|CDYDf0H0=A)(7!amt8(Arha>Xc#V#xz zi+t5wl7|lt%$=%uELFh${J8?dU2lZ7Bwd3Kfba^#6F{2w6tr$MjPSmw(W*it11l?75#OFZ-z@fxB4o<-~xo*0|^ zjPr4ag|b|q@3_MZ1=Z-}n#G9OI3HWO3GHM}C3T?gN2?O|vS+yIAXgv?h=4bzzIN<{ zbs47;_%5kgNpJYI3`t?o(OEQ*!Be8I0V$_U=)ptDkDZWGkV~ zB+sR2Vb$s@C59GwV!t-4%G8w46h!uSF)cEfIKUMHY4Z#xN_S1)JpgE_tI}M09X3Y! zogb9stb|TdNc~}!2MPdhjhBE4xesLJSO^_zWh+>MnsKNvw#mFdR>_klDq>oUj;yDz zO4J7ztFX;)xKvk-^x2-$d|xBJnr(tD3Dw~I!YA7Uew5E{5tsn9iTe!lT z1O!up2AA(PdC|ZMK3$n=3+T9 z{PE*q_~5(JrlYE}UIV~o!*ZyPh<%ai0QLKg&LRJt`O6N$aCJYyB%08C4dIXs2?53f zM3;8hftAuY`_rZ;YVx*R)JR3p>d*)k&MtU2=;ltw->}I!XMVHSGu`m|yi_dTLJ@3jCMDF!tY-v#*+E>wZ>e2z?tUtmU3@3t>@x7 zRMc75KAoixFXB@_A5~J zN&q?ai@x{DF$_JXqg^=0{WoSz3ppZ#otsh@`j7IE;LfI}gcrfi@(=cm3u&O(Q(prNjiZ0KBKmTS9NY2!ngR{yP(e1Nu8;Yr%=+ zd)_}}o9-Pv@&H?tuClIoM-l7v4_Siv235kwSgAEBtT)I>RM6uY%*4g3Ay8Bt0^lt7 zZWKsIB+H-}R2K1td0l(&YKT#k;666)y2Y?wol&7eQ*9e#&6v{j#-Utlka->Fk+_IW z3`SSIJ0H`I3?qbWMnezGi@eu2tcoZbjo8_o+GV56i$vlL1jCauJLI=M7m3X(@jb3N z0XjQGdn4u>VD|Q}1bHC*#@F(ysQ*3M__r5XiQ;R{yFcU#f#m%>uP(pnG;Ud1++|Zv zvRu=(54f3j5Ko&aPq`$b@9KCBC;4r+5ycJ*6xG+J@0KuF>+a-&8~L5j92w`O%0zeK zoJKZ20#IQi?eE?601Pj7u5d$J50vfqUTx0J?3gTy@Jya9`Kp!3EOpYYi9A8$Ft*_P zgwyJHJPIpTyjJFSQcVk+>SPd-%1L_Z@lNDw3xFX%c3;8e>6F_On;N|)Z?C1s7{%2G zUJ$x3uTD+??je^wmRwVq^Si^xl^wa)NV!*qBz|?>n%m;J0S>LsD(9kv;C=0h;rrhlu-&eZD0l0}5M%cf5ig)dvJPV$yOmB83bq1q_(a`^u74LbFEhUW8|Qd>gLCxxgcKC~?S!<}B!~RBFX8Wh{K$o? z6z@yGx0E2dQ@M7%zw4Y#gL)wy^H^e0T<5oWv<q(;4$p4^(T zQlb{Zw#oJ`iHencopxTjAHyx#t0m)uCuVe0@(TCtk~m*kj@WE}V8f?WOqfUFAS{5met0HnyYIibieN*KI?&yIoUSQe`|7bj9PS^ z^6qask0{M{&~tyz*s8;UC$Ng3Pm@g0hyDD~ZulqU8=34*;+O z^&FT4*3Va1J=l-8QoTIevIho?_(Wl`j}fmna$zUhJ{;l-wWVK!fT=0n)r{JPIN#^A z>Y^a1?0Nc{|L42qR^OZ1#ZN#KD1#SE`pcRmCgd_z^zi9 zJ>IpeZ)(63*?RndQfQ5H`D$7+%!9YU!ue^drVN2 zCZU7fT|q?%mo!}MlaMf4#{ivTb9S{yvB8{W*pUP`jQdm|w##~b&D-HVA2E<8CV@1e zK~Qh%FL{XhY8*$ty&l$vhw726zJvGjxFhISe1tQ=aP`jxsN`UPERil&b=K0s#O7M7 zUmo)HvmfXiuTudPMAl{HqJj7z^g4dZs8lSJ)$8&NP52KfgoX)dSq0>9;K(MvSY^d!2oV^Z#Vw_phk} zF!cLSjMtEeJxtc~S+Y4{WgAYj?;~^BiK722x?2x`*$uoP(?QtVV{EWDH6^fp{H<)Y z66fUDR7QoF6-^cFl>sj+)02yIaOfkp4hK1o_9|)&Ue1O8qaf@$o=(08fBj(&qoRP% zAv$9ts|cuc6T06#ay2k^nOYOApVVxs+EBfExxc=oJki$d^CE4m=Ca21d!0tT{Q{HM zdUV%zHEOQnvaEGR?BiAX!`nC9e-%2{r~P_;+~OHs;ui82CK0k4O77VJkHbOZUvvy^9^HO>>7p6 z@6XZbiV>LWAlNHAd9&3o)Q(Gw``mTH-VSDatbN?p)7^KlqA1 zhcx^MPEN6@Q%PQuml@jwXi4Z00D!7;S{QP+2D^xrZCzp!^WUl#?zh{cK(Rhp3Rp`oC<}S5Ij}Z; z!=VFMobNAN;wuT4yV1?%@#xyAfq>J@2XXbFb0kt4SK>G|8KLVK8@cnJUH~N#AiOq_ zdvK5bXHkfAk#~eQ^~e{(vo%J*(&pG~%t!#kK=)gA@lH$HgCGv5Oz!_^X(LlBP@4S3 zPhyvxDq}^ayjF5q{v{i|cF0B5cy!{V1zGiSOtYn$(m{tr6b><5sVcY=|Kku~OY-ot1+~e6Rm|q`^gypo=uUW8jM-Sa&ZwvQU%KtZ1BSie_or5DX&x1L z8$~6rNMAk$B`>x^DOo2_6qz4sQAXgi1zBJ?cqoMY{nFxs)D z^)@UNItXL3d&p%rmn-aHQ$pVSN~$O>`AJ3K$0+ivI`_zU%)`zV?n=x@#ghyx6i-Ab zV(qqOh4e$~CI5C4h1%Uj)zjPG*fh-(FSJwvoZ035k5@gY@y^L}i)1(uO|>+|Ku`TK zeH4>2JQ8k16$a(X!lg-$D1%h48)f+iA>0O%t2^3cdw|0ZPmH@9;IOlwL2MBLbEgB5 zeWPokqSrom7uqNzO9aL%My(^Q0M!j3;uV9LcW(#(7!v*Py-i7 zoGr`z(3EiK0UAekeB;dzsbVGDW&ckeJKS^(WYH6QJy-Ei_fRQ%@n3aSNoOyDBDUkg zD7}z!pvLhydis^zsBQz}4)te9xqIGZ)`Lr7d8M91hRQSJ!$H2Nsq0&A(EpQG320xU zryj`tUyQfDkexLE_ORRdovrWQ%mekWm8PzjqR9R>0l}`>*8NXxdc2rW==ZZxe#FF= zW_QY z^HNA#Zd*7W=Q#~H&u(Thk|19qKRow#vh0x5-+)UVWBHC z(&C{R-hE^#kCN5ED=bu3sq_KFUIz?ak&c2&cN*{$)+HJR>oK)=^Qpa*(+XqcRd{DuTb8%CrgLw5sz^h%|m0%%40$$?%j zDYn_tKzl2vdebB#_+VJmd)2XVb&yNqkQ>u;$e-)cVbll3IdXo3y_Jn|@t^uz?0x&D zJ-;&@$DVI_)1D)3^&b9u?BP-}!xh;)M=?G=0iFMZw0W0S4Ef z7|>NA|7-S}`FSmaJ%Di7jINi1iq6_SkGBo|21F)8Dt|qHmiUnD#v4q70T+B5-9iV> zx=}9O1`hOdjzsY*wZ5UX48ZdpO1}FR+sC*U6M7l$5zOf2XsAfD!aJ~_*2B9d-2-TC zc@}#R^$I`KFdYTb;1%QaZ{LC=E*r3aZII)L3CU)T&_NR4I1*g)mv&3CBvNVvTAMa3a!SJbnA`ieSOd3zsDU>u_SO5tP2}lY4EBeBmD}^m7CyD5 zXX@+A%5b%3i%>(ZOQV#SF2Hf46*stpiQ~pDCrTgp)g<1LHlB?H!H0E*1`Zx$+5I>I z$<;4iKO{(e{K4tB7=}3Txuf)7YX@~ZA867EDV3Kq6EqPTdz;4tU*aQvz^l4TC@MpO zn@>yfm-f)m8eW5h!|mcsK%V}Q@21&U><=5}BEEs;rxRqQ{^w@nr3IjpLuJ(nQBwT_ zXWF~oP9sQt*fG{odXYY1HbC@&v?ZL3@8=IEjSnrpOq`)aoya10K5gBoao8uElsLu;Zt;l^^n)FA7&fD0 zW$)*c`F*icSyAAyBicu1~< z5{&V!3|i^N;r0Wmv|gu=4UoH*l$jOS&jivGH|2VZuG2CchAvirQneV?GpG)8$>&ku@lsaV_2bT_4=q)De3*A3Vaq{1Lwlhsd zQ&K6KEYd|Ma-TCrvDk1%MfNT{H`LT+b0&3WS4$hVFIbkbI5s%<);aqX&M=pL&&T&# z?%IM&T-kKw3BO5|(!~erW41Y78&x9wP3iSdj%Azdw`9ASm*Y);GC_%)R|Lvf9#tvA z_N_^+hj}&(T$iB@!v`e6mRSDfU8^@P+a_EiDFmPL1w92A=*Ivtp5WdvFW5OvdAJE-)`*(NcUvAR#LS|AT_sR=0 z(k}XczGFXkNbPZFn{1VI23wUM)ZQy0l@epgZe$OJ8D^&nE(&KvvA`7o=bO|j)<{aU z0(rZ-G)V@?<}LH0?t(J5oLeD5?dj!uUQ`?$y1DNMaeg=&*f4ClCf9kSnx%&ILK}|2C%~4`%yls^?jls4Bnc?5JsXWe4zl=RKIZzO`m}H%TOCGPYb@`=Z z)Ij1U;~A;$I3#cpoL#}F%$raV@$l>0KUP`fRQ0s~{GtEtJL@|jl*OHW1|gLF>tF8K z=wn>aALF}|J#BBy%i&B1%;_#mxsB+_wG!Jz!;i<(bHs^F6v%m`aN8#=?F zV!lc@`o0UXS5`c49Od(#7MyVF9(+C%Tq4@xaanWTp{yQ3k#$8)SPz$y*SAT}7dnaW z;R)M4Pd$jPzR|Ev^(qQYXl93$e}$0kd<4!vq0^6!fc2Y_jg;uKxOT|R!^xDrc}go) z9iadJr$mMmhS%UudUJ^X^yWry<2Ico^h;cBlkPqBI2*b}!{{!L_e#z_B<}Rf{CyST z+_%T}Au$#Qc#~wzOdEzIdblnX%E>PT1!V8ep{ z>xbj*qwKCfv9DLwRt!WApj82lS@bK}g^y@)J&f=mOfAv5pr$=WDS6jr9l>rZrn^W( zKgV;nQrP%I6<}oG2!1ddDIEtyiJuNkz{7}e0!WO^|NK$^+b93eA6e!*jQ`v9`B_4m zr;B43Gj-W<3owtGcuP*|E0Nt)E&d|v>mfm zFQYSuwSf(Qhno!L_|j`}@@k%0tUWk`JPNu1pJXs2m597d;m;RM?8AD`G07{2pInU4 zQPv0_|GH%l!PWlPiMGCl1%0l{XuKur+E_4yi9 z=ZfX%%ipKN_xI^Ij2S`yA5O=&gJN${>c8c%4`zg~PIF^{*!z{+oXlO7uz^{YhI5!S z;3Mc>&0CM7c?ymw9$2>;NJJ|N9OLfKExS@7QzUW}|5Rh|OM*eR=XsWR0~?{=qO1iC z@I8k$9kd@2Fe<%XmfL&a8CiFGSyuffs*i7VqrEGDA zz06}(0b!(0i=F|oOHKA2&uj`cwh zECwC_CaB7rw6Jl}8&dKBQ%F+9*qu-o1G$KsgYa@HEmu{Ijp(enB@h?9|NOIm9_fLT z@#(Vy!IiYM_}371Z3dhQfFpmf&cw-9ykA&4%Ge&4uWPYMdakK0D3`#jL47Vyl@aw| zgOvH8@Y9Nd`0&{^G-!nx2cZ)DfXuudh`9R9=?&w@z(brj2>G)1E8N_iLUefZr7FFwJ2XF&h)i>_<`E&2oU*m}G z_{Yj1c(rpybp_gPOnY{*HW*mZ&T?GQXY`9GCgM|%PX|9uQfIgb}DD| zjtgsR&c6b-$eQvt9~ATp?KZ$>J+~472=rY4g>yvH!jxSzxdgw^r2VZFFI&Ov;Nc%+ z^SZO%a2xC4te&wV3v%lH<-Ja^)R;>wu$6E;jsr^V-p7xa#$K5@Tp}RuMS4Px@Up4x z9j~2AA}H9h8GDhU=P)4$TcJd6b-IgdKjwE$MVF1(E_6K)_?I_0JR6pdx^Ol|Q1CQIq*9zThshp!MzMJn4ZsynTZQW@RfF1{u! z6q9_TOv8Lc7{~Z-1fNcAm{{bD%3~llBW;^3lXt4evA0aYYs39TRu6Nih5S66-NaJ< zF&Zg!t|DHC=RC;DO>0!0NX+-^HWtB~E1H>%i z$+?0z-s=BckWt1dQ~aQh9m-7=4EAL$typGJ;f1be%IJ&4ZG4tVM1LlWP{j7Ip}%(~ zV2ov89OQJCxxhMmY&rAw`oIQ`;q8W%Yb>DWHHGRa$#`I>fTaDB>88lRKHY-n8%#Ly zHW+0}J~q2PZ6g^g>Ioh5L{h@E>hHJpN(YEFU(E)cv?`WP{&0X!;vOQ*xRXo2h}u?W zb2r$tu=r}WR}HGDIcZ(v+(PFRx$4Qp#zX^;YNgayJ+KK+E(0IK%H;cBSVGn);GlGwA%WBTXabY2*u%YFH#HqEywE@QCz z-S9B0yHSr2kMK4(pXl1|QZMRS6Vk6N?%7$Av}Dbg>P+@>2~+~ozO3bp4#a6phSd>Z z`!F}5?|H6HeY_p~TU$F5sszc~@~>19+$HTcgLBsxiC=H4U4K)dki^r#ih9ip3);5g z!7*)1t9KrIF1Y~uJslHxC?nFYW~l^==_s<9im>isO(?Ssa0202Iq)9F z-ZbvTTpgnfG!n;`Z&B|e4#_OM&)@#xvK{D*xE{ssZ`mEjCsU$6KOMWcNU;z^*YDbd zbWl|XP;u_o?)Qbl`zA}Pg5>lD)V1eSB>yXpWi!m-K6?3}3C%#jC9%aTg08_{WE8-S88p&eImPU}$A1xv%PxT~a&?;q6L|m=3+x~BM|b|t3!NcAUO*xmd_*?* zsl}FGTn>dOcW+nr?~u6vu1c<+GWXf?{2-sg9MyoC&Pzlmr`X;lSv>DJor7GVspi7D zfonC+w!;+v`$3g*9+}WPo6PP?5t*wwgBtmK|dFa57 zW&R4t^sc3)--J@G(M?l4E_Jvet5&|v){Q51)Tz2n-))9%m+XBmwh+zMJ=qCWzyee? zOMV}*O4_JwTtSP2<+9e^i>+cal%A7ZzA07!y?O9Nmze#&1COA8l;iWWn(AVJ2LBr~ zB{6qxL}-?VE@{5s2hIPM?qEGe(E7LGMWVC&z2#VHbkvZPJbfUtFuy6jz>T zV`a((VSjM%j+ZuLEHBaZZfRui>D~7XMNfW{w~@R%GgL5+Kji)0&C|I3Zp&p6V0?d~ zUplLqhN1`rBRWi3<|%~K|@&F|EhAnQ{sT1t?rVY9=gVge{5JTnJ1Sjh}~x~>(qO!Xi=;|AwiBXe>6;;} z^<{BQnH;57w?5=hkJ|H6+;A$Ex!x5PA!r`!GQdk2C7y4`u;H@vJF$AMs`v^6=XG6i zkwG_-yqVf8*3m9azm7!4SNMUFf`8=T6{)772VmotqL+(dyf%Y>urP#v?Q(+n$s}Ud zd&@?&RTKAB5B<7)(mvrR)%j9O5M8;kXZm0sk-K=L_$;00nM(a}0(Ar$Wm<)yCUU?3 zbpuqtZMX~B%b2mBQ3nV>DT4lR&waj|3rXyVIU|Ctj7?2lG_kJI*4*bt_BH3|`RMsw z3;fmbH7@+M-h;iEv@;>^CblmA!t4=UKV}@eRdEq4_bJ}}fW6>c`N@nRml^@orFC-E*`O|5jCRSNwmRNFo(DP7jE>Mo82tluUrL%+B^5QWyy^QwN()@ossa`{%F#R<@V>nPe>SbIld3bZcCf1Wr(Ly3Hp{HG}fjMc`AFov(pMwdqR@_ z3#I7$3(xy@L*$O@uOI{QKfDhl-=#9~_By7qlM@i_#5o5OEwYxY;#usc1X~2<(KfJ< z&3qxC&8BFxQWZ8K6nknN!>06}6h(BMwPJuS4^Tb;?7fSl_afKYHTpj3m}`HczCf!Ur|}8J;&u{N(!O zme296&nwDUq}@RQ^P4i>4E?&zM2uRA$VRmMsGSi;QF#TqvLQ1pc`=N{k-pNU)4;4j zA-2b{gR%bzhQT+%@T$lM+woB}|I~L+u@@e6uUkueeN|@{5Y>QrtYxOE@1F8fIL^sL z1rW$uE2liWM)s(QgVv4PsqSrx!b`qU@gbvCwTlQ&6rVNyj_|&4NO4OKH8>}RY&&d$ zN6TS9N-NI#g1c;*&R4nC|444xgqIGK?X}*WdZ74Bzj(l|`P%k6$(YzcNx2@WnRgKO zIC4SS<#q&x*4fHvz9Bp(J3)6iLEkf!5ob!3xZp7VWFkguTZ+v zF-RT@gF!#k@BJm465%yYOA}f9R8E??_&hTO4Kgw`OnWa6b!{i4 zlp+}C9eA}zuFN^yk&$^?N_Y(hkgI;XPX5TbRKXx9)p_fW(3aCg1IV%ZN3+V>EB8LC z0i}WZ&CSE(LU?61l3oIG{>w@ZEbMU+FP1BLjk$ZdbGcirHIgHU5DU2E6s4}383oQt zhnoMQk#o()F&;$NZcW0Hbl7~|56&6J&bZB026$66R*&gshSE+x-<|Uo?N8X>lEJzt z2*&PLS&ZD&y|AMfib34HF)r^C9mOj2mUkf-9&$!X*l6R`fat=LK})21C2D-mNB{cd zJZ%cG%kuQ)K=YfGMHv(Wk(%_Nx=_z~^ybb~1vH)Y;M~q-@yvsS`;u3G7t&)t|J& zvtj8-4IAbbSRF6e^}^L~UBp_{t|U|gX-;ywaf9J~3Gf^zC8%6Lny2T#wxnE+ zJI-F`W|SUg&lWyB^yqgVemiOP9Cir!u_EXpFP=`rE2~XyRHqtHV@*FUjJ(ZftuDgh z*F`)Qy&Sb# z1M}R$X+B%LYcbli)8uOAc%S!sor0NZ6uQcq5h7yzSk0M{d(w@HCjM>YG0hV6n8S5DOr8v zE$zcBR+lvI&exaLy;Nh(ry*m`9VL6AzYYux2PZ8`d2nzWU;YRN+aF?{?FF= zr#%`aIf@nhH~^=fWV>9L7zDXyD|$`*q+KCgis9`w&lRbbGw@u0_c8qlT9l~o*NK}r zV8!4Z_d2at>~U{*VWj6UDV&f~K1htuF52Ucbeb~<^Y^u4wmMFkM4_oejn0OzOh3C) zY&L@_DEE%8#mausShQm3C=Xr>dl5gNEVZGdnY#3g+-h45+CABu#7MZ7dimsUptmCekEP1ELaXU&J`^D5RLa_fN z1Z)HA7)v5kmQ)*@t{KTOi4?mSe_x11^}sAD!BgROUD_WY*SAQBJ&ijf`<+EA((l{;4W~;o z?bo@Tw#u!E*siwA1-K?l1?#I+ugLhT_7nBa)rCDGBlL4q)AwyMDtxB$W>%9JsaExC zM!OAu2P|coY*l~5zT?(5J3+gDUM;SfB|aBFnN=>Bc-5bJkH*^;M&IX>F|VU&V#7wh zG9O>1rgw2cZF}dc_ADm!@SP_oLEHWkTi&a7i#?ZCP|ij#H$S(Ap7;_=KaJ>@S8gp! zKV?WtRTFdO8yKl5+mElYyFuSf^&w0BKOvY9HZ$+3s_kn3rlN*k%ZaV`75kB*yZVFj zjuJj{17BkM2I|pCBdf#k(!Pd^O{*k5w>i=IUoc(cnAY01>O0$m7L(pc`*4w3p8NzQ z2=;s}>6Qq6%u<-sRcjbe|EsT03*~>sE$weaBbLYUnM>fgr#mSN4X9V1ryGgK$bDa) zjA_j~eF+?2>1@0O-cpz>8I?w1f4yp}<(xxyKtZWLs`YwZn&Qfrp7(pipg;G@%INup zrIFV`PjpAWpNr`f_8%Er99NIshZ^iQ9F}~naLAV!o+giTjQHtiG0?H?tNL`<8~eE~ z&g+{2_*}s0V^n(5nAOK=x4ops%k)drA0z|S#5#7+3Y0)0)#Z6)ypbeTO9Lw>A zw$6w}(HiKh&&k3q${aDBT|D(@iVL4rEwi=Xjz;=9K0!7zGibNjc(q)_21*~o?DRQN zru7Pcjr?>&k68Fw8=ubG;Ug~e{-<8?79jDZrByDQ*)?Nt-EooB(da$q>mRR-RDEju z*j49DBGZefiR6_^RqqwADfG#{b4xj!1H%>OkT+{v?s#(=Zg^O?Wmlx%V-(N}tpB9+XB~NR(D~itVrOb$x4$^-N2C#v`iNdnF7S0S?lW z_tVL|sno3q^aO|6Q6dDDe1Q~Nm~Ae}*+!z~h!HA?`t{y#PwP*`xJR#n|2hNf2Ei^! zPIBg@7<9Y6GLYi&PK1{h@*o~HpE+6vBCy^I^`_-b7I6MWyIh|{0jJ9u6900sljUw} zEu|2Bp8?{FCCRjpa>X>d&pVH!vDxt#sk|2lji-eo;Uh=F=yL5H-Rus&&Huvif0mHh z6O(dvTQ3{hkO2M)M8zA15xrIJvi9K`$A8TcMh^AH8)nN+w~uhS`MC-_ zX;zSGU;~>FO5P!U=*{k~_O31ILDU@(1r3*xyL$VbMct6f+nQl7Q+eV;=H%XsOEvJi zf8J~AZsUmMF&PaB%JGa}IYeZwDM?csZN$8p&&rTz*Lki{@>vFFjKRW4cBRL;f+s0Z zAx~Wz9(bMGq;0j)SjBwF8g#YTi}@})JxOy7=dWN{UUGIQlX zD}vG-O6~&e;)v!t56QM9KYy>bo@k}>*lXhCdRAW7DnUz9Rc_oh5z19UszH4@p^0>; zP0W5_R2dF4r@oZrI@aHX=ndG9=S#OQBZ6 z_;`vaF^&bqCICrgPza5hm?5 z-x9PPL=Uc7iW2RN+??f}VuR$FrxC9k(HI=|3zb&Sc~{!s_gbA;v(5;hymN>f={CoA z<;sUnoj(2Jcd{I-OaLu<*y-B4RgCJS)QQ{Gp{T%KY-uOnI@J_xUs;SdE=qo%L9zE~ zXz57es`bpSe&vm1*V(KVqs4wUa`qB!SK4?IcwZP&hK9ih;uAQTAdhXZj!2%SJ?|-t zF0|9;@RxKiaGbCL`_yvNCHR6Bj zchT!shl(=#AVicWBTaK*(QqqW-Sy7)CX1u9J<3+lak&x(VBoOx)s#uMIUlndG$%*t za^TX*pVrNqBww4OiAEt#ncvg*}!>bF2o+1VEP zw)1uMzV!|)-bTRzh?B+Uv=GU=dYIN}AxTwFGmT95v5iZE>@ZCE)aW^4M295C>oLQ3 zZR%}mdd9Mkhe%Q9s=MmL(@QS$1s;uPJ)Orz8;Ad{?j~? zi#1)x+vQbGs>`H~qr(?_^pSv?t97&9ZARjm*X}@LtGcGa+FHM<>y?1!>e;I@c*eq^ zcK}5KN#VNfaEVPG1Uwpc0zhp3#qaHCUDaH(?KnqH{*k1 z$Edj~zdD-FJ|IbfIEstJlZzj&+X3EV8mqFpqM37A3+__|ZIlb(1%P%`F_bA;&U!@` zVT0DxH4G?9a+~v-D{0uA{0`kNq`HW@*Lqrs)X?EBlv%{PZfa>%(IcEw)A!z>pdM^4 zb(yw^YPs#dRT0=!SJuC);QP1N0sVUx9HX(fxKmC5F(#>&;VuTLfG z*QddT$9rv2I}{Q+sqAaK?WXW_E=~QH-Ozx3ib;#?ny)^}#6FKiv1&^qzG?lFHlMwA zo75udUl@0S%H-+j4FQ;ct5E6sfvdXt2EqZhQI=G#Uo97jy=rRfxgwFY_1b~?K@!s} zLC^0Nj?p`;KA&;=;toxRp zmv_6<$^H+Acpp86b`hO{Xng+uRTy0gHn*!Fq!f4coDHL5un(n&twJgduhOmaMgEhYwp|mD zE7238ri%p^p&47~<*_FKjaM?>y7V8&LOYdr6}$lwc@HT3zYxdgnPhtudm^6nPrc5N zw{ENx+ppc{HE_x3LofyzS-D3+a0rF8pbSgC|vk|vydvD4gspouhanjhdr&3P-L9zR317uOo-eW}})=Rh?VrUYY zq;OA1jcd+ftzU-~*Tl%1XUF2v&vv80)`tOn1!bwZntAuKQasI7AIIwV$ncXCehj3f zt9(K?=jwh(+Fb8(>CS#~yrFTFQ(}Iem8VVB&5&nQ6j%Ey(%m$^^Nedi`qPD9Vz?w> zH;wyv`2s3xc%OT!m6w!ccSun#X$Tq)cNRT~`v7h)&ka0lg_pv|x@2$Tl8rdaf3u5t z2o^?I+FKP@O1*8~TU5LqaZh3m^8sN=Ui60X9Jr1ZT&+rHFK2q+g8XBXVwRKyr(PVv zYsh=c7yMH`%obk`39l$i2rw0WFCQuKS`GJ8$9!t^jkh`I2;t3$R6p_ds ze#NdSwn+}HCS&dXL{L*r@|2UABLm$LdGE@)&yFtTyiJ%F_22Zdcigl4LPQ*o__}UG zI*P(oc=Qjn)QaMFssN><+YGtAwo}?Me}D!LH6Igg(^(Uszis_NvXNY0$HL`O_U$p( zv#X1((!8;xGHupF?U_67MG`XN3)6?Z-4`a+3>pzxslP?E?AlzVx`+so`O9&0o>R0^ z&_k$kthyXas$`KYgW;@}Ay2KyG@=<3qt_D~UmMdZ5P_}GW-QcDc*M+QQt<@j60_!ozr+- zw*doGN#)Tlqou$){6rD9C-OFHOrAk5qA&XBxn!RPI7V6ldxaE2_oGkJf5utK3a=Uc zf84!gSd`t`KP-rXqJ#)2NJ~jccS(ngh=ioljdabBN(x9z4h>4z&_jcO(m6=S&@sRO zL;Wwj_rCYOpW}Is_xtAP%O#cZc+_dON$#XKc0^jdpybI1%-saA z+lI$ib+-B33;j`u%;mGfB5=paxQ=&Is?8&v{G-g%Zv%hsDh%?YSFVaCTxg2VaIKal zk3)`pGy2#@g%y2eoCT~@227;X(Hi8 z$bIHd+*Bh6A8kE-+I-6%xb%xVU?8S&wQrs~By~RP2hjsdVJ~}%a4&(yLVzPo}mq& zPch|%D`b?5iKd}W6Bp`OL?J?TobAf4Gu~Qa$6^_q+)2y*v?K5{2{A%BE~8q4_kpmG z*fk!c0a$bO@Ddq>l8F-GUgm1tLi~jKUdG#%#Ls%A0-cDXwOF3OApL|PXYDOvPtHOW zkBdC2ueE>7PkOXLe{JvK4;sYzF4{Pu5>oH-8m2S2gBz8Y7t zq7~q-bVIv9lfH%3dIu|=n7ff7;6(Am7e%gJEck1lpb=TWrH)?rMe)$Hj?y+(h9Jt^ zM+Bt5S+P@})oLy3M3WugElEHv+NbnPcxH9R$<;f_?HLan?|xsD~AC0V^`8Bs!jAjweTHDn>1L2%s?6v3&y ztsyBKy>g;)7L1GKK6Csbl4+V_&o2YnbMfM|GTV@VP#Y~-rLeltE&q{gZ}gyrsn-RE zK5wL)MS$O|7x@BAR7;Z;%sYjy8 zDuC4Y77bfRyh?mJzyINJ1*yN?Xbfu0c>wnU@q^bZ+Hi!d$}7`p+)rAGoUYjJbL_I< z;UnDTez0)y@ng~pL__U#XY#5n?5K@x3U`cgslJ8Hs~?Tx2*at>vQUUrgyvnBHuV~Rj668rKS_zrvs0a&(N+{({&-#deY9Sj^b)D>So!n+DA0Ns+N7B;vB(()GxC8Ts<~%cp8gN zpGPRui|dsm@jsfaTFVpdDWB?pjQd#~Jpf%s`oo~&D^(K0GVGnf_ePOGtH?VZ11GTh z-O*_nI7EsSWhZ%%3$*V(E`{5bG6KKXc9bk}BXE;cFWyN_O3V06Z5WPiC!I(?zuz7U z_FrQZ{mxcxRK>O8!M>7y!>HZ?u#^OjusZ#d>l)msMHMdGp9j9@vU)yGv6X5DkJ+b6 zK-jab!EX4FY(fB`p7cFG$^D%dR(NLnPE;>a5TZTp7M#`&`*G5+keAttD~Y1N0#Y2z zAqi)mzm8`LOX@h!AU76W+}+$B3F) zPa~FHx1T*~d%#;fz;{cs8arq?P-(PvzhOzjRk#Y7#I-Up!*{`(jx?lae$9FHWrDK- zla~QXLEw2fz4=L2)j1y^-WBAa7%DcAaB}y<<8%ud3e$#JL{14ZT!I*rF5XevD!Eb% znnv<clv%@be>eDloT)81Q*yHxuNA0lN&cB57 zsXTQo^tzAcuJ%k0j7$;9h1C@#QQKNqRQ5R303iZ2d`hlwnrP@|Hpz+X>86G;z0_j2 zv>h88C(zUTd^x|JYFG5i4Le*osZ-=E0SY-wB}1I`p}pn;v?LI)nZckLuuQ9uw)Ps^ zz~mCVGq2f?8#a7I-t+!RAA4n0)86k9;a^oVPxR_bDh1{^^7;Vw1iJX?Zb`+_l1l_a z<1o{%0S#Nr3ZE?G5;wXvR}$=AlP~}I=TtyKacAl~i*WXeGS_vmR3r(k%vcSX?rndz z*Cgm%!ll${3@aEx8;b6frBz$D9_Oy3I!HjDinF}ZJW^dn8*K{Kz=N6ZH+$K*nmZ=d z_*gHE`)l&WS!`EQeg|lYSgp$1rLG~TnI)}d92)x(n)c#(^``pd9*oZb*K@P zJ1#Mg*5BG@+7^JNI5Y}$BNO5AD0xZ;!=;3gO^2#b$ii%P>FGe^=^3?Qm8n30_b~SQG_`cf=WcRtR z^G|MtNqKLEZW7g$(#F@3hCX?dOWafaca+|TuZ!AKS=*-RrwOeykC9ca=+ktc={u}D z_oD$g($mJ(;F%RZBB$KA+i=4(=1^1PUsV)i1XR)45jX?|p!d9zTkYcu({?ox#WnVn z)3w|33(nH8@8RLsr%5Tj!MrB5bMS8q#Px>Q3=(CGdcCf%{#RU$(} zja=enFS~4e_48x^Y;-^lc4%(1>x>Jv^WG`fdlUtOHf=_}huKs5K;P2kVlrGIhDen< z?QgrAuNY0~o&jgf3Rp(d?#{Gbaka;exPjW{%tWe?IeDsYKkDR zIDiB?FQ%R1qvlPcX59HvtUwwoBBo6HMA)GiNiAOhJ^|{tl<7* z7kM>aSjJKOQd{L{Uy!O~x6wZ!O89*%xMktkQsf3jdfj)Q@4k}amvOx92XQu>;@zw1 zHYH`Bwv?K1Cl`0193QR@Xbi(OLt+N_hqg9Jj6w^(!$mv1Uc}@PA zVsD~Ga|MZ-Xdl4HxFec>WhFddpIT(zoi;p>plj?Xy1O--`FI+dj&LaBSRIJ$r}XnR zoYKS_@Q*yW^w}MNSx*OO*{MmGWEiD1&NNV4+6n%+Fx)g% zJ{UW?JI)A+Dd{_16!s&b2@J=AsG;lz-zJ*Yk7`2ksR~`iwMV?EH2&svT6*Br4(ubB zsb&r=sGq^hv_B-xtF@8`Xv=Pa7-VRpzGx@wSZ&OUJMtdo<2ojm1rHKPD}bNon%zt@ zO*&CQC2bMH-l*w9x+Eo5Xr@uyJ%dJL3*lAg8l^mlcNzg|a8B1a8?l_aq`u=_IqA{v z9N)3r$k;TMnc52J;UE!QKkS6ayLe+HBsdSPWaqzVd$$nPTFX4PlA`CxRK4+9o+2eC z2Qq9861{a4FOb7eHr6NMiQ&3hHoIz0&*PxK`ktT4bE=^2+7V*xQVwFLif?^j(B)ve zyC<0_YN18Z>+u;I&cdsA@c&=$jkUt*Hp6uFcmq`ITI1jn7f_ zrRfx*qUi!Y5)>_(R)_6Mcu%!pSp<0z-xsl+nk}i@K&1+dgz;k*>juzqV7(AcbLT2CZp2d4qS^mt?B2*&*z)Q>q#Z&lQ<#$ zLL)&04aI=^zEsu{=$#L1+0})KWA-jaBDC|CmxjZGCkdt<$dw_vV$-D>$Y=GZxA=*Z z!|3MMbG_g*rV^)FsvRG3cbZ1VKRnQV4W8BoQX;p%11GyAk|_@Kin+l&Bb2|BexA{F z73wSDeLfW2RvypJoJM9;jr=r2XV5T3wk=q*SyI>LAzeFrd)xMouMnZX3wp}6p_FW; zvzpjRwuJQv%!R%MmCqz!ICK9!fq{Akh2eKGq*Gg6^gnqQE1B|O!{Wf9O z<9xgmBo4X1M48~HJw2%+4&qBkEM8yid6_9>?2uW9@)8F{N1MJdfMKg72hdLrCW&Y2 z5km^p(Hv}XEL{o+?||2(#JTC=pSm;)isA-nApNA?pby5S8r#=o>B5rQQP`|?U#k6@ zkLC5j_d@?o!!N<<4*S}j4XO0mcS|qrPR$alEfge@cqP_XACmoeSg#FS{2N!F|7uc( z7zM|aJ@mex7lG%|esNizJEy>uTk4CRaXH|)wlrORYSobEQYQhvWz(?GmDwtn>DW_) z=kcju&WLKlZPpdUJmB!IJ!tk(a@ za0tMiJ_6?e>)GFBqIH*qQ1tNKG-LpB{{_lG4eqm<=DuAr9XzFLCx9n;@`L#@9^-it zZBp0X-!O%Z&;G84uwhEepxP`mGfq=$>%tQlP}BUdCPFn>==vhDr7DhC`ld7vrQrLl zi#5pv%vg_0jwFDYHFxWD-A0QF-)oe(;0kfKDT(~Z zdv?)kiNt5aln%`i8g>WrG$*1;W=kG_81&1U$#6@fC zdUD;h3mK!h zLyDfB>i+lRnX{_hA z$eJ>ZIJW0v-LsLkUrYXvv!I zuq3f5%131Zgu zo{!j|h~Ecp)B9!7!H^5-PjkWY*CG-MHf%?H1SYL6C1{2;0e)`)1y!n=oJ@`jI6`6)3CO^MQnt_w-h;IUW2IC?i-fM>nb_F(UoK1TD+3|LB4sj>3( zucoWkV9gDH@Ia0bPAXP5D8FSJ_;I&-d@7??tA29L>BGdUQo9Hi@6F;Gna3xX_I2x< z^C*4{`rAk?jDyvclMEprzg_whF&sKFPtA{nSr-A!gqL>{w0vU`U0g zuhQJJmY>9I8_f+LYtff zSz!slyCcr38Y42bNxC$Gbc5^JNuPDZf>yLY+1b?1GByVTh0r*v+f+fhjyVGYd__zb z0Gp59VoS-0KX>Xb>Cd{kXHO{|>g5Usd|`Am7~s|-5ptIP*3q!c&ek<+lVUC^`~qGJ zG}nW?4G>O{W$Mw;lxymc8DQXd`rNHcC+#y0bmsswv=DVGC78zXjVn_hCl~rsY+GEq z!lZK+pJ}?oWgm|(fy1)-d}H%-=@asFXX}PR)1PDoF~F}I_x-{uIHfb)u9kv^u#6l` z0y!A8g|Vu?ulAPSKM|bsa);^Y4N9D>9dayavU>OIlPQC~3JLQK!D`1&X}qSzTYU}e zrS-M!LQ_tfUuVPUXpVQUKor{Esm3t_}wJW^#%f>OX>g@Fpj=Hm#h^OM| zxBIkzWHH`s@kMJi{g+_2Tlrxg{s4bNb5TD!*g5xxMRrBV?2lP4c>KC(=$o25Jk9Z>r0$o^=v=lV+)MA;xfD-Po_uhC} z-it-k!ph9_Do-i%z7^9)5vGXHry$jLC>G{5+KkkjQn+_;BM9OEp;f|MLMQAW#-qWHb+|O1^ni^zs&<429xs)ZXFaUlgI|9vF4U-ORw`i;T<<=2RiHdm zq(#Kd;oAjlr|T;a=?93%7D41UddR_R`wz^k`KRB|#fzg)VlzvaUZ`<1oUNuf1W<)2 z!e`{wNap%^oV|A8NzVOLF&gk0f`*R*48T>KbwXwDv2;r|!zDPfS1s1@C}sHz{ALHVgKw9JvvhHT>-I>~rZB5k}Dfp3^Bf zMcu}xbJnZ;nD_CkVPU@&0SSQ@$V{Hf6$a9RpXO*tlnMLUuZD46%>IUJ#!IV;@q@Vkm z`pHGnPW`a~R9vqni6-WqR%H!Jw)JHPv={GmmmyflBEL9U#~6cw>cO%?q26DoGjbB+ zD&j8x`B4&k|LBUif9Yq6e&#s=iEiAaO58M(4Rau9Ds`aKd7y#zFl7@daYjWn3=q+D z%)l!r1%DM25#O*Tn(x^1VFCL~;SIM%{G@U^y(;d;29@6F=yxBY?%#eiB)oH7w z@+HapE1&Q@&Mk$Fz?)+kb4|!^!kVs1YhF8_v;(44N*d|9gL&ZCh6TRH9nQ~sM`c@L zo3N0Eivyv}-=b`}i?5PCa9p@XR|N_p~IR(p>aRT6eb|6eDstk%dgy zhO7`Z=c4f={jnguqNu+mqY(NQi|;_yI2i1|`J0w_Z~ne?8$;FidwU_t&Bd zK=e`_43^y7wJJFaBE&I`%(WohoO_WE@e`w&Es1%BH1~=+8Uh^T{K6T1$c~gX)QIxK zt7;A6i07R{ahc$cJcUe7SN7V8Hoh-G-v@dbyC^aYgH~gYNOgJFB&pObM%7*AT$dle zaq^=mFm{n^j0HsaJx+eNJbG~|m;%3sz7{6Qqs>ZNJP-80c@vd}jr*B^I>h5H{j6h# z(ANBzb4RJ>11HIX`oHG^|}w3u~Y@84~Izkc(d~71V^;Cr7j8 z%xUV|);Fptt`b>fRX5G)uWN-F8yBX^`iVGjPYT!6CgdV#diniClXFG#d{2gDDOV=u zA?ljq?|P%Rk8yq>zo|4UxEN3kh1e3oiJkz^9DpK6cLTi9BH17xC)e9rUq~KX$P@1o zY&j{ekr&$R^T@Z|H9AcE@^oIEE2hItTc7cWD0{+XB_Rm_A3BNl4j+`w99BU&F8xlh@Z?zIinpp~^ItaK+ek6RiaI=!q2 z?1ay2q!=50taM^{R9ues5}x4Dq91Z)gZeR7`~(O_X)?xC;+UlmhWrk7Ucdw&8I4aB z`n6vW1XPnlj?*@sHEk#Al6}qUM+|hH#hpHg&1?)#xm&!J4NgjtlXhC1_cctrlFB@G zB;MQzU=_Ljp%}gCx*tgBkB{)N`s7cw)6wE>spC~w!kyyv1ByqJEzI8W^7nli>d=pl?3@7YM$?Zsjoa7hFFCr@6 z&>VTDajh8U(v`@x6;0Ya$5`F*sA6?hv(zh!Ta;lduo{~OxG|DMb9KHHz=??zSnB&G z&^u5yW|2&C2}JU zi78rBeA_o}vvOXW{d>SB(ypYP_a+wCwz&TXCeFXH3T~o3AIv)P=VdVZ$Cj^R)UyWP z&j6yich0NSat5%10yqccn$yq*1dn=<1wD6(>u;xPdmJ6^h=cHb!rrR?s_D63FYbL* zj5_x}NQMvBlrJ%vHoPLiazI%?aW4#;a36xZ@P)-s1G_;G#>PF>T0h?%8rc99m6kIP z)g9-%BGB99hg^;4^@BBuM&7Zuk$%67B*+%8>kq!~yr$(XF-&ycfK}93eR?6{L-^6( zZKnbUocSA`@3>1`#iUvoS{^@e577bB3(0YaweUXJ#p8S+mcvAy?B$oA6TjDC5a7}M z-F+_^&?HF^w};XPk;qZZzKM~H*B`w%Oyzl^mDAZCP$Ng-LuM6FtJm?Nq2qv_E0Vl? z_(R*EzlJ<5VX&&zie|#+1t@Ej#Hs0?Ez!oHOaYflufY7Q8AI&a9jd3LQu#{RDl ze>MqpZLD+c#gkNOGIsc**+mbEg-r3?uMtM3jwI;ZEU(|(I&AdbdcA=)C zTU8A}lA?|G+GRr_|M|t$1=JPM91b}dveYwA$_1R&1)nn;P5!V*=Vg|7J75wC16s2K zR=yq4;y<+;@XfBNiZ7G-%C(KWe`y&(_`UZ#69I7#lfYung0S7Nd8(p`0f7WNU%P!Q zsrGXt|5kABtrVLQ;q88)jX+_@S!cEOd~f@vBjbZZtH+FjP2yOIQ4ChgqzKOv{pMC~P;=*@aVKf|C) zn`{nKfOmmOv6h{cMjqInCW0CWm}w|_d1)JF;I&UQ{r+sbB0(X-YlvXYN%2Q%jUlB? zUGFn=53@;|$JbaDP6}huo#zJ7idfJ#)oQr>5;NF(x9J$pZ-;n_n>_*&p8{x!yU$4{ zvYL*k=L~%>UN)0)SW=1D5+j;X8#d@pa-(ae>ofo-lNURx|^fyeI6R-On&oczT^kkcFlCx<(Uzj z`lQrh{OvTsWV4B4^JQ1cA69C6!uED@At#|3M$ityXH$9E#h<}6m=BOhy1Aby0KFuv2`O|8H%d)6lV0s!*(mAqDN_8>!TQjvS|UN$h!w#9|s(wihOv~ zxAsr^N}CZ=H*tgWo{)!hNqa$?jw{A4l2ad+jKO1!9tlpsV0MBPrFlMP@QuvkCUi0y zVdL+IP&O4wpnP^uv6tsZoL;h~qh0~NQF{Fb>$=;e`nk-rWMKT4D za-3k}oVWofaOC@ab*2@E259{4$i*PaB62w4bLMak*jM4VKeW&Xn?2n$ta*L6T$NA3 z-LHh9;SF1GZK1p}-V9%(&03?*>aXC}!x+nuKeVCyj#SEvT3h^+p)b&Y_ye&QyjzpN z;aMVXfJql_0W%6W%%3~kP8hiLYUQNG+O|Iot&)(~_fAT4o0=Jj7T(%lAVdIUX`04U z>rZZ-niG=->9%~U3 zpU&D|EnE#>Q%qSTJ341cmZ8lW5?5ls-4Db=cLidWFFaW%x~ohQ=lJ%i+-L0aPu%Z+ z^xkJo)M=}|JV*=N<#qopzz2?EHyu%mbkp61yDbw3Pv7aL(NoM->$TtCwNukA90IXI z@9X!~OnzVVp7?TrJ8j>v^#s#kl;6M5z}mf(Rx=aB8&n0I=;@+RIJOU-3S~Z2)f#(S z|JU(4_cuP!!7=BSiCCCgr}4eC0y;`&@V1oeoZ|6{PUZIrsrnXy!TR=4U*WNYV}%JS&#`QlHS$=o(Qf*ccxBHP$( z)9a8hHcqjI-s4{kQKB=K15i5y$o{(&_gT-1ZN(?^zm*ievn1AxZ0M< z9OTLuHb$1Bi;VO(KZ5kBAK01OU7oI1s`QKUo;97O<5E|jQG2l;y610;m>wy8fQE=0 zH4V5;nyXAZlp0hVl{W218h|^G(2_I*xyWO}rRBPAb>>4fvR!gYYg@3qKMj2s^E+SP zd8v4nZR689*4d8zw9BNJO<{e<I9Hti6fop76+LgMHrOT&JG=*>$A zNW7n{6r9%~ysI}5RJXo(u|0oLqO{=!Cs_0PJkaU86~q?w#xdp3M*SMO0iflR8Vm|k zd6W)Bv$x)?yRiT5>(z2k%Fp}0?^S!apAxmt_bqIFdUy^A+g`w#17Qcw323>K`31<+ zv9gh6txX{-@==4YM+TJ_N`^{+Xt>cd+5x3>Rh7wcG#O1T;n7NGw86G*M$>STn11f9 zJ}zl>7_*%d{BmRdi#i~B)1tn5faoFMw)>{d-eCA9c`&n{Xi7b}Tq&5?IG(N8$r!7c zXMGjPZ)v;MB2BJ@DP>8zloTF{`wqAl7ZR>5;?h)n(~)R;wn<|kyB+Hpp?TTEu=c~8 z2P7F&KdkQSTJ~Dai<6LOFRxksDBzFp+tQ2c7J?7_ny-6p#BIY59vLIQofY=*0xLqD?wn&Gk{iIj{|LI`})F5)(H~_gpP^qjWGu5>Q*(l-6Vdn4#5MuGEz;^n&_?+0{z#)U_pka_*-zo-pu@m0Z5yZM^3&Qy*`@x2%6ax`cfSSW`rq zZGRcWmk2QjsQvW$YFvWA_2d0v9a3TH3qGfS(G!i)+ZAWC zns~s4q{qc!l`Gw7|1!;j26E{5RbvC~jxxC79Z>xK$%UfvJ0E9Oh6pw_VH!k~?Ld>h zcp|j>ZB2WFd2w#1;PfDgw!Y^}p>#Sa_<36;fPI|r6@rKGTa($Ztt8wo>jDG9O7~3R z*sp~ogwZVT)_*$fpI2he~D*gT7+<30F(rWWYQy3gu1h=4w2Nd3m^$K#oTQ2wRVeILdJ(`HH?&0b+x0!+y^!_&C|b zF~82`$WJANGcir$kA~Tv76z#2`0R(pc7Sx>_#?6Oc%XjdBDtv*Qztpk(us?{7UX$d zle%)Es+CxwlEB^MBD^iz+7FHco_o@1m98SdD7rLB&!R|!Z|)Oh zwRPD|BQh$_aED*Oq|NAGHY*EL$6kijF|!<yZi@Kyf| zPH*6LHE6!=DtPbMl0iX?`p51hC3xr5ZAEiJcS42`rU8;r=X{ZhK1e=j)egD`Wq@NE ze6J`ikZHVw=t;=LlLps#R`lf)U#p!v%1z`&g^s_J-6(EiMV;0TLKERT122(>G+xE^ z$_IN18?oF=?S#+h@>WRpWL>hi7sEM?UnUp51GKJ$k`K?Dw=NX}j#M=aG4 zk9p5a*DjgCB0WkUC4+1biI)t;#&w@yH)Uy>u(^yTr)%+c2Fc0O|fOIk%TW3whMkK$_1RVk7UR8)Q5P$YLQr51A+3x8@cHnYNyQG;?%JNXYngB~S z*P&5;1*<_R0IdzlK;0^2RHZDl0U*uGcq$HrczV%Gu<}hVQbSOcFN1fZZ0p<7hM4Ce z-i;S^Om9RgvL`hII8Axie{hQ6t>CR-NAbLjL1fD4(#CX^5YQuRVnS8`E59hG;a;{p zeSzgzktviZa0MLgX?FRs6eY9{Z9MnjnS3f)8cceD)yARQ8ru7xZNwaY3Lu~CBob*) zd_wEmoceIu27gZUb&X|*Se+gmC6N@;8jc;dX&M68cV-i_F!PrwZ%(VrT{h^^#g5y& zM*Q~Q7!!-CjlS%H&jgv-IqVNah;bJdD0#AXO?=Mx6@2|q^ay$wU5bKy8yiiw`Y;>fBG$xILf~i~LNG0FOsdoPun=o{^iJL~L_5MA70+`iZ zO=swK%uUl9#m^IWWln=yRN!F|;jMym-dUf6SJ4eQe!*u8)+{a#Hi zAt(hZNTO5va#TJH45*3wl422E8D5I=u}r>XT42=@{Q^vV*tPU^qjJ=_{E_d9&*j6V zn^ciTS|tJOzfSphm1Mx2<26ynr3Wj&3oWT_8fd=v)p4v+=znjoYnf|%$0z1I{}*HIc6N;femM&h!H!t^2Rwt&XFa}U}Y@GuNA)f%eJ8yaczR5%+Yatw&Cu6_ROPbGO-yu z{h{O&@h)n}qE(Hc0MQwXk@-5K-GG66+0k@agI-A^3ZsVxAaBH^BQyxfdvIod<65i) zS&}^TusqRl%P9R>Q(Zc!og#&xbnAwo5h)JSM!uJJ)Amhut_bg%!J>!yfSFFi(kyNo z`+4-seG5N4w%?V3eY3NYic_762EWL=m67dUh$mM`P4jm>4jErUN2m)YL897!1hiYu zwPt5-!ffouY}Xu}zswuWA7YC|p^rJzeqYHF7Wv^G;}Jv)X{F!u>;(jC?VA=PO7`Aa&Q+jLPv^TVS4taB|5*-r9{p%Oe}^BvZCZD(0iqD? z@fwcfmjCGZjcYRA$QX6EieVYq#1hv>eL5Pj;PlCV@Qz3%9^QSem3vY*r9s;<5Ge&r zTp_`k2vI>INAK09G|5U2`w8~fN219O5kQzu%tZnL2G3_X97f;ujb=E}cSAFXz|M;K z>eM9m3ZNkFo4>uviCx*ib?{C+3O1}6P$kq}v;D(L^|-c`^C-$P|JOq=(|=| z@?UyeUN)Y2z=tr1<8${JS~ULVy(?Q2m=k6<8vgHI zeoIl9RHOE(`%kb0*6tklccHK#sT&V=^n7S8#`n|gC^^`by$*VoDrQL05XA=3J-XIGZ zRx@DZ;@a(fGIR4u_S4qLDk0SmY4gm)49ekzasbCGlR0HCZl3NNmFpTH;4^kvFkT>O zGOe>Uxhbsxp#$k{j2a;r;<6LjLFk*!i@uDmL)u1SN!y|#IEZhc^n3JIy(73Tnrajc zD3E@FUOC&Zul5t6-i`@H_1e;juzBZo8bs!&0wa+B0H}+gJ{_u29Y? z|GR%DFBW!@N4J163A5VW>4+-(vEE6aql@D?LcL|cC<8Y0VOvuZR-AUHe%7+SC5(Q% z=Jz-pgV`LkfITzo8~(G|{A((WMgr5|8&!5!1~K3)`#!;#=33+TI8@4nVg8q5QP%F? zwoiX;!O6rxqO{(i&*}nF`Q?c;&UJ!FXiI_-u7i?mhY}>WNoX>QTH;}jh^>kufFD0D z#}0h_DKNiEt z#!kb(_&7Ej4^SwCQI!PCA8&Bd@F`_h)oZN7Z zY7!0F&J%D^ZJ-${E+`(SSkf{1kMHa&8oUlb+aOi_-fs58(l2y>!|oKf0*w`5zGS6? z9MbzU`j$9bi^EtRN8{`tMWj&I1%TT^7bZ=jY?Kh*z z432%R=NLnd$xRzlX}*kfI6#h9}qj=@K2QZR{+N&!x-6> z;RzLb)Z!!J@SAcJY7b;ZdIuHAr-n=%P5#W&rJ_!WzjQOA zVpS@(geyq@y*vK(2?M%$y}_Mb7?X#eA1)W(4iOG-ZfIvxRwSQ4Uq_~CnumflhzgsF zRq|!J-~II^e1okYzHq|QyW27PEbFgtL-D<>kv+7dJw9gYw$dR zrbe!ln!*>EhGr+U9D2hCS%X1hM|dJchc12vR02vQgZWW-K5z0Hncmh{aOn**AX=fr*_c#xzi@B}T{cW^bO$mV$L7IPb8HzTKussQJ-Y}D8uAS zG&$vPw%VnpnyTJWQsbc_LscTAcU15Y2*v>Sz!tUD^Uxh1!Ngbh4AzmG57WA(4DfEY zkOk(9ERT5($En;NOK(2M(1K z1(1wk%_UhvVVfOHh@fA#l3@qD=U=3YfPYBZ#R|kRbuld|jB58PR$?2*)?PYw(2hOQDm0yyyB?hK2qAFET6ui~UAta&PMY z6q)}uyCMYdC*s;-AF!u&Jp9MdZQS)&#x_)_5$tInpq{_eO83B%UCAZzK$eOdi%LjN zsV&u_GL?11jF4(SVU)mNqg<}Y?`1F1R6@FK0pXf4;U!5qhFRj#_M6on+F=kP>&4|* z0_Gh4I_Om-9FuG-GdHiD8Tg|a@tw+Zn1ZeTo1DCc;7^;3{vXs-48=|>q5ML(OPxUG zSj3i9W*?M3jLHWxMg0H`GrK+`RF1z|zHW-%|GpB-6R<(5qJ3HJKS+>iXk~nwp|(CBZ@5lK7DhX9^{RpKF+C<e5O^7qVxHzR^OkZJEtsMK@nO z&pxTx;!K)7>rdwYQwvh*L;3{Zexx#J08IT+RC zaab-ehw7vMM9##Gjdg*_jM*pgL;Oe^jLF&16b&J_8YcO)sQktkt{RmY#IUY!aVjo{!{JbB|ZE zMi|7qT<2i~alx2m&oDl@8Sej;1x*Wt8Udk4 z_oAeT_RLT8Xm9)#=kw=(r7}8!s1WL?464=METc}KKwXvjQQrQRvEKGq5{?PLcv(Ms-P_C8lRVBYqpGY2_^cXg6 zJ=Cbq=vFw>^0AJQhzf>uz8GE&GcFKX@oW|Na{~Rk_Y%ED|AEL_YCYD1%4e{(eUaM$U zD{FvCP8}hM1D<#)eQ`TuZ}(5DlOZ4ggP2f{!X|9s5!LBqn|=`!V>*gh8mdhoWWJxN zvxT~qjK(qdA?UPR-KVRULF{X|LhjeY6MTGIXLSM~ut}_V<x_@C^o-3uHN8CuRTrb&bTPAsb`U1 z?!~Hc1w6aDTw&V&hX}k*tH|7~M=GfM^NA!AWw=jm2c27SYze+DK7)D*axLc*P{1Cn z)^V6DG8C-{66Xk757nba*qRAPz6z~91bHmOzAL~^=sPBoQ9!o!e2YlA`7x}cBb4L} z6FwOHUwLAsx}#72djb4!!{gU^$HS52dS3nK-Ks~}{TJ&itwEkk#8r4=tT?m8^aP|P zAuonU+Bt@whP9i%PjOl=ot)}s^iLZvgf^Yf6kH?evdVq*-cZLp2 z0N-qQ)9T@9;PX7X-b`vLpAH3PJ#bRCh3ZS)frHw59(Cz>&j~ML8A^5kXFOcgMAdX# zPD4TKQ;*!R^?XhStMXDiPiJy&FqQ9-*B+h_<4VfbX_9O%w}6iNXecAz#+G)Cetxbk zwxT^C;?`TLyWHoMZsb!m@2;`fqu!-*dG>Q6VCwdZpqF#Wjwa{xb?TbCCZB5&c%2q<^&^>B zo2^@d^K{yjPrrSu_0iU3Qr1m6epp>^omb z6+HR6$)eNC(WSa?W!8q2O1W)9P&P$h>HCKI6i&59tA9td?UdM{&t zs;E$!tkVuU)6g$Id#$TYz4f-8Uo;`{!z^VKl62S@)srmxcQ_6&k);A10&G^=)RW;g+7 z`}Eir#sJBjbk`Flpn7u$X~=?P*51ZOoxCZcTeCtbD2U-up&$G|*4{g+$#vToULsOd zKtzgCLPtc1ETxx#fT#$FNRg6AQF<>z2tlRSC?FtR5D+OLR4JkNUPJG_L+B9Td$Z2j z`?&Vr_dDZ`asN!nV33FT&S#ci*>yh~QspWfYU?+2btr?HH z#^vb$>0IwfS_$a5u2yQ$=v%f3;Wk^8FGeiixNvrR{Pk={@7_jtB^G-~==;AuRV>9J zrJINQ9?Xq-mJ0d#P-Ess>CbAHhkVr6$M}c4`|4G0!NeG<0s*gU)$TR|9WLk4LlH5)bMHMzy0_V z*VI@NR2B$R#RRs>YX;vd0wa6?nQ297Zt9bda`h~CUMDquVw<2lb7z%RMFt7z6X-8Ob}3F?2sw|?Sm7I>u0v11ckL{$<_nbS zXz)lqFn%n2BTM&&;x`Htk%c3&m*U7$^cv<8OM;>@HL1QMXSTxA)M#qJU+qSlRwngs z{bxaV<4<{s8{Val?Ut^s&7)oLnqY^#)VGQ|Bd=`k;(Te~N3;=cc#WJOUy#+1iIjiI zJ}@ffqHqgSe9ZnljRGKAJOvv>vQiXYBN=#FEpZ7w)LwqZvRU;_Kzg+mILsNeOtrW`HwgLDRQzGcG~GOv%<7i^)Lo7l`kvGX8PTCyg>W|Jz_mBZU{=|Xz_di+qd;Fl zr$BM_QmiH59UM%vA7GrRBZRotv20P#?TZACEWbU(NEB7+-xCH}#hAINvSk>h;7N z&amFfPK~)|loHAe$(~l+MA}0cKN&) zQvf|lo8-QpG?TApjpuYX*v)UVF>Sg9ANT-GAs~iRhq8qk_@15x<>)T0dOdl-k3tlh zA-?Yz{q!%jbYYmF%y8?6QPV*FA##Qo@UTM&N<~+2B zS=@D3KA(9&;YLk-0CR{BpdQ+wpOqrgzgqM3c=QsZp>YxdZ{ZmKZo<`dS3`M-9E31G z81twC?7D~uE&ahOk_3OyT7O?>p;?kg%_9_B0**-0m)c+Ave|^ntPUqS<1JhPL8Dhm z0F-4i$sU0fd91x^lNacDvi@#=>h#@ct3Zyf9k#y()>+k^dpf!oA#&akHag0~m;mb{ z>*YXYvu+))0wSasl~CKb=djYyUUjv zJ*lPY_s2YSe1&$e)v0ZJWKH&++8l0y!jT$$O@K~Jr|X!oGW{CU`{fJdtlHfjYosM8 za%|j2hcd{k7VvbhvakVF@pVbh_J3r($fk)n^Nkj#w26rjJ7pXet;$yw9cfmB?5Ri5 zoi(CBc5UdwvWU~e`^gsW8(;Zs0>fA%F3eS>MHznkuziL-zyO$^%n#5Y$E^mlq*Lm` zXy}>$Bm^}Cz_Z?VNwAqT;jUjV7b?j%+#d`koaw!ozH*vVGM>10eln?tSctV!Bd(LO zyEw>)TLsWB^Md97ryKk2x^dwG^5RM*Qp5B2ALmehkOX=YC>`Ha4LF6v-VYDf=)Ui- zA2}+_uo%GB%Ph^+xZ>2y21n>BJkS{%Lm~1tk>Z}TA|(IN0#I$`_d;wbJA&qu;$Yt>PmaiDoh*50;OBT6zGnm$EOH{D2h7yj8Y7dLqXRIpfoZ zFQ@fB(Vg@>NWdPC`~gw2s!@!&!#gFfIO1H8WBns3vFKOQ0xoBCWxpjOY4~K*>r?pI zUicLo|Me2V8(SzHXc6>e&F)ifqSr#^$HW?DyUI7^8UI6SGx z);It4CXn)w9SYJICXKj09Y%-Ws92qF7GeJ)KT*C#a9SUlRp07cdy5e=lw>AtrV?AS zHA_T3o&GrvNHeGf5j4xl;@^tdmAmc(if9=uZ9?TCGK6Xw--wj}_jU(9?n&V39JvCn zv|b;pJlt-qhgGX5DzHZ-I^ZPE%5EhsoD=5gn8mkL<5(`B4G@$S2T1avHgMGpx@N$- zI~ipSkU+Ku*Q(Y+#U`G*OAK#JlW*p{!_NZB^(IoA6MZ9{6S(4`3V)XkAd76GhXv5o zdF~5eM-$zTDdW1-KVGH$E$aUn>pzghitcpqp6lO=Fe~|L!0n`Z+qYy!xjX1Fc}4){ zP-!c0inm7aqe^|5n_6$1U#a5$ZtwlZBwpxstF6dLP@FWx6(3C_O5tz~f4_4*rht6D z{*ej1p*D+Fu4e;u0c=|D1Z{cL_VXTqQOrN3|j&-fjzy@o6Mb21XnE$i|Q?fpR& zp*zwf`>c5YP8YV$>PM6C%`;VsLD)TdWA_$>$< z&05mp=O2UDSFF$lRAp$pK|_x>Mj&r8s^WxqqxTcI_pQ(Qav~yj?tJ-RS7A}U-XoBZ zyC1Nbp!|&!a@b-bb@o<=c>!fA$U9Y}jc997A(h@QPoe`!YWIiCGvdvQht-1m({50-yuukmpGru3i zUoH3Eq;;Rc_+LK~RwXoj^9*wix9~a{w?h?i9kbkV>2<0)J8JLi4fOT(W%^ICO7T*V z*dmXpF#7&JYU%!YZK}NT>)TihFn9$RqO1mat8jn3X(Fy*A7S4984;oe$JHksw=~TN z(bCk=)I36Phtgk+GvGT5cU;)JrUGxwrX>%fllTHka6HLlg9RH5@k3U7rxl)2iZ&Ey ze;Y(H?aXUAAa!^&LVt!D(5pZV(&X_>chtCrZFJ?#6B2oonYc*&ONFk!zDE9;MzZmJ zz3xY~KTQ3e=obS)G;lPm9Y;4pxa#Yp*aycNZyxy9XYa>^kWfrNbcX{%z z>8m=&?N&;+quEzaE`PJ7gDCYJx$W;WU$ovRU3^*;;N#kT0lTiw2W+Q30e8#{?0iOv zh*GxC`z9`1u^r8w-17aO@X9nbwZpn6%b2z!moCo?USejZ-BaYg&YZs9>)CmkLT{3!UUKXnZ`+w~M-4ENI1 z-4>93V=Fq=Kx<0}IRISVLzZAXpRA?@{iH}>*6O^DEor$)c z%Ao~UiPRO`zs;~C!>Yw5kyfiNll8<}m3gZ*7}p32jco%g_iWV}!6Qv}tVwhgvvb{9PZtkd^;7}5L~3Ef*~mFHK77D1>rkh8og(=n zd8H9rf->UdU4OHN1!24Cym05-v6xulQaya8N&+oCd=XFK7LVk+s5_p?UkR=mv6@8~r+u}3$>d0C_7xe#BY3}`1X;%4RynovZ zkm_9ltmH?Vtd9EQ*yOJ$Qy^)vhl(>#0~LG{T>=#BGq{JoF)9ZNr?5ec*$;(z8{O;< zo5K?QWLDjgNetpJJq7>QsM}F9nYQ~4G3hZQ-U!oG-b;z}4zKLmbtGQ(#l*~o=lLaT zvJ9vDKJ~h7pLTX=p(!Em{;f1I)R#>IEj^UXm5z9cwp8qjVdF?&*tN{2Z+hsTyy$MEa>y80@{NL6 zVyq|<3r+X&loh$;m!!@qdV_%7S`(Xl@`pGIvj$RWwng_{OjQ9={Xndd0(B5?Q~WBS z`N7C7t|_B}I<@j)k4>x{jf_1ir*P(SdQ(@T$NtyiMYeLI@HrPgMbA0zA1_RS!c!nV zk@w^UrJG^YhUNN5QGpoDODWek5zFd0^f^;#Md41S3g1rv7)@W?upo1J`{q@U?3nsZ zgQ^P`>?~*X(E)$*&d>0WKsEV#S>5bGeBLsPb8Y(89U@kgP97UYXsqbeUW;~viKaWk z5)<%VY^x|b{-vbXwj@Ri|D4{sHX+;BB|NErcds z*eWAQndb+~@NJK<0nUe+$i^YApfq5|oW>`M-MtlT#)FN!Vb4*#(kF>5M8MkVK_0jV z2S)jWXED)&+~&Er{em){i~5>})&^6Wjr@R%ex%wlz%wlcqFJ&n5}@wR8kmTCQK}nt zWxJ&^WyVt0nHop*bXdfz!848vPrC&Yt-o*$TE(O1B@^C@#Wi`qAJm~tA%5W%1!8c# z>qwcAOJ*UhJl&Aee|H+1GY*KrRbK$>Z)X;rfZPIP4hX?iz*OugYILpe{+YFaWZ=e7 zDk{%q@YU!-j0rWf47@NW&#{CTAV*9ftT<&@;mseGg$t#T`{WR%%{?8Mtz3$L8K|K+ z?fO;}%wkWGon`lIwDR5Qu_p6+qQ|CKv(w4JM3b7#(f64fJY6oAhg;6X2QJbq8FpFKW(|@(tnb4c63v4|QCntO72f^|0b%ZLd zf4(4Lt8D(nku>`L!^QOvFrG!tGWIb)>zE$n|Sr~ero|G2K3Ynp4KR9rtSN?;if(t6cNc1;3MRO2-g}A_Yk;fuIn5 zBu%^A-BT!R{i^TMOq>jESXu_b{X!S8`hRC8ou@_-|!I-vxUxCKrSPU~#sUMW;VI z&}-vj-np=ui9B8JmR05@ zS*}CgG7;iT5OpC*T!Fd{zgY`Z2DKaVNg)AW(DffCVM%wt6&N6%=u%#=BOGocTVbI| zx-IC{2*sgAlwo3_o)o+nbP+KiGC0C{1#E4W+U|v{ompWcs{EOm56l_ z!)7zXKcbEJ?rzW@lLGy~v)q3mo^P9EA2>zblT{;p-6&L;g?C|w&M2ew*Q?y8W88<2 zvjeN@XWwqusk!TNk<~ImBOUK|?aX?ESL;8sO4Of+(;!1EhG?S+z`R5!%>}MlA$Zgh z=9V3p{1`dheT4?ZTSJ4rRoR~jbuiTW`uw>{z|4==#xEW`1Y;X}`(_2aa>N$0R10{M z1A?1jJ9;+jU4)0J{KZDOx12w>e2ZE662Wv!laBKok&C@uweJ&ZJd-8iGFP0hft@pD zl`)~+TJh>zyYkoEScVv2@La8zwYfZrEiI zY7w_L^q|2!6BG?|_+p4yo-gk48(%+O&9$)4Pr@6x^`yDZ4-6htBCUoe6P`8mBPkSX z$2~S|W}D7U!P28$46q7sgVv2n_zCN%`=Cr8m)ho<)Urm_B;v%T*Xi=;3l&!kQe9Rr zU|erokP#jKzNBlyWB6u9LcH47SyZ8>npBy0Wn>&{>}_vg$M^ybowt56hG97DJ8# zLmO%*bf7kZUe7j%3JZ0*Wa53^!7;Def1f7*GurfMiCZ5fMy{v7&nuE!X}9RM;KvMp z?#$~{wx60E?R}?Mg#8t`u{06)l1%>AXDrt+iA{FDgpla1S7T1sdY%!TT!pQ4J zCv!n0t&1K3TSz%&!I5Zd1FgI_&!hpontz!1t{xu}s#zHpiWkVpx-4QzWvG-=PcJbj zF@H%Q@v_c`c1-F83b^6(;oD(wu_wi!I!sf44Y4oL?*0+NmLL>PFwknwB-9V6`at%Y z)!iTH$nJ)S=%Ap&kr5)sDasFY5?aB`3)wxhsh;xb559@Iaticxr#|I1WR#Xe(J&G53!A)`pD6&8O(auAth8Y z`iGBPN!x};T3;{nbXCGS)HW-luTpd@xqNTLs_WqmwX@ZEk8}I(sofz1wzLyKk$l)xnvf3+Pc` zDrltw#=ewvSL2%sWxLL?y-tUNnr z1}Oiofa%BDIzS>Q0oW_t<2$OfTLE0x`At?{^-@McBwp?G26utu=MDfzGiDShU71MG zD9jK_ka~4yJ`VVJW9)+rN)NA>03j?3Z{Gka__wRM&6Oz=u#AJV#+DL$ z@w`hL8N^4r)fXM$@Ka&GwX4i|Xetl0q)El zaK%t=)pYu9fS&BCj;@jWNmhhI@z`5(@8*NGKJ^EB)TpYto?<}2uh0{|S9rfmyhx*b z;SLNiG(2fLVjM}92c_K#EGdcD?3COAd_Vlpx4aV^S8gtA6n?5de0LEDszRd9y6e`5 zlfi-<=h{SdiS>48{3Jl*0q{q6i~W+~T{ni!Mjpjk8#SQr+jJa8c}G*Yt)i=P_a@$L zDiV&zHu>+p?eb?sJWoX(_%7{5?|}2mH%rm>Beyc>Y=L2-Yip8PVd+9_mOa1QOZ=TI zv{nowja!8f|&~)NQND!UFKv7EyDy8ZFK-w4de))FrFQ7QQKF8=v6W z>AsJLKrvuHY89Uc%|FnUyNKy}+5NoQR!vz}^r26K<5pU+rw4FLRqi@+@_e)q%1ClA z24stKT!+&bhxbQqG<9cCbIi6C!-45tqs(>{U)6R@9F)AMlGYA$vAEbvqceb*HS7%_ z5|mJ6C5B28axbEDEoX?Um;OCM|IwT#(-Sww+Rnl$k^gv$7~DTu0I;K#-DIuVM5DX6 zNhIAGQ*a&WASK&%nH0?7^WFT<)KU#T8Kg8%kl9A4MCsk3+EPwF*HS1Z@Wbm=y_ngy z*p&v5JjyV)Yn2`C1}zob|JmU0JA(N(odLjN6^}$R$gI=Mo*B$%*hQH~bX=b4ln}2^ zdCm=Hnu)oLDUYc_eT$v5TLs&hakRs@XmM*)Y;zA5MYxv`HB-e)mOs2i+FkL}LD zPQ1)VDv)&=$3bbpCH__UQ^p!U%|QkO`wz~SCn9GGT@e{RIzWT7m(JYl>Q4jO;A86y zXFHcnJN0JF5LV0nY99P{Xm*SQhvcf~1=Zv2j_^?ed!hAk~dSVevJhueM+%pr{G}NI-S)v2nu(g&n zrhc4pis}Qgw(05;Uf-O+U26eD7H@vvIo8Oa|#|3!^2CZE~a7=Mz?+7CJ&PjH(Z~Rr? zB@h#^BwGI^fThqT6{lY_h1hJIk+c1&rbNe|RfN;GaVZi-Fmp|5F{f+T{WEd@?ZBRQ z5PwN58rskH`}?c%$s4qVfZ80zU(7M#|7MPPZkLIxEYTvizeS^HBB+@izIF@qrBf@K z2mx^#qkDKe3fGeLNND#ll*{2O*H92m+Hp636(K-D*2iU@F8bMOYX(z$rh)_hSFTY1 zQ|sZ@X!sq5@M529{*N>YXF7hE!=A?V`^u}E)cy1=6*mw*QxRCBHGxcybN3Gn+nzX zwUllp?*9hq6i}RM%|aIe9P?gv<`aIIg`ItUyFxAPSEcmYdI>y5j}YGPbrKF<0H^!! z5ypP+l>IpsX$5U+)(I~%|%gAWI1)f=#I!5xyB>YjXj>`(1s9hk7#cKU@;zX5ObjjiFi zEG|IxY7T#uV|cJbC+eZU%+c1DD&xnSDo?s+6+*_?q~^^+%dRauu?oLr7QVyqQB3D0 z6Xqq8Ql|ZU^ZIS#EbRfJdtUK=Qo0D-Mi=Xx&qua>ZTw#SOX}kaA;8Q#;a9d(Ydk^A zLlYZ^%ZiraY;Duse$}=IhyWjEcdZC^b;aW7gO6Ay7!H~o$2Y(aL4L#|5g~4!EGsNE zoY=c1X@9N6Rt?XpOTSTZUA87)t4hkL=ncv#=)RNlQ)K2O6q0yYaYd*Y*jP3aM?_yZ zng36S{DELO5u&Kzk=cnm2@K-4`@XvUei7!?TR&d9Kd~HBsO0g{g9r7@q|$Ek z_WtZK7SF()H>^S|LO7`Bt!7wTl0XxtP)HDQELWY5HST|uK_~0SO6iQ zCB_dsvEH020%FjO&TiA*rdM&@&F0AF*uA#f49O_rAuzR$68-}Q?cY+{-=E^@>{}FW z4het%lpch{g>PyP|J2{j`@Mfa9QVdGCq-#KH4I(VWo8*R?fn@6qb??FEKS6w+on_H z4GG1EwaVL`F~;2jkm78v`i@l|zcpP=iR!94rCZ-zLc2B108o)#IDn%b^EzPN` z3ovYV<$dwQsJ1wf6#C>{FvdIydYe0QGd22;Fd-7S%|}_-#oNx;CT>Jaq`0+ugRJsR zI%67{jN%vnc*L z*H3y@6SeBq8>nQL8^DVH4spe=h1gEn{XMP!{oDWbD&`xoTbj7)d1SKlI~okYs1I|Q zSK*W4q&dwN_968gDH$C0pB!J@GDtzFo(-|j2(*xS7zd+#SmU{8jJa&1@xhbaUe@yp zSHELK2(;VZVlCcW86tnO?jP0|~!JC9qN8=0(V!N;5lb|FwDinqkj#*8a)mh7O z*=_hJbf9HD91h#w(vq1|HjQqo_7lf9gzdpR^rb1>s%fuNyaW@cV-r@4Uw&T_{)c<8 zI^-`r_S!0_{P$UGa@w^YTvO}w+kSB7d8))~ES#U498;L%`EW}XL)HAPluojO_UXDh z($@9*;h^Gdx?pH%%+j@ns08C5WY&S?=Yi0@KpMX!XW3_*C(;a8TEQ?}u$7X3auc*@ zLAIX^h%&{ac>%~mNRf_p8^a~RQB1RZ!)-QS;V7sR+$O9;WwVZiorDS|8tu&mvWb;Q zk#<+ZeOG_v0*OreHK%hm>I)sK>gvjyEJD59mVz!o5s=W0NTgdY1kWr8=e0Ol7)n}W zYG6Q&?>YQG;`kg6ppgT8-c&ne|4lfP1v+oG&&_XoTf(5GQjIglPxv-yof=*UEj(t^ zbh7^LU#Do`kdP;zC!Zk_I{lL0zwsw*XGVAKp|YkeDE-!ymj5c^`>d0~66Z_^)z<2Fz_W)!>6|i|fWS(Th4P^Jcji{KXW) zFZPgET+~!GkDPEVU6&&BfQ#+hy0je}l zQ=0Npnv|va);=3_=}Pk)OGk<89o|n5%<^HajYTkV0rKtYM}dMZdrLP!%mV??qe3+{ zfN{bLTDaBLrNvKn*4h;#{&UjbBD9py!{IJi6#FMK{731-t9sCYg&_6mYwd*=HX$xH zPfc`q5*}M~W={v_RHrGEv$rnRJDTiamC`#o0>JEiy~!GC7Xi>IFc1R{k1^&?H2yRC zIpdso1J0n>JqJjj-UQAuiw-URsC{o%F`kFdWIpZ}e-8u!8S(iSV%2vCtbgM_7B|1= zlJ}P`fNekiJ&2;@s%a+kMQujps+m`8e8j{bZiSiK2TfhK*r=;#en^w?c-1}-FYI&+ zxf}2pUSAj07&~+SkutI|wxBacH=uD&xk)mGP*m_lI8QmRLD_)6K@({m3BbT9XclHP z_<3c{YDq>7A}=No=+&(N_M8tRiexA;OfKcfWq(Csis0Wv4U=0;q=2k6n)w&)nn75VDb zDR8aSy?@>4{Yw=5eiDD3!N>QE2Y){dIhDU?KF?8NBg_Qu&%;c8fLsiPjO3xB^hbuo z&uh!Hdqo9$AcA>5kDoEEw{S}QjF@oOAiX~UzLvehAzIu{+ejhX+a}t@CuRN0ER@hX zU&lSvg2LdxrLrNuC=1W0LW_e^CkzGXcz(8*SCedQVFuF+pvm5X@IG-fe~{4dvx9Q$hrfF(!z`%Ozq zBIx(t$qVkDXEfnPDoCP!`NKP(0EGsolux_6_Q4ODsG*-1hOP%oz#ESw_a(LibOUyS z02alXNV?9B(Fa(X%X~d(g3d?YA*GOJzH8PPEg`eV9%2#T_(RzrwB6If00XFGni04i z>D=6BFQ31eD1rhAtCz_^?ZM=VHWcLsg+_2uzl7>2knDpTelrK882|excL|q-WRUeW zG#a)8^^y`>ny2`tM<%$rEMXC@b^y^mP!N`Y&tf>rPh5-!tv(p&$2GB@l2%my8_4S4 z!s7Q7LD9ZNQBUc1pCEYckN>G%<=DH8DS!>bfiL+SskFF~y}$Xbx|`SC)vRWOk6z5& z4-6(Pp@zD53NVV6mI~KGm-aiNDnRBym^Nszbzqdfn`NJ7Y2&WJoqMg?Z>11!38XhW?&1Ny6Rl-rvmcuVbgy^O zHKYYnQqti4e(|;sDT!7Hk#2H0qqO|@|MUf!vm}k7_rz&HuR^Fi9DZF)NAb4F#p^*Y ztmy+1oJo8oOqQ1i>YYu6x|=U-Q8-w{3PARkw&h9hIxXXa>&qOCQB+RD$$cGuf+%k# zz!TOivB~J!-FZGg<5W5}yrxaB0K_2@H2Mn50o;&>K9qE}c72a>pMW4h5F`fy>uo5# zVfJm2|Nj^P0^{lj_Nh0o>;Fy;Nq$8nc-zt3>j#>eLwWmPa|$OnML

dtQ>lBil$N z;xW3EFvZDFzW)ie)Wh#L1GIs@gr#OQe9E1lNcV)o8|SM1StJ;PbU7jXRaq}s>lGuf zNG&_se#J#NBv83F9MM;aR}t>4Xgycz{7UEWhj${0R>f}a(~nfEBZWe2k~Y_pSj>~s zOaCxsr9EuTVtZ&nowvIifTu(GC7UEvEG;=1vsw*((wFV+$>POr^_|_&S*?u3eIfV2 z}A)fKO|2I5RT`B-+I^;i>S{qrjl2WfJn}8EagQf156j$ z)^CLRm!3k~kdSw{!m%dPVj?nW}% z8&d8q-+m5nFOsM4G>B_b&uDYFC~s<#kSNkHp!!izZWb*9;?+=_*OAFr=+fO@rgbz@ zLC%;cASkW!-z4Zo!bbK2Xx}>Q!Z&#GPkxj%GKdi}pPul+hE9@UJrgAp8HyE}WO}clqyI zD@*yc9%1~RpyMCTh_^+@qk@;S|0MqUH;i{%seVgE$@E-PlUnQZ^PbbhX@t^@a-ini zPm)2(1o6lA8Kw&AbYKg_xGsSgPPledqjJ4R)giA(SEhn@xrYORdGs4^t1U@)&Q$0u zdM3+Eb(V0YLYi!~wI%UpK`vqLxnZrM14gM^6IS5!FjnBkQ4XprzV&@L`Q%u1 zr~TL^xyJGK9l0rBJXSdC_0AYiSmj|H0qhF(v6ip&A@k{X0{!3d#86S0bRpJm?3E;d3fSECGW*Cmj|uODW{edWq}8tHmLI5cSg& zsBP(+^_r87#1RX9?z5hzGhCuueo}|*iFI*rkid{HBLUdvn0{smG-UBP*d^jA6#S_R zh+CU;B#JTaS%E~6^a0@t72aj3yN1XkBRh`L4q=tTK|O8WpTff=04&d-`SKPmy7k)O zb`vdeDLaAycsp6y`Ho+-K=W#L6b}xNcjq_#7Anc3!&6HK(?mSqio63)gD46afUp?U z%T?^B{YPXG!(;C+=2>O1(Zr+vb+W&xXEmU3IU$95g_%4sg?Ld1zDpzlE5>k#j^I2eBb@*^0dr!(%^L8T*j~b2AJ@c0xAzY|1je;j~BKE_~t1d zOM6uUN!f#5D_?=j?}h>LFL_0ZOpmuL%)35G%;yfpp$HP}EIr*?p#UCQM zcB9STA|z2fU#Ux1Pe^AfRjxX+~xUXl6GC27B@60p16~kY4RVUHdExeWJ z;jH?)7v#*`P*TuHz}c`-bfr>Fa`|Uw`y|bI4V!05RVe5@!lqz89YEV(5ql$9w|ud0 z!4Pkj=sCgWx#qz9z&tPXmdr?*^RhLw&94vZeO73)j9f$K7T9`_0NUcyR>ueQP{sO) zNVk8ABk4xj3G}26q^@>BNPLrJ)FnFM4vpwdbu}ePB0Z&#Lm~TZ3Nq(G`F!JQj>o|s z@9a$#;EC^!y(T_Q!#6B*Fkz=-;EJ&+@4(SV7XwhhwT5VDartIN2X3ht-r$g4JZt0+ zdZRA8S14Gv#Hq$$FhB%(hb=iR^{b6?Zl7;9#;pUY`IrO9VK;m6JAF@)^2OXr!RzJX z6sCSuq7!#%v!x2{?7*_;&X|@5aZd2w7j3!S?30xzyZQIkvQ8_k@`gTMe!MU)wqm3r zINWe7b7X$yQP^|A&}v}8WsZ_L`)-4Ar&+};^X}E6Zi%#ZN}Y2uFP_`KM$5cI$4DP6 z=-Z77mG2eq4Z;R(vCDpN3FGS&&#XveJs?r|cM49E-YP9U24i}CX4*~%*Uvu4S;+$} zY|i{sMb_W1gO|W`3n27WMqnlm|D=4#%)-&Q6^Qo(NW2R6QP%)$`a?bs>pWk7Zkgii zjZ42#`sV8lQV4$$`Uu=auo$#-Oa4Jd25kh(U#+F|d{flvy(VP`#85SxVFR!tC%0EN z{$b&?8?bvM4r^-~DYRa`zySE(OB&Dcy^d5k9*e@@fK_GK8r~&zAOg@IX*Ee!Fbz)F zms6j8)Gdj%exOY-X6`6b2ZTwOP7Q$J>AA(9E|v0IQ^e{0y**;z-CuLK^9?rQ&Iq&M zdKC7Qa)j_RR5g1#r!V`Y%xbviL~1&d%C05C=bUo*a4bHjaq)9buR z@5+VE`UtfrrnSs=zl3OSUG~+Up2|o<=ARI5RKSkBqySOfmlC02eWKbhC&RdVMh`jj zvP<8J0e%{#*6mBexW20X+$d#wHSnP4Ql3%q`o7d(uE>M1cP{i3MH+Z;V0Fl&>QU2z zoVA^J|gVu}cEBe5S;d9Yx5&hZFiC$WP%KMEwWU`8E-J2G0HI7MWw zZ}TPMy`I%Zu(qp%Jlbqai_n)Y*f|Dt#8?fUt#9r#@(r`TYu5mXYW|FJQ||^9sHJKX zH_o$jN&vsjf^(A(U*GnglL*9od0;Lyo%x+x>-7UHfm-X*bM@l-g$Y#J*?4#S!PE;U z^VBaB`Z>$@RXhS^ul;ySyeB(!z?OfTl(}#aiTD*Me>E`(emCV^L=V;98GyzW|IGjl zqv6EPq;QG4f0h=456_F{n^0j_BMxyAnb)yt z=V*AMe(xw)q~+HBQZP6_D?AY@if>{t${h(>tj7f+hd6!;LYCDq^mK^4E|ae1ov<^= zBcOJd18VmHqNYW9=NGACAI(#Y?RgQ^AZ)aF*jO{puF_R>tK;2zl+;F%uu0r}&8R-12SLlcl7jbnqLqBpXrYSyb0$66giaE6@0hG&YtnO-XrNVUj|g4(J; zx$(rmC$9?dtG?O##A>M_r*)mlM1bx3cQLm|Gb}x+3QT=lHDo<3UJc=Z8GO?%CvjC^ z49LNI_IM*zJfc8HwN*VtI%8pomN}8pQz$#osv$P-x%!#01~o!};Zml!+`~*Z>T&zbV@qeJbG;mjEL;D^4r#5wV4E(Mqdn212#RYL8C zEH>*ugS&Fy#SV0MZelVL-8p3Z_NOKY7eDGr5Pm_1QCyF7J-jML=3c@GJn01Rl% z?w>4k7j#NmZCJ(|lYA@0h}@(GAj^K#tZ##bihl@JbU%DCxEiRSaG0{#)0CK}Z&&$^ z?Lyc2J#)M%2Lf`sc0bMrH*CG#Ak`n7pxy}2p$!O<(Gmb*gbc~-gf96_;Owt@En}K_$WSgBVrHgW7SjOlayhMq)RMx3=))cd{u94%#yGzCx8J_ zr3wmZU^?yFm-=V0$u;G{**+jWGw9ox#Vfis*@zXq{A66^xcbv{(|1nx_MS`l$uo=W z*y<=cjChCj@SAA<*GB-?kC{7o7=h*gmJ0^DIM3ov$T>mv>nk2K-6a7L|Fu$ZC6i=7 zgTA%!>{)Hnfu!26gfXaF0%8HhW$5}fjn67WI$pN*bfnZN!)Lf3Sn<-3`XOZNL8GOn zsc0CM`t8oaVWV0~FSgZV?b-cpK9ja)M}h3{m9JxFFB2`EZYr!5sK&tt>JmrX*E?o5 z51Qw4dBm?W@27?CYOZVRR$8U%&h433G~h-@A*ViNV$gH{4zbOO7h>g$iQuSLZxc)N zqGv=5m9a^}pa+Ls`t~1=PO(-!#yezAc{2shDUjBRf+}0DQ>(L*>bbNVc>j&0rxV^1 zv9UMNsR>{t97|31Bz5d~QECWa(I%4L4Ll*o? z#|2;RK$%&QlNws1g+H?* zt5jdo$!ww#QJt$*sY{!w2*cT^Lk~>+r1uxGV}9c3gx}-_!|$~ZDM=c~)MUY)a~rsV z9`aFJQL@s__%5;sjkqcncurY!&h!?$@AdduZyT9Z;M#JUSqMb6f*Uu*&kqrGN3P9* zLDtu1*yqgRM}^I3S_4BHcY}OckG7RE#Agg?0oHBU6gs}WXBNe#A+((rz@K0pJ`LXX zet0`1v9^eRA;1}!uBgely0e^hNjb^Q>YKtvaNig8IdMmT7g_sF6NRpLyBCW;tU`_; z{q4&Z@!U=EiA`m_C0WcnUJHvm>51DU6Nk7!yDN#Yh2VjXj#5Ub#!h#tx`-~ozN4{(v%0F+vRj&_y)#2 z&r?Mpr@KzQFxNe*7TYQPOh%rUbvCvm^uvtrqyn;kNVjry&!JYm19ax*7z+7VG*xAL5Nah< zS$MYkJWOh>(5fbENXNiMwd4H-^dRBw;<%M0SWBM^zOR*O;I^H%=V(qtBrS#du^cwW zwVajk#p}+Z7_*1%BRZ~}sR))EcL3<#{0{)dJ&AwlHqzuY7+h(vmE*jLl0Me``Q*?U zT4vQjY+ z?+>ZG9ZklxJG<)A!)T(V#ohXP+f>z(AIsDy9ehd1k!ps92z435g5ju9Uj6+J?1`7y_=}zL$#dal zw{a2W-H8(b5InF}axO1Yq1HU>QxZEt&Ju6mGJC$Qo{_${(^+*}Cqo#GcEL^F&Z*kj z@Sws8Xo+*MV{NtdTtfN%ZqIuL9O&*hpYpi_ng`*wZ8ol-el}8GfAS7sUNbsh{k5sR zF1jq^Q${T{vlRPo;wygBYK~iM(@T&CaxTr$z->!p(yZ}nu3K6F>A>rX=+%iZG% zWRu}??1oqOx2GB!UL8e)Y2wE+Z@ZIgmfvYl=l~WyASz>R{7E{5L}GraX!Gn!cm17z zXaOucNuRe9^{Fj~R7_rUE*kSBVZT%|v}Ic9oo-x3cDQ?4Up;Sh{!&5nWk<4Sac1@6 z+U(Rarc)7Zx3gwftL#YY~GQ0sJ3HhQ+;Hdt!QsXA(K>BajL&`t^TAntkuG{f$WAxhMoG~9Iwp(a$<7L0XT=|u| z?PJemi;VpGuK;^LJjfm2x8j}wsg!RUrz}YgJHQ5BdnKW?LT)Wzq8>_3zc#cRZ&7h* z|D+>+W3Vx|bPhK=BaAKyH+J9FJ)9L2_zfK7GZnkELjT52bP`(Rs2vi>#pBbkNf~#&J+fGt|M+2PBFJ;hZryc z6cfSxIjPqk3dEY`$oP=c?5yBIzJw)v347(NZlESG0md`i&SZ-jKiH5#=W*SPjaLwNpiTENll zK0gg2&UT?_2GAX)`QC*Jc-S?eC(Z)oKg?E_RE~c$H0X?G*aFmRW!EAy&9}9KJ(I+VZ99{~T<3bp|XJ<_WS9Hl5LtIXIJ}CI6X+ z-ixQ$u1$E=+$+)caPK;V^qKc|3tn;wi7^x zZ(J*hHM|n{rB{OK&emoyABN5xvJrXy57RXXSMlp{3!ZFgkG)WHxXEyT$#y^73}ib@ zI`ntF=2%&pJ7xo9R;huhNRxo>p?8xT_BI0!Jo*5e4fE0rA}?N3uiaaf%Oo>GHHpp- zs!gm?p_=0Q_hmqXQ%!*m)Bo!kGpyx}aSv!X-{anpW)NIwn|a?#eC~Ie*s$AS*qyF( z!RUvbZy`!}EJkG&y0B%#$Fh{YokE?<8h zRC-Q4&=0#~YN{FlwSwEOA_{Qk+0k-P)_kSf$VTPQH}Q}y6q6>eV2u5)4QovGiU z?&*hlD@+5eLhcGqBTclji}mgqCb6{$?c6)%+{=pw$&eiBL@nUF=eG75C;Vl2aVB{y zWmR7h<~2}_f`zn{v&%`OoXF4I72n)hgvw=2R~~}S)s$a%$wG^6+n*bF*U~rk(W*P0 z&R6!2KNZL0kj^fzoE>!czU%Ht4bJDZU%W70J&zVI+T=nxP}nRCAaZ$WuYCeL@qny4|6``h*tEmN%&!QQ?nd39M8uC)ZAN zDUSC3*3}D?jGOG84x4fNGd;j(a{Ap>FiEqr`w*h$`9riTqd4#uT^)=d1mh;K#c z#9g?pF-1^<4)*nt(qL8CTzwJR4y^g;Khz1u=Q#_*RjYK<D&z6dTSI8@Ufco+MHpsvcuoW%GnJe=k$g5#?w) zwoqNw!a2n@la}Kg{Jabyl^16+DOgor^UGQe+sYiZaBa$Hs^}-nNKue~jeg%vx0-)HIa?FT@|Sy|?uRR5CO1yr<4b z1K}pAsRH?rdh)g)$v;lrz|Sc>Yq>RPyoaLALV(`oIh2+p5wK67TaH-B5Fk zUw?Vg>tAd;VD&mPxBK3I@(l>6z6J@W-fi3N^Jy?ZQ;d+AOVY^@&5VvC==}Ws;B3aC za%$x(@M|6LYTnO=Q-H;@RnD|Eo47B1bwJVNXM ze9$!Z!lckPN{HYtUQTMjivLb7;nLJ63=>QOrjJ8$;%VjI{rSwb{?06NEYKj%i#e?i zraj({C15cz)rP7Fm-xN!zY9H?s+Rn&iP?`JBj)q!2zrTO&a} zb{8*NYEmf;ksDt2f6cMa3f8{dO9`XX6rqODDoE0sb5!PJN+! z<}0*F&A9P1?&NNE!Jy~v(7yRnNOni0ov(wp#x}J_+chMg7kLd_^T8veN5W+qr8Wu= z-b~eD{1rAi&X|!xL>gu+Pk5gTOx-ZW?#tA9pF!f1*>r*eL_SO=<_W`xmR`oMzQ{8@ zSXT>K;y3E980GWMI@jo1*I%p-*(d1^76r)%bcj9^Ta&lPRn)uvB^4Jvtr(`-!si}@d zmbFR~wa3?EUtVpgcLW<*p^TzN!V@(@dF2*dD4<}y*64&6Gdv7#W zkqyDK%1mc7vyxF)u07V)MM(h!EL5d;ijo`;&+qb2oLX3@cQr^($4mMx88=9>DMuIT zyPYJA8mN(DJ<6daVKju~ynt}4T6Faikc~YU8>>6=qT|qhR*YFw)x@89SGO>RWi&pA z>)Awi%!dMsv<|OhyNYd+jh8`WH6CsJcr|gJm+y5Qmy#VxU&%Ffgrf6swC1}ncE3^j zGR6ZwlL8*?KL=UEZq=l^I&U}l>W~Lgrkw5gGdC<~>#&F!xgtz3}H31UQIvt69a8D-R9YY~JVUW3cE zyX%9$O(6Y`kW`JzyOZwDduN*PPSqVMvzMC~23BOk{`EP%M&j1sGI#2_5Bq(YdLSZ) z;^a4C2Aj+m$!BM|+cP5D-I7HT*nk@CCByaGt3glXkks8G2Of`mJC)B5QqIGDGcVv@ zeOB<*+s|M&W?J59VGI*9sj*$lbu!Zi{sYDxB9&eooVPyQIaz94Ek|izz2?K=-nPfU zeXhqu((e}kYi!OuM0Vpc@>__bj5n`qV+`cOOYnt7|Ao9JY(x6uG@3A!JW8CrP$Drcl4EwA?{KL^_fd z=1%J}njh|g=!P0^PJf-}U$xt)<-nVFmd0$_c{DLOchJjFGw zC;0kQUXCvXXUk;x>$5Hx`D813sVH|uVPxVG*V>!F=gIzk|u#4k32v4 z!dpk%p`EhNZg($?<#U>?t@fveJ)8Gx_pt|m(u_x3FJ2D7z{lu%Ib6%djbIDcE&Lvs zi%Ouns<$yY_7jOO-$T}|=gOZ~ggP6S1lx{^op=w(cO)$= zAWaf&>I{W?odKeWeh@kK-3P;$r{{u2EN=+~o$)^h=rt0A$#g`jyYFoTo!d(JfvL27 z=Y3EYua3&%zL+I%zu!NVWK^=RYUP^}=O{!&2qfkHq)=GUZm+k!Q6ZrBaC}%CUZgrA zy*>q;){inLyb1f*y7=|XmVm&V1RI!+u?A_)0aCK}CdwnglgPt*jpT-6u>|13%Vqp} z>m_r3JS%b>=M;m25iH7F2rgHIJJt1g{Ym+DzB|&pikbl29r&p8_CIkT#|3fIsUT~P zw8Xb~Q?&~$p`nPO&Dm9Grx&r2E`B`^N@aqERXu)s+jgbv<)T*{I}&gTMGKjPCNV)| z%f0Vp#cJawmVV;`1(8Z|+O^(VjEvL@Wi?nwT0{^gLia4y@!*hyQVP4zx@&jh{a_wG@r zZhkuMG|94`LImTBA50$IKsXw!G3~Z)a9f~~((Kn5eZgpWK&O?E!t=Re$7p8;)d)fk zeb_#$zoUb`>Se`Mpjos)2{*=|*?;;hS`uY$*P*+B8>py}{wB_+Vw{fFn%GycDAqcA#9OqmF#8BrQV?dwtOL>Y@UFcxP|LG*%Leyj_SV2e-0IJwtn2f_qdI& zdCrO~+UjLLmhE9#YG&Kqq)25wRvcTTuQ<&61;$2CALA<%rB$nL`Q?-ndN?K{#bjG3 z7Q*RA7>qb~vtPx8dtmdK=QD$R2o_WoBzv&sL#@3Z3lyVGprR)6DJKdNM*OF-aYNi@ zktCWlMo(AEM>*gRy=szkjHY|I;SsKP(Sc%;muT6 zuDd>)>?G<>Gf~e~!D5>9uDm2YWEk@fj=P`Qe%>dKQS3Bl1Iac8`E<%XD$(j@L4L7i zDa$oH8{<&j_N@s5r!ub?`)nG0(OF|>-N-WNPV_!4{{*hQX+lK}(xJoCxOIaKIga^K zYuVLchN}Aomi)!D&23Keg&dnN&G*TAd@|m~Ooa2&aiFy+KRC4U+$@bCLs!KB&m_;7 zMS(+Q=f(ZbrEx(?K~Z$-es3+#Kg2?|~+9V7A~ zYJ3f>Q?F2m$&AjczK*cK%|JI@3;8Kdu!MUUk7Te_lsYcs7;mfxMl;&0J#+cxwM-T6+4iYLGdTaUUFOmqbn)#g zTRZ%o5K`UY!4g?Ymt!Jda29kdG?u-V@EU|S-=1h>vhF<892&ArFr|y|6^aN*T=mll z&gnl#|5ghh==V_WnJ!Ey&u9=YR{heTP#%qupz*fr7$?IGe0Eyt+CnIwjxzu!hDR_Zqa znK)DKxZm6L1uDa5j4JaHSyaY1TDUs3^^&aDS~E#J`<8EFTRa$)4Cl6LAcYB%>0~K2 z5qjihK9&D>mAe;6ONOQYG3R4WAUXe;h@TKp3uaRJeiXq^%q;+8BgK{S()i=1m1^ck zIN@J~$%7mT62lp=NbxVNp+D7O_|y?m-7g%oks8g}tf7!cFsjv)U%~0(_!6t}ER)SM ztT`l!cl~If&f^fqq@MCPWYU*N7Y>q#UfO*!zZk2|Y#!|~h@Ub~4!RDv(S&hiJI^ZV z2WZ`Xe1i;3PxqXeWvnD2ogS$|PxzH2*mcqcDf)he%jL(gY!k#R7LC-&p{KyUdCbGu z<;MPiDpIYj?%20$yZ7T7Th;eDEZ8!sD$w03yGB3PF97xjg>W!(cQb{VI1wH1y~1 zP$RD&Uk{sWK53icOS&;GRVR8CrM!>>VpN{qy+1{AJIL{mC131~uRjr^?W8UGDUu*KSr8EGbMo&G2}kVs~UIX&L?;*)W~U}{JMF)-&v5K8v6Dl|Dv?( zx(i%bUICT|5UD0;=yjsK^BAV0B~Pn|fFm1~@q}glp#!k|)73@F8bDBLU(6=+{=kC={{Vz4Pni5ouoPSD z_AyW3=g{Y$Z|X60t_%b;UR`=0_o)u(puoDt@8cR?NN+K}HvRgkkNLjZgOM0FOx^D9 z6mDV$R@Q9?_@P_2Fy~0DOsNU_60>I5x;yQJ>S-jBMAge?@~SkAmh?D-wNeIo`WtH{ z2M+}XlZ*R(gWYOYpuq+*8NQc_&{5Sn;I5OMXso~9$`@~2*xwvMYbCq+o-oxd(sp{ijJjPwQl4_)sXVtu}Byrq`AQ_^y=MvLK?hJ0YDG-_d|;q z@BCsK0Ew_fc#Lfl)v~b|%B!Ye*UYPsWy{ZU>htX8^Tpq7uw_jlYbS=K)%%R_}Zri`#87W@Rw>jBN z9Ym*eAEEBGS+0|#{_`H@^HZ_yp6va6)|BdKV&8YQ@5%0k1;1yF&yE49J^YasX@^z* z$q_?FoPHY6&(q??x)ja^EmSE9l>WiK+f8o5vdd*W8*o;>`QH|vhbkoJ2xB<+N59d z#jJ|Dfj)xvA)ZoGLB`F!mfqr9dviBJ8T5p``l`MM(cCD0YVpb1QhmgRSqs~_A0<3j z`k7&uUFWwtaj|Jd|F*hV(8+4>ES`y zpJj6Pxcsm?iN=1GVVy9-@rE8SsoR8!dn>@p_2*F!XUI9AZO>BO(1`QjHubS)VVBVi918Z;&0;6?X6@)GuICmFzvJ1Fyo^@Zuqh*|y`Sj~4UXx3mHiRq%-a_fRs-hc5XR^YoHG??d*dSa6arC$v7@_m9L zwSB%fhg+a_d#7<98w~#D{c+moowfS-swXVQbHc}Nhpig!^to!z5B1z=&KbR3kfQy& zQX5~A{)w_*nCvWIkeiEqHhA$)-9y~EDeo4mAnMo&luB>z=-2VpswmfgdT{g6ZUBNIw?iA`)aQrj9NdHi~; zz3S(^1yv%x*L}l3H9r>Iiis5V0Q^%pBXPG#@1<3nujjRL|5E??nZZ-{{Mo`QWI_AU z$S5h(N;$&7@fCH;+a8~Z$Ld~>i zPnN_HczGi?e2n$N!#yw?F@^0`bvPn1BH>E2MWoo=E9cH+wjB(9WSi{NHm z>K;*}(to@GHev9&uQfsD=v^GepgS$SFetFjo{J`m<`9}W3)3i&^Q=m%gc^%i@Q+y~ zel#Q<6%RJ8a{|7K}E;F5U;P??S#FGK&b2Z*dL1qYiOYu~LHt9Ha~>)_s7ub&*^IPDYX zaIU}yuQUW$rE^Mjhfe8#P$o>5pUy7Nn2bV6w&y5fq*vBbb*i)nuGzUe6#z}&eHI$S zeU@U#c4Y^NF_wq7EvZ$vo-y6;sW{;e#|#160^&F{+zda!^8lIw*D~7ufwKf=8evzy zczfs6wwUXVl;61r!gjoZYmtubgn)f#B`~K({*+-oTI@8eIxjaBx}%e$=|X2$t0?*{ zlCL(*5OO$9kM3_|?BlKL8?o;bS*VporER;-TZhV}eiGf$`K<{>rF#2?iLFG}$-^Ko zED^?TdB|)gl>6S@PM>toH8((j@afEHD`p^0)hLFMyG~@@qu1E2`)$?XYs0sU zZ4|_F@Ush0ygsVPu;Rehs(N1nd2%RP1qfYO>>m~LKRUZYz3p^TeiI59DntD*cXR4i ze#+Vh-a3ZA;nVL-u-fq)porqv@LNQxrTQb+cB|(OO|lbHo?1p2nq`~725+P5=zzef z#ulGIuNtmoaZ4`Xy46IKyTZVn^9-5$^oCW9*jj2U)YSS>)vPmbs=p({^tr9U+*39F z?N1HIA9D9i)A!kJKW~g)xe**m2+~Wy=#1;!ocetLg;+-L^3`hC7noi#;|{zI^Z0XQ z%k_4QqiNiNETYbxA5o(N!qu1>_J!JxtR|YQTzk37FI^2@i6fmS%Fr7@a9C|0>ve?+1!n*{Ek2+5UC&-2m8Zxo zirJ;eeHr?w^fz=^NPtmq!j{45!j`o4f(W&=S#U^V zn*b?2UW$~67O*|r00r1;yhz6F*gwTmc2vihkkKTbax9Z z`|884%sr=G{;E`4G)AJvq)hXT48qhU8$D`ufy}rng(XO4G`xM1L0O5F>`a9k4n6+QTA#vWecNIXcvHt5xN+Q2d>Bx?Kl_)WI4 zVYgHENnei_-&5G9H!=DcCOR7<{l*k*Ls4<#!ufF=c&@Y;SYq7k`LoP>=Y+boK{3zP zWdak~Cx!NX;;UZDHZ*qWmhAg!qV>P4R3;e~kPhHV;Jen&it5L*?2JiY_8sX4zKW_l z(TP`l={(}{hGG@HpJiMY=AQ8oI)%wb$8s;SMQ2XhAd)PCr1_SqSweB`OcmiVxj=wD z;);VP8+B+#KL&j}wf#UFcWTab_E)Glg~rcH5~26!T1rXJCB>%x!uMjgx8lJgGW;ti z8ZcB_`YU#n5trcLI{D&Hd*}nw?Fjxxr@l#kUvtyFqUt@Wm`-;h-<6cwrDZkgpCWzQwPvm9ckd*oW60_t4q6`t(8*gF}yK z7`+bu0vntZbx4QO|A{e#RG0`&_uJh5WW61;jt_n>F)WkifBN0(rWj>R>?7v6Gz^h8 z!*mt*ou35MiaiRJfT=q)h+nk$#|6L{m@5ILuB7Aq|0pw`6*WxI?tI)Igi3i8?@U)% z>l`rC(=k>r00YSMdstQG_#d|O^)=|aGuX}~B$`JODVGrscpT2jls63d?sZ!Q(!V%M zPxoz+_;{}Ysz>6kd#-E3GWRItPTSOrTeH>WGSVteV1ta1&Nku z_C4J|nHfd$R_4yMGRZ_YF6cH>^zb>(*q7-JC!x=(ua0IEs+GZ`~)9w;1^UN3`W!32fio3Vj@=Eom|O!j(3|(eBIrxQvD*5Hzh+q;NAF!J_GhY zQNFNOS$Z>pChKhIp@gX6W)n#4vhBytUJ5&b*G;gB@j z)X~9HTaaDRLa~v9;CS%s`0H(B3-B%Hn1wIAv8S-=z2xWVJ{uucTvMyMVSNTVS4ork z%OofDIyupb#`+mmvtHhS!>y8^6}>x<3p{>q$%hPThjn-#&b2Z?R~9dm2T2us9}QNo ze_u5Sl|m0SYKoGX`(Jwc90xXWrLTAcR-@I2!jtTMF`gY?Q3iS`gN34QdCv1_$b?V^ z>Xar1w`mI_ML=M!#l+stye0TDO0b5o0Czyp7m7CAB5wh>)jJFWSB!IdZbk*Mg}9X6 z*{XdD!--vlX$%SCZPyUNrPY-xj+2=^lHf^AZ2kr&C)g#}^j6$*B z4<&~MYPP?n&;yp%mm$=5Ga|`iPK;KbJ^faAJs&DupxZMFD(eUn_>ua~ZuKEGybN{% zWJk{(COUH?WWr%xxW8f{ok!2cqKW1CG121mWTrep)oAog-ObAjexnB}>6l2-E-xk{ z$}z6IYcQKDsjut5^W$y&V_=-5|BM_vDR!Ih>y?@t^3F@ZOEHmfgx0f^L6iI=Vy_vXln`D2J0(}}i(Q^FXcAfhA8^qg&S=`Jk3BUE!&NaUP? zG}Cw&8)CA(66T|2MZZUJmcUTC7g%(9hji=d-RMm@>@Qh?Cq26sg0kkBh(KAeTuzA= zLcv#{+yr&`@2QtL{9;G6)B+Wglo`?y;D;~$$5-{> zf_y$h)Xho)c?E^LKU>qCAZicsOt`O%ygZqD zRqyp()afVaFZBY2zCyU((d!8oi6CbZ`O-X1=1W+EJrlSmc?lq0!c`?yUn4|p=@i;- zl1NUPn)djI5jH2x{ZUn!M{9AKj&B_EFi5SX{28^Xhgg<^>qj32_r`$>>(W}kmeA%8 zRD=zVY)G5VV^sC$Q1 z26s}TI@|pk(Fx3_`uN7Gf{i+rX`1Y{G)t*(n+r*<)`-{X0x13c!v@CDc^M9r;leVj z2>?*}bnGq*&dqRi8dDz@;+mo4E^fPK`1Mn(FJ>f(|1~1bH3edS_3B+|O3YpqSjYDx zm_7RbEX%Q6Pw&+W43$Y%V#8&Vx-mVQv(t~q`_E%!PJgxnn;bfKmo6hBi+oPZ%_R3S zJ<1p9m~3=>+SwnhCNYJOcrOj>U98G`El}c1`C`duAUVh70(=UmZ$e3|55LVFF`y!Ts?eB^VKRqUOGxTz(?l-wpq?IVKH}ScMtl zBXdQ!m52%8(~{jV32!i5XlRASuyP2!^|)(EC`f|`fWJYvDxd!i436En#=&lq^@sc~ zO87Te`22a()w(a(lxCIUe;qUP)cFP|?c!D97b)89){$&^GIoUZSr*^LiI_@34=Rse zo?F~opgc8Greig9#nxbR{NOaf!Y9RAR7>29+n-fjbeI4dpu_>Kgzt*pt|cnv&c}vx zwQ$($kFC>pC?LqN+e!GZo$x=tuo8H4kjOu6t#;ZD_6f+1!>6%4?QWdLa!XZ~t0~{> z*?S~We8)F;^l#71y9yUrmG8k)5QVT`!sF0bOYSS+b?0faX)9QjQf z6cJ{y?Hc%_0j6d`Pmm7={z<^eJa}6kRof&Ip$KZeKTYTMAu!{)_&l9C;EqpY!aY-< zM~d?oF)~~&FihEMoir}*zkfsr_(I{KMJ=lQ}mu9{!jZ`Ezu?JlCs zyUOThA-7D;M?=s*(UQbVo;!J?xH#kdaRxIISnnP#p};^s7;e1PR^0Nbw)zG94U*f8 z)SZa#k?B3(E39WX2JZBTdKWbidtEiA)-7}m5*=Zx3w5acc!(??3NX}=TM96jK9|-oYW#Irhf<~#1hV1?v`Chb0^rimDHMTulEy*P)SrK{!rR}>Pk<4`PGBgb z+m`)N2c5$w1c5uS&atT0#=-sI%S9_X(yFJ4mU&$lVT1w(UYrP+9bMHzh>bunxKFk6!jEOsQL;!K8d!vYLFUb zRi2D+*s*G9GvmS%n;8L!sBtoECi{5lX`W2wW)NxCE4mB7M>IFmJE0u(X$g{(M9WrV zKHNdyJ)Fl>)1hSeR9c`!cIlWavC87yl;oKk_tV4}kB_uGVsT%)9!MRPzkKjE|E9Q? zLTxqw_81j~M8bHYpEymaVrUzDgPQ5yruh1S+L5lrY1WU(v!1FC;r#vw;~rr#U3^D@ z#C~Jc64NN0wI>_$Mrb(8kn4308Uc2QA2 z{i$WX#QCw#+*sb|>?yi%@o2#c_w%Scp>{7$*u;2JH&o5|ScK`H_tI)4d_{&m!oE~G z6PyBh$T@~7Fh+*kpF5=rJKq;R&y?ioJFy9TrdW4w#y0=;)J#nR-j#q2C;8$q)g9Uq zzT3;-regTW=p7}r(>jUNGYfhQKh0-?_9Syxepl3d z=C1BK^mZjC@Z~oXsIx|Nw;Cq$)^mJX-|t5EqEFwCjFGp8Lq<4!pX48dcX!o%PJZYM z41XDe8C6EakOun^Zga(P-?kem`<1p9vM@;??8H-{7RoDpfFSX3KQ0Zw=FGgjP7n&D zsl+q?q^W-*>tFPuci#BPcWz)J`IT!59ID4Jjz2YE zybH{W@I+pmXH}DgzK~@7(wh~>P}AiW-`@UJbCzv$FZ<2dm&u&X$rq%dM2$=0WFf2!NWqLvnJs*9e-U#?vCoY!QVW#9avwd>(pY30zFKW{*F%oWx2mJs=;$R$j^z%l=vg~w0(C~c^7Ccj{|c3=*fD@7ej;J{u1AA zL;a=tUdQKDo5M_=Pv#)u@$aS4nB#-YLV;s*vm3}zAO&$-vmh%Dc;2ufJ(<<-1^)iK z4c+`w<^-hb{~L|{PrUy7(XsvzYkY6+nkQQ#ui+5q3m{jxr8$&^X%`9ycdOZL-th$!fOmx#oldls=As)>-e?)U0v& z`*iMj_+J@6aO*OB-+b#Gewb?GrSLESTvuGfxkkOK-*^wA)LZzxRb;X|2&edoNw#eE zM+Yfp0ct+-a|JCIC&+Am+?KT!^Vbx7}W6Q(+d}Poia9xn0ZRGzXytx@e65go| z>&D6i+HfB;x8HneeECq+9iCjyp;X6_U8;BMZ&%l0YQsRaXp-lYgVgf+P6^M1x5hJ4 zg%4W^i2T>zQx9v{t-si<&gF*lKk)gfqka&-L5i2(h0|2$*@Iro={Qvy>16ZESuw5rF|I5Qfbk&uKefOgW?xBoQ%=C5T`1N%5@KLF& zy@Jd^C*=bdoHRC!?(i^4D|8Hz=}YI{1oy^wHm-j>skn1gx8u%FOt-`IVfTH35p(Z0 zd{o$eG-@KTr(NI_H#0crik`C{S=sA1<&(w;f@yuGE-<@RcaEIQkh{v&nheukrSldD zOqjFwe11c%#ChA^Qg3lhXalL+P@JIcL|;*Zk^>GfPC8VOWbCftx@d#+eQfn+^4YSl zKZHFW(=pl;E;6iTBb{2{tz2il1*KmO{zc*>GVh#2huc4v^FFIAnlmG~=)G_$Q4HGI zxsoy}Xj4 z4C&;mB?`6ENv5NkkRKIPCqqcAvi_mA<&6hmlD8{r(p|$u?7Vk;SPv4{e{_ooPxiis z=M|{?e?2`l&*bInO+4=gL5U#2^q__OUSY<9o|R)}IH9`@5NT@r&C!bCNS)#z4EF_( zGOkmq%5_R*Cru%q{{Km-_ii9w5qiW(ofM+W<_%z;`<}D>jhC;v@#fF>`%xU=@7f#d zRd3!|yPpR9Y8`O3kwmp{&vs_`!SYjjxd~4Orsq_26Y5q`ww}|^nCPDCK8czBZ8{ei? z%|97j&;-9)`8(i*!GerBvi=En3`R11sSf<8mQ~Atd!EcoRM7^d1me>H4TD8wSvM9* z4e#6SfgdvLau#SxSo*MVQ7|!Vhb<){-W@kFHh+^|Qti%Ig8Vv;r&9LNqK;9O?%v?% z`4gomFqGGLp2r)_gwrtQ@UVMyl-Uhn3bdjESvn7!@FO^W(l^{cDupZwXm!^v^(yT` zOpha%bNLKcCu4Kt*xD$FqQ&hZ6z>rU@BNzGlQkwNeMKid#4QayY|jbvBEx>$2Q3=Y zBwaU)qYBr};(qm1?mx}qzpCLs39O0iJr{oc@r&_q0ing)Rr7sCm8zs7M*x8)RAPIm za`iV|?VS6(a4_9|zxz(x=)hgeF1t|1>f#iKdCxht1AG|z;QAr@3AT9jlNKkm6()ZvdI=QalX3!Ed|PD2-Yk=EzJFUgG{X{YOWp zCn7X@_kCec16NzNv9Be!OixMwqg|wn7&eWj{`LzP(R<_=`BVa;=PCviV61M`${71c zcJPMwh#vL-dI3=U5qP^-;L+3Ix!5GYcfazhN8kE-sDE&!2f3^lgvUnD$GIJN^A1w+ z6AH$Xq7F90Q`Td>l^h0S-^_ z-znqG-$uhW0GX_PNYG%xdxCUN*GyE?fy3H-?&&x=@)Y{ubJJfI&H$HlWoA*_& z>i&cdai)hfHn{CeP{Z>0c8&v4fEnQx%h;gAg+i54q~#sE@kQ+?r62!w(rxh1FXT*R zngpbQRGoGH4j^VJ8q;(2kcG5$vW6OFiM!4EoQB0S~esb_Id>U%!|xhr7SQ$A)#@soTUXdqAa! z1NIL2Fd?KG3OC1?mz!_?`O3M=HNB8nxTzA5=*Z1}0 z#{fWK`;%bclih!jnf~3X{ils9lfo-wyMak+C3T*wgYt?Wg)%&QvbEU}Z3m2q{a((z zZ={$9T?&;i#4w;tbHv*Ls#6oPbIv_mY15o5r&AonhM?$m>d-}%!*QE|~i5m=jnue4$`jq-^D|eH4 z0RHGCUtWEB#=e(2-3Hmy2pnYRyFbhN!QA^)-j4ztF1)oU%X08i-)l31)SvT6nGU`l z8Vh90=@Jkhzg3#i^i{C8L;IE7#*nT@)g@F`161nDcc4?RT+MoMWy?njQ`+2G_8*W{uw%- zf#+4g)Fpm%DW5G_S24A2=ju~6b!Y?Q`J-^#?2oTjL5vUsdg+rbwX51GLp<4%S3Iu1 z?sM~Y@ZH;)V$omP76-hUTw|n9KKxM|_$6*6M{qXyuRlNvFFl}BxOL%Jup8td&)R!p zj{L`K+Ib^R%x#IrOj#~8R~_)0E@Ao*26#>LfAZT?j&AVj^m0AUYW(0M5TD1^v!Q(d zO6_83*c75eUon~yOk5dnDG$3WWl@d?3h9{8ghkz!_9{NCC`_vZpZ%UHT#HLQr^vib*CSW_$Mk@%ENsQMPOQw}ga9D@ZqpNQg*xh=PECbV-Rw*9@_^N4-_9nvg2e$^L8 zn=Y#OeBO2(Cl zPoTN}EZz<0Ie*hdO8ws2L9%G&L4D1>_r#~){M&1(U{mnCl3v}*gxs27R)m~kU_&sy zH=@b$cwS1O_Sf|=8ESaR8RL>$mkHM(C`Rl8xs_uOAHy6g5%0=PKc)V#DWr`IP{@wO z2{iuu)e(TOAP7AnXEZS?0-1Vee~8>{*?&C;)AXQsWmuaN4;o7D_6@}WY#f8=JiwPG?`%`A`)u^%Ga4Fwo@@2jPT14W} zZOz39egDwRYmRqsY|$y`z#x}?-LTr2FYy{BvCJ@fjjL=*hizK^4$zX@4S?MS3ZXn{ zzKz@L;1Vtz*8G#LJ)i>NPn0>`Ap)P=P7V=Vk$B-5uOY*<=vccvk79Q`R1=I2r#HDv!-#L_qpL^JMt09{ z>cE6(ER~pA&Y%9;6Dym!bF2EYWK-|CCO+=xC;=$$5wj=IC!rRPn!4B|juKZh=~<|% zI^Z(GnB+lDqiLFmB_67(1Abpx(kq~x^;ry|r`xfOS<-raJ*9Qh#96Az@!$%f?c@ z;L!|O`m(Ozl_0%c=TJ2ZY`VWjEe`}plVTx9%kk^UvzquYCYEESMQYoh9E)mGbY7;V z3h#m^u4}Ys6S=h&njNYpI|^$J`9(mp8ZeuN5PC(im4I@*8tYG{Whyej0`~J1=g&Lf zQ;CgGN(R!=DF(8or7~6i)p;0F0erZN#-(6|Z2^u|2ELA)xAX68$-gVcZvo4RR7S$8-~Dol<5E+TsyQqT7JBv<{~K1KX(09&{~Prg^)g*h z?4>c+lD4kTF`W8IUc@!Wb+4^9%|iSn{%&|r8uv&Mrem^G=23@LK~{`bLwDxb`Oe`6O`Nq8=XR>Y$+jtzKtd`3~K z`$PFaN18k;H4Rgi(DX~(GIZIJ--wrNdVN1{Y{B;$8X`jo9r`P!V7*Bx!j=2F?EgPf zir|)=mo0&^CqVy)hvAB3ce*AaW|t|{SqOG8mAscm#80|XKKa?k@J6=uLp}YI9ex7~ zSO&r9dsaJ{L+5!xUZfpTr9-hUu$EN3PTW)`>&@ee;ECNNIYXPunT)A>Kf&VXC0QqF zYJ(p2toJxO0+k|B@nX(5!1)4Xc-%GI|9%pH;8BwmflN3%^N-rMwdlOHNYttno*?@2 z^Iy1C#jiI%LUvRYsSAZ2k!7 z5;Gdfj;XtM$d-&@}jmly!Z50F-apBJKnyTg9NIr=}Ng z;h)LJe%q}!y{DGm7$eQZXfs9WG;Ju;olN$xYZGa-)c+>%WF(}#(R2R4_GQ!<{cp5z z8Zu8u_p2+Tgm;!xo{eN)q+E>JV+XgqQbGW2H;)0S>wxX@*0Um|2y2@y{l_&duNMe} zju}w8JJUVs&Z8{P+U`*fs7q`NSXI5wRm zM6MH32EZ1Bs9Yg?b&Zg%De5_Dw&%Agrk^EeP)|G7?K1amCfdTq7G>$~3+aiK*>8zms#|$W6 ztz8PMP6)T5LiAO-aGwbzx)8C*rC&Ee>6*2dSL1;wVCyn3J!-nU{?VL&KYP;@e}1Z|en=QiCPM1`@nJhxIHmXWsU=<-2d;!m z^k5Goo&6%q%b3ECg5Fbcs>)2g7%lZL7@$}89aGxa^~mff;cZNJvTNse((mG8gqa<$ zCC%yF{qEmKZ5x+hwVvp~+Il0q-W3N?nT7Ir4=?29jPzkap+M3G|{2bGgwsG3NJ(6#Jx3ZtG@m{0KudtQP zgx*q`K6hN$>9HQVUjliir_8%64&D5QTCob9sLiD%sm*bOe+Aq4JbO5Y*_hq#m>)n zEW&#DkFaG+hC;uDc-H?__F=S8(cOy#t<>@z%HK`<_xLBw*(6+XjXoM%No`f+t9hU1 zFf4Q^Su}50Q_plq3m?(q132K8)Oe@qhi*@)&y$=^zemAJI~*R3s2ePYZqri29IvM@k<;L#>x5H%D{|r5#*9Y;*lAj$h7kZMluM<&lj?-a8|6nWP;m`N zL?UidqMdK${{NE_9Y?nS(CC%Db0p4Q_-{T}Bgay&Mz~!sR@3E)L^Xh|s5{x6uFK8z z5gL1QaP)F@GV+}`c6&(kCTPx*|1Sv+QNN7Mj~F=K%>{iNa!X>e5?LXia|?nTn@ERk z`Q1G349N9%v`p!2^!Duu;)FAWx4LILmFE?|CJ1pG0ElC^OGC2VP+Q|s+fyAnqX-rO zBH&J^M7{HGPxiW#L*V%(T_69SEr(ySz}OF6>GTd?5~IY9+yDBNp#s07j=eIC(S9s* zW9w6j^-y{S`7er0`^j%|n|<k^mJlZ{lP753`DpIJV(g8PcumVg~uc;~kG?&vcb|FFiLmG=Aq6MGG# z9aZ-F2eR%5-%5x0WWs6SBcATg-PRg>ab}frKiGmT1WCz}OQq!6mK`FXQj%uO8=tdY z7|g7S0VPSm87!-PWAjrx-I$sLI&EL`*aW=)Jg8nBpQ+b@pg|(0z8>0{(NVrsieHPE zcKUnmqz7;=C86(Ht%X(9dk8$sSIql_@+j45H*Pi{fDhFs>H+<`)z-{tlnuOA=Bh(G zn!z)+8bC?TfzBED01e@Q%(XlE+yu3Tx&}?cj6^1kFE;zKo5*es-S(MuVUs|n0Zit4 zNfkXhGEk!?G9^0ZnE2E#jcS7IClOHI=utluW?%v?c5!&`^AG>N*o6Re0G1P2X0I5k z(saYY6;(>?@?D%^L?!8uITDyyIV9wl8;&nl6`(um$+R;0SLknlA584st&(UDxt!%v?2m^gLeR)K9_(Y!*0 z0%cOOr(X)Y!$uw#J}=~S2+OJs&}orf3^GBDKasloU$?Ny2c$fzRPW}uE1z^78XccWhz!m(+;F&Y|R z`^T{<*Ak0NwNavUUBC-oGmoEerFIkq$(qParYBAKWZ<89o&7Q7u^&&50`v!SmZ_k3 zmocK#m&iEyEJO9e&bU6bvSRKXVf~cX9(_y5HTtK-MYp9E@P3B{&VS^5!UH`SKZY7o zibo2+0p9W#%mVdfC{x%mF?v5YGh_-`wJhw&a!ornrFl1GYX9d<+P@pK{=sqxpg#xd zOL?|@zXGVM^H?7lvy%Vm2n$G6{2tw5?LIuhxi^~G^mvcritLPKGBhT;%;zoTc88hP zt250{{F{xBFdd}yTo#X{#i!0K$ju`3C%L6}hlfHuDeU8`D!xtlJZx`P=|cZvp6nsD zwpjh->Fkx>AuS{t*CF&8>l?^5-tT)P0sWS^fS*5;B6Ls_kG+?|9h)qDDPQVD!vIj% zW|t0!l&yUSo#ysq?q}9r*i{4C5^>kcWlD)oxUR!WsH^>c@slBCaZroVI3;TDr1rn3 zv)y4Wz=zy>9!bA>byfeT(sr)5Pez7meT+zC)(kU;LuKNwSq*S(6NNH_9a0XP!(9&l zJdL4yw#8H3{XL>aiQ0gD^6G5c$+7JtVNqoaHIe0)J*Ws8x|ZgqF5q4(UAzB&T>k21bLsHH zI&Q<-7YJkZ#li1RHKkQ&LG_=q-!(Y^^-_GqurkMh$6$gD?wn%QzVC9qmg;0uUYk-26eD$A`#;2rQBt9NK-F#}mB(ldP;U6+&eA46WXmfG825?QxViP?kGj-7&;dy^}l;^_Cad)`jblRAS?nb&+6Tc3*Yfh0| zqqfS_6-^9>0Q$d!Ob*qM0f9M-N@q-AVb%??o*vf>* zSosA3dxbI+q-_qitp>!9z2p};?7L9qye0#8+i?|z0jWNKCh_^iC+7The;s2vOqh&~ z7z@eo>w6Z`oU7Uk?AJ+sbAPL6oAS5-%g3~zs_@}@I zMbOH0?->L0wxR9Mfq9|z`_5LE^JEJ8W@uZN$g{eI6`j83>wO6QqXMOS6^-ZfkVVD{ zyJWsaiQMsxv@7qaS>I&UJKKJceJcqJ=PDCSugCWyP{vn}zo4&RA&G9Q&g8PYaE#2^ z5yXO+Dg{EuKl7LTtPCh8BhNSDP#q_An)?%iFo3m;q3tVF~ErQw#UkTZ6(JUW5?FW&{9Q@=t zT#>*HnCO?-Mc}2m`!L6_=fZIqO<9C5qC{qacU-~k_ov_W>7dzp2GEP<05Q@^agaez zVQtseBGx=$d?Ly&aT}0szq~jca71+`i!llo)%P3j{o>){jlDXV2m7Ljf49#9+DVsW zGnb?rad@D~;o2df&`^H@X!{3v*IxR*q;Z9t>;da;z--SWQKY0Mp3EcV@ZP)@HDp?;&G#abWm>(M_2?ISB#9yThS|8E_mRC0t4uMbG#MRlyy&e zK~ll?K7iu$kl1U0hyo#@Do&+8U%D)OVXEp{J{%ugyji-k&ppLeDp{V& z(o)lqvdDbo{IzRw!$AsUW$_#*PAoXN(mAzx+!VH{wLV#Fy2jc3%PGMNL*rK%we=n;~eieZjqcuT&57XZFTfF?B_YCC9K>?mrNODHjr2xhO6*4J=1= zj*es?iMq~xtG<1 z6sdKZcDfF{$LB)@yXrY#WZVHN7u0Oj>k8YB@ z`+`42{v(KWhXd+_-PLo{*S9GelCRlY`B^jfD2-WMaynS#H6$dnFw`NF->8+t1iz=j zFtQuUG)%r2MW(5^gpypTXk`BF{^aRFmPxh)4qsZ4!|$)+HTvYBR@-WKBzZ1|O@9?z z4F3?64&(SnEXO5NMojE=ov_>hBn~e-5gj;D$9D~%d?8?EIAagpSW$KOHKNzly&p&% zCa73h(_Bnt{}4y;`~DFBiE^rsx$1D6e9S{Vdi%jeZK#lG6uFeOD{khm1fHQ!M?oZV zGMO5M7yOsOU;mHhumRayu%AQKOb>J=Of=#=ec`O2IfHIJ%%#{fpdZLR7KKsS{;5U$ zuv^{z_`sV4W?q)%LyXxbTt?ezNL{|#7(uq+%(`5)GGNyhDXcsC6I8cg9|CSfqy9#~ zK;cNi%gvyh~O7W{MXA zJP`RQ1_ej%ok-c`!fIld+zgm5a|5a*=oH1gt$lqbKIfC6U_;k4&cfZ=0hr@tiC%kq zC%{kn18iOr&tN~!f@~Lp^T2 zb?pKybt77O%Ne}U`jnBe@pOE~aoyy+uE<0@B)x08(qVbp3%fsppV*DH*93BW-!UOd zsaGjUV3J^xFTl-LPZzJdmhv>qVcHT3@d_n8;qorIDwb68!I>ep0&w@ zGJ>-FKYE^W1V+5DGw9EM;8)<;D1AX(jf7qAuWt!ePyI-(`^1~rMk%^e<_B-Utb^S^Upuaq%M9?pVFI#gbGjp zK{lO6HG?Wq6X6-ae3I=(%zUrT^zVko=61+jU<+CNGJ4_q zb(mjrt_I87VEMmnIFtGSG!32Qg7P%F0gTSlh{@ZL4?W_~V9$w7*RN|`-g~siibsNgk{*Gpn zsKNFfqceiM$IqkX;gLZFb~!9-8LKsRbp`|A zGi#F=0~tCY;Z<7#PyVK(GRRU-?pUW33Zby5%sK{e*i5Tgz8=rnEjXJ=Utb*75?_FC z5qJ(XqbzDP*3X_jCG<3C!T}OJ;^V2*|dFgAM_Y+ZvDp zxLiEIGZ(1?yln7=k%P3ZT3}>0+<3Y+QzVWJSR;CgJ?2OfN`Q_>;ti;S@)K zqvPw@An8hUo`TZW%3=TgyoiDNvknb>y@D6^g>BkFrqcU~K44#plpB2y<#R;7Q`aZ% zXXCaF*Hb^c#D(aRSq9n3Q1yCAm5vj&_BTsJ4keWDbx8s{R(^|vHmRm>a2o*`ZKr{F z_>Bv;S$~k9G~XZA+a`IKny(H%_wA68Bs>;os7t(*g!v3QG|s8Zi2z(1c@s-ieS47j z^j5AthF{)14JVbP~ek z^-4~oRYsEJY;0V=`cJcA+2F|)J`6aJxecxi zMBw|2h1W@iRdb~U(A@jKuh89=L9z5a(LDO6_))i|ZUYOMyCki9N9E~6PYgZ!${eZ| z^1l8y>MqwUD^k|DxO@1PFXNu!8q<8xVmztj>e1j@n2C~hx2tKMC1ZmqXXJ0>J#G;e zG^uD{#(vlL!j-C0kgi>D7)490yJ8_J@4kghc2{1XKjL-5pn zy`WlTEgGi8=h5WWc)qb5L*!sgId0(8K4_DrR`qa$du3C5g;|MXAZ5a3z!hp=F!8Nm zdD^lV+Fp8w%A$e47TCUslJR{%vfsEiy=_hFsv%3#L?VtUVZ8*l;*cMuMfeDB&@P%e z>5U^}+ZE`RiwcFh>;&9;!}UHLHh$Za_^g~!DKE29(jIdMewvdUoW%1Bn#*;0&}I_@qlXd9hi7+3pERVPTc&Y{yMPyjBo_z}H@LgV4hagIM;h!n|beiPVQLJ0x6r`N&b-N&0@OryZ=;i}D@X zMYsEw9M`phSTVoO;3KcRwL{5;pBJIQI?uh1ySkKgAWaA{ib5=Y!len>U$|}wT>J)yAREnu(oH}!Pmf+w914i>TiBFAfMlGqD8$Vf0s2nXk ze#%TNZ4WFdn5eSQR02<>b6Q|AL(T%=i-Wd9z3YrK4&-_Az)AH8l zA_2^d{cndQJ`cl;FB1q!PiwISx~--_9H1=dz<Xzxl?6L2P(|It4RBcAKP^L+;ESk7IZALw6Q|=Tb)t=>hkS73e+$R|1HX3LS=kl zUgg%9mgbmO(lJCqVJ>$Jeff?;oxro8@A7(tf9lPfb-1{X4XVD7dQSV?#8=^(QbRhY zTiRdVx5lL_!?Yk~dk9J{0x#-JalMs9v9K57 zdAbLy8PbJ|+U?hGs`!fN*KXJhcWx96w}S2iJ!C2@DOrZAuGGBsNw1*2MY#~)M)e%& zX%5-?_nUH}F6=w*aE1Gz6osSLx%Yq-KI6J`cWQk(^fpMjRa}AV7p&iO9E^vxI89 z1_Yi8nb4*ZoQ1k=r#B$LNS-M5^k}LqPupgPm8+RJ{V>NKgA(Z#6<#N<6WF;`-LqyC zQoG=W^yMM8nb`%CIFNN-@G!KiJ7oIqTXWPmgiG2f!KHS+?_oJb6jt$wy$XFsf9|}q|Yz$_=I4q|%j(RBDW@#N<4MCe7DObfD`zHkcU zZxV{lQ$)SB`J`VlW8eywv!7HWE{Ml%D1cVr&^3KfnQrABNC6;^|GM3V*T178VoFgl zGIW@W75$D(HBLo1iV}fg@c?Ji^ua^gnP;M;rUw1!;5sBiA4o$1myl}9 z$hro=Ruz3d?)s^6n9Oa!b@tgr!8#=4_@}h@8fCi=BU+9d>DhEugXhZ0ocK(uLAUkp$0h0PSk6<_Z`vgDSVo&_)6` z(CYva$@~N%TuGDdG9Nw1?ro6AVY#pZ^Ud7n39asb^$LlxGjJ+WHFo^qsZSPfw^9bM zReaY#1tTatjtOC!@Q0O$)><n@})$Kghlrn zxNF|5I2UwOewXx39MleZo0}$xE8%IhGP>y6N}8o!M?yBoGpM z{3v5<5+QK{&&PLN8GN=9EwLGif;w@gqC37@xP*D)Z$@{>E5h5XO5+t8BC1`iG^_W+ zl+@?Hu{t3SLDC+-20iw@Y%;rtTqryuw7_O-ibgZJP2Qe*sR@&3w1C_IfR_?@J|%@j z*b@ld!ENhO+cob%} zBu>q7$-`YP1wdWV8LXcZ!!^UL{F$T%TlI7{1Bh%IKIoDTtL!3L`d?sv5@9o1LQZPe ze>2;6EN_)r#K=~BhrT0Vmu;Mmaw!EppcFd>AZ8%lKt%T3m{2C*C9jE`TmHb~H6G5G zon*+9GoBUdm=i6rya04(+Adf)Rm#%zwiGgM7Xw(3#`jQy8LNJ;i1#9yebuwVqY2lW zl3!>5CbuWY`fC#gdQXOj#hO&l6OUS z`;Ys(%afs3oKMQ0-=oQ{4~{Eo3h6%+1r~1Q8>uTf0D3?{^*f3#7h|`vil3MU9wL%f zeVl%tlSCVhS5h!-1CE*kG=odzP=n|Wab7D zTOns*v+f3qeUp&Qf>=E*nteU7o3duJ8!Q_MOr9--3jQ%!2i!ri)L5`=q?jxOgNsGF z#4yX;4R#LJEqDQN6Di{!wo7bnP|mV?Dmy>}ViYsj5n-OW#GQy|+^vxBk0}^09@c2C zIRB_Hps}veVefS=Kji<*uudT7E)njXvw#MitV*3L~A zx2CZ6v`Or-)#FRoyFb<8VZZSdNVnd~vMW-4dkmE{0N#5O`#>3rT|f3gz#!x7x+6-k zA;!$U(=GOM(wUjtQdvE{gY|2Fz~FZT0v@51EkPAQMXf0DAkzX;Mv#|K{)S0I z$%*}gpUaXi4DSehEtUJaq$AU#_iMO+4~Go@=uzghGy#9*dFM?p#6mVa-WYNjB?nhG z&9N%Cy~5-lRE? zfkx{FyoA#DdB}C(WVT%I$PYChBWU5VyiYXI;ZV%e3L*<`>o-`X8n8^viCJH`&s>+mp3_6(omgdWJDMuof0p-;4J2;3f^6?X#MN4yVTeg}m-p zuTM1s7RmGiC8e>xe#0BqNe+-E#?nA57&P&Sba>PY5b`|0=DvBrDqsKn`45Hg*XRGj z3)*4WP07+&gm(gXMmuxw`vjqL$)N1S%<<9TXH z0r#cwZ@DDJk%D1@pcS3{0UvGuVyYQc4H=)Y2Fc#>yqJEd|Ck{O86#u_`1tom-j&OFZMXI@gH%lyYz0hn!PGx9_P+Yr#S-8 zLyP69U16RmIFs+a#$Qjj11kcanmrJ6eG_`yAfNLT*dY7cb1?Z{lwL8edX=_~as&%_ z_C7^1P7#kewLn~QytL9R01jsM5R753O_+P^$>A_VV)A=S}J!L}7%IDyr z)IujFc$qSAQ)+0vnLLd-C1yA?j;ri;e~CSRJ?CRrvf#2l7qOF<<~INJh6230somp6 z3}k201IMLLOhf!Qw`(x;i#29$yT?hfV=19BbTypj1NkYZcSC~)n532QO`J6g`0Ri^ z#aP$Pv>8w8R!QK>^Mwu>yj6hZ;ypZ!+~uNZ`SjFRZ0H4Kj>&MfR^0Wobdmq zkf}Wxt9Ly0+G>R-D##D+5oR~hOuCUwZ!s08%tSr?iw#kF_y8RfBXwn!b5*Hn)ws^8 zI}YSt08FhvUlPclmZS?=_C%JSB?S2?%Yc|{cn=%p>jyZH&6d}Xa{qOOkWD!BwYn-W z^8%t$)riC?n*XpBkAA#G&zw0K8KGAD!Z{E@B-cUd`_oP73w;r}BwLO03UGG>;xfIw zU>8+&PM%bZR5W0hY}}=6OMe0GT~x5m671g#2%F*c?>5vN>Anfdd`q;Y%%bGBM4e`q_tabF9%l3htoKgo(@M%RWk%~?3Doe-@ z^#{VEO?nB%vXo;8O+K76`*bEjlA_K&;Q5E?#e#OnpGsPJ9hJg~+EWCrKQO=Fzw_(c zfV9~l<@Ml|GTwPsv{=*E+}Mz}-|?T>71x_jO_s_~U6i^_j?e7gTk0SkIh1^npdCu@ zO}vc~nNO_K>hCA@#+(3i(}-zO@oe7*BS1N?mmR~?ZtC@H5`_RD3^L)VA9UU&%lZ_J zW`T#qy%sx@?`*RJq+gt&UC?AsD8UKPx(=F%ki(pLU0@8Ocm@oI+7T7oPdE|8N7-+7 zFO*>iE!sGI0N~PkNb)B40tTDJBJ+|R%?Dd{tDGyb8=}7P9|s!Im*5f`v|K20{0(M* zL#zupU#j(MGzyFjLMIhs#kKEX`~4|t+pMvigq}`%I|2mJ``bayfEuLDG4`+9$QI6D z51g&-zlM?rk=v2w{eBI)4*`NKCXYlA8sE&ZTCh-HA1wb%;A~%p9 zX=(efGZv`uug1K`LaXFK!TmFq8+frk-A>}sgqd#=kLpF{aZ}dE2wEL4KmqYb>bHwc zyjTCfd-0*<5qpg+o7wlFAoxVK)k4991L*UzcUPkXI-g?i_VKS{pfm>-&xjoHD%w1lLvC~C3<@;DHz2u z`s_)I?^-tl>XibjZx5&%^G&Z64MvbY=OZ!rL!%HAYQrgEzxes3hKa*gpgI6Hu*z@R za3fL&s9Fk-@?RvUv8mjxMKd1;Jv4Id;Q$u-!q$}OzaYJBnqqBd zoT>|f$=vGL^QX24R&)*5Wan@H=o@*hCfR2-(M@Z}Tv`oCo;RGbmH{*8A<&;8T9-*eyMBLLpIvoh3mS7aZ@|BRDngJ8LLCAs&mKs$sB4kGJ6tw*HB>B zpK6u&y86i~P}nq|;Q<@W8|~HoN{NLx9Kf^Q((Yq`6eeFuwuA? ztV?r$(`LNML;^s+O33?KH($%)Mp7ky>k+MVbtY>{0bN0#qKn}es4lFdFy?1~C# zd-t#F!L))tj zRYC86Xk2&V*-H!pAVMCacVBYaCC&Fl_d5V`abXmC8#Z(sz|ceXGF&2dThc+#%-&Y@ zr;8gdG(qK4wxw-{*(J_Ml_v?|3<;(D!kQb#-0sq@GN(&sp8>b})q4iq_iBD%(N$L@1Kl1^(ejucNhJf`l_8gQZKz_CThoJv zJG=c3;Jf8d2gKniLJk(&h2_zeP78bpfSP~Or~6@M+|>JOGtwyI3#=gf)KPYk7Cq;T z!^6u<>@i(oYpKpmGEhOTA*q!w{-yUe`%6B>6vhx)!-^;gsR*(6Wg>TQrsRVgy?Oomg%$})LD;!_&qho(WZNTS2Wtk1RI z?J$56eVXy=YSp)U9GkS_daj*mM#8{%){){;=%QkG%>f`>u8Just@v#)R)?EZU3Apl5n6TMkcRh zz7aBgiM~5f@eTLTb@zC@I@34f-Fh1Id8HUns>QPWLhbw9!CI|9>mJ{hx!0N=twGw` zJT;6SAX7&!&gZ<=%^tjE6u!tHBW0}6z&nAS%=7p-{drhMQNPoqhnWvNn{7_F4Lmuo zEP7Rr>;$Hwf6#Wax3H589lt#ExMH|EXBaR61NPBiv$5rRh*}B7N@tWRmk?VO3!R2$ty=68*k^??V$> zr_S_=XX*ALkPtoqH4wS=o_Eqi)~42ni=NtocxSDv8wJs0&w-&}bo%mx_glGO=$|)_ z1mlotaOe}y`@_5-?K;GFRYB!lS6o2}6WupHwC=_e_U6eg3F=p>qS5#4Ck;Z+4-Q?H zv2~{;?rJrE7N6Q(OW=RkPkrEH|8wA*#o2L7;I+#5?iknM-K8spm&eqq-ffd26DBX| z_sNfnq|6b~^_=u0pLusasCb?9drt0)$v zjng-D(mWH<<$Q_2{K(chGyw@p(XL$rB(lcI;x<0pyWrrn2C!O+kXWwT6Etgd_-Rpt zK*o$1K1~uiup1~;0x@>$)f;8t2>;_m--`rx*5W}n*0I!I^8+5G4m!j35meZ{cAfw` z+;xIIa-Xbz9T(-8MK1DoJyx|>@7LvgIBV2+yx-kr;5(-GZPlqbf-RNa ziV%6~ci_6OEZWC$aq?$SJ*oE%9l2c`aSQ)$qo_Hs5BB-p=19N712xI0hZ@jf0^8o6 z+(7q^I~fJ(h@VyRT%Fh*On+pFgD>bwKj2Gw-HPM&n)*$>YQg3$XsOC@OQoD~#GyO) zBL8kPMxpp5CkvTfsy2bP|Cu1g$d^5>Clw_py~+0dWRPveR)d;;;eg+)=nkkOk>!`h zANDLL=hla-kREf7%82mu2nryeJ+{JKBJm`mK}{Mfz9naCaU|QZe+FOH@yX47*XQ|6 zzoaB^jzaaZxhijGy~A86sJRB2VQ#MX!0h!iuJoyJo}!J*;e6#j2enk;zNYgl2$S;p zA4m6RM$~#s3$L(E-6&BX%xom!W21BeZ`biaqbUpL_a%~|=ww)S1SjgA6@J^3qApj5w{z{9VK%6ByB&FTIDB z&pfnEi%91=XjQlJdH(6sr$6Yq2pe3a?eXb6kkA}DtUPo)3nKD#*#3UYo((Iy;5+y)J)5*$WW$M_nB74rSGcU~!-&wB}13|0~v0W(U% zr}W-Di4lbqekD5K$N5$ojGE_@A4(}x-F^32Bzi}ijygtlGJAeU3&}%Im2;cS;iCI5 z(~9zy)ZKq+yy~XfA1FzJR;kT<(T@gY<16O&IF|RGHyC6Wonn)JLxgC1fCI|1f{2;vVls>(jl}vIR*vdx*Kk=Qfw}g6Opi% zIrO|!E@r4^t{zMb{}Ud1eJrvtiMR~;nB~eZc}+h9DVAEJx#mbVb!-{}GRFGK?UW*GetR1k?PI8w7@NBZvoK?TW8t z5zIL+ZJoo0t$)Q3vo^)sm%v4y7_;w$?ngw`n0zoZ<{Z_T3l6mtaspv5`%2(`hiQzN1(-)+#(>dO~rkMH; z&k!8Oe&r>r9P=W%NL9?MGAw=gm#UP>-Kp;i!%ca~O%GN)hVqh4^j0^@Z=2K=`TYKL zvKmvjMY_vYrh49jC-WJXK%5ZKkYf4IZseO{6&l1M`|&UR~!pjrb5Ksvq|SW{=iYn`}Kr|{Cy%p z$?_auJ<>YUSGwP@+R@tXWW#*qheq{Kmhw4Y@w-L{y2AJ3GB{19A2Wv}Ew{;pwC>S@ zQjh0KG}5DG<|91r*tk>umBe9V$N5on$^Rp%yLkd8%)r-9x6;(*g_**UWD!+ljR~U< zVeF^0?!dK2+{+IjA1iZ7ucvxvMFHAE<;&WT=ercBsUfa` z7YCiDzWu?>gL`0)M;uq`WXrCO1R7`-MEw0kNAI{hVO+nISAV4f5pHmQl;$+cGCM~v zLqE_GH4G8N36;&_3seov5~mgNQryj+$$oYA_RVqTG#tnv@jE|IGRUolTj!tb`@bgr zW^8LwDfi`Q=Y6irqR1{zs=LvnWD+C$pT!KQV2Jqt-K&4)vb}rKUyqzBRc5kgkN{zb zBY&EcECRyJ5|MeI8S#RuUmn}zmFA!_tfOCpr;z1t{~=GU^xcP zL>Z0fe|C1W41iND#ooxFw)UA*f98{I^`%CAu>Nz6zfOTHfg*NBY^ckBJsSt|_ruve zuszELd;(8`S?2wOVJ}g|CGs$1&h(v7r7AXFzEAE;jB&~Ql}d~+&)+c8Z7vEd>KSv{ zli3gEy|NY6`JiBXY<6mIRuL5awMvTStc6K^L&n2;z2}vo<#XjZce-C$S60=k=>az= zNcYE5`W}f`tSjUPDo4dB)t(CX9P-OAba6ef_)OLjDajY@mvj7c;9Vx;~kWQ}2A zo_wewwwrr>p!8)rm(LbkxZ^;LT^vUMuJ{r#U_ z+YpFi#jw4HLk7t!P#?)Uor5|OR1Q-gh6J*=WpF7No-C<`{Z^c-U^-gi7}X{VQL&yn z?yzoCw+2{(r5LS>ESQ#t@x%Qb-3*F^q!J?C zLk`^_Al)O<(lCH@NOv=IcMZ*u=jM5T=RME!p5IyLoWEEs)*2QU_r0&Zzx%sC`)T(W zL=Y@;JQ`hZFxi!J;gcr#ylN^3Je+g=Ssy<5)lv#HDsc5(9i*Yvl!=A)>X3n|bpzuu zU*3Dei2X(+>KvjO|#vp*A_( z8V~fJ6F?N@F<^o|5Y55X+q)!I`maZ)yN5*R|M=+q?UY_VMlR9+<0J@)fU#BgBX;vC zI15IdEoHW|7ahia(7haNj_-$QkLqZSZ9+ca$1|rgf`3qQ(MD0;lrX3;-ewLBflOCf zn7(mJnoh~c2>d){vv0h(qw@*g(fOu2q<5p$g<5>;oIf1ODMCMcTWXDB3Xa8##%4`} zC;EhxmMdc61bE@$-_<)zB?PnXEB^RO9WuoBiBkwO4U<)<_|!P#bff_pZzbb0$=V+9 zHtkuu$oGX#)$Gcz5m;mmIok5?jMT^gLIVe6@EaeJwC_8?L~XIv-GZZZog`F; z{shB8Q%@R$-D`9_zUp`M{}MfKj}sPuo*sT&rc}iwWWkaXb~+ZvSA*YD-G*4jvMv?}Qj{W_4g#m9OGFKXo2!AE#t1g0f`zU} zjqPI2OS+=>?aQ&TFrfgAcQ?#FaPckwn?=WvQD?ls&vx2LZx0WO+Sc@RW z?CxKww|)pF?g>+yy+ve6p)-E@gut;F%fJ^iHsh&<@^^U!b8g}47;G&Dx&}?D!G}Gr=MdU$Gq#RkmRmH9`#G^SRX?kN$O)vIrflNj6$9Gyn z9OrMxEp1l+Q6%0aW&d#op(1xuNSnt)$$S6!*(e#B8bDFo!=JoQpiDGF<1=g%Aep9` z=&Y#spv|eI)7a$_c>?bI%0M^_6qc4A%@koDEA_#b-yGwI)FMd9I zvDKwf(=d#PRDaR>tN2Z=2tUqlKEWtWXMD-~%VU<>+agxw(XX}@o`tcq9|f6Ho0^iE z^N-NPOPiwbPOJUw&`8xyy)iluGaxY?B;V8E?Zpl60|+ys^-Q}7D~jRnAunYL1kI?l z{Xp_Y62O#X+i=dV?8r?NrFt-iundj7G$4)UHfUw}ZVwn3abf!Lp0>Vv5wI zKRP|_ipY?2-c&@;{k=Y4+9T7$AcHNU*4y_Y4x<|Lqv73o;3iD%;W8R^=p-Rs2oQkQ z#wK>`CRd-1*jP&Wabr@as~#5O8!)B5r2%WX8a&{l=)!$Hbbh?q}i>-M$ zoW=Qg)r{E9qO%7xmGMO-IacUb9W$8w6oILG9@M>)UvM$qbu0PUj7rpuYWh6^w$MT$ zH_(-+P2y7<`w?*~1w0quu)Tq_Rg#nq!u$7I`0tA0-yWSz!t+96B=AC-^L*)rC-Rs$ zCm5HT43vE=H+kVYPu)V=mZS;5vI;&PeNlh^-XP0w_&pmZC%^t%WtykafBT%fClXh@ zX&!d!lx#~$z0geHqb>Qi^ADYPtJ2Sxg}x;+WR)1f$KCmqI`kFZA}e$T4u>?N!*1`g zp$_oko2H}pm%yPKY|4#bI)0_=^KXgo1e?vPrBj_tj*>uzv#O0*3EI{85XM!Ux0Ad1 zdhbdFKYUpIz;JaBlZ)cRdX|$Kp#}5A566Q+Q?F4u^xerwQm+^~H2q!H0K#}oO;-cS z-Q@_c9~mi-A)=gM$C%F&)4%8_N-reIPF{mhYSpCvb``!N#sG)IsRnv%hU+#d-n6}- zZxisD@GhD8ngXPOddqcIr4#@0NB?)y`kC4-=HU9 zzM3?D|F<+51l$v~LiSai9(|5DL)woa7m3BvqMI0eL^BiY&gC`$TUCH6P;CXVs8Sr{ zF-r^*f1skcA#^|}4CVm0*Si;HRIn{7U_GOVagcjAscQwe{`GBGP0&_mPhNzcWgdk= zY*%r<`1~k|>j|vvrzAS-FFQ2`N7;sr1P2Ed*IwSYjwyARV3A#p4h)}8X#pG` z!(lo86ng+h%4|Q}V*upr30HH!`VJNOoB|d2?4xw`xvVb%70S!WR?5d#^r?q^eq4Qb zaHz&%&tSH;_;bDMsl$?PXbG-fzB+rMTE6;tnQ_k>(|?3VNsKjLuYE86&QQ^_SF`9> zvs_L+2$GMI=ua7=kw#MG?$}&-9{?Hwc{-&*{NQ z3DiZzK!$PoD}r;1p7SRDiY;5w)Lmg1#H^7V7X5nF48}Lg`I)v6LE8c(PAj(#nU&%) z2k3w-C#Vn!5WSvzS*QU-uiSV_IHq!S)9?aN$$6}xyPcqa8cUnfXza=ld)D0OXE*sv z-;Aoh+en7;U1PARK4f?zCWm12v^2hu5qs5`QvJxXA+W=;jv^Sy$fZN>viM_J2G51k(HKH;*8@&IGEzsS}ue@~vf&yE==-Y&M(k*diZRbA{UHTa8 zPRgpb8LNEe?N9^VQuwOj0q}N9z?YGrzS{SqNU3Uo-gR*(CUT6u{9gN44)<7_9t0tu z30{umh}WGfecoRyjxQl7VX_*EKlIKIj)pqEH);!1PydDQf_s0;$CVezd~L9q%h{6Z zUd?*^FMJpL;s@V~Z=J052H}pH{wf^odEiR{m5wRyRlE49bN)j^#C-|uII4mANokBQ z>;d~v3Ebb`lWnr6{|Qv3EO(iWET_&6w7 zllyqmq?6_jVpH{)6-46P9=T((=GBn@|Il;@o)yMD!rX`WsLvTLArYt`Owq= zu}$|j6zh#R;nV{5_W*DV{sv2+D253RQE||-)Sc3163VD!gscO7Qq&-Fv(MnDZE z44g#kESAL$-SHO+6gxzy_XU-?zRY07CML^V5pV$fDi3NgCbQKE=5TY63VqHo<*m^g z=z}Q}CJR%}=@~Y~)2eK}hkFkVodT4{^l3EU*i?I%^~{J@v`itMtuO&nqN;65wLv&( zki$htoPf>B6!&fT5N4TC*PeGe6fNE87pQiHJ+(+F^H)RY|L@2L6L6dx8jPZuz?E{8 zAabGcz1mw!H)J!`P7aGGszsfc?Ld4TSJk8nI3(r<= zH`iLalznY#HA1tfblb-0mcV5g(3iqHOEcrVKLhcnYRQ_yA41Kw5#^Ko2o|N zEBL1#kX*_=`Hwo#A4p8z_(1Bg!hiU4KG+X>7Eb6+Bk4|m7`X++`_AxZViAO)1u|)N zv2tKNLH7}ksMAnAi0O;TcL93WZ#mxyA+uMKxrdh|^BUZHNL{zG7<98=uV$_?rE0*C z63^d>*jDFiz!wTCfA;4~oJZ^9QKyo6zntapeH%fs@bFFB^Ey&vN#n`gXbqLitrsq` zw!_PcCv8cYkKB$YNhbkj)yo%S9V9fx4aVySg%sB%5~Eee%1(#uuq1NR`77bCW3o-S z&)R`X@Egfp3IdPkfC%5+oj#jo3FJ3bF?fX$JNGaci`PyftK4KyAwNnGUbKZ8Ger{p>Uc zESy9I=m&K3$}|LX&er9{#>Jh7J1Id+EvyhY#iJv@KWuX6W4Xonj=*?9W^cE4W##ap zov2S`uo6sUno)?$x`r6(af32RUYtMp`0S7QaAxqyRz<_E=!RDb9Uwzz#p`t^35s#v zX;}ZW@d~^)UeVuJahzd7B)|}W`IGyLj;u<5fvu*(Usu+BB9d_RHIdZf62zeJ7L1|k zR@HC#5OHcGL*{Y^wlZqZ(L)Y9u9$e7ZbeUZnA9k(mj2-v=3IiSFcv*EZV~6&H3^;i zVKqd{Bqb!P7Q>0hC_=dT3>!V`k(;-&fD4}VCxB6ivQaBhm{yHDWr)&!euuVdc*h}X z#xt9Ckr68K(#;_F>enM~3d>xjcA6#K8f$nSXz4{Q{ElsPIT{OP19wm$$^C!}qdn~I z!dS~Ey`%&#?NL%R&W1O@U%dHiUK)yP=A&4U>?Ff>mb%H& z8Svt-+m1It-L}hI*IkY$L$Gd7B2$q$(Y_Y|o~$(0X^Lh#^WDmeOZThek%67^0Z|y% zwi4f-bssdxH-NDbAo$b+&ad%b#tPG)d{4~B>Ye6XCKzwdGfuW9d3L&0*i3joSXrEp zzX~(kY6q?7<7KCDH@0o-fmNic9?&93z^XfaRdZ#=@gLjAb)8b{%=lMOnme_h^w1-u ziM$2HKkXn0b^(5UDX-gc31AITmC?&czN@deXa_ZMoBBa4c&=e@RE`I^T}0r9SIFCh|7pbx_SoVnjSv3 zXcdW~q&UIZdyKnhRWN6eNfJ(p@I9q0hI ziMA9qtX;U2cx-=*w@l26Pm^iPeL8dY!n!iHaIQM~oAc6lEywjHnm`0DXM@q%EKl$F z{%pQ_gW0bc1hUYS+!SgEJK8KA)wrl~p54aHH@GTu+ft>2b$u{qdJ6foJCzk$xSk1r zs;&uAl{V;(VS)6!kY4<>%S-i`Vo`4yGG$q0t~}!WjTqN8v3voa2jx93kGKJthDY95 zyY*+%)4vah(VE?ND<;Zlu=e(GJA2g2b)O|x&D|95mQHw#H{MD^)-9`6#*8G=BH9{o z*Laa%pAhBJVJKf6ukKY9`q*y{^xcd zTf5y;vPs$bujlCBm%+<^>=FrEpfm+;OrO9!HO(f5$IW4{Q)qt6VI0Z|ep7bsZcR;E zHMNaL2C5J=V>V)Bt)eHxm9H2o689pK)wgkt&%Ku=lg+47r%sJZ-jP{;SHFx=kfCsw zFX^hxdL#ldqq}IKYd(3= z*r;Jqn7*ZD7Yi(OFwGK{vi|D_ow@+1RP_?^ zE9}|3F!q}x+76NbJ&E~opU&nmFK3!A0`#S7&Mx|7Z>;?O8GNm1?8{K> zg99cRVPjx>u%ljW;n+;5=KB{Ilx|mDB{o43{PV8Ud%x{}uL4_{Ryz>F3$+Wp2cEV2 zl?uKHOUs$_gUUb3wI5-4d?m@&H5}GopC7pwqiuZmOIZc963)vYP?X~D%+DHC8z-Qf3oECkg#iEEOmKY?xnH-Ta5QD z{&*w@2xrFldOE3OhqcD*dl+By&kpm=yQ^My%v*QHh@4&FLPm!=P~Xi)xCI%`?>F^% zHqOa;<||aFEE!-sybXe&Gx*&;&#5kT)NEg1M#=iAXO5yPTch1cIl?%t&Wx(4d8z$#!-y&ge39NR zXwS!d^_On{td&a6X;mCCcHhXn^>p@m(?KfkERT#{c>H~w?P&^=!%D3BoLV}5>DDr? z5RR#{Y|!v|)DPeCOdxPiYrsl0pcQvQ8`y$3&fyjyl3k?r2EF-+7y*c6k*DD2+7~j< z-&Gs9=iahvh#L7ee0}#vN(dR^g-3WOrO5RC_}*)kZbzbfQLlX{n+T5&z0^nc@Gfya)cvzB2fLYX0=G}QxAHQ5A&%Jd zW|;e9L)^J@=97}Coyqe3VX9BURDa1UMtAZGUG1mRTA+0GYU1j+9=bU~X7FA0Yg+=I zSUw-hf$6q@x(z{V>x?gA*jJaL5s1=`TNZ1yIiD-`5Ifn2+Lk59Vc?@?i=?g9nAMcQVCzyEXi$CaKuYkvouSW2WRinY25Q7T;l_iREanMvLF& z2vtORM)-MSq%tuw?le^d=5`?m_;>Yj*nkfF&f!$;fb?f37TKkpu&OT+ygMiSbMWn= z#vwhARo;2;U-7d}XC?lE&7m|4#!e+PeH{T;90UkiZhF`)&@4cg@>OUxk@u~omvYSIB0`=wPXoZ3Pfqjp5xNdT zZG1z)&U{Xl(fezf!9d8q{9evhSdzkCdmN?QYHsOWmImM1`Masw?NRIT`33 zt!3R5n0--74dQpQdfY-Du}*KlI~`1%>U9=Zf70*9hg#n}E!=0l8Y76_jTZ>+lTVt` znXibZKx*#NR_qM-Amo_Rj4pSCI;Y?ttou#&Q~5b%wu|tZ)E6+(H&0RNcJe-;LmQIB$vj5$sR- zt^iUZ76={#wmQokX9g3wvw{oWeyrqlz;^A&)nu28^1sy3)rz=l2m*5ZcP|YS6=@kF zZ_Lnpo---DZj}|xoCGph-`6$MSFa;Nsv%UJltG^3(@amFdI)PJ7M96h?kq)i1bDq| za$6bd*zKRT&XaCh)}%$_hF)-v!}F-l7CZc9zw{<73W^$JZk_X9mDOcc5JxBaYEyZ#9uh4#dWp5L{=(R>!Hw?H@^Pm#j+l zt&Yvr$3;iv^X+vr#UcqjqzFfEx_rB_&pk)_b;|a)YPH==isvm!yw+=t9@feE!7dIc zLgbYU1K&t#AIYnJnT8u+eRICd^iz%F%U_nyrmwbaXP?RR#Iail+{QwcTF$?NSwR&5 z*K3Fm@uO;1WarduZL?ZIEd7XUH|+Fgz4ndWmGbGkU{j$fS$$$z+L`E7K}Z3_I&*uJ zPnVgC4rU@*14ii)k1e{~Q{SDgI?{cn6}YXhFEeNdbHA9(@u;(0?}h&GSP40*CN1B7 z8e-jGIr^mtS+{T$_<%Q!h<8`|-A2l7A;=dOiqC}wc)TVDc8_Pe+PQV5lMW9WaB*r= z-agLX>~L!n-X6B(qGC(=FXcVxBA@)+2an*N-ZNDx%2-nbiN>j6v8rf;Dgka_!g70=PofdHrbYWK{G zHdCtYcPid-`aLj;9dk+v_3Bu6E6?t0;i^NyVFT`pmn_Eu;92+mXz}?6BiF32MTX?i zmfOEo#j5Ldsq1|9f1W>a3hKfto|}*=xy05y)@QAv; zinkGE->8)RaoVXs=@>D63NPA2luDfIsgYs`&v{>3mt{c#cRJs36s|>;u2UXn zY^O_pVdXCop~GMmMl{N6XV+H4v7JWL=`^zc;;tO4Hc5l4X?$de;j}>0Yk-Nixwjin zCXQ@stGn=LD&l8=lra-E{cu9Cd$-Ubpo08ug$ha-~ zlkW7E_m=_jjQXW?V)TB}rPI)Gb};);+2~Y-?p&PN>~P!}uqd{mG=zOw^n+%1V}_ld zWA!aNCU70gRmaA}ov%yTdotR=3pgE6o;*H~)_??D!vQO~-M*9}2tl41!M{49DnYI|uLvrEzcpHbAL`i5PdgaU06i zFsG+ag}CP)ImC$3ux2bz`tjg>;6ncs;I1_c8eG=5RLQn8sK^KnN%ezU3_CK%gDfLB zrt!5ea!*%@>$lz)9pq?a4E4Y)#-z219co?{j^H~NBowdlFWN+8+-bAlp4=%nnWP*L zAzGDtXjtUOZf*xz@A#I219yjeir@gOt)DcV?e^%OdkljiV3cC7!=7BX@5(2Xqx6MUU3C(NPp?9I7D68^q&8`0%QayXb!%`L;VC#NU4JD{P4w0P z(bRFcP7E%Yb*E`?+E0VriiECJgw1ks)U0qbeGDT=;Ip*@BrVG?CO0RXN0EF4|21|4 znHTx9^DDpj(=R;h-nBtl( zR%M$vy{EHo;KcQ?Bbo(W*U6{K;kh%-bh|65ReJfAFW%LJ9RpAoW0MpVzhUXS7Bq$l z4}j+x%}NZuI*_@{pVzpX8d5r1wuxMg(;g2OS|g~uUAX3k&};hbl|nduH+V%|PB)n> zD%3Ra7~6VfSj&F&91IoL-_$6jUf3faG`Q`RP78N<*=Fvixe=6!K<39Hv?xEVr#OA4 z##hO6Ia+JJNyvzJ1ll@mbPp!;7pB|LrlL)(t>Y*7SAh_t*giM4pYmy&$d*t-8xnd_S3!+5~}HZ8uEP3-ZU1R+P?JGu92q&fF=okqVo> z#sQjU;`FGtr>MptclWo%$ujo7gUCL`j-TIK;qCcG7=&Gz$(h?@PBoFGq?gs_D?#5O2U+p{6ue{u z+&Aby4Z}gKgc^Id>%NeaSP9EO?=e_2D*Up1093_}X<@?lva#-)>%pW;P(9H=;l%cyD)bA!Df^i!_RP^Eq*Hsc&5F@?94r?p{GM{TQKZeAwlLkDbK0Dk)^8GnB*EM zY9XgkB9W^w_{NA1cK!oOzZ>zI*3DpxxxH~mB(aq4TP`JE^%Q|Lpv-051$*Cf;_vtr zV(5S3xOJ&JjbeD54Z`im9+Fm?4l?I(M2E7AI5Z2BNs_*|{E->Hh4ZNbT#aqFc`8Q- zFSNywQcG*dhjuf-GeR?Lhe#`m?Ydt}4p{G9m9=-%+5ugj0ZNW^nrx1@XX(P7aw)MKd z)T61Z`3|b-7uI#gM|2BMU6s!1P8QGuo@KV)4XBYMTa!SDTmkL-8{M{Moz4dgVGcOjh;dnw34!S~Sltj}RHRf|PIy8ia137e>=c1I`RWMOH=hfLlBjrQM zF%%I}^U-x9-3{T^@$^>-;JC-o#GWARIx-(; z>unp#m?z-V(18T+){WqkxsfCRWB#p?x2W~J(<@v~|Ls&L{Aki7Ep2i&Hv!ezFLe1x z@YTyLamrRv`p7$}>CPiUceAe|8outQ*f{5W#6E2fYaTcJw)eS%MV2}>)j|4J5?;Mn zlWz%Zi0K~93zY=5hKa+7{Pl=C^#Un9GDVJh?Hd+U&9p5_T@YDEV-tD=M=2)yx{r~+ z!5+u!1ZTn%ac&;nF?n%Nm=`c$V{ppbg*7ie&HSb4?fWU036WhW(}#nw`QeV6R4N7D z?qK!a4)zp;YmZW6lyPX{QDc^gO*$}DROAL)@ngFds2d4K=h>t2-fcMZXt=ZrMZVlX zr27(^>)~}|lpRfvfJM?!Gwf?0Wh7>tB=AAK>usEsvz60=EVcFZ%fR)pU^-#7YIFSA zmA}+r9*5hvn~qBqjdIMo21Vs9+fWrP$62>9^XNXo@YFbZImAy z0Hgg>s)5i^*oZ|5l~|8S|4$OAp1m+RjLqC(-)c5hk?+e60%?fNCl-(^AR46t8b}As z%M0&&q3=5ZDFi{~zOlG?WW+viYjV`bk2i1$pf9^Lnpw@N!gegi*Y{#|1Hu?L%2TMthsyoZ~nrIr& z_Mexx5G0)MoqpS|>n*oJ@%02!Wse4UbqFEF8ihvZZ!Zu?A?qF-vH@Cbq!PXLGzW`{%mDp9y9EfH_%kzmLGza*1AezPYM3 zzHsX0*zgobRZJ}EplmngNBv1sJ|^0n-A%9gkL-4Pd-yj%!VJh1&-G%a7-3d0!O<*o(XtG@gT@bmu9-N9#rRX>oKxMW-N8gV z!zV_8qTP}znNSoX31!+NaS;?vHplgcmyJbQ@Rp|6Zv>?x!_!!b;fILGFK;o1y&~BN zHWm5g?P;)Aa8jh=CkRLLE{9TJ>fTmqTIDXPJFgkHC*n=)A zH9KJ4@|TyJPI{pnXP*8cp5wE9k8@LrU9BAr$sg~i7eXJ(1@_NI9T_^5X9mrfG7Py3D)1a zmT?OuA7#2mjVkJ=sE|5%3awxLIGVi_zgagOiBi^e^*c>1h_zjBZCW`OO?zSi1Sv2X zRB%y-$^Y*cEjy=zG$XWWlh6)aI~OckZkexk-0Ml{ z@fwkKQe|Hr%8e2)4vxn31<&KLAJBCJ3px-*e@%myiJa=aE;bh0E0Za6t*U7GJ;qfO zyB|Yzv5NcceIUXq?V)S;HS?_EWDX3PR#2^6tg_};9hQb_B4>Dm;`SAtSUhe_dwQ&F z)`M7=KUZdL?w3oe4zb^=oN~QXF*#g;*~MiTfrg5=t$*hweItJCdxNBlD9S#YrAJp6 z+O08JlBqN9E~>kj`qX&qjb-9684L#HVe`4|s39EtO+b3iLs`xI6O6N*^Y2(U8`f&l z!?x*MuD|j7hL>Jiy?oEqAOyBMf7jv1y;K8?%QKu8ZBDB8^86e$|5K-Pto!uTa+oZav zU-ok*T5)657L`Jn0b2K;Fp$vqfs|Wz5ntZ@LnyxSa_oR3l|xgc*X72UXX?>m#=6a^ zyYLP&Lp(LVxLz-tMtWdRFVK>73FE>?U4I_Cy1p5t^GPdfxaL;~ z(DN`poH8$FYEb>cTkD@F=c#wO=QNhImKxN+v2o-o228N63sbPHf%5ulKUFkOL@x4> zDE_9(R!UAQU8L zi5yWn8Is#szl#$F|M2>R0V(Jg3ddtxkBEV;M{PLuWOe67Dg`rc^P;}6qz0MQL+y75 zrn!GalG#UczymY(z4mgqN>z^>0qnrU+4EQ;eF#b|J>_g^N;VxPDjbm*;kuVSU9|aE z#*BhW!oBJQ}A6!?vG5bkW z(Bnp<+TBVedHJ5GHDh*RtHhW%xNLV)JUx3duR@%am0bL)7Q?lMb+W~bOZAGA_OYUs zfYJ0y+VZL5%~8B>R7bz?YnP>zj3`nLQ5G`j^n)%F0-YBvh((F$3F|j(E?X_c;?D$* zTUUa6Zc}DF=WO>3XN}eyW}`hs1nDi~UMh9>BrzDXD?~@d8Oxc59%hb?tgcdO#n7{N zD@1vtSAkQW>Fw6q{;8QN<^M;F-2$v%_jb3_8?hjyUZfac?C?P?$_2b;24Izl$GeFS z8#|`rIUnkha)g`-^>HYP$+KgBEmczfaik3(kV?|L&oOGJc0cXO3;<7Ty@Myx&ayro zjJEzBB3It^td8B_(58AJ@H>+_s1IE=$qtR2$KYS^MA@T(&YT{R7ZyQ73c0?Y8at)X zGw7bj3~vHMW`3{V;&>f5m3}UH{>sH7iwV;ijnwA{E)B)0&Kr*BrNcU39SD&L&suBF zSL7sW=#+XTKOerWq~IAy|0tM0F*F_FEU zbnRFxyog#iYUvIoj05G*B4GOr%bm|Q7ZJuMZuv6%cc%lTraq*wm56Oe%47zF=mJ6a z9tQmDa&2!PdXTJiq{{G5(Q^~d9|q;ql$U-|AxYQ}+KI6b;RK@Zxy}a-h9E*aDd+w8 z-p8jA(|b+y-eDMB#z2RfMs#acLp;^uJ+Z&2V#+g%kDvM&v?Tq6&*wJI>=QqXm<|D` z=X=KQFr#3%Q8h`rMT#^l5$?q}6W*Y6TjitIsQ8fqY~#=nFMe>~uP2^@n=ymMo*-ng z8KYK-5A}EUmsecMo$*n}J~t+?TY0n$a&hKUoe31t>Xxt9*>2UmexG>cVmtcUlgzvn*AUg)QGYfo3WtS`IsjAWz!ZVw=n_}v+_Ctp>kn>`>f2f* zlD)ZoJhZjNyt>hi8tjmLz(TRZ>K)eUSfGG5M+FvkNrOmo$j>t!J>26PP%y_|lklKmyBA{3^|9Uy@!ZtMsAJxLrMe1$&)U-rl>X zBPppsjI`OUh56gPk};!Q5VP^F8!hY*Y^H=^%zu6(9EjU2{Q3jdZI)62b?()3jqnw0+-~I>C?7=g8T`ZtGJ0lZF4w2N-H58mTk^hEoAm$4= z1+I2SolcdD8gFVcM{#Tzj2V=h^63|OIn6g+m=*X7!zisk$#^V136V|*{`5G~MEvXf zS2zjGNiS(+iFS7cI~~7O+|YVzpF!yA zEIThbqlwY!BqH**X_^VMjf3}TGb^6T*NOp3FM62Xor-#=D8sFewtxyNqrhvi1 zgxZ2Wi4EOpM(vjw*NRd}mw(oyZ6NqeZCm?6q@q-`QLThP_aI&mB1KJXnjWdkY8GWc z+J2ZAF*~8dxj78oH4Dw$3WU%p?9*qpEgw5ZiPUo2iAZvMZ{PqZ<2+_ZVV!45U!DH! zP*gpm63TgXT0_6^jT{x`R>T1Y0I*+~NN@aSLdWVEyL^zbP@22211IbkQ4d?;S;xKB z0WcQ}Q^J9MmY@mUiOk4ZZ)woAMSu}H%MMU{e}$SU=3`LTS-H1vZem7VwWw_ z!nAyFK&mrwp{*#W`sU_gbI4&0^}?pmvunSN@cA9;vaeEYIq8qM83wd`I-^Gyu~?}* z4{?gP%Sy1FfmG|s5m^pO6E<)15Gp!wZx@FMsRundf!DMRe| zOxRhJX@M6nJ+toP@MxEnk~UmEsZxv8RDEu$%a%PFqEIP6u9xmuX53*M)womPVmBt1 z%tX33$t2*keiCI5(c~0xTBzx2tF?-pxvI5{T6gEK<1ZHGb=f(Vi0(O^8@0Tk*Pwhw zUA>$z8|?}6c*||DfzvgKg{O#FP@z@kQH9@CR@f7*zT>dIQX5A}OuZaiW$`_x(kwB? z?dxQju)u=XH7;W(e^4-?5E0M;{

b2R@+<{@^Eq7cPXH*!_gbj?GUEh&el*ZGvlD zyfj9$Sey8_cG6YVyh1U+I3ABn(UOCjEq(m38gZ1P|H6bm{}(2-6TpPZ071o_?Qlu^ zJIVcsXB_HD8B%HYG;k?Njgd7$UC|`_xRlQXZQBN;12v?R-aZ#vN;)^ui&@Oi+Re(L z1O>5JzxpXg#HPeVwPLzhD}M5+bThs3er=F1#~ zNJWtI)TT-Ith*t5O?F4`fe1?WucRfo=yQ=SjFpv@w25R4-zz4t;evd< z&_4D(bc*`gTx@5Z^0e)<)SO0UP0h?=CYY;hwoYhAbrDYO?dL{jZ09y%x`*|QQ$v`K zbt=E^ILb9CP}%37&bge`dvW2mo3b41DNZodQ!nB2`B%Q{)mi-5PTn2pCk`t!wsplM zJtFUJXM=6)JreMSqj=?9K-*O9z=-tV^_ zPMx>@4Sf+hwSP}OP(Ho*Un0}WoVYP0AgDsQ!+LN?vw|gw9qh^Bvdr|#C~Y8#J#Hf3<%g6KY{23h6RD}RsPeID9r6D5>5$TI{LMtr{*)Oe>PrL~J= z)B)fXP+<{Q>ON1FG*;;kG3r6U-_v--P3JNR=G82exZJ`J7QLu24ULlfg;DeQ~AoTYb^S+)HiQjj>BlWM&eTwbevkeyBKw+8AXJOqh78z z#D7&wqnQVy@%Bu0#@U&%Xu#7{j!Sn{Y6;6YVTZ072Hb?ghE#EZP7I zEYA>4VYYM4%%`F8QlP#?TD(A9{AadFXa3>BGn~T@%ZR{_`pJw}aBO;7IWr!)9Snci z`xQoEjBSkfepF0QM$7jdh=L~w{tYusnVJZluql${?L8$eFNu;29WG;?R}Xf6e+?P3 z_pU~Sj6{3kWOVtYb!AYaQ4%W><1bN|8Za`7wF-SlCiG@j;8GH&4(74$E!mn7=!!TL zKb(0Ji5x#}`X)(@cR%9ZbVXxeGwvc~gwkCYJP86k%% zFQ>tMd>mZr$RtEMhel^bZeJwO@%&shQsjmih3_XQD;s&ZS93X+sTxli93Jt4@5)Ni zw+KxiHKf(^Xd9c95;)RwFrFwT06imyU>On_#oRVKi@m2>As}HPyM&&J zz5*Y;yn0s&yqr4afN;>GLrP)|pC;^3A1b~J29U79A-B!cdiW20pb<{^nv-QJv~dZ_`*w%x8P3Rsfl4?)B#z3;8htqCFZv*xH=iX)Zj7bBrpxS*jQ=9PqelDC35~%Y)raKO`Lw?pYQ(YPo;MN z6m-Jw{SRH3*;q-gP^!HqDFDM1bysp6y(Xt!$Z|YVSie+EghgmpZV-Ll0HRGv!|9ZH zs{4enMAI_!)E93r4N6Ee+d;VL+s^aT>Dj7HN!wcRV#{C%^ zt;2xmqdnp4PNOQk33x3#3D6d<1EB>M*6@7NVx!Z_>m7ky%iBx9W5XdGzrmW{vE-}*yKn%{x1Y8 z5gT6oLtS%%%%?eW&KnDcL@@!$4{~t#Nbb*(05wK6Gh5*>fM9)z|1pUtfRboH5rSyp zicYKR{(zObBmA*X-EoN1E}dsH{FnWvrtfE)4PH$_Fxgw|N3rQl-zb|_eP2@(t11_S z`lP)kjlq>Ez|9L))N2*mOrTDBM!Q5LQAhV`C@4{dc7Y3L$ef#-hGtppH?iA?Rv`mM zCnf?4;R3x_MsQ7XV3FEqya<|QB71bA@spA`EGuBE5hi zfUj5QBY#5VjqBQc3tFe{*$n@{Tj%>Q0sAlghLNwv`=3VUtuf`mY$4Rsp9#na?wWaD z&+g>lrQ%%FWfeTJFq8>Be7BFO+6rK$m1+?FGVLQB7KY-;N`pXymtB;W2fjT^a{I z`03MFLw_61pcNh}sgN#I81gd47Ia?hX_Cb5aPUU8G%gq@CPG}KpSUXBVQ=mega`G; z9dZ0-ju~UPzmHhHjhR)XMH{GI*N_pRH*$hPUUE}*?=}x4MKzM7cWi+V$?o-=oi}qg33NhL(j2KSdE(0s-|r`J#}ht?&HQfmf8%P_o7 zn8kF6mgUHqjH%^hYm{%Y0z6^Vqozf_j3cB2`WGO@_%>6#hTuC(tD}d@yDJ%8n z$_mn{o)(8w3`~r$c^A1uvd`zna&4*cj4`6-iZ=MEMSPW z_|m~Ev7E(`0iB`XOuUAg-}psS1nRbdyNp`g_#wBmO<&qA^8_P+veF_t|q6~lFBh8PRfT~k@jR|I*s zF~wz?It3O>{Rn4dJmsgGwDabm6qI+Qvi{(|7?nIxxwfYJ z>8<^{`Tp)UHC^MSo8n_KGhjs5az8MI%%CN3r;@}|@L`XGBc#Pvew*=4%%t$0aSWii zm_9sFOLWU4<*x}j!&ZQd01ESvoIay88j^(9dfss7T3V@FW(1}SJ z$}=<}1Vc}3etisI^;bGe4e2$8>5>SSqJjaLGrPDgtjSq8q&cpw zXj!*Vh{SP1fboszB&+npYw)Pzw0b3;7EwIp@tF$G`1r*wA9L8@5u1WfG{C1sy zZ$8}rgiL@5Jl**qdK$U(m713~nf2B-J=CJiv8(!PyiwevWM_8wr{lwhu7248%sl7! z-l=_9cr-wr}mH2z61Ak;nS6mcJbaBN853q)V}zf)oMfV>2^TIiR92w+-oDJcwasKQ zNXIC!=oAScnmb0K+3uxZC(=TQ*2X%fi#In_KG8GW>j{sKGGpA@u?7Kb2fUML(qz=J z#3McFOH;-3NGS5XO%J1$Vr~7DidI#(Fc-JavwfeCG4S!tuc@gK`Hj`lsO2iI%?H!h zXISbiDCU++>Xfz*Uxr}^t}tyAHI^;dZ9=?t{$xJDrmt?E1_2amln$Y_T$qlb>5X#mQn><#WH@{?1p8C=-&GbRR(`!m-8m5xv97acJiSNQ5g&UXZx; zWjiwXjbh{`XC*fgk7f1lA z%0F2_2%_hR-;sf1ipWnHvajF6+G_wSfDr}_|4cdI$k5%m%p4+@xWAa?uX}%X%QEm z=CGo5*O9@*duHNBh!PuFp1M{y>%2bR_#icGc@_X__%i^=F?*j7)(oF zjhF8BZG$by76O+f*IMpT^*GYGxX@a3CYr_2Rk!GuEe`&M^o7JC4U6gy=n8<2ql*%b z9B}a~C;rWTHFHSWv2aOJ%XG?d`O@x~MZPKKZs#u&qIRvk~?yXgS8WBRf@;oAAgsInIX1pZ%nu<2kZs^xe#DM+<*I- zT(^`}_5SQlY2%hnzcX^um9DGiT<$6F0^IEfuPWL!bKIU1xp#Xv>AL8rB?QJG^|fog z+Kh<(Ed;{B;WHfgcjCri;fBtQKT7+aMQ`3#cM=vz&_6z68%-*kh$!Hl`Tleq)^1}B zbgY#U7Zb+hkGvFby7u|4S8pCIHt+k(bdTq~u8Q5vW|Bj`+$de`I+>zSbl*h)0Qzh9 zs+NwWo!9dpKl?D%&e#EAblR5ne4KkfVR+<=fo<~2D`CLnen}?msz=I;44^T1?ZVZ` zq;ng^Icmw|NN1Ns((XEAADRxZm~K7k4?b!B9aw$<6zMO}=K%_jXzjLMBED8Tbtnf* z#@V7hmbzxP9sA~0W)2g(tEI_az;xOL6&p;#z;GhSe60~CM55!dmPdf+-23t-+D`iV zb{m->W3dIM^?O{CWhjh8=K8&@;iaVa?c$5FP60_SMO=u)`OT=G))UUd1^7Y-&x4v{ zf@>95y=$JdZB1ik?xbY-eDb2FVRJag+KSB7Uf=MiB?Xkx>gat{5Xa1#zRVLS2qnzaGwcv;t+47`-ktS8mQ>yn0ONLFV@086S zJb$@v*`GctC42B;lf3LQ>aKjO?obeHil(N2w~UY`aGe_gNYVUbxWo`s|Dv05P#aUq zufmAq;qP&%_|8)Nji9@FV;!aA)`|zX_U@n1X06=qLRI44K(q~U;me+DyFFhYA4YTzgv>BhBxL8t$Fp&c+hS_0_dqA)wUq_96+yZ+WAY3Zk{5)c-E zew7ulqNR9ET;=z-w#NKtlMJXAMKb#rUi*(f=B!?8G@E@ABI|ZG&yLd6|A&ZS> zb%EKwmL7e8!z-G>MkL$C~_7D z_Q$vY@}dHhpHt;U@5cgM4U}U)!kc_JQb|?--4K`+@&YM^MU7>IRz~&uk9F@V$gXVZ zRa6q7kltP<=2Q;y4fe%<8{BOjuO(4=8)?NIO|4{o@2UIb-M79|xLir`;7Z*SDXeeh z>Uolmrl#h@Y+qx=24CvaSM;2J=3ej({Cbn3@`2SO8nK6@f#ZWJk?!W!X1=#KXgXrt zjbtU4(1$Xv=J<~X9o09c#g;!hjw=~cQ!k%8{h{J+*>97q7I2cA18ntINV3ZuyTDNz z$LtNZYdm@jc*!GSffb@gwaG|vm42xD-@NuS0aIJacxkRcd+h+glxXX9hP7BJgVVK zQE2l1TJSo8tiIpSY^p!GbC*Bm9sLw~di+Orsei500{FP96vX5=;nbK6J`;rGIL^}b zT+g!a)Y7?8_a64KzZ5i?N6X~|UmrZyShbTF{*YiRkmBIs%oxXJ^N9{ppe&z-Q#;_u zHv|T+IB(%sq^~kudh|Q{%2RJHa*y&X3UTNe?SdV+Wxu6h7gk`}tRz?Qt&*YsB1=$L zSD4loc|mMgyFr@4MqPU0J2t)zBEG{dfL`BH^h>aEoq~fSsJB0N5((tIwD3^)R59{* zP8@3Dn-SwguEFh>6XrGIHMhFR9hRz=6)%sn7}bNNH_$ohOHIo-E_tC=J?SB*JNxnS zb43=7!!@{{*aP1LT4JPl4qioVP;D>=fh+o9(xxUy_)cPN5vXX8buT&{A@~-< zmREIS$N&kUTs_8cU`K=emhH&`>Y3CZe!n|A1vI0hD``9iYN|P6;+Nym=9{u}zd>+J zxdB&-# zS*ns6#C0zYmzFx*@g(B;5p0Hu@xV-CYV()tO#~=>Af@i>y{Ht$`ihN#ebnahb#;lA zDD0;7Zi0;zZ&1Z%)>Dxs*o-Qe7qPXsEiP1kF9*EAA-|qWmQ(m4&p`FLmpXI9_BnhXHSjcTUYusg4oEsLtKO$u6flY-K zz1>Z0HtY#@INy=GL4kJCvs>>hdl8jEfWBYT4cc!ap3muA@>(EcH^U;l0~iXo^(+u_ zLI+)YRyC)*le-0!*Rv?@+Kdx zNR(qaZ&VNbiJiKb7|@NNpW7$ag5n?2`mP~HU2B-++abZ30@Dm4zYz(!c_?=eR_ti| zX5=@Rf90;uaHC$z0c<`pHwSTST|RRTmvW5TXvt8~d28W-tFShkuM6M|HkIG$E#Dxm zLTkz!Kr-kZeo&U&F+PMhVupSz@FQPScdH#lv`8udkK2rAlyioyRS)Osb zTodJ#bGs1Tr)powrN|TK(b%P-Lhrd4rhR^Yv(^`0={K8~YPJ@Fo#fo{-}gzxr5ln? z&^Q@+D(X-t3eK9I@@=82<}{>CqIhPd<3sn=npVxvTem5Uz>|U45S;t4RR)s{0~@MZ zJ6GP>#9B1{Zma8R!v`E=b_!Vb^+dtDnN%{Yf^YGLC4BZnkjgIu>7l9jX&qxa3;_w- zip=tYOiMO-lH1aAc6;)y8Hl6bx+DEe@SpChIV6duyLoHe@Pq8|ctK}J=hcvIE$9-6 z&WNjDeDphhn+w=z%zPTyLI*5)WxhzgHPyb2Y4mX)I&c8GV5IpRSlM}ZVeuyB*I~ts zKB07ap?&FYFnV0{yq|nUTx%GYh&%2L9YTemm!<<_QM~l_9vcoYd0!(G6i=qGW+PLq zvX#vTe>Jhh_1+5CtA3M%0;|D36=H@Czi=OAeNdz|XnQT$b|zcT{1X3XkO#S-;F|H+ z87Ys)mG`endk!{$p^cX_LbxGLPva8G@h17hPXzMhv|V-xzImZqw!~KuVxX4%fbzV~ zVr_s-a3kHpK6^htp@&k2zJS^1+>=^L^ttNyw&T^Z16yQeF(H#I7ML z1D?+F4ZhJKa_-}s?qM`{D~+orI81*sEJndk=LNBa7pXm538UbKNE0BS$~T0GcA>oF zaO$8tkUFMSzged{Gc}XXmFM}7r_U$@f z78z-Vf9BotGX6L)r*(^pc;@$h<@D;CC#L6AL^6Xj7$0tUq&w2G%J@bp5?O>3p})lD zXq061B3ARIKCX85D-(}A(o|`cuZCMpUT-T8`?8XbaPs;mojr~zN0kjKCXe?@DlW~v*+X1|za7^7fHd>PV zJ9nZ#9$qLVFO6EBx=7StBomXt5^a#wnJF5wwU1kiN5<>j%ocJD5LxYfGPH!L8{JLA z_2J>+QwPoMew22wL}Z>^IVuUqOhV zTo8?$+F{w!b&NtS)Y9@optD*v@y5rY^bwOWQo-sjC^(42ra)c8A~(kFo~|c8O1IEW zMJDc8_Cq(5DPF~Ob!jSr%+VL|y|PiYa<-K$ZLXqY;WS^4yB+S{JVh<-yrN`q{JP*sz5ucjvp1)Xm@VCz1xbT-WkAxw|(Z>`zvXR zMar5Pxj|~AHp^+cK>-jU`b?2ks%cA}9wr-n>4OAi)lf&aj~c1eaMf`BuH&@EP{eB~ z7>?TrT+2p&ZLwl3Orc~v&udIE*;1pl(Q}fF-mkclAk|fa+6J1axT_W3I%piWM|xY{ zJjDx}G3Sk#IJPvlp9>O5#c?6+Fe~CXtq%Az30NEY$r)go1X&O z*FCKj6yhkxNx{1=qA=c|`0;?tN}HIYJYO!K0nnS^!;Tm&ad zNH&4lQ&90X!4(&z=SrnF!axu=OBqo+`#Y^whQGjy($QYon6ar@7zzF<)LM_?!=qXff-X$zlGy-V+qUpH!~A7Q`PjOOlTz ztd^)dE(9R0>fT_FV~0`oRCNL5Ld(}fJ^F`Gq#az%iFUBdY~jpt$WajgIj+ahBo>YW zvx|*im9eY4(15LsU^?!%FLYQ1>2j3Lp7;DvJ;bg#FXEF|eM#F_!H^|#{8@{Np&rCt zGo^Ycn=UYT&NshFiSwKsPng{Q7_+iUtEDn8e`< z7?EvMQ8wWM3bFHAM=P{Cm;H8tu2mfy?r4B9bri3!1<+{%Eys!Jn)JQ|bF3(E>T>pcxF!9Now$%jiVC1G-#86y{JEk?hK0jB(?}?%1Z$NpPQKb5s%AfL{E3dkg<;~YV)M-d6BMZ;cj0kH z{IVXSPE(GY3%PxJI)k)akj6{ru^1%zK%HWeU(x_bitk=fKCgxLTv#d%1E7mDwG4TS z7YC8we?wmMXPa}asmk)0=+-u{Ws%+}SApK40Co-~-cIT}hD?Ed6Z~vcKobMabR7n*0HkxbxG=v_tMP zNOel3F$>>b_p2}~`f^gt@O*hG$j#;Z@ zj&c1llyIMWau*vTKon|qp1W~^4Dqe5D={om_^ZV>lKS}Q!k_ClDh;cF8?c|mUwo5y zv4)qoBbWDTO}A%#+r6$JQs9U?9jvlyaiS2&cvRWU^(omf?--pZfhlfa;PeT3Sy?`4 zN!D)8YE%BN2j?{JJ$?F?Zbh`Oi_4{IV8H-=Dofrcw^#f%G}2t@kF(p&O1{XWd0`D^ zJf$6e$<-euF4||l%|Y@4ODkLbQF!4H&=U?qmRIZw_-I5+IwraXFA{S^uy4yU3KURU z(uP~9Ko;u}BaeEcuP(fBoHzY>Xbe5A&3VZwtpmxd4i@)IMsQEEu~@BL{IWWgLI zhNEp?P0qfZ#h&p6F3M zkUsoRa*03M+V&)uybON`K57#0i$LiV{E2*Pi$c5+=j5y0s^WpC7W#l9DJiLUauQ?C z)t4c15=Ob^luA;k?Ya`F<}!JwSZel(-P`^em$%|Qw$EwEQGqsP2>iG5s&3h-Eii8J zKzPR^zAR4Wy=xurROg)HJlMR)n+{I6rjhYHNSIhT${%uVNnPieT*gzdN#Q)C2_G?=X;gx{SP=lUtfmbyBg0u-PtA#qGIQ^eJVVC#a`ptfuT0A zLjx8Vkp$LRh?n(~Fn`P^i=Sz)O(*B}zDz0E9np)t&>K%$&gadZs`0!{bwrJ6_{0TS z&^Xi_#1?6D%+w{jnJ>J(VWc~45N!2T1C4Lh9s-%_xT)cyqwfb?QZ~&Ulo0#g&wBlA z@TF9i>T^fnXfMH;!bw6V52BPNG? zY?3`Wa-NM58joeE-MZWDeyQ5$183C}OC9Sy96Q|k`j6NB9~bqH`sGiU^he5*I*k;F zNPhn-V~*_D-N^-v`&#|%tTnDUs$t*f<)7a8%D zRS~f<;CuragncMLRNPQYjzG&MC&!dkMMw-!^fRhPcn?RHH7)YDZe*_>Gb1YDE_asK zL)4#o{WQ(K50_2qeMP@j9@&)hUU2TzNf*}SRbYi2Z0oju$iGnBAHN>00!7VBIVYBcu;77iGXkwSaGZK4P-;BRv%+#o!!dTD`&3i?>A(ar=i79BwHSkEPK zi(}RphNy-6+RJhU*pvS~aBR#EPhQQ%&IBeVh?70~IM$T3>E#fR^(lEV8Me<+ zR#1L*@QRvBp=$c;VsS#_>H`Dm((w(mGpOV+-9&J$LB8?JP!^FJ*FZ*w)h?yCXxvPj z!omvXnw~g94R&_Knh%je!K(;YjoL=w^V{0GPa(1-6s2gIe;qOPtw!FLR9uc%W}>FqOh zw_DXc;9vVW<=vi)&8Z6QF6+eruN62LCh_>Y4yXC()^NNYZ;Y5%^jfxx3|fHNZ}#yD zdp2aT5#ni1QqUElAM6PYm%yh*f(q7pi_!%~+oiHNlQX}~JlRwJtVs3J&#KUxliv9{ z`B|?|oFuasg@Jv;y|)^jB+|;OGm(Z37Yxm3TNK$-$FMZgVu2dR!OhB0>)^roWQN_g z3{rf-Tm}jIq+q0-6kOl+0&MD7ts-~Y&b;dya0IMZPBU(??)<8-`SU#fj-3C9DJ5A7 z-X!m`w<;FDVcVVd(>_#9X8;SPfut-S!Qq5?aa$=BH-cW_oQX9Qind=Rm{i5o$mmB# z4gVfsPg1Qknejc_+TAWNyC4Y7VS7Vl9Si51cMj!Xyeo4N^@Eo)ZkSQ$2p_+{I#HA+ zVwx}}jbCvij_KLjf0j$}9*%HrxjwzXyN9Q7BkKRg@E!BJ+tptb54IC{vtqES5XJhnOqtuP3J7)&b-aU8n=lzb2eUs`w4(eY&U5L*N z-`(fwD;gpW3O@M2lC-05s;CKpE?m(I*AoU-1Uy1sCf?)C&e0?FA;k#8ZNi&F$k>9tqYSTZ}L1rc5HwBVi~bi3<_ruYxX zpu#wYC)w>Lyp&E@ue^ zV3$TZ#BS04Hb+rf4$pLnvW4r=v>DjlH7ASizEPJ-?dlwGFrqTHNZb|l;T}RY(W_~t zVCEd#m1+;mzoXx$*XQBotxFw|lL@9?m*nmT-HB-rzR*Y|Afb53wb-+}9q=8Mf@5r^ zPG&g6kt!y<6+0rx$%PG(iD|#BPK?FrY`j8-%QUnL09i;jHBQ2R9}=vnjP}sr7!9(R z_5(qQ_XLgPIszAuCNw+=`gSo>=R2<$=`nl@J@fS4vx>p%UVSuIc5{DN4AJ+0u6~$y zu9kP+>>Y}L9PBMxuY3oIz zN2C#xN zVVAVIWqVfDv&5aM^dX6ZHOE=VG2yPTJN_-gndR@_+IWEbQ_AN{or>LUr%$7f6%FK< zsPBvbi(94{gr_;9rKmlZab{1y4;$IP|Ew#r6##3BIIgi0#5Dfj6`MkV`P!kYOp$|=YfM?0nNZi%t z?~D2O|NCzO^c_%wM)0ee4CRjECi$jcI}d{J>6(|PBVIIjW?}gHOBPe_PSK1{4zX+8 zPz%2JKv!H!-(VK<03tqQ;5xC>9>~{8SnS8eb9XIZew5s8n%CI8J}o9tm&dQ-wm#SN z_+TUmw;zGoU++YOrX1tP_M3A9A`^$NBvqd&`xRSs13Un2Ykn=tKZ+99L%cr)Aq49H zyBI9{lVeaR>sw4Q|AY`%DGtH>wsJS=WTl&Zed@Ql&*Kv*g&4@(og*^>-~7N0tm+IR zXWlfWGvl)IxtCdjm6hcvIgT#xm>u3%64Ojc#L^{URgo88sxLf3ks6}OA|?!tQ7*H+ zIbX2%+SAcl*&Z5qcd%UJ`H!hswYMIAVtpmV8X11>NAqhc&AByax7i&hNsRaP!Z#L8 z>1Yy99n;sKn7c92nd#UZF5)+fpX3helC2+dL>zYwWdf|AKLnd|4bz5#VFO?zR}_Wt z_vZZMcMIjDg7AeYQKo6+8)!|XZUAhHa#8?F-K3af^B?urf6syRz;SWHO(^h35bJlL{Ly)lf?}lZ|1o~C$;+HZN-$lG! z2qpF}<=~q~z*_k5U0i`1E@F8_{XPWaUyAyuGi1K8=tVJUnUTmq#p!08ThujHYz+`x z|Gr|inTpp_yj|aOl9Jg&9BM(A<)0;{Y7UmGFE=OvUZ-5<{%$HsXP~%**dWC#R3Med z;tO@k(9W&+@5%wSraS_kLmjmCNtxaHgsWg7t3sw@Ric<_fBf%=`&2H2^BuVbIdWnH zG51~?!5DUS%3eL<6%-VG#u@*{yyuRhue$N_DZCatW}jY%Q=h6?DBsC#!AzTTp%wx^ zm5a^7kjz1BB9FXiT!`7AL1j<^d4w065J$pCdg*z3++3XlLEt{dOT&otB|DDJT+YEH zwi8Sn7T^tR;&Sc$UGR_F`5!3a&mT@vvVQa~d)GVbwm%avm&SGY9=3^Z2P6J~=NWK~E z4sJpdx3_JfkjW9CQ`}Kw?Rc@Qp*2NLY^YOUBaA~jJ$vpy3g9vNryJee?u(<6ix(3) zF!YAs9RediT$sQAScZ>t_v})jEDxs!3y96Vq3AL(?>uV{^!09SWiA-~p|Z^{g;ZP9 z!3}S%0wz&@<)QKXMv{Sw$oE2nuM(|;8zEl%&%T4~Z?5AFX7oPlNEp*A$A8mXNabdI zq6^Ij(S2vg1%x^oCY3l4W4bhbSq3xYW7LFMxLe?{Hp*G)?1`am;H@>?TLqC zz%|7#2w z_NaF5k?iis@A3_u;U){PyyRjh{HDuq+bRiikDqB$RwVD#LpE9BhpPEsjk6ywn9lgR z3-5J}<1L-t4|2rqz{0T(i{@I6Ql-Tu%AQoHB#uZhhApO{0;qQ`@ea?uhqYCL47!Pa$k!+PYYP0qnwNG)X6Wkl9&Ir$Q74gcbxgqin*C?G zX)#Q;ZyRroA9Ok#kna9d=1 z1~HATG;=GT@$Gd*x_LPrLcwz$$^WZ1Uj@eyLp_n$_n!dae zbL@16zS$+GKp3u{C6)!o-O_c3>t}S$q_Ss{2BEh|NnW_Q7`M z_;=>`H^}|o%E%O9x@ZSSZ+R)1jI;0jlHV=Z2QL5BddK4QQ)IRkJ>UZ16K+ld zjB-`1_tQ`{Em_$+9r%|r7-~;~c8x$;@^S!I>f{dUJbWfoPL4Et(-Hji@Wzel)5u0@ zQK6Ib*(h;b`YW^l`+WZ6Ol(iiq&Ygi##ljyw4ByEP;vc6u}gErlMCBQx)8#A)eYMx zgx$sC?S*_v*X|UykiO%f=A}lM5laH<>v|hdIKi{t+1P}A87k$Q0x)~EY>Kz|gByT( zhiNl7P$hCGtQ2l;rfUlqj_xUK4Jz&|UMGOo^sEDVA7H ziX|ep!u78d@IOQ5E;c9|30XAt42D)%!yV=|0GT<*qmeZd=x%kQ`% zQAIW(Uw}*oj@Yckm+ELZP7ciumdLt~-#MNdjx59AX*@0%NSV9=L!Y;1ET|>RSOShG z#I=9ioJ{(s6q5=SP{&u7g5q;HR`D>fbgG@ye#cmA7k|>B2x=!^)C?@(-fZNW3zGTnoWT7wQ zS6U&wobn&^;I~qQt`|80`+u=9&=u@<76!k}^M#m+G^#AbSQ(ox8_Jxv^EgWHee(aN z<^R`O=uZZSKrPC18W{o%v^WA%UUHx?JR~j6_01#bjuwe zw$)}0T_ZL;s<@X|FqRq-Yxuz;^!?I`TVrEmIdD}~)h00kNtBq#u9A+Oj>CGy?-=*^ z2)E%x*LshL(6X;tyw`S07yI!y8V9m8ln#eKpZ>>h_RvnwM?zi|cYe&%v4iU&rO;<; z^V}KQIyIAgQ8o(Hyvs0}J- zj8){q-lkoH4mJyM2+v1NYix#GtnR93J<@_7YHFo&wv!4kx(g++IczH!Kz4$bjf0^<+u$H*Gqgx->V4107qPu#hP*C2Jqyyh= zLuE|-$nFzvS63%%azRF889MhPAhHa+9N^mVo5wguz5kyKPuR2CxpN@!FTW4NlVyBk z5g&&8hNDrzox_c#i#Ec^x>S}zsP}f4mpp(^UQK+9{!%QyAZX^O151f|yW{N7=&B`{31@JDJFPHG` zGk989NHKEin_-7&P!v^^^cmSRb?Th{R*#Gs4Mbw1)vnK=E@Vm! zT7VK}+b}&@LYUlWFhGZ<0L%UapNPd42s>SJk`jQz74nr@G7>xXeZ?im9G`D)Y+yc2 z-7Ne!TU|!V8&9O-3Wg%!rewmVYXe~1%#zR<%L({dKS7)9CFM+2=At?fFGyOX;}sAh zWPB4XkUozfyVseE%tjvFrzjzzqn8WoasbN352&{%1QT57~c!kQV^Z(nGruo^`{+a$=2 zI-j>IE4Q^uUMHz^K|2NJOPW&i(sg@AqfqHKtpZa&wPX+T4o}S z+WJGqpa3>-;w3F#jR*QzOMNj(Y90=f2Yv6Y80#^{9K#Nv)2og(Ri7ngJf05vP-%e6 z-b~KA?ITDLqPxt{ne9g><#1c+Fk5*iH;%!Nk+tB!=4ueWOv%-GIhf$LS9g{JI;UB8^Eq1-D(s^fwcwkgb=Jj^cXnHCAm zEH5PYey7T0d&%zh-b+cg{+I5f@OS_9W%60L-qS)U!vUQn6NNztANSUXF4*j2ozPC@ z!IE9)#m;QLJ}oeM6>;_M5&h!6U6y`P4A@LnQBE4ww{V6pH77^9GGRQesEq&Gp6C-# zWzXD_A$?){UmtD<9RDN1c{404dw1&+D}n{4JG%fO=r^~Vn}Rx{IE~O19{BM_mOS?~ zgTP9S!esZGM;UJRpNpC7RF0OT14^*%c_e)A9UhL7o|%Am+CrmkQp+vfcdCbG^;A-X z#0*=09=#O^_X*Q;7n?(>9T*Ogb?H=Z78jO0p*s zB9`CUl`B=5xv!$zo)KCn1YbesP0~R;G~o-6QMzkV@_Y|zJQgBRR#6^5RSmNG8MmbF zPwkLzBxX^ZFum_&0MXY#c6e>sRGtCZ376R&vB_|oFhT`qX$Ul{Av7`#X37zd*TI2&6EL&Dlp;%< z6FcrLzn7kd%RcD%#{>Nz-|`+syP~n$^=WT4{??hv9%(`vi&REZdYj|D{KsDTN7 z5ahy2aFbD+N(5K58<>aSor^-YZS`~@ax5UgGdz)=Q9wO3+{I|??LVjiZ-z|e>+&Ki zSBpdX&IO$J(G)Pc>ZroXIAg6Rf@yd+Ul=_6hmG{JYOJv$2(l7=q1q{ag~})jknQw+ zxgOn7JZx8%Y*m1N?-1yUCdUQ!KKCLnIb@A3aHiB@=S1Fe_qGK)EE~_Cct|T!)iWgs z(Z9XF#-1EETtRWi*N%qO#e_IJ+g~B1D)Ve`zS?6b+55}%FITgRQPZ|EJXYqd=jnZ@+y{-neo7B=TpbkCq zJ$uqsfmLxOqN~uKhuD6qRrh{zZP4Ei*H#TTf9lTCaPj9PCLQZsG9jtMYiH-Yi~o*B zpZ?NNg(LcZ#?3V^Ay5mA>L-%PUvHLA9sSK@Z*jr(Z7NuUqsh>;X)HA~cjjIJQwp{G zdSmA^t@Sy!2e=rwi97cDbuW2JNr5pUzW`5It0K@Uqv9PGd<&9w7I907iz_+>JrI+E z&B$)651m#Hot;;fv*x+^3L@9>i#H~kK0~IXp)bRHL2YpBgTMC2n@H9h0vCBZ`k;4Z zMGAsr;Q6{7tO?#cpj5Z@gOWqU7baGm$DcKo3(w9Pj0kNk-BR><%xii6`LEh0p0Z0_`5OY{$8gN zxb{E4+JC%OK35ft)p(~@Izq19Z4(c=cTL$sVDCx5jdfyF70`)3&#cp_7*bmH4?;;v zfP&b5foh@EVo5jljP0iuhxZ?+*$V;``QSo=Z;*kjd=Q75+Av<&%&i~^Wem_bG5+jI zdwR#qp=PQ&Aq8c)(|%jiodk!kX-r9~a#`8L!W%$!hf`Drbh=i^uI3n^XbwKt`l&qH zb5T{(O}Flhf?0iAM$_PRPcriK%AC*eH+qZjtAH^`W_JU9 z9vc$qMtYfueTVW`)`Oy0svRbeny~xNuF5UO%n9FB2R9OE*Q?)4Xmg0Y8SbdB9Bl&Z}O%D^M^>!{VoCr(J(g2 zn|8c&1X9#`@B#Y2r>IB9YW&kHFn79a4_O=-e&R`d}R0NOEtxk{6uYSVw3_Cj14{?HDaMjPjm{yVJ|SC)Z1(;q6q25A4}bas%zLibp_( zl7a>Ds}okc(@AEsgRS}c@Sz_@@LGyd2}p>WrK8A?JHUq%&FQQlyxY#a@aHIczu`m0GC3)*4 z4?_R>S9}IT9?HQ&*!o--btBG%zf{RLy?cq#P+(uBBXDR|QMg@MiX6q5d|8IC@l8FK ztaB{xW5^RV^0R7($TM}y)%gO~5=i`<3P?y6=-_MKKI8}J2+JQ+GKqUbpONgK7leg^ z>Gq#>$D^~m(XUb!^E4x9h3dGO!g$Q;>6-`g*Mj@M1@`I}?6jP^<8Uh52~cU;cx4N6 zqy6+C*DG>&MgXoEBu`MGO-+6ruffr2#_4o<@H#5cv9LWoj+q!uFjJ-)MY3>EqSf%? zp+c>re<=Ncq%v9LICJfeA#;ihF*kO5TCrf0Z8yAZ?SN!)ha8fFxXNTmp3sHPHb^XJ zaD}%<4tX@i_RbqWSMDF&)%))-_K!!S?nOb@KXbgX1T`(%cXu-M^*wqz`M}dLPYt;l zMzA(pU*4Ju9hRs&M_-VJ-F)gi|0Ula$;VN2PO^=4&CK)~>X}^M%MdYl26H#a`^-#a zOFFZ8&`_JgYYz)0Q4Jj&R!#QSHH6hIs_LKjd%3kAe2c$92mNp+Dj*Up%b@Pz!SHms z!Rj%X^VBrOJyWhb;!-d^{&#?6>)sx3X5=m8c&iM1Kc--f!6Yg{R<7*_`|?7X$c!@l zgP!m{cf+Gv#e8I^FfWZ8)3?8oB?)EVin%YXL0%=5>tytaqA1~F*kF~Xe@95eT zrxN@CeC~P~6)48eQ~v1FQ0(gZ?457Qf&Bh@!WFqr`+@Br!eu214@Cjnze4@U5axx5 zq)OI-N60AIh!|O4)c%VTxkxZvWVNS9`eg@sbt?l&6A;F4;99~iJXfNd&jjVpH$hDq-O!bNSyV&5ZIjs~}TOF%xD#l4TsL>xu z9${<`ts$kRV@5Pnm6P*&f>QXK3#~fZ1I!fz%xYQogEtS~CHu&`oD*Jtma1nf$X0YI zS5Jx<=?4qM7`J4xc9=o-zeOgYN8H;IX9o`o7oA>bL%ISpg`f+~+E_D16nW&0e-xph zHP3LZc_9`6RE{*@cYhbC9;oqu!LbJqbnPbg8aUO>C#ctje>7H93hIIj4;NGeZA^bu+#Pz;rg+tE+#Zrjz&I-|r#Dcef|BN|1_D z#!caU!1Y+m&O2RK9t_bA(FZ(Ba8nL$_ODgVh7?(RQal>?6(f@kf$*wn8Mc0m07>l| z&TAM73D%{P&t&Vv2kX_rQVAwo0x9I499NSl9l}CPdi*qs{3_Mp7WYisd8#z~#}`u- zM`8jPsCkm2jb~7XBL#y?{1A7akr**u#td@dXB`hxoe+nZu3!wnb~WZVhfkkT07I?= zq6zfe(N5qC``hc72VU_Le(`3)^mL*r-(!1u2V4EIjk5nh)Z zAGIDgnCXyRpC=b(DOsjb!&J~TEh}l+&nW&=K8D*{zag1%ZgmDf0%m39!)C0QR z%I>_)6{q+|+%um)=^c~iGu;4GdO8MRD3p6Q&`n*YQJs7nw&S5o3_*R6hwiXeFOPbc+>Fy=plaa<+)Ku4*0=`@BS|y8l&`dA$d>!VFRb_kl&2K9my~ePh!7-cP zij;+(gMM(cwXo|K<)2WSKU`AXChc!^K8n+utJ+M*y-cUa~3v{V3!bC_GYKUckH) z12Q6ls~SElvljy~{SJuf|5M2Z#Pq^9(}e$s>0q80z@vf*?FDF8bw5+SOMqhTuiu$Fx#v zX6PEahZvY4*Uj_B9&Xtmh0hgxX=dLLRN!Re68O!cK%{9xgdo| zP@miIrg!Cu$<;w07{=jgEKVdSrDrkq2URa8_1~KG-+vJ+1YX6HqP89L-`+%h3$l9* z3$$r?X-O8+#9$fcFgZGoa7X8iQXW2Jkhad9Ro9nG&tHKg{KBlDHAZ^Au3yI)*hJ)N z%f4z8!*Bcb;$4LsT!fP-qya67+@%%Q?E+u|fNK0E`*R6u(tq#to#_XXZ>JHuG`?^& z$;*%K69hN0VNnOa?%8cr+Q1iu8jfm^tvIs^Mg00Y$y}ff?|A6H@(dZenFu-U z3o_vU#bY`C#1zJcCqwhj*v=Z(@=#pk$7pTO%hi_LBG!6$G(xrk0CWF=gpPW$GI{o^ zn|wT@U!VLUSBGW#--mW)6OJ()S7eJQEt7^UL@9`qN9xp&ywINg2{5(nf|fN7;~>Nf%2b14ep@Q zdqE1-*!nt%9cJ3;b$76Kf);qQa7bYQr(Mr@@F=7iky7?JhUWIc*LJRNpY7N0S($DFRM^V2 zbschXI|L9r-7$gQbifE++|zwodRUC-&%1RNo9pXNq6pw&iF_7ks(w#5|K*A>iw@}7 z6fPidf4_}rVZT0;|BiA`!$NlKYEZnw-Sn~Mc}KGM&k6`>E+cW0J<0{ayU6ySsjvG< z(_N1-HW!3UICoM(U&+);hR{(*uW7~kNA1Qhe^Ty!5}F1=uS!3B>H-%Mkwk(*j8M-Y7t)n*Yj`sO;AAx*=_lt70;TA67F zz}Ep%jPG_)?}yiF{_YcGu)TTlB%DB8Q}d1_EeTk+BFdmJ25H7km*mPz&iw?*DbN4& zu?fbKV+&Ho(U61gQ%R8x1r%;?(x^vliOjI&@qR^_-~?h^kazM<8#ntEQT;~C99yrs zO$X6WC-|7h$O&S^1z_JoaOqbx9ahYsgunmCVe&dKrd(125$(e>5OYq{$K=_p+Ni@N)Jt@$foF0w6PBL99ONsMtbnXhh`8${ zBWOgzsC5#p4&UbCEP^742L@V^_73mP9Fg=ZleCf1P zkeGy_g?17AD5?}B0UM8^m4tz~BRWmsAR5mQAL`FrY5=F1&#el0(w|?h6%Ajgh8+G^ zMZ?ogGUR`oD$EuLz$cb68E^4&@pnmO?Sy2RhI=2BH$ z8nvmQHu9UUbci%`+`+#z6o|ffY8Vcv6yoEf{kCMUx z)So6eref8Oe__}E`bMFbVac7^!3FSD3P00WV2vcV3Xjw>x1 z5d`e>W{8>l-h8L zSA=|u*}g%|{|6l-x2!L$n_iqJ?5!2Iv3GoFA>guE3Lz2kFI(*2G9yb@MNLAy^%GT5 zyRambXt^?&uFs< z;NNK1Sj?qb_$*j^Kc7Fn23u%p=g52bzF@hq8s!NU+F)^eG%w4D9aN}BsUS#lnc3RC z@2l8IZoVEpEeb{=#tj>`s0`CoNT>^;-kJrG0F%bqH)}OV-$JnHzOh{c2UvSMG zvyBuo7#lr~bZC0r`X^O$S^>Yj;(HsPVB`V_cZroGakV644`g=;{WmuV>Q^D<<-v!y zg3JJCl85-;(^Bfgy4t@D*#7Iw0u-N1>c8C$=u_acoUk1%zQnUCnG~kHy&SB8>#dFr z!M}{N-bN<=Y-KYi$_+~idTOB^h1QuMJ-XeQ#Z3Q>IFR79Jm7v709({iq3WpY?vO{h zu3tg^2$jqGWntzjqWkN*sve)LwC8km8}liBP_YjB-*AXHzzj-6kEx=S72l66mEaV( z9E*s#_|(yuN|8>M@>yt`_{T30{_N;a?!RuaV6o>vEA#@agALJIndj&@(|2l36C3g< zT|(0pkOWFr!ajnL%KOuPE4{A)eYzZAeBM{489;8ro@E2X0yPQHM^Nvj)>`})7=NYF zf4A&^0J&xj3PjsqVHTwOK}rH^Z(+bgBSv0$fhwGyRb8{-jS-tWf}u4%frL-C;rmcf zC0cEugE8Vggyq}kgN3Y0Yp~i#mh1vge4@CWbx4i+m`(9%1RE9qWaL%$d1{%hnxk?G zPW>BKYxsn2CiSN3r$^jP_&%pEAAgNcqM&9a8GOq3I+;fFK*^Gvp)PhR#}L@C_NlujxdkihoQn@YhF*YkoF3JD`prGHz>q|y&yjBU|1(Tr{ESvZGiYU?*D2E9M6mtYr|_q^e9Vo=7Cn2h#y>{WBSWn z?jX7NvAE-b#{J*!7`}4Xv)r(TCysspQwwkR1jsPOWe_;tZ-A$zBBlk_{@uIDjbCWiC_zn#;t z2ta9EqWDqahP(wtFEZxSB7Q5COoyU5Nj|Z3XzckXvLpP89-r;9{)d3kMvt2D_kl>0 zfb7`w(yt);b=CqLCzV>j_JmDkzpvP6J)9%^hi!Cv<-tc^lpGyA4AHT|8>2PO+tM$&lz{yTa6gf(`|YU2`tfg*0^+Ok|B*}BA#AP?T53(oe3@|E z!2v;PgkVBFEP;EeQ=3QE9y(DV20q9Tv5^mXrdMzZsC?7>@aoVu?LAW?QepJ^wF#Vvh}WfiWmY?IHf z|93#hIHy$4wA=mLzxr=y0my`bkeD1F|A$2QAL+KGBK%tI)aP@uoELbbILzHSLO;?J zHxu9S&I|xxCOX{`{^If>ID2nuD5HKQq4M*=E-6Uqp7$>@JvO>C`0^e~81ivY1&p!j ztyyr+QCvSwFc@YTn{n?b>`i#6JkiFowlFb@B%!D%P8LtMsa%@&&I6xglv=;3w>y?_ zDKJn87VF639`6exM!J_RLkbLO_5q8Eb+)T|*FnM*%W6)ylPO;fpjd+=NPVr%ltv1Mj{d6L;iiUhKae!@qxNp^gLs$Zk6u z)%x3ugDhhDIX(S=laurM_J-yVFQT3GPV4iuM>Wc~kCkc_*u(`~a_d| z+WwRM=S376X(2wWA(cZ+^#>KXfiN5BxzChw0XuEQ_Hu^?YCkFZ{;w!*42+y-WFNNy zaK-Za4|3iAx2*9D8*48dLum2q8>`(mKl0z_6D5G#6|)njOx_h;Wf2>3NDQEUJvz_D zmLSFd5tFA@jBVirIw!L`>^? zTK?T6g&ztPJ{b&uP=ayTKIls~zlesL9ulvU|0YNK9r$qsOEHro>wJB_<%UjcT{nXN zc*o4tq`qWl3mXoS8IW_Wj1I-&HneMbD_)xw#E{Z2f9hnr15%-3I+|c42D+JrP!k$f zco?9X4I=GMrAZeKi>K$q3EZ~2n1KtKmVcE+Dt=VOj0vup557=Om*zQ8gHR7gG)&+{ z>Z;irCRUt3jru=KL=*pLZ6fWSF_MV+V^~jk$BS#(_O3k1P=f!v0>`V7g zd6qDvnK{+wX#BS*Mqhfeli>h{9EZ~e^sz>h@VO-ssqkL7_x{?;%R5^o&FW%-{e#qB zmiU`H70v?oHn$^$Pb5EGZEi%y@K~5{)@gsMObRS807%k;##d*r9UWsJd*|i9ZoeP? z8zL*c$?y{&w}Jl;Yx>sT(xROh_IdTyxl_*d&??4Tc!9W;?OobUMf@Pb4@!W0z@`S- z#`hp-@N2z>8l|bkSf6ZqUtD?^#2B@bWgsVl_$Re&f+IQQ{F>a7k#w}7)&5~-Q^ON+ zZ{kxDi0^XZ$FS94EUGkE=FhQ}?MGS0@?T)_#pif10FS>iRY}1S$LQjG-X18(ij2q% zuJr4>w><*6T;IGvW-G!#>PHcsC5I5NcE(dG=^1aw<1smFf{T9_T|CHk zkQCZ#t+`Ze4i7xvKL#KCVzcNH7_}(esg9VPtFc>lvJ@jq+8x@h*%SqJX9gUufzflJ z76(3w7F}>Y^H{+>x(AMRi=*ctJsvFr@Zs8EEO%zW9B*v(B<1I>m&Efwk1vy%W5tI-B*XUJ{%#je_Z_`f`o;3y+4t>OG?9i(J9}q0skYuddA(3#%%%* z!S6K3A>rCr#$2@oO}~f+Z^zf}_cfk`(O%hxW}h}3gf@psULGe;oO}`NqMUYY`dA!r zI7XBcoNYBXpC#6yPO3X4Fa3Of{HW~E9A zmgsylFW7f-Ml^mYFf^FyU$L7(>))txLB3aED#=+j?@|zBk|6|7A!6#IF7;+z8N5u094K9sKVi`vsp=M?T@(^r!B# zDlkKI8;lOt7v8w9Y4LV#!`@@!Rbsjs*c5FL^@P5X3(es}A` z>T1q9ErZVXL0vi`ES8>b5YuC)Jf2V@w9~_9emuWdtixG6_-l0bYJB$7z6HWKmxf|` zw;_54)GG$OJh5U&uNzh<@VE}6L|F~ikDwXl&(9*LOKJ~5t%*5tlC$S)=*t265CSkq z#N5yG-KL9OG>p3>HgL+VI>f(?K?5o3+U(V>S{107=Chj%A-K+?bUq7Ei5*cEg`gXh&G8Fx{>DSn`iv%sh+}{w}Z9*)%KY0Ee zhnihV-Ek~&#Yr~6iHZLY?p>$ayVzj0b5;{URhoc;_t7-?c3{nd!KNaO+hr5I%#v@y zuCnhT0QoXAH)~vWpYM}erG>GP9~04lZvO(Y&gD{x|HlEjLw-0ZS?smpA+KxMo-Q4wVFm4 zqQ7zI+o=e-M4xie@sZ|fpW=lUxu_4EX<=}n@>)CoF94QRx6#k!xjhKTwFbCylICleV90 zu42v*-Sg+R6xF+3TOGZiv>z(*H2JsWC`f$-SC;~Et~ zVP%Oe$I@N)PDEg!pRPPLFP2kMTb%;ylHGpkcw-jRLi*uOMY4C50>grFhDPxjB7aTK z1`s5L@38@fi5&!$d>5;!50+}Y0>zGn7d-ZZ$mdK)$GO4fGbY^r{(ys(%=x&-eDT11 z?ZUw(L9#YHgJ$n^K@;nhXD@=)W%kO1el5erMEFtNalm!?Bb@*HiGu)nBSY{OH}!U9pwRUk{T}AJCqID3i$;BNJ4r)#ywnIQBk%4? zkrZY&oW>O9n{tUCmirBEb6ZsVdk*F<&_49=+gwOYaQ35qXm`#-hDN$(_CJeO?4}t{3i{36)Tkf}rVs+$S-*Dh-8}m`r~cgFtQC(gf{i|q zS76fJ&^>C=>v1wC$*{MOPsJ5V&SvSWS3Y)8)`iDN(P-qy+%G(CIq7qeJ7Wb zC*7^Sv}D}#7%LaJ;BcOMH=T!3++p5HGc&O_+tseWiiF#_!TwTzU@Ej~mTm4NJS&s; zwoCS2dd&G8mT!}_H~Z9Kj??)M=tip+3Fb_^xny{4j;KCi2c=q|JkM^jjl%mZvHon z=6`PtZ(^Sd?l$DQD*?7XG-6m9X^bvuLXQN!Po0jA4gtdKgMiy;4Fp#ih~{#=EHbmh z#M`y@uA(x352GYJ?6|1*zLL7VA;4ibTGv%X?SnMX9A5d|T;g^IA3fpgLdFQ5ETgY2Hy@9VNt9TvJAsM#2AhHhjw z!>so;pmX9eJrxiZ#>-!a1rCtQDYn;F?ejEy;=7V>_E+AG|8cd}x)%v7cdzKftc*5m z#TOtKA3KCvMKfP6mGXW!ygG`=?3P~}j5@QPHQmWA;bWb1IhsbqHaD^c>}M4gK>K$* zy)mN*JvprW6@KnOS=3n73TC+B;3dYRRC7h^4)S=y?F8*Af!dj?-z&6FTSAJ-UW`Y$ zUR??bc6-}o(EH84XSD2eFlo^BLv~z&jL9*@0|VnT0lqY(p9els?g{VCFUcx@n!Ygg zjMfO;4>mLm`vjd{RJ*1hq30?gx<2AxiLg^MJiXd0o1L-o{qFV|{AIOxR=m|^3KRNNAxO&+`QE{8;dY?=kROzMsH zxsWcGT>m_#ZZ3|ih&xDz)O3FY6(YpWDN3I3j37HPS3RcsYHe{phlMPeHw{Yh%5e3* z{lz3SlX7~m&Uo+{U?N_paBI~L8R&Rn>rrBQd7jELDsGS>7ZE&AxfW>(`Q8W7!)@4t zHZfk|D7c~cg-*(9_oLmo@=8}>oos0r;r9dsinK`Vnoe!TJ1{o>;=3AJ+*hvledCpT z4c##=N8OivDv14Sk8@cuiiBL*4Cmwh{fNesyf(@6q1dkI=2PP|G)Cj*{BW33&dTsE z%v-JC8>ZU~x1lz6DB6PfN=hC+cU9`Y)JX3iJ0t$L7VlmV+4Z=H`FNy;=eKhGj0PJM z*&Av-`rk37I~WEI;?;c)TD0GVeh2&vvLNX~HTq*6&@m1{VN$;_LSOT;d{YD&N_Vqg zB9HqLv=Q0t!x(Fh{7;&6U+4cnn)Lma6tcP;6i@WTWrrS9J@2& zW9m+BD%Ko(ji{z{kD1zdIo_jQ>HFg3J+Ia>-M_--^D<_IPmiOB4pi3;xnh^=J#fmP zt#kDgnL+wTW9zvN@PSEBm94~f0)uXwbGMX_A#Xu87gGZ3@j>z<)g+*V7(!5@V*^GZ zh@rww=+};o?_xL=krBg3X`e)?g-tiBD`$4?*4~$y{$j9)8h-WonyO9I^BMQ>!E9;t z>WHbQ8FiicUZhy2gu#+wFO^Q3jIj;u1wTw2#x|Q7Pq~xihFw^tCDiO&KbW+k53~jz zBM4^XwBxKbALUAhWRUf&U+>d*8rrViw-i*zo_1Vw;1z!=d^O_M-ut>xF&!Vg&_NJV zxix-^4Gkj-E*oFkcqQbqMzUZJkRsHJH0&7CDHZ)=%{EPD@(COwK5w)aqf(m91Zh4+h`U(caTId_dNta)E8T@y*d;`)3!P;xy};5v62vLu|i~XT&^5Uu}&7 z@C?l|Qg?)RP!Kk`Z#3gI$4y&xOlQh=kdU|CC+3ImHL9R(fQ4i$P?HGH&J**G7e(ni zbs!-eWhdh9na`(;Bsl0BF1`}g`s)w05(LmUp1Bm=@XSx6Zra-l-oyJ|1T-ACWA0;K zN73@Ty9+Juc-hTorF%5zDT=|O_fXz$Yn`K{7#cUkbihkm8V#-YM%9jJ8dnv%%(Gfx z#Z&UM)2qEkOp^d&Z9wL$t)A&Fsz3Mf4it zu<(@Hg_rOQI(pQ1)a$_L%GA}PA(sA+@U#%|XkABlv{D#jsD#*ruBrEEs;!Cn zh*4j0U7tKr=Lg#;O-Fcv2G@!dH~kKQ#! znQ94jtYBZnT7f)BSwolPb?19z28L62S@C#m%wH zcE=xs)ss)EaQBbWtc#Zj0@AFjrswLX=oXis&b1;KNVVi}8wy|rUF0l`2*$K`;5S)( z4vq|}o=r_zJ8nI5nwb~b&*t~I#SbHl;dO-$_wa!&1sh42fabHDR)K{sQJf7Y-}>E{ z!V2wf4_iqNTcm6|eN~3BW9h2RvkL8Dr=-+~0XK~Bciir~8FdC(*3sb92acWM#UVG$N+(1M!HClI6HztHSobbPeKYTvZyn9?|@5z8iS2wCz z1v`FenAzHBp2~WmK4u5l60k1_aB`Q&&YcMbaLc?~S&O=Umwyl4I1+pzEN=R_gp>8( zK9}lL`~qCYk|Ar}QF7h6QhaR0xau6Xa7)_IVxVd%^vkvEMU&?hwa1^b7k=SI+r?qS zx~I`@u4Gw8<=UWF^Y;ZxvCFKI|I)qKIW6bXy)#C2uqLLHX%fSazKYqJU=~#!G3?0! zu9Oj6#Ec{)YWtQ>3Tk-TGv7^a`_Ks#ndsYPy`pxQ5|d(LsvrX_VI?ph-wXT5`EOX= zi6o-OW$ZD?#L_|C(T2QRqg>I1Lx@$Q)vv2$Ylb6%Is5%j z59gYK`!eR<;b5kPoj`O`d_y*MRN8hItX)lAq-)65^vG8!AR7|^aXLn$Ag0qUX9C>E zma3SD9^GUwJwt30F3Hd_DqOK9!HD_*LkXq@mv>7J%!EzjK3-cEB*fm2(jI!NF=#nb zX<&(Olxib}MFLhi9cv4gDv$MR;9_TM`J2n{pypKkuC8lj_0P)r-xR&_imq)p@q1Hb z?BfWU_Kv;k8hyklxmB?J(XZzFe7FxKmeT+luUM_nb6;c)CuU+;NBSPX~{(XbM83XO`pCP`ZhR1KI(1 zMb7gTix5e&r)ClFGVZy4zeMLt2%O4%*YH?=;k4Xipk!jAX|b$j@hrPbml>4>aH-1< zN#Ap^rhc&c!Skk_8n~qv?g?GTkyVG8JwIzBN#9=X9D3{)0or4YZmm>m-X_yDUhRwJ zg!PA*V9MOipBvJD-tOzHdjsAK-ufPr6NpbFLIpf_4>NAsTZkfe|I0xJWVchG{vO;{V!N%C%8f{T~ncr8_Nx-(yxZn2qcpBO~c?JzMbBgxoNDC31e&b}+KeXjh zQd|WukjLpO>jP?%ttF`^I$N)8!^kLe5-~uI&`lYER;ou!8BHknr*%cR-`EM7rnNRw z#VkLtpkxwVm&@DM?qhOsxT35Y^5J)w&_0p7?SAou?VU8Ss(i<{MiR%@TTVuj{PMi` zAf1f49RS&}uQ#r$JbeH^n^utfBD&g< zwKGF(18kV#c4V%Nl=k%iJxw(!hwf)uVKx zQ~cG(FGO9=7whSZe$jPzYTps&)I1n^u-B!%B=o9O6Id`B!_2luR9Cw&*4q6rhHLyW zNJHZ2qp{0A%+omwX9vN-6@{stgV+ghfQs$2urV5J-_*cX36(@FnR;vKmPRCfx)9K; z>xbz3`(bJXxyeM{h+Qc;QO4B;oesqEh4Y8q{^2I`IQ;p*v-jv`b-jXy1Y>&jm?id6 zBl&r@*)z}RT!I{Lxm5ODH@-R5f1{5lDTQXdHj|M>oCS2;9VLN2>Hm zzvM(fg8W2hSP9O{Oe-uwUQ_4Os05s(F>N-fO{sUqxSC_AVn; zxr;Xe`21xXYRsugKse1vh|Of{Vs$HVsj|RN0aIkH`e*5~9kj6ijYY{#42;?{^-)>7|T`YvXv+)R$Tg%!Ky&FI-AzA>A(Y9q74p0tAa z&#p6$>bi7snV- z6Iy{pH;gPr8jHMn3gW`t(2aT(P1}n1E<@s4BGrqTw#rJ4Snp$c=7pWIc}IA$2879B@Z39x zmQH=5K-a4gY+M$_Wc9{)1U@NvEA7qZ>vtAiNIJ-or^X%?ME9GiprZ`z&q6PtetJQ4A1!=h@z9X%ctyoEPCfj0Q z=@ZjlJ$#UcTjvf?fBR8uq!*EIPo!!LJyHB1*~+*lYS?tk0}`O)YG}^zqjlzU?(V)M z4j?UFQeS~)C8b-Id|s(@t=w`B3yni;yf1uRn}aEqqNMRY!4VLPnb=VAHxd1Wji zYo-O;!3lJS!f`XPO*VU`=x?a&x{;%x16~SUG-#Pf7k#RTUZMQO3W(XcO9g|~1 zjcgIwei|AFg4RWsQc^vB&gaK^j#>Ic!l&(7*Cl1wM{ao{zz@F<%Ad8l6iLhIG{r5v z9IA%Owqel|uSlkM3kI(!=FTB4GM6o%TNp5}-yQBrl6((^D_BQ-e;m8~-AvJ{;5QfmjqpjVy zV4-}a7ImuYZ{J~_6|!lw_Ci9zwLI`z-Z(@6MzssR+E>)Y&AM)0b^L&01lpgE_tL)` z^lF@>+Gf{(2wqZAW$ZWoLC+txDNlO~)I5ZNvFpB@`5M?oS<}e3Yh2Hm_5~Dp=mU2# zJG&9$I^+s0bV%nL&$x%uiSLV*K!U~Y@1RFht?>zjiW+wftL)m1Bhbknn(_ExJcmFq z1LFLZMldA+0wz@E za2^Tmv||#Mj^aos7qyo9f5AV%%E?=@7a-*w<)jj?xr&Z4Jh zQ2T~ud3L{r^SE`Ie(Jv3P#G{0C>1@sac3^S`-ApnZSt{6qo3?alV^uZ==9^_ms32x{L!G@1Glw`SjmdBc8Z|{ z0P^T40_SBY{>%@WK^Abi-^7r5fN^*ETkqzKdvF5?nU(&}2NJZu_jD8ZcLD3K+T}O(I7`$edc@cx)2TK}pqsuoEvo5nyA<}eZz z875m83Cw5r+nZd$n?hJ5LPkIvD&GRw%Af6CMyE^qj4vHaUEw*vs0;Parl%)Uw@M72 z+@23aHF^jYBo>#ivU_&+I1;AE31YH)7wtOXS>3yAhWUoQ1!&UnUXZgHv#cFV3N9x3z z#g6=Im_YTT;ZX*A7Xf$@dvPhKHEa8u^UC7aXc8{-keMSJq3Cc9vnwaz3l*J?Y@J8| zt4^rfxhLxu>%kOa>m~0#Y6qLJCJUH!OSW=nQardx| zPPLozA0|>&vr3HwMu^n&Zu#rW?G_r2_BPd`%>Sq_>8?lj_kT3e33_nIuuvMf#*fl4r2>jKZD2LjV?Dc=^4BiPA{e z&+>iO{+iHu;g(L1>hR7TD8uDZmPWgB&gV&ri#qG_C%{ZkCjPCUU6uIBZlWgt^6@Lr zEtFSB;XGbU9p~k9h?9s6^~(H)hUDo$jJ+pVET6yfZ00wVa~(4JQ$XY8WXrsZ`W+SN z3y?ixS)ir&6yz7HXvfjO|L1DG(8J*9cs%;ciR3%0ZM^L%Z6$ta(tbmiSJdOnGSJYp zb<<5Ora|{zO#*tr4{u%kPQ!PB{ALK*R0T3;#~@;oa-adV#3at`}4R6cS;Z9C|KA zDNC6Zk8FnsZsGhXXLj4Dv>scXXgGS6igmqLZ&eG}tEX0>pu<)S?A2S>LCd3hRsC05 zic;6XmgA59C1-Y1xRx_3V%eH5tGO*C{%fxu+X4}R+n>Nk`x^M9QTtnn|pcI zPZ#Jw&37Cf?J5NdDwXcm(ajGweLBddbw^-%j-@D0xdvH&I6r9ThF9;X9Z%M0PL{0+ zR$Zj-)c1&4@ce_Ui2AhUfj^Q*AIWV-s|R@D#C&pTe5zig(u_cY2H ziD#HeTc@TY7JXjyycze{rO;Sww{ZbR=L~cQ^UMfTJuo`6dbv}|x+Pv_n1ah|ia@!}Dw8Iffs2o+rmykB;q+efq`;JYyU<#sl1W;Qm-O19{Rav{ zbyRSek3VE?-*Dl5j08i1CZDubTG(5>@T01D!A=f;W$CM2ei6Qmr<2*^+3=@n1$t>8 zSI;iqC32T5FU^JJR-}XB1Uy9Zp=l-E8?lj03rWWn3CGt%3GV>njaeO_5131RIyq!F z*HxfvI;kKg`0ViT2v!CKZWG*NBsEl-7FOOlMWE&fKhrvYyC4mqb2VJfgX~30jx*HH z!n|ILSp~*k57z@27hKwwEB3_5bmPj0iLSVi6>ggI+V36d%)MrwzOZF7Fuba={3!9C z6)c$vm_@&gF!O!<*G$40H`xXEa_{OgRxpDIvE0qcbca01dXbOatD(Kq{DR|!xlNvXCpxVm76&)V5 zNGKexy2TN@SphdfVQIQFkgiVjw7*}-;`iJ<#AXFdYV=pd&`;S(%I*NpUx+-7+iob* zoD`Bjyu+At7N7w)a2x7^ZfxN;{1Fk!90$Edd8YF-&4qjUdm5D-FO3}z+ik5l^h{dc z6oD)l|6u=+*da1I$(ZJ@i`1A8&Sjh0N#84#y!zzC0o8&DOxyCEz3L)4?iJ1K3S=Cg zHZ!&x-Sc~C6|GCzmsI%e+Z|-U>7q^j`q(?|;_H1%%E}8re&syqDt4^BpxkFEF*;GB zVc{(Kuwu!LJ92-yY6@jH8CW&-Y!mG|)M*ofn<^<=ia5yJi zl5LXQS$5O-kvQZSAFjr>WCDgwWx6Qq6xVtRU2IJ<5~jO`#9tZWY4t6KJH15d7Cx~2 zAt}2nXzI(6A)ptSv^5}c#Z==1d(X}_O9 z8?b-36Ny0x`j!mLvimg;WnMuVDds5V+5AdssRb@*NI{fjSWuIetIzl6aoZM-dD4cN zK|Al}f#gU_kaDkFG8ULCuCb`#hn;Uv+817R6voVF961&p?u^e*8S;;p`)1y!8SnIe zJZQrjO%5L%er=tbG0zU%RzLt82Sz%^hlYsLbTg-NF__W8(Q)8g#?OMe%_`^h@D%Sn zw0tg?Nu*w|q+*h830{aldl_0dC7)Ry5Hv7>h|@b(Lr=CP^%#9U?bqOIAFdNz8XgA_ zU}*wAc#NH+$!bHx5{B9=vXjlI5e+#wEJKAmEQzt^f72h?W1%E6Ehhl43-46G;%z#H z{arx3OKw}J>gl-YP`+qh^nN|>cijy?_y1^TlOJ9ugVfi)oPSFO4!GD@P}_+`s>Q`y zhL`JXuJ?@?>GtEEkrX^?4uvA_lC{&@dm|N*kPP95@6W2w^Bxb~aid#dC1!+f@+tOw zp!e1Z6-&^GjS+%rIUE(RiF$mblB7GZ9;Tpr&V#pKFq|f~Dfv7ry3+Nl?1;&&XI5yH zuLrk;!6OPk^a7|u&2rT2EG8-+558yLlrzV9Zr_36aK8Tw3*QrFGxYv-2jC8IeI&)>uw(^5_0{|1!Ocr-RGaiz`#eA%8Be9KHDW;>xbg#e9m(Qt@X|T)@3!T<&#J z&@i28F4_^y2pm1FuE#ie`5*RQ@UqP=p8xtDyPZ)OG6BjQeuRc_tm_pud~>LrPWBvO z^r(%yqxqu06fDTWvN{Fj=cV z$q#SOxntgk1ehRXvrV~(zk>EVMS*_F++7w-K?xSnYtW1AEleZStF5paIVX6Msa z=DGSIH)&nfsT#MfBkM%cF-|9rU6&(twBfk?s#3CFkC;s%2?TsuvA%A}<0cPjzEO7h zPU+S$ys2A$k$p@-uR4IX-fnoC;NG^u8N2n#|-1@7xUkXVrL^&OdxKdS4c{5+w&_NS|DV zci?T533*SfpvkXciO&b#t;27Tm;&wQstahlLDeChXm9aAR*!$&oa6mp&d&YwB;Q->pR{9zTh1{xMn%PH>QX^ z56E&SMYdo+eCg`>w3&UiQioNj50PPth~DT)OZb@LVfi^tD!-c^gClM6&ktQCjod_; zFmb+9c{1cKc)@xaDfwWkdU12{p)Y-NkM=k(0Ts`p$Tl5qNtuQO`k9Z5)&62P9c2Jr zv1K)inzU?guhc(c@P(dVq?*>dgQohu>Lzi=@(bd5wgfwu_dVdA7{!n)O$;R3+vB4y z(fE_xa+dk<&AW;%?GF!D-`EvV61<;m^uJgchwuJ~IbJz}B1G+`SNyV%{_~;%tw`#O zJtv7>Pv!Aj)SIQqF#wa?cbhHrG2ann8 z2*hP#v>l6AJ|7ndGYjWwJYjm^=DMFJL9Y^AS@MOJhX1k?z!L{|u2J}k-C<6DSj&uo zo5NJ-=#nycDavtfe~&4>#vs*%gcB3l5l!+PuU5>BqA%E@TExEgv4*(F+SBzXnJEK>Ks+3)MaEUG9d z1*M_kuZNcqy*fY&?uQpvnAnaa_2Ox<=90U1ZXyB%NxQ%&cF>n@jNdd;QqS?yG3NoI zOQL7&aRFeqI5!Vk2k+@SSkS$Nxvua}4TNF!cCezd3CUO^uf7v}Hg*{u`H2TwQzuO< zk{tgJcV`(D<=V!3K@q(lTnBqRkyq`QU^L>fj!1W5srPU-Fr>F(}f zs9~t{jPAW(_kQ1V-gVB0v(7pnQFN{6ey-=bul)ZMQL9g;)<`Ze8IWagNge)pt~(fu z!Ef?W99>$fv$#pi%T4Q5XlM3&L$)3g_J$OGu`WD!_92QJ>`$BR4|?y_jPazYOpeGwqSqZJ@tO@&2GafR|8c*)*JISw2m);~hKi zVLvgfz3heh9Pk&uynG9fIDjSLR8+URylVj~xThoD)zHW0PL_}IUMHK5HYAMuFn(b< zN&q{IQQ%uoCr`rG6@R7s1sqm5HHmk7kn@q4Q8gN#Cj}ZHIR$O(1Za~y-`ZDGnT+U* zx-(>!Ml3xb>*BfmBA4=cJa>$7Usj)X;S!lDA*TK|TuJ06_RsW61)W|c?e8;yH|qdLz-+9$_8e8^YCkI_Pe*i>LEO%holPs34#)S{f746v6E_xcQFe{&cnJUF z^w4L?HHl76$Gz%m#s798vSQ9dmVh3gat1(gekrsffd+;W1HjO{FYmmWz2#(#8?tWu zi-1l(NLREs(5fo!#c8EGFDKXLC8$G|TB8LUX&L08C*Ka20(hM*hct767D3WNOg2ai z#h~HzQH_s!Ia`8S`n7e+g9=$nnf_|(mqT)|l`SNe+jKuzzbXG%?hm;={}x=sFLDjd z3pK{+7)mDud9dWD8LV)8<~b*lf~HcAt0$=*HVO20yj4E&li$epT2kbC;5Gh?o_-h` zd;2XD=f=B8RsWAi0`KN_(Mk|26OWpi}32ODdrZneSHgtKmYSg$U8 z_~xi@E#%~_D}qil(YZV;VcUHT96o%{A275}g_IkU|4c7veZ0wm|Lat<#(FmAck5In z^Qk`{Rc`OOYb(Smh3ph)h=tCP7 zUiH+JL6?<@XM>NQX<)V1z_Y^Ky{eU{Fa15iCgu`{){8yDrLAlrtI6$ZtLK9i-k{sI zv(v|ur#9X%*b=52fre?M-tX0rzdFVUY_y~6t3oLM{y}G~p)2&qZflXG@Hw&ux`lq) z-uLYeML}(3k0bh+d4OeSkEh-X40S>2e)!(5PjL8R6#-`1Ja5`bK}3j%pX%Xrv$7$~;%dB@|bq;(pwqBV%5%cj8 zj?>)7e2`lIf$*XQ*BPXrvx15HK1$xHxRo*@vEnFSzmOqx?dvElO$sWOGriqDG+5Qs zgBbd;JpkwyhYh5Ab!XN+LKho(zsvy#$cH|_#pu;sO%e0~&g%yWKU2o?y4-frF_a~E z;QVjK^+(OsCpZwWzdH*$dx^gvTf557xOL3~>iX&(_6(p>ZAe}5gs64yW`i^dcCadH zix^@T3SX28c&&U>;+p^=c!<)C=dp1-f^Q*zDicH}8WgP((<*8q!(=A`NQ4v60Rpv7 zFWC~Y={-Jo1*igQG%^AdITSg=7NvS#Y1ACL`T*z>|6icXk?u6pA*OFk7Cv(LZ{*v% zQcE@#fu(Vo`l3%fo(f~?q~0D{UDyd=OXNoWmx<_&@5=jk*`hZhr7QYz30pFS*VU6G zvS7Qx^HP9A>rL{$5Ou6rCZj(5b?M=tZK1ylp}{EuoLe?Lzn$iv@%+C|PhA?hpSm>I zYTv+O09DXcKa2jGT`#+&gE^6O*hf5Bo`|GpkPIXGC7EY>`UlurOiv2AoTF@4M(lkk}J*OI3B~pI1D`3w4ib_ zhaGKizceZ9Ifil+63~E$G(sIiH*jg}CXx`HpvV1rVo2jA!v5Mp)S5b;_sN6$Y7FO!1E&1O$e6(7LRgZph5iUasen2xPvFW^#UEx%M@grn z28^XYs#O34Z99(3P%Rn0%mmkitTeIEA`Y7;Ei=#XYEW&TB4103UZcF8$*`QlxBmJG zbgD#3uva^dO*y@555u?JKY=(7u_5itd!Lk7Cq_42knYnxxkYR~ujq+bl=i|E zIx$M89M3=9#3Xycg`-w)^H zK^sr`ZmYP%Z_obMc*;-L^WwP-+ISXp4kbl@>kPvCZWAfji-VtCNJuy|U9Ed~#%>qv zd#B0i0UH6y6vxS3L}2uR&b;m!tK0%nOM@awzmglgUze$xb-kYf9@E|tE6M~z%hlxl zl&g7;maCyIG*h-#hy~|gYxZ-!`O7myDFQcyvccpxpXjG#o=KRB5w%0 zqJT5sBS@2A;Rn-}VhI^roY7u1eJ#nl8tv1nvqzFywwYIh?Y`cMRp+5jQT3|;jjUfE z60tMOIorGTEI~#dAIqTT$=3S;sx&5jKk?-oS!38xL_4LV!{Ha|&IawT!j3o>!O;n* z14Yo;+O7V|7wYfvs^C)jBK99t_|WLRCVxn+dXpL_5!_!CgZDQ2lH)-8=t0U=E6s=K zFN?t-MEHO4W!(!we_7+2n>4>$*NaT1ClBjS1;{Q0C2aj}7dH?a5hSsD{xA-JV430) z=LZu1MFo7g#0!yI4+I+AVcnT3Jix|rv)iNd;cWX%10%FPK&mD9VQ8v-BgihmUa}eShdvZ;9E-Jxs1EI5z>IG3ELU|AS0khw-N3 zhoF-*=N`eQ*pT5z4qv2~LXwW^+ncbZoaIhl=bep%wJnmeV2PqAplm=2WE~`Of7J5< zF|6oxICS#&cmKP0{VN#fQpGBr_q|J_v;sLOqij|FKA60sy{Vt@PBFAPyw1YsqN4lw5E*( zTGNKP2hg<1{JW+NALXB#Hi|4IX5k4Hh_4oarp?MvO&cClhUadwJ=qKhj(nl_d9t?^ zH;Zr&kQjMy1~YoF)#P4w<@IU908N{b-!*Lj?c!&uee6FqZ8U7gE$laCAZJ8}pAsF@ zr#dqU5SKtYP;V9>i_VCW!U08zJT+09bfJq zz#ta|an`jxsDn+Ly34$}d5U+H3X5{i>nwCRP^SxlWpwoVua{83OawHKJVEvjn4mL8 z5LWM#N7~Z7*6JH=v<7?ck;?>$5hC)TsCO_?LcRrFGo@;Kjzj=A&`PZwdDbYf!i2r| zkUCW&1fi*tr4nBJZ3G!XlSpZNXRNuTk(Eo}DMSZg>BY+`*ek!sx)UuFX)Plr)F@Xt z&-5l3C-^MV zGtf2qNKWbSq4n8QI=7BYRCA~I^4()nI3^BH_&ft}F%%lJoKaWq&uK4Stn#t?$^w&GHU%%Z)Hpv$=P7%U|fboPN@`Khbv?3<(}7 z#?R~Cf31E%VD;=|;ChLI<=S&oVQ%l`e!Q1W1Mkep5JWI=0w=au{b1JzgC`~nfo+6_ z&kQ=#Dcji-&VUSlUAJ<}BP(A58e|3rw8(gJ^Qp&Ni+L~jQ=#)%)$WaJ=tpxydvL@- zi`#$uK;ilFw`Xx(^J~Bjv7p(;mA=a^p{W<1o74N+llEQQ_jV7n^IvIAI&W`BX|~Ew zFYED?Q1n#X>Ot2Y{$;u^>=^HQUwC9c%Ot6Ltwh+D(>P@tBy*RP?S?f8p#^h7Y9uJG zT&*skqFixFI#3!;Ot0XuT+cQfRQENunNO2v{q3COF-bBes0D(oS@9Rfg;U`@}%;IMe4 zIj`B}8eH8Y=9Nr5*I8!vl*reU&x?xQ-NfU99{?;<9(d_3*i>~sp49Jt{dJsWqpu3g z({F@=^>{IEe`Z?4xG9xSyXHo;wKT7)gkx!B;cr%q%Y1f-NuG|%F;UZYCg12Lm#C^L<&Q}W*7aOwjrDly7$*!|cNDVKs+@yrt^fLW zKaH^+AGj_oh#AxUZQIw+hj~7>iX1nKu%4P=9$tJsjt#W_$i2#Xr+oEbsjkYuOuo{A^_&%2X|xKQuS{B zc2bbcL|H3=dXX$IkVODqYtN)Q%m(%In*xf(f~g?O@roY|YuWw*oUgG{ZP78=+0U5l zWTx8UzaAWLZpSC9YPs{Z*salH+la25lRYIxk7QD|8pAdLGm7o=)0r38^p5xc?bO)C zG0)nFySU3}HGcrnemA_H&Q}FXRB4JCsTg>0E&G~*?AOTawInI3dkc(a+%r!%A0hEPzP8Sy$ zdp>(WY`Ut@yLP$7aX)^mXG}B=0ZwZ707i~bFfLF`LZx;cHAREe z4Mh7nDXNYLai93=pDbllXX*n%&4wf9%p(SRtZIfkbLgqoC3j&;PbC z)(6hltNu3`-%4eX<_Gh!gaz4Z3p~nC%xOqN^Xk_X;6(mRJA9TLc7YjSM%KHdV zhvsP@WcVci2ON#L2MtHN71aOG3-EXm6YJDT3mc1SuNYL_WJQbl5J3+E!sTfIIGR2h zj%Jw{v8jte(I9*cU%b$xyxdEjm+Nurn(Xh2F=n1CI3*>p40heYstx1lC-S`Vrzw=f z(R6V~?X>j6FE5b{Sq24nkXc$A()HQ9Y;$RF

o`1c+s$y?49Coqu!a|L);{@9PTi zn`M?>1YqQx^eH?QwzzU+U7oI7W@$rtE0x(BM`&TYGxeMFije zW1{leODv>I79g9FncVmMT}|+6a|SkAG^HB=mQet}vfP%Q8(Hmth^FMlu@FE+9yJ>o z%fvK=Jhd7z^E3)E};#v*EyXOwk8G4~1uo7@Bs%ItauMUQ8MvPgAHY(0)JI@=QHk zcUKDqfnUDgE*=aQeT66p_N(6{Wz~*cR1V~}s@{`3YEDh%eCj^)*XGd+;JSZ>;cqto znG{qm#n{zA?(5J@O%QQlNc~QbF)z}iBUx)N4E`>id4cxiDW<-boGMp{fV?(6JysPK z-C_ScCrzqlr%$+kG4BbMdTX@k3DIFVy%++}D7`379|{Lz-d9gdpdaz|l!0^tNYT^q zIg_Y0-{$NsVh|lblM$+*um%>?1EEM5V&Ux<`5#yBLLH$B!FXAZm4?~!!7|N*u!U#x z7Q;ZcZV|Q?B`sJOK`NP2f_es&yIWfyh8{I&I{`uGOFcn}!_J_(Hvq#NxYWrF=`iBdZf`tBHD_;4M2q(B49@{!|g! z7-GCVvFY9hO)oV!lLy&peLLc<>n@%?o@jg38&96Ex*}$R&W3)z;x8$;fr^Pn=2MoK zg`|LhKL}+S^JIH~Qo6`FJ_PhrUqa&#eF<&1#$udb`VuRFBS3nmY#9r9f#2jMvH*Dr z2gFzBm9;UZ#@e6q5=<77&3iBNfmU!7%<1#H=4EoB2c!bwI5<`sP@ykjbLr*9*d9wT zKmm61?N50L+GPD_F|8;h&I>ujS{hNveM`mDPlOjZqR&FKh!=+f&H$w;M02_w3LYkp%i8azhSOoBa92|ItOD{}2=NM6UjH z5eBh@`Jax5-ZF?jJ?E}FLmV}JSDC2X%v0OZ1?Fyr{Sv3HakLH4YCLCHBz;MlXk z#uYMgT$&$<;(eugsAUKI8NxFS$H~)`h*K+!)+4YB+A%VKU_G7_cF=rJlR(b%extxf zA!z`+zSl-1m5gMNK)M+9pu`$;mXtp6>dR;)CO(AXW>+{t5j~R_j;m9XNXYtYuQg|(DgY$I1&lj>d zoKg5qJx|vy8M#1~mKoQox;TA2gXigGTAe-oNF*8F#ankzxjVDcUR}rdaMf#zzbJ!(yqOg@HzQDd(>&clZD4f=#8Y_BTgc9y@Zi=Ln~@Gw)6JP&o+b~YKh z+>PhoE@ut1N`s3Ua1Px+xX9ATHL}PllmmvyfC-jh&z?j%q}be#9HfY3W3lG4!cxP_N`NdBeT%~Tl&xw8z#-OxZeb6_qz zldWYTY2`{l3+sf88)=pq;;#JI{Yuf3D_BtGlEIMsjhZ=fKwW}}_YJW-b@tR6#hH-S zoT9R)Ye9A`;+x=Lb@SJXk2+3KoZD=E%~Z>;a#2f92@VkbiSSf#V+QIE4BWoX>vK5X zvLw4MI>CXU6CAHv;oZNU?>}5$KfiPz52iUidoxO!dycNm`ZfC_e(?q`fXk_1l_%6if%5rJ8DwpPVDzUXZjFIHU zG@1oqv@Kr{qy4bPn!RK9WXt2-_i)#h*4<3Kp(q_xVR5YdV39F}EJj?6GTRkKP&@mgYWqIKkxhoC)~> zFYhC|j33NIcu2IB#m4h_D=VEgXIes;W_WrqcT>9TCLz~3y!kGGP$_Z9$ z1;iRw%TZQ{xct?#i*T!vDSdYI$1CyjJ|--4lKb5b&Zy^?T|_+}<&B&C z-6yPskGtaMuG?+-QLwd-;a-u=DOY=)ZS9h+nfc?f z%1tg5YPx7-`Jm!cu5y{(qJh$6S2sffe)Xb;MZqSI>hW;st&tbUHH+0yr*`|Z+}e!$ zmhNi}5v9u%aq^fGy;VDAy0YCI_I=<(t=5xm+dFgf@*vVtY&yp`(?iGCPq)ivA3)N_ zIem%)Z7b&xU79ygzD?#rT6MM4!bTanwG-z3iAPOAp6>}+80REK%!~DYl($jcvf~v$YY@j2Fc1ilchauhk?l;f*0A*){(dtLhmh9sXt#jI6 z4UPaHp~G_9r(Zxq&6_H}wsm72k~jS>gH6_E>C)-W(9ZFTFM7rO2Fj@VZzF*}3l0DD zk{8#3RDjzP6C{(K;5;o!QhGbusjfQ24mG)|mOdf7E#_~bGYhlXZY*7$6g5pCUY*Wc zGrW3zhHmxpe3!u4lPREXva8`t&Ywi!4Ac-S1dx2t1Ld4=y`OK5%30^m~eft%sbT3%i$92 zJcn^Q?j-51Q+HAJr6@IAVyaT#*-V0NH{8c%ykzt+7?lbWYlP}+zAaH zE)0L?4A`{Jbm}xS9p~=@Q+9Z$fRAj8?Q*yGdUPhf3eSXUR@92^w75F$0Bz*g*mTgB zIfE}o6LS0TC3B&N8$v4)ZTFaKr(G;wyxpl}Lfv<59?3grvFkCNTZ+_f*48CIlg7oW z)&;ALV^!;q>KW7cS=h-#BwC?Im3$+sT~(26)xR{p}3@(O>je!2SPf3CP-C(INIQ@36}SAG>Kk?pC1s7%Pj^{cVE|V z!t#A+%AwWFN$G4k?$!}mdwWCzGgQ>Blb6OVt&OtEap*;!E&?x$s)<_Mmk>+R^FEop zGBC+K$n=12ym& z|DWdgmyPoOw91(=TXOS|PwCCD*}b0d@0^uR9Uf$mlO?su<2TX^(0oakGI4CO_v7K_ zjyW|aBTM(SbsF?tcQ~>ujwU|GbX7W+9nW6gPTcZ`q|c`TJF3u8tfFxh$ob3c{MuN2 zdMM1Qy5IjZQdX%`yKJwpZPG6&a-qYs53(;4v8ktHV4Ex{0Da7LT<_V`cvv?{#xR%r zU0I3d^o-x9UIWh7A`kNH?iD@uT}w*5BTrz@@JB9iYgL}!L05v|{os^7jj#~O88tm6 z>hs->5nTs-catp#;1+IEdHWh?iKakf-3mbr-4G|I%F(Xl)Jsxh|Z?Rr;j`r^d` z!y>(j&ZmKF1`ypr{*V$Gn$g<*e%Y|MB%wSJCtygM#m=%#XsqzlusASaeGk8XYoib# zs@?JaVR*FHrnZ18lm`_l36F~y@BhoPNHE{A%_R_R{e3mmi_pPUVa!cyzw6Cei)Ld| z#o0@?PsXp+YRLp;9x%$CGzqM{c;@L*$h7qMlqKM-AhY%$v^mRk1YsOblz+B1MB}xk zcB*KM=XLAO*xQ9$ZbhaCdUD{EVgW;hFYCS4YQ)k4^GZrrYAW)K1Y(wawazW7RkqyKl~qOLVL^ z;(`=9Ug>s--_br|3YDEJIe&bci({__ex9F9i(?8m*w+0Oq7sY1jT&BSK z+3r7lPTNR#?zJ}JVs&V?hQa)*3|{pLfD#tkhO2CppxmS%@G$aok~o6Xu&U+dATQ$H z4PG!O@K#M-#|KeIr#6!J0E6zae@!^~)JcDN|E7(+*Z^Iy4vxRx_K=oQ4unPU^wFcY ziXSJ)V1$gdA3We}Wypuf1_ef5@Pcz@EmA4CO_Oiwe(-l22@#+0oZrw|y09gga-L@{e?~26 zO`U&F_PEt=Psn0~Ytl2{Gga}CjG}STDho0EXx4_l>Ttzte5WO^4!O{EZ&>O4c*?lU zRZKS)`Hr$}LV+!bLY-U1+&Wqhsz8hh8igP2xLL8j?47D8ZPA!)b2_T!eLdL=q7@WN zEXG#Y3t~$uEu}1h)xO2X4}Do)ob-5rgf$gJWvF9Qvdnm@%AP)9C%6lDmzOC@J_wC} z(q1bvPV`yWCedkUfLp(ThP=fiQ^U$6?yPn5mLd;Ub&=OM4LzqQMyzVnB(JHB(d@YO z`OfUTl1XcNqEVnMUB5v3t90U1Ck4E87Z2Mw>csJRA2zIjhf9SY*RHSP(l8N%ZG)dS z>T10bQ5%aQq~H5Q224rX^KCGoX{F2Qv>O-(hz4(?XWltcnw4LI87~DWuMcZ-9c}6N zGpy}t=9}Ggn%A6vn^9{-4geK{!z(;g2Xu`FsRUC!1X^{WxwlG0g?K$!pIEKukRa-N`c8>B^k zEqNJ@1|IWWV&ky?g`MA1{C8zU2lnj&eJGP2P7V0!VTDD!gu< zxoo%gbY?`~f}7^D6Hf@}Cr(1EE+@9e9W0yhN6OL@UB3o;+l5$S>Zd)5S_ra5I`0fM zC|kQ3*%`_@n&ifz^6R`j-B&u~LzZYHUdA|WObKo{E}KCYbf4q6_SL~tN-UkA-7Orx z#vnH?ux`&OV$3vb({SB1+v<`=r88UASc%4Ql};Ar!~7-NXmd2*G>TJ`ha5vi;kF$3 z_$&lyC4YT*#ShMAxVxEeFe^9ZQdeT(t?u>mK>ZAN4|?mN)m2WhKua@^b^?8bsw%5+u3vL_zY*_MZV}hTKbW z$6xeSi{+=Z7R)`Fg5ZHBL&p4aW#nz-mq;ZC5%sL(3e>2WIAzI?y$t7=)<5X0c!S-# z?sD>$+R}U*Y*jpbCL|mK+0{otY;v zU_26=4ZeLRoU)OY#?6(;qqtSsQ~wKA+y-e^JT|@DGJ{4+Y?cb`VUS@Ss8L`a<2IpP z^ZhyL+jGPCb#r1Eyp8h)|69E(ppS5X>$+&**%J%$HadgTLEEK9j$8FV6E4u$RGY~I z_0#v~N7IwmRcUisYG*-jwOYxGXwJ))oJsqj+Q5NZF4f8G;1M8HE^(1;5T5=u2rH>~m z;%rJEHcqA}*DqF1CeUn|0R^OMo)xwf6BSQ5XKv185v$$%kcsbtc7_Vto#UA>zpL>=F1@&hqZVe@a!BDa$ZHJa?>fKV+8~kiA6ye}&<6KwAhZBlE z-)Ml03x>+TZ=JrH3;h`m9JR$k@CNkK!vnapW!KXy0!-pR0UcWB`+$R8s(x4V>^PB1^fBgc)~P2w~*kS9KQak^Xf!xYee=%bs>F)ROcpgCy;^ITXr6-jVvHFHK928kgaFxH_@w_oPK+K@{;@5J3=ea`XJ+H zw$C5-;pqD&kGSkqxw+GpBCk$>qS#~~dI~n5Z%`47FpVQlpd)>cbGsnF- zp4#Uf>qw6$wsJBbEefaODeV!ygbnAawLJo~|3CAmcPDYM&B+Fy|It&bHb##_TNY1T|q7W zX04xke*%9?{6Gu<@OK2E@ZrZ8)$u(I*u*Q!OGcuR-XUcGkgmclTa@nKE9h{E%e zRS$7CqH2)$LS`sWf-UvroRrI}cGDJOc)Oj)e&p8hs6H$?fDT%4SdnZR`zqP(`KCPy zt%xm)rQL%hBFqYZat;9O@wC1`b>7Tp>CO&RA0=AmMB~2H-)8sxp@=H{o0sqe#_2AN zRmg^X!{~8k1L~;ixneenGU!b3{hiBL1NiDQ9ALS|FLFKhTDM6^C;ZyLi;^hK@bn`S zpwxeUBtGe|d(Jeja)D3n*S9`>RgrmaUUQ`HBPrZ35B5iKCj<{8&xP=^^g%rkt$d#M zVZz!C#8xKOWd!>92>%~V93K+Ap9}&DPzyIM3ia*}FwxgajD1WJ72Dt+r51OvXNXm! zr*oD$#M8jDpM%XQ-aOe;2M-fwJ@#D5Vv^7bkxz>cZN|g%P*cTs4AumX51`B}GgrxY z^S_D~i&7iswPrFTtX$!EQcN7Sb~wii5lZ~EFO%UF8{%O`m%E%zOb;3f#W|GmH4alM z$zW)ZcYCHIsjU@veNqhV?z4BP6@mR?89ZoZInP95z}(C zkcZ1$#_F@Bq0hmI0fXueL%V<}6+c{3CgRP@MuQO{puaMiZYXWxAhl`B7!OQo}>{Kh%Cq;}N|;E)rIuVmG%>fG`)BtFfH7*^6*2UnCG86E#gToV2P^`Zkn; zW8>|D2~s$kSiKS_=A_*{x^m{QJ$0Fo(2=RVtd(Wi^{P&% z2*3JJwV0dqb_Nnk=$1}rhUj>{U21Amm3ZGL1Fwc8BYMxRAXkzZO@p4mTBOs)7&vi8 z*l>Ya$7)#JYQWF#v&7>>w-wR1YsdX()H2+kI>6C+s3W& zbb4Xs>mPO9hD)3$x34bP51k*k_QhC&|595DdGG~28qi>>>^jF5)ZH47?IY}WH)Syz zSdn>W`hRb)D3Ox&g6F3ig{S*@iL1umO@WkDl`;r$NwipSNDH(8VRR0ROI8eK- zG#sLt{)zRK9r9xdkK_eeyVv37==WfF*?rXI&MAG4bM9e|xq2@yM^ZO1iuNra`z^z8 zZec5R$m65)<5`-QtxhA)(}%QdKM?V8=9L>|8oy?Y?i*r^bNNdu?#Uyp#=2uRtkIu? zxLAo~n7cT{0l}g&4C}Y%Da^v?s~L0mSST$Hy4A!lIQ9bn-`!b?ZeuV+YZ>`Sp!I#+ zPz%*o|D~gi9A$cM!#216&TeBo6$T;hP#B1E*5#qSQP>8mnjD$O68LKh;8&-tCE)%% zu4__2X#6i2Hf+V#UnVh9N#fg!U=LQih&hV+NE9jIiIN11C9>)5gTQ`W=tveJ(1#2N z(`{x5&FZ5TzZgoR3_}v7>zY-sAn$78%e7c^=TYh!c^=-s3A4xL98OQ)x_Em>ShasD zg;K`k4;c118iq}chGFw67wp501SucB$&tuP6|4errrV8N4B2=Jdms|fXf7Z;`2*ajJ5#@u& z4E!Q#-wgvu+JSZU>Ay(YhSaM$#9_^Q0AxwTu{m3KI3mFn7Jqc2Dl8^E=MR!LY$OW?ff^BEbZJ)}uo!A8 zo$VQN(>tOH=DVB<0*}&AIfD}29ciegC)SRQ(smn4&|x;%#$uI`E3hMyO&Z819j&9B zth#Fe#Phdd=vCwt0}ALztXjtM901HK&^o-&uk1QodN^|1W0A zjvjX7r1t`C|2ZG=Gps4Nf*yecY5ae<)x>#G^DfB>T^ov%bXR7c?XW;hqB#cG&$XjW z&$hQ`X3EB6!afr>`>p_P!qivP=eSxM{ zGqim*YYXLbXL!N3fv#3ox&1RUpp&kUr$jC2 zR>Z_OK1T0m-B*eSxQHU#JZ*S5j5N+r%g$^{+}bNj)s~`MGJ@&``w{fe)=m}J6Fh^B zNP2pNVnGL`xPz+aa3i40sj|;NFVylrMB)HB2dmLV^TR84I!jqE+0Jr8cL21!mInZm zaygR}w|~ie9UD8+L-^2L79hKOEXI|!(Ybht12}0tyCwJ&0cM{(4wuWEm5A?A{*@Vh zY_F|9QAPs9j^_RjsxCY3q;jPwb6w~<-a=6q4~(*A?Oh?zU}Byxk(HO1-w7V|@UXM^ z+o}Hh4-PW*Sk3zLdq`42dRC`x|K&NX7_$hxg#Kv zRexaYKwAvFmc0CTO|dVE>BNu$pI2 zoW=MWF>vNxn)^>Z4~jZq7Bc(a(reGYLdFFh*hkw8YN0+a@?TB9Z{xQPuXDeDeekQ1Y|B!p+kiws43I@rh~W8>myaVfdlJsLqP zj}p5Rgf8OR+fHmrkk|cT&GS>_HXcTdxNZ^}n~NzSyuq5)3xtcooOz+koS)=1O-&tN zeg6*}_}{Ib!uJiXE1pyj-`~CowgAe!l3?xhW8;`HyEWbX*ueX#Y>^$!eaer4bx z(ksXaQWO0XdQL2mJ6bM*-MWlwR?NtjK$?M&(GCv{R`kq3OO1Ke2o`nAacb7(`-^P12963b^ zrYZA2uS;R*aB_;2PmL9yaVi#)HQs@aP7TFW%?iq?8B6c@jS`h;U+DCPyIO7EN@T9? z-=mW75FvmqSwoqO%~mnQBY5!lK1A1Y>7Q>vg1dO?Br2;aQ#f_3SF0WxNF|p3osN0; z@4iTd9FuiUQoX$@@3&t|^ul>e3I}yXg}r>sgq4gRPGpRfS@s8s(>pdje*h<4#rbP_ z?GaUKG<}U@^Ig_xXzP&X%~6tJ-cyUbPT6=YZ<&grYzn@>ymhmmnDqiGG-kaETFxrx zX73sgsk|0)gI7fA`Uh#HkW~4vys)lPgjUEWUdg|a){jiM+zDVEOm#(i#)m@jd~@E_=TEY}1H4@ic6gwv+Rs6t57T$eR? z4w|FVEC;E?jh8tLER>fFL)n#ec@`+Rn8o$_mjux}a1>8!DSUEtqh-Ie5!zmhhjN3J z_!%d+P`cTfwJWWHUq#jxzPT2%7S6-Gj+B(ulhdPN3wyHVBU7&oB6Y-3^8v4|mlJkA z>WCgLu&-M8jeS?D=e&DB$W-teATIMR-2bpk0P0TIeG0zV^A7YrONXuYIt8SHgWRG# zHUw8A3(^X~6C0Z;-{)UDIyuU?xR@61>v>8`Ka0&$jcywtSSkE|N&pIt*z2Hzh~1K| zxT>%BVcS1^WHsEigo=(X0fo)#@tXuj*i_cL?1f*fRE z1cr~9uG7nm{)v;%3^X7g=c-!GI%zADa(|2JTa=Wy|v4cFU6sk8fM&#Yq)VOSH!tq9O1M!3mh~k8- zgUw4s7e9Q}v1#B4*!#&XC>&ql@X(yT)K0A(nfk~3GPf* zN&HQpRuAtq?MxYmG>+NSj#iP=R*(GU4w9Ye*NM=(4zqG?Mt*8UPwU9Aa?;_vvjJ?! zAg*iiDkXBHaOHRJxBvEr9b|6?4wt})|d-A(G25!FE%t8mceTl_qQS!p?uPH`1J!qGf zKq0h5e_$k9e>!_ANGdPkg;TSV=27W$0L(9WWEp@Ig~gLLIAPXCqV$LTikf-Amfve_ zO7S_Xb~?Cq&kO)FuV<8f!9fZSr@f_sn672+2y3${o1vgTY417lH{1E9)5heHGInCU zjY!m*o+hqn)6;dF`R01zMq_kRwA|l6PCmRclJP97|A!WbbA7hO>)^eP4ytUW=2~g& z1^3xH{vA{U;ldL=!6RDg&|1mU8#>$$N@OZq9z!dtr9Ir-d%Z4a>eUx2`AQ@+MX$|# z#!N+TVUnJ(IyZ65JWlF9t&gZJ=4Wv~+6v=6Z;M`>a_9}Btc725<2+eKquBrD;{FVH zUs&UWE=M1sjzH|rL;0*hITbg2EQ8x+X5VA+cXbfQJoH^?7nsjobGUgcFEy7%WBF7x zigjiI%zsZmTlRA1t)1 zT1#*X)%zVAu84sFHt6YlA?oWaUz)rw*u+B8@Hn0wy#CED>|@*7*EZIjA=mI0Jx2Nm zw7xLpLuyWJut@?^F-w8gc=-cZT~--UZ0tOsy4Q0tI(!AG{TAI!_NvGEU$Vl&>nPe^3_LdAp`U@`s2_F^bTP~jij zi_!c18WMKqv7CINB^2XPNfs;lC|%Av=PE_@WB@xC51=e+i~5;1_E_pxWI`Rc-juNd zrH8IR?IV)}ju8{+k(lv`q=F(`D&lp zT($}?@|RhM0b^hyDAehG+;&v?zWZ!=;?B#VZ^mPnvqprwD^q~@E{Os^H%!r;5_7j6;el#s>fufMm{sM1IUB1z$^U|yT! z;sDLsd-mXZw`A9@{M_o~UOq`}(%ch`CpK#SoRVk1_@uXw%3!69Dnd_EP|$l^knrS- zK|u!Gm-OZBkZU;0DW)GDx?yOuJ5OW1c^Ucz`z}_E{g-rxu?}gqpKF~f1qHxbr_)tn zty8z_TREcoMhK{P|uxsb`CDs>{|!NMT21OpZnSqd_c*4NyX8bS<*QZt!#lz&E=qlbnfp zDH-soTol(LhA%_wT-(I=wdRa1X7`(RWo+L*lav!q z3emjW8@4;1hTM5Dv%gapBwV+5*b+0^*V1>nog;q8*}R!oAvSY7L$ew=QTw+$<<}1d zSj2O#16JavsVsF`rBIXINT}|{Q{T9Rap%Kb7*hrRq`x3%$n?6h%lQ_()M_=6ag=&T zFLmYtWV&0W52>9yN^^%8$nFi4`_|;Lrs|Eybc7;3Zpkymv62r z3IUQAf%Y6pD?OD|gCEr_o`iY~n)sW_>Tj_Ht1DSjM@DLsSmKB+N7xu@tr4>5zm~Am zes(J!A=3qA&5h;4iXb?*BKwTWizPdrU%i-oIr*>bBI1)Y_V;;IH*qt=XF^)w6SbDY0|e z(NuA&r#A#wA<<7X5I=0}hzSjKnYER!KIs{4d7iCtGPyf=si^02KDkg=cM-ObRaVB9 z2VIUTbld-KFI>rK8lG~#uHsGMZQG(gNK729kJ8!uFzaroYriLJH}8-rnVPga_YzA2 zaW<_)AE*O%u#m#6URFyA#OsB4*RF5d{D+HA5yyw=f3WrL@l5xB{QpGQmu-wsPo6@5>8F^G}B?rww6(QpXVEn=djfz7S+fPC;#fq!Tg+ul1_ z`*r+Tf7cMZO8{r~zp}mMcVBIoS`b+0Pob}@BphVCk(4wToK#HUX2p!BZx!d(hWvVa zOFwnCTM8)H9!*&nZA@n-**UJ}eKScqYSWU>2Ex7h)k*~kKtrms%YFjO@Y3=8QaAs` z`^nm!4>wL0tE>X)Ud0DG`+h_&7Joo|mM6GAj7Qt~`k1c9UrIF5++DTdgz_ojt~f>K zU{mKL-r6o=9{W91n*3l=n{#i#%?6j?O9JM-T|6-kS1jg40{6n(L(jh7s*^r;tZT}7 zv!TGYYElNpW|lAOMoV#b0fX50_!GBY&%xpE%0}V6Xp=fhNS9~BRzkajRj^^)lJ(d7 zF44?_0!v)TjVoqQ@6D>0Qf*W2LXkp_td)ndD6J!KxT4CRT8CiVA2CyD{NO7&aQZ4_ zlXn`_!%#`o@3~e7P6p4;XqH-GcDTq-P3}{Em*UBLViPcdNUuT1*D5C2@xE4DRP8(A z5z<{X8Rc2d)VQn5k3hxv*KnGyQP7(+OQ29lYv5MqlE$W{Lg-O}nA682$>e@%TdWS~EuYG-$E~H_)D~C`d zv1JET;!Gy;4(kU_NebExlrbOMJju@=ekmi);Z+Rj^l>{kS~dhQI_3{*+=OqAm@+4-y0 zhDy3!3~~NiHmgnu@?cJxgEpMHjNwtILLMt@aW)&$YJ#Ue1x|ZL*zPwuk$GwyePa4s zPH%7T{J0r)J zJbvs|R6OkV?C$aBI|mQS@7d!e!)Ee3@|w~1ad*z{0M*k*DQHC30AdhXF*Ax^(hMBX zh_gVSrI6beLU9SQGDtl?2MOgW_hGMRoCJ$z3G>Ya!_{L|n(`83^_U~s^m4FDF%wW_PG2VxARn}X!+Vt0nnx8Xalg;-N5)yV)AJ_x5%+9{4 z>xp$lTwd<=EwbSc{$j7Z^@Jy+8LGB@nEjA2JlC6^U!6B10-3xUJRc#s{SxXcUC`0K zUK_L4mN!IZo(aV1r5qW^)}U;;m!~DnQmq>Etke**7gJQLI&NEku;eh&d5dv|)J&_?b&J{)!fQ+#;K#MQkGJzn+7|fER*zzhaX+>ehnK3js%5Hz zIYKbhdeo>FRfjnM^&}5c_8X8A6``bLAc0z=#tD}xeW|I+Xj?yW|5zY(^c%Ql`MlrCGY*x8yL>Pt6TL%d1J)$p-0tCGj^+{w3!kExi!?yZfnQ&DdG ziq%;tGHr9X+>0V_T8lDnDeJu{J=Ci&>v87HHf&|vX*z3}mO)-NjOH4H2hzC9?aUvM zAhHEzf7y{V$5szpcd88kk-|m79dxTMciS)+wbIONb%v38Cgk#=gI&13z3t>21?%>98uK151PZosVrCe&wFv7SP`a-L-F>N7Kep8BB_fhk?;r>dWd2JXU z);B>GbIdbqKZ1MG?8i`QFH2b%^q4>ELl5m7eE13$KCmy~zyh);xyaE`7YuK@)RZms z&)4`3JPHh~3cfrNGrymEP=BwI7^LaX*=G2BO^P05Zt{9+$h<yH(1% zb+}z4MGguAee*lc=ygK;*#t`Q{_LovrOYnBKsCfj?SyQvn#x)aw_?!ZzK=4^kVGFd zkLcnrZtt_6hCj~@FBUh~HL?+Z^bYfv9(Laa0Mct1R2R-Y0h(zPx*GFY=;6kkPwZi8 z&Ns2ryOlz-uMU1(z`rC$va20t|#p0GzYJqJJ zI6n;@UynTCf6Y$cZTVZN$e6K$LSe9MNJG;d^yBNz(Rc&Ig}mxI&-`6y%mrLJ_5^(B zp5lA2UC7J2@kJ+qUymCGsg;@MTdQtmF3dZpl>x)Zl=Rcuj{s{;Rs6Txbik`(vOxM) zA|`i}1oImnZHksoI?&F5YMfuK4PGiO8??ThnSOl)uuj@LHf`Tx@vRcmWJCRN7&mP!nd?ggGHy?mbl9V{^Ja|b3iZyOvN ziH!$exnZiG8#7%)WJVf6~nb^gySin>?%o5!x`{MIv!1(hpf}qnUjV)xK3CrT=!UT zhUCcX(UpBt7B+zgP+ndcwgEg%NZ^-c$#anIL;JiHZ(V7IjcvQmor4xs!KzNl#ty=E zqgb&zm&Q;2HXG8S$sV}QV7N7ZJYr+p3>L1*Teg?t%T}@sGq*2_^+^fu6u_$7eRupH zH$AWfbaCxt<8@?Se+j+A*m3IM@lye&r*^5#{>3Wtjs^{Bj6+uIPYF3TPQ-{*u?*fN zG*?wf&13?Rs5!Y~{h7L&McK=v#{hC@G=Pnbwt404%*csB>joD4ZOv)uzgX|HY00fD zedl|y`Cc$B=bMFY)4q$R?JOtsKJFCP-}%DWJjnPjd4MZjjHuJ+%{j>tbcKf!_90_I zm3PNFpDBmAw5GqkcJU{kNvoa-hg_2(o;reZ0A!S0UBCI2lZhHcEYc$flb@+2o0w|? z$sN>w7~$g^*KqyRg>k7vz`HZr_iXlNUCK(msG7^<>EO99k+f7q7c=E7-X0j~h2Qpx z|87BhSAGMEFI1vKEn8{XxPG-1C@1l|`NCV&ELaSCox>a`a+FWG6#863>*zb;!rH#K z+xc@YYD9}V1+PQUTI|oJD1UFO+R>++QDzNb*gU2)aJJ(k9I>|dBDV0`o1H*jYrFJA zD#aBYX7LGT?~DnI27L7P14Y+`GWwsaeG*^fRj+%@+iMtDo%e`RH7_Z!tsGj!64>Gn zwuxctUVW!IZ<|9+YZjo?F2f-vncHfO_kefnZh|;-=`sD<b0a~*BRMO`>)LB%y!R-A%o5(a74v7I@7!ny5mPG-I-Aqg@*_N4v*txCm_ z){Pn_)^a@V^p&j1A}k$VH_{^{g-Cdch*1!4BzTjKYi*MLzWVdf$_JmB1k`fCMf5D# zrSDNTvaHS*UdP>>ZrU8%3_~NAc2#&`#!|=tbHovbWR&TwcB8%%B~_LxnhX4X1X8EB zX9rpjt*o%?Z!WTnY5{lSNwLW#6w3=H;FX~``>0oegFzdv_sU~{6=uZd#tWOr=NC)Z zXK@|(bwVPV#h5?qETR%tPf$R?tYV$&~d(=$Y4dBcGY^MRaB# zDCF9;KEvC;{c*MSVCXZ& z+FKlUS{I_5KPaNJoi*LONwnBqd#O7Ki(8Sb-;mMaI1GjCcfto4ShtF^t0AOIvliS z-;&n}1ju#Q?;ls&?rk?dZgbIfGKr|5u6Z!zieyuRLx0F?{VUi!U9jlFTYdtg5rzQf z?yXFmFh;C-93l>W)CBk|$h8ZS^lPt;y}!f-JUw#UTjkzqu>C8?rzMwGv9jc&Lw^n+LQc$(@ILXfElVWYal*hi1Rws+0PW(t(R}$QLc>`alPTml8 zv6=OpS*}@r)?|Jr?jkURC0vwz)EOOrM+RNT*ld<%(yt}maUAoY_{P-0SH@%dShpx+ zo8QEv4UuCk-4aSgcK7pae@b8q*FHX~U+U|q9f#(L<(QY>3YJ%^-RxS-#zGXZxJ09r zrVGu9=7Z!RynVhRo)U<+4d^{%P%~idHbjvvr~qq`E7F2_H(I*_Ay1cWRdH>jj#wlD z@i5|9F1Gq2TWz<1rzeG!m>&{5T;fc=8hPBFA3Q_6@>pS1bc`#u?5jR>8c(NP6{0yi zr-r(&O?4A6p-s_Rvn)N*3k`O!(DLa&9lO3n8z+Y0e^j~+$41hi^@|mJk6L^1tDvP<0@{p z`)`hJZm)vv4z9S?T^_uO#2O&E3l|#RdMxGW=q$y@%`Q=_!GYe0vwoXKU^ z?K!_xbJdgO&rXIe@JN6|CY&x9PP`-dJZ$iel27X6f1bAqe+UwxJ<%)o`*YfX-rcy6 zuQk6+om;0QVmk0L8bl#J<`Vr8Z4sc5bHDjCJ((|kO0`>NaANRk=cPKUj_H2-2E#qQuk-;Ba>UYWv`$1 zU6y?ILZt3!y1eKgPX(S74JJs-=*C@ql9Ov5SfW}ID4>;MSYei=CfzP|@@B=+sdSsR zXLh<;^4nQ4Jr{OEURVkT2s7_P61@e-xaY0`OU`GPQ#~WX0dnZM9eZ3UTqa(f642@S zVkYzfy!aEa!QPY~FI%ayp^CuW(}@L`poTIB95g|qK-Pt zqrF1=7+|`_V#UaxF2t(vXsuxjnTsX$qNHXuYhZ$Tg$4n_a^!1MCNX5~D#n&!-Y*MP zJxhU@gcZLLW(;mUntXaxM^rl*S3Bx9h^ECh^ApU~t7k}tspZzGq3<+kL$&j;@fpc9 z7sD%mPFyiM!TW!0g!~tEFJ7CvC&w2h(yE`-JieO}h7ZJchH&~)7T)PFS@ARsKj?yU zilo4Diswry@W+cY3MqqUYU>TG&qE-Dy4&1OyOrCK3kq}i4I(#qV=m3%_4V!rX1u%! zj>7eb7-^#prGj)>SSw;`L`-0Q;kE9OvhJo|yz0NQIJEU{?o5q2?gPqhL5@+eo6#z+YX%&~ zm38<0@A4G&><H^jkgUDI;>bcQYOX{i~DQ4;> z9$p3BIIoB@&wGz*2CO>QGE9nz7B(c(R(X}DK!3KWzQQK4wke7`rpuo0Fa2tlf`jKH zBcpMTHf7C8xU$UF5*+VtNz0xmQ6Enp>>2}YJSJuMwCCdyUneaLD4V76^!MQ+x41M6almE}G;U&$ z<5p0q4TmcPJ04sK@~ntL(nYspL!Fsr+)c9nJat$JI1U)_pG^SGZPWCoBp4D7<#~}) zmuz9HF+$@eko8mF`F0L=&#__T_dQ zj<8sfhYq|=tVj*m3RG+2=i4CWEBvTPQ8EzTb&x-fe3f58YEzrziqdlyJq;D;wh6<6 zoASG^i~Z~D`#&m@xZcB|tfGMdLS&gIbiHb5#Q3|KK#ar)Oojzp9I2SyEZzgzekko; znoW4v;wfTwKP5~kd$D?-5>C=Cr1f_x;q3q=>q6ZyVXFdF5rVwJRywzRAAJ ze{R|e9oZl`xzSMLCz*Y9{O``vhRS6hY!Rae=Gk3_e5Bf9;#QD-p#|2cUuloXim9J1lL{r4pv%?EyzoB5 zw<+%BV>Yib+Ur4_QBfLEeQcE~+diBjjiu^!f&BMpDe#rQ?-LwTj_~>QTiO1PrZ|p| z`a}63yB%7^wu)YHd10g!Y>?|F#hTGrXJIcN60xs~P^%SMIB4UgN;)1GfmXJ8IVGLhJcy6OjeE zFnt~GukngtWefQf+H_-=xB44-kx$UKMvT_$MtZ*U3MfC_IkCob5U;vqZbTfw_v( z&3*aTb0Gy?} zYjVx)~+wn3?Kp|E7YwWeBepXBg9h z(|i|;UoarcKEb>Q{;?H0Sa_iHDpMwr>l@>&C3h(3i(gcLx@b!HhAoJYrv5JN)moLv;_;PrB}9h`NY54ZhXU| zU8_Sln)`)oL>68c0fdR6ASHs$v2`kU6H*9}YX>bRa;^7xxWKaEuOI~b@2cCNz&YL( zp%AN2@C4%EmlV7A$04ED7D}Fv)QgU(QxYblu4zZEtjO(`}FG0 zuaiO29?7$z?M8#-K11b%;62N$1f35BR%(>q=Cp?nS34O#)?OQ%6 zn`5Mm?vEbgXSd(?`ONnXQv^Ekm$_$jbQXJ5Ek`Uqfi5>0d^Y|zWxep-z>XEXG>@7w zAEgHNis{QZhVTwv@*FO{l7F$KJb3dA9bht*-Z(PfaA`Ae0-*&@hDaiQO6M-;6UHhl zMi0hKY4d(jk9Ej}q-Dsbg$&4Yn@u$_W4!$i5Y+B_Npm-@4XX`5wFPg4)m+Kzt!1sb z`8C&w&iE`AlvTXEm2CDB-o57mT zEab}i&3;3e?&nR%gMvEIQZr^qcEx#lmIC3!+>zV2$_szKR`Jpk*NeQ=mGmdn0^-@ zQxwY^*dDFjMaSSsKm909Lef;SpbUysf%{0U?n7V#$DEk?*wg@^cR;qz#eO~f|C0Mx zQvMoGSB@ktCoQI#M`FA8IPD4GDp%HtK-Q!jiIso?_+Hqnt>^|OpDqo1y;N+dRGeE- zu_V8<8oX3ZRw|!6gmtUEZG$2Mb>p|5NDwy#J+PVgi!fOXVgR4x!y6^*-Si}!9^Jny zkXaWN84o#KD!OM(FCe#xm!N@cSp>tT$1PLOe-!Cy9aw0Vo2WLIKiD@= zNILp(8Nk%7A1CJlu{aa2VX9E|_Rtu{!0E=|A0b0d<0j;7m6~%wt=}z%DE!s#>8%C| zsLag5N|WJP!SGvLR-0}Rk1o3|s(VSNJ7|VDNCV_DlUynsH-FY|PzHY%0~~IMW)?V} zWEuvSJF{wi^;zi6TLlQNDaP&6;5b_;D?%w6uLc|I#L zf@-C1i@b+cm_;Lc6PQGG%Iu-T8uu7m3d*cjj~$wkutM>j)v$xKa}xhJ-qv|a3Gl$9 z1by0krbdIPaKNi_10HPKKuV66>pv-0^hSnX6on2~f$g6L#?0_GX5_&|CEPHdhG%KV zHpCo0z#OfK%@+J3tR+$YUo5%O2G_24Gy0&DcI;jk57s?>YEl$YQqJd1=1i92BxXW^ zPts+`#(!3MA$~$qzV+Ktx3!I4!$0&T1!|0+tGVqs=W}rELz2qBL2@b?-B&?hF!=)S z=RSldUI(2(N45Zv1{r^&iq-VpMZ%5_Pt3Zj45S>>UoMEJbbirQ)MO-MX5U2XDvT@6 z@P$GDEYC6(pIF#A8l_xDR8mfJJ3aU@d#KfC#?Y6iwgt*4N7^ss7kWpRDRki_D*cPn zMyp6~+WpGXMzy}HhdOsB(>(=E3jf3fuU0u27-T2l+?^DmKqIgAO!6q2xy!6hN`dH1PRWlx%$&`RNiw7ny3&3v~e}v^J;LD z6?G^~C|5RZeRd7PUsYeMZa7q7vJAwdF}Rztrwl)W=Redkho<Z7UOUG|`%^=?BVNi5CqSb7|7*y9Jhick-M0JiRt6juGlZbproa zf42rJ0ciQ?liA8B<66RL0ndh4vAEX9HKw*>h5Ue(s`+RB_phv&To(?=d*j~|o2hZN z)S;lE+yuh!v+$`_>Rf12P`=~Y@Ak%ji#)E(f=-}@?WH-hWP9eA5NLQ_UWQI4D`9Mm zHP^36&yYcA)IjUN^7Hn7(bIUFen_lUf*k3ed)dDa)}i}^LpB=mIPdQ73&;z=8D%>E zfcjFxD^olrC>>rDi2Xo~Qm1%3kZR|Hhf=UL?ojuNP7~n(4#+2~W}~lteg;RP{5bib zNRbZnXTP=eUfp#*Q`js-lDoq7_s-39ws;Dme-NklTo-9Wx9^chC%4$R-{Wk=n^Ev8 zZ?+?Nt@5%adb+!8QB$3MjR}L_=uaS958szvR4n^Zi=>HwxvCYvLS4C<8P}PFU2|wwLvGG)LvEgPRqFX~ny~}S%APoJ->Cs9*9FJ;V z^Yk2=1m+Hp?b`t(_P~^Ak1T9{VaIloZN|HM_6Ux3|Ka*=|39jl&qq()HL4?bnjpV{ z4z7&vfBi2CptT4<0Zja`JL#O8skZJbzD64B_Sz53Na^;YXpmyys{Q^<14g6g{SdX6 z$8XuHO^Pk#o>iS2WM%^QVrFu(oTAY4D8#oLnHtue2cYz=UkyU70~Um~;xJUgQ-ONd zas_?nPE{*w}oeKubC3|rFPnTbOf5{9WtFGG4y4v#cADerc)^_g^S zZi}wPeQs~MfDZwNVKlhv{$>GoJ`)W*{1(JC550I4U;zs6*_o{LTa6Lw-TV9=CLf2h zzaGgl0^nz%hL0sG^+FBtm4fm!Gn}Y`k-bRpaP*m71BmQ`f#50MJSfKjRXFqmq>U^6 zDM*mm8ja0|tfk%+S}iCwQ)pj@n>-GRI$H90_}6?t4YWgu+`ofTXmB|rgYMj3(O)UL zYah2|^LSuhHT7qke@A+Xc#qvmK4hr)yUGpG^#sJQQ=+k`jU+>T7>1fM3TDOX_YYJS zJMRhjPp`1`7a#?3I22jjnIzg-3se}S$D{K50(?#h4W`PjjRAG~qJI~=RaqI*y;QR( zLJmkj(D#vU!W`zG2xbrm`#;hRe@iz?^5~`$^^u2M8+6U4PESCI zbZc!5-|)~%R?R@A^eiq`ll6HAZKL1#Ci+GG;}chl>7w31{V?l^0?9$+ga# z_z9k;({JyxAv5T`AZ>Bu_`mR~Z9d$VA3g5WaZ;im1UCcLGR`kwRs-W$yVkeT}ft1^c^g95k zTBe*|>jHf+?*d^xETprNY~vS-^g*SngO;Pk-TPg;6U??4f69<6Jcga$9)tGSq38*< zmE?ipLyV>FWl~4Coy8ZRtKAgj$o|=kW1j!Bw%k4|mUVWVJ|VB( z5#thCC%y*T@}5?So$9F%{CTroK>ZDX!c)VNQa{eT~#i3ls2>gzWO~6cVL6o z6{?+l((4+!ed{$^W4<~?k2h>1^#E2hLMv)as3~PJvTBuV$u;$IsoA@07ZSb~keGlh0g$NTINvS#P#Y95?CNL%R7*{wGJwi>&B%2Q29ci6hvFj85!!EINyz?kU2T#3Imji{rS z2Qo}B9>L31m>R~cbZGy@^^{{fwFyPv>7~QR)F^96iRx1zYC>n}Ay}D5c7cpL*-jct z9q7{a81C~-U7CUh`Ye>bQmkb;B*H8ol~6wn=M@k0P9SoOm_)_}ZI6Z0Y(I)Amdt^L zEGArVkB%o?*fvH}$qzJQ&g<8OuQZS1Q=68H-LO^BI%_?0=lvZ~rApPT`&HcNs)aky z`}f^tQXeqT*t;(QS$3)k=?SJ+r+9Y$FceM1{TODNkXg*jhU9Tk$e*&4Nt}V2mM@XV zpJbxF?=K8SyUnxUV{WFDYZ)m7doG02K&eYieLB+Xw{cJZ$wv~f8bloh5AbNBY<*ZrnyZyRwyq zJ(ZOo0%h%eUCpKZprm1vu6zjF{8=|h>*C1X&Q`ZZ$&fu#0MoOfvov?qGI)zEiSP_r zu3Z;lWFtJOSrc#2(=Yq8`8+ASSg`Mk{h9t0b6aOJE~ zvU@JJY%JvDbnt3(xX>AhSdKZ5dz*=s&k+uiD&ARr@ymYlws3$m#``$ct=(+g|16LfJd=?*f zVrn@TuQ&R5F`owLO*a#!si(((TbpprOJ*ShF_3XUQH&wL?q1_jp-LkN3Hyf~I zV6Rse&fiq0R_YSUVTL+t1Eao+9&$g>IG5@+c;@l57dxX)-nkfDoSgN?<9CCkc_3 zuYr+^UccmD*3OQPjtGTmH;Cb#$iyHlMMZ(Cbd ziO~C)C0+Ous}kp7_vOEICtn_@ptTO_;#5o@L!G{0@l^jIy}EU+ge8k<{For2#CwVn z^)!FP0F_XiJO)@IT$5m4pL~7(v~k>r0Fy1gaRyEKYORiuUan%4pFVf z$61S(&#cq&*Wpy#&BE0w`CE*5KYH07tq$LslgC?J@*UB z1_n%pPzg()pu7ICg%2ZQZ0XyG?k+gMFcDw**v*!-qYaLakxbj8PKJ(!OqHpc%eEYK z^F4OEPOdW@h3ZQSSg5dRiko!chje#E1#glX00Usshz41cALm9}S0)(egfmA+)yUu8 z^t}3-2UxMe%quDL3VNp`nc&7CpXJ1@Rr&vEd;IGTq#P2&h#s{!^oNeTdAp(EJLYVW z5*CTa3F*wv$>jljO21gb1N=bpZ!<=A&}r!4-T>>~cZ$}V3^|1v-kr~N1dFv%@9ghE zr~A9F)&YZ3YG|~Qu9igH<{1A(%~0eTC`QK}AauJ%Nv!bJM@)H-UNrYW-prDFEharF z1-8J`zp9LiPaf>>>C;l7X`N@-Cit8x5;&{ouqshrI`_xUs)c^)U%wpcVXLKU z^*2RC*1j|scy0oi)RwNdMGL{|N#bbNubCz`YIcmGDU1#Xm~x@x=QDlPq}}v+0q^O= zRnO}{f%f_J-$sb)8XZ5H#&02&mRiDL8};Kq`#zUx01H1Yb$T5}#n-IuRp{D;KWU$} zj2uve_xqZc5i865CsX4WQ}wPiTT~-5(3F$w{jPpDYJ-lSt{&ixmt=iw@Jvo%F1RfZ zqsF*>kExPd3;qdqon^at8k(c?3f!htm{Hw2$qu%&I+VLLe6RM9jRK{QNsaS{5PpC{ zpTI)d3Bct?9I!!tjX*KOn(9&~7LdDsm& zuCVUS-l!vcFVYYB1;7FWQJnQ?@V7bwWYq*b(O_zds+dVEqhbR81UwhNvU*)21fzrq zo90VDz*@2-m_OIZkFsNj>%k+Rs5hnEAO031^DEoh_F|mD5J6con}%Y&&YlIzZYKq9 zfpb(yw>CenMx7CT7rb*V3EZf}%ywa?M!2B{IfYC|n5j1Wel)^oallR|5u6 z)dDrj7j|05(vCch0V#!Xqg3tAvnJ@rqg5Bp)6M+~KMzJz_g5_y`QP?hy+I`(sZnds zDDix`zZE`1;!myvO-Dat=H)J}=H1$?LP*Sc)ilv3W~yC*xp16Gw+!$#1vgsUq>;)D zqpbJct^<#c*V7s$g^npdxVF)*n^Lj8m$I9k0o`UlFvL*E^Q2Dt`hCYk>qmcU{PH(G zUjA)+*m2Y6f4enD_6qQI>ws0^eXin@i9IJ>C-%OUPnc1+r$*YvE>x#%tws935FL@5 zFAnUvoCr)1%B^v`+8nom(^}j zaWvONJJO*hrNoKT_C2Jn)$-@@-%Q)4wazXxq_y{5*bDHmO@jA)$ja39*Y8cCJ-Y9& z{Jkk8pZ?q8(7Z?gx1mRLJAV<$9BzJm2eU0F(7o)J5NfE@uE2Erv`p^Px~e29IOeXv zNLcbCdCPIQUlozT)|8BaR=3N}9i>)zlQZ8`a32)?`fQ(J4>cuTir~HUvAbGZ!`upH zZb)ND7v;wjB+R!u2LKK2+t)+nvC6hZgvRS`&x(U9x6wZS-8Gw*7+qvuRxG|GfJ67E z#RE2fj2U1M^dQ4sLp&<()83lEZ@ z=*s1$cSU=|&kn7%D>~m`*zEb-rMK_PG~!a|Pf^@E&oAUYkPn~qf*ztDeauNbr0mB4 z+?sR2Ym`qZe4e$57PpXu`osodM^@bGFVBkq^F;Qq+on!As_un>sXJ-o6Ydf9#-drJ zlAtW*fci*zQk0Ck(#(^=g8Ujbsoi|C`^5W7;ehIGzaKY}PJ@*P=rx0~uZMt=9`?6c z@j5bLi)NmMkb9umaisJx#Ve9d`w(wZC<4fB{oUGb@@VfMlFGvWmH znKcUN^fQ1EF@eT@LJDG{)nWPT9F7`!=?P}*@+ZcCZL{pLr=B@1K&+>Agi0w(FcY%U^T@HWvR)KiezRuRneig=pKM8{30nlR@esWB z>bkh*S_PFKZ%%TQkI=1A$3s19PqI7c>v8WG+wlcg4GFvHv!MqTK3y0&{_MnfWAi^3 zBVc1vIXHgf1guP2aO@H!gC(FZJSHZTda7LSSg`u)%bxWqJniZ0Vr0|thTc=B=3_-+ zBJOP_AQ{HI+dH&w#X&}Pj0pJamRULo@tX?#uKa#m<`yeU7fBS81?Veg#@3S&yK1fe z4FxV{loTV=t!;mY2> zYt_i#wW`;%CiZnV;m7(ie%}rpXT>S|P)juki)KGxt%vi=pDv}EB?c}Uk|bDr1K;{Q zu_wD%M(6i^PhY2}hEYX9fL4t*--Te>R!$VJ*;dG3a2alU17%Hos{#DpL|Ihe`%WK_ z^OD)9E%!(Y)pzf?Nxj+!YECPy6_kt=_+$T3U%cW1^rsrGdgZ5~-}uQ$YTw#JUw|0= zr|dXkt<8ZIc)0`Ddaau;*f6UIq z%_Rk54(1=%NAbB#T&Q!JvATinPVF?e0YR)nkj`!aS4_cw7N{h!~exzO{!p7tkVCtWxLA1n7-BiLe zWhttrJL@UgkAn_z`kCEot9-s|)of0Zku=^E#o@^V-qzoRbfJ|ewq3-8=lG0J9r%Oo zOf@G$?+VIdBym;9NsO7oa6GobKk%a(Jg7}nWvw?7)B^VfRE< z3)+SJf8uJ#_B~sWSa}(!TYIq1K3TSZ~Cp)9QRm=O>{nah>cn!TR4 za4yr~SDQuPub?OOdJ)Ht*h(}`t6sH63&;0MnXr449+`xdU-UYF`s=5Vj^v%X#{#By zMAOBkimi_D9k4x9dCJH&xuIgvsau{MH~fe|ByBlEH?ZeCW~F7zRd?;ok&^`XoS2w} z@Ev~MMTCc<@?ZA1C>btS{@vZZCVWL7Q1-#M0z`FJKBG}%Y!~wI-dFyiqp8+Z(QEA& zyFs@sy0S~n8;!Hp6&)pE-y#@ePmqfhPsn;b^-1_5HtKjwFnd?TK#mbOMHhi9TP}Ta zYJ5iG@UW=~e=u#uY$ao&*{|#t!_*lSUdNH(oxPgoX}id%eq0NQ&{@nYp#zzcqJjKH z{0$?szAf&|mjyrYcH__+U%Q|61MA&j;7fNSCZ1bgI{^K^SMNV$a^T5dQFSdUQ~8CT z>o5wXSn|nq?(#n642cCTKib3au^>g~qnh3y;C;FNK^`k3mrb@@*V<>@Q6!x4?LO=a zoIR6NLJjfNdfft(gaxEUttC)BtGLD~nh5h#K1FNf*htXh#eyo_2!g%{46eXeE`yi% zw}~yE_$=eS^31O;l=Cg$#H;Jj%2GA=@nYFA}KpF z^$9x3@>&7njQi~I+5V&JHLxA1jDa%Q!H2rpKW(Cb*vDl0|5l+rmckmF&L-WeBQZJj zzMO#j->|$d;N~yag#2#>S%+R5lnNEEJ{7eZfoPPfG5--Sg9;Z3`%t@-4s!N%FfKY*`fT#u z`mecPTfT_*?o@51O$*$Ue*rW1`B|DO6)FhzYIxd`kzBS|WhipTTTJ<>%WFANuUD>a z#zWaxQ)jUOA-|e4EE%6J|FmR3fGPTIKY$_bU1Yi=8||q*sY6(7RlMfz0O`L&T!){{ z-l_|K(R3uMKBPTCE=Ic#5XiqMYg12a$hVkn`IVfx5jgO(8E$>p8cY#MZ+Cc0`bsC0 zf^xZIB#94a2zy)nl@7jNN9UP8crXdrABsXe_uVHXNF;n9Wi2-i(fJ``V;q`cOzs`% zz!6rszk&U|tEbk?t~IO^m(8twRjYbIp9^N`-8VeamOMYeLL1HeHfuIBBR7-Zl4Nx% z$z~QduI_upfB&!ll#2iR=z#viXz`TVV_Kxd#opmJ+w33w$af%!Zhm3Y8@I;BM#9|T zfWTESO05rQJ1Q{XFsgiBw3^S{T}oS7J`e)kHt=3=PbyQMD{EoS8Wc zAwN5SxPG>O9tIc`#x@995=cT)$#9tEnzQ|;o zZA)Gj7wY^KiI#9B_k<8*XrNw!Lk$t%V{pN^IXB-7ZT8r=>n$rS=AwQMI@u0A_4EQG zlcV8Igl?H2it-yHtCt%tvF6Pqp~888xS3yyKTR(3&dKK(U5>CVwXd0o?IF`5?$V{N z23&0Ez|vzuw{*^Yt0!Dth}Oh^a{*YqlYKC+5|UM5yj%j?$(|aF;P-#CcM@Qp>Jw<#`Bacx+!sQLK%=*7_!pa;5Mn}swU%JVO z+MSw$4W;_*$sWw2#2kq`%eJSHBdHlzr-1mJ`ke!n_~uuj*gO|5KRH@zyIlg$5ztPI zp7c9fS#@^!fVKrpSVfG!DYxRKqmdBxKk5+>&Lv#E>D0iNB<1^EWWaIjg=W-K~dWL7KK_V-Zs50Bjz2lH?h(v?#4di$FQsAcZmtJGdw8o!nbnZ+oX4UimF{{IsS8s5Cf^P9(kDZfDNWE#EQDqSpAF zSYF_xmb3Tcqh0O&j#<1}`{ID6nfUO~f3bK6wEUaJ+pua)t)Umo(%d2lhg{NsCH-SEtD&R`vJ4<8X;IC$;OxP-ypfppcD!Kv@xZ%JO^! zHG}k76MZU6IyNNx#brr-c2mBAdalWfB665VoXZo@xe?*SL^=hrfqkcyz6UyKSDGI2 zqTchwdFkbB=G>-p<;i)U_S(oPVXeJ#l&WrYH>S?Rw^=f4;N6u=$!B@!p7q>P)-v}t z;QvWgt!>Ogm!kbKUbqMJ(3&EUg8`qD%Y4_A`Ps59!+;oU-zG4?sv$2OXa8kyU1?h(`wVo^{Jnf}>4aQ)B&H0)~XnY^0<8 z`=Zm1YNrF7O;#&|Q=miXrQc$r5qIZDbg-#W8dxX#)n7wagw@B==Q9IQHQ zO*8(J%lElhElKHMtwhYBScwv}Tw3DLsQW!o)!m# zNoFjYFCC4`98#~6lu~x1ZTlSOswf+MkluE_N|TGIq<3<7x`WV;UT6X9(awV zX~y0FJyq1(9xJ_2{F7n&9rj>#br2=T;l-U1;t1=&BVSj$G%2|`&cG|eJ=!KBW2%m{=jnFFi8QH*Y$dKGI^wgtaOLe(#~}h z@yV|teO#)PU%N?YhiPlHeEr$FyoeRS@d2qjaZ%dAsf?gM<2gHWi1ip;lSQ7KVog%8 zsfuAKF9b#*hpmSv^=MBtzT+NpLKt>kB# z?q=f;OkP^YolaZnG=i-|5Bi&#m!ENrHJ6#tQwlyzw6m_;x1S!vmtV65?(@gQt}bb6 zudemrR>JRm1K4fuX(6B*JrY0^Z>0O1=X^egeduh8%>7rH^C~EA^NV90y)1P>u`;SI z*htmadYsUH0~&;e_iJhe0oPmKbx_;|jJwOZ$k}!^t(IB%^*UpRl_-fzE7MQqto_zYHR=F6xaVtNd52E_vBmSzhZfV3;Wg&%FZI`O~0;jYhM)oh@#*6 zXt+jmlEGS4;k!eP!#o4}!F=_lC;0|S@>Il;|I(?0-R`4VTxUzRv6jJl=7fs~_NFiD zGGYUFGq-?B8K0AhGA<*AggF`+ zsJy!R1xgD$o?-59y$=Eq)Sexfoaj@Ekok~QU@U2mY5m+qLcuQ$F9HF1BlX}3F}C!y_K&1>;LJR3O|Hq7Q zP1L{8k9B|&CHO1@B9Qq%9PRh##gvSfo7{L<e_6_dinH{Eox{T(gP1;vIT%N>yh<&PmI> zrHWJu&<5yfGkF8O?V?n#U8r@kExUfIu`B( zw6Q3qoD!kpq8zcsWFT=vd%cE>*~F#g4ClGl$ip7XHx=B+w)prQ%?IAQ-6}%ZNw*6S zb)Seg8qcH4YdX%=eUbyNV7?}$g5VV9V8v^BFZjY^&ivK|`RszvS#3c+&9*VsHFpKq z2_n)Hf!h=4in4F_z8n;uoD{au1=@<=#*~^hjh5Lj()m{^{zbC$$5V4tezuo%&GrL-}oxP)R%;+rgse{WW7;l14_y^+! zyhM7@lul`oUS{UN?ho_4Py_c1A&FfbAM$R?xal(;K0~bbBHcBo3My)u2-`&;)3^YT z_0JKNHO=S@tnjo5^g3+g`+HtW3u*?gAaSKs-X-iOE)hS@FHA-e;vOSk!NMGs*&)xj z)8i}#)nUUu_MA)nIgN3Sn3j7M$=8~NDqO!HfME-Jy)@`fjG+8ra+?a5F1wtS%oSli z6T^S8ziVHWXMQVe5*KwRf@}JmOqm=+8lzf1x_f!`k#AR+_>|l?!Gzge$4hL7OZFDe z4fqxFp_d}W8VucX6$L8vcN*z>$BTs~u2;COG=A!u7`3jZq7buW1-b|XLI7yN&b+EU z%Gbw83AfORO~N?TS)#X|t_J%KRMnJ@0`Zg8VrR__*VL%Z&Q|(W!`gzLAaBU&_scge zB+)U;FD&K{^HL2qj^IXXlr;%V@1<&sdyLDMpE-_|=gYojJ^e?I3A`-1dx!745povv zTp;k_4(eCVLD#w9({dws1+T?klDF**a^~lU_3ZD(jSt4z8>lJdBAo`_-P!3`$t(q);#d~2ME9}k(go!5$5P%9(louachQc;(DEUbm`$*!Izu4hRjsC?B zA4@C)*x?-uuW9%*J_p$01)~%hmSq^U0pXwIkhe|=t#7h`b6(vR?bB6}l%-?XEOyKIzHr}(R4j*!)Y}b;feUT6p7Wx; z3z*Gl;JQufASOdEOE`8!UzhS7eF8W~>u)eBVZS$vM<_AuSULh4*Sg{fLvID6P2V=#pLA3w^)z<+OLfiq`PYA_~{Tfy(=pTDuF$jgKH_3&sC$;W!&h~;2 zI^NP^Ul+|U=9sc?;kio_<8aF-e?1U{0wrz9KkXCgdcGqi zgk_;r84iH*e8*k1SV+klpga$avB;gMys`Y!MooWpxdihfDT8;PgB)`okvDzi8U8dl$!&;e#EW7)9A4; zv}9LOki>)_CJITp&gQzccXM$dgZG`Zo7x-Fsyf0{q?CN230wewWZ8TV$!17l-XHlh zz2SoP^xHQV=sVO8#Uyjy1ns{{JDUX0|8lsI-L%PwbKLja75IY(?W=J6KO@2b<&Uq@eJ zG11TnVq$h3`)j`Sp9=Uto<6%AJN&uX%On35@3AR(*-b42u*WDJA;>+yxd9VY3M4wJ^hl6Ba94Lp9Udm!yQ}Z_)*?;G}hV(8z(oXTW znqL)_O=W@<4Kd{=4)+TRmhlbKZX8Yv0aYqBY9Cin=INcIW5ah^(g^(4J3v;)#fb zz*LaPU2UMH_E~NU4Tm4{8^F78a3c7xT1?_GVVbRZMZEj}s$t6YA?W`hC+n-z<6ItY ze+2~(w@z))LwVY4X9a#*-2IBULdF}Y%Gpi}aoaJ8iAJ`}irDHh+7bQV{8STSSkCq=QAjtC{Gu-YV&J1msN@LFMEI(wo5BjzjpNW7P0 zLxT1b5kWt?xxDB9W^>kef33R})f1;91+Y0A!C#mC#^$`3X6A9W7T0bdS?s-AQl6(R zG#%pwqW1a^Uny{V5|`eG*#48t@&CSaCF+32bsh53pZNW=o|n|m%Ri^gXsDg>eW{QIoXppimv6}|AmW7!Kfbh7lYMP9&-jU!BS8DSg+tYykL`tSxKfA3bA{AMqn<)W zR6xkOf%{LO)0*Y6q$*g)0_!YUhB@SAN&Ax5JE%o%?VIF`qxWXR?JO&(WIoIF+x<$tP=_0^9? z6wdLBNyaI93WCNQuR>J~Gw1?>itws6p@K^LXA;)b1KWk}Q47(&9BztD+2 zD7y?^WmFONz_mqO0n+pjGDLR#r#K=`&)0xoUW8{dc6MGJ!ql`EzwQWP9lTVR-STZ%%>Ty^V;fo<;L3$fdYqo7bp zDzoQy*D{R<_yUNXXLX?-c>t$#3L~gPBd?{CcU6e1D=u-kw~vKFOuydkCJ+dG4?dR1 zN=yjkf0KvXU;062q+jIv-D1!E1z~KAd^ixFp!=cBgZjzj=hnnZ`)OxVtAUkaNCP?l zC=Y)R-=KHVB^+vWGL?Qc zp91tfaNx!0vbhXm&T`H;yN$}wRo$60rwyoV1oNPYKLpxXm1s{W|4j?JD%#FcoB)kx z;i6RZ<9ySb(Wmw}IoDP4X<7}Do&gQLlqq*5m(!bgC07l>o)Z+7yu=VDsWT8qXYEkh zw4}hA8}6y6-6BF>($&>d+8k;hrRv(p|`)~DVo%aa_p(7^sQF1CnvR>m&E zEM}*p)$8s1CK{n+>ZoV4fp2=+AD{t8h1E0lpvAXw)jG@%QBhR8egVtgHM_R?ortG? zW{g`(rw_T~fa*2@;d$pDiCC$H_9@IGh{N9+0}N-M)a_LQ0axmZmtg^joM*oM5<@J& zU@&x;MZFt;A@n@J6|oOC5LsaVT_yf`WB&C7R6HgADYzalYW%E;52W0g6px`|&k+6@ zj+A-$DrH)*muDq}PECkw8LOx5^#J?vQosfHPXCu?7Exx&E!0X(5<4{rAi1$BvPCxW zE&*>!wm%o(EsQKkk}R7G3*mHBE{Rc|QCY~AP6~_Vji6SvfU3@wHW(J>837o7!|WG3vfs zPKHzxRf?))o6u}Bz;wrd4>m$9&hTGT51~D2?m0z8{7)|_5PJ%E&sdHABg+2W-~KJE zo;8L*CTt>E{pyL|rT4j)K5Np?BNr+gJX?@g<1=w_M6xa(B>iIL+D&&RYHPJ)wC%K`$gE@(zn=F z3sBl_i33sAa02*Q{n%f@N&0bc5@i14|Al1z=c3&9p#&)C)|5_C{3AdK^Lyh47gkb& zOY2BAL|lf|3tm(|3j`_LW!Ol*UnmPx{+3zR-r!SeT-p~^ZNxdC6EmKL$5&sSwkwSN0&}ET-b<_b zUrq7R0tHu$lmyUkmHuyX792OR{-d7c%aZK|x|CyXmK$!tL*t8sRrX;7*YLoVUj{G- zqgsch7%rb8t`Xw!a|2Pp;u;p$)R2^aBS-)wbKSfw-tCW8^7#Y$hW#CxF4$Tv{MD9KAbxb;K5X3hk-Q<;{aM`MA@f~{Y1df;Lt z8V&9JxyX|?Ta!eYgfqx>-F-?Y@Aj+m`WZN`ovwC4I~13LB#lQil42|#yr$vjGc}xP zikC@0o36qN*12~z@OA8I8aSpQJm13{XCp>G=Wv18biK}DJ|>m$EH3=YPK+k3;DLB( z5ikBuPal=4%lubBif*b|yh$xpZ8)HE63HbZMag!TMmd6*PhOfqJp%oXr~{6uIhWb( ze|1Da5Vv*tcY6Ya_w1B82K8foB^S0%o#f*=W$5oW;DC}G`J}j(Zmxh_@x456}UtG(l`&_8(RU!&*^4{a7 zOLIx?HCm$f9y@il$jCnhL)YeW|GNaxFJGFg#je<tkr83cCM_sQwA}%?I^k8H3d|1!F6If|LRGafX_&{kPvmq^O-wPLI85 z5TV$83AW0>>)ftjwWSv_p{C^!SQb|DL4saW5wEk>EyxwB;P`aC317}kdyo`T2iJF? z_Lxm6>#~%>KW)0YCq1Oly)+p!ti~K7>S|@-*Jv2=v!~4G#lEYlxzAIdH`G@uO$$!9 zvWs`JS4*{4@eM@S9($-@TFkO6PRZ8l5be+nERyF^W5G*i_mcq92gC{BsaBxDJ{; zDEWePG{uro;>k&Hc@Lw#VI^n6={@|z=Z9esuFC8J}e4);7U;qn{T)Q`|(sJV)< za$tG#CJJ6R8^aNsCbJuT1eOu8N81}!Z$=)(T~ma^}3oQi#YAWlBx zJE)18>JpD@=l+vA*7Gq?Q#ePS5K#R6)6W6*t^f^`kD{qA3#9_3(?`=cRmCNOM0F`%{2vK@o3D>yhf5 ziSyXH_%zeGoYB5o2`Sex&IK7AxP>dT# z$?guHm29^^FljwZ9$2RfT-dtPv!x4c3YojCM25UM2Reuf>E`(`Avb?xuT%-LBS4yAb{YU#z z7*7wJmN-RH@o!hk@C-xN(c}-4+VZr|@6-4y&lk{Zaz=Vfy3c|Qi=rBpOp626jpeHp z`1i`06*0nJO6G4c1UwpIKYIJ5n~A)p!||=mnip-}9XJ6aE~~(;O#9b|x^fE&&Jgz0 zGsCwH%C=p~nWes_*fbSW!+*UjzI#DmJ`lVrAwwx4w%&~OxxQ<+;t)9u>>$+4n=ZCK zMSt+LtZ#j_+o3559gbG8E6fVGP^T*GJ8Zaan!Ii?V6Nq`*A%X8p5zQCHC60$cOMRK zS!d9C>;c3fg%`2ic|LrAE^@0~rL5uheHF#(qfA*-KL0={-%wj_>m4pyP^k#a8NKsM z2LV#g!$OuyG zdH^SGw0U%E{=qZF?-z|As0G5Juk-)+!=h9GDf_6I!Tgw0>1SyT?x#LMIXBQzX*8HW zm7nk;Ja$cJb6kD4nD=opQso;$DPpqeVrGQlY7r_fJ;E(gkmUjLiKIKsrvi*Ci~`qG zy9~Z&UYqxFK9GpoE9cxgMWZDsH26wp<%j`TS`$B6*KC7PWppOWAPoCEK ztrp{?5;=mfTkhy~SyfpcSgZS-n{s$bIoNv4Xka8;8GhE2n3J80@eQ0)4|>$6(~~-B zgi{CXx=PToha(INNS0F8NOOAJAHh_jmj{T8l0(sH7Nii@24DvgFcV4)zvIyj))tHK zYHF;GSJn`#J#%!gBPwk#6jxDarf*(~Hpc{3AR)-4r>@@MRk+Xu^ljAb`}Oj~EZz>z z>P@-tqkrF^aLBOc(oN^dnp^n8j+y>OMkJG z$9bOX(Wbz%ZiFE-Xf?w+L#YZ(TI#>szZ`Kv$?E7+--Ki!z|k5&Y%)e44)m`^IB{)F z3rBP$uFZ#>F3KN1l|&fq8`^Vr6U^&_7XKQ=x}N{AF}>6Co%W;OtlD@{b)a;3NX4Dq zv~}lD@|bbI{ehR%U^N=e_Tz3Yr@gf!1rN>`c%kG(}$FV5Dcv#RtAY z5#Q!)?Q#TS@knc*mhjxDDJJ0#(~RakD>LJRrX^q);*od!ouktj(N56ihiCYwwZ4OW z;<9u4217aj5c?=UbKwSl_v~FMcmMweMultKH;HFzP^(?w!P80_x7g%p-b%kKw4URt z!c&SU@Xn1e?0@RJPYV&Y&bAb>`^>u+J=IjXYZ7n>^B9C=X$gZVIk?rUiyW2a0-GZu z4)=2G1e+29oRl0oRSJCbY{RRI23-)@{y|}9P@L^nUR2NbdCo5;+@I@-**iI3)+9Mg z5yZN-F70nppJ%VMpZIGP%`R-k)a@wjt@+&^uKIB@UagKi0$4BYOj@bcAa%A?g_g*W zM;2-1pduw1uZX8PNDZ=jhXnIJ8_X{4_+UcLz6I(KjD?ymBR)LS;zVu)+?p`HSZByd z&Qgy>r%5!FAO-#UfaxGZZCOk|uFM%)V(LCHMdOSZbsB4pX?3n}9B~N%haW8DB}jl{ z8MPI%O<(t-JGhQEk2-1~o-s$zHvd%lnCJ30OrbRUB(P6nt2LGiG)=Kx zW>t_84g-UgW`O<0TGA6=`&f1>df`*Y-a6h~&n2yVI(_hg2aO^i7;}%SVVsyPIPr zRdw)|VzCG7Qaa>ybq+Jw;kHFI802=~T7P(8D>}-(?L;2V@3_u&;6+$Q!^{hi#I)UQ z6kALtX!km%3<1hIP;e8orRa!5k_K?SiAM;ynTZ$gBEWra!TI<|n_CAuJBQ+?s{7t| zkhZG|ADbgjteqQF!pq~4`|v^%4lcHw+HRNIwdAd|nt;CMvr&{}Ir7`3`EP0=?0#(L z`V}M3U;6FJeNp@D3g63Xw9sWq`>Zyt!Ho^4mwmGIDxkEaQ3Uspot+=u^f*MqV`orD zLHt}9{raHgka~?=b#9I#EC%KiNw;~n;dAn}P0OQl(XG^x1S(}P_ui}4dz`yPmo-Jf zYfGJ9>(=$U{DV$ih*gYKyC63EhIWLOF3>#ihkngXc@|#n!YQtxw(^R=W>Q_%5r9O%dt@!F9W;9?t9yHV!Getmfl9*jAnYf=1hq!;7u z=A`u6jppI;zTU;*ly_l#pImghh#+6)z zJ_!1YO8#PGx$+B%3OGwOOn%X=8}~>~LgZZKuWbq6CZq9ueg^5v z6*^m_Gx-`n){y{CF_W5Hf?;ah>iQs51jmQFnA`7{xtr7X$EOipN@N zh1z}&B_bmnYLamOyzECt&k5_a@Hcj09`HN-UsJb7B;;|KdqIOzNI1M5by!WBrcx5_ z&Vdh2>~BzeqP<%Bgp@aDT>*}U<(2h_ytJYZZ9Y0_2*usGw7ln?p1U|>jI6v;bdLa zJ|-854girpxf=MgO`^<+k+=ov@EXZb_Q_{uWQnveVG_L6!G`YDd#){=u64%kh)?i}YnxTvuC9`ilPNfeV&w%AO_)`7S}wm?2H2UGAq;HJUN!o3c9F^O<;?j2*& zlm)3&T{O|IbCMLx+i@8T`>ud}OLuLGuwZccn;`V?n2~)Qw0MwcP+NSkKFvN~(L3pR z1D00HeGsj@WqbBjG_+x^LPUOZXKe$LXP}YD_Vnbes?`RNdlduA_{5atj#?)+7nu&~ zY7~}(bgl{YS2U9gN3}^k?KXRB@^ZJ9YTQ{)2N_+sZ#`)WCds@9~c=RN-CskmM})bTDekmp|8 z6vlmpjnkL+#X(+s+R|TFhRzFP-*J2z#fQXw(M`}o3P4a$ehpX-X0u;?eBD;=k@^Ke zqqSWnDbjxim%dQ|suuep^W){;04MC`+dKTzTSlLSR%f-YVn6Vqo|et=D6{%YP||78 zUaH-`a<19FSj%gn9kYIiTQJYww_rM;glr92Z_kTSvF z_o?J_@2P2qm12dlG_SS!t0z%LCI=s}V^LmKGHm``Tx>;9TIMbDy~XiC<;+-ewxy%P ztYvD6ZH1Ein$Fq-cWwY-%cyi)Ooiw;-(F7NKF&il`HxYgm(*^rhR-PO1{;*{$k7&P`CiRp5_2AquX z<=0XNA}`^cv16~l7FkcZzlQwW_Poqkel?O#xf4%f+300BMJK;AjhkgzpI|r#p}Fd; z<}?8?2lAl@%e1`vi zMFIptrF?P*n1KCnFz67rPAgsaSub(sKZF19xi<^PpU@iT&o34X!lB#cj;4vzMDEss3P6FDL=M zvJ=!_-r`ja7i8HvQv)CpMbIrba9qF>*X#y1`ZRoWW*q!*JF)n{NlbVXpH{JIyadAq z=v;4Q_k`{Xw51)+t8X`#qrG)u$Fa;iN+MR>QTN4DzqOaqo$ho7-Yooo( z%Cw5cqL<3%wMOa^t7Nl+hC^f=MJgV`Sro3Qn8M+!`}@+)pC{g)dEgY8b&7TE{1SFF zH=EH4>toBsDJ6Dao94Bm2biKMf*R>NK^R(Rezv|ANX~A(TR4*`CgpJy!!94f>YbDk zHj#k+v`Eg&t*er&^9^iOXP>PdI~-nDt0|(#O64EPK;$Ss0lDc1#$!LRU8(iL?yOgh zCqpVh9+U)O{wK>TfpCPFyuxZi3f$${-h8HFhR?ReL9Bct!J{U>d^{bx(5VxV z;H(^Qnk*IDzv=b}YJ75h1e~H@K5n&5D3JLSf1KE`A5GFlA4l`a2NTZS2B#Xe(Z0%r zT?AZW;X)*1wxUy!?wle6RtnykQH{R2KZM=x7;~!Dl3kC=+^cR?6gx-Ze5`Z~Sk`B& zt%^kln_P8`bZMlY;%OTkp7pGM4x0ZQa@>0Z7b_5(8m%>-39fQtt33y_^0=Kd<-x0L z;AaFa{dL~aW(KCbFPxK52Qh&ta z=tr<6K9+U_UT)^k?G@ms@0&yF*&)1<{rb#l^n|SbL7oBTL>;H^-=k#D~hOrUcX`K%+#rv z(CJXiGj}bDdwT0^?;^-~2$wWnP+)-K- z+RN(V8ncA_3!|gH?B?=Jz&4NH7PnB8Up`U*bKUvi+9`jOS%W=|W|NpoKa^r_-E`}` zlM(Qj>#wVwpS|Tv+#z)6@V%%b(+N)zHug~xE13~G#OZ^@+_y7@(wyeqhii)+)~nzY zwA`GYS*NO9go#7H7vNNC_eV3>Ax$O=LM}V<5h7gV;nr4Yw>R=Ls4*Q#?J*U#S5I;} zo068Y)0VzZYr#kr?~e8yD<;Y@N;isRevf1SgFZd8y$2k`H^TDs^8dWMN`0Q?$?0}0E-8iW%6{@T=jAoce{p0~kpw(&^xMuo z4WIihSv{B=i!V9&&72OEj4-rnvj>peEt=T43ejr!Jmng<6M5vd&GF>jBHn%jEZeH- zUTXnbraREBq;E=QokmVV1@Pq7yw&1+Z$gFEAUE6=3l=gX&pE}!Jw6(ugCJDhyh z`eK|k9?$I>$2+D|*6fA7cdS)+E&@2QTi7%;>rL3>m6M^QsMOI~$4&Vuq8()V6z3yR zeEWMFbgjj&+Ot?NOX`&Gt>KX~f2C7>M#TNURp?+>Y>_wQ7nny}$9rWDQ;ZT7J2=`$ zbyx-<3*a>yP|^YDkv4u>!v;u_Zq(sNbmYeVt3hOQq%&mBGN9XFHl>x_0OZ<{9TN7Y z;#%GMX$I`dk;qtW^Y)Ge`o_mMCXgjK=xa?mQe@{i9<~qvGj^7(e5^hTy3arUu0Dz< zV-8BdwM|U!1Udoi`)QssP3^~$o|IA^koz^q^F!cw3bSKS-(ifA1~T`%cA?Pv`6b6A zsc_^VceiYyv;9kFh(WimO0~l36-}gMTVwbuF(1oSgnxwBoQ%+@3A=Hf3*#h*UBlTq z%3J3fjZrl8!5g#V=Jh|@?cKrznO{K}ITY!wd_Uv4zZKc@S~R4TA{16DDa z>jni(kp?}hm{D3L1<-{Zou_`km}%@~3!Gg5yTJ0IdXtduI-{l}g7Do{#sG_J9?=45 z!9)^+=cH{b4mlUGI^o?|Aw=}XV#mvKD-lr{3pQZneE+UHCncP9{al*NuSK1tf?C`88>HP=caai^{!`zv5cnL z+0(z|U7L_q>kEY=YAs;}zV)VSEo`j?VeGH%Dl_`hjGJ8b=M~Dfy6r?3`2)O~j5qdp zsJ1%0(*+dQ3hJ$*DLy59g8B@Q zY6#xk>zQmxUq!6M%e9oj+&zi(U_|*DsV2kOnp5&2Tz)VQ>;CMbzSe(p0pw3{&5ihs za>>gb*N(DaJR6}^>Ol7M57nt%{NWj6mRi02PDmth`gNzv=5;|hJ_FMm;r(14nsoo? zrti@>u9!@_bXSQSL{O^p{?(otZ9U~n`r%y9hByS!9)rV7*u7smL$JAA3t>7K_Q>E& zf@2MlT;5KPMPi%9V*KeKD*Su}hG!qsZG!5mx9;r=P2q`gsGX+<>&|68+p|}vMMOKh z3F9msUjk~gNv&{&EGSvXLO8;Ad=3Tt1q;w_P(*C&kdE&S|3j(oxcz0}xpn_p35Jv7 zs#f7X`#z`u?Zf*7bb!JSD6m0;)wyY7J-Eik1)=C6q|QMo7k$A~)+!=pXUa_NwN55b z-coHnWlmUe1t^MQfM~AN6&IlWQYD@0PyGmnH;#*n*_+yaWy!np|8KAbDwUKw4L0;!qW^Gf?nZsa;NM8W}RV+E+ojn=*`$#`BAW~ZE!__D<;Mu28i7o#mm`$!ykTwsBHmrZt^QI)8aSu@6eZlm4Dhy z-?@zqJIzu=FQX!2d!c$fM~XJZ5OV+H$s-_($DNVcMLrD6^_Z~9rIG&aswEIlmb zl`gc2Mh@0(e(z?GboZ5k{^qhR{HSr{n(+xBOB}(Pw5B>LEpE*evY`tM4Y;1mc@IbV z+^?|*XJkq|PWmx;&&+NVXk!3BQFN})y{hV0f0GxeWZhJ%{rMuz?&Kr@={-&@LD5vB zB@4_lkD#V;@6~*u2s~DH9KB`395zXJP`97p8p@F$t zs(aKB7EC&RB7C39F4Y^nt|S$0qV_ir<;w^Q5u%Gw0Wtp#3dTPH4Y4xEP?Aeq-_766 zUpZj@CO39n;|2zf&Kd{3eiht@>0ZPi^~FSQ#xZtx048TM{wxi3#vN(L&*%#rzQwqn}4Rh#!r{K?%a8Q zp65_wrv02`P1f!xMJ*p_E%_ioYElk#M>H=#C*@H9bS>ZMg2S7|##;r6-jI35fI|7W zUFe&&(a_9PvWb}qToLGz2^b#CQ1Wneg!@ceL&PTERA}&DO4i>$4#-u4j|=w1X#w#) zzznitf`tm!CXGFTXw^MR`J?}dRueRRpahrKR5gkg?ft?tRo>HlWLXxSOIbVR37&jM z1=;+-=CsybqqaF~L2^Y(PjAImFV?-<-?-pP*&Q!l%iC+})+M>C^{S-0!moB?dMNso z#nzM=$Dv{Wh<6Z;?inEC+XGD!Tar*9w*^}pl!(-(+#M1`oBs)!I8=9?&7lxRIIfjU zvDGo(?wD~_OizZjfW4jU-~a$7oa9v1UhjN1V|cbcvDI&arY8P<(^p(UF zxW_>YoAZ-yIdT*Rv|p*?`QhV!TdTvsGHEM=3o7m0u=<7Jk2-eySjTLe`ow6sTh|Iy<&^=o6B`c!!mgPQZ35y^e80ZN$8BwK} zpVE{c|ExB8g;r3bQ~C5=C3(%yJq-Vcx$ll@GTr)BK|n={ID*ndR4fz`sewdA#R@9Y zqzMR7dhbPw0z(rSL8L@QDNet#0c=!}CW0tBvbs`drq|1UIpq2(~d+ zox3Bl7!LHho^uH|om$)%@&yB-7I`-tDW3o?5;U2P)>_7wR?Uve9GU1m{5dGLp1KIY z=o_zCipTwdah7n}$&O%J*B$v^ zFw%=(8`&f8ov8A0EQF6}^ae`lxj~ar z01JFBX2kRy^zP{D78hhN5++aR$X0V7S?BA zaQe5j*=%m7p-82ea=)H7pk!3Ep%>IK;ZfqTNZJ@{ADJAIf-R90o~Pt^e;Y}DunCP7 z*!IUm`YEo4+cotnZ`SZOfyD4A`ciOfDyrnSZC*myJ-SC2S3Ki;)^K}$wTvj){d#7` zDL0+K$T;Jk2|2mhyp7wvh-Qn^Fnm>`ny707doccD;gynrhtrr#C2J;g@!5)#MUHOU z2+SGuX<3~&V>t(~w=B|z)q9rAt3U5f>H0noWW!*A0RDj+^tC&jX_le1rZ0o zXV}{0_Zzj3dbF_oV82YMzVg2BG_8)KMr&Mg8CifM&#~4F4y`m1GZO8HaH>c}@#~C6)mTr_dXcI(9_g-+urQN2x z3_%ZErlaV*A{Qj-;Uc98)-Yr{avuN}=*JcgOyL|<_@tkTPRpZ8V}&J=agJ*(pOQZg z#Y(vLoxudB0pYsQ6uP@jENa|dV78*YOOw&zD>liB& zw(3_NWqH}$f8Bh)^?*?KE32JfG2`qQHI-TH#kdJzIS>zsHWz6GsSOJ)L?54NtJG#7 zQB*vW80UD2Whqu$&8UYQKD)h^mWVWPG4lv3?a~}CwIT!e(6{h$OMD417cFUkrpNzV zteZFTk3#>T$TpjB{-5;2`0?509Rv$x{{2&z{g&S2Ex)~pL2RExKO??(&RDQeekN5s z;4T}APwID9q7a5N`E7oq#a%Ru)Bo(K-KaY7mXDoUm79H%IN0u0&_Fej?yc1mQ?rS% z-)C{`j0OCOcwX)W9alw_ONwAwk^86Dt#Wg^tG6khcinX$+8-h1B9}ry9)zfUoK_itvwSD zm%MJVn^c6wX?1%e-WL&%HXD3Wh=}j*dS(C+XS}I!VA01LN>}xqkx(_G$U#bv6p^Vf zqm!UD`)y1Mh`Q5I1Cm=NREoBE<>uQ)Rm$Y8e#6f#^M^9DM@lVkMDO6a@z@*_S=8Pm zQ0wnEMnDAmD2(7aOWxay0U_AZ#WKZjr{BSpNE>sh<4-cU$(^n1A z=4n>lonPAy5bIXZDbm*4Y(^iMHOKKr+HqO4c46L`piL(J&y)XC=N+ZFy<(c}*?HMb zY>OiOR}EV|R`1UJTH`dZUGwq>DJwZGgX{^Bhvm)+*`n2kZMR#j)-Itx89&o9s84@n zmXhe^qWY=pb~`d`r{_zjLDBu*+rfU4xwxX@X1{c7~FQBsB^p@oLLFrm`N_@&oyl6M}VT6Mg(Ln(d;#p;6Qu{Ky0EcX^3tBcT zj@SYJ9Sb_oHH=TO>8bx4!}tXd$&#ADX3z0rC+~^X0&d+EGH^Gezg2RPB-rltW_R|X zecL?ZP>rIPsExw`@rWR_14acBkMMi1^Ca)Su(L#La^R%`h&r{%%OZ;HGY+83GTc7BMzF( zQ5fy|otjwf_H)@+zGa6E59#3dhTJrp%nlEmCrRMwxRl)=WI-ANfs(j|voMRFilfv1 zo4vt5&EyY1(xLnNyv~N0z?Mz6^x`z{CCIrDN2S1_2e%mK6hB_@etfus#u``p;ow2+ zFRm_rEDPTIR>%1yuo9>eUR(H;K3nGY)(L7b z{KKUIp`BKZ?(I0xso^+z!Rpn&q%s=+ltskrCP#4yR`ne9GxvqJohjV8#h<< zF{KA|Ka~3rqI6e}o07{=Mt#@!#HS8!ShRV^0elkG5dBrwPBT_3#!4VifMY@?RPI?c zZ27+qm#3IJ2qP|~0IfuYP}dwI@T;5r9u)?x$@P$&gux(I}!i=?CX{* zQI}(r0_}@N=q}51*GiD@30ar}^cDj*=NUw!-jBzlOL-NdMiB2V)D!ybEH6mA?*TC$ z0Rc~)uS97$Ye}jDxT%q;RN`HswwprkDH_QW7HA?gHM;c3%YKJxht*H>05ZTw6Nxz0 zSIHj&68FNd7>h$ZGS$Wg#Vc_=s>|L6=!TgA430pvLxDNZXPsHZUJoT~FPZQFKsliU zjWH%kTtiO;!lY)Rk&@cK1&#molUH|aRcVa+!&H8^kD~Lh!lV4l?~==bJN2T)c>@HZ zGIeURkB81E`o`&(8jYr|F+>8duyvsO)DsKD;eGIkh?LpcrMt?%!SUlhx4P@z`$u&% z^YU#XSQF5r3r<4RJ~g3QM4E#&OVZ3*Pi~ZX0Dj}@F)fP;d%A_gn5?ZOF6bQ^K`$_0r3a7Xqc_nQ3_a8JBI}>@}M1t}_;=G$^+|jwo{Qs1|A892o zH-bq1^z#=7crT4TLP1OExSE6Ga^7hqA+Jj$ZR$SInhBZ_WKR5kQZyxb#H3$&HMs^A zdOY~@`9m0{$((b=5X^jCz;7t1$W98(a)Bz~GPNaRlb?EoxneI#tsh^&O?@f<fG2MG#?3~!vH~CDkYjEN#{Ny8|e$)IByrt|}yXZwHYit~iqAvp`YULq% zL|3Z#&)OsSKpnDASD#*oHiS7pFw4>kewyHUG6GE>yt`kyNfIzR8}X5UCo5A?yAzj5!$|u1(S4y*`h=Ou=f^Y zHM!Vb=#nS0_(&dLbc%Dc%+*21rN5r{Pc;DkCEbk+cUQq8+<(fj&foj(5z3%6Ajlfk zzuibcD3t_HpW&O{Aq&ujv@R;ymC1x;A73Akzcl(R2t8S_uQuT&Uc^Nbx*K{hJ$Mm@ z&oKf^1Ocuzp6aF~Mb{LM*eJn^0G`eztHpJ(IPM(9qbw-Sa(bJjgGvh)IFc4_2LF5a9ul7xh)i!6z( z&r;}31v#38AeGrF^|*&2KX8{6RY@$qI<@zk8QE5Ce_Lza%QOHIQb&%0$d*mwIprvz zh#K~;#o3$nZQm*!DR~%Dq}L+%%;0eK^(-&Sv$>w{_7BrS(1UmBlZln;dSZFfLSla3 zbwr~@qHn--vQLB*f*PkecUL~OeF!kA-9H|o3aM^0K^BBST}f4XonE<|29n~loA*w{ zG!r^>j)`B;lF#n1E+na)Tcxz#J@wheXBIBz{0v7&C9}1Qhh#;%h>@>|c|yD7+SJ0C z%Uga4r7MU7gQvBApG_zaBbH{2glg38AXj-_2?dcDSMCBygxNkvZVv%g{c~<_%F|S{{AJAn5^&434%W6Gix~`c zy$tGza}?#g{d)iLff9d_?g6N$fRha&VPf_6EYM6l48LM7pJCqYh~Ya(FLo{%!sQIc zX~LvoL4Egb2}_2@yE7}`gles!Mxf(@r^HL=)M<=y81Wtp`q^wa5pzkJLMg@}?SL@) zf0|PLyD+N%YR@8oh5|%}9d`rI$APTmf^I7{?tn-g-VtIl=S%#4t=;husx&$WaX$B& z(DMe4ZuNEa5BY&$%F??TVm7J$@iP^Z8#!a6bD6pn(*6baZ1tS&Annm1PUqYDQiJuT z^S$lAs!JsY&*Wlyx98VOH33-?1ebP{~VMNGdAJ}^~c2<{kuPY*41S0Y=a zAwF3>C6>$$;{8qi{GEFMenW%vtaFg;B;(ehz7?^`f`D|O;TY9)lZy)71Xl@4^KR1i z&3VFq`HW*gT5a&tk5B!=O{_qJtFiV>+~?;3G)B0lOzf?b}mNI_j~+93p&Kas1Gr zI|KI>Y!&0&T4nH^sN9CCh%As@&Q#j-swWu^r+oPfVm17>i0xIGOdh#d=Vev5{r!e( zgac)4;El}?1_7T(S7;&RSJHSf`(gDnuSFcBLo9)zaBp2%bs$C|s{4K`eivCX=-T^|zPs2O^jZopyWH}YF zZR;NlU~VC1{G@3{a#6W>dk~KdaFdn3qMw%jv+0#~hxcX4-G{|@xQnW~>8?E;BORZR zmjUjoNUrh6(qkL@23ic1mPCM&$u=Y1u*}vRiKUYMsbaBccVYkK5f-ceX<4J%)0PkE z=7X?I=5%>}Gde%oaV)1FqR8VcCitehu4PwD?Y;f_>w!_Q)@T#)!)L3K!*sq!g9v3$l-Nn;<(7G9c=J`y9UTN`orkHL-D^AjLJ?DLeVG zK}sGhbe}5vjbw{^gDTgee#|2fbXHPUk0G)B*O=4FuTK4jlzyt^7WHYrHK_JlzC83? z9)FX3pJPxJgoW`DzS`P2zYdhF0|J@ zVipg>Kc77x$TND0i#_-d&KQG2IKXM|#c>HIaWVrNEw`qJwNb-fnC#Ob*lcf1HmDUd8BxhwFIQ%RN-dN1akps;Dxy1!~fuo8*t>RPncAuWM6Xras^CPjAvYR&HN zUz^j{1y71BjLVD1M`LiFY>!r2RD7dz>A3N`@n=drIdU@)3(DSDlAywfIqt?swCr*}su+MDx^2M?3{Yml5!Cas9 zp9PyQ1bDN2p^iH{xBXLl0Pj8H z`75x<1O)aW8Bgd}AUZLZ^mrwyJLy0masU==^sZG5+SYCay4`TGLqUR+HWIDS*#kyk z|B%60YnWegQC61?K1X)!?BruU05tSI=%V^UgRjrmcRtO9n#Mp>z&#n+bC#*nz5+z@EDZ)OyppeJxNSWMPY;Ae8~| z@%NIwZ4hNFp!S9S=meOTO^e(azpL2egDEk#Fs_a-^o8@y_` z>6k(w{kJHs?UK?K(4 zqBSZJyWLhm`F1Vou;{jG!PHoEN5i-jP;09q*MK>j?yF1I8E2f$JfLSiSZU=wI32V$ zKhZ*iAU>(0{@`BCPYf?Js05R zt};GOLRPnl?J8`DPnHpYgKw@s{f0-Ts!U+-_V;x~=IFH98wBu$m`5YtYPt$gr^p46 z<=e4ZPM37KzGXsOmNIoKEqF?+82P!yKo<@`FWkKsJGYh}0@mpKLD<;Wg4Z;Ok~&=d z{N#^hRKJqYL}@VM?>K6Y4cACz=&K(Z(lf=ii=srl$e zQ0AwjH;O>hSS8J2-)pPd1SHN}3HH{lBL2YNc(Z-m0U_<%UW(@XXSC%83Bky#O+>Lu zvp%4!IB~5RWFO02?Vg%~-hW#C*ODr7|(?kd?Blj5F3r(EwlXV96}adEWiJiPta7LW+7guI=A;Qdgg zlF?)+HNG>uHlw^OcZLjH#qAgYB?=xl1hsZ%sK=)SQrN=PFLgk*s#9VKp8i!FHDp+x ztXCWY=~08IQfGTrBF&1cC1W4q>|Q{kntHe;NDsK?`2J8CQf(GMJ_`2FL7Ljy-`Bbv zfg20Fwt5_pk5%b)OYFv#m(N_@aXCUi>B*)C^P}8Aof+6!eSgz$r3-L*!X3_Pquk}{ zkDK;8Uva^IH${5QpuYgS)!QJv9seNhQDqbK(ma%we?XpI}6u|5EY4s{2GYEjw{CkOiZGm~ZLB$+)6gu$5~iG4@Q zkhd~k(iL!w{U+U#izft951#7e0-K#i9!m&Y+p!A)L!E<;BY?`-lRyPeVgg2XYi8{4 zHB%<{X)gS|nVFyALOf^c_WV@sRovrN^sBS=C1n74@9NuV;~3>e0kG)s;g1(R;}<)8 zzPSrRTLb;)W=I{D-}sH%Id}qR<&3Sen5uxE2s01mm0caJ7k>+i+UNBjcw-4Ngv1}) z#A(96UN0bSP9r7@(n33v| zX`cHyCtVt4Y?i~gvwWU<3!|S<lz|3YXcYZRjk~n;Zsk;7HSJrTY3A9frkH$b*l>}yNk;7jy%^mXiM7kK0|)bw z?Y18jf@TK3+1#+cG27(zrhpCKZ`-dLsuU~=jaVmqehoW+Jwg#o8ReJem_%$i&&Ftx zU-i1&dl)NOdD*gM;&8ln;n^7|bjMzuLt5EkryiY?MoYQQJc=p1CwA7AjvE^=(1ht` zAf83fTd!Ec)Ruudmlif;t?sAc&+a>n<)CLB42I+1HK?WLC25Y2pa34N@lQR3quLs< z?E0!bW2Uxlmn?#gaG>M4-;=d{z5s(%4r~2K8kNkfX(`^s8=4uG?)Av)wtoE|241@S zMq3CgUy6&}fCe#IWNwc+YkHj?p@63PbWqP}CqzB_O-yU1&+P%AhQD$Du>jw1P3|Z0 zU;kxW9>Cf;WeFRvNnl`@Yb%$Kka!eAUX4-jH^h;-kV63nlzs#ODhDzHd zvyUvtyRkrG)TyB{3+k;j^M!BNlqB=zVuF~q1-chU;H{*6jduk5UT6fVXWKUVNJNL- zgHxNfJ0H5o6NAL>-}6vq{34YlvSp8Sv(P;Of0uhuIYv>-2Zhe`dPlCH13o!%?6WnuYm7y@qM|rYVFRb!MCg1FSNkKOGwkkZWO4 z@l%7s&0B5x2QI=o!k8`0^ma_zQRn9l3~qlxHLgaxkA$-*A+Fesqpr1Grj7+rz4{W1 z_#m;=Eb)I=kwKZ4ILoIqiFC1KV|Dcu>CIB>mkV)f$qxE}3aXST6>l$)u0;Br3)v>{W_JiAZlJZSn?Smo03;l*_3yYWli}jgLZ9Q7 zQ-=mxVw3KoKdjr?84SkG@r9;2q9gZV$Rm7}wL~?7nYcHsrQ2K+@XvCuyJZ2*LC#99n4VOFV&8kT)E2GN zKAhx|C&gAwZ63Z`s+*>m=dPpOLaKM&KD@mQG3D$?+h44FOp*S#)x`n8nYuK^{S>lK zo!Yh@G6!_keuo69DJ`C{<6`Fw)3SIYc6Olx#Fb(+*L#&^nbT_ST3h$RX7*QYx7{|SGE`WbRN4j ze#B~hRCdp+sFC0{LLL&BXBn81Tr@2MHZ5tQXt|6^)do#8nAwvDDY^OS_5mwAt$bjbe95c=$ z20|M)!uyjyV9IKL3kkNIoul0dL78nEW0K3PH&Q?w&;qlg|8BF!pPnEL2z)sH%gLK` zSYR8Ed{1bUzp2up{eri1>Q4AmI1Xi-*gu0h-X(Wy!xrr{O>2=AEf@J zHh}N2K)>D@$d0$T|GEdDI@u%!@A**yuakf?LV;cF zi#|dAVD7GVxY7eg`*+NCmu7y`e#6kG^rp+nLEBs-*7uMIoEd@odIPA0o?0!NdUAz2 z5vbw>ZwwC|70r6iPK!*@dLj`yO&2!P)POb z2DW=Wvk3Qi2dNeT+4!z}|M4%T$7;bI1xqn=RTCSymQUY;8?J>f*Dl2yMdS|yvobku zSs3?Q^bzQ4Zp67SNLuel7aVH5R3q&9_Q&XdJCOGWQq^>fi)R-6R6YZkE!a9u8f~U<@k;p$GY4Qb&CQZ_%fQ z=?bw{>wT)pGE0q}a>6+mrTl()WV4HlmJ#wxRh??d!HmPlz5)9esD;i7B)fprj_mn? z(){L_$o%sq#HPOc4`QrqYyADayKoSjvWzx`n|&8MS9R^B*AQVn=1d1IP_%HS%z!US zLA@_?hiaoz zQZfY10CqX}!!Xtl?)`h7;vb&)H=v#R7gY2F@2n&+-SFiXzpj#9?oaP)e?0G*tkoj- z&8FW_OCJ3cs#sIKloa>4;ILP6u+r9Y8IWp*zGdE=kzkZ9{9g%5tb*L@xem#kFw((whH*m7ODa(#N@0M@2feKToa4}!dep^ zzV@`UIN!#IWsH**UF&qn4bvSG2Gu|VC<7G=U}t*+T~Gl#X(BNtM{1#Y5DYYSy>o4F zM`^t=1^taN_}`n$a$FZNp)cu40-c1Ny*AMm z5Zf^IDDrbaav(8D^LbuMm~AyRKdTlsUC&L>EO$3n`DO$#qH z|6P7Bux%GNE!*xOX0$24k7`1T77okWkUl`WK9(qtK2m^QP8Mq&-wOxu_&Roy*1mOx z>TB6u@-m?CwJX`B#{H^NM?!A4X!)Ymbl64lM)mIiYx7f|!1mrcX93MQ5js9}xb5@eh6F4yJfml(k(+VIV8qJl{?>i!TTCp0eUmzb_KPUK zTFBG){{HJExhcu%Y|=sO;fGl8yqmP^uX=?iy$l<{0p5u&EHZ{~FhyDt*sV$)`t>hs zI(ZVq*f&tW)z0571G3rm?rvGHc!k^@W` z!fGwoVTpQxD_sM}c26aIJ>@e%VLoZ7{i5SiR(3pOvr7I;zDqp#RC7Fu=j!H!3)Un^K=-Rz6j>FPw4n>1<)?s}_TAZS!v~4Miis z{y`>f5Awuy{6zf&Z9NNTQfAa*t#6_D!ZLHDy$Z_Luv6Ek_86(SoErKqKI4V!x!8Om zoln~d9s7HYVtTQPQ8716<^5;3Y!QAWy%C6ni{@3n8pMs%xOG=4pG6@{+-&I@8EWT~ zk=kOwBF=l7Z6HyAJv<^cDdH_RF2^t{b?Lp@1ls*y;}idYa-*-ayInjKi%pkCex>z( zAhvICn5gg33NS*o4fBoOmjO#RunqofRWXN?;*I{gFz+2OO5N{>fpT!$$eq>8*we+& z76)uSO1HP6|Grun{TC{9-@*Ulb|L>KaJ%lQ;QwE8yZ9tnUy93>T*{G`GOMyT5T~m? zD*&A9?1<)zj=+uFDj3;iIx}CFqXszysb!db{{*wKstTg)b4Rl*sUG7aBd7kp^|K-e zs4{KqGl$Iz-*i^s&b+X#!BFW@TMJxC&A3?mtx4Gz6T7NguHCMbR56Q3NXh$a-<e6G1OicJV*?Qto6PoIK6VK3gwI>4lO7zMvZtsiqm_oi4am%gsA(P=gmQYQpX zQc_Z?MdnJA4qz`OMLwQP`-ML*JzDj*=%KtM2Y^4rupr%YiFcym*YNcfwHm~tb9!i5 zLG`)jQ7mw~C%dn;+j6QifWCcB-M6!DSQM^OL!%=7!|p_qI`~IN_l;i(g79-Wbdr4g6gE#c6fy?KE)LNcVHu^_i#-=fil$t}H|mZ)tY>S7s1Xs@}B!mO-LMvdt_!G&tgJ`AFu38nkJ=g6V*rE7et-|4 z(!D4Qkx&5;uO7496v#2ue=ETKh0Nzxk-6dB+7FDb*#txao7R?Z(Ykyz)0H$M?hJa2 z)rWZbObuJuY)r`mOVvh90q_FpP5J8ai<6{Vj|Wy8h`j%~^y33U@_|!te!`9f z6S+NKddYUqU10tA1@~vea@aUsg;9Hj#$P2M!Y*~8M<&0*Yu~Gv8SmM$_5FnyzwD_{wFHdEjQ93`3#*rg!JuE{WeiBqE}JB02I&~fU(erzrMLSd+lN4J#o$=fsnUOh|d#!uLacO;Y-gY6= zNUyfnHbS2DZbR5_Dtmc&Y-|W5@1M&C^Nn_PNUOs9;#%@$1F(u%f$0XmgI_bb*A+bN zo;a059XO7Y(+uxBxNpKxu$DHfB@p1+R{@5H33XFQq&3lyia*?ILStk7_h!v8rv;V$P2`6psck?j?caW~ z#6E8sow9nfJ5og8j}QJpdJ$3h}HCHw;8>GCs1rBV(bCD$r zVPp)!^9&Xw(#l`e%fFNWhA992=U((#zD13jq|Fko*u9O+6S#haT7B2dMO6VUnA+mN zekG}9gvVPjP8s(JclP@^IPI)mTl8{o*9wKF0aqs&`o>k$)ME9tYp#JC1 zB5anGM2UwYz1`-k+zb_k13#(hG@FPvA2TO@WLZTM&osX9eTfIRIdvL1WcP3F z%H`_ML(@$K~NAhGXN<`T6!c95K{}4>6=h{9kSXSEP!srlN**YA_?rLNQ5J02!0eb1!`i)W!Ki;L;k2#|f{vnJ) zggGy)iAB_f8jd*;m!f5vFv6hE^ibB=%2`%(<9eh@MX~w&^5*(*_N9>JcGew7U?}UK z*8P_+_!zD>NA5BCL;k>9Xu88YyAUB;ezq|xeeG~;$BSR=wPQ)uccK~UB{T68D$gt! z^7Xk0pR1HGWoTvG_fBuq9T46u)of8{Ss^sc`((XL&KebNurknVC_PIgo_xb3Nx2Ru8N{yCmprUmJo&ilB6}3?dvp zV2~m$9n^!6Euwku9@n!D`B|^at!y5k+~=J6T?9PT*7_i<={Zbzs9Qd>F?=JSvYfFL zFfv7lr)=D2#TRUhzG6K?HI}j)JQxIeKEGjAhx!Wx#g>rInxX87Z=);*N(dTJ9Z0>+ z;%v1A}`l zvl8W18W;~-aG@0JwObhQT!#p^>rH*>3&X z;0dvF&U&oD3{LAZ4j3l0C<2m}bxQIiw6v zEvGV>gAuoFAqk-ys~oerYonZjAqxBZw_-Cwsy;tqBAONAhyAzV?Z18~#&v01592l) zL6JaTtOv5XTAObX+kdyPHBrRJK+);f7e|(CFm~<&dTJL5nMY>3hb_=>d7&Sv!nXS~ zmVGW6gkeYFK1anTGnq3L@&mTD_31njytek)&ric>R5%z){u~XWQl{=J*z9A_?RWdO zWf@u8Hm1~*)ml*}!-Qm$+q8zX)cbqI9}vj~ds97Df=c}`C$^D^BY1})DMN-Z=Z!gAM($|nQ09i+>bKU8x!0OG z4?_G|m?1ai>VNp`e>(3?UrGSqZWF$Dv*&lZc#kc%h&5?&LB25ZevzcM3y`#(0Y+Ce z!mBeol><=W2yRMGw9*?$r^L0jYd0^8T_SlQO8hHe|kV5?a`!dhBg(&fuX1hN>A!+Sc34pt~AH921sF-F3@D#@~$* z;uO&D<Wpf(P-Ui*7xs|JaSM_r6 zJ-%OEZjlzxx%M1oO-0V|OyClPJF(Fd3a-RByN8IW`)u#QM^}_5A9ol^1;y!?xEbM# z&SkSDQ&OO=ZNd4_nA)|Hg=A?6c_;ynXEEFCpo6`UIuKKssc$}=tL>M$+WuC>{Y%x_ z0YXAXd1YF;+Bki=aWUS1N+H6zaB)#zxC*j5vf#2hf}%xgJy{4RVZz_AJ8W5I`eo%C z^&4KSG^6k#vOnkcZUGsHzm_e8Rr8y@;D3yf>VQN$jLvTkkR<{o5!*%wzhD%`RgKXU zkq$LAeWC7$KFLMbTXfS9mpk`O^s>ad7qfh>;uoPpJLTFC!Se&q@S^V6BrCKWWnem4 zI%4))0tk%GEKXTX6o$G~NG^aa%B`L->1PEytUi1I>)oK+zW;%K(|fUTpZcKU?)PGR zqq=onyFOW)Gshb_rAU$TvVJ_aTMX@`wNs_|y2(gpgqj1r$uoG(3zd?D#= zUY6XVxR=La{i3qZW$amaF>ILX(6&5Wu%Q%2RxK`1UV+N& z^V0GGcmWRD8;(*slXG1dcofUwVCfo}_a_{;3my{z&$dUtU4%GAl=! z%^EK7w2_!U!G~qx}dl5TatP0S@UuW!vLP0{6Ep zBnh-`_8y)nAk|AAvuv1lR(*sC6+v87i~;#vh(lb#2TSvW;1?Z_&(=#~6rZUtLK#5s zTDvo^;kqR4>#ebH#x7?v&PxkXJbfLwhVE;Sv#`e2rq97)>B2im>UD6ELDnZH)JE4pZTYy6LMIKPj(1VM*F$u(*sI3CmP zWOG=k;)TM#iD_)D&7{L;f}X_&HNHJz{0C8Fzz*fUGXh6>yrnEBj42=H_XddY&KZ$=AjP z4YRdIllyLtAYE`n?>aJuJl3ZWbCl{`-_f%BT|VKk4bw)U9pvyO>D+RgYSWS7;E~r& zwBH8*qnHo!4gelX1+sHM-L(zxY zR{ViWEjn~4gig!%uQgp>qas|5G>A1>4FX_59!qb zkj64oKT73QJkAtz4k%t&UxoFcvzD=Ev5ecWb;eWM=1YQ6IW{F8O0H9yF!od7ELGAW zVGx+%ut3f;?(ATjm&VS@euAEH0*VR=SuS?5kkj>sNKVikx+bn7%;USvVmORrm)3W| zJRr2yh7FUt$iXVWnFWd_|osc#DM$XYn1)Kd>sDu zZ&He3L%?aFmOm?PQu2Gj+h{ui7m8*O$TFOL!{@bQ&|j}2Rmm~f{fC_jR_vhK8NNPj zN~jpfE6%I)i1v(=OsHOBd2|m}?)M)2 z%a6{ShEEj~uJ%TB1In{7wk+-|JXC81(+T*|e{zmkTK@Hy2PxZZt6dqg9M1a(w$~95nB3~cC~YtYC@k1^qHsKM?o*4cwv_PR2*nh%2>8M zNf&FOy{^GqO4eJ|^PDG(mEXkaG6wlMVL~+a@bj>zyJ~}IM@FU4uMGl~UG^7rnXl7Y z%x;bO%*-)IXzmlWLU?ql(}Mx4GZ*p%pyI2Xt*+T0!KM+Rkzd}*>o^}|Fweu)erqce zvgM!eGnNyRU*<`K^_tl z0L@F5j|aIMT-iW*wEfYkp42q0W^?_pg$|1lX^)OPTaQ(Wq4au5|Mc0|nFLsO6LymS z9Hm|b!vXg@ z^aFdVnioe-X6$=Xo~;*7Sxk>z%`eURxcTfqeP`rc0F1XWZPY3E$e-rR8QD{~RktCE z9;(z3l^%3_DjAFP7Ubz z^g%LtNo0n~Q#L*v#yIU3SJloOwjMxf&I`5{DP&R&Z`ilUvPsvJ`(HtEn7~lcdAdfB z0tz-0D{Jq;Rv5_~%I0{kR12F?9DtxMF_j@Ap~RIDy}zr(>&b-jfZ11@>MDFPPT}j^ z;G73r?WC9GoA1w`A7ENOh!vjqz>tffC}w*I>PW{XG5jT%_@4s)dLT9Ji$8K%dgey<>Rm%T8PZ1L@@ zINCiiZapTcK9@Sopy@0<>t&*6BMPx=yme6`J0exNVBd?eQP+^h(C>FG3)LZwPwRVQ&}C`nECD*0I9DhK4DKmE{VkoEWPz1+XDLfNx_Qwih=iUchD%^9f6jqvTI z(Y~E~z5E;Ef(|*Qy->1G7pV0yoTW{a&2*RLs!_2@4;>8KnKMjg-82m7Xn zSzgooOX5?Y{yq~1VfJBQEY>;|IHNq;G7S`L-y=WZEtGIzc4fa5in;3w09Y-a>%wWy z=-caehkba+?jr6YMfUf50VCTf4UjAz>BUeB=5uHHI$(ANr6Y^-g^4&cqf;;=^n@4?zXT95{S8eF={&CA2QRtw!4e)XT2MOFnmJd}7g zWZM#mc-nfP#^IyK#`>r~si%3O7z$0*)c%X={P}oKfh#G)a8?lgPeXhm4g5d*t3p=Y z0h;Rhhe@<9JMM)$$0`AMwyL!og3BtRz+h4EDW70KMLf4BI}(knRkt^jSW{` zVM=LCKYfw3^E?Q2?Pj*-RAfk~ zlud?7lFDXivK`xuT^JNI_JhGN!;IZ9#_qlKe4i(4eV=E&pWpBOXOy}blzjYC4Vz^&R^RLq69}j+V z0BR4E)6M(EOrI9)ReZ?7z0omUrI79RW9%FvG!Ku)a(CE~NWv@ha$RU5ym zA=lm4aC@zLQV%?568Sj8=*q*&t)a!8_jZqiD+Ov;hMNvK^6OLz&yAjL(anuT+h5+= zi6LjvY(#gjmY=3&wOA#2px|R!k;;y<=GZr~?;l4-MlzhY7eue44wZGxyr0@Fmf^T{I>)-AEl08cuKK?C?wn#PS892gYYVHm zAkZzRIh*Z`zqY1NWPD@fDpP`HN3Rj`12UW0)E*)7RDbG$p~iteF?w10#SLZM#(Y^x zl3B+ZvpKWxex33AxNYrJdQe~oH~Uu5Z;GnAO=5Wv@%V2FLI06*ZpxXfBe4lqNPzQAP@`HnnR%6|h$^ovUN63~F!)-CD zAxm0WwH?B!vE zfEJSZN9FikO2Y-PNn#$4KI9g(oac|D4X|fDsGqOc5Nw5#GOkK*Z#zdb+RS|r3jsX> z@vM20V-4=RT)MlmX@)h%gIUJl5Gxcr#_c-@9`L1HvrQthkM1aV<%~NNmE8v5!vbr% z{6MoQ6kuG<4h8~L4i_j$-H~hssf}msFPJKH(>kcahHP9MbCEG1d);P ze86j9!U$4MEMaI2b65&5RBx8`Yjw6VGy5&aI*NaQysnN`$KxM?brl*{IV$p+A7bVf zF~#4p$@_h0nDDwDrv+c6T4qd3+~c!7d%d_e!(PvXq#6aP#gdf6Z=aaZ)`r08+s*i? z(gzT>i-SW^V2o#C9K~CRD7<3=UDl zK39d3hZm>yvMLZ3OC4qm)d#*MTc>8W`RSx$^la{|vxlF>;t(78x?fTJAH}>)GQgJ1 zq-{)w$9HV$1A2CuNK>+x7M;klt*w7}iqv%6!#70`#wIzua!R;tE4?jg))3jJ;K5Z% zJFB3E2vzmEN*?W}$cLG&Z}bDCU~xT3$9+M=>E%IWERcf0KA_gZD93wV~0L{X7iia>O z9B;&XQEf(#nzA=)sM4I_@cH>j5zUlP(dAI6AmTSEPTOE+lvR>uYg=SXy75Ofq-HEA z&v&`?Iob-cxReqAfszXyKB@(@hq?WcH+8*=c?MNIiuaHJW@>jF97Cn@66(qv(c1J$+>3mjCPX(REHT=FEl_t5gtdpD^wz z3tWhO#dJ}GZf;4Gal{<0z9a&$?BT}2)iE{8v3SGYsA{kdf*xCxlo4IneAGNdlIL-* z)ayM|GtWPV=33lpQOD!TIh2=}o^+af0W&w9LM@pW) zVOlrnBF!OsstFKa2Yn>xIwSO+Qd*!9XC@j_HJL>V{;j{058^_+y7P-g)8KG8L@R8i zvrXl}f*A@l_v24c=N{x&{q)}gMV)B9{J2mD34yZaOUUraBVX>#+&|~{V0CaVQ8LuTSXoz> zeqAnLX43<)%4ih6cWmlvz+JMBx;q@-vSSPyU!2|8U*~BMuA=UXY_b=c<8d!>uL3T4 zTVbJQTc?C41e}s{HkX3Z!hu-uGq`4`J^wLtd4V_EK!zzttEg(>(u-Pw*pthw7MQ1_4O0f!6AYrnU&>$aH- z`kS4sd5zqkr1WFzS^54s1?f)fqNO)LzkB$s!1>VBQ_Q((vOHE(Bh6rd@IxVhBi)PsfVlk2D9`8rrT z54Y_8o72!a4WyMqS}^~X4JX1u7w7_Y_xASEUQOs`GxHPVJC)~H@3E=6_+C^Qw7-P=Ix|{gC80W?v;MM>E4lDUzQ)4r)v>7z>Acz` zJyhb>GsZhL1A+mR9#t;PDT|hzKNtP+@o>*x3Ay;FwwF;BX$xuo09rFAzF`V9GqgH8 zQ8vClyx0(AIPCcFm#u+Rv7oUpv0@PH3CGeh>OEyj4{t@9f330J|@QPT)F3*E1i+d=1O;k(}I6)k||_|c>QGj7rj zNI^sCFcU7kP`=f1s0kNU$`}_QXgS?iiw{aaU|VEoFm?NM3s{&|-;nqirX$u~4}s{i3-%`~777+z)`2vgSIg?<*U5-f$5oFLbU zL3I1e;htmYW*(y}BHxh(WRh@om{wqQ%;N7@T#Qfo_T=e_tP38iJK-zxC>GD?k+~q~ zw376T_r*Qhj&s}ZBe#vA1n2v=9`)W?nivnUg))WFmtic7IYxwp+I9M^ssLb)cMw~B zTZ@)$lB4Ig{Naqk*W~>OCQxg$IzQY-*)B<@bTu^0%FRECRs{-aE%+IWJ+d;#ZP!~a z(~XAAjp5)g&yd%rp_|fwueR(I^-uQs zDo`bmtk%+W-MkvV5{PZmSM*kJrg)4!TvX=C->lGb!=N0ziSwtP=3yI3h%Oh-AK#Ih zw|d+4rNG%Dxn7;wH$vELeFPA>`e07XN9MudLpeBiX{OhL3+mv3x*da0qqG(H!R*eD zEjzB~nq$pK3dqi8y)4_yOi_TZ(&*8XQV-fxuP3PzbXbwkFQ#LU%hsvwXAkk$uG2|& zD6jFq!weZeiK4Y_^|Kpx!^A&&vCX(Q_RxmG6Aq8fNHYFP9S4JU9Sg9~e}Va%%bO_$*0=9j^xA?LJ`YL^eVuYEiX+D z6fiHBFAboG4Ck126!8++_2+m)-x0sg`(NQiW%PQXA+;tayy@40Ij*|p)Pp+H))d@` zY3m93&?41i!g&9u%NY%kKY27XQ$+%Mj&-UAz^iJ zlbw=RZkp(BD5fDo7{~qI6a`x4y-p%H4w=`IJ*vsrW_zfYr|DSapoUibwl(3*4;By<5_ZcGGrg5x_FWT+fr5h)X$uB_RlFGLDI zmFzy$-_xvzsz8u~>Z6o>LsfNuDwcSIkx~FwxKRg`Nzr&tYa1w!tdgO^;=Qgb)6Edw zaapWvpZ=^`Ju9RYO$YmzJdeO0 zWv|KDjzw92u>jaUA4$^i8Aqu9T={&Oa-QH~zBw4otlkVMo~QgcZqxz6f0BGCrC5IJ*5rs8%`7Uth6;hK90W9-r+V8&41&CQyBno+90R`h zQ-0@o+v@$$$LT+>7RWo3G?66m78D9sh8~B2!mznfa$)JsuVXol_IyW*!^M;!9>X$1 zc?CMRGq!rnyK6&J^2C{mDI%;LX90B36E`Uo+iqSKEph;HH8(^=ubt00CQFBFDUT<}`eUrAXb(}Ag7L&67Y;JD{M|m6J z)N~!103BPtT^)}L(MKvVz1Xw&kHm8tZo7HU94Ga+TVS=xb-r-LP=GJ`SwIwP>ItBN z*69|Jb-HEDKE31Dt8OTr|LYIO0HzWb^4xAi;;1ZG&yaz~s)}#z98duhU4T2#Ns=N% zF1rh?>nf$ykmgSU*tIH=cXlm{Lv0Nlg=Rk}|2T*8ZZ8CnmSzF+!X}^{bt*jd9BhZa z5*nKY|C9>ylqG*Pwt`u_N8PtxsB-^Y4k%|N)H~etOn&n{^HVv~UCO(*>k$Y6?v6*3 z1P;9yu%Zkqot_Av%4U*ITY}7VAhxKPJYnz7kCD-3;H>Jfb?Ho|#@9*`<&^ zEv{WPXu5cbHMQVh0czegITU$_Gojvz1j#gSJSu z*LM8bCQz}RBXpb8>{(3W@4yHNkhwilwo5!pvDem`kr|sZZC&6j?RPfAV&>5#9wSd? z^rTn-Q*XW zWQ@TA?sLK+E}dO@i4^c|w%lz36jH~b>o}SUF|7NA1O5^rfS;Ry%`-yZ zP-E-b+~jA7PW77H9s>Bb! zN%EhXo*-Gq26zj4T^b%HB_@w#i2^y2>gRbimM{w+^{pFC?7fKPBb@SgAa!ON?^=2h z;Xke4`h!{!damHu$&1pjZ#%Xr7@m>e2|f*{P1T@_R#Q>;C%(=MHaEISdkwgQALOTS zCX)yN0ld5&ftqaOjpdKmN#(gC7|e`SBj12ACJl#!9qgn#C*QKN(lJ>RCabI~*Uqi4 z0nNg&3u_dnKjY>qZw)V! zBdKtvyX$F~SJl3HttI_lR6cq+bb7l_a|jkSK&4-ywpeuu6z3+H!iSpANCt$`KgW4= zKdphokb5~g=>8n46?5~>S7Y*8DaqwO&}F~sD>#q+9((~WiNC=2l`}{mzOCQrdr&qX@a%ndYWSV z87q?=mh*-?SHp{Yv-NilB`50}IsJsgNZ|ee=?Ik;ht;w7`*s*7zuD3-I5XHO!dWRU zdLD^QOX(va|c`P}bv7$j^O77NkZxYw^B1Q`hHp$j59%d7h8vPjK=qQNlWnPB| zpkh4_wo9SR7RobY({STbFi%zBQq>)5j@h{lUz2&Uw!3UI_QhUGezW6bJm?23TuVAs zpeC%MHP36|c4$OJ(CE>Q0m_mc(@XOXh3~ARP++y2wDUY?qAtEV2S%{9cHQ~oYV~Vv zbcip?z5R=UCym0aH#B03X0D}b(M6}W1M=Y7OEwBX;pl+r|2vd8U@hXe05PU!wl_#@ z08+Uj>zPrMQ}jPrkFlBkPd&!^LVzk3??7^cgWkRT@i(<25c%RNIW-cK#bVY@;+08? zlsg*~(8=d*e0=gJ`^%Dm`NAvAZ(4i~5t7Hfjy&l)w9oe)EX@QMiT#)kcnqF}hHCJG z>Cd&3_^{UW;6sXPd>-Kj-7J(TrE^q>~g znLX>JmZA|~w!6B^vCS=rHRq0EjV}CPT|70`nI9_(W70CCq&({4m*>wu)q-wjryi(W zI{#lh^!~<8{SYG^?Q38Et|xJjpS9~DReQ;D>lABO_ni%srcwqrE647(bcDbyg8jDA z6U=RmA{GxhL})Mw1~rbw5NA{<Z8I*s3*H3Y zLr~uQ3?nkPNv}1DPiIG!k#yWCaT~8&_~?+!=ebK;qVP~(*IEuL6|Yo|X?8>*n6W#+ z-eqPXQWA~y({wM-d4Wf&x=^prv>ooA6PZ3v{{D;OuODS^oCx{flvw!ybjbJ%bO3ZM zJ;x~S9W%%70y?+l7~ ztZj-{^A-fMM3W;`Tg)*|6SdWDPBA`8^Vp0nRe}7vQ#&^H)^;^wady9N^NA7Mk(3ii zK{hh-=Z)IR#{^--uLFAalEG^6`tTKz9(r|Hv?cfR za+PjOk%a)*d-!B+(4>ftBO(;j-(}T##4A;=6`WNAa1M_Fou$liqxINH4>Y9wP3&A3 zgZu?MJOZ%87ho)FT@#r7_*Rn;P-@?QjlTedV+O?yx57A>d|>pIurDoHe}>h2jctJ9 z2Q!@u%b_fx?;?(Cm}!Hi^e95!#IU0&yG!#JXXJC$uX#kA@6?8$F>GTnEPo&!w+KJ+tFgZ+kBKApwvhnFD)ALK{w?-0p`iKfM634=A(-P5xSg zb>1b=aa`k9cHBrY{p0!I`bLoa6Nr3tdSRO%{SWFZ4u+(eM@Ufdw24wxz0{j5|FwmH zH%~tRsQV1QjxO(ps~buNH60a+jFK8`vV56eyugW&*$45TOADKY*9zAqJ_h>(vTKgv zsm?ADdco5lG00BIEAPso6Eh!Z2Z^b^B8FJjsA7k=t{z@^w)42=y#u#R+2%Tsyjo}A zD$oquZ@Zj`PZk=l+gt__0pVWvuZJFaAon>kVwtsgw^cKvk7lnlp8?s-jUg}8zH&-?&uL(SM5gELFg~Rg!2AH4HP(Fl zGSKCW@hdcDGOMK|ASzG+UuL^UeZz`Pwn=7YCO9WpurqRSjQW~wt+DayRt%!L? z*y#u6Mrq~tGSi610;$^$81N5Pf1+Z*?LK3TEAFHF4@n-Er93?49QV=@-HQCH%-cb9IbcHo_;fxi%A^^TTnI0`s zMyr-3r7$$YIb}ci${Cum6y8M7Zm_4tg+GeWdP)cMd12y`_}i1Ui&uz#YH`x$m9hd? z0P(9vl7UVhrn!m*Ixi)lgBTK~aqz~r!hxQ5Nm?wFwD*%!^~?bb!j(lFqfjW((YIj; z@0|lWH>rFp-v3Yf+Q6xTtQs8L^ec$iIPjAz06FX7(vp;yiwF1N&yu!lR;t~zbGslB z$YvL}>nTk%>8V^daC@ved!7Nbt;U@1Q)*e3ub_+%HHoEy5HEPsm8;-3hn<9>F3I+E zUj#9^q_!tXM?4ai-*m=ZRTOMX*yj3L8zUn9CRhV?L}0M}N940s&5rOC?M(x}<=Rmd z)U}W=rCHTO^^X1A2I*t;=5FXZ)#*fupwfxQy>%Aioupmu}Ks49?5+-7b5rH8jN zoHwzn|0Ego{+kdX4CK?smW`}Ep!mrO{%un96;t=8dS0IXL_<}Nm?f;|JQ0gs1_T6SJUo<8z77oP-`F^)A7Ah*5^h9EKc5lW>k9e5%3Op$bYa!h)ffB@6Rt1= z6h|X4S8WmD{xZI!FZOVFkW6BqxE#XqjfQG0@t~B}^7LU}I4-78seJSk?Hp`0S6a<8 zRxgQ@eL<15g50CE{Lvt5dh`nX{h3x#z36^0jA@sqd=`b1Lzg|bbCOv^)YR77+nuzh zk;hi}-7nfwXlBC3AcHLIGH`A1?FSPRUv9f;_%slOqo+WHYy0X@2alNCZ zlt7iks!zu`6!Uh5JhplNazh3FoDTmOwx880g52LaD?rrn^mG_B zjuG_v;=gd1=^W%WUKhQqDlAv^jloJaps2080=@BnNJWKJ^5h3}%)5Rr#E{Diyk4&e z9mCxNp=VA_Gj9WpyKTXwF)JTQTX%AQi{aI3nM1Zs@H!a*VED5p`dJ}6UXphkn7c#R zP9_q7Ofu9QL+YQh3;IT9+9l(39kn6O*D$bZ)3pm&LV2vszOQ`GBGK>evD8|`%eF|u zw*-J6l@)H@F2(0QIuf1GqD8#@BL?EQ&oR^s&i8DrsfsisP*1;~K=Nb0WImICISEJJ zmk;X;SkLcjPG;CnDB2O>IkOyI_LkNJ$URA>t@|DWlF5YiPUiBALpyK1-mGm-zop(Y z6qR03TB^N#1eP{;L3BeszA=jmZ-Kn1oDw?`IR9m3X}(}_5#<_0El1eEupY-D4S+m1 z+Wy4je+8LJqa&@T-zL3ks&H?7G@``i9K(TIMAl*p!58h~J`{?_fQCw6K)JC!{)d(m zF32iFNeFZ5;t|^PsW8cU2ely)`nw{NG{8+0us;eSe=$Hf-=>LowTajD)047{W4H%V z6)6-2i{*|`i=Bk#KFJlnZUqP^eJoNs*ah?3sMOe)h!08u!6Fk|@Oi|=6Lb3Lx#9>W ze5)^9%Of_gyUloe36$K+yGBJ4yFnb06`mybS)JK(F8I^>pmU|jwujT}YAHWz9|8g| z^}v_SeH$q-3-Mjo2>hr20*!5gcMT?Mdt^=G9+sM)-#X=RM&(a)7Gwc{;5|g@D7h7> zDdP|>Da{ndqwlOv&O(%FoT@iMF(j7+wiQ1X1M*OZOboY)MXQCTCp z1(QNVGIF9r#;EkKHYmG1Nr%aYt<}^R-dOc>=-N(s?Y61fs z6DeIlC8LAAOZR$S*z(XAZb;BVPRsNI?o%f8jl=XwuJ8cP#lXd(kwNw4G7fxDTGRVY zGrP}ZZ7(aOz_Bn`!3BT*>wgT$z^uuKip%EK*7wxo9w8_gr$FF+#Ie$QT-`Pwl*bS$0$3b&f%=2cG;uLeODVj?+m!H>>vT!6nk7wFrV z0+fYCUxhP)%jlT@Hgb$3rcv0b+xp{l?APvu%BBK7AVC42(UC zo|?l@`A)FI{IfS zBM|r3%GC-3b0$-goV}RL$Sz~2UvchV0q-9VmFzoPkgvp?0lqFfD@$l8zb0wYOS$~o z+V}gWfx}e-42$2FnF-mkKx82&9+uru$JluNMJX~HPbFR8%wFzHJmYBth*->n>FF4I z*@Bjk6oM|MQTz|rSP#;P!Hiw-**u7{zSPnolKD}3`o&Y7*?rUqJ!8x&ic0s zWr0m;Us#;N-a1-hrGjpL9)n+KCOsMl3mqRlApp^m8LUpk2u?pyZtmp{;Bdvofk#s8 zU8K}qR=O-lRposjmvh&?Z}99{1E>6#Rs^%>r)STepNh(#3cTPHThx>R>mGsiql%%w#Tb9>fv=^q!YaHw-+DGYUrpy%q*$~%%4HPh0dj_gj&*d5cCP~M#) zOkAIJ<3rdZWfjszU>J{UhQ<2~S0(!)ygrL6??49TZPlVRXJq53b^V;gp`KSzGzc(S zbHyBBX!Bh<3Jr$@h^_Lb2XsC(0HZW{LD)znN{Y=Zp;Zr&fLjt|G+3Qk`n!Gu&zki} z_M)CAb=5!Y=k-P%&Ikzrik)j~!q5=C^^y;>uFvHx)UI)hJV%^%QLVBE2{lptYdlJD z8ERCuqIz5u{*5QbMfazf&#UqO>y$Bw-CHcy^nj7rvb%*) zKph4MxkxeYuuOmG%Q>%g0))*5}IyW2XzqT@rzSDO^p# z6%_3LkQv0E`dpbup_Y4~r~flNNj~$yxGHe`yKdn0tH#OmE08MSo)lYq#}2EaRW9KcU5PMDagJO+p_X9SiCqK}~!8>*6hY+q_tlTw2<*|0`X8_6fHwAJS90Y)v2P@pHifi0!ye9kL(|adDYxLlEs2|`JyUEoh z<96ZxHpJZ6bAmfdNxQ|`FX+P}8BOgKlIjg^f!<>)-HHH2b$>}3|NJ>|cMGzyw!=Ac zvWsqgH;`%Zhmp?Az;*5ac!J_0jMD~{KPO7r`a3w(4{ExSR9@XnaQrGZsN6a|z7pZc zZPq;O!c`S`EKD=k@nx!3w9~84DGdoDm|k_!FrV=nDezEJM_pho8h@%Y$`_kus-%Ys zJQ!xLWNwa4IkKeO;ceSC{uUnj+9hsl$2LB9>Hg8*29*?0Q`Aejc)z@q$NYC@&FUcK z;Q=IQMVYN$XWPexr@QjX9lf*^>fD}kruE0JwgF1M90IRDMwJso4mb(8DaZhB3P%8H zQ$5IkxiQy}bK`ToGF%!1TWm1?60=;E(bKXXX9%8h(LPglEgS=*Z*p!<>{$poK_bKRQ_i2Z&#Spu6OGF`cAu9L{ zsz;ztPHS?M1GIXfU#f8A1Z9As4mGi1g3U1z_&l(;O=~dQKiho48!YX|O{f7dmu- zNoj+1o-rk}>cu~e;@BLj1*&=eIC6oJi4%%$(e`@3!UnHGCYKlS)l+>bygqOD6(#@N za;JH2)q$eSRDupCa43gEHK)uM^P-9XsrA~!0$=LG0?Sp3yHdV{x_d!9u03P0!+-zx zOk9q=Ap3cpQGOlP&(q8xMp`Ot%3*p*VeN#_;%8s&n?5s3^PA)<{?pkBt*nsSvP`H8 z<|NU>Dkl8vKB6-ivV49fw+*js_@8Xi~SA#CH41$N<^Va}l$}iAjmQzxuae0qvMIZ}D6#-2oI-^Gs`Dq0Ad^>~a_R8M2 z!C3YvBU5gEGTEKLaK0zTaCU^3dw*0^$}UK^$eg?g2p@9}6c9X}bD$#b#eGE{cHF4I z9OxPL%@sA{iKTKTp$EJAgQ|(#-9JrRC<{vSz3sD!-N)8OiS>K@-C#0>A37^hq4N?z z!evL2mp5VyoWTS4$C)4x|F_6>%Oh6f|8G=bgjop9gbi48buxmTzkpYsgYT^|*Ji3Y zNh6+preV~xppJpQ=ZnP%KXyN2W@>dl$3XfnoA=!}zc3}pISEUJM>wB%Up<`!^D9!M zP}<9{!|eiBi+4<#R4ljj;MRgGy5i#EdWOnZCcj0!LU0)QRT(M|3NxW9I49C%R}b*H zRxbrom&)-{u%OcEdwxC7cMiCst!@8veLlZFWgPgvVI!J84)hQBOBb#Wcio~mtH6hm zFIDx^yAynL={tAhO?bI@jA2P}5TZOHS%auC`a;rM6$DM`OLV>#BXm1D0@JIB$76in z0+yE&#!60}zN?MPETGA3G45qkc%-FCoWS{b8-7AXxm+-S*Av%Tk9d5pK~Hr;;kEtm zW1)k5W6qL*?Jx!Q1r%*%1}*jPYPJ(vp5)6V zjAM3UOkd}qOt?63tOjH2dMsFwYZc-wCpd>xSb+1Ve?-iz#!l9^*|`R-RTa2Xkv(OO z)TwQL1O(gFkn?J{dc0|OW4v;KF>pgrcLsE29N|wv22RiD1`gK53-ox7+!7C>WK-Rk z&bABf_o)jgHrAcG+VAeZKn)J=slZm1k00Xm`{7}DeM1cUCtUbPDC|83u=@nlJF)5; zi^)uWr+IqA6HU1DZJoG^VuyVn;iN-@U+;?#N$v*E*K88;B?7s}TEZWL_vE?>-l7Du z0tb32^46(2{!@6+@{%NDsrcB^K{3QE!?08{TrXzIl6=A_DUZuUw5^YD%6lMs_W+v@12nc6n09E3HGt1y zCaVsN4jAoxBveK9n{3a3JAYRlLQNLLMQYESahKF=aC}r9L|=A6=GH03?0EO!V&7!8dvOKO zOgbAlRc<#4(*P`D=@v#`0V2aE2Oi;_#q2&Dq1S#Mv-h{FSM4sHbU)4u zR{3`50KEN!hxE|dcAM+h9RhMw$HU&EUuUfGl0UJ@EJMD&!Y6S_t2aM8+q79|7k$Ib?w_m zEMv3J9#dYra|XzRaf4hLb~H}IiVqSA=U?pFD`&-#u=6JSd;)rY6Fa=Jjo*ILFSdC4 zK;-UK{!5jFm8hP=;NafR%(%|@L&bP1x0c&&S`jx4fv$4LBx2?P5#jgMoX#&!_p)xa ziY@dN$!zmu+Evf2nibhxouf0xnT;6(90NtHP5hU#Cl5@W-D6VQo*x>B8fH4w(HNOI zPg+)&f@@Dz^oppnOB4(Gisa78_t<{U)`2t&PmMuNiN^#C%h51}7_quOX3<36z`P## zQ4N2o-lhhbbCrVoH_O@Z1OKyR(b^ep5vL z?q@K8yh;)q4dF`O+uvSkBX{lF*6Qe1x;8 zfy*D&pxz#DU*ftyJx(sYb`k5nJod>X<&>yTtH{W0IdsRDD=s;22TuueuA7QoNzp%e zY{^rkGlI`@bB2`|Hm9VX(uu{#@toC2&xY<~B+S&jCK_nZ*Ct`!e8V@GT#Sje(OGdS}oy$>FqJ_xi|JA$2YSpE#i$iPm>|OwXLo9E&Zxs zwFK%SYv+d>{G}fY8rqM{=pnUlDvTL@?He*nFs=z4z$NdOchgpjwkkh|1BA}?Lp^4jAfxJ;V@LTZiW2QMx*GB4=A5!ic$cs*~1jT!z{`)ui=hv#lZQU$7 z6?CeIkh$@@RZfZ|$PBm|fs89d;6&Ylov+@Vni#tI3b;4-37UU=SITn@gNaUI?|qs> z%Hx;Hoqop#J*ln}H;Ns)mQ87oAGeQY^qQACTnl!J)A2bH-Hl9bvEB~#$e!A^V{*=Y z59eUvy{pgP@7NRZDLwLc<+Ex^p*v~}N>A6dn2X6Bk1)kJz5Dp&7;XAh{@KsRHWS|; zc)hEF@xigncy??w_gIS6+me|x@6*r$o>H>?ukdXqs@IZ=zMr#l`UER}!Zz+Rt~3-@ zIQQn&&rd^8KYsiff2oznY%`z*F69k`oS;w+k%g_9#Ij>jBc+_v~E z*7yl0Gp=stx3UW*%&4546ti4E4+VJM2`xh4?6~h_9*oJ7=oI4%S+Z4V@LgFcQ_(&l zx#rmwLqo#|Y9&iz#0BLFSy+*?%4^)4#}CwB88j&=Cd^(TfVRH-7QZ?^YgaR4KWox? z<4?!u&p#@)Wq>oLy?Ok^pU$4wxr5vMG8~^b7axG1IVLNGk@cRA91xuzQR$T}@2pi$ ziJf@zd&Qlb+JuR*;mE>6VC}=4x|{RZ)e|~VzYm=d3ArMW3M=8=HOe`o6Y-psb8EN_ zYdMl?S8cGXISecV*U_|-7l6FA9+qu?ep%%e?SAl;J2|?$tUfSa@iAoAFZ$K^GIYa0 z{n?H<#g2;~^q}+COn13F$Vf^rI@vK>FE4bPV)-dUqFyO!=wrrex{`&R4#!lgkN6q5 z>bLRcyeSB&U?pZ;*^^*gNjT^m32aftCl9vy3G^3P5fC-2huo}qd67d>?t#uhoudZU zF9v{6VqEF$E)kQ{eMe!^EhaxQz|P!2QF{7~Kuw9>n~~Aw8dhK6+sq7kH8(A& znzXN__rm%hyq&%*_VGV&rib(ec0gcnnhkL|w;p#ODPSr-Ho9{3uU zNTk$kh_wdFTeREXm6au%wz@Uu2XEb0bXGPYLi9KFh#K+VeOx}%M17qUd_3Ympr4_I z<)AOTI}X185>fFkWjHl6ZsOi2r)vVyqB}YE%P`>ebjc35m$*dQ zn`;`i^5gn8k53^+xcBLjIbE{$yLQRHNZ7hpcm|K>2QDVQufeR{wADv=#70lxkoPvV z&Ec02z^rmG-i#dn$g>dqQ8e;L|1q@I07#Q+4*^J?Q#Pbeq z+R!=n0iXm?1orQjqg##)H1`)xPfr(3*Csv6C@q_4f$v$HkHXOfq``sD*q$Db9>g!b zU=^6*bLHcFJBBm&Nli;p`hNxD-e==2ofP9phI z{>-*RLq2@3GFCAoCf1r_YMjIStT^phtCf%XI}5J0he&}9DGx7GB68q@-k|}X8jKYD zOwx`~Y7b>uViY>B|NNBe@7vsesw`;U(bQ5z8Cf-JcURap_&aMRACH{4JepziB05bK zd$#Z$VPB@0H}NwoJVSfFFfAi{Uo`~@K+Bn!4ImWjp9OFln11+8UGJB!YqU4ST#&rQNw|R8dT-7!B5^Jz4RNLF>>8PxM$ArSrbo|P!Sy$JH zoH!vUK3Qre&>%3~ywDJrij*a5D#i)tp2c zzbo%UoF(vtL!w@PYb$*%0?~r#UQX`HpE^bU8fL?8%vZS}CT5!p;Jnt?KqyiVqyjoa zDZrvFYP~q|=(nK00EZ!$bt~nL!1W-a-LIY&z1k6AJNY7IOu7$j9QZxW?gHF>?wl`F z2Di^JULnH1F|IEA!g=P{L{mnGlxTi5sS~ClyfnMbuk=Mh9MPUJDTS+9TW&?$neLv- zDV`oJ^0|Amw!1qmI}OqhBo3tYTj|3F{=28%&u|Le{Z^7_zXi{IH7oHRZ#s)EXqMm1 zCe{03*M=xVUk%sbr`oN`czcJeS0j5$tnFZ#U@9 zuekg$ZTIH#!0ZmE(nkpA98@uPcf5O+Oh!Z!QEV)H;zvdoR`z?t7WlTd9Hhr{@AuLx z-!xDWm!9$(ajQ?-lw_^mx6=*erLQUu<$2sxf^fR*zihpm^Y*}jlrzOg&qBAlAHt05=6l^H-d9S`0zJTwkMaM~^(HhPqk za6+JB!d|L;&>dFmKg6A}oC$srtZf1&YN7@%dpdz_!T-iv60-!Xqy^;Xr(rh%4 zOYsX6qe;HC0|PdtE2XnT-wl;Xpi9t;8EfZ1SnDTYLrofLnXc}U04%CSk(FXB3M?gB zxGQxv45Vyt$%yk?T%qzlMaw;ti@eTeb(aVhi)EIKi_9J|nLIMn;4ilr(36AIaSbeo zBD`G`+&YVu%jcTewJo>`8KsJuPo2rQw^BHt>-?n=(-YrBr#``aWwsbyH>L&heykZ_ zd|8W&-es@w)!;{ncY=PUVGB+167fe0k7$PHoz@mQSJ_i)Z-Jbu7BkgZ9gb-U-&L1WW>w*gqe`w#wHY2;inQip z%nA|BleR8@t#|&3t=Cca>_cFQXCJ?bl!u8{Y(N|*A7x$*Ew!eX0 zBkLLLX)%gMFpfbx0wlHGYTF8tE4FL(g7>`6{1CSFT}rrjr&-By+v)MGXO2|2)Zk~e zOdsfnE1sz~R;sWp4Z5MO&~edQu7gib^P6ZTBL>c2{28XD>uzOWpP;Eq;L+k+4b%-N zH3|%67}QEmONG(E5k-Gko4d!$@Eiwic8|qAF#T%RC-_DBXQanZ_7v8QjhU4P&BxFL zs1*t@NqNsRafSr5>9y+? z6-332NK-&*(ovd-^e$b5h?LNSAfObH-a=QpARr(JL_nkop$O7z=mH`{iqz0U5E2L` zlyH9R@4Vl}{eJI0jwS@RFV`nyBab$Ip;{D( zSiG3%K4}T-!$H`(Q0(QAFSNRu;4!n+XELoUB)@4H%+gYeo+NC{$_kee{E{xY{_wE2 z$u0(?n%9gfe6hLpo7NPK6+8;fiyx)_HTThV1?@?w5PSO_ivvM z58f{OeEaaZB69obUlHZs^2tw1peXyd$}OIUypv(8=F#k-cvGi`%@}IkNm>&*HeT29 z5GABY=O!EbHs!;OZ1@beV*AX&V-Z}`0RfbzS{qD0xhM6wWKVM(;?-^>%6(^I(RGR62Wck)=WrXI47xQksKh?B04t zl)kRJmwo&#W3i01Y(hm|YzW|Q$;-^h{k8bdB(hTTbowd-LoyavlV;`o!(WxOCYH!C zKEjbTqO|=wn1WA2Bz4ELD^IT>_!ITdXoJlF3!%R42#FF~BF;`Mkq4e7wHX6D#H=70 z@Qfm6mvmA^V(~1J8m@{J!m|b}u{eq9EbX3#C)bo71Tc1{2a_sm?H==J;JCdj{S|~c z1~$&o0{P?er)2F`Iq!}L!jwZZ?fMuT#zvz31l*Sf9NKB2bo1bcV{Td|v5`<3DPQ;v zUiUM?_eaAlldbIn)`_2;BO&+;x9tW{Frb~_37~^*hlLvG;bsQ11eH0~a%*qjub=oS zDx|we_-Io*A=prUYt$gOsfkf(4|^HAHWXOIwV(CuzzrJ#ZW5A}{ct28&rFtZ_2?IO z8Uoxx%;MQAjr!Gi=zPy>9wG$UEv^zwnq{NgLAM$IUIqSE=eM!~^{;FEDcR{0)q;lg z3@u>Fkd@t8vwZc-87ayzW=KlMWt)`?ky^Wkg7a~-s@XQfDT2*(70?_(6f6ENxfQ#h zzDQ)H#srL+qDAenf=-a50a_gT($v#3M%zGvF>77rww&8|VTXtkzCZo0k{BAE{iJwE zfTQMv+RL|hv$b!WGghE3Ba>n1Ca1;J=fvo45KuFRSv#6z60U3ZvPEO+AWRY@`=#`8CJdOamX3I=V-&Rfxf! zd8&|9qo#qnNtx=HX2R$;%ts6$=i6vVFPYhT3(zxUWN-xz-Ouko3+gF84V0flEIinZ z%0IM3Iz0)%;VZ*WpC%ShM&&@WHhk=^7eowRp$cDl9@CR2?b4nji(jl$aWGoru7 za1x(B^NMXKh)K&_&LjHCrcgBY9#9TCEUO17x{1p8T$ew*NN%M_E)ig{n+3?fby*xD zl_)l}Xt$pBjP>E3H@wApH8&AIwft(@pIY5mEBYX}!nRr3 zW=%@|PsUgepFpI<#N4z?H3W|-h0>^F804c%(P+T&%<-OX{L(o`MKT(`tVcJL){|({ z5_)5s4;C%b;5mU`R6((J+Fj;V&MH$*8Ar<3d@}w*ZZQixO06TJr9-7a_=N!Ce+w3X8EIHi3vJrz_yvW&0x4mlX zuFYGLI$#HP&-;D}n(D&e`7r6)1nA1Ve!2L0jl5AfiYw^0<-l+CNhKb&doSx)0k_bz zHLYniVWEvi79V19adUt6NQ!hAsniD^P?RQN&J309tG6ylRMGBT)Ywy8$FFq7L($jZ z4NKLZd)Vlx_H$b!}Gg*cqe4jX&B*t7{^O(wX1 zCk(lf&xM;QD#*MPOsrHYweZns-Cr3xaDt)?U~+R3pBjU9m*7Dj>Riy7s%-XzfSrzh z#_#_`A~$jak+)G59roMB(B-C)eOm=a=>VkUe&8J&#IhojV9jPb?eVY0AEb%j`AE2* zLGyM`FhO=lb*ltc`v_M8b9`oh5qW+6L!F{v_2m+as#?4OY1Wdm_JOH5jtSyX=e z3xQ-eI{-K}9h`~)E=a1&2uEbHc0|dN!Itdyl%yi-G;y?EcRjT$nFIgB?MoQ+_G1Vn zD8&9=vxYYjce%nJUtH+rxm*J7wtWP>z58>TBOvme?XB%y8cae$&~5`ZujFZuUb2{R z|5M`mAI45Y{Byv)yFfQMiGFLYg_kwt-MdJ#L8SdWpQ>7r= z!Y4MwXY%wWhiEXC3cdS)ILop37`h)Yo3KB<^4#~Zgw*IheT6I`NC*etGhg!(z7fZiB4So6KQWxRg z#!s&qE!sa%^<>BuzRuNvn!m)E*(qkjuStBCbnV+i?ramNUCS+qAEMZ}81G-46GSM~ zr6!I-6xLo?;quDqKuYc@@T-*tCG?oZ`+0HvdWTpsCa!=dc@g$`8Y6eGbunl2QqS57 zP?xdWv368Nbq{f!GuOV|Z@XkWcE%}97d!fno!oaP?}LANn#WQFt`}r^AaAEf%s7nS zy`W%i<8s&_gkDjdv2q$b7dMaJi7% z#Z0iQWcgS@55DQ(PUDox*%v?e7L~ua!IL`el*bx_LNe-~g3Ct5iCJz1RPxuxS zk{0;kR++fc%#Uq@bYPq00duz2w^>6)-Ax+O7R|zePqTQch^4ID0q0{MDYDHEY;p@o zSATP_z?MXw8t^5annbAZCKY6_n1@lXv*ZY+?$)RMOW}ERfvQ@od6T1hvV1It*H z`9b)lyfVy}aEPS;yOLDYH^Zf8T?w?ORX{D*`ttZ>V}0$_R=Ht=^}R7hfyf7}a*7lj z?Z6-tNxu29Exl!SCf~oj0JKHE1XCJR9|Mq>KLNpMy#kA5cGL>*SjcIKbVHOSxe|QYq8lCbL1`7q}(D<#60S z86jy+RV|dh@W8|M1$9w>KtmwtLZkWfDLH!;l+d2goz}AJiZpTcALw6D5+2wi%g zC~>ZA22jO9tkHo`6T2}MB}kW0CQa;R8|Y-}7Q*a&W$Ill3@SFF_QvxYLohd(tQce^ zE_It8+Bxup#XXE!W$!ejZAY9D!#!`O018G|Lg;#t`bc)E z1QcOh9i4Zsj?%$>94U&tE4`2xxtDDI{nenJZW+h$$MLUz&M)+FN;4u5u_ z-lqf-{U^=t@yWRQK9<(d(7+i;pZ6l(ohaj(uJ-X#KW6UpO2j88ov>M(R_w5&nIT)A z^S%pg2E?{Zibg24aF*|eOGc%Vpf;4~c99HTRU${ihEXl(C-^@~LhN*RU?ir}y?H2o z19pGLR$2Kxy|7X}>ogJ}y+ZAPjP`~Q_dcUIL~1`>#rm-CzVgK}u(LQNm|D`!HRJHE z-JLLkA%3T^Kmi}!mh_sUu?(^GWhINfVCLxkAL}p+Y%DZp`UMd^mt)fG{G@RM1MUtx zGlD=gaLwr-1qW_%W3&2$-Wg+SH5KHu(;hWGAfW>}qBsr-G1AzXUopoe__xagdlv;z z;r|)r=*I#eM{}d}*9(@vc)L0F7s`N?1+r}If2OqO$+I{FC*b4{DV8O& zy~T}7urzm(zGz)|Fen%}>G4L%XzS+4MN05X9Jz#$922j;kT(jOLv=HYj7^TqJUtdx zP z*Y85_%*5m?VBc$IGV;SMQy*3F%q=BvYHX*J8U16f;g;tT&xpe0d%Tbm1lG!AZjG}Xa@?IE9(Z9xCYGj_vMrvLd3Ofv!GY%aN46 zznX^5yKQ($8P?*^9@+2G;3{y`wdE$6UbkavWJvB3`3xx7+b;8H?5HaH^usN}g5>uh z+I`ZZ9lQuO8$dEggW7@MB5MDiYvQ>=P2j2Jk-)8|PGqh*_R!V~WSgckUs5ej*Ad8> zE++Qaa&7OF_uIi*=bPX^vhW7`=rZZB%<0KL7F7@m*C^ zKD!tu0}wvpHPZx|KfVARro^_m89P&Yqa>WtRYeI#h-(?zb$ttQR)ZP`52It)jlZdc zNyMSWnCmgJRqLo)-wA`#(_CMBmQZ(}z0QkWjw=LBFu*WIU%$}c3q%f$PJi~dvF(Lh zR-i#Z!;zxJ(;MH)F9-TG;-&xjqsqMrouG**-UujAB;=0%cT1klcL5F0X(A*^A8ok8 zt>om+V?{cW%+lV&v5$37)1%{tJ3hQQB9JQ${^}t4-G?n#_{%H|>3X9|qaG5q&-=l@ z&(IxGF?G*vJr*);uH>4luJ-A2P&!H>7%HA|4Ux72$9|z5zV>Em-+7z5#)T+3iAhs% z(v}X`Sf61Q4eHgQ*~eGCR(wDqPw54RZq!xy%r^6s2q*l?KC+(#x3|;=l42nx*#bUz zuQ5`hHX-_)!rUUENB!uMl=Flca^W0kIAB*C z#t0~MX6vc*dFGl{*c`giDWCa;Zw=`T`5Ry+8l=9LnX+xlZc?8co!bf~wIpBE|fzO41ZQZVgv|o?$wHfL-UcGGs>oy?e@?#5dBND~+N@M_6T|uBMww_aebuXJW^(UiPE(j2`pjp39>@ZnX|AXFcyKf z0@7k`Rn$W;n>#PMhy)0MSUm?`IUX{F$Sx-4fxq2p{qbt?48s;ZWh~ueBLK|HZ4IhC z|54}RU;$e!2Oln(Vi#Z}X%3q-p4v~KrFHuTxgWXwLsS8>Hf|8mN6YG4#v-PdXnMi9 zB2PKsC_abmzAlDIM`FhK;NVYSk#>9G(u~#G;qb&X%MaH{I*z@aG!zbEk>zKA6m^^LYxMpGVw#q2Jx>%wl>vcQ0I3=M9SHZa?G?Lmu(9Wy-L&9X~ znrsO$P>EN4ukl=^?P=Nrbi&}BPYc{uL`)2z>|(^1FE9=3 zDms637a2su9Gig2dBA1<>_%vqkgQm+m(7c zOFDGxFEdAlQ7O@HLVwA9fXKalsK8b&ZNF40{d8K)4HwPdRm49nS_27oxj>DHr7kf> zi@{uy6vAL!x6~G{OSQc+Z`31XucS3cF2AT?4l>ezyUCP#Im3y98 z@+zEe>!QT3GL#63P=Km}5bo~mcy`Y=uV=1qhMOOMmH+U2-XzyN)=I`-82tI0O6%De z<>Iez$6^4HrZC2A+FZ7>SH2H;Th1%7^3d%*DD~`&73CFSsIz0kWb!UPiB{!>*k;$> zL-cBXL|4R$s&fozXV>0G>EsvTN__nIXyp82#>%9TqeA1o!(Jsy;=NYixtpKltXZf_ z+-Ajp^-_EzV%-;eni=_k+S{2tn%UElYf;B@#PBUM>T=0sW`6R}gQvw_kfM@QbP=D! zc@LF%1DCAJ=7Tq~vaaqh&FeMaHmdeiKwx#E?;8Lfi{+JsNC52!M+2$yl zDnoa;acTS75`vwnZi1K*k3*`MpNG08kwTLaCVP61n8 zRw50-x@dw3;XtFp2^BH$)>d9AtGjY2kNvP#`q##09D|;8&RRiJdI)$ri5Vm>+PDK- zm|TAvweC8e@yof`AIAo2{l^-T`}m7#(!2aRA-DoGIouS4c=_4(vt+J1fQDm^vQ5sW z?RuEbdynD~$jgg;k{N$mJ2yLp2^Pv;%Yu`5cl)wF9n-4Pu6M{6U_ z)F?WeUOMnyKo-S}*93FSx0%Y{KtAG!n9!QX_*)w^qkF--q8>D+1w@Pdk2$fnH$AEK zXeQpDexp46;&FGGdLycKi@va{YEMw(u-|M{aDVlq$p)fax{7;;;e5QfB0e|rIWtn< z6*>2j#qTDEM0tsl!_or-H3drF?q#LtX|&e=A`~{~e!2MiN#T6co%#Ec>70tl)ctfIa@*M<{+ zwf**xeyiK8DS&o2kTJDCP51v+{14K;0cxGpxGP`IC}}^E^ki%Y&r!-r64V-j$Crqj zpxYQJSYySR#NYrxQ2Vvhzrv)K%TCC(s{0eo294Od0HN87i4=-s71wnVfa6>^( zJ-=0Sr^;O9IZ<1NA*)`zT&zI8;KHV-2HQmMPmcz&ic7p}m;gK0S z25#=*bXcGZ!-CkY+m{-AW>^DU>trG#BW#^LZy$Lp2btiwk3J{|XgVB9e45rqtoQJv zgv~zPP8EXCRlk@fMo*@4Y(WjjY;GyJX>M2eaOc^&ExeSo*=%lOezG2OE_2sBy=pZ+ zQh@?gLcisWnYzr)omcS)n``o^yl!kWbt{g)Iqh%`xB3$uV>?zFEl~nadAk0eL#4)C z)UhC$E`0LkZ;bIz^3X+6W+JD#2lfv$itJ16X%kV>hO4wM9yvsszZZAgit*%2HOs8X zOAA8jpy;Y;CyXL36;b(BPWfgl;9hw4Vn;yOO#!{vWvYk$^@#N^gYuNJRQfa<<2`wb zlATHYSL9^Hdm+2p9v-=&8U5LVxe+32ryYCTeU(Sg(1Bw_-egg6>sbpXu%<%M6XQy% zXzK^D(9nK8cCQ}QQFHP6f^&Wu5F$dWyTD@YOWZSK1^ie%Od3BX)Yl2w1+xdG+M{&? zRRM?B+`pu%)5MoQn)YkPs~kW(NR3>$ivVBJv$5>wbv2Lru%8-s4+OGUVfXG>(Qiha zwXvR^iJN6nCEjj~h9aM6XavXsISXxh)NWGitGy#?#&{@y9^N1~Sud^xP%@I~Ug9E? zlU17E`$3b~k1ehrx$7B)67qG@rikw%=Uj})XE-e~RDV0;-#;kp00fAY&Wt3D%U>i( z=ur~o7kM&Q4=Ywc;cr0U6UECm_^QVP7v23D7z5!Ep`YTi>GQ>LwnP^^Pw@4H2&Q?Iaz+14EhzY*BAX5?6$@7utM5HKHk(yZ zoJFxwHoAgAl=R?9H!xsyIoUDaL*r9&H~o>0-+0fMGn!k8C}b0*4!+QUyWA1~7^XOo zE#Z_0af|#k;#7ZXRHPe*7=>|h{b+mt1|5;lg8f>U1&IGYq09U8uIOSY*vkQ(86T+ zi>dqpipGZLJ!HQHwa6&tpvVKvh3ORf0_;eLxQD8VHbtQ%Mk+`ABj&tX(V(OUXU za5VVS!A&TA-{OL=S!sp*cfL_=InFn+fy9`JNyM|A?_IfqFsre|_w_|JHRvZkF2qX> zkKgtkMFL%{JiiE&a}%Z9(f%$QY{(d>qt(?CnyJCKl{G&GqSy~W2os7mE8AVgKQMBl-I;0!U9bDS;+Nr;*gbE!iJGY!@n= zGKyWvtqjU#dQbk8@5snV?plh_^_|skjP#nl_C_ihzlhFZuxa@nN~+1F3RB)zF|Cz*2s^M{yQvGWjql2AvOB z-4;E~D4rOlYFO?bd%YT#0jQV0DHnHISBkyEJYOf5kankMKRP z3wEYQE;UMzO&&yU(aSUeRN`0vV|9h^FJ}P5Y5VTmJhr~3?aKh9iJH~Hu?{^YYEdPd zZOFYz-#yEqkKaG+bgPrtzC-`8BC+U{9S{Zzrm)2mcW>F>f`v%k8fNS;U=y1dW&zk1 zbr5K1p4yvoSk8MRKJavSg?;BYle)NsXUEc)-|qTvA6jluc+b@HKkYlR|6JZ8YP=F$ z<)m@1)#xEEg`IoA1%`#*6MF{G9?dF-ew~f39h1_1v>0Q@Q#3pHsM2ZA4 z$oWO#=6Iu5Kgc4q#xBCOy`3o`jRwi$vT`~W{CjyNEx00e&>$+fsM#C(&7pY?)Q`D9 zFhTcvV;jn1%7xReJWKX{-G&7hFq2DoyiiN&IP|EpuELW z30XFxD@)=XY2h-bj1Na49v-O)Y&p#oEjAKqd$wsHw@kW$0lnbP-XKi}dx3ohxXEGI z+~#1l80@EKBE;^EmPwrQpKaawS?Tek{a-YQxjE%HUQReXm8TJ!Wa$vl93iPB40O>x zrLLgElM5D*O7YvEA2HBKVeJ6onykFoLbh=iuyKK zBcZtXJe=azg^psz(_#W)Wu0}6r>Fs9pv2dP%m^5QK6mHiQ-L6@Cz#4a(e^CI{GyE0 zz_39qo27VRq~kNjHENbSjku)(rR@ii()Jpj*^0Vj?V`|f!Gw%agLr!*VcZrS$Qe@R zrQOsd|8W?E>j`@?RUV9G&yE-N}Y$xa4UA$gvO=tKc4H{fK#^@KN8fn})`nY<|Z6l{i3 z^=(lZ1b1=1WmAuer@e!IGCMjA5HV%%F_c{C)z1p=v~@BYtz9Ee*P<4-WR>FzC`xO7 zFs3e;%4SWbY;B##=SQxg@JQ5lcnO3Lk&O{N{8l{zkTf@(tW_`RWR`_yb&7@^U}6%> z_Fjs~uFE1h7$pA4|s)`KKHfwIAqtn^9%&wezA&WZNnq zrcGm>J)fiEL~*-C7)DxiYq(*0cG8wc8hZT4vHkoFXjFk@U}B|+cV~)NOh=@phjm&Z zP2+WBSEPvEYn+jJb$K%Q?pks@hox6vm3{6-KrQc9*W+X+APFAcx*FwQTtX!<#PupA zu#OUgAS(+QDT@VxEf<|IL#8^15-bi{Zj}c2h&H+?ZuWo$T|EOk2XGuNT3y&F;;eWt;le>V9j)ODrw^AZQ6O9gZ- z*Q5&I5B&D50A2pj$vpSB8+ia$4v})ijC+}5CYz*MJkw)R`cn}o8PXY3hAoodfj!~s z3E2N^NZC3fh0qFU;X%0 zs5NpXMh*F`^EDF}3sd_G6t~s8g_V!7ZF)jFZpDcoZj{A!gTK@FmQm2Yb$l#&P@I=- zr!hL0(HXTRcewA z=5e!3xTs~Ss3ofoBQ`Vqe?;+BlssgcJMu1rNMIc{-P+uxoLC5=WwKp2%$y>Pvc*@g zQZS-Q4U4JFOBS6;f@N<*o(yH*c$vk zFN=DpuPNDS7#g`B&gF60arKT7ob^6aG>zO!SI%X)Y<;LjxpR^69X4D=TD_z7Y58fP z&itZmO+`1#hUEte)5_ixmp}@5QLl-s>qRZ-RlZdGYJz1=WsCou?OHtn62Y?V>TLO{ z;TY>Nssk-5#wNGzo4Z>*k1_RLpbINb9>+bM-}3lxAEpi|cRam1W9(w{3L2cOGSWk& zL~qtdok%(H{uF%t{CR(koznjQbL{lI@88Bwt5;vX?XDoQ)B+4iorbONBcZNs*LlFJ zD|)B3?D#SDF~MQ^bxK4hl8Yc?|u~)u@BXq8#GV7;8-1%zt@O(3O+jsUE*V ze_d3WDFz}%c5Rprb1K3bOpOtuQ1UWCpAXe_9xxPyDRWs#-S-2AbQPCUJRTZAY=(_M zhZ9Jc8NymnU11zs;mJ1cnYFt2LRqu0AOnL4lae4nqFIs)-P|gz|5B}t#rO<}|6^*k zrr^5Qy6qZz;yT5(LOFqHzLiI%P98vG1c>rX6|o?mve(jT<5*SJFgae%iw)9uSEIaf zg`uw^^{B08HR4ggs`LfX{gsMAViFC@9r;|d;)1$55zkad^wrmS;}?pyKNiLUqblfV zkgUWSZ(C&4XQM8?fQ*BpcHIx)C!^LWbFafwy+!UTkWnO32XIFf$66{P`M}lVMS0Sm zQI2*&?CWByA#slt-TVCs<@&KEsX-Ox+>^*iX6I4E_+@0=`0xasBl=6(3wQ;iBt-y3 z#7ZTA^X#9R@?+My)NfY4`sBC#AGDJc@<$hcdwalaSnpx9S!tKxm4T;xwMvSM;T^0UJRi;S`Lii45Dx8DFWVi6AaMgB-kXk$6=P=9~J zf>JC~=em=1L9_o{GR!j2(;zzeo#2NrZK45J5=zD5P3#SWk%%&jgZdz?5PD2;feBt< zd;q5ac3^w+?|0!o@I(ZhVlJF5(rdi2n{=D6eS&QR zk(8I>m;$e=)k2v7eot+YmKBx29KggUahgT}BsZhw9YDXUvn{A0QKS<5{v-cj3TmQv zSTC>>m_69U-TTtE$KWx3C#NpPakagWpNma0RV2;?TCeh|cgq8dX&k(4O=qL?bt}1F zlnD+&QtMRHPix^@wc>FU<$DWEDrK02_^;+;`d91+zm$;(ygS1K!(L*sd;JNZu_(Pb zfA>QKCt4{mgH&X(r`q~sk$)~_%R~wovQ+M;-IDw`01{Lz6Z*%n3)}-*;_D=*8s~&$ z(A1-wCo(#~jkjjf3S@_T=B3(zUFXYYXkdg)#+FB1jEt@#s3F#bo*HM|cuEiDfucmQ z^`^L}@I1Buj}L!+`h#qf07%{!nvEXrPW|)Ag!-w6h-$+n$Xu<&yu?n%(*dCShAmjZ z18l&XSkV>r)NnzHl_+smEfHI2DJZkI0a5KqeKlI*i%A(_#( zWR%|1_d5##>1UA*=iBQVUePM$+~Z`-a+1?LOZi1J28Tr@5H4K0rXM=5YVV=un5mpM z@;(SUiiltRD1(HEWnwFm^Va7+Di#?_$oyKGl$Me43)L2DwE?s^(aI&jy9WOly4O*WCe2O#Q89X%5cA$f<1P1RpO>{83YCh5m)HDquHOum{2xy zW|K5nsYuDSI+-b&^4?~0N^e3EY@_5%qNxbNO5$FSQKQGODU>LUR1<;FWqmG{{f!6}aB#$rAI8rdTAo856 z+3yeL-=nRyuP;x{#<(4McJSrj{&x9HD3tKMs_Ls(orZgx*p2hvtEii8USTjqycQEj zjHOs5T|owrsX4FHaA3#RI`o7rg#78jlSXf^Qi^4~5U(TL79|4eoVx)s=K?#AZrDbT z2^D>J;Ezzxw!d3Vj~`3F5|zT1RgWH0(l_*;FqILLM_KMCrEZ@(ne44Rd^}xKM&o2AJ zix1nJqYuR{m0)ddd)61nj=pRgM1@IEIaodhv>zGcr|3gJeNeP(-ZKD6e68Tl(2+{E zfFcCq#p^H#ClP;in(kq*ez2z+QMRPa@rj7zt618+?96;8D`y0-({2@rIecWB?f>d- zmELKUBO-Jw9FDBxUh2MiK9<|!^v~xNTE~5gSXNb~z$m&J3$ySF2O1@jqbJ|nv(e*_ z1m(8eNI#FLu~4m>V~Eb9@S$vepy!B!-vrWB~g8iuJJS{tv#6_i2VjFGwK6n=%12KAZuQ z5-8oE*}f%DL6zoBnv>cnlO-OT;!P|sQ6!zz^lyu;Fs&#(FFKAqkJTy6qC?I#1Ad4v zdk;E-A1ZOE{Bvy@*E$^D+8o+eSY6#2lOJ0gD@nGwTKB8@!HM`iHBGrF_!yR@Q1)M9 z_bEFtq&cOroeSqQlYii*cdcR;H^-8m9#f-VfUP4G1G<7K)F=-@r{L4HNX zVIaK2Jv<2=2}}2M>Eq1ykLf6z=+(ExgDrknx_ABGQMyyPyL{=sZ}sMg_JiZGT;Vd^ zV+nHhF9BMsk{|_wPb6%1(Fa6L_`RR#FZOy8I+KsULHFOOk@MEiPT%!-Wb^6Ju{*ZrfO ztHq-W%#haLU>hv=sPIaD1Zu0O1%p|1v>%L7)$9QWI%m9;CK%K=-vS@paPD((kcc5T zAZ|2^Ex#JN^oC}hys%UK)@=vsgm_DG>H72IUUZmzns?=GKkr)(Mxl#n{0Nu2uVlT5 zf0w3kivF!*dDRZp`*qrMJt8_e$H)b>sv^>!&gzW^Am<=qHHWmAD)GL`zyQNI5JR2S z4RQhYTr!*iWOWZI%wC4@7rOqCqYd~)vshqZzT@qq4hA}9-Z|m6ck!w@GyjJJ6n@@n zxHzjCUr~W&W@CxXNj%WIMIFny)19P#c+MgcQ2(~h|0aG`PNuvBe|Kn?`c?3;x?Z>~ z&qX>ps`*%A((AKng*(?_%xX~HPFj$QcdZtp!XS;=tzi^$z_*kpGpc-XnVW+S6eF(C z=Vuhljs|7=J8F32+q)$yZ4KB1OyLzu;`HIKx9`GsS(ibV<-dG7-ENfEs7&2IsIGk} zHp>^fN`B8lxjVkccp0_wF&m)`7V)dU64M#+y1G};^{m6RC+@1pQumC&c%KE*Sm@9w z!D2u)Sk29j+NLni0=2c>g8Tk9{1Mf}fAyc9zt3@D|1`mU%=M(;57x z??@h5FNH|{$BOltA@|o*2y%<*WdKf;y=pI@!FE2Z`7wM=Fw4{z$OoP687He8l{oNU zL=;LYIv0lya;5rj!Nw(E1nb4#R7c(zQK$L)!AmID%*!lcS-t~i%Qu-0ZrIS`!DTq< zJcij%g^x$h*wg=CRsfd*{U7}vg_@J!^?v|aR)Fr&)ymqF?nD@44pnkuT&%toJxY$;;o5G-6EB2^|dCI(E$k4>d{#72j552nJ4CN>Vqx#ZD?)Ed->V) zQv9{X4rHai=Q2sA`WKiDoH~jn_8M6fds&Xfy_~9ybiWOuftMF6=pB>5yI?l_ijd_YnZDl?ttWK!Atz!r4n~?%KCg)9 zXUbB)(13m=s1L&PCy*B3IYk(*x11W~OkizFVkDo5c+>`r#V7-mZpksFTQVavbV63~ zZ|oxw;p30xXZx-p@RKu4+mXujTiNMIzz>R`&6U=6*(N%YM?p7bRpR4#FWpeI@B2@A zu>}aL@AR6nP|wuby9iFg>+tv}4|OGcLCyP5wg!PVx48j-b(rD~zlM%XX1<`Pt`Rj3 z$&n?Sp@i(~HYJX~a!-BI|M1}bu*Hk3AKhuQj9_h?Z`N|X9umCtzl|79sM#<)d}(2G zMnq2Xlzt0DP5*Ci^7_`N-GeNcQi28ryUGk#;mR84g@ZRtm6vBmjvkng!x6Pga4j{Fgw>1;VL zt!J6oA|?eML}9#t2@rsL!ij~UmWMKeX&GE-l~y^)BhJR>r~Y5^UrglUfa7Bl{;WqE zh(4V<>qRTeo$-n`eiR^>j=MB;tYpz$dDZS~mK%q*gAr{v-xe$sS6)x}1J zdzDhAQm_V7AZ>$P$ZPS>H#_gvrwUeb{-Rp8SNOsGlc2HJCkIE5T#W%ckb_v`*+*k9 zZe|Xu-MDD^!0MDAuiHysWv;VwQukU@LyF4wo(ygI2QORG3C>$|j`! z?|cJ6wdHdexf;;r{hE!Q-lc}?2RDewWT-EQ_H1YLH?P8A(=^|#iS%LpVZee^zB|# zkt<+2WBK~GhQ$A&ipXOpQzF|eJi2`I)QRJGBXx}JKFd(yDCDKppGBH{o4*h(&kysx zw^mHJhvI4z=K2uF&w+dEdzTOudG5t4ZcFb$G)-{P$H)Y;MNSNQ=!z0{$BuCW@v6Yg zuG!P(D>B@YILWear-g)wzv_4({4k&NWmGyCFg}uS5ebkiaWgslTGyI(pwr2hEXUIN zdITZ-d=R6QalJD6Bcwh@Ra0Lyc&gaXLIw zB;ZP<-jRA807udUfZRa^_$63T&B`a7m<9RwAknJ-@;Gp-U}RBr=F_?W%b_IIA_el%q{jFEev)#Y)S zuCMmgdDWttvpjl|q3u^Jy}gCS*kq_~`=64(W0^XL2FZK7(~|X@*5LT&!5~!h{6}Wz zJv;8yu{N%H5&Vk9ca?(FJpJCLKUWHS^QN}e*uc^5*Pqez z*!Ie7)!xtWWMusJgHb*V8R(ZSayrwbQ!~NwGYCDzzMa|E1Kb_Z#;NU3{&)QXxyF zd=S+NhHTKH?uOVoXpX}Cg(z5p_H1lLqrC`GIiKAh*^b>K^o-z($`00w574Uee^+V& zQx)|8E$oI%Y`!g!BtP*Aek*tW`~c*W+20Q8IG@xhCDP2wDmb|SLMa0VMY=_q^A=nL z)k$mzsQoOAl1&eQ@(;TUSg}Q0oa3f_-5LrMELeJs-O(*gg;7|>vDHFe8qp*$m$0K1T190e2%emkF zX#0gSpxre!b@C|7vDk`5B+wTK=z5hgNd75Tipb)%`nDSPKg*Tm`5fIf92}z8)q*|o zV8!ayUekmBMcsPi=f7(g&KOIfPza? zQ9x-bD!rFT4M>xgs6avuy(e@MT9W?>TR!&w_xIg9bMMT(cbs7+EbefQZ++h9Jg;&W zi`4@aaMj5=Wu+|aaNzf#sNy3U{ILc5TX=rA)2mfeJ#O`5L&3Xl14Q=EzgGqC5#ov9 zp^=4t{7KtBp@8E#mu_hC*(=(!OjWgX@SOwd-pemk=by;tpws} z*W3OXam!>KF91OChZ;ltUQR^&gvZ@VOz z-k%ceP;$;o@lfs$HatoQ2uXwGjn9#MOZl?>t=1FMs&PJ}VaCN+jbijD(FePDSUy7N z%Sm2G#l3ddxCR=^svZQ#kR}crD!kc{)AEz5-#D|V_p3eWe02!a(b!0x8#N;uE-`S3 za+?qToSZLRpOBZrY`Y{e5`Sn>+w*YdBb$Ky1cNIxuSTv}Hxb1m(y{Ea2dvunrC#s9+f7`Sy;5Q((Mfak23xU}b* zJ{8EnG6fTl>a%%5qYpJj$bV@8Jdr*q`5a~U<7g!K_4&0*`oB#ZD%xqDa8K^_L6pQU zKiAW?Q}p(K7VNXl7@}o4q*)M{^;)u;#6u?}`#v=^jw)Rf&KO>Dr-adNAp>*fK1AN- zHr*x2>(qI~(3bMHD)Jo3rc1~x!jUmEw<3+VcII;mE2#J7MjeE6F({4c7C3lg5xtnb zi@>6@#E8K~4JtPPXB550b+$(AD|cK$@c(EJ;K$-=Y}=t?I5~D2M$F?gM~4>o^`7%u z+-JUaVS(0NLgP@}z~qYJma`6<5x$$v93 zNO|JV%Q?=9l(CZU8=Z@(7HK+Aw&MTtnENwzm$%*e4Z{*)e#BKysu`zQU)&{Id4AVD z_<>dv6T_8N`Xr?gSLF8i$FwB7iPmkse`cuVm87Hr(Pcp8fm*O$^;Un2)~N64RUa_x zd(G77?e%b&>la+m;$1cn6g6cZzS|(K_P-x~f_?aQ%&s!@4wsP=dU%_Y+)#1^`KPLW z2~gE{&+66iv>TV!^$SKEnGBN<3&P77FrOoqa_+(y5!<5rZpPHEBaq)bvOOFZ@pmu| z#X35|2F^a#l$@a$$47<={nLZWG%4?XyJv19_YdTZ-|Y>*KPqGSBV;isDy1k+=<-Np z(fQL}ZqC}(rLjjU4xVu$x~gpv3lMz--vA9tW6=p>7n_bl8937z{-*x8$WFTg^qAv{)4^$XFiy@Gzt_rfPeensco^UM zH1Pek$@S?)7U3EjF|&-X<5t(}dKP5I`eIa3?)kE`=b`5WoEtqKI&N~GlRMtI@Q&!n zz4Cl5-(wEa>odEyt1Q1X6U8RfV9QVEb0iD2esY)@e`YBDdCro!%u(p5n(RkIdO0&z zDM$&3okcXWyQG9ceHcAn<+Gbyxv{r0W>#_^r>^Z8_UX<*EF1a%Jre#A1Z;a{1v$yZ ztbJS$c7)2yKX8KW3<|0U{FrcY_^i2><&R3wxKuT-yT+I%KD*WQQ6i;3BOz1C`-vZq zFOSO7v(6md%Z@R)JBCYNb3RnPE`Qzma8%!L(_XbYQ+CaKMF!7YD|w~|e-zI&4d|{C z(AvskGP^qWxq*s{^y!0yOXa!V!~F6W+jRGwg+njB`6^U9ObO=TospW@R%+jqu*a!csyLlrB)HXiyGNKa!KpnH1=E!wbKg&9 zXwItUCGAfLd~yz(%;=$lxSL;MCx8l2n19&r|86rF5MU5jPll!4&g*|J6LCcwQXfv_|jQksf$BV;-?xs2tcWI3na|Mkp&2(Q187t`)a; zybz5zXSHQN-Yc8}_%9!Z^v0Y^3iOiQn7<9Xee?$Wmy)64;8K**eZyV4#kc3Vzm<2d znk85|78o_L=`YS`9h%)&jzexR_r5>rFK`7)SVdr1?fEMniKIgXsYSA#D{XV1NjCe% zf&y<@1q9K4|1v<8;a^tBWhUJ80IkIVSRVmlkZL8Kd*8&qUOg}&BOA|%PD z-h4wNq4jDYiaN8DT}*l^snm&rF~$md{oP7oi)-2@CE;{*BFX&z$?FA=>r{V^JG-Ld z10QY+FZU3#)4+Zw)?5wrAL<~uKp@B6ekfOQ=0{VVwM&^mR{I;1Snr~Qo)_46t=2`y zp8Bn~%fiNSna?MI=qI>vuv^L>1pDAnaH?Q>+bOplk^isKV8>Z^fke_ezcV-L+7=4l zhw1uT>c-y4L{P9S<(k2q3ug7_E)HRPdpU4t7G@= zrx8JSGdwb4oA#0;KiT4ga_`ST1{fQxxDe_ix>Djx4*qcEX7+GHx;&VswT26Y6S%ov z@xtQ}lODOd!Ug++9;aBMEd$V9+_$=}20Wz!(u*&r6K3ncSTA#mr>e>TAqrEiU@V?k zSseCJzE^-l2atu5ME%_{BZ8X(NspPo#4!aICMNlO6t%%fYY6OmA`j^lT^8s1mxKT3 z$h&}*EJ6QKQpWRgy;dJm%wCPLDJ=8Er zh7oyNBpT!aNt8%g+qBDo!{L;ZU+;u@iO0X@jm&p6A>ps)u5UE8tbSkP0_w)=$)VYL zm{NhmmoU5t#Da83-Rn8p`^Q?U(i2$3yd7p8xv%MxFF`>#nOB zvhGO{A0C%2ZBts@qWly&@+6@uae5Z1R72h%o7(djr}`Ot5`xdEZKNt9``mIa?>yO8cpLw zxxf;p2L<-a(yvUeR3+2Wa^Zl_(xkoVQwl+O66U&dZg10Bd{9?6#p(`0pqk|1qQK1F zt}*SbTwjpww99}zug(FkpqgDWz$$jZiX;9{tRfv;NnDEVj{69zxg&M041RZ_?G<;I zxd^F2Y+;PI+3g))qRc@~WEd7F)D*-z;{Bw^x8A-<8OYCiWoiYb-VtyR4UO_Sp9Vj@ zm|^0juSlU4z!&lQl_eHXG28mfnPsx`yk4s?mp=lYvRWYY>1~l)PZ1SJDm9632$ZLKM_=c!H+f3@yVqg7N zGvNV!$GG}GdajecJe_e!3Ck=iQxcz7t%?JnthmPyY1JCq8FY^86^NxqYB+v23JSd= z2^%Ts2u(8mWV&)Bx5R?YSiygOWf_3K1Pe;~L?q*NZPsm^6&CR~y2xzJRgaIEC_4_Khib5Z4GZC^MQ9Cl@b!m8Y>I40bM4~3C3 zrm_`R+tl%z&AN#fzb6Lv_i1(i=zq;*BoQ4rHzrD=k)rtuAy73QACFn@H-M?jg# zaZZY>k|WUd5Ohb)_>b(k{o%LhGvt5kDYh#KQc&yT@XrEvwMU$(LXro4|FI2T#UjR>SHWk!5Euk1M^Ls_UEy7mq74Z&aW&V_H|6ciLY zHp@xvui5}Dg=kxPQCL~!TM+*h3D1!I#c`@1Q+U#n%((U?WS^&Wa_o`>BBKRtPReh( zMR^roeaX&N4_qA0`l>0;N{A3~M-RD1b7GB4gttr-lcz$nUV7|ojot#%nzRM_%0qhW z!`JGA!`BA5ywduwhnErrCByE2TuRJC_Q?g(OAeA6(~ZY~BfUn|IO@>JD?Fsc*|__8BU@LT{P{ zt9qEG=nPoU@3==g{m(Lh#wn~ZPdVz6$;N=uB0GU-jQF(3Bg56fFOltKmD!k;}Wej?>fH;#KTfeq9Y-Rwg0=GMc|` zm52mLd;47c9W^?B+%49=UWxk$iK_?nwVdjOFHuWv5|B1_ImTUNZDKwI=3u0k!k}JM zUWtV~iuBod=2(5Y*u+G>yZJ4UYfWS;OTMcr0c}dUip$$I{f64~aa-Q;A=>>>(d2X5 z=!2Tw=I_jOP%xA-CAXbTL0RP1yW*dZ^$-fZ0{2>6j@4XF3N-fTlTcCi)~AHK1P0_- zK~S@!gYR=o;V=eq1ccZmwosM>BQ!sA`|gCm-Q8k!#+rN{_<*S@>@=B+HA_I6tMz%t z6n<-qY-xM7?mam3?UKG=Jeeokw4kuRa%94t!KWTOP8ztjhN*P&PJ_NMd-+rZ6tn+H z)I9(BP@~VTaNqIB!FS&E8LpYZP>AJf_zVDFm3ig_xm3MSnnr71&8D`-eP?65?`)G) zaBPyw==3=SFUsIxYI%8O?Ebq7YHOCAs(G17Lq*K|4ALNa?NxKdD?RPih`Kq-m???b zXl!B_hOIvDBz)k9t2aN12Fvn?@eTJ|pBFrmRAMWHRNPwIn7xq~cqXw=a%#-X2I5ts zDu8xgIfIRL>+1Ydi;(~c^X=3}2oWN90#|%#(qfK*j)$6}1ZqR`^}eRE63ZvLNY|1% zj~!)aDqD7@%7J5B^U6ytz1qJQb{#BgJ?Jqc!G=G0I7ba^o4=2bzdqX9LdCu|Dy?F~ zjw-)s+hJQf$~-9^b|uhC_{U}1o)Q#A?B0Fps}kJRSz|O3F*O&?nE|0 zg`C&^(&kZn0O}U*3tX1C#*9A=lm}0R?7tR%3Gh=w4VrRyMG0_J#MvSPcRk|!oB&v7 z#3DdXi5QK*pEdZ}C%NlM`(cU#<_uZyRMI*vAa$nWfyHxojBX`+10#9RNBVmX$aqjf5oeJ?eyWo!Bta?9^s>?uFs zKcByP&@nmw%l~v^E1-U~hDd1wU;j_ei`f5gLby1tlM@|u%l)vptfoGAzrcUv(yzgn zIyc(n_dd(J!@JlS8?7&%cmxRSVOyC?32pL3aR({;^)Civ7u`M@K=Vq#uRlVWj-b#! zH%asqylNs7XXgnK^-|Qz8NK9^t&SkaS86i-hpBrcVv{Z%YqSHa9m*g0?)9XEm8yxr z5&j3#T$Fray!Hjs&dy7{p|w4sSFJI*XbK}Jr@f@KUGmO5NBmwTE@5~Js8P%JsY^$BNVoGqo5yZ`iu+*l$@5@{QOM*X}{fEe80P%@>}} zcIGdt&6C+%fGeADJ5SH8&n+?a%n{x^Al~T5`#5(%wIXhGsW+>4w>}V>b63=u@c9iN z7TBA-R_v`?hv`l!U%~Em@wc;|_Esk{JI{Opn$1OhyHil)`;%4aeMG5`)DJdd1@%wo z#TE|U+^!KHusyF^U@quUT&!l1y0QiSp`-YAD7p;eBq>?lidCw}-D31p<#0a7|6v~g zak&mo5ClIq*yE4xsHyU=3Vs@(x_F;)E>2hC@!{#0TE9p=#Q#iNrulAfgngV-sFKK~ zgnn5(u}}o@K4u$mN>-?{Y)=hEXI_ncu*jE#=( z4AuV$MDa@O=EEx4bMDX%W6Lmjb6|m%XSKzpxOJrYuInSyrKg=)8N%?o-;>0Buhz@v zNLT@NGK))52iK<*%Gk`5HeG`;%Wni`=Ph%n+N|(sL^m~!O-yOL%a8C{&dkWtt!8}7 z7~L|a1|+sOJuWWdH6xA~9=>ujz1D$y(J63msO`juDp9oZ2kR?IR}LhEoOXZmlO@V& zmmLn2mVpDWB7K&77GG^ElMMrshJaXBQg{&~t2gUOdvf=;X2)e}bjlhHR^J1GqMbTx z@zv+7pf@?m8D7!AEKa^*A9JHtF*7B3;QmBg;cBeMd8qv#Rwct}VpCDvUuk!)CjMsRFKi=(h!WdU&_`zoxpKa&=a z8V*uoEa3F76U787!<(d!Mlg6X;Y%&v7DNS+xeWmWG!ykN>i+-K5v5yEF zQ{7Y1bK3%2UK{px(cPFS&r90^ThC71)!77XtLJ7IH^TQO5$J0vggG}zcDG@Zt4lEn z6^&Z$^2eR|l$&g)_^%2$&+L->*}7h$BHU;6lh6K}tR7}#H!kN~RcSQBe&ES%w|fRt z@@#P}|8IKIjaszQy$HydDa-+6SA<8#vFiey}m zy)qjN`lCF$e3bLVOy4}ScujfSx}q(iMJ+?(-|xtYZG+f{ux`r}JA4t#!C8l_u`snz z&fAZE&epQxMDpBj+M5z)`1P~usbmQ^h!)@Y)236ghl%g@YS|gCUrDsUc}>kD5J{oE z_3r1t3b_}H_0d$LOt;pika+;uNc5ee)ir95^)|hp_$1~iL4U0UEBLln7+NSw=IE*7 zsq>ZluHpHiYL~C#pF9_V%eEFZ*^Y4fVe%|n$Lc4%vqHI(KmawG=etMk@hTLf33adU5V_GWMQ_?FjL(%BB|Rz{cI%6v17WEo~v;QMYD%f@bJ z{~x6mn!=Tj(aCq2Ki<6Byd$fF3;rv`+v*vBzs$$jH;Mk+jLry}dh^_zBj}d&y(?ei zQsgxJ;h}fPm$zp_e}11N;qnYIGW3)0AA(U>^oRvpFp5gNO){v|0>zUK`X$=`xxoCs z&uyq^R4iyYg_PI|FT%d7jN`%bXq?*POn z0TP+oihSbco*lO|AboOcZ)Lcn0r>%U8mP1{0pX@G&A_Gj%&bw>=5s+7`j^EFVPopP ze-dC)bCZe~!^$PA3)jQ7Lk9lTZE}-;tnFB`K2!guFL)q;&P1PnKReGmmY;p}77g){ zxt{e~fL+Jp-NENwaE09t!o2UwD(m)#RM;NU+cFJGX$UqJIdY~nDo|TE{JsI5iT_>T zcGE{IFgU?@IsO`JuinJ0muX8Et&8d=S^0|r?u#P34yye9EEuAm1Ykxa+6R1TJi<1Q zkNoU>&EI$PUm^4Sx9pPVF*C#i_qU};@nl1}j&mScz0Ph{mu7?1kC^3VN{IaMSu|1F z=Ysp2?h^WZeY1*8)FZy@^4yX}7NMdWmy)v_;t)Ehk(`0vg6lB>_L;rYi9+5>rc1as zz=0|1G5A9+N&WFafPJ?R{cVRL0zsvVVb4P&<&Pg|`SjrPH6rTFNb$ZO5S~okiq17;kq7CCuVopxJP~%y%0WG3dXk-Lq11)VS(ku zD;10kdyJiW#{OYGA83wg!AR#J)yq`Mx-4)XjnIb0v^os6pGE20r5_K%DKeSSc{Li{gP4Axj5YF z=4OI=?!d#wm;FbsbD!)!^mVwz#7Mq=i2fa>?PUEl@!*sn1{g@-Z%bkdH+#gJX&@ z`oWjTiwfZImnDD+U6Clw_*W$He~2UMAdVPjC=Y7AL0Q}+6%OZuxdP#s>ysgYveD3# z5I&fYR-z2*;O8iU`1;K?L5jliAHqRFRn)9RQ4m3WwJpk8 z_H1;B=>s_%8-VPmF_M}zC{sj)!PGegMus8p>Q4cUBZz~Wec`6F76jk)P=dI__0S~I zkwq+{;23ed(%7nxgyAvlc*P#C*6OhhhM@3&*I>Y1KP>6nMnSe@)~~z&o|)0)^;wR4 z-`oooih}P&b^h6TA1;-uv)~;2bUQy@xJ&NyPll~R_6h)!z>WTptx8C_q9ii++;b3zAAqgB~df3v=&dN@R(xxtb`{|P(f^UT0?l$9Xy^+7~vB*iHw%rry zysBc6CS_A=ayf-quy+y9kxwhad3X?;qORH0BC|b!h81j7LlzHodq#`%X4-h2F(Z+y z+(DR*@`)VFGI!m703he#C4vj*?GIcMG=&JJv)ZqtmlIgWDkw_=cRQ}E6Q1(v0k1ik zZ0`bUpudCd-@#?5^bEMuKF-yZo#o8qCuhc);y00{>A6Si)I*fHL^7=0pYuGleEdak z*hKAMdpgH^;d-R`&Ts3ODlH5q(^;Ew3{-(r;Z;+wABODSz-Cix!rPn78>nihv+H+x`_)NXKS)9fR=r`-J0T72LfKRxuY0`ljdvmse1{|YP~A9 zv8jW8mo?`rm&-Fm65Vg~1b9^60$D63xJHP;z=Fl*$tI;e6a3??HXEP!E^q$8fpkYh zGXAxIw$)-6nw|kOWga^c-N(IbHpID-ja4r|c4jN*NWiXF# zQC^L|H>tT4EPmSGsqgTqQXKlO3e4)V{C~6W;W)U9Yq!|xW?@nP`$+q5t6(%BF=~!0 zhX#ffnON)=vr}**1I-)(U3i7c3~@esk)lJ5mXO#y=taE=*R6Q-AC&Su{8NU^(16cq z)DZo{#;r)-2OG3~n=aw}AE=r^05rtOzR`31!&Q(edme{9Ge+GO?(I zV&+;Rt83dX_-W#`V@1s?Rm2NTkBNv2=A{9?JsyOrUm5dJcxJ&U+#J>COcGKF_5(fN zwG_*Ve@&CFee5*p%;G(@b8w>eBS@3chF_I3!?7(jaU;qT{~O)r&Xh9kF{&8|=*)Jw zSZ#HFRQ^tEaIqA#7l%>s53LG-evad)UYzjV>Jl*bsJvyKqJ{RHEk+=Ke2!hRrP5NP z;*SaG8kM`R6UwdM=vliN)h9<4!zCf;oKb#=BcTW0q1iy zj`F@=gHej}zJv%s3ZD?z_gzd|Rud#rLC=GlOL5vUNX6x8gg6ZE`Z^-ZAy01o zLV|sgMYy-zrco+&8c69Z$G!Z2gSWFWowJ{lT-xViVZ9bKx%yf;FXbbnZk~0mdh2E0 ziv*X$8_1|om?vTBAsvSmQRVp+46zqp5C;#L7}VG=jjvwuDN@Tnb9nWJ&(5&8a`d${&P^?a4++=)DW{_?Pi=I)6@ef{ zU9GM>8o2O+5}iXeG+Z7(B@}#(`z_p0tmzfBJ4VzC%XV#l9`i~A8}F(o&qxLP4bnvL?Y~@PW7cfGnsw zw%LD?XxG`G2j29G!JI_Y%(2whtO<48F@gqVVNTIj3|VfED$2V9{#8_)C-6cC|hyOZ^g{ z2zwAMZ{eazE1FO(5Oe;es4baK0Mi~aD871&ZZ>{edML-N=`99E98-th(m^|3id9hT zbMgo+=#Oy$<<@uUE44dpp6lUXA3FB3%k%bB{J9-)+Q|<*3-sXs5SjXU|Nlm0+G^jV zy?j8o`3FQa5X+_g(RaPo#;lr=G>;0F!1Nom1WOk8g-PSq8kAoerg*xS4F&CQ8JxjA zoA&`a&GA)qw7%~c**`jL)paH#?PXrTs^d6)Rnh-xxD;YwH5X%(Oe;={m51Gi*PW-t zS<&L$CtjtTm`uW;*SqpCRxZ`kA2)vcTJeG#w!m>Wr3qH5J;XtW2oY{8aFUBsmir4` zhd(RPjN}8}IpG+z)FpoHsi#q*U*ylhS!Jr{1xtX@T<1Gn_aV;O9KY2++3Gu)WP`Sv zZxG|g_RZnPAs|}1*9#GpDkz1QgagAj+L7q2t%XoTTuN7Et5QX_?3;%iJ`~nUnpZse zfK>}lXMWH4=l#mrM{=FZ2_LE%67vd^$^I^7E8knSMkG_r0@qukj#tbxhpc<`^X)zg zV8%Wz{;p?WaffDx6m745ngiL(KyQ+@F!c<8_=~Y;QpE4#~<`C=DcxBg{ju&`;z)r=H4s~ z%%k%X*QR4yAS@qUvr?x+tXgXn*%#g8MdFT)Bcc@xRxTPcC$*Nn#`7=?oKli$Gcr^> zz*TeXX|UGjGlS~lt$8G-FVK&cWwU+*;m9)W8+3y2^*ElfU?h(&->e$+9KCWkTyf$> z6O5)ZQ0b_r;e;?3*5Rr=t$R%6ucm89Xk!mHOxZ2`!Q%xxT68I%2=0f&hF_ONDq2IA zrSY|9L1|p@eM&;*;xZbB-5Oc`xgRCpwgor{rM;>9|2(zrCGO{K6!lLSY=8(B-hj%` zAjGavy=t0Imd9OiTFO1=SMu6pmV%+*cVT}QX50^X0pnTzA=SyL*O}us$v2pzUU|+6 zA1uAPjK}j4lGaMqKEpf}p^@r6p8}@9X2Em(;^7bI!vdIMaaKXJcSfGi`t|WQ!E2DK z{W7@Cf%%pWIz+})XRTJ?cvIj?oz7%085{TMhezrpiH!)vL7uzz&47k?i@X%89w~Dw zxp1h{ol-D=_{4`IYC)4;%jO_GIqJ^6uSO}QnDsgcv%Bh1lz-s7{~+nK9qUUd+>|+; zf|_?4ZJ3$akgG>@`sd8}0^jvklt<49%aYBxb?4IKs@~0R=7&1TQhU+)Omsl%h#t-7KBJi8<$S>q zzVcPC<+`#?Ar#_1b$i?dx8Y?_1D!`q((JA^E+;svfc1h9WAs9Bkyg-5*ymMOZ~@pe zl1az+aUe6FUK#i+F#p3K#bBT%c3vZBsPF7r%Gvlde@2y3dMiK_g@SDAtKTVoI_v&n zOb`fEy7A1tI4h3Q1hQICU-oz=tufN;nY}nP+-J*~1!hLoE4TH+46^U)Oiox&DLDFZ zdqm_&>m>i=wHW=<(J)}9^L<>9z%y)DBfoFsdfKC=SL6@ZgS&z{_#N=2y4-i_*S|Q=4%eMmv@>Jo=gZE~r1y%QZg;ar)JNf? zu63wZ?6<)vI`PoV08hNv=;Tfqz~vIBBvKMOR1;i*eX7zU4?|l9*7feLkd}7UjhDHX zwb9(kpkvI-CUxeoGwB$N#Z}F_y7cDDJl`N&HJg4Rxh&?qjiB_T1X2Ddh6NY&QX zo4usffHwLAzvytK%JgdEg{+rt^vPUu^(HJ=oDr)|FaNcsBcEg~a6)jExz+@a1@TWz z=d8u1=E$OLgBV|mM?LPP&DKbqRhACDKehVpg318Pjb)z1Fo18kAu#N!8nV6+>UX3z zHsJg&B;*c^%=IPBH-%m~i7K6B_AR#>qL(_{D>iJnLm|v;e$_87Ht9&at?zNw{as{4 zN>i*o8ReO_+*pwYqfSd$SL)8?*Cl_ea(<>h8#sN*=2*Ch^4y5^@@tcqX(aWNGJ_jL zY-{_8TQ?I~_G`;nix;HIiLRu1B`87JyQ1$a(upm(&b+s&GUWWo(6=R~Ma}z@-nx0< z`7MukmGr84C4oGG>+vI8l^JJFpWacI{Dmb0j7Wezm5?N8Vs|>kP1%}3T|&G{uzH3< zX1KaXjYNkL(s}DJw&$ef=1eNl2X~6sU3V@32JiMqc=s^?a>zP>SXoPBO9B!%0 zCEXc2P#Um$!iEyKccs~IowSq&XJjnU%0}TE&)iv?gL&#(hUkrsrL9R^dUpB|Ir7Iw zi>{~iD%S4t5aFv7Px4nsA1_`$qxin*fEA8<0 z=xvq{bf}*+9%Rz&TQk!50s{kZfsnx}mE8Tgn22*Vb@FbROaqJcIqzz-QnH_;QAw*`7d3RkNQOVW`N5{WcH|Pu^eqSUoUlH z7;#rIOGeBOBWSlY2(a{*fwM_3!9tykkmg{mCD~GC%=G@dO%mQy{fZm{0XD3Sw`7gH z>W!JDwZIh9!Hv?&1AQ(gX!kkIs>#Yy)4)-&L4`cORh+jDJ(ED!nfEoJKe6E5lC)lX zC)*m0(OxP2By6~Kr))lOuA`xJOclnxNq#+`M?;Y@u-zME@b-q7>L-$P$QLB7HCEI9Bj@jC?>Q z6u#L*IIbK}yX;@xd=r@V{a@o2henAKu0}yuBl8@T`6X1M;|n&tb-{~^M{>uBu4iU0 zzOQRsva26i=FpX^BaHW~C!VO0sV{vqEFT9U$$72UWcEH0_%12htYY|p8f_C~*$0t$ zi=|KT)*i!1RyO zjv@VLEwlnF>D1>Yi%rlO`8y(=hRre%R=3+-k`+Wl#(nzxhbr~*0Z`@6^F(z^Zsdo0 zBR%|UcFzq~Eh6=A=mg9d$;Z;GkvyYV$TD%x`C)xA*jP$fyL|NJz+L?rc0KFAEZL}x z9&S73J=c%Nm6}#<>dc==VXj=XnllZ=v(^c-3A0gCTX}xtt*so~l)-7m^@zcqia{?Y z1d=r*+~^PU%$r-zXUeThEN)6fFKiAhzZFn!ja59sS`hG7Ov6kR3*BwJR3kQzEN!sO z#^m}`96`R$eFt}n^~tf0`ciCM@A(xp-1pJ!wy{3Q$d89lK33JjIRq=%*(U)lWb>|ATGab&r# z$h!dNEz|gV%58c}re0~}46I`9vs$`m&ikV#T2$aX!xlj{ zQXA_%Vf2>aewCq}J(AG9CO-9$TjIvrcUyXZ!ZI(-T;eiRD{hT8YCGqtt-ZQ3q6~^7rsAm7{gpW!6fTT64^;cf~+7w$@wH#URHt6zwm>Awkb(M0G>l+S&8}1(TD>h6 z*X?83Tz8RLL-cUv9=j~Q|4jbonaF}Df4*s;4|&Mm%1)5NgWA;?)gF4s`t+(_Z%R2c z>URzB;0bpnepwbiM73o)aP*BlwdQ??5A{7T^3XV&5(7Gl$E! zAmGyeR_@Iy26y`xqxxdwswf|}A%{u-HCf57K$(|>-;-B^=T|8?-=7x(IfwVKJH}kv z0o990Ey2?N@;Y;B3=~&9@f&mJ7xZfd5F&xPwej>M| z#G|sXT4%0i7~52$0=9x2H}n}X(h{!!A`rO1NK)cJ;uCu$E*7-w!Z&i7UUV2j{QPY% z)zo3tOxG*FSS0mN!sv6bqF*h6O*OPeALo|v9EzWQst&5@)K*e8GcxK-&t6^HXi*~) z-67_ue`O>(aI(VR+i}z)@YFsZyZlmIPuFc%HbPbfS&w(22rl%diR^rmxWj%-Z3Kbc z1o|F$#h$|cWjeu;yKEX?15jRf_2A!+4n~6hP|hT8D`yH@%C4WE5Q^r*Z5_cAGaQtg zHYlCH@JlRiD`y(z&4ihEQ|&P$1=sf%pd3Mt^PDLL%9;H_!`Aq-R-1($sAo+xa1$d0 zR&o+N(lNaGiAV3GhK!)~EvU$XO#Leo{!GMT_v-aQ2q)U{_M}$`EIpG}BVvo1S-bY- zoK$IvhnSxBS&09$6DoMk2=M=Ru77$dnXx&4k5!ry=wO})_jB})>glSk`~9aAS7$MO z{QI_f!n?OC$TUDctpH8Pt*g-07uL(PNMzAHXY1;f2IU_w{MOPlnP_Ca_F1+<_71k- z%MDT|w#~U@m1x!GQZc7BVpLRlYHf1W=skjj9RvLq>)qCf2u@+k;786UudxK`;?uX- z841wf4v2LO-AeJGncXEStPy3;jffNHF)Zla*__fDPM63BbO0VzRF1sNn;Rj6mK)$; zLmU!iPc-?prXGOqY;Xxx_JoXe{7w%=QtJZnnuwP@_WfDP9}<^SAumNLhZ>UBzv>Ab zGpO>MI#lcyK#L==WVivIwUlX6^{zwyY>kCjHa~3a&^QUlyh2*eSrx9fe>TE!?yqLT zP=kzGE6U6lgw?g>CSwyT<89av**8jW=^K6#+wDz(4jNz89Ph;MS$Cxmcq@aQ!hthL zkF3JGfe9m*thH7W7(Cl40yyqg zt`X)z66NA@pRO*%bPIW{U!yeMm&F6o(Y02GEII3{E zxV2%ja!eNA)!U~zb%K=@d6aCHZqKixu#}jQnbbX~sw$WTR7Z(+DNlWx_x+U7tf2p)i3For_WOM=Uh9zb&x@%$GA zgkH+8)*#vWQX|bK1*+Lt!dSHrrZhzXt)l*4XGAwFXntY9Z%+DbQ>9)F90V|`4|Biu zO*DWqym#xY+OR%U(n|8C`MB4oh5X^=P;812bx-yO_vsIDvEE&VxU=bJlb2q|$B|f* zvs#RJEG{(>)r-(#bjT-PlQJpcyd7nhTQ>2!u#O-4A}?TlzYaY|Xu(IdmmD47X;$uO zHq2i^Ep_x|h><(Tl}uf4fQ&ZxElahB{$ZhS5bdP7TFjd9OI&Dr@;YG12=_|)F-7YuRm4aPiqY_GCTngUMO_gg1psOIEdavZRqp(I0koF z45BWtw;>*r-%qB6ZX(2IE47w-Of`Gg_yXoZhlTsbQXtu20ujs!^=k7u&opQkmIGF% zU|t;0dUToI_h~t4-pSmo@Xp2IDF60XK zAJe>?Bai^2saaROt}tI4*3->QEe+y_TokJaKkO{vKkF@LpO4k@5<>adxTa4~G%e8+^H&UpxIk%?$3-3E$}m0{UYc0Bh8T zMkR4JY?!)*(o@u$c6CkPz;;G6YpEbQ@SWvK8vNy<)h;jAA|y{SU}iP7Ny0`-$hmT{ zaeNN}Lk`3CEE0bqCqLGnP>EKW_u1^zVqCIe{@RWSOw+ruxz-dlJ2B0>8a*1tG6ih% zsM)CKKuT(BU-Y4tI#)+7?JZP?-3%>ZR2*H#TT*@V__FJRR2 zlZmBSay9E=6}C1o_jw~K8ID^v40&Mi@N~mWxXsp$bpi=jFuVReq;j7sXqa@svAaZ4EVJdiQN*Te1`A)*5%fP_w`~`;=#uM!^Y1U2HN-doZ_|359Qclhj>Eg{*%y4-BFaFiejgZ=Adra!`ZNvOlo$;JqQJ8m}Ixgl`dczd=jvrWo$z#iog zxIr>vu4hOHMKo`~Uv7XI95!I%eT;#Cj#JOQ1n3Jx^vLL4a%EZ4c+h?&1;KY~mXyp8 z!!}9!H-Wfz^-vR?BXO4Q7d2N75i*fJ6=yrbs;beSs@Lao1`?Ldn`U@?wn9OD6?m2| z2Ve5Z>L*oij7KRDiPvrVHeX{i1HI@YtmLX0l(pA3|^ z%(8L>l!!!miH`C4$V#5$|7TeH>m@~vUl{QC*D;MfmN7J`QO zbx#^0;#40ABt7DHOJ8k@qRr1=x3ZFSI}jJqu$L9?Hvt}8 z1rQ->s~dd+a8+M*kFd04x9+4Q@!8(NPct+77Kx-V=d)*PpZp+V?^@5X`LHBf>VlSI zt<0eL+Ttqd!`00P8bw^ZN!qissktb-MaNX`@{)+Gk4mAc=nzpJKjxXXR5`71pL_aK zse~ed9zZy3)j$RCz(OQ~BpH*Pr}LOcH;!$6K>htl^&7!ClgCGWz|#m2aUkD?V&>5F zikBT%B{uiGLuzj1j2ETo6p1-u2f#Q1%1o`2mc9#AAvY-=Ez0P{);X%ZhO{n~zSa~6 zGNoqf7pFKIw6AZU3Q~D8d9$O?si)97hgw?U(SyVVw&HZ?VL~bKr*|!pFP4x9cqmR* z{q`iED?mgU6_o}$?npiV&Fjkk=N@*3BzoY@?$Q)K^~#R#hHPD1uV0YA4q2<=eqk7} zwf2mo{Wop8^Y^BkthJ{7EzR;Nr$($R+vjt=s~k0#8kA?Mq;uh~5{uAlb-!=sweYF; zf32F1!hWKb&*qMY$tDl@+b8>Si~G2)53(4}fTx9Gb3DHG_eG;;RaV;{>7|evpC<{F zXL9}=#%5yKXjUlP6UnEY=WmUfd-)2EL2JINUSC*@##j;_7iuk;iM7dFN9UzTT34<; zmn?88YF9f!&qk&N=lftQ26Fh60jTcX;y*}#NVZsaohu>LwPZO`q(fmv{<08cDb%a> z!l`L5l9dT;HN%jERYSks8dt_p9VAiRZ^w@sRDbF?I`nO`ACfZA(+elk)GM@j&B4U% zC+!Jm11weU3Tw0>?uGySDa`ko57+*c$0Kzzklhb&XwUZlvZEh1da?_nY+-ZD{TkKn zI>259%PzWy0^VbyPk0g#Bi5)p0ru=3Se)txh_X8}8~R@MAk6QL?3n2w(2jW05FPJ` z0Wb0i%-)`6uY35$x3Xgvkc1*31IRpS!p0=}*hE@DO{|3z@3y;&LN;J70ghDYS6j z`*r*yLkt@wn}P9F450cJA^KU0JQ>qqX2>d6f7bqLceG!7i1wH3m1gs$GFD)smsK%v zHx4{Z1EazTe3FG)?-!Pb|E!tdG3CrpgX{CmTqm%Q9V;0i=37R3e)Li+tq)0Jz~mfx z!$L)@R?_CKV4&3EQ3s5NiA|u_`m7Dh9M$dCq|zLZRTIIfGxab;(Ia?^)($Le>t51b zFMl4NEWMwZf2E@x0f${^8MAwU<9F-?cA{gZV(j;UK%C_{c&3yy_KU`O_poj=9`X0F zYz^<#SBAVYHqD|V8H$i68qDtr<@H~vg}5!bq-bGbVumu95h%y93 zrEL*JWC(#oK#jHv+IB1R6eVhqDUdK^P*H&f5{GU9Aw>)C=j>CrZr$^bl}e>3zxA!P-nG{Atmi!zWfya4?QzT) zWAF5}I?yM%4Yiz(^qLo`C(}XI&i=>UQp@Ijg61cpsnxl{uJPL_^b5N=W)vP zH^JPX4ZbfFR^oaVhokRh0j;uTANRcv2_szK{H*-Wv5fHs!rD;zvu2Hq_lUW@r*v~E z*SD$AQE)OylW(f|7RwQMlIzj=S3#kMq(wIepN(e0Bf`-x-lfU3e1U7M=Vi37G6`cBlZhh0cgpi%hwnSDhB@4*X*p zw;Kr37ps`ai)xEs|64TFe{|I`GT;NUDt}wA##Tgy8GpBUs?j!zuAwy3 znHDLy^=PVv2KQ_qsRcN@~Cisbv?e6*yZFYsl%$fm` z-1kO~*nH}2`n;E3R5*P39)*2B`-t{Uj&|q~_ExFD>Dq6FNCwQ59os{cj5&~e-FZRh zE%P6}-7(w+2y(N%TG`AFy#H}%{oPCZWlx&`l41^4mBU2^Df)SK#t$s~Fy7kIv5S7f z*&xaJ-6iG*y;V8Ct~P2%tR+o{7SZB;7NkXt3y>7hJ4>v(DqogAY8S-mP|E9iq$9s-)&QMxC$CC`VfLGDKvAk}yIHol0vn=fw6IjtnDb4_Jf zFB)O8J7){u7UrN%v%kUEkr{7L$S#-G4&b`4jW`LgXZo2CJA{Zk)9lok{>fzqu^K18 z&&k1V|5==DxFMOzJ&3GRQVa)ntbf?1tsjms0_2C|05z#0WuKUHPr=4#voU`6nB?Q1 zGIi-jcrJo@j1_XUB)n~o}q`7_V{P)dQ z`BjMK3Z-4$=G-f=vscjJkPQyFpvcST6b{%4cTTo@)Mznl-5yIg^Okk8Yx~Cw2{u}M zN2Pc(s6G4ypv&D6ultQDmtJIUwWPSDt#iz4~{RZa<@vG(K^BfgtwmmDaX?UGX6i{CdPR>5pud|JBuBR!mJ$b zkIa2UzRV+Yc5T}jpk{i_X7O&{@ZJFfUEMAA$N(?ld!raPs_0fztES2V!|MDkiFv zH!mp(k$_G&=)A|>H67OT!c#_1bb3~018?c1V#DyU($?I)F618VCH43NnZ8O;UoYGQ z&=5+Ca?n|-)8Bmq=v`I;XQriO02q^$04rDVlKiSB(|;^SufI_#&0P*2pw*Y-Qs8?( z|F9Zd|4mJn?78|k%F}THU+x>cSRKmF=Zm(r6}~nOcewxgWoK}PUV<=bbo%b_VLE!M zFYW>Ii1sF}CypvM&)%q*&L!DgXf@^lxTITYAu@B%V%?90%@BjhVfrvBB_~;qHuPyFS)Y=P(}rE?XBNy5^g?;6kJl@J@MTNnIt{>`*7tP0Cj*5 z{<3MCr|V>4ec222{r`TW@n+SA)pZXoL1shk7gL!6w%T(NoEUWNZNX|U9o?@%S7lGf z0u6}RRqK{5zUI}IiS&l(_=})HeJ~x#xDy8G@Z`fSBv6oz$z$!cU(z^T)n7aopIE+|J7939mvUrL!>YjdeyYzGY zo8N&$m>~E@E&R?-k6t4k`c2P1Ftdi9%u|;(O#nKefGD^uNz@~Jan9`u zy1&Q}cZ?ZGinK~fc207Zht8fpu6gmv`^POlnplnMS6lpV4y;cwr#Sn5K$}d|3O7AW zDl#q&%dsoNtjUoIrn=Kabc2=)(^`D@d1fBRiXDq#H1}CeWLuj#bkV|*(i{CFt!HM> z=ed{Y(XQltvC&r)x)>%({ITs9XrEAJQEB3GxbJGybYHcfbRx84#lxkqxa6l4v-oYB z{w`_sbsPEnV5E>K^3T>D&D~3r{+3*1ub?8gaZ#u!*gP zI-+|nHJ@TVle4QY>_jzIgxxUr2EO1o^ z7$(k=?0hsT-hmIKESy$;@O#Z0O4S8iU%d@S8$HsxHd$FkT+0*Ita};wBvZjY2ebwL z^bq#i@X2Dvc_5g*v&i)JCh9v~Zoko(vX*_>qGXIy)}l{NQR6sdWw?rK6-pyoo~A?C zSNG3Mt2qgB-eRB2mwmMc`482Z{eGP9+*ku%VXHX#&8lI8f{SA_uP%1X%q(DvQkMr` zXv%+)n7-hfZd&D=YEU3aU-C_@?Yxt(AilZW*_6!Vk{63fZn;-4{xO- z&C)e}2lTHP9y9H=0-opbxq2O{tYzmz#?Fx!iMaD2`KGhf06aIm;~O z=1)3;2L-L%symt|({SD>p+h4lAmOcO3274rs0t&PtGX$zMMXwmQ~`8wx5%>FS;Gr^ zw1YSA_Dh4s=i9V@*hW7HP!9WLU!Lm^*s@s*QJ-n*DbIl)zxi_Z0OY8Dj7gtuU1fx2 zGpY4o==OMjul9Tu{waNK3}8TB-}I_MwSiH3EPfaJ?zpOdjV6=qjcDJ^53b91f}*bd ze`7l_%CUj^)plYwG4z6G`BV4ui!LSA=iPoe?Qqw{{EQH&2nxosrNc-3N6NeXqFA{fR~O( z$a$^@z}pSm0jf!Wbj*X;TKIV!o%C@32urpiD6h}|+!o=D3$MpNxWBuoyD8e}SyzyD zDDIfuUHK124>sIXI=K1hVx>Ab{i3S;=n22I_w_z}+mmQ@XZNF@UjOP$_m2bUn6tTk z<@}&FJ76V!p)(hZCRF8>FD&%(-FF;Y;$tL`&PuJHxQa*m_o?=yP$a2LA*N4Ow<(4+ zmm7$`9qYbR^@idRy>)7_hvonHSe2xHdCgRP$HllmzYIUL&g}Za_>nR*{+!`uou|lW zv5eWHEOpb=8h`d5p;UtgT_*GRAGaDoqUi6)+@D^end${Ig^KIqK2WE zVqPXJG7ONo^F}TjSFD|y$IJCP`8fd(N!<)Q9l&}ah=qnRw3W{$pxMeG?ewVmv5AqL zBtFol1@sJ(Z1$|$q#~`V9JpqX*0;1=#c?Hxn+#(X`%+ctYy~$~yre19D!KlP_JlA{8V93{QS5v{kHNEdDm~PNP z=>?x}+^9+w73MEO0IkM)&$t1B+v`*sRO&`6U6j5lJ$ua>J270tk%+G%5#7Swm9}b` z-evIpmCN(H)~U7cy|H1sLZYzn4gm(kB;sZln*UN3jqpYas>x5+=Ky{eyt8WM zps3}6lWsbJ_rk>~aA}qUo3+v(&Hc*f{%)pa+f~n-+8#7!@IU;r3VEb|-0<=g>jAth z(jpqeGBVAo!Eas}F=4Y+O=oYBOHosq)+)bjpE{szaZ8hTSCupTL!&9;hHhjO3va&fJUF8?H1!0xa|grW7uxiAvCB0TY|3VZzV; zFh0YL<}QBhRtv~eIakP0r-lV!dDJaD?;>+s?{N54?gR(EvfPkzlZxDYLs4+=uv~c5 za?3d6>*)K_VPdNW8rOJ|)_-9r%cI^Kre#4P($I%+yZQvx*`orsI%MBxCACO_l8Pzx zxBi&k?Yr5r(BR?2u|ucGPAIiZFmw}1fR>i%qAFfzI7}m0mtadgk2DwFoO0bL)R+m` zH{(lk&M~J)>@h6d;vb7~%bxn}GmCT@?_Aq|$EE|*8OJGsv42)c zqy8u@wbrSzg1i$*E%PTHuPq}G1HyFvYYO^@5r7}aHhd9Y0XM5yGHqjHV<3P^8NI2s z0@c|gN?DN9n&r(;WHa-%l`5ZJ_;_v%w(ND;HO1baOKd?*(<`ui{?MeJPVhWuJE_LK zvskO%k%$$gQyD+NjS&OmRRFffBD+i0J(!d^+i(df2L>zw_9o&4%JM^ zupW8Y-j-piz^?FTCTX^57llu;cS4Yb_y)>49yRV0g$rv3|`fffpEa zKU(tP5hrDzv?DIquu_J>Kc0_dj`)a#5f}BF!fLf)33!!H8OX&0c>3a6(^Ge-OvWrG z@A}bcj|?Bfhj3#eu@&S`P8Hj^%I!9-+t@B?*SYJ)#~gb;0kx=YrS|4hJTk~&^3;=U zd^D4%1sOt~?xlczrS)B(E9-ustu4C%h{40xvLYQgIs;9OD$?7!+ ztr*h=CL$37NRfcTareVu$vsf2+|Mm-F&?^@?ps!K#=c|CJ!P5JPM1gb)Yw>@a(r~G zy*27Q$1z9P3D)3e(l`EG7Ax#EDNI_)10Q;H4m>&EA9G3>^VaQwcKX;xQ)2m&27hS} zo^>JzCvhf-=w4TS5uA>-Wff}!y?3d#?*r21yyRmm?$5*ai*N@%P8Y8xz~GflqtZX3 zzMrSavg|Ln?wDjtf;1R*D)pxOYFKJGzt|Q|u=->y!%=d-+Ib{#`jX?vcaWJ}xo}KR zjk7VDTnK|HV%O`4ng+5HJyIc!P4QEoP(LEP*uxG29eC)lPn)BxFsqeJ5#>T&A}O7X z)ZH4eed6yfUu(x(1VncWk!$74!Ovm5U~p1Hl8+gI6%V?pYX|b48(qGepw&u$Ci=(+ zs|n|jX<=nY5(CPl<*=aJ|7s|K}{>7OT&1@pND1LIb91=eJdZA5wS2J z`mx7>;MO5tF4X?Z==WAUbiIvc_ouC@POBz&(5iFYiab-@r&xnp(`nm7>f#Qvw$N31 zcf|9S%g!t~q_n2TYPkuCgT<9b@WfRK_su_KfKfG2)c6DS)DZ~m?xymv97?6_K;Yz0 z6c1a}Ob(Vk8gB5uRB&52x1QZ|RGU8sdwDt#Hc2tsRgpKX`si`+5mnfEThO$=czesc@^)YQT=6Ib?HP|++ zU3f_&{*gF067xXr9n-T|J-&e$hiDus8gGL==P$R7$5)oKgzZq6(V*Z8In}ujYTKWk zZWfWtA?_F6Yy1A-yM5XrP2aw}qb=D8wV@8@$ct;^wGaPf$(-=l71e}TD3p@) zFx_+QaSjP>99W#4;9~}aUz{J&xR{TRCgD#CvMYOmX3s?@OKOzEdo6Q~{Z}%8>MhCUkO}hUI8-HG#Ql<#Sc(Kl$1vmLA zl@4}jxBP~~)==Npb*0*FkB1ks>;f(Kzy{xLy!OZ@O-;7|=16O{vl7ki+!g9*{=^Wp zM!cq-4mYy2#{aVQQCLqyDc5~=U1YS7OEf2ve!is=p&Th-qpLm^W8LzCmYV(Q1E2_>)3wH@6*_o34uqQpRK z4Z1`c%?Z>7G`75p(is;!b5Sajb3W`awXwxGaL{@MH1LR z(riE*FYQ#ID+1~plO4pS0jEB3h~Jv2d8PhxSk!7g^b2q>LZ$szp?`HSh6?~w{qy@* zypbY>xVyVA2i-4+@-tmn>X6JDpe(STWbNKNF2bFUD>XYNU>^?l+Y@JJ9V#9=Ia%1d zBhUliV9rFsc?G%_ArBlJH>qFr1IfG&v%DX%JI> zZ^&PNF|4-k!zJXQOG8{|>E-m>aIA*uDA$fr5@3M^3-TOEA$LJS(491{x7X5p5EVP) zJL1MmC|WS-Vv24MBMf{!*gWQ&@xlyC_ovB{ zc8ao(@z@-TdQ?UF;ZQDCmZM`YrG1|@8)#Se0r$kVY+_Xwq^svd2=+_i^P#9ql0CRht~BSOJC@<`8)cxtJ+ zaMs@_n5Zdv;=t{$$pvq~!9xcfk%gJ?t)b|g647rJi?M~^aRW&%WLlp>7yFQi+>^@v zHw@ych^ukX$H`;=WgIY5ft*2E80q8x@sq04YQ;e7-85Wk#*cPkZ8UWlo^H1utz)TM zU^QT@ExB?Sj4k_=k0lt!-oHJ@1RFvx{Sc>OT14a(DBwRbm(>B(7<4S{EhON{%A-xu zqQqKa=RRwBTiN{Ex<;+ppTv4xORm*q8ev}r#b^&sjr2WGBT8f04c5ks~zM9uA(oJ4@Lh==*4haRRO=_jw19e14K2UJm-%M5A;RZ%$+NchY zgBDm0IxzLOIPjbIdI55l~TVn=+&b7YnCCzy)H+!9 z*Rdn4kn1-Y+dT2kdBz+0>sYop`n9!N>M|{3P0=hO42?eS1{fF z-HC{poO1W8x&vO{cwG4K&Q(hoK-__U6a3T=&*N zclMbp&_v9`jqq#YN0gq3z2ohM!EAeoiTTThfC-VKcI4n3u8os6e=}XP?;0WUhe}@c z3Q!^dJ){K!#_k1UHCPg>s^ofY!RW19AXLcCntjB}ygCIEp`oG2OlX8034fi7!lZE0 zy0=Pvfg25bMIKQimZQozG$`xZk8Z|&(O}XqiV*3>&Nj=_D?q|8U9F6b;cp)Ob!8j` z90c&2Uu4Hry#oOBS6p1|y=ID?v*2fHP}8jzpR&_04(RVwwd^^k?qU7nxMnzwU_q=y zO& zs&s*oPXnzCBSuw{qL#p?mY%w|ebEQ})5m~^YgQCeNlS(#tazkySwrx&TKxTLpgd4qL4W(6Ope$|y!jAfAnj0FsPDR@6l_HJ=wlobbS!5KufEV4 zpgX?AV9YxN;7bgEb(0o;DYqHqC1`&hm^m^)${}=9L}Ssn^WPIhpHC6xyCjI3 zMy>M8MX*xQ2vD#_v+*;|gb9R~ui6Zn0fTX4wr|+09{g@;Dr3nf^+MlG^E0Nyj;CxA7hn8?VxNE#b?0)HKRp6zmBc!<=W=wQ zvXAi=uq<`hWJN96-$Y_^dD$}}Gc(esGFP;Bc*$0u;Yi3a+NpBb{&@MIQGPh+Q zj)Ji@Zzsnuz}YP;bva2psI({ADZ8-Z31G$Nd0N0Kx!4l4Bx!Kt@>y%SROd3V!p z_+B8r9U4hcBN~OqqI{E)uCx6PgqRUtacv4khlI(G3?1I(NrMESCV`o)(Fky{6r!x$ z1pyTr;io_6fJ%iDfXb3oWHLD)d9`h7-^7-RJgYNxa$6o9EK(lKa{RU%l8wSa#y)sl zZUL^M_k4)s4^h%Jj}&yb=7Kk4(SsBaj?lQsyki1ah!-34F)U*lBVVt0$>r_|0v52%LBdxAV@@iK)e?Fajt#KS)xQJx+sHjGf8h|O*D1GHBTvkhbWX%=Bph>P|NIF7{=CZU*@ar-$=SDZCOcy<<>^P*suTRjli6nvzN8m z6h2I*F766tsR#Q#i>2N!K$_J>eCMwi`A|6eA?9(lmt7@rAm#WFLOQ|L{A}i(T8@^1__zyoR#O&Pawv+e!$Fob@5}5c+AmDRp4IJ{BOlNNgbRHWz?uPWelFKc_L=!K8hK~s|o#Yjo%!^RI`w~u{v zFcTO(y0mxn)_~lcxr!G))(t#SP2W_{Oik*s;Z^m))}U?qU6#0O0>#Cx0!e3*s0rOn zf%^6dS^({gq@FRKTuNny?1ncfk~^`qFjZ-~qQ*8|g-4EiJIRGlOKVL?VdCt{MbSWM z-y#-{C}qNn|9VQu-dV+A%a*rQ+AOmHGfh(iXLU9LN5L2E0U5wh$}E6sa^%!^`)2J~ zJ9Fz(cDZXBJES=b)>mli4U(;xuj|kT6wG;*zH4?DA~|SKTAQS1UyC`2IDcd1k%QD4 zcL_ZFKERU@XQ>c8s@8jH|Iq90@s&jJcjFgSvOOyE%iP5K6l`kl`CaC^A3Bn$h}yOw zT5I9hy(1f5aafc(`us*eU*TtJ#vyE24KxUqclH|Lu_2{m6w(!K&U)9AVHv6@t3zkO zr1urzk;lrsdW|tYNubD~4<}$qL92TWFwpE9@gtBnO!r=06L=gLt?#{24s?x+)f5>LXUIG(s zIxB7QQ#jJdbT>QTJ=Wpzq}GSAQOAR}=9g3Ug85Tob7GT0JG;+;BX=JyR(O;lh{- zGowYFwx#D3;OJaPqrPNtM62CpS^qMsjmcPaB9tvT@-s&gWVJ3P4FLLP`uA?4N>^d} zh!j9>16L?cGPpfK(t+w)>2K}@P^zyD^GBBVrpSxobvB~m2Nzao6xt){ST%s=GMHH{ zm_J>t%2AQEMi*`uh0_2q%CapOgn*?etbDSQZ4iult^(XZNfanX-s}?6n!FV&6>k&P8_lOQIOWa z=$(iICbC0mpLb6B>vx3J@~*|=d7`!ap0%$EjVXsI;Gp#*lS9nVE!VO{C8armf!*7G zKIe3Bi2A7J4qVaa<+**Kr~r(FN#_xLe7yqJ1R~qv zYVG@P*n;{eG$IrKIy?PYS+1Ij7_I28++S|CU#J|;+D2FPyTi>epJSiTC8i0(RN^u$ zc?oF{UqnohpW4v!ecWKfB^%LPbsaTjkCYeAI$`swE_q~XrpS>00GT_c0}nA9sjc|N z0+n0v@jX?N<*V$=(Rh$X_1<_WiQ)o&LXMd}<1gN%1I2+2PA!Yfn9nULTftqA>h(*v z>RDsjwXn0!m|PT`XeE#^_VHTl4(OQYe1vM3xkY6@v%RlX`4hr3#FgeOrO_~b*DY1= zD+*Fpk!ji7IFPcxezGsp$d@032)~m+ znyealdU7<*4v@Hq7+rndjKbhsNXJ7w^kYEgeVvafHFwgNt~5(hnV`E0*{MT&hV^x& zkroQp{fj)A>dal6uz^{WF5QMpLu7q1vH{$_J+9rTg zgT_h+ydJt6=r$eU#hriMZT^``S8dR}<_3_p!2vyQSAlIPUz+_3Ycs@~cWMjcgwf=O z$YWW$sf=^9hK`QiGy1?qVOEsk4sCIc^+;0A32or2C2;G*2R1CLv(1vxIogoitZU1A zj-6I^YJk-N!>-`GQ;C(op*4FoMj zuiX%#ifjztuo<apti7hR8Y49nDmFR7p4r1# zIIE-Zw*;J~ik7_+=6EbBWbbIQ%R$|~!U_O{D-%s@)q)5``_U_-)8<4nB6!ax()c5- z7;`uZKSnWo(nHmr&+mcF*^%Bjiv{xPivEX_)nCq*I^*8Ff!N!HmgKnDH z!!WOgHU);*nDggH09`NMsdxW4fPv|oE%B=8uMx_xC)34{)i8*8FpSa+O(g1t5>1aBR$DQ$OIEtNPTtJ&X_b#4Nu!EA@+ z)FA6%R^WkSeZdg6%e`$&)xNoL4Q7xRzj-^Pb-5Bu_M>FzL9^4XS*i{3o~b2q=G&kVb3?4hojc%dnIM#&!8}3$G+@>t1NAeYO}2vpI{3zW&6-Pv zh`F>5wU9^@&Ij6XTg7gr+lY8`K5WZs>*%yPbe_dz^Z)8B`1;vn|AEcc)~;X8{M;x; zvW{1+@hb2;DkQ4cIcs5GDDf z77p3*k(1ZUz?>gve*SQ~dp?V5#g!OO@|fV%1xSFbg0f_=X?@;4UO~i;&u3#TcEEM4 zW-}&j!Nq9#Bjj(+j)yFq`@e)^L zYn11;Y<6H(ROAc*L*7~63A8FwHDJ_8qPhHwI`r#&7;wJ|SP284_KbO_`4W@&GeKtu zre9Ex#m5CV1jjE-8r?TLpWSQS-pJ4HbsudlX$E1=@~V>=tFXECkh z6OF2go8iNm3Rm-Sc-`}08bV{U#|73v^@kBX9qWgn>TRiD)#{7w5jIfx$T!aNeOq^6 zeHVuYM=nUKc*Swxr{-riBh#+uQhL^w6v9xqIxCRp+VImm&{JT2g!){yyeYs%ahtf*0*Z$i8=!;_g@N2@TZxWg*_;&3xPb*-8ndG58H5oXyle9^mPHTj{ zgQY%??i2Fq(0jl`BC)=SZL$JqaN_AR!$%Vqh%d^Qani?4X_BBK1^C6Q$;~~FhNn+C z#R~a7Mb3Se14u{T@@D3EHbwe_Iy924(hp!oasbTWxe7D1IptOS+mG(x4G;=jKZfGC zF^pv85NEQBz8|^R%;6~!KynaiVV{z;>#PHBnP9$GVc!eXsY>PVsS9zz0yy6WvSS|LMe3&>4{gJQ;b}bi5Q8w*!`RgjM6<$wLpeh|k)x0( z93oH!?Q38dSyM`I^#V_}x5o)}x^vB#`waoqv8RHxB6H%w?dMhl-eEQ1rya6C|GNRN zto8>PBlJ%)#`phskTJfFhi>f~i!-@kr#G|)$wdvbWBltnC{%KCm@h0&M<}q_QVJWN zHZ#P0&(hx>qfDA>@nI&p7+oDK8gDqQA`gxla5S=5+O2Cx>3iw5^f+(UE89die~^is z5*NfWvLFGzgsHjf`H}45LfBGa4Z?HZNBR7q4@WaUbRLLCTIBRtfsZDjkYo4O8-=X- zsYknr5z(Sv-=Qs#-CzYbBMntdJ>g5cHqZ@YcsWBAJi9FC=rR@dl{TJZ0ufD^7}cBy zc<*a^>t~^jf$aaF0wCZ%5rTfb|NmDO#@9WOrQIqm)r;yr#U2EJ6xfrzej9D=jZ6h~fc*!CjMS|shvzmm6$2$IcF#6b-X}+oZH0{nXv*+sazEeZ7ik8g zB6v7M_hwHd`~H=pbVzY?Oa!+q6E^>S03q==8sqj8OZ{P=rY-zAQw!T?6ZeP*MqO;$ zJ&Ttb0VZn56S-aQ8y|&n!}$+5+G$M&^Pgi*7+K)wh8&HcviYN@SK4!&5=0P#x+u&1 z5<$Fn%}%lNgHqJe(HJ;ks6J(FSr<^YNd7S}29m&BboRgKlD}#Rs+50cWYyNzf(%0tW!K*K< zoTKIA4d0zs1nF&~JiRh$!P#EEP8%*i2fIlqT>FiVTp;f=IhkW!;{y!YP#UOPv#xS? zM_KRKGoTMRt5c}5u)47NM6h}6(PH)LfO1H{dmSzF94En}YBMM#0`8kXYPCAw1#Sp- z(2uJkua*WwpnUGXTNE$|HVQtQ}7!um0UHGIx z3V~8?fz3_~*D^bd`OrRqs$O?jE+RQGyauv&vc-AHe4BX=g=Ri+ugA4L+yH7l)ZT{A z5{;>WFHW@0{`OgI#T;0)wCxWdi*8udvop64nuaKejH)s@9or`XiM8yWN8$*JhgNVU zLX$o^V2}#}07mQJEP7`X?VGpe+-}JaefXMAkVs9+)fV4nIxiQ%;r!n=Ojq4I;#~<4 z3c99H7e>B{^RFHLtHY1K`R{y-lK&g{7GIwMYQ_5N0H#Gv_Ji?BqYcxle$i=8u2U>k z2x2%W#ah~~^JYk3^w1hbDNe0-?Y?K8g~PX)RUh$0QK#*u?Xnuo%zold`>*smVa{&S zsqe&eM|#WRWpS;6WF{l<7((D$t+@orJ;^fIxG})~vOggwapv$X==&ZsP?-4CXfL7t zo9JS5zr57D4~h#bB62uA4AG6t+F(VL|FDm~IGpK7fE`|+DvJBedLPqcQ}Z47H7vLV zSZ=mu3B?MBbq8aGhF5?dAmW*~R+X0O3HkX|zDYST1h~ZP-zx%(x36}*)gOnQ8V}Nj zgSIp5jYjU;0J93xovpTj9Pa=nCz8$HOV2M!YucG^R`0TVS=GNT=vZ3GlXTI?+?>cz z9+Rot&a3&57ZJBedqX|+70}meN*AxB ztu+H?>;+5T0(_286*{Egm{G<1O9%y3enT+St&Q3{ZJDl<8a(WM52S-t=y{!i%q0XD z$+RhuCKq*E)F5zB0;=`|5Rr=jE;Wp3WK>%5mw@Ns{cj$DYRPMDfWCRshy(!W`ZZJ+ z{gJ2K#XSO+9;5&u#^zMc{=hz{R?4&Ec<8e~EB*SW*$S01-Fzp1u^q^SWWweVqhDr! z$m|qwJ*R3i3>`^0DeH>KXq>Qzn`J0M!NZ-lT%6|r#J@)Ut^w_FI)nwojS%7qT0HEcsw)$$mld-j@fIYC@ zk>UpB4AisZP{t8{3N+pdTcd9~Gf@BDkH{W<&gp<+*~9iW=fFDH8VP`EhV)bVPbM&a z;H^UYBmO!OK{)c?(gZd2>-v7mxxo&fz2e5tr+Y1)67v7{sG8ZNiPFltW6fEk{xc{T zG4HNr9qB`{oe2!L{Ygv?-;q;av}C#>XP$aS;rM z{5bYlS1ue5PzU;HR8C|?gciubNU;J`Kl!76@nS4@W$1E8L(VgW!-2vCi-k8#Mw z09t{JMUI_R!Q6{B^F2M1TAYuaJ<~^{7J@^D>U9PZR5LyM3e$;VU*<6a8rW%DP8jmH z4V`ny31eMJD6QZH(;8=M>_?7z9cwC6ezm0fXqKEsO#4-|wk9_kEtcB|p2K_J^th4I z7CAXY%y9x6;kQm^o1kV4+PUzZcX~&UmI9M5ICJ8ZZYb{oa~utqY>vO{l`0a_VcG=` z_$e+$Q+<^yb;}4V=IRoc!Rl6m_(kg%GyH#%?}42zU?D-kK|h$71ja=gK91k`OezN7 z`PnSme!L@P{|p(7Iod1Sy$v8bT!6~>{c0tuBA!p%ok|q8O`9_NQ)li88;p~ZlC}D0 zXig=swhs!G>ZQ5Fns+y;A&8-p&GkCAsK`$h-0h+WUx!sI+^ddhe|$QxL9R(*py+3i z--wTRW0#e$b7xM3E6JUF;N#JwZ% zzH+L|<^kh4OJjf`QRhsjV!m&mMyY(GU&n}?z`cFe|^>iBkt{0O9M|MaNH$EvQ~(50J+O(iyV@rWEwN9 zw53$itOG|SOd~TKY}Bi@n;$8F$DuZs%>8VM?OZ9*>q^#iSnZ92x{n)wDY>Q!53?U&yV#c2pFm97 zXKv_Mn|W2{1}4qb=-vFB7a+Y`;HFN(7xSapa0~n*#JL9NLR)$iV^)&mq=LzO5EDHA z3?Qb{VHHjd_P~rgX|ktufmeGwBejAA47YSv$9)L!`P^e)hxk9e@jt5_nJ$2A^->Hc z{{KN?z?Um7^Wlq({I=-G(|_W3|26je(Z~C}mSy|AsxOG1esM^Uj;}LY!T@JMWZ2bS zs_5NM*LZQ7>F1Jn`w~CsKxa>kCL0d2PN_jR`7r$wW`Ar~oiiG0x(Bk0sk}+dt*mpd zmJGj!hjK4alud!%G=@+%36$ zN=Nx6vqz!R3I}#d17tS9s?q-K9rTno_-6dt(`9dfami^uAWS(5Nu}vzXjHTq!ePS~ z3dZ88o;iX0@eP5nC4I03^21SGEPk3xCoNf`2!S#K{7K|eTMUp8yl9+PN&i&q zed!fdZAq)Y>f^jgI{Jt20M-Cn2l%7NDVF52#_Ulx0&?!q%b^@~Yt-Fj>Zcg$XZKH8 z7f>UqtIIJ+V*T$&(K|aMw z!76bkOTO1*p@Z7ZJMt54*e(!!(Rz9~TnRs0* zppLQOW7ni?#BplDU(*%cI+c#E4SX zZ4cOJqJiOJ0{sF;4H(hkX{jP9P#R~iEz`gEFO2YCW5qj0J`Z3eq;uivwF#EiIku}-FAtR><05;OGC`d$0{z&Vabi(Tj!S(gm4>aC; zVD-+~K{{UVvZM|EklA;2LExyfoKwg<95WhE3j|J%n8#EPFoy>h2`8bslyo!6HdOf` zV7v5p#^9g1?q3f7e?KpPiLu#rrc+}t6+k`@n$&iyLCx%0oAmz^nE(G>X#dNQ{;zNH zkHG#tXGBhjI(Ey37|*od6~qO;%kp<*e%au+XT!54EX z(_5)LMn%N3Y8$=LMTkAY#~ebwPa_KW$aUAU&b1;GmL%Bk|gWc zW0+x#!SAi>zQ4EY_qp!-{$Bt6exHBl@fhC!%u_Yj-nU`RUN1SyL`DiIk=Boo z(YtwfIB27CW?47tB~H2fi5_u${*L2Xeb+b)+~vd(NUaT`N$Pogf-ca#Fyi|Exyr)d zI)ccfnUQH6X~^h+TmbN8OeHefa|N*?N`Uv4M6JfY26N^<`~MW5n~5|IL@Do6OP z@{>xC_yy0D-N7K5CXg_EcQx6~@p_H$rU7Cvhuqv#*< z(le_Fk%N%xaz}~yRMP6QoQ!3ruW^)dyPe;7s72xWjJ+?Z!~-#lS>LOIl-{5EVosBs zt;6xwDg!$dAOc$MRos}a?@T%+w_6yXDO2-`bRVlLxl-2l1Xv23A%ky$a}+vg;o8i1 z_RpWZx!9A96nj_)M7(9vnc8e#&?$EZ!w>(rG^KwygE6Lnd0s0>QZM@%i=5u-o7=Cf zx&z9DzGJVoiJ=81Ys%Dm4GTS2o+u)bp3WZ)7PKJU%89hl-gCZ`CH#A%=#;q+;8Kh; z=B}Ts`9ufukPVbmH;MHy^zr5}QgZ=RBWSr1Z(J4)!RMhbeD9o(FqDoo3O=PBa7wp zgen>BK!lrRnMy?uk1#B-XZM<~eY_+oL5J%St4woZ^>tfk=nA7Ezw73rDmB1Q2MnJI zviSfC0VqjjW!$}Xm$N~;#Zn*Ce0;{{h0&TJitAkQ;2%9Qd0T-&_6pq=Epwl&15N5I zfzmz;61WOrmgEoZ;mqs%54?8QiSijz_-T7u-}bM!vTMXTrW4cXW=CrrO6nb&(J3g; zY}l{?XfKn;6_>)^xB^5nmA~iKOLdIk1n7SQJqNSd;mdfR&n=A z163M}REcJ|)HRBQ_DY(mo>z<()df-`M8cJ^i!NVPg8`P59p;XzP`w61huudihPK3w z)E^yeBC|W1_D}{qQi;illCx2Ci#H?`Oyz&5Fx&c8MeT%!ouDSK|MHO zAuy#Uxt#w%#+Kr3dp&g02rtr42{iZmN;@sWcJAUP&y=^Dsk7XGQNlR$qP$ zBE@9Jp6y_i zSLcrlE0p^mFjd27)yCC1tRm+nvtqlo#~>2DlVP|a#q6r0A7KB%v?VB`L!8|Rbj8TB zISMa@^xSjz#rTc3Q)#1wn?Z$);xfI500OC@4)q%tE!w|Sctd-3e*dB!rWZr&2^ zwA5hpQB`(d%u}sUsjIWa)37w@Rl@CXWlhq#GA> zeCtnBjQc7(=#t~MC|a{%J(Xiazb~GYvU84 z0}h2qcJ>xv>n1Z$r}w2G_I!)^TVY-4C?5fe(?6{D-{fy6(wYlv%oV&l^&(pw6JK6} zJV;Zmn{V!wy`cDN?xCaz>{HYa<*14?09(CRe<>sCQA$U6vB*yA`HOgZyS8G!v>tgA zPe9x_*S5CqTTBT-w~GzuYB9rIl-!@y(QCu)=Vu{*~Ee04O%wp9g&G`6n0jfG1{navJ)7*P=IZUH1N2h*S@v>&BwoW&mY|ARMbMhTu(ErL zRWU%H*p8tU&HPT;?@$>;86dFR?8;*pt$AMM@*bk%b86^&hpEQXwb0@F@$;UukPh><73=Aq*IyT3N}9@S>2XJ%%ChqnKhH01v#h65U~u`S)U76zf1dr!# z&(E;}&EPY^50jl$+bk3lG^FL6Eu$6vY^F6hRuCi1LzgOh6_&!IJOno{OQ1E26A$mc zDsYfn#m#+>XhL`sKUTV#ciZ~xx4B#(^&lC3R0IZ&UgS`j4WUj~tU|)*Un^Sj@soPq zvVXTW1&Ba&I~8XvXS$J*waZHsHPSXO#o@jgHdKz{TTgb(f)fy$cqsJK=4S; zc@!oBsE7`HWA*LU-mMoK*}dt~R#v9fx+~(1hv0WR-54eUH%>TV)siswTPXv4jabDy z>)c}otRMP?H=djR3fV1CWE0=7a(?cpB8e0`5!%bP%75tZ9o*v5_Sn+6a)O}q#xPJu zcy$B-LlY%BEksn2lx$f{%ntWJ(v*l-Qy}LL7hto-0N!ebC+ipD;C7o-tq#)-K*}H-8PP_ z&N1^L6aAZMl&vN9JNUhu@2o z(-`)}Mfz8^{I0)7P<>@3s9m$ga2g|L#!6r2iT(ainaJU&1HJyj63hskh~Xab&4Dde zVj6>G+h&6Ica4O^{3)XTUU=W*J{m&FSR(Zn&^{ODMV*gsu~_-QDxy6G(28&AmeX|i z;3Y-g{_rM9Rz78`AM0rS#lSB~I zI7!AlwSq?+pFA`S8Q}%Cy9azrS~ML0fv*5d(aq4UrhNkdzT8i%g_`ynOrvFCrU`pJ zfo}b%5wr03el`6VX8>=S`^>QQ-v5fW``^Jbz*HD89WLnunD_q{U4y^n-roT!I?!l! zvpf=ZILrB~`ePbWDua^Vc~?LCc)-)HbQEK!mt=5BgW_ zg;%RFl9nG+;4H(>E4Mv)Y2+M)z>z~1LxzMd?zt8t^M>#4t$a0-lhU&Qw z+mr5RG_EcR&A}p4^fMPBqRz8#8tO5aUy1JVCC;+rBW2aymRi5g`3SRF+OHFf>O7zG zQsCLEhQ#v(;Ok8=$lbt{1M;<%<^PcVx?^d%7Cb?4QU&N^ zIiqfc*`WHd5}luqoF~X3vyzW#+4t#e*_~Nti;x}@yg1pCevbjTj;O<%Rd67tb~YDe z`ON2pGaeT5QNnY;-p6&N&rv3Z zB6WAJgg6eXM{&)KJ_kf1Xen0bJfHu0l=E->dX*>7{Y;b7e$z_nF`wu#QFN9$k|NhX zrKNu3S|wVGBFEW4$ACF%EqJTDPxRLRPa>EO}b#i?`g%lZzT65I6!@45%_z3lx|x_KiOq`M=F^t zfErk2OK)kmPJ35Itm+`}#UdHe=rhVnF)@7nOTFmZS?#WDnHO085L$lYZtrROp zYInq8uWDz*a~4+jfXSrhD6Kln7a@4L0QHTxi&Bpz$O59WDU^X9s01&_g_uX5DY<1P*LgyFuCtcJNtA4*t1E3zZ@@ z`Qf~R59bhv=wK$O`+>wSVURZtJDmZ8q~be1`yGvA`b9K2MvmP74~6U$P5(p1Ze4A# zhx>M7cG1XC@B(5!IP_1biL_4#6!bw_7@)cb39sf1p2t-6C=drO18ci#D)Er)l``o;uXrQ}x0?2$@hR0?WE1ijYH?#LT8Pl7uxhEz(dSn;O4 zrL9lFn@N}gN(=jd`sxo;?KPrLW@_{3MT$;$e+6C4XL-`svu|a9;*TINdo@)gi@$1n z*QUJ>X@Kz!Wqi#SykfJxCJ8%TL@RwbwlNRv+xYp+=a(%kFdeP}uVUB_ zi(o(KIwV2%Bi$E*K|W4|@CH);(tKzORiB(Q$?v7dvijlHVWd?V&wsd~Q$dv8#BU4e z!@jX~KLYmY{`Zz0-yJuaKDj*{wf^-#HO}j=+ycl&Y2W`p!w;Y@`?JJ>Tj?1&Dv%9p zM%0hAV)})>?tGtn$v>nC7A>^cAGSWYk!C0q5MN3Jie~J=b1T|Y4TqqE;b}jT!QoJV zgNYYg;Nj1=hdm7>B<qHlM;KFbi?@bo zzonM%%XD{{Q|zA>l1Gg8S?DR^J8}>DbL(+qbn|+GxIAs+UI_OkoqP6xs)9`}O~#AP zWIbhvytk(N7Pj$LiaqCws2?bHDq9Q=e85%NzOhNE5Z6x8g3q3O-5!)mpS-!u*~IiA z6fU4irK34)0NGURGv2*S52U0%o3o0(XT^8Tvzdks1ia&*yI*N{i*E!O&zYep{8l}D zTo~q`_4w5!3;0m(wJ(;eah=$W%9lGwUJD5e+!?M^oT=e#G5;m?JPP90-f(VwHgzK{ z(x3honMxxi^GWU}UM)8j)QT%wH;ec;~*vuuHzAV$`60CI4_&HoLuoDf^zrT*nEDy z9;oicrbT3qgUWK3HZf=f_ihvot@pfB?A+#o*2z%8-vu>`R+Q_LyRW_2S@Eh&j#O~c-R3KhN6uunjtG02H#Rg|NYth@t^)QI>IYd2;sw_<$&XM zqQ#&(kB#=@9n(J@d>bcO=w6x0UC1pHMcb}Mrq|)I(3z{#WYy>CX+vA;uh5mKpe#CP zpK-(7A9DS?C|}{(v&E6HfDeV=H}Kfd1rZjcKJ|GREWa@xi!-Q4@g1ozY-c_Si_t70 zbkRaXaZ)tZCccpz`c(rb@sfk*du}pO4_t3HW?Jz+Ws_1R`w(DAl28KA$A$0Nu6Xtcn_DO#2A!GKMwBbynY z_lN#M$Do)O*A!m(q!8zT%Cp7dX~!k~Q8cSV-FFqYu_`-(aqFfr%bis7&KtfB28{>E z!|YaDa?<#>wjbPHm;c%d|9QsaRAjYLt{W0R(Ij?DTcO9>;Nzzl!f&GYPb~oQHes>~ z@>kz4Ouw|{Vc)edUhaMQhf>mmLd8Bwle2?2EtLAXBe+&d+60qv1)1CuucBpz zJa^~8n=L`6J|EyYG_^P8+uDp%uD9}4I(_67gimBixneqFki(1~3EW|ds^<;L-aZ`; zOEOTL(>1lb0u8?tKl+Su5qrw`WVTMScGiQZ`2~HC;LG_EBkyKD@g~l+{#In@Ois~z zo2CN}Lo=BbPTm}y8wvF#a4ri#mb9wlbZJ%7yuvQXz|Xp$4zkdTo;s4<8{y4DvOaTrJpi7E=1Yu0ltF|v^ zkbm}!cSPuNu1(>!Kc@IoG=xwEh{VQ>^oKu=+Y?3`{IPfhC1tJ@d~1PAg>f3)zB(q*TqSvrCmqHBN|aq-_B^gx6ofOfxc_+O=zx2&);_#i&GWb@?2Jx z2-Z1>V3?1izRfPC7vmG+4&PDH#H-npoY*}&a*3!;gqtIgyp~+yaeRiBEcY22V!41r z$$(d~bJVvP93$*Sxu00ny07GQOsaEyf|UZ;>C#_@g@4-B?_+sIPnaL2$4)o)Su}Yp z{@ENwPXWgDo#!oH+hCs0O8L_pU6e72i=gx}X6jPYwPwMz7~H0rKr|!+*B#2_ zpf0Y)m{M?-0uE zl$^mTG7rNym(JY2%j>t9>kEb#-9{|)!R*b`V8q4Du9f^V;(}}88P(ERj2oVx1_o8= z$5t9M%*QsS?Ofb6zmHr1_E*56?w&)hla}@|ULe)%(-=X>yPkWqxBlC?S!GaeWb{8? z^3yQAy6@2O|2pUU)MObdkzq9K(i`W-<(F6Cg<2FD5Ay0q$H=}+$;l-y&LOg15di%NZG4Faz&g1~&?A~F zBKL0v`{^4&a?dqsdnD-Qe|s-6I&sy5MvV7;0?S3ZQW2-K*D)cDW`(S$0N%-kH&Ieo zgyA0;{TKD1+p-YnR>o|NI))ZwuV|B9qoIc7vWLE@u5i7#Q97F`;pvF65akG5UI4tTSXT08urug(@(GBdu-3xrNT0BI(LB>gz<&5t9De;|`J zs*{Hf9cwGTUX{lTkQq+-wf?p1ojk0f9earL%lN4qP1>(DP{wRrlG=chX3?t$ae=p6 z!_Nm(bDrT~NSCU z^*A(Jv++l4kNl?l7h$ zcMkOK>@N=F*eTp1^J639nc8<8 zt0_I^+s9eRLj5Zh$A>5YTx&H=*(79s0ikAm!x7M)2$m#wy9;nv9Agu>S$=CzI6INv z3!2ZN+uuUAYkeQZrwDxmIFa0)ncmCEKEewRwASQ>H#G&X^@Y`rt%U1qzDSCRdBpG{ z#Qkx#Lu6*6UtCqK%Mn$@BDf-0NsFe#-9S+IZx z2;(1-12Nz79_x>$f(ptRF49Nl9W4jBsj{D^itD~i?_|@HL-qKXpbI6jV-N^SUg^c< zn&kHy^Sz*&jrrlh27mhXfAM7l&H03E5)@p=$NDc=@j-y|T@^&QiJTF*SOH5cNrF|1 z8=+USLzBt<&PLZi7b7A=Tm~Br6hv>D8ec7JecXA(YRMp$=GS|RhN-Eh5G|u1>Bglc z5Ba%wFK3P#%knM7XoON#4iFtJdP3(oETuZ(PYF$Gu@628E3%vgNpc+ai4<8I=MFmVj zrzXp77%liQ%06maStw6PMtm(=3Y^z*fK}9Mc&@)?Q1Ug{U!qdGv1{7e%b9Uwc~Ten zn3;|{X8nJT+W$yyNRE^V{yS*1_0D59W2Hg)ly{0+ZI9()jRZD@`BjrJgIS~$8_&oL z<8*dKm65tW5U#k*82v&=dl-U2Y``)RVXp3JYjaK>QWTro4Y{^VbWNUB#7qk-qp*hL8aUi*B^6gmIwxbSkA)6Gp z);=|aSNt+{CX}DTfU=j~R#Is&+nTe0-Z6DfgQhhM5VMfIM!(PwXWSSprE4v1cb+>E zv(V_*0i0>6aAy|V;-d22d+i5t_1zu8Iln0~ILyj2}>mmY?T_77j$ z-JdMp%ykrNXMqTwkVmrK1kDd57@vc-Ki|~(hn|HBOiM!DQC)vT&j(17xzcJ60~OoOCBDPYQhnyM;?RaG^*-i z?VJ!y$Vhjtw$_WJZ0l6xMSWE~)o8tHSu4k0z>qaGuHBk^31lo9#Q zCRZ*2cyU_?w~0Nme?8b(rFezCzQU*T!0d~!786@W$`iCP8&8$iMhr83PiwGwEX;*) zgID&NyINRF5X5u&)(jOBu(o90bDoFdHO$jYlV2RKA^V!6!5Fb4Z-Q-bf|7zZS2C4P}K47?$P`3?eROGH$KUyqd48CsayBx!;Bo`{0EzPneyLdHE-jsgfDO{6Vc(ZGz zD~hHR#4Szf?wq-EXGbd|Gm@+SJ$da#_~V<~lXhsUMHH$Je0V!bZoYu9YiU~cL%Nl` zcEkfZ@n0O)2RW`MWTsxVE0bl%JX;$zSq1U~du%B!vhV~X1OSIs3S7nd<5L11Z3%m} zX**II&;e$ zDFkddxhiFqm#^comE>XS-|Kv%a``r|pCLD`>Jz9V4D6gzXjClL zPAaNqJc*<@r}16sLnfvBke0}+6vsgw;oZ5IR%F8gOP}nalkCA)5#hZTWvC>Rhfz_^ zy{0D!Q{38Z)O8Ma6;G1e}OvHbg|xi?3MVp=BD z0L4Z_Z_KG?8xiN~7~jv0Vra=p5EXDCga8{-#H3zbVX-|jg_v;W`S+<`zT~{+=+?vE!+M-24+wP-o17=5nclQQ}h^5fvyJWNUsIYXJTFwIz#) z$^knoVIT1!opOJ3fijW`#0(l1H?keP6BQd*5-8o}hODeJD9bOLbVwC52xtFdZ~Ecu z7UuhGJq3u5e&wC1nfE~=Z=1`I7GncxQ)Bh>PsnSbossK2Qx$DBGiiSrBL7tkTw?@+ z!}x;FPSJ7bFi3gzm-f9|P2?uJlk!VMVUu^_D4o|b<5JRGDtW&U$DM2F6$Yj^P}fjyC%&yAOhsJ$}apN?{U*q>XUYs!qIw_2@qr$ ztpW|fRY$QcN3!)?dT+pI6JcxG#OXV!S$5S+pbcA>2Nsz>rpA))f?HWfzqYc zg~|NTc>}>+VROY|&ImeO4n+BjbXH8KXBMql(xY)MG6Chr?|w)V^XkmQOAykA#j4ww zW2?HGlZD4%bS4ppO~=00EUaL=Y&8o=YxCX*qf`}@TPcwWBI+(DPnZwDzAl!+_Ql?QEMl;DM zOx8l3+G&%QHTu*FJf90dFqGI%m{#31h2P!1E{j&ALbkg~(Ovq(^Uz%bqNu0l>v%fx zJA&fsLj}XK&Nzm~0nIx|&0838e+7zZO%EgP&TK$YBnD)QG47_vcu@N*WwS*Xd-|8t zMlW4JN_SMW|CSUnWNgXt1j-M#FTURQG2dcK5_uo9&%Jz+-C3(K`8)E1=Jj$j>lt?apX*YD302g~`%zVTT>)D!XN9z_pLF^4Lm+TS+HcdA>z40TGL zQ9eNrRR_pWkG-#wrmjXafks{?=|M?6t+V;ePFL{XLR3*P=9-bU(E0SB<=O0{mZUO;UcK=K1{DBDUQ#!~ERI@7tN=4#pCwZWW$nm*X-*YP%X%4XktKKe_bXe^ z(II@M=d0$zRvrm_0IYBP@od{Mqx#FX#}OtT{~@pwbj zcy-fI%jL~hU}Q8ENK#qKOi)0h_k!zui)!t)*6Hw6V<7B?(&*Ul-U#+=gnMrwn1>OB zCn$Az*4uVS-&=Y7#qhdP0~bn9(y%RuqQgf1hP)oMB+R16*sHa&BmI*mO#$V7kxo^M z?#$67on(tG0DGSexx*dbGe31*CHZ+|j+QB7GVZPJ8fX|`R>hqvvq_(QZ<67yk6@#8 zq;&1MtbZyQmtvLe6D`pfplzz*y0p<6?4IgB%GV=ccOf92YwBd*nUwN9DNyr;%2D6C%r2i_5y8e%)f+^GcPpGYh~$hwuyw{UM95j6)}P-!HZ9a z*tFtotcngQin^5rT#WNlvy^E!8Ws_TyP4KfqiF;5$)ooph`9wC_hJIc1vo|H9UexO z$_I)yKXMkoxtVxp^bu=U(-lFOdY3}Gy0IzLLl04b$)gPkn+>{!R^bpN2NeQ4XIQT{ z0WtRWLUXW=M@U>w)-t22k9k6Vu&4mr3;gsD2!Nrxh(^xG$eP7XZGymr>z?=H*& zu5S=wS2-@qllXK-`rZD{KJ84Wtydcp)K_2i=lCVS#y-o;`2IH=V>+_2^}3zjV>Z?g zgjO=s(O6yNhqs8UPM3{21+ni$weu8kEDv$0kcB|V`<2A-Y*fMmgKD@t#(3uDbnp}1 z^Ug{se9O7u>TA^;shhJI90U1jt6x8Y!Cx-4JaTTmrXT&reb`cq1CIb;N5#wlr-zVO z5)Uc!euV-}Q7wI89HNag!Fp(%+12ju)~A~;TqU7L;wfZsdUpRD)1*tz!^3J01im!- zeNr9PmEWQs4DMXXamhX0UH5z$I4`UXHfHQNt$(9#j`mHQ7WtP)f+?_z@EJ4W2+81Gs;2cpvt!07!VRdUP`P z*n@3iK!pp7^sX_FIRMy=G(v{1(Zs!o zbDX(7&C6QfiN0Qc;ni1O$AZhP@Vi6JMdQ0klDKNWXDLp3Of#Va_43~ncuTv0XB|Tw-w3ks@xEO!q zR?X%(2X=0#55`1D^dGJLE{a>LoGq*Q6^7*S;?FX&$xX2OvSi*SHX4x&H%!-R-hmuK zWl6*q?EKCfixF$f$X&}sp-X8N(+SU#5?2TwX8$>ty+uaPGqro;PuRukEV<+@>(^&_ z{QV`am?#bbJ+w)BrWCF!rAOJ;O{@yE*=nv;O1mjyOpXyDYDb%LsFF8DR8@U2k1Q;; z1eKhZGg_i@e0ywMXh`(lq4WlKclAJ^Vap=v<~J4YdYv6=wZ)AROv87w-RENjkO;K6 zrxw=cTHnW>0cK}0E$SsvidzBckyc7bD!<(lEL%=z#d4P_e#>~SYsE?c8cBFr@?0s0 zmx0apMV>PCS#W2@cxTfiiBd4DRDV9$w)MTPk{pnVeWEo3vGLn61~>xX#B(dsd=@`? z^N!a+ron7_SJ7pm6QU=P*vh4$@Al!eLiLg=2RPj~@>}dL?{t?49A4(YBH-)cBEKZd zn&HUw!|*5(*NFLp(ibkK#m@Y~J2Mx-rY!$6<{s~%kMja`x{AKNUna*&kWY-S-1j1z z^pD*Oc4^XPNQ{(XB6FZLQ=&kG81!$>){`#NM~dYqG0#*1HJ152PRg(D`B?ql)W=2c4TEz-+ryR%V|Ed)V6C_mPmxg$K z6CIPrNGSpqD7E_M&eJt-ksk(b8*t4QR-&X!u(w&!u`&0A$EOmH-T1$94XHq>*Horv zda~%)gU7n+wXZJ?&=NMH=p1trwk+y#5u{?InD0hdc^llgU_hjAjj({?jwb(Pz@hTZ z>Gnx!6YEEt`E&V6s1~o+x2|i&Zhs_tn35`sR^uA*nl=LdlM@!MNN^MLY=6_>fK5xHR|qv;DaTuhj)-P7887&T-P{ z*x>_HSx~utt+N?Y;;lAXeU!HIx;~L(SY01{x*@>lXf<1SpdFL7YrI5WYieCyu0!ri zOUBV(huyAm+&&Fg<#G|H>Ub9ai0h$|b#+4aY|2SaTn3Cn>8GV>h$Ym$+Gv;M-0hP{ z-=|l;Q`chKm}A>rGJFrJeY4M$r@Y>2Qy6Mpszm6(D4@FD^J*$cUecCQ3I5#Uw$FSH zwp?jbSgZf!IPTOa0NB#?RZX4IF>D#3OKzjxxPl0KNyY)`ZDF4oWb1v`?pzv*j=gsp zaTXc~B4RuCLxV{?X$;~d?+v7O zv9qIv7?YZRfoxueSbYetyTT6->;qEbt;3Ab4UZa2DaTvrMJykw;V6M4LY8e}!8;aO z`?-T+*=OC)z7^+hU^+=l2@vl(s!De3nrd2E`PijhLh8QQf%y1q^y)bK>Iip@NA`o5 zgUu1&|b&I=@saBC@_#{ia_ESvhe(iWa- zk+0NN_OC4a7-;&J7anIk@*UYVYjww*%##VOca-iXx^Lx|W?s2%1S!R9485j0jeQMT zo8}B1Yr5_;AA<0mL&K=p)1`zr5;kQC_n~vuKtVqiM(;P@i(hP4uk{8h8f7Y?4CreI z@R@#krC}V6TI4+`Jxa=MaiPa2KT7$;rRS$PIU8d80E7UcNBCx3(sIk;0pVySha#<;Wcl z<~!o4eas0jDTf;bYTM#RzuleOT|Z<9aM0tgog#bCnz{p~tDNw4s4jYLPBv+U3#!{O z^?uoO8vCPbIQ4eb;_d=^!C8yl%cQz*ajrE2$>G!U@kykb!Du~7Rs(f%WsPa8@3voL z^5L-~{wprjxa85hz_PBc9b>3WxhY+t-}tOOf94YvVC>y30y7GRE!+x(k~FHvMQ@6; zL7Vs%-v<|!z&M81CglgzBu-GSUU`A7PWa!vh&CGYnzPX zBa|7Q1_Go{UDeM@8H4q<-$ohEBMV@4-_nDUQa^~llN}eOJ}0{r2Li2*i?YUOv0mk& zkQNB9IHA{vx?%c?nG-dCB40>F3DEabAiw!)Kp2CP#;f_Zs%4Wp^u|Jl4q^@DX5W~+ zYJW=&QQGSTSWE(>c>v}9a(QH={X1CxeByF0ul7by>)t#K2eK^d&mkoLI~q* zvO|OIEdvW`pj~wZzqD3~-m^^mW;n)zOLoK$TTBmW@vUZO8uU*dcJ3z%K{dVcS9WVv zL@+;D5Q-AgqT)u+GlY9a{@Zn7K6*tZtjlZ19-N|8@Rzul)l&IceV!uA*4>VkL`j>g zMFtN6Va5I}w~y-_urTR07(gXCLCZ0^`yX|EmP$A~bAiG&kq$vVF-yBPg9g0ZTqb~n81;_y$-nqHY=88-feP#|UD*GL z)B)n5K!Rwu`PozV*n7qesuRz*5WCr6Aa@f{sW)h}kGbr99d3m&;0k4QrEqam8kP8yqR zWBM_2BIqLG*Za_BrQg~}P<;jN;d7DigP${3Tg7X<)_P)fYEz#Lm^FesJYq!)7MFX> zKhxuwZ-n}sC|J&|Cq5To$;mKG^{F=OfuwNPL3vS#?*fllLNY3a3lxaDr5E^ zt)$l zeh%lfjM{e6dWP5~6FIH1<*FdE0tvEXr~0o5^3UUs*a4bV5|cj_9FF_8!ZQJ=Z)1XD zEwC*`+vFKl_bRpBYg!C~@4DzngpX-0^_!seR)BPfZvlIt${2P9bI-{Ob$C5V8|~ZA z$(LPLJ@BBxQ>=#)YGLL4L<7@Z2IP@0(-@QIh%u_8Erc2X?(u2>Lw0S`7MIf;Nt1&H z_C7tVEuJKnxPHSC7s@D3oq+ehX5_1`j|}HZKcK)3o=uM^vKS2 z^+v`(*{AF>y_fwS7wB@$^jrXX4f^+Fg}wW}+}?c}6Q@*{Ch^0x_Otkop%-4?9Bo(0 zuLq>?cCtG&eAU%PTif>`T?}Vc`v^7mr6Kf_Y9`_Bzmb^VOwo z2UM-J*1UfR)p2ScO%hQlDBb9Ev>A<=Uv!jJoO;Uy4Kpyk?Bg^)^4Q_>(7m4N{Mq1$ z^?exVdW{Bmzc?MUEFs^0KT=}m$6-Aa!e`s)p7hewk{{xJu1FjpQ~;hM_&LJhG7GIx92ccP*QPS#Jgd|Hd+b9{dxP2<8P)v2qWxCqYc37FFrUaoFerykZAGB5JZg9+`K zX+~^*T4Fv}O!@~EhV4tal!_A3JMH^swYUIO#sBn)fB;}D;4Jg-JMhjkL9e8d4(^7D zqH2}psq9A{G%g|D*dY$)YInM)ma#BQCv+*JVjJKnC1xOQn>c3~^l#ri>YQz;(rvI% z&6f||Gf83Tv zFF={$q?OIvLoKwEtXn-Y4%PN+G1$7pktpPz2$|jKfMAe^D2?P|F`%ld%}cZ&M;T9K6#$gsetNCZ1)Fi&`-X3XWgxfS z)+z5u8aZ3FSCqEibLfyow6{t$zTX0_={YhOo%}^Djj4|01ll!IM1uP@^e84{oh&Q_ zwPI)D9#{7>!ZqxN*kqjNJ4Tm7WxMHHKXM1fCvRDZ;>Py;{AYOCfr7;_J6u4&!^@|oAv%2VjO4r-kZFMj9{XX~`01R>Gk z;}I^|6P>xi+gd)Z=)8z+3aG$lebC5*EhA#&kZ%=be9O1E%<()-xE zkI(N+9KOU=$Hffg!MD{K_oiM`ncqi%Bgq`T%)?Mg#9E>!+})UU=iibjxf}&APx)H{{T}qLK6BmYK7w-?uaVP(XvGvg7@kH$LG*pA!=B)d^?$#e{ z(dpobl=2|ciM$DzRQ(L6yl0mm3LQja)~kH);1tAmCQbwUH3lRO6y4|GSTc&Y@4?r$V%(zOuT`>-5y75eItAVj&qy9?#y~Q>7k$3gVia zuhY>zTK#1Vtp3UamuwXzBt|7paSXoyBNnz%0hf+d$UY`n^j}f5(LLY}*OXlh%NnAn)1W_0 zjUqdwnxIUQq?HJTew}788%3@Rb_G``9YhR@@S4_M`!;nW7yP9bEOt>y5U5{!&@GGf z?HiU+45L(?Rpy&vM3jwRcWVt-uqUv*44G5_%sFxB2<%fTQ7_HuN{ZuY)$=YoS!Hy> zC2};)75l!FTJHih)GMs<|9kYxIV3tC5RfNLTt`8^#6E z-ceefFJ`p%lQ1)a(X<1wUBWxKhVy(Q?`UYlrz8(ZM}?NqSo zD?ulN8uiahWBgIZuW6u5f61=3Dfz!+*WS@!*x&&M;K!`L3s9vSUo-wmdzs}2a-ALd ziE$+_dZtN}|GKHFjNm6Z`VCVJn|c?-@-lP}JUoq^*QhhsA3nC{$UfYP#ldLm&)5bo ztQI);hIb(s1@+l{$C^s|Oub@Ph&(Mp)Ea?9X2P@QMNo*t0^|l!7G1Q5MI&ai5q@FT z*@;>5XrTr+wjnJU&3lrZP<$jD$Y2CjKE-fbCYTX7U-d@9IBFK&;XDrK;n1)Ni!C-* zvp~NSzWCu$;h}pXQ3A?!pKW$V7=Tn{%;9=&mxu)ZtL}c#0?6S&EIPk|xSXHxJjogu zz2UWXRfO#0bREg&$DGRb3QNRxdn$jPK_;cW7*t1N#DnbS+Honq`}+58W3NVjahMJB z-%$n2aH~c|G%Xn=*pFLVq=)jboXYt5Ky-WSAvDbf5s8^;+Zlqtp~zk*TwWnrs`$up z_|4pKw1AmrE)`0c+HX2PJOg`n`}6uxN#M8tX`Z*pW={f{Yb1q4hrqEa#1q-yRFzW? zY9L=f11hP#46@e<>i2Iatf1ZhNo&3+91+HJnTA~*qqa3D(r0=LOd1-ISp5@Wl`YLC#99k#qMCOY>=WKREnjily-k<-GYP z^{YSq#luV_PF_g_7U-RqN3tze)2+@;KhQL!Hn+{PHe*yHtem;2g*WQTs;U)o$qN^9 z2C9}S!@Nx3MJF9UxSVUlP479vw~#O1m4 z1bsWM`AO~qwbHA#Z;&#gzL%TS-Ko0*RzP%*`Jp>cYlyXO-|YI_NmyQuq14Ks4B-M_ z)T&3w875e4kxYs~cMif0eXHlwfneTg9EGeUJ~HTVgR>Gnmj|IS;ez#|zv>rE1!n8L)+4^JSMiy+wP^@7ybpQN&=w)mODFT9 zQggLzC#`km9As~`OmZ!vY&Mh^annXq7OPZZC|&2!)guvJSUH~FtuN&<-3p&swk-lM zr>C?p35#w%@92PSWr|F79RrI`JgMt^r-DTM+POFJ(xPv14<~|cp%ptceKS$n&XsCj z{VYD}huimxMLBIlkl9?BHUySdw}&e01A~709QxdY?7NiU9%!_=es_(GlR?G?k0u(_ zRK_p+)q5-m?4=*pZBIh#4~Q!dDi3}4P;IPs_lrR88`D+z&wgl`^#cj8dbS`JP{GmV zubLt&X(FziM)kL~`yK9?uDUfgW!hHS*C>q^R`QSD`+qol@2IBNHeGmwD4@~=L8;P= zh=7RnCW3$4Y9y2<`lEX3y)McfK=c zeSc;V7Hd5`<-V``DqgSHeO9-aO}Oq&dAM#Q*yi!s4K52=R)vd?-98bD4E;EuXCxXS ziQ{MjQd$COH216Y$KBcsNg`KIl?RTt-yL?OdW^X*Cb$m@YX%l<$E*^GCh^W8gvoJ!K{)xCk zCu+Vo@(LkPIecet!U}t#wN(Bq77VOSAG}sp4*1HOun$iXTYUHnt6*EtapT@QevIa` zqF)zN{LD7f{ErW59_Uh7st47m#tY^*^{B8zI#{-|bFp308z>fXR+s@X9?}Vyo|`@w zN-xiEw^ll(u;nYodG(Xu$w7#Z_VV`ezG81_H}^>jI-f{$?WxSAkKs&&_M>8JBKw3# zQvJ{&JWr^&RqlZn(17tg!Br zGbpsZj&SEV0ewlHSmpQNSxkrch79lWK}fq`uyg^T{ zFlBD8_gRSebINQ;r%Hxmd*;OP6&RY%2Xgza{vivn`VUzE;ZfULDz=BLfJ;k4^lZEv z9k;x);29FtSJExg*39~yLrZX8dupdKSzWT6ys1UJI!1;c50C=&M2l^}U5Ol*`*m)AL=W!EumAA+KIi9t}QrHc2lqVTB|<|lWUNzH_R|j zu7l*dmS5vMAZ=wr8$-W!b2ICbbGXgvgb{TSOP@rz=K2%0m@3+g0Y@5u+iM{eo(=k& zPI&3)<)p+(kpIPxM4BTW=mg9Mb-aEk47B^a&n7Q!?F)zr+Hd%6Y9+f74+L~@zIdHXxu9RFCN zvDEBsf!l`Px)7US&Gh)N_0QdQckP=W*FC0Or{1adKQ+$&z!Wkmi$w5cvub$#*#E3Z zjga1`$-Z2>dE^?ke%IMjO*Xnye2nMDYlpJd1>u6X`ci3bKZ=WIsmBI_Ew+|25SVqJ zHKV8x&97BMnv>V{O~)tpk3iI47Y!fk!R7dGn)hZhnHns{d{g_;Qf-w+hhg=6$W;;c zxa9qk%W?SxJ&DVRaPRL!fBK7jgNhDvW6?g1!t~=U-j8Uo^zK*lR?4^8sUELVqKoI^ z5g)m*K!cP3!xzhAlWVFPpS8y;rR@%yfCTI2-pT0xZi7}!vFa1L`bYeO#umFSRKdY&DH`5}^Z3X^L?8zaK@ z&mPQ418LnBp`GHfc{c>uy>%3)Ohg?&UOPBCjk~`;;*HNm7xxL)#xHAXVs&{R)6eGR zBiYVfxP0e`5n}zlYJYvK{n|}h`^pL5MX$A8aoo~&6HoLL;}=gkax1IT#PRyu_V<~@ zarop_ziG~`_c+H5f1I@V9+gu!+&&Ea~y${q=-pphbDpEJZyP zFjWPJL91bT8A%~&@2g?>YpcDBCrh`FH#1cR^uaqJO-09wq%oiM=cQ8K zhDlQ`}8luRAx; zE$;|W3>0dPo+H`FXcr7688VgE+gu#6LnhcQreJW}D%YL7(pB92zWO}!hJP4<)j8F- zc@$$3GlFkk?P|i;tT+`YlD@m^(xIi&n3ZJDp#4Pn5u9@ucSB&U%C!>u*dmss{Z6UQ z_(xSs6zv-M;ikTNjjl4 zz8cA?;MQmvVmDkEE91)awey%-f+uBW@6D5@mf(mfngcW#nLO_4y20)qlogAW$QH!o zx{U!5@BM09Kw-S?%}cUTnJQ||`Ex$|s*CCV#A(AcS^3nJ_3in12!mZ=wel}0CdCu; zJupH};~SdLd}TB7aJ7uAHD8#l5$1FTR|S(0ZRMN>cTKW)g2eN)+(oBg?BXor54TAmA^6QKZY`&uK-Wd zZMv<|KlCQbpQ|Y>fv3pbhRc8JCtE!jpCQc+J^oAR$8$w)bmNj*9~Z=Ko(^++D4$wv z2OkTm?pDu^^de&RoCn<;p4dTWJF89|Y_6MD zP9{IWx)uuQuUs82Q&}M7+&t8m1;jqj7}Vha<0PAd-6u{@bCmUr4=Zh1KVi|z%cx-) z##wy&1=Ez1EF1OI=w;@-Il`oZe^dG(?9xo#DSY^LvHc2}47lFsl|PkvKh`4kZWhbE z34D7~I+JnE%Y0Uvx?h`Kzx!a4N`9#l>jaF0a1##|{qp4L6nXJUKvIMP zt3PYmcu9L>l)50D`W>`ELDdg@a8C2kuLL|GZ)wUi8O&2`n7;b0cC}2=ZFN|Bc?>Vnz@X#Rp0pcfM-8K~V-M?N9^dsdOKvnZy##%0XvI_A_ zbuoV}H6XolBu;&d(b_V>J&KBkcc4wZ43FPu1+KPPwsyrWG$CRV3la^oOAf#z8z&e^OBI z4nL*WEzUgWcT@I!>?K{T*~ySa20pNX5#C9iVQXN$F!PX!WMj!fGiVa-C zfKjnh;>W+e07U#!4!dgCQ}>1{H{Ti%HjJFqkR{1TgKg+gX9d9rw%u9T#GH z#8#EigQj?6=0%g&&cch>nPqp(Vlo`sAwLCcT5-qLZ_X@@tYr0~fkL_&cmhp}_|u#( z_fN{m`d<=4z2>q!rBxR=s7!FISxz4{eAyH7n3se`q>4R7wNm{~vB4H`iXJQ_Itg>V z?+xn|t!dQNH#U4FwTQYjV;T?9D)Qc4Zw0aIqnHocg~(Mll=4=6cgr)`qNdL6Ptd!1 zCgEP!Zlp*^-tLmyM^(+V<*Q4Byj=|Wkhj^lR)ThLi={JJI|tDZ>{EP+%b~m=qo{14 zcAekPMI&^EGXB6z|GqN9>d(ejCzH~ij{gF6-VVP1E0Fr@)H_KMrw26w1A75#KX(k^VK>m<2D(yo~oN2~bu z)1ImeHwrKQK%n~L({LbNGb^Rd_SrcVIeV^K&rGYYe^5zee3*>Cdqq8sIaWM35p=)* zO1g|~Lh}8vyK2blov_B+kUgS#xs5$(2r6i%yr^gJsMG0wq8i5_PC@(=b6c*KXzLeA zSvv%IQz7@CRKiW9^&03rp}qay zy3>)<^s$$<*)GIU?U!h@t(#9FU{y8d&2k;b23SsgnJItAt-P5wvU_Rn7G$w?g@TTJ2JE#Ju-PY%}$yUk%I2TZdY zW9v_Gd!w$E5;L2M?e2=vZQ5k|&%HCN))Vt_v`rFU9779h;-za8ms(AWjn*a&Yy2pL0M@bJ1J!6Zh)q)!F|XYm=%AwV zt}&UIFXKgj#DdPvY)%2AwbR3C{~t`GO8|hM>u+b4L-=WTuX5OSM+D1n?d=hHjs^&b zt2vxB?^+I&+5RYO3R_=(M+h)Gh}9F&Jb0(tW)pOz2+P#f6EZcC-hLu-9?LN&Ldo+r z#bZJs)tC6`;rYnb%*8Z8&F}fJW=Tr?s9PGpY5v%i@_y}kg9FJKS3;W4`mGjc{D%k4 zcD5=Jb5q~xwm}c)6!(Wv?1_CtdaL8SHzGM-c>XNcS6S@hXS6#Wv8wmSB{O(+lN>g^ zC12%tRcJ6OZy%k9);gTBXQ#r$*O~5XN49A)cHa_Ki^Rd8I#B zJ7p0EU?I8NdCN?xYetLPiciY-16X6H0IBiYkfuLh?BDn~Fu}Y_f^--MQuqG&Ss@9a z9%YxmN&SQg`FIxN?t5*P+@tDYSivva#{dPn|LBe0YzCn36xJ^wC@=lu3zkqpC%=i0 z`*17nQ7ShQLG#Weow&3a8?Gfb4|uHa@R-iWINghFJhuyG^`iaR@_{zP3+5s%*Or_3 zSU0-}|JkV|=XLbC(l;oxdF@%-R8e2!n%0^xcrEtumrX9TUrD=8Bt7jhDZQUxo2+zuwlNMxl#^JZc{S5A8P zMB+@D(tt3>N=L3?I3s@%3i|0}<`OoPO58wb(&yB#xC_b>ORRUQdztJ!$~SKq-8SR{ z@mtd^Zfi@qxXC@%a*8}E*!%^U! zU403g(g51(^$ST1t|xcu$4h!@7Zaw0ID83O1;u;BOb*cD1k@Gj(n;wx@VjKzQO83M zQ#{T6!^MR5Nq_ATchuI@4pz6Z?fRS+MrH>uL+PjT4p8Ndr9H;u#Jx2p>90d!>ICXB zp~!?GFp_EEYs=IX`c2wC@84(-Ejjd4`3L+RtscNz=Sg#>TMubKfKIfv`&1D=^%} zyiZ1BW$qzTDi0wq<-*yPvQn&$O_r%nk(AmC`X;pd5Hj%6vM^MlsLlP^Rp`9Mge9kQ z`4465cg=JpUpm#W7s}|47~=QeAdY(4m3?I?hGQ?uV(4(nnKoJ+93&m8>=O*;bU_Z@ zQ~2*3oPoA<{N~BTkM%fh>GrPN~ogAcuO4{F2P8XTbQ765%W*oU>oJ1*k$9w+9K?0`!|` zzuf^ZcVu1j#Y4R36dOHOV%7j|7`m0uY1*`~7?jYYpP^*>osMY@Y6ft(6W-tTUYNxk zlQ*V#PO@pr9=oA-2c;wH^+flj7nZoqD@{BFb&~Bdlul9ckR_%*4e7!-;3CI0x^_v` zNodgo0*|5328uoTM%*RPM>uiW>O;to-{jUt4^sS5>xxjkk#p=l9?-Pzp1~(01*tCx z_YsmuFlLZY6GX+u>(aZl3;YtLCD#{0{foU#3wBH4Om9QsdWK(maxqE@E2bVgR z=yTsy>b~7%Od|5KDerbgwK<+&`sCS zi{&}LIQ=m+i%wbevhx$F_9BS`+Kg)R<;Y9lT1aww&z!{AmxEsxv4+(s{6Ff;2LZ{+ znZA6;clST^<jR?lww??tqNlFA@u5a|4F)pT!u`%u}y$__dI*gcXBpv?$V zsAD;iz}B?hEN;*$+;{syWDj>;ml9uxZlxO1n>x9_{7))hWl;$oKSbdG2TV(pvRHg} z@)Vnm07mT$+GqVvNkK)kRF6E}{>RpvNp~ip$C>7kgT)A?RcS(ZVsy(lwiGb$SlyW5 z2P5Dms-*Bbo5qhHY#8BUuCb5^Z4`sM4HzZ2tnWBR(z{DMr!v>o{u=d0e~O=;oaW?q z-JZ+*JqK_@K7g@I_>EYuS(a*uM{IXVmOe8n!b%;Ys*dv3xBN1iVIK31%VzP%D>G0^ zJA5mKUDgNV3`#c60cM}+UfbpI>7Hpx=dRGYv^~avNGGL=cU<_dBG0FKrdH2J2Cj$t z0kEfA{eqOSdE_IhrU}pfWWnbLtBlm)1Xp{mN_Su!@uO52D-j`}m4C|so2EuODd)3B z7s#QfDA6(DIh<>>1Ftdt(k4$HTQ{HfOD5I(#8}T)sEmvR!QAQXar?2o2JbWgG@3ZK ze93qm3S#wiTSfIzm-XGsUD(zO_RF|jE@wba_D7pj05ArZ-%(f9HP!<*l(pcJ24wp+7)Y*>`dg_+Ap*P zr`leY*g3xqfRNeItBmT|E1dM2GR~~FSV$+iEL)#SeBnAM zhu1bYt*zLQ6!OxED&=$hNhd=JqtWfN`D6Ndu&Phi#_UUJ0Jq{c(@skP5JA1?4xQH| zmZH-ak4AiUib3gP>lvC_6Bhd>vpL+phdvLJkiWOIYpUXIkIpy)x$t2y=Bhy-F06KEYO~;k) z3Agb|ySr;$l8xF|g$z=lXB2bg-SUtU_@^}Ai=Z=6twqqb?}>6TAZ$|qOXOS}(tJ64 z6gZ})hez$v9llsFIuuTC2m+TzwYg}TH>{*WAkk78h&28mr%FVxsVAnFO z`P69sQ^mI+_+_IhTuU2Jm(ynecwv)WA*wAC-J)>k9m2L`(D*q0XBv9zC3R@J1yQ)# z>OVx0H>W9YLX0|AtO3s$cEted*qQ-^L+qRVzQr_*Ym(#Wjgx5iWd6A7+;uw*7B|P2 z0c%2&d>1aSoA&6g4cRg~N>zDwNOj(EUj=5Xi1wnYJQ;8MU|z=1@DJl?32v>&Mt*l3yzL z?sNP1iSA{Rj~59Rh>*}z_vf&~HBX?LD19^qV&{97>bo%FJg+;%uq~n~FPhTp?s9ar zE!0%A7(Ub-!hgrKV@j2*FPy$d=WqPH@MT7Gv&<}yZLlGgsEz;$vZN9i;z$Zs)zd6!j*a$*H4M`*Fh|#w@UL(q}C-oAM-d=v|6({X=n}cr)+LY|nG< z)Qukswjv4Msog*eQSOU$Nhto(J}Xr`TvLAvGi!u2PwSboO0Dn0X=JV?OXWsC?Q!~c zQsdnEXi-Gqt0WmJYm()n=)z%H7We7DlRmG#-J&|%_m$EMzJKm}DZ1&((Z<=O#2S_u zL2&dNO`eD=^53>+zbbn@zOp<|lTBe39xj?8@wDR?58$#E2)Ms5?&7@$I$e49OE~7A z%G%G}47ATfCia`BZfA7=(v&s7ie&8tX>%?GbE>Q((r^|TLP|tq73y8(h*y_d^RJ33 z3yLah+Zv0y$R{rT;E-k#UUEr)ZpbL6>|l`Lh6j-!(8}JO)1hic2_1E}f+4H)S?d3r z#YO<9uoc%|I{{B#0(E^DKj|bPM9+wKnhHSfy$**hSWp74ZfnfjY;I5e_Xh2&=1%;Y zI*)B3@sc%~Xh*xb_k|G%fah+~ZqAyh`XyAT+J5UIm_elDE?nk#E@M77yn0)x{^&~k zohiwH%hxq{=5tSUZH))!}Y6O`;`JN|ms`sDBtQ!)#SLzORES^%R8htI>U z(dVm|?rg?;0igROfNC+ybz_VZez+IP=CQ8V;mQGpt<5jCVSk)C=BNwQnsaGy`@IWR z;zfKm2q8K-=P5ZTU!>>-;>VX<$YB4iWGR_5Rx|ISD%I4H@E)vHT4Z z$cE42T4l2-J-Yg6d#5!0a9}7d&#`uu0mJTUSzW|4?S6)=Z4vX;51lmfygej3T?^gC z?x+{k4Kh17y^N2syNQq?8mv}eZU@OS zJ>E(*trFl&*}k3~IanBT3O#-;Wev>AZ|^tHh^ejDJP1T_An=rFV{|%}4?&#}pZ}dK=W;|*8 zz-IIkf}a-;a)GE`GvT-Kgs^G^W?WB^&^0zn(w1Ob{m+Zstbjah>t(@EFH<~ z`()L8Ilm~;ra8@K$}=q@!-uW!#m})ql*4NEAiKpdzo}`B7xWm%2TG$273|I3`M}^z zkdKJaH}$FO7f1wq)$*t81YA}_+88^8yQ|HdugU1mH>#X+OnL`vTzNnvyV`;uNFCPS zC^0mK54?PG$>y?TE;De|BWMF_OufAU%=JUM+^J?@Y8{aQ^f}Xp(+Ko#@>6imz7grC zoOb3F#_U(E`w1C{ptXu+L)x+&cw-Mnx!xDsmfWH|6jRQkcHn#rOejUK?nJv@Sygi5_#_BhyF&b_noyP>=YR_0eQ)>VT$@%mgO)IbCI@|*2 z4SVOI_R)WnfQ5}+u5i5n${S}`B(n?d$}j4bEUI0&EfBiZl7YAco{ui5R*tW_OGoh%-9yuwVGSc`Hp8NBYE*ePtgIrFsU*2%q7 zSkq%$&k48_t8>3FZ*hD=oAy<2u{h(Jh0;Ly4@%Gz(6R|#yHKSu*CH;>+yEDEo0lV@u6PT3o=N@h%Qs(4(yzTZ*Wv_Al7PM$MjfiV}q=Jt`g6y;8@y5KFa z)%(x;(~5{j5^}a@=HL3C`Gp!e;dJNn0oq}(pLXg`+t*`oEPUpd3Om2>Tg%HM20xZz zN%j>ls~4~88wf%ty;3@sYjF?Gg3%Iz@N4rcS$=RecmHOtvx$ZS$_8>FepjqP~Ev$ zStzv+X+teUDa~Z(+aLAYi6$i2N9&b#h<8Ws+Vwr7Ud}j%SEV z+_(P*qnXC#48X#hv!GZ@aW}Zr)w)X+yoboqck2MD4~;J?4vU<1Ab_mK-N_z!r0U!o z>9z*wHTx&*D-3_7`k1F*w}sFruxe%;?jGn zwHop!htPRCAsatZTl>vtzhu?1YrDNxWP3+)f8BOnwyO~kD41wsujayu9nme?8NH$* zrh~;lA1yTI9Mz2a9c>RvtOjMM&0QkRN<(YAZ4AmP!|{((2x#~rgC&DWYfv%Y+}AkT z&77X62w9)5>z8IXi8{@lIvL~P7_MGDm1 zDK=J6{NrLf6X=(0lKB*DyYPw!%89*dqbR{q>ZDlC`&Sw8a+p?w9VTnB^4m%sVq^B1 zWM>!?n+wkcikRAs8rRmq)}@{dixmgY%c@VVK!4Sk72Sb5w0yiKpX%pS7XMq( z5lGr$k9SqK=BGy=qT7GsFI*c_V=#zYcNmG@j(j5ksUdQ>dT^uq9*6jZ53hEdvX zpi$Gc=}I<}B6{hgjJWeb=yyXQDd+j(k_;gxH}3+M_IP5ON&)eU99O*zx!j!A9p7Q; z>}&+3S3{380OQpl9aMnR_U$LNFm(7^O;VwWJ8n`yuX=Ivg2URQ>K>c=U}Q6F;6?4F zj=C4d#n_irqw9Xt-)G*}3f0?6h|%Ci%hi)T_dXR58rsd_%zc4gp|K$voSTikD!Z60 za$(BLL}9&sw@{%WW6~5^bq_2zzk_nClN_3bKwCc)?-|++mTIVJ`CheGL>rev4@?EY z`Uze7_ryQky(dY^-fCD=$v1HNfyv~`VzQ5dO}$Btn_x@$F>z0z#WVR?d|H&gOUKRa zE+A#b?Ym_05*GkMcNjA#JJuXHtt5}P@cDR7Y+UOhJO`d;R0J5+z*Xm$|{1eXmwY4Z~;r*l29NLIXF4{+i>b*IvMgVS8tH;c&HF zh1I+9%kIuC<{xaw0Co4;Vww+Q-{Xt=$9lxc>%``7!?r7HYWmA@OfzcZzn15^el6py zzb3y4bnMU3yz<;W=~^UME;)wv+o_y$ivoEJMJ2v)XFr?}hZ4UH@O(ttfY`Kg16O?R zo|fE0mkB%U#O$UbO|EOAnKq@D0Nf!Fzh8#3LjHR>ws!q(GAtYJrgJ5g(hK@Q_80|{TW^)IY#P0R*b&wK!d$8l{)NjK0>2uk)KpmMcgGD}=9BgvNmCy8+8AM;I zV|M}UO;}i@=3jLA3mr_$3+KsieGiHT6fu#0sh9k5{ER-{zf%eGhhzfK(?BX=4%+-G zCQS5Ub4d`NX*gL5kn(x^kF@ziz}Vj52v|vl8aYE#s+8VL?NbUi2HCYHI43 zv(mE$X$9vKj=!vScJBDM`n>hahTmRL3JlTei!TUU}|))AdZU)GT{hI!&qwKvDx{g>Jr$ z9=AyOTylPB_++guf40yq9U|z8mDR6-xPBn~bjB!EI+o65-2#OH1haY^9YfN?25uYm zeKB6*qFWW4$7Ep_pKH57rTt~}uNqQvFun9aOy5kT3VXh%;fze34<^yBfL$e1yWefV zj&1X1=`D=M{)9)cMTA@lm_gsl5!K4bJCQ64Z4}XzH8hOZB$#k+qbLna$2 zY4$P|ARilcMVMIl?+)4J>^{_Q-AIbkCCc%jd8=eMrxlx0s}p79x16&+y;Adm+&T`I z&vC1(fWGXY^qM|OTTIK{uY7tU;O)@nx5z^D$&>mYnwK@Uw=Q^-DQ{@g=Dz%$iUGRE zUVweUzGuPVA7btYV+uDWbSgA(0YdNo%R+5=EdNTS>fF8MIn1pRHdp83uk`ytqQ#pj zI-#Obi~YjY!P46cwb%hDb<%^SgEbfU!}?hc3sL%=Cn(Ob{3M?8s~*=o>NE$x3BOcaHWIB zyCho9s2d%{k%8pjRqRthDM(1x3T+MfQIBh#p+qrDrPAt&51pqLmp`PUq0#5D>S z1sMt*eBK9Mj7LxhH%yYVv1QZ`Obt?3H{Eo~Q(x@bTHFRfl7{CRF0vXODn?`Uj0A34 z>d(y!U@LmniW|Kb=kq+o<&P4%XGhGiV#A)<%UKBWh`dPsUIHPfIViFxPwZG_xORaLM15n-#R&SyU%+Y_lYGy9;Yf}1v|$|KHB9=sxZKqUg`ByO`#O4mkmbKOR~~r-6UW z)-?=_8rzwGZxju^&a!UZFjAjliJiIdHcFdR9?&x+fK2i`2S#5QXyi8AX?OZ2xBodN z{tt#m9PKU8R3YleX_H*-25sdO-0$)UhV4;4Tlo8-(KO!5%%QQmKiHWK6go_AcVzW^ z&kG#!M7B>~+zJZ(TFp$5(`e-5x)4DJI7grKiZE#g3uAdB7>hf+W0>U0lFSph=b90K zceI~E^h&gPq+)qLH*`Q7j=Lq~D>EmM#xM9OgtajrP1HRlSWmTmplSob`SpU>=G7j09r>%PI zAVGTHl3)3-uo-nN75EiQq82RozQAf;3NlzR?Jyq0mks4iy|!kwyZo3a!*O!;(j%kW z0QlScK{cT;p*r=jbNH$zeuuaTTSAm;!N zUV*-6%^o*w7vIozRd#u5`d)e@Dz7E;cp8%gSk@JNt}E&$s01oaBlRa}X=L{-1ILYA z#mg6L^BWzd6$q*L-cgRkCsA)I7ZQtya|>PZQ!x+sh7~YP8H(&q_m49`a{W1-7yf{2 z{;~Cbe;5@bjpm-pJ&aKOVYh~j`jDye=hxpxeE3UTB=gkkJn1A*OhmIwJlu@%nr8UU z+Y6*FOwvLn9+mv$ZCfnx4zf^E>gDD@%M8b)NlM{FhM1*YT{si9IoLducJ1`&U8fP# z>S0yS+JL+gz-4)Wj=i8M;~7|a=EHe3kk292#GhvGeJoSa>Kan1gJ&IO4Hwp*?f(dN z{fqwAXpr&_bTgiV1^f24DG&{zBaeNAMnw$b2ZCs5?3CX_xxN=SXBqZ?oX(KRD`YL$ zeJEzhO%5HfDl~8j$pMJ;sXOXk=cwZ%f*a^H3O7*A;-%H@vpdNtLj(eU+e`G}y!NtoPjd)l{}d&h1fjmMZNBmL$7 zyP5bJ>D#QRjj~T;y^p=b-9N8b8y%Kf{#xq!$L5^nJaebpEGrdWew)T~kHwW;$+Si! z-CwiuYT0Jk95%?h;Q2t~6%4nj%Pl6!1nxXOU;35tBANc7@=_d-vs$8@z}=`SG=)k% z+H8slC+5XweVERcSjY>E@D0*so7V|bKDdo&W-$De^YkU)n06m|;d(h;Vjr{SfpGjB z%MC$L(JvZR!so^F^xq_3wBcc~YYHve)cXuPI>TYh>1UFr1 zMEk5VnAEyCx;#<;{q$su4c}!`ZJwo#k32d(r1d(~mj-)4WcoyI16gKrgfWNv5$KthI?* zc6&U+??h;B?%{9uy3L_vEzQI@f^JFv&8^MU8<#`qGvPVDsZ4%_*O$r7y8Lqjl-(L5 zIZ|N3FT+zMWm{8+9^=}SsB{@k=pRu#C{g9LqP!pU2W+-KVtHk0L7=p6qWj66WE(dG zNKNjxK0-CT$eSt(BhEQ1~QessGXOne* zBMID4D;FL|9o7)N%z$b~GBeE9FFJLfraqa<)m}ySi508yr}&cpC_MhsdP#bfHX~5< z$aFz>epSL|GzB0$KIo@wvS(m+d@v6d^W_q z@hKh|(VGja!YW+TY)osrpWhCi+<8v${)cLA$?MEvdLJ@+9W?!&@11mGhGa5l7tP+4z&_yn9+bZRsH8Sn>bvUgxCxZF}>Ft>DMM zo_hlnMHt=kC%aP|kU1L!hISTn<{_(HLhfL4t^t-L}{tk-SbW*(`51x8#~Ji5+q10LjFX;+67b1GogjJ(8>PVDH(_Z;}4Ddl1(;PdS2vq>g3SZqDYmriGyMpVZJHPe!z(f7F_ z8sbZMF_blu;5K?gShCyZdBOPv=uPle-cJfnL2?7QFjt=D9U88uxuFrlput=fJioHk zyk^!9<>b9=6z)35YM!E?J%Mx76T(qv`%B1_!t1z?(rf6~i-V~LZ&s{1d~hRP2LnUW zI|1^cF+iOM9yKXG6Z2{nuKdz_O*Te zyq5lyC-vLFR`KABUEE0B|F*pF-^*Kp2$KHCH*?6|HXaAN5eCKhJd~j5!p`qZD<5$@ zuY;#)Y#OQMDcN9L3$H`2dDAM}htQ>6WOl`5I$)So?ce(;2N%R_c0;HR0?+zf2 zx<#_lINBCgQ(QC$2VVUfo&Ss9QL*-INEj{vVeU+a_u8 z+)Sv_kYGyo=qp2@UvuVwGhppY9%me;RGZctoHVnrlvlp|xyQ76?Wa6jq~RRa6kfgD z&0hV$^|S{|Nc8CLslUP#v@hKFimW*wHVTO6i?yOW&bZWHUOnzmikui^suiR%9=XLhM=`^8UF-vZv=MTt3&15s}sZ4GMchJV?;nf+n+ z_I5caf|&vhRVY?evxuQKrCX2T&kbQ+YUMWF=@{_0y+v*pISIth@k2ateL~)w8CFUw ziMkqss{}O$6)>Jpx$ZWT^YA9db75x(Oon24(x9$t5cc3IT>>+3)w-V?Y@K{o2wzX1 za;$xHD!XUhKgmdCHQ@ms-#c>16+Ll#ypw(3JYTmW3~&q4yzsvn7kYg7y_6;-bAPgu zUXUe*0SNp?3d3DNSy(ak7pe$aSAx=kKfCl1r-V9%?+ojgXn8rp55*{UQ%cvJKLTb$ z%mlQK&*Ej7oUcSu#;9l5()n9=wkU#ae><%MRvNGo8awkCkjBbEM!tbg)eMk0$O`@c zWwYk(#of|%i=#8Peq6kh}VRorPr@* zuh%*OyYCfYH3@6pCn7Fn7bhyL!3E3I>c0633-_XyldZ=0OvDl`go>$i?+2^TWh9`Y)C^lt1TDJShZD?9{6y z!d{9e^LYD=Rm#;;WR0zVMMch0pDYtbLz5a@D0+m=K`#?W?BK`tMzH1a=s(%We{+@p zYwjFeSDA)8UU$4wC#>ssIZ~JO!hN| zX7r5Axu$}73ieIuJXb+2q_OHrt>Rp4EM^(Qn@mf?&+SA=>HQA)RGwY+t(LEliC6WI ze6tjzSZAisKG3m}%TXs0hPR5jg|z>;obx4dRk5)aC2pIi;xZe*(xMI?0O_5i^o@h2 zd1>z`e;)n4UUJ?`U%b|qGFBX{y4(kYAAzNEQ_+RDCy7gi!}Bu}C3`#B&gr&D_r0(+ zJ^u!$|Luv;B+DAKYF(oj@O1cdz3%b>$cj^vrJs=O{J(6wV01L%l#X=9T&pvZkA*k} zuN<5eI9^+Emj2maiA#85zYePE3E{?^LJn4D-=dRUhn}PJdh8{69DV+=Fw;f|D~?L~ zAoG@43_xkg4AHutiaZ z2rFV;`b$$N?kFmc;cwTjx;J6Ht!c2lG;Ah6Hk;U%!6b}Tf$#Lr@9LgoLF_dFPI0|J z*^~A6`ApB$99OxFqbjH#m9<`s_18h&2BA&;OmIWyqwCwV`S zlJ`>C_UzBK9?)1zbP59*Kj$?6fWc@lJwl!gDdx+UucIb$dTqPjtPHzus1o%@eoPz2of~ zd$ZLwM>4Xp%#4Innj7)PJc5FC5Nh_9zf6#Mw=g-+!WB1C+7w)S>Y`PV*UV0izIlS3 zPzk@h9Z?@X*oN#|kIL&7ZUcjlbT~{$uF-`PqD*D!xYQO<9{g`cuMXx#XPWP0kHhcy&ynumYUHi3QOPs54i$yIME#E076HJ|N~ z>$XYj*bR6Q@ljLq`qp_TmnUhdzJNgE=jXGW+OsV2frp<9Vb=KGTA?Nqeb)Zzij%6& z*5XmFd@<`J!!``WPbQ-JWVirzVy~g&4$hvOa9g61J9gyaN&R<6zCSxnFr76&fKh7` z#w-53KOY1D_Izs}YU)*)yI^IsPF(egdoKUzF-W#qFhDFqiB(SGjD#&<~iPs zx+RFnErt!GVyoVq?_s$lo37=)sqlZ8d(Wt*w!L3i6a_3)0i{DIQX@)lk=_KP3DTmV zf>a^&Dn&X3jPzclOHoj2K*u17d&WltPiJST0;#s?5Fgzn zc;hqtYTA0<7x_KI@H%$rhqSuQ_!&G*fV@!Yg=mo(`khTUE%ICI^Y@9>#bFS|T*M_LWw!PXitPpew9e0bFm^}V zXHp+3L#LRVllLF(cu8oTiXoF>^PRwO;Ap4RuIl>05W-usW!}5`Q6^;`_T4TL1P;M( z$<9xsd1irTs{b0xz(X0K$)jx3`AztYy|b>Vg^ZnQpZc;F|<*~Oz!NLes~+_Qb8=oWmPk5hf zVKe$dwSP0KJ$|FV;5yKIJUH;xo?<=bIgre%n>6f!A>Z~bg$o4E_m;AJ^Y(+10d`{;o}*VM4wNOa%`?>+SQ$O$?mwbeY4vx7Pctv z72!bx()am-XF8ARGww~-@}yzi&g9|LX?p9$YV zSRa#}x9C~QrbgJzg&5lnX{g;><6=#9tUa0Zr>B0=zx9m%?k>?O0hf6E)JwOq-?1CC zgc!|F0OD`1aCxxGCt|s!AOt+8XlOwi684wcLL9QbofAh1-KF}~9Ql*VxgxEr6%(Bx z$Og)fTWNt{5ilxS%*U$g7xgnh0Mlp4?h`6mKvw<9btb?e&#|jnh0n)YZ#uW=zEuI; z|Dm=J{JYvh57bI%QKn?{0&*lP*a^4`fi_k+)De>!)ISMz6D?T^s%N@x=P2WaYA`?w^fPu#pV@!u|aHd@SnH$Zvl=VMKh*d?O{V%C@s5!}4)jjYMf5{;JNbsk zv=F$dE5^=vy6eo=L3i!&vCh_!b-)iJ7o#DV*GdJ)F|6d*%k=M}V&L|9yTy+S!F3zaA9}K!L9i0iKygDo+Vph-p zd`&>JLGmopA5mar5pXL+Z`ZBLh%i;H!!xdBWW#+IQdTn;Uww!R!FS2$b1lfqXkYF; zGiXKh*ON;Ral0?4`^rgs>0a0UaJGw$L$<~3PtXZ!6b??!1UmK58Gj!0LRLs_PtnJl@HWU}Kl{JgQzvZw+n!ntowV$U9u!~oI>XGv zMOWC_82EwZsATZ}bdc2UA$U7QNClYB^?)Zek7|&LmKD!NQ=(erg)!H%? zoU1*cD;^8;0hsJ4Y>ItU5~6<#E|wV`)ykFO%d`wV8JF|xz}3+Pbx*B+cW7@J?mv|@ zW877$Kfso&oNYwnPO&Wks}1Elml`jZj@qdNlX~&u_J)eN?XBuXPXZI~HVEvYx2TFs z>*e@rFl^Uex2z1#v;l5EhV@X7GnXw9K-+5NYeh@;1@m{*@pds&lMH;fzUiIi;h46M z(Lg|)A73wHjp=uI;_XYUu0vc2!UqS3}% z^`9}OM}XyC_{`{QnndtvY3|Hu(i*O`NQ%pPI?fE?Hcd})g50YGr<=h6OK;AlbQ{f@ zQF`7@$Fm04QpAwar_Ctg3l8k4w*INjX$PGAZp5dRV_F2%n8G7Y1XPBCcmG+;_u z;slt0r&CI?x4wH3d!=CmgNtFZMkTD{JwRpFUJF-DjDU9li%}<^X(DuCXW}uc%xtJ~ zL{bJYp2!#CS3pkWAyb(ZU*@kbz~tq^&hF9+79X=wYb-6a=n_{Lq~jd*f&k z{Y;r?5>CO02Y>|$-irF8*a^L7d@`^wK_3lQhI&=HCY+Gm!yx?2$Lb$khm09NZ@`Sc zS#NRLJDX8>cJZS@a3kemy}JX@zukP~+$_u`al-cy>Rct}u};NRlq?p=vbV7Z=FIL2 ze;2w$xy|CbBg7t)6)jP@q=1A&j)XKJ$JsaHLZz;CN;NEngUBXDpQluLb$UOqjYhw7 z=I3RvF#R-Bl-sW=Cyr0E5dC6}EEKXr-XMyGYWvS7OIqwrRK9*z(nDj{L}zH+reJzAp3d3eX<^ ztjHM|obW;}40PnyOceE@BKS<|E!`WsFH%lxhx{~#mt%WiXJHUi&u4*U772Z67PEpO zV_ut`rZ3>+H}+=Emd)I`1?u-5zW7yDu61>{r`OpU)PB8*;vpOhCX`zPe57K1{b+4F zY}5WBUr{2riU7)d3ahE$U;lCME``cWl+(q{=DZaQzp!^e<@6#{#`{RPjw@&&A*K3D7+5~nY6b;}R;CeN_5t}ca>5+$% zq8Y6*WM**M86UxPrUTonXHVVjO1 zfrdobMyF*uIMn^4>lRHrgX7~^=V0gTsgjSbyh{mYj&}Ecs=p?Rbz;W7He+%Ri`dl~p72wRx z40Do*-ApkQPy6|4CS9_)S2dc}#7R-=_-n+M^$+8v-`iikUV>`_Q7P5PU90vd&5>Tw zQAOm<=xg4oKZcUE=4eR;a(_DB%xhJRYGpfhznfM{e6)MK<#%h^V!gCMX+OEnaz|qN zq+fEr8z4E>c=p}AK-F0VV{=n88nVD0pMCYi(bMJ*UtERtjv9oSx?$|X^txW8C^Pz5 zYddX1Po&%%%SAPR9IuaxUgvruAa+*26Ou!wZTuf_#rU+)Uj(>dPx)%D$t}kJ(oB0y z$mxG?le&^^*6||0Ht>D}KK+ z>Cv}D3fJ~k%yvPTaI$x}fkNbglJ6Spgua%^oynUNi;p#!yAaE9%*cN+>CLmOgoC7{ zgj#ixH-*#gw{oJtW-dQzUVB|7k_iaL#8=m=6jY+C|AtM*;Ja<)G7XES$^Ohcf4Is3*5`?$|; zJ|`{CL?z$jDDRj@R-}LEU_3Q!6&ksAFFfZ}g_Y&R_y_tAPcwNF%j< zyhu&h+G(`xX2mFvaVu_pv-nj}WG}~T;YuTuH(zP3?@LEOb=&gl+gc$rw_%9+MxtZI z(^@0gYiCMR0k*#0l+r+{)oPF$=W4Ob`Dy224O%WHn4x1_Uby$!>7nDwAQ#>sn%YKo zYSPgr>GElTv(t>!YS$yp_P|Pz|4VcTB%P5t3Y+_2kx=kR&nD<)Tc^26nYd5BrXyCh zT>&o6>GzEDY`3}{r`+ZihWWG^pVD$^y;R>iEH&`V(b79j^Mc9Krt>>{aq(bV;Luci z?nmwka67$pu|5iOA*U(RG`I}PPkpJkpO(LrY<@dvprbQ{D}UTKULodfB>kZ&13E-E zVm&Is_<5(8d*hEQ!@OnJqK5lw3KA0#oRj0N38rb9v0kjZx+lpIim=nsy#-$~Bg88M zl276U@L^u@R-N;o+S8n$*Grz9Dx5!UR5<@bHP4xPujb-pH19h&WNlWWk#{R^-AYU9 z^d#WbBi~)9y61I*tr;+qVVO&gb3u|gA=SHpit)wvK^=}-G_Tl4eDx=oHr1^ClH>NA zat6;q#gDNRkt3t!p*HD%$fS&}`F}cjLZmH*FJ!1N za3HHgz`5EjuX1_*MX2YGrT__shad=JNf~h%^X~PDC9X$CU(?B&vR2Gl zmAHIz%Ne5!H*Dn%+3(aN_B8K^J)Y0UPOMysl^KtfZ-~t?XZ285jEYr{8hlG<5H$r~ z^4M<>{i-Ir>qR&c7d|y=;NMaweGK+k{%VXu2j^hmxYDX`(dy! z#ptur6A#D=h3!gQM)m42V!WNR&Z%OlAYNuQ;)m>N!fg$F*`s&G{}V2&^L_sh8p|19 z&2ObRq3z{jlk(O6XEIB^z!Ss*>b=1lG57U%N2+A-*b3~VR7}i zHH!00ErWYtWWAW|&iMN2oizIz$5_d;9l*VhhUkMo zU`YiCb8ldnUcqtUX4KqlDkp3&NEF5b(Gz?A)hMD?is|`KE zKQHU~%{h6*6VOZ~Fz4DR&Zrvb`0ASwNIu`Fc1Nu)hco2^PD8wTECdetzF69)?;n_$ z#%K2XtJjf4>n3pQZgE-r>av*$#wmMd1F#4JM;DurNqaud$^f?WF_X7YDKZ^#Bd2;7 zQ4C1|rAoOU`jAnxrk<-_FpmJrMViP~T4OPaiKWtnBAxTolfZ!ftbSjOuW>`iaR6C2 z+WkEy05KS?!BxbXpQpQn9Z3%#k8voK+{*5rKXP8Y^+D6MwZxl~-F)T(TuPe{CT9p_ z*rkw*-!BuC>DVgT8$T~>oiD#|a6R|k&b0HJIpJ0IX7T44{C$$AL2{6jQ?mI(uGEJ; z2}b6Fi67e;IQ%qlantQ8n#r~=;0q}NrZ0NYttQ4&x6|w=W4y7G%Z@!wcTwL3EiT_R zm=j3DE*JsB0OkiVlJwyp`+nVGzidKd;>r+U6VjOfZ2R>enXGtY=I;WN)2d{IQVLV- zu>^)7l(=I!V?FzZRLLB5C)AtcB&l1=)x15Q$oy3Y!N}ui@|+VRU=sMhGPYMJoWm^_ zxM_F#x8wY3v=HO$1;OP6P8F)j&)+X42aL&w!E-JzDuIFQ14Y7b!y%l38MWf2?kf&Eo7E0?33nm7M^Z3u4VafqdzQB; zbezM~vhI6wUCR=$-NP<14o+Rb+Xqn0duPLTW|aDT%y0(CR6ozv+O&%p>0)^4d*Wo`2I_s(QwPvo4=SH|NH636E~ClS%oY)fmCAcKUZnA6gF`Z@J;WzGQB)4W!Gc+t=Nyz5ClgkQYiC0uBO$f=e^0#ji!jiYY__ zaFmthT%l@(8jT$c3yQas$j>PP9>ko=zKa6cC#*%xy#)e-8#$< zUYpNPUW?VPDz8vhat^o9bC~E_*QEmFS<5`4-X%fe%9EbBOvQm_GLxS@)ulYjZfB;4 z5#$MH<|yZOTU2~}sBr>xBOE;i7a~YIVN?l?H%idiR0d4El2|9%gm#|K-i2k}Ek(?0 zpxtiRtUOaIDx?8u6X!zZsJ8F5m=hL--t#&hSXi%swr93G5O=uG`@PDXX6QU)UxY2* z8Xqmm&#(`ku#V$5uhah=)pvJy*{ZASEz4}w@z1)6vvLayfVmYuoJaG>-G5eM@KK#x z1im+T=HsH`sAg=;HtQp`h7jYUXo#8jb$cM&$E%DRWp!vNv^*<(U;y-u@ooPazuJ=O zJcMp*wTx@+>OQ=DSCg|5Cu2&6oiPY*v5}v-KW`(ro1?8bAOuO_B%Ss_~Lci-*PPCu_9AxJ@~k4zj%CY z>j)%E%}%|Y5YN$f-F2~9nf+YrTtu2lq-RGMskZ$QcZg?Gg15IvPXW%5x6D~pKNPTs zxS_3;}+a}i`a5(HaVq0j%mz1BlG$#?AiaDCOs5V!Vitq{>yp}3ZXJd=d} zMO}mOGUY}?za+Hz{Gv#>z}+#f%3DR>a)|G#gKG@&PN*815N_09X&7@NwJM)`IZ9WiO^zvG)%5wa|VbC(+IFC1>iVQsb z-mpFL;yL+VY5jg`!0ovFS1oRB9tqcrQeV04LAE0OrX3yd^ei9Mhic2az~V3Bfov)G0yNY5_j>1 z8Zs^t@ijZk8?l!$vPE#@>^bwCzKmIFaTi}WIW+8L}XDC+vUxhSXql9onn^`I0zp-=!iSOBu zb-gnxiIoEIyeecNVf8Mm7ll0rJM+X-c}53JPHjxnBaBwu^&~YSm}dP3Ar-so!$T%s zO3Joo@`7vm^#X#ul$3h%R(vxhbk72bZGx(nY~Rvep!kcXtN0iztBKkLKxNnxVFRCg zdJJGEfZN4aTV$SQ{BVoRD62FP94FHhm)e_xX5x#7KwlgMT%R!EOI|Pgh5*f`rG*xpsRoS%6PM=59Pvd<9V}p2 zV@ZwGnsPGK%HIdQQhqNB=3#+fn&P zZ$EPSt}tf$3;t@>kL(YE&L%c+|K+drUk@GXY#YNts%F}=qlB}X^cr`yNDl$)@Q*F2 z$|f8qe>@`e`jzzCEvOPcOhF~!(tPV#ej-7f79A@Ywgz{cPLYD@_#!XkJfY}}xW=e8O=~l%HLRoQTojfr?&wj!X3-9rA@ePQGf7J9W?F6} zr%#8y68&rFpbP~5955uBb&D+Q33J1v)JW0Yh}fN@mHzpZiX3%=G1uf$U1trhZ@ptK z2Z_aA{VSr%Glq{#FPaa^M6^x)ST16#jeAGQUCbIVkb6fn-2E+7xTY_;xOFLvW%!-? zG6onR%@?f$R-)#1tCx)qBxFo&Jcd@6+a<%^2H#I0hQfLTy&|y-!vPGJ#5dCv7!6GO-s>nc-w{96q)~<0@og=n-bvgA_JGa#ZElJT}I3|;2a1%K^cJXEe zV%^Md{(bd+xXmyU879-<)mnG~UbJ~Te7K#(hc(r#t?;GK@qRQwvuFQVb2b+s^?EbY z$2DT{tStDg#Pf}b*<7(ws?8yfr3qNVrum@4zy)3vGrzinJe246r01!EeGu5=9;xB` zgZOiz1@Fl9B`ZGzn#?HX&oc-d$C715yTJE003`DuX0+*Av<%deu%{=}l6?Yc)s0N;h{oj4N(0rMy{|@(EZYqUL0daSkLvRpG(3 zU&7I{N)e*=X;*9)6_H_!;bG3f=!|G*tcAql7T~6Uq3pJSZ`)L(l&1LTm7Nx=nIbLz z)je;F0pE4I!doH9AZFNm`s6F+-mr5yCS6}bHCa|QWHp1_!_0&h+lc&*ctmY_!}H@@HrztBWi6hNfTLQl7ir z3jG)AqBm#iPb<r>TdqN)l zw>q4G0q@CEQ$?9K^R^#d!Fhn?_A|l0NsDN)rO*p_E5|tXDd%p+Rp-XzaN(zUrD2t# z5)BVcn7=nVWH_7u2>lvQwf*4LD9Ngje1{D&d;SX`LkqJf4yu+vn31MoEPqfjMpjz7 zc-fdl;eM#`n`a3|*`f13pg#t^Mlo1&YYl*bDqF-ewtD%;>A_TCU)87H*6bSGNE!nH zna)y^Za;td*Ng^D$xWeF5<7CKWuT&(KHJVIBH!+qF|p<4nAKhnPH~8k{8^Lng0+4+ zW~w@wX72FB4L>x~GkVYD0cUdCeH1ov{HRB0IPwcgGz^`3S8S2gX(dtcgy=p6z9M7G zc8vlLAIGgndB7biR)cp^uKDRtoHqYjy#G?(rx0U+LGe*-HSaGsd!;BL<|mKOXJP^e zcTda*ifHnB5EF7DNIe&TJJz%Adq3iqguYsYjY+kPdW(z1<|@m0dz5oSV9q0!rNXXD z3vxpFG7=l1YvU!HOHIsQ5^n6y7Xuh|y?59ieP#D@&U9_@n_;vxn5AsGmFs2R9~RMj z6P*3r(>k3nE0|E5NtCX%TRs53Tky%LeC*0(OccWkV5?=`$(_waSnn|ep1USy2vnm5Oy_X}xt@j( zc>%pH@*dJjheOW%G=?2ww!TFJQl8S8lhSyTizINWiswo1Y))2(c&`lgJflt5F7mLi z9om2GT($bmrUc-UH0rB@-;j?-{QP)K%Hd;yGg+ z1w^W*mM4O-9l;G~d)ZrSK>adk5j`28J0r$VdUQHR#BM$r(8^#wCqu+++C!$sWe?yB zhD)iIYDZb+L#Q1Q#}&Y6tG$btPg4Bz*S@%l&p$k%jwlv`Cbl1xOR0pPPRCM&-QP^( z^IFr!W0SC3myR}RAy97Lq*AiQZx8SyO+TAsncH1NPeHij-59;XJQ}Xy-h|Sc*X0v7 zKhvv65kN=c_D{|6Hs2%t-c`StY|s6~1~H9m=6ae)-P_}6zzm~#=Ua>@3ZY;tA4(4} z^}ZDP)-FB7MgFm`5y#S*A%~C~k4zT3T^iZA`jRvsP6^Hd$Pw`MYEeML_sA>V8-ZAQ z{C#38-Wrc>acmV9rQwoHcf*qC(1Ok^7k?fz@n}{u92`jQoF1NpK(u4*{HhMX=7BEb zMaoECh9S5$x`QMXh$CezFL%8>zlAB&ZZQ()8<h|4b(O$nGBJLf_vG^R`IzOE_A`YmNOeXHJ2t!@RB3EXqfSHyQ z=;$sR9f02yY}xBbU?{oSnRQa)(c-}KnU@TGbUxb9+Yn(4*ds1Q{-IC6Btqh9J7T~; zxvk3p8uSJ4|;k6UgywJtLPzS{~qEPLC>k50;G1~MG=1VA!MoX-Hm*|_oT&1gu zUx=i^iLZJIbj?PG6Q|U{3_d%vyq!R<&TvFwdz3;vL=R5fDC#f30(|ApK+U5d<)6jA z3+jAwzLR>)%%em^8w<&T(g4*%b6iy6oQen@L{H5&OQyj?SjrgUNXKMQjpIu*90Qs5 zcXd9q(+|Gt^O0rO89=`5uS;q*h_H6cCeLSFqs{PAbJiGNV{@oKa!pNCxi_4vJAw25 zQrJpefDXtHIFB04U;PHfZp0sqT%Qw?3=M{{e`V$B5!M&ukC|AN(4dX!PTuX;A~qp^ zht%MT>lHjM>HVtVBNw?b5+sv?pYx;yP>o}KrPhX5QbP-X$@19Sm~bDX06PxFN&0bO z*rKEEjLrK&kg&|@MuYF7NhwppOCr?MOWC4$~- zS7PyTt1VLps9{bC#-AJoM7CY_>T472n4^BCr9jd@hMhdr%7f8iDF zYpZb~+9FQYeFY(eEjzChHi}fG>bZymQ3@}ZBUS#;Jm`$Ly)3II50XIXL6I$}KtS@K zq7BeI=>7-IgR!=4s)=w=u(HS~UzwJff2WE!lJozk-~qC-LFV5`msb#>LbgOreHTK3 z2GloqU_ei$YFR6`HgIa*B)3N^EOyOdrTp`}!}#-TBH_PxFd+Y%|ou4PHKOAZ%aeo;;OS)r4YN@gyKG|ZS zmPZ*IDL%#K?c|4IZ4Ao~ikjNaBsUjINUvIJhIZ{e0ns`VgOHRP7~KRjA(VWo)8bC@ ze6xx04eGLrdNU{PwPGT3_qXbXg)-7{hZ%ZtVc`#Hqy>xWAJM(ld_3E`G+O^^;8yuU zpr3p|S_th!m_K1hSB`|ye1uBB$+1D%1i6y)kWKV8ZJ*va-KXM8tpzejVrjL7=Foyt zrBxVYX=FJuQ-*Vv<2t|~>mtU;BX};XIqNIVo&w@&6&Lz%nNoGBy5pniG@}fg*xa=w zz*Noxz+y!MLB3wkYhc!RI4+s2WvOwJMdXK7!<%WUU&7`8Ts{CfD&GX;bipY(zx71d zKrw*LDHi}gxtYe~F3;Be?!}ka0kEN4I&*WFkY`l1E#r zJo!I&m#KnY8}qQetso%L;Qmb4q9x(~H5ss(^K5Z`%0Ey*uubgYQTfp4WRNP5*l=uU z5lrbi+QQ5{wkw-2N{_5v*F4to8S`LTTF~)vx+N+xmnDYgY*<4mqj%C|q=^CYlPVX} zHS2Bz4w^J<2!)j;epOu$0#3<39pi{Vfr#yC4+n*YABV}smK$};nuCoSp5I^s^?bO~ zp>D^oTVzoem)4=+zRUl0A(KP!*EW;c!EeqiRt)&UQsz-eKGAum6P9X#%4p-R5L&G| z;lvmuZHw7e$sIRxd>N~E!OvYi5?~s7vWTWO7%T|px!f1fap6X!P{GnWts=SYFQppm zt@8QTC=nOZ;#-Z*nJW__*Q|rc6E5&cgR-#;^Rfd^@&zQ?QVm0{Ff?BU86b{y^-FYfadh>wwQk zfE&XnE!UY&u{~62lKoSU2k{^<2PHpx0LOVRvHAy#!o%P2^}p{%|L3g0<(P6YA?-Kn zHk~X$-Nul*r95Q<`S;hD zjTN)6>0dXY&kcSX(UzMdyXrW8X;jR{E?q25pq-wWjowwswyRi_1bI%Q-u8u2sC5w% z8_Vpu)YTvQ;L4xE1D&*z4FC*$uK1)Y-?t+~LvVqO3?zfG=wHu4+ybxLudc@Vk~qW+ z;w5iJW$}whq-^aOkdx^marGoHGAb zp_&PoGm7O)+8Z(u++B6vW*H?aNEvdA)a*^DeODlSiEd6<6;A5kuAn*AbJL^6B^!`` zGLWh%=rlS3FOG)-1Tghoh6#Oy^xgJS?8pP?R|St9#erdHM39mZkB}Nu@{@(EM@%FV z{#n;L3>+~ic@yLdJBGTZp{2M4ZI8DX{LlpDMfupZlq%au;vqc|Y-`50>Npzqxey1-YWS{J$-T34TG^ee4>39o19< zb?EU&(;{&;>6wwSU@##qw_l6u*NaX!*_bFpd}LY7qe9!?ws$Kr?UX1Wc>}D`$;;BW z``4+!S-)}oiE7Gu%e=!3NKpfz4fU$)Tq))|3Cu{!RTzU)-AS@k5n#AS_cHfpvc3Ra zwsuer)7a6a5iv)Pl9Qc_dT9#E*9f5vnG>w<1l5%5iQT&5^c0!@cZ&a4q6Sols!VHv z!6F+eJr3j4{&-8FsqPD5eNa#kxKn8Ooz>xVD6OB0?Pm zTSHudj!`)jfb5w*0Nq`z8U+Il@a4PLy1a_2jWr2{jupjJV(@PIXIkg@GA>U-JO# zZmX8p7RelMAp@Kf^ZP2TQRRLHpYi>DRf7Su3?=-HqpyJ98x;5Rf61Kwe#F09 zea;W?dxOa5Ndx~chvojoKZWN)fF6bV7fJIV5FwP9f;mh$SAvjHX4gVt02Il#UeP9y zvS0EJB3sE*ou}Z?H-cGpRcT&b6}pR`n+b2NXC7R*!T4^Hqu39(}wcli1er7 zv^JFVxRq|`LN3pKbBDDVqBr#}7vMNT~syRAWM-v2ql{&Pq8N8_XMPxrDyx2Jzk zd;JSv1MFElgmq&=`Yx}PVs4;ri^&NaM&Tu5mgWn`SAlfI{_Ye0SO^ev!)P5;Mcmbj z-~we@8m$rCL1c1FK>!*UGPWTryfc`pU9+7dQ}K-%wo}@XHC+yBDdx1iw_vR~4j65qJHa`9<1;L^joz{=z!V?gTsDxX%}S5-e8 z!~_Y__TkPjyQj3epd~ZfzdRJTtn0Hl7?HS~BjdTci!JhxQa(oE(SL;XHh)sN@%drE zs^0&y8l>U))yM>we17)JYCKeW{56OKPmTElXnfPum`Na(_&G}9iw5dR)B?MHV2PasJ%rd&7l)4ywRq=+_ORq4xF+s}QAn90KfpV$b8dN{ z6`)lE7TNzs2E!OEq7g;pCvQWc2^etket3MeBbV_#DE9-zBdE^HK6+omn5CM$3 zkP8M{Er4mSdjloGR-2F!zJ0=mKPBOhCH}i4pi*YwAE#vH%DUaJr-X;)f!D>&Z9UKX zb{?Uym+`aQU$g?$TTB?(#I#lnZAx8q;)tJx)7~Vdm%A#(t^jjV9r*G{M+)iTgAQs$ z=|daLL0rgh>eCPjZ)!k!nS$$z-x`l7sfX_pW{4T4;2O2?;Os*&*->WMza&n`%L(La zZoHuE6wQn>ACEW}(*y9rf-?sc{I_Fy7Q{*!Oley zU>G2oqBP1yE3@LHeND+$>Kl>7CZcAVyoX|!n+t@T)rejl9^MLJ_Pz1eu>4Qa9sKcO zU6uM@HcWH`e#2Cky?6ViuJRwl%b2*T2+yd&OEX`C2pdDSz1bY!wXn*;8Byd@+$6p$ zt=i_%K+X@$e|tIwWu#j=;ITx08y=^Xe2&Pc@*%VETM4^`4hOBN%HmZ-tsSB@Z`~g* zv`#-Lu{Ix0O&xjjSia?ZmyZn}HBJw8xjEuCAdot{5VhnfQjmNuKqUmpps=V2PI00t zHi=w_Wrl@Xdw3hgdnaDFlZ^}Q-FqUhEa2_2-zEpQ(qr@%3vVskyuK`P6|20;i?@$!-?(Q!e;O~y(pHcNOp#*U8^3~)ZKTIe5a`PI| z;zhAunySd>8APU_gD-kUbB=;+2Lr@?q=GWHe>fHQEG50&l)#qs2M1RElKSwCXqqMF8dN! zTQrBX*Qgcg($<-Bsk>?+h&h9$YP z9Om&{X8E!q;S2?xtNGC)YOh$P+{krD*60FnH$sv zKTApXaPd<8TB2@O{K<*`{rRE%*!{wEa8d2EiVr@TJ*1wIwuTlOWK>?qVcReVhlhop z4wR=V6B|$z>|@KEGMutvB9UTjfAz#m=}#>H#YZWphW|2yhgeUXJ-g~yauXAqfWfM_EvK(@cWk?nrI`@uDV8wqe2RYzM1%T9R5P=*>oH;?B|rW<`qraB25g1W)WXU~ah~)_uT>OVYNQYL(J{IyR3})@MUFjtzQqzP*Z|faPl2DldELTGE%239OpJ{f zT%3Nzo#G^tzW)^*w^9{510~#8lIve5_IXgXf!?9Geb>YLRtuZZr>NyIBEKMpF}ATb zvHq+^bVYG2aN0;b6L10Ui8(76V7RAm z(2W#Q~VT@3Cqz&*xN76toOB~FzyV+c$VlTQ-| z2Vc3_`Ve7Dl0m?`zRMm1N$w$kuJihzw?|M@DrLvao8|p4OGbZf57zR_gftM@x2e_&EQ;4F1=9=VGJSvspbK7MP5j#8Ef)bV*cgDH^p!b&GB-iz%K5f? z8hROQ1y}q{zkWpxzsVA5h5OJq*=BxTaTDJyT5QR#+jzdQ0^AlM$OWeLsGYIaag(al)OLokW+i(k ztB*+G!dA}>xLgPX9V$G{u+}|tQCe`}#_7&S8Iiu%1v+UA(id+u4xJGZPf>sUcybp`* zuQqc1@*Jl)nu|o2!#KB|19XL9vIa}8w)(O0vinqDW=?np->axp>&%%mFzmcqAwQUZ z7W8;{lK6@r>`A*wT7vid1#`&QV~y0Ks#pW*Dp)HV|Va@gcl!3N>n(t{xOQ+ zHxL*fNPIKw?0*d;h$a;Mwq{W>?MNm8S%qllH0wdAk7j*qACAZSM5+XLz&qDZ*N_u0 zeXy3??#pdG5u^}#WHSl7ZOjbaAoghAdm|6A9W&^^Ut;;ZjM*m0eJ^Lv7BdK0JZ&>P zE*`kq-;+pl+`m2Q_suflkUjDBO9CfHRnp$+=8sBc=h{PFO{?FAi`>h~nd`0JpxAp9 zB4&%Nu=`S5Mtd+(@WjWwouM?T zv-6aqKRjC4p-EC8Ba{DfEO{ajGY6lx-9rfc*UJMqQSnkCWWol&Tps!?x4i=nvU#?+ ztn4&%+B=xoo?nt98=82l1Rk`y%f#H`%i#mqPMxY?1`!Ho-W!`Akf$1L^EOw-V;Cnx zl{XOPT2VXoOWDEbosW5zPe0L!{OpMA6I&9TarWs8CA*V8jt+Ph2GOW)Dc_vx6*L=Y zz60Y{gzjT3EckC9-cyDb&;vm5&z!!cQ5=0CSzw8$JsMM(+Y`qFVJXq0(Y{6lQ58#L z3D_mj*xm!?L5CiHGLOhsvSR|_v3CSy48XJVjxy`|Rs@0R;?|U0HGWsC`XCZKPOqAw${}CYIxN}%yan&-X@iKD@wvDbmy~?fC zt03b!;PASGI6Ybh5# z3J(faO0L`Z0IFxK6Q*~KFQj-*TP-(qNG>&5mb^1%L}JLd=(qbyT-XWa9tRWdDkE-w zy1+%Xsfef3ZBKF?Zn&NbIsQ0Q^~ z)?SC#XW*_WT-*NWSFLnyKC^HK=0@{`CWyCi@M*V`Ziqri+bv%k#BUG>OsJrv?9GGN z>)fk+aNBDA;-jwo__&e)ODm3Ttuhttn2@+<(`Op-UOlRy94yfJ@Dk~gU1$@bsm4R?h% z(v^&Nd4w0Q;Gda?f*&aJwaWA^DZy(Wrz&%^DzL_J!`vx{q(?=I}`QNzorPzzt!eM0<@ zd$IAOvivB0Sv^%6tk114!0hdQHEEjC;{mKIaUMC8B^AYU@9n1fF+GH8)R-3I+XovX zE=sg`2L5A{0=;4>)nEODP2% z;WuiX4lG>_TYAO0xy!#fJe_o;$eCyxd_UA&U z9$6q#S6W3$9Yrs6DHwYKI0rO8Qtgq!`lVi7Gd6@cIPG>IarX9Ig9MYr_D!2Ww6Wt+ zS3=yFfd38K(n5#KZb70=NI0}_5;c{xz4e4|YS|#$EWHZ?HhJS+oA&-Z&w(xj58b=< zwrEoyxLgMgKxS9VoneQQRDR$6&5d8X3V&XXvOQ0#_fWZ6E%j?G?ON%!HwoS)5Hzjr zZfOREsk*SSJ)rJIc9hdDK?w(I!J63n<&1v&2UqIOSQXMKe2DN+K@tICI$7k8PlJ>x zbaz@sYLHewP4%e@wT0V|`Og=Lcs$R}-b$0h%{rtDo-M2i_!0dAOb_X!h>#q;{JmA@ zReS?YF|N4fblAqO1Hh;_r^+!j++F1D)NbvWWiX;buf$n{NulaQS*PmsBYa9 z%s1CzO1D5LT`7BMaZYtXx3`&+e6P(Y;$T)5Aqvs<1@#gR9<3~}kJ5_G&^Kv5AxDdX zaJ^mNeJvJPxEVXB5vPxdfEMFLdZIWCE z;zr;)6zxhfUpxGNBFVKU2dgF5VG;Yj%x>*EaJ<%cE%~1B8n6vVwC!3rrL~};#Xn1W zeeNU_Og=F+o0Z=Ptr~N|r}Nwz!aU4(DP__DwmlQj!g=%cW%Vx=kVo0mj~*VyWL8G< z8Y+bqC?-%fmv)gw{jt8Is;N~C_s*px&WX&@ zjf8eWVDb>>!l#FD?AeV5d0j=NFtIff<}tQQ?)rNeMq)!LGGt=yY4%7MN?^7g(E%doGW zJYtCV8(>7gL2<>>`3>T4JuY8mMhWww7 zAG=2RBUMV-l>ciqSbLIaAxV|$uug|>2-)RFMpdqMX{KCugI z#<_Dt|FHXanp*m`WZtY5V#_XD{v;(bVlY|AsC5F}St%T88o#!6`X-i-)TE6S!c3ZR zXEZ56hCG@so;N#~E&WMthUN(f5JU)i3s6 z;Xn9!jn}TTvVpo+a%3THHCgZ|`Y!2D>9AdO^xYm=u@3<=$e|y3Q@AXp&#J=ze*QWq4h`@Xy$gVmb+d@o-K%z1zJ)2MHr4WeDZ$ss7@1lJ|4EET+CY$MthK(GD zmOFSjdm86n{C4vVPi2&w)!S;{>0eR`DZtzUX`1SvY~EP@9;<(Z6E%~|K5a3u(H07J z!Oj^d-01<1GC<$w-J=(L!++bTfcZ3W1(z-V&jbV!*#}-J%T~V`T-~pt16U zh_s@Nlx4?t%x4r;1$#u9v^)TIx!}a8x?PkQ|Iv2)CR0G*vws_Eh|Ul!_r&jUaVi@)=qBP^ zjt=<@i*qzH;1`hVL+q(5`guS?(UCKVt=g?N*c^^WqeRJ_Sr#l{`2&X5yaki?hT12h z#6>4_xT}Y%!G_&qmnrH!xu4VQkfkt)dBW-DX#M-?^SLLD8-IBa{w%WgAlP`n#ZlcY z`Y-Y&Hjjb8Tl%q%wodfQW~PD6O1e}5t*C0;H6N#@` znAU@|250B6qXpCUNb!5m{#N1|H$Obw^7zIakZ=F;r)GKENh$g=tbbtt+7aRUFHo9>#Ex#C zOqPLD@2w_Uh(7XD)T()h#PRE6nW!6Quly8?PG^ z%ZwFdPS~3D;FV^E>u@9yWAnwKKinOlpZt@*BzA2Dz*N~UUDSK&=Auj#SA}?8j&DfL zu$VD&GUJ&5`x_X|QA-a7kLhvdj(V$`d`88fAb;E6;E6-NT{q1EF!&%7l^Jo3Il>hF$7DB1m=u{ULdBi!7wtfC;|`#;e?*zpcq;W8F(Y*0W-d9t z|7*KaZs^X&%T9>XHm1rV~9Tw|> zqpsEb^54b{lRZzQEB_L0&j4uq70b-!wN+H8R$b_B{^2ey)=WEI1z4xhPi)YvFywK% zo~D#HCMuCbv+$ukZ5X+Q$9}AoLq>)){&5v=FW(GZujlPdRWtN_42F7KlNRN}zrD58 zL#y|f`dZA+xuovRF&MQ*O1Z;&XlTv$)S?9aj^o8P-Kgn;DijiNAvO4!ig)*J!{v4a zeC)g*vCA=Ixx4FEaA%vRKu!?)&b^10qWWd)i)1^C5E+F6@oQYds0FIejr;UsW%4-?|+Y!`}HUi<(6qr8qTtP4T zfz6KAPQnhfLWPIH=R(CT_n32s7$-V?w(32W4a-2Hrf)_(st#rTbV;BlCgI9F3f0zS zf+JD2UYh7wo;hAV(k{%kzOv8lb=E^jStKri(fejXl7fZr3UOSGLbE}g4_XP*R3rMO4@ev;F>N{eEbs>Y$ zOL>hWy?}MYJ`Nh}(xy!-l#f=OT$qTp79V}~+Ycs{Zx$(1!N7ilUIgfB*u3z&vV!uf z{#x?0tcDVkwsq7Voq_i!U* zpkgNqmZDEUtR!UXB=BDU3p^7zBH8kW-QV1g!PD3J-+Ouj3+Trbi&NY^?Diw{pUS%O zkGH4PUBkzq?@W?<&HQX~xsJO)$JFoR#V7Mx?orWaMvW+)0uTs)wQ=(#&zBvt;CgcfYgY5|p!WU}ws?9yhbg4AK4X*wMbVLaA21SWJ){{*Ud510a zqb@0V9FP=tigp1J&+h5z^tDU>C;wi1lISc6o1tXu`LDRjE)KJ&hqSBl&-|?1IY%WuI}^&sJF*PAlv^J+ySaH%*6?&*IMc*z--z= zctOtm-(Zjc-v2{n;a_4z;5gKnD+2G|96mVkjh^ifx;G*lsP=X;zW#TVBe<$#${1VMkPb3t0#b|~HSA$|PiwZJ7Xkv2s z6OmpL?COH+uFA62$Jv}6I}sC5{lZab0&_du0pmc!<&#vIci!umIQZ(+34Nv=iPLE_ z2D+pvlLpp1{P-&!{{^CFO_SQp50<+(xJvSW(aR)Li&AdW5p{N5{^l4el95#NO#%Y@Ceo)C2vV& zRJnILc`Xk92aypeiHwZMly_^9qsD8uq{s=RP4k>zoNU95hI_#`@QT?P*-?N@SJyu@ zgKS&9F})4Ln6bhSuI%PBbH4gRf1&M+1XkGzh&hNe9(m|8N4*6a3AO@c4_|yR2PpNU zii<28G`3ECwKLB0OX@X?LY|(s?&2|#)i<qfcQjh~v{j<0vx0B2CZ!&&fP z&oP10x{9*4dDCN{iw7{k^zY`=nxG#@8*!eDGTuj!R%A(3i9xF`%Nxs?oY9ImW+R4L zL`W$6V$Vw$``omN+)rWy`%*6`rbYFa6B00SLUKs{bCnJ_B>(#z5y0{I&#OAX@%X12 z_|FQq%Nw|_f5!H@1c}0x7q<28yCKzIjH}w?*_>6)J}+?SnTX8Hi5>U>EqdB%VAg0r zyOxjZt@;_;c`h0fwAEEq#mdNpWwt20)|Z&PY3fbd3amYu?lq4i2`@CMr+T`M?zx=Y zW)T+&`Sd-dX#zaBF+06zBk_lh73CELH6$aQj^N9hJsp__ z@z7&2WxWi*9`T~P!3=<{5xvUG3NE*5EDENb86SYsg~kanEU(u95w(!7> z)74d&|M^5rS@DJLqX!lm11;wYt!7F1i5kVdjV7?-43fkWp)LW`)*mH=_7#LOo*`92M|-2g%t25^JgN2q0hZ3}?d!1s~$ zcg+?^pbrnm{k+B>)}Z5`^qTn`VBXAsGRLHBx;TxnFLG^}z2tuZx6i!|aRa}NY_YJ} zq$AveIuBa^-;TxIrYZ;Ax6_AJN;!ous*x z)i#2Fy5Ni=MTh*3BDR=VhAk8EIA5(vD-9EKHIw)QyPb0a58e(sDEIYau7SuWPy)b#@5g{%`+02G~UYHF^B`WKp6z z{Bu#`%=%~`sphylodrt2fM|<}?9t|%%f0O#r0~)}j%s)#m~=Bsc#U${dWm%7NEj zS-nMYq{m&`@#*`<`aLFxG4g=NV!b+OeX#yV^SrUQbUUL<09)o(k2GdQy_W3fbWL>uM>kiuI$2;~QvmWvuY50C{)zKALneQ{D0Tk>* z$o=ECISz7odjD?ID_YVAw2{eFF|uABbbxzPJG=HcKNj+Tq-&V`*g zn_COpaE6T8qns;WfVp`6z+61&sj>P7x*ofK=!SU}<%v}9Q(RyjY%jl4nF>_4Z9#B! zu%#>dIwQ836@%2Ax9J{_5$&d^lM??ZbpEmzDkfpfcJEo8t|0fy(o?iYe;CCk?jC z1)#G?N7b1cfMoPa*n>xqj{U#op4t-b$+*yxwiZADt=iTDP-K7he&b^&D~e!g6$W{D z+{qf>qz0A(1wW=dEbBWH{JJ1T9<&r6Q>$cFmZ&jyJTlQ9?i(l_^4V%tv1q&q6l3gH z!pU4s+#Jrs)x)rt?*O|Bpls#ZURM4m8B!IALPBvJXB`U@?|i;@VVx!=L_MY?SkUYg z+w?B~>xQVdsIRxR)sdBlF?FU$8;{9~j!}7b9AN&a@vynGh1)8+`nM@;-OaR`*Xc%m zLHcvCCNnDNTUR3WVRcJ@bquW`@k(h)KHq=tBLu#x|Mgx7K!^R$9mqgpff3MN-|DbO zUjU|x{PNKI@hiJinpoRidLqZlFFG!7*%$1>@%;o+;SsqPTr_=qvrd?!ACi9&YW2ii z$MyK0fU@K4Rd}psJRWu28_Mm>fWhRDJr#y|7ojq1}R$!@TLf>n8Z# z;`3TENb@Mnyzj57&6UMUwNtMg65g^sT#ByaY(pM2#mMah{7=sI-AP3w-sWIKM&rkw zAXAQE`7MhEWokWLRFXP&9A&dWe5A(6#cQn2!i08!3;531QEJH9KUC>|xJ&=rSn7?m zIqYZ!=^@|@L2UGSeWekWL#p0n20dxW0e}Oq)cJQO9hU}kR`0$#6Hdk#Lk*O^VrbtC z1XLtG-#MFF*Sq;<^~Id>!9GU1@j~6iG?8Ee-5l&vS;{ks6B&S3nsz+SyVyK3(%8@^ zj-}mK(U(#7O$t{@dopv~1{eiYAL;59GSl5Xz;RTh9(*6K*#E&WVX^tM(}=_2hNOOS z6~oRE92YJ!9JmEIPQGGi7zx|7vI#GsS?D=!07|(^pcMG|sekJM@U@l%#3eUh(po_5 z$=xvd)m~zyJUs0AhEygEJ+`1>z}lOc(1<;N8Bz!ieq7vPeK@Zd9EG&>_@WJ}+TsDI zO|c^4AQEMxR|ny>U$-Jw7gQL^tZb~R>)Ce`#s*SxT!tN~xOOCWp}4GpGcX{?fFqa31w=MSQ5hag2+@o_6Zb7{NNt8`VRxsT>F zX#kU+PEVTONmPk~q_%Ih3cVxR)}#qVx4y&@FHC-YB=d(c#H2DxX5k5A zu&=>#gr~Z}7EfAg9-w0-j_q>#&|LQv7`@$>zR3&{HNQ+@FjP}Wc_!db^blGAC6>U0 zMw5CPM3n2Oz}I3l)`Prmy7^DX`F}em*oH{aA6!Z{8g9REd|IIv0<|!t-YUZ9oF)@K zJM9jRo>37$%3f@N?eP$H$UIPBT!muT9o2`KwU&CL3a;#;hFG|tNi-N%mxPW9z{#W0 z2i2y{9rGQ6vD715Y8?s-VW?zS7|@=w!_jG>*_8;kMcK;qTCiPg^l-YP{)ov+azXV;B8eayy$-Dv`@GH%uyMh z&|0so*t3!q?U_&JyO);Nx9FHuFaMVRK7hO==F&pfr$kbm&RT?Gg_8 z?BSSpFwoWjJ=;8)jaudye8S(8^Rd~2J&n{1dE-6rZ~&9Km^f=Bcw=RCW|Wt6)49kh z^$`+i3sN^7g{JrwD^hD@oN1ziYWeaK7gL4*v|Tn=#Qk!5H2h5ql~f_$;h!Xo&_%*5UFog+F@6k-PhK|5v)A+GO~ZO;zWNqK2?}9L2J-0J zKp~20sVmPgPYGtn0SzZp7o-67j{V+iFqoDMdFYP~1q49ilNxuxM-%k*H!gv`lK1{= zVN?G)bocuuF@+qkXgM7^Ez{rY9cnG!>^|arP9Xfv+3CFbgQ|k-NHboU{uE?7NKgTc z`Vf&tB4_$yI^W29vBAIbqfCjC`M8Q>13sZ@4#HI&4=FTaihFN`ec=xg^lz-rG`3Ea zBpU_RA=4dX1G|gk5FeZ?ny5p!Aoyo}YnS{VO5C4+Fw+8JXWHFIrr*50Yo9j&72mNR z`Xt<8B^*vZu_XeEJsw3q)nln4i|LthbW?tF;*kg_7oWjABi@6zST(bnuWRydCU;s{ zX;Li+2|RRfck`s(g>Yr}81mV%!o|;`SCivAbzKfDcjCx5`zq!$wyh z0gHo$LeSlh&Fi3*qVs+qWhxT*BN_Ae>tbG@`vvRkVmA(zw;ry;-R%Nv({w>nMao zD=#mvM&8Q_{fU`2h=#}$q$|5#68`#K6rd${1f4qi4Or9qb#TL5L3USD>6xGMaS%QG z1tz?*!#umq`uOS-u)ip-tsPO9oDMj8e^TQf<0C@Dj&lNNJ>AgcC zR#It&&!x?i1?fwuFuDanm}pg;GPt1g+HNkSe)|io$hX5I}q7W z+@qbIk|Yx44E3gifym$8?F=*-(QKV<%up)@WY4#)06PM?t$){kS1`T0_=x}emFg}L=6TIuzhsQbQgcX zclpXMVsEy4-qPHasy;d6Yo2DKqV9Yn8a5yp7WT`9Vb~JKCL0^jW0$2GDr7`fe^Ohl zD&m^Osb6slx>UikcFr@?_#$VvaCXq&*m=3dT4drKSgYOV9bQpSxTq@{1xoHA5?NF)4ARFzxWLYse`L55v3dDmBu^OP&wz5&eSOFmq zJoP#31lC=cn1x@?8xJ39Rh_wkqsFEm5ZxMyqc|^7>OBVytPm+xXzFzPm1;ik{gh=x zNWy`~Ye?{4upw7sSHWoZu4(W`Htr_?eTk_T+kv8-Q}eNE1@cLTtq?EREO$6Ti?20X zsK3I7W9ne94V=`1I7Nkvc`^qk9r37ZP@1k&Mqbd&yt)u?(%DgWWH~Ul5AX?2T34Dx zS>S)wM`z5#dSdFG;UU|3NO61KkRDaj{jXg->ZS+U&PjbtNZ$B|jb{Y?hmFVgg)Y8| zWrvYQCx(-4yjcp%xb8F9R%^{=j+~G4TfMPQdZ6c&r*R>az{|c{BW1%vx@pF*lMPzW zNI5-?l9 zwZ$17P{DRA=PpyjGQ?d;-d@f`9pjtTSb=A?a6Z6Yu!O@PR9oEcV1!xe1Mr(mZ9|wN z6}8;3%!=tZ=VZeH#xmKc_8tY}J{nB0%(H?`<>0P-g^dM(+F;AxtEFjz&(wufWA)Nd zN6d^AV#>RPy)GI~Uz`$@$cM19xYo`qzjSk|heElfQy2oJUkqDr$Cua-jxxEVZ1X!? zfDIuGASIH;8q;1%AtRso+;YX+EUn05%+UOmKF83J*0>L|PN_UdK0FIM|IE5V119*; zuYaX^P-jKYEpT~Uv@o@(>uG4|%%vdj^`r|a08mC8%P95Bz zzL>4=p{6f#S$b7I|EL-}^x0R_K{S`*_gblP>^C4gjWMRL#7rILKEr+!oBla|9RWC; zRLp*hKlNZh;JJMK4@=cAxBtabmGNLzxoQ|i-D)bH{g?pT%^SODo7IiCOT(TSQ>7lo zA`AA?Kw{{-vZxC)R?S~M4!9@?nz!6OUmIM)LC@QPoTqBjmFGL>Dwf+1*zd38Y}kHM zE;0dW*@UXgwiaSm(^U*G7%gkaEr5GkW0?qH9*JZ{69TTe z&P2aRvjcTA34EVvXf8e-A_{jWzGKFN(SK_Mlq3Oc7X2*c9V;(DcwMYxeXFKod2U}H zm@tpxPNMU?QjEMOW)CONGR=}(LRVS?Je0h8I?rI~(HM(?WGJmzt#jO^+6huE_FNHo zpsSao;oT`kwjD%%!G#^F6Y>3b8|=H?YAlSK_9Qs<$=O!C_n}QMghAiaBLu6kk#>iQ zCK>o#Sg_*gr@Rs=dE*zJWga8*{78_$EhHD~o1iuWn+Kq7^vbfnjzD`QCBfm#G-74x zV%$LfAX}6CTsH96Uhh@xQi^~-6jmL2nL1Y!7gix2NDHNSLU^8T)UerolPw{ey;mwm zWMkc&7bm+#_ELh}*HGBH5KcK#XQi@i>T7dc&T_b7s}`YhBb#Oexc>T>?1 zV`RGcQy8cEea>mP>jrp4uPc<_Q<8(qj~(bdF$2*L7F&YEz#Ib**+oP2x*3Nnfu5tJ z^gFN~sog9tqqO#!Gw9%_kq{SkQy1l?9nW$vnpeu~A_S3ZK9t_`AU5p*CJ#A$G{Gz$ zvN_&=2g{dZV+{F+>vMFIX8mmndNXYPoCV-g3lc9_=w0dtvys3IA`I1#tZU?5tOk0I zQX9I1^75U8GhqdD>M7FZ3RcIiz29&-Yn``98aP$pcwm%!VtA zs?5R8)PiymtxoySud~?;I(o_FPU3{@(p6Di8Fx5b&RyS}t1=iylMM_x#Ft+k4(QMI z4w|Pg1Ta%p^01loGm++u9Q-uFOH5<7a33MCm&4))WMe;sV#aDi^EHBM)rzh4#g~_w zs$muMbiu?_^*-;Kti4k{h)~PbIyO%ZUJ0E#7uGgy zZum9apAmYwCryw;EnekK8Wrzjdxn-)aC7_i%42?oOW8!H`pw55@D!7b-0|2kP;m)b z;GN(Y8br>R+V0tL!r8q$pE?K|PueUSwSk;Vf8LO?{^{yCOu+H(>Mw%zHucX0x*le= zE1X2`JY+a59-yw=!A$IP>W3{(P>aLm%nPRG3sxrjrao+j2lmtFofqa>H3bvEsbp5z z)0ba!pGU$2KNCcQ53=h1dN>60v7~f0>BBsw~>kjhd$Lg!+oE> zUBa#OP#g?)?x5$XoC)?_^N zEqQEv{#1V?eC!@qH*DEo-14iTJdAe=@717DaYnFWS*{CkX)*3j#h1Gcy4MkykJgxF z#YvkxA)}Yd7VJ~{Q&#w40xmg>=f!=K<<&!xu0*ZQ#<7d?tXOoXS*3jR>a6p4v4tG$ z1Nnt2|B1fC2U4}o6J8EA@RzLXXGd(psi9NRB7RUdELX#ym4R*P7rO0wS%#A?KS!Uh zk}siRSMJk)H6FYhFe;wzSDQAL^4<`#oOP?p%zewyD~Pw*%S}|oP+vsADXe=pwe?w) zbe$D^RI4lT16A)U?!sRttmU61cpE?0K^ph_=3yR*0?WrD(u9 zZ}f=1EBH}Ck>&qAuE=XnYBPbp{p0M8974Wy$pL#kbb_ZvvK| z=aB8!kD;$-_%qd3^YRxfr+>0%&yzumtcLQ*5&59A5GDHie2_RIn`bm87LmhBV4Fiq z4Q@oDhwd7w2KkQIcvXg8Ja9|gl^;rmPS@*CdvD)8(;84|0a?LjV0mcg=^(F=0TR!! zI+Bkncvjw%wm zBP~;B_f(^HS!w_!)pFGtx~=cu8grSXb>6j<=)QMOOIPAt-)W49LLtMmi@l)gK~J4M z)fZNGU>ZTNylKxGOvliQ1!lYgu$iVXb=H*x-o*aEA6lJfcwSMRajVMOgr`!|`9w5a z%8aSjZ8)rPd*&!Fz5*5VnqMU!`Z6t)HssNL7q!Aw4=7m7U7}~t@~fNlt23dKo5DJw znhSRs{b}sD!Xaz_&bwB%1L2{OtJ#rXn-Z#)f8#HUPU{gE8ee<-8j2gz<_cE!4xS_U zt-Y9kHm%jPO8C&Yhs(F{!B+KNJ)+I)&6_4A?OUl?s7J6pqBzzb7f<=EPz0-|!r%Gr zDT}1pu}_HWHlS^z$qql52FJ%V1Q4f_W{l{f^zCXUvphY!bWV{jwTwjcy;;8<_98D_B55^V>uGdNLx5orPrtPowHyJP(nanPnhv z*CJhsUl|JX&JPl+h}92&Y~PaIRv>tuP3V*8M-`oS1y%APAJRhkLwutl@^XE43Aw7F zT05cdu2I#xX*)#Nvxd~>pc0h-v!t>B(6N_IS%6$YGBrKX630ztZW(OR!9J-yfVE0sMDb^+TQ47Q*=hZa}PQNNv zX@Ar5tl{(=V`Xb4E0GO-714UGbF7AB%MydC_lh9e5leFr z31}c>H9pX6=aRpd8w)ane*y@&G%*C)t#~BEr(Hf&MJbl_l=`(z2V*^9+ezPG1&yd-A4R>01IipBi~sd)6#{ zdZ5;yL&f+|Pf5|A8dZMW4Udl2UvXVkTFQu2Z${s*;NHv+@s!~Ak`(pQD(K=Yo>+0f zDUUcEG!!{`p+M*)9`&zdZ|Y0c`nCN4k|i#>bpoLePM#eoEk?^k-%c$H1!by=&t zWTWEnckQ!V<*{eYgfGx)nh7ajpEb<%r)K;2Co@@=04IdIBg_S|YoT~re%;CvFByUs zZs1Z>Q_wS@=M%b_CN1>cq67ur<_dIJ-^uKUp?m6j12Inr`b!Us7D2_cq$+h!H)Syg1vytcr(L3jpKb>@{mS_4Pn? z)8wawW5qr*5A-6?`m7UaWgB4}D-}SbsD>2WLcNcb-wuCJ0z+=`=VigmZ^1)MvUn|z z=(Zd>LFdT#IC&B2H= z*}$PZ3~V-s$`Op(1Or}CO@i&K#VKBPH7U)Po-NA0ObD9<2@p+sCF}6MZEYWdn&Rn) zfm*|ID0Yfp0Ca}E=i|LGC=453oi#LqSYd7Ava(`1>;Uq(6c-mZA78~RDi$n)0;WrD z{f_zST$$my)cW3k$hrDT#rWWK9~LlTEJiGqR4gy2^>tUR;P{*lr%t`<(Z?&d2D9N` zNsA61y1#+`@|70^OEltO&IOY-xt@uu0dB^=NiW0j_KPUz?ejf{U2A(=T|*xEbQU&L zlq!AJe0R=U!-K`UR^OVsDyym^TwxCZo z@bJc}xh`)v&}v-}Pyg8JrJgt*{#WbJpQ2W*(M~R|~gu-@eOp>4$%h z>HWHy;BYgndgud!Y&Vr)tG6f{SU0nyQt8R6JH4jAZzNKKmcq!Zd{(-ylz!N1KJ^po zj`Pw(uqvVNgmAx}&4Vj?>3HcXc<>iw-#r<<5NZGNb@;?pk+6&_A@C^QihlZA=$yQ! zd64x^{=W;*Qxe10V3S$bHzpmYOPyCFc7hnny9g$+*?3NUfIXzD~^oQ>BRFq z`tB8Nb3@nQXF~j7-AF^atw-}lv?!C<5=umDA@u-F3=q!hp@+t_Ez6D8STWFW>xHtM zQDZDn-# zq)m@2qh_a+iZ{a>WN@y1kz~}2)`i;CR@&}JbZdk%e2N^+BP+s~yJ^sIWh`&Dva>EW zy#(k7pqc)yRStdeC-sj1?aU8f}G85 zN$C$FET8sHw-4i#`wxixxR>(9Y(6P$mFmy7r&mImPvr+&!%!*I5dJcsA3)B=@_m5_ zUSuVvZnbjA9~@5)@P=a=2+0v#j+1fabU5f%Hi2g(_Vm*aYrhqzyn`TW9`7@w^XUBE zd8N551`Y!#2Un&<(fwH09cr=TtigijefNMKu1$WWI7nd8 z7V=TUruKcusar9@QJvj|n=uQUj+*a{ASP~d?V0~R{ndytBg$?HKnj3U~=lct{0_4 z0linONkFZ&&uWE>B%90LGBRbdKA$U?{oIYtD|;Q5`5U4{?}YF$M^Y5gMRmmm5{?SUT@VUhL7gJ6U;tWS9E=aP9ju zg_C7>l|E8G%x)2~@J?!r;uAGqdJC1YZ8DddoIs#;;JAj!WBZRG`vbkOGggh)54d>7 z%&UulFl`zVwWn3o5m2;ZOEukYm_rTj#K=`$2s{nxNF}?2ta8&^lz;#z$BMz#L? zL!ihEoY@;UHhp`j0aY@1k@oqf=>P7yhmhRVOMj<`fIZ71(fXucYY@RbKWI>eTi6to zHN`)cHR~;=U`5%ErKLCit(*0o1pxBi)j}_QBco_;l5`VZ7~~e#FSUc}UL-U+X{q(R z_FOn{3#ln~Oei1!bO!#Tjo;X1+YbE8*xsYDBx#IiGyl>=R_s+Guxh76a6*1NZ>uNe z;J&<;qmHeuF~%3V1F6iUn0mrh=CB7?QJ?fBLNnQ%xK;0<(;32qr7w}wbda)1TNt~@N%`KWB-y|tAjJ^rzR%@mVM=DrL zY2L@Ksy18#x=Mfg#RvAV z);99b#HU7p1LVajZ?`z(HBc1#QqpkAk0@Vw{fCyVyY$$$!{T_pf(^R4!ygmhrd_wK z*5mYn3ONuasg0zYt$!SupBIm{(Q|2jl~yk2o?%4+KTCk#&ljIfmrvv2wB>mU99mJr z=?Y%+$8_IBRI~l$XS>h2`J_}-@3D5fjX}!lj}5RY@{X@VPl2`sODpmBbI5K7DsZW+ z?;f=kyQUe?MPpzY^g`75-1TkIvLJDfVpB}@c;@SB51KATL<9!XrgS@`N2}NE0w59@ zO^ucdYsKlKRcB~dr06RD<7V6!!C_ai+oyy-SL9H(Ls+_nR*&dfq6euH*5^Cf-uc@w zn3zQFJr^6qHejgmOhdu|l59XP7bd@pkDE`d4en{Qk@KXL>Xg{x#phTv*_tFuiUl^Q z{DtmA^(;8hnM)~C;AO?Cr{mNCg+KqIxpJAga^&1FO<8PgE)~Yv;?jo0xt4GZUG+J{ zGhw%%$j>T0Or>4Zq&@(da>wdh?U^wGj#)~RU&Z`wtGaSx3*NI6ZQ&itS?W|~BRjnG z_-Hf{AOUQ ziQDberTP1+hljQJI=yCfnk4F@(w<)D2Y5nc*HGx5WxK2ZfJrzx&iCk_kWG0KWe|1% zBj?IyL~CeG2RhwmMYf10lOFM!IXomz!8`O$x-49jT{)zT4%=?ZNK)x=SyibLA(l9E z=^Kg^^p5E1ea`5`1kzaBhlL7lm`%)f>7VW#u1rdRy1>{9kv4EXQH8jbhLk;$36=rZ zI`5pm4o;h;?d?uigS#t47wA6h1IF@a$(Ulof_0JC1e zI>1|3`OgOd0SBlyGI`%x;lJi*1!bUzBIQ`c0(&Vj9JJ-^~P9_I&JK9lTe2iLxlDaD6Xr$g6B`#XJpY zzDKpS2C&Sm7Tst#&5r%I>3G2B`){>W{jh=GgTyPoaCmA$s}SGFJme=b z==W&obK396*CZJwl=NsL&j^HXvVj%heAAKe;qWsl=-{`+k-qr~LhFeGcebFr3kmmD z^ji_c(2`Ul8Eop(ph^i$pD3@}f9mAH%_G+sH=#c%9q-ZRIQpJTp+-#6qj3kL)R6A| z4^r!JycQ%N>*vZJX9VsflAcE18)j$%>%s5-V8~W%O1>vw6clxdc~RN@3`^z!hMkFow~t#jx9P*jjih0~lYS%s4ubLJ04;#(YIq_SgRk zbR?h@Q)JO~qx&3O?|erB<`VXmx2DR5F_K6sR&vsdZP!cNZPZLDfqHye{@2~QrszzR z&44n{i3-?sK2k+2QkJ%SFf-g;{Q|&DyVU<*bdLyEd(Ac5@31F|B|o-?cS0 zF=%zQB60x~!}@zicK-3JdfhtRVW020%HHMoccd$1YUVu&Ja1C{ z$j|uXF3#dX+)e$e=O0cBnLcgcgyC!*x!-7y#dSA7ok92ftVtH0A8UurDk}XFviHg> zzpt(1!i)w4fAVH_V&CTAkUL&qQHU?&vjzJ0Crw{vD)*_+Dx;m;_g|Za(DtL68t3M_o@NMzpyLeML7OAF>`iw$lu)4G=<_(Y%wwMHej2f5F8bGO z$dy;Nrt(Qeb23V`3MAjl(XoK8`kC1Uc?;v^K}4x;;N?Z`fxmX>EP_cw%Wa4OdT>qno}Qwpu3)F&KA5P zy%xr_KP8ZuM6k||OoPSt|3lkbhDF(SZNrKn2+|@-Hv&@9IU*%35(84g=tYBc3=E}o zNC}c6B1jG04MW2aGNg2e^uWLX-^ulq*Yn-md;fXgpPZb!aURF9_O-8ltz)gy=tq8t zZTN!;)`>;d;)F#mkZ3Q`!0SD}%YNRycm_Z70DHdP0L{zr+)8P`-$pxvJ-NCE4t}ck!x4hO zKqSO?PjW|ld+=%{7ZfJY)I^hiu!cOA0w}2>&ZE%zNd;oQ4uVeeq7rjQ)8nZxg|O<#+7FBanEB zX5nNbuMiA-x^*GH-u@9-fIME@K!32&bEUL@xf*{y{B8!kDs~||EpGT9=JFrE9HqIr zc1gD`(dD^B_zE}U9?mWSc}TdR0`tbk!hP##`UaMPQug~UN0Ena+b)abrDPjaA*Qwy zw(9WJcARF_t==%uf6N`-pzF=-LYTUEqk{y#GxugO(8D^EIgNZiXIu7XRAj6L&9aNyQglJ_Qjk^(aL?V7LqNEuU53FYF=srOpg?qA|0F@P55LmpM5 zJ0vCcMlV-lqB;wEzz}q#09bkjjFfcmg*SF59ZNT34RWouTuwc$;rP-o!>WeI` zylouSU5p2*o~niBq@;wc%8-rEJRoe2G=ptN8)+68wps|$GDUx7pvB(fIT?RI+u19} z?{|#A%&@JDGwfw?eJXhgL+dv9ffG4ZUuB$_nIcl(294agTPV>W%FpzZ=<(!hGgX7! z{nsM*pZgbz_hw5}g&sw^!FCcw-ZP{h(Ub>2YVHi@Dx+)kNnkX3FQfWKKIReJd&5Pl zb2+nX`lVcp%e`kf0k4#p2s|tATD>RwADH~}L;u@up1zh;0A3wkkdI=;`=6&wdt%J< zxD6LF#|Dmb&>%6kvNTdkYQnY$Y0RF_7oQHRnaw~rqsiTcT|+xhTOhqlujOH}Yd*=? zdoc`9#NhFIXjrqIPjY8J`SIy+$5kAoB(_p)Wmxi3*skR5V_I)aUoeBVnc%r?apQe> zU-2uMuv}e*M@u&-L~|ylnA}J1+*^&z$pur6#@0S%#cyHl$gwWQPGooClb7`8^f6KZ z$4^GI|80;aKW&vUe#E+QFH$n=ixQ+heKQ3a0e(1zJr9tXd;>G%V5c?ubd z6zUb(SW*V8K%E%}a3s%ew9EWkV7a;hyn0S5y)16=5Az`ad=CBc4<%@jKR$@Sft=W! zB!+-oEUeNP-#kXd&YEIFB#F_OZKZ|bfLulr@q%u{_s2&@dQ2swr)lqQyYTm<3_*!K zX63;TET6iydUx|HNG(`;Kcu@#RI6|Gcm@)?BQR9W;?3CJ&C0B@G$GE#8@FX>f3D_u z=uy}ijAtG14Q=?JE8PT3T*+K9+NFP`{(2;CuDjG&w=mz$pCz9fy`spmw$fj zzci;&p6fL<&9qDVhcmX0@OSa+k8q@)H|+8}H-F}Ss_=1*?OoVB=?_bK7=`4iLgd1| z;ZZU`lVg>ovL*0N!48v?%7rxI`euMmv`JPtzoSDmF*%mR+UkgBaO~*{R>+4Ov%GZ* z{Ix4t<0*@E+&dbzL$+6iiR_Xu3ROcJVc5t-v&#+^PM7`WduB4WG?YehU9U|fB!nQS#7w%WBmr$> zJMyD#$ME-2>OV@f7fT*`)1>C84Bfd)|Fr6${XQ-BKz?h!kmxbJsnZ6PvS7)$>s00gx&TqKLVyGqifr)dS|M zK_uyysHLRyUIwG5dhC+UOcR>{Wh7itrjl628lA`B9N#aT(RRZ^D24=i!Q_Y|Aa`$i z`HB;C&Q9XK{cyO!LZ3XsZ6U}M*1?wHQvpV_#fWT|7A@J|;hZNX!O37Hry%&ra&1wH z0<60K-lDj!E$Uy;+kiX3NNbs60 zvE8QbMvl9zOo zD_b-LoTTo(iCs@ay6;P+2V`_cd~x%hv?@GBh^B0%^~Pifp4B$;t^iX!cYXiHmH!K? z@Lwd~SdPeyaF$$#j`{Ri=;`x*W}x?DNi4lgAVU_lVT{DqtN4ss*A5Q;xGqKh`WYqn z!mM%GA+-ej*#wL7PJ^^Z7@jJNtSQviFXbxq(=uyQ4s0F!nGq^l0+anKWIHTd_(f&Kb8 z@G;ubasTP1n(?lW1F4Jz)!sbyFqyc#gf($vjb1H1#10`Jcyt^2JdG7V3kZ!YFwHZ% z*`g=YrwkG$k;XBJDIufuV>{7KQ<=2Y>eY&r&Rv}#r_G@D_tZ&D#4-)n!=~k$wV1*cpN?GF2 zXDWt)q;Y$LJ-k4q+jaSc<{C4CYy8xH?M6-%N?4%v^Gr)<>-G{Q{^b=yz-mPG6l zw!M*K8QJWq_9`g%8+QEwyPVKmqdvjZA=ix*uZ9dhOrWHV+MptmI#?<=6uiG1{$PrB zi{P@ihfYRzoqUCYG=grVhvOmY2w(2IZfI5zw`r3ceVoWqe}ot>6ft~jxn%?+aK~v+ zIWvap7XAE&dC#C89tc}1zh23Y7`^o^NfX_nbLsQg#0lW8bTS>%447fHq%|-J%1V-& zYVXrNq35jz(mQ}Rd3DXgDhd92Px$X#%WFx+>jl{eih}&PAOcb34?wVn0pU?~V>v0* z^aXRhpmk>SKVrZ+|CaZ_phoB>Bj>jeaeT`=85CHy8ihy%bKv3o=-SSd`uwMl z;+wnQ6*8Z;$UhV2_=HQJ#*Trcu8n7uBsCw{!VAeMjndiYK$3PVyX}FY@gHQosAz+v zWg&Kxj1Yyb&9JNsTa)vT#ApABqW;8W;fhF(SnLhSM_b+mH+mk(k-jGIMm*J$H{c}E zkYFweE81wU;P_ZFek&pKKxjM#d*GX;V`}%1C*xq02UJ=jmlWYVRIW5CF|?5udHhU3 zDKt0vXrfFhb!_@c^VQ`!lV$6fz~9S5biF+H9*W5Bc%U7_CK36_9~$j^4dx92o6qq{j2DRt<9h6yj9nk*0z7FF zFI)P{;VkEO2iLPbi_++DV@VqQEguU|soAD16&M_Kv<7!RuwXiyF%>P= zJZ`p=n+Yq+^t+sd?eAxrJ~`2XO^0i+=p)tLnQ1;wN3#noIE)`lX%v?S_w|9oGkIZ=n9U%OYJ?QnVn>9Dz2!-(uFN zu^=#hKG!)T5micUJs5<XE1RrO;?WPD}5ylEo?8ctjIn$=;ay4VxAuE+KoGSK4Xd zG}fo(BE~f#$fx#P7*L>&Bp-w*RRlLBzxy7PzxH}U0LdN`z`$gMqrU|NKQg)j+xg3^ zsWTxW8!k{+g!=@A8D`@xs~O4-_S~NWaN%nSq%tmcWGjQvjnb@vRbrgkF=vMv zAgl+a%Z#_@U?=Gpdlx6@^*n9#UOQ>dsYwaV6l5Sflx8V|+_VU`+n88s z28aUs=roVBY1`MJ1QOXzn)(tGudU%nW~HhqSRuD4M+PbW9%SB^!a#;AVka&wGhQ3s z5NuCEvvqpltiAf2v_C}Uh$-<_&cPC=e`2N^`SJlalH3`hb~nr?F|!s|N`@|7%{IJU z(sr93Iv8P<*)b-O0D7o?8o)mx*OWcxQlPXYZ~vdy4p29)Lo*)I>b-w@h`h)f9~=PD zf_8^z4oVqA@S9AUMMPYCQLprNNVtfn%2DBPgqZ>zE(q~7gnxXXSJTU&oy5GbW<8k) zBqRGSIYDcGGU(Lopfy8~SZXoO%pF+aXRyviqaH2y4u}S>;vh4v_i9^Dh&6nDZ11f} z<6>RDw7GmGb9j63#N)V=k!(n$6}=h8*2ETL9HPYe<(}GQ3Z+>b$jTKV+Fyw;^Tzqn zckdOp;LhzkvCXSgQ-qCZwV2mIjm{s5Xb<9&n=Kwo0e ztJ8m;(1d3#JoEJPXM(e^v=S0!0)|-cCjSt5g&55l)}s1+riqg4ct|#;^#KKaqn(ez z-rKaUk8p9VSGmduGAn{%St5w1_{yqlaZv??Rgpa(UWYWI<>^ornm#mv8coF)BRrh$ zQ`zX?;>X&HWoew^E42F3_QtetqUkkAKi}FXdz&r3>B}|wOgcVl(IRLWgUcY<*^!h< zI%>f5m9yBC<>q71%CIr!z=cd`oJT3cY^#jD8U3TNJGj>3HC%jKM|Axm#Heff$x>Gg z<2>Ut#^CGEvuECOWS@_^!dRZKPFiknbupAP&cXU%=Lc%%JE@L#tF^0ThO3!#s|MdQ z#(uq_O!df)vR?%%LWzp+t&N-cRU&22XBeQ{+ESQrlm#Xj2b7^@C6&HGtG?k|DkJ9} zcKhG8Yof4R-?i}x*wL^ux|7y%BGs|Ux&t2l;tqVAz0tl}ss3T9{J%TUWXZ3tf!c#Mf-c@5`)5yTq7_leryE5Vbht$+Yp|P1KW~cV!`j zLI1{PPPMKb!qv~E==MLcNkET$@0kd`SKvv*#Uin6-1E2ZLYXGyNCLsQ)OT8yjM?nS zR|!NHnb|*Fy--J(o0P6EuyVza0t^oT)D>lAXVsV+Zw>npa6q zR<81L5HT@mkwW<^Hl43&3?EgTQZCVa&q#7_`v>|TL<`+8J+~R7R@BsK zUX!!>wfdx>?kQKDKGDDH-AEw&c$*5Oa9K7gyDw+J+5DT~lP2asyjLye5kGXiX{7DF zNM{+B2nWgjWc-0ph<|m(+%1{z^S>2!Mchjb+y=)C*wpOSL@SI|thke)UwqoG>d2{U zx-IG?uhg-$9iS7N?}2L#a2cAMd^f}vrop^D*u52xdSbHxP7(pqYv>z~=$i3Bx>Y$g zUsP4vO^*Do+v1Z4C;o(+&Hb*i{l;6j&Z77Ez3iVZ@L%o(*L8@bbJraApN=&7Z#LU? zmXI&y!>k#^^Nr#1BZ1w~$Y^e?Zg(IuiCWQupB9qK&u}><8-U|A zMb{4n_sPzrn_Z6%vXZRS;f<}O7NAgX=N?9reV_xjq+rW;l)|0w!e9K^NFeXqm+|8? zG)4QyCnKJ=-EaAv-9>W4^X9rC(wB;sUNnwQctsCh<25MF_ml^;ABuM~ny!uaL@{O= z&^Rr!#_6QO(DDvZ8!Oqyr`(_|7tewWhu#3a;1> zv?671Q>q2HmlAm(UD3z+ZhjLSwDzw7-Z7wHUZd|0Yrb7=J^CH>RguW3q`wzx=66wP z0^pJRMo!XMVs&OB+v0$bmI?H1a&08Biqf9#-XEy)&qe&NpMFvRKDB_IiB^g|07yWo^o!qAj3Jg-a`B1sJvEG>GMFw^{9QH~DpAY$NfA$`g#hRGgEc1;lL?;Ew>)MG z0VYu&zEv`JkUz33JQbJ{t`(#G8PC3PGqwQbdx?&dxTG=iINU#_3x=1Gh!-D@Mt-E;#QnU&YBrtnO@K#*9N zy0KNS*i6AL&L%NynU0LUN7^bUU^BnI%`v0z%TwPHmLCfJ71@ZM+Cl@!GYwRT+wc@s zSS;Ags9;d5Q)A$ha_H|yr0C=uh}1?0rH#onx zd=sm;k=x6`Vr59sa5z|xs?#tsat>oJv>hKDyM(^bFMIb-w)9^ckNf?4=TlW%lqUW( zzDo$fp3HHi&|pn7BQ&x)v$0i+LOG0oOyoQDI6-5#Jp#QKH`FQ-7eh)!$B7MXm#hlU z;omcCkEyi~==>z|zSemeW6*v(eNm_@gCYH3EsZ-}(Q6t0V5A;OfndH}RR(5QEi6@5 zI5SqhyF+|l_F-O!d+I@Hg`j9o6pyk)*D4ePWG?qF?J><=;IWQ44R%7%CkUu>(e@SelFTZPw(zENQw6p z8QH%ttb9Or&tt+V>7L{1o{@d++oYn(iApLfo8S8tqng!HyENwYVpBVez-FabrvE(j zJSy$lUeAtk`f4jvzk^EsE}^0aEx0}gE7TViayQz9pPX-(Yblg0f!Ii;*U6v@AE=Ae z)-?Z;}Q`;c^iV zl1a09dnz8SliOLXv-Km4;+n-(j>>Y8#~)+vB?)fzKjdj9B|0}R^km_)hM%_O#(~`9 z0KhF=^K#Wcu;G`4IOGa_fusj(Vh(-lCGXVU^9$romtQLLwl99Xc1Kh4k&ZnXeVa5W z@+nzur2HMgpGCN#Zs2MgpJ8tbB3-&Q_bZi*7qd7S8(o)Q7aEkg=rK3jZ7_FhXJ`u^ z(3R=HR>ODOm$O468QY|*If0_L2do`(37JCu8$}slCK`iZgfDRk0L2MU4`1=WdI1FV zu3=@&HUmpv%V)Lw34oQ@xrDh^zIX_K&PS5H&;tBpjQR@MK8A( zZ-_9@%WX@Qk4-AQ6}m%pzWMWWyHX58Ja=Q3nG=Gl5cxJ~$|8c7qx`4*%+~A$3mmsP z`4<#vCdmD8>>UMe0}YP;8(EPau#wnACmeJ+BU#~S3A7Qh)Lyj)rKeaHZ3=(X^l)rQ zY6LVAcPAu6)lSv4?pw*RW4-id?hDFty%P?qc$xZ1u88u$**xgu)6owchIF2-gBm~JYUjZd_ zJDHMaygZu!Do9MWH-;X9>xWRz#dfqRpZEC=v#u{|Y4P0ON0ub|mTFY4;pP$dw7wqg zuk-@CP2z}q6Xdjvr9Azx7fiojVTRCQuqfk@T8*^!eh^uz4f9Wk&M*)@u*mjVR(9pH zu+nfpI%O#ob4kl!uQ|n zcDa3bY}gO>y~M2jkem%9;#&td7r${Cl*pxAQksD7Hd^YwoU(;C+O_!K6zzLV)l5@5 z=e{4Ll0-nlv_iK?Acrw zUileM(d%4MP?bQ8+&|9XHA1Qz{VjIwN8A0$q1537Z@@#*$3mNguTFIq1;gYOv?xQK zsDtHLvB;SISpJhnf~@96Zy4{A1r(hp zerk=JVwE8_j}jWmj%RE{cfN9hIbX-XBE<$j7PRmRvy9kX5Z$DC10ybv!t912NE*n^ z@3jP0O}ZsLzJ`{?X%p6u%`7&|yFXBy!^6sI8iTk^iocn9o#gq1}B`vUXy39e~OAQ1X{`WmJ_^m-?Ph)M#gO zl>I1g3$J=s?~Xp4h}qsLA9Q{88AkQj_e)xv;{tf8WFK!P7bobkVoP?MdJ><>c7l%P zLerT-;SwVW;Dcg*`5X?!lfG)RNHTF3+>BM>mS=MD4Idk=6j>`HX<%^U1e)sG#narVK6P0(XuutiSxo}EjI#BpgqsDw;8Id zAgkC;?3Z}qJ+`dWyEq?f2OT_`qE4E_b_T7jiJ*$Deks`aJD#+~&Cx}*XZd%^+)%ID z;dO8(j27?R+ywuVg97+;4Cpd}n{d{%@7+0^a_`JUOkD4Y^r?TN{jlQwj8`$di+=`~ z*MX593lMs8XN7(Er?;kI5(w}g?=X=)LT8IL^@nh>9VCZ3_{4tWKYLg{NXJJ3!B~;- z-|P{wY$R%77UZ+K?$bl=oVPJFT9kGsccxfu*%fnl zSQM6*f>)AAWiX|Hvt(e#haoVA1*MOyqUa;&Djp&r@sT;>X{I4dWFzM#?*syZ9R`^{Yw-j@&k^to6G?!wpQ%15k%%vz_dc(%|Y$^>_w3P|N`z5tjRp~?u zGA{Yx18!C(P4&vCyG*rjkQuLuy|^3@`*7@2(y^dCK@mcqQNSU^2OLJpiM@q(`{OY% z|Ec_h)l|g~6Tm}mghg;te^$iq^Wyo3RWP>Tagglexl1Y@Btwp$z+IcAM%&>?Xd%0i~BfSQyW7J{?-WTXp4y$Cyv= zP}b8~HThTSl%~}07wn(ksiJFU%KEr{+qNQwkY&K(oLF^cv5aA$_GYif5N^fOR2&q9 zJ2vjPPkZIk?*tNY=WFP_guOJK#sRYX z2K0Q#qoH>gP$K|&Jip*)wbG?@)#P{c)@Zr?!)|1+cdh4=kt*yR&ffP_d-LWCbiK)J zZuNfg+QO%=NJ3?D_$QtJx=jTd~XWT6UKh>gPb?jHT$~%_Oxo2Q=`^u$qXk z0tnFhiZ?v;azr?Qm<(hKbB_4d{0*#SGg4-i zt)qGlHk~3Y(K0v)6H5w`xYAa9+u9lwayr(;_ziipSu0w0^Z7L39PQ>VNS@dBln+YU z<~r3Tvs+$i56U*5*`%3xTRTEGR+4s#s%KS^5jHteXS*2yy$5F%S(ih0fUQ++PFkQm zXjsi`UUc~c0@0nyR3V$rIp@xIX$?KAKD-vpyN{!5hqooMn%wvbJvz0XsopYOuwPuY z7zwp2GP5Z zp&vl|!YAe?K z-1Is>m&1IGb`E&*jrl8Ig!_+wQ=#0NZL9|qofpvD0rzCQYrEqPOh@{*>6T-mmlNb) zjks@gnh12kq~fGeW%5b`lty>VN|M@Jz*kj@uL#$l|Bi+2YzKD;8COzb4arb?F99NTG{?pDN)y(+TKo@@5qH1aGN+21Z@ubHoA|lxf3b5W z7Zgz)+bu8SZTx!LzTQ4Zgn%W4&by}Zptm6LD22}TMLfXhf!#*n*$ z1W)DwtFi~14tJppAW_m|Y+cj#%@CHr%6;3=lasAbPWJprallzmLt=fv9*ae@?>+YI?h{d{9M?gVE0};pYd2 zms5Q8qN<13v$_01v&1H{lHgm??tHnOo9BU^%5meLV zS!$T9yw0J)obQQm{=6ixL>dFaTxcZd$^vwO)me}n-z3}1+Z4S-?uXHtq!V8r^zoyE z&ii-A&68N`0;@#tcuJ4+r{_sJ{;G?vyex+w{N_+@DfnHl4QNu1&F6zKk7tzxWf)D{ zv!*?d2*2^C-}qp2hcz@1Wb;C|$*=It99bQ?7Rs;xD@MYa06Bx*-Dk1~e{u$a3+DMN zBQCS2u;m>~N3y;S!$2N|AQ#-+=PsS=&J;A?q>dKFdl+aH1P>A#q72*rkcfXZbdc$a&|Z-w%64Y! zorrrsU8vkr3B>?aX8RuTdy)Y<^K`+Gk%(HGB-mVkOy~vcsFPVMQ6q+rm$(R%ysosK4#qW;A;npYy4@>gu$!no%oUjp~l$wjOxO0-x@MHfE3>bbwJFM`!91oTT@N z)|}kDiu!K$HeOgOB8R{;UCN_s6}YW$SFYzXjC3pYJv-W0eOIKjlGCG{J`u?8w$J&y zu>9qVpI0xT2vD~NXQq#Hz)ye^FzDq@RoZ4+Xy5idubur=E`87)BwC$G`Xk)` zWHEw&GAo3BK_Su1{^EGNJcvYc=#!a);k8af>9uxDSiBN z)ZKOTuOBIsfVdd9SXA4&$u+AXHW$bJnf&W@UR8j#tF}+$oup*`()py1b|=ctz)CTK4rh&Ez5p#TgtEdFY6A4~MT=mQB zH1p1f+hJXdybU~${zR}O$^&ZO#94zytE%1-+*t^rh zcCUp7gv(`?^(5dmi}^xVN=Zm~1gkDf zrQ4dp{ZGQdZPQS=Op))o`^&4XvjvY|5D(93-|F;jO3q2y!|&?B$W^IwpzOXOc^)=EZ$SDJQZ`)5^% z@3ib@u!>#REMII-F6_h3Mpbv4-v!XT|M&*<@MC*jSsG6INvY)iduBcu4^w6)p z(=$iy($;bxL0vhfZ#ap5*Zle7O83R%W!T<=@(z7hfS=J`wF|PdUL3P!Tkq1*ScNo= zDqPS{rLNZyhF=>;AN*A&&lxmlFlW18M=PxxzLo=?pml7r$3IKVO?7;-;Ft}8UJRvf z2azgG?>2E>YTddPl6K0w9IB@BdBEY?R5#&uyTO5D3I6yCJ2k7hxpVcL4A5^T(2J6z z48Dqa9Mr~4IAP|Puh~S<>`7;oJ9p(Fl&|yy4dYk-vD)1 zTbJbQG8fumy}!jy_$|QU{#89&Q5%K0{i!ld*=xyOzq0UN8a(632JG1d(ba77a>n z^(%yrzS6t6#HX|3Z#*jFE$e1+Zzqv7a!xZ@+w+dvZa`!A<86H2|O zsUtGaRE=il5+TttvrLEkX~pg=n}j@%Gtn=9F;>sXN}I?L4m&5rvmcvk^_n3w3IdoH zR@%xJ^HH7kVr81?gKBCYZ#mXqxTm^(GTZ?Km@0{jaO0jnc*7#tM^t5Wwh=msGO|zX z#2j|t@myIf^3glCpQdvpL zf)yhN`tDfcZ=ovHSSFT3c&HCMqfVSzdZ)vFdM**mk5Y|?_w5ceqG!cST%w9afr_7P z%9n$;X&o$dW9=pnekzcRF<`LhhMJ_(abmHF7We5L{>8p)`I(>{Xn<99f&Qh;M|rFZ zTBiRJKAV$dEIoYItmrhoSHFX$hW3=XB&L@MJLGk1FIMx>=oN>RL&rPa6Q#O!DJg@v*z8Iyub(IuZM`y zLwQ|0A8(!Tk{x>f=GAnJ4-MpzkjsA?u|yPOG5;}@;tpT6UzdspHM-$3`4AJriGKZD z^LbE0r9b89kGo*?mMzfh&?s;0k0Ytd3^P9xIWk6P`0jGkcV#-`jT0bXY_z66X?mj9 zTOb9LmHmv1mz3+535CWNvhjeozIPv~>dL z>$z1nNwQbe8FPHGdCYtnTewQy{vRiqW=lEq`{X)oot_C5G#?NWngcY5Otj$K;n52T z+=lO*X*NQG0+9UfJ{LoaeZ&YR+Sc2E(CF6*9;9(M?Xzl(3vvhP^P@QfV|VGtXEk>4 zErAv9gb|YdX0q};$CQ45O(AWWKEUd1pn5JR-z!%HH2A5gx}u**Le=*>?C3(i)90|r zV+7h*Xl5@P734-FXz{<({_6JELTe>?^y!~MD^`qb{`~&cTmtFdXf(Q0 zM1Ju>D`y}ny92q)ds)T^OE!xPyPt=6GEoM=6;_ucpzbC3RHZi_e(rn#%mdqeXbYEB z7u^htuuA8jd$@HsoSzm&jx90QM5aj}g{#B>z4ONPR1$*1uvA*MUYCS$noBlJf+~Z2 z2m}&Y>E!%8SMVv}J$eNhZ;|b{oG*r%5iTqEkD`E^BI}3J6Fp56!4h8^Aq7e5Ro?H) z5;dID=KE4ChJbpquULfWD=>VbV~KEz9k@30{>Fb6WMXyhcxp-A+0?pvStD6y5P!@5 z$6sCd)SDZ2O`+8nwI49cw{4G_2UqjJj?RC5IJUrHc+ZzVB4VTK^p-6+TR8?zXvMn? z6w>jXCJIfMhtOkF22C};oNe`O$FeF<33kyfC0fcpXSRLT(jMS9G_(GVCBI2qqu3zt zo!fG32)OP{M>L*wo|q99k`7ZUI6^qXh}&Pfk3L+i_9XGFW2%qR{xURm)aYY+I^M% z>*RTs(yT8y|B*f|w84CWtbV@jH;jHWKFsR52q+fk&{xah@#3WWw8PTcx}d~iMX{xp zTfMTfjBZWvCtE{W;ldhNl^F=mS7WY-m(zpy%e|hSg1KzPI``BqFNFON>$QyA;JlY% z3`50$7TB^aQi~1w(BwBA%{kj<{N`jRV}F*+IpvyQPg);b^^0nN>9WrO%)4#u5mi+G zyJI=pSzzt3diIPqXYQ7Xq({Dj=`HH_b82g8qa0DTLH^)DS(PTYAbSe(kDIBDd`)?; z^h68PT7nYpNVpVLqSUFRN6oK3fE1nwy1Jdpol|$)(|wo=v#j1q2vwbSEU(-tUvt=a zkIkqrv1Ej=qMPh%Cp+EW#S?yIq0&d%{Tg1)6RLOH^>GNm)l3r_w02y=o=v$Rtv7I& z6m`;G;x=$*_@IjG&}Ry+fdqKkgkJkO;GL1C3pr4gQ_s>0!D}%Os zax>MOoN;DZV`O9VOPmx>CUeEA6{!uyCjpNQb~jCmp!h+O)9tL3^WaE~SCLW9WP^ zIXvimw_JJQv)QoYm-r>qk`L6ch9s+OKd78lqaLogKHud_rmMM{?a8P#7n^fnZRDOc z)|B2w{m=-QfYSl-^(nIxo;@DPzR*8VX@2+m#)TgvI#%M(=NrTUcc}K1&TC-@9L_X8 z%r)A=9arELw*H66dEz#@!06gjgZ0m9_ktK`YgEHo%`Eb>SV1nGwcWu$*;kh_X3Unf zkTpDaVm%>Ku#HY?|HpD4&Au=a84;Zvo-?b5$B60Gclrqo&sqQYRzmBY#o-iFBT37u zaF?!oBs=EjUSE&>#Gycm9P$=riNx#h0w1r;=~8MD#{1~Bm@v2mWF-^PwQR{q;M6Ve zb1k*YeFbh|Fiu)WJqSg=PhW({!vy5CVCb)IsJ{-YBK>}dU0}Wx}v%Fs=I)t~5aonVMQy=vN~Q)MxT-5=Xor<;~sCxtV#ozAr5w z;~#=ArpA1+XL`#hBZo37u(8|%q3`7+oEXPc;{1&eOOId%kPg7o%nnd^-E-z^c2QMv zyW`1%cL23t{^jwB@EAT6_P7F_QZT(gz%83Sb((AXc_+<9Dwo@SXF5%L!$s@3q;_-$Vl=r%TU9A2l?-=Cx{DIghm!(D&SHNL#pavnpF+r79*YQ`K$Ed6 zZ|LF=OCnn!bsUlIbN zqhRWUG~}C}AM&e@{bV{`N!0ecIIebWa>RNVX-3y$^S3Bew#Yc?9TvVd8fU=JctF_d zwlR~&NY4C`(B&iP;nnTH_3=7i>htYGe(sfS$o&|gjt9Dxeo|-@qZVajXIW`y`fkTb z#SFT0EEdIMJZ|he7TEODKiuD>&g{u>IXB0A;-SMwM^yq(`&a3UW4Ds>Ds}*b0ZNn2 zI_`{1$27bYc!L#6d#Wk|WGgTin;zVFRU1QN_g&j8@n>TT%LI@y+<_k@TaEPgt^-2V zR8pLbkD>o8aGc+Lc8w|22eD%Rz!cJ(S96URzwVfQAfs3FZ0|i;jXZ(N5k;rXB6Sa` zDLGn5-RfONa(3<}X#*P~F1;X*j0kk}+yR`0i4edt8Ce(1l5Vr^jhXLTWwQZv*bkv`58X@!bN4V&NTIfB-WAP-~m&1J0G=0o>K|d zy!-Di1fzO*+QvX7*KNOm2>!NLF!$911ilpJhouQ=Aj5FRzIkMZpa!JdWqDk}CmFS@ z2FFJ3C(1xpI2kl-%g=#M1XH@LReLIbUw9tsL^Y!v`M?|~(NlZFmY@UFuj3xyG$WXU?)svd!LRXh&P`M|Ei)k%gYnh z{Sfv;l6DITI&oc?YR})!LEiC{SWw$KN_D7GWZ_%IZAf>Y9g{sOxL?2u2!(MXGG}?O zCLtM)R~ILhqD9Cay)ha;pcJEO3^mO*o$5embG$VU|HP=YR^hM&W&>2an=i@9Bu+oJ zZ%z%2PLCMg;*nP= zz4Nm-LYDF-oI8+#M8^B5f~UBl_tQZE;Vy%=T-6ysUNWHQAJ3>t==_}pkf0EL>8nV} z>Awc#zYFReFqJV^0#_(3GnZE{zJ;&MGs{zQ-AjLysJD6U*4||lR8$?ueLTiKf4t=p zGJ19d&%9G(mwux)hveDOcH-m2tZX5cRLJ-8 zR6X>kqtPG0OIwTMLkBaps{q_hV~*$DwgWZodC1pFujaZKr=iBRTeynF1}ogZ#^-#b zOj@UYZ#Q2KQd92rdWngv)#6HrIyOSxd37@>`9yrpj+z|n_HVnNwo)lrAinOx_E%t+ z)!XkO(Iu5A1731jW|*_$V=xglQ6k6Tm3!T$+8ZB;`x}7(z;&hj^O3QHMUV8ZH}q zSsRa+N770Mzou>a{#gC`P2{9-Tf4zfl$$=)GP=aD^GJAd2!j8-Y~NfZmcK)|^ML1f zSlDxZ(8_BKOeN<|yy<0`4qTjUi){6Px+mJS)Bw1l@Tptr@>MpcUlYjZ4bs!WQ4Q}V z>7(nLM2gpSD$tV|cl64|iJsSlB#hnmf`OWfd(PK&ED=3id12qgTU|jlm0@I0F}tnC zZ*OY~mZQjfVmSN^;3z=iTTMZ#+d2QmEw3d&eXkO=pYl9T+l^q+b?g;!TT63^zOGXL z>$75W@IWvLy^Thys77LYsIC#N^p4HYmsZq5gQm5&Ts2?S;h>bYbs5#3z_*lZ4L>$t zNk(#W!8L03zLDtjam`uRQ2`*@?)~6-SM}Nse@jTM&$q|@sx=*W*W|UPv4s8qSbOt$ zC?D>BIC~|AB(g6>B_!Dm*^(4Vl08PmV6yLH&CZZyr>N}9kbMs`$i6rBeHmjL#x{5^ z_kDlvyZd=Q&-eR0uh;KSGhXUC*E#RAz0WyRBY0rusV31PI}K>anRx-WGz zXM-7@ELdYxcRy_$;c&rCmCfC$n(|YgS`R=+`C!GxqVPZ;ey}hAw}v1@_f7gEB_>BX ze2AeRO9#uUZb-!5QjMq_(~v6r)&<@hC+tHIFL;d1Ep7yR5Db-$Ml(TU5>s9fn)2U5 z^lR(Yj+KI?o&6L*rz76*xt3TI)FFqbqT_bnsBD@mKrK+47mvtOItx#JKI9XT{1BHsx){8?Awybh_MK+(0c)=e?fPQA%;#pw@5e!E9Ar zPF8xkDu?^vg;CDyU|nUx>QL$B3q{rBwc#GdYhQ5!spHip6Hap=#Mxm(Sqm(F-9G*j1l&51GZPkNEm!?vUyrYxDia4n9{WNzjiW zYXE(CUwi*np;`NurTuuO z%RnAt#@A`vQ;c7e$toHq&EA$L086_-50SkwCh!AeL!-7ttYdK;r-8ELLVoWFBNh0> z8pCkVXXUeORWe5mds>8Vl5C3VXI4LmzY%coQ}iq+0(Nit+$Pxwk8vIIWbet_{tPvA zEa*b6l~@_g%UoN!Ub|%+w{QSv9pf}^|Mu}t^#;6rXN&)%e(rOi=+|6qRO14aPP25X zbGLxG0ZrXjIb2JmgL$Ob@TP!(Fwjey_%Tgum8V-|?1H*x`Ss${J1^pWsgU2$Dq!t= z(Vn+f;X>7Kx$Wfk0m!oXRlvfhQ{!T5Gv!SXx}%##nil)b_K4l31R-~5QXK@~#F*qQ zhlM!Zl4Mx*7hpv${l~MqZOx{?o!aq$ru^?iR=boC1Meeai{ztSgf{=F0qm9VUD}2(~NXfG#q9Iu(EHv>)vW*$9Fr^k5!nQC307s z*WBt0>InKS$Bo$At+S6`6JA+IS|Z!OCuimT3vC`J=a^-HGWOW23VjqsSDz#+Qu1UaFm4P!nw?u~rU3W7OS$Hn)HcT)#`rq_bX@ou=DgKrxKcZ1IMj8LeW*h; z2ITK*cSO5#akUFD0)fKH+FU2?uT*nea|cV_2Omt3dbc~iwkhV)>H2(Qyg0NL2H6A= ztMS7HPGU<##zQ#!qE(met*6>=YVp9Z$nz2Vs|=eV6WjR&LRlknIHL!1rOFhF0>=Gb|p#8hI!j(5ZJu1+2ntBZ!OHvHm3t>o&Z z7Uiy5#2Zic7`v^+J)W<8X?y#2XI#GTUROo^siSS7)Y1|!m$i(t6XU7n-qW|8ur4!?He1c@=95DV1D&R1{X1J3F}y2v^zjmSoU7>_WP=L2kc>FS5&w4vN|f!_0wL$ zURAE^ygvULcs8((@5qCqw&3eCq2Cm6nytIJy?+Of07$dCeGrO z2l7pCVO}vH)${fACU%?hE28ll*SUvP`thbL1DRQB<^fT!TE2Fz6-Ww+=eMUjhY}Po zCD~l#)sGjJ9{yN3grW7C4ZC<_j~v1J{aFh6+dn4WHPg6kxAXJ!JU9Kq5&#exd#asQ z%&0iM-hIP9mp@t)mDwHCww-SDdw&y%=M}8S%zhQ%(40Oc&1|s)25B!tVn8oasVBg^ z0C7^C==?peaMhB@Wh3Ui5<*_?wo!cik@a}q$hQ^iK45}!R9K@iGmKfcM^W+i)tD3q zQV#JNF>4#3w2@|u8&FIF$YE2D$#^!xPivk3?GqK9L`c^8evTtAenFq5o zQs-b)-xmULOIu<6YS_FnyO}odU=yy0A6K(dKDDtN7gb?~^|H2Q9=@rB9_rQtmkFzZ zGSIlgEfZVZ7NmiN&VQ`Z-Xseu1Y;H-t-M_&T>`Y>aX_Ud=Y@NrG`!?XF8dJ9Ee+Up z@E#28HW)6qg^t0dyv;ux0;TBQ3kdl!fcFEj9s5!EgV0C@!ff%Ud~_P(2C%^O+t(X> zMm5IKX#>`I1=h_$v}tXMq?!&RYUS;F1ZKyzDi~t>~qI zOYHY<#_%~d01+in%$)rA0?2rcs}eRU2ZY2uc9;zykwdnP&c^~edx3$N`Nn{OvIaJ} zf1!^Twx9y{C74rVA3ym#MubUjtYzVn66NWxrgq(cj*(tIb61p9ciu|m_MRydw*SB@ z=hXQafFB-p!TQmR;q|po3_x9J!|?0=p0sX)OG72XwtnTIc(AVD!r||^Bn}H~zD}aD zVVJM$Z^mO>6_fGp=w*io+}DBBbpM48;_;XB(uJz2w&i-ZtqbvG{6x%nc(u!;7Wu-> zy3N^NHWjHAnsLj(aLXGgoY==0brQP@!}V;W6&8YvaEYH{8GVj$drqm?5sgQ`+U?^_ zoD0AJyTN7I@8~<8(f{Ba7@Jq5-w?f2vr%86-ED(C^}8RyKC)JpE)mcNjV7r$hRDU z>v2mz@^{vs3vNX?N`HlVI=|lltijs08*5E1Sowg*VR7TU`J|(a(X!65TzRR!c*Ps6 zU~1H7Hb6mA?K>`%`!`gab#nf!-8BCA$EXU+R@;A#s_cZGJC(`tQEgQUZl>~i zemN|#jc-1SSbCTu0s{HqnuFhqK$qi8T((Wq(ER-6Db!&90_7tM7uP?DtH@k}*r!z9Y5nj-DMw&iPUKWyAU|eJV@` zaVZ8b4*i*?fOFujp-*4LA7#_!R+G!Jbz4oK?5bBjDF=;0d%(C+Nb+xBYU-02FcI$R zGSF4=3e10djoDzz)bT-@j%bpI43m6Kqqh(;588KSMgz%misbo(W$rF z9x^MHxB=A;^$(4}ybaB@dxPD!KE@qoXpTr+8!xD0;ggYgOgZHd<~;`%bjjI6dVeNVzv)tBYcO6HrNE_ZJGxo$e=d7}ZzpxvF*Vx7yRgu?j5HT~y z1n7stynF*!4($98n*`=<^9$}R8h#oFp~93@$3iLG$pIL{m?&G_}M>jgN@9&OnG~C#3<^{drAFh*3tPn{_09qn$zqBiA5fa- z$qlUILfOgh^k3D^4*rSE_O#@uP2Lt*{2J3K>-{{Rb-44rF$#^HB=_$`dHPNubLa5d z7h#p0M>$1`F^*p~e0@TW)096>DV*~jyD;&TfVYMi*uC^+`^nsb{B4;mX!L%pKW~ZK zkYX(34fg)YZ~1sb`VO5hmkaNH^Jm#$+6oDOa9C~8_&T$L^+W6&2g`0H4YO0g(3U`T zkKEk+&)s?xDXqg=AuuuZaFSqGn};hl3Yhb0EY{9lHB@xv z8F>F6oF~jbI8VH6TmQv*+Tfa=0&yvWDceJ}SfVrH|#C%W}fX@(sj-HS42R*`a? zOF#`Pm>DDLxL}z|JTJ95k^U9!&m3h3Q{Q;*lq>hqPMZ?P+|jL@o4>Q8I@|bU(5wiR%cE5 z+d*M>^I^pqa`ae_owz0ow026V)!CpkJ~+3<0gKghc}zWEIfg za5WX=1h^*6lpiK^boT@jlwKY632cU>kh`xuZup4=wro%&tI-_ptU#Ies=vM_wFo%6{75d(&`h_9ZAh+KT^N284f3#k~peg-(E2TNjYZm!fC-q)wJ8c!|-ocW| zBNv&q;=0{sV};5N_MF$Fvx5T{dp_KT$QnGdQon-?Y=AU;z32frZ2AfS+`x`x?tj?f&-n&YW?z`nX`LysjinQ-h9&2za20>@-7)S;MM4R zQf_z6C*We!$zs!dn__0_&EYcDjh(85siMGwCCLc9E88~R^W4j99x<`ZOY`E3AAl;k za$q$o^jVK={CUq`heO$pT{`GV_|oxr_EliCob$N)Aoxw{E{(_YEcP+k3)@WOsu0Nmz?j(K_SOeTG2vC`Q5J& zn}dbbr^SUFB%sUu<{DqqV!bOyZ6IR~_{jh76eCx<%~S8H&~%rGiVeOL%&G2Hi;6$u zE8htnbTf7N2BQh;_**lTXKNFOX_T?ot%D{5#qFx?+mv26Lbrb*q#!mcTdl_Roi~=_ z(m9%fKlN<*N zHppaMz|)UrfSz57&Za%|oCgO3dpS?8RUwDL@B%^(fo92IZqbE1VFXShfL$#EyrVPC z)ynoN`LP8K0%>c@$QyDgN>8juAxKs5YP!IT{ z`E%~LfuX{KBos)V7-EF`TA7vZj`Gp&nbyg7(HMbQ8y!zKDdl?yM_FC$v#~64(Rr-g zDB#S_d;Q^U3-C^Fb7-gP`}={p4pbbYEm4xhV(ZwAk2NL@(C3{%ZIdTwzm)XE^S<5M zP-Rr1G92JDx*{r@FI-i>_2kQxLmnmJz0b8NB!miq^i=5a%{4x?+<5v~uqM}IBlYoA z)`!QS>zmQ2bD$ZrcBbo^lo!wU??3ZvdO+g$`Tq7f+lIe(0q{ina>>e(t1Z)$DwE!P zw4CP8{n;sund4^2&w-m?x&7{6=k`v|^}<$Y9(O0Yj^yNe_JEz$?2eb1^M(yejj#=S zzddn|mN@(pF4Ce_EPPfa#A^?_)aD4Bbzhg;tI`x^JrV7Zs$XsuUXeRq892NG^J?D0 z(S(6mzq2Av_YsJVsYaL1Q%@(?=K?kYuimz@1!yMOLoD z9(~l+S;R%yox8|$8#$WCUF%JtlY>wNFS^N*`~JT*LzmQI%kE>UmN2{D$+Jv*}e2H<*8>fx|b&J4)J*^Mh7cAn)2CQS(iD5 zKXh$+pJ}ExNp#-Kj5j~%?(Qw=)~``a;4sNk*QY3Tr>wts zr=>?7|BOHRB7bb6<4 z!$*88scg6F@&Jy;g^j7u$hCeTWpsyKDhkNJg+neMaFeEIzNDFRFBvF+3w~6E*zi|OcuuPQ_EoIDDax!TQaad5HvJdSA$3c#&MP^5SW&SFA+4k$7tTQ*$7WrT4`rmv}Jrl%QLxurE449<1 zEwtsDYgb?*>F&dtTb!DP%^44nRRG6ztS1Sc$q8_}_9o}+?SC3f{yrXY?E!4Rmf*PR zT2*S7jAJtJt@wS8j3RxAvrLh&z%kI8#;PvZ$oj-Juel&qxa{19DK5(-Q9@q02EATm zi+uFEWz+<7Q4}QkT5gHAH9(@`^jVX$qe1#qA-6YR5Pw+5Ilwd)WdG}<1SV44krQy7 zuy%O=pt$dJKkZ7tmN2=Nu=()^@rWGZjNoZ*^v<9>eE?-qcl90bq+EX7N}t|Q;N>Y6 zRStGp!VX5P+yo>t$QuyS!#UiANV9;?qZEX$sT%F-1_`=Eq%t^Wmv0U`m`aEawRf?! zv`cf(GLKLU+Ea9=+#!{6@qKisEdg~+P4(0|^NE33g66X!`eca?ox8gd4bzvK*%l>) z=$|ZhaPbVl z+`ugv#H(MKIv#`?kKqR4LUu1P&q+9Z+#ts$}w#DglPu8|AH4OG0GXPDq zqY2N2wHT~=o$MM+E&H(8=fLqLCN?CKwc7>eY+<6DPHO=*yR5^moTtmG)iqPzGd-7! z<_$k!%l#TT>rMnGq?Xb~8cf&eL7tCX+qkKAVPi*GFt5BLd6UzJCLi~P8BQ8OL%PYzht~5+u4M`6NH!$9ASVc_sGO<2)s_egir_o@A*v|A%;QUKZ>;%t$J-0FJ zaQzl<2Jvb8MLQeJ1(z2P2rDLz^lQ|?x=CC8$wrH$u^ zUxD(IHnE6@>ckN)b*E%&yE{zUOc@dH-Od$T`q6oygdW~Cs&w&xfy+Z6$*+0tv?y5g zjJH|VqN4CJ!pCe7rAy~i9q%%fyQ<&~0&7lYf*OZ9lwih=& zZf4M?-*^a-}XD^r-mxCEcV_R^7L@&e2avRA+7{rPCf#M^MM!FV^=QSpxH zOHtA(8T{IMORQY)mP&j{@#PIyrb8bd z{-F$jw=LcVv;?*wqKW$B^Zb|O`XrNcW0-C$T+nbfXU2J7eIDwS=q6qz)h>E)nabw! z4EMqyb5kDV65ygXqdh!q1{0_DTT1FLBs!LUQuCS9X|RxsdV0xGk{|U$TEaU2&b*Q; z99x*edb0mulo=u7fP5W6%j(6w6doZiO7B)Rub6UWYd$e0+{uqr2XBp_H9n_T4DXJc ztXwS?rM%ZDTI5~Ec;B23;e61RrP=$h#;!C-x=I)g!GN1I%@1S@10of&H3y*)cC)<@LL+^JP58H z10P?TkdqfZ)N3yAwD~=IHY_g>c2VC0t`KLh1AFiitUJdxIF3fq<>|~`My~TQsswou zst2L_9R3ctPgn>p9*YPV21?&~fUHO@WNoEHzAJo~jXAg|_5R@HG<>4ZApsMTGZYv+f$dAJcW?pVI^B$6lw}Mb&IBZA}wB zz=FVLMr;Fq!_w*W5a+W2|2}gv;9B!5Y~g9fA8G}t+dHTd7lm6zIq!!9;HQ6udJ5C! zq33)+7<)AP@dXSNb9=v8zKc`>n(VvbUgqUBMdRv4aI|Liu>G$NG zyxg!<6BH`9iE}bxIa1XN7Yz~pp<@TP$(L`w>K=)EHSx}_ z#o#`@P1OsCq!ew6uc(%r)9ONEEw$AeGuzG~1NFIF&^eLC2bsaa%M^4zn7cly)CXH= z%G~mZ$T#qv{b-6eyI%Ut+oQHi+$U7!6g^`RaoUy|NSh-C<&eC!q$O3GLs*Ehpp7(&qBX} zudRL26(SiyY;$~EZR{`ZL&39rTAB`Zu5%y$WsD z!^ZQ$EUUX&au+#wTSin*`B<>XGK+BLd2~D_4DJ@b#xfS`;o)Vqh(1?^O{O zr&me4&WZQA2^Fd&I(|okz_Ni2*leW7!ktq(^QsmzlGaxmA1a+mgsyxSiB~W7Z^-{<{?wtrK3Yj1x}_BrUSQ zd#f(iFyk>(R%3y}w^c$lYuoEslT-b@njUWrfrJ{bCZ`~>LIaRnBiSKOEzIX=Y$7Ks zP5S-{x?z*Lp?6{fzK7M2Ki)avHyjg#<);1w`dvkyzs4pf!8>0-ID)N;_Lo28`iHUo z^$Hrx6#-KmyZF0>hV-wP!M~9Z{6L`5^SQz9o<5%cEs5VDkM;X(+YFZw`2=nG>jzX$ z&Z8Nsc9F3nn+lYA0u-=IVThYwOXWh1O*|Z4$m4tSMCDyJTUuNnwQY)0dRS-QA-_)x zrtvfjRoZ>8J2EQA=hAyuzC0Rhnr~Z_u**r-vkF{Oc*~d~-FMrvf05kl(KQEiMrHHm z7_zX>tKl5iAh>yCaM6L3RkYHwH8F{kJ+QNEd5M{wCg~G{r+%4bR9mOc97A($8G7m! zu*Tz;+um^0TUg`K-Jj2Zm>IA1TIb4i7br?aWp?Q`u(IjH`uAkJ)k)WF&l=#IJk7-6 zuHp8}sGF;vC)CEHV0tSJ5K zD)UPoOfMB~$T@_exR@l@^v;X7RVbfRV34$Fw}qRzJs(Qh#>A>VTYww&345Tsk*JSoTHp+2+>I;Ksr`p%(sEP=6r$A6{moHMH|Obo$>f1I z|EU!)yg6AqBr((V$x2&z(ra(WQnu8yLpy!AV8X{1Sl4%CV|_*K-*Wj2(*H|hucOX_ zjHuUqFaG$waz}Cu>*mcynTj&3K`CFDVvWAZn}W;t+}`SIdeb|s*+d#~HB*+LF34Ok zu}ot5TfQW6f&)952YqHV;cwdn95seUY6;%Hks{NfR`BDP z9%b@ZLf0}i5=cc*;vn+!W%3YGF`IKyY3VwQuWWXesAhgOecQhzvpagZxr(_W^ssV> zHua!=iET@wuxcxy6H#;k9<6J7$hx*waL^Y{<$>qrm!D^A+mJ3ELL`j7?iojpm6h@0 zDQkliZ=UbG2IOR2ls9z_;!WW00@XDopiNEO(%S|ifcz(0KximbIZccrt#j{}D`;Eq zRRUq7+^5OLG=Fo9O>CS1loS`2bUR=V78bK;o|bc20PrCHgZ&m?AidQ%M*iWv|9@1H zj@;sbZ$lXjxV&A}H6byr#cy6mC-yw5ATOgZgoST4B3n2^RkgJKJZFgHvQ^t=9a0RM zz?>Nn0V-nS+=&=6Xnx;)$mcYg*nkAjSYE=5x~^^7r$(~(kWD(zWO8mHiw+6~6oc6z zOTS0$y%X&>RbU&^$kfn;UfDKD(uYs@XfF7MH&Q-F6rBvcWOZtz$l6{M{SNV7CShva z%xqHHT(&yojg<%zX_uFMhPoFuXMu?ok?m~>j_(AHz(X(1_4Dps=Lw>4b0;$<g zSzCu_F|8dsx%=U3(O>d>>VhkVFQkgF)Nq*$nf4fRStqo?E-gYX;UQ4)m3zDUk1)AP zLWookH-|xDz9uVv0IP&BPL{TtHMWyQsq>Kv$Da#PyKCRpS~Ggv)qZqEcd3!ItcaRl zjsm($p(s^H^>~ulv5Qn)H%txK>cSaz25`tjrZ=Drf`dvyoGyp-n&~J46|JXjm!+3Y zh$(!nIM}c!EmGd=_;8ogw&=?m<3F;411gSFMN;c*~`Sj<22(T>}RX%MyFLJ0W@6qI> zF|TSTg!kYx~l#M7kLiKeK}^uZJl{HJHhBUH|RqNb$V@ef4kL`JfsOC)LP>N$X; zNxVT-Y@XY%1L{8@H)GHbIc-B#;CPngghNv(+|4^B6XG-^7^w&3IGl?{>9c>LNhq0XJHh8dLPXqr#U zIrlt*GMdigd@7Zm%yF=Lgvmmuj^}ZV-g590dAz8219I6adaHQrbDz?o8H9FzXo|Qq z%F5)a`QqXh;Eqcer@bq8zW~l>F$8$H#q$=5f4t!T^6UTl;pHvB85w+|690AaKakRR zk+;{{r&FtrmaNa{cN9IZC>2Qye@E&D?LR+#F4e=eR}~(m2&0 z`;8qEIKzXVDB?la({e8CoX>0*Qh=7 z8MV<*QvQd?1%Q&qRTThY^7ck8-uz)+uhhuJ>q$1Y1ebmn7*&W=?7q}!ot4B!Giz&- zb357;#FRZ*w!!pk2PhvisHhIhBnBW)B5|Q2%6GQSpmo|^Q!QX_C77KD{`CXfkGm!j z+-B08$9f2SUplc{GZ9$GDNl@Ulkb%Hp|_Ku)*0|Bf!eG;B2`v49Dj~XDExa-IEpio z>O8CYomW0fP#cIT1Wsgz1f&E1h8ibcMxHp6nv8AabckS=1&d6tL^fA0=F7@OboGrQ zIZwK2Sn*BC46OLIJ~yBS|8Y1Nc;5-UfLSE-CR||rAWL|wci;m+sM(_L?^a(^X zqDX5^Y^{7oSt#5FFX^RF!cysFBRy`e2IoFyCAbVS_YLZqTSPJ-xy%M%jnXqHE{&!f ziUt*zq13O{9SrsHHczDh|9N@fL}S9{XqANr>abZULNC*S7@^8GcdHcsOG-SJf`9=c zl^Cxo^N8vP{OTs4sB#S!cG=f&)nO$15YN{`BEyrf=HC|`#F6kJzpe(*9IRlQUf)@c zWFMPWcZ3fNzptxzwp~=A)Qn21ION*1e4FRJ(6{j$gVXjMd3K({Pm1>pNy(Dl{qd^* z&b8{Cfz8Vqg{}|(F%_;&h6k@9B$GuIgG=QuPocwVT6^Srok1zpJRuz5d)6^Q6qXS= z!5Qe6$*3srJ|$GEhOr5;O>^S1xt#5_Oi@lqNSepZ`TpK`wiZihvh6OLbkV@1-!b-G_UAa^id0``0>A6(^sv~zz= zRuc8h?!=;>Y`$`FX_{puWmIW2Pqav?w;iI59#w36`)o+&dzM>a8uR|Dwj&P&zNkzE z;-0E2lPL$ysL}ddm`_Kr@8}Wu|9^GWWCK%l&f# z^Z%kDLy>11vbWW>`iJa_pPwHG$XXI-5w7OjgZ&E_tU+c}d(sW-;J3pMbU5?`73cW% zZgG_aUF7hz;aclk37}P^g+*SeVjsvH89}~(+>-JALY@7Pn3gbqnmOEiGoW)R<(h%O zH=6p*`|i-fq-=D=q%$40ftlKJ=Nm((xDl5=Z==nORLY>1cRzF4SWTW8-iI6;UV*rU zO!A0dEu^iQ#;{UxO>--}l-Oaozq2_ykidCw&0U*adi$p1lOAI62vg!grzVURXT;=y zYa@Zd&0;v8qf?3bbWg96UHZ~!FZFXi|<>jBgTXa)dY zxJy+6N=^E2Nj7$H6$59P)`M8>DyH zNB>^+wh%QK94(ec5Z%>)^DRYcpx!xz%&`B0P?_Wi(fUTbe_H0;ly)V88-*cBQ-Ln; z_@Pmwas2W$CbW`YC*Iy?VWnnugG^J;K;UjW_aWjg3WmoCK0wv&Dd(IiR!z-j($}>G zShIbw4pbmLeIk^A$Lpjz^TAYT<^RnGTb%jeB!u1YpFTKF>GRMD(d}%b>%%jF=vG*O zuZTS!>c}HJf+x+b3<-UsxRdB1nYab)>+$f}hlZk>K`dsdQA7?M#`U zM3l%fIC}FweuN{9@)m!CN>Gj1Nii@MxU5Mlz5IF1^a>Doy_P$}3^_@@$Nx)aCw7L& zLtaj$<$pM%d^S>GtZ2m@C@p&$|Jn~2-oK!~8gqv)^JRz#IY=ZZYca%M$^*B;?dcRP zvTQZTb1m3d2H&TfEY8Lty}KyE=N{V1?C<&n!6`nhA?6~>=@h+HW*Q-Ee#sqg+U$jW z#p=CQ_APi#HS^kuvx8`5lu<%0!`HpfccswG%>&o>tIrYd7%K7KY`c}sKx7#iN1552 zprV#;AdLHiIe6^4K$;r!ixtH^vVej#$~2$|(&*8*)S7wH`1|&-CAAiho7E7Z`QTn$ zKV}9PZS)|USl+xZJn^6k#Fr5XWy`DZgVPH`IO1|9eC z0w-K<2u@KHY%%;8q|@Rj*ODObo>BecTnTt&-;?-< z8gMIP>H=&=%IEOxSXX+tIc>)g5jl=aS93V)J}01={e5X_;X7B0zCa>4e7sr55HSji zOP?W{8(yo1#g3EPi@$L&IOQ0got+(Bwq_s*X3nnKEZ-8E69m3A* zA8m@WI;Ip!;@y8^#@{<8oqwdhTTNa4e+dh~qhkN_UijoG*<;}EZD92u11<5 zC(jbOF1n@Gith|X1@O&KnUY<&+o*Whr(4_=km82YnpB>X;u)Zog5X7hRuf(=21|TD zScy?sRn1h}GK#})RCmENJd#EB-gf$>AFo-a9{^;V9T7@RP9R9#KI>0xi#!SZ!%F@J zf*Y+>&w|_Wt%8RT@+#(P8 ztfR7d{j(IxbX5_8UpXPHA_Y0QTU{`A2EuX-E1C_JrTRT}j*n$2wgUZ$MZhK$`eZvJ z4RbK1c-3k4h~=;fpz)#E2nX`FRW%I)48?KGqdi zGr3#H5AYH-ee~h}-=Cnf{>ye_I-0J}V8(1|)y`BXfLBK`(g#?Ckfz z45Sf|pSIBjTa>cU!0cQ8%-X8tdL~~xMJPP!wjUGc^Tc;rkbD;m9D23$UZ6McU*IH0 zzOTJ{A$LSo#%8`Cn1|n4a}kBc+#DHKrrzcSIEHO%Pf!Efy6&PYwp~{BGtx+dds1I+ z$k4KdGzTsxexAMs%MiJF$MBh~+dh}Jh6y!}8KNW$xmYh35o!r1aWUSxKkIR>(*%^e z70NqAJp9~@+K<>uy~-(N4xg3MonL%j$SxfsLJ&9K&-W&jrXPPkLzkk5bpIz{x8ZoK z;kbiAQ+7*Ta4xPu>n@cR?~CxI>{}V|kjX=y)%5&Zx%cLy?|H1Ph}9okyyXeQgVx*Nmkiw2c?Q)mimgQ>YYItC%Q-H3^atI4q~hz z@EvtNKBS>T49d)`yQMCF#>GmKKtdo3wRYbm3&J2@*|BtkkLQT~_dgd8O}& zgHX#(fSke0+n~(m6}{1)big`>{u&&CC~|yY2Om*p8wpJliwW3m2H_dPnS1RDa1Ol+ zR1*tCe2>otFdNn8rFiD9NzMS6q$Tiw17L?U0PX<2`}8LOGd`F`JyhjzpVtmoYc+NN_5W#aJ0bxdTAvk4~X>EbJrTy5u2oSMz ze%^w%m(A#UEFVYL1&MP0g-fsQ-``RCUi5%YwYS$GKd6Z7T20heKnfLnRAH5QL~@xq zb5HrfL->5O1F9p~{)ZR>-px=Yx6>?%!D?zgvFX}SQ=p&xa!P=m62d$u@o9U|e}eE? z2rT8BK=%iP{GFt9qRv9#1Cs9TKP<2~l76(l_-DMm!$ku z%XS!~rLLU%u}o!DyXB#6%sp%jb2CJkK3Ig%F~dFAIF}{w-BqL^KQ|qGsSfC)-=A+$ zSRZvCl-xu$PFjHV7f_1&!3KEKXlyC&y<>p^!ohk=Kq45#`1N5!EO^c9$98F{Bg^b|3Y zJ=Vd)Y=D8RVRbC1E{eJ3TR%gR1!AfiIFWWj50I0?)20j-(gF1SbQbu3qA?}?8~FXx zS-k|GMZmkklGK+-|1HQyah2&$26ij@T|EZI+aKb+N^Z<9Sr)+}^?9rVv(-xKLk_=S z^5cG9l_JD#4sjTStuDuWVf_I6tOP`PTYjCUnst|J%ZKlqQhym3CJri83E6DM8Rp?1 zM0F+!5^Y+X1v|;4lx3G7cJtkgoHl(5m}Y^1^w3o^i;KM}DRf|l683&k$L5tq(ulq6a}S$Gf?)k;hNtbUC9H3?R(v)2f6oJo>^S-z|WzXe`>ILcS`-x z(quDB;FL+?zeY?0qO+QTM9Z`T0&tGP(w6nC%GPdPp5m8r9E7Kp0NUtF^|_v&4}I0V7yI)C6=^q^Q_n~kZ}kzA z`q$ms{VQ0QQVFP`3d}XCRN4Abu2NMC4rp4mX+TO+HVab~HcK^_)1j>r^TN~J7KeP# z-`xvJJYbb!O?)f95yK>6cn555$n-hVr9*X?*XP`O$(y80JVvq}kS_tN3HuRN(U3Vh zfH!zeQ^uwXQMjnOW?(h@lF1+R0@oK~89z+$IX#*> zZJFASoZ9a~{U4ACH>nT7(#ORiZ};Gly1f;YNWA0xbdXX@<^}fs%@<0vUrOISm9epk z$hqOaqY!n8eXGpYMp(4a0T0|7q%Mk*92BHy_(^FN!N$|z*aTuFUdLN$qqn;wD>oM< z5C_mFb3hV$O(dAG-026mxYyQ65|)WfpnFZ4ME!tL_}r@DeGdiewb7pUtihF-z8bf= zIciOjWU6G5+V`;4&ArbOK!SvKznhY!;?UA!VrIBxA!NQBk{Q7q5t;)MUvx5VdmD{! z8F7~3KLigK8hN4tvOo<#+q*^*;AqpC%W?rgRzk*Q>kl*e(~kba78~I+jq#M~*R%XX zV-~|3flUC_>cDsz@hn6Tu3ann)ot5XWEbf#hW(h$RI;9PwZBPQ$$Wwl(w4+a^|F%V#r~UuBC82kJ4w;Cnb`hFD5&3DqtHn__SZ^Ww9hNV!Oyqu$)Yp*7sT z5oqtqo69W~j2rGNb~Dw9*O}#<()~dddm(gFtb)+?e{uFEP)X z&xhvwJHPLF&j0+MbDq;V9Lg;}_kHhu-Pe8H`yN}JzIt~H7#NPa$$kY{Hr%*K2^~Hj zi;eYrV(-(1k54V#5SA+qTtDM-j$zQyk#VqZ;#3KBZ6~zTcRkgw?|8kp=g?B^WSYD# z3XsQOYh5kwJ_VxAWsOp)VqA~(|AGG&?*h@Ox~Qc4u77t7WR&zA(a@CNv?^oHi) zXFk1KY!B(xpAxM)g}a-w#f$g8}1$-qNGheD5MsQV~gG3&8|prtOg zL{DlBFyOX{nW*J`dL;zH>i#49@NWXv|JM3u*{+sHE4w~C03`63+*^fbtfOVcg;b!p z(l6&`I0pEqQ;0j!}c!h7qu9X*|;dHR1=~>n*ah=%$1rfl;h)P=$P*w znD2k|kG;?#nQ#7Sg^ebA86HSJ_Ft#uf6mZAwbYxr1r9$pi?2GGYC`|Zyb#uwyN&lx`X5zoz)k7~K&xL8h#Dfrdk zhu!>#6$;n%@0*iX|BQ0{W8&Q!{aeHAkGQd)_Rs%Gx%}Z5H0$Svn62X$V*-{v4kL-) zn7(!^hUJF$@(U`KdMEJcIET&B-bvi>WlTgXNt)rxwtdO#eKcAF@Sb&__cj>Iq%^E* z3ceH$UrJsDP@raSZ)#A@&CZEUtNstq<$qf$j8P4Nz8KkBG5TMJZV%`-u;KKDyu+h; zUW$XV%q>TwCsX0qddq@m6H`yUc7C=If5Ch@!7MPh;|eYtgc^zXl=tc(USyGycO*3;(Klv`JD zAfaI%@tkpxzhEIf_Iukk%mVj5C+Xg(L0bkdD$V(l&NeW+4(;M4scU~FYDFHvLPRccFbFz${ zeFb`Ua)VLegDuW`Zza^2uEiL5z{5PY>ire&=Q_R#CXjt~+?tT(7ztc3MU3VePbMR( zDi~{xreD0la6N;&PK03MCi9q~HYQXYG3huoQ*_i4zGAB25aay@QhLddUIom}$=gHp7WR#am-wwQ-P7R#d z(x(_S2&C&>qyzf|gik;iK>|JwZ80zP-4U&+->o#iyVYbx(^cRul#aP!u;OjQL`QMG zvuP-9PSB#0v-S>fPw_KnK8_QmQBFiHHK_WJL+m(}R;ZA@oUbgkbi}4%k!)8FT;%zD z2&=C0w86vvFAsc}tvRH@bLp2p{@2r%{9%6MnEczfGlYfbmP$S_PK)f{5eiWDXU|U_ z9!ak{wa~xv)D=raNNGA+H+3Do=V0rL#QTuQ{lEJ-2WI5s>=wB>Mwr$vHX@s@R$%z8HCLtk>L?WvBuYe9vbqhcGv(T*fXEA@V2X~&vMuYHNS+e|-QP6;+W z7i4uZFi8E#Aqcn%%(i=FGN{X7K{g*=yy7c^0DZ#l0lkn;rQXg*502A}SkSk&?z&5n zjPNiN&PBLw!hzx*HoDMS64>AEXrPbe`~>n%aIwseEID!r4@%wIIC8;Lt_kSPB#gM2 zSbcq@zGbL35X>t3h4Ud1@M^~T74Y^Ijd?=>3&*fa59b;J2qOg%i%Sh7QA_}|nc%sY zMa-BHwh0;ntls7Xn*)F*k{gxCY3p z;-W&LM~W~1Q|?$4YzPd_)a+0faLCVp85`+$nOckIrNxi+{{OPrxlOC=0F8(=`JsmR z10iK!vYYwOGu>sJM~W|BCEw1gmUSU$7qkzT;;YVlJ#k+9Fh1?*NJhj7$;p4rn_TDW+In&xN7#{ESS=<>?4qOs-k*N zR4!Xak%8iSH?2e>mIeJf4$L0th*MH;Z_w_pduE}v!H6@=AiQx|5%hK-ZFs+b>tTSf zoastBJ{rSA#%G+mU&C3hZG3~V)-qo(wz#hmISPm+mn;ux+^5SzkooKT29?aHKB`g9 znoCj3Mt5XRMpWXl!>D>~HD3Grv*e3IW;a~p;)cSpd{F&{njr2XvZ1hy4MpM=VSi)30+1zO~%@zXbpPBi&T8W0fT0 z&--LPGGgHG?Dz>?qJ*^$Dfwt!y|r;&o@DxKnH%%|M+h%%tkm#X4PlK7diM3|XE)a8 zh!0N#q_W=YrwKDjZtKI&n&v>d5J;ogSynMY>VOq5Y>eFKQgwoj3n-&RoJh;NHgjyx zY*NAo|Cy^m{~f4c?WuzHFaNe>h^{ijWqGD24sR)bQ*-%#?(X~bW}}C-Hzm|>RT{W5 zF2u2*>7J;=A(&W7diZTRO#!IRL8uG>(ezS`+2%UJuG=Bs#jaWdwhzc(iN43sC?LPy zYovsxn2w5n^VtUoMOzQ8`sdsomfw{5_d5qe4KNWpD{i@9xNoUxP{9h;L~4TR7d_`? zM?r>h7ciWQ=ox@#KR(&7XnlS^_%W{TqKER@%**LXM@vfCFUaUE5VILCa8r4rRM@NM zENanBKGZnkIW##2h|ATzc+A2q9~f;m4y8Je3dexk%(%Cz0_k%Vyt0NlV0lj5%r~EV zbuXK&LP%d{f4@|AFUIHa%T&+d<{S5$2mf}2KF91ITtH6bSx6JeoI9MZN=U#a&QE{M z8tlg5`te8efKw7c7&3{Gm^U%g0>9qm4e@-}0vAtTY8QX%<8)A`b_vh3L&nTN7>?Z^P#t55kc0Y7UxKc<~3 zQga_1YoL>bv+*-j==Asq1XQbjCPMa2c*`a~4;l?G@-$b*!sx%LQ|&A5hvweCY%)wa zb|eo(gx6M|#cYmJcJZ8f5#Gr>&N;=HHYZA6C6UiI(9Y69m*J9e=}7%b9q!^_ApTVI zqIGDFehf}(?V$cRm+q=FS8mECNfO3a>wEWu@xaZBwO!boYX@*W8)ME50c(-^InLbo z5hHtNORuoWFH8bPF-u6MOND&Q4c1H2MDII5h>4sI9sB!3i5h4jPDOfEoT))MYhS2c zO~uA1FTbuC<*(7D)_+&Zt%;)rvTwAAIDS>YQU^TxRI;<9D$kS50oN)8igop8e;<)2 zlX>a}Yc(orkcla$Hz}5|HE{J#XoK*jQN8Bk$4lUXfHG{fYNUSxdE;Pf)1pCpSl#@5?rQw!PXRyWM_rTr zmR+wZCe_t9upWS;v}efG1!v@Y8A$f?i#%V&QhEEXoTLwdm+-mz3V#Uy~ z3@1T&!VM1gb(76i?Qo?Ctngr~GDX%L;u6_Qy+cm)!iFi&Cn>RITp|u**;utBM_WHKN*z+eCu`4xZ?K(PyEZXj%S`NV%27Qp6?qBjA;F!0xAKlx6^D`bPn&?`njbDS{w%hngK4WtMtu~q z)0x>f!@QJOY754PPJ9#qta$W}ib$?`s+4`TE%lB+QV48c5m1?G)snS>gH>@vF!5_d zy!si?=xglyP%|R5Dej*WP+fEH-B6Vqm>i~oXLdbD*|ZZMTm6di`d$b>oHpT$8+Ayz zO2Oe6$8(9$>D0ePg;bCsWsh(d#%-xsDNzAHS_h_3s(9JhM8GP`( zGJ*Cu-*iSnkST0d-Npb{pkX`rEH13kvF*|z3dwK~x-E|2m`fQZVBP_u$E$mlJ zZATmSIY-6%nH3g6NQ>+|LQz1lYZSBVu07#9d6!49Ufpr;IPZ!k#?G%FzSr z$8@5pA#3?lOS`+NEcD~TaE}l#bh$;1G_^SRjM(nyCmTeWbOWv+6w{)Z&ijM7&N+Nz zi-Rq>yv?SQhVJ6agb~5ESU?XQdm3*IW4za;PYyB&={6qdln{)(9u|$hKlP~v;&k5! zDeH*qz7l|u&m6U% zSCq%QVBZEjSNT4gq}3hji>g&W?+KLbX%T0m8PlKRI}AETBNYPttdxL}~sQGSJSfE$PoPI;Xg zMwwsmdto9>{2?jzGZ&dntoi4C|EFblS_H;cAv zg$4K95FUZy@STEt99}%*RedP%#Vb?P6`H zLqM3)WF#AkoR(VH<=b?G1J<;cgJ7G!VQ*MnB;_eR7Lnhum(-sK9r1VMYnKWZyPg+m z+__WbOasGE(M_-Dpa`$uvN%!;8aPH}FydOF?iRTb$n%OE4j+o;NS$fS7!?6(DS?hJ z=`0o&oKdN&PBY0jLgvr)9P67$@xo23#ZnM_(Mc@D8$_sW76N8MaX>$c?SXg4M&~+( zn_0k*T-_LZb0ckAin+fRzRMZ`G6aDq%;_%y15>6uPl+tTF)VXEm%An^ZiZo=>ELP1 zOfkGs+I60eA62x7^N@L4KF8D@4NlLbig|^N6CnQZbgb}c2Jv!G?An;Fr!KL6^=APY zdFVE+NN#1|%$KBPpSR!M_DC0X+I`q~ua{#?2IS?qYhlkHCyj=9T<^C{`{wg#ieD~< z0|9+vED%F!9k&XR*+=FhM-^p--E`dq2R1}|@>fe!Cl+OEWEX$9AGHq9hWXjvoNk}= z;+o64zEeRXm5LKk%CZKlQl?^p1HFF`gWnC{$Ezh&#l%!&-nA4^k(!^0=-ru*ZbFWjgR4sMsN*Wh><>W$K*AJgG+$tya2CRTy@!GAiu8o}5 zu6iB6jgqD0utv>yUVNa8T4c@@YXUY2iglj@jNKv9ryssQ%G*ZVwB_9lS@iFR*ivUE zoF&gjtKaqWk<-m9Fc5i2cZJm~{Mso`o7uH-Z9bUCM21S)Zt6J~I)}ZcdgJOtMjQx$ z-5j-i*q}9Wh?{Z#=Kzd9J0wW$QnZhJ4WumnclRIj_;Nx5qY-RqHS6mkXIiw zQCBgsuhPbG(u|yJz#wgTN>PF`U<_;Q{M?lRKjs z9*2rZ^G^Dgj!mCv-d1$GeBF_mRRvHKC~@88r`)QD;loWS5VMOQ(A8tK)gN_JAlt@L z#JHl@#nL2rm%brzCyL)xKnMoaZ!ANtOiHa2_`J>7yF%EdZhZ>Co-*kZeuBPV&B;d5@@@Wpi5mSk!220L!+@&Xcd8~E^g zWmkf64q$1UMTW1l6+Bkdmq%=7+ZQ<+BnP1MS(e?8<^xG;Khb2iB6HFjGqKC=!w*B} zkyX+dp(v9_W2wk5cp5yXj>fku;c_sE=!0;vf2Y=jVEhcc*7SIsY9V%9Y@x}_4*CwD zck2AH-xR8QwA3Yr#<}NZ?J*yuV|5w-z1D$nja6U9zd}Mbp-gUg-y%V}M13TIJDtrC#t@e^ayDPsfh^ zmQN~wOS)A(9v$QkN`$eC+>Wm2cuhLGEyGpbCY7h_u0yiYicjd`lcHN++LN24Rlc1v zbCE}**SbZdmP6dT0AG$xDyJIc2)Rk)!V<}3 zh>EfpZZv3l3|D+Vi1DrHl< zecJzx>e)ORx0$8M-Wo*K1z6cSGNmxEFm8AT?iPn$`Z`ne>2j@_uC;#r=?vLYUit%Y z(ZHEB*F|C>@WT9t4NwqG!v7j& z2#4=;hTq<@*c>sC)!q*j_s$vy!Q%&PUZO-H^#e)t}psnRqwu#cNKt3AE1vEvY&@w>0xDU26 zUOeQ52`c)Ix*nkfK95eyci3!KwweIa7G+#p?@xJ;t4&FzLCw(pkh6F%*CC8fOmkZd1kGT~1v0_SSS%3`U&>)g-pLz3Giwr2efqD$H)OZ762rA%Hv42t*Vj-a(czaS?U}{gsX8SbLwkA1w&6H zgclGL3lEwl@57n5j9Z-b=Z!uevY)w<4x_Z51uxjbtGm~lpk@t$nPl#j&J9NQ36L<6 zVM2NJLdsLC?;iLj`fAZ&gWiH({p%L+R*x#TjQ5owb<)CMCB0Gt_xo$7uF`VHxG-bymVP3}paG zAQ-rAVUz3xWf2!J!Cm~?!Cac6v+49FaGmI(r5zv}yk|fO3?gGanzO04} z(uL61%U1E~ERC;foVIJJBSzIG@*u$7=yzTyl%L`+ z6M#fq@E_=%$N9A}wEl zVFLsCj)yS*`#GmCF(BAAMxvp-V*4xV-;NgLZ!uML4Kd0$?2BNNT%hG|%}r@*Q=aA` z4d-*gjy!v6Pe8ad6-S7cxTcM#Zby)Ou(2Xf=LD0(UcYyamy-hfsfx7rGa}t}Ibo>2 zI7MpmhUfUuh0;iNi`GX9qv_&n^<(sFjBDHu_T8Lx-H5P=^`Nz7P}Q{8ITr(fQ(Z_T zI%Z6{4qry1 zWVF7Pw&P4<+3#x~@WRTDbs_fnIRv1L0v?muEs1pp**N`U(Xf+#Z49x8!W$gfdb<;U zeAIYha6mEN8cAqTw0_h#ie3YcPf0dzX6sw92FH2P;nIv^&p$DuIt-N^=u3^>YJ&?r zNRwq^@0<`I6;i(RktpP5{Lgr_DoiLIRiVb0kQ(^?J>W;K*3@A(a(<~=NmX7Z!2eS` z$G8Y$ENH|Sl}{HFE-`NEmlJLE(Xf|FC63lxsl=U|(DnryigXI?2`X4vER}xyJE+n| zPrBVdr3z9F0p>C2S|-qa(QURCIJYtrm+Fr4gJ`8Orn$PfLz2#qhRpYXxwRL+b`$c|yMRB+7Gty$PgAcGof$=q(;(Hw+M^KaFZfGSS z)7$aL;2ACju|A^hip+?_4w)ug!>p2R5INh22knA8O)@NwsoI5FfjcFLZmi%HCz(TX zc=}mt?-VdEoh&gZupTX%t{ac>C-M*)%yoRuz7Rq4UvGC(*~pSPe_ZMH{s)Q1b4e84 z3E#Rz>@_X(n~Z3MEdkj&TwO36QWtsP;)Do3DT@JWuO(!+_D%q$0k~}1<&kK``9<(I zY(F3SEieXLPSaH3Gvpm|tFnTVn!@a|+C^q8hZ}; z5_vgn-bVXM8ZZgbdM9d+wE=g#|9<`F`KIvST@EaBs@~t0xyn?q=R%9VQHWnk(#pSm zZUkb0be^eT?IS}3*_}9eY_7EYgP!3w1T>nRR$7O1!7yY`{Zmq<VPGs+P*jJR zc-&Bq8dY>ICuliRiY9;(;!2fO@)oiu}eaK&$Am@OwA`6njG8#|v6Eucy5>-1PaF%1{gjX42``w>ZfF^k8a;A1tV zRi2W{t+{&|Tl9fybC|w$z5kl&Z{`@I8xskW{su zN&ZnbeQe&xgp2X#rE(r6;6zW`67aF{uM5hRoXOJ!EQ9&ie4MSn7oTCdfsbvgv_a~M z_fff3hV$&!vp(u;#imB=kHG)Bx&^8#Yffcy$MkjwtbuB3=_I&E= zRLo%Q<@ol1?rVV<0ZIBPA)0c_QY+Hb8udljW0-rjyQl{WA-ac+yq-8Je7 znAP0k=MTha&tmNR%i%;Ut3@&FnkdI#L+zP3WD8%7Dg(r!ZKgS4aW`4vL=YLbOn3gBVHk0-{g5Gy2ChmQ&@B^ zgv%QoypdTh9Krfor`bM|-oFh(1$TLfc*Ui5i>*0H`NPM%jS4g~C!}?uDZ8Mh57za# zj~T4nEZkW?(fTTu#ikI>lfOsXP{fPU#;Ia$sH$Cj8B6h%W)vr-ATY7uV zCg^p!L`k}|-50|?Ev8Vv)&l)&Jg0C&d~oZHhY8R@Ykq$7k3Tm^^ij%&WQAZj{Y%Gv})45h9QSn=gAc|;0Xrm zGlL)J7?6kx=5C)E!S=+dZTCX%A3-VYt0?00O)k2{7m?^VBRK{bl>6>c7sJbUcaUS8Keru5y z--Y}>J!O7#aPiI}-igvl7yAZaSe>6Ifr;GEf)kB5x42)K+N2j-yUg;uC4Z~Hfc*(! z_@pPjm*-}^lilmKG2L~5I01Rz0(Pt(oI;S+H!XHEqq~oID$5hxK!}#aQAPgY)_ZRg z1m(UU#NI87Ra9*wf0=#t(o98XZ+Fn!So|tQ8tv%Xw!9j5T)#!cU}U> zF00S&G{t?QBF|Jk26u`ISDk?IFc|3!Kx-bdpcB85)IbMIl_?L=q)dRaY`P_S&q>n| z%&cz^O)*qw_gBZi)TE>AFbjyj#0rc$_rF-mZc!9~o|Uf6*!Cp^u;Y0i3L)`{(Pu9a zx3^ngQkQ}tFXPqYz{Mda4EqxAU6hC%ah)Nli9{?qWpZ>`9A~V;ejmCRj$yaz6!56b zuM8h|bZ&J%mR)3z6$eg0HX-9Ur$jA?&j={sLOeaOWHiaThO^L&bt66LpBM@OrN$#bb$MSm2xOR9_0gzL ziufGj6)d)~c2NylZ6{;e;dSjgcyg^408X^@9MwmOObt{PI!)U?i-*Sgc_l%rebnO5 zVtYDr&bdw}c&eZyNbOrv;lz$m(d~a0?@94i=^+O=p zGQVLta&mjcy(PEB)Vb2{8g3HQeGl+oKAab^mB!4pybc3DG)VYcpsAmuN3@dbjRW)?O2a<07?JLfWTDkA zt=uFqP&G{-wo5{lU3Gz+-|Yl&{Uv&zGhAJ&*;ygagoD%2B<&617U3qgWS$+|#ou(I z9krWe>^bqzhNioX52P-th*8!hXlID~{8>V6TRtwn3*Yt6ID?6{wvhN|9w>%_+Bq*XJ@nItKxLfHiT^ zqD|n@#L>)EKJh4OUGau6_nm%U(QPJ1ID%F?Y9(Slds#*%Wd0MIns)Bkd8`dTzHL&L zk<+JG*x1yCx@(LKo8$;D9~ZSGc007;ppY!Xyijokkf0ny^1|= zqtCeqhX$8Rc`_mH0rt*S0oXS~6cXm%ui-6py=o&_GMkTPKnD@ydu)k3jFt4KENWTo z)zm~g=>0SBqv!n95J$^*YJ(9^Mxeji*3r5a=qA~IG}8dz+JFP!u-8>`pabE?`Mnuy zH2$6p(2aAizhUuj0X8Gd-5;Q_YKS-}_Bc#`*m+(7`DmtLHQGel9(OgkD_le)Vvb&p zS4}v5c5&M>ij96`IDy#9s+1`{8@$5-9d0jwpP`Hag~U-mI6Z?HzoNVi*XdY`Sx9%9 zXtMx1FDT#zP)hR<-CHfdj%^{=Ww~JN8pqai7>G2kC{^uXohaFRN!h&;sSrdF{!VOU zAJpDO#hqIyNjTRcv!1N)zWhbriA?u*2Uh2lMDNUk^+ujTIk>kbsK-R*Qx8*)%}Rer`%aOU|&u5 zb%k!ZTN=I}B<$p)%S-+DqQ}f99|P2Jz;UP%>UTH?0JDt845MsuVDhj-i6@wo2ug*- z^xH>vf<)np@-t~xe~AihNG{S04@Fl96t&guEGMWlR%M$>NCDOlkz=Nk&WMUzK#r)1 zzLZOtOF-*p-IS}b2$=bdhvUCm&iv3@t z95l-Z0`sMDg42I`3|V~Qyt0p59~~%HrShSQG6RCNj&1@|OC1-_eW|egI4Ym0l!Jxh z4|;EyaLCy-?=F1WV?cS!V!W||*9CRF4Yg|Pv6z%wCrRukCsyVFaxL>&uFzK7iC&Ug zZjeWuaEV^yco?Az_P2#QiFyhxYA_TVxD%ii7=6@Cq3bz@3Qpm>6>Xh;3?Wqfl&bd; z5A9YsS>WefOCj9oSn-D=Od5nr-ac|&<(zetv3S%+b3^JU}a zUw^8@u*zt4JdQAGgxw1i&2Nm6z+m8H0Ol(w1OrSawTSTNY>S}Euk%Js+u&W~&`j*z zC>NDqpBWgOJVq2*6UkOcH6R;_w(b^Z@8)t<@J4k^Y8QZ+z}@$Tv2ODI8TF31y=5jo zfG7WG9Rqrm1x3M+Du|rPhaX+)f@0q$w27#deDH|J_kS734pD%Hyy{}M&nsJ4&f1GQ zqn1Ci@sAP+sFQB|ZS1Wd(_JP84b98-{j3*79Gk931Z+V=^$a%Jeaoo2QUp7Rhc}mj zN5w{&3dtrqfBQ^^t874FTNKF#R-cCXYD2W6{UAVJv1+gVbymh}`@Ku(Xm$rQ=|!54 z4|B)#rM7nMO}d1m?y(Dkg$O0U!*7m*@TeXiaTK&SIs7?L8OjwUKx3ouVE2HM#4EzR zwSh^ChZSY7*;Efj`_t6N{k4qld-=m&cY@b{Y~6kFemiQf-iBR9X~NQEy-GE)sb(k) zSX*?Rb^^;+H;&ljY`DAj_HO#~(uF^ZiuEXKGFL6%v+)D?x6@VYVkBCrW*=*I=bC3**6eOmP8&}?z;K2 zkT2oRO&(a<)I1s0$Y^!1E;qM(A!(D|h3A|9wN18Tqj@ny{tA?Z$7G@DE+Zs!%VoY-wpz;;_9>yxN}-AE_K~ z8Bltt2R|ip@af-M(<_|?vfuyaN zs7kUneUTLj|ERytTR};KQY~S@Ytc7$4)kdYukt0W$UhyUE2|C~d9iev7%B-ozpKjC z+xyQoF_*%jg2l**Gjz%;Q_K{67QUlEhH|ykTJNW`btU(`;2=Ef#bM$HS)t8}7bWux z7H;5b^J&%C?%Cd=lI9OBXQw~9f{Z3whJ?KpNO<}g5Aapj`ErY9Mi#VfCyAu^az?e+ zy4eoLHBWXwJ@_1R4{!1ZdScntmi83u31ljgJV4bmpcpkTzDg$H84-#FL(4yR3agUx zC-s?MAdZ-zE16F94SQfMeKlE8!&ym0NT2BoN!ypiFQaLE$v;dkY z*o5sCRW8v+$#SJ{**y&QoYbF8UXUNtysVQRB*Vq>K5XBTC3$yzr8*S9KS1DGlZr2Rhmr_Ktg~zYiptZlj)+?L{_FPAjqk6jy=l zcU)L?X)Tzz0G3u3kp-#0IC1-y!otR^?G>Ld>gebNYrmr#Zc9j9_?&&|H?HWDfkDh* z#c^1KB#zj8Q5St_r@3sZ0!)y&ua6kpO^h6O?bxmpaV5LFv?;zsFn)0Gh}+Or{pQJ2 zS}xO!r-_(dy1X1)-;ZQAeGq7y;8)`1S4HF{ly#Pvwrj5^L-LwL5G zMmYDIOVU2sHC9M1;moyA(_rjfYl;Qh{~zGuveZ02F=_|thl6>_dkU2_+dgH$ELg5W zAeNYOx#TtsR$^-mzY~~{D_wEgYaZOVCKMx^+ssX?^Jw(>*10q_?KX2{r)YnzY zZ;BzsR{E*0Q`x2k_isjvF~mCkM7OdNQ+G zy3d=$+?>jMf7`M-))_WGahm#QF)}Z0WnD?~ZmsRgB)rZlFfsiU=C6>r=aRN<7+Eb{ ztnWO1e^N4=KvTGCA0klgwquguZ?tz6(mIme)}H@@a1l;n4c9L0OYmJ&WU|bmd5_dQ z_OA_(4&v5=Tvo0|crI)Q9<(8$6^9STI9P%St?TY_`>OMfcO;V(Pk(l*9AH{5mni7p zBICFh5yajiLgZ1A-QJmBLEtZRZ|k9nLQpT&HLvzS8eDuD^XCa>dd9-TYH{UirX&zV zkfdoFicQW?)|o71Y+~ANhf1fD4h}8B-`F1l?fD&j^ZgT0(>5XN+snIU0uyyk6ETtI zpkhmsfB0IHvWQ3e@rNJs9X^7sSKm}msrr;0{xG~j9jTsG4Jm8nAxq2({==CKo5Ne1 zR*dd$#`?MCeX`t=oKj;vly!0vKKZ`UTo2mHwqY`H(HthJHbMz8(yJR~G3I1>o2FDY zlRf`>Gl2{@S6{T2Z8MA~XJvO4$cN|P3p1wny3^~Eo&E9MT z-59np_|m&lW9aY36jyNYjaPxm52_{7$@+YIS60tK0u?6V4t?FL*o~GBKJ$m3oN!iU zxoI^TV`Z5U%0t?iG$a8CFIR>(J9Cfq&n9FCPq(hv%w+WJ=mwtJALxj&fben8NPm#_C{Y*Qwu#c97 z18s*v7bF=4nW>oQBuy{bQg}5PM6_!@xC?|l)D08v8gOnY!gGMB$uLIsVV|L~`2&NS z;Z(#3*mSe@Amc;88Y6Dux>LC9U`akBwA(3Q;(#DO-(M7{Nbcrg&)>uv3v7u|%8$j0mVE6a`DUY;ZW7 zJv<~xQFSg9;t zB8`$`0nVW)@Fi9~%LF90Om$9j=VuSB`XZCcu8_myR?VLrg$qF#HnP(DSid879_P;( z6l(L_sS;;ZtNyX|OV)4GIR~|#A<$yMcG_WoGwMCqHYD;250Q4tQ8qT@mIo7-BbaWI zwp*`9TER1(B_s+_(jSG6f3~1RdBjbeIW#d8Y0N#ei}pBmQ+(1r0;FRJ0e!y_YzT1^ zk0mSzKcmS$L=V6XF#1!K39E1i4YOJ!ZY-EjuG@CS(BNj)(@I2M8ZLVo=-qRjw0D&c z>DIuF(-5D{lD0ljFRjo-UU`+QyTQ>iwK^DI2IQ>DS-%%qMU9WAjKszX60R8u*=Dwm z(0Hn;$^<7#x(&^e$X*im$)2I-KNVR^Wl7g3ELI}U1I@-VL{>VVS^M$WdC4Dx9_;nV zm`h)f!l?wG+kAy?$c1JwE}k}4$d8M;toTF>{A6ISvROfytPqh!fbYp^@v3n`SfuJE z;B9%1Y2h#A{6RMxy)yHOn~$&`_<%R!8ed4Qi+wW!sp3{;5eGpd65zb%*=wPx3#tmg zK0e5%=Hm4OUGTGn55wuX*wR`9-3|gd+&VNQ7{E8h|3=!~)cM96K=Q2f>r;e(-`JVS zChn$PQ%!aEYSLv%MET`UgU(RTHnKVd3Mi+fY*~&3{xJ&Mhy3aQ9ZZk-&0Fn^!K^%M z8b3V>?|EqdriR(hir*k@rIsze;$=!IdvOcPV}9Q=NtASKwcHUA|HtvLfSWd>Nr;hv zzd}?O^odI#UrXVqn|mJN1QIv&O>X9bb2)(TW^d(5;mQa5vc8(^4i2)^iGLt`ay%?( zI)StSlJ!RuybPuA_CL8ZV)Vnwxd_Ec9PH+rpFjL|ar%AX+_5bK2|boKj+-sSY=+Mk z;!CQJigk!~wT#V3IrpSC5wj*vW{FS>TQI!W2$N@rai`Uv+`!F~h0T*gG|-v>st2U} zpo!!3;1_%OE^{hg=XpH(&}AyFsQc9@<&epr@_rjt<$$(!XA1L*iY;>E!%;blrNs!N z`j1qd!&q5~s@G82>ZUeKejfj)sra?)Hxi7`M+oDwSILr8EQhI75qX8YkXiBwHf>h= zS&m&|{sL!j=9TKJ5Y5*Yf>RO)y=myl?F{+ML2diB4KAJ6lBB8NYRq=QE_mLw0 zDEyoow2PdFwO11YZ<{=@9ak{`XbR-bQFyF+8gN)^cWMl5QB@UoRKzhX_=TwCtAT&- zi&Az-@m&FP;EO&5WEJKT9?oAbrx5GO+n<6y?vV79fspFxfc_En)jpzAzi7#%FsAPm z*kpP-5d3X-{7qx{VsFN)@vuG|M^4py$GFo&Z;trWbY~1#@PyR;s`=3>OzFVY4MUF024T%C zms*{ln-8|+Vz!*TbLh#q?o9sgg8mmjw`3p9k@!6eFe%t}(~O!>VkapdO2h8~lCc$R zyMtdx)N$@<+-9(eaNGvtchCg(qMrYr3d28khQaRB7+lM<(=YhVM$z+b;_6$kT)Bq~ zsR5(#c|QaD(4Dg_cEQZmXo^{{b`nCq9&9M<{{=4QM$OGg1W!FCjj(TjB*w0Y9)Q(b z5tk-kA)bQ=g6!?G>hM70gb&C`1q66t!KP$Qr0tZ}tIO(oL`58Y)GMGS?9|i~#Zpd( zMIM$GZ%)S6d(=nCl&_cYwjrGrx!5J3exP^MdF#)ZYm6C}82$33o%$T-cM+Zqp2_JV ze`S(Kb`Lw}V#|z^$-Xv7XuvKF9Fnv%vEJ0qzqx;N$N`)}Dd!y*mwlgq%zDew8j)}moys(n24HP2zpg6dG7g93LYylt2S4pX zs(Z`D?Qwss^Y14fjr{-7ejGxk49TO4dc&9WiVm760@>2_-KXbW> z<`(L_uo6}kL4#$2GslBY%&G&|;>F}W!rcA}*Q zWGs7X;~0(ngoq=x(wTS)QXw8SQah4!K4YEK&T57gY!q9ss#gt1?P*YHu#U1qQT)Rd z$z8y&nIqpBc-v-mhde|BP1yyHy5Rq2%y#382ua5hkR|ggyU0Lz?aoT$jf zHa4@1+|>Z!R(k-Ijws|IEM|TWpMhlz5!$h);|=f&mrW0jFzZ!j8(hzMVM^!f=-?%-@#uO z2JBg?9lEaI7>5!{b804zmWo2={ve)Ldt)_Vv@E{0V&CUEAbOs+aKW;jz5$&m7XaV9 z3jw?)%Ju6%0c&|EGS*go4JZ(j|Ng=U&8(jL<-7*ud{b0NYho75&r{&@|FMjwYHY%m zgMMc}Xu>Y4M);uczgY#&yt0RT;?%O3CF^jX(U)S6@8m{)z$m%)(L@EMC;Q9UGWbGt zJ~p71y91mzaVaMfs-E@G_8i-Nti6yl;qO?_7gW72Q)Ue=NB${o_0ZcxArBQI;cs#4 zgLejhd4$)YrIDVe}mhwE6F)%O9@0>!fV<8r0Hbe$fh>p2y0k??QeXbVD>Oybd562&6Rq zUtQsm;vWj~8-XMfDbwZ&X_EP!Cfe~AoiNiIA4@VMT*2?M-7u#(vLtPt z_k!SzG(b>QG32I?Ru0R16C%+pL4wLfl@K9G#17uWl`Qr~7`N)wq1A2Ateg3(P1ZOs z_HneH5*N&iM@}`3CtEd7BG9ZVp!yl8Q2#_!MUBI4R1@~90&Fnf34_jhIujq$r5e+s2l;!s%dfqq>iu0B5TUW4XQva8HD~B{9-X+|vSH(;S-=0Be^)y8ClBwDmF z=as1}>tr+b=BFCG(6b21>=h|_#f&U#%LAiF21i$>qu*ZrY_U=67t{JjTH2;!@5r}0 z-hZ~;lKSluAIWPwrLFsg9b_eKeLi>i6v$}sDN>%51kcqzyIAZ-RGrFB!95n3z%NZR zC@&9_(LCY@`lH8;p6m*t<=*-fEY(fRd81wHEl%{*XFEGDB3jK?7B1oc zg(ek%1>toOrN%%}L5x#RbjEt9l7qRx$2u zscU^7)?z^`5`|llGDJj0D~gH*nG%)OD5!|^7AayZgXjfBK;{f$6hwxAqKF_75z(py zl%XOdB0~_7Fv%zc5+KY;2qY)dIp2=l`&<8Sxt2s$R>17+cR%klyn8Xcy17k@qh#A* zxw@`I=S7PQkJc(;=2Y6$ERN6z+AC{is7XZQmZ4`ue($eZWGJ)&y|GNgD+N!OZno1@ zwUdMVl*U+sf14W~KS@dN88<;P|E)>xD({LKH7%Vf+UbhS6m(fvS(?Y=FGX*-a!&h0 z{MwD*9i&;dFPHCKvx%VbI3@CeQ}YMczL%X^`F9}Y&6HJz!AiG~-%%etMl<7&I-;Yw zz8a6${2>o8)Lv-tI7|rE&ZtB8H@|nvs=&P0a6JZfM>z)BhQ3L22qqLfNquO9To{6S zZ*(w9om}nZ*DNANjhRsMg-^N<2h(_mv`%GJL7pD1qH~J>z_xHbZargvfBU6*y0ASy zop{}qX5AI@BZH)m$W`j?0PPaAHrOBWT*ZFp{9To!WH2^%qU zV9NB9Z;Kwu1961WhT6kidlD;U&GaPN zdMKWb_W}EYS9B#P^EU5@3Ff@Rv${@9m2gAl={RM^Zwcl+x{hR{FylvBN0iOqTIjRf zX<9{_7M99iWHq76x}av5zb)2h zqqw=1D!5&M6%+h13rmYdmnrn7pUe1vy4I_^cF@#+X72ZWGLDzZ^g~DD8tfU!eALr` zZnR+Z2M#A{hJ%kTg5f&By%>1U)31nXYeCBdX5Q7AMRlB-jN;ZM4!g0mrVC;XcWg+H zJRjJ9f&leiO&) zCG9o_O2dYheD?i%c+o~lKo*?RsCJSDEy2ze@82EauUesT?!C@t{C5%luQ9!qM{n$; z96xCqEvJ$+sibYQqQ{X0g0sPug@&p^D6=h%<`Cp8-+GVW9AjWOR=OO0O=}mzVRP#! zLbK_z_VQyX3xPKYKhZXv9r5+TmaMVWy20DV8pwurqDy9!1 ze1{8g&HT$2+czhkJoqm-d86*t=&-7MsVv@);akaUN@MvPrfTj&wk^JUlG%(%LN{uS z#huq4)ltaxJrqev$|3q12|D8N;?_hAv>-Yl)I}Sn!`od~S&lW7tjH2m(dAp(QJPi# zouqzWCB7E@AFcej1lOW}?kS)}Gu0s!(-=*(T_2HNcc~F?vSstGEt^UGR)_m68N}_> zT*M5@iKQE?J%uQW#KDvN@mJ(4{ zzjg1#Irb{---#x6+)h`oGXwoS*nzZ$J?}lX?kRVAo)$K7)%CeiRr6nl*Rt%k7hs#V zn_+^dGi^zurEJu)R4U2OOVR%nMPqa6+P>|FyN!D$FpViGP(al}G7SJ=ZC@vyepWgp ze`!?3K<=c!hi1d|64z&dpjo{xv)fib)W58w2?YXpL@)Z2g${3ntEl_3*`?O zjvi&Dx|^Q6wN~0Zjwh10lgq&QyElbXzOvjG4wX44M77^_(ifa_Ev5I?9+8LQXpfTA?Dgh%cky zJ($dPbmJX6u7R1n_R;mACGo4xY8`Wzn1-moy|Sgd+=VOo!quvxcn5T z<2S2#|Hj90|D21gKZ#jvk4Jq3?`Sh|A89m9`3{Vgr*gVPs~nFYVan!0$6z;Su3=WD zRzOetuK55lidORcO#hn`+f8#eG(TZ5^39OD5M*&!L?)9PpZ-@75WJ8u)t&L6ubPGI z6Pxo7vpH(EF%FJJ0^!=UXfmQ|R=rV^`RrbG{Q}*TL-OKq|2evvtSXSPKwrh|UH5=o zihaGc*D!|+w%g@Ad6dbgTDzN(VnIZsHKHWK`;hx&GymFs-=P0=+`OfPE2u)Ecah4F zH(Cy{$mo;aFxq>Qh*>WmjmN>Q+~|>mP5ViHn?))*o6}~r`+u_l-eM_tpo>%tG5=p^ z64who$V&@fMsC9HU4gXi)N= z)2t0+W(74ySk*XLSeVIr`s+i57FOHIgb>X=*`q^ju60$mS5L+Zs8i|j^_*#Y%;~1T zsp!Vh9T3;eZoTtS!sU&n^&TwDm=Ow=Z_JUD+|{WKCM_-fauD1+UPVWvi|c3t|^KpVC$}Tka`Gxu$fXXWnJqfqHT4 zO{&UF7i;&|X}J@EAMrPoJ$D>^sNGAkG$Hzop3XEJO!Ri1Ih3h9(1tuQ3pUyF>_rHT zky>nK(ip{JlUUT9CjO;wc?IT&xuC7*3_Den(qD=mp-n34i*y+B%to|VSxo(-Iq2}> zc@%@U*41RTtPnGwL`U1hYvXRxL(n6><|<1Pk0Yz>CW9ayx(fM9L)17hx^Y}K8S@`J zn{$_({Z3a;jOKk&@?m)7t#6;Y`x?Tkccds~QYKcY26`93(oIWg<7n}&9&mI8hy`yg zB>-+Pv$3T%5=8)$94n}pQGu#B#O&c%C{+0zbhR&Eb`j%`2DlL)Uc3Oyqyk!t>-Z>6 ziViz4zW7B(U*i`B@1Tikq<#iD$Q-^fM8Y1T$;=6}`O`8D^assMiFv@{b4!!gLS^Zn z5{fCNkoWjsv?}XXVR<5P(Gw{vUH)){l4wNiExcZ4j@f&P`@$9d5BCMt!g?X8qGGs@ z>QE7>bVLf!##hQGp$q1i{c;>_Lsx!RWr(DD5+Bd;gLhAV+Lyk9^{6hqEwiZ~_h=(Y z=)ZfR2QwD4eZiE!`gctS$RQn?|Ds3JPjJNl9I-O4N%$mKWMm$E<<#MsT8zB@Dh-1C z(2*tCP?_nh?RviwjfW$39$KDzhX2yTZ;vrzn-P5Tm1!YCrLM-hc-q}{Xyo~{AtWqG z-9-gsd!~GnF@6hpgHTqYX z!KWnZzWnt zQfU~z6eV&$OmH?)l(^W7E;{ulTrktpjF=fXfgTYbXqvKeSV%8y5#3yl!PMMXMzq

z29&G0ch>jK6r`TfJo7Fyy{dO>+lsZPTJ3^^3w!}f-JXZ}X@_DA)lTVh z^-7|qTc?8%V^=&4k{?<19G4?MG4azU$3HGQ*{9(i?jR8OZg4x4vHVlRqoDp}tUVjF zX2k_AK?mj+j4|{5ziRGX|88ghTGhk>;QNh}bXq4g-J(?`Sr+?)E@I{aO%6_i(p!i^ z5u(htwc7QN9H@FX2PnmHqrYmdAlU)mPd`-%cmV9XvN=G869lR0Db?Drks_@tK9hkjbUrJTzhA#!P2D=!NuFsCgIToGWX3F~G z#!w2{d)3)AeOZuMVu*wM1QYwz@XG-7%A8>*F(CJ+L){rRk>?KG>wgSnP4IK#)&@gq zoC@po_FaovcXVpL3N1*k)3 zIfU(=w|J|ctjSN@InX_3W;P2=wSm1p^4!H6yXZ+6XgZYn+#FAICVg$(@a0E5ZPv+# zN6lq8d_enXO|D)O&^v+0az8IYU&5@=mG}(5eL2ZdcfG z2c8PF@vs#%rBD8hG?E)1f0N)`rFeEu9?-GD*b6|po3c;I9LXMMis#Y3-C+A^P2Vb4 zx7hmO`Jhm`N;KF5<7l%D>ri5C=cYHmlf={?v&PZWhIho9`Nx*JvIpd_$bH}F;CBG= zgYCw3m{0`{y^2M0rQ7)w=`rV~xEsnLtjC#HL}?&(<&R?m*mF!_dN@NcO{<*F#lGMx z`8H-gO|HhIeVRJadGGGYQ!rI>tG{tMx*f&VLB5GH^8~_``Vz~Sg@eOx$V$A|#MOLE z1WRx_J-(~fn&{AYl*me^ro%H8Mp=Y@OfgomEx(?%ix6{<%hS)aE}`$7?tiq?mJ~c| z=kxr=c;V)_(ja=ly>iXHc#i;9BFc6$ z*c=maMA3g6Wpd}1b;RyWgD;ez0WEjzbNluNt<|2grZ$|Rg}lCJYw(oZ$y=9ZU12I} z_f>*#+XweOwG`pR*5@NivmyCp^umwc!EQFNJ!Y>xDeVTsC=qHp(6~|b+^P4ET`X4` zPaka(J9R-H{t>gc*^xp`Vf;vLEEdtiGh({G)lI(iO}Rn7vT%A|txL!ym!66u*$+3%_I`yGWCt|c-kA+d)rLT#&;MBhmwXfGzd#tR;*jZJdwqIUQ zP4Js=*CGZ}v@oC_drGq&{bx7{FtkNR!9nqhk>3H4=Fx@&T0w0qn=uzC=h1c!y`}Xg zu?{P;bo&Pu9*+1Ldih*Hv;_Yru_o9v=b;a@O?vvL2|F{Rs)ptwjLKL%>czcM7Vi8Pb3_P0CM@KyxZY*5q^CDlA_{n zDrTRV_~qy}%Q^twu@o=&A)RD9YGSI@=V&bamA*#m_DS7}^f@_(^x2yN>q={u`rp~8 zwPH#vn`5wA;(qh~5^m*@LWD-8LGT{w8uoy%cmvWqC$l%ZEiP1dmg5>-pepExkA#fU za%XATWaWlW#Fh?_rhN#j)?hN{XUOB(T=)5=qJ2mU#<$Rsyz%M7{7AD#^XG})KF7Tt z@6wcPoHaC)8#CpZy`cVC?|DN?pwCi;wejz{BIOa~3sIdGOEkmtpx#a-t&HK)Ig&zS zPC=FJ+32QIhu)b4AF*vbZd?)CzXumX#jm0!UWFdx79V96o?u#XmVI#7F|k~8 z4QCiLHRaW#FMn=ddU)}I`=-@}dsKdh*JKx#L=7fBIp!H;I{ml=Wdc}BN)^y4UN^hnx~ObGdlx}XzFAs(O}ZM2 z(t>BbdMx|9MM<$!Y2yc*j;4`WQOBAJ*Ia3DXV$mGa?NsnSN@pVNG_(eG8MqHQYra3 zhn?024kNI7A%IrK@6fmA2g5OWhz)X9W?epn{R8xI6DrEP!{2lpec^!`a&h=$HJ_|X z7*s?FI5j{~{q`XDd)a5xX_cZ!uJC1IjkYh&qQ{fEmY#wH5XqO1D-_9833jxY!7TAO zGl;GIXvHGl=nyBOD`%mJqrH)^TO~VWs;Ra|Q{@0ul4@fzpyy|t`a--3ekBJDUmt(C z=Q46A5l4PjK%sNJ^sW38dp{>cETsSFYG0;jDaz<$0c{M2#$#?Vq5e-IUoBl~)&5C5 zV~5|y=s1hCG!aTNbmA&m-#}aVOz&69p`7IdCSSZRuY5}SX;j;;>Ner*zZSb{KH#EQ zT5K)DsasT?vdR%t6b3Lhj~P7M(%Y`ao;P*9E*fHjM>qOE!;f@owTCD#`a0na?(}}d zT|x_n4sRuPZ6ySI;yh@x1v_bWs3*D6{e`K;E07=XhE0!oPzG@Ft@r0r$J-enaA&>! zfWPDGy`~qwo=V%Oq#eIH{DheOi-m2q?XHX%*BLc>OtMBEMya3BC+m^%zxtR&s3L$r z?345T(Y)!O@;?u)dYgDk04w6)vA4cQt5dT5)z*~ao!xHgua4x?tM0_YFBQzv;hC!r zPS2#E=Xgg(_6SP+82bY(mU_fJ($kXmB_g0ycWZX|Kez=L%Rc#-XW(43#Bl~5FEMGc z2l{F;^iP!fP@U~-w(U@gIiInz_Pf*aY!x+1bwQOA=Vpg{=Hki(crm<#^9%hdz_f1#8f8&F`~@5B8p~PM=TX%>O{^oiZy7 z>wTQ+$fK#6CiUPXN(v7*ehlaBZ=5)rADJ#$%&34bYSh-_wu;JAzYZMb59#b%_P$>f zR-$=L*Ou~Y&ei!3gwh4YeTCY7g73jgX$lonZKTa( z?kGCv=*K9n#6^jz_&pofpAuV|?U4c-P@wTI$Q(eR0DLZaNx*}7h3^tO_I55)K@1NG z|8$jgr%TauOH=$@{X}J2=l`o7(2yjlYwKI~C>g07!v)A}`Z5V@xBhM`#G#Jg^6z_g zQJ5Z18ha?$_EqdW0O1URV%vx*4#qwAmXaapF}Wc2PC;6AESpPtZpr2rk-16qowB|^ z685h0OsbMuR=-f<6!#i`aNu2qhyF;z97SJrw_#kw^;KprBkHd^vsJ5%cmDFqm$g>g zG;@}@*_I;vl%|Y74iemgbMzHcKa6g}M@so<`oLHxCTAkJcw2O&f+W_wfK8?Ijpj^k< zvvsR=>XyjO(?HY!Uczm&hF=W#M2_ay7m*SyTl06reWG@S1w&8(O&c%iHsOvXG+{|% z1mX$EeVi13ZFf^lJ1Bpa;qfu)GG2kQNT#*pnGCOnDnnW7X73VQ6E-)_*|DA^9&RZc zQieCGMK%Co)QIE@SOU&8<_j=@VTXf`%!h;sW0AAsLUo0VL(W7M1AJ*w9sWAtPk~Ad zBvN^6G?|@8ZgP|>%vHUE0uD?qk|>?f^&UL}n&;k1(66p?G~v@Qryd}0BQxsK$|~EB zo{?g&l#HN6x*WT`y#>b~o+3J5iEXc+gcQSS4$HxUNKdrr1zs%~0#B-C`!|ydr zmKR>Reex&2vsD!{IP1k{J9x>RHqP>mqnpP{Kcc25ToeJo$Qkv!V5;AR;IGT60;C8r z`h>)Y3H~S3@4QuhMgdn6P`l>ip1-^g-0FXNY-Q1_8SO(KOFMAhss*P3N%G`|i#vQT zq6^D-$wyN_50g`5O>1y{%QaLP@V@-HCq(ICVTW|Xoq$^Iox@6}DK!rg%Y6nnxJ4q~ zrIRwNt@V~Z#hcsD7cVH^;_>y@l`nub7C#;z7dZD~klbV9Vv(XQe9X5eV&Sv~QF1K& zQxY&EsKo)m|EqHY(d!o!90$Ev1TZTcv|LT9bXVS}_6R$>pon53R;XyX>SBXw&rv3` zC1j2Alf%)+s#^+kYsOxrE$+I2T3MF*QnrV|hix8IMx=*wnp^$A|>Qz>@V{Q+_dNXR%3<};`HGT%5!9?y5Rh2L}RPfQgs%o=0I z(las(jt>T~aAY+0b^pIDMX3#EH&KQLRt*a_X>Q50%(0G;L5GNZ!?o8Y>a8BFFz(lQ zdK~I%=&1-6-7OjoHKk7FCqFc%G3t9X!+I0j3U-<7O+ybEV3fw_oZk6Fa+#?p*q3Iv zh5aKYcJk8&lP5F}s2=?tg=M|}B)79$e|GCr*v+}iT@zE)%VAN2)l3OGj!T`|3ES%s zxmKhrkLt~i^~WmYB`9zLyEt|$_WUuB$4Xe6oX14-v7fQ` zx8G3%c^{p9-~1rqb4lvP`!-IbK0`jMJ_LZ=K-xDwU}(F#@Fl-Jpfi#y6rjsg3f41| z71W}otria2cD1qRznz@YwTc{GMYKkEjLE?}VN7y=K=GuiuKLt5vD^GH|4GVTr2cFk z)1G1b!~Uj2_qs-$xa|S(YL2KV4U+$sWNad8_#~NNG$hz%LU-QmE?o_uu*WdW5_gW% zdZB6_s=J*oNU~(_Nw!3L-;{X5)FGT0O^YtOcqSE@sA@p8(Rl(=+=BO-I=R=B5HsKYWxa}f!Np|nM4O=gr!NJm7R0HIf!;>WTW==! z!?kuRjZ4dZORTPsdfZOM_Hx$+{!XqdLVMZPW>8Aj^wAw-&gG8O@z&++jhWg;QN0m$ zqLSGApVbwups_@KIHV71a4}|CGAa_1a@a{!hcce8SQ{PJ?@(8Ss$mb)QkNW%f4(V3 zioZz$JypZX=KpabYTmy!yyJ~e(48z98IX?wVQJC#fEn&gctZ5$ZncAFGOt5{oY9*z z09xm_tbls;hWJ1D1_r^h9hx&Jn0PJs?{5^zikRzfSNIFif$WVYHRP{?=W2JIR3YuR ziUaE^##fW$y4~k@YsR!(H0h6l+kr@ca3)wfsIc_N)_GUyI?+d0E94RJM#!#YqA*M`*%i~v{RVQ|0tr4r&3ewnr3-DJzagG z#fvQ534*+2%!~uoGCw4uJpa~U@45DU!v5w>;y*r!1Y38n`A(xe4ZY&K`5Suagmn`i zD9ZetgI6qi%TCZDAkEXpv+f<#i(gRGIoJRX&#{DqYV7{`Pa$D=W_Xf=mrILC~dCkL1mZ-K8adr!*TrpXvjsW(0ZLs9u5REsvK_q zaC!uuB^obZ7Qmc=x;ihhDO)tvmr!4w{!4o|B?sF z5O&tpXnNsj0Mv`E!+t_C8g^lvY)M2H>~jiLXEP=k>UB@ByKb4j;mu+rIbtq#ZPwG; z@lfH)j;-5PT~=EIie&Ul-M6%RLsL+ST6Rg__J~v4_l|NZ$FXb z>KLkv6}7p(t?$m;!0kN2#EEZa%=fqLQc;DS=!l)|_H~IxCX$Q#h*G6TYXq^U+{%{h zTwJRuKTo_0lPLz~R`;y^FMy!aeTk3fqo?zyLmqm~7`&zallTuAkd^%Pq48Bn>;4(B zW^uUMT#lE1v-o_q&-s6}>kwwnY|IneCo(7XF_vy~-$@NWvZ9WUUsv38kgitC+THyZ z)m3t-Xik5<0Nb*)*zMz->48_azp6uZxnmqFvxj@x<9OxTmh!BaTrn#51ytwJ6SKoo zR9Z{1sAu2?RH(ej4s_6Fz{4&>HCr#%Z0Q<&}-IE!{yo z=oZ1m&mw+wr%nX12PLXKiv8lw(v_9Pn~XxK*m=xFk3pyHeiwLpPx69eCP;=O^_-37 z8+tXbRavG~Sq^0V^(eDw^TdMtCX^`)#n?!hT>VjhrDd=w4eD>WCvSRkf@_9KqMn&@ z)2H3GzRqbn)a-sOnaJWo?k0JpTlBdJyCXUK&c;*ejejD0;Urh%jzlX0FFUNszL==o z9->U5U<{DKJnPhKMxmp;!-J(o#cUgEV2hB|Q2kU$+ER@yefV|OoKucmQGxyn{8<;@ z5>SN@T;U$IaHEb@sRf<|r8fsuO%RScGx||LF3UDNS)4^Dk(a_zJ%Z`yOV3r49cs`~ z4#PtLcSy-~DvF|u&w!4ir_D|gm zPNFWjf1q>~oS?n#FT9RJZw5Rh4QhIO+s#3}MGA<*P@`_u87rl^c)9eUG+1 z7rbWFw@0kq>(K1(gK{)EYS7>PWl%ICK2$d1k|}WMUQYI#`@LUdo2B+ zL>tY}bB}Qj-khK+P`qb{`VEqtcbl3+b1#(J%Ny@OU5k!my6#xfx_%d+z8J{3wufij zih%EkvN!%hQZhKtiSYEO~Mt4NKuFND=bSLv?BO5e4Xb0*+CPr^jGHAdzdib zYqb=PFe5(G_Jx@%_DPzk=oP0+4;^#F;8T4O9t-w{>|T?PMwmmKazvpha=NTEE8aqw z>VI9s`($&tjG5Z;HbkRlSy<`XjjC(7bJ~CYeg1NW+j@h=a(}dCD?W3RmT58r`|Q)v zqCBYoN6W>#$C+&uOU>DO*Epf6xqifzd@F+Lp>CiuiAw8>R0_8cJM%D|g3ZWE4s_Au z*uu+BoIMNsptAR7h;nj3G;*+aZ*d>68YQ_7i0nf%uz6o7wt8ZTTqa~Nk zgxZCet)GE*R^tJt9H^DAmfVVP0ATLc=`K=9$kiFzOY)v=rFZ;j4st06-v)^7E3NZb z$l)!rC%`n=N6R3oYOgS;NLy(|xIFAKA$(s{j|<&7ab+1DgEfwoaS+Ez4PztnzcoCNO_Ct@2 zsNC1~_mDfQywWR-nWDWIuCE#EZ_Y;-<&L=LT9~kNxgVz~n7mZl>9u4De1W$O^ZFf@TgR5(U{p-F5adHiNc)l}v?c`DcU2@f0(pl; z)LiV)U2t4X!gWTVuwUE#Ox@6^0YG|qsksCm0G|183&0Vp-u&;~e<5|fMEhp7{vTPV z;)qo7D)^y{RfVWi!&CObD&UN?tLP)wwh3^+&b%K;7tnm-MEqp0E)7#6QDMnYmWZX936&X#q@fM2 znC@;!q+^K9`P0zIMJw>hTksVRd|XDb7cM&%^xZOp-zmRd9rnK*G>}#M<-8_mV^Lo8 zxkF`>9*wI~&=Ug4=Vxk)_2I?)*C&3~vh=@b{ybTGaR)(OPEozI-#%gsyE!V0t}o!K zKYB9)spwCo7g`%b9JXcjj2keBzzj4~dYjr}z;GCSWQ@<@nuY&D@)zwm>Rq}Qp3g+I z89Wc^kC5C~Sw6YpeVDR=NkbZ^T!+X!W_Ku%r9$TL|MkF!=Y=~@!SA>}$F>dH54xhq z(9H`^HHc^n|n%`;iF^$X`hDGe_mo5is_HE3*vu5i$)1p}+gOVtmiK`Tl(gK+C!P z8iwD8vG`Fo*~lnVx`ou8v2L|DfyEemHUzhBE-qy3sDnV(OlD~2pSrFvVz*Jfrqe7;SVx*A9vejV%C41Jx8V;k_7U1p6qlnXwKv97 zM%{nTS)RaJJ@WnIcUlBi%h5dR=P#(Q>RAlzF?T@Zk|PPKqU%7=ko&klWp~w{;*j(c z7}}uGnS}njFg;;}JfiLty$>LiQ{z2=2q7nIz(nE|^(f@n6pW%1|7;PS> zF{+$^#d5JZZvc>~tUsq^Sh0JzW|yi+ZN8XRSWXwnkgw)p$P*oZLNzl6dBc=4-}28Z z(}q>I0F&2)7bD}y98Co;J`hkH$$yYIK=k@eK(0Yb*KZDcy+om^qY%F^Bh(%5$3L&m zD^8G@k97Q*(?uK*pV*6GlMt@G8GA<$8sk7=+ly5|1LDu9>ZFPbQ+1TK<>;K}G_ea( zywJH`_6~&U&Z7q=0#_UNvxj{<#d!Q;$d$oH+@OLIohdIu>UHhYq4C_Q&MX+n{=sGi zMCT*K0ZC^TB==+Psk4k|FGWBB&VB94YOK^9Cf|v6lZCChvg;>hr>oowTKJ2izY2Y* zdsSk!-c7jcw^oK*P0iXV#(}ByiYP+RRW|*%@`n&)nxM)&k^4fFOx=0&HjWUq`+T$l znhaOkGcZ?Oy*WVCQ0yvszDBW)E>x9U?1iou!?(cn2wr7K$sBOZ6IL1@Aq4RuI+t3# zfm;xlU`f7$w#(Edw&9?rje#@p3cO+e6AL(Zbv-nrGTha(ZW}t=VTlVjX%uKQ8CG6UtL|2|8TiTWg zesjdt>6={3D69=X)!*2>i@(|Ief1f+y9s7*dZDF;r^&Y2zj;rN#mTQ%hY6o03!*ir z@9z_W%u&=0SM2L|)z)S7Tt><6XP7;H;fm50BWkbt(8DN% z%}}m!y~|dc5R+&kR~djcsfm);U2|rH(YtRLRPxQQT-QOc=x4chq}lbr`ED5Q<5wf1 zl}1OxQLtKv@Z@_*IptZe=@R9nEc`AxW?Z854t%PHTHU{i>9(lD+hP$}M4IkuiSsil z(-s?x+z;I?D4S7{i|;PMfFZtK3_gmsTR-GmUWl)Xjag7J!7EU|y5^8SgVFM8&jm1A zE5w_nt9w>COsT8k9(}ngq?NMn);j^YUeo8*NvY^-`4#Vn53v)1u-=c0MMOXLJT}_L z{XcB!JxDkT$guz~TL`FoSCw!UBy1?UUiKn{>v+5FsRAYUxpf18y3t6*#Ku4+08XiM z_SnvVS<~=@+Ewwv$XZhB>lJb(0fs}20Zm$NeFhu?OuynYa)7k22U z)A-!iX*Wn`_x);oD2h(2IpD8TIEx<3Snfgy-QJLoa*pdRcVgPzYx2YHO;>egjJ*92 zFk(xZN+(@p?GNfnZ%;8FT<)PX>5`vn3t}W{f?fiv9XP z6Jr@(AD$3%XERd`k0oowA^e+htHcGMfH}{-^|blJQ$1?nlTj!w!rQYM_Y|a}!8D1t zI%m*xg)gajSgW4_v>rU||4rxxFVz^~za5>ur0Xsy|3arbxb&i9;nruP**Ouucm34> zv1J|Gv*&Ih!SB9}+8VqUwOOh=j+1f>?tTq_bLr*l8IWzsvgKl?t6pbPwZ-FK6qXXk zEow-se^4$kMCE7xTMK+BqFSche9+CJqT`~G?Sa_X?%H=Ba9fiq9IiyyyE1$)E5SKG zoE$l9&X8mp3~F7>NvLYt=K4G(LN23g9O^Rldnx#5AwNgiu1u|OPvd#)2C?wrgX-xn z)~I}@h^hmxnXx)X+I_FqtXK0^2gyZI`Wus%k6la`fB(V-i`?DsERTi*92lpAF5jIn_ajQ&EG^$TLpm3=9JnL`D6Ce-N1ne8N1$#oO zFZl8`9~nSkoVJoN>?kh~SWX< zi#;gH)<}D(YY(o7hGplqGqgU zkSq}3TTtOq&RnOD2J>H(>TUN;kc|Z_LNL5Xr{iE=sT#cR*4o(GG>#7pRs)7_V|D(U zj8wrL0#|83{M*N}g5a>D0{ziU6)Y(igw)T4@X?G<>=|;k0xX*^WdlvjQX~?4n?!sR zU#Uvm^8t(%XC+dNl$i#f4XpuShQQpPGb3iJK?)!Yw*NzsaW}D;cY~@uYmAPQX&hKI z=1(w21XWE3xCJ}5zHY=BC?ujHdJ=umqSMlUR*O&1XjT5A^UieOIN>$7q77Q82DD(x4~>_6cXbRY?9+vzbnQFpli;97q&9vszvRKO?Mz>fcoB(eZq3Lg-{sF)@NJ9HET_QZRsRZGMkS zv(6+$jCiq0Q}p+MGR~AVTn}+nJl97^s_>f|3IaITd583>mesyGoLGr_h|&;o0BPgy zpQhwqipBzQBJsLbv#P;Si?KLUG_*9OH4EgkOL)N6vc>k>Z??3R0OmW} z1}GmOY?QRN0sq8Mn?lR;cL5szmb^P^D4RTgc0cn`OGv|YT7*(Gbmbnh$rWM1BY-nj zAHb!{tV*$s0>nWLOh3tB;sBKO5SL z4m)v9)?ZLFy`5qLn4%do8pJpTPoD=;PZFJ;Bp_c}XY%A2*ByAQM~BBCJ+xutcW=8s zZAdHjb?DDuV+#`O9X7MQuG{ZHnJ2k=`ZAyV)wQ@kw4>!mjFCwv602uDVOB^2Z5P9i ztAO$GGy(E&2wI$hlCga84h|XEr+fZ4G=<6!Vl%Vfr87sXpdeVS#(vu?Y;Z>j4KNO> ztT*cKaK7q4AipGB6RbcJ5zrfP8?p~o?@#Xa$aN9Q;Ctf#8|aV&N;GwaY1RDJx@|!u(A(O7NF)nF`hknQ=*E)fUyGa8p z8hjy!3u;=B^iQJBg!-bLmdMJ6_7#U^2^=4RR&Dmnm}887Szn3w%Ixn8y)eDH`wN(`i8rSxdyH3Utu(5=w!qH1R1zSN z>l=UfqS{edmRKA~Ts75~HQ!zO@y?y#eW<+X{?g;vCu=TyKC{RCv)zd(^=GkAM=XG` zBGvfFz{My@3;D~yp2a()l{v$5#BnG4l)ZcfS{EJX^MpL*w&@P(Z~I;wf{lH&{Je1t zu=MpGA;>ZVM6USy%gQ9n^^xg{9~iOrPfNF9+8xPADw47Wv7@GZd?Uu!v@*+)nbM66 zZ-mcBm&WJf9+It0yvaLsip|;N*c7VxumKcjEGuRfGv6q4-Y&PLRv|6X|1iQFBLHuK zgbmHaod9u>D4)Y>s~8Bf5`!X+w+vSBsfr71j;&cNT)aQJLd}#OJp27y%vYOSvuygG zIB*BzQpQy-&643Fq`x{h5zAyfDT(~#fTk}TB*lwOgH>isncqVLwKp3)TRMh*Nk0?r zNsd(Ii(6!@>|xpE3Pb>+^--ruL7H3cMUIZF23HXUq!64(-8CJ@h6AY`G8T1qqoT_r z@3z+ML~jA7k47?c0(RxSr?u8Y0lZ4QMSquROp+xn3{B>Gd7L0LKMXTk*uvn2D*KoN zGD(G{XdvEl*&5x0W^I{kmyeZV@ws8uen*U_7*J+yBYf?GZ)etTlXM(zabu9otg1ed zo`*S+dV{`Gp@(HXF^-;k@(N6(s`jmWDw(7hF)L>D!C)O@EK%5XP_v(fQpZn(#ve{_ zrxhMt`cBfao1asdyhQ3(4`KO53yCOMuz_)nif`12TU&U)5uMHDu$hgBbdmox=6?u1 zo9`sWp8yBXT)rcM<^!YvqWgy*AgwWNO7cVF&)6R0G~)aefLZ?)4Q4cI$SE6@x15;d zSGgZfFDUR#WK1gkpD%?Cq6nTJ^O|hGC0ECf0|`mt#AIH6^C0RN)8@WQKde7Tli?#2 zL2z=lT}$E%kseB#rjqJYg^B&Mm4sRKFo|yNl>A1WT0{HDesVSU*K_}IQ4WF$cl+ztS}vBO?hzJ; z`vj-A-L)cdZ&6Ij#K;PC3p))@Gp2|-$SQ!w1CBM}8_?O_oX|gYGAI|Otu~-X0;N{a zxtlIYNC)S=%{}O(QUEp#^Nl*VNS_wG0~t8%AUWm0(hR6>V}boVGRK_5d`7AOL{M*l z9zhrwqL4itWzGF7X#X#x$VX|V8os3-Sb}jqCTe~a755laL{7Q&eybE0F_n+N%>-^} z$VIr}*aNlgk;S}ChP)oIVVLVZ%|YabaixrPF2b)xgW+Gv!{jn#;~lv|rKftMB9~A( zw`ZVUT}}t*YMVsmK1C16_otk@?gm&)ycZXq>`9B4{x-n> zbEIhPE zy>3r4^6_1 zF%fs7tVxT=zwk!QOY;tl|Jij~&zl_1Jb$T#w(iax)@uDAIl!nfbN{%e_=DqhAjZoQ z^SZ7AHmZV${aAKnKbF~zo)n37m?jU~u#&8fBf z77VC<$IqQmh0nftnXQg=sG08bmKT8HHsEmUwM^Qa|IIAqYz z5-^ZL;@(h(?S(CbY7C1qm&Cas-j)RV_%@s)X!Z-vruazO7H`X!5*eW+(04P8|UaSu}o?HQ|2fV~!Z1E0Eb#~466IQ(qYMPNa z_@(l*s%*(}s>V$StSVY!tnW{MAmmHwGRKM~2bEGKK&fTwL4{PtL4S)twa{9MakR$3uXfiIT0np#kHNQ zlx!vZNwg;ojaxBZq_^BW`q&?;LLCt|x0m5Ju$}VK^6E$a=F4HG$rwrQ0meU8gy2E~ zmlA(`^w|#V-#B}bF$G$Pk4d0fWcn85t!|Fw78Ib;IHB>$FTr7h!y8Oz_MRFN4QN`j z5DP|Ws8TtM8njZrfs&~Xe#$6CXy|$y^(IuI*{7FY)&f-&!WNmbGg^8xtnaDE%rDt@3%<)M=fU24<9@ zzi@mkxvRv+DUPmI~7@uqwc6{dWD?7{ppo0^sg90E3eBFR{m;tt$W5 znkO9qq%;$&3vLfpvEvefx#qu9Z^@rjl(#ynR24gX#tMR-5A_LLC&E#zU4nII$4^YO zH{Rn_bdAGslwnh#mqSErE6tRY4nN;fJZ69)a{pRkSW#X?{+i7e);i&0280`-Hq3h9 zX6?!-d_{lmgodEywkMpA)EMIx?{@CqsLFYTo~KjfrgLB4j(h^C&Z!ms=j6Jt>sRg- zjw-??#AE+iZE(c+tOJqz=cb~xJCv+fd1L2{9sHsQez{-!ok3)@E+E%7zw6*u)w)E| z5qw7l0T{Ihq7p36b8ShYde`bq7J5&8PqFnv3>vGdKN#10l(1+qSy_xPGi^3T8;otk zeqc4e5G8)hVK>mGQ=)3)IREV+SZSrL1z(xNZw?QCEL!81H%pe7a@3u8+^+Ear2;Pn z@8>r=Mbic_F~#OVpr@|>^k?RIi;BZVAwHQN6L_N)5v> z%l%%6u*9E{AuIAdi4FEFV%sS!kqF!1zw|p=(_ERvsYj^369$lc6JkK{k0k7VpIHA% z^ul~=7#Jdz$F}05V&%Iq!JaouxCnI)YnQ;A$M?(p74Pv4j6PZb0m|ftuZ-4%+F67FQbt%|SkM(6RXd z7B#gV{n^(7%>U&TxrQ0ZeH>bavravwC$V)nNj9)6RWz{ZZy+p%{0k|_1+3Em*UUrt z3p(lhE{Lw;|3}R<)@+l~z(rOGP><@Vf}L_hGy&U7&x{{Y6CK5gdCZqLm$c!~kn6x| zX4O%Xapsn4DN*-bmx5&ntYHs;ZdMbbHnQl4*UHW@J{wJ{C+YDiw*QSy_8BkDAhK-z zo}Hlf)Xu4`Nt4ndGspe#Um^Pf;2Eiw)P3QrZ}|<813AMDwty$_BWC0XghEaL5E>`m z2-#!8MpM9Ox>*jo-q1Tr>N@&}s1&At#*kEhn2W|{p{8v`j$sh_=SBPidkmw8zj1;}y~MO}>`da? z|F6AwkBf0@=`d(hp+?#co#vL%CK-uMIt-FwC+$=!&CHFElm?|K9i}Al zl#-BCGw3j#G^KQ;(P5g-(;RBf_x-NP^E|)j{p0=P{r|Vu{_x?R#=X|M)^%Oq?{!!_ zjVWdIY)sEF2ArX_6&;q)!38IyS7(}$&Y&;lqRgM!5vh07CR*J$4|HolyHwqFw;tFx zC~y%rpwj0GPo=2<m1k{P*DB{p~-oOjazqQ5JvWy}T`yD zEWG{~?U3q8Q$+rdVYdp6(`m~U{GYB`5nttec?1PG^J=~iFTqUrOfZcXM0PCuybO5d z>NtpK3^WM+H!T}6lLi#>grE*uY(vwXd!0E6zJdGfvkoH z4v15g@gO;z_Wda+>ArlP%vDZpH}B}RR;XC%==!s5%P^(X9%fk0Ki(angvEa;XcGm{1~gP*W%)=>*rebvu2cGcX-hQ`LE3Vy&Cz9FxLE*0;KFf6HbI;d#9 z57cIHTK^6k_zSdfgs@t}|B%_5I)g}MLNR@dBIxkifbON?A+H_iF@GNk(ANMJhjmZj zuASO;>&vI7Xw!g$vc*jg$Db3uT$~r<7d@6cIi;C$FG(T&IGBmCsR;cBx|YXfhjnF^ zQ!xr#oSpw6_(lOno&hDWf2cKz?rq~%DYPB*1_Tll3W7>Aj1T!LfI&H671eRO4xNla zl*xfU+nT#$^Ys9){ny1RyR}9N;KlInxT-%iW_T}R!IU~n3lzks+a@;X@?t?H%$wp@ zaX$&ykNcB$GeFpHe2IE10x$1M&jf6^I#&CpZSLsDvX%!^eUCu3SxMuH>HBJ8oN0^B zrIyW?*C`z(og$ruL8f(}mau2_nu>l7=6*59ey;nZs(`fy@8J%bzK3j5Wg6Hlex*kZ z1#aUjmP+tq6{>qiln^oCuKH?9o?*4a_~@8LZN*LG|34@G~Y{7oae7#hJQ@J zF)qkDtAPz>FR<6uesyrERGD#iUcXNFkgii{bg{y^k`G*vOV@7$2OQGn#4-DusUR!z z<`2Q2bsZ}RGb24Mx|8d^f zoiI?!!g;jF3-*FBTxKUn6fpi=K`AXRMe~opFq~oRw(6^wx)v1Z@s-AFMnCcKdLR>j z^gt)OyZpN-wCeBicWU|}zq1LnsR&5Ns{bI|t~SkJM;e*vAZVx>!A*!@lozMK1;<~+ z=BjP)R(+&J7$9-lf7||=$*>_Gf@|jW6ai7T%@=YEXg-h6Y)YW2y+y7R(;GCAszT=Y z$X6p192`>FU~}omGk6;%%(hVvSzH>Q^}--zA8CL3Yb=hWT#M^0pm*(wdrzvv;CCns z7Bl3BNlWAhC)darv7~Uu?tx3+TFFEGRf3Z-hwZzBm3n!gL*JC?K5sA2gqp|jV8uz! zq}M`_rLaOV3`ynj(n#_>pLWcdsqLyzrI;&iw$+EWj6k41I!C|+nuLnv3WAgoO6K(f z`~4h<;>^(KicrQdw-E-9^utUf$qMrs1r9wZrTQ$ZD7z2x>P7Dqe3gtNBBoh`bc0QH zK^=~HDY~z2Z9zvtnJtU_1SlH9^sOiAQ<9`{NFDhe)M}W=UNpThy$2;4G?eW9^AWt{ zhC_o+-xpB1a(#y<88-6TKJv3wh^Mw1{enI&;p$FS^v}%pG@zK4$MirKhl4~v@Ryvv12(&rZJz1g63YC$!!N!?!Xx+!d+~=FD;glL>1q2+}lNXdO4}1^$mV_ zZPp)er*mnbpxwn%iPu=%P z>xoO+7u=}wL~HcUXtI$m=mY`sO{gw{rfxx1CVwF&){rCU*9qQ6x$qIHV67*yKtKKH z0_tXVb$}3%u8uNC118)n z2mVG?BOq6nn5L=L5M$PdC3I_y8t!wyUAuyKf~;ATZGGu7`h+)v43qPI+Q*_ zVE!Yx%Qq2V&4&ze!`ix%v- zv?Htv!0EvJM$SMC6-x@p5qC0~6)4eE17+{9H>e7jGagguQmb`Jco=LzlwGz>TVbU3 zvLqXuR*CKld;dEHaopv|=J1XjPVG(XQ1rYBJq9wQ0gA5X;dY1L(jlZ-kydP7c}#lR z{uAg&4ksatFq|MIpu!w4voxLQ>g61gFT!*}RZdK))x^(Y8X4dSa{x>ZHtC>P|!VCA?yZ5Nt)#z6CD-~M2XGAl#OoH>vGdO84Ml40nmp1YC z@Cklwbz2J%Bm4zFoSd=5uWn3Ybsd2wGo&LMWU_Ri&E33-N8gi?sED zI+2&~Nx`W8+NjiZHYK1R$&IMbhJbBTA?Elr6|(h6T;Yc((`6W=ZQN5%9$kO2wjm={ z4JFcvN`r%uAs!riP!z;g`$NKsFpDEs+F`Pm` zNwv9msQ4X7DN5ZOW|7W?K%;eaYGnsc?G20pts1r94;1uNQuaqMfNE5?wVmnB^B=y7!r z-7jpKp4UZ8vE)4_HSj8SsP54onz9mD?@0N*r2T^>^Zjpc!?YLTDP65zwCRKZG~BSO zE+g1pzGl$DCdxzT&E$ChrD@yPFPiOkqS_tC5Y zdiy?v63U32B*<^|oQH|!t|niP6_)0JtI5AG#rW@q4ah4R|TLt#+^dSPJ^)6reK4p}k3>u%CXD;Zr`z$lUyk%@vFsR!bU97V#D z186Xz@6_1qF=e68IiAjz@kUG<(+2+hF4H9#8B=~&IZAW}4}OQnzCBk&G5N^HcU=1o zmM-7lkp4i4FNl5gS44yI^&HN#5Aa5GZ+=jLj6ff4Q)xmCJ`BHip*%xJY_KyfvcXsR zh*X_};KLhAZ$hGP5c^VMfIf~+t|P|%!NrHy(fHj7cG6H2ZwqX5`GK2R6H(+k=iwON z^dNT@#d{mJ6Vw0PG@c$PJF-QZq+!;5X+u-r@mFkNFHMq8st(s4aBLrFf!gi(aAO+# zN)Iza63$l8g}s61&XV9n{uO=|T$hvYS??jle24t*%${nWX1}{+9#9MMF_bX2wCJp` zxcnB{7XQ40D#ZjZd?bIO%7*pZBamaZi_mO*dmkR*Pf1fy&U>qnY^lT(`Q=V0$43?_ z2R>cG#YA9-9VTPWMDg#aU7h<+!r^!bi`ZSBip%^!|;zc-t>isCv=L2%Y~UZuY+#iU))u~uh|`~nB(JEA91c%;mw?tOG5QWr&n4tj`z}#< zfQ)cq=@!}>J37oCr(;UK*TWrJY{4T{M7~Wu^iysZ0?bcbc2@a%rG(#Obu zpHWwvnanf3;MDmYjiu{3#Nh9KLT+H1pF$G;!xafn7xrFDwGzO&r1mV53nR{fBJmG* zVfZwbyoFh&g!lrVdz?4s@n{kfg9*E4ct#J=s_>ZBJi9pTd1&G=K_1m}&UvI(9A1>J z^3SW>gvO&EZwZ+jb=#s&>T;otMBQcm`M!c;uzcSwkJ=_%v+`*0g}gebDY22mrOynG zdgU5CpNo$1*o~YtrnQwrs%}~6%P}NV5jBCCPCj9q92neI3U?e2L9f0IMkmuIFkyra zky9nqcHQVZR95$;YRYhOi4+^!9=N?qrR^#8LP6M*g*yU2WW=;8@`%f{~nF z3ngosiB5cfW0)l-r?Z*jQn>vV+TBdD=1laW5htfVI8WYe8fTEM32U6t@`)Wkp9AW=tkI~U4swV156p`rWZmS{R<&>{>3Zs)knT^QoCjJn}34t)`yht zg)7M)w%s;wpWv+Ah#0LlIHEL1uJFBpa<~?-3B3|{mx)}B-nJ_TFd#~w-b3oYH&1{c z!hQPnOj|e@d7q9~)${Pe8=!)|WL5I7Q^WyL8FdiOL;q9;l}7+v@{p>`3rM;2rCjMu zsf$q1Xj9Lb>)}D>WGT!OcoHw!(~|?`NkMlBdZLmf(Tf@vQf?GO@N(j&?)5FtYhKGH zw}ju1`^a}DroP3V@RqMx?y&CYKF{u{Ufr!5l_MV=oTJXFz8{G2@<`X1d{P2P>vGrV}s z3ceFJ(mGfNmKuG;81?9t7~y(&I3B7j@TV7|PFzgAcTH&eO5ugmqT8fFhy0*wg38mA zGl|t#m{odz)4^8Lp2nY|i*plRXZvAK%sXq?9?97@+8`eY%)g_F33g@#_4;Vfzi~g~ zpSm6Y!k*EWkvv>^=6bOzzJ}Y<3k`%i6Fttee&*M4&?7y zdE+qWl${y6VP<>^9a$#Ueaq{J5aIilkG`L_LRiOhbo#Bw`y=9tP^aoF4%}e>%3{E( z(Gs+SDoBJE!IJPEXk3K&+p;jjpY0hJ#-#n;{_yA*-RT$GEsebQ{Fo;^%>IRnr3yWX z$(<|`E`RtPdGcRFu@2LxJ`iQGpQoO)R|oxptv)YOj@?{(i42N2{c-GI7ltU@g3j$C z8U8{d8Qo`h-BU!kFh)7us0SDPVkPV)Uq)+TFZ2@{sBlJKF_mnURI-$W#6U8R5^OXE z{H7MK7|hj+Y0S1EBQ~m}Aj_FTR0z-j<_-`lutvqw(k-zYUj(sgx_#%9u)Y3fKgXx2`~p zD0{)Wxc+wpjw4yhT%{K05cq3%q-5-eF(0mH{_i-p>D{y{NJg9)CX^qxJdSekmObz< zQ=C*7hTCavaTgyyD61%;$_afB**8-onD8}TGlw(j*`de+w>8z<%j`zC$|fqL&e5L# zoQ$J;AWq+s`d2wk`5I;Sx59I0*WlMJZ=|ttJgqYZukhTY{k!R+qrY|&k>>-gu6@=Z zL@4joQ`H^QV~@%V@^f8H=~GETgIQGT9qUKpFobUVje%{@v zxvVkbFJwU1gwEBIH3<3{=3WwaC3J#u9Is?vLTgbkv;uvL?nCJ!rbLOKrm52U1Au7= zYIJLgCW^3Rc59C4J#Yc>2v4ZA8m|i4HBAFQh6_co$Tucz`fr^!fhHE%#aZi0zH$i) z=eI(tkUBvqh1V6N3;Nn50bCB3GjdfzNv!?~97SM$K_2~u!3!qhhw!+kI3Nxxv+a4v z2w<>95#-OPp>tWD20M$7!2v6V>#l6U`5u(DnV{uTw&-0zJy8j+#-O2Oh zo{%diMVp{I9b)`?39DXwQ*oM|z26bt`if9>*pj_>+%;F4Z|Tn!h)p3)uH`yblRO@0Cm=6_BbP zd0UY2l<*d(N~cKE(R%d4fsg!VsmY*p-6*i-M)!~x9rY|s2v5rbBtV9|*#?s!gQo)x=0W;6;MlDc*TVgkuf0qFu%`z zwc-W1e4REA@u-kf&E^fUE)2b1Lil694(BiDPOPl96r`J{3RjYPf9Nsbd9&shR zv#b-qMzEQOO)w&qC;b-BhRT1zDC+=SQX54lwmX>7-+0Hv3z>E%K@ZtMIAc2bAn3-* zuhq>eu7N6hs!%JgXiU-r3kmH^Nf|nc2l~$t)6<87vL6;iQqph3;Pes@EUK2f6>!gG z#2ht49W;9`p@)Ds{J-O?s$0Z?9>O#*LXjcm)HI({53DHD2Z`=MqNVU{)s!N!xK7eZ zw?~bsp;dOiZj3=xYOfu%S~^(fA>@jzW%fPlD;gy51{sCDq{*mRxR>f5Xw*-fQ`_ zIsCF)TM{7p9`E+o_U%p+TV<0wakf)V(^S%;L*aR|JD*MiBU!J%2gs$JpyhkWG# zifDg4JMt|r3jMTKwS-EX;>dvS8`_pRhDEKw&gX8F>i~C*C)5$tqk}MeTLRemgLK=` zkvmAmWwoV9-&vX9#|vOJ8&2g&-IUgfdwqBTu{zcL*fBBYt-w}Jn~_dYhbjUXj)>_@ zU_$t@B}Mu9zrnRTC=x?(G}U%C0sf&mnI=6@Bl?BmhPoqDr8?%Qv`ndCsQgnU@^Vp8 z{y+qq*dt7#=^D|Jk*@ZwvRG>*T?MVhSlj8cXUp=ab%Y|y5aFXVv%9ooMZ}&Z%52kp zvzdcOqK`Z%T54sXv)@PY%v;R1Tr_OQUm~-k)zub#!4){_KT@q)rDE3+8{eoPV>C9>ut3$L zS~nQTQnSowcqgx*k&wnj(nPw`NU}hOY16))XY(F|AotOfCw>_z`GI@|{>;wCo17A{ z2fZKEmjt96S;O8QQB&?(k49rORc*X?Lb^42N5c>Kb7>8xq-0~t;WaCF%|1Hc{is3L zWL?49E%}+7_cBMDbZT>7S!p-(ue?rkq7Qg>iHqiMDZg!9pF@Z5YG)nRCO2f+E9m#B z7odQLY%A$ErzsZ&Pp`)qo}h<#QhDKXVcB<+Lsg zRf#iq-%}>Ib$ZWdVcPF=rcMRg|MoS+Ff`rHjSYK8X(w&h6I;7$(mYF|pm4Y6^%vS2!R8V*Xg>oN%ZWJBr% zvZV5b5!MR%-2J9#kn$3!Ee~umpFYQKzHQzkC)=0k?~GJon&l zaN!+b^9soH4i&4LkN&UkAhTR>CVyYK$caa7#B{H>fqR$R!1h7NTIM5V+eg6**>=e| zrC8A>(qRisxJ7UcfANRm1N0?u;}*)9i1`9c$wwd~?km649I|-XbllWceJ>|&)snKt zhiq(d{^w-7ypNtWTk~rr$BKm?MG(u$o7ebe*oS=ErtGy>ec=AvU+n1;zJcs`jK-{W zL8*#Z5}oHNtBL$U7Y6j|aQqbTUr4w)@RkaIw?v)JQG-J)%IpsSd`~3)cO6B8GFR#> z{ttZV3*d3MngE`t2lNxqb#d1GSjHyq?V`|{REkfUsjGb!yu0Tn^;(#nWcZbV?%1q8 zKv`f7bjaC&Oe*c)D=1cGDPv;K^A7y@h>koI7K!lf&~8;-XU_xlffmCAtPY zgs+S={cIh;rRVQ4yHz~FJRU!_n)i9?q0=v&Z8;V7MTphhd+3Je2TW)0cy`3i>_at0 zdQ|(js_+d|(sXWEVyxqaWMML%F50?ke+@-yx&QX=Bi5^Er2HJudRjCK!%bPt59Mkq^C7nd=WkSKinnU^P{2b`!9F=MNrG0pc6bn6$ z%f*iHBS24>R@-`Uz?yqVHeA^-7EtxKY7au>VMpd0IeHp>hAQ2dekEmi0R#ZzXJEs` zg>q-rCV!TYS%sN;ECuCrANok>+Jjy3;ZeRa)~*b&G+9a?)^Syp7y|&~HVXh4n=I6@ zP>H+%zC#hnl(|(*K`+F)B83w-?pl3^$G*J=51dOkqo4T5B7v?gw-Z-~W{!@H+fTDS zao+;N_&(vm|IRKm7fPF}<PyNh$ zIMC5i>A?V?+7y+>%QS5iCS3G|oNDiwke=pkgN#PxqCQMa2>Kab`Jsq>0}X`owhkw& zinbR%zHvMt9UAtD)ls6q|I!GR$O_K~9@0Cs>$izVr|)ItPBz9W0TKT1S1bH$ww^1+sa~tsVXb;GpOMbkZ^Y;UV{c7R0%PT8f*vM( zrB8zH8fqs8*k9tHmW=a|u2v}YH25bwpw=iYp*%hyqExOkb8P4J%wRP&Ui&%Jz704| z3UmVH2o*XcmKamLOz14P_Pa-Hq6|nd=ocA=lo8DV;II_=QyKmjy*t#7&Qa}{u2B#h zJJF`?!^RYJuC`t7O7;}`{5^J(-X*^K`TEWIyQ0_bGEKd+);q2?^ei|_g%F7{9zM1HdB?E+@XAP%Z&WtqVfa|3s&q(1^Gv>=vI_(3-B4h5xc;cIbvZKPz zQogB-fd2HH6AK#A0r=&-XHv;lnG?_~YE2r991jF^$vTrDmarU(hj3 zL=DPCC+C4a$Y=~)g>rRoKO9)tQQ2VlQnyQbNMuxh-kA&47aMFY|M7?ACSZB~!wsEn z*o6KZl{!1Q9QDZvK~jmVM$UIA82zGZ!873giN$hl8Jnad+9Yw6(DOuk2m#Y)pWrX~ zXA#Ud=VmW*x1j|JSG3()nWM9%*y{zj_2sIvVzK9Un|BB1ZJE6{`Oxpn7Z@$C7Y@n4 z@^<(v{q>GR$qKv0c4F)4N2IWflIkp>^|y`vT?VY44IF#76QO7V-5gyUxC|YLg5{Eu zX}XFF$8MCN*;-Xl*{4ryf%@CZYQ;a(muj(|MO+0adU7XwkjaI)u#E2S)5&4{wlqe` z7Us%0z*`ON+$CcP;|D!}dq!8!QLNb`0{rCR>6TljY76_h@awV=4RT=Y6@Z^KaZlBt z3O-q8hT45t8MYF%FIW9bRmHjMECcz8Beku`eSD!+N8=l1B!fK-)c`0II_)h}Vm41@ z*Ia9z=QHjHxal8(>FZQ&hB<~_4m&3c7OGmjlz(bxyEf0N*nOxfTjx3zx4doJI!ujq zTr;an>{wSg9`Ug$&uVWs(e_{1N>6!0fMN+C(f_D1qsuVn827q=uwwEd@Nzn!_m~4 zj{sl`s4pc_1U_dDZiW>J3)l*kBOqXSL@vG3N~|R;UT;<1j4qcuT?8h_M@pmCFppQf z`^=9JgD%cbN!1?)HgTpssrHkn4!m;tC0g?Lltg#V9C2<|UBH3^zK6q)nm$a}w;?B_ zJAvdG6&Q`f<*`o0CmENt`3blFI`{$f9>;Lm@?g6>atw*lKH&3hhs%)hK+&yWJT5{J zFAQ%SKuaV)@dt>JOXJa6py7m&3}e^Z&O>WJu#GvU<6MI<5d{2foy2?KLuDu; zOI8qqEx>X3jGq2whTM~sbASOz#P;&b`Gj7zC5&Mn-zAXb_7yPC&lWMiqtA3t_6ISi z6)D7is^Flt{6bsu7Cl;+Hs}wAx8~ZSZ#d|O{(z)s-Dk&#=Fho``R+8U>e2o^hL2NM zc0n@3oYeju3l%?{T>UX$Y481=2XhA|Qx`=A;#S@X8Qhickhb+=t;G6AXq?~X!7isM zXKoRl>52>c^R&g@*Hs5M^^&y^cofOOy+zqY%pR0;9vx=(1h7(-oa(hG69lY^gC7Gr z*A0;aWe}4$ZAl7610JF|z$NZM-8t-WF{Eh6 zXJ~y910u1w3KM9KY|^)~z}q!#4?HX}ZDHQs3t&U}I`nJ))AHu+-RF`?9{p+-x9t`< z;cBXT5L{~^|2iBXV(L37fBpSn?i*wf-o9#P=R*~DmHhWXENt0j^aa5jTz`JmA_H*X z-P8m)&%hBXJTV#|Yu~G0ja;Rl;-;P<^DZbDQWyt45>b+u*<$(s1>=$Yz&-UZ?O zzGzbSW~OG1-W({#P-isHIi^Ir(||b z)OHy--Sz=!Cuf=vFa;F2QVkf?W_=~z3{%VGV$tus6@BMrXg{w&O$h#b=!l}#P)W#E zNH|^2vQSy51XeUO%lv$LL%msrV(tO_FE|SNRhA0^bTfF{22RFbM&t}$K?IX2tC8Zr zZHC`Hgg+T4$0Wf`gW+ar0ksC;bz#(sr!b(7!TIj0*>fAQeb>wil~EtI`W|yP`?z9H zThcR8$u_*VbJ*{L2VRl=4dwTu3QO9ugeDw7&T4EiP0R6&{Ol*Bp2r4pGlLD=%1kic zOH+#Lh(`2*0E16(_gQ)9N)~)0?ZB5ou)WmxoBJD$5qdaD$kdNgvvaneEbc&>3(zHD z2OfJN#}IY2JQHh*cJL6OzL==#40cp2JVtSqiF_R!)J*f>8C9pI_nkKlDcfZQzzfP% z2B96z{5CPQazBp3+UaFfS1T!?psS4}(>j;=GF1$JS2(qgU*@R%DmiEHBzRoroy<-e ztqHQ=kE6%?Mr_1R_|>x}n-z;cEMD`Q*RGFMi8fDM5Ahy++ZGb8m(@s|uBeyiW%v5+ zrq&ScxrSe(21LwMU+pKP^pBDJEMc<9NY?0^2CYFCE1bYNm_*~JX#m{}bMDwz(F>^P z3~OM5x*;4H$O=%ZMif#1-QoZ2G*vY(pW}4j_>}%q6)8ZYnIF1i+Fqz?=Ll8HB1{oo zR85lh!2+ffE$?G8v)0^#i|Wsuz361TGxwQ0&ox}2;Wlc<#j1SJ!;SGt61sX zmXyo8X4%Oc45BngNPo<7zB|0~isi2lyXLa3C!Y^Z?h10L_N=!~kPKMm2bx7P%;+}c zx|}0#U-hh|Tf_U2HFBCp_+|9R?7vR0wqW;xXtxQZY+(XwttfakT6)@DK;)Va{+=+P zTP!T-<97pD{qKx~IzHxwufYyQe%qO53L;IL&@!tG;G)dKNa1H1nXPKkEDuHV)|_qY)F&=g4vDkD zrraGeTrjySi|RDX)Ad5a@!0dZKUQ6{6FaV)Q>jxqkf{UA)z)y;nq(i=Bo^1sFd_6u z(g~rCo*5l*BK5!mZ|NVcW>IouVQ0*x2f#>iPA%5-g}bo>u!RanLOcHiXZ2??M@bOH z&Nw_6s1s@0-OIbT#afk~te{S1=72i(pn)_l9H z!0Ssd3`(x27N2Xumy6mPi$3Hk6|;IXg!~t}YFAx4U-h?45)&h}WI~oJUTwT!*k{-c zzlBe)-wly^rr10DIOS5m*mS>F)5gNyn4ajX*zvUbKUCUter#&nP)dI5ejOKkdX=Gn zG{Ekg?y^J9rdR{I#z|6und}U8!9{2IZPvz$^GNhlHgmXU9FQ9$PqI==EFOIs2liBy zin39QQZr<1}@{n!U8i)`jEzwS(8ISOAbB1|7p*{U-8dR`z>&4uTN45AH|+CB~oN0S_4sg_jeut zaL!r|?~%~jZf(qit!vU-&G$_#}1nDNMyo`LKfcbVh{TndrE=USJp+=EQF%#dJG?-uZ zSk20eWr}o{_`-o;4_VX8(x9f>6R<6S6eG$vq-#9w`bG>P6j>bP+_S)P-{+Ff(_fS7wdZceO{U-aV{~OQzv6Jkmw((Fw+{Je@20B~i|97N zMiB+dHzOf3yOfA@lG|V&p_>WiS@SuOEI$QcRC3_@ZAHwRABq6~R7Cm{k!-oB3%6Ar z6ND<3lVf~mq9nl6M|OVM-h^ux=nBD10731jhKhq;`@ojw=!&YB_DB291nPK=&tJz6 zI}yv3em+N$=(l6&%M!H>mEQqJ8jN-(Y%znPzF9Aq-5?hEO$pg|zlPQWI>?UcBiRz3 z|FxhTzN9@!7vbf@KH77sm&}P!$dKK(phra{R$Bu?`E^d&y&=CPN!5R>YtcC$+`9FZ zU-f2=VYM+v(g-q=)F!DC_HI;@pDtj z$*=N!JMq)SO*QByrWWuGeD$j^_Ej717EgCsAQrpppcUF3i;hn^Y@cD?z?Ac=T7>Kh z2csh(YB}t6KqhI_PYlUp4yH_ZTA-e{6JQI2|LC9*Wl8_JpVqX&;Ml&N4q4EtW?7Ml z$Yc9zr7=T$UM_Zr?E|`r3KKf>drHJ~tcwDK^+V&Bd6}QX&%U8rw@cN0dlq)*Nk%1h zG41xXSsi}CEA{*r-KC6(9b;X$?`!>YIK|FMq)U%Zu*Vf}U><`!wCKqEHu!a8$q>^j` z1iUBijj|L->5MaQIj&RYC#!6vr!mz8Gf3Gn)K_bxncN+_?GgObohoMumP$gqRc;de z>I}@VvOFlS5m;K~U3x$HAncSDv~Hl3k&OxuUBO#}>o;@qYFAOKIRy#)o=!*co&_1l zn>mpm{s>+aW-~v%b(=$Ao8{`Rdm)S9seDT0b8_m~M&r~_DU@vX;3jANMkDSiCL@aA}6 zTy!oxR>H&A7)8pU?wd)6E+Za=l^tC(eCZ7Bbve$ztjXyz($Nu&bXd>5@o?*44tD`kX_8&V!*IzjrJV^oe#DZ+wdY%UYE3mAp~ z$tkv~6c)no#Syv6({m3!9pXF8s-RcrYGmqsaX2)xV9@q8H6*Ft&fw;)!5!QZO0bvM z(nO{OaiWukNg-cOYFZw|Xg+hA48@67x90>iY%E#v%)ss zh~{r^%MWyC5=xunDlJg8YWD0}G(E>f|I5YK#{2yj^eA;qJ^L1%C9Muz=2V!KhIsW& z&*^~w_e-1+qWj(H>*V9a-Rf_NyNnQh)*U>({#M`Mj_j46Qjlw(*2SH6V!n&c>S#WQ zS_Eof7c^8J`c`QPh=kXm9~!FhYq$5)@uq_B=bTRejFei8&yTqFbkX_kT}!gJ%?$vr zX%RTr3U}|n-w`o;4Emoh5wAmw^7cl2#N}B%R)33=Em~B#)WmX`V_;C~;f1{}=+54y z;Qa~TDqY9U<-oLe*L3HeJ#BiiF9|9CjCfxiXLD}Osxwrn77X1`9xdSC{X&?l@H;7g zHd;AGq_wUyd_-2yYB#IYLXzmtrhm%ueAj_)RC02-HrZ=>8w&i z=@_Vru7`ihe9Z)&$~B7w*sGeI>~{!@&bcYX1_^=C@b&PvAeDgqlNt_2CQ}_IHmkB# zYC23Ev->I&ZGj&V%}3H8hfKAu%hpU|Vnxpz=`>_U_W>;e*%Oy;ok)Z3zS#IlEGclj zs=Jbmoom-2z~5y{axAwrt{m7A*R4T~{#+vdauxAA0}FNYdzn*OQBcl>xI;8<3V?=7pivP_6xCNPXUG5BE3UvqWz?A^WOm_GLyZ8P5H1Q zc6pIn$yM*QBX08Vgva^7UDRNzqa{(Y<=&r;fBC5gmT!OaZwh=<$`Hu9&9;nxr3OgU z9dP(TkG3|>;sw|6duH+cALpz_lHIWThpeO(JV?)(Nork#h94Q3w3(2{d2FZ%9CYA? z*Am{{fPws)dn8dl8L569SF-t(BP5Vd;EcZmooLz+!{kEp`G2Tghdn=8=vVWQRVHJW z1sPt*8-XQrF~*sk*T2k(HB^sUoDr(&ngZ|B3f&0t#@7JmVpO@(<0C$X^c^;P2}tM~ zb!x&OJhil&*^x!aOhdm*hX_@y!mQ4L>64@oYm0ZOl11=nsDrg?HO2Vka=$;>&?^D zfygh9qqXc`SH*%eJ7Ox`In4QVjoB67@yxB0^LCwOa+oV!^|pxl!c9hZHf*jILdWYL zE7_kMzBlEl|E21sA#+@sy`Qlu-Hn+pWZ|JGA*7{=+{x*`qIX-bJ47z8qH;A7!J?xt`pP7QH;Qy;U7~cOpDK zcpxGZr|`FR>Zx@!tV1^$fGlD6^M~T7C$;VVW_2AXA$Qg$c+A5y+~Wg!#Zh^&t3fRZNT;&mV&adU^Sfpb_0|E#v4#%g(@3NcH9XCJr4y3R3 zcNP6+RN>%O+v`8^{co^XH%y0A?MKOyYVA)$e51HZi;gXWUgV--{9@uCyxOx zfN^#^7jt~yzg;)h^t@K!#~5)5645jD0R|_RX#-ObSVp@j_5fQS@}84`IpYK-bkp=uSR|Q_vtTXSv3~R+w<)4WoB!-)nq8#-3XWi z9mbNBj0O}W&IWI6{5C=;nzrj-wC+sl4100`QgbLj^dVcMY)3D011yTif~2d-9j_G0 zvCZ3_XW?pp>^`q5OOLCk4Aze(krNIHb?5(>dlUWCt2}1^_;r4|%UG)kuRaAax7W}W zJht$j&W1CDw$Ggs+FF=5TUrgL_RX!@02Zoo`g+_mtXouTn)|=NL-y!%pJ^+CH)|~G z#slW&Sth0^^Pe5)QL5>ST;ej@sal!vDM-dCVq_SP)VHn)AtsJ2$(|Bj8A(z#(Aw2$ zlmk4pX|{N79f~z*gx?tNAMNU_JQ#6_Q3e(r&BG4emTw99^Lujkm6-|HoP|W(kOtg- zQ<)47o@IYch-yWN2;;ZEyuZAyuq8be8vs%}piwQG$BYApheOXkH*!4z739QqvPt2F zMbxGHDG0`JCq6?tGj&@q^)#2U*XpUOxF}ox|2;W6>ZIAU?C12p#+knG1JfHHwqssi z0G8Wx&(5e%8P~dShOZ9JHyVlSewwO%-exWD3r`;Oy(F=J+68xJXRP(blr6H1mxak; zO#oigr?-y(-St5IEOkg`o zkIl7PzX4*QnGHaMcZP8vkQr5T!H)INy59>(GWy+Lq-S6cW^2({!00@iwH6~W+xB>r zUW#2x+2<_-Og%nrr;`xsX1p!}yscL7ZqHWQb4b3NHIQ>-;30scmb2;LCuvs_RsQ8W zohtW`o1dQZI~M2q30u2Soi*}&+0dT|v72@|5$(KkE$()Ve9M#*voA@RaIZ|rg}1H$ z5wG%B9cI5`zR(@I{q7mI>o@=LI?Mgib>ZB4uvZ~-3~SK~iZ7t!z6Z8xNuVp?DKd1- zAfCST!7&Cj4!5~YZJ)bq^<3oe+yg)UNqi6&WaA_ICtqZY&BnCdr{hLi%&aW<16i2U z3n|s$ek+&GR&GeS6*R7n#YHXmkND#KdgJ)sbU=v!=Y0Bc8o*hoo91N7>!}>M>(tF{ zAz`aoTskSnNAO|E?*9F=X3bx)Z@0q{c9If&SKXUnmzjTMa%a8?f55|_R#Sg+j=o^2 ziJa%;EwB@{%&14(g}tlC9V43a$7m)$;avGS6RYV%tc#o8m|ggjB7at)ah@nV$fzo8 zKXZU0dq7aqZLU(D!1V`Tn~nV$kx9KWt+}C_e*0_X`M?4Awb{!|?dX=*_T!C*512sY z84UGt!(03F8@nD}Uau483+rP8=g?%cw|DiK#R*%UYU>QVQ^p4bZZeYU#S<829wmwS zwKl>QCqtu}sev?7jIr#bhWANh@4nrrvSwpCk9RkZ7FkTwBjY}HX83fk_KjG7Dc?U?d2=^FupKemBL6xAxQj~Q zK~E-KanO+-z@(txX_h~%3N!7WON*M+%&)kpizT*_udF@``Lj$j)m{L69X9}DMK+u7 z-+{D#nc9Qd#Rs2A3IZQUO#z{zXLyk83A}-TotX7pSa(%deWe*%`f~O%oOH>#zFpmx zg+88kdTihT3Hajfcd_*ci( zY5}CIp2NFwdcMxc`qdZG2IjmXc!v#kXtfBUt~xS*xucBr$VuH7qZ0m(`F({;Y*oU2 zK*T-0sLZkGDViyo%0-ADgSM6J=3CaNg+rK_8reG3r!Xi)JJ7E+QPYF6>5MDo@_Y45Du;J%-4(Ry)SaEPj7=qRLi_gZe6u4Na-q7MbG7e27pX}+1s#%OY-`z zjIHC3%|it@1*vUK&qr~E8rCQ2x5OS>ydUaibK*>BR@`arkfgZNS3`1_7}Yfoqyjf_ znWm5uY`NaF@4(%vl;oLiyIWLs@zCDOk}JVIGHO2gyGBZO^`AkUK5CIky2d;!GwS-< zA^5d_V6Eh>@eaE&t~~SCKM5cZKMI(+L|NV0?%30%Vk@Q8n0$9I)kc4(k(E~{Mz7=0 zA*tWITs1X6(7=&<_l}(#xe0!ZJkuI-iswpbUA>1Dj_n^2gV@EJCsjT5A~|#+knqFP zEvAF-x1fR$WpPCEcks7MhXo_%R@J4F4yv4(Z}AjO=p7n&oVyZoS`wSQi#w0EdN*yh=Sv_V?(r3u>Y(T=yWcg}Y_dw!+cTTnQFp1+ z_N)>c)btqVDY2GOt|<=<^go4EQ9OV1`0TSFvIwSm%Z%{F(~CSBhZx@$9+^LR8+7L8 z{Ats}&!TTGeoH+`!svJ*U1VCGO|RCmFQ|XNG_-x>G%j$qs)B)g;Qnc8@sNY%jpSq3 z%2DBn1MkE5$O1pOMK*H@8&t*f9u1b4bea1^eQf+GRkDgtIfnauRT@F`n{-~T?xyIx zH(ac(&-v^5sC4SgzDNG`fcTGN>Wh*Y8X7@MAo~3!Ro`uHiu^q43%A=d4vR)ea-$wa ztRZ$U-W94k=zhm&1@a3FVz)k!6dEGQ^6J>M^P!$Ss^+rdR|>Tc7aK-@6Oq^%9r#6k z)M>z4GMWlL$#|mrL;A;#bDDoz54)u~>BU)})$9_S&eiXWUjF|1&4=Uj(SF)qA0t%U zc!q<@s@zV0Lmuqimp=f0dwKKjj&{(D7lTR*#DocLdB6SL+I6R=Lz#Co{%CxBo4p*p ze7)wis)_6T9a7t33FZctpLADSEAK)N_v}IMJ!L_s?k)#~h}RwXB0T$Xk6`OJnE(}+ zJB6<*ee=^=+tlgohGWO&d_K8Nd#=BoZW6lMWK`{BfBZGptOsG}7X6}pukX?5H^l%1HZc%p}@)3?Hp+z-Gn zXQY~p-M-Pz1Yvh-_%oLtDVYyC-9fij?eOKs?BYLn_HZcA#XE;0&_b;qqOZ2ydyIR- z9~U%!XNN3bQq?VkE#ATGHxefw#SY7V+nf_5HmsPeB|f}ml9yU#xB09d|Bkzo>!Dk% zp7lt#@{28=-SqsyVcv`944-d5|5!FAvEDy@v+1)qX|tI7HVF6q>d(y2^u=h_Yo`n0 zBK^-P-4OqEHqzj@=ix>jb^HAX@Yl|$w8`0XmvUKz#izZTR4m-7^~~~|>zlbrfkHl> zR|jgVuPE_FM7rha$%|gDv*~fl-haI2Sl;dI-DrxViRSN+fa+(bdF=k|e87tzUi`*I zcucBI7#{cCXNf1&=Kc{}bYY1-(m8RsM+mhQ_2cw8-n+-rLJcnUTswXKG!Oax&L5hG zp4T6~Ej0M2?A7_^L#>jEQZAD7QmK+fyAeWudWT=28&b!vh86NrAp$;WBnuiU$P=tiEl6FrTZElk~`Pv*{Iy8dP#a*`F$`g z@zaH`A08Twel+dEbt&IhSl+%Yu^jpO_3Omf_}hiAO`LOXC-zx>rQa9)h5qE2)t~9{ z%cyJL^yObZ9|;D;ci>ZJ2+T<2c5eVB0cLg%H}tcLF7&!%ZO6MFo;Xkl%~xLfJBa(?gmoN`;F zFx4@(@N*&0*N{Ge!s7dcj=<)s{S(_2wX0r{dTLMqoNSYtHkn!Q%=f(H={-|8?KyLQ zrgZY?ESaeRanJ9?f9;;7nez9j*I4cXW%+pE5sD?z;y5A&S0z>ityd zsmk`^14a8+_KS*b5xW@qTQo&^TKV1qrl_50t}6Q8fWwayi%PqbvQ^bxXndCwYVMAI zX*9_&9sKb0gVcv@oeCd5e;~AEw~VxGYgu_UsFv}%pry0LI7uzZ$Ly6!#Mf62*R2{sk`;7vL?LnrTEruTH+rhgvD-2tjG>1nhOt|78V!N@cz}~w>y6K zi_mqwT@B&p`*4^>jr*6np4(e_-tfGz)cNYVl8SX}jk1+Y&3r_F2nA6rKkrh0wfs<} z`lHmC7X~Q{XeCKETPxvvE&-YClD^ULiMkG%G3@n=1ys-1p+E+)RMC%}UhlP;zy$R>{~v*TBy` z&KHZumTX2FI*%4#oO^$vV?{32==YVW_>hL8rrnIqIPKJ(tajJyJ+gs@sOHs%+|0)*6Ha%K6^J66Z$h9Nyk6`2Z zA3KcI)}6BlZ3;7OIy2z?Rb0H;H8ZR5ll-Xy z%kz~_K`;kXefowuzUyl4Ob#jA)m87lz2?D(-%8rE7Tb2$No&5ol5{L;TEfCR;-S;` zyrI!8b$-|M^gUCWPcy#Z4C#YLqt`4j;sK@0S9%iZcEPQw8g=SEtnyXH2Z2+^R7o|*SO z;`fXButAKira4qv?mYi&8n>XhI!IZqK`dcz1lRzmRk_8^0+JCirZO(zE4yz^VYa_w zXkf@v4qHoQ?yCxNcZ}UxH6zZ|_JZq9Re-ct`F)_rF7&>BKfVh1@kz^uP{M5>08PCs z8z#3XaILuTRBfB?G~x<<%e{-j-PZn&ufNJN$CaFU^3Z^oQ`GwF_#|F1GIJ#zQ?0eM zJ?@j@ok<4Ps3v$sF;i-w06;Qo6YZkTwQT)m=U?dq&} z*T&V#R?*k_0jD1>l&=O{b++}qE9vX(>>t95AO4h^`@IgLCdxp9l9qt+pls|J$V zuI{#ys){ERPaHyTla!Q1x!c^+Fg&mGPjmQ_)**XO&j%Vvq>qn}qK}HAtGgXiNnKqX zc|sYftgHavq2PgY@x1G+;Nl_ux08SSIdAJ>?e6fv)4|n6lGE>9D_1X1twV=65BksF z-|uPb>+nBMa`E_QSnvRmoGVBr#S_T?^bI#fan5QOIQZH+nVxrWhUW}^23kq=q$+Bo z!T;yd|2*=)nwtDiQ{_|2r~kX@e_i^2H@)d$>#ptU3_sKp{XYx#Pvif-_)kL=k~8-I znv1^^y>S+vY4kP}@;|GF-j?(u|0ukW2OZAq-++&>m~sAi)ZjPSzel*v>&o}!rSu3F z*BP#h=g;2o<({qZi*Pmd?lvCm98{T~N?a`G6YPmVl%N0dIPzJfbFJ#p)4L7}3GrRn z|6Eo!>J0BsgcSdU=R${$?Bo@dyQQ~@Tkf&%xjk=R4cF}-<$Ka|D^x0c@c z?x6(SX)l4Csh?s&0Y6O}du7dku3Rm+cWth_&u@;c<(T_*C3Da#I_m8%{zw1&|GzWv zzccWEF$2E4cKME-H97Cd|A-mNBlj4zcwlXAd+(AnMMMdn2Nt&-B&xZms_RxWy1l0?WEe)CP- z;)6#@s}F1{-t@@S$8D1tzWMNu;o%Tnbc#A^4_k^Elh(%$}jlQGBpH~s1beVqb4Z+MVXnmIJvn>`hLje9}7b4c~hk<>o~Fil`yiXL8@JY-zd;wOM+zQFUn#`OULN3A;H zb$KIz>Lt%2AHLafif9rsi~M$GUZk9%xArjdD1__J>rlILZ*{%y^% zY||6F#TNFEX7yM2EFK6ZVox4r@+ihILugKB_ClJpg|jO9D|X+{J5^mq6<~T1p5L`> z0^48B3jX~<&i{U)-v5g)L|5%2*cP$3KN35C=BIn`p#$sOx@YW8l9N@bK%(^KE^DVu zLW8pP^SToljD+}p_F>uKBg|k;F!pxGv2``1W6{fVexi@lGH>2G(Cl= z0eFG#6nW+*6w0+1ZemQyZN>gQJwRGKhu|*vZ-}p=vj(W#&WXJ0Q^HZxy?odxEy9KO6)EO> z_Ri6#BS)h+-T3jt-30w8#ZFXcS1@Y>4tv9AT|vrH}UbVEE7AD<pI`I47a_S(=}HQ)s=eSB z@q&sksT#CiGAp|D%(gTUL(u2!xhqwnxKfNuR5O#v2l#24!hgJ#1e2@o>7Hv)a>}P99<>+q>LqVU zgs-bHvtF9ag`eu%*Vs$mhnUM+dv)L1nc!9!SvpI7dU+_v#qYFPBj zP5&!j^NL8P`*bW;e9lgk&gPy@cnS}H)8?KY)P9|alv@3tAGr@+)kM!I^y6tox#b5e zaI=oDSsUZ-+cW#9NSYb^(%il_mT zGUU#5t&wGV+}0hi?nQVvotu}*bJMp4@-cmeUYjDXW9v!F@pIaVtY&SA`;Y>x#!xjn z<$b^$X7z=J(u@GyLw>+m3a(yzj<|&{um}>C@7l3^1U69Z@gIfgfl`=mv!dv76+s-V zR)(ucv!ur%rD>HmoCoajvKm5;Q64s}JolN960`+`53VJ$O}`kZbtS;oOV{k}wPt1r z%iOgWO>0GsrNM1^Fa;O^;pwOAFW9)#bEHz0M%djLklnQ3OuUHK$1yZ9$loLBTC#@g zkNzAZ>G!P<4QF&#Y|N)$05YnSKf<7W+gt4^a@dxV74l)8>(!8zFdZdhrn`Oth+Bz zzYmc2-3wS8)ZGUN13us+>ldSdo&oNm_A<)oJ{0PasLlAfp-JY?u&b2ZeFE;2+tOQ; zH~NI&J_nr_FwN529_{*eZ}Z8B{aPu<4|#q%aADdWla=aS?;Xi2XM>)qGz7>&27@8N}V z;?X$!$&XYs<~@YZCF?7=z8N9c|>J{!}Dj%#Po(qWHbFjHr&#IFW>t{mG~P)Vg&Icv$#T z;5(l_?I+gay3f7Aw=P*KQ&^_!@8_^a64B&#&@Pl?5Ne1)+TiLntRd?Y7PH7tf$#!$?8S3EU%0fjVie`-y>NQU{jFQ+-?Ko_W`K<{cDpU9nrnjGP)x zU|X;>G^7>(Dm|+U;V|sul!Zu+XI|Y?d$BgQcJMd? z-ZK5ao%U%~FRUdg53ent{*?54K1ql5f}9{^d?J z28`qsG}<;?{0%H3IGSNG?8$n!=C~MJL&&6{t=R%eBH=oaXE$EeJd zJ7o2&XogjPed?i2d%?@+)f6L_9({aAs0~&YbIif7TGsmnnla)`2_A1zB%d;{ccC4> zjPV)3E2nR7T**kycOH51*Inr0bvn0U14YH|w#{OC#nw7l)ceQ3XTW}4)|!Wwc7%f4 z9&6G{@WaL$au&Oa~`8V6vF!=P9t;&aZt9Xp?J{XcP9bG#=V(|qnh+%Wex5{ z)gLClByBl2Gq{vPRt^3X{#y`B6Jc}PE%I~Nh2lQZFF{}S_3fX|$Ao`w1r;j|2Vu9? zPZ}y)+s%^m+x&VI$yRWNv8Uj28a!}LY4UJcq_lbo1A_Y_lr&)$gd?<_1zX7XzwSuE zXaZJZ9HBjWtxYGwiHzX7yKAL`?oGz7gVpHk8{-#QN~5p7<-5bZ%*;Ji%NyH@b##KK z?pI_}GO?;s#$HX$p$bjBrOcN`3wCVj@1}9tJJHsR(k6GLhwM=-F+g{RXWW- z5a)#r$sI&nWSA~IbR*_0!EdXAJHZy_(P}Ku0o5UWum$VZiiPg#%BNSfKw~h?v@8W9 zxnI|W0r^rciCUBOJ=q`Ko;t%!8Fn)4;iIU%us?fWr7&wU1T5Ov5RQX_v%6O>F6u7g z*Y8BUSEzY9ZRdO(MsMe^T>_rz@I9B4(y(WdVZ?Q|9TA#aCI2;Sx7lfnMR~Ed*0a3{ zkCXh=!kv_lax=>>AZ;O|L7r4Pj8(=F%~X#KjAu~+Z|jL@qU|=c;kGF zk)fLKoXcjK)1`*UiHWx@J5EOHVkG(wH>I~VlK^h_=l-=;sg2eL$26nlyb9%9ZG3DJ z_r7KbnnG9WSBd`W=h5^KDDX3equaki`54CsI3!zt19`Q8_kaQ-ozdhGF?BVCg9!;N zeNYC9g)xCVSws{1OuinD`AwZtTV$7POu}E?zTk|{`)oyWUcuQv4!HKka#iuSit0Y}}QT}6gZ=>)#YMv%JOdJs; zB-9P#2hzv>xNWD!Uz8d*QWeDDRF$nsHkj#TGLCj?+d^lzGQ)Ht83PXn?$dF&ZM#K= zf9+-Ptr?{P+CY9L;qVf#uCoy9aqzd_b$lF1sHh4Is@iPEvk%w{7kNL#RHsSS8q^p+?Cyf|h)I&)Aq8#WW?;MH=uT`6L_}F?<&lT5d}Zg!+{ZLT_9uu`0#w z`iBI`Xhyb5>7h+Q2P}4Qe=$-LKl|QRI)>0cj!*F3{=qBmx(&>}G?}T|qUxU7NsyJN zR2R}(mFfvHWL%XiqO`>UQM0wh?2pfD#H~S?#SCgC@WDErP|-MZ z+gO(w-Cr&(_#CKooJ4n1Z1yC#2IE${RqywveA4>G8p`+al>lzN13j1&~K2Aj9UpPyr5uqv8;9oe~ zO1>QNPj$Kc;{1D0Fwmvh2aUMfJln-?3wXBvaT)IfDzRe>{JQo$ z;(NwtpMduwl2uLNJ9Y15g|3`uNbY-;pVWr_u;A?GBh>zM4~Z?>*)spZAZpZU{HH5s zXSCC;@t>Fbub44B05~B5pQrcoB9{J}#LhiLW+=B_fODs4+;@S7qwdWuM_u+(L_Hi2XgnH=v-kYvHtbK zL$s>yExcN7ekQJ@@Ar3VS`j^u|K*z(P-pvK!day9?uS;wOv*w356tlxx*Bt;bd;(d zs5!>s!`QG${^beQfYF+Lk^>W@fVI09VlZPYDT#szn%}OT%1|x&n>#k&OTLj4(3q3| zqJz&;O$e77z#cmlqH8!*)co{y9U*dybClOdR-!Axzcx7T;vG8)FeyITNiVVZ0-BC{ z)tx(p%BB*RGoU#L-whT+{cvRkSR}1C(UMLBvyUOO{g5400QEw%zzT**)tzUNmjR#| zLh=t3Q3*Ae|1LA*kuxCM5%vWH`S(H!l`BOo5V{);RK&c5Fmn*4;*x)J<#J9aE?{%! z!^47XsYaDv5$xrm!2Yhh&&6bv2(CyD)q!Rd&WYhQ#+8ni?oJ8jlDt5X=F&MP-1u=M zt1V7yum0PsPB-t=e!2GULSp$cyv1E-ZhG5H`tE$GkEksR^It!c9^ru;r|S<%93w0% zsX5d_pJs>={$oe6OCoh|uHm6yE7*0PHP97;DJo(wc6U9Lt7Hpv;C?UHh_J&t+D12q z4Z87SLc1=7%zXvp3zp0gff-geBbSb)V0KT!HIfPS zCj|Ygb8ZZ>$*r*M%QG^@|nXXYI3 z=ZvU2IwjQ|C^_rqWtRta@pcj(p1qMXA9@;fk5*%U(20ADjxJA#GvyhD(#Gm>qCyW{ zP-D&+k@&nAeQ@p4SS=0YV8H6{UF~{%hdDIF!7n%Sy3O?{{S6gI~Dltp!G^$_#08?#qAh<9a@C91q z9TlAa<*O)lM0NbTxA`(CIO@t4wEh$>T^4&WZ2L?xO_b-Y1bSj@KxgGJwWm-!ZmukA zvTl>*>49fe*`Bgd=d~_9asT8m`%3I5Dqte;cl5N-kwTYSmulaW07SCg8SK9Uo4K@1X2Lu zG7j+=bOsjR@SS^s?8^3@DGd^k0>pcGfIf?wF#V7J#}`omWx*4wlBXdJ5WVCkHrT7xMMc~aZ-jPAYsx|ecVZxmRUL43 zWQ`|4eF-GpoTK{VCtTPVzdfaZ|kD)BR^@EyYj zRU4GxRzyo-+K&GOQvJKF9uCrww~6i-)0lDu^~2D^WvVh2!-8WmSSD42ja{LHL8LM{#yM{fbXGP zGVztP+u+~;P+|;{fUWLVR&`iNzj(gaRK(yML&Se#G3KoJW-xA1v}-O_KgEAY>Tv>k z7Y@-#du_OC5c@`}OERJ+m?!Lz#0S~^4AZ-^S-vpBE*SF6kr8z6p8%O-eqRO}eMVc@ z;z@B2CDyOUkENBjU=IWFUeEm(O0F?@qgt7kO+#2X@+lU%O*42~q$_gB>T*UXVS1?UAy0YFejBw;>StFJB z%s59A^oZ)7gX(Tjo7ghe8e^Ea^tW1Z;bi&OEt}Hzj+_&}MAW}NCfXvC&@vq2IJtX0-O_axvRy%phE7$oFC{$z8!ubXL~MQl?OT?(#VZ9) zpb(#)n6)8ad!;^zLiiTZ=4RI7rrvEICy5c1RvLT)BkqES81>6;3TBK5pHNm-Hnz7r z5A;(&lvhVE$c~Kq%ODr*x?})zL`^o?s|Q%QwE}3Z5ypW|;*#r->lj6uX)gv{r@TXE zkZz6;;W+5fAK*arMzVxxt=Fz1ZokaABQ4<0UA*HkysberCGsT&IZv`W8F;Nn&aL$x%9|OT-yX*W)(`}EdyL&+ z1Z$Lh@wuBC1u^ssw?goqa0zoshNJ2g3oq~yr&@0lQRz#MTz?aBSNiWU7SM5<`30q& zyDRkDZ%F!H*J)7RhN1j%Gp8Su2(Yspzb@E-6xSE(_zSqsU^N!)ufc0F015_X_+~HyaowupkVwR&t0#gxCrtV0ML=!j^wI&qV3XMZFU`G9= z7Pmt&4G@q3ySyDqbO7cyDxq)DT?s5;5e{=FaX4L0Ih!0Jp|>76g4}It=$ru-ZeYKe zSu*Cn?f{ZQdiEK}--oA>Qz%!f2|Wq@!@xp7_Y`E3FluoMwAnscI*at{QJ>>Yg_C%G zLo)(91E79-XuibS-UkRBtHEROxCgIh47Tm#4|!~#(TYBHz&VCpa+(h@H=(SS>z!H&Sn$^j&xU5rZN+M${Zig-h~7y268-* zcT`eVz_%na(7bYl*|};A0M8-Q)db2Y?4gKQ$in@~f+lm;i*>)Kgn`^O$KP0X|J7>1 zzQM~Mx|>|KNbGT95`3ViB^`m5tkIOT??t25=4%w6i()o|X*7z@U0`CVEv5=1FL0~Z zw;@~n!eU4k>W9TU?KW%5W2gdtT-fmLiJ&(1IC;fSp7XuCW zjwO!&)YlvxLNe?=6Bs?J`DI^|zXtx^Y+=i8{FbyV^Vc51jJGs?oiIxsWRm|w1&jfx zx-mdda|0(2%&kWMCHen-KQey|h82euOD9+L|I(saWE)ZtU#6e64Uz8JOSPyPy7z_pp0PlYsK;eS0I{_Daj!9yYbYZ4AwO2LT@Rq99L<^$R?mwpfuWQq~AUUeZ7IK&(QX# z@$r`H)_W4b!D^=NJt|P6#cB`zb@ZJ_!H@&~tD}!25c3jz56o+J&XV(~eE^)jL7iGd zplFzIQazLkfH(BJ5(6ltja;&wot%SpF1-5P9=Vx;M_}&Zg3JW9q@cn;KMWK9ssg6e zvkEFXG}8f}*TV2Y7|7AMGhq7(%Q0V^l02Hprw)3j6n_UF(Y<=e3_)89RdCTFyy;a( zCfPV#$bXDN=PTc}T&N8z4@^Gkg{#(RES_AhoS6{kDvm;}Yt4)Ul17hkk|M>XamWFY z@~bxwOs_s)KK47ic_9lWi{`s(AFoasPca%tYEfCZP=8y?TWAlXO7|j_FJShvk)Ys| z?RfA{7-=>|wZ1^cs~v&fF3UjoV4g7pl57L9{w=1U4AVyie&di08!1c(D>jSzmM`4c zgv6l}5Nd89@}D979T-Pm6v5h^dTj7LnfO3w@^3uEYG1EF4D$ykWdga*_M=e6*qoo@MRSpwad@C$I-&OTgM9s#9MZ;o|RKdlv9qiAH{a|mb@%o*-@EZA2W zZaR;f$(Va|l>6Zu5q06Z4+e`90`6nDhQhOPcH?P?IdoA{AKJtlH8S;WrC)}i3SJVI zqg_NGNEc`&7mgEX&u7+kyo-0*#?HqI!p<%jby>_>qtZH0aSWp*G2y_hx4ezEK1N{K zj%ku+UPRB1Awcja?Ac-1jvRP~>HGC3s&$!28;9b*Z7uJ?_y_?UhiCry(p34HaV6~e zMHdMCrDo$R9=xO?U?`ItxKE)G${}|bk;&DW9G$Xey{KM;{aYjrSS4#0MtMgz&q?<@ zzy+xSkdE1+&tkFLxB-5I`smT(S7tpK2#=i`9tRH*;Klf;k`8A(00T#%QFMhOR5ye_ zXe@qujO{_tDf_V>?+*p>iMH9!3i|j?sxg5kkwMHM?>C4kCn&k@Bif#=g77FVf9cA2 zHU9k)>I=#w>$dT`$EDo%ZY{^Q+s+s~`E01pn{>(c0jghCyT7ta>1e>k=W(lZ{y(Z(@?0F&@F zu0{VerEn{F#8_86OSdd)Vbbc1*-h!<}q{WP`^XS~s zepn1!AsF{=5SOC0o(7=ZcPWVDB7dFTVwFCU`%9Ixx&BQ~fWtHKWT4gWyUF*p2IclA zl<-Pul})5V6bK}BoM7dX-H!A{`~=0DX4eZau8Q*H zmy6?-ZM6KC@`lRi;z=*`HJuyZZSReCv-ca;tCA=T$y3Ct%2f;8kdn0y8rU8ug*}b) z9VhIwzO{FqN!c$d_;#m+gyJ_-Oq1O}0PUs9YyAe}*6fcFciHl~j0j9Oi6#mhCoHzc z3PQKgEMrq>()$uRAI7g3S2pEOboSgj@&%PJv&63tNQ379fx@@Td*W>|E9LTU)l0=Bcvx|wg>6)z6=VxCN0nFg*Crn15+N1L zgq+1qG?adParcvJcchW)ppIraz7Y>8gR95ZG*_jjJIKH*#8|OuckySt9lLy;yY-WN zV`v5xKdFE>^)+a{aKr1So!MW?A7I~Hl0?cmt3a};hP-_@UzbFdkA`N9l1AmQ?_V?L zVqLLoID=b2?`5p*b7QoeXDX{CMP1IWEO6$JF&ff2r6bTMLxvGlyRc(A32z%)zn_6+!Xv3UamW~_49 zT$TR%0NhE=ybsnQ!jG5+-q+1h0jqAQD0-T*ljcy?251tbf=1z|G5$GTHu@vJGxqqg zGQCQVWJUwlo2{8v=iZ7wxy(Na^stYG&>VrOmFp2W(=^gzdB|i$W6{6Z0CGK!ea5lx%hQ z%KHLEY_9*LEefG(vJc)5Tqcg{poR5Y1%knG7UHpi_z)9tIv7*BS6xeF_i{u#)Lf&RAJ3rB*PSButS`S0gN|NC2jgEXc{fLsxWhRcNmJEpL);M9=; zI+R@eDr+20IU!*uUp@3Tg?=VJV6r2W1+5dKW}_k!zq-+8V}Z%_Vmh&#_FRob&Uci4 zX`jRGVeP^w;eA@+I_b0qgnA8_ueY4B)PtC$69Ioa?8;Y-LRScz4y{~;gg5WZ!@yx91V1M`vHE6T+blI- zrYe|^91E#qz?(k2H#8feY|4=@-)kQ~qa=)wN1&11luTLhbdf+`8wca`2cZ}K##DrX z)K#`AS*f`uiW4tp2ka>2B&l<#OEMf7ce=|-6Mz#Wj@;UeuY@oMiO_=KfL9M@WNYYB z8@(=#CQ71|QxWy(^Of|ndPpjKaVHye|HukhRP%UT#EjPHzBZj4LHR?N%3da+kR|2A zBF z)y71k*JAJ%nC)9%u7`#VSBeZFFHT?LF>svxkOEuz+B_nArzwUVQ=wn!ew7r9S%u?| zsAg*U^6~B^jd7KGoU9>hnIR_oZ&LhUni^J4ngm4Xj?+#1SCfPxgg5Ag5q}8AlIhkP zY{zW0clSwH+i8t4v%tepLABQ`qE&r3j|~nm_?+cn2xiufu@D?TuuZJ%YR!Sh# z8Op5pb9Q3)=)g*YOr^RfdqJ7lv<~B9Q9R?>v(cze6*C!uN5?cj__oX;Gf@J*yX=|g zQ&e@OY{-@iXW zqxP}l3#vv63C)NoeyN{gT^8tj4~Cmqv|;Tds>?Xl3_>&NlPG?ntoHFA%ZOuyycfhu z>H^UOg1J!g1(@Y5n5>tAp+pk<)KERl{waoGHb{Qz6kW#K0}XK^xxP8NYB@A^FvzUL z*!&F*V={3a{Mz@kmCzJ8 zTpnV%a3+QLd%wUH4FI*DBIwC1oh7)9r;&-nm@cSQ2{c{z3H4uZtVza=HIQM0h2pQSGVU)NbV5`zw{_e^)g<@&A(@nZP4B z)^wD5*~sBfT5J9#f!xuUa|`W?x$fdXJoQgdU{S1br8@;(hd~3%aKc7 zoU0GQG78E~(d7mHbi2=pz;Tr#S|&LMh<8QQ0saf&&%M%jE#vF)kO2dZfqocs?WX$2 z_#l51SQm1uHCWU+@G`6bXCE?M+k;^vLb0sHY=lragd+T-A-=yqCR$t1U*GH`y;-sP zavbAn4NqcgURN5KFoA|m(ccUKi`h>~aPIhb>5bXt5Rsgya9(Pe2B5I`-9Ns3j-qc} zhHF*Bffl=Nw+c^&uVQyT$E;S=Lyt8b%lM)2-=u@%QXxf)1j-Zo5<#`jeLI|bmqM3X z>x^ccRAYa7}Xec5g~ahy;bSZlpqPaWTA{FH99onEB$ zTZ%Skrx86~ZeL)@%5`Knp1Qd+A7+ud7s#392GFQ(bt=Lc_PH_4;>L$S31!*VxQpXc0)a)Rls6h z*kw*eiBde%W=N$d&*$&Lz}bZuI2nPjhH%-*lvPn3J00w%DraMUH(+rUZUBQmrJ{cu zY-H$!6G`Dj=YG4(iZei-c0wK|3X@TwP>`yA8;FNI#O)d~h>N_a7~8QP!oxfRv@M}v ztRD}jVSS6j{RV?!v4XBw7*{Ui2Z-lZaI~7v<-|jyM=o4pz1O3c-`qUys}z3`C%Lai zb$a-{1TDny-a!f9>z=mlI=$hJ(q+=?Z@U^Z*!FzDh0*uOJUv5)~B7Mp~)S zsk#eQBOO_#_B9o<%VJbzWCRCEOCLtjy48v$6 zStdJ$DQjBDk|krtmYvB`c7vI*Gt6LS%=Z0wp7%Yz@B91f`@F~TJMK9gHRcb;J@HjY8L)o3+hV6|}jfrD-a1j}A${*l%f`X6BAoL^_HYm>N zmp?4INZJH^jauE0?iaetjscAbvf5&%UBQj9rMlCi3rXK~m%93j`Rzq+*gg;mxjuDs z<#~cBm>%;P8Zb}p?`<&+NrFp1la!yT^5!i)*w8K+p`v!ihN}bM+Oq_NxI~#T1y6F~ z4%G&mU0x3;w*O&u7InLzzIcxOvjsjInKP1nKSMJhf63FSfShuOlnhh*X~Z6d8eTFY ze>@XKyI|0iccn6yv2M!P=}E1UXE9syVvJl{{JmOFrc;%kYrg-=O?6@ehOWtj#5fSx zGe$cv##fx*>>^6V%saG^3b2}rlRD&a)L-q_V$6uDe~DlS9r?9uH1sGSBx>cW`)$PI z4QyT%zGqES;JeB)0LUyCkhJ%=JcYLGs~g|J6b%pCKumuxh>!TP<%W#HhR53wMmqKH zA=*V=w{1%&NSr?n2<3ptKzf3dnn44B zzQ&*p{L?}1Xek_TayQ96!>Bc{&^IUK66X&H6f6ZAR7HEarY{}Ct^leIfLAWDpuW{A z44(5J?!pBnyN*Lh$hq*TV&MOjaDgp{_G!IPBcmJ$!hWOY#?fU0OL#Gw!-KJwDyAk; z9Pe6XL69q#im%(U!500*a)_|ScmTD#lGrl5l;FiQB2erY0K~+G%F36+>#4~6m&(*> zL#Z*Y^i2r5=ky2czo;`WyZNEBwF48m&8%~*Z3+;Ta>v5~JA9!aV9 zj};Iu8kId%aj|adcm0WNJj9{MVB0+ap%bdZ*Jb=QAyn5JV4zksUj0 z_AYNN=ZY;Q5x$G4?(awlwg5R0d~p}?WXB6ebN%HZcO5U_eGMP;`i?tQ<~l1G<(5{K zQJiQME8orfQJ2Z|4L*2(OLZj;B~?0k&_z-`FmCF-`S88iFpdB z-T?6L0$C~nx*R2}py=3|XZ_+@VTUmtDFhfP42UK{7O924rvP9^I!@CRU8giw~wIh9{hA32ZAjN>@eCsT!z!yrWGEey!EVc{KLiZK%LTe$bWr46ghk zL&Q@`JpuHVs#k!}FH9wJ)v??!CrVIvoh}#!ClJyxjJq0f&;(cZ(lKxblDB3lhAMd3 zyMCNxOE*oH>!3?pvwH#6nNK;r%!MuC-UbiI1^`LlQLuCii6E#$pH<-5r3d{bsC5v_ z?;98Vy^|B5$IiJEqyy1FJq3YjZ1{pU7QGfwWGoU0<1UdvYKw&R1;pC}$;=c;X8y~} zJNq_*^uNulh2d;&OZvMxd%;0ZjmpRgnlVLtFaK@P#Z;R8J&A@)a5V3<8dYaATMzonduU5OXhLHP*%@n+|lv&R|#5lH0di3n(dWJurVwE-}%4rA6 zT1pR7ohui~w_~>sXP^^3W^qs@?LU9`5z+LEQ#8=ZNUJ}T)vgxLp9IB%ASk;#4_>ir zjcpxgk9haNKKYd(MV%7%jBz*MDY)2&qZ-Fj`)HHt z)aPyO9**)>Q~JeK%NG>`Tr)*!*O&5WwsSUkXe;guH+T-~(#Z~g|t z3efMLS&VrG`mZDE58UUu4F&k5_EegU>4v}h?ZWvf%xZfV+vDdm`+xV5(^olD8_IA4 z^yn~q-%yb5T3-qn=EeWQ0%t@{fY%I`5BW}16FH>HPFFETX}U5t&^?KUDx34?>mJAI zSLQ~}gK_PWA$=CePVYW%X?b@?*pnn?v~fCJD$?KQbA;Kb-<_B(BCI3Q`5+hJG37yf z8RRR?FGKjlbK^=x@>lEGH)p}}2fWps^q;%v>NaJAkd5CuFJBtqHZQ(9El;UB)mMm; zDyJtR-W7k$6X5s*7t@r{1z0M~sO6qmr?~!}NBLN4JeF#pIvcA*YhI)$Kq3irX)>U+ zoP*8roJ{cj@;~?#C!C-T+~G8RhzA$k2zvaA=Pvjz_y&Ov2u`l`PYH_73}8>@o^@Sf z_;TZU4$IB_f**CGXKl)sz5gQWTLgcrZY9uroj8ElQrvhyx=`~vplP@;g}JW!mwz4h zm~YP%!e=q2p4DehI2c;X4HPW?6$BOwSKbAj0%7f!zRVIK5sS-2@Fe z;$+k~tcqRN=a-Sn9NDD+AMC6j>z%Q3W3Nc?QE>)!{K69J&KD)BP(JPt=93)k=mP%n zI>*ZLi2VAS^-NPgn;TC7NI}zcZNUP>pSIBxJ9f#3yvyv?)93NH=1^?7j~oW7?lwJdeyh?%=|so;jf?YJ5d1U^(I8Kd0+qSK>GEx z(+N;GoJZt-=JGe34DglQ4Xb7+>GSc0zs3nP9ds=M%TpN1J_$v=Pv!-i2U;A&>5X5e z6Pd8G<>b|=7Hrd_(Z+`CUQZhK$Pn{l73FPg$5v0OHL+rdA?d=AK`+L``u$Li2Mc=G z*aPSjr-Cnn5{Wk%>oXz|wMZ5b*IYvM3S9;mf+@HmF59&Qe7PKxvgE0{Y4yShC#P=i zAtCJd6xHkQU&=cqn{GxKo4=FnzN$cdJ19w2Cgyxkg{xDQa%lD#+16uyfbi0n(;NAy z6@0x4UxL!j)f!i%u>fS7A1=j=SU#b_R>d$9oHXUvPZT868_r9Yp#FehI)&Cifs)RT zIcw-aD(71UH?8NF(2Uq+9jIPUDv{+)?dkizSnnjQtBhTaC)!moc+W4hNR@&S^qsAK zlV*@C!BQStA%*WENUDC1zT;g{SS%2cXoU4k72T$#sCMwvVj?>uVKr);$n7p0M1|7> zfT}eNpR=I@)_7pd2!hSO#{J%y)*v>x^RH1H?5exV%uLX{$hQ-C1sB3&zLbLKvA-P| z3tP+15^iy;oi~`F0h&{il-*D$O$UC9>j12df}3l=wOQq!mG$WXs0`Y%b>{rE|3z+- z{y2^Xu^V8C%paOFY0PUh9#O@#DGiKNe~@Q8Q+VL@vz!UY>TACR$P>;y1j^||FJYhX zvpRsRZ=2<*6cm?tg-t=GO#yqX=0w;fz=hnk++j(y7mEdvz8*e6Idvr_nG)$6651*9 z{_>LTR-*mrT6}n~q+2@Aq^G6ryqJ#KZt7Rmfd^O=M|(SO?CG1r`AV>7fpkdUnfoML zKHet{6D%DM4HwcFsYXHVi-Tr6yh9i=1iBiD??GBaVma)>kl!951J-cE)y5`lz{Gcq zA-_0J9zDODCy!j2?rL&e>sJE@ueczrPc)>kL?H5p^kyYf2%a_3m4z|-amiigXS|l@ zQj`F6%WC~N;wE9gKMo<=)=ajygA7!tZ<&w)583YC#>>{XoVX_w;%#~nhAMv2~eex2&g9pVoyfS>32L@ly?2R3rF~w1)SwkAYJeQY$_VQS~`hHr3SQ-pD!HdYCusEm80c z!g||>TR-WvQskO}UFt_bWc=A+!@z+y zN57Q@G6r1Dr9xnVbZsN@bW5Hia%I+rus)q{W5gad4Ox~%Pq+$}Ve3x`Ycc*PLC`28 z!$~UZku(j_l;ukd-$8c-AvH!kY2ex>9=N&c{HO>0N-PuOhHZN8J^4hP^##jzx53-( z0918TPwfX2Va5KiR6eDT#z1QsDfQWbL{9nEhBL=X%_X!ophrm%7=JJP>5o04_rArT1#@OjNCQ( z)r=GM$-#+Z8TRIq9NB!R*cYKrFWCBW!tW!UT6NKALA!(73p9k|2{ldBs=i>dEXHDaECBO2{?W@`X$u^>+|VV7?ka?>Unfk6 z#5fAp`vfK6bvyK&0iIJOm<5T7(`1NEO=M*pJ7%x;7$3w8!KqTJ4?(^Sm>@|!)kX$? zA9U2S7|TpF>4{luVaCM!J{31=e3({3>2U>EkGoM{xt8B$;`e6~=tq@6gRPR-oK*?# zK{#%I05ui6Qw3Cu9vYBrNcf~|t&*|A_= z(FjaU1o6L|Bwt~u7Qcl85nOiiTY2fknsem-;*bQA1m2LKgci71ImL2yuYNJbQ(oNc z19{a1T&=a*Il8sZ-DX!vYml{W1$Y?66M(cdK!b&)f@np!U4vNLns#O|O zsMfijYNXS%imh)@1z0T%qR!W&*^HF5bLT8~OTM*cN}kK6bjH%vut_Lt?`lG@`%qvL zxj0RLFMbl^iA*8_#w9$ek<<#PF|bmjSM^n`H9 zO9mjFawROE@lu}?ped$&!S?Xb*P&Mb<4eo^Sm^oFOntZ!qT}5QeZ!N$CfMUi0;l>Puw#f(07iE#w>Jf@O1sh(&Yx=W zM_FY6x5W<-L~3GA_WR$JW0b%cN}vIJf>$kE<*|(W_Gq>~eE->(;}?ualM;#-(w#G(FcT&W#Z^+&mSilXW$E-)1ig7?y^0rS51tLqE}-= z;4xFj(JbJWltUTIaIPJVTMItD{y3So{V*^j;~&P4VW({sFPOibR^MS9S9^h$4VJ&= z4fLemF=N6BFPh{O7Y}qWF(%8Dx>R5{z?ABvgHu5!6zL|8X{okKurdwYK@JeSGO!@V zxZ(wrksLr2V{8s?eDOsUgKBz@gX4K?BY+j|s8-4j1gqcw+KAJm+f09n$j7ytb?CXz zcD(7el^>`^t-Nd!@z#dbRNXt!xW=H=S0xgtt`FGFM0z4Mr@9O0q59;?(uv$Tl^id5 z|NZcUdzG8W0f(h>s8q<(IUoszY-UdFMfh zGuRgLjS=}0`@N<M?N}Eq`OwG z0Or-^3~I?}-sn=8F84K>Lt<}5&!E{(gsJ3^iGA2m$UhGYdnzsnL)nygQv$hMphg26 zG+h7So*gh&Emqz-=pJ;~_*sP#MeYy{jKnk>m}E1mmDX)@X(-~WQ?LA*6RJ#q;W=sP}2+6Cjjrw8$mHbCnjS)b=}XiNh@9 zmT4zA7pn{|81KUFGI_VF6${BuKP4~F?~668oIZs?II+vMr%e^4 zDM2>wybZ)lG;i^;U{M#%0CV%vtR50qM8GvPh2X~aJdXZM3YM2kH*EIcIP{>P!8&dkS8B!Eip@)3N z@C@iERx<%!jZgxl8S&qJmi;y{gb=10da4gyZxBK;MXx-;u3rUF$m4W~1_?`SzC*3MMyx*%c6N z=AdR5W%N@yr=FU9d%wQdoh~H2VxJpaAn7(6+~sS4Y+O@joU6Qi6hqHvQfn^RX2gzA zj~eGLsl^9Q6))rgr43ZK&9oERcw}+XygKECM)1-2NBdTvkd_JsG6b3{zl+G<0p?Ac zVjNLj`Iw~tB|O|vTxw>i1r!GUwl*cuMT`UhW<;~p(C!wCTgl^v-99!E24{bvFt0?; zj>=>@7%lDr!lqjZHu;qsmImt*!##1k{<5=h#+1Ut_V7UYS(G?sv*iT^p^K2#==qjQD=s}^1FlEE z^6s%?b`aIE%atd};dsfJd-@y1@h@BYc>G#Ro~I+2yA=CqGtD=INMK(kvEv1OBtbVk zB#vMr{l6s6d)pkBU)#v?A^{Y|?{s3*1aw^t67LTM%V3zVD%2WAlw0i|mW*;tv)?dt z0gJV@y!j|PvlA!~iE+drOZ!bLK+d?^qUuU( zr^{V9MO*$ZA?GnRq%)ELw%(M@wi-%vHR{AX-u|vEbyGZ^E<%T9KvznF)v%{#-?%u< zT|1S~3QT}1Ahy$3bbWuTNw+FrtI2i{XyMHqvl#3$=*XVbC9rJ>3nC%EnK)W74L!l0 zO1<;H;K_I50rN#oF{3NFx-brq;XxryoKYqotv9(IvD}`Ft}vj~j~p7TfHd%wntM6$ zQAj2+EzjXC4c6lNj+s0y(j}(YRK}pR8N=w!TCn0O{SNw9Yq8*FZ>qs|MhexNV|#Bn z$ovW`W0#>s*u1ntD_+=X%h7FMjDiC?ElFbI<0S1Sr z@KmkV0|gNYnz1`#lbec;^b|a>qAK}z4!K^#Mx7)PiXo`A=gH7)(V71=-?zj0VzdXj~x+Tb#0ki+!qYoQ?Dc#iEwT^=m}6;Kh{}rOTwtL&1m|XGaR!m zrpKh7fv#$&3ng%)&VpIjb~R>qo|%9(npW?THWMu6t-H6G%(3&|tLjrqQ0MYthR9URgaE=%P1)_+C? zq+t;P!vxosd)k0V_ z0fod-Lj0f|1W7I_EP{OC!V{x!{Bv+kz-|oYGZy!{uoi$FX&r?fqAqr$1n%;PMS!g4 z$&!2$X({dA84y(SLwhTvSvj-N6uZEl^CA#On*I+9Hcp$Q9cz$}@(c&fgZ-dQ0*rpEBIqc|N7`D} z9tNFIz(S)oFH0_kunPszPV15|`nVJKI+m}~6Z1a+B*$ICP(BM`S{O3>8^()=@%=++ zDTV0G7z1PID0pH67@dorA2ql#ng@hDpAWC9%!Xl^Bb=*%6Z|Z2C9G(g3-Lr~!Z;8S zW)+(0~&_Sn?(f5`x!#RFEl04%{A?Bn-fSwXP1XhbFqmI04y zGPq#BeFFamZSepI0!cXIhU&w}>MV*70Gk1)7?gp2DDUp*)@YS^tzj06uRQU9-4lbk33U0n37g%sa{L1@-B7$aN(!Sx0`nFwP$3P?UaS?_4EbL>p-jPgDGPfRP!^INPstIx1c*2P26F` zs-v^+1n+(na?pCcdNbd2G?*a9r{CKpK^tD#MO{A|3!ARveSVG(RLBzchoc)(*H zbzMdRvamoassW5z-)4*q`7jF2A+@VveWg1L^tn0E!7&>=)$++oZ-CL1E^5XGMFO}l zelmfTY23a4f5U+C(z?$^Sz)?HOf-K4%s!6DfazvnFio6G7U=-^HO|bax;TnH^b%)7 zkyFvAJ3H!qN0fE~DTpXuVCXrXc}wl2S3_K0%MPZ?ux;_o!pX{`ef!xf)}756w{%y3 zwPR4Ndlo2()Lp_6j^1GYrmtl)%O9wcz zEY?1BCT|1eR?X};Q&b;!F{{bp0*k?po+}wZn+^a=eG>su0!o09;1YgCEo7;h76gX= zMV8F(VJUkf+q(MrNrn3BvxVy&rdZwpHh5)Hw|aRxu@FUdd|ZL!2+IeXrbtXz;7XoV zfmOr&CQ+1z(r(vrCI8oc#xY=3tt;QhTG{XiNp4sNBuzj|&u9mXn;!817| z8c>=COpA{Z=m3z&i*aP67U~D`=0+c`v~KhSrj;;2PicBd8KRLf)iv%L zwhC>WEfsvY(dV1?4)x0|*yqLX!_Q~B#^3qjnqdCMc)ge%I!0RZ6uG<>SR-OghX0p+ ztwhRM{o_q_{rf6P&|{uWz@%>mEHbhKXoSx{xUk%J$6OPbu^8!dgfFl6n6F3SuFjVb z?ju7VWKH;w7xLMU(NBCrw*@jyW~HYfLR}${J0kba)5$bdfj)Fz%Wn7aKK| zMNXyd@X2e|Vuq)j%m>dj2MHn~y_e3lX`;+JhQRW4$7>A!0Te?{B>=GekCS~gTKx;M zW)gtIfv9aG_bXMY5q+;^Jep)L1bOs!_};eIsjquQm|$~Qs#ys%{p`@Uq;W;>f&I=x z((+EC$ctmuhGwbwH;6Z0)Xz6dHFKf9;HDdRT$E6Y2uU67MbeA`53P36)3u>7W+6#L zJ^LCCmAqw?w75n7;duZm>QQ0zcA`bEc&sP_ds$`aC0KK2du z4-5fkR^4)?r)w?ir}9Z9g`8kgew_Mo_c6QX8u%6$l_GU;xtg;*NBte{@3$mhQewV=jbzL(VqY+ zLr}z^+lDX?WMJTA4!;|rk3KGkX?l31rzcCEIkY6-mvKi(fYS!@*Ay}5a?^_}D;$FZ?}hi5Czwy=87 zmWrg1>r6x5)$P!qw7L~iC!#-!s=SiAGIef*OLx_e`3!j7pR{XDvO#6>m2oy=+@)oO zcsk%k4*D5jR7eQby}I#8iWvNw2Y!8;$ej^zI|+|<)rAGC(|bQ{+OOiGdE0kk%Lh+- ztk@`dw(@!m*~3m1+KbKXI?C4W&aB|B%8oXemsuLi2QDp7LCC>v<@};7n&2teK53W; zq|b1%r#85W1Ez$@KJMG)WLhra&uOs%gU=P(&oNOo0sS2a?Mm+IHRo;!RoKGn%IUe{|SK}dh8kN=~|iL#USOd zGDO4&qE`yJNVfa2?&Ogr&&j)hfd+f$hw=J!DR*=%n}J#7BHDD{0z)qJYwO8vr(TAKOIoCB&A5*G%)m1OsqbPwImqN|nJrwx+BO0w ziW61KtaPZ6IdWcc>5bA72Th_GuE(P%FyLk4n&-~vnIH6vuH_wzf#{{(u{YJv3UsMZ z@c#r8I>HtatCHNy|M)W!f_u2)DQH0lu1NB$2&kybX24+T`e!vBj*Pci==#aPi z_37xHDcdFXoV^qK$J5$r&xlZcrPbu-n^v2ilagI#Q_4U|a)4)cb*U2t2m-@w*hk8c z)S#A_%A-x}<~f{noBkl_RBMSvfFiqv5D4|=#6dW({qf9dUQh6*y)SF(U)6X^quGmu zb%&ZJseb_jn+a-k z1+~k`OQT3tvEKkm3VkEIluX03A_)N%sp9MM94U(ljaT@3f%>@w(7*}^0)LOzZ2%QVw_sOsIyS>#Vz?DCM z{n>mEy?lrp{{k==(5?!7WFcy6Z+>QZNFw&5#lBxvH7VN|D0Z3%hM?A8W?@+oVAwiE z6;|1g{f{gROyl?6mgJqo`I#|N=9$`R?I*ojF%h$F{WVDSp-FOWmFGYbQ_TNsVw2?3 zsL^%+o}(T>E$Z6tUjY*Cnp4pdf!nszP|JGrc1U^ywj522Mr z)=y$sX)MqeV}i0CoGw$BC-;n-@9DL835ZeDsaZuLu>QrFjGr++H$mSUT#Wlu*Q0<*2Ba9<%;^$K0g; z+YwjCk3+$G@_I%$`!%|u+orYb>Z&bH9ENe3b6|n&f(?41Pp+C7?4a(t!$fgOP~tDQ z>BfGus-$mslcFf1&q7m9AjDqz=SgASXN*c~24(nfKY^%`?UY3u?n_y1ICHfj;9{r# z5ow8=r-}s3>+p^_rr*vw4fS8&4SGg?|GqwQ(s0C3d-apQ%kG4iO;y#*#VGwRw=z@L zmE+9X_br0!bKdFd<ASQ z9lnzGORy5Ni|I5w{k*6?`s8iyPI6(#kt_SA#ZwS<+<2)A@m?7x1SYe>bC_@ZZe_Qd z=-FMP(UP}$a(_q>sbuC?Lf@B`1g8*bH8z{OvQNS7zn3$|Lm|*0N%rt{rBEakX%0O7xWzL}_+C&$ z#Q?PEXsPy{iw_}c4#V@TASBh0&S`6%6Yd`-aVADz`UKv#`Hb(tf^Ox9(R$%Y(+t5!a4^{zT}t zX$!r*qfTO88?SR z#rIXtADL0cee6=n%1lr^t}~(cSUSn`wz*%z%A@N4zuuijj|N=ws#u<^xcF+@?rpp0 z-yZzvM8KDN^j)#3#P0^lZg1Hhvr}`w^JY;Z;(o=Z!*x1=_l|G#Qc!e|rZ5n4f*A)4 zh*BEi69&pAi!WbAJ+plSUIDK=O@xe9?_DIE;J;W-4)aYrUB}%wN&3cLaut^J_xSXU zziW>8jW0$7=Pa{58ox*vJM*8_8Qaus{0;xP625F-F*LV4xv|H*j=_ebg;0<<;BH)_v;(< zJYTg}METTrtu@alwTnd{p|4br*XrEU5sfJMmFyjmr0uAJMds6^cNo)eH$M_JYtw3s z519BO+S88EA4H3%sAM>QNL1{kyi>0lc&j-k$#F6wYdRg;+vHfFH`3or?%>~x@IhAp&EO9Qc&lwZ#RC{f*82Q zPDnpSV!cDrPhNt5-f^`x@`>`@F}H)zv3!lXqi)XSJ!hU9uD$UNLmzc%eWYi$X~#aX z(>pKzJlyTmen>)Pm*i{xxafTnoo4@fM|I8 zfrq^Ztkra;Kgil5Y}uU>Z%Ijfy-n!i(AKKhBWhnw-@suqX9d$oKL}oOAW^W}+}~B9 zCDHG!|8+`)=L)~^Md!RVKy{38jkxSm7@A6 zTRngwRhb@ghzTm5c*i=o>6s2LW#nc?x1^B~IjEqC-9Wiw4G;oVauksZp9 z&bFCouI%2LVmhQeX=~I|YI*25sN|#;M-_&p+QyWbMfKch!S!l-I{Snr5VfKh-+rW` za;>Rb4-7e_qST0w8ZAd=BhQw}mvCA$-mw?6h0^HJlUG+;1l!iu)fv z8&~(#JN8oY5Z#O_ZfEy`_nWi_ZGw+w_}ZdRS18x^dtZa<;C%3id-HgMD+D zqD86gyaTnOa=2#33TSdIimv-&ru%HE zPV4%p79D=;+R@W#=K0${*%WFx{CK>atK?|g@07#LdsP|Mx2UynU(SBZMIy&=q~{DKROasm7+*e7ySx{^L3B zQ$bOayb`%FIvxb$?m5iuq*w-?tNv&@W{M`D2#RzSf9}SE+NAe*k1>jV$QT;S<7MNC z>ufs8NQKmDE#U(dRv|r1x|fl7lA{L0uz!l($iL${uUTp$e&J`4rQg#C?F%P5p~qsJ zOLa~ubta7WFb=UKh0Jmg($AKQBX5`HI(JLK!c?#;l(YQCwq)WDadoVsPh&lFfK4~U z9wQ}tx|mJ1sX{)(7)QcQU1U3)LzyloYM!fX0Ydn_g8|ExdDLd5A0K|p%Il#HZ;iG} z6W=8v+l)DS#)}m1(3RQ78GfC6;>*jBoz24Z=ltKo_vhA0-^P_FI1vqt#cPV+J=``S z>bJ|Ec;D9I2tihIH7`HCR&dkue(#rvqWa_Ik9--2ArSbDf?F@SI!CdNn@78+QBoSO z+Wy4dTfGt&_8k=4nm9XiqT+ssXlnV&CEH@UY0JR3Eu&{EDZ8%TI{7QxY@ho;v3`MW za%qa`3A22g)9ERDzfX$Rqgknm zJ}VgX{RKHEh>W_j>gAL7P+$q#Kq!zOPYc}jlV7k+Rjs_w<=m*_iYQ+N-R6BD5^nPj z{K4Mlb;QPHDK!bD?fHEzfZu0vXx z+`M(vXUt%CQ=sg%q=CblozF3j5_Ck$z%g<7`$M}^T&b+Hq3%gVbW!V>XpQyI_jJ^| zqhwPg<>#AHJc>NiR{mq1ZfQZ4F^t|39RuA-@u2epwTYBl4iQQaa#OLo@rhf>$3B$o z)KFYAi_QY<^q~<5zGFd$L^Kp3#qr z$NWxokH>u6(k2c+*m%_7y3uk{xSNHyPxm`}k*_=z(v;TYC|NmC~!fKWM2?a<3ycE5<-G zRWI8waQDNZWE{@ER9{g5oTcPfM0$-|n!!TPP9yK_q0f-gy6=`O_M4Dsz7X$M#J^RonjX;jKxv^oaH? z38#1e;y8T2|Jw)oaCIerz~LB6r+3FaM`FW)E7!0HQOOn@U8qZp%;KF{p;=B3nbvu^D zoiKHf#HMh*=OT|@Iz_;J(OAt+djB`L(3GXV=xDhqA*;_)YXA==OP;~o?mRiECql5cxGmeJp z;1}W&ZySNNkCPx%@~~Lxr(Gvz+7w22Op3o^Qsc{?CYmJ@QEINIEW?yW2c7A*rr@Zs zir$Lv9dxOKFoIWuq|CRy%0drtCqp0g3(JR@>g=?zy%Cmb)Tw&Ps6pDh`)%eI2McX4 z9o+ksBc{^%H6rE;(Lb%J98|Q4$oO6QW%*?l68%W>pVSbUuU_}Qw?Mo1(b{weB)T_Y z?0$*u-X8E*vfID=+NWz~_kVv&YYu5we*V~m2XEE0=NIdF|&^l~hcc8f7SX^|t#ZtG_m9u!6VMFDgU56b^`wtI$ zWedK0^tCt!(PZXS&ii@o{-ty=BqZZYhy8Ks-=ABh^U^g&;IkS#z>nWtqc>{ykvxaZ zycl$sHY!`Su{A+cx<&e?hQ9If@Z2eQE9W-dp%^uiGPVudd{oQry;9T9h+7}r4dO(W6`~ko1xj)a6b=C<05&yjwvYt-6 zYbZuRCfH(^pH_yl!r6=I)om9XSHwuFHdYd~KJz|JEg!<=K5_qiu~obN`9|XEz<`xl zr&Mba1SsAwC+m&|7(XhivJ(Ay#A&YO^-bS9ia#YIM3<&Fdv6yzIM&r4y7zLiH26eE z#lR_PxvSh46(HTdD>ws(dH+`njunvvT~ zwUU51C3W2AhTt08#5JJ%V2Z`0Es|`zzdCU!_t!Sheesv~mu+Y5&dXdlWS5mn{BhGb z!Zj`6*>X|jUGriT8GdVW;6mA>1XsPVeEQSZ)Dn3W5=9D}q`b#l@AKB4ZMm0|#x0B( z{oBbN3!BZUGLWq0p2p!^%dScBttI}y1TMD z_ENfz-9Tv3P+T;ZegCF!j{VEmRv%0ZrOFbzHhX(eRc(HMc9o4*GM~-MoZZgG>EQ3g zCBE)e(Kft~(THgj&tX^(84Eh>XfwaPr!YwnC&z=jUg`w?`saf)i`?Ub#S*{vq}p|O zHFw0u3;K;UX#SP+TWPK@f8;(n_AQ!oOIAEp%gB2BDmDfhHCIzLZb;uVk@y>P^F)7Z zCo$nR!T#BG8x1%AVf$|`w+4A1e>^de?Gx{NDX0h$!kOSk{Z{qADNB!zw<=xMI+?Lm zuB~F3cu&>FzAD<$*Usy+6f+7#KkZaZ{5x8{PW0=4kFPPbp zs^jxo{buRK8-=$zp4xq?|LmEyefL;bS^DDJhN%(#CI$n8)sQWW7CwaSEI=uoN>j?ewK$iQf_W7Ezj^4M~cjGcX z?TEKXsPNj;7wl~l(UOpz3n@{M9uwjlcX=a7yf?MEuRNmohpn`lH}{Kd&$dhPkXnkJ zgH&8t4YXwWP^TLTIH9d9dP}`qgzC2p37hji=@y%R{v=Kz63a}qFs-*wf7eVZQ;7Z( z_wQK%T7H|Q_qs}M>C(GwWa7OG@%D^Ri8_0oe%zD(Mvj57B{zw^ zY#b7`%~Q*}>1Wr0i){1j*~oJ1?6Z>GZfET`$DDe^4G14Gbh1%&WYzHHp2OxjRvtfI z)fu&7RP}7zsa|gz-9|ze=A7CNSoWK;m$#`#RstWBTIf_G{M5J`+T=98vM^*b+gAwr zY*U!jBp+n)=+UFSlJ1hxK3{CBRIJ~g^i;QT3eHLU!&q@cX$*&Jmx$cG?Dtmv=2Oj` z&*9Gxx@22Ek$dw#T}S$Hn@%b;zpBOV>6@su#bswjVD#UUww@UAh}A&v*Zow=%JZrSwjRd{KTWeY-eKBm4U| zE4AkeuD$^zx|VS~)x z`FSdPjNGcEjdHTv@SIk#V97LC0CQcGMY4a}ycm6hIC3~tcoVqbloCnY3tIxf5V6Ar z5!qJp4@6z2Ee^g<5kJm;-2h1kB~Lkqj(+vJHmxWkJ`sY9UIoz&StqZ zW8JmmjDg~2`{NrK(A_t~0>T>XkmQ9aCA&GeE#Q!8!OAbay(2ORdA3e)4}Pk ztQ{(2Tdzs3{Lpb}-EUj@NZDvVqfAZo_h*~%Cn(d7l#?Dw>d#ceJ%t#Les6MA5Y0eN zO528FY<})6$%Ah(5R=Y#HnupH;hwC^e22Na)(2KQTUv1ShK}>?z^&E0+zVWPWnOrS z>DSH^oj%R{apRM&SAOr}e(`{m^SyNSVf%;|+={P0U3ziOg+SFor=bYb}Io~roV|LiT>^#qNzpv|cT{kNY zWY+6o`Y*q?m_E+^2ibMZWGN$u;p`(9Qo7bSx_Gz|7vWMcC!kZ^qt3H&>3l7csJEjv z%>I8~Hxn{Lj@{;Ti(-?VyEh5ZFGZpi*Zh7rZs7>GJ}9(*9?S69PBsX(554E}uEeLf z=i0=EmT1yBth7ekSmPGAopu67sDbOj9-H4;9Uhk4x|m=CvHUxYZxt3TMz+KcB8AFJ z0FRWpn*@h*HLPo~l)e(po2}S84ptUPl=nJT$>O>tqZsoeu{v)ZxBvRr*_QyI% z?KghISe?k8c@m4GjV&U;A(KU?g>j*skfM)6XK=QGiQ7wqkryZ~ceuoIKFnS-{XNaZ ztY;vfg8#E~g5^}P#`gU=#2`ac8l|fkOWUDx%Q?11yfK|qqPjbt-SDg_k46e~lR~=2 z*lGk1vctrRpuBcuXB!5*AOFDUw@~Db*Zm0B1rHgwy#Da+O~;HTJK!VbDL5*r@2b{u zRHhx*DU~a!j|BV#ut|cTJo0R=mwKpNW0vj_D$BQ_nh}qAtE^)+^!oelJ0oot;`hgz zzf~FW5!PP+;=h$^qyNBM@Mzleq((8C(h)R(ixsMp$TCFb)^0gu%C~jj;_6ad?>K2f z3xZ>aZmoyHygjIm(~RhSKv_&Wy9$J+-TRoy+U`jU^q7!x`a8isu_wMdELL|5fX~hG zxDGTqUsRJYh`Z0!&%b`ys*(QL*l=iGA|8ws!k|N9dn$sP@(h zjE{o!o9WPbq4j*I^n>&8lUTFU+nj5I`yhJ;@mnGJ0!4!DWU}0qLg9AL@kgqywoWr+gL^D@w>Dci9OK|ZG|YUJ6#vOq2_?6>F|T^tZfnJ?m#D|$f=aj~`CU)xygEj&?@ff2_$VMF zBdIk?(J7h_cjiU56m$|Ff303!UPlr!fvy;6|HsIOHeLz@x(%cogO;IUzeahL=wA3I zfGDJ#)123>NG6&z-5h4{aDbu(6W4Vc~oibr4(B?In>EUZY|s>B>RK z5Tc3x4aK?_?!GRybCAR6QKbFShdZV^JvrUfJ@vYLfl7vG&Wi7>uQapHm|`rv)i~5L z*~9DgHigVMtSz?HrR1TDmIxzZb14{BUAo76gBbT6otH@RSY6~OKeDoBh-U%6N-706 z2_ev7bcde!qPE}XH-EG-(YE+e`%_Ugkm)FdV*K@oZKDqI45-F?Dd}G1*Qmts;RX?T z+ID-ER3ug#`M<>Ccj$+wQHq;H`sW;T&He>mP$2r8V{CuSi+oqS&0!;TuB>T8dBmd0sy~J#0Vf$EX{nGQqy6LpbAV zw};(?7L)%Q+t3P`Z?n?wf#F;<{89_zC(lG}EoqsEM+0 zt}TMr&%W;R-Fr+4JlECsmMouDU*iaLI8;UIW*sw{Y|i1Te&~DrU+ZCvkkIJhBGbKb zrqi~k1#ctXhdwPcDakwX>4}!vbK=cff!lJodhi(x`e^d35y+h|$!APEFKCJ7xPRY- zwTrx&G^U{Gyf^Srv~T#j|8KYG!{|F0Ps^atCQeO|XaxJet2ve;6&91$xAbh`(`hAiLdd ze#WS{{e{KLPPn^5uOfwV&E3g4^g9XbF#1+s6}}t3G$ThTW?KVE!113>#69U!iV-_V zD`dZ4)bvGw*S3akot;Dnz7deSH%|xicE(6KctDJ{Z61qV%LHsC2;jvqDvbW3(zf|$ z3S5(iAcB?r?;V5DVRWboe)4rKl_Gp%z{Fy*$D8Rp^XQ%Yco|ruZj3#rj9JD3(EI6JWW^m2HZ2#3il1XQ z->qDK4@|Fa=IFE?|#IqG~_-&Th(PdJZi$^G*|5fGrNd7$${`j zyVJtR$0y@_u>$UEcdMUX{s0u=30+}04&u@cHx+cUpCP%)*IU$x#$_@8?-z3o27tm< zHKB@3mZXM;!pD}F+Jqzi%C}g>jeNbqWkt0X{%1cY7_(qgLFbP7&&}7r0&rNDQXt>J zrn&-PBIij?-IsaN`q!3?%9R2zt!?W9LFg+b9(keu?{%qJq#0vLXFP$0tn*J-_ad31 z@9b08mBe!Ux9;xM!_5hI&I^9s@uaQe>MnEjN5|M|bV4E!3oMujCi0kiiAqV*4B9j< z?_b>sSTM*iAhgP|jDbp((y27L;g%vtV3a=$Amv`T5w;t~lBO>0>hZmfk2C{ROu*r~ zt=?%$KGGD2tfcA@%bOXo%r@z-!k32{1_ZQEA`wHWCnkFsr(NPdF=(ZScVXDJZ5INf zwZ_<@wccJ1`Xw>Cr6wv(5o)1CR1Kfva#?*vMIDnRe1@zjIyrPYhfTP3EbIV{CZZBu znSP}io0t{mcj4F`UrX>jE>`u5j0z64%d}gQLftLWJwCO~a+`b1_6`zMBX-Blnav++ z^*hN^ITOi>T~crL?6G_*Orb?rfqF%Xy&2k_9ttz&qI=<&BM}cCmjBW)D^8MMq>LbP zXNP~7d%X1z9Gb1Uss1{`6&Sh=yf=oJi^tcUcvKul-&2)wDljS zR2l&xuv(rm(hS(g^y7!6U0;Xxzhl15oDs&a7gp*Hc!gG%i+hJ}F6K%cCql^VY`P7? zMbj%LOJ)(7uNs4~QWzc_1($ThatK1Dl*$uUzGEqjTu188LdzZ#!=wokXFN-s0-PES z-uY+a6iB`HaqjR;pdPk(V=Wgec;2Yq$$nz?lMPcd{HLECw`Q1=*x*{qVHYpzbQA~J z{s%_=;e?S~3p#WC!i9|^Q^ZS{0Z`L9s=!h>a@Z9cg-+2R0+y$WjNjS}GcY2Nj_ zi(rf*D?f_;iMJZ%9$uItPF)_gb^%Qs#*HEX*Jc~W-_3LNb@3suijJi|bJLgFyVWJ%^)G8|BerDi@xG60Q&ZA! zFfW4kt>^A|>Od|CFV>k^{4thXG~~_8|EUw9hlUlwZb2s6I1Cec#JS;9YxiFIt=>eY zIldv*0#CyxY!@eyZ{4KzJl*V+#I`>Gfs=?vnoO&p0Z#idmLIF=!|dzepYC^7e?`v9 z@{*%TPgE9*ijV2(p6-*V>LfvV*0wU$Q!ZhhpdDTpM7q#BwvWaIcFH`o`0rU~9!3y4 z4o0g85KTPS8)btd3xapv{T6%dS?+D?ox#*F=QPu=#l8&aIsBYHJGscGMK_EB+&FYo z8*egTE`;N`4dg;q$D5px!Y;n$#94;@n#Zw()!jb){ zph}uZHo|a@k?}srRN;z)#QNkqJ-4vI$5Q=|AIktVW-b}3eU3AQ=*H55KVrXH*PeS~ zd2^Rc$bn4E2zztscE^)_QY%v)KktZIOI{ZehHPR~tf|~3CFkJkCs+H=B@fTA6$Ccp z-@Gg8T3_l`3mN%tmPc1ku7sMcGD4qaj2J_^08Dg`++80IQ~#J7mH8OHahPZc)-5yB zgWA6y%n5D%0<}^uz%;P4*>;O-NKZ!`rYRtngq>_=G^tbz1CvZBf4#$$a78IwlVeiy zjpj%K2q?WBG20m>*IUT+kIIg6TtEC^BC3{AT%F=(e8P6HR_KF+w~Qb%D+SWknr~!1 zqp|Lbr@fXN+woT|;peu)>E07;)k128r>r|1IS~$*w@f8$`5Xj9PuoMq^3N76_&~a& z4u@LW0{D?)dse;8N-x8|4x{|c7okY*0GX>Zfl+&z>_ql zi@D$jqYjIcgMOb2`pg!`u&jU`3O@S@lr{y<)kz?CoUHlI(17#;@yPAhVCp{x6#J`x zvZ#ZOKa*HTZnLWzEqfo^q)W4^4RCw}-u||MC4Pjs#x(NxF8qubE<|ef7)FoOLU9EI zZsrKU2C3I0b~A4g~ED%>=GZ*A{p(!@)8@%fo+g8@GudTIRqyk>nt zoN_@-DomZ)@42{YT#ete+ud`eJ+Ldvu1TT!@uG8`y!J(mbQxgc^Je;4tRzGo0a6NW zdFkJn_&u@Y?S>w6rl=mIlxu+6t598WK}7_A@Eq0S#)47~_7&(}T1B1ygT*8l#2m47 zahY*&cV7J9FmD;oBo$hDWY@2Jw|jxCOA5`q+j>8>HDcL&+%IeBajuDde{-_D3f8YV z)hUrXG3bS>hMcnh`e!f2u7Yfvy7z~EXC01Td70>CWP}(!=N<|{zQC)JjuG4ZvLE>O zY_WsR_h^j|yb(g&@z9p|;In-;M`izIDg08&5PVF12x&WQ*8^jD-(_Dbvovn3&hFOu zT^%G;)*$Nd=Gqg8iCMqUhpS%=MIRBOX zs!ERBZt$Qq`I+3#Wcbh?d2Qb4E-s&wz=$D#6q)q+ACBV``-p$_XAQ4P-?njX28a#Y z8JSBt0RJPM8i!b`COz8#byFU6FI0{XH2j|08d8K8*2TuK(3Pf*AB;;ti3Ue*sJO@8 zjVJ0gi}+GRMN29oYvXu5JuKq-16hIU@ z-)EgOdB=xpo=k{5sL+ui^O$Oes->A!zU>hQRH@#HL}9o}Y1AxpIfHb9lT`I5*^iy- zxmOhuk4RNtr>|#}&y7)zwE7=2vf>ynmjvPwZ=f6R;}$U{Fk=n~F6E&PgftP)sRafL zl-m2Ic82aBtCMWaQ={VPD{2e!-eI;^RJW=+q8$m{2FP!X(Ne8~!nXwQgYGu#u0VmW zB=30%fqtQTDyMITJvtJ2Bd)E(DR^JyAm@cQ)h{wiJ;h-Lb0rsnUxmv(U>1cqR9b7h zO+^`;iz+2`7K5^8L7efY?^Z@*;M0#&>>i=+hjLaZc^Bn4DnrEr@qVZb-9t z;HyM^vVN%@Nx~$&Z_5ud1KC zWWk8LdUfJN4`%-&=mHE-rDlqXb$M-C88mOgqnCtV#o5^&v12)$nJqD&9p z&0YdHfVM<;&6`aJ9#xas22FjI*=&cu^b;ZX5+PetdAV+9_c|}65tLufyXv3A1~ijO za=}ElBulO-)Azl*ix^FBM+nYy{k=IqqNchL=v6rK!>QcdHJw*<6hG;)j z7Hg&ZXIA;`HwTAW(*KJD{$Eh%j>wblr`86*2Xf%tv2)b&@}u`qzxZb%SHMm#CE7n? zYHynwY-; zrrT$&cv4Q|LAr+vRuPiYyfyV@HPE$lpLSFSKQJH&3nvGAYDa5aQed4Z-WqgxH^ptbJ;&MyIHKFW`tG2G!@QN zl|df&WPNS`4M+qSvqL5htn((xm~;6+$ilO2KtMFv{?9j+n|;FqR-Xy1x2qVuiPG)J z;@x-nAxX9bLSf|55ZtXZY}VCb;?q>?MQ%H?@l?%>=pj~`Z4!`_`W@Lws)N_rNc^nL zD@`W3E)ukAl-S>WLq3j3uZ{`@Oaz*gH~s1xfJzv?p)+r&G+Azrsdro;He0fnjP@~wND=4maXo@K8 z(RnG2a6}E7O5Z420kI8P!y_k}qrEgkOWL0rs%vJ}D%0NChk^L|eKVM5gk*KQ4(^Io z>U11cLmM^zjB!Sj2~V7G>1#5e_H9CL%P6&^L570^jX^()#}h?Qxl(7O$x4Y}LNisb zNx6of)G(Qa3p+sHR&x?iqm^6&wQD_Q$DpQw#$VAHwkW8vkpaJ%HA)D8VJLwxPjlMj! zrFfC(WXaY!SkF+vBMSePM2j3-s&67adCfrJ=MN(jz7LD;5ncl^$w$0w*y5t`a5hbB zQN6tq1JDNEY&2KBFnFW9W>;&PfqFU7?3y7F=-sMYMNUAi1vXKxVaQs@{~8)jup)uW z;r3m&Nj>>J$ys~ww~wAFBkC#B{&F4cA)Jzi= zL!;)}|FH8P8sd?VH~e|kYuLz-bFz=sWD7U1(E<_Y#slohpTrpH8i~iRUx^f&FOMb% zvR{{QB38xSRPV0PJ3=lJnj9}3FN-OeItK5tf4;?3^qpDXUkz$5h!vkqaKG7}h)uki zc%sSbPxH0oUHDc4Ie56&5Owt+tg_7ps$zt5h?7fC+|FJ)6h7XjdTuCm#EjR4(gxN~ z-0ReRu4P!}hjfq=5O4LXrjDY2L%QV`4u(iv%YCJjtNfV2%r2et@%?AklgDy4lj3jV zudZk5{Jr+*cmMWosJ8PrAFj%BLG~z!^RI+m7O|wiG(W?6FY0kf;{!vH;p?dG-JWvY z#&TnSH6^}&+^Gh~owlO4WPZ|5=+wULY9j9-Rg56x<aHU$u?oSpH%n8N1UTJhOVH4n5r`5YvT!SKR*Ga~bSYw|)ohMCXn-0#)|FLm+* z_UP^O|3ODfP$U?f26s&TRkex(0)%zRR-!vZN*0SjB0EM#o18hubcrew$JubJx7GaT z>N!Jy>dzQfQ;%U9EXul4NF*|0{&DPt zbt2dBr~CZ7adHpQDorWd4wcw=&_$zZb;YelfIY+792S^B! z*~iAwTkn)nf4hdQht}iE&`51;1&Vc-@(}S3TnT{~)3~|CSO=*1dySA!dl<21VB&DE zBkAX))oV)B!A++>PNck`%SLZ8aezgGQdufe#W3}M}w(-NV5jNvU`u zKY6s*N#d|}E>|}7`IJ#~*UoOJ+;=K|_r^xR_5C)Re!{52x$R8WP(oW^m2UOaC J z4qMAnvIPQ0w;z>eSY*9U2CB(^8e!XPv!$5G+58X3Gr8vIRS5t)JQFPxZ>En zs8nYBq6@XFZkt=O=J1`svp{$Skj{Xe8c$}s zF+AO>O5IX3c|OX96t+v=kG|_b%i0k$){0$ux>s@^XQ-MIJnXMqZM%l?>P7wg_{t0` zVszamOv;7qaq!rO-fdF3fQgG(7ZgZLi2vv^j=fJhW)NZo+bxDPD*PmcR?Ow{hIKQ0 zWA%m;kkGchn3(UB*vXlDIMoxqSr0WO?6swZKi@fiK0ZLf?KKu9;Ct4Nr`-^8$vHv_z>ta9ifuTg1Wm-O?-q$7={@+oo}B7^V=T01+L)m8ze~5x|7l8uxMPHyoGdn zr*BzHaYXob2w+AZe-wEz+;4q+(8i=Y-&go@w#n>)*0t5V$a(G$cODRZspdm4xJT3D z!`%=YuoKW}6;{nXA4s`1^{Ga?NEOka>Gq%GmOtha9^13>$IE!Bv1&$7d_=d>P&P*7 z{)^ECJ3jpO!~*SjcTYKm>+dl_!cH<212B<7k6-Y25#b8>^O(z#1KLkwz#K4Qk;8Ig zn6w;w#nUf*-=d|pN*8SUpj+E16=D(po66cBD?(G$$M#pKlmo%`<{mW!;Y~s ze~Egn=s|$D0VcGv#sNzDKWO2sy8DlobK}E-u`ZCaCa**N+EXc0o4y~(e9l|Smy~V@ zw+^HtPzy34X6k+{{fT!+#Ntu&GU)o~oZB@OsYLJy!ff9)ms$CHZ?Js+=&nS^IY8r? zgm%QU+HZ4(8|ZH4*37|$8#61WP1kcS!KdIo%Su>EKDR{_ddLK}6ba*!d0L{jNp&ny z6rA;wtY6MOzOJmoz`%#~(DBo$#}0VVz@OtCj3%|0_%Ux9Eg#CXXlOm%Zrc31sh$u5 z7YPlki2WY$&{hZs>EHj!J<=3l0M1!egx~(1`Y5R(=5F2<9|?F=Z?tC&rwlLDO30-K}^3Ss_g5igHdd|0+2UNsg?dF8b}sa$_o z4xindp}S1a^bK-vaz`2-z5BX&#Sh;{`8IHRkanGi0Jj4$VIS70>`ZhV zVZYuVX90x%hSu{V2qxlmDWOVL%&M?Let+g2D(=m(hvBVP10saO!u~Am@@T5;`+2Z$ zrFbv{p%clz5x2P%`t~`(I=%(y2-cQDd+dpBh{*FL7sU5EvBYA-9x}7asGg{H4NK=I zRL%qpIWh`JfpDhm4K!J9zEDiPLxi3-slX%W+kg%Zh+GAgFVcOa1Qgh}t-u@?BNJGL z5M&ZF%JF)IX4jNI3sg2u8Z9FPvLDgq$kH=n$9K zLYaGJrig@nJN(bGRL;Mist6D&a&;%N_+PU5x-P#)UPHZp@Ai`2yF8h#S^NHG`>#%h z>h?jhmyEZ*7u&p^4zlgGr%~oG;>SC<0(XR^^NFH3bri}Wp}{X&Lei#M;%e>4s%(vx z)gZ31q#?<1!n|{pqV(qhp;V+^H}wRX_V=e zqzDCUloLR&_obqB2uRxX(MoKSLd1y5c?KOHb3 zb$)G&YI5SSH8ec9>1b)uf%_nQmkJ73pXfnra>PE zR+3HF8GUfZGeAz+3rs<@C)0v=@Z_jAZvDald6w*fnAM0WS4v=R<*`J>g#mv@o!*k33%n|tJG`!-C@H8}dXCZ%QA=9T$iY1Ed z&+GpX|0oQXfpK(8=1HL3{@BFShKRgm=Fa(Utk+cXu|&Ri1c<4BB--a1D!Qd^9m-;C zL1aPhxn$f?rZOM&Ch=7ULM5V8izp}!jSv^xfCzr0BuLF6{&yxrqi_~Tll^Zo9drbT zrRuCmT`dz-!9PMy43$P(yp_p=duZpnQ+tzId_mr%+}~-n@|8} zh>FUu#fRralzgX^%SOlq`y8e)m4ia#4CQ_(1u8vS28Z^3A z*LVDG6gZg=X_&gTN6|}1U&@o&=v~zFqW%O{vID|$jGr_GoU@LnlxcD&-uD5_rGId` zd`iMFgXBmSp(iqTz4P;P%e}Ka^<1fd-PI89MH>@?IgaC)YMuV$sKku2j&G7Or&aOS zW~8>_?R;{&ZK5KD24&Sb3kbM&bhs(iy012da52I{4*6r+e$|Ws4&3d3gFw(M4)G!v zlV$m-`W??LEBie_>8qEBV7}ACSep$VBG5F_tX6sh!hhp))SlS=&ZEWoX`BCYnf8r^iRQg1k)AF)|g|8b^ zipmVx-zla%TVqVRKiAg%OBhK(kf~NuR~^R}kHKf8O(&qdC1?{cl^1JrfO(d`B`kSw zFl3eMDSlh#o?-zCpWgBSsX}jsHpwKk}a}swkPo*-?O_Cbd zZRWD?E=}|O-l6^3FK*9m7~P+&P3mutuE!fQ)wrpADhB3WF!Z$PwA@NKaPbWz$CC3k z`TF)??V3lS_6#4-Z3VsF?-faLlI^uX^n5YF6sw{KjNKxwEFy}LI#70I@+l~Xo%o*& z)U*ap`!{|(Hb$)f@-OnPTAU9d#R0;Dt|xxoUC6`z;h!$1`5_MM*|cSZ{T9>hu2rtd zJ`l77+SE&!{G5b!q}%^=pr$3oNlNnAbn=wXsM$XLLNpZzDE{TeqHBcGrFZ|Avg-Kax)aNXc4V8pD9c}YDjZ>5NaQ6V{V=7#gH}2(Y8aOkXCXjaH?Y_@Lf#_~gld@U? zw^`khv2<~RS-pM9t;U*P74p&tIMPM`0$RWE=nOBxWc ziNS=t1txG|`vqKY{)gB2GO{&%aAfS~&hp=L?zQN8G#)4YwzOosc6N6V@18FJk@UV+ zi2a4hi;)t1zt>xJySn$le5DAOI?#tdJ`kH6&Q=v@4!Tv6)INEA;;f6RVnG-i{vqgQK2y z&EKroN;2B4LLW&*jNgS`zaLpoKbee_kS+N0L7Q&Q?>ZdAEK|R=B5o-}h*3FTEk!dk zxI^6Qucs-6@9lnx&Bouo0KJX;Qu&bheqxm_(LUPP#$QDkt0vUTA+ydYrOK2MBAD^t zSj9$IbGqXi8U)Ce3N0g3Sse)#%p@X9B#GtO<;50-j6|U=v2N8-L&B8B>23&RH`}2^ z_Z{AGzCz|#1HI0rk>?}EqP<2^BXJQ8Ls0zZijaElwS#|gGGerSFJBv@u|c8jG-{`; z?K;cKh#6)*m4Auh7wzxRX}oRqmMt~v5q?*P@Zv8iwi&ijN^Fu-4`D)5g?6G(&)<&# zc?HCJ6LZ=*>aUD4@@7)qyV|$^M487R(u?o4-GWkMkM|yQtFrDpbg0U3QgaSmux6ck z9HzqS-rqh=;S6CZ#rJo}<7N}Ycq?;$gOMAQ+L{h51FbceAEF79%%%>1g!-_9A8CatPC4{IhA_W?aZ zGu*Isf&DKZJ%>sG0HFyKO;|5HhUVubKWcwOrcdG0TH#ki;jJuK*OJ0nq0MTDFZ}}H zY;<`%JI9@u3?*Sl3(h{LtI%58k>-T^cf2-(uhIn^pyMt_E&kuQBm?_0C0W?xV@ubj#nti^7;p3*4PVRu59E~@!XPR62iJZ7u) zdy8Mrvo-5ieAJhCZ^DOU-9up0n6uB7ao?dXQ*0V(HQDV;p(hwM)&ntr`&ub{++*(6 zLkYKbbHRQK;U=ynDAP{Pwo!g^8Clto`@UhGqC72 zb<54)7dAa|l>f51joJq=&>64zM}MS3nRyMD#QF*zA<%qS&)^~v-O^I59(s0TYhc3Z zG&|8vdORTO20V($S{qJgudvM&a^T=@zxW|>zWidokv7mT9(**ZH008>%J`GMMtJM^ z6CrS=b>Ct~!m4)0l^#)3x?_2-N3Hp-@NBrmd*LCy#r0k(Pau;J-dxicBu~EOsZZZr zS2OtwyvK6U_2u#GWIbB;OVjtC;$t7q{$l)0x;oq4Cd--q;pTj|5X`f4;yX--C+y13 zvxb6Wwy&caJ`L$;A`_QA=Ujd?aoVTfbig2icPC7C*{eDoLm98ks;S9s0^pMat(VGo z-Z!%JUxZgYGHpI1l*F+;Hjv=>7#eZ=_=ouiR~m`lRblu?Yb_h#w%{D5IlZ7Ik5Km# zo_F7Hvd4|(B>#(d?{X3L7Y} z#n4F8`NSzn%*&CgO=PrJJgI4of^jYIT0W{y8J&Kb{t~YkHyb!o;Jz}D8^~e~5;S=O z8|k`-{+ynVt>^B#&A8b2@^0^JL`XkeNc$dN3d1o&dkdAWN!EwfD3pw)nur3o{;+zz zNZ)LJ92dFN-SE2ooW$R~w2T5zNt56Jb^hqHA76LXfDhutJS7~^B^?S_%of3qEJ+3VO&3|%gy>%a8kSBSNmt@&S9^1wKB|US zxycer(DbuUkvPo`&0Wvx7Jq<}r{!~u#fdyxeZq0)a06~W!++m-e!PO&TWmdY}sJ;vzP0=(nuHHPS;eq!Lgxu zDoWjCe(|IC+vOH7M0C13eLw1^5wQMtj{-2IZ;n_AN41jY^vcGuAa9s2s7Q(jyA_<^ zh#3kzhFu?wL!YVr%dHJL>aP#=oh&Q9&X@iyk42MM`B>dblZ$ow2_6vFbK_fb0ZOBd6b#}0u{9_!38Ew=2s3G&s{h1Yl=Gg4zY%b!z38>>(y zHHg`8K57Jlc7$A>ZO=JQVK4nP+oLSLRIi`4a!P%`!))^plkip3uQb-VLXAilnJ||) z`JpmJFEr}=Rw|MYj~GnHkrDjguoANb*|$r`P7>}pK zwN|2Bf)D7DlVa>l%KKwKDpd!$l1SXVrvZE~oBXDjV(_MKe4bJL89Ulg66h2s==Tu- zF-}+yzgmW&pHedyC*Jw8;@%?3454fB|JAJRSht-YJr&)yyz=qU_|sbs0xBqU{k%z~ zQnY-r?M7zG(X}DpKxGM^5VQ!oKy#v#tZ9rh8GF1b$2@C+;&`jiA^rLz`v8|`Zq#aQ zg|aKj1}4SfU*;ZAIO%*|88$XH%GV?@sa-i>+Nk~Eo+oZWlW^}&xaekLbV!E2O zfYSgY>Z(UR$LUXQ{AfooH61>BKCA{|STXLT6;yR?gSoCSmfHT@K{UM>PYs2CL89S% z)fzOtV!hg$;JEl1=^ct;20Gq!7wdmJ?Emg%&E!!*zyO8l;jap7$pPtG?47J%^}K8U zUVVnqVgIYNZY3w#%EXaK#`<3Yyso`)ncwVDXxkSpKs|iDP3LpieBE{kL$4<8jA@F9 zj$eAU@VMS0 z7uUw6HN|?K#BSf5fyXi$JRT*(2;j>%5xh^%`}F3}M;iG>{@mIkFl@X<*PjX{F{Ed88t(&0_tsR<1Dhick{Iu zEl%d)|LzA_f+2TfFof0o!Vn&(zanO)${)y`sdBn9gq>JY&F&418pL!?sDb92FX67= zH;*2fLU7x^#mIB~kJ`OoZw1#$-Tz>z6^ARX!yWi6WWWLV8C@1q`0yNs#=F^}?L5N% z2obUMjgL5J?DBx$OLuUOQ{p)e(3A;n*yNzu&wC_&lQA4QVsVa$u5IqMf3cX@bTng`O4+4QgKfGmdKyvg`*3$M@0)Q7g{IQ%C({eEa4u`%pt zm=PX{P|$tVq%*agi3Gdz0oQZ4Hn)o^5kw0 zC8Fz^)MJM1I)@rSiEez6CF&^+w{;{$9Agq8MFB{C^N|vX3PN=D(E#1=6*DTF$%!7w zEgb~A|7$+dY$#`sI9ed3>mCtT*ksQ1_kCR^xAslWS8Gs0qD%hpX1SVs>s8apQxJw; za4gc{2K#a@v1GW9KV=8r};8OlkiegZ%h0#(O|pj&zhnF zbgMhiM-|CN;SLybD5A`od=eXiSLi+mE9%oK;mPZE@l?tir&hW#C{v^nUC&?Q0Q9Py zO0ui5ppH&lcqF$nWF5clkr-8R+R(zf+C6eB&3FLYQ--cxFI=yFD!3c`SUv7<2gTZO z0`l2@30IGI)Fe9+WaI~)tkPWPD%tcczjq`b(ndqJnq}Hue}=V9F`H~Q3CA-{3LkOq zXx~?%S3}rxM(lPxcascnrV^(*nbI)M?I!dur~fwZciYBoGy9u?a`*D|>yGWbRHJ-h zuky;^WzV7u!#O#`?9Ye(?jSxN0!a+3e;nqrV!b3*4T_v9`8oIlU6&#fK2|^3?zJBM zuUi#s{t)kdhow77CwAf&tJPtwt~~~J=$6Te199CtE>qOgczP1rOb11a_{{pj7d>~- zR?Z!ey~Xh6)0PWn@;@F@fA6QN-7_TIg;II6a@9N52V1UM4{dIKTWXoViv#@W&_GwS zo5VBjkyUfWg;ns_F>#aNfK4+~64`hz3ci)`d@hLio9r~(6Bq5FMpy4LWlS5ehavdI z5UW5W&~O!V>9=0FA(0upT(xL8x$v>dXK(`2^$8+$kv2zVW@!&^dAW+1?FovpHnDZK zRkEH?q75*SLOH*Sx_)5X&7J}vWCvU(X081j(Y;L8H1VwHrp{E`8yVED)b5D|Au!_5 zi#_x#YOdyqwAuRXO8e*@ml*xtCZ&^<&%V2!N<Ylz*#4B8w%%k4ku z#BJAu=PP11@of(ec^Q~j1Nv&=**+@~WK!6F>8Lqy33hWc1o@YR5VY42=|{Y!F3ltk zXFdP!hr3~3C7S)>cM}pg+`y^gF`3pUzISTo!0ui+CLxe+n1_6w_oV4@BDC%Alhdyj z*tEMALAZp#EQsR=9AE}fcCltIL%~LT437O+reHi%D@`%&ZQ7XVV<#@Hhncq*@ygA; zL5m!A%T76ap&6=m*q6EemVoXodNf0js@bnrGj$vq2=UGsKwdS9;~WTGFKb^Lr-Y6# zyd0*EIpm>QMWW+9%y*|vnw54b{s;TJznPDxfe$TDagvr#^mm<-=*~w(fcJNb1p6`4 zJLEu~WgXi^hv6g#c%iWRoUFgk$-4m>|ESM@?gK(;6MW}SfKI!QU)z25S5ZJ0r=lOp zZ^`De!lN=nhYjn_p8KLL8b0TLbBJC|>6WYczhM~*Q4grY)2O5QfC)DCAF5xD|2~u` zC(A^)?RNcscz%ffL2&q(0D5RS+I&$&v6F@laSwwd0vXaBM>~;cN@Gk&YY(Y81#830 z0}2n~{>5UTVz!9yk9Kt4P^>a}3!S@?*Cdf73AOiW$26uTQ>cf1!T{ z-J+me=S(BhUJb+W4JY21LOj4o2jaXM5c*05Ox#fT@1Kf(Z5Fd1(Jm4@p*D80 z1`ZKR?zTqfB+r;gPbx&9>6gpQnx9Q&f&Ob|29(D$#P{?Dhqz^X zmKn1LGPzm`o43serBWoxU%m2!fB79^j@>`!-%ia;b@oEdUqEq$Wbe=oy2cF&it{fA zf&dqjOf*fa>?)Y;tzL)2wyCDYR%)Y|If9NaylpC;=wtC#aW%f>6oDcM_ znc~I?yYl;{^&G2!wv}{sNd&?a8Tz=lsrjfA;)mXXk8Z+qv&Y zUDxBfPS3B1?=BHD7=IoV;I!}9Jh=P>ek!TH^W6dkId_;mz6HPWI#tm>u0!lthb098 z?l(Q_!2y^;_5I$hSK5n|ZyIDbKIgdA&Jke8f@a@y-pP>m4G^92N~kpT*8QCS^k)Bi zXyK#0z8~b6M;qtc=A0%O-}j<_8wWni-p?F-3EfRWiw3XNW3`8Wal+679n#a_%B&_k zjGB&7T9mi?2d)x91)AI=m zXFez5oZ(6hOOkAP$|L8FEK8F`AD%6Rv9!1lf`CZKEBP{0GnQbGLzK?BuUGp5Mq9F~ zs`b~RO2#Ma(4S$1rHLCS3ZCZ=nh#n!#6AZJKKFe-pKf^IsQyO``2!mHRam&MRb#Z( z139;`D&a*&PNlKhj5s4Gq|Prl96LlA~<0z4OZi-iGN4 zwZAwc1J_N5BTe-TuoZy-XGOx;0xLm^A5p!r1&R{tdXua4x(;?ZzgNeK7&IfVKaHRe zyw)rHqU?v#5mUQUGP{U>q5rL9)w%Mk;gQs*S>Z;KKTlpgdaKpC_%d2-nDQOP`;_#< z;2X;?61HDGc(g6JI?!_XUTv21mfh|8)c0eblkchfXlk5ZzfZHvaLGcDS^#_HbEI*R zO)gmHXyJv~x5)pE>OP1mrRVd5&b_dui=)LeV6Tk0Ou(uXkG`ko^Ijcl=%%L)i4G7h zxM>8{FAuE_!#G;jh8J^eVa%$+m3QdYsyHORh=~+`cX^MWCkRGmO*) zKT=Nao6ThYGySWL`~|g^2ozVWd?6mwhu^E*KN!Ow7eq>&rfs=B|u^9Nn=0_n6EBTqu%XsS83 z_1dN9FFCD_b6pMmwn>HMe7Usnr@03jd?#Z?KhVE_3_f*&KbN}n@Vxf7MeS_$`EN0L zifsF=+2}x-YtjXwSXwnhrHJg_q-=0k>sL^`YS4jN$a$^EZ7Id&M!HZ{D7w&vyzP3g zT5*X_yl8t$AhgEo=ZlX^Hn?X&p`$>@J z?c_H8Q25$*A_=TTp3WAehjf$Ff-MIeR-bpifoC$iFS8eK@3QX8u3S*hKP>?N7NAQY zi#*$*5QEAQVfW>qtsch9y)0e*@q?Z`{`%$|e6Y3nMy7dU&}6iYMhk73c*k6#pDH={ z2pWLrOy?dm#NW39uGvbSrY1`1yQBYnY~0Y?;~sx-yP(loIZn-e!Bydfp6rO9 zc2Coxtldwc2cy|!NU2aRk~@9$BXa8#%SIj{ocCZqJ9)Z3I;6NP@VMz7zs`kg5z$>-9ZzCHs{}{R)?r?Y$xf zW-m?aH|ofLov1}-CWk1f2+s!{e>HdO3EM9cx(aWFKPX%eF4l=IzR4w2U`_0@@luPgN*3w28zZayn9;j*i49CLA$Tg~*St)a z7IM|LZa}S8$+YV(CB|@z;2ZslaMDU4)^8P^%6!rAj7^uR%3VF-Kpxy(u}CiYcFSw^ zMIa|+ro-6xBc@2x4lyodtvN<=++#%B>SfPkd&jI8D(;Z9V+*&RStbIA?*hR)wp{N9 zUjr5KU!M4{yLlGsE``F6BL6*p7izQ@&cVdgxCZ)!-NN5iz ziIErT3qAU?}s6j=~PQ$H* z)NQ9bExrP}m_$3jrP`UfJ7=ec^JG@{W`$Vp&6JC9{ZgKput>A>6McoY=egtT>bj~a zXRWUIqE`?7G{%^Gg>yZ4^UbfNU`4)Hsc20KtoDtQ+n;9>km3|Rb(m@wze1a{R>_nx zANz1r{)OC2Wn*m<3!nE_$&$`mB*rs9+~-ASd`O5YFOq$OGA+j2GwLjx5qx$I#_p6b zreNr+30o4URB+{P0I9inH!AN&oZmupmR%VALbL)lDhOfwD9xLkNn(8Yw~V_@XYA5W z`L}MqO?4-hn(_)@yjqNpj~(!VgbuH`?2w_Zg7DC!Rx+lRu?a6Eid5s5_ju5uosr{+ zYnY`N$|X#-kYWg4`9yG(dI>3n*;lj*nW@O!4?+J&4w*hW*SvdI4NO!$*e+UU5jnQ4 z>@@keb#y55!A;=F-TVdoS-gNqcR$H}ID|w`6h4fmpif21e(QHvrKFm1uciL;i;0Jc^k_%+?B1qmFcme=Z1vi!KDD9L(($_R@VO}FT;tr6ATJnP zlkV#(Zvc`e`i~qUlnv6}p?k&-Jf$c~aq5+e$Q`yDdn8Vc9!(TueWA&?)h z*dbh9SNtk|Q`&)#B_>bp-+kExIHsD#RL|bm#eu_#JMO1ITQE_l_%(5B&G-vx_0=Cz zFn(<#SF44XwQ~x6U7~-eV`mFOO@lD=9}Dj?7@=w`B(B>NeU|xT1Fs!`s4;ZzT3P2r z`@F4=23pXHO|i|0S|s6SV*F~(yBPVk_>ewzwwrp|;rsln7w=xc^iI1z-v<^*7hmHQ zjp*m-efddX@RNb%k%>W9aKB37SB||@)Q2<{wz_BBbFBFa@6B5?`mm)jF46Pd;T3to zjrONS$({qu8(GRm7j;+Uqf3wcm_dIvJ>Tx%9Pc;W`q-zIFSzv}GnubnMl&#nA&1jW zX@2c*rrjJTz~tYn)>Ws)+?l_|xqdXieCZ-AO~IB=b5DP+X6gYHreG1?n$b{ImH%M z13JHH26iJ4pEvf3k>3p}37plaH6YWXS}XyRG$e}-BR4QFMZJn~1%nWb>ozB&8YV{8 z>O(e~U=OI(Bhy&iOPGl>d&xV$ooNL5U#B3nQ?()%bc98srAkpsX5BZB17;I`Jva z{%=(CwJsu=?Fr@HvMpzgPHdd_cC}`&jLP20 zBD+qQ&XmYDKm6=! zHoa1kxj*$N?@YeOv8#c<# z*K3<2IN$SE9rdyAZtCT4-%I7xpYCG_hTG&cHjELk+K0OrI`k@gtDcKaBj^z|1+j;5 zP@zL<^Vij+Q%`%gk140@r+yK+R(H2stBD)e>>X1a975atyrY}VAA zaG%xVT>YY589V25Z=hu_MQ0kSkMKDme`Fzok`6!QI+P0?C+88Z`Yf?80Nq_7!CFbP zW#J(m`wiV-v6j(L3W2^4-2}Q!%@QQw`uTZUy2bXbA+|&`kVlM4-|4D1pHZ~5%u^(1 zAcr53`t7z@?xr*FV!8EMAe}Bj$`~J7h%9Nz#3n+% zsqZ%35g?I#rnxP4!Xv5|i?d1G z{8-Z0_%A~+qp$Z09^q}!1a5Huz>cZwZ2#Uv7RZ`eFxnv23lwOLDvJzF0XrdO(B%L{ zxopQ+c^af6qZL(5LpUw$Gx3a?<|}__zf^v_7_u#z9pheTy*_Xtj_(?5<~-5PR8o{` zCxOO&om5d7H`-bNV0`IfID&tyaT^DKa_%oQrz6M>BCjX8h%0c*U(}wATy*=}DX0a~ z$7Ofex%JfO=Cf4aIa@BU`OA!$ygq`SqXRofO^tmbE&g?+Roj%>_m?(1$mdvZYj>q1 zw^sp(dt%Y8!Fko;JZunO3s%~z!9>SR1Ay@ z>wK~oNi99OKC0%M@!dcm(Tlav+2R+|(F^GMq>$y^j|PHiyMHoTdSg7j(y=eMX4`{* z3Rj5*n52Gd`R%3m_qpxoV%xcr%08v}>LKf~ksi85|C#a{E$Hmfu9;ky!-wo?VzK;J z4q}|4ohA3P;1V(O=y!O$E?RE$LpOtEuw@v~?zTN~_-%PSyTcpmise{3`8s=2uvYo< zO-;px&G!N$L-AHmzF5-Tya;W*9&n_#Yn~PH?=(G*Gx^%}uZj`mavA>sw?@7b%OX*c zQ>@m{0vog~{@xAei;r9i=mx(eYsXBTsMNaVj{1>mEh~84T>=I?nek`6vN51PKo9$l zp>^HNmz+`1-wcxEXgFPIjVLXN%iPR5<7n6~S8G+y5Y$a1N3NRyhgp3;%~7ZMXpP02 z*4>bU26;29Jf}5a2;5b8c1T2Z|LhyicB_c_QR7vp3_&IG<~?@?(4&%Z^E9 z?B*Vv;+i7vggzBSGW+na{Cqq3pHE(PYISdpi0~n z%GvdLNS!J52gJDfUoksMLzrNZ@|+9{sp_W6$N zAO*~2=0HpSti>-G?aCoBvCbmg(2T2+F`Ih9!TBA7%-xUn_)YB-A4eXpC=fB!q3 zKqtc;Rh+tC-&Yw`j8#=?N_}GFBt3K&oIhO?T#*n8Pd6kEc5|gJQGGhCiI`vZYM+~b zRc@-e4X~8btRtP)*B)7O^(92$8?Klc0~d;b!6a%=&9INdJ*P%=Gm`^U>^UrlQp9GS z#l-i16#@%xAI& zLcG?^ZTxdZ=13UHN2Ldswk-1K`dgn{SJcc&ryb@GKfQlI#LO`LwW$N}r8nQXuovqO zt?nX7op$)N`4Y3MI;Q;b{}_VhEA@gVPG@HA7O}`XwUd}l1bUWDN5JIC=%)2s2pkaF zd8nSMv1Bp=nuL5_wMQHn*o48b;^ zQpD>2Miwr`eruB*QKN%$PBO0jIske&y0o=hQY`5Jz^|YSp>CNtLtZr&yI`WSS2krZ zba84FFcGvMZAU3({ZE27-K9_rw?P@qB20m9r1Sz;Zqj$|1+?$+$-K=WWWEDWEs#W! z+0R!1-9MkD*Q_qMEQgYCPRn-mEfpBt=G@k4!(9EA`1C2*ce%iVy`^-J09fzlE7>KS zH94_jnl?7=N_f3mxWVFwcdq24UNe)PzK(ZgamO+1Sef2Q_3LFNHggX+P4Ji(crj1Mo+p{Q4=)0W?ti_DA!}b0SHr=KQ_-H@~@cF1MXotP0 z6`A>Lf^8-~WR?B+kJ{;gMqP+{LW$iY&q5ih9pn7h_5n8wJ?nkR7% zav&?|OXg47AE3hvf*mGW0JA%!JBv@CTRrf9K+( z67D5w0B`ea`0j!ng^p>!v}MPEY6c=ir=i|;cHoYu=H4$OxR0ts%EDg3{Yj~0*u5eH zSirdykhwmY0$REzf+#*quF+X4vnjijU*;CG$OUE%m7SOJP*%n3Nl5&e}{KMs%mDL09)CfFgIX_L} zO_P}iV!jB>@M!nu=Yb7&DX?Z$UWy8QPPFbPem2GXg=Xs_At3BH+@Vj@tr~cEpk@zc$)I8m$s=6DK?AC~w6D zhj>1}r&aj=*3H?3S~aL+xBtcWQxGn&iTg0}197wCou{G3sWW}27SyCB60H&82@ZcN zL7NDZ<+EN`0&+$q5*o(mtDFMQJ~8=E)3II)Uj18QLEBe%{Bn7kF`FqBh^t+(fExK;KEF&lBV z=ri3N@t9hd9J^ErhQLr{LXvr?I z%Jkyvv81>socr~8?66?NOuuxBm^CG)PQ%*yd^d zk1_1Dv2^xJzPhFLn9MSQ8gqAJ25e8$?Az!xZUEfl+uo23{!U8Q7U(7`*1u9*juZ(_ zLIW$Ut3m3cKtxD4LvZ+&vIhRZ*(GN3E=B~mby-#_u+`amY#y>{6eu_ zl>t#_bGTJr-bV6`-CR;1^+&))?Gr2CP`_MT^TfBZicMDLR~pT&`)O7uf%@K7JlMY8d$w$1pf*CHkD6x?+s|~Qg>`c@*!)Wq!!@g0 zxZ%Kooraa}v}#w7T@QUcP7{j-Q)wfhRZ` z_?}%u!UQNXKvJ2H_MLoYW`oMX!K*8|1=w&#ahs35mRPVyku&bb>B5VV1Cw``trDE z_5q))FS7WhoxJI%`-kVqEV{A#SqYV{1@~DZ-ruTXPQ`GUe!B`Naqt(c_I$w!l1V{j z4}3D<+xrDO=id4mnshg0)e@L>weE)QcX8aGUVMg=WoNjjeekM9cFr$9aVerzam9HZ zjagP_Vp-ilw#tX_KZhS<5^fk72)29`q3aj82$l&Rr}^xd+wuxGU{at{TCpw2K4qBy zx#jN-gh(p(&htF+a{fPz8QBq2nZf`1%hdwLAS!oWr}%m%Q@}*brYY3CPUpURw%d-^ zrht}S%aW3O+V7uo3WdHK<~Vu+0b>Tf#`;+*fBAZNeb2hAiA*z}ORH^Mh_z3t70L`q zDQ}s)V$qRWxi!bG1F4g=_NHK;)Nh@P3zc+kQ`@^=AG!K0NKNK^cF?hq9()*ER)b%O zFWO&d?L#0BPszPPz;uCIp1|_>eBh47c~Y2#lfEeD*xhn*u#2hN#rxWShH?RKNeYKCO5uR;mRGjHjogjy~E{YFRX0*Ln#n0=^8;NlZi%Q@l)VRO0{`i+Te zuHWQ`Fb=Q?&e!KjL~3FUXO|DQ8Eaxa5Xp>HTs-A4XJ(I|sw-2f58dD3*Q)*)>$# z1Cy zWou+k@-HH**pLyVx=V9Y+ghf9<<^%wGeHdMF$A zzm%GIFE*C%voAf%0j*LeR*Qg;I)J&M+M;#s9C(C;Mn~*Pu07?`^jqiy#t z8i;2bYGjXu0pk**()^9?eiOm{B`xX8eXijx{;y?_cgF8zgEVpdMTQQ%69rSLQ(J{W z5CS%#r@UA~@~Em6UHe?Jqs|ID$hJR8*rHRagiFIE4o`LF0Jpy7VX8$6YdP)0pG{CW zbWgRdX!Finy5UDc&etf()GORMdDW()QPLLTV^s*WdzF6IU>FBpw&Nr>f8d{VN^2w{ z63YB$k^rY(X`m9I!gw80z=q25`WP1IU6af^TL~kr1Y&&;7J*yLnOL^2DTn+g5A%Y z2~l{nlq{b>tvy+(FjQmOxg=jr7}ZieeRuf?5!zU|M#{8&=7KIjg|72^TK9Z{^nvTZkOw>*eb4viaqi zdC;@h|APhmhYNK2ojz1hmD2q|1v<8+-b6iB8&y{0bV5q<;hlP{Yp4o%S|Vf8qt`@tsp8Nb8Fq?})%y%f6Ur_A;7nl_WE-J{6I2`j}IqF`B+wI7-SsDh`=4hdKDR72n_J7YnN^mANR5!CtM6XpF%=KmJo{SH`$;b)Efzp+=() z_DOYsZt)=1Pn}Fxr`5jkD677wzl`T$$(ZODQ(t$n6ods^WI4Gc-S=&% z4i&wVqGHKmUm6i0b2y+eSQ~MZKVe3b=6F&{HN!ZfSQx_MXJ>d+mM%@<-IEzYt7aB1 zV3w#-8{niGSUxfv`bnxr`kSA_Mm*Ez-;8%1FIE_JY1(5uC|E`qV(#TEh|OxSgFi$d zIyJG-L)qFk59$vyqAmmj!ZR(^6;4!zqpT-1THV8a)a2z8K#%1pW*|NwZFkEp*=5WU z$X8!7)X)J`7^(sXj>wcQw*Wy7`7FB*`p6DlScP2+eTkg z@{ySKp1 knfr@W4A1FZ^SkQ-=vA2cQagg7n#uBM||JjPpiXe@coCPtU-XFfYq-nSaTGI%Xt#M9~gmb|`O`GKAMNg7WCRlNPjRN6Q67e-VV0||b z;6$qii7_Bg*(+7ZHx~WfOO6Km&K~6w67<_>lRk)vnD&@6H^qQkpRRw`UeqF1?=chB zyqH1_QqKliRL5g_DnSTHNIlu4&x35_V-NYPlWK>OftindQSMPd&2|w9=q)6pf$@+A zpmofk#h-b^cbgU8wqJ7zp*HV29(l2SkKD7iBk%lGjXSI^h-@Jlz7u5D>C<>K@JRIt zee84p=C2n7gWukJim`SWy&R=3W{vd+xbt+)Y1V-IG`TIm(D?X>ji8dR>()3XZkfq~ zNUSmr02#_x3rVC~9oCBax(OKkQ5R4{6dFAJ|}~gEWzo7bCsK81H&U|ati%!g@sk)F{P zAi|G_`A83_Fm^knIE44#%rn;W65Mi8c77L`xHpu4!PCC6AeS>6u zf;V3zc&Dick{hr7vsR1OWEK93Wp#Q%v1XFjyzdR%VOq;Yb7(Wk!-9YoMtG#Dqul5} z3!i`kD5$Ogj@7^~N3pz+dfEDi{nZ`BzN+&H`-j)gmM07}mK6Sykr#CIk^;3D(#5t* zo^M+WiP8)>UrV$O-aJ_Y~ET=LG&MBwmi>$sW&BQ|I zy7VxqSbx&G6S#>@VUhoW-(H*PZ z6V}+AQgHU?Ii{IkF@94hx8qQtGHGyB&xg?bcX6laC5#MrXq9qwyo8AhG7Bd0J|c+U z$dPI+xso6?Ei7VOpy~G3LQkYXZTz|Ika;#0O73WeCZi~l>U8_(n1MQ<@B5PdKiIC% zgRF)Tx=&1Oa~U#3I-+s+;4L-7eODOt`JoovBL>df1iYJJpbp>-5RJvZP73+}Y{Jp)JlB<$Fm z>>o=v+UHAE*|!C3S-09N)MHh>lcSn1+a>M|hf2tjqy+~E+PBLyrx3^Dbvi3<8jw>y z1&0JCuyffkZ`;Xf%ycHhbOQyo<%HKXzJId{$M^4#Ci`Uf-jPrgr{sKcEB3sD- ztY!VFs*=RpZ=G;^DV@98Z5Q6WN6Q%F*cm^@k zY9;!{#v?e+_`w_3`(_2ks@K9hpCInGd^ZSHP3vAsTQmJSgY zb6j;4%EbD6rgKxTaP>!ub+y|vu%%?8BN!{dOX!MPV32JlEy}@L#v(7l*%Q?bEh%4` zh6e^{v44f3v+t#VCo=jiFkWqq`sKiQFNiPH-c{jISQ9Nuhee2jMK5D*H&DQabI$GK zlFqg9!F_M$!p7a3bUU=Ra(i*=v5;&0CcRxVm3Fl+ehjYCox=#JH-zCQkE*Zj|EPW0 zJm9IxyDJdME9dUe(X}hIuw?b0SxPH;s0->#=6+O}wS&Jnt`Inohc1Seqvk+{=y=cV zXJ^B;qdJ)6)#SCCP)|G8AUx!qsq^8n%HBdWB&d4H@rg{Jsto{4oG^uuT{UlBcwBzf z#i8>3K}Rp$e?IU$Xn)dty2SFXg8N!9A>eC#4@iLOvUz-AfFZ2QP(%P+;f?6)j8|L= zWh94)c$Pu?*~wCqTA3l6JRrC|?cLXEaRVcPnBCx-#Z#Y2ohWq6UWJD>sIi#fu$7OI z2K)0Wc;=k$`q!eG*06zB%p}zI71j6i{uP=3&I?3Xf?xLspEUhQCz+6rpWm?s zYj9LEuZ=Fwk*6dFBg)kxkOU^gn9QtK{je&c*rL&E@^|&KJ^*J0T5N@FnH^Cg$)G_v zkqz5J1?_(l5r7&3FDkUBgK?HJr%IPiROnZ!q!b>7$3`=y)4%k2v-4%$B%{&5MzZ(Y zN*X24EA}RdijZU1W;2d6UkTa&Ot)=3(?jnbR!pLRj+$Ov-cmB^L|KtevOPff_g7a6Vs-ax2!VmY z963+hdA%-MBT^~omPorRX(?F3-?RtjAUE_Y7qyXG8|j~l2V(-|dvbOc7@fRFFNkmwhM+WJwo z9;FVVKu$UGon`VHA$kW&;Hb;Nz2;Ep=u4%DI-iFtO1 zoP^0V3d-QdHj-4iggcP@gUo4Npq>Bo z>;~$noHaw=A{7O`$Ru`YU+N1y{XfT|U7+*jM}LzMET0_d>_gE<(}|@B+-1<(ry}y^ z@4R)Hj5F6T@byE{Och3kq&hS?75@iVh32JjDa*Kz6d;a6XN+QIBbmgXr;L!>9{BNh zC9Wv=8)<`tO>XF8hvu98=Arir67O$>7-i}3^Cg2{-Td%HQgvPUsX<^bT;_QEzS@M6 zp~gI0D#W=EfOaoDnN595m5;brT(6f9Lj4OVob}oqC0xCK!?3mDxn8#2HxCxMhK7gy zwG%m8LNL+l46H7y&au1JQ7yqqRQZ>m?mqpur2TrnL3o$PpL(whk^Z}b1L+2C$7Dm- zlimPh-mWa_oj-$DOy;sRR{KT5^jr!<#$D`TWpo=EZW&K;nIVi;lcSDASO|74Q6=yN z!VDr!d^Nv2*^A?lOQ{qN9xyznEy2VlXZzo_iIFh70zNHXlzRhH2S&V`s??d0RIiD| zd0Bgv96+-I<~<`Ot5ZApTxcKFI0QfY(^0o^b+tUs$a?-t9Le_zchgz#w`$a7iO8HR zTFU0vsRzWi8T8h{-`cxAr2@u0pTcrz2lUnuje-i`;g_Wb1uh>>dst#}w807saT*%` zezlu75ABMmifOg{qD4xijvhZx7!s$rv=5Pq)B@Ut)uRz)-o_2P=~(7GrMsXuqmy(il#E{ZWBa}0fAF}~aX^T%@OUd_}3BP8kpia;j&p%Oap4|?U zjCJgw`MI-HmC@ez@B)xlAw;4_DL+Jlc;Q|IaaLNcEjBL$F2@ zdVYaqE#OzzxL@Ofyy}%K7w5^eEgCK_l(=pw_=j1uDf`??U$8T4XL!w&6tRy&Re(UE9SnoBiGk# zpuIsyypdC5UtF`TgZ=GY$%fnk{Vg7%Ai^oawHebAslqX#x=~mUT5p;S%A7`@$3fcB z*Ev;Yc1rSH2{m8zXw6bx9?TD1Bg=Bt5U>{?P=um3)`v9;RJ32hC^{c_I;sU@%;_V! zT*zDVP_hf(yk59-A^D>DMZxHU5xz@Ipmd6%I^cRcb4~0E#B*+Z+B(RV%q2SrSZIoA zL^x1qldZuksv&3VCWc`TNcJQ@c8ynHM{pbVlKtSvVvUPKj^TInm;MC*p)I~-;rHhZ znd0=A->qSH6`ah?mmz)ck{S?_FKa&&E^BI6-Qn!+Elag8C zp$Ky)uktSM9^_18N$(0GA3Or^EU7{uR&@AH?j(4j+gj$BW^8SJo@J>6TFcge@3p=)fNwYuam5U@lIZu- z|9WvJ@ZWC-4oDs8CirK6D8y@OoO*R&@BM}0Z^R;URqU6H=Ul58gh1f#<&$i~8!B8m zrtYd{QKhl2^+Z2eil+n1|Jf4uaNKAcRz%z^XNZgH%awJtLMKUfL9qVc8y77nlpO@cD-3JG@hrM9pXWCld@a$^pA_t(RZ+KvdDU14x9$zalryI$LYfhI5qb zw=WsRkc6=fEs7=11Gh!e8asw7{7jDdGX5d&b3anYQC(6GpF+aSrMVbVqBP>PV=4l_ zBLDr^etrE8jA;Ap3n}(pyhiV*&5mZ(tn*958Gv@dlOdAA!C05M$<}d6pM4v6HHF!| zV|nKb^BUkVvX^d=?DE2N56;A|q85H)Gcp6VqBL~7Tl|;$f6sCX9Rpgr?jB>|!=puB z3Se8<*gSOOi=g^E^LWD8h)ZY0^ex$hM}F&1%#U_q+~o?P9pw9tDsnZV|?ywyY- z2)|I{R2ry!+E0Z!KXRpKzJjcE3}0ZB3S#hm%upb#5y|JA8Df;$skXD~Rv?x7@^0bV z=N$L49Yx`v+rzW}( zC)}TUal2i|T)#I-&Y95->w-nkB`w8`tt`!6Dw)}(8pq@uv9jz)0|u!MdtH>Xl>SOj zJ##99d@xX_nToyG-A~dv5@-BlXscHHepb>~w46zFP=kyHdHy!|EX1ODGM>@!OG#ng zH+!*wOZFG0JL7#O(>cYcAoO5(55cwvt7+$5J%#3v&3?aKX!3Bqd2y( z^um1X3Ot)h-~V^tUp-jdQ%JkHn0gA0%-@^$KC@z!nxAPLXi=iApxK3sh7$0-cE7!q zWWPCaM_w2E*DeJFI0eBT%n5`?5dBK+%Wd~85QP;kdx3AZE-j_PBhHw&4vuu$xH}0w zAU{?MITootxWm;SY@_;+XVr1YUY8BvoHh3gTBI)mPA+>ctjqtf@R2dfhGTWyem%C2 zcO_;3${=}#+WeK$#d>=FG2v_(O0Ks(rGIi1-dT!<+`W&D8&fpZky(V4w$iqIfOdkA^>>sndS5VmaV0B!4UR@1qSy_U>BJh1=8-VtH(Gq!#8 zw%fm8t!u3-s=^%e?4v`CA50E&IW=E8wz|}71(rIA;3?kiRQc3eHyK4Sp&OZ%s3+bp+VF698jD4u)Wjg3l0GKR!)e0kf5#a`c>x~NHL)d^m zGaJ}Ci;XJZwLXDxI12ma7JV9GWaJN>r{cv`|@TZ5ANVL^Zp&sT-owHZ56A! zte-G%a0^`K7ejX4gDV#5xa2=n|0B|8+6R!iQ1Of;{cF&(_mN@O$aW4JXyO!feP;80 z7I?(^>@L-{J7j32l(Z6!^w$eK{JAG}jm=}=+~1rGO~m(-L6Cui793z`HFA7NAZ%S@ zeE^lPERbLQUdO7V)vH%D*wMoz%PII61w|zYr==KAZKmz}Hre_d%sr7K-^yaseI(R8 z$bl}1)J#_Z*X`(2M}N{OtWgIy<$;i z9JBK8u!@o65|RLAK$AriyJw+YFJGBnp8}MX)H*lB2as3ujitEwTzMF;q zfzBe<=wDUq3L4w%P?1U(<6IgKv{5>kE%K}%R)L$|8}KjgY9;wrN32_4i3{PQMj8Bp zH0P^;Ui{(Zyca|k@VWqS{#iq#4V1f7$b^CdFeT($FTQun`!{O@zgZ`u$CNyJAKRku zbaLroF}vtZe5Z5jb16Hj?meo3qdIDACD{k;^j5jO26IKtpxbd1c;UUEkoca9llH9P z!*K$gy1s^{*_z=3sfRslvxBI8hxf+n-f}$EdDUCI{xRtUZ*qx0(m>N-(ip^H;`nt04evx9)Wfx^Nx5oTgOdX_O~ahD`eXM1I!0BcfK;$Q&BLNQKdU zLks&_{?hVgYMnC9uiu$67^ijW!?$3Sl(pud+$SLIpeO%Id88;OKJ8wOp4!htV^NKS z^pO@zJG|aSlc;)Kk<3o4PW?wZQTPW#wV!Oxz>MgK-5(L-uW;wP+t}Q3jn`^;X`cHR zYifzj5p(P;uW7QJjGA8>4%N?wnEAbamvX1(JC%IgMpJj4h+BOH%=yC_ThMI9-WBj*Jj3l(VhcILbY%SCLqc)$xz6k~#k<*5+xcwCEn(>6GMU;L@T1=LoXS<>G9xa=1z#)CQW?B7AX>?ozS% zl)M-nu(}*b-864#) z37b!$QC40+`&i`V^MD&uCZ7pYe@Q6Cs{q}(OtU8r6q8+afMk{&@@Q@={)Ly$paX1* zt$|@lidk)}s)K0d@&4O`4m00pq>J8W><}q<#a~WSm*MkbYsOrp?e07?uiuxKozF4( zE1B3y_%SLoP02FqW^Xv=cLM=Z?&OAwMYdk!@(J9`b(<%!Xn5-9K`nO7J51WvGRl#l zcw{dKGB*#@mi<=sES;fZVS=?>Y+5UC*J1Zht#WcS1V@_u8JgKC@>NaN|fv1-idL;kJA!R;zY>NY`(^b!6ROo)2yIiCgvWk#L#o$m=J;Oz{}igzk3*FgR>9e8tS#z zBb(deD{aubK~ko5CK$L5L)Du>LG`8jW(l;qMZRJ?$wzfr{cLv8ymD%+d+RJ4*YU=Q zO)Y5lJ6-cYSZ(GG@5hqqUo~OAg^d2KQiL=1Jz^4drB?iy24^RWd3zWQf*~FU{(S=t z2C=S#8O+X#3WT)c=T8+E_cd-wP!zD#S|KTMC@0k)kwgBI!kJ*!2jS=RVdu5*+5ke1 zD520llN!5BXN~moW;%pZjz4WHbTT+PnHZfjw|HVybno!}TAK0z_3b(AF?m1bYqP&h z-uERO!Py&kmAQLrX30Uz*t^7e#(rxgf8V*`17`MyAy32)6;&A@sc8afV35f5IP2*D zFO-c)W09K^1jR*g&+l%5%uT@IDWIx$Uy%p=_lBU24&U19q4`V0qQkTpofhJe-DbOm zZC@c7f|gQ2m3~zFzo+Jw8msF}=+jZ%CvmZBRH{R1T=L^yZ5z|K3dX4l)9OTu)XWEN z449(O^=OUhMi29kgZmJKSN$goO2bi>vgfBQ471S$Dlf~;Y0Hw7Hu-NrAdIEAE88^r z&aHbcnVD{lv{tk+N}II4H?}D6bN@=#`5_tc&8YyNY##IKwUbInmfM!%F;dE>Bx%?$beC zIgXB7aZGDUMVWzsmtN1n!G)e&sDPV%B$J(hYKqlurpO#5oix;69hh0*s$WpDw7IAI zrlFisufg`QO&)oge&*1f3Pm<)3ZMW@rvH z_zdiVd84wZ)xo2aUG<(p$uN(;A6<74)~Z!a*t|u0bE@@5xL)0GNmXEP0{zWtn~peb zq*rVFd3|zx%yXTz+B<@qYoZ6pqCbR>zj7F)Hdj3mXrVT5iKnvpt<*d$KdMw3c<`n{ z5(Bm#|4J_RlvtubzxZ1<)-S5yfIDeON#^ko4G%Rj2M>+#Oen}n$<*St{p-;ge~oT7 zNI|1%A_;z6;^)W0xy+h*Wp26~G)LovAIWE%Jze+43L-T0;%sUbK6R4or6wTfCjf4M zG*QpO>kD<=>6Os4M^?+(Mk&_noRsrDbQ)Kj3L-B>t=`oeGvTL-_NWAeDIqp zQLm2c(0dyz7kMpw9vyNsTA7`B;cH>wUG`d^&hfK0gV@xutr^vmD*MaR9}VSe1_L6U zv>)d;Qx14!*;pI$GlR=58`BWyBx}`ChaZ@pnmvN30Xiq^sNNQdQiF zg%Av_;dH5ccc`ATIPLkBjc zGCzvOPj9f}LuE^!S9!m^vR@U$A4F^^ZBRt`UJHMm$1hzGsR>EpjO;nBm`|!NyaWbb z?5zSWHiuIidN1u*#)~H2@Lgy9^79Q6HkO$vv_R*pPuw_cZz{Doe;|?ss-%hay*H7e z%hJ&Ob9qRUT; z1?B|=#SE-WkQTLRvw7Y2K}a{oTf8wC&)_(t7@0eZeBzK{1z~%yS}l#rd#?}y9Iwmn zTwoQp2$xw)`P-YEJK&n2qNITCdx8Spr=@uUJcd~I<;gaguN>oQAWAc?+;pFkr!3)E z*4~Tu7%pf&e@|Mhj~n(_gB0_qNDtIMl7))bJxv8=V(4E`&(TGDKgcDh&T z!MXQSk!M2vE&fSQeZI2TNneYTa>z-L-b?TpP%P;v`ED}px4^_W{tfMR`bxrn`&Hw9 zS!oNfw9|u&aO%vTZcp_#leIJHlN8r-!CJeq-e!(O%A#l?br>t=%>c!qmkm&EN{-o` z>g6Vj;)zZCzL3D>ASpIEF;hagcXvOTMYTFo2rP=5q z7#pNx-zhukpW6)w5r}xs8>WlcR1BS4wG3Uq@0zre%g9T!`Fl3hPr*Dl)>F@qo|yNW zwOVfVKI%LmF{rcJNGaAT^0*`WqCz{#;7*+lgAObQ_q52mvUxJ_qg6o_VQ!jE+ix~4 zN}jHulNA5Tx!#6b>)MCW^}#<_rBbBJvOInS02IdM5`6Y1?LMeZ+1VYqUZ)D%&Mk6d z;_fB}l7;e0`*R|=^In%tTNEr@=&BUcR`Ab_}@=-mnh=> z=QqAH{*oa`N@FN}r6d^akfrs~^1Y2SHv7?Xvt9|3tm?vkB-i;Lc~Bk+I6w0XW(mG0ww#a978o(ly+VS>4C1~ zRPEBf-;U;@#p8ouI@tHx+fUKnQXafI)+7cEN=8b$5Ws#t6E+d++Xxi-ePxIdCvX1B z>`pjO#YK4Q2Jo*5Ca&t#fqOl1v3e(?VS*(e611o!btdzEd^V{8RCaJVX!=yQt2dqe z8}YfcD|LhIaqG!N{+15hUthY07?D(Zo@LK$rhnYznY2%Anyv8bdDqBPd0A=;>zpi< zik4XH+2LaFrT^yh2RLk2$CBlCV(Dqy#w5bzzr#HL!(pM4LTdVl9N!Ao1-#yq@_u6X z?X#OHr`x@`J()q_YHAthoQr;wkwv#XTTgr*0?dntL(t{w<)**YB*e3uil1wC?&ggX z#R%wtd7Ci5HM7cYuo%ORwZ51d-osITyK$`hS^Nu#JMRYDuZ;DBsR>lkM+M-V&Yy>0)J0K21?S+UdtEa&%|8IFq;>MZgMTX@_*d?Olg{4 zJcJvdt>+PJp-)a3jqTF>62(*=5?>L|PNYPnC9W#bTj`;p29iB}Q2O+uPnLn8l?o(r z5sqc!Qtu(2)yI6rbEbL(^6bzod>w5*BR?s9YL@L(Ph{PtM}&_>FC_%a?xjbaZ4W-4 zt#aRf1$%nDufn~3laAwxHCL4*SS*GqX=Hld8Etza6AvI-W!oD{bTefX} zI0H?OWm}jN02#*9%arXa{+8%iEvfiqj`u4m_nv05{_y+S+cop;zTh2$yW$f;E_ZcaZB<79Fyj-+d8kp^|Nt?)1S< z*XWvV4(mU5ca4buQ1dtKYgP^3(- zOn-SPgs5rPyC}DhFI<{w%GJnAxD)~GM`L}$A-i-wPsxs(te$_fymDlySrY_bep!pz zKQ7k*S0t7an*$?G04sey?Pv$u-~T3>YIqn46~>Z^WRKpG#E7+TWqak=)LA-X>1nGC zN$wqclzrCQvAsjMX-o}Y{j{MKIP;0m*TgCATI>vEx6}s0kL;emm+Y$BjmVu18E=pB zwLjr{ed+dfiR`41g4Yk|XrrQE4P;ARE|_L}Nf5(S|GmoUJCVM*M6c>5`o=jMss_Dy zVEwBda}(L^S(inBA|l9nCv{8eJ3UaPDq!E%b>7y9;->#lWU1>KM6kTGp8xE>%6WPSH&CCvc#NfZ~v+CHpI(x7{K$X4F*) zGpeEsAA;XLZ1)d;yj9X}_Q)dGaN~2Y8PBpk>8!C>p`6G?mkLp7F~EF~8dwrd_FUQw zUVV|zLlN#i7M{$ys+Yu!#3xu&4Bb~ylL)d%4PE~h_}r(Y2k|zq;VQm3hqmp458bCrv$5M}II6 zCA~ub!5#T1#$avQMXcxjl|!Q*5VKJ#3)*&89qZtCLJ~^tm!pxaj+*c3k`w)ml{vm#P8& zX87s;agX9A1J^)3xI$hg)t>jcajE1@{ zxJ1N6MPM5LU|MIKMHgSgYw~g2xN16qs;;U+$Q1r$BcXzX$MOt zD}1MYJq2TWCxG^)k&Qrzja>!OaT=~HF2|-?kV?zjyA4%RcMx6YS6oiT-S>5pBLhttvJlS{OlCePy-- z4}W;MPNnAjT8VMvg>H$&=NPw5l2uK87n93;O?fS5riy-^<=h(*Y=xf4Y6r(wx)diE zNhx>cIiHF8EWPpNdsqhDi3*A9#8Gi*;;VyHNac)wfLb_9-kSSRY&V$3JMvlqR@j}pm!MrsfVMIFhypp7c4 zjX7Vwp|0>s4mb>O)bTeWT)tpHL%B(}QcQ_Eo>19@M&1H|pH?@IVAKyg+}4NcbGX!e zu?9ZB0wtUn-YdXYejMct1K#4(DW3{KgFW?5e0P0!FrDYix4O5-MN2HAmwM;6P(yO8 zB+BkPwgtLFzm@Nf-DRe$V@vbt{BIxEe#O7C+?JsrY-xRQ7`)X~z0SSnr9bpN(HL zP{mmZTH_Ba*FmZd)vz3v*G4B@r(E(6R|_J{cXeJA+3;{>xlhLZOw|SDu_igQS<{Hk zV%yJ0u~nUgIBe)1I`P9jqFt~eXEA;}xquQZPkhQPGx_jQUea~g#z4%s;<^UQGK{Vf&$$<6j#QUMztC6L zjj60JSie}lK0BDTuBov$23nNm z)O7Hp^K|C<(LvvL%iocup0*?P2OOykRZ~s+T@4j(bUf~Vm2jB!j}*;M(5=E>Z!a#? z&$69v761NFMFPk|XLxxRZj<(|4>xpS;YFMe0#rb=k?Jr1CF9AVsviTu~dvn>zH)2N)u>xwkMYNFI@5O>Nb~CIQfW_eV zxoROeJe>GwU_X9=q1KMr-nqHNpK+FE3bB!NppMP2DL-UI1s==ger7l4rLvZ0i}JUQ z6ynJ8I?mMt^~Jtq-U#D_UyboF53EN?|9oMZDyV8N)rY8AExzw058n9JnvgAqg{E>@bX3j2J6#ym}2U^^c&zmy&-1?lcKv-M4-IM!!jBfY(*Kr`~a~J^h1c zuU^kx$=%}&4--IaGHgXCL-gA}tp7-%v?QCszWwL#+o@(i*0AR4pO?PfgQ@i!B6D)r zoaVabfKSCo1f-jDk(OFmsm)X^(0T8DD2vB8+gW!l>xmNW4`~v@O72Dop^!w>`&lNt zCSwE`StfNpB1?>$@?JGfq*lUtmm^k5D^Ghy*;;48b-`JeXDg{w%=zZd0bm6s?J|}} zbVTV!hkM+++3vVp`oiDlO0$Zki)F)GCWgxR=@9>Bt(6NMZB5vb8T5RNg|2A};(S|0 zX7n?3rSjiUZ;!DVn%=j5@n;0f`1Nz^*3p;r_gf|DC2W33p?XbES3>bLNm{vsj>V&( zmRG8O_h2y5c__W*4Ypg>@}?Ry2*oM@TiuacGkbWj+dmH_`yBpDpHo}fI!=ox=;*B% z;f(|=*vj5Nk3ZnZWyahBtM%tAcP>rRY4Eu|x@iS_Cadf3Yy^G{U1HnttvT|Bx|6KR zCLNw^nl=>n#TU&c8+m=K#Ht}xdw^-Qdf#{w?utL|Q|eNYtF>d5{``&Vq4s3#%e?z^!~C@O*U8cy+8 z!w~abwuBSqhxO`AQrB%+HNdMp2M**^9b|=`I=AV3nEUU9yf&k}f zCr+QV1sk2XS7;2%nZC|IFr295@TY++C{AmPOx{*7uF%tLk)|b(j>{p#L~E1xJK0x6 zR((pl-31>H(}9Z(u^*OiszcuD%7(mYXg=e9q}VvofoDi=w>aOZM`f2JZ2iWVMZ&2n z^OsAVZA(Lx^Q@Cr>4$NA7D6e~w~6iA)IBi`E1V&7MS+l7x?3c0U4F)_tmXGN#o&o@ z1A%gnhP!8<%r7IH=#_pL8bC=@=MBy#md zJ4P5WoIoDN6mGI8HpYdBr;-eN3XcoT46087J>km4vH7C=*3UuWc%52cMx|oy9hYfnMEV1^+#8$&qcD z4GT7&SD((T-mn0S3(Q6n2tDk%lSWHqsN}PTgsShH2(R=#OdDf+V|Z6gvqoL@kpnUQ z`k?#6W#m%YQS~Q5b$f2zAQh`y*NxlTmaEU#rzvY|@o^`m5kyBDPV4|ccY2^-lXy!B zL16Xnia^Hh1gX{|LKW4tXEW~+scS%ky~)y;^7l+^+Z7Z#YMpLvob8YI{9O)a^+Qit zI%2ajl`38|P;Lp|7r#m3jIk8{iUdCwU@B|;YT_;q?Fgj4I70KKb4Wf0du*MNyD845 zgzP*UJAxi6{q!K&jz-1|Khl8%bUzBsLs$q`MD}5_Z1^MIq z%(OY={fO6QW~Y-Y%#$l>)tEf3pWhliU&A)_3k`h^H(~y=TAEUnM*^>=333-ZZ+~F* zPAwU{7V{{Nx}Xi*uK_z&6nrbFHO{{9b-;%gAVReI0tDTlL9UZAycN`~5n$Bn|J|}~ zp8af78#MEI4)~iJ!C5cxR;4S#=D=SmiFR5q>;8^O|7Yq|LdwcOHIq&!hd5`(WBkl< zJ3@Dn7VY3g*dB=r1C7MGk=#X&I7p5hry$~#cQd$b&m--lhTzu04_{yH z`CSdT9)05pds&-)8c&kSscg=h%>s_CoY<>FS2)*>Z!_j<^v_L?RKWs&qOK6&N$h7l zYAvYP=@EwgUD@hdbfsZ;PT4*&9QCWj(+?*ZTZiORb8zVpSG)H)sfPH`%@>|e3G;T( z?HSj-zYWo+Cd6+l`0%bjQoYk<7o^~b^EKYvRs94yAB!e%RXFeaNprXOmS)Ix9@u2_ z8=VXQZ9}lJW6kd8ZT_WQn(wrPmn*{P(D%q+6)Ph8SDN$} zEd0kq2Nz(b)yY+K2P%CUL*m9L4`(l=Lg_)lVCR@uioaAh6y{wD$&u%BVc zYMY9nD35W%SzWeVx72%jfNrHYU5A83?=drK{VfZ|ISYMs60{)jdjT#tjFD@+Juoo> zX;pRfy}ijV3e?N+C6QW@Q%x;dYaM^IPd)AYHQlZSWD>-hgJhFj>E&S>q|T3Un-Hy6 z2eWT-MuXR5&~c&l`SNH^0n7D7NS|PobME#*u8k@40hM1ecK)g^mXR$pX4SJ>a6Xtw zHmZ_vewL3<1jl0)d>s1hCW_@D|IWzP#28>GPNiBw?U7t5^Vqp4o%BmX9Nnrny^vfAzheJ<8XS$_!5PiIkSV3b?;G^fHE(TByM5Z>P1@ zy8p?E!<>Cjg-$CZJ5P+9VmVKZwr|yy17Tf~5k;f)oJZ>p5UwoGTO)|&icy|V@W(#6 za>~VW4}9)}fD^7__*2n^bV_wy@%B;+ep`fgP2k8Im zoj`nYRY2MeGF)ZKpSG=BVD(N%-6!5RDUz;P&FIPW7Ti{>Y5RYn?%3Ryf1Tdh>U8s5 zRm=dO`=2}tGR$S3`jw)y%)M^%XVt5F4g0EeNVJ8=c%k)g(Ku(nP%QuBJF9Re!^L^bl+mNCJd~2gkI04b0dx z&jMHT&*)-LEy`?^M##n3`QwvtB7Hl+Z+f~0We@Y1({QcSnswbveV9p3Kmoyy#)iJ8 z$Y(Z29yPEuxhd?a$_ypeE4dK2pK5*jRga>sP4)$SC0HwEmhwXPTKNg%|2Rnah#lgyFrM_UjVyyq}C3n^z*s+rbRe^wx zNB+hftc~+D&(A~Gus%BBtHhMP-lM=hJ7lKs7P78tpPOTh^L-04dsY$W3Guv!kS`& zr5}0ne}R0hT?x~d(OV~{HH@zRa=q^B#CDqdx0g1#8yFeR{;mU0{)rmqQ(E`Z-&Abr z$>EVA0f_o93^ua7N!?t!G4szxT}i9oZ@$$J&uVSKSXD(aiuaeM{41mQk09~)xrG#P zuBFcq#gSmELX25-A}{aHX((HO2NY!FN3iBp?!TFPkfFy+x5JNo;> z9qpkMI_dr{sOYrkO^efJfQOA|uakJS+>(AWC^kSQA`O{hbn| zTctSqD~>i?9_$WR|LG^TW3oWJ&P5E|3f5wrbItt%JfSkVtYLUmcV6(X1tus~_qTx` zzbkMKP>c`!u}`ogvBS&b7WEXIA6RVGcwNFAQWl7+Wou4g?}cdXut7HSyu6vm2SkoF zBxBJYvDujsUh72=9NS_QNWi{U%(-G7`PeiCF7k0HOG&9yY)lP`CGb!$G>XdaOyh1_ zAn5O!`?G%dT^QAjI!w! zJMIr>Ty<^HOEy8H3`z&4$U=#1uf z9P0YqelrZS6E)=G_+<`1quCIApktD>-%vZq&H8c+$GMR$rLDKfD!`)ioZ%TY(VKRS zAHM&lGL=h~dseADWhCV0J7$-i!c&;uTpykJs+Xv9Vsf@-^~2-KLErQjtUW}pmQ42}U0X#k-1WS1(|7vK}vV8Rv*Dzu-mjlE$)Xr%32q z;{N{eb=8@}M~_wwl=>9jRm@2KT{15ED=c7L`yqe5y8iA%IG9&UM-1!#T?hu5+V;MJ*gbQVb(?H;=fj_wLHFNOy zW!VdXts$Y+Xv!>d^P77QS|86E{rHrd`Dv{9^pFll7NywwugK6$#3*9(VQI<7b1mun z27NC*b)=1dTAt_?D?1Y6t_93T1O_RO5;(lW{B7} zcJ^P8+0sJ%6{4kWF#!Vu&Afvs)FU-J<9ik_gzSGmV@IARs-!jxMd9skQjEfQtVwymc)2Xu-`7@!~4b zvt@I7p8{=XE028+UCD z^OM~NJfB~ItrAdF>M#*Q@VKnR0Db{{Z=I^B$w@KVeAi5=dG|$rZCQNRQ*>-HI`W_w zVm}sR!_RX$E-xW{Y90t4Fa6ouf;A1&1D+@X><5t_A_EOZASpWk9wpjY#Y%dpCXpRT zuwVN^4wVYzxF%NrO~(C~2Zn@X83}hD==X+kD?5hBC3YngbSav>kZ6nD|0T5EI5Bfe z*7EE8%fNp0FN`@08`s}$VEvg0JM;15+xlG-Ln;J2sgp4TVZvtiDQhY5*`udi=XlQw z2eWGS^{zCCwKkus6@?Gtr?SlsH>k<#e0a~|kjLgfWheJK5qk*L2AVDOY9(pi2CDz- zupo>5DdP6FD)!$F3Zumb9q6`%DTOrO{0q8=3Hvl%rVj_U*&sWSHOxxwhH!+>3k4)V z3^W8CyW(UrxaL?1ZjUHr=BXWS06>{PXceh(J(d11j0zUdxbEVpO`_Pe(mw}Te4{J_ zy;Uj}7^XvAa>l2ZXTg@Q>J4pf=iHLXrAXT(iDyGrQ=(;~-WgIM@qJJup@3C-wves)}}zFF?iI0MRV$l{ z7Wxh~(qMGW^=cgd&YixEFggJGn~DUo%(2}6E;h-a6p#M7O}wjZntCrNS?InW?Uc0I z1L%eVClvjg0;y6E;Z{K?FMm%xmSTnuHms%OWoS41wd~v+_-M=2+w?L&-sm7F!zuRR zbw2eYTt&&(yxa)E#}#!&4`7FVyf0B;4tEpRU;OW3cn2rKuhHw(k=%vTi{-qP3v=ue;wkmg;s>AKM31 ztKpwi4Nh~c=xs`;y@@E>D$uG{$k&SIwiS#HcToUQ_B3sGD2HH(;R7w4H8tnqT5s5&xK5>@1{MUmhk>BB)z`<1Jy_0=KbJd@>W z;7@R3kkZ>g&6jhhiC>xwC6p4A9CJ&8N>VZ!V{x=;A&O@v!z7SQKAJE;2o`JJpjww?+f)a9fUn zVm>{Gcf-yfYi$}?Xy9kA!PH>mY$;K`)BCg%-@v`0MTGamepBNp{3rII+uzGi_5bCZ zpIYv3s%O01=)@xxmQM4%xWpzCD#%0BRkc@k>*jE#HK%-Zm0b&iE$LAO_y33rO1n4^ z=t<*KJOSF38r*xfS_WKfm0?C{ckgm-rDQbZxY{4|cyZ|@SquJ!5s_p)?XA4IJ#I&W z8Ot$i3gXAwWN~gOHPx%eCEyD=3njMbV+FE$>M+_pc7DhUEToUI?BM2Veg;UuJK&j) zA>QTE0Gg-V16}uSe%Gr!QsL@(ZJXphW-e>{?y|38@Ht_UjROYZ zCo0Yz1rciNB;V9@9P;Br*)E+JIoZRDD3S=)jrBoc9$^s&rHgQ(J8De@HN422OuZ2E zIyt8t2i93omdF~|JfBp*!2qhUJZGo2^@HB~dG{aJ7x`O9y-+&{>O`H0sQuC*Qf^Tg=5iD!tV)o7$P0GfR_Y1kMb z^nPZ#+SGRXXytTO`L=HB78wx5D%E}Y5~KL9p7mHF>~PrfuU|VRty+@mY$nFiIE)CH z+d?`X{5uov3tRXUXDijeI~GE!kgBx7=UmEL7Kz z|JL3MjzLkaf0@cw9|7zsFjU*&c}FE@?22ay`ui{C5JXhDk6y0vzA=ei7}OWC?Kme9 zG4H>h9-T=;%fAjv$1*Pe^-&r^R1<2ct%I0+w3q00bB|UGB+sEKVp3X?uXL29f#kQ1Tz+RN#~EGMOgHFD#TSo^U-;$7;1x`yoDJnczst zdzt2AeISyhwPDVMQUOlfNuRy2evdn}(N71pq9w*@6BRkbvfTnu zPZAHqKtRAQhn-EfR~_NwH?+^CO78RYd(G1e$JURFNyNLc!WFa3MG`!SI|kx-BZj?- zu_d9H(35p`0sr&qkdqo&h8;Sny~G7v5Qv>jq6m|C4Vc01g9)GG_!u^WlG>vhbty7@ zo3K17+#^;M9Jiwv|AV6Y?}+>V|99;{JpDT`*Vmr-e|2DFg?GfeNw_Q71iNXeD*c`v z^K^#^%EJX;h8LfQg8+CJ_bc203&UcnxPbR-iKuy)Ei5({63OS3$I25V~OcMlgNo$@1jU>TYpF zw3IBpNLpM2odCGvcQ*67tQS>K_^_kLOPlS;+7=_EmG}PV>gHk0bQrrpqhVf8cJo%r z2HW;`>YgKR&*`$YNP&()>LY$H)LPa#(Zwz#_Js@^{y)3kSyGAJ(0qq#6ty%FlDiQ% z%Zqf)*u5~Kl6tXC<(at;k_i>)gm7Jj%cg`&>zxHMPYQKQ37+x`#sdXeGhGnlQ^1U# zD=8w86OHVqb>pbaX6yHG%;02CH;l<+k4d*gx{ATmPHyNrkrB@_l0_qJ3Tv#b>x`&C zxp$5to{50l&es+q!dN*ylgDRxLj_#cj$OA0RP4t58NFNY3EmY%iKHT~cFWbl5+?eb zlMPEGOzxCOBXQRRVT?vdl=IQy*?H=c;W}Yq%j{4O%xKsCA!2Q+ZFPV? zrVD6_Ge417Uv$*%qIW`?_1@1w}Uif;H92L11+c^p8786N& zdWCTUg*;6Ta(BIzq{42_O%91D)*8hCCO%W}ow;m=W^dzjkC*S^VtetfCW1R~l4v3i zdZfL=h76oAse$C zxPXD9g{>v0%iCeqjg>K6bOBI-4@RwLrcoN!^@Qqep4M4@L|+vC*}7x*2`}H@rO(nX zYAL~f^-%x>%^eKYi4l&9mey&H?dm>cl6Wd-LV3}kv_ zS{^0rj4s`%>PBFu%k02DlZTF`78*-UpwBy|`UcsCld>@>x6>a3fQnU=9qqkc?LQKT z%%f1Alf*4p`T*A&X}EjbliW;hxm^|>EsVxAO^Sv{S?8Z22}U>FkJ$zAn0&5(@07(v z(_a|=09y`2Bq>=IAyNhv^F|6u9{kUDe8oJP~9MUmnAU6yY-9In>Dnj(PUO_ zk}S+BZO&06Mz~{si!}iqh^{t>hdiDfm+swLtW6`8w0@C}4%ZxPw}IJQzgddUYMxgl z%4myYX4R|pL^@J2O$V7Wi|}{BC=L4`irAi~7G)2~MxwhdY$ibh$K9zBQr2)xS@`de z1vd*ss6c>#1boJ89^ttYN)APYva+c6%Z`|WCc$+!dsg$6Edi(Hq95nFA^-d~uvY~U zXL$Y*Kd^(Iw*bF!8flxll4Ihxsbnyzi|ig@HaVR!(v?&q@9`z=r?(|d9#XWwXGQPR zI1wMOo7xFb`>b<@daKnj!wqeYYH!?pX{yf|5BF!9?HcEcA)eN56sKWZsOW3&k+^sU zD5ARsDsKy-13=wFOhY*rJAb+$26Jc~1+F*lc<8PM9~<*MKi$NSRkfbnKUkcoO}Hek zxIo)?ht|0u_2ZiZ0CtR~$JH|wz&|D1pc|I%|L_8kZ4!9YLM(Dn(HC5KF^!D`5v4eX zLzZnk_u~F(JfPGw!HcZytEWZHLx0gh_P_=2Z4JCgpX5CsDM5RYIKW z93ft1b*VroYVz<5ljMHChY@(04(9Q|PY-Oi;DTCTQSI)94zoUXTHE5D=uQ54PKoen z@+l^i6bcaVncN}^JA>AzFUx-!*2OS0-`{EfVDaZbh9=1KeLKA=g-uIu9kaAqc`N`J zBwS756t+AlpofTB6k0~G=C%kty=+N>YTSPjqK9=y#WP_mn9Lrc8U@SKfDz6oz`fJk*+t zL!rw9qi-IbdP_|byP&;4+Uy^sn%Ld6w73uY8yVR(K|Jw&L(oG~Fu+oHSEp)54z9R{ zuSQPfVP8x|Wf4H+#gDRT5)vtL+m>@&suuTAYSZgC(Zef@zs9Cqhe$)KEL2rb-efmc z%0dWl!qDZNk=7aJ;HKRWPS)faMTBb{}Ij5+I5}ZT6|I4Z$&N%OvTJ0B0 zS5kV*5I4()NvWJNudG$IhDljtq9Z%A^$4$D5?R0Np_8^#JKc@45Fv62YWA6ACPN20 zf7cqoprkaj9Y2V+T0BR*@rEXQRH4zMsS(0AivZ}}nyG-Eov3eip5fL*R-ccWuBU$l zHgJMRfs4wNswzgmmZ;Yv+PR`kX+Jv;vg3Q{G4}_Ftd56dxd3n}V%J+MkL!xUg`Io0UXdT~hI0bYspV^B*^rH= z#4cTq%gU7#Zmh#WLy*S@83?_}HH)}#Y)2`31>KqV@FJv0m|%+s=E9uNc!^g^ea~}p zHSa@9ZfaL#${jJHB$}(xZEGZe(efIqwPMK{! znUPV0uB>)O!PDtK6hPE@Txb)DLom;xP?w}VnxYzFjhZy+E}C+uH9eNzzm>7ezHg5* z(g&tDYkI3XCb}PSfyBEVYtMMQbN0}6EE9)&)gpx1;cz_F`||{Gp`B0gUVPhC7M3V` zQeA!eN=6RxrfPb@RLBBY6zv5kp=l0)24s3oAIX;mFCu5QLl-d9n2i0tIRsoEC}l#{ z(&AsGNmreOMoYeL4x|z!I~f}P@gvLctPqS-sqnwZfWoP^u}5f$goKf_wZJ{~cCBr0 z8H9~5)wLqA_lst=W(m`g->&&NAkgutM6T?%WlhV)D3dJfUe!xG^`yp>%Pd~6GCQ?H zE9~I74AtQCuktAjv(<50EW&-}ks@mY&!)fUon1{oy!T~D7aZFtmLfqhz1N(RY%1Wj z>h+UJAScSIg|dLr0Y}Mba?|7`{@VQBs6DIot0jp#=E><|g#LHx(AbEy-q+-NwV>f& z9uIe`bPm1i;-@x$y`d1k#LQN+!{hLP*ninl?ua*sgzFmIW%9nM`_6kzn1+3h_c7th>n-> zIxp+TReTy^wv$gE-iHuXY_RRle6lnHt7Wncj>=NgR?BcST((3XuXCvxWCIq?VZQGj zV}Zx2quHI9&Cz5%n?ZQ4tI>dQOthG7_o_N`N7-8`A#%UJsbKo=|3fOc=(szrJ8{JG zp^-pJ?z+l1493AUeI)DkhFRn?_vmo#Ku*SPDbXIzcAceXGAP}eAk!qnYrpwio!L2s z;oSPnFe^`mGu`L>%^dTo@5W%W7JKpD#0$UEay9C1IRlDNx|S#NnQc_dk% zy&^_9gxPScP)Hhe)3%>G?s8{89u;XnnXJ!ZAqcvlv>7jGX{_3@P%+BRAg+d^TxDY1 z==RoR`H}7qz0mB0?S;_#3E>m`rU1%+9{mawmd~k=KD7P%8lv8oXVJIFjzxe>GCeBU zRMwcV?-LFWrbmR13dEytI8QgfZBVL1_Qz|&DOg&zDIL)sC$UWFCY1@onA+$i0;B6o z%=(L7>uef#j5Pl~JWqbGhc(>;F+Fv7t$*hF4r+1C;YhKM+jOTk8ToG3X)3gt&MYb` zf;3KQH6j@HWP0S1W6B{+sG)IiYHQycQ+F|n4)lDtXC!ty-XN&vi^6#7td4M=S9iaU zwDwLxn~G%LQs*Ff_pH37v;1`L|1WZXd=hN#&uS#?>5O$yuzBaWse>XLwJ=kEWw$pq zd&wYq9J!cW*Q|m`wi=Hu#4h5K!N5vuv^T5Gez`iIM=nav4)~gnh@B8<;aN1zGdmav z_zE+!K3SDKpo~-!dV1~&~Xq#77J6h^QRc(sV8c`yl>H&FLWNvq7HRB=gf!@Mw_ps9?4@2 zt*w2H8IK70FWCPf>BEMf#Oz;zbJ#D@gk5pnULST$=6%d(FB4{u>x>;flLhDy1&clC zq`@wn-fKF&G%1j>DBFG8(j;mdVN*#XnAL@8Znei$^(-Drk$O!2=~K<7aTFK_u?mLN ziI>Ny9mC*iybn{wr0G8J8=tZ@v(X(Bv@I!{S{#~>tnGE7YuU-YjVkN&45vRh)Ivli zx3NfRNOzY#+Z}xj#t3TBK@qP9R_2?_D}xs>>qtu%xa3If`-jj*y|c^N=roiblIA-d z1aqwJ^*c)Rqbcy8@AN zOo#3rAR$D?ak2tUP`^% z9vaGWT$SYwP-Ve{%iW;{eS7ZU_6~_ALVX#3zH~Usj!BpIGfc^tJ$7E2(>sGq?&LB| zO`SEh+}YRv{d_C^WoAoOTw2-j;npmLMSHZH+T_}nv<2ina{4(jk@L7kmHg!Rk8jum zFNCR~0LPB)3-F&&eprg|9SN1#qTgAD#L0xP%T!Klm@zV4N^{rNOE!kWcu3+X~eh(6Aebp>`Xbo{9 z_B`Q$Ya}zn-&7_A{+J3`f}4znQ@?(f-Pvi6!_V;unW8vo|Tk9(rriZaj zHYrxszWn~X?IpNV^o~e~#aObN(E}%MGV8;!9)oOT?aQioA{I2&TFk*8F;X8)T70X+-X3r-}!Q3;Ul0zL*da!gx-&{E_)`aW|RZXJbn9Ctn;CY*P93 zQ?)01`l6CBHho=xr}rC!9glE-*PxSb2s{Y)phd&Kf@t4Dy=3*WQ{Rg%5ubk*N=h|s zp{f#`w-y=}#kY_vQ^nq9`%*Q_oKny5m;pf>D1u&; zf~xt*ZzH`;Z-0Aw&qDQT^la-S$`4QvX_Y{VlP+L(dAyuLkJB=OMG1vbJ)xL&;{zKX zF9u?lASoB@(}f;3^Dp;21A48E=6(C;2LYB7ifY?UF!$Nei;P!fr77zp>HL zFswZqWe+!z9kg!Ra*hGq?1N|pr0fIkJ_`-q$^iw;ipK8DAq??>IO8WlGCtO*x}k!o z<(5KgRCA@kOCw*ffFLmj%ldljbB-UY4!rq=o+%XyNp(a)>R6f;Q5M~yf^P!}n?wu# zx0qM2-bOz?6DEhZs4aYc_f2}A8%GAYSsgR#lz!%k2!uK!rr7{~ChO}Nw{Jg2Bn4To z@-g}?eA9bwQ|A1A&zj{#W5Cfw9)rms_w|Z9u9GmSLRaroZJGX(JoWZoL#HBD0xmv_ zWAJ{nbuY4ec~z5y6~R~VoZh$SXjh#xhLW=<(Ycm{*!_Q;y?0bo=^8gWjs+YQL{yX( z5tVUNP?1g&6#*T^jKe4(B?3x>0FhqO22l`cDkDXN2q+x_BAtXzKuSPL=%KeHgpvXY zN$z&eIe*;me&?=rhW|Hf!G8DqJkPH^N8C5wG?pZm|6$^={($0wU6P|78?PBS1xy*m zSZr6uL@2bFq-um_4rbrLKGS&`eFe*&w25}kgz#Gcm?o09Y_wvw_kRa^q(eTLe{XvV zbK}^CxL_djI3V4sm3NFIts9&;*qhK41q#KTaQ_K>eNbg%-LHiA+v`0_I*D(+!00vg znGd@z@Jt=m$?WJ{)`IH53UfoQakGVOmD@uqx?n6T#$uO4#zC4L zo7?tm`?+U{l{@&0Hcs!tQ}=OKde0W z5huA?yo_DdD=+RMch6p211gj9UaV00lWIzj(Fb*U_n+nLx->l%gN8f*=)_0Vt!hkw ztGh6M(O{hgwe+K{kdriy!qAKh;Wgxu;_TZi1-JSWdohmoa8PyXBpow6?gT$=k(;=G_NxRwRta5DW?;=o_RSixaAt z^oi*!qL9w{dT@;b#p=nA{S@P_kNjpOYNV{wS>$Azk4GUHqKnz#=7|-K_GJxO5bnz$ zG2K9u`9?m4J6K}&!jV0cj{;+pIjXnEmh zslem|x05}+zbzbUVB;JRJw95hyp@kq!FGhEhP(;I*Xg2@0wlHz&!Ye5I`}sg zaOPhACs$pnYV;c!*l^*T+Al*GH=!4~|`Myt-1X(B@*ylZNor_PrErQwm~Q zH53x|1$SUoFh`b<2DvcEuFWDoS6>Njn(X(&BnuQQNDnqbOrPDzAE)d3a zMvC4xB;5}9qf6zHx0i$}%?m|p`JEY(2l}2S=8z@rY2yCyBlz^v(tNg3)UKKW0M>tH z`oFhDi+_`$)SNiDeJJt6r`i`+h_AFoCcM2D@(?Xy#1iC|9Wb6;F((}83~afmz2MaV zcP!`}-FUUVMzK<@ulE<`Ep1;VwySNryDaQ5WQ1;fjAx>aAfbg zsQ$Zlu@o>w#xnSk1oV( z6AL}+0GFt(JF$A`3+Lz%^&0#Qn(%C1RmsAngQIXkJ%80vH#0s|g@nDa@PZOM{)?NF zMlASN{?S2>7d5J)JToXU2d23Lx{G8fxK99!1yPiu@`Sx0UWc?n)U0M<64>XQ6ciKP zOtW5sojq}1S}ivGz%BeyP4{yg<>B@RCRteJH$fq?2cMPtb$lW`XkDx#!t9-kY^j2U z6-Tp<>B!g^op1C<#^cK4@p!{? z!+;(j2SIZr78VnCVJ-HeqwTbNt(xjwe2zw&6e0~c>XS&gyx|V0@1^F~p#TiIZ(!p> zKKq>wp3y61nh#l6y^>WBZ=#9m_PU3$PNuFOhy{hNS0bWsJHk}Gql9ttV}V%Y?|W9o z1NxaM6Xpjxtc=eBnt+4{)cS%RVH#p0Hs#7*L#585==Q+dTRS5IZUCHClD1Id?wZ!XC3uv&kSdElc&E%A)$`~IG+ zhYrZ2u>eb@nBRjw#acKr!=T<9skg#o{u(D3@7=1=^H0u5M1ye)QH=?XlBD@x`i~7D z?g>h(3_7Px=MG{Tgd=Ne8^vW1NPYq0oYP8kO!WQK_Kn}8yF&NXhn@ef z4H&THGmTbu{lhNd12AdT7;+Ek@CH7>TXDaj!`)*_%-e|m&0P;rTECw&U)=zvQ?muf z<1MMDdP_FtVvjYHvt=9UxU*9>+Uj#9WbmCqf$~g~Io^XA;Yhu8&UYDU zun>iCiHa1#o3wAwXsh}ppbwmV#!;BM%mg1nYUchBu8VD@LnLN+5xYcq;s)~Mvai~Gt8?;QkNdZ$FkSwMKHM~%EvE8!W=Fl>`x z=JGvS#bbJi2}<9)DNjbQ^}mWFzN5wmrIo?M_o%ml@tZdAVOuQuxYDTgh)I)s+eeshm3oY@)(=54$t9PJ4ovSu>n)>TKwAG8l8pAtNCS1maj zyGsq7ZtWaEt%`Mo!QU9T8QfQjR8f;MT-W9o&uMbAQw!t3LU2QCcg^YT{-*0&73o=%6TwqTT_N`v_w4l(U{#MvTV zblokczOr-87xX;&6cU)eo&{ebZXUl+_nCruy3ok_OdI)7*$d0XY6A!lnE}#obaWae zR{vS4E}+>~6Za1Ko(LYjIlP|@cV#@IfLs}z4qz6d~CPb(Y$VB<7 z#Rnd@&6#ySMsc>=CRCp`_i0zqk?U{}9byLcIlvGZ#6E@NRR@u>(n@n-bm{!XTF7{*U0Bs1tzRF{CT~YM$^R3$ z?Ea4UyHev!&MyGZu%u|bE%x4r)jPRqLqKf3vCVZc)0QVUYleg z1YT*Oc_NjV*x2|wwp1uz5Ye+d`-5BIeHnij->VJbI>j$ub<{_;C>r6I+`I7HJ1SG1 zv04pe1y&!=;>vB#!oj6YUqj!G#5gP=p-Or+AAANPGxc4kQg-^4$UPbu7@;d+8RPps z{#jwvzaI@nx@5W5Rp+)8DsuMp?7OCZ6l}^l0F?NckjDrQXH~L>;tZgXImz3oL|DiO z(^{it(F22WE)2ss1-Q2w0QRzGoGs2yiL7m7OZ@}_!MnJmcLRK8lls7eXe}UJcuusM zbp5&^e9aa0ojuDJ|*YLv2Ij)BuL8@EpYZ~w_L z*;eLG{r70M1WAMh4fMGs>;4f`IT?4Ys2$@a^MtEP7RPT%|jYTSG_ zdo!QXaXyQiDCa`W0Fh-dcGKp#9dvQ@ZERP%3Lp^xCPfy0T4na;Kl%g?>{wEI%sBHn zE7dBTRMnEI$l2ec@vIy4e6Z2iJ)lDhx(iacn!(Oy=cUi@27i|d3<5Cr6&U-C6Bw~} zJT+WLyi^dYS{%d8F~tIWhU8|opFo`Bt&~F88q6nxAfls#>H`yr zuodOg60Y#nE?`Swb9RbB~r!`+U1Px%tw< z+3wfL-{yFK>b{*+KZvnrv@;jr*VFE7Uy%+vx?BLO;o4+qq&hB(O_!*@YpT~eP>0$~ z92D7!hZwe&ByM*JPYiq?!|Or1z9iXTCqOs=F--k4pnjPoq<@J*{Il18Fl4qpp*$() zEtO~jzYDYh=)V%>1kV?AuDTz%YL0pf$oztz9aVxGv@=tU_X<*4QRjl+t`y54-CNQT ztnLJGx(exO0aP80(mK#sJ#^zDfP~{vH1F0 zpsUQnWPdUU#B>-|kWEoI5mu^DFk7VX0dbh@ml70eP2Wo04r2CEGF4P`m(rc@S+&<^ z)?QcuXCN9}u%gx8+xrw3@?pkK=a_TmSsy60_cIyW*y&g)8S-SST*p6}n9V)_<ENH zkDp>NZq~-l*PA&o^pD|rRZV3YV;=uJg zHUDUMe)%_?ST2Ko6phtc&~iG~!P%|mD_vY3@Dmuh3vAjk$f``2M2w$g4R)BL-jH=a z7hBm`_6i2Ofvn-poQzI~pM|ww(73fbaU>CZA-{Q)n3M4#OGdmGc^_oNm2(?JJ||Hb zDl?&yriLqXXO#aku3Pg~9UNVFKDm>lBLm00U}<%#!mn97jMsF`U62x|ZZDd<9L|~d zFOc1on=V!-Um5g~b#WGwbiNu(d(G(=DmE+5+ZPGV9$0810hVP~T_g{f6~o@C|IeBl zfIxV48N7|X`L~KJ*O4ywT|2;+Hp2cc==XlC>uiPqy~W;}sRPxI^X-Q)dPf-HIGD0H zwI25irjw#rjA|D&P0%Sm00zpxP#B-#Q{6&ygrKX9mC)?G=pjQvvDM5s8k;3Z;kZx6 z$>@iuhffyGt^HW>*}sUbHBleIaOP4JS|Ph*6s5`Jw4&aqmi(AN-;Jcac=e(MfT)JJ zAQKw}8$sqytNnDrdxezZe9BHb83LKn*3jJvck{;YNEY|KEAXmyt3z9M{_kJJ#xFnO z#jjIX+X*B6WZzD)zsN&sgxR;os|YW2jg?gCu)d-0)9#&x-id6t`V=vB@VnsTJ7_~J zuH7ZN$~oHux>mbii0ei?OHq))(ovU|W3?>&W-bCO-D9q5)jsK4fdFT zxEpV1si&t7(gWwbb)_!6K)Zwm6stmjk;em52}L_~Shf?_%=L-`UjroM2ZaZ7bzL)k z1H@G?I+656*QM^q%SRSEw2mON*;pH-hX1Gwmh*z#HNb}JV|s+g8Ij{giL{bfVFiUy z%1s*6jtf^7*%y?QaTJydG$vl3_}?eT0~JB@X*@K$>XWEPs=VC9x9a_6@nX4$yM$>( zbyFJXe&rtBUrb3vwGe>6tf;Nsrf<|T^GvtJMC+#9g&&&)hx*(gpW z)j#Y{xEtQh^!#*DNR%)nQ->2eUTnI^^A25=_hh`RtXXW{1_~J#nI~j zEpAA0z&xBDsOpo>rba@YRNNLLQ%k{j=5)#{yX9#&Q9jWrr9lD`;#SAGY1=Vn0OKvX!Fh%Sf`cO&ke9XoJ!hX^Z}AEZyUAu?NsV3tWfrgh$}xq z7D*u?gEFed`U2=ys(!3aNU2-@S6zE(TUQ^fthZN(_W#H8b`a`-^`+spvZHW3v;wv9 zWTrcP16{vKKYR3FO-{VwHi-Jv_8=(eT_H6BsNb-~QsDnP%wvww!r&l=c8N*2tnBn( zhwUe3&QERepXJ*Xr#ldH1jg(^L~u!OZ?wxZ?K?}`&NL$OHo<)liOW_J3HYuAPe`Ty zxhV;y^Vfz~EA^wV@K?;aCZXG)^wsszm7opRjm<7AP2&@H#(t0dh;U*p4fzvF^ypqi z_eB&5)*0Q7E~DQFNZ)4>2;IcakE+8OGA2FYBE_#8O%&)jMDm!J&aybk+z&7JPQo*x3x z{%<1WeM9EfE{aV1yyWOVZ0u1nLTiPp!ozTLKle}2gw70~p@+2X*AOz)urcESCc}oH zEkB~yW<%`DsG0jr*7_yLy{0!z%ipD`BsWX75e$6QK-2vkC{Ovjj7M+Rt|Y%qMvYzY zJ-V*6HmTRdl^^^=hji|+!IPElReGJOvbgTD0>>szzoxZOyS62L=8dzj4t(@PID58K=uf(#H) z<1|Du&c**Tu^nm`$e_T&v1wJE;%w$;fx#RH4a%-Uf%VZPYy(EfDaN1 z)*NOWbd~4$ziDhkbu>$AgKAeKdbL`!+7p)C^YKO!F+YadY}MaeemGP)KPz;#PFV~x z?1$35=qnY|ci~L1Jbra`WTaL?Vl3;g(5yvUvg75V43vXJr{-|iEz7axG4wDUv$CBf z0tMoQgXWS#EKi%Ds<^tG`?dRl<(M0%?JUEv)b*Mu(;VZ2ZqkE(2JE4L{8&Vp!Pjw&}gfOE9i{IbdVE9`BK>5xxT6@A(n zbTGKddb-E4F*a#yu&+3iyvj2ks(YrgI6XKW-YLizmdK+t-M37)>qI$6cPW1c#4QM> zbg+|gLh07-8X{5F>u-Lnb<(tx2I{`)WJ1MlbqkWEtjVr@0F}D7Kb8zn-mbEODdwE% z|2ZabYrhNi5d?nOdp|p<7@azv8C#kUUv4x21Y}yr%N$_&L5~O4Ei!JydD4J5I$LqY z0S~)0!K%RqRQpj_9_uY!57BV5B(DE*K5noQ39I%Kc9jJ+R+ZsYq!S8PKGp*Z4lAoj zs9gA8{^h{>)h|9>2Gt&;6|1*vyU&g(&CUF`CLuDq&Vw89)M$ylORoTKD`|aOYxW;n zuI}5hB1v7E|45g;M`Kl~M{ii^9{wnUaDqlh2J?$+K@ z{#cTEKY00thX-rekF^Th7~sulKtF-Gt}rDYa)~DYZuM~96R}Q7FJ>p}Z^aQT!Z9=n zP#jenV6QFoUjQ)8?0}^Q1uUJ07(zO<(#~kw9P3m7Z&w>9m7>8&s#)w`27O#^n+c9# zoA*cPlf%AE6B$P+qmlEU<3)&p1rfK$tRUhO5Zir2psXtMr``CTJy(siO@7OlyYg92 z^~jIscc~y9P7M5Hi0QY1qX~r4)g}YuGZ*Hrh99AdtbK4uIikIa*T(VTo=M7hAirZ6 zX^`LcyeqKlTBz!n^Za*3DJ)?7IIF*@1$3&*h@UUGL1py2#=lq*P0+>yeMFOP_O|8M z#K)S{t)N?zwI29QEBqK_vkg|7>^VH(S?wWQiEP#9-Q`Ah*&tH-yNuXm)^1oJ2L1ID z%u^OKv7IvZS@yrW*9?F=%3SREq&<_%Rl6>F{s_DOb2?cwCJB|gK!BXjYVwl#_p_Fl z|D;kko}_L*0o!{F(lk8FN6UORFfYtfHotlp`R{|J80Njpjh{leXjDm@TzBiN9GCDk2XlXIk`S4YP;n@V)bgg+h=?2sOJ;)470dHgh--w zz4_)%a~TkXCy|x?6w-F}df@04uN=-Tyz$gCdgv6PH_WcPia@Rj+#n}jtLR&}a4%75`wLYW^U*Zkuy z@S#YHjS?;=_t2#Y`@4XPs>0IgO1=F=Vx@%O5pFziMT}JPV7t z{!1n0IFyyuoRQAZQJ8&GAUl0b=%vMw-A2J5s|8!mG{jn8J6yOrtGOV@>S}W2-&z2N zLq5H;yM7Tq`T5WD3E?MD_-$G*#}u|zX zu2^t3bC+?KnPtBYjsC}bJsP8#l5z8Z++n4_ z+77k^mAlrTPNN|MYJ*wvZlUL7Gb>LSo1xO5PZj?ad`eaLO)F*@e=%|~=Mf7mnY^Mg zZHNGo``OwA@vUm+XIg1_tw?qxhBXqdyk%0D!F^W!Za6pi>lk)`=-JCXmfaXGTk6-F zH~jUHd7d2FW5gCdZDB&~aqDup+v&zysTXhqOpUC8y|j=%&(UHcD@Qd_@QB=wb}w=5 z&E!QPa3~=ezn0INkb(w2ZkUb;jJz@N8~lo}!LT<0$;`VV+27D%S^??2!uz$~dq3}m zE@n~dDs>pRg7!We5})94?BqjSr>3lMgZwf7b^_?Wx70#g9VeF_od(;Ny{1$dn?m4cds1XOE>(3K->pcLf2!dNef?RDkn2-N8Sm3 zsn(uEBGA&21>0gvR=KZ@BltKzxEi|j#=3XwOB%$={ulb!(i0zW(I#sTKdW#J&PV&K zzn(13)1a*GX!&#&W6Fz3X?9MPNV=t~9kGEc4%WYd<*DLNXNKSEeS`UVd-qgYvMeOa zQ*l0!8(O%|QL?i+ngXgNktRP&`XL-Wkg};vXF$JB33Fks%rQ8~2+8u*p`Ak+@tG)X zZEe;w6A6N%|#wlIp(w=%ZTpl5d0 z6bsBFeKAp4Qtu1ya0by+MepZJHNcx~9@Am_JVXL+2=Og?4~&CS}Xv z!cs{eL^woE`PR7dVumdwvpt}zTKJk2pRT0!;MCtA-%$O(-(CFQf2`&&Bg;MMHn7@} zS98_qMf5S+-_=n&;s-)r&$IFZ$og=N7uHtWNPC{qv)_LtW`vqe?RZvnL}^7|Npj@D zO_D>NMj)wXWHFWBhsY~`??@;}^$d#}nAV;+$L;UVLud&122#g^S!J~ODS6$++ri70 zhkzI(!pbW)Ch%-&Y6Jlbq;lGWSm?@+Po_3==${KoOQ!QFgZd%y#HY2~0oxI_cv<3} zKoa}0z7p*&xCJV4E6>6Q2Ku3E!*+0^>Z#T=x7<99-v+F{dS*+RuyS^N8+w~JJo(6c znEXv8M>9DoSYQwSi=<-g{ek@1?~zEocu`QWR#d?M{5}zbOyo%>ZuA@G-o|oe>ZRcEo@=w{0Snz z2$y4a^(=EE<;UrCl2FEO0953gb<4A6vrN#2bgL(;i~mybm5JC)6=1p9-+ZXUm%_83 z2aMI?@xmbj`VpF9G+w#V#y&OeE>fF)OT?H8Q`tDdSYY$NO5FcfBJl)us!kra@e-1{ zQu352i1@eCuI_+F9j#|MKkMP@p*X$)di_1h#}fOT)t7r0(T8xkYMs9?FmhHKY>?7{ zIfW|=zQ}jj3t7k3zIP?s2aayq8-P@AvPi4*ps^v`Vzk~DkyNd})eS5IDNLFlD+jY) zGuV6G8&o<2^yrwILKLu5cNi&|XMa)Q9;|uY=M~>0XGwyU^j|A4Yk4V{>rFCjszlPt z&LK00hl9T|eMOsba}|eX%PUjw=~+ex)5g7Rs|&>;gPlO)xH`A58m!~L(p3G`z;XYJ%2QzWu8H;l0wW{SceDRi&t@!7RZyfp zE~tBV%Rho2(hbfoS`GJeaqr+MY);7|WJE#6>9~PBh1)GE^=(B1|S8MAFDMPE5B$w z4qPZI$ZJN$ElAn`n{>(WN>Y0uf5u9npg2|`i>6LQ-rDD5Xd9;t7-F3;wR++6kIYu; z;YM8W_9}?Ehxz=cQ}ZT)+hz6z0#do)?NF~2naZ`{@34t`4!dXWXGEB?abUK6IV--5 zyXC_!-s3UiZ;4*L=`akjrw8C*ZIX3oNj_=jB((Tv+?~p-BOg8gOYTBl#BR*&JEbL1 zk!L>Yb)r!I>FxIyhX3tIubAJ>94jY|1+Me_dqm6H^NlP0f6aRi`I=!}PCaWL{xe|Z zH*99WbSF1yd=#$5_OF^hLnNg^Y{85u4B@?Jyib81o!_3s8&(nC!mLT~4bw3J6TdT) zHcFut#Uw6igk8~OpP$NYie|x~NJqh`$G+8znaLw4@f_ZjxS1kxfPEeTyWx}+r#9{n zy5)~tH0swaw7Cn*1dqn3LcWn7F)CTbvX$BPPYCP7Vfz>(FK4-&>c;S|{@Dd~I{gDE z2y)@Wke`s{0Rt~CuOSOPK!R@xBSMI9)*r1iT3}O|?{Qym#NTR9XY@$k6?R~P%>1I# z>g6Jr&Ud^F36oH+P_ts%|7W@Dk!eUk$kJcgIracK?Rl~mpjM|%AMctv+;u6c2i_Fb zHLlM3q_`V0Sb9OdgL867-yAZ~A?Wiy*j`0-#CDk`sJg%YPZj{~p>dZs-(YpMX6`b@ zrX~UMNpbTtMEq-v;@pafxvC3mhE44oSuG~(+|;Qm*Y%Z;c&_miM70kzh*2Hg{+SXx z8Ohv}8yocgMy%GDgCJ1>^pPm_fU|&k9d)MvgTnFPHNmOlTDsHu)8oM+@KQ*Cy}z*|@F!J^xdeAGzKb?h@+neFzXYN!-{9m?SDgjzjicJlX|I;_ zSB^?jIVo)6qd?Zu`n2|}vzOvwO(IpGA-ZL3yd0>f)hr>RDp(JynM6+y{Fa{4^4g6+ z=n6||B$DiW(+CM>onB8!-W(pHZQT}j(l@A$aqP#M>x({(RXn~ebgazN!BV7gX1Gh> z#@B!{w*lvggdef)e8Ql4cxrQZ)ZEp!^yvQsoSdtgQ0~j!2vW4ab}3Jv`Bjh(NvNQF_^!gY27(Jw&AUV)Cl4``{pM3r?;8 z{FN%K_|D|;tjSIZFYeKV9iY}Azl|GHL=Sj7`PjD`&0a;RFl@u^UR0vN7nW?|vdT-$C@ONx zvo@_rdl#O})RAf7@B4z+iwPyK0?7@g`a7h|cT7I&_t~cPl;9;gy3zw8>8=UQ>O3_$ z#{0Sya^r!Hdq>ADRrocLwSP`@j@lW$uoXySWx+dx;tEVZUU%QZ2ymX{{7J%8y|%2{nz<_?p6d$p^0B!KPv9E1q#>` zqq~H~lw2c1?z$$A-|b`oh&8Ah{>7vCE#>vfUW^lkT5QdW8+ZLy(fkBOj^S-5jP;WP z0TyUBT59+^5MT~@;)iZ%94KQ4HdXC3n(9h18Ubywp^qh-P;!<1=G!yNf6>O{&mpr$ z8maW|dsaSUX#&FyRK>zmUbJm_S+wmyd4GSPo>56=XQ6FxW+r0f>tcVS-sZmIcE%Z3 z#+eD%0s}i(hY_Jiz1bts1JcypbeoRNBD#$%GA+TxCfldhB z;^DdE4fNr)BcZaP`fS_wEBS1P!$5`ru`+S~q=UD^jbAFlO*Ca*a-=dtI<_PAx^Bu% z4_kM&{&3hppl9tNl^n!58DDCUh*j_N2GU<-04W3Y#@?x&#pH9ojI>`&X)gY4(!tF67L^S9R{z`cR*BhDUP(=q%F_EA_Ji}@(pI)g97E}$U# zALk~0E>)|Ugm$exVlkFZ`^^_5yINYF8F`+pS7r`gc~j=;f7jLuZe(QJ>7!kO%#A2y zYBPp&-Rf-b!J*aZWygX#wo&a=4(*2eUCAe+qkn$7j^Tl--`Jdhx=gVpK!mooae=r9O z6LJU0{yOOt*&k|t=ol1Q`(!klFQ(bhhH9{#5UmeFySXw=A5gohTFWSN^+JL{H)A?w zB?Hpnz85E5d}%^$5P`J&!mg{QfmS2)ir-%~u*6?57~@aLWmAKe*GFa(;9ft$3pPKA zdqA6$ytRZ{cifEwD*yM_t@gxhzy25=?{9Xw{p7z1v>pF?-=3#0+jImN-9^~C1tl~H zA76Oy1tBspP6~}+=e)tA%P$+(;Txf>W-W1BS9tQX4ElXeIeGl0w1r=V65MzKoJLws2r>mPL9 zx~N)ptMMe(v0J;M2;s;!MH&pYM##L92BMG_rwd>ZpCYr^Ku!29r{c*B5ZWnem2cO_ z>2$$5eV2iclY%;DD_gIeeHyDXRL!edSeYN)_?)>7#Sn*vYfksP%QETegWtM6Pg-aY zuL_2T_+++71JgzpGe866`D(&=VZO!;iH!w4rrG&)?iQW8H(<1+R6D6OoBxbnN^h(JQXy zT$mBQK>O@}?g=JiR;YKAT*j` zOCNRMekFJqmGy>RuHM7aE;Stg(|me#$?YS$+XgvO)t@)~+09VcA`lFj_YGD!de~Ou zJZvrD+l;iUt5Pv~WA`-SL-%fXetC4}o-R4v@9~tH74{J8Rc-vGiMvW>M!&%tMsSQ6 zUPvtFi@gnaKVfT&ZWY?u!;8rCbd`doXSp=CM6KdY3OLK-!jx`oxos-i=1U zX)^zZ!MkgKu|Td>_2h$ZS~Hlv?x%n4W1xr!(CDZ{DGbH$hmWsiRKy!^s);m;tpePq z-`iK!$68jYvMsGsF!1p(gADyiMck)85a^Sw)q89qLd~2VOW+oJX!&?Af0c3~~LW2mDkl%I;q5u(67Frr62b zkj)*YiE%<%Af~ArQ;FM5z@>?%@mn4Bx954`(5-S7ek+#l3d#+FG-#R8g(RvwbgdCO zs!85RzmscKGj*4B4uu_gOxMcH${IGJuk!qXb;$gse3So@ZMpnt$L)SP0ob9H?NPlL zU*|cA)&0?Jff?R$41#M zEgB&RrJoAy+9;WnXW_=9-V6^`W-{t1IgE|t8=-o176S(?bqGH#zxT_T1>eO`ztsF) z-i*4uB;xHXd;BIoyck6nd#zisHtqPkW6{3oxn6?dmUtsi`P3gB-%B7Xwi@`IBP@W< z;MWE+#>A--U?=9|TG2aNsgZl$s&jR|gv-dnO{)=9F|R8?WLoVe?D8KwHMGHG`6=1H+R;T|RG1z0&G-Tsk*zks zT1dSe6;wckCz(C1-MpKgobc)ixuF?wRc`B1V+z})>oZGK4~yp-VmyqsHU$bVu<%eF zuQ{5T1NXgDwV_*)ZUXL;qSK(W`AXUqs@@AAw5qd?PTyx~ZhOw$B4m)OQ(MV#ZV7u} zlIYr%9>7vv<{UX@>atsw)gFSW$Qx;Fn(;$S0Jp1H@il z2Rn$39?|N9amq)%Z=weq$%WvJE3$41c7az!lZ<>pGa!LvVT;85JMcC^(`6p4Gw{mK z*vWPHW4J)5Rf-a1qTHbT5@@gLZ?PUK2?63ZLK%J?C9d`2K9)qWH|wPh zhSHchANXUGurZ*FUBMX{E*}7$KmNTpJFoELmfG@m(8dGdltOJEISZ#U4L|*Vx+3Sy zAEZgd%sud}aGn)A2rsk)Z+nQ>Im-E5C@zfDz#DT0`TZN|III8fmhYOv zMlD46IIvj2Qd@Z_dik-Sr&t$M!Bu!WxUE4iY{@uaAsFjL+RPve>5Zhy1u6 zWXqAY2t$8OdB^1>J#=WTw)kDL>~y<-DE|I@Gz zL4k5yi>k9B^J6tZ&eMD{n#c4gXASm{y=VIa1f*3?-ycFTTa?P1LE#&I_J>6N-GRJM z$`X<0N{J}=mQYL9Y9az3i)Utx@WJcVPU&X>NcYR#{ukxBslgOlS6AWK=z!;_ z@uih>aB?o$(;q)#DWNilOG{LYeLtKdCYtou>1*4^?W z7C*UEHh=7#Zh)5V2nkrW{t3)7sx3+VHK?mQ(u;p*4-(L)fom^1+yR8SP2(rf;WaO? zw`+nHZZ`bevnKj=V?BAVsKcE3J=6A}&Y*fzBK>=AZF9`45~!8|r_lw=1tKV1c!FZH z7kW@bY8Z%rLgRbic?Dst?QF+{Hd;x%2yx?a57a)^?hkhXT=_mhJN3!Z3#1)BsO<+0 z6~|Z93G+GxzZZ>}AoRfA0ci$#*Rh_Y(4dqwe*)F-&I=QcGwh32v?aP7a#mH>CDBsP9&QhWyRLYQTAG zlfa^3he0t1Htv;BD-%PXvm^+7zr%`#*|h%JqNy82|0l%r9R15)kg<4~F+K{JeZ_Sdyd0*gll^#@A~l)R7~gNo@{*JmrXL#=A>LKvG%>Dwpx#2;xbBk zIArF^`px)-zqz#N9j8Q5kH1xj-Ozj%l87Bk9;QGy7ac@*k*N(nBRm!OC-$LB>syf^ zVf|!V5DE8&dv(;~O_hecPi|LP-&#zGfP;Y23v0zK{)=&BKOi8Ef;`(S!Z^@2o4ziM z;WtxxWzb**R%fo5y2eHme8OF9#KpUTsZCQV@5;hDSGJvg*9*S&4I0%!=RKp8&4Y!6 zy|NFFp4PDbyFSi>Iwjxm8{A2L$}|NSP%sW?W=8F!k7b)NSu?BiA=;JOV#C_uL0nW{ z@5p17Bs<)~bE+#WkeP7`_Qcp5LcDOgkSrMH5#i!*ym>q?OT)N58=h8WpSe^@`bd82 z-yYV_S`lMeyJaizBf-ma{=P#!WeE1N+Z&sqT-i*O!j`7eUTv1xmQB~J*bsYUl2iTN zg8jgztMUH*3KFutSMwoORWhp3g_Kn0+8E}44}66^x=uy5Tiq^~aD*tNd2SE8yQh&A zXXTD8XJ=5D%gx&2j4T`i-JFLjPJLQloMH*zhaLVXhTDLRI<2}LY#WImN)4j*UV^W6 z=Lx0ED)mkf7mF)AI<&#lDx1=X}SMkIV48)4vpf3 zKv`_rDcyXp6-Hio1<~^oMb?iiq*Sb0vlb{j?LkOSYz_+I1eWE>i2#e@D~k125i!TB zeq1D_HLXz4s}?8zh~}1lZ(zRJ<5^1>s<=@L0);unEnI8kiT1~qu#R}rhznDXp{%vaqHq zZrRALky4sH^rxXBoIP3)fHMcbo@WYj8@9971YfTz5(`PoVfFKAvbc#A8k&KR zy5SpKoB2nIN6swk%IXiX38FsgK3KP)7=*im=BR^ulG*)?zh|m^3goD3;GsiR78&Gy30K)-l*yRMgI7aAXmvcpWeN(3xc!Q*d&N@;&A&z zxRm+LQ6x1L%u2zpX|Nt?ZLXG~`OB+)jpK8=_u=>YEm@jCs*bJp-2(sqWBjq$!0RIw z!I`W=<1_IzOLk1*&I6{X{D_2!QqVucQb;@kT#M7Ke$jarz!sC>?rLy*q6ZRSQ>^d;EV3NFWSw$%@4fX@- zBBVa_%I)Eb-0K^D_6z%k$0KpV;`Dvb{8!qo{fGVm4 zwJ~ofs9Bmz^!pKVEAK94cgikyn73Ut(t^DoBbjU6|NJn=@^#Tz^$3 z82Y(My{hKH%2SPlVW3W@;;!&pFEZEU&25*4N(*3@qhSQFWn?kZ=R}OJt0lg*P(X`P zSsZDB32aR1uD_KBzqm#b(DW(qUd(Re{W(O}FY%t@XuwkcAGXedt<7%T)(OGg-5rX% zI|L~Xr4%bt+}(m}@j{`vyIXNB4#g=}+}+(yzO~lbXYX_EUy$U@^*(ZsG3L~O`iGFZ zWJ|?VBw5q{Fa*rFwRSUEA)u3)@@QARXSzH}*}3Ym8eu_HdvN*F5nkR*g2o=8~24v~>=ov+*Y`M#5x zvp73u{VvwzK0Lp!g-d@@fc6k^CsD_<6^5s3$+C0DHiBidyqK6r9K9W zw7*%J=z8~uthJZ&Ch;y?b5nqm$*W=rc3uCHha%CxVZXuThP3rkW`9uvMu^#eRJ`hXbXlg6No z6Nkj6>tage!FWIhTR!Xqg{zcG6T5ex*li)(?S@RkFQ6nDWHJ~HmV6N`e!K-h&Q(2@ z#&@$_mt^v$d`HXIFSh-ef~#bdu-V!dkb~eHpTHmjSf}&3IK0uP%#aRl7d!|XxF1_O zzi9_ZjHOpo?os+5J4eW;{NS@APVuGculd{~b+}TTt>m^d^1V=u96+eg{2a#xeZ%Gv z{LUksm|<^f0!5jSjc9evyt;AzdG(+n#f zy7jJYphI?c3^D(rys%!WJ`wXLfi9&xCJA6y$#VT!&L-=NTO?*o8GN^N{hv&OSZNCY zz(M})^cjXeZ1q`k4ji2-@8zI~?ZK22U9zSaReTlrz;I|QrD zza*fcb+uu50g&TV)IcRJn=P!6_X%Hz?+K~q6*;Bll}R$oqUG2<5^kdAGX47>lO*%4 ztWgyz3C}e9OqPMF*p5W>0m_c@8U!!j!k}mtIDklUFX=6O7^EpxdK9GG!;%}TT%))S zlB^!eK@UkHL~O8y*9<$xqqa{x+!OvMF)KGP>AN9G#Q)4ADe*sX`F2;e~C;i?4)=$6(o zucIKdwSfh=qSSF3_mc=@3pp4k`vf`Z*STovVr<7zkSb!KDSE!CSfOoKui7}j^P?+Z z_5xV=aSC445=<1+)HjjUl@XpfN$H@{n#(Cx&*v*zz2bAL_VO6>mv~imhF-Huzvb^H z8d4Dw4*k@E)0RQm*U@tHpD%U&CpANCc-}pf1Uk3kL53x+dbk*VPEJQ`i*a)}fUJ%R z-SpETFClgh*R&1Ev{W`x1dZeg?n}kEPv%;ltS(1?>{=mD_;jjS8S(f_I8yRECo6z@|*)FE(HJ@eILVfsi(= z>9bJS4&Mhw;JH9;0{9UA_CV1|@Ub^sQJKh9z*Yj|D=yQwiK6r9{Po78>F|NLh7Lbs&_!|W1yv~_M2xc_hB%U<*7&NQ6Wv(MFSiUC&`1Kx-D*daA-Hf+ zF!g&P=X$1bcopP;vrFgww|kny#llKgFa1{@7xI%G#FBG7Kc)ECKP;)41griI3(X0{ zf68S&jTi%jz2;*sKKo9O^QuT5fpu{PiT*S5j84&_k4&F3bu&*RjB8tg%QR!K~n^onDHNN0=?WkMy|w{v+( zpYQxK-M@Y_J4#V9P0K_?q(TW-2da zuUq%AA$d4YQiL?!PI-E_p*j@hv+7a^&=yP!DUl}NtBu2;LwxcCWo<4-rMM6hk}{j! z7LYIpU-d>*@69zi_^0vv2aaNWsQi@L>V9E6SE*FUMp$E#W8Fx6{d6{{?}+_7lRHZ6 zO{88)%!q^1;khp|@nAhy+V%9WAo}1_>~x{hsJJIlsqPFt{K7$;xQg0@VaHtD{TPur zf_HpG%ZF-pC4(Pxr3O)*k7Zgpxl(Vtta|(0=myLAKK%I(E3G#T)^pa6TYX5q%yrO* zuNH=SP%3+6emw=IAoA7d!MN%Tjj|L26Tq$`2XydQX=t8&;w@Fn4N9W3LGOROQq^R# zP|-6md)wtye z>JVn7M^$Hvi^qK1iD#?9>H-rTqQ-1ngKzR(6v9OTI_iS3?n@0;rDl=rr6&Ezx5v44 z?EG}{?_OkgqjODgpY#T=c|-+W+z8=Dhi;9xw4Bd zWA{vG6nr5c32L1 z$u2f+fjsfyv3`)!!Lo()#%(bgb$0W6yX=nVLoHo1Q~6*dCJYHC4ccN`-Fm3Ec87_&fI<6xh&WC7kIMDpzXf*ZxIk6 z>B}&p!#Mb5{VbjvunNsE%n7bTpSB_vTe1#|QP~IW+>PyF%|jQ*%|3-rj=gs-^niMe zqW6-&)A@HyKcOlYA?~GIK>zW&{`-1P=a7>y^&~P8&xpg>MhH2z+*f&oyR+|X+G%9z z#jo|^ouWRjn(7*H&}+SWbDC_YqM=teV_Mpt9{+7|2`^H4ij3PL7h_*~j@v?nD0tm` z>hMPUo+j`NgYwxScY@1;(|!n_{Szjw6wCA&xzKgFiNj3MccBRrggrZ721$W8HiJ6( zxg83P8I{aOoRfu?C^m!Ef;1qH!}#7!5|f5nOj@Hh$+RMwsL2d_9i!+?Ih)NK>wm3Y z|1}l*mXM$CJ}ibX%^aLhnKHu+O}>gUTF>T8Fl9WzF=>X!{9MrtmC>SD!PnT@OifU^ zB4911=_1Q-C>1YiZ7e%9C?n^VbB)8dgjYYu;GcC^N-m0~u(!tTctoSSxvcjA8}{w_ z0<+uPVL3EnW|;BEQkG|%S*Z5NYXF|(FQzx2$T^-!EIz1+bnc{N@<2g#qi_v>aN8C< zoX4B@wnv(PTUf;8JYAG#s)G{olXs!lGTXEM72M7iV=-^J_H3I-m5(rg9GW-fdU-9x z(%UUX7a+1i5_q&qs>59e_|SMTs|g{%p?fdU(fSjm_Gn;u#(b*h7kCcV$IVVPQe2VH zv(ElFH8rv1Mh;&H8VFXI5j42n$nSdh9iX~1o~m7#C|e+r2^(^kMBs)9z!80fxOYPD~=f(76<4 z0?;gvOXci&xh3xzcTe^RTFrCeY5n-@cZSx*bG3bc?q(!O6uy3ff)`@d7*i zYTt=Sz}W9?)N8Ojq5n!O%=!D_3;&o9-4kbUi&9gTR;w#fY(PrDnQ6YzcZ^7tdnQF% zf53Uw`E3OM=g0uz-Y^oK&yi-?<;eUYw;b&X;;SWxZpWsAwY*EtyN3zH0w>R^)N ze72{3Fj=dFMmVG)mxA`z&gaZ6fCAQVNJ89GHhW=@{+HOH3HUh>GL(;-$wv z0ohTrKNhGqRgbnBggZGX%u^-)>Q+k${1w)qKo*NzJS0;f(`LI)AogD0Bk84cfq=ZW z`Y1?jCH5GlI%&Np43b2-FyjxLWcc}68c`$c@U%dnyN{bg4)9bE zfLZnB34>1+g|1o)?X?@DUK_N!1^X$;>sz+bfNk54T?15VBdPlG*Fam1PAOT?U+j$W zRyP~XWxmSbqg&l4Xl*KG3+9Gaj@?OkfRrY^>b9jK5~4(d$OH1EF#Nu9CRgO;w%6OF zN}RP;#YZe+?j?6lYDFdgJJH~$@pn1OTXK9Hh!VOkyJI-X5_EoMgRx|IumB!oYA_z@ zkwDq!$~0cf$LLhWI8guw<*&5HLrjT~SjI0SNvJ^?3Y_=7QVbQ0VSg{S{P%y$iE5X{ zSv@y%2If^|3PIA+c&t<+WOgEu3D{(|24c~jowg(RX_qnm9+94m7Xl2Q)eKcCsjR3< zs`A19`HyHMPV%NK)Q<04oOfsg<}qK18(bHi5C2q#mx201<-Gv%i<$}4p>r3X2A*R} zL_tr`lK#atl?Vmk8H!B6?J7_nO)Qwv`CQlB!)1LHM<+C*{RT;e{mT6VWd7M7)#8V8K5`)oxU-lEo`8xtcDw=`aCqr1v zznQu})LV39FNdL#l$sWgqf*Pbnh(wvIMG=DsfgTCA*d8r`60hG@KVwY2+9x{zTK4X z1GH9Zw^c30485~PfAf}T9XehZyH^$O6eyN6;aD$JN{Olc0bK971BfGd#6r6h=Tfs( zeI1sdGp&%TW0&#SOmsF;m-5x#Z*_oGe&RcUJ77Da_54rXxl&ENx%mnM@X4}=)(x$~ zx5)uC8*Q>T%&%n5m%1E6FwAs>A*k8Gq|gcVo>!t#`~MQG|0<&&$?tPSKi@tOQKvUr zuNkl|jij=o%$1YjPVUBO#q_xqQq*)wZ3x?p95lt88|M@Lq6tZ1v z{FI`8I+UJ()o}{56=F0pV=*yPqb{z|+E7|*Fgh?zYI{&crV8|YZq~*^2uH-?+EQ}i z+8sP$_6aS&fJNwbp(CJ1|Ct2+8UT^cxBTN38O>&Ifksw`(Jj{e&DX*CgQ~e(46EWk zv4a!5K2DFrh#7V24DAe-Q&s8K%<2^!-=AJdI+nLun_R9Iau8rTiI>BRbUaewx@S7D znooZ_@zOjk*NR*I?aQ8}Jp5B3)#7Z1CIVgb;)5D>-i#H0d8{QBI4E}buWeO*;&#Da zSsnU{o@7Uq6ER!5SnsQXcKBhw4Q3A5`{Xq3O8j@i-ClZcOc2FtFYD!SrT>TV3+N(! zkyDtV-kEDa3=}>yXXDSsM#+V?0jGGo=ept2M9O2!lG$ZB+8YX|>N#N+Ha32=`+Iq| z$w4(uc=;CnZ>G&yjjys1JD3=G!c^4p6ICDcR~0l-cUu87L*w#TB8qwhjA-iOkH zwn3t?)3wJa?4tK_ks4pN1DHJy=qx6_lGBx;wd@cC_Bt;u@uPP7ydENndS3_Fue5^^ zJgF8=ubM2MI0w(TPF~C~ddoE$g?MdNKe38IkB>+e^@%v6;fV0RuYu|I8G#Q_g{c~0 z&xwV^ON6N9p}lwxN4C*!fRVmU|FlR9CFR=)MW2ErD+!*ARX$fPIeN)MxHUq!4n%mG zL^C`NRzr}KTME@_V(?v;6@UC}Wb34jbuWYNRvXTDk+Oi5NljCD{*|2RJCOUWFP=y@ zp=bR|0OJPi6XYD3;!x@lma-T$znv3+a3b(|^W%zf9)WMG!7490=~8W=&QKP?vWbzYGeFZG4=34m9SJ#)fZPLLCPTR`E{i9O&gTTv zd{xa=TRSOIJ@9=6tGO-4)l$z!TS#;GyU|ldRz8>LbWxow*3UCB5np)5;nvrr=j*71Im z_<%qnyYc7gIvNZ=PTYQPArxNJN2|qTvi8O z2{slGi%4xh#pvfnoFhshLc(>~htl`i&LKR2a`TBS>0*^k{14MWPe2Hd{of?_E6#2V zo0ms7CjU-ftGA9JO|(Bo`>5?7REA?V53pFn|ox?YR1PQSMsysU>)CMwQz!sX6J; zC4$jKN>D&?6O3aSOI>GEi8SL@~gWiZbI9;Ylctd%qX z^5>O0ZIY#4XG+qzRPG{#uctblQgqT5yJOkv2Jp@uo)6#taK)nxqK2HU#GdHIM5LEZ z{q|o4oR3BSu6QFQGs^H0--yUpCv<&=q@H;ePBht%FAapryO!%zbDEutj`k#=IGkH3 z#}OliO#;?$j`#z1$I~665%`-I>n(Hw%w9;*;C%pDx?RKr6<_}+-|U8Bj6jS9ka>3Y zO0!p#_cd9bxnW^1hF0@uLruebuRp#^^=Fi8>9RSszYy+Sr*hr_R*$`+4mNknec978 z;y;XGQRVgH`IRQqYb%y%bw-;=nswA?h@o0})?2(}e5f#-AROt|^0Y+W@Wh191hVY%Vp-$73UWL1KcXzivHKY0!v`ojj9bh#xbVX)Q>-M#*|M#~=Lp!$kc_p2Y7T(n^BA&ZzA)*Ex5EHtX#fTQ=TsjZC> z_Fj;`C~5Y>UTB+D7OQ4YO@FtsdKwq~+T`@|DQV~GeVP4jc9RRY%{-ale`J;snDv8I zME$$n=Cp*&9zd-DD(0^?F&WGHw@M5Vp@}=k@$MEHuR7Y<%KSY^&9N~Bxr3OBeTl^? z7YFa|vv1Dkd;NmwdCEuaw>SPE0LHwdwA>O*OA?D=$Vl?Tl3yD68HIprNYS&cPgfM8 zXGDla*ckcNJJQfDm)+fvk*rM(6K)3Mkmbr`-lj;OLd543y*2G==BV*5!#ii0KoaGorAaCqaVo3(1_h6nvBnTLfO`@?;R|cW%){ zA&@DC+d>)f`@YU-S+l9?Wdgx#(?m|$P47AjcEjJ_6A8|qlE$)JIT-LqvF8Z;@Xy{R5+k$*OZ{(q!j^4f8Xv5EIX{jgpx7O6BY`9e1ZCaA^R~S0q^xmN} zs~#W5w`p8JI}ilVq&-R~k{T8;xfF?X?k$F(v}nqWLook zigA5t>5WVc)!F4Sa`OaA%kFC__JsKPDXeT1QT$a<~Hj#BLp|C%3|U>1(Z$*l4d zsd0G>ak8Jty)^E%4{c;`HlljV{8)1uskO%nNR_|v%cv9 zvKDJoZ?a!3NOFv1{2Suh4^E#i$VQWCQZ96REztJFkQlmb?(D5+OG<%?H@pChL2ji# z$8tiJGHSABq5hzX{@0*SQG+lhCNAuCh#EsEtnj;C zH@`JWP!nF$5bzQ0GwozE76=b>B8i$mL?3wm$KkJ{(uWH5J3g9+{xV1i5=*kpa%l=o ziR+hQ+2yM1;|CXT9#4)A0Zl(^76^4` z$S0**-(?5|fSgAyht%BUGE~4zy)@JuIkTU&0;6a=oN=IOy;OtV#h8RIa&`Xq4bTxo z${%?OD}v%%{rkfc6z^HjRfzRZXHjICIBuK=xQ<2;w!BRmOTRa2@IIf<=h-P$Mz?Io}nn)g+}hM5W_8kfjB7U-r%(yLMs>R!(UR~*V-@RNq#u7X zsAAR(ie6fLHm1d(;Y}q=FUNZ6I_f{meW^_r6kWfoeu0nEYFqQWp~D+WS89d%ZY+3( zsp0XOGL*h$E$7}HKh>_bg^S*bdjO?*CO-g23YMY<(`v56c-mKUTBN*2A4byz9%~q6LLGNK4r)5ivvS^ zTv1^|Ty%;TO?_XV;m{Q|1649bu==XjKf)e|X)uDPL$1G+dAc4x8jL*Z5`V=VR|T$o zqf;3;Bh1(Igs&6xe~zD-5X&>dpfJH)$xdQXkWw5($wem@SEcCxs@SiTobxo#ruH6w zM^^PmM6V-93_-Qg^p*w20g(Mx;Tt8<_cNi0@zrKl^I+DSTBI3<18zr&oCD@&aGp$L z!D8{3?Fg)Mjax2QC-GwW4JaOSlP!G7b&l!{H{afbMk! z*&+hF{E~Xg!|2B;1gS_qs}!L}2@|8kJRH*?(Ije`+a8o&!q5-|I{9NorV}BG!y1ar zrUG`u&a5YT$~5eM_k`Lx(Oq= zlz3nUx8fkG1+UvJ{aNFsh|RJfD$v7P#r_E zP|0697#^MD@gJfe8imV$o5H3$G`NdnD&DNsH^Oo-HSaN=Jo?u)yf%KGI1o*Z%Y$U($c4I`RLeI-O`loGQv4PA_Swrw?OEB*|Rsc4VM6 zi8meq28yt->rr{00HrlTp2vQJ%bi%7pa)jy9zp&ugqsgcb(8D>ky+q3X2S|fNDtQF z`Q-_8!uImhn}wm1p|P1SLkis@P@xoAOBHZ~C)>SNu$10zh$fnznkk;JI(rRnuy~{D z58tzTue>)xu5|#Z<8unK|gST`%TRX{PrTc2RQABAAh88Hw$% z!#eB#_bh;G*o9j67)4TrGt<~ur#Kq$N#XCVg;Nhbr$b|zA26vmZxh^mrKZ7%0(gFm z%2qSJ6?r;jPoP2X^6959Q&L*5;dcqUZUAyyQ`CFk4Owf~SWiNJ67QQTX+yOGT&PYq_q6SE(#2U+v03tj9vxp(aNffoc_Rvu+T4E6! zir)u+8}9NHS063B*4Ivf^<7TpJAK)Y4(SbxDG`>sG28=v8)xF(LQ2V%MVW1PS4vXt z^setC%#kE2pJN4fomZ{h?Ma$!i)EpjkxtbOOj0aQW>)-SZA;z7TLnQE8BWpIdT4*Q zk|#Lg`s>83e`q_@WMWqP8F=;!E4N89^H61_-T62Cr$+bup5QaKJb*BbzV!NEAhBQp z277Exhrbhj{vA|L81kWcC#3e80`&X{m~H|4yZw%PqW((}ifdepjn5kRiLX?Z=pk)U zlglSsHB(I5D1}+>PM|wVr8#z>%_fP`D~|PK>VeFroI2Y@XpsSz!C2($*!(4Do?KA~ zYLWEz6@NA1=ht1<4iucMD*aA59WUe2;6YU;!|0N0g@K9Lr{RyJ+uL*HgRWO&M1K+@ z@&=+*9SBRWuIH4zd+(GmD7x~~K!Y`D-CgO=Up28lk;QQ4q;K}c=I4#c?d8xYJS;8G zhd9Z8CCtSpnD_J4c@Y?}46HFR=h7<7x)Z-Q%j#&@J@eK%*_LG4@s!M%L3t)pK^^q`8q=Jc227T-v{SM*& zKp-F&1J00qMmA=Xt%S^E^jc%y#{In`dgu!eD0=g4;g!(FL&QbV33OxWcz0+3c75o9bf>W2K3}QYS9d3nP?Wtu{S-I=DL^F^Ug^u> zt~epIMfv35jizX%@sw&Cym=hoJAEOs69QE0UL`lU9kE}3xiI0eo<%h1EAcp+N=#X7MUjD#O1f#+n!5o2GKnZw%x%<2PIf+5_R03-~qXcoP z3M%>)Q!u=}FMI%UeXt1S1FAK6oQXZ&%>Qx??y-sU)aL&=uBp-(&a>bF3{@Cl9gBeaT; z1c(47EZ>B=Ty|}Vc|0RFdo27<(zMH}Kn;NBzYR{A)+zpb6WPTMO8)F^4HkFkG}vY> zmv{$InO-g%@@4!u^}3(nr;8w<2cU$s7`#zs*kLZCEL|WfQ`$%B3dkB#ECn+s@i86E zJ6Ot`Ci2PDJ&U-QGk>fB;IV$9MZ8}~eE0#kZp>mnVE)Jd@j`ZKtx|7w?K#TGZ^H$h znhYK+M5z&XA2C~xC~mJ>{-M&m+k#;3*aonA$ZI3`-HYK1%DZqNX5-uO5v9hz7}e6m z;!@MU{I374uhfW~Q+anEUvZ1JPGA&vJ`o(fjaqRUrxsbjon0w=={5fu!C;^jPB1<`d;tFSbzlw1C#RLS ztOPgTI{a5A@dC(D-gE8Bd2B3KkF_;|J#1R*agml;l{RAn ztN{XWg4k24Kb22!7AYkv$}-Dj>%Ot;*J;S!gFNYv2m%9(P5m+y0h$ZNaWgg z#kD4M!jS|wHiL~JFU}I5V!r3i3kYrg-h>gO1dRr+e}W(mua%mTvMR#5v3(`<4C3pG z{r$5+tLK7jJcq8VOk57tlaFsK7|-B;YaOKB{q=+;9qF3oC>u|)`|h6AfkPi6vFX*A z%7NHFi*4rL3Q&B>CDQJSN$t=j$u)`VgQTod?uQh?L#fJnzSk0kT-$ho0cA<8dqw2j?18DwYvK(FzLLZA8N!tm$Ry->fC7 zcj$-uSfthY?$9+u^xtd77r^Q?p3Phy$vu@gxa_?>!v5EZD79%9MQ0t?okKS~EA?=! zjgDPpc()+Om&H0Oh>ms8b-L&P!+lzZ{6_nAP`(~YGx~`7yh4>tC_>b?!`(3nqHlCL z#b<_^GJYvU;oMREUk6Gpesvb@O&D_C#|Cm4_kQ!gk9bbU52YTA_#Kf^gBwb--2r(D z%j)tRDYc@Q2^MZT=wG{IvU+UTo(PmAzxbFX;-%oDYFOM;pIl2W;joGW5TJyFaEa-~ zo%k0-Bv`%_8O`!~)R_%mvt`dZkw*|xk=j#NpTh&l!|wS$Z%LhunsK1n?$0j+7NmvE zZkQB>`QKp+w#(p?tlw=ZAAd!kqB&8cyq$u7s>8@gS=cKp%TIEjH3o6jpggsbT?bAU zFNdncFTi9sNH!fSiF-=kZb^}N%64@?uG8s>;;rC-L6gD5`F((Xujz5+uie3ZsXX-b zc3hG}`?0$QjqK>s;)u@F?CxqXn8m^$2STxFZ>gftXjMWD8ggd?-MHlT35cw4Uj7z7 zQZiiOba0uU=NKJJ5IlAxeDgZGonrgh&EDQ@t#a|aQ!eOmg4u?74hL15O<3fsG4;~` z4g+7c{pAe;6BBeV%?+z;Z}+F7G{3XCjf81Mpb(6?jBFjL_^7El-U6OSvPAV9SH!Fk za*Dr{^T{!*f#qBQVfmN<01hLm^<0h`s!%oOmnQA@ofp)j2);8_A3N9yc36A?urvjlSh zX#ZB&S@aI7w?GH&5@nJ>elgQQt{*O&wBPAH?yATX!-bu{PMuPa^Tm>jChxL;ED138 z_ISL`R;xExE_KWe@~&4sy2OM4!av0l@W-m!ExrS%?XwxQl_HSbLLU7b0qt6)Vny2T zQjRL*tj&15VY<1wlO@8uij`9A8+=3ULXCY5``gVfqzuW37K*W*u$1NE^SOeX%$d-Vl|P~p%n*Ar6dd3i!nN}`}p+VlM4T-++s2qKOlZ# zHU~d5eJ-xT2d_EV&kz50h7Qj74@WI7xgINgbWIL4k_U=xD>)+sG`+1G!*~8h`WE(~ zFni|#YDj}@BLUa@w^J0QAMX%hDta@ZZe;nUvu8ZU=?s}{>5=Kxl~r&v0R^CDs(wuk zYK2kN!J|`tB>fImg=O%k9tKo?l;sui+Gv5(43bZmoZ!3lekF(`yU@nnx0k$Yu0VQ0 zh|5!Y*8eS*rtb){T`S}--t#V@UgOg!vbG9lG9OX6c@jUHfqJ4IzNvCcG~yND~|rtp8w%ZtX{4E1*Sz zrnwfDu&9_f_fol;F`M#V`|HsJS(j=Spp7WCjuXj+F*x8WhlaDX6B4|)EfCGKzTeR)bJ zi+H9QdB0+wvB1e>-M~nyeny@t=oH)Aj;6#(Em!mdwc_e7?tOv)2SQy}$L_wTs*zZ( z&Y7Wl5}~>PnjOnm;>18Nc+@U+_sK!D@M`X0WQE zVwg*{ks?cdtd=uIOL+!R&rJkcEk-7nSVJVls)-DcE(Upqx@O{oAq~dCEb;@ncfZ7z z`jZzVnIL&7>8P1`N&|6XnzT4vbflEDi3A3O84bn()9CK0IjE#hTwX&8u7bV+uq9y{ z^r!}xR6ur8G_TrWZCMk|<5ABLjFXaIoeP1KhwGt`eFThalw1rh%Inc^0$&ppNS@L4 zuxE(s0II=cFt*5gc!fQMom3vd6Q}3XKGd~&)p!+p{!qZN@ zDp;p^`nTmim!uequD-WMF0=zJf0)!r<*H&k$Aizk#O1j%|KS8+a*b}1Py8k z(F^cpVUz2hEj6a2lZwbgLlZ?xDQrx5%|8f*-Caup&TFVK2$q=$Np}thdS@P5Ho-~1 zHjR>DZ#C497itAtjmhB)3#mh}vjlC>q2Eva=7BiC!ky)j^v2TkBOOwAg-p`S1N3Y+ z`O4)6O=UnLHB6T1?=;?Yc=S3*5hg@MgJ#qNH-T zrl>}jx-}E?h84*eEV}YiD2CeZ9Shpz%7$Nk>3y^Q(SP;HjH2Q8YGtDcMr(qSpzA^I z<<3Z%`}6CD2WH3>vPS6Ba^>obq|-RSliT9Cf?A0A3-ImQb>d{{XOYk|5lrQV=|U$2 ztUd2<>Xzf`m<QPzeZ+?nI)Q| z_89zbrEv>2AiTsjVtkiHmLRX2k{Goc{zTBN`kjAe2QwDT%&VQCE@tlLGg5Kqcw-HO^%xRP$|2F~@8$C)XOw#Q z(S`=g>L#(PXXwyIf13HJe75n{nRVG?t6^Y*QQ&j7Xjh{Hl$vb+o0|M1jpxlDh&3Rr zuk5+*={22fUK!C#rCCuGjKK%6Tl{26;u!`{S11Bs#CGrc8z z>jBy!6Ab-2n=m4zhux+xoXXW9e8x|1LN+SMPl|-rs1ht95N6`$K$No6=0I_cFZ<2q zFiNXOB8_aPr}8UmZxk^vy=*K|l%Y#V+dOLf)fEPKD)nuyjR2QV|D*RXic*%izw8}_ zSPrjG>~tUA^8SgigcB(aK*%~ewoSV`Ge*yy(KitCv+A=L2b`fqhblduonr;#3oN#fK9pP%3-^wPl^Xck~%8DxZ;SeC$uIxrZ?oH!9Gn! zLT1%Xf>kh~w#!>t^48BdPeE_kFB*BOhm))YM-p8NeHrTDu7z+kqLh1?>mY&<_vndt zy%OzosJPx7gh>k=A8n;9aV&;lLv*&gQOJi5pz)i0qYS!4f(}O6xP3rZG$=wrKPxz|m2 z=QKN=eaP+cO1Va&nAdZNYj^7TeO@1EbMXpa)6Fnar5s^vnfx~ZAq?MJ{cr5XVihw7)cdz8~ zD2|ygviSj8R4>2zjb`F|e$Fja?Vhs07)~a@uH`*->ekcG7Sy6;;J1fV4w45ndChpI zjjdINqO1kmKmolKpfBS9B;mI5h&EfU;{b9!Vo@yQHb^XfzjHlpii;9p^mKcQo^<$S z{IAz+SJ&^s9^kp_OVvMYqbjyq4Bq4LcKs9{?NGfu`7GaHUEd(r|-@uxa( znfZTnnGgNTWgbJ)RATX#%RB<0PTdIoR$gMdS#C4$FqyMqs(mfYQYM3}^%N@FOQKOI z3=mn6I@BzXn46hYwEk3}C_AE+2^*l(pyv0FDQES|Y)aL~Usk0*%TR$sxPWgZp74o@ zBX>}eQmtR`;6^}*!0p)*eqHZmGDsbbz+U{9&f`P?v_AY-37=i+%c$?kj|K207FF2@Z(9ZJn4F$*OPtd@c? z!^4JF*ux#D8I$7a?HvHa)b(0$axm6g-k0szZKM+#aEd-^f4ocH3STvw!(u zDj8niP|rn>^dfM1_9gZ?Js>}X%C5cG%v{Cf*FQyc8fG19XEZZdanYdOsNFS`#ujvY zp<+-@rOgvCD|OFiY&_&J_^PICl)^GT6<@E=#9Zt6WolZx%zpRT;g%2zIKw($ieOhd z-9`yj9lM2}+?QWu37NCR1o1|bGB*37C2Iv>49x~qWukE-skv--PnPGex6cNzfAkDs zoQdY?I2bxLv@PI@Ydi18D8DA;PtDA$?xTTGAg`NrqCU4l1@YS{0&zoMXvPe$5Fbb(6%73x?Vm2+o4~+Z4${vF*UB6UpKCkhed1K5 zXsO=I7SRdN8yG(3fE_w|R`X6eT3 zLs95Mxnv<;k*o=cVhM0v=Ycx%OK#%(FTH#2Okpedj@=PGpKJ0^K)n)@C8J>w2n?6w z&_P` zDSiusp8Z9CiAKddn1Z19p}gg&Z|C4V%E%2cw^D|Sod@%CIYbf#@Mn*zQPnf7s1aol z$U$wFs~u0%FlhH!e>vhv#rChl!+RFxo;qKi1fA6&7A$2B(CfyM=tc?H9;Ci*6lePt zLGv%z8lO*>>!Ys9!Q5J=ZVo%lbNlxf;z5A(Zmr#?I@jGX-H~i@3b4m=p+*~w2*~^X zoN8xSFTi9VS^;VTq%25-Q^QCo4cT>SXc>H-geGrhC8>L;SWlY@?MfLLl%LfX12PIi zerG&z!`-4xl;ef~ew1ppFmF)97J$zA>{j1HuYTH~aL#ku8i23$SnrlB)2j}I(YZNV zUX~AzOe*}=iUnW-6uK@o`tbAGE_@7xv6x63A7qQV9KIzJ#?|Xb-gyY3a`d#8k&_N- zc%RBO9rVySc!$0lzMoR1Pb2afa8J);CE)+F=)wXuiCPx))ShS9}Z|=a?i6A>fsNih&~ag5~~p3B>u;a-BGdJyV&VG9gOwx`5R` zm0fD}yJx`8M=#KnAW*7pq$rVUn4|7VBT}v-sx*pD2X-}l_q9~^eEdqwevqZz;Q5(oSIGUmOl<_HOBx~w-K)9R~@$ zbOFyf_{e{jBt%i*dEi?Y{_x6Iu9?pxV`d z+d+Lakr|_5%H7$UGFj`5sp#4MXkI8H)|Chy6a$m|3j^Z=;{Fd|?-|wf*KG@jBA`eU z73odEj)-&;K&m1jHb6Q^krFxtLa5S9Komqu5TtkMy*KF{5~}nP2qggmf%oVCInO!w z+y#$-Yapa&_nRl0Sjc(E^gx}3~z@_CJntK<` zMg#Qh)dyi%gxh5C!n%Qu>?Ia4j=){Z$=*cwgVS39+lDgQO?52242-k&)S5Z1ZAu5e zbNI#pKhSV)#r3+R&Tm?e7aDs(__B{9L!&55t;-E8Cu`}*ra!MQh4^ZJjnrSlO4{F` z2iY~z{GgYKY52iOYGNQOr6fnaxM0`9z=aE1R7W@8`y_=9WXLF!r*d8Ue8qK=g>{QI z6p?K7xAO^7dPlE)eq}39b@SwQiM*g~2)Hn}W{vq|zTK;sfpw^LjOWx!MBQ|s*(Y*noSjnTPMAWzv9*;SmDBH zMR8H+=mY)jl7#>s((OQ%jkLKG6@qz+DK|Ddol`UWGh~ql_UJ0xU)Ly`*?vcm(CRIw z-};dQT&K%nvOiA*)l;4V=4#g*x4w<9UmlxZ`WxAR!vI89H0QzF9Q{zni?pfLn-k|B z95j5;4Q5%7GbrA*5sDZ1Z@hV8;1-}LmHVz0Bn;CVNBeO<(It#g;z zikSlO$ptiP7A2vb<8XXAA1rMjycNK>_vT_Es_?Pp!NQr{BmJ9o=(O1=S zJUa4Rm}VGKAxEj2D8o0|#_}mDI!_hL`VDG^W@_CfFQ~A+Z}1BJTn%LVhIt3AX&vt^ zXUJ1f-yj<2DfNsWtPSy757n`XT93*FZN~2P8@cDG4UlP!gdDXw_zrWP9?O?W{dnpX zu`g`AzY>{P_F?@MRW|8?fgc}v4f&mf(7!B&&~e%olsQOCz6z4BU;S9=66h)`^ZfIL zmJ8QtnC)I?krerrBOcd~Dc+5imF1P<0)3}3qkG;pUva!|@%r?r;_Fc13fC);jG_ib z)Ac!5##bY8ci;LC$le*#kAG-jp?H#~mnBxde2~tg0+K1?N7x+ieT9vM+nGzJDL*tU zlS9})TDg+ZAO;Fnbv7Vk>~C{r)pR%}h+0MsRT?+z|NbJ(|He~M96Fr}XkREllcjE% zr3_SHG3))wjS&!%mxY_H1!;BTh%MkC)hV(StDXNwa`5mOi)P1qRuL`?91S?TRvXO8 z=2Z_Csj{qw_%2J;7Yy5{t9NmNxL~)EE4#=(U6z}tgNUE)c5-h()QA8rWkI@2%pd-r zn)24)rcAc=`sIm3gTW(l2FoY6 z!Tz(Kmu-L(9#5q&K2f#-3 z#cOkg?xN5$*QZ|;6r~TY`UdZ4m5L=_>nb%d=s${Cb~Y%;U977AGmwTd(#hbC{EMX% z^Qn3${QfocoA$ZrORYi?;TKXO`3up!nnB~|WpB}$KW8vS1TsSQk9~mYVSbbxtbuB- zx$qyH%-jGazj3{>ljwgbqFwKOG3b1kP2{g<$?1%NUM_T?FFI!N zIC*^8I5$frZF?IF|lr6#Zmt1pY6VS{((^*R}kQ-4E8((*m3 zKfA8D{R!_fQrENZCq2AkhwuE{F4w+VxMC)EU6PmcYKR!f8Q?}=kf`Z0CQD3rYlmSi z8>LrvJot}QvRkMe79--nH>sIK-}Yl_DVDQp4MO;C$W2lsaX%;l{QIiOb5f=8;F&Zb zgRaJe<>#hSEpA<=B^XlHBQf~!rkii#-~21^eft{2p$9dC)RM^ukeqaGSJvPLAv1q2 z03Zg7l@v+!o(4R&e?}!l;SU+Q$2@qrAdwI;*`YW{50TL35X=C}mfnyd5K4p+C*w;@ zxM|owuIBy;M99ykGMo;Y_(WGfD^I`5Rl;D%NHCu!oD4<^J|{NEm2}4n9E3uL?wr;@ zlitRH;mshKgCOz*lJLdAA0Fl{@%!J~nLMeinLPd3t?E62F_+DuwiQ)Yr)@3QLU%$G zxYqqK=wXmZ93!9w&(}W=Q>MJB*wXr3i%c1D=3yb_c~B|Gl>Pw(isii}NHd>oQ~~|` z@a@JO-ten;Ui|f2jv{Znzs((gY5c@x{wZTjRrFn^Je^&N$uuQrs;M!Cn-f3GECDxn zUV;OiZA6I5N}i9Qyc?L%&6S6Sb-m`BR;R@?~To;`{a#7e*!L$ zm#+=+Q7#XDsDsRS_a=|`SvbB^IcTM29!rq}s_4nAQ5T6AUuE!T&hJ5&IWvcas0EqB zg-ijA%}V34c`5Z8&_g5EfgLMv%HPxR|3alZ^6?3#r9C75m+8(JGK+D%ZBCr=AC-<32XD7mA`4qT8W1vBv0u2(4 z#LSR@;I%%Nfq|9O$15hntQ_WX%%RXi=Pj&V1;C$+0fXmoEC+=VcL`x?&v$w%}Hd~X&aPvA=!DTCSY z;E%ZgjTF;`0oH2T2xB;y<+<(-&Y^q2>xm>Zi&x53+bI! zEnn78o05&XM04#FGh$=rOFz-L!h&>4-z$CXR|Cd=6X$jE06Cgd1L!geuKTZh;Y3c8 zAA3ChdY2VpaoT7yB2)%Dw#L7*2h<%`6GkjAn&gL=y07oOMUue=hvET3`Nq$Ln~r=N z(}fvizZAG#7}!Pq`u9o;57viYCSH#mv?arRVafN2qxL`iS0I{#a)kEWYlI@hl)CzNDG_>;FF&+W5*YDiM>)OlACJetZl-!2VSPiA`Ft+U5DaMM`-fji5nON*U z@X7|T!s!1R?^iGR20QXv z^$1D3?boiwKYo$^snKb*m(8|q)8~?}`~J!U@A$FsmHw2E5o5YHWdgdhabu8lvrCy8 z&u^9f6p&33oc$VT!q__!FEk3zaOjOr3J6j(pXZfxUO43+zPAm>6X{f{;T=OeDIz*M zboKkRDoDfn3`aGwkuf;KRR?Md-z>7GD5Ls3=NQi+ZewnRyw7REc*1E z2csmehReem1n7L-6YR*0L0(K^j6oOfe+8y;47M@-!BViHs4J=BFVxl5Y!-8^0VTx2 zx|z|zhEp-%`)u~snQar$rb~{dUVr?U-tx3KSba+&82XyfOfl2s@niHN;sy&1;t%Z| zlev^Ost@Y1w}lJjn6DZ}3Ez@xQ44&FO|lrF)_tveDus=p5cB*mMJm)c%A zuMjT)KaPmTcHxo2FK(vcODuOfSRNd8QE38XKn5qKl4@W+oh$zrb~as*g3s;7P##Fx z23>Zs-9%0wWjspy=^nKgknGrJa#1P{Mxv_w=O5oLY%qpv%*hh0XW72b7^V1$htlQsW}_7^)`%yT*Mfn^KITN1&~_6n&DfrrdR968M&zXRaG{E zdYs4CJ62Gw&~`!Q58XmX6>u)f66C9p+_LX-NBhhptvB>v)w+SlR@VL^4cECZw0UrcP_}@ZgMX&Bn3Se9gf(UtCWsr^}S1dnWIf^YQMu0G?&nT@MKQw z{ZmS|FTKd^2kRs3 zC|&^Vui-|EOeg*qBAO;=)v`+b{lNTBJO|m<1r=9!Wvz6@AAk!n?*syBcF^Qx z!73%wBvb5ZcoBEf+9jVCe+A)Y;p^-`>ao@b=} zv0Y@T;8Fb2z1MD;3sq`*4J`)dt2E>PVn`PB2ik@NMsve(Hc=H;v-u$otnL%7D-XI!WE(HfybRLNa`v*K(=F^)g?LWV(E7$MA7@{3!m-g1^W5 z5qH)aAGIS0m}a)R;BNeLmC%C*61es8>l2|r68x|GIcKUTJ|(e!TBV0xFcweNY_dlo zt_J^J?o(Z8b^NY-25((A=iVpDNi+~T;kDUy*|+Y`*&hck@`%BTID+^Wc6T@-Dq87B zrJuO#7uH~wg)?dE?1y*e``{=tQwo6ocP-+L*=ei59g~rD{u~t7$4*yMe?2R_OkMCS z6-U#uns;R}bcws+@n&N$I|z2;637J>^H5HzuI-E1sIV0X+!P*~rmpU%_K}5ai}s@I z^N%W=dy}bZMBmp}POL_-0h&unR5CnkWX+HbDQ<$WP{~EEob;;(^8tviH1&hje|kTI zf8Aso1kH?GWt}weBa?ck<-4+0cz)0)TE|IO_dFN)4hguF3)l_V`Myde2r8m+ji^Q zh)k?x#9jY3gU8Ypg9j)GON2X903z_xV=Go)iR6wbPEBS3jaTZ&`>W~Cn0-cTBc)ax zj`z&JvPs-*Ob10aAWov9|6oRTNV3b?t#{tF|G(H*?zSh-PZWyOCnRvlE%QRfTUr^w zjvql(e7oRbV5**XHMLrzCO}qp5yX4ty_FwMhHT!%7S`am%E9AX^Ioi=XoGN0=^G!_ ze3j*)!9`W(jjU}Y&_hbH=&>9-XYaEw646ISm&b2($vvslCts+(k)pY99E)CM(ZX-O zasBrBjj+}EG+753F6j2XP!AKUA}Ch$<6++Rq+i7p$1MxE+?N|${Ah!@l;qp;UKro^#a*1^4@(l>SbPd&o|fP2YTXn zMno<94|0A>@E%qJk$^JhU*o7b;QxvjjQH~qg~8Pde5Be%^z9v6zR8y3BHpyK?xb)X z^o&Gd?adf_W)ak5`^v>_%T3oJZ+uFW(Vbs)pl=JX+p~Z+-=+IO|1U>+?LL#x5p<*^ z%R2Yf0yVi@H(w$(U>lk3I{SqX?=v3+-`-WZnDcgoDpSrB)&cp5zJH-Eu<+Ew=~ZN| zJVjXQ0O#J{;9oxL-D0f@%X0&C<<0w5I-RsmafLeRpf`)kmuU##yR%;_tT1mg*xFkH z0N!W*B$$0PuknGIR=5EE_DI(HOoBHf*WZ42Xb;HOhkAi7mIK9Fd#P`D#eBu`(A=bg zSFAZp^h>_J^~3&G<`0~gUHIXKkR)lVbah~DCb5!i;!KQ(OJVJ*Aqd2-=n=`uFF+AI ziyqW9X&n+$85lwFVeq!O1(*k7(R366OBT;N*nF za>D6xYj*xdR}zV^Z=!=bgVbQq^QO#6mBh)F+&?jp$)^Te=|*TCisYyBC96u@=w?BJ zU*oUJ0rjv?DwRSAu6W|S%yoLkLD#N%%9{er*Hu(ypWFVqJu3f)W2=WOK%}jjFF7) zM}L_Q^#0PqZ>K|k%tV2^z9vWm-Dd?Lum^raG&1?o*N4KeyFV|AUy0nD;FGx_tY)#g zTv&hiZC>7!oWi5sJ)icyjHHdxikh)&KB@;ON$0rVaYb_W`ihMK1za4@3SMP|@tTYe zn|S!H^cuA=P!Sw*Bd%{W*DPQ8>p?zC=E{Eg<4TdT^bdjfq}N9-YlA8LqCemIZUCtt zgIiP1bkQ}4FC9KvD*3wqllbWocz$!$67+e&Jh(KT?Z<@{W)PR*(n4U$J#>W`L!Yj( zp4S_ck<@Y*Ay9#dZ2s%*ci$lATd%)&exxkYueZSQx!Sh>nj6Yu9cH!jyucIwpmFPG zEJqF2?r)A$1S;Fljyb*~SM+f6?8ar|wjH~~^x z&E5)8)hU^Fr)TN$*zobnjIqWZnh8c&AwdfZ8NzAr$Y2yr>)#egUlFGYZyFcU1+z)J z{M2`RQ-(fjPZfJ4J_n!rvgG^WbVJz1#g><^LXE!O@1M&$B$oo&%N0Gm8#sPqs8?XH zYIrcez<g#Ru_Usr)$fjm*aP z;WvK!m8Ho0g$qF!^cSz*`G&l-GEi{cBnj-JW#G;m#!3D`g71Tj4Uj$_#`gX5obYJ= zJHH}!hM|rJn5!qjlub6{nc?r{Vx=v`a`hV`($_u5Dx43!-F=d^Pp;_w|Aj!$V1V7kp5;>sP85ZeXsvzaAdU44(hNfb;wPgeE2KcOnSIH@s) zCG6HFiR!triMsiRDJDjb%mq=A!PdAT_dzgi7@WPM& zP3IqBoSCZT5+FZ;l!6IEM&$urkL~ZH45JQS87uLB&5_zZEYJ)EUJ0OFXO0d{GomNw z2$iD2{_!dcr!O<3_`&U29I6hQq%7!uJ0_?>-pC;r!+bIs4~ZG+3=}J&H5>)f?o{p& ze$dKTjXbkWRpb^+phka4$?l;hcV#>X)d1Q@;}41+*;rW*q8Hcj)lXC&&ck$(y9wnB zn;wxIl7KoXd1V~uwA59Yc7Ajs-O%Nr7Ml1XWbIvnr}{PFK29d^+f3=x>&Rulc^O|T z8?4mfyN}S5-7t&rzghZ6hn~QY<-zE$x0}9+IrFOtG1`p0M9yJaJs=(Y|3wN-=O}6~ z(rNDuD<%MkcK-QTk@-aMSy~L)3sJ9^MaCk6YoI!(IiK{Ph!89Ho!P7#r?13-6bwJP z*ZnJ>-UPsy0%>*^S{EHlPL?j+2v)Vm)*fVvpI)(<^i64Qxa?{^^pz9tp%__OuS2^y zDzFlj*gI+X(}@`a>L#_HA=yO3TFaVSER8(>`1H~W4aTHMXe8-uw5QfXN>5ukGe%OCy2K3LOLYB%*@l+a;a2cIJayfD-)d52l>$3-^QO%PniUXw+ zKX!sgr(KeH-yV)lLY~y~E)V$Ba@j}aiT}dgldAwN?#%e8RU;c;+u$K|vwho@CYZ-xD?ZkoDI=GYlqW|&%fsc^Iamzus7Rb;yYUC9% z4DDgMKc~_;uJg1mOxWQPdL#cx#(uzq0z$)%Q@VXY^QO+7X2!oWSynRXTa=J8TIGwb z(O;qi=oyz@2Gf6f{3!wl?7i?l*d%ypm#2RLPRl%X=))nw#g4j{odQzk^nCnvy{7Z| zsVt z)KF_d`D;%vf?I;6Qe@Wl>TGbS^nw8&yrReOKN#!=FBsbHH9wVBeO^MrRVJU+)de$; zuu|c?MI&X-ongCHIuR(wi00o9x?1LZ5X&ruP?}A0L5OBX4{mOHBujXF{{7Wi)=3`- z>HRqGdv;a!?0gc=AW>ghGkbnBHsRTnt@pUd$c&Nvw*UJOhMq(c3 z(C7RRka*-S3r|t|@i0>Q%Q4cB%k$7s`tcO+(Qsga#f|-;o>ykujrOla>OI-Mv(Qn@ z(zx}umA|B6>y9QHG)-DZh?;Mnv-i+yV<+myVZYDW1OXG@Py$|{<(f!w-_=G=|DG9R zm2@Nz`1{)`H~h33J0scLiwPe0v5lvja5Q}O5QW{ylNDuTq+ba?+kz**6?cbJAEgLblh<5h7v3%lsF?4Tlnx*W+L5mN$*!G}BN8Q}s~!DD@RT@i@X_4)ej}ABKV&r-jv_=F!Mh)E-(Gp?lAiK$ zv`W(eZUFDI@u@!}>-u9i9z49bKumf=SytrJ>>RYi5X>&UQJvi?OLM$0UY}FH25-ol z@mS?N`MO*D8o+-UBz8QE*=ROmj)kMTWXy^3a&^!m>}te_9k z5}nRP`sRkJAwdx&v%IgLBR8|E$QZ6r%MJ5o1t$rJUp%{#=IvMsxJz8DPya01*6H6o zTuL|G5mY?VF{;Jm9phA05H3f&{VT&AvpN=gB6;o)2A(6T?=L)so{VU4P_UPJB=2^v zG{mWS=c`<~6nSr@7+B`=GDM8cNJC;jwV&fMH=!QT62{K4O_qu1b+TNO4J?NsF1z9D zWowqbkA|PJxbglw3m_fe7dor6mC|^=8obt*RV3SwK}I?+daoZwUk4DU{@6B#Cv8hpgmKa9mDBa~^!*u0JLCF<#&GzGe9 zy++6WCmObMlVcP57>HxLAcmid5Y4A%x2^78yCQ-=hn@SBKVV6k>zCb0s>L@-2Wt&H zvF0G*j@PKqHe2mB#X{m#-u25Y9uOpvUTr3G(RM70N#PurjTdt#X**DRQeNYuZk~ex|>8D_ zNKMPCJ}LaxO4Th0>eMnBMNuLio_TuDtQT~b#KJIxi+c|g4zSVr~S zG=kZ9(=486V!|@=CC2%3SUudc65m7n;aS!)lQ$x_e zSo(YWjV$DLU{A&uy@$YTV9wAa;FO3rE(@U#5p#z-6Wcc43#;hZl!Nw2mFBZy8zaow z5%SzcRywgSQPWxz@%uG;5whcm)k2*}wu(n;I@i!%m{YA<-ZnTVZW9>Jas7lS_qud! z{%Qty)L`q}S)UQN7T^5BDAN8vZ;bys20(2BADY17P0vrywo;$34HM?72ndNWD;zNWDcJ2xe%*u6&vEP!yu|r}J+egKsoM5AZDPc6}U&m|pjJ z2$kII6`?XkTY~@mXf?BBh_ie{lCWeGbQ|?Xx=m+WvWae6p)99Q7gILJF;M$>1EMrG zL+Gq|eC`OA+Q9R@K({s%jPrL!Q|vgu!#r}=JJ}kT9Nu;&)MHM!Y%yLI^HCExRW6`^HJ}$q!A%qcDCW*j%ESIV(0DBVY&*e(n5Bpo^0p$ut#{TjGzTI z2S3QvqRGTm2t^}%=v4Y#^ysNjOUGrw(9XUq!NBhE5@G)Q1tr}?gc0h7X-TY#taaD< z;~BVvsu3r>xn1f&6 zgbR4}KFfy_*AVy;BWqKY0U$QLuYafRbi2X#>kddPS)8SGx^`q%l}!6WB-()t>}+dEPVQkJ0PH3GWns7~;RA?vmV==*k z8FtfEKOUM-O^@&0?@PbEnDjAeG9C7_m#~S>-ui zk7086yQmGug=vM$Va^$|3OSI+UPO8*!tIY!5W|14u7apv)df?f6{^B;bZ_B|EBowI zJ#Ar%?m}q2o_M>NWfq1=w~2wOdf~N$lBTb~_nrwdR7@RDxizPA&q3UPeVMNDByaeL zQC+zmD&c`oh+1nhT&*5o`RBNDCsfnZ>12o-ZayOc|Lt%xe zx{anj=yq}loaZPBR`}Tv7f`ISB(<(aZ???7K&$!e567`5xuG4kaGW|Sy-3Jq@|w%2 zN^p^wh24sricpFg>eYkeUjp2wJ4ZkG8A{#u4#9XguYCKyR}b*nbTg`^3o-tORCv0? zfeyQ9u=iz<{0?m{(j%$I92aPtiS*c&ALL&ny8)Imy1Dqg{LKh)39qgwL%Lzfc{r{x zfUXzubk<>JmmK2X#*Pq)#ho25B36y9=2>_<(`gE{<+kgYu&gE`z^7uWROi$xEdPY)1s0}3rS z*tw$|}IO`8lG&h9}YoADv`XZx~wMwe5Z+zU(oZ&>|bg~^dclRvsM5cT>fs@kl6 z{eivRISzR~%!QXk+9JJ2`7v?(1MIabTRdMkHdboYTluXp=wX(gm81brTd=pAdSa0e$aN7|kY3q9;zk>t z;W22R(^YCrGOe?Mcc|-ZROeaQh=$GFd4Le~e9_0tQTk-76b(?#1nJhH*}%d z$pxZSWSafa9D?tCU$+4YN5>O(@5@J;asqQ*5~o8Z@u;?0nR5LwVObGLyjf(Gr8>gN z)Y+hid3j?7s2J+CLZOzn*gcRdfGb%o-rdcYBAH zf}o_%HYVAl1!RT$DM_|m6FM^vt;Ua+z@@OGuQ7po{q{x&M*}vf<5cR1WTF44x4{3n zfpeTAU$6e>4ZMm6$C&=>27V{Z_223($JyW{XEP`ZWJs)Se7luUt`wp-!gZW*Xd`r7 zXm5vd9165E@ovD*mez)d!o!R!2Q9Yi>J83OJ0GPjD<{<5*wG)Dup7`?zO}K^XFcw) zH_pqGuU{mEdOpF99uOPosj`0;O&HFaak4~s^mQy=5I85uj z3C}K@YJOhHUz}c*&(aB~yRuql<1C=u*wEnS5>5Ix1iYG3x#UlXGX53OHx!~q#bXsd zF8sb%WNUPmUu5g-Ec4qF<<%W8lS6755Sq1h$Cgi2?40{?Tkm+gm()uy#FYDxDjIEH z<6rD6Ty8@*sAr1Hq zB9}WfOR{YFxp#$&6(^@;k=e1WN?zqy++kNey3;+=(Qv}i6#4eeKTq^dcCJqT>vhU1 z8~Qk&GwjR`w8*Qy2Qz+t_VUC?sH)1~^xA+`dt@H%hCp!V@9l?foRw%`+HJ$Lh^@kR zxM8VhU%yB_7SpOk7X(&mAF!!9AGHMQPS)GZKiJY084^ozc@?uQc8%3OSG_>!sUg!u zm$-0wVY1tTWkpV`rVX==;P1xUZqh$ku61WRm3ii4^~ZE3%QHz+iRZZ_w7tzwA8(|byr{^9LVw;EY8iFEKib0FRqY{|)Dk$*}(zcmy~4T6z< zE8)H^F6H%w>&Yg7?uw>XFRVf0s|$LjJAbK!2#dqLdd=w%h%kZEY~&;M0Pd&vDP<^6 zg4kI4`-Svt;FTG|oM2YG&(kPF6%~Q~=cvs??;QqokN3gyiKvm08Yb~p7~QBx24&`G1g3|E*IMqnVDD-cD3F?;zeK=69Yb{`-p@LNxbBsn4~I;0m?4Iyg5W zChDrzLNRTTTvLfx#n-bJ_WD)YdX0-IhdSZh)aO7&iE?aNCW%Bc+mOucxbQF1J2-7t zjb;a8WLS`Ch;#UPfq}#CH`4W7;SFt=v@tII zabl9fZ)<8qi$YwNR<+7|nU(Sq5>O8^HI@s|(wjl`?x!=gXub2ZWb6>q$MnR%Q}#!) z#|kUGQOo_6k;A(M@SqC+50fv`}e8pl&4quS+C;c^a_qb~EO zoheCmI!C42+C3)f4^4YBl56PA)XI&JOSfeGi@a{1C|Du}l)Zf}`ptMcb(e|ouNZ4` zudMHH1PfK;MdQ4cuZMA6(j02CYF-chPtZle+GeUdxc=7?avKSRo}mVf3(19lbX8Ay>?Ss+M>&Ga%I(RG}2uf(~F;|Oe~sxkNi0! zj1v$D`!qqgim*89kr1ACsw{*KCuWyGt$%SzOKTwuW+pZ6{Fymex1>YnBxpb-gb#7ow@#OwJ;4ZeiRX0Mg5L_LKB?z+wg5V z8)wxUr!R7#hG-F^m8*EhU|jI)PsQ$1e->R2NNID`KR1)IygJh~U@M z&I#3tFF!u<9^{`KOhid+|JvF#8-YF~oK|d}Vx=vN8iRzS?(ygqH54X07m1*kZbox+ zlVgbAH|=xJpGm=$7}~^RSsHLkSUVpQfwTbu!23rbM0Yr*TM$);@*eF2xbraIL-Syc z{_@NsZ@gxC7GznCK~f;<-`CW?TMVV&zpuDXadJ#}l0#2{d)fZB^Y|`eFzFxijgeC0 zHf14klnz_=THG1aYl2FgEFF-+RuOw&Fh;#4pMA=7tFU^z!|%wdsFPTS->}&%9TP$J z9CnvPk*ap$7qR8ETqliYoz477p`;R-N%}t+I`QdAw;4w>X@rwI)0V}ijS16g*kx*A z`Uc8rO8e}@MASWq{%-U5HWVHf?Y;@ngc$o;D9v>gtcIf?Ui{U|ae8cLb2vJqM%2!XU16P*9{l%fhDhJa!UnDSgAAdM zMx?h!9_}B_fN9JBMG61Ak|dfLCkZ*5n2&Pl3O~8d6#20;%wK<4-PhYYxdgyh>x){JDjc|+2#c)nu`#B*= zU`UI=_qL%$;3OUXwnXma`h`wOun~7Sm%OEnh*@=)Y^(P9G9V)yeKVr5g&&KFgk_ zW}ip?#Vj;!C>pQ!8(?#7?5z%SvLNacbQ0-Z$+Lf(bny7@(){^H2f~xjL z*=7Z=zfJ0*mP{Edq)ii6ynvx)Dw_Bb66tFCh4MZ;AF4Gn-bo6j`@%x(sU=zeD8_?hyBD!aZ9=EZpY zoH(xuwUBEa(jQ z2?aH*MMK0LN#V`2EXh^NCFmg`78gW*H9n)^IHa6=gP(|(#PK3aj!ahBYW6Kxu0PzT zWe!Sz0H9Pej2AGc-g}mJe!ULB9JAY1&Y8*Z9TB9Mt$X5mr2T0<;kPzv3FoyRAZY|! z2*f_HKPwGLV8}jS60EGqLQIL!TfO#}^;oR{&`{CG!^U&cTXXvVwbRg$qk@_WD(7?? zH8Df|k|(`2oJ~e{-rx29^D!2sOL>G#>HG$Td^D5Bf8Y`m{k~Pm&|Or!uu_o&9h9tg z;?#7ye+5@n5{**muN~0Mqqpu#$r@eFty|^07XXqintg|&05Xd@ViwBt1Y7N9%W8~j zr7KvtDp|P9&PW%zPG;2?UTn4gdHD{f3w`i(GfL0?_U9fij6}(igs!SR;{newc9!l| z=A}zc_OsP<-fW~{i35j}Vqp>7g3mC#Mc*!7;`L--Fhj{!WZrVIAd4rp&z8=1<2dU{N_ZWD-i!DiJ+=_eusiGPe*ApKS6eiA)!4{+Mjbm%yoLFIkk>2t z^>X5ip}~1TyAW+wRE)E}Bf#aV7@aL*jn45i)Sp~?;%L!Eb;|<`R?^=-Cm9hAgk)0_ z?B#@D&HLy|A53Kh9sAx|G==|F^Z$K-<4rT|gyC%E59`loSK5<6lTy0{{tg})DWe=I zc^qeSDr1s=9shJg-${?%ky#dY$;Ku{8N{d6xRvL>oeU!O?l9ZMXn79a8B$P`L0;=AfRj zG%gYQTyok?eA-i6e6hI$qt;_0SxSl$ldN~FB16{hL#Ijxx3hx_H0&lPHD>Fo?a(f^ z22x6g?BkjS`Xd!=j5x+B`Mp>on1jzl@pI4UdguMAsB-=Lu3v77!<}`*!NaRANTjDB z$KL0jZ|~_nhCVveW&LI=#LkiS^p})6i`^asdq&5tp>#;r)n$at4{$+Lklq#EcO{wl&~%7!KK4hPnmuTbQ6<9NM4_qH7Y!PY9s3Ajp21{Jz zK39Zyh@kKvy@BUdD+XD2a0@HX;5nZ)mG*CO$bWmM|HlXSz^1KfFQA3!ZN{T)j(k%g z)A_;%$g>G*pLna$|vjLNX4L@p%q*hHV2kEweX2VlybRstojBqAwNNsS4nB$Sl8xP%thVXZ&*@6{ zZG!Y~oif^X6f1W{a^v$ApcxbCBC-%d$gC$i$IS5bM#q88;%}KHo>^jkx7m3)hwWBh zApJUAca)<8b(KxKt9gyx(cYVFwNi)+9bj_!vQSNQ?Pdv?fSBp-HGK;gkpB!ZpEX28 z>@?DHoPk~P#*zYZrqK~SC`@da)N71WlN{1z2HX50!Zyu18)X^1$5oJ=oF0QB_Jxky zy<4Z7Q~71MfQ~-A?6oZC2dj5$9v>6<7-qdTvDgE?x!u-|lDp2%&e%Tt<8Zg*)*aUACicd4FaWrZr`Axa6Y;{0FTRUMpuopd>t`OMzMvg|0P=j$I4 ze@{p-x)Y#4Q=_I$;^P?YbHUd^CYf8y8NW_nQ~@DpW`YNI6NVe=6`nDBjoR9bMre~K z&E(Ig_+ABuWU zwcn15CTtm5?4BPh^ST!>@ z{8{HT!~IreCkYry2IdWlY*6=*(Bo~X4Ld{1jCdJ!^7trtoMbvl>(S4bIjnW0k_J4| zsAG!-vt0iyfBZd1{JRp|$%)ZRK;oiG>JK-xuZ_p%`d<0iV@4H6so5Qx*vAZ72I`+B zDLY-4(c~1w5}xty?3@Xp)$+g4xJ2$GzL8bsnChPikVm zxU-B!;wD{;I(eBrsy*=;ZwPhGI{lL8c0BNV;i~ShChVo59@keLWt2V3&9$+kv^p|^ zwNd3B@)|Egs8fH?8)h#fTt&ty0byEeOhMZzbPVq@#hM=cI8#vaVVzBnP$X}3rVa?s zJJi|3CrC7@ZtYGq3xTX;G)5XDoy(<|j+n7cZJ%zY5w{9K5JCtOY$l~ri!9tK6En#~ai6?i-^ z@D$7@(C5R{kah7NvghHQ)()-(d+$`DA_SK5dM1orehLKmd0LG7?Vb9#m$}KnG}&vr zXEEDVn!e{|ICUZc=oAz(+)9Wv^qX^*fu zl^)Kic#F~NRxWLQs>Ik0RdcN{%`kHZ3*!E|MbQ&SPQZNWtV7{3YaG$n1UUzgKp3fR z?a{g+l_&US1`C}SO1zv-u%^8OcJZslS#zn7gwJ(1fv(>%>0+NFR24dUlu2~1zvhB@ zl(mP-I((0pjnV#*WL%uBfBqWOVY%Y7T{^P|Y$dwrtai;cta;L8ZT3P@o`mmR#IbRm z@8ONF@0V(x2a59<7#iHIAAN{uH2l!nlIVZ8)$$HgT8K{X_Pjb0N#`utFVv*4dnvfG zt%0xb>wy@lc3fp(udtY;=?EVdMRQsW5JvI+?BLa*Z_vEwY;V(?(Rsmhh6U#Mh*l)Y8Zw;VIe*yg}QY(Vggr);hx$nP#)ptTv7hS;L4S_81 z3#3{p$hPPZMV>QL-lxwIVMD;X7{@TB>^EiXl>!l=+HIIF3fUMaP!Iz_L`XC*)xjS= zt-kyB{QCC>#Q*5C8NXvzw|^HUuNGy-9hyIOqeH@zB~ToAlQt0MVXh?L^viNY(r;G; ze6Hp@`D;IDIY;mNo`b9xqXfO-850#Ui0y(>h2~1a^dFVMlZ==)RqUJOr5M!Ed7nNu}?j;q-XILCy8APSlv7E9W#ulCp5eh6cXW=@+(^J;@`e=L}0 zXFns{QtCs(1=kHMHr|oc)$7Dz=A+IcSAK=bfSM9=QJxX(5XcSwjhY&ZN*3apKTl9) z(@)B7NzL)22(do|C49gG+cs|=q`a8wns%@dNjCgOA?|fnWG|z12RPxTU@HurHXmFu#~Gfs!Q}<~tva9dvhiuD#mFfzC1h zyL|l5g884npZcpBbRrK_4XBE;=1*t4`8IZ*(ZizMP118n-rz_tSaGDs3@>@A<2le~ zmS}k=ncI^}B2|s$PYQRP2N+%a=uG$SYo|j1Ifv^!2|XyI{8Fii`<5M@%594v7-1Hb z%A@sSIF|svxQc560!ft5J6%Cir~qx1IO6c0w{c7dW$uQ&($6z6y#Y#p4_h(^obMfz8qsBr+xqcoFek4O)&ul!K~n*FB7%S zPSI$8wVF#dZVNY1l$#QRIywld|Kh8|=WGxgB05KdMb=01eC3?JN!=4o;G7ovU0PMD z=~sl)1R-E@o3a45n5>Al;pe+jaaM%=#f|>YUAa<&LgW{Fy;!d$6(MQW-cmsleTX0@ zoS>u`LOAiPC)_v<&cZ0@vGT=wJ=A?@GrdfDC4TKRzjJC&%}B?sp}YV!xdV=#al8&x z;(++h&vSb9;K!?KPwU9PO2Gg3b5StD@r~BaF;j)+79yY1~zM9NH`d&a+3eoD1GapJl4*Hia}_8+>uzgODiep{UB z^!i6oCyTf44h+AY6#t5smq|+ZOOp4d^BN0AS5=7-z@<1`Y-7{r{)Gks_zflPisFu6 z`P$m&x99CD7MRA!6t_4c?1tjvd6+{d^ZtcZ%19is57LiPwVLc4z#ASmkam0Vtzht^ z&`>tSepp%=>D~3O-RplI|No{V_`h<-GhupnhKWmqq%uCwRRP23u36YaUTJFWA=fa)M`D@jG_KDZ0p8n#BuWg!#0Mm52723Y=#s#)n%cpFqE4 zoO+9qy6kcHP3KBToRe+-BUZ#`aTIpRWHdmwv%%sQzY-&Iw)AnDZ+iexRdk(3v#l%$ zWA~YD(*;?t4w^MtHUcLjWVN+#B_R@ z#0+if)E#I`4t}=9wR*uhNu)Bkp(Av+k-f0|=&Q18Qop=T8a4BM?F*ZHW-sg7lRU1t~;8?8Yq${a9Cgg=|v@BM6(vO<41?_cFGe#}xs zW5aM86`Mk?BN_9wloYhl^V|*MZ)p-YW=T$u(^@M;OUzOaI#qUSJGP|ZaS^Br3zCh9 z>j-4O4G5&5VQQr0hD36OjU2b{fH-caFxFF>4b~XR0o5lhg=(OT^#Fg!4lK(k0M>yQ zd5zkpHM;QfOTvZewskdc4!dU0w)qbZx^QfBps?U12EnO)E7~+MOJQb9Gk&cDj`izY z*%ePCQcJ7m_t8)QxCsO#_T>@?rVRXzuFeb-u_9CEeDoH=oTuskA2Z%xVUo*o!b>el z?*0z*NUq&jWjUfk>s;rYR)fA(feuAhi8wT8ATjWK{oFps3E+5*ZoB_p%}is|ZWF0F@BwC1ZwjkdrBNUy89LkQ!t*)OF~ZG+H&x zW2ZP9Nhp@DDk#xYYhyD3AM?pQi!m<^<3G<{kKlhK9zCO`FeM31Z=8LdOdN*D97 z03yhkrkRmH6Po!thj>yMQWjsX@xPV54RXCXdv;(sBE%Nv?%9@%=J98PLk>Tj;j1L-j&j(?VkMz@q};?J}Q9 z?T!#+qF2+VaJWD?AQ{_d(Q_j2v`~oBZimJ#DIbRgF`QZFTpvnSs}zJS(*vPT@D{3B zQQ~{UPb%Ec&V{6pMA}M_2dm+VJF41EhrYncvP*c{3H5|Ux zL`2Y;)We5tG8-A<@3`+v(<;oHRK1oiCc>H!hIE1Z0vVHp>9h&02Z)4Rz0e{z}3qJuz03` z8LRqwD0IH7dDaNgK%=2bWy(G{XPr!E3an%9RX$w#WwwkxhcC8R= zLn@*WIJ$j*OA}pJVS3PSyh0l>IN5j{-DL1-MgQj{|PX`+6#lu?h!MmpQ{Ccr96_evYhCDNP(28R( zeSGq*h#R?{d8rA;v!%exI8AG=%iAI?)!+fiqv5*V*Rj-sawhOgyZHX$#5pH@!;r1R ziDKhPnQ3bStMPuFja<~>BQ9kh9K#8yhwtKiwP(g}Bjj$I|XRqwe&chq*@B5!r}3ajd(34mP`~gEIF$2iqBN zQH%T_+m=q#*r`HRVz`nB&)4J5*1Drnb*j_QbqkcaDr9@t1Gl6g`lE979U!lxb3#MF zdLR2FU;@6%ZhBWG--#pfv$K|v3fhNlN@J6j@=pK{`yirqP{!4T+db}q*axKoE3=~Y zopW2-!hiS=;r8;_kC+wF+UO<)YVRavXmDEdx-$;!D@WKPq90r85l!}ds6$UEuH`+Q zwI{^v{}=eUsYxp-HQCF;{qR3B&o$2f|B!he@_TskX^{FJ4JLgjuE9oshc?Z!ahB}@ zk<+2&#x z6ZP4qqm!bOAu-I~2}b=2urasYA<0r}=*Aasmb)iVjY-VX3pOZJWv9OduqO~mYsM!7nBs%>EeOf2ZfUQFiO=Z}$aG_|q1};YDBL!Dh7byyu9B$V!WT_eJM+TjS>|E!&MlZV5q}lpmjMonF8!H#8uMLv5jK zLY#LY|0&^D7Ex@H#zQE+6YdGMa2@7W4AI^!6ocVOVQffBOPnlYjfCr2WvS89j$6N9 zIM{IvRrszb4z50xwXsuY{E)%u$xLIe)?C!CJ#zUp)FEvZ%h1eca866fjXbNjjoXKbEK~pF{bN%O;(T~m6=&e&r`P)@lSY# zK=#}^_@x7r3{M)6O2Jev>OBlly&b+kE@KJ=uQGd6ecRK4a)ex4FEkKK-w=0J!eA_oexS_`Ix_|n)-ZPwR)hvWwp zkT#CfMXE$@>EE3)*lB*IX)UtTOwGY2)-cu(b*GSvD593Ug5gj+FS-88%4ye9^O^gW z@<7mbYl)5XnRatr~2`~^4Y-fkiAni z9j*)(>A&At2vPrUIZH06p`?!ItI?or7<{17QUqfr4(EXP{(H*O!0o>%OMoe4pIRYh z(B;iqLLcWS{zi*$EdJ6$K_H{f?bm2EbcBm~;9s1jPjIoNbyZ{bQ_hI{4ot%0&IrVg zaat{e!0^SnMhIOP9qd0f3s5F{pSWO;6OWZ;0NU(u)5v);cV(?ng++g z+}5XY(#yuaB|1O@WyaW64eTNNRw4)+3N42LkY8aD8b_+6`F`b)x&L0qo<~_ zrBbGN2V=|idtD}t7w*CZUwORvzlwV^u9fkD-u{uwF~g#IH}y#m^amT0?hgxz;L@Y* ztht+-+hpJ`n|z%&DT)CXJ*$E*ON@5 z$vt`;5I&D47aNf;)0b#fW|Alnvd8rN?0uwypLCpJeBbGFAar{u2ZsD5fggB4l$D3! zn`FZC=0D_tlRDrFFEPE`a|*82`0|ZGSsBG|Qqu;eIYDNrOllJ!nH7U|db>Njz-6sx z0t-G@No=1Zc5YV|0+CXZZaFmN9(8vN>80{xa0!v@Rtt+7({yvX&xr31}G$G zf7opcmSRZSH_6BVLH1~J;Iq#92)7|lg48-`z8=^R$5Z)ep%?_h**XYry^uovOzvz7 zJBh6|W=Ppu=*QtVtl7Qwx16(jrl((rmqt9+Oo7mGooAm3pYX5q6{umd+n=CNjO%)| zvDio$B4x|6!1m5J@zas2a*&6b4Xr9TIVKpmjbXUWe}b|aaVc9%mDy`?kkt#S&infx z|Aw@5-&b+*i&Jag)@fm2W8I~m$t;}_VAwHmq&eg2%{3Iy9#JH+(rJ8;Bh$d^q{MRDe-!*4UI?@Q?!{=*l;X#&{=RbGud8 z`?@de;Vo!DCm?WPY&Hi7$x@?pR&{1Ys{de8m5Q$?`6b|ey63S^(m*`qtE(_DZce9w z2o<>t-Tg97`E#~iAjYn=6RNWTQKOs-ivlP8NorAeA&#f~1r^M(-@cpwbFlC~00;r< zs{UmF4P|#-*_ymlsL$F{y26{09EwlS(`-4mL8fy6H81V;txMdnT{KMjh2Q-xux-TDRH0SB$!FqK{!3AI4;}@Pd50%(>}CiHWQCp^FK9j9JrJNg3xkVYb3D zRm<#C&LpS`D8G=GkeJFzS}4ZKcpRXiQY}^+1peR@OGAD;L__D;k9jlg-#!cf+E~kL zVD)l(KgA|(*2w!oC0ifxIN=m1#_VE<7J2umNz*qbJCGIW^?+GAf3Ub5bdUuC%DL!1 zw<`0M2sR@>jvuf9Rqn{ISodWOr+o>TDr2{uxN5wKexj^E%DMD=PVSFVE7Q(N7pX zwe?v1@~TO$tw)>NOR3ibbY6iqEPJ?CpsI98eUTBq?(R@ts2XUMsIi#D3I;HRc}WtA zH+Bld;)v~*j&3uS$+bDwL9k9>oBj_RL1@*oF)sa^Cse@fB4mo4wiGf&u`>gEUys=LaME|m+oUeG zG0{X7V#lEwk$P5J()%$^YLK>)hZ8cLoxd3S2AI4@nJTZr?#JQf9W#f6?wnbF+s44t zdF%Dgik>VpXh^k03ZTS(_ddIuLvSsfl@8-%RX4|skKdq-C{7&6pb?x>wGRs0J!2-qe7k#ST0EVWBl!$CWf&}5Y{KDJ?U{Xoww5jmr#FH%CTY1IZHaIh z0V)x4TZ7{J&6e^E&3e>C|B(J#&V`zIj*Xw9#y(tEc77GU3IcI#{8 zslnOx6AsC>!Q$Pc^Ii-ZFB`kVyK1nynO3-Gk~azBat*<@iks_17n-K=kuHfXG;?bhBCStHgkQUL z50GeS(|cW0L!1Yo4xZg?4z4)r1qf8X@b=odnbayk9%ZV3PUBy7S@6r;_B~mRCA~uI zj_g{ahU8_4#K*`2Rn=YM79KCpOj`b1C28@uO48}JXaUXZy9|QQ=aa?z7)Fd+7scRl zv$gnvr*&N6r(3jUnbQ91#!Nlnm=HtL*v5 z*1Aw&HA6E|iP@V*0W4{!Br@#F{}0cl(}76A-YFFtEp{M2?}QHXZGPbS!XU!|_T8ar z_6C#Na~GsD`hh_Bv~W(VP9Ip!#=VJ_CuL||-?L!S`{eA2NsF#mbxl*K_>SS{O+xDl zymOgBv|1b8Ws88XMf2lNgw39jTXcli@lY^C=~lbK*B} z4<@NaIE#+M?IrxEx$oIjK#ai*2pP5!zOE5FwlurA zGum(KLqqBhXf9U0!D=H%hib>U<_Kc;NM89kP2RQBUFO^vfnMr0ubLRXcXtn4s(hj;lHdEco<>loEgQKHrwS;kp*2n}3 zqHS(dmb`3u_+i=;s&V{{80XK_YJq0X$DXYsD?GVrv~tOQcs9LaADphpUAIQgpqGbgqF<{hn3M# z=&EpYj(EaWkyzn0%6C7^?7Kz}8ns0hSzUA3PaT_B3I@`uEq%`gxol`8XixV7tfAA4 zbF;U<6(Hy)LOv z_Hw=P81ZS3?>X%`)3M)SMJQ1dDuv(C9$xR=hbSMrG`yH-Xg=yYk4I+L9$Y$Jyc=tn zFH~U1IfbkCha1UH3bIa%soeF-J(R0Sf?~5AuKhT;T=b^Dg~aQ*Q~Ks(P3UQQaXxz5 zXVii<8*O;+r=FNzuRT6GA{C;*&JSFu`-`bEQR<-THm}80*R(;{lpA)1Gd?K|DnH@% zcp^CW=u_tjw!nJK(Lxr@C&ha*JAqt9{Q&fu{(gM?(NNj=UzLCVHkO0Y`A7Pdm;Q8R z033*%qQCY{JTE=YbdXxuVgxt`G;5Ig;M%krY=Y)(Y6H6%)>MXPr}_>JHNN?UiPZ$T zaG-Xj7b>qIVMQQCO5*yKsJx2Qf<-}l=?}3#x(C3LI3bUh((P@htJGb+q}^yC@{q*B2=kc&6c<{6KRZGo7+Hv*kY6y ze(#Px?4rDHZDh?{38;_){Z8DMaXqVDU)=Re>utSrWIYpzJWZ;aL}*qYdH`V-NR9U| zJf}}CmiHT~l{$cyGpE6`6E33;YcZzfrInQk#@gka9MaPsA0O%$arlvQ!yI+6d+(h4bEPe~Yvb|v!LsK5rno}rh_Q(7F?2!k? z7TxfTs$tT#G~%nZXq4BG9c@+YDSvBv{{sQU{Th}xGm;z?q$MGVw^TcI?0fFB--~Uv0W!8|PqiYq7guV%pHdevNDJ8R zBFJUTEtH+Um4*H)*eFc!?17Q+5bh_&I;4@v*KwV*>L6N*f(t$q#7 z-v-X%h;Tz7?D(YOP6Go~m}w(2-&Mr`*)8WTd&z@uhG?2$X14$-NKkkpakY;t08khU ztccc00R_xXA8CAWekTAJfFl9`=lFd{9Z9%J6|A3tF-?Xk%)YfmEmiD2kt!AIoAvy? zC_pW67~8pcwhe87+%~BL=bEPWP!_hdS9cx)YpbwW*#c=5ZW_Pf3jIWu@YIEK(OmTY z<+Xmz!o=VCBtEkw-wsuQ$0~pBZD0qqEPii$O8s%%>en9R)+QZh1 z>uw(3_B8{_4GCJCoVhMcOGj|XHrjC(@bdZsw zV*8P%+hpMzj5U{D7b$3P`nk!Uy+Xbmvk}OBZh|6mm|vE(c{Hbw9G*CcgYNKHcV(ye z*il1))M*uZ`1SK#a1oKHv<$;0BLp!y0cqB(R`m8_m6^c={MWBp8{lp|wcMRp8eZ{&nfg`e0%8Iq^1|BU5MLCVSCE+Z>3|GwuPI7$!$6=4s39rl!HrH1w7U~PFzBc&T8fRcY`w^M}VG}QSdz4FhrQ*a!vdC1eG-J(e5tlL1`rx3tJsqT6 za?EH;>fzHKd(`pUR>5ti&9SN-(>iL4M{7#hWG-MYzQIaiQ0dEN0rfxay0QHaAxfO}FD|eLVEZO%vN%2*A)B4D*GLLbhJd6B2?Dr7K zv8utCjn%~yd&l8rWg%XBAgaY0Cp+veY)KQ4dBv4OVV!eo5yOj>6wGSv2C%4OnH;}i zT-&Be1h5|WjxtPi_^CMUo@BqwWG#qk$IV zw(D*v`8y_Grf&6u+BjJWlk7}+)2Q!(LMN@Rd-fp+wyV`gspV@ckk~daBXIG?!^Ou$ znblk{QIv>qt<8~P^3MoTXZF%z9l2;B%t#LQI5tNeq$VcY@6}Br2xZ61)0|TrnV7oi zma;dqEu><#{S3XjJ#tPOHH$O}q-xCqn?T2vVAV02z0rLN`GV=F1M$gw>K_j`I%N#N z>FbaGMOXZ9_mfZog_9>W@YdhiVyVnC0?C)W?rp}9wRs_mT286Gg`R8JCwhT5XD>Bc zYKHg+2Udv1y=CkEutg>j*G?m6^Pm{o7!zZ=Or_aQZk3vyvzojA5I?4{yKge9heUI( zbq|yv*GTE?l<4LkqT=7w+0Jq-Sbf#aRP$qMUJs*-LUZoY1$~xh@;UW3MTG@&`$bHi zNk@a&T{4xP&lW)%2`5l*+nU2ol6q)8Epcwpl273&8M&ZE^+iP!YS4>_sGj6b@>_Yu zuXgsse+>dxI74zDdYLs4d}$7&XcO=|1cPtqy#x*NLYj{NC15&fvf##YpyP`A5Ye6g!d@w)B zZM~aj3$I5FcnPf8#dsd|SJQmXNHEP&siPzAGMdFR{%8d=*>^OBn!L4S zv7e##1f1RTS_(PXQ{rG`?i$xR>(RaloJQ_r3krI94h|F1?DRZmv@(4$M|V3n5F4=3 zvvrHG;3wHB9?z*UYDbM(C6h;jlY&W8I32$qbZ~*FUF)7sq0h{JcG@Q4^G^+240uQ}lYcx-!wIM1@VuD-6edc?vu&mV43guer)&Qv_ zTjk9a0#$7@os>usOnQ6VRX#Sdu;QT-n0?Z0I~ij)7Ug;CRViGe8{d<$FL`(UKgzhnDE=YM1=9y0Nh)8jIl_?*Qe1(==D?G3@(O-rqv^*|W7u8d}! z;jqMU!0DRMgH_~)1SzTpNK;}v&h@;n8Dc*V(WeO)bR|ymi$HVt%uB+_*`Yctz#lZR zbHg(K8d0D(k?!p`%{l?CoiBJBN2{*p`+!5^on_iAck~hv=NCQ%EJT3pm)hP*HPU=d znue9gpGC8!Nf6YMiHzu+ThD5JnF_ZO<6#RQ&4#aN(2D^uS8a5B0O1e3jEy=tFg!FK zt=Q@Z3jegMBUU3{km=4_b$I#`4>vw-0r`7KG#e6Y7^4foLUK&&!^7cgW zuL7xXF1}pF1o|uwx_wmXigA zdO|%VowCjM5(ud)E8i1Gh7%^1C!h4hU-2|d5d-^H?(4(D>B$O|rHstuh{H^)X3evM z>|n(h!%v3aR*XF--Ls$M{*g<)iELG(3${26uIf~5!cyIhbm%8d?0w18I=n6&m-nYz z)5c7z87OX^!_{b2wfSfrK|kz%KpO(6dz7HW-0+%SDp1$#Upj_(>0@?GCh(W zE)o2)AMbs-nzgn=#DhELl(U;&b-($g71>F@^t04H_}6G$MV7F4Os(g!<$47Q;}#wz zxSg((=ES=}R~|7SKjyu2IBN*{6m2c`^Hj>~TUIU~dxGzadPs>BUsO8tK8USa7t>n& z;k)&tsSr`NIIgQku|C9=pU$mW$Kf$obsOME`%hg=Mmx-}?PYTtVczSNRaKOtO?HY# zHzsOxODap;Yb2hWk)pqkwjU~J;2qK^mil-_^X8O<=CDN^-4;sF6ZYH|f>$y(0PW9} z+{79G%9lSWEu6yQCr@68-rk}ZN?d;g)*vokt-uN`k(66H*2-Ip0>oBEAA(N}>4@_{ z1{9ulJ9tD2xINe|TyBfbnBDtip$fa3`%HrC>7nSJrrG;-Ybo8?rI!!i^cEDt54L>p zyDbDvlg#?Xn24Wxd-VDWMj3Zxt9>z8?6VgAkcfu;Je{CX*69Bxqn)33XRAf&uK`6-31MiFbJWz|U@ zAOF10>+-Bo#&taGgvzAyo(94)(mQ>uspDELrp|!vvXPvpHAqn#Az>hIGxcCwDfpMU z+79pgUR5oje|V;#=luoCqy}%ZFLI6h;#gNX*wg5;{W;&(OKG&A)*OzY>PoYIMsLw2 zM@s>=)TPE$sa8;6_;9&LG4$p$zNkpw&8PtMEpuE8mYAibmbI0~hW)wnF{=6G_(Iww zyW+@Yeaxq}ejDoZh>nLStp(%E?j)rIHdla-;^npxr({2M55Le$OhGL0G`QeqA5`vj zvB$k)Yv5IvI|KSH8=BQy2yd@Ym$sRVVfmEJJgGI013$WmsU%R0EI(*+#W$%(Q~Xf3 z_5>X?)*s+jrxnGHZJZv-PP@vTf;6}{8JFi}@wKN4tTuM+%ByvTKTxMECRG*IF>9#8 zyZ2^q+>;x?oDZ&>@YjERIZy983%`=_3Ql4uc;7kW^e5z1x{bb8?w_J438%i--j*_o zhb52CiNqYPQ>!vtBt#uO7ti};xrgNitzY!QA$^hk?zUdC|9ZLUII{OrNY4Vj4T`DFSO*_vKAD?IA zcZZ`1C;Ye--QMB0BDc6+j#VfpA6V>@3g){fC~YL(H2L}I+M@iiH9=TXd#^7p)7j1HiG}z4(>HzF zGYZuO7V1jtWUg`YtF|Z&7lVE=XV{Y;m5HJP@5*9W={AP5uD!%1GhM`>JKmkHH!WQ` zS()$3ZEmq8&dqf*Sn#t{7W|MXF9`wNUuPY^rRS0)7pIg^*I(y08K#^)c1iS3_%F0I z_2-vttGel9gVt1h;rS*n@dQ>NTnCo&JiGnf;(U$8B|;o`Pm9v4j@VDxe}JOnywXed z);u#*C`)kpQ|oZ^Z1`v!JKaVa{OH4B>UDDO{$lc_>b0`mnthz|kBx&v(zt22N`}n{ zw-NGJ79`Ebr|^c{BrSC3+8VD_#bt?2c%u#s!A>@HJEcZShbM_pJ+rX>2wsK!n(lNr ze9znWdc9mC9RKhLvhUhDMa4Xqb3v`q!kSty6+ z?uQPOyF4vF7n1}>rjpQG`rPnYlTfw$iSeM9IsC#*eQ{j}^1S__Y^$1B&`MPM<6o`! zc9UwJ&AJQ-6N2yGq#9fvMPB|XMGHO-#Hq}HRvV_E>kgz7(#m&~nG7rQ92x((jbrCq z+nt}Ya$uy^m#nmb?iQbj0pWV+?MZLShZQG5?#!be0+EGpfRkOIwL3$F?5&Y!!JXLB zew)_2g1p7;w5@vyheH;tb;M>6Gitl;5bONaee+}(M3ocn=@YTSHrCL5QBcByl-!wk z=yxi6Q^PCc4k}tVX5DRFz{6O38DEYPKpr?droB3!>b+pHtoDL-`^$W`cBZ5AqkE@+ ztVIWS(IzQB_D#?5a5@&dG+Aw$-@f+EIqlY~DzwGUd%{GWr{|UGNzlWm&D4{07AogY zKC@hoXRSN>qbEN$&MFo;BYafFj-Th~I_tL=NbktR!t;$+viw=p+HrENMQst&l(WRO zjNxDBGs!;QjI1d)-|Q2; z1+mb0C_;x>cq5x^r=CE-BWGfn`2~^!CEHP|WNcAL3=k?lW zJ??a0Hma4BPWX65T4Nxm-@S;CU){F9n3h(;Pn-RtB3?bxzZzA45N82x>oz|3_sh~& z*!$>R+{>S;h4&KNLV2?nP2 zWJTB6Rk5luYJsKZ4E5yG!uDN$=;}3Yizq5ZpnLG`dpA4PVY5T(LBJU@3c`ZtHiF9u#dq=RJYw)ZQa_>92I5#X6^Lf`b6}Vjewf*i- znV<{Tz`d>rNTqdW*N=_3w_hZjCAuMgGXLZA@qpR>r(d}RYA#M+ zhar}El_SgHpq}1UtNm0^D58-|*p?d9^(Z#xl}ni1ybn^WrU?-?Hbx8M5z1mO?~5ZGfNF4)7-?jot}=Xu&2Nv|QfISO@crV0 zCz~mPrVsr#ae36cULlP|C+>gfsXhh`drl&{-g)gWXQ#DSE}BoNd%5?ZGfd*{G>v|E z`bFizefVWs-j;e_`_dQsW+E3;m(#&HK0o$)wCY{*6Jj8}Yv?5zDtqXwjjP{Yh2A_l zrM(aTvKx91{mtVGsiQ+j42675XY+O7kxUkRvw^9Ix_%s+Z(e;5V^M34pQweko7l=4 zd|wC#`bI5uNu7%ocN`_%Oi;Crv?sp`Aaw!!g8hFboWR2Nt-l7v80El|&H6|) zAA{+bHzGqH&o49}W^VS|Oo(@+n$E}G=98(J5^F=ySqy%E`f_Fb@r+!K3U$?Lc`Pfb z!=mwM*j7F^DTp;IQR?a$Iskqj1)>b4NKrSya&dKP$J=2HJReLhCC$f>CvNOFz2xg) z;=Z6wz}KU>xG>mC2`*yRg9qE7p;6FW!?iHQZjdtdS$PaA^|Qtm%APn2Qav;)*7uq3Xs>|Nk@{1 zF z*sj=$O~qU$>D^1a->SS(L&Z8tGWf2KO`q8tl^vG;LyXJ@8>Zj9smgv}9r~+vV*{_a zu|t2IGWigBdgT5=8|k1+D|-X!oWED){LKj~%~pZkk(CTH|5BIx3=<98fIR?5g-5{N zOx}t6>M&N2FKKA1%pLM!@w-ZoXbhmf`r*j}`=b3hWVg2WUlF{f__8(Td$>#Ft8G#nsFMa5x{sHaM@Gp{c$`fN#UwyX}{)JzyzW&q+4h9J0<&Y1E8(J;+@1i8(mrJ%q z19?(e%Z%AC>lJq&%6EQvCTIfofD2*~FNH=Trf3ziL9t=dvR|;2hnZLgn(X`_n>|oq zyNwpPkk+ydE)R6dFStz7&-cLc(uOcC8-+)U`YG^W{WL{KwjxyWNlq-{vzWCHT1&No z!QSTPS8iTr5Mvr$W3Vmo1MzX}tSQHI2Hrq~G8(M)#^XL}IKXh6lotq9>J)SMs+XIO z8vfk1n#4jK%Gg~ihI*8&xE0j}I5Hhks4cuV!j$K^;kK&LmRIPpOzgoLDvGDa8*vqo?x=GcO%aguTLB+YKfUM_(-wkZ9 z)~Z~t+`v|zp{p{aW7z&WUx#s0LIx)v=_pj0Yf_`~z3ifBn( zlUCYYRGj~~@~a+pO)WU48NLWOxqID6y$45mfC_)Eyi`9HLji}?Z~@up&(K~5cC?aF$-PES2R7g; z&VTH}(`h9>`U)Ur*Y_yy?yzAo2hl^X0r%ZKs5q9*PiH|nGVAuc?VAoGs*mb48sR54 z@BJ!@3I%GHr!vg7rulxbdwNx`TF+EWE_;0P5uHkM5k#Jd*c;bLwJ3@DUY#ma$T*ne z8Wb+T$uO=IbYxmf(XK?V%{zKhe~osmJiV5udxp=iRqHxeQSaLSVe74axt*{r#Q& z!P!3?&iL$lU+*hkueIL(V&E(VK+d3j{>EjdVaD7~!ZEd!yUXd}V;EFm=5x59sCu@c zK4=v~o3?ex=JKJU>ZnNR2)pzNUVla6eKy0OU&JQZw)ve#n zSn#~|G-9EjMaX$Ynx&H0vK!VlmZrnbd$geZGmU<+0+c<78@uVK$~8wQ=9I+^%{xJS zaW$#0ogmxl*EA$_glzLG4yTiNCp=>7Ie6o6=f_DSFp13z$xUm%FgS%lPa8WmuMsj5 zdNaMK13ocV;Arnp_So(CsR7*epFOvq=A{?5PMa+DXtH)5l#`!K6X2Rj)!@iGXoyYd zxd#c!G~p?4DQ>;QY?<@p*wu#_02h@wg`@~NpYFQF3b%rqmJTe=R5Q_DUaUo(tjCdB z=Fj;nR6Gvc?cUT?VSJnrS;A^)vNXbndLWjSa2bBLimBf6X(m7a#c0F2ORIozuvx2b zElk62HI$>l{*eV^Z-Xpe3(`fAcSN`V@l@D)BsO0iIsnL(1zBZGd8^qWYJHJRd9E9S z0rlRkoV~&>7D{gi+!-B=ocf;_8$y%p4cfJoAsb(rRdCrx4M$w2tJNh0F#_WVBh0-(5fQMWZ2;7kJlDau*o8H ze?1~#FLBjsp~ntC`s$jsWMi+Q{c*zcc_;H>#-woU*}+yuxr%foi|IIfWvjb14T zvNt^QexT1MVDYGNllhD+?d^)+f4sT{AAm;XDDL3e24QdPr(1YE_A+*Qg|4??r-Ho% zFqGKP&#jCJ+V_Dmim1jpE9_8^pa<*?RNO@%G$X{p18z(Ioii zxX&=QKr`hPu*7J!Ku97`Q#|!J62(QbAshyUwYssmmmfBdE{*5f6A$l?T5QqbwKco# zYRnJ6o-T1~N-I>KVK|0IOr2h$#1O8f`r75(WyYqThB5qM*mr3&Nh>|j>2;sG>sfK8 zax3#_$mjOg-a9%Kg=x*^U{q~9kD=BmI>pr?#Quza=KRN27AJyA|HzApVE*{K(EmC; zvRIWNf&t0n^MVSvN=M5M0>4|qw-=~Aet<=9FZ|7H8tWyx4h?-SdS1qIa`ef@b=XoP zs%jOiA;%^eUEB0#4L4aCrL|sKKE>FyoXS)kB`xi)xUVRSs8?l@36S#eW_;T1k}R+- z(j4#E5`ShPoN>SdJJw{u8BqZlfp_hw_6vM)CsxWg@ z*(j~M9_8u>mgU<|nU_)9E{creAN+Z6yZ5bVcl4}6EwkEQ%Hp7PZ7&O!goj1g@Q*-r zCgV*JEyum715IjxP^Y#|u%BHYp6HR%y1jg7VVR2Yrg>#XxAuC4e8VHzd%@Z z2npLPr5Z3FEzMTux1{YvR{N{(_^Iuz9b=N(2 zt&Kh;t0Zm>#G3_RtW1Tl-W=p0E&&iTg@}}UgD6o`y0|VhP+EE9mz#AP$h(Dbq$-*% zMvWWfG!UCVe!WY694%mUSp&=4w9z2A7&@tu#XD@M(KPN`{cxTFHTxk(`y7M}m-Ki5 zp=~Dm{gNLWk(Bow#7vdL_pUD1iJCDjy#JG!)gWt8%Z{{I@&?Zv&fD9&j35zv9%D~A z;o)G%l=ddS~O+Dit`$YB(!dp?{ywdNa$|`K_l5-9J(AJ+; zKLSNAd+~_)P-YoIkmhi$#PrZ|&%ExWX!Yx8c!k7>7{UbR$X~3J{dFisf{!@qp1fPC z=s_Bqjv7!?Um5o?#nq7LHDmP8%q$QpMxjWwRD_)Hr`tZ$|Uhgt=5zqT_bG~j#f z{3xnMbOMbC6cEuW*${d`&gh(*=C#zA3hY_nt2owraxp^AbMKoW^|I9GLi}aSmcj>w zVTD~_1i|n;#!4`|<)AJ`XrsIt{HA58{J`ok?dysh%PF3Bk^h#`Ow7}eKJ&qW^~)Zu zx-}+jJoOVCe7)IbFwEY}g+J4Ccfj>nX{%9kbj}y`a90R%toJ#6u26M~DhgWb)Xqbi z@s1a|a|o7o3VJ(T2dg!Fuq_;$(?+u;V(onnXY(;52vsU} zAslt{5$(CdBf#|t)r@RYlqP0!8ya&(meMy0-Bre9WL+SoiAL@<{Qlnpm`>-D4*wO; zdB;Vy#cLh0#2*9}06_eD7#vFCexxcIi6dw8wqg!`#m=r`K&|GZFUaOG^xR*j^N{%i1*n+Sq$1G<&M7L+UC0jL9r11 z7t>mD{n*qrj4DgNe`g!`lXckmOjlb>Z8o&c8tQ3ZeLrIWb6&>8{9aDYTe?hI9-7q( zC1&eM2)H=rXtcec13x-#bvr&|n9A?@KI{sL$hpY4-MKec*=oQUC{O+RSoYD+0sJ#_ zLfp}B%(SuN&w49;qs9{-;;-);zpEugK48W&m4Rfcc%l~%zfTD?mA=eXiFBq<))0en zdN$PM5-5Q1?TVa|SUk>j$+MnW^lG5l8wRixbeKyi``{miG%{r{I>%i3igP{1YU0W~ zL>G2BJp`%aG|c{OB=+SDnwb@0PZQ70vF(}!HBFmFsW2Nqijr-6#_zUJsR9!*tP4eQ zlt@<|(fcf~^qEZb8xsviTDfZBv+l)3LhnFSh$w`7_G@R%gxvcd;e9^dvB?|&yKN5E z>AW(06d*Zp16bz+E-44r(?dHhUO5_7 zDl%R<7qni_VS}Sh)Vzpc&Uji-lohK{mFE=}4=oQa_!Esm8}uYRm-V>yE-b_v8wQ-PTJ_Yf#o7z`~xEZ;8Tbm z^+a(UAz48Zzl{V#@kh9Kt=cDbaxeu&XuW+2x?YPvmjy=AhMlu_`MYG+B&`>OMWvf` zDc@Z+5*TUE@{!hB2pYJ94Z*)=o(UIOuz5TZlYb|6&bBapA)xLi#{^1rmtmj1GD>py z6*ODGW#6+6|Fp^TAhwLhQTjC?|M_UXvTc=X<4_U-}R8 zYFE8*4(B=F7ly?UEZ zl~XU7HFb?c3Xsx%CW@op@Fr^inIgob!hwG@G@2VJ&U;W*Lnsp|+N`mj8Gxlf6obzS z=6>7%02!)i$Z5shMTJ{8Y7R*=Z%E<4S_@2hU8_3b#`r0ftmy8;=YK;F$`-Du0y`V+ zGSyZRA>zuB>D%G%O`EO~*#0hkh9P&7IhH`IQ4?w(c@~`zy01Z~aLHfvx;YYd5-e-x zD2ZNh%Nq>k*u+<2oeKlddk|wv36j3#NDZ(6i|V!c`=C2luJ4qqp0~a)Rki+&+Z^#Q z!g$R))L%HgmTwJj>|Zx9Hg|uLDk$*no>b<(*}Gx`uHm_sw}ILR+hWikzCenIqHPWR zv1D^=urJe}T^(BC-e>)&z7J~|AXhOs|+6VNhDak6XFx(qGv)XG1}v>z4F|F9*nazlxxU&P?Z(jL%3FsU#VgJLCA5XY(!clQ+f*@uO zv%}4NF`+NldFU#a6p?^XYtP{O!gwlI8JCNF9sF-s%zw!L_lqO~)P5tzr+_PB?hMup z!K3>TLE<)8=1x#;NypxPH=|Y;d-BGxZbC`Qn^WH7+EUu%GhNiUsQZQJP+e`RHah{L zB9}Jj7Md{l4lcUZh(+ybiT;xiQ~$zmrQL}Ds~_Un3u~ze5~rqvE36x4OGGg5QW7t- zqzzEszKBLd3ed1xl8EDuVxG$TgW_v&U`;V;%kXHWkaX#qRPe;!{26MzZ^o)=xP0g2 zYK*@;YR4L}p9^#E5Tlo3U;j;^n*v^cgvIX&`oz(yhe3#4O9X`mt*U8rci1kmL-dtQ zxpPwa%XD=p$c>o4Sl!Pm=3o?nnoo0^e|XQ8v|E_A>HchGv^$X6E%A9O}^Eqs8F!*&hz|z@}RPX59X#ofHM=|t&L$(BkEXtY@JZd(Y*1fc~2;mm*aEy zmay;8TePSB6!+`((rN}k828c|6RT2b4(S}NFv+kG3L$%g9t~?%U0B2JttAuuKS;Le zOLG_y64tG7_Q5*>VKpq)?B4yqSpa|Y^OC8XkZo`V7#$r40wgWdpYF-+L#6C5%61RZ zC-QagaIUs;!=d?ex0ZVS>nmnh)zX?jKHkkD{|r zt_o=J=V}@!zpQJDrV0&u6uE8jN-}qpp({H~!?Aa2CtQe)MY|tWvYI%J z11Rj<0-$goikOmjJ*p>Gvr37cme;&|`Kc*C)$ZiZyT+5BFw@2B%Jtp9*_E^^%>G9K z5*pBkkQ_j!KnWQ8T&mH~UR=9illg3en7xl4n|^G|ETL#eS=;^sS@jbyH*j?~tj5@u2XxZnzhQ4S8ZAL|}&@^|f17|b0kVKu8+FWxayl|S0F;Vdz# zRbn*HNAI`j!Q{rLznv)s_gDGtvvABI`JO|a&dmD{W;2+l>p#|O^t@5@ zUE`2iQTVXmr#5NKWOdW!`3G0i5FWiy+s)&Od}P*a?eZ$k7RY6(v5*T*%*1AGCMhmuJw0*wC$6EYH>DDxB zY3n{9qfUQH=9U}~;$FK3$oo6kT$8Y)#IQZv|74)>(2A`p;P^$(JpsI99MZy+5AP&1 z3Il2>zO&G*ZyvsEW_<=EyLQ7W(ia?8g~oSA5S(jF)kd*{^yno4b!zISbo>u}5saHA z<`-ullW`rn<+2yO4=tU*_XdA7xbIG@1k50cIbO>s%+*C&1+-!6Tu!b-_SPQ}%AW5p zjdhdO@b20Rjubu={+n^gm?JZVngH&KX`+7Tyb_ncyC}W7-5>znZrtB#sS(Kv{LHIi zF^L>NfXNucOfFddwDwrpSJot7gWtPZbw`b~`5Q;IV zZ2YuJNo2^-bn5OA5RMV&TZfBfyfI}mJrgvYjx?Pwt*COn_+fUY*q;-|ar`}Vo-~D$KOF`d^y=#98xn-Ha^-Ff@2e-2O(mDlqum8;AeI#uIKRbdi zCkyP)f3cgYh5w;?^@E~w|Ke(;GJDirCxkfJ{QSfC%(`YI7_0ZhDd59|mT0v$OSLvr z)pebduO<}pogDk3KS>kVwRqjB$lM;2Z}zU9;O64ABKhX3qDWUuFn83WQHHrdc%UWW zy7tqOM*ml+xi2mqZMFZ6%dzT~ygAOZY~w;YQFRbjaFaEXISDJtM37UicXM+{w8yqi zMU?U-{BqoTSkJ=*xdZ7Y;dtYg%YqWmUD-@Zx=ZpLzzhnI_;K{L-BuyMuPK`rVQ6eoHZN&69kll}1r$D4}e#gAl~ zJbwWEm)9hZ;yz2b%qvFOePy^(wc18VEZ)&yFW)j@lf+v>h?oHjsHvx_eecrs79+jO zyz>W4SqtYN>p$W7XP^%zvsmWN-yZjTf@Lsf!*IOC#|?9ZmV0imD`%TUC8LZ7LB|=C z=o!tK&W*o_)s@ivQwpP=eAje#E@XWX9gekp^4xt^Q^=y1m*dWFPr$=6N#A3KlN#AY z@1^M$MlzWwi=2Zy-nhK`n#g0N)Jxr4x zm}>UiD_2k9cSfZYPDLNDIeB^D&^@%~uhND08p%qI?%esuckew_?tzBSX;$<6PBSWd zS11+z9g|jiCO2vcl9oT5(vs|1RNonmwK1%B5+G*wmKXAf@zE_;hw|uL1E<_{sYGpF zyP2Cf^zq0VVDB|*eD~Y03>nI7r%%cZ4I-mf#|JqbX+9N!!3rHa4`*|u{_b1PZ+mQd z!_A>8=Oi87Ker6`Y(6Po50_c$o1LnWy_!P@^SjD74zDF|nR}}iEKoITo$bM24<2Od zBdz(8XY@4HI3_w8`z|PUr>aA0>>e}+6r@TRJp5d=zB73ggw77BFg> zw0a@Wy2{VuYddQ*HbtIg^*3`SD@AYZz?RcfhRXWWjoDLNG7dBqSNG) zRQspiy%8C##FgcnCtZ5nt8JLMhfV_@LYULeuhAzZ6{PT!tdSWrE){08u_@ABgbE9o z7p;-H*=sI$b*4{Vdl_8vrYwbw@vmH;6Y^JkYfc)15U(Ru5L|5izBp}dc2*VDn#Ct@ zG;oQD8bHbT0=rnQg=%=^Nc$6M+1a%k6ao9>fd^Y8@Srb&Zxo?2;cifzSBd7blvKk@ z%8X-D;nQ^ZE0JlgL7bfsh#AxzS2E-5h(B3cwzl=s_hf(&NXqOhG2LL2ZcLp1c3h`q zR~bc?Lz1~Ob$YJ&8C>Se^xCgC_cYD6oa)xn8H3gPM=l1?+uk@4xRF9n{o*9TXZXVJ za=oa0Y4xkMUdbj``A9oj?k$H{6y4VOLospvl;@E$hV&wivHxN^RijIOgAm!7zCc{J z6pcus&T&_5XaIdpc9}oa-)u5|hSwW~z71 z1npv*jQ2ERAKO$TaTvAp%xCU*2)Vs5F8=7Z5|er9U1o>b+zON!Q|}DBN&zubo3!ip zHo>23orksN;0*DC(%&G5e&KC~PY0~0a zu8kbKD%ugvQw6Ffivo$=1bu>D8vM^F&7NEw-UsJiP3}&efcLMv!Yq@igakX*eXHFB zoO3AT&LDoqVwEhgkm+J@fdv8U3Li$y<4KIwX_mp&C9%jgL2qPwd7M&Mh6~u3)#ziQ z>b^wNB-eAhbqBqA$Duk4>eIlW;D~5cQ_bp!2NW@mfZl{U2QHIPI9e``O2~fExNb{K zN*!t={mdZ~w<*J`EmJ)yL&hk#NrR!SX2WC|fLe?l>G}1M$(zqlmG`&`)1FKfzww~z z260gB04uS)wqi6lf13>2ir6*e+vDAHXumoSHGQJ_A1wh2TOp&@P4s;}wFB~&@jG{g z=~gYA=BZMZh4Gx;?U*?I#mY;Pyp|<)K#eBz9`HZ+fiyIXI5hLspRAI0JjIz-TW?*I zH~YpF46g%*Y1Apz7YoZTk6@se1rLNQg<@tdO4(1ct?3|oR?afjjs!pwr7ieB_$gvP z-QSav5XIIX{?>8-lc{Gq+jG2btkYGhh8akD9n@6mpRaA1C{wP-R%CSgygoiVQ=tnA ztI5dR(-V3)D%Y-7-po%_+H!NhJr=e~zQG-~Ldo`Lx;!_iS`pRz zQ^9xJdwmADiT7Hs07+fg_OmT0BNJ~l5U-1+xiXCz22+4Xl9sn^zJu}|4@ug5s)NN0 zbjHThK7c^W0^x&&KS}9r`!)2@Ly|&vlRxtMChHLqLQYFTdP>!Ezum>w2?*ctnm@6m zL=6zX!dh$tKzDIX{aR+i#r+A$$#|IB06Fw-JZp(w&u-%CdGaVA0Q3@}|7IX z!M-YuN{T#nWQe9Ig|Zk!iu-lyH#eXgz%k_tv*2c*yQj`}>WAoc(+%`fl4$=I2U^|T za;%g(_i(_U>$>8zx$|9BSSa&OrpU2|m$s7{wFmxzs00U- zs}PpJ*bFc+%=}KY74Q7zCA;hXn95+to~)-pjou5>@>aD-@k<@Uz_ZHlC;e-cwB5x9 zvRZSswno1YdpQj>Ztr(`$!fMd$n%>57(f+0O2Z=aZUP1yS;mf2Hb3Ym<4Gi9PDB<(S3!eTPqRdm)St(F2_Xqu*us3SX<#BwuTmHh`;Dq-5ch zMl9=NHm*m*Uf3kFYA4q@YL0cycEOd6Fr6gx)edJyAz~^5drw}V(0v-D6bL8+4xzqd zYk~6n)kYn^CPvSUANoc_@gDSc5qV5lxemI5XA7BL1RH^+6iQhni>e<-MNxW|4xb+= ziW*HgHEBe~ivAG&aUa5b?lpPPVIGJO*N1)7CM4|S;XPu)ThF%1U(<3{&rmi!?_Szg zM(_xI%)xlL0>fklGSP}xzd)mf3m}F8BTOAc@c)RN z6~H;jd}a+F4lN{DPIpzi3;lqX^`_{cq13V9Zp!zrPY-3bd{O)K=9?oIJA)2&OYb;J zUg^C%`IQG)Y)&G7_X&fjXEy}|*9q!=>JzoZJax6HJ3}fYXGrj58gB~Oy^$=hy2NlO z62#2A5Ae(7=I%5B!36xjq};bbW&xKyAs8&tO_qY9t0|RjP`|Smu0gP>q@J<)#)lmS zQEAT%#3=pwoC@{(zC{Jv1Tq5bgz{L|on3(K0jZHPeN`d@f*&anKyd1nuxp)jGZjbV z4BI}pk$#4iYU5J$7*X`XYX0beiZ9}O9U?%A-fv#VQ2Q1_P&NIPmHSSmzE*jTk(k!h zKzkafgzs*L@G?jimz8Z0_Za}KU9nGj^m1}Bo(=+W{HEpVWSWCloE8M}R{t@MVh3De zNuodNSdN-h`WH!gvOwxL^J!gMe}R^BPe@*;m&yeP>l&=l+qC?+0fJNKc;0=C9^bS| z#S&W27oKW6k@_-5{8_1wh;BYi+5KF73pZ^%Ke{~YB+^E#vwF*eeJgS=X+86bA7%|C zm-fHAiKzab_+2oP^pxjK+cJouD`Y9@{xcQ!0vj5EIJG`zHk;`Y3~pdjSa}ET^vfTe zdDHN@$WoJ!8@pRl;enZ)U$5-TbY=&HX-4|z&X5w7tAm6AOrp0xK+M!VWqP!V?Zq8@ zzGz49l&Ocx0juF>%1zZj)4wxLIUk=+Sv4H9X?@Yb|NE zl@spbvczwC-GYyLX}5h+Gtm2D0J{+aB>@S*eRQJHQvhq1YhENR`B~6JD*r2~s4o(2@{jTV`^6@KpMqDBk8Rfy19?Y(h$EAt zPNfY0P~;6!qmgn}t*Nf0K&;=bxTO`^G+-nJ7TYb*W?LX)dAP55CU{k+Z7a@WX&X{n z0apnb7_&Z)&{j1+O$Nv1l8+(Ix`YwYU6D+g2wK@&qgeeaw%C=?Xc5fI= z)gReKDF-mWU%w_I7)7^9E45kFssVu9p9sENt!-`|GQ~AEaICn=BfV?c!E^I3fO$gs zi&ZB;!TUQ&TlIyA6x!eP$sv|iV*CTXlEa$3&4v3qW#s4?|yn&en zThJv5%6`7y!wF6kzl8|A2{J+0{4U1H75Vk{vBY39+{P_O0bLu6qG8 zmCu6r?T&MYK9ZjMmk&+kH{ML-FlqB|3`krEeA&O?2^f6G#HT)*RbGeVnl!v`IU^p5 z-LJYUPv~-Jxtl3Wx5A>{?RY8dIRy6{y#;}WjtUEdz8|`Ld~wU((| ztbJ1>d+dQ-vKj4|)67eI?aQIdQDGnlgAMp~>}|r)-YC$1K4;%pRU9J`M)ppZbI@Za zTzFTU1!OXRl4p%u31Lb6(Bb}gH~RE$~07{h&`WbV-`76(Y_#u#3Lki;DaT~J|vC= zF1Nx=$&sY|?W^2Im8%j1=Y%l;G@eEX>ED!U7XY^UM-W+JR2!yX_HB>5v4r=LPW_oU zy)ZJ>t-@l97-Hi~>L+dC`Lk-sol)i$^as28`=$+Rsw@6*m*?%a_EY6g5&l#Jyc~09 z=thAGe@7q2zl4IYWymIE(-DJ;&7m#Q9CqRj)Z3;}OO;NhA7hAxZ} z{Kc-K)ip@Tu>I_(Mw5Nhgoooqub#QEBn{gYP+`;C8p56cKh-fO8ym-c%r2X`*XKW7 z1GWe|aLYjyfIdCy5`YP^1E`Vdb5ZLyGCd( zv-f+)ao+wj9unXQFigAB5}6*@lYT|qQN1>N)|NsBsSmjFEka~f>J!f1{;T^0(>`^% zWdYPpgjs|Dy5_ISNleDXpBZre{ixGsCel!~@d~!-oa%Q*Kq1EtQoFISl@(J3wOLrj zc0(xxu{$>Ovc4?@E638YY!1R;BhirKA5w&1zTOCT3!=HxCZd9-0A;-8jV-^g70Ss0 zhMKbR{|#~f-hXGryBe-l+&OqFdMvyMTE@F2u@=@?L&=|Ye{vSlE7vYtbn^#)8R%kJ)g%r>#6f@I+WlH?(8 zN}rDjaVDFTOPhc;^rpOApyl^Feus(aV<=x3pUQcd^+K`d_&~~cfm+ilLeoGnuX^eY z#HIU(?%`wYe6>DF`8WJQY)OCC)n*=In?sJ1c@C@`-v3dg^CKL&r>Kqn7``A4*1+XnVuQ*4K5`NFlph_2p!_72G`Sh}qJ(^ttKsaP7-0 zN*Ug#ZH;kY(;RhtbayX3Ms-Ho>R%DldMIgQ{XU+Nk4MIHjFxGyb2!ynQigeBC!S>~ zV#o+>w;4p&pDPYJ0vei6HIiO1Nt*B(?nxw(cpOZdW_UlT>mJ={8ro&@3WtpW69?L2 z=WNn;4h5gHnsHo``I5PXxyEhUpM#3F@M&%5JD^8#=1Tqxb@lDqwf0SXvIOyL4|G?Mh*{`=VF zh^3>e+!Q671uK68WC{a3>v07qrO@uZ2tYOiQr;4Y>6%1s7AN~lCZ8Nk>WEL)vh9DJ^!5BvxW31BFdF?C%+SH;=C1yN)m7OW8oUY)*@yVFtJ9aST*n zs1B+n``Sb~l7TOdLp!F6LQaD@NlYyH9q}BfWvm55I1a2#=Fq2<$3wjR5N_jtrSy6f zXvkcLur%_1*hx&)JZpT`JLV592b^r-DQ)urab>*o(6d87q$+X=%rt*fMg!nu&i~+} z=H;zBPMP*Z?{(ziX<=gLhl$Ur)*^zO5=K$qiF!Bd$qx!CSkY22m_H@hA2RfsSGWKkpot z41m1To?6yhpg?kAc@?dGXy#*$xa-r(9MCc*Anzga!nLP$DX`xevwteE{_81u+@7RK z%=jY87Z|N|Aay9&(g$=leugkIntO^GarEwn!w0s-1I~se0>U`rM&s+*%6l#n|4DDU z_(vzFGJj?);}4rtG-Qwd_kHxmtvgTg?{v%uG}9FOv^w&_i70QA#eC@_V7; z-2Y5snPAghEHXJ~@$9jp`FUC9n?>2C<@sPO@93R^y8r_l3FgIi$mym8?oVjRt=Ue+ z4B(nRJ;O~y&tICaC>+IznP17y5}JP}vpg@WKv`r;p2Q5qE5G?&lq+F@bq;SjcE}tj zj|>uPd$WdDnKcFtIt{V_?`Oe7h9aHfMAxLUHE)JweJhfiQ?zNuFhgekPL@X{R4<5%4rFxcI{!QaE^5 zp8!&uhUu3?=~Ah^{Q}3Y0V>1Ko+Ga%RI6tzyB8a`%$BQ2*zgf4qB4d_jFN{9YA@Iy z2THt@E#W~apnqX7txjjv7P72N6?m$60!Py}m*QNhs?N*Ij z6q<2Vxw*?Mt&@^IF?oPb^AvVlULf}+D8ni+Kb?$9|1gc3IDI5ZP(RqtQ}ihd;Fg$| z`z_2ox-89wUx&Xb^HrELnI1W)+Q0a@0kiC5^4XIA7MeI_@o~9RFTc(M9;N0-g$$#S z;iK4&wf@WRTXukG&ou5_5Ikc^wjK~C-5`ead4yVhqNirQ`{m-Zn*%o z>ZnU^0#kN&9?n>JrFSq$d6p8q&DV(uyAo(!inh(kGj+0FL_?&TS&4$#j5(JTIq5IR zuZQ5Lmd90FmN!@D3H<4EFs;;)kbeSLI9J5^v_?mnvDq@jw-=_JOaejzlxzmdJx79m zcqQ&mQp1I>Gs{Wu%`w=p47Z_$i7q`>{1Kj-gMakXRl4igfrJ~V z>>pxt#w@U%x{agKh8(uPi-ee=fA7p6p04)voxmI`Qr=E$4ntM?pKsCvWrQ@?|``t^T- zFwX%RwP~G9UN@eWueX*plU?f#D0o8I}(_ zMu}N`183U6$=di&P;?nxc?iI;xGE=uua-rHeV zna~r{9M9 zn9Q%cZKo;#XdG+JtMp#HPx>3izn2Td&@*a{m;#4`r-lRPwI{!ud4IMxE*W9I5V$O? z7_b#FtG5VNF-HWW1Ox9MjC1h3P*9+Z#1Pv@zJtI+X6q%12Sf0T{yHGYhbV}yE@jJe zuYr=kKdzu}zuL*8TAQ+rh2^%#+}|#u#}>F6i%g2YKLFp^94J=mq%dO{k~OQf<@P5+ znlM>Y7bFm7>=-eKGMFL0`1{^Y~ps4w~PF&nfCb6JE@0Ps0gngY&HB& zGb4Pq>hEs+3N)d(!_>Vwe@X%}dEf~VTBsGQ^xb%Hun=1bROHGRTyWm$@&0qQ$D@HA zuRim){Qhp-a}*SO?$I|s)jKU86$5+8#aaC=&dqdpmx6hZDvEWA#Sy2nj>igi$T5YwHUWBS5}5Tk z6UJSUPpmhE9iq3F;5H)D`@(*Aj8FxmY4lF1!ZwMFKn=#l6#fQCdp59~9n6n{6N$Jt zCAEnbfo?UF`Y3axBG$Wg#oNpm^P2FL2F&GCQHR&<%7rN^(oB~V+1p4O!sXUNkaU%k zNlr&|7Z3Al?@tNpEsH+(^9yFJWFfBdoq4CW*GGK}|I`20nPq&(HF? z7i2%x@#SjcEJXyh5muJYB7>5>0j5Hz_9#*$gfOSjqD2O0AN{MG_B9&BMQId^wg39= zf3YG-xODi7UX54{6{qb9aqiVHDY?#tL(ux~N5F2@PR!an9_11Ej~^%A=TMdv46x~> zKI!|bB$IIr<}UVCrB^wH&xjwm6OUL+4>gECF!D4ulYQ5;PG7(7Hi^6~y3h8DfShwH zQFb$*jzAO$<4+apcwhc&fo2$0Ezmzw^a&}MYeLBQ7_HaS2*gX*lgPWyW{13jMjH0Y z!CJ63bJsv?9+sTa8c|6!lVc|1L|K)2l1j$neJ{!e&yqPLcn@~}pZGc zs+F;}3%F8MA9Ev=x=xlY`?8SWC}-hcxU<3Q^kgX2soaA_Mqo2KAqiRtYGeja#$cO; zr#BJvrvx49Uf0U>$oOw=)BfvhuZ6;04<6-S-88DqO>0}eN)VF7L{hrOUm zmb8e3Wz{zlQ*?{%?Ra}gNo@Xldb#O8Ro`7p7xGV7)%GGE%dj)K2PBhGe)l(;f8Kog z|K-+l_(P}ArE&we+FQ{pVv8Ld^bKS>l&LGxrRBUTb!0sLScu@qFwK-6ECWk&;Lhfr zsKn=SWdKftU+1vAOobPcXOl{tB{7}RVf?)dSm>+oBKD1>JT(MdKTr2n7|S_$N^U!y z7v=U{&J^2QAl&~1`I~=Ci#>MLiT{jy;{`!bDQ~oD!8oIqf2z+Z zvLwg6J|ycuw~|dPyP?&TaCLx=Kv(JCC!t(ApgMG=D8Zq3674Z`QU%7!;c*ml?*z*D zCAGC=Bt(6z9lqX;8Bc3@Y@AsYjvXQ7QIP+Lx@F{H6ESF6XKH{pG}N5G~Gb%^%mY?C#dpedmV?|*u zAzO1DK(PvO^lPy4Od1M#OLPCp1Tma+;OFg_jdCTJ`s#az#1Ynq(=+CQYwVihi;|u# zZxm9XQa;zmpx6N)%SR(jBV*>&Sp!|WK-@>??a~e!$)W5Qq6iY^(MBG1!4={MkD?vAJ#Bs8f;YFI!C+T<%AI>gMOV+FEDv@+( z2rwF|irv=3#h$q3%UG-5OpSW9QK9heWP*VE!1GV*KUVa#6)XmReCFaaHeHoxADCOI zG~hDYC4-PU!K*f0r>17Qk-A6Wp7Rcd#4nz@5yao_ASfNa1+{tts97M+frZ9^D~`wm zf}{5@kD)_KmW>3j;(mhgA|FciTCEGySM`Xdtn)p~Pf5}K|77tAGx4;93u=!wR$W{j zk|f-k2=ty(C=EjlC)bjb>XmNVS;KSjlF&PTxuhePDlBTLm8q3HFvAzXr9D28&-?N7 zIj?U41VrSq5^f&_UR92Yh* znMP6R74QhV)>}LIS{%%4S$bV9P8uUgr4DK=iup0CaT41FsZOEhf%W6|$4h<(WdhQd zls5;Fc!`5VS$*DfoP$mRSmj1yP*v*l9W9%bQ{Vc<>jVFFS^xDImHv0bvBVEpf#QbM zK+6cy@pdzSzVSdEcHjVab8%otpE9tkRj?bYb>j{)i^th<1B?ZKOGY66`$-HjL`OpPRw$BpX`~ot_>^bl^u-hqvMJ* z-ZxiW$7x$7wMC<6%!f+0tNU;Hczf7QMU#$(S=rdMXMOtrjN~z}SpEf){tUE}USi5W z^630`uKnNp6%|Nh=J>qB{0lxoE)^o_Ecx@UAvN#ilnzSWT`D>bMJbPfyfGqOF&}4@ z{=e4J=21Hn)++t8)}o>!8^3|gZBN3|b|#BUjBUNS)`zuEL+;;fla4voU4hqdC!tpw zg_swC?r@h>@Mn6&Oo+c_=cj-H_awLN>i4q>Z&Q!?o?ZXBM>k<5$+=<_y`Lvf@iOo! zes_p;NB>o;IG~uo5b&giWs^?|_U893Z?9xibQ2)CIWm5|FC#zR=+|h=OPH`3 zPRQrU@NzsoKS*#8h*5mb^P-^pVJj6of@;)XMfp2F(|q&3VDfIiI{yPuQ~(+wr_HXJ zk&`)G=ol*Q4TOlAt?Nr3i=A!XGyix`_LjI)7QX76vUd-N^@M!f`X3X+JklkbhI9l6 zhHvm{&zdXSwF*ijv~M4@-&~KYaB#2$u9Eny$6y*k-e-}nfHdJ$T?n7KzOcxJeN6(7 z=Im9b2N+U82e>8o#`s!K4{<{NXWoS%N{wL#4j7p!7Sl>GZJV-out78Yu}>&w;D^|H zGn#pu{Uzv6jibjGYi1u^8rjy_P}*CdsG+R7a8Y$BtyVuZAw#{BB(iP5&f(Pq2}2Bi z>|L-yYg`deVJR=`@@d~VjGQZb@-Tl>R3hop=ckrGC?7afq7J^#!rx|Z}{9G zNMMJ+ad+IwvLeME>(uT=HwXQV@1E-*Fj2|FXgON_*76?$=i9R}A;;End&5~@2rP$Y zT}Eiv9k*Rt!ZZj_^SSv(Vhex57$Y}P-mzY|s zd*gObY=A^qLL$~wPOWcf;n_s@qQ~s%h4)K$nQ|`B<$<_<3u$}O!wkR@)wB;0&8h}x)A8Y&%i#C z{&27FZJZu|FkAFID)bxmw0D3QCNQ%sR)sko31ZlOFFm=RRxrMr6Slr^`Vq|`g|Hpn z^Zlt|h9IpXM|jLER$+T+7YRa@?{rvT&R(XJ31}So(VhqsvJWQYfeDt6Q;Tm=DSYd*}IOp3eoLa+KU%luJI_ug?2b zCVup}EH1OzFM|Cux@69_sSX>dL0hRrs7RKv11cn7q55@QwUrxgx!b<2h`ijwA*~MP zk#~%|DI|VaXnE=6nB+OG1ru*9GoLlwX@B2<)Z~dx%b;^IJx3Kix@7`-a>silwmcPfn`rUoC zm%#)Xgwhd~d}M1Wm3hkMOzZK;NxKK>X5CKUTq1EH z>3pagwUTMP_Njx=9FG&NS-$9Id&Lzw`AXz2o8wsAfz>r%S6X;+rYV~{( zCAP~qZsajPc4Xk$=SmHe=*PQPJ8Ij?f+7#5W8rgjbMGRM73Y#|@4$MKxt`x!>_%(0 zCN;T{@mb#TI_;#q;)8B6vEg~R71G_Mx1k$isor)5#QB$q41;QRwAuju)YgLxp9P9f z;^mT$(!w(aD74p?GasLy09!L~m)1=UtnhLN%L`1T~ za$k&-k0->qZbft6{hoFAS8*|Wd7+Vi;gRRTc+FD?GKVuk#WaC+td==xokw@ZE7Aca06wLQO+#pibZ zgfemai{8I8ozb;nP=H;^$IhuT^%c&e;eBeOOA1?u? zLxCP|pr9i;w7)FqZIK*|=P<-?XoM_&KH~$cetpe7%hdX^j(Q4qLibRoqeYPXPyOQA z9KM~N%0TMIDo6|lsZ6puVJn4zWN&AIvcH-}UH&6{J-*S%%sU;MH`)c-PzcyOEjcOY zUNpqN^axk{&N6a@gh<63`E6z!;Ix;n<@7nU@Rg+dyP6M|eluc%P`wNQ4;P&|P;&j< z!rb4aH6yGXp2gKHJtfWb*Hrq>`rLrG<=58!%;vtK#Cr93xv;HiCfm*{J!Fq1w6jyXT3^t2rw@I=1{G>)f5? zsm~6YAL+k8Jri&^%rSSrw^d^J{FkSue%|%54KrW<04xO0%;aE#^nQpxhtQeJyqks} zwEFX=$BwJHbvWT?^98}(lZ3F-?Yk0C0de=twv9&p^m<;N_0J5+J)La^sy|0o|8(Rt zOaEQ-18nl>??;0w4>w+Dkbrw*&m32LOVp^;8E|-jzr}AXoT<2!t}RX*)$lfY$&+eECEaj8Io4pWvT>yH*Cjj9 zh88sd(M6CGk+uLm$jfeDTrq*Eu=b3}zjhiP?90ZM*S=l@tY@bExtDGhL*@n`F^sW* zH-NNm>vtJ3E<-DV#U>&SV_nj~5hksI(0W{O8 z?MlzhoF_Dr!Z| ze>3?3RNj9Y)%9W=GJkq!KX$V)*FcV!mv7`b?QBJsyZ(E6Juo0f*U8ZNAmE7=)_&<# zn&?TPa%;(>p}E=PuI}#9UzTk*ivNsnYWzV{2Y=)8Rvq-4mDIa)3&MqoJmaz>q`5yI z8W{nT$3p7Q6DVoiilNY#pDb&*Y}lUWvEJ|*EU$Io3xMOlETA4z!XBJ3U+I(`+D<(d zY$y?zX##AV`zFWowf`A+*gJUOr_W}J&mxCfV`&9qWp@6TrJ>#6OB9 z9dB%eNFo|a-W|{yAAffe8N#6ktuz=3MK|nJHnh%AnTY9Dq>6iyeNyzZ_Sv8i@8>yk zXLvzAPptQ%S30CcWhBGY-}-2U_FKR0O{d>@J)9GDz%n(yh3cWz(U7yKEOYpXvtB&b z{nyHMGPm>G-iQvktj_DpV{w1B{o=N= zI5u%}?%*$yQXtJAs56x5M=mCJ_}Q61RRw?fc`R-VM63s@phh*3tC@gdOwQrmdw=*j zW3*z}z(FH3Dx%-@L)=9zMKKRc%!*Y6Pz8tjQRwr|i@le+g&ka8e6$=H@4r|BIc zibXCgYsKRvm^VK!Lvg>h<^<+}K$InOHQ40H#ccp>zh6TGDg$E>lMT?!X06NuAjHjVac;>yEKNJA{U3X3Sn7=}} zOpX8Bpp{I#6Qp%pd+q!>C?%AdVr2r@09wKOGJIgpt%P0lCjvoh>(@I|Sez*U^#ZsxD>>h`?e22gq5zqON{UN`MBZ{xOd zr=V7DtI)UU;FQ5*S4_p{H1(%%hfaw_0)Ok^4n+Zwoe717d6bucJLct3Hg5I)NNCDJ zreCJS=+`%2W434)jJB3ai#MP4E^?C z+LLAqA5-q_1!aN53@#nL7yqCxM6y;ibyx`GCSQ0!Z#-_b&q3a1{pdGCxJ?$#l?GZHit-si8}2Z1twb7F-f%PostV??V1rVJA!#TVxD8?0@##EtgVtF{`-~=Pdeu zS6UlM)@s!2;x3BuyOIoYGUo%>qPUYL>a9@W`5nwV*_s@`OM?h2evZw^dwT68c)dpc*+evM`H(@pu4Q~VHHP{ZS< z6PRJapTP;T)1jR!qYYGv--(bLLm_L*$NRN+)%LyFeVh#O0I~vK2+m)@s=s^}@uM`W zD@pckF>(H2hkpMgiiV0TcFS?C?mLldHm(H^WFxTD#P@C6{!$Rzpf+b?j!A#}nlg%l ziIXEn9hS=v@47iZT8T+~uVEg`2spOuv)Rt1K3~7;JzI-jngok)VGJkPn&hBo^(thW zGQoDeRi|B#G;7PMKBy@B*U9|nEArnxIdfSOu;WPm#2LCF)&E~!08V!X%GxkXfL=67d-geqH(N_1QV<@T8) z0y4fHbDQfxY+%>baN0ahMK`3j&jkJ}%Qy13FIeccxsI5AolNkBzl`MVp6#Ng;p1Bz z2IV_7P;B|!=m%~DB^fRC>0e)yuES4f9OzuCFe|n+$?;{c8^Z)ZW88s+Bi`l2Xz$J- z`<%9q1S4OzzqX&~e4a2K(O(35*J+m`y8v9IqiUqWyL>zG->vSyd%n|fTaL-dn+xd>-bzm3NUAKv zCtJs-x!iG1HeNFHPw#_$vJYRQFAdF||8*(82vWIU;vGrTyD0EL)|D2#bR5!Ff9=zu zK3QG@ZpxP}D%h37SKn-3x^_C}b63DP@9~g-F#Xd_^R?cibq0FRR9s{bn_p6I@2^WJ zm~2oxV@CFY-bFQ(NgQ?I;SEfd7D4^;AVmrUF!Ym63F{wLL9u(Z-^o9tk#f_h5IV$v5bpJ==&e`^V(E{+#r}^)m960({ z)4;oplt7!HV90v~=lwCzbGvn7+qD|CGx@vdifb98+3TCEB+W(_H31`}zp3KgtV9SK zv5{Wp7nuRI$yg0hWz*b9kV!yl_Q+u4y!6J1oyNnySJ5nAT&6k9J3Vcd)(~V~m39_N zM&tM2wTP!a+l9Zq=SiUY+9r@yECKRZt5=erO}acKY*~m4{o+qA?jvqWRYKkV434gM zAhvxd3`AthbvM+;4Ue2?y%ys~Lu@{ghGCQZZQiPMpR8_{u3fg%7ZnkOx86+xc2})4 zkFU9GAL(G3{7a7dU-8!e-LoC3_0MF(#pYOFSE>U&62xA|DL#?UZDo&i%SX%5cY9ar zoC((>%Dx)ONCSXwTaL!l`AIvl+vT5Vh<6!2?AD`BweNxd8Qoo^1tJ+9?oh^Q4HSCY z>6_63^MRoy63)BBL6n{Ay)dVfrA8<^4u8^U2DdoVDu^BmTI7Xx>YY99u_Jc7gr?`lea;%n=7N2 z@O4>%U!uEZ!&P_g`KP=4pWXHU?#YE$I%U5-i8~W?<=%lCHeKllZZw<~mwqCtD|ubU z#A^3i?37k`YqrJ#@7p?OBzO&lL;Y#Y+WF3Ox7MCr>~XAGR)JitP@LV$kIgX|dVSIS z+^@^#L(g^r(Q9F#$PpgW&6&+{n#`AXv1ttMGBU|GsPksz*iAxfLd7;~#apq}8j{#? znUd{{Gw|?$ds%M|^rP4SUte1eI>-w?K_mqs?&509V2zao>3oN`LrkB3H!jgsUS(?h$FX1FLW5ohtMp3_b5$YQypU^BWN z&9ffPHurx-oIJ&t$XB8G=GE%CpW=OqUgJ1zA0g%Zx#REl%iI>fX4j{g9=8l36L#Lw zu%>g{_D6d9dn8ZH$b8tXk@TkW-ra*G&kn_(`AuifJ>?g_C_Fo^c<^fbW8DwiZr(Q; ziG>=Ta;wyM5Psr>G(P8Pz$5aKSKQlU53|VQWP0@GMAR^UafQ5uWk2*@;9Awa30)bk zTZ$bGoJQFn#pRkyC1TfWcX5c&zD7GEf zEDF@P@@=Z)1QnR-$ON6O%kOVeBtkv}x^ovLyss462#aj;J_k%tYa`YbCa|9zN&`!R zeEx2s!k7YSp$5UNqLc5l=ULWeyq{AG;k+S<8oPah+F+rqIEqLqZY zc~-?0|M8}t3i?JtV~+qmm<)9hTmok6(S*S z{2lxa$>}QuJ@&B&HYeKC6c$hN8A`CjUt|>{`E)g7_|p;mu-XAeG8{dAJehNja0#hc z0D(rfLHAsVD>E-TG_Dm93yD%(NSERcGygd8$errOb!jLBU8-HT_FMbrxX)>kdcKJIS{VI0cIg_*&RdWyvx;`zz(H1V zySB?8=9We5`*JbaY#&?GVljWlN)j?drNcV2*!y~4Q?JoLduenY}i?eaGgNn_r0w`@0yfV%-xmo$wAMf zNmJyPUU~Qy4U6hdf{}3v+LcoSPaRMDTvQ=%wj}z)TqQDOW~tHjSK-{3q7l48`>Pln z{j~g)E(U=rSwiWzP}W664(!bY95L~d$gEAY$M3}mjxNA{#1p*VM$38=gmri@E4mhv}-fy%FI$Aj=wWx{Weym z#@QWi#%@)E_$@@QEAaAaC>w?4pHO16Nm;9ucYU#a<(Tg}@;Y-(`emzf;bCcxv%@?V zOg~fwdP=?s?VFTRy=X6p2s870&g$FWl3E67El$RfEf(VE4kTG zbL08w`a|O;wC||H^(h`|Bme3&KN)ka<*Nh2U;f}v?vT)kG|mrA`C*D@^Jcig&g-=hUE_d}xp1j@^K8t#T+JeP&-gt|v9EgXQn9{!no(~Rx zrr#tG&Ri>+&6zXSFCYGjT=`6kevtyUo(K_}t-S;q4(7^E?f+MI+P~lGy$7~Mv17wH zlfowFRYJ3WMq{w-c4JHvMNMa!Q@Jy&$weR6=2^6ON?=krKB6JyioZv@H9H$(2vrD# zOz3v-a@Xj~bhjK>XIJX%N7Qq(T5=n{7al#?+E_wa$2d{J5Z*P+b2IB(c41oOb8&Z9 z?{bqmP#m*Xu#NKZ&b7EHq~_}AE0Kx+Gh)R2iB8=~@ia{eA8hBL5 zSS@wh0iLVi>YI0PYtC4ST&NwxVqVMlp0f&num`D{)sc*G(lohi{!~I(-!AK`4=L5D7OWNA z^UF2D%Gql_Vx32|kDcHoYhjBbHAn2`pn)^ukc}=s-MSc=-j2lFQr)HaeY7_S#5P}j zB4lT|Ond-_EgB(aG+u48R7F8V*C5rF*yIBY(LfM&)0Jtd>whV4v8aORm$ca*!1O+Rl`DsT`GhUwiRmwX^cDu>P3eprMT!zCH5*Z8FuBo0(l#ZNnw-5eRS`f zgA+IuOKN_i7fl@=96vr+t}@f)MRgxjToQDMsz6hgTc&GcK}MX)uV9EWdgU15r866D zJ@PUa8d1!QJ~*F=KVxziWikHbqIY0+gRwd*kWAERp_VVTZc~QE{t>9rLyh>P)ZVAT z-;7J+{6TZn@OmG;a$45QNxs8{hGWD#mPHZ zl>h$Qe@W?e7=bn0=a(ncQl{E7cEal41|S1ZtFQ5ABcAuT_LA^k&k2J&QQXW=<<+gm zJtHOQLsdWEK3zSNF%OLGkk~yebDmjzuD#g66pfJTYY>a zAJ0h3dt9^7(#4}7=apX5;jk-BBsCr1MAfTE_FK3`f~NKZ)lg&$`tvBqK*@4ud}&u# zZ+>Y>V&qywPEadB5C-l4nc; zo-mF3mDLd!+tttP|1?og?kf3-&qabxU=jwSV0qCVbOMme&Ep5a@ggRYUn9G<2c$^ zFXe>g9RcU;Ox3VPkQ=tcl#mlm_q6sO*Tb9fu4P>%PY4g*5nLiVb2{>)voD`;l7;!k z0OPgOYZaEM1dWwb1c_a3pu=XT4Alz`saLe{9TpAN%c;pH%t4RRdAE?O4Kq_q`qDy$ zEsxflaw}Cv>zz0CjY4aE7~xTMod{Rv*N5ghtS|o2{?zO0k&DPWuc9i1*)(@7dfB;W z2s4YTxE?AQ@||#xzdKGBIWzI+;oOA}U5f!o<5-%j0@Y47JHj{2cc(f^86}1H&A~Xd zAnmfx_9HN;OuLv{qh~dFK|QL^OapThKdOKiUB{t7&eGt!Y5nA0mB;^%cgZzOGsLhhh48) zXTjzrnq~AXt}swD>U$SJD{fvc+&uklkUB8sv#D=C3SX(qfXyEXWn3BMFdL_4-|yZe zcU8Bb)2&TcBCg-tH>l`EpQQ|m1YQoU@YS>O8)Yu;*6{Kbx|0@cCzx}eV+JOk%hSScSk6S+b#Ve@TO_0bF(8&mh%;XdcA%rc zV`X1y6lf~+Lqv)Ak9W8pD53N?T;myZ*s?LCBOPLze6muhF|Y>hng}<$<($_G!=plj z7owZ4ccHoJbAgq!pW@B)VDWzcu?i1$;_$z&lH=Izft5C^*^<{E# zvop9)8r!LB;dAfrfMdApj4gK;yu%|=+chZy7>W@MBxMygmGr=jDkJ5E)FrBTK`@GZ2csV(99Tm zB#1D3U|}PR>(a&qj&VWp)euYcKzV;x(5`nd)}ZJoHnyoBw5+(n)evORoY%|Tp{x-7 z*_aV7e&4&;)8AHSKlf+qOK zKuc7N1EBYpa+S34b(Ol+v}Upb)Lxzl)4=DF^!@n;*z7}(q`562P-x;1R$x)#tx?PM z3Crvj{(#}3kOrRv9AV zMUXt5Wl#G!Q&PIz7N>ysSfvNb`A-Q?!PzH=VbTc9k?EvSiVX(vJ$V@A_8;+PFdFqr>9R*r~$K6~K=?A~? zw=uH=RnHR%KGSH|D38t5&6LkU8s;c=8lkr;$#{k8_Anc_V~3_(ez~yR>`w{B8JRGq z)u&Nte$=WbRCbJ;jdn{UH+3v`AaOIf#UOi*;J5`+7qqK^1{icMivQ4C0mrxYNJ$0qmECYmRxRD1UwR`lmmRe5$JqfnnBy-0nHe zb^s?yTt)-7DgE$pZS2;@k-yC~!*vuY{m*T83*p}r>faza1y`o!YdygHm>V#Z=Xuge z7JABHJ=2BR2RpC=dkDSS6zmIonE<)lp~^^xUim~tRQ={cWULE%bt8E<3+0#R(Q1uD zQ~)w_wT4CHHsltkvcFQDC{K!lz3ije9J=GIE$tWBR4u$o7KcKn8_U)XGVR_>X?S5g z(w(u1?F4x(7I2^YyM;wIvcp6DTQcKMBJT8p?{p^-OjnzSM4ZaD6vm@Tn36f|8U((% z7&S*lMDizF<8wD|BHh;1gWhpi(vaV$|0DS@Jh{zbwmPbcTO6dil@+(umGN!a!X>wH zVxp=i`iWN^-G!eVZvVOG?+A&x@ZFW`hn!pxT-_3m{tc(JFHW5%`U#bb?lN$FQ>M8m zN~$dm2!Tuy+~|veQaMI*X>jkDE91h=0Rra14x0eMBjQlRp{ZVdG{Y8VWcu^Vq5egR z#ZuGP*^)fi^mc3G+5yqh@6inWR$Sr}AWQAl5L!gpuw9NWa>S5^n6d(;-3W49ibAO% zpQH|1Up6%lV>VIKz_j!LL{2-FJ6_VM(un4+l*|sk1j6qHb{sqa_zDZwf_aCO49v!k z{;bu!cU7d+-%fA+Gt>BwA>pu~oDeTg)N{|$yG78osW&))+hFBkGJ{GuZth`N=fOV3DVQV;ob%>+{s>ajF9(Rb<3j)O<3YHYmiyf& ztfl61;hQG~ks9~^HcI@%FLBjhgn(_%EObX1-UTk-qnR_QbQXdT$!Lj86#2bCn^8TLYX9y4NomEmY3 zgHraA3%k>l38BhK^Dfm%+e@?RJ zO)58ZWAs(rX~VI^c1MkfWV@mOr`{JQ$Q$ZJBFeud@);_jT39qo0Nd~eQpOgB0+{Z}JnH4q$^IM!D?g^TEalMMXcQ5lcEG}(*MY{Ef4L|-X z$o*d*au0_cY2xoEh%6x2m?_Uz4|WF9U6+GWE!k>b@@;AdLzf5O(G1m5nk_zDFA4Sx z210xa3kQD3VzHbPG~+@fkehf=0*?eAbJS=T8gV)mgMt8Kd8=IzER5F}_#VMeUh5lZ z42v3i%L}^*PXry7|8-t0@fkfJUhqO`XBcCu&&|;?SY@B77%}7F7XZZqRS89du#iQ3 z0)VPGjc$-To8_bJ%m$s>cG2L36}im^7o4q5u}Y(wFSGQC%kwo}1_?p+)iX<9yDKzd zUXy>!LcVje6BJY>!i_YFhrgi%y0r1NCfiD=LxM$4LIBIS3@_*Y;K^_`ny%v_5tBsh z?IJZ=P2q1|f`FH&@i3!r2hjHlleDkt0x~yI=V7B03-ZSsP_Pc`gVT`JwP(1H;l+la z>RMq1Pd)7MP?G!}tL>T6s{CU&7N_vH_F~J{ZrE7eL1bjBEmf9;iF-LD1i6JtjrrD3 z^(peQh>4FI9o_Em7d^mc*yjOhmZ4D}PLXG!r7NCSr&$dU_2}f;TwXzi@}|fnHmniY z@;T`5tF9jd?Kt<(fI6#3?O=d3_b&nXL+so^4vsfQNFkI*py0NF<$5tTw@63Ny}|FVlt#S)Rs?Ok0S?hkJB-$^G(9(;B|51)+7ozCt^dlL8Y_F zPo4Hl(M{Z17swj5NY(xH;h|`phF{-lhAZz*T`o>66?UL(#v6TQt6CcgpiSV|PwrU^ zj%jgbs%`0DYg$(RA)Nm^-r;}m6M%k83#yN5m=vs(I})0)nTr=0d*nX*vUX6QKhhn) zHZp<@zkV9-6Y7PIDR8pS26uK?3Bp5BC8w<|6JUD5!4q^wFe^nwE)KG)dfql9G+L}i zE}jeYVZ;qRdQXCe@-8*jdV5{RDlRRB9n8;c+?jqK@7wEgto^6X9gWhHej2p`1#_Ez zJW}NW(cGvyf*x0g6JtfPDuQPEdleTB_b$IN;uZ8fgM>BJ_Pr?06YU!M>RCdptKE$A zurXuJLs5)Dlg*PBgzse={3KiW%<}~kK!xE=4}8&}$r#R?OL@_4@epg>VdgM{`@s;h)RLKnZRvek zmE4$QQ+tINGOb!4g_8)6xBtGJ8@#{FJT`3L#zyToc=I@2O`Abi>eyu+%Ef29*pd%> zITYF;1Sa_3H6bTsHhMoRHj-Rt$S<4>u~ml|Rvnuww+z<~NX0a{&aiZ(<{1nfebXXy z0*}NLmM4k&9#U5T z{+1X`9iqZR=BO;P1o(+jbZs1^8FDu?6lawaGeE1JeT|4@Oy-%fLI5Nhr1t;7E&z;* zQ)jMfYTjd?>-Va3LwysnRcy%)V~h*nyYi5YUd1Ju>c+^ya=%MVH*nR9RC+`g&wOnX zFIR(me5I&y@Ykwxbg15+;h3CV)@Ul-jM)pzLDdc@MOf&zz}im^#wB{=_vTb+FOYhq z>0#2X+;>*ntfTAqlB7Gzs z6TohpHW!WJfu5Q3VO+Dq7!Ax!A)%M2UVlw(h4@|Pn!i7;M*RJN!y;BfbMd4>0x3V@ zhFlHx7b*mWrPz5*ro(hmgx)S~vP+Xi-8dy2qvmA2QHDl6J6(q!9N(`=Ledw1++6X- z1=CGyI1Yi__r0hFZqZ&dm&!{q*NRT?7o&#dpO*SR=c z55Ah`yiuw)0p!2Ozb}rLy_9Sb8%{4+9ia7Z?zk%bHT%#QAFH@%PuBx3Gy}!Z3Gydi zqgz*=n>A{Ta_wUa`TlZO$MTDt@2TemTH`04Gb2_w4E3TEA}SO!>VWgYK~NJVt)4-> zietrXU~A(^ML!t+q+E!oh_JRHeOmtT_*_0WM|~-?w-dt-yc)A85MS^J0jf0-$qqJo z9dYvE(as{d&w7OLb%oG1lRSu4wdF<|YC~8Q2+v#Y;NUGL3J{SY7@VI6QfOE!J}Urj zuby=4zfD{J5#0dAauVRLQQ$ya_{N%ttX^NE?}mAB&+Va}HkfI}o+{MLp0(3)*j*c>T@VdRo!!QlR6^Ru7h!cmU>d0s(xj0Tg`^F%qCMJpkwP8|~XuX)+c zMp-~(-nhj)zudsIBEJanAmzYs+=t;iVEcUw?shU5yZ4~%Ee1C{Vozu`soo*SHMyM7 zKYoYRgP54`w?Z369Y~@Ebp=MxECERgcXePU>DK3RKYe}RAGx9qA0rqEr&ClzuoA-< z;PW{VzWenv>W6_kgYnh6uu`1VM7E2UV~TLUZ;A!nu89uN3@DW)JvNt)RK82GGVn90=f37zl$dFc z&Pv}PFIV{iHKkpYkohnE2p;uXo~z(-PV+u~uXC*gWp4 z7%4{X4AuDFqEU|wfMQEEtm|$X#N2(Lrp-<5rRWD={!>k7saH+IEA&hQs0Mn5tQa=d z8mB-bX%x2ToU#d3{stR3??}RrN%9R4Fnha??vkmpCiE&!>43ss zJoT_64?My#ugVLYlpsg3a=OxfNlg2lKPrf1LIAhAQ9Bde}e{{@q z-p!B7dN*w*Qx-k#91O88o1Xa&gT?V6%iw*;x|QTyDBRX@mT%}kP}QkDS*i&H;Do%#*2XM1B#^LJDK_3@=o!}~JhzF866DE$eBpV02ikntW&bSW zNJsQ1hq?0FP#%vnqXkBdEqFU()E;6Z5~S8Ub_ z238s$Y8D4MF12{AZpe!NFxgR9YU*1v(Pze6mwJ!X1(ZP*&X29Xvrc?uTQ_ifX;9#@ zEf*-5U-*li*%By~{`mtfrUbwDVW>=U`J-i4L(+BkWv*>0gA$#cY67Vx?_F2$a#<-Q z!rD&YycrYp-!}P8m09jvXsf~%ENue2Jl|K5F$ugM3+Q^TR}l*9NtMx^?VHoC~DFz%6Tu%9XX3YhmQeTU|e8tU>2GH#av`@5k2}z&iwH% z;yy-tK=P!((Ok0h<9JP|SD4p&*fUmX|XkTh1&#?C6QIWQ3 zd9$_6qS_r0%x)e9;p>j$KYY~Ng$Wfa4XRf^`h7GEU+1q{2%#3pN@ktuQZNHrkpk3V zkfi;S4dLZ&2Xe^AhZ-%GK?z2fGxChgAkBL9o?p_wm`r5zIPo4=Ixj-Nwf((sND|;0 zfgvvG7N?zrO|IeK2>?~mX0v*1V7|Q86o0F`!0e9n?p=_B;YK$Cd$DGL@q_b7amgCU za|9O+F??y%=qt)rfk;~4)vTZF5^AfN|D5xPrC%Cj-_%V+v*rV>m&i5M1?G5DAe35< z4Izq4L1F&SCr;lbgj0wE|CO8px7+ZstF<_TT5%>x z8$}M6g931-O1pML&PI9BiD8H~mycQMr8tcR=Ax}or`q<7cM_pv6zFnWO2?u_Zq}}v zkRoE8_2{>p9RL6e^ialRxbBB)exhb^J7egihTj_E=a<9S!PO)C5k+$fj~=7#6%d!L zL37#yHS^V2;^yR=Oty_ApKHtPQ52m>=UjzA#Hm>{P@;1}!`rGL+?+$J=MgV(8Wpqw z90D++X*X(Py22%<1VvGN`+^z48lail#Y}(gE_9C>mwEbqJHg%q2=PYj$k9n*2Xe?p z8G33l7K}n=XNLfiIPg5*YELy{Y7VN8IYZZ0!^_1iee$F|bTPO!X3pz4FE0s+8g(=< zTRWh6g2*n)TYFrx=uS1-TrnZ!49|NiqMSID_m*qAC2FT&Sv?{?em5lI`F`E-Bs;@> zC%H*#8dT5e7U4lJEA_KP1CLCJ=Tj|c>l_E`a&kw*45ZbfB$D5x-NHlVHEFGkcalQ@ zmSS>`Uq(*@Y`T9ir7NhU6bx>R=1;2DS4XeQFBK!ddk^d{Tm7G@2mlf?@V)QV0v*{F zWpg5mGbv(}3wB)PQpktL=(37bTiN3BpaF`DEm7gDY_&0`a%v9!Uyx0Ql+={O`@m zk>9fN;PKYX3F6zoWB_!f|B*5P3IZo$%^Q6{pZm_R=cao!`tC|%!Nfp|ml&~1%NMVD zbdf$o-vco53|aXOvk5{PE$JvQMv}|W!EXZmkQIwvVtmeT&}!FHBTH^oD{9c9*DAzqoiM+Kr5AdDCr_w8)_Syz~j zMb?-eBGmT1u&Yl!n(id5g|UP`+-adw-!==O*k$%g)g&A!TaJp4k7XX~7~;YTuEcWi zvBM5!Ota(p$dQisgNlnTcng0KdV)Tdc01QkY&Qkg>#`{>l*fNft6tG+ zequ*2&V%vA-4~3vngU}O@rs3j@TDt;k=P(=@nX;H1>e<-iJ~AU(}h1^6?p1?8expu zy=+|S=~Zy$UJoc2D6>t~P}eLpOQSW+k0+cmAm)s!atf++StLKNOLdmh8;v3WFT##q zQv#o@uC8V2OWSJP9fDSymc5uzpT??0OlSz`Z(hG_RDq0be5<#>zU#G*ONM6D11+AR zoEvLR&axxg0LaTb#wKY86Iw@2LPX_oe_Ef5K?p+=ZT|30r7p&CR`48^l=7ZoIT}9_ z@0f$~{iA5KZ?h(7;)$~5gEutvbezygq<p#m-;8NHMkac3+oxQzWM{x0vS`Bv5A(IxK?ATJiGL@qzuF<=ooJ zYcU$;ur3!RfIQ-c^N_TdXizlEfd~dibW&{siu`C|!~ZY9=BU)1U`M|aQV1yic4*Jg zcf$S$RMfkHR6XMJ()V$Z_8x`bAna9w2JC~_F!-CGA8JbnmuDaHdeFLNQG&6XBpv$5 zFzCVpHyQzq{*j0kyecE*K`o~+D+CI(N`d*w0S_+U1j=c!IfuCeEiQ)^T_6x1<}Jah z67JyR7&_(?H*3H;j(RVA-LX8;n~J!!US={ehd$QQ*YYBt0j*CMvm5NHp6emvnUCMj zvU+GDjNw8@$a@}-07`|!ZLRSml}M_x=^iW{8GyOH8gG@Ct}$869C8k}d=7kJ46RPa zooM&HB!y;N4N#y%-iZd1IDHtsg_L;IJfW-rnVSr3e8!J4p-mh7X@6O?0if|V48DD; z=qpxfwJ%U}YK=-=u?xgj>5>(_KJnl^-5_^<@AIHywCi>oj>R<)ctgPtjM>L2DUBF( zm~3dW{i~9^Xx2JocY^`X6`?P4r4`IUC8MDI*v`ec9idXb*LhW-)$=%!$LP!3c{o@W zq`_=U(Rk^UQGYQra03u=jGsUuBIva%1xDpELSQaEgx4qzuPV{t2>_Zg5U4I`(7qSY znr=g`Og!saO!a;F8%c!zP@PdRuu z_08NqH%=v~^kd-pF;bM5M(tNLE)l|mDgO^7JP%Kcelu;5P*MZ@BLn0PI?C)Cow!- z5K=2nBX8q9i<(cXuyl)nE-@CAwt(Xta)9TS>ZS!wZu3KrXXQk zJ{p!|(;b%mDX7tSBNVPTy$26Qf1~sQO9w(X3~v?Ac{azHXg==zwJJctCd77>;bL9g ze%fKiwm@n`apBebYmk_wCat?)N&+`C%C0HJU@Lj?3>!175a!$z=90HY#zU)$oa8YD zS$OoyGa$n$N7PpIA~EpO=lUlLW@&+aPuFE4=q>}u;(+=djJO)U5f z{|4fPTE3~yGGW|g1yoj9ho#g?*=YMupQ6kOF8lpPm~)D7OH8)I#?gSOf`ZzOqZ2;g z4kLdGb}3%<7M*%wJXp{svU{^~!m;V9;6)Cq{dFlL3LyySG2aTsapYeQbjIB+)LIaW zr$_}{-?&hG7ZeJa#^V{%yP@%#J?oxAss=)S#%75SOu2XjHTNY81@uxA!?w3vjbpXfOwzhN{LZ*t=V z2IR~}s$e#P)mENu6pZ+j^d!HZZkdmfO6fa<>vdrqp!CDx>?WYCLIZPJ{vAmg!knR- zzHq=FrP({qko#O1mVlgWIbC1Hv6n(S$L|i%T7yAffz3R8!+WMtlj2+SeWPfm=j@h6`=a7Owme*n>yS!dV6*4 ziVtq7e~ClrHHR-RUy8|xTho{4dwOgX__UV4c)M#Ybuu*L@5Qz0_1PO$H%|^_`ExP7~C%)r0FcEWk znCE#DCH#2T-j0_>^IR=?>krjMK4dfGd=JR|B;9Q;@MWI@&9B38aE#pNe(A`C$<$n`wR5A!AUG1}jSPAp zI@N6yF;{?U0+c#^uDxI4hb@BdGgYHZRe5~TM~6M8S{`Cq@a_u9|?*V_B6b)Iu^E(sTeMxs5<#aErg4 zD||h(*!)L6!@p?kx1r^WOYs{0eT694o-@hoC}l(o%}p6>uXX}7#}fZ9AiDqTWdCSa zv}F*jeSlI`J!0?f6n8EV(SRZ~h~FAvgi`i&T&>CzmiKtCDCI+W4yF{RSAzE6dL$-Y zmzV47yUp$F1Wy-riXX>vE5r7B5WYenSgQi8DnhyV-FmUjp4@H79`Q9{^Vqmqg4UM~ z(9a-%K+{sj;W&9vRg>@RJjMO?sqXcKl+UeUP~rv%Xz^8RAngm0E|rxV%2kv*P%^u3 zQo~B$6m}nF+eaDV_`{eGZ=rJhTXCK87iEILAK{}%1)!{-^5&Z6{ zIvLnv50KD9ZbWk75^B#nOD^POf#o)PZm!73Bqg^B!=t?UyD+Kwx-nIm2y$m{GAHTU zSaNyuWmd$hbEIs9YH{LXJ9sGn^V;l_%LI!4;p$ zGu#Gv>n%?F_I(HI9iVXY0MEAC39ihHFj?>LU1dE_4vesb*p-$nR<6ur7c^j}{%{ndHs2NQJ*fScc$I~1w9hQ+G7`CWl4Kyr<{}g_sob4JM&iwE? zu2?a=)j^MaV%#`rK8hv027F4oGngwl=Ege(@nyz{KH>z9oE$CMXIIqfawsv;i%y{e z0}9!Ha{5sLU|ql13S@^@wpvp=ml{+#GGYK$S07g+sq5eV_u0;jkxon~-&s4_EJx4s z-q7y3Dw78AC}6ONL~r$u>C&V0iBliBx1@RHLb$N+*wKqm`ejN1{0WW()R$gs0ATngw1mC~_Uz z7;bZyvw700}sj z73^MW6wJrdjrg*cl1vGnje3VpUdJ~l@ft>XkeisnwH^82$?f8wjy5g>Cm;QX z^Df-##{sC3`|c}hgzzf|YxL+`#it|gytx68KNZ>M6=D~Lj9QmF`kH~ZApk(DEGPN} z@xs{aX~;dvzH4wIlkGmAWRjxzt_{>OU$(^ivS|4^2SA`)x@Fu=M|(NX5LRRjfD|s+ zJ1|vH+2vd89?O-2pE>K~;Aib6J$IKoKB<)}`kTo^k^`g0z$I{q!*XY+R5$e6engGO zwwjiX?fNMHZ#dw@zLGK>>Zr`A#7G(bBPNv3`1iOp|H+9I){5CaTPE6GZGY`~c%rC{ zLhrZ;Hi7*B<_w|@swv6#hzoAE1ETcls_)|{A^`o5Iw6r$eBXrosEP}yL~R~~?RXa& zSf9cTR>Ql)SgSU4m0j}*=2N{WsNB}VPa+AjNxE>7*PzFG@8+)zcE_9bsxDZKX>S(D z6zmiHi)e#v@k>}`3|P$nBn*k=T3>|)xKH}y2Qm(N-^>`T*QW{II$lTEFK^F3Qki_7 z0(7Yki$KeLfwk=4S}+3&Oie2QqK(afhc|KM!VBLb`7gp}*VUElTYmydv!l&xA8r_w z&M1xbujS2{Ee}@>g5Zy_EeWMTVD)R=)B_n&#cWg$A-QTGErkoQy9SNH4W(}3lZzk_ z(uFg820e2voj3tLrFc*aXA+pb<=L3GiZT>;(ufhmebLi~urQA^q%^j>o`>GG|02?^ zKnEy`8QkE=K9+K1NA6h7V9h~^_|Q(vj`_X~a%0R-7zXGqNjn<(0f(N4Y3)za=m3bB zsg_$8_wVt;*aBC00AYhUrf#$fuCp%rJc`$7q36_D1n$lD-loIIqk__VJ;K&-|2Jt# zm)M}sKSs2*$GAL~{53HJP$1bOQ&fnLTL@CN5eq%dsM?`XG%%t}jC0^Bq6SfZW4w>P z)kD^IxjOVCG`57|A=ACe0PFjr&&^g9xd%F*?~D!m8UO(O&IFosEu-Yb+gf0agnosl z!l_?=JCIx|nW4{KB@Rx1Ufh158?m!DU1@}opR?7msT=HA&qGn3oK^PeW1BrV?Zt5C zUkq&B2lNPxFUD=Rp46dKo?J_#E(J34Pn|laBBNaIVo2sZOt7SWT*|fWh|epmwaK^b zep*z&+e}9)o4R2HTo5PeN*tZG0A#*aFyoEAm4q_o07FAFe}dbkfTtaWMuq$VhNCKP z0}K;xPVsq@0X`RxRvr*Oh-*|4-gsMsh)=?sJ?uH)4t+q=s02tSY*XZ$6BI8o<2vO* zv(al}?QWmoK=-XyEWVr#5Rx3%Cwc;7Ec_B68s$4n4mNab32L{+COr=qb9et{G|{LP9Ie?b)eZ^C~k%rbtOBplo+@rxrD)NpD!V3&V8MjQJIi zK2^@Ax>9Pl>X-I|Veuf}!%{X`X%BRlszLDS{1|grLiK0npUWsa9G@<#A&+^qA&->c zt2@&W<^8S{`1nNeS)z99HVQKEj#nC|+p$l04?cd-!xm{BD>uIxPf|5Ek z+tqAsLDe8mKuB5K->Tvg9;T*{>wbpG^^+*yijoiXt zuFZ=F5x#)Njx;a?-!0?KY8Yy`vt<903h6oi*(oDhA@B-i6achcXaR=0cP{H<<)f`9 zIb)9Myz@yNHtjF?ix<{Uoh{Yr5iJo;O$oOd)#CHVKGS)lD6&vIhe}mi$6t@sd`Ny? zSJf3bYb!PNrtNt{tMKwp(g7Si!65$)2cnbA2V9c(L?Kdk`PjDp#&ygz=;?U??wLLqD~TQt5@ag4&i-Jy?4QE2s| ztjBV-rt*F+jUgp7r`Vj{RZ_?@Pg0g4_8ydH*p31CJcHLL3KLlG@h|V7XHTfjB4!Rq zw)oBZC1db**#S&8js2l&`@`+0C0jmd^R>!ZRgy9K=khCw;VD zO_pROS!$s_t?&RA1N8y}nSd!pbX5H4PYbz|>w9R??#CW!ECdVXwVJGusr(j=JUmhv zvX@-%(U8&8atgh%cXxHnd@<49Wwd?MEDo}o-S(-LMHz0{^XM`7_w!RV^W(fj-w~dz zDb?+hNvhnD(DEKNXVhnWM9bx}m%A=^yc)?0$O`7Up~1*^{ffg8sVc{28LT?|>!+5t zA3uLF;vv6f2Jd5CR!pcW=!SH-X+_A$Bm8>o*!GF|%j9fSF;6g1(g2a@q0C|Z6fo3T zgbR7^p261?5t^1ds5`pJdySxmxv(V|wM#cOLwS8EvVKuJp|XL(hx_KeW9jpIcfN=a ziCa!}NI(&O>RN0<+l~=h+`4tiW4qh|i-TYT_dn|9Z3T{HOf0`>Kc{gfdO=8yuX!WO zADbotr493~Hz) z?-r3)cYU|~k1pc~Y=4sR?i(CiY zC2blWCuK=Ko>o&(zf8j4*;v9*28ymV?03`b2<4Wvf&<)X{;T*ZG@*ZKkhU!3Knqx%;0_%XqiffrC&Il0M?dkNL2kdVmj0M9+#ws`Z zuBB^5Tnd{`bT#w9D|Cm%C@WIbZ*Kmf;>1RB!Cz(-Mw%?YuhQCe)7tjn|3&RL#whGQ z0yR0Q!n(>#(Y#YDEh_Mt^qKwpPRQu*X$-8I;M0Pj$V{V2RLP3933!D$IJGT!BeVv@ z*D-uY$NlwfE|bzeUT5U)r{Ehtt@UK-H*H}k|EV{29hmy;6>t)O=s{qBNe)&v0r@`I zh!Je>cI42oyq)Fjr+DKv!VjSOsT?ledoZgXKqAEl;9HDR2>Soo2G# z1M+I$o!AOks+c6z0q(u3-4f7)((VRACC!x_j-W1(sEgG&2#l~wTOo97LAJsu$NBq7 zzO+q@C3UTcg7waz^(0Vsmb&W~S^MmL1AfU*dy;lh{^XIR))Z&ofWj@n0D>GaPhF9s z%rCJ*x8VGv)~!b`MKu4Z4^rdVw~ZPLw5h}PNldk0BVJD4Kjz@cIe*V1)dikz$S%Gd zh1dSUW1tJpFRZ$0Z2mR?%#7TdUJ!kY*_+uxc(mYalwN$8Pc8m0q72i25oNUcYTuE_ zmJZpY7~@NueOx7HZB=gEJ9Y0%3)s>DUZ*&t@RwbNAGVlZ&Mj6W>7d}AMBkp@IVEzA zR{jq55%fXc7tt`@QYb*uzGE3dG}dDC748TOT?{|ZBb*TZ`(w1J?O}#DKp-}5{gTAo z+wM_bLb5`55MzV=ShlmZbnJ`KNWep5P{(53uRD3?&_5mdGj&i(mSfFLjy47IVFU~_ z&UPSv^&OPFl;;Epg4IrbwrvG}QAJdYPuzTcH0J-~w4q9cUpD}_uA^?zQp=zgsB%PF zhwVczV+(S00J4gdT8jDRzZBOI5BA?UilGI6r2RfZu3-oxl~PhP)1nD3$jVu2|LzZG z{O4YZ4V$yyo@xA6KrgL2$5%!Mw^!vr*4me%4M>?#htlxPd!N9v(=>`Rm7*kqNDpD= zYa}&Lml`a>*$I}bAYt&qd$ei&QWAC7ZQTeO?aCF?cITflS4CL^F%4^}JMd2kl=Exf zk=Uhs%sw5;{y6jQ($t-yC2rjsY|u_gwZP|7oB}Q~0fw9`59=5h+XJA0;|KOH$BzKx z=5=<4=c(fTqUZVgXea*OBz_1 zF}&}&5k84kxniSsF$pTL2|wM}`pJ^Vdw3A!=`l3xAV~>(6+IWj*Az~tO1l*$EDF0o z-H&*rm4tvkL-smLQpQRI$JjloNfN72kNkxN`zy}=-)JA)@FL1OU+8K(4jHCG=iVBU zdmGB9ym2kia_09^#AdXmlOHt==`i<^^7v9e4xc^mH*k3}G(gv9pc#s8A*%E-EIrnv z%+$=(`7KzIOp~HcxgjUJEvu{2wzeZ_RHy`PR?FYU7MPkE=5>)>SSpnb0bC{^6>d>{ zy8*L3Ukk(f@fgUT+AO7o;y0fG&U$y7Vh&@Lv+ zSi_QOgRi1D2AMkpgLWR95k7su#{(Q+Lmz{Z#=$qK4NgVe!1jr@yLm*W?%Fr(U`8m& zi(GGY@jp?<)KzWjz^`?`L-&6UG9|DDPGX3COTWa6j8dsXte{l$lQ(CS{X-Y(fsvvk zZEu|wa&%aE+F*fJa_|J^p>~UVCcLqYY+k4P=xvI?A7?cA=;!}niPCe)8s>_)@RC=4 z?>>Id(rps%{Z#Fo7K9|5 z<`K~X$nXFf8Vjz9N#OUV;FKlsyDgW*KCiV?qq6e;Ljo7(bfPFGV4jk(Y-{8?oDIFc zxJZep`?}C05AeSMN2rs!ZZD5*l~7(Itbfk$H7x61YoJUzt1!1lQk&CEsqNzROT6X@ zqH=+d4$(v0-t849PO9q4o95M>QGh6ftA{)0x`NDV2ub0sGF3wOj$OWWjoCFm$yT|3SxY@dli1_or~Y zr96MUxMYJL;TI2WpFXm?!`l>ZNyTip%S#pcQfT#4o}@R9d%H^kyOARYkg#+A!=rI7 z5aT!aW~n8Wk{?RbLTejuLOou2law*#emz=d2(?rHnJZ{qt9~TBXPXwWrux>4RZ#^% z+@<0l6z`1P5q-g@W82=zE#yf9k^hk+R(c~c1gz}6GuQVZ_HX_#g3N9Zo}CEzlc^k; zBYVkLMqsG@gm6uH@y;Dj_x2Jrp<-=N7}7aage#3lQU^mwr<6OUdG{C`<5RS*62EqU zd0>Iw%t}7Dr+Fh&YGilz9Ima{USg3-_c_2hjhrRw2WWc_OU5*$LhA%C>TS5G2Y)R5Z)NE^{B!x&0Iceo0P ztO4iAs%wFgaL|TYY8DLz2M)&oqy6^)f+nY`N{4(Cl4ehBawDCf9$~_lT2PjiwY#Pb z1nag87bQ&P5VAcB`70ZV+dV|o!k=0*=;DXSUlPs)U26UqHOP^*)OJ6gc{K z+Sc{@KwrX6Qot*MVZ*jFTE-H7Fx+ilzopzx>)0%T@0eZyf`yEfn6t z8>4~lIVmjMpQc|J8eLHv?Uud`Y1{ix|&@r$cExDl>8s|~@XjcuU4rRRqL zF9ssIO4VCcU4T(q?T|e4bNjEhFA<}oM8JkrquBR(C6nBN zUrNZ9&{i@-T2;KK2Yz0o_79ChK~&d<{`9PB1$a~Pl;O>v2V>OJDi-4;Ua-_ajX4Ym z^_P_=wu(p)6lG_k=*ZrGSu38lpBCV8w*44SumeiOa__VhhU~Wc^+Z9Y_$JZ)KO20u+(Yim29;pL|chH5MS$wK1sXwnoqRX;`ezb}ISg8(ZjLr>e{nfc+j zxPyx_Bw3;?ZH~#IkuSU#Hk?f%R1T)?z8}?|XMYRQZ>2SoXf-}G#a*wjXSjm9BPy(ajBLcS z6v%=Ise$pYZhz{pBNcNqxx#yX7OLyaV~N-j2m(FA{MFS@Ai3myc33_aoUF#Hs9}DgD_<`-o3cA|!9kEB?Ki_`Z#=r9I zTY3`^*S5&h7}FMjIrf9R3_{X&KW6pN9+Re`8kCu4EQk`A`p1B*3*tVL!MU7gO}6* z0btg~{x>3Ig?2#Lc~zMnu99u7=c+K=$1$8)-wTfJPfPh{{8{8|6@>fD9;1ni2G3QM z_7-eW%LQ2}N<$qTcBc^N_S3_kgT2<^mr)ed!m9-*6{TmJOZm^iv~T@@$#s4e#}+or zl{$Iz|9cxEWnksa=esL%x&PRVEopAE*+nzh6t#hAT!^bf@9YTGO?r6FVPZX#wyD)y zdt=}tiWkOrcX3x%%A0@(m6JOr?7TP2!4-aJ1o=Sg!Hzg>sX;OT7eLVBNkfysP+vlB zQoYTeZ#jS*M}rZ31AwCG>fP2|?@t(m;veIdB@dhB8|xPBFxA_RUcbPEmbBX1#kPQ% zwZJ1wd>gHpyp2jB(QNm$pbLZXMabWVg^HjXua6ut1WI=j#;qf>QkM@yJ$h&vP%L=+ zL+$$cBD0yDKFs(cDG^0w=*Hl&2@acl|3gMs{gc_qpBfs}a*R}aatGVadIbPIe%e*E z=$~cMU)poPt<6q{#TD0}=c@B6)w#Lv)R`9N9!|mJ1BAuNq-sTw&*n*pBrLnkvEwn1 zCAnIy?xyy7*i0bG4umtnLG1^5K(PAlGNZ7`Oo2&MvR4t`*l0$*HM zr})8|dQc2eRXt5HI(Mm$-<=h-*wMHl55ce5J8h=EfpIIx@J#y2B@lYL%+s~P7J4?! zF;#{@tM;Xy0WlHws&~nEdjWMuFbmM4?B%Y2bxr=3v;X&~rJ?HbUMGC@nJhZN^7bww z_~sR>bb*2C=`XL{?;;SwR|lrQ2(TD^DSL8~O?UeD4e)tHg`aLS_;1$|N-2QDl5U^}C*mhs~Mx12IQr_qZw)?R}+3)?NEtlnT z3NfkodO+9xq+VPGbC5Om+mRB|6VWh=4@9)plUO(mhub6oAejy zqF>*+CH#e>pXLAhQALsE#S`P@@_o&Z14f}X-+igVvupLc&<_=U$?T8XDsOLGV5Fb9 z>M=V?n`H?^gfJuvxx7&@Fb|ezR8`PSW=`mw=-^@|_p9F>&`=qhZ{%Ib0P*c+pk=VX zwXU&{IzfC`!5;ASlhJg(EDm!Th36Jzpbm*(Bvz20D^{y5@x`3(H7on`*w-=Cs18MY z|GXj$QUp|FWV^jsEWKalviKzidF;+3FCm9?9G&mPTx-Fts+dn{ay`z`p95 z#i2#VOYO=DA+TavquO|hZC0|1hlx&#(j|GPsgHU&PwrQnzBTL6pRe~#_g$o(EZrU< zI&~kW`117@pI!}(Oz5c!IWe!DV-wn2@)R~gz9e_Ryj6GU<#?jWdC;UrcCe}2Ow z@XR**>?o4?{AT+3wcYynPwNc5d!zV9`ig(YKEpI&9#%#O2!3vI*ZOC{_V?HmFcJE4 z&n`Wom-DgMkK*PdP2eh;O#Rl{WF=xb$jpa<`Sg3>+0;&h)GbDwnM)a1fUPP8{r>9no_$6jo@xwdOX34>PlztdwxtPB& zuHXr`w~Vgk#C0~)F(#3bHs*7;6s>p61WZzoamL7mcnW5`3n&mhrY!Dy`taBZx&DP9 z4kK}^sBS-pxGL|tVoBcO??$7i_{i+wAjP$Zi~~F)&E8n8ZgQ^uJ_oZ>yD-0jX<>N9 zcBlXZmk5^Y0r5(sjAVx2o9O>Y)cp~D(cT+COnFauF|+Z1_^~8D+3&y8#tC>DYIz!&XE>S5YIpxtN;GnofFXW}r7N-~5^wzRP|4pedk5wEa@#qc-}r3s}qDl4ay>}C@j*Qc?h zf2%dmyfjR&$U@U1k`tXLaXF>$Jz6mWF06%$Q-tHXQ!BF;26hUlx6Z6Uqo>GU3(3|92Jodtm&jQC=rGBCb6# zb`KcF>OK_o548Ctl8Y!y^uVgslIEu+;*ro(me+QYi%B(kv&vR8ogv#tM zo8qiNJST0`vSGYs$-%0m7v9;0T}AUM@MdtWC_7WyQ|5LR5Vo>?NoD>P>fly?mMXls zO@+*!=D**@um*}Dv=pF7Q$fV2oB^|B#b!nbXNQYi&%=oyB*KDhmR`Cim zm^WF2Hv$+5SuUI4O##;#D9fJP!$d7Md^+0WOXz7^>zMlW7N#H>phlYZw8Rjs!y!oh z(fBm~#EvG}bTch6eLCm*SLG^AEGjXKwU!lI?>?8WO+FHp!Bt`o@72VlEVaIAaM-J7 zlFc=YqoWWz;pm;;J4@;OcQjwG4QHhZ2}tZZI+WZk$X$AUZvRf|)R`-EAlzuRxt8LW z+|AHGkD_r#wa|GF`7V)eFlgasOELi(9Bk5_bYr`y? z7?ymI+%0G-WyBGx9ckbgEmk~4n9S5px^oA`dsz{V-5zbrn-02^x0vTF=Ux6Ls_SOX zlg`%`DGupdQ+47GO%Ww4Cu?JMKg$-{4-%AbU8>?($Qq2`RF#9E0W2KC;Jx?o&M_-iFtAQP_*9hV6*8m&>#lDvO_^?&{?Xzs2 zHclta+bE?I$auiT+`zA%^?pKky;2J+wT^vV2`M6peNK(Hs8FAMe7rU`H}d3_S&qP( zkYJ=s*xl3xUhfC5e$C!!xC}Khe|lib{H8199joM;9tH&O-KEHwRWOq8=0AHImEFYpUp;#^a4-BGGX~v zm#U4fy;BOJvrksx)D;*zb8Vt==AJZ)fioT%#Q2Uo+*=_`BE)Ckn`$PG6?l=Jk&5h5 zOH4zyix{&>AQQnA?D_B2dCJ(acG`8rY{*6ChpOK%&t5&3>hea1v39G{;p6osv936A zLxyUxwzvKw3++++)pnN{Y$HeHHlVQwYx0lIXI_}xDljiMgIs%J=6LkBK_>l&)y%b` z#cxlubhXPbdMtjmTdRHKO!GbeD?v7bt&sn{TBFAI9}o)D#c!IUe$*IOWP8*_j`ZR8 ziON4@>{3MoUx(X|SJDJ*?eC=;8cpI-eRYV3n}X%`!`sWNZ(bi+rw8r!hB>Pey+0e( zTE#rRS7Lu;@#B#`_T=q5(Og33#XlZ(%jUYw+XN9lhsZ9&k`0BvA$be6^Z;j)Qno6P zkkD4tN^G=ap7}z!hsv{W6JHOG`Xx+SR>9fG^drps%Ln$=Rj5=2bI+~QIU|u>urzOj zYQ(EcpKfF#N)Iv{FQ6$*C<9afaDzO}rN;LRzPXkk>eqXR7kE4U1P+Y9!)tUeX;q9C zh-J_e*thv}!D^@YWz?t&yIEBb_QDR(Ru-hkohn=KGW-AOsl7=*Cm2WB>995~dr@NO zmugsJ=CLu*RrHmkj2Kv?$JmYMBd?t2 z&o>)gzh9qcQvSnzZQ^(czv0tKuaXJXSKG6K9O}&s6|5H|<1qm=b0o^=@rO&=K-4b2 ztM$fwoNtR9-@Vh`xZQaFEx75rtwk{|`95(QR9mvSOG+9=}p+2-Hz;blLWl zH7k^NG2k~y2@iMdY4OG{ygu#lJL|Lwaga$O#If^=drx_F-(X+Sg*PqYA|K}%uNa-P zg$EXA#C)-ef*ic?ezy`Kqo%=j45Vhp%X!#d3f{9?o0@r@6YgnyQ?O`!q{V4m4R02mh!J70{Ng(@m!tPv4IP11uLcAzv;IevS zi*Myrm0Q=0WdOXE>!X|yWA!snixBiZDGh|c=3q?qfxdeFh=5HgV)r_bUT?5!H) zN}KDU^sa4e32{X6kuDk6x)eU^{Scb_dLp<1{C*N)bV>DQE6~5$4I8F25<^xwGr{ut z=U>hCldRV~2`ji1>;qz1&Ud|?X6)F+y_||Eo%kV&$NVnF@Y_>#ATa6Ro$o}nzU6)j zv7dZ!-R`bd+~|c#CloJKKZfi*_1v(=NAs%jzD80XrU^Ca+4+$h?uZR#trv}6HK<%s zV3DKKr5w9kpIH8=p0om!?0ON&c~!*2Uhl`s{y&|L|K69(u4o9TeET6`S|97Vp-g0S z>^OAXosT3>OqEuh6=bbpjT1B1*|_6s$i%iR`dvHWI)nSlgn3_zvS{1e3-6UYUL_H4 zDc46lnQQu0oq4MZ5yinFQtPqS@ZM><+Lv6P?X~lDpvW2AaI(b3+}bgv5Mg9{o7va$ zNZ(z7x$X{(@f=-I%xA^#Z0y_H8{#Y%M2xL^q+SnKmNG$4zzz6Vd=rBU4kk@k<0jaN zfsw7e#mod23HPWbg`vEwu{_85cHydc`Y?k2=yJw)e&ph7kegA}qli#Nmc0y+s*QRg ztLKoQTt{-aM5~8+e^dO9`JOGrYA%SLZM&1h)oZ{=peZAD$2!k^A`z7dg@(Lo)TBuVZIB_H4}xx#bdJ z{H@Kr>jEmyKo9hZ^|0(Xom4cD-huzGq5L){ed^%(&Sb^dl8tBee$MyjZ@*cLA)cWE z!|QeDCL!Yzw{r4UfS2C1-EXpDyVT<;nEFj+#76w8?3zM-Aj1wz+|p|HFN;5Y_gIN- zH!$};>xePG?mBQz(QPq1t2lFpht3(BuXyJ`W^io4d#eud&9#O2LD<(b!|Z@UqIKpx z&3cxSJ0Nd2!5L%P@HPLS0$e#pjXmauq49^=3@*m%E-iLFjej5%dJ-uxecl@_CY5bT z{-zW6EBAwTf~5BEGvAl6y{2-iOxg5C+K!>7>FUNUpfU4mKjV6eXKByp8@g2TUSbmH zTxoss1;M!YTq9@ zJU3>zWzsRC=WXHSr@pIl>alDfqjuwD33LSOHU*O=3MS^$6Nh^1%Ohx7J} zBaX^B(ze91fsCj2O_<-szslEMt&Lk87Qoc*@=g`ywMKEY$e2l=@ZyxTh+iqaFeZkv zem{0tsatutOWq?(eOwqQfAYT$=CfCC0dam^oUX{ET?g>?Fhp7}Y??`Kb zTh)2XiUU=#1%&hrX-VJ`(EA6fA*_lylcHw>m+v>O4dev-?Yi2c?4nV8P)Uz9d4q3X z`!^=Nj;kfNBv5rM=Yz@&O&sBCx4&s8E4=SXC4@eE@{M1#30!dRX=c|pM@CBK!xVY? z8DH=@g9blE=ZUWjyMuT2%h8h~i2_D8GTY?^m&G>uREb%=MfWn82I@>< zNqsN-Yc=hSX}xzUuf7w?dhpqbU1sWX-27Y%?VB!!dL2+UZzGFSHc(GWHT;)2#3*7T?&UF;KiC%Cyq12U+#orux3sQ=Hb{ zhp%q1YlqWo}a^4yqUc$)ML7;p5O zOksn@%#Wj=7F)*d-*BoUu0~tGqusfEKti((8ETEj8`;DdzP6Z;aR|IBHTa)h+H>Z6+ zD0zr2_}2!jp^DLw^PR3M#Q_`$*Ws-km6W$vuEqaov7r{o^(g!T3oT z7XJ*L+M8VI*_Wznf6l$@onWvfl#8D_i6AxI4`$pv=h#0lAhptz z0U69qBhT~rc;5_@z5TGe%;nv!h%qds*^ zXgR!;>!lI!`x+l?avz#;1EeDA92zv)hxeQ3S(N_J_!P1`B+ zsi^L|ubL3ILFb8D%|{%4`e!aZxT1Xl9jkZsX|+yObVIVDDe*MddS+JhSvrvO{0y=| zy0@od54Q2$co5ZFlGV4V>igX!TFJ@M>@VEmU>V!hJGLvwPCwJ6(V)$(Y2Y45ChY#2 z8o$AKe$Ve7$^!XphOFuI9GDzG{;*TmcB|pW=R~}EkReXzjH#zQsed9XuV<+rmme>Y zDz!53-6ILEpR6~`m8X}tbhp{G&MhZ*>IDrQQ+d)$$5gZin{?QgaQ(%$v|+gnQuGN>ojQ6Vsj#;{vs%bndED zg@c7OB6G3lQwxzr@o?uT#~_8cdyAs&WIFBNdZ{>hK{LS1&<-8o-L8-P!KWEc?)YTxKglt>T69~{GSFO{ zuDL!tm(j>lpK<^4d(B3YTc6PQKE=Q}#}QuCj?{d6PRvS=?bJ77nnWW1e~Yev+y}{= z7Z*|fPcHzLkZ`>VSLmFZf4>rj_l207*kU@0R0H0yyJcDrSY z>|AH>XDJW3SX|BYTh`jf>%#nW3E6sObh30&TkmHBkLf*|s`>R=-MW8F0!R+pK(+^MmPL zflb@Vff_^5AQsq^Tz4OH8LvKoRed@6`IZZ1rZX1cdF5w(yZe5s%ue*$XcEM<(lJ(Q z2w{kSz<1Qh3anm$Ztz{^s`5Xf)q9=1{bVIY))*TpDuV~WStUXzIRvYf~ZR~_`O{J1I+d`mnleE@@t%`y?Xigk+Ow4)g2U3&O= zNUko6?(QSaw{db6JLMA}#f;4^#~jh3zYUL0p#B!ZvtQD$BikQ{yWhc>o>!8${ccom z6X%Z4kDMIpczE$%rR3q0)l?QQO$hN(=0n1iL|7iZX-56QCUfB{TNQY_-c@`PDF$w^ z)cM=iuDSIcjotJB>M(xg>eI~P+$eu(my=lg5B}|<)zb`3wSN%vV~w{o-BSu7H(lZi zS3gm2t4>ni4(^4WENa-8DTJ(hjbo(!$7LO-H8-8in?BjD#<3(^@=`T-v z87m5tTj{UPQDiF%wk!(@sdQ?Imkz!AQJ{XP$Xx#i%-1~i>7*;O(5Um&$39i&PYMEe zgbu7{-qo8sOb#fw`SY@PjmdE>Dm!QuYW}Y+>n&j`%|Em0Efz1Hp$h(3%ch>Eh5>mHvU ze7>n^;k9#|U^l7DU&(amaf~uz^P)cPZf=Vc51*3f88bwuwp817F*b`Tw_&cVN2ZME z&x#uJ9Ra;u3u(m`&iHjqz^%`IQ+khb*r1nnzI&=S721KokehCOc$?~4DnJNg62Ws2 zzNl#oA;!A>h`6VrPufvDXA4(-fmlt8>}Ntr(4$zqM2G0N@)l@Abm}|`>dV2p&s4v3 zs6eurVJGO7-D19Es5)4&@}D^<{{97|y3zkcEA_06T1R51E_nG$k8?TBgqzj>+?WPe zqy)T)xmm`9H{uO%PgeDvv>gDzQ~*cKwJ7ASJqMXLHn-9-KZ=QH3Kk8&pk7z*oKkw| zJy52}YDIUf={1|ooR(E$uuq-@G1<`Ely|}yHx7$bDYligKea4S7RraFlVF=-N!HTl zIpoF+huNlz?rESP`}oT@zx&9f6`4rrO4I*-^EzDq8pa84GLZeF&-(qz+#jRPtD{T? zYIa5Dla;yhYF-ZNjFVrnz9iKu&kZI0JCP?<^Wvr029xfS=`&xvx!%qrZYnLieY-K3 zuM_SCzvC_IWY&<&`nw*1p}X$er@|I3hbT<`Ve`p1PVwUL`;DaHyC*Up$Sr&+FwKhJ zUmG0E-5pQMuh`&I^847!wp4MnK6Rl`KKv9{T;d%qdj6TR1`^=iV+iFu@#*(-biDqf zD#>di4z22!RLNQ`VtCN<2v}~?##?CiVbb--z`}QIb+g2BIb+^!ck$|^3X3Y~aD6+n zjJT26yX!i5K`!8wK`!o6f{#=FnN!I@l+WMNTuE!s|2BM1(K;g?Yt1X+%w0Yi6Jk>@ z#Sv?8+YQ^ieR{CpqQQ5Mk%Ym;;3HO}hb_Z2Q>4p41sr^%-PC*UZr=0Lzy_GvG%Y6S zW=nGJqs*UrIkQyp`-6>IH~>_#Tfl-B!wVWZ9S;I^zkIlM&nD+-=?5#GiQ-?KJ5TMl zoYRZiyd<`M=af&pm9IlTLNU;RB3p|dmBPBN$>x5H#TR)OzF6H0DGU7P?27-WwT)*( zZ+YFdGoZH!W;);v;7yivG$Cxas53pUbejI~we9}NijSJ*)jJFA7jKKbtE=|dy6SsG zeKkf9n%$w-%hzkm{%Tly$75w`+~VhJIqR25j_=LE!zH#I-*l##f+X}yd>N{(E265LMrCX=zVhuhu{D<)i%-kQ*$&KH}jV3Fq37E~xJP}~5%?RL+wRvl`EEbqNnYMb`@Av#> z$%WoD+mGv>y&S^}#a0*j{=OEkX}UPFYH(`yrTtjZ$hCxgWA%F?KnHjwbik4APoK9_*G9 zA2Gz~7JLwg=`^Hy=cQ#)H!Y94mro4#th|c*b-(I~=AY=&Uo}9MHzmIstSwpey|GUT zRGia-(VC#o)^V1dNY+m?t6`Q#mkq!}b-Ta1+nH5?hdw^s=R!1r6&T?+xO{9^5~7^;v82Rn=2Mk*_O>YtcV!4Lg}XJU|*Ey$}bhvV=6^rEJkR z+`_=x+)U@KpHZXpDV4SXpZ|&E^j8=LE~EYygsGw;#dg=kM%6qwr!Ij526~otKdC&P z@mZ6|Km|~#Bhy8bcAwY* zyIxBmvuRgW=F|i_Uke~SDAPXEdtw3Kj z!wlm8II*g1-T8S~e27i^YVRdpA_bA7pI0bDeNGwupx`P5mwXo^f5zhW`>kThhmEX@ ztG7XET8y=^ugbGuGy8L}u_$PafL7BxxTb{i_=v@qKqtP*Z%1`1s3U%)!~F0OBav}qx{w%|pK?7n z*x)96uBx>PFJ7YJn|~%Vd}32fJd0DCPw{Zrmjd#2ec|h@TV4Z~ zlsLBk4`*)`73bD%?FI`F2u^Sb8ba{kZovWsDcmarhv4q+?rs4JcM0z94#C|W3O#SW zwfDt2?Qd)E|6IZatyM8)j6R;;r_1dDF|W44&w7% z_HcarX0RtT(R}BhCUChtb>zdF*ZLiwd9cnn%$KQTQ|s+SZDJuD$&A_>oGnZ}m7Bmj zjQ-lkTJ%fYm}eC;Yk;fop=F!A?srdJy-JZvZ51jBUpugI`aG2<4TldnPQ}_$Udwg3 z$xe_~EekPfubmiL9i9TTo*zOU zn@*z?_{W3WlW0{POja+zvYpj>1;77oZk_Q3o+89c6{0K^Tw3R2AOGo~dQ3V}QvY&i zBypYc%fR2ZNzm$Hz(O_3<(gk)sZ4=%c$*eH1|14tM0EBI<&tkJ z32;kq%hey^vx)dk{nXVbe&F*}Av#MX!N~_h^}!?Py!TUx92ni+ zKmVxk4zD*SVRIbi8h)C8FX)!tm1JgsTK4u5dYMrV1(C3H zgi$j-Y^vk+$95B6;s0h#xe4n+3Bvv*Xa821_)gU7nC-RQt4O?12Wi9m4l)Of8ZErd zbJ(2xh?}6k$5{dUvh$=&YbVUo^C&WxgA!;moGq7=4loPUXz>~Yl_t>Qd+&+0Yt}pD zE6j374MiV@KiXXGFr=DguJGr1{8{{EnXuSY8@bpy^Kt&!e03#VC4Tiu@R{oq^-#l$ zDJ2FhDMaCTrCOD-h-uGirJ1f?8R5P1h%nuEWo(hq^ZcR2KeKoQ@Xb(^cT%?*?#nj% zzgL91?S~Y*_ZC`0KbxuvM*Z}FioO0d5$(n4xB|Ps@H_Ku_1W?*QXKzWs!gBaQjho3 zgJfyS%m^QF-QnrF38RrM8ZF)(aABUA&OsRA?yt|cO@}uH>7KF9e7u#I|4Nl7a_uPp zfP8`7bf+>0a7Dfk4iDF12wld&+o`Y=#D*Kd1+EH8y`*8_y~4nlBd;{*jVsy=3`pLx z7YA7%PMTFLD=pEeQJd|AO;%XiOQm$T0ltXKF*s28DUo{hi6$6D&#dH&y_w{?B; z@=0N{U?5}lCe_7!eY{vkb0A5ewCHjs*c3M7(8Y4Kl~UJgp5lXH40F?gDBQYb?a4PsH8S=TevZ7`H)XLjjc6|lzRLh|8gBbHH zX!rfN6>4~R#u#R(j1g2UjB!FgNg2>!{RRBi^oCL3m@yDV$o9q&CHIuFD80s61b0i% zCkg}~oqm>{31{whI`{VB9~yat5oFGs#0`#TZ}S;+0#wrwcMV2eg}7T8vcPmUtPbn- zMvG*vMur}I4mOO{+)XBx$KxH0b~t)yTogdjm|R*c{+F(3=%xx*G<<2w4*|!Xr>y+}XzRbG8F+nRws@X<_o2(#I*p+!}Y{TIO zWKz~IVNL2&G?UP3G)(NT;=yme=2F5~O($8idUR3|jjlJIVixMH8`vC7n`jPmlxj#W zab(Beo zJ)-y7@CrG1oXkim=0ohevobDBmsJa^YBfC<^6N6vEvDibb<|8%>|a>CM*0mg%wb6r zt1TWFp>8QpZU)VFIjH+{AS@cBqbG9kp~}Ci2ITh?81eAU2q9|h%9tf*1glJfFL@u= z7aWrdHOsxT`nzMbU?Lr*v#6TSqE4e+uTyF#i&e?M1oWz(*jj(Hzh->-q}}wDQKyN@ zWGW9+nbQyFxv)?RB$)B#npe4_I>i3>0`5@aUqPKZ>d>OptKOhTQM{WRmy&A9^MzlT zSCF6fe4{6}fmC3rwrprsK+=g`wJavaw7x#+AaEO#4p{Kf#sWH(q!z-i(xnF{x$)jy zflMszO0a^+oXq!I7~YrgB)vzrCCW6}Vb4Jbyl?K;-V4v8KW$LPDT#Z|Yh2pOs(9|~ zYOn+*Rctq^&7qT+C+phFdZTkI^$*Q6SM*Ad)v1x)V~kdd%avtbY9U%=p{pfvt-Tt= zq(vdeM`3t}T$%Ao9_O+d=@phc($ybbP8I`wlvT}$Z0_xQACt6i*MW?z9YVPxhp?sn{<`AE^?C(pNU`Zt% zTkfwMDNz@5?*v0oVRgoI+zn42+kc)rZrhvAL_I&bJeZx#FhZEa0WCkM_0;+j+hw;Qc!rr9@IPWQqaKE#}8d~%mdzt|a#S5o;@{Zd*ZaHueo z$?sXD3E_1-9hlWU0-4b#-nPa=TjAPJbZ-q zLow%Mw&$4=l?(-(i@nWKOsCyNZuR#b4ba;$IfoLJqLMgz(DVqASSKKp4O+-tPkfic z8fsrjUlzczvvpA5V}u9ZE<5Smu6kZNHK+gd*ztR^Q0Hx`9Qwcc9*p5LNa1s0yy{)Y zNKKaSu;G@0?z{it6pz`v_2;@zT=_S3fPl?p#y*N&gSLVPa86)oiK#TXF^h zO8ffuPeeLzzWt$tjqWkA!O`qQ^>1ajnwD}2+QeXRUxdu|#~D}HIMVqntUW!a9nHliZalEUpUgmLEl|LK?;E0%k#mEMK8ns5%?G*{-s_5_*2r^aiWdCe2 zj@XY;2E@-hC4oQ9Z>)tQ@cS`bw!h}-&O@IYVi$=N&_FV<2}?lS(EJZ%|%Z9nvBk8?e{L9CR;7&O=d2X>c{1} ziSbFG?wLzOA32TCLu_!13EPA!<>pG2WbUu`O&~7C$3{lQ7RIH3e4<*eW&nczk?5)Y zs&3P?;7Ykxs?nmdXn#ZnP**Pk4UK{7m_PxgV>&d+ZF)G_kE7bDlGT`lHMJ+%ZrgNP zZ8Sz>rqUFv`PlN>a1a#Z8|YD=%vq=_;ZppfrjV9#*_Z5vhnkjV^JV6*#QX=@2~e2j z8gnXnhVdcWHJIHX#RO{`+_r#X7dldT?v zyYu|V^){~*vgfFZi9$CJLzAHYB&sV@M3!5(^2cz&<#xd+BYs7DN&4Q-#CXH;0VvP_ zD3Gn@WL`;#IWJE>RpZ{_v_0FB{a*}0z{X&O?-c#GRJF}(GS`~xJwHtsOI5U}F$>ah zdUm!oTLi>i$#bmyt(#+Bh|fYXt3fyOKrC-Pv7m>D%k>FmAgMdvh803HkNx40Hyk3h z^+q?V`#p|SGKIg{J#+Yfw5#|6e>EwmF-=pPF7I&-izt1K%?m7Cvp zh8KFzaw7%e7HdtVEJ0%8xY#k7%KEV|aEJu)CkBPuVjOPOqa~j?tybI!1PtQV=L+@V zOqTPa^$IYT5dje#7l-kKa$!~&0smwL@|KIB(^-3iM49$)Mqu<8AB^2AHJK;14ZwJ; z_6K&!fQXIhx-i)jBjC=H`_k~TdD!Z*JXb!q8}^Ee=peZ?|A%}r99feuFT5gbzsVYs zaJ#?HH^9~ObgMh#Pln(|jih-`Noq$NTmQWlOgzslxC>a6%%$>_7=VAuIdTycnvOA18$$YVQ=oyTtiYF<#~nig76u{%W2KyY};C2hS~ndFl2srma$7j zSk1ivxcOVDH@wi0S>Ojea4okL7K!s_(dSOhpp1zCHjs zv%R=lX80mrClbyqd*ZH(4SQeKW!6aoc+v94U9MA`9wxW#P07e~{3|Yx&Rx^rE$1Am zTLZBJ@~c)=`;R1Ps%^$j_3eR{JAeXJIIfzn!LT`!kvc^w4scvlqPx40;)hFo6@V3Jsn06#8{kJFkH88)I`4vWD@W7tWP0%}v zSB*EAKvtKma~HoiJdkU?v`ETpt>}V|3iay$teg%|;c9^%x6xx7QcTq@tI>3#8k{ez z)FF~b^LHb1TZ2K?N?U+mXoPA$z~R1o9n+_rK-ux%Z>F5Le`#EGWTzE5r@x$G&OPxP zpEstZOEqkeB>fVB9JY_8*|OP4b_Md8=f7cBqO!ZbuXpw!fh8}t2DXc9ivc&r;eSY^ zW`@^P%^Vg>M61+H+Ex8`8IuF8`nfa^p+S%RiI!C5!fz`B-Ap7wqM7yw6ssOY_vs8D z=d$m~Tfu%_Zgaql)%HPsZ*8s=!1U`a`2)Tn@Mz8bb`*73h1WkBBG66p?T(@9xd25{l;C**ER3Oz@pZe`VD{GNSGHRD#Q0<>{gU|C%@pDS+*^ zllmmhUQfN|nJ0gJAzE@i9tiaMZu66KJm{`(u7ft?G9C0yF+VhS;%kv_L`x!)puxgu z4xht%e+_U><6Fd=#=Lk#Y!jn0&Wx_RtaWELi1Mo`fc*6a8)Dp9HW|zhkKtHyqmf7f z_(o^afQ<=!Gb4{-rKmu>z+L}ZU|X~F*@^*nrQpjz5CN!|g$InIK?XJp;;0PXSR&_Y z|K_{C#J{8wm1`NNvh${=`7htsSMe$ABGT``2Hq}ROQjN4sj|aKEL-hXuG4sb+!`xn zT}h5ss^`e38wr8=3cLBFvetm@8NxuBg73Xzy(NP)gAU)^&$>$NY*tnzCpooz8KQGd zyd^nCFJWacp#m`MP1Yj+uf-^ZXX~GF5Z!Oa;c;-4{@`v)35>Ghn z!|<5~JKP&iOFaY3X-E<8BIRa@otHoAMBsC%eN=_$-E;HrMzZ~_54rh`6s}XY;vP&q zd()YNA%~b@59sKJ8`ML2wsWLAwxMVlQ=$*IudnX)P;f?tnUS1w1Fsa|@8*_O&@PB1 zf5zFFC`z@FzHiIPXB@u)d>lhQ)bti7Wrti>eV7EF4SYsuKE9?zyp8Eb#ujsdx{1Ynjk=RJ)p z_-rQtXaEG!fTGSQB0CrLM zg(izsh?dhbxjc;`K>CcNsxH=8=0h-PSS=QihpvC2x1wjVyG9)Sc_@}@4kZ(8tt7EL zUStnvurzsSsBb+f?sI=~0U}n{Y7YT7h|=K34JG|W+W5t*KBP3t8m@Nz&LlUAdFwE4 zn<%|dft_(5J@4Zm>xjHz>!CpReRb~t*%oX*f=+g4Kx%Cq_?M3lgc6WhM`t<=mn;A9 zxY9=?yPrSo1KS)Q zyOkJBqN2I@v!y@Md2fOi@HZWpIs0I8{XC0`W6)hVMkQh|q2;Fx3SMn7A_D}HXw3*f z63(ytBD4F;kz%L4&@lAJWVSXDr>kyA`frE7Hjw3E0EQzM4|V%~zzNZnb(omjvP0ouh;E=jV9}; zy@IM7=a{hAetb<8Q1jK(I}mH{VqdPl+-2@q6U!6x>L*`we*t)vtO;7nLrpGE2O(Uf z`qOzjcGDT#&|T>UdzVo%BUqjPh7A7DuOa*c35h-eenZKwUfDkxyHH!BL0+r2?O&17 zJpdv9XVU(Vcly`iOnzx)x|gg8ftD(n!&@S@fgDVN=_NK3ZqVQshb9`&EiskRnC{v) z);t+X_a^8w#+cpNqPX$#d! zn?k&W{ejY6Dg@(~Y*Mj{ZMR=k1pmzat2-~~8A*($Xc&)&eEbgpz>!<%*N2=TNq%Q) zJ`-v1I64CEov$UGzTup@%JIB_vai)>BaT%_(#2{xXskkiwG+r~9vBL7mU>*aW{5fr zx3G{;=dp-F6P^x>*f?wriP+7XBLGjXPtpE&Gut_W|7Q#5fP>7JOF!o@Wug1?QCgh8T(}p7(nuFIOug4>uxqb-jP3$HyT!nR{ zC5e9BdrxeeJ}gfZ#uE5WfDb(^S;9U%2_Gz2G<|^Hy?oZ{EcA^bk_i?lU1K;eTEGdr z+tR{>f591#HvQ~Ovrxs~RxJ;$%T3}~_CW|i9Bs!7>yooJz+y+S%4&tW)SA7?1e=!! zTU==wZgQGYi{4-Tx=*^F5sfy;A7SBTNa2i+AX&88bJVQ*>I@YH(2k7ztF8B+Lq?IIUTVfRS|Z;11kF@2=<@!k)KFV1uCW3((Fm}N+J zy*Z$_-CY`ZjYJ4EK|r%3w3D46^99zC>#qkY9ODvlD(U7b!qiJp-W8Eb1 z&z<1xGMcl&KA?0`042EflTz0Dk8Gwgmc~tgiubXzZ`K@+dOtFgYv9fc&ihP;KJMNM zYEq2^z21CzzWqj6zh~TXU}>KfeW@; z^McC##^An%ZhI|KdfJpGz1DVy3xckr_p+#{5p;mp!w1{%R#Lh{y@cA__@tR=tZ$FkNJ#_w^ z0r}1(Yvs9K1p~D1ERuVShzSXg?r!1-h*>BC|0T2FQ6tSfTOBCU`CvkV_>k{@e4Q9T z$I1}QzU$QBUwVp}gGhAO841-M z3x}3MlO!6Gp%e87jc9JU@mlfz+J%GPI=>8IhY4N2D>Z!LB>FR2;nBh~S)l63>8^&8 z0a=Y_QvCvW>`w3pgOfzN03RFhdi%=mxRI;s)0_M=32OM6@sb!CS<{7!(x)Mc6CiA+mhZFdLh=o1!-^?3eM{Gij~0K^L5gSwmXRGZI z%F-0}&wX;~?1!!K;zJ_APqoFMxR@RRJ7Be^mP*g~?&< z2CZ4ohx8&*!{uN~L)1J5nJ(gb#iR<8&ViYC$mHij=f-$GE1u@Z5WaP}(O%xBw^ilS!X_Ct@di^yfZ4^HS@q z+^n&As!{6o{V#C?*gKP_Z0wLVb{e>)>-yi+P4>+z&?xn!{lLPJ+84$-> zlNpi4I_uSpg!2-HR%RxhsuE(s^F)xvO*+s=YXlzHmt8z1y!EgW zn38b*&|a}fwm+PX@o;x(+E2$(nqem{Da()bi}%_cvlq)?`Y{{_AKO7Szx&$M;~YMcMKgq9JNe#s@i z@A{HshV7}VyEk1V)5%=+36IT` zaSiW2m{?xkY8v(u^A6lyf8EcQDBzGY0X*N!kGaDsR&D6j-$y_E5j5L&3=={XJY*3X z)kS(*7m0t9pD&WUAs~7@|5O~7`rVVv$IQzNv+!?x4l1!F?TyiBl8%c58d;rpnZ$$1 zzoy~9lflS-L}_{bpL6|NiQSmz-#CG1iOGaWBG|~fEdJbC``wAfcJxjdMof*L{_W`$ zfdf26IIj(sG>IrQkH2tjz+8oS>*fb6TuGUy-kZA)1cl{J0`LlI1&T~c9QW^;6Li;yb z`uAhi!xB@?Re&EhIxSah{8*<|FOw)olDAJQdnBERS+?pWEc(4Sv0D3wNI)x+6HrXY z9`iaZx}o6S3$>=5v|5zU^kXl4vd$4>^*s41RZv#V#O-_#7xw|AbF$iI#rCxJbo(73 z11*{=(0shI)jY1g+)#M=D3vbU} z>9t_5XTzpsT~j@~H^1F;Y%72n5L0#hd`g@x40klC{9i(~Gq4dgqRDrburfZ%l`oKYp=AQE|Mhn`imdYY9)B zVg1*>n)~{CJGaw+%O9_QX3Ja>C1>f^$m&2?a`pG!(eV&g6?zPpcf;v)&JL*CJS0!%e_pw!LCRF99VmWu`v z3mu95g$63J(Qh+cBO=L-#76-O=^xkYc)+KO4&u2=LvjMjf><{z+@D=!PWq)8L7wEi z_D9nol~SF7SAWvH z{iNBd_@^2U7!!Qk@HvFKP_Fs!@=yS8Mdof_4k&3WK@Mpz)B|rO8x-9824kI0c8AlM z;1JPme|uu0Zv7eKsk03|yh;;1f#*vT0}QEY9Zs?$I+Dy8*3BGOCri4dd`R!*!KqV~ zxe^T)f}|xzeE+amCvbeLQ*C!x+MFhT4wOu82KpkFYA&x~a5c{B7eMcrk~XiOyoy`u z&%N|Fw<0M$Q)o5=ZxfwNQ(F7%n$CoG zpioVAix18=&a`40>5Mwhn!O&+{`c1X>ctu{G*VPu_l}WvsOD1F|AYU$Qe>??x{bJ^bn9jenqX4y? z&hl@=LDdA{Wh@>>N@1Tn#atJVGruj3R1$f%R-?;Ig?5E;rB*Y36DWIzyShrd+NNmp zY4a*g0ufe6c@v(`7ie;p6`sO!KmGvPuAbVMjpFiFQ)NXrsg`GTYWy*$f2zQ>@Q?Y_ zAp6n3@Q(lLQD5jSWV%F0w(5twHWrnn-lHs+^@iUk#rRXN#MrnG3SVht@ee=a{vdgt zx|2E_wK>(1WS`*z9Q<3AzAe4n))zHbM}o^W1F`hK?ToL3xzWrJXIAe~i4BVj`|!_o zLygS4QaI)1f(h7O&(yu!{dqNytbRT78fx+Keu?-s`Ie*Ul2(=Bz!nGIM93Kspm5}H z%+_7!&oFoUwI5i6#!45G3<~h`DP&qqeC|fDQgY5 z#%v)v`8zdy*+?}OFUfPJrt93t(zruJxb1E|XJW&2x@9Gwtc#|1=o1dz{tIm^Gp#>Q zWHXX!gIQ^7cC@uo@G7Zs>yfSw!7kv(JOknjC}&J(t(SHpJz6!Q3{l>>t(L-O0!&L? zX3tH220ZRK5HhH*oSE_nb>d_*zh0_wrtdp2vg{SWA;)Lb;Zm&#w-A$LW=06kk$d{` zT9}n$w1cn_O8&k7v-B?l{7bjeE_-Vom|0lQuCU_fJqbO7o;@EWvJh#CQ=jk<-xVwsFC8;+!@HgC<} zrvDUY!0f&RVMp1Yl{!z_UvY;kYP9x{Gw&se#ZvPZ>${KpKV11^AuFkBI?hnT*genf z1N#NfGxSF5OBz`VhLzBI^F{K(I_xk2DaA+YY_nE74Da%a6|$lIm^931fZabjwCIr8Fr|21)?J|2Op5>usVd-7^6z12?abazrIBE94 zKEs&L{OFhQ&db!E2?Fr~f=sKD?I3M25zZ|rkNq5-9ulJffZ9wz*9sbMnE*xjTd z{Z{qppQPDYM$IZAz>K@}tBV|ejO*gROwrt@fFm&E0@W= z+cnu{qC9M-R?tL|v3))E9=4=Yro9Ubpb|fcesO1Pr)>7Q<*+wZPUu8feQWjMxcuK` zU3l_WKI1b)_0&?Ga~WRM$d5RTTCE?;d%`KLTQD%$RlGMJYFzGZb@@x@#cnS>fFaPk z8l#yG24g8XxV|7_8X$^eja*&IL{Cm_cMqKi2`UY!s|L9Uc*qXMn0P?p(boOA#X7Ni zAUYc`Mf~`FOG-bCc=j4-*#WUPDb`GENGqv}JI6o5!?^TZ>k=GZ;jK0|yt(rj(^>F7pd(YHgg0F&lSc&No!JH61RSzfctu1sIcZ9`Rx2zwGL{S z^Thh@!I1NwHUdvE6L{(!lmNX|3;jaW*eD!^s5_hKh&eJ7HE$Z8ul?NaO&#*_cx5#) z*Iw&e4K<9vNmF5j++SHCrku|qoCc#aW^>>7Dxx7+E39q7)|KEkDqu_=G$VCvc1N|9c1z)Mbho8(!%H=FL-FKUjYbG)U`Y++Q}|@RM3PvUBOfr}?N+dZ z0kk2{p_Gu-b~eom$!T{iGqDO6(ho$y5zLm#rp~g#p!fDgkR|RgEcPqdpZbYcWJAxyA3VnDEMGo&uj z;!jzwIcP~b5VYccYe69RBM)M}^(5H3l40v<`??sGbPf-fiv@2^_@yl+qn>;x! z?}Zb}?mueb!mSRx1WYT6bvl*zzMXUFJRrsdItjNd59&sP5zdS2fRT%{_b;aebu-^V zxNt;sKL>t_FTVCQ6jDYPC2>?XPmb>d)b-dSwdj1{>fAS~BL6t_n*^JDT_ zwW>T;2*}(&{&M#)!>#stU$lMo;b32Mhku+R{lBvS2Dml>3zEixxm?j^1W!A5Cq0s2 zJ1sYwiwoLqD~b3p)&(VNRKV2EJwRd9yAHwb|rz1t71b3Vy8f@Qo9Mzb64 z1({(kkY#6GBK?3+#MSK6S7t$XmeVGcJ@WCc471vMa;7^_g*Wiaec%|bKv%>6y!I-R zxDmg%t8=^{16;$$oyG@@0bxbP*Fs~feMHGJKKEkmRPJ;WUk6O&dM5oHVzV%hq>Zny z@o6ry3IdcPVh7)YF<`rx2JC!eDAuJcdf<^B=L0DZ=PGpXf< zazAGhy9VdWgyHnIcJg}d)<@16O9sfw^~r+lMJqIb`*sD<9|4$sY?z>E6u*TKg{Pi1 zny*}>_c5L7x}75w>6AihtmZVnvA^9AYo`a|m7oTTRAx?n&!w96s2i(C+?OP6ALLVK zd126n&jTL{N|%&zdz`DFzfYSj3qm0RhC^`)2@ENJqpH_Qi-4p3bftw}_oLz#5XP}R zz0XEE#*|I*uEuOi8UiY%7~{V!u^z+ua1~AD0Vr#d7?^X>DB`un3${B&yD#+TDwx=} z6lI3|wJo-z#0&c;wb#4cw}e8nfNg8B#`L|#lGCb7jJ0*!>na3>r-d&xa>M!-zUL|3 zj|%5uV|O+QsD!M$zFqEhK?4UbT}uNRS+M~po%)^--7N>q^Gt)W`VmS=otzeTD)tTyb=(oGl( zp8tl9hP@GU2v3A$p0!E*u%^s{_@E`&S5_H?!b3b<+SE(f{?d8BF2g&+{=jFnw`MjX zOjg#%&g9lfg@l3WYxy3eaK74T zM;CAlgoV}lcrE@L2$CSLDNMaw_q17Shq>#v)uA zpav}k?es@?kz*o+XsQKqlXH=9+bFwNx+}|N@=%t4$k9GfF2c#C_s^5hlxx}dU>P@T zfIdB(w%I)1A&cknFciq8tL)yTbq8T~&HrGlhG@N;z;&;9m9~0A!n>W*`49q;4j{g> zA=PyKB^wI_*DQ&26*buIMkv%C?`8IdnUMe(hx1+Ai`2n%5pHl!;p&7!=~)~E*70VU z+deH3FT+zOLsjChaY1|WbIfOx7$jQWyXpo#y*HCslDWX!eDSuBMe>UFCtp__iJ0!- zCv}%3bBY5VihYaglFYlqyfpsevh9WH*DP;vGb(1x0VZ#{B}oIAEMxz=<`3=#!kn0O zVoT;2SToPr4%CI+l%0n%7*eUemAgJm1AC-|VSbJhNW0ZRkMdABpSr()^$DwZj$N63 zB%RmD@0sDp%HFI`q4QBU9Z>WC;;}4Z7_=hv)D-^K9SN@kl9=ocrpia((6i&Un!C>6 z^_(CVfDHs}PepCCWBn};FZjFYs94>Rv;;G&J-eCp&$qqoA*BDl*NXPDh;y#oT+|jKZ~#=G_Q^LO~uOHG-%PGl?t)ww&B}&5MnsbZKJQmGh|)Oy;{$EQB?^%vh=Mng{2~>8tOqi zA@b`O!!;%rVfGf%o8Ju6CC$AC2wUghXt~(E>TJ4T`}O`ny-Vl$stO#A|9KPhCQS`09#3_xkN*|Mi4sSo(MH_?7+FH*5O=Hg^N3dHtMg z@#c6}MtieJPMgP3nq-qs?07MeEOg8{HI-PNHkH{#k&xHYjZfUboUhbeTEnMrw3p7X z_Dy6i$@6m`lulOrw_U{48P84vGSX#mz&A6yhY@6?v+3W#u{1jmrgnVk-=&A2<`=lv z2WwltWX#W&Y4ajE`R0ZPy_P^)!F(%+X_b=F$9x$uez}un-ypV~#Qj##MU0AnLth3g zdrpu`DF_}>H~RWX41AFbCQ*29TA0S4r<~uQEQ{Nq6XX~i17s#d+sA#}SW-`YZwtCX zZ@K4?f?8J3{iO|-fu)azs1^~O_{BeMBnw!)kZ~-;_+8kK4EuUzvLL&IOhnsEV9fI2 z+(z>muqaqAGD@C`Yo~+`kDF@#Lxc_eYg_I9-q|2;9cc1UViLuHaJwd}jvuF<9t&(W z77X^;59-BH!~fk<)q~$Lhj$`AP9nz%Cm`~xwceZr9>TapJh0s;yJKzx_n{S;?T!k6 zJi;lp_2AnJTSUnd?^gx;EOT<45en*e5{J%&b$-_g>T;hc0{2b(yM7FU{Ml$VMaj0+ zX*aiA0zV-;`GR$Gb35d*lEYcvdUN`X=laTbQyMq=f0vIeEKi+*u1Ul)u;7H^hhc8x zv;{jimT_&(fsH`um6e7O%wNu;b?OWS7W9XB%(hg^@PBm3d4$EIlU%PA^M%lnT~~pK zuh%tFKPXtN*z4ew!|vB&hD;I5EU+ZR5w(|7mFc5P&S&lVAkSkl_kaYh^>qg1Nj{rX z56fuwc1x(yTTw__P3PEe7XatM4vY0TUB=l53s9u_xp+`H`*zTML`D>@9$Vf!9mcH6x2-zH z<1kpRu{Gq9tm{!SrK~iE&xA|6rj6IqgEXuN|Fu0e|0i$q|Ke2q?{DEhhbJ>0TMg_;x&+otDJ`l7@%gx$J5dj8`C#^=b>a7S#-I3Yw*%Xh zd%@vqckizT$I|SN27n-w$`1KTY0vOV{SxA<3sv28rmr?0GhXPjm45LTN=o)m*$~;d z8jjN{$~nwQvM1a{7o1;|K-{e(Zk0+QHT1OEC9&AkRN>u(jqHh(|=b`)>+|Mlljq`-i0 zwlFXg%?%HGZ6*1=5&s7xjvot`=vh>^cTQq!Q=c3$<&p6oM)Z zDgRA~_Q3=uw&y}Ob7V5*!Fg`*3$>u#T`|Y@1kdwlb0AHF$OSqSK&qh2naZPDI&)ZM zrXasj7lLGHE+nE5QVLrcE0@J=^ohSEB`IPUfsp$Z>3c?5+wDG5et{q_Lq=`qXf;*2 zqe^{7BD1;UTWD;QYt#Z{~KLq8<=gmu=dJ3-A&hVJEWF6OC+&o%?SG zn-LdJ7Faftzef;Hx7`2hAO64jVVDvL9>ywg{$R}*;|%B%8FJnauVcR7ps7?jAU~=M zV34I~*}3oy%_E){708h&zz?Bx{{*_orEEL!-pzkx83w!T6U4%i*~DpmFbICkd(0lR z$G}!#Jj$bQG}IXDz2=w)?W#T=JYEzRsS2}mcypt`(KKA#Nyh{91~Hr3>`S0n5u zodr(Wg^jWoTca;`L9(W9pPZr`l;J$wKPYLH_9^P9 zk{+pdp-r?7J?_P$xGspa6JY>*B-9(&Bhr7@NW3v`;{Wv;si(kL&cq3{vLJdO!m?0) z5?IF;&WLTN_7Tj>u)mYqTf=4vP!f|D-BXW^yi+cDzh`nGA;AYva)Whc_&h1W9haE| zK~KMs86(U|3h~#0p3_5(?kFzk=FTO`wFX7Y*?ZoC%48eIi#=vdu`CK{c3o(3^VD!? zND!nW8#xL)lg%#g_U*VW$%D*GrmBB6G)Yw;7(dp&>-scU^azn~*dw49;1^*uACPx5 z4`R}ntt(Lqy`aad3n_Pk1Ui)r1gdps_q}$V1-=xjkfCPP8i8|)X5rA2@b(gswODyU z*)hILb6>mT9kWD^<)6NY{9`JY zRFV**Xt(G_1rw6kFy?uZv}Y-%1Rs6$X_Zoo&Sur?UPF&Z>MaoQkuu_qA?m)&O8f!& zyTcHA%|~1~!7HQ(MMkKJZ0r0Gnr847HQIL5k;XE;btnlTOCEj*=+m2=Z+?}8mo{)8 ziQ6VsZ{}ekaygWUKBbHw4x=Xb^1F2XczfP}%Ha5|zlUa2ntns;(PNw>;(>RCnx#KZ z%Mc$G5==B(s^Ep%ulwqFbW>%xDHj{8_YvOAJA}@1A~|s;dErT_{r_1JVeQ00Li{kN zr61hQKXZv-EUqE31js9MT$OZ@`BeJ_sftC)-OTHupi8-!Q&lCBwAkG-(Zgii@$+@DwUZ8<|#w+bsEovKNl2W#u5+Wb@8e2ZTG4CKdilnUz2T<_kD>dSm;$+ zC;}n^g7g-V5|kz&y+lA%x^xIlKza#Cm8w!AQUU@ZEucW?(t8gz^n?Hj1bE`^UY~uR z-M#nOy+7}ta31FzbIknaJ2O(K0@;MAf>N{8A8UUtY2K7_N#sgKaAY{Gnr5eqD7BKk zZG8yRCX&Z{Xp&YojYDp-wV z<5t1mt#Ytp*iplV$p0(D_zzd$??dVfB{@(iXplMvNlL=Beky#9;v)xB(g9-R3gyW; zrN0$`2KjKjTjH;*oQ5A{Bu=iV_x#wfH<|8Al)`0cHLwJ9ufqIQ` zZhn0hwp4m82~{YVN$kjaK^1@-W08AirYFWuu#3BI;xguGyQK!)rX4fR^MXyrmSh*i z&+!FjNL&)L+YtMwzWsTk+Q+=NGIwIv$rbVHlH|XiJ~mesb2W14WVOH~aX0^bK))W% z#rZ2U5{lQ#T85iq1@pH}?WkdoeZ8*(iH3@seEN=$m2uQ~So@yjqELO&|WZ z8;q*8RTZ*5W^0B@4YIgzu#7tu4 zdrTNgBXkRexPPcri4IT7cX#N_QMw~2%{C&;?6cBoa%y*Po=N-}`xfPSPdA5>@&?^1 zJxv_PaJK;a_oEvs(|6kkHJIS{o@T$GQaafDY!8=hcnMHQvk^hAT2LNDiUSjlx$tvnAKWnSEpYC`sE+QG5<% ztdpton2b~gATpLe=!=Ios@0trhAl`5y2-v@+ZBN0UvL>-=4PJZb)dN2y zmF5Y{uwrwJO#s611;*Z-q<9kg3LKkfHM#+)}ZRXJvZ~st>@8AhLc$Zj@%!>N@=uS#Y z*PAjPe5>jsNr7~7&K!P%oyD4o&SWo`U?l9+-fkQqv;~SPC)%0Pxqqt^gxlIZMZSs` zITY8ZsmNpf3f}svD!t*v%wHk*P?k*k;T>irb>7vhHTvV;bbq}U594a3#l?o^MONx^ zWO+P#&S3E%(qD($27coXaP?J%6d}#~lcBZqE#W-uh%m6KQpF_JW3XCdM0wC5Ki*sQ zzD6`G6E_(qBQCGL1tfK=Z-rlBCna6~Z_(wya*3X7WGbyQ;*P<5e^e9@WiVYcUJdmm zM)h5uceLso*zL(rET9h{xNMaH6k4%{UztG zFwH0gn_7oDDbPZiRBgoYDIjUbo?K)aJF{Mv_A(8=e|4nyU-6Kl$WfBO@kdRXj(+_n zYLP)jmqF&*IX!RC9BJ=19l9_S{_aag%MZ=0xVmT4$$+04gxU(?H+?Z)&fu^4;z!Z8 z4hi*v=ome*W+ck&F+hOHGP?YvCJ|6R%i`J5nJ3k6m$_35Tq|d$uQ6g&?J&HP{isG` zY3$ttmuE`sKO_Bx>~G@QO{m9fbm58(UnU>3_7>x8tWJixtZF&GkA5M>##kfDoGz07 z;@@D>``)9!DJ44bBv-d}ivz>GNP;hS6aFW<+kZZU%xc;@q|X+(%W~_cL9U+>j^9E1 zU3D?U8KWO(b2MRTdE340Ni()G()#-_>Agdb8qze~>1a!@B3B>>XKiLA*wTj+HE-$V z2v3bH7v$l;L2bfkS2?ngSi2ENo~IV-;x*!^7|p1};sl%CEK%AQ65~^fN>I-$rsOm9 zlH-`wH58__;kkI<=Nly)cQDEMe;Eglt0xH`JkaPW4|<_~mNQM#9Iaus z7b{61HRPs%KGE2T{!K(r29b9EDxSQFo(uX<9YJeO_(ONH`Nc1g7eT8ixuMdZ;`BBN z;v52NC8I4^VA9r( z)z~PSFoi$@SK)`qz*>iKaz=MLf|E6@{M6j~wd9y|pHaA|gdC$`vj@GZo#Uew@b6ld z)rq`HeeFOgSmLm;^w*4>vVvFl$nx}BZ`{B4&xHoMYJU<0=}j(r7ca>lD!jcvnZi8V zIjECy;(fn3=q4V2Z%=~bH70)<(z_@6@m~@vHe2Z}jMrc5ylP_=mPp*F9Aj%9XS~c= z`x^Z1no&o(IEHpCky9Qu=#-1M*IAX9?t$lg`a1eW%1bJSeqzOP?-_HM-(AZq5}k=x zxi`F3>3(}Macnk{<3W$@X0^3ZDqt&8HcBs^?_@OG$yPy(g$7j}%HAno=*Y!_5kPf?fN1itp z5eZMpBlyT3WvAs)z2=+jhL>GppDLJO!+7&mR+w(cB|c@j8z~2rCdTn}ZwWO&W|Di_Vk%tM$sqSIt$EB(Np*qYxa@ zA>x_teyJh8XtGBOd?Eqb*LPlYL76k<%;S*htPc{H7HV_T?upFsN^QP#@hee%xj z_K!MqGUaI#>i_&F+ob|ib3r&;{UD!xLc4w9b7AGwO;s2X%STP19Z%DwZ}WDC zk*#PVU9;@d_@&z_g{o0X-`hnG($0J0NV^~^4WPDn08Z@!k>jagx$cf1E1*wpd4c#I zuy`S~=-vi~N5cV13a>S+qH#rutX~sYrEdJ3xqCO>^ltp;XFohreHiuH^1RuUH=cYp z(>`EpmM*iFpJE92i*{wTy-N{f#^SS4qiZ=XXRmwywYfxDn|-vGi*D7v3}2Q8DgR^= zIIf^Bd{ABN-C;W~V%|b>4ORfLU##Zw4^_#LI;NjulSVkK4#<%@Pk7-6Ij%k) z?yBPZJeF%J&)-tUcH%F+OuI2v1lk-bdS%`;VOyfN$3Ofw;uN;Z3>Gc_fxlkj+4=i{ zXfogbydd~*hUa;Y3`051`59mLS*10ch1{1i>;n>q(yl^gB3V&S>jmbMiDs&c{6^3Z zBhfqo9yVGWtMK1+T2t_qN8QYvfug8xu}CvhLn6e8zXe;Rt23P)SSgsdJy_}!$Y?^a zXVGH%X^kmTn-Ji6PI9^WvY*L@c=~$#Dan(6KdG!Vxi@ZBnyA%;B@-9(ypPnw)M{9w zOQO8dT|Z5$Ua)-KZp-l|fenxbl@*XSQgXY5jt4p}Iia3jjuKAa-Y`=&Ro&p(NNxeu zoV(v#t;O)hf9jwd<=OAE7$|-~XCM}3QMtLILIa4Njx$@DNdR}RfN_P@2*%pJNfz)NnYcW~t- z$(YtXMQ!(aV)S~ukPphlrl7N}$2yRI`&NMoDcIu#1SwVXz>`&P-wtF1M#^1n#@hAD zKbrk!ZA(%=Rx|Rrz+-)uKJj!!CP1!Z8})hWk;zFcI70UvSK~-`anoYTWTwVX_w6kn z=eMTL?>~Pi^+Rs(zb%M+Yn}a3Y~ru$obO~h>=WAQIz$$F9bK%IXsE68%cef67JRM@`8Y(y|W-%Y%C7WF_#0M`jlwFMA6y8Whvue zw1q=>+C;wNV)FksWxB7&{Zui`$JE&r`jJVFDlu7B4aXbyQ1i}Xhc_`jQUts3X!vdR z?HCbddY?D%qvH~OSoMenrx2^sXvC9{5Zep8Q1t-=V4k?NgZ#IHfMi3sz-G(@b31y+~~@imGVz1_n)NeeJbNK?gIhg_!7}3P0(#u8X?X}u?+dhXFqMq9aDatn|&n>ADHfzj< zn!0>_JwK>-!lEZg(`0LgHW#$m;YVkI67yw3eP;i6g8lzaLPEvZLLp@HKKh-DuM0k_ zoV=an!J0ny3O{IPQ=(#*Rp+-6EoS=7xD^{kh3H!)DT;#35R%JRWz3fHiv5`xDS}b+ zGYmq7F9}-RtnNa@cZ6YkGY&V+hj=!sOv;OBynn)fUDXdJ^g!k8ww;)-l*>JAE{N4v zyl!`oR1KWw$j(rXWO_)>hH$PR2PscWdaC*Noq3C zgf2!^R){xyR0=2wPCJ0xMeLp%t_?SMP1=UH=(aYBBGdh8L){sWMKgKLd~=xXh2bQc zNXGU??&(?@Taz;(CxMy%U>T4A>WaRH1e79=(arx*ttmJTrv=1suAxETGnLKRs)KEl zAHx4*0O0SCFzT4AmuN!SZwDL5MXBEAO75~B?oPCRp@2l$J{H`i^XxDX zUDLc}=;>S-)uv|Yo?EF>sRENqSb8QDh5QOW*fd>v1Tx%ZU1M7e(FY>F#o5@GDHXKU z_3;4440BoXjjvsL`R=J{y%|%_Rk}4w&xENjU9ZTjJYCAjFSiT}7Mn%KfIooUQ}gSQ zJv7nS<*@rN6J#aH+561|fh*QH#R*x~rW~BL2QHm3Z0gU+q6>07~zf z$>t4IR>Uufz0I6>F)6rLn4R}SZtfh%>40s2oCfOu?zEr`oK7_yyXSe8EXTBKIZTj( z4w`a(#`|@C@Q*c`;c+LoG|~>_2d|ue8L|C$#L0gZ*+}vIsWARBgMN(2zwL3$k|)bg zlP&6Q99LT`7XXt}33{Srhe_S&HATH%8psr=p!cD4!rH_~d#Wq1iai!C;tJ^K)R6jY zqFkO5MV$Q79aWDcWh{xIBne9(aT97|Z6_MyrD>*>Tg(K0JZj8ywfvr%X9w&J<;&?B zX=HQZvTo=f9>?x~&f}2HlX#pp9&+nj z=Z+1#L+rzmas15cZrk{Fzy0Kkp~p_~7| zU~r88oxz!7Y**XQ*!V0YEj`(5T=l^z9;ky5FDpy4>o8F4cp>^pqsu+EyxzIjT&h^` zDnb3ni1`$B>f|Rg+?nb?`l%yr;)`tuYRSl}4Y2 z!?kO7)_QbwV?e_m^z$n*DTa-SJ0lIk*_WYr*h4C3ZExN$AcTs*e9cZ5CU43kWF|#|U3J z#^N^$ddpYooE^yHABs?JoW&iB&bJZIjc&vq{iBqnbvEK52O@2{)`{Yh+nXA?p+!o} zHF7EsO(K7Z1k~o-luRkabyyx?lxnwDbD}3vr+8K$=;o`~HeA8!U zDC(hEsn4-$d~>ZKDWRP1ax?ZphM2heX!zT@7fqCIt*sKreD}APZP3Fcvhf^)Y6%N8 z@pTkjX*^OH{nlqiseRppAGW0O>-6{C1>Hv1{kT!zp9s$hfoAr{u?rL~!eo`~ z@89{KbAy-sWQT%_REatN1+BAmtJ^x?_6sS5$A9TgXN^_AiH!D$U1)EzG~vKb(3uvG zt2#SlR9N}&ngeVI60Z{>fBH=$c=ZwVxgZeP6P1|x)hOu8U1e-qIqFO2cLAX|xX?pc z{if@M6Ibu(97jevi)N&OW2DO+ZNmj>>@WvD32?z>k0Ns6$Fu&m&BFhB)|m{ncxPg& zByVuU>gfI6?YO_99v#OomImzsN;>$-*4D| zJZU@`E#>aOQL>MwB$rCuM*h<_g-7k5Z2JH|i(uq*li@zX^4> z5506h2;D7(2fNMOUA`FQuAu@>g%`HtmWUny-~ifvZd5IFt9kwSSkt1sc2yA?bLnpx ze_x&ZFB^0<2CVjSy^JZ;I#>Ib(@lki-h@xKxpbM$wEL$M+ull+3I8aFeaZAMrWzZV z^Ogcexl5~KC#%Xk;Gm;eY}ykj;GVq5Y-2dROheF7L8WY$ zq6US5p5s-5Vzpm7uL3*no=G7it2_pK!9m`L``rYi%gT}+^u|4UI%9`XU#0bjr<-69 zBNnaD;cGX`rkY||Xg9BOvCCR8zrr z9gJp)*2+Clkw*#iQ-gdxrPe3IiQe|M`H6juV)ww8H)JX}2+dyXE;uPDe_BPV+70(A!UNAbUl}dNO(#i z^Y(VVn34~Q z)dr**^*WwLu~>pydWFSbG;&H0Lkd^74WNmc_+EiX|2__VD1eIWraa+O8@N^oI$l*| zLz)gTMLKd4RdqswC+i){tuw6RAoO)cYIp1|)5jV(GezfmkwwVaq0wXQUN1xkyLi^< z+#Rxnfkzt{74mzY=$^Rt1`k^(mFLvQk^V>#Xt;Wf*y<~5q>c8yRl!Kx0tPOuq06u^ z&^;9}BiqY!BV=`3hO}I7Yo<2E=`6Of{(9)hp8SKe9kjyo?V1<|#E5}|HSM)&KmUjK|7-P@!t-(`ZAfK>ror`y@XX6hF*@ShZ%SsmnH5c0%#py zB)MzfVAqu}Ur2;QZ;Te00nm7N21{3(s=9xMvd))D|7^-vf~T z&tZ<#PxmxAT0g=bh6)CK`S!f6LAoDVIC2#u6q@LecjNvzT`0V1lczoHFD*Uj9U$g) z^h16z`IGmiQDV|7=}@m&fR;ZMa7WMG=z(;ZFin-|e?XyDa-75~`*JB2vD0?wNsHio zWa6#ty|ANPd6LZJed9N2tX)O1`g4z*z^=!BRt-LnJBceBHM`g?ZKoIi?gQ?((Ji)D z(sW`Ae%R}(KVK46z5;bx5AfG*4!1gPif?^{IUlnM`H&U*Q1M`4edNQs^?SaGmfh(R z(D810?DRjBJ(K>j0leV=TExAmu@JAV9omBj7oFOVB} zwWRgiZ({I+kCe9dQwCLT+uVdj=S2=y3ji=BrmBM@D^OiP{Kq!yFhn2t+@8|w7m)Js9<4KD0v*0m41=9b8E6PeB(~0e!k$C#? zeHBv}^QwvHI3pPIj0R(xLQ@s33Z*(K%ODIrX3X%1zYapF`-L;l4FplrxZ%_Nu>a^8_KviPZOxWOqz>2SB-qWa&Y z$TeniKiqZ~)?}vM-tJ&f8Pe`%p&099&9cyYaKgEGHV{MES9T1yaBUPmJ4|eRa62Q{ z*L-vK3E3PUR4GmL$M)uS$S?7z;`6hU-!c0QFaN%g|M3_0`B1iB^P5rE5C5DHbG1d2 zc*i~Vkw64<^`@9tB?8`etO+1GRSg zW|#QI6@u;6Jt;*JxB*|v4P*3^no_G922S86j^l(G` za5OS~vc|_LhZcjh2>&)CZE<#|yzckJ0lxdydG_!6MXaKA;E?*TgCNHTV&1H|mx~+u zbmU)ZlbGc#R)bu5Z=6#l)f;Q?xqkE~P@ZPC8+NXygXU%5@##<1$f5@Wjgl>3z_$f1 zhouN+XVr-6`NO#(_YjOB!ah;`qajhC)~^nIfshRT^$s^Nv!|Q0jXOUD6c?QwKBm|` z*pl;E7>hWyuFz=rJxwgYMlJwg9cC!3DUA{po z)p-)R$1PqidO#+I!hMZ0crxRhL=ferb-9ti59_dI;;jsVmIC%Jwa?efrxKAk{=FyO z?;MT{EvHa$R{ST>7p?k1qfQ&DfGP0|O)%PDqkd{YE^6z)$<+38;+4-T<^p$y z>lJd-j4f?D9Fmqtn@_=hA3w7YTti)N+}5Oi5dLPbhPZ{GSxzwPcd_&`tl;CMS(P^7Bl%8!NoK;z&(dc@3`S6mGm$-Z`f;({>lwXQ_7h6%(l2hD#F zeCF8wB*cM%EJZ-)3Bxk^;1OnHhnf?&^FxOx+dFTJkR^hQ6M3|FMx*>>9qeH*(6{(z zHkqQRh~nNDFPL3Q?Ku&TL1zST<+M!r?v0CBdHwFDx`|9!2HYtcHGjXHP&b>ri$4vT z^6hj9c`tpwTX*n71ngK|l%CV3q4PL}EqJDczwhS32gVLXxi@Mgsmki4Csqk7M)BaD zA3Is|=@1?_yHzlpC48)X<2UeN0d8UFc#5a`>gF4q;AoD&bzBI{$*_hH#$xsJJ6N<} zTo*Gvfx3V`*JEr>;wy{Id@FFL%T!9xD{3+k|BJ8u)z|!LKfVO~L#qrV-@NAMre0h% zg!dwQ#LmHk+>hyrB$2+VZ_;VE@!_&c@>6!7%WfGE|Cr*fo5b=z` zX8aqqcybwGTVf&_wDD0+DIs&^DS~yaiqwuk#h5{XS(#u2DN&7ET1M4r? z2xmpG;Diczs=>i*a%DC}>lyf4?Kne(phWVjRtJSUd< z+w@W$bzOThKwPgc+q(6x@eqMI9Chnfc9@e*(1m_>iO~uFD3T+o-Wu=1mFRgCQM<=%vp5C)vRl3JzN$A%omqq5&L90@|6G!L_|d4rksIu9f4n zE9EMx!?!}3WWA&F?Wh%A!)qpaZ^*ow|6FVC zLsW#d4qpe;1OkC8Ul=^R7f#m99hUc8l9_Ik3W-wd23IlN2s#9W_DUthbeg*N)I0K0+o=U_?0*`& zNA6Vm#g9o%v19CNPd()edu!=XE`?U6H=DHt)34FvUk@Ib7zU3aISg`e2k}9L^Tkfi@2O|KF5+jnLZ*eAPj;OgwrWGNf}58r%<9^%D8QETsr6Vc zP{f*T+g|Coz1)jt;atpdb#|?TBWAImT06V!{H!>geS_yJ7o?32eRyo`X5h`W^7kx& zkNFt_Ilq4?4e@YQ`R)FG1rs~8^0%H2o<3f*8wTYEzCUg{8wk!hcPrS_uD(d0)LtGX zQ#T}6w3L(DIT!#H&o>9ua=+Ix4}VMP-n^C%%=JZL%H7MmeT>&jOEeYif6XyX5alTS z^z0>n0F_UP2a3{{;5#yu3r=hbR%V5D;B9<$%~IWjixICaZ$gKQ(MQPg_tD|$z-o2} z^k(CNp3K~Z$~-d9;_z{HV1chw-RPIIh!D=a-N2P)hjCX~*P>CSE}j1FO!t%#>Xrbx zlw{`ZF&-=b(Hg;fGV4I$@nX<(e_RY~S+c(rtJKro;K_i|#gk0;+oq!q4SM(e%)E|X ziz06VTN`}b8@tNX09y{0dN^|RtnK3To|WgosRKT0d1R$T6g}FUuA2mRr0Xi40UTf@ zD}coDM-FuW5#O}{rM62ftcn{P3<{`pLcVZYdR=^vKdUJCy4?BSmUbn_R*vQA0`05z$FQaF@x znooQc6V0_@c11q-#El`IcnAFR@Yjhgw%z%Gq>fcN0Lh6&re)&!il8XTSMaRVd{%qi z{wh9cMX?hD(-8{x|1F-(%)M+u7OndS?~N_Uu~!}|h*K2{fW)92sU$e%Qd7*;nuMMB zV2-!HJEkZ8Xnz(QSUawSRK6tkFq3`t=+#B~@1}#Y4_Lg}{^m@hUW4N?(0+p}cs1E; z@5b>uD2v+kM+lpYyX8su6i~|!34PovhOm@(nMpAm5asw`DhQ_zk>aA5;t{Ft8cw4b z)+5X~py${3G9JgBB!v6@=+Mi0z+S;AG-G2i*>=OkPlxTvh7tcnIp>QSqKB5A-86mn@HOmgl1-Z- zJWnZmF2Iw#Ny1tS2?)fyvynR0&22I2%cIQh@a!WF&hLOo8tC(#>ULWl_FxrZon&uw zgWtG73$5sE>n8NrGc9G?-**g>H=SGo{pH;)4e*XARy>c+4t)GayK~&$s>xguSKx;J zufjdoO6%!Gi><?d?hK8>SKwP85QnSQ4rxVBd{RQkeH$>)^ZLD?AuwV1si*Sc?zSP+#r+zQW3+;^ zB~MCJq&}bhAZK35LTh$v$J*6-VPquN{cI2ieWk3$snC~UZ2Hw{v(9uKA4O|8jJo0d z#3IBu*3r_Zr{4jt*6-G z?1Ev#%b?!S7Lh;xZqM-X(9k1jvC#w<|YJDKcu%Gp)AM%evuD~kF_I1`7 zjVs}wF%$vHvv2QFfHl?RWz~mC{UYQt*DTIW6DoF9lS?2|&jpi}NQw#u7L##%J_T!M zxYntAj{SL+hx!o-MC0^4D$1FBtqnJw{F(BLB^MR#Yh>FdAJ*a_0fLemhwJy%qlI#v zv5%ZuXbVZL>n_hQJ!G|y#|Iz4Ma_?5FPk>J9*($s!+jqFPGq{wxrnyy7JbG9Bvz?z z7-gW)WW!p50Vtsmx%3M8Jgjh{sO>E%aid81K$yZwawm>q|D-cYY(kAB$kNKL&mRnf zxh}M_6x|IRC#qB(7gXx{<7YPf6>?LIHy`X=zHww!$YnUHWb~K9N6Jvl}UZD~-3-+MOn% z`#5#=gpbWiKDR7}#*Osr%^Q5Ejv}C1^fW@U=Ff0*YRAPYlbE3!~t(A$8|G)Q^v0Ovz{1srgEh_sw3%Vs=Q zyKgd_zA!1Vb8x0K!?-uX-LE1GIgbcM=lX7O?aery=b>T1c|{R6D5WAH{=g&9D@5_^ zhl9sl@I(+g@ASe*&i^{u!tmvjBBPcX+iBZ_gzVcHn9RDyy;Be=fS0-J-{`fQlWyVj z@C55vTBsvE{qen%LExL3-d&0nIRJ0kFN*oOMsJ<ax_D3Yd8svha&D(ES#UJir;SGS3#-Tl%8*U^Kqt3$45GfHUm zt9-3q(GlRzx3=-L+6?Ppk%}eY$e_*M%Gtf9!7ztb1FhmilzS`qv}cn^fvN&=o{sBr zaw~QVI@oepWy;X=ojZMwI8TycvG7{LjY%2n00~3IC5EtuY1x>Kih%Rvy>h*&hoIU-H^T75lT*k~r-h8x^+=~r`5~m4Km5uG}aqENL4>|meYbWC??4(&E zkUv>utBG~53wA}wp@=EHe`1*(e6cBctn29?)qLREusB>=-JKk@n{s}1Ofej?96tO< zH;7=dzQ0T;=tlt5vX9U)u=A8Xi`^U1*_J5@i0a^z9=1}+tgzFyiU2Nc%ZsXIWYOyK zVeMvy@pVhY`|kWP-Bl^n(C?=26o?Z@l6of+9WGc%SgsoAYTOH=Jq;09$Z%_tx^uWY zCS2ao6YH?$x3GA)zX!_iIsR3laB!-k>foY7)eQSBT90ZV%5Kj2%!@9#E&7p`=DZ9i z4P=rPnQK{iw#*!F?Z1Mk<~&eW#9ovkYqv zNGjpspy4P?v;WE$eS&_s*3nLi*4p~}+`0<~t_*k`AN9QO9HdhTO~|m;RgI$7V|T%q z;|}oFqD!Zj_f`Yp9E^MGTF3zkaO_@CQ@-R;o&kb6-RkAT;Jskw(@9z@nFItO$) z9uYCPz;pEuxX4@_{>BmG!~_vCN9bzPzzZ``m&P$DTcDc>=h)fo8?l2g%TVR)OzInC zBMl6>x(qmyakZo4+=668n2u5Px9v$wO96~##1L{OUug^p{WH_&}St}p;u z%XK9kyN=f4QM${y9_feg8a}`3V{_+jOfn=43Hkni`-$39|FxfJI~8zlrEUy-zp6&nThfS>t%YoYx2%T42$Ms%Ma3l!H!><0LbaM zai)B^Lt#?;#e{?JryhAoIRk?NsX5UJ7Y%WafoJU}Cz758^5hldhKT1avZ&cNeh^fe zAgRiP5nzY1yG-P10qu$c)_2h#`>8dz;6JRXZwjFive%%U-NyO%1?jD!zm@KiW(p=w zqoQkm_AKb;UnL|M9+=>AQ~jZC~h2E%3A&CtuOICZUB`v z(+lpOt;IGA3mkJmUTqFmsItk}SjwXl4TrfF&b-abOxg^8akq22k0hg;2j<~;hlhcV zX6`Xeg*{5FM7MoUbm5F%%vsR*^YT9b6RTG*ITR=`@YGIl2yZU7ZsY+Ee6-G6QEoS; z8xy)cEnJbSJNNQ#Nm;FXr(R}KjENgU>4*LVJY=UAT|&|*C%8MUAl7qe0|^8sT_LQ= zH@|oUmsEK)x6Cqk|(w{vz3L8R0-xL1D)L}p90a00i)9JS8SNv-gFKszb*QhUL2*xRV5%fSJ=UyEh|%!S3DR9vU; zcDY*+KPCnS9F+SO&4guAxPLe2Zu8hV-#cA!sPrPeK(Bsr9*>nKA5_Z{D$TiX5qG06 zW3L${omSLi#Kr{te|K{RY&Y0(sXjYxlVdUA(y`pxCpmg8+IPjin?_m(DlZh4Mm;4; z%H>%Ol;gzG6XgOguK)ZZo^3!OxBN#zF;X06px3Mo3}|*MR1aJ9J8m( zG(lA9xn4ATiZy&5avCiNIQH6hqoG9EwWWl4B_QalxaZL|kKgCfToUWbpUvpZ*^j~z zq8;D>Sjj^~5WWgF9INs|X>%}$ebhorhl-3b1;iC1ADz?7Z(XWsLFt!tb)a#hN23ZA zJipnQ&99kMH0lB9i+56bV4LT26oC#IXi4oZ<(=F8e$4YB+RXMN2B0f1FT(t8XYJkI z0}vntB0bdHu6AsxwZO9P;2=_K$%m2==ub{xjDTj}m&<=7<3n7LBo??kd_Y(o&|u4& z3BNPB&%L@~-cro$oPst9tV-e{!;OYSKC-jxgM;S&Y>tMT)Ai_l8lD07CwaEir_Te~ z6oL(uF{N6t;usn4_58=-Un*j=Ka`(}TyB z*LGJOEh=`Bj*+XU5vSV6+)-!VyOa2{@cxg!oyDRyEowQM6Z8aG-OH!=gKLB=j}~bG zjPR2c_~{3`I8|_uKwS>8=vmf55JE9J$qG8a)3_g8}b zO6>#OnLB}Nr~1wMsEBS~c3#c9w}LlI?fT0m+(jk|8ondfnj-y0w!9S~+bg)=QOm`r z)-Y2M|AFlG!^8`)pQl&O+hZSd`wy<@cVL>Q(X%rCE$y490H_`yP@YGGeor_K86dnT zGiIREx||1)476+lcz5kR9y@aR5I*7Re!{sjr0QcTkj2cW0O zH+dT$oXY&ae4}Y5#zf@4t2(FrDqeMaWAR=$U`C?F@s~A;>n9Nb+Rn8Z--5j+dw`Kl zKS4P{wnEZZ?E{gM1^_#?tP_YuzjUqr^mAyK!`KL-YSJJs#LPGVe zmG9+YO%tpiK<>fVLjY_c(9Kt8L~me9AV~4+F8Cnsriq!e?fyxCTVYVeG!STOA}}ZK ztMzK{jfVNlp`xO!;t)cv$?&BK&YWw(=FSek1M(VWav|%06=~HIAx!9K;WdVlZ$TM4 z8GAmD`^5)ZR=(o*@#t9K$}L^v)BOTHY{{Ed2TxM&s8p=;8+?j&B#@`uv@PgBuZmyw z0AT018F#)dKeH7OOgr0ce=vLs2+W+2+i^~irFxmnU7>XROY6f%8Vjm-;5$*}L?s77 zE{dRUq z<0owk0l;Qj!6|J@=j7E4D|v}^C%+FMYLtGoHaS7CT2P%&gDp^j1hI7hov$dU40 z{lXQ3t6xrL)SKy1d5jHEuuvV7o;$jpG6G@wobMoD%>x6Y13J8)~zxjDQssNe^ zInl_dMHclO(jxV{IuWnK!wiYvV@4pxrokU1A-K#yC0QZLsk01)HN%BL&lVz|vTV~q z9>sx!g`yAZ(rxKVwLc|5+zVRu0I@;gvlAAD7dIC!77MgrG@hP^yv$ZTzR*D+{fFB# z(pQ$q`pW*%337+>E*6;2JE~ zu;sh+G`^921;pZ+;EFi>t-Wa(SfxHvrQ&l>&zkYlJ8s3#&IbuC>`;Ge0o|FcBrpwa zR${^_RPInu19RXDyk5cfx;n94}wBNq%Oh7v!ci79UivE1$d)>m{{=U7N{tIFdCC6K_o?&dx19kd4xM$~E#5Al24A^w$q{3z1 z&APRtbBWFpN?6X1I?%UKI$HBAl}?XEYOVk6^{M!A(CpOM(v4osd=8Ylcvy)D(!o%^6F>c}l;8b>wb%mSq7A1MIl*w+g&%$RtbFZI~ zdw`IWnEs3!y^0Z1NecWk}A9SjV0v z=ErcOFlQ@u6cf!bpTvAa$ZlnOl%*0GC#BI$TJKI9MckoLKe%o4gHoRBl0e60U zUEkYt^p30&eVEjqTp)DT7YZ(xYLP#znZ%xD9KQ;FiEeC15l*RIc%fqM9;Jv#_ag%H z@x42~u#1iXy)HMJd4>G@GaU5&bG_Kp{pxGz_^rsI&~S~;t)M3YwLwB$LQQD-8^wn3 zTUm&vN5@{X@T*;l$F$?W>m5uX(p+|mkee-Q#oW()G}+6?0@#KvtmDOGl=f9nUJb{} z6{jEQ9<4q(YbO$nX_=Q79kDKAgx{c>=FdAT|Z%)@PxfwSnI@NPcgS1ZC#QcPt_mLZ3 zII)bLJ)5Rte=83v6L3X<{PP)p!vR-}h9SR5&;YwQ#9$gTnIXJKWn^=AL>Ou zZvu6kaW$0v!|dTkCpxU<<^WV%89K6uIzvbekDi)%iU-%fBA&AW8_P+o4WY)xnb1fF zY~vAFv}Yy$!xpq^PBM(li!N3-wGmRo9VI5p1aiKA#YEFm=zRFLl2S-!>1lz}%}150 zVu|#2YDyT~#9bmQgI%Cx;0q9`LF`Z>L|ZsVto)N|C5TZA^GxQ{R@+c}M@9J?Rm$~& zC$f@jr8#8|+I2Gd}o%ejn+s)1eZQsaq=Tyao{t!quM|w7f z^HJ2t^^vf172SH~2>abfi=bEMw>9Mfopa*+-W$JKrq{n`%3;_27`MZen6+t|@K7(* zj$qy0$K~WrBj1(eg1lQzJStwzL!{kNV9#$PiUaoGdp?A0#@b{z`zqqV!>2@`&7Ez5 z0S^2S!`*wYK|4HU=lr~-kwI|$vF`KdxKy&lvPNyDeC(=@iygXM6}Nigd|b`1LlDcb-jkA#f8G&wTX)-zHSTQ*?nc&5QtD zzMNt2r70>se8J1y9;2Z57Cy0JBh^zu3vH+u9~wgL{}mc93kjmSX~59V-;EaJNMi<< zC4L+vZHYczdLgO&1@slzwcwsD5>BjEv0hd^>4hW2q5gf#RUi&l(&W`U1EqSRWdfu2 z1saHrcL3c!g_Ft>!RuV!vko5yK|wh`+DhzaX}SzmjucLby#@nZb0dUTd718H1t8SB zYHF39=`}%MpPERK@MCF;-LtK$Pz|Q~w=`$L7c-aHb3|o%D6=Uz&QG=AuXO;UC_6Fz%CMDgk&J~r>t?V-6N`P-z|i}Jt^p%dODuoQgasaU*sAnV|^nwGAW zlQluVl-#GYx{N7NJf~m6C0)#HC{R68W_(v3w>vtn846 zJMJyFt8z6G4@ejU;$qItspQf76}B_c|3lY%#QTyV?e%-08^ z6_hwE`vsx5=A5{)v8H{8o;~LKp&4#v_8J3SbiVDjX#j>E{Ib|5)4|ACk(5K^_e$mi z^Rw1xb8C)8I991z*xCynmUA!PrlUlHpGZE4>DOGeVH#Jy*QO*S;lXsLVA)XtNKNFlwCiA`>X zG%au|*2G{aaUrny0X*96>L?FVp)kZXzC6J^Zpy2uW=-30pQ!DI3r%G@7;1HU*SU-P zZi6|4>Ao1ed2ph<9UC@F(Jyp4uW)}TIJaERFQ%W0eP|y76s4px}y^31`DfxJd^d%4W|Y)4GoE zE^gWHGu;k4*0Sa+g^if_xZ#6e=7b-)aOCQx?qMD#KWh}@ zzUH9}yS4wTrTc|iTj)3Zxxlgn)$Qkx)O7PJ@w~*k!u5`}S)jj2H{emv6jPpsFa=R? zd_2d{Jbp8>KeE!~w26VUtIqj4e$4WJweS3*jWXIP@Ryj66*f17J4` zChjd!MnEGzaK~*4lPhdut=z_JhBMcmmQFq`*Lr2DH-rO5eP0s%s>f}f_u(IvnqOPF zv2Q|KzlvY+U!q7r=5P}Z%U3&mF?NQh6{0~7@#WJD7LKoiJJrM>N0BgcvTr1IMGjW2WU+Lj}mz}UmhhgCpEk*acA;@vMp+B7M>K*5N{LOR3==z{OK(5d=R@ zk@M3Pp=pmy_MM4j{AW48?b=dev|9xt@omJ^E=&F_R%_)Pi1yTi>}ka{VS6q3!_!5X%_PF zV&|CJe?i2aWv}t2-`hDyrV!bwjW#Z8tzu4RS%5ox@Zi*|ZeIf={7?euOt?QYs>gRo}+_N;%?>mcyQLlnFb;F@+D#(XyvR z24r(IT;w)OaVb2~a5`N(j6A6G%_jJqMrum2p8WJ3ShH|t91^&+^|UXRbzE5IIjsPC zGdMXOC<+c3MC2oV=GC|Us(uCF2IQYFT(-~o8kwY6FipQE7A9J);hAjr(Y_Eyd$vgMQ$k zMbmO)0?f6G(womWjN=Lb-+@a|Y@ALuLNb1OEn|gEIB1(G#M4Uhe(+K9L-a*wuXRs? z@5*W}9GMGBl6ShWTgsm)QcK)w3icjt3q(&I)AepV9@vWZBA6@9Y1=^zU52GGYoWZ}V1Js_ai)Vfc~6ut z%%V`G{19LlZwck-*q34}l~}AX0UE5@cSH{Z9=aVq{(*-8?*RBXq%5?FR!~Q#$`TNA z3?J!u%jdo-<$})cz3lfLlEs&GO*#+lMR67D=Um3@fqPjQFHQ8?0v0ww7&DpcI>=?d zDrJs}_giCmdlT~lRu2;6E-(wa;;TwyHu2oQcaP6Z-2WcxXXkb4YIj>n%OgR(jd>C4$1<#^2;|1CDazPlkjGYNIR{o9kszHeu6 zpT-pM9A6Zo@;0_9;Tof5YcKN%g)k@?0!UbOmmxXEq-t$NsW}AZa_-WY&I(-ISX$O+ znIJQGuZZdt)S6^yAC%z$@rL4z$``ve?g=WO+3G!fWS8U0O@u<{*;a(FE{+jZ`*M0$ z)5})3$5j(d@Ma~9Z|DYw{v&Xc3Sp1;Rh~v-@p)_IjZ3-+lmbu_u)pSmPNGDmt#h^n z2J2;ejwQ&de|RPDF>eQ#!`4*#{#)Y*x@lUvURDnMm(M`8GPT=>>okhzkL37S9|+MH zutR|`M5~yV4Ntbzm`yao{JIBtFf#I)_sc*E!9Sk=+xXP|agP6%1B;#?#d-G^1Gj)4 zuKxT#ZGF|7Z`>ig@`scHyUtO=u`ME0W^jIQL ze{3#&I97C}e|_`4&L7k6w5(|8EyOj7(`r*fUx)z_i|N!49^Y2tewWUv5cYTSmMRZq z)n4=$kVW(C$KA0qukjkquE|FNXC_J%esqc& z$^JX5I9`H+Q(XdE_FmN#igIzjnhV;PHwgD`p)rtOtV_m(ijjHab;SSLU62f$_A1$` ztRShTuOmGNIZWPV*2(#t9si18#ANC~MRKYJBh8dan8nSsG*Xjw-mk&4zX`s&B31pJ z&4s@>Z}cvUuUA6lL;=Trzs(S0Ci}taTbO`IMd$aH-nA#r4;N< zAW0T{g<8ojeOZQ;b816vQQ1bff#)i`!wEk^=1X#S;NLoGF00UjwbbIQXzg9C*J=R^5^DS=`01bc`>oq^v}{cEA6(*?x=(9m$WmnTToaxe zII^Us&QZ{^B_v$<@N5)$rP8TLGHrjrLriO!geQ^+%R!-k$J4?8(xxy*c>@Gj*zHiX0}}U zuv|?!UY!#&#T?QZ?_s(a&qvABXs;Y={4VYshCKSGy7^HvAt6kX?t6X0b1}63&6m$^ zGtsQ7n!n>g(`>SDa#5qzne=ZL6w$q?=8F2p6+uV$f>G;Z7%LaOAYax#d2rT4BA~i? z3fZhRxzaLxG(6A}G=vPOo&sbLb*G`6t$3Jz@G%Bbi0Y<~T&4GA-*o7@I_R{;z2L^W z(CbFccZkG*UR+AEs3WdOP5aN&=8(-XhXhVxu4mOiJ&M((%Z8r(b&i}vVEuJ;Q>vZL^A$5XW|N&a6d%R1O2 z9!}&|Ir6^}q&I<{AL3otN@N;8RX@z2JcB`@Pw-Hc?Br)j_gV8PT?xDsR~WjSiMd>@ zWh(-_y3*8pn6Cijpt-1Bj+)))kX0)(e_*fi+JTV@(Kx)l=r*|HGo+|Ip^T4V#<*X4 zOH$aFeY#)pI}RXq_SK}T?u2NOJ2V5f1ioDz?M`it(|%?iAhzt&i?GtcpKl{;-ejLp z+_W8B!9^s((XxHRr;|gjyKdw|X*Q80hV$v;;SoX|?=Jg9L@Ue06Bt`Z5$HpvRgdzL z{Gvx_V9j~4Tl@ZbXf+V3$fAa_S<197cWYgmOv!f<9}=SG0F1D~lT-LaqEweC`c;6nx^h?j8;0&LXbo`%iJ5x<^{LCV<5+_ z_g1xAm91)U{GnADi?BQUhq-IS{NcmnX2a#to(n}8QOmpeM!@Z?jDek_l15(&yQSJG z|DWtu%gqIRW30eJYy_}d%DZ3e_5#Dxtq>cU^@v2;^E*yGw_^wnA}+>1t6WLP(lhsZ z734UU4h-4fuRKft9c|z|ZWm-7(Fx=r>O)9kolM=?w91DDklDBs8mv@}0GyI}-$<9^OIID~QTTk>O ztL><|Lwn-$ydvD2GLB;&LsdDcVtzSExPTgV)jU8yXqTRImCxAe^ij}iUT{$)JHX@S zflEZAov7+-7u2VdsG#7NNY=U&^T{=K z$$PR`2I7z_Q12oTyI9lRrHX0I+D-OyCN2l~WW&x$qsXb+(#G|aGd{Y&0&vy(XNR&7 zr?+GG>vMDVpeG^dzu)DcSnuPj<~a;%ytNbGiW<8=z4O#(ic3iPXwubJU+Y%FmAZ>O z0}`XA5S+fYt~f=7SjI zh03Rw_fPBSX<805n^S*qaXx?k7b`rovfc+HiL2DCShOo+#dk4N^6v1`uv&|0eVLVFBe@H!-R)7ASwdu&jo~{`ygVOOKW9RrgM6%6! zJKn&?%du97pJs2aNI?Kw07$$QC?Ez z^Ugp|Bd&>)=TTW1UulY+${V;~HO5^vX&>;jI-jSG3QO$hp6UR z&*oaFJ>u{7>Cx%(jHS>hZatG< z&IFdblb)2DWi#0_mQSoq>)bre+@`g(p!Wsm5s|JU^L&FCw_Bt1Zi5?9{WxISgGy^= zi^g=yUjtFg@>2$_9%I6ry(~*Y$3e6OAcQ_Kw@fkUJzS)a`6OaFv*(N>KpAH0y_`{! zQk0o99Mgv8ptkaWO|07Y4MT4W3|$dyksArXZ#VBhfa0N|%{3=P1qFIvO|G3>5s%w1d7H}jINkY#sr5l6x}5jV zIMj=zy?g$J=Xw=7PCzLc)NnQ^R|2;>+J^nYBvVRKZjY(v4R$8VwDauQ@s`N&+lN#L z0Hk}@4{+=^c356$A#I@?5!o!3c86z*y?Nc;0poQB@`;*qUH0FFb>pT7EvGDo?X4(F zB=45EU4~F{OW_C9*8FigM}~&yOPRbo_2X;b^f|eIFTm{Q>C~J-xdFu53$(nMdui#o zS(puk`i)OE6l}PO6km@KYd7F!}YyS1p|J>?ZiypGmxS^ocFB?@J0O zwnSx|K(BV}uds^^Y zMU*bPiFE(TFYW$Av&I-!EXFxLc`tHA$+QHh>j4~p!26`(`}f5r0uO~Ejb@s}Z;>%N z2;|qoPOnb@f1K`7?P64cf4#Cm`8P6U#Gr7vwC0Tqu~B~*9tsV9SF#KBPSHc(hbYu; zRbPM@wZ%|!j}eq6QU;;)&7b^!Opbq|Bc(o+4bg(!z^COmb6f<;yJ!8zcyGH{G}X$Z zmWGwJQRIoTDR^n)5#yIapKjy~-^mX^D{TCJjrX{hJQd=Nc_ym~f4S`I&PkKcTod`e zY*s66@ z{c>G9logaJfBw}2?UbjnJ~_J_g?5e>)=oKS`we`NUH;`k%f+0-@(pD{!;*>qz9Ok4 z4)~zk)&n#gwC{;y6cQMFR9EZfee+;LMNMFhX?fh@j9E7;;>jKdYGK~@_l>vy)EvL? z-L-Yfaof%&5U*8F^wasFux7XAZaAmqDRQ(P1Ut@yS+T&=07)CgQwWlUXG`VdoL#Nn*^b`PJlPq*r$H*@sV)v>7h3W5&Jv zFvr(VM<%qi+O}VS)VGY`l(Oe3A`yv#p7dtK{B=y!utDyJ4h5Gv*c-28v(fqDS~WzF z=hdG+;^E=lwn=@Hj6^t4o#1WNvbGi>a%l5jn94PD?5-|+U#8*uV3;zUq({<6pEqFF zroL~5w(%0d@``{{R6~0e*8<>ply);47XKa%-Q`glLOZVy67aTV^QHU?$b+Q{&#uNh z21lRg6{JMQ2I%u`x?_joBj}l@;hbN`W0SQL$CaS=0#u+C5ugS*=*9fstaAbgEavYB z7BkmrQ#fvC!3gK^_m)k$A)Hfnn*+bQTOWd4ICFwo;EB5|@VKB_Sufp?=1#4MWdX_j ztRZs|kw4*3ewh?A^)?0Bawx}r_)km!l_-bLR1(UGr4A-oju-%0^2FE*YQAmQoO|bg zb*$k8ACEN~y-StsW#ZybDY%es`Nac_8+k|2?M7Mt+;B_Xt%Gw8I7==I{GR)+$i#e| zx>{Q^A>s~NyI+c|C@)+N3g#=GK&L zgj}*`*iB?qx|c=3_ZYabo?e~@H0oX4bpQoZQl$UirR=qp8YP&B#NZk~d3NC2)yX@= zgwkaaqyye$q;`$K%vWIBpqb-@3gZXo89D+f)|CWK4>hN?Q2_zzL7Qnl z7XLB*AkrA~d7tH0rOt4+VnL3aJo(4xpduFkSC$&%{t?SXmXukllz6Y^&mHV{q@OcO z#?jF^8~aOti(P;>RM7^m#9K)pZpVJKZ2aS48)@}3eeIM$_gdp{L!J9>$fWU!2q)>L z`_H?TJY7YM#1bX%%>(XK*)hay)>azsl|XwjE+fq!_X~>QV1o0_c8HCLc(71+&r^dbWA$eUkgds!H&VBl*4>A1AS{O3Ii}Ey`c0r1nkd!mO zp6@5+@RlF;w7Q*1D#^eCZ!@3V~63*LD@sphXz_A*om?m6ZgZt~M#N?g*1=AG9B-jD4? z;?DM=2@G)S8xCnkNwkI(EE@`7Xm+j6t3a5rau+uS-j zINt|zYHEj_1u|-mZ>Ow&KJu^qD=(H@5AE}UxZ7ok+tW)Ds^@QmRnGtXz5wobwZc0o zbTQa9r{>ro1#&OiR4pe-G2(&|(JGw=amRL|)z@iP`H;ZlBl$sJy=%_;dIV2)dz7;<;Y3XCiJ}I;Y&h^meo7Vz#5K=-!f9w$cz` zv%y&+%Qf}8C95E%qqEJFo4lAlVNn=R0ozlYOAkL`_a)FfEOlsA=X^AgZZGm>S`}?R z%p^ts0+rW$%P%F6wbSmdQ%-onLH+ETC(ZjAAzw}T|CQ>{)x)Ut)(WCMM&{&ifuxke z{(I`Ne63^&{X5s=6b>zj+H-HO$>hC{{pZse=U$_jCBDSsP%vm7fNQu<=S1R3bBclM zW}sJSTH=mJb+ZPGDF;rKY0?^Z_nM&`Bj5>eg)|x?;C`5!`yhCB`K&Y-AdE^c#|QnH zLP$Luh|2c3M1`1}_&FtG@<<`;BmNhm$l+oi07FQwys95AuYSo|p@tYOv9H(V3TZ=| z2`qSdQO}`Z>}kM@-UHd3VpnRTx)*TWS839!--s7^|ppF`3A zGK;;~Z)7&(620NuTRf$t07Z0HYPO?b$XquiSIGw{YY z-*s~Q(pj`a5eVTzygmHe=Y9f6-&yctKnax@oi%l*rXxGx4QV~;0x$vg&GK4x$aQ9@ z%KJ}mlxNZZ8a4-f!LIspskS{8qW2!?eDi6$gE8mc&A~{Od#k)T$197p+Xo4^!*4*3 ztC(dTayTxTY^7v9pi|oVELAx7qEHltDgkq)&!fxZVOpr?aBPR%iw zTG0{$h%E{47d5>M44y}>&=@robS8J?wx7W$P_=+}O* z+&vt1r{s1ebNC~x;H~6)Y5;wRSf=CH+8dF?*p?3QKG7@<>lKsnGatm60t0G7px{h& zTbhsIl;_xRA;w#=pm;^z1elWi)wW^gJSgB)<+Vv)W`7WmWz&SZ(HKM8&etyBy{vJL z2ID5*;cHdF$7im#x480C>Ry<6P)2eKy8=G(x_grb;x;SF7#wt(2T!v-yZjtFdM1kN zM5JeB%QyrqkSu&Cv0P@hSP_=S76wTvXNI$1aJoGT&Hx62Fe zR9@*QeIW7kkymEr(3a~0*KhA9ExDUFj|8Yvtzgzdjg1+zfU^4ptyqu88%@rkjfqTzs zRPS1NCVKWzLDC!w^U4X9_JdMrW;cTeCPnTALhZew^YWzpn%7`h(+1Bq`yaDDaR5nJ zI=q8|?dg89J@`B*tu;UCWKwiwYGv`4@}kZX!@H;QyH^hf7k0{v4_u{A0cL{5%I5$=FSz`nC2PDF!HPFHv5reM%$CrIGAU|0ZzX2J z-;b}mH^W!PC%P#aO-r2MoVojk+}WuD3pXuXK^>HnCHF!iennz99#1TZ6fPQ;-TW!k z%fN=L ze7NLzh0Je~dMM?fL_6b2KzKwef zDIvE;D+XWx0!m+`X}RX&D@7J5r=Ghg(OJjL_kCj&kj{@xW)oL&Kj%o90K!?NO;p1Q ze(B(~(>SXQGK%G4l=^mrV9Vg}C56`XPG2ivKH)Ge>kf1BnD_N@pLR*^JTz+7i;0bn zzea^XA~Zb$GBSXa8?I1W6P=hliEa~Irh8K_Dt3D8bIS)f8eSnhJ1YlK0vq@-8G%*I zTKdHk(v{Dsl};0Ze2cvR1rfCCIY}v{6(F!6SP0-n!hAa`-l`shfR?sxW8JkAN@*by zXC$E@Dc5UM@xuiIOEjCb7sPj&l0}EGncK?MZdgKn@7*lt>?@C}j|afcGXJ4Ff4upQ zmKqy?{JwbZsF(tIXF^c<5JsqMXn6i1wd0MD^MW3m*Z*U;x2&T`da-uf^(YD{z;6d?p8z(xZY@xQ{Xyosv_arZc+qC0-!0A~pa6Z=SsBjEf8OZ~)J%qE46UFlX}?{^tS?=h3P zs<#EdbbCFSlZWVIJ@`Yz+eAko!lVw}75%3HiK#qpfaAJZt(DB$z2M{;Ibg}00Q zaDOH(5#n?5iVbx-f#~GNgBZ_1HYhxLN|54{l)zzR$g-*1&{dEA;rF?<2HjS(Ynuqo?i+lIFge_1$eFyaS1+~?dz z%Z%Ln%HrozMN#X0@0a84?ppCj1h5naBhLyVIrU32 zqJVn(kOfjSLYLz6gVOa@*oz27UsZ7lO~CDUUu2b^Pu*}ZNH|Iu;#nZ`26Owaf`Su0 z_9|x6(9#ypxrqMHudehS^(+tfz;Bcx*S0plx$fNw>%3gOFEOkH6Q!?ufLI4A1j_AJ z%#NEWS1X&BbW2&lgYfOTYRgxbFSS-`nmfggEeTB!54CKSm*i44(X3QzN{oO*)25~Fi7o+=`K0`so^~?tM9uLzEoX;} z)KP(5s+st*p-x*#y}($`l&KiiKIa9=qy-h6f$=cl@jb|RavEEY<~$FCe3FcLa9-wG z2y(6f=1!a`rQbo|N_(bQsrEOLhX$Zx2l(IhCo>Ak7EbiJ_wzHA-(IFd)LK#03CHPj z(SO^-4`3%>Z?J1mb((?LVK+k7<)v`?AU3?IC!bLLX-890CC zxgePbXmF;No!@0t2mUN4k#RqyK!VN}N}LJZ%!JH+wOEv#+N~#Bo4ZWe9oBB3Q0oW^ z1AeAiSG&I7Go{sbc7&SKNju-FB?O49V)`3~nEe*8cnom@nYms|+3d&*&6|A|8k8x@ zo!lXSEio{YH_jD_*Z=erH#aFrWVHp_sC9Mt?@Q$NA05^-;=A>A^TG6)|L9(xh||pj!u3nSmh-0@)i#*>%J&luvsq2FppLP9XK-GaUyIm@BJwbJ z@vAyg!09ZT6)q6G+&pY=uxHHHb++!*zlMLx_a_;_nmTU+oBsxtcieCv`(s8~(z}jt z-O(wCe2Qa~lBM@(lmpRDc)#}T-{RtopkO2RXf4Xf(C23OfBBF+q2|0q!;1KJhbmt9 z9r1I8ulm3uQzz(yghOoQxE1lTl{)9z1D)$~TyK~{zwsJ_`8`W3e`DHVwVqE0J(eQ$ zMW>2NG%LUN5f4-}t;V|3zzMHMIpxRfUj=P(Pa4I8H_V)398UBfOG$|x^~DE9b(-Kd z;V#_z_H=%uw_~4*$?(1``fMdei7S9xIjXc54qoDGzxG|8Ak4we=oC^wcxiNoj@BwA zt#)UcYU~OZHWtpkF9yYINod|i)E)|@o$}CD(kT`9ntLop09};=Gk(8deL&N)ZBsK~ zN2ho+eSxlr2K#1;3o11)S^mkJAQ}BIwRiDa2SG*HD>{RTo<)pHuNov=0KxzzQlxas zf^DNjtGAt@?hN0r0dffDIMff&%VUEYIRWqu} z{i=PK-0VFG;P~>XhHa?Vgf=+OXl#y_Zy-s;ICJo;C&f{F!&Uoh7 zX Z+D*n=MdkKuR|zh^u4LRg)4U7*=E@`!Uz&SeraH6w(=&BF;EfeYWi8ko@@PAM zB33voUU_SQR4W3jV>&n>doYpq8u8~sBX`*ar1mPe88QO#&CTbdD_6~TUH||_Joe}I zNE$`)i6nP!236y)&z>k9&YVdR6&iB!ze;_}?A3?H>3o&XRuO1qEDg`W;x_h-a_8i4 zRR5%e-TpF_>s#dL5$o7VnU_8DL09m-39oJ~ADd+%bKqr*H_!GZMLiLny*}5DH&eSn z@6tm)`fSh70pkJPs9Irax6t^US`%}wWZge5O)lAvQ@&n>n!@6^;vzzcFk~G%}D08|C31W(?MW7^ z3Qhmul`ydVX6G7couehtycBvgKQlm4Z_i|pf25&%WcXJR{oMV>QBKd{wub^iE_J~d zo&$URPX`SsV>c3W7ui-*GOb@s?wk6#PPAS)p}O97PPhRO;U}Zxm3#{-NuNJz&Zb#q z^>EJ;X*wlN*s?)zK6?Pn&rYm3JPz|D&9dc?=sq5zYB1cDe5aC(tHh(#Wm>u>%3fmnYNQWJz znBY7~4eAu1u@w;W4xUE%j=4BopWr7OFzZ{c^+8TTIevYyB1SF?^w|ZyuM%e2ZpB`| zj{Y6X^v`1tPU`UUrHJE|3IWQM;|(H3m}}qGmGhtB#nf#F7HRbf-Y~?d`#`eK3G)G& z8%``Rh|Q5F$-6tB*epX{okW5zq;fpY8f*7N%9W8zaI_!(H{FJ#=^n79);I3>SEaoxTCi*1N)v zm-~mD48FMj!&Uy_`75o$Wl6qrr@vm^yO=}OD^igoOJju3L$lCR9sd(z8am6>2sjn0 zR=0Fj6)o>n#xXG+{GEPE-Hnz#_&J!>}sugPwJY&G`osw4bSfD-`sO+=BBJ1Ihq z*TkoUgb@iRu_Z=wQzc(h>3o^c|K1AjG}$u!5tYZ+I8IV7CykL&_&=eoiIK5JHoC#2 z>g}V*kd3;j!y}c~rzmtbg06K@roI3U^K0!rtAk`8c16CkfVx$CC+@!(y7P;c!#j}w zQlL^f`}x{jAft?BLu$H{MxyIZqt0pj8Z5`0g~yM72c>JS0)w`?=w3+-V6PcNJsM&L4Z z)N^xVxAB03mrZ~khJ^KF+${7vWsB_u_{=<2QF4kOD4i=o#A`zdm>{>U*`v)tS*=?k z3-w)&!tk=z3Nz-VwSld=lxMYMX^SqeUwUp%n-mr3kmG_3JI_RH1TC(<8N&c_*sCt-c`j|Npb-G%XNmg{+KYMN5GEPymJJTRJ zpqdpY*ziXKS^cD8GA&1-EcEVCrj_rIphMBav`4dV(>+$PK1)rIFhePp2t2oVH6H8) zyXL%EfJErK6lW+?t}ueUXFsE{0Sp6EKq6Ln6T99GXBz^GKq#TZCG>I*?_Yr{qmJV- zzw4&njp&*#6?ZJ3fJK8u>AaGJUHt%**7cr97JGf1;qTU2U&l#QXsOTX*l$CMQ`5in zNw^ikz})!-1?ktXIvIZiDl~{&>v95FN{O(liLRvgFR@~{-b!hZ`L^PVVA`FEf$ObNMeO!0RPjyFhV|BCm;g*$tVQ;* z6^0Pcj0KRig}d;wZcBUKZo2`yy@_Q(A`u_E*U=zE%j+*FeB*fPzJ1+wYfdO*J%1T8 z?T$=v`=}>wHxI)s7Ng^el6fdHjnWL}EUQ2KM7-TH&3q6M`WlxUK|EvLU&lX@?*X-h z9oW+@CSpw3EY z_>RT!843xp!3DBoApdR@W2yRKvONf}8ELeCd0Cl9w;yrjUm}{$FzfJ4NvmRDjG|hJ zr{Y&q+~gObOCC4e*YkTxOyUJ>L#84x`t>e?NDEM5*d5na3+|01`_5JW?y>6rd=O1W z!`D2~AVFA+5B8?;D-brBTq;{|oG4p%tWeoKTobZT(oh#C0KsVo#s;;3+Aye~x(KM) zj>Xab=ej*i@PD`NyP90V!7cV`H==2&Ih1KWD@Yck=Y<|{v3YQixENBTJxNS@*vW)1 zzK-jqem&e!#|0gZv68Zzg%83xrPW$D2$!jdw^=ZcC%>Zfjmi-Ilbc!rhS$$mk~#fx zz?j40R#N+`JERndwkP|oTi&lG@5S;uR@^lmyGhs5b9l$JLzu-|+9WG2{qVB&AaC1O zL!uq881c_?|08y(bm278^AsCX8_k178EXH~N5FuWLw&9pg%gH~UO1k96Jm-m*c}=( z$|DYb zHJ66rx%N28DsZ{Lb3ux>K5D@(0Ftfr^mXj}UBhZt_uQIA(YcC5yQ#Qi8XRy-^|B`A7ucyTE8tzkDx6|wT(;ud%D8>cWY2Wc)1Ho zc;m0oWA{Me`iRqauC$;BwqP)1Kp~7tDoRVUIuu5Tm*SDJ;bZ)0o z8uZkeoezcl5?m%JmEmIy(o6FGK$UUbV3EL;Au>0F_cZb4^kmBAUktp9#Zg7(loYS$ z*VLxPwP+w>VX2=i#C5_-jBef>O*bq)WWO$~6Zy}CR;%1w_tq# zj%LdKQ;qIkRG{lPrM(t1o@6Ja-dfS1S)ziBT0L=X^veELpDQ9yYuNKI8o1YPalXKP`t3{=9ka5!&5 zXj(j4rTE;IxZ!-kPn3Exuen(VY~PnZ&7d6-W0>uS->x%u1h*jO;+zs#7{%8=N%0}a z6-WfLZ8B+V<4%nx%+naGaA906U=1a`bl3c^cRF2xX~D;cV!_T)ne_%6G0Ej}3#If- z2xa>7AZ~#Xi_#~mh2l*R3BWv<4rQB)0*PI%{99lAJyOwViZRoYMe1; z0I|i)qDIQ3Nc9L_4RW!Pv~{JvD$YnpE+RQDTb}wE@`ue3bdlp0By6JlUBzff5-Gxunuq6ky`q`>L0UYg#;@2|fK2M3rgZH;|r+s!p%W> zNJ;^h*~sS`Tz_KUNf~*-M{t=a6LXhDDuJbX6m(W_^d&cWoVDR?xHioFWMtq+Zhl%!%$4p#de2@SgIV2h)d!Y6Qg3ZN8*=CuQJVPf&p?@{`sT!Yppk9tr%Mt~bv>6cb=~#c2sxv1NOiRn zQtLobLMl>f0tOao3%n-G^PF5KXW2qDXf&X*B6@4h9y)32AK5;n?e#1FUUSZv3LuWl z24OQ5=IPJ|@t$+s!ub!E<=^zY%l^<6`I>q8>a@+Wr$#wX-9R(l=&ge_OTM?mLzKr) zoXYj2MXCJ1BGyBO)V?Kt?8ez;M|>B4rw$CY>2MY1ig~gn!$LY}<}3L1P{=uog{T_% zkhlPH!6qK$UGc-dxdGL}b=nyywnlN&qO)Ut)f5HCM<1OTi8}sN3N9|ASof6t5DD3>;aGk8S)1!}`B0yvj+l68_*! z;Z#}Vy+cYCUSp&%tElC*H@+{AqD+Q|_)&%Yi(2|0ENUJZH+Ro#g?_5(ckl)ai%1SpW z;dWg0{FMDm$KlOTc9&^-C2zX)k1_#}B!6X8oZ@24F$Jv1H=_771ih)&n;w%C$i6u2 znlGeh7AP!3HTX?C)w9psakc+{Lo;oZUvSFwj&EU?V}y61$Grf3~>=KD7udh-eyyCe zSdebXM>&43;3eGI|q=a9dV@j&e1lJqF6#jZ5TVJX| zYuGivmJ)L!cOdB0E6UzVV49cVpalMLYxIMo+LWz)ALU?YBrqNH%ts2BsIBaCKKbmG z&+Ea=7n3Ep@XM%kKJpd}m7xL=@}68M+5A(+AZp}y-Vq^y(VyT{2n{wCTDwebr9|G# z6D;z9QQVynIhoRCetE!<je(W z8VX8yDtz~e2J=Hi<;RwHKK=Evn4@^tU+DWUL^7h2#o}~8jL{b{%&z1+sk=GjF(n#4 zXG^z=6!34%*BoeqgZ3?mQF93AR$tbNj%?(YKr3JFyV1jl%Uc9e6K^ZzY|Pbl|B2dq zj+X&z#Q>UpXqo1}_N*t=&Z=B4yboA&d6z>zhPU0grCbC)ioS-8IMz|vTy$rGB&CG@{e}n803>h`z9s8<1V{d4%`AbIIeF+`V~=<2mc+M#hBsiQ z#LgP|iQJK!7UM5tPK(NPbeqFya=0apU5sO^RKld%%{`=r4l|xjn6nB0;wq1cw7ctm z%VgYyW6Zv+aqH5LC0~_v8(v1nPx0fEMUZm>bJiAfe>N?r#wxe*kIZ7w16<^rat>?r zpi2qiveusY*J)Z*_!ll;^=Jftz;|vAY3@fE9u(#iKaI8-)f{+VF7n9S>p4*M^WK9&S^ zuWb>YKTPu@D0cXQ-b%BVPMYdBAJR1^tSq^lxz%gWJpkdHjz3huTIK%f!i!&|tIMAw z;i^5Es`3`zroTR*aS&Nqq~;BqjK*B*YxLc;!^$BmIMXsNk0XLZh3IHr9`Oq z^n;P#^7w-{UcnTTC{aoeiVLPUj6mL7kHmr%SITmPMRnz9vBiksF=eGmQ(+eQ{GEay z4&AWZTR#&*;qTR)D5%)~vKYTuW}y{dnT0FMQ8BYs60U+ZJpcJ*iOV?RVolM+#vK0E zVBk3X-Yxng>-~mrU#n?Jux^RmND+na=}5sA$FpC!D-(*8{C75bLUSu2ikCiRd)UOJ zHr@+?Ybd1*p|;y4NwJF#)1zNT%QV62YIcuL&XQSKJiGO(wmsb>C_=cvjX2+c!jyMd4 zI1K@^j)4D{N99RHBP$oPt-$@ntcig-VXwh|oRVMz9rP7bZI5;p5urQ_fiX8XN{11V z$^23Q(|%4C`y3Zor?x6eHsKprCzrbaPHi5brdhHV2dgNEb6Bce1JRB2fP6ZWg@}5S z#1IBsdV)Hg2l2N;yC#_5x?gd_OeX@PN|AW1*url>NVd@qQk?SGf}eRxV~lwOgQtVu zW1aCZyVj~|KzjAbW27-d-m*1cQ> zPcsHvTP7Ns{IQD9v)j{HSkrXTqD9-b)3T@1Q9UqAr<)@#1yst;q)!Wf zk1MOez> zh;jgruu)S(^K!N-PJV^S$!}3YaTGk2bu>DzmNz*u&wZ7b6DdR z9piY1gpdF)ww-$3;MJv^r4&$IRq*|pHMvd&Av*@=xUTdPH^&!nxo1~zJFD^f0|@=` zl(5FJawCXRF=UMgVy5XtbnFNZm*Ra6NL(9wI1a;!;89hivuE$<RIfHm8;4N-PyBoBG+sJn>H&Gu8de`4DB)RXik%n}xpZYhCz9 z_FokhI$eAsgy~)U>gtP-MLFE)KrZtG&1lu)C>tVg%U0qtQX<`9uBiUFTG+A$$BHB~ z+El&&w&&&7>2doH0qYa70AG=5y&KZzVS5?7jprLtC0#zlu?6I;8d05n+Xg{c`i3W> z7LyK_>Iypl3UirNGM+LkUZPPra7l_*Q>z$}A=J|#UBAS6j$ZijD0idG6;e%@;ET@v zzDa)0u1C!`0*Sb{k#!hu>;-$5p!CBm=H=GANI<~XD|A(ni))SUHF(022%FA$!ksewTkkv7+9gB>v;5KFGiO(xk`|>hY z#*;n(?Dq)6?*rwWyzP4!yN>#+d!zRuS#l8INTX;IHHCWTsB&?^V!~Y+4qlC?u&FbB z%2R@dA!aTgEL7%JA7=(Ls3{NGQrtrYuDw8_&GpslXf;<6R^&ZafoS7+mD*O$SzyL% zExNN4rJC98<3+R<-s7!so?DF}Y+lP#otN{e>{`9Rqul~ALefNabFEa+qiFIuJc|t;k(N1 zwJ8=$yi|~2xk;Dr(DHLDr{CqnQPT|-=@~9n7N1APg#JIlcvcR0F~@(%BDLJwLae|0 zgzR=h)J5Rlivfssw~GoNr_awYs5|TK67TkO$!*=oaw%F82j_e5g$5+5EmwRxx%s1z z>a(nFz-*9mZ^Ap$wfjui`lSInYlk3(hbc<^Se#?>^9z;Z>NW?l<14N9RR+Bg{ zEJmsBtqe(O-R+Z^M{p9iT>A{rLJ=7Ceb$?Ue_W9jx+waxo04Z2wLFD$=^udFv; zvoNI0Am#HP{6J3IS$dl5dx0;aG|Rpgv>PIANpEepgEsgomioC(^(^L13q5>b2Ee7W zx9!2f)9M;l&u@3Qx&%FTd`5|V)B4Xu^4}+C|8k}_A^YQGpsQAw;P}&!MRwdN{^`+} zNY!IESVSLbT}+&sPp0Eg(PErBrf5&`?6lCWqOKvd+L%9SFupq=Gc0gf+T8$9G0erA zlS7E#?Sys6vpMTS)_R-<^wXJ~CFGSC@m{sH1r^@dLO#T?pYyuVJ}Zu$ zV&$0|ExR!zRW9ZGz?}U)d}ySkb^QY&U%<4dIintv(pV#VKyS?8)aiV+wW8x}`qeIc z?wTlN*)BXlUQ=hONNZQNb3GNlOZ{|`vyV08NQHG?80t51s`BH4e!5XIwok`F@BdJMD5V1|eY=Y=hie{^Fg5&b#>ENpUz5 z5ieU^BTSOg*LDyS*=>#eShf#@(0uK&eU!j@hMRl1;+sOlrUxl_wpUCD8~^3<9K6AWKEluR z?xB|QMwsxaZBeFFgX}cyp9>;u$%B7bO1&36391kIow(-RQAWWlJr%!hGJxk?3+2ou z>?LcjsHFZue%Ih_+=1s;NR?$)QB%FyeGt4>vvIp1Z0!98s*CNn8-L-B`mY1}1EKRA z)&liX1q4IQ2hMbD4iV)%C3kN5g;yo|uQdb=tfiOR%7*-E;(}66(iJRkwdY0kQ~~&RV37i8|rHLq_TXyMr^O> zMm-~urFE;!V2>)%4a&hZP2<;V__|09nDsc!0uM}urb>=7{L*ZogQGS7AvWGjH48~i z6#Zxg5*0fz-Tx5rJ?)QB+PF6(~PLN-5uM=Bn~RCe4>vuH7zkjbpQVIR7yU5$;n7^(gM3ORlapz)Yk>cm-uR z$5d$(rwE|Do{3}2HCh;|ME#o@;pf>&-33#>NU+mLHcswFWqp75vyw-dWt{EW@SB zQMl*C?_HuuGhwv1W!^ZPmN;!KxB2$T-5)*WRCx^`0P5N=x611{{TF!j{$Hh03M(k` z>l3(N;8i`8kmiY3ho<0r@u|^l%co8Cq&dDSo z@08TjD#i9PwP%pS&+Wu!i1i&b8Fy{q)Mg`er4R**J>HmqYind%;GFvVa83c3#hc@5Xc{CN)GLuJIg81Fv_~I zdRkQLx!bE?1}{{1cP&$oK6$1%=$hkjj0h4(9y)K(Ux`?e)KjlfN4%vM;>l4^iJ3sf8G>%G z_Ht%0N$Ko;h=S@#uTfKmkl4g2$ctPz!N>LmZuI7iO6(diEwT8<6=hiLCg_M4F!ePT z4X}gldS-tF@D05h?wMAh9T6CWKR%x)&NN&E&q0}%LO+((<@!$3u7R8nfdy8F&gb5@ zWnZ&EQkn-_&WrA)2al=SF&oY*q6=Zm_<}DzLobAkgU$E6>KUyDF1`iTgnaFNEFjwO zoMl&YN$fenV!7{S7j|oBd#!>8?-pn(r=lMllKdJ?ZQ%@z}tp0ewV%Cribn@Y)fcJ48MC*y+Ho(HVKV8X(I z`CVE73Z-J5MoxEapWsGZ@SYadMXxB#uj7CzML%xD%+pWF< z8>WT~@UBySV8t6!l_vc0z210{t4!_#6A^z=Pyec^`Fo0cpn@}!I($3i>^N)47Cr>5 z1(We+?|kZ5CWglJ!y~}t{;a}It%9b?Kz&k76cFXqBGj5&-q_VLzp_JsLMq58RTi|AG z>&XYWZbq7v!>fj!K_?2=a6Jf|7f`9WNh-;{roUUlA7^`z$hDFVoW@djNDYqnBli49>m^DX_V!fr>7}TL%tZ#V`jQSxLadc}x2B&=zfzuHHbN|#7nx7gcZI(wpq&aBrcSO-jGiKoSO zCoKR@k=;-4HNV^&^Q{1z9d zZ)t8xs%Xwrd$E4EH!?H{q69sjP}&}_XunQG+F6l-iTX|vNqhLnATGO_V11x=vv0nb z4_i&Rtm9cJ*IO~iFBJAEPMcBldLKC8T0m2+aC&Q}fw=wXbX+#~dCR2ZEU!+6f_TuT zi;Z(^M+BCQd7_fF#nmzkx$mz!Aitb8ME7%7z&p8KxZO*+ymx838{h`8dBObEwWzeb zT!0YkYF3jJq{?)MNt)|e_qb}XgmfqTdL&E>smEVKCiml#KEZOMo`7svv0QGF6f(Fs z)MU^FT?ccNNmFpYs^!O`w)GG^HY{VzeB(Top0Nw8+a@5wcN3Cw=|0eF-&eOBF_txw z)_eyuj<qALIYdE( z2wxspf4y3-2|`C>NW<~akkpbJdQrfRWdN%23d-lNn!LZP%6}*N3Tq?)2;N!zF_S#W z+j1v*kzXyrM!G&t%XGB~CLF0N)63bZbzu~eL`*p%k*uvPI|xf;03(+{_c_9~^lcd- z9Z-a6dzwx76DUQGRHZL(-nC@6aw&!X9=fR-XN3;1vxsDe+^*TFb6#iI<2Fu=dn_+1 z^ePDba0XUC3`*eulsqK7yT*#FQ@g;hlpzH?OQJhFg=ZZ(U3?I)yzK#lt6)NR222QE z4kDO|6nnLGgnsdjm%sr8UvvEhA9N9H;?JZwC9ej!$FIh~R|5Q|V5ZJhv%XN|pWPx9F>keoVy1j#yC8RDPP!gsrBr^FzVus%}1Pn(pN6!Bj#&_0L{ z7#?tGN?g8?=8mS;mU3n)sw_K2G;?A&+Ai5nx64;!|JXrPlwp9k7MOg17^w)obF{KqE z4ECzctL8ge(slCg&nwY@qr}EX^?thd`g^UIXa&pH7v_QU@F$K{S$8N7JUT1ecgaGk zi@1vOPM&vhllHH@(7ApE21Tx=vvmdvt}(l((UwNsB7r3%!hR+p;8E26xyLrSN_%Ix zN>Ug!f_Lic6~O|^`iE&iZ4WooZc(G*&c!9eg6U3jG@HQ&y3D)Kg~V6bN> z+W%X%dt=u1Nwz9Md7N$TA*b+7$)WV!$5JzM2F=C(R-b`HVwEae^rd4=WaUQ-MZ_}f+M1AvDUFQE-6$3>;3EW%ert=>Jb@|6}ww%IJkh!cE z9-hhu5UdM6hqrpvDv}Uw#gM7bk>N1Zx;8{>nja0L83^F8iYEUY3Nc7zzV&b@;7-hQUG@qTBd$_FvbC? z4s-lus}UH4J3i0*M!-R%7USc_-aJ5HHk#Ntnogj3oygo|du91w%~h(^9Sb_bxFI%% z3HBm&j-2}FI`v`%$1Ks@dMAEv-F|oFg`kj>+G}RtS)BLF;b*t?qJ#tm>+w*N9lpOD z68$AG{5x0xGxdHu|MvOa_fjsRqMUMzxHHnp+|M7_6Qg>B$UB;hkVQk>bE1nsy<|`Y z%jLU*^X5)|tJ*8EGL@vzjyEI1xmyGqPQCf~5ryOVe!5*VvyE$Z~zc$%K&7fY}; zm|CjH-AY@OPyl+Q)v6cqP`6Y6Z3~i)A`xi(V_hj+-9_yEf&oKZ^rgqY15olFB5euQ3{KYyrx`%i)8N3j^x7$+-!Wl-k~10p7_r8H>+DIX@ynw<}1p+ z8KH-tjh4Ns9&sLMHjfAPKlAgbykk5a)NE8^05@k{^@1{kmhs)bM)|{Dj9|n}k zQ#Nl+CSQVSTN6AspRUgYX3=DK`wBmLyjYKE)exNalakZ9Zz^6_Wqqf`1V_1*S-`BK$ z4uzCb|Q0RVV4 z_DxEmLCY6!FIT#rduMBlTDC)-EgNtw*(nJXWi)Mrqw1xzfsF})R*$5q;R4}h*iNj( z-_|IW;;e&do*&b+`)mHp7`StD3VP4fA+w!^Qrc}ULSQ%bKPYUVQZKhV|Cw}Sai+@t zb|SPd%jF+4-=7T0st*e=6T4?V{(}7AJ~Nc%4>0J=*vbCKeFM31+QgzM*>@@ACW);_ z{}2H$0V3drA0l8xK+!Uu!+`&%HNaqzzGrU|jlgTQAhw8=zT`R$=pKnbKIl@Ewm%6f z6k1jxwmD@R)gCYmb`gaH!Z7rA88)&W*C&rS>O3{B1K+nD(N4f9ecZO+FyD&^GCymDt~=_ZCbY zkesPC6AJk$6;4FM7l?yagPZQDg=eDKAL6a1&ibm43wMI<>_`^Q%L-Ts85Kosl>;x@ zioFQAahRZv1`^43^D(1hdk%Ba&Ic`=DQi3pI!oE;4{&x*$Q)6%+8wCy1Lo|ra&4nU z+EUuD42#_-)joncB)TFsE;jz;^Y9OrA>PRU=qKOFuKGe=ZT938EmMGQ7A}31b}X~9 zML|@|^q-2ps8myT4Dpj)I5mfd(BL`r;Oq@4QHV`~x;hD)ju)&Z6!=ub&1d@tL{CmC zBsYyBTnj|0#w4tIgY)aX3a+*@wYcX2X+jQ968$bnB6sKjDbv$(EN~}2@Y<>1xoTVi zB|*j-8jG2fxOR(7;*V-|4Ceff*`sW;8;<<3`+D z_h0;4oBd3bDGAi^wqzR^#}kN~OWfXFOm{VeNxO2lKfsC6a2dp8?a!8`Pt`O~rQ77SG#f+LP8_C2v1IQqY{SIkkl6r0N|0 z9Gm6(t2rT(WmNM$23GPZg=*9TTRes$53Po1Z5_lPd-4tRAt z%8a1c+LCGt!c7hX#!L*CYv(G?PPl#Zy_|!0Sq*W}EpKP0BX?|S8J;eAzT>O$%D(dE z-)81y$}gKlz61*@Y1Wv(67LiAsM8kW-Low8txHP30!9oFPqS&`ls1$I>rdv~b`RV7 zcZiQRrNlA!!hJVqJ{|?`gNA!P-d=oBsYkrvV84qiF;E+wg<00zK12h<6YEQ3?rX|B zHv*GI@L%D`OHs|z|L_9%pYg;5F9cXnx;6P*ePK+2bim2~zbJ{Cy9K|XkEW&xjJT1# zAmh1kHyH-lFTo=@9&M&SEB9OJOo=@fGb0r?o0_LHGYBVmIs-PE7gvOdH3n!}<@c=X zLcaYaFp|4sb}-|7QSx!^5R!R|6IL+pO1YIUYN1tO43-`w*@SB}Kh?#Q2@$zp>2A60 z7NkBUbdYd^SgsYY^^j8}81nWiY|#EozsoMlWejJnK6ys2J`oYVNzeS+YqL9vg2P33 z62Fm80&Ia0s^yn515iAV0-+E^Oe8155fgpfCTIJ2xooPJH9g{@r2Bq+sspkGZp75@ zF|)oetA7}==uw@9wVN#C>I=l4K!0X&^1igSn>@A5B>hwM<$4^BWE}?@6wL9lg+&r*m2Ck4UH2+CNqE(zUw#VXBqS-_Q6^SPbng+YeW+L1){2_r zoEf}Q)K#D7Xt+F(sop0n@i$@3avU_+Zw679b-mZdf7FpvQ@WLc2d!3eJTEoN!V#C9a>0+;HFqkhtod!3D#9{qxICeXAJ zt|+}XefVzGEEsSR_?AV{4xLaa*pd&QC17x7L(rTb@m{>2=hpe*m-xJs#5yGFs51P%JEIo52Qt)nw|KzW zU0&!Q`^-AdI~^(W+=q+vGizU=mhJ1f^~_M}e0B;JOwo(?@iK)A?@bP80^*m))2V>^ z<>G%*zo=Krj!+KU3iUPc+{{WzT9Rwzg`Xh!RbO&7bgRDd2p{rbE%AP*c=d$O3lnQ1zAUoyx?p;FqFNDt67i4h)%*n0ze~XF*bu3Nl$Sw9N zMCuYtv~wj=K3?S}C|Euomsa6=BZ;{XL6+#oRYbE#gj{4%11z9jc9)>(dyOf0t!Ufb zOQ^wuXFJ9JFNG(6RUZB~CBf|PC1JmYnuuq92T(3*V{Y;+s5`NX61XG%^5LK23$)DX z)I!)MnTbg zs*3IgiSYvfap}@I_j+Z%Jf%;B7eZRNA6=g2%1)NcGx8X73p3aE)M@7PnmH5_-J$1F zV{ovFGX|aVT_f?cKKCILIDPjDr*qhm^-*Rm(AgW8DIV4;z-CWC3Abp1{q3n5gHQ*t z_xV)u-20k$)@Q0TgEz`2YX21b)zkp_p{Tjhq9ZBF60#Mw$VU~gU4lrEWj&OFz+W1d zMx;{QefxXO?ARF+Vrl@MT}d&poZVloY``vtR$(o-b8W*YGvcv=GW-c{l7>~-$^fxt zQwKJ~wF|c%Z@y}uWbS^wPeQsP{ezNxD(e>||#Dj<~ruP(MejLY(lSb+PBqk z94u_XT0S=$gw6ILyTDtqMAne`4_E#zE}AFqHhWS%9MEqx-J_d6{3v|~x5(*DBnX6p&HWM}1;>RV^WoIhp}4{q$jGi*xIqQiI~4i({yOpoHc1UXquIIeerT{lCjUZb}vgE!8FmkH!mhVnWNyQ*8(~o zh&Oux;GiQcb&+j?IKnr5s=8`_9gbantYj!y|T#7o#OrKmkwf(IWee7JoMm=ra7b9+?K(i(<~svoxF!3uMug4QRgpa!9J4d-rio7kSvs zYK|PC&~5IQo$6{w>8a1&e5@TjTM@g@B}>9XBl8b*q|Z*-7TMA!PDpW%(aue0nVY;ZuE6$0IB2sx&C_Us!lGFq+mS5ea}Ksk(yPHqo{3}}4eK(eUV{b&6|q!CdN zLa0j2OwuD?!eKI_1b4GD^;Mx8+|Z(W+G2&l7O<#}q}9(bw>K&^U~mWy@`Ti;MJtb7 zjwdx!tcz>SLioaS#%sOmJ2^+P{Yy_~JE{m4+eZIa1qGZPgzPL_kSJ5T0PkSAOX975 z!yHB%;@3y-77CJjT}m|rSq>61^Y(WvL>a3mC!aM}FZZcnCX|wMm+ce79977TON86+ zLymzCf0pImVq*Od0q?(3+x%4~S&d{l%e572w!!`3ffT5SJsFIqo32EO>M|s>EaF4V z5?7ZAoLyTFO9$bS5qrRAJ%JAJzG@vFur%T#`O^Lu1rVRUztUw>RjT=v1Z6&QWRvNr zUz3@wU!t%3^QaonkLni>KY#w5jrelo`)l0Wm^yyqEePw;?;F33cMR&sol!+!7s&Fj z`?z=gbLW@pZ`kcT^kT=8yYJ?UuUW7)9uilbfN&cgE)kyk*tVno`K_S;)y(mlh77$0 z1%&7k5lPq0mSZj|Sjbr$C81s3?iq7bo&DbAH2nQQL+Ce_*Et>RtRSWbM&e+WU-{#D z{C(~%t;jEDy0s$tx_COIT(nHKV!+fC0a!I`!b3{e1*C7H)GUgksLSc2*5a+)r3rZV z;P#}=ELelighd)4hwwZDN9M}!DYbbP4MH<9*5Q;jC2IpGD`F90$i_{Dp~x4h?%>dI zTr!{Rb9m1g)T{@^8xcenk88EMblC8kq09D8ZrEXG2L$YLcR;D#&Z(mwgsvUg=Zb6I z*Q6r+AOqEPftG%sR^vp9U(@pb;Bi&k9Z4C??+w=l9fo=c82%f-KF$cRhHc~@=KwSj zPXSGY_TMxS?IPiR|I|dd1hRyyU;s^oKt%r|!@aA6!YD1P=IvW*vIpn>DAD@x1Yt$8 zNz|(tSbzxS^WRh%#rgK{Daw4G3r8)`6Hk^@t^=Yk{qaGVy=PD>4n56PT2x1K%c zw;3Sfj{~likg#E&2RTAGOwRq{7jGm!;Rd*DBH# zlo=mN%`MGjN8vWT%PI)nAr{$D6{U<-8e=)F`>ExEIMH~>#_%`Ps9+km(5^Qxn=b7` z&F&=s=LCW3q)<@A%GE?sv7Pt;T$~xl+SSw(8(*Wu*?B#^iV`yUE6q;F<@7+=D70$xW42Rq>z70ye_a=E}!->eC@&qg>LeyEQLBm zaDS%P9iTc`7Swda9sd4sL&0wnzx@0IVHgDq=myue`phOsdByGT`UdU&QysyNlKxzh zny>9&f&H`VsRa?X1#5(eoe%Htk)6kNm*&zZ5vSHJr+acSCv$73i{)*0x<)mascfbd zgaVG)1)v-|SIUI1{>~CIopRTaYm+C=pj|Pe9N2dSFYooNO?O zP)G5Cv@UQV)t971bQfFEOz)K6#r{er_(ujgV_LY+@>;@u|Mu+4f09V-|6L;C9G-O9 zQ95lHc~y%7#wbq=V5Vn=e1ZoGZ?kKgbY-Wac2ELw*f;^rAmNS#Q&WH3Y0 zg^DAlbH%afZ-e6&tC9+t(~i0~ZL0Q5Hb?6x^xGj(O3ZT5v-3}k zRzP4=ot-jqMU}8I1&yu*GYjEYlW~<9U%xhb!NeXyX5(&)60`$}eHj+r&a04CQWU$6 zCkeh=ZN9VP4e|7`tiiWWIRi}M^j<%t<(qBvzw>x(oAk6BIypK5KdE3(eH8i>wuKX~ zz~z7#PG0tlwT9Z*msCR2F?k*+H4D zH`ZSz^u!Jk!9h7|Q=|8+YT^9qi0q#p?)z^bUi$bp^}{porgjgI zC2^?qjr2I}o#u4+rU{FRjIc#B1<|%0nFR@YKo$0tysX*~VVO#7f26N$;DdwS`#d+4 zM`%*W6w3)?dmyNoP!t2PG1Uola}j78T{~thi^}hx4#-vNkzAk@su7^wZo=KwLX@}C z&r(PaxWx8YudLi~2es=NhDX0~f!jF{sxI$6&U^^hgl`n{t<3A8U8KVO(o%O(aq4qr14WWor0qm;rc?ybM^b>MpWVt0U^_-Sp&KF5gKsbuQtI!!^-O7ram1 z%BbPeWHsPIlcD}^PGJ{%ZTm8{U7`&-*QgBkb0rB5u#2Bk+54am`#Cq>? zI>j48ZCjSpC9BCrO72~QDd~0OfDCt@ZIxNKCTvubq9X-iJn*C3sl^bNwb{&kKIEQn zS8fB}SnhpE70HMsw%2{*4D%9&R*zc2z|`TQET8mLfpvRs$?urjR{8F^=p;{ajatxh zTeEHF@>Nm&aLAS?vmUdQ^sk2@nT5^~^83BF1$(qlA6>QQz19RcR})3}?-$OqrzepsgHo>o z>IsbmJo`UR)5s2wJND<2Y}~$a0Y+^!d(otHPW|wt*5^*P?DDTu(C>$U7(Z$`6!zge0jpiRPl zM#TRpKe_B2$ zpsSOhTISll$z58OU^8GXQMI^>ezB!F<)veP)(_>yFhP5BGBu9R@Tv1MQDt69Lk;Zb zz=py+w(q1%RV&SZ40?!QG`!)vH)|ricjZM)fe-B#*UEgBU}Ji|fj=+4&A8Z1Lq1;j z<02SulG1S{9;N8KO`9&>vPE{y3>|eQ9&%Xg$k|Vj((l^gjdJQ1e`gg&p~9A-y0bXW z;%w7wd(qZV;Xtkx@%ngl_I$1j=4$50c|DyWY|E#KE<=D_H z1h#(+P4TA=qZHa`icao?=h9;R*J~L>yAwOjli7_@h9)%(pjw#pz_JSF8mz7JSK}m0 zS0uN_{xp1bTgv=ZqILY^_D?62?-n&R1Iak6l*MS^>#N}|x9PV0f$KS;vhUe%Kg!@4 zKJs(0*o(^IAZGl$6B<~F6gFn#Ki?s_eOpm=9*rvBuGCJYS2QX-kS1|QsLGa zAkM^kC6;a9TIXgH>z~pK4N76te>8v2ZGfeX468B-BtZ?y4>>*D_lPpn9W;ewsP&7v zdi6E=t${>7iO^P<}?9Xcv1UZ5P3GL7&*K6DZ7wk3L zb|e;q0{cuOZo^#UnI3)??{B$zrqgO;(Dd)!{jzZztM`dVW3cv&)n*{% zXG>zYI@6X(b#-+c8XUW?-Up?dlI43vBB7;DZzK`CyUqLvT$7f03)yHgE)|fwihNn% z(jCwIsswFISb6KIpHPGuh2#ii+hbRx`M>3g#crIPn zPHe?ZJeN>re^7wko5k*5dpf4}yCrsc^Q`jC(5Cz!&srixU`e{8A@7i$ea=a;*6U%q zftmMDJ!ccA!CUNh!L)SDIzLD+#Q08}cvh8-(n}unPWviMnDmjT`^XT@(os5PfKu@s z%6D7fg6~ zoAO_uSlFH$F}X6j(4?`9zs(qWrD2TqzVw@h6F19QA&~gt@AU14xuS2vbBgir#wcB8 zML!p;4shkW!?)oL`}W=9ivT5#(eVEC3xNr&X4j?LyCDBi!t(0uO$VeW z&~Ge|x@O8>qL|LcHXib9I+t+0mb_Myc_{f7Qt2lQo@6qYTC+e4Y}Unici{AhYb>;2ES z_DM-U0QyH!SNKFi?y#Lj)Z0Kn z2B}Wya+p}@N>FyCDT#Jf$1&nJX#xvic-MlOVJC9?*kMjBm;4jo)^&5{2zhxyPj z{hNw^fNl*I%=c+kp|!!uwgTU_>-K0K!Jj1k&?bf1_kW9;*CRG8VSBkFVbU~b>%gdO zqOdZ*#+`(KzFbaxt^$RZQ;3?e9H+cZES@#942<_20l29nZN#YWrZxLS<`*_PpJh|R zMe(dFnb7UB)?(NMs=);<<`adCVJ~LT(#25wE=p~?d`IhkL*b$lZ1s+pKsyIoT!itN z@1C0(fdsowsW8J0T+X6QLut9A=L-_6BjgSJhZ_VemE?3(#%j{*XxvA7f!Y!7vU0^b zEVyO*S$xi5kL-9^=vrg{v4~Ii@236)+B*#yK$L%u3#24 zt%v}~TMSm@+N9@8>@j{0Qei98dZ9yvB$Yi?CnUE1g4z}WyHB+J_Rb2OxI*9<_Eqp& zr>2?$4C0-Y7_VA74@a*hey%TTz8Lt=rf@{rKEbYq<8Cg2hl(-ptio3uEp9H16l7@c zL89;>t6BV$R_N8Iv}XcJ-FNY7lL~TS`}CCq(zxE2y|6}m?9OP36i1lLOWB*BK^=$R z#kQz|-W^stN1jZ8nu*Th3Z7mh zTeK^VDcv;~;MB)9Bb0Re9h6t8lh4u%vP;K5cp#e|wiFc$C?<#OsH@ELtL~8xnK$u7 z@#Puy#TuwV7&6bi6O!1!G&}kYtbZ7nL4M}@NbB-c$oD**agl#ntAEb9EwpZZnk$MS z`NsRDqe8}9lt_0Pi&_xq=J!&ZnDX%lzZuXAl-uuA@U@mZTmFcK&5vk=zWc3G=jWoq z%+$4);ppfHY~+#WRl65idUeT>_MpsjsL!(Rz+qZu*>M(Wf1X4y!SV5>a6P~FEPKrU z>W~c*MOou!vn^n(X2H|CRri&SePL;%$19bEkO)b%X@uxfud|+Fe`!C``AQBxpfI(Y z?5#3h@O7@;h8BB46oxNR-B-*No~q)!!equ~i+AV$(u`WtzF3A@$xNbsY>LnPIO*Kx z)3oGiiGOG#tu-*Jz^^U6AfFtd1Z3@@05s94fswdkVF}q4UmW|uxilsa-Es;Pxi!`N z$BkN9u-8i#;)X4{>z?hspJEr!GJ~q`01vznzie(COzEZLeETQSM@)s#h=; zm6X4DN! zFZe-Ovgj#*-a#Zec*EmOrltXZ7y;c7GeMNase#qCkJ}3$iBg^tQ%W3lltx5>Q|4Vf z19(~F4z}{ePb6@c1<6N<^50AHu3|14kCBga38X{B^8BdR67vnzy$!}ctdmTSI#Mog zNyhROGdW&$*Aw?KURWtUI^C?g32I|(EluSHWKaN-GK<)UT%01qg&E)#C#%uaBZjlk z2)~&d)?MrNXZoC}X-MVm1%+;(6zFy+c28}*EW3Oc%lsY~cLFVl0F!Zuw}Cl$DO0rx(Ekizj+vT+9hh z`%`?n{)vqrOyVjDoOefK_;2@v#Z!SWL5|5sfztH3;9t;?;4D6Iu%*vEY zp&poX+=s`Hlr_;%1VGu`a~imNb$(Py?#qH|2D{F;W{(m7#`w81M&h>C4z7$ryyzF$ z2g6odg{{aX(@?stNEY42FtPMi4fTgHBJVRBvfP63_X&tXByVw{+d29~(F+0ROXr=jcT&=h+#7MObn!o7t(9g0%OJRUDp@q?o)w?cXf7ho8Pa_I!$w zfXqf>d0Q1LB|nbhwC)>QJWzBGL&)^ThAO*ga^~^H+iBoFgu62 znC{^QV+v9E9jjhwPZ9LOLsx^T$!b~3*7QCPV%s2{lFodO(g?tNAlLf?Nc20a;#^Wg*wwiFF7mYGa$g36I2cRkqFf!(14!!t zj~aSHMOge`E+*bg*u}5$hQT->u6dexW2Yw1Fj~|1^y`c$Be1*6%g)4f5Yw2*gAje6 zKkllobNbJRR0J5y(wNy z(lF$_$?1v}u6Z0|Cmne}l$1kJyLphx=yh(_M}t?~wJ)6s zr=%AMS6gJstF*C%t@}Q_cn%h0f`h5Gxbck07|W@)9C}6KboJXB;jfE118r;x=`V8> z?(cCAI#f$j=w82G3k(l{kX);ImL}FoxjHCd`?h5{GjFFgsY+s;(CN3!*2g&ef3F0o z*FJNho7_pES>#Gvif2lYC7NFGgCqyyLoD07De+SI=|gvit6Une?nl1q86I%a6gh&c zk9^gO-O>JhAqb2Q?N3)eNO&L?79FIJ$v7*A+`JZ7XSy#OhXL}-t@NiaIj)^hi1p;f zN6PaQHQ@cb4)G=f&G|jQ!;ZR>DMxypG}A)QdACe0LHqJN+ZAUY;F&}(HvwKxH7I6cgpfr{CHOd=VgS|P_cewOfNgW4?teVjqRI*+ znde1KxkiO2rGO+eMyHsq{TwTC3S23>7{1=0yu+3Zj@HmJ*;(RV;SZxMarRy^Au1J{ z$=&m7jER%h*Wh|JlI)~|S>?7+4ySRmxejpo=Lg)It#+>F7u$sN+ts+y#RaDWAgKWH z^L7T9=ngumlS{N#HYXiVU2yY1bXPi7MLC%-#o+TtbSM&^p{(4)bic<4Zpi>82AnJS zeQLhrt}ij=vOz~!ufT1@!iBmiyHZ}a zX&R+5KQIbkFbt&~p#;hmxEYan5``K_Y;D3OQJcQ)Rdg$Cwe{pgcBg%PSyoqFU0dy# z-b(W&In~vY22)Fj8f`1|Bvv7>e){R# zH|W`dxwF?}Xj8`kw ziB{8So{lgrf_s_Gp+-9>r8iEAG!5gI{U=9MeoGNSuR1b^;b>cBPydtf2m0-_et~^K z$PTZZSdA=s0=^u_Ay%IdbA_Fkw;?jV;;D;~0pEjD<0Fz2DCVb3)^&WJ?ae0Lys-n% z(vYocu{?76z01%!Y4ifX6b#p22y=NgB<333*t?45s>^dV_GFaYt6OW2|G2HZL{ti2W2Y*?xoo8-#EX% zXqbY|%eKgOVR8bh6>chai+`}PK3(Nbkd-@8oY5`Dq`VuN?{Js)24CNTaF3|5ox0t* zXLxfuY3^p4Go&l)BM9H#vfkbO{@d*({kC)~^%Vz=vQ(ic$`#lw%T-kmNY5l2pR0 zByw6Pat_%XW+O@xOL7iL2r=i=*ve@+F6YBA=i_D!o0-}7+53C>d@kSL@ALZn=?|C7 z_T2M%f8HPW+x2$4^Jtr!E^*}66z$Q=;kLv7`%xR1kOGg_G5SEs0ZC5nH_nr3Fy60M zG{~pW7qm0{E|Poc7+0hg@bVVivE6<hR^dSjkGu51xA{YkLVT0TL#3R>iAxeUlCkaM#p?E zh#MZB)0sYQ&RkDmZ%&{j*2E(cFPNAFFz1Qhl<(Q7a=aw+9A(r(A$Nl?)W#1c|6}7l z?tk%^5F+eaxk0GP;4ReN_$|xZM}LbP4f9{l&n?T(%Wx|j5klufP`a@bIS0)0f2gG!re(%!h=!CAi;!QQsaVM4JJ}*aH zbJ9nh|13^&TH$WKdD(5zPup$td2l1FLR<~{o;rH+e0|i5=yOj2?nM<+KD||NW{>M; z+y7n;uX1tiac&TUlYb!+B(E!;llXjYXIcb^j7a0I=2aHjnAX0dBG!6*r0=eo6mmWB zDv#M6X3re6O#$hXQgZ!m_=ik{7d~12g1p9Z-^EkVS-j;+HtIj<7w=ws+i5-hMWHz$ zPe!Y^P43JfgXg;F#pXXZPO7N<6aAE5Z>IO_GqhG+*d;4q0w>MCx440I{Bl5d9GF`d zEJlK%yhY0objPn*FFiHWog=V%6I#s?Ej=ckGjUQ4F9Q*CPXI{9k*7Wu%Xbs}pHm6& z6KS)?HYi`CRoqXUSV(m@72BT8Uh1g1b@=pkuCTV#`=K?H#?PTO&+j=b@Wonv7KdV= zFArt6Hmf=w*)-#&W`pJbzLc=Sk57 z?Ga}WV(wS1seWC-$q@ff@kB8eJ7K`glv*0U>;*hJ%xOh55!ihsb-wFaCo zH_1P|j7|vu&o1vLi9bx9NAH;cj`{Z3j>m@(O)@C0fkGY(%;>JNs8;e!F*VjaEJ*^h zD~@65)?#}-ks5;>i1$UXw&&o0Wwj}W>ebh&?GoQFc!w)&K6W2+atXQCDO6#=-l+`I z``-Yt9Y--Rx7d1IzvWR6-}G(c_9&^4mX8w_3UWS^T5$lD**1Yu-?pA@GzAb0ekt0W z5{1fV{0)N!QhOGz2%tYU^;wKBbZm<*yn0*Gpe5>j?u~;H^RBhrCqiycULK6ue{}jR z?YfcFhehK*hp)YCM>BQxLzpvp#+B0s5ci(?X|-I$oXd~xQA)SP9izfPM@QfU?iPFM zezelMg|L1v0K|cSwWHIXxA_ddk@w3rL8&KV$V)zs&}3 zB_xenyF<|zOheMKyUU8K$#4P61_4)c#>K(GcjETpv>5l^WiQa4GJ zYiGu!H)!jZ>d1Ahy@# z#derU^l=7wc(c#Mg|Cy;Ys3Ik)A}4nJxJhUyd?i<6F() znCqKatGRNM1B^gGqmqg-?gdY%D{AekahMhM`rNif{2AstPWXVrG`+5iaPCPM~*IRne z_n;shHa0rHqUD{P6GIS;IrNPC$iFqu-}i+f%(ki(C2PxmxD-AzA9Y9*cN0^_TpwY! zK0tt9d}$ajv>bWS=TCm#VTWw6sPwXf>VE#@SymM%qGtL2+(;QR z*>`(~H)x;1AH_pK$`OInFBIhe1`jo)&2t~8*M-r{5v{555PK1wxt2uiv;r8IzVnH_ zti8aarph~j?T4j?aFk!Qu!A=3+~xnH+) zOr?;tsC0jNAbqk4HJs_Rb^7EF=gbfdqVtLp(GUe)+)~;mfLu*$ey@79TwMvRh#u z+lStpU6U-dPOU2<_-Q-N-VSCCXbJ~<&Zjtw=k-50J`u*+te8uD>?@Ahxd8K^#r+(Y)`6RmQgCP+sLci(LU3IhNVyNjk%W-wl$lRMrR>OI!(FEvy-Hhtu;3= z-Pq_4twrYlg(uhE|G)6$4(&L2r+E^cy&fl_1W4Np%n++txGTTJE4{B)@AB#%i-ah* z^o!2Q*k~%ye!T5~YeVJ$xZm-kaijRTiAP>G$@yz}T$YO&V{d;YgvX1dt~~zY%f)+6 zV&{S2Ns)&66Jn5-ud=b^MT3VO>=3JpEP>x|mzy+EcyS#^hmIV`rOmh2bH5HrsLo{v zS;z$KRPd^*=MJ>kx?Xz8yR)=A%{#hx;fD1oF5s=1Vg+on*Ce)2AXw?sT_YVZ-Ib64 zCNA`X=s?y+W3R#FpjC(kh%;8+*B#Jn2wE4a zA=4Bon`(qRAR%9IpM3G2g$o!~MzAL%12gK-z^|O1LB^B4t~$$Z8fD=&gOz^ zqBLDi9$(_Dy^}c@wcBg5%oz3oRMy+~iGGij*(TK!o*c#>r>cO3*F}UZR+3uj=LpRr zj{3%uJiYR zoxwFf!zbInr=Ts_mN~Q`>w1imU59E}lK#t-W2XcB%2wt;WMGNwRyi+yX|VrKoi@dRJ}R#d}=*eDWpwS z!#qhjAB>es_^|jYR8#+^Q?a)6PdO<-*#HG}Wik&6ajgo%&;53tmiq+((mdYp?I@f} zzq*znSVwbX3)IC0njvFNopN%CC=&dJ& zYj^csM0s6=9^WZz3rSAWuQsxDi&Rp-h;#f3$hFqs^VbdswZs?s&IWC5)Y|4rtPS5f z$~9qfSJ1QLKgC=)I+QW$jwXiMc$EWg{*DQTlcP&YpmQ*EQh3R#>n?Q=Mhc;VD4x&3 zoL%E1K5ICElJOv&{AWR?&*-ph!kf{yybLb^{mt8==zhUiDZ4 zw6)2<)bLapHd5lB<2la+nD|$`51Drjf3A!;+1R+pL~RIgbRnK>9C5=|j9=Is61#YS zx%xpLPc$2#&Q;Dqd`k@}Zw-zZC75||*&Adow55+7YK;$$iJuPSPP)UCG~T--J(uw& z%<#Xn06IpOwWuEpLwM>nJz__kEB#DCRT^r+t1Xt~X~iR%wPG`scHH&pRpX71tPm;I z8>X6+iWY|5`}PKE#nnb@pvV_#Rtw1kx4HL&dS|u-1TDHgboR!-oaO&`2yS}~!>U?R zY;uBvfAlobt%9q|Dy957eCWSKq_hq=9Ki%p6+LzaUsLa@VzQ4&&0ET2tqtzVLnVd;H44!IRWnb>mYr^o8|73-Uz>s^2U>8_*#3W(Glx#H=TV`^Jm6Emg^+ipublo?2WG$0yqOl? zdQ+>gsO6ND-Gs@WXms@XSc_sy$@xDWkAhlmsH9sjhaLSAFx;E;ByzGNXXjaVa`Rd6 zM|?Kwcg88H%I2g7STuA~i0NRijJ#4n72r|_aPWi21%D%aY1^ffA(!F8_4V4OPHacBnHcRiD4x-`h)Pk?SlXfqw z>M%u)0&TQVMq;0J@oYo7!8o)@RKrsqWsl{RGC4D5bLBjn63m&t+k5J{%LBPJ5l-!*=RSuINiaxVYUjeR6p%#f8#iBxU?4&12Wh z20Ai|yQh4tg*yMT&m=8&ODR2Vcm{Y@QvU=EXDx5~spOX)n0km^8KWXR9F#Gu6){EQ zAp^Dpi|mf#RhI+6#@v>3}_ySGZ3umPeXo}h7$ho>ruN9;Vpm^z7X(Ehp#nG4p@sc(hn z-s+Q22VO&G%infh)$$GoF^8840s^{j2fS43IS_bvn}!pyj%{??E@|-3Lam0cjVun6 zuw7!h`(ZR=V-)zd{=4^GJ%x`DRAX^5r|;V~MUYcCq)7rf$8w^??2tgI6k@vvW{^Rg zr}p;@+WQT>ga_L>K8eq`BkyCIO$$&}lWrl?W0 zwg!Y;o`^gJS$j}8|4yIdA=iv*}=V(JUUzBz` zy|1P|5Nj>Cu9+hKF8`5sRF=NFG>w3_j;6Vr3}2ALikcgFDT)mko6h(2i2&LsH4>mH zQd8G@ZFvLWr9;n{UK(!w&sRqMwZ$eu#7dgXa(i2eLz744>dLot8gv+817bGMxF!48 zQbHKx-UQs*M~KSlr$s00l)V-GZF=@lmQ-8l1vO{M3 zJfxODkd;Z9QqRjfuNdEDH3@)+0~a7q(GBal4V*n5ji#f0HVcL#rN=a_NYF6{OnrqT zr*;AI;>yexJ&fwOJ+hEV)TQhu6Iw*dyEKXYgKYe$Atrd0jk5FKs-#n@Nh3ofc>L4T~1>(eR#%9G>{a+(6b51I_Q~`@Tg+I(q;f? zF)PO^Zs`tAc($A*-$hTgB-vM?u{)zW(Bz>(`(P!fyk^%tPrX?0kdxwi9U=i+LS%v- zl}qe}-;_$snjSq_Mi{XbrB+FOg}+~6q68e~uVS}Kv&ZhsXSg;+auTus*m0!BJtgEv zx>Q+YZ2TaB-e`;-@r1GE!B+i%E1o|~7&Xd??6X;S%^<-2x&2fQW(buAKSGFxMFL&dWo zKbN*EL6LGV_Uce>2*CcRFqT#?^Xril+mq=^_nF8+z_-y$i%;@+i9fJvZfP27-)h4d zBs~e)A7=@;%>uoRF=Kjuya(b8y|6OPoqwg@$3A>mmH6ZJ(AAMgy^mob~7O$kIozHXe0f_HW{ zkL^dRW-L7LB?e2u$#`F^vlL>}bu`^Q>)?F(z;4aloZCox{7@K+t&NzP8#?OYoLXA+ zcl6P!9Qr}m@LYb>$DAR9jFY#s!Y5dNTDRTz5!!C>y`(L8jf;Z969$L9R<)z2ZpDfw z*dM@h_VAmCz)5|*q8Q|@YXN(!^$Z++U7k};c!P+WUr5Ju47xHYt><)x7=aP{f<19I z?jK4klj*=$V$-)RM}|yCK2;&}Ts~F~(QU72IyT?NFgTKTagpx>B{)D+x2xwQy7GXn zL+I`kB)Bl_*3ZWu*l$LSVY2wQ25woIQ@pWkuOO*8_8XV51((A}`XgJ!<1`{Exc!b3 z)@Z#px0s+>IlD3f?Jyx{u%xcq`)z;j{}t82r=o@PtX(?Px*D3(xUH1Pqs?hK`mTdifgY1dZ9bmiZZLD^;>o?HwLlJh zQ-1Lm=h6!kN-;`_=mYb<{j__Rl|D z6UWTx<%I>P63SIP9NLAo9Q|bRhfmb<%`wrZXgWFNm2dqeeCIrkIQfg-TlJc1;Jik? zpM=?a1F!P{^9DR~$j>^;Wq(Y|dh92TZ+JpvD+PjM9@M=3RJ-N|Jgc$hVqdW4;UI3Y z-KWM7?6jBzU)zml?ddsgT`9RZm2ll#8B$^qfl)NT$mv&+YJT)(|5yLERtrO$ot-Op zDxD%@wEzz)!rojTK(G|^3g4-_@!J`GZ9b`O37R{om~q51?0xABm*8eyR@r^=O0SO| zftnv;rX9n-82veLIp}5G9h#qoY93A45_c1bLEQahIyw~Yc%$gp43~LY^ow4UgJL1Y)3)N*hBr<@;9k{E0^m9Z8x49gNhG@q#vOYPtk0uNkcLF&1x@b?RM| zp0r>lz3nptdxj5w82V=jVUClGK^N~;Pdwvo&he52~eJIO_^LhE!C5!FMIDEm%WoNLA&< zF@u#VAr#Nl+h6O~Z-ejzurJE56g9lr8b);Z&GNI21Kpd3Md=={OY?})A;~Y(PP8D zm{x|Z{$77MbnBR=SxK`0E(4x)bfzsV)N(Z>^7U*)C7Ust(>i)K0rHaRzbEj5bItyo znpV%+wv2#+zCo&2C*%8$KED6U*0l%oBbP!TjfalgdxIN6@~!KlFLp*mh?>vz6=&4U zFtxkozpxq|oocH0J|ZW!e?nxmiZKrZ8nlY3(lhn^V{ldjJ(EXLLEUU7M$-zv%JOz7 z{v>F*SEFv?OE(Hw%-pO2O95)R9itG^0d z+}EbupoKBMUXzgBIG!KzQfiMN%qE!1axH6uzWLMTxWm)T21d!M`;UxRI=tOq1mgR6 z)WN$}xx*SKR=l3>bOe)IDwf6@Fgxbf(dD_KRJ}I-ZNADSGkC&OXYQ)lJgE6)GE6d< zwjOEzIO<9DXsWAARJ4k&Cgn=fP=~TVJ~QAQazrn^VfMT>G=DP2A9sNN%I`PiOIy?f z3}XzIP3uruS{w(h)`MPatqx~=QH*7n88>d+mM+=l%&D)suj_7t+4U5k<}XieObNy zaL+;%-;bD3&9#&TkD+n;JQUjnH^W@L~(Kxgs?brcm_woHGRghRwS?`gy zg+vh5^&)v3Ssv9(GZSm47M@yuhC=H$*dj-?v_Tk6AnrxSW@XRB%pig_&I(56stE zN{_np)BXK|wtV${Mj2M|M6Rd@qcuPX_=R!*Dd3nrtJKwouEfQ;pElvP?9DHD1KPNl$m&hv_ zoWRHV+do;qVg9p~=?v?^vWd}gVb!fB6xf8it_$EylGNENLQ`TJdIcXBPS+d$%qFmA zpnGTbIqGF9?yY1ZGiWZ{VP~TXgJcT;h@F8Z?g}SB5qkU#| z>ZaT4KXu`RJ2ZmW7>5Gq8GkL3O47Q!%P&8>qD60jt;9h)5=g>kU`u%B?8Yx0#MPHZ z99S@{0FJt%%(m$6>?eoFE!QU)F%&`RQ?_4jw(y6M11{ z8oYNP4-kU4t}A-{E110e>St(}CNW3A?vaRjnqO`$xyqoOvp(D8t?wv5?sIp?z;bVL z^Scsj6r8xT!m3!84G6?bc+_MLTZlZKFYEAVeU@07X^$A07{-+xZoD*JH}Y}eBot%$ z{yrq+8NvI}Hu8<@Li*678j6O=z$hSjJbM04`1()98$IVhdmJ{1*%)xzhA=QF9W4y-)`pudLs_3&szQ?hS^BVeYwRe8BJNqZm~{I$+E z#GZ%Q!fE#`wNz@36VR~T&X=Rg-ABaa@3#S7J(i`<#m-wl4S!YR$IoAS;Y1tX8?D?| z>MCHRBT`#)#xb^`hDWa@bYt?-TD>#I5Y^}VKcDK+MZDd8mZ!6R{h=_^zwcAD2CB*G ztM>GCVST5&sglmf98(mBjD=lai;NzQeu6M-8E z@1R`4wER5Jq>R^2W~k-h2+E*ek|<8AdK{4_F~R!%4Fe=-dCnlcl6SQCd&kFUmTeI9 z3g3|YH8;y=%(S$Z>;vcuY1u*5DUu+n^MTC3!8X{+NQ=ne?quy26qM`aR6XXX23mQ~ zHS%=wr%MrD8Iz-x6QPRzF#UTpn7wEVT?nQmEJUlnjc66Y!^WWHN>fJ7^H-cZt!#W# z=K6ZfLfGGJe!o0Eoe|Q_+mlp4dC@`sZZeae*tsgiH)`5n>5eiHy!yTLfHdaR zM}aHE-3|XTBdI-f8#w8+)8Rd&8@pO3V@^_9yipFHWGpOG)Uoh+5@}^gJ~Q!iAd`- zA;=*E53$TnkQoTHwAhsXwy=6_{V@u}(-xkdSR-!!EYXXRcU5Uv-@X)hqMl@(J>st>K@@h+b5?f4N^czt?cm@eV#27 zBeG}pfSl>*WBD%NoC&42!(!V}3$r!DY9R}kV$q3j>u)Mq+P}Od6z$8c%Ouwkq@&h; z`qYzak~%^-jFNHRg^(G+gp#mJ>&@l_*$s(mV*R0YIh1M^LYAPGOjyPTGKRgPZ+_7K zW;V6;?E%-sw}1@!h>qrD6{F3t^SzAiz8JfMvLAw>(2tKjjZ#hjtBa3u5*-OV@-ccg z;U<6Wm16`Q=J%V+4r}x;3`&KcvgytPENkF-c@Cyfer%{zUq|e2z4s*Q^uWNR{qC!?O#*KT!DM8B&S08T zk>*Rs;)qeNjhP~863qVPb(O8U`Vf+#a%bEwOPy>%c= z+%9uw0l;I<4}S_)?n#Q@fL9MCrJvP_nhU zKOHO6D2lIJ08N%UDL)0pKGDl%T#xF^wIbUFH!dy6pIgDfdD{Kc|B1djAN)|3psM~{ zZ&SL<*S0dkWn)p8P{BENW;s(Vv7AjGdu-ln+9-n%b2U~P85x$nBI2N#Ddi9{-4l5- zZ!<7l!jGAKsO00dPTg;W!>)Pbm5(4JL3{2X6Ir&VXLl&41%|k|au+BmteS?0U zsgi$5@0p}VUUL#$lMH70fTrm2yPVAvbc2-R;%e z4uwp}E8pOw^6{T!3U#$bKKiP!1f9)+THjQvokfp6jE9#JoI(wkXnn6vm% zFA2M&|E|l58I^N-@maRIgApR)5wp}_?R9A6WpEKBeHT2;%KB@gxT-#tQ!BW}ufO>M zfDBlz(oY5!R^3JPpadt82H&zaz#d`a-QbC#RuxJtJykysz+?gA169jFh{y{ziF1gU zx^m*Sa`kvGDG^e9?NgTha>gL6I(V+dB^ttwWOr#+^~A~hd6KC{gNDU#CG@7 zftHJP^>&C6Lv>y+!|b4!kL;X0S!1}x3HmwPqMy&XB@JlX|`GVaE6 zs-!lrYCSsC7bPrUAKZqsN|R1`P9bl?SVc3E$Bw$jWqVpaekQvDW2@<mw{fkAPd( z1|Px#=MpSKG_j3TF3{_%pF%aC6)L3jwsj!;?f~PDEgjlTrYifP7dhvcU(3xdu0A){0cVwBcQc5vFwn-gY`LfQQ2XY}+Rr7yg9=7TmD)Ss z%E{&=y}~L9*F;)+89yW2*)MQILY|&(a~9a6TnNv|7LzWUyNLn7Y*R1*$tl3@;Ps}< zr)eFd`-7?0PRaz>Qea-LUB%@;Nld|lm)u3-c%z?v>yhNDYR&}a+h>~lkE)LgXFeVR zQKdf|7rXm2?F7NkY05HF3()485E5QI;z6HqxilY!O4$3u3gw^wdxYW1NUyG5Ei8KI zbVkr3Xtl2c{D7q?jU~)PPd>e0a>qYN?@~msym@cFgZal*mlBGXy7(FHF{Nf}=LCqD%~lY*4b2?8+J&;JT|j-dw6R-U zSn2;|s#{>$^R0>@p*N!q6uJfaF!i#NX88fek~Y6|%$L#qz7`}QD0LiqH&FCHEobt% z3dz`a4U?V15A2vIo7EZ>%5%JGADsVtbcy@K$sxKKGQe+37RkX;;6iPO@4$CDV*>0T*R}% z1WS$BPlg#=*)B*1IH-^Y#@a0Hu{_(CsjJDX-9Z~lwqJLay99KkWu6#J?Uy2<&Q8V% zq&M0MuF1W>?^ijAng$qo!=E!@5z(`x_wvPpA=rmuirlU-RWBt?gY(M_tt@jyQOx$NL9(U3W7d$a($~}P^9_7x zHDyhYR7(<6wtyrPx1-Xr@4jB%VLDb^^UWFp!e3sSR$d;w0Z@q*0iic*gxcd-*)!)d z9RCkT^skVRacix6HR8GQr#j1qp)uskKJ0MzyM(6pNp^I--Syh;fqt>_6QBI(dlS^ z<<$R{|F{1m|CdR$zq{qXD82ydw4;K$Ow_vi>D_5)iweJizs#2an3i0G+p9x-T4Fvc zm;8%!ZB>ChT29uDc4>}(@bKlDP*l-dfjlDEHYG`no`Mv-;CA4Mp(_(CmlNlW-k)~0 z!xTBfh5XwL7e)@Ppp!O7RZ%h?Jo?P%>(Ltx485N|@be?PiXg{FZLM1Se{f8yzd1;n zov-+O^@3ETe5P-moqw0V>u)cgLUfhexxJ#g<%@_<{jaWw<*`R#F;6t>8Q|@+l$T9D zHR9DBK2^7+z}Eg|VA`VxhxdE`!B9tUiFwBX8?KRz(Q|w%-(IxPjY$PTa~4DQX7;nu z)n1ClA9k#RQR&bUVR&Bc18ru%8o8hlU0H0GRBpqwshD28v7O}5BpjF3%`f{V=K4>k zj04Z^k0t0V%>w4$RoZK+<@le2gE%iHvnIZ#(8S`b#UO3{?bc`k` z|U5vQ`xMM ziZ$RqKY=&x1P$H^xeYWCSk_)-g?ZNtq@Cf}gG%MIj)%i@60NRMbdu#n*Rr#KnhHEK zEgNI|eqV$Z#Vl?tarDa>pC2kuorXf67I@;z{_kL*_S4v-)vagf1Hodrp?bu+&YRD$ zbqhMp-8**=Tqffj--vv_HB@hu370$O_wmmNV)xQ8lu}l~4kqCy!sjfDyWD4Qk4PbR zv{U9lw1k~fr$MAtkZ%6Se)s$qP@dDzBrABFC}u8UXTW7Q8krk86Cc%c1xhrvhpYL^1c}_?@_+BMpYh=#1|5-niG9yB!zO5uf|>=N^kq<4Y011Osu2PFT7yLfR!M5_CBaQeEVK zySEFj(FjKaf2Mgg5Qh`4fLC{lU=!ti1SR;L7kg*$@?0-g4KlNT7(OK&_DQIhLo8!X zmaRznj;@FF76-e2U{79HbJ|6Te$a(DKUnaBzxl5A(BbsIuz+X(k>(;DV|7<)`4!HN zJH<#=;YTYu9MVrlMrpRU_8<?@mfyuOw+kAvtd(d?)^4rX{*6muNcUzrN!rZQ;I+72nw6LR`@GZbc=6JxEbTc< zQ{SGvQ(ak28Sw3Ph$>*qJ-@gveaj0aq1vNrWcPNnHuiKoDx~Gc+M9PrWD<{LUpQGT zUMtb!=RnXE(O*29G^c5}XI)~gS?GY0SQp%FGrBkTrE7)eklLr~lj4%3%~XVW7Nre- zPx}0p)@!+2FS*GJq(DjG^4aYhYI%Vzj=JfP4ILqeeMZpNK)L}yZE%eo?R~7wcj+=t zk2c9RJjtCe5xiNEiP*{it~j(*M!tgJcI#4lBNiPB>yb^$$$rqrS~TFeYz+B|Th!Kl zTfx$UGy>KHiNWY`%G)OXgt}Y7-GL&*uSM+K)L6yG0YS|+wc~I=_(YJW_^W+4F)fLg z$j*J7Rvd4DmeiEd=)|%S(W_!=2ikLRAvb{Nfs1e0>{YBHVS^u|4fyZsAWEVoF-rr6 z{44$?6bx+2STpVqeJndqczRDq<09&Sd&c>*~phU-zT4Cs;bcvkqt_k<_qi_^w=>3OkW`UTcZz6Nt^HIH zdERf;>7yS`Fe zkI4z`_s-rLtfEv;JY4SA_!Np4p~ClP8k-+q``yul9NNMuQTmgHdg`{Ww({Q+XWhj; zVCIAo{IY@K^lQUb!T#8Kp+JudJWx*VKg7W2u}5ADcLu8%IMy(_DRSuSRW;1S2LeJ*9k(F21afDqRu5`_3Ef8;OU^~0ij3`qn{xFDb4gf5B?75H z(ck3e;^^{UaJnIA6Ep*-Lqz z<3XQaeu$HnmC=?i{y5a^l7Spit(9)6TP^cDTJ|D;O&d-)z=sq}Tu`hm?9c)Zl?QW5 z{xw(dIWL#L?4%y&*Tx|1XAh!|TRim@x$2Rbf3#=h2xvGp8m1B}R=%;Zf(G17t1Bd# z*vg9>a45fCkX4$YNF{+<(}W11k9;aHS?I1JCs>Z2c(&JNZ*45Nc30>O4A?~Iqw0D` zlw;~A4`9e(=@( zgJ4NkW8($!`(cZMtxQMmSGQfXt%em(ZFDBI%Gx8sPcLXM&g5;U$`o(*H`TwK{ereC z^Ru8ibn3o3#;wPG^&6GESz9v1+5TwcH=*>ADGkfScut@(;xDlfL4`Pw_~K8$q8{-=&Qg zhr(0F$4bN~NcF}fCqAW`YjF`;(#KP$`(j1a+cV&9U-USQeDv9PGopOvo{EXVd_yBD z_vB##+BiUOCC|^Nq2v7_PU@tQ7pffJx|ptE=q(~NQqr|pl{Wxgzmw`&*~PCgA&k;n z#LxNPX7AzwY4~}Eznyk|aqaRIn{t*YV4tYu*{@<$y2t)c(Rj^_y-0r8r0S$|`~(gl zUb>Yrb(z#<+MOfi>_=&%w^q=4*bgTOrG65iVQFSDus}FqR9l2d44*JF$|+6s^=*j% zBZ=5`O(UU3K++&*bdK;^1Yo2KaYEy^VjC7PI}KA9x=*Kg*-y9xMGJhfx|eWmeXdq8 zW7{+2t^Q2me5K|@X}L=M7zsK0O-5wJxL6cIZVkxr^R)@#4amy~xvz65QDO-?F@;XA zrv)Jyq~N#s53z>yxn$Q^q`m8F59#D~;6`E6W-KYF^* zd42B^mPtQ5Gjg*4?lKroCpBC@U;pO#+Hf5CGave1CfYf}Rc>XA+Tf9Urh}TCh|aH& z;;w&ib6L~NiyP=ycbiRh8(!G5y*Q)YD6@skA@w-{PKS@Z`}TX=)zbrSutpX%adQV* z?)tbrCK3tW37-9Ze~BcNF7o(KqLqixOr^`tQm!#to(vs1&0UYiF$ekmeN}xog*c|O z^;dr*UhJx)k+)6X7S5{2jjNdHHk6cWBLn{8KrSgq#)qU1@_1Z}BFb3)5;h zC9WNb|JVG9Lw|wLiPCCu7Zh%zncJ^uFi;&7$ZEt5$UnCY`^71)Yd^%YFtuj3$#;wg zWSf8px^ubs9uqgN39W-B*Z#U^VAE2^_8hqqXG{SP&2yTRrtkAq#lP7vKHS59tAxR} zQ`%Q=PA z(sy|%doHcI!;6)?qj3H&f363Z+qS-)RuDjRw#BN3DDUvHb$NgllSi$U*<7v?=la?p zfn!%&T4Tkx&%IyIve2i>0RWHoCn=Kdo1Kd0r|h?GhDMnZK(dFyFp2o#)SI8*&ew11 zEuR*9vEeDlWv{?o6(q@00FPmj@H8Z3t5T{#XKWSA(8nxJck~LYu02}pgMrZJA35f#YT%dzc7kc0pS$l!9z{E10hXd)mE2-{);j%~JRgi&qK(&(o z3r;lqEfEzr9?8p0sp5H-GKuJs9u-RwG zpw9P)Q~cJq#^Q;&20vMUNbs+0N}fK^D=<2o=fP6!*Hstk>W2H?!CXDgjw{VCSSOwi zV2y683I?M>w$>>|E@%m__d#uZ8GVSHof^3*7oOiu-o^L^dwX#F_!2*EWbeDax68%y zKyF|O`{{AbQ)hNWL~ONo$vb#L;4)N7woayDPN>52OEcxE2n61C@?Gh`@<3tnP2bPn z+`3*@^p+nJq!6bNzf{enB+&I95>+o!^l!*Oz<$XI0;vj zX{7%UoYZ-6KZ@`+Pmf{PRFuM~V^J%zGhSFh+^le0=~QpdZkM;fN`|0jJmIE(WX8@9 zkwM5u4^Mo*OOM2gnyc-Om;fti1_3G~5ClQ59>8B+6XfN(ewG(dTm`xR?;lSzcz=*; zuo8@F@6&q|(~{M-!K?=2gga&l`Y9BaNveSbk4Rx(VzlRPv;hbAfDktS>`dl!o9b)f z$)8SYj-bbPm@3a%V-&A~VjuqfR8eVBZD88|%JJ8w?cmBC{Lje2u<9oOL?|Q2NsY%$6`rGkoXOxd4I%ivqyppz<&n^Vbuul7)C6+U%&YHc` zQ{O>!86I1iaWM&gT6IdJ`}g~9t$BSwR0?Y5Sz`I?xu(o#%6)bo)>xfi6aaW^@w+`D zdV9lGe96Jrj8NZKoJz~9DxB-fq9tMBVGQBeqHD-cLHyrLt3=R3Q+uoozsNLh05w>|XSW3MTQG zy5X_A3E?D`8Qc;yD+!Yt%-oAadYB>S{g#t9iyBrUs$;x@%g@}lH_~6dQzS_pvu7<^ zRv2-nvJdrn@CKZpl+*V56#P3}Y8dgT`UZT%hSO`$OhWbmxeBU@lJh_oOdlnMpzpkG zxb2z;e{vSL#Sd_WKEaG&IaPRblhmjeQxSJ1866ct2Xp*_Si2(FtJ@F!sHJHR8B8+R zEpxXYe6+b0#m*EEKyX&7V5fh_8j0^E)88d=TE1+c2#D1Uih>!C)+8Z6nZDKys~)Of zJ=WwY&7o7!)eZE~juHpN^nEjT$nJDfwX~MwHk$`r-yHkD243ynT52uV*g zXJ@25WYY<0i2|{97d0v-P-5>93(7E$G3Ro}gGsIS!L(HdP}{Z>kdjBnsEk#>8qf?B zo}JDGY`^}CWztauTZIWcKuB-oRu$tRK6+G@fM`$f`mjUgFcIVY8-roVJD=pmCsqR) zm{@)_(%}HJpw`Tzvn@Q}$%!rAaijO$Ez{-xGg9Bi*bLlK!sV&;Ko$5>;UUffn6Vi4 zr^aOM|1kHSVNIsp+VBVnag-*bNK0tSI2J^tNWu00|)w_-<$K{q8-__so8uXTCq*ACKey;gRFMSogWk zb*}STOU%c8lWic4%^i_}Q_g}YnRQ(Ub|D*zG`kIo8#$Mdav-qfe85{GX7U(AxcC@G zOlF;!&-Wr`qx^;*fP(1UlrV2(FgdQ}go8R}+kZY_COD@B1)mIxD&|?EcwNUu1|m-<(7ZSKKPDuKTDhWPpmQ;Y_3uOP#K& zhQ=n~gW6Zk4OMW^8S)~Xu$g1}2}Ni4w4AV?_Q*%_VxmG9a&~-?>C|*hpQUYAAM;4{ z+O^M|{JIUXh4o>#ho~jZr?TS}d3qs+V9h%7ZvzTb^MsSNX2}k1+TL~ZIl+n#U~}cz zd&I!D<)>rm0Q|{@jaxc@?S?L^EsC)ZeVc(Yj@l}-Fsnm5RG>GMsVuiNvJ|+C+UJqg zv3x~yLq9(*O@bMkpo1UT6UI&#j=MT=)zAa7`BtY2vOT+?r!@9FMJ^67a})J`3+l`R zQ^EIhOrwXNeN)_IiA($j0OA+QImpc3w2hDIK|cJzsIZS$cS5VTeOuvu8{N(wbO#^Q zWH$7oM>j>{i}5kSpCR!Nd@MVwRK|+fJ6NaLeOHQ2-|1lNPlO^L7FXRJcsH^qB2x?0 z`D6G|fzk2brxs)xo_$C&5wYh}8rz?5Y)fRSam_mSg_e!Cz@N&rER2S7B|1iHZi=D& zUIspsQgHS0n(b^(4@bf&+lAOH-G`O(=XPMy!VI~1bc5{!P{`I|CH5t-H!DfQD{ZXBy%32CvdJO_S=1^Zfnq8PV7TodVim|l}(skPD7uL zh&$qy+ucAajW=Z!Yg$(CUL~x}4ozV>PA&S6eW86W6@!Py&QzNYKdN4=y!IxcGfXJp z$oRKAL!qi>GWSJ7VNaED(=eh2in5H6Nz(9<(J@wmdMGBx&n_o$ zG?2>bSK@mxw}oBMm4Q56H>ys;81D5>p~4S)|>Y? zE2N2D%y38UT3*he54zX^h;C*lCtHe6x6)&qMtV1lYGt8ILBR5_OC}Ol9>4e-H%;Dn zas8NW=ljPp9~V0*dBq5Bf#F#qnpXjr$7pOP)!F;d(WP{1pZDE$*p!diMJRXPWTvyV zIXLw zK5~>3R+*Qx)jvHWp+S}oPhIv7W5$Y9n;T5+(u@u}0>_R8Y&p=sbn{ukfmfsU$#@;taiw0 z&=j*n5R6O8S%t^@Gv=^`@Wk-WZ|j9=p$cDGE&>7F5 z99s-#d-o#0AoTXRs&9<3Mr3i=IjzIC>#M>i3ouiYY^*X&$G|-~L+ik)sq(VnYfp^s zH;#+0m&nCaAg3CGN1B4&CAXhtKl%=u;2hLSj2cpBXQY0(2)fn04uMH^pHyb;@JR)- zJF~`fjG~NggCq(L7KVwQ?QPTlpIq`!#4^`B7h~Hxsmis~0tJDF6*nySV6o>0%I$aN z*W8l5$Tv?W>(`nublo|@xsdY(3Y-7F2)dV+^D#do*xP9WVc5 z4?Lz)z67eN@46}5+D{2`a?L-in!5L8`F5H1r(Kd95Q--Mo3x zSvbP!22_vbLEfXg^6DUj*VHXVZVlNA?QFC=gB^FLt0`u{fbV#t3F}QO9730|1l4n}$X2utq*R zgWfNu&un`B^dpv$Qi>aWh1UX={N|0~% zVycm0oA8)S@sKgWK?l0u*3V%?yLwJ0r_IpdeOB1Ey08|%q!3Pm-@po*&a%76L;{p+ zoJ0hj3%sOyCRDN7*w4o2s;!}l!7qpOm`z%X?~~|ooz9U5{bBQ8*v>)S8r}>ch=;f0 zglKhN-=qhvkMT(z8>)QYmN6nfJvXBN(7q9PUmNjlClB=r; zi$ckfxL;m{pELXk3!NzAthmAT?`85<)4O4|fPpn>_>-1R8ZcH}wd5O(MLal|mSe8@ zkyn>6d9aj5+=x=9SYbH8VTt;btsCu|r>pB2-o1pP_F8*wj?6|6y%%YI43CA|VXvIy z@}|pcM}>DQ&Ad_9pZ>L4-)Tghv{MiMvH{!%Hkd-KJ7DEv4O-miu{4Dp4rgR%o!+88 z)>tY2fnMyqliVB$Z&=;Sb#@LOc97LsfzEEP`@|UXBpZvet`Pge2Kv<5bj((*++de60IpcjkPhCk0RhZZm+1YGvQKy;j$*)aaq^&w`t%Q1nLan9p^?Zr?uP7IP zWL}u2?R?!MYI4LcXe5`LTW8^W^0qddVr%BZ*wp9Mh7F!{s`gPFFy>srIMbImzq!vas>Ty;8D$7*ayXC;-- zv&Pjao5Q>-QgY=u8Nc5Fs%4*}WpZ+>%`IzNeHMkTO<0+9^IoG?z#ewSLt0WX-i~Q8 z@+1d3W)TAMTIhN#Hit^4< z4#J!7oEK5-FQKG|>$ z(@f#bmglL6hq!0Y)r9d~$NJJ$_U;P@@ND4SomUqg;*rb2%bPLgQqUbN_8u0sAZZ)N zoK|*&GV~~j9cEfP8D#O{EH8}$?B%ZB?4sX=eO~(|sk7+^i$$)^&cn?i;^tJWu17kW zQB`Peu<&y6u{w9MxItlVZFwiRn@ixZ>)1;RpB@h{xa)Wm{b}{@$%ad9967U5#9)x#c^NV5FTrP%EKia#*N3F{T$}AGs8+Y!h5%8F} zH46RiOlHS=KkreIbz=P%2Pt0NH?mooZGQ7`4G-+$RqS<8%d)BD=B>Y;(8bW`QLBIT(pud{6 z97^Vl+gR6KZB)3YS=6rfTqjbX za#M}I&mZYv1SK*1nTl^4XBN%!YU9{XQm|_tpO*Fq$#XN~M>QZ;#G6 z2O_NvR(flmM&U(#M7BQB2v?$BcL={~k#lChsG=t#&v1>Fg6S3znN!cBgk&}zWsJP$ z-x{fTuu11uUMWpG{=Eox5E$*|g=Fu!QIS{+03F9~)&JwB)%Jy<%@CBR&KY)2@Uw_f zZgOCiC>xrxzV0TDnqq3bYc$aO+O@{0RjY0s|Ek`&e;^r?z0n{o-M*A!t2}mVGC4o2 z&;hzr+|6CBgG!AjRBwEB5Yy>ofd&@$=-l;Vdi41&z}6c7t0|W8Sfogt5JDZNFXoON&){|K+>Wq4~QoNU&lCwKMK4~4^+jm z4tanw8japha?XIOxA?qTs`;{s)gFue{qZ!`X$$AgvEAsDFu-3wbE4{a$&RcpcVzaOc^sQA(_1MI zAU0M$V#f#`@=uGD$x__NS5z};n22}x31!k~!wXJQlv7p7Dh@>Ll#R}I=a=SfzS9AC zB)u5n?spmfA*<@DXsv-brs1fhUumiDeg22B+dn;j{J5#qC}^Cj;p4;zW1+AAjKoIi zTp@Pq^VgQE5%G^a)D2#6L=1KF_-h4*a+q6d4B|H8VdUonL@(;{ygQh3b5TsFp?G!3 zUYj?Wk}k49++n77nn8y1tE+t84$TPb+|`k-e~v(HG;er3)=)Krpz5JSUxkO-$kD5$ z@~tv2qPf1I0m9aPIg=lv&iK^HNykdg z>`Z(JzuR@m!Pd-G9y|1$??uQ)35-sPp{|Ww)V8=b_`Ht0fWyxyEFw?xYxJJW{Uqt* zTR#%emNcyU?L_SkD~FE2qrVIZhqV=3qdq@xp(qaz1_8wmGNFA|n&J|t=X^KMJ$Q20T1_ii_>x^2`7=BWp=X-WSCks!; zViuN%q~|rh(p1f%+hybB4Ya8kbRaK%s$n(!k$DcS(r9d=oMYgbCifHGVw#8Qd&qj& znZ_OM$a9hYD*9aKmlvZ?x7J6sZfW?;Km?f;TkO5$NHGJKVT0kf9qYod;!#e%ZK4mQ z@rB#b{LQpB(TAZoPB=H*! zp^T5;O{h$?G0j5!AoY{@M8aq|5hLFq;u(rWqjB^ZWjLJNNa*IC>ep21OA;c3Gb#&T zj=6ym8Ig_ZQyi};BP5#B`r-@ygK^W@Tms0tMd@9cL@G8a#dm);zD)(Z-NVV(arBLk z;B^|iz?7TZjFmpK1bZGH-SYEe&tLbxH}XS(Q%C5QL0zfFuZjx;(v9Ki)UU>kBQBbH0IPe(nfE+(3+5{XiysH-D>n_axRn}g14 z4IWiP!#vw)Q(w8!ozR__MN$&%OlUWKVoY$T18xv3H5#h_5EGqhjlU5h`VW1L|AMQg zE#us6!cBqEJ72Z7RNK99GO@%$_wyn-vF1G=G(YFa_+}4ZYTZxnNs*sc7D15GS2Ft7 z16D6Xu0pgofsvLs#SreUeT*SmOTG*FJQ{JYg`!KPnwlGO<{jU@JQ?7|*1~EMG+z)l zWDXZ9rdJ!gi@QuNNb-*aCWUcCn(%6+%xih<^`oX7GZ>9&DG`68qDjw>|RN8 zjF7|5k%+bP>VqW|FFx>FE4iA$5N!e{PrV$pQTaVoA_W8dd=>hP*_K^4+&5Ql-%>gS z-=qGFnZ4OCQ*Dh|`O>oYo$UyiwY^R#9s!63+)n+nRfU5})1oS@icu%vYBrKz)i~5# z8qZs0ug=yr9nqRL6sRAft#*feB&=D(kr0DLWHk8+{JQveU3jS32J1kWeH9<$u-aXm zVT&41&M$zmVguIcwf^|-kZ{E^O#(RF#{+{Mu~#3_o5`j*uf4Ms|F#^qY&wYVQ;GLD zCcU%rBH)ubO#Ah?2L73cO1-+k%ob2MPq@Kpif@&MqXLuoKEs#?oWb680iWzCUmEdY z{ZO}MZa}LCb%`6SrB0W>_m|QFFsZr5(EQr$psYc}!Em+5ZS^lqAB(+u7UEuGw#16G zodN@s+sr9-)su87Y}?~P9q|h7Eho*ho_Z6u_o|PuzAuLP6t^NzU0$77&Q8NfQ1_8! zyJurn4E51*cd*%7(0j{_-$LA7O*P}Q6O>~_%8fG?GDOaaN5R#>scDhpYW=N}Ej{jC zEZ(=%0!fafy(cw&rB`+a}ydcHflDO9cD4_@g3$esbj&Cvpd2R-3?7rwUp1_TP#bj6XajCC7NMrD}Z z_?oAOPb5b!Uf5aXuL8!`LpdYT;UkNTU=PCQ6g-?x*zQ_Bb3uR7Z*13QHNB2sC6utY z;6jjLn({ac)SQP6aoo(JXOB)|$cQ^chVp%hy848YNiJqNYRfhu)+NX14)i@%NCrflC|&rI7pr(vU^|;@loAech3kV_&~I z^YtX};01@js;5%@h4Oux&KB?Y7X)W2*O>03-H%qK+)E-~%MYihN&^lCSfe598GY*L ztriIQCzAvOd!a-;tcVhm=txrPqFzzxy4)1jfgPdt zC=BXj^r<|XWm!2_G;R8~<7BS{Hp^`GN^guzd1(c26syI?+qzx)4*^KR`QTW5y2^>4 zg@Ue)@FHYIZ{37Gq*0CWF)l=&yrenQ8q~QiXDXh zO-sV3$-!m{YZFK|^nm{f%u);Z00-(1|2w^6_jQxZZ09fVKn9 zS1w#3HbfCS(z2N1!kl`Rs7H!wudxeQ`B{$A^mu&o_q{9slrogXD_<6BP${mgKrmCP zn2}=#H6%F9SczJT{t$&Is2BJ2Pwb_{$oSi$TjM7*@-$;*gD9{UMY2=a2t8cd z*NS{$jlS91%Tq6O?(naQqMu2XAH>Xu_@r@~gFlH7S-fco9yy%gE|-4gzVtb8lS{sF zhAsT9F|&E;C7RU}Y~&h}i#WTmTjH!Tm-=wJ`e$gPIT_!oR(OKMhF>*wo>((O98b+hns2|{PP>={sG)Qey!rl%P#e7%hOv!W~S8ghi zmecmhTqXCe#2#%sVwu8wPFy|JIn&$S0{b2BAQTXTpJ5#Ay|!0C)BI5eQ`>9!%nThq zch{B&KI2QSMRD!}E%X)AdyEQchZ?(E7g#O|M3W;XTw#DSOz>Vp&WjEX{wBH~^pHWPX zPW|FITVm}C65RW z>Y~K0GpjpT!VzuJSuz>H=%lf|JtRc&H%01u0)I9pyK*B<(sSGry)tQv*_}b?pZmz8 zexPklS3p*7X+}Fv-D(vHTR@{9JP96HcA9i&n+2t}cJ37k2T-INk(P8kRH!EFp4)RF zZJ)tDZu4F3t2=LBo`6^3PQVEXkTUlq&u-V%;4>bVkMtTCxx5U6QX*3nPY8!g3ixlZ zFMM`lp%!M#>;VhMsb$I34hk;Rxofl9RP4VD9sjShlu^1Irv4ykclPzk71^x`d(3Z{ zudXK6Sj|o;HfMc~NmEk4H`#X+BUM4{(-w1naZYD-Y;sV>IVt1;h}d^T4MpwTS8LVh z;f!@^9pnNjy6`0SuOskGMl}a(Wvbnwe@2Fda;8yTRBGtmm}Th z83o&KIcq&MG8|4XHE!=*w{?oRfHo#y(<9BW~X6tnUAMA9Wa@`NNd!~Md8 zoGozuYw#SwE2YLh;AFW)Dd33-fC_DOP8_km5d1}QdzV=CgOkPO$A+VzS)-G3e-*2W zr%*yqHvP}tv3Hn!QRKyZ%(cwNv{`)E?I)uw9@jxolqffkZ6RW5(azbwPt{))jc}er zxs1@3`GpAZ)`H*;EG7hV)GCy2?j57MI&aya7i)^We-iOh#VVtm%ZS0hBH-ym?4j|2 z4`=1e6wK3K+WYrPBr4++7B&U@b$!veZLYvmo!%>g%_-@ifD89J=VMdudz1pOk*kI! z%-Rn{YIQa{f0ol13Y)C7$-%ToLZB*3YJo|$W%1%6lWi6-w}r2cBp~fW}rVRTOuiN+<(_9tQK2h~r z_;tP0x7K==^syZC$=KUOpnu*2q{0H)Ne`zW&^|cUtaa!r-OYZL|8QkupnVyiedxo; ztB-7S@^X26%KO7?-9W<3`9Dlaw8H{?ibSZ7cUFJMo3PjZA7`$ktrjPCF5P!>O##sU zpJ%szC&^Uhu`K%;I6RWL72P9j9;+4l3X@CjhCgbtH(@6EM_Gl1G9Smh2E!j~h453q zO17jscH@eW`%oWwjl{f zPI!E~;y^~V(n=ala1FKRHrh!n9BkNhK-WVYp8x!=9G)_I3ypFUKWYVSPe{><6AfFN zRQD?qhE~8@C*#Yit69+6#$Itl(kL%usngqvE{|S<9^*7gFopL?4?~n1j@P7|5&2PI z^rs;$eT~2H9`7jr_PyFHwk2Fs-FYy<24lk29 z9F_8z`*!-Gu?t4|86|IHqwWpk&+qrAm;Hx_Y4Pur4p#>)Zsn@nJ^Z=(sOt$L2qrnK zT4Q!UuB^lVDqb9A7Us^z#idlg7R`Ra?q#!!?lm|b36)q;?DH7eET7p&C6To%YMFVk z@@#Bn!!f^pxqzr3#5;5AeIcZqD`kZ*t#X=u>%yMht}+o5_aqRE#p6Vwo2-1c4pv=J z-eLyB zK~S#6-&b(d_@Usag_iljLjphqlu4f>A?1e0h7;;59_8<&U$5<=Ob!G;qf=Q_K$YAMe_?qS%`2CVByP;DJDFH*aur3zw+YeG5-2;~XFCqGWHE zP)4^#18mmPaJ7YBoQ`Ks&eZXmSJpr7CfAnYove3UbeNreqIKc>poo2I>6-6s`H`_-P2pR4fm;tmW~)2L*;&kAkNim z>Mg+Q(X)}5R@ZSEwL+sNVUWMZ7uC;@rbyRyvmY){|JXH>AqW+0wgN|MDV4QTao=2| zRJYK(5-VUR?^ZVYWyMJXuFC`M&Pdt|dC+JVDFcK~f!^{n@uOlv@l4h5-*6DxxUD8wT?gQn+SHj=%%UU| z;U1N_l%~+%>i^QT2VdH(a@YF2Iq=3c@L#f%e~gZ%(x(8o9-R0X z4>*|zWmEbdofXOf`K1p7PK{Vz`^bT?Utik@!uR-UJD+@k3bt&7uq8urfX$buYx!EG zd)s~zn`$YCa!YHc;6^JAjIC>suw(kVq%=GS+8U93JwXpw}xGKeB2n zaIGi98je^Cp*5D!f(1vPd=lBU{L|js&br@=k^9aanW~`9!0)e5hc~Z5{;k(v2Mu-< z+qSzro1eO_vHn_PkB6<+q-8>0vS|aV_JSWSr14?dOPXyXu*}mx9};wBx+SGD0%CH! zWt**`rdNnv+n92kqg+hT++gFsX;*GSVME1O%KOLXfcFhLwPNwwl+1MDx~}eyxEP() zqPePT`^b#BXxw6T9C;EcspNuhpT|KT<^+g_!QBOmGNX}wG(mtH1I zll^<+*_Cdq2{=~ykr}dh`Sz60inUvj_^#!#;YYNViu+UmE;DJT)d09u_zsurwx{_2 z23#If=@|h8ZFcb7HT+6us>1yQRa|*=3&|NKiCOyQ{=4Vck!JG`N5bOBUHfAo@`qi^ zHB@lpX7(9qc+Mf$@+5OZPoVyf)}`*-YO_T1aqzdz-3e_&r>zWEZYAYjK%-MX<|Ri; z#EcprN9$))1JaCa`d$sJXi`$Xq&vIxtELp9fwTBAt&T#h|$)f4$+sP@ocCRY+98HMXwQf{pwofc^)Trsq2g#IJEbYNs#?r{M~MV z*{cg|7^D;NPWs{kf5j00kvF+u6ff(HDcr~^E%CJ%tucP_ZS2QpJy-FV3+NLfx3Fyw zKc~pIe$x3Mo&AEOx55@`7!-3oo&ht5Lm)!+5l?xu%&)DuF8SHnkN$HuZ=b6pR+KnT zA^Iz)5Ncs`8zh;`qaOcSXzo4hu6i*03iH}!dfA58u<*bn`3H$LLM|_rTdk0L?{A9(`yz9wv>2$iyQ_f+ ziqYrS){c3Y78L*Ad%M2Yw&u+T-qjT`;e z4i^j@#ud*PPsSPr*|FuDBF8)&>4Gp`9_>7a4(jiEoXr5CUwZ2GkVW!=W0{3s-pjYOeu50Ox*ta$Hpi zh?5I=_wM~d(>mYdgpP;T{Tp#YGtWIq*MC>Hbt_R+YwQqP=q%MQbxgn6+V#9+M~o}g zTmds3RUjnZuIt6kD-hEp+%GSTgX48{^dv$T9z)Cf7gBV?CCFw+Ebc+Pp%dXxR{Nxa=^|Oj#S=+9{ zc~3oDS6;Rqb=rj^dbPtCun&`h_zOvgNZG1g_T*Yhq*b|a@Zs)zwCRfp7&LluR&i4! z59nRFKt*_exIcD*)T{0Mld8yXf8V=s8z?tG0;{6CU|8jUBT8gJTdgJHqgt{S(tzUD z_nmRQX5{a05qE7m{Nfm}F<8t7XBD3NJ z6kSOxXd`I9zJ20syP#3S51swhDRK(19|==yU6CWa=|u!5IBw2AZK!T~ezWMAQtR+S ziSz~d^BOqxu~@Na$ZOERrYB=`KwVDYD_(*>h+iVYfUdCTzkWP)zi zTv&Nx*P;~heO^lNuvh`e7%O49uR^0z{sFh`jtMzC(>b=)+37@#R&A_CO2E8+;bZU| zN>v>t1mC#KiRtFGK930j1u)tVfAN9(mlcSwt_52{=YJpO$yyp}9(>aM_*smxO#-W> z|3O-`DeptB$9)&ntz~0`9)JmAijwVKq%{^*El1BT&wQanI?2w9JL_@6eQPm3oiKp2 zP5|;tYrPJ>b|GG#q|D7#JLv08oMjduL+wqQ&K81#)M)a5_aL&BE)VBa1+gYfix>Sp z9i0VX&*cx-0Hdceza9MD^EC}#x*w%?zSA$)uEiqaLX22gX!{6_FeXN@?f7y}~LXt&_vG2$VK{cjk`K$_(fo7@*<-lW#2GbFa-&*jhnhahEes`xW)0 z&|!y+pFN;PJ|@&o4L8#=rA~>pLZU}v>Q%sQ9=yMZ~NKba;osl2lf&L^V-f~+HICB%$Q zidlSF@Xpo>*?m7$vIhm49u>YktJsj10(FHkBw{WZa&R&@Nh(_O5m1=BM*;c2SO_4qoCTJb~*j97{DyzhaoxlmQM>eM6QAcO_cspp#EP^Wm-vK z1i-`+4qB*W>WuDrzt~h6ko@cH--J^Nt7Wj_%5cDi-+ltJ$57YeKkmGJ(~-gAHKvTJ zJXFBX)jnp+qKVV5qS>s9eCTP1y>cG6&wI%G=O7zk(22-3eqHwai>uaBR+?UNf&ObE z@9o{i-ps~>!@O|2JE6IG=6&q){s9LmLt5+pnfRCL`mZUM9CuvH*3Hy>3~rp|`5M#6 z=??Ju46NPeOV}%Tjv!>^P&|YK^~CMjC9eB#Bm$xT)?r+>l}-UVM1#IzeQTX8Gipr2 z0?df>xu0F8p~(!l>64oFJUemmmJS5AlAO>YeYQ4LVd`8=s)M0_zaU{Ma);ys~azBC9vmnV>(<(25Wae*|!GepBVx81;{)U>6KZ$SaB7N`sh(iljw__zU6U=c9j>7 z`BsMR?E$!Nu0=^G(x@ZV6}zT4GMNV!lM4Q(KOQ+2X_bM{y-vOFy|YC2zp_`MWw25{ z2CN}L*L>5XI8 zLZ~ahrEWUDs;j?i6m3{%%CWn9;G1m zBB~LvcksViw%<{%`tFD`$ut%Fy^5t-gJoFB(3vEq?`yF9Ad<$)KyC2930Ja=uIWQs{Dh!PD8x(w1N{aR5C z+j;|oX!}XVoN~y40{et4)w{V89;L8REf}t(*{fkSsL@Ymen?PbpMTu%?74dlJ6F3d z9@np!J@%?KfrGE2altf^lTRo=7+k2sz%z_hr^Tcg&vC=iwERBBv>^f zykgl-88+|aD>SHN>6hka5O-2t_dLpw+DCLw)KVHd@Z;Yje5b4>e-;>h`IV=qb+Tj^ z^1?gE6Cx*niqgoS(kO=Hu#()OAc6`L>4$cOSSrkNY5ES*5Sxw+K@ zyXae)J62bU{A}lry#B;um;PX!$5^B~0-c&ji}~)%b1JW<`PO63p0Nq4Qhu2r`16@N zK5``MtlTn>lI#JcFV7ouuLzDwuAClrfP}4)6a_k*opzLORUg^rmeEAAklLZa^2aA? zaTEdt==D+6VrqNiVthIIqr9nd7@-592;6^l??^sTaMIapHkShV*K6SaL45!akOH*j zz}uA}0ivLw|JCrJ1o^)iKDKWEe>Z$YOV9*y*)rv@jYA;)g+4R#uoREKjWGXw>PWVt$XP_!C*v}AU^hX3Ef0zgjL8x9;KbDoQnO`$!4s~Y}l zb*1RMquK+%XJb}#EuGI&-urreYq2+j$wDjpE{KpGz6!0xruEp3c8edpf}y|i84yW2q*aFJ6MP}uiShgBaO!^ zBEE$}*Vrr?O$Wp|pe2@`nyUMT07A(8T}6QKT@g@uJ5#B3GHqUgAmRA>AKegB8f?~J zn+oOEl@W45*?g^(%evfE;}*j}Me_Wa+h z5O4pmLeQjtI{W&J`$Ljtjizl;G^{7d9KMEIY?hsNQJ)i4h#;~Ci>!%L&DdeoqRL%x)Z&Mth_p^iuSx1cG~x zZ-i9<1_T^F=PaqI&u2ADgI|P%{={dy-7w#W@YAcvhXH*cd|U85fAOm$$8z6xY;9(V z*}jSFG-E4IJA87>U?|Wy0>^1kI9t74cE=4Sg$`U0i-~bN-?z>frQ)IQ37tRe{UIX! zX(nk;f>z%;0ar=$%P`=v18CiS&6JyHu?MjPZm_VsFj8o-lUJj?Q-eiO?xELkz023# zE&(FOZ|N$37Y0oM7$mFQrBTO#D&WnSf<_ClnkA~u+*Q0t%s2*%=>&yD*}ns$76$t& zY|VY?JT{DX%M=NjJ-}$nIIW{i^?Q||Q(fC5MYBZuCuUU!^BSSgW3*f|9ZyaG z0#HUte}m|AN&`5TZmGy%_<`2AyGon%P~6jr=Z1pN95Kd_9O{DayoGxM&H_+lAz{xg zwPw@U8en)-V`JiS`(h%7tHhzwA9(oq^QLG0m+i|%q95tFq#FLMfd3oM908L}U{ zrZHWsABK7d)8nNtu~c*n)Tf=x+ABXCIoRC?kw!?Ib<=21ka`e4y>g0g+~+GH_Cz$y zm<+%j=*TuNE$><+d>LCpIow_<<)aOXAhUiCD7utt$1^4T00eUvfgJ%e48{ReQPtAr=jr&$Fe`fRoj`z&BOBNNGu30UkE3^HnOcNomFG#14Ig$Tn&#wa5!T4E zy-OFxHfcT(UT#jgT~O&J=(C*=h{p?{r6Olh^A1}ToABfFPl<0u5x!A)U58BY^`ehtC(cSf<(-i)lu%t zlsuBG?~$kSAYWX2dAYC#4-mx2qcr?t?CKjJ5gEFkTpiGvaqT));Bo3a-A{&vYl}yt z%BiI3^vu4iWlAemA#{t5eLH7Z`&wd7`JD>6&pVHTio8GaNO8Ug8+q4xZLsqat~Rwj z4}ysGM2C8t!*IJ~$_-sNL;HK4?}bMrkFUj6JY*W1Te&UJz`Ygj=iBD82g1D#r1gdP z^S~tv4saPx@syO1w)bG4w$E^Xs*d;Q@ROc_DzDMcRTsVPIjB`tg@lPNw;cwIdO)FH zeb_SP{Ts`asyhjHI)+xhb$CWc%Kja?ka|+!zUGr8pk|~|YhDWvD{;>~`!aQ;8E(=C z*vPpy%2~49Ut=p+e$R(H9On6j*fBTsB9%tAS61-lP-FqK-eA96$3+a#QT}FMq@E&q za;nO3k)*-%FV`{L?jNT4G1o&E3Qqi#T9Vo_eeX9@rNO(QnfIrSv-Ci)1=O5>t{PFR z?4C!}Q}tgkKO)e)Lksh$um_VE?&myqSKO%GLN;W7Zp3IP?`9sYe#yJBTaJ0-8VneU zX{YEfQFBCy+e6q|=@$-?eV+ zJJ*;tZRz;$^U44np*r&(XJ?O;eZoan&IkOhWs~j)T-PL!bUpP*^(pbH+}K~;{PI&cOl2R`}gfml5P@w=cbQMJ$`pP3*lV`WxwxS`(Fg z(zp~)k$qV;bLb}MHs7O>W!6K>?mCD~NLjwZ17_Dyi4VVc(H4o$sPg>!_R6K$pyC^N z&tgk*h*En#?``AkO3C5`+hOR9+|8k~V8qaZ?UIT9U7!*Cf64aV_xQ=~A3vLUQ+UNo zjkYH}Y4FOz6O6E9KPCM6e>TZ0HGQ-I8Xs9sN7b`_-K(-|NuomVsbr>#yRiHb&Pp89 zUtOp8TBLfYs@F*;Zf4faaSJd<#$IIsk0nM_t9)v2a# zQa`UKx7O$MS#1vxd+xTP`-dXcPiu9~d0q0W$yXzBG0XP2jeq#h(8BRV5lATUbBq%mBu{o zshmRfuW{-2NHhD*60LH_R>x(R(MRmtgYC7WPpTWfl?*NVgvA7q&yE)TKg_*VR2yu! zHCiYXsNgMaaVw=*4T`%{ptwtM3m!Z;#R*cRXtClFB)Ge~CAgE|5*+@#-`;18_x<+2 z_dXZr;@mJs#vnIY&w8G@=9+7+g|nK2aTIzzU}g-XTtd~9XR)nk@nSZv2TRS;JpcIJ z&3MV4IVW^-?tGI&3&CQq1TqzEJ$d3uMafk1-wz=F$CKSUMbo+zE!GOx_Q7c^@XmER zGSz{{!j{}dB=#gZ>HZ014NHmg$q(_1Qmw6Z)dQ$`83#nBe3M(zwlr7T`0Z3}!Q3D% z@&OwKH(BDX-WifZE4~nj%@qX*y;^PeF)t#!Lxa4M%jtJE*+{Npfn;-WU+{9UkoR_P zM{(K>NU@2M8mUvMnoU)mnG&Pv_E(7t>e#GwAU6S1KNKFl_D2{~Z8^U3qD|Q`*7qVj zMT_Jl!NX*IwaSrJ+8K?_p&{oIM$jntV)TT8r}^n-`5P{$DaR1VBQ7MeBi&;V1VT+0 zY(&SQuWTIouU}JD4Fb36MGOO5e>@|H=O*f--9cO}Q)WMoHQ#J-Ksi7=;d>d)#~V=8 zZl&bG`$ey=0hWRq-KNMNHN;L$9WOF92X!Ee&YaKe+CSQ`35b90HE;Y5&tmK#cNt24 z2&X--m1@|cJuh~^O@P+kNg9m^plm$%>v|fSi0t+xB$^vctl>Tx5?$POfLq@g`^Foh z|1G5&Ffdt=91~0kj?R%LL+gek{cu<^a%L&x-)J{<)IJ&?a{)o-mQE|EmyXyEiDQVa8ZvB$>Y{ zjgxndJas_7*ILgEg}?f8?OOSn#|b0@8tn%CXz%t8FOnW}<@=P=0|NgH2N1!UQjV49+GI+`3xjq%sF82ENe&Hy4_zdmI*B15m=zThzMAL3okWz&S6ev z&>4MCM*yPHJ(p%l@7sNa!%%ZL-1Mwh%l1C}Kho;Ir$JlygCF>0G}lwfG@!^x02x!X zD|_AtzNy@QYn;!pV|JBrSG>C^@BZ<+oW#SQ(z^G>_6o1awINzBW3dgIT;;ndj#mHCQ&=eqbFD-Rba}I z5ZRE2<26{Fs5^>J0WWXmNf-;swOAT8+ zbhiusB7}8Xyv1S;ytTe8l~@~GA~euObr(G_rn@`ips!6Oh&<;MQV{qoa7}d=vsytXIYvI=R{G~pvZF|GwS?L!J+m1CzrBI>I zkXtx8hb=P9i|l^~Ugc6Thu#;Jp)U3UoQ&Y?p=;W|1xv)RlrYHyYmX=1Zb4PyLgXp# z6UQKi@<{md8%yK;TfIb&-XKar;+*>Qr){qVV|mSRc&=XWR(~)?f+m&1|5L-0{ht~h z0KU~I->22DptZ3`bT7aL-y`J{q}7JxF@w7%J;fiPXhHO9vz@(DI_ZmkD{(OO18Ieh z#hzregh!Sj8JIQ%pV>XZbj}!*))M%>75dLM%^F&6ee4%fQ_QBL-r0DS=XJJ-wmuQpORdQ@QvYdd8M8;T0I($I z0+hlJp-;sdfykMfXXIa=F*MebmOXapS$yu;LB5!O+m?M-E^svlw)|4pCl5caH?=#U zTiL7IO4s1tGb-ZM=DXb@0W5j^d_XN;cWF!J={NqDyOyw9}0-Fei-bYbR1owN3U!0bo8Ko z?TNOToL;Bv)`b-yf4}g^If!Z8B|){l=?-xZBc}e86%M`~Qj* zMGPPNJwGGc7izMwZm_(i-=FtStdaP8j9YDpe6t~cX{1<2(9M!Ej11{0;`JvFl&_Ar*Jbi~YF+@P0IMpNo|Me5ip>c{qUF0SgtTwR^Tk zH0wv2TFnfIAr0~RDNo%pHa)1<1sz2QP@);GI@1pLl~2AJ*7!xqZp=W}UWw?4y$ooY zLboy(VbT~t(CqFxZ=5lTFF?BLVm;Gxx5!y4B(po=PL||jev}n1$K8cicpo&A6+L%ls{NXjyUB5O+m=@G08D8j3kji)&W;i`KE$ ze5e&nE$jJjx~|t~U6;qdbX_Z31YK8I0V5KEYgRnCTqkI}cvcdemd>B@;UZ2^=oF<8 z;a*Z^@JrIa>`9kJmv*zA6(IUM23bQ+z`^1{Q z%)<*(l>NxsX-A`w_J@EA7B#L%vq%Izll7y!(~xgcDV_!^3me35>V{+>< z4QGn;CzDuo*seaVaC5_9dpHc6Om|eltp^T6KPgerW-4qx_V5>qi-tItwh{tHE*rf)e}2+FRn4!c@J$z z6mc&`G;;cQw{`7}53o}&R?VZQ5@QY-meo*Dqpm{K&piHIfwKas8pe3A&Y`V+fL?gu zx!smRRmxsve#utRm;V>3_S7%_jQlsXL3#Cpw~tTIr_E@<-=c-C%w|RY)sN4bA1Ovh zEGC7))gm_iLtpM{@HbmXKw@Cp%G&p{#4;?!&}wg3=z?bUmYk9pG4Y4ZvW@5ft@P*3 zvqX-l+gLFnn`w=auf+nDGhj~9#>=rea_`iolQYPjeblg067Lk8tyoFRMQ z!{~6a@z0(q=8^gs6b4wQRQ`1}7^J+ocAKW)q!HfE?-O7F>qpjsK!b-gW4{7^t&sOR zN&oq@$h*P2-VJ`;Nw*vN9jgDA<~;KCG!t}WCHYrsDm6sIxwsD9mAj(juiNak{qbPE zf%^WUXAf;RDd&0Kp!jxme${WVJJ@j{Z1xTG5M>FR&?8z*U}HaC7^j<^iq8eEEfk_( z_GZt6DU^OweRrWtlfZd?%2C1;@XzyaHFFNxtNrmT@P4%-^zB%(cU(WUpL*gmHf^^! z&)(n#LYLqM_$M4Q04s82w*6ecQGot|2f%phb|W{j28jIf%e2PomjjTAXjYI~?(~K~`#q{_n`+AJ5)@esE#LN|>>8 z9ln~Ic1aAl7&!a4=1UR}rV186m58V9GinhQo@bl>6m*+1qP+}E1x&eZj0iyYT0pPH zIF66wfK)q}+IEF&g}!Fs>Nq8$XXam?@_mibOkMi>Q?){z#o!F|MBbeCEI0ip-nFE? zXXplk6QWjMeGhfa)r%hnn0P!--&fn+OPEbwN#cj#NWB zFO9at@pqg^W?EkEg2qD0!BbJ*x}#^1&FRFeP5No?eDLdU7F%Evy54^Ew`FGoSn-x)lu$$ zp4;F}v~TM^n(T7IiSw2C2nDN@_K;|0c^PWA(O}fo4=oIF;Q!%rdlk7?F>X+CckFV< z!EPbMbC9<;pK+Iy)`aRgo1F^}&w*B#=r(1sv5ha9l5>s^YlKV%N?>7OVq*CD3JcTF5EA0z{@*{ghW&WpGkR&R9)Fux z(%cf!gORMrBT1+uP9}p3Np`NG+%)&e14pyf z72tMngmuXsMQQlWJH)qj11C-}V7h?1rq^QrQ6ZDnhl-vcNU3+V7GmA)7$L>^I7E0& zH$9agYI8eh?oTiHAkG-!Dmz7etk`hMK~9mNh&mdrmEGwV0(|2Jw>wN}_2cwRj)b`I za=^|2-+In-9nO>zc~i@9-Ne2T9CL{L&d*10BCB&*0-eKd&zGLH>zatwMuvK*ndZ`t zrsd`^_=zW4EmVAp*fIa5&qWe*0HaaX8!1h*iPRTBZyMuDh9MC+TX1$IynmtC9J^+}lnYArtlfKRu|_Ku~xc)E_=Xuk1A zl;s_>pLg!_#18-fnl?zk4*!9TlpJN`Ll#%=olcB6Gc-a0FirIrb-4o?&B@=sFTjy5 z2F=!Zix2%>$9xIZ|1-!CyMG%p10bl z%&Mm`71}Xk>H*S{2p(-+I*mGurlf9NCsJOT>i{pALXvx)wDa~@1mgtpS~;cOxnnR= z#Q6-Hrr`iJ`|-DA*H!L#z;`^sz!Hq9?MJ^Uhu0`_a~Ltoa5T&Pd~s;*o+&FUTRCkG zLi`?PROr|>yo%X*QLnej_0~n_`FIzdNt&D#{N1MoZBuitvQ%feAW1t!o=!0=x#9Z;|XE}L!2Q2PH_7^z~SmMR>cpOAAJFPpF%F!q9%5z_Jl~P#R zkUdYF{aG+!GiZReDoy&pg?ILIkd=k4tYYruN%4aMt8l_+cHi;L+I$>klj%=*x_>ut zzA*S832(SqmD@e+06(yNKLmqXTU!z!K&VhDWj9U{RXOZ_=XJToeRg}2 znSN85v9_B{iK-mz9(#_}nE5u~<_TevfG4!+Y#Qz|G4uttm7|w;SC8I!b9~%Ych4JzhBOV5@HXq`2YM)3lw9v=)=s+XP6V^XU6=e$*W(%B#^h1a&eYC+h!8{WF{%&jM} zQ{!PZZUlH9zW#e;{+l;f{S6i-hMj4>_V<#1gk4=1tG7$~>sJPh18NFv?p`9ggAg1Z zi5%_x$ilT}kc=Gs$T*(WnK>7mSOl@e&m1Yw$qf<8xx{BzGhRz?W`tw(uFR>oRC35I z*`Okz$3Pw_UFNwsAH?XR9_C|u{@G2hgo?h{lc1o@tbtIk^32PMybnu0ChGJ;J6>8{ zHJNd1?V2;~J7Sd3K2*BcptpQGwD|3j}-ft&;5(*aev0g&lPJ`?oGq( zYJwjCX-pC&@APwb+=5{-aWVT|Du9UjZR(6m*r2OhxY>RtCO_8fI| ziqNe-u^c{)k5`n^uFN6HiLuFMGSWCmT(=1C#3ZBV@6&yMRxw6=L_Yd~%dfOEi%BQ?9T=aV9r&&Ln_vOf^2` zFv#c4Oy7jC`|M`>498Q?O;W^<$5X~9z0T-W@~Wh-taW3H&Q%BuS4l}8H`ZItc(8TZ z$*D(*C|??Rwfpc*!*O1$;Ccol0YY{b1=Kq4bG~~+_aubu>)P>%@|_Y82>YI~i$`Ff zfsA3_QnoNKK31f>WWwhKJ5PH06LJO;js6wY!IUo}i*6@u4W|_YHZR6U5q7FZm{5jZ zdxk~ERl{EqdI@;SdbY@EX)!qLSawSXIY^2eD+xc_hGFlRJB>+V@sr)Mzalyur<`MZ zC0-*gULYs_iguaSlvUa-ev0TYmSv#iu{duN`j5hA7I{L(ebWtuaZ=s@$for^9S0Y(fdV5m!lcUQi- z?Mo|ObS{_els`@Q2hP5M6FoTJdTaO|4@YHGxi>Cr8&2ddM+4xdRg%7Coh#!y>s3-t zsjuqdy4E`HDL5bjuZ!JQbSN87YNX}jt7hN4iyUCuiaQr?|IMw$OK^Fk}N#2BBmUo#xDhkh*c*AffFj#j4*IW>RKjKNQ5DOw!$Uk%*@eo_USoRj!9B zDH>W+Z5@s#d39d}%aVSDt$O(l#GY6LpS(RT;dDq9tKKMbj*S^p_#^E@t# zU7L*aDUopE*}tCQk2)Dm{`lc2*#@R@u z9;bJkn3~cFQ$k-o^AFq#as4Wk;`@;HjF>o%^_h2U`3bRbuQ68R`0+;;mNM}$7()uD zYiZ=YIdN1UmwPvB3Xh#1{o;^*`KZ}&1~}MElUikzE|v<jn}6V=|4Uu;g8o}rhS#4B4XwMZcP6`sp(ZiB8Nf#c z0lM1IR#gr@F&W4x;{|Fa5+o#-eVnFNP4y}9b8_oVD3A3iWp=sU4pT%ghMNmF?_y7Q zqMFhAn@dqYoQ&`tc7k)hL5h7U4o5KpGn8f^>Ly=aFYHQd=F+-^BD>rq<4SGorNo_D zqI_xSou*aPjY?uWr)*9~EM3dHsRJZL;hu-P9tV@^n`V&d{=7Sv&Gxs3<;MH(QWDVj zLTxnQ8_qbNTQ%i98BtVRhgz_6~4ruO#@ygp5*EFFVYWn4Gio;24* z0J_PVSS`sQ^k)KKiGHIKB>69%{5NIre}L$V8X8}zSgwbi4RsP~)1_+u)gub;6GPUP zFoi#*GeOeSzL{1&DJqs%_XlDTaTvlQd^?32|g7 z=ms(owbBd`F`rcBNx#>u5flhPbJDpbb9@gCsU?8Jv{>-1((}-!nEL;FD^u%Q0@C`?uiwV!7blO}Su33DcbF+LG$-D7i8b zMoNyNkZ;{2(e_FeCD_V}Aj}}Z^wfxQa8i`blh0Q)horELOz4eD#%-z?QMpagNQ*Q@ zq9Q^i7_d{Wm=an46-RE&y-x_N<+X0u^*EeuWs#H0hY<{N6+Ky6iB|R=5dNu#JzY(+b#F%6y<|XP_b0PpBU5tG0<= z9RDcX{*bwhbnL9W$L6ZalFMh&i=|AMS8JV1TD*$CCRAirPC*g7jlHk=6;J;ig%Htt zgCk4eE%p;Ro8#g+D4|KCGU3@vErQSd;^Pw~Bm%jwpZ`%^1f2`)mNx7=C>`?BIT}13 zE?{INJk%!MTW0wmh!SDp&g0DYaaNX3q!2Xw7CmICr}9!|=pq zUupM;_3n+}D~fC?iLJeB^A;~9gL;PLGf}L@HdWjT1Z_Eu(2~CU<#WEZ$%*n$wTyJc zjLYBi)O-ik)q+mTLwvWmNL*y!;JWAux5|lj*4Z-WPV>@F)dTkeLtNe6e#cv=g&1j6 z*vFXCVgvfJjO4I0*#+39v}pkVTYYltfVb{Eb?ymas!&FnCAPr*DrObo_7vMo?8|-p z-hM07l8VX_HQUl^t4PC$f*sVvfw9eGnXyfGqZdmT7u#FrO6JNgk)^jzpt3-EL1u zwl)T-aXlArT-+lT@hH~ei0A|h(=2y^^^#uwvy>=*iE%glEWMLx`&VFgzDJ-zs&sl> zG`Hwov}{z|P%9cxYHop#Si2kz`#ua2WjxkXm>m&2nUnD(MJXAydoQ&JNud!RSG6Fj zujT42_ZydK`0eqCyWo9<6Laz!*h%nuL(W^%>Z{Ax#`GJ5-I*(%7m3?}tI4_oGEZXJ z*uR2we_s`pl1#SGP4_vax9d7Qj4A4HNT7(*0}vyKErw@a7Al~bm};sWNCt4uTqctP zF)p;H5{yEVHS9fgFD?@~5dF=&mI75hABHm7VBcjZ5l-{xBZ8s36$`JW$mRn(KELc& zd*ZkA$!yj%QQxZL5rGm)%hg{Algfo?qQjBge{qvb0n6|?`y_swnIPz7NS~wp&MM}(*3)wGL@bLdL{WJ9aDpdqH@X^nF{B55F9Vi=+(`^WNb(C z!lu)^JQ|P9=~3&iYhfqD6-z$1UGhA8jZbXOz3+i%ib7r^rOk(48VA$ac>>okxEv!k zSGV2hGh9{{%q6d*pxcYv^XXh24fsK{*xE-8eSLg=m)vmGTB;;`ke{s*RJi}>r_Yu^y32)7sSrHSDTQR#ef zJ-11VPh6)mK9=Mr8`HMe#uLZZCMLr~axyiWVHoHD{)GcSir_ zwvzomSyAV-4|-uxQ5I`lI05afX>+(-=cycaxXdFckxS}j2Qu$&T_woWMw>oo|LIcu zGJ(HVlZqIH_cYDdnG;+;xx#;+16-vb)8uuZGiBzh5CN40wDxD*STEREM=%DVPi$i8 zG~@m5Ow#G>ABzRn9Rm+USTah+C7_fTjTW)gdb)*^`d`l8|}e2e@A_;R0}Wm+=4{rsW!u_z1vm@e@4acj>I^~9f5o)wU)`hwBXRLj|v<8>TQoROE+7OSpH}X*T$}Jk~ zJ$@GKws$Nn6WU@-*jUXBgaz7dwvsN^DLS>Ig4Z5_k*{xqEO(MJ~$_^Jaz#HnLC;tYJ!b>#z6E8Lv|@ms8wIu+x9_C9nU_mImx%P7Uh0WFplp z*P0ALYyumJwV5uraysyZbLv{GioNf}z~v_#Egxa$V-0q2V4~j3xvDY!${E4SaS7ei z`qyd#$iVEqL~5ye9`l<6I=-i!LjArCb~WD>g*Fh4Hf5kj8*jQF?OTN*53)ZT8+HyQ zFhH8FuaKzA9%`*J!J;|lt<;IP7MGg?GZ{X%2hB(IF@ZJH^~gDgywvfx-|%H(mcY@2wxdX^yOfwQF;$yd1jETovg1*WsTy7;4X{Y+tkaJ+v< zeV^$u-E1t^gqsKYq|5Q=R(NziiR$I;{K8gCXvyzae~8DS>&N>&%oq=%)-4~1)8nDj&v8Ot_y?kxl;-+4;=A&lV z(rNGz+3aHgJ~0jU(8f6fkt5FCHMDV57x?Gm*|!EBZ9y{HPhvSxU9gpxXSqF4@moRs zyV}#&x>ich(!Yh%k#%(SCn)$979$PeLKtkRCpUHDdF*XU47^vrziE*DTw};p>(~{eSpLPpAKI1f4I~_S2$3Lqz3xma|cfRN;U>W0w

Oo zX`6*`8g zokH9Lzo3T?>2N781LqY5k#b;-ssqx!uM+{ z&lc?Iqy4WWugkdaZLW{wz`7~x!waa(vJ&WKGL*01R7OIF48v|U@W|!vKFtu_Q>gI9 zp|By-1L`@mWfBt}5?$jlNOSR5k@gKLV;Hc=1n|uG=pwVse z>oG%)zoXmM7BW98%tb7kZxI23*u=12BBL}fx_d*Ro=b`FRK~|=ojgVvrv+kq$I+9D zdU(j)L@K#62Yh5zZY=O>h62iXe1NnrspxViMyQy`<$5{bO8^r1E#d^%38rwXe>@LC zSCLyCTwA^Pg>u`K9JXVjoqz`KWhoNspR_jL>8p$I_$gx8u3#!+wkewpfvsKcf&8)J56QVU@eN5#H-c2WP3z zskCncij8mwlRiugUoX|6#^pGsj3^y5lX%j+1Ok`$X?ex-*X3CeUCB*AA ztQ#RGD#J@4+I9ny>-F!%J!SJ*Yi`_6ATjR=Ts2b~DFz;X21EDi>8^`AK>n6rdH|4KA?}E*Oww(w`F`}5RTu5 zE))4%I_kzV{|ns4Tf~41lJizigR3{D%;z{B4sOOr2JhBY4y6h%05jZI7+tov5;;*8BVr-3Z^DYV_+zjw*v zMu6iTtL{G0VXc|uMmFm~B8GS?{C-pn5DvIon1i=jg(Xuarr(`ryDnAFRhrd*rM$)GegJ-s91dyQ60%#Jvy`z69oU9Q zwSdT5YTu-{g`D3APK=Mde(mx4>%$wS(yrIFFAA=J*_m+x`f0dWnEGj>f&bpQmZbAt zf+zXA5aa*(&1euN)CpmblFq?K9T}$N@IHo5#!$&UzGh~Xm^MyXd#xe_M`Q!8axYxw zI0Ou&JSdD?rrW$jZ=%02!YPc?mcDs4RIuq#tnnM%e3;@HuAg41seS|do|fgl>gb?9 zFKRsSPP_4ixMxKX$srs|fr);J9}lGhUVh9S54rjlis-yD*9pF{2H3=r=6S28vEPPs z_I*H1NbX8VCL+z5DKGQbg8(IbPxI21kz9&T7hnJSYP8W*QsfH%<+r2B2BDI$9iD2VY-i$ zyUlVKbjJL>VPuv96{2!|-)j88(b(8{F1e~ll?BhGx1v&sgvt(-(-8`7 z4yIW%n&u`1lKS*Xe@{t>5{^h}DX)48`5GtOOl~R^c{%YSo@sVgMg{OO#4|U;2W22Gqc29Jjgw2uRL*>TVss(2r(xD!vj;Se-~N_EOU<4Pjj3+iQ-X7?wob zdR77;IC}9zFJ8n>6GQS{D0#X1Kb6f4zM25+qqkspnVPAq2W&a*U$op+p>es6J{)>B z?0NUg54D_D!;>}yg>~D1b1l6xNRw1q_1IFxuG);lKfjPD(<%bK0a zz`jg6&)D)5(~Kh6r?WNe z?vjn!j$p;sk!NYfVqRTh)0QC%v%s$50RKv8y$!V|LII6m=Ix zvcUd(*B2MJ6a2v2oDRc|4qvjBz9j@FNJ#uLhZ7a9vwAHY-*ah{4z0A*VsctJ)4< zHS>S!`9yiy+s@O`JCGl~L8FsyA)>P*akngrY(d57b_Xc%V|~(OV!F+5YdlcYB~-lP z1j8i5#sWZ*XmELYYbj9A&6+!+OxN(5o*+zcJ#LG3HLZo~YVx&ZiibD#-uRyzr_$5D zLOi0w2knJ#!e6jexGs5);0vr05+aGM7?IIZ2m>xxxS$eFc3Td(IZCMw=92c-~il9Q8vq(wlWPx!%(){Bf@ z0w62Dn8` zYGP;aqqB1w=yNR@34b|79c(&%V>~zhk+y)~xgX@V7HPb|s)&e)Hx2W;_esA(CTq(3 zAEcZauJfg7hcjclve8-z-_+|ht|hr`MIEKrDP-ESdMdj)-D}%Bn>zMPS~U7?8f*6ap3gQB6#jy|j+R&! zl&R0M+cqOaNwxQw)9A6+ize6I z9|IgNC!S@^KLn2E2TF&*9oKudpJF6`IZiYYz;Z%;=ySJdQUrm8NO}jenI;s(iM_7f z(MrbstI@J=!$G-Sun*A!NuwaSU32d3`EN1Zou{0uYX=T%HiO$^H1Io16(&WDOGpWD zZ>)oB(Z)%~DGg{g~Sadd;l#hc|1jJH^hHZy%aMUwe1F21a!;QNy1ucZMX*2{;p_dpg20w8Ild7r zqviI8HQ!hh<5Gc>IUINZ5|-SfKS50p2-P~V4sw*=c;&2hgU0c&4EnW^#o?d(uEl{` zmV+Lj9fpgwx@%B9cb7O>)6ZAsZ*)^TV6z6EbB7~>p9G^1rp!6{Hd38F=MFoz-MEKv zxj*YIB8OoFQ=%mfxV+BGDp9^YNXOm#H03Q_pVpqj0#w`6-4e3G^A{?kjsQ|0pVLP% z$umxvD33e;%YA))9G}Dx3E4ram%R4Bj}Dem4ZBw4h8#Wp*LKa8K2euV-N4ruhaFME z1J}V{-pGV$NyjPhY_7+lP2qsvhl?wBcN;xQ?1d}`&;MX)8}C)G*u_c4ZPf}1x!;3a zIfhdOhi>I}Cv#c${ivYGbWbf0w)>&grJ)QTiXGI{><1ss56T^`+mmz9C3kZj^V_q% z70-Pa0%_K+}o^CxTKzTrA(eGJbS0+(T{Z9^!kWe#*@NLh; z{)Y(`K$=46{v~{TdXwa^-Wh3z-m9UMrb5+l@9i~1f$WAaUk(Oo=&R+~$~`N7iq-g7 zH*SgCL0K}?q95PB}`k`U($vZiomaVRb_=gT3E z`<=bw8=UJ?`sS<<(W*+v(Kmi$pkeEF{XE(cbLFf z3S%KSBs`&ccN_CKa0;!ngROX>u7Pug)NK=8u~hY0C)^nxqzT%IyE~W_su`!2ig&m5 zS4Mk%ExX%vSE%ibTg1uj08WqFcH;%oQSm1Fnzf&%h!FFVrkMZq@Ik{d;_i(2u#gzC zA?+(05`9psRO{e4{>df)IPJ1tpJnNz37`Hoo#(1Zc*v{Ct};NEtoz8h0^RGQTn}at z*IMh=t}371q~!$AX2qNOH;$rds)2s14P1A_#g!iqUlD%gw8vbC!E#ifqw{4G6>r22 zdIIR4zvS{h{yc#5%I+!^8#O;*r%ALKZ)_%kss4zV+Hu*a@2Vjz_tOxIc&>G)m#)(g z(B-f#SQ9O>VP*QENtz8?e$(gLLch>{BSCc;RY{r2N_-x5bf8OSdyXqwI%h-8$k^pF z9NOa_ab{g2=rRlZa=qI@F#l49{Q&>I`Nv}R`GRRchF7Cx#?q`yp5E>i-+>;T{I2o& z(i$$XxzvEEZMV%YK;*&hN$7{lYkt1fi#VGt`I)k@gD_R!rAO*1wSGxc?JVimV16QX^9gEo7@wX>zbK$$*9N@?@4rjrO3aM6DYA!_P>zF2Cb_QH%q^?dW!*`xtYn3oO`2V^NN#<0Au7|_t?769VB?aexd|vHI1BQ!Q-^^jK8IO=^kFzFuh4Tj%dcAGSRVX0qv5Kb8TBn2`*Tu=;j&I z&Fs|6abSe9iNYe&?7!c4tuIuJE4v=p4^{VZ9nKJVlfR4jc(v{uEbNx9g8Ye}#yf|X zm$r}V*X*B_dkHE$c(6*FU8|(Pd%`MJIHk#d-n_}>Iv0B`1Mn=(Ja=yN{9SOcv)N45 z=KWtVp@gWR!uR;+3CpxD@LnfqZpjeSveNnB6Lx2g-0tBN0jEC;z=_DQ{am8M{E;m% z0A2$gK4S6WsVXjh`syR`{D6^{yA_PoL`e7%p;_2yr5x(yn#SPw=71MugwqJmZPMVq zUHbJRjEDoTKk9%F+FVtw+(NqKV3{&vaA8E-;(BszX%eu3b0AgMp-Ys;`ZRqBcDt(`3;=`~m}gw^ zyxCWMg;-@DqmmF(Rta`-&u1r}Ji6{Qh*k6v_*MdW5jBR-qj1W6zZ++#YJFI}9qw^F z;((?a0J8ZcMFSsDDvEcP0nWuf&O9+u(~>k+oL>Kr7l467cuTEYD9WyS~F;xGvmbBq9nDWepq6yVuWjk!@y=h zFiCRkS%+X)w`CmYSWzz$l9QjqzGp3;nk^{ViuC7zjbuKpcue~qhd_?KrJ_Y3RN4Y4 z(dxudi-7wpZ4iQodwb;C_Xj1l=bp{zJqc`3P=CMi1+N|!YepO6~4w3e3G$n*6W(6yt zoA!xJsrFfV_H7b0OQr#V8a~>pKKgpV=8a48Ue`-a3Wc8fPsfz6+-vue?72i6*O+>L zbS5!~;D4!nZw1G(Yk76n9_&d@U;h%%xP|szDzyxIg7101lh|&0ie1R?f=f>tK#WlJ zjsL|l8U|_N;qw2y#pfBkbM2Z^5)g`H<&(jMtqQ^Gx6PNl&w`$>eWwc|AjNt5dXr8A za^FxEOy56iacyZ5h}9dM$aes#nON{>pq#I#u1C7eY{L4F9>j?fe-BoOQEku5@X17y zU-XKhCVg>q)2Km&U4WC4`?ahI5P^`_Z)q*NfMhgY1T`R3XXYYM~9CBf-b_+sJj-d$$&^!oI>z&$y1$Y#J;S>Q!bkHp<-W84TY z{ECJ*d7XOsn!7iMA4jqe{yNF|!DZ}iM3xlsQ&3D`p0qV&3)=TWXF1t6D8$K~oo)%P z`J_+lF2HRcnbj^TC2sQhv!oo~-u%h@M@@~%3b*MFYjGRyFBq0JuJb?*@l4$jiHMuq zL<2(59?3=Mjfmx248@C!TwFKnl7@6jSJ@7_f<5h;y7toa&SB(ZeDq_xFx5Ct9>Mj3 zJl#Nf$(4ERv7KowCD2%w(X~S-F8SpGZcQMF0Q1PMVXr#XV*pK?x|~RVTkyQUjf}aI z&bfO?^it^hP^{(;z!laf5%4n;{X=)_Q*ljlx+?dav%s{KV0|UqXFe%E@bN_`ls^7=9a}txGf>)smv&jb8=!OMN&YSdBw9i!g}* zaM~Hlx~$#;i8yaLM=vKKdzqQGH1T3EQwIJBhFJSp{jvm`%f)0;*e% zV})-`^vmFukyM&nEPY+mXOr?F$w|-0eXd^Vl}ybivR;^rN=#`c90ZhBpUl6yc4+mA zi!R*@Tr4w&ct&cmWR&TKCyreRY%SA++Xq4nRU+ zto!VF$2}4hv*bg``Iy706j{Nav)VNU3tXzpKPUMp@cz2(k6US60=}6cTRSzq)cs9m z8GmUxaOe@Pi`L! z@cP)Vld(CbYgUxh!?qorG_3?L6({4$6{v_M&U(SW!moR^#=Q_%chzsKtkL@L9QGit z0=fG;ui@|1Ku+qZeETSFl~g9U>fv6cf?g>Y7}l-k_)NQ{d#=Y}r(DQ3Gsg6JI;&qa zTS7g}9p1J$PieR?jaFW{!E&Vm*X&3@y8~>6HiMx&v?R2UoJ4wZ278hpJt$zDyj2zs zI+oL$HdVaSLeG9E1%sMJ|buxzI0QG7LoR8>GR z=D&Dj1^x|j^btEpFfG#_QwH6Xi$}wVh3Sl6!*)+UBOe~mKLX9v+{k3Jv2c#Ts{6Xe z9!aHFOTFua(#%$4#;_A%5!rJ6X-(mAN{|5}9TJ=Eq)r?qbE$i}zej z20i}p(qq0o1}HT>3>b0>`B_SI0)g8$z!zMXtbftm0>w#NOo{$9T|8rc@mMygbf(x^ zM|`V;=N*jFt_ExQbsaP0jVi@G`#6NP6qzP>+?o!z*`!KUatM&;s&1eLy}NoJRiMSe zgZwPDy5h!)ap0>51^-DCI89nRbU9>HbvoX`IhdOw%QzSg@?lwgb(fawmm@RhlelN2 z4?KNy)p&lCmrZo+eSsp+X%t|t|AQ{?=ka-0Exv%M1>MUylmkA>>H{jshOKF{-YLJN zjoPsX?bLKkt3U834~p5^r#N(TewOWhF+41=Q=5OaJhLPs+nrw8RE*V_I$eiao(Q1S zihSgAv#-N2%14tW1@qqsm@j`$xsJ)pup z*hXAkV01Pm{=jz_>HrJiU%w@e9AVP`AWK1gDl2W@xN$CliPfZAmjlDyhq zCUif)*xKRJZ#tuAKrg^SAK7%?O`edJW}K+!(=>4;w5mm*@|M8+SjPNEPUoJ>;@p=| z+<=4Go`WXjRRR-6SpiA}VDdIS6@}vyLG!)hle8JJU`Wf_6_Nr13@@pH+!FA86?6DM zWW9A<(|@}^E}?`15{lBLhzN*E$D{;AKt#GkK)PepHbSLaLQ)A4>25}+bPO0Uy2nPx z>bK8*pL2hI=bXRZfAC-rct7^KuIu%ziyr;r^3P2XH;f}eiLO?t?lP{)OzJESU|J(B z{!tx*?O46E&F<*Jb1ooe1YMgNdl#BmT%lKgFs}US6(EV|{DqW*$vF8{@UrEu+bhTT zg?*RNlWym2DO)|-QR+OAG?x5^nr z?mYWrN=geh$o1NpAKo0z*$UiTukrEO4)s`GQJwu{;=HlTv+OQ!fwtMCidu_tEtfRIo_&8cQt5BN(?SFQ_E^0bzO9eK%54c$rEOTu8_1B#?u0dvj z2PP{U)dZeqb!P_F@j%9w=s>iN>h!Nj<`8I|K{o4M_BG%kueKrfiHLLs+vDJ%dbXEz z!vDkMRgz1r%pIJ+`&O1y>A^e83L)2rsM)ZpEe-Fe%mIDsI4hnKc(h9%qh@LO_+C7Y2RFiB?<*c@j0AR|J)7c?*rdX^h$2)~-{(VLP zZEVl{N6s&}?~?wjH~o<%%nsL$1n9Y_$`B-&`En?>g^84-j@IWU@3QD0Q=ZOo_etCQ zAUBG4qqJP}--g*7zYj#Dz@_2r&ghB(mG-XC+*|o?-Eh1xsNkQkMfFv^}Sy{^} zHszr;ctk;g%}ld_2s21n>cM>_t|D#+b7?i{IWAGXT(kG@zCQA`A(H=7pM)P(xPsZ7 zyUhJ4fR-W29r}77sa>f5c7+y^0|S(WW5R)t9h*OZ6!_T0_x)tAY19%W8dJX}ezZMX z7|2s-6MS6iL5FLqQCOE*0P9imr%`elzT#az6!t=2t+(80jL_Ig)!{{!ti{ESfbffP zC02zaQ#I=~PC#IfM$C6{or_NMd1@ zNOHZ_A9!BgcIQD}5$da;a3$T6f0q~#ZfmgzSu166U?5#$ivJV4U#~i~Sy8`4p;Ks5 zGdvg-n$wZdIcbWBZARMfl|h4xMFdGu@p*C8)xxH4-sg{#0T;Q`KhAJMPt);dXT>5i z(7r7HuUWoVMrCDmzp9V~sHdrCb!lCt3@6xBsWv6B`FvhO*vFc?t?2J>=gMcSI+ve< zqlez}1d^rkJY(afHFr}X%nFp@ma~97a!A0Y>e7+A1D}#NYOcC>fdq&^^3ayi@odod zaaveK(<8GLUpo!nky!d%Gez%_O{wo#)*7qvU{CvKE0aQzGjH~i2O>`u?JCO1_$y$g zYtm4WaqD@=ecj4u{+#OXnTX)3EH3(yzRPV+zUPa6Ycyr*?>O@+)OUIJx|=x?@AzfS z*EriUoBI`*s%Xf+C;pSg?3Ye{4Cr(R&MB3z6Zj7=Uj0&zP2S4BzdnI3YuhyTS-o$o z9JUq_R5)--kCw+RlLZh;CCt9{9t*d=(aqhsg=KF&PsuRDN{h;|mC z@|}03yv?@cZ1#T);%B%N=aGTJE2@zr|7b#PrlYZ4j(87O3I7HI-24O@~Vh?>ms+Wj0)vd>VA*P z*NLS*Kvutp?yegYjU*~sm@*^nKzP|*_vnKCKU1=`KN+U2zF%BAE_q;SKqV%F`Ut?ouE%=Ubp>QP8I$f2f&$>*#Ntxc4BFMhTyNO!reK zj(r!^G$pdd+3VBwk$dDMbdY%U=GTfq>2MFYb90RM@5jo@E!N7gLFMk|Tfp_)>`+Re zJ(r^%H>cwrO5fxQ`nKDI${ewP*x~QbnFWjlg~Ey)6nMB-9#V9->W2sReOX@%9><1| zYN#qpzdBbR9<0EAc@X~Dz@^7m)xbG&>#!GLw-!Y_{c@>!zKpoCQ`c(V5 zVo#Jj`?}%tK@FvxT8vBUfZvDRxl{nwiOLm4{L6VM-I;QN&ga5Va6M+>hYgPuGhJWW zKbi&3sHCoTtW}=vgoQ@~xp~$U>`+SSi#J0l=E&+1t6pmJ{%5s7BD|nUPl8%I zUn1GrCACeme~h?Vh5yDC5EUaqz{^t!I0xpyplf)VIm@7EH>jog;(e_=M-c)R>pLXO*w9Fs?oB0!j=QF04AI=$4`or zt0R>W)-@w1DS>JGh0&+#4zLA(I0K!idb{Oo)0`Uq(4>c2FJA5CO}%O_b{-+0^}i)9 zPP~=#M^*TG2dJSU?ODyEC!yIW!9&?uRz@zvWrJgr%ive0%)pZs;b@G7b2M zD)rY_eEpJ(j1aH!5q_HPu{Zt8yg~CX7M~jo(hf2Jzn&<*(0%od{S?F}2Ymhdk6A## z=b$Y{U6IC37RRiNEu+ZyTRc1hd1UXfI2KeZXQlCZA*YeHu?(^;3|R-{D`>ddeVp3& zuX&G!7)18(dCwEa$CdPZ?yV(xeABz;s+r4^#C?}BhwP|W zb8ml5eIybod|HV?)l;qY&L7~e8kr-~Xt+{>3Q?B$+EFpG`8c((L8jU*Q#QX(Ta4&f$pc>#$XZMm2>g_+mtDdX zr4|53wP?KXcD91;GNLcofr!w%w$kC!jxP%;VZTToW(`(r%ep{uM;h<5Mwu>oJ~(%V zpX7nV1H(2Yd3$pL1`2A6=8H!Gw!B~I;$jceEyf6g{y7~g$r+6dl)l5a+@AhF-b(LQ zFa-y@9U}T(W4Dp_-u#?P%kHYNg{h&UlvhdBf8WsWuH3E+$(Qc?^jmn2t}2w#BgwG5 zIA3^c_vQ4Qo{3L)8h%xXWi?24%R-qjsA4HA0SCE~31TXn^h!x-viog}`UvkJG$ z;sKRvKR{|AU{*vK%v8}ZRM%mjf<~yg|La|~0KSaMQYHRZX0bb@32$DpXUl3Fg;75F z(j;%kwq@#4_MWZj!*A*FFW=~V1_4`CA1=2VC_UOBGXf`?X7llOW!P$=pV`8(BT;RxCH@ERbo77wcdm$q!&GNXIoD>p@u3CA>YUoZ6{`}yQHmt!% zR-wiQcQ`~@d>jGi%rPa^znL$ex}2_$RUx!Byfl!nryNI*R$l0xnKMWr~u;AGYF z>L=H)HZCgbb8~Nbe&@JL)FTR(kPC1$CO=o07;=R7wl1oBkn$puKROA&n;20V{9>IS zv`y(@`pM^Rxbq$T&v}m@47cG{m;=tf7&y7;R0=7+Z}TwL(zqhRP#763 zTdsY~;p>pa9kFWIVG}s z(}j(}iPWAW0vAssg8BlSV8aq#S_dCMqIr|Cz}CxI)|#P;L08L)8ewTj^0jeUHLl zBaKDW?yb{F${aMoC#IsuRVe_cd^~z1zja~6mo|

y4ADr7y%j^239j``i8?m&!dY zr^yzS7Bt$N>L*9)U|_L<0epjn1;@F%SwQUGA5?ZMknROJ=2t^uBVGh>*{!DK{M)JJ zer_-a$V+KD^#AI28o9;{6H~R@;nqbztZ9CZS=D@=kz|yAQm2qy<7Mp=2qphEKUvpW=%b?L+&M~#H8Mhb@7W0=7m$AuyuqfH+50mEp(7hQ3(d?uP zT)_4u*=Wr>QOrW#{|$m7~Ed7^BkFrmuToItL=4|DKwzV z__8dCh{Fz?W`TC8>NYl`ELIJrMjn?`72RG&O%Tny_~7AAhh{zlG=+bPw3_p6%NXyY z^4YsN;rYly{R>};Uo^E`x|nVt5jNzmEb>&BT4KjnM2-xzL|OT@SDEX4d1uxs2RAf zYxu{)`?Px9bQtFA?CCwh#`v~IV?3~yw>3eVpjgeXALd*d+;pPESyl8-UX_EErOpO| zV}rtCAKyklK2&Xp+_CMrr&MR)^e`~UEQPwtbT9Lbj6>LPsk6_+XH)uy&#tP_WBd}$ z$wZMRDaU|7RAl5+^PP7aqGF0S`u&P_?$f`!{ciYSkeigCQ>MoP23sjz+XI+N*RI5a0c7vT$;CCO(&8eSV zOwc#l@XVuA=A5|#TUCyxgypjX7=m^3`Nh#m9@+jt7>`a55wzwDF#7Clyl?6co_K4Sm#_c_KLW|^ zM-$AJz0yN{^*B2obC50}!nw}2LFY}U9B#8KwZG^rcbE9Enyakn*NDa%TOW|V)n zFPbDj06*jq&}Gi-M5$&1#h*+vtUr&D$j8<*puLuAS4=FZ=lMDO$9i#>{JD*Fbs)Mj zxo0m`{2CvuKqc7eE#2+U`FI7F0;iJ?piz8tr$$!Z=fLCytLJEh%ByA!L%w}Zkm}Ks z0n=}~Bl3OzrFHWRsp*dE#scyrB1-`fDhg3{KI~$^kWjc&b9+qu!WG2Ogcu?6@r9$S za2$ruoOo*t_)&0R&+}Jg2JBxvuM>B2W(1;9ZHsyE9wxyb{l8>@X{$8?#YIf13qc8IMuNvIMe4VQ+v*|cOrK1ghG!&R@yoWaikuFslPR@fcGtz}^ zT7fvbI;NVFA(TXP`bfBs|M&W~)A;Z{)LO)adDDxZi)X$my(qL`BvI*$H3$jVD6-9| zuUsS4g`UIV;&XPmidIZ8ZfzxYoT zX75)_NrEtrxtuZ8Q}gSLX5(TG(IEE-wmz{&|3v7AxyjDjmvu$_x97@lK4zcOQ9mY+ zL*(c4Hc$Pm$ms-={so`y@Yr)SnL=M$1CS1k?rp*h8kY&|msWs1hhl4}Q$K&7^-Vnq zRe8yWgbB+Gyx|poE`{@bmS){^_Y-C7D%(9?5qHJ-w#ZarZul@Rv-=e&qYyC}tGNK-K)f(?oTU)Eh)Z(PvJ*edWx2~~N zh>q`b%{pIdND6t%^_zEt>{71r=o78CL$yz$`S~AoX?J^GSF_{8JP5%i(sr^_-QZj1 zZqL#SnKigh+PRNaWW5}6J(KFU$|I!PMZF|1X=hPy7c72V!?(?+uiyB{SDGDZmb`mD zWb1O2O=oNy=@6kZ)ukauV=Rs?kz?{WA$9qSc0W-BG=XM#%aZ7$fpN2D6I2N4i zkITlz>WG;upO(=sVzm63;1qVq?tQVD+1Xc8;qox9$E>^>GpE0v5fX+elLOTRLVAd* zw}`0@PD5MeY*|chKO9!smi*Obh~Tuh#IkuYq2_R?Ebr(*YA(><9+;O&x2PqFJds93 z$I2lJvP@dYTYO=8#5!eiQt7DAS2nxtTIqjUtD^YswYq5eGRmv|Iq!uSNt}3j%g(2k?Z2uQ zQ5!{J6b-3$Gp4revKG?AG%tKgH5J;|jwcSQA3JA_;74hrVD}wjls?#SFUMp&9hbj! zx?te%`zv8aRMjqpw@(%t0MB#r46lc$4!33xeHMkzCHEGaysAvfnp?ihUa$U70kJb8 zKca8g9EJ9-07IBe9EYc$up8}OAX-&(*qkP9N2;D+W!&54BvdT)8&+lloNt{xfBt+w z--;HfgC0CIS($ZbjQ=josoa`9(`E)wk&9R^?V(==-XYhJq>klZ{Xj1J?ruBYtwmr) z!0Gr0n)4(Y-z&mZB7`XE7yI-zK@fb>?f;AJ*wfj!m^S204^;Vr|QINR%UTF>ryj@uA$598*jCwR)F2vA5!Di^?lr z1$|m_qUmBSMxwooFFt*bd%2O)ch+5xYJuazDtgrV{r!d*KG`}6`y3Kd^H}elg$`-p z{s&enL+D=G&61t*@!Jdtpn!4n+&cxu$D-H5P;h$GDo!0T2#Jq<$>UA#| zP*217%E^^~{OL4xnG8u((ZBWyAKiG2T#Wk)FSLlO!X`eueOw{F!2aNOd{Aomi<;=5 zz85tN^r-iL5F)8!*M*#uJ2&iP(I&(n?HKBAweVrbuc^f@P?B=HIxn?8snq{W9=#B3 zEmM^PbbUS)5ylZjsR>bT-47V!t~=Z`3GtGcTnfDGu_G6Md_gW-cMjhH5aR}9^^xc` zt!o{8i5^MLi487IyU$XE6Oe1#GLzzP4@Z5+zi`T;{R8kx(Kg@&j0JzrB0%^h6`8z8 z+qR#{T>Q2&^qycMmt~m;hB-fhbOhRZt`RlG%^ZHun!Z|q+3anze7%?mw&s45{wD`( zUM7kE(b>3xJ>fN#VLA72FqlffHYs@T(Sn~T_FB#-6uY$XO6wbJ1jAkHi@3O+)eh`z zWpO^3)5#$;_+x`9{*f-<)^pU9*@;%$T^R=u$N}1lydAM}m+KFf+&BO}PjdO>w>LR` zyXhN7Or*{=c#BFY$z_F4I9l$@d-i&n1hlsK+!_%%Lv@xDP0RL4g$*^cCMzV;HuhWk zoFu5@IC;{_Bk%L`XxDKOi2>qJb3jp~R*A}2|CTY&VE+}OMG8c578@5=R~tho2TDgLKXqU07OR<3Z+cui2( z{8s?FZt6iF16oo6ggr-JR6>k0>X7>(c-*3AXcMKcHsC5;Lwks+AdC}eN(1e=pw*8? z1q)ozzql##L^nM&2-vTqx;D48se@4Y^2G-hBQc+=a?`ob3|PI0IrX%PF>@qd*EfYq zs;)=<^{;iF^^V9^{yi1hKB(A^@$Xg(K#vF4W`|14_}JN|;!%I^VuB$nohm*D4-D4Y z9@Vke!{@c+V@WJR{*&eTVdK^EIRIbP%o(_FfslIrEEnsuvoP>bGn?g7lLZvUg_!}H z$0zCl;_74$0=jpO^E9?%#hIb4%)GpGU!Xh0U7tVeCePpvJ{N}G^zE+N7w!waYs)?S z8Xf$zm0F26FzQXqfNi69@3-#tz;tr1?8Cem;(3Tl;#Vg7Fv+ciD3zQV)cFuGZu56u zZN+dS+ob>LhSJ^<2IoBn09BoM7nRrkU@?>N_I+#Ns5l*gC3>mf8W1Bah>(!!!*O-t zB>FdJ9Y2MHzpaX-b&CoauB8_yt+Gvvr8=%FRM>_7_(P{>kjj4QDZE$J@s62N4>syP zl4sX;QlmBU(@yiGJnErErO#}NU9^u>YC*5quSC!MEeuQ&qjqLBATQ6p9n87&HTPcv zKKlu4xMi5LGqoa0m*)`GAm-~EVs?A(ZGxx^bt39fSuByhLeFp3R80qXSJ%3EIj1`M z8QJ@8C%Z^-P1^h_SnYkOEcv;L7)I2tW8V|5tVe#t$qUafC@>VvzcJj!jJlQo)aFX{ z^>v;((L2smxeIqbns?+; zPIO!t#tBg|hnAKO_D0Z*)gz%PHah?wk8z{y^Xzx3y ze7T;I0qY%UStiYAciGq!ipj6by^U_e?Ft4Uzich0ODuY5z`9%IE|YOS`};k%J&^cYa}JIrmPHqpU&Jjyct2&m3pg&OWj)<7mCI`4 zs|c9I9^X3eUEXRsZ*30z6^ti?r88)>uYm(k@ECM`U?QvSAWSyiUtM^8>5MRfAx@Pj z&{qC;fbo@lQCyG#;$Jq1q5$c$XVd=-bj^m}6lMM=d-%cT1p9v&ai%#ZXz95pi$lkT#&_INcyq3ra@YeO%^zU!7D0KU`tU5ikXU zm_qVm&}>`eg_CULEiVGM@3vn5)4_haRfWNj2F3L!5nbzXmD*NM zK%nVyq?3DQ;G@LdKxy(lZ0-;F6luGzb8Z9+EIq#q3@sDkdNP1{-K#)gim|8Fh}eBn zqzW~a(TIF~H4#{<=|~KW#fXP1B}Hg`G@@}Buj!Kh!oQr8=|xG75x`5rc;bI+v=hA? zrsA zfb!KJim@Hi`kzMEKbmRjHete)EqS3_A6oEPnV6-r zF7p{mrbC`lPD(D#W>3kS8uGr@evS*lt?cq37nYowx^hj2&i+NzPqG8{rL>Y75mmgC zMeN1+!_^^=`v;NaSh8G(9rr^Lefc+53CVifQ7)d_@!u(Qc34C?L6|bvuCH<^MFbEz z|KL-NyXF%(n2f6YNB-bD_daiD3I-0Ukc%9pxR?5jXzRJt;_<&5B6+XoLG?@4M8}bk zN1p)(?p`nFgu>C)M2*T$pLR2#XD{24^;}I8KX&hH+{LQSodOqaiN1c%m=2;NU^tug zMFr8qVMkN7L`FuzD`e>kZ62WXec?Yk41)`f(v(^vTx*6sFHL&cUr4tJZ>+$XwGOI;+ua+zw1u&(n3#@3YRrrt*x ze1?ZC=lhfJUi_gd*Yb*VU*c^)2)zu_bya0mVn7%BZgA@5^FrK%5kw3Y1KBPZax&Rc6wXwFI zFWSmtjtN?tB1Yo=)zr|g4#5UqY#opGXy5zJKqTsDJ@!^rtzb2SLIs{KW{cdsyKd#OZe*I#GIQWJn%Q`aUbrPP%xn0P_F!_} zT7EM|m3pzvOva?|44Lxwy99(J`%rJ$h|b*SuQNNl$g9n4QfvIr^^MJjRIHd}z=-L& zi5hhkVZCldr(Q7CC;Q#Z{G>b7mN$r``c@19!^x~r;aS)tQhh9+BMy2Pdw;}00z1-i zOvCVBHL{q4RLR13c*$SnNCuV=w(shE$6%6)s+V9_+5NZa#@-W=?gy$xBqq;A+Au z!_(-U#olTU?30z*@p{g&Kze!I{$R?C3Tvju&)7hsgn4F2-dTRPN{iH78`}kX`Y*HF zb9CL@0Dq1hDm1g&u%fhq)wDyX&ey8x24I%ma#iSnlthHgf=i~}(Rr_Yd~yc4xHxa~ z%h1Om*M>XU=^@9BM%VANA?m)jlhd<fD^kS>h)2Tml;K!Jge8Xx=_$U&dwu@93 zaACiFpkQ8cNza1z%U`UTU{+uNC-W7a{G1-~>qX^NReyzK?k8NRxfd(@!yeZ!@@g<0 zYT0G44ZUY~d}QWQe+?l+TV8^DK_siMk>fe8!4ThdsXx88J8wDYT5d3GD{pwy!CBusHDD zR|`k}Qj-c8l-dezpD|b*PdvUi96P?5wi!=%_$Z6s&#g;Syjm$%YDC|{6ZyOCu?P)l zCgJ+rLGyU;8JC)WtvZywu8#D!)+3<&k@5>%Y55T3%~KWxunSs+0ACKsz1{E?$6Knu zgI~v$7tw>_tcXmDJPs|_eARhe^f9a1yPD{JL+xTEy++NPdQa@jKtw{5H6o^ssO-FR zHsY92pGPNkB`LGlse!d*#cbVUb%U{=;p)41&rMG4T+FlCefFuseSBVUWWI=mgfhFxo_p#dK9TqRNN*! z8;9ZWs)&j`+o9lmq9C7St~B_QEa%y;DL(tX?IbOS{%-{z?~KZGiSFRxuAcbsk;$-# zcL@CQ1;(}2-rKT$J5_{^^%K!u9r-F{T~1;DqH7=y0WlCHDZl6X85B)$iDeV*yjL3y zI|#uWG==+~sDGFDe$4X*eB%k;ONW}bm8t=#Uu|~2L;=g!&Mzj(;rr^5_2&CfcqLOd zp)BCQ#^{1oZht3OIB|)nu`n(cOZ;?SJWONisgpTIn;yB1a>(g>-2=sDaQ#;3wHN~LlrqP@Ie!%4!-}zHb;nPe!y7o zl|X}$#2s9PIXz5ccSx7yfD4xAOUH%Zw#KYp6}-pla6|H^poDAit#-1>(U_+35MmCj z6yDQ313*1wqdt?)NW9aul3{UeG)M0Vp4gc;F5;pl-e>|?4sToKrbc;kos@(1aEB_p<&4a^+10mp%dk7dgyO#({A_S;eW_DU(NZ_;oZu7rx>@<#3$ z;QUHbU7xT_p(y9Y{qr!@><{rfT&=kMkmr-A`?S(E=*#1TVTnp5+WGSB(dCXX&RP=} zs7zKof7fjY=Sg)AJ`L1?*h^;fIT;Y2qw)~pe@+MH(ck4vU z3PJY!z5&Qn3Fp}g?z$P4VxgBjA~Ba6<*IN5;ZU29mqOiq6?r^4>{%c$io#K%afyVI ziel8dm@C^C%ADWRtcaFLtjy&{3$B=kP8I*lJqp^**|bUiSL$00odMxq+ZAgXF)ijC ze&tUBrqY)MKWpFpBh)kn`Y00ib-Ec&ioZypPlIH43j8PsNjnhot)C7Cs*9h)5J;lhqZ z3jh_(^7+iXPp7HG`ZysiX5Q1uHy2fm{9CM7b(Y76RpO%dGH2iKYzAvJ!R?UrbvsRt zvrnNGKP>bbr}a}zVsiXpo7U36W5&HdnX+Tc`GvtdzLySAa2@(3aMqN6NlYf;OHv2} z$!K}bDcrWSN4q9tdg0UBQkwO-JUXrQ#fm00dVy1yKi2!39$zO1KSIw>$dlAUm6_5P zbI_c_?%u5<{^2Erb=CE~ci08z)LgYzXNG*an>2!we?`imGTfS8!9r$h?GDYNP9V3G zWWin?Vi@|`$`N|Q=i+g(@Uq|ZsIWS@%r_I~=GH9Fxl!f{$4*usMjW+~mc}aeM6#T= z4He1jwgNfpf7P`$<99lAK?`!a6m%!wVHKn`EBA}qm5fY3FPoc9ZM}H+j7YlYUIqPQIH1z*P;0LgTP7x*&8!IIbWGE`YDSO-6zCu zgX89^ZH*>dUa@X>XBAxDuMiYm1CfCBjTds95ks|#Edd=CQMI_*WuN%?1BD;ux6ua; zm~!#WUK55#Qhu>p=b1N!>us|kqI14<`3tU3UdFjiz}5TMQna>KY8r|A>tfD-8<>LA zvVfaZ17UP)7T-Vg<@mUyyY5&wb4ty{?p@N#@6YBFR}bR0ifpm(+br_W_uYP<0p3h< zDm)A0qSU$Fcm%WBcP02fih=mgMD*w$y~;Xa%vhG7<&IycU4o!qfcFpiks(9WP{`%T zQu91NpiXmsboC&K&s96aC5+Ac;~;Fbd@oDR)`jI*fxLwRfBD-Cyg_&%m)~^<7erEq zao&-={#KHS%<5kiwM>m= ziB8r4m%SGKTgiLza%_?;R}!fpb(&$i+rQcM-aw=(FxjGUT{VuT_tsWyWIbit2GMSziCxQk$IhHkNw;mYect|e}=ambz6}fN!UUS|u^U*Gjq5H2R z)=CzfQPw(x$Mr)eL;}v_wm+DFhQ%g3{dBLAE3J@sq3J$@`RaJF51-isFX&sXbSnq{ z$JzY%$J`|gR5% zr*i0}J}G*;i?)u=*|6cxMlS;40%^!|8|tq!akWSItg>2H$)GMX7SYY{M1l|J;)Hf5 zTrg&|`C{uVho4|_FULJ3Y2<6cp-}yzjRbBb&OUIv15qm^jzRNK`DRjg?|5k9RZ~o@ z0=l^o)u%H?Ll3pmKW>@&Hfnl&B!lWoqN3NFuk&BYVf)v721d)Z8tJYM%zLHhCeP_) zMj-qh7>ucc%$Tqgs^&!-e$xb5Cqu~WWyY>sL!bFbnM{B-iITP$Q*Rr7&HZ@Fh?4Ih z!c?X2LS;~m@0oqyLsr;%w%@^nohe>?{BhOss2cxyK~ML8cY5=<_8jc`G=bIAbG{Fq ztgpuB(GvFVzq0^NZ}2;4a3OFdNtr@sOAyOGZMX{p`&y?5wSGB&^_g*!UhD0~dsuv1 z#LF!z-++sQUcbzRUZ+Vl<(cIaxK;^Yj zitl}0YEk~wLj`VEnjrp{%9qTsxU{NdaXusKEo`4$7Jx4uK2F6%_+lRzd280@kg7QJ z+bw0j?^D`J^2&E^9EIa3Otsnr9OrLgFiLUr7xlkP@{$PixZOE%<4AAPAAlu1h5O73 zd8k*q>7j1VF)&eedaHTtV&1X5I!0n?R^Qb9dhy;Taj3|6cFux}?$$*c+iHTTs>aG^ z8JQdBBjz{#?s6@s<`p*UU$Mo-k^B)4qCiXp# z&i|52VdMnlexHsJgMXRL|%181f3jqiEotHhNkhgr~=Ie-MkO~GJuHUPOrMBXE; z!|qg$shvp6iFIUMK-<^i&*gtL&*7KPNV_k7`Hc+f4i|2Kr!X0k@ ztV7)ZzXd@7!f2*ful=_uX_B~N7l;SmM!==q4Ejk1yvb<)H*Dd?4&4#L3E+p~0;tC! zZ1&LuNF+QUaFPQ&rS4~7>Rb}DXJ45Wa7A2&4s1%I$q86_z>lJ-&B^xrI9S^H=p^CFO1!q)w#mOowJ0(uO1P@l=Ytu=y-d1CUXdUm~rAAt^(Oz zgU^Elkcl&N9oPz;!u%wZWJhdyf(gX>dBD}&7BaRO|4|pacgNznmduJ8tJKG2rX&m0 zNNrso+absioe`>d^^mwmWtkjQ_5-w-QTF4GRE&jigp#tw#b#-{Q@^@>U{V5{DaY=% z3!{a){6$g*hcE;9Tz19gyiwwR$Zq^-{x_Cnl7(JIkxEM)kV>- z8MSib*;!sW>7Mbe%h!9=;K2Am5fiX!ZUU84_^Hqx$Ny7rB0De3;)Xpn5z+sN@fdirKc_4?i&Ldd(%x=*6Dgk z1_v+X?L3ZLnh@4x;r+d|dH!|XN_z3!TWE;S2eVRuvhx>4Waeks%qIWBrR~ka&O@d| z7ITX*!kF34exnCJ`OBuY3-})gX!;DK-{o9pbLerg^TJ-z{!a*CgS@3k9Hu?tC{%m` z`65FVV4mlTE3tqz=99P7&KM8%MmKV2_17PvSM*m-n@ujH&QV#O_Y z?p>2fd&29tTB(ZMPl~ID@wZ&XMw;?s3d%uUV7GPAC{V$^OyXyre@{irAe9fR8Lso1 zdF7{&E&diO_O29*4xhOIS7=CJGH_Or{-5jD|2k8yszH0&7G4ZXk3)x?f(Vsv{Z&dI zK3RpeikEiH_#Bz(okLrj_QfZZ1W#X)F6I9CoCX}j2f!b98N3#D*5a8ZU{o(PC9qnP zPI;$WjQwd!_u@^#D@Hqf5@iu`v)b8?CjjvUH=MWA6g}Wk<||-B&Z{lgI>^W7xOw3D zoX{5`qL?%yAX6=D>Js&A#?;xG<=C=}^TSi0z!lsvJC@p5Yh8&bpq6Fb^6w|+_PBjB z0}a#Mun$i9oPE0I88K%&>RPb(33?vNSvYwrkBdM$S-`w)a->LHC+S?b3s2bNXA&R{ zbJ|!;YYvwG{$@S4r1~tqZpGgbemBFF4MstowoUfWOWC%feAy|p*P?+m;t!xRa&hCa zukPW`2G5L~CYchWTrZEo8~a-mX>@UN_-__*_@Nhw4M&SA5fC`+#pdoD1aMd*B;gyM ziO_e5p^)o4`k3KB0`gtGgo9kfTkhY+3wlIznMsa@@`H>^Tpr>1t`CElS zJlAt4!wioejfB~237PtF&;V_;m!xmoRTZa}?n|j=5x>2ezCKy`KAaT=LK{VHq!RYrKEL5xn<)kZEfugQ5bFJe0pLKe3Obw@86)s zOA)0Hy(c^3eyhqEQdVDS*kotFmbX+*_gIvkRvCzPN;r4iX~3Z1pfv8@Jsh;$iz`*^~*(I!1w6#nB93Wj*Zk{{lX8wlUpO=I#k%i_GW<{u+^W6L;T37?} z?K+)Iqs#2}+#cs=-a?5>A}@HIPp4n;r4E&2OXbj`suQTYWewX;0!|Rx^P}ZW59ea# zjwtFn{P*$?b18kH4Ohm^sNgU}scDt-YIi-aOoXdxSil}9YGvwP^HG&2@b%&cWzJyjprTNkxbh8ODhd6-z zR{Qvkk^kC3D;zdCpf;hx`R`XS2E5&HRS$z(;PFAz7q#oqqjHUYP87a4rtL80#Y|C& z{VL~0`e7?4M;7J2X~9VHZn&16nPbfK{<;;NcGJaJJ-yo!Ii%=m2k|aOZrmT}(2w=Y z4QrtB2=BLteA!aWyHHx&3Ydi`i( zYQe)Ao(atCnzf*`-44P>T=(E;SWo3ybnI-)*N-(@6HVPu65@ZzeEzbLF|Bz0spsd$ zUZ-!&Wc1tVj#g6lx;I1x#sKk24J~a)zvVq+^f+(dA#OIk$LeQCDW7gtC@=DZJY$z} zDD5j<>(OmN9nER}*sJcRGc19If!F$#*hFt%+@|#9&AiS^-a@X5xO%z>;U*LdLhSq4 z1H86+mD`V1gRSOFeeY3sw*1HoQ=D1JuYYE{_JA}y39+2$T(@Few|IBYNXh2=v|sV* z-lvFk*sQe>ShJLngP({JLE8u{mB((J$dntvpK{ToA7jH{N7VcUQdIGRc8wp-kaICU zYtE2514Q~qp@^U@+r8w=wcWF4BKz6+x#gSNV};c-ks6jIZJtU!2Q`x;6|;M8uM&op53rheWk9nQ(w&E(s8PYwwrz5w725_R|om81M;7TAqzPRj;r)g z7oK%XKPB8ZxrLQu0!fKBN9}2~WWW|Ii!V7@VY~Izi{=6hXT+uggRT}H1QxmNj<9Rp zxHqYO!?26WtB?(-dY@ zR4R)f%jPi#K11`y6&7FIpkqlZtDHuW-6c|wEN!9^xc`r{_YP}1+rEcKL;;m9pi}`d zA_6i3(otz55>!f%l29ykq}K!xFcj%hq)U|=K#KInF-tYXL z_fH@^Je+fOTYK%bIfv(bDoW5g#-AP5&CD%gU_ycSizMeKRR-`#vJLZSB5@5%wpsga z!J^j2q$if5$OLsr(t1ayQextGCrlK%~#Ykxr>vR^JnT2*}I^bV@9Khb&ZYVEE` zRnlAROD9@U=pJlf+BApL@Axra_B9aa}-De#w=b za*pKs#UOZ$4|iZQFV}gFSU)PfN^eY36J`?Asm%7lv_pk89R21)=tWt~7x2j-G~X%u zqg;swOZ8eRR|3uB;IL@mL?wmn>T=OuQMs%!_k>EPhNe3* z$ye^qU`C11#`wpU{KpbuqrcGW@_t+CKXb`(_{|f!A>+m*owY?|5UViebE}$cc*pzT zC{$qi+R>e6x)88P|J@q`ArSZme)*_g4cBk1q{NQJ9#`jW$X@xdE0Y$&*|(DRO^L&; zX@AU3&}~@lfj4Oe$4i$kI?miZfSQ_!Fjyqh2YuhYYaJKy{Z>3FWNctzq0(`EJ9Emi zsGhlW5sBVgf0L6tepjR1!*|)l!b+J`YB|=0HH5Lj-(eF0zm4vR(p6CPJ}uCRtofq; zzLqN|JFg_W;=G&HB%kBa_k;2Eh)ms7wDs1`y6G`#mAyOkQ&I+cJX}k!N7;FUTe>If z(XKaQCh8sG7UJA=Bm`>72Q>IR)C$6uQytME z6wh?0+QUWWz37(Uvi^IM;jTnQwq1B_OZD5$qiw6|L6f!-U8|`4faSXQ(3(I`4_Ha% zw$;0P`VTJZo_R+7Sxzb|e%goa*Y}Sc08$H~QL+I^_NYRN+I5M}eW)$xa8zZ!U^Xzx zLgx089H{29LopZ-m&0YrI1cX{Vjzga$y#BscnRa2e}9c;lFq;~VQ0JOslBO!c(E8p zXvE#n_)L^FmBB|9@s)mx>(ZAOl%4(Ua1dDj& zKrE7w!{TUpKEVP;kni8GX&`p5#q4UtGpz4$SR~G>L|+*JZWbHh1ViR?z|O0 zYOQ52k^O!|9e2kxwtEj$-psKYY%8lT2;a3XD~);$%S_5xEaI>YSfG9lo#iS{JpVl`fkN!`ipdq(sA?ZHJ`Ftb$2UWH5)fny6F@g09OarMSS09HCQ!?+xNTHb`zmiGY4 z`f-omGR4Df504+%VySDd!Xv)#p^q5x`gN-y)>k{=9-Yy73pW zbJlyRG9SU=m9tJ|nS)rrX={`|RX2* zLlapDg(FPkd&YYa9@P(CtV4z{4r<}_1N|c6F2tt6p0DU>cfRt4%z54$hc({6=uwRz#^5gqLs40>6Y`p-P!8ClIvm2Vepicawm#n3bukSD)t-q9G)q>m!n8-B zdySdgp6sSaN+CsoGQ)g!C=_h$dHLqJpDWf3-x(6Ld>^P*U^3ZB%Um$1k{uzt71R(b0h4#xqbN7 zV+!X{{O7{~6_3{w)~7@NW9v-0C{7Z%muG91trELitZL$+<3lTs zTE^|W3Fx_9H>8Tk$vW3+-enzx(r&8vfeMJYAPU|SCv@!vX3z5F8!X2o^lW+zo{>sf zG$lDqrTaVARcVOTZ;f($7-%M-r;KXX6Klsr(5Lw;7goK@9l~S}H7ipkQRA-=b3({* ziLv2Qm5Sa|g}T%h)v`&$vPs0f#_J-(!{>$6YCFdasvQQ{Uxvv1?#&Ol@2o8(jryRc z3J{c(tJf>TxV2sw0Bj4l#_qDQ1dj?d_3(?GIQ=%KX~KT~>d=^!NlVuY$Bd*$7b!we zJbI>;xmLlQXxjN#-kx?KVE6MngUh2C%?El0xyX$B%)D>I`wS0co0WyB34`2g7r#Dy zV)W5|{38on`8B(nwPpd+8fFl7+qW3@LLF)ckpn~KL3-|L_dVCq>!XFwU?ndb)oea! zQYY-ENpxgg!C^GnaoL4U)ff0}3>fR?O70)B+IQPTa~LbvoSCzoV?Ocpp>~DdITLp_ zqYA&czGJ%UE2q{7dA_Dng%ECzl9dmg(hl6nRzn>E!3C47E;Ac;WG0Q_VdSi}$PNiv z^FHfnJM7A`3Q7oK3~OKJgp+$Qo<6XcYf=UTugS&%LBL^x+|}h)2C%PBa#Lx;d>N*r(X!b!bDAJh?9FUunINJ#8q57Y(_FKY*oM>Uo!&~5^s^0}Gl|!M zP}TSBY2fL#=Siz1-b^`Zh+ZalNUWHg9?QZAZsAUXJwt*uy%$y`|^@*PdU|l4FA0GY^X8F1XD+dvpA%w2?}3oUjZFML0tZeHWSV zoD$;ItsL(>57^JLuKtFa{2%EK&C1!|I1Yl1$J8gC2*j|+D#KN=M$bO`GYM(YlO&iZtS#K~ zyPYOOxZiduzZo+})tYjQzm=9eEbwM3kKRSqyjCNihk-xXsn*6~w4V3%_3rqX?>T*^ z!92$!eGf1Ujes{3c5%jr*Ko86c0Bt#c~5p)7>dcIcuA*dxu_V7zsU^@?y1Hu;UBd0 zvBGSHlzPR==0if#b|_(=ryAB~kWd8HY_tg#t}l{By-o3BxpW6WU4RlrGC_h3G4H>; zceQT{<4AD#e-)f4WF9V!nqSNJXB;Y7d3ag8n3n%(U>6g$-#87T+@uj}aY@!IPt3@q zDC@N;+==&{vcTLq0co2BPO4{?c@&Z&euIY$At5cJmve;76=V34)^b{dlh(}n1DX@j z5LU<75sl?}TCg7TCj1eH!i?qVXN#_we#fRTB;oA*kmQ?YCwn}uum<+X$<_IrV`;}} zvCaKciS_B)B$iH#c~#L;&GSQJUAz%_Nz=1;+(&IizrYgccj66}UB<_CbBDKGO!jW; zDXw=(oYr>SlBUj_)GUXoI+Q1+kpUw?Z?hB7d2dOeCF^TMveE1cS91%&ujPp0`uS7% z6uZmZRkvY}Uy`;m4^-oY$717vc>%rJ;1RWY^8?uzmV9i z>3o0KEut4!cDso>rJ(Ev7+iL8`=0aDL$(Gt{j$n~vC+|&5t&bL(=L~Grswh7Zy)|1 z5e~1D{DIF5PFot%{*rEl#o{dAxZ{NTf_^OmBeFfK#I6Ra$A}oGQjVyC z=GfLj>o#ngZJLn6yWm5cq$UAT&HHubbn%`C0r$Xl-i#zpei=gXoMFo^y+uhvC_c9` zdFlG7ZK+8u+Uu9A%sp^;M;Fibzp&9XnvUyJ=>f=*dhiWG=C_ZW0%=k=aWmFH8zf(7r>22#l& zCM{zx(zcFNiP-tTN4?rdXq`e%>`EH?3QNi%Ghb$#EjHj8+?{shW*D_}O2t}w@9`D& zBuQ}yFu9)EhfHtZc3-|+#T_g)dE(r<>F?b>zaC~^$U)hJC$u^gi=RQIe`nSmCq}fW)p)x@ zG&j>Ex4$RxUCQR1A;3PCd_<=Wu6tHwXAhXIujRI!KF&?a7+E`{F0JtDeDT84yIQ)k zKXJeI@zDhQU_zGNxet0!E5;)ArDusiy}+*u-rr+p17rCBH5V_Z1~%iGPoB<7M-5Ch zCT|iP93^m8gheC|$xIQ#-`le+mo~)pzdoj)zloJ0l`$c$nmV}99Pp=ieTDo5RLj1Z zS!g?`FQErIe(r%duJ=AaK2_<_SUPDjPw43BAKgWb3ntXvt5@smP&HS4W_$JdA?wiB7OoafU6r$9#KA(=v0ZUXG3|0D3sUE^G5)N976qHf@l+1wL&#e|?0I6 z+9fW7Pb$&1k481=J=|kD$r9K_-OH&M`)f3kToRE&9YJ8{n_%+@D6T#A5U=GX zCw9hqxU{rXsG{Yr>AYN$oWXdpspAow(`aET!Xg5s`h@yLx-5U_@_VYQCdVvmmdCh} zLQ9#7lDx95@t#%jGf0hoo-CliD7!ad}gy2mqep$7oQQNRx{wg8Y zSJZyxj^tj~SBnYDvab(LDBEW0J5R8Z?8(<=aOG;Lqfh_Q8GR4F4=n3u8+df(k5G&? zBmIUTW}jA0^$vK^JrBJgo176O=P0q5yuI~m!m2twL-Zt)!V&X=N!y(7@>LM>BR+Lv z_ij=_wc{~!W2nprPx_sG>}K^EFrH4l#(rJ;Nf+*#f1D3L`oU=9dqGvM>ZJhhz%*uj zqi%{)CTj_*)*P@C|)N{x6*r5@*{}RlnZ%0##$?z4hZ>8xNRzH!a*h67D`1Gx8*UP7}%g zP>-r$L?PshOrfxR@^dCOI5>BZxgB+7_2aZ^yJGx)W|huenNdxo-sp~8@phGr>u>|C zhGs`=Z?G}HnKNyh>z7YfMPC zl{?NJ@$x>8Kf4I2C>7Sd+EiMWdB{*4VX@V9bwmn%8f0buUgq4;B{@%5K~4~bqS{9v@V|MRcl)R!eX$fS>ijmUFDc}GMwxQIq&Q{bSl6K^d z$(NEyh;Hh#1!iOg-P;o@-AJU7c5@(#xve%YZ(38!n5hvD&c&@lh9q2sX?L9$?JrE7 zA!B`sWW}V~uYE5tlpExA-frasVC93exGz`#xc0xd_I`gm+YhgiJ6Esc0)~HY!IP47 zl6d_FX-K2TGalE84T>_jK`t}hE^e+D{JhkaQ! z*io8A4FPPnnqH4AH{-J>Rv`9jvn;A=i;nf|V$tD;D4g+nxQU$pg{?~i?>+|lDz}oP zx9YPDHGDGPYg)AzXTL@}yi&-EVyAOI6YD$%$aslp!q&q$Tw8`9Y$R9bRp6L;IRu5M z5zR)f0#5T{9ELAxL{7#cfRo8(Ww)Ng4a$)q@A8QnD>^Alfr=11tO=}pQrm!A%}gvE zRFm#!_aHvgMU*dYTueH3KYUmjFwG>JoCLeK4w{SvU5NulWkdcv*Lv9_} z(OcQ;bXQSPd=?3$E72`FU+FgwDcRRZtHQK2W$Sc0bBGZsTyUe(Lw`p-JKaU`rS4cm z^>}hI(?cmY!wph5>@(1u^sZ0!$>Dm7NM-15>GX-QLHra)ETPL%cJF^?BjSY2tzq|rRl*tNgfW@ zSZC!>r7MBc@@lLpV$RB36};3k%sEK(b!iDwc6#wocQZ2m*X7|Y*(hh*XA$C6yu)wu zB?vK-;ZkHZ+3hk{jUjN1nSO)3%dUctn&C)u$nBS=zP{mP1uLevqi#F^-6=jpxJ3nX z_v^fu7i7$&Jzj+w;0v*xK{@=AyOvcm(yb@z>O-X4zzkPta8z4hjDt_K;UCk@4Y=T*mLw-v9WO^$y z{P&9s68Sck=H|FW4>@9@(HrG5iTWRF6-C_+?PW!*V?{)J3V#KSJK$+c3%>9juf1@M z^?1~MSNu%xY2;p|Ne)23GrwZ-3PA!DchG~(l2!$*G3R7w0ceMTwOnphtop80G)%J- zBo_x$>oj#|Ks<-Wp<|aVPN-xBoO-HUL=79v_c5Kuo4!mi0H$&ukJZt!JoQExOjsNU z{m9ONw6m$*XM5U?jkF4j|C71($Nm1d@Z^KvNI^L(`)xAX)nK+%GMA9 zCD5T*n?5UzMw{`1MVsdYW!-rOmcg-?A7nfKh!>WJC6 zk5H;vxoS?C{h77P|3M!oo)7A{_7yt( zvfFRT_XXe^06d^MEW$mYUneq9%mP2JyKVUjq^Ey?po?^;0h#<@PD#bWy^NeoH z$imBSQ5lLM);MHVV@JGmCRt_I^5QE%vn-dcC?R5L{Mf!SxPzH*FLp69QcF|U*a1hW zwM|+lA)A$-T`I8JIf?%2q6$Nn*@6~qG^`}i1BZtbqUt<_fD1db+pOua&Kgy+2;S`+MfCGv+Xteh=7{+Rddl9w)tsgNV) zSU*R|%HSL1!r5UI##l^hbnumyh3CC7hXIBH&yFWy=9&U?*YVsP>Ch6t2f~?|VG+#P z%Zg&i@QKgVaNg;N+G9wv_D%1tPT)Wd379n;f zm3d&f=EJLlSrV6p=m`-mH8!FKU#}Ncm>^>OtaK3B14mbaNiH#6Ce}PDJ0wxab!%B~ z_%w`t6W&Hf>LqTsG&)o^U7DToLJKW=FX1*&nF2gK2B5b}4IqjV#0xL{J~70bM1!08 z;y<7#Ctn7EYvPt&mUOqaKj+`~@BS^PS+8S@L?O zhkgAqa@le*^W3toq|y%si`eZpij;fxBy820+V@hTVO!j?7AqxGSh``ad+C#-R|4tN zofowPuuY5M6T&S$+Afqb6&KcK{rTQ3T=FjWXdziZ2^8ow{Yd82Qh>>CNV zT68-jrAl45uA9`u6W=;-^5%Np( zr_9#j8*rBrn8JEmRWM180B$JbwUQFJ&ipH*tS^ci?rO~EPAB@JM7`{|Skj{?nx!h9 z(*CuFS}2h4`#?BH{xYb)yz9R^;a)|+{YoF<{D=Rqnw^XG8e1rd?fkjb5@6}$Qy`3$0lpA!$$Q<$3^UwlmK zq$s+-IPe-1^r%&F^rk5BoP^`j_=mbC7@}h~dm;MBxYN%6W%OA;uz0cPMn`I_i*%ln zAXPPSm8XM`<)wt#mm5bky8x7k_5i}!C&LRIv)Uu*GMy7jh zJi!MoAt}xC3j9umIyqultR_l*iH2a$_vBU9s$=Uq+Z1W$)qN-cloYOXI34^D^`gG{*VCvJ3Wtv}(FO1uZ zLt2P{CaAgpX7QERV@L3PQ@(TcAlDj$QarI+*C|77bD$2Cf*?mKW=J2 z-QV}mn*yr+zI7l1HUm4~Aytvk2Yg&?@mwu)Ob=+i;z-NL1!x^x{ID29fiT%>><9l$ z|7ah|#PGHG2z0C3Za_U5C-p;kOF4(#esV0{jx24jZh6_S2M4#NE{JrLn~kiOl!Z-HC(vlm zl1lkG`>GQpa?|tLRoO;fiil{&fSG0J66Jtn-4hpzrf{LMGU*L&!Gkb3+z-Sj$Jz3Ft zRpZ4v5Zb>sEw<^7mcXihBqoe3m|jGaBY_By8R26oxsoH}xa!xg%!B`UI2QsvGQ1>| zUR;wCK9ec+A#3{Nx(gLQ__`3k#(hA?f&S?STCYYu!Al0AWX~>1w0JgYzXSi0 zq7EP1BYt2|i;o?7e93rI!Ey0T&!J{gIcB|B62ik)y|K`whTDw{Vt*DQNGQ2slm>JF zX2BU1Q%9lH*GOnqGt`o-1`~WB-$zVJ!0#L{#7E4;&n*G#Q9*SMX{}woaqHL1Y)UM+ z8VL@?@rsZoHFfhi80ESvdp?0xjQy?$K0yPrMOuaV)z2P_=t%7Clu#?RGrlk`$D2e`(=)LjD{R`$x<1eBgc%OG=(a?iE-}j`Z+3C2|VX-#Z zP~lb=Zbb1j80{UYkWRJ+;a1)e~)ATz{BZf&UfA zQ!*iN+gWb`rs3pP#X*@q)1(i$`*#%EGUKuMclX2%?gU{6J6rCDUm(nI-Dw2)>j0h0 zzMNTBH$SBj6@tq=M*^LtO;W3yr!_;mFK?Kh-pLpP{ZZ`@-|Hs=Hp76u+=j@*29=rdBhL ztxUX0voog}k%;eTiv9D1|5pjHB2M1q)-JtV;urbz<@HU_zO`zB)*z#+S1;(SFoxb+ zX$H|j9`M**Wr2nX63tUN7#u5)c(G_5hLU@>JOOlszAh%{<@kZV~*)Smo=92efA+tUy3-_zT^atZGHHfP@u4QhXJtqxyzj^!QLWg+g8{&8}Xeh>&8*HPcj z6ubVS*sO?FUILqbEk#{mOcyq$Pjd-cY7%yr zssrPL3#3&*KqGi)vICMS-Kffh@6TV`O>__+>%9pc(U_<^b2b+yYxQjF6P>LnrwN0#S`yU=ld{CuxrWV zau}Ey|Jcv9If6Q2X(1K5)yi70gnI>n6TUEo1&i6^IoBdpM3(~6K|uUr4t&E?U3uAt zvup$;X(Mcb?Z{#Gu!ub>SZV#H^6+yy!(!jui<@x|UmDM*``oqEkY;H_x(K*XVHY5j z7Da)yoq%$X8xONE?aCxqy3h)5E<>6)7QtcE1GXwT!BSYrMj zg$lcj0KWIYZeL&M#^=dT=ub}mG0_+v5~w-X?1MUQcl4apXnEeNkx|0ceiY1`@-0SR zl`_P-H_{oPUe|~g7X7bx{^u3AULe_p+N!zm7_t5Axv&V*c&E>NCd&k?nWvngYX&BD zYstOJ#$56I*{#u6L^v{>yCpwyHPf%yR}>z zkYn*W87@pJNeqI?1Sv`r7PlMEnJwG7Giq@p@i5Zy=iNk#D$3BV_VpJFxfiaUd-vph zLieCu0$&{$eks`y6om|2hv423?)XC=4c}M(Fh^RjX3X?J0M&ctbLoEA9(G+W$$+ZB%Cm#28nY*-9~%&n-yJ26^zDH`#f(cIWG9Cjrexi7w2j%>Ub z82~ubMUEa%s|X@r5d;e_?PWFAO!R};c^}C(hgIGUcWk`U0oAUGImNB;owue35u4-- z*}Aqaw&vzQWsv_V537cGZ2knaLjXBCME>a993E^(=jX$fyx24R?y0(tUZm@!_}Pj4 z{FMK=mt-<7nr)tgIwqc|%YWVp;H3oRJ>|kB)au-Zqh%}YE&>=MRe#O{G@x8A#Cl_C zj(#??{M(EC$GJ3**hiaSa}_Vn zRe#N@jf;W98HE%#FyJ5$2#{eCw8o)rDJuj(3T{0_pI-alUX_i#}0&eKlJaqk<& z)RL=rGiMR29;cX6*DQ_lcH{LfT6ez)LF48CYac-$D%$0?X!;%ZSoy*y7*-d!JIw~& zuo4nwfi2=ClNd>Xx3_94z*;uQ`p0+Wl-OOz+LKVcW%H?r*{j)e%&+9oJkMqY&N-c5 zyr?C^uXpifFbC!RzV&mFA($^t(F+&Hp2&0rQomz=KwY=ezpC&&J|{p#GpWke&+m^-8%PLhFzpLLoTvEL97 ztS!gj3$A#BgW@s9A53~;4i}m-3aOdee4!2+93J)y4?jwxjiVEVTx=zc?Kfx*VLBIG zG@}#CnQe*(%5%b@gc!lXP-j!$paODWEScO=%T+WvXeRTUJ0-piz(W_%-k$p9eRiy$ zp*J})4)Np$u9y`CPDZcMD3q=Yo_pabzmdX+L5T&_;b?jzQhQFL*4{ch39ZgX%{THU ze!V34JQ}qDK|q&VpU%92R0J9r$lGcgcagx1PxTSI7MIXS4WhZPl2U{_A5ukeR^s*h>? zUH;pf{==XA{xjYmPMw!a=-)Atm0KhT{753ZjOTeoj z;W{p|H)yrqCCWY$mj{whkc5P z_0}495$}6wN}=sj?-GFHm4$M)Pd6S;hER=+Sf-Gu#67(qjudKmjiGGM{74RxHm7~G z(qtyD#{SF9x#ZTGg2|Pgu!ZETeAmTp^Cg!v620k@*(yn`zbg4Xvs%L6jJ8dV4%zqN zz|p!k&md`lp_h8-vZV+}P2ZdAI?c)j5`KREk;zF5EPr0!$XZ@^NU6EG^&a2rP#3;{P{WhmuMF(0RAhPVBw>WZ&)UP+DU#`M18;^7^C4n_oN(p;5V1ZR8$fkN4~J z2^JT3xW;U^>K@awz@=FJGBcmKq>r1x+}_Dr4{^VlN1d?77c4a-SCEtV?PXC;qV1hG zY#kBH4h}YX3sESe7i!VIDc?C4J{R89S$$n>axYzV&G&(taih*fJIf(tyCT^B7ytV@ z>IqUn>phe8LqE4pH1vs4;Vif8Qq#aZ%Hf$hFiuUMdia61**w3hBi$j)TbmR}EAk6R z0;xPkf&`6$*_VWC4tWQFd%e~dMBWs4<2(85v3?ve;p8d*=dcQbg7ntI_zo+ za4@1%S+kKrlMA7$IL!#14|a&l62vT}+_^|O*Lyq<)GmqJdJr`@Sk@n=^*Su{jkopx zFQJ!C|JQ(|i>sw}wLJzzMxc?t^Dmtj{O5>-s!{PCm0g{q6jvvGgX#_1XZkH2A^hmh z_fSG1#O-&L7qpvhNnW1i6WBM*-~k;SIra)EPv{Lw6;q_neq#Zt! z1FS;G-uW}sP?||j^4H9Rfp>j_go1?JQzmarh0PUm?u0*X?J@-3-l_+5 zmOsTPkR=7W2kaTrS#(Ti-5P;NZ{#Ywsb4x-h~RL|OSrPA2`7|i-Nf_Neq4!q{ODV8 zLyNXp%DEJ|nB_QHa;}6$gISc`Xkp|M5A1|QsMq|?4KU#qHwv3eR%t(EkgJEW(+n^S zW~(QAm&i^7bWVgQJx2VVDv5UExH=(?`J(K9XaNuaWecF`Ye6neD!q2FCpr-FxoSj~ z0)FKO%J$v&ewFEf{v*Z2zn#g?3E>YzI~4d~TGMb#<2OH>)@>D1AXA)ZG!Oo9Mzr^o zCpnk=oWb!%AOwR<1-sVC9N%p3mFie(b&IbD;;;Z_E>7B1qRbQV6-^G<2D!@~E?f>V zssVF#H7a?%1jJSv6mg|klsKbi>fw@$*Ic=*rpCvx+q)C#k=1L|tK7%daK5ei#tUIP zexQv&F|(p@AEny2Eb94?Y*y9f6L&|ZM3Z3zhh2+s3;BH2`THsARIah?*EZ!|N;KyL zS7uD&pLuKhhzntXHplg@!e??g|86^zCu-pR5R<%>D|RGPW;W;YQfcVO?eCK8W+>k~ z%e?yUnc9E(YQ_7<`+@H$1o8h2f9=Rz3)O#cR1uA4DCWwn7otP@CBCnF(4lPl*55X6 zZudbGB%JzWfsunkR!n)JS!q&Wn5kBI7k}$LYg>aw6Zf35P^MxHbTQ@q+I(iL4tKSg zp>YUy<+4)JGGAUV^X>x-&P=c1_N)?*UPHmT$w=<$WJZp?D{37O|aLC+U0T} z$NqWi9N?mI~< zB{IA9ei1!L<%Oi>hUCM5W@v?$J-I8fWJKzH$)B^j;>Mc{(>#nk`g3*Rzwj#(w67Si zie#dfMys$gw@JAA{9f6Kiv{#&eB#cIKsVih+pZCl4;RvFYz?$j?S;pNJ0ZAsFB+r) zItD6Ipxo>4IL_p<$BJJlc^UnqwT-55PKC4nW;cF6>?X)S@t;G|;msd*!vQxm*8SOT zs;J37Mn-Nfy#hG{(i?S@bh5ljjhu8Lj~0GiT~HD%Vl%cWOrt;WE4R&Jw7cG$B`!12 zXvl^72F72*Cr79ni)m(mE*wF*mJC`1@7E;r6;yD2JJK;?vV)J*k_ zq8>d0Or`(DREJl%{30 zO-^p7pH&j)a)xJABT2hO*nK4usqJr;En_nTdS5s)(>QnbKKqQ0Q^M>xnRy~5;eo^8>Q9uppz-39P{-p`Rnmw(f9gs1EZSC zAi6km^QJkzx2yeU{MLZpwI)Q`yb-pG9lfkX#Z2fkWa?KHwJ&zp?*b@U&G9Q5^wP$2 z80X>EV2>IOAlOMe+Alm%o1UKN0A{=A;Xh_{?74q)CGW0g{fE8${38ApzE@IzxRUB+ zU--^v4;?$Zukg8fj&YZt&xiUY{OOq*`1DbR_qEXoy>=Je;UF5 zK){*K2*MU$=L_u$Hy;+5bhdV+yLYtfHB?+{PG_pMz72?Qo+aZdh85GAWvUoc^pRtuVV zdduvj)2@@l>MQbuPyk=-gcSp{M4Y>vAn>mabncJ!!i6^HmRMRxU&mPubUIz`{HZRf zdGEe}hn?s0Sk2NWNv9!*FderepSJG&2C(NdFI z)i~NLG2Td{5BUn;pR)TbQ~gZb1#|hRDbuOAv{b8dJ)~^Rj9UrYV%Ze?XNUWKatL>y z3otHK(_KC_1M=@`iFseg@^GcU9yE7B$5|1RsWim&+V{$w35Ex08|E#P5<7QKsCTnN z4z4emg9~MWEs-1hTv=U=Lq~Ab{5DwvXnx5y3u#H)=OVR-pMjgdM58cY4*K%_FF5d5 z&@=GSHbZ|vETXSqC`N&-Qfun6b zOfLJ8DIEn#{oQ8&GgTr{3I6d~#X&Qgnwn$$wUtw%+8)PF7T-{SGWW{H*w>(lR{&mj z8VpDNt}pVhz?$gkY3H%O1{?VYSY@3RV&_!^mR7DVI}+{YXv=9wEzup+zlgQtSHF=;P zC?Fpu$I?$y(&oPF`Gs;eI#BdUZ_5t-XaM*78*ye)BTms=F$-MKnE`qw_Bop2k=O!t zZ?QbsF5cvWY9aI2*FNQ#tQyx1JV5VC(cW-@HydV}syfK9&&uBZurKqY+O44Vn!*4{ zl$H4NpA)1121Wu$aGMi&zSRryo~?{%s2hLfW>j1*K>P7x6QnvrO*gTQsx@pxqKeyc zESMf03PkX#X8;b;u0wMTp!HeNgTQ)U@`lO)nV2G|x_SgKu+Xl>UQ?v0v4ZyhUKrT+ zQxmiLs#g#F4s=)gEeU%(*Ec!gpxI0QQlL2JCsvQ$Z`g#*FwRCC(NhytrFbmxjouIa z`n6q`vZ?=r)&GirZI=^Vj&Tm!HOytk20&msz537Ld0tmyZ7KMM->9aqJ87cj6)G8} zWwY%IZ$Fjr^12s?o;&B`>czuBWV$hGT2;V&@%nu&_The3n7nJtcOb;~Ht zFj`w&Au1K}VQoIJK+)eF=sjx+!nayu4$oHQF_TIuaROEKYrukm>aS|^5!2ru;oshA z0Vz2)>L6U9Zo+*})pBj9%#w(QSk%G~O6h}HO6shpgFFvLYdOkbP?tz);tsbcyyX(h zo#a~h%T9iaB4s+Xr#K!tNrD*B+IP=l4pg`HP)&vv55Vkkmin(SUr|U@p zoTmt)tm7gIVM#58PwtKv@6^&ZbeXW4u-x!#^mxga_ss}%)Ct=z@vb@LKH5Qw7R6aP zFN-rAZIsnYy-mPbp{0LR%T^Od$)^I^_@@3+mm!a3GT6gYSkWs z%_>e40vTh}wXk}VhzJN`6-tS@d;YJ}`oY4fRT>)xL>tP+re-MpZ!b4C`M$ez{tY>M zxY$$dK=eM|-`IzPk}X9@XeS0Eg?|cL5a-AcTTE?*mD@>6*wP7d0G`E8UfM=@xArnJ z*f~$t;Uy^XJ$228AH;q_-;V)1f?Zz8kU(wo8gErG*TbtUp#?V=M@V)fz{z*s+?KA6 zjS22L$1L&-JEx$k-Eb?1w2+_YD*^ozE<=baao13Q!`^jtXHi01{^&V;$%P#tb-`_K z-jkU9ES9J0It&U~o7df>1Xzul$1GT(#l;J%hk#}VDT#_d;F$(r@|Inl{p&yeALa;r z+UtiOdqG;YSvDa`+gwxF$v!eQ^}6=BTk~S*G9Urr) zw|9J@T|NFO#N0TaP-0os-m)EVowQ11Wa?T%tWxmm;G0p`^?YMKl+hgti{azp09Uw0cEtjtgNw?8vK(m&$4egKiMsx2up0t`eyE3wXgcM zI7$t0ig{Ug>7)ehIZke<>{6L>FPR~)2lqQW{c)kkj6y(9QQQKvKeDBh!M$Y!C;NUSW*nztl=Y@va%AYRK5tMQIks}X&qw)(ZN3|!$ zOTu^f@=(Nd90NKXdU5UfTSj^Iy5u)rI#t;G$M2{eEp-IhB`iZ@SWS{L%71AJCU+m! zq~;VL({^>0$F(cT^%-UgNF2s%BPlt|_!K2v^C(zs#*;7|TNy7QY{bG@q{*}k9GmT1 z>&`iowpSAwq(ELOq#lo?9r4O5GxS35 z)#cUX04lwr`z;G{*VwuKFzN@$T2eSvHsl$gYM42K1mn_M-`~u%{S1N6eF+Ixyqyv= z36^ple$M7P_7Sbw9N&@t6I*{NGO+pYY<)kA(bW<|+f~kbreuGJD#r~#O$Y6|fJ`jJ z3~~=OL?14+B8hYsnC2cG4Oq#JCSq~WwGF8%w7^9zErU1iT~Cd;DY)k~_5KJn>+q}M z4<(}S-amXunwulbi~o_W|79sa3h?fS4=MlX*^0}gX+7C%ir7yVL`(_P>|~lAUF4nt zTzO|{V=$~(6Y^s0#I`pwc6Ie>p!s4Nw;e;hV2NaV+C9RGU zEDKH!FXBJ2+?$dqX#|(HtmTYJJ57gyJ0co$=x>a+$`Z!xaqHC{HGEl|d7DK?&{BUi zu^JtE=ox)Z<%$Y%Y~wyH~S?T%69!a(Ps zNLlC^4+J57e~eAWGQOd#S*f(Jgh(ozpQ}K1Qvca;S>I{mV1K$-kqxdf(ENuy=WhpK zOA5?1#T=uY!;93FzG=q7myeS=LZW?QWP&xHJGgKQbQ;r7;rs0HyI zP1XIbE0t>zkafBn9f5-H5^?;I1)=E-jE~tF<+NOGW+M3(*GAsFC!;l~({_CcmDMSwl>N4aJKr;C7=?>@*u9 z0AmBz`e9$~A;$9If}b&Ny?vwbm%8w#AhUvpDFTq1^Jxm=%T&HF_iWm9v$#RWdcGo;B*ET$svu@3A7G4B#2++*iHLTZ}$$ZS?< z_tSM&ia9I-nqdh1<1}Ep=QmQm0>5M3L)I6U0yPB~n;z1(n04(@n#?vW7GheN-Wo`x zq@I5#C_=jtIz!JzpO+g87CnYzY`*}hDor>P$1B$G`>b1)ZfmbFG>)Ui*lwb1)d>77- zZ62~%7a1!i82o>vy>(QSdlxpW2ny2OEhRCcbV|cPKpIJ5M7p~bq+@85l$Oq+OS+q( zyE~)?2Ka6~&-0vf);jO|{_(BFTC-pcEav{j-uv3ub?xi@`fA`;exSSryeaEc4ox%> zt%JgcNP-u8ulC2%ZnLZoa_78OEd*!zMfuy5&=9`dJUr7kK6e!<_A{jCyNkNu=9{w; z%liE)mg3bqU|ek4-HB!}f_WWq5n-^rm^ZP>%lI3nfX#dlcG>}h8tzOE*_H~~>Rx!W zsqJB9vGu-2R%@~DXn8EDY^f~%h5#2|M@$Upl;KN>*6Xyiwn(A~wjd+_yx9=lb4Y2N zbph3E@i#B-^(Q-QB)=NEUa0SD#QqiV7tenb;Q1qH`Q(FKrB1ijAlOYuky%|bbUyGA zd8SnSvSAiRc(6Z6Aec`nui0FkZK971f!m={qFZ>+^v8{%=p_!YD|GFJl$d`AUx{6V zaF{5sBtQD%-~M)NV+(hC%+6fCYo^k3`ytT-W0wZrCtKBZw8jiK~QsB5^N{nsU8 zgsi6}_>m$$0YBmUzr3j70q?F@8%1@stnM4>njISwvMAEFGTVg}m{da=GEpDeoO*%x zVpWHj&yX8ld0cP?8E>X|R8hi$C3OCXKS6c9h-g}LPjSwH&X}XuuVtYBfzkSzz@o6s zeS@>coooN20xxvrV$Lv-+Adc3u2r5vWQ8Z`Q-XZc1!I$q)y2XPme70A**XOa!P;vU z=lM?smO$!KfevaKx2ABe5I(zXgPpBWoxkHVv~48^7fFYcb)28vUQak- zVo}3K=(lj)qt3p96BOJxMsbrGWXXsd5h~PhLx~cBVfol63$aFEFq>j5jJ3)r-9+zs zo&tC;jF2g%fN|x8bfuy$2W*`Uxgh_CE1{%N$He2&TGS6_`aGYhL|X`LccAe1y+M}K z@NWey&E{Y%7Dabovqr6$sUw**uPDFgJKF$%=8~>oUFSS`N?-(AR1%uaG|y6Hw6h@# z29d*Hc1Zf|!#;dSZc^_J;ls~LlFr}%KUb3vDNY=CH(MZglirWnhF`5En$qwa~^RM&PQ16_k$f6(mh6{|?+c^kH9Ibi!;Y(~=>$G8s6#zAa> zXW7Tgem>rv1ut`nbUWwur}SxBE{E24jFv3*V+mzt0@6J4&K_5fLyz}b&8fmC&79k# ze1nWj>(LP5$~kk3g4)wjSca5Cy-&a2`G!SFyUa=xqPGB6Hiiq^&%)oI*)6WNs{9F!$tHk{{MRt!q;PH-D#S!C<*@Q zz#tbht2MRo_D;|QZo=2zA#FGazZ1~GJ^0yy+s%uF-WSLSU#RYK_;a)VXV3oY%MU)_ z-6lQ8xJOg_F-pQ#fbX2q$5j@0!uJQ2+rS~BcZe|_ zizZ_Vr8E(Gp@@sZBdrBRI}w)yU5myuES~+`w7q=Rt0(322haPiPK6f(7DYxQgmXeu z?6gb57M}dIp^p|NXmE~Z0`-)z*spOb=|+FD7_oWddeYU%*@j*|LaTRG9PJCNmAnON zx{tyN4bLo(Vq>Y(xJ13ROSms-+Qqtu_|CwCRI&Kf;oF3Odte1o%1V%n6tF;)hK=?w zWro~OgY3(QXmcD-f&+SQX=K&?NoIbmWTTkJObx#p;?TYg$wcoC$VP8tZZ{OZax5g- zdZ0us?=2ShuFD;P<35q?TKDO6v?tBAH!UK&4?sdgGDE+10&1b{QAF?O@EkATz|J3G z$InU}t^ilAo8<3f3(+}$``4%ZKiC01?c zBu!P*cIn_RMA(69FFge>TONh1UEW+Q7Inm1?LkC8N*PfhH%@5iK!dPjERm?{bWg(F zmV981n?m+WW{vJM$6b^PKbX5xY@>zGFJtTwj(qH;-Z$=c{SelYCfH*P3Igi1*>Yot z+4nbRVKOrj)OYSJwk-8Nr+TpWZI~}_MgH2&pYMo}5V?UJL^@$I!``GbhyL|}^3Qy~ z@hRKJnD$3GhAFyRt|;D+cCK*XVjEKWLM~;=SRaezDIyrwKTv`@qD6ify;*6oqXXhy zj1LLXvPBfS=z13irA0T>Po`O7a`*i}PDH^TLW~eaw8QXCaWVrt$0Usz1|d`Q*QbOy z8@H66aqyehnuVUGTp1s+%Z$H>S;H^HDEi&r+w_?4}yb zLXYaY%R9x4GfY&Cy^!=aBw?DhBm$b=W?f~s+9}gY9kE+dU3|7@SH9mgTg*_r3(HIp zK3bA6J}Bv7Op-BL%%xUhJ8_-u-ALlGO611=((K#(v^CTEusUFQO*mL_wV+Xv-Q#we zDLX>=dQ-W=?=g0GE+V~985}J8vf&8vi;lLW8!7Ft45P&d>vOBjup%0HnsSX>kb`af z63b5|U-@<|3OYWeEudBC_SP8HSR3?`g69kOQ6x@yFoW0=6S>`Egot4LE zrJynEEVE5>x9tV}%7U)YH{nQvWjm#->U)y1 zrk;$kik2OTC4|@ygEP&jwu5>n+g0DVd;Ux!;TA6tG#N}*{)|E%zyTcNNDwkn zJhs9K)Bv*je@&}?KajU>$hVI_Kynw_gg;wYFVH#iB|2QA8bVec@FZdC4(0h)5j z*$SN*$AZd^j5lE6m!Jn<&(xO`faQ62Uebp!kUJD*Gl~2u8St|0SrWILU=rLl-ER8I zDsnr;h26GQa>H3t8TmawgXDRt_%s0>xxWeiV5RbzB{KC!UKZytz5#z}k79{X-H%H- zl0GIqKfSAQYP~Azrtu$$kYIg_GK;&&2Mk+;N=>~{JKTy^d5TO+?4&DVE#!H~3xY@y zuf1`OfM?;CDP#Bld=`sg_s_znsji9l@6UpW4XKCT)Fhyv&QB~Kza&J2Aw1YtLmL9J z7;k-1JgKYu%&t(S@#MV(K;!$FIUy zQ~0pDGY#iIAl8KFI1N|l^}`2ECY6*fZ-@o+cF_p+HA%ZrqB38e)!0mgiOQ9c`MPc&h&=2g%_J~9{SjHA4;7qhQm9?GXJG$I#Qx5{Vpnh%XG0* z``3~Dz5S?>deB@|#p4&zUj=VUmOSo~{leXegZVX7=}X$i%10FSHO8MZt&F#LkR)SD zZ`)X{&~Pe44A397-*Vya+O+oo|1QiSTiKHU91SyX++!&EP2pdm(=LGv?Kh-t z`%A~{x9M_k(Zxt`POvg@a^)~e?vB--XCP+qMM8SC2lD98;vhQ=OwOlaQZ3}9oxd+Q z8Dyfy@%qX7!r~JWGkJtOO<-{i20EIRk}D zB}h7eyWW1$WS54io^djfWJK?{D(NEWE4UKMM|lu5*8k4z?YC^VvlRTGZxxTk9F9AP zD#$)N@;5Uic$j%ls?D!zCU`J(Y_HrVOh=~kz6&Kvn$^p+R#FftrU5nqG$H;>X^jJv z+svD#`NMqGAMOI4a6Tyb=TiJx^tt@GQZ5-=_5Zw69(+D(bi5w+!kxj$Ne^awqKP_) z>%b>D8fZwc5mcji!VmzvXZ{N@;BE#b;2pJcg}`3QfwSOeQUcCs0w+K);&GoQcti;` zH8?@b4+DW$X!9vW9oy3rQZCID@+hg-H3z@8nh<@?SbTEM5&Fae#q|Vi z2g}pK5s|N~N+g|M`z-=AE=rnj>u%DX1-^|8r9ZNfcrWH-I(k>mYI%gotMRn+W@aC( zsp~AK8^g-Ea{6irtG)5b-Vb_6sjA1>54GD60ZR*^;#biZRWwbx=V+IJl|K?J+a83h~{e}n+0&MI8?q)mmO68MS;R8+$!B1B4B}}_3a&N9nr46`-XX8rtuI^brV9|vi)1s z33l3Q!}8}H6MeJ3{jQ|QKEibq#QXmoD}@Ig=ffzLg>1`)k2P4m9W zlZ6|2!{aE&n^ec=UzmQkYEWLKJI}U&RT64y(eC7nhb(Buj;$eR@203smFQb;hEj47f-C~%ZWK5>4!*LucF+{$QK}( z>=P2k7Rg6hW7CdXFY7r)1uvNYr3^vT<7f@1G2GP;|C;|Rhr7p&vQWRYRbyfPQj$m_ zB%{cTecz=;!C0es6tjgJ-VvCQ0CBuzVH9F;mDRo%60H3e67V0(pM@x305s~>WayL{ zXcrI?WM5TcorK)QU9FU8x4uvn6agkEawCWq-SksJ1)W^?78#zkOAoY##y zNDCa{&G^DSuudxgH>5j<`xGyn(2rtV5%Pnn8J5{c#rmYt=&jCzBw9Y%+t+yaf`(Dd z9;PHf&;Uh!=4iy7!G!g|_Tg4p0s%RtNHhW0x_U{C*&r9k>)bK|9k=Z~{yWP4PO`wRAMV2nhf484H`KgZe{rCJL7~xU-dJV|zOmk7ttb z7pkyD5#8~6&ZHLOrJwi9uB~BZZM0IJeTi&A6l-Zf-Hcgd9T`q3xFB+Mx%&EuxwO;p zFv+q!%1IRd3`o;6JU~SogECZBs=1047mSJ+Sr`?-5Tr4UcW&!jA|H-gUKp@eoaUza zRHaMUlm}9|jW=EGSggj@@f7Jy!>qJ*W`$iqQNzm0x?Ms?qV;xD1NWHQ3;^E@*|p*N zMBCKw!vN6r;tl0GW@n(sa-K;lG(q2cf>F_PaR*iePO@x>g3h|w%sM9(g|aEh@x;|8 zpsGw;909mq;U-IN2f}5Zv(>uMsz&(N-mi1m7c`BEjhC>}p8>Fnt{zwhd_&57eC^i| z)9fQ`kq`H+H?3b)MNL=cRZcCe23z zTd2!0J#{xRiG?wF7H2!87=FQcp$|D=npWUlG?!>?oX+UjaGw0J;=`!+@ow9x&SBh^ zTxd<&W8>SV3AM@?577(m(lVre4zF^En}};i-tJ@4eU}0 z!5J(;OU+TDu*tW^wsICd>#6WX3CNV!g(yzR_4pB07j)r=99S@0ruy=$Nl4+A1*ph) zZNGX7`sm4YD5#NO5rn<#_~UGUOt4~8Q=gK&1g*yNctW#kaK=I>CbC+u#X2FyrT|Y* z6GHmWI~TYRTN|7O1M6C+ns7?q1@G${7mxi3VypGmi>uy->a_XX5{0ivik?Mh{MT%M zurbbiq?*StdYS74OnMx?+HBm+i;woc!~34$+K9iAswfQ{w!p z8n}{W=O>`bTDD#Q9gnGqf0SwOTgV@e_oBtj3LwfetJ zb!Uik<`Yxi zjst3*Cc^@9K+z-qA8hXTor3*frM-ziML|bnhMBS8`V0U+m*X! zDn1`Mn$nDC8#Faj2XX5~@GmsMH)g|Z1g6Zo_N}^?c0;1bRj9*>B_n!NbEXUfUCLNK z+iFEymj1kQ-W`yzD&n4G>(Q00?)k{RSG{=Yky9gdeG1m7R!lMd%Kr;nFbmA&alP*n zD)?Aovke>SFa%HfN%*M!MEOX^*auho4dD@Td7PvPJqQ0a#Wu*q_;Fn>gOSmjc>L_R+k%5Yn}!4CP* zLl^MkofmW>?21-9PV%+iGiR0RXwG+b9fbQ$9*33gpR=@5)lT(4e|5DDY@^#Q$ojgA zf;T0+94jxZQui#)lCr(O@qB)<>H6T>G6sN-pTp`VG@@kVAvd{`!CjmX3MZ4YU+yQ)5`$uyUdvP5z&jG5Q@u}-wmmP|+c4ayZ*TexglNqn_LD zMQxg8Kq0RjF-}chHo_v}u)@q#OOlIVcD!8e(k{}(*!E+2>JG!9Khvagoce(qB{G34 z0bNe3z-h?OXbsA4W&XpTRc1%#7>Q6YoO_EVVH?TcuyVwrZ6`ZMl(QRBn(Emu$)uyL z`Bo-ruf1cC#X);WAghup=>$J8Iq2l22BMPcGzi8lvTOb&exr-A-iWh=RD0jHuH(lj zRTAOe?;Pt9(!{bvj4semgnk@Ibl%u*v@9s9D&_YXEF-t6>o};rXbNhbHc7DtKun4* z1atTUTk*+*^X^Q@G?_)Ab;3pSly;S+wSgzx_}Rjo<1Z__8>{L$5+(OOWLD!+8v9d$ z{WtY4r#HvQ#S4ZIohnPiW~DT$9{k%s!WW^68S$(WtbdC{QVNt3{4MY}S zB)4fIRC@PpBSO&9X3c%2C%3I9nAf;lA3o)C?j&&agT5`##bfsLHCw}JIV*j7a3XCC zw;6?E%cu6~S5Sn|cfXPe@h50fe*9vhjjU(RqxhDSzFVpYY| zr<(S$sg89vpVy_3Dq>%s&mOL@1PL9~19!uocGYwpbid+4-|n#BF`eeV?V>$ouXOC- z*xPc#TwYM10ehlAXHws1bwHLc<>*}SxY4+E7rcs=O*oJ;bX}9d@8D(AZBnG$Y&pmO z?JQ_8@Lk16h5db(1?X~{3>kkdb>M=nm#0-J7Vbj`=j7d#?Q`9VqnXu8X?;ILTUGht ze$@Nwv-9JNPNzr3A-U~%2CXa}n<+lZo}!f0vfcve#g&WUwM)>&hk@##AkC^ONU4+A-3wEMJgt9l3BvE9C~ZA8I?mGr<^Wir^0A<`2sPo-_rVU78N=O+Poj@X4A_ zk!I>JZo5$}m!~gF40*y^y*q}-G?>TDnpD1)P>~JM>q2cCq+f2hGHgJf>ZG(bId7Sr ziAz*lo9+fy>Azff5k^i>)tR2l{oGPPTxoTdGqt1I%(O^i7f1H-^0oMHsF(=}$qUtq_`IWS5gI?!_Ke7Jvl|GO5R1awAc}#tpN;|B!k5k#_oZsu! z6<~Zw#5H4D@dFzY-M>YOvs>O*@|73?pobnPg)TxG*1jQV)KX%SNH z)h~+K?Z+2YvtJ%}QHQdjKdbVE&F z^P)VIE}z(&NtgTtCS<3UQM<~@F>$JKF-1&g&YDrBb25yq7t z#F?adh^WfDX4#fSy3BjobW%~}>h$YJuSCgE4;9uLZj~BwEVo0$gsHEUO2+s%&sn2E zkw;G}?`)rHiqV`Alo<#fU1`a$h9?nzxqA^=wjLs{EpL4AZTHE52c^|qrCXE$Gcyk9 z>h+UDi{_hiot(}SeGfBsJ*5L>Hjd9oXgr-FxkGL!4I3)oUM%nTJGt-VnW(6Wxz%oV zdFkr^j?a1)A%cgY+a8Z-0=l|BF3bWK@gZGJKv$V`Kd)t_-NTX#%bxYd6p}zH=MP~X z;*-|XwCGrTH4>F6_B*6fmRIw!x3?X%#0{;hD_|`9?AF7^%X-sa>|jyrxy!J3hxAF@ zi{9hUsBb1<%CHPNNL(K#EGL;nTt*MSbtg_UK;7UQr(yHwsh%TumuV)I;9ZXl_QpmJO${uzO?NEuyXW#d3w}-6xZwuKAj>)Q@EW* zyxN!|WWoqV<3ScR(mojdS=4E)evkN9EAC*wDdJl#EMrbbpX zIh{F36taZ6ox`?km*z-zYQ=_gdBd#PtQk9T4zpG_z=Pr43V+}OcNcF-x63Kr;soaE znYa#bCFavE@_;5o)6;Nqi?>t1j7HJT$6hS3ap_wMf%CU`ttM{S+t3}6iLj9GVUb## zBO2|vXE&fmI&XN>7>5S|XM*&DDWd|b4ABoL-5Bao0G?iW1)%JXbLd&Ey+N{447f*+ z^+owQ=iI8R7y=MSnUGA%m9|(GgAbneKcPY@Zx~%+G|AENw9;{sDs4AoN}{Z;Km>WJ zGMXdH6W5p!q?s7&jHyDWpzXKfc|N^KO3@}~tU`Rc?;K@BTR+2!5w~)7h{^1#qrOFEn7@L~1WXtYwUWJ;}mG0tf9Axp;tB?Kt?HIYMgtkL= zcd9PW8E&lm2|==1Yg6BsJ5gSl4EBjS?Tmk|2U25VU8l28rh%_PBiE*Kk{WQ=!+%7B z|4<3uasrEI(nAQCwfuMY|B1Qgze4gyZt#1A{X@YtDey5bFpizk5CbAB>`4dUd1n%S zE|S>TdESP85M(7Z?`SMsaD$?$?KjCzzYAnE>|%UfX55n{@!(G~*gX*veeJn_$hn3s zYmd+@j*zqs7-1xYKIWBou-s~Y1jc}1q$Zr&c9w=3JQjTep7wp7*~WNF+Jq_)4C@Od ziFRbu%XatGP$ziA!zh02;~$VJ!miS^b==jdWx-`K25{g;p;O;jnY_s?*mpMq7(c~f zFLLp?du|cNkR-~>2q8C~$Vi<$T68Qj%9II8cTF6Np^h>j^W$zG(FR6kgJD=UIP`C8 zfRq0E7Uu^R1hab`w^AtJq?2}%_>nlIr9j=n%Hy~;_vQI0)n}JwshibI3%fPkwAn9R z9@fxxB3O=s#jLI0*{faFms&XdKj<5XXRfI|ai|M=!IEx;MtlRk2h_jbv&G1GG~FE} z5wh@KA!lfKI&S!HUO=(-;ewks{P1bH%Kv%+09uH>vaYnSkhW-<{$B9G96yiIT8f?f zO-q5*#k_O)s;(_11y$~hsL+N3bV37aSJLpEVEz2CiFf3D#^i46VoL&CDE6pkem#`x z)w^kr;O@A_$J?3D45;tQiyH8JN^aO+wbCmlS+*|5OHs#=D+Yx?41~8n-4xz25Z^Y^ zkfI=^ps2iw0+<#@KLe{gX1y{eooB7UPUgQZJ}TE*T{alxk$<^H9LsFX3rY!x4E5G& zM(`iBUusRwJI{7J#%##BT=~v_(_g`!{KaG%V#Yqg&sM?iNo{ZRs@%SuG2tQru51xwm$r_Azvn?A5>&ZXL_ zob!(71|SkK%oj`n>0cU9Y+IBWTO^5i1!Nz>m$?)LOBVf)%VrP)5Pcw?lXIPwLksT=L>GeS9LXbHF(D!0>r;;;0f zxGKqBF>CTEO>LQ7wy?B5xs8GiTNJxqmd4it`CBqRdLtR<2yI9>W{S~^oaLkqRj;+K zK>+|G4?&D+k;EEUl$lJ1V2MGR%@rmii2;X*pc9KC7^g{?&tS%P{wK`3Ka2<3em28NA!1H=M}Qj0ew6jND& zDS2MFyy2gf66Kw@k2(U+O2v2miI=;F>+g>t6%c-@6W7FBEdJ9i45hWRpdma1_`n6s z4v#w|E@u6Dl*pkGvyQu9Ihn7BI3})Z*Xeg zumzds0P_OV;%Vc&NTsmcXnUo?8I5Jnl#+9niKUz3otb4>s_o#cNPcxcIC2 z@HdiMoD2Z8#p}ZJz5M@C>b!Q6q(PY6o~IXs#D5zzWXN#^N<5>A0w!cH7jVYH`EukLo`jeEhpFgUSo7gkrQY=JpSIi3WDDX|581^+A1QZ3(1_2Epm=7yzu9H3mERt#mbyf_2^!_S0t z%W;w~-+Er$TG7gDj$7G1~KIf+dIi+s-e+s5IQ>_V5CYX_wl6<_s5Dsa0V@gL z+Ln>wP13dL%JS6e`^Cztk|I$(69{@A=B;$X zeWM@MMoMX}4Tox;yqhI-)+m(SToBNAw#H2-NVV)bx)OUFXD3+w7nW@2^SVm4X|tg= zyYG~QlX|%Xi{zDqa|h2)Six3ljk7Zon)>mHFIQLVohxLhy&6y-f+lYgTvF_5mw>Xv z4H_%eg3kvuM!x|~3x{LLx}zZ7B;o5JQ*$y!6>_g3%5SQ@y&n5SsJ4JpcX`*oJrv^QEVh4sY8df5igjUJgI{l+?}VbHb< zSpDcJ{63C*^TUAt5Dh-U5v@e6d%W}dR|V>ii7b`J<|vU&6D83*--45foFxApii zmHSZ>ozwpTaXzWL|EYvmi&2cDAoMKU@A*>$*I?Cl zGCpZ81TG@mge?`%i!3yGg^e?Zg~J=w4jRBIZi(p56>5*la(66L<(LT4hksy#tgOh; zTc2y~`m%JsZ#;R$7_o!hW(qFW+KQ}J2vwOH(Jc-qIYv)(6!q?qzZT+NUyVLFcq?xOvot1GCtJ9sQ{iG#$ zWJ6*f-wahmnpp%?X_yL$e%oZ2F`QNyw=K{r5TWgb;;UeE@Ww^vD z3ATG`dWYR>1&LXKN(rQgL%-YQVJ)F)gFO!Iy@A(zzj{#4U=}2^yEYB)K7M*F8{&Om zgJu}GV(3>^FMJH7J0H}G2)?Qq+SZXY7=4z!rgnrt2N79TZg1EPly$kV_Y{4#_TF?o z$;$-`zdvh52NCx9+DltQ(n@TB8tmeMPC%mtr2KVM98D+(_pT%{dfU>G*R_~Liv@h28Yi`&jkd@&i zb~5fu0)ROy-LAZ`9OM4l6%~Ehq1X!-2tqnbd`esRJxyGODLG*iJSSB>OB!&3I9Dx-&;`AcW}E{h#=4b;cH zk1k$a#|d3F2WCd>{QC)=gIZSy!7tk{-DrB9*&KC>Mr z$rT1)8nfJmabo^VwTekig-(cXYq)G9&CS;m!WV(GVp#-5&&}Mzz}xl zV0K94uofVKM}+n(i0jar&2e!#&S}lr){RKEu6`sSg(St0$8}=%hW9BHl7CD3rcqK_ zM1F-So@w)Tip*cX$d2R}QbypXuFyB2N)5xgbh1WbSC)vD=Er{q6{(i%B|mI*z)7!l zo4=!Y8%?ji19W_0=JK9XM=m5<_A$Kwp&d%b!}ffDT>_OwbJ*x-nW~?EIHLa!iR!i; zKzvsu!vm?jpUuE*N|k>Cvp|)fF~y{L-_|abvlfT!uPTWIpX**wC}xM$!sfr*{VZuF znl~tGe-|QrVNN`GP_?RrXKG9aMsjJIU|9q4zLOT14WRJ(p;Cq>8)ON>7h2 z@{Nl{)yK8pRE*E*`9Wx7HZoVT^NiDw>8}0hF^a?H;6UNn5-<%ie3D(LNh9C>8o;su zA%f6`A1bmkr%tPxK552UipzYA6^9+xHuJ(ST1LrCOEd`e;O=c-y&`~6*mq<%X#YXK zG|%HH>8ZrJP3C!e%tYGI+T%*f*Y`V4e0H=s71^A7ql=jeoclKmfOz45z|;cyltq(; zg574L)kc3aTKk&c6zX>PWH-<3Vc2teK=fkoW;2A0?RPY__LVp~!#+-O<)eaJGx>-n z3h3zlVhTh^;5_m<143l;qI-i~$2cgx;V!H7ki^@k7D#*l$G-Sq0;GloEZ;l(_2(+^MDgMBTTtO;~k_*A!+l!A3oj^MN0J3J?Dd z4A6kfLa;>1TFieTeWRkrJ=!wH-;O|k)=EjNq`>=$!?m}&y;G?1b4|MG+?%-%<}7GR zxl1Fv$U^Sc+SVVf%>ncbhF;`tx=R$niz;l@)(WFJjXX*u;OTa$3>ROOl3tb4JX=l3 zUlk0UTth{)0kIHU;g$tyVbZ{dvN>y09?=Hj%YVN!p7*WbC(DNrpzAtkshEEC7u?}_C>9^@B1L5;rO>4b_TYV72^R{9T)_bwKFAYZz3 zQ@wej4S#$aV;P&&ekVuUy_Ln@v35(Z>B?mja4I$T`?`-se+bgl?JdaWLR$FNc-_7` zm>1cgPy3y2305RiVrtP~SAnD$5eooRtR+M%6tG(Pdwe<`CHZl;Xma;Yvk&1sGi(l^ zkHF0EK4DRylCa-6S$OamUd-K*;vwW^jVO_%Q*fO!OJH=Hbh^QztqvxBFQd15;gUNVvZKPdMec&60O-45qj~AJ3&${ zF74m1`HtU+EOALM_dm}GIz7_oN6!F*7@BSu+b=Y$BfK1z0>kKZR21~?e6qWNkFkU8 z8e1Q0vREA@w402gxts?yDkS|UTGMz4m*poBU@X6jAb>#?!6gchp$w#>(GrNCr+v)pyiOSQt_T5e_5140> zt9kn(47>u&makNV;~Bt5Vi&i8}sH1ApZnEZNp_83PU$Te7>c)y3TWV_gSh&SsrJNNLli-g~Hd zkrhbfLambu)%<*~VrVv<607XjbxP7mn$vkL&rU@B%U|4+Yc9pp)qslbTENMCmXh8Y z3WfRN7*zEiQaEhh8haepH!FDF`Du02g>o3N7MJ?ooQ@6IHMvy`un9#B#cP|hc-+nN z_Hpo(r2>o;ATKhJZkyd3QxY;i+nETjdwo=KgC*4Njj%IM231WN-Al}7!bo4Oc#cRB zLoG_0=FaE97jMFJZEsHcN-T5rE=qw;TNmGW*@eE<{thdsubtiE#ZsM^^Sb)vN8J`$ zoKG)*r8v(mSd(xK{~+#J*Y7sv_8*j;Byo1k6*i2f7lH9S)i8)xz!ougynL)2Y4wxxs>y`QouH`WmHR zejhIEx_>NWZ@H+NQLDbx1(5lJW_wwSV#_vt?+YI1Ay0~fs7F}lHqEzJI{nT4FS)Ja z)HTWu+qmJYkawNCJF%(r`|YccfpN_Ri;@Oy)YJRscrepN_nZ!EVQGUxnn+vgcCv;? ziuSS7%?-Bb)VJJ=a&W|f%JLlF#=Dnuc-vQ5I_sA_p6~MscsxOJ>E969woy2 zi3J>*Xl2+Ck9!^+x)wF*3sGp0LJV-`q46S-b9-l#n>WSN;0wL|x`&#%8~rsvbCYi^ zM3aU|yGv1~odU7oz20H6swG-XE!56YkI3hncgv-;1gJ0{%DstoKkzQT6dJr(v@xhh zjE27Aq5jvv7#sfD>5{E>@9F%`KS1r$QW~5ZQA&v-gD*Udr5{~YP#frx7w{(i1R!!nY@aehQ!xm$NeME(;$^u>fP70#9=7 zjG3_9SLnjlODJ~ADiq=CecGPGuW}eW6n-H)S!ej#>j>Kra#rFJ{-7IMd8ka@3L>=n zni{^$R0@sY=9-RuCFo<@^GS{khOX-l!wqx_vM*rVTYI0fGwJTh)tLh&Q+?H{dmL*Z z?2L#tfSR(Ob2Y;ZbMqLd(w$m~59t4^1pLi5!aM2=YwF{f{vz>0o(PxzeBK09zY`)K z${$YQlzS$UYr~1OzzLW7Ha&1Cs68)?gzdDq!-Y@A!C;j;0QGq^05xYz$yUzVo;qI9?~#-Fm3} zEL7HC#0GD^D^TGFu1eFQbXgf$^{3VsB3S4j26|CcjJYJh3~ zlUs;rEC8dir!#__*xP~4$fJ6`q7_-_1grL#k(_6b$ZyNfn54xp+RN+}N>v1k4Q6pDCC^`4$@_3+napnu!;Z!0(`v5#6f+U+l zIcoa@0=%j%N9GPFxOI!m0)IHKDpVt{3|0^+9`;3&*P397?hVTh<}t$~J^_@5R|(Bho@Kl4=!!k~ zlh*V-3?bPfcsrH3U#aRrG%fxPS%`u)^!|)G4cVrh@>d&pHij^x+u7Y)Q0V76R`0iY z=v2j?-ACFEcOcBKI3>PZN6!O>AJ0s=c@33u$WWTZh}`rKZhHk#y0tHp3i_4XgG=_D zJ}9`UXbkH53`M?5gXYvo?5sI?_Z79#M@8$(vz2`Tuw&}o*<6=rnHe!bpIln)x~2e- zQ&z8VXuVNS?4ahCH98YV=XPnjpH<*%JT|%BtNE|2`jPIuKyrf+cJ2Q8WTt}{=<<@S z98dur@H%v)?ItkIqCDdp*I61A@s&pJCGLBs)=Rg4?;&9UoSlj_`#&5j{!xOpi2J_2 zT&R*@cCt53zG_XVu?;jOYa_*TQ{>^3Ir@s@?gj6wMqFmy76u|1Q}K8Z&{S?R`I4{g zzRj_nZPIKo+SA_q$?R*!jqaXWxmw%q_a1H(r`jbVf(Ew1aP>zPrXdW4v1y6ryV&`2 zl5!3@Hy8PPMl64NxM?0Ei8rz=;z?he(7;_OHjUaxEeH5H*jd)$OAxB=NG0 z`-n6g%r3X27=(zpafrHf{^a^?>y3Zy2S`%JX+9#;8v1VQ&leZtYBgz~;w^nZEvPi+ zT|V*XA*ZlmFE+^}9R zq!tf!)#SUX=R8*YC`pr3_pf)h8pXpqw%Qe~+T4F^lGoGsu+^Q%ZQrmrb~vbBDjvP9 z`|n0>CKvxRafZyjsysX-#X7A63?mU}0+T~kl~&x*UlW%^JS z$lm4X(a(f3&n>9F$Z61(TSfC`KKCp~^V73u#rZ)fEsviOWKTWE5#2_9>d-klRuH`1 zt@}MnV(}?%LQd_;DkPQrx0joHR4FUd?d6LEY=L>p%bg_ceR=q|Tssncd3bR8)Yg|k zSRT)ITpC|51T-Wn{hneR%RnGvH1km=4DeovcpZlesPghL(w_iQLvo~;M?Ln}DbArx ztNZ1@B96=YxXt^oCs5ygRO9<>-qIq*d8fdO#c}+h0S07x07yI^I$M+`kxVO1L_<5NI8{jV}k7lEJSf5fO_n#de$%EBeETvRyJ3 zU36Q;`rF<}?eLT4Jw!-aiove^j`~~0&={%qhZycp)s9D>s1taWT8!1XZdHoGvR((8 zC8NLI3u@8SKf_s3`IMb26PxDBg-q#ul98zt>@;-*3|EqsDM>6XQ@mEyo%UmyiF@K> zc}Y9tl1SZXzYH=!bv-1!Rq%5wuG{UkFi4PQG!IG8=T-%Q?JOE_7Dp~nVapG3ob))-Gc%ZEP|vc+&z!FQh}C- zvhD`!mnvsh+y&aq`wAp$57|M_kMgmnAv1ko{>`S5$NS@4ffl5<)*WK6~xG_WSI! z*EsJ7J|yFYkxb^i=2d_H;MJc(*mpT}22qErB<`;oO}k^0S@Xz`A8??C$wL!6n=Vx$ z=+S4ar7U57`od#;CY$ZbL_-f>-K8+Z6GyAdKl+jNBDFD<(vzyGpJf#15n;P#lGIi)2Ae+hrP#95OnKudK?`hjlKUy5{fG_QHwioDqGG-xQ*>5rD^O4h- z+O9k`R~LmO-&y9_q?;newvfaE6C#Rn`_i4Lxd7^2aNR|rj#%NpnZkc2fUW_nSTyq& zy2VvS=orXn`iKN*K}h#?jb342ypQOQfePbR+#w|nj#6MC;gxMPc{$P{L$j9yctW9n zps5i2Pm~Ud4PF>D)hWBorZj({n1vYWWcKxNM~f&{z>Vy?q>gD>9wZi4My;1sTTsw zLmvn*hsZ&)yZs*5K%yRCnlR&Dq{`FP9sWJ;;!NT9aZRTfE?fG`ajgaW0)UsD;x8w# z-dTd@@BEn?DM2dZy(WQRJd0bT`9X9^XM1%NbdiTxxkVm;yP?$(tF`_hDn$$X6drUC zeUh!wq*{|xN3X((Zf~NJasq|~+fpG$lr15MGi;X3@FOMpi&e+_54(jWwB+va+lJFc zfM^k=&N+%5aJsiR5^ujTvu@yhc9cswc^V^rC$urb&}u|W++$ZQ@7YZeDJ0gC`0$w> z-WWjcDV(=BeV6C`80^`+3csD}>W;Vd&)WCZ7&pPsz<;mw|9h?H_p4dMkXoPP;>D}Z zP-XCWj%`)faOt>Jb~DG>)nL#{6q_zU$hmTlBP!PIYxwIf9zQAo#?`u3Us6ZkEqi7- z0vu8av@`=G(3al&>CPHIb&jSF@;((&PGLR@U^pIQymVcbzUDw{L=N~<@ZGNF%HKi( zexkeB2TW-1)m#U=yX@inkF&QK=b3o}-voYZkcA!+cz!f66<;1Ti%PC=Ze-<&Y?kIh z4a!1Cd$R%c<0U}-c=WgWF*+nyYgHTm(rSQG)TBv%B`a9yGife4Jk&+_c3sxv#|Ae@ zl^sg_oVjteX*!zBzzu{=KSA~hMrWB>CR z{AUtY2=~$$?|x}d2{F`ne;~7tS}FwyaY@&Nd&zj2jHUnONj?5xhEELQp=xcdqJVW62q@sd}xCJ;16V zPpCa^SxvlB=x`qaf0So)_E4T^$&{XHI=v)9jh~Df^+s0D_%Yae3H6Hd^p-mg9)&E! z3<0MN;2C&b()IkONs50=EB!gN1i`!ivnNt^MzFbCqzVQ|EsEON0KNT%A5hEQgg{~{ zbnI%tAc=VAjp=|%OITTU9vw-W2O?>_IB4s;0(WsLFhhn<@9eAZ*mv9)LyT)6?-0s@ zkuQ;w7~!fakKu}+AoRx{58=r9V*A(ygeeiUot@RKhgY7&mu74vS8cz;-$B8-Djylf zT?m@Cb}<8NrJp+R2BN}}VZE9c3DC<1<;`hcVroQ>-^hoU8`8B^)`ypyeu4C5LmJv+ zr8A`^{G)GyOnH}$AjRg>Q19P+wH8b9Vtv zLBExihX~nbr|3L?_iQuc-W~{K^_VREds|pbnt}J5a&?u9D*;No<;6<06S{Ejq+E>1 z2Ia|B8q`Q|%4W_o0@LfCmg|rv^8k;|fv473=bfe4==?ELMd(|PxXTIx9X91^16 zdr6f*tE4>f{n&iis$+ThM_&Nupa(Ucy)aYIM=WM6X6KC9Dl6@#CC+)>>El1}V8y`3 z5Q+{<^6AdhK-q2mVQYD|LB1LPyuqgUz11u`8@+BS|FN^qYrJZOd@56W)De=_YcaLd zB|E06^viA6rVr)yS6klihVM1hOubLYEa@-90F0N>%W^5ESl$3WJi*{*8u^yhA1$og zgDFOw+hltr!;IJ<*pEWv*{JnKL)GqIbjI>Ml++HhLJ?}meLy?RUjRu#?EfD?k~Dvo zfa4OUr9;I{d6NvGh{j(=IEs(sj9si`k3-O2y1d3+xW$|HQjfl3uh)OEA~o>D1^(_b_m@k+Lx~F2-ocgy7W** zUo{Qb#ionQ<(L0ht9P^U+dRt6{nh`n^srw+{ax2&g_CW2G>=UeFppOn;BM%RF3GLI z=-dM(5ncknS)r9v6mq=Rk}2SY*^FhIum=iIrNFG%ji)q*%rRV7{X9F!%W11zeGbT6 zkLH*3jn6SCSX@w<`M zE*oG2HWf=Th3PSRs#%YL(N5^eF@^5K$?SVy4WZ{)Le5Wj1|$=O=lFF_ZiTEExPMYSu_@Ab-d@u{xN>oI9ag-BYj6Hf zC;j~=xSwF(lF0hIAH5=UAnGO)dx(`kGdATUB28p-?&Kd9%b2I~%%ylhL|adFPWp|v zkY#n2(^4F12_5=~8s2oM&y>qe4IS9xNz$e18pnq^MeF;fIq?IG&DsgP@R&nD>JeBFaPWi!rw|9VKvoV#O4Nstuzv0O^9@#~u zuMXm@(`=yf7q>G2t@7%41WIo&Bvj@)7p+GfRmbF|G@6g?$AQp7po^gbE?gf zgp~DQM(XpY6Q;#6a}FiN^OQt`^PvYWv11AOHDqo2UrxBIGf=>crjY3I5AyF^^mx^g z^F);HHNcp80a_%z3MjrPU-9&TwmR?)#~AGafRw4gjjR=ze0#1XsSWNIBKeqCfvJ?h zoHWJg6$RM#6@8+eT9UIK_^BR2qT}=u7G>LyNEri+n-w2!#YQ{FiEfoQCLEcM+B1jH z?2HyJm{c#p4ZGbBAHxo9r>wG>_F~V-2+S#tP@Ty>b4_yB79DB#U!J>~?|=%!uS!Zz%3wP0&Et*6YR$-ynBd|^vxT(Y0YHA)yK=OeK%ILr$k(yZj)qi zS1zi0?fMW;3}y~|hlUMlmZiZ&>cj7tDn=~Od7ZTtAPj9r^j(P-vzPcbW}qwj6No9l zh)2gK<#4`}{+l~K*g}2xv1_`PP4{wqP{m9{505dZb7u)zE4>DvXD^JauYoc6UQuH0FbdGMBW7xy-(jPW{e(BXoG-=NRv=Ps2jZqku z%s@}YA?#H_xn*|xqFGK}x@;uu5rVAM)*}Ys&h?ROla=H#69eDHm2^$wBB1}*RMuH! zwA8lP>=#6Ajn8Xw&th}x2z=+Lqq7_lMkQEqeWHXgzxWfwzy5PEF^3Tz@Zw`7yA- z{(lLzrjYwW0%YS1OZT#^3xV zk0IVInKJ(-k4Yi4iY&WzngFl_=vnjGy{~!11D}aaBxK&uZ}hv5-o0%YZ^wBU{(gU*sU{JchLY^9VRz$JQL1W)`j9bt!+H2Wuc>^FdOqVVs@V}NVI`P(%i$xzyc zhB#1-&TimG%l)BnL^QTCx=_{J5{M+1d(**HX2TF&5`+lX_d?%GHLSlm^JMVE(AA7( z2EFR4st3q}18!!1rMa)Z=&Yyz8TuRs)&hDM8*Vv;j!xL4s1NegvSY-Lv66mrnwU1T z5H$owL|`eD=c+hZ8W#Vo^cMMaaAQR}++cjWYK6$U_ie)+8XZYHrBGcilC&#AL<_yw zEB9wRrI_aog+PaIuiW&!6jD)Ox^+4Mi#*?LfbBJwtCY}mC!b9G&{~T(~z?oZxbE^N0Yz#_-$mG9+9?B|lt&R~& z8dwpl@?NBkczbit&Qpm04wHeF6);I1TrzQF|NXvcoumlOePt~mmfF}QnB(6A za)G|SiOGrwD;ubKIM#87>W!`h9Sg_`b#_sW}n6AbbCQ>gr0 zDx1g|++jA%Casgco0(7qPhu+;EjTmgL1Ac?_!xgIZ+P5#9Fd|J?4i zMoHGKSeionSu*nI^zea(sNMvC*l(*$agVM!T*vONP6=M0+cjDESc_gC2^+EKxZjoI z;x1+{Uk}Z%+-@$<@2Q6hO%=`sY)s7iRlCjeCN%(|JjZ(bthy?l^Pta?FC)fWDDHLn zNpb}VhnD5xH+-}g0;tEeYnG?n zdc-arS!AKuy&rOprm)SgvfJAQwi}5B%&03+G!Piy#jQpJ%;^742S9HVZj(TmS}osy zBq@I#ba-Iyb9pyHi3`pfPP(g`+0Dy}g#79+WaZTUXR2JOCi~dhc%gPm-}mVhQhmhGkhW zW1lEL4D(CIw)-i%dM@=zH!0U^f!3%t`wyoM1LCJT8&aHRRBjZY<+ayPOZ9n7zSf}fr3Y_G&+mspNY5uoXXCd0*%(N?p zNMry5jq8TPOR=dupotjM83i++e@9rsv*BYz`jlD<0Stw{oe3cC5OEb6?FR2m-l^LF zV$x8=eC}NWt$gHR;!uVPb2E+m`P-`bc59}%?F+A+qH(`FL6EaH7SY*n7>u?1**l;U z3=(fU3_!9)9(`%P06pJAp0;T97+5sAA5D2#xZ_#a>V>tS=*Z=wLjwnPlcDpZx@=-M z?+aHc8&dP`D~ZmPn`{mm94I-N&|hIKn!~)hJX1V$AfGpn{Dex(Hf(V{vVPX=PO8Nv z0&EuxAT=UR)&*3J_d46Gc-`lS=`?R2Zv$ugv)2Q@6T9mp`%;bB{zo$tnDLrT>p0rm z0C{F&yCA(`!L4V*I|NXhq3Zi2`yEp;`_%u@$Xusn^TH~z z$94`9KAI@OunDbK8Ll2r0$iExxH#bIM03ZZt&A0^Zt=Q;&Oj&*;ISwED z>FI%5%mv>!xHB;_OpfOSoB?B|VmM18Lfrbm~i zGtB&sBUDrMWyIWqvbaTASY;XIc8c=@E>Y2969NsdO{6u8=}^8Q572=;Mc|%T z?|Kj>csH|f!AN!#2<5CSlBYYug)0?Ebum(=l_%(pu?3iz)?&mDF^y8RfarJ+_|k?4 zwd*YOz;1d$w#0lzLW|}pwvvgF@!EE^^@IdjmYMR6NNTq0FB#BV)2{SasE*AGiO&drBn^YUinI*%V55a)QoMY7VX)WM`FPS!*ICe#qUzQTgHj$4fQbR!PpF{b;gh z{nB5|@%$LnMdU~c9ufSgJ7C0e-hD2i!uaiD-Ul%Pl91@T{p2$jQ*r2(PE)d{QI`r& z8^)n*D~VG*l~G@I%ssYmArkeyMKBo+M4w>-Wb^kQ5~V2Qm9uX9?B*BxkWJiVtILfB z!%h|SMCK8NYckZ01qgh+gS>J4cfT zn9?AVF*^8*YqR`Jm-4lI#v@iIT{%-gkf!8*K5N%qYP)f-)qGeZ^mIF}ted~-d{}fl zJVJ1CaGucpht{Y^C|Svp_R3|($&dVkm^wT$#S2>UW*G>uioTpTJIgjyXygHh|hep#g;&N-^HI6XcA*p1F70GwfP6$WW#vA zV;%F0GmzaMVUA?k;@;87eHGMTOL%e#fqR;hEibOjw{U`A2so>YSgG0r9Ok!ppM6Q6 z;L6kzQ2y^15*#G&U^|f&Mq9%Zb}$EGP;|=k8n6LmFMYic0&*F28DX)ss-eQ|pu*YN zZ9qPdr9a-%@!`Zi<6^0>r-!~uG#Qq5s4Xxe!iICpd{M7D6x174Ceg z;W#y?KX;c1;FO2{0h#+mVN$i_W)BxJ?UB^wDwdo;bX4zw~z)Qy)?HxU0*` z#^bp3&_Xu_90&Ks>o!xnrMwrOZj(`{eU1c~dK?hsoT1dXJT2Kuv+)=kYW(4s&lZX)Ei$oMXpq#O*@U5 zH-u!9Y)CdR-=?#O9bd$=uVOJOE1t)?+dsqYtT!T1+jSo<{?!%o#*kl4eM3dS*_P~{ zo!Wbo*JB0ynGXD|bl{u5-$t%~h3&sng11u?#X+Je=<&oq(E0YI4M?i$Wm)m7r&OOX zG9^RrB1Fcs={x~PStg$*D>y81m2_(e0h}js0dr$#B1~3P$78lr1L5Iz)HPV=%*RzO zV51M-^21>Je*m5|)qmgqzNA`Gcp~*xrXcoqMN4uvq@H*ESLKSAG5omGg$?21l0=}_ zTj~cv96mG_Nlwsg0(V(@4|f{qXsY6Vf$&A+PD^Z|poS^GoOKX^JJ%5CvOaXapI$#g zoR*}8$ZJL8*W)LEtjiMfeD#43r6dZ(f&`y^j7>=4*Y`>5%2r+m?T_F`k_>C+4V?}D zkjF{QOIPl7-I?Y}_JlyleL&VHb;N=Yk&@ulF>?ehev3LYceZ8A^sXWAd{)YvMG1f40RQtf4upp|yZxv}{<=%Z)#EPw(|9+_`>29U#7TJg%2pp`Iie{NDxxs^0>E4O47(ZNd z=$&gRm8;e5^{89WESq|8#wmeoEB~t2`qsS-z>uvH5bUlPK=+|3VjWJx;`MD)hNYUj%qYUf4C>!w<{pbgc0kS79)KI`Zjtqvfg4+X5W%ZqQ!)z31? z?<$%6%WR($(kfrO#)XiVdj95roA4{+ep}*OTD1b5_;P@d5w>j)c|;iG;Bz6l^^5ka zZ;P$NN}`L*R-(@8L4l@$gQd#?^~opFT|2-OJ9HK-+;_h|eWWDB&QO)Ke@?z&eY(H1 zMq1^)240Aer3)=g%MXRwS4gK1@c3XG=uKu)PkEl=z{-_v4l>;zg1tN!VmC~N)HT(! z#ycOhrxfJgu2?y8 zP=ofz^q`6KoWjaa^CniR3T(~0Mu<3VB& zWQMZRKGAu8kN=XZY&`EIdJ&5fdmYhX6>$GP*OETvtvoKlS?{+=B@3l9XT)WlgCeu! z@Ck_Hdmu@y>o8N})?}4kgDT?6!GM#Ytgh2bPWK*cb&Em=7MJ<$3dhg~RV_0Ym?P|Q zPjfTS4gq=Ugq24$w)UAUFeljGH<8iTJ(c1p`{eD?!?-uPp!_Su_o%BOJV@8RMjYzg z_Nj2g!ZkA~@J3m1A3lXg^~A_8B@p^^Ii@mVZ%p4USb+x#>|)0QfI`^JcEDFL8RXVt zi~8&W-u3IR*4h}kK+BLdDCIeBUY3ZP?6Q?5^UMI)&4t(nKR zA;5g!FX>5p)IoB&U8hgk`pxQ%mg&1?=a}tLhf~`HYDuK(n~-(#+WciU%Z`=shVRf1 zrTnA(?3-a%{^r|TOkXZ*0&31*gqKlw)Ds)mJ|xqW!z*1Da91qig{AmE9-J`t8W_Y6?lg9r{>v!;XG5GT{jH{2VVN%jLgca#Civ2E=!QI{Zn5hd5Z_6c zB#L%{-s2gO$a@qPa4)P%y|&N2?@aA{Ta6M76hEw`w>IUa(P3&Yp}?g(-?un7tGmKuEDYaAPRkV@S7;`=M zi!u39uNCq_K%!Yk5A5hn1L?hRm~=yt167U3-PpRZLTF@}9SvX6Fc{1;u~Xm_dCKI& zx}C7YR|&2-LF@tI!T0eu!OuX&9X@Yrel1gYFMsW6rSr!674F@n&x;uS`N~@q3fYQv ze`Nn$*KFyi$;0AKJ|OD2f-FBdp?+L6V#x+&+u~3+GXzL|l+bYxUg5n_YuMC$an+{Q z+QiG+s?#H%EKkbv<@LR@j}($AX+sZ=ich2{}Elj znJRK04{k6XQm1+!7$n!jXVGPK4@bGj#~%%%Y#|n{*3d|~A=9UWYoJ?@eGgNA6^Rw# zkbii`ji^y zik#s^CYcITL|%Zg+RzW#{Yd&cxZeBpL3)v)k+D`~alESah}$)rok5NT2;wF7gLY!W zrCQCx!vS+f74eT^Rw2z=@W4Kt%ufcyH^r|fc^c*WFBcW9?OqGsWq5=5EZf46;#eRP zn873d%6N$fjA?wjkdMsBq!$=slR;}Uhl~I!;|hS>oE89OH_b0Okq!iVFLY4hPU{>~ z6srj90vAFCGhp-6syD zzr%dT-bf&Qc-c&{#uT=h%gs7pJR<Kqkj(zpbdfw3I^vcR3L z^|RK{$^kI4@=s3RqmR`I9K=1HVV9Lg&eEUB34koY93W(?+^o63Eb>IpZ0V~>1Iv*3 z@u1pJnExWR#}xlwAIv7tc}NU;#_X^wNSq(!_4IIOgr{441>a$|ZU*?L=CcsHZjJNX zk590G?Z?5*;@H??VPPkZrARLNRPC!j4X`--`8!Mfh_3qxSvX=sZ*$Hcbb*$ch*(_>bsc#FCQMlwqb3r*Y7#r>MqJ^8c_Rq&Za(gK1O<*G@!whUv`o`fF$V8dQgp5(_G*t{DgR@ z-@hR!TegY*;!wh60r+rtvIy*Y&JKJ`x+g343cCa|gLErz73AVouX!}v)4IIqY)`<7 zaE-8Y3-1ih9?7s@o=$!gI!_EW0aT=T-+sDhoa8bbA{a>^cPZzgK<~ZdHA{LdR@ul8 zH+=omvIxoA_Q{R4jYQk4x0bSc3V@&^mQjoacjjXxK%}=*)7+r-=mXG9FS&8sMuRqW=v18g5$n0L@mK#@= z%%;jk+0=#<&&J0F!atPN9R!^*t|j%#M}G*v9&w64xH zj=O#((^_ZP^%M=k67SPp$%PE&=?dQLV6}yxECZ?Y8nv17oAae5Fz-WVhgqD{CL(|E z5R0=>$r7LzN8B8g4J9M~Os%=J@zoT;1;Rv(`k+z^r%ESUZIN+31E7=9g&{6Sl1cab zfL^PI^r|N|^_0Wsf)_f47RVydQ5FY5ku;C6oEyT&!n0Ke&Gm?b;&Ort*UNc3-pyEM zlUiS#ui=KREeK%xY(C2!T{7}m9GPHODWB*t&VG+kxw}U>mV_o92NghDtT!7&E<*9k*kesmt$_tRgr~b2RPd16_C3;3`#sKE*a{a}^d1aEI`X-i_X2%Ft$ydDLh``O#ojA2&X%UW zKw3)rF`I?b)UxO-5nse3S4w7q;lV}UviFYhzQ(w zKg<$6e=-oSoycyJ^B`xA{HuWTZp2*}p&xt@(v|$2=vWPyUdVtRP+4ZpzvPYvAhRn> zDf5onw*;2#-wds1)46)~kKOeL10tLTHRNg4Sv;s`LwG(*aIz`mTem1Qg($0Nhv#}2?0+Q=^49j}cWCFK_DDz2Z}zMBmpHcZsH@-c+9Uvx93Ec( zF63BbKC28Pa4{V)Al62<=j-j8GzYwujAdL^K`Doq>|d5Vd3k9cHu?LOyN9};bZmyt8T`qic89X7u~8Kq!fsU{8>9l=ic_aI+$0e0 zfVMG$ZL)a8`3l$LYR^PF=Pzrg!LNnW;d;`3sQ86*SA@X6y@O5#G{i`ha5h?OULd0d=f6glPcga@Go;#wiVey4w2zWU%^K{HrM{(U9f_RGi-#3h(v_$PrBn8e7v(|KB9DB=Ot|L3!!RN$cKPpqV0nHL3JLE!4 z+02x;vflZ?#(X-QwYgx2=3XG3V{iYv9{#XD-7CNJj}pvR&LuKdGUeMnVZ!hTA*s$g zctoo5FZ~tXjNgS3Ga(}(K*))e!`8_&@qp%CGm%)ukQPneMG2iEQdkgMQ!fIK-Wov^Jy1nP^&=R|XU;CO5ZOpXD-Ig8^XPCzcM@#)?aq9S5 z60ZU*&UUTMO?7f`?mdM>x&TNYqnX`&dtjXbaZ>qmVNser_iDS=QVb8E9Hxbq^p=8} z5kXqhw9X2Sx(k2aa<4Vw#YIck0t*+4DE^ybh6ocb6h4VeUN4fUU7#OZ9B^F@ zFu7NG&pA0@;t(r}W>dPqbS?iG#R238s$1?}D{IL;d#*(8FWv`9(QyRZy-zOS<=gdB zdqcMDsJrmWND~BU)K#THj5e{VT{fD+LZ;P+-rvanhI-Xl`EIOW;cbTWn&)zh-562B?QzaJya{Div;( z>hcUN1AM4yAk}xF+2BPqOWgY zEg=~=bFzVv3?{eubZxPPvxwH(q3{R!QBaLz=6$apotfgG{stqa{Bk8M1NK{#qP38E zR%*$~2-1VwD%B*zl{=em)~63#xZh!Bo6DERT$+-QRiXcMo^}W91m3t4K^%#FIt0!J; z9Sr{(Rx=MA9v;GYjkA}jP4^t1w9EX`gi-~*{VBQecGTrjuA2Iqlrgzcm=@#)H=oEg zl^Q(_>!G1n_E?VO2MP17bqoMNhN-eGAY290WPog4`iG{D!DWd@( zf-K!(r?*p1GF~qLa7Yod4V*wFI0u@FIO% z*xs=%_5!PNi!pxgk6o!h6IJ$-;`9vGx*2_7uk=crV4G z(9*C0(kx$xFUtRfX|gRQ>oL6BpB@}dAdJ2>uJW}R1$Z#81@X@Mf7rbiiTLkM__qe8 zS+_P?Oy9{{1xi0ge2CXAP3MXu5nN^;$etH1ZpsXhOftLUR}JA1aaqR$%FQ%tj^dWe*6vnfqg$$b9P4P<)8O_3&!6dSYir>+qrcMbK}omSri zMkh>7QY07W)wflK_&)1d9x#ys?hqvZWMAd{DaCQS$ase)ALtIIlK?IC!33sQlEGLf z>+wcccy!}=sVOtQ=a5CdmSac;kPHqxQxv+7e^s$SOI}&$z;wR9v(AsNtg}i=PEW}X z(kD3f^32V!>zlat1V%FWDM3JHgf9}z_r1bs zghY}?61n)A8%R&QQ9EPBr0aWR4l1FxNmjJog(YLAD__3#g=)N()N$Ra2P`KYyp>CAQR}qe|yn9$6j$W|;F&#%F!2 zP#dj@eunVM1$jT&{aV1|tsO;Qr*T2@+%t`0Og%*#I5@d&{z}ImW!JKyiwc}Cpkr_7 z>4)&~Hy76{1ok)kX5sg~IT|}L{flRy)la~3WRa31 z%!r@zO?p(6Laqr}Ec=AsMXolU%-7XVF|ff3Xa= z_1WVw^(c3DWs;js!TrK-P@SPDOy{A0fjL7~>H}JbMOijOk`>sIJvqZGoewf<{Tbi2flwfPjy|`LUBlW_W|Sjk-MTqEWj&js$(Uz@gGf|T9Nmeot;Vr;?*1Lj2KgGs50bw6 ztI7PA0r^*(g7a&nk0974k+c?)Wa?>SrBjQ442mk3 zdmp;XejfY}Zp7Sk#>RJC;$B06s5i?EGTied=0g@RTA%g)P;*F-THaFwYlv3%&Ek1} z!F)Kkx;I+lj%3Bhuj>P92N!BX0xEr_(kSwwYHg}$rMI(Pb3@g>y_^M${yqvHlIr}2 zbQo}o_A|mUSf>8s;o~6=fsYT84s}c<-xyji-PI1)=FNifynvA%KVb$^&L{mael)!2 z%9#oN&_po!00;Fflkc07#Xp@8V5j`+%m4Xe)t3OP?}!h{07d>~^Td$h%GXZtDWJZX zSP{8PGIcB!&A)g~>CcBpEKl>ud@Z5pHyYtO?RS3O-Pm?9>}$it3Ox;n_Lk2mN4Tf+ zB8veCNFi>Lb~W+>?J6`PKrVf~RY~kRJwzL5QQ6x!l6fY$IX#v=vg~@y)&FX)=^kmj zknhKz(Yl25Y)KMEJvyG|guJw4x1U*E6MJD0fXRY^J&j3lIt(iJ8I3d*&-RRX=$%iD z8sI&3Od|00VxEHnR``09WJTXC;-*Z&HT4v+ESP;64T0cn?(bAbk_h{+{!ND+E*J$nj`_i}*GXQ3G$1iY`nd)Cl_x2X!7rbgl?e$|CK+6Qbj?0)~bB>g8p4EuM zg#=SD*YQOzzh-`xDf8yV7g%f`d*HrY%1<3{=Rr;IZuJ{5d?;Sqb9j&;fa)Pdh#nI- z6PlF;Y7Ne~5AFXt`E-n9MTY(?enj(P8GUc$r#4{;dpQ9U@!KZ@-{RpQ^{=!3`hmj@ zl8EbMYPd-gRy@}VnQ;wW_$7llaAJ}lsCe)5k~oiMhK5(L3>!5Bj)z2qYl|B(E3K#* zj19aQQ~wP(5OLF{ud(_KIPl-US*;?Zb(Kq{#|5rmFlSQRUyj0GjKrUPJ-sSd*KhcV zsW91hw3$tzbc=9AxP)R~-Q(w!K~=Vq`=|Bgj_zc1Yhu{xfv z;Jh{du+q)MSyBI3R@eKz)0H9mFTP!^7tlI#$bDRMs0Y#b%cH+!@%CphN8QMj4qkEm z%UPZ)VnJq>LsD{ zM2TCQ2b3!fTI8ODuu<@jgj~ex7{=#pPn@qEKfZGIIf!%pO(?WPs`sCAz#M1uLDw|UZw$SQ;b9LLQFv95 zA^3V4ToJlSitc*leJqdqCN3V0-h<~uB?{bn3Wuvb4rC+?3a_pwFy45BLR1-|C&+TZ zqWLhcI8E(>v^O{6&4@5qev18;TW9N}$APf{*?uhJM%T-t>FP7Jbc>_BK0s7*b*fnQ z+}DZqFKhIt>H2d|0t;R1Mc{|o4cYiq?WOOGRMJ}31w6#x znu9q^mS8;J)>%cY7_jSp#(~kzoV0rYxIhy)^u194xIjA_f9N$4<~O)NvwCw7VYojl z+Y^K#tP0Q@{Y3296cGgpQOR$YrV%*X+xlt(G_iyMAw&caLWnRGaH5{YiP(Aq3LwnE z&Q6gMBg~$d)nv`Sec6WZ9o43@iYdH&w;+6x5eP zni$t{nssr;`vh`R2H|JULgrE@j{4*6B}80?=Ds(s`T2z>Hr}Ef`hq+(W4j70b*Bw!|ODwe|fOV|2_bkc0R{ zJ=TA%4_5&SMbh~!(?gO!AClTzEiVaFFY)oDAWHtj2K%>#s;y!!;6y4wkMg#R{(8s@ zIGMiSiGiMrUU^cVcy8!Dx3adc=+U?bbIyc zlIBS(F|{Y!&)~br?$2myYHNq@ck?IPKP8u|zDyV%)#gyH&{SSD3VWoa$2~vJ$)c;L za$pq%Y0thM?M2$!UP*&14)x`jeYUY{nH6l)wNX6s+8fgVf_-NQ0%4(T3ANrSuhw>sD08~72Jy_Hd_doJf?!2nrCq*n8Vm- zE}qV7{lX`h?FVQi`spQ2FuOKj{wn(Nm3vmB_&NW>4e@Vgui!miOo?0D?VaJj8acob zf8ZyBJMA>aEI3=oW6bbA;AKCRr$hEj@bEkhucW8H1xt5?b7q$FW^f&TA01tkBYQI7 zayJ{C@cnj6?s&#!3@hBy2tZxZUUgB^aQt~ziRP@o8?uU^Uo!f@Vbifz06X2 zmfl_5(ji@&y<2!6MF1k5WGR<^A6yW+!cqenRaord6t|vl(v2jH{IH(Jv7x56H~)0b z{|kO9Xrmt{Zt+?X^2=O<`z%8_r@MtJ$uUE4lVC5ajZU0*m2`-VI8>~^4dH0B#lxbl z#~4VI1u^p%VG%goOc3PqS?asKSlbWWqWdH;q#g&pNbNvFq+ynoL*qi=lWd-)f$OF* zN*9Z2=Z;+Z2av3MG0z|~5O68v<>XV1Qi@OjuGd#V&9KgYQ$Tov&QO( zporT%?8Bu`oS?lyHLvB%!>u9a6P_M=zQ0|tcenh^mh>GJYPA2&MD;>RW@pw!-L^Z~ z-Wj&?mJ~W&4Wb8=-w+J0qhlZWpE>kRz0fKt&_^LW`n`x>8bpwnNmvD-(ZzZx5~QxK zv|sD+{pWgGln-~pZb`-`pcn@ar(BocwcHLRtm$r`x==qj$;`q7FBvK33Mh=}=|)8h z4<^bPTfLEJ?d~LbokQx^02I8RwE91~Noy@(%=Mh@T3;q|(+oNs!looyL)M^U5utxP zHh@|$)`U*E!n0nsaEc1=sd+=pOk|!dC_vFtpPluTOLWL~?OOj_xBCY1ui6uU$##uZ zili8lVdRg|ZwmV$RM|1e!9t2zsD)94D2nLi} z=o94hK4zA^PWgjEqYe#|kn-xNb*^`o)yJnzp?3la8E?{&edn*Z8klCMn<+wi)*J3+ zeQ`h3EJsLgdr(CP%|b2Lz+n zQuR8Y1xMreJ}=y0yvAaUC+^F*3S1)B>y+pMtX{k&*X4tMRb-gU$IlQNvfxRWZ%6iK zawBuTDx>4nQ}nRkIHdVw3wfQ1oJH8I&m{_ES`mqz*bjojl}lRI-HE~`kv9?)ekTiF zytM@G#`v;nhugG*y)Ikz_Qwx-idQ=S4|DGw)nwMS538tvC`A-dN?d!K7x``Y{Px_z@$b|0d}lntBzZ%1L;$z6tP)}9@1RVv$F zd0*%biRbuE_aXXbyaapq83~z{OU)y~;ipdU3kA>xL%&_UJg=u1eGqX`#bfMzn1fNY zxklJ?kP25Y-I3EzR)-Y=BZ>@O8m@M#P1v_wyPB-4yl51Al=QT!+w!T2k&8u4jKx8h zFh9$;?jdiZYJT<*ugg{PRQmPa7kxtr_isi!bbr?ylDIg2Nioq=IM=EfXb3=6x0G7mCNqf||0Z0V zaqUm&Z@Bcf3EP7lf%&glExQe502ix7c)c?(f;Yw(b0AVdV+(!@pTZZ&zc(p6PIpGm z9pS8<0p((=ZnzXK?8PtW(+uWp*4y!S&bqRj<1`RXRf_JzG_v=U;7-xJo2dVVuz9V$ z%W%nh@r6#_sUOm;TAuY_nP>f=>d5c3Ufc_=KYIK|)`L%@0!6bAT2=HA zpvBJu>bT!$$}rfg1!(az=rX;^c={=SDK_#jnEl~Z0QYyt0Q*Q^R?p1MO&IK z0HvLSB~)!t$KswJ*LF)msl{s`Z}kUF40Hi=xu})pOD!wiPPu1B`6_26I4|PLe)?z> z2ze2xX8ZWk66|FX3(!ISC#U{v^Lp*x{hA77WcO1^|90}u^Y8j3e3wzCGff?A@} z;7cG@XjMfxBYu66tS1=K*P2IVWNO&Dy)l(=y)RFS(z>niO>J)R|Ve1)U|acoEvT^rwqm&;<`l_ zP1c&i)VwA!x`mBDsZuaeO))YxYCO9ub-5^!hfV1q^co}Fxg&GJ)h}kGXF{&NIet!% z0kr3ez&1uE?B}yeuTSopC|{y}qV;tA+SBo7@N-%1ZScPZ$iM%Grr<6^8o-u3Y%}<` zpXHa`Pq%2rnNIy{^+892`z+IT#Asy~iG} zEQ=k!lnq`hgeuqD%VXBx$!x^hhdH#=VyZf0Q>U|X3RPrBTu)vN8mp6gc#Jt-cUl{$ zO?ynLhP^dz`I4AZ+O)ZI$BxZS!=D61|GK`7PT);SG4ZbnK6{zRyyv#)LBZIXF8hJl ziW2WUa)k*PxUwxm-220x>w=f|S(M$ym)^?Tbt})ra>h8;MG=*<$zWu|K&jBnzqUp+uIFy64Eu@C9TVffSX%{X6ldP ztSu{3%{ir!4J}8l6N!GyUHvh`6(3WNOfB2Z9hpz(_imYTX}LSS=phm)G}=dimsR_I zY)q=Jn2^ZBK~pGNX>dqZ^a;x{H$p+{b3vX5I}ff*J6e9>ieA*2*eO>X{~JXCX71D+ zcU`18wbGEZ$?g{=8bDbfM?b%@vJyQ3jrZDYp&D4wTE4Hs64eb<>D)nGj7hb&g5Der z@>w`R=obj6MH6|A{VxD6Nb$8M_*nO7R+UJ2)j|o~r!PqF{;wa~3gPaXLnn-VXUl_m z9-aU5bLG;m64P%h0XRo*Y+lHqH0t*|`_m@EAdrjGv_fH47~v}WMV*-w@~d=#f2Tf_ z%sSoWDBn=%j4Wm@=oXxse22+zaYnmP&o`P^0pw0s@?lv05uNn~6@en3yJhe<(LPQj zrgOtKG!C2OoM$RyRHhyn6vacSpSX1~Y1~QyUO~S! zn3!aV9t&7x>s_n@9W3&0c7QOj16mnsp{n@!T!l(8gl$nZl%Cz#PlmfESI|8RQ%xI3 zdhajoJnC~yMsQb%Y=M0BIrB0*hxDCuwVdUtgn1ty@q{@jqutnx3d}`+m8HFa`4SSe z9OQWC9mmxk-u^alGgL=m4!v3P(j?c^_v&&b2|`p!X-FN_itU}W%&!b`q}*5YZMD(z zjXd$+%`Ck;Q|JL?!FuuB$Hd$xf0_AFZLv&ko$quA@+wxex{7~8IaOaeAZ#+R@MIW- zD_z(2rewDmL#L;*eo%eA-Jwh;oZvt0nJ9Gv@k~#L9EKuy%FBZ(-sMIL3^E?Nk-{5{ zEDNAdo5y686zMlg3eAq2t7mw}_h^MVFy?Y|IubD)H@@)3Q&x}k?%lg6Xmbl9I)7~C z2qk4Fh|`XctZh0K!BN=qfyQizs0BFTn09rB9@p+Ik=!)!Efe0Sl;Lp#=!&pl~ z>kq;?85z5b>3%^?-Q_qY-lw zoNNT6!GwdT6S~)Xg^nO@DO}Fzl}j*W7a7>LTzH0lEm5 zs2kcZf|>T0{*zn>g6BU?(^cKV2wHtDM-sk^?ugp{ZaDtH$2H==>(aU#|Ys zSE;xLWdZDfy5glsgoB1Gm)Y2koQeuMnR?y$Gy(Ff$e|QUXXOVBgs3d zPkZtZ;u)nuW2QGLyd9T^lay=;YM#7Pt5pb%pMIlh02pBJFSc)L&JFV-O>K&*=#`|8 zy<=2&`97OFdgu#-&hYB$e!tP2k1=ysIk^*&*{iMCQ@60E;i=273+>0F20E5(knHU7 zXCVS#s|Kpx`t;+>%5x-w=66;GUKsLuaQ$Dg;6FUn9y+1a4p{hlWcjUa3qLx4LW#Yv z_tdm!%TI#r5HZHVo>RBEENi0lxm=s`YG^sLo_1NFrag#@+^XtYDkE3WqwP#w-Uk={Rv`(KHjw@_MLyyb_81WJfoL9@+XhK%`DR z%N>BO5)SG#h>Q9lAoF^!_U^TQ&DWg`$pUF%z_;8VU3)RuxzLT%@KJc4zuUe2s^Y?2 zD*MW6y}Zsqk8$7^;V*hpjQh##!5eiaYTjd$mNR`jhpb9p4{5OS$2Cao4(lfhHNy?F zyne{#R>U1&-k%$QVE^Af&bq+QXP6>#4cWB4B<{&>eV8sPkib6dJ-^R_olHLkT!Ae_ zxNt5{dAV=qPffG3chA&3{=24`ef}J4db-duCPED9oRuG9G5MSoIp&D@hR}IAp$A8g ze%1p7%}n}<4mSw0U_yfGymZTZ4m(Dsn6;`nrB6yf(%#SiX|g6VG(U6pMUc|u5v%T^ zg5@{fJw2bp`JeF^A;`|7dB#v=fj-7hLFbA+emDb!vX5U_w(4Yrwy^8XQdRA%P)i9! z$%*%)&~0HKDQ*AeI~u%-*&{ zkQV0kU7ACOn*wWTTHT)b`iyATCJ*iG!Cf*+KkX9cylwKP;IL7yMZ_dR;OFsDwbem^ zpx*{JT7#!wk^};4Oh7C;PFYKXwR~kx-$&?qc;-RFY#grjoCq^}%W5x(TkDS%8$A zbK1W#)*(QE%QsY!DY%4yhc&AvZ^UDt-K+ZeNnL$p=h_Dg10Ha4NkN#JsE-TBzo{eW zJpITn2cx9blINz7>h3N;omkGu%~5y)@!1X1yuH3tIXVe@WCf}JNVB(pO@@XDLQXYC z9{BJCC_x!;_IRJp$D~)KZ5WuvZecWCp}0v!qx=dVfAivdy7A>PPQA<4^XZGPaOjNY zB#ok~seZ~!f298oYS{W*S&e1&MvHsw+Q3B0c#5yiEvC=XiP(+8Kx$E{VwqOJW&e7R zwwL(YDUx=U6>0!S9FcXmyc*oYSB5W1JX2RU-e8hTwBwd+%PHdjuK@%2pK`wZJ!ZUq zhMf8#X6)UqpL*Zdo-pm`-F82;JMs3MAgUfJpJHzSJLvNS7uq!x1PK0US;^f|-o>07 zodvw%VoMaq*pMFfioL<-o|IS#wp~$mfRjB$1;qg*e~F-EcpYZrrXd@W=?yU>9p?Im}y+3)KtBQ|>*h6W8p+-6^K$G|x1h+mtjnM2mWwZFulW{!)MdgF8;Kuo28y4}Z zh+7()c@r##mW7os=c(sdI`{17L)Jf@XaDp0$|=CttQU(PCK7+ZaOaM-RXt>V32=q! zB9KQR`Yb_Z6~TaKy_x3%!YvXPR-{?L2p*mC_^C@DG4WL^-F=SewZuqwhtCh_pY^rv zQxBo;7Eh>(s$wyzsu0JS`T%bj<2oP)4TjKd%?Ryt5*cR-TV;ja0^WT?Bczz4gBGengR(n0`o*o{z zS$=QnPgY6kUFs`#M*2^kBK@38!Jgz3J^j-}GAAcLJb$9?^x!aJIA%fjs(sst|3bw7dZ;~j z>^sJgEiS*i{W}1^K*j+-`A$Q{JO?9525-CG?WMRDkI5P^bkG#nch8I$IjW8Tk$oDDYi)AuUZNx zvRj=QqO_P;Hnr9T&>GIPvMo|2cszJ~D9z;B%oO=vf5pX8jd^E;vuUUzw0>=O6(3D= zD|Da#9=hKW^A$p8M@sVLQx^*h0rkrwN?>Eab3Ii%C^6B-zpHC}vwAtibGdS$M8aoM zrmwrV<>}#5L`wBS9{UjC(|EM6dZwy3u54Vj?6Wy8z*&RwETjxymI&*jj7y>GTWQ7B z=Ar+x>)#)0f0O%eX~);)mOoh9cbAG&vwHPevs>H;{CEhuz%U0?Kp0)Nu>4ALP&2p> zUn**tOfaCgIG$nslGp)(PEP^SM8bDzVh1%L*4cT!B&~f0WLT%I>@R`LdPe zkTw}U*9$IASypBe}_fu9$-$K3-$Gq^g4GIt16?CGY4hp#1DRP-f)NzC7Tj zS9XY3v69qY0k;?SK+0!NWF=MItid0JGH@WpP392nX8>`Hua_m8K5<&HoM0WnSysQ1 z@b5Ol;RXg}6Sj}Bza!;1DIhLYj!o&RmhIm@6{jwzfxj)B18!Ma0RZwNL3qGpdd%Im z#DXQvI+)(&SVkTSI*E!8b6rY<;{+!PLVvXkP9j`cajv5THnR+`HzE(h6<>00m~{2z z4a|n?87FPDvg137(&QUZmZ>V)?n}cu05JCZBq0?Yh#i=_b0&`Ed0#nJBd(qI4>_di zdRudpzy>=Zk$@OE(m-}3k@H&|p~ym0bKw;IF6nl4LvB6 zg-au(b&SOV-}u3w*n-6_yfeIhwg_B1^UEM}b~$#F)9Oo1(m;MmBtdeUQ)b-v$PS*m zHE7nl8M^%1AsU*aJ+**2$rPZvehnNZ!cM{1Unt*cAEtR>R8$MC6>V4^I92F5ugm?K zlDx1uL;tySzW_ykA@5|UWN}SS^MA#40OV701v~_Rb|PL1Qrpn(X3}}|iikjSIv}H$ z%$-g%2&ZL`M?X zlLfM5P|v_iuHfA;`_CBMDi&r!U}N)S1z7bei81kh=HL3BsVyhQ*#yO(s-#Z32d<+dB{H zNv+qey^4uO-6&(lio2Ozw+Ud=rhO3pD|0%(Yp?QRx{3#?>_#&S0jAdT+s2v;JmT0t zW-Q|0GnR^l7W5Api>8nmde`9BfQb_Cw$$4yfU5Jtkl@G2=%8aZx`wIGH=4tiKD!-% zqW+|MOi5J3OqN_+6OKlx2{6$!*a;c6YPt}aM|qm*N}CE*^l|AdyJhY3Fx3N_7aF}J zh>%1c9mV4OlMs{L^%oo>q{2t$rJnUf+*4onn{KplRy=Rj2WUE<&Fhl5<+?@U{PQNP z22e~5ZZ6nkG>w?B&Qr#&_@-ZPUjjf~rjg~BhpR|mziCwj<+W(ddUK&8@wH_26Q8b} zuJL{~0>KJ79$P)>Kh7%Cx+{*VG$%M& zyBA0(8d7?g`#&Ik2egr-Fs9LsO>Sr>8KO3G| z_8AhyI1J26vZA*axy`JMW<2A&?k?rzx>D)n)9Hw-`L$9tJZmoei7x6*RVcHsYNZlR z)#gF$wLbtHcF#e{)%Ar2qy!abciL~v?s~4MGXck+O4!tM1$<`BpJ!ZHDH(YjUoIB( z5gaY{1dL!&a0-yPv12yxo9my4s@M0X@M@`sEv+|v z$8NBL`^jl~M+1kOxc})}0~fdGA-yen$h<7b!MxhuM8me`k``fy@%z!szMrF09+o+^ z^e%=Q2UP^FB8DbYZouEL<9ax0E8u*oz~!Nb+O_KM z8Ihi~AbaT!IhpyXO*Y2^BIcbr;aRIK&=W2z9o&xvM=c;IT1QRipHfs>QDd}@w?>2t zv_3vJ$~Q^?flv~k>xbbgyqFL!<^9N}FYKi3&21? zR8+wD5NrSlQMqXrznlkSy!%HZ-oa-$kncLw07|zYtrDEo;@R9_27*0O`I)UGOZL7s z#KvbrlQj)~--+8!PwJTH*_sLw7-0*<+gGf3>H;!@>N$t*-w#aU(~f zU^A$%JRi8cW_{X};??5KC#vvMD9GndOXWSSnkZFLdGHdekn!}CR$sPapj&yJvVr?V zmOXL)p1J?%wCAMmT5S4}4f5}*$Zdf3_Z@yk=MMxTnk`$M6XXpe-sjg5gh#i7k%Ol3Fs;3jn3S$?BQ zVF{aqOHI}|mx0ZPZ3h*xv6-Gd!Jpt74|##*zWvgQLq3 zQ5Iw|gk)H9b_nltbl^*+zw>pMApAnEO{K~@c~O-x0A18&V1Op+rN%O8g_bJ0aH9kE z@7h@xo)f9^G*c5_e$Qj%kH*%0mYD>k6cf1hyLxqvCa#v*!xeS%J?}9Ar8teWP*a#m z^0$xy!?oe`rHA#!X|&QlK0&Qxfi%qyLCUUMq)4;W!2Q6DVAF3L+{9@G!+Nd`oysUV zmwJDlrMtMyRyWCY{BWq>Tq!gFF^p3@;Ac1u_+zciR#u|EMcND7=%Hqqr-%>M=59`d zuv&!XHO2LNt6xoP278tV;Me_GDyg@k%LlG&G3V6gdwYC0>ed2`t1Hn_=ytxV3Pnz< zmWII>IS1ZB)8{GzN<*f57TG;Bs~3g0gTS^K|KOXHAiVVOxffaTQ~jFTM`b2>=Y~-= zG?2CuKm@8$M+j%4xXzJIG7h%uj727I9QR@fw;(cskH8E^tdYVlMLN&aXOzA6jw^{T%c&?b=Oausg5?%2IP8-; zuy~$2Vmqy#7SK;fx?F4fC9)=xcZ-)(PwcdEpWVjy%}H8PKI6*lF0x zSIQS^i)^s|*TCf@ILF+)z;>hcqb6s%g!YBZ_Nory@8)F9%$)Uz{GV3-k=s)W=cQ-Q zy^vQflz?no{DQ6g?&*+#tM4+2G&56f&Lx&X&&}UV2sZLwEa~#1WNFu`Xlq)}-Jl2ZE zTc#dOF_fcz64fQGHk^>SUG-77sm?C$h{WskG~p+rZ4~vu1(|$8v1p^hX+?J%r=>Wq zVA4)An)wj2h|&=G4E7-(H&F-;aAo5SwAECY%$qeu5cnP1C=RD1-96EX_w(~x`DhI} zlgr*Z2Yq5{Q`lc`&r}>3uMofWnv2z!RXy7^^s7(cit#38f@q+#kbNUqU{XWE>znJB zJ&Kto&3ITJdS8*1a($39^;V4pTBeYi5tOx`!)vV`W#P zeEW5-4-|nzT1L*z(_sdospUYh&ydFe3SQJ+L|h0&nMZSX@My`+)Fq1;71>z>AKCKH zAvk*pjV5>`TvgPgd%n@vMlzH_O%wo9?H53*y@QwDq-gYd=$?aljWe<*IQ6j_DkB$H zUK+?4P5pUunE>j?;`j{|&8<>aRvKSwNg#`JtXnBKD-%`phwe5|YsrjINZxwMGLZRql1P{0}c<`C2?<6Pj9Xc0D2kl`(Dw>>y53$hW%$1+m zv_|Zfkk`}62<}0duO|bzW@p^W`L4Yqhm-2B;u`RX+eNQ7K%FLIm-Ss1VFleiX5pt--QltjgTM8Ms%=PyEE+Ik;q01^F9I7^E?)t3zhZDjQ4a@^7g46#Rour?{R!tQ z%N}6!h$q@cxvf5EpjPirhnH@!>5}AS7y8t(>&9nCXB0j>(P3{0l;>zdil7an5e3UG z9F*tUMV)m)5*a$x+D~PKX0#B}8l>X)Rz=$d@jiHPu)71OJ(*WlpT-%d^!c_wJd1i= zqdKs7D&M9k6KhdY(VVDOcG~KF!TzqAM>F{@y;bGd_a5FFY0z-@jVgk#n)b#&dA8Cx zFMVq6g*&h9pl4ygfz2o4K$`Ohoe{ThH=yZ2MGR(w56@~2%qjr|F@J)ZacxFT*n>8e zPHL#Aqt27ofX#KiaY3%e_fW@mxGEXKJh(^x`My{v1bzt8ww zJk~h6G!u{p8>#F;p6aHTe3avZPcKKPhDjF1-EQVhIFIy?XC0e<&m;QjNlhERX!-2N zdYBIKH>xlP%15zbF~GN4U%q4`VcNH}rg4=>%#h>t!>9+LtOmcTPI;m6g2 z@}jH8ilKNm2}jf3iMs$eb{cR0Q9wXZe%HvnJit}McIeW;P5NGRqxCp&VTJ+wBMCDO@|Wb`(n_93ryL`*MB9xo zx*sH5VjQ$9BV8sy>4!P-T}5(()hApTC(S|DmZ=F1eZ)rs7o;Asv6ecl{tpQ&@14M+ zL7npCHGJvZQ;C!VS{JHRdotwrLhR416}(Hon%e5&8!XcV5N0-=fipV^Te{#ifxH_3 z^&RB}Kym(&c729Bg?gS_Tjw+sTt4! zZ&x(J*1=B^;0WJCcg}JB#ggTX8w#hKFU#4`5nj$U@>8MZ-j=^`r@FElJah)TN#aeZ z75&#v`8)juyy;ecU`h0C(t=tS|7gyb$2&H!>L96CY;;kVBy$Z&MvBi5II%9aC)V3y ziV6oy@>?Dl=N1JwCDh}=vFw~_&ljOm@^>vj$s2%pq(-D< zz6k2$U4PB^L)MU}c)(m;!ba`}+oX#(hzh8Il?_qv@p1qqqn=o={Z6`AMP>J=qeA>B z9WmQy+{%C$SQ>w;jaM+4SyHxYE^eGuS9GwhxAKmf4yx51&7v+l`(EAX zqmFnq#IC1=i+O9mo-XLUzpVH#V@(;x9A;kj%e{p=6)_z%$x4`USL3R3iMczP*)rZ> z;XeGZH!xOyNcDE%KLYg`-u{GY!@&)&_8&8(D{{LsaB0>Sq$(dq|GC!oqKl~qIhPp+ z@ui_*De_))>q=aXjb8i$xXw;5EM0)t!$@I|q|v^H(LVC>l@)P!H0fzn(n>%qYkhKF zwORpXZ!EIWsj9~B8bn_4gp$L2;GTX#Gbwr?#-As|Zm@Lor)HVwtX(#TDnYxX&1ENd zK1oyK4%quJS$jX?Ypqk6leG_6W_XVKP7<>Rp^^^~)ufFOdjrYvQfT?SF6HT#Ah?QK zbFQfu#6#v;ZElKGtZKrWN=B%;4+dVJd6-As%7oH*`g;MNv`&3kRtO$$Nl-09oweqK z_+B%eS?tswoV|=nRCCY9B_~^obY=}*`X}WK0G5otky+M@`NraiA2Q9_y!i7oTz+>U zLyFV$0Flkp4y$+3c}}>&5=?KrIx0xGxi4sP=DK~9x-finrw6tPkLR~%I5>U75b|JU zgcL>Bt=ndh@gyWtk-Q%n!0o`uQy@T3E!q!V$ExDX<>X5axrCuD^X9@FBWn`;B8RQT zG{nv%vC{HV_$-8_!!#Kj!IlV{#PV=eQ5AoNgHeWsIIIi;BA?gS2H{2HUNMgJ0d%M0S zeM{E>xbLcmKIU7*sc%@&v4jq~(VJl2>pF#%Q>Nlmoo%>B>f-K-FHmc*Ep(=3SIl6Q zOr}Ta^JsMv>1c4hRd2UA@k)>rGk>P&2FyCZ>hsKMv2f#^xle=ZD-K9lY;w)ALrvd> z2MbR%w6(d%Z-jyQ2Z!!aFC~}rKa&|dHNFo3W?x@2L4$0y!Sx5 zCiGP{=SBJH>1~L35NCC?t4go{|AL_8DWYanb5F;arUt0F&smB{;C_tje}9gy&0DP; z3%vMmVJ+hP(!O4A<`_7n{Wm!5FtYEQQ(aH1Q((A9r=#fHpgtE0YeDcXNT-+*fL=-@ zRhw}sUI0ek7sP|#Pr_j|nsm{>x4=oSHk#|zV_=&V{h2(9vZRvj zy+}QP@GU(W6umrhnoNmq(JE|cOy~#c)U#zPpTnZwLV+xLad(x7F-nIUUe6dX?3((6Kgt+#j3H|r2}bY;1s?ZZA@mEyd!+l*DN$2)y9u$iX8IXTn7 zBt*1j!;}Hk1^m+u7|6-L(^0-Y-B*yPk=$Zw;vmd_jz<~8EhitUAJ0kv?^?2)}UCnrWAB8Aqd1u`5+K~l|JFF4N|-`U%XvO{dHMDZJTM2*q6iWNT$4x#a`fuG*xZw$Zn-z-%T?n^|%bbiu^- zQx~~*0L9Ku3LsGs3JmLrEy1(IhYeF-L?Ooz;`7s`!VW#f8olfl>F&d{j5<^CA}}&- z^z@)%YR>d(p_Frw*g_ph$7{@ve076$B~KDWvnRn&KUz*VrqEF^tku@ZtbHFCS?j6vlS{KnvbewQZ}A|LN?@4vEAaK zIstT+JYLP%+N~qw(U!W$Om^1%W@=Km6=fV;-e%dzUdfOZwV%D^j;3RqI(p4BMx%L_ z7f+9sD5#*gJt8;ICf)%{_#s!B1;57;_jvfDc|Hre5Yz>#1_}!T{6JfS{uVWEAPq~{AMJSd@n6N;AECmZ&$Yjucm|}H)AEU^?Pay~ z!tVrzG_!9JilYyBw>flzy8#3dZX?f*i4&r*^pt5C{5r_5SreCy! zpuEBUvGel_r|IFJsQ%#wZKIUwKIApZ297KmOu7+EC>pJkZdCykF=SuTk$DqRLKPV< z732psAPnx1A(Q)#r{# zH~+qG+arFAD1SVk{8buooOS^)<%eaE^R|q`#ipHK5&FaqP<>kLXB!#uZni7qjI)Cq z$J*38mQRaw?OfM$OFJW-7n*<)qxUGiM7huO?SB+}dTVS6KCMR~iSV-`!FS_BiVj?< zs`nEPxU*QG|NcBm1I-p6?nH{nq!;B1LHu{ra@R(p4a(bxGm6`=G?&3rr$o^Jk(qs5 zR5tNyD28xlvOA`O`wiaIG2Eq}d#QTIGD37o-#(^1CWz({TlKGc z-M@IpqUb6BQy1eyR0Haft9Az?4uCk_!o`s{VaL6}4A`ktI?+h7Sskx;s76Yx5Jjy`6LkItu8NT&N%u=Cq}N7JSjI;hQm( z(}wb~Z$_XwIoa|niLetD9=yDOrav-7R%&Z%BOy}IMH68+?5;rXW-q7lBWFA`SUg`GukoaMNXUhfgt$sA1A?II%2>}LB7#K`whqmvN$d7Mo;s}wRMyndv zTD~xCyS4ARpqSE@!`P->7X3$udA8*+4?%bH4{a|)-QNPdrx5=CtQ?#%_=rh4zBuCG z9?P6@KPv_M|CMxb@okf>zuXVXvA>_CKs(W@g8$D!IpsIEv&t*lTWqcH-SM~H*z6Ff zOhA~66heGp^1mqgB9g6|`90t0HRq*jXaj=-Gd9C}mU;yAlK{5n;wD&hFHJmxu!#jS zy%iK0{G_NI7#wJic8GEy^;V8l_St_O;HUG=D^W*nv0asLmZy~s+M0ErC(2BL@=>|L zu*d-0L9WlNMjqvS+8P_Ep=2p6saIK4O_t{dIFtd^BGrQIiEy96h$>h9z+Q{quHguQ z1z7^t9{=1-N#tqIr<_vHoF7UhZq#SbAs!)0`pWe^8UcM7Co%J5$*f@Kh%>7I%mhTP<8vj6K4+i8ITpa z&wVoy1pMLnmOuQG(DcK}u#GJLDvI2U+46^kRD|0P%TN!`yVh#ulbQby#d4_pcW|`l zsXVFV)rEz~$-Jy&&CbR~yZtB%&@mPp;zuiz!%X0atqp^IUcaDT3$?fb^Zyq1X^73} z_9v!>bl6hg62yEI$18F)lZ{-!SfL2qz4-Q>^#K6B%A+;+0BX4-i5^>OIm!PwYPtW5 zt+6F_+t>Rysar?L?K&H49|UJ6wlFrl8!QmO+ULQKdRNSB>>)l%1qZe?y3`!<)|U5R zUFZP@^d=AV&ZMX_>Zj(gsTvTz0Q;&krbY}K4BBuIc^YlnJUsllv6mA~e(0>oEryH_ zIg$QNjd->W&=l9iV? z)G#=r`l%79Q7SfmFhkwD`wn?PDcw&9&fs5Xj*gspw?SYs@j;0Zfv%FvY|YU+TTTStlujZt2VSJP-SNhgqKLZ^hT-saGFTqar{J^Ifg#K)haj@HJPFk@>R(c2dX# z+()3yWfZjAa!v1Ihd8|54edmuIF`u?Xf8EnFqzuygAvbQiOdB&RH7gTF{ddaARquU z+myxrNm-5=#^^r3lJa*OY`=-C*u7}I*vWB07X9$@&i9I`1=3uy>Y+%w@xJsq9(?Fi z)u;>8@l$6!F(CA%*@Y9LC}M z(-KjGa%$b0=tsV%Zy>SSK4o|s_?H?ntkSC{7$fbr?l%T+J`Z2gP78Gr5V)xL2zJUQ zECJ2rWTHmfiwK!|5yL zLq%c{ggkc%pC|AHONs$m{+qSg#1?nEgBLKw&W~4ew!h)u>i}_YwhVEIV~fn&Ue?X^ zz3IdMOpEaRn#tdX`FV=K1H)8I#pjNK$YfjaV0n#=_tZ3Mue})c#Ve-9&CS)^yDs+a z_)9~Fx`NI4-(3~+L;4FS^1$t;LN=p!YlR4qOP<|#k)pkC6unOBT|?b+;Zf0K=Hq3^ zzOGjj$K#^#&}ts|ZwxzqEDc-DbTHyv+G;zf`W29xaLH{U>;31ZwjuMsnzjD*V7u=- zvYyv#d9}UFRzT?80l&tsucn>&3V!wzm)E((e9@;*lmnhj>J@T7HAinorb6^rl-p$T z!_zU@Eg=F-*OXkMLTh02N@8VKhOGPoyVJ4E38OCDSg=V{_o_#MX?NsP9tc!pnRZ|s z(3V^Ib_^D=`k0lMR30~;0>AXw`B*Q$k833B>Q8j@T)0p7)MuMJo!@8pp=hI+6tRm1 z^sW-nK_A2jMgWCwTdjMdhzq$?70c`?^EZnjvd5IvH2uXUdO9srwaJaXI8DKn`@Z!+ z$E?E9qi2gdCbp!(9$T&9b>lk?#%ppt?63H3s4?C+ z^S+q>==`L>o3gM61z8v#yc(}%ZibzJc=i5E1k~u{rNX@%=PoN{sD%1=n%=}gHK$Qh z>?$k_NKnloh`WM%QKi5TKd`e|O-=>!nJ``?Xu5as>`d~~JAoh$vtduu9 zMuPtLKQ!-zQ~_nB-5|P6uYf?Z=<&=w)@1`W_q&CLEh+I&-is6jIMuVq9Hb`;Zi-4G z`^-WQfbNQCME9uJ$+oV=o1#>`eQ4h>2XyLDWz2Rq1%sc9$wcOuJ2&ISC} zEC8XEhVi=b!HCd+O*;Vvx$XB%k5ayxgiT=4cT8SlXs2~@IgNo-ezqLyX+*aVv zjONN|9N-JM$FfOLPu-gB7v<6&kB_H-4hHTtsw%CZ*C&vdwb|)#*C3}y7ArSW*H-}1 zOQxbvt34Vqi~yQxq!#T|o>-09HE;*hUC~}o{d?waHrg?DJ__7zmH;GNV!MV2p6~mo zzNHuXuEBN?~uQ5q(`-fqzkGy__~a7M-+Uul7cJ3|7}t23Qwo}x8!RoRyJF0 zlZu5pUsB%WOfxmpi@3uFPom?Fuuiy2SoaOpUy-nvNEX7*gxfb{wS?z)Iq0nrl{5gF z)~VZ77fmL+FWrbCa9~v525JSz&^M8*Qng$KK__QDnRpTIzi_DyS?$5geFS&!+TuMi zr@f($KTSRw-osGcn%aj@ocV<3BN7v1d$g&wL&zQE0P=D_Kq$$MnHJD!yxrROevDG*IGl83{M+MIcf_?TG4elbiyybh_vg%m zz@0d*XL7+VXBzt(f<+R3EhAcQZzJj5atY^WI2w4e)vd;y_Fe{Gdqih6OEL9atPD$L zp+GS~qFa`wT(Z#n*&+2+i?4OtyFqW%Ua~8Cd1MCLv}N^LpHS`!jy(-jN&!) zK}l7?K+bu5$IAw6w4eBFvx&)o1~7;Z#=t^CRGU8xW~zDdY&0OUpc5wqf|8DS=oE@K zJ+_8UM#;*rMlN8f$N0rJR$6mM=YgW^2LQ?+1fab11KKV3Go}OYOC(Tno7nLoS>vZkMf32zuj_)_CcK8&>;;#b z_j}%`+XCspIU5L(Ri^el*QrpBc-)wjw)aKd@OYdMa|WntAr$izRcv=k?+1prUR5Gr z8)6rdZDRYz+Hob7KAHSMB~-4*57CEZOWLMWWmXeet|-)l)PYLx75i{&`3|O{6KtP(#E~w za?#Fi*^c`ZeQ_1gDNf={$G(nNaTV%mJ@M4}ylwH$ zxy1mJl=}w3LR{(acdizC?(QbE#-p&cXLkZJNS{*xNiLw#S7s@e%MV&L+%(p4p|3vJ zN}V;r4SL0v=wF6Z%u^*?jh0uQCtl^J-YQrH9R!=J->iXQb?I@Rjyqg!+nqop7K>hQ zy!8Gj@cQHEWJ0Wv+y*;7BS*7_46;ll%2kR;Ya;!?bSmD-lC-oktVAPW<4na{ygCcy zmJ1g0A>u&SXZZrcd+bCOGrTJ}$a;d;@9>4=yMu1-ex28C@tU$JKk6>|VpDX~{i(;| zc5m6={jc`6Ol{xIATQ=UjkIcw@i25>uw24vwa*&=GBfMY1DG}1RfEZ(c#qHdt@XXi zh?OwUw+uqBl6|WwQz@Htom0!@lsS6#=-b)6`&;>VwbbaMCL5rrWF;Y&urrDyioY}D z+AS|C3i+%hb<*l=+EW3@FfwELRX_Cwv%Q3w?OX-)TS<@Uz9UsI9Y~Vca16o;30w|n zPXHmjsPit}LL+&9jOj!4gkF;JW_v|fuJK)NI5jr^hKdlFJb_P#4+Y=hw2X3pe%u9A zMaE>L(3N0r&2OuA0Ch=FA6d|ggT$_`?}!Jw=%KVSgg0ju>n^2J4+b&Ya}hL4F7Z0l z!tSb1OkO|GJ0zfn`=)mBzFZZ8mb+VovZ>}^W3VRvFzMe!HQR3a2S;)5lzc4$u84Ct z(zs)nFt>N%dROq!&vUD_phxHUJ!3}O*w zb4DTkSxBfQ>Rmtf)Wnsv{?=qq*p9yr|pn(iIA z6VFrCV-l<&rCMnL`~8~a^Y(dZ!qS>Fg!@tvI7K}ae&R`qZ@XI%D`|*LZ<*_u&B^Id zM##$pM7*iE%1ET*DnwX$8W7>zF@w|A4Zjb1sL|b370v3^1XDKI%RMN4bET}8dr&Pu zp_X9o|Ex;1{UT%r+l=>QHsm=npWL{W-)G^}6?{hX&WBFF89F97;Qz4po?%U{YqzL0 zK@kF?f>J_PKtN<-e5OoY>o~sSbT|loV=C%+v|3861VddntJAiXyzi z;QlqDOTw;mYfX3YDlL-z5wD!8?C!6Qk?9=RxGmKcetf)T`MQZ;JUDq!STOn8Lc9*C z{uYK~j@;Up|FD1Z_&%N;gGfdSC!+AWlY!7ucdJ1drP1nc#lzEg%c=&>t3w->5&WBG z5%1kOLpLW6L{Fr^7Ujq!nz84`MD6;047aWLmt@P&S+2!A3t%!P^K#C#WS;ufQO3#p z#Larb+>++@CB&~wC!JLW66Oo#cu=ecS*%3rA7pTGC^ zYc0a^3piUu;D8kvumu9-{xW&LWns_%_*TUl{ld|}Q4{d8Hu0!3QM_~xqvF1`|IoDD zZNJ{B7e4T4ccPdd;JI|sn*mM}F8PZFVeCY6_G=JgxPXg5KTxWMNBO#P+K!HSzxG>tZ|4E+vlb4G-BfCFX`A->t>eAp@?`n!| zAyYNu*vPkCXN8}-=@x>c1BctK05dyvna>CUzRN5Eh8wr4l2hI~3&hHSC;lj?I&_^q zHlcXec}zXK(Ge1lpKpzah&{Lmj}3jimY-Sn213!z^XkYs)v-pm`Ff}E z(h@GbuI?}h>~H_|AW7`cS34Toir4D(Dyo7Tke2(AL8Lqv!`VPBrmHEr({xDQVq(i_ z|IuaGWfjtLH8Ln~J^w7+Ae`2zG`lZ;4IM^D`AhR;F|Lu7=-cUWL;On~W z$WpU8s=|=nMC*OL3hVbZaJyXiZE;1?#j}A#GQ=se%!qhEJCbQ#H(1Zg>~s6^mWOyn ze%iDc#6B%xJnicf})3ckzw*F*pJA7kTNp%>^x_&FaADb$?-az{8_rWhGn^nbY0 zv8GR~u-KoeaG8!bzraSUSBC<1?VMX7Alomiz$mCIs>)Sg{S>dTL4k|2P>XmrJMXu7qczY4wG?Xprjw%zN4zlg+$@sYdtCeaLTb@lPqVs{ z3OIZ@{%0HMf<@v%Lx)}BC(}QvmbIERwObuP{tVp7X1!oKat+LPj;OK6w85Y=7s(zT zzVp~@;N_6h77Hojgi?5+w!mjcFoQo)-%IDWhTbU=v{?T5JM`PdKITdzWH-Zq&*<{& z=D{D5A-_~JJxO@elKunb%aHy5Cgtl;*mF-mJ-KC=@LpR@a7fx)NbQ+kJ@Bo8+X|@_ zMO-J{L*rdDG*rIw{}<;ALzY8ef8=W+>iFM!Z6z(jQqj%+^-a8k)Z-!wdsWYNGdQ>z z@%4Z^FBRA4RO-!uH+s;Tu<&!obN<&!!Pspfp)WTtkCIi3OG}zAguK$1jt6NWIYoMd zDWfmny}ZbKl3szXq)C5!I%AzfZLeut0>YFU4vWs6Gr9Bdi(u~8Cn`egDjU&6z@0CM z_w_OdE}>?<*-WQV2UU@zZfN14+UT9Af7=Rxsj*c3mX}*P`7yxLqVFXu`r(ioW#yVT@e;*o zY9eKMqb`tZXg-r`M^z~@s@0nix%-nB4U>hJuwX57!4^nw!djdlqlxG9>ji2EkW zMsZcsHKpOB16ob;!H`Y40I-12wnVey2~2RYEA6oe00Rx)c_oh#LYm4-eY~Iysv}b zeMlOe{<7xKpG<}KiF7aj7oW()FH^%ms{fiODyjVrH90{2NXGvfYQkHqCVBb!y?$EP ztAp44(Ys$pR3OV%2H7)B2M`-kyf4|@!ApM0{UWFSs+NP3KXNF>?E-caj28EI)pdKP zEgOp%bTXcV`k;0fxi_y?!S2>y7Cb)8k5B6B3E8eJnk(8O8}vlYD~BT|k0tQ$XXbh% zUWTS)h^iO9lm29q|NOD;+xH)2@W0-*$E)BSb_zifs>gaY2j4bYRCJ(OH;`4O1*Hdt z%G5m@{V8xyd&w5unI#x;DkB)uJJgq@0$Ul9q2#t~#0AgChKhw^;qFl6>e06rU+vOz zm_>U8J;r^N+H>ZHDmUP&iL{Qlp`(O0PWB&HtTl%NxuQJ=7A!q?6|KC)xMSfe`Ksl5 zwetqeT31Cri?Tp2>xrWM>Gziq98jVFZ+8WKow8>GxG!K|05v?c1VkWlI;eq~H1&=C zwArwJ(+||&p*3R73-5IpaehPe?|v{eNuMy3Z-&0WCzp1n@=19kCpx%|3O3FrmCb0@ zPrD|K4*sowc%qxMtt2yBQp~4Hz*>-0Y+$A7B)=e?-};E$)|so0EZH_LK=;eL~7(WicW*Xf^ciBeD~6IF?gYDw?iG4sUOi^hM9 zT%dke{=XrZq*US&KVeaDP3qs2m48RD{`{Vko*;ehG#chx0Xogk!M(EVn#+`$3tvnN;_ACKl?b{j&sEu`aRP<1Kbt*}2cz=&))}j=mwuerAzA<}pcan6 zi#U};#1@BK0?p;xAu9iQSp7yb46*_SNwn-05ddb15KzQXE!f9nQsgWeZ!V;-mGM1P zd?OnAI?{Ut=(-EInuW%}phtr9SORpDwx^eEdbSl3e6>ryE(5$ks|==j_5#~SKYR2p zgv>b9pi@Qh&H^5I2Pw%fG=tu7%=*lXLtD#a)8XDIyp5D`N}|c$eacn#=uZT-HHQ$Pap zw^FBbp3_3TqzBV~jhW7R)3#t~?)HhP%0SY!Mi5I6Lc=Hmu&>`W@(M6=$(A7J{ zZSPg29BlrQ{d6NAZtE2{B-oP$wC`bK&)Rb*))KVTgDE-#3B};wp>pmxPr4hJG zW@BMmFDAJyQq4q(GeQea81QB}S%mF=9jXnO6?4lR@v9=Ps zV`YZE6U7V8eWlor8k^}OsY_Bte1~W3bo&+2!WwSQY3IKIV@Wo|hS-814cd7}aka;b zJ}S2LDLRtp82&`GA#(YE8+v)NO0L?aenxsF+=xn>KXs36QuG`!5-;wX_eR(u3QcB1 zU!*#oF2)(@yLnFfp+{)b^$(mjL0<|^&Jjffh+uxGa^1ls9B%l-GOLU-Q}s-kzoXs9HF6 zyc}6JLs{QXu&xaCeVMoMtO|PZ&E3WN0i~6=hAusY_a6uQd?07@Kh4{c8j0U$dUZD} zXrKKc#WazEGsRc)RktVpaB3-&3{H5scu3qJC$X3H+m+87v#biylEhp|YC{Y%_~0}L z9=f}DcevS~J_qDRT!{SAcXA%Z`*0)N+*9a+GKFs%ON$a0Aqt`SaGc!Wf3h+)rLyoH z%YO*)RXAa}A4&l|nfa7W8}{X_%F8*HsIB`)*~5D&n;cAs`o+x>q^SL?559-!$7=%D zf!7_=^Z7vK&E5lkrCt+j&uEWpI~5~&$M;<3uk6OMMrnd)y-X8$xX&4R!`VP`~X{<1N> z1SEw0gK(IX^E)=lgKHT;{|$uar1m%BYxB(PG+(C2YakQ8)!+c0PC{cxUkzC`uT2zh**s}_GJphG^&eNQG z=rXDH%e*&koR9fgA6K12_|kH)7rmFbSLnW4W? zc3#zv0`fO>`}%BtN4a{yR3Wy7H4W`3{imzPh4z821w+!N^JE=m5B%V%l% zGBv^sPYtOrwx<-irS$m8LJ-pzJh03+IJ9x=^|W)DMY(cYtqqm)VJB36IMzP50s_3YSHK^Tr66rUX*>kLA5bXrVgmaDcN zUSZThv8wNKF&BNKhB@9FTnc^}f%wz*dyv3;p>le+{9EWpLzXWSN$2~gkF(@Ha)eAL z)$h5SO~HdAB}9FhA9(*JnE#Ruud7s_l;S;k<^A%gLJrA6+oYBbNJB-i0Z>$X6F(A_ z8c=<0>CQ=c{d(g~KVtNZ%tQy1g1-h*9X%1blYRA+ss2m7BDO8l(!pe~eIX2wOtC!_ zd(P@Z^?%1&Ha71010?4*X`9vX)r)e^Nx3Mrt zC&G3U4TmSj120ZC*Ym*Vp37X4I5q*N7VpJuakP%=Vi$BCi<;+o3%v|8n#jZYw0IY% zQ`(E4pE&ijk?xlf05V#{*YBF6zC1H;!(rAL?Y$VUsBGV3-ul)r$nB_~MjigK)V9i> zjvgr)Hp!R~KdYdXsL{^W)9}vk|JcJq3Y==9Oq?V#Jc)+6*MmXZs=fO#(Rw{J0NmgjLgIp?eqZ={gw_9s8TGz4No=>}tB< z=C#6tl7>9cHeEft#_P@l?4F&HwCrm!b`mLR>07N@cLb;#K;>Hr0|XWy?|;Lf#X7te zJOx|t?3^JkeBB4?&i6zto4TDh8eP%D)}@AL=3xvRI8(xADm`S(qp?w@R93QsUjowP zKc$*KMj7{ef-Lc?9r!2&}oD`||S|I<${Xj29 zCqfAyst#)aXrr5MgCuLAQ0CSEg@6JtnW5HlCsi0tM~;Z&26D#asMZ+fsE_m?Q2b+5 zPdFrj+(MCYpPJ~9`5FL26)QUAwV7LE7ry#2%uypb8@vh0)KVtzqZMW83zJ;+-XxMB zHX9O@#7U!$@PDWKJ~>)s4#Xua>>hH-HdgY9#h6Uv1%5G>Hnq{Slppw?=m@f$7enfYqnqeV3kxWtKkNSv;}K#yTYA9i1$x%q~=O-n24Quf&c6NW8n+ zMY?dStm$Zy_9kIcEYi#;l7$bI1nA0_p**=C=2qY&S=%jwSMqKhQb>b4UjS+M1mwt$ z9Kz8)(N^%Ya9L0#U7+!;fP2IeYp{vJ5=oPj+mJ(H0peT!pFjCgBe^$rEq)07eq^nG zKDqz#Bl9aWa?Dw94Q>y0808=sfF7U$^t{#+whlW29f-s)&kBBl5KvaZMW60%70G20 zE9m^)+jsABwG0|O0;s0%oIGThe95ykzZ03dKjR#glbfeltL48tzOQ06Q|rIvF)LSj zdnn+iVwwbO9z;c8kNK>5lo>{1RcQ4-Z-T8?)hxJ* zei62PJZa>dtWl_|bMLV(w<`GRv!0x(bYskMh*$+tBuS$xtb0B-;b6m`+oPLdUg7mV zVqADJJ_CZ8|5@L3QFV|sA7i}9upj#81$iDU*Q&S9r+ej%@nbTh{3`bIe35AjxhR4| z2e-3LduHV49Jh6J{|ZsYbhmmJt`2w2Tu~C9Y z;Z=!TPjyrUov`vkF+v zIUjAws1k_yP-kwk4taH7yW_&#D8P5X65cJ2?4a9sfJyS5;MWd0Uweh$W5vtY>|aY6 zv%NJa{$aM{oMnwnlv4crwwc|%Z|e#zz|uSbJF zBHuId`>sj@njM5}|LcMIeTulr2-E6O@h2xuB{6d}G;;U8pLTJ0@SN(q4SPD_&AaNk zU7HZV<(~ItH|v-QX8Xe}F;HOx7dOjKYhz5{ZpW=z%J?|2~Q zYsd>|-@HzHKUOP867=zFj$;Sb&X=dKTrSnw`3M9quEI)MUW52Oe<6Qa6lL_sPZE@ z{aoN^CvHu67{3_nihR)s(`1GWjd~dDy@nh}JjK6{GBcF{YF=lPTh=eg883#sRxz91 zI1{47lHdzm^zF-ct+(s%KC!%oAQaW9e0wLjdZ>fRY>Vc}0+GuW%b2IHK&1CZ5aant zFwp4Mj5O(CS4al>XRCyf%Ngd}iNOo%Kd=j*s+5Iv1@dnO;;3dk&04QJZjs|X4Y%Xp z5sSB)n38Ge|4t~5Mxd0s|C~wwnPu)0_@{`uIFE`~{G=YqJ2#M3@x16#9-Ba2k?wZJOr)OsW%&a|lz&$*x9t@Uz^O=X1oVEO?^6ChykDI=GLyuM9Qs+Ssw z17)!E%8yQjjsUPaJw09Fg2|}(&@YxBN5@|b`@n^FV>o8a_1+HN>>W=uB37S{j^Up7 z0=Qk!%rf%0yEjgw4%q|+6%V#X;Pb%og1VDtw8|n~WPci_%O<(TxP0mDyzhC-ha#iW zNPYKp4oTCjK`D^P0J;e#8EY;ktkDwaN9A~W{~;*A_=QL9=(3!A`LU>O_dgSjH0zLk z&m(+68(aBdSPARaa_(pSw#lujZ}RH2Xt7p@XH7H4LiqtUGL5%)JATp<-T;K`M81I9 z^?EEq6~ii?8T^zr1`{Bz8?@;*jhqmwk}j~Ib-~g<>#XQuJ z?u^13+bwCgU2n&oPE~w zThCEfi8q_Aj-M!=ebsS2f}NH1Ye2Kt|Az>331#-<53aFY%#!Qa5UY3|6@#SYynjDA zrqQ;c^XE?m8>N#rCGv3Ji+xy3ktefd2BhLRuPrVw4_*Vt?b&&|?6cd(#c3N7N-ven zH{?3yzHnz>%34`@G}o^eV<7vSL6e@UwUmI|JK;`4JGGM8pQY4mYO18uJ;fuGJGd@C zz)w40E#UFn+808$3*1#7v=U=g#Sb#CBHEyOkT1s#nJe6v=hGFQ>e|%yep(YUsPTIF zs`WM&Uv9!XLfvYtnJudNr6s#3gaiOWJ1UI)g15uR9yZpxaIu*zj%i9?r}FP?Xfky8 zPyO0Z53?gCp|Mq3=}wNx8$wi5&$|Uq+wx5*Peq{%=iSnLTMhy>Zu1PSSM9iEMbJJL zt1sw+L~UdOHdixfB{^;rKLWIMHioUgD1T0Nz*1`oBwx4RBu+!?C(+(I^YlHLxMA8p zn3Ca`1Vrx%f}iIA4XI89LPTnr%a$d&qJjL(BxZd8qZ7xr>%6P2iS4O<0PtEU0ME5| z^R>U$=@0brVCNm~$@#JFdGX;6v zQk3zHq5dR>3o`gXe|%A@_^+PcVIl39n3x>`I;4$sZo*OLno8qn`GPeujHcKo5_gnF?x z@m^itM^RG`>BK|sdY$>11(Bapl`{Dr#SM9xMQ4-XA6RrDF^H^d zD^M~hm1oTi()rB;H6$QuBOtkd}}W>d@oK68a8_i>yG8 z&6raBVn}xGLgwpyh!-A%XGtPt7W#kChB)$l_SF<+l(%6oYNM?trsZ|H7KEwX#rDDP zIR{Ey44Z~SKKhd%W_E~tvSSFOOmsJ_wS??rO{Ke2hq3|SQt+`E!|4L5H4>B6E#mT# zNMeSr=>r#meMmJYK9IkbqCVrNLaM2&t&MA2D%3O}VxC{TBd54A5_8US`|fSl@~pPo zMHj8c9LxETj0f+yZrJBZD%U=gP**&$lvgQ%sWN1kBTF`t|P= zZIFjg(d+b|cx$EC{*dv%v+=BK3q=8OS=(75(iw!Rawfr-MEV=`s%V( zI-C0dUW{5#hi5wg{r*?tNC~~A9YO+^iJmz>7vS6^gq}If_rXNpARB0ntq~)T{zCBkW!*Tfx)6ol+VWVCbG|%qw;;*~^x_wf1m1(yYL#yq0NdS^0*P5|h+<%;*&0cS#mSrr|=kfZzC? zV_(X2G`^W3Kh%8fO>X^J<)PZIxI%2DV6^@*@u$*+wA4NGjCYU(@*&XsRlVN zIjrOOJ1K@^?<33JzfCfHUuAl4CdwFbdI>ejt-da^)DqkZ0AF#2CGsUkqzEb6*`<$t zH`IhJ6msm(R7ZPABn)=`)q!0| zKp9WGzT0DIn0(bB7iP^%9%%AGkUC!-Qh&OfO%vY>uyW;ta^e?5LlO?MZQUDd|?lz92Q%4v% zL)~j1kK;KSaw%w*OV%y4Jw38k~(^#hFby=NhGLxSLg?XV>F9e+P< zy({WwLZW{p+9WcKcZ3UxMi3T!KNP<=annNzOD^>h;u0K6{L07XBYW2iMVl8vFRq8a zdhsqutBrj0N?}90dA8CvWpBKH`SHbz{-GUrZ$XsWQ^OL-*gE$oeib->%TceA=*7t> z&qmmX|I#I9GEh&YBy*(1x^Gz#-e0F1mzI?aQAG8A@~X^bG_gWl|Ce6DzXR3^0{U?LqC<+rYMiBGj#^$KZ}CdqN^G1Eic zBn0+k0r=MXlLIlY$ID7Na+4HjB7z94UnzU5OZwIcOP@T1=AdacJP^l>G6_GHvRSa6 zL=Crxdd+wpn}i48-A2LAjL^`8BV(wy%jw zRq9`R80k&6e}p)KdeL43@jFtSUb`VQv`WHOX4p!Xh?y#=Lj-p;IBj$|q6)Y?A~OF=i-lM-`+bCZa3;hSzX& z69Cp4jt4>7gq8IM4uj&l;ao@~4pj}5SvlWW_h88s<^U+M^zr>8^I@E8gyozr<5Euv+)q!Q&PB-S;%v5MD zKoDkmyAE)a6PD{?+_MObwlQ(sxpTG(G|f;X;2vT6ouEb@r|+2^8G>WkBsCw=WkjX; zFS3v4WMIwi45wvT%=d!4x}@L&Q$Jt{iEh3)?nuFhxHfM>lc>~3C4rbGN0UMC$|L}> zuRhg=F*zfS3Me+yPKzGOhKV}PrO1uv(x`lQS-=>6YzuY>NX>CSx)x0ykfvR0T=|x6 zk4)%dDKN~eZ#%9-j=I7_K>`Tj2)6N4Da%$=|@=*}hklnnu z@wE>5$#gt&f4que+nJ2j9p_ez;MQc9)`^(4}i@;Yvc3&xvm^3sN201LHasF8O_Xk;=8*)m%!n@@jFNh=hx)x2$3V8>0`BPm|hbTta-9vVmz7>z#UM#62>h5sWompMgd zGoQ|_cM{O~QkGlb@teXQCh+N;M(Un{U(peI?mZu}#Q1)N zbx;MWe2-UWgFHi{;oF?c{@sz4kDQWeu9r}JecQO}vc8L&$)@#?VTW5yI%Ykm>k!^v zVu>aSPVl5o|3DnlLav;9obU33< zI$istF3(!{;@Vsu@V)2l9J!$`s~e5Fp9It-IMr0dcgU<#HDo?$sYFd}z5Ns}AN9S5 z>;~m6C%IvZ?Qa&JMWg)#k2#jsvj`U;ZPc?c@uxas zE?ckStNw|R{0|>EOX{ig3PmAK#1N?v(TR)yi(((z;|zn{7Aq5wnmcIjO?(cggKFzB z;&*-icT~T1S<3i4@{YWsYT{7T>wLrF-eq~yH#`i4SobAmvF)ng@HK?0R<@S8mJ~)N zZFjq?QH<*J$#p&bJ3F4LV29`=qSLdlOuR1PZ6ag4QT$++o zq;MJy6{}38>00VW3Gj8h_CyE*_5`kj$R_vu0TRw_>DA0jMV$1D#Yh*buSu0^21(XPL^Dhx}TL_M(tC5LGK>nZ)Uc=anw)rWDh zImODee|z+Qdl5J@vYcGYo&uEKA6Js{1#e_m_C&^7P*qd;-Ipb^aYdp;IqB(0Dn_er z=tVKVAICpY$A3&Kexs$AKsLWn|H`uo)Xg@rrjb(_0!iu~=Q|FckeXt8;ei>%jAt*l z0@Z`=(Gv4^ZOKU9?P4BU{R(!$)ia4rsb``$(AXz`Jtk;J)c(7!$N_D z@MQ{OR{Ab{7wL%M^yl>p0e4sK28kwT9A`0}Yza#0k~y{A!%zc-KB~6S*$PC~Jpntn zB^=&|9ZQLa50jQtk@DK$XI%D>tw-Tu=ORrXcEIi0BJYd;ad1Ov{PWeny{hp>#5X=K zR?7qG`0HNqy#j}12N1Gz2`KEacl93fK2Y>|l}WtL{fo~sV~tquRq@Vvu1;)MOiCID zwC_S0`9e;5{KIX%x-Xp?r5rE`L4%3By*P?lHw9g->X*1(GZ=B>4H`~`Je4%S<`Jdh zUe&I!f`S5m?Yg?&%F5oa?GC~tDD!(Qx9Z1+75eQR9XVF3`2Jn?G`)0)KSO!puU6#$ zc|lUdPR_^gFkdKQ(qgTpmyU2f)DI#I34E!SJ!#m~%Fhb^oXV<+sZ|+@4kSLfV>`6M%FksD&A@S1 zA_Ip2Mnkb%T_R;B8N43KV=|-!up0u7FiBl~+z1fgc0jOf_ncPJar|ADVFIVrDJv2F zjvJj{hPy?M*+@5KmFQ@zskQ`Kp5EY8(`tJ`O&Ti|Mjrc9)<4qNfuJ%MXk$VIMtrSv z2&Z|>m+m^0Q^=O+OVFH*h<#;`Drg7b0u%K( z?ntlp2{aa0Dy{eQ^yClBH2vqDd|`}OXc{T-bk?bHG?T=SovFx(t$xqRvU7B9--6Fv4IJE(Qn#(g5;|vG-|d_v zA8l^zS6IN^vPki3pi(9-* z;%~Vqe;x@giKw($s9Z7@omcig<-lMYGIFdpXLAf@C)V$bx8o+MrmB5I=O*31j}^U9 z?z+{|BF#UzaC{fL{^J+@Ux343*S;0}u@&1t%Wgi&^eK`o5i37_)t3BrM{`#Qp5Amn zhKioIs!;nD(!6>AR5#C{`1n zd^r^pi{qxI=&Tls${E~ktn<|yHdt2sjA~!}#t;9n(lAnyz??~+g0HZleJL%qQ42U!ULj{3;71~>UYFW20k z)XHmrq)lcun_;lCK=bL(nrh0h(1tUpB`u}hgMTaSG8w3b78UKsp6s5?G=Uk;q?cGd z`JG~n37zf-iL>81Z>Qa_4UOtvLv7NnL|Munr8&=(S}uY}Pnz&tF)70?f5uG$Z~I$2 zO^rMQMCDHgYAb`mW~~4(vWcJiC#!V6CaRz*weRSaCB{61ay?GIY8mQ~q+6Wuw@Fl- zH>EOY51PoAI+r(5xe_)6+&sf9q{P)eQUa7}4|I2y0E~NdiVY~fX8~yOO z%&1p4)Cdhd-j|IP8OnZbmo~TTb(5D@j*t5O>c*$Y_*)krGf-_mO|t&-0{BIHbY1~A zpZ?MxlXdt<0c2@qRRw(V2LQYZx%7;zd_P<{*&LC-s{lMjO2LspX zV5e!>&ASiy0kWR4(bb&z)vcis6Q2VpaxH5H)&+jvq*-lg#3QYmNi|u@WB;#kb<4ja zpmiZ!NvF;&c9zIWzce8z#6b~Tmcuid>528*Fat`m=(*WNt5~|niN(j>>|9K4R^KQ! zU@nZEeD(TyrvC7O(+%<)v2}%;y^4ziQ9`KM9@mEk>aBTrTDr|!ZXTi1sI%`LqIJ{q zKPgk<)7aqJ_Eb@W4<_O_it0(dHiXdUVhb#FGgt7 zCFXe(e^^|IUnmNUnS)1GhRoF~=6SnejADaALKG0*h&Z+{LSjpmON;KvSJS__1|z;j z*)W?oJ@)`Z&F9N`!6%nDp-`%obRS5FcSJy7Acr=OoT;5Ak9N#uQ@uib?&fA^s@CAv1=So`4_3{*0n>L&Ho$Wj}%U#yS!LBu^@3 z6d8Sn#MCeI!6K#PEu=(wed4e!b)>9vCQRn(GL4 ztkmmas#hbYNfh%FW4+GLN68!HWxoj8*moYTlqEMNxYp)JDX=VOoD}F)%8O-~wDT9K zJdXS^c+bHZ_`<_m4 zek;Cy{C19(QqXOr?yIIwkNn&8EN_NC#n9a50jayciYWMWn}&vCyTN^Dv_YYa{KoLA zm5lj(wFYLR#`9<&alD=w3^yQY^d-P;jR9T*2<&&ptei%b_roX#q0xRd_^sdD5)MIZ zOB8#~_T}Yg{B)OzlXk?7SM8v&iNDvo|17$mZ&SbhVN$rKpqR-0$x*GzX*rZE>@#jZ z2C=p;`eS|w_0WLF_CY0AuhKo9tleb(bZ4_fM)&;Gv6D{LeT71t6=rbc{HNr=#aA=F zILXA*(_pMKoO>H1%|G4j-JmL5IH(sxm&WX_(x7***eIwU=$XA)Sf8lz(^B0qtxYhr zH<7$0&Z6qeugU>+g*$HW>O0f*W_g`EGC8i+n!M5W^5KFbYHL4e&wC3zNjbAL^GDSN znry$aYgoUI86vS!lxg)w^}Cy&o&yzKG~(vQvziL;)mWpMJP{p(YuSU%F;6&_BOXi` z6=>yaFw@$<#@HQ=S>{5T#Gd*X^B0g;eylM7X7VaL{ZV1QHuWp=ov_#0HFu|Ldu};7 zy}rI7VubU&!uq_Hsa{_}Bxb#%{5QD|szzc(@Ds|0=RI~!q@Wgc)ejG8Q@y{j?_93) z*FVIp@Ywel7Q0R5uJSrbH<3!Ijc2pG;N zq783j^17nc(NuvY2%UuT5~EX7t|Ux4}5Fq#Q+E;1}k4e#i6lX+0eoSTqo z&=FtiH)$EB9)>VQlobr67HSr=3L82nSBlnaW|c#Ahl^)@pStd7+!!)5CqmKO7;Lz{ zrT*0)ySQDu_1bD$ME`0E6rj^s+;{2-m( zo!#>9mBQD8U-oRwTRnCE`M~pP7qQl`cu$1T@Uq+G@^ce$qe_|>Jm>~Z7=^4Ana7kq zd<4HaB=b4&{!`CcO81N;DrnCf$o(M3Wxleor2CEW!OwiZ8eujWxBZ#@k4dDg#-@f; z;sW6hLsNF59}u0p@H_#ofufkZEjSS4C7LqQaX1eVVrSy$TPdX?kvWgJZW_%nzAq}W z4!y!sq{Ll&z;uVX~cGu<~O z7i)TR?E_**kMBE;XR^|YE;q>^C1_~}iZ3j`vC4l}auin#s_CVGRVEhgDQ$Z?0_rOF zIhv7XmatfNi09;djkQneAEop9h4ThH)b$Vlc(aN6HcFHQI{D3aSsXIBOrhHlB&seZGZ z92miVZy!h86vc2YoNqZNAI?0s%IltYYdRKM+|on%JhE@RXa)R$YBW+nV|}mj zlRJkc$nbtRYQ-APb4$HUMobgz-V7giMkZgmHef)VCk?(@(^NJmZo7@kKM&PP%BUR7(eDOBT!M?euOs zhNHrAk}}_*A!IB+B}Z;FbA6JM@VoRLI)$PTh5Zfq?BVVB)P@`B)hp%plLG&Vy=4Su$Z2&>^j0A#~0TpJY5PmoQ^59 z?=rt#zHmC9Z+Zb^K-bgmfW<$QX^e_`k#w8ko26M@TgO0eZn~5+3i`2FkX`ctdaP`+ z`43-)d4Gyub;q>wFD<^2Qx_7$dH60eQuoo4hV?kr`;uN?D@6<9Pqt>tpNokf`nbFM zeyQ_%c3*G>BCM5A6-XDtCY|tDZ(GQanyQo~-Q|=?^w!fk+cfW2$7~NkPAdp!+N}-e zOqbW;Zab-l8L0HNop0ySypd6M?(=-h>1LLnQv%6<(u|I#`|4aKwY+|M;=y9GB4qPg zd&UTwdy7e6po!BgWV19)Qq(J`*O|YGyX8{A=#!s!YQ36tK&qD$sP1Tl{JqvjbuB`U zle^#hQgFWU^6W<`WAq(_Cxdn%1#WiMD4V$ZYvGM0tCLM5h%&5X;n$d2@dtDKa5!F; z$zWBmBJyA0wLi;^yTtysTn+Ekk0^aT1QcREFq|!yeoYva`lSaK;*0GmdzC!zo)ENS zMPx{DW9O(`d*?DdT_x(ZjD=gqG9zEjWl2*5$1~olp~D}Hc`gaL^odMmg!7;Kc{uXb zY~9&y>y*1_zT+9NK{_>DI%=q_#s`|Wb1M$q<7<|trd2Z#I(ubu8LpwJKIUz{fh%Ip zgN5tV%IhcUs!@p+&FklS^xf5lMc#(r+2z_6mkqoroB(ag4+O(M7=box>Yi>N=8;FQ zzJIc*%?Mqw$}jcy?;yRbap(892lvM0-d2oL)9mD10#sM=GppF zo*f1UsD^qUIU7L7bDfqkmUZPMVF|qrK%X7%Gm|vKHps-3yn2r3XxGzBckRU?xeN%G z(RMl$8RRVyQ%VaE?;icSAfUzI{@L{k37MokYD?@5` zySb4xk!*EK=6fE+0avA*q68M%Eo*qYt5w|;GKGg7A}>$;DTp1JQ)?zE&E66@w}<#v zhLeESLit^4H&f{XojXK`FZ(|IMu{bY>Y{)FB4fi{6mch{0dbmCf#l}m2;#a|;ZiW~ zEBVoM$1_6HwlS;88!N3qFZ&FEOd=1T^7nb%89~>yIZR2yf&e7W* z*sM6-EUEJx$Ue7|!mgH@IxM}Ik(TY5X*LI*%jUK>$5TEWttRv9*^R?;g`wUk+x+|( z`a6%8Z^W}JgGcU_EHIk^Q#e5*KRBK|*7#&muRG5ia*annikO43*r;U~6?UABKW-XR z?Jvz@w89Gw3cnT2mc5xMnO)j&Qq9vNkJ@hR?45a5s5mbsAM;htr!)j<%^Kj7I#U%QDrBid2|k@OyE94>Qx3gRT&fX$g}314f}vPD?4}Pvq`qF zCZ{k-M~2OO@lf2<^S+7C5L=jNZ}gy6iEj3>?m@Z@(@0B0GpFMM6~{qf_*{=TMt5wivnbyLryLY-H>9%l+4Q^2wCWhmWY%c7& z91346T7O=F3OcROL>h;9j-QSgwaZH*p@?7fgKe?VoWv!c!KC9XGHEm!QjUprN zJ%mYeLHqQ!(!YSQJqdWQ>UF@;ViCeq)i0>l@p+^|u$XBEzCMnr^_2`|a#l-b0SIVotB4voCV6q%$ zjIzfbSIr-dA>*hj{n~fQHq-UWg=*J-wJyx(IA&wbb?Pw>{vC7jV?n~$%5-5F^Tp?~ z^5cd0X+GrH>59sS4RmQQzKcKTlUqP$rq1o<5SAQI^u>Co50qvuURIut92S9YhFg9Z zug6%^)?P$v>E0jAXq8)4=1O4)3CnSJYdDSXCfMrorKk(Thf$F+wLK#H_R&SDkMr-O zJ$keJCMF^IATn(qC2eo%ZUGluKNYke7015t%w?w);*}}P<`JOsW_w2S;i;y-TSsI> zg}(E%{OL14A(x(hczp2g$#U!7Eh~+tEGFlaM|f6l?twzAYf3D~OITL1J6&X!ukx>G zJ*|rY4u%Q}t*_>rp_>ZNjW5%OSs2By%srU z*n3B_9rpjjrD{}((H1pAQCdY+i4~y~HQOp$TUDvOg-EQns1bYAuBtt2uTVwpReSFl zu_6S?FTL;k`#ksk{oT(w&pA0KpOe3GlIwb3*ZcK;4Lgkk$<0Y3Sq)H(kj0a(b~-!n zUP^w(A)Eq=M}X_Evr_FJ5~wXG!wztLR)_;c8Le_hAS8u|9W1s!B^c>KG$z9iI6{~UaiFq8gJMuW(U-fN~ z#DC1QN-8k8>xr2Rj(9d8!To6(~j$R_>#1^H`*te1FuLUl6EDIbFv^3la3QzW#nJ_(YVYK5w1%GT*+?fn7?T` z=my>h@>|U?)6+KZl-l4m$Zwae8>ZavSXjBl9k5F4FBbVjC({|gBUPIVX=w@M8Em7H zIU-}iU*DkScBlBfJa@7&0z@=6ir&H-({{1}aj9XRX^`dM4X`iIprSca{>a9K2Vze` zdVk)meg!m~dKNsJ^abC!qxnDOtVN@=nIGtT{xQWWciPciul77QysyL}`%bN`k#L;- zuvx~^d5v1t7xnAz6ml18Gc44*X$ZkZ)so{M{5~?|j?3l(QRZW=|ccK-0P%G0wT9)6y1w!!91` zZV-Iz>N_pjPx+x8=0op3I`!#j+mx@IS~cpJOX~40P?0G2Ag5;3Wo0RQt~bJQ0_i@_ zo6lS#N4!BdrA=dQrWD7fLshmmzN5|gpY2199AofKKNI5o*V8nfj>#WJc&(%XeG27KYU=hX?8zd zes}))JeOBPpSLEnpV~swnv-7=uRyh|{_ZZ+Enw0M1L|FLoz+YH{bW4@%?{hDV>?)_ zfv8POs&+Mb%`c7^{fp)N@1l@^&mos0rTd1ra9UfVF=fx}Z?KqEqv!4zL^h}p=elFv zkTR;2csMJ1Gl^rBkF$6&bX|h57q{L@ICQ}8Ulg&xOYt+r~_R`nqr$1vC*{C#@yNSTtb)& zeEN^OdrHJ(g3l`gffboq%w+UrZUbvb_G1#&$SVpztnfck&F3;Rag<%wKQ-Gv%s;3? z`tIfVo}2|&2=EeR3%L37Ox%`6D_lD7oZ1cnWWf0zGLs|n<2r@7g81YJ0Y zljDD+jduCAa?hfS&$TTRz+bM?1)Sn11Jn_`cG+B)B@)kun@_q^0zW$uV5VMPD6=k~ z2CJ1p#0%9fAJf+PLn-Xy&%^$>?b7~vp+zY!zSPW>MxT0|*c)eHZpU5bze>CCuO-p*{w;_=f5qF1>RD98Y?2;Dp2l|K_sUrtVRcULZ@cKb`$fY)s5 z40Ik!C7G9Q5-hT>02Cs};E9*@)>W_ZE^uCZ%Ko2IMnO@Eqce4ey|JzMX2_iow}txw zxfBQ{sM5wZ3$~=xtf=88Zl{eB$8e&sfqYe#otZ&g^=#&X<9|{vFWesjF3+8(#ulUr zcO+-HwX?qYnPArn?qCGU980t4Ne2L=b$|CvupV`&0;_v5oVlE?t^|&CIh)Jy{40vx z_g>vsu()5D#P_S=lF0RCU&c#(c!mu!RtldEe=Zh^<&dB->2e{(>hGSjtcrnPGX=aD zWLH`Rf@#dOG@bZ50PRI4oHEi%4tjr-9(;3+Wt@z2JXC(3VMB=lDK_-;CX`nt&(s48 zZDz|OxBNSaBGOZk^cf}_dC#IWDd~Xgl77#s>=jB;k>Yz9*rQ~p?%)jHO*I+7%)IVW zSl+Xnr8;I6_fk>B#d-*SBKz&o&yVWWBS@g>$;)A6u>$|%l}+7_a-IO!*8I*cF%tfx zy{a6ldz-ny!|I)t+80OPCr?z=MsG>*J&@9bR9?0+&`&R#uGUr2guax-XvP*@x{zvr ze%Cws7KoV5xV>UX?B}&9e@NstQS{mJAUa<>qmRl*%JD_lb1@vscx-P=Qeehyja45x zP#6g0>3bRA2qjBjAY@2Mf-p!_b{-L%>bm4YXnSGI^o3W>qi=q}_wiG!=k<4=Dqd+4 zV@?;m8H$wWcOY@&dGZuOY+aej|p@6=^mt8P+?rLP@#hl$TcA?451L&Stg zgZ1u@yp-!e-Gg(D(k=n@>Ye#RE`w0lBq=Nb@OiDXgZ!<9FUqs5#<)%t^q$w4tZ{-uP=b<52=RsozZrEo0jw(6VLuN(9c;WkE7~l(xfk_6DO@<1?b}xQ} z%6Y6m%2ge0fMuXX!p1~har@8rORn4nxW?&MvHSH%nWe6naG#<}uYEsz#66{`;0k+% zzNK#`$O3T>9f|hGO{nVpHlRhtteAAEJ9f_#r~>F=a&nY71&YSfn{f2K@qm}CdD6Cd z^LL7?6LVdhA?iXGX@e`!L;&Qw&~v9Lfm6FSIMn9D+qdW^28G)n)wCTw^J$J#0T^lSjaIb-G9@^pQ$L6awm1FwN3w9PyPEUVIa^0ipIr*jXP@;*f25+5CHyA&Wb$jNFD5KPcps?w<)|MpMGQMO{1XM+Ar3#kWl06;fk4- z98>iH!vyn%VSF1h>>zMCEzbb?R9xUDc^18oA48Vq{m6Z;=J1a(#_FE0x1GP z5y-711v&9vwg@KyQejT_H+bxmsU!z^?!cwY`WbzWh8{D-;%vMvdLcL688%wK=M|=0 z5>+Irp-8nwjvT24Gew-7jt6P4JX2L!f_A$gHNiI57(T09+sfv*Ic0QzcIe8s<1-H? z!NkmdjC)6xHbD8$ z;3Z~wS)hh5SIwti{%K!tLdLpq!fPOcr@`$qALzl$QtpT^IlvF6#0xCbo{Y!Vedarw z_m6$LT`7bk7opB-^N;KB0Qhgt^Mo}ec(4~Tf;L`@wDkh z-_hmbbIGmZb9M7>{{XP>umwRsK3 zKE@=A1}tzct_!H?iErp{(k+3U%8cU#7G}M*1?n=fL_W!f`oQjMacP?kR~h$GvkA2> zFJP~0;AzI0di(hI9&)AEpR_35kGgP9b!fVWU5TC+xJn%;d;Cq!0IbeZuJFj$uSHe_ z6xrP5`4d~;8IyY$8ao7vj9GiCTHEcVWX5?%10>>cH)YiJ&WMc8KFNpOFQ8d|BF9#* zdwg9X)V1<}^WFk_L>U3k_XW9xDF)PaA0*_82E`jed%!jCO8e!fc#TBJMV&bOIgW(6#W(p#Y^*}n@{aPHhUgE=rP(Eo^$Cy z$St*NmsqYohLaeCkf-0W?+_DlzVyuQN2+q+`&|1`$m79fu0Z)ix75@3Z3)UUCyG?E z)J7dkNg#lG2r|Lvxa-GPQ!U?GZprmd7ZOL2)v&{g78bs5+8{4`q`|NDQs3g5HWzdI zS8k5BUl%mi#)3xouSwS8K7%NaLIyZkm!%BX7Q?Q}Ud31LPzV)2k!_lamme9HF$c~FOYmjH45>qZYu@Ax@O}E2qBg@u7&u2xr)hb+ZPZiWY=(qI5Cp)1;3qiSR zpSBcRdd84lnU~J*pJb5R2Wq9sXgSvB!^;zu$>)9zDVcZ(`*n_6Hx_K7_rWEPOFXFWiCmVcJ~@{p1CS#H_1@Hmk*obsS74(jgeVuUtzde2|GH{eCP1+< zD$1Py#yf%~MdLB&?&y|H^uY(Nfh|!v%GGdPow&b1wHHNk;)Wgvx#?3^bNZq?>u`LE zo6-}|%YZ|Hg$Py>8e}zGl6M?K+dpdQDtga0Z=yb?5vXyP-l@Cqw1L7JISvk>#A*Eq zi?xXo^<5C}8E4!}@ST3TL(k6Ygc7eg{hg|$tp8Yk|3ZN20xFpHh98cs4i63sC`6d}+6R@S^GB&&{^f4=dGi*acqY+oXlJq^BjM91 z`__JiSx=?`rEDyt%)GA0-1Vr#k_`83!fb}_)>UYTM=dop1iaiz`}XV;|He%X@*t&e zhbN~@AHda2S8*uC0;QINR zc2F&5m)_MrCGc$v4?zCDkU=pcv3!YX?_Hy$#@|_#*Fy?z(LEO5yWSe>yUomM_xSnL z1{~8UU~W-B1YVB|cHk|o1++)!0c!EI=fE_4>iJO*#z)yPW_r1;c{S@7H8l9~?+&_u zyDL1P=)O#Lq0NE%RWeFz)zq35=>JmH^oF76`)g){fjaJ)H>>v+b4=C;V6M@>%MZ4a zsVoOa5_~!W(`BlY08p)PDx;&jWkD@0EbBV#9m>~Mf}zVZX` z_PdFIFHiDi^|fFi**ipdEcbdJQl6sDB8>Gq{vl-dZrO5Jn}>x+DyUPeL*grdeeD-M z8F{L=%8b7ap@w3Q03C_G*<*jn|9;m4RvctkyoxXSyb|9i4mT`jB7Ttp>mHepN09ov)+z>H|fvs@glp zOfIFEJ3r)4UdDJ?KaGrBU9>Tb0CL1_`xP_{t{;Gu% z{(V)w3YPXXn!#gRYy9_QZpKbW9h-N{Rj5)W`P`?7=G*|?7oO_lb3uHD<7Y`+*jtr; z&6<*)OV^Vd%%78yHoORoo^`jNJ>Z-wkTHGjN>|jcQqnfkC)62!+F;BnHhd)HsvCbu zOV{e>sVvKItp(4Cdg-XrM_3^SfRwYMO5h=!%o1 zJb$&2Th`un#6l+KvTp1tQ2VZh2E#Et8$4!yxLDq{G_T{$VM4u-x>k$OQ~H%vmBWZ} zQxT%<`n5dYz=-$u&(4_lIy8MBuL-}}kqp`%FI@hC^V~}pq7AM1_K%jO+$ECEU37A^ zfilL*rPA%?TY^g$A1`Q}7e;l$Ik}CkYW{C^f-|6kOEC-!NS1!t{OTk}`J-x&eR0&y zB0#5!#O^IGiXAaJWHe2U+>Uv7S5LHfa5_4u$Yj~GSzd-z2fAhrLW^%Z3BCs`@h|L$ zyatsKRlW6FV1z=J)y;u)&**7M+wFoGF@t(8Az8mZIjnA6OCC2Yuq3fa@=)U-$En+JO7O;x0?Bi# zU0?#I=poCnc02p_N(Jpetfzy~S;x@R**XoMBlho|lK}y6i>MpmNgsiMUaDY>#nC5&)SH19UK44wQ#J?~Q;tAx>IYmP3?eS6WzxdfV%MX6!SvoWAcoFF06L1$vr7 zrg-jjs6A6gbf{>^Rc=!t!h>!$CjpH}QGJ^f%=Z8m9NMg6ViwefTazStLcsUPY68yq z(HjQAiN}qnhZ24lN6mwS!@)Oe*GcMpx!Ap3iWZsrE2kULK z(_rssITfP^h$^tjMKDzCE{-=1EgDR-iYFMr}xv=jpU)(8Bu_s$UVD>t{kvC14)C-TLWu2}7YG}KO?45uuzdZ5~KRfK! zpW{B-wDqccivou6dnNRso~NBaBip~X32uyP27I-EYiZ*R$NEw{TWM3Vj+dW)2&w%+ z)7Kb_=57!5o3^58&)I)H|3fGhMf-2=;2;SfK0xdKI>|t9MwScrot1yXoVIHiY}g%y zT-ST;n#;xMrZW)mqDr0rqL;n*JqC z(tmU-c_GyIFWj2+OM9a4U~M;_f60M8+il>Ve@aZmc=Z6`BT7t#XQE!<$@W>?_-7B| zNVi8+Uw+E!m;LcNLKedJq9w8amqrV_`>2BS`tKjKwFv@bPT#n4&a$}jVS;t&aHA_M z=pOA?f^a?~2TBE6-Qc25o0R0NuGwm^^&w;hkn^o9N~s4;S9XMJG#iw@Iw= zlw_`gQ$lpCu^LWThKpsk8P|$T<#k(!$@_Ab1%Y>1sf0Tj=Vb*}7D+9DwYJ{rSfAL2 zI=`mzz4Z(2IT~>;fqt4LE>8+ZpXSU;3yx}Pz@CC+Hr?`1N^&rT&!uZ%ci-rZ+KX>P6u%=; z>}9w(nC@6GMjMiezIdFy{I+e(;b7R#sVjrMTH}+-)oXN~H};$#UH$#!`iXYZgXc1y zJIZ?HQ=~CNc2e_(B;DDJSK_1he_BpA*T45dFC0!6mPPsQ+%fDB8j5@?gL%gnd9|73 zw!l$GbLj1eFFcqun14#LZ?HPrBWsopPtMfqzA2JGqWxxd+RbDs^Z43_@lpryQS3AA zC5V{aZBx~WQR4>$y!!Cjh2a+~z-{~x8)$<1Zh@hAgUwW#|a1LA^mtsYcg4K`v#e1O5@?4Wuh#xtZ z+V`~jV-Lm#_j)~Tsgj88<^0v?So>JLMHmrf)6JK;$==CuMc8JvM*kwaTWVrk>l75w0vIhQaz3b zPaz{2!qdXK{Z}kIQ;4anHcT5f^Eb$KgkxV>%1PaJU3)Je&6JKZc|Z4exMNArxx2Z1 z&t~Zr>$y>YKQ;cBu4sL>-Cu6=UySyuCbHAV%yZ}z&(+Wpu{eL*x0$%fBE6fGoilAx z!?IV-{=XQ`|FCPiMP3N9kDtYxo4vr^V*;}46>M4yMQ>M#8T{UDYT%d@QK5mBB8Xo; zY?=1%$UB|hYgVbGQK)-OIzl7Bx2}GX`FaT2Hkw2#H$L-X+B3z!`=ojC zwxH+CIMF)3C?3_hbR8db7#0>DPZ~ITFBWc+c&$2hi(Y4_<&faYC$P3}DQ_>1u{kCF zi3Pc!qUqH8Vm=3oO@?|+Sv|!W6{|YlPU-?rM~@XqR!rVCIx*kg32^>iiSoguvm8@9 zjxh7=HIW~8rF&a^_dP`eJ{~tVDn4gK5eI{hc>X+^SBjY1SHhO71~=7P)T4&V6q_Ee zO?!P)8z2B`MO8Z9V`XUO8WhfA6@$cLslc;kG^ zo-)NwC*77?X(p5TQ&MBYuh?V%pN)-r&?N+DT({IYZthmoGcv#ouXD%@=y2+>Gm@5k zj-dcWl24xKoW!L0^5R>$WWr-JKEOJLN(O@Whi>0N4+igX!BWg z?jct!>`T*6#UkaGpq(UV0=p09CaJVb4@C`U4g-NAM3|m5czLn;S73|Pjr$a_Ex&ju z0>g5+Xcr!vt3ogw=1Q;)=}#xVyymIpnVpsazFC#qmoqM9KjCN=-21pt>V;{1e;G!7 z@PNhF0$|o3bli({*)qRub|Qu%P9@E!Aie+eB?954>4z0> z3N4zKJ%S3gUpVBO6xQooOp6qb73sdXK{yk1?Hwv!nG@kmjnF;UK-f=|nLbsb<5Lxy z3IGPvO}1phV;F!!*w_MTa?^|M{o#5SC7N;MxF)~R>PDw-2$yh}fVEOvHlJG8JH`4_ zb}n{N820y+)B5>6l&Ilt4gHdYIPhjSns(UIA^z((KDqN4vI@G$apMAZJCbhi9wXD< zm8Ue{Ius(t^DMxBm02F!pzbk;X_NaLRNF2o z_$vMT>{7-nolWw2%8#PL%NB!|?OcjFraahlD&%QWi|QIF6nDeIS?fl?KhRlUrWepp=8?{+O(3F+6VamVr7u2zv`A~!9p|82xYzYP+tw{Pp%C z$p@#d$}C@xQFPwy2IH%l;kt&*t8a+uIPM6Hp!rL|U;Fh^ru8sX))Idxsc^knx}bhY zV!E8~&LR80NV?t-ODsOu1%+E)xj{ImfzII`L`rv@(d%InHegmT_0J1fphS^h0G-uJ z-~y|86z4vM+VxF?qU(=UVlU@wU}8=r;8I$U-TcHVQ+My)1Ry(sSY?6^^5}3SbWA z=$x6{$8<(X!~yn{@c3wbIHKp<$RAlOX20PJd!%#kVa2g7U)eM5X{ta~Ka>gZd}V zeztv9t+EwqzNv0G>xFOPz&C1_^9SpQSk!_-?qAMTL3sh0MOO0rIfNF}NYpy7r>OJTO3egEJ;g)*1O z>p^^_13m`GFXuCi-$~>bx&h`X&SlBupFba81QT!IbhJ|Lne5hU2z~x2Tk%?`_^ro> zn3P-N#XJqw_E8JH;22gW!D#j04}{BhEca&dbfS?wdAi7Wz00fA&^v?ly_N1HR2E<9>e>FE0M$?Hc=!)e+HVy*EIJ zVSBWnW8I>ybah|!l_gj4iocZ5nIGC7%0+!fvDkQ;sHrNue=s{Dg@qTsf$~go9Yr{g z-EHG^bs8Gi%_r+ylz1}MPdd%Pa<7m^;p1c{qCL1Yu<>$-i zk!5Rli-e=qu5YXHefZ_#6IWs2?7LBEZ5C6f{we6g<`)-tr`&0$ zKg+&n4Sn+@M^Rk;37-G8EOlI-VXYb{*b6haJZ7pvQ<|GTp)DeX(KPD~V%$@q-z-#~ zG%Qg!shJDne9in#OWnn7kW0C1{X6Oo>TZDR`0lKu8_Tyb5^8Mfa|HbUcHk$e*r3vLqGyxaLmN=4t%lm~#4 zeO@h?#qi<_iIFf6upCg18>&P&;JA}$Jz4#BbYm>K6XGl2%dVlLS3kttNyKuS7$+gv=kAY9S9VGl$?Buq@He2BDh1EJx=&EGHD3aH z9!)Lq^q=ABJ&2TCV{ktG%EPG>T)FB|t^RM~6X3xwJBrrJEfW~o)nCh3lY%rsi{-gj zH$K;UBc_z$3sS^+AQvCS-MwezjT4a@T}|I|lInSfUE#<1)N z2xFvA??-M$sumZLGW8O7<0Tt0)0g%neDE1{(M7^?KO6%sPH5Ax}}4jZ;?zs_Y6MAmbGv^ovqa#t}aTP z`GaO+%ybvM_|yFdS!m4gEAAQ9fyqnzRArUUkc76_JSg0!_MI?ISXgXjul;0R=U&Nt z?eoHH;h559yx~njo>G&BWvh;G13r2AX3aAHlgj5p4(JyLEa|&XtR&@!w&;5M)EM^g z*qx4UKQ>I+;JUWAN6J2VQVlI$Q8^F&|Ro7mV&uA0-$<|)Uw#i+ZCN7m+< zv#{l3>eN!_5Kt2D!=LUR_tISluGhYKuUoCBkFVF{8$ZeTBhOGma8Y=0U!*z58tq7C%lZ_xHiV_AjJDZEn*1LfUfB;e7!C}<~Z7O!x2H40*pu3Ff$Pwm z!^wE6^=A2d4YS_dKY`y?c|w9{V}GuqShWp9 zGj7MNd9ao1@RKm!Jn+w`=!)6!KMv<>0VvYl&j{4B)$W#Kn*+UgFpSJ^w5R#q6Ahny zT>)}PuOODU>EukH5s#syKw@ zu5|rrO17%qySuLijh5|S-sUQ(NrR4E8P0r8_=K4+Zy_nW{8UYQEdDP?hkyA45d9b@ z3IUwO#tmKIZ+~h{g=y$okDa=#rgC+ute*3v*xS8E5^j)0a!OE#42JR?}ZPcCi z1k9D7%lmd?eQpMyV_?$)&BV~^RzvnmohCf9M(V}F3b0xSLDWSjTAvq~G%XY?+M{g+ zeb?H&Y-GW%ojw|DC^#a>w_3jG>|=&+`NiUZz$m8QY~DuRcL+i}+tWueBiw#IM3Ffu zHpP?D4${Eqs?J`MZ(@Cxr|*IIdhY%2z!k?UWS%#+#57>0|- z{YU(Fx2ke;sV$t4jNZ%V=7>QwBhkKaX^gubxAGFzK(Dq{+3dh&eg%9~l7 zYF1mi@5z?aHLS-YY9HT_p=nENM1LOb^ZD%%3x{7x)eOGg?LR}TEUsHEu5F+N(*wZk z*L(-}8)z?-hURHy6DOIDCl~>(8NRXv;AsRmTBTLnS<>b5So&(`jLrXPM~bWbFNgsf!n&T+EyD`qCKX+ z*p-fq<$)H8tMRw6paUNbQ;7u=zl*C9<3@)iO$BpT^_^0uoeO>J=5Ez&HVylGr7USz z{MR5P8glD2m_@_Nfwx11-g+e}xnbX-V|B@!rKa$vu}OsUHXy^LsgG$sP?>fcm)2jm zl3Ia_LZo5mz|#?aBeXPN&jV=+9T}2dPah{3n_*s~ znqv+@Mh-(j>wjj?IaBdHGmD(cDS;c(-P${WNRYBS&DXwopN!x_#mBDgoLHU_dYgGK zq?I-_ZkhbBW>A8;T4-<_BG>Y=TLBGO4w*lms1jNBj|x}0Q`!6;OC-JCtXXKyM`Do^jD zjp&S$IN@!x{>a9h3@4#8Qe3J6buVkccFC7<5y(0c3tHWt{)rFY+QIMGH|>>}7@^+7 zOfC|ChTRmgp)E|_{bJi~^eW9msH9fiC|h1p*1BqR`m<2+@VkN69w(2`RkYpJZ+e$v z1%-NT$4kq~`d&L7N)~>>I@&G%$m~RH9Xjm3OR3D2Kh1F3KI&rmZ<&71RQzRS&DWd{ zHm%2V4OprpwhAx%dULx@GfNS_YD{}e=ob*BjvS2~$KDMb*Q`068ODfFyo+f8YRlBY zPxg@dmSar;q5vFoh?C`vD%kw? zuET&q^NN0d!d^{W3#b`8d%TF`oKD}X?W{EM@+Hj_;<1~jHJm5u$GPJDx7@uQV{QH! zQY3pnAQZHKHol}?Sbn0n06MxeDXUz{@Fs)Vsr(1(Dmw&F*mR*j@k0fZx4O`fxz=p< znPZ31Hyo2bc|PG9$&d&p3VfCjtF&}NV0%vt#bM}IyeI6yv?>c#F3k8D-fwAebD)>? z#@RsGDB{oBO$^Ng=ATzW+WGH(X=?wWQhKQ~*ndvr0nXb0v1(h2%Or1yH~^9QzB64S zNaAPx0GXP5hxxmc%PZhAr6UkP=8a`%xadzV;Jd?7SBB%%=(h80vG7h!&0XXxA(=7v z@AmOJgEv3^P0%$9Z}AxKb)pr)yBR&eRN(2le0oeI22Bk5pkZ6Fm1z9O(WDyl6Luay z*_5VXb%(K?$*wvealigO9`^rz z-b>^r8M_uvzqd{^$S-wr15IWYlkPZvp$~Vi|slmW5lX;Ig&|c-?48W7y5~)Z);r53@J6r5h#1Gaohnvwrv2z67M>EZGuoV_|~30VNs#~P2-B|wO+R~vv-rx^^oe6$3soH^ zmvRdoo!C>f(=gBo9ulDG@d@%K<2uas2zx7xW3974b?mpjNPjJ_xXeY;88rJepOO7r z={R;N*6MuJzh|TRL!B6&*6_Y~;)}{BNU(L$l{K!74MvY9(e<6a&@?;v{-K3U82zT@ z@;Kz$vAp}a3LLBoxwqkCW@)E^SYEUPuc%gTTbe6zz{^QGaCmYGrJS=eDc_I~Ls3#X z5OBYCY01+;VrhSK;t968;p3=3s8C+E;c?TA0n}#k13OQ&2FPxIzF&U<#a%McZ)!mN zh`TykThm?7ZgAPOX~s>8s4*v4r$ow6{=Z)fqDl*2HAI}&jh*-RV1g<3WsXJ|Z99V1 z)w&?7rjubI%H8v<@$b%N0vS$?K^N5Lqh>WuEk^l-wvA|FQR`4| zWicHq)Jaxxgis`m`Qwhgnot)9Ae5b`@2&{?IlylZoxAXo=^uq;kA?TakUy^I-a_~- zgRxAV5QuG!caf8O_IjxJJ4(rO9^d%~2Gd>Xcl#rPBm6#;0;^M*!zL9q-9yTL-x zYsld4D*+*r<;j*mXUq42)jApb^459K0;k^gKMM1CJB_j5Y?Z^}=;2gV zqN!BlspCyLFRZ>C!72-p|EckHn-kYS0VV10s|5Wnil6#yH^z?9H~C?II_>uVkutwK zL2-WV-t{pKjEs z?liow+xQwbl`8EvwN*Ip>2%$s*5-M`##fCg885@ap&h83YZrfFRlI>|zHQ^?nK2Aq zg^tk>b=oei>94FagZD{9=wyi4#m-$}F`XGJs;TH_JN2%sYtX`-cb^_kW5Y_E?225r zQ)MGA-^E<<~;d)s=vos`?fv+ve>$ixpGd|C?& z6R~5_6Yu$oZ@ORWSUu!(x`PQH)QXzsC1c;?+VeltbDL;K>-fnufpO9UjxY=ss1XO# zrGr9FHwUJI>Cc?c76Cf;iKd>fjqHjgrh|Y-E!EQ~^c2_rUa&CZ`gh45ru8UXV=3ps z9H7zwWsCD9t(!`u-;yqR$)|@MmE${KT;q6#azGu|jA~Bw{KPMHHvqhKWCd(CI)BRUr%2zfX=qRL?S7BWRz*~#J&y5ZiZC8^?nE zvHu5OOgc|BYgDH9&CTZ{uZh7|$7`TQyvlcs55@w`f;uOm zem~NO2>J4;&wIF49Zp=%agQ0XI?eR{sqR=GX!_ginW>kPtQ5$wA2FPHJ!qFMS{ilcCXjKToJDY94eV{aB zHdx-KtS%>2Y)#r1?`Gym`c|b=Y}V-`??%TFyFTm1pForQGz+FG?0b<#)<;!7`sb;p zX2cY5gX!C6^vI%`h1HQ(a9z>g17;!eY38jx&!UuZ2z9W|;BdxUH@2q7*UqAh6KxqF zZJ)V-g#Di_T$|V;wC^bmdUd3klpIA>)G9+AzPzh~pu!|ucxNw+6&z?|df;y|#Tjw|<$WJ5#!Rs3#LFvg(0DFBpsOmTesRv`#CC|-(6W*>GIaV*O$b|jZ28r~c ztYm;)q2lrkt;qXCz2(a&9=Spp?X{u`SEHP{xLi%w=Sl=SW}WX-iyUm9?DPy6tVl z3Hjq8fas81O(kXHJdpr!2u|~4yHyT7n}P3M;Lsq{#q8cqvAG9cM~uMtxF*aPh}QP? za^v=FaAgp{+icpVjc)ps#dL7jV*sXaIeitKh&snc*&X&t+L;lzSQ4SJ^K)lA(~(kJ zNm&+Q9SuV3Cen|VM$Hb;X;eG&)$@+iDaCHD>1?*}NDvzGsK%j|;N$Q^3*?wf*bMi4 z-NYH8(m0OZkMSI6Afn$+T&9<=ylA{NxLbK_h$f}T8Z>;nb<2+!3>llxxLKJCK|gJ4 zIaz_Ej~&B0Ta}D&4UHLDr)7oirn(K-6_&{4Hl3l4i$P>#etV_|B$JZFby$Et@_gbl`F5FZI%5EgLf0>kOfwhk15W=~qyEV2 zYC#`SnEFhvIur^^0&kJm0V-O3wySF}HRD>%vn1r97(;AwE%h87HK@5fU+)D*(NUTq zlKn>Y(EJT3#L4;;jDDuHSb9I90RUggJ1(|8F6;>MTraL>t=<15^<|dppyjM8vDvw% ztK%1ukYPCmB4S|ZCj-+}-~)>=_6<$vUt$@KW&}J9TDoCpkn1c-m41t$ooMXy+6Y!$ zRq!1D5P#vi)e;imKN%-BoI@{a6iDBMnev^4Y#WH@4TnahKC#Da44lRAx) z^dsn@cl}`Fi?8QOx60Ut8s7dh*|&C?ln+jSKrQaN>qP4iT3*`-Ugn=|4q* z9-)TJK9r566MqEJS#RN`HYSB8q(bZv{i+vIZ8v2HY^B)%X%{b6%C)yGzLT^Qj=P5R z#~s$YXw{4G_rfR3%T0YcB3QWGPOdPYiK*D9c1C2?S^gOLwkQ>=C0h_%TGV+K_nko0 zl9ITjveOC_~Sgc_)DX zvF4nAjh@5;XXtIxo$*2X-_YIk0b#xWo|)O=@MNLD_LeLzFl@T<)L>r!E{4H-?3IJ| zH1xt_y1-4pS!o88*l5YT!M;aW=MAn3n!8B%(U^fvcd$GCX+Fpq066^!8hl9yeWUKaW6fQff ze5;<7B()Pawdp-d$nIPhT?(HIX!0~}q>`uyp(NKZ zmW-tX%ce%w_N+U}j0ckxo$2Ck(MqiyQfrcwFyP8d>t6~^h+{m{hzj`Do@6PC8rjPI z|7)ddnL}fZnwla&eETGiz!D3%Lqqi!p4%D%WiKRl_r_ZEwju)BjGgG-_OoLW`tJ+) z!6`_G_sO+QaZji|DX<(dnO@%)J59=pmooMt{oP+?38ysEm35<)p1u;L#g#FBntFZ@ z4Ks#(hb5=0V|56YvL(0Xs^@$*wO)^eT3(*BJ95=<}&JY16`~&=il0c z2F*2}q3mpI&PqWjM1@Pt2j2s1mD5CNnit`tuH=FP90RK!Z(Mq!@#nbu^85(mu;KrZ z_uWxVrt7}r-~f(PQF;+k&{0H;lmH1LO+-LslqxMsfPe@nEhM0HX(|rA2?Iz6Arv8W zf=D1BEfhm15fW+$5Ze8i*=OI``|NV&oO{>0Yu&Y2i#J*P!S{a8`;_1B_dIXhs3Cz^ z1(}P8eK76vbbZH}XMCBqEKbU-o`9C7sX

aS!EL27I+%ohD=0AhxTPeBAjsO=#Rs zJ+r7JBYJR(O=iCmOYV)WEIw#h7(uy1`dyol*A@5x?-7}@A4RCYlsd7~96OX36!67* z?FGC#O#NXeVd9I~%^>Rl0GUmHI`q4_D(TuzbNayFe%%$O%Z%W0$W4GAhd)&MSZZ9m5#XYTpdOz!ifgg1 zr9ba9(gE#)=Vt4PP{_l@Z`g2%wJ#=00S`8#cbd~@W_$eZvqPlvpZ!D~f8NKcwy(4@hLw9PcItm#sV`_7Hv{&AZ>pG_BuZx?HJJ7pv zv~D0{rhV+1u5SGL>HW#ytg*|QIn8{!)Rn;AmFENw*zU6aV!iz`ffK%oY|>n;$WOoo zpm6;n8F{q1l~{Dq1HW%Mv~9xIV%i21GPVgoj*MKT1Gw7<{9^3xCfitU%HykBt3$~Z zJ^P+B75V<8Qzb=CW+`~E9MR?Cov?H5Xqqi9PbbPC{gN>*OW3?7EJLub92BUze`dOP0#{6tLEp`tJoZ%9&>u)z#MC#ktKd zqPX@}cw0r7xqd7puQ9c92&_&7`Y2K&BX`cTWK4Y{qWA#sD$%c?#@LEgsy=?X-f<07 z>Hmh&zOg-WuYi|{UEU>h8oh^k@BbiBRo(cgw6l6bi2O$XGC~g7O^R0P!5%zt6B_`G zb!V7X?KB3RTMbQ5O$b?!v|jzFxcqsW))(t@6Fc{Kb!?e~{!3{9R*Rhl;u zeJAgTkxJ6<=+Wb2&lmPaYN%wKtSN~rH{=w`q2bMT8Chw0k9M!H0_i$fOo zMRyuj!_C6|X09MZu?PoUS(%+eH6@vSI;8K4qtV;VD*+M$$W8n}P?^K&`6oJI603bq zk#b0SQGVw-)F?kshW{F5x!t;L`VHd7bVyRIpjXQfw?rs>UbNdrI_^qD zNaK^FRVglXcx`cnr^h6Gj|rPe2B999fLcgC^WO8Ks_T}K4XK;k8#AeP28Ba@kxT(% zwsQ<%olzH_Uz?2n7NkG&zu`@u|Aca1kv^L1+>}kvj@|Y_?un3;{a*m37}E-Qu%k|d zdd>FHqIal+UP#8}RvMT8aNQV^wDX*iB>-)tZ6}+4rQnuP2k&TsEZoj@dt;Yr(a7az z*`B9ON*;2Q)TA#mNWWU!Tz)d)w^R{_JU}puSXoK!iS}?2IZk zxZgmM8XJ9ninA=*nP0VWvUIK0RxM5L;6hIXRQD6qkhdlpfNM}AM^XX<@b<{1oo~3{UWFd}*01D#^6M>uf0N>G9nwIl&{@aVRL?iSPzrv)QQH8hx z5*<3EQ{A!ODmCgU4ejh26ZA$-iEo5u3|GhcPo@pN?U0DPe4!4z@=I%;8#lz~po-~S zXt2XqY4Wx6c6Bfavu`=*;rS)NT8Yy~N%tc8_g4Zr#O%|oRY-xlM!Z-}j$t~-h#ENw zb^F;hI%p(P%Z*nN3)#QcIFi>U#Gq?PZq?i;kal;2KE`$km9JyTxq9+Uo2{< zh8gT*obd)M*2dw%O@e$kSxAEF^>4-hlV$zE)?n9doj85o?$-;{*Pv!nWGchdci+)^ zEL{f=>#uVFia5YW2>r0^SP#APt zV$_$MHUUM`J4S)j)<64(qle|QL9i=!V+c|IE;_VejyI*9F|r)!wUE){2-FO!)w)os z1`TL-EhuhaI&Ua8bd8A|tT&w_1rC!_)DH?6J8}C&^y=aSW_c(N7yvb&TxEy7M{BC4 zRkV@qSHaoIJ7s%bBWd?*UkO0H6BzHq0E0Ff4BT9|*{c#;S>hhBTwfYu_;pWLALYXF zHBxt~yfJY`VA_2|Q?~r-y$vr_5~&03IN|##Y}6=VwUCiJyexm^L%eCj=C7G|N&+YH4s{lh{dA&HEh9mqbu!R|0O>_#`8N4MFD};n? z`aNxHvq`bwLNLNXXpWsmx@K4-CaJ@7SBPlaWg+6Qhq2R16UR}Ku~%`A#~fL1mqTgqtR*y#l8~S3M&mN*ZRc)f zPR00bgA{~U9d4Br5neYqZXO8k53E4g8ghysxaFDn&x`?;nc6Zu`J=qa=;zcZ?Sn*dknMz(nMjmxN%8^7FfLmncYaxgg)`vnTib< z%5{FPN!Uj1?~Btgb#iFfR9}X232OD?gk!AlZ0jfh+I3!Ot)Cd<78gF1Hx@X|mhy7F zZsK6dYuX46eG(QR*Ge$kOYJVmkPEkz=gVp8; zhM=_A53aUO77h26g^62+W|6RH`k5paWO8g`pHQpv!lL60Ft^eL}M6 z)~oF0kTdb!M)Pumci7~4J?-*JmSxxducVhXKfczus=L0ZR6Oz`cWxZa%O;3F>A1R} zufVRDigc0?SCI=h;{I6GY8{v=)uL1i;&g}DZs5bWBRa14x*J+Q#iL+iaN;XViD&qs zHX$^LP?J8~_vEoS72L|TN>KnK};{9t1C851ZrhQ#+j1-OvY0`^xzRY_0t>SqGIF`KB#Aey1~ zN0XgqZzIRTq7N^1m6G%L;N}46_?|#s+QTVTZ!F4sWbC)eyFOOnJY#C*-o8>h!e_Lr zhg?r#Jg!?>D-s!0deHs?QR)hWr*zsVq7>ogL%TTo^?-3%^L^yyhF|xFRVRjfz?=1e zYtx+>HwF?Yz^WDNwOw<5;cwgwB79jgc8e@DUB_&S(TASTEtR5RgV0j!);8fWw{I_J zx3vUhjSq;1yIx~}WCx)N1%}!mmLtl_03KCJ=tmcmK3A>r1UWSI8>(0Ay-)t+!*bdH zR_(wdp5ZkY{cN_;q4@8B1Sl>)>K8?@xBn_QLjzEK8HO%Qjs-{l9EJSl;fn_0$(x;U6Mwes}_4NfS;I z;OQAxnqRA!+uB$rdg#@*>4QNowXGl;w@k(tud!{Lv6=l<;~-MqYOSsE#d@LDxBZ50 zZm9mnQT`OS0u|5S{6mvi;&%tPOAhV?_N;*rR^aC^&}Wj#C;cKQ5+3uZ`)8lh`O4EF z@)bIX;QkKuPdz+zj=er!ZjCVPiw45PPGakBTP5`AyeUD*{x5G9z=J*-YP@ps+-r5ogXo`Ptaxs1LQ|7;?#W52p_=fRj= z#{*$E~etrU0nL z@U(HfR`nGqkDV5O_MD7R-`4|h&+#R{;kwEh=rb3TxYtJh=aj0Y%uVqj^lpVs)h`!i zGLUmdyM`*;1AxBAcZXp9Ca8bIAn=?T1l|14ADTp(tqzZ8o zoNni5`5Njqmfo5i43rc~H?xtJp|n$SzNA^pIUmc(#fi#*I(yPDL3`L`-_3Wmu}1U~ z6}VyD!a`xfH@?cQmLvxSatgGfCs0YnnbS5 zCj1VtTi(pv-|h%F_rx!{(7D&8QYoBB+m^B4>K{mGhG4HYAv%?q1d?Jc18xt%*7K(YJ17VTN16wotlyPV`jY9+|d!&nVEn8x*MvVFH;IX>OYMWxIaP)mkR}3SQjnoKPuC2r9Le_Yd1W9;j z^J&qw^i7Pn_|uzX>k7z90qn{T`dUzGtAx|R_RxW|T)>F_=tY~=51kc=#ptJQ0UfGi z#|}1Wj1H#%J>4n4>z z<&5?x7S~L_q+JfEc!XRkA&3gE^-Ag^nk@Y-0$$n}I01x)o`MZ%Yp*-rb4)&C*J`HX zL){Wxj&>||FRYnfLkOrvtyS1Ko1k7W0veg!Ub7wQ{Z#=Ad}EC+I}bG{s8ksTr!)So z2peb)#BFA0E3dH^y;?X?SwR4o?!Ve#R(0Y;s&>W~#ak`+{Y^4^4v7p#b8D;%K%Otz z>VwAP#1D)H%e)_C_v`~j$}^d1+2e3(Y29NxRYrdXqH%X{d30nj_~nX~WBRz=j;r*< zr?CBCw}3`5Mql<}a>FPltfm7Tq%Vv3t24g`%DAHo6GyyCx|0-267PJG(~`TZPStA( zp1;}#J!{R-Ch#KLpt+<8&@>VLXnkz*+B@&B!%ZIvv5hyZXKdkO#7+5uO_b@7#-*O< zLfL&>6E~ytjH8nuOxAC8N8jJpiDFd zX1lLGcE8j!7i6t&f5J!tp}>z$wTq=WD<~GS*28uMR!4OKoe3`Ly6_5)`aEa+pAlt; z-`BA4nbkZoR$Zi4EOaAMFe8KXYY&q0m6d)uXgMxdU=-9-8VYjWh-Ezf4BPH;Jfph2 zdwlG$Y85_diXE}7f4#JO{IV$NQ?&zDo0c0~&24R+k^S{a>&6(>yqbFXn$%kD{n>Zi z4FM^jwTQ_*68ee4k^OS){-7M9K4N+3O||$+I%8}iV_<&|3{*kt(~?Rlp~$rh*6OlI z6Rvf#%{{mD6w{3C2i3`wxd-cxF^}f_M}XuLQDT0_ZNn1oBa-2M^)Gxx(^K}_*Cx~M zH<%7*>V}6Z?jPw$MrWZj$*BSIneb!frQt$p45F>R#2Y`ClQazMei%2x9$X=jl}CdO;876D(gg_l5CRkSRr^(>$uiKB!h zjJxZuvB)N=f0tsOZBv08XO>=#DF7eB&bfyKOD^~2NB@{$`75H=L`!WV?TGan7FM^r z?rm-sRWCvsTtBYrY|LZSF%qd;{mwnA?v9^T>63d2g-ISx?ELqGrhq`&I>q^9vADue zb;WfDe=~0U%bK>tU#j96Lx48kI!a4Y*g7h^cb6_E-!G-r$YZa50-3zP^OWe=5tXT% z=sE-=)WR1=3Z)c%UqdhZ(fmYc%9?IslvC@yN{?K6%*Oa~8q1?Y#2c-dpyAXCMZ?Bw z>FF{ZdIfMfkJItyc+*Ry7vXR#x!z^h(~IjK$LPc(rcZjT8)Br}EBbb+V)NCCjBD-r zGKu?M1|FdhW?z_9fd-){dY^cPTI~AN$Yp{8++E?im$DS)dOJXwNkqI|<_E%+;Cup) zpyl_#YD_nwQ7nDjE31QN1QF7!cw5@|s3Cqz+$A96b~16f$Vw-hF`UnFLc z5k9wG@87xDPME+zb|tw*WhHn1dXQq8v{*>rasULGE+Eh27s||4pfm1ocomgnxFd3v zm{C-)y-rw}!zAqB4RSX+M}50;CJF*E0F*9QrT1?x!%|Z|R7zt6k@<8{rTW&Y zzXzkjW_N+-z>XVzy>1h`gf5)b>;21qZ6VIw;q*}*L>ZRKGmlw_e4|{jcMag()1piF zS!&7gk{RIq;ZSTAqyo?Yj8)GHp>ECV4wGf__8C|0f_T^@)fY)I5brB8iX}yNl~0ni7p!f#&n?V(qtH|J3QY7GB=k$B|$$c27d1)MMsNFoOlm3ZG+pAo@R zBeIktn#I2jQwBU8mIpAHD(?s%KMAru ztyUv{Z5c?Nys#pf@uK^^ES!SnMleft)&YSBHL5k)sz1J=<{Rrbm|3cUJ^xSage0LC z_R;KNSZ-FqHVwK)hw#m!Q%}Fwf};sLTSXfk1iRv`GREa}kqpR2N(OcnHTEE%Rjh*C z*4DF2^ut9d!}R?TExKZEO=Fe9D>21?%2oZla}*rm02XQ(=^RO>qA3?sh=Rl(Oc^JMLrd2A6&igXlA1W8`XS>V{Gy#zW_}3s&Do zUBzXibnaJTTnNNBI$A>_L!oM*LwI#ONpNVn_L*Z4denZ}iS4|uElZ0T{$vDQU?nSc zhv&OaVGZspN3rs~AfBFx)+;icE?$Ts4`sd+4CwVeAS(s!F+cVu30Mx{Kmg|w5yJV= z8sCf;YDH$Qrx)!#w~gi@B;tuJDS{V=iEAGhOH@C8v_%LVDpPb19ZyGIeDc3>JeimW z=?81J?9YXyp0wGq5zLB?{`maRegxIO9}KKU+(X^sRM*gt<=NB5Gx$a>KH}!}>v0mz z^1ju~g@xQI;)U;qKcDPK7Ci1enJorlLH6wIV$!JFYaC)PAoiDL%#}9nyRYPW_v(&a zO`=wuxlA_MPL2Z&x1CLB5wf4S?^d_v4mz(K8Ie=zoIF{1K@E z)*!vioujmSr-mJ_Bri}4?Uzz;F3OgpQL@k&3$Fbon)Zi|g5i`f5Ph^jiQn&8&w!@Q z+tsp1#kOISU1ez3C_RofDU=$rq!NznNZJ}5_J|nY6Hm!sgH_;fWX_#}`N&U?+zgAE zYA>6^vuS~Z$X4k|gxc@}ZPE*4?}c00e=&%S_^#F}osvLD=s8vIPXxz(hiSDNUHaeWy*E?%ils zw>7-4ku8L=bK`_Q^bqVHNo{*#U=Y5)N2*JlP_={I_Wx?4>sA=O@g~lbUgX-;C9?9P z&e@~5Uk;ytqcdmee?Q(|pYxwB5{16sV69L4=}VHr{BWkyCkL=!2nB3!#QmCS!PO#O zKCEYHPeC;DR?#nvDC^cY94V~|qIBiP_K`bSr>rz|(N6(qO-+*THICf;lKXR9RZ&Ek znW`5hyp;-G-AQJ8y5QYO$`XRs2#7q&LGNv_kzS$5bd7Y^{^~w zQgsb#UW&dOu3SwYy!pjDjU!o5?uo~K-+uFe~i~} zyWu9j4s$agiqs8zmZU4VGd+hWHBv3uq7dQkEn|-mB0}p!>i7rnCO&RWUdP1&aKF2-R$?RjZV5PY)lC*m;+TF%CDZaqmd}Tqapm zT`PcA#3#{~?2-(M^^{;sv*(%~RVLTMd$t^h$(y2L-Do_;v1u%;fd%!n`!^Kk+#w2s zdU8SaU!gF6*Dc`?-qa@JNGNz>Y8d>hdboz%YwQihvgq_aAZ7G)TmCqpd8y}HSXO=v z@ka#n^?H98ai`@lAgP|&!HLl#JsWE0 zBM#>j`PCC$BE4A=t-@2^@6A;TxdxjU$=s|Xgzou&MMC$-Gw|1S z(`}x^w8`+)Vv(@_i+Hrm&P%g?O`vni0D;dYGcLW;U1<+9&#>T9aiKoC(UG3mz!Qx< zd`b3GuuFu_#nS?Qzm~qPq4K)W!ae}F@Nlg1tfsP32KHfk3PF&X->QrnziTvf%f)pg zC*A3|9{fglYvy?z<MjB-2gHFZLix%4OXTTYnH&x zXVX*G7XxX)6D7sn-wz8C>yc(zx+}ZwdIrc^vWP4?BLJ;74c<5U^+0`9AyQ#(k zSq;Oyt)t=cu9918FGF~{TF!rN>FygdRs#|)p{>kCk#1+zRC%Nw9H<(Ce8SbQ{MKtK z;6+iBxlFEqWEg<38MVsQALtU}UH_m6g=0w|I*#l=CyYY(s44O93_9Z<)I6E$+Yqpm z{Y|!W^AH%{8o2vA{{PoE|1TGK(dW#gw9BVxmBQC1`vicFTTX|PBwEsR6wuEWt+|(k z(q(#v_9k5W=s-9f%9w45SDu&XHr5TYnK+&!tHP`e&$E$bo5FAL6?E>-&!i^Tr$C8( zMym9om{|Aj(g$J&KQeHp5szzw1G_F-MYZrA*9t3JmXkV~(&J}F{7Z9XDbQTGBU-cy zYJj)hGlHZRO0gkeKxx$+1|hR6UZZTYWJ$=IgUa%Bg4NP%Hzg4Wf0$DTUZ_Q=<#v$x z_VD}iN7&G{Pt3@&_(Qkgeim>G?*7jC;6LLQLYvw|R=i3a^9D1IaF;7}k|Y`7D8u^p zp8cO(cGZd)jEi;zVQhAM(DIAq9rOhcVsLQmDgxYQtEgU;D%D0?JQwPfnq&in{~^4! z>Ja-rP8aS<>{FlH^RwA0{6ExG=#tw%q4r3n4HqN2b%wfXrwD955IDj3ST~7Q1(1BL zx_vRlY@M~f7?28Q@f>?DFMa4D(LNU-e_}6yhN{hDqZJq5W@KW((c)6b@I)bY$W4@q zFji|XX`gtSanUIVQclxtiAg^@Z4Yxx_N>BXwBPy$?g8#et@)WLr&c%=HEy&4`NjdCY|1iV?rQW4Bio|Ttiid6q?ysWKIuB zih;W-fc!P~o4CjZ{R;1}wTugoORw*Ia{5o6HC5=%?D9_`F?N8)T%q?sdvD9xw5t>2 ztrO;!p((K_)E!B2_htZcW zfz{g2nsbkoUe~%|Yjy0`BW_k1RtvwY=>J*P{I}mHNge`C_s;?~bikYLNAw@%shS=S z3N&^(F8cXXJzM_R_M#57y&ziZul>g?fd4BkFfL}T0+v%(vsuEooxw%ji?>~giv)ZU zy3Lk{Ta2vu(Kj@vZ@8Vbi%E@&=t-rR1C#(zW>I%`Y~g5nYPJ-Y-@F3iZ(3jgprM~F z;lsZH8vY7(0t?$v_MZXrI}=h7nvt1f#O|JJ`U#rf&=}$A_sWG>I9E1ALSH~8tD+>AwnYc)It`xhX@S0Ks@Wd&9OH2glwK4YDQvHMW5%jX992nn*sU|U(r9rSGqdl zv;NFu>#z@WRgV^#S2#AQX5&sNPOd<0gw-@9(oVYgAK z7=;+mT0^7TzbQpex;@8R2TzZ~^2HE2jo+bBGs2APEvyjk+hvd|Gs%Qnyv(`@8;fNK z%B?H;cY(8k+rV_~c2YN>rZy0Lii^{ALqJBSBY7r3>o6Ev`H5i>SfR?Q(y`C@f0`;C zie|F_*J#vxhOQ?`7n5Y%DbF>&2?1fXm&&tCKS8S6>|@iP1;n5xe6%iUVcioUtt5qt z?D)97d+8~B0nBtq!AhCW$i&9jNG#G}K?B%KPvt|UHl?yX0pd3_FzcI_JUM;S zUe4Z!_ju)}2A|V@l2pId7Q7XQs@-B3cPq#Q$8%>KvM>nyj4Hw;d&~ZAwSsHOL!=E0;^4=Gq(D79WqY9iT!LLlQR|& zx=W^?%AE-Rq>%ge$dL-V#n6Ta7Mk~p@Dk4S`;KYWCC7A|i5 zxt}l2kg&sA+Gl^^PTG~S`89qycDS8W(B982;2^d|i<{RKV|>S9k?-NOz2aX$!9r<% z!>N+<-mbS(<`Opm2_3t_Por0)=AYf47%P`Puuzx>BEoqfB19cVgeVE?Tiky@jsDjE z|7W;G==5(9A+f?4U#Kzhs@nr2>i5o3FdH5YJ&Vjt9E|NDj=+M&Sj47oRnY)eMdF8{Q1bxSL|$@xod{z{ z#Sfr)llAKB?KOo2?wtQjLJkFtI>KsHPPU}$EW!bDMWC(B*XR|E1xRl*|@kE=dIxh0W!^!l8TMeMEuzqIbiXb-#z}KQA4#UI*NWcAG#f87GsR0QDrw^gP zCvUi>fOSusp*v#ob3v!I%u~kcKGhsfP;0}lKky-TQW94+>Dh9fI!eFkdm5zwvA}1i zF=`o~gs{Je;^^t_Of&a;^L?cQKb>BwQ2IO3gI8kUS zW`iww{hqT+tz%zS_JUlCh0Y=O@cIyYUCqz=%gBQN>=ORLH;Lfy2X`twwN)!{r}&J& z31kW6OEAvb-S8B$mpCD}ll43tVlQE`ye#BSt@yD0_(^ha-4ep~E4jl)vedn-f{VH% zxUkc3aq%=i88^ru0GkXGpR%6+LI9!4hq)}ZQG|Eu!%O@G>4tVL6T!P2?ZS~S&Y!fS z*-qFrwX80pFdh8w8zN#v*{h&;dYovn_2T z&*oWA+v;|Q@3hyomn$c5`|XA6siBGn&9>Y_AytKg#3F#C(_^uI9UlDOt|YRKELZ;M z{fyHu*wHatH(X&)YwtP%yr)UOB*{1>pWQDm;_^-NZftZG)(gL|0{ATW(5wu974;M{ z-4BUSh~JnF0_Z5X=TuM)+<_-fbRNhu71OuNF*^QHpkE*#ogyRh#4<%ArdB-g;Y{?` zj17cbu`I~;$Y~Bh#BFqC{?5eM2Sz;r;r5lNd(&=drGHWU>SVK}QTFS_1iP!Tce<`roXcGXMWjKTLWV+4gM=S2HVq9YdvExbh#^!el(} z4oh3;Rk?U*oQ z#u=&h5c~UoeE>A_Psh@sxY`Ry#8q{9X6jP8lp@L+kA31$dJ6vGiS)tyM3xDsNR3>v zOwVia3E$+hVj`ay_ml~!kg3?HE9JvIf;qxeKV%QnOmSr6J3xv(s;m?P-tixrX|)?l zH@UHV<*zsirs z8;)6dY}b3u`R{Wm0X)U;PH|=Uy6wi`eC4yDX_Ue1M#V!`*5vCqx^OlCsJxCzKQqJ- z=rhuC1JWh>3HQetael7Ei=&`IcyuF5KfN#SA^Ir_?Xln{$EV2d&a+mrL?e2#dD_n; zkC*|Vu+4JEXv0N&GZ8ZT{`|vOaS3{OEw%Mbn2IZF>!ZDp(_I(aRnjQDl~f_wyjD_=(cNXdI}~-9H?q zww7%=Ojcrpb1b({7*`h^IDZTOA7qW+JqP*>Fe4T4bpTaz#;36B$-U-uU}*KFwAsee z5lYZY$C0Q zz)i)^wq6-EI}F5w=%g@(J=5%MKqv2ovok0GCRdI>4Wi3m>XDW|ekz!Z=g=tE32r5^ zv2aYEW@f@T&kp^lawH4XNJjY&F=xnS_x;U~0)%KnI#yj#aTv0Rc`ub_^+ziJpfqC!tXfDELTO#7t7g$ZlH;>jSxY+xe&|NUyKa z(Ejx@opAVV2bU>>s9z8+zF(gWi#>QyhKV{XE2R$eg&7n5?mv?+cphev!!N!5|I#Y_ zvC>F92ILF<4&BM^03TK4uFdHeMv=(^cazRC6L>Zvy_I&IrP73%zwp5KXxbib6L;No z(MLtrk&n@?sjk1a5}4+&Sivq3gL#!N!yJp)DH=%VJS$*tnL*x?XClj$po~7PyuZmX{ zoucyi3k{V<%L5}OevO3_eqrFZl=*CSEH1yUn}C7tpYqIplQIM85UP*9%sq zZU;I_&!l#N*1@JtXNZhm<&Ff2%h1LJ7GNYK^rmNKo38p104)=lW$qU7dLUypv10c7K(^GlppOO^sLvuRero1n|4osGb|#XABy`G? zq-C{}nkYsW94W&ki%T;Ye0F3Kspu{zR*x>_?r?A-Bc+{N)$i@fT$GTVfz8|6k^2unB_&R< zB>z}n;{;M*9Vz1y6;X;@ptxentvx(q(lMMqzAVcAiC6Vl6P&oG>B3R6(@ZT6iulm9(qoM96qcxIq1cM8llTGcZsJ{ zFH%0ma#<1*As|*2=T+;`x6WVU6;^o=9b94n-XepxF$su?-tIOp=oE%%D#-%AFjXd% z`63!V#s5iMmGye>&UK7@jAs%@)wL8Sn3W3;o!#%dY+bVEm(ri(z}-ex0pTlo;(PcR zl0U_~&RfTg!xK=9(Zi98*BTY6U>L3gS*Bzp88EVb!qm zE@$>1R0n@N`F~s|O8({r2Y&nVjd251I4?YgSH@*VSrYI0d2I;bEq1TvBGEK5B?$lX=_WQF2F z8Auv+i!S-CLx@4?Y>kq|n$5PA42z@y#BF+t1Okpiys!uA&=T9~48Ueel+v_k(?Mo&2A=coOEZ}!cnvENvf3tINP@=PP0!9A zi4_v#^syZ9&WtVjpNbsKPc40pctvNEr=0s>`iZrw55$aDgDue>B>085gZJ)S8|1aL zGf;n{;=m@)6s1C7Ri(E?p3T}DSOq6F$oakh6zh}AT`@f>IGf|;(3Vusv`kU>773}1 z(r^VyTig4xSX^^Ald{TeOjXQ|ezK6SeUn0U)-n?PZsof~aK=xHDlTuulYP^o$H>%~ z??1*qa#_E+*>E^bwOd>SCd7hOBpm~Ub9g2o9@A$LZ`m$Tr~(EfNZrx;GxEK^ISj|X z=gY|ans1+W4**%eEI+j2MfinNPGvbo`_jkL&(YZ%wyrFibZLY|V{cQ4eEkAh<)*+( zGPvX)H3#+;o4pZBS2&RXc~QJ~XDF;^m&qIE&rY7NNWgop3k5-*3FgIGE_7N%6c;xP zfLtZN-DYCG{jY{8$C5_!-ufz;H78z9T2zId!XH8@D6i977b|#WlO> zE+NIy@{R-{n;b(i^$4j^XieH9rt8`9?R=XJq%k}w-tt?3`j9~rQa;(->|hyMei zO5pX4{Yvu+2b$Tto&xuKoXiNSah7*DS`yBDb8=&JtgwwFF6DsCH0zJkk`hy)mY?&= zDBV<&tHKq`J%r${NWj~qfe8yrGPP!#d&ZP98Hom_h$c#m^M$yCJ)Hq0(V&GJ1Dh&9 zDIuRLd(_6d{EEG~ptgAp*iZE(+?D`lk$8&AHV1}ZJIGOs43YLc+^cM%iSxEgi!EGf z zx)t$6$8I)w!Et2~`L0r1SN(4XK&P6-dH1s+r=7w`qpR{I+nB;^y=KzZPkpipJWqT> zB8`>ppHp}kdyj%``^~wJBVq16BaT+n8{FZjj35OxZZoQ8AwSIX*{rSWCE6{8tunG` zb0{k$;5uDO8o|mK2!GW9+JruIjdr_4O9X2wYbHANN*xF*R22>15jPLu9lCm`Xp1>i zw8a?7D*PEm8=fZ-XbkW9U9KU?0A?SziI)>1s)-{uA<-FOgCz7hs(H5efXB*%JDwAA z+FU8GR^-vLVS@Pij(E@D8WgszHwLs0g#Y2>5k!Y@^TZaVh*OoBS8ub72sov(mn4*J ze;`yf8ap~Z4FO2nn(xYM&T3aw`wUS|O>Xh@B9G1QbKIdg`hYGY+kEDmV*xy^!l6vZ zY!m!lM2{ezBOtIototc5CGU0^k@%X$CKv+61HjE`Dp)FPdzA*OagdhY)GazChB%xG z2Gy`U33L+R4)+4bEtm6W_QK-?1yJ{Tg{<*aD(3aU9&+=7Sl+SayWPr8c(2|sA<~9E z=UOIHwRe-)7pGI(Kj^o@_!{vV_a zb7%bP1O3<27B5jXM`e`Tv9e3OXF{e=dUHNLawGNCcgI#;f|qy6OP-**kx#d7d`MmI zLc-@Mc+ZKt6zpa#==$2cYYd23Q?>_X*?pRLPq1IAXFqzxZ3?wyKmYvtX&&~Y z-~X9k&v?(Do21S8vTiGos=HxyL>&)7%Ht};}`9OQRbJ!dPfGbU$Zy2;)=1abi{=(%qo=Y zWu)Gc_&K9~z?2JL5D}yAg;~3Y@;KclNgT|($LaE=B0FtJn*{8Iuk1)ptANBbhJ}PB zaUTPoJ>=x`)048l8d=>|{j+;1_*gz4p;Mlb|P~ zZth2rG9rr4(roLhAJruTaPlD%E2j2||5#Jgf|7$oyRQmN}ii0xoPyuM=XU!rlg?kyw z3w)Y3o-2=6Sxr?i#&LDM*{d}-tfnRNmkZ9Sgr0)PPlKmoXZ@Jd7y9OF+xpI=LlbIlZAlVOYD(~u zU-}goJ=QDH&D-5_jG^2!@>;kfA@Sg)T~Wid)h`}ArA&Hf_BK*!MDU`x*c(DlW`3Jg zNWsO~$-)eU5+Q6X@sqa|h;dTb$XC$V|E)rP($SAx%#UIn$Ju5<{2vR z|INuYysf$2Ht*XDis#AG7yW7Eb4Ns1aE8m)PZGsjcL(~^BKQPu`Cl+SSLaNIP51K2 z1Yp)o47-1T$Xiq|fMmX{`)`?=pSO5m%w-VcPgf{;FK4^fek97{0-LPL^I&e2$C);L z`mYz1pj%z0wL*nPY66^__zT}D7$lp=V*P%np316+n@3ozgdRDi$J%AN6!|ALIRaOm6oHMd0%+9 z{gB6g`8AGYP%lY;^73Jr{@YC5q>wPx{vW7z%cg=jbe%>x$=+fO-x0>x*bi8DP*?JeF{u+GC=b1#@4|Ze56JSa=76wiU#9{G?Ot|BG&M*nNYa-#hn( zoR=;=_QhH9wjoSyPS@s*TwqOVO{n_msi1V3+fDO<7fKiMpKaQs=9@!GgWZ?(Gj`dl zcBNm?aaIpaQ5J)nj~C+D($|01O`cn< z)91bI!7KN~DME_dJ=_^#NX*wroiFwAALz(6+eiYnm~H=TBkQ&MvyG?mB}RS2beX4< zVcFY{J6t}Sej<0fcoVPKWf>%^buJ7SCa^niEDl%uYS%wRm;~Qf80a~kn9uV1$#h$U zq8C*e(VO{P_QOpOV)U(nxWFZ$<)fb>;%@CGr;fh4VDja-M|1Kcy!5{hW|=DND@P19 z14=*Y&4h*&8cQLD-lBL9ZToMs0^gv(^{dJ+yfSU5fgJ&QQ(W%(-0+*T;E^_%hsiW( zD)Rbnlgy@!_*#n3E#gWTTL@2f13l`V#QxoMZjss_&&J&-WR@7#uH;?zG>+tU|NKiw zVQlPtw!%-=vW)t4?tU|s`Mm9!LbU=y>Sw~ly?cD8iY@3-=htTA9=-T->`DEcX4g3h zi{0<^prqnEC%gCx8?K+R_C5Lrw{_-Af8OORUt3MbKD|tay4x+4FJvGE1;Cnq=*nvsi7!{s0fHikroA&4$?wRf~a(eh!m;P zrH0-D3DS%7-aDa(4haeQ<-PZM-gEDF&N$y+jF3RaSbINf&o$>sib8X$pt-9a&)CjV11*@ao2p;yYt2&rxi74E*?3wKQ*A3|YQ~ZpcJ5K! zHy1nqcjKEulojBUw9sCZj2Q*|2E5Fa-b#vd;<8Y!>1mCkiK z7X=Mx62kTr_uDfGi_aY08q}QQ6ZUg;c!ydmQ^9ngS@#4PhjFO1mj9Eng*jObKa~xQ z@M}qsTD$%X@0onI_Cnu0^^j+V=;q|s-c}8T4X-f5N}eEh`AH*FV}W{T%y5l+o<;cD zV!rK0TME3mctK<|t-!?CQbpKf+^uduFJ5Z?|HSWKtqHp@&Dv1GLiXUdQA9edc)2Uy z7$qaYk+s@t`oFObJ2g$BQ!zrv^~+y(@(I^V%&T%X3aU0~HN>p*ZM<%j6_I&_TN4WT z7@BeIxX~m{J)65jur49wpidXP_W_$pnAU)QE7r#n;mI2ws0F0G3fJ}D4>kvV%aNYU?pCylh%s#!D*V8gg9S<%gyPfEU5`KcvU z5D&|7ZXUa;DPz%oS7YZ_}S4c^YattS6I|TbOF@8%|oE0xYSgVdFernUcv-+(9oQ?VwZ2~ zbt=CUAI-x$y*<~Mv!1DN_fFkaz4RAu{#SeapMH5v;;#>s zuhmeT&(01gDeFGvh<_;kA|){%pfD86%axYc@!9+!xD#*H zBoNZR*_3W5F_apuF_t=059#KED*6fsb)pWpk8y4F+P3Z1|8tj4$-oi>U7ioNa1G8(R zyx5q<=@J>p4j>j&BK`PVtW;P=_o+ZFxW(FziJDFLY0>KGSxDr&uH0JDM;-#L_k#ws zg9Y04<(C zyG=~IKX~y!$J}U^dHZOK9>-HzAsoISH-2slAAI4T(@N17fmy}SI^VUkr1%vMqQFji zlbDNslr%~7H8Va?>{u=3GCkxHSS4`$LY??5+lbr`xd<3xdII`3seiPr){SA?JN3afQC zzo`~lp$TB;12@l6&H#K``TGrO%}_&g<0V~2qBN7AzS7W0?bXhQpB%(M40@CRxgBE2U%(epHB{B}i9FJY2zlS{X z7(Xa9uk&u6+PV>yor@k^V!fc_puZbwwbJ|AMx_35b3*^RdbB0_s@!i6wB1_qm28PC?1 zlPpDF_PQ2Z@i9Q;02w(KB&)2yvsz~9+@VnR!1(ufjHtX0Il-Ke@CW4qzGUS(~U zAY%q3d4Xkb{2knXn{I9%(+%dCv<8snI*g^A-bt{3$7EODJYH$K^mj&oWk6@@v9NhK z41!wS_So!imy}z7W9gdoWd=yyUEt?;lmw0<`u{wW8lK>(7u;SPRP2NPR=YJ@j!W!_^2K#DUdQ+LpI=x)6JbApdmwSW%eF!}2ecPAR;aq)9 zyQ!Lk$!`S}JwI?7S+ZK!r0tD1O(XvoFT|LWdiF`Es_cQVVQ!m?vaW>Z~T(-ZexJ? z-aVi$kEdQocsN>4H^k6!Nma*GvRVteu^%l0u+v^lMTlyfO3vrr6v`{K-i>F*e>0?S zYZdsic!=;juEST%>!xKmM`-eBH!nmHPUioN*A$`e?BlesJ#%@hzEuIK9+q2Nc`$OY!>yA%_3FxsBel zY#$ZUGIG7{ygBUtE6MWr&A-zWJ10%D&yGHdluX<2OGt#&N)#LEB;2(r;qm@0w(3@` zC1W(gI1NXfdxw^a#3SyBQ91oEd`GKztZqv8CN!}uz!Xn-3kC&5QJr5ub~m*&oxpZG@F`eh9`8zcuQ&1CLr`u&nKpw9H8^ z){djm8q#~-@rYz@WBkCAZ-z2$ZiCOXhWY2slx1ygBNkhLBayL*xfCia!Ak{F@5*eO zaOs-jXpP6ZjA5t0n+P>;6Y89ort$Ix79G%>et_ull*ie8bCS1fc&F(HS*~oI6NaMe zK9KU&%#2@SRRLmu2kzftmsyXXduC+nqmi=#qq~|1M4m$B81BF6(Nfh{zek;iaqCV4 z!5*5x@+xV^!8QVPV8*fbfR{_zB1774eDD-D^tn0Qy_-BSbeMS}>oDHLIPHNbqo003 zHYFuEVM=w=Tjg|-f#oJ;oB17|(d_)QrXfmD`Lm=OaGHW3xA!3{pA>kL@^@u7=yr13IhCYVScX`cLa+6=i^v-seh?bE;$ofJ5v%hov?(Cj8UMHw?6pr* z@@lm<;ge!hde2G62gdDv${c(BX1VztHEU_$(g52d@g!n-po`#G&b`E0a8WAd`orQQS z=gDe4+7mpsPsV0r1I)12dyq|kNDn3m{5X30ppck>UN z1)ZfH?kX#+76*f*n@{E?Bbme|znlZ?L~dszxsMkWc4A+!fe9Vg>+(XpX61DC4%#K) zxR^ORU3!(FR!JVI!KhiiX$~&$fC9 zX|!8eNfaC9iwtFqA4s4VM-qb~BY3tIKvX#Jbikkh4PU~++K_9E`1~USNtW$vGWK$s zGw1s1YqOtz|H?^n^?4&1$5-clu;1zhWZsT>Pi_9_|HpyAcT1cGeSzBCKcMI4wD-}+ zL2#Ltorz1Zd8vQCv3DE2S^$HNyn(s1yj_2lbNR0N`#=BlSrlCum&&xZ@&dIbZEeV> zo)(Wu2>patU_mHqrX4pVJ6(+0@@W%(dXxDm!?1JJ1)J=gcCaz6pKEQ$PmLC1p{czO z(-Jk~ZIYMM-2OHz^6PpUkdY-(#4T)SWK>@)z+gw9F;y+-L*S>MI+7O@LaAN0b)d98%<&b8e53 zO!Ly7YIeHcFtVRb#=2jYv4yv@!zCztw~H7WPC!4vjH zOATlQfAoV_+BAwRIP3Khq{;vg`y}Q>Yw|m424%BFw0f=G+IOA`C+iiTX8k9S|30bJ z+f#^qI?oxHY_GX5KD_K}`LI#5!Exj5(wF*6TFl#rN{exqt0wz3$8AJ-^zlNjEIYG; zI^%)}l_bR;IXtIH3*vzOALSbRWtuIYSzVv`@7Mvi!|_eTaF)CH$>JVx^JGpiUlSWq zu^E$KlpVqIPJT+tvSmD~2W>sGPwqCZuzuYMtStMBtwJ5*D#zW(W}V0177&SVeL2}- zG>LwdNaVZ;Mi_riC5RrzQgHlW{z^s!j|Dq2edA@<(|R%!jXzo}u1l&XU-2q7yqp(LsY^u4g+`foDqLp# zGeZzhOq;haKV&TAPV`NyPCl0_?8n!i3S>&#O^em44%U}6-fcrDKPXq64pava{KBkZ zP0RSAR6!23X-#pjpshYFz-{qG*m9nHTDDH;7d=a3v(XN$YTys2HA5zH`ZDij{&Lz6 zV=UXpf{^%>BW-${f~@vfj5fY63xWTQBYgjU;2wWiR?`);4f+;qaPZmvy$w$(NL7~3 zbEp+``#)m=y1|>&^z>A?E)T-^f$VfLJEl{6A}h(mmi2;iDIK-BmcX^@|2f&%AJTNo z9kFuVvJN^}>+AB!1GTT!6Mx>5OFm3EJ!{|Aiz_fgRZ!Z{lnUJQVy<|yzmT1RA?t|a zCI(1HCDbOs@EE&Z`be?!(rY75X3-_TqO;SlFfD{;Hii^Bm-wp3+p)~6^yya-0{xHA zf-mUic{)elWp@%g8VC|C(apeb8L`b=oYX>Wj%< zRFYhwuUS|$0B(QHM;31f4HK8R{IgIrP`Ky8%gX{>Y(O2k0o9=rW?xS1SL{6<*igMN zs91UEKbd<^1l3p=Z$omN2y?e{<*JU5vEeHvxSv5DwqXiRtd1VMuPl`A$G;V{hE8> zleLSMqvw$O9FGO&yKI&2*XJ>#pPm1Au;K4#kr+TxR*`3vaeK6s=d_k3-R-~MtEc`@ ze<3^BP9==kr{HewWJNKqdlcI#57bV3t}CGy(6kOj&!k&xAWb~>6ojh^cffQlYnQM^ zXD}-?tLR|n$GJ8sPgGfr``WllVRc))jLmJm>1TtCG>O1eLF+N8$8T;ua-Y}lTh5ST z>3%mfuNfwZ%km6wR%dO!F_On9v%ec{Ufrvi9fN;=M;w6OzkbZ$u<$2lWdGLrF-O8fDIe!FP_^Q(57@ z{f|8>$B}w1-y~+k20X1(j~cGkRrWTacGizW`~mQj}IX2~4jKZA)|NS0$I z=51lEWP7zhhDu!u2^hgM{xVye=bZrUiwE_BjuhZvBlv+*yXb%$Ql|E#2(ePbGl-7O z{>&(M>q_g-g{}(z5aOo`GS=JA67J?S)p#eXPgE4{gkQRmXe9cl=A_b?9m9evKsX=K z*L`Dfa5A*Rc{u+nEf+h@?i7RUOwQcXO^AuZJD;rzJ>4GM2nCj8L-*UUk1P8Kb`$)x z^*tAJ!s)hsL10yyTIWo=%RRvc9NdCIf@P-f<2XZgKBctGzpK81Z_sEEK7Ag16x_(f zN>@Bexu<12?L~sKc?zdRag+vZkeRG0)zpV=K-3P#rmUfEjM=d4R9qHO*?rA+Ka#=% zU*VnBQswqGYr3sd-m#vWdx0(Yf-bLCT;kJfsnO=pRhwY_+KnsCwtb^Cm%Uh;?M!>w zdG|!FX?X!!;y)(8u@%iW9uf*9{Jx;;t2}J{0!*3SCm%c%=e3C5?eonE=23#OY+KMO z(x%HiR;N+i^rfXj!bk*Z*#5@;4vFMB*3244$&q7E(CGRs#OY{jjRQU1h{N>QH3@js z%;!m%wBUw+Yt3k%lL3lwjtcp%DB|Y7#fg8fKE*EMAUvxTC)c-yCcpMMIPf4w`Cm=B zvVFBV8MS3?;(&H$Y1^f#Js2??*s3A(C&)QJ-+kHCPP?98Ub9(=mAu0;Kka#<VA zWj}hPa(S=ZVQRc$(q3)CalI=t4ce!A8-?qw=Mgm$wZy zRQ?>xaUyiv-%lyo`n410=za%=abkMPHdfethwfIiivRBbj5e`?O#_@ z9K1o}yO5>?z5kJ95&EF&zCh=%EAuLE!seJCnzx|Shj87 zxCh0TcDcQvzRVk}LmGid`?3--T7~5__x4tObufX@^K&@@ps?H9p?&JBUCjd+GSo7> zf)(YexeRclV7|u%w@?1`r8|pJU=p7g_lJH)7re(kQ0AZc)m5cV}v`oMLaQ#)j!nBtB)xD_l zKr%DN$DkE5&t0<3|18Fp1u6^72AZby(hZ9X6M-|>YGGzgE5j&`YVv>SG zqSon#(TV$p-&JHu|5tYtNa;gO@TP}t=(U8V#E3KoYV+{>Ji(MKKI;)t|AGvC{`~gP zUu0fh*}={}m>y%fd`{6mc)I95luR1>(MymlWZ)XsG0E)-^^UyrXGQn!SfOtxuP` zUTanRbKcwnvdnsntDl1QLt!(Vn5aVZV&aRfbRA5QCX(Q@hAUa9fGuteH`~;be~Cbr z4$v1OI#bAHA2*9O*>ieuZD;`0mbn9{fPEn{)7)2jAl8FKv%TO?7TRL9Y@S2#qK+SjMYp2f%00=w&xr5SxSOQ|b+OQ!LA`ZJ zHRKs;1-mwYt6h~KtE*8Wl>-{tgmdQSrlBkB4MK5p z0(@mgt1tc7{Zr<5yqi+VvjknZ^zxWlRHuG{ zwg3`rH~6!UyV3?Z7?Lz;*pIVFxV;EBsMK|}D{2Dg!!#n|4iX$UG-U8mQN*F;N`MDM z_yA>Z#o*1o9`6$HJNvfTsT>wz3#ng#Ny2p~`RulJfYX1i$sNHnb6eTEmiGONtRlaz z(7g|TPA^vYfjn98Jq3HmkirWOkgOCxVZMsV$d{j+2QNHiC~#Ph3I1lNYr699(S=bj z%g+KD#fS){@}A}kr<4@aaf<6b8#d)V+K0tuYG5TWll_p69Sz}>M881lhF@r(4GSJn zMXAU1NiXjyPOlvq0nd8hj?Xs9j@S%O@{3T|d77}1!f^MnM_F5rfUNlaTvJG3>bmwb zPO0722g#@n|2z3=ClE1o8qYSGOK!AV5!e3)3{R5Y=>2&3*co>~8ZE4uTh6emL_?2` z_16ArPa;{WHVffndq9k%Zw0*b;PZ^Gj`E)W)JeTy&VD8~B@)JA%ezf=>ixore95Y$ zpz`n<pQdD+%8hOLMgYJq_m76 z%{IDCKaobuZRd;@&%B^;B!mt@rQ-eQj|Q?q9#Om?ib%4Q?Zx`hT6=ILD$96j?^aCP zLvst8x3O9hQoEh&oe_*B00{+(xr&5{KdEKNQKws^Q9QMNdjyhvWW$gsq#M=HR~n@v zHuc4@H>=Mz{phdsgwdlpPT$1#Svn+QQpa+e1y+rp{oqu3m*^}pKQn4Okc)r1 zxPIadZ|5c`a7L5u~ZQ#6(R};x0W!uTe*&`;?wu8#A!ed z7%DSPPknIjOzcbUJD>lu!8gGV!WETomJC$nz}utYl?as+fyjeX$d=7p7(gV@^QSxA zG5ICMvp^BgH92Tifwfni^#K3k?CNz$}zi&-I z!(6TW?MUL{M`c{7vnoA~p7F{7%h+W#aorSlm9^U*6mF&bGP2r6JEU2qhl){J*!Y1v zn{7XZb1w4pb>0=z`4p90O(*1LA)O||bY_R9*8(XjtKchi{8dku2{L3jUHdLMHcm0t zC9lwBX>aGt<@Cug{S?!V59Z3oY_LHMYkh#qC!=CyQ7Oh+hrBT7=%i-LLM=~)P;qf5 z-qh$BUIYYVV!}$kIyqJ3sFAVA8|3O`5B;Q;g8aF!fiFpi2`4|2asEfaTBq}uPRg4+ zN3p&E@gsBq?l*OU z(|8^_lS9E?a3hFKjScO~O##&5wY>4UzzwSd-+|;Wei0u;-igsIR@$Vwys z{CU5!hbGgK&(C^)GP1C~vM`m=7|4`UEEv|F!_dd6iJcm3jpbbWnp9Ks^D}Qd_K|rD z9eObrJZ>AFiD^dpy_&)*}=B%P5Ggoy_y<1Ll?G$5f0vCed9+j*i?D7Le%?u zIMN^M(bpw&?whXM=Ys*HgQb$wVP|$-1tHzX;wBiGH;5feTjr zE87~D;q6F0hmQI{`wm%;QKX*8vDsFo@#>TTaubl>cU#0HNqCCHC{Zk?hI5}m)w#`G z*UjGVE*!{6l3sDI8nP>Y9j;|p;*=L!WG>0Vh!vs2`H1A*JO46GgM;!DZTT=?Nr+jL zueZ_(4B9$o8~8!-4j#6_d2guhZIqHrEfFC8aG(7ZM;+xIqaEd#flwg&&C#?621+^@ zk+Eoc^wIRBKeXp%on4ty3dX*hV*e?Hq(4Ubmi`U{*oi8)o4B!gtMZ3h2P0Gv ze$63iyz)R$NvV!f;Zsvs#-?!|(n5m=@?*+#Lg|n~ zT*vO@Sr<{*TWv)`@0;8pzreW(-1%{>WT&>GxjUIgwT4Wfxt|zg`kBw7|9G_GV(Au9 zlf`;BK@Am7mDa^?w3Rj5SvI&q;xApxqc>L?nfh<>48VrHV#j)M^q865shtq*z8q<~ z?a$|D+&!7Vz04S4LUZ8fdC_0Xe!vVFkz0>|+;tL1>o_Rhe_G73- zN-R?pX8E4^hJ9U{=TNf#dg0q;O|1v+tKx8Fz&@SKeuoZsiURhaxV_LcEP*i8b;0;( z$pns)e8aDCk4CYL!<1sxSsC2lQ{2RQ6#jGySKDD2gFSk*puTYVcl;ZQjhX}@g@ zhAzFe8_05Z9@A0Ae@k+6aS~U;|M&^t94djStGQ8p01qR$UnY*Eg-RL|U+TXwC~oYj zw?o!VJ63PXoRqs^yD;3oUwGie;^+>!w`+H~6nrz>jmq4|NrlgUVN&m)W=Y!%qU+^9tfg(3fHrBoNPB2#~v93Z3x$bS{CP$uPgH`=XIltgut#aoO1grBFv;@O}wld|or zP5E@57rAe}FM=K}jT|l+f+sXmV7kPw>k4*-?=()`;nnI~e^T^sHX7|s*W&vM;Eb20 zWl?5`Ewj$S@5?D9@=0pzMvfJDzb7>{;5T!d2Q3a0C~bF<;Y|RMQkt82u9gRX8flY1 z%WX3;3YQHS)TT)U6eExuAPnE^{TF^9nqN<$#?Dzqeb_Xn6w%6Hj|@+HI$1DY*;3M_ zEyeiwtHwd+$a}qzMkX!+u-i7KEn5yJ{40x?nQH+ZYV1xdlWCr%ENtq?WU#LJP;5#< zh(BgmGq})LwPEcdz2$t6uo17(5DT3^($Xsyr0HmJbdP2-@q)$g>-8&a*~F4aLvP<= zO$`Q$W~5@6$=Nc>;>)+PdR~`Xe${oZhnr=sEvq>B4gLnkr5(Y}<zo&VpQNKQe!SHzYf;T7*oH8?yvF2`h?8fal z9{2s?L*gD#hzEt;tZF>080^=~j4=bKu`|+~77;_#S(i2|r!4FWs~?t&oNiXmjJMb6 zlmpSnB~J@GShx8+RMB?mM|yT+wJ*P$(l^e=7BARuR0R)bT6VE;aRj&nH(Y%QV;mc) z8Yx8;+H&aQ+B?e=F8+S9Ge06!|9LzAgHkWO_oIS!yAZR(=riDvq|vRi{$~B<6F$)$ z;1^!VzSu)h9?y1={AygIedd*z^n}GVE=MWIIn_~8gxNOwc#R7++i&;PaU`jtTxF}s zeQmGaN^q6V7>>+ym>8z$Aana)C=W#XLz2aU2;s4cB+o=85LWC;p^c1irIJrmii=Kq zuW%$q`_A+KK}KN0Oujw%`eF~!rZJW`#v&(bm!Ba%eBy9+ia%FExz7}t7k z*sI?^QaJ|u5LdDN0nC-;g%G!|rs}X%lPVU`DJmx?aI**Oe!W_g)-L(V_19rR*d|Gc zZ(CTBW@}>y*!MbdwNnRTp-FsVANd?4eKF&UYS=DHVd;lH)c1g2R(=ovRSh=!0_<&U zA#K&Nn~q>c5?AiZ5@&U6pkDdM`YV@pI`z$)R2mIWm!QkuPyOSW+3!iRw`W|n+uiTe zJfopQ?JeOiQ%QAMfzGL;lT%lDh@UZm$T@&bL-h98oe`pZ)l!PP$XZBUf{Lj(`b z2$WZ@nf(B*89EnjK@~TRYm2npaML1V zrze}BC>>FDUm6$cX$jdG>-GFnNVG^-56Wk&u16BJaZy}sj$HXRvxKHL1Ajh$$I)aIM z+EndI#J}9(dvqT@NBUJx-qsvj%gevTCg96nOyL?cdxZXr|0Gn$e(i}#aI^+FR%V7% zgx6j;0dM$N1w_r;y0y6on!4|6c?9B-?mRh-1$(|DumUu;czkxpl08&&+a*2o3Tpke z_JOP9leyN-%_HSU?u_F{JvQc-ZV1dO9WIhLz)UJJz9V2OtqBi=%F8=Q@-K~)v89pI zJF6ovUG-$>&vrYd}on(E_6%H4gCl@@q?}G+`Jom+2u5k-G z$5~f1$8pJvF$AbN>M1G*9Y5Lql`>iOK5{$#I#78Yl7p^#8q#CQib}iNop2i;q|p>* z@ig2Q-J#Af)T$#btzkUW&~nYDPb@;F#}KW&*Gk(yk_P+ryj|mZ{u`sK9!qT;Kim6D zM1y_%77*d+GXtExeS-Z<#iLjAgkfvqF>*>*chv(ItAjgJF12{~2a5y5L4;j@Nrb*5 z{y7*QH01je(FW}Kz~pr~6ac9xUuCCJoc(D=J(jP5*ixtFT|~tzc02S3Li1rL>3mr1 zChPkFnD3Nu9h4A;0#4b$#0i)H&8>F~-d9HP10r%S7fM|n2%q?yQIS0J$A(DKwJjgr za77m1QU=zGcFX>ra!5K)A}be>^yuWR=^PU=*-Rm0Vb6%JNs%s~_83Nwp9^H6AY~>P zaKDIM!ua=*SQrmzm||Oc#RGzrK{m&`q6kA~f~c;c0+XH^4_wUjk9LuEMz4p$80JzFnHE zeRhCtRk{tCl;fg2ND2Wy#pZR(*8oAaGkDU(Ps+6Wy%#8(Zb>Tm;3aOkHcXv~MV1~)!Fmo6%(7!ZkDg*=4J3)re(O6=oZaC>%7151*c(D*?p=tBfs&}bJ6)! zYw4?4MNcwn{NXxMFCW9_mPNpQ_|^E(XheIn;Qkdv+7j01ZSXpAQsa0G{PMe*5=lAd zX}5gWTgbsX{p=f3i}49nxy;+k!cO?|Z-|`7)aLlfCA(Na&#L?l9AM$kR{mf7$#`&m z!=w6ysXIG8c9PnF{Zi1>=UB6ZX^u9M7v{4iPFOqfZYR(7IH4V2*%DqZrnfJT3%eA^ zT@;JqkY4D_XTBs^vr+TlM%BO5<+S;6Kmgf}| zul?qlDB4@ss+_X?2&Jtv-BlDJFqVp2fqpN;`oI*gjq647Q&%9koe$G;(#+75Z6JUM z<__fTW|J|N^nK;M_(>kXF0VHl%>=NxD&CEuA41sV_Ouiyz4k^6*kE z+KFz{S^{K6j`Kr?HxGAR)dPP}h~X~FpY)iEfCmRx^5k0fcaSBbHqmU~&fDJZXl+{2 zL`oH~x6WrCIkGT+cz83k^OtTIdl#o}QmwGeYLwpU$F-` zG$=w@?guSzNZCM5TLQLT1bH3hc08|E3#mtqoc!fVYJ0~V;zr{T&azFUJ^Xf`X?zhu zetiHcd>d|{Jm&Fh&tW24r#u+Py@i@R5dU(;jpGE+@6KW46mE#=U%R`u;j!!{z6y`l z;@Qne->l3a5@Yi9FdqOfeX55XYD~*hE***ZMX)scv|o=c3Iurb&DHGQ$jhdAl}Nv5HwSuHcRDT}(>lL5`;lCd8GGX- zt2Ymcey73h_2S8|1T&x_IlsrXPjQL+M7*%fHuBlt>{-g^VvI|kUeZ`WA5EV;_8{)G zj(?!t0GIV3d_Gx#;iPag2>!|;ta;~<>ktPOBE?IC*Ex>Ir44M4gC3S5lnHXph5>%E zltzft01Hy}xV$5bW!tf4({YByh2q0q3#n+%;_A90ELR*gGiak%PzMLuJ1(s|5l&(@ zQ%-iSgC}NxH6|)f4kI*H-`OF{H9n#NUZ;KNgj6D7IOr#un6Ad4+bg<_^Cl`x9AdVDj|ed9o@3eO zKmz+N!?nT6W?zp9EuzVyxFq<{V~ND1NQvZ05(|pL_#STT0ViV7=gpn!d}}9CAVrR5 zs8Jv$tXP8=KCVoj7w1y)4s%}{orZVcq+HQm3muobm6A%2K5+0R z|EPL1RNqZ3djdC)l}?D7Ep>Nn_kqLH@GWH3JitDCvjV~@Nq!3ykFEyGsm^x$03Lnn zj*0-4{B~`^eb+3kn$9|o$f1bF#RaRaTZ_9*dgM}ycox4ESa&pfT~_@ca_^s-^{>j~ z6_wgwRfivb>PY1YXqt4__JwL)CWfi5C&i<}iiC5X?tB%Cf}28}OLkx^HdoDZwia*txQuPq(YdUF4=aJtsajq=7AuQ8}L1ds@Rft^Fkf z$r%FFyfP7~bq8DUF-lb|o_w2Xr!WwZ)YdBE(?r(f80Ia^e zF!hat(($ebmL41-N=v4M)~-~&m_X(5{-=ib7iaD~tKKdfXh+ul$dxNQ%b?60j{-@3*XxA@P zGnb!Y6HB_zS^in~BNf|=Dby!?84x}`YTn#0krO`x;dFI_&Rd2vmhiIn6ke-= z)=OH>ceaKV43PRvc2yhF2HCs`cMQyo?ojIWrob<^fpne&NpWZKj+38)wGDFCTe~6q z9C?`iwPVfS;OcQ{vAUq7@FP1O?>z%$;kEWB_`}s)NenWQ-Q+mSh!Qoj z_oFRaY_bP>3QopEIaV*lNYlARNBbUCoZwKc?ZV>U9v73TXva`EbgY|5^7}*{x84sq zJ>B2-2)wDiy{V1%$hspj)|+}e8&m?l5|xwId4BviO(ipyoS?6{>etifhdpzhbELpp@iq(^ky=%XG)QfV$yo|J|pon-H+;}*o zeMVCIjc(%6q+QArw(Tsf1jmm7_`>h#C=q0!d^=HKHpzYZI+|;V3HG#&P=Vb7_1GAz z`;14vUtt=qE5$usQ_02(;n3vNDYx~hQ$gS5l#ypS9^=sARaVxJ^5PWZQ>w!zB!#+Q~1=i!8B=Z@k+Dwb5l)H`I zWhc40DV%>Og&&t0d#^;1^G4p@sCebIm`XeTMEkiKUp;9(RU`DUw)8MQZ|v6zPXC2I zM49H4!muU5ccRf-;1I7to4(p=iFKzH49R@v3Cp%iEoO&_zU4Rqxs(};d*GY9kWOZL zh1?)DRBjyb~@<3wt^k8saki&G9w=tiDy9B@yR}elXmExg1L_P?VL&H}K*D z?;ag>FAFL5G{QN*Ly&n-BzE`k4HPrZ22Fs?DOzLV8s7e`_8z0ppAz61FBQa-v=Y@b zz*y*;%B^~=iL8CiM8pP{S=xcfm*zS!2VwzcUQ=3!Xfil(=KF+0xs3vWgiX;nDaL`b zfCylDlf|j|?(c-Bm)Ra<5A)5EM=Y%3QehMci6|7=IeXFh`bD+jBS%)A#t$P5-ZEX((SAOe?>&Vf>BKv#LOBzYsSX)NDB0pLUj+(%?tw zkKQaU^j<1a~F=)g7`9n_ip4%U|L8xWC17(zEF9@1Yr2Yr^5PUQWv zF4EdO{OKgt;gN*u8ESJ`6$}qGZv)q5SGBA-9vX_KSrLrnbsB)V_(!sBRq3tYwX@MO z*xYPwEyRATk#X3!((VPd!;%!0t1pw}s4GV#hl@t;!$f5ELC(2a-f&=o^0Ws)yeoR^ znT|2Ct3-PkRbTC`uW~zDx2)VSJj_>E~8IgXEhoUmpAMS-mqS$7LM-z+2bsp3yxAzKo!0~koeCP8N?1TqB@%#hveH)muVj%(~jMqO*yD4?kPkZP5Z>I8jVxf@ut(-*6HR86(N8n1?yfupPlAd zB3Ds*6hjGrhFUuXkn8@g?tdaa{!3dXaYF^3>?UyCnNH;+*b9HoZtG1-ClKg+vJwHZ zqV$0AnpD`^1o9k?T-N(eyTt^X#yUMT{OotsIl2SOe;7JLD0evhc0a>w%Y_n4r6Da!6PBGU7V0UZ4$ z_>Gw#Z;xv73Q5_xIN7e66I@T1jQPx{{MKK>+`1Fm@=N{~wg~0Pn3vwcgIKLoyHl9v zxK_kW@q~T#_hL&fC?w8jo4ScSxEGoA;N}a<7W@%Vi=!}3Q5vQ$qzf8pC!9bg3 zB!h~M4sp4w`Aw%MO?OriPV?IPz8lNJt2jH%@Al8N^4);t1c%xW*p1n^OGO&IKI6d- zmd_;~z4JzQA|1@ghg05PE|9tofQg>RI9h<#jH(kB)nw+`ZId%d5z?WCH9LQ)k_2rZ zAUI}p29BJT9awQ!xRGuATW_Uh=K`5k~SF^AOSamY4T zavLa_ zs68aOHiOE)k)My$pzjbroNT@f>jELsrv~G1O>2e>UiLAbbe>*2&Dz9$@Hgh%#hs943s&Y`bq=De6t4Flr)nH&r|1;awd5Yc19_i?8gOgo+@#j7pXjut z3>5ovut@Y?LJ?>+^-=Dg<60*s8L`6>8$7DW5;b#M*+HfqhX~lgG0_@Y1_{v?!^lC=zV1m!B$>cZt!ANiAK8ar6`w7Dp?EHaESgo*vTR#ZCT`V# z`1t%Qr8_&TBA01^Z-xQ?OZb@O>xRN`y530x@ui~~nNy{BOVMXFufp%d4M3P*PJO!1 zL>jB3e@-Q>qp(9`(tx=4%^uUJJ&YlH*m(Bdr@h>6Y-sANui(hmNFgxZLA#aj;1j)u z#}0ed$d92)lhBdP3JP7Ab`(>;~5GN-b?l&jvA1jseG z5sxp}xOH~Pjw`I^Cnany#e$0|xBFl+K5`Pq#esO|&~vK#7#Mg0;33Ja9<=!xduqkg z!NdPjcpq`WPuFLdM&+@IvG2NT$nIpN7Hxkzl+Gqxfp&8kvrmP4+9i6CITW$u9HH$W$Nu4OW;NYmOz;xKnDD-f?lnUb?zT zk#0pJhHQpPKAU;Zja}=m;K6EqD%G=Tg*d!h_n^=L6CTPb!`jBmd*2pF?zNBlQUpJq zn7+?pv(tzkvk7xIg_5+|osP^PiL0KbK|Yly#n;>TX}9zg1@4OEM3b4RSQq{uWA7af z_rCQFZz3TPJtEOYpNN*Cmk~h_F}CPkh=?AY!5|`97$r(D1PM_`?}q3ldhd1gKI$0b z`Q_Z_>}T)iKG%D_f6jIJ%gkEewbrLOfstR79jOO;Wj0^?LEc1>O6Yv%e0^3A-^M_7 zJo0I1n)**9E))!hRibF!2fU}3qF5@Yy4=UzRlm@FIjNep`aaes=r=u!csKFwZSCoS z?e-J_x^}W;=AE|ZXGxYCc#W#K!Pv=o^317k#=SxfSroEtyQHi&itHvAs(*7L^XKV| z^B37*fs5+T(%XGU@`MzZ*Si3q6J0Z|V+q-^+dD~iP?unHEUAYJUi#widINxVZ0>!4 zBZzRCRB1omMnX+zr;cZAD_`erTpWzY_VHwJwI4g@qn3TZStVEw zDVma{g-*D_b`12hLYc!3l8@jH-G^w{{nr_~gDeF$de!>mVNbLWi?LT{HT;H(Oiq}9 zABu`aNBoGGTdL7?-H#Mw`toxrdj6Y}j2~jPB>epIS*>Bk*~~Q}M>r?z(O>+oAO<2x zw>TExJxDxyBJ@)TV5A<`J4WuU(FL8R_tHfcR# z=ExuLSHhg61Tu6>6vz~i+UwG94(YNi{7m#Tz)@QL=qrSiK zJXJp2!u(Lg$woOF^5n)X0R;h=@o6_AX!S`PC=czUCEKTnu8V9t&<>|!urT-l-( z4u4Rg<#n4|Pl~R|_y*^|)O-`_XhhGj5K-U5grJnu&nx+3?ryeK;}3PRHNf|^4NhB| z9R8#>^BlU`^a9ZGW#RTeUHN#kG8Aq5CntE$4U63MjJrL$W^7{2$WTMc(A8w|o#AC5 zk*=|C#Ej=s5AV`SvZKwIk+1ef!^N?b`@Ec=%Ek8tlP&^wFEFQ}HGYa~@U9f5o`Bo5 zwr5W7)JQTt+O(3|t+PGYT<1y#r+M-pxjZtpo!ef^f83|6G9@8FR9?0z3!5%!I))bB6uuJdg3`usV2{rcE9_d6$6YZwf z?v`om=u1o-_P2+cUAjNLQ!;6jm$l@v-lqzHl&*GV`&q3lQ{p-v*+}vuDkxg_nA#?fq$Mlir(5^tSm+KOlmPeBdog>dgt>5QDYr;U%&M0~ zAL+yofKp)T?xz}1>gj(|#I8ksU2jIe>f5vui=P2UJxkRtE8M7u@o_a_UTTj51mP%f zl#m^~Msv5Ye)or$T$-j;n4Htkxxx~nz-!qe#iCr`9JyKZ?0TcafX0oyLc3trI!A|+ zKFDQPVGa6SpUGLJ3mwfZ;B}5Sb+{|lhKT9mMo66eiX9SkuQon%e#F+-ei;xdtG;!u zvG5NJ1|&9Tz3aE9!2xB}s;PZ~t~gN2qP=Vm0d0SBxv^~5@j9xDtCVwI+YPcce9|&> zS?bd+Gm?q9BnPL#O*p!>gZ$ffK4yR38BJKNKdbN_EUxIr?T#!VAi`gAVGTvtImHCy zSjgL&HkAZ?!!_sA>-Fb)@UTo2Y%LM7k~^xMBk11RrRz1k zXvp0OHvLY*+OjMnXCUx|&gxSK3eeE4kT(i}3m2%APrt5Srz?^$>&k=K%+#N@JQNc2 z;XX?lpaJqA4B>QgFblzwJV?QYx7blyd8M<)_gZOn#|kM6zBp=J^)*OL?)L>g>IpxI;Ft~*;XJSLp`0(#`;3%!Qob=*cCT#?y@nDwM% zax>rYH?>JYG4cy{`--6*5h1F;EuO#&v*RHoZ7``pP&ul zXR=%e6QWag+e%`B#wnyo22t8wEYgvvd=cf33oLMH^af$XhSkFFQ zmBn60z4swZv~Oe`cjXmU06mWTNNlFeoS3zi{n+<%#ubJ6iI6$2I)Y%zz8SQ5loFf1 zHlf|?@FSctOxB;wsE<`l+NjnZgf)r1I-c}4J>P3a#GuvFO6^W&ZYXqhL8v6W@*k1Z z48213@FM(RzmagQC^iEz$Wb1-cABgZm0ejj|?Te~}% zVCrMdY(+j``75#b_v&sArP=$F*|{Sfx|p)RB2d$do;m5_D|pRhUzTnUTz^N)-Y@C7 z+~nh!*FKg=cMt?-KVPZ0i2|bqns=oSQZVNn^XXREDA@}qDci*cM+k1&<$P7ZgU8(P zq|kWlmnK3zo%*i2_;+>5tWx`AQTL{Y!QAGz+TCYi?Y^uh`ZzDIu27}3fkv4yOt0iF z?WNaopnc82zmBF1M=nDPR0D)SbY-izYwCBY+G?c7eq3koj*~I|ESYJ5lsK=jE`tT$ zL7@LQ?bO$>T`o3Tf$tbk`Q|=D&(M2V;1lVKQ8seFa?4u1^Xv^%?GZaY&EEa6_0?*@ zqZDPuqw!Y6%!D&BEATY9EMR!w1j+Izr)CRxu#WFj2bg(5*MphPCJ)YdZ#wg|K)7Uk z6ZW@&DnRy?!xi@0)8G!J-jRjX3vbSsONH|9lhiRk9%b{IUufR~M4$I#OLI@iPxhR^ zX_iai7kgtsR9@XM?Rqme&|eJnB$D>8UMcX@zwd=Z?K#mo zz8l`E?ewx6;zx+Rcs0?)Lk#d#;T~k-CsvN8hkyh;L69}|7RPLyxYnAPh_X8Qf}90@ zp5FSCQ1zY6?6j%oG zaYi9FKNNwB`aoxbUfbIGWAFr4vam4e?NjY=L4{~}@&OW&PM-t+A6FL=!f(ImZrY<8 z599o(Dmub%I%gba78C9npsLF36(X-?=+XqGSQPeaUCM-rwgM)SG;M%0tWEJ!HZCdL z9B^i%4@RoGyni?{BRgI@HWg*?!Jo|2r@v?atv1iRgo;DgR|dPmsf6=LHw)EJ*Y8h8 zu*k^x>0ZWycRxU~Q#ChXL(lwdVr5U0)j(4HNAP4E%Y9mt3)bW_jWWW5HxdR<*+%Fb z98rk6ovOlpY=4SK&GY z;zPmPbyz{=Z?fwL@hpoW)+4#vFLmQzYmJDk0E773s6j3fxkih2Y4=_}q2HMQ@r2c7 z2JUFg1ls- z@OYV}L(PkOOUUj-mzxZCh-Vwqp<0_S-=vl@h4_yFlss2EzS@ZAsh&6q@8yTGk<)&s zrsSQ!I;$kSwzy;kU2+DO9)$*cXs3D1Y;R1sH@rc;*Kx7UJlZOTVSmgnW^`0pJxjEA z2w|8AiI&9`7bN3SDpmI}AXhw}Qh>7&C2*Z9Y&cjvEEPfIQ4%@k^@tS%&=^GB3g~&5 z#Lp@^Km9rV3Gg27&PUnhai_Z)J51kxci~v{<06Wp(B>P0B|L*TELH&aLEK|puA2p zZ~2X7kIm+E=Xq%FA08pyK*B@e=MI;WeRhyE&xhNlB=<=m)v}k-AMrdNNk#GW>Ys3f zeBkPNAR56^=%9q0yMP^qII*j$axaAV7RI@;vQ)ARA8JP;-^2PveIrF%e2Np|@@4%?SJa zg`{PQn&-M_vgof$yik2$nW6cN4zgf?vEAT;aDJh4hZ(2^*=M;1Hh!1?X@!DE!6DpdC!#8bG+guXuC=!Dym;eo1wcElS zqrR~=j|2n13pe}yR)!NtSJ6tT-I{jv`A)4?4zLd$OYM}Y3i576xo;IK8D0`Dwi_;e zr{j&BuX`Ux2h&MV#jrYW3W!a3p=%kd8;^kc;$sa+WX2OMu96GYy+ujpP;uy?UG6{t zn)SyS_>@2=64}M-x%YDzwe|{N;FQg{&v1XqEp78sYfK)Y^hC%KJ|L%S-w9imDke=x zLCuy$gi+T$|ER#|Oif0y%hS43^C_KH`jj)xwV@wRQHU8O*hy=xcs0s`5i?%x_7%Xm zl`i-kJv18%X0{?_aWxxw2EYtt1dkcF%H0($J@Tak=c3i!dB+rvsokR3x#l2m-|!wW z?2@P0{auG8r103U&`=8B;9r1tf~P(@8Dwmj?Z9Ga-AX@Hh_Ih3D_?<{(eTE-mLO8^ zJU_Qx>;$KkP(e=nA%s&4CfU@>p3X?-MLGE2kTI^vG`^73B$f!xwek8`2f7t2b<)d z%?aW4oYk+tOsmKKkzbojIJHjVnfdP8FQW&|`myz$jN^vj>+Y8d3SaH0ssB8lC3}yz zl+??3KW`>PWXYLFey_hihKJ=6TP-v(U|GSm9Jp&N3 zP(CxpqjUTJp6~;nc*{4+hR^nl{UXgPt^bLp*6$4tCBORW=KCwsTvpOt=?UnvcGQ!Q zd#6j`lmm%(JYRUR`uq?&NTJe9IT%<%O;@u5=7|Xis-Z-Qj8t((WQMumggNJYo#%FML<38 zL2YAAjyi#k6xP#n-Lsj2U+-P_0iOQL`NuLkfDXYbFfjg7*2= z1~u1B4-egT%<0o`HEzapDEb#lV5}f0Yny#35W9xl}(cQW@nXB|Yp6!m5+DUYk*=7)%9Y!4@9c#BM@-(_H z$wtI`BJ*SuxE<^E0ZSsnRp9(i1=dXks?@XWr>z82_ehLP;ai|v_M+rQAW)fY*Y?d5 z>!hXfM`WG}Ca`K_uaS|QWAxlyJ8Ii=j({6GAH+|)^i`lF_VcStW^qhes{yB+?aZ%8 znTt#x(vQ_T6k|jIL+P?_wjutyu7ylxqmQ4~;Po#%)!}xskW;1anD|7j?uem%eSuo4 zH1|a0$tv8@kHEcqYWht6U7WB&V{Am~uB>1E3FQ2&Pu-2QBSei-`sWnWyF zQW-XAp95wxm-(r(v71PR!^GGSagE*2bdmQb4WBkHl^c)Jm-#rJcP1_kjkJ)m6jj=n zy;_*dS|s+FzbyD%C?dqSX(U~|6Ipv{?pM9L8$pY#!qF2mk9}~ape*5!F)(DC?{OhM zPls#sp90GdRRU~8ee%y^OMP!!K_XQ3=74rl^96zy3R&o|`yL)F`K3@ow_g-PQnvyT z%6F|vv-3W@o^8M&TYuQm>}O|%^iYwMi;3l;fwnJwmhSi(wNp(v&NH1DMVGrYgCA#o zJ*EA7wf<-P=zl{E_)R5y@tXgm*vq^DJFoWOl%;yP#=w$4DnmX#2v+(K5*Hvaw!iSk zT-FoOpaAQkCuL9(+4JC0EEaST0o^_VjN+w^M1ldwY{2Fkwtg3I%-&crx;NtCR`O73 ztuyq;ZHaH3l`ADn;hzi1SM5RDIuhMsi>Mu=~#dzHWODaxZH zjPJ?!KknTGOr!A_az5M7epLol9u%l3%77=pq-u1X2%%Y-#6iAVXXUapJ#-t$6CuPu zrSyB>g`=$8nM!rEl=&!< zUl2FkTX1pUj~XA;+$O1m#?9n!ejGbv_w4rIpdo+%pmE)!K(Ub%48C|rVPC#lkiTZ$ zOiIO1z2~V^&E@KqaAsKWq|t)K?brG1;pm&B}cQ3%Lk-mU64Iv>*cEJ#vDP-0ff?UOZ5DlyND7(CO4VM%+OTqBc&^M{Kak4gg}S$ztx z!{YYABXs!fEK<&B26f1~Rc8fI(LSKlNobH}r;h%2gtoSJ_E_*PDMA{LdPD0nbg*qW zM<}evZP;2LRQK7xO_{$oL0`S!mb~@paUawIy-ZR^fAQ(h-QVXK(^K9EGO(Pp;?4uv z>(3A71F0rN#t4#Xq*RQrqiFK*xS{x#>l}4hDT2#0u67n)qP_&WFLH zB@blHgl{}R>y?utVNz zxmbK%@3+HypnA^G24lVG3qcvKQ)1!$-1TOz+#H+%0^k2Q3%xz*DE)wkCCrSb%3< zz~JpjpNXAF-|UKdoUD$te(PxGeX;50`(wtC66I~fhH@_q8T zw>oR!vfF&X`Bcqjp~X-Zw3M%~ZW8dQPxh&tb|$ag=;{u4>Xv%j$*Oye2;uv#XN#d> z?`pE7Tkgdeik<$9a&RG{q5kKnz7?`;251yDDY`r;WwA5Q{b0TxfS^E}|eq6C~{!b)zzK4yJ}*-s|K5^aoe^z$4!pYwRkAIH&pNIEO9-7;-&V-o5PoOEFhBKC+ruyF1;`LwU&CqG%)23b#lf>Mo_UcIFO^0dgRyPi z8819z?t$!tdQ;p_qmgh|V6@_Ddl{4Gllfm@8aC>;hQB=%?dw^Klm0HNntV)5sP1A# z6P#x8-?)_-72%)76$_ukR)l@b-ZUa(5O#~)BUKT_r)q~8O7|kEZrp9Yp~31Stb;Iy zxsn}qcBVX(Q3F9xR(F$@rz>2D z!{wM9kd9=U#Z9h5qoPbKEdI!HwA z@82G(9@Xz@Un}|0tXlSivG|=#M5?W;hVt0)m5Asr#&jHi!di%RAvVn29NM|a zKX{z2r{CAQ9M={m-?$X$08<8S`A%2u^8z@nMvmi7!d0l~olWpUPeJNxb+`R8HFO0V zgsaWpgDh@LG)epFDvuJ=psGa@z>#!yY}EDZU||t1KztH!8h8qOB%;uGK9sgo4481F z->F&n$i&r@cuT16G{bk-8*gYFl?v}-BB{sYHpWc-IFZhzXLi=a8k;4mLJy&8wz*}m z5qwGhVs_(2t{G|2AikNYoa|KdxeMq5PQ{Kd-2VjNVP_)UjwO!bU0UfAB;{Q4U^Q7# z6W=54CD%#`mlZ*pE^F`l3kCk@Za{Jy27gv|XLi?nr(B)m>2uvl>?arJG-!TcqQ_uo z_ATXd?p|Be_AaO)S09i_V29K%zt1@5#l|s3Z&zN18GHWpI+7Nwng>i=#>Pg5S$83>65;bal-ih{vx1dDq|K6Ld(66ShN6jmuN z#r4~$^;}=w;!Mi(Vmjt?di!q1I$5uz*y#KD>L}K3=W^N0BX}*qEeeO9g?_!qBzfH- zm+n*F;pUTxD@`XYk1pH8>p5gAMe9?PJy2;czzYrFQ%7=w zuj1$(nXX9j!{FAFfs*6VJHNe3a@+^4t(eBpoc-esMFZE|=i%O25~fKttmZr~e8zeu zFJm|cA}@K&E}}@iA^^I8E9_WDm2*{twuM(Me6fTk_#UU2rlz#vn%p{! zT*C7kcC3bSf=U$ss~=~7#lHpxxUad}KL!ObNlIxWDIZ;3Pp+XDXrocFiwV!JvJm*C z75~jZta13B&mFChW?4i6MZKraGCTC;X;J=z?y*L3RN6TWO8V5A<#bizTkwg351KM9 zOB@p?wBIGi4Ex}lb6axpwI)B|pjns0*F?6m+p*f4-ekxB8ngb*aBaccEl+9MY<^)W z-Y&FYiVxZu-kC{eWL|qOBto+lHMsV@S@(k!##tM1dzL;>?9;RTlLBKVILIVP;@8>@ z^&M4Z#p^xJ@Oq`w5oCP&RhL|c;NiA9raaF(oL|m_lj6WmYlcnT#pPMb+-Vaqm@ve`V3;ucE!9nl3jeH1ko!e1)k+X0i)@|5{p3%@f z-2SmuZy8`j)5+?+wXg7mYoRgV%GO>p)nn*J&0<*I%Lo?t@mWFf%W2q=xQJbML508u zrNpwC)N*@@q#pHg-TE6tMiFYLRPA9*lZwt&M3ZjE)duOMo3dB8_cMfUlj$?rA4*8A zTY+(*udiUEcp{Q(+vBPCeoN$Kf1>mDN+++*46l=>DCBil8mrWOF5 zx$xo$eLk3DRktcSZRRWMYflOm!aYvyY`DDmw2i&Eh{>u=6F=U~PUAPYJgz+7-s6mX z;S%EOSGy~u$P}n1I#UOD?2T)?Neh9MVg_N>dKc-t3>5 zxb%o@9S%XuRR!yRvHIadZ^5UF+s7g2TiP$mGty}2VMpa-TXoo8_05hsKi~7?@{8kh z^mhGNs^Vaj`OX>EbSp+xP<5BV)n{(Xp>})g!xEyrpz^F_dMj0S#u`vH!kh>R4fqj& z2L2q(5~)51dYSKc$tYp|IyWv>h`!~-s<0gMp{v-UojcrG z1@|-|?G5K}Txxu*Z9)Y#&7O|ii)?6e{Pd|w$BE1bt8=S%W(~xHc3w}T)f=JY0bkpA zEo184&nxW9TeFg~2=Q|>uP#0JqB9(xT*BSka>B1SE6R8J?;0BAbz6T&Ud%;fqR&}R z6J{83Sds4mo$YAeNs}sS+!uO!KDX)k{gP6dq|TRt zZqHLl%u?n#VUQ0sVeePPht#<@6SB~3hcIqf_x7G(Lx}|Yk5SJq2a{EnrKtIul$j_a zgF#1+lUL`YD#qme;@K&5sEwn~TherjNNS5y1uuC7l4@|CpZ%2nE!EZEVKbG}Oz5@!xCgg) zpG$n_{8()MITjZt2iCZlHnr6jEJ(P6r@_2LCAF|64GnduP>f(-G4iEtEOisU&}B+P zjG92krHVnx$i^$3=~+F1LBZ zPx48l8o23qRHV+dzZ;Lqc1lu>^K%=CZ;CV!j+G6ymULrkP2;e6t0RIXNkN1)szbh= zYuJFtj)C9Fvjw%KBnp3BXTV^L@d_Exll!i=S);gznYpm4kC zTF|#VithT}AL)TN6r|KUjy$7$6K8b3u?}IxV$lOy4zE8`Y#CQ1c>)kaXahG zhnwB*LAN9vrmGGmU1n@GQ!DAuKE1`{@6LG4m7if508~HlLb6}m(!hpF8OUG${A{f=TRp8~9CWGh)<~f- zkW6?4RsFF}$I#H$IK`*t*uYl&)pmCUpvV%6CV4tuPlX>c@mtz1bA)m+$vA(o$G7%P z=p;Lqe2^unXL3Btte;ol?NFjX63P{#__CmB81O((Wxz%Ju7WJazY1cHyP3S{=4DcK z&CTm7^XZ9;c7uCGri%Tx&v|15%7xe_ZMGW@F(~mvBb*ocb#nx_Wd>4?-o0Gds-e5% zjSGzhmAfvlVlvxAH~vd5Y=7$SYoRx++`Ql)@4Y<8gMa?+^0BcOP1Y zpD0;S>QlaoMBo7fVY2!Vw_nBGJTflp9csp0eSA0)cr^n5ZA`LXRg1JK#M#1vANqMQ zF4@FZfIDefG@`Rz&+DLiRDrcEWU-${-nJqt|9eKOt=zJvi9K6d_>=fCOS-lFD@H`w zCdnR}8n5{Z`i#_$%0*ZHo&hw-FrlrYE(B^_3V$#*`FwSGG!%ZyZjgLO$1HuiE0pq5 z+Cx1JK}MXK+5Zy&=ba{RW)CfchlT5A6h-|8OLZ>xyej6KD>rJzoeHovoCQ;F+70zl z=|}de$s;mIMyO@QyOquLTYzC9y6RLV-6_nf!=&eR5&+FzT3K!-)_DK%2Ln-viG||)6`m;LQ~!qAv_*N_ z$S88!*?bA@(Fqg_vxsZC!Y#cPv|fx@NVv6^o2PI#w53dqB>q{WEqPwhlQxm!RnvFr za!vB5tnV)82pid60_V3nD~f{knw0{d6wuLw(I){EC!6Kn$U9@V0`8DI6(rD=RZY6+ zzn2BK9T{83VGh6`-9+buwLxY5+)nFPbog^@(a$SL>hUt)drF6Y|H}W_EAwvxO|tUQ zpOODC)bo+1{=qpPft>-c6FdhaaUeUmAf2J|{)xpWl&5mkY>WS&2+AA_#o;CObWYO! zuJ7U-51$o1Tn&^yJ1a_z_2fcmq_*M9c}BoWCYmnz4vM~T2!kEYpC-BJPxXtJ8WiTq z0?!AxNc6utTR%Q~_RWIR?iLe)m_^FP{+ZdLkSyk%_CfbWF{WCfq?CvC~M)cV*D4>NW~m=~nh4>^WWF$*2I3?q^zKhNe z&6Pqj(XWwwx6{fvV_0O=xM~OMJ5$eZ#j6awe?pl5!1-=tC|f=A^j=mO`0~REr0j0# zD$mo7HAz}lI1DQg`o=mwu~La-@;=e-Z%-exv*%`E+B#bNV=C}%*YM)4zwhmTCo8P6{a)<@>!OMy{{APEe-QU3kIy7L z>;(eHf82<|%#(*IlV&SR?&r+&ERZLVA@5NR%9ohEi0w!-fwi>^wWv1z&OO@i++51` zY@H8`B29-ZO(P`EU#j^CXXy&!f2i|IVrX{nw_lTbT4(bJ*s)*=YhMxs4G3MC3{e!StIb@??5w^J9ZFaKYz9?$;r%um1n4QsjW^BY z32c2?9Wv6_J{Y&6>5CZ%Ph8D}z}63Nxd9PbzD~rm%3$i5HD6^?K+ZTDLeorFd=sF_ z6tl{}_%B-6D#z-4)3jwh3k7nM>Rq|mCPri;Lj6fQDODsvkJTb#S8pu!%8!=s7@BOU z8wUyGBCSW%(_UleybIszzR*Vzjk<-;jUVcli`uRTGZj5&*hF{j)qEg)+!q<-;+VCb z)k|v^y`_s88`06#owyIbp~)MKDy}Oj&JT@+9G3SveY#K+aV?6I5`|LnSItNLp`mcd zLKGmiQ`ZfZ-v3q>Co-xx<9c;lsa~wm@Z!K->Q=%}l~=(m?my%jZF{lCFKz`QD2RQ! zVeJjsM;j9}xI^3;YTfSs-s3kt75b%lc57b=`@h8K>-PTZP3Jdg6c_n~dQV4kS>qqU zij<*$kW!y5yfBiJ8b}TSy$e-<(}8a+UX755K@6xM)TVO`Kx4&0m_}3%lijr508#5X(c_l@g8cV!#)i<)IrF<#1>Aur6#nSb7ijd~+%I zZG_jw`|o#6v8^JU(m}s7z@uA8KKn-@Q+dAL0m79e9umvX-@oR6=L)UGb;;JRn!XcQ z{3m+#l%&z;H!Zdm-7!|ZIPJ9RgUvE2U2c~8t>qT=qy4xDRt<#ESvimSwmw}#@DM!xd$r8TkJo=rEnq^|9B#0I^0 zvI%n1xAfSonYgY4d7b>Z;27y$fa@&9Bg?;fK2J5zeYR^^>h0Tlje>C*eC(!1@CkU* zE_*vFINojB?BS09IcN)C&z0+rvvnH^O}1>V)mp#ZcdZ{=Wp96C6zxDclI#W%K3<86 ziu~A^uV1=VP&o^o%H1-sPQ$l=CtGf>{`z9ka6YqJ5S~UT$E^)ij2hTZ`V(E5Y?(Bt z*(N0_%n15WX>f@i?Md4`=FlF&Ze4T^*^PfCTF;$4F4@tu`uj}#_x|qV18nxQ?I-03 zJ9S_mw~0M8eNfX; zn94lf8TfTfayj;9&&AW2_#0+dJ~&%P1H`kh5$0pze?)zvIh?!)Gp9KeCXw=bn|nP# z%}x!(ll-K~ROsuXR$8@PSoc^E)NS7~-zQfcgr7ai&agNsqBKJJd!a+PL;=8wp{-! z;_2_5`(LQ<*KJN}lDdjZ#?~8uG2wwe{#J-g{I~JoX7a4-Re={*PZbXr=|cH1FFt0l zO0}^6JGH6h4&eLl%+~UdM=3%KNNrMY26>yzWh?e3*sW3jUSJ>v$-WP>c(aec-Z`sL zjke-uW(?C-vtx{nHK4T%@ieS<{5kjw^?dr*@6aX#N+`PDsPCFKT_g2+f5Q78b!(QI z4(4&;z)i;DriK9G#Cjn3AseRwsMrf)x7HCPq(*fcrcl2z9~hYuHUKMscKB(X#@Pmn z`dA>$AW0&_pBW8RsJX7F+%5;S@3n!7MB_xwVkCM!(Y zolrKyxv+m|nY~OuOM}e!Y2g_?!dm3#pGRrs;3m=xx0$GJ`GWflUYEyRv5#=POqy!~1?(*4eM~nS$S?qu6 zk!`;9|H-WAXC!O%+e`jKg2?f`7?k3DJ&``qUs+D2t)`0KVy~fTGfeguIjjX|U+yUR zl7L1MjE^vxCJK^^W$?CtWjVRD4#onna>QR*PMbiMlL1<2r3)b|+T)vuFPB|WyM3cf z>$7~gRl41c=!l>M+TJpaBRdk%O7*ftf2^rUQ70573Dek*eGm^|O~$xskZ}$Oov(2e zM^|rNYl3+b2buhX(z(jsE21yTZ}&3W0*~v$lA?}wX(J?2!!}U1p`oCp zP4sFl-F-bjXcTZ%2wzb@aYVRCBO8LcYxJ_iwCmwZTsM_HmEp9kV_`2#4J+f3$A?Xq zZ9u7afw<~ExcK}ooa4|Z9KR9Lln0g1cT;o96zEbe2UkvzJKu%*)!B!wGi~=e^Q;O7(8OvuVP=( zI#Xvd-V4=8`9sHdi=zW`beD5@6cUr+&^xIOs{J4db1D-W&A^pd46)u_%1qh<$toO? zmp19Pz624^-UH9ie3ojdy5Ritc_Y^LBOMV{)7|X(f)F~4!TZT!>mj?g!@B^JxxY*_ zaU!4IJmvCA@uy+J+Bsc=*@27>b`<6Fr#-TUvP94pKP-82*7V5yf+^HOo+5hB#@5z8 z-c+&HW)9u`$^I8RcwS_Mq2ga7<|H|>NIBNNtL$#uNEto+k+q^?wRYBQ`)q;}Zv93~ z5Ip8>gr8sGKHb^McQ`!BWyG!l?OO-A^rHK(p!WaN*SS0!ndkPdNI3mJp0(RF{#F_u zz`JHTw^bw3#Qk1M0o4`^dl$K8{Vp-_cSO_5|BYy(9qXYDPTMf!ByGB5^4aEb-zJ?r zzdH~)$GGUn`%%127~i4ldzORFi$Su|II21waDqf>ZsiDpU<(V)TrKIkobhhCx+c0J z>Uw|Lh8(>8x%_&7tp1QuRb4%Q(bDmrPI4R1*N*UeCfN5Cdm?`61D|mZ#uyJdH032m z@^~bK->8KwVyllcaFcY9E|vV1e9n_N#Hgy;*4o{0e~(gxyd*U-$9yq&h+Wh#w)g?I zBp@!*RwBfnk19$fcD6D%_db(|&1(Z)Uf#muIR4xuGxEGP1ARn!zWX#iu{f zwWe)-)akN(v@chr+OGj(L6;14XECqog&%W+bm@KX#!?MT?#nB&!X`S?P`s5(nYi5b z+(kx9`7wTtg*R8nu42e_AOc3@uOmSePx?2n#vu-VcqA;7PrQJ1g;Tv}m7{808(3F- znUWVKqMcR;3kk833Dach(Wa8I=o!h>r5tH_20aW}G05KN4wevwnU_(mI=5T^%j}Y$L1}2 z-%0s{xyd}ciC$Lyb65W_pY|Rq0aXFQlCo9&1Loml|D&%-g323K<1{Nyq@Kd=l=6cl zJLF>{)8e5R{_S2`i?Mm3IDWu_K{mAd;IxQUNkycCUA8S`#`PM<9d@+dNTje z?g`URb*D4Ny=Yn3L7@5h?6%1(Hh!az#VHzQdY!#Tzcq*V(YK803ER|87 zq}O7yia+J(qxR*hxS^IzYZqyuEq&VAcL1I7AE|?XN&B|y z=nu(6CVGUq+I>g?(dk#`_Jsp+~w zr6*`GfV$(lr=2RvZ9$Xy_xlBLKs@_=3Tfe28abl=1tK2+&-=}l)jLu-vT&?%STt>hN&R-J{#~(mPG_a9&Ds~+YC-dDE z`_HimheOD>E9`$hXB*=6l)R46++(YeYXlaGb0ugK9g*Yd-mCQ+lVM?DmW9>?Qp9;& zX`ubWud#v^jH;c+w%z7%c~gyp>z9V+)$uxAzgOWaYS<~O?t+8It9tsVBSzn#pI6og zzpGO3F)H5w^q-mZpZ~;vd@2Y6{?P{HogH+4``tITGZCG#!TY1hJdNbY8C2>x+TMlC z-;j&^DpcOg`?R04g;pMQ2gJhyS$vdk0fn-Jv>8c)vL054Xb4W^~Kwfb?^upj_mO}k#o1k$O8bc zI`a;83OF3pUa)A`BF_u$>C>dAB;!s@HbgJ(uP6|Jv~BvbOeKUt?(V^zMUpy<9Iwy+ zTJZkgJ^s}5_rixb*#y=8<1HX8*jad9 zixD#?%<1c$W|e=1hWG%XA>B*b45pZaS57ir>9Fw*HOdJsQ<0oj@l~bt<}_H#eG`dq z9-6d=Em52&?dnIx#exbrBPGg$2BTJp3?`&ZviPp4SDfq4<*J zrOrfW&8O*}nwwK|bJrDPgVhZt3r35MTh(fHoUIn}^W1TfUxqr^{cILg zSx1Bl7P4+7xTG(KQ$iTdZUM*6@y`uV?R*q$TtD_W>khsXEPH4m^{^`sci^I_v8M~? z9Vk~;9)J1Df}eSSc!2#Ewug))y4SgAPgihj{5dv8$S)vqRpidU!z)GujU{a!=m?%w z-*0`;9yxzSPMs=bv7y$W(= z{{015djNqg$rvu_6(hy&xH3>{DI4+Z{Lesf+HwuzS^Ras(v57P<4sE-xQ;bX4|9!F zqS!$x&ua;mcQ$8_?m2@m&LruaO+18lc#qi3)&0CJkZAdTSbOWRDBG=XSV{(wmXHn= zk-mYU2PqMe84(erMnI&yyBRt~knWU}kZw@vPU-F;XUOm3e)s*{?DyOI+0S=;&tDu2 zm&f6p*E-L&&b5A#R6|q(_{5m$*9(%~Q#d?W>A}aGA$0Y2a)!Iuv$PIO36pfSD5!OA9&^6*Cq>rJvN3fVbJ4n!@@Nx8{lr{K{m5= z-MUWY#iXC|b;VsL{6iZ+n1<7flag5IOGg43*DGu^f+O)DOhv*zyC>x^k>SJG&tG!p zAAW(+SNP1 zd+1BA7uM8>j3o2u=q7rOF-oP~tX}@_W9T0lz)%r;60p0jxT-fF)AH~+S|92R6J7aX zo1iEyH0?B&vV~+#E>CJKjW(vz;6hvujPrDb5! zbBxQGK)SA0M4}iM*ni@BSOBh*D4ys0D&8$vEuux=u26FZKaAvdJ}>2^ zcpr}?;w)1mMj>i5(gxFOC(WUhZdi*D6SP7HH*0c>SY?%#WpI<*I(@b70u;^VzK%+} z$+$Zay8g&eJ1;re1B-zin+8fhyaRCM4$O0bzPM~eUcRbIN~OaL$*S0|fi6xS>l|mI zg+TGN=|OUBFGWu=(!`+lUDY;M$-et0d2IRnNsq#f0p81nH1E!`aqIYG0=cdPx~JK z=oYE|iR#`T4;m)fJKh7xBR$C5Fc4wn4?W=l0zh)!nHpjlwCD9Qjmj!}?OJmF3wtlZ z2+DP6yd;BoEC{y!)g0$<73@jA zftLp9^-^7Z42}YeN@}H2WVmvKlpe+pnb??WJ2OyVkQla=RnyY88xD1ojQljwjfM!1 zxGA~qzlIC*6g(1%-`ZF%I9+-gAYEeevY2{2b5%xkJGc&bW&7%73J7jU+a}PYa-#)` zS2YTZ@WRhgd$tcbou3i8I|4qH3bj~snG5lsZ75^O20Or+t@m;P8^lH)F;)3Ykg zBs&SHw$7ul0c4+r|CD_${tiVkqEe$3^@LRN(@IB+os77Q(=zfZiH4}>JWAblmseXC z)Lfp)nQBY(s>6)5bmJd9FeK2?L4T}x1rFemi!?5g3AB}l|FC5sl z$sWGJH>P%kp=4FZ7*ZOE@Sn>Nw%<6wd{L4IDGf0~^|Svi{H#~ljA+Nb7JkO^BJu+6 z81H}vqJpJuB6s2((13cynz)WMa+8YyrGyR_{m3)b3ULiGmXo|qIrX`Z3%3f`^BPaS~7 zY~;9%8Vd#7OCg-_>6<=;(bt-dcQltlIi1-;*8M*agtY4&c0zirNsg}Kw$v?$e&oFIOMiR@b@fX(7Bc1}FX^OSS4`fx_!7UH6t z-SF{AC}uYf>2!On_D7GaGl}gORd_{jQkR(z!RR*&Hyg?+v$5T!B7!gn^k~uXK6~+G zOf1|KK53ue3;|%>QEq3owbwNCtpUWP()r!RiPcNJvCC7z<2AkTiS94oOe;oiPXe-| z#&Ti8-M5LTKUwchwARqLGW~98jr&ISs|%lDUi@UY(@Z}Sd(-UkjhOFeBC$-yQSFEB zWwRU3<1uZ_-}yhHnyod&IzTLNcp$Ud^qIkZKFQU-LIV5wkmEriQ`7=$0#Pu!Kag9N zt}t3?<#0g(%`>4QnnH$voN$LKLks;Jb;~VA3={`f(R&t^ugbI1Y1L`bR3#Jck(A-?!cz!4F$5^J@f?0WgBgVa8V8 z4nj1cF0F4}Z_+`h{RBF883V(jVeGzuweQIAa3=LvhIem7J3r1ggmWhTVP!?V;lT9` z%8}8{useLNbJEb2V_*IYMz_W~qh)^3DG@P~w9Fz{QM8$CDqwNhVLW^4=GaJS-dKFs}KvJ*>rDLCqEziIrfAU`32dEtK$jv_pmr*!)wCgH{h zwdZ31-_9ME_Jf9L!r~-xJ@&udxDy0S>_ytm zf7?M!xa-e@+)(pNwxA|X!OM3y zdGJqz@&2^qrrAr)UF?QvC}hOE4n2B^2DQ}+e_MUPoa}-9o-)zlvztw9QZSl^TGPH= z#r_h9a*9jT<2RSsRiZPOL5fR*764{GdXBJYIC{&x+!Mz;bellEXH?xr(dE*QG6bCi zLF1jZ?wUhW3ZC8-TboN6$7OIg|43N8=B~ovxLz;8Vw@1ndkEmuB@cV&z;5@J0&|7KZyNsL>t+41vAf{S0BejuU?)s zj*(&P+R&IsfE*((euTb}u&V5FIX?CuvOn&ePB9H|cq_=YIoVZX?pAZwSLM{F^#R|Y zaaDE1xk1t0T>rQKcwKDo!KTsd^GotgT3xN%Zlc?fcDBe(qiSyosX1U2D<*e<0{{k5 zS@H)CRFVIK?8qsbT7S+Z%sO{5Yf)4Y%+=5hOQ;ni>DxK$N*Oe=e?LHs5#C1*p0d_R z;9qx}vI*avSkFm*eXcnl@~u}fXW?kOHb@+~=Ckf_xI_Xx%2-shKzgw-fOx*8;PlK-)gCBQ+~dlzGLrYRHt$PW72RE0+5cI?a-!*h*Lp7SVVg zRO~YDQSyr4!&$~n=WPH}*dw_0V@hEvmV7pMvV-X&v0=n8LUEI+YUP@3 zt(zHZp-q&4EehT!_-u+|3oG47Bh${$NDNW}g+&Tkb85ymC5+o&h%Ii-X{RI=%q6WUTM&> z+}X-OAN}Ttyfwj|Gb_n;7gHM}8AW}g4f%Ja^iLm_=#m%~1AZQSsNN!%agWQhIybi* zx*>UU#t~u+qCr5YY4<~G()qCiYctZx+jnTbp=PM}_;k}^JPDczILF#W%VXC8*qp(l z#$)5^9QQuJE2xv+r6o+_`0?315#jTi)-a)8JC{Q#+v)hd6~IkbS^SDuj?Tnk+R4GE z(m4z=p;x>+wFnc_2dFttk%uP>3fxm;4wsdM^~dV=v+x}#lWSPXwmrOJL@vDSZ1>Ej zzLmHG7WZDm?0_7Y=4DhTl6E$W~RRO=O)=iFR~^MLaLz8-u(_ z(Y7k%lk0OP?$`&8r>(ZU2G_uLTyee8%sMAJRY4fQyP|B)7I=%xOl!SU&^|6Z3Y zO}2p^3eU8iL^@hgKw-01f#jt%3Ag2XAPbRIfU$|@nFKQ`|qGIkztz# zXfFm#`XgYFiRl^k>F+)HPyL6R7iR^=er=%P`(bO`s&a9x@r!$>JJN4;La^bo;x?Y6 z!?ayhsPMkp)Vc}0LV>&CJ>K0g(fJ3p+YTNjL+uC~|EQF%`6JXSI2iUFS?%9q*gT5v#q3cNSd^8)DVvf7hSe)e8Qd(^kh-9#6 z910UzK{=20C)@1c*e{Qa4YQp8wmT8GN5y3**NsN7>bdD9W_GpqSYT=l%<(1gaC`;grB>+E zJevPY9ZLJ?%e6YxS6OjL8=ES9F)t)U#YY>tp|Dx4kY6l7EUnC?lXdzv&-S9oI62qw zAe~Y!hU+uV3s#=Jj|b{?p0Bt|mV7*p{w98hpJlDI6zuwjDGH zAy9G)jZyv}?A)FUX#kmg`hlQV(mEPkbq~p#odO!avVcC6*IK|IZl`yz(yZePD<@MQ zMehMZ3%xOnFj}kWJWVQ08a(ew5u2z4{?7>I*v9WkRux260>5uo+!}w zMVZlE8Gn#L1mp$yx0@)P9`7qeQ<(kX{U2v{AZ&Htr!MI0DyV$&khAKt7mAu-1Ewr4 z7q;Koi_c>&jnbd2{_04_N$xq!q11^(g^XOjbZIgS$A#qIae6xIB_yx-9S1NFwJR( z{1%&#u>drBXh{Fk=;aau>CW*kJME=4{IG$%wE86%-e|q* z4Dd~~AwaTO32Ua38N_)5JoUM>E}3;y70;16Tnx6( z<9j0$lasLKzk775XrK<<+q`kXscxp%{4i`ciB=3_SExD{nu$k0%kx|7+fru-yZLF1(WneU4T zeP}a_hs{`Bxxmut#5aQ+YUa~Y`l8MxG5sI{dj7`_X8Ygk&j&Mq(gb_{o6K?Zpm-~N zUAs6LVT*YR&EeusNnE12r)-Bp&5o2ZwmK3l3gwz=FT!fKeq@AeY~VR|rZ|@UcAnbZ z9#(e$c(zq<&{D~UErto6F=b!;=0E#;UxQ}2Y4-$uAyI{Meg9py*a|NCx=cOU?1MW6 zoke{%t8V{j-+DAg(Q5m8COg4(pjTv(Qq~QUx?)^Fz(LOsG{9+-sQ!NYO+inauFiZK zJ*jqq!NU^4cUgX4VKHWz=?A9Oge`z5lFdHiun3wi^!<6hm&6ha&<{ux8?4P!W1u^# zpm)^H-)-g3j!otj2uOR@>&G1X1D3y=UruPvobQ)nyELk4?;1I1m)5F^R@l_Ds5F%9 zfxe=APT!Pja4qYi`mhK$EK05%GexXI75fn-o`mnbg;m zbZ*eEEEEjJ?9W7&9hA#RaxU14M?;A0N0=zV=fvBh#o^i&d$HWubxP2<8a$xv4ZP+1 z{XXBv$?h+FWauJ?UF}Qhk5#slG!o|mDva$+1SGrEEVFrp0m?_RGsx0n^s_c-vp}s(r?a-#+%d$k{#Go~n|4IN8Oms9ydP zbmJKPci~`2g1Noy@Ds47%tkR(STrsQngZNhS&n_OJ%HAuc=n4>bOO}qw6c40CEx~O zl7raHQBRF&pQZdpA~eh{j>Z(Svq|>|FMsOT@78;K>*B8Ow?E$?e39Y|sZ9+d#LYD@ zeZLP})Tgx1wo;1H=zw`3d(ml(mThx&<$<966X(X`#xXP8*#mWxLZcJ(PmipWDvmu3 z4`S$Gbbx2o#K(m3P(e*ryMH2cl;6QT7Yx5T>D@^-^{#4B@x+0UED7UXMPhn97tbU? z$*-Y^C_5~J){H>n;PwERAAuxHSxjV~>Hn?l!Cdz^$2v{bZNd8TerbTNwJ35;MZpe0 zcxtO=Rpe1P7cyvklc6zwYpE4Mk*Ue?QiS5M_|9Z1MXzQ8D>SDIc`GpYS-7IpQN$d6 ze_Pke|9@o^HFRc~`FyU_GH~LA>0=~KZ z|8+>D>VwK-XCDeaYr^uvy}TqkYnDXZYX%?@=R0mgJyoTEBRFG{Wv9GDluchP56Lv( ztxN8*FyN6jJE3O+usEJI9v^2aLlqil8!t|(CM{Xdn9c_-FeJprlig46i*B#7PRzJ$ zM;?Z{>C`7!96fZ|t(SLKfQ8!{HVwhV;-US@wAi(Zg0qtl)Sfg@iyl`khKs9b+m388 zA?R03)^}Z;OB`=C`4EYlp6y(orVBaBhqMQ#ce3^ca*Y8)Oy0<7VLj*g@6cg`ucuDh z#(z*=DWFI6hT^89#Bl9LKJD*^EYvb;28*pO&Zsqe_YA)0(HT!bL>ush~G1Dx!IXPm;J)HAE#Mr-F9Bhg%+Wkl;{#^M)fbn4zuNV6F*6 zQT}(Tg$p`M-Y1wy|7Ml=uM5eh7m|M_2w)D>G^kP*0ti|k#KN80?SGqbC-4~*6@o2O z-B$QgDpj@J1R|#aZeuyk)vohd;+0oJW*%@o!4g{dp|@33yDP8SP}F!?Gdd>k2D>`D z4>Ss$Pq*fKC1yT~J0HFZeC9%eWp#R8Lartrbv-&Fr{LO;_6ttx|6mRuw5) z56%Gh9M^sE&F-OX7eKFpcc)%H+BCSZA<_KuTFIsG+IH|LCN`@TGYHCi^SYFZb1fna zBTAVwd#go_lCq54e*`7vis&LnMhI=;_mbGih-HgugZBdr9`0-1$saOFEcUX}PI1Ju zi@}vB#JUng0Dj3YHW?}HZ!r5m|4r-KGJ+vHbKcS-31)Up;w=nz2BVCUwBFQ}cklASjdI{t8Qa*gHE3Syll!9wm}U2WE4 zV4Z55?9>UUKLU(k9&t|T%lw^v|Ml?zL`^xi*YSSsk{rEL_wmfhttsbC&h1l^Vspzb zn+u{jhiM~98bR~AB=?PHn5#lBoL)~tWDWPobWHn%=4|=C!4x2oRZ3?yo+e9^f|Ur|AC9>t zjCKebk16tU*K}v6^$kQ%f3z0D8{K7R^$BJi4-}`&&st)>RZZLa0BlrleyV*G8EjIZ zv0(=IkF3jZwHfsYyshGuJ0EVSX+2hGo3;>-o(~F)n2`PZw7iiO>0qwsQ=_q)4|1o*(ZTeY(v=#7xiIjf|0K6Yq!srcpH+KjAbK=&(ki#kjN4i0k{t z=(x$!&1LyF$A}?4CPU}!LmRivHit)(C27)|7iq2s#HK>V`%7%#D&ryoIw=B(x=Fm) z#bKkFs>E+|R7u+LoWw3Hg_r-cS0CpLJ>UjUNM%^>a)8uWY)QjT96)7Ja=ajZ|1u0MCpLTmDH~^EmStnTDI;-CT*xW04y}$+CX!38&FKuY^nOjeM;d}$&UkjKY`Xj! znI7`Rhz+1=D0rZ8stLWGcM_EnZw_aeJZGF{irAJJ%%D^vqA9gm>E?AOM!1euSs3{j zm8;3!{HLMJ0Gxql6$+@%eUb9LBP1M*Mrx4N+J9FE5!nN5Mgp4>jIs?RoN7L;kJsFM;ycKF!~JY zHn7I0%n7`*r^|yM_d}m|J{x}wKF1NUUzrSPYJKVN_Ni=F0!h;iF%dS)xjqPu!Aj9&y^Jy@?NqDIbWr&v zPcH-=e&c4lf1)GaKvA)$?6x&XA}x*w$!ZwyH<1XLhsTUMsF0q2Lhx3^bD|gG6CU)X zwFf@P_PYa`SU189;$^ms+w{Y@yU!RT*+~^arO=P})Ha{nB{`*ZAy9cpJy7Rs{g0ya z?sttFe5&qA_N)1s8L>%;s5}UO_-ENbK5QJ739(J|6a@5qtDG1}LFMw;Kpi(|WH)lK zGI2hM277olE<1WBJQg7@PET)n@`U|sLQ3vfp+?oCkMG=1P+33s^~jTNtlz&rs$Dfn z0%jk2Xu{Fs4mTIRF#PFn^72LTgXx+r;?+5hW@Yab?AU-(AsNf$e%>)P8&z^V{UFNw zgfvoj#U98kCJuNJ_C_rrdp1oJi?})p8b*Uc6H&(8=+lAu0$^T#lPwv0#QW@nDvYoY zZeJ)3Sxex2GQEXO4;sIfrg_Lg`tt@^@|J(9D&hYQS#r#3CVf-bjsBWpQ|S2==#7v+ z4Y~Ip*T>fKdhgPm&$hXt1tmlbYUWZ;vJ z#~5I{rXcx7`>>2nu=JNKj2_MFpZmG_7@aqc(-2@B+?w!V$Wr}IvB5v=w;esu4e@z?JR0!}k^qOKqJ{&k$($R%>JK+c#} zf=`UA-i#P_N{rP@fPH%ZdWsJ2qM2qw$wUmbDS9{hJ_p8*mrt0J`1fLnkAf&ECP`M3T`P>Xg%!4F3M|>R&0AMo&h>^^~nPK)Zlf)&0EG zXs30l_=4A>>{aUZAYBY!Upc^(qwbSsc4)o<3yP=jVV_s>dA^sTz4ORGa8QbGsp~$~ z*5K;p+KY=l{m}g4#5M9@tuqAnW65IIeU(tnVk`45I}wcH!2`*r+IKkV*MQ?uNk(_0 zK@p*6pZ_|)Z+^>v3K)?;Fp;%OVdoniGdE&`SgjiLLAC#_lYV3~<4B;YY)W*8jF5(U zI5)2`Dn@Ty>(hFRD9EmGRqb9$LBc&vBJ>laz^4!;v8$^xtm(C zJ)|=SfB^Epdw$KFGYk2XIcKDY(jCIb{&H6|A!k)Y)l>E_=G<8E#x--UJ|f>MimDy& z{YWR5x2ARquawy~3){xZSFNK`h1?8ExiekPd~Q+jb|fz(|K}xA`b{GbyQ>Pv5r7g8 zBHOce)TITL6JjEPTCbV6>_!Ou>lNvbygo}DmQ)3gZ|bWz{gP(9o)W4iX{o*wV|5k~ zddB>f*T1z*)0O$0pHi?(B`^V-0WSfiped+8>u&iep#51mk3VJBWcR^o8*y-w*nWmT z3LeB1#!Dap;NaYW-ra{Bxwfg-iRV8MirBIMQ%Tzq#e-+HHWHwpv=K9=(nCfuOr0*K z&LjMeUy8fFV{nM9z;S{mXe7H7@9{o!&{$n6r)v+~kUtC3U2(hq$M7rYQNBE3=sU7> zlxtCaZo{!}xHV~k@a7M<<&2}(WTMU;%yU3SBYgIp5daBZZxynhALRdWt8~g-Zxvqn z*tp8gC1b$BbjO_8(RT0#96{!82Xf%5f`GfHkj&s251x&TCM!Bhx^#hN9v>#(CcM9l zEtc{~i6dG}PMd)NyB3@7Xkeb5rrz|IS6GE1eBVlCAeI+RTu3KjyOb82bdHX<7KP*& z#}_>*QUcrdkdm7NEvr`z@0W*KDxR*O25w>3YrjH24tI8tZ;0qw%BVvz0wOoJLgu`CC`N!aY4i~RK!)1ca;`dZ{GyyTrj-{X5Ap@myzHUaGUzP0EzZ8(ju_x6&S&s>KiuP;cBnP)J zs|hhPmcLt{@C19OEbI%+v3MMoMZ$?%uD&@??7gP=%^;!6N&&_MGlHK4c_obp1^xbg zdOG>rkBW-Q_xEq_@!y3Yd-lP(%T>{nOZtx|J2T_8O>VnaiG2ofUjRkBFRLeQTz!{2 z_dAyH#n(Z0=~8?hozHG5FUqm{RfF0pZGV?F(>Eh@c~#ql3Z;*O`o7za^Tav@!5vM5 zQaY3qc{qb%q9Z1B-)>*Dkg-DR>Sghzs)aDao@Np6#XgFW8U!54!#r8$K>z+nzbna} z!_S_R>C;Hz8_)7&k$`?yIs3=K{r&*o6MDwh99Ajx(lTj|Rf)wom`IkBX1ydD=J;YS zfOAtbAT267=t^aaUAL314`zEEx=lg<3R^_+}XWExSI+{BN z<=Ooq>8Ooww@tHhLgDQ>=AYIWX_g!-=NYf5^3luqtJYLByto|B_sfN1s zW?hP}a#_xKW$-hRu@+<6{i6^*q5;+r?V8slyXfZxr~^XgPGp%YuJHbEU{@Z{{4@5Hq1+|>MzM^5*#-l z%ErVT(dc)lkqZAxNF)(}8T(w5iDdjv=NzX|h)9L1Xl@2~$Go&;eruI4*!97BuF76y zM`|&zF*5%H3tg$$}rDL~XT+GTJD z)DY_Y?uIP1Pn|8x*dDaV_W>j;ky7e`Mci9L7{eiy2cd*C@^|7F@;}e=f83x(D z#{#EjExJ?M&$3R9RA6X+>-xBmC~3ij-aP=p zQ{=c1Wu%E*@_}qdqzqfUGB9bcG8KqD`oxJ{=sSmKNq_8zn<0xxbBqw-U1Osy8I^+L zQpa1}OQ$aCwC>v8nc~|2EZk5_jm%fYm30GN@I%qyGL0Vf;y=hkZHW_sxNg1plGGF62N0c01n9{l2+>H!)3@5 zw-4&0+LX$K*`fLYxI^V!U1_@CyaK+SlKOYuOnZ)GZ}G)@E2#>BAJb?$bM2b)v!cZz zdx$mf<{aHuIh!qnNgc>8p?53%a1(A7+@ZQ7>yUtj!OtEYuj@PdyCfF*e4{!HUM}v- zdVGGR4oeh5R$7wzX9ol4$(uVE9!9U(9{djfZx5I2gQtfQ!y|UuwXcxj%gtw%sl7^Y z%=(BAHeWH$HRF4WVmH4uGq%d6%1}%ruzE~Kw)_0xKEN9yuUuE&V{*~e31(>L4k7Vh zsQZNfP{VewdN0Q*?YmMkB~_$8rT-tz+Lu`}V~?A4 z^!%{&<^w1K2-8yN0pjF32M)dqS~sy&su86CBfj9jZMO2Wv15;2d{akLM7RGl_XLhg zqI8NCHVw$R<|#i>N;%v3w`aaW)XH$yca{6x@Uo1LcXjTj`KQXAPe>V&4Zb1-3F;Wu z{O=sS4@q)+J*!Lt&~}fB_lT{c+vw8616E}yM3Dt01IHz0lyE$k$u$)zzFs=YjZfUN zcOxU>Sgz9UyS-wEREDsi6vu*zCU~<^gUWoWCfVGglc0lThNMw{x^p%^qNRwP&DcfSK3&~^;xwhkF4+z?~z2}lj5grbrj8|IYdv>?oz~#LZ{p?tmTu=PzZ8 z3I1Q~8AZuC#;j}h%zE64o=-sW1DY))Cxq1AGHNe4^t)CNw|n%8UV$*`X;3IH0|_h$ z!aI2Mi<0*qgJ}CObsl*zZ&)OC(uz{f<(y1@I`S;+$rgPuY$8y zQXiDbhKuW!E-5E{jX(-XSq&A z!pSNUk8VDjErvOQU8g0rq>~nM7blsRmN~NXbvjKVYez2IcoW+TJe#xxU`NGDn6_yQ zikaT;q^!6D8DQGy6h-$_m$WmSvlIcBqDJeO8U-62N zI4!(iH35qp{W7(n7)zn~y|xIeZN^-*laVW0$@SEj9l~f#&*}@-L!~i}=k^I9g}q2S z?xj=%C(ElYBAbUnd8lp{h>f8MLE0CsTPPiRoAQU8*mbg4_@j7^7$9KhL|yNk7wPK_ z|1v~werTBdXTEmQzR11#aoja_P&=GhRinQJMp}Khh*(zaL50tgph_LtK3ZgAiQH>( zGvudSW%z<2Zwgpe^WhdTP^5sFd&!aa7-pm1ghMY&2dD?wlRE;XT}|KcBN`^-Dc=m> z9+0Pi-ODfgL-Y;>80eykvR({%df*MKHRC?i3OL>GYhj98Pqlj=vY9$en4e1)sOT%O zqRVcXH-Hha;P=s#y~udfzkWrTFWU)~I!8pe$XsJ|m+qk!rCU2uPdBSby9_MB3CQXO zv}cEoCCaXcAsMYi&Kncb?}Ui=%<(J!Oi0An2}zRYcg)Qsb2A(NR|(v6?>Zs9gnecB zeDhgl3@^aH27hus%@AMRQ7XXryVQbw*7>83dB(sJ%J@=FmutAcuK5P8xEtQVo3^w; zwRthCFC{}%fY~%>!#%5V=t>~|!-hAn+O685XWi0$ViN_QlU$8C*S=&dzI7da;I=_@ zR_2!)N{;Sd*pt(^&^5z|rl)QC5$pOYgY5Zue+O%eYale>2)fj&gLuv8qdIPmz*Z$-_ zgLF4H#lPM_rhjgr=TO~M{q2F;P?F~mm-`qD!q zJLXBV%uesED6ufF&l73f(c6d7&>@Wq`h?6}nT*L8=oSMORF58^o9LTA3opF*nX;gl zfhs4LbL^)Ke*ww+!p%{lD9hV#)NpRZ5t`Cl=#VfM8Z(R_4D%ZpZ3$#bn!NSsl`Uib zK*4)%Q9?1C{E}i+nbP?%<>jEzM%P;b@V(Pv5K_iFqc2XEMA|#_{Bfmg|5zXg*q`Vy z2nM%7{s|?QZBcX-z5Qn`CwyJYEtlBB{$)hm{E%Pux|XvM|K_fF^W&FJ*!g^O1o)A1 zewY&SAHb9MuxE&+LJ1)xz-Ho$5*J9X$yXIXINh6AkZ#zMq)~c_OjyfV+?RGW6D>HJ zqtQ48nfVG2c7a1#MNRJ;grI`RVOhrXOf6#cD(*9+9gp1uUm&^S*;jA(efGF|sK)K?$xLSJ`d1)3|6-nuOI zdT52ACNhs)f*%_)n|=wNgX;x_hc5VFEu!MtK7j$k)o#=OYAx4vF(J@K zOMgeBpLs8n*ikM(=uJ7(9eEf*)pNJ4Ir6-4&W5#&oTMfLzvtW%!_=+XX2vo7 z-6$1m)t4)+F5Wzkp`XH}k;;wZ1+X4x;>mk5yl*n}=r0F;ey%>L+4~ob{P!i?>q1kS z3=}T(JMMohG0G`)PSkX`2t5X7=o9fK_N4&%Abkc3l{lcS-Q0262K@U; z&F^}g>zpw-23&|D;ee00g4w(uWl$Gqmc_5m{VOvw20+lB&ayuZycoha+2dB+*ZccQ zkT!k@3HGy5-$1LqfXkofblBtwi;Z=L(in)_PlzW6@j)fpML4HQqjIul8nQdk1t$yC zMvf+p81`3KMDGxUUE>o5$=ci&$_vSPV^ViQTCV&|594^jk3I=&RF+e4qAZ55{6Dpn z7o9o&2#QK1!Y*RD3>&Ut~AXRfP;qvHu7gO8%EWI zxN4n8u+6^$j+7YB)jqkJc#X@mzFHgloUAVUQtlKpl0cs=8{}5(6~AJxz4UJ&Xvyk?ijF(2Cf;AAwd+PA5r>@MS^lWrjYY%5 zHQrGxbPUIdMX!2gV(X04!N}=LlYQ{)U7C-ZMO9Xst3xn|ZZLPHnrZByAR6nGL31v5 zAY(D#AlWGU_JyJ2ylm{GfLl?x4NP>ov2vBZ_JWAs?J|l+O8Z9&x^bvr+g0$tVs0tt z&?cu^Y)m+eFzIbbj_%XO1k+Hi0@eNU;i<7t5RW5mHJrPBwSY;>&S}GF^}#RuRkMrD zWvds{d`Iffy#}y|Af|HkZkof%4msa&qK9x`1#OU00uJUW~2x#O~95?oa zj#t64+S%hgMLwfHrE{=8K=0VDbu`=>j>lNBv6P34cr%#1MnLem~zw*L0o2@@7TMQG=hbYI_DYCW5u(?G` zq+T`Sa1B{G(TLh7{s~&Wu%8+}1I=8`Nl#f^`Iw!q=Tu!@oI)!Yb~o$ioT;>FKz@|i zx=dfF5OG>{CUK)$eD$XZbJV+HR4l$nL`qDTjc zrF5)5WPhz3w#ltLLzS?ERU#Oix>u4M=+AZoJE!8cYR0#|^+Dd1^#*#5IY;`L?H$0z z?m%BOxoiX?%mUjfi$~n82}X~<$aGJZBx#yF8RLF%sR-UQhr1tDXt^B4R3e|zd?-rv zjFlYVpaHmLpSMefioo!Kx5v|b;Zq#nx(7MJhlqatbs!l+K`+;VwlSWl1jWr8DXo`0 zXs`1N6MD2)l27bYdgfIm!z21+7;llJkYOEJ(VL7fq1g zo#SeB5fbxIB(?03Dr~U1i!wMm4Ch67HQ_7#oMIn?#)XD^tDmr27kF7rrqbrf9B^?W?=^vd)#Deu?^`4ygbrHrzO7T$-W(mHOttYjkx z7LS<$2@zkzqXOcs3K4k2WP-D;TIl^pZ zPx`J#AybxnQ%}OH^w!ThJ#4`r*;*9X-0;*ie}k|O7f*x@lFVzj>Xd!NknN;KTvKMi zi_0IWI|k6%{Gi|~^2M6olVM0sR&sdOVN9EwvADzKSjr}}sbEP(ZCcd^(6=}|=o`)2 ztl>>44zumIfla0tY7|UmZcZjkXYDMS)0pZ?Bi!{|wq}N)5=WUoon5cGuSm2Bgegl5YK+_=9iH`V`K)(t`Q+LfO)|zRsXx#M+u;Rx z_#QH=L~)MI%f;ie>qUyGGmq^Q|B?n!X?$G7ORk=kNP<1%XW zv{KNlWZ@QK8EC#=pIeSqcVEJCDa3kD4ntO$pHgQ$+vC>JtW=L($QT2*f+^F=*w4K2oyKB^Z9dsr<^D^hPjor?<~emv~>7KP}v*}LD&H&xBDocpw@CSI@? zy&_F`Eiw0Y1GnP^TAt{=HLA_y&$nEYeOk#1Jr_I&<;%JCyj!N#5VkRXW)9ev#vOf8 zrerG6Dc~^IO0m0_@=jSp9_}~O#WWXFn_LrMPH?0VD?w+H)$8E4$i`*ow({xvWXQRs znJU_@9_l}6R{!-yd5o8T*g$%FGpNsT-pLe%QOvuUXJT%)T0CwwvRpi#Xl=XP#+Ilo zkExxuYaNz1E$miQ+uYl@7xnbJM%%}`Q^_8eXiEE~dBh|Mf?<#`wt^08%s}{R>`7fw zFlTP!YX6I*T3?At)DXa7rk&C`GYhURj5D_;-7{{j8^#zmfM!9W)ui1P$crixh5aDI zs`i~)4ii6nAqTd3dRlPInIF7YlK}%{W?t2f4k{8~P!_%Jr+Rf2@ixv0?&|gQc`oLt z1p2f26Dx4%*P+QRzMNvd{naqKly9?gFH6v^@#@2~ZVl0yl%HwFL}wF+Cdy@LFHcXf z6Le~fOvB#2C}y*wOnBdcEWg`1NSuf70c$VjSsaynhf%f!pbr=ELFSbyljl4@mlEYV7uoDf&L zRHs;|5!Z29>sw|wY6-ent$Gujq7z?ce-8ilUzGT|X&^K5({&8P`EH<5NUzZ}Z^kR4 z%Q#L-rbGLhy25rm$dVNG+QxkIruai!%zPMpj z+vS3Q26C=p!r)&1PJfwvJC}tpSmRR`!nNbw>Nt=9^b^c$O6gqZF4rS2fXkvin!J8{ z+hO(_OyZ*ZV}jXRlg94B%8BfR@uJ$pAKwZKGpJ0z)V8lAOk~BLlr?kTEoE>=HLrXz zpx3Yocpdu|^$KC}oSypKsFvb2}mxHCCZIp>YvVgF}l zO?uo24;{^xOBXqM}kF z-4YVgEv+ITT}q9Ru8nROh?LSO(jg!s;AlpNARVLG7~MHQnlX5O{O|j^?(2HqaU8s2 z<2=vr_ml2j3y1VQ&1IK74>@8bjzfQ9ydCFw+Vi$I8;DVpdMy{d#StCbFCAvIJtVrIo`vlvF3tskIqak`{w-mo?SzdYaSKzstqmJ2(D zeDq{ahgkPfe>G0kQktEbx;-8=i-hr8ZAY-PM>P+masCJ~ES+8QppR%HM<3G9`eJW1tV{$h zNE5@oXQAR?oJ27%S#wlE*sp`9+y$zAQ(u;7B;1x?gIvGzi3MKxG;DOr!ktb7Q&dcD zH{L{C+TgO!#+$EVydgI6qxDtU17c3Q2a#tvLwMCgky@Kdd2|MoKQcS1vOzLqU}**S7C)eUB+ zGp1J_-=W7dDW@i0pTcaa22~L@pi;qP-lo@=YnJs%Qv#1Q&-{UB0Kq1 zSp%1)WE7YG!O@CH0E0}!GCO`GfA_y;`F~iZZ#=h)?)#WU^jN;U?~M8Dbtgc2Sz$@xVrL6-os1WStnA2G^7rQHXupnt{!$1$~%6$X}CO*?nEf3 zrFp(@R|+L5TWcqYmch%x{1VpeTYY|G%JwScmNKSGEm=&=pe5bJd*`ia;A;)Y*en+~ zkD$jg9o9hiiv9KTFrll91C;#99NDKQv<+*s*d64OW;ENcnz;al&0m+B#ibBjj93(I zEz7rU3T`L@S0!av*$|FUppDP*+NiUoM-^cy?-r_jw&;vIj9_r}xX961Dq16yi=FdE zFrd!AN2H8H(|1_U6ePz9cm#sjOlDlyX7=%eR#hjAZ1J#S4?8so(1SZP@NDkH_BiQI zM!!>S%cf*AKkZo;i7jbdzk3_WFz(>uC!WOTorH#8%|>r{YbYL<2~&(3TYqN?LHS;>RNr7${x^rdGd!046MHW z;k|W~%qN+igJ-F6Rpm!|pegHMW7dUw$<36d$P)Z?VNJOXudTYMeoGkE0cf?Z&^PrR zxFlqQy#cs5#fG}wBd0}naqfMb={s>w!*x*fDuSlQFQcFH+hFIYj3G@zi zPjwjCs^fU?>2&Zn^g|Y^z>;mK=VL1~!*!wKx+|x3e|Ip+da`CKH$EAIzr0+;$id0s zmpB9Fo2ASr7-YF6WSq|tH5U~3G4$jbOXw`m_C2oi8Xdr~_?~tAM%ZMRuShqXMWfud zb|M2;2c?`T&N7e0mm4>-485i94CKSLJE;p)Wp^`Fc0>BYZ^< ztuX#2P7W-5=kxT`j94^I%6Zo;k>_h*Nu`1$+t5ptV7vwM5=Db7^Xh(GjcJW%g?%9+ zgcyk^xsOP&&;ipan?J~reKJqc5QpX+Zcah}Y`_i%Cs3PVMD==IpWOE$sxzy~3J+j{ zA#5K7MwzE)$;&!pk4n$x9GjW;X1qh5>uFfK$*?l{Unolf539vb;42wkEx8Q2+ffqp zesV1#duQ{x8aMlBnD~8YtetH!&sR+sxq5_v|LRUll=`Q7*knfEAQG|wzNiDzLRd=~ zD6u<~DZ@b5HdqXP=D@o%-DK2t8EYG4o*gLF`M84U$~q$fSEBV8U)E<;N9=&G@oAyS zNNrzLR*x*rpj3Cj0@A2DW027wS9%e=IeTA<*RH`Mox^!MVy+AAL=|Y?a?ykBN)uWG zk52Ih?@f9IiZTEE?7>@Yt~Ge}_||ftb+Q?%GltIDHcalp`|hp9e}S~mZmClNGc{k` zM(z@~`+v#E?C#wPe%}@Mp$zzx`T|N8ieAZSv!I-8!B3MoH4d(eB z3cD{?MLHl~uoQ{6auHJ58A(}sXF)U2^M*asyoW&KK=8LNVwXD^n=i5NKBLGx3rcfO zjp(3&^(exo>WQphsNnX#w$JB~r<;Y=d8bI0!)i>MZ1dM)5~){?s=_lpH36H8ub~IU zd$}5|QPk&hvCkDq?H=%}_cG7lYy)5*3yv%oaDSGl`9hFA^3K;-yHN{oX65iVv>c8uHrRu zBW^H0v&8vyA%L%8ZSZNvDXB^7a(Lru#ZEQiQp~(9G{qBAGvighBIWtO@U~p+pNAE9 z%Cj8(PAX!=ryfiFI&5~BEP*txB^z6OO35KyWV)=KiwAfJ>He7^#W1j>m2p7e5P>!V zr^qgHKU6=K;zN(}f?@f2QRYsz0RCspIJ6{cjq(u<>L~s^V^?P_(LZnwk2tnjq8aZP z&GDHQSs%C7Hc)d&LbKR8_84E(Bj#5n`S1Lc%dYIe3eky8$~cP8Y*syQoLZJje0C7e zmI#l}x#cSy*{YS%8}9frXsZtko55A*3f*PCSO)KK_hX9;w@!NwG^SxEO&vc*#x zF=(;y)YwW@y@L4?X!{dfqF;L;A=8g$P1WD5%Q6*ySf(Mp@C+njrL>qWeN&K{nB=p=O$e z8s;_iljw;ipq;qG_QKeGz&-?@i$zyz(` z3`BZi8TZ}m{+IqpP3!VnSUV5IVi+oBJ!=xoXQ=M}`U{ZOch5&G(aFlYy8 zJWm`Q6p-E0CqQ(f@%5loZSWzEEtDf-29p0(uk2*@s`dPcj(Rdw^L0lC!6yM2$;~(( z$9tj3mdkTAknCiK7Ktw-6&n1UUz*{_Bgwh1nSak`WtyL-kamW50VS(swbFT#u zZX_`pLMKGVPkrUHyzP#N3wqZo8~`AY3+%nieu|43;8=Z=QI3+EFP(A{S>|QVr?R~) z=AN?PDj>G-8SxbH&z-XbG+TZVJf2n|mQl!?96U}@gZc_>L0eG?@W~Fdu7}(_vQayg z%G@BUS(@!kekIfn;)?RV2cc}hgw90$+wqLVfKKY~;uX`?L{`%9hVi5tmU(me>AV_~ z){py|$i?bOJUNtOcC=MD@tof!wYZnVS%CmXW2+w$kJlBAo#d;-Dq-Jo?y?nImB%;j zc0(vXb}8#M9PD1mUSziu;-Ce*T$Qy7yBMlKYcrgH*euo`{Hzo9fQC7- z<;U~>Wc~rxtZnK%k^*Hwmvm+&`*|=SduqFyy`xKs7O6ezM&?Yj1)A_NjnY8 zrS6A3YWq;d$v}u7ziEeeL(~$G9u@x}qKT2L&O^|dJy z43iO?o|%+y>8UmeNHw^nU95+H&6?R@+X(nqQFq&3Ivw!Vd|G0bGMYtZVYiu%II`XR zeq;l&-6gmRZbc~4k9TymRUf%1;(ZaM(L3XRh39LTFDZ4ro(ki&Vk|bNghK{8<>7H) z>G->Ofni_u`aJBH`haZG)!?sI>*8Nru#0{C`Ga3aZ0{=2GFzHavVw7G1mAOL_0T(I z?o}v{1DKn6Ls{c~ndcj))L8C6`{_;_$uX`Ok~ILj$~;;;ywzJ=u@9@6(cU!hHu1;N zUh0Izf8vj2avdu#lms4?(&p9r_2SV7#beKopKpJhygAwSk(BkX1@DY`-7|hLZ)!nl zF&W$}`k<8^+>@S~+z{LUV&q;ZycVOYA;U@)_)JsLtxn`p7$Kb;^VOesaX!tlSYW%+ zZ?fNPYW~8l(GgY|$OkS?CGOa=4~Y?vTiSw@DbJ>0iUDk*7ie#gcIE*~q%Tl+llfW( zk0n_W3(DIRHI`Q*B;+g(fDo3ojg57~@(w-pI5oh47Nq=GJ3M<4QYjkFTj_YZ95^iV zNa(Tk(#kJwgc4@qjmm~UrrA5XY3?R|!D@LE!1i|tVk*yHpHDB;(Zav?r+1zqbFuJY z+wR#!@y<$P>S-XB!Pinc$~Q~c^fY>`P9=LwZ9=s24OXKrPWJp6f@#YD5>uVm^1NiA z(`V3;Xc|Av?Er?W+%J={S#asO>`eEJJD4!`Z<+>#1PQiO72j8D&B(>U!;GmJ_oSv+BUI2DA(b8e^$XfF>ePerFMl^&*=^phi>96pyLmI_=nd8 z6N1{EyT_8xn#y+vP(Dv~xg?0#+NS{k{Ev^c?Grz*y}Axh6V8pbbFPBSRB`&(J`ysB zJrf_u@g~$Wx=UCDCmVmhJheir5oRkjDOu~fQ^2A|kgb`Iv0N>w?cE&KNB)rYq(HA2 zTZ(3|MfR1hGgy`%^VZBZPgML?Ot*$-2kk2?<~L&Vr+4!tBl4R=$lJwaBEsgrN<1{t zpO4R)>p6;MTfNVbMZZ67Sqj~lh;J{UO#@-xpSa^6ol81{qjY6s&UrO)A}4EdWPdwn zFD|mDdm{oKcKOTgS&AJ`aa=8HG#sI)Q}LPyaM}WED{)G%{4Hiq7I#q@wsV)(QWRwGIBX9{~Ue*lAHV|^8o zsPq$uTGhRzH}k^fJ9nVZG!oBV1`~*Sdk*M5aw!D087&n*5#6V$(_Fje!wN^289V$Q zi+A^Xv!}}NBp!zf9v%`HhE&)_i@j^DUw)TQFu-}5FjvLPwEj*|NW7Y0=2sk}RH)I` zXSv0t5F<&HBW}!ID(35XdwAX7_WJlSren$S==^;Od07u*<0?p-WxgEQ|FYB~VJ$}V z=K}&;@XOBqZ`}flKgxA-37>*Z&i}@*Ii@6xhp8z5>tKq^(H~ZnPdU$H!jk4rNmsOr zQ2kLI+&ig`Hy!ytT!>^qZZ6<>B!2BLTr4r&v)wh2EcRqbp12B7?ywZ~^+Y_ z*{BY;@Ju7kM|yc#?OQnh6twJ|8gJq!Nwq5))ZbJ^f#5SX+zrdQ2TNLyUx)E(l~yZI zK_DSnP$AK{ojv24>d6@aCsEKRLZ6iqT~u@T)M&$`^)+8GX5c8;A;gdzXZT@IV#~ua zs^z@bpBZah&TH3aq6A&~;bk&uIMm(`cfB_ZRgtkRafqja~mBXMJ40T zE!{u+BdUC55csBPJHO##_i`BFx;Ph}XNIG`?y^w9#_YEnB@`!q#6En)Tx2Zdu$wZ`YfRdSdA%QG^AlR=zBb)65^ zD38D1EY&j8m&0w__v3U1Pll%e!qHn0Ji3)THy~~_S>m|Nz=FbWfM^{ttd~gLMLy*| zIC1$>A)xn{rm!{mwiB?^8TbE5a{`s_ThQz&hW>JMWWc%hyZHJc`MlEOX-c$+YZo2; zSC$ecJW;6aB6&0=@#K0$oFxd0jN92wAcM3F7@=}zeDQ6QY=Rp8#)}DB8prg!$RYHJ zir}@|mHF!Z{>*Lt?HrO|H?HhBYS60Y%KOvBZt!-Ka&;OC#SXKT|07Geh!?Uj+>scTB_fAzdW9>8|K`+4i-8iJG+GRFD&C!p2) z*RP+uKYy2GXj36!8!@^(lJRgJ2la_-RDJftS^lix96A5!cjjW3$kdq27tX_kDnJa_ z`6rW>X=;&gfyA8g15qHCLm$3ap~l6N4z)=#wS$Q^>cIJDq`LdVTwZpHbTOn+@I_%h z2KPO#-#>Ja%pH|8Gw zxup4fW*1R>2FUYV-WL%tkI2&fF*(S9ZC2z&Fa4AxWlWzObfVPYaD^%9i94ys$IjtA z-HXJ8Pei%2pbOoCgW>&GCY%?qp-MkZ0Db$n5BEgElG#@t?ja|(!?#LGf^UP)GhHX@ z;CpRAy7UW#)lx@bsFjx7@lbeZg%{GTOcg0q?l>t5DSUp{{^Q5fGK{1nN?qJk-=pZY z!%RKQ5?b0KHkGLA_f#Q;GoQcyn}hXv$achT6HU#D`i>k>7lQVPg5^2Pcuo?dRpA;D zme`3vJd4cF07JD49NkrR^Q~G(KQnDh;z&UL)t}|_cOw$~0)&xd&V|fE(`&~W9D#Km z=1I_1=dd=opT?=!+*(q?)KbpHp5JY>Qj%vtxPffm9iKF<(UimTIQ{N{XR#_?kky!W zhC?z=NYJ?~E2dHXFd&|PxQhwB3erp9U<^8Z0WeZ&a%xw5OL1_;NvGOKkceZS!HoV! zQrR%)MZ0S`j!kE~e#U(l2OgSd){B0RzrVAjDO)Z+>%;Ao-GBU@RWVwio3&d_c)*G& zXwM70l|41+UFiP6_3o_!b~adx>1-7eRuC3qZX}vux{NAfxlox8X_~*XZyLaRItz+JW zYxO0m7HbSaYZ>0=$h5;B(l7P8n<;AqX9VK|`0iO{TeuyTb0DE7aw+1aDVZM3!aqId z{IEz~&zXYBf%k!5fF0E$*U}jv+x#wdZe3q>37Vr2ySg9De{cZhm*k{ijHzsp%@(ZJ zkn}c1VH#mA8k(?bOzPpmFPAoyIl(rabA3mWsUMgBMFRe!%k_OHwLZkUz2B8xbYFy*^(-59%HxQ9_n$1epZ%aaf6cH}FFT21%!0K<$$;kWg9e?+;I#@WqaynN_qer~%NZge)9JVHbNF1Z83FC z&E>IoLM)V`&nIOsY&_`s6`f--mp(*Jd7y=NVI z_3-*mOTS0nO!(j0GDQ}xraL=j^EPj)xj(wQB+YaE*8Cv;3PjKHOmls`7#672Au*N~ z$G^>1b(EJpb^7^RNcQ(LP-}ks}YLx=5Q_%>&4z1HW z@2kGZywnTcYsmb^=<+D|M;YX~1ZarT$(&uSO8qhDTRwo@^L3((c0LgB_mn?jK|}Jx zcEH(ztEe$`7zBdzK2Nnxu41JWoWQ`%ZOAGN6-*Y6BZX2%Ktr*#qDDEDlJTGamMObF z1@qUb6@X_Yw;<$e*D=4TC1t;y-y?ij(eF6^D3wN-5*thQ>@=3W1!uq2{#P?rC|4Eby)y3(y71{Gs1wx{WZL^O|j(?FK_Npm?T|gM)&j_5M5Mkg*YZ{vG8ul{O#la0*|u7 zsP;_!?U0?s^OZQ4#ZD6lAimVJPi+0gp?AN)7uBF{JCtNu`)Pgf{72?Sr#RRcw7+o* z{>{3Pd6N3L`V;U|`eFU@%*iYwR&eG6{C_SH&p8UL+9Gu%z|OQ=Ox}^qY&lF7k;qDD zOWj5PAzZdA{JUuZ8X^wBOoEHwz;$88(KPzi5FT_nqyLP!=agA07?keRVpKcsSg!?n z;jh@@tm`=;TX|I@h&eVdo;rVR;_5Bk;LrzxkMSl_$z@b!V#=~Ppu0xclp=_WDvVUF zU{*-Fy-3Ee;Ri9PFb@qg1NKlyJ3xsx?ik<-fhLGE^qUFxQ6wU5&J0&8Kb_J`83AN8heW8|l*kJ|$r^J#dplOCU(-?iXf0AUgPYkH*7OZb_spbr~(CI zQ!7k;kKWRWtlzVGvC5p4&ldKl_YlwYf+ z#HOsG?6A|qng(dGs7|lKXodX4YM9(W;=wT1c@pWgdn7(v1t3s-gHmg1>BW9h^+ zjLVl?DbYqGx2;)n$?Shsh$sB!+;mwHLvZ4{HeTP!`+|uGR1SA;Q7g1w-56aPjA3qA z^JDI_&DqPaR@EDc1X`SS>#?TCBdVp;=pR|y7RB%2?$+FWPm&F$DM7zXJWO~R$nb#M zC_3Bww}RKq5%fR^wINZZm^|L5S0-+$Cx6SF-$w11Gkf)ihZP9OY-+|rw-=oh6p-)Vmw*;rP;iy=ZZKiwHQPYMV+OGWwh7fHM=In)fO|A(m z(kyTK&l)6RQZ+J@s`2G1Yb@H}Jyu{9;R|#9LjMP5IQ(gw;OAIkgK?&Q1RoP5iHAw)o(r>ew9Kgo2@d_rB(zOvB4hno+g&a3HILi09_H1 z9aJx->%WU50T)BOK8o4jZS0)oe+KS88LqzuxZovQA9!LJB=<|WgFxFo`_a)a+Tq?shmKD&h5j)!-4hEAXi=(Vt>FD8ZGCbgoNc#Hm3qYUKSks$)|7x|!^i@?#=Y)w9 zF@f2Jy5V}6vCr%V%&`jvvrJEg#2OYk`>~N^oJTbFN*29frzb}_7O2(_o^W4luqGrZyNBdok zV;X^F+5s`#&EPkcdew#H@^AW*JJ$=2PYd{)rWSRTnbd@g_h3i%8NTG5KUefckD~#f zW-7x@A-mBtg6{*tsv?R^GIts*MB$BfUo#y%3K{RRI)51+4yRClp+p4I@e|}MWd8NL z>Ww-`O^rIO${bwuoo4TyYf=18ETNA8-n;iBKU#_N_kQT_D7*yatJ~GU_@ctnDttIq zLo2L24JF4eid2J}rkE3Bb9g`|@8ExrgI2Uo6#~~>$o`2$2m_YXpz3F$z(*D$953${ zVn+QL>+X}WPo$h*eEaQ6 zY{=ZIqVv>Jo2zM+qS&m6Rd=vkJFh~`AvjU5UqPE8)zjdFJ>8pMGS;nK9sW@aL}k^g zdzZ7KmV#`1ANohT%cgy$MA%(x==5mPtWxdupL1Y6_{+1|EBnPZ!$ZYdRaNb8nkS4E zQCnZBZ~|eKHFvC`Z4c&2WvyiDO0;R^J~3i@4x!oW{@H${-pG;dSKsNUbzA2-eOLI> z*Y)P2H+Q8gj2?yj1^9}mYI;EVl&9-29hyD9=EJ}1aoaEQL$@Q%9p_UL$kN>=4W72Y z;gTu$ne_yCf?CB2@fkosUEZ{@3KBGSR?e1sXQ0-N;oR=o05l5eS(i zT-pFy6i)`|^E87dKk`3DsqXXdJ>Nt6!p?Zi}cf}=DdD&QCi7v)OzuK+OK zl#?yLai%IfFS+C0MfO_O7M`DBh$?&z$+A1ty^95f7IHy`z%A`vroid7z8N)-`Tu| zPOKl_z~@X9l{e%f7n;|eC;TM!idU92gXPkKJS)LRX_2{_sNO55Ro6%)aU$nqLzR}@ zmm^}+FGBO5u&;Du^n zJe(|?fnN9l)OEnFnBT;xT~0T#TJteH*No|xDMw+VA= z`^3@ZIq&U2x@RzYm(H1S^5({S*vNyG;VwpmiARrhod-dihZOu}+noa@ztiDuQ>6ZyGOoMYJl%8L)mF!2yHI$KNVX|F!Bj+t5Y|=D{mC>)x zk^ECm{Jf3|e+GZucBD@~Sibnc1s5Z3Uu){AGH(PNW49LEF(}42p1YM%M^{BGaCx{Z zH}F$_@<6$Qea^-HTJ}Dw?cm7_rkuJiwC?&%r(&I7(7)XPIB-6zD%&vyoN6o5TjBr_ zf_>DRk8hZxm==U-Wc)nX)EB;deze!y@v1Af#bOdvh{!p-$nP4o=xg#$C8&FILWB^X zsBY^mo@~8^cFUSMk6vJWs)$j)A4??RTyJaOEclY^q(L@hWG7LA`1_-iF`)5|Vc&vi z!~5<A+K+OMcTCP<0uup%&tFY6okO4pQ}^->Gks zuqJGH-2;_ZRD*M-_mGG>GAuFhUod&%`VnHMP=-FKNPD#vsCo71lkGt2d+)2L7TYeL zKHV1bmq`uY-QV{?c#NOx@A)7_4+FYuHf2s``AzYqgQD)w@t(=f|HrDJ%XGae_-^LS zbN@RK<)2s!JDyt?H{IrMeR^LLV5d8eUl{%oKkldeby5MN~Q~2OK}jzOB7d(UjuN@GzmTVxG;9R_CLBK=t*bkFkd_ zc#IsVtJ|&B;xhg@_Hgf~C$qbD4N<;{PSU-dC-Mt-bDWrZg~ml8PArj5MJq4;^R?Z_;(%qtD! zGX^}f31Y590KHsa&p?(ir@FEkn^iKMyMM?61C}GUn1ar^Vq<88*)R7Al;6gg-oxn|L{47*H7NDm`G(MPl7sqM-QV<1N5^5nU?{i2dr0`$|&Ic-ZDm z{CrEF-7Q}Pg8gF*!*1OD5G-{6gYvbY#xu)jq)?Eu>xQ|?^5cofpv6#_uzSXrH?K-^ z0=IU&BOj6J`d6zaRQH-hT>Ln~`0J5QC7IcePovEt0SVT)ct+i6-CL%0lPsx3rBObxM`Y{~~?JWZ@ zj>o7^Typ-0>%jyG=`K)ZKm5@BpaUxJ)%R8pBpmx}WY|o45#w$Z4i%7q&pbWr6ru=>X{NWzJEN772PnGp8iI=F= z0+#0L(;14~fO5GcuBwyff6*oL_tZ@P5y1EOhhk>_O91~47|fqNmwCyI$0%jlM(}~- zwvru6Yo6%$lg)<@E^_lfSNPcJQmQ)ajBqu7{`~PpZAjm%yV5`v$XPYx4?ZC3G zyUI&Ay7Tqn;m#HSyaeazUI#7hQ;!1q7SImB*a{st0?~dEJdbAHbj*z8r#p|0hd>R*d(9SPGfo)p&tC)p?FGax7pFM zGrAgpv?qL=!upL||6WrNC)1)sl2y*xYunfEmEw{OGEeE%)hvG}>{6T@uk;BR70bY5 z^)Av9A#)H~4XLyPM=;?aGe<=({^vbP;QbED;o+u(QTfjPhB-_fBR6-lj$7$W5CG->Q1te!(F(K1EU0g)*LjVaRyyc3K6xT1g#UqB0K0qRv#nuws-TH@>rkL>= z;;GhvPWqagcpNaA2HR{u=@MQ<*|&cS_N%W2`<=PE7|93IT^QgBFpr=QeB1%dXhU?4Yv_Ks9NA4r+l4QLPw9sa;;%l>vEBRNzL4!U^vILj6>GyrjN< zQ?knj@aw_jUwpDjobj4L4N5P)@w^uEUjr(RGJMY4*L>7-mQVF0bN<4+_3|_og~)He z<-s*s4an4j>_1qHoHz5OUl5i;q@~<_+5{B+fy~X z^tnK+j4byLl5Df3&bKo)#$Uuwng%B}dmDn&MpFDE5#7}jGmis_otjbX6M%?96pt+p z_{N7ZfbB5dd)9aRD;0hOwm5A3sIK{-#NXg?HL@AIZGBzSy*RLaUBM1%6DIIII7$X% z>U<{O`N}qUg1UfHq%~GBDH4eRIXUSYd%4n&$^n->7F38$@#Xf!Jjx!R$_k3zDZ|0t z-sU+0+?AzU^euvasL!Z1&Y{C$19>DIGdMP*m8@mhF=<{NG!yaLViy`uJ4uzpy#Tw4b z;Hg=ihIlQN4ft0H1*%f2`~dId;vto8NogvdGIKS;AgNsMcS*{&&oR~UMvW!7p~M{pz&938FFUj3ZJR`;27>%_6^K3#UOY|>^?AIol}fdQ0t&eVeO(uzll^MgE`A7ln~5z@X!;c5Kbh+ly=fiB8Q}Pgi$qk&j>!2 ztr1m(0{V$5b@7v^q8<3m6kqdRqX+Uov7&2uWcPCckaGF#zpl`Yqm5;+LS(Wmd|Vq|D0J%3%KX*trVDXBr1X}alZY(x-9k!;kZIv^eCv5Eh7 ztd9v-$nw_NshIeE2P;p7R$Qzr!wqNqeECwrRc&gj^aR1Fbst@obXqBD(skQke9^<< z8}EsnmF+E+)U$69e39K&jWkFV5bKy?>tkpssUp0i#{o6S5|Aw%=GB@h2#?8C^N9)- zL+u(xRM>gWu#a6+V5BMyn`y^7<2%+b)i)mYR*Z*N_Mm5y1I(|S0^9UBcy^cBemn4_jV#SaH|8n-ZY`BFT|u&7^et(v*N=G*QO z$XD##@#Fy?yoO6ypP~HF3>56ea%YE?DL54nPB7X12oOu#rh0V;=yI<7I>0gocJDM? zy$~GDoOo^XvSNp{G^H$T1GQ%Qu=0>o*W52Qa^QuM9)Abtv_^4;XJVv$(nI*oH#`m% zGHxcnS{8n22U*UgJE}RaS99XeztVeB5f-de?k?YG;)NEr@wAZ10AU#5zC6bgrP$53 zD89ETzt~wH$bQtXrC?E{=UxhOaPuIJij2)#4PMM3TQ6EPL z9j)F@=dUpuiuH(?N;vWy1@Po+E+s4w{Nl8daQOKhky+Y&E@>llTmEd>@7Z!0t0iT* zPIJ$LE_Z!H;Zy=sW8JAN@l4SFT(%ccd?md+dLTs+jC@65LPuP*);+Xz1^b2gt8Oi? zMdbn;(DY)++S(l|(?>NgCMsD6-g8_L0n731(Dh>c^?cfHy{Xu8zFCj`MV3^xvIN5E zf&v@8Ae_P*v*q4QFqt?jY{k1QtT`zp3ZQg0hUp@!St^z9DA7hW0(@PiM;nqwTke_I zND1SJur^QrAgjwS-(`mn3}1u;ZRXN)3xB>u$;Robt;E#>JevU&z{{3t+nogq0buWp zZ!OS%{eM(QN`MN<{ikjEgqnI%*Ho5r1#DUPQFegRs^p@SO%4DrYfoyNmvE==`Sh4v ztt0AW_%DTO{xZKsp}XHru5^>QC(mK!F~G%Tl{OyNd~EBqw8`Uw)am}F#QsdEWw@*0 zyDVz1Y-ZsXVrg1rDJwwB%xCSyH30igpQ(@=6KlR@GT}G7^F`>QXE%x|_M>Gq2?5RJ zgOxmI#TAWaUmvF>vf_#b^P0>1OcA{P5i7Hoxli#Rk_9Ez-SCWq-^Os%>V-Rk3d=|R z`nPNJ_HwWm%*9md-;$x$H!uGQN>GWwnExM+cAb>{H2V4cjTfz3k0O0uxP(iF-O~RF z<-DloyU59x57w`;@(gya^5KknOI7=NFA+!yFK#vafc|4v*5>?S^mf;$TO^T^D+&oa zv9i;gK5zC45^u&epXychcop2D;$E>EE@&P9(A7cR$meig)q(whA5M&+G6v+7<3BX% zq#S%~*MDvlhuTbN?BsVbGNnZ{Yk$a7xfd12%o$Wg>d<*f6o&UhQKZDT!dwk9(7|!% z2ea%SBjBu@CGfi2_u-4SYO~VXGUlFDj7p}4*s1@qWr)m^JPOfx32II)u8nq76O{zw z)JMJyq}8_mOl=Qqu&d2>{&%wERdI*%yU+IaKHZB7Ka%xer~Qx=&I7HqLhkrt3!AdD zRY&WCY6ptSh4GcIJcfB)(eN-TBTk!zqP{?fm^7nO^y%aRLJkK8vJJis$V$;)oGSyH@re$ybF!Q5HG8GSBY3KC#Vik? zXDsx}be|0m+t%ZK3IC};Y0733^AtYu(!_Gm`|$+oMDD^)xL*L;T~+nE(dGfJ0OvND za{f~j+gn^xuFAhfQ4)vRu1+@l*)6e9nj9Y1?`3rkvip6f?MUm&pSzh>;$K++OF(j3 znKrZ3A`1aOz3{^L8a1tDd*vrJhwh?cFSy}Lug;hEL!Yp2EoS)x4d@yYg)X&&vZ*&( za2Tm{ct@3@*SOA!BA3$9@9#R<^7#|*n{!V1CIcS->LASPV(?GA4x^~9Lv+%fZ`-h} z?Z?es0Uvxef8SJ+1lWr8;a^Ki)vO$=z9)F55FrUn;nbq~r*aF_=q*Eb>AsfxhLEcm zM3oMW2gllZZ&N4xTH10$&I!Q*?K!kcFk9Kk*5qh8Q1L0&xYr+M|?6H>Bm1RxR2LKRddRZ?D+=%6oFg^uN02@PGGOj`i7 z)=f4M=8A^ED^&R;Th>_;)ic!oQ?)1Hd7ZndOBED{0T7&jA=A&@Uq0Susd0anum_Wfi0&kLHDL9T_Pb%&&@ z-QrO2va0M*pJG=i!#=6Qz;9ynlGz)=gQedfcr-ad|5D`vakag{hS8^561xMFx&VYQ zaI%i;rVlQRYvpgbaF`K8K6BCz=>83;WX&5^uAJM%@|d}8rz=t+=BUMhaGFy*R^gA% z%)(zyP}nr&F2M0lKxRBG8VYfv)0c87rU8`(+a zzO1_R=Pfg(ADanl;07x)k|h5qM>k-gon-%ECxxc5Pz-lgz>qD&-!JDxn_$>!5^S|1 z3y6sQ`tU-_fINTiUDdh(If)L(U70Yv38VF`=kmg_3uFw>S>h+i{~vqr8P(+4t&J)o z;!?T-(mNtur8ku>0s=|^2?&TtQF<>CQ3+j|p+{=yAqXnHg(^r3T`3{708%8BK;V0D zE!XS&?)~jG_88~IbOht8BCU88h~2qu z7Rx+&V$!X4(ZGDQ>z09gKu`WT&TjQGgF8eA$GXKbyKkcdub+T$;>dx>x>=>dE!QUheXsSEBx_ z>E2V7$7`!^S@$RH0oBDG)0BOsp#(~wBTFQz!1w6RcRL&~LMB{oVZ8jEZqMw_X#AOA zKqS;r+K`D{{c5ABu(NVaK%aI8|1ZnAsNOim54xb|{r3z-z^EFJ9*~co6E&$IV12%5dSC(3t-=|8?HpL$r`ubtl39#r!ll#rfZa)D?Tl0QwI20YYhg=ZO@*fN zg&4_zSyh{GWD+_neKWhyN?&o_p*}#1^L5rcJ8ES^|CI}H$>CR8aQu2^TULcjtJbQC;%Wajq3)Y7`kq@d(FV)U@9PNq2TarSpAOM)eWy3_id{Zx7Uo*s zZ4XT2DWuNxU7lm6Yt0osip=$k%7j7Mv_=0Kz7HqGJ_r?!epcjIgLt@bOpH_AXtYeZ zexg|ZPU;^UnbEe=RWmwbHO+pOo+U#cPCt!*PytMLctSy$=0`LgMjkc#@VWOY!H&ng z4f`f0rZ&YUdQ&>(`s%`$OGXkw?N8l}#IN;S&t9!|r#V*LkN6j1Jq{BbWDA5ci$QW<^nednGL&ol{A*OoW`RI&;lo2?mxBFKzm0KP}F zX6?Iz)7~5`H6?Tzg*ZWWJd5mjCduxp=gF&MZ}wciSIwu887RH{7d3aC@pvw?33=de zbltIcq@{e&w|#yUsT%zJj5y_YTJmd^1+B@}kVFfLNk2+)#D3oxCXPtR*+(wX?(PHFMXKHd4i>S=r7#AxA1%Cli{Q2G~_mmDg% z`~=OQlQpzz=Zy8q4d{=cT3N3a)1QhIO*o_;?WHI0Ph6Y&vhqD(-^%-IuVY=|!;j&#Bbot1-gPv_Hzv$om3IuRLw-ly+^i&r~}Ii6y&HyB|^VzoOi0|K+qFynY1ZHwXLMAjYp)e`Z`OGou7!hlS6iCOkxqmyp!AUG8q zM5CJ~EBXE4^S6FElDQ=?4#%eP`JtJ0D#rwI2LmYmY!>^h_Bh1qwhRxZ!YoHg2jxL+ z^%9K{ZSc9?j*pW;3d#r5EsNi3yt`G70@Oi8Pw9eVR5&g=*Y7m2 zzD6S@^GV)^ajPG>I20 z=Nisl%XeVj?R&SxXCo1+2}(P_>1lyFVOgPCTDbfmLw70-f*_;Htsb{J%w0BR0xUh& zyd=2_+ef!~pEGq>gKZyk*k!Ji-<}tsQR+Z<6lu~5YVY1kBO}mC-w>7V%u06LSRCbl zo}Ky}ocd5C@Wd;s=2ZMu&3pQR9W4mi`9%lf-|3PLdzVNww>9q8G*{yBqJ&)iJv0|q zSm?EnLqv=kTN)ppp7$Ay7%`O-V4bK+l_STw2lX-RUNR^JRW4>8q6-ki9r+f!qrAM* zbCPcfh5PR{tlzlR4X`Sf92CANx#LJ*$}&e$X`&&`Zy@4@-N-yA(Q}erf#*ST1iZ?R zUJzV`TY7w%k=1Zm09kvf+jFq9=u0A}f8|4A_xle}TOcL3N)94#xUeIwD*GILXoF)l zG3ogkHb&mNmgEP0IrTo(DSy50zaRd6bYoXTz~kYFPt8sdjqyxK*@@DgbJu>}iQ_Ms zX*Bl6J!os=`2FaDlQrMPKL4oO#hg+qxdf2>p;|ap+#!1TlXg$mZaE`00VH;aue4SzV?b8E zl`EzSx+n=H3WI#R`zt}#4@9qw zndy64x|#7`$PX$T}L2NI1_58TWSqfiUy_Cn90=~A8Ap^+#zz`>G zVmsB%c1?D%m&`pIgK*Z%O^8EWmOEWbzC7+W#)#CJts=K*rfMk6c>@1NGulG?+)1Rf zbyLc7*z+>xU_YMePyvG4VCDbabbfyFl;Na`&a>2=p_;3IU!TZErr;Yq(@ztL_=^?m z@oHir!f1YA_R*uRtdTNnK}|(LZ0ta^SO&d~sScayW`7m>J`Z&hg3UuMO_*4qQpumo zo{DG4ma+z^>@BH6tUZK6t32lTjY@CU6SIvpm-QXCB|*y4Ip#Vcxfd<%uNU2-Ds|&d zDN;Tc`Y=z|(Pp<&XsI*dDGw^FOhXJs2BTwro)7qo(s~wC){QPZG(yqA1=#f)1kBHD zX}eziIcKK3da&cz>p_qKpnQEQyNSkW?&3+iiTxOKhxBE5bgPG%-Fgs<5G_y>KC*Cg39s@OJ&AhEE@05 zjqlC-@V7l&PwW+YLC$qRg)*7 zW;8JkR??Le8CezzOfes;-p`1{miS zXZD~ZJVett%C*l(1ZPD(L6=7Ow4yfX^YK+gVGYt}GmP;5lTwo?w2P#j+M*ymn|lCW zo#w1$VfJKUletW}9H&%Sk&64Ap^=&rrB4LHxq10)84y|TsvJAnAd~92|8%nd<{>oR zmGDg4bv`A0@w5ExgWUtVCyFPXpWqdx!GNJWR$aI?O~oBKI?b^0hnbH?xSiT{>24Oc zj#)zyse2JDi%`GtDRk{t5jBZ0ZdwvLj=rkdN9Xnk34$7= zrjsg_^0`G*2|`AtI#VyTE00e_{Pzy*J=rf z!jy_aRhUk=E%u4zc1cmpZeleW8Aiy1Pp^Glr1?);Y6A zr5?kP5+EhQ2ox?$7%@wTXjnli9+;aME#&Oz3QmJz|IauM0H(dp83q=GBLEl=^N>~L z>FpHcFmkh1j{l_P5&;#O?F>B-$e>ro&fMh2X~EK~h%J^^mS?gVeJQhv*V^?J15G0| ztUHWKu37@S-|$WO0Z~IFL#^*fsW&aTX3e)rrbYx}e1WvV;CMOW@qO{Pr@I6sppSo; z)jsdLTy{YjvIb+R0vA2W~UDbIF1G80yQNte1Zu)&QN2TQ5HwYe8fWQZu! z2(xCUBMe>kzZ9x>v^O}^PG0-+MJpxd(n*!;1=rq*+5PP#eqz&K9^=;!PeLenP2E^) z3nqUzs(LPR`jgH@7(btC4aB+0Hyv);J?57wZCqYYbBCR3z3flWN|V(`xj-5c%$s@t6jD^MbDT!ZpP(We)hurV)->Z{a|d>jqEdxyqLKGb5dBl z9yQOy*1qf_S%C#AKgy})D=~1E!YEyz%leM-U{XQ$A=*oe zsrjr=pn!gc;*;-Hi7Bgx*5r|mBFFLeJ>|Q>sQ=EF{yG^6GD|YRtM2Kz#Mi0+=4%7= zDEY`Hy$XiJYiS=+78+wB7PgWiOd}TOM@zE@rAu|lk6!7# zzZ4U7Xhx$bPSAH4zGSP3I3u@px#}*4eovbeFN6$9f%?%2KIjyUS2-ioMhp68NhsPE zM&=ouD-^2I%A$TKQGP?zV*63ot@A-o&17g&rM2|VdZf%(oj}J>1`viQxl74SyfoBE z1?{gMw&+_rMe?JlIVHD@qn#qn7?d|FRE82&s>&?`q3xP%S%EMTs)%VL{MGXjmGtM{ zq9+-TLrv&$sG-pT{Zpv9e;jH`CQa8q{~l_@$-?#-fM`=HGC0bvOox*@YtFN) z%Cga--%J6gWY?qPWom}%%VCXXRLk6jI9Um_PH3Gn80j+`;V#6%A#fC9=@kHVC}i{^ z2qJOt*oeyrU@9HB4ijpiJfxdfD@|xFCCnCSS7fHdvBp<$4Ov^2qi&3y9igannIBj5 zl?O-D(5guvMDE@Lanf6#ObOVFOHo%EvRpP`^YR!1VvV{8sX+fcfq(Zx1iUi8!H=$p zSco9prGdNUtFvoZL)$I4+XW23^WO%B6apD6#1WduClhjfGG{bF0FM1D!~0Jw`kCTY z*dCvZ=oEOZ=ig6eiM;lyVLSH{3ruWR9jh5;lyK)_DTB1@n`u3v*ReXaIcKA)cXcCi z++86szN}O{Eiah2R$vUpy`Gfc$(A0gV=f2;-GZ_*mPdqxg?=xzrI>IBS$Sy%U)#>)ql_DF5qPx507Qpy1q|BC%|I zKE;OFnZ`mm(eYdNoQ+z(coWj3M2Cd>45Wk5;T|nWYv<%Znp6TQ3{6Gz0oQ{hpYh)Oaq;@rL+*ym%%OPmA!R zwH$s^hXdQQW15lG;ry0T9WBvi;snEtfG&OuSM=>i;;xrT;i*doQFii~$u}5VtnWvh zM%^U`GyQNoWhU!uTZ#=keJ@>2ljfz#x4Q>#2AFMmEng}O-Oj6}Ucmrqp-0J0rF$V& zTF#@i*hFy^lBu{S)TReIPxbz_+3qVEuQ`Kwzpj3>`w@x(Xod-Xa0EZuBtc-BpHJj} zNOS)E#@t{%&TS?ZqX-{<`(XVvSD#j+zfvU!Tuk;B?f5ihW{cnz@s-^fnkLg*Xklw~ zo{u&3RVbf=Bz>!Jw1Ko+UqLQi`XPqrZIxOY;;Mz?ebEva8 zbNUYP^5Mdy0jYsdS;7^^hpHEJ(zY8rTF=}J(rDEJk?_ntmHLGC=;*+D4}v!GU7c9e zPd5TRHWs=&uzzwR2FJz{HEH7f%Z)VJy==_yx54&$PqH2z?C?qgyK5GKi5A7%m5DZ= z*PJgX`Fk8iR#&g2y#NxPjX%bJB9`^sX?DqGx)XmU=#f< zgls_fUL%kKC#K+dZKLsb#4Q{RAr1*jQi9Rr>$S`}O$cYcfaY7gq#|{tjuO**IrC)d zSq}Es<}@DJ@H$=K+#q9Daeu1ukRB;Jq?N}8YMT{y40{A3gX&6ENFNktXV|KgXv%~d zY(&xzCDL4FSHi>xLVZA`Q5j~um0`k9F}Zof_@doX?VYneXUQYz@@2?^o)|i-fqQ@R zq`w~jH;d`prd@xJ`{1o#$NMWn!!MHYPO@AIW%Ilx*3fOJgKj(woK4@EjA`e9T%Fh+ z3qukzx7mynu}Hzi~YQ6qE<6Ye$j7$T}gA@;3C8O=mF4=3rOfdWRHrF80XJ=8f2#A_~b|-2;9C9}T$jk$#?eyu3@=V!`3)1vo|^K-7;8aky*C8yZA!U1+mm zH4@Y}V|jl^KTiZ*KrLVA@Yc<>l2ORcBoNro~%-ugZj|rMcj%Hg1Kl4dlA7 zl#`72F4Ss=z1it1Lbjjb3`&Fgk*xdG88cp8l=IZP`EKK4h3cSRyL9O#EL$2su*f`q znm#i^m3-kWtNT)lpwX+lc>%FA>)g2O0kjA_CJt(p8({tU(2QZDF!vBh864<~>JpaQ zHHtUm&FEaqp$Mb{!`)#`!MB7=-c84x*Tdos!}$$gS(6%^P56Qb0%p5KO>lcfg6wt z)X#q~#Dvgs!nT8T_ti$ukg;cGI9#PaH;Gw%QyLU6pv!{Wc`o?Bj+74|HoyR~xliBQ zRMe3f-)ugne~9p%?}ww!EI(iRTFrXfd zWv)6#k@|ywEa)gZQEosT3NnU!>ieqh8TsFhwl>mwWv324=$R`NR9?d5z{ojyCXFvm zOc!hv{V|f1F__J^q24&lz(6fv9Nwu7WGF|}D<*RZV>7F<0G;_~GTvLO?@dJB z;~Gr@P!_R=i~Gq_g$#NM;ubzjiC^uGlpu7LmIPtAufEKm#gCJ`>%LqPe%(p3Tlowj z4C^Tj)W+ih@oPY9`o6{7mO?A($5afOlj0k_O}iBB&ZChId*60;PnWH=nooB)CYXWb zqGjO)sE=9)V6ir6uI;M58AR*8Xn5H%DUnLNuO@E_G@`O3ii^d~V?`5PiJ{z*c<}~+ zY|4guY+;D~VVd`Jl;^u_bCk1J23p_8DZRSqlKEj+P{r4Lu0E+qd1LpwzC-lLVbVvl zClWl7+BDEaAMmo) zrrE?I0k1ji$RYR1+hs)=)c?f`S9cHS=l6+`Clci7UhR|J^75 z*EIAUBl&!SUFVT6ZsXH>oG_xM^?rT%t(A`pVoPe(oB9t1bqhLu2RYZE6W?oPcI0N! z+19bIm=*_WzF zmN5R&Q<(o+T0@C$sm#^h28|u0!dh=vEmx7h<-E$v%Cb-lCT-{}W~XKcq8JGXZshi+=1j+*m>wS+BpDNgSC# z9RXV9f2V+h1jb__Xz6P`P*b`(H5! z0B+Ip-z%6EJ$%kDjtHh3duz#?e%RCf;WrMlU}bBWVy24_t9B8QD}#u9y76&7B%UxJ zjEsON?%u6PtpS_6ZkR45R51SW(F9ofaxxe|2buPD@)`z;f*Rm}6KW=^p)F|h03Pgh zCK=)6t1@Sm>6JHNKHo%q(M<+COq{$gsKsyBCBsOa+)OH-7c^-$8WL1Ffrw_D%~j^!Ne?09-Qg5^8`2!b@kk}Q>=c~C z7x^xe)+cpa=ooe|xgz{Itnp`o1UTvI1q&JAU&+G%_05=tHl}TgRPjxdo|TvSo*2i(9e5CW6kiHw%5}#nz<;=01&2Ip=lGq8%j48MNhE`_>}0#>7wbS&TYU zftUU@c-pWsU&(TIjK&=3hiDT1?bXA0eQQj2wjEgp;Db$?jDl* zY+Q%lrP_2Sp)O7-E_u(;NKeVuH*8RZJreZO3h~G0XuA&Y!O(-f^>2b`dfA!a-fkXC zU#sFAbDwg*(QBNLUwvXyz5Be8irzFDlHVj}{UuawJLj=gG;}$~#Nje1fY*BOOcK-` zBYf7!K1IFiP8W+U#G3Yi-f0T}69JK%1r*Z5S%E?V$yZQ|7}W|dY?(o*K@cA1c!h)p zm=ysd+o(;eB5lm4JX~9jTT>z8m1A&s*en_CN_A$q0eh4XU;8a-qewh`$V1JtQxaZI z)!JP;dAIcmh*D)W+f|z-HC_C6aYV^LU(uM(pLRQsq!C|;nbWAMUYDg84Pio}R zBtMum0HFoP*Plf_0L(R?;ird{e>!6O55}wUj^d|>6{TCRn0x=F;W`Iob4l^rQ^eER z3CBR*Wf)lQ@^{F(is_VhO#19*ku$X4rVY0@hG1ij5F1!0j)rmsDjx1G)XetKIU`hD zqz+7rbzooi)atU)2UU%nhP z1B`c}8aeWEBGwUX3nSk!i4jSh*gYnTXng^f=eI*dYWrTG7D^S+S9PemU$Z{jbN?DN zGKG6~l_PNUF!58&K+%zy9)U|Pp;?$5QuTQobx^L8_;~pj9!lYISqnUZ7M=MP_w*o0 zVIFiwZKSkMo`rn#o3nV0*`R%!u8f(=hr>?Biwc5S>8_J&*iHoe^9Rr2!^bPtv(gtE z5`qriL z+9kMrWnQU^q0vvG^&k$|_za9dWm!=Sks&6^4C(;$A^^3e^nsY@C?%d19mmX4;?=7o z>Kq_~Vsbf{00iL6ibc&DCgkTd$zMtfE3o!yK#eS_D6B8UfR*vfA zh0`XkbEFsC`a+-y@bEWQ0i;8t>oAph?H|Zsjfci`Nk$p`z0l|06X`o`x{zAl7S!BM z1Cz?6TYNE$yw;Z?_@RfZSq!C*zT%!!THs7>BEwdpB-l51Znm+`yCltHg#P3jB+R_= ztcrXXQZ8i1LQ1Y*kEycvh ze{$^|??9(I?^KWLn_bzBH6XF=b*FBT-AHQ5a+V+K{S~y{$&v4}d(H5JT3ce2V!thy zyf-W{Ym%ph<9<=dc6cc`kDgfGVmW?+Y-x&hBA2S}tynbIYnyxYD}Ak2FP6zw z!sueflrLmkKjPJsnh|PJHRJ$zk-^YdlTRjFe5Dmd(o(e66^!#Z?4Vz#W*Gx${Ih2t z=m2^3txpMmL1HCCi+aXz0!9Rnlyl@V_VU0Ns?3UnNz3V|8@ipPt~9x9D8`IUVialE ztPpa`5r#>*on(|casNZkW3cBVK_;*iGvTDR!-rWx8iRUlg`OL2iFS@0q2FYe{B6^xoOUgN!@0637)PpQJuL_+|pU_p3J_PB#W^X!|LxTAX3O#2~158}cbd*lYX{ zftr`8&(LyOL-T{oSycxd&0~M%Cy(po$T)Id22v}_!>!wwt!T!*Kbin*aIanZUg0hl z9=qfjw50+dzAVihb@z0~(gvyThZ7`I%f|)$)-bqpq9tLcv4Jz%(RtVA!+V;;eq}hsqHXQLicAny)`l?eK8-Ab-;j z&J|7G*83$vNuH2j#CIPX*_(APsLIiR@KWN+xwa|=-Jr&VjVqGoys9lWfvhQAuW5ndkAh; z7z~yiXK>xpWFCUczBH%wp$rPD-qr`G7YUQ&sKfauu3sHZ{Ku$M`7^W9A)DNx4~tYG zLgeQL0om6GHdB)$=16gKs@7BMS%bn_!t^7KoSz^@jd9fJiYefRd+V4HX`b8;35Wv; z&W+&?SzJED-C1E_F{aS(4VuHLywi!ET%T@w#3v|QoH{2*EjN$8_G8KWNB1@Tw7@P& z)HK<*1bPtI+x$bK zN%>~@(!~!dy{^nYr@6?Kj|twNPk8OtjfQ1;0mHpDaVIYCqq&Tuh~;NQVE#MlWp);* z_j}^iH``tl3uV(DBbD`4W-A-OnuN7aMqk2U18aExGutsXF|uX!&OnCUxWHBS!kAnU z$RL=sYk53m)m&b2l}H-zvmQ1LJkz{g}rKJqo>ObZ8Ha~Jzdf5o=y-E zpT*>rW6tZD%!@WWSDG*!s!K}LOn(hQOX2e2pB`-%!5t***b9w@b?3Xx3QA1o$}>`4 zG{E~v|;_?{>Iory99tRd+URF0zEmHj!7Ii*l1`I@8d!mnDA3J@%dqkw2xCf+;% zeK}gLDiZAo-ogNXqtgK5p|+P&RO(<4#&9ulYbYh_jQFAGdaJ|K7aD?yxsWZ()W1s6 z5A}SX7`BVnB>c}TZzE*|eX!h|sT(kX(>@~Y;m27ol`ulXdoOy{Fh~91F>-0;>94BLpcDEH)l9*+l z1&EzS(KNRV=uktE$ZEIqD^uQ&&1BpDVq>;a7yHqwK_;%d3;i_feXEUMN za*m<9Dgl_h*8zBB#?~$IJ%dpwg0rd%L^T#Ke9p@)-=K{FU=>Z6c>L|NUk__UrM$wv zzhcH*Ss}rg`>IIuQacu)X?oSEKg2zGn>W^;Pvw}PyMcMfkwtS}YA6I{&g43ZLx=_G zB^%WbPYxvAN-c&d@!%s$iMzLJ0!Ht1LP9+fNgJI=vu@uiZ}=AHr4U(`iDNuL`ZIrY zZvQ8aMS`qE9k?8C6_v<1&@~oy)e9q^gB*K?Qg7U)U;m=GwAi(5c@gdSm~(fe#kZ?d zk#_jD+;+};Y~l!o9fRPq=js4|%CX6J9XNoI34uFxJ2pox(LLW2L1sYixdt1`?D>Mw zY~-C88VN<`+UvJW1vsW0@KbC>glvzA&ch+~_5sqrXiZu&NHyvEr@apixTO)}z1wVM zBjV+UO`)8vCzrfOa@2S%AI-c1f&t`0Q4T2ghyP|Z>(RZvK;PY){;hv}7L9j*M*0D6 zdKKVadEX`m4B=Sqrt0*m7!qHq__jJQX>lxg1=_JfxstT)F4+CSDbFO2&KwY&jNRPe zUXLsEoHxhZRjh;NMiW6hTBT_qx6BI>RLV?*1QdP z6Xvo@SBlRxIBneki2^M97prJaZi*Kf%3NL90`g27#dMi50V&G@!p4OAIUKv;N>i+lcYEAG^6XsUCX zch^apK&CbJA73Ua$I_3Hq@7>-Db97I9N%>Mcp(>CT|Zl@e6g`X8fP#1X(}w`E0$q*-){*|QJodT_F-jlkCv7aXq$b)OdqH8N2x>)*)Y`xb)5S!C0W#?O%j<6gg#08l zI}8GQE)Bs=4k$f86AV>dcY(schFj(1`EXUu4p5+z8LR7x(Y~-digz@jx8uGj7EV{R zi%&|(=MR8@7C6%s+lCk0_Hz8yB^vrxQ^6xM zp<`O|=Tlt2IlXS9A7<4u)s3`R;HwD=WOByB(=|c3~%=-gZ1NIud z0%uehVoB}@8dzGeqqk_^@{a(Gd)msXm01Ygc6ED6@$LPrRYNv zmJ=tZ?dL!joovnGU4|~pax5l=e#Oq z9JBh7Xyu`cU{cz^y?348Yj7<7=pcX6xxIM*SXp~a5Cl7r2YGgPCZDJu_~Ub%)tMF3 z)za?J^Xwe@xeUg>bG|$3OwqP5i>%G@vD2h8L=Qn@Jt6qce&#HaH#%Jp=6|oxwls{%F9{sfxMJ@k{jxp|}g9 zXi^>Cxzp(=DZh&}<8(j3b-u-jgo``Q+=a|xkru+hAes#`$7EH@-TP=RJkoqlQd6-0 zu|a>zx$6QBl7;QfeYPWM2B|hb$^|RQpf`A7J&DtoHB%o)=j)F#z*pq*HzJ5eu*1UO z2TCZ{PNV?}uTS+-k-Wh}gU~3bAUJMsi4k?AHQJ7|l(r7zwmg;%di<$3{$FCXO*{3* zQ(}763QLjaUX0+R1ec3RJ)@qQhi|`f0fxO^8;4I*OqbUYmE?++^;vr|m7(%JS0y3W z=;fE1#Z8};FvMmpQ3ocLJ_`-mjy@z2@0pKGuD5?$MnaI?2GPn+M<$O8f;Tqu`&~N# zh@OO^demGs0H2k;sgI;c6O3i29)rZFy)miQt{42p`MhjAPA6#&mS+@SJ#X(U=~djn z73t&nNMyLiuDEUb(#a8 z&$=N-t9$^txURC({CRJy8fKyAIk4nSiJX{t_^tAXqrHMRKH(|xs{KIDF~76n!6Q?< zH#{-+wVtFXSq5oPBTmTsZ7-JgDMoW1X@A{nS9oEx*%r+T(++4qz&|%}=sY>r>-a>x zVg9wx_8!do7H=jkmK{lpyH_9AJ(5%Q_l=+@cNn<+M~A@?2695WSk()AAI@AtS3~U7=Oi*@>&SKI z3X3PZQEd)!rpuc_4By98ZKAm6%veN9c5i2!UUYCtJlAhdFqI|0_SB5E1*xm8pXbC7 zru$OLE$rf_$k7vOq_`AM!cfOJ6r{|nJZBIR;WxS-u_(YPUFrtz9#R3METb3(1$kfF zdg82L{Z|@Sd4gaUS9vOwQbbTT!}M z7Ij5_Z-I!B%icBA?g=7@E#RzxEAiu=ks~*pZS?`kG=9Za3G2w1@&zc+F={G#^rQ}+ zzEdUl+(2~bAzI+gR^~f_TlH!(x|Lzv7O27=bNM~PU6mD_*xkE47>w`}WDnyp?ey;1ao^ClcOKloaOy8l_wTRkM(VMk z&hBvdme{8s8T;7SBjroSY3`(wKf0iuQ_=`moxFzCI{qc_dgA1-Spdi2$5N53)|kCq z4yn5^G?$j+cXaAV4^cLmZ0T9Q*nF;a48ifhba9NyoaKl#HJH3!x1_P$I-mNCd9C5d zO7X|na~sEL5|AiI-Z!>D{mE$@op_^1_4>KYb#V5;X-&#WI;J$9PiiTGQa@gowFt#= ziWwAKTi}VIqtlM@L%Yow1$sDbX^ya|$XC)XZMDDVG&p)ahG9YTqT_f=6YvEplK7ZX z<>rtopL>O!TJ>dIA1)9Y^8$wAkt>$-Un=x|m?oCLmIeZ2rHfyO0DB{OxO5g>jTrV~ zdz;R?!Ua5%nIP_HfLzJ0vX-K6X-%WcgloBUZxk>o@uBmh{fa2uzje$9U>ZvgyAySE z>41W@Xh!{6q+sKp3GF&ivbI{f{ofz_uR>h#hw$fc{@#OhQhNwZYc9wFq&@lkAzw3m{$LtE=0-q`ZX(nB_-_1fF4L~PX@MspbpuQVJBzN zZ)8om)s}ZID6Ye4(VViD`z0M~01rSG^=fTILfc-Os#5!!hv&X_FgV3-pudrt1PdC< zRLM~eFr%rII+j{@#)46{DgpEdyNgJRO*(|42cf0SufjO0GhrVKDz(0^$%~TGuG&rc zBZm)IQGC?_kchggxdK{GhGO|Np6elj4t^?c@cE$c94_ z9ChR4-VY&VOR)W3vc6Z&FEA(lym2`sw5?w-E!Ml-3!r(zKZ`T)PI6rO_|4b(1IaqH zWL9CyESqWt^C16XFq$+bJx8s>gnXwyt<8-EhpE1z%6hXB=@M~WklG@49&H#Q=e0GU zAE2$6#mG~Gm*~>0_0Rxom#i1zK>C|AN;jD=2;SbmdsHsAk#en^gFOA50Zr6sN4Bzb zYuslx1$oD~hL!m4$}q-z54=_;tz## z$OI}om_9|~3_=yv>M8{ewz%|{LCTT?8$uv?M~x&vyy}S7Pa`^tcC}h=gE)f3N($Tu z_VXCl^A6W;bprjT8V`r*fJ^Wj0w2K`mn79>pTiz%;XJeT2Hg)^*AUua^-#!=g8;pFzvHn&T=?dX}# zKBJSgRor_sg*Ix|R8+kDl5MH{8VIthW2+Q^;i0j*2btduLx?-}Yn}Hkyg#oaNC8%2 zPDG-rE&u2wRZ_Tpx~F4OpyF6)0RgJ#4rULwF~#`S@*8916#Y&X5lpl!r{7vbo%Pn; zU2SsD@!c?HC-kS8sCjv;S~|9dN?6B(<(1V)xkY&$ZjoIE5No>O%LYJSMLmnH_-x;j z3goyq6?PXWpUd+C{SKZKn7MyC9opm536U9k@JqbAeu+l{Tk>%>-0@lXf`w1PKrT=Q zx2b`XB#cd-Ers`V!5DxxyNN5S0snua$iFv=z)zB`)g9f8yrdv4U$I83UqVw~A}el=wrGmL)Vz8U&oF5#K|=%3fPD6z<~FVn zD7iyQ&Sb!df>O(o<=KNFY<>ymmmR_mat=EaMsDh=)j{J+aBn-|A*?pgqVGuJ5GfHf zn16aG!JN5r&D#?{ z{h8{qKMTzj{-<8eE62T>#%skpzv(Q4dznsJ7^G28jmvwozb%!F`ZmLGGb6r{|Ak5p zoyq~9(|TCn%mqm|?#SH)Uge9*LEUbv?2QiT1TxPVeS6g9Xe7R3rc$4x#tL-QNNS%m6lD}(J(rN~^7QUGyV9O` z#NgcSiJOmFdZGHB1a5A|cbzct0#l%M7ihn;(gX!+ytF_Mz=`O)mM`>CyQUGuA|_zK zfu9)-VO=QH3}eOj+ULL);smTmniK`s4a&?A-2AQs_(k~`zXZB?T>KlqJls}$*u5*% zFGhl?Bd8A+TJJR}>(^9e+4z$dbV881y9LRjj-o?OaxEOZ5;o+Ix39_ZlbCkD>Z*LX zCib23@89z?MD+b}ETg~pP!99EQ2JptWezZEK>MWXz%j8NfsUa^Tu#1XF6e~iYDzae z&kOU>W?=E$NM-I+O*kX2ttKI!@u4f4YKDdi^C_Yj`MmK%kEITQuZte;`apHtmYY}UiQA;l%DZwQS+^W7Hj4z6A>7BYGWV8g(5{D zyGDMkkdC%|X#b<|bH04x&D!CUWq8D)nT-1$GaX)MUD$Zp5VEo<6fKwKd2PVbwfy6C zJ1ScU&@oFxc^JKfm$B_iSRRnEGW;pgJr_JSm)ZI9EW>fW)t{*vy7;xqsP4mp{C!HG z4sr%HA-)qX6pujfEo5Ab5FM_$lC`(=qql*!W)0=-u`()IT6-{%{Kc_;e8r{?H!#)y zZRbF0*vv6XcJVps$~nhQi?d~$uXxvO8#L`EH;um%7DG|QtKiw3bYj5F&TNE5W8zLd z>&U@W4QjNR9b2eMA#M8Qr8c~6zPszeBgG|ghCO7;UrN`;UqB3}mkRWX|iC%7I8 zXPurE$dfl@G|4F?6y%2$uEGJ&$LNTZuzWwK8I_tgvgv0wh+PU2oA~H1GG0QE&EE~_ zjSde9lDW>XDmLbPqqq+qQpx)r;&6}6Z>(=oqSxGY?BpryF=eXlx7hp6el|K%2-sj8 za(HcnZcRTj{Y!x8)aM^ND@>pH4;*5L130EgK868`ua6YdQ8!+$jMxz2otHrNsdS>> zYAyu|Ozk}}O!I3=-RPcny&0t(;RRKQwyb{o0tfy#7Z5N**)7%^*Wkicd*b(-8*Hk< zjrd)sqIda2Awac(PM z9ERFMFW)ES-zladnnFTx>2<_`_iSa709ZyZxo9VCt@&XcJr>M#f&S-+WZH*3Q;#L*p9nBEpO zR96fBojrx$^kxFlWeb<|@yFNxz>}mwr@RLN+`%;&Kl~Ioo0Cku=k~B^N<=BsmRV$E zSo#+qrHN;XZk;9qblr~ygB5=iP0>Ug)hh~oQpw%Y-C4v~ZiUS~xS1t?SS^E{Kck$V zP<8O`s+RxK6$;xn?IS_!<|3^v4ggrM|q+wD;A#rYihbs!Vr^IRl5* zcYi>XyNQzzwxD1ci|fmxt#%9N>nrZLQ`q-ZJCZmc%CWK^<(G!cf26cfwB0_n+nb*Z zGgFR1e3js#Ad%{l9m*SPSFxOSA~HrO%Mb6~e*dbUxA?lM_nhms&1F9HPrP=W+RZhKR6s&5MJ`@Yqt~kYtJ@ z9H2(n6*M1h{ocmaxU$}d+YmftQX!s2`Z&LFJaSPlu4DM!WDf6SAACQmV=N0Cf-ps`TV6&oTfoS-b=yGg<-jMpAaMUf9QJe zsHXaDYxogSz(x~L>0LUg^b!$}4kArjBA_B&dM7FowvLX1{mEMqbOLu-7PSg}IFEQ({0k@c7cXAh1b)*yR%zyY_VCRF^o|qj z&s#R!U2yMBSSHinf>^RvA)fQK*Xi1?BP!pvg$D4KdBn>=z4VThWQP%saxb;U;Zn2w$-hY=d z|JB43;SiTs&~~x5m-=r5>AwogA?v>*%To6Jzs9>aA06bMhWx|LLW&rploDM(zk1!n z=5BBJYxR2(Uur^^{$De5jxU@8Hx7ObG?$c{pVpGBq5?tVZa*AZ*DM`#?#SgRIBh{# z>jHmHmqn7wXajw(x=-$RKFmh@*U;{CU8(pu@ro7lOi*Hym_~Z!m&eHJFTN!??(^HS z`%v834<@B$)2g!!B)0U0J1w^>vJEZx&uPQnJIm>PsVk~?u;GT64TEm~9i97kJwrO> z6WJ|9Zx3mK_lubsYH+1mrr)_hQd80tCkNSLL@zt@oD;Ezub*^RKKvGZ9c?~YxFu;X z9;W;6Tk%)D^qiO}d8-p-o2d)m6f zceRy43*l6JxnEaR^~)Z*R(D&@Cc<7X3cuDAf&z@j#kzvu!k3aVYZ3`^S)JY%C;=yV z*IJDo43TY&lXkBl53Gi~_)X!~`9pd_AOX_z4JO|s(gt*B)<*M`v0tpO`5r0iCFxwg zojHYgkXi?e8qlJJv!B) z!jOB3dbx8-2@n0QiOL)}EZ4XO32kSTEsE$ZHtCn9EC4Z% z-fH$dTq@oqf3_;dFU%Sx@@N}b3Obxy+Wp@*+drRXmdy@tCBJX@U%1HfnS_h38s?(> zOPF{w>h!Z*PZUV@+tlm-HJeyz-}Uu1ii?6hNA|2FU*TNf4!ehpZltzDKHr%}TCUtg z6e688=KofII3ia{L9FNHL4@NM{a5evz;#6wO_EWOe=L7!7>PI+%!fNUg~qIK1Am}M z{GL*0g%pj{{~a~p8~9cvVMptqs^YIxUqN1fYIX`wHrB-jvkh{Z50wjY!~CnMY4-=} z#ta?vq}=jjn*SJq-5Ev$Y68iCWF*VzR!ln+@%Nj~P^zl)2gt}crE{4nkn2L@{^bRm zRkLS=I(x8qv*(_I;avHbdnVdrw;KBoJ+$Fqwcp)%JQ2bYPt>$ zsw)ot6(>VGedy@Yd{aS0Gt~U(o%h0|TOBsTV9`#wJ;Pvh3nl^O4QuUBEX<=HJT25Z zdg-{ZUMg89r9P7OUGHK~5|tO#7{xQ1)Vz~_xzxl@A6?oouZuIU`XDUd5VC?4n~ z4?B^9%={U!4~oAo%ekwp*C^ydm0A|G_fwOMvW%kG*Fb9d7zG78mx8=B2v}?arbS-; z9iFvUj5UbSInC1JT$g(#9ltn;zdWgr>aGI&a-${H+b4=YW;Xil_YbZsrVK+!oVQ*x zRA4n8avZ%ogU-Ri|GZXxx63`Br0)&;=AFM z7OyP+W^X~I4Yh=14a-2dyjN;VcdI{`Es9r7lP)BXf(mNB0XWQ!kN~H6kLBAQ1(c4Y zjb)nJ>ua+2Ol4ok88kx!zxr9Z)aj%i+kbrPxPLZ8h<4gsG=~1n1bHLm-7cJO11>Lu zyovh4lXfm+$8zo(Rpklh;DV7`Cgo-n0K^%56aG(O;0S^3d5ks$a@@3v)^mLGoOn7j z%?Vr27;WzUk6O-yiwtyJvnosb7&`MGm!JReBlTtCOjmDfnw|)~SIg7Z-#FCtR?tyF zUtyomJN_f)5mEV*yISaLlPZQJ86=K&tJt5N=6*f5RWSvxe222w&}?xWtBavh4OJ8) z5=M&5yT%}vP9-7#n%Jd0+v;bLKbxjK8NaHz)mM_2wE_2`4w#W%m{q{lO>?Pn@JT4gyo!*x2m)G317G)6fwwNh(@Yc1hl+ai?9)9(c>fi zs!cO41sKeGNA9%J3IA&{rI&1>SrXIW-KP63s^2vhAi)-}gIT)UweQ-jndvp+hiM0} zN7HgY?;@@5V{t5RdcM=Pzc|(gZsQVKL0I(NmH9J-~tk^yZJY}xx1>)be zRK6ak8>`?A5dGbm;=Vg5T;pl!H_5)Ttj-o=kgMKnORaeCrsQH2wGu&`l!JKKcvR7X zijiKtr3bbMD3?T8I6{-Kt!`0oV5Ewss|gKCRXVzi@IeMi`{VXlw=0fzWtKh$9pO4- zq!;Lp6;ZW`LPCEh2W|S|e^%jL+WP8*VxO-aKOPx5t*9AkSXsJ?b6u(M%6fcc*0?+B z)Ae>UV2iW^BBnt-R)?qF`|N0hEZsso@r$J1K!E2oCq?(QHkb^X-*MGFDJNgyhWTpD z3ACJ!Vy8j>T<3rhZ=WxTM2NK=IWu*4$?L`Q~y>=e@RyDjMcn^y%@mD1Do4r$3D zWfk;E2DRR>f-&uRlS9^3$8hd7@}}XPrd07x{$^4oj)2ScRfKupbyq>hdUQXE@`)va ze?K-cbDu>--3i7gdZsfMwoA6kJrN_N_o2^1P@vJ+*gDfpX_!qdcsauN{G_UCp&0sh zuCC3T%VY;BJICS4iD0jKGmkk4i)h5U^jv3Fg|k=Gz20e28x4HGDn)hjJ%CjIKiZ4q z6Mi0-L07Jr6=V2oYW}jx(!cjMQ-5l4Tu%TS{$ZO^lAm@LZ{X-1Hm12OtV55-wii<@ zq?{Cp;I}i_m?KNJI0+7r25Lgvb|+xAJI$EdLXKy`7U&;nj|*UiPuzmkX70)#ZF%I!kU^|bh} zEFQ$+j)67vmHn{X_F{z2ic1)aMJoS-`{A+D01Daji0ZcbaNDlr|1{4~1N* z90cHmdFq`RfeKyzBbeMuA^~qwNG@gSv48V=@5JVXFa$0pss;V+toK(*N#i)4Y7HaGDvpP20OzOA{cJb8FAs2u18X8-LSXZ$({hTy>ODl?{yY%-~Pno|C;p)P&mWc?j=sYY|(z z7;tcUv0Kc@gZ-joK|~06UdZ;Az)5rl^VXrqO)?&UUED%&l@6CE;>DEH@Mz!RqLs&V z`z!mWzeazpDW&^dM!-Sazv{&4g; zkq{c_YgiJ5y1L)J)WE+wYKd39XTcS;E_LqTFzuIH0C+sG|7+?(r<|d5;CewWVH3&T z1%TXVh%4Cl(n!kOYIZueI)Y6$cS~)e-*|NHXOLoLgGZK=hF*72<&}y&c6Dl6|GepA zJb_eMTZAgTd2N}hF+rVAZ@NkGE)aYnm=MXC1aupfPm3-=b`bqN!y$nIKd0eIUHKpa+YZVF}Pbw*!xBvfn1l|AdJc1C-33=Ls0(kDD`+sM(hvY~Pew9SfPQ9Jd ziA!RPbmYxZ0RJ7OkTX&I8gd)j{v(rc)%I8g@f=S>OM2IJ;7 zkWkldkoKK^pNqAMX}h+oN9;?2-4BwkF}~us@EyFZd%h%xZKOw)ltPQ|jCxSow6$z} zeuc_F7M()C7hk5|HYn2d@03TD8%ezaFEp;M+?ympRn~J6(K^EI-Zm-`bpB2?Got^^R|b#xL`fFF+5| znZflZ*fiCX5E1Foyyga^i_BSZ^zK-0!2Cs_#UnReZ>7h9-W=DJFvzes712-_)}ORW zgwO8+huTxY9e(O)aLH`cb6BAcnzX0zZ-HVlX zV(Mj4Od853#Y$ydF7;xjEL;bT?gwCZXtx9L7H+>{qy~dc)J!6+` zlAb>4757(8zK0=6m%Aq&6J0^X?b4n}Q-YG5kIOm5(Nr)<<#6F$3#&&^<>#jlXGCe= z!~ynF70RzkYgEebRg5j(!rgV7={$kOki z-IH`b614J?K~k5G>5-&5^3lclX|EfGbs~6l8ToIW;z4l1#c`M@txNh5+NH=cGv!F*e)?Z@L*T;s>_bJU?&TntR*~5szuby^Z z&A{tf)z2ihw!hx?G+&5{c=AVx_N$97v}CQekW}Qpt8D~aY=;a``A=|P7$am?BCXxf zzu1j4j#%8+=%LZW{-m)9sYda`8;k6$m+pL2#`KNv)`Jy}J2$3@nH^0l5O9sr@%Gr$ zgOH*6UccMeL(h)nm6Im4S8M!rPHRmU{X%-IE;4F(@{dr~8AC9sG%zB4Jk)20|!EMeEI1E8-DXcq|i@VC*uLdvLd0aR!Lvt4& zFBtZP4pY5(5pGZOho>1z^MF$za_J!exBG(~7kzVFz=I~U^vmegF1-ZgK`CD-a*7Zw zyl+K1``+VXda+W(uS_^WVa$$t&Wc~uiZktzI#8Q@oIMX=!o7n*Z%&T(eTt~`N7A#~ z!J5P@_&y)Hj*mKMo&`Cf0QaUSN~PP zkjMwL<3BF{ZH+yFe@+HWKOtZ^$o{6AupM^luf(A?6f)J&%dFi0$~PIYHd3k^pa|aB z?DuEfTnhm?eMtVU?=%B)%=vgY2}yVrn%?Cgwsu}cTS~|?31x9BD9WED|9&zS@iu59 zobX_?_+$|3_3(PYa88dTlSYISBZpB`f*RM_^;!c$Gu1y4v9FmtvHS> z0xKSX$4c!+`7(I1OfCEONlOQw#?AyGtZYI~5ZYi$2;C(Pho306MRc8FP_}iGa7O7n z&3x#oZz?PFmjRFHiArZYFg~9;XfFxv*yHhR;FSoO?Xn}ARr&p{k5`DOsSGGIld@OS zjoG>N{^sUtGo%|Hu%D!#9B^E9*|V&EAxB>%lfR#waeeI``~w*W|CMLL@~A(FwkMNq zY`?xz$8BFG z1M~-}N3)=Cv#ZyS;|jBbhK&+J3@%4 zy?~2!1Ploec)K#+%MNB~xWLrwDDdK@ZDS)@>yeC-gIy8y6X*|Nfm)oaeTv>l$;8^z zq03$PWfW--fdbO!^R{w(u8YXF)3Dt#DevN1p%T!C7~^Jde);UC$i0U7=>x?M%}+<8 zNJ6pK?eHgo3|HdrL(7#2l_9ny zhKo_<(*|&%s$0~1V3*Du`a1-enr)j%z^Y)TdzYp=m*t18*|;g-!z{k!3$d^-@^9$a z3$d0b4L*N6FMZH&u(OSPcTp(qq>z|eYG3T}+fpy4$lLH)5h6ruv+H-^^J}5ZeYPxhSH*FGtEu2odq4%zQy;r4s5-tA8}>~<(=yyfC&qv3z2SSjp4{u3^TFeBtcjxz@O9cn?RuLI+J1X$E`B`1Pf zg0fd$B)EYuS)cJ53*Nv6^dOnD0%KP5CdU!hwu^?P-GU-HopG5@b<}hPhYUV_!*Q)I zVj{oyHQ|Nh7uz;H=68ThLCK4Sr}#t!ZZ`OdjQSM(U{M@ZfjnH_$Q z)h!eI&+AWrxKYYnan;A2{t;914Q21T))qbmAO&%9y5$oRTXM4f!c{&L@=X84=_^D@ zq^g9`#NDF|K90b&fKK~jlWzvB9}$#v{LP2Q)GO8RYGZ0$uxb!(i8_k2zA4>E1)=2^ zBc`%xhLF_NZ{lG;xb!sj)`BTvbxUM-vB88^IA#?$%4slOM78Y zN`JVn^Zx3Wxfh{-&%H~Nn#rC%{{c1ZjcsD$sUCI=R<%1?A0|c>Rp|{_2(jk-&sV9> z{iI-j;0v`m4+t@_;yC>6 z-ibjkiyaPd@Y~mzz_GJ=YN_##Las_IWl(f~P5lIzY*fdwWZW|1ko~39A7snqy_-;S zAAUaWaaPYaJ4)r-Fz=h?CR|Id&@k^G0Ej&cnsXQwDMNQJJTac!mg8S?(-FrUBBVM> zyLWZ@&-Vh_J1&6Yv;J1W#q8>>=5FQmTdS*?E)?}OF`0L{K8bg_)zIv5Adj)Ax4dA| z?YZ`AQTJDFeFg%%;LE1VU}3EL`OWcG{@~q{t<}(oh0J?B1`SP?n0BAwybYYD*X*9N zQ&`;%b!(46ZdKa8+g)FHxIRT6{4Twgv+&cRUetsNr7>#jPp!d|dXy<#wRm_EH@EuG zSmTb-e8BRGn|dN06U)>V0Vv0Y{Q$-0=bCtQlCSc{vJb~?<`5d&$#kd{xkrCij7Vg$lR`zv8l$t{An{$Zx{5vgvR~Jsv1SD zHlHk}V4k+tFSC~zK3?NO6kJX+y))-fC%dz1H8-u})q5AMw06#%d7#X7=b26u@w=K~ zH~)-*M66&?n@k6N8qF2zmQTpIM|~DFKpINHrGGg2Qb;guPJhtIk6^F)FoXIwNPF-~ z%y^Mw<;Au5lJ8BP$0)Pn)_OQ#Zi%ZOgknCGNLIY_KsxMpFTov26K-u(tKv?_#Bktp z5cv2Vw2mV4w|@z}1#O9+a`iyIz^E--*hQTlUF(ogFQ+t1OMH3bM&p)G>!Lm!UKu;S zmE7um8NBvSz(|A#O#ldr>;{bZ03KRcLLiH0d+%bpq@Gq95|r$N0q!?Jsmu z`kIG{XLrYqtSeR;9q$wi0+repX4vNnL2+71*8^C`ICVE+_vYgcY#Y^nyn6%|$*MD* z^W+gaCwNUy;V@SlJx zK>Kf?4OcG{_|NN4f5?%aijKB9q9|uS1>Zi35>sBHSJpeyAO7|yNc+VfL~&G1xaZ4L z{(8+n0}$VhCycHF4HGHi(+}I$>qKXY7!qRh%mG0=wB6$@wrAsX5EK6sBK@qtKRcrv zXZ=(PemP@bC@xOXV*tHy7lgN+f6u9Gs3uYC%Q#R#GhFrIALZJP@#L7-AxbF<*Gb|a zg-3d!G24RC4$tx1M7+3IkV{;}pF0*)MTE!*AbiO2GX5Xl4F>)CfrRbJQM5a&1O}ZE zkG}P1+G2Iz>+B!58KYDtTLEGX-{^Oq%L=U1%{fiz ze$SaMabNJBb8%j1VT_#!eXX7^Psx`8@~?7+&lITPwX%$1H5o@Hv&&(uPFZnEkJM7XQTisu>cdwC7N^SbBwfTNYSxw-@S@tI zruFlD&4rVp@$JoEH~khuWT{ifwK=oPLN?~nIJ@9oFKI3H;i=CbO?Tx={TLmT+fkH@ zDcRt63YMboHpnEs0}IcDFS{6ZcCDjHc!dYqA}i6QuC1bV-1n@cJLaj8tg6wN#BIJq zl~ooEra-sR06kIk32}CB<1&}sY<4Jnui410B$>Q5IUC=!_r=yKimLT0?K>5ITjket z*1NL1wF|Qao6PL^4pDf^)7KxDDxs!JgQc!(5{F8T&)>Z_sn$fWZt`T=Ej~yVw6Y5N z^Q>PFpmeZhFAu@lKX~T6@WHg7Cd0+4sf1XbVXLnb~w5p7+NoWhn z*c_lL$Lbf|z65w}xi~xZ*4-pGTTee%pi?1B^O!JH(#g|~<%Jcjo)mK%H8rpdTL>Ci zhCB&-u}ocUWEeV-Y;>t|G3l7b_0yPKyyV_XwZ|#Fz{{D~mUpjTF1UAg*6%z!>5nv` z&#$%>z-UP@;K}hrie8^K>hVI{F5xouXqrL2HrymtEcQx=$SNfS>2uZbbO|Souh!dk`Le_77 z^^=Zp$#ef<6igtmJbVmwbv`5<)4JPg---xKf>e>qFR<)J)xBRxx6=#Ai;Hou2Co?g zn=+`uS0Q82J9>{A%Vn6eNVK?!iY#$kC6O9%J}tG-`eJOCq#ra$ny{OmY@UE&2_;5V z9r!)?uVgE%ST~IA!_rUes-b@2fSu7($8aOmQ3nP4>^s&5&1Hm@kF!OkRSV{&GM%dX zvq@7>kh6tTT{)59u{_=Wg>mckcGIOGm{`hg(Nr+}#PFu&78S!n(azTwinm)PO^6w$ z$L7BneX31t^M8`JQtY)jwhB70ng{2%<)8S#4g%+_@y>?lTI8(`SoxpC@Q)39a*i{% z5mr`HMqRxpQx?4yZR;g(9`n*3+?fW02lPX8$c0*yhC-1T*6>gGPo?G-`ohhy)j3R{DwYhsl z4jt$?S0AH@yzGAh+WpJrV0i5INr|w88Z*PK)-HTx#*DE z9=i59`<8=dd#*bpL+wDnvLc`%1<4MCcG85#Ex?-Z^RS0TKBe(6F)zz6Z82WB;gLqB$&LH+ zgxv38ibbo|%Z6q_%_bmGGBfn2mSNfDM(GXmXX_mv6Kx~ev0eEO7LWFC)%0E(<662( z-Q9LLRpqHBJ7jE_Wc?6l&S)=l`w|0kg_0+??d;J@yChbG;|F3RU<| zy4ekkq~c1+cfu`+_I?Htlw9W#jSXDeK)f_t{_XS9STt6$pqXp@54!3}Sgf=f zg#Pv0hB$TrzK5TC{KLZ94XD`g*h_0Y_15f_qIExT+DZl zWPVu|T27~MFF7}?XL|Rro$PNv4$i|Sz-~aRdRv4I%7%(FSNtn$(T+iWoI{X?DOxZhg%#sFiVALqf zMP;6Uh<)F*1d?EcP|C-254#&ze<9`Pi@1StHvv1}!(?qZj+fO0q)`e0rPD|HEHeoq zV$t8V9lJr82<_k*fwt1fvrXF+e1B}}PzR@NHX*WH;*9rH;Eo7N6bK zM)d*M9iaoG_d1?S97$~VIls+4*|JvC2a&fbkyBBTjy%gL-lX)TX{ocq`$Q5^7$dxq z1TR39mC7wMi874DlN=z!BT7fL&G&^&0P?3luI_}Qkc=2KRUC;l!O3(APE5 z`k`^{nK5-%>-gvgf+S+4h?!OazWuO_>8z+cbdd7gc;QHSh1#ypy~c%$Z{2(81L+#BhWiOe>q5?s~5r+*ExfK07(m z5xui8HCwxK3DmJvI^U9>!({4zTlUIgs!q!4OBoysF55PAC45@}`V2kmF3uD;h&XPS zsEs#?&lFF>D=mi#7(X)nK+7&E>MUE2b%$n#tyXc^y@)A0PMv`RBcR$=yztC}!xs8K z^(QE9*>`Tm*DPK^5*h0Vp|d?k?Lt=Ewte4PtPV8gX1$*=AXl~59tvu3u6HvP${S5j8cVT9{!g|%F%Jl3| zDN;G7RQ3I5g_~zJoYnh$9&-kBBhm&F=*(LGf!iUsI#Ho{ELWiOLBmwOYm^NEz~f>V zai%YlytN0eZqn?Nlx>Zbsp5WLHCB_t-qZ|h0|%}oEoo8Z8;L3$B`X87%Aa0zw`H#G ztDn^vp3e_9j0cpEaHLzyO?!@@Si{0u@ds$D7`K*vbtcp8h@%BT)j^Yp+&Dq!jo^TL ziW=mtFEib;f8)QnKWF|A4Xgcoc>C(Pu%A{J*VNtrxc-#m_Y?9~vc(EE>mMM3t8=4r zVB<{$r6{e4?WJl(5zd7!h%)+iaCN>I$h8wo&km_`6s}_T7-GLtp9cH$#4a-K;$K(l*Mmu)oL` zLzBwFo*sSw@stV3!-|GW8U|`aEk5OL3`Kcs!{8t{KN(RtvF># zB`6WOT|XfjkaxOIEU|jOS*AtD}UBt5;2!1Mk1+j3|+N0-QB88_F)?*4-6L%-{ zl^j@S#Zu2BjkQ)v@N-BPamVof3oc8XeHc_sc|rFBeKVq#C*zt-2Vo z+^Go*xcOdS;3mVIe`&0@W?V&+UlsU|MDP98>K?j-JMt?J@#tT1Q&CpCa#2wjJr&3o zP2KiVtk(h!sU7oSP$KgcXf?B6vwbi^HGez*!2{zlj<6GXzp-(9{$Rp7!(wn9X~BFW z?0B(q1ygE-&(Shdi7jB*EIqpgTpo!dMV)>yT50ZOpj0yI$$gehQtmBL44ozdhMYS{ z;5C=Hn*eRm6t>yLDKl@v4d1msMwS+QNFq+KKQox;!?x@VO%xzT;jm+T@!Z>;aP2Yw~n}buxn8xc^S$>CxSsD)QFMRu35` zPow|N0$5@^nzpux1s}g{!Yfy6t>$a3rf6ZgZs>;pFcje1rb)YbIAY5rys7@=(m;W$ zDURK~C7RtiBMOK*YDn*3lXZ;0RV8H3IbdCC@>w7MJTI-jz2M_RUW+dCGKi`bD3Mq27?IeoT>+Le}v+et0 z@h05`ObtTb?|vDN-P!hq3wVLs8J*2(e7QQ4Io$uJMlKfbBi8zrbYnfhXO|$1ZL7xp zNgyOSoqEH!#pmqL;+aielDwdaY;2qN4}dzr0`HfB-!JY?l)DUixu^J$()XFz?0;$K zq?goW(kBtZtFL|94g4Q%{a-)6LHXiGfmzMF7X15wY#W?cHp!DDqkCqkTkf#%D3IDiKhFQ>A)euH|Xuy+W@(;8|MA z9p*rc;l(&i0GzGwH(#C#39dlMotpgEO_i`cS62ORE+VV+#1Gqq&bo^ba9+u*(Q8=C zj5iTv4?ay`_37-_T)+CglxY|Kz;{c=88|whVSeVwrxbNw~a&YbJw9(sG zT(m>r^Jo@(Fwlh;9|!68p16(3v$Y=NbNu1n7tiTk!7h2z?UvtZM}Tub?;!Z+h=TDy z5b&~^{P6+zE&>!b$H(mY-t?q7x;SEBm1}A3rsGcVnh>2u0Dqq%O0~(ox;uGpHeet8 znq-@d%W^-Y>Q_w~ZbXtO(7tNqP!Q+Sy&B{vP01!o-;$RNori4z-+snOfP^CyHjZ)`cJ&;WQQh!at-@3Yk@10UYLy8F{K zSdW}1wlAyL@2t(uxY&Uc@D;oGm`SK?^8~Wn=y+XESPkYE+W`A;>HYkq)vC3bRh6W5 zFIbl!ss{i+;1N^%o9u>lh3KrM>1wsJlY}=1zX49U^Z=bRy*ZffOlre9rqyaY7EK}x z(f~}z0;;#jod**WoL3clV}waxt)@=C4PwOdv)>?HLuF5$_wc3OpZ-#B<7$KlNaTv^ zaq8tgXcXjYOclLP8UUu`o3++!R-ijc{Oy>ze8eR7wq_&`{5+;+7S*Z0i-g4Ks6GZt zYw*&UrkCLjVm~6jqb1^Wjpa*_ZlMz7GUY-IKf!wJ&~Ilu`kNc}2d*Wn(3yWX7Cxj8 zssa6u>I=W}Oy+SdNn#bN$6=+%I@M`kX%2j`GGu81zZ~uUu-i`1uF>qU$=OAyk};Yv zpFNhFMz%0{b)u{anHF82^t#n=%T~=?c2)S2JKG`+PnsQsP0S7L2Ol7c1E77SDeK;V zJIuS}(_;}YWIziND`*^X)&-Z_fKIdZ56Bt(MtWYg?V7RA*&(B=hfUKKM5m!v)&0x{|2J3ADK#LeuY8K)YPuXJeTc=RRZb!2>Y8# z&1e9Tec`!my#jx4GA+CA`nj)T=1ZO&SKZU4H(j5>QzW}i>| zK|DWc;hh|-=c_HyJdtbe-L{A!2*82ctpOFP3OD8=%dv0u}kYGuDcLBH9Fm*I!8?f6HVBRUxfYl6b>Sh9YwnlpSG1N0xY&&mP)YL0K3EbMe z==W)`@~NM(gNU4*s4xs9TVTb!_ZNIL6g#|&0npcNL~Mqa+-rdRS=YJx&pW4w+7>=U z-EUx#*dNY2!TgOMAa_ZP8Fw6xw1WYQ2fuG_Q)~vkpL2m3-{>DJv~Yn1Z6SR|v+8$1 zH`GITzg)^-Rws6_@)rqT6Qe%jM#I>ve#Oej8SCyK(C;klyBTU*|J)&-p;c>b+dW_# zTv0rVdAfp!oU->N1qh_*8AT^`7C)T_$tLacOYJJRhe(D$)|QL(($#OXVib33Z%Z$B z7Oke5B1*mg3Og_;e5%>Hkm`VoE)m8+wc_F;(9-GG#4~O6-#Is7?(< z8JXd1oGmnx%)>bVa%lq4E}oD%JayF(KG^oL?@1XtK-d_X1Jp}>FFAMYjTeZTlGkFa zMvS1rHpp9Nzt&Up(@yrK_9z$T8;Z$W!+`f4`0;LOl%Zu-+aJc+-XqVQLU+B!>@=^L z#d518#1T&y!a#W0lR@IW^X&~ISgdTgk2CQVvYY9>bw-6{yI0#DWM-Q^j^y>-Q}C)% ztsg=?&7NJ(jN2_`zo=YeN}F+Ux5*?YLo!3|G`xkCnCU&pTj5xJB)E6tp@Tk%G^5i< zZjmV{xsytNa5&&=w>vpiZx%#|tRWH}F5cXVUD*vXqOkDlH+#83YSxih7m1eIc5r<% z7^cyIvk+R0xjMHbW06y(!`62DR+n|>uby`f#l0_AUEzxTTa5{f=B|tb191)BC|dx} zxv()4I@KQ(XQ!Q@o@5!R|*?!r0t4}uzqW66)%+29#tU}QB_gU$zh4*xX`_<&uh z|6v;R{T8!qk1z6k7BtaE0>Ok*iT#A6J*#}X)YIFXOV+(($e_%ReG;`a2SxE_%~FD> za{twqh}R7R-$ZuPa~V799?C{Yfswds|B$aZzkdo5aU!CK>aLu0b zQ$NP+@CiA{iT8i?&Nx(l>`|J-AKnKRekEBHQZy_%8x2>)*E}|!sAtTT?r+_V@`Kkd zso2hiQ(I2z>SJZf&^v z*_eZ~A7B)EZ|TKjgU7Z>8(eFux6B_pbC(I`1Rx@${OUoT{7aj;K7|8XTR; z^cb=>s+_g%wb~_8E7dZJn7>Ln8gqfipCC0Bd621ol*s{@Bjv&7B3DI?G|0otC=pH}Ku^*xE%8?9ci<7Ua zLz64)?SEm)bljHrbCT;lk_Gsmp3>{<`PP#9fQr7C3!7;id_2|pm(@8jY>Km_8704M zFSSw6KSI6dK=7~Osk+|o;&je>5?)gDJ7ny7YpLHd#0nEpfruKU|qG;yP8^&yq;B__)u&)Q2FrDKa0eJ(=?us5|Q&8=wPu7w+O(g_|9wA;BC<$4)o-+i(4Cd3}` zf1Xqb7A}dsH{7phbUrf?L3wnp@a8(Hl>G1w+rervcYSd5-Gnqgk-g?jTP}DU`5-Y! z&t(D=)b-J`cGAJ4z}B?w)a85Da#xr%fOT1dAi1S(@BW78@JHewJz7m?JO1KwQ;s9$ z_A%PXHNkZOQvtu|R9WlK5JL{4kna)N zz$=w3O0sF8xr%Xf*1;A%5wgPt_(a(DJn&9fHEwv9X5XwDzG|lOz#Sl%kitiCMU4MdRWKI6ai)DYj`unL zn4_g_Hc=!iuV*_MmBrbt{5{jY2QX94FTBDqc!PXWp_lZn6WHuMi<@rM0PTSTM&V+~ zxV!$tA-(Dx73*5RT+y@o40aXL4goLlYW-0@N)Merd6|vhFx_@TG(?aOx>YOK$>lVS z2RsV~AkGKNHmB`lE7qE}S4JO0srpHw_LA%WCYrZuAYbVY7V++RyZ#r2pE>HNeb+j! z5xtTJvzdanpfjCg?dYAlkL71*vt2td^c-EPvRgtyQF!^!ryyQ3Hjfy;zku5xx)^nc zv^KxFugQMvxD5$8=Y$2nveP>yMxe*yetya8uj&iK<1d;AN7nZv-i@9Gxaot%z8>`A z7oGVTHdEE0iSI0R9_`{|(94$hTsDEKI705LPJ7 zPxS&%M^m_t&#+y9pW1nnv*Tx-Dg4)9`uw24@GE1t*~wYqff!YG>mdaNk)8Y6=!HMM zjHJXs1wXHTgs}jd)JAwIVVW*VZ03EMdLf~9Kwl};Z;d`BTH>fS+(w+QU}e?qZCH8W z5ux*H%k!I`95}nia$Y?o20otUX!^a~^8@{?uugpHIV@wn*6*WgBke#UJ{QH6ZSz|_ z?7dZU+UWq$I~tSU4cz7`WRqI!RX^M0K1957W6<8_x(=t58t8u&RL;bTEn~Jgr#YCF zzp^joszQ4B{P;>bK4~74Gz+MD&*o+v;QV#ffN7J+Z5ElnDWGfa6R-9Ag|mxZ#_Moq zh3Wb^YbN~pw(B^{8)?dS@s%``Iz~4_=6Q;HD3GE|UNwuRph9s0><9h{w2g{P?xvT`a}7h_>fdRu9a^+N5iHZ0fG2k zA5FFV_TYwvH%FtOqClP&t=-~6$mVLtT-3yB;1))`OeG9!Lc&!^yohL-jyid(@nwA^ zd(62>XEc8M@+w!t_J>cYK8UO!r_KE25~iOPIPINCA(9px@U`!BLSKd6V0Uy-*x9IG zg^!8k?NpeU+ile5ig@(Sl}3W|J(ogn3UGY5embz`$rLrE$DAzY`@q+};|cwJ(C15j z+NT&Z|6<;W3oW6gpp!{NJq(W_aKD!Rb!#G^yAA});#8z(u_B4im8JjcDu!GSdduum z-4yfSMBaX4+qP6hewJ6Uxd0OyY(&DwceWq|iG0vDJeVI*!UeW0_gH+;C+~M*vWh>a z$8);tk&LYL70mDBz8mRpdyI3{N7IkdgbT`NuN6fTjYP*pNU)YJ1Rr_`hhU z!b`==J#msHR~Z{+x=_j!uN*t$0>_kGH>p+!NRTbE0}T$y0PYx3=rbwKnRhY&vS;wP z^LmF6f?eIV)YVep{9^xywfBr_vfb831yN9>OOaj#RJus73K$Uq6%nLGi1a4CCWs)R zBLdR96e)%liu5kML+H{==#bC?oCnu>x4vtw{q1x1`Nqf(Mts2W%=@0#Y}cIANJT)~ z)rPg7$!X|<$6~%=^C7_Kxcr_2KtQ_Mm7CSw)wR4Ye<*0(ap)TB=-t$P_F)q5-ON_vC_0t>`U6{ona!O>sq0somRWr^Co#p2F9hbE&(Lk4r3Bun zl=4(93CaBesHil$xxd0)An!&)9y18!-H2nFng7dO{PoW*pm&=RCsN(|o+cl`o^EyU zpR>0Pvl^9(=)o!T$=Y{K46w6zgiJyUJ+Bk0Q7Yok3Wo7HxYbO6VQ#!)>ay+OjBL}7^(aCnhdhdK*%1nb!$O1((bS8+2LFr? zg}3K&wX1enM^aVQxp&{=t-er=ZR9Z1&b4xx1oKTD=W7ge-dPG=j~ z5;6GQyc+X~>Y2e&U^0SGrh(DDxi##}K6%MhZ8xwvrk`ZJs{aMp|1ui@!%w9MxG-=o zk4=wvGU%vI)@w3*buv_wMDwX$)!Ui*J0nr+*qXBI>vAV+!czM<;(V_&(;zVA^H(;9 z3#Ue=$xiM$FSPD`L%*176gaa))b=I8j$%tlDL!PsF5NfqKzS!(c|L7MZpPczA_scJ z$AO%B6no*-hQZk&K8sdo+4kJoe2xL5@t!bHb$=V=A|c704bzPZ-O(c(kFl@Z65EKk z69#>T_)K>e^_`oeoJS`2>4pYai31%!Q*9-=tv<7?{rP@QNyiw8Tsz+MD)>g5WGiJ= zYaN&MV4OzRCi=+s;92V7v)G|Em#QyLS1GpYoYG0e3W~dB5swlY-vFzD)m-zchvSSD z^iaskNuX06JLz(%VKliaZXk5rHae7Oqg>PQq~ZMqc00Ryo*{hBsJ%FW5sP&=vu6sE z%Ua*UlTRBL5mT-}?_1WAPmVLuO`qEQqQ^OoKMLCx=7HYsg5sWPR;Hl5Lx805G4uuu z$my*I8dSIDzJpJ~S)f+jhZI%hO;FQ zSYV+s7i;Nixl%fjYsP*kk^_1)Ws{ZQoQbp^Z%NubdvpKQesLiXVN-4qO>0j~?Rb=J z;=QP2h`94JzwpQcGpu9IYTtdCr_%%=Wu7^Cc0|Z&mr2zkUzsL#hrQPSZa{ZOUH_zK zbDa%gwl}^Bp^9ba{%MGtXQ-tEwLOmtz52pymqShks1zb3vaHuYan6`@5=}l5a41ZA z>8L$RmB-4EEKkww^elp>)Xym+9EH}mkI}wVL z3nNC4t|1&yZIvZLM6?z2H2{-@g5k;csl$+yEFg9^9p^F@qCmaIXD}Bv8i%_);u5a<^L?;omQKHVk+*|Pfxx*p61SV)=T$EAMm4W@zTe@ z5&%m!Q8b>LslFq;>66=H%oORmIKp}f(WqxnIg*&gXAu<5I2pXY3aT}21cj=`6ea8B zK$+Q$^G6S57#4;$?@;*cO0Oz(uA@QMYO#H9kB4(-*rYW+?vqaDIBl03j%vB9zh<^a zt%#8n(N3R<b$aNN;*u1VFu5qt{6?f~TG03_9SM9+Z(>SS^QaG0nnG z*VVXT_k>PAz)1A39Ofs45P@{)UNx>}v;VI8cy-A7Ptfsas?f3xH``SF)WxqgZtdT! z^9DGRxzpAtbbBlb4;%vK|4AyNcH`bNAn@K=^&(a4p#ecuSdDg0)jm|(v+%qnJCa`S zNk7|2mE>r!w2tD`IXc$Pb^l_&xKkZ{oXCpLOwFslcjsHhz4;UNvM|_hpOOGy<0=sB z7SG={o-PdijpXM(=NQM&OWN42?Brvhuf&$&Krl?;@nF_M2Sdn;gJCPJ_#vaDY*Un+ z15wqNepv{=(T^lX6eZ~JvBSZOokle7@U^=1 zXzIw=_A|YO=tOnuOCHV9l=>0A?^LNpTN)_%3a)D}P!LVL8NJGjqYiQt)uN|O#$6U# zqZid@5yrU(ft+$W zi{ys`4|+M|rV~o{??#qAyL9`!+rk1~H+Y)bwl&kZj<&5qE_Rs~I1}@JyyLHWEz!c$ zzs)Wa>?y>m`7+)#se=16m*%Z>{L$=b(CGX1v5Y_nl|vfkm^|XD=tzQtj)MJ@TT?*w zCGmo|v|)dd@!Ssvsz6ISQb9gbBTaTA0YfeAjeR3NT%DU)3e`%~#HEN5#h(BkPgc(=eCAL}BZ2Co)3~{RE z{VpqJ<&bGBqf4lDZN=4Kg`r>cSK3heIK4WOUX$bNHSw=s00?Wz%S|n}bG(cH%;ovj zFQTD=zS(tsNecuIsPWB}T49U60Rz>N)c9Y?itt+%OR;kn+}OLE+=?t?hY2q-AWt+3 zKCz@%>oBC@_QWK&FEU6wmaG?VPXw&N)$Gf(oTSjh2+9il9Ycjjj`Q!z3Au<5!h?lH z1j69pyf5Olp*3@mU^nrlfmY#z&^TpJz?nz~JgU<{Xpxv{G^oQ@20Cia3=VxZ zqX6OG^Hk0v3vWhzl7T2577oEPb~Ir|KSCuIqLXOA`LTs-%Nz$hvXc2EQaj`kqWi|d zDG_pfT3`LW{PNdStm&n>J7acBqAZ=i9ZW?f>R(IQi zs5u9(IP`&*mn1GwCK~nHhtsmGD@^0s!EO^@%-}LLM6d(1>h>PSn$B>A!zdM@t%%T= zJC>=)v~;;*FcVJ6HNNbZ2c$qSs}Mo|{zhtCu)GAmL4?mK8G#uQuv+wjA8PjIgA_(X zBgzalbJmR&x)(V+cG5Qdl4+kfoW8DU-C6j-o*^ofR7wG4d+DSwE#BA(sah_|aUPjy zf6u2gxQ(-w$bW^=z`32V<2wOBoO04Gz;vI-o}Q7zF2<~aT>O#5Z4&-x zvfN%)`9k$EQZAiTorEj;)8bpmn0KTS%T7LM; ziWo>($?`lX7b&C_mz;oNb%SAug+p*(--S5lntr1@yo}V=5#TU` zu|i-sIEqRNvk;VQ<7d^!=4OT4iLcidW2$`)?n)P+cC0`cb$rGJ!V$v?Fhys#YgYao z;I)`6M~zC>pLn20tWR~%B|kQMqc6@+9w-bn3J|#t&CnPO0fe+GRQuHj5s5H|)P_li z$!KPT`*bF^S4__KdW9j6lr#JYbXqu<`B5oHfwwC2CPC8HTvS-)Vuzxlkv-Me1iPABc#*{|Z z&AgmRuY*f}`2Jh9eszO8uXfHIwUOz!5nZy!YtFOViC@1x$G)5dM)F|$I}oU0U8j;E zEnQ@u>aB}^OKn($$ur^EiiP1az>O#Gxe4Hp<_i;+FE0g1=8ipH zBe{Fp6874%H{d%|(YV0+68p5d{wkf(J90wgIP%4zEKSnIFIj1cSfvT+%c5@lT`F)s z(Suxk1D4HSBq0)t7#-PrUuQmZ3|prJX6uXduyxktZDi}q#}zV~Hz z)`q4~%O2ybjhB^o9+Nz=HJyrNq<{SO?VG`D!hM5q*OODUnzuSu~-6+E3&ZXL3 zeMNBg@hgLOeDXp4_p`b2l7I{vD?@#(ttr!DVxe;Uk!_Pz|N92FB6h(FpmVY-*|SmJ zV>v20A~3zB(n+WHrLOzui7#y@nN?Y8%Gx3~{E7b5o4PY1e2os%ww^t&VeI5tildgA z_y!$7X;d@b>^%{A2&tFw2$Escff8Kk;;Ql9ahcMpUdW$8qd?~f910X zEJEs%PxrF)WftXYS%0#<^=VRXZ++|E#6el{L~^t*&DR5SOkac zy^Znb`9>v5B)WVrOE%%o!c#DMr2HODMX%lMGM54RpI(J9PvfOYBe2IqxNVYxtd6?5 zfhRpDLH37&0?%TdTMUYH9Kl1T>Fmi@97B+WjMs4XEG%4XTrf9S^D|h>Dvum%dlB9_YP?dDc}^SGp?=xA9I<8nev&$wMmwM z-v;XF@|uh(ysmRew;BX^$I`{BwhrBKXJ5t5u}7GX)9WMCEn|7YBE^SG{mFqJCelw2 z!p>RHB&?bu`xfdMcPF5=J9IzTcYDmbG8v{b2f14YNb$jk6fM(d(qoG|re%}TUF+&1 z>;c`1Gd+h&Oz#~(;i*o zgl_=;ue>B5OWfew4vIU!@Ae-M__r@p!v85l>C*D^Zl#O+r;R2Fg|JI|KxJ2)c|8|V zQz~k`h;WUxmY^dfIch)i*-jAM?Hr7bDY$myZj(-lnIWHUX+nWvh)HYk4a;fhzW$g- z#>e}0xxP=9e}iYrOQ2ymjKhrZD1*an<_ep|%+&zysNMJ&xX;aoBo_@Zc2*^z!`GIX zPzG`Z_8nM%srNOx{0YjORJS>u8XPFC!ws8#5FoISa}P0bNGG><&}NXoc3s2repnbb zAD5?mB+ZP~Bvy{U6PVge5mwW(aD>k_%~*Hqvr%sv)gx3dH`n`GVBJn(VZA|VV3#%& zS22&CoYkAs;%(M=(n2|WNkXkqQ|7BGKqc{pC>NlS(Nck@i{+97=d|Q3Y(sRw=-vR)#QM2R#)T+?n z*=9t&EMQZBl?c?(y*^&Aj81fJSH=h?lH+XxEhL5`dLGr)JMEUDdrQgIrK2WD&C~Bi z08Kinv}HASD9B-Sp?a-|=UWj(ip5y&WG`aUZb=_I7bcgHgYFP0O8|P=^mHeb-&M%J zN4t$KVCN&$$B$V&Uw6f++VbQT0HC-oTH2u|HJ@pGJZ@DMQN4dk=)6EJV+{<{$Ti*F zbeTe~yG#r%CRIjNZ>?$6gf?ioow?7co|Bx`KhT0pz_1%8z=qDTVLgZw+OsoU^vrWN zgAN!TSZJ)J-TW|w-gwV05q8v|?IG{?1x2aO= zcldh)5WR=kwqNfqJY;c(ask?+chJYqzCuB!%fEO%SypmqU?j%vsOiBVx18i6#ezU^ zOLHA_Jq?Rp#&z|>!e_9fb`EK}IrZF_k^^F5D~D&Kjyqb?T?>Z})0g*^r(U!{%p7=w zYiQI+R|W|Mz0*Rnl@P=pqlMdy+5Lq(9S;w8wVOJ2&3JW@sJB9yN>6#r=61PmVQPu0nN zftM_Qy?3MnE0OEM(<}PF0qlwSFVzcrS2i4Hi4p=x^HOV7l_5-0EjAS^NAB|#K=Tfn z>_M;dm=hU;=-SAOW}DGk+~^c^6MB4l%4R9#W}jDO7C z5p6VXQ|u%JtLR>+{#LXh<31*;YimyHQk$LB_CddLT(cUH50b>~757ly-dsxdDm+|_ zAED88eCBaHeJ0wX!dKyYG8ZcQRfnai&WBWD; zFsTc*))Fwj_FGw4$<6NJJ5g`dIJQ#2>eVS@Lu6_3ZHZEq2$TH*thmvZMDt9Sj@ol; z?h~KT^&q-EiiPX70d}$o@%fR$VjZ%=LgV0G&{nuXshjMmVTZKCycYi^SG^i+FN%x_ zU9aVKT|?HwI9J?a5-IsCZMBNnfY*Td%g{sZgcj}g(3+dm7hn>0Bp$%pa~ZKGb&KzA zf7|)$v}*(#uK$qlYiFa9d_d%IsL%xN$y3^GSI@;wsX}K{G^A(3$1P-vnrYc;0DH`^ zKuEY4Fw}s+LRv%D)6c%n&Hbv};{pB&oJ#~{;rrJ`_|pRY4T*s|KP3Pz#q&Vje>Y?V zD0K+zTR3RloE=R+^JLX5zWCmrK>CcieOTKAdW;?4wA!C^E_LXZOxM1@f#cWL(5wQe z+KmRV)LIeSDQULb_y)x$U28c8(PMrLdC7apo=0D;r|fi(0i@9LinT7<_EYxisoozI zYE6py0o|W)s^mj`)9;r9#(6rYL`-MyTezyroEGpE$d7*!*q=iqY70e1Udd^G@i-Zx z4YI6vPQ-|n3e+;1kxhA(Mc_r>z0;XjSq$K@=1y*9KM?&@_OoQ0R~k~ppN+wHmh1{gVm@P7_bSL2 zo(7T1&8A22)dcqqn5xG0?3RC*?0cWH%kN5|z|e<}{NcI%E}O(KI!N?MM@s<}YNrvd z;?VvoZdx_)H6^i^w@MI;-IhY6uBA~Dcgv1#}5(zSB8ocWevpediV%eq7vWVtk7 z#+^tIt>u|6IRW$#mWIilHf=b~PS|(w#gkvhvz>Gr0k~=F`eZ|s`(q;pp4-M!E54BR zI<@1h3XU+@;SH~!Y?WU?TIUpa%vzWPmY{NJ>bRqONO-T_#$(M|pcKX4q#zOtF< zGF{A9HZ?^9q@FzXlJ~izd*sd) zWU@%qw`t9xfKM-%WV&-53wfVPdV7n+kIY{3)$!(JSnIg5t2d#IxkSmz6S`v-%*QSR z1$IOklcp+hS08nX~EYDx`06BVJM@yjKGG8u62ddEBq;${Yl$aN7;Hw zo5EQA;o?@;SECf{q3b;RB2FOaN)r~hdlI@_iYJZXh z@Gea@eRwZ;*_4R+llaq;{^(Lv0K}JxR#Fk_`BP}Yu7Iufhr^UAED#h_ZM5X>*wh3T z1+cQkUk6v-boPlw5{DFB=#xIxL%mi3i!>UlkEDEVQl+M7N4@h^ zx?M`+pXiAHK?u5H?i8@{Lpvq>;!lcMd-FUTD!rAEq98bf~ zFvtwt-Xk8SkgN^RRhu7jOV4K^l@Yk6XD};bOl4R0yOHj*=;zZouf_6TBW~jSfiys> zGF91)jlTu>f10J=vQU+OZE?t3!H5@Ty}#}PPxM^9u|hNks*;?D(lYp4lu3E_ujrY{ zvlq{~!7i~?0S%PUb;~xQQL-MJhNcP5kK<_ZHht$p?P}F9p6+01zEefENBBE2_dPRR ztG3#~;@e`Vw?3GvB7KCthSH=z1&7r_ZN53+z?n+=eV#Ktcf$=lPtAc@1n4)pGSo~w zj*f5m1^}1)!t?Ck9%qWlxyvnASF=Zq&x~U&SJESbxGDl0$U7G#i99+DJ2-(stB3VU z&q>#2`1;Z`t~G~GWd$Dgg@e)FOBv^8PG@B$;v$RvyxuLN0I>|*x5sE!t~5QAGRP`K zB#iI*cYa6I9hf<6F_(rfd-Z}-XcOKw9hzHPUtBaPtzt$pM`IkvSY;)8WuHLsTBO;x zqO|yY%Nbv5!a}Gtf7~GgJCfWuH9(}H=A~Y z?X`cXwqpC~v~|_B%#i$?^NUmf&Z75=vsCD#{}(40qV((JfF|0Ljp-F~kJS}ZE6k7< z@`IFPf$s5ME~u{ZIO#ZV*N*#T-aD86+gZA`6aonEG7J$PY;*MLUpZ8EfGk+NykQ{l80uy zE)-e&3Si*zt?rUaEG3pXZU2~L{kgEL_{aDUi;#B?UY$X<>#KHzMgpud9ok94FvLmI*aqbelG_icmBh44(9iy9#@W}y*APr+tr`slO^t`^f0Ey z1b#3$+~$yz+Eyc$}Enwf1dpE4lBc{v0BBrr5(X{`A z>+_eYz3};!odY_g75uIhs)|mx`&~OMB)V^aw>hUSiwqH4HzO|9txNL68OFno?7+H! zyDZ8CIi7*DjLMuXo1S~afqmNeQ*3Y+^Dyb17=63Z=F&rxc$$&>aDnu;M)Rj1XSuip zst!J_7mmPI=*C2Wo%R5Q^1LOi6!VfP=o>ITz0i8q!@#OgY5f@jr$z758PlNU{h~ht zXrgbS&mGMd(-&|m`Sb1#Uc)* zfexBh3}RuIJFTPYQ?)C22Ilh$Rt_VbA>%T-o2lNBAxGb)4z$9l^V;8~IaAplx|?-c zF4x(T?=8W<@TO;PTLWf)zEaGtP^q`LhU*Hkc}~I8*#bK2&}Mt(UgB%k@})bCGz_>M zRm-_fVqR+lJ9BD~P{D}gg_nnsV6;h|gpMz8cEG&5+j8z*ZJ|PGP6MC7&iz{S#eULq z*rK6}4Y*(!a^K5w@Ae7Y8~uyobmf=PyJr|QL;u$a{r891t4NUfx#ttNV%^2}f06Gg zLK5B)9$Eu!$iKR9)SOkk z$Hq(N{lt^J#E6rRhK+usr-aN#z=+%LiO@y!(j{h3ZW%+vYRhlM-q78yGSLoRJ}U1` zWHk5@_1^rIdK=*XLe@`v+5WSKSX?zD-GoeP_7S*aq9*G!;Gp%*nQ3w{6e}gzJh)w| zl(qcl8$G>9kZ@dF3BR#CQt+N6181Z zbOTxSP4LANX)hai?dxCFsmm@&}t7V!ts?pAtqeU6dpA=9Fk*71cpt|{2?WbI^n^nh2 z>s9C^QKKdzxg2L%U7HHybzScDYG4I;TWQCoB~-W6#?!sy#c^9}U@mcq5TpgQR@`IK z!FNoHhAu1&rzr)csXG2?%+0O>HI}L#nHF1EJ;i%q?UcW)XBzH7k2H==T*cp2sbu+0 z7)j~Y$1kl9**!-49>d9?Mqe}3VZi)2ZT4;r8wB#s=iwkStiRD$O@2@E5c3LuWzvOR zn^hndfaHqIri(AE^=a}w)^obxa?_9BI+P|{c5}(W4IKZOkMDfzlsxDOjv(0nQSx~I zNRK-qsLuK#?`KlJqB`O}|qxLtv_st$m*zp zvzq|guFV*5Y+6zEgibkPF6$VvF}EeKnU~z`Q>mjL9DxpAxNW%pAQCP!7quw64Y3VB zFKJtsjgEz)JtL78Lpf$rh27lAFbf9j=i>IIo7Q5ZIbOOMc^xVOwMHX)Et zEMY@L0lfiw;tCiHaVit70Onfz`|MlQ2yZ@dDaZ}^WX~A3EH3$gJZezw%l=~ zZc0AJ>&Px1rTqK_@)#E+kcW}Z2QrS?UP6Yc7D(t^u%c+qIE(JvW9JGP2RGjEHTw&FxBZ4&s%CGQCaI(Qx>BQL@)hkw2xCJT z+uLLnt2#y=0+mn{YC&?AQsZztO2(-)9Y4tj@F553z0aD-R4qaboBl`PzSaS;0vNcn zAqZ+_cHNr6c1vxJRhT9lR&JJdM3()~e)cDj8lT@iPJhA!O?QHPf5*3h%Ryj*WFi~N z31Gi@XVB8kYAZUGH|jhxP+YTaKch6~0w{WkI}6ur+;EwV^a1Rsf(e36NkC<*=W3(E zS-|UIHLhAsy<;(;EiJW{9s&zz7JG&H^-I>M zL1G_C01EZZrg|3Wl-4!JcUkeAQd-m}Tdkz2L*K8fi+y}4IZCB|xLf0xu^kDvbEMjJ zod*f%CxInm=K5=ZIBAOK=j7^N)7lPtzxcg=_&fV6`KQkNJkcEe*cW6m&I z$Noy?W|EY(-wnqLLy^c~ZPhvKsSM(tKk5u&EB`iLID?B0}|T9)UZ?ett0HT&h0%_ zjt3vr->ZJ*b67^Q9Bm;U?^fQq;vA@utf#3`Q*PliFH|BP-c<4wFV#(lA5V#eLOj?B za=}O3-?O)m@a7SvBR+ZJj-_mvI{5TprC(<|6;W+wuzjN#wqTlfkmJ0R^Cf*qTBuM1 zW+eg&%5MIAphG3w{|pZiLbYYHFZzqi<1Y{3vw|SU|7>3eZs7x6OOZ~H^F$1Ts8tN# z%6z2)>FOKd9_igkWZmDTMI{gPGK~pLHuY4h^{H{xt3Pj61U(-2&-E1vIgARZ7eIfoB9Cl%`SV%wR8!_z@`>A5oR^!Q zrG;fT|A(Qpy!JKs;H34;&v=^$zK_yE`I`rs=Q(u6ZtvvzcX&#G7v88rjXtR~FtSg* zw9$?Ex|4;kwURX9UmxWYA#iV``2GR`xuWD=2J0Pu_paNbHGxVhjH7+}6X%w3TAK@4@g_ z2iSJ1@_Iq={~Yo@$t7wsZ5vok41xa1dk{3Ic)Jm%DmLlJcwed)VF;^ddaq6(p*nH% zK*fLWLtl9^d%yBU@ResgUUuQXrbu$gy${*3G&nR)f2k;mD}f!MI07>yT6QuxW%Kt| zgG@QAUV5&@4xlQ5O$h%wL~`qSL#${HFhsIZ{C_n>GV#vOuH|jk zpO|Ow&4BDiiYQSNoC{em^gqXw01b*9pnrF`h+%2|Fr0N?lvt(SJAW~yxpD1zqN`?! zg!vQS;>UcY2g^G)KK#G2L1{nW0jvxbF}pqsg!4hKI1|C{?XkD!|e z?YPeB0i_8RWK(pt3woiu6&OhurkeiY*F?G&e{OarNq*~Vx{HoJtPw&zi{=vD)UPS5 z9C~9~qv1hwT275s@rq*4C7#Z5$l>MTI)hlFm$Je>>K;D|{4Qjv1zY5t@9XNT(GJ?N zOp;g+mj(JzP74(xYX$G%A_WeCjEMhLR|#og#Fd55Ipi=fa{NoT_n#W^PyHFVdk#4z zo-PpEKQ-!!Btg+tSFrmq7=1TrNiml=G@QtCZ$|L<@T*y_dXSMCjx#jAnM_Lj@xfhC zP%oS|V{Fj{Z$Q$EicfFWTA6)-yF~ni z8_?F|Y2*Xx2uZ{HNb=^s_W^Bb6gn$I=QOfI%bEm)Xjj5Jc7ArR5aO|h9^Aw9+epJa zk!7xk^YK^QLW8EN{;$3Ed6m2AHPcaySjz)}pDTd(@;*;=I;N0e`vM z)H4#<14+lVujI_qi@?9#c{ZDqfKK?wP@qe9TSAHDd(nRF5A6oOD;IsR;$moSzI;C{ zh4A&>vSY;jQjU?@0{1s&cHFBlTqFpxpr8(hAeX5XBmjJOSA^ti92z&qNa%Q$khQeW zOzk22$umW@tijNdre+%~h!*%gCr}IAGb)&DTC`A4#KQ1=> z?vp~3uDJD$+k^*7m!$3dn(T~3-UgNfGfQ50HHH$OMwF`rFTiEo7n{|M^27lH{p>j@ zz!#KF6N2tgMMz+(bp>eL7oNe^kX&ojQX|3wGSJ!i-Mzj-kT2AnFYlR~`3-bKSgzw* z&KE7|mJk|zF-;Uv(CZohcfBSVrWePEoOe1#-i567S%x0ClgDWB?nQD8hV0n1hlO0o zN#0d&&=j$Kf_~`FwEw$U}_*~wbiVCsIs4lbCX@LD>DKdE(5gL%26p$ zyqr<5l6%iwsh5oKshag#C`DQFP4RtW`nO>VI|KjU zhAreXlW%g#>>jY~L?;dhkfn(P+{==-*cD&C*?wP-V(A`20(tO*zX##w`0>Q7?|z+b zZ;$r|`hVvRn(wu=l>Ql;##|#BWV$c)LxT*VLMG==%pYFf0ttxQlgBP%+7~e;khF z-q(W7-o6ao^B>NL4-jxb{RkDRDM4B4&kr_c;tp=fK^0HwdA=E$>o?WW)<2ZEk&D2j zH6}ShR9Ns0Jh*>OF8<%TCQU@*`>mPrHsAH7*I8>H9$iX)#K>6=bjA-hsC;@P;9(a< z7X(q{A-xV2S0-QSH4Nh`-1V%e-7(7529yLO6d5LAM5W-+j!2kKOWsZIHB^`NTtLwE zAHSg7J0RyMYgIdph3Nb5RfN*%FbL()ycg3f5i~M4{x>|odpB76t zz?d(ZcOEkNxcW2G{i8Q)t=BxMyi>zi?NrAjV^|fPA1%Y)4tTn;9hf);#6hRnK2J|i z!XkChIrcILn>+z~QMil!3J*S<+iISh9BTgwZvVts`~m)7w%WrMV*1-wZ=J0r62>Hg z+)7(lhl=J6ILGOTs-r*36Q!2*z7M&5g}~n~TU509olx^@B2IZ$M_7TX`a5}i@23jz z-rT~%g{i^HlGCMA=gqmk?Z?`cgi(`A)!+I$tDF{PEtMIoJ;6k4R`?j|k}!mbK(^0i z>7)0{OlkFQqC~aZw0rA1HHL1JI3=hE1&*Ef!7>_iF!8_WuwGTy{?5qVMYnGRn z*puy?Mz4tOhGn~B^5KcXZeoxvAlI`jBPFzmtbq*;QsKG~l#}JYzH`+4E%g*+{-lP} z1`mlu6Ojd5VzkayCvI&cF!{A{`n&+)TG5@HC27>qGaqEdUTzM*pNumB3;iArPbf4Y z@5X_{Ltn|UiDNdjCCp)^HJGH{PjDawbmHd3`zLlYd#p4Y zIsSk95wyE9UpXIeJi2J|`NE>lBv`Si)*j4fXQ-e zPaYo>Kitgj;CF^3j>B$SpnMgB579*(^;S^NLXLUs9u?A)f>&S};liZYYFHk{Y*$!! z@eJrJa^DiNj(A`yEu0QslWWvEgC#RmbJw%_5`PR*u{XmqCyBUU5{D5jR}(l`Uc4?z zKh@d6ER^iz-g zMq}1(?=piSKfHrYIG79717$?UcH@HRhg*B%lEO!IP~{xLl5;WRo+lUy4%tT@1|yB1 znQ%kCQgo$Jl@epb?%F2&8OuS;URHUR7MYiqDV(f%ow37BJ;=hQL&N1DQga8Y5g6Ut zNpAo;Y$&t_+>0z+9F9I(7E@+NZ&ZYDdPkR(;V$SlszCa8^n*#D+LI)abj z0qcMJ;bQmpjFzU58=AQN`x$3h@9@i2twZg!Lxq{7N50E!MQ(Z4j_FHR7=$mfxCf5; zReWE^JTVkwk;U@efD1U=3rYP5AQdWuEpA;q_!M@^ZPH^ZM`yPRoX^R)9$lU-FZQ$; zpnuP8z8a_Ne&|Il>yHT$36-(j4BP}(W4nkK2-G#kg!vS{+)NtnuyeyWjb3EGXH=m_ z+)5|V#ayVSOBH|AZ9Y$njsV`c&Pvts+IshqPBJ5r9g*`$=WtzS68D&!z)q>embs<5 z7F6oC(VO5e6pG{C6-=ja8D_+$0HiMYW9R^YBI}Bph{PAem?&s77mR=%6c9N*m z<5*E^i&!D3POJpfJyr~SJ zi7Qd{eJnT9BMxtkqp0FZBCJz%ys(s3C9xW`)@96xeH1?+BfDxY$%?2}J77IX8CZ-< zx?@?6#cdorJR@dm9CI2?^gb2nR?mYujp}-sIyRMx1aC{9I0cNdu>o4-gN(+c=#d+S z6}WUMtzV${?jbPT!1^uZ>$utvWj)<#>0#5&u_O6=p=7=yqC0}*o)eHPS(cRdT}Mqt zCO;dkn2o3{b&|zbsT#+G2aPug-$^%7%<-6;*GZ*`j()*Iy!ZF5W4*Gr0gmg{D>Iq& zD{?;ZD>6LEEEkn zQXVEFU&J24+Nl2!(!T*zgm>M>ss7HJgKPG!zeOH%i@@UIR3U~RSP*x5GrnV)+6V=o z2coKNk-X)A!k#N$UxtcH)dMQJjKgTQ^KM}8%)nm@`-vF!P-F7cZ8C<^h2>=6D5Jqa=b2o3)8+`ko0UKeujK9aO!&~~!suJ49 zjSOIbaaM6a7w`wSsriK^-)STGE0Io#5)7v;!Vuw5#%nvNjW+4=qK?5>y|sLBbaldV zUOI*KNaw2 zRg(5to?P&iC;I27j`>lF=+Et|V;N2dS9Okj$xYoqtVLKH#}^FTd);WD?`(Op9$ge2 zfD$Eh$6mD~^~f&4w2pT8CX0G@wOZ9)car9|!#)@l(9}$v99vHk-)mag%uAM#A$B*a zD#J)b9Eq}=LTCa*wK`{JezcCAm|51BL|+W9=&TP`dvs91#r>da7H(qWxivB}v8GSe zBUsAsQR-~XzZ)A--B4i`DqQ9P9WVZF!bOO&E+2TQsn5UZ!y*?+Bmup&KAOl?3%tg) z;JS^2jJEG%f@Kz6V@0sW%)4Gw33n|QgS{tQPW<9rFk^AH?y+(%YOykwf^LNN!rBu$n>z5PU*>styY8A>qRR@!+*P-?AICR#*a;3ZC(y6zU3_xOpy@{SMX!@` zSK=HmTPQSddXXKh+ge@IeISSu<`^u#5-KBV`Ang{ReD&I&_nJ=pVhp)Efm}GY2cv@ z{T6BN83l|E{)ou8?kCZj4LB|@o5cQJTUVZ{i*)`*7@M@Ft%7w+dWG$MrvCxh)~QgF zH7Zl5<`9xU1(f*9Nl0^VK|1v&zY%7zy!>FAydgLg#%^$5B{}@G(|>o%M%+)_uV!A5 zRzjO&xTH1!YAHsBfv)E*v5D2JQ4A9atzxXvD}cqY8Z3LM@BBX5E-xP*x=U`!=@ z&X&@nAO1_V{{4r#mjuqyo1e-gUx@zpt;q2`ZhDU$J9x?*^h>&4;(L&M{lPSa5gD~5 z{f9x}0o{3Kxud{|ITe2F@~bju+;|IzJ=CsRIVT4{2adfQs4mn(VT-Y${vR%@&tEV1Bcv!^rAu7J-s2jCi zTw^Lkk30RQUz6iO zz20zXw>|RS0qGVu&)0v&s6X5gE=upo8Nd;35_b7RTic$zp11gu_PyHCEMF3@qZD!@y3x%={8Ri>_0zTHe5_T+vTxApB+X;EjQ za4~O=`c%+wi2nC`Bu_N)v2J5ae}_b!TJKu_cixa zGrDwBf7zQJDKSI)JqM!@UzUqZvvG7sF=NsPPp21wXJ$KFgKH~vWhCt>5$XWuWBrBg zt{v9~D}bs@i$k4fZvfd%9Tt;0jN!usxXZ|s4JCfQ>9=k4FdHv9rWHJsA?>;8nxeuyzS?Fggd`fYWS5$DiPGVBcB&AL&eAZ zdQUSq(#~qiu8|CJRZ$x!AKe+dw7VD_Vb-AV$0hpL`}KO30yQ+vsV<#X@$9$Uo*3XG z@iw3URU2GYv9}U+fFLIbTE((SnS*#9$ zK+qnAM#TTius}<&*t_b3(V?WQ|ww% z&->~QZ^AXOjRRUYQg?b)eN|)K##4CGFC^X~NyNBzj7Z$$b9L>woJ!uG2==c(3%(*+ zYv26DO*}Ut{M#epx`;RRT#Kc~Nv|5+FF71M5es9FTe|KZu*_oLqUJ>@c@&^MpwZMR zA5(Y(B1bJsAk*mTIIqwP8kbNlbH1xk~^ zdB~-$a<%3w!ynG_Rx8KT%nf4SA229#o!wY&%91P+HZPHrqfpDe^B)fqUq$>UE2BC z1sL`J1gQV~^1?3xr?UJZUBPXl!KvgqbpGdIL#hiW5BAuRjY(f}Ht10?>k6}m;CtkS zpf!la95TFBmM4DmdkRH08hb5o{HTd%P=pMYbn#3SepI^I?(mVg(hb8o#n_YzDvw46 z5183KnPO8Lu0zzn(Uz^Pw7PSq&3-3Z-NcA@@9y zFC2($$qRL5*yz;MoRsK|0D<@NWPC(A>!&is9Ena_EVE>nILTlMH|*r97`i{`%Pxm- za32P5=Pk06GMpalFt;gKUYvptywg%veDL}mfparps1-({c)q=QY0{POsuc^~Kbi&~ zSsWhJo`Jreow$_A0*g^Pd^Wt2H$;l7oJ+x?)?<3GL-h0@_W~4&I}%&MbnaKRPPWf6 zAOCnTH-&uzh4xP!jn%pQtRY52Y!9t(0ciAZ;oR?U3V3Q%NHKrj`T*tEU+^~HyH{eI zdjB8p-aH)Y_5UAlSEm?qifmIU>L`?uZ6+z|6e>r^PK+8%k!6gbQX$K9QVqruin8y* zj3N6vgqgALOS4#K24jZrOTEwOeBbZ)r|)(BmOp;K>+;7mT)DjFzMuEw`B;*l^ z^=MM;dS*O$YO+<``9W<5MM6Z9*D(s35j^ zaj)an$E9&u7x#=N#ONB`{nnVRWMXn)N9wdwR#GGj%zayS-94xwWfOVe`cSr|WjW^y z_w?5Nn?9d2FdE(FD9FxIf-}8JO=bAE%Hc5DFf2<=K=Xnv55H9<2)vEi!u_NcNW`FK z@1R+k9i*JGIqrjWPny)m`aSr_dj5SQt%y$Vq}{~wX&E*p@@Iz7tf<5pt5ieWO_|jX z!LLzkJp)KEkMr5DIFZK?o8W_amn@3>ywb{7t!Mv8;9ameN<^2IRY>^QqkkF1YZMgE zio<`lcCYT;Qa)Nfe)+K)WzP>(e%au!_HGVn@7_;qIiwnd1RSafIKny8eQ0{F19LzZ zquiHSFH^3@W_16FE4zdfBLrk&0;ugMA=Yy*7guFHyp;EAF`eWrUeFUf^&dl5noPT2bb&7#08kT7&2MJdpZdJQPyINS{v9M7+$OgR_ynyNj_Bgx z&;BkJmG5MgzdZD@C!95|Od*CmYFFt}%StLKNoPAo2;s`}6q1x__e#+kwbx3mr)X10Om%_1I!3k6FQFb3 zY!T>Oi|=(wO?jqT8XV!n?D_EZKx2e$hOClCmT~5qCtcIHGD8>uo-SLoRX6s#b10l3M^!4-a>GzW?V=7uix| z_Rx%CZEmox;Ntc!B`u_ge~~5HfdgPX;R2QEc_Rmex)|up&I~OTb2qZ!1WQ>kat{fygru8Y99m)>KWR@QehE+!jBMdnJ@WhxmLr&cN(3$4h-(h>{ zw9TPlF;!dCIi*lRoz*oxIzk3|PBAlEQR@(Be!8znqkS_8bcL8s19H>g&y3QRDS?Je zqre3VqICwH1VaO2Ve!fbjE%MBkOWnHFid{T>;Czm{_S<+c{^AjR(pRo4_sN|I+B=l`0siu`lzz&qsc<$tI#=J z&Vap(ONja;!0v?6&2=0mmF}xW=cU3z29G=otb$XfyC_aMK6g#5`^qmso}7KM_S@>8 zR=BN+H(~29Rr?lST+xBMjwjWJ#*z(S%(DJ;+pt^97T|JChlY>CowH$rge7~!b<;q8 zI;}>SbJYbr`wa_V-6i7huovCR&5H>4mmY#zBRPyvC+fn%p5{1 zsn>T@D&e&_dGKQSN{?p%y+EC4T%M6`RG%3i2mBISx0Vo) zQ}#z1ad~B;T~Daj82}7wUGgkzv;8NdiH3>d|5*TjyknOyOzjyuig`+Z-VJXq;|{n3 zpZ50-!_GlC+Irm(S%udS9XnlGdvlww))<##;TN>GvkQz9eflW=?&Oo3Kw(W1g+ZTD_w z!ri5Md71MQ{+S}ow(&V$uTC&zy8gs|8PCTOJ6+F3hsEd}W^TtH^M-Cam#^Qxb&oDW zh_z>%7E+x2?oq3IYZ=4!{O2K1`&oJc#n}p__<&rCEn3MWxuQKrg0lC)l^q>@K@SF_ zilD-oA`3B52W)+#9QCEc)DeUJ?##zoe^DR|CBy7be#jA}-#h6UP6konb=K5G)~qiA z=GPP@V>aWB)ry={lN&gSwYg~&*iA2|21Ca;PaFc_XVn&6d-0{K$&;0QPEV@wp1)V> ze|fRdHZV5Y2Fm}|Hpo8eeYo_*Z+57AM8V~&NHQ^`C*UyZJ>$@MOnluTzqDU@?R_aV z68GgI0lGi4F)vTZ0k|=I7(>XiEg>W*xlIf6L_A|io}NnNJ)V97j;t(20z_fK0eq4i zOSOuMy7i0Nws<6qxyO-TTjLlZ-*%;ftFz@aphvq15h)wD3H@C=|7 z6E@(ZVt{k$LV8B?sH~7e zT0FNu%a!RoT?WA7358~R0VXBAKuXVTzAIt2cY4rW+B0uDvl?W5Lf8Ki^7J+fmLXgRP0+intE$(^(7<4vYE*t<=;7{Jn1#Iu?_Dl2xEAcM>j*^?esPsLuR zV61M~+*?pV1;EMKCrN=F2cDXBwM9b+_?d1c11>(OE5pw$;#q+Hf z-aW=O{{vbak!{C6_O>RJwc4HO?lG(FSBvPmSDbag)N_%;nv&KQf-wS&+R83BX$dFvQ4;xYT{LmHh;b!+{%_$HR?fiWh%s_rffhCO2CFqR?>%wHIN&@9(V5yh@k%W5`pp~*lSvZJ ztj(|cN|{_)f?k2|faK840MEe{wt5_)Nx{bZuEyL$K8n1~`;2Xphq6oE*Xs(}jxA2M zF?+aTSZk!A25l~g+ualVH&Xl07XWtq20$J>^c?xI{G*R-ifKU&d4q&`I;mj;bx8aR!dVyQK2(CPhkY) zp0Tnf9pe({E=mLFMdcw(3DKK&!xc5H0nI}5=Qb4I?Lk4}q|trJSKY}mvn zBC_VD8391U&FlQ-v%fl)i;n%kgk* z+zlb%7|miZ+#D6r$tzs^f7IqMnK%_E`$Ko&*6kcahUWHS&!69Q1SCL7nRiL zke$&`MD{;uov3H$nEc}=X+}B~Hp`zieYYg&=yA?gJx(~hA*&b%R%3M6qX<_R5!GNF z@6{+OE={q7c0GTG2Fo$x6U-3p;oxbFwVXJQkfx7qAPk?3`s@T%Q$DFb>hka5iUkN=WYHVShEkCuNgkJ?)hY4Lxw*4f<;Vgf^!l51_Y02Z99ySzY#ZSep}fM=7*cL!oV8 z(&q$o*95HZHl2X13LOD2=K5Xq{L%@p9xW}%o>6TRYi|eiQru=+c4i|SJ$XMAD`oal zqW|+DF@cM{TRYEAJ}Q!&dLMG%?F8)hrZA~albeup;5k};r=z^kDH|y1 z@}AKc*VuwcPn0F}aKaRN#gchTNa*lyS z49U44oAoCNG%p1#r=0ejY+0zIBwSB59_mG`JbyjGob?MVZM<&q#sE5c=>7V~XxkO8 zdNZYBp1JU;9+J;JQL6jMtb$`W@j2|xo2?)!5x?N1^y!gxZ7Nry-;1vHYU@&;f$0YI z`9FR|7k*#U`yVLE{NR709#%FexF}_tS*v(hbA!ZLdwUdaZ?z;wR2+3{$s*FzXFTlF zz|T`PJ%Ibw3~tmj4jNbn5!9Sl(^=OIPLjtjMt@yR{`!a;qUIRAk23jI5eCzb`v}Lw z7O&Qg8lUvMSNtdxD~>o1GL#|j6mwBZ108Ia&5AGBxy!a(qGL>86J(P!!!5J4qbUCP z$uo3KTuD~X)O60^&O@1-57AR_$Wgcj3 zmZ_oy93us{aqIpJ_S@-A@41pX;5TVU(rD?N%%TliG-l=G#lc$6cj)d!ic3B32s{9? zHXJz0w`*7Vlnb+;y-3e5_)}E+phzq^v$M`J(SOn|LT277AiBn(+5pO_IXyO8`r#`G z#}3Vdz=4x+QWZOOSRijFgnWCpcQLs-(Q~Xhb_c!|P-+;O1{+ZN(#DCG@5kik-)$|+ zCk-y@6KZ3N;LVqn&Jw!Jj4)h@Uek=5SW3l6*2Hs#90^sK2}Vyr(`Axo(h10DZk9jf zhAnipmdmvme>KH-)R>%>Ey*vzO(>XQS3F@@q^ENc?Po{ddAl2XH+nH|L&3Z#j^@fuxbCi2svhYaYLM0VbN#S7>R z*_~@16GWwuKT`j4H_js%!AY( z+gR7^2rsM+(ya$E@>miNA#2S)(Mos_9M1U_uL>u>F%IM`PSA&VMm>e0P=(;9L*N%~@`c%O4N!!*DLJuzkBKX$$&%O?_wb)<&z>FK+;ND}*SxbTwP64LwaL$s zSx}{wUJw8PgH-QNQuJ-uaRTL1LqTt& zTM>%<=)6NzVP^@}2U1G@eoFnd1nYko5S|0wcbWIam|K#4&Lj!GY9Zc;Q=67(q2}6e zz5$+X{Ar#|6=C}ahns*A&`MZq?~4>G^}sc}$Mhiq>~_@9-0M6^cmidu)3W)ZnC+Jd z-!)I;6Y7M<>*@_@4g*}l0nufSZQ;59Lq+cbNIPJtQ#DaYM$YG89rQ(RU(ORKoCP=)9Ms9BOlMM8$Hc7IM9q*7-pW ze!Lyn_T4I?^q3xcy~LqG-n6!4K!4|IQQox3gE|!zZta?iKYMnmv;(zw&-qWANo0;Y8R2~4hP03YeXMd+k^z+zJ`|= zc`-f43Dl5=QF3x7q{V$BDcG}7vA+~v*-rrJSWi$ z_&c!t;?7~tM9vyQV=5();f?|x>+7kw<-&XtL~BskU~zz0F%>i+4_&>8rIXfK*%P7l z>#g3$ZLB4?i77^70fq{DBm6%X@!#)6g;r)SD({1Fel0gLgswUN(eb2-f5hVxzBr#36yxu@SyCkmH;# z7ZP0Yt~nSA_tSTV+mA)IOouzVFS039;mZe^NNbR#_nevNj2-pn%%qFbw0%tJt7IiV zUS8h*Xw=&jgRY`HYLBHTlv1~MDmY0=^IfZ<)vA5&lAe4v^rjX!K$lV%YiUcvVa!Q- z=nF(O0m%5N{ZNJ{{j9d2?{LVIO1oVQVC_D8maSlBRgl>dt5F~%^FX7_e=ZL5I)^`7 zqBRED%~3QCY!YoYjD&bRn7Uqw_vT2?a?i~+`qXz(r*!B~PP@et1qYN}_|GDo_|F6< zD$!!(rMA_+E)Wrw1d0rbW2t2Bc&A=Z99%X zBTqC9C>0&V)~8k6I)_=Pg61}zwS=OGBt^dI@@z`@cAzc5qhC&-pAQE{eV0O@*_g1g?ypDeI_%9-S|j2*v_Zb zRnV1&OpaeVi~xw);y2!2%cFXD<4UcxY+2y1+Il26qvDK3k+XGaF=RW2f_JBPf3Ylf zJq|v*nlfQIv=ZPmMxY^f`IJ?=H3xy0%?9YsB~R^p@+T&CuP=53EC#y3b+9Ed;(fdS zQg|BQIz}B6Fxc@FI*rtsN#?T3frAh;^Q+sB)9pWL{;TJ=l+ys+DMZukA0*Q*87=+>X?%6F;@nbrjqw-J}aWNP64u0Upz28-B_T%^D|0YcmU;PR(>BQ)gP zb^vQQwN?iAXxIEkE`;3gl7ChN`_McH+Jp>|tuy-qh&>nFA}?>X*)Fo{k?!6Nji1W! zw&rI!&LVm86>clMz`#=fh0a6;Jw0Br@(BS3(YCa<6>)3hvcXA8YFQDS@_Ity=BuGN zAKlWqZWJtOW7IeqPEq~6U0~JT!mfOnM@N0ch8=bi`wvKgx`S(dANN9 z)$^hbJ<9S9d%6XKfn7l8FuRf<5FtluxmtF5nN$tH`yjOgt-S&EE=8}mU=Q4T*zA`G zvxX`c(C8pfDsG3060z&^s<|7ml$&_QxWv%8x$tnC?bzJ(etD-h&A zo!d8^DkzYyPmZW!E)?ZS}1Xhkt zMw~EHvg}Z8Z;cy4Y)!G9Sy0G6k;v{80#?NaQIo*SalD!H!Yqe<`3UVY*yK+zAXj_{}Dp$eJk z+7p8&cX?~8OiOnZ-SSP}05JO<4l^L-7kOVn=MSnDi2&XC)a&hm!*~2G4V-_Pl86eb z%myHt$F;VT|2V`(MTgyx>>|%{H3TrNk}-%WbG}2bM}lz zi{Mxd!Ae_kD;6m!5cm?+B5L=2L-Yfx2pu$=O?m` z7v}FKy~NcVtF|MBUn9w#>k z(EgmijD5E%tJOB@_D{a}+q{EkU#^l~p?|DLz}R>BoA0r^GbbwuFuM1cs|a(S2|GVv ziO&CWEA|%_&;|$lRG+Fj#X1^X+E68tm&!L}Se7F{%)((hpwf9KOs;;&^&EtyG1NcL zF{Ppi2ww2Q9o=*u#08tvqdUc6=+-eSy?VL*5|*rczXmToY_WM#U0QDfCI61vJlb2Q z%6s$#rBxGGe{cZ%fB%!ZOP*Xxkbx0Kh)D@Kz;J`<5*! zMJaFRN|6N^Ot0RoRqEWG=j-A!9VhM9_VNCP!dm998*Al>j@^UX{}z&_gnS@ij| z3!z2n%MP6^hhuYSHX7yks_@e8gMID`;y;$vf7!@eM1cS7O2WCbp09s^g6OVocV|iS z`zrs3{%o)k8$d%6YUwPs+iK^dw%Q1{p9me?OwtoDz4y9s!|iIo6Z73AN@7H}qJp zigqWX43ezY9QU`HvEfDDQ<7Qn+#ARSIN7834itW5B1E_1=PsoKZse|1qN&qhoCWY5 zwrea(fOPi2Pac|_(4&C~z+$U+M*Sa1s`1Kqi|v-bEw*>WbN|0*vF*dkDcsCCnL&%z z@YHvUOj+`t1Gs{+eEaIUjd(!*+sL0g!74es816$y5$lC{KZKfdI~i@?6DR&+l)N$_ z?ladn8O_;Z&!3(0dp50?FYw#~y&j&ZqrZHr{ZMvj66RxT5Qy!TkkPEz=HIf6EALK` zm7nK!Ih8nL&WhIOt~Z~3P=ivVyT~Uz0##(P?bU3+&NWD1AO2tgr;lBJUFB)Lg4(P5 zo1f~%^lcqYGdjkw$bflMzc$#obZyc;Z}SXAAHyVwU&v*27lHSB!$&b76uNz-`k7Kr z&_z6!-BW@D%u(ENWpz!Y_*74qWui8@-bY`0r}f!j1ONm3kDKgavQ~})4u-gG-t|g` zzWbQzs_XOKe zH0xXSv45I$?mV{`cV0<^uh&NXYJA=RDgyU=9(`b^ikc%M?env@FmX(z|4vQbK9(C_ ztq$mQ)28%bXttWh|7H8EF?LKKL|={3LT#agc2zu-v#|vDZbLdshTmSG230wK(*L7z zfPX`dU8k59EU%(yPL;T#4O+=Ppr^Q?JQf7y6hky?@eHx9`nX>pTp!mtewGR$*M}J)2)l42?NkbC&zk^??cqk{$mQegh+v zgb9sfSg5Elypkbsx}>q<-TadEW?mcME3mxdX;&iW;~X)-?V7VXeM+ffr(c`8;>f|V zeL}y>2vxTX=kD1auZ(|KQ8y9>y3c%1IO}bXL@u7j)k`g-geq?VCjky1zn}1a@kZ-l z*&XmsjLv9j%*UKWt{YQB&k`Jn=5MZo6nxXDrrse_UjjWhAbDQ~c)DKvdw6{mECIk)1JD5y>dIdi%$A zep1J02^kiZIT+Kb0Xn_)N>w z6!71(#yiAx;3PXi&)kxY8Ii>K-j5_?V-Ogo-w&F7=4p=w`HeMPhB#_xl!jD4gI0Lb z&K9Z-qt6QZzPg`MnWdeIDKM6$7eZ9r{>r&|wR8_NvL1!>Yh(QM+w9&vlHmh%kWp zKDr~Y#;T2cc*lKG%Rzb7%ng;upIlE-+3T3l!Rv^yIH5hcP4$HofONw@AShW`)~Gw^ zn9aL4*}s*QzyCPz8JCPL;*|COh6%_TC{pp7E4YcvX&`;*i*D-H@QU1!H-NPBnF9w~-u?13c4gP^2Z0jb4pO81^<&Vzk4!TtuK)^o z_XY**Zc*Uvh7Rgsc}!^y7W3G8GqysSa}S|6y59|$0Ml@_ZFI{Eg@9lf@mI7#3lOGL zdP2q2B&2F?lZJ3l$xe$n>88jnGW?5so+Km{-w`AbOo0fIKT|LH zYXn3V6&c-eDDyxKl{lW@>v_Ofho74_C2*5i#+W!FbH}lzKqruN8|_i3IxuG7&c#Pt zR!s(8qTU|4$`8ofk>|KSDqKTX)J0LL)8>M-*hn&UPE6CAW1}CvOov6L(|ET6U4iT~ z0Zz!ZJ2{LmLyYK@=Id7?kC|C} zx~;5%0{g!vtgwg*K7>W)y7@$u59r`E$+^gkdVFr=npu1AB?Ds-_-Yv7Pf`yZJnR>m z+c)*j2F!WB)&0jxn7+3mgKSN0YO_s2Mv$e=8N-ZYWKZ&Noj{ z`FG>!!vCAbQRB+hYw_PHyp4slQ{`t_xbt?8zbzzIP;1fO3+dc&nC+S$a=iykKb^Ri zJoOqURrD^?mYAf??@>CoK>{wVEkaKkBfsPYK54pKDlaT9Au+lu1P}v9HE&|#Vr&je zwlG40M^+_s2k?SA7W}Y+ZUg_r2^#9?rpPw!o;U*1G3qLWX!7YE838Bnj=<0iT1ZmD zV`HL{8f!3Em2bvp1Kbm@r8@SO;~UOBN5e0ZbNAFjk=JxxV9q9qk;xbxiJ7?0qYgZuj z+*l^b26vxX+HN6cO9leS1wd*7RCY77Dm-FDryXfbUOSho-vBdm_8&2fJm7U=5RY6e zMS^^f0u<=xy}?Q_EIGuP$@gZK zDOMMLG-*C00RH2RjsG1tj<~xZvPD+rhRoXVD*HDcKujs+tWO0pnIMhjN)KjHGti7k zY7TVuepo8OtmA-8&)OZ5d|2pZfcw-*8f5rv1lI#xrj;Cu6B}%fqe9vp(?}tM$G1aS zoMUIn38bYRIi(7*QrAz0WmV=(k+%E>aR1J5+r`X}s7Amsi4@itka^i03 z#{ovtz+QCyb%P42`Zk)yG3M&OKhJ-1MatKAT`it{Nhe-@y@Z}lnZPdw+RE_f1YT?P z&yWWU!q)nRR*CL}q2#9%(KsoM>(GUMg?|CN;>&jISk;MFoi?Vx9&-5{^je1VcJ+;c zHfu8>ZRqO~U_LG35j~;T$=QH7(Zs%s&o zg?Z|4Vt6ey>ps}~iZa%x7k!I&JXB!prhTl* zPKrd3whu9+>fD;+AzGuI}6C>WT zeX5={cO*exWnlUHidZWTWKZsW$5Qr5gv|^RQ|_IOhs=gk@E1=j z=|9#poz@>u#eZsD7U%eHX$91Pn!*F&shX?l(S50>B-@Hr$F78@D3<#!aSr!5cGI$g z1PK+i)~7b{DpMm$xc_vLu83LiV?yuC5!ZkO6w@0+a$(Q+*dOZft(CF~_gDLp(NW`v2CtshFU`r+d{UBBNOj% zo79tqu}+EvM=p(?AX6e+wesugWBb9-jll>bwh`|k8yVL14~?R8x6WGxS8m$LI1a$@ z;q=QQKjTaf0W}8I$h*VG8;a`OUbH;wssolTRi)$3$r z4z%17NgG;Fe)EN3G~1I_k(p^(Qo*ZD93t@eQIT|3dH&{EL$+$*MwF-}P9r7GyXl^& zozI62X8qfK)QYLR1B){a2<)hxXs8XQq;=~M85iXnj(w)zLB=v_u~s)ZLxDpcQ7La; zJzYH^Uh8Sj&R$A1so+K+D3dE6C(yILdg$MK)%GG(^!A{(Y+i$?E^Nbx(U9oyWVBI> zP{1ZvbH`TOUTUB5lSCA%AU&OK2;AY0<6ptMzd6gBzJ7SWq{`>mievBs1YK0`g!jU< zfgq6AJ`}0C6}kY}T7U>LV2zrCkFjLIYLdTxM7V!9qQ(Trn74g(9ZZ+N-FvGWg49;l z&`|!IISAyo9U>@@TbbB8xnm25>&n4oq4nN?b{8(1irN9aeK)$ZCwBZ^YmD$%AHgTD z!sl~+Tus@OR8|fo0UJy0C@9{n1f-0Vft1lD;G+P>OyNB}e)L5D>Bt3`H1TgcZEXj> zZ)oz(#5-5d=zElt6w?_7~!h~WUd)$v3uCZy%!Ppo*@EOS0}bk1>oD~ zvgaQ38fY^f0pSE*hNO0qw~1RwV729-MF4lv_Vsa;;qlq!DV659o&v#E?W&z!M9cYg zck^2U(1W~-&CVKrPp35;j6r{L%NS2|9CD(7Q5NI?S^uvl`S&CJ-L~2ccsrcHsTo)X zE-M99b4EUlc$y@N`^SjT9aRK0+eQhjkLfdO%ZJ+%q@jz-@F{I(%!ict1Cj;63GJir zHeGjQzYGvuzJ{_}MBW26$UqMzFKz9v*KT_!Ak*s1jTQrM(*Z^fPj{>wI$&lRZxb@z zNC%0`Q^N})QS>AjbMOE`BQrE2Zdzn1p_9wat*^TpzGR1pFJpM*Cz^cA*@9M}_muSk z7+Gg*XABI0;;9=x`@xw1H&!ZdFV&>t$_%1%tO9`?P-y!6RNcR~ZMSitp@rZ4dz~YE zL0@e*cbDn1nNUv@DUq@=K;3}{gwHpNboxDz4r|zBcx{z^H@w&!XbDSQz8-brb0a2l zX~dz5-6+Ap<(#41q|94Isdz3Maoo%rZ5X5K>8!Chp~SdxvL7~k+D&2|?@j0mG*%EJ z`zz4s{78+vmt(ZBfzIVgnKp#fOiN;t%86Tr#+049)gw+=+v`HwcIz|y9`~*KluDP5 z31%34HxuQ`i@M;b8@OU2UrgI41B!5|SjGCR6Wwg)tCony8Z)Orvpp+|Z1y@YXQCd; zznDf}S1Fx}u6=T_a>z8*DBjPX(DKx4Zksmh*)+}}qTQtC+_dEAR|Hj@1??%X89dAD za4dm_5|A{H44I?w7kW@~2#VY#FRw-cDybrioCjG;*cIqm;>Vy_M5PrK=+{e&%uHCE zP4SB9(F$>7&1R%`;xK%n-J$ggR!{Wq-Mb)cb5lob?(p&fO2TF^zXL8ygzluaK24|> z;p%ofnSsHZRif%aPtBhYktI`PfxstHoSP&_Dw~5;Bio8CX|zt-g-w~8}_M@spx~ZMv`|K&-kxj+d8ODT;wmzuFtQ`G$Q4O zd`3Qd5Lf#Pw3jz8UGHu^(?A&00W%UE^qz%w4m22 z7WwP+85VY_%mBF{D$|#RWHLN$mltLleYC4)9xV}kO8cy5t_5(KZLy>^3bv`6O_E5s zxAYtvX9e8EX)d<-KF2==KdT33lJR8DcKLYo$+iQ8M|jUBC6xA~-tqNiztBbc@VekR z%=JFI`q;^XES6?RVoms`VsJY9dN3Hi(4KYy{1O-o4cLT>W!ov@Bs-?;x#Hg zXJFD(Y9P&8iSeTQM&)WS2Ns+TH!vswt7uBhMSfUMne6||jJZ)u9-0}Y|Gbt+AK6$! z{lJuxqVbUPDFeVgZI)|aTd?lzKT4MZ=42-VE4ajo_8<@~;kT0eovB~chO?}S%CyHy zm1xH{>I%3!jWb8nj@|p>fQs|02uXEscmQ&AOvZX<3A@B#8v9*GqlaFb`JiI^Q@ber zy_@Qzrfk^xCe0$j(l^@p)U+lTbp5@JReA1ago(~Nz<(O7OymUi#iHN|FMXOk*OJuO z1BGdD$+^jv7;Bg4X{;7Gl`yq7W`d$g6C9P4!@mE4y9^#eXWRVwmd#3mo;H+B{$zp8 z;J|!6bkzwtfEygl0<&`ky3N`kZ+(`)ydmR_{wLdgooWCn)Mn`}G0D7@m1^*MX8V&i z6PqbA6nj_{caC4)cAxzWkd~asQ+eB;>ne$;5YDURviqhjztr_}%d=^UV&2>&mvq^Z z&#@A;Xz6hmcrK;R)%G=n_MtWwzf%Qm%er&{V0}eAF(FwzdD51x&l=yn3A{;#)8Ua)ZEz>ag3^O`YgJQv z+h;XdtmrA(EOV%?pD}+5tI@FD8TfY)WW%2na#8_xdW?~rY# zuJJEw=fBsK+>~vcSF-o%l+f-(0T6=daV0nnWYfw|nr&D?NB8Pvm^FZQlgWLUMJGQ)lJ{ zQAssc!t2mv6PK@|e;*9=DRYd3ln5P(M zW5IHHRA9V-PF~A0O7SkY+8OPTNs>4fL zmH##W&IF*KhhIni_A_1Lyq&-<#_^$}B>?=8o&k3Hy}=ctk`J+2x;fMsb;E}aSPXrd zwCEYP(hTEo4K5hxoFE0PU8x^_i zrTuHgCBKn;X`;;xi-IyVe<{~}^0;qS9B@qt{6!SSl62Q_Vggo?$K&{j&0%^b z1le~2nQ%ws#o>~Q)u6WZiK34q(8{AZ_pi=vT(RD~9wz^N!qK-zqx}Bq z|3jm3?5{?nS&^8GU)?(8ZHz`)x)tNJe2kVr>t{CgvyDoWNW5U8f-z*|-F@|8G_An) z7!c%IpU!Pd(8-V@+`bQ*@AaaWnT;fWLI9%&qi7i}$k_e@W3+`ui933#UcmuLBN-w* zZkKjSyIcCA-HEOln-N#g&s$84{R4c0tA#W^;8WEU3pbLZ8IBKULhE(X`)46bv=+Cm zgBi#H=14H-^I#ySzDW$A%iII&?#TO0^>k=)UOIj6eU%UG;;q8gGW>ZaiS!xo`o5u5 z?WG#xEV=nj&M}e>o5f|3PdX9NVz1@9peXl1oTazm{FMKLPp4$+#S$Jklujh}XNIke zr>z$#zbGGA5t?|C2Fbf>h`3bmn7npl9kToB7AX%AQaHiK2yH1PUVZNUB_2fjXHdCM`;gB-9 zCdO70**z9!Ev;&f+Ze~-Ky@^jOVTBQg~u8iV;@0b7e1u462SSuXeMkx3su;4r;4Co zSE5<{C|A6xV0C>6VhRTEoVdW|iZi9%hS&$|RTx>r^FJ}d0L_rxvCV6nr(o>zaZAeV zOCO)Fh)PTUnxqLZo$gFQP}@~E^>g>DE2ZIYFYnSxgDf4GAeZ1*&PmMqCd(L;SM@x~ zdmr9gC`cGA<Sqnp;Q~!#eTUJ77`F(%?Yg_+x}ngPZ$` z{KTuNg!U}{Q~6)!Zyy?8D_V)v-}w$WOw-JW?@+4lun)w!@k$ceZ0BLM;fRSy>&O2h zA(TgU78;l03_MY8WQg55-*3qkSA2cJ&wK5}%^8pSzSpq$x!WZJ3jMa+=ai*{ie89x z&eW^gCx?^)qG62wRB>ahbMJ^?tqsO zxH+JXHxrYEQSyF*XCfPuz-sgim>gN9fPzsyk6-CPs_{Oh0aKhiWT(Sn&a5y#Y?(GR z>zT52MEuFU%^vqJ3$+eb7wG3~st0W*VC~%99-cR-#sTNfWP#9qD$9`+TP0yXK;Cpj z(^FZ6w|PNEt@8jPp4K~2hmoi`%m}qF2BwgHmXTD=G#$LW_GxLEakwAdX zGG(+VpZz+&0M>e9b+%;oX7P~ir$QdjjChg=^s>#EKu+@w@THEPKFVY=_2yQYM3PA& z@^@f(tDeSm<<=&;tyk~O6(Z|3;?)MB8=sBtW<&y?^Hijz^fBCboT-yg`B$gyG}vD{ z5XAuc3+hdu(XW|cehsWCFkqzFX}W9#N_p^hW#+iCW^qfro@4_%-(ezsfkq*`hkwRt zIO;F`-eOE}yoPPN@^u#r_@ zrZk0!XPj?~*%zfzIs$@x1SZ-VAUmPGlWR}l<&UYDsIQ8W3b80Os ziYMs`NL{o2Q;SD}VQsuGYOvquDDtY$81MC~j!|Mx0ETHwi@90rRL&5;MF(b z)f9Y-kjG2#-^07X*PKc9GT_lQC~9i6JIpkdd2!3T_V?HqAqRgucI+mjE!lCiR@=5nYiN2}UnhDExR&1i2@!W_ynzGTBm%a-|(v6$T_{a7Xt<>vUI+5cbj!L?wC`-ZyrM`e54**@(Ro8aJ0w4 znnP5b0?Vy9zlx5wssAlyG4xQqAYntI9lP`p2pZ~2SM>RJM%15z|I`z5ZfEAnZSMGq zV$Bo9pH?xYvvks#-c2$(V01qUl~Xhpp$uN5h&E4xsF|p^dGX4zB0q#S?a67x+T+vq zpPzg#8Dz9W5A}V7k)U$rk zDTw^kS*4G3Kj!H+?oCyb|*iUV^_PQ~1$G zoTBkP!>8=lR(C5YQr1?u`F!ubSMp3g6_|{x;OASxWaAf=j$v()UOl&?BARDFeMPJK zct@H#{iIF)yQ_)CdPvePgREoP+@go)_>0ud>{FBE+D$T_U0*C-X2u^lJQX6PXp#ml zulA0Mue~wF5b^P}2-Ess+?{z;(s|$aZEUn@amks~T*$0!G0iMD6f!GoDy?Zu&4tua zDtA$E0ktf#QfXIn&&tXL36~UiO)3#J758010dYYPQSkX$GhK6C&wbB5b3gw*=Xg4F z^tAkb-{rHs->=VS`g}Yt)Fbi3X&pBvfu)>k(7b%TackPtU|59C+%o`#txgK1M6^N) z!Vb4-wtkjoah^-8Xufl&N72o-qZ)^3kleWSiQw9PeOcyAQcK0s<^3B+dJ;pYZl=^1 z@tWK)oU}aIW21s2MsAw28*0d4B$K;lZ&$9hHhc?&P1m?cc*(n+1<^~H%2W@lk{Hv7 zSAv~tlo*H)T5lj3{1YG-YIs;Z#oh8K*(cd{<^9Kt=q1cIOwfO$tqNTmj9{jC;&qd~ z%U!yI>+a+4u#Ee$GW)hxkNy;#ox0eO-)70?w*<5&%S;EEsY?d$aElp&LHq&?jap6* zs3JpJBpdZC%ky(>t8Psf_c9)9;xMSBs>>4&Gql$cO$Jv#3vX!{{?;#ygIZS3&ItFL z%W~X}reg6=d?Tizp(q)$ny8`H6S=r6=^>Q2IFK>8E;}^IBj&roC+^x&wc(FvEDDtClrwjQw-X_yk1yh=%YrV=P}bG#_>fsQ z<+ilA9J-G5ERAtSeF;ydHUOA{d&LPFP1ly6w>({MZ0D^x&}2QjF>$d4qJ#u}Lf8bE zV7nr3f3d8@%WUfc3>mlHxz!B@BSi)GqmD!7yVL^PqT@UG@B4+kuEyKcrxV5ih0y^7 z7Ef`9;F$TY*89?CODBT7VJppbxn-;3xrU_bapKCa#a&*bZ?B3JcmEIgY`J^Y`+3kI zabr`-2JAK`eg>n!C@kK^5Yl0paMK}`KNJ0*i^UY%Hx&5 z-wXx(`E0h6Oqgb(g<{$UO&Kzk(26o<}(eEOLfTp7pjOcC@M6uy>JeeWR za18B!++Q-7nf@#6r==3>h+h^i_3U}5#pJus7Op(>QknMNdDXs&(ctS zUw|uS|MKS-l>Hqw_aPC1OUqMjWxmnls`g<&w67_bWVJQrHQKfa?~YM(?;(DfLMtFW z?g@6fR<0Y)g(55kmoIeE%_A7PllNr9wc)Rrgok3IIcD}IOD+Mddt7a)5QG%Afk;Ix z0@n~4#u@~{tpXBpO6k4AF2KR_CX{`&_3%%KF4aY&Fwm5C0e@J+O$SksrSPEY$FXBE zw#zM)I9ajqX)*~uV&6b>Yo?_&xkC^EwiEYdv|+?>F3cLCbn;XWywUf87R6T)UgQ`)dwsnJqE1Kpo)9%n>o6<(ANzW{$1Gc} zEVh{(5I1ogoJ;za*Ni_G_Mpa}KeXNh1i{l~KyJc;H1BTCksJXgi=AE+9al_9_AM0rT3~zbStDlayVS0gnxVG`g*hz`V@ox+=pUzS4#AUseAbyoWPGM-pAVx` zx5umbpTwaBZwr#r^-Y)vetfEasa$irC030fZkeL03N!_qEyB@Ft081pH^Cb z3j06c`Z?&Af~NpnADg8|HL%(gl(uHikDz+BiVYE>;F&GIuJj9qc2!NsD~sb%nEqK8 zf4Jo=*FR`b1NFAYG2^`0)=-3v0^ND zi_TsL@5-x5zf{p7e{_z&KEnU})o*2If#2+d08w1YqfIZ*a0W60R(9UklKn$~Y3KAE zY=ytjsLXS)zrRqy^>)Wj6;DYu!MMUKl5G)GtcTl+4{ORyHG^`}*G5;Z@wLJTzYo$& zA3LA|-%{HrR~sK60zmj1Q|^n|F-tApyQ7Vse1Y&AY0?5KZ-=cy_?4M;9?&tqGp;`= zRf#7o<`wMeBAg$*)H9QdOr^~*}i;V?%klmyWy7(jZ<93M@sdIe79qeJ3TLv&$Jcd~Cqg;!xs``d9zgVKnjA1-`@!New2+t@bmAy+I(IxRm0 zY?P=$@6Ld!bi6L0_d0+$|p^JKjg3KfYHpW61@8L9_yXyl zX3t0Yd1%o5EG<ocD3r9Bum zGYZB2^#z6Y#H#S1$(kLCv$gJ8@uu|}v|=rG`!=dLj!Xu$|7LCawf$%siX5NLoBG{K zL}Xw6*=*VlSQ#Gut065)^ZNH26ceCM5pMRV{vcMBW0K=b+De&!MUd8$Alu=6)6)&b z4@~~D{5s^by&$mrZGa`_#pDg)lSjP_-8X~hh=pDy9dzEHtaVxP-d*3E!__@!B5h+U zmtfFebV`>$kxc0?lf4`VRyZXIdwA2CnhUV+>VSZow0THnCUK7|GG;s}NdwC$G$#Lg zw%_z2@g!x-aGOw}c_tb0bJq-9X1zuOF_c4thre#Z#yQq&uxX5VwFu_tyI@FtQcm1L ztSsEKKxKLWhA#``O$~+rR-E+%atkOI zuCb=ulr|f$`z(#v?2GS`Lk2R<+$;dGaEeSLK?MNR%ZL6t?_!zD%CF>&o)N{do<3Pq zzFLM@kh{LfgB7kG+xhSNE63u&Wf4l#nR9#ol4PObCo4Ck>q>+9RvdJn6S{wTUbf46 zugaMwSj?d0#DzcjMzm|+0TFlETb%Km-9aY=1DOOMW4J!GpWxw2aYnH{NVJ}ne+tpyECcpn==UoIFlN`IFryiEQBxD zZ&w2Eql-`A+yUyq@6IGqnOx->-yWbl?Qu5o@|Emn98d*Wv;Dvlu5+O*wNiAk0wMFC zr{|v~a{vC>6Lek0x2%)`E69*p#>0xcLmP{x*Km)yZ9gYHBa?p}!E}|tEpGF;Yqt(X zkCB5vEGROO;uj1z{?Z<17;nGBbEtVn9&Cb0w8R|dF|)ENMF$w}qEI%K%{0CcrF5;3 zcy25}@KI>f!85n2za)6=32!V!QR^TAUZ-J11ZK3Mu(u`gM)I~fiKtX5Z)c26&<$B6 zs7F>dRrchW4Q0+Gk_17swj>`c>A(Lnj~&DNNIu%)lC5LHM;6GaK-vvXsFBQEG^q@I zJpUS#O{)Q^gvT`Z(=2`WFZ0|bfO}Y~yv;9WwTHj!`o^J6bjFkXzpitxo{QhUE}O2K zxicahcaUy(M6jMhQyzwFk7oSnaXS$dK&GNMo6v6?>0hX)9_=D1kD9Im`5XTe$Uh~U z%Ik2mpj-vC4O;oBP|YoRFN+j#1D9wnogM>kn4!cip-W_gU9;C4el%76&4T_+FX+%K zbrh(jp>%1cesL;b`8z!T$gc(f`FDN=@{?DA{7bE}W^gW1v%NM!I7Y@UuQ$LD+V1l5 zZs8Z3;Lx!;kBy}t>f&X^UA@AIAGra8&-164(3{zw6o58$Ab9P;NWm3k>T0#B3dW@f54bVw7=}tSOml1><18mE_7g&O0n){4pR;L6`bgG=y2{^N zoze31^Cc&aYI^QH^t1X?7kI1oX>+ZOpg$P;nHWEI?c8uvqmMdb$QKk@l*XG%CK({V zn1H6fGW695zDOo3JN!5*^a^VfkFVO+rPXm5vp6@d&w}3MDXkX2kA0_Htx|8j-|X96 z_q7Z8SHD&ZE?b$4y|`wEPNidKGH2MCrSJR8`4WQHgCo_cO8$z(+BoxZJ25GF$l zS2)FM1#i4LwmV3sm*Kd3o3!j`c2epuyKbb|yVz)hyxsMYz24-kS0? zqM^^ozp4!X$CHUwxIVn5Jm*^3@gP0T`Xj&;gOnt#Yl@+4imV>-rjc!Zyj28x#$D!= z8RU*wNXXHQ)-UZdzL4%H2(V2Fxh9(GaO9uf2q<6sRw4AMsmE6#^y(zyDumwbKU_RI zpm??OgJ}*9Vf;*R%9gv=nkn)w-T;-mI56 z95fBd=CvYDRGoKf140-$&1|(hma)1AGC+oU70nXrH8CYw;i^V|Nr{Ui>Yr~& z?sc5F?fIf8q=DLPI@O={p-x$kYX8NU<8Xlxq5{C;F_CIb9zGraiY%f?B z0&E)2+sX=m_--q+kFlt0n^nXUOVF`5%z3s@38!1zKOmeQ0K#-sB$w4^%sxc1GYOyreK6-2;x z14pM?xK6|wYr^BZS~XJa>y4_$Qh&GI_`_eGstWzXcJuR2F8L1@z`=;Hw-Do=rvtN^ zh6rbN-em-BeX@4n>p@-GHYCOMfu7ct@0!Nz3T2Beu~a6LtY zqEgkjo@<`zV=KOL-uZw9Cm%`zEI1oiEjXswD3rHvd!c2(XeaZ-X)BgO&WaQ-#rG@c z{ln_3|B&t+`YnO@uT*{iaUdSnTD=or*?V+$tgOEzJ(;*?gpHQx9;58ibEwyrM>0~{ zS#?gW=}uZ{84C~F11z_w8;+H%_9B7+tE>Q3N0%Irs zJB-~2M(0ZYW}6LN%pFYY;4z4mAM>G}R@cCM z)al-TvIb<<0?2#kT~;Xoq7eVubHMLskK3vT5WDVl@7RKRZkBZc*VO$Q%cph-bz<;=-zg?B{heL*XWF+?whYSL6$Rt#3uIq*a z4jIn8FNQ;3=v{Tl5dLt;fJfqW7pHD31)(JekUk)#+?(+v__R%j%5MDu7bCBAdK3+fw2v<`+&lpARIiYKvuc)BV(T?l z-wD6EWQoPk^12k@Z)dXeOZ~5K5e*4qBh8-vk1i`cQx>3kw=ElR#^#&W8f>Gyw|aPT zNdoePV;=Aa$6OoWnA_2Qi)^~u6#9*0jsQ63y^1ERk;ZN`4PF8%oiXpcbGVB@K+6O| zwBQjMMw(;#THwl=U1VXPb^C76N999CcFg zGdWH-m!wZFi+~Rvz z&c0WLC@rc!w;<2e%)F;d*B?+us;8xPmVURTrsP(1s$F<#u;>lQ&I~yseRb2LdL^yP zEH~7V{Jdu6%;M(OJ<-$iJ{b1;pk+U_PAFiv@q%c=0Vp?j6l)hTVKCoj$JCEB)EtcL z9QkOxRtmRzB2Md{CjXNY(RuAt;9R|cpsG+=DGH>!%9_$NBmKJi{*dj<<=|vs29eih z?#Zqc*hmnuewZA)nb6fGPo*5UPY!cPS8^phw1i$WT5;d#pJFe#p8$Y1tKOJ^!6SW7 z{Dt>rlO^x8cVeB?d0jvFPdL?o&L)NAT=P0=F{(i)xCDGYRGU9Q3`Kr*CCJ8|JvVkd zb^-ESP1ya#mGG`N3Uu%=Wzy$tK=4bgdI6t9v>Sx4x)MUOaWq@d(u-Zl`4qM4M#CW+ zCBT;Y>+1V&x7NY@llL!>dj-e?jx-%A$p@-wDq{tz#G@2de|Ypsj2W_4&7XD(7NEo` zm#?JkF*dTSL`vYD!Fo?lCuim1WN$c`TVetQ*W5ZiWCG_$5R(^d%wW_p3$_|GaLlFC zN?e>xi^uWu>}@L4i!xOn+6AAfsWbPkqZ9pA#^OO6ey3Q60TgTH|Au0{b9-7iApA$M zG8ycCwLgUa)BLL#%sV$Xtp>)BPiiPTARzrx=lpnMLi(i@jbmSwF-KM(Mz!qz{r}`) z7_BA;?j!ZLr8@$NtPz!&6y<=1+dor&B*@XD1$@J0I||g8RNucUfk#1ZlR}vO^|22Q zf5-&E>%nm5Lxp5UsOtR<6+yYUDzjl<&P5y$O3W1^sT08`ZZh5~h8F68QHuV#;xNF4 zy?PjE%syQ&dsN|2{JL7KO|v90{#dz_ABhuB6x|<$t!2}XHg~Q{;N4aw@WihY_?qHk zU(Af<2bcY>YOzFF5nwh_gVb+^i^OnZxI?oEV5Cn+m+xL|2X;i% z$!(IsQG(Ym82=F!{nc-kpx^NtOJwr9^K(7@ohV90l0ete#g%q@aR;)V$UVmvzN%|Z zq3qGa{-$cM+u}Qo zaPP8$H;gmREF%8C;GXBB=TaqpAC708>^%_WW&nt|L3fmz8$N4p_#)y4suHUrZaAV~ zX~QqLRCORrofUR#>BX2C10wE)uOjXsKS0Ed`YPfk7l6PfQZvZh>Fa4W3#-!I$ju)l z1|q}#u7dwmBluP<_-{Tm+^(Kkjh80rve~~uV%}@tCmxjn6w8S~j5r_+`=VH;XDY2K zmXktu1hI7hXZkx&H&p)5prH1VGtM_tOLaY7y~175k9L~%l3{)Z4hSo!(W$1i*!Ss| z=ouyc3Lw|B3O$EHj5JM;EcprNWout&D{5pS-pHGUNK{K#$72fnCT7lGxLLr`8G8TIXZ)Z1 zpoR(%-n!D)(cy;r9jmMeV3oabW8?8dEYnA#Ok$<~Sf=`o{!r?Jt0ig1@7k~-J>@q2 ztjB%At*4=@1C+7%u*Watim`;rYfSaevQlPurHd6gkSk_LgMep}J8D~=2K5B99yY6{ zv}*Flv8S{R(DS2K+F&vN_}Pf=TX)j#r4Od;L)jG5yNBsgxah zC$TaS=#Tw0&(XZQ_);dJ^WTWa2=ISRJZ@EdR@rgCZs3EShsNU5J8}0L8?Jn6$ZHk0 znr?_-YrD1-MS1Xgy1Ou!Q9;6oQRtYe17n3!VZDms6NL{I!Gj0kP$${k!^67I{sjnxg~_%1&N-De*%lv}k50j<@9b z>jlM5>e0!&@gX{M%C@-F%laz?Z)^ucyCy%v^`#=_Cb0tpxApKmUe3$3A>Z)F6SR{j z-@UAjYBh3=nvmm6)vc?^{C5O#m_wBQR|N5V6riLu`l_US2Pi3Bjx@tom6S=hpk~|K zTj~9>_AqYpX(-Zbox#o2HD*j-yUuyx;YZmW5$jlbtEGgP)qFB0{Zi;ZDJ9Hm99Z5I z3>1@WI{<~ph}Q$6MV~wX&D{cKsB(SkEIT*cU%U|}TEbjhw7M}Xryl8O zy5lUOB!oKg(~v+TV?m?KK_#O_Z^px!6SJ6Wp=uy{hw$(}VN`Nh;x<*4tsQY4Erb0t z7?@LE;DA>L56Axw22M&%F@?I~Cycn8g7yCp8=e8K3d!Z+7ymZ1@UQL(Ao;elSas#D z*j-p$e+k=`s230&lX~kwRJ+Uzz0>VIv1Dm~=To5Nk5i_b!znxND}vyp+-dZ~S;5xd z6?ceV`d+v4e`opjXp)KwW@Fg^%hwlR`DR<9?-j$EEuM5NU#;!fs50ym&tK#HBo+J1 z{Ba!AfchO5h(BV=47Pw#o+FHIyOHGs^T)A;rMEqy8#&<<^*r)5%R$|V9y&u*w@1VfQv&IKIPk(Al6FzdD zRq+v=2HN%PgWf$d?#X#2oJqu=$`R(<4wy!wE>8tnIdNI8Rx!%kvE&|eLyxoq0&&LW z2At|9D)Ux39C*(Q=o+2bnfN)*EwXXd0&J}K_#JU zDeO2lgFNWms}$;1xgJz6Y}iUpB{tugzIOMNEx16p+Jj>0meLUhUl^5pHA5I^z(`U-_?j5JFPqK`dPEVD-6W_lBVm{ z4yQ>b=vj>cAV#)tUd=Gq{H;Rc#&y?E>r~{T`3TtVWUsfULRja0_bBWVbUJB*hS+#a z#WI`0c+7zM4!&JbP=|gF29-J?7k?U0YVIjv(f7fg+NkqBn31>?d-x+a9GFnP++y)* z))z{LeD?17)1$S~DxjLMRL@l~{)xtlm8$?*2bm}gq045{X1rDgmJsJRs5SQRx_H&g ziXw#^m>Hi6(Km7J-P+J)9pU79@$|_9>POwC>Uws|#`syj3!|H>K@`eRpsx&G{5J+~ zKk+Mr7Y;CZH3Y%m7`)?@T5SKn7`#NYcDHH8NYi@x(S28yt9uDnH69Z98!^Bv_SN_# zBRpX8FXI!bsA^pJa{Blcvs5TeM$+s({L@Pxw}NH3iGBDOfs}1{g(+>!r?k)sO6RLZ@dN#vCv#va?kn4JZt}GZ+wd&HAQGLs?nm_;}NaZo@a8OD2(qIh=pA zfRPfu6+GHLczV!@kS+^QXaYytMFRJd(Ufc(e75(5%B-!sMF8*+r?@GM$ER5(8`2Q` zgvL75VAI9lwPdU1_UgoS?P~xK6u3kO28a{nM*gJKQSHhhb8@S=zfcd#_tMRqoiwQ9 z8y^>ojo?W$ZPEC}F5t?D$82V3KjQvk)6t#RKXBW^Iz`M8Cbc=YD2yT;($oF`?E;y$ zfhB}GU{$xOr0+9g6+&QdQegLsqMxU9|eL;Ki{Ill!h%vkom1F3Jn~U)bVpnjd0;IPy zbicX|WI762v73@mZ{oadq>i(I*{YwPpVAD4JzirfH7FL4p^vAEdy%*BZ`JMx?o3Gb zDSMrJ0fr@Yzf6vwxm0l3ymazqa-$5`3wpHbZR4AbLx3Bm+!1KsJ5BFvyyZPR@_xLG zh1c!%Ex{xi5kxs8u%<2064s{Bo6})F6};lNz#soem@tdl;#4!)pyI3jP|I3J#jBuZ zz3H=Wcl$eCg`wsR3cJo+mhiQ5D(QS5D~GVu_P8UEyuA?0rboAMrN5t|Yz8i6?U62d z>?*T&L-L|A!0d%jcNst2Fni`Jv$vl^`NHg_{?6xgyEAE8Kz!jiG>I|6R5h~QxUkc@|@D)X}kV1p}9P@oB?FfX27U2H%(s(G&b@%_Hx7Tw5X?-OGU3pW)8ZNz@FJ9&po8b1kHcw2SRL`7LA z#cI%>OkH@6L+7GL9%es!ae8_}xVmIW5a;j-jd5>FPd;|;py zue4#6Bo>D>LWM~W3Q-@C6Q zRKDx9{8wu}%KWkbaL~5xKdAFcv0sO-LxAH<|Fb?#*Tkc9YW*79QZKxdJLY z*}Iq%{Sn#Es~NwsA^d_*>G+e{B;Qn$Sg7(TiBD_j8H4R>g2x$g4ikB*$C#-0Y zrp{v$9_`a5P2gpQoczZhkFS)EMRIz_UXdE9;DkXj2h}gilft<3#v|WwE_j^5NVTOm!_M)8>+2e~ zIC!1sV>rad4QVS2PU$&yx$YKCz)B9n7m9ek;k}zSKA16^HX*16SBE?KM5v;c!Jl61 zTkCF=I2ddgF|h0-hZ}w`iy6X<-_i}P%>P{s3Mdt%B9Eksj9(QSm*_Z~-#wsp>j3Je zk;VI@ZVeurvL%F!E8RW~7+Arf)I7Ba^p61=%%-~hO%cs(AhBq&y;`zsmSU!NVB*Z9 zW*3oxu6Uq(QhJzjGitQ>#o=4DIyhsq3_iY`VxMVw3s^` zuLfoH-X#F_{{|O$ciW@T0fIOa{Z)1KKi6LU6u$%744H2uR+h6HvCx135xo$nDD{~t zqIHro58gPTQa$R>l_q!ue*|4wEDLD4z64NEMsE(Z^o9*Ch&c|k2EATwbKLahci|3w zLe%TLXKDwRdaFW07sskn`zm^P&Ai72&0#fnNiLQ9i@VCvld(ze4fATGf`#%07;w@o zEzad)#QErvQP5!<`;IlH*C12A{5=5Bd_UflJwD!5qSi5P_x86_#xwUUSbqKAk4K7N zJs6T&bO|WJ)!3V^++Wh97E+&V0!v#dumw4X&)$V0XQ$-)?f|v)GT@{^=L{)AP(K@X zolMs%AMGEX*RT9leeRxgf^WpAr<3)vfY}Y(=L;Fh>pwDPTNQAk+rOuf$_M777nBQU zIv)qIN`^%Z2U9N8Mne(j*6F2nAW9(I)7}uTvF$Q0B@h%_a3R6DZ&riq=v@v+8#zSv z2QP?2J6`1Y%GMW9cJ5=fU5Hq*Icz|f=z2CC%k+IB)$xO*ulfM}`(Yhz%nayk0a0+- zY{L&9=!AF_TAr7J2@iW8U66HQT3N*v(@YPvi|RQ8Gk*KnH4+vm@k>0gR&FEB(+?hiyu^nDc6<`+4 z)g~_anmP9z+EM-;uX_nn<%sMaA7`7aEw;owX5V=ZER2ED!QEi!gt=K~iRvOPfM#1| z;CfPK)Hh;bX>M7u^111iZ0RS{5ep7xD>iD?Bql)C(HC>N-Ls{sy9dDw$(qi?CU8#Q zTzfW@NJ-SISSBx2wT+9(ofQQ15}5JCwuA@(d4W7() z44W!)pVor9)!$Ps2HyHokMZDcUo`i=Q<-7KaQfNaUTfh8av9fGS8yEjo_*py{CH_^ zo%$s)$9LtWDaRkT2NyD*Me=2_zLx=AJQN96cRoehOZlyCaKQ;Zj9-dYP3U0s6T|j% zeoAoeQrV6kbH+_Ow=F$Tta`;R5b-rHE%hl@c2&?89^;J)Rl_K)nqH;f#5sMaRdIim zC+hzL?ViQrRik77QsezM1@_e+$VjigA{i{8n20C=lwRuzXY-|0-_#3`+1o3&mBBr^ z0kyN_Cl)ZIUjjW!3-df>dDi+#XC?jdIFSB+PA@|*E2QrQ35KwZnJa#N#>4O2rd@4^ z?{z;v#p=``4!+{>NuCnT1C~FkjL*d(s7xu&f!VT7>(sdc7t?8nBi>olZ!4u;NZjcf{y`1QJvEW2H9|Qf58mKH_K4;F+9fxy zJ=%I-)*M@PqY@bHVOJ*{D})BpY;l|PvP)YW(v6r|Zt{1P+InsSYDiXrr@pTZFW_mT zm=JdgouT)=tn}gx{h9H9DK_kv-jz_bL-5_xU{4y*XDO@{O<>cAi{0|TL^#acs73hq z$(3D`?}fD5&Sg3gH0Pop?KtK_mW}|%G6dcUDfRuO6UhVBwjK8PdkUK;)pw+3W{lZ3 z*aVQ6jQcbY2CZZtaywxhM4!}@nh8FvjgN6^Eh(*->KY|w7NJsR_;YV9WUe*F8{xe^ zusK_+mp<9U6Ex#P9lDo(!0nq3no^uQ9RUkz-H<+*x=47oro6+w_@F`iB&gbAL7)XG0&)P}IK>{O-Rni%^hUlGaW?5- zsaNG9U3325H`|Jc&bkTjEGp2U-%Y^UYwsfGjvtPg=GGCOI}W{lc{FP*QyICX>Ftk!wKHqx56i&NF`l3vX|j$sXrP=;*OM0W*VwV_ z2P;cG-7Epjd}n86F3veQyib0~BfB!3X&ac0Ery7N!VNbtzc{re=)xcmp~wCQ!1?c6 z5ZGj&q-K1|XB&L(v4QNEd8-KM{sP0lAHgA>gKtL*)jr8qE=;}Ul!Spjik;l z=YWqd#&ckh3U(<&y+T!leY`2D-$^n!!779Z zkLL?X>SgHy>cS)4<)zo-rOhE1jTf`DcqyvYOP`gqA6riIUZsTxCFR9#I%TO+4PFlN z-95NSMKzM4$X`OJ#Pp7wrt4_5LHXz6l_X0e`Zs@xU;6fQE2!j^r!GEDC9;MM<#G|1 zui7q2D@HfUG42W8>Pp4D)1>MZ&Gvj4O?h00a%w3UK=ev7iXpS>gPNk!F++p&bAwc; zZt2p3^#fMtd|Jw>Wgi59#j1^tyPCiezC7U7Jyb5IhpU=r5owXMYBC*_sh?%;%H=WBDbo14! z-R^l#YnfFzqC~uY!@k+Gs835!zh4$hti@GtfojT=^p!D7_s=^j!LEV!-S@it4@Z(C z`v*tz@>rsz&(@cov^bYLf67`^C)+@CuMA#yb13AQ-j5LkUbXLB}hB zxg0Dp{icWYtSnL9H6u=0gGx~-+F*vHV-xL|twct+b-3G+nozXVGfFA;}3mC4<)r_S#c{dfCEV@eFqEvq%=0sRW>{eT!_m zy-TouQhY3uF?z0TSCHXF znlf<5nW>)_J1%+n$%G76mFKV*9w?$1vKT?uxSLkQvoN(OH_*}qP@I$9tLQwB^-1)e z8~ZrUCQ`LYkl+Mr0>~FCt`F#;=$9?kfhxm{FIOczlH^BRMZwfo-{@Q5jmCtuImGXU zff*`JRbiaPn78(7H%(U(s`eTVqEC01^27PI)ZIYM&Aih({9jSc0ua@h?qUFy`h8cD z5?nbksesh%mK@{$JN;j=8Nh&C@PJud#-P4Y+we(?b_jaBa7D0qA7QUc~pI8SB z-F>`LQg0s|=%XLCcHEcOq>rT1uTJxisZ(S8sR8na9va8KFRxPeY&ORY6b*ys0>_g+KF@NBM<^T{D)0D;l;o+3-$sFj}6&r$uNP4qoXD z@8Z+K+W;c|>xksAx~FhJcYEFF+wt?q3jMZJ|MlU(*6S2!dTWtM9?b=7)L`qF&% z3B;ZaTXeLWyBC0gZEWLlr)i@~RdmZ5&E?g!@yTikGIy8TtP9Mu*9AtQ?_UiqKe+&L zq3Pl&Yt>9$sj6vijraQ|?_V=+Dq>8W1_mS1)z zz@eU?{L~gr{8LfAmi1)iVcBt@z}C5Gs)FG(Js~w0ZHf&SkLwyfK~*ha#=(s65^ejp z&sF(z7L5e5YCpo>=F8gXU+BtVkuc8ls6Kzo#j5F*bBnDJV%yU4%DqaNgNl_yi{l?k z$_cA?aH)>1T z1ltB~8z#)Qx5=uYJf6-h>wz~{aE>3VqsF&8*VhAp{{eJ$FoHX7A0v9ycJV#tMdL9^5=|27@2e0GcU24-E?B;x^2*4Q892(CW4*UvC zGoQsnw4(g(D(V81_A_~v%ZCR}mTD#HZG3lm_y)ixK=K{JIlMdIlwhQtQDb&*O}Dva&o`7utfUUH0oj zIMGqW%ex*oj#$kXSrI=Wu6^<<8S@^X$`yP73)8|bt z2$|d6ueKEuiEH00%gdmkN|*0R>q)7>xA|Xe`9Us~S5&fStYV$g=zM#aO}t_VMG1jA z40p*J7#B0yRrF8+${NjyQ}ZV$Ec1`WngHf75}?OD@xOZjCocu43PqZ1oK1qA|wWp72&vMG_3n(=Pi3;edLN2vPixS`0x>=o*yuN82g3z|(GbB>> zPQUD$dnxks5*97Vl4cuftkjZ1)_?CuCdQh&w-P5Nt;hya{@2SgFY9mO?;nIXjx&_c(S^|`MT>*!Y>VUHHJ z2Cq~n$ug-?LvOgNCYAQU!|F>89H)@8!&(~~kDZhbqnd);n5Y0@etGoRVQ`dPCs(^S~tZ z)Ma7kXiU$PT6!yUl-P6h8Gu0$TpmN*lTmAwu2W0~$<_VV6%veeW~{ecJGf;l(sgls zgqIV3nb&n2^!)I-&2A}?dAR;Hz{q0w%^rwlwo+vqiAUJiK3g|iI`LlELs*PWnI-IM z22MXwW^aqN+v{eDfmpPp^IfffqR;&LWRz6DYcd>adhOJ#!s#>CLMrN?kjeG;h`vqY z9utJ1407I-0dM|(fpJwm%j0$(PI;#*fuNa^boZ^nLNP?I-c<`1-tH%ER2nfN&S>iL zc*Jm<$GqNBi=puqA04@)mEd{{kX}a(^4Sqbx zWUjzdE28&;Cz&jy<-T#o^|ZvD(l&iLG@McF!tH*yDS(XoUT!`-LzqaeC=0CIm^|s` zjFy{U7b=lu$-w^RXv4d9DZO00S>77jU{5CTS`d6r{D3O0{)E+h3~H&c64FN?06l!a z5-T&LajA8lr*Lk((K>HM?iub|%>4I1Y?QlhvUCA3_5`2v4naDhCDZgRs7AAg{=bke z|E-nqrcK*qN2d|k6&HK29(X9LPm;wDc+Dt3DVkud+^yDi3%Z}I^{WJtS0W49_> ze52j%cl0#>)J9ipnI?O3MN^a&K`KNor7gcHRY}w%>}l0w1G1Ghwvi;&e}!LqxMp|9CCc^hb-Jv5Q9fxaaZx z$K#8oP~L2+&16>mrIe3%3-lM>Z~TcT@7++aFRjVkDHLwm_u8|(qWd91aG_Ck-oR(X zBKPXi9f4MdpJ~ZT2qd})xF;%Vke@d+m2v3ap2Z<+`soKt zg1UR{IP3K2^mtq;<+?K{{Rb#hlijd-086Of!2Il_4_w)=cmMNK08qCdUyXaD+w<|S z@7lH;oE~$OhkL{%{^WWku40fw*&KS)&b2G5Lzvb=nD)fx*_MH%+yl zy7Hj0XKgPm+zUT2VQ*Sc;kRJUA`tH@sBM#vrscLZIHaTLL$T@vUFaEC!f+M{<=Q=4 zqI*r)_=OX!tT#XkX>x~+ZQD`<3#FPFAJ# zV`h_(_IwKi30bcuZr7v*BVOTOTD2%x#M3}fmRpwYF-(pow&K1U<>=hupHwsx;#wcY z0UX?{5Wo{=U!UPA-NY;+5|*ktUpcrDE+4LL;uq^Kw_MfIMOL~~gTr90&Q6x|jr!YZ z<6hxjdCn@KTsK%%elf&giar7<%D>w9WPh^FibgK^?<80MLBOoekbi~GFnh;G+c*I% zH^q9koTNuucWP2?L(==CnoJtKZCh#dvQ0lr_x+UCKpa&i277?hnnfhs|9lF%?;hc!7=DmZb4ye~k-n)x^ewAa; ztX%P(Ds=5UWNnzI+UtBL zpXFEP+O?@lNEVPc_7Tq43G0iEO^FX5GA!9YslkDi=!CPm!=8U03tyJ_;SfGUh0s6tVw`rBN(wL-o}*E$rUQ1%Lu zZTje$Zs;<>e@h}NBg?YAh|pE)pa5-d*v!CY>Y6-nI_tRP;ouw+TloYGwoe-jg6u9*7$FaF0f>o&>`so8C7TS{agKLfl>ir?fPQKTWyz!w(G>S8_3SD&uS9IqOi(rmyPYM;ACzMF(O$-IzrR z0h>F4(gv?ItQbJjk4g^5#+hob1xq{0FqpQd3y@35{Vln~zcxK^NB~fbRYFcr2|mLe@^Sc}$1OXmMo9h}t1s}u z6htlPDlaAVf~zmWIP176{0Z@Afks#CaI6vHxETu==gXU*;BaQoO45+bb0AQHUZ0tY zt&Nk+2!IeY<->5PairPb*@K~LHS7Lh0sIw*P}NRz3vBppmShZ%NdP-^rVh*)rl}?S zk6pemtA>>BFU)i+!uXejoACpl5qAMasiIjLIX+^^6kx8KAp^(En=8*d^>(f)w-3Vg z;nwvbm&)fz0Gv}177$Xp45&4l3Vnff4{iEZIr}ez?bsxVi0edgDC_Z_|HImQ zhQqnGZNrO55D_gQ(ME|L#M0YH^b&)p(I$vUbVjcc-2@S3bfWhf(R=Sf^xheSQO9WS zW!>e;dcO7C>wC+ev6=1i!+D)Y+mHR&kH~S5VPwxOb>?tkDE6Nw1Qv=(0HQQdd|F=* zPz%$yCB39y&zL%8-aaQ8^Qi~M)-a;ntB=V_t!NKt?l0*NsJ`0@hsEGaSfS&?XIjgQaFh?5Qe{*BiC+p#6rL0n|5B=k;a+;nY&RdMoU z_cKr2pI?$|7#N=x6!c4uWB5O% z<<1JT|G%K+8j9Na_Uryo-Qx+b=x?4Svge}`1{(FXr7I4q;XuxQEzq+}{IVARnqHcC z5en2I3){r%;PqVmRgm+z# zoiE>k-d8!<5_;1u`X&=SFX4Q0pgUM!bAlYfC4l<7Z}rBV<9$0u1bq>78?yFv+8PHY z28l!ty3>y;K%T)eUB&$vv<~Pl5SW~kREm9H{zLKSWdeSp<3J_B)+H;q+gv%p*4(GY z84tbc)o-q*9e4E*jx3n)tNI}Y^ML=B4*vPqnQ5FDEI#QIjjPkwpQ}tw zi)e}qlzu6dA(Dw`#Vvi7V3~lMM&t+O06!5W3P>plWemvdj|UdcDiJYP2T^bVP$m7{ z(r@BM*|+SDZN$LIr4P5_l1YB9l{bhwofp_}cNp7jQ3WQMs;DDfJ2AjK*B0$dIR5#` z-~cx?_B6B1mL6*7eHF>3&W!LD+GAQ(P;u!K$LtYMaB`Jjxp=yMKeXy~+u9E|`p=Pf z;S#bC1~6gnmlt!6RL<8tkE^@9ppi?K!1;GaNAgu7-W~57bKCJ@Hccj3z=&Xs*_#0B zYL%Am(2}>KyU?Pt@tv?>2WH!`>0BOyl zTFh8D@6oABewOKP#V>T=K&+5iZDsMU(RV>*TA*y)<9I6-bNALBq2yHVFzEb5P7&eP@}oKfYrz}mrmcwa zW(F|gsJhZsD6$u`@G)d8_v3PZg8!mmgfRc}76|bD1P=a6KC{IZsAv7j!uGX%P;pGkQfbfZ- zxK=S_ey%o%=4dBSnETrIywM(vqij3(J|4jC%gb|LR#JUdLO^^^TB4RfO}bf2^4>j? z`|Vnfx2^9SmXk<7Wx8Wo+D<1^dccd{-h^GMdUO9ALHW%j;SM7V(dCV=D*L`>N zOx*cykLP3{B@ac2K7&NAmnxIzCo(n8^9*>kX&K9a3>dvSrhPes3CaJF6Tp6-`ep>~ zlLzlq`;|Z%!3(|y31j_I*@UEIH)vwIb$>IK!)ZX8`w>&zcr4DChFMwuhlE~7tWF>y z$ecq~ME1xpRA@)V)s!f!tw;oI(n>Vcu#DNzB=A0!Y_cGSG*JckDj6}@o_$(89-avH zudcrR)4Wq_dMZM^M)OIY{ZDl>53}AMdOcb?)|)*{d#rLzB(^xzSpVUN&j;Cs&J^#` z$;Qh!7JRyysVAEWus{8Y4jK>VXSjcB<=s2cS^gFfH5s(@r}am+!3#w1+U`o=(|9nf z*@ir*CYH4fAxXJS^&wdawb2D|0iYkiMWD`{0A!^4#TRwY%~JZFT>TBrl&V;7*~e+I z6A&@C(HAtblTm^>pXW3P>M@;KY(u~y>fg%pcPERZ}Tm{z<%ysbWnjy zS73^AzIE90?xF zf*r$9l}-y%G`e1?^Wayh11VSSlY4_!#g{^1`+P(-UvO{H6*llAgC1@MUuBzQVAH{9TOGf6~jFs^) ztRP+?iZL%d56im4`O_L6=5kAH_UevE>4UsakvBfnL#pBj5(I5r&`fvK5t7miB_{6E zGu1p_s)?OnHi&bUwvh@{%~!0#21d4KuRM*Yibfv0K3R$DX{Gs3ckrL5M~u}_=gNI< zurIr~``O^Xowtt%3EoVKuVmP}#dw1#_|=LZ{2p}a(IR&B9TFmZdwd**u^^Y{c6F93 zB!h}8wU2V-fw`L-2UTDcDUzMY3wh&8DDaSHSJCqmLG6AI!ey22u6Rp>hLT+w8@c!C zB1Z(cgZ^7@@l5({glOtLx%e+HSJUVzWn#CCX>6W`l2LT_fS^xD6|P19MhV;RvW2RN zEXh=<7o{p|Y#E%oL84N?5rFi6_q#TDv{PH0G+iw7G(G=oj%_BH-&6aI;k5@Oo6D}2@b#&$9uKj| zf5W*2kl0yXX-Huv5Y^j8@zHW#r3SFjAI&NiOVk_0r%T!5PwY|8J|(Gv<2k&G!pEkv zk?Ce(UU9aCw7|%v*hj9LAx}>jA&clY#w(vrE0j zu;7i*zhP5jGx>`%^zrw5O1A*?X5TFW+2LO10u4_K$p>z~pzt=z7c?L4f=+oDHb`V6 zj&w{A%5G!B5eYT&i4^tc#-LLpsbcVVB@NuUD0>qVE=bf;v|jahG72Tj5o%G`YVbHR zSgenvJ-Am!Khyv9X-K@b)QY;H6`djcDfzf5*#_!{K329`0#TO6>)ygaT?8^;aO~4k z220#hdwg4f1ZF0IS|d1F4II)*VN^J0KfW>+?1iRBa)LJ@)zRvpFrkxSdM84b1*Qk& z+e9o2rt`YM$MPb_e{k~uG(I11A}p4L3-<|k(_bIHP3XgbJr`BN4QcX)w)r>lJs!0y|UdR-~+W6{p;2LYint0417ku;qels=)mB zxw(Kzbbxfj8-Afvjyu{W2a{dBRu(k(?rR5>1>IW1h>PP3hRA$r)i_ZlIrK>$q@5v` zbP5fUcdax|mu^)kSZ=&r7vS_>9U^?)I_&?B;hJ* z%f0^}{P4oO6z~UEw8w^jG7?G2S95i)TD4AAfFX+OH{RPJPE4#cITed++)Qi@O@wDvNJW7VaI4uBTJSbenxTT(ZhF!%1)uc z$4Po$DL=z(GyHd_=0oYzl=ieK;cOgwJU)+!FO;1jpU?Q$jZ*!N_t>yDhO@NlE&I*- zQOe5dH0|#YLaM8Zw+F=Q3y)DC*k0rUDGx;;-T;}%SiA*|2HThCD27%esUV*~zqb%B zd=ao^NT*;?aq^ya9Wwt~tx(%N_*$)Ssg>`(-L+bw{W9^oSs3>PkKF5V`MXElwU|#t z7)AJPZINeqIF|2Kxn$#|mk8gcPdJkO_E{L%$4z|LN>fsvoYhwQPCYD*i$FI>k zbx9+o!ZHMYCYfD>zV_>88lLuxzFg#^ui82?JyS=(aa%WGP#Q+wg zm4%SzV5-m~OI3a>oQS)gTtPi>LxELht?CEej1p_aqf6+L=bo`Qeowm$3Oz8Ak^^|m zhs~1VZ#8HsE&K?@7)_eiI0rWdu_5^`0k%7rD( z!u*e*7f-_#M6(x6mmQpd z)f<;uTz&eDX(L*tA&+E>KisMm!m==me@eGNsEu`0MxsEPu{a z3m6S=9WTY=kGWI?d{auGDcD4YlI^%Hr=B~6}=3?7n!9!eCGtadCjN*4})6sB3AO=G#S%299s z1p#5aXo9~0d&DX2Nd>LGxY}2P*sFqq4}xJ#-m=DgpP`pV@tUHB%j&wG9_)`F^=L;) zQ8A_jIc!vYuzyp)%wUhFX#;=TA&d>0-u zf5BpQ?75${+plq*X9cm|PIwYcMh@0}`k+~>#d)@?NiiA1@z}=u@-&;quH~VCO)~g% zu3kkfa45Pnw`^Me&Lv{W(a|m7h+RGSbE2wo6MG2XMO~@^8e%Uw^Io(qhafBh&!TVf zNhx^>oFRY zW1wL}F+t!W|FOH{OW^EkX7G1g|NiWN2z>eQ&navUJ5CF}3vPh^NXyMHH>^K(+1vUr zP?rWsJ@SlYZlNR@S7=yKEkMhnThvMI!aR7exF3_LJ%$U(>4QKxwKz0KLyH_#>6Se{ zVTND1PjNJny@?({Zk6x|UW-9eNCa2x`@JKV zQ{eBSmskrL>&sPvSjGpw)8abJOUIz|ShvO%}Ax`yOc28Y@<_36Qj+^TA=vh;d{)TXvsv!IGNDLb9 zmF)gT7BT#(CHyRg=n_v@1Fl1|{3GyO6IAPfCRR#BuK!d%T6W7LYZ=D$nbc!)K!>4M zmuI`~=Kk72HTRgYHD#JCDm%HxDqw*)89vToB@~^{<*|I5Tt_q4C(H?{CZOIIR&vR< zHT@TGXfBck(v{`%svzPBGi znA-Ca6Rx{t`YdRLk3nloQan9!BIi+L$)sYB+5vTYamNQJe<4ZbbK`pZ$Q#Xa^(D;Y z379`PSq0$$CkqWN<-SBRJs+7vEiypFfxI`bm|uK>LmalB2R1QGQ(lXHgwwh32`(E^ zWfWv$uH)4HPQC4Ik&fF6_GA0s@*Irf`=aICjN>?P)4_B`@f*N&AFH7kGV+16crahK z2<5Wa#-qGvh9v8+5z34_`|z#au)Ad-MiD$03%`@6;dtpvJ`AdwICZjwS`{2zA|o+6 z#`p>R7T?4#&XtarCW6PR)TE}Z*2lh$t|dIegLoV{)>dDAGKXjV-^Y{dWRU3Q+P(We zpthR`d3}14345!(nAavBFZhX&k0_kbs-KWuoJMy+3L>%wD?t_|F`;U8?5FZ_oNFsG z4;DR}zodZ~5{w@(#dF{~ZYGfo$s4ri3m#?YoabgzA8MJVDX%1`Dn|wix7=Fl?`A>Z z0mEf@j~sp*pajGy-%~XO)nAKIMzp2o7Rj!LT6DN#i40`U^?vt}Aqh-K+SZ@0kY{bG z{U6em>BcR5LyL@DKn}g~!{=>5Cc(&S2$yk`k`oe{M(+0LXGC2AiAQ_j3-1jL=pWjZ z21jj7kp@RmzWko7Dv5$QBZl3a(Dq@KO#d`Z`jy2rwxXH-oXuB?0=ZPa$#BAaim|D; zK%NYUSIXlI$0OTNc`D%5S7Eej(3-e5<5oGZf?(4&sHd7bNMMvj_9%`qWL(!ZTFEoQ zR|f}(!iCkCf5=x-V;hb&sl1+B z2ex2%wd%eMZVKEZ1jy4$*t{dy3yT3+Oa*uKJC`ewAh#pP$Njv9^ABwI&!eG=4zBq4 z2loYJmxCy!153gL8HuGu;LR=2>JpRQex(NVtTratyMDdyXc z-#Mnezs*c*>4_dZR2>U%ylhK$KNCJXUf(Skx*ck{6JRlUOIe^KpjYq{Jp3<@_s?I- z0BQB0#O*(Ssp<0+$O>`&^-}@~uxS~rKUYZ=kf0KU+9Buc9*1r^r*J@c6LwhB!WVqO z`;iA4LRmm!90j$I9qptLm7J@B+IJBpAe9E?3*6ptO040bdcq;~i@4s3XK<7DV##b5 z*&=zk*wJfzL(CX{-}@n?H!0=gw4?LgT-em33Fn233GtjQ41f**hJ13Oj`$_Sp10P zOzsDV$Xeq2@jmD?Dpl53FLiM0E>5g$XpX1&pIHyD2<~)v`I6(`OM0(;Iej?LD`hp~ z>$zPlabyPTp4d4N?G%_l4QktK+ftc|CW1yUN4d`M8)W8Ipa%uU%{`{c3fj*bbNf=G<#vE+HHTc?GydMLtVjFTs-A1u&n-V>O#?s~tUIVD0bir9GTbBnPMz2`th+U!q2Tk}E|U6@!XK zliuS}`*RS$-&aCA>kHJ+#7P%gEI#h^5nv|9=RNdxd>pXn&TWQL8vDNitK>??lWW>z z5ps8H79Q$7P7JEFnIE`@XJFb9sAcwaJ;qO{;~7imtrACEy(}(VyPCiBsK0)x%1dI4 zZP;J8+hFl4Y??<2z@~+^-Fq2YQwj2*Kl$kuBP*>4O{f*^q0DBw({MSP9^DGGq$~#u3Rpw!BP~g zjA_f=2t-CAFg-pm`G@Sfi_{wO{z1}P`<0Nd($Gb<-o#SG1f-ZtQgr}cNV^6g z>`fBSnr_rM&s}{ls=gE;DCR4=_gT-TI<8`_!M||Q!ErgdE5(~MW_^A;PqrTT*SQ>ofy3zAO>`?x5u1kH}lG4;Ar>I^f zO^q;#${u>-Z!Rq6z_W-)H*N zWHG^?BCDzz_H)1%{hA=+`<;YFVWDFBcwk+VY_Oo}2j!z+(*b{?^nGFuHK0ZUsDV$k ziHzdCe(RE==5b@<#Hr)QCIFyWtRTr~?~wPnUV|UKCV$eR-ZvL;75^wQm=4>VoYl21 zH_fFlt~(AmqH;l898olioB}YnqA_}mKx#X>vzUlwuAlwgU>DFDS zv1Lvz#E(&;>;;;+tUyQn*J2dEUfRDzK+H+8fx1A!dHMwT%X?{Rk)b2rs|mR6c9ZiF zK}7GuZM)#W3|CdAwDFQOmH_VKW$qIbaTqGEJd2MgPnv}^0nY-E4z+zagcbBh*U2FCFrabiVJTY}wf>4!pn+jpVED2oum&0BwWt2iHOR}qFPc+#yCPKHxg+;}=b zDWJpj%=X$rht>Wp6^40nQl!;&#EefWg3%k1PZtu*s0u2>G>*G+vUe^6Wiz)tm?2FZ zvNmgnCsuu3z1zK4%8#|QjK?nhngz@zHMe82I#;E)P^|nGew{?0t>!KJ`?uS~RZ1$T zijsKFRQ~oo+@=O@{e3jy@s98>eZD;+24cKxUZQT*;cZphtsJ>9yJ&`--zdKRZ0_2vWecad;g7Clv_>aU=4 zv?{~O501BiOq5q@pZ+*`7*|6NM0`>H8Ym{aLq9Kmx=pZnRBH2wGiNU9<*qE4wLNO@ zU~`%8KcB^;ueo(2%G`Jn6hO9>@jqxpy)Oy-%RXLtLhI9X= zLHzn9tMqkl9ppTEvhu5ONQD1p!(O17PmWWUy9j`(LXvx7RSWl;nT7!fbdK1qAqPRj zr6y(uNQ5vle5M6P6kD>+`-ap~s>decA_;~PF&ia}06KSny$RHecwmgw9 z-ozXgqRa`&E`rWLrD`e?DXZmYT%wcB1}Dl6g2z;^6N?bVK&ID{>x`JvOUGTmX{6*m=XY) z6~*GE#xDt$hVAr7dDc5=U3{W~j^V-l9&E0{@2Xw)v6pwqdX9eP{OMbbT$GdO$&3(c ze;dWkn8s6{*QP?c&cRoF>tO{}{75|Iz6n>b;8XqQfRg8@y=Q}jWFUecg3a zz*T$EC1IX%k)URB?;yJRA^3LQU=9YrExLUnr+#wV`CcnZk0re(H9(+ITwtAW9#v5m zAR$3T`_EbjosH*0yp5)=m~ew_&DiZ8Mt@yx|9T>fm=K&F=(C3cHnfe&=YlxYeTdN> zTI1kPdVg}5O185+PFu|P(ZZ$_Vf78BVo|lWcF>QSE!f>|<(4QDY;@^0JVoD65P|9L zt*dFo?A`e+ejqmGy8O+_2yxJR+qV91%O|)P5Hs{vY`)n1N-^>=_kFrxNqsMVvDXz) z!EB0@T%e&}Qsr5PyKX)_Z85YsU%3A+l)G9d-Hdh`HRv$}Vt#hG+IZO0%1U(^&x^c0 z5(QbDW-%Ps){IBg1vFUlXJ zeihOw2eS+rO-v>k>&eDYmM&*wkTRtc%b1YXfz0HX+XwtW{oUI7N5F{05qs8!TmEij z)apQ4;Er^irj`FHqC&(G*_9Y}v^A;}?AH3zlhxJA%KT2`?9{h!QZjMj7*yDl?D)3 z?H5%H+=haP?0W8ZT7(h7Mqg>vbRRcSV z9k6fM2o$f~^po{r0-Y<7ZR^kI^xq_<;|NE-4drGKhwVTCCg+18g<@d==_7t^NW|)c z`vAfV#Kg+FoX-b-TjHa=_O;7;Ut+^BEgVz4t+@p)vosG$M+ zpi!ws+rZRR^diHgK&@4iGjaHBcA{gc=T&R?s$JNwog3PJ<` z-QDj!V|q5T4m)K3gJ1hg&>tJC*rJOc=(zh4%mJXkQM~OJx{oLsF|kK>sSh#-X;32+ zXtdoIDL$54wCahtAS7IjB1<80pJ%Cfru2G2GD0Pm88#LqyHwS7^@3VtX*2=Z1rehF z#Fh|5=}W7vL2vsCLdKE&<6MpQq4x%~rCCjGkjB5T<_}77!1m{dZ9a4i-t5v%RlBi3 zvTy&c5Q9!>fDPqeU7XA_nvcGCn|1=a>G#x;c>xQy?s@#pb80715%Ka(RJ{AYyIUNl-f^k37Fp1bDJXqrF>Rf~YqiR}g;;&T zgi&d{{DBdlo@e$vH}9f2X!2_W{?$Z(@t=wB*Hix768FiIyiURc_0?N%Vuf>0 zFOu8Q7c7#{d+-eUbB;Zm7(pDzac}uD1Rcg{+EMF28f^mYM<9O(9H|DNWmc*VwQw=a z17&q5s=2NGpbMzE=CMu?TNaSW+B4+&r#SFbK0j`&?!s-H!Stl)LG7X`M^!UFq|@!c z9pTGa%S3R1Co0~}iaAWt@$h^%iYvI8>c)&%(hMY#)W1`LF_zXy(c!|OaYCk_4H}o7s`kbct#YmsS_mF|$MS6O7> z+MYR9D%E~~NFJ)7E6Itp%+tGqH1+PDT3XqEPiX=#i6UfUs!V<=(>*j@BNimY5)uy-m<8N8!(p* z@Mni;(WJEdi8x#&&^C+zkwANBDp3==?eo_RT0l{9nSosGxg`s2y?O3kpub0@@eTrX znkU$qrhxYc|M1myHBET)t*YBh#WVf^-2@g$b}tI+1F*kZjfxoo1|%i8@hbK*!KWztMw|o>V1qR>pS+=`*aI2pF>z0dYyZiTuf%Z`SR{DAY)$-q zzCX0Z{qRuFJ%$p~RdP?1(NzDg^$WcIFH#-yy6>2G zCBA?6SJ+KQgBYOtIug`F@W*WymwKI0>1}Mc^P;x=Ak>el)c1{6NVzu$)2h+RA2AG2 zyS>k`2TYCo3+dIe5x?oc==Wl~y5p-YmqdVq0my-JyLHdGSI2{tVfIQ()DxPK;=G+j zm>;Up7HL?jZyjldG+?jz9w}8nwY{ym#UMi1h@~T8nmlT zP|x2Akhu+*H=Ib3F(M zgtk0!WRu3p`}|%z8$u)cRd3yo6#*X|EPpfIBq}#Swb)kU@#yqXz#!xHwm&_8@cWbR zN4S%Ss{~bnk67z9M~F(N&KYaM1RJ$)^AfLI&5*TDPC~ghW5wl?{NhVXJR@!7Uk10_ zqjsYccI&TvDz-{&v`&DH1Eo9Foz~wlNM%b50ylr(6VbDR~qV zgp})3FR`capb_-DfDYplPdlnCLQae$V)t_@L;ac^QQtDAO(`c|44q4KzDzybS;uko zjBC4x1G*ILD|Co=_JXs$J4@$$HLzG3^B`~n2*%;;`aj>lxE8F8h6lX8XH*1tti$4m z=u>ledthm@45{5{))u@cn!zW#8AP!Nss6yec|+WF1)f~(rb@W_igTDs1joC*7vhOw zBJw)?_%`XKsl5>ec;mhtWS>p8o}I#OVz0B(u!<5FdrlnEL?C}JM}rBgc%9y$PUb_T^-tP5X1u#S7K`g&8%(da zeHq(;GSBBK$h&0U*|hS$Y*%nG?NxA3dV6M-pj^Pwe>U8EHj&!woSDUybW#CEK+P*G z4$!@L(u4VDhGvyVAlB$4uPHXC86LUJtzqWI^L-^D6pBL6bT!%v)qWJj-4DC0nfE%I z^}1Si)-yU??R7Xmp5C?ezaLY{6yi155^&34v2;`P#^o4Gt)PazO{ zXzBGRVb3hQKk>A_um;I4oW$)Cw>y`Yc6HPF<*;v!$6Ab@_2lOc`?uuMO^jDdN{_9N zVwMOGRuPRYnAm;Y|(h=aJR>x!?w5#Di6~ zevmJ6BG!M^Z>pZ*K zz;>-0Ur{~F^Ihw%d)M66o=HBa;kEThO(snVG_dU$;A~E}dtT~U4He+y)Jb?JSUD%p zPhFyq*7pwa8uv{TnXAT!E(%YxYPIs+`PY1ToPGu!^lk)qYP;BSR(zdx?h)5&w7&TL z{C8w)n9!7=2Ws`ldPLyQN@amLRs#!cHq-Ulr^z`j7vAfcLOKQKJbG^t zRreZtY?=b}QG|4(PGP&{5wo)8yr;<2mq4e=Rm5`t+@$@oa^;jsc(`J;N|@Ut*Y;H@ zA_?P2s5c|=w5!wbPy1yObqo{ zcy_kX8ou3Yi)6qavI15umDZn3jnDDi^&h$F(?raB8*_5Kln5VK+Jd?$cl*MBcBD>?=VG=(# zUIdq}Cpv!#ty*t*Bv*NZsHB&>o;B_uUGGF{r*`+vl;FHq!lhR_6xRPntCsv~(^LQ* zhBcO9IE85Dim$F^I%c;dWKLb6zX@W~UiX?Dx#{!8{x9F_Cd(<>*{n)$}SnD=Gy zy7D{zIoA{M<&%q@%6Wyoe7#C*G_}>+PHI=b3ai@4DW%TgWJ1&~d06ymfyOa-?ZCt5 zqsPhj#cs1LIGcLpeC92HvqGb{`zkxht;`cWB}F4A=w?#2l@uZi#ZM2DoK>%F3@9Uc0KtnD0?_Fo1)Hsz#cjT6>%VmVam zv{Y7%!dUOp@aRXAe_rJB^1v6-ucPYvZpX{KO6=V>jt>> zH z>T-G<0zUfs!ZqT|3Hg?|YRY+L+zbB-r5~^FvFPg5)r=ecB$W0djmEVP#io|+C#4#- z?$9{AMC*QzFB+T-?|PAWYDppgta8pliu@f1;x%lCUwf*09s0KM%5Xobl?kEW@{?NZ z34Pe=+Mu(I=I9k{@Z;|heqL9=?kie(qfe|%#H~eD+e@$U+1ATAiWGx{%Mb#RA$9v9 zO67RGnWtZRnHF~H$7vV6u2RHLe~e@Xe6=c%B&^z5BW;tHxBry0cH(N?@P@b6QzHJ7#a3=N0s!2q-~fxD>$M|5@gDHu8+w54C`z2f`T zKvHOD|8OpQ!jMWGFI{L(pY zUw5p5K_7*G4EpTJxIfpG;lfC2Q1jGQtzg(L5oWu}Y*dlKDk4K6F@ zxgZBizfj}W6helHmlnL(WZtK2a;njLe;V}3%m4p3=rf3V;Dv4Y+m}z7Kvs~QY@1%zo6I&OS(m@R|CgjNP>cb1fj zt!YG0ws}LfRk${eg5Igd+PZzG7k7(Mq=a9@0_z21oV4j8>@bm!5CxK;Op@;_ zL|E^DipBh;v7gdu51OYt*Y$TvS>#x~T$i55yemH!PL43__w3Q`lRPk@|Ky(d>ARJC z4UAzT)(x*YPp!W$-a4LOBzpVu!|NNteq>iYpED6fHj&I9``u{XHMr;ZT*{Dsz;o`i zW0`;rHh!}9Cz~wVa*rNm7vbDVcHgZmAFQVXM%hCJr&wJbQJo;~L>VoS!jo<%51|X& zXP=dt^oWyJMEMgxjBf#q{U095C%aSP2E2=pIz^PYUM|6^2Slz)vr}C7P!|inL{`Pe zNyAmMPP3DklUiW|-fpHIpe+08wADY(0#00TY6;Gcp(C(2Ul}a-8ffty!P=$b;bSUa zTjLyTppeFhl#bhVvw2T7K}2`0)mt`A4^OmjaaPz>;0RabpNt2NOT>MFjO0%KrnH4FO+gP=7FVxlH z#$*Y=f5meRk^>D!-=JC8eACUHGkh)2{9qKZzj^C-MHcVt-yZm+lDa2M-y4wCx&Rx3uhP=_9WW$a6N4wLz za;XnXxn@wyc`t-jG1neoR=Y=LxD)8WqD1Z)gF)9BE$gyo56?@hyAlv}sBStc?UH40;^%Dr7OH#CRxv0>fppOOYdmieYV zD-Awt8z#G7${aUdc_wP6j8jNvOwbW)fzb<$Tb>=0$Lbq0q+~#L=^FDa_7lyAxl9V^ z+oa=7;$zKmW)-j5FmRE!dEnQBHWQ-BnnlfY0#d`y?oCCW(qeZP&F$tzoQ95kenrDh zcTX3>4Hhhm?pC51Dnr*=g|a@T$yC3b4t%eCf0rOdg#HwZ_$t0=c8V2=VP()tZDrn1 zC{7((GwZN=i_5BTo>TD61w4&55cKd^kQ_$mF;8m~LS0R_whLzW4|$!%K~1z85L(JY8Pzd5&UHC~{joTDGYZpbu8x zf41l#>;-yMIqRmrFKp&H(qB2{I6nU<(u&eBcjhD>{OwrRf~k0KmA|GnU_N0=cy@P< zino||kZEBN=gm5fu$dC^4>9pvTO$b@)H=;|u1 z1OAgfo0AP%Wa+LM+y+ASjiUFSiwv61Y*PRnX6;b z;rWBUfnJrS<xK_ZqylDBEYH$lkcx@~L8ZGoLYR#5mV~IwZvvv0 zX5vIUx+AYp7v%I!^tix;!rJ|>Bdtg9A4d0@pC__5*slM3!ZJi%tIdD`BuV{&23o{mB>#-5cq^JfOOEl*!XB9O+CCrg+MDA7! zo@_n7PKt?%3b{n}b_IUxNVv&o>dgEzWcjNAMRxGhhM5hsAozQYVWH(-H>FVFK$^!b z1DU{z*P3{z+w@`YfcaI5wY;B-m5b#D7gKszy{6nRqC&Y?S9gxQo!^FJX>Qw<=g1vKNilY^gKOnC0_nBz|lW)Ldr5d zkxUTce$>7iA(Hr5bM0hFJc7Q|W&9Gg8eTo7D9o?1;C?3~xQkeE|KYy!OfiPB=_{6l zp!%{?|A;g^Dfe7)%2>fpNzJUO{fx(GcuzxuOHpH{RDS9Nv%;srSsq(_4Y(~3@cKC1 z2c_I$vhQn7cCEps11Zr`@2`XBLFb<*Zo~Z9Fni+PbaLF`xDKxWr7%}eSm5Zq9#_X)9@h-Z}{?U+Q?f)bI zqeBGSBYHo8(rUHK*o?ga@#<`+1A@cxxTeN>e)4NSO2F2#Y^R{dgxoI4w~4|HMPMo< zG2Ii>#gMzSPI!o-a9=qJP#Jy3Pc44*L-Tf%P(v`1A|1SQWTYEKm7C_2BYa}BF)q3S z7oXeowp%|=TJ;RBHlOICKB9R{fAAa>P-Rx7^Lctzk&l0uzBNWks8vzm2-RWo``AZo zWmaDGm^2vX-c)o~%?%N&X>)DAKA)yW*M+9X(YvCQ)2b0q7%6 z`Pn;i#46PkFzyBGrs>!%)igwFMd}K*N4a7{!=|XCP?H4Ld1)(^yiBSMGb?RpLxj{+sL-= zKYIREFTk@*Pn0}%_~4Rt^k9yoVdwtUOVm_hP3);qt-0NU1-)g#7$uRLIge}8&(u5I zRjL^W#t#TyFRI-4`ZF`k+Qf*vLY~3^Em{hB1GO;Wz#~YZb134T63F}bE@`F5FWt8e zDm0a%P3UkK^CZGrTTgho)MY}g6y6c@_r(3j_`1Azo+HDn!AI36NZi8JV&;*tevQ|bi_p}N6Co(Q z+gj4R3kvtQY1;UOBj_kQp*=|M264)}z&1h2IwX);LjfKq$lrmlD)kHC?xrm}$5C%D zgI0Q)_8_njCFgo~87@=Cgd*f8m+Z~@<%u+i1;kPQ>IjxjNSwQw`J(nHlX}S`1U6jU&+10R!noe%x(ndGe4m=aQGH*#OuDZBd`LxHce`hj@aW9i8}?A22CQ)(>znPrte)--!0& zV~(Dppu2mRyRk>9I204>6ire+2MqT3QD?r?iSjM8Rt=Vxa2=mG4hrY_OdYr9tFQXl zEUlZ5%*L!+j$ zblxXD#mbZB#r8_a4OfG2C(W+nWz*}1?gQ2SO%Z)hdjxV021-wjRHn(6Te*>iC5EWE z;<$7GYU}zkcZGNoV;d`!=7hE}Cy|JqVM@=iaOJcXcREN{^ zk+9D{Km8zs4LTfwoh@qJ_xD^&w-&T`&VZnm+BbkBpvNG>|Km|*G4v{D|SKvX7TH^8{}A{v*% z8%SCA=0c}Q>^auQDWA|SE=41YxFpxQRp?ym z2g%{4J1>a#L#Zkj6jn5**pCUlqcYoHosv1j&ps?Vk@gQ?* zCbM+=Ng?897?cpNQ#6&96qEk6GKn+ieU&t&YkyZLnaM%Z`P)fz)m5OK@Yn0Ad zF%ndCiFxng*jQZK_CPboaG#avN_U=#Ul~6@8`*g$;v#r4#bRocXd?hu(;JZa)cE6g z8S5ZqpsSEc%VJ7kqO&7+j`AYmWj0RfRP5m;AlF4qmiODHgU@Sf7Ce}$nvXXMmmLcl zn;JpU^5x4DHM;>*J6&z2dXX3mja`JJB+%;eW$d*Jl9j#yZP?icE5(G8 zZQ7UJN+oAArE{Ck!Mhqyv{%aiI&x9&2DxrvWPUCYZQ|r+3fP|lDAJ9Rt}Gs-agt!9 zup%{-i~l@%oB>p>p-qQv@+_ux%_grNJsR@v%QSf_2~7V2HmzZYgV0UxvU^< zlHyzk1h`DwTIGQ7%!EMIBAxJ!qK6?&=|RA{(3j@hc$$6L(kR|fzcF2t7GaDZFVw$a zA5wg&9hz^e1|;S&m8TC$^vcB*iFk21p3s87s$R!%#s$T+sJ(l`qN`0`+#{`x$Q456 zK@kO$x(B>W;y$dha`4|&3t&G7NNa`1fCX}0j4{!#*Z0Y zf0D__&C;Z%pU{$pVPI$AZiHJrqB?l?S%=$zp;i$c(~%>PV&Js5kW;UHLW!;_+k%lw+`jt=e|vJ8 zXWFLeiCfW3ypDw8gign0|OPOTfc-Xt|5^dmv^*6$B1JD^omO6BxQxqqyORd9cum7Bdhgc zVhV|jlQ8~)viEmqV4gg^otyfR_JZwS^{p zi0rbvxYa(2(r*0*U!<&Q_8_^Sfx_jxj>ooSPkoVzILCd{Lv+T=qV8g$bFQurwhy1L z4yn%SoL3Hs-qGSDEe3@Q35(8z3)LsS&?P{p>~XDnMgK{{Q{+%|II`T;gLZFr&$y98 z6S!5nRVW{+4*jdi+3Wf-5H#{YsWSc`^3Cx)btJ5xW+a1uT&Ak|pMx}k=0$KWYLJ=c zA!3@Xl>m-D*jRME6Hh)mt?5bLKAS04a52>Jd8M@;rm7@#>z<9kv-M;9T98m@D=wHD+swzprro%4Z^Wp^)e_lk#MIs&2gkFm7Vx1}{ zpUPgs78Uzh)V5#?pKzVE_t*U%tm)7y4$DV+7WHoY-6C+Np?N%1zD$kAz&t{|9hUkPGy+!3O#G zXr&q`LTh!iQ`uIU4-=R|Xqe(@QzL_E!b~p@UzeuE77Il9$+aZkv?n-ix(deP+#qp( zXq`VyXC2c`#hten7|-$GWyqDJbbs4sbHGejq)b^lakDn26sA)68|@HNK51~aVO|O^ z@8dAsYcEt@#4VMHi*-cTzC**<>n#lF!B;!08^_xk<;Uq`DE!2Y##tkcZIO+`#B52Z zI3>O_o^QCB;^<~-rBRQUS`QaIXiVOE`cS?3>TGu#M_wb`nCS8TgNpPjXcNBF8;h*%#4+`WBJ3XT})0r}XlEalk7$7HFV9(&fRjx&D6Lry50 zj#}(@=k~A~I8eZ+OeVe2F9H*%u~M`jYrL{)DXzAk<-^q>t z$TP@yUzBNH zr)8E;=nF6)*)isP!g5?~F>_`!`|H@%c&4yoc_Y^fa@7^lZ>k(2Uh%L&`-`CU98aGJ z6Zz0w>D}ITk72T9bl%dT(vL*t1`uA& zldbAy>nGPvUJpT{@ShOn-N$Vlm_bw;8Vvq(>J;-=E9(m)=jI}W9GWcwYCOZoyX)hk zHOItjX$s$Gss5@@dl(g8ilXaU-30Hm^NK9qY8{j{RW1Bdoh&p?cu)!gA)=zH0o%h- zwOr~QFhAkBIORnwTuII3F{QmyG>F}z=P#BgJ7!q2)g;MvlC7RGd)RQ)3@%pAl={ff zjCCy{1BkX;hT2*d6;-Lu`x=wbRgVWaE<%xwU)6%0(SxeQsVn60c5TaaY!>)6Ic&6J zv0b=$EQ)B;fmg|C#ukeV1p7{i0$r@DO`5@0Hj@-3+id|2M6R&4$2_Gap7k&Bs7XY1 zk?UtV;1*CR=h&T&40$Ul$|{RI%oJLK%(<(MZ1$~#ORBw`AAOc}U%Dlz?%YVuHU~ti ztfCia5mUJ}IJpqHk{x>uWG|A;s-8jlsL|7L1zx0fy3xQ(n1CgIx|aD*tMs4B4Jg>e zJh0hVFdK1VbZfNkKT10Int;QENO7@H((;_I+T1<2CIfQL5W&MUcPcpWmZo9uJyX=3 zDe3%7EWfny_bg^z>gV}15Mf!~V+w1V^&b>G&aw%ff5l(`Qvwa_lXJZi*2WCz#6W|p z1PB+;r!`3$F!mRca^w8k+_l*oIc5t0PdVeJT^f1OtH-~!J;D-g3IXf|GRJ1GG(zXSe zRXc#&wo2-x_ty_Vo}nDk1Q$R->V}5&QdeJ!1@wQc84X;u{YhEf4}fGw{2w7NKyE{VY{+hD)P2{3e4?3Ol2S@obM)LvVZ zo?VgBzwz~4zSv~_02`qWg>rVhn2I2BQ-?t>cvfAsREvR{|Wr( zTOT&>Sdbmeqh{Vp?VNqENeOm#wrE~DXqU`mS-)3pa&^KDO+DWQv}Q-i6_tMuAk8>?kntt&Sq<}Cs6nHq zzXt>|t4aN-f>YIVUmI);%r>ZImX3i@>&!=a;bzK;N*LDd;@guEq_>`z(@m>P1DQ<9_)H#sybH119_7A6BEjt^Kp3=wfoRL5Yb(8(d)uR)C@ z?`4z1y_yO^ti?2_+cONNA}2&;vu%B5RtBcfiol+;7;?s8qv4=B1pMrFZe+Vi2Y<_8 zEtFxgDXLJ2w2K?O|NpQ6{^MnJ#e6D>PHFVV0(F~c_l-a!;X&yZ)sM+yE!f~b*t@vu z>sYT(c_bZhWVyaGHNKj*suKp*l4DT}_nggDDRdIn*8Ft`h}99e07@L9gaDuZwvgNG z3rU)zoE^%KPz>7OxTK>QPkO!pHW4h7KXMkm)|fxi|JYa$fR?kd^BSwmWNbmy; zz(Bj)V5XbE!=Me~s!^|9dK|R+B&X*&1-f2z@VJLJgv+C055}@Y zM9>qXgzA|)Xdln6K-Yal-{DQre(vBqrSbgDs}$)V%)P90SGlQ8+wm={6ggHe6>(Ae zylR6!B;2St4$%96!u<@)4m^THHxZDb1rHvf=@XaUg>!u{qx#MIb0b!gsEPB6<{HJR zC+Q_|vrdJlTGPZ>y77e^M-QODj8l!XY3<#tOD3+0UN=E*x~-y|MN642-}2sw%_!L` zK&h)%;d6Z2O=TJC&new#|-+Mj8 zKhzbG{-ROh;)*0tip0wdo$4p-BY*MJYt@QMk?r4Dct)m#tqsyj|( zmEODQK7XAMGB#t*T>}6OxLi9~nO=xo!e0m;Bkac(jW2_grhnJ2JL{8TF#7{w;-eVY zB!qu4pDt7fOcqyyS>bE4ouzq6ixo5^KEa^RTlbiUevcO0(y4yyz$#^1n`l?girD!I z$vjm!M0z;BldSFLsm|IfLJo5Cs^jxOeoa9pc zBZcUeW}$NXb+qHy1X+L@7P3mO`Wo3sezkWlO1K`(%0Z<_r^%Mz2@MK57ovMi-u&aJ zs+jOL>S9OXGb?v`IVZN-wVk=W+~{w`|Jm|^09jFeFt={8zNSyJR@%i)#M!0R0eoK4 zC=y7ASqWB~J+ski>|N-{xc$chjhz*KxH-g*v0tgC+jmXjK1)$k(~d7f?d3l;m}Ym@ z+0)|;YDTAVo3*Sia~4H)O9`KXT)y5#rr0=}qF&c-KUauO+|(mC_X$`?=yxsN(`bs| zy-jgq*2Zk}ba%jSxMI`3hTUKDO8f%TCTFZwybgFkmr;j}6^e|)6J7Vs?MUbjZub{; z+j+V2kR;>>s?%+Kl4Jyxm+(@-0Ftk_LU2mFyDE~$daH&AX?CNDFgW~w!_8Po{tw}1 z%6hyCRd&Z^@!e9o2G5ND12+r58~Y-Gg=QUgXL2C4l*v}l;UOszYxXwyBijqwvxNq@ zd#f&l8ZK5uP5qM=PV7$d=?U>egSVY$ENAE}fx$1Rzi@uJ*%0l~U`)oPPku}Yb-xi# zN)oIYaOEMJ+eExaVVw*Q*Ry2+B}wU4m=2JJIzL|=`>KeusJ-O5A=$=yO?5Tn_%Y@Hg@U1xBVF*5%9>7H(Wn8ZP z?9}G|8l{+ms-q4pP2OxTvE?>Lnm~=1InfTzMQ_Uh<3tvAYxrV7)ofJ-C-izWN9nFa z9jT286pzlZ=+%%+X}`OC^I!ToH>Xp2#qIji&(DS2(Vt8;* zJu<$fXuiDn=nFdfYHhmu&TXGu^zzh7(}ZuvvCU_)WCh|X^wOrt`6!<2s!@Tp4;9`p zr~@dhb`CR7IMp&`4m$r~2T^!m9?R+tqoDMq36qMHq%7$* z|Kg-#dw~g8zFVJKtUR4ECAn>GbkK{``cTD|R|{Z!n6#xpX=yF^=93bq@35;M*~7)|bzOTp`0H$iwG^g*{#ps5wNFZD`0LBS)j@?;i`A@5i_3veL?(skbDliw zP3K($L}09(sZAXC$JJbgV%6;abFQ1u9x}zpeV9yGviN`m zTQu+?M^x=QoA?fWxy@nIaGokP(L6)8jb-tp?-6i9+aFn(6Oy5C0_@CnxqI$|XYiF$ zGlr4)9F!$HXqg*p;;hQ)PX&=51=%y=wUKI;1+q|hE?3L1Hi?iI)?&m8ep? ze8FS5&J=I(Ga+o!m*Rpza~+1)s-}0UpXNOEdD-*pK5lUzZ7?t@2ws3o#(j6bs!N_Z z5FL6^4{uY>e7c8-w3l8>Ddgx4=S?$8_qfs+v`Z*%2o;_IyA0NCrcqHi*8)KAxwWS8 zd|gz|nyL>+4TTe&Llt(L>O61Q#L2<;xe9Ld%bTLyU)V;E{yZBHz2ok^ZJ}GVtXVV# zw;%mFCUjzHFg>iQUd5Xo>MMe4pV|6%KJxZ9{A}HHabL?ZPW9E;G3|8sHxEo9L~ld& zJ=MFaDg0{Il13?cNc}QdNhBG~Pup0t+`(LuX$DTiM2FA1b#Xe*1H_X~1KdQG`&PhE zQ=-Y^P=Uv0ShbD_b8o+)swP(|yth9=qQ%{`zt0IUd45G~6#;>WGa0_%8hS4Yhb5W- z7{#7k`P*hwY8JcL&1iX!X9FxT-(l{OS32h`QYG1uBSYbpacWk?ZpR5AJ$s3b7Yjb< ziqnF*#wNn+S>cm6h>GAm*54NdjQ^Ma2`Pg1o?q*;T*vA$CBdpdH;)6{3+U(AEVgrq z&;ch1+inhrX5j)~kk6vApM z`!TI5?p}K|vSH!B@^k;BC6Tm$pcMia#!QXA2?tc78 zqxrH6``~G^)wfgu%2cn*rk7Ya-|y0;0FogwH1fja>up{;UZsu`oH6{M$+K4YW-bJ> zn7^tVHOJWgmZq!0OXj=w^FYkUt8ilLmN*~Fxm=YpxXFG_%2#W$`@_Ar=a9=GKh$(4Subi@Ztt?sa5PscteU2sGVG@BN>_cY59b;z4C&*K@`bK{ zC7WetB7e4biD?Ji4NT84cXc;Oz&RiIS&!J_g8nG=Ikb3(*{COOb-T=Zk%bOjtB$qGZ z(90>h5{VBS(hi2PMkMon!<`Q)Z>&C;m@!matji0#K9psB7uYVTtUVo~JfhFS@sanw zFv-Ku?4eb|!(sLv5?GPgyzg8;daeUy|FCpK9>@H9P*S^;Q|M84r>)D)Qxj9-}R7+Bre%CabaG&!nU^uCm4lC9uxbskYqJm%zo|8@s%tBe;t>#m;5=b)CBw_S^YC)`a=@Oj9l-)1NN z<@Cgdw!v`3q59`%w=%6(MfrMe*ER)8SL+&D8ZY15yDk39JryiQ&9KP4kRjJrh!~3Y zGtrm@Sc6Q6ZYL85`G}titA}?zse>%2xpG;)L5DAQl(x^KNg8GbaC{qPykv$?D~Z}S zKNL=%9DKdsHoJ58GGXl?Nz=`#G#jIt{~-4c9xnIj>BZO4@Ap-b;?OTNp{G#JLy zPU+f4>0Z9{+CT>d#(e8LkdWh-2ih4Ad-!h+HpyYt?aH;8=RySMm&$d_x#sB3V+q zMyvH}#4bum?Wy*Wg1vZ);5sU^E!>Tj^!)snbb1GU?;h`?PB9J|z!Ra_vJmdD~ z%~@!}@dUQ?)P}%9&G0Qc1RK-hx*xL z$qr?2!4sw0@mrEh!fj*D5<lKaxP) zzE>$ET>C@?fZJ|#2b5kDi(kGZmb49wnla41?pG$E1sBlyo6$)vygNh&KcI_$kokhR zggl?3(_ViFfT?VK%+Mh1;@4zXFLo$rx_|Vzg^r3V&WER%_0ej|Mo^znLw}E6Rl@lF zG1}8;B4ypn;Pgo!N`1Vhl~pxXZBvhpH>K*K{BsSiE`cJko-Z2MeqfWk%T1Nd^B=f# zL`LqD3gvzLo`=9!DA}!)3)#>H#|bz-fbu8x zdFXFZAJ`z+s4S`;!B%+8C)pnVVA%kB03%DFui7PjWthxk-a)6zY9F?)Guu{hmwOnt z7nJTviEVwSk<9%Wf3dn)E2(U~Us6F2bmYfvH46XXyNE?Wkup~69S0&q?J}z%8f*}j zH#QDkz4};^;jYDIZ3h>NUKX`R#SF){6f8sLcqx247Xf0JYg)4dKX|xhO5E3acd-p<5R}IK?q3?4`*EnGD$W+$u$GH8tI98z#iN2_5jwLNHH*VM7nh`@~`eoHKlb+-69%(As zG)n|O$C60kL(SKOlydA}Yw#&an_K!JWeK{r;LvpN8%qJKw|E)kqkG;^9(It^Cti@( zr9bPHbXyD7@|G~Rdp8Xh!qR=OS_NV5oPN1{oNdl=K-6vPHvTm#^bclz03KDr%F*;< z2B`CP!98)dQ~Xdda3_Os2)UN~&4Ba0=$YA(W@q@@ZxgDT8geZ@ht8(dJa4QjL6ys} zpXOHO&JQCZ*SFx+mYT4-SWIU#Sf=H1nHKdcVNmtxX`=|FSsP`S8BQ)?s{|+h;0v|N zO*PsruJ|luRZ~=(Qx_pv?z306_mqoDbZ~oQ5sH(}N;jhudAn=fXgRfLN1`Km9eG2` z^%Czo;4k^N1^w+30H>}Fpmb;HTCllsMD(jD1%ksxfDEwiQQbYk3`*B6v}zBO`%Bx= z1fI24X~U3ZR~@CQs!46S%STjPqqUI(JPR#~+b*%}`*V?ju#8JOA#nlPqP-BCw=F&- zn9ed;e3x4tNe1uJLqzan$M_wt+vRTiX%3^yuR`krY25Af3mfa~e7Cm}?6N-b3ZS$* zR4jjy`SEvhelkX~rcV|$B3sj3%Ee1(j+C|66Lb=LvCo1z8S3qD(E3=}LfZ(41M&1z zIHafp9lFplpPmJG3fWKF1|=*|cbVc{qL`r@fvmz8i3#E4C&cnjZ;8RAuOq&+tH?Ep zt>tpRVC1G<8%gP^?d3&(T`G-YjifeZ2Yj2qV%^7>JvHo zG3}D7_S1-1+QXyTBPW{xI`n+EecLy@3pT}7i^jR*{a63igA-yK#T@V~8nwIl&aBd< zzjopmf67g$YwQ`Ha_}(w4W>}I_j>n7=%dtqc>BIXy(jrZy&39N&Ke+HbPKh^`N`k* z?K^hUd4UdXXfA%j_)Xx?i`5_v{z67W;gm#_mF!>DaJPtY?CyNEDU^g~Z`tMof9lXI ziyetRzss-Z;X`Pvai*k1hI~)x(#Y3{k;&=f^B)Z1Y__Ud;C@pO{=hdt$7!w_8;x`7 zIADA;Q2Z>SVVZ!Np%u3l<$ajl*TuzQ&c|U<@V%&F^2g*&zluRR)i%V(#F2l5N1Zn% zD;lfBbpMtll?eJ1YQP9fJ;$xs)OFzxca3lR@tA2zlJxJdG|pSBzK??5VIe|Irh9(d zUGyHLf~_G=4scTm3+~0Pz6os@I%{+9qGXxsdcvs&<)25C{3j1D8 zVRmRi5(KeDhhh~GnDD3A9l!jjcY-Z&F=l5Rf--^kip=JW8=`;mE&Ia&A`|?zXk|My z;g4`DbT@Wyo>Yt%4v!a}ByeT8^!iZQmmB{6{@;lXpha#y@rjq`q%Ot~l(_Bn35UZ+ zRzhBO1$@4E$NRu=qx;wOG}n`e_{4j&(f!556jfyyx~!t!JU`2@``GohY^tT5xqvCd zK+!5!fa-%MzYFK3u^G7NHbG^GUrlgZ1%p-*arjT+({MSBb8orP)BOrdghY7ET5)0C zctKs3@Ra>0e`& z{>KjgU+Hm{2VT+L&H}AW;HAbFQHLy76>FdaHK4}b9)awZ%uf!A+^i+;ZwT&Ja4pMB zUf?v;LmJ3l-84L#JiQJvOb0&Mqy2t+_u0^-3iM~zs=Ky>+qPC4MF)GKWn>>r*H**~ z)cGTO?FbG>`KH%+4eUWwFci%m#znYJz$nEb51wzp7*QLBQ~pqiprwhl1Dwi{0Da-7 z&3o%r8*R>yzTc-f9v==S@}hB4X{(^?{z$$i_qtlk8*!jpZpU#UcyPD;XWy1hYol8# z-;VQc(VybWZbvFYvsyi0#shm5-=A(wTIAUK=8DQ8vJU-XAC)O+6fQK?ue2P9x=qj{ zlXa1wEFg}kT$gc7ki_>|!=ABj+W{62(h~6FhDY&9RJx(HzLk?T6^c~aT#LX3P}~+} zOg!w`^oVakA-INo3cZ{jG1n?oQD}Ap%fC_FiR7kD!IF6EFhzb zgw*uskhi056P$_6t4jCSGPMZoJ7q}n3`{j*C91a|CgIRO#z==p=ti@l{jWbOBE}Oq zJ?fv8O9o^?j^wTH8_qjimxH+@M6`ypp~03C?AZUX0NAyVtd!7#fa^fSC@K80G!)J? zloT}Z8_OM1(ullNZ#b%Ue>#6JUf+28?9|w%udlLP^iAE(oWkCDy2)Bmm2!xaQ+FMm z-JmMT`jL;|jBh@XU3`Of(>fxmf@+X|Q||AwF!=Y|0xwUzfl4N-WdnQ_)(6hY#YI6Z*<2>-Qy5>>lA^yHiVtk0YIH z_3TRM+djO`eeNbe=X{WV_fs87r61(k8`HUNGj@oCBD!wq7(+*rFcZA^3&xd>I{hH< z4;eVmU40qf-kOa4J|#pR2a+wd4?&eBlQ;CzNK*k7ZDac+M2`@sqzJPSWW&zP>&K7A zxj^~Xht~2=a%nDv1H!!czN%`<4DgIi=XYpAQ-nH29!XayT{vmNX{`CpD=rI?3{C9$ z=kJEG-B-3ZS4bKT8jl{V*8cg8y+fxIBs{WNuCZw)@)oB@CU)CyEeml;_xa(bWW>HC z@qae>lkwE2|r87R&An(3K5bR;>=Tok(`=ZhE7PgOY|y zh$*}&-6wurMv{0C^8_OM)I37B&5Pmj8c!f&MLQkHLnc1@GUJeiZK|6eC zY|G4t9Lab_*Bi58q5wg>j{&KL`p{b)sI>ZIh{ zoBKSb90T$J>^vxQtVWt&2jzjZhcLvn(}ZKq3@jZ~9avK4(5G2Au;V1PNz``NGR2W9 z&R@)OB_4Bib)f$`H*`qD5pWX0fdRxIznV_0yLNfa4H7oQ-)A{rSvBv}%g(>4{WnSf z0|Z;!>4KW{T2`NQ^1y6V9%}k_J|`+fbkI5|xdM;|55j-qDnS4s(K9WlB>yBJ&*<5+PpNsh zzMERJIFp9!%Y%)&Lc@Up)Nb0~g0i=F=dC zU1#O<=sBHcZ0g6i1NPt4yQY@CzX!D7u0(%(6d)r+8`YQ9{#k@}_7|{PRlqialr{dE zl+N^h7$k}kkH|KN0g$&YMobmKlyb}gmj!yO2=xw0SoYj6vg6jf3=fboNqrJ@G8Av| zO#tYVl9Mi|mmV_@`&XF*gyqv8ucb%}hu%qw5N$m-*Jmb0WsB&O`X!>WFNmcto)wl} ze}5rrg$>>aZ1?+;$#uN8d0#G3#RIf$uPOl(K+0I{;K~LWq6j+(Cu1ek)Le_vre!C8u;U~0(gG!?eJQDvSPLD zfvCy~ZFtj~W8v6O+n{4rSA(vh*L&Z+u;SHMcr0rmP>Rb~z5}9vias$%iKW~_o27Km zJIMW0GQJ*&z=Bxme{cEwOJIEfbd)i>s&0Lti_ zo>q=N*!`l4*YXoJ1}*N+RE_!lvmo1#=#=)6Sb))F^V{*xUDu4(fyeh57b)9;b?_@P z%vcF;R@UF|xO}fdDj;Jm+}Wh)c$|hMc2GRPe~5aw^aaN7Hw)h@SaPZ1+3UTOw1nRa zvWNp|m#y`(Li-0G@7wP?jq790bdePas%gNJPu7hZ7|5?~9pP^|7AP-7f9k^$9Ih`Jfqz%K(MBnIdeW(qpBkA? zu#GDdPmI9_16~*;vnYfipE7mDF!T8cYx+iyxQB&9PXOc+`LKW#!*e}XiF|^p-ZmU^ zJwjv3e(%StYkFl@KT>T|n&+${e&R33GOAu~RJ{QHw;c%sB7Iyvi+ddG0)Hq&hr__@ zs`8fbzVvwh3j&`Im#svS5e56L+R=JaR?n@k1{o@fCnrbpH*x8%h_TZzxz}4s($eH7 zm8Wf01}LidU%wnRItWNb46sd1rzx6 z;+S+P?}Bw+p0s_SwRR<3XnU|0Xo*)t)(cj|A~75-}8sC$F&Z_r)MK5CCd;6 z-pZJWbkPe%`7uQo);F3W0E@gMb>NL!>J0Fr^XplBL|jsBP zTy)zHAOC!?g;wH-r=snM3hB`)^$3NI8%54c>;Shyqz>Lc`^s4;y-4&t=B=8qyl6dD zo|ZyfuG^~1kNkjWRdT~ce}W#^vWcT^^!Ao);Ujgp(R8MH^O%#9QNYc1JzE<#01MLB zchw7!mmY2-dN+>zsUwshyVxOwzvc?qd*5vVyfJ|Ef2gqf(}b;6DS_|PkG?aa1RTKu z{X&<@75OM>#}!!OXHfod*l}-a_>p+}3=js+F>9rwD%QHlm%V&Lc?M|teXPO1RsyB< zR<*%sF&ubbp2%~38^NJ(dJ!13^qcW-VNsS)Z1DOsl_$rAztvZcJ=XXYW=2CCZlvea z;9`iynC3(-!~Kg>Plg}B=PJM38cxFS?mfj@cfD~`gyeIy>SXXqkn-7h-bhzX#;vH# z9z#Oq{OrM(tNm#Y=wf2gH=*C36ppp1X{Ocg$CX!;^ULb9mo1bGgKFzR=F+;>?YdO) zsu>H60PtjP%;{SVc(M`yUlg4G7`%b1@TUOvOOwI$vw<2F%k|Ifz3(#&0}}jCcQu;a z91Gh&+E1$gzUkO9p7cgzyKuKhl_9z+K2m2}R&?f6kKEslb)kZRU$v%@pEiPd^gqts zgjWJ}yRo2Uv#L-DDQ%k()e-G9j@A0g=Q<0*6r;TmHW~%!BHaII#&@N zzx4rS@lpMbP0K>ks?8B=(03TQ^vVL&3Wzj3`DSC*o6j*`cLo?92JcnCII4m1@XL^B z!ozB~LuPH^ViW$On%|RYgEG19ruJ&BnQARd#sv5RF#YDa%vLj`LVjBnTM(yKAa}Q$ zQoj<|o2=Y7Ng+JFUYZ_^)Q{*o($L3hi5&*yS>OU(0)ET>rmI^RS`8CA;}|;4T5}+i zG~GYTZrDgMsnshmm^&O~hS=LjHaWvx2mFPRMsw3uBX)hy1smi_8uy>NUp3*cD(|`b zZmzlqG;1t+-WkGi&tg!{rl%91gBrSf7iJ}i(4g-hJ4O3{=jHzms}6tMNXNk^X%qAY zZytrucp?Ov61oeN10$+)LrEFuh zxJY-UHh$3EcUw1M(=!Op157j7hw?6>_c`uFAG_>@)mZiyT6c(6haiJzt1Jy?E$U3K zC)e84O^iLiA^Xl3;W{K%Ix8Q^cyv3%Yq#nMHw%#+1XJY3F(w`qa%+2qwL&hF7?WB0 zt1Cn${~xgD|7m4@2Ge~2zD~7!eDIfFW=@_}uSHj_K#IvZwW5&6oXsC z1X>67DL;g5+&;yzt266oTyorT`ShN9_lk-ZQf4(TaFH|EXZ?0nPFV;Z@It-f>i}U; zyesj6;@<^C_PeE{s3FNV{;q^G{-MuilW!V1?+lqzofPMcohrh3%LbV!R0`CsD!1VIqgu!QZ>TjNHVaLe;p=u(dy-DaHN_Mzf83z zZg&#_?6B96AXxGg5xqtcU9F7;@f?M4?g6&n;5#CX)C8>>MGCF2N%yN~dW(w&o)=Ef zm{&nAA0BB%JX{4jj7x-p==)^#6-%L?voFo-d;Nj?sxv48dJ7krZ{s;@3?oj657Put zO8YD#%g_Hs3;CbF_-}!v01f@&YQ>t_AM#Z%AoS?ERWBAo{-%89#bW~)N~7Ho=PyOz zLK{rWhN{W3{4r<+EDglCqsVvpVb*GQpm2SraVz*OwT&kpeiRgsM0%L^FzfMANyo2u zSk5wTnv}ifp%jg@VGxF=h9@Uut_Vof7FzR3uy`RqVj_1!^3nB@kf|>JQNTH-{)dzo z#o`xZwQ%$I^4h*4BpKvpBg?th<((vCCnxzqT*szqFZ-1~eehVgr`s|7?$giU_aRt- zM$qu7@(cSTK`(YuQ0<%CluP;MPQ9g?Yki;}dLI4u`8nC|nk7-yy^+JeZzr*Pv}G?v-ngzWL(dkDYZ7XM!<t7ZQu9 z)~YitsV*n4X8*ZBq%4rOMKKG^*)SuL%9js+KnB=)63&~3<24IVQTv^tI*{%^&x4x2 z7veii+zHsCu=D2@1^X2)zx+p0p(6Mj5ZS$>fNRDyLi-MXEWf2p=t*cCutMQ^1iwKL zrdUX^uPdTQp4|-6ss#Dyc?$VeN?wUnOHSoX?6@vKqvGf!{M@UgFnx-p>XDIk;W~8M z%Mp*BO+>0*;X=$wJ^p}g`b)Ze;^s#ZRj5N~SDcv=IbaxL8Lk%@E)c@js_TJC-dG~%l@f$wP zT-SLXv5s}DC8clRZi?K6@misXsov{!f8SLo>p$bKhoSR%xOQSSs}|RAjH0uuUyof+ zzvB({Pxd$(3(y2we^|sfec&4O?7rUYpHk= ze0u*M?c7M9P0BBEt!lrznSA)F~thWmzMr; zVf?tRY>-Sbm?jnlLW=u0n=4cIuMGMD0@ZhXRdL zrE7c|5<5zsoo196n3AXA3m$=GI?-{)M&x5@bXgHGhcDGZ{PoeGsJO-04~wyL0w5&3 zV8X)N5s#!Jt*+kBk^ilEnVd6cUNo^lx1pn|qIY)u@N~(dUChk2fKAId_{#;N(euJm z@ss<%TMzxGcQAh6+wVlvt`e&|_tFjqJ}5A-YowI(ucGYpT4QP+WQX_u&o z)I|6Je@o{f{OSNag9lJtBHqAS6&wR7zvU>-$q0_)6LhPj5K?kryV~osT zXx{eT$hx?R>?5O0I3lYuwVz;szJMoYGcfQ4DP$yT?p43^iWmjr*Ac5H#1p+Xo}b!~ z_?QW9I{YLTo)yc?(`PYU=dxMx)?F#J{bkslRC5wkPXURT&i&HkiU8zeDBim+A(!Fd zY?#1$DP6UDW`^p=zU7<~=Hm5sl|*%F#Lss8;kwa_&1gKgX|WayVn|Cp!R?!-E|(9R zWWt{@rCD%9YC-8jW@3V3*LW9NUk4|t`O4rSvTHAR`h6vmt)c&rheut01}!1zzSF+W z(y;NL)+YYgcX|Wpz{N@{Q&)&5N47kNx7KT| zFEge2C`i!A6S0$u0iN5i97FtfgU`JjTx+2CZuc;+y|yzbdlWv5`^%%VOz;&ybcmH) zpt3Hw-HFhdN2m;Sj1)l53N9->+H^i8TGc}$tQr&qEttH8Adunlr zGIQeBdrLSSmt!n%dqUqzl6p9)vni!0zostyOI!hTXhvjbAm<4Oi@V>m|7D!46$My~ z0wXMCVHj9m1V)d~&NIcGvM$Y}sMGndZJZ6TgDR1|38krqgc@-)@gJypI~P2zcoMkK z;@bHOc2yWDx7p5mr!s{m^y>z?OB0LYscb`%+P^X!>T~KF`Iq}CpE@U;560wb_EPVP z%x#YsC$x8}{(GqS_b%{X5Bes4tlz{Bx{{GU*cho5xWF}QKLvVhXEP=fbKXE_ShQv)tr(G zGab8EB-e6>kf8>(P;pBPM$2?zB4JK)7KrZpt^sWKrhK2C+2QEjBHVptXq9 z$7EVxE!S=k$*kaswx6ULS`F|KmM}y85`n+e&`}^q?g>hEG532%zf^U5pnAXnCnVQe z3)w4=iRc{rvEHRuU_Uhyp7Xf^Y1JtN%tul$Z}Wh!#t>;6ub2)O~Jj| z96yj#!q$@~GwNe@tgi;r8q9h|OgniQK}IF}U4d@@OC3oECWe=j7) zDQl6MvaYaupiYTU!8tX1u%)~Zy^WhatYB*#+-$hyPi>&v& zQ)^X~JSsafr3W1>F(hA^J#<4x@8o{DPy$VZ@%Ux}!zgj9>eBke-)BVQdlBtDVa+w9 z+6-jSK0a3Uv3qeB9KJ9_H`NO|TFude>r3|sbl%DMrqKsx4X5D>WTF|**FbUk3s=ec zTXXc_@gAvkDi%>L3r&2(_1gKw+Ucl$ap7W`htK^{;(kM13gy5~sg_pGpHH2)UFCSX)e)#53

8uM3Ouo5PbXP*>?{1Fp_YQ z-5h%}P;d-8dkfarmbXBb!w#{NNtqd$bl)TiWT_Q+tgnzH-<{+uiVyUi)M=rEu$OM<7pZSDQn^Kh2DawvU z=Uf@q`(H?8mES>(>4b6h0Ay$#r?ct$f1l7lSe^g(PpSaJCsh%-;sG+( z-9NAX9RT8>mLBq?;s{Ii*$9N^;hZNkRI6#jnlhJ-2P%m;KD(l#jX~)-D@biG44SBXV?1%tTed2p^JOW#S<9 zbir%wVP(;~L!@9^`PG39OEW%JGPMgIkbu@=2Qrz2{WSV1khjM>$&?b0u_K!`BKr)W zBIk@as$-))Qdd*-A*$M^aZ@wH1cDNkS%UM-RfgLg;hn`4?%KdErs1Y2P)JFp=DVBP z^__H0XKqEl*U@gw+Sa@lKcB8EnqVHze#I#AV730}yN zJwnwb`WR^Arh#2YlQ-sUpXJ!ns(W4h<1bElA!{eqch7+#c!;tkdMzfY+GkJz%MaJL zxrk>iA@3AT3evoEb+iK7?;FQ(K9TXiyhYpHIv5y|s{$jND)yTa%-G|3%Zqc8REm32 z+%YZ`=L6>x#k=H?r6#v1)`^BhR@T7=^SDJF$6Q-aivySc+@++_12+n2NLS;9V*ZB! z@{b_X()KR($JaB}-vjv02f;Oj)GaxgZ;s(=S&-v0VuE`k+O6%FT6O_!K@RuQcdt7^ zWvdDz(_CF-@{tHJ-p7xvS{p6TA+!CH*6+v~gszNtgbPb9(Pt@|%O|H<)r#e_g7fADZ#3C^ ztrx@tJ`D<8M?CZ}^}Pf{N~#tFEHtZ?BFw0rQMPXGtL0p+;r`V6yH0bEg>Lr=B3#@X z@{5$n`M1kMoa^Ew)*^M?X#j(4cw_m=t9Zms_5Q5|PL8JzjiKkO4e(t#0zZokG?!oAwUVOqL!>gto%*UF}KWjM0fW;*Dh>?*!evs-FQZ})MJ0< zQl%T=T5<8VlD23M?4kgNFF~8ZAnX)e>qi7@%a6E9aE?cMzn4jz0`*-NsNs2ktFn@( zgPEsY4@ig6k`PY2nv*ia_4#2>U?`>{$d3wrIF8xOP<}ApDfF$`?v)gjz*V9a)=nSh z@GJ1U@#VW8$opIspE~65#^`^F5AxNUPP2wt)8fT&IAjpwcpaO8xQ1>eTgM>2v8?!u zLU4<=m4xQsYHb-Q2(2lcj~I6;dv*+e{IC*E(+GTtHT^KT9YdUkm}P^b#xzF&RPnwq zadQdV4$CRUwRN0Xm)NC$#ZgtM;t0CLB6pFQrdd||Pwh+Qk#j|XwF_;TBig%O6OJXt zRfC;wX6Y)sfOLx?@4RP9Cf=^&rfeP|Gt2+mDbgN zrtw@Y+zX(Ps6xSm?Xh>GzFcZ)Q0dSU^}zz+bV8)yXS*4Z$^5oCSNA<^V*~t`{Ph_` zA}~STAM+o3$?{9;d}7-Q?4`6_;tN*>j1)y2f)6Tx`z0Z{IjKaL>24)hY9od%gpZd& z#v26rFY*;D!&z-)gL`>p$i+JXpJm^{!|flnyY~VU&|*+XahnYGZq+ADgm(CEwa_Tg zk(oON*`*L`-r?Ugk?zuA^5L>)P~)(2R`-)6RndB2U=onr__ZY1t6=IMQ8Hcl&iz;h zOWyx%`)>-O+P$rv-PTEJ7M-Mp`=-IYcMB}_nReaNi)sxM;E}|+KVLeg&!Z3@c_8p9 z!szOP3XVpP{*TT;TGEQ0mrp8qAqgzzbmAcA8&8#Km&Y{GaQ-FnVFRX;R@P`?x8S2=PskR;q#Vry0YmI4#E!MMI9*pMYaj8F1?kfhN<2S4z~ zZ_Qcq-kkG%FGZO1{%R^4t*T5ehXz=gFqoQ!?2fd*m6jZt6cH1i8T2NMoIcDtcp+Tj*tI}5Q*TxZ8S{X5c?~NPp9Xe z_eaZqfYXn4&u#uKnpqUw-_2QsmxMHw106=CsG$S>9@eQu`NZ&Z6x~jmkOgt#VsHbi81qHgn(DWHFaEp0c!H(6D;_CAa8kJ;;>^LOU~{|h^)9I{`YK`1#Q!_h zAvv$9jzfB4#!u0~inNji0QUFdlNixfCs%nhO!7O-Vqc$>YD~OcsS<$eB9kVHOnx7v zuvhoJn%IJ6v~g8{5uw!!?A*6XRPN!0((b6fR^(iaJ7T~euxZM4+|VXCd>_f3f-*i~ zF7S}mFxuI#^{NSV-ILU=RmH1EwOLP(dQUmVHlB9QPP{;Tb6PWQ4C;@SDoZsVj84#z z(bOA7qkb@?I7W}>ygnTa^W;Yu^0Do?I-Pu7h*G0dBFZcu(brZ=9w`)dOG9G_P4r5B zMws^vh?dxjRQ9tb5B|F~?Z4U_J}kV)-ub7R$TnD;{huXe6oL0a$og+WVD4&*&E7!o z8-wEoe;mk~<$tu<@%)?M^H%&uzV~+s2=E-HmU3{;QN#Z3$0jugvb$U0LHBsk2N}s~ z_QymBq7EgY@&39^duB#1*mav;Ra(NbCQ)o$t$TDN|4AS-n>a59XzD4a(+9O>wDgA4 zmA;IKDGN)oGU2_;6z5#p!u!xMlGur2Az`;IT}~(9BJ?olOh^smO;I~pj_m}?m(|ee zjKTb<6$^x>QW>({qd;%ca}A_9_s&P9b^D#2 zRdB6zKH*TZQEl*`4H<_9p}>CQOv`t=nvk6}oOKRN-H%uYf!}Ir`pdY%j_t zX9hSJ6ygg)KuT z3M3LnE^16R+fTQAWvfm|C}wYzfe3_8qsoF8&layuPj)76=&bFhi*CFYBQ>butUS(I zY2mYo&}+-|%fl|q`l}#MwPtFjFn^ElUYGrPUPn|E*IT~Mm*@Ll6Q561i>wkRxJ-QR zp4i6-SYbkz&LD*w0AJ{rG5PCKh((bB&VF^yr42&x6lno2QVotq_=55KQL$Bwlo}h# z8B!F|R|Co1U0NkGJu|>aBEh<%>5bJdF~-j`bo&J*&`=Rk|D=Zrck0#H6Qt+(*WYOO zn5XQ5;%x_;Ztw2cGy&|Fg$4YDW|VFBUtJ^BqcNmZE?e zX-Y;Gu~(|>9*}EuEtMzl*37F(8it&&a#J9ez*P>V{MQH$$#t^6ICP_~N4u4x*XNDL z^uug#FuT=@E5et~7bZM=k@rr4K*M zC!V6u&=CVYL00h_KW?8^btO|81L{jIHT&fN)1CP5!ua;-G<$|k}3?-Ej=`7`{%vHq{;3Zkj?@g3HW#)7ezFy z7qosYir~G>Q?4(znuSoz+J&-Po_sFasOMfN1bv=H*@%>#HMtL7@h*Q%5CYr1OQp9N zTvcg;qn&izx?b(OtH(Wys9A8|5uW|r`!TBrSjOGz?Y^6LzxEcr_N8kX0axC2iv>6( zLn_5%d2LF;i;d)^-%>@Zt3}TCqjL`&9jd@r+Ez_v?>r4jn=Li74Q}tuu2}Xm_H>il z(ZTAc%QuX4RC!@l08uH>x3bS@#B3t7OxI!I=hKL^Y+6g*F`G}c-dWdDtZ`OkxNf^M z#RetV^m722xsrM#k%O1@<43Y)u2bFmy==jD)^{a-A8-q_bHYxVme?#B#1u#9p7H#) zti`sQ`I!R=$rS649oO?Dp2v4v4SXBm%1B7RGYuquR#j9t$P4UKTs!^w@<3ev{NaSI zVADXw%2aPj<5Q?!F~#q6UOf*pu9TaBO*tom;=~7Y_Tt-aBEOebb8iWk-dU|tNA^cV zAqQ3Ot~dg?6~?Xj-x$<6mfv{pY2K06PjQjwOdyhRmG)clQ?`q{C~ig%$k@#rj)oR0 zcV%RT`Od3f^YTQT{*pC$no%e(awZOlD0-LnT6{lGV*hb4AY2eRp5Gz$+x~fqn^H14 z9eIvMh{w4{{b{x!0+`{xS-?>cIz8wk8c+Lx2^n{zUxF zBZ6;aU|lV;s=lqe?>@DE?-;d9Eck6Pm7U53<>cf@7TEsoXZ>VeX6-G|<=xX?GttAY zeJ$$YJ2&-6oE`*>cU$ForFTXW;V%a%E5U=VMB}nLz^E(Z-7)|88?$p>_L5Z5#{AwJ^M%x)FD&&(66&S z!P&aq8Ld!43aWY|Ky_eo__P7&XeJ)r@zT1A6P|TFYi`T-rMfnsC^Q3j84D9;)!BX- zz2YBN5P{)?05(B<(S1W;aJ3u9Hn23D8h+SDT00$Bav3(OS)Ltg)wThe5(kW4MX!$S zrw(oI?08&hJ~gDRf0R6X^r&qnY}VTB+)ww`wBy0(y_8uir$w7Zz`9Qd$4D%*@O0Sh z)&=VFOtf(Jjt4`yEnul$s;nTCt)dC6o7Fd>Pu=dKk(n!D0el|3V70lT-K`D15Uv6K z^2nk_wS=j`*so^_w8A%?ngLUn?ICJN*lB*4_Uw|PiTMb4U>&;Dfa2RAy+p6O`-@+% z_5@vezERcJTt0#XxC4`YdLn`bw6J*01BpuG7&F52XvvmdQf;Dx7cq;$_&B>@t4UKT zr&p9{1Rl@&I4@iPU(~3%Mj1@$OM{+^L{7v#I#}>LyIs$S;P@RDJZn?#N9D9i_Y-Vc z(6e7!ik$ePU9`IrjyozDSPQe!|NdC(){4YkHU^Ul~N9g1&c0)%Qi%eMZJR3>6~< zH~S07Np}tqdp!RwNgatRa#B+~&um`uk5v!B{brXWl$JvEQ=soFrsq14%6FLeP84oJghVvBUGBd|=ldshV(7M(Z~`|w zxJtSR{hg*bsSmZ(+}28d$9N%r_0n`%h*>uv;CO|@$PQ?C|3J6AK9!(THUBN2cKjLM zAFrH##}V33F(}O301y^cn*CLCmMeU*oVPeVLccg{i?|^ox+R%BKA!D67FXg*Q*Eq> z7Xn!VtuJi_^dZv#vy?5utb}@qLX{|w4X{6$%ElIg?1Ilk?v?zcCIwl8-*_z##T1 z2xImD9pszpqV=qZIaKyRKl5DyJ|(SK%Wo`TIgkVnqEuZNW*~nA+Yl?2-B9H$vNOyf zSEZLQdSzU%!mm^hQbYfGSS%70vK2#Rlwc!mBF?|JqP0Z*&gXWadAvF!84Cp)}g+06Z4c)`;MOE6pQj!77C46 zV69Cxp-^Do!DWEs1(qI9w;wY5V+s*Ou%1utepv_u%?1a<0A^kY-$I=w4GV zK4hx(Tq@EHEAWd7?c=Hk*tMRdNs+z%b!VFef@V_RGC5{H`F z0O~)FMf6(|04=M=(&`;{h@cFg{ojU76g>`$Ns3(sRJ)E3b9U3ZlJCP>N-b7^Eyczw zTAQ++WiNxS_84}xAnZzacb1(dA4Scw_MCh|fHfY20aQT&68oVCwk`{S(1o)zy9k9- zJSAa3s!Y>aX2Tn?79T#>lZVwai{9?l8^wZ}{`vN0!Il4+J&*up`KK}f6{DeU^CISew20H*3IKPIH4%}vwY%{t;0n=0zKO$R zBWS?z0Gj6%L=VVDnUdk7L6oVUpCko4arpsw3X`V&jKmcfR87jdM5S;=Y>y@$2SyHz zN_UYH!ShMrES&6MU6idc6rkM_Lv4ThwX6}7h!H&r!^LG+b0taj(`Ra~xNB(yi~(U? zdPhNi$@5DN8DhLghL2h*V8b6>f+Va zCdU!w=l~{_X$jp5pp)@?m&EO13}=(MX{8_PZ^$t&M7i=b@ekZC>FO{21QFHK&Ch!$ zX7A-!q{JE3ZMn~Ic30imjbIE78a==y0^n`((M>Ixh3EZpZ!KU*oXWZ@FSrVo+)_q^r#p0Pue+MaawO&=-+N_atlYFQ9s;tz@zkKJg?2i%1zs9YfhH+JL z1|wKqcd7p&5&VyApK3^in_xplL@$4TGVx2R^rO5G|6@V~Elw-zw_sm=298HnxM1vr zbb_;uP8G^^;$RYy2&AudAG8R`U2?Jc8>*kd7gA=x(a#_Z$)gq=f9HPK9EGFJ0Z=5| zOPAZAHL&m(&7FP5lafLm>FlwY-MxS;;1tnGr!MpOS0+&9Qikoj>c(D0+QZ{?KF1(vV+ z(RveG;Zw~wgul4`vOu~1h4;r~;%OjAE&$p9Y*HBb)YyuEWAIvR^w+LEQ$$3JT!kC4 z(HjVJWWd*I>2s>xA)nK5fl>2~hDOM2H$HzV3SXH_EIzM^y29d&&9HHCr$zmDd7+EYq5K&~BtnJJY1dF6e<;a!?A zmIc}$MbFTW4&EP;E8moUD+-f`0|M(Zk|RB_g`l&zIKRfNTo}p45Ag`||V+ z-$o^Ai?eWX`NOUMhB5&A!sEN;t9Nky{2_mgq5+zapY)LYJ%cF^98V%r9lA=PLjQ7X zlK?eWt@TpX0ujhI*uSOzTRZl&d>z2~M~||I*uy^QX?6DPM9A}Oj*1)-&b)4Rs6eJg z=PDG;ENO((D9Ul53wXw#fe@o)aIZAZYE$pEhneYt;xq=gw%|sQ5&a`B=0q}6SbX5) zsau4ce`&2NgF2-AL$S3D|B6TEtLk(H{p^f}zHGaTMaiEj=P}G+<~c6Tc1#XtQWRcQ zOHmW)@hd@cH>=cW`QeP6eV_OnW+3$5#-!boXy{sW9g%7h9AO+xOuS9hxSOS%$FbX+ zom*_25mPmbsh?Q@7(0#@lhMOiHU)UMY=DZcG6F*TxHfy2ylD5Lyx!<#0?n=c5!T{r zK>CXu>L#@2%fRhvwo&}n)a}$S)+$QU)&gwf{yC3#btpxN299#BVs;AR1S!2c} z4*`P+UH55KuGK?nM_gDlyu`2h8l7Mj5vr@jt7EfkxRoP+KCp0p0KVaco?c0>?Cv+C z%WXQXwHgOR3&^I63Qs#8#k@OQ@Lvf@!fEFy@5J|_q|q*C^m09lY;IF*r15STxG7<=~m1GjV)(tc)XUS33QrpH( z{nw4?u>O0QYs7$B^8R^qaz{Gb!2@;`Dysv)nN4_b=*#8QI@;khqJ zBt>;YNMtyUpA>bx^p~%EIia)J$#0l`TgI0nO(;)PfCJ8a*TW%Tn_iUbAi5Djw!%sS zELL9xyrVIYM;qrj2c?mSqRm66SU}q;#R{0?4jiHqNDb}MJn26p7KtCh$AxpGu-jUs z`flhwn;AfNG9E{ufqiS2W0$m!ttzfkqqx>;##MRNwZF)+QEg{{Vd7iDBQC~s)P#$1 zBCr6oGwr1Rx_0>n-1TgnqB-lv-Vr^RnJU?&Iv_78ZMa#dGSMVGZt82oU?^s-V!uRf zwc0~pB>|@uz%Fmv_sW=l^@^L~jT^FfYjTPyZtZrtU0$Wg0 zgIA3Ml_achSh?P7?#exg0%M86vwVuHMQ@uG&&OM6OpeM|Jdar#wC=!-dzZT^0~h@~ zSQR<}>KfoX@g>u#|M{-3{wSN3-i53GejuQS1$0f%mxPZuBMoq1iU2wQrucGrCr>V0 z)a{h={H)o_3fP8VsO17qtHo!V7^iHpr@P}Nv^6Iw>DvpMvh5u6c zMSp8aKhU(x`fE-0&%$p#@UOwvwoXQ>Z^M(z@l+frS@?@XT9Aj9ZRk+&T#OX~=RK-K z2DGpB_Z43n+qf>ZGE<`U18^bPahWl`K_R7?$a?9!98^eIj%3aSbIyAUMQSwb_v2RK zAUNS|?P*p5@Omy$xX3t>c%?x~HDNq>5j)!WXi42%N(S&nxc6Gw&0;x?G;FMyc~e6Rs7r;soqCoge@N^KV{VtN1;a)7P2 z#ROlB(TTbPdd4}%I1MBQPRVHqj@6sCgxJ3&{WPt+f+lAc#k^wGRuO1x(vTp5r za={b5GT9eiDL1Cmw(Uo?8&g!B_{MB%N{eH$P0iw0e5KXGL_CkBlI_y^)4V#u1C0eh zOpF*(Fq`}PJ>VC@P>-C^ZcDiEGPwF(laTZPkomo#ia>yh+)orcc>1TVz-NeD~l4@(u+9bu( zZqB8+@RUoI-}CMJRnIRvmI>qPmB5CJ5+VRT^8H!>=6WN#h{m6_G6U9V>H-S%MiHpV z^KZqrVHpCP4JhPPGatgJ#%^l(WwiD_xjCT2>8g^2-QcuvK2(e=cuH5R=YvQn~-;* zsH$=&Whu4mlFu9tV zXe<(N0wVAh#AbdtKq&M~%UQBwlgP4WNR}+P`k9w)gsHJY!ZsZZGl$3e(^2)Sq5d&( z(4mBmQW2^xCqfhw0VMjq9G40;WIjm|SLG=A5Z9oeJbJXwN8o<#ljcvvlWCrMMM1s2 zwL`La#<^I-bRnZ1xY*&n8c{86dS!7Y_-_e2vOd}nuDtd~JOSCmo>RLbhu=%%V}hR7 zr}nIRJ)|-FrxrjgJ3BUim5B-<7>S5VDTDi49}j=*Brr&viA;Gze@q0Y?HMHB_AOAQ z)tQU^=-M)LQv)ESTSQ-X)70NtWB#SY0skP&Puhv^Jf>8j#=hfxoL03^XVJkRb+eOE zj~+Ou&$FmCj^%=66llj*A7K5Yxdqi7nfi$*Hm@W%UiBC%JU3xI%jkaFkPFP)oUl)3 zD0+hAoUBvhoV)T-Bflr?-}m}(|0im*u-*Vzn(jrPrETdVpBw0>9Hxz&jU$Zy zR3t8!NnafNWkPg>^Z~!jl-ZBfixd+l!EZoiKXpgW=i*ptXee1%nl^l>DsM`Y1F*t0 z15}g>bWQ~o?yFibjFh3g!~4?E|9xfyAW%@&9}C#N2l0jW!rPZZqRUr=&&Rdl8 zzB)_h@~L9Z?P1RO>W5MOaedukTpk?r4**qg(YNoV<=8loh8gaw(iI$rrt**q6n!5T zBP0DQDi8OktT+M}Q8c3KrHUeJu@AWjAuZbc0Bf35`XAWmt?Qx8w$#GXx8r_atJi_j z^+*=fxgtjw^X><}V6+q^t(30A-qQ|T1HkKN`2k&?`ZX)UpT;YwEI^k5_PLrP(>f`u zXrtETGo&WCr;TRtPWoK=AT+RkTo%-{%&F5F#n*VdKs$NnBQ z=F4$2WT_*(g#_maZM#K0DUCJk-UokeR9D2a=-iY|Pt*Nn+L*j^?@aW9Y?hdu-G(%A zzJvDjduqxn2|hd2Pd;p@tM@1LPD!&QJ*a@BzkSaS1gKJd_5U_`w}eQKRp!*fH^XEQ z;r{JLTQhM(T0{iJzIiSm=3WX^^frK)OVQbL_0OJARFV!b^RQL#j1T6dh6Gs}DYscv zG++yD58})M#t*BkJHmOJz-kNpTD^?f0sM%QKjjA?d?D{rZVjJi7jRYzcxQeuwa@`X0Xna4T5$;M zg>)4)AT=jLFW9WTLGPQj8MPw)K7IDfW##T39f3)JQXH?v%v9KBX>$>v%GA-YR(~^6 zYCYdqwbTn@UX-uQNpayCyZ-4xD#L*bD*}YbW;qOUs-v}eV$B9fMkY5v?#8{}sm9|= z#@LG8HcO@3hr=^gYzs&sqQWccGw~?@rQarc0n$bCamSKVd7)k)VnVDuv$In{qu);V z<*A$&1lfvj|DyioOe$v{_Sej!_ z8`|XjCor%j&{4ezH4}OTk)Y)th(mjzZV#q>DZhKN(=mVT{PAr_Z_EwkS<)cFBmTta zckOOW!nFMIi$y#<(C9R_kYTAD+=D>Gkj9-)Br;g{LhWAH9JM{_9sj*}p!x6gFcGG# z)+Rv!#R9{6lub6dG}>;i1hIo{sb$-6~ z^m3#CaxP2&o98I0D^w4Egsf%4&izg9GPvuprP|36$I4@62rOlCM*Qf-2m1iQFPS-cJbxg!{%OH0yQsetz~<=5M;#X0=#w&pI&f z?BtT-(A8@tHMp@8Y`yXOs+#|7VezDCRcCyy@oa$rRC+bYqv6%46s3;|f`GEaC4Eo`jFLQF z%P7M&y+gpV(TSJ+)D067G@-^x%#y%YIuwYnt53{Xhf%MRC+Jg1j^mY_wQNCkVAyQjE3usmXp zHG=s#rW1Afi!$}3kZ6KN2r#X}+$foR^2SB^GZN#jUq^ld)aZsir3H^uJ>dD%MCMXc zwgm=0n8Wph1MoinM+w?y-Ctv+F(r}7AOpCwc zvDh6>073Q3<+@>MY%Jqo`3Zaz7YpqSMmZy!5iXJ|iIp1$E zJ86$C-(VWI^4M~axWqVFaiJ3u$!MtADEk!k&Ao0E@lg zEti)2T=)awh}Zt|f=hnZ-#4&9_q=_439eA4ly!=nVUKy>ubFvIbyi8eSZ48Q!cRBB zvFo2i>#5fst}Fib2?J1xw*=Q8_>FREUo#2ZFySyLz@dq2KpXcHk(dEURi2n?*J z(h#0h=<-T{*+2091-ek8alqv|lsjS#Lvm+x&JKlE_Q>0IzoX=kKtJW~!qj-f!jlYN zr6e)rrUQdnsA#$dOwkh&CC8H=SUZLT$S^HE?D)F^2DlX4r)jbsMRN>m!EZT$exi(} z$Ho;!gRuszD4dYsjTR0js>d?ccf7vQLKJAOV4I=WIO7-K;-z#v1SMksI^xAN39NX`2jOH4#_3P>S-@qqlz^cN>-mm!j%_ejd;rVp;z{{d~om;Drd^P zw;$Xh+jafy?WWi7WiHDpZQGH1&7pvARmpVx_VfFfPtGPS#o0fY?~d;~;C&5k2Mm?ls&S_ra@89dy+0jiXB|NYeWW@qde`%*(qP)sd3?dH%j*mEMBACKQx1`xv!6P@m}jNm zyz=7cEyfqsPJn>+dK@?`r7w9>)27{dD=T&-o1(Zs=Y0&G1)kz&PF1s=D0`^I&5M=` zsI&x3WCaZe8_z<=y_&Ri+=tQZf(rT*TKhBDcfG4;Wr<7yTSbkT3D2`sB$nU78(~=e|qdk%q!5VYF(K*Jw<%>F!zu*C2ts|AXfPLQLGQklcx@Z!{U3?vXaKk%hk8W>Y=2%jjMx>;pq&3AE=6443|^i69``)QY7`dceojlK?loF z_n0=COyqM{6@7R_TrvOn)}Z>(x9=Ue4zyS+y|Ii`HO4vSOjx3-SPPr`%}{OYde-9R zttymt#Z}mFjb`y{U2tVIGP?G$LLZIfN^=9(aSHXD+S)~ zMJ5p$s7da-krTp3AwX4akHQOmMAOxBoa#dm+^p*)j;Lsd*sc=!hZ)!e!_SZBS7&XS zAKMS`ON$uT=!O-?J59@;{5%k5ZO@%Kbs~l5f6i zt^P1uyHi;~^s!en8nZcWv243;(Vh198OWmCE%ROx+z&yAj5G^>wp)L|{eece&f%#^ zAXM~vmpOt^esnk^k2- zz*wa#XNx4ZYVRDW;|*Imiq?3Qbuvt zBS+g6wC!<*`VjB3{u6mV6Ms3jGdi5|k?LK`PQc>P@K!l`_gIrld$O3TTV1(7Q#-=Btop1JI6p(SxFMXNc!#;Lq`XGlFY~N9CH*fi z9k}KzC_iCFBNP`s6RyNDm(ClF1cvZH#`lv9eMI(s3(?K6%LuR9;4_#{jxJ0tT@;&s%=Y5vrK zgCgf_;cpnB3&Cs=fgW-kWzO8706G%_A>O+LO`KOp7f0y#I=F5-#pMu6*Wd5BwldfF zNr|AMhej8Na5*@LK!mK_9~vRnejFGVGS^ma#ev2zLnzct$|2`b0?A$8~JDIkcb{t(_>a z1e`4!%C#81cQMyeVRW3_HlaywIsd;CFw zhT&lcxTTv(V(^Ze%C^}j1>KIQOHC7kkR#3-(~vVm|J~})cKodrUCAePmlG5#xnO88 zQ?fJ5zU_pjNgzAV>}w27h1btlDepBKMJb)Hq5P*P-?QLAUjYHe6!%{m0=nLPmDNWB z+zRECm5k4&E(kCtDM#mDS7G~`cD)>r>j4|t!itfg=%Fh2yQU=y!dEgMc;_ql)r*|! zlrqhS;?J@w_mh>p4m(J>mc~ZG2aRVYhRpjX0v092(oDY&^9xEMapRRcBB8>G^RvH9 zummyXfgANx5xv=7P8dc}i-i?gCMzMF%|Pkvd3vrYWTN2G*#-Kz*8bQA3e8D&Wn3(V zeUuY+Wh3;bnGq$bQ}2nJw;yaQJJ)NL^@6ZH;nj2cI1w!hnFa5MT$V}G5X~O1eC{s` zPPVeR`jC549R3thQ+2j*z6aeHF?mcgCG2(@60N>XaXGrtz8a~pV0o(ueWCt!g12~3 z7+uecW%Vv~3lO7bJ}nrNkYAy3Se6F}ruH#2WS@ww>1%bR=x@3>j=?`Cg2p!heyz&Tp^gMPe zKfLxK<2gr^cYG6eg^dmhMFtu+lIXoCZo~wAW=h(v>D~J|HR(8^39bYrw+KWoUQ&BH z%ebG6tN*mDT5NJtpBN?wO}I?X`+$FEK-VwJn#{6)GU`68HTP3Vzf5$&e4R2{S)UxG z_JVf@&Oyu)f8hRTelH=Dd6R+hv1Xo{Bqzyw00t%I#`6#4`FBHVmfA!am6l6ZavAU~ zJ{KgvB@r}Pa=FErlKB{rd&QV=*{!OhB}Co5$_BJ-&qen_sPXzzaP5wal!%`7@UO=S zU%Bkh_seVhSUOJ=`@E8U1fP!ux&I7w-XfB!^}3m)P z&qc}Yh3i2aL;oZQp8Q86t6;WYU-U+EQankH1}BB}+%7};Fu&V@5a1Q+HnT5jwrKJh zIe&G&7wI@d@vN6X1oJXdgh^h4bwSjq*m@pbENE>7aaC`0v`^2cnOt;Mo^##VJsfH$ z=!yk}g>;baM0#?54tzKPsupW|qKIq9Y*gAos?A2kl2Sq_PWMBMF=}jP5eyY2(zZF; z`7q}r1LJmK3n!-ImQTRH;|w74EWW&Jd3%0D&78@P*E^6>4<<4 zk)U)bi4YNKB26HKCQ1z;AiYGINEd0+MIcn^y%TyTkU;3a56|vC>+U|g-B-ZZ{@x#N9L2&`HO0rt*G)jC#*$;T@=a@#03 zR1zW-u|Yz&I1?9tv~LMzxE!>xpmr5g5306x26(z>ivTtT^R>{L(_{`aYXPqW!=y_3rpdr=QBt>^*}X zUDU8kRQ~{by#k7~X=8*euVFNjasF!B80D2rTzWKme!kgdGUTydPenXu@#Ltho?6l9DlfmF!=XrO#biogJ(|o4AvpX8^7j;PvrEo ztwTEx$EC|B?g!r**lgxizNwIj*{jT5IJ%D4(Ep*A+;~Z($^dWSMS3@vpzN9fr?x{wbxa36=yOUNI!7aW^#i^ymW}gBaLd3 z)|;#;jc&&>G1N^deL}BzNSv5n!p)Fr+o)=i@uIk}^z%3MuZ9*InbRQpJ8xQJW2m8V z4xb^L%B|9#R5GhuO1o)6OsS1MMMDnxs_L3(r>#hh=Y7j_X_P+`!8JUSO5bNpyStQr zAkfK_9f@BGVdr6&Sw-kX(5xc#Au(u>{H!diid=O-RXUo8+uGU^-PVektz5T+Ce&sT zA0Cls5pArhwK_!}Z+!9W?(5~6%pz*csB<%2Ny>T6oWD^Iy(!fCI-WazV=2{&KQOhi67`<{lr zS%p+iD2TbcZ61+N)2{NZa>J5us(NQ+MS6GH`Z)FeYCWybnFr$$QUsj3h{d>>x^VC2 zy8DKNOz512d`&tDOy%0QwwnWAkdK=E?sQ}`pmb~%5)gZKC*v}Q%&i4A!7zz?`M1pd zlU&+Lor26%f4fu6-yL&xRL!hArUZ?(>s`q{-X4qPt8<#O*?~K*5wWhNAN%x7Jl1UN zZj;g8H!QI!THBFs`rt)EH19ra7&>EE4a7n`J$C*CV@86=_TKJWr<+e6?SX9G176k?ayiT&*~OT`M!B zXmsLtDlGwO@eymqF$;zjJ6f`W>e_|A0)AzX$E}&tx(5lm?MqJGxke{32|7-f-;S7v zziWhp0~Do^J!j#I{69$VERPrEZ&W#*EdedDK+@6 zP%J?yBf)-b{Gu?m8sGPnWsl^?gzyE6(=Y2 zIgwkvXBfCeG~9GC1^_fpcAdKq(P)gaR$C5&X9?;NbpV%`W4}$`@m*SE{~)UY12N9p zBR5z8zEdzp7~vFQ_N@Bqn0ZoZ`o!(ARnKY0c_j!iLM3EtV_)h+{s%wzUvtoB4k~om zBtI>u0*{Fp5>oMqSol!zm#U1(ZQh^6&oS`*1p_IQg`ht7qgenvuq?eu2Rc9ShVq5P zD92&~Z&EIE{RC2W{jllwQfu!yLx&JHy9)jt+0R}(-BD@gXY_@6G!^j=E3)lJP;0ZS z)&A9n_<@a&cs(SGSCk-Sr`K#629gmjnaW^7cslQomctN~+auVqe+=aXIZ@Z))9wd(cjt*yWy=66z${hxMXyB17`|;pi|9v{IoS%UE$@kuofvKy@~l4K zxw^3Og*n#CbL?gWRYu|c$^LhWDEZ}H<6}yeM;t3V zH|YUR2OL8KqkqTonx38KJ@{R+Ksc=oszr@~IjcRGRLp>0)FH2b>ndh_pVBtrgwKhr#8|&ZABTHdAqYGn-~oYaZ4hs; z1v-ocjqWz(rA7Q+>Yi3dTyA?RFEf8faLM#xkWv=Nq@^_Ri)BZk%N?<}9RHTU%g7x}Mcx+qOC(h&;m5iMnU{a@! z7P9@&x8JW8TT%(6i@bXP+g{6LRLD{Jzf-FJ_Q_9L?|T*`;W+DO`UaLIDABIh?yDwB zSrfelP9aO)+L{HkETi7NWj}bLdjqmH+j1Dw#z^Yw0LfF?OtDCD5mXVUYxSPk=QX8UB4b*)tdKimH@ypb46l@H)ChpY}nKBnPI z@4D;T+wy0Jo#xV^KWAne4IMguPA;H~yN%R;+>A=hlP4=c+RZ+GUz+H9q&}jhUs$p~ zkmwEUQO{n;Kqfx}yz2wY#KU3t+taKT4lpM?rl@?P^UOP| zq(=kM44YQfB0zkeTR=l6+S#o4>nvywY&$QwDiSQT-Jw5oj!nKU?6L<)rPx4RT@>uNXib4<4+C z51LVoygTFdQh=sQFAHER8hc$^`lc@0UjfPAwRG4A#@ph98)TQmowhR{D8j8aBVN6U zU7WsEhrpdY@a|Qa;gg#mJ67vlauJ7Cr=|D{sRG+rBb50)8QE{ell0%@$JY0z*7f#S zx}qELW{-U*`D>UZu>|o|etk4p!&n^k(eO~r3GhqUB}yEBN&Mm zC#+Z`tom5Wx#aDM3*iusgo4ozsBoyE)f8uWPKHEH9`}@qTfanq78_T}lY{SV1-V1- z5A4De3ssZQ6%$cM_ayly3(6+d=IwWQnu}v%>t&VJAfRia0~Yvh2cre;mQIigiIPoD7Uv&!+?M{tb?22fgDxSuSg z0XT-nl(1i(gU|V2;*b*_W^r5*l)EE^Krc;u z2C@kxAnogC&)T6`R?+nH40BJ@Kx|qg*JgM*-r_v3{7Nlmxvj<4LmoGi_PezJ9Z9=K z!SZ&_qTQE_3v^!IbJ3M$js=L5NRT*f1UB}33si&*5f7uIdMggQ`p}io-bmm5#v zoc1l5=oW9mUn6&{U8p z*q%}jyRJQl*E=fxUAjZJ2_g;pN<%6_%eYMx6Pje=UZdYhT;+LQ65~zT60u;vGHJ(_ zcJbtO%l1GmJT&;pxu;>qi2>JfF%e%@Dx)?dl)5B6@VG`d|9aDOXnfkF-- zyTP^c+=${qg@dT&c!d0k#DL*l#k3yF+2#UPE&(6sifEaH<)h17Uk6~a5#IWpl}*UE z!?vAOf>7Gr=vvrY)zT=6D&+2=vX>;V+&Txo@ud2&u!ER5y6t|vWPy=*V|KkZh7+}E zT4X3QoFDJ)-#c$)8woybCd_skLTzmF`nD~|rLC*26Opa5a*NAgwJsFQbo8}H?;R$JE0ka1R_s{**L40)O22%?C|szZ^zta4{d3yB*69QCA(n3 z`z>ubH2r(z`NWa-FARZP4vUj%TwiSpi3JWd5#IhLnHn5JCtX2`7gU)>pQru4xmQp# zZzoMT8^a89Elgdw38nX0uW^4fpqxLGtv>Z)jLkxze%57@0;LPE0tgOftqFq=iZg z56bU->WyEr)*u|#ZIc+F`9C(%KiT931ERD#Eza1N?2Lp1w|YW;z!8rTZaG*kYUrUZ zsNO;Lh_?c3=Z&T5i}{#QTQc9g?eLfKw@q=2L zfn0FkkU}mXbm-@&<3z_!Ys;+PHpIiYd(YK3M*gbD_u1_9wj3QMwc7Gy2c4!lj}5v9 zxBrUcH*h}mUm1KF$liIEp{&%?&)=m=rt`pjDRfnN6T}1!0fo|6rJV~p&#Xov_u~;A zo@;Cgm|^aUld`-#44sw5zDb)>vosD4pe(xxW2`3W#|JwJ<})PPFJ9 zfm-9!fJB8FB~^w9!l{9)f!;S6EH8=59(;nmE(p#R@j@=IkUftHkpjiOckR~|wh1zS zoNLpMn2UlrE`Rj>vfo;#F6*-IQ7uYj0$36mIv)!dl6Rl5I^lCIsr7%;g#5>?mSF=5 zQt3$W;i@x&x@QQ=U2!H#0PkZ20zr#e;}hO{2&zg54D5cZ`F{@@G!%ZNKN^qwX;wKh0+nTZ8@m^ z1#D|h9zE{^6uo0-|7~DGOZj1#O&}HXkmRsyz0@{AdwGYSi#`vRm5B))eO=DY1anPE zR92ignesJoISRo6t)R986SoY;86YWz`g2~p()+lVzlMZslbZg4!0C_LBq`_r*vgi| zeMKNn8=Glia;RLHxl9pE3sZs}YbK3Up?H~;!pf?TeaFvj+{a_ehV{xdE&RDi{%Awt ziVhiTxx?^~cBG22$C@*~QcN>AL~@L4w5L|%K?Tj-o(s<4;TMsOSJZDYiFMpj zPVb%Ens6r=aJ?pt>UL+S$NY3TKF8d$F@EX9E&JJPjZNvahW`Q15 zNL#^=n+XSmXX5*|C8~r`WSboP?T08{lTr46YpHUaR2{(8UKAXX1>dIyt5U_v>gkI(Evzo~c#4AEy9B?GqlpCZG_H z^Ah=j@vJaF6)Mp~uv?WI<(h{xp_N8FSG%ulVj5Jz&5vNC*FRd+`@um{?!E^!Y+u)wO;GsX30i8 zYOkJt{mBeGh_zf9N892rtw5kcs5m0G0)iV1B(a+xuSWVko7D`X=Dbiis|5-v6vJX* zo|dt@$~42>+_T;c8T&()*t-{$H$zS*xLKm_V5Ph(yTg7Kd%U4xS3k$JB5Nq(N_h@Lq`9n#3<&Z z!)v_lZAg-+e!h6S+gA}qCqp)5I+|OM$IBtRjw?yfV<^F!@;(!9m(RZ`O{Sv%b>LYB z8oc|$*UTEGAs_~qaSzQ?nMqU9tOiW&5?oNY*0ej^ExdVgG zI!yem;mnZ0+YRVm##eLMbHp$56 zdzqrCf8RoDF+CE>sxCq-8ZuwtNT7d#&)OCHJOFDVLbV}1|E9-qxKE`3mQSeL9mfQI zT;wK!PDaxZ)$rG%=gA5te-aMu&KRt zo8H#?C|Mb#07O4>+;=MHoc!-vtEDR)g}+a1Iq7ok%9kp@(I4}bL!Cq|kE=MH8Z!_> zMp^(;22@}nV@nOqQfufUGe8WI+4)6Z^yO*4T2IYdkuc?Z<=T%uj1ciJBBP{Oe-!<5 zi0&27RCU}cJo9|*g?zgEoyO$;fzl{mtoVBn9RHDPu?`#owQp|&y6qj(u|j}SSt2H6 z|4n?cFpBQ5!8ujIT1iLwc(M3=p1#ala5=8I&A@T%%^Slw5e-LZf76$-HdKVaEzUPoKylxtg~a4XvIj7KL84QsYX$ z?7ot>C`#;OG}Bc-9{Q@>&c5_1&+3r;UL@V3TfFBha;ldG9fhTJ5jQ>Ly!t)Kg_?! zSKl*`jHlIQen(TD`6%;!f3T|cZv9du26d>`F1sN&b2xt6F&d!i?#+4tKwuX!VwtHS zDDJS{Hk5H2Lx$)au#X0S?9L{Z&F*C?IJ2ej1ayfA^7YQ_FEQ^_>;v#Cj-UxmNsvhz z+O54xWouWp_cBMp?%7~L>9_)erKap$`Vgu}W2CANXqd1V(K~Fit5SgyIQNl?Co68d zhS}B$^j{xv(Qir#?1uD_YWb&V>m+a@Ry;i^2s90w*Je-sZ8LNdm`9$S7yBKcQWa~^ z^utT|a1CM<#(43QvNiAdr&U`~_Crw#?Aa+2;LIp%Uj#o7r{r?5OGXL3=H+)`TVROD zt=Jf#XHlIUlCN z^~yNe;@A`@vi!O4D0o`-m?pUJ{G&+ukBj$;k^ES=T=&j!mM`6uOsk2@q%0u2QTz?< zS@}#*G>oUdJIn+3tr*D`TIjvN{4kSM0Z)pw-_G+2V|!gC9l4c^Je;0NFAe>~ne!U5 zo|0_b50oEfvS}MY%u2Ec%8X<#PMG^R(SFesGH3m3qjDh>WxhrGthYSmo`tfvby4rh z)fAyuwT};cWmOpJG^%bcOA)nqKk*MCp&sfQV`aQ+s& zzn3+Du{IFw<(;FjFX|FMFK6z7Z4ETpYZg%?kaP|n73`A&y!=G=Ma$;D>lTEd@|Yq@ z0MVx*J1x|^=m~b{#b9isHLs-s8D%A|<=h$b%V)p~N(c*d*QI+n%YI^8$rFq#>SIq# zxkHx1TeGj7vHOPVtS>og_TkTTIN7YVJ@-YE?Mvjdw)R^JBxW)X4@J1fuaIpl_Zgi^ z9_~>bW~foVThjUCp#MSf-~$cvu2o-8r`-|!kq3WW{OoX{d|}Hu=v2}4y6QL{s{H!e z)*_;CVdCJt;3M5j`d2V6>l-ozf^0vja5?++^b9xE6 zU4Tdp6bveYDoRL>e8Xq2?#w#p(#O)#U(f%1baRa}`J>d+&G%C`0~tP0D+&6{3amdZ zF~M)91%xLZ20cY->8_H3id1Qq8PpNE`)Jkg>h-t2_cEw!d$4y|dzIku+=_`e8jJMu zOxz-~zca0=%H+i*O9A{Dt|UxUU$S(LQf)-YhUv*C^Qo|bRu4JgW_GU3M8GLSR$gt+T7bzPe5N@)ZI0)|{r`9Ub;pNiY9m6hi}Hlm z=D^#RCJ-oC8h!<$${-aA#rxR;>jE17`Wq~_N^6oc`_ne74>ar^&(sloWL79^>7wDzZ884?Rs(fOo61WEm8MgTokt2nC6{HD$}U5{)L{P3?)_JN zxxFsSP}+B)23uX$Xhp=~k}hYplo6pd(_l`!z_rmb`F_#IwA{49Wg*&*U#i6J8<=Gw z46ZMyX1?J{ebw*#?{Ll;ir%dMEz$qGktFFVnODr18fR{q`G0a_KAdDePUIj!d79;s6fgCZ zZtan0)Q?AtEW9O1lIkK}TfP3J42sS^aWj(cQj8k0(fXJF57A6qpOD^4gu(}jU|w1c zVj=J1r?bb*_&!K>Q;(&FdG2y{=Y@EOI|7-@LLiTX_Y`Z4bJv+KE1}EdK@>GZ6m%34 zs57C-*1G3z)dbc1(Y4ioK>1--NfFA{Pbbn_-P9FrvNh%N!d>TdZE4 z+rglqW7qP>?NB5qZ@l2DtnHTMO{w`1#Vw^3AFO|_fQp7eju-G%4!y!L)BAp;l%?h< zOw(cj0HY*eKU3Gd{C56(aQz33LjfC7mM7~=Zm6^lrep?!-ih;za=tTA6Y!LM4==J3 zocV!Tao*5^RgYxes(kA$aYV4j_6k!UeX1NeI`I}O{h1L8g@DzDn>B;B%*(PT{FO}1|J|DU?06c$WEUKX`F~ubO$66R=+Duc{T$IF&3#iB zl<0gdRD4DFI-W>JhroC^9IUFTu?z4dp!-5%_F3lD7sB*bC=OwG&j>&*ByzJ|naUa!t<2x?gw-eFFb1WAfe}j}d!M#vqY+VIZsP!|yLhIMiYfHf_J~c^;QXexart@4>t2Kr zsXgx87GbXR%t7BC17e0g8c8tB8TfpdomcXe<}L1%uPaBw^;D1yZc{sPCq;%pYSSlv zQjBw;>2IR-QaMYr%19=b|7}{=+9@PUKp|?E1$&6h1{I8@f3}=A1<3{e&r^jGGOX!3BY9u)H$C?^^R?p%T@JFc-M42dv&vGyE;ZZFTmj@t#tE;u6jsn zsOwXnwdqW7d5iB?rei}PnfECExIp%y&3X*`&{7m9?9(dgrvGXKchHTMnP7~{9$rZk zVZ7Y7zc|Woj^E+C$w}j8Ab!8#+zOeRW`We+!zS$2;85pOh9PoFw$!nbowPBYDv1Z; z$2#oQKl|dphQUg7;ItY@q!}G@zM+TLJVYyugN=uCbxuYX?%p-t)V_VebqTbX^YHoq z52?nTA{#KkDXK7d1%Z;oA6mAX0|E@fji&FtydTG=1e8i6g{g&%1(z1vzU;q=GoZZB zLBUo-SbT+(u}su?7Qj!ra_?$eEK9!yY(QVZOjo}eH>=E!$ctnR7|>r&>F(*k-0bQQ zXY6XOKTqfL`S*o8lHA{lP0!Q`e+;0{0aFW=t3d1X4dhuIKJ)rpS?0%3a;|1vX9ly* zq_ONp1n+0(jLqt>*JO7ZfDO~;hraqx6*%9Zl`;D&sA$GLm9_rKQVz~DWfG1&)$wx# zc-M+A-MjOz2%#=D`c0RXBtjk1=#SS$;^ggeI=7~mwfe2E<}r20M=5};7avq}jj!ka z1*NT}l1~N8A7(Ba<8Dq1O)z+p#A1Z0w_~ds7T;HWuR(qFNoH^Lg@P>&TJrWuQPxdx zB3`Lg+FBM8jHHthnLcxy4_E5l2U!vRlW z&9BY`K8Ji;;%?K#_d9>8?JLsT69Od#crISe1eRLB%NH#Jwx-kkAB0_J;_SZ%$L1)= zAGZeA!gK;$={73_$tR-z%)kF%bM6V4Jn(>l0l*;9e;o&u+Vi8-{Wt#NU;H)spyAEV zn;*rY_3b9Vm^rVDtvFJ->!xnethOhP>xT zt~;`V7gfaTYYjK+Gp~{b=H+(ACJu!=B((!9gguhw<0uP571~DVEba^JMOEYRj4xpxLZXR7pEjmRfN`Ijf@*c}S63IWgS(8{!5lJ9t ze%Z@E5D9QPfSAcvt7TBj*W3Rm_{t3^N(hJ`0bRVLfM7nh8gW-hkY;_m+Am74_x8hF zoHs-ehdMDJj^hjrPW^Qxt|9Zv!UcGG1+aa#9M-SpvARgNuT>ynNlm(m8PG_i@IsZ) z5awdt##1#0I1DJhfq~HKGa~M2YskiQo%C7gZjP~c5H%c`7nw{+!EgoMUq{Op0#*o^ zCr};t)rUeQzWP7Rlzz)o4->#n)6cFwuxj$aVKb3DC!S^fxuWvoAV$j_Ql-OwxC)NWn z;5D9g2U_NhU!SI#mFVg(T|K}H{C&L2E4@3RSbB&O?0=q55^w*-4%9t(#>uQ)Oy9FEQ+-=xe;wKDPb7Fd zy@Qo}kcFaQ7%r=TsFqoN*yf7uzkjrh>{rN3E(!>xll($m_-fuz4k4LIdHIJ;e9f3R zev#n4snq1hSU|j4<}jVM-vDm%muk#3WorCdGXRl8C*P4S1NDB?&D4moHRoL3hHVO6Wje)yK3>-I}cboRAoNpx!N2sH{5;lYW)^Yk= zxacE5KEY(!YnOSRjJD%rvn9Gw43Hwxp7Z)jQ0rZ#Yzh!ac=!@06@G~u5_d__foDiu zU!zeBvdP$_E`#ik2?257v*Y}pUG-0L4vz$Tj)=)SHi|unErKisYAbAA$2j5aEJIo{ z;%X1O25(=rE4U6RSGpZtgOb|nPb~zWzr5EI>>cfQ&0sjT4PO4W?MJQ%$MXnvE$o!C z$NrY-9p*(#13Y*17h?Yi^KsDa-7gi3EZS+gM%d4T62%!_(%1?9l5&lo>emg>_b7RR zlMr8eZjjjV2f+QuTX&HHo4FBj0O;K>v+d|5I{mUk9Pcd%y`}FSrgBYOEE{26X;|!@ zY+UoIm9FTN)hs$f{?TCf!LX8RP*mmhRQP?_F}K30)w$nSd8tfWK$X%IN+YZ#F^!f+ zT}PtkBK@Ka0Gk>PSjG~VrclMNLY!@5Pgn*+7N?a{Vsx6cd=D2}GNb(%g|8vzUZQEi z0Xq*o96niN!=#Za&R2tzq~_6cF@D70hyl)Fx%Rm8^H*%6VV*-QD?YD$ZJ=D; zy_>!DPidBP70X|Ei;JvmzlqY9z(Y1;G=S)pfF*r$MA18mrx#m8Y2ETs-~ipn&losX zv^8wd^aSk;N%%g0)x{70&DH;pXZFYKdqPV-)9cc*l3Qk41#IoJ@1-7mfKhe7JNnXs zcdD>lq=v*p@?W*gOe!6Q$^QX5e`+%N1Pa8zYAY^H$qIQ)4Wpy>jCfx-Pk0mHRFOys z@^R!dVttu>rHXgy8v`$Sg4825-K-R_WJrlHa+v{+#rac*Ym~IYz$7lfxSTAVYWyAe zS|{oaKSljKrVC&Q`|q)00uO%N@X{&)qCfqwU&YUvzJ3sW&?=31uMzM>pi5#9o8APc z4TZVsGH|%HsPzUqkboC!8QZkjtig@|1vuQvp873@BrMi`f&aRprLO%KU;tG91R&I{4od%VR{xX;9(?xv>jJLu zPgMhoA@B@Z3=8Iij!84CgBh1%?v~t|L~UzSozziw+jhJLxA5%?{ulwLLA*FO zYEL}dr5D&sI7U+PEI2kYB)sb{_i9dt29+qUjL*=PM~?^<5B&WENN}#ralrm73p8Yj z>Lowk?X2`ofdh*uTml4Wbfh2XM|Ay&U?iva>i!i5mRF!U9=hsFt<-7YrIc1WPZ(m% zDGzuw`>yxBiJQ54cCH{sg~+JPo{BUSbF|NxRlbFY$Ks6nb+KsJ0T*-4Y{YZz+jEV2 zp>w0lHDhmbe6!hGQqHxdmv3FVY8zjUE50$0rbmVk4gIiLJeQB0Bcs9w+>6eWfqpgx z7~v3NNeUeZmEkoO z@6O5^jVG(6A zo6DrURI=Cf2bC`g;?c$qcwpQ_2x8^-UAy_VSwOCbMuf^M?A65P`*Cmpoz-WzstHU;gx) zkq4*ToL1XT$g`Jm(xAhIsh6e5ouQEuaiOWezthW|39e0`YJ}`#&OUf7PwbQZqDrg2 zmebcjZ^ntHmr};v2wc?L4|IGl^7gQ>UN+S~^Zit&9AO9uH8&hnwR5)uCsjn?xKELV zTPZ?rT3g!V-<$lNK;A)#-Qbti=IqG5LIH|O3J&QdUHG;r=5Vyn8gF~?^+he3+cXl0 z-xAm``x|rfXC9Vs-tZ_ft-jh$KfiTWE_~qI4L`6#t4U~PAbyTEmSouUlOx<~)Y||V zRYpG|qy77h`QT}M8jki}>@Q_bO58>nSi#c;6t1%KlODbaX6gO7TcY@1BTW~1hTDRsa=uatGYW<=@fZUYgW=}nJiwYj|0_Z-18n5dJXCaWImTAP32)^*Bi5Fa9bIYu7A$|Fxy6@AYk zZXts_7|S=Q?D!D*S5{OyLk6L9uoI59-MzNsvC%sblIr|Y`SKH@;jkw zy_T-K>Ah3)k1~I8LqHxj#-5G3g$wJI4^Dh{I%S~9Vaq{zTsQ<2!b>A7Rk~EB%X1*n zU}c@lpzKc*oa8dXy=eK%@&;VDKUr@icfqG+b6Z~sXgk^*@*@lBkx>L-y6 zHI{L98Cb^R&2SX~U!eweQ}i8+%L`P$*sBkh=!rvgbDuNoRJB0Jy)2N&Qsfs#KvA|V zBkd5+-A_7Bk;0o=5s-Kh*{q_FDXve+l52{hX9|$RuJnX}b&>3DZ z#T#-}gDwX5vRh!qFU$Zo{=gr88lOM=KM~w)tIEzZZa=l^uk^4~s(=YpZf*PMtUwr1 zbrqoX0d{s^zvs@VcoU=sZJD9r93gYC#BZkfaoyk&k=`aUb6_px?u3-{dilb-G`=DI zub4qk73)1ne_h7^?;!b)Y2~vcZx;X?jqkd*X$(rZzdGP_eKYoE=6B(Wu&iEw?x{Wz z_a(tDWHQOk(586${O?0rsl|^fU6omJw!lE4;L+D7kRtZq@8SgtYL6e}0x|{g32J<% z!)uInuGWK^L-Lm1(cVaR^+6Swls{_y;chRWW+-{fAyR$#D7R=`WIGFW@?&j&%5b7k zt@>1iYtU(kEq$=^pD-VzKn~mq5BmwX1$ps2!uY9qnuZ=QPfyU@4}<+O$SbC&418#h z=59&xw9OyzK9%yv7%C_n9BvN*jxI$0>)&>fd)x41R*c8a-=?lvV`E?UpFSao zho07Xl^p`l60=izw&uy_#|n`T4e0-%HJM zS^NI_*%CX-up=vtY<5-GOe!8H4UW1rGMZ&X>9PBw_5b6o-K3I}_&Y;kc_~0%hj_{u zL#wRF-U#j~kKSS@lG0|>6jNXsML5kmo%~yyH^F^9-%@$cE0P|Pdc>IZ)yfOGaYA6d zi5~xo_7>%W#Qu`V8<*bZ>DRPovS;^Rjc^pj<`busQ7w}2p3Y5KVYW#+RB zWYnTOmPYx^rzQDcUCf5vy7URkb#c=Hzm+0#2yBp*B1k4AYS%i$cj7q;9Iv#xHjD2R&R9;(qZ@zFRv4=9efImz1 zXML^2%Fm7Q-HBiZC_9~Tj;z&H|KfD7uL-WH29}MC+Y;5MV|# znfb`_zt*mmj=nbbIwJ11^+JHo5^EKA_(IPe$9NT(?oEq21fF`CuE<5FrusECP26SXCb3t$^JyL|ebXIU)ZdlU(R=13>M6P&i>L6W@fg4H7VlmZdWf4w7Lj>l_eqR#)-6i3nmoX-9hqL7T zWS4FOuc-Je8DJJ5OIH3nj{HeG0GR6EgCPSIIRg(_7^D(4sXGJg)eFceIJ9n8I9Nr< ztpUZ}^)K;Ot+Bv_tEO-ACx@5tn;#*62|X>6-6TglrEKrnRJ1(6m#w@G@TF0>rDtqf z?sR4H0-_<6YuBd8Iiy9PS23pFDY%e+b9TH(W>#4dkmI_(X#V(Pqs9yCyks>V&I`fH zId(GcPB=nf!BnofODSIC`hHjlrw4o6ty-;i(YAK*YzpP~Jb8EaLBn{)-G;wwBbEX> zQZMG%sT(T0=A>ar5X`bCPX?&TAiDX@06KhddN2Dg(7T$e$9CjQ=+A%O7BPuWBk3qDjP;r zz~>khf37&2L*88fZt>aYpOFe#H$Q)~_eu4KT$Wi{A~Q^Q5lXxFNqb7jPkK)We#Y9Q zRTUlqU0AY}2HDiToyS;h^%Sy)kEHX5QOkqH)`5YlIhWa` zHl?oqC8s_Q{C+a$A^!@tIK8C6LdYj1^i4pgYPXkRb3sA{LA;?dl1VCe*BLgc#t<7G zGdrUj0h6?HLIXy-%)cG%-(4E~;_!yzMS1ir(4R-w8Y7?O)=r4v#vD6>nBhoi&%z16 z!l`%iI8LuxOEjrFZO@{ZK>H$cv(x-`8z5#ecOuF>GLrVQDQmT|o@c zDqfz>k^t3?Hq+m1aXd7qI;N{8scvE#ZrpTUq+eRZGpJFsrJ@ec<)EiU92QlU5&7&v zK4m(;X_X-$6g|=@C_^wNp3rB8{>WLmm4*lfJw;oY@`5UzvVEbFje@!v3Nm|N6?Q5< zs21xNtIe62_7nzc6;N9_wyS?um6;(6{OV`I^)Z;TG4Z72L!pDIwn@K^$5NI*6r8Q8 zF!#9r@ZA$m4kG_7_xYpQETC;VpGXMUV#tvI8sTe!awCFocT}i%I)79slsEf4jvJXZ zseHS(*CD%MEZ4#p`3>|J$>8mM!Ik4os`h_Az<rzEYmAAfIlFVaeVoDDaS30ubtfKnQL~1CAplUCHGgcv{Xm2T*`C-Xu*f5w z2qtbs(rmBhOs*JI?M0=tP)QgtlY+DY%oKZFxqj6jgnF`dq@ZVPSwfnsr$r2!yhQ_p zvf%jY+w{i(lAP3Wj7Ig0{dnz{Eilzz6k2;o+>*klYp3cLeCWC16$4DRdmKJkr~54@ zujZ}5sQgZItr;L)`@P>kU?4bwa(uwAO=h2`Y85UUH8a5Yy#p)5xtOfL7(P!rdE?ZG17L)! zQWFcOlqzd*424e^7-=6m#l!t3vcc$==3AS9~i=yQ~ zke=qM5?g|&+E_Skdc^c;8t>?P;8=M3KGMqAm`{l3P1XPSo!VF;t#q+Z;F&mpRo<|^ z3{Sq0@F07p>xSOFkC4x%%+Ep$eA36}5~WmDxM&nrBhEU?iGd+lWa zcbEbb#&iD}VX^Su*k)Nys(OsD^hsQ;tl+6yeh0`F8Hl@B-$p zEE#PkatFY^>s2f3L(aR^+cKwBwc)}8w^h!+&j+{`WKbH<=?~1H_3_Hx3zktEnUXgp z9$H_KQZ;Arq7tT;yI~)^>ECd^?BV|-?91bl%-+6d+H9w?vT|YCw6dbrU6{toX;CUG zYFx^jJOZ?4fNO6R{>bOyD_2vxbYfNhY{aA~jjvD{-NA2)N z(#JlAUPiSIH&~Aqo`;h8BZE0Mif2xSHD8XLWK} ztb;6$pxN{KmQ*_M!bB&)%lGjGealY^IJ((``0lO9@ol3jjatsbMJlyeW#Zrm8MYe=})L^#uHWy>3-Vm%G}cUt~A6drgq6FrcH)zODSvX)S&s z%W<2Ex~@r9UHu|X_HMZ3L(d4g&>acm_{jvfW>vijZEF%!g?>+LLJsI#L7W@uvNsah z#F0+1S@u8X_ z_1gM<#d@H5_CjVpvJsIV^@O_$SJObtu<4L~_q1c^*;#2%&+LD=UQutq^VQjj_14H~ zS}H}W^xn?Ndx_sN;5Gu$(4r@Z)BJEq+Y@xfA=P7I*5|(eWoFF#>4rG&I=$}afJv<_ zIs3(9E8|D|VVjLU-y%Md*R$5F?im_4Ye`F+E3dDkRhLUzl1NGcBX0q>mI>ABw+6T8 z?(7Ll;8rB|lwptfa6cyJApkUC#QP!k!sEO_Acl|r99tnf9dwAmdN8Z{!Rga%Bjk(WKa2G9${WP=HF?v{Aaqu zWl6&uo3=pd*AwLC`y6hP}aj0WCBly+gl2b&br>>7K z`r1>vN$mceO?k(?r@me&9k_R-sPjtML=oOYThS->Ygg-x;j8~@sQ>5Ke3*6pgW~rO zsXrOT7hn7@cKe2S&W$6O3MoErEb!DHqPpw=&DL_`_xrBK9%e4tzgHapHtxMKj&!N1 zZ`s=0`>2ccm4m48#jYd9w zOiR1{(SC2?_Mkoc$2Oc+w?7`HX9U!)7DOWF&*P84_73JVwju-a&QJ?R64TfJZ(wBp z4CC((oA6!gJv072j=$Ee`w&-%MliJXf^F|U??X!3$mjc-_^-dbj-$^a{$5VM_j}!{ z#dpI9O-ln3Z`r?%kFS0h^TBeNcU*~7fgHdbc=>n~*dekv!3_;OUpss%^EK7zV@!s@ ztF?yM+lQ)Lju>Dj7_Tt~x9Sp?P+w-WZ>zYxG#(L=29p-apkD$a59qf(`$XRv&oR!@ z+vMe^%=Fm$Q|H^D>h&{XjZ!b)xBST^xXl!?wr#BAB+V?FN|uQ+fsH!04zflA#h80v zW_Om6;R#c;r>)z$_NQwao|e2lw0-A+%N(SynKY$^_J-Tz@6XE8(v?M88syv6!2ADy zEPd{`-;hZ+Z{$)Wa~)^B*GpJp=4XqlD8ul?Je z+U+OVQ5_RXW}(CEc`uA7k;`&kxNpSlZAj}te2WKNHq^F_?Tg){<3Tz}G%y*@`tFpQ z5b#JJ2pXWca(zoiUZg^30~?8G**av; z*PK~LKlseNxcGk&1CE|UctGByuiYI=JXSdX^hRXQ4f>F z6^}<74QqB18tsqbPc92+x*yOaY->;SH7=tTZhgDJydhBiCN)*};2^U$*LKfd~Z zOqqWfId(inCSLE&>FNsNf26T@s2edcF=5|t=uG|**u0mGM$Yii+5GL(SLUUL`NFyD zj9k_#_T92@=--qKZXNGG`w?Av&_KK<(;m^p&sI|rKhTO9ghR4|b(&*oVR$bC>??Lx zcHB#>hqP;EU|g8fR90Q_0MK`YJPR22BA?%rvMoFR<%?;I?asL&z702WU7uA?9Qy5t zH~ZK~_Qx}oLrZTwwYg3YZuRiy%*g7>IJ)B30sDo@M>*J%u#VwXob~xfsJX8ZgPc-& z-kq>GsH5@mo$#HlJ{5{alSP5pATKg_H=l4vbi(${K4{nk@Ar5FIVZFTsgdDaCRv?} zP{)U(Q?(1RUE7)a9LuNvFAK3!+pEn}DEo&%)09M-k-l{dMvaPL$&GQg_oTMiZbYM78O`qr?M0 z1Ic2YOw!kI!xcZ>Z#uW;>dYf<-#)DI+~u_&wW8z7{#AWRW!V=g@65*fy8Xu1f7{GS ztYokhK^zp(+Lg?poFoQSWu~^=7nt)n-incdu@saJ3yfze;#o2(EXF}>ND}p3wj+@F zZfVC{lFbbD&%Jg0f-eal4xU^87Wv3`me~yb8~^iLMJsiBW_kMT|Mqj*>Kiy)sJH-b z<3Zm5H493@DU*0OU#KlW=68x`p}g|aKl46QXX>eIuorLsDcl(hI`{5c3fb37Y<>FSYh;f);&i7t6FO}ffGX4(w2OL^BV>K4b0VxvWyakGZn*{ZpE9FNcrT~1 zy%lU67T~H2 zGTuzFn3XYM{R>YeojA#JkQx4UuW7I>lj(DwuWw93&&aaN;AN_Q3E|+2MxybSq+oFT zKKNnZ4)w3cY;C8>+++u+&{e7tUf~>}ymhO6#iSY5jQ8E(~luKaJ)`ObCNdgBx; zRa1ontKcyjm;_Amz#f)56#m9vU(U1cfT!L=#HlEfMSH0ID0%nu@yK=8WM@??KgD{4 zk@5Gza}~$X*>|5Fh7`k9g`*9m7)F|2ctjiB1sDacZG0AcpXoQB=t`7)dw3cBOwXD5 zMG(8VLB1RGY*0Nw74>bXQg3<1CwhS&fA}aAn9}12_X8b0 zr80!i*&5GS-9U`!)7uZmv5mWtLsumC`tls;_u#m*w&5Y7R8QGP!;RM9tz62BC`K-- z0IhKE7sPG@u+{1#ENF}cIoCyLxbP4UOohcnwGS}CfWKfg_b`XhU*Ts(yPya9H)wU* ziHf6!lIzO;RsP`vB@q4#9C#FOlQ|3t$jXc*El~O(-lv zLsc+D1mgiQVBi5&@uyg6vTao1_0q&q{x>vfISchgq^`Z(puX_QobV}hAGFb`I#zf) zpK~xsJ^hmMU7m1v7b(l^6=t+E8Xr^1Qvaz(p?sOQ-hiS&MNPc+j*T5!)yEdHho@-N zOqD1ar}=73@VDtA9yK5lcl|Y^hOqDQ+r!IQ=M)xqddBU3e!@yEgaVD*g8w(=IGo1|{C1J_cA$6^K5u7V3?0ys=J5-jJe=1abV|Xvti#e(A{gS1} zv?3zIoXl4txo(07$yl;tsGX?P2l)PABp_oz$mef(sy94EAyHk(k~XryMnFseWCXZU zjCY4B#f(8sO{U@iacJ7zE&fx%be~+jf^lusfoXM^Qp8lJz&lm~e4fk2UK^j(14Hv4 zM|6qXj!zZHdRQqBNgWQ=C_{1u9jBVju5#}O20?##f~9Gt zsRLPIAS2y2Bz9bnBHrl_fF5v;04M*@XR9APi>9GLo68E=K_Vq~7WD*658$&T{xp^= z5TfbPc*}X$;+k=0a2FUT5!wRdN*^{Y66%$s)Q}esH=#Bc9+YeNc($4gD*<%{S`!O@ zB#KYVqp>om({|iY4ncV=V2|Eob9R?8ffabPqTYXoF@uZ=g(f6igKsi#E^X+yvD$)Z z7w;Fn1H~;Hv_I2y%IKEU1?7-|1jIwlETuU-wW^T{%UBQ>9(@lD!hxTKnqHxX#!{ED z)R8QSHA}*RIDiTd$mIYmhlTvr!^AQP>#S@dF=b6I_U4$!&%2&W{ivuB)%I*^!#fk& zwiDBuW0ZHUN`Um|)pzQQTX>6l$zE}NXJ1}mn=n&ViHfI?H=9r8l~Fz(=;Nso3|VzayaJf1p3fl|TV-V`o$MQ|x)U|Q+# zC%m0s6mrI1_S7Dj5=qt`BVEc2s$%#%(Tu{+kfeF8<)W!{ z_ga*?r}G}iu8;Oc;?GoHKlaUQD*)MzRM`~eN~fH0Rl=tq?MGHSlP`mZ&-g0+T#({6 zVw!Y{{b1cf{&q+_Ix}^L`0L$WfQ-LZAu>V!E7%pJ<;*K%G!X)TI`K$Qh7MQEX?>zo&s1*x%+e9!Q+o{0`Rl%4r znJ*>1yD|AiBsOoMp>s&-;|0B{!%o|faS`yuFC*~+|OgQX0~0n2J8&>=^q z?`%#PvX>Y?3O`X%Vh0S-G&z3Fg#%K4bKrL1T8a`{AATlTmlZ*I6FC8h?{A-Oxb>ze zpJ}T6;8ZFdgVo0fYxK*c9RtNXp9kJD+BKy@V@UZT&c`E;FC1&(f(V7m6YOI%n^jMz z`f(r_lgb{itYdK{tqR#pubdWRT2~vL6%HqPht_??&ziYetoTd~&HRbUu$%dkGy3V5 z1wWnr+2?aXx()8|4YTjk;fFspkT#X=RERP<2TajD*X=YldTHL2D({)ZxY*LQhnY*$ zUqZtkWPAp(NO~@o#tTBV+STb?3?;o+{^H>TPb%tB$vP`5b|^lvtJ!*K)=Vgdr|2{* zio=o7TTq8v9xO5prj#*|m@8Bb#&92@MVwvGS5T8_w)(_{oHW_c(TF}%6N;upCSh4Cab-0;g%FfTCnUvV>@gX@<(V3l!7e`gBL$PJRAiyvC*Fg-ivJFntB;T1 zO-5E1^1#l^6CFr4pbb?{;>zHn3x903Y7B>E;~FQ)1qoG~A>L27PbDA^rvg7720bLy zp~@k2D)0_@*bKIiHC5bhAh0HR!WNc3;cEk=L-5gnm3}%6BU34O)glAHI*a>ijOqQSf`z*5U&9I>OFZ%`4k3EQqYVl^||m zh6slpNgdD_xie#hHcm9DHQr&I(b1A?^M?xJEo{BX66@J8$7MB&64uB5DRwEv z3VgeWn2LrQoTu$&vsn>}1dr+BxQ}=X_ltNe;HgmdNA`1z2ZD~1ROHtO9~d~2kFOha zR*Zkj=tGaEtop3(P*heblJ4XVysU;!(jS3D+gR!H?>LBAf?5~^WMh6bFx0x~Q?Uq}dk6Zms!KD5i}1ZE*5 zR7JkYX+IOtg)B;Rpu2~C4B*E@tnwnM_rz{$Z1A$nTV$OM#M zyMQ- z#Nl>+rNiT+sR2!5j(t5HqrsR3eY!pKENo+JQ*A%p_np6y^McV+k*QutvmtpY8sg9w zR&~`#UNS2M0uRNAH(a6^UkR7OHH@&8sR?ikiwyO;!4Yl|ln_nHG)#R1mqC*d$EZLJ z58>X>-q4#9wCS}2NvNo?j|CF%u>)gu+H(46!O+Jc8o^*vNVGAZ$V&zMpf=Sdw}&X? z7yen;jDJ#Y!)9Al`++?Y`j0}(MsrIt13NNsxjfz*y_W`&xoAZyK+IDXL_j-o871(L zeGz*a?ZYmR)%Ets(akLE86U_2sE?pD!p0Pe=v+R-|M1BXC7j8hzuwlWS?(FuCpnVq zw{R}r+NNA({~{xOSza_dWdRm_v7bxCB3;%Py4Mg*b?FQ~NvtJ;CX`jue1g4a5T7m9 zv%Yo`cHiK1f#It;75a3?*S_V%Yhi~ecjC8)mtTrcu_eo_KeD}5q3P@^fg&T%bBkX7 z$_?KY6|gqSd|1)BSzNkrcC8L^b|y3w4=o&SC0&Z`Z2n|S+GvE9g{yL?GZMcXr!hs! z^YO&UQG;>4eyYEhBDs&A=?88CS2JpVqirwcC#_xOTUcX3(HJ+QSh^v0x^$(bScw@5MmtvaqYZ8Pcvm_ry^ISg42{J_U??DdAUD z0WmZ-`y*a(Rkn(Ct=32UcXIwF6LhEi0f+wGS8IcMZ)b*&hvnoD%{!5JWgBg~nHqT7(>}zo1>9Js5oRjQ z8}I5Zr2_xs9deU`3nu?M3jpcX2d(@k)hT3niX(+;)J_^@ngkI3K^w$%vSl>vV>WBr z0Iv2v5@UQ2YeIqFCzCsNuR!wP0M&qo4+cvBp8`VZlAay?;v4ri^SyB5Hkn61x>=7j z?S7gr{L)^hu$N`|gKg$kpP)u=H5c&{fYK=k2E?(~#TnU7=dNaDD)Zr3Dm_tgB6g?P z#Mscn{ciNqD_+q3uwf^qeFS}44{93`9#KA=>HF*9sC@$??U($(87~~#9dNHO=7C-J zy!Ed@l2bbhGfAI=TaSOKH)2wI?@Oz)-QX9DY$sk>9EqMv6;-`?jq3?gDUZi+6i6DF zV%+r$@$ci1W9a^Y;K)~bEt*EV<>+x-esvhXhx~moY7whT$wgHgKMJ`9_Mb^7sYd&% z=|@mrdTwU!E9^?e`O$cyHO^jkoZv|8qg#{TYF1$lst=O8D4VgkKoHyp)dB*Z(zn^W zy`WFY6A0&4?kj`FRb^_nwxvoNd+P0u?Y_rmITApO zR=39HRwwqO<`PU4YER;wrrTrCifK(@fvam*32f z`N>o>a76O(L3VV0y-APnClhRsYX6ILrWv~LUWqhe@rld)*c8-6P;%F>hoXL@c>7J~ z&NH9XpSP`!oaNKcj*P+a(TlC`8$wcNTjD?h&Ct@QKeH%bEZB_>5)XT)Qc69E4wjnB zI_QOCN1-(?q=}dMo}WW)RkIy>zR!;dF$=ojT=Bu6EhPfHdf&ENdE(i)GUm~?63Qm= zNHkGBId&|3SQ21@E{@)J(8QK<&w(aeWb|0k#bK7-qgwZf>4^~@OFGIAQC3Z zxQ3$*q(2hTVtKDsQV_owXqne_vA?d0rcl(PYkP*af#6+9ol)CqHX+z+YCO45KC#fY8nb0+ zR4Q0iFpp)H7RT0e14*W3urezuzaC%Ygt4)@<;XbZ@wF$h*HP(>@o~m9&OH)|?J|OF$u@zBKE$2Jx1FO7brg)6$o)|tRJm0Bjex2l-g|vSGFb3d7BFm}$x;(}E@9XV4aB#McmOOv5^~F^w;E6Pej8FcZp?%ywxmm^X5%V3 zjwU?iQ8(vDiyv8KSY2*Xj4DPpkJQqm%>AZZL6kTXD4@#LvS?9k)U$62_toYkUg?1R zB{oQvXq=jzUB)+bD#GOw(-D~kHR}x!a z*Qv*seU@*;j$UP67O)w@(iR}`H+2W+t zV}>x6f<4av5)zG2kNC458)zzfi5H3Ve%KLEwweb&f1QpC0lk5fXr^*Y%)lm?w4o}{ zi^hrrZlU*xcjlMzxy3uMG580x!{tcdTYM%n0p1JOc(kMp`3J1~rVMR)M24DfBXR}4 zxun(RRX0K$@p^z<%@8Rfx2WTZvV2?>S!?G~jbPLsKw#wI_E5JBPP6R3<1qI7;3P}S zO+-!8ILBx`797t&Q>0^KL`hGzF_v1*f?b?wdc-G;v#sIi9P*Xb7} z3~dXIrOjklbt7~|Ky7C5Z@y-*mEbmMMqIr%3qV^1w4t{)KanqMOk*R=VEXu^_Ylu> zX=)svU7GW*{itiO&Hn8}VbX6^iuGmc)`NZ71^WsXW}-SO>lw>x2oX@H!)hk8W$GgK z*7o`4&J)=*jh!-TVaySDxFDU6dyGOW*U~5*j$l^_;`E%z-cV7ub1<+axn* z?!6+rYAOurx@)ztv@fYoZ0S`<$CVNtf}tEkgBaz@KvFh0*KNnA^)`f=w;7(X_ZHlI z!U=wA99Q~X*1E>o%I|y^_~b0+y)Lf83GwBupkO=f`|?aeqw%rZjb63TN|~HRYPbB% zZ+6)ZCL~!Lum=~1kFCfNOLV7?le1$PsL|~wQ=9ML&T0;sv%1={jg z*~Fcmw*;?%k!nb6_s|N^ydqBPm!5q$S{D)DRn)^$ItS#(54E{QR_&=M_O=GsfQ{ERRz8ENt0@{TSTAX zYaNDJxRpHOVNi}YE;xzPs^_;H+hgr!=J|#zw~E{oJo1ZKTm48S0Uwhh#7 zIfjhv8S?FmwhXS)gX4%cipE$gw6v6{JUQjueLq(ffuJUg{+$6O=b(sF6KMwP+dq`% z#Nz2^3=m}m^sS^*hZOi0q!GFyJi@V0&$w|YH|^Tb@!SvZ%Jz-cOY9Gt;~G}KS2)F@ zPG-A(pTdciALvOA5uQPrB2GLm_*3bpHWRFyW@9Q=KXnc_3_24)PUoxvN_QysFd1(OYrt>47Dr*DZ z*)SR?a^rLAAEdFyzv7}9ELq8v`n!OCRXyC;PZX0w5bl9MdTebCGa)4==5Klso&?HZ zH+ADA3rV@=@cSYANP%{NktUQmmhb*mOA%tQkaY#&2UEHmjLw!Q1v1ioYhQ#LM8e7y zuFBAfwEyaFRC5u6T6gacMHV80Yf7h6npwH!2)z{O<_iVeq9+Vf0nJrq3c2(>fkIPA z>>aJdZR^TZQt<)FvtKs<4en7pI?{r#Zh8{NReyTS%7`vfU2w&|q4!S&&apif<> z-}X73<-2iTcn0_sSj5?bYzOj{?jTx!+`9oHBq? zWx7H~orN3OB&f0Xv)}-H`tCYl4^d`ljQ;%*yYn<2<63@byp$E>T6>2RK%2$^oW!48_BUo}x3i9XJXu_UOoPXRXk{>mJf`HLDO*M^%bDD?l48#BgVILaeWbY^jKZXdVR67&T2gG_ zTQ`{wda%sQO>?-G5FAmP29(yIx09x_fjww!a%VI>!MIlNT>vDanarag$g%6JVHJt*b+_S!ekB=yhh)E5=hx>;0PY!8BMYuDphkbuE_o@#3w zd@Wed&`V*wly%GKJm&z>@IgGZwe$1GM(8Eh_x>ix5U0O!{sN;fA#009awKOX`;(rM zUUF(eTThuyHblw(WF!s`#WveQT|o+lqkoq{b8O-XV9e)zvMj-^8bz))18WV9(?`Mm zZTj$TPz9}|cqp+7RUO<9$RU4_T~a0yMzlv#Y$K7>+S(x#jB#OCAoTABSG%P0^&aY^ zTmNW;Is>%0^39^8e_&+>zFM14m4!kgLI?e5WR;QsaDQ529;1dX@mQ{cIC%s-@OlgT z_AB5Jl)ebf?gida`q1;b13R0s^BdFE?uVc#jIE5EX^LDRJ!))Sr4hp4Z`1wyM= zC@h>C)XWkk_unp+D(E)LPbJZM;3j5vhwEYE97*AXWv_UsiLHgHfg{L z!B*LxLG|n2HHU)6@E&so?xK$eZLwu4MV^3#{hY2)bR}#CK(1c?ICYeJ{0Y&Ue746r zCsRECyy5oWyGFh{*iO9M*G}*&oncMxf8?92e6f4y$Wd!q5GOOLp8)Kj;&zbEgvxh| z_3boI<0}a${|6(R^d%JwX^UB%=AHLL!61F-5Jf@(b92>Ex6X&|PipCDicS-MP?qdx z)sRi#i3^SptY2rUUUH~{pR?f+v+Wb2HVN_3R?u#6Hqmg9bEZvl7N+$H%zMTwPvzr< zM??kApifc-5AH7&vxXj?83(OtJTerbxn$^vToXXmxrG1n;+u-rlglcDx7)hUM z;h0P7n*J`0{I=cL%lE!eHX2lAVdNWcJ+>*wh#9x36^O& zp(>XSIZX`(=ITa5OvmmF>Y=XlKY-?5JsV6U)GZOP`ASasn9mSPFzBSD3&uKC3j%Xl zgP7e=Y(rH@zvvXPt-#4FQK2*D&Y1YEtx8}GA7)CDgk2*sxQWFDLdCqXv-R}6d)Zu| zT$yKZXCSERwbpH5rmjbqdhquq#_`@)5uROD1Z_@T6Q26bu`nA;u`LmInePUbdG{=3MTsNG^#bE>Z=Yr8?_h zt19i8RbMaY!7s6+K~*NH3UZh|LdCB~AikK#6+6;wo>Y_)lC4 z-9r?W!C}55(deRl=&u91IM}~$?1<((V^ZY;T2iJjiWv{DfNUh7Wkb~@NUkjFKR}n!T!P`z5^))u^8AWre-m}_qD~= z;uG(QoeXiLauPq5Dx42M7;o|SkJr&f*ZK?W6~C9M1mAIYuwXXvu`kOLltpc`o|Xkp ziA)x+zRixoWCe(VVaSw~AUPJ^v1utqakv^EA``B)fIbH}P!y_NLbw&AoQ!4CQW_uQ z47a}Q>bcV}r|PgF@!0HF=QitaDv93?DDTkk&^-wvV;t`7JxN^0ho+PWa}~nh2Pp#A zmdbV-K!^=0$RxVvpy8kiX|S3*#5khwMW9V8x|GjpL_S^*hpSC@Abaq?#3X?)nO}v9 zNnC{@sI}T;LGdyybO%r<8%?mi zF^^^o3BI$%0v|CW(%4uZ4&2_X#B6_QS@5@f-cop8i%?$2m%$V(xDx>yIOVC5Tmf_al^+HSojqNb1Ha`sdbXu&~wVwAwnd)=IGBh`{pWHF6aKqJGj;8YIh>w`9vT zRZO5$j@M>gT>4l){u`pe+e8pv=K_PJatVq3yR32Ok+ZF;UU-%tA9A-Xs> zzPH}pjYu^mx?G#iI4Rh&Xx&1?mA_BSpqlH9X72W!p|{*C%F8sY3))yDeP`l`tuo2f zr7#QKw@AWI0-iG@w6vxgG--eD{a*F*2B1c8ZoqGCrb_Ct=%8HNZLi86}Z z6VO{3TL(Opi&yI^$)L_yP92;0RUyMyh;!C^97sU3#BK8NQaHgnO{!R%N-FANi#ntI z!O^~?wMBAe9k=>*F1VZm>2vBtk}`#Nxd5T_?LQGGYqXRe7C;l>5KVZ6o>1j8+g1*% zA?_M2tA|5WP?mQ_sgjo*c-Hz4lYiw_7B&RxMT`=7Vd%7`uEc**X*UN^x4nhv#+-jz zoPU(FY3oiV@V?jblVO+1kC-AsRzvPQ+?f^Z;8x2>3M|^jV~I2+Y@+vLYC13$SvrLl zJXb?0Zt4%^u&+KVg3mS~g@Ds;&z7OR%*7@bBKl~jO;*}IM~#w3Sfx4suF$ZZAtszM zp&V7cqLDT_on}v;vqgN8OK79pA0ECIJZJzL(zf$xyD3FW^-~}-NcD0dk|;$94Crpj zG4eLp4?Mgd1B*;>U@bx^tOQn#EKeFqnJhb&9;xSzTw<`}Fpx z6tf-v63xFhadkB63jzi;eJjQ@RnIsH=k$#%aa{wQ;=Tq3^h?pjeoj1*MTdQ>ym5n~ zPCQtKUUmFT0-VU6#x5>GSNVepDR|0-RO(x#A)sg$(_S;Hyt%;wuJCO#xXD%5IUU(g zs9k%_PNg^fSk1`*GiSqWR8g&tvc%h{M8Gf&-4fd+sY|w-Q1S!7E*_7%qbZnQ!KMv$reFb; zs9k9e*}^%z2_5C!REPwPto5+(Y^^&&bnaPEZ~ZPAd(+O>rNF@?a-(Jw7#Z2mVN<3t zpy+<9RJ|E|+c9d66R#mEx|WhG8pcQM6kVYtG4+K}MhNy@-xr#qULVlhVl+`BiVp9` z^;jB}BYz=Bz<-HVoq`Kl=55)+iQ%}YKP_~2&g}RgeM)(r(amEzv$X-Zfs_(=Xtf!6o z3QJXY2)q{*{%J>Wbpg1!ik_43f@MwNJO7BB5Q{;YRiB1joK_7B%tf`=_WNih=B?7iBkf9#=hY@J;Mi!WhazL9w zk-pW7$NGet)^M1BDm()I8kvQE1GL;7T$pYukn4HM<*1A-wK8ejGjve|Rv@vbva=gw za;Z&~u}ibixyw-5-nt=!7yZSFn`MQpFQrcf2);488naIH`!L zvb5MbG3OdX|M|X5Ra^6xRh~T$XXs*pX9RcIgIrfd@w2U!>rfUux`v zBs(WYxppIpB&sx7*@z_a5qrZv^9NmF>>(l;ju*Koq2-iS=qh@Ff*}L~#-K89vDpv9 zL0S7#>KnjzcNyd|R!7#Dbjm`xyhnhvdmIWJibf~^M63K~aoLZ37$SO4{$g}Iua(I) zhpjwL_}>593M8=989E!RMILg^n6jl*^Gx&Zn$}h_Za8H3wfnR7@zV3Bn*N<=n{G7Y z*sj%G@3lG#@iCA>Y!X~-ug|1Tu!1HfC}6gF3u!IY zG;%q241?>u$x$TrA-Q4+nc$a2iALzm`;KHsoXy5p8wfPTfbihY6{%Hyzti=9O1p9z ze5!i6^7WsIado-B_6^4So+u3qa?wT8{Lw8nb@AQD_CFA=e3Xr*s8E^indutxvJY}b zL60V{kAW>9&?t#Rjqeo>XmlI5tj9N&ZFINfUCr#h&?R#j{!M{@&@u8^e4c!G0WFJiG}gPM1J`gQng zh#MRs+~i5lz_b$a7SIqOnsP$P)~>j5#NdUzz&(-(v^Zl@RW>HnzQ9HjFZtbSy4ya# zTpkA3;e4EXxs_gn!p&pqT$Vi(Dt7vF$b9mrO8{grwdx$+Iod_0-_<|#sY%cbjL)mzp zUITcX{hEt0Qv`zIEmia+;bBUL{b;@Dg0t(^V~U!C&T0Cn^i80zsOp2-_@q56PEvJg z=B8hF|MXTrXrI$MQt2Wa+@E!eSx+2OqcnfX?w$&nk!WA6|G~|$FE%>?4UG%F*4gW# zsp-`5$G!t$x-3XiccI@WmdbeJe{qy=FTEGdXqsG&eKh8zKrmA1Mh&Sd_$etGSI6j$ zjqQKZOvSFpb`%^K4J$~XVJUnD%J;93Rmw*S(oLM-8a;HU1BoJ3xSL99hE`*H?|*EJ z(HPPui$B2KV$2W8QM|xHwxjQ zXW`0TA?~%BM443iCp@7JDV<=EH`I8*_E=Txa_5ur%Chr&gsiX+b7_tb?PVWhZ%{wI!mSd@V)_0Df=l;R?tJ;@ zt^j?5)#+EBJZb*$_K^Lft+a$XhYxniqgTJQIkG5&?7H(;mXTBgx4M&Qp30-W`!l)E z>q95(q<_*_B>CGd{4Dg)c&f_4PT@Pu#aIRP)mXp6Ow=xgs-IAeDdfiO>8g9sKrG%& zDNCBDrbne*@uR%rnrs|}^a$nI@wm)8^VuK0d1Pf8 z5;*1S<@^MA^^JaUmgGl|`GZvZ!zp7zTj^BRfoVexxh$@gl}GFD4UX(745)SD-Yxcp z#xA{o=}i~ZD}P8FA#h2{H`{Ht>m#9(^94e5OLt}WuZZ_9Jf>u+9~4}Z^>9-tY|FjZ z-u|!XBCvyDkfV9F_nL%lYL*JPS>6oKR|=B7{h-cR zNmg$O|b6r-*PU|_XXg~Cg5y11s=6Ut*)=q5X6>noma>T9Mz zXR-;d&kVZXrk`WR(~aG_#i-#>!nR0-a_;){OY(}bG{AJrrUonCx%=``il<%e!6&ma zuX{z&dmRw|=sf1C@sdbxH4Wp8?h6z^c3Ds&@qY!)6UC zG&T~frBmwglQS#FWqXfezm8-Ja+n(l&uZCo28p!cZm~Gu@)gG8xIKrZy2A>YzIv`j zVc0B`DxKs&?KKr6qrxm=0S&z$t4`C{Sq$_$!3i51SYMJWtR7E|_ppTVJWVR}!$>WZ zsc}VPLWw|m{yvLO zrHZ{mq8UuNDO}3Zb~}BR*R+i&Qt|`^=c1)Y-(e9yp7!nEx-)AU^a{0+*CF-*OAn=F zb-F25&Vzx|Y+BElJPjsMT9h+~oYnq3MmJxG6%oNU^@E!W#q-cT6XG#iw&kzUyQ==(h01>5{xHnWH;M1D^=wlkKcHh8xUVgLs+? zI|r?m)imbfw%99E<25w=NqAJUJFTrZ_&@in;5X{|z?Fw8@%@z3J~ea6Y+bJW@UfgE-H^uYX75_H?+6(;t)je*nIG8Dj?Ll?g%YCf$obswG_?tU(?G6htOPXzBc^rO^CL^ zV>z4tfzYw#*S50UQ!x_-4caBFxI}@!1^VVblXt=2tdS4g4}_9HQj?4TjI{gbEz0!& z{gXI3tOiC%4Y6b=*^E*uS_Qkx6wF{}+cLnbuN7Go+ z!g}fMqu4gFH=w`3IUght){&m4F-24MAzTmPW3vL5aU`F?kYo2|G}InI`>Ub=ZYtT) z4OeB=!$aJe zJbVHmW~iBBoS?V_Bn#jcTuu$0OCv+mN}rzWZmpTp6<`q&_7nm1WeAO$C!hry%C>em zeYQc~l_U7I<4vNQeS}O4Ek~vZ<#~R8I1(=3#b8Pu|I|4<_;qAiQ?teM7 zphE+^kYWEk=*%~)39MX28S@xyTK`qu;*~*A#pWxvWpwrx!mk9yX~|e(?x9fI{PQoc zvMTT0;*qrq8Nx$R6v(yjWk#-M3BageY&F(;f6SHw6p(0Au>;W^`?xr$lAd(M2J7Mk zsIu5~)h2bwX5>+XTMj*mwmOV38pEYighv(AWx5~y4=K6IIo%&7vu?bQyvEPIo|to; zuD|k8>g}%!URk}u=+eelQ?Te5H1s+6Bip3nYPZ68g>nGhtTPz;Kvh*lIi7aSZ;wg4 zAx>$C2Br^GSp3yi2iBx!Sv^*aPm%}hd_Pxv##UBPC1=4A0S!AJroe)S*kD*+SkY7$ zCsp|?5=Ihfn5j6L9_j0Qp%)(|_==o?0Iwkx#RIidM)EF%J4@Wd&V3YG`dtO6sN`_ivDaUm;h-^K^Ge>-|z_?2@%lo~r35_kfV5xZrn;@K~Vq}Y} zY;W3Gqke)y*<@C-3n$9V#)&!6USKGIY#G5>bzM|_O=Q;w*Rl1`fuOy_UA-0ZyozMF zBQci=Lv#i0j}!!GbG)1@#Qo8F*z~K3qoxt@@Zpgo`qx=2_CB1$`#}D+ZRRt_-sZOL zZ&haG&yDTybm2Uwb5rc?EYHr3sF^$*@!?`imTV&!CA;R-p}H+gNnAid2)d_L#t1c6 zyKhbbLWez6?G$&uf2PvMrk2@&wKWgYDK8K?SXrX>UcjRC4vv2|q-9Y4;_-pEMq~~P z>~C$xeXCs?A|2Au8?oTz0{v?IwfvR0REG|lvk+G_ZX8h$tLZdA7DscPDi+nVRzQL~ zzz?ruOK{EZZk6OmYsyuwZ>ZZ57Yj&^4ow)}0M70_5RP+gr5Y4s8d*GdM0k;UidZ z>+0WvyzH-EUx)(+ zE9`|+`N}djO$lK!Bv1eGl?D?XkxcC zAFAV}EhP4N(#c!(hAaF4esgY7)ErnY1$C?@DsL%-SqM>w*N!Nw2B`}AtXl_x` zM0h(s{KlQNZ}dvOe)v-vUsQ3V99W7KX}P(9`r+IPzjMwPJFyPH&SO%setif|oR8m| zoqBy^e#jWJ1J`#ua0CC7lNU(HX_@8%FjSDGNKLXbLr&qg>@H|W6WeEjk5 zP|8)#dD8K*(`ctVIe%j#M5`viafnNd12D-vy zIOtx?Q|&vio!uGJyD~xbo-2;TCv|{kt|k61 zc<<((LGDwyVT{AqVDRQ z$q$teSC(>AoW!+7HD_6i4l^1KYsE1T^ypua^ES&#EPXh zyW^PF^C0o=vdn}hKwWmWt8@nCg-aa?>NIV*NsfLGdBzt5v;|tA@OY|EeX3+HmBZ2{IDM$Q4<>C!t%NeZ|kL`q9L}8ETf6T zP}%#?P-`pz_lX|XSo~Ckk6?U+tS#?@69C5GOE?a=1B{QoQ1BT~>C?log}1+XEGc1_ zZNPBAjxQ>r7L&A5K7d8u(7cx#G;OpacACkQB1{i!q3X6Ql|AE`zb$Yx(TAmzP!+&lnu2)x2ZHA7Cu>-L@lG z$82 zn^p{qp2*A9C)JBcV&yejkC*i;hJSNrmZ#xoc zrdZACq~fzVvqy7~xMQ~BpD0lzD^_+n?0~l!j+?0d^SmlTvg;ln!;`rM0qYi}9fRw1 zxON!OUV8qE`?;r@t?yqdk2=0qxY@$qLa!+t(v|jsEfMDZO`MdS0JLcmJix>kWA=Jj zN)iL_>J3(ad(oFi(ABs)UEqIvgLpb?FShOwh^Uu#*d3}%q%~EEtMSq9$KicUtLX)$ zI)q@2FNnd8B@>3oRzUL0c3^BWe4n6ZJl4eVexePAyUq|{l9aq%JsZCCS>O#E89WC& zF|izoGiQ`$6tnrPT2@wrw8F_saBq$Si;4o9=fAsu#>U;FQti=GZX7QxR=EssH@i#^ z*kTOkvEN&TQ?`38kDZq2teJ9rikaf`Kh@DDUfbPUdk(H9;Kxgj%Xfv(fnC&~cX}@% z6$Jg8tDxY2SwE<_3^>wS_NIjKFK^vb1y&Bc`5kZKZI$6(ww*riz?#?~5gS}CPh-^v zVG5U2p|Fb+oz>&rv{bZ$6&1f1WH?lna;z4BAJ#jnHts<+i6*V1c$r8zoZM+xbHQAZ zu#WTjzIY1m-TiH`3nr7(cBu>U=rzM zMO0Y`#lX7uUq=$?WxQY!{@=j@I|O5ZF-oLFR%Qo(%PiKAQf!xj=*m4M!tst!{23?7 zvpHAoY-4lR)mT$UA>I9!=-8Z!oAm=&mY%x{`I(d56Bsr@`7p_JPw#ooU!aTLK0Qo zkSz8!Wf3oeP1)Sfd>d>$mCsm{G8S3W7#@&cWuc=g$Q<<^nkGFns()|P zrBo)`KLPqe)+VLNk30Mc zj*$<$9aR)5s0y~idOx97Z-)ZSue68K)I}Ub8+hs$O7W7hEUkrUZ+hTWNQt`3ue_=8 zSYl!Fv_U%=8{U|)nMPnbiK)jWa-4=@MtTX&R||YNRcnYR)l8JP^8YVRjY1@ zpAe4er%nd5PF>m!TGq+MBoe2hd}l;gw~_ft?QFP3(j85)L(%IgN$Xyz2c>%fTlKR0 z#P4J33!jS~{WHaqHq+t2*CiKy*ZpLy;YnKZGKM>zAR4Z8)$G2`HQCFm zTnz{-Ha@^!TT~$q_g9YW3wihcT09{;g1fiQy%2F_t-(&nXZm#AdlEsI8i6Ju%3#fj_7jD0Q0y5qt-vGpj+aEY-D`# zT}loz7}^H?fRRJNDnJEG@LZO1*j$C+69Djm;Y+^-AS2y?u=+vohLCu2^dejxT?J$f zbiAY^A$O`C4Fa8?B<;qH4UM za_r;3CK*tmde0#Ok?HFVRxDHW?v4}Mk%~5~CXwuzrB1mBIY0PLw`?KL79GA{ z&av=wUp#ml2yfM;G~>?lhGbrL8YCMMEW`I{%~(wB&m<@ZpIp??9dNJ_9V*R)xGG$~ zMLEY#(o(hOvfE)Un%;JBPc{6vs1M=_i6eIRC#hs1N6#?oorFTVP+WdSf8WCJ97GWE zp!J&;QyAzk1OS8HM{cTM;ssL3j_yACP2b03<+SNF2~R91+Mt@Wdmexv4y?QH0AoF1 zpPgodyil->KNhomaG^nx4QM_J&QYL^P=Rs9Ld?E%AMTQ{{j?w&f2s>^D!F%>XmYHW zbSUBC;!g9Wahn)QhJC4!h&P7;@$XjQSZDppZubZ|n19c9QOVP-(cuBPE9Z^kMqDC^ zLPx_er@EVdq@|pRvT!%N^8G%i22%4HWG6fo+c`=+Ulc!W|Am>hUe^wNa#_8va?%XA z+F9(fB1JT3kAVqq)(s+5G}gWWD||6{3ov2>cEuGhKAai6&U{VG-Y{m$BdzKV7e;Vz z%SDI#$F3!Jc2ga#XWNsM2M7MLCze_)8W77O*WrU^pfT-LYk<%AYq#t})91yJetC?$ z^+4En-BNa` z*_y*_&u$0eH_IomX2*jn283RE)~RKI9rz2FqmawB)80tLL(FSmDoyR!5%vFv-#rYD zRx*J9BzOH`>l)w#4AdJxt@S=ZJ;Jb6)lK{u)}IV*KQU?ZtxE{Q>_rg{FsDFC)@lue znU?jE9=t-{q!D`zlJF1LwA#3q=1Z$bK+T~0;J2T!$TbT>c^X;ag~SF{gI-Ro^O7g5!(BAR(I1!)|z?eoKJ z%yTO*THRugDdLV6E&enIZrO`o0Lcm65>tE-6#n-|P-zE#n;#!gaatl)qN=uoqY8T6 zd|^!{B=PDjXjZDawc>9SqJL(Rz7d^v*zT|(0Zx|9i_@3Bar?>_)kOe_bf85?Crx{= zO&;q_^gez2`mWIndlzIF0mq3oZbkUmCw3>TFmbTZzs-3zWHq`6eY)vkz=o2>y zK0rjb&a^J=)R0<9AKoMjk=i%(LcI|xo$ycT5M*-F5zLjrjKApE*}Cigw@mT?h-wh! zYtsLTl#@*vq{hfnSLU16(o!KMFTf?8cE3R+7&9Gx^UfLwfjW#Wbj_)0v`o$34#6d` z{zgBWvaG89=3C9=+v-jlEI8N~$%y6{6J+6Uz(_U1_*li&6oKc5&;>;QvlphFnf@&F zU6Zx)>XUW*#vd8ynlB~u&S*D;eX%M~yRc{1b7}3d9yc52H0~T$zdYtZO6rg1%&}qe zWZ4I~9HkA~a_R2HmU5xjK)025tra+LQ6o`MiAKH=bsX8I+;NTey9{Ksl$Ip~27&J? zzI3XGE!Zn1V`Uat)t8-v?XYt6#(ukmF`pQRQZ}Hsnk}%+z@I=}8wB!ZK;%Uxf5f^7 zH(olrtvrQ!D5Ax=TZ)C1_hz7J5A{bcTvDBrqjx8O=n8NMj}TgDU_*L!W0!04lkFqV zWI&nO1&DfO^ox*9lK)^wE|ON_{r{&IAwYP96AWrMd%8>lVsXXh`{KAqQF} z5%%>l>qvHZSG^BU%z^3oHux)&giqV~{uboN_c-sao3u^t{?$C$;L4W}opRfp7vwIaY+Ch5jdlsr zXH)ne$KS!cml8+2zfh#G_4<9kAn`x5(S$90n;Wa^sY&)%nzO;Vm>CS>F);7e zzgy|fos<5S8XyojxoBDz0HHEOk#)u&Xc^q_2}CozOq!j;dTCu>8otAtv}}{#;ZvOw zH_sC6xl^Z);`Vzg6}?pXCXL&2Y5{(h7iHrK48=NMd!UKtHAVu-S=}-?`i5`xN`~$8 z#d{cmW%SSh^we#LVIS1oV~DR~*bXq~l9DueYU;2RCOP`M@V{F}S2ck!i-&Iv7qP$T znoH|KMw1)}y@xZN^;qJK9eP=;;bb|bf{%>;;&ai5?f#-y^sgoJ zBwQi}oX&=vrLd5$8s=dIX~JYU;QJ3+3hA!JMev*=+kyHk+f08+7k*f^X)*Y8;`XY6 zN(0vH7f4K>E~PNLBys112i3Wsn@^{gbvq?_1$X|M&X+0f-nOcyitERqjh|{LtXO3X z=fWUaBOADLx|Ady`zV7(XnDNR4awi!cS8_MrcyTO=6y;&^!M&Sc2;!h?Wn?XSV?HU&{y=<^ z`b=D+@5!%X8FC_lQ$1>kEaS^S;#m>9GyE<~K^EV;;aQ*t5l`v_8`I6i`)BLo^84U` zwYnr&r1A9q+q;(p=7spBnaAK)#-~EV(1w(JV7>YPlP_ z7=3~ou9R1BO720Mw$o46X#np91B`mL_b>dRns%E=+}mBihU}h28rK`*nj~M%0O^dK zAkxV_Vl=45%)#50z!^4pVykw%{O-}Vs}Yi)?wlWYWqxctXe#Y9+*&+7*7p1LG#844 zc2IfaXh}ri0ixfkW4~+T_+vf|3F_Rc`4seVv!Raujw^L~{V|2`zbpXd6Fa{p&cQ8c z)@}7zz1IP_Z_AmajxtFR>9@4?luKb|_c~uR&}KL91qU&eJ3B`m4&O@dYLJL-{2d;u z9%M-Pp}J3*ndHHS31C$E?kIPc>L^9{o3wt`JHP9P~S0MxKOiZlY(2!*ePo*E8!bJaK@%w3F78X1ihF zp8h}6Niu(Anj)$6l~hU*N!ePg^X`5=x{>_!zt_Nd9nkn5m99Lk2@0i^z*&ci1F`Ft zs>G&+r?qT$D^N84!b^Y$t3uQE5+GtvCfJ8`=)?AW5hph<2Zk-u#aFbv;vn4E z-0!3QT$)%I-V(_k9PYmvM;rk<>VY-^q!jA+ebs!tGyP9Jbcv zYBvEECtk+)9oX>o#jKOt>aD)EI4M_cx#|JUlFznnHRCOPM)DKCr-li_MdeO;ojKc7 zRwhif89Lysix!nVVgwfcStT03&2=F>OTiYAjDE4eS{RM)-ZR7G1MPw^T0=au)|AD2 znUf)`defa=v@f)?*FC}SI=+ZS>d!uhjzc$z4=#dy1}E)0hNk(G?q^na=06;l-Y!mn z`_a3>z9{iYFnX>ogqNOR_uS?m%onqk{x(2$D^SoRlzHSvvB7>HRcnwZ;Y@|34Pgen!(yX=0S zb3p2(ln+Eei4G6-e;d_%cWrr*n6mk#5SN(zW;^m^P>*+j8&J6?*reJHK&9fYhL$Y7 zv|$9;aX&zCkb+D+raTJQX(V32uVSIvZ{^gO^7>6@yR4Oc{Ns*hGgF@Jqr%)$Q#Zc$ zF}O#YS=kIxIOA(tq~y^^3Uanv5jU50JzQ<&6$_+Rj9C=lp_EMyyf=tB=C+qh8lY^s zv;<0`S~aJ(ZuyINhENSN8#7_#@fO*@9+c6b?K>dh*?j!|yP;@n1JC8L<1_E&T`oM) zepr6~04t{`ZhRj}*o4Hbuclxp!i63DwIcUNzI}7tsIVXj%!nu4D7n(@MAA#{YbgjX zN>D4EkySvLh6qKTYW0a6CnTh)B7vdNEZ&USWL8LPTJpO%;^8lQjQwIefPs%SQ=I4x z3nb==Xorlt^hoGneVK%dIJx^y>J@-^?-=aG#r3-YFh<;W3pP2!^QRHJK0u_ht!tlt z;Qw7#knD?vIDlx8Nd>~BwCle~0>S+MGadw{7IUnnerdDqMgM?4SigZYxhm-B{y#s0 zWYP^rm7(W2+Iy&!O+)H)P*1CceCB~7O)bRfYz=5QNbeg$in=`$sCyHRG5jtG*ql8P zPGl^tmNo?Oc#V7@3QyY$6$#73Jt!nYc*3H1OtBEoYjEBBbm@yYysP9s-owv6{LXyt zuyka+@~P%|h8H7^bBVueMt}G(?>5_fTt=VnbbOZAwl!a-{NwdFdhpuJUrD>2&dIK} z_EbsUg{}xvM$BOb4Jti%vDYR7Bk~wRxK_eejj9p|YeOfvSgj+UP3i1-_w62J#qGt7&zTBHR`bgbu7PIWL z;ie$X*{*b`lpr~A0WIjx(e6h_1zi+X@V5X(Mab*qe_x#d!dRct`O(MVX`PSz%JpNy zBaquuON1WafT5hxg3|PW#m?eCVUK$q5cDjJ>y}?Vb=mUIs^12-3$I==eO$ddB71q!0J3{8z2!w(!|in1?oHb*c5}$Y zrn@dUu-JgW1Atm-U1^rGbU=wH*rHRMZgQQpgr)L?Zg(3wl!iOwUa3n{Kkdj5wFS{G zBI^;m&4)HAhpCV}$-cJYdD7m~n@(R65Zt0bdc-0jgS8%O^hBS+73#l^Z4|31SzmzN z9Ma3ohXJX=A^7ChHweKhQJJxji^9avus#IjLW$=? z$!={q5ARUneOG+M&@umq!YUqYBi^j`N#65`#a5USDVF#b=4?JYU+$8R9u`Y9z+skr z?FCrdV!!&uDcl1!y~}owjQJRXCGMw!xEyx4dWHKhn+!QgxSYEdp94>jll*l1on&%1 zZ7fM3nYHMcl6@NrQ3Ia^r0m~5a4wzRE^8JG$kzO37xbjR#lUNA-w*2WU#`vMCS+uo zP$-R3bjmNcT#Bds*57aPn$eXW&XKlsrg1MRmlHpSuY&-k9l;@lqAP<2JL}KseNi&0 znj!xj4z~c=CYo-3jMkZxz_fWpc*&u4MnYFRU(PXbVT@?*i6cDl*t?p>chnl3i88Fg zQcZ@;0t%%vJlb&)PnNT70Uppt@jj!qQEx~ohotYm`Eexrc$UfVvyl?v1Y~(e#R(wH zk8FpbBygHeq$W-}%lqDblkJ3LM(E|`YuJ;jxqQVAkxrMeaFYJ--!o|vh@W-wR^N6$ zd{(6uxH9J@`+PfXBt855e?$rx<2cV0`Ryal3P|#yF1cEZSb7wkk+9{}8)}?-;|K0N ziHGIZDzP2QW~OoB^Zm<+H=GV(kz#e43#ju|Y;$z%jCLNsZ09l;G$!DLd=|bJ@XTp~ zIK(iIB$g4H9KFP*tl|n|79;OZtp_F?byH9{N0GIe<@mgkGTeyd#V8cV4)$12E3h%V z72;MH5xk!HJ|%7KWhdo|1e9?)<@XhZA+lx=$&$z@Pbs}wJP8L2Pc?tcFp2*3!@!fh ztk))Gt6wqZmnEoOe!r;etXbIPs+&u)p#)rQaAc(PAdv=u;Y>F7?d>@oGZz;Euity? zxq*yT4EJv5otQ7$>5>5U)x5ce7R+Szc>OYc^fub7Fd`WhS-gX-u*qD>qU7deTyMGo zq)6!cVM+kr`oGW>;8tuiZ8eWRE&qT5F;2jTH|#fYW}wmcMFoHH(eJBsHlGG?z_R|) z3X}g_0s7m>t6LcT%wHiSY70jDJok7LkzgX>6WPG#F^d22MFjNtnjgZ&a-uh$dSw zHt`C(3?U#tm${y{3cfvmQPhP`&lE1Z1n}9b9`k0uDP;Zl!{E(XmBsUYW&4PQ3(G3r zQv)t>#;QEtdyBoN zIsqF%$xhOp^yJ7Jdb|yYMxq>9&W$RS#WHujYWl<{ee8QVuu+YYShfm`j2ht^P8@XK z%kabczw&Q@-1K%lLYOCmN~zja>f2o2&$tZ^Vqeesx2rj_FNi8scP{B%vKd&HNEP%< zZV{F!Y|P{by>7>Y@De#+KN!7^%i~T4HWa+pE6IV+AIYyBIAZ!={)U$nwSa;i-C24?pgfi%D| zPA`55`Aq#?KoOsTJ_9J;=>wo*wCyLupDUU*H{qc+>+8V{n|g+Gcf#19s2R7xfF43#x*lY!SjtRIv@fi)6oxz1EjeN* z#r%|U#a)V=-6_OQc~${KfmaafV}U8O79=2?OBROs)YXPG8vixAnKM?Oh&M#9_4Kb} zNkB&*MOzU`$QOyUCI6LCz_N35&gp>TxGleI+6V~C=_JuEB-rU!1g)A$4_wA1d8rTU z1?P^2wTI<|nRv|gz$QtN%B9sSCc$9cqrUA!e-<}IHUX;SsIcyT@mBz=i+EXxqyT!u zK94a=iq?gL;JWG+$-QFg&d@=|d92s*b#h6(U^D);cp;4XCgjUjlZfjJD+|-wHQ{lb zW+G`dNym8Wn3DmfNS~rJcs0LY0KFto8l+{1XxL{9D>H~XsBxdTl=`78jr~5&dIUVN>aUf$)W}cn?|b=K zzhf`h?og?4VxEH;XNmL*ms?(leNdAbVDJV@YT*kfzJI#_QbzK(G^T;zg*f5KL*i5@ zyIE8b?sPMi1;9QuOMOxqWBg5R0+wmXajoYAK9CCoR~g?O`>b~I&E2~|Ce6m~082xp_k z!Ecb00fO)yb!l6E$9(5Dm8QxVYgnw#@N%l`ZzsYT@5?bRU+!!E%q(+kei8F5fwIcP zXeOmZMrIWH?&HPwuR}F&g@oPTAl#NLNc{LB!66cTT$vjUIXL7g{;kUgC6iTW@S|@AE$SD^x~6ZK6HM znb#v8eO2))pxn$X7lu+pQm#IuYjnC~0T#NKy23$Lm76;VV7#VGl95ryv$X3Ci&IC- z$UqAcK_T8dZOLRgGlGF1Um`V$yp1bBs6`)cqYc8^C2b^JQadkBuMxH+?CT91;irl8 z_KRj6JZh7J;rXgFp67es=ADAZ2XMS2Y}7G){%NDSeHW^Ct*K(HTfN%A_)F)4t7{Kp zbd?>#>D{Q{a{_R4Z0!$!L**Q!fHNg(H+19Zkwx&|Pzij*b_26FUCOC}s-dlq(R9>D zbJxQH{|(V{nsASSBt5k71A7kUhx|TMJzi?3f}7;ABr3!&;`QCXydK+o{G8>@doDZj*!MOs_IBx|eJ+wS|E&$=j7Ag;zstQNgIXmI z7^+l;D61`%w`PIQw#*Tv+?f$8T%ve28aCmAeTJm!tCv!!=P9*J^6qL|N6CkdIQPJ<~_ zyjjeZS>W_#cn*J9nl5L9?0$n~W_a7yFVE2;trOye7}yw+va~dnST5CH+z`MBPTql0 zN;_1*3fHO_OqY-e?JSL{FhgB>w8E_3g~i_(@Ss}?eZ4}I zJA5+29T05i_1shj>qojXkGjoDvAm~{-ZDz`(j<8=#Up2{m}F9bI+!K0tCJ0XD(u;SEj9G1j#H8H>eVrJU(HW+NIdnDdFWo+cC^%Xa( z@3vn3?a%MFi+>R0c`rCBO8h!Yo|tBT>W?=@aZc0D5Nn}o_f&N3--<&eW-9`EQ)u!} z$vsDdpNsDa{~daby-JTA55Y1*o1s-btl0ceRY{Qv^q}-?U7dwV>{wA>JVWsH+E<&C zry+Z)eB>IzwwmtJTN*Hg%Cot<>JB!QiAf0Mt`teq8p+$)>Y`NY)&~+YmWxGxc1niT z(jfb+Kk)~6H717;u|wU0w0}@(bmYT*gLcX^m7EarHy*}2yLY&Ajn{P;a(nFEKP)&X#lA*9T>o;h*S(WPQCt zv0X_Yy?o=~`>@NgkKvC^dnsXwYw%A2vEU~oL0LXKkT{+jthtLuN}HfoJUh9^gjSA+ z$tAp_?0X7F@KsEUD$m0HavCd2U2M`@y0U6WN?6O5Bkdn*;XcH}8OfQ;&VE?a;UT`5 z&SMJyIqIxhPmti^5lh(nSMFlhBThG|UtZE4ZV))sOL@m?_9L0})g0uGJ!$F2z&XLM za!8C%t~}jn=|ukh1&Oo;8qRX!lCTTJtIjjbru=x}jxJWd_wqpZm9g*Q!+t=`0)9h| z#uO?%e5$ET_+cNKF_g_oVW`M6T#&{ju5Wb#b+GaxuY1YOu;#<-%N`|j=86hupNAg` zk5oI7Bq?(~=-vqoJd(vq&Rt=frx4eZL=)LmVQ! znm0hvgl8MJWl+rqIV=0!;7%h`d>44Rz;bsZ~ zBYZ4JMd2v0EOm}V)eajjYR3!l6SID@@j%@FyF{TPS5WsN)@@bj>KO30WskaB$Wr*h zvIt=ga9s*3C6*&>2m6&AYM;U`MrcbFa#&(^9WuVHb{om34sqkRi8GLZb#l6> z$4YT5(&i2LI388NszEI8Nxs5Wg*~?4t&(8x?gcLIO$e~%WEDWYIS+hFyEUeTnhBZp27| zIw7OqBaQ8?hf3Zs7rh!-67AY?Ps%;rd4gOU$gkdK^-Mzd9V)yhMFzqjPF=&vl_0cE z0)JDiu+0*gpq0ki#Qx;{aV0YL);x%KSGpu~S3LS`)^WxJTE2VuJ+9MO+&sBE9(x9B z>W67;eg)BQM{5<{19v3A&m9L3VEF(Etiu+;?rrOEGyJQ`7BPRZ`R$}$ivAj6#`#Z8 z2ZZif23feJ4Ir{riM`UaZlnNO6`kp+il*mF}5rzD$ z;!bkA!kiQ0mMNjP_lQ~8$+2d~Bep|}=Jq8$XvgC+V&Mni@{%l2@G?0Y3@s+_M{!0%iPEu3D&UYp`PE3Ja*BYmz;@p{%BOh6sGP9~8onrq2AmGd8-PG=9WP zmn_8#vuHnu{5EsLcYoXwK0NT}73I6CA&tXgnh|1|CADu&TS9m_nluD zS3E9A4iueevw1L9>mR&a@S?O7AdJ~Ug#iFq%eX_-x;_dnT~v)jaU?;_sDAagn8X@+bV2K ztb}x}n}5}|>KGVxU>a}AdwOkQ;iejth8Zr~SohdEX4nGz86I2OCmy`T`$1QUuRo9~ zObX0;bQ-h9BcuDNx#rH=&Z@~?c-o*PocFWV3|o8POl`dWHL^7IwdlpvH~QDC0q+CQ zIT5{lYVAAdXV~yJ%f7n8!ymHMp6CvzsGOGj&vavttr0P55xRW9`6C;Z{&8B<=3$ub z(FZH|{kK?$in8AjO~(6jbQVJ;?xZlcIFIgH%qV;{H=rMCfQ7^MyPLxM5XqzJG_sc< zp1Ld~zo*nPB9B?ynSwS;jqD-DJp1ADz8Fee5R)Imykxc0kEFe;DGnYF=`&>g>lVpwDVPDx$Ve1Aa z98l-jl85rUl0r{qHkd4qR#TU$=s_&i*Mh@T(B9%B{R@Pi^7eei*CJESMp9+k^;9$@ z+EadvQ&3G$)}C^yD5E5%q7i%r_>V@$bXPKd70Y_UVNE`IaDqO9E6vq0VHlZ*3g24* zq`r~&bQV=6mg$Qd_{3MGS%7l5m2hhgqc%P7FGO_n3UXQ{K5g0#oPOynoB`P7^S6qjjCer$de>G@y1>b94(K;aNb!PTTO`fS5DgPV|MAH1R>*5c-9 zd2S-PHE_+7Fu4&Y?6PR{;sl=+iak90F{0#?K%F?0+|H4AGJhqe&`Sosii!OrExp)GuZ&h-r=M*B2)G}+x3cg5XF<#o1^b^A@Vukbr zuCJC|WN?l^7sJ0y8Q59z1%O1trSE>(`2Zft(*ucifb88>!clPv+^=(%ax%TI6g)*z z{4Va28urANz+qyo^=oZA5-yZ4#05FV8H$lEi7KdY<=Kyy zIxT&qt9vHa7^h)Ia*uGr?;`irx+cjMWe=ql+O|C^nTd@lt|Uf!-Ljed@fZO&fE~^dOqpnxP``8lOgmUL^xpDqBh?~(yZ=*p=u{)U{NTB8s}elQfKf;r#brV zMPg7uL4C9^!(PSxtEudgnppqM-(KIvl|s39!40&ybcOJ{@_k|qYbYQw6roODro6{! z4hk|RCKk8oyoE~(;X6A5@nE5DYCBSm#z_7EnTxFSJsN6~E|_Lp19wu18Qc?mLDvLg8rgFR#V6h9(6zI;&bO5d=IZX zI%KDYigmKqIq>~NSsbh1wUUlk;8&!|EoSL5A(I|@73bo#8VA=F$+hneZ~f=P;#GwG zJDOk8stq_ZefdN6q`H{!kUR1hIV9ALM~H#jht0yX)`&~?BB1V#Zxlz>@Um} z5EJ@tBW#0HIaPQc9N_?tk#u}kFENbtF6^q46t3n672jI(b;sKG+~>~Y3e0cNWAc=( z!5+XzwL6%7IbzVH{)XD|BAkxHsE&qE#SnOmR?z&`{|@mU!Wdx!M~_31pp*m$!|gOS_* zhM4$9F;Z*0TSdDBA4Cu-JfV!hT)oDbQ zu;NjsaB&ZEtj52$G-Z!axR_aY#lSY1!&}4gzg6P+%CfgerTQv8f_`^rvniI$Vd-z# z=JKv!R&Ur%RV9_u^)7VYvrXm1qNKYWHth;R!_9^vn$#^aq$$U8@|KdLKt zKw97Ai_b5H&F{y~*DA?!J%} zVrKgF&B5&&%2el^ zyee&e>*#xH$pqY^^90Dwe9GkfN>^opf=3|LZ}CLi{jNP+vA&lmgz>*gvikg3_{pxw zYA`urv1qCIQ?W)H$<2mwr8OffY^rn5K$_Acvxv{hX z+SapLbWJ-~d!VUJQ6|>dpR* z7LbfXw6%s;DM*yfDC7Q&z7&Smq>5_%#{;Fa0A~JX?p^J)KCmW3lSft`t|@8gn`%MC z?%SyN2Q7MxoozG1SS_laFjmMNa#9E*R?1}tdQsXrOEZ?za-(O;FK7TCW~ z=XhIh)FZez=_n0!56?;dd&gQcFrscJEZ?p8;pBFNt|DBzs$EQEOe2b^FReXAHwxiE zTs}$)e5#d zqb1gyGa0+a93M3GrZHn_CS8mDZf#CwXrfin#O7TE527|YA!92!q~87XWfdT+X${e& zq95vj?mNv8`?^8ZX@tb~S*ynXBxO?oX_ViS6CLJ|%n5;RwzaXFKf+5ppG;Z5)nvxB z`a5lW#??{BGza3%-ETGWm#-?bXw_8WgqwWoW>!SakvA(ACXjkI5>K`%JtSsC6Tu5} zi5Vwk^qN8|^d{Zo+KZC3IRqqtAAmRB_X!z7UwwEK061VU=4j4WQHK{Im4yIjS|XmR zRt!9@Cch_=FA2P@ssuQG+A3JY8G}UlxHJz>nn-czr1S%e*02RmW$dR!Q2-7TdSG|K zLFlLkC^-xRJOF6jdRp`W47{jm`hCMFv1Wa(VIiEM%F@@FARJX{!$-yKV20tq_!n(> z2lNn%Co8dMDvJ_$KvzR%;a6FM+;NJu1pg}SlX{FI(5dz!*s_B3hPYcn9vt;Fdh>!) z<+O;exM192i9`z(v{y9kRt#?@3B;VY-C+0>mLMoH@^kmtCyDw{$s_6FXT`DkJ(d*$ z9qn^|o}yV1k2>+;6YFLmTokKO_(v0+zEd>Jc>6u!bRfTRg-PPyBaV3vAzzi>KW6-P zrFxo$!h<|b{thg5GOD27mDe_RrmV*SotDNBK4w(h30Y0_I-7i3^Sc??;smr^1G8l1 z4R?epq4MmT)_6FxgtVn03RGBaxKt=4U=PDq8!>6V?6UVcT@7M2pS{K4K(D*+nY;H0`|*k(M8~E#cw^_5^1RV)74i5D zX+LaQ;f5ckN3S5*_QAFB@^-MMvK@PC*V`I2*Y8KKJ~A@)QS~QJHr=Z!i@6#G&)2!a zkSqi9Bjoeis>fzcyf8GX8PtkEje|K8y7^_Cyh^om#`C=IFHTwi`hi&@N{Y%D`Xh52 ze`p_6*XcwVcXUGJIR;JpGM~*9+TZt2_fq!*Jg3R;`ku5zTZwJ$3h3sr1e@>}aA($1V!+qGi|_;t zi20~@^LuIs|AXCHJt?NY#&W-roaTLc{!D*e-HND2q{Mf9_oa9-{czBKi#Y-RBED7h zMBIr-d2=hNoH{$LZict!LQ}8JC+h&yzWOukgnk2$1QPh@RF>#aazI^|u!6NhB{|xA zB)N*ZCuHsWC3(k$I)5rDhHc+hNlPHzV)X|vYPrK`?0h!jB{8nJBP1;s?wVmEH4`h@ zJ}ahPgwvIdSm<+Nc2c^Z`oh{~^T5lC_7LB%_4vUA#3giY=qn9e7rb0D_SMKOa}}e` z)h75$T~1r!dgd6|VWeCvYKkRuCGMi^JP$j<&LdkZSZxJmd7SCq#&J`I&7A^C7T}k$GSJFM<63#l3Mq6Ags zd@UeyV6bOvCYpG&of_bJ_U(^U$nTcC7PpxWgRSQ^;SNJNUq4R-g6Uh29k*5N!>-VN z7iIroIMhp-HEZm$Sq-Ez_H>w^AeSyn&~Fb$0i&t^`ahK75%Im^Q?vD3Q0=kqwQ9Uc+B6Ir3^&L7gk9JK823xieDb$PdfHjS#tU@5-sj9eE#;l(t9xY9&X5 z+An|~N;>Y7J&{p?l3I|JRGo$k<}bzFDh)avFNp1rYW~0W-aRg+_3a-=w%86KTcR56 zHkHyyPMu~DqEZqPWhfbTl8jE8X-P;94LT?tMnZg~ktm&JqBNZ}MLMccGt+dQnyKcz z*7shu_wzizKYo9F|NH*&SYGL6M%KFLzOVbb-iPbnHeaJMUxPAuCH!KuvFo1^*XOtr zaf91&2mYYpDpSkbmj*Sv;z-KC6q}K@(nc&MXyG@K5r^`r{IR{P#-_%;nr4glbCMkw zUs_%RvQwIQHR+?)*tR&~3X<*o2~euyqCn*F=jYKal(YvB*cH|rv&9`paO7&v#1hjd zqhNDhuW~_x37b?dlLhB*G36-$#M)^iV%7?t8i0YPP99Kx`4h}>W)1V>)}4Hs$)15# z)z3#Cp@Z5tt4ZZUP3~kSI*+y}_DJX>guZL?lZ<<@=%7BwCHcfdkHE#%MS-jVc(><< zEtgR~6zm4fak&4Xo+tck)z@SK1$lz^O~*BVI7+T0g!1s^G_XOHLxZqAl1!GrP`(M% zms3UE21Imyvm_cd9XE4EXrnt=fOOx&5*G&uoMe-_fN`S@f{%tFIE3SlUYZkQ-X5P* zo8-5SvxU!#lCYMf!2LXGZRp->wNXzv>H@V%(|lVFPry2dJ6cJ3+2oxvg91E@;I`K8C|3qi!n0^WCxuc|9%a;hMNP~(ald>hh|`;2PNEX#9Vz z5YU2=E!2#P=r9f|%P!wIgIS`s3(6Wy z>yGiS05nUhj^?OjsyM;B(>WWDa+9EMA&y9D$eV5JdM+l3r-* z;w_&I9~&|Z5mSI>q?aPgrj-`c^wi+Ph=i$R2kREv0(>A-0VWkf_@#Q{Kf8kesk7YC z`QOPr@@=2fCg%vAssMS{aV$s`iDzn{0OJ2W`@2Pw6(!j40-)spA3Al31nAEII z6KTiA21#F#rJgh^<$L{se1WA|6uw_0TCTbG$!`fupQaMuLLzHtOIFsw&jB4vBLpAk z_^kYKghE=-q~G$0IKtli%TCWhC?9z=321u2FVf6owqO=~D!R13TV*O6iQcU5tH-9E z$KACfifp&qh^$!$!*c8tV19$Vmc98UCr*g_8KuY|??J;!&`h0-QOFtj&ZM?MlV~>6 z3yrCfZ{v3Xk`Lvc;2G->WCA|dbuOm#tVLocH2L#)+gVhuDo;sby#xt;r10vvev_Cf z<8T!&+}Jhpr}amdL&2Qex_>~onS9LA&wq;U0n*+cO+1%a>-!i@OeaE}Yu~DiogIgE zr{tOnR@DY z|1e{HX_`;J20uydll7SNZ<&2qJ~pKdc9Pv~JR`hMd=haJxoZy|{~?&mL6qJNi>iIX zC*U$BNsPZ3&OE>GWZPDaq;FJ>4!G@%zU(D!iFlJv=;5Vu*^X6nxEdWR++zow!&sCH zL++wvwf(=j;(($iYfKlcPV@Tq@jSC#7|cGs4nRV-$v&xjkGv7ziQ8g=%wLhE$|Lo&6b$0l)QzNqL{6| zQsLQWz?2wNi|j8wm=!AzJ|Fe2#JUHBn*u+($ww;N8b}a279e?L4~3r>Kq1+|R5y@v z4z(WuU+bg?;bO*L6=q~))0iwp-+&^_JHvIA3`j**mXWQ|ctYExw zr})$xqI9Ld^meaISZz207Rj|QKchrc1wgoKQiG)Txyn58_mFtfTF9rkCv!a}XrC;e z+$*oiqERB*Iw7>2`IsPuF=Uh5jla?QTH}j)ch^kJJ5IDYCS79*BkaOJ#0u`Gu~X|E z1daJFmY^z(6{Xql6a6R9^>eK<&-Oe(+BV;G=atvWNk~-)-VJW1=(9&6eg%PIDxH=a z7SRiUUp)aQj+vX*12$1WVIb#afNocE3^)@;6nN;kNV@^oLsNFjp1O5I{!m|?0lKT= z(^czLI|805*?Lq!H;gf*d92hPcI*vvb&Pjs$>LRyWdu;mW@3y1z%#Zm4oxK+X1)Zn zxmxl}uMHP|Sx7GBNng+Ak!U)EigQZ(rH_vv`=!H?n>t!SA+LC%KtchV~FK8bbvlRuT5wiN* z?Ue!5v{oAu%ud8hlF6I=m#}@8`oH}h>3{_;@0sI}`^XC2TavaBeYItIPz9m_L{?- zM2l7An?h^cYn5ys6Oz7E^-D}`J3L!L{Nl;H?yohxVhOwuhm(vD>OzJKb42|qB12e& zA}KCU>j6_O$WIl$v2fSTx&W%k@QBdofM%2=D?tSJAdQr($_)0mjkl!_)`bmmsrp;s ztR?%_YJAf0KRb(^L`>1B!^K}$-;^; zBILONQR1@aLMOhIIxR@_wF8V9pg7ghEU|`}NI(;fzoZ!6lSamN^b2 zJG22iz@X7O@ng5|6rnhQm&D~#5&av!Wp^#@9#R*n*NJc48kWejJeva9K4k0cWrQJF zU;^og36pa`WlpHu+VyEr_Qt|Ym!DTjOht?cmIXb+AwW}iQ>>rUxQY-tvf^k;Z90X+cR*v)qV_Cb&_-wk?MkB-4OuPGU(m`(w?Q6G>U7 zy!7f2{79rF*=D|KF&`wLX{5E7%srLsWi>^Hgmep8$2VpbQ7BeQcouVnAi4Ny0cI(* zN)Duim;|`^$d zA`(9I`1Vk_z_i);@G%AD=(yXXXse3HC$G&qw=90N(Cl~hvCPfVqw|+K$~?m-tzVFN z>!Qt@uOkrh+PXf8)VURze}r$HALMmwbDy;}o&vN+GN66I*4QuKl~S5l5H2d{u9bNp zL&_@R8zSFD$>u4zcFoTgb(SM}d{8oq!0;Z=m+DT^RKvL&kdQz`hAf=J?eT!c$zxkV zvOFpV^*9ZMW#`5t%K?bO5UA|`S?@#u{rz(R)CweQC`LG-D40+zxa5OVCO#1&c!@*{ zUe0?B4&B^HBSO$q#0O&IkZSw1LI6CS_X>fK&n4kwk2uOQ(x3#JK2|C!c#hDJJcn`(koL~y*YCa3vX{ka;e0(dB2@hy3ZE_HRwIRkTRysD^x~SZvx*tR zd0&%AuDD+Dsnm$7M+ru(c-BX9PB+=1w{VXCtu2_AT$hOUCa*`6@c~GnZhOs>%eHd; z-W^uaK%!u03GkRSR*}6;yq_goc!fpDV}wU@3PlzXYmv}JEf;a1_V%MBD!EqG99kNC zwek@oBcz?<8ql5o)YT)H_+V3Tuv;f#3oslQaQ`Ao(Bbi|D5?gW15JqKr>$x^i z9cFamtKLtSf19~Cw=}Bq6d^*)73AbdlOozSWI$EU4o6P@6xpsb-{1Lxyage?aqpqM zBkI`32?GxOVkSTaErmq5h0=Ki`J^FE60S_|4C`pP0YJ_Bg?DMyMDhT#J}m3&j2V{X zeYjz`(ya&4sMSE{5Go_g$wGgim!l;eas} z0}aHa_-$AfyuxL7vhptI3-yVmv$rkLEpj>QAthdeSwiJm)Z^}Jq*Z4@Ibk+PsWk9LNUN9!C?O0=LP&(Z^Ls^!rN}XvCF7lv)L(Ts3q_>9 zyI)3xFb4zb|L5{%(OsQdm5;cpUlw@4L^nJkvsc$ z_P$GGDTJ9~u|a{oOoMm|BN^g^|8Rx33=i83?Zyqr6D(wPQ5VvXW(AcvM)VJBiw@6( zdW3n;lm;>7%6^_&25-mFOJ=N>b}Vy@j%sBTIUaX1;gk6vRLjZ2d_VI_oA!q`@87tI zEaT{>&TXr=juYy6Nr1K^hXiyvK!-pT$7^WtQezO11nco_Wma=!wgn&-vr@quSVqF? z7V|1$dtx=HIKF68`hP&;$db5zJ(422-Q z^|J#Bqoq;4==^O^M5~ICD3_L$_9Is#l(q;Qxn|n3KRIk>hp(y zLR8*W3^bo=oTG41;JpB-Y}cxc?_1U!f^#pTr9|0skVD|d?(sP&jF%>GLqw`Lo9<$E zK+c{QJ5_(kh9qrD>I5wY%8~TJUr)%Y*z$a1L)#iAFN=IRBFuv(x0P8SH-HwIO3|&J z_-Vl%Hy7L`Xp;zavdk(wrE3Z!*Mt38ZAbE<)9vKYB%8ggUy=+9=MMGtSk?X8Pagi~ zubg4|=*B(wci@zFzgBS5l|Z)E8?nL-7c}YE&&n&Yhx6S zx*WoG1Ci#Z(IFKbD8^8}_YQNg>j;{(;!Tk&O1M->;-?5z@Tah8(X8|i&|;#)h1OoC z$hbtiB-0LahOwWLk35qwD?hTUAj^V58wITJkeys)`x(O^jz&il_vA!VLpUrY4f!x^ zGKpj>{o71r^_q5*YqzkghxSU-cHI~tTdYhqY-5US?p&hTw zvbk4AJI7U<|Dp}HbnGA#uW6> zfF?t zrYKcWlLx`@omzxKUmh@!3tS6`m&4~+yPb?CbSvYgp#u??oQ2x~oeGboY(oAzk(=Yk z?1AnE$u~@%!*EDCD*VQD73`D#AV^=bjWv{copBu2hSSBN5$!B-M{q3uTMDs6=e&aJ z;g2*v*BGMWDq2f!m#OhG^fdJ_di>n_jd@fV+4Fm#;@9Cu?Wm#ht5lJ8%Agx<#~Hs9 z_r9M&Qg1B11jP9vTWGc*y}~IjVTt0PzedNx_Tc>N(uL{d7U(i8sR3U=fvOmg#X$t* zGZLn71oj{$n=1{OheN*5z?72Y0doqfgh~McaXXL$`d!Ab5#<%+52gqaAwW>`UyxRa z?+QLS)EjUn8-E3+SJ^|i?AR4Fq*MBKcT8BpICbI-IdcSlWk*W26U~i!4pqA@8(6Hu z^%dUqiC>4|8evHvhrH*G?-+me*QiNUV5Je7F0LD`ypmjQvsd<>&HK(4q?0QX*j)+d zkmiXq+ne+&SC2iTtOayzJ&&}uQffpvpPy3@F(6g~QM@&t^yD~LrmuORRYDxH8C5qS zLwLZ!;i=3oOy5;#UG2`J{fnTYe-edL82IQyJ`KHU7vaP}r}ST`B=}Bp`!_Jk|Lz?< z>M&24!ufgeraJ_Qvyt);2f#q7;L~0BR7Ezj=0qWuXCqh5w_(HZP0A@Dn*n)asl2=v z3t4)()G@~M;>lRraoGN65_jeCiH+26fdkNQGpjfb>rypnqhTHYf}dcHClcc#j~%}S&AB2Iy#yY)zn6#mV>hQf-9^bZO{&n zNZaTYwV7QHIWoj267aGw)uknW(kvrv3Z4%#ZX?86t-%;11h_Vs1CW$6iSI}JV95gn zMW1~@p2CA-!+y5{3b5zGWcg*!tzd_(1}G5pqBIn!E>Qz!z;GG0nOZpv{ zCoRw8dh{!L#WuK>a5&(2&$~r7Y#bzgLgW`0#AH!wK&kBl+mF#yp%-f1m3YOks5)?< zisN0oNlUN~k6xyM6c{K$$+_hY9RL*t^q%%Aq4~pE!+F! zYx>k-ElM(u*vwDk=fTmIet%K+3oa7OfyiYn)juX+1sn(vN_(^ z`>JMwCE^>2G{1#g;%AMw==5D&jM?N6d95)Wzc@4Y(uO&W={4mxm8xwQ`nL@h!ADB7 zxjHrAa}d*;s#!|F-BWpDmw?aeOi{sro2Z*8v@+u70qnnH)R$Iw7^fib#tBlTY%%^J zc8~A@Glp^tajzi?sp*hNILJY5VSq5?=wZ6JNFI~Q!jqN4Tfhtih8jCXqA!QKLXh={ zF|tFwOAKd#g5>{mNdo8)atQVU7pmrMQ7|FY=AhIRyNpkUR3Q6@I)ul&OgN>?D~P=w z`*v8(ixL4MwOvG7E$uBiF5;7DO1-{DAyqnjpIl|P==8qMpw9ASWpy;UgDBEPsKY{I z@=1stQ}6P0)`o%P!zX7C5D%GmMhUehBtisHZl1IV zx`5g~GT~dS*K(l}B)!%H2LSY*j0hl5&6B6aHZt6PvDVdp9r@fE*tf8PT0G~a-BI> z^kfqtNe&}A-|xqY0f5CgappRjB~bwF#)Y3**mqb~9|TZzk4F*p zi7$$#4@tPC0h!{`r z1aUqFhjPxhH=`k{mo?4p^9j6o=`~{4RD@@UV5Tx2zzrhH(!X6HIm=k%Ss4`QCe=yThD?;!sfD-Fwf0G$@r56s%Uo@Dvd{c{- z2C8Z11ChWV>di`%eXEh0@-!WX8z<-fc1Zj5;lQ)yCd}JaA8&qMp~|tt|3$B<-?j^g zgM;-b4@u{~vsYG)@2&&%g3|BuiiAsjK6=A#$ZhgzMHrnt`HN97P+ZT}!~F?(;vi3| z$|j1bOy~Zg#B*hah&UZFky9hCQl!xcQAQgNC@>r{K@@&);9Ufi_&|ouHmGIh2r&{6 zqSz7+bjyVgg_nTVT%rWbj7u)mBH_}^t zm3e!`8y^G|)xDGhj5mY8mZgxSkIGM{w?u~@`di*_7qePsob}FY4hz%rfHQF_(0196 zAl;C38z2O2Ny3KryCrf*I|TChnh)1GW5WBwwpdZyU>-0Kpx~2wG>>2%G`_PWJIZY; zzQDe5TXxLrx35>yCohjfq;#8hoxsml7efK~J8=xgU?Q0{Gj($iHGZy~-50kda%?x0^&Fj3okA2*>O z36Sh`?2=$hc1q~(z|r9jbj8~kTajK$F=v<|fy;3bS>$>RneMD@y8R|SY}ZOcTlx+q z-R4(y#-ZgmH*JicZ@Ou@!?JrzuTiOcX46T0aqXKt%ed&xN%IRUlgUt!3C0G%RJ@=O z&lFs9^viO`jt@Fn*Ntp}W~2TA^~1**2R5<_>3{`c*VyaLM&hCQkaQ#sIV@v+umM|@ zKo*T}r@=%71YAT91uik*kIw~5u;o;@_C$;K@SnHkrIqA{7* z_wGu_46GJhsrgXi1R4i$P9K3SIi=<-*q9~ayMm7h1wo{@d4=sNAO=AU4D5#L9n z>OjsKza5129I;W$rG3Cbj>SKXeT^Lu+D~vMP*fs7|2}X}R@4FV{%_T8u%-x23vF(G zv`K+(Wks}H3ZwNvQwcnfTl-8rl6$nr^1%=f>>dMvquO$o1l#k>HaX;IB4j#yI`&Sk zc+E_LGo{5Nm1wAH-wlY?Xb!;4P-Pyyb+k)J`)Xc;Z?-D$q|SdV?O?5}#0TDINAQoGSl$8a@N3!R zW_i{vJEXQkrWze}opbkiCa}dmdwRejjuv#tDdC&t=<86?hCP%Tq8|Qk_z}2Lp3gDn z$g-ms?3In`12fCyYf-Yn382thWc!dhM8A&=$(Y9(No1Z3ABDKsBCZHy704`qBF`YI ziZB_SRf}jLM^2DTkSYW@E^`4h?2d~m;)-2_@3N5Bf!G-p2)w#IVHma%jp2UTuG5aGyr*ja`@jN}q;eJlPBJfjSW9AB^S z5He*NYONhaDTZBsEbfFQo~UW!aBHGh6^E;omLV<=e<|alG11G_6K1a2)m^_VYPQ#n zkaY6<OYY5U&J#VD z_z(H?$B+RMLkc}7H#@^07@##DG9jOqfh*Z{K>uWdM?(t33TP8hTmTd&*a8qg0qn%V zpdWPtL>X4FK@s=g*FPGCahNFq2Ue-n89s6i?mXEV)z8gU7H9Ed1r_RtHE<0T!aO$B z3t9^g{h%oB3Se8R4>-KDS4X8miNkRvF2Bl7d`ze| zr^6g^HcU61!V%|ks!cPLdktoyZ&d%a z?-g&s=JPKo^w=C77WC4@&qx5^WgqYYkh*{nO9E%0w46MJ!yFq~EY}p#WIDZGBY9oW zyLxviM7br*I3Iq~LP-fQ#`;%%E4&+5@ODeZHp>0N;lEYo&~H4<&0phvzc&6+HG75c z&IgB9haNJmeKQF1mdd}DEsMGYw1lC3q@i?j=##?AJW=6K6Ylv~A7O$p*%-*gYv_s0 zn2#}26prGUf(;7A$^<3y?M4sg#HmxL#`v+%fML@@9F-OD{0kq?S zPa6k5xYtyKuch~*dk@DKxQuFD9tTVZybz=TBTbK9y7AFF+Lm1&Aj9{MeUtujRo@+- zCUm`znxmPVRE@h|CYV!MR=&+~UcdV=79Iht`jGh%+hi*@rB}q94$E46pW<&M3efst zX8@sx%yc8%*4gW|p}8wgLt{2oY}#KivTe9;_RLRsZFyF)^ns2;=F^!sW1if0#LUJ} z)@A!U;O>)jGN~W>qvL%#1lKY=hTNnm7ti5(ui@0KKCc-+yH2ck8iyJ+=%Y*aTt+-07&g* z#e>S{5fVq49*0C|Bsce;{31n1n=qpr^EJ6~VYSe@JM+RSJz0`phc&~`-wqs(v%v^N zmiPD2A`+6(i!a-qRc4@6|131r4*4zvl68{QXG`KhCobtndV+@JdQHYS| zoo%$7wQk{>ZQXYdnJs(ph-hW>NAO_LegCmEWu05Dw)?ABdFju{QeBd6EjylS!_UJp zmq|)E`ULHGrW?E#CtEd#IVb}r+DAZ*C8Ke`d6q!>^ACij(v>j(@nZgyPB|{&-0RVz zK*|Im?SH&6jRS$sLrj2YMVx>qf|wAB5i0+qj0?RPu>)>CUAaxpv_q=i0J>-aBGQ&= z`K>6BQK)eE>#lhAiX}?XQhS*a46 z2%*NpsnNKz2CeF49BKsOq4Z!}XHpr^4d8$PFtPW%FC5`*ATIl@4k|)iv1OGMjzabI z^%yHOONX*$&?)(@<4_c}WYW!9R?n0uFrmtYnn4}ex}Do+jApXtJ~`_4>ZM)0rk%o& z$&DxJM4!Sajs7$I=E|#%{L>7FMeN3lD+Ey)M~P;Gph`s);!Dt^m zbLpMCh3Fz4*ePpy2gG0^I=zbd9{b)Yr54F)U7*(^)}6G+&3K?GH9e6)kKMqwJ-)HG z{rJS6(gxiG4|n1h z-IMEVmBFU6>@4o-{rvB2YzHDd^;2A~j@SruOBdp80564%hz*$ns7c~utzyFyntj(c zsUTQL8MF7igRiZ;TdS!tzCX3ewq`uQ-T;u&U2(|Y?%%umQvBaLF}%1aew(v!y10_0 z0Qj$g?hK_Moq-kf?LF_04F65)NlZOTtFho2*y$Xs!L0QG(W}4x^mZRfW*ZF&g-=oV(M6ekFjv{ zmIy$k*!ON?i8mTvnH8D2)5d&F;=-AK9Nutfo8oZKtCDr*q}Y$ItL}DR6p)*rY3SYC ziAtw<1(*oIm}mx2U6$P4Z&gDRr?GT!-xmWUQNI%G_F?hD2f_$1`(%1m^i~=`)u zidifEy#CbD=ws`_=uN*5l>Ak&-|Ix>OL4Ml^c~LcoOER)Di{kpK4C0VVu{J1Z;Wl| z7zJp-aDQ?Nv&GiD0B>ke2Bgf)@9;M!0HKcOW=X}WF+A9^(1=$9T)k82n+kw&|0Zw$ z{^^6vY7u5uJ$Sn?CW28A*(b5qQKZY@!7MUTp?w?qg7iQ@HHQMFh{qU*)3~@Cd9N&2 zJ%*A3WF4zIct!;xEXWYp*bDW(6h3I)WiQ-Srmn2--*3HoM!Ir!Y^_=lZspbImG2jN z-QD?o%O}zz@;a-M2G2P2mP?EH2C}<;o;6Q^+SZvSGER7t4Q!e9!iUV52-0eLI>x5V zVL=7|u#yuFqfWI)Dn69BhzGfwn!wp5UsA6>RQ4Q!4=X7IKrx}_gz4*4_L@Z09d&=z zOHB}~XwyWdm*95F9dh_1I31i>H8pjM@?ZT=yTSlmD5_=l!}kIt;W&r-UKT7AAsl1K zx|jb`tQ_Bg0aE{4$wBp%X|wTGlz#A`7|3VLvT5iOFPY)KY}K0OKJDv1?pdv&T6}ZH zn3_50E=Sey+kXPu+uOQDSt)3z^8Co7;=v2Iw2US(d;`sETDXNlH5s5wN&VB*DI=bC z#U8L!wM6(97>^X6NAW;3odh$D6k%f!b{Y8VfMA9y1jMYw=AVvcgBKcA;gb2N%}aAt zoe5CRk$3$=kE8u6PEi+z?%~c}(^@C|tuUbR1?>uODY0kKMZ$&G@6|9vfbiK2sodJ< zUdzOq_0VOinB4nrrv?|ZTj5NVriH$|TkM70&6~8n&8+MzT`KlbD}uA*jv^VydpP85Xj?uH}5%R?_fV)LDLc zc8wcDafTvKvS8Dcpvm6bSYUG#KStPySuv2mnm>~kUw*3e>E9)5xv=Wr&n^gf7O0qC z-+^EShpN4A*aBWPS0N|@PVk?Uy%P3wO;jQ96u^HWoQ8j!y`f_g0?fAMoJshL_@ded zM1nibF^3xyPf(B^8{ftw>6CnJ>ssaua_Cc+T{Fru>ASZ--}5`x`#`9}AII%li_Cl` zYyCDp&CrqY#U2}JmWzY%@A(wamtixX6t-*m8o!-G-;sxQZHeC_Q{S+DR@WB6D@KQu z|6-mzkRu;|`xDhxyTTvNfAakHPAM)_sD~!ICqQ)TeG;m#TPHG!T~G{-L_Agcwf!rR z(wdtTatxI~EXC-R0(iVjd>gHw-$suRcEzjigb#G$gYm#hbFWVoFfDpd#Ey2IYEy9) zBN*=s)tdTyY~v7@6Y1K1seF9SZrNcbathn1rT@!L@sxi&c=gq>NXe#W9;_;|UgFBc zo3)p6c3?=W6|;P(rH@VH>HiU^VeaJ z@p|C?Lc(XjC=+HDnD+-Z7H4 zCa!P+?k)6^q&iq9M_g{MWd>*0;2RTF`12@q@R;#*iZ~dAC2aKH@M+=ByK&u}L)jx?rgUfBA$jf35BRedQ1 zJL`MWi_>!bd$C1(g3l}vx1F*PZ3JY%(}h$ragdTvJ`GCAN%z*{6ZcxRRQCy1t`aAf z>dKe6H$d`~W@mZOBmZU4__EiVy4wAUrNxUuLa^=R){~#q zJJEHEURHO&t)@i%dd3+L8FOBePmHD5d<{N5si%r_a0E@=_B%m>!StTd*?5&alr$$P80kF!6uy4)9r zwQ}2JhI*q_kPY6)yLtsOdl+;YsrvvLkB!=8r=iQ#toLHB0cC0M0}z6NC=EO`n)8Qu zo$m7WfG0dbsaHt;dpbU$!FAa3jD*hDMDH9myJM~(Z&^3dc$6X0D1}D5hQhUKQ3nz~ zSqOzAO$x)s4b;m>7b$y$1F==B@GNmE9BUP$G`$!?kclK0_|YKJ7Ue@S&hhBY5D*)Fy*cf}Mr~CKC_7aCB38 zgz4g^hA6(*x=V(9Q=<@Nf(u&SJKIzNUzYm#q1M}J=(Lq|o_hoLPQi-ZFQM8-Z+9tz zhQgK?=_f!VA8*a`1*%fRz%Q)_r?@Ya|0-4N;y%Z{Q--r%fb;b-LIr-fi6I4nNwqI{ z=@ZgBI?&M^q~9SK7rHzU7TO-?Z#B5O5j^tD1<*?RqU*T5>N{Q;B(WQC&8N)77niMk z%#CNsn}dF^Qh8V9B=_j(3Wr! zws*8p0IhJ>Dj2}ZqZe(2fUCu_o>OG@41St75FmmkAmr2GCA0J|&YzjKV2$&2ja@NO z5BBEk%d`ue(N<7}?~_gFl18(rv0 z0_axz;-ZJh%p092UJN(TJI~sCqYjznP|on2@W>Yn&uwjA@_fte09bulPT*_{-2IO+ znXQe^NKRn!j7iM@_#yI#h{uu4(vz5G?Zyl54RSNnkha{VhUS`ffuz)f3%d6s+q+kS z|DN!(!gc6u7WDtzO_Z`>v$9D6QUB^Cdpu@l+I{B0M4_wv&PiyY6DBAvNtODr=$Ty} zHH=isEgCh1PR(_0sBlc}&(wqGV*+PlgYI3CtN(7jw(o0G){yWRKn$mf3SwnkKNdha ziO`ezd_v0@sdr^lEpvN@vNp8@1itXf?<1HNaE{EBQN0siLcDM71f7HaT{}TYNj&_L4%Yi<)O-1V8ArTIe|DzCm09$_>(5wR4q%e8cJ$s3Z&*1G1Dplaz(HWWe`7^P> zN;j@pcJA(7i#e9D+{w>A-Xv4Xx$TH{8%=q`Pb!q(U_66NcGOKNBL3KM8$Vy&8>Ho| z&qvL{UiI9d*JJ)061DkgQfTrzlW9(G<)9bh>JQ>XooTdnlAC5!t7d_SQ!=Rlj6+TQhoyd)K(b3JsBE|Pn-tfRcM8eo4gk@t#NYqvD_w>6)y1d zT?Xi7w-%JmstzT63qgC9{;1mG)vYVZ3+v{b%(thh^3&`T+uTn?F>LBTT-VTRd3@=i zhQpn;X5$UZE!w-GH<`cGK*Jn$_-_~QOlM!HczsND#T}5Dq^X9j5|F~?CH|&J)CbcV z#8jtgA;keaj-RQkVZ*ZF8{kdDI_*t{8bN>;y!eYAdi!1|XjMwff9C8&$-pW6t?j$2 z?R0^3dXe%gynOk2C-Ks3nlgYtH^_IAw=Mp`++TX1JFsfaX={}u0=g*GgA!hYu_Wb59RifAr*&p(m@hG`q^ibu z)LV2N*qNXF2x&9_O(XF6GQU8Z9`b7_<%&M*OUlxBx-jaq>+k?tj89v=HREL*Q0?3W zc4{xfCe2aHo}HM#E>s?OsM;b1xWJ2F`Z@9M^{0Qr*LFe7R&WDAJUSFmkOyj$sDO&K zMq(x)3p#IG6v$h$Dd}T3m%j6wqM3v7DBb*P71Ij#OuY#0Ts<3JKijFy>Aa=Nsq$<} zlPm4?#i#EhJY876criby4(DJbo3D29+GnWyqVlz#>oIrs+TejWF@Hajm>zj2)Kv?s z_=Z0qOK38180_bKJ~t36|LdA}0${xD!*|#>J$hv~P;dGJyvUkpGFK#H={}RLJF5vR zu4={uqnZx#AN%;`A9*opavnMCJ5$MVB{VFV@Ey2cWZ^h*>zh2#HmEM5w{|dz5`RD> zhWch)nZ-x67O|LM`wJRA@1139N$3I(4K-<9-bG2adNxvb(01wpbn|F3k<}T@ns}uW zZ*?_&y9~KeK1L7TbADhLEP7>~cZh2A2Giok8X_`EV%zNJ zt-&MIMNbS5z*CQ|>w2uEer<3&c=WHZ2(hR9|34fX$yDo`H~n~jgU9;-9&hq;D#3a- z7;fh!4H+BGKFN29&W?+WF5>1JXW2cDttuQZggrxY_#Y{88rq9}Vmn?q;f%o1XEuF6 zj^d(t9K6}TI#96|V>KH@n0qnm{P$Z2@`gW3ojt#-)ME{&knh@cW8i^k`F6{R^{V1Z zJMw$_Id@G*^rh^XXi$-7;0~ODp1d8btcZ$eZ*O`3I_5cdazC#5>N}>c&)AdHP&b-C z>q|(_y5`Ys7dSj0o!^mBcYKq2&8vWZ&St%yOv?V^$49NumlmS_@+OUm$c+lM8(v%2 z>WzPIX1ws)Z>n1mAj+K+uNq!)N1b1hB0q0!#?W-ny~#rFoqIqU%|vg*8RW=0V~a7v ze(gUhzM(JqZ3n=1R>Vt<_%@8uP?7oA6I%Y{=Hb7+`@w)vH$MU0$d1|=8Fn=hI|9ej zKHlDJ6Wg&>wj%m7XvqX_6*MTV|K#@@Ok-#B5<>`79_-!BpIp|jhn<)yUeRL;Rq-3e(tJ;kzlkix3A9AsXzEF(3xn8sSk?aJs&T(5`DL)Sov1+ z)5zm?cR#UL1np%Qrxcasgz&Pas;#$AJJa854LcM+Fa(Q=2Ze+;I)iwQyi$|yZtlIQ3qvFCg~n*A#0KhFCWbT)1w(%x(aiet0BL+tcGK!F=kJs6tsTwNl;h6&3BNRet9G2eJfHITIDZ1m{0su030fWz1JamG_bs%-3>Zy*m;WZ^Qo`2 z#;>x+b7dTr?*ggQ`LizTVAD-#$6i(Tq`B%Y?q+VAONTko7sVlsv?m&XGAUW)^sI-y zb0?)Sy1^Q}qqh~jLC_2K{{c-o5al9$s~V#BfduR36b`A<~Hnbb-!| zWG;^M*=Zi79;CTA*7?%RHZ0bLH1zqsO8-|wz_mZ|+-76qH*cm*wR+5MO&@dLzrc3) zY8CRzak5}0`YZz`)ZE{!QQ{A+2hF+afbLwgvc>Wy?na}C?stAywvq{;WT0gsc)-tz zC9ws3OiSpkgFyY_F3W1Z2;BT`+Ut>$$~_hTcGI0m;M1;D4w8XAZKZ}QnoyV`O)GOi zuD&i4x&#-}a*oZtzWslH|L+L=?+E-~jzAgyW*MT9UlTd6@5yVO8Q|Bx-OjsmcAmWU Fe*g<_%S!+N literal 0 HcmV?d00001 diff --git a/latest/ug/images/contribute-q.png b/latest/ug/images/contribute-q.png new file mode 100644 index 0000000000000000000000000000000000000000..15db7335085137896e62884e9baffc48166b5e5b GIT binary patch literal 807135 zcmeFZc_37O`!`N1m7-EfV$dR4Ci#?orlPb`smRjA5V9LWjH6UkA|*?fNsCEYl6@T& z#y+;}jBF!gA7;#U&T~fH_xJw(p69RM-?z)mInH^%&pGeyx~|vjx{k*eO^i2f*tJ1O zNNCfU(?*wtgao^5BiF5kHz_9etA&I%o^v)dym-dYQ2wH~$1P`92O*);k6)RKT1fWn zs4%;%uzH=*v9l8wHb-wgc6Oaw$f9ES+0&~YY{j0qnDg%GhAbPSFK<7~Kat&>V{5*n zdd6~x*g+M#-M6eVnN<^Cvx8=XsL5;^$q@`}PSC^ARvq)8o%^8kalcUU3;pZozo1>L zFCTu|v3_&Nsv|eWr`W5CVm&0TxrDPwR7m} zpx_$$Yh!JWqe3~>uYV9gAa(?>a*wpTxzVM&L(@S)qdv)YAjRHP+|1559DTY?QBk3D ztx$FKcNDPi)~$mlhOdGjpB-y{ctqrUIJp*Q7r+mSc#hb-Hbi!Z;h`E2>y(%Q?{FZl()vN3hPH&ycZX=&67p43|L7(zPx+^t3o@9~vCw0D^9o#sq9S}TKSVX`Tc;83^i*aDRU{=R9u@pWXT-H1 zD<3rrJ|I3g`hCy$O(*nzHShIGbv+$}J+9XwF_~@J8@2Q;^G%w{OjMwu@5cyDFOi{; z(n>GwBINF#?O*%BqE}aKH?@LRYtj0t!RRNFYd&mzw|vR<(O|kQ@t5w$w;4-OOP8u& zAGPq9xk+i6FGgR%tfSZ(8swbp7M|LDXKQK55!uG%z|?gzYC7ZWme zbJGFQ#L8?B+wWb-68_0@!Wp18r|8z(&8OizgAiHgMU zs;N4!AsX?_E9bPT^f|J9w`;~umFj~zmKj@6G#3lK&WHG_$J!!}zr;P)h7HXZ2@&p7 zYT|~*{I}l-Bh+O7l9+er$=o}2Xm7Wq{(AlI+9%f99!w3tc(&U_+ell4`a%4=o?>+E zUQ5Y=U#0Ozjf&0k>I&}iGYTp41zQl3fv5MrK-Hy;UU;&1{!GAo#WvkG^)|1ztCvN8 zi(G%^dg9K0(dd_TTfG&EW6E9zMFhR#Meq{dp2>Ode_2uaM7>Y_;rgRz_lzC>5W0}? z>12M|U9*vo*E<3_4&PQ=+PEaQ^z8NP*9ot~Ec0GlxMf);^xnv4+?M!>`sDJtFCF*O ztYiD+xu1R?2^UH4z(=RvU2o+%)#d5;UbZ|ky=_`}I&`h!k4vFMg^u`lmr^egy{?Yz zOFmKf9ycNRd(GlyjxfjJZruKp?Pp(puIoz5yq+3h!HB&TwZqUQ=GyyfS)E%mlP#t4 zQe0lNqc6C!Kc3Fs`zW?JBZ>(DFWJuVt%sTqwSKAoaXZXLmU+XYD20%6I@`h{ zYH(AzDMyumjPJ_d&ROEHHhGHZg*t_%ua()m-NgL>qBM!%iu4P^xH>w9%($% z+*r7)U?+2@w9FcrGtWAulMhcGzO{=h?I@jn6m_fL`TL=HjV*~8M|Ip6M9;-l+m3yy zw;*00NPCo~khY;+EiE&R(3H_M+_a&I89$&!e4X3W-ejJrmFQ;`ZxN9n?|cb6pSZ93 zgT<1_nlpMB{*g`TFqnAzZ`nLi@!khTPty#I1wQ^e!p!Cx**R(V{9Z4;0V?`5+2`wI_ zRLw{=rKh=18Ew=$%s5aB8FanWdm5-HB(_fcfVk794)F*HRf(X@_B&#>T#@XMo!X_p zXW3|-!d_MTleKCoTTClIkNbv|gf(w4kWG`@A#+WRd7xk2ddHyl4p|x9J3qSvx5RFF z5zaZix$dd;_5gIf?(MT3(N1tQ-0jnEEmT8`Y-74tSGQ8Gj6 ze4?lA+iz7#kByaDmFAUXPw#ubKW*kb|9jM^`9ffuzcanPWR3MV%Wq<-1ke00W}|AB z%6DUDk}D4L10MO+e2Qp3Pi<^#RM#-KRu6u){YAbq9e>B3896nWRFz~fIWgls>4uOnj~QO!0ba=EECeT58{=9!uq`%a!{N z40}|6AAY*eWZ#Eh*rM z`($EXYHmLJPk(X7+RRHGJ~L-~d>#BMXC7IG^{NHN2cBi#FMm=FOr0C>!vWpkxX6@9 zzNnf+7P?CNigj4Wg=~5jCBwtx^lc}--FJ(MTR+dYY$5N_dwo9fVC1Bn&7Fw5uHSM7 zN7j%7O-`HoBsXfaivlh)2FylGY|yg!lBM(A2@J>3<`iABjvud##ZD7TkrKz)V=_pi zcha+}^T%4Uvq*BceO)q3r-F-rJt4oUDbR2uXK`*A1gH)5_R!1daqdR_PNmWSgP9p) zHC_0ykU*^~W=t0Hs3>Z3V3cR}a>Y2mP4tn(L7;jXDQFO=Tgi_&nsf^`TX8xwW+@H!T!M; z%9xs2?)J(MZV{0L3n?i&}!jbLTlhXVfcd*mihPoDd7V`A}hyN z2?>Qc3&DV7rHl!@75qGhKY}`cwjwVc35mjgZG}JnZ&v-Q^ai0fBLCW78wsBiI&Nlo z<_x?w!+JY7xZ|8Wd^S9YON0-s_dIS1f!iE}YlJdbp|E z+I!eJsQbHl3a%rh@2?B*x;gmR%KN*yy5n^H4HQ>O=)(Jg!$?K>l_EYa28tFJF3KBv zcss}+RX?PDND;L`US3|`+y0jBWusGntHXa8C_4H0cI`8!&UVKM|Cec`#ZQ^H*$7^`wYGZO5>=Ow*E?m z|LfHM-10xFTKrGd!$*!D`p>HWaq9nD^(xN6+t9-ezNruDe+KMt<^MeSx1v5$(Dwi6 zi$5K`aun`q)CPUzzef$VAu~JwK0J`SosCSdz*~5l34TP3;jaUKw($Pit(LcBMgxR| zjtQMHI)24pc&gkj!@ch+wXkWaul(pu*OA(;y*0I&UZHC)Gwv(aCfe2)6<+`Z|5BhipxKPz zEqZb9)D`wzB5-mMAe*X-NCfEC@$=ub&3M3>(=T1fNtr=~~S0B&-O+ z&Ytc;N9Nqjk{Cm9lk5^bTxYL4G@!3-tUPfL+WL3_8Dv`%w?O%~%rX(v=w86OF{&4s zW?kvycQR8{OZnzpWYEpaT#CW2X_9(P7n7hxf|3|+vjIO($ghTf<<_r0|5df8%rLg& zLXFyWS7+K+!aldntjQ2Z%-Hj2Q=1CBs#_u-e)eV2xL|Aoq=9`6EQe}TX=69`2AWa3)aIf36x|p6Zd!R7<;!N~npvi@4taBn>`6(Jc9D0tFqY56vK0&WEN5m8@yocQ})<jsQiw0v$8nge88!XG&%lIyx4`gFNExs)${O^-WfooeUrqR=50Gs;1o>Z++Pxrm3 zoKXTa2DBs6Jg%d!wNYF+DGQu6g81S5?`N{+)ewBcD)F` zQQIg6ggQ}~1m*&X=fMfB@UHc6%{8hK8!U_Mla*}~k$Bs<(yaEv41~&W+7Y~I0KPG> z!Fkqe0X-LfVyHrKXm4rusmtK$J;yFS;^8Kjw=Mm)>L?6ar3ZNTLy`B|&L!ua%S(T$ z`#?OPhdQza3?x;WE|9i|{+4PY!Ly@qDJ(x`sWZPTaQGG-c_3r8`uMJn)P*R6{bQIw zAfB!od>On1-jg^_IshG9k;Bxti<4Z@&$rl)Y}TYG&)z)-$o3Ce(*a^*m`8wIa1(k*Kzs0YmDJ916E>nfmG*5L5*!46Pt+qK(JKGmiF1HWtW67{OXx(CPB z^{-pyx*M~cv41ky=dJp;m#)O9AO|s*fG<@zM0FrrL;=d%9*ReSD zcT8H>))gWb7M#pY3}SL4&%;LXml9_)>K;tcWV__0{-Xe{bBgA`@Q6A$PqRDW zrk|<`W_7!coTi)7B~bSe$7-HW^E*9aRKTpF3scM_eu)k2obIk4c|xkD4tvlkcghC_ z3&G~Az64?nFy*D8)Q77_Cuxmg1j6;d8F2toU6KCr#J<3;OCyhpPqE{|r*LfsjtGwi zbUiFg#y1^-Cn1oWCanTi;VWQg+(CrM>H?Fco%#z{R(RP68;E59k0h;!*ihJ>cgV^; zm)^yMWe7hm>AGwX_dz1a>9c9YU4e6L1QsT$QxcHPFUP4*Bq}cRda%NBeessO0c;y5 z7gPE;#|q=jcjH$pSpr@0CC{WXNn_A7z;s!c^OooGZ2Qe$YseOtz0?!vPoS$BWJ69mHKb`|SOFJj16ypuTl4Zt|sdwXL zSCv`q&z|jm@y2jqFOWVn!=D>}VEpJD+wj|Mrok0T@G{*mmSYC`X$ap2Gd0qe4fooN zoPu37vVRXJ(CbEqA9r`Pj;5F3sSnM5@j<NDY&kU;RW-JQ83{)$pkE4g(x3mx?kR!P_%i-I+li6T9kd;nSqm?$AnE^gU9AB#@^}cs5UrUFWVM}e=Y{#*Qze2 z8-j166o{BhCkoP4AQx~uz+{ZJ1RVska(={rvzd2XN-zZNBGwRxX9vwI4P6&M{K0(q zB<*dcmO%LKF{tMJ7bkeI_qoeGk;=+hKEoylXN81yYsU#D9z6BDhA-+XL-O7+z)sC? zZ+Y)lgx+%3Hu7ZB0jQsRc5br_)){tZ9oaOL$?hjgV+5nf1yk&Pix?mlK;3351s#yD(7SEvn;GZx2)(xmG1`=P1yeNYDwA zr~0oWoza)vo7EiBc9$u)^F*SzqtAM|!>xQm;uZ~;9g5X9KkyVCm~_i^`yLGuC8zpr zfcg2VQ)m@%2k`W7kwY#SQUFW4sr%q5NhN=?v}G|xmEai8_4&eOE8YNkJMCdkRq=`I zyn&H_u%CB6mexKFmnpSVJo>+iJh+Z6UoIs(*Id(ht^FUPPT*8f$caTh(xl4rB$1RAknwa@o3yDw4m^6S%5 z6j_-4>qUclf0-_%_?=Ha#wZ>;v15=YB{oPYaK>$+fVo8vp-EUT$3RD*C+KQSSK^U_ zQ}a&n%2I>p@j+ODxI?X=%Zx_T_FiCybxBf;#hb}({7`xEHuMwx%&{VMZB4<{+Z z#sA0zm!uQx@{rZ8^)U{Z1}>@X;Dgv_sT>ow--;A+H;vq9O`|z{(TWxrgwRHcpnv49 zJvz3|T3C3isQQa@;cKdN#|rTEmd266gJvftQ`JqS1Nu#GFj+;gDJx7y;Ib?{{*0FI zg8<=tFhhIJ?0kguLJ^^?lUh#AgIAC{jhv*?X$1&`MPJ8Qb(?SFHAIZxsX6L}4#*@0 zk_4(~pgBs%d}YNIfHPfN#@BRkN{1^=H8gJ3js!1Q0<7S6cy*Qjxg%U2u93Z`QS9TA zU-dnLon7N|GJiB5oZ+V}6)ySdp~tOr2I2B>4Gh-8>aE@bp?e2Q0@sy!O1C-2HLwhS zlMcMGx1Gn>x7JkuwmZ8@+&4UMRG#xOG_Y45TJutO$N?%|4i#H{!%koF8+MtiK7m8> z@U$VQ(K{6}JkYJh{Y8LmcrfLvem2Kz@E_=yU3K-&?*=VhPv+$cph{VRnRy=>;-ePE*ma$_>whEctKwwAYR!64RtUU_=xTOmGdU z2oBi73OiyfzrO&o&T)bUz&@(i5eB5r!kH6{J@ z0UbzEYxaEEs(1FwYOUoPWZvv%aMH5GSYoTN(znpvh6U!UgQQ~4Z?4y=yY=RUsj1RV zU#*P`EgDO1OS`raE0mGc9C?rAt!+D&`o2VMB0sz!BH=sTfQ_(574Dm^_5PN~Nh|Z7 z`^tvQuv!s8Az;=+#A`EiI4bhBnJtwcngw?P*u)x&F!F zy!N&1<_Y=(V%C)E`qi~gj_Eh#*%I{?p*qzlNO#9;iawoDTs^X%fELVxBhanJgr#9h zN%Q&LPe@tK-U2YU8p^0R(IBq6>t?C0;goocM40st>_RF?Xe+lQTF!9ZEk;*P;>J zNg5@+c_=lwFQ=jVRW9B(8IABAoicpf&t(647xv=lY%VDzXLE&O#myhvK{kew4ck?l zF6EJtt-B~)Qj>z!kd+VvvyW_Babb1XGa@V>XZvv_Mvil{9Zslrz#5Fm-iHfq$j{}K z@)EVv0o9*OgxK2PckZxyYluJ71G*p()`pcI1S}-)jo|y=bzKOUVHxWzS;4HygSsga z!w+d<9}6KT$hPr)*)%_lx@Pwe1#Y|Pyv^)vKG+@!c+k)V@6C9K>tk6in7~(sAt4BJ z_ir6oj}sXQS2~oFeL^&q@(wQ~hv#0AOGxhv3^;ETD(W_w7F5A({q`_8T=&8B=WYVl zD}%|BE1#q#?9_8${y;-k`@iSn?tNvO^E84}wnDIl%5PaZ#VaE)J}(iM3SrConFqJ; z5Bp6bm2oAnR z7s7{&2MmA7;3x+4`bqR4b&MZ}9n+DY8A~397JunPe?Z)w0w&nb=E3PH4TJCTi>Fx9 z!k7j8QAYP?s)?ef-&>uYAgPxgGD4Pw>5kT>I-AL$Z9~}s$|HNrmAMm_3P*}R;YHf6 zNw8W*Rm7+qS7HkPb2)_7euTae3pKGnWQROm>KWt-T&brd^Ez~7b#y1&>8n1l06BJ37 zmk!MCP2|LTPK3A?BKEnN$>}UPQ=^h|Vcs>y9P049%4PoS3#Qz+Iq<3%fB|Qy zSnlAV{aLLAD^vdS%Crx(*%B}IT*rsa;)oHMh(OYt@si(K-+v=Jqg_^97;|nm+-0QY zck0iJcldT~2^d4XxePjp3k+z_ECB&h(G2lAkwPEzF#4#q>49eo=J_O97gm>1Wt>;j zjIYeP@G)!oU&UL9RjtYjqeUCv*7lm~pxs@$A92i72h5^AO>|6dCVP{S zO&Lu(K{OibM{@O99Zfjg9noQSA)_zwY;B-tFNbvZm0_pB-mlE7;<7CoTo)H~_A{Y3 z#uN$R4 zM%@Y@M*$;0UykM!Xcz7-m@U$pg>f)vHuuXd` zG?S%ndUugX9MEFKnxz)7$^W@pTBD)D1kxlf3SWJbhHyuv+yMgx_R>aVRdOgRp+pRdE)@D z@nB}O1h}kbRLZXulO7xW{KI=o&r)hc);%F1<1Ry?DNm!_7RDzfeUZDRX+K+|3GcCH zXU%TN%q4AO9tY#`%Znc*q==0d4#rOEq(8m zT=)ezNh)CNmS8?c5J+=4Y|>LA!=Gghc0kCWZp>?)BV(tpU~V zH&+Dok7J?jPOje))z~hrWt1qDa~mbG@Y2bQ$Wt~=WFt#rK0FZb!B}wuwys(g@WS(i z)aDjxuM<)Z0lF%(LtYf)O-YHISnW4t(t~5MVwX*lP2^^1@7qzFS4XZJNt9*sb>^MO zpk~8E^%(`XMsTjUaFfB}uV5EKpc9kD_V@u-(U0o`%s_|@Fi6X+o1L)gTLD^Xu%>Q+ zkTbBx%k;Xmdxi`O%-w$qHW<>H{h|sLv8m{o|7)R4QwZ^Xma)JfpNAXIB_@#)7Fc`0 zXsci7?&IivE^7KS>4ssQ)O-g>5(=!K5q6Vrxa0>a4xK9@-drWMxw6O8M?Jjy;TdHN zk@&z-MpESauR_V{qp}Gv!1_9vrMvUdu-kD}ajn~Q->spdIQ(eK2mGw`o{?5@UwgUt z{OTa4)W#rkg=FZVU~C`XA6oJ3Shx&!p()2g<_S8GdH~F-@OsHMURnJVRLzR%83(gr zlqqODzov!L4ofby?=+W+cXfsOz_{)f5P$+@=R(G30Uln=ErU3S;PA!p4J4*U+P`{- z3S@b`;o(R}|AnX7&7sXuxJIK|y&*f!ZM=w84@Dcsv9npsF7X2S6pYN=X!{NuIBCR~ zbxKI|2m8FL*Rj)%#4OxoUM&o?edRyP%@gsuW#X>R7_OH@YnHfcdKjlb;-!0JYmVBK zEF!=s)vz=+?-DWjF;jj@Z?NemUi4o(*b z1De6EYAMw;A@?$h%8x6tgnD83Wbngo8g(yBC6MaT4gZ$wVjQr7BTOX zL-S+ybgch31D(}U_Bz-z+*u}dn#5vYn^PBN7iRmKN#>^3*g&w5g{FqO47g=NS*h)) z+3F)Ptg-kA*$OSLx5V|{uHcDBPUfOI>hHy;v-^YPjE>ETAFb(EkUyoHD4vE>d=UC# z=de$`+E0dV^BJ`Iq^=T+*`xdA&VhZC3;CvXqZN%6Zi@!D5Yn~t7PqOi5;bnGPBr*6 z){7ev`4UbelqoU6gP*%eh-F6r0>?|YNeyQ5V8$YOq&WaD0^~fq%Yf!MBBxp+xM5#h z!A!68qsFPf*<{}? zNTBrC*I=S_NQ`3$D+oF&8vg+tlEck7SOHmukUM{XocIU7@PiHwZrvk5%p5~HQge8? za1rLuB*q`&Lapz!y{A~nyfZU?0;)dgt52|w<& zMR>PqSbjBZYu`7n&j@YJGBYFEv^gugwcjJ6dSmjD`u57H$`sq;z#byfyVnqnHH#Wc zDylt8=|XYX=kUG8RJT6b`#Vf?>IQ+)^edegz#oAll)xsy7L4CWf+-yW+$Y54Tq+>r zr}mVja&(3jr^bjZBR<%FgBS!HtAOppzvZvfhl+a5-iG@T^we5xA!Y09g)xkZ+|Vl2 zP0g;I%dqL7{sBBiJ7sK)Rk>hJmO@rxhU{}zCP_uE9aE2XKMKWz1#j^XKPrF{ScYLx zi(KmTzsIuL2~M~QwV$#9rt2@T&3GQuKPh7C){U+bDY=St@{Yfvc;7f6huN;TJ9y&mU)Lcn7tkzP6(zW8O>a{zP&7#YHyY_xYS= zHGmEj0=|{XrClIF@Zw2?VD||EG4G^(tpKC9OGKVy(~$;rXK@Jn7)1-F0R9Be1>bgV z$ydN)V*ylpYMl;*D)9>PZFiILz0zMNmk z*16=XOFAw}IFMN-FdCb6y{1EN%v0du2sPB~9vt9sWH;c^Dixp7MS<-?H zOet~kyBYWLuh;=U_MPfT(0h&xzY8b#c+h8qO%5R%^;BWnU%H`_fOl1h+y>LAndrs` zuPgzWDIqakjM%i1Xn>KD8m0hh)NqTT1fAgv9Q0jTy?y^I1)A0|T95WM*}9=)q0fQi zq=gA?_tp?2mt!JgyDuxHcJz!=0zJ)QOa764S`zs*@#=Efa6!jzMhd zq+b(h9HtWCH6wg)c=pM+$xU=qyZ2T43G4wz9aLGeVqpceO4gPFc#Vi6;$e0Wo*{xc zf+J|f0ol~D$71GuupdscFcxrbX5dv=@+pNMUjZ}oe*!T5v`qqcD@jKgsz~OOnL!k{ zX7oZx;ti<9xZ>pcfh(ZF(x;c+V1;ua@C45ZExubt2<%)lNWoqR;S{}$eDf|`)MQm% z*W)xsw^XrOY=6U#ZxTz!g(m6A5A)w;;(g=|>&TL!Vjr-UpJ;jc+4_80mIL$ZXwi%V zqWBE4+i~|I*0uK%`6>a@W&VE2hnK}`7&`jODuY?;@?h#z8#zPfP&rm`3`p?wSHUq| zGk9Nk)fnb8LK|66>fE_rJgfq^*Z$tD0^J%W;1tLKX%gFkYkR9cz`gfP>JRVe(mXWV zYM~M@^RgbT4uUUtiMC&sKA!GFazS+MwWRfJqHTO)U|pQ;0qQ73^oJy#fx5( z^%rkAfP1*wO{6g|%9+MMkZ;|%(vJ;{Y#4=`uCQlayF_7MgwzLQ;8I~l0sGF}{*WV= z?ULiG@B(7BjTKix+6j9o9V}u6dWrx0D;3zPQq&6rwN5F4Pg4bdqpi6f!DJf{>gN&i zr-OMQK}YctfZ}>!vlz__2dU_ZAC{&Fu33r1n~vs=&l|_4h#C9%`$qS>%{un&u@Oxo zNBg_WK8=eSxpdb{;+NA_x8akrZOZAIXUd6Ls&2iE_elL|?2k&n?cB+Z=JKgMTGM(x zF#mwE;?AiDf|-08gBLc%CQJey`UQA_14!u4%o&#OI`;Mk?0h!!vX>m2 zW<3tVWTfi~IW8c`k8myUsVhDvmVc_IQ4mB>WT`@B9M)_@1r+<&ixBt{PlaIqUjR5@ zGHR;yjR1sa1(>&v+P;2pWU)m*SG)>`LrPRcDnxA+RS1ax+Av)#$E|#qWu}upVQgdkF8Lfj zW}#zW)Maj79p)1a@6=UX$V|?NVZ2dbO`0iTiyBeh)-SNApI{JZHiZ=pM3I;|VgnxB z2{`;m1IQx?+-PtUG>(BS>L2$zYK;0vKN6>*%E#>QzV)DhcK9E0u@MUo%Xs?S#TkaJ zWMwK9_Q7#!JO+mZDF4B>IqzZM3WpDxOp#nZz$T+^35aTI7O&wd1KD|-HyuntPxV*v zv|<;My4WBs_p*1YVM^dF-}dp8U4u+s>-UmHp2RdWCsOW93iIcMx_xfb4S?!dInYZ{ z*1^Q+P~|20Wh+`()Q^ex6PvY`b&E=VUB`SXHS~)KI@YdS$jn*qbxcBsYd)adw2(rUewXlOuRp_*F19J#xgeu1!-_6F3*;yV2Y>00MIW0 zj_*&8=+D1h&JFp}auf`G=9Rx3$mXb+2r?Nd4s6F2Uo6zWl>-;JNT)2ZfJ`)T7N#oU zVD>C0IUUw1e}LNxQ^`xrujIw|SK?1nAr2UZoGYz2Bmo_!2e@Dli&6ooOWG=oi_CA+ zkC*CrmK~E92O#BDufR&nD~=&CPQQ>1OaxUh2s^*~CNqrNL52?WAjNE2^BVTo<$>hl zw|mJkBm>}K@H&)t)TZL+C~*mWjIN0yJ7))NXe{(`SDBw;x2g1uuY7>6s@vRz-n77= zs1U`;Z&1rEofXX{iTG?ggzALf1Y1^wqn>M;7&nriP00^WLOjvm4)`Y7A@~vZP^(XH zQR}$o-!T0tNU&iK0lflXp-GV@2tT!7J%r4UB>i>ILL~%b=4g?C;QGVE)2e6HU;Bf-%`iUOxv6XOuxJ&(>O#r_6A5)=yH)~Cf?!jiS9vmhoo|;oY=8N?+BoOZ1o8Z< zpw37d?k$gdmjro0g;D8QrLmc$Oj6aZiQrMhM7athDrbTf+cgh(zD0lNPA-88XMLyI zrSzEPk$7_X$DZiowOSLQqXEdMigpyMEr&+XjlqweO&*F4{IW-)YJZ&6XU*jozPn4l znVAIn$oHlPdS$Eb3-axe!q;Qt-VEF3VVSQCl^!H11^jf-k@Z(9<9TlEC)gqMBID+5 z$SC|yNuR4+GnoE>UZhgobO=yzFM16$MJ2Hiph^L!+yNv-^$2YAy2ho^m?e*TgcY39 zT8-Fz2!5R&?yjnx3?Rt9=H)OYxcQLzOg^Lx-td54K?792BOM*>hK{p>uBlo=RP4h6*XteNaB+1_A6@fD5*=Bu4h??5o<<#tM_&h6gY==laAPsEC&U@KB17!*8do)abO?84}v5tyyf z{38k4WBf4EAj_ISfv&mEMVrxpl|YCZ_&Q$lc=&qjDzkIL>*+^XFWmY)=+y*+Yj!pI zB0m-gPi5x*fP-<@n#&{U4l87lA1O`ObUekQvjNStcm)ip(NWp3J`==80<*UNas8d3 zl6d6BqkxR33_uEU5303#?HQ`Ray-*T|UwV@m8fu2n74IQO^2O^A zxu$4!CoYfJE4pU_c6|J7xQnGy;DnUNzQ{v54Gm{E!yzTMv55`uIxQ4E0Ozm6wmn?nG+FyW1DxF9t`+X39d@2<({f^A zFWF zftWmn>~;lQEx4Pa=-q+h|2&BhXWNQc6Vz;@HsZD}Vt84QyzPi^lGs&*f99gWmDzaE~Fz5Wz@0_sz)0asi=ZbFLnCqXZ1j zzcJV7BRn+AMe7I`|8gKfX|js$7YT3{fgn<4eEdHg0K(q6`Ut|%;n9{)0Gs`E^YIYP1)oty5yc%r^BM;TWu?)GA2u$Pun zF`2>~OAqC;ttS_ypJVUan(O#aMoXA}%|0C0!@92gDvoU6Q;P~Bmk2l>!cj*XSu4GW z3or>J!C~h@)(~0rE)-~;Bsu)u+8bqa6na(Mz(7M(5^b0|*q#UllDgl0rNkxm!IlG5 z+CMyopZ6f$2&skvK8YJ}jpsWa1LT8KwCX_>X3mf9UU*iHu%z%OfcXl6XTdqaCQnK< zzFf%W!>+x9oyamI42x4LZf>kLtw*!yu54oT zJ9ygS&`9QuoEkB^$Md7=If_IfAf-aAqhG$yXRyG9(Q26 zy~Z~I-4!Q?radsDoArDZqXlI1gJFHi1E8 z``zU^4kqn_;5R7<#-6NZ0#Ar)z896w}G^T2oioPNV^kc&HQz3r%CR1kPZtuE~S+KZ2c_nb7P4` zN-|AF82w(3tR^LBUZ?s77eJjTUD~psS-r+l)8r`+7CHiRg3<}*Ftiq1W0}fhwuGnP zoP6)EOC~*IcZ?V2q{)zL`wz^VXVlht{jvkQ*Dj1*BA8%h_C+3(`O0MEeOkV_u%K|( zt(#I2Q=p(iD3P(4-0aqpM;X1BjbAjJ%Zn;InrB+q9i8h2XS?C|FHf{&jcITxs$UoH z%{UP5Ol#h8t2Yi~rW?Y%N_h&9AN-ncHqX*g&INF@Xr8%8b+&pUjH6NDKQI!~%7?w# zCusSLD+H7c_FF1n5Tpv@lKwUa?wtSq>;y{I2BJ&8C8mMUJltMK%yh@m@ z6i8>lMc8q1XtuSs->wFAXQvJcAHB%#0$BtGD~bnZ^KdjpJ&cAQ5}v`{&(!{Qbc6oW zw(iP$1w#Hv+5*yB&n;;ekYz{k!abtJEMcfDohSpeuJmV@1FYH;%L6 zEPTM6+qk3x*6ViWr#5PL_4^42%M@9pN4C~(|({hy$$aP>1?sbG^rAt_+nvtLs4lj~_ zyqk4BAj_G+HKa&Tcw;x{+1||KgC!PrwA6ia%^r)qN*oXtaQqXHyC< zqD*|K5?rD_l+Fxz^cl7w9y5FxPr%v6JCfu8!7EN(JwI_w^w`KAVg_juroET%4OD$k za*fq`1=u-`0}=9qTo?_>&f-HfSzIW0oT_Ua!MJ(k3@Ui_4OTDE>c{EN2!n9^LxN!H zo@UK)%3k*0S8Rw&e$PZ|PUAKVW4VOwuM%)gB^FIzVdN@;(4ctUxL$9Z_LmtA)0Que z-Hd=u^_B70dV+iyIDY^WROQ<#$cK^Ur7d%vsxadQvyA=YB;Bm7fN6fzZXYBxa@`~+ z+lI&aO6!_c^Qf=5qn2Q*bp&czGjIJIi|-$QF3XLgB~r$S7A=o=~G+uKU} zfbW&FTo~yz3?{|u3Xrb~GI7f%+|0-Yvu#WLUaimM?B%C%z$d(~t85E6 znZildX8ufJ%Ie{trzRg=&h6N*PuJz-W#2eAjiZe1bOTUKnuXL)8kU$9JSF*MoIzp2 z5N3-gLAtyX9?~FYHWT~-4Z@N6KI{Whcvyv@GtU{OSF^r?6Nc5$PY-K`C1eRLtr=0n ztzJmsG?MCpdgxDt+LQ|IG880^-D*BU&nnC$HO4MT@P$?DNyk$802STIw_M3}b!02K z>>cHtp0NjwBD%9u1u+;+T8c0JBs3q)F&FeP70rcH6Rv~K;F-EL22`F1sidCsZc3T? z^H~Ook>J~@=MX!I^H%cDQ!&O&wsfLc^}VO+{FQTN5hgg*tU}aF*3$`-xUs9l+02R3 z{Mlc}2*y2zOq%9_sOGTPpxUq{;hkvY{kYRMVQ-ro7WQ3ghSS^+>#k-!51Q1S&FFI{ zITH+>wet>#O$GLLXrw#3AW%}?&#{*Z`AOPyu&xanRhTw4=+?H!Brd*-OzDZz#Y_Am zeUTUjYEgI7@SMYgnRxP3*=lsl7Jwg?03mX7QT%bkvT zOH&9Y>2n$2IeLG8g`Kz{9Y_xR1snj!03sPPzD4RES{zQiVyVZZ9DYf`1U$?j;7pn|5f3d?!X^9k?*}?9RR4K`71rw=FVw>GCoeSqgmoHH z%4mI5LwxQP3OzTOb9GokH(Lgp2+K5^LfVziQ(gGQT?`jVyj@N{gs6`sDj@iwsJ(z9Sj`ID+ zl1Fgll~#H0En0}aiWpPi_FjMO_jRH&P14o{Q2|7n>4i;UJ$f5 zkAtZ&>aHIG2gmzmv!pzWn^{s{ zng#D`5ZPo`3pk2dBh^xgY&2i7bx+}5roxGpv)(IVT@n&ZiPJeAG4z@gH_syAA&Zdf zAOD76&DzP>r#}4^$y6H)L7x7Os6ZeMLAQr zY?@>LR_qsK&}7Wy+eMuzM;X>o?wAYU{C_z6_Hd^A|9_+?h0>i47^!r?l2VwBR4Qe6 zsZ+_ZWbz}jGU5eMM#C56E=k=r^Osc<~)b7+1Tv-d+WYG-_QN|UEkjypWn4z zS1xVX>-~H^pO5F`@p!)8p`YasYMf#{TF44EP5?(#@GiQk8{^Xb@b@U11Kne_{53{eltB#$iT??i~*B5pry=)SEo*q@neBc%dQ3KGUNO6 zHn5BbI_*QQQ8V$k0)d5}NMw*D(+sguibHUBg_LWK_BI{dY zxhQ!lsL-ybV^v`^ONsItn7XY;yhK+|`(UXi(ajQ$KuTFgwdu3P+EXgv*`^iSdI3y; zacp0EwkhP2&~f1)eyin*gPcYEfRY5vAI$zM2iXHW#~@b{E-9XTF-aLrL32fM$TPS* zlH&G_{!J_VD+OIH*{Nv$-Kw`OdO`q(B6skV!t`8pf&qHy)Rs+%`+(Q9;@ZyAf@-XK zDF!kgcF759f~t(3gt6>1n(OVT27Guj zg)b3d-o9o}F?NIrOisBpO&5yux7Q%enOuLFzzl>&^lU{YGwj-KH4LcLbntxCz&$Zy9B(@~N^ z+9tpZFCO4hj~H#$_6n24nmMc7Qmn73X%>5PYVE{^+>2>#=zu4U^lUvk@aJ`g>q>%M z-Rl`ZfH7{9;IKj$&a}0_KoE}p)_z$8%5;LR;tWTqm^1>wekPey?8zzKP!;_c$Q;kM zmV)bw1)a$Bn)TyI3;b2Jb-izb*zoM2O@-TIcRD$->slzH7PzM zh(}X!B)?Yt7~~e(psF+$bq8?f5U1Jq<^)J0eE_$R?Hzw@h+Ry0H`q~2_r@U{wvr75 zO~=G8B*Jxs=$rY&kF3()kYfZUl0y%7R_@)s40I0PV>%iD;kq0k)Axy60ZDk@@5}I| zA{G4tl_E*|y-s%|BN{D7oF_3A8;?xX&k9<;#6MU~ZK#_}W?%rx*-LnD#rg+4e4n|C zuDN8*>ITPbSh)C?p;^_?ITNtM|4X$tJBkig3zt}80|=7@g6Yiy<0F#esYiYwuc)V% zS;qIP!9(VP;cI{3cpwu@0lHmo?s`@nbPz;A_s2UD*T4Y|$xdv6AQm}V2Uq~OwFmFw zJg97f3a9*>J~rXe3)sFka-jr1*7M82YNh3a&&Rd|BQ}$c|B6%n(K0r{c22;J$Ngd@ zTPdLuN(u3nxB}Gpusben+<4-yBquZ?;iOGgAu2$GQgCgoX$A7Q;bP z7X635ipUSKhdS?c;rc6>tgfx>`aPaZpjIK+$E(Lk2&;TUy{Xn zA|($C0fB>FmOjCI_X^f$_LDVM!9vr0itXMed$mA0UY$^1Y1DGVWiDYcWqwImXxRi} z!zf!&oYjgkjy~FC5u4MFjESu(3&ILMdm>`Q<#5&<*h!6@+&Xv^e7vWBF?wzd`bo4Xkq}nnz{hByEJaSslE-0|SOAtl<6VK7x=Sf&*(sSb=#TwfSE;g5J&m{Pz_F=ml(86<`#r zR;c`I;@bA;IR>t7^~>46X82*85IbJ)c2F}6E&)^{0E|a9uIkh;7B-eLyjRv5!xyq0uZj<+DSOUa=(IP4HTElgk_& zRpHnTW!Ve*zTru4QRA<9uZFzmv|E+|OA0IKC9==dtjSGIu1>}}GwsLf5c%^^(j(p7 z5cN)RjgKHM!n4_1XET?RzVxWJ6tn7w6|u}aBc7d=qwd(O+s$^fl=Dk|y1|%%>Fy*r2?5Shst~d(^$-fZ1uN zg$0_sZX;;ji0x&=n{_|_GPKnwVGJG*pQH|24)EmQzsPt}a1;K^R;qz;1TG+sN^WzM z%m{dM*!PyJdlSpgi@#CIzv4LCb{t|((b&4()z<45Z))n`>SPY@>g!rPm^P`vc2aL@ z&VD#$U5!M1-0ex}G*;~~#+aBSbj0sAaVJlw%~VC56O;iw_YRXgI8NGtIv{JBjCl6Z zLQtw?=#o3g7*4m0C&L9tm49iY2+V9{Csj1*4!7j+C#M@xDiT%KALx7SSuOeG=}sw!3n(W+ zZ&5SRlOVs!n>aV)KhV_rVwzix3VOVXb`9xejYBv#9WR5cGrQiPf`d}kgqiBYhYk|= z_Q}v&ZqjQs)l`0_*uSUUM;M{Ktliw#{u!j*^T}Y#=yLa`PI`92e-XiV^5It zTFs**C~>1sv2@WWqY)6;|MF%<_f3V8`7KY1iS_qWH~BdxQh~vv93e2ZEGf|DsSLQzGG|btk2n3xuCiYmlkzDf!loX`1kv~XgWD}kRIi= zNJ%ppdss%?s>R3$b>?gkX#49*l;dm{h`D^XwbbG!n$s7$us_*W+@1_+b<~mWHINM$ zvW*TNDODteElq8%7*VS+U;1XXW{95s6aaai318mLE;hZfa%}oD`VKiYbfmsMKQTM} z^yFs2Qw8JGf+@dqeZyGE^R35E84Iw^h#im}CU1Dc!4In2CiXSn6A1hAFr1FKr+$k| zPN?Ju&U(xO^dvvdHmUkhQ&tm}rz_MvxYAe8uSSeU<+`|1*B?I3OjGxW1}2 zEXr%A1m)Th<%9xeRnm$l4hhOE;?tp&I>|@4#PWN&8uYE+yk``#yu1i8fRCZmHRa$L zM7p+;R@{1yCjTbY+n%X8XU`RH7EDDV!#yu(l)!M$!YMcIsi@9-T6zIXzLoZo@gj&9 zJv`WL(7wQvnV8;;H=oy{pf+~7rv)5#dhR(>++|Vjf|&P};x&^tU89WLjItImAq_?Y zuITSXGn2B)OF<_9u(G&PniH&|Nl`ZyM1Or!Njogj-cp3b?SQ;$s?Tn|!lz zzCKDFHYiH8l9K&EaXztg;VuT>Rh#!Px90QLyvzzqj*htLrnMQAt0jo*Lsc@4m7o_; zQDy-IDtfty4P7DYJlZRNjql(x-xwpjc8YCK{Yny{cUwwNe+4%hm@jX7s@jMdm;!c1I7*YBY@M)}=Vu3;M@5k|Z=B=?Ucv$;Vna~60 zJy&NRo{To*3Sc3sK!sg-l%IO?KW9+^18=}+5aYh%J&CWcWcB{#$G{|D@X>Nf=bDMj zOsgT0;{B$uv+}5h&n+zU_%V56|CaIOJTMn`y$}wymn>e~$xU~&rfceiz~-tY=0zp8 z@g{+q6f>Q}E{4dZtDTs*1@mNJxRt|}8tD<2S)lb7ZQG5Ou9`T_>5ZDQ!aYDCi%zcS zZXY=`|6q{M9UAym+G^gWs>*rm{|y|_uk`9@MO9%icb1A3O7}@WuCU8 z#6JQ=guqQD33E+00w%ykazwL8dqJ5tY_6UxRx^bx`b;tMCqj7{LyNg~C_yD!&?{`G z@=U3Vi)1)q{&G=hcN%P|%ND`;riy1yz@fbH7Q&r3Y52t)I7-aMp*s|un30A>B-FgW zn>9Jh*+BRR{EA%wW|@jr;1J)(x}rN#Q+aC0TUEpUO1?#U%Qz9;jl>uM5E3w-04jF= zz6lVbN5R0H=E~K%AU@fC8uDPpJk_Scj9WRPXvGfoyHZ?LdcES6+JG3I5x7thD;;dm znDlJ|dWx$g62GCs5)QO`uk8_t0EbAODu3ml-~SWwDlu5fEQSixo$YYLg-oVnz!NkW zJDnu#$%Bcesr+RkOq_@bU(6lZ3h<18Z_gsUy} zB^}$9MtC}B=V`p`i9n*Z@dL)!&r2ijjstof5p;;;p)N$wYIv^60~e@2S6_)QCmfz@ zf)0U7;5$U_QB(DRl0`f^SF~vs{{3rC_(0dRD0A<&DaYN!H9voD2@Y;*4OBaY1$Ty> zE#k3)4K!we%4Bm&{dlVNHi3;}(@nTwD0_#o^$b+*en7|MF8lYYYF6p)pl!9HB0lh7-{>vTs#4CZD^$k%JB0{NEp&$Q<6t z9M;kv`G}FceiTMYMUOAG3Wm6NiNGy<(k*;u&KoU&<7s9LUU|-Rc1t5dZd_TD_7YM# z&dYmLu05|s0$qqE*3z&L)kfo-5ZBm1ebN=ZZh!kOtpMMUKNCz$H1A*QZSTR4{b{3~ zY%c&TUQODoew2c1+^Mv*qd0{6VwLT#grK{Bk`zzn-FS*O|4P%y@)WFBxi?cIFK>+4 zBr*=5;V`d46E85v>)F^%7rko3=Hc{ZwJEb()Oz$3%UC^%Gwxymob=(fcH6SBkpLDn z7YUp5&`dcr6DAT7BwR^;8bLTwv{Pysyu&QB=JHR}%IR1C-LvkORbBl9ad+oL(W>y} zJTyN~QdwC$=P8*DqXH`ihBJ#N_zix(TVnlBC+wy@t$6r~mYu*Bs+2gWbw)9G2io^} zl8p0%T5zFhUL<4m$?8L8KzkQwhyb=N2uVCMT|1#h>O|^WJHF)P3y?`g^i|;1{0OC6 zhEm^m-%v5<)f`s)@qB*3ZDc4;wds-mS%EL)G2ul;x5BE!!;B{g#$t?q5|ziaC$3R{6|r6qn*zbCU)ozVRic6m6P`VtEYyA z>~h=#wROS*D!+hBU}rLf-gs^pfh%#)VE3lQNi<#aajz!&qu*e%9pIxNj*Dv|_#DC%ML;XmeDftyXGwD>F%!w{) zy=aDp&LkM|7@-B)a7jp?awfo)yJUkN#{W)!MIr%O!a(-|$Ls+yf>0FJ))AH~lcucx z%b);)s7^ahDq8A|4mNmH0k)t5TY!mvz<4@TUMw6rYN-%s`G8H3om6}7ma*3?>clip zhh*8thA(D3ghVqHGYMI^=ndT`(X)#uANzR(VUqy23qLfzIeg$^2CKZPoN>%GAH^Tq zHX1R%Y3)I<%*z{V_aJAKU-Q>vN5`=yIi5Xc?q3ei@w0FW#HgPw_nV+|Gugm=y)CR8 z@RNK%DT&VurrtVcd75mTo635a0Hi|E^E_NQ|2~Z40^`(rhqTz^r~PpP2lRqcK$fz6 z#DDh;ZdD!zOZ#nQ($Hd>1mi89^cEMvmcJ^At5?g2t%pevg-0~pu?*mz8ouq#{%2yY zQ?Z0BC0Z(EIa*`hOnU-YkCXXw(ECL>p5hzv?PFNQyi(Z?+wt01PRM-K*t$fTATJ>7HNTyn(3DHF} z*sLs0jLjLv;-^NzN*8I7O8HjyWsa^OV}2hTHS-XTCbpV+ru8FUk_1=tK&YRF_l=Dx z4A}*rpxDW{&B*U=nVXc=k8)+`aZx(UU1n-TX(%tb%=e9gdKb?ciQQEGEO0iNEcO$q z38uc~n&hE)lsp*UH+asr_rje4N*)*z19f0xuNU^}qD$DG=wT&c1jAuQGyyY@`L9yJ z%8Q2$tm+7|%Sw_FnD7mZZzY+cIt(wDPw>0^e6Red55*EjvFy`Wbe5v;0}LBp5f&I* zdhS&fOPE9}nu3vxFGL?DAv)wV-lFEgrQX%3j+Pgi-}6uuK$v^QnRY|v&woE2`|L+F zx9*1=a(LCXHFegjc6}c|!jMk2zW6vS(_DkwrFEA72BBX1%QB?ql{+RJfB1eM?s+)n z1t$-Ca@@hy17v*K&1_K^Z!2grT{GTcv17@uRy5}=Nd>@xgoUm?*QbgUvlZRlWB==q z4;%~?CJXHUSa8jlI%Anl<)WzEY=y0$Yx+v_zBcPdbvLOZ&&E8jKmF13<5%5P~=vo zqh^GQE`I%4qRxXdTkdE$-h6qc1RR=7boWtIWc&c21?nBSP;K`^MZWoB6dm)_W$1`5 zOl=jn`NI1&!r>+}k){&sLJ%^UsdWp}k6!5HblD*r?S#=Vu0M=RfUMv`i|GHp9so-wCVQS2B3>7Azm*N| zyFi1W%gZrd!Odafvw~)AT1asLijqLafBB?ja4Io5HUs{CeJPlq1*T-` z@ryx%V#xwr7zLm#Iekj+fW7V=D@jv*Gm=il15K9>}9E1v>r;yY*=unvWhyS%1 zETFb}s17Ix=Awd|4(cmS{;;jgamh6CEX9mHDys2JE+c>6+TfWF-TG3Ab>oyz$BdfN zuyiM~$`^mCktFb;gyDfv(zeC4_17>kPtFWq0(DJN1i6ca+*; zqA7z0*r%pO#6Nlo;wA6!-s+(xZE*NP9HM^&_B!sLfv>2=%m)$?{b=~u(RL`O7_$Jb zZpQ*p+tPXApRfD(*TcJHofflHGtGG8Np1*XBLc~3w!^dNIp7J#l@tFw$~Z_}8aT0o zaFqY7vSvaLJyXj-F~Is`qPB@q-A+jB_w*bfVl2@LVLC1Sc_B_`Ll#e$g!8K4tIYL!TVEgw?WFL@#AXY|Y{&h)I;FldO| zw9DdT*TPpzSNv&&vdA^#HQ5G@SdW~cES#L$#ZpaF0H=mg0uBkLgZ=OIWoP)6l9NDz@`pt& z*Mo+P?t}h!NPhHj-3ODahjo1yifzs=f65^pzSrG6fujK9Ieg~dQ$p;?+*o(+eQ>bl-RYV~P=yD_+~x|{=; zpV&heLzbq^lUd128Up;@7T{!qGMM0NbS~unl3FRIwJTew+wmdW0|!-;LeBlJej^*a zgX?>>Hv{K({To=ux-k;X3ad6Sy(j1AQi-BX8M)66WMmQz^N-xS5V09 zF4H;k8h0w&j$+#*xEzYopIOXnvyANfIdt(?`30ylYeXYv!R^^P<(#@!-yf^Y9}LRa zm?F>WBR1cUxu`ROHTkkvOHem9v5dALujvQLz2pQv%T}-I$Ay9C$T(|3Mc8L=4x*u5 zKyF7Henj!f+}ps)?GR_i=2xy7N2hw9N6AJ_nUYO=Zy=4zBwLru&>B?<2(oR1BdTets4|Z!exBh$v^<}r&g+V6K@If+~;>b+>pU>UsHCEcd>6DgCPfKn6yI`5oqmV$ke zP|T2sVd6A#CxS06)^+>OPIu=)35$BbY2is}Z_VV9YS@HV*zei6{0XVVYxtl5Palh0{oMY&9Oyw+JrSF2 zLEeKT9jo!&UX3v_?3w}mzOdjHB5$yfM+d2vV@S}beH}!;RMPHS8_>z zG)y>RC?235tr^)M0=lG~|64;md}Slh?XXah62;{eBCX#J)ou6dz3AyblisVxbt?>7 zDNfXn6D4{Jzk3U3tuYesDrl(#7Qu2zq2WHKRRXplmKk|`o6fCWx9-q{DfcNKKh&3A ztne*DHCyfie9_chbHQSTYrwhji+9ke6f2JM534*E<6S}2;DP8`@5hRJx9nByS{T)n zw!EP`ZDY!HYJL-Kr2dfbJbL|ui+cR$1*;!*&Sp? z$;*riH8Cogv09S_=A>jhUW9RhK_Iw(uLpXb7CtXWUH*PF+(okbV8VY?Zg!Dmfl9Ag z%mHsm{(l6{eOV~)2OL|=t!4b`pDU6YG7)ZD|L@(Eq&$pPL#;3-=-TP?-h6-SXoO=S z2CPa;fq0+%6-I*TePpxYWxi{k_@7tPcttC^6Q!H4O{>~}w*5@M%>YEQnrdCUIHKDN zLFZsCX@o5uzp4sC#0nwcxew%3k^ZlyhKFc&SJabB)p_>2LGxFhDY~#nbY4r1^&xKt zL@8ZpuGGgp$8#!CoSbK2^s&7?G->liOG>d4g#R-w+@V>&TiqSEslPuSg1iGI++TV> zmVn|z%N-C4VgS{m!RcWd#H9Bc5s3|MTV18;7Nat)Q$#MDUykLNFKCAV`}fw;WOW(x1qN zzq&m-sB)NLJa7U;`V+{~O~;#l%3YN6dzBQaL}Fj62qPTM#1USas41C1j!p4CgbY0q zH(#`a0iqz)K=Xsm{dcw*Opv^B(|}RDqXl!dN$QWvXA9RV)iv&C#(V)^+7?my7SkTJ z{_v6?jE9Fz{LJ>cT@E*%BP+t)zA8RM+5GTY@?qqBK*4dQ~LljXS88 z(u+MbWAWIC&PGnX(Z>WX3;WN`wOFn(W4hBMeqo{#cYa46HgqOMUCQC-e>Bjt&hnTWCF;m)!-)%CmO3K`I0KFkni68t&wK{aFaa4dJZkijo3W$>_!sz2&N zu^;M@84OzA6qB%`F%TA506B{RA0pH^;I8YF_P2Sl)l`wUjj~cev!o08 ztE&1*(5VLrR$Gkap@(MDk>khUk6P(+=rD0hv1XnqClopfOo_ZXU!CmW??B;R+w1*I zt*>C4!+Q6m=g~_)2LsnXF#DRVc%hSsmvOBYB}XVJ8P8fT33CJ`BL;hjc^YR=i;`z5 z-eTsMWn+D1z#cNyhGah5M4{jyOZD|@(9+Cj08K>TDWyI;L+D?f^3OtYgDbsb>kyDM zv9-)c;_8$KYyVDpWaX<+PNt{{BW&u2i^t*f;txilsA)ik=wCrBhT$PC2=9^XVQU1x zvlPZ5iu?L2ku8<tQSt;CAnz!sz1#owvRJE~Vj5+53`UsjcjA|QfxhOpg`|MyLnDlv5| z)fW9Dd;pr$J2@_*G+150f#S@1KY;ij0IQFkKO#;cuIoK32*>PR9bE!&txc!=98SjAhk6 z#A^>4YPLwE8MgC*LvtV2Wj~feA7Mm?Petpabj2kU#Igc<4rF7>wHn0Q{dG^Z^I@Log}80w~}#$NI_vx?d)|Cd@f*y{pvmA#b7-P zLZESlSoL|~k&&=k>Oe4z$b3i&$({fmg_H^}#KLL@@j+F`q?-D7ksL43Ua6!3?Ndnn zIy~)FGH_A3P2Zy4`5Sp)b68j-`AlrpOU{UT35E*E14@_*m&W}rArM{U)E{F z#puuM{QN~`6jfZkvwBqTX!Gv8bxqU>Ws9ogiZTy(B`EuW*l2V&J7E8L(m6OBP78Gs z<-Q*ZEegeJRsR54oB`E#vG=O^_&IXA26*i-na-R=!uVGv@a z`jgxK3~OswYIuhc^@)er}sKG=9r z=2V^hR%z{@Dl&VdI1dwO&whXJwT2A6)sNzymorVy%To^;G!V@a#2%Ga!sD_K0lk#H z@#`Mx9?LEh?HjWH{wZ3Y3fDgH4rgbu1y^Qn2F;FPV9>c*?vQ)sufVaJL3`GS0h!eX z#_zyf^7GQMdG*4^Y^e(wV4(E9e}iDYnqgz-;Cu4RbZ*A`3S}uJv&Ek?ed>Sxf+>V7 z9^hVe^yAYQHky~awWT@Z)D%Qe)ywp-uL@2HYn_9JLfk54i&s?Xbg5uQE!QY%&r&y` zsaDQA+!I4dJ z_B=y<)Y~*Oix+8#Dx*pM`Mqy5zwNZ{h;-k*xO)B4+O6greV$mhw54bu0vx88BawIP z@OzzKoa7zJy&OKFz2yt*IAv=c|jJ?jE*hflT$TiM-w$H-}v zXr}uGhoH+FK#(JM6rER)_*hbqO`i_m8)qK7;&o@cGWx3NRac1a)hgt*>tAkN3w3Q| zmGKTJowHX9KE1t|7{@1kZu+$NgYecZ50QaIjRVc1>jyG3(USc0&4Lxeih2^&l2&le zI#nO8fSo>_ao%K?r_sXC!}q>9dFC_lRY7?fZVnk@=G1-nx+x3yzL+}ish>hj%i&Mj z1rEjg3$Ef16~w5kuF<`osn{nTUVN|al*Un`V)+!A$Rr@hfLN(Jg^>b1V11n)i3Z^> z6sBY=g)kbU8)rYfkot@t+SYq}C7iAjHhx|njUzu&b$Ss91mQXHfgsWBd)9N=<(IuR zdr-_M5WTr8^q;X8aeiyW{WDTEyvYo*9F!UHRGez>m99?^vJPt*mA(7JXkY~wX9QLC z45qtb(=oC=pYIVCo_W6o%3;{G@?NK~9E615J5eV1dp}_04zjedSmM!PubZFl$&M>Fv?&v1H+$&a>^ zwO=kJjdo9_nH4<5({pAkQ;!eq)_u|_eYRj~_0HiJY3e3IStq@z?J9`b5!W9Y>cuat z0&F*@ZMnPrN?LAS;pe@c8_|2Md=^P{dk?&SopAU8ZdKRY_;;ao@4MZnOBKkG zn(|&D4ff<0^_Yed>a7vWw6{F2*u>K~)M7inzv;#vrKct)S-E@nG~27A0{dH5TM=CD zTV4O+Ljb0EI@#9djJ;-03T5Q!EA%Z6{pHTVhPDOxDVNL%`L|<=vO(> z&U_LFAwK?y}GiW%EfbYqCw%uK)#~yNAbleZ;tY>ra1;)8`4^g(T;Bd zPTZMNrLW%pd*hg6~SJI~`ezPwZ-THu`@NiXXcCG1gbp*?{^xo$APL*LsjH^?8l(6!W^vFJ#e$Z}#kM z`>{KkL$^0(JI+q8<+iI!DJfRVja}cOdO}k_aUv_@q)_L&qq5VdlMU$OI;d@y;y%M7 z<3(n61MxjA&L(h~Y^TO=Jpe1d>(Yb}79Y%?)QM-sRi8Z9*jTY>7rvO20E*mM;UI6o zcTE0BRXHj1pfl_0r@B8kyi9ToF?`|jR7v&52hcCb8uMSfoJTF=aFcI8w1EW&3wrW* zyf@i4M!G6qT)1sxoRx9^{Wab~heCM|2;{8Q@Gbs|$DUM{)lnK~-? zxas`iJvncr_3mh0*oyqpec|2R+k+OK9or82m|s_a_&uFW%PS761wZR&|N4WlMN%^r zq0kAQ7hTw1J$9vd!@|$LBk~O_Z0sM*{W+7@4exE- z-JE5HLjx@x;#aEnjaBBuoz~#CaS;YNuFcbO^|r>(7FKuK5%}FmdcQAGz1Nzvc2;ww0vr$<-2SSH&`dmuq z?Wz1LCc_U_VQuA<+E(7{YQ`ukOR^~#Sy6%lzOGh%o2YFysm;}t;pF*T(i}e-Uk~L^ zWeW_uPpR%0r2+5nIUL5JH~2mYo3Emssyqd5S^*k2WJ9CtzU-1>olLXVuiB;BDo9-U zfsR`wK=Y^l3;4Ucd2AAlFu)}u&kTQ+3ps`DTTV2%1OgZkfX^pAJ4mxot#Hmu)L?DMlA#=0hV%2m9H zUGhj-I}F*FltmhB{@j5679alTgsuBF7j66{pth3_>4^Ub*{akvelZw83(T&AkcquKipXmy?kqUZ1~R2aXnR1o9tfc_N^BV+(_?j`&rXt z4xy)575EjmAZmp#iB84Ic6vw8Ej`B>e1qKAe$w_Ld^*a}c#qPTLm=M5$s*(O>k8~~ zH$5PJ_d)-xhEl>+0>v4kdPXDcdf@t7`z#v>(j9T(3H^Pyib7{k2$P-!PR#TjLY<<7 zHd}S}ZDGhR(=F40G6meL-X_U8I^ydE`6f46UdP&7`Uhv$FS6nv^lRSZp%dtxGnd^d zT_Nt@@F44qxlT&vx+3IqR)83RPpf$K`SQ>brkYrI`j6PbDp2{O{YHB0*E-_=Y*5$< zZFMU5JNfdcXJDwr+U8slZjfO5$CVit{9lE*)^hlzN8t}DcId?q^zpZ;vdch|sQXOa z^a^?Qqz4eZzB?Qq{tn)#h`AY*@`q?zNz%H8kAaB`=cF7YPR=#) znn@-88r2f5nxN6(sm3_fycIl|38?0zeL|qR=Ti)M012!0Z0lF9Q|}gyCia6&;1+}? z{Zwa}8&qX+n|F9p(B|8AOm@2|82!DwGKOQcQU|t1Y}mGf6~@h)0DXwK9)#F4T>7f; zAy^wCS|oQ*lWj~3__rUwFPW+VY;0!$ISE%XNrOp3C}E7+xNAXwBV>Z|orec+%M5Q{ z-0{`p*?o5HskPp1ZtsG<{slC322IyKDB4h+?`yV0b#Rw&a>KQCmt7~4U8e7BylT2^ z5xy}>=Svkl4qTjW7eD2?Q%NrpH~KRb`m~V{iOhzSJ-uCIVB*+O;Me>@)mXXKxkG1- zOOFMjz&Ul+Dtd$7PFR0x)qyRdMcdVjw#((;p2vOIqV~Y~>(s`GKPytwn_n$1YnBZ< zIBk841RNEUcJIS6`Y|*@R*$}fgm3}0*JI>laM+sGXXF3T1UNdt6T7bY`kD?rG zo9%?)9@@mi9F8(S)xvK5Kylv^@$BxhwuGxrueh07ubbb+C~;f99oi~PxO1R7BJ*IQ zO<<{A;W?7&$oOGrQjeP4=fxk@XJRfcTqlG+dysC4p0C4IUgcsreaP|IIDC(UU4k8E~`F%ua>Xq+Q z-n08O!u8KRL7QH$eNZ0M>hgCT1VmF5sSuU4=lofKRSgZw{nc(E9Q!)IQqqOq{a(-P z54y|TP%yuDQ$C()HuJ7IZA-{1Henghh0D`Y^s#j(%})ew%}``W+a=!WIV8;+Z#`rEkQ z6u_-Ni^)u_Xtj%~-&b&fdie5)M_Vl*l%8Ip*LylsRtsZzrh}bf`0w!vHkWZYB9)q$&t&yc(6Nj5 zee2Z@A2h4JVL?H69Uw zcDmH(AH-u#@XGti4D)TV++5+%A_wXxJfvE+J>?YIDwdm0Lhf-4n=4OO<5!VTg&mtK z4F6h#XUfuvCw2t9Huyi>jOrPC|KX0 zw+w^h3^XKIs(EGMS;sOM7mAxmEzz0Vp0O}~8 zM}A12+Zl5t((XV{*HkF~rHAD;cy@4^hnd;P&>1PnF?w!e`7wR9dIrzYjO?(;iu%El)juQiW&8gDGUm#u|6UxLNqd$-^e3dy^6j+4KfE zb;a7U#0Kf6WG?PMVgBUF#pMUcBeJmOi(fM* zT#a_@F^E@68Y9y_IcB=Hh3}jTrlh+sdxb6Lj{^+Uc?^}AUp5w>LCZ$59bf0(=qZRt zdY}T~;rsR;>9yDDvAEP~`+CRTdD@A8odqB^%+muZ!7}~uJ)r{s5_J{)R|bBWm_&9p zecG}$K-LDho1)$y-&|MconyA#x4L%0lDW#?tm@orh21#@mHYRow!g>_&!r%&t39jS za5JT)f0I-Z_?{nNCj zl(Y}f6Ilbk1zLvFVlSRkF8rA!_Yrxc&wk_$vxCKjx0+q%rxs=SS2dCnt zf<;Tcv=I6+qrm3meF3Eoem{1{&SJynf4H!i5xPo|?t=XQFZHLhoTSj3Emol8T6 zhlEQ#qXIcR4f9&C;)E@0Ga7h(-FhA`n3r`=+LE=MC8WV%wX=?lvnxja-V)DSOt@qb zJ}m)^4V{9a%E@H}Z$(t;enJ0Iud1_aVsJ%vM|#hUtjeX~(BY1eH@$ts0P3Q1t*Yppcp@UG##QsUhHt~hX$8dcaqR39sV169*Qz0T;>Ov%7ENKH>hMgHBP6!ihalp# z$bMfKBf4dVfBK-z$XjWM-AZ(1ug}Lm47pnnq*Oe@UF~od6hAoe;+B(ONmho60VKA? z7KHdv8`jJ;EJx@=yIP$fzh^ ztC8A#y6e#fwmd501VUUEV}9UkW2Hm(z2ZDf0n5XNw=g!jkd?R>=0g9YntlN7e!#Rb z5mwPayu!=3LM^tAVdAYlnysX`y^0TjTgSOyzu$P$z3cNrBBc4bFYhM*tl>YMgvC$ zV_5?5X;l(GgyQ_|bD0T4th#nglAxk}Uf=da!`)|z>z!|3J%N!Kd-A0&K2udrQRBrV zDP+HT`7eX%f@(r_e<$7TZ?^e0NuJ4!mrFzrSLHvK$U5t-O^{ne^)H?F6?DFo>Qh~$ zd;GrAhd17+JObS+X%E7a4@=?rU3sHn=nrgtpV|%IEbZd8wrniu!DX)1+Lzk-hjc=A z?}`(_m7I+M&anVsf8q0ZJg{+GBhyFC&+hj>J|20j`{Qp8sm}$|cA_NIKr_u^`v)tZ zC}!`kRl}-;<;JxvwQ8BvZ|#P*x##jXt!Xjle@qlSAw1lE!Y}E3?5fYcmz=V{MX{rl zpvN*+=8*1Vy2<)z2r^oC?*+XTR*DaJ25_G&HRDs>Rs#G`?etI><9vDbDx;_!rpK6} zmWmK&U4zG|PI+nN=h*l|lM#vXNstB@kO}-VpV(ClDl~;c>e6EF1+^LwcQwT<-C~XZ zm{HaK-S zS83ay!UOj{pT%z(R}W~o3_|mloe%8u&$bP3Jiz|o6!0X%hSzd+CMgNeYEjL6TYQ_87%j{z31Rz~s0K3b%Xg zY^<|$;pd~qrjn!=MsC=s=_$O11$`}@9;7;^rRux&!Vep$NI(X+PV;|i$>sU_()DP} zCpYAbG2$o7H~9VPIyrNarKe1HC+ugQzk6Ia_wAePRgY7oZ|ZBUi`l+0JW|1!omjV! zMDb7js586mrb@*p`lzHu6?{fvP0c}1_6(ZT(lby*)?9*Z8mQT1vX<9OToAHJpqMO%^zkrP zD~CcoB9VLZcS}LV%VTRJcU=AC58CRti!J1_**1~%!kACuQWCWK?49wOYbsXSdKP3? zt6eR?hA@Y}8tYVd?%h+Z!Gb>G>P4#uUhOH3Ya@sT2oo*|#^TgpJJ5hdhjz7(@u^<1 zib_@r#E}c-9eF6=yKwrax@gLHBJ-t7uVtXd_>f1hnf#N41?AK6T~Cm+_SELjo!(n2 zpG%!q3+xXgXAC9p0kp4Tvfx+rI)#3=$?Sxp$<%9PfEHId-PqsNnRw#=aQ4+vQFm?E1EQcb zNJtGO-O`;RpdcvWkP<4*P}1EXp}^1`N`rI^NJ~h=fPhGs#E=6cd_UCtdG7mt*Ymya z_x~ixmEII6#fC?Q>&It;(htIKw zfhS>zsqEp;WMZMr`RRU+B$D%hkRbQ%T~)l5Ptld=zC^JVnBn^(kw>-b>s!HrrC$4B z5?z2Eoa|1JHYjojuBNqoHP{7#MX|-^&7S{zYZZLhQ!&MnUfxkr0MnEG;Uy4`N1<)pAuZ=F> zjSl`%1o$v*<@|EDPl@8OXC)oRcf?Co;S)Og+ThVTju%af<8MI>vg367lVy;HARCI& zFJ`~Ws~b`MF8mxxoJT`@tHC(0;l3^o`_}PS`=Oo>N5|ip&G}q~p1-cX5>YIH#;d#_ zSQ0CI7l4Uo^Pi$=A2ZirwOz4);pv!h9zDY(=YUVnDr3z)KkO-+Xb5=@L#B7dlA5ma zj~8n^K6}zC%RN{2A5`!B=;0N&GyjIjkQ-x9=JG)1pt5q{Cjgi=nsypF=Za+00%b#G zBWAr%=A1Iq&79L{gA{NK^JVdtBdNo}oPcUe6HZjuY%EE`AZ>iO5GEEKY^SKYXu(~J zT%(f@P+0%?j^Ttti>ZlFzGR6_n)o^cyCWBm<5$}{?U?Nq=>v#dN>?dBVP_P zskq|Y{^0lRnM2UFN;48++nYA?xr$k<`(>Cmk~!~Fxz`G(b!lpD-lxEG%?kpdbBQ7$ z`Bx@|_g#nR%l?ARkFX}MW5k{aHrK7x8{X{ng)8!zbw_z&@n+6deC44qR!tVPeEZO; z|2)C?=cXr?``$drAD?{t;lXo1T5qfN5SKCDwHj%ghIqmzpSYPt z{p6rvb|3c+z1vQZ5?NxRB01U3>j5q3diTbLh(QDP8XJ7r0PEQy>Q*tLJcnD z*e1*Ux)e2Qo&!=CIv;$o{1k5`&iA23Tn1$k^ub|hSB*9L+Nu?uXdUFjXMlQ9;e>W6 zuniPEKwG@{f?xm~a*(}F!Q0Ht9Z49%`R=*m1lbJ}Dq*(=XJ{F^WEU^D3<<1=NW;As zUsB>SE+aY5pCZSNn|U6kNecHwk8+TRzIrKBl_cym+Yarv;+S!JXolo%TiBjoBB7)H-DcLM4vV1H zujQU|TPZVg@5_&pKnPu|AHVw|L1KVqgvZgxS6b8NRlTL3qGgQjEokm zxjpE&v)azk(LmfKWYpuvh@D|@l3NJu)#dckX|r=A`iQ8ESz0He!*lx9*pF(vM!39` zUiXIA8kyC|9J+x^%Q!x41Qb_+VbgoZuvpEZL! z$aBpXLt_w?1mIrB*bC;tMI92*R@~0*R%Vb@sN$-kPJB89$At*%J#FfhXE9~73PAj3 zL1OClIyz+r$wn7Q*h?4t==YP>`0^NTj4O@SF?wHa?3)3iF6yT=){Qu5>Q7qjhd!+C zz7S8ZkE?UPb=kH8f7zxh3eICq;#)GpqWm__k)*kO!k!51q?iO4`nUe(k4?v>9mBm# zSokpc?Q6^stW#j#lX<`En(Kx2A?_V1mP-F$q6m{h7IAz0O+RZp4<@(LN;~)z+xJow z9@!ASh18qHk+P%1APH8B&NV)uPIf>muhB=5@r1MS5XDzd-yxh{5abUT3c?qkzF$Wb zs)tw@QUdF{J*}pCS@1CGE)^#WysA*cXXPm#1YJ*5v)+$BOfcSRBX82`HC*kvZ`Ni0 z(71;E<@?FL7>h}j`kDq8%Lx0b5MP+ z1~umN1d;EesTF-zG~(@j>*IGt;?qVdFH0o)dmbx;>)& zvS7})a+O+_tDsKcCoDAo2dg}2yM#9^IQ}siesA*kV%fnVFFaoTA1fG-oH3_usLm`2 zWztz%bM3L(UK<%OfJjnlZ#@&a8%N&E(J37fUi@To`w7A_^ckhB70m-^AP2dI3_9qh zALd}`@AFel<_~me^=G9oT)Q_mvfb??o4$uo7fCc8PS)M=?7cN7HEz%HVx!{=XKDBQ zsBhZeu-eLEE9ZZc8I1~lOv*s0ghnAi;tKz0y}U>kWOmfo_1PxxiRNIsAN7D{m%aV5 z?(xwfqb&dHaZP2Zo**U<)LW3&jvouA$;L1(@yM+Y8Q7@-xw${LJ z)*YYim?^Y@v$*y!1k?0(9t#$7$z{qAMgX{_nmB_EMgs+cA!JDf2orO-!= zn$ReISDX`EQ>LZ{D2;6{<6_$O{+hI`U~cXFt)|8O*hT~07D}3y0nLxws-hNs@y)4p zKC#p_W^~2{3rC?2fiijzutHgS>pY zDJVUdd{OP)3fwDJKKMk>1jd_5Pt{oAvI5jjo;7du;ZD zdpbT7TB%?eo2QvxPmA>`)+@WB^_G>NDu~^Wk#Smn0>)hUqL#?jP%zJbmw$@Y{gep+ zogtkf(}62$FQoN?eG>1cWTG!(Htavr4N=|7DH;#XYyjR79_-J!nx=xATS*<}MZ%G-dQGKAvJEp`1<0 zL7#YT)9w#$vaUuy_zK=PyZ)-^=lTQ`YwvWz(qW;8Ah?+GE9gGH_U)PmZ2Ev`Y-&jQGhCY~JS;xE!??mVb4YZ*Uw2ZW1<3V+7j^9JJNW2M!1) zju$>Hy&$;`o~*LI)xK{#7)yUvou&Sg6r}H;WA@8HAS{JN2Pk7+%bQge{m4a>ez(F{ z`s;a=n2D^Q>6A!ZA$^XJ0!?5%HmXGPd7Z=$M%|dJ*6ZQMW|H8Ax`JTt4kVjk5`+J7 zyPfBD{A5CW9=GdmsnXQ$ zu=W%=He2PkYgR0q7RtM>at5D&X%r=B)O`M0n$GbcHiapwiGGnRr<);2%D3sel zZ@-jjn!I-QPD5Jk8XnjmKGZVoke*un*v9QN``fB-Jp5fF1tPNxUli}N+B z40Cd_!Du}nImKo1=tAlBtiVa+$iny&jYqo1-bWBcmHD13PX=YI*Q`Jto}w$4qmz{_ zvr#-lN)(-5(cbqo>m?jZZ2qcK-H}&yYAwUl&gYwU7?KlyI6#cc5Iw2lgGGC=Uc=%XW+gk6pR`VfD`f_8 z?&Cct&Q87UTVM7gCf)jl_e!;()!De9+j#H$0Ho=ibWR$gC9xsNcVAkL&#G-!ko5DV z?7pY5&o>l8>5^EYrkkJej?(rZx_vRorBca%2#VRBB;R9vaUgJhlBt$j-pGniEyalA zN}OaCoBLsW^x3PBnr&T^^4L9&VI9txFMgk{jYhnLV9YFweQk6l zn74&Qf|h+;oAm1)o-aO_1T4F};OWm187IwaE3MYQJawBF!1?Jt@FK75=V@AA3aGTa zPtPxRLjmzD%IxvhP4J8p-c3UJ8vRrpDB@s&Z1Ik{@Mcg}7qrgs<}!a6WE;^<5W@IL z&NPT#$m?`(`|P3DaV6knD{E(tR$0N|MSj-s5dc5yCupOYfM@`sPWj4AUplhQFCFIt zM$YXXiI5zU-EkpDTxGjz`-Mtxu;T&4ZQV23ZT3jv@&=M z#Eh1&CCsaw?jn%zC_}2d_8w!Yqd?6rdp_?Thmofo&0fMvB)JR7Or7d}9-!;~yQ$yM zFN8z)`e0747+9jIgg8j?-P2)MvU98z+neuKXVBg#T5YZ$qV521yPPhN|N0k!&4-yv zj`@QHgcR8WL{%Sx-Xk18FnR&|;2bXsg;Yk-g|(Wc(fb>?eGeW&y;YRLq_0KK%~_YX ztV4d=va`Tf)&M~3AVPvEE`5qvy~x|t(PtuhQmH!YznNFpvcmEP;rOHKt&3wa4HVF} zsT0n9gqAW?mVB2CuT$i-BXx~pXrr$%px^8@&ZDhCe7cmc=u)Q;1{yh$9&-ZlYCX|3 zKdY2*r^0Q*bgTP4lKTw2qq-OClSiMxGNlOyr^8m!?kaakrG$~}2i8B4)+%bq3vxeM z=Z+?hLV@ zznK7*@}3@6?hTjX&0>IlklrR*T`oiyX}I)8CyE_gDoo`!Xnq)FKgMJ-YmS7Or>f_R9z&VwnazTWM zJ>PAWkpWp?o48`UlZ^%#jX4rU7FYR=;`LWw=XU_IF{}4sEW&L#vZ8qAN`44&HT1{o zA+DX#j+rw(25bpNylPDg3Cr*qdU4FU$q>Wu^vrNTrR-B|hsbotqUoIznpVQGCg(&Vc2_Io3{7F{wDn+byt&oAH_-^6wF}k^)kgg z+!lStc^89lk-qgc&eA68K%X{$%`xnq0#n>&k%BKT<7e3!H{so35<9cu2_wwh|t!H0gq|HO_ z)BQ#|MYAHm%?jju1SrXmsQW{I-}r$0Ztav zDKtSu19c?N9AangTr3hP-q@#+At2(tNKE}aice>*=n=dx#xNNyWwz1-7gleP%}ZRo-_d+7-CX<5peJBMi#@OAVcr&3))T`!*NX|P zj96N(tL*NxW5cx-dhY3t4MV*>!}i;roD}$8b`*}T(+0}k9O0W(r`=wL zsrZSqB$<@B0CH^m7X+ByN{Cio|i6+6>1Eb-;I~-)%GC<_0R440L@Fm zy&=ha=dh;y?0Ud>gCywQW_)iJ^zk`bufjx5{B$AkU=I+~9mTgRIs_*i`gfdX?)Xtz z#R$WH)P69d{VLlF_pJdL|{}%-fx&BWK4G*c}^e? zX<3RCJ3IM=4K8U^(2`mVV=6KeA6%T&$E5Gs^T+ON9P(PdH$nTe&&<=k0!x!v3^3tL z0z%l_8s03vP}ver{njke**XFf}i0Li=N3kS^! zU&-*J+`FJY9&aK(l)e9=Fu->%6xA@7TYdS{liP^n08nIO*1CNB3V;q102cO#fQ5Zk z{ZE6(*ev&DOXK@Ip#ORV0oF^ed#Bm;iJjWnRZrcXTF4*Djeb5DHmPS`=NwNG@*y%I zI@QB5vkA*3hsP^6j>bqITO}CtFRP^q$Q;)|Z!5Tm`5RkObV%N3rAu~3z)*M8;xpY* z#JN!lnX}v!m?yCH8#e`!>o4x<&f{=XQg2%*M`i`Gg)S6ELT}Q0bdAnn(KsP6t4u8k z^jAhDxy4uGGkua%;W%DMLhT6+ID(<5W*`P1hE9k?BbfSf(ba(QmtVTMi9GNkmK6@T z-Il)qZa2}<7a)B^=}z8|k`V1RhFQ7iTg>w=I^;v}k2KMFDV}(O6)g)<-ZBoc|Z5;IW|ALc>O9B*01@YIn!^T6KWk>ig-q3 zIs*)##f96`JnEkv@;Ux!^#(ve@dTRN$bR0TVn4x?5Rqnv6EPk#B#k3bq6)7p@b1cz zt`g?}W03G!cVG_i4NaJZ+!5hmG?UX)q{l#Bgt<7}=2~X8iG^U&OB0nPWlFj`b}t0; zdObH45q6DSdS#O5`m#fmjFA)sC>%SILmt!V$?3@q4V7jzh{`eQB)kYh3emG8(#%uE z+Lt{kK!JsOMDZ)nTT+PcG3qeM6T}ftyYB;IDDE)3@lR53E1VVqCBO7}&CgGSKCwyf zWEV=j%O|+(21!64f<2vQp*{H@o)oT*(x=OFC;|W2`GIZ{(8LYy-j)C%8(+Xwqc_Mj zi89}Udex(8b_Zaph(VCnhpMy?+#}Dzf^)9n>FG#A`m!QO#)EkR&Q}pJm5AseEzk9G(+^s zs2S(;48nV_y21l+g9-U>Kk){Rsn^J0PSR;&ZA5+}Um~~n>Sqm3sak*@`DoggC_c<^ zngFlTE}fetrCi5-?@8(5$d(e1{xn~AVk8A2 zg~k+XSLi3*qbck|wTt7aLqy$>s(!~X9Z9~D>#gi}H?8=0!ftUkmXr+yhon@D(9%|z zT6maF^i}@|&s1ePc6nU+ z>Hp%k9a}gz^!_6!CVf-dqhx`*q?HwB*fmne2qx0+2yOLFwpDtv#HN9XxA_$tZwAuD z?tz!|SJ{3}m&Vc}t#0}uWEYn(9Cb1IiE=2EQHkw4!Lg@`l3Z)!yq~>dJ1cl&J~Id_ za!<4XNAN`stOJnySg%)88&h3x%ND@>p`Fw2Qfx0Et8mPLxwD!pP;Dg zHeyq-^YMcwl8W)4OuV~23@;|(1!7uB-(DMq8h#E1tZAFk(N&hKuWx^Id^rH5zYwN& zwvq-V>;DGkdem3war$O*`Wpt{c&!+a+rgm78n4`5K9=hvo?x>e2IPScQsNs*U9$hP zhJ6tWaESpXZ@0ytus?U_8Q~w!@>45u^Q4~0H|zMlNw1KIwSOC8TAZ-kIy!c~*H>So zmt;{1UM8tde7si>mgs)AD5)fZ>#?71J{07pTWx?~({cXT8-n4D8dF`)l>`P!^I(MH zL2ifr^(kg>SM{1KU0Q_7?HF`Ew|6O6A5EsueU^C3|NMy_QI68s6l0B>Gs%Pku3MFb zkrSq>@T_QS72|0Yo1#yZ39hfa0X9GE z{5FI4j(jzB(haPA`|jL(W5Tvy1!StjxQv?(5n zTTN89`ssYA1i&VnEC0aJ4WD}jQVHEZoJ?nIV0G0c!kC7ry{--49h5rNJ?NI8+d^!0 z3ODH97BA8Xi$B-}e!K1Vccs{HKYqH~QvjSB9UFUDxMbvID(;2UobHzS-9@+IlxX1W zWphYm?}1W6ldeAdVu{Zs8ZNa(iEq(8p&i>PRnp-%{kF#D9DZG&{zs%3uBd>=J>U3T z&BiJlx2hnnJZ3!!07oJO%sfAt(4vo&GcA%LKPmb6MOCtGrQRs|2lsUWYC-$9)(qi7KI}Gihgf3OZJEhy zawMa<(E>V>b$@D-B}3N9eYCALOtvhPuT?k3#8tip|4%$eDW-ZQ0{}g9Wj1k z4z3F;$^u^**EmS;l#@j~FDkgSUK{b5LZW*S@?3!{NW7xBM!AqGH`Ug>U(czpT&#OB zGXVuSJT-ls+w)uv5$xDMM|I3*5>=Bc^8J}8aqq&(i&EKRv9e^_)sIY=K!9}|ROP3r zi>ZM(xN(1}oCd+!isb9QVLb6HwYB6;U|#}LV?#`|TM@o5O7V3mdcE>4YkQJ39LIYi zuhNvi5Iu^IJ68sMI+!r?h@kKywxRU`I5Y>BDiStz-WG)|Y0Rn-6Xsv2CMuum5H@hv zek*pEl_v&seDOe!2wu?csx8eQf7zbi1Rv}+(M!2Zp)3nk%*Oma$zkTjKCJG)?otqW z;rB&9269vei7SvoI#Zo2o)q$X(tX_=b!?8@X{G;(gddD0(e@O6Qdp|(sws{3G`@Zy4Q?x!*cjV$Ev=h^D#bE_k>(NhEDhOb80wUTWhd8C|rkQTt{Atzsci>PY z^P3sc$jrXmYx9_Ic271yz)tK|)V+v^pS^C%e>QuTtBw;zq=|~c&au@!$zcX<_O3KI ztrY+>L*kcqRUb_>svN$zdlB}$p*~5YWo$YK#{0C35hQEG`)219vA)Yj*?e(SKE(Va zx-!JzUp6ZWe-}9rmMzY~_He&vu@-$H*nK$;g^OJy!3A@z@s_?^Y#}gK{4VvB-RpVa z942Zp{I5bm@uyHUVE@PQ$8-r09l7hhMF_$&b6RL5)Fv?Opfgl`uTZd?U^P}c%9J2| z)iSvwM7o)EIx9Cu-8G81OToBXA*QVQ$?W4bF^K6F$3f(hcDGz1rG-J4rcXDrgKp%k zYfYY)7De10)}5gF8(&GY#*^n$;}ET5VG&T>W6c^bx(~XKO^M0fC>DKKm5@=n=}!<@fb2%jI=V%Z04^1fq-gA&F<0V_YL8Iq)|7 z!1EH-}d>~)HAo{#F3kFOm+()fs>6op${nkB!(MBZ@))V+%o2Q8@q%7eR z6glB@{sZ>9*rLZ0?uY4~$!ogT6*2wsr1n3t>VW3$nbuH~~K zpJ4XNU{a^MQ(Y+T32KCtTK~}Ct)tXomrREa%DfmVR*3FXib{+OsFQTSGRFubSLTeZ z79GTWdWe}Kh9%<+3Zs>E0EVaTfPL)*4%S^ZUI0uO=2NkeiL=lmhzyDtUGZ*M*9&D< zJX;L`OCR>1?T?&QXv;KCP6)aDYd6Z#E6NJgzB{Cg`ScNo5!vWAx}Rm&KI<*5#@otpQ_V2i|@ zen>qi`wih4Eia0pqr68`MNs}4?HH0L-VA1>I&ht zehbWh>f;Dg8+MKjDbTSt*~eR3D3jAUymrC*c2;q<=R%u+j_fMlWebeC{h$Zhy3KVA zWX>~&yH#IkZ$=0|#d5CZA^gG%KV3v;I4BsZHEmArGAM(rvD;i%c6KFcqz2BlaEPz6 zN6#eEmwq$SZ648A*dhPwNx1^9OF~s@^ctUjz{x-p#t_(ULJPlpCHL99Owoj`5 z!#wx~s-iJ%E5gSq1s7b@k2|E6jPMbTUW=^+6*i zX|H@aMjf?58cEJR)n1m+D9X8V7S6-{GgB5)AX~3(7KZB4@l^?g7#g$9EClF zYPv(@()OJeqLKd4M9G1kXH}Mt00$Mv+y55(B9Z)?lP-knN0oA6;R@6Mhm7Ekh&28; zs1_Cc>%mwrMYHG|gttaRb&a9)F1&g@Tw)Yic#)APBgI{6fHq&=1u}nZ6GEcG&uV9x z-XPBIS|Uy)$|7o02 z{e;?>oqk#B+0(*5y~6%maMDGV(K>eU$vLs;cTO@5F6~p2M{jMjbQ~sA-4Nj z#zcPGU3T`8Y|mf5Qai!1DZy%^wr}PK*PZ52w6FofySpKs|E!dF#vi}No9h_S>AvgP zp-9K8AwCy)$yJ6>aakh=ke=bP0p$Gbklk?@NaEkf3MA;;Ei^tznaay>&48>$x?ud- z$3{%Rw(ymJzM&E-`YKMrZF;YEJl9ZHZf{Ku!kX@^rOU!SA_81IEMEaT$GW%m)v!Pd zJs@1^M}x>=H+OD(pQ>&~-Xkm8q!D(==nQTr|1LLytRLniXlBLoG=0t~vywew;9QK_ z;3W6%%Hy5av5k7`%L1MzRdZSDxx16NT9J?;?Gi`vVK7F+vj6NESUgB)YbZkJ=i>mK zuHrWeUOe1-rLt3xM(QWwSkFZ0z|-$Ec(J^a75Y*&S6@a~E^ZbOX}|}Vsygm_+u?ba z1_Gf$(Stg5}}*h-K4{T5Hb>d~Sw3 z16SCpH?=ap9anqV^ug+2zcQO$WfwVhe^oQV@4xkm1Y;h2)tA3pF+#qD3Es)~on7s` zK`~|Q>unk;PkW-)Wd8ZBpbz@gi%cxKd+} zB4X#ijsvqV8?TX>R!EN^#U)#bU5(e;E_4`PdWeTH)=-1J^aTMIB_lHeVi~n#Dr=+C zLj>^?`=SL66)UG~7=aAXqjph0F@Sy$?5>?8pvIzxezH2~FA%1ytdBP?MSeDN3EqGl zj~276>T_W2@IHrf$wrpIltrkhxvNUTrG*Eao)EX-diE0C8_%g48 z%mtsf2MOBEist?`8SyJQ>u&*A{w^V)JclsXRC~Dl3}8Nt~0BFw?Qx zL_)flpinG6G&|NjDI+E|cYu-8=2-jdMG~lnaCYBuiUQ$@3Vcx|!F~9%vB#T<5EY>t z-d^>cmv7TeQ6Fq{F_mcst@{;MH#mh4Xkf+E`m2O4LNdIP)0)c3%9QMO z8@j2PVt}F=c2BTOz}MDmLfywpP{XL(1DeHa;f&`BskNE5mk@tyC-&nnujwygvaKMj z%`8SL@x@?Dg78k=FP-1d_)SmH6D z5RfQS*~>)|-|$4-c~UeBw8|%dtc2S|D}S}m={i!z zBoC-S%qYdx8A!Tf-mfisWM;D`r|}R(8hc2*N^G;I5Z@{QAq}jQF13DfLmUm|591uePNeLKT3S*ZBOHu96*CQ1ilP%;Ef z+WZ9Fk;`74(Q&`WE&k}bzjxcO2iYd#u$Ow4o8uo)dL0xk>q?fVd*6TXd_w)>exQ=g zdIxfIOHz*kDAb5+N?2zOd7XwFJ&P9M@3D73%oF(K^Ik+?gho(CUn5Eyf0jEZCX5;iE2`0TV=(1ZGgiZ3Vy8H_~abV6|C+b2}nvG5B+Z(1k z{Tg)s$J+dP`1z&{_}aC&)uGJHF}IV}i~C>qe>W$;uOJaDaUi5Gg6+vt00`&XO`muy zquaB04;LTshpJ0*LsKdHjU_qv--oGWy5oclz$(N2O%!OtZ8{s;!E)v3!(?5&!^O;O zWpn+>P$TJ1+4s2m+j(PW@(D*NPX+)B7J@SxnQIo!@54tcpwD zzK%8ujPd;2#`yao+alI$@o-6z@^pm&S}TDxbg}d5f}dn{RQ&s;<)6sFXWknt_-dFQ z$8T&Aa+|`7#Z7Hdab$8UR6J7n$yk{`TURp4l#2LaV-ly6ibgTo$^yGb^`N>_7F(o* znY)`W5?!gVxk99=aZr8AF5QsuaoY?SM~H^7FYzhUDB4<#_hdp0z#ZnVyErJK)MZDj z9z(Dsc;Zeg63Vx+sDx9L3sYH)YxuR_gr_4p%ZwbVI&NTQ*^Csco8~C5!%$sB`K5I? zCIVv?hc~Ym>YZ}5I%MB1N9X9zL1W=wdtb$B)msC6{~NmC#=PQ6QiQB^bO`ArMFA&> zt7RvS@Y~vdTwH&9$g08NdRE2kOHk=(vC_bqsbB-3fzn5dul}*X+{#ee7J#2*~`LNwLu7ZS`6S<@OFjM8w!<26xqJfkN8Z z-Xbt-YF}+sV#@}>(azV*S+lSrAn1zcCDhsI^(2L54IqT1AI*5cA8IJ&>kPr=4v_L# zku8UBk0fk$U;_llA+c9=BE;7wtdthS+D+gG^TckG?fgfve@x-;$SR9>NBZACY*lYibZ;R5{@!u9q?=_Ay2`DD)){D*> zJ|1Y{0&n;d)`^N2PrcgWqmg#|(NsBTx_rWCmndQsDPg+l2xG((5@c^+%O){cO?tGW zP|N46=#iLts7!-U0nk$Wcy$hO9Na5MBN@~;C^~4s>5jvF>K-d(1gA$T4~B1PW_N0R zujWcx#JHbzzm5Z@eSf=cF8f{&8sR+kSBNs4c4 zYi#sGgbEv{OEq|jrd=mOHXx|*&|YI}nmdi3E3Yl&&tvc{ErI{`&iF75=_{N!Mmz2N z0O+~Z-fs2xWA*o{cS!3GUFu#jybK`(&!3n?|7{6@3!fY-g2}H?S)LZd010F&0*17H z8uVSoSvKcI%WR4vTu((BP8^@Zk+DUMNO+W7CN2Xx?DXa6y-*pL*9b$+@qk%jvsESc z0VkdKisr>zjgZVB_bynps6`9J+Oqf*ajbIty@s54dW}PbR^`LEK>o;41Lr9c97jHW zvOpETZrzKSl%UGhoK$a0(oC_uV-|K9r^62lwbh-IxKUI@T_$v%T`x--)^!d@bDN(5 z+e$2%m4G4#J;3Rkd<|@Ko0MA749AajNnaaANSXE6eg0pX!tb*sYluaUDGg`>mfzch zQD0FjA_rUIdVg7@{~N@#BU*UAA4beH`Xbdfv3Az6-+a+n#KgVtH)Zp?y=TX~V*l=} zNZp=7)-MQu(hmS%XIC*`bzYPkS(6te+`W0Bt71-4Nhq=SJWxt_fFUZJb0^W!itBtd z6OObpLWSp3LKNORwjdq|>aM6)OZrN)uKc7mD9k4 zi_(SSGWAHd>wEosbx^l~sd83hE=T%-eilxT z^FY5+BJRX?wg=D&Y>@K`X5N_TVE~)iLb-bv;|=dOmKeGshG&m0K4pk4I>gltWS{m8 zLBbfQ2SbY*Z=B_?ulDI!cip#UDYKfw?=nJJ?Z2nMO*d5lrBU|O8rE7Rs1m;U%U$w6 zzUlwE2ZlkIT?BqHA*gnBiuxxwrJ|2wj~BQZM&%$Ru$#1I(7M|SwH76O#oYxl_-M`* zHZwN${Q4?f?TPzNNNoa}c;h2B<7p0Z@r{Jc zhJs*|QX+Eyim<8}bu+TEV5{iL2M+5*8>-;xSKlN0^}JEUfz%N(tFJ1#jq%ng4=_#D z-H5OalZ}P5zvOsO5@G9i<&>il41F3lXE;uM`RG$s-LqKZfWh^8QOr{y+T7reCF9?p z?SFln|LGO~ZsK)-j}?;y%8MwEsKz4K2Ew>rm62^E;uXc*Kr)AS(i)I?Y%Hp6u&Bx( z%2sBx-=RKR1X!TLY&dd-(zv@4jrc#y8KbnprIRXP2}Re#8lJ%qMmDPHj>O72rwIOX z{?hF}G;+(OSl;7@-qK^t_c`pb(zuE5*Bzs;f6mkaeeX}RDxtlGmnZ7~g_4@bUzKi! zHSvMh@~3FAF3naPZX!a;d%Hd?GHYqw2*t0=(`{i`Waw_`qEtuqTJP|+ z5!?&aRjkW-ee55w_=wC+!Nm#QWOWIR@s%f-CLb-B96 zsN%sAE4KT^{F%Od<*kt`7$=N*un`Kcty)Z6;bY(~6J5oq#) zFqA)Lm|}$B0sv%+&8%mgCUl=DsJjot{l~ktzl`eES^%AlJiY{K1)xk|Yo7?ZCDHx5r%3g8So-$Tt^BN{+rbSgg@!65}Db zT3?m6O>Uh`b=D68lGM{J(hcpQq;oat#C>7TW59hN|lmySgfy z!rY9jahmxQy;wHB3-PmldD_A+zF#*^sI5H=CB8Na7BlCSPMJySJ3ug14}=$Y>A~~y ze^zxfX`rKI})IGDc|L5!!#^pW;y3_*jn}g45^- zU2Z3D8@VR#jk4yiZd~RC-MOb6*;^*yu|wmtELXvOpzwa_x`O`dr-G|Gy-uvBY14BsshQ)kc)( zRBcfN7|`C8$IcAL{X%Nyrb%?8%Ra)cwvg;Z#b>XRXdfQ0;5s_C*>1Ef-Nm4r3}6OQ zTu+E0GFK^#TcW!vHzvN}&XR6-p#}laDkdEC71sB$dW%I9iODn;1S^)loza6}?LYI2 zD6|-XJXOKsqR5p#IIM($m&N7`AgfB%k#^)Z+N1|nu+nbChoLmDoYY|VAoOz9U0*Ss z0iaR5-KmL>aDYv6x)$bw>p z;N5w91D~oBC>)(Nf;{yqjXC;cr`n8P<#Ym0Iw^ffDGsU`1&9^AH}3T7EQ^Ug=>$p} zL~#j-Rl=3n?mE(vDheiV6}aKOv7f6!YXL+b8{&O@9AniUs&-KnSUH&|ncbHop7*lE z4XOKeWAr@4uQb*}sYtH|@t|6C<>f$Ez$>*1kiN*H$_jR;KEf88B;B<27oL#8VvR^J zMFSB!Or;oIjqK79%hiAL2u!V5i(nWJRQEU%Vqxi&RzzvP>%JS3+iq7#4>GdBH0d7r zFOc(pSb@L5lOOT=^(!PP4@x7x8s;C9U*P;?ZThen>RgQGsegpSeSm1M)B=~0ibLW~ za#DYg>B12Ug_045(I2ioSJ&0)Bt&t@n5~4i=8Jbu03O)NihK*MRL8lh@C~jgwNHea zG^=FF*0~AlsLJ9uWJTSf?xGTk z@3T(4Id-P{H7@%bv@3!PRsvD7Oq^%rv!8DUcz~hy>)QUE)cz0H!`WYUjlfU2`!E+84q_`KGq@Y3vR6WMwoch$ zPm;;esO>}Ugj6o)_hBSdE!Q#l@D|KMd(o%BX-9Do@kknr7KR)XxWC6Ft+g5MkAKjq z{9e0JK*k%|l(fc}$kRn~zfYkUUDZXQsSjMQ?*IV0_#SBBG7-09K(U9TH?jP&M;>vh zbbZow1z4r$cn(oysr*o^_t6t8*A>Cuwily1E+Nm3R@r#PS8`$&IB8uCIt!KJGhNta zju;};@XTKsSokaklx_o_98zCJ0~!pk>=@9E#QDgZel0x%bikqdkbgx&Ot6lGVk*qZN;*1;s?5HlW;*xY6%U)vE7OSh+`im$Ib$^3F|TeLeE> z`dWBpy+#!io%l_U!A}WVG)D>GbAi^=XMGGZr_V~{+$T7Aj~C6AMAmfhR?HuILC|`n z+|YbopRT(y0U1CiS6Y?JeQ=LOV=M>j5jKwUEiK~CrBTtwiLUs_$$%sZHq6KTS2G}Q zGdGoEdSU1kCW3=yx%GQ7bee`yE1~7cF%G~)D8ucOQhZcQ`|e4e%oVY|eg`HR58ZIG zd^0k5WJCU=6G*`^3Tq$r#CizYmU?jvkZf5mu}_}M;(x1HL_Ayv_X^JpN!%yg+=$(V-yET1-w z0|{gFgiM<$8#i-y7cn&^n*o4b+Ya?SGz&H!8Q3Cfa9G(x@Bxmvomfz|ir0xqr{|ob%@V@865_!i6r^QrNTi zXV!sgqgA!m6<3A1{ z#ONr9C1Tm&HkIVuOk}t#N~1UE4EaDzg5PdLNFm7!8Em562 zrs3LxXH%{YuVzxQsX>y22KE3VjVQY@2h(Z$TMm|SrW78Fnk?x3H#bX=m}%rrDgngJ znYzVbtP|wT*TJ>IAYJJbkA^E8D#Mg4fbBrtxKz=sU!z}Ugra||ik0L~E-A7xQ+Jt9 z&2aUbxAc5WXfMDrFI&q4aVQGX1!lcw;T)wH%j_5QOBgL41jjBiEd<>U(U?FRK0mtn z(8InmycZ_0MK?fs*ff~~e`kw9iS{pFUQ&3k5P|0W0}k4_*n|$_mY|&UE7oR%FMVh- zGT&-8yh1ienzt2cdDy1nPe?+Q@}iLm<8F+~C+ zAFh4fPBwZ5+p|1#A)H%gmb0)^{2$F3zDGmJF_G3L$xaJ>qc0B4qGoee;#L);N~bF{ zy?ZH>W(7WQ9fx!QsRZM zMYiL)So~CWwO?!vm=46F5Q+Sklteo}SkaY0{Uprc4j7c)9{7MQL_WI~Ff3v7p-f0ndtht@QSQh5m9kqB%iE85UzPe;9|5e z(-Xtz(6+?c!vb}1%FZYa!8X1ikNM|9vCuYMq*>FY+0BXAl=cM7ZjC-<#f=%O{EjV1nzktRCD#0xe2+~QCpnJJ%2e(#LXWo6^Gw;S7xMByo3 z)5Bx8dB7<5+cV>>RFNHyAJoXU2UK*@?n{sK-SQw#C7k9~h4&W+h-+d#*&GvsObP*VPn)|DSz_cnUU0(Jy`NTGWhQ5(4C{KrO*?`>30w$b-r z+UU`}jR3_)J|3Z{AR+|Rhs?Jn&gVBqHIAM`hhbN^o-V7st13-H_FGJ-I8JIyIYa3J zN4d>zx%$|l7rpIDuP(|SIyJe`;~%A}KsqdnDpgqPvo7B!Jkv${W35OCmrdw3o`-O<+yTwNc*rDi*wb5Uw9^$T(x{e{ z`4nAL7n2^x>sTXUbNX>LD%86xqHHbc$$aVpiJQ{ZF8{Els3a{()FIt0*kQ6a=XMQ0 zTyZyp`lDnK$a)*2<*T^&3PuaM_wifck$p)97~~gjxFFU2lbbVn?=RZTBCva3`kx%- z|NXmYpL>6y`lE~Xik;}W5KbbCT?{#DNrr4Qu=Z$4IJMoA9uoi%o_9>N`3Gz=(jeD} z`~xI1-J~X6Zvr)x&!Jqw4#e3)DCH?db_eOp&unE_YFWSs3-%t8dXgrDY$k5cxeY-C zLtnVRUgt26fSYVToy888$SLl~PUle+q5zIY;{&^xB6_4Y*RvA9WA7ddh;+O$XCEdn z&4-{$dZ@=^(_K*NPdG63kXzf&CX`X!U_-{8l_~whTpCoj*tnYA+A!?4PRxeWVzS`Y zVWR}&|8hJbNm{VJ2XHROX;R|E$YsnVXkI_29Uy(1*FIpiFTqn>EQo*~-fe1Jkfi^H&ZVeroL4b>pg5tA* z&s@~^-a*6zg#O9W-sZu;Ym>j9f9xyxKRhb`%a25#ViOaAYSCRjy40YPhY`}N#sky3 zWne8GfXf(0#vLF>7{!}5lF#4r9Yt$gN|70!>_e z_wG#OTeq)E5_vtHtAJOi;`ELAK@&(5@2G|vdc!@XU7@)r6ky+z-h7$Utp8+JVzdFM zbKXCbu`E1XN~f+=hvcXPUHqT%H*&xV|GT(S4-vJ0csPxJW9ouP@geJYP>iEbk}fO1!p)4S zL_D?M_Ki^a5e+f~Tfisn;|4`wDjt+6LPo?ck7zvPCGUQ*Fegj6N~Nsk zWA1W`&uk&Rbjc{$*nE@5-@Ld`5acfugqwUV4HSI-F*1Osh*|^Yc+HzA)O%m+dG7?= zd(o=SG53GzMXvW=1b)P6+{VQ%beOutjtt0-{&DHUFOkPUN==O5x2qWLAu49ciL2dt z6ZBFhamQe2Fp8~EE@V;~Zf;0)ryvr#Vx9}f4&_HgbxAx8K1K@_$}!U|+u?_*K%QROF&OJ^YhZctGuyD}wGkH+-o}hHXM=w>xGMCsm~+ zvy^;W?B*?4Pk3b6ycF(ugdBkxzvpu3!1rgD+s{>Y+leXq)6i96x6sppvrP{Y1489IyiBUKDKRrqX zmr=#HGXh96c#BL4T^@t5JKj#}ZElKwfYERz*<@JJWr6ZX$PBrwy3DabuYn9q31rC+ zu!ed$Y^qK&!Y~p+u^dL!2SARlr3Jbw-SZhWF(r ziuo$((pUJL0zztS3~BMwE*cS0ORrP=*xLwsT$Ca%KaR;hL1Oa=PcLak_H|RH81)zz zC66Lmp;gg)OcV@hv*TjwFuVQ_f(%t}IYPyz+%mD$Ogx$I@an%)PPF=k<@jBGlW0vF zAkqEJrxN@ro;~6cU6uB={IsNenp%+vIXX0h|9ZAYKY8PPEBjfzg;hu|jyW+3`bv7G zgcYnao1(Q*5LszKJsz^urGz)pnswWjM2`J+n>s*Y)9~5VYx>??k`qmU56NS%xEcG) z|D9kep~a6CcCTtYY{NYT*mCCpw5=5&3Rnto4o*8y8~R_&+LeqIRxg-a6qNey1E|5{ zi@PW7fYd>O!{*>AK-r)nCwOYN5obC}s1Sgz#`uX#%I)m0Rk+ZRtcm{9OsCyRXVe6A z?oHn-wYWET(|>@57W{;Ql7gB5M8|-%my#FvXYGjfbW3qjqAz8JB12YGI9IwbWrDOr z`j@qGX&4+P-oq_>Q%S*`D=81TXGdMG5hF7EdEgiYT{iPo8S=5)t+n@1ez8!y>GCU9 zs4F6kLHnD>xcVY_!~xkOb0eZE+=5_%I(O^m7rfxdzPYqPxwF4kzd@l&_$@PV@A}#>Zwi)0a z-x{DNwy51s@w&_nrGbca{*;lV6mZM|c-ZVCzkjf9?HK>?4kYy468_HRg|9#OrN;}q zc%NsrYW?d(SdVUrd6I7Z!@%A|n97e@v)rafwU12a)T~MC+#*?1*@ZhGYCr}u4#UrO zo6g{pAE(hLb?z{LHre+?CY_I7nr^CnqnsEffA_S1_?R?E)AzH)xcF4Nw3ZOXL@=&7 z@%rcJB$sYmw{1%v3Q5a=ohDT&eO18_9X-g@N?+Q%{S&tjbOKcogeAL3hh@%V-o;|`9h20_lA9d&BFwdVvx+B@Q{l}ziZx0a9y&snGNn1$= zGd`wph@2WG=y-!35$2!qgdP;F{J2e5WCOvKEg}FiqaOdP2H)6n1C&C1e(RT963K9E zY@L`Ep1y0FQnl-1XH4etF9}fNZbE zqIRLZZPk!159OKdR^nU!ZVx9XQ>{*;1lrl}!)co|{CjNqwT^l^mFv=R9XC9;?g?BL zer(m^T=^Pv;kyGMqUaA?Su-@vA!W}LCMwpU`od1NO(39RT|&p0QV>KBevKY=cRle! z`FdvORe2)!=ZaqX2345$r~66Er{QDWf6~kUG?=^P#|91?7=H9zo*mercBh6cEr)-L zO;%b=xp4ozy*jXIbVI!9w(}lQ9KOy65GF6TO(xlq)k8EsxEKHySXE%36Ph ztK5vxr^zLj*3P*4Y82&F_VyACWJJJdU^f zP7z7jQo~_)LtIs(c@{D^r|{}>2>fnjHpRKRu(UO-_FEmfWZ1>&1NU>kcKWC5iMxxi z$IcC(E$s{mK=9jjvIL$`ct~XZc&^%%rnX(jA0nYqAc}h>4TjaG<|0h3OHn+FbF(RK zGI4gebDU;vE(zqfe=IAE9P)K+E_@pk&8HTDNBZy23!i^|q_t?VZAWSR8Sir?@&v-Y zEU&GEAp|It?gI+BCD!wG9Z`F0L)7<-m@f3Nc0aswJq?jB=)Z|TeV6Y^fI%+S9eDYI zOXx6WiG|KK3!m?uz#m0~uw5dt1Z5rHd-`$1Y-)#{-^a2{$^NxQu?*wJ!a_&6G`cJk zkIacL)PuRrA?KsXTRV#O@!yhwX@cht9Xpu?Eor2(Cpl7uW8NXQ)5{EQ`7kh^ELt}a zAx=OV_<3YDV8d~1cne#^aRn`?_IaVVBKNrRF8&tcvto$QNmsG_bOGak>&ldiU!_aFb%*hSWgxSv|i zS=aBsd56*^ZKvA1ZjI?(R7BU+!e~iBw@#N1m#@}O9aO1Iu&MjtYZvU+5^XCmnjik9 zoY7*uqA{HPPHTCu@s%a|($@09Oqayvbnn1aIolUuI(OILH4hag&|uP4jOXcT)aknW z&@{|pb9%Hgrt+I|qeCR(O^Os7;90{Q&9B`y8TvSy8w#8Mx?N}`lca&#!2)Q9>4&D%WCsvahmFI#zMu?~ zfmx(pg{~<@+!1y2_0mIkoA<@B)w``pmJ^!CO4}NxyeZA?O;nd|iPZL&dYZh6KeT?n z0Vqe$X|!sr4S`cKBu&;^n}t7sE(Yx!K!;q&qTJ_yC^h#>N2~-mXO{&jJdyHdb?0m8``L zs*I%5TNt812Z36aR{};>M!;|!7(j&mlC|2_6=JruP3R`5W(GP&N4o-IjyE*U6ZE9b zJHOk1j=GU|^wIk_<#p-0PIH6J$KzPZ63o-{f7z2yK+{iOJ|T0(7Dm#|+~j`ytPY<@ zCs%mYMRzJ9k+!>3#x~qI+83AkJ4d;C2T!oycEt zd-Z9$#4t{9vEFgph_#?Zd@%TYD?NM<&_N4Cvigl>d*Lua>EKK_w!nMPo*TLxU1Vn0 zT6)^7EfKutF*Njxqs zc;3?`rBqJK;;Zu}r%AzOFNr`*isv(aLZ0c0=T?>`tla3FC&T5`-TnFbWhK~OquRF9 z%1!L!?f$BkYqI56@0Hauske9QPf-%$d=>l)Pp+IhOEjjAsDT?y zPUX+9X@uP>fSXwdOdJcbp#NmDP1aqE7CE{n3sElWhxr*2vqUzJ$_VSE*YO#Ye$~A1 zg|bbwgef|o!*;y!B58#8eV_QVR1zqN_$c3K;MO}9LLH>}bn^NV$)&fCn0cwTWhglV z?8gY|&3gtLM#W3>@OivJx_QQ9y0}vcpTfdJgE6vE_}@bL1;89}iWaMReY$S(UAP_W z;z{PapD>^&tp5CI$tM!oO_x~Q$Mh8@mOH6@M_b`Z{`?jyY>t-a(M01fcjVyf5nZ}I zo^gk7!5_=KaDj>{j~>+Kyb0#op@WnC<4vnC$i_H+GJ<|#CJ=!XBr?0JatMKxV;I{w z+w3lc;?Qd(0;#>#EoQ+W<=HOGJ5?cZBIO|k`qH54Sa_%$QRfWNmlP_ZU5@IqeYftr znKvkCNhGZClSFbo+bn-%c+|zCNMAWnLBMtP&3M6wF>22f6^qe~z;_SBfzOXzKp9v8 z{mbV^;}4?53he z?{3a?f=SuZti(L+{*#z2fy4yHx#e75mdyXKOkj#b#U6G3PApV6J37Z-S%}T${b8bN zn0l@{Kl!;@YH9Uu=cI$)y8ca@&l7xcS9|E&&J8Vt_ zAwz36rJJlekawD=T_Y;sk(pnMwO!D18C5Z!NVCO1Of$97N*LQvv!$ygP^J#&p&0M? zD`i+?PQDG&NWR3?l2+Pb2y>y2@vsh>{m^iap+$?)>m6?bAHA%oJs5zn$&;q*EBwT6(s9(?xYU*nH$uxg5-3%m( zbojwVx}_geSw^%zd#lZuY*0N?<*(gNk}y>5w>@@SVFQ5=G+i0VhQONaSS>0SPAA>k zlQx5yHoi?!m;Ktcwy?0e=D0E#{hf?$Q;7n(eryu$pR}v@Fk8yfjX1JnV+kGaGK&`Yz3J%v&vb@*}d8E(esFu0JIR zyZZ^x?b7SiDGARVoKweDW@EHm;w4N|49%ObN`oui`nbb(wN1x_@!VO8gNmFu!pC{7Pso-()=^ifmOEMc-wam6;Fpt_!giH6M`N~E$7eL{Fod~QpHo#RbG>s- z0S5bOm)EC7k2k|j7bicrV8-8)=$-Qmstjk-#Bcl$Ac0eO;WSs7iYb?-HO?-c77K2; zbCz8U?ahQE;XbaP?yG1&&yzII8>9kKvhk;;9_!xz;{-1EEMbp!Lro@p!NJ7spz!^T5Y*8{6_)8d))(ss-B z!<$i$0XECvr0^#x56`!yj`lad?axE0OD3ik7qop-NVXO|k$&9fe@4TE?hJi>4`w*_ z^27CmxH*evOg0a1>hlX{?QioXk?`9=_$4d#yuu3zv7oGVkP%uP|*WBGUcioHf;zIzO`cBGsiv+*8t*obQ#twZ_o8hzrrD-0JsK~~CPSF7g%%te0^8-)c zuVg;NVzh7#^0kWq%47DLyh9U3dV;&NmAgU`-tj~rT#Ui7e|afe2+pw>Yyl-CfK-MZ zXrlqLVb|v3-i4zKxu^o5a$i0Zd9NAtvE?h8b01r^B%wjRX5mMD+VuaVIIQ4y;=Uw;X<}hiLUS^(>v{SkLj5&+F+V+H!NpRzt9U%eM)<(tPB@ZwQ^1+JYY#(KGJ(@<%4-3xtHTc#rM^;eaQrFM!)bY8pL za9}EChS)@B80<%phJY7}iHt47Tdp_N{ed=rduKhNjU^!2`V2j0$wFKdJSqoHjyoo#9iS`{A&SgNK2IH)daC z>{D3q;fosXGv8rdz0pqtA#Zfu69{J(XvX{Ww-+Zg&Fh?>Z!0DPdp(C2%rB`1YdFTz zuW}33pwf$8DGu}m2UDUY^_#uI46Q|SwEZ`S^IdVV4mRg4CKyJ`RCfz>v!lD;q(GMC z1FfgqI^m}F8KUp_w~u1bFYGkpjA$94Nm%Zk%?6csxO!%@N zNi7o{FtU~td})d;FR@5rFeGH_t;^Wy8P>P}5ZN>nR+YW5X`CL@r?EB8{W~$a@FH>8 zF?>QRPqP!UJ_Oqv>~qG!$j*J5Ky3I!5!8RCrv`5LTW_8s`%Bd`6otOL6>xmH_U;#O zsybqpFs~enXuVtb5=I1iXu{Z;3iC3&)@4=Pnaa1Juu&I?E2=m@vV`0nhR)Bpo*jM| zUM${_lBg1{8e5&T^)(qeAM87u3HB_)&RF7ZANoZ@PXLzrwhpay0E8aHPRgrODwqzK zZ_F1SC^z%~ZA{C%2TBe5p6$!tho>f;zgPtKzF5=#O{P%P4J}Z6j=`Jg-ynYY#E$eeTq~{Y85~)aR$i^@cIe((NeR zPc%Siui%QS3lZfo(Nk!3TJUtzB;kRA9z1Ge_uR7> z{-*xXv75)Psw-b$w?ou*x33ks7*b*?(d~#|mEnAi_;^s~F{IjTy2Gv2qg221Q+9li z7+1b2CFL!z&fV&!%Bd;sO!*?Ih1G`@hqs5NMaWG~ewoB81KRGRslMxvKm!12@UX`-F@eG!^C(sLa4>oiHItJvJz5|{ zPr*r&DFqH%WV)f0+)ILHN+IS(5;=@X1dtz{Z=f(~Nw1Zj)z)m+_r@XTTIbz{McQHm zC#LhgGN${zc;>{{*y)q1AvAFPMUuo&!4Pd>*b1m@c6-+aq)*yKgcm1rCXDphzm z-Xn2he@l;;T+qrgJyF5iFoR#HD=^sgeo}8dkupsGwc_(kiZd4i1Tzf_;ixdPzYDb_ z3R%i4X`#w7(Unc^cuiS7L5~l*(mZ4RT0Lvdnh$Fhxe9tN>cuw{r*?8v0?a$-TCrlh zR8`;QAYy!_K#6Z%Rrwaa7{#&L0K#01Ui>f<1OBjDppslzUgMQ@jCk!Vk`q;ly;h1` zjxGewX1Y2Z%r$9INncjGG#$1DBF9m~mHyMp=_0{vI7&-EeW7q=^#^-3nrUyGe|dD1 zi)kSc)cuC<#;Q2IsEVXL(6;?S?QW9y+4r%c7vzW%uDV77XfLx9*!q=D6Bmr ztSaVHkr_?l`f$EP^;7i<8dtGJQTv&uSd6BFXJLpc3HF`ol^4|)PtTjYOZeDV{HM2S z?rKkTOIt88{xqxcsgf>+@oUJ&52oH(Z5%<1rDGytma}JCE=ElvAiNtbyVbk#i ze=_Xx#7{GDR`*Zg2gFJdi60{ho&VfdnXMOXP7^m~96}VJ!&Z&a2&2ICc@zUVA=rUi?Sk&_7 zhzX}()E@8%pXA)_4);B#pI;O8xiL6w=Q)|rPQOXh5h<Aynyl1!spzY>fbBbwptUFkX8UMHL^V{DGk$atW zr-G+-wmuf;`~u6Hhx+a_I?IkzKijuU{F7Zda*-99USS(7?QL?Ao;HG!c{T{8XboM3gfmBAWLX1*KO$t%`d2Th@u6Q^IK$cqIj} z<7DMQYir|kw>H_bUK&cPwniJ>#fv!4FaILlF@5&rl2WQOgL>vKyu6IY(3`GLk7eDn zraCyIqBy{OsWNC9uRIR$O2GQ?w;O*6mAovUDe?A`dWm?@1pMx%TXy(Rtv|9IF=Kbp ze+5jac^5q#M3^U=JlzGa_R5cYd!7KZC?0x|FaOqCwh(CP;(T4@yZ$`>a?ZYwE&p2L zeG>N9a?_!z`?(Zw^&2u5Ts7}JcX7BiRh$CQ>>7`J`CEHTL*Is%7(vWWcLYe6RQ?3k zPfgEoN8bbW)S=)tBmao8qYEu)kmWDd;v=BZG>BM6e4)pHw7nc87J5m&{&`TAQun1a zH8R5|e%aPgji!SvG9bu4VB%R$U=EEW21>2SC^nslLC?vDIjZY&w30}|Lm(~NVTUk% zRxA`15c!#ETxK&8R!N+2mLu-U^aAJAD-wVay^d6g1CK|v@&Drj@cvFEPQmeRX?1F2 zc#NMm(Vp-5*XwPYT?dy!ZA`rXHeu8CLV3Lc`2*+h#Fe{=O7!~;za4#m7 zE_!}!EM7Hr;2YU&kSYAIJHW-rCwEXK`ev2522SNxYc=}UR$+BaZC{rDZ_!}AB;g;@ zdP=gM@6&4NOMx+s_}!uw24P1%37+jvO)=6pJ_(RM`~$CNs9IEA9U$d?LJUEtD+QEo zcj;pMcC7(4|D`Gc8ou}pGqmZMGO60&5ae-i_9Q3dFk`O$XPQ(O+ol9ay|5bAFop@P zq0@irq0WcL`P08h@c9omenosAeU|VuAx7P(OY??}^WSRn`Z#f&sSer<&q=W(XRhFD zo$U`k>@?cWPPJBTM$Q}WbQ{`yNJ$6}yNo0|Ezc_4h-9Z_J8h^4$oWAC!gZaBxL$BM z{pE6V1bjcLK94(`I>35!B1Owz(q9t&~ump|9odA4hqJB z77sEYL#U9E^K(vjHEmq=cwrw$qCqa&G0+vcuiK=5cip~*;(XMTwZTeJJ*sFDsiw4n z!H>$sehZ$2xEnpoE*AT{?q;W?6V)Fl+*g;+`RwyM9jEC`=7Q$gLgp=MTm_$Q^^#pfZ|#YFC*1t*!|$))_w7U$6=!) zwpN*sGxAI$;1w`h2bP>Bo>!*>7Cm#8<)KKL$1DuMbnCHO^6tOQv0ETS-W{PJK9hd( z1U|d8!rF~^Ogl?4StoiBAeQFuJR(IVMXp_KZS`g0gX8ZA+hv}9fTD``THnOvEox_? z4`2d$@rAP9X_r)4=%YPAEw5WgtuTzy(ig=$8_pCH96HK<7IA}3v>H=XPzuDxCrK0%)xZ#MsWpdehxBhNp) z){QG>P&V;g8!?hXEp$RA(yQWWq!FXyyz&-o{sOa+HdRYQ&Y5katQ3tcS%o7><@f6> z`u8R2*{)xi@SjG$g*9@IrpRCjtw%8=Tz(#CC7CL&>ouiX>p8OoV%c^?nc#VrvHnh`?`rcMr$_%wd=-T{ce^#*ZKY2i5uCOhr{1ZF0IY zu(x-WHC)-sr5~1KZn@iY?Gh=^7Ff^x)w1ehli`STW5Js#%_mdVS#8X&o;LiG^6ku_`Lgh<%zDd1crkAgn#kTBmT`?`e%0)B znOq>o<3~)ifZTFpWQP49>Yyu8e1ZG9M7Q7EzUMEi`l+~5rAuET5PxWi^E@UJ(Ka3v z{P!Ne)64c^F@^2oTG#MlqIuW$$8C-J?Or~#2qNlTVmPTJ$g*P8+*yXZDv0`RX9ViIs-{FU>di_ZX<-gEqdjxJ-yM5?IY$iPpUh(at9HZq`g}( zp0FE=J+(?7#IY-&doku#M&&X(P_?Xyg%G$rTAMeWGhIGWDSGnP<@CXu7&*`@44{ap z_0c-di7YDiB|e7>H~-*wSTQmKe#FwoqwkuL6*%4z0=b7X^+(^+AU5`Npsd;%H?x%N zG7*K|eb*W5WsFHfMkUa9;%-w{U~&?kEyALiZu_n|`^0+etnhqP1ah=4pp+oMsrvyQ zsfY)uk7RQe=$xFl4A&jo4AuemYce#R<9}_c`6$Ir50_ zUl-Y=G#I30=(Li&x8Ao~Bk8Msdgi&A1;8lTd9SqV7hgpx%Yp|GuS&76TLql=J}+Y` z3j(r#dlh3!31FXl=!3}3iJFd~FUcOjfW=v&unq_^RZ^)x&oi zi07^qk0Vl(_Vp(MEx$mD%4*XKVLR|?N6aq?rgFVu^24HFa5W2kJupquj*U-0#A$Mt z?gz~7$7t9|E}o6u76b|ac#jPCHYNDZXUOz$xs*jqaZ`{+lX*_K`7lu{$2;P5ltqZQ zug3^FF0kU3*U2EwFMaz}U4jBb%Ue;%zzld36lgKkLYSnvE10C$R~cUD5CUO-pVus7;UiXjYstr~|+Z+4xc-nNqza@}du@#}P>2UTe~uQ@CFXJHjD9Ed z{7us9GxwURXfTnPwU5qzcGY*W{s2SHTHo!KVO#nd(5=j}FYh3&&V;zf9{BD?ec(FysfNqA z4q!4grWZU^bgovXIQdil#13udrVZVFz2XRf(q;qjljwGmp{2HMcp`f2!KTdghJZcE z+o@ZnxNG-!KncS$M;UG5mTSk1X1n=-BR>2@esl?q*Efo9G3-La>ER($iU(o%2#1r( zCvuL4L-9GA=9}Kb4HKXix8`$={#R^gFcEt21GGb+&8x;`uc0NJI=9&eGz|;z0E7@g zRAdcs-8Uz>Zd_yasBduHm+5;^LiBVWIk8m*q-3^wY6KtiZ_>=gzn90M0nzl4Kxg12LQui8XRNyz7^} zUST$Nx#sRe)I-t(s2!W!GnUd)nFX$!0?02957mQ%<~!?EFY1(dmT?OV)j!(H=YMpi zn5r_f7kU9DWH()lWh7q)e7JHK)>ALM1|B}co-Mli{MZXhqKKy+t~ zzU0+~Dskdn6x0(RUwrBk-gr7*iR>L-y|odo&|pNf)upWy8gAU0Ra3fPRjdiC*5`Y= zcMgZ>tXy{OX%&IIUh2;GPlON_9jt#8_K*##E_%qm+ZakNFil;5gCGR3zzdZNjFQR$ z(Hd+(!Szg1ChVCR(cLvyu@T$eda=egnO?)C>FPB+jOJMy*VY^ zR?#Ms(SaZB_2N*J$X%E2wN`^qtXFQs;b&9#v!7V<01{6ntOWL{5^pb~FS+mPIO?=m zHigsbhw#l3BM&g8HU6AX2!4!ky@l(pe+2eE9r=;DWoGqZRjt2{iS}HY;n!~jcm%E! z^)<^ilX|(?1~(vY8-R4hKe6)iW}(r2=!|2>US7!ufEIsU&imKM3lo(zu%iXpw-34> zG@9P4dHSt&PE=i2Ulupt&R(K+O#zrePMNZ#69Y(drjtySuE<{BzK2oJ?-ZZt1ykQw zQ{Rk4mJQun+!(or7u`~bqdpZ!;mdU<59Wy$rq-~RVdQr8C4J#~;xJT~G`ronZ?M!W z0pnAl*t8@9x-d7ll3WN6sw?cJ66eWph?C1S-1*KRNJJU~;)L%g$sJ_!&_kmYT~#3? z16Rz{o4y9;mE}3UBQ;ukH>C>O40-OuoFK3{@dTRa#RP+AU>+kyPeCxhNMW2?P;1!h zUz!ks;N}PkVc>>SpM|@0TMCOi$Za_tE8Mb|4!`*_oi%wekp~QUf7MD{B>$95DF;}( zTWz#=c}evJU5Qo4#mO952Ty1?9Qs;Th%WpSXbY+dj|D(M*C zP!-&4pY@a7T?i`AmV@;z@t~H5*}50su#O2nylx?mN|z#LwpH>Gz$tU?r9n&n0oW|I%|eA-LEGv9^&+gS}u@Uhfcz z`3FTb>a;U++qL+SZE}`HH&=&MbD3CT!9pH1PSX6Tk+<+EVJgt5ujxUCZ$K2hZaMoN z@0sR|Vpfm-Xml(C0Y{!L#klg9^{k9W#>;wJ&T+l4PzaqCh;}7y;jEM|?e&pcP<=KJ zf%(vU*csn-kge4rX51=5p}y=VW#lF>XcMxiKH!f{^SGPPIbCw{*Pj1GF)LN=!QznF z)qERIRg`K)vYQC-{Q>j1eS3>RoGH^U{G~5%LyC%@LUBy{Dorani=ax%`UQY;I-Qm} zH`;6Wq09l(p=2{?QiZf*(t;D9MV29}Z0xJR4%`|;lXBl8QErB~Xf5A41A`M}%1tDgkO_yFZ{ZF_GG-ajb<` zXF_b9+>hYO)0?sR3iu!BTFaF)ZtYnqrZk~HL!NQ>hKXEmoqw4OGC!huR5g=jv|=yi z1OzOB_}_mWCmA3m?&F9W&^4T_u`}KUIR6953i2(09?wL_y7m(e?9+>Xn#+q#(iD)3 zY&U=q$NqZwYl$-u_aUd;+H>g|h4TQSr|dZ@CC3rU1v?nr8)6F*AG0x)XBE8mPST!u zN!o?(>`pjP&S&Nfq?l#5V>FmXW{-&YGE5|Bal$Mv3`MJ zV3Mxs`(CD{^z-((2@)HWnl1YI8+v%u`AKU8N9>!gc|0hBjd9=%pr5XvlYR@^>67Vm zGQ)ku8-Fv2M15jzWIhLj2nuX|LXb|`@tS@Q2SQ_z^frh4p_vUfaJ6fSu>MT@2+cgHL!S|PL^@3zX}-HJVvimZVog_Wyn!iy@=F2=_cPfv^UHx}APAIeEz~+cg}Q>8;>+*3&p= zS~c7lGJ2GoDB)^>!S01ttVOD~%wc(B&f#O0SDr&`Dx1p`Ps%wLz25tP`1aDt_Hx|^ zSx}7wNmo#zO5|o~`~6$rUGH^K%6{5v0q#&E4&Ogf$1&;(0l*Y3jho-|!?LGEy7X=E zo)u~v&DXvIUTj?XVCfJgzSZ8DC;~_XAz5?vt=k~1*Rd#MYq-6!U$hv$v$=V zY|*~pPuUy0HB+9FMGejT(>IgIJ*+fkKHEB)?CVT)OrSNjc&q0!)>ZZHCM{)?zK#R{ zqi7hYJVmE{F4G<6i#;Xn;OWSd8l}Am#?2VC2rlv|4ghrz6#$W~`*gsmXF$isq|3>z z3~`iweW6n`>Xz?9z1#HxDHs~(V9JD5GJ@B*5= z{gU=4{0eHY?SIWwmuL#~R z0Xw^g=uiV~B+ge|DsBNGuC@nX90ac^}= zu29OpmY%9<33kAnNtMf0?tJsXBVNi zam&r5Yw7~45kIRV2Y+}nN~wyCX4_V5T)3Gjb%BpVhb_yZ0LmD|)S>!Z|D|D+R;26< z?JUW7(d$t-4ISfXNLDEeY>ZNo}7rwd1sIDa-6Rz4Kq{v zE^DJ(f`z+Fgp#~Td4SqAKiD_wsw&K`!9V-22-gohwH4ZfZSH-Ki_9nyQ#-qTAy{wh!NEz$OAWU}0gj2n$M^-3lvO;ek?<)K0qWMG85o!~&kJ zo_q$g@Whk*avC*FK%;%I8!XG6uuKB zeQJNJ+w}(=G?xbwF=>+5Y&1rQoi$2Zk z{jNXIjcnoC?)sIwB*+65Xt4*tJ;PC9O|NxX8Gobz_RH=i)gIgiw&eycDY#I>g5Dx zsAgc(Vy7pW@{_e^2B$sSRu|n7rZ#ws-#Q??%KK)!)>Wo0#yG3bE0UAG;6h7oHCN)N z#gz4I08kEN72owAtU@Q`&8&}`U?;x$8TEya@>qC?b13{=_ zqQm@L)2qZ!0E9uQ zf7#*BUD#Mi{5ap4-2cwSTo=opOJy_3)0}rs>58zg~P0-Gig>qj3I>*cxg1a{qh$l9qe1 zeq)H*THbx`(~#ZJ%#Ht64A|8uQz0qdOeJo@;2M@fE;4QRFRkc6t820ne}rS2Vl2<#cgMP`WZX447+ z=#s9)Z8aFOit$%cY}(oM)9t*4+KQ>9RcWqClUD@DXElXw8$%xXN){m@-*6SVG$Qlr zr6J@q3~g3N5tdj~y_%%-u!$q$Q{q%iq5YVOFSFO5OFKRk904ls--QAw32QDM;@^{^Z6PKX6^^i}(rlJtootjKWvV@!%(3?$8@SnJbUU$Kya{OgmNPEF%xA1(8`|Pk>XcvmEufmm9$~J z2`o_~KSbkT3ENB|zyUs5a$jPOONUS^neCs6FAEXski1R?y{SYD3bDmn5KrA~{sAjy z@aPw|+>HeN?ue!|Id_}o_|{-SS@vFq^DX0V=j($gtAyX;7>6ki_ov%*_A`oQ)I<6I zG$g$ynD!dZu=cT+GVS792BpB7%hbPSs8_^MRlJDsMLw7hjL^%JX?c z$0q3t9osfa4{n6Bm+zk+Ekk7S1?k@wU`fY|e2yc1`fS^4E#vlRsOTY<^eWP4dOaUY zX==(C^|e|^%DiLEbEY|Mq`UC@mw6o$5P)IG=wfL2p}@b>AdNJzNMc}^U2cNkjS-zx zD9zc-^d(!5X6IHtzh(=^Uwvr)R{bb}$^}^tq`6nURti|1O$aX_z>4`1drr4GX%7DK~&^ipIy zhV(Y}Zb)_h_M0=)3}2|fLI&8Ex?A93uX@MMr1S@yN1G^bkG(Uky&xj>nToaKzy$?BAb0zYY5L@JGyB4AIIslFBuPkQZVIu zhui*~!b@85Rob$T`*V}`h-hr~=NlRlu|!;Vekl=B@xP0@GfqdfZ6n~@1%U8qN@-gg zXW(~zdgKsZqWDzv@t%J-5q=UzIO(|Bm}oXVV0U7+|xnuKW``EOmGqrtc=O`(l@TH!Z8IG%mb z_{@Om|MZuNa4&q45t~$!vg*t^N8o0zhlu$@< zpFUcft5;LY^C|g{&tijJF%?8P$Rc`EIw2a9QodBv2PoI>32y+KBKWFNo0fYL|3KfW(SCU-7SgRslXePTaIO$V|7jY z(2oATV4wD5WZRSF`)azBEK@SPKgf7Jny0a!jMMq5OX*s#`ON~Q3ISRSVlY#qaAw=H z%++4>R%BL{_Un0K!Sqyt2}6%oy+(D^IntJyxc-O<@EwKH^mMlaj~-?H@xY{QUVr`u3Y?J7g7dW^?%;aD<1P1})9|DEJl?PT9kBG@O! zWbNb!@Q6r!Z%$zO0CuSJO#DFX>clSwf@yGu=TF>cxHI4Th96629eD-mkK^gU$vpth zb^fDKJ4ppwMq;%+g*xkEdAHw-*n{W8REeU_??RgwG4T#V9>_d^&#;%;8t+5f7@Zl4 zUpVf}sQ`n$(^;+Q;g((j1(B0 zxB9I0V9hkLWBm%H?95RbLv;otAY|EK(AOfskfi-A{!#s+{V8>LUG(b@nuq5aQj)jB zZ&-k%fA7Wfk4?4`98BU%nD~Ln8f^(Juufk;B6TGnum6^*6DURYlOF%)EOIEz0w9cd zcDK$2tc+Qv*}QaVRMlpPCBmrEE`1#r_MN8r;~%@AdjvIr8XDgL{!2!Q$2WX811woK zz{aqrHaGtikW(hf>DqMx3-;olvf~g4ENQIObP+9v>Tuc+>W&Mwi{2DC;Rv1{`xlPa z<}4c|r4%ln1BE2w@botyI&)qek7{LVr}l~L&__wE7g$T{sA{NeooJQy)pj5ci~XA4 zO-?EKxX^@uc%M0)N;b&B$3da-LJ!vsE6YVu=reUpG&!9~#Ty%7-)BnwL8qgbp)OR4 zWCzO*H&XJK(Unf?YM14Lm1x%J{Uyjs;BT8mEWEY$eULV7sUF6k&V7gIF z6=TbMld58{YWXQEuFOp4JG@8s3h~AAhOE|Q-@=0ZJ$j?ier-FVS?avK0_O(=lwYNu z80?=$x%M9m;*S{sR<*|NLen?3R9^ayCjwD8FKfP ztr02%>OWA52!#?u4Kp=lPaPb>wTk-PRoE=^vkZfl57+l+H5;vX^OU0PW#K7YVEB|k zEvnsW;-*KrR_N!%&CFJ4{`J6^XCD7D5BnE;LpKS^$KU6Qq|Lf;`L@2`>jwlI2-&LE z9m*h80#pO0as01~Xav9OfKSPdOQH>Uw17SQ`_3r&=dWm7w^bxh`vE+{q}DFHuUp^s zy9LakK3h@Qy12upDnj>XDqkKE_(#c0r)OsyPj$Y}0SN={hs-r#@+J}!Gm;d;L9=sy zdIdKhH&FqkYNpRa8!(;KB&u(9n{3-^>tzkh&u`%Hd@^JKaev}jY}os!i5+Peu4=l- zn4vGqf>PYA>?a_@_b!@7a<2Vyr&LL!Wg}V7ro3*d23VDty+agSU!6B7MnAPE0h)}V zaVKtoR^xmC4ozycP67N<3P4RfSCKtj%kKTd_#841IWjeg>WJge6xE1ALVea~g{ay1)3Dwc zB^Dih4wnx_9UrW@rN{((ju`HBT$X&gWW{OO!4~XRP`T0yy$M^b-lnJ3q>>CK7ji+~ zClh3Cly=M|OPVqX2m}2kZ5WShvkk|7wKMU%R&jL_l8vo}A-LEr4Vf|^0<)8BZ5@C{;#Tx zC`J|WFNuDj@&vxn0OctHn?l|jl+~2 zlHKLQ@IQRw6z14E{7j6Fuu$igV8NnoR`f2e5IN2H3hbv$00NOKrej$o%4>qtbBA%I zd@V7nRixb#iz=z_rb@*C5DwVmVXp?nQ|w_%g~GLkC8yH+mv2q@boHCxPbRC;kqoI2 zgNm~#;;@3AVuN{TF*86cwA5WO!$oh z1RmMsIFaREPHTYr#XzoEp8Gb=z;_ieWw9)jp1R;uYqf|1vfS$T$(uS{ zVk5N=5&p#?{52Xv0lb!7VL}=L9LOANIV*zBDVzWb?}w{L_^jTS(m6vw!IRp6N289y zqo{vwR6F5~PwXRd)z9u|UE#LLEKMn-Iiw#}L?abUuH@JI9PToKqYTXI{(cyf#o@2_ zS_jAn!C&WnM*Qrr@5SKFe^(RR8~p)W{#GDphkIU)1VC7WW?PSeZ7yS9;Qfezne80! zCY4vR?uehaZ1&^lf3tP|Z-mdzKn3H2g{G-CuaCfi8~k4H*n`=(9(|HT1C!~N!&KHY zRXMI(qg{YB*lxZ+gug{D_ z7So`%L>@ZoMCQBp$S-xj(|0}nN(LtaWEEuB198NWqbW2ymHNNKym#W}wB@8$dl|L- z6fe8|RhHs{peA1XZgJb}v<%in+ zlu8zWal`6I0n~>*Yk)***4oSa`{mR4jUtd6(fAXRJ?zMcM?h&E06&`YZx<;HWiCRbQ|kFlwedTo zwKDVXVzqirA#cK`*^fKoiLmI4tl7a zyIuG9p5dEXz)Gy-o=SNO{!iBWf8~m5cwj{U4G9d1=Mn%z6reF!{XlT?h3@9F6g^23 zF$Ho)`Uov94Oh5t@>wFAW@jA;vDl6N(C_zGl{tvPkZSW;D4Q|9IBJ z_%vMecJH!hWqR%<*lnM_2o)KzktNC#^fY!Hi&!jj3jPxLv>G#*f(9T#8VVWzs8d7( zu(2{mu+-(+rl-E5_m@0IU29#)^#G&#E=#iLuEJJ8Y-GOUg}cm7sF7r2iOw?aF9v9? zyVQb8XsF13!p+5ijLvO#AF9U0=IMd{pP{j8ZMLR|S5DCrb0rbzLeHdU7-AS2N|#$e zsGEjl>Ysg|B-ziFvzIkjeTg6Gyb2v6ydHkS@JC91x|NW z+~8;4Q8O#xE_();DC&ZO#Km0$fHlLOMqLyI#E3;*2td6orY+m_&+%_nPJw{U`Kawz zRwi=IY<~wLCH1=mSTonv4ied@v2!YlG=OU46?N>v zmR#|s7i-$PX=dDgyQZ{3@xy%yQ{r;9>*}1sYTa*6NphT$9wt#cF|-+R`ZTkzR0IX4 zLz5(YG+ybTP9TY;)rM7q1UjJeazY)D^S*t`l2KputBn+u82yHoU4LNcEXf{jEegCe z;6i1`9{$}j3-F@>JPdlXO=~&sAH#9r{#7+HY5-JsVh0M!%whydipprGHT<3>p55bI zQN{&klFb$I0<2En=v@5|nsSUsJCLY787}%B;?kR^;ZSQO9j<6AZqc3YxydXF`MLpZ zDIxSa{dVe9Y-ZoXtlY=D)74l_*Tt%zxA0_1@#cXce<93P;ItXclj zoyZ)2ti#e%mn!D^A?sO+stUICvuD!@*G|!txBV{j=iu9K+x!7vKNPr?KRr9qwk>y* zvy&f&0)1dwLz+AAUlTnLJuNsOS^v(%OBnBy!A&;#ctA<^San`wmz z=;%@Q#+6|Cy=uk>SqTlV3RZLTUX>geRwCE~_@5#=G<8Mc`C`7n=WK@8#gWl-TgAp& z&=1+AG>*u;QXIiwM%Kwt!LVu1M{-;)H1cPAbp?()l{2|NfQ4QwjN;FUE+h<{1+Ehz zW;znm`B3+m5x*4)g)hEXJ#kqd8hM}5BQ2F{Q3Brmyt)#p>)lV5IffV#o+s~HfM`9MBdlTGPP|kL zM|~BITp+L8yVkU^>QV}&{xW+@-LAgWn*mA{HqX4XP@;EKMJj0|@xKm`?d|}-@(ic^ zyHrJnSiq*SV>x2dp`Vd}5d24-d4V`d_q~}(jz*6F2J-ncu;6GoBB%Z0Wr-TWQQ@ml zQFyv5-?Ug5bpJv-((thK7Z_lQUy)|1i0&j!(GzLXx&Up}IwIsts+y}IfV78u_97fq ztV%MeBqKfj6=2B~(t7yk{WP8E%P&0I!p#eFcv}3-?>>9IfT1UEzu`_Lxia-WOSzmx zt`xG`?KBz#fiES`H-1`Er3Jaz+A*4?_~r`u=wB<}Tax+T{cy*^G}L}k!E!Zr3^4KP zfuaoLp|O>9s%_m~+pJg8?=K@$tw+zNju*IWPPLPx+qJw}Eh~K_eA^qxAIRCwjXmW| zpdA>!8-Cgr0?x3A^X>#W12gZCm9Wm-J8&@h;>R_Pf2tvDUT2-v% z-7LH?T7^fbnaIBH8d)QLqAl3|_zVQM&j+jX#;J}Jg zHV9A5+y#lLfDY7qJSk6i#-x0J_Sc(8nlc>C2hBU*LUj>VqQGB@fHrcYoq%kKuI1 z=9f-)CO8i;xhJFmg!PP6t>JHAQ|F8(-V+x!3DIF5gRX1s-KGlOyX>;3l9 z1u2GxITLJEu&X6-1ZxZ`!Lf>v>xx+oBfj^S(q%B|yNU0W8K5!xOb6szC;?m)IkexG z{pb_y!ZLWac81B&RYSrg@vTKqy@=tU(MC0jRPkx4ita{C1@h%=I7BHD5Hv2Ui`~}1 zro@aK)O>%xV6b#FB2tqL<^Ts_cSXk%f~ty%<_`4-Zsoq29fJif>re_7 zOandgG_VJ|5o~KPd9WZsnMy2}5y=q^ADbTNi~ddq*~oK9id$R1NTdD;YIP9!2+B8h zMP`nmCA^QnEHSm)XG#k1eY^T~m@{%Mk$xHqjsCIf2(+dWGWqz^ulpExB5K~IlY)eU zdj0|qE}Q5s&?KU3#{1jY^sxd@g({DwFY+I$SpTxt1TtJaJj^kQ=&c_iMKs$JjniNNmxWT59QeBL3t_k zE9Q+#mn{wg&oF|Z6_(al?~n~xoyB8d7C`N;>-`@P#n70xAu@;d6ZW|rVMR(q>q)l5 zfOaH2D5m0p@Xe+@IVouKM><)%_wVY{&*s&@b{xpD^6qxtiHe+ID+;gvZDdmKV3uac zTKAlP^LFCm+FW2AT8;HA9yLhZ^vnjHV`bqvrCq#i#3Ka=%4HOZE|0jENb8BmiNBsS zTHx3v;<^NL*t#%N+k^>+WQx4);qaS<#~A;WnT%v1Fu8EtrO3#TFqcEEZ5Fy5*4v0} z^lDn=@#C4SS6-IK8n)-y1B-63(x%ytqw%>8(-EcHDh?oq6%mdzO4eVHut>t$I9y}7kH&RUcc7VJ zr8tiBKv0l{O$wl+1o7syGXAoy$W0o9So?m6`Cghh!b%qX-&@{$e##WZ`Zu@v+x!jW(If&yF5zl>kRekOasMM;O$4Js>3m(r0)jNZM47zi4EO&f+Tv-=u|1f z_J-}7kd^II_QDsXFH4xPS=7bW*`BAnm}=lWDy>AaNnXzAcy5H)s*6E_UA9bz=CqzD z$FTaHV1FG9han*`4yB}R%A?g*qx4W}+w`3rbU_~4A`(5?Maa;B4CNJhcJr7MA{{^8*q1oEc;-_9)n^qtWEyl*-FBB%pP2QOeZn3&lqEzHXy zcQk>pmANU8zlrNyIataCC~-*Iq3QzCk<)Q#+siGr1@;Z7L@xSh?JE!<^l~v0fL9ZR zA?U%sz(S*I-=W*pkw)7Eq(Neh;gx+P275W7S&V^ts6zkx+waCjvL?ij)k9tfY=n-! zb9LbGTkwz9Q8j+Z;v@Y7&xMb*H;>04Abm5&$Ye0fWv14*G_R&qeI~hLCx$@Ym5#s! zDL0o#cwsT$Jl4+>=L4G}6RPTE@wY73Z$iS|_ew7a{e40vqJfycQ|J@m{u`=E4<-S@ zmH^xPz_Yc}DxBx|$MwlOgJ(mEn@SBL@4e3x2_{((fm^JGIRx|fYD%#6BKo%(+tg7v7;y@6f6xY)pMlp9+%SFI~Ps8b>4q-Q85%>f-|Ljqe# z0aYMbRK=X|1+2Bs%xS5En^}#hZN-v^3^wu-tS8tBeQZcAyUo)aDRCX!nOxFWpjQpx#i{UD#stTbR+g*;>(&LUM2_7PzBvJ;MB$ z4Pap|iG_8_V(39IPt3TUUL(pxr+&-o}L=cnLTm^m+})Kby)xq~UZ?8A8ZviJK5 zO-jnpB_fC#a=;>1^$tjjGdL)&bOA0zTb&ReFtz-+wy;vOAH1hR%fF3je0^i!Rm=7XLrt5ge<~tjmy&;CbZd zTw%uy`C3vUc9w&#&{dp%yZ}fqRG)PS?S;h!aL!U|JMm+ndBhq1; zl~7WTCh76~i$YJ$dp*gHyyl~y>dGCEJaL8FP` zB&$k=t@$dg@O9?$6AL}Z`_pl?Jx6kh4d{q8s}iM-d&;pxPppLFlfOrB;MiPzj-JB;QjzwDXOWwh}!oTOBZYWSqu!} z&I*~th!r7{cPQ<#v{l^DiF|hwobY}cD-``1s}ITkp^7;v_z2fz)jC{7fyzUJ+ZvkA zG0CFHqIu(iew6FOO8jq2t8b!i<)$`T|T`vEm?#05hICcmI zwm?aVe>|Jv3IY-;P$FV%L+*!bQc{a%@9;;2Ny5wRDhf~5L!`DZ=#dGEsI_F6Izw{_ zt)tUCdhA)b?`tCA=9*AiNjUMsuYk)n#nCu5DGUi9d=cqb76-+T#rU4&IV^c>K6^-a z1E7^u?}H7F^%MpaKK`whUt_tbQ1*#z{mF z-w41xxx`mLyP6V0%p|wp=KeO62l~yBrda)O!iUqR)yO6v4vHg3FcxuMS`7=W0(vGODB26rpG~ zbmIUm^~Q*%8(s=9nCUEEM&rA^s%Rs6n4pfzi%ffdRJz*12A=KB_+!{1GdquX9 zCom(63rQr@OP4^4J^Yke&W|d6(4%6st?fHL;O1gy`j^+Bk%vQiEu!JJM7wm@r~$Ta zrq_Pa<^}(}x%lf`)^|%V^wYA>L3{Zg;7=agWPbmrhSvXpBQ@rb0WFOM7c=V8Yk*xZ5dW4f{ zj2>)8F6CJQ#FQipTR{3iWh*t2>*vM<8eV>g>t9`luy1$J6FJwzcQ{ipyn>4&s5?Gt zSnC0C2|)(SKLT0*hsyTM3*xXl>Ec%Lo82aN}3*rq)rMD=&JKhLooaMykx2qWHusvwsq?g~2`#k)( z070$^MR)=MJSo`$OX^V|Y$F+w z%^}<_ZUks5>O|GzG3O z#uGsRarIzC0~P!DLrCiQ3Ph?R*7a`{58bt9C7DCWNSU?`)>i^wdOu)!!vc;Y>S zRVB+~2$AN^U?lH2X+>)p7d-J3WBqCONX*H4q*AC$y>Bq17~!QZn&sFR*X`9|>%&Jh z)hyD|MS(p)^^PSsW3`H_!6tz`(8y89&zcrVB_t9sqq7z^oS5t)4P~SO%Lt3L2 z4t?**#f&OL*qsOc-S(btujx3^uq1l59}^>1u}aEU#pkqS!(;=%vQ++QlU(pwi|HQh zr;T9o^`;Q^)laP+2{4(W?+;!)n+4klhfEy&U0?ZMj&z;@^9Z}@aPg0?@X7I$!=gOc zeJ_BPQIA_VJ^L@)X&iCxBGeeb=!5i!bMXB*EU%w-7kA%ay@leh`myHjV%W%Da!x3&Y*cFGU~bRl1DL zVyLjlqVhtw@`)>5YVw?3=y*6YWemPMwYjMw)lQIt1fQ_CI8=)m2hqB1z=mP5Zl37< z2EbM0i{PAepqy%5l8h&=WXI|LxxkVKZnkgtLvAbdb$A``F z|45x$9_Scj0?A(LRiBJic@K1(?C-F^NrzH`U9B^5tzS!$bkpF)fE}Rjrn75&QNA2@ zbz&y6Gak!9-I+L4ByOKYSyY#N6&HM6@g)$3=6~09{(EigeF$j1lK)kz&wX?B4jFwV$ddnCHuWej;m8{P0TO)6$=-pB^4AY)T2IyH36J zc6-nIPU3&mx_d-d6#%*@Ni~;2bH#v<^60ARk&*p9aap+bJ;%H}OG)Fs*-TSVu@j3R zm&0saMo9=dtPV4H|Jpt#As>S?blXP7L zQLIcj$qWOD`(YPOcl+}e7{!fd7GfoU(@=|YQ_)_BY{0j4ktZW=ZvE9_IQDn zch&XTeCQKk48ItDRtmk`vjkHPi*BYL9(?Q&-vej?KBa2_&4wB#f&4CCzm=vbT>Avm z@%*Nfe=GRHDdkUN;}Z!Qjj&E0KhzMf2XbAY-a6jJn&w=vxMSBw-oJgTkJA1D)N5`+ z=w7``8|tS$A;4U}|Hos*OILSBVwN#R;-S=0I5fDS<9Z*l0sNHT_w^jVlR_m(XaGD` z?G*x$)DZe=-TW*u={b-wwOLKC2LuGT+)__udm{e(P5zHo1jS#tJ*Q42pjixJyQB?q z1oH!KQoz#3?(|gFTynPNL0eBAeagJhuIVN5aS7in;^kT;wLh&6@Hwh-x~7<{4pEzx z8TlP!aGh8Q<6|$-(w!vnu_@wa*Gptnk4Wp&sN7~;-!Yy3yq{3`GmNS8)MUR|5D3=mOg6?L@OYd*1Vc1FtYtCc znCj`gd`J)@i9^g=lZF6BczY-nH6Ecr_&X^ z5E~yZzH|hmj{|*v@U9CJHSKpjZF@i}S4&CufsWW=!6cMg$Vx{qx6sJeOr^}L^0|@Q ztOWvK??BB*0O1#{aEgXH!@mF(D!q$~elShuX_;lnbjQspqavm^U3`L0*-A*!@8_;N zXC^W3Sq^~X3CLkQEVuUooa9mO_P2ma&&SS>%;YX-S+2XmXt~DqcojH#`(a2GK#4gm z5A3*V=}7B~SfKrayEX&t=Rez*Z*)Iet@1`8d3kwb`z%6fJl|97=7%u5QV~-3Ra$0x zyfe1B0ZIZcA~g^X=o$B-yf`Z{36QV~pIpv%1}QEa|-YJGWi5Xc-1z z8z$0-DxNwmbrH+&&$%y8>$aNx3yWIEsh@43O(tZiVR<95di z#3bK48MGCS^o2Hqau_}{7=r75n0E2j;HakOIATm07m}|cCNJcu!t&7!-=~x#kRCCJ zFN}zNKe|!qZQlL6vau)`i#mK^YsNe2o_J#~ihNU`IA@t=F%lnoWs&{7dbfYqXv1N+~O zxR{eYH+YY-7N)pRd89aI zg;5LpK5io#(R<|F6%+b+Nas_5V~w*1y5_>l{%SWBMnIp2*Ye5x_G%eANQ+*DJ1+{B=0h(C+#zpL5CgIBi)K@yBzz z1x_DI6~CbR!tdrdiwJx<79*r02QudZFtCy>q|5o1 z|MA`w*K06o!9BCTJ+sGvn^T(f=iJ`>xmCv};(QgAFHL-X6yulfcC^N?T;Q}@-tej8 z_NoIaukA)UH?Hh|{eiMT1eSQCG5nDSb48;ffcbROIq4(NCU(D^$fC&vUaqk6b0+Fb zoy*zfi|A$CHzS*{ou!2ont$!PBDqg(>*P1?o5N(oJXkZ<=g8_^D=fyntC?Ow%^#JG!zuLCk=Cp zURwBzK0oM@m{dHR?Y{*pmGc`9=1%$YltHbVnO<-sbgxl9=1spJ8e%KsK_mU;;XCVS z0=}Aq&vs=AJ2sP$+%nfUvo-4nfQ8$%$_xVb@4*s>H3#@c7jRyy@qGQdKR5Lj2VOGw z38ogo_tly_@v#)mILC5R^?V-s87}WYt93^I-#Wrm24dkyVuB@0fQ@TH=?|nq}m!lmyh-SO)ao{Z8{(d(N89|N6Pf17|FwNx8czu8F5jM|x4+l?3+tKN%FE(r(5nvg8$VSFgu zfmD&ogdJ?RH{*Z~Chdc6gbx!c$2ttY@10}dL2AsbZ!Lke>=S>tRB1comAEw${n}A%JA!?-1z)wvsg@DQzgg9`@U!)vOJHDr+5qf&oN>z&-0)k0C4g|w)jD# z+1khtp+$^X@`RZtSg&m`xxq#7di&J@oybV_t}H{0Fh;(=Otl^9C-1^Q8j*g*i4T)jOavtG)inO?*CR&FDY3GhLA=iqD1JjJYjNmH%MR`e+t0f; zFnRsOYcnR~^3*X!d38@c%*)Wv&v1mqvEx5e5uha)`S)DO+BvnhFM3ZDEAN(B1$Tf0vQ}c5!z8t65iXyAff57I`%buX+89#g{wnk z!dDR&3#bP>7+%dWe=$bSCEJK((ccbFps7!U@y^N@CgGO74p(D%Jcv~wyQWhBicDa} zq_kPP=MkXT=)V$Hq<-NzkFL&1P z0y-f#EB@3QF?w!Qr6L=Z?z55X1NVMp%^sDn;HNe^vq6m4@%*jfT;L0*i&J=7_odSB zG-B}lP@$1%*HAK-a^$_Z4dEGzRZ(iNiFa!KF^$Ql&l!>RH1t7-E?W9c{c8B(XeHUF z&_8WlHsoMz3D?jkh?9>#xqKM0P$cgFJ}L+bN&vU`)h(jRs7|@~L!QkDK63|nU2}^h zshr@0#x=2Q=}}Z3_%d&OBs>7Crt0M8yaOx&Y_VA78d!NH#Rz-c9{jnf`1S_>Z8?ES zh1MwFDhNl(fA6yIz}4-jRGH+e4p-<4X~Fdu{dX8+@gNoQ*e@%R@nUkel#Fku;#)6W z+mkGT7cpBZ4x5r^&&o>!`}yuz8=W^#6Nuwg5eC@`+SLwUzv=O+t)}>SHK~*y1B`oM z1?8M6tKs>3-=l_qXDdt}$Grp~@o^M}0a}w3x4n%GE z)#u?iB9&%VW9@`7h^OawQ}5evqnfZYb>hl5Jie6)oO$%x0WGv?aD%N$_!*6;TGB%W|vutUSNkPYJy;C|v0E6_)sKV$)2viMIb&Pm;7 z`rV+cIA03Bj@w6w)pH#?Bo!7fHeW%sC@ZFE0;&a)-y218feXNu_NdKK>;E=RAqVLs z2F)70e~Xrp51j5Hsz{J;Exl+PBn*9Vlpk;#oW;n{0NZ-gaPjiB4k|(?M2cbluy`da z99rOhQed{`zyXwc^9wk8lt;TN(T^)U5&gC(`}=EQu^oGZwlQ1ZX;3q0JbNzl=dW^j z+0(gdZ8%iva)t&px@;xH81NJ=AHqRTK*g=&Yl=wpSg#ZU_iRktqhx$YO6*099(Y`O zrJE4EH}n;``F& z)>b$k?b&j-Fv40RA5;QFuGi&&6&0_~-PjW1y>40QUxNln92y z;+(@(Oa~23>)NfU^-67j!jq3@Y0VP{CYMnL@c7UJLKViGaB5I@uDbSqYt zCLp<2JAGrK%@i6Pv;A74SwzC=&;Ed0`5p$*=0gQ*@Tu*Vq%BQvzca?DW`&#R$Sz$zvpZVtwZh>eqx|d- zo9{OL${0I;adHSOkdgoyP5a5`FTm_uu%*=TXA@uqj#|>~&t>K9WhJa*uo|Gd+16(d z%rAQnCuZOzbH0t2a`hUO!6`s$sdJDUc{{$L0q6YC+aS(z56a9?1yYlg#Dj~q7^pZm zyBbem#>t*$!r2*Vr>ET0wh}1gk%#Ki5+v1S#!kFBL@i|GL<72X1HRnK(=ty$%3zxJ zlMR!ugZJN9mZumiiIK(GHEkrHn30Q0SqzB!Onu8ts;aGbocPKLK3z|jp78<_gt(pf zU7=IC6H|H_CTTZeYj)R2<63&M%0GY)I8lbqu>#a%E>RftLlD=gEDV6tyGQ`CAVR2x z=lfrFL+ksvVcrp+twV&qG(aDmz#|r^QG2}84{cL+kw8uFg~u`5hdHNW2g4aF(-_G! zr55%%&$F7-(@Hu)7=Zsdg0yug>8F}4f? z^e81>8SJJ}6dgS%u>D>(OnH5O8fQP!Knhi6^EfBK?YqbC=Io`daX;kHQGQJJZB9o( zFo8^(b(-^lYmeo6Eu~q)vF(-3CC;VAU>7%MrQh}LgloTP4+aj^DC$Q_+r2GkbGhpt ztxRO110d6FTcd@8A5!ZTyqMucRRQFqoqiWZ z7UEp#NzgB-|2+A91oqDWFR?Z3VQjcyrzE2h@AT;)OWmwy=wi^e9L4ge&RB|5oAQ^X z%KYVBrCWvDpE316Plpd=YWbAZPi*HNH>H#_?+?rw7mD&?GrEm^H4;DSA=OG-Z~c)W zE*v*u^Hhng_AdvsA8?meD_#_a1%2!-yTAHEhi0u|%JJ6>cj|SQ5Li*_dCxIg`io?512I zrXZz1YY!znzc<`_oO#|lJX}?99{6>HTy4H%*khu7bZWj?ltrJiR!h7+r}Zu+ZWiX} zZjfEoSHflkNNNo#JuGwZo3u8u^@^JG&h z#jGxV!V$NJ70(WW=GroDg8A^*L@smeki9&OZ{wN6g=oFo9wgv(;yL}|vn<8lXjsKcetGU_ePy?ZacCXSz-eYrn^@hjZ= zGjyzGmn>^e;`CKJ*|*|1QS_|NBP*Hxg}ol!xkjcxRKY|DcLY4dB(zcMInX&Yl=g9M z0$|6az)lFWYHIAE<%6M9GwjyRa&=_&zC-l>?w~YP%h~Y{B`>q~uR9(jl9>R)4%b<- zcJXD-AH?xbiO4E5A+x53#SEb5UpIYKmwVIkN8E@(w@9Ab=aS3sRl9vcq{6Mk_<}1c z+!&n?XNhV_dc_ti#iB5UR>2~R)9o*G`wO}qUbf6)&WGFoUmpdIIFD&$b}wRuj% zq-N#yyS=L|zMA~a&bJZ$X^95pk9<_K&}P8%q*Yb%HK~4mO4~0@LUZdtwDB9!VpXXrhz^xU`bzY zBrtLKx+0UKLSYvUKTPnA)&IuV_LH_jL}!aJI1cQl@Gxpv{pN+)P=ucBTcyY%UnJ>Q z_wf~Go+Kkz%^UW}J&w%h^CuD0e2OWNT;?7-U61NlX1=YI9KJ8X3@R4FWR@N+KvId$ ze!#sz73Xe|@?;~?j|*LDly6=ug&LC!gEPEsw&WEpBi6#QD0mKJCE{S z8XW#VWPNp1)NR}CfFK}9Dj}UCND9&&(%szx(lvAn0@B@#D2USC-5@!L#DGW+HMGEx z=jZc$@A=-d&cCe1S}b7peO>$70SH&zK9`9)-|3MFNZ$bZ;&lwk-}YdDS~j5t>m6P# zq_1}7Rwmd5TIEcclS!bpFHc-YWJif{?Q;j)`r7nx^)CA?)3})XsvERA$uSX^-HWO|}^3gi+lCRxH9#30H8(6ALX^g{Ly1-%zi^#}%7g~KaF zJQhn76$gp7N}d#UO)rK-DjBfmk~z6~AV}`m!)qQ;lW?_gx15)RT$MQVLIqjm<~J+V zJkTkjsVIQNGR?;5B_*+jphe0lj>-yU=M6_Nrwmk%v zH3)#{_49y-5RP=C`|TO8EM|k6gmn+TY+7ppe)vf>76Y#cawgV+q)7N*f-irveFT5# zCXe__B>hs0PBOh`zOY1UO$NqS%*a;0{slSiYa9!f2?I$>4_-2s#1+(p&zAv?HK5on zvy7=LXeN(;+)6&Z zB+I#z%AYNOK7L_9paqC4DAn6Vv!rOA=9{bmo& zl+A%pl~(g@REJOdI(0sdIZFq<7u~t`hEm@rE~p92h50-c0h^vaFHxD$`!jR~4%AA# z9@oH#Tfhk)kc*BwFW`RC#*cg~u$+b6$FFigU2;fXKss`Io0M{=f1%@MBNdAY9+9}6 zktpUjocmdJ^?X>_!jL(M(LnV5k>Dbtv(oIg`MvTWv1*M4QQoN*GYXfob&H~88Y(S4 zvI*RTTpi=k*`QmhLV=@>w%WMb3-fjVyqk&+g*2iT^UWDMe#Bp zR*j${KEUEPhbQuICUZ+#crYI|Us!*;0SQ3C&lPnsBzJ+g>=So{=3q4;NQhv`x`ldrui4)@&(;=o&EEg^|h1$ zsgYB;)N^y6iLxu{bP0)<1$OLTuB+ptmih&&-UdDp!s*pc*SO0|)Ar!%ev^7^tNV+; zoNp55=qh;CkaGHg^A_zET~^TS%W$Nl+=d|ph7kT8*4SuO4gwQ)GpP^IS-FWtj zmPt;nwc4`FbWIviPy3eYi!`lwx=i+ne)dr1e>$ukcbNSmly27CX}x@3zvJO!N_~3lnOn=B@8}S&YX-TwI&;;{+X~!0upKiDtqK~cfZD!E zSXVZ`(rQg~lcB~!zbyN8U$7q;nL zz_S29_1B*g>-}Gv?XM2hi4OFOdN$KZ0bL%4hD4NA)NaW|(VHy{w6fjDg6wobgzJ~hdCivb&uep&Vs7APL zj%zm7C@&O!celFPM8WH~Q}InB{WfR^Xa8SSvc?0HmSH5-*+x@NTDZsuHkF7!)O__r08a%lBlu}9OZV^CNaAW ztR-2t?gaoa^Q~Kwhvj7+suW?8ulXIlLC+t-VVTdaPT>|BQ`1#Rs<9tn;RV(8N+{~ckyVlfQ_n6<#nitpd z?xY=VTg>n%_7(|BFU(s;3Ly4|*;Ky|O*~?_JMzOJElJYCGo%Yuz(|h3d9^zfj)zE# z4E)7l%b)-aT8~#FbtEKZ`AUKyI!VPYa`s_Yc)cz`YHax2swO?A9=MyzYnmoPh*VO0 zo_kgrG{4u8YO@66vIKE;oWW$@Z?@Y5-Nw=WGHx32tAvuOn^vX8}Bc(`H`(bhwlO&EprlLq+bm7CK$(5c_#3Zz_~4 zVBtHl6e0UgS^bn|gXFIYyyaea{o{!jOoqdgghqmhB!-3Ts1d6P@EpIaX~gM6itux+ zkq@VF;&U&N4}(Y(xAo6Pyj25J3mSV4oc1rVG!v;wT3-M7InVQT4%HaM?+jAeF>WEH zpZvoB(!xI=IMXa@3i_Il-H03C2nCC!kbu5n1rbDel8&@|saIy7BbDwdyUU4mCarHK zkhCw9D5RF`{jy9Tx1Gs~O<2^51lKMK{97D*u6 z);-Z)yN*7o`2MxQpB-p zv-LG!`xwT#aa8-g-U@j1(x*i8b#(E!E_z( zI^~tm;BzV=c~L}d012`+ciU(*CcM1}{7HNRd{7r{s)1O16SdEVZcznsfd*B7=cQUV zRCr_(GD_K7eC4!jvJL(#1-L*O@^mo08Ba;iDeWZh{v-P#&EngbU8_XZf*sjX#{5d6t#{ozZB{SOR}GD{ zgx~A5-WUkqIcWd<;>n>}J^DQn>i2L9pZ={oLFA9}78$VsX|pxq2l7`^5V3BkQGpUU6%;tHVNZ<%`yk`j!&huA6yBQG>+-HlBj6id+UjY`uG09O z!!j)?F6hqo;`WHfRe2x&T(bZ0^-_OvrM`tL^LO1Vu`2y;q||>4YM;<|-$>@I2)$xy z1>YGQ5oanE2`s#8i;&#@4eo_qK6as`eJ6awv;Xlkpdl$9GL=iKJ7yzkotKIRQw3~P z+2)?@8>c>j!nf7}cq9S1nOtCI#WQX@<^vc_zs z(=Z9H8)1%HK1noN3XJ5GoMI0j6bVd>B;+w_lb;$Qk zX|pst=9f<%e~NL1Sxg?h?8XpBWT;EjIKD4B2!xAM)_QeXn{lDj1>xN`UU{C_tj1yz zM-1>xklnhE;D@rh-wZL(#d1S@RMwh@b~ug&x=`c!>V_mkuat}}q`u%}NAq>arrs`L z(M`BGXf56^MnXtwPN<6j+#ggU{9?auq(bsuc!;5LYn9ROz+1JpTEJw^ZN~szG(s~0 z)14vs=;Z@0Q-iR}?&e-jlUdW#)=Z0cqV%8Xyf4a%rhd~#1eyH`9h+SH8YI= zzgvrtk{_&{dTwI|1c!$Lx8n9f{do#Vr&W;Q9s=~BM`Xi&`@fCZS`T?>Y}&u%J6F$a znQ2@FYR=s$U-!CrHzB!KT5uU85Mg!XNeWT#^g-u9tS&nh0wKz(fAjgV8-b5PqNKKHx_jHSt+e} zCQda&qRs9+vLKYTliMb)^}NyjIX-k8T*Dp}p>;vu5}QqAJ2z1Y?yZCCyNB-soS>Ol zT_-M!b00pUStbS?YD9Eqwa}VjSS56y&n)lj5rKN3ez=Q_HU@*2grF7#tOTg@)LaD! zG4_gfG5iw5BA`bi*R>>nHvBEv2a?ICy9?_jcHWb%dQW;~=nN@~CPgv% zzaE-2DTp2{wpLj9p7=IEb!f8K)|q!sD@xZac<+7^phC~kBZ3xEe8s-c+{1vjxHo?q zwqvlD4_}r+ze6*JXU_X{ML>Gv=8Y5*$@=L(mL(RKX39?J%3VYi0v!SxC$UhT&}E7# zaryLuD1Jdlm+Th&D;b=kfJ*8EfpfoBFZQqw7-AY0tRlj*h?lE^j43d z`Szb)TZa(FTYxZP75`!B=xbI&!};GhjfaUg*yUcit2;f|dudD*a#Zn~FD8vt@kMfX zEsvKdx`$voS#W87{kco#(kS?~H!Mk_F+DS$F+Uivo-><-=lVtmW25LE zWj@}lI@!GI(Rp`oYc9Y4x$0(`L9HUGw@ol5nSs zsltfBpuyAn%L(%ck>Im*pnkAfVT+PXL_^K_23c*F)p)oH(3x%1<15!z&9^^ud;0|` zLdz3L=JVE$NvyP^MSAFVLT&_XuXq055Ni?mq5khu6geU6Q~jmb3POc3qV=Fu5{>8? zJAzV{3g1&Ga6{a;gLP$&{eBwXXnQwI+}t3AdH{||5xE(Q zU!=Lbj}L+{Xh6ymeweyGbzEbdd$&J8*`J}2wpSgB!IMC3OlP#!%OsK-LTucb7s^6S zE%&P)y8M(zl_!GE2M{Sbov>;yAcoh7NiJ3Fk7qE5+&6F=z5mEp#oL3)+qiY?hB(7x zKn5jTc`XT9X=y)H)82aULVZ~(NUz)+(Yv0Ml`$yB$vqLFkLoDICYel&l6wWQ4sC`j zE8&D1Ih8RSq-2WYIFJbkq!)5_);k}uK8NU!NlXIQH$J~*(;{&AfnP2b zxrwW`?f7XnMFyuzWM#L`kf~OrGZ}ve7>sDYGW357naW+x_^KhdG~olH8tb^0EhP;< z-Ba3`=ZP_WQs$PTHpA#QjU{amj>pjpnK@HEQyQ|#5S{H0cDR2LSfkp7IidFhKlfad z-}!)4QP@26fIp_PHa#zZ6uI427J(_6eCDmX=s59ZXXsVA?^x}|5PNA*k;-yWso3ml6m`55Vq*ES7TcPY zG^}kI9Lb35xyam7f9q8yQ+322r1canDgX94FV})36ERv+FfF>M^IkuRx{8Z<(BLbK z9mBxOCc( zKYv9OQm<^wpGC$l}8p&@sC6d*$Sj14UbF&#MMwS_b9Od!oY ziRy^3qbPXl3u%zm*)o(h8*{HGuUm&=`)ptuX4lxxE=5#Q!@K6v3E*d8xxP10 zoT)t{p_DAB2)h2vszhp0jLTO`e(T|U@iSxW$z?_<&=bRS4|mhk78Q{>n?18d=zM)k z+d;NkQEO>Hc)r9`9Yv$^P?DeDhJKr?aIlNE-ex*&+jzqd%XE14oePHKvYl^oWIn6s zbo=YsOYu2p?Jcb}3cuYOkBSXX-d$}6E=YosEr(x5B_+6_rKAiGr8%cH>q}@l+qA>0 zS%r9TAanLgh91<|V~D~BILS;p3Oj_gXsl{(O+HTFrIZ!y4+e%4>eDACT^`$yXsPsxNG zMhw2oIEf0eJq1%Yrel#jJE|In@?8S)5)v-Gr(Q5d^-ZojQuiAh0by-Z8(QO=G(G=O z`QsuP9j?gl6BbV2??a~vlBpj>{njU^(=fmh?sqTJ3T1EdDkk|X{B%fF(CW|e_fD9l zx#j#5-%)+Q814((!BEIN`rwDW(yf`*I7s-gV=wyD16A2yG=JQgDoEd z2>B@$`N@EzKO-@RO%YD$lj9ytfk=3;n}b1}OHklZVjJi+`tRo914^>o)qZLSPAX*S z1$#U4%59Fi={*jK!=qyx`4pVqjTfnyNw}BB4gStqoii@01iykHS$x@#>DyvyZv12> zgGa-o{5bA5399`y#>q}bBJ*YFjy6QF2#0!^+LAUfB!9I>{1~(&pWjR{?KJq9k>{=V z3QYrgZrO`Qtvqj$DTItj=As*}Bz?*5PjitE$9Gmdymq`JS_2xaNzT3w1ZP|RWm zNtartghyhMDqQ{`CSd?%c(vb4KG3<>P3@r2C-Yq}XIxdzcYM<|jG7Zd85J0CBlu+l3L5NugN|6!GCzFX8H$&2oof~58Kbb)9>K*Ev-+&*!`t~N~D}Ov> zss?w1zq5b&i}SX#^8|ERv&gu!Dp9q{qj0 zuOIylEHNBCCA1il>9IGvmC0-`TSwNlCWRxdTQ^$1)ya}CvSE(J^mdqo(<@Z_!6I|=9?F7)fIu2oa6ap8cU@qgG%a`hjU4NnV-;s84uVCa94-so8Tkw>5 z*AbnNBAk&+RdTM^6!rlt)srFK$R+V>oj&f0(kEz1zHpYZ= z0fcoc=1_x*i^V&fvDzt=)XN0iujU;ujq_%jZCC^f0gaKRRb1TiJ-pl)JjiPKTjlFi z;j!Jn48$Hp{Ug-U$7}Jq$ai?>#~t!o;|2eQYf)1NLq&7peibZl+12{ z7_zwrYD?-@x@)^@_IG5>ZlsnlEZ?YX`^z+ZcL~-pH=LDda+vH`tWbdc3#pz)r4n=C zTPl%{u*r=er`#IZom2bV;JD0@=Aqq4%mR*Yl#>lfYJTpLHX-TqT-;v|bcf6k9O^U5 zUAvv-CmVaz^OZT*;6QeXD((LtO@};<#`X#>*GakwbsvtfO%q`j5a+QpD?iGF0^xSU zKHEKxwHV#o$cWFe7Bc+P`oU|jSAGS+G zJ=;5{6q*`&CqnhCrTLVO$KcWbWC5sovA|E@pGRZV95v~U0VlJro73t~#iDAqBG3mZ z>h39^o5kf?yE!yrI=85=%FFK#^npVb^_ejU7$4=y!#hXq`(lRF+m~Re<|q<;>+c0_ zH;wr7J?hOT^l`Kh!t|#Ce!unanv1d49lI2M=d5g0EPdTeq33>v(H(VoYuk((jqTfQ zIQHy3Ch1;hbigD2ZJ}&J29|Hay|}+xt>#wSCW?nBmTgeydBJ4RPN!85^Nh7r1u_0&J0o5O7@xQMPPY$mzNRUsf;gym}h2{8Ke>ueGR32O8GVdTKgnm#UZg6O#EN;IU3JN+Hwy zFe6$c{Wb1<;KTQmJqka_5KP>b?`YqGA-75nNl=N@4*Mkqt;G%`offO% zM_KfZ0yR901?xiB;|`y4yiQK1Uld;5wy$Wl!o)uW6IzKm>-2h$qI2P*DFjzu`5m-; zA>%SDFBcH1-Q)ISY-Nc$ea1|CZ=ip>0l zTdn`HbL@1;JjX8Av1;YkXh*DaPE6Z-7Yj|J9~8twM$CU9FsOH?oD}#Yb0^qZF(8Af zr-AvKBhYtQVnG`T3SU0t9&6$`DmF_iGCeC!Q(83XrW4O=*v!8i@+#}rxtb*(deqTefFhzet zJNdbNDxE}ocT9%}w0D-<54_uQN0mjX|UB(l?7x2N{#_`}p z$1=Aw?*AS*-{Xcgo89l)UswKxNVgol0b2A)9Q4>rgG(ap5Vx$~{KwjXUih^ZYeYc$ zv(|`&Li7T8A`~iUw~-jstB^`-tpR%)_2H&ip6U}H8znzcI%d;o0;j|*nrS*F^^H;# zZ8FrWg?jC&T1)g$;&6p8N~n>P!qu6MMJKEpts4D-#Ha92CA5~?-{?V4o|0M+Zh%sJ zVc2|VDx#nG(9weOHDL6YIPwaBuh_47R8jDJWM=E#W8=^XEzcj?*imuAmzfFm7Ty+XCYzUy6LNw|?`VQB-n!6F>3&L!YyEXGOF&69WWd z#H9V|OU}RVi(l8g9dA9FKbf^0U;JY^x0Bkp`^s_MRW<7sqWfsKDOk`+z+p!H%20(b zS&bZOHtv&dDgD?IJzTvcM#JdhW9dK`3x*^F69%63jm>zut!muHXew@rMiFDmnYC22 z(V;W{_@138Qhi+)x!rF^W2i#38edfW4?s3LF@R3a1xc8Q#q$U4f(TjUvZ#_Z)D(gP zUuO-(vQ1;eGJEm?AUUY`9bHU>v=JC5x#yS1N=Fwt;uLitPOH3C`=7#ekW_OV9goR+ z_KH%~l$fL`=f0aZU=Je7TJQ;3YVbw&t7YrE)s1alPFSh?F3YmwZm_ROeqC2x(b|dp z7aD=Nat)irpP2#uH|4LR_ikf6Lry7aky51CNc_-U^HvV0?e;~?6V*8Wqv6-NjfJL% z`xAxUh98bT<-hV=#^q|~2HZ0%I1q3c3&{$K!EzZz`em8rB7g|grrN&i>2sF5|K{yA zo&w(fw&f;J%J2vf#x=SbLck`jphk4EEw%*JWuD!L)PDMX9iB z4h-x{#~?OU=)nZsqDk>=RrG?<{c&ajb9Wmh>Hg?LOMHjg`9w1S`eK47Hk>h5) zVu~V)#%=uhZUCOKJF8#yyEb*|T~7QxgFR1~cORmjL)Cxes5;Pul;p$Ct&x8`2pZI% zsiJ=rfAE@`gY{GC#Qw|S5@-7R?b8$Qiw@Y`$MI7+(`zmyZrQF%miY2QMaPb~%b{Os zK=7nKO?zOkcVsk3&z~!a15l807272i`!%+lUoBUq7tEPms1VUzNr8%1=6D&_>BNy= z?OqflFQg|RAO&PA_jea1dkV}y+}QCxzBx( z$EGQvOl7kbsHWo3+$8z-9XE#5lWAOa;5g-^NA1l;7&Ew=ma@ATNADc`(^UA5mBTT& zB}2H}X~EM+0R7{z$|PXBdH|(CGT(C6VTVoz9e8Tr+nhFC1c(n*IBEi6m=kIBZ{ZLV zOXrN{y+K9igPrA*N=kx8he?0&;cMm1DpRjA>`>K7840(o&f&|fJ4_$7q`5k{8!-re zW*zu6GV{s&({x(rQ}3z((;T=Rey)&@+XhW9VmY^S-|U~O6X3^Vz+0@kpL%m9noR{}kysv!}eA&)W#TgjukeAGS&mW6sHT6wMA1B|mvBPl#IDNoFOCm3EU$Y^~aG$X z2H~t1NzjahByyNPh2-$Fsz6&!PpXVhW#_k8c8R0FSU99+wh1|fVJSVFpk6p6vUAQ<@HcK{@=+cne zc1Wtoi})jJ4=2USQ57ZN%zY$+uknWTDr+h1D9ZjNj8oc`drn9pO8vF{bg?4p(u6UK z0bJl~C5YsM98#xg;WY%{Y$Dom^cSqLxJUb$2$3pYwgsb zjKKvVj9@Zi1NI%HSq6zfjj3EG(~?@+OG6t8OpX9ZZ89J6FNR{({f>)YF@eS((pma* zJ8jDXk(wJ4;(KVQs>hm|b1yK=SsqkGpS{HiJx3a{{K^i^+)nMegsa&QG&o1IfA=1g z&O(OR3+!7AA3v?~m1_*R|h2B zqFcJ<>UW`u3dc`AR8H#4t$PY^W30>s8T^0+xBv!>SYkoZfR#irf z*b+~K3lnI!p!YjCjheXYDQRgpEM)-DKR4(j4&)kMw!jBIV?M|FKmx^@;&{ta#NMWSuA8d<`7? zSYfB*qgSBAX=dC1vq&$*f(#n0JC4eP-zHNqkWKnFuKWOJKFv(b6e=+>$41I%%}pS^ z`F{Yr`&AQC%XUgL_PQj`Ly2LV$Sleo2W`qspuPMhP|aYQTTn3pge~xOC6j>u_?ep7 zgmPy{PA6k2@bZ(`n<39<>(7W1 zO1;`5<5|#>UOI>u!UM^K{VBdr6cVZh$oitRxaxm5%{>y~q76Li8L)n{@0HqW*Q%vO z?Po7)dri1$`s%%oNiaM0eOiWYkO!b4rq=UARdi9JX{=)%^d;r&`+>zy`w6A!7i!lb zUEj;aqa8CE9S08X7ScfW@LdgP@!kO~fQF4OKTQQ_WUK1M_D~-`Xng}WNTcCcI(C$9KbHTR!`kLJY+2g)zszxjVbF_e+}2?qItK{5m#i1S02 z?J@XoigeOKx$!ZN;0`eX!K1s>HNlg2=b!4So>p?hdf%;m6)c|7bf2$1*j8nr9HkYD zI7?IZBYIB>*!4Hnn@1({R9*i(ozS!;ULc?xHFw!r9f}`*2mz8vYtNwL)qEAR`o%bP znEjoYxF1>h!fDb$paeGDt32}J*ojfT+DK|AkF>9%qvp0SoJ<;&G-%^1AG$8TqB2EI zq;c>Gn5t{HNci^<%g|D#)4<(wO+wZq~2ixUbwv@dmDkCBnP2SW{; zB%YmtJDU~I{*F+yOh4y>>RWuG2w-=5N#S+Sf?%0Zu}^^x8>rOQPJJ5i8NC2p_Iw;h zX$PR^xq&&D#Cnu9slG-SB$_ENYs;9R4YG7jFteTlK}db-{OO=e<~|F3jSaR!sY<uf4cMOFgl``w0o7>R@5Oi-Pf=W$>b;)HX?W_Mf1cCEaIne{tFu z?JcSlnS^EG)F1E%Q)s2dT{FIzLSnCr4Q(u6U&kwxE9f?MW zL3;=K8*o{mWw;drwjK;vn%NN{Y{OQ)m!v*O5HXpVsFzW92&lby0-vkZ_})Qy^7N(8 z!E1Cn_k9(q7K8dvlU61pL0LSw))un3H_gg$0tbJ^uB)PH7Eo;&Es|ta^dGOb{2xrh zZogHmUbcQZ>?4Nhx#f#$eGe}C(|-^5(xb-ANk9E)Eb;oXKIE_2yDr6cUd>jqFre+6 z9LFD&u@k2j9P^?Vh%(Zj+h)T8!UkWf4rQ|T?VCFkI9GNAUjP@ShB>iRV6isnd_XtZ zTCW)0zaRK{kN%w-Z`E!YcEKxhWk$lfc|R2^MT-c)BMF@ECklsW{Lg`?TmQksb3>Cd zT=(~#wI8}UI{qeEI5fT5?e~1t{KL{j8pK2}NdIGw7;j*1x3t2|?G1b~o< zf|cDZlimF|e&DJ_0HKrjHM5|RE8-k>-5-18jxl2XOjo4w)M9&~Gth3>)zI?LtiiX{J^1S^x#>&ihD_ACb z;W*V#r$6P_VqO$+9tFY6p_nQ8THbnDPdgNq^1n1FJXi%0C(LcvmnGYKlem?eeQM>R zZ5^_sL#=#GX?*_WVpA*dIpXJ0yIEvY)IYJe|6}#g_#jC&QxiMYaSTSMTVhstK}FOe z)SC?i#{+{Q{jDp`WSq~O3`qF-!h92;1`Wc4RRr3N zEA)6&CueR`GYOCD2n5-K@5ngq8|<;3vBVpK4$cWHn}li@7*a@?P9g)n>IJ7ZNV>Q8 zPDPuuH!QFyk)b7#R-{dI_VbG1(Tb)=iZ523m;6q*n7NQp#b9h9Y}_~d3ScXGTvPU& zmkuvj^D(M1L>9gZ8;R~>hZfD^(>G@qy{W;j!QE3SsP-L=V6p{KMvR2~>ek86$#Au> zpbPrRe{W+)i8qq!Ifz~|im`P9U+&*$;P4LbmZbds*eyu3aWTQ|$Q*XtNbVM&p3cNBj&Bc1$RaRX*(^RV=||;1;j;9U-3mXKV){ zf_Br2#>sGe5d?j)!9t`jY{u-;%RM!Jf*qBpeo@*!&-#?~R4}SH-a|6WS}Soc%YPF? za&h^ujx?KHryz>TL!p)B67Nl?BxktrmQ99S^h@`_UKa;_+rZFzxn3} zW5F{>4$tRIqq)nJyC#=HQ;M`RO^Ds2#fOMsz#H*RLYp?bsV7>TwTJ>+B{ojF3SD#ef=iC0 zqTd2`8U(0rjYj;C-jn+PE18ubJcA|878Wt3yzi1-Phv)xI>q8!gWbcjZgtJR5)U$% zn!0LGYrV-rdTQrg@l>y1r zcBgSe9UmMeWxZfVXrA!`votZ2hXN6Qteq0`T^K~2L?;zR&A0F5@|dxVmxY^#Lwx-5zl)utmJafA6e_i4KrKn17zmC$Ab8K#YPhnDi8}_C$);!Z z?3xorLna)HJL^tPZx{po58(apQUZ{8JM-6H<&?^W3S7c?nIGA5fC{~S;OU(Kn*XbH z9gF=;*hnH_mTg*mFO<%dg5u!I8MMYgb zdOJZakHz^3PKrXN+I1b^X%)%AW+hAiuZHSr*ya8hkXGOSH?6)L9jc7cxUJIu{J7<} z@bS9`a^#|4bdRH=Wg;mlx9O5{k4UP#gn=RtE(zgzU78O~C~JZsuVGpSdTFBpR*7Dm zRIvqw0=aY`jT)8ZsJtJmYMj!}FtnX;X%q^4ifAn#>30ebetj}jlb$3cA&WVX@n|CX zk+v@zSmRS2V=1}3EM$rd8-1`qwwDmC&}$U8Yi*d!gL)^OQ&_~Wu*8Ef;bX}OapG{5 zD0V6hN)ekezBf%mehqt0y-|>jcFiV}dnp>W&JuTMKM{kGaO$Vv^OttO2~Ep5J)i3E zi3o6M7iJHzu*{3jBOFxCBB%L)(cQKd@#LlWL2rF9GUtb+&!V-S;1TO2HWt;@8Mo(o zSpLI|Cv7+DB!q#L-{y+AZ7tU_F^wT;)+r4KQo6AZGLF75*kj?67Az<}vOIyBu2!~e zJ^NN1DgCRlIBw$wIvuVu|3!mCqO}Qz)P67z^b;P&z)3_J<%^V7u_%d?pz4djIi68qc;3%IUNz8vV6el%|GaG zGV>RTmw(n2C4QPj&@jVzA=^U^Re3Xk;Q>sO9Tg-8tL^_laS0hI`)ha8nr+u>tx98Y z85_7~m1E}zkOBo@beP&|u|^U(Cth;~;X0>^lXX2k(A+2P4>GdO049Duy{r0BJl}%V<_@C~n-qKmte#(Y}A1IPh5Zl{1hO{MgdId@Yk5-@oG%0# z{7KkGKC|fFco6&3<>04_>m%A2fDbMe_E;%$b~i_|oZI%g2>S`j+8!`lSasng?Y%nY zZ465q_uI~N<62w%>KNr`wlOJ07NdMj=<1t+$o{0{OOZj1@rOMg-}CwQjLYe@)y!QH z8yDqIWVRX?0@Bvm95qFN!1$5EQ^X;k-nMgDqWTx5z4}T^_aBj( z-{xsxhSr_L8XMqVd4Cj`w4$s$`2eEi_C;kZ$PEg+!Qv-}^SGu=5;RaK*Za{F;}zeM z+pa6qMq}TOklZiSL#Jg4TvzE?Nc{eyQJSHerT=)&N>uG71ca_%_t_opZY z%^*>f+ALGqzsvjLNAySw2(iP3cyys8<1w;*rspo_*`aT0GpW^1YW0exppk)R$Tg{S z7kKrm@JhX9dWWK^&|JOaRSAoCaTgtdSJ^P$Z>hWO>G!3TpBuBB<9C#^LTox9v!5@AwQ=+c^mT3DAR;;Tsm##f|VBdNj)T^oyzT0UjGT8P;#hvj;? z(QbqGk*wh_)c8JJqVE|er>hm=Yp6$KeuKOEv^IOv(6ZxW`#j@=`4SPZ6JU6vT-31LHjVv&_SNo ztMK43#tlOv9Lo0rjOUWpYz+)T>lxJ4>0O(Sg;5sfCgo2E?{yc*Tyb+p)vt>5QSPTC z;#4Eh5#mkS{E>(9J48{xn@}a)jrZI?2?{+*>m~J>Sq0r;nvv6~YF>~fJ@ZX%|1(7_ z3#xRoMrTI4{IzniO?iKeu24BzO`&P}1h=yzPgy`gc~a|u%}CuE@gk&nXfh!p+UsG^ zyZh`>Q_ZMe zzz9p~``7iK_11)mMF8}lZ7NL+m+%t`l(FjV}JI{N_;A87xLB zzcwlHM20M2n-!4dyKKgHH6-7n@ND^e>KdA&tI>K7MWxP^*n6LUwMUq^k-%{tZh28M`sD{?B* z6}|~X_tj%kA4```YJKc^$o$Y5lu2MTs@rSYH^< zi?VlSH5S#h4581-BU4OUbnT7N&_42^8w7hPy1r1(YM|~=1ZAGV(#;Aaj@e?@o{PBj z5}`be`z`fXmDHQnI30*~zEaJzB)Gv?3Dy*q$t7fi7k)?6gd6)+Klr`hY<*9{^@|0L%HmelXsL< zZ^@~2uJJG+Z`>`r0{`W(`5^s(YF0Z}HOscvDTRW-i51AToQt8(@Iu0f({xBizu*n*sp@Q0^(WET?>~)u;G#A^1oKKIm97-E2tgI6=7^~)<|7k?0BP^sen44 z)s1n)YH1vm|AFlCD_QJFYe5gDG|thyF)u}_sH0tVAjY1dqQ1DU-4Qvo9MVz6 zt2HU&S!v9gc&QFuq%Z8`{Yn=1dBm1O=m@zif$ni(iX4E2LIR6vovx|m@)h%Q);}3; z7)hBm7kiR4pkBK|kgXCb-_EqEVWlxY{E4|7C~E;vv%T7U)1&U92LWQLd`-rcV1fM1 zcW_y$-&olL#K-MX9IX$V<9{6mxv*>Y83PpiJf^M84 zsNLEjX6OCL%S+%40$Fl@Zehf+doVV1a)2 ztSfbYKE6mYo|Iqs>Zj@$FLO>X1&^`Pbq0h1tYhzD%Jgi@?>?mlA4;m_Z=^`WO`O zYV8|~U>6+woxrwIc|y^LM&|EM-r03kSb4spfPri#+(3HQM~r~0!RKxu@qcz3{_7zA zxIq?Afva)8WpGu^c&Ix-j~DQdb*DNkME`z8({#y0K9?zJrwS7BP*YJCQJa{MPt++J zgVjNt;apA{PTqKJbHk%LC~?_qzRN(#}&f- zeWSS5&MLj?{CMPCytS^AuLJp|P_m?v`w-)cb*elzImc)2v@qs|61>eaol6oiOobM~ zyi1>w;+|@ot4vgvoOcpI53WYN(aj`>5qq@4$Q6$BhhBnYk^k#g<0*Z(-$;&TT;xzx zXP%Ul2&I>MI`WVaZczX29`fm1zKu&?GSv&%Tw^~;zk~*64$f&9QNJ~;**@NO>34A) z#%{Zu$K)=D;=yJlAML($Q#r!>T-o5sgkO|Sc(ic6YvvD4lM;+cH0*{+^vJEKR?oo} z)PR(%0(DF6wO7(g!Pa*byb$ljK#NY=5IELWc8NePD(ygKNeW2fB57iC6I=S%mb{*F z;m5P?I~&0)G!*2O7##4rdQHSCuN0`#reQWwpawE;MGq=8$O>fA(p_h`NmjY{L9YG( zHcS8)!){LPY9ra!taq;XGkpVU8^)s>zN=fQv!*;N5<`sr7mkw&raB^?6a2_I^Gr-p zw7=P|8j3mh7;QRNs8R!IO-$53z@+MF+Gg#f1J5$dmD0x~PQs(uP*}dI${F1Zhhgqh zTkjoZ{v55Gw{kJcwFHm7x%VKh%GD}-jts=PMHW$|YTvJ^${1&mz0K46wj#RZ*AJ7u zYi1-IwKv{esW(Tt+eoB0p9_oWSI?uB-u7`?N6{Z4V_b_AopW8J@plT;ijv0P7@Y7A zW8^}JyDD2EFaDQD0<1DJ0>+Ng>B(HlVsQgq>W{I0N!v{Ine&K$ot~_ttc`A5$Evu2 zR-Axih|C^m_ym>R-kx5yxHGNN57w5NNG_4b7VBm|VQ|v*TJR7orN_Vps!GJ_FqO-7 zM6j2Kt?yB~Hh!ff5bMKoVJvz?GVk?h-@v=09F+HMh6QrQAlfg^3>Dc6y8Y`Y6K(N2 zF^{30^j)>@jy7nNRJ7*^xc0)QRE;_Zp8{IxiJJLBF10XhK$t7WP&gF*yI@p_0pxaz z>?V&9g*aIy?MJze|2OyI)9JmSKQoJ}7RWzmNcDnI;f$PqumCRWhNCyjr-Z8QN0GwU zk1aOL#XNGhc+kdg>6|Xq6X%ETI>VW$$1lLPM{J#@q5{#+O)=@32ze&4!AyA zxO}5?|jiCFiUxt7YC>ZyXMb*(ey;~vEKd_2xwXhgT9U257r5oO9d7_Ah%?+JL*r^ZLNGGea2&HIe&>svU2;MBj3e% z?zZY8V>$8Km30-;g=xbD9pKF-`y(Ns`DY94EsIp7N7k6kI&}g zTZRuQ->7N$g-R>cs-F&`->ENhi=xk)@OI&+_ ztrH`SW^le>QwXJU!dzW}IGbc)wv5lMy|EPG=hk4o)T(c{$f`abMQ*T|U+I|3RkORb zot7MF`;l5v$%N?AboV2o$|NZ;on7H2RB<$w6Lzitwsv)iN)4Rv$EFrtio<(#VbTb< zwU2$dk0G)=!>QLnQuq1kL-~2DXGD5kh*{+^rrLk8X50~(k?XkUbQEZ+Gb19MAeyxn zeX}54zZQ1W{qA7s4}RV;+Y$`)yXef_M~%M3TJqK2hKcW*VwB;lOfBk1RCcrQMpcmOOz2zy zwT(WdB5u67Yio{=+Po{Vr-OjwW+Br4e!)3qR?OXIp&!Ej+jm7LDK15+?hAz4;JJ0h z`V61|Utv&knr z9rKV7eNgFIm1p)}PW@vOJ)6W6J)BfzBB#Qbxz6}MBV@vbt8bd%?6jv_RW&)`{I-iI% zme>?iQN}`uabf3|?g?RNWQ$N-b9=mEmZrwt<{KCons*i-w@YLEMuZ>@~Q7n zx&uz&=H^bk%xtWjM&IMR#?a%t$rUH|AnSuHAE`ZHD4P3HO^Su{>eD3Unccw;gW{nJ z5MHMP(?G4bj-6)d90<7L{;x9Bffpj+qDCu~8#E5um6#yNq@0*Pl)-DZ(rAf!fIozF z-Q||@_2oF3FSb#@TPr5YdF#|Ru>Z9HQf1<~>ACP7K+yS-{huxVxjJIuBdc)RsO4zqvr5rzb#8r42h@F`9Y##-9u93qDWFzS5CYCp z3kjU%Gb1gQ2-?s^aq_U{*odO&@#eyKNtt@$GNL%Y_J@(O&(1Mn#J1`_b&B!62B;w_ zGJlU!6=W59uo#DoN(O!Z%`l5Ss?;cN8Vk0~jKq;A$1R(}#sh7>4d2N;wd zCFtKhbfHtZ6jry@fNlt!dG0W_`%E0|7A8Wn9)BRS_ibg!;?|)aKEw&e&<+dCiGS;f z!mB$RWGnfUehJHjgwfdshsFo3b~yXeW^nmxxb98ysW^4rbohxSY`{%VtY$*$%{;dE zfy##AI(x!jO5FrV%hp_b?(^SYR>Ky?YZ>b6lK&DJ{;N(_HRjtwIYOnblikEU(Eu&b zgm0yJHZe8u6U;uhy9{M)c`7sryz;-}M{lOlr0e{ty{fIk5}O&5pYqKNwH+9sNP-LX zr8r+#uI;uQd7mZg$*?$}O+vs`#1{lpOw0~qRPKx@XA^dE+C-%D#A`ux&(%wEWAgDC?m6)bXVSeXDqVH?E)) z(tezjecP*-{^R+&sTLj`%#QiVX0iBjTNRcH|KFEWpWlf9q2R`auU!YR&bCLxwgobv zzWB5I6G~?5HJ()&73F82SG$aYSIi&gKb|~_Bl3W3>JGGQ<@;o4<%PewL^sX4e?lnje&f7cGAtPTQlGOQ8#JrMcY^=Ja|${qQ+w(8(@q@)G)}v*>}xEDo@%HTpR- zJ8>A3XkJSROg#OY`kp4XB@9?4Vmc~u_&Z?ruL?IplOjT!J47a)Gg1v5wbR*`nDEHJu{$gKS%0kR?QHB#A8F&d8i4yde&15&xLJplj z(>zupg1Veb%5RP1n8(Ma%VR;`v?^FUmTQg%EpE;w)y~@l^MsrsR1s{6P$9Z3KLaCo z_+kn)q~cq#aMRBVLR!(ubO^&;o2?8~RAzg3OpunZm7C6Ug~81qkfOHhIr9qHo5eutO<)+`U*B|x~5GaiH&D+?Z`b9JUG$H`RYpBSxzI7zBdOeJnZt)!6-=; zc^^*&CoIb1;K8-lN21v7#msTuM6PsJOSg*M*Nr@H-lr!4i(kTGPQ}Gf1ai_It>&kS ze)kRbObs*YeF);21>6%sZ>JrKDtVu5Htr`@gsi*dmwmcK+&QoIBS-a&;_?xUrGIft zeJ^e_Xn$n1c{^ycOhs^GpwPVM+X?X;7_<}~Pui!(t%djr>2aE`GI!C1@cN|^8)JU% zSNtw+`rdeKbJ&@kYGpK&}) z0vN;4D(Pa7m)WjD4yHGPV&jWO=Ds?>?YI4q{!8hl>d3nVtm9-pv5Be>{GX8mCIj@r zE8)v@po`6zkDZ#Am8GehUGYm6wRiqzTY1QUHtEz$lH&#}9+cvi?w^1~GAIO`*6RB9 ztgoQ09P%nQ;6#yDp_bCuQ>xx`%jm4A8CPWa@ixEl1H%K1HaF%eS0D0CoSk_Xw!5oP z)>)7)!#$&(wemr8ZXSm^HMNs9{ey!P4{UPQe;+CD>5A8x1Z4enbB z2y-sd=Bi)|go}9u&@2rLV_?hteiL*-q1+hN*<2Obd)lPI80`UgnU%vrYJ!DBtRd)h zc>j0o#J6-CLJu&pZu8>t(Cw=uWi?}#h{cqLodApfa6W@{m8xm0jT#uJZ-|62@O3u; zl8b78c02p0AGzs43Vs__WyCgvGm0*=AJH`7BsztwV-{uRHT7Z1bV||{yrA-0=N`gN z0$vvsycV@Q|4YgD#_XI#Jy`kp>y=ML{B(WiN|>@aVeigDa{{gGw|MsI)$_O?3iOM7 zw6zyt+y+6dv%KkJ@3c0e#UarmhpnPK5LhJ zb63p}(?!huO~HMIEyCP3q~*{uwGqS-s&QugK7 zUGf&hY9CNo2;J6lh+ezKuz8nUSypd_5|qyqE@B?M&?Zuyv0`KPV}XHUmX_>D#6-w#8hRw`U`u^1_&s z0%BFwwq+*#wy^xm@_P3I7P%3y*$!ML00SFQ`yP=n?1&kG%b2F6?}1@FO&fJ<7jAJU zd9Muc5cfB^8-w<{r27HpJI-1NjQ*htke8C4+e9b;Fw`yFY)zqg92dm)sudLBc2e%WR?yj`? zEpYB@_3O)s&A+(gPZ#v)smHX})*>z;k~W6*#fjsjZyO@&`KZX3cmPTO+c*?n7rnh9A?CLDZunEGW$tBF%2)gnhR zENvUJ^#HNn+Atx5u2f2e#2LzvZS~x&`s;-l7@%y}?iLzs3ONLb)lYAIL;ey_{)DHJ zV&qrefxfeYhN-Lkdj^ZDcQ5y^>h#wdtXgaV-2~;BnT|xe$dkOx%U<4CVgGxmS-sXs zUNc2_9t$r!g~OaSPj?rzC{@-sUji6_>ZBUPf;DZ{lx_Gc};5~h0t$9`QL_lN{6uD?oZ;=wP_%{qmG?8(|sDHV^5<--(#F z>5Drmlj#!a3T>_wNjomhJY4$Sv8ni4sHyQWP+iPKxxsoWViV|;O9yti1A4iY@m8fM zr`}1W@Qx~>};u4dWIdI5_G4-oiJ0EM>iKj0Nr>LG6tYyTPgm&dKD z&bI|D!z%zXdrW^CEF?+QH6nC=aNHpf<;!{ zKUBuBCj<4_9}~G>-nrhygs?=17?}s?h!E_sD2P$WDn?8J0l|DSPRibOV!=C&Pa^00 zcecE=7Sy{8^vUZ3t4gGO()1D7t@;~>%eBZP?NY2xS>sd4FQ>80Ry#;bPSfj=v$Mim zkA@#_`*)C8_w;taWt{J)S(Rz+m^1H2r07$fsyydV@nNN#EN<%~Sp)}15^|q4!*bnrO7ZkAeqKJ!w))k#L%w?5JOPW$GPK)Gdtj5hM4{+L)K#Sv+y zHG>?G^z<1Y6Z_E;O~zn@c(1@-{({i`6os7ruV2M>@`Epvz4=xZw$B*&J$yEWzx%NK1L#Ap{nTI5z@U{miQW)C*O%Za6AptARM;>6$ zJ+KQE2AWoxdgf{gv{z4O-deM6FrKN1;csK)0Pjx15*O3tk=H3Wjg$lRHEJg-(jfV? zFS+Yw%`i|y92O%66cuO$&+fR@XLwWJuI6}oUEM<)Ll41*mI#SBHgtX!-vQP%#q!AH ztz}-Ys7dO_6wxAU^);)scux4L14@cJlyqM(Wzq^LM7H5!x0rJRIWF}Z(8f`8C4M&$ z;c5tl4UuHea$zYwx|8YHfAaa-bak+UqVpPc7Gs6VA@=RBne$Y> zhh-`F*~|vm09*=MKO7da_W%p5Q9{foDu}xGcAxpz<6NWr1-4-)E~CvI@NUo9XX<@6 zmi>gn3TAeOB$e#`=oHOPlC>GJLaqHe&0LHSmf$B;BjFzlqNDrVuLy%H7&0QY zGCg^|yyXkK-y>0nc^A2|jV+F-Ftx-AV?4%$kxTfPPhxa_G1Z_4As?7k6yjw27)Oo5 zl&%taF!19#1w8*qyJ48}sxA#cDPT%~Z?Oe6dHs6+tNNLY`a72!mz9J4PdD(2{5tgl zBZdtWMt@%qzCZw!N*9&+g8{pq*ucYcE?1n5ctF`w?)QG)bqi82Fvv2)mJP9EEk$kc zCH{ogLoL{-xd_&Fl)HvR?*1GYjpm6jS3rJuI@y!+|Ds6z2C#><Sj zk7VZ%g*`GGri>uwq|E?QVHm#W+kWY=r(c5ng39z2h#pK)PV~2P62X192yJ!XSjOpl zi>#9I66~*ZP%j%96DR}Mj(hq~)!kFo)7&h(%+x}WkL$|E>sY?gn-xN|KW2mpf;aiS zT65dLq0C2Me?ug&^`4tsTwdL*wVXfb7PHci4(&|OAJMkS`(V1}z?&6Briz0k%RTKb zn>1~jSJ@b`=1LwhlLy5*X4b$L6=L3-MLM!BbWR!B@>nNU_&}p#KN-AwiVt<`%+vv$2vxg zyZ(u>7-lQ(0t@lneSHUd3=b;CR-o*~YE`|A%py4abj29~*gwq?2UfcbTep64xwDu% zfP^2P2ew0t#jXP?T^z9Jxg_*LKm2nMJ;+e;`7A4X>_mYAS?5xQixTghdhqbf>?ZAm zmLyqDoJzae2D zNZPqSHu)l27G3aLR|a+|bZfF|eqzSj{MWr-zSv6&nE?iah3Srct!|)FD(2sR<#P4o z!l}abCB-8k^rX*?6PCVb^{-?{ra=L=ctxEz%8KsitlUp5;{VACUTO8TAbt_K0h zB(nFG5LI3+96@ebm8s&gmx5d-ppDDy!$7UCsg2HN&P2#(B81Mf$H_yUXckg90m=#v zK;8jtlK&x-zv&LHdA4x0(+~BS@9Y3J$#ZCPcxW`ziM!9X`0r2oIp!uv#~zao$6ZL8 zQ6P(ok5a=9ydYnz7YH_YlQoBKCBLW4Jztig2J=1G2UX}?@m$9t3T}#OFM$ITnXx3@x4AiDkN3XZ?+pz#BFLzZ^F zWq5Sn?*u(SmZPqbp3MSGF4~SFSY-Y=xd^df=sMd z#tcHV%p~S$I-|rVOtp8b=yNAx9~UdMS{Zox7Igbq`AvWLWHss)s$ z{4AEqT5mo%9{lPyBYB_HO(Qc&->g)dril$$P(7FoRrkWjm zhC8qNO`m>?Ue-t$*NS}m&RRp&qaFp!McIlI;^!27?~Q4RQ>$izF>PH^&n7ZK%as@2 z70ONUB+QzJ9mu+Dmwimrsp_Ra3Y9-v=Hxp$87ifB=h z7Oh&S;3{@#^+CV`*SZh8id>xbtPF`tU*}Wx#RC*W@$?^vT9P|Y8MKw({RY16aOdNQ zEu!0)8*k1L>Rf!ns59Q4l4TjdiG@6A?Q-c0G{}%%r-OwQ484-fZa7%V5cl7j&6xxC ze6s_7e1k@ru-OO-^zq>)6oA`Z{h@nRfn{!g9;`vF-QAz%1jn1RMf|y5V3N4&5YE|k z+KMWCUqzmeE9iCeyQS_Y?801!8~5>o=vp(EzsV#6sMAwMLF!@uc*+!KXmmi64sjwm zfW(X*)RiYCC?bAS!y@u$%Gx&Aiy@Bt<@rZv0g-}x*83jOdRN{7L{FjO`nHkK_%MQg z^j;XQ^t+QNo|lc&K9!D(MT)*RT&%x;9tbshyoW~WqLeZP*svyVy3 zK*#eDi)ZhvP*8u=bmdFb1%c|H@NnHrP93@8WfCVp@+kFGKBN~o8=EUu%Hq37X)<~( z^)fuFT!N$t8p-me=o@)dQCed8!xRZ9olBiv4EpY5=Sl=90hM0pFm@tOrYW97?$&vl zD<+c4z-F>sm+^AEGP0^)nZ5ahv>8{IYUQa@UDDN`lMb@jg!Y_siBR?82aTaG&`SMP zk`|$*)k5B)b$)XFuVMXPM?RoO|Mbq8S+j@Fnd3yhpvYE>=Z6@{=r zp!FE}YxmJJfyL`A3X`H8H_Ue&v?Z&yWtZhN?^%aZqUsiIL|-|hYj>+iwBpkuA0YZ8 zi=p9cr2vg+XnzxSvTpcnHVvyoGUX~`IueUS#dp;-mU>)1CFKTZjl$%GvAZTTfPSU~)R@9?sT_vUPGOD&g8*Cc(88#kY#CGV(5T7lr~vXEvtFQGLt&7tS7d zW$zn!G6(Dyvc4=o{;4YpI7l!hO0^fbgR)+o$MalyZ+Rs%i&{c4mFc>Uh$gF}wn?;q z#8tcPXb24heYde#-}WHjS3Ky}b)JZm?Tz5%G1x(Cdz;a@#^%Dv+2uaNRTPx5mc#OoSxJOn)0#+vz%8hkH8pq1tUm zS+t3OCJJ*3fX0L}MW6hA3X;5enxbyDi2jqVG~!9DsyZWRIrt2r#T);12%tXQ-+M-Q z@lPk;@rkvM-Z!bOY!6}-r?vK()%sKwCy_7Pw-EaYcl_*9yvcM7o5oI2DsjHz z=VGZ`vY{I}Y^kl#mcF;_IF|3VB>{)K(Xe4$pjRu`_*w#ZJ;?2NxG;Q;8V zVnRv8(L;K3Yai1sv9II6uoGEeF*c^Ai7Fg_p)l_9Upw%pz>6jxxPmknD|`MCn5FR! zydiIqgMpM~twSDJ4lk*Kpn~8IdzP2l znirQyl|8V1ZFA0b3~Z+cqF%%&YG!{&#kp8)nnh~V5VznG>TRaXO`2h|wIe^=lg!DBFm6 z<>zG_a^^#8IY1QpFD9Gk7#A7<=uEYVDzVn)5gHlev6SWnG~Of}57)m!mG&pAY%s+T zs&KWoe@NF`rm8@YtY|adj{lo9^oMe{D2)6{#3|YMM=^tz_h69KqkMJs?eEG~`#&rn z{^r{Zbg8~Fr}VW26C@LBq_ES{W7amjN# zj!G{$mV(2Xhp=;;$y^c|5OxG{#R@w!K@*GIM&aGy42MPIu+g#h$J!&*Lonx+Y{CFM z23CchVDNpyXC9DwK<>T|w5O-v?+GLUea%}hnhut7RNPkP^+WLdbV|GTCV@r8nzc*@ zvOL7yRb$)yIQjqmd(1}geG;Z@~0Q&bLqan?9s(D{FwE zul({l)P?j&B*3G7xU|eq`X4`e+LIysRU5srFNu@8+56GQiD5glz&zU z?d9dJ%5~KCE-#IO)_oS@uICc1g*Zr3)ZpyFhDuvWaS2f?rB|>>o)t_hJ18ixe{)*V zg~il*_*HDjai#CY%mw!x_o8ser=+@leJz;PnR4RX!vZRJgj{g676!=fA$cpZA>NDclvkijq>JpnJP z7pTF)t)|i>)I`jF1O44CefQ8$nQUlb<&Lg_He32e=jtiXsq(Y*{n{f8s3Dwdz(Ute@EeL>%v{u;s6!;YFIf(OkVs5o4SL-ZxrF<`K zRASe?^1ei~YN$Qh`!afqp(Oau3)B_@@>qLYA~3r!7!A@=Mw`%OD7Wigq~=zVOvSv3 zw$1TUR=|HSZtMtT4{>zEJL%D&oggzOIbl;bsH1VEt-@_YY~LV9UV zxt!ljIK_VoeNQ<~xtwnuEDtpRT{aIW@&E5Oj#{|}vYWjOZp|d$OrW*a`umXOp(_IQ ztT5}3Ow1xe&R}FKEaB7_|In>bDmxGZ=dILD74>MN0&5)ZtvAae5^aDNn=*6w?=f|R zz-=I%2t-Wj{}V7ASfG@=M&@2p_T}Z;Su%HT%m2v^a!=#`qjr!yxC&Y35=3FMLE<$n zXRKwnb4eKsiHMH_-r~mUUfs)bo{uJde?M)FBzb3E%bGN zHuC-xTn|7_>pqBG{XdG#(i#4!`v7flKagV)KTd8lwJ*Oz@d!c1O*g?&54dR*afz(<2pjR`IspPnh&#AYVBe>g$ zLwQ5%`Kzix4}in&Ti`7=^(k&QWG+^BPHVHPeQM{r0^sU%vsR318C*@G`B}9V-K^o; zReVU3Juwci;4`f32vFH^gAVkVch5+BcG+h~P7+F7GZ3sPG8E3?%*v)j5cvgcNfUBC zUD^9!!;mCPq=zVFH~?T8sT_^FnG6*fzD|1Tinjq=BDbzELZe})Phs&6&>%?Em!7!h zpUZu0kR{(y`k>0;h=3FK#iIPTe}LoqDTK(-v%r)brm}}S$@8z1G!sCwe2w-Vh}{zw zTdU@GG||r;&AB}HcR%#PV)cAUz9lOIq9?f@Y&e)+g~d%d6`Bne z)SLu|(6X`r`~6lu%LjzovuCl}{}?I?{)SstmrKv1D_G~6WoIXY^+fjuDD1y%$XsQlQUy`R4gsFNq$)hw_19PqQ?}m zIH65o7T!;sMv-C0Dx>)ZZ zzs8cKxTv1aXG>>ZlLW`=loIDzS1=WU>6#($b1l<#l>j|y^c_yug|)t42p&QV)5N`i z5v_4o%v-&vd*BM5tYh7RQ7-@jg?&)U7}DoE%}Z8Zy;7|g8_G6Ej15I7Lk(3(-jhIU zPTT{H?5F8;if~DsE5OJ+~rB%OaeF^ zw&wZHD^;i~1tZ_4?gLN^5XLLZ75^x=8nrjK-j z9-B{5S^EYSafO%y&Ncwty-9yPQu*t$W!q!Vxu0h&d?S$Ak!6<1BB%Sh0MTX6*|E}u z)aiGL_0i(mVeBfGd!MWP!<4e|8qfrg@TvS!&Z&Z@Cpz{YIvR&L;FxBlfpP-mZ>;~Q zZo$PJ(EI6G0h3bRDyv)3?-|I>y;_;7_nVMu%(_XShJ?xWvXeRW@qA1s^Lqbcs;*=2 zw;MP6i*Gy?m&&|lPyzN}P@h2sQsE%pOZVtTOzL{dGj=B$S>+TxH`k-$ILh$nsW!s? zJKUa22wkmIX6NIOIy@nF9`^NO3>SL{Ut-V-!XLY>J8#H(G5(Z!h-mN9ic2}LHMjNg z<~{FiS^7hLkc z7!s%ze^QCzHV2CA)e1<)zmZ9s_qMyV2P`&V-FUrxn528(-VW(~PB0ii~ATr(%Y z4Y2_#n`ioWsk0eRJU(znWC|!J5e$;W<>LlA9|U|Be?@t@*0vED(-v()qQDf()2mjN zs3@1^rN}qVTF$A14FNb~T@(#N-L3M!?F1X@s~)H!kmR(mQ!9t)^QKzVfTbF#dYi6Kc&*U*^<^}Tm}_oK4UD)b{C z0W$s|Wa6-2lq(%kPfq(Jm$jTkUj? z10QdT+qaP)GeQ75pOw5RfTk53#zVIKV+Obhmtbd>yjprhzFJi~n`)xc&0nZbu%0_J zE9jKP{m>1exQgXeeiDWZHPC-N4#m z6y~3TDK@ypjHu%dScz>n6qZie&11noS}w0+uiwxO!#{~;?@Y99OOvMr$kJ11j7h6} zo|*0siotW5?o1X39Rof*5yk<6SX7a=NQ<%SeQG1x&%r4~fK-@qHw^Ex}QDnw` zX7;qn!aqZ>^cd!IYnCyacr+|q5;V$=+pF7+MeQogkT@<#6zV7JA0Gxbs2nAHNSpSb zu+M*i@C*#HE0I1DFBP4i;b4IE9tit&nFbXS;Np8TV&oyIw)sxozX@KjS<=FkUu-{p zmDo&`d1>XZD~OTLJ!WEx%aU?$-DW};7hkpjzKsXKzBBdRU)T(U3GeXIt+{m%@sRC> zHc9`giqvw)jWF31ngc4EiFuQ8@g2%Q>3 zg`FQWI^6MM#3|o4adAwo6LrW}YS9>}FKLJS54vnhIvtqZ1hU>i`cDowD`y{wRkg*g z29(+GB_>E2CVcE|r&Qj|GvsQP!PcyN9{V*I&|5>z@r|i1#1iOcIewuEmuhp!{demA zsR_9r$kpWA)X#q^)_TuJyuJqN3pfjO6F<)buH)+rVN?$9zUyG=jZkxPi;rXph6|Mg z$+;5JXnqvDRV|t|pThys^P1ZzY|&HTywQoGp|tPPQke`;#X*Q`HmIT)PWHx?TuapZ z_C)JAiMZh2Qnqc+V|HJSpiwxjiqEIhtNJPNd_@C!JKw=sdiuJn%6X=i$<1sdfIWJx z)gwi06E+^Ls7=Fl6;Ea^0k@gvw#L_hjcX_}evdYP28XPa98bm_BjYF`23$%pqrt`f ziJWf}tae|5J}8qZ=83D2U7XnJ7OIE`1RvtYyX(JY_GZFP)J}>?7MCc)cLD|Wm1QNl zg3xY=BTr5=cG%#9Im*0KSq0d*MwD^Hy#KJbS~$AV;S}b@zC4^AggDX@bvu7F@1cF} zRh<;IVa?d z+qb4tp2w-MOzwwVKCV)qXWwjwfNdI<4Wdkb%bZLbA=+1+z-o4fZJ~ck3d}?bwn3{K z(S|3vlHI9k&k&oV(Zx z1}|q#Rp|n6iR?}$VJB+&hT>_t*%&Nv{>!O-G1EzT;*GSdqxMa*SKWA z76k`KeYT&6)H{3ieu;{-<;O624~I#@lsY=0S<&ou>6l-}%iVoIi^lq;@w_cp2G?}+ z?s6>R-GFj+ITpFd6nXG#?Qv`B1X$%?`@4=G*)=BZxUBaGXSK zCeWhTH4pKA6(mmW>+r)=$@yvKKM2n@*+zG1R_M$oAJeq>;2@b$in&&D9#7^vqW-I^heU zujGpbhqyzD#xk3RnGQ*o(@tr56^ei#l8235HxzJgbXE16H43@_-Hy22MEPO@xw|92 zqF*`g7TMOetqp6g7BoR$+ERsf(r=&msz%4TmyYb_$;FLSnuFZb6ZUm^znD40WB$;Z z{qmiQGk_z_p(htAL`o)a8G0)?b2L4OIMj?h>-k%%ew`3?t#RE@LFkLp;_j`WtpaxB zA>ZrN<-3ay!N)g!<=4PbwO`0v>V6teob>eV3_A`SdYyEUhaGe*o_pYK!o=6`4QuQ@VGYg&Np-WS$|0Pvk!SsP*|-w(A+Y#MeIm zj$Q|jPL*T_N=$~2{=V%1D9Kd+VATqP;_sGVj3Z4sMDBP)2=})>&EE8QJ&$~#{LKKZ zD=3zB;l~euBokml^E8!!=MS81EhJ(pj(D$S2GOtit~qj+8-WqC)yD;1$5PhP<2_qn7d1P;3u`AvRiLIKz50pU zfETf=@Hjo$^7#-Zn=<^X`_qd7e>P*qEb-V02?P1nyr-jg&7Z|nVZL_d+ywNR3t$UZFX0h?vu{^CLdjj1`#&vUqB~TX+pko9FiQ`@cWZsqU%@n$*{h(j%Dwl z7j*%yo+ySWw<&8sD2oUywCBs@w`-FkU$<{`uul`Ju@rnW@!*PM&C;r#a@)J0Ny2Qq zL+`p@Y>KYvTgoWIJe6J;vl}S*ps9ZNH;Pt-h?8z@3?uHWG_}6QVcO|BLR8Xqi3)3g zlRG4}TywG}2+PsP_`|hvYCm?->_L7dY56#4z96^h;h3D;fkK_yL5eNZmjnIeDc`7XzqSZW!IlIqRf+z4FF)E)#O)EVo1c(tR@+$=XXU2DrQ{$}TWQzxGV|8h(oGKMQYcuZOx;?*XSh6v77=dG8UH4wE$O<#v3~S zxUF88=m2j`<75w@3>ncqZcqV~&z4wfVduK5QEbA^cgiL50zvd`9RosS?d8##BaEk3 zyE@O9+c(xI*|6QrEm%xN?P6||s)6$aMZL2Tl&z1l79-YJkPUe3pu{Aobp0gp-}kdCof=oc!468Yq;wnkT#Y4%St@ zI_#KHCJmjs<$y9jc+f{j_U5n=z-Vj@6XS6uTp|7HgO2S9=$|jLVkO8G89?FR^7`s1HUJJR)VCIOSf1(!v3&{sL!dlaseJ5}o5lfwR|U!P9gIvzNw^k1E> zzrgK=n1Am3PRQ?gW2;|( zTP<@W7@kZ^&E}y^4&Z1NTW=f1z=@A-U4@(6U&78s#3*7jcl@(1DW?vDycE8`;nnmi&RbZ-d zsxAAx3gKp*&pHQ~)9+EWYud^G!`WMhMYXo=!vi9qG$^2yfPhGgbPNiJN{4g^2q@j1 zf`pXPJt*BEokMqb$I#8t3^06aeD<^VexBcNzu))0e{mecg5#LA?sebSbzW!GcsM{d zu82V{B(u9r)LPp2&_}Ccbwl({XBzl#4mQ17znUF0zgX;Z<)cJv68X&6f#<$l0F$*g z62p7TfOaryk`gXgua-yq43?$kPCxJFp}y(6!gyhSb*bdb*XObA7a4p6VJ9aK*U^<^ zXSww>3aAyiV)m!<5*$3Sy~~rCn3mp|soE^E1qEF1Wi}^xHOCD+IuclM=^A`N);`!o zc7G4=be;phZms6o^P8w$)sCx2^_%;jn`24#nc z-F-y}+84SEfmyh`O`15;EZFC@S+RKcxWhjQ>+nf>-^F(lYB#}ox81SB-B=b6i);R+ zp{(xFt7^bgs@dSb+)Z6ZRkRg(BXdk}WGqb4NtcGjK3NXJfw zjcZR|9{D#WL?iCAQ_DPLo!G`DmM59OYo;=67A8DGOs;A)B5CTzqR7n zKUq?8$j$S3GCG*8NRm?I`F_NkeI9@mOj{R}|6?WDX+EgQ7fZ@@E0wA-e79pXC9W7hM_J30{QLU0$pKalDUIk1wD`STve+>i>pF(ckj$_gWtSE>U+MhZ%q{H^fajmTX;;_1eAMi2Os?TI;F0U0tIo9p z7zk7Xny+NlT`E))_lWH9%_7a&o@(YO@E|835SNsiweGm%CM=@`7iO0HhF9($3%Bk% z&HKvJ9|f(r+<}a)j?}zHlD_Ci)sN1|@kGVtKP&$EZ+^8{n8+t7Rfk`H5?Bphw!a7< zbzLP8)yMUGE#BX<-yiHWr#RKn&JAJkJSviJla=zQJUF_v+bZRVDp@a_VmTg1RYvOn ztI8-;0z{d}{*0OJ{Oz~zlS_hcT5E}Y2=GY+UkaNTOcHHQ2X#5XHhen!HKZLK$Nae^ z<>5J<;+={zd*W&qu&5r^^T)vBbz2^(PhY>{o0=p-yHOFhNC_n)Bm-!WdO@l+5C95d{Q2sSfEc%|h)nCh4k%j>5 zMOJ_;q&zwc=)VjTEh=&<5q&=fe~N)tR=@Gh+Pl>q46~H15KFgy+U)b{VG}yD%kEne z812B-lK>?}i+Wt4YVFIG1#HnD!D8fQ(BZc>JzP?xCfG`Kt5zj#n)g0%hq$N24#3`q zz2+~hp2HVxKYkMli#(eT4XamWvnZzp&AZ#*I4^~11cRGQ$9K$dm|(Fzq5;mJfn>ew%zYZ7n}+RE zI!fX>0&16EkH}cOc7i!1Do=7>w{y&UNZ|?`9yCXLeRgqlOHEm<~9rqOTJBTmm-PTS)uhSQ}pP|56fb# zS5G7^T)gaU3cscT{#w^LJ=zHj155#>215+JlI%Y(H$!ASZ3lA(!Zz5q^fdH5Pt+O^ zW<|NGJ&=oU1gDDmO=?WpYe8bTBHf&P|p4s??k_P4^GXz!-!Ty zIg?_!f+UPNtgg>$wuhsQ!)dCJe?lT*d1QKGr@}DA{nYBIA|aL#K*9|1I_g`*b6yZ! zTA4iDSbpmT2v}OEJ@`>m4Wm8R+Wq@x=CvMW`@=k<;n%fkzEbTRv4m?R=l6-V#0obSnuQy(7Us4eUbCi5|aY|XY ziOID)BF`m-Qq^|;)EU?1W2_Tl_Xl5pxY~}PwHYib)LR7nKn8@{2+PmW^iS#>Tw{-l ze!(+KmXKI&rO+D-l#xe&gp30n%!W35}T|paWa_mMjpW(j3_m;gu&Nc0QUaj55p|R z&pP!}?-FZzGu0i>b)v72v|(NJs;BAWy3Zwcxy}0Db4t8d)Dz!AvnF-^wfW4Y4hAYz z8bDJixTlKFoVc|lE_JARQ8&y(QcE3XZ~R@a{75(9-Purl17PD)o-Hn1f-Q8G7eeo^ zhkJ41Zx#*=UvT52=L6qCB3^&78G8q~Tr9N&%Oejr^+eI?io2TSKv#<`;mdW>xuP1~ zrOSBU(Zi-esy4`}BP6bwk-MG90MHUvUW<6mu(c&3!)h*@P=mE#KJ=G#LT7!IW>-{R z>(Q~xCLVkcz(qx5|EC}ch*@yOZ6SzkzuGS4#3m4^V0`w1iB0K1qPClD@B;=icXo?5 z9>hJr7Xqf-;kKr=>sAl*nbk1F+=V&nGfFZi>p3nZ&22Z9GV%&B8i|7HoOV-cqa17{ zt-4zgI#ygg2tn&kDRui-8}3T+@+@B8<3Q(<81CE%sH~Z-ChS?zaVATP&dWuf5()Ls%YG@BBPGJYD_N8_*-`T5 z{~zU$EBZa#03TFZh}R%6wm)p8R87Mat}JQ#{jgd==d)%_sv};3ozXML^vq!W3HS38 z=?rySJD>&Y%0hOj1a8?V2nz|YQd0`i36(n^ATnO6Sr)R$3vs>nY>(mSdlTYXOyA0^ zCTji-G-FQgq`|y+h$fA`ImRjPrGh?t=xx?*SdIks(}u88)oDM3!Nz-<~us$ znoOsZSEY-xro{6foLpmbD~I%b)hAu!jaHDe{p;p8o-HTv#cGpSD`RECR*CukN;kw~ zHiXG$U(&bAr$O$3%MPKu&Sejb&3+~2aKfwoZeG!kXKkVYGVhF-&Rbq^nkNOEx!#?^ z@R>y5G7q#8UAogXpB_7(A{JW3$*$6q#2I)+>b%6ndRC#~V9jqJFx8Fcr!_W@OKs10 z`QYM$@wT zSxO~2s)={@YCRZc{Nmy$yxjqeUvlNQc-w`yM8HB&$XSYq>(wsbM9fkm6}*0tdujl$ z`bTj*Nd2YZ|ElQ%2mUU{~90ZA!_shGk@i?|6tUQFafVBZURxoX0h&hOxy)dxBbT`%li9LE~5v_g|5 zMfwxIOxB5V9j`7Ox;__Er7>>t zf@uoKu=dW&_BkMiMQ%*89A*0qDqpuP3@0V!1P^MR z57tHzzpc=5VH`4*UWb5u!2NxFfoW@jgX#4TA;e7suh?dam@%L(z`fO}%c zMDJTkT3!ys?zAeAbRF@t6#W8wE8!5mZhb-xUZ?yB<1w^k3gGtK{5k?q(t{Aphfd$%}3J=k^6g3ZKpuqNeN{Jb7 zx7ZufuQ^a^QdDodf0h)#eFXP(`+IuEAMuWh*eX;QPrU(0O8(tq&T}k-PErQ>w&;VT z^A3G@$)X4?A+puxa|tb2l#4&mXfZ8w9MQ36A1a%~ZIBZl8aFEtXOPdYa;!`#Dj_hP zi2ZmPhwGfY^_e}UK{?q~esssfp@h0w!E+-My)7S|nk!9iGS+)q3Pb+cw~Eol9m*A9 z&x?t&Q1Zw3XqYeX|0RFq^pp@l_i^?}U7^h{pZ=cLBl#4&+}h7GZneq}w4h z{z_W-9n$0Dg^mu?P)zP$Ju&|)FW}D*A8U+5sZ?}qZ(%fHI$TST-wXyCfe%R=A&m?r z^OPjUy~^MRMEf|z+t(!j58R!BWW7mlNtA%8tRHIQ%}_A`8<%G=8XkIjKKB9e<~OaUQ7hA36&2E0{*PG z^>#TEPzuH+@Quo+m)hOIK=wpWa8w77^4SP};PVEIe6P$DBYdRgG_{(4s#M3h5BpoN z{l79R-VvcOfmGY%+s;=0kKg?}-9ijb^n?+u81P0^%~NH=_NH%%yXPPHnlAr^v9!a5 zuRuF20PFV68&P9SZKl;{J?x3t_PvM9@}=&hZ%>Ltem>mdNV$KpBVCXEN-A#EH$W0k z!mTlOEermO+f4r78bltH22u7>%A^52?0>PA2^V}`VedOC--P~=XeMx(5Y(7oPe_p6 zjbj=wkSj@L`b@fv=42w}*oP&ofe;iQO|S4SQv38Zn|;A12YPCMI(KmM zAnds$x4`4qt6|E5E;B*E!#kza`1@W22e3qX$+*IuF#c=x{E_tJ(=E|>$2&Tx;mq+L zu0WGYJtRck8js6URX~N;zhrL+U$$xvT4 zg#r&;!zF(tiCm?V08Q(4p=~y8F$N>W*i!kYi_Vq+9WeuOsRJ|+&kzxQk0#bYLG)=B zJG?bJ+?9(yR~omT@cYHE=ElksJ+qT6{98gI?|hxjTbcDl+pyG*BLl=FRA@YMvVA(` zMEv3@KokLhAOwNuEfxXgN8|MB6>cH=Bl_gOe>^2XEg$OB`Kf=pf)comsMl;3#4i}K z(Cl4=(Ityfk@`wE>Rj78ncO+cX(|-D0>;ZPx7b)Yj_;wu=CnWTx?9nV5hyQLOalhq7lA6Bm6kzC^ZKYA;3KM5iy*Tdh=QNz~EOXlR;el%d4iXt| z3YOSGpXD#xvXFulo;%p0TciLf!`kOtC*!bh=?jaPn&bBc6bFM2*nQ{r8EL1jO@r@f z6bQ!*8EJ${dOuk{EUF?TK5N!&d^Vy-!)f;TOs4hGbhv8{7&)swKAm;A8M-*qaIlH< z(<2WG3;aRq>F&_-@j2j&uDkTGKec8BwH+Nv_AdV)*)D%fXx03_DBMqghh(c`VN3^Ox+X_f3j@&Q-YElUzUw6C4%Rqwy@+AfOdOR3Z6 zcYUX!n0Ao^+L|;7)J9wE0QA*Z6;}~ z2TZRYb?YU8;=sl!OaHX*Mh5^lkcGf)f9IdB2op1+Q$WKIvjkC+w6}7$I>0)u;|R|c z=_>VoTONmz)G@*fSLmrxF-_+V|JLk{|DoACCFlu3Y4$?p|EAe%(nM+YE(cv&i3|(e z+c1YVcu@hT336&u zpnf8Kxh(a;&{!eS*K+ROkyjzAZ7fm$=sL&0KZqbX;ar0y<$=Dj)ymUw z9(fR7f}n%x0B7wzZ{UmLfcljG@B1>a>kbnFD<|W{e(3+Oa#T>&&m;q-^#^ij09yDR zBA?I)`lKAe<@wX(8y%OxXD=B&!7DhEBSV=0n)m`YmgRt(ByqD&oKtbbp zIC=|QJxLxop4%it`MHpK7BuM$pyBn#{VN;n7j(c*;!bqr{7=P9whRzSr5?ZGX7x{3 zSYtdT@VN^(jNxZpvZFTQtjEuY-5G6iB~Dv7&>`kc_p0UdyJ%mz^lApv+?N@GwEro! z>&5-M)Q zr0^OPa)0Oo5_xB1)9w5heXdW{OpHSnf=fP-3!}}BKtTAf?>&+Ov4Wn<+x){J?ekU~ zb&O-y^ZgIUxDrt|2>p>fC>-C=mYnXSNdq>eV-u}TpQ9uEL}Z^O>kpoR0<9zuEYq zZSS5Re?PVszwk;ju?Jjg?=MQ3KPp4;jXI8>%Aeo8^(jpRz?Q-_i2rUMnzF_W;rIR? z&Og?YY2qBDznB(qnjyHd6#FrGFWGfRt-eg{@Sc>&Ne2*HQ;RSw5Ge2so!=@VA1`nD zh^lS^fCL1b|5`G+Sm=PGSs5C^92r6F$6djSwxydKYOFKm-_de^o?0p{sAaSYrdvq; zcW~UFzx(r;lYEgHhtXJJF{4?a37A@j-SGwNtJt|(UGADbZtG(7jOABq4SF6BmRv5; z%4p0lubD?J{1n#J5BqtGnwAQftp8(X`dt3ze~tsQrsK#+X8I_UZIEcaII`CdeaV5@=^(A zXEYLW_Kqrh+50&Z5=wJ;FsswAWK&-su;^{S|H>r@G1X_HajS7Ud?#LG%TMFLuo;UX z`y}qSU_-&m8LFj-b0Icj46XU80(XGm_&i)3q&3@7Ax-uq9!OZ~*$uCMub+lW zSZe2gZf2oPgKM_)P?MX4KJ@@6F4g#DlEL8ZyKv$YGBNZR@{^XVa+r#ig9?Pd4MxI6 zkgP4iU4!V#)ZkG!BMg`0@Y9Ap1{~#i5%iPrBaT5rklQ)X#s#6L3j&fMkF+8WUhCpe zDsYp%@(L`N&6uK0cgAtIIGIgjA_#Z&Vhh)E)#x&{;}$Q>_iXo!hOspYuq!f{NwKdf zpDq!1d8=aDdw_OrG2R<-6KeKrb4}Hb=vp9W)S_(-9RBc=nt7GuC>iNc?xFm;@NKqpO$ z;JrMf9p9`;><%_m#(LW?nGKN&o6PCoJwf{;#7d)fQFwtitx^{`%~1ZRzh*FPjxr_?S-=CXeN7 z9C=$;eAk!3yVXpY#0YPY$Q@y2zsL1(B~a)K+v+!F%tV9i(8V-rGkbo;(U&XA1!d5y zgpujVGN+4jtgW=He}zfC8lTRyJz$oyIp?P+CmP>s({!9tj||RM?aK8A!lcAZW18EQ zhWtx@m@W6>g4VxrDjY9uD^AcpCe~%_4`mW|*u?h;RnC24r22$x6Zn(ZL0Y zd*YXhUdhbq?TA*ogrUtK!aNSHi>-lPP0_V7u*(+3D0zne<7onqT*U2IPwAV7!2DI+!eljG|Hm_HotZwBP?^J$N zAK8(V_kNR(n^QQOFd1{(niG}=)`w(-^+(UOgwWJS^&*=v z+%W2^aeYCU;~VOptN}DxU>iD$r{U8Z(}}Ja%J;U?dD2I`-~i$Pq~__*?T~U`NmUbN z<6|`P&AU#hYJ8G3o2vWdTvVUghwWFv0Y$X$xf~1yDqphkmDdZZUQ_IJU;kiVX_QZK z9(ARfD_0qd)+{gthf-S3BHHZAfiwKJ{5%fOQQ=LYGpX=2>%5yG0NIu9jp})Ys!wEV zjFy zBi)9U_3nvEWIZaSi!-YRfn_Jm!R@*GJEg1lHqLD_|ETge7OLEdG3i)snYYkcYs3uX znpD{gM!B=&Q>Nj0VFvcPu=Fe*AhWK+GstjU6p;Nj-T$IXy!mx3L2&ZJL;379#7RFZ zXb`{H)i&asyJGZ^WfD?qJS7!=^6NW|$9p#&k#)z$2g+HK9BEP==aSo_C5XIy(?~C* zfH0MCW2W5In5w25m6lCG#JZ)jHB%Uc*)kL{9On||a1moRNsRX}oi<+dA`7xp`{LHJ zaw~VHOo`yhmR2dR)-*95g)!F?;k;ZXu_8jzr;p*$AVq-?9~JS4Y}k;MTZc;(Japk&#rc_AJfp0#@~9U%!s1G+G1N`u#_nSoTzJPT#a%Rb z^-LXVRSmELA0QnM>^Ub7ueFWpPfF`VyT5~aY?NHskz~Q;hbbX%221Puq zcu8Ij4d*uL?d)_8W^JhA`8djdN&#QGguBf?o^@7dnRVC7K5#l1c37X?bLtci*UU?H zte~|z39CfU-P54KXFb9_y!?C5+SvRGsK9Y36pPmXv6F3FxP^M-Ocp@cXoSrz>70wq zO|k~B9%Tg$w1%v-f0WIyQtgh!`<06P5$}947Cb%dn*h%V^yQWeLy%+it98&-UXAx) z6Mu*|fhmR<&uzb*+^!$*lut$><@Se!=B-(dt_l#%V<`+qQCPXEp7B(Ckg}KQrvi_j zj^0$LDK|;LAh^=92C&Qs@EF5O>xyDlb{);8<)dX^l}rVO?)!B`S$Ig>z=CR5JE5(E zTRk`$ zD8IkveCg?i{9KA>pisDDyOc4$*J+4%`2F!2@6)OH$_>}_UFY!&A3}AG1giy$4l&H_ zSpVJ(aY4b8WP)dI4VPWSJvq3@eQC!V=o!oX`t^4cQzIrR#1_FE)#*CV%+1%Z7LaH2 zMgvI>rpA%Kw%cN*+^dq=?pqqWZ^DiWZakc_*0R?lQXf@_c*06fyCTE;?guYb#V(Wq zrI=D?QC++HDPXrso9uzG@7gs4YO{oTmlmFk3Wr4zf@xQ(vycj_g-x@$v)PO&XntE0 z!SSzhr+FSbkE2tq@3V|QlPE)ZCp%ATGu$4Vbg2?uDi%Q#Ol0EC*Lihm{jbJIIym$Y zUgMYT+Xl0e;;%H45hrXO>{=qW(AdeFIMKd-jSRonc~!sG9HppCYISTS?K3dM0%MmO z$juG0ZaAc+4Y>_d-nu$A)CRNb&NO(O?W(W-w0dRYMU#mM+qm7Q8g_cDDkQ4bX^)se z`vH%toDZHPOd427wdW{Nd;qpB`BHXubz#zX!uNgMvD(7n!~z-p&Zi9L4TV0Wz;Q=m z>nvsAtS}sGR_!;Q-{>Ai;3i@oo@{L&f=(ak8L?ey8tLKartMN-VRP=aa`<P?q4B&eJ`Y*{|@PUGw_PQ|Id)V>Yq77 zfFYP`UsBh&_95_&5QCWH<4t{=`@BS`-58r429e3;EhiIQWHoQY*V_vM@I{KXFDGwK zYc0yHNmLpR;mhHZ^c|E$Bep@dN4e2}dD{J>{Y&Z!2d6oa2(0~$D&<#Y%q*S(+yiV5 zLNjBDR^R4ctE*n|G9{Z*_1AOO95R4jiuO2xjdt~QD~@v(T-sJ5d=Rtl;*XE|SUfLB z1}b(3;*Lf?x%3ZOpx+cI(GlL>`^OQV#R) zZKRbivAw_D?9H0tKj5syf=o=&;B{M0vYdL_UfzspLRr`<=f}ga9~b{x@$nU$NsZMD zSt+ptUq16!xrbJqfBjzQq5#=$k@lsV&*O43IoUCIQ;Wtc!p3mfOf8m>kig}<r|y zDMvW6-C=GgnuR^+2Zhs~!R5TWRLp7bRF(#`wzk8;b&a+0{@<(DuYo`#8jM{S`}ack zKiiYkyYvb&=!-iPAfbTe@H>Y6;M`ckiN&WcWQYZV9_$fw3ui^)Vx8UTC%L5~plL|2 z`#Jd`uKmef)AqCoJn&Csw~;LFPvod_ih1u&q89cL5sdI;qPqBd_@6S?5FKA0U-w-N zt`!^Pb6!?MVY{Z6OVI9HIXVaSo7ZA9FJ#_aT z#nRq=b25zF$So3xd+Sl0qjPQduOPze4ZtoMBU#v$IPV&mBsfa&+78j9aROLU3j~Cj za+M)S1lq@wC&Q-_?e@G$PSlkCFcPY%wO%jO42#*c;yy~>D-g0$E4(Is3xn~N-{?9j z?vwzA@>4I)&XTO4zp%Z9k{nWa@CQn4Yv()Ug$*e7=BCD{%G2=Nkq_K9ioH4#2y+B= z+#+o*#~0P~D%J-Qj~;JVL%fWHhl1=E4A;-iEw|^+e)-ELNX*>mI`_L$yQq&Uqt8`w zU`j?1gv~fki6Sm+4t&G?m_%ZO%u<+jjpoJ`IX-~7N|M0CGvlu}Z6~hVNmA%E45ZI~ zx1|x~TJOVvd$DYBU4L5P!y#%?Z&jsgEVLfkG{xOM>yLFu_GglYS8o}u)me!spN`s= ze^XR12A5rOvQzLtbl43-+U=}=#v+m(>%Ii_yBqgYBNQa^o0q!o zj;>p+LGU;4PBE)b>M!?$W>#wFkZ~kst2-B;Qkv>Lw|U`HdPx*}wNML(UO4=X*=xm? z1uu@Z^vd!3cHk+@o}7bvSkkvg9OnkvaP!@b0nwl-mVou-61{484gAhjxzG-=7l(D& z)xoVq9<$8rXU6uYI&Yz|rUcb?ADm5NTxJ(voQ`fXNs>7bxW4aSxSL`;uH3tc=Z#_4 zvTmAaNox5+xV?&*c&c>fWPEL~P?2M$qbF7;?%MN!&umDrd^hF#^lQfO452dmBfj-= z9H`!v$BQa~Z&0aO+kkY56?Y`2Pv7}L2uJBkC46~z&qKP?Z*mw~pw|G;otvqSd}#rp zu)>kQDg0!m?G)_+pJo}te{i`XdcEA2U5(K=Ryox_P3=-v?=m+wbrwm%S$(IJaLHK7 z@{weP;GV?H>J58ecis5zVTgLQ;v=lR*l)K=AF2KQTzEnZbSCB6T&O6>Kh zF_1&~s)l*oT$={N)s^2TLol}qms60_<>8CaM=Yw>>Lf+Nuwq)oqfrRI1kGK~)ts=? z9CcfURx_(lloj>`$m8z{Qaq9fz*>GQ^Eyb`T%q)c_5Se~z!IOn^&2=~LSG!?o7FdL z4;v8EbT4V!2^1$NChb%0G52Cx?a&v$#hk8HT~Rky!Zdx?tngjoOP@-8@k9OM zM)hJ+q(M6mEj48z`H!(atM+M@?<}?0UjZS<*~Y&J^Wdf2|AqTT3WW%tI`)5_i7;3cl%mEcNEi0 zcIAXvBEDjKAg@YycZDp2G?<5;*83Rk1!~?26*p)ENf@e3MpI+=_eLKqZtHnFpq=dXS z8Xzkg>plKprGYV7X<0v{TX#_BTo-jOCWQ=r(_xoyKxXr(MDNU#p5EqPfQRm#lES#l zE?yN2PR->-#!M^Og_n7yLW#1tC@M^ErMTm6wz1I=@@*`H#X;-wWg6LuxHo0 z-H?8IFk;Yh>Qmy!xA517gUaad5y_q_lQ)wc;U{00Huqmydb*5nj+CwAT?q=WYt680 z*W1X*LP})scqh?(PCW4T#wLPaWwJ;b&`D^f%*Nb19SQhCj9$3Mv4!-Fxve5uK#hm{r#1)#z0zPtAGGtrtyO_d8CQq zt;##ZRCEpZ+@J8vd_1Rx`oQ zmOM2ayA+sToHnxlE3h*Y71$a79RUP(p3>Hyek+WoX#Po<=F!Ky3eHhP#@jvn9oX6T z!;YUf+*%#~_7on4s06(C{JxZ|d25hZmL@tzEvPk9bA@ipCtUp`wkY4(<4G?{C$02{ zPTGSz&+B2H<}{x`cb4Te4FurLkLHrRN)rRQ`+Y${Y)t5n9+$*(n@kPr)9<9oV@-P# zfJ41^sXECmX3QhN&SQ^!O}ML9?<}>~vpaz~7nHLw8lx7KRbk~8d|j4mE%J2|D{SLb z{k5GHfN*pJ_Uff2;}wg*(e;2ifSkVl5)}Ya@AQ1j6F)%5kU=%QY@=lskZjOyG9dg( zB#i&@7HZM!oB7IJP9vRWBORO%M@i`7@7}7M*mWH;8j79YsJy(dHWQ;0-fi2hgqX84 z$(cC}^m$y~&rW4g>P17`C1JE0JrOhDc~`*dZIv`cu-*(ZXYm@sx6Dhhd*N3A06Q5K z+SKTasj<4nSomuoQ39{ z`4@j&8j61CDhLM)5K>B~V1hRqsNt&pWzHpcyf^#oXFqoJd0-Em?zuNHC=Q%;?2|N9 z25a#Q49fwX+E(Rmjrgfc@-_UC*{_=e*0NWqNV{*LCLOrTQXh8?VU0Vy~0NHqY+FetT)f=6vSPc8at?u`{!FS_>M2VSXx zC?GO$(e=~cUxEKz?75u3fk;nub=1VzZ=m&Cqt<6D1|X|+&M$U)iHG(N9kq@^8vejt zs3}(|V~l3+uZ)vnXN0m^QUM@)?>1Fbb_k>=Q^cm)+cJ^abtRyzXMCN zHU1u08at*eYW!DVsgI7G0{yFe7xXGPs>41Ym}kGBS4hV8uHL8{xw+*=H(OT*yW2CR zkwqD~U3h2~$W9m0YXxxpD}CX(CJl!#1_EFsNh|QjYc?EEfdyh_v~O8Y^1cMkR0 zeDVYqGog%-j+34F)cP95PDb!RIN~!QNcowCYmCam*_x2~vh|D+V0L|l?VaeKReaX4 zq^k7|`eM_r<|+kppt(?uU9s7hA|-P9i)ZGiMa9V_{-lr_rus@_6sXh0b;(!)!Jf9WNeiI1!osMcz%xYpgAx&_SV8{UVOY zV9S5#BQUKOG4W@T)B$*f0QBQ^;qX((`Qn7AtcRU{ZfpFDJmTy-5e;s!meYKpHU<0k zozcU`_%3;sbLCDQtj9_6m|EBGD2%p$MMZ)5!LT<7m30&bB+F~2tolaFCD|d3BXm7p zvGbEdtOl>>ohvUk)jnGs22kcnPbnl{Um*Gzv*@_J{CIN)ct#`xMcOuR@>ASeR1qJZ z^2NS*|8kgn$A0f-s)8w*bob~IZOUv=dSHgnW8oLaf-?_Jz?0khxe8q-;4ev)aelSh zzb2^FbcN)}d9Tl!Dmo28D+L5*O_9hB5;ah0{j$rV)q;mmJ6z_7 zR42UGc9=qf!0VV<%W!6Q883HM`|CYl(E0rJ*`#t7dEc1=Y1N{-?P)_8uhG9qh z>j}C$n093>u@0KS{H`CN!C3WEWuHb|#q6!SXneM0K$N@&QFG2S^+aXC{Q_-UV_HwW zKrCEoblBb_O!5`d-nJkq<72wKc z$fcH^ls{FRPv~-4c0}}sgPdWB`;$+%D^#6%*J~lH zB}s4J#-VZdd#Cd)0La5JFZT`^-h=y)_~iT81F?l8!^bj*4SaK!6#HK9^P`CeAMGR^ zxGtPO{%G${Gs|0Lx{X&>2F{c%mn1DpE>LW^L9o;s_k^agon9N4jpesNU{?%~Yt{{y zqiQrx4+MX#c8+o;|9hc=1u1y#6EHWF9*j?uFt-+$;-tUNw5z3i-CyrmZZ+@8g0oJ_ z=NUWSupHAn{?Rvd=UnabgBdgMZ9DKEew?tXmz0r(=H+I%H2R)B7*M0fxx^Gh3N1z) zTork82! zR-ZH?kZiA^v0&Wm@fwQ?&luZwZ+VL;b@LlohA%K>n}cg9GjTqUN5nzs^@KtL&?9a^6Hf6s^XdRvCaFRbQV)9RgFKgUw$EZBE(8OVDq7nr_P9M$5%XBYG?XkTl3^cxmOSykm zGkU~?LfN%##WgBrwM_gnQBVe?>iTLbYxih9C5)>Tat&V;1L&_43&*>LPL9*EtLA-P zyYIK1rkPHcUP)oc&N230Slv(QE+{=7t{6hp7&1J1Q-RCV1_=Nfh>8cS=EepK!+xOfS5o}AG z$wcyUMKHSv#+wA3JU8V!Q~ot_<#{Ocd_YqATt^3>z_@J;-ZJ`i{Ar@d4XQ6p6(U0k z?$@n99A*tOF<}6PV^8Qs43@2iB+YoEg^+UP*j`MJaEhvo^UnSF`+>oZaDX?>oN&7ped; zus&t~AI=6IjHiL1PH>#u-CGUBA08W5$q~Z~B^G^K{K5za63C4uYK#q(lKJ6TA502} zM)RSjE%86I&Q(@uSDrAQ{K(_A={Dj3l=Q`NfResCorCzEX)yr?^moQ?a*(nJBK>+q zuyvK;xrTy1_q2A+r$6QN%3v<$*XJc@&p@`$t7-Jr*FhQoO4$V)t>%exbxTb=3hts+by&n zk>1@ceaHKJWZkFd>%RS5ADpp#GK_*&9PTEPg6O}YM;8} zUhFU}9Fe}QO1v78cWirQW>Tq@xh`<-qg!#>U;B!LPhq~wVrEn%HidZOYdxeoVW8t+ zC{1K{Xn9ST-fis?GDTNzHe)j%QdAOgRt*N@oN4Yv-$0!yVrgg0@w5GF{U|Dtq;LfM|Jx>2WEi zx81PLKK(M@Zg2nUDuqkVin9P4eGyC422wjXn5X*2a6BobE1!<@M2Cl6Rm+RdqiZc*Rkv$3eT2a!6ry#fr5lRb+B zq#Hb&kh?C}4nq$R2RT0oo@Gywp(i_^q-G+vDbELq^nY;ck2H+ZPzaW6#h)_i0tOGr zww8}D46(&0GQiRkvqZS1u9LLOdRHq!=Z7og9~tM@k8f48>#aX(WOK06o?x4Q%)5KG zAnoE*d;HeS=|h)=4ZnZ=1jju27tx|DN%$M*ep01DX)*|y>;aAeZspOgXB!WkQPA>( zAx*VJgAPYc@BE%;;x%F}PW`mZ30$_S1`)Sz<~Q8B=azN3d%CF{J|j;bU{bGYS{??^ z&v*>Ee!>I+(u8Pc0B|~aE~PD0(`~^zZ_aD6p+tuL0XBW*FA>{bA`L)*w7JGiQeU#O3fJb9cIfvq7t-5B_W1%-BQ@V&!r0?bePLhbS2Ot9@Vl((rA{;k$z(Lue_V zRTZN!&io9c`(#`Fv(`_NFI=YQnDV0;q9# zXWvhIghLrS;I-~eWa6du!vOMK`LL2Nvw30U+HzBO%Sy|2o0bore6rLS*IW=?X+O!k zH7nQ|8h}HWCVJ6HEl^{YGZ5{Hnts)Yp2{@w`LTDV2v7V4VdwIp$T;&5C}jSx5C03d z;6T3**qq!a94~dXj#}gjDq^6*C*ie8Qv!=(^pl~J-KG0+F4t-rcqXX>XgLm>;!23p z5W{17js`?y;#rI$n*+L|5RFSlYOjO<2oD{Npra|>9DQ?b-|`Ib%a*1U@J*5r(MG=zrnddryk$`L)&|X!@0I?!=of5IuW9c z60AfJ5xtiv5d_gYLG<2-Aw-F25xqr3@4fflMH$`bz1P7E?`5s~UTfX=^R8$6zHR%y zAAZc>$6RwB=W(3-xtEPlz*6g%u_7x=`3mbsp8<^IPiO7OamC+IvZ1I(f4z@xjZT(?jV}TEG#r z!|dz&#O~06;ESI!DNedSy!{UHt<&AT^~Tl$#8Vb^e~3xsHTC93I`K8pTp*682%L|F zY=u3aJU$CIS6M!HJQ@;t^(98j@Kv5lkse)!;JR&?=qn`NN8YRBZlcBWBWdlzSA7T_ zcat{m%`C9>?Zu3n8-3CZwP@vz$2aHtdhMErlNDtgP z8q~S$=9>;AT;2H~70AJdYacJ^L1JMSOXwz#OBA!fo0fH5+z+F_cp^>pbd^N=p%UAv zrDD4>77&L^#d6w}jQD8p{Qq0geFA|8N9&{xQxSJq{38`A=nlFmrLxia{R)JAPmI zLpL4#Ado0XR#NQU?@&pvs6i`_#7^e!OjqJN?edwY^9eN?y3FITXwiv(707p)+wn%G z*+cVx!B=?ENku_B#I)o@cNIZxRUbzmD<=fmm13!{MTKe#GTYZ@w}`%6mI%CR&llXB zETQWqN|kF+26Iqs6``K$A0p^3=}yFgS_*GpuNL-1W;dE{5f)vyFRHL25rkIQ-aGu9 zmG!SWjuhSyXQPS9gK78^M>~~|C`z7uXn#UxM9FuA#igB|$Ho_gKa@{_c!=j0FD3+= z#wjuPGTP`1tkWR($rs)s72)*bh22ICdx@S%jH#fUUAE)^JN0Y9Kcj}yRt+Al|wD6XP|o0D?OTvl%Wn9%MxQ?YEPS#rH!2HCEG<~ zfMy|X3#k1hYCfxgFC=6hB+I#sM>c(r$797+qUH`Pj=>|G%=agU^i$op`^lol(Guc-zQ`SJp^fSDbygR9-VD9e{EU~EZ1)*Hwo_IV}r0G zJs02@H#G0Uo1)ft2BD4rIZxZ)F1V%QGllIBF%a3_N4e6uhO(f7XY zXmPe#e}qU=)n|SKk;lY0_&ad~=5-|8%E3Q#Rg_D0#hfWl{H_N#*L5goUvqlvr(=4z z2Af~J@a%iS3d80bJmln06*&&E0fgR0Dd#qF66c|H=>j^P5+#tAE8OlBg&rh~{>9CR zd}A{rS;K^$hE+1s!@YdB?I@GP->IS=@AwVW@uXQn?y*=Q+&?L6Wn_-L2xz zLg7jBF|l%WCy!z^s8h!w=79x}dbRgxei1)ct`Yd$&-L4LrI9GFo4Al!*YRV{oz)@J zY5Z+iX(|)S9E_h#YV08EL$h9epuKea1QF-oFOkVRj(WRWhazF#um391>=(CBu@~~7 zk?5~C|A)Bp!L4A2h8+LpGu#wVK+sDeT+9@bdd9;N4Tj&<+wjLC!Z7R-T>G5zOq#ES zx9PReEn@~ISNu%!+w|H8x9PQKOb*d!Kv4AE65M28jomvUma8RFhR4=7aVHtQ00ns|Wtg9oupT z`(iS9sKPRJGDmT!oPcWt^~ogPPrjx-3P>ST17DWLuustFOwEs6uRKv(Z)=hyzs9r! zrM4y86XEw_BmNF7L8K|-ytxVMS}5Ba z%6v0*ledxO_@}zZH#Yz%-@Iw&rK`WgCjZ4yF(UkzpakZ^}v&xst7Yvi*fjUR!il%^-?6|%#Y})m0S>u?* z2tOdkp5=m_m<_9Vbu$uB3hx}$ja(lA9FmV-zLGxAWQfLP#AFBU@Tp;+ zLP0q`VB6l(70oH1C7*b9kP6LxdCMjQ7?i88ay>edVUGAUw#XuAXX1_IH3@OeW6^LH zu}=HLeH=LE?@Nx~o8a~J{Y%BaFRahux1^r%64(D;V}I);Pk(Q(GnLi_Y6V(^An5>( zC%8nBzbDOZ9bq|s=^!Aue;ozs$E{ZAH38Cth&JL@RZ>hZvZJ>QAHCul(-&kp0u~g} zm$2u3SOg&yL1#Yf1ByV>EG$LxEIr^-PMylqNs=o&@hp500{w}1JRra9{K0DTZcggQ zJHzyqL|t?sA5G8Oq*=1D7k?zp#(WUjDiYenP^a>u1HE98{+`QJvlFScp*55*?{kxH>_SO5)pL|+T6HWj=CuBB2KgXzl+acJE#ucZ~+Tv0*%0DczA5 z6$i)w{p&CZK0k^a#5H?O^#r-38{FKU)JcSa^_mY+(vmYG578p&dMm$!U9yqeM?n`x zSNM?o=&($2)sR67a0$^uau%$r<5`SGr3pQeE}2|(d7@S`%?_*xHJa_0%y&tTB$^+7 z&7-owe&*XF3aP^Tf`FVlJ6VK zAM*3{PH3TW+L{#<$7yLO?R#St4_io4D|CcJpOI^IvuN;&)*k4=4i^X=uSP$qB(4DPX8zq6ai>Q4ZAWua)-X) zwWL~h1vPBw~L6k5gKIY^QGBB4%Qt+dg<^yWzzSIv^z z9j;CzKlY64cDgO?7(mShxZ4Q>nvnj<3h=J3r-8g+Y*U8&Ce1fW@gEDoXUb_B{3HDJ zPRM;y9oomG!6yq=Zxb`vgfzB+@KHyAc zQU-|t+>-eQ&zU$57_E^Yv{5Ht`OgI`_K0*GP4e+Q;&j~6)(14 z?ViYqra;VvP8q<4tOmi-<%&iJhRk7HoIkENPF_0}M@m0)IaL?7w0SJ~K&ABQg)G&& z3DZMBM0HO;`8mZWW*<-0c9Lcwp0Aun$V21i8U+X-l(Q75w`Xh0tZO$j9WQcoTkiR& zo<<#d{ar)&cde$V=IsJ}_HK6VZ@b!m4!O-D;M)Pi0b?QVIa2^#AxU$qq4R2xR%d2*~m)1z7$^lssv8;_=-`4 zQ+L<$R+PFcu}&oYrQ(Q`hFYV%qPCuSx zQSdVhJ6SB56}XxD$2Uag3Bmvd=Z9PTvrWgzeW#>rX#n~%SGTURprn&Rt;yT#YOikp zi#A$h0+;2qEOYXER_)3!+qu_mz(Yil9HIX4A$|thrpim5f3gSxr0AElfC9gn4Q(LO z5J_`akVz7g+tgpP{+ZFjOR+d((*d6u{||WZd(=u)9WcEO*h6Len`S&8wchMpTepObYP3NN&$+A+lNOj!L%M7|E2r zoQYXOCVNx}kSj*Uv|4$0Iqk7)J?tl%qh6p;t$`met6%w=oB}}fHT{L6 zP!nParw+*IV~rqM=4@8iv48a#qgP+m43OQ8D|Vi*{?qa@xpluNeQTfi&nl}M$RFo~ z?+9J;rcY>!vhN=w-YmTf-U-yl6rTDBOo$p$5?_wuDjteFjr$=I>Py0S9p^BnFBJc1 zDfkHuWyy*3f<{h&=}wM9{h6OGl5^Zh>Op$Sq^dM0Dv06kFA8c;Eu3Uu-3mXg>TI_~ z($_DhUbdzwQv+xDIG@;X=hs1P3e;Bo`7nN7mvI~mn4cDe9Gjm5cgb1pR2^>|pH8XR zI32%cgwuD0gZ&g~4~=`CyP;Q`m861TyU-B! z#%f)=mOHRw!?xkt@_N+S46Mwo$HYG?*(HI?cD~+8lvIZgt@yt8Z=}^3aPO;uySU_p zJ^7Tj_4Z2q;gmdV^AQ()>`m>LfW-Pz8)<|61=vg}F_!`NK$o-#4=g;2_ZV3C?=E<4 zfoNmcPuVEt%FkN$H`iC(-bgpg(accRx}DNv>qJ{51V_!!N0alWSj23wR4as44NpP4 zB8=C1sfhb%w^1!i3`5&Fq!P!(QD5lz=Rgui8*J9nHcwOTMzi$oYtP90q6^_qRIDQT zkvHMhe~m}Y@JE30%XPAd5WMc6zu!*`x9$`vAR6k)nE2XCv6#ya@My$ zKlmkarA&QvAXlz%t{`-lr#JogVA={;66}v)+U;q>m&rgdZCjaX$)}|rlUQBTbm{Q0 zq3fe|Tg?~lNACqr$5hfS&*xmLl3k{A@{6CE2a8zr}g%H!!e}e?J7vJ?|cL+ z(if>)44}*xd^`+UX4#@rEg0%IAKh6Nu&w$9h>S|WQ1U8uvv`yIRe*8l#}HOp+gJ2< zyi#z&yAygDJdh+jr#5THkXO?UkJ>mx-3V7P^E;Q5!r;yPLYF5xW^eFB2vD$0PcmCr19#5ZCpJ07hgSIu;F4-Osw^dx{v1H(JQ6*&eO`sXR?8SgE7 zs1+|;HSZy2Gl$^;=JQ#`0A5A0(4V|h?fb;ipLrwKhD*v~f+pK>*JUlo{iI(Bx&ut- z&(c|iOC1yRG%a0(igKKdFa=OiQ$3eVXv>tqs(3(-9uV)b6&_YRNNTj1 z!G6cmpK3fE?7a#YVQ@&TtFZ2@7%QGDG+M~0N|3}9QZ>Y{f2vOWnIYA^2(8ZF)}S5?#OP}4HcxX-6Qz4BF# ztwdeVy(6w_$~1B8G}gl%IAj(8QD{vw?ZG6*Lo>EbbJd2!_k5riM9AHws7A0YJNOuU z<-K5LzaJ55!B+d>F^%Dd-F7m}sjim}vWBtdrET?I#T)qx-+kRn+o)#sShnCr2|&7l z^DaNQ+M3F;>PoaJTNBt59O49&FLrN>XwG1t)=jT?9Tq0ML*55ST|_?toP>v{9ehxT z@mP)=@2JePz5~Pf#w&?%BrA5!sz{0Sp9^Fh^Pk#Km?+!r`T#U&^A=;- zXlQnl|dFe{q3}+t7lz$#l^qwkd7M| zQzcYz7ZL<;0Y0+v!9;Hnciz0^1Xw~F=%3tzFL7wmVD|kk^&)3 zH?Zq6u27G>$CE+bqm>W>GQ5?a5SxxZ5EAFp{+VGQwJFei>V<%P4N9cRQFugr;^5l0 zj}6sdI~TN}JH7BcY{g**;4re2ri;rC27)poulX-kUv^!F{9xZ-^|{e^JAr2%{J5sp z^kLN~nCkVn8%%WCA$C83A@+$v_yRk}t&W=vU!+^Aag=AqvFplnGS|AYAGnYvK=WP~ zuD-ate0R_*#e?ozPvP3|qtJMb%Hvg=;nUxmbW0#_J-+?B=e*6hJt9P3@cez2GcRidnjq&s&uev$(UyGoVppV}NQm88!V|7aVSqI`c+ETnP&9?#Hkb2hV zcv^;^NO!82!xGu2ejCsvYybpLbalE;9e8I~KYL)615B{PUwgF&U$PYoB@;h^kEm+7Dx)| z>E*VXv@3*<10AxXb#zG+_x}1&wD@+Of-t6NF*TpVPdrNQeqhWu9!TV=0*;hQ8LtPR z$V2JJWZ_^D;S>x(b#3d4nn79R%b)uRmWAeicky1NaN0gf5o2UmKMG||Z3-7mqbZaN z;}I3lUMXAKXM~T#3bdt(EvEAX*YTiN48B_Mp_gD?xO5}Drb^-H+-JY?{c5!On#fxD zGq;rIAHEAUPS|iX_2o4b%v;F!sfMiU-NbQ^$LLik)w4!$DPpk`3vWkrPrI=lO{b!% zq`W|FCeocrHyg%}t5@9}K=&0i(1}3`+vKB=13aC({uOQe27aak#znJkyM7emuG0gi z{)vL;JBJ#yimZvzy0uEnFH$iB-kpw4=uiE;2iHb14Ya1fg06;$kCj?o{k5kj^&2|# zP$p~bztXML5GY!O^~L(bCJIwCagaYKhD8N>-IEyrcm1hf)n|=JESiZiOSR3ju8@CN z+g{oi?XktvfL1J3kidOirWjhrUbm*Tc(K4$3dqVcKWU5aPrYx@Fe-~utU{a6w=N*y z6Wn7hxbj5c-*7m;7M$6*M&-M>%|kLmc`8HzSwF{qlNnd5tH=02Rou2?-1Uqt_hN_` zw>gqGkJMXai^rNqxGYmG?@LonyOiK)XK>?(x!TIH-n_>##L;H17sAN1xj4~U?Wq_| zV?6D8JygvSLg7d#gvW%fG8=W!VQ_UZW4p9ogY+mUFl9yEc=t#1>tkRJV@+E>l>I)V z?-^AwTVWi-xpS(%yJ~!6ymNDamf8ug>)-tR?+pV$UH+eY98K|nT<%eVAKgx`j4ee* zF@qvc+w#PR&HU+7NRcen3hneOnc`I59XVkh3liUk^2txhiazsRs)Ug5Y)pPD@@{!> zWswYP&#JgImdH-m$`4lYGWsL zxs0{0S&aeC$0!*q_qBMl9iZWdYA8L*4L zIodvxN_Dla0-`5)Y8wuYC~tm4U%(gGAq>`rn6cIEyqK}bE9gaDihk~8EG}#~n}#)b zp4TinhrqXdb=q$x=e*A6GK}0P65$xZOBHOE!hejs*F0sClS8_$b0$KbF>8n7)yrx^ zXKLBA4t=a=-3;MKlS}igWK++b66u^c<8UFE@KyfGg&Ln86m?o76a5LMK5#?~qFYUd zUSCA+Wa_L9CJW3&O4De57VLr^+@_jOxzdG-9QShqXQ$Y*ClEQjw(53D? z%^}vad|BZzc%*^GedN-$j{fV-$ci7FCPGN%zTwtDnL?S;eq(Y#d&*7i*0l1_srUnk z(S8`W;oE!mJn|amZK2kIl(qv~OQXUg)jAEwI7Q#+YX_3J2j=Sv6TMt+gfhhGoOYf1 zs4J1R1#(k;W#3KDPhWRC-CUf6)L>iXaTK z(-X=N*P{9{;ku#|c*X4Z0=D{o*gSL){tU?8dy0q#vM)#*4>`JKGMQ7fdeyp@X4LgQ zS0q~1C0n~3nV)Ug2)z0@E9Q0i>85u{B;@r<59+M^Fx8v*p3kgPQ29o29*TD*PZU8# zJdp>ut?v=^UtC=dnvhMc6U>u&Z4zLA6;y0kx=Wd{hIsa(ieXSrZOX}U`O)0FM(;gy zPt-{iV2)8$Q=eEcZVp#IyP|b!lR?z&~NjgErw;gpehA8g;qSEV-EFwe{|HxF0HcM8Csx{ zrO=5hw&q7593*VBzZAf3Bfs3UX!P2d4irWy(o$Hz$DOBdYhJgIAGI^kxUc2R2s)}m ze-frW*%?YnW}BV_Mtciy!NBKj-U^ucn&NdfB_p-WEn-vlKg zlGq4IxLJ^Wq?deY!~V_giVCy*9qpC9Cr#@yTt*YKS$w?6y@!RFG zV;68W35cm5bIU{%2RRWw6>!-hw>|WG&;^eHP?fF-$3ea>mw9)yPi8zIqXkFb6KO9Z zare%6IwG`UAUp-|lV~JB&P~~OQ7@aJ#?|#7NeoG@JL)yI-JZm}$ZY!RHZv2g+VFVB zxR)VYIa!_iL{K@`DU(>`Mk69nst^K1d8{Wgv-HK$3e|R_lDn?YDp|k$klUtFyJ0zH zQLQqw6VKKUylsNjc<54J5}r6hGvDY{|I4bTVxmOtiiXgpAOgr#tRphzUc_E)GG6)ZxNh;Hd}1=2&h+L zo0vpLN6M<~44#?>NIwzxPUr;vh0U_D0=9qasnXkCJv9erUkT(}tAgrr~d zI$SZ1{H>-lCE4nee|hx?Q)0jj?!*@kB;btPaG_A=Pf5X3T9k?dCBce`2snpsI$I9c z-`V^4YKW-nrb*5!8AVWjRXNM+y>=yhgV1{uG+n5yP=*aIGYnO5?O>|EU){Nv{}1qjzXG~zWe(W zb^GRUFN7E(tdZQfvJoIGRw%AN69$_&HMs&Q3It!^^4LFWewY=yHll2n&)fds^Zb7M zdMylq@CW+OZ{AJlJ;>wYAl_B6+zr&rjbF=2 zwbEiybUsRXQvLl00n?p(LIt7tpkgk7vX5nmjrcAFdPkDFWjCplOp%*)ou7flb)VZo zML;N9QTLKz1N;Al@r{g4J6*QM5zta4l}XycK^|W{7N>+#NLO77+=Uo=cA;6R-X4&z zQ8TDPpyWB!!vu~DEPv$(H_Wdm zTgZXlG|AIzM+bu3j(V7-Tc2J$N!yIJd~U<3SrIHuCjR%n?RQk z9M@6coM_wVesV0x!gDO9(U_q1($w~ zuJ-kB=d+HAe#1nsD_W|M;0bJSn=SYgB}qL9otcIT<`evO>ryf02D zvo%{`st>#wXFHp}u1zdhWh=Awz=hMLywj~z-AsI$6_{1IKmQ@Qx?m2xW0GeDGc9EO zOcm|vs73MHN772@xp&o=O0jK{bFSCvNz~z)pv|v7_4%evkE;V1Wx;L@*`x;+wVLVW zLKnD1cs<#qfMC}`JH>fkhXa1I@96nMrOTZdG>RFyS3Om95#}gUYK~ir?K4mb=a{vd z6mk@4oG6SG1#~t8A8*7L%j(TWVUg9$FZ5E6hr%S^reMr(WE+=R5rNLVE;|s9LVRj> zNhdHr!sic7JHzYXrUGzpb=vCah`nmkBC(K%k2Y00Qs$xiZpSN3T{j}0>u9E~N-l@8 z;`jaM#cA)|!%lm>FS{WY@#Dcgf1j76cb?qG9+7+I<8%Kv>QPbAJD54>Xp&Dxeqv&d zG}C(j6f2dbg&Zf&IdXbB@=SS_x#IBcANLOm*e3Jc)baeHT7xQ2ZXu%Hv+*^dn)R3P zK6Nn~&560rtAsz#7P5BPu{W#(r|5OBJNB)+W;AYR3>DhEcz_n6en@kAB7##y=Y2Vn z`iZQtjw$jE9iAG!E$U+LV3?p$-_vtxS#e0+XoW_AnSN)G?B-cMbfM+=!ut82nQL0? zK-NU%yxDT{e}-?M{TYq)Jpub2-~!YHg(8FlJ5b@_#vW8l&w{Bi6=kV%vze~R$}q1< zN)A$oxfb{$vGnh^6!O<3^Gb3b{`{7eG@U)I_t`L$tz=74P{LW2IYBvpP@1N8>3}38 zlujr&CuJu|)yx>?zF9QiZ`T%gD5s%%FsL*ddPXgxk&CF*((0buAx~0^!j$PweeQ$Ry2V=6TJ2AxF9Q8*e%5<1% z7QIV=ynV@b$X|d#$uu4BGQc=2oAHeo(LJAfAk&Yr70F?M+z_qt*5sBIhJ}eqHgWAo*t-K;Oh<-GsVgmqVN2MYkACP4!EBCl}g@eJ> z@x&jO8qVjntG%MNpR(7ie3kr3!|${K*{v4hfUa^B5$}y;^g--bDJ1b{u4)q{iqHhO z_;oRxXKB>7~3cO8gb%uMO&4%>*h_}Q)D9&wUlR07tA_Srp~*w_^V@;td{1c zeR*-Hiz>4FO9X{G>p|#@bxM%E2W#;qbXC3So+Tc#7s8b%3z{|AU^HyNz<+uIx%`?c ziG)&e3#WIVups?sixqAmkNxFr@MkwaUO>&9Xlw}To%e-Cz9!yOqrH7$ z*2%nBJ7Ce187Ok*q`~iPCTl9CyeEHnK_`8^dvP*t1jtsd_Nt(hr|V74-`?+}hx=bO zIyyDXP_J6_LlydxczZtR2<-hd`wWu_Xz)*gb&wg^+RZ=+dUVH z=fjJyo&;*_lrBn->DS~3i;am4MTN$DIpWaqi&Oo$<|pH}FzS+Gzs!Efy$bmF8w}9u zd#d5OCy9iI_B|NVDS2D`#GilK?T~I#@T&+2Ee&Hyg1=J<+48*-aNi{etAM!Q)C;fh zSsZ|J2&$)}wpM{k(|3G1?pa);iwgN?^CJ?p=kxhIKlt>}`tLgM0RuS(4>~>-?{hnW ziPn{U=#A$>LoK-my^8k-^b}1SKn%{P2>v==0i$k; z>spWDl!=?AQ~kg$jvIynBluG%F{p-mFU4~&XF}YcKd88Fuhvos9MVY$%DE^@Mdd%1 zWocU63uaEqmc~yi(qzD$W_Q%CK|82fPr+eME?-Ej=DqwS4W9Xh3JPTWQoIST}IuDiUz%E=Dqp~+9srt zjRs4dRqKV#CSkkuYIKqB<*^oc@QcN#QUYLqBmaoqnE|4}2 zK0AJw(zAQDPm(E54z3hF#4_yLhczWT9|_n7DtW@L-4EtCjMo`q=9g~{YfZbq1Y!Hs zUGJ0*pIc&$y$X2lJX>ej-ki+B6ruc~KXnf`Jn7o+uI0u#ep1WKU-`!6)VC?u0z5e;_C9hID$GcQFi#610S0Ipu4zT5T)sJ3Pd^c|E64i+61L$oM&~a&LUNX-X zg=aOn(s+`H1!lH=KLx?YSp}VrAL68BLBZ3{xU##tc{&n8x5d7%2a;&yrc?BT(lMg4 zh{iEXjmE>d4tp8!DSu$40URrj-w@GR{L@)RJ<)_k4XgH(M-`W&(&E(P4>k!zP&tX` z%nBt+tVw3^*+rTvDxB!Xj&e1aqS#8aBLSj6fW%|P9##orf2TGUL3dUQu2nz{T+iB= zaIk51{m7$eieYCKT8IAa2C_L0WZM=oiZ7sD?LN9E+ZQn3;PC(%5;CHJzEHben5YL% zTy8C}0PdLeg&Z{YY;n=-CW{RhtC~=NCVszR)EesUeSLr8Q-e3pkfn@m2&QO5DLHzk z4f-=@VH=V;r&0MR%a!g(U&<@Olo``R>zMA&RLGGmVs76%c4xNmH=;BG`ZWNB5RVtlsZGUV1Xa#sn0z~O|}Zb zQGFG(4TZTIF4MtvKGdU2O7b5J*0tqQMmJKsTzZnU73*GRd}D2LHS+VX%~01a5dE3J zWvzvnQAFACI>uWKf28Qjl^Yk(H;%c%~b)YC46Q!__;@ zI!|(#&<^6(_3kCdEEdsK9Cd>Cu%SZBfuv1G8qWUaRq{M}=bCON2-YX>vv8oq+=#n3 zb;dMk2b0jo1idbS%lfj`CMi6EE4YW5hIJY1$nKZfue=MhIBima__BOZ;j=_T(^CCC2Pu?UfkL8bjqdJdsBU!-Zbg>SYmn zbp89H0G!}2PsE$Uif(XN5URf<3u4%0unA$7n9xObd9g~l56b~eZ_+(>hnl+rlaF|ovjO=Bi3U6CdVgNiP$QuX4 zxr z8$LQGd!6Cb>3f)@&jf)Gp@`a}=m{3DKKQI#-LfsW7V~(&t*`dms4RArrrTmI;&Q`{ za&|&`p614-8Jt#ev>@9R2)$VyGE~C$sn3l`yy$H>eCw$(iERJ0emBV06SWp_5Z=dr zukTz_;MuPlNBRUY|GKM0zqU&(2*Zxx$vUH41sD3lO~Zv$wRP%+zDW`|OkGYQM#2fh z!1$gIeS4(mn1~*>Zj3$}*F7FA2R{P|%w{tn#iCyJDAw>|-mBF&QU`9nIZf#tJ@jmZ z#v_LkR5Sx=lavxd>|M3J_L^YG&&6ye&_}7)m)Px(t;en3sM-#t!p8h9d2;638hOI8 zg(~wDeH3J`4gXxbT|%%h-OI(2!35XJjp8L)y_>rY&;$Nk-5_zoSH!eL}zlJhFkdh z1t?H=DEo17avu?1X2&Akp+@8S6>(&mV@^u=Ip00w7k##Gvp0pHdjWGmpi5FhVvHuT4qjw~Lq0t??BEY6A zY#|_REym%V&klj|Ai$U%*?vPHj97?hN^t1?_GA%g062usgh3*dHr0kBd8f-j7lACU zs<%zrldSvg@49vd1n(=}PZn^#KV#G2uHjXo+QzLt-l%8axWH}1yZnU{J(X@{27c|b zC{=yOx+&wHPc35v<=*v4mdGc3>NPLa26uJEgkIgj*3O+|6T`+-;5Umy&}+wrnVp9* zeogvK-cPIyd3scpQxh+%OZI~p!eoj{Smz0f$Zw`68e{qaeu=AJ5uW-y=a693VAWP` zUZ(cpdo$Q}%r7}25CQLkk0hck9CEpt6->x$-1)_Bw_+jyk9(4K>J`Y!N>DbG5ftM& zU!GPA7D2QSwBA;@KzBvA!B(`_2?N=scikobfri90#t6`_u;8i2anDHf0O@$nWzChfxxz)-nJljz*vayC}WTF_~3R9fsm>; ziq3$rk1*#o7r;7&{QBlk9_(av)YzMbUpx4k#&TyX9IvJD+Ff^?UdrX9l#%_Ni$hEV zn2B@3bJ$~}AEZ)mZ*@%myn>@QE%WR(jSDQ7LCWkU>C&(&`;Zb;h-#cs4{&1=A~Y%| zJ38XE2&tAyx@&(S4;^dG63S`X$_<2ZloPUmImO>h@OlgaWwl~{wxXnug&idwfk66Awit+-kK=7q$+~1GnUEJ1`6?R=9*z*PQf<4@SFB0K;+0(`K z0G7D}&>CuFxU@>nRJ-gXDZQ@Yao+DXd0Sz8K!p)&54s1(20gF6+{z0C zj&UO2=%b$k#;Mizh6e`M%b{B4xGl;hI0+)D0z9*|Lo}Ne6+*5X;KrkExPO@3p|mQp zjsLO}xk+I736ZO#x1S&fbO`o22V*yjjXQ>)*b7L`>P+5gSgc0ln5=o9nUmij(j%QJ z6f|rG=6kN2gW))~aH#Dhz`PT`DH~#M7j``@LVy4KCms3%7z@gPT(2=}trX!Evbru9 zfk)9#Dy@GPnI%!1vNIn0h&*47ZB2^jY^9j#_q^lTGKI~^97;5p=OZAwbQU_(-&Pd& zAtrYGy7|gy<~pu!Z8WuRtM{OvotOWA1zg}eDM<0I-g3W>4 z>}C;H_7EzpBqqe$gvBRm6191#z{+gNNW5e>|9Emp?*#w(>U-vKUzLo;NkZ6?@+wMI z#rbuIvGH%*xp(LY>L6neZ{Ad3OPT5SuY6$d-wBPxvH#psh{^-RF+1+ii>R_$@KY@t zJ$pec(&zk`lYg|zXRUBq?JWM5&Sifx>@6VeRiIgB8j29SUUqPlW5g6a z;{_N%cI(NmcWt(xGS*uhfA_<;cqx|iF0^y{4M+!Yssqds@9#I9>s~>AGsojK_*;t{(7qdkdW}r7Hoc00h$|<9%>G;x zI-H-5@@X+7KJQGGnSq7?Le>kSNgA({Uk{FlB?uTPtIqHqy?AVhg%(CB#kUMVfr(3! zgsiVXkA0~0UiIg7-yFp@{Y*-V3l_r^J?U&GQO8FsPC8cBM$h4ghQ3%4midV%TY>F! za<$Mw);cFm9TTJ_S6Ht6SkO9F#`5N3-Es4*QK+bv`((;`exLGo4;Ty`LJZnMSPv{z zY>c(d_ED`PbG4t$NtpfZBavO9-dD5FpPlSXq?U^DY@|ulZ&gmMEw(`$h?xXWF*6_I z5rJNDKmIV4($H#=XdNk>I&-~HK3t*As`LOJMV1QIyPlKJUX=6PqwWdTe|?1*IvxtR zp*)tFToQoe%p^f9j?|BqGk2?GPTfqN6@|UJcI)=tJsf#k3gFheS!G~ zMLRnJO)TG+*z@`=QgD?1>Tn}I>(j(O(yJB~F+ZKX zzSK+n3F-e;*}q=|yuyQfL2JA37^j1e}nsPFMv$5s~f?sCC!#7BfRi?l>U6d zJNdy9LBD9Rhb1@xys< zbTKXxd4P^r=VKt{#01;GJwY1wJRCSR+Q?`;>9#D^-+hHrm3BEbX3|?v!^af%`ViC= z@SP<5dsMoP(MoKnhS3O%kJ(U)kdaOOqpX??W%Tc77XZy5(6X?GiPimdWi8P*B}gWs zAVKb-I{E@bxCrT9a1pakx@VQ$mTX1QJ1e&Sym73N`IVk1m5Ws53bU_B((8LavjM(q z#oUyZk&Z=(02E zbOj!g#B4xD*R|U_!U6jKLt5rF^hlzS8344@s7?#_Ak(oEqqlt;LwOg9Tn1xxC#@XB z(%-`r*-CNfePW0>Sj>rqFsDKs7V>MpQ7RT<`*buM*VgC_x*rP)heXg3r7V7Il)JqW zz!y3h7U$=oVQYdc>rH6OX!*QAq0U>4%~07izrqewdFCHCcAkALUgAG(S_iu6zT}oA z?xWy|1mUY~mNuM;8`DN=(c$U6z%1t0l%xx5XsLZ3JYVMIXQz)NJ1!+Pzhq%+KdX5W z{P61F=pb=4G{6D(^4Rb69DEO9D~UcuLYAB;qxRW208}}C-U#-vg0u6)W{5zxdKL%j zZpbV77k?IyA2Mg?oS{w_Mew{_=7e_KPn}PyRXdlPbT@%vq?S2E9 zpL90~>Awh{p{f}t`nXhb$khxLJozr^FL?Gz9RRXwcf)4zYYz891#AhRLdRpp%kE@> zcmz2OhYr9&06#p%*@Ip+_g?!z#rZ6Y-~no%=_?#Cvt(57zUOntI5WRw_w3NLAu^uP zUzS}EOe467I5_-y^I#{*a$&V8WuLnn3*fnXdM&UU?r+=PYq;Fk2qM!Y8ksjF2xpsQ zQM!eh>~4bL1?PO3gTO_G{?8#(Mo;@NqJQ7$4Zp;W15Li6m%_!-ALKO9zQS*RA_^Fe(Fv4Ut+$-B}Jcgk-*=zJ4L!{qgj#KIK% zu-0jdP))l;ZezwVzIeccC19>{<6+G9eMx!d5EiuJO+u%POmPq~dy&oRS&d$U2Ukx4 zRKB7Lrp){`d34vip5Hw~CUfz$K10t0HztZn{yx&%G0GrE9f!v$Gnj;#iQXtx*y}zI z4flhPhFQd&@uz28XZ0QK1?G6cHn+(3kmz{u8?!a0%ruUI=oa^|CjfJjhhwKp>J4O-lPU*)D_Xh=oM^s&ze}%;}pgtm1?7pe#s0b za~nc70Gtyde{S1Ge5j@x^5^;(t|WX81gs0O@5BCn$@KRoA^%B~>z$7y0cR24_O}T zYZ+g=H;%S7a^GiDwB5nYl%`S`JO2^?Z-lPKA&}-&|TbI*T*4Q zFQjA|&<#0$`5J#d$BfsbNH}fgzAgo6Q!y3!np( zlzY5?G**o_gb3cR12=ZvXqy48@?nBZI|u1y52K>4;{M%@8+n21M0B{v2nYZ9`2VXs zd&LZt?)lgXx@h|CHaZXLrs>wX_!&3*^Pb!{;C+1%*FNzTKk!~+wNi~fl8ILzTj#eR z|0MyU|HIl@hDF(ReSZiEr9m2oP>>dplm-DsN>C7K6qG@wbLehqLApy)6p&_+E=duI zp-UQue)o7?_Z9b}@B4muK5-1EdK{j!_u6Z(^oKgdY?mDw=mt9xbLo1cP@7ps%}#7&+?SR7`k z#H2nFlOvWl(lC5Ggk{9D`DD;|+o=^puPg;CPj@ZQB{;U1w!_>ePnjSiz_VC_zl&F2 zbj5H&*>%|Y{X_j8)PoRO-PtzPQ)CKav*~pMY{<0-T!yiQR|G#&OhMWio!-s4ZYi+6 zyb*F-@G)CW>h$Kx@zgmHD6O0~gne zjSX>dMvij{H#Q1(32+b#8qqq zayj3tBC1Q(QoNU7D82 zHE(UbdC>^<&?-^>E;*^{{t_qZi792@9eO^C>m)s>{uxPrE;TU+%Rn2%;{B2d#Zdnv zSVO0_xcm2K3Q%9_wSshD^0bvmAG89?A=(1KV#(p=2;wIH>9%44Q?AEaMQaFdFItkJ z-Oc{5NkVbaqk%m#tg6){-`XRk3j73XR-$~CHoFVFN=)gy30BHR3_vr1T+Wd3Wv&S1 zk=q!TyBUsk(ba;?GnapppK8Cv)2?Km4QZd}QA$FT73_{T}V!(0Zo**G*%yf zTWIEzNlV0ToaJ>1)P_K5BaRH{2azNmAvCcGuC2zP#FM%v{P^_He@|Ch{&N|gX#{A%RVlhH()m*jJ|kW2*g*o{@(V?np`(i0JdsZ|==Fcog0k#42>oQ8I< zq0ESts7yEhMIYL^8v^Yz{iHUPxWiYV9p)C(ZEVT9!9f;Y8-BdED)xiwOa|DvcuB}B ztu4}5nHSztNbiywA;?>#`vTSw_sKhUbht{Yq&)9mB2_|MW0YE@e}=4Vn@}Z!oqV~B z9@L-;QWw-&G*2UftpzuIP9w^w%NX>jJj&z>*M^jcg5q^#>yuBlYZHK05xr(nb5;sg>J0th&+Kdbka1 zYswO(%JGJ^*&x-1 zM1=f<5{1AeSG?;$iqX1mqJTJV<|~e|t5W}xkM)xhrP`=T;0%;>HAkFXcDSrF;-8hTf(!p?;fO8J(EO(H^3 z@y%^t)82K|Q_Xvf5rz`jIg_M4?l%Kjp&c(OSQuAU{Aw$#^+CzE|IPh26H< zGn(<8Iaek1jZ!t#05hFG5rf?j$z;-X9(tDn&6(MR#tI`Ex7J?c>SFQE&ms7pVQrm} zf1Ta`YB5W9u^M3-bxC1u{4+!S*PrF_LZ_=!_0wMMqstHsD>!{Bf|(@>5BB=2jsDp) z)iTtKjLc?aL;?n>QgwHE7aJx+1-x^R8(L{2!5f|De-r|jmps1D=RH7bb~tUUfi=Lm zIe+L}yVgA(-R?f5?y($f8Wx_1W509O@#sfHt#Ng=b1hLA&lJ<1Z7D<-A%qmchFpj7 zA+QRzGjwk#R_4j6m<8=;o{dK{Rw0)z!9pL2Vm=V;cp5PzJDPX~?xpv{uwWK9s74>W zTe{0n0=Zl`KF$ui(l?L@go);TjG~Ub%fqpYDXzQ|@SUESiaraejamn%{Oq`kP>&Pq zbn6m>y5vpE+w@Qogfzl;$en;dA zS`!Q-!bw7kYl=vb)JO|sR;bjm7Nd}fRw@`?Gak`(A5IgJpc#+0p$K7k8E+C>cxs~f z-h95S*Y>{pRVi%CtJR(9{*7dBEVTkgbLLrzp$-^9gbYo%kRf?R5pEbmZPmlc)EWeN zrsPU%XdW;BuB;OYYDX76ELVA?8Q_(iQjji&;4qYIRn#75b;gqi6ZrwbHGykGa&L^k z?gayoRM9@6Czw$oG*5MNcq3r0I{l#m44W`nqRANG_ZU;jj*~QC?Bvn@$+hWS{FobN827aW8l>PV5Ea4{C5%VL6oGSiY}pG(Ah24YTh$>sF-UQ2DL zNg#u~6fZ=QFl$ThwS=qeX{FN8c{hxO6Tby5YMTtM`GHgeyqcp5LmQg0C)$QR1F`V# z%lL$evj3uB4SO#c0UQ_!9|`uov;U@Gfo3&}>TzQ@N$x39@%=+$%izpZY&y~Md?^9R zHQIvKB1x1M6`fcH+|E+Db>P+{M5J~cd>6EWoS}>oiS;u}nGr;fUsgZ;vI89j!@sCS zsdJht8Y?jNYYZj~m4BS}x^spmV~bXa)3|i!7@uQEw4AqogE)$uHTkg}7`%g3tu`}I z(#GSyfxO8y{{EX6y^em-S8M{Jrj}y;hihs>--LiGyyXlHgu}irlSktR~yI znzkju-P0v5n98m(JmoV>566G{#p&4H30Ll|8APVs52h)^Ry`qaTmN%b&$+9{- zTx6e0lksT|zxCtI?u+^ZrMv|FN%P$<7!UO2t&bkH1~+}XHk?>b_J4f5yWbtAFJ_N- zUS%;l@m~EqcB7x{9OTzgB<(UYi1A!5)RVt0VI{TeitztX1G+YrW)MB z{gNEc4(~qn{Dx5RWVyk?n-~>F@1!QU z@Cwqrr*+ANvE-B^)oDAX#9*jb3VW_2epFLxn{)&-&Po3G3J%l(sUyI;5}{fmj!Wl^ zFwypyuUJr!mFKT498X198 z+QD~4ogFklB~Nz;H}^_BBnW^=w$;*Rt@+hPSID~$Ch?n%S3mjpGJMN@i`8H=ZfJXe zxffqtxL)0u*8LpQ2*>}yZ{G7T`YbKgT)~r@9@^Efilh=Kuvq_b3uPy!{q6;%VMCT4;s%=MJgqlQ$ zG2fV=PN9_05ezC8vEQeA7#x%X;Kk5A);JeLzK2$H@njJfB`tSBDZj4@%lLbtB0*w_ z2o6c{wAazldqzl2@oDu-O{oXw?{xOMj%O90n3}1-b+VIpgK1Yvex(4MzQPZTyaE{p zug|pP77+oeDknvk`$Df*2;0QAC2B(sit_VmXch}Pmvd7Yb5!0^jyy6?hR~G8OtTYx z1ue7|fCEU`wRs8AGs_R3iR^M9>~dJA&T+rNz6RfJF;*aK(7r@91*x(MrT<$m^si|9 z{slUj{?^y`N%+@!VW@OAI_GL3HEV-4AntiR+cy_?>#2xqN}h8>KnCwv;>%4A!kU3{00+yBC}*|$*ln$*6~6+ zB!GsXnOzMoMt!C_@jMik7ma-&*nyUJ?XzKnhZxwNHrS;jh^RhVjd!&U?{edqa?i#B zH6$yJG?i;s${g+10!LN~by59KwIv-S^lV65uf>m}N~3cbQMZ4zgg<*n+l^peT4^Hm ztXt?#5Ll_`6LHy_14EqzX!RLd9{}7PlSm&Ly6qh%0)c|t3{YO**&kHB#k0FS$i94> ze5zH`@v7dJrG<=PJRpGg+f_S5>yGQTBj(1_`5uH&)qIX%3#YHHmBll~mmHsor1_d# zS7B`O5lhmhIG<&c<(3Enr|+P2H&?e>T7rs}--PN5=umx;(fi{+qVvD5gkF@==rhp= zSvH9tXCb*Guh1#_faQ3G%1iCTv%5*xMgRybr1c(A1xiChWmOzUH3ntcso}Br#4M0K z$H@}$1?pv*O`BM@D7H0D>;ME^0m+GhCPU<(R-WZRtr1MRnN*`JhQ|+HAUP>tyhmc% z2U*h2s8@%p01A(EN1GTs!Z?>mh~XiOh(}$EFY%&8UTceVe~>X=RURcUU4R#a5jTa0 ziER&RB5Lz;sNrOL>WqRY>3n||QngTILjJo7h01=-YB2$ruWo4e?DXYE*22?^(_nZ- z6g_QTrjPf%#$LGu;|CZK)7_Z`sUZPKQ69UTZg3VBk?~eddwXxZhZzzPi{HvGeW_Hv zie!+RO6l@PvCWho6GQRIrIH5JpWQkBPaYD#EBHi@9?!Go<*A(0nV&YTHrNDU3%Qp+dZwEKzc>i92Q*FKwu zluiFuekw9}w37!mve0>#le8$nNBQl@%nlZLZVO331QsVWitZ0u7d$Lwkt0>)Pg)nu zDad#_GhjbkY;Gq0S@K4*%bIo_Fl?hxlt2Rqu|FNb-iem@giWrLP><*%mjqn**Jf-N z%l%e5c|J~%oq@oe%eMaQBk}i7j>Ld$19t+{lorrdj83M*R1=x;E&WlmN-1Q!xD+(w zZCrABBs-=ez>)%IV={L-@$~uW&hD)lU~N`U<|Jd&` zC(TMj<-ciGcnAXh+rOt-)&5^;R<&rFRoCnzZ9ucqu)(@B^rTbfyrRuMpj`5mUKsLOl6fDWRWY2PPke`<>oCi9v3I7lh3FDGU6hy_ zQktN%`jWY4*&0%)I?lOPb7;}J(CqSQLxO}&EmdD9{=R}?nXOK7VH(F}{)QLU;8t6) z_|kYZ+2IWo`|&>tO#g^8UP3-VPV-_x!#VS>ThqTbh9~K>``86{AoSObJYPcSse~m2 z!jsyrm@p<~!>=j0SE-CmE0g95it&p|g-};LKnPI0T^*w?fDXHy=7;3PtpI+ug0_d< z9-?F?&!hg;$yh!+?<1|~JYj*oz^e+CnTeJKefJ1h9$R~?UA{!8ucbjK^f~N5X*huGjcI=lh z55vPw?dBU@+?s)1vFWS^#2+Pun1u!N-8WSwS`vIl`99^~dp?z0!2V5Aa)A`|qb@W# z!hZd{5$`<{`ii-~F(rlg=*37IAuJi5D8kg;^qg!%IZLbuDNC9u6JDh`WP52wT0=R3fTU#l64(i=_u zyz>2%-#ekHE0#y|gq>L31HWEs(jhD$y$fmHSormGuoU^xOR?w^NJzvdP$Fgs3_koQ z;tD&I@@4_auBdgO`GxblCk1&qdS>|6sLQ!xD*!%IM`G5R*WmO3AnJHbN;6G0>yK`0 zt`yoEkf)9SnPqyoMH!pwUeImxjnMli!h4$f7U^9nC7IQX4nEAx zH)}>hZ#Xqc=96wA#5pY7CO#|@g-1Xme(X(nG?(!Y_O$wL-N2|7JIYp zR^$FtM(z-H-Une5G?KKm9KjZj!+Zuxe}rxB(b`qN+ru9`(R+A?!#U!&FU|%1;?_n> zpj3Bdm}sbQg(1O<2yU5xDeSLAXHjMV^ZsxqVD$>`1A_qS6I7r~->Nz>)Ov2dZuZ8V zNvS?|MZtvFLb2`wP{?EHjoXiGYc0Jpq^Yu>TR&d7lAm)lWHy?DukYZJ$LRJTqS_?g zNK+|a#iAnd>wDjpx#mP>?<8rH-lm5+7bHIZ2hGvCJ$cLo`CR93IB{lHHQ!X0r^2F0u*RS&`s{l!jE4xjaX?Lie4+Q0yJ*TWxpeo7 zev2Yh1!N63#7>FeTWRes8T9kH0O z8-uLjWVruC5O9VM==utcbVd`Fr=d)%4eJm=%>jXGw;f{gX&&aA8k_z6$Buot~Y zZqKX@s##v^cKCH*`~SZ69v^H#$3MRE&=K!NiR82~_mYY8VW&iiXcawGRGgMF_Br=0 z#^?(YN8QJB817g{Fqa46WsA=bDGcx5ClIg?dfhh%vF3-0lYk06LZg%NiB=qh@ZJ@(A}={|=VHYbYViDl4M7G88OFuIVxcYix<$&;lDzv#qhN$hnaha`oA z1^Zofsd(v`gX=T1POCR%ugnJlvJ%Q)8s?x%~Py)D>qUv5ZHj`6>)|+=Y^r z`8%28+*cxsYm{%-ErJ)P;I>cm7!7_JExG%^qxZH4@;0_S zdqfJt!UMqQ86v~HSQ(8Yw&|xK*{w9;5ln1q5O6;k3zn$^&{?E=Wf%qdd z$#KQmwm$Z^R(dbqyhT){41^BNz3SZVr0eqDAvu`nK}yS?gOo$Yd6HX0-N#)K#J4ie zkf}}8QN#^)W^m+_GPZb7ij6-jhzPgh-S;$h)t_r^G$BAyR zJ+e@bhzC#?lg7&2CoUPzu;7F5=D)i(iy8cD4I+866g|^-AVpTg zTlu64H8Ge-q@{i1*L8pbe{jM)@EP&@?Yk}bqkE3mI3{8?gn{u9KMKlHPXWIsa<6Dc zq%4lOI2v`oGbHCq(H40Zld6x)wuS)JyABPvJ?(mAS)r6Of)$`-X~(fDoOH`0eMsJp zHsv^(Dg4MKI{g~3HZE8H@Fjt=Z0P<2b54)@ncD)3Pw}KNLKWZ2Em~PJ&Xm&MeIgAH zL?&!;g(r>$l6$HCb9^pU$)UinM5~tZqJZp6{$m2VjI-eEl>MHfGv^|U=TmdnQfr(& z05ZMqKCDB;MFG=j-Bqtlr&D$s%sC{9Kecdj>uzX?d+R1@w~`g12RA(+T^!Ige~jbk_}l4TW!69IumIhIBMmy`Q}|#$ixva6nO&-W{y zmVx5brKB5nE7#&^ixSEr1Ns%~=K7Aw3(pE#Yuht&Lhc8K&Et013*|FHe66nUnlzTK zGAmX>f-Tgk^s5m}t@hXi4)Yg{%=Sj>=QHc2LBo#NVK{@4zlhXk*w7_EWt+b+;wU;o zzjA~H*nYnB#HI^J z$tzkCbzNqtS~J(`2MxPlHj>Aa@;67!9=hPS>Y*^1{=48<@UwXav|f_jKU^*8YcNQ> z8IrDI7n5fQieXEml=0kgu-SlJdGBmxuc@h09kqyll%Do_ZOT!X+HfFbpnjNB z7Zs3Pxe_=)qv9uGH{4}Al&U9h5BMDn16a%ot^@TkiZ4j1%AS+t!bStrDJ9qMoIap} z){JQIAUfMZNd^VOQ*0NyX%4@dADT0M%;v{~58!)3;i!hqE~mjMb^)_q+_odP1_~U8 z(pNe!MJKPk_t;}WlPZ&d^&usBj#O$od^vx#wF9d4%3}2F~ zlr?z9{xbJotWWx$UO7dsgk-x<#+mxI|(ZdL)*|7&U?*^M&p43nNt|UjJx2Gzv@# zMgse!abdC`h6Z72fPud&!0HY{|YpA`c+R#GtzPht9l1)VNcdh##-w zC~eVttW~>(_s4@2@}7Jgy&`cO{nL5YhkzD*TB@mC*{aA&1?IfwIHAxQmutjtEyy$@ z@rr_@Du98sK=vO7(zxw1rPfA4Bh_jFrV5bzZrHRA7)_x|_lgE+mJVB@coJ7z)eYU2 zBS(!I#zT$@!`D{Y?$!3nF;HtC^^-&p%CIxauq#$0+WF|p5Lwy~AToDFOjK8K&$E

PoMo57d!Ey;`nc@6JX%EjlkV7Km!-BI-|Z?rnI8#g~7mbGMK(cSi5s zD<)?@i&-lY%+Osb8DHU(yzGo88rnC-1^zz%~eEc?@v46#S`JLZ%B^{i+AB{ z3VTb@2WS#Iy|?IMdp%aF^m4cN6cKnOkhlq_9nwA%8xc-%z#exrM!G^? zcpB5G?Pd}aQ7i*Q_AA%(N)lK4y4zu8IXJ+0wWhZ@QFl%~RcBqTu0!)YkB!+J#QWi) zq0l11L-T5|2y}Q&!hcf<*Cj*8aWc1q-^BS)>8?N42$v^r+hACjso8f9^ES~%F=PKJ z-$pmG24!q%OH`~tu4-GaC$1l1FNOFulh){93$m{|B$uQvYPe5A^^*!IC_IcZrR;C- zhFH|WZMN(FWmHR*dnvUy<7_-+rK{wuGu}|3vNH}I{gi$5>Kt9J0TD2&%_CBee+apU z%M#Zjuv5AxW7N|x6V%3+7JS^5D?Xg%!8^x1blZGsMpKUXMnMM%Jtd4oS{}(*P%##6 zJ2uPlcmQ8ze<-nYhTx)PXzBwo{VfEKJ~jy7Gj?Wy``61L?I~K2`_#(uw@StLH-Bol zN&51&AuSr-ZCC2!>_qO3A;LOOk-|-fveU9MS16`}bO^WV^9pP8*d(b1KpWk#=BP`R zJHusZD2x5{YsirRYzi^kx3gKHFelfhs)GH=MWFD5lWFi%|EUKPQhoE>bEI6ZT3u8x zGETa`(6}&Rh8&G&F+yNo>~D#p+qj6PgZJpAhfNfRG>hy;lq93&^i4=4uu@d+6_)HEJa$*R z%kXmkki{$ERD#rjX7DAe)Hkv0fV3?yinPtw{=upscUoyU&&4PuFXbzV$3OM}d~QGr zijobF-eUmGB@uXm9~A0M2<%MFKR^7Cr}H)F5vCwh-ttU(h3E@z_7c*!J_<=T%pW3I zLB0gD8@`G=Fq7~A%dk!44b710yE>4CvisMIPpDc$%8yF5Pr3<^I?7s#r+c1D0eQJc zt7}8?>VRzGoXsZ)oaypQ&NO)7khpM{2=uhx(a8?{v9As-y1p7F)4~7i)gTR%K?m9G zE49SG-d&A&H~G-zLn7+yOz&Z%Kl+_A4v=ps1O7DF?CfwINOJlg2AfWrV}eg2auCZb zRH>-PE5r?)8)}S|!&vUIN6{^`P~fdJ7P3R3sJ2JtaS7@pXiwr&C|OC}`5@`29V!>K zq*q=Tesa0TGLHik4CtG6g`|xt$V@i*ZLc*(7VEUiYtMLPm?~~NjTDrKuXHJ>c!4qy zox{o8GRC#IlUmi3!n5u`lY!XGN2l|qBa=fRVsP~)St!%+6`XWN?_|_d3?PQsEbb{(5pv}-5-<|l=|w;8NA6Kyb!^eER5EJNxl$YHgKYloF= zlyoq&D~5xHbJ8mViuN4?^>21$2yGH*=9rf7s>gjSq9W!51UF5iRe4(FD;p1FcD@;nYgO~KRnA9v^)Np?22jlMkj$b*qB=`X>-g)Wvp|i?Db>CZYH^s5<8MZ?FUrx`M^e;OifYDHToUB4f9z^+y%20hD0ZgP3D;>8AoK?JD~CxvK7{_Uq@M{w|K$BMqhn z8)uQzIMP)rB%3568U$NSh{z~?d1>oUZ%DW5H$%9tGVsROtu%(n-Xu>Y-=vUBIUqb-U40(Oh!2T{cpmsk@{saiv5Pme8he+9OH5s|B^`Xz?e$by8g000&hLBf~4{ zGa11ab4+sqQN7&BDXjsmIX-v#W`Q=3bmooiE%&b!(QUKZ#9sN1e;QocJbw4oz=JX7 zi0h#<&~FE~sHyC2P}oaYe$9^^Z3=(JhpIsgn2!`aYLPnE%f>IeNr^syLSknBin0Hy zD|wClJb-36oQQuNa=-!P{%1AV5QvVjup75P88aYIiKR%!tjqo|Q?wNsfP3Nmj-(lm z9{c=_F5b6zcHO|~z5+hfxmR^BgLZ{4*5J;ZDGC@&(hn}8xWd>KPG(@Y&0+w17 zDXs|HKI#Vf?A%0k*5m(;jROWtae=!O=*8b9?av=8P506Ud-yW3)TR4r8^%x{domAwIuC{KPU#|*~zJjZEm+?mL zub+cea|b)o3(`*L3DOltT=-R`mn@~X1-CK~i{7gUPpqrqgKK%LNcD70A8PC$OU>-CkeC1IVvw@B|Wl4$ULl!jx&8BPOL|VT#E$ zD4NgYn-kjx<3zH2$oIr+c-G^5?((p`#vGBOJEf7VZ;u3KTZ+?lyH|YF?90+wI~ChL zXwlcr5_-0{0q@QjJ~l{PM1sI?wo@EBe~D|EO#W^D67{pJ2sj{e$U`;+kegV=*m&7q zos3no4>tBc&=N0gaV6s?(zl;hNEZkZ$QBuy3x0fgm?DI*KIVu#Anz52zQk5Kc_ADm z-*3ubQsbZY8xx&)J-T+bC9VnkUugnDLrsrlLMaDqs67|u<$@~ddr!y@o4%$ADeJqG zju1L6iTRqrYrbf>B8`>`h_3~%@JB}^>nw;1M`-I2+;IiQiV4dlz?zan@;}y;4I=-v zru6*Vni9o znZPdoufHe^R(1TJ15viSd~}ws-H#kMH)_Br+9&Jof=j+_G118DA>Xj4@S(Pn(?Ztd zX=jl-)&nt?bDJJfriwbOMIDh)x`}H?#_>|1m@Sq#EVT$D4NzCqD|!+rb$595JP3qk zP4PoejbNREp3XFY8k;7eS?eb4dqDx*kmp9}6<=3C)udtJ|ixoFfg?Pmg`_Tqjc!LvL8@O*KEm6C{-}V9W5*3_c7!(S8QpE5xJfFO7HBe_N3R!mMF= zy>HJl!KosAL<_6T7Bhl{J08G#%4K%^me zD(9nGI^v6k}-ZV!- z$Euw^cuX8mqrs=-QIKwnl*?sv9|<;Bc=MI6y3-V0o*e;|j?jv1Ol(Rj%xNrQDaNzy ze$xxSRi_b;A(5F8)D%LKY3tt|cF&GC0$#yq>6Qty0}0S3C_wc?9tAC*1~x$ncIVeI zvq_u)d!!lcYy&HOu#b&>2!*Z{y}L<-(e6QI2)A|uW+C^R0ne8ar5~#YzQma>!?W_Z z%YEeRsszAi=%R${J^>(<6jX(iFEU%r_)+C7ey#<+nSHk0Y>A+iy&)5#^c1vV#XkW{ z1olYZ4S*;p{c@K}P;Kyn-Sg#*BH&TVM*#eBF>WO-dPCaJnSGXQVVKk6@FE(J|41u) z)GZT*!Vg0dPw|jf+RLP+wLM7tG6WYW^Sdk z2FvvYIUtyVuNssMW%8}oN|lxKbH$_J4Do(vYx_ywu$WF?OLVkEmLZ5TAv}=Ttq0*3RiV!fdb$Do8HeWe=1AjWIM5p!g zL0d^(d)wqd8LKYUXtSdJ*VqVs;&?rI{&C#OEn{{yiOuMcFt2~A8j-LpbTd-%V@yaR z5@fia8wr+E{jRI)b}m~FigwKbEN1%?q+pTimGsx+K{D4qv}^x%0^wXT-> z?Jg*${M^O4kebV^>TH-Vwl-wIfqnRz;pOkDwS0K!grA-w9qAtrW(YLNXz(SYMgA5{ zPOy*6kz|USy=#pK&Y9~oot6)h%Aw!WRx|T=G6`-|;65c4d03E6<62B!a%w~c2taR0 zTl3f*h6nCRAp>RJE3~DI%9Divds<=?m8? zCn?TmVjn}CU(6?%r_k(=!%E(N1+XiTBw!S>Je&yvJoMuEQbDvdNfMy<94YF$JGvbF zU~t)65uD;OJZ$@Z4rG7nnpf@>*V>$pUfC%aQy&mBp>7nPBcQ1- z?>%-uoF{)&P{l_m3BZq=z<9(DJ(f-?GImQiy{yl~>sqVxR@*n(pXmT>T-l!-H+tt~`7 zB){lOD5}g`{e;D>_`|q`b34m&8>6eGOE&it4FjxBa}&S|*|XU0rV-x}o^)dEe#6gd z2~1v>4;#R-fUj*}{}?Vnmda}2cMJfmz5px~08FB@=s1+?jv~yvY+opexaQkxQhmWl zg|6%a$*x2mS=$nlyV8817d@v{5 zT=ya@P~@a|s}_|KwOK@6T?9skch;E?G-2S?E>|E9h>jQRzY*3Q#R}}W;un(;9KyFH zbWakxTw^kK9zB&xN}b|5>n4pXpui|Cn+iH)bi#qRZPF@jAM(z0XZK2TmoP8(NvH5l z9fKo(67Dh8z8YT`zmxoBY(r$f=YV300q(I~hv|hqQ*^?+*qr)UT+R2q)LZHRRXn}J zI`b)eXfdN~>e2j(#8Zv>iuY3%y(ev006YmsJbb;daN{hq`*;AGl$CbppnL(vz+3$l zC-mJ5sgvT(Mbar5xB_Y?{%r%@(XE@QJr<`DO0Q#gl688|9yIVz$qdc+J@ajFjXUBU z+z^?rc7NqsxKb?JC^ zV>0=cR$?&%fRxubRqnIp^!;r6?!{&y3H#H*}9HMh#r0%-!5!7cjk~nMm-k(Lb*LAfdj1Iql^zz}ct;?NuOFoh-GnTx|VY-_GDG(+4jIbjP&=&6soQw zPcN9}hBSrW;8ovaCtkV6YNQ+r{=T8wURkDotg#|px%nsZ$_R$1bHjXxO(`}(+XY-6 zyV@`EONOEu&W0q#UVQX6SbtnjZMhOKo*DYS&s2_aWWermR_&YH{;wDC#J}NtawpO6 z{207(ot@rRUU&9F-z%aoA|*|ie!L%4?Ftz%L^V@wBPl3ccJPaHCex+q5q;?txEF!u%1C>&bhI0MKtQtgK(tHW`eTA{^ z&Y5hI!uKO2b(ZN<`ObGM%z^u0w0sxNRe}N(U{#=Re()i)>ibE5p(v3F-N9Ud)QRzc z6nq0r*(YG@q}X1{#K9jQ0~U5Rgbq}GIt2V`&Bc}7x`yVTyua5nNYnh{i24e9&RTktAYXSUzTM)(C#W5@DvxzgKj%iKd zZR^~d4HwaS(4ac;MD_WNw!@7?28S``jjXlf*+s_P&`f}zY% zzJ*8dwmV4WIO4pve_D*?x z9rw3osjI8*xw{qT)pGl4?6w!5D4elP-|D@zaVZ6+w32yM213u1m6`lknD{eV{QcuI z73NXH2UXX-idP>DLnKe$zuKI&r?i2-ZzOHBO2R{mKe`c(%z7)XgL804EOH^wC#6;% z!Db?&)>-)D%Am2DL}x#1IeVDl*FnjrW2`Zxo3o}}AKoi6MtXcfX&fUg3{SHNztk{x zK8He=@ZWPt1rKQWqxSprd7n{;0RrJ#_9{C#l=gAZ)&*SS*u9LKE6bujEQksyDfgNoV=BY@xEm?Zsqe zc&oHS`!(p*HLA|z+YsNZ!*Iu1R%<)Xxr>31)>xW&tw==2szWX~+=y2HmmH8@&{{7AnyDTC9wf+V{5atb?cxiQY4EWAQQ+&p@-Vb1@d#)t$8VTt1J( zE&TxjtZA>%@YLc5S;*>ZRVTB_?YNH=-{+Jx*Kb~X8f|W1 zpNI%mTp$aKSnF=9^M`cSVQV2zwN`)pqx#}p?}q!q zr$b$437H)4D(CO^qw_Wn#pL-Btu}#{uQ8p4zVbwU@1}nBz6E&`oA)!b4Y;bBv0yBh zxUIvSPh|CWvSg3u?_h+wuGh4qjEnsmHxK(f7=@kTarhC{X$w-PDYL%pI@disY22t} zN=C7zfAIHFA4I$2iiS1*c&`*KO4OXNaAm>zbAzw`xZT{dLy1PB>zlXA{Tp858{<>4wVIw2=>zi;a3Kehq2a8C}dru{WC?WKnb`xQz(tEWBHU98D?bP zDvc>T{HFPg+7xM);*sj|liucyXLrakncQfXU4}Q@C0i^q?}(=ywN$hVbX2sTG*ahy zOo3p(U5hxlF{K;j?v6X4FeqB~{QP-l2R&kn4|`H(9*X(AZMOg_Hqfh-;l4SWyiNRC zOWQVl{Mk|Rm%g*XHq`|R_xG*B*P4YHHyl2{t)J@J=&&5i_3(y_u^Y9#_)p66cM$qd z9y3etD#_^|1Fq0f|zpSU-QxLiYYg3WF-yHqpfrcg?%AK?V&8h-iS zb35$Ak5813QMc!m&)Qi#qaPk;4YSSHFjj6HtBAUsl(iS^b3e)&m?3^_IrlB<5&Jn} zjOk14H$|x&mPV>~*Z69j#InLQ!%0@X-R{xYXSamc6358EO|Pf1t4wz*`#r_A?;==X zYL8SXc{BWFo`=NNxA+T}t}cee;#gTL{@OK@W=={G&9Fx2H0%#rnntc9y?R&JibSbL zXhTOoI2HIU`xxi63gEO@hAdV!-km+76tePqpwpZ~DfF>%UwX%Kz_Brqid3wz(ZS%x z*>HvSkK?^pIFo0^nz-S&teYBxa^0`wc5sdT@WeWpbUgRPZB)X+QXqige@GLUtFbiB zDdor1(0J+Vg~2L0Uk>t>vVOW5=G95mXJJaQtD)U7U7@~A4;0JR>EloP-JQk9f6!u~ z5y_8F#*3j?AKog2goj3^l|#SH=V#xm8uNySq`)$|0}XkOa%c`eGL+~R(B|_VpD!s& zjb}(LXGND!Qts;RJ_&u&pCMplZms_z#6USAGNBwuzB5~OI}^<;*>l&r@VKfANK0)d z1A}>rEt~jO!=z*P9AaMd^68W^Er!L!?tG9l)aVNrqQCBK8maAlEI;)kKr(;)v%+NO zhfq>h+sd(gwFwW__RCKd@Otc@wX|pXO}0PwOWEQ%1XowXrED1Ox9|sk#NTeil4&};A^<^ z6qUwkBA?q_EZ$4wIAM4my49^!*+z|sGkRhwI80`1c+FhZg8jpw4!<_7bz1AazS>CU z$Ga*5r%AJx>=l@}QVL;>I!j%)&j!y-`}EjqX)@2;D4ct#k+8=2Sr1~R@4SJD8jselIJ8MXX#t;Mxeu&<-JbBl2qfv^_z^V zXV)FNHWZ8fHq4FJr+Q9Lh%&zC*qRKU2`BqFjp7Gvf2=u$aKzILBoqr%9;ZJjmYSF% zL*=-+(FvcbE}NfsQR$hh&b(5Xc`kLrp|{CPno_H*pd7j;W`w;vV8J_%|MOb%KleEL z%0kVKx9QQppE(rX!mc`QpQb;3z8UI+jX}cuC602Mtx03N9aE7sxZ!DIHfX#098b4ZkeT<)n=$d_+Q}d{VTS5Pq|kM???l(6q{O zjd=7@3N?Sybxb(F9kzAb^c#+KXYeIC%0@8>XG5S8?E}@djd^B^M{IudJBa*j8`VbYyX` zQZB3UV+F`$dC7BQGWmqv^lEBjx^i9V_L*yX_GRjRmh+y{-J6$4Fw6;a%!zYGE8pz8 zP>y_TJmmKcFs+(lum!&$x-~C&fxKwyS>y?^Xi978Xq{w@k^f?2VY>g#Zs78;I|DT z>Ft+!EQret&!dfGc7WqEji*!gZIN$0rLDRlS}Y&))v>R93%XYjZgR-S#~DnZ^*Ql2 z|B6*aL11V-x%&XIEW5nWxAZ(b7Kyl^>yvFt&)aEha7ewMDT+~=U1f=rZkKDMxJBto z8bU<9qIdA-=1RmfUoZCSI^Wf8{R(v8l`OBe`eEAAJWBH^pKpF8hxsdC5h_iQlA|r$c zL2^Z@?HO8a^+3MU>vL?)6``&@g8$b#W#-9)(MF*S>D}NQXFMlIY%fHwR&(jP^J@fu zkN)hZ^h82PqF&+o?53Hfr(j5j8q6gH6^!y+z#@OFz4Y|<@`YHfv-@fKXI|SVc^+DpQ+3*n2%5Vp!}-XayAJRhF$|5i*?&$tQQs-~wwohc7A@ zSQf^f&+_d|eEm|q6;$V7VcTgizaVFCdqduvrZy4bXAo+jkl>a>@MrjE??r{hz_W_a zDd%GtH50L-N7CC_@c5PUQ}JP#VL3Z&EvxX$`(XT^NykNu`EIAr@{y_;$1L$zt~9TQ zL@;b?!e6sh+<3L~07w0bfQV3UOHIq>xLIgFbbVF?s=BiqlW3iUFJjP;y4&D>2pjV6 z6JlRg@f=k(A5o9vWh@wz&=>g-#jIIn^D#ldaU(3q6<9*1gyNO?r7w_6KUyc(gcFvw z<>ax^Xg}39WT4Er^>IeHZDa>7?g~Wv;0rL(JnRln(6%fe39z!jDrnt@Qz~?F8kvlP znKqKu;NfSgeCM;}*vwa>OH?&-4)qmp;^D%_n%NW`DE$*`1K8Blj8CT>#h!l(BbUc)_FYjLe4aLdG=!FBqIDPY9Rmm^dtQ6m7Q$Q)v~58{BRjt56(9- zU|w;c&9xwf44qPe5%5*Sq&?&}9PJd5Ja2qes$?HM=4~PJA=u5I%1JX-#bg}JASk|~ zY3w23D)`~MV-%-s&V+;s+t7gXGQ&R8(wYu@f9bSiSB(eV_M6g+rK7SC?$LrWVi*iJ8r0#HJ8*NErO5!dw(x;oUP{?9Wo5A1 zGR7?QNZRC?wBT;-MLs_$UZ~TLOL1Yh#og=CJ1+4^FDo=?t^Keo3SWLXm|OUP`S<=F zz%71P$ml4kW$f`z&~pyT8B$AL5;cMb9zMF#`2k*N>@iIAF@Uwh*}7ufG%(EvMBe)d zjQE$E3uL}TEFS8%TxiJV}4;etIOm$x7rxxMe-}m5-9=KvRP1}XKx1Nc=^$* z){k;-9>ccb`&KC29y8v3mo*{Q0?dZ5I-x@bP zv6^PeA7{#FwADR(HYOi5)M;@TRV;`dLuE;6GMUukB@0QtXk>y$#!SqAq8ZDzv@*cB(h{-#SHI7 z-^p%ks*+AbFtKVc@B1jbwM8uw{DdANp$?yEw7ZM_t7|G)4|Rw!#UxWPTq{T*G@eTX z#)4NS#xpK|z6@nhRI(}4zy`5~)Ko+fGnehI<~~QJ&R%n;*@l8}lRvy%moM^V^Py*>agEoBu}fY*LjmxBQI=uq-kbJnVYeQBM!~p63Od zcq9+3iK>hRt&F)zuV`7tz85hxaa9*977RAK>3Yw|ZO8Tq?!$UmE1!_k-Y!L(siY#o z#=OKY&bUEOj-|c0hzVU=wdpBsrdZ>e)a{ntxOUIDLOSa(t#TV2xSw%$VKxqV{YhF*902k6(Q3qxfTxpU2X> zPDo;1vz}4cS!K}VUA7eA7R^%9{_P@UjI+c%X_b6 z_MvP4WVwPnF)_|QSOi*g`f1{Pyw^NfbFyx-gdQ$nYT$;nT>i3EjR7 zgmg;qKWTI-nf1JQI{AvLUqe0JbfdVjx2iOBAM@jP0eWlky#!%*rv$(?FhoO`6?}(; zqzK^5y6MF^>!BiI-{ilgm2TMcyR^xyKD39c-GB|%-U2e)KkS($qqmcZ-Y)b!%2lLqD)x9g@S=MwBcBU&Dv9{_QmQuRW2VlW|M;?UFDd+v&`$a|59}Ys(PmkxY zo_U1sQB7yB`72&-x1FRREpG#*E?XXAZ}tX8(IGr;fx+vV&EDs|7ng`nf~hOJ4*DrH z99w{sqcyT5OE)7s1ez{W=(j59 z*1v<;1Hwx}P-EY}{Bj!RG#Vtb8oqBBeT=)QDfGK}!e`$h$V@Aalic7s?~6F6Vm=-#(+ai$ z6$b8*i5kx2hqw+RL0eoKvkr*pWGLjiN1vJ<4ngjY=F8R>LpSg3Uf8fT937`bApRH% z#y*tQvSl%eW&xA!mB?4I<$}tk7PD-HiwnUv zfAyvRF-lvk>6Xo#D6p*V4N&(JzBe8ldcsBjo^5mGlg#ccDTDUJvYgQbb>9s@ih0CD z9irHektr3Ca>q@a+E;{d+P_pynzLW3oQ1Wk@V1{Fxh!;z(TW+gIxJsj;l zatq|iyLk6OtSsW9#dc)+^)!Rm-*>jnW#rXGv0wxZ6`F;V??YT?nlsEWJ^&;pleAohr#o*rfi*9be zHEd=0Cu(`)9?owJ_v{Hyq>QjUEJmACAKRz3!*~y5=7ICo#rx}?{#YW`?_4mh%{5h$=|%qG0x6{<^pE(nbX45 z>w>@fl74w|(L63L#|}>M3_z~)dHzH=xYeUZd(1RNY6ClJL*+n+GiX#FSBT`&BM;(zGk6y89Ws`W)Q=EV#=Xn{}oMS zx|s#1ly%R5u+aMBbW_~nH&WV5OXH6uI6}t0+bom@4c`gS=VrYjnnx2~Z|EXsM;mOR zL0yp*Hdn{ah=dkv>QhUFajD*6I!Fmezr=&qtdg-E<7!+(c&k%;r@)4oRM?oZnICdm zqS`|Cd-)jVneh`MwBPXL$A<Mn922EM>ET+dy0U*C1o~`39jM?LzSz?7mU`n_fP@ z&OkUMzF_ngJSM%?qWreE?n4Tfo*}uWuM7dCU<1k7rYsgGU;6>4>RzX`UXwC{Y#TnJ zK0?jYc>0yk=y2Pr>}F*_VwGig&S5` zJN{xr+XLa4y)M9gth!uhvbbU#Da0;L{6= RC$o1#>2bP)e{l=~)kE%LgjTCb@pi zh7~?xXZpUg9qd}Gdpf6Oi{{+Q2CtGF1Uk-E<)s`a9>ZDkJYUjnX5kmNV;K{$C)93N zNfz#CeK^3@5)BL30n&mP}Z*^zvqTdPr(*Y z#+J;5*|?-&QlcIl(m=FSjW)$J{a~<0bxLzu%+QL3H%W}TgoXzb@4+@U(+U%(&v&#t z`=L#ljdKjFPA`0hcG0oZqQ8b%O&GXkwD~?FH6>_Y8ZG58<9Js8)ejE~gWw?=YBq+n zqLL%j?`jN<1KVp`PhJCdRilU!Jd#|+6+4gAai6X%y^eEE;n`b?>|awC8CVd&Y`o3c zYcr%xzZb{|DPoB9U40$oPY+dXS5QAkp~r0e6;h7z;JOigu3(17Z~UT7n$hnw@E^>Fh-b-Q+CgUwNcz{kI>%wFqCN4G zzTraqdZG2KVeEtSjKPyY`qEbE)?U?b#m+~@^yA{O)Xc5x}zy4h{KH$$Py_JQN?38y(n98$+9q?8C`a=?KBtJ-0DuLM$kH_-sU;VUH zfmjGIqS!_X92pS~Z*j&`ti}gg04MX(WDjH_yl|}EOLUt-<@+$EKNT$;8?u7YkjYo z#&vKnsgtC|l0Ml4ZD!~t&R+VQr1&vI{`5`2{QKhU$F(Dn&~5=z{_U}^>gkdHE8C`4x9NXg4RaGqPQ)?xHZayNJH0A{ez?W431=5r(PHKJ@Z>5VE3(J zEVHr9Tjc1`^XHa;tkBhYmo<88t;L}QkJlK%xVM|4ZPtK{=XabNuBe%arPfvu8nBQE{O-*XsZI=&$2=lNl@>&N#12v_( z`O%WH^ow2B!P-*e`;_x~wdvMvW~alHZHN3cUqzb#5bz$2-pp^fJ~uz!8t)3QeWVg) zawAJ=D^=2#Go?~6)M?%oVAU1CfA(RUsm()Wn5bafX}IgUY6VnS9;JA$r;p4_tJq~C zdId(ZDQIr7hk)l@q=iE>?z_V2k5A4pXiml4W)6~LEyCF!1+v}}Vb0w24^zp0SwlCq zyX3qBzi^=xYHqGChU#2_G9o=WTz?SI`jRFaJ8u1aV?KP&HctOGMQVi4=`9aG>u^$e z9jxzL{3hlRx2dsEdZl0IVa;eg+aoldev{$i#YaJ$ZXlg{RityKQ{OdsNdJ6$Il9op zb6Wcz_XwG(1cJ{aiD)9Jo+2!o_{ZS_)k$Wd{P#ZYi~$CG1QAx`wqd;E z6fxG5`h>9+l9YHMA=r!I^k9*G@!Ji& zowCEDt?rkz*A-pl!Nx}7%wdMqnoO`o)GYhyUcYm6zw#;{gJ(u%!_~H54|g9QLw~5B zAxD!=_P$TIQ*_UwKfeVS@7=qvUw?32UPuUmgkyt1NAn4r7Q6!w3(PL#^wi)-$oC%t z8-9}BJD^-t=@;6SY;On`kEAM0oaB=DJORW5?|!LTEJX-)s0M-t$29TjaL7Fuv^ws5#@O|IJHx@Yk*1WcX%8_~F4+!;IUeYLc(uZd!iD#0%k*>i*wO zGJ5^X720N=pop}<62M%&!nZ@R=nj}%XCfDD8`|m9&c7dO=!Cn-GR(DJi3LYR?z;Ak zi7KtIY&e`F-a7ZC;$8d{PY`rw>tc~fvUK%K-{rZh&EW|U(^x=qs(kINR9HFNZ)3vf zuL`fcKHYsb6W;s9Lj#2$Lw-->cfu=Xvx_ULVF0>K+*qy9LPyatVMA-XIP=5idAl7T zL1<;y_;SrX#hDf6!&1GJdegnOBKS-HYSeKQq2@xs)lVmLw|BM|a8`}3XI9-F88H`h z!iEm@K}^-9@(SVs@jv!AVzfo4w0pm;J-JzHSv<=7mds`^#U{U7pEdHH-PE0#?lI#8 zk(QF#CMHwoJwZOWe0IGUDn!YMdf~JA^AXNaTrs@3TH?2)`O%*vTx9T_TjP^L3ZbC zIjRK^ZG3Nwf9NAH_*uW=RIMR!1X&r)ev~MXqoR$3b`K-Zzq4!Re3_J(H!+q-U?}1v zgorN}-&{cjZf4nE-(0|8pU}(;g`MPUw@%+`&snRgbOvw7#2!!C_fI(s;=jr-x&LJE zC%X7L&=Y*2^DwyM`p4|FieTh>I0D9q`xri{2Jy|<;1Sjf9u#x zwomuvC6UUDYT!=tV$x3z>nl+)RVeD!L;;w6Nr`@1XrwD%mQw9TY`4bVGpI27SkQs~ z(i|I&m{iU(Gh4BF?r{|_aRVU>B9zY1d_dK0Z$4S_-M$_0?l-o3^hD#{lE^s$XSnT_ zG)`4m8ttCL3qsa4l`~KE@^N#DVV}cKf{#t@o|&fyGuCAE3ppm-UmSOm=?Ow2*^Gq) zzSDPS1)D+VoBdpS4}x(Sj}ucBQRNKG{zANAWwf0VQW0WrSxNS2*Th~^Wd8<_!1M7P z>G-85uwK~3R%vJnf5r4c#J1Qd7yH{r^p~v(;c_9YeXrv^`)w9v(bijN~80;pu&@ zE+vBfr8gwFuw+lf3w!W)C@ZZA2mVpg(A{0Z`c0P`miog%=^;ScQ(thi?3f@eVKE_m z3Id{A7ZSbs5zf@Ua_mzW*kyzz?sQ5kQP1ot)8{4e`O_n^z(1pQ_wl4FXDIiIu1(mU zXOalCrX+hkY2>%_>uG-A5=R$GqbAn3Qyu^rgG#|o*pmyG%@7nx;52t zBqw*u@dP?XDS_G85Rd2a%o`I}NHMR^zY;bP7h+j27Yh+i7j#jhpVi{Z%$BU)AdKvY z;b|?GSiN#}pXey$(?-#`Gr#bdS99CS3d+LY&bmdzDK@g%JdJ}0P_1iO{!!Z|j5K38 z&@=j-55r=-@U^%G!jz22&lp~W(|KG5YmSk{BuuEU`h&xf>#l22Im9`ghg#SabywxsC~Kj#)9{2sdH) z3_KvkJbQHmEQuq!L=r8UcTz|sfo$o=PP;xZG;rIiB*=Uiqt7M`D_0*%m&Z+OQyVM( zPBlq8tAr3J9}~{Hk7q&aT+XIpw$IG>8|B3@_Hw|HW!~J%Hmth zkmMwigW~@naE`Z*-aLfrDV?-(M^h;XpT=QSN{DjqGr-CT_jSL!AF=suu8YlaLe)6E z#z?F0s3eWy0MBTfzyG7z!VFHUpwr67(eT?CW24E7_Z#j@BE_YoON36-OP*t>MBA@z-sl#ta^%4Cc`sq;U*!6y)|-ZpxqhU87dx zHuDcCHI6FtC_?z*h=nc9W+Ar8ZF21$jfR6obGQ-Gux@}cS$AhwZZTlLuo_-0CaluC zc~^8MH0+SvzV0MvCdA|hz*fE5LV`NH>C#T8xx^j^)IN1BHZ^ zw)sU}Ynned$7-!c@<*guRV}H1;q>nHTnfLptN*I45a7K5#+P8c5AE*3V(7fwVwxYt zmGwD-EBTy2*<+S_<&VbM5t+`vXj|P?>a$e?*WqJqXugAbgZ>FSADf^1t}kPpI3VhdF1sXWPaYHdpme(A=i zwe+jhctG^>H9MSi8GBnUs{O8e;KrPPSwXZNYHdVB0JFZJ=^~olBAszsvo5VYTK5i& zQ+e7h&2cCYEn~{o0YXbxD6lrHvGJ3UUDVJaA*YCe6@~<7l8wG0eL41JDus8*d8%hN zHBwqfD$@&5VbpY2KPp@0v%cqZhWxsxINH%f3}cNYT9c&R>>s~=%=5kXjVkSlwneeD z$WD>|6SDH5pt!aeE2m%U(lpH=0}9miep5`^UqwED0X=Mz^V~cWviM29Xksz^3(kK7 zGJf1gb9!PLJN@^Tcv{zlJK2$>{^qKY2ixmP?3KsA*}`2D0bD*TQqqFT87BEPE%n+E zO_@Z8v28C(PO^Z+xhujC{_+@`lV>a!i9+^9B9O!^mR0E7?;}Y9^s@T5SbV z3E{&REtRKcC_hf~{f?|OB;gRRH`$hnkKR?R%7o;fi(~a%^jUrZ&{pq1yhs8&m9@)1*7f z19J}aXS@Z0)PTmEt4gvBzDDDMFQoRfZ5d0)v@)jM>4Jmx!iWDldvoJ~5J5>8V4(hP z6?Gbr;kz4;AZGMdJiI=kSOjPi#rz)4KXzM30zHR)BRIv~s{yL&+q9Kp4%b7Aq)qr^EyLNPIRR)15q#~JY zFeH6~=+oLAOwQCV^ePEr6SFMqiqnQZuyO^88LTUH{bA&#T;Xv*@#xVU7JABEyyG>( z!7+yP?6jJ(EFA%h;x1XpLj7e)^- z8@cGi3I5x0{7-IX+!}V#1qulDV%dFkcUAb8qi$E3%5gmjYgfCxf5ahMyv_5X|KgMU z?{B&v*vLc#p()CRO`&@{?UZY!M}lhfA7){JFTI6bx7vK(e&FO02|=8y4Mu7d84n;m za-sX#SwM!(gA6Y7Fp`B043HV#<5_}EMy=OG9bfXU2M|rf>i>cUhg=T8t!bbg5)9Md z#hPMw%RCeq!`6UXSlM<@F_C;27bX=g1}$0Pd3w0r#n=Lkus6(NBqiq@6&kV;`Ths6 z3%exTV^8^<5;q48@4%`^CmO6FMV+SNUl*(24D%cfBcGPOG5hZ4XkqqCfi$~)MPCIX z1O!)uU~L&k%BB-X?Ya~`^|LFIF;n<>jA6TC(kk%KB?4HFXVwxy|DV*iwL9orjh6s+ zTAn`B&@zeEtD;n=xxMOlnZZ?;;k(58=Y_k-?Nztg!=5{HT5c%WYo$epRgT#s-n3Xt z%!vffK1HV$=vH6NZhGm4F2v*z=07L?kvTc)X{ns-UF}oVfQ^e|d601%vPI)i7OGEl z#WMajMF3ft{`4@YCZIsY)!{`ZzPW7;(@=R9^ho+zz2I0~fBF0Vh^7Z4g$8xroFH73 zpgQ?$DIgBY~yFkI>DNo{Xu>X_7yh}$W z*r1SSFZe*Z(r2t;2af2&qVx| zMtssMt@&mZ(AeA{kWC?`Hz%JNw0~TJQDrxQ!K8nP4J%Pk5Lz(Wm?NW*;{957F2zzm zn3Hzg1Ef(k)XU2noXaRbg5~G3p*MDkV;mgskafRCT|p!}>33tZGu2oWD58+3V2ZaM zY9rH60>cI}?*oWAAzuB~u%TXfn_7|A+s=ZIJ{KoWgZGc83kw?)tq9{!>g#{=;m|S9 z{RgG6lvMa#U)*Gp+WF zFk0;Uyn*XcGMB5wZ-LQo5IC4^4bYVpddf52bPutax1kh-9cEIt6m{1IKKj%Twg&88 z&@1`Cmea+f=`w1tJ=W15<_>koGN;Mru;JF9%U0iww#eQb`b>iWvtxEiC(WaA5;gzE zkTJdLlYe;uFvz5Lkn!sId@tKLFWY$Des|y1K_n|>EDO&NQ*cE6k${|6D@Z07B%5P;f(mVVrOp0spXA ze8ROnOp5M+YNkfj4;3ZFsSDpCWI|osQK&+<(^&izbd~KK>$T^Z$yQz#*}GS#HJ?++ z!&%KoRP&Aj=L?z5ddUHN(JYK(=CGI-^~B$q%50V$)NuIEE3 zaqMqJ?#D5F9aoNG@Rn5rPhY|(S?zynu>Y{4gKA9Ll=W{qn^q}<2iO3s=OWOY!v-0% zn15%?rfVdV-)78i&AoC(|6zh7T!AgJMB-k~xDeJI-9bv_YS_AJ4s6pvvAujNdqsbY zMl<~M*&8gnkT)98FqI7kk#?-*wW#)33l^=tdN~D^JkQi!&EYOMm8P^KrGC0236${; z;WjqMRxw@JvACPXe&DIwl6v8kh}QxLnH}p)wnI^W+8U89%*1!?j*dZ~KGW38`J%*U z^f5d;(_--i&^-x{qF-8uXU2= zA;n<=IC6j2jSoPOU1zR81U?OO-Mr909X_{UF+zwt?x(8%-jn~&+il=Y%W)sG(FgbY z1&a+Phg5olw%8nhlQuC;kP!O33MJ#I(u>SsA#c{NTplk%MO#+~0`0%CUJra!gDXW_ zw*5>M9#{RA1wVgg7k%!HXM$;Quja1B2w8VmF14$a>qhj|8#dvqw-js9@2gR*R5*P# z4;`^ZAGQm8KU>cRB85W zq!Y|0R%NoG<2lI_suv|`lqsKK<_epp3Zd+~Si-5uHx+q)>%baesSN|eE~IPiHKQQp zoccEBZXI|oD9r+mO$3}v4-EH1muCkp+Y7uZ%+`2Vl2 z`|qB`fRf>Mxu&3hK6uNo#P&MTcA4`25689x^XNo@$+!3f_pc+n1Mb-%-oU+kNQ?0V+0Y>YBV=1>>PIYETC&JJ9~HyE^R(j; z#%Y`J0X9rA!x5q^l)UbF0Q+F~5E9#~=9w;rs|RuHRd?(|6AEmvl4$FrNTG#ICYAbi z7@$kDpRI~!i|`DxqP?m21k2XJzk3$2|NXmX83c1)EZDjSG}crDju63@BHl?h6j{Ax{YMRR1UE#03;yfO(m|w>M)#{^)G<0gxhWN06X{v`mJnw(7EAax~%&}ZaP@gIlY^Nw}YB%urKXp z9SI282f3nl9aPR>c?o?9JIJd;bzhkqqr2DNF5zy~o-d*2hcAJ1Ih{r`fnfo#3n9I_ z&zu)_Yd}J(n;8%IER0u|tD^ma?+Pnt+{&k>z{Y4D$WF|Qr`>n!hk%H6G&M+(mV<~W zfd7ld?u4BE!q{;^%~2dluI;)M1!kl2n;?OI{eJ)Z?NRi=lmU)(_+A8>r=@pJUx!Ue z8I&5YNC)=c84ZMBy{61;(0)wh|NW&%5y*-S&(t}3koY2&ITX)xQ*RHEN_^NJ(%&HdBVXwBP+OIaVMp%M53*GF zf&vxeiubw@8RHuktpK)Q@^G51JKkRVyhK#=wC_|b!!;glOBAFbH?&GV;RqgK2zw*W z75G!@Cd3#8CnA5O!5zS;$#r-iV5Ck=k@^nlL?etL@aPuv3XHk7{%=%}YNmTj$)ICr zDb9K_ZXBsJh=xTO2Fwgrgpb}$fDPf`QkRWu$9vDKP5sQ< zzAGNH7<8>6mS%ZJ13Ltm!MqJ;zs-S5k23J_xsKC^IRMp_HMYmD`>X<)p3BD_(%n8? zz|^mEv~50I?T204C!2X*F4AP)D&yCIM%EKR2Kj^F*Nb-(zDc%ezPElcd*dkpaQ~rO z^881R$N6wQU=FhmRxwJqz6b(aMJ?Z6UWCFf8EzS}tZqA_fKNQ0y7{uDavkU#VrTZg z@utJhVqw|KD7PC|O15;TZ7+c#oY-BQ7NL8i|LHRvfPB9!g`h8=(_#FQQ^MBQ!+SQ!0qM zhuOPdiVa(rvkO}6N%NcZXlq^sGA36=E!uUwc5}qEQNPjRF!{I$eiI`$)8=?lm}j)P zYz-~M33Jj=YyEcr{cH-l%&gy4+ZXZ*o946;YmgVYA0kx;QZYjuo$W+rN<{(mcA!m7 zMZSt%w+r1>7}bYCcb?W7C)>6^TCD3>EOo!6o!_>Gxf`zX8sBp5IVU;AC#1o)rw_-)AcQ-O(5_M z4CFGTnd2!Y`4OO4!ma+7D%K2%o3D^WvcL;jEZ*c*&@v%6IU^gKOd6l#WwU3Nv_NG*2mQTZw*CRc1F?`AmsAk?MSY z4t-IoA(aQQTJIlP@)s&N!~TyCTcIjl5qxH?t8^keORqL*ls~ zN(xchj)6vK$X^>z54>$GKiIZC)V7M85oPz>4;lg{SL1Ip6eIan9oy9??G2rs8L+*k z=gG?dX&k2|jLX6fMn?;yg3zs9c6nDRH{S8T_m$?U9fbg&;sRgO7y8gFT=y!S1rb$c zsBK=BWcY!Y@Fhd#6@*c+wA$h z*_mWy*Dhb3%%lv5$9Y+A$uoR*R<%-%cPLShpNO@d)-jZ_ERJBNsZs8hTa2_rl`zT# ztW!9uhYHC;3N3H;VS#N%&%y}Cf6j^C9EcvU@iVY?{@``1{ap8dC0Gr|2TZff8HGk1>=YH%SA64L(-?D6Gp(o2g5P6Wa`s8wuv7wex z@Z)D*MJL?(I5{U?w=M;}w}}!uj4$a<9F0{ZS;=vNp`Fs0q>XfH;Dq=8u3~EtqUgbY2v1pDQ)_4H z$278^C^I+jdP-J*{n9k60W?jxjvQI@F3Q-`29@oPzm%1K(P)G&tbIA}Ip~i2p)YiD zm`QaVY}QV35?UjKF~xn%zOPD#?ruK!mG- zG`qh@MBM9-$-X_KTY{$6F3MNT{J{QIhvxA@zit zg`)o0X9E9H8Ax9SIh1Uj>27lYQbFY9u8Jh}{Qg zmXCQ6B>Vm4T(HT$MOW(ON4Yh-N*CTxKx|CuuiJG8{|%I64Y9GwT~MaY)FFIuHTc_^ zq`wJx!lul&2pt4h<`|`qWM<3)u1}QmYF_bm--2$_sdyahRxl;>P4u`p^kF6ZWCnOt zYAr?2xd*!jxi>oV^b6T*@HUf=gLd=a^8FFqwBrr3Arv6=hdCPcIiGTXkwqVO?`8jG zqYG<)SFrw$@a{HhRuR$rT;~l~c|vH3?|{jc(%^&Xh=B z9O@#wm&CRRC*IYz*62kyjZ3i8DY*x1jfgvQt~pXEH^OvOUTiewJb4 z{Gz#>!{Yub;YNDmxRvIxe3}}>wvk{gK?9Uo>`}UzA-pqu2*A7Xy9Qhxg)o9|B&6JQ zd2$nH-*iwv37|}sblPpV7CCOCwKLIU3(mKMIzs)r-b7yZ`lEbnCBz|?=%|jplGWtJ z6DX>SF|*o!wIWL^Z`qSor>aQ0zrK2}8OPsX*zg^9T3S%gN|^gCONjIcG(>T?Q&Jsy z&rZ7Mlz4?9T4f#6#Dak@E{(+&3Vpncg|f6mIcgfawmcb_XaUaTNq=iwqBXMGrh|KL zKNKbunScM+Q(BTei%Z~xf!a`HTTB)|tpyII2XRcH<1zPRKGG%Lv6M@i8qGjo8D2z+ zy)i=5F9C|WRZq8tXNy=UwxAi4pM_hE@AT$&R+HZDNH(CRjCNjOek9!=N1Qw?bdff^ zbR(+vIuqN~Np_WcJmkN#Bex4eAu?0IGB^z7s}ttrS;rr6uz zWKMTwnA|~6zZq1bf9d?f(>VjRzZ+(94Ax9r07$%c5D(r-&%Y%|@3O6JCIed<^F+&v z{T%w=LbkWghOSR(Ef3hT>ECsmrdM@QIsiA$r+X%sI*udilAYEG+O9nOFCKlB!i{h1 zM{JN_l7(ok2e|$<;66{qF<75339*=H=&N*giHOjKn=dgLxpD7*%4TJ~Shvs}s=N@v)2A%6$UVA4RIdhRbcCTSTgqwLYX^sZ#H8_ zb$7Z;P`X|I7;1Y_h$G7mi(#2)B;&=P3&BHk*Ug=XB{<`WWLX=S_peDekF68a&{Z>0 zrO1)x$9OGLC(KjA*q&K15+R+Kll$da=v+`Ek3J=u$2~#pL+w)n&j9f)me$l4&G^bJ zZ>)jIo2B#HoJn?4liOL}0T3l0s*nA?TcR5OLzUbi9`x6-5V))avsX{YGWzFAkKu}#z}b5%>}L{Bt<*^ucP3`Q}j^g>}2^zTYurf1? zPHAJOqr{d(A8^Q?iaB50CJ;XS<6&LpMA{M_j%|h-V*5+kJgO82XK}6J=AvN;bg;`h zzv>u*NdJ0{d20qL94R)I|6n~P9qTIuMFRcEQbdB+DtML&-7(3eN2fiiZkWPY5ns_; zT4sm23M@yd*(Jakc1w)cA44)fFQVBG3*}O?YEJwPSe?E z%!}UI1`P?$?8Ad~;|aZ)sqk*XLp`3{0!euFqDJ_|-_NMNe(Kb;l7%d32cA%$_&HOL z28q3yKYOtli9>NYWQ@Ns8F}{gT7ufNQjR^Wy~;Xy3B!B`;Lp9aswku(^}=~|NAUQI z)EBk=C=nSK=l#B&hiFCSFeykndxB4lmTA0@KUb!W($=3z<&7}i1dq(JFPRABdQt#Q zc>S13q&2?bPFE%JD8CGlh)wJaYL7S8fDHG_V`aVYW+&?ak(%Za50hi?px6%yyu4_* zac>WFV4St}h}_!_{BzeH?*L*?(XV(0oj4Ty1zMG^q*uwvQkN5tTRMp*>I8lFak3HI zA$G6tP_zP|Y1d(^AG%#tcEHB#ku!3HaHWw;oS$s?Qg(J~>vf(rXHJPd`)rhu^|dux zcLLDxCeLR8jBDjVf%sc9%SD9Y5oZkfe^VH)Kl&}pBKI|g-M+b}C?$2-w; z>wJH+7IoL;`<=t^(>Pv3?^c=t7avCJra4E9;w{zDGFu*ynQp{dOCsU7AKiHyTI)}HixT1dJRpm z?~7bKtJBK4Obq2)(;#>??qx78Pa`D*r`>>8xNsEfg1}YrA}&_2K@5~4J}pb3*$KPH zjiKU!+r-12ULxY1S5Akan`<&#i)~Q>ju36^WB@vmqShb8ZPg4c^z>75iwO>dm$Ob_`MP9y+I& zPHU8^F!ZVa#T%i|R+xZe(UFD5VD#><+*}I*tg8;#rRS&(GKQYV^^s@hM7l>g|&mLXRIkh}`8|7SCTgr?&1_ zABR6n$#-#|TeFYls`@p{@ADik2WNNlT(8^)n)_K@9n5h+_LJtKy@NdE@)s$0Y0)du z!jDpaJXSJ%3mwAcd%n)SKa6xIT+(yKLE4HH9sKP2Guk-rMquywB6w`^*XiDOu={63 zUgV1?@1*VRXK|2+Ku>Ih&C3^lIYH6xZ{y;K(NK`pE*M=m?C}^$1)SF~V#8mqYlC$+ z@q@xeopaHXo}p(YMP5%k$pqI{+^KbmU~;w2POmZ^#8la z{eKFSR)W}W8w38YONUe1L=zm}PGLEC6Ys_geX1-1#cz5td^fJZN!-@(!_0PZ@xo`+ z1<(A+OP8In~}RCfqIUY7C4$f)jT+d?wtjnYW>scM0F*@TC#J`bHyO z<#gvaZIb|WKA!uIp#F;ItHr{0!#oB_I)+Dkv$tsqqn*}A+OzU9^<5Qs-yOV2X6&eV z@@OSjZIr^8P=IFrfQNt(OS)eAaoAHeY4v(!%Gi`cP@T0uGWz@1;OlERUWER1H?Cu2 zd*VkO`rebd_WYf7r2rujUGR0;xGUOxTQYq7!|(0)zAmm)Bdql2Wm300&XZRHSPJae zh`mx34&G4!V=F?U4@B!_F=c1~Jj-Vo$I6#;)H;oH2ZEx?n5aBpz!HBg;-tLAw z_#)eXB`X3k0nkv?r}~8DtQ%*Nr!H9`mT%P4<>Y4spZnv<&%|+>R%{#T2+{98uWX1+ zcRgpb;5-SH^gzGXtDS{XGp@5?bNh=QX9p{!ZNn1=8^DC}s|q=dn(#MWZsXho%(x1l zE599iQM}Y4F8Echm~Q*hE-(pA276w#WQZ%RPMVj!4be8L;Bt9oPTe$!j8ceYy+qu3 zDVDliE**$viZG-+vy9o11;c+0J8yNY-w1cmOyXzbQVgIUAA^0IW#pG7`Zl~h;7rY; zvHyi}ngX*$=O9cf&XWkYMx03wdnTwm#e8E4skTqOoW;pB7$Ejg*Cfdddh(sCr zqre!mMoq6H|Lue2hiKu)v=V>--)vJms-7jH z;Oy?1O`TS&GP+N)2V=L4U8Puj|C{5?O*3pOw*laA%nY22Z?>G?Ha zxr#r?zC{ZKh?Aq42>u?alTh#JH$@K$Uu7OHr2&00tN3B_LWzQROPQ#%1<*HhV-25#xMYcRPu{XtJFJakiU3X6Fbm56mkmfwfT<4SN-Z(V zK;YqceSXvVQK?@C=Xt9FZdvc8GeaonCBIffFayTc)bk1yohgB0cqtLI`%rdip=VDD zqbFt2L2Ikwe)$V;+JCaP%}`cElKdicXrK3PKVl6fllP}8c!<9LVIe7wE7VXvT^}yE zH-_M*(u;1w&J@Cafv_9CD?qEQ#?&4h z>}H2W4mQf3NOwg=Q|Po+_FCpRS?#oZ5XKv;|(B2SE8v`Dy& zQVl{~2Pbon%We~Iv#k{kLb7de+d?97(4;}0!Fp%|8m|{wc$4xW#jW=P^ zxs@ShaHFi4o~6Dv(1a0z5_y7{m}};Jf$;Hw`&WcoKeb4_s#^HNYEZjdw!9{yX7{;^ zI-3f{7owtqD}0%dS6m#Uq@5;(eTra<>4TBPxYWqwGdKko#dx7SQ0xw;goX*dB7s_>}FZsv7h6LLWfs z`x}HO+=VAa_cc#!krF3EFkhz%SB6Ii&2i!TBRxOO^4a`fw|n$eCDc+qle8J3{z}z5 zpajs}*|N8gu1QlJ-o6zY1)i1nG8&A5}N%+Vw$RUVMXxZ zt+UmfoK=<;l9*-5-*ro)poE*zIN6_>ySabx6a2mmp}EYt`{Ha2U;7*z#I`D*oDYXd z9;yUz=O$aS%FdKK7-y zgt-qGD9YDsJs;O}zv+x(J1McbzL>h&N7&>kX(c%YT7mllZT#Lp2KOl@jRozKz-Ry% zD6Q;@8@wcRZ+;VfBPDj>_>V=)^0Ntmr;B>n>+~&EAg}bB=kEuW1Y6eb!UFNel6+}w zWfh>STw9=eZuvaJ<(KE`vbUL7OYLbB5EkyAJb=|5ke0>A#Wdcq*Kutw-w^9gAxp8p z&$S3kO~?kuA%9g*HG1I{ck0>wVqCaXR}*~!PpDN3okY(fkmY;6{;WH7NqGCF9_os| z_`^5%gcz2J{E$%?Wl()HM2X8S(mpQX#zxw;eghwsgFp|w541;=K?)YV!d$a;_mj4h=p<)y7sTsn8 zdh7N{fas#y`xA!yKi(&hw1BoDEc;<3d1Rj~GO<79&D>CRv&9a5)_J+p5!O|{PyKYS z?)D~Ke@R6#=wkH6+%G4YBlN7117=)(S~PJLa`mK_NqMBj)H-XaG_JIa)~=bUka;8a zV4#qb33WujbCae7xQtV<2<&1{A*HNBpC2l~%rHq|m0A$i{34 zV!agt9#qLH4nfi^0aF;vJ#`oR`pwB_!adZB-!L;6C9lEzY2P1!$$~C0x{{_%`C1lb z;RwC2##l54rS5sg9QOGnK4mvAz~%?&DLz;TmD52#7V`hR5+ZUfUJoELW(3)g>f3!R z1WX=g)r=Mf2w?;Lu-iwAG_7@O@zn8yxFsF$UOvX990CRL1R_n|iYBM(td{%S_&ztE zQTQ-YV399cdfHFWhTX>DWJS)?SjaS<-7@TZTZ?1I+5Jj@(TOzj>Q1Kf4oie|#H|>H z2cv=rh{v!D0msbQ$8ICyS@F4Aw%2^0e!ey&UAl4JZ9d4_ zxkEiI2#e~;934GldV!V*q8*x&v4dr!n-W65i@lzH7_W#cefboUgF%AHK*on zdS9|Kx{9W0eY9${;hee4-MigK+0aTpJAmR*cpSyp6+^BL#0hq4k=NNNEp?~=D#UV9 zJT}TlW)V7bxwaQXc$8R$?)B7dhFpgg#QDugh$LvVwG%&wwTuny@V|MW*^nTD5W(rl z&6a4{kwqMyMAWkU5%^8MGI+OkiWOk54AO>)%!?UEIQ1(14l~JMZgFMVVQ$XiZmJh- z*k)<3qWH5JvswC5$zdh3&QaSv28vVKo?LU>I@?LE7?k#tYc*M72kzI9Rl)Vyt2Zb; z{!wb2I~40SJprAO6jI64`O@NpKiaE}igPk(>F2_MxBT88{r{BcOG^>?qjNs)aZJgq`Vw#P;qnvt-mDtk zO_?`m$HTydlcmsK39b3{7mM>Slnr>u9Ikr@qmV*8dnF5e0GsNWJbFuM?n28&BS zyscrXh94A!MaTI^LoP^-BYN_j}FR-Pbk^ z(_cR%qBod&e$UQ&ua-bw1$dO#X%Y&Rq z(OQq3SjHO07Ohec8hFwwxPgaayr+Sh@KF14&ZLX0KFSAX# zmT5+o?bkCOM6M+q6N(1v)D9)^B$OxU!ytN$k;MY#OK&~Dd{kYRx6wjo#o#Ry>Y(Y& zo!Z=V2QH&N3dU#DE@Qw|Yc^*mlk(}dW|@hx7N{w&fwjEnpI2_g)IaQyqlh}p=X1G9 zPf=25)!@E7MQ9>NFN&=X>vzhjT>Yrn<%SycM6+gnm8 z8}&G^%T4y4gwmW9i_M)jC~e-Bot~fRBc9{3nQ66ZQsuHPXKZB%6OSL}`W@bL|EOVI zxzL$>htIryY9cQ2lGesJGG^?vvGE5Ui?8*^PvRcysr8){O8r@P8hP6kqrQyjcN_gI zC5oN8u}r;5=8?R!}7za9b8xLnQyfIZX_-IlL(I21eKp1c!u-s3~B zcKG_a*c7RN*wJ^bgFm;{O~{J$-w&VGpZxMBaLM$@+WElgY>{P^>fQcl(POE4jlLhL z{&R@?bkb% zkPEk8Z(+}Jc&L23+h&{o0;`;AmTNS4J?PAuI+Cp>`NP7~_N+j44*Q$4yu!LABpVnk z7i(yOTm!?rWBAesTE3}k)GiG7ypS|OT%1g|tUX?$7P7e2RhYh|d%Qvsp%yYJ0F6F! zQ=W;BzIHSY%tcY}C$dE}x5{x?qTlFnjX&#lF_57t(ig%`Xllcj-V%Q|MPzh1OS_!3 zvht3N)4{pEzhOk_0bxGX9vNd$sCcl{=yg8)G<-Uor&#+r*g;zC()fHhX>D!UFU`-* zQq2X-lS9&i%#9-fU8onEjKrGh9m$-~O@q&+tY@x| zA*Ex`a=FNe7x#7RcTg+}=IUnUyScWTq42g@=Bu}nO$gz~_1oFHH(Wnenh0Ab`0qaP zj;g7?=T}^@T+MmLi7Sn^VbG1UE13?llas3P_=+utWSo31mau%^B`bnZNQZdLE%D9q zP7V>pEZRcw^}(<2xh-FyWg^`PCT)XmY+EZLOq9x=dLFv?MR3|mgHT zKNMJ%5f7ik+*gjp`)jWYFQrJG}FZPB2 z-gU$k1KOX{%Ql_)T2Jf#7BLf^{p^aAXJ(pjD}=x0^`=5ai`MtnxRu0(mD0WAtmVBi z+Ltk_QlF=Z=F*}>X0V#NgGJBfd0L?c*KJ?Q<}Zn<&T+YBmvK7h?nIR5*dACbTdqpeVrIcXh zAO1pV2=d&4vP)&0`3NP2fAWy{`b$vBdWiu`dN3cFksl1(tyxGs6*tOwHZNmI(B_F= zMLV#6Q5(c`qXR3sEKGk+#lY!DxhNppb@KsXOkS@PJPZG96_}7ixQ=%_;2T&L1IU@ zhgLHo%G>z(8tqiS?Li~Yf}%nXw@vhq`QFpWbe+Zz_xMlc zHuI${oh293UC4z%m%WOKS54(_AD%K}J=!lA#a8||Yl^4boAT+DknLCXQBo)GRV4l2 z;Ry^=oy(5q=1f;91Z%oP*-BAom_!o#p9acu?M?lt^3^2E1h}sHs~6ZoZk`>nT&7VI znWJO?#4e^2r}jCBX|mM2DCDByuf9k$(QgUlsYAy})QV)wE%rlo_5jeimfm1+mI(HJ z8}Q1%D#)*L(Hmq}UWX$vD+y-@{ujdcNw#;H4v?AC)a}PwIp>Mm(Uw;Xf>}W>IdX_1 zR>x76pQh^e1bSb)&B{(Z$MGI=G=7v2`_?dEymX0xC`d^Nq#HL5Q%rGGWMw)HaR0z} zy1Df6&QEw@qL0pU#<%b$nln7}`id>e;>|xx&@26M?YqWY&Jokwy$?WS84~&2ZiK6+ zi7_s-!f;0|JIqN6PbF)I({4L;c`Iipao?xykuyhQsnY)xt)d=Ut^Z&mn|s!QIPK@k zxzkhW)_kVO|mT@ z{iTf2?a@W0a6-acKR5>MJWOGYk5A(t zBP}*c!MnDoZ7+A03uiqt3u$f9pno<;N9f5ltL2hun zHZlS)sf2a08z1XtegQLc^W|Qkf<_!GGveK7Jb-N+K0ZUb$FIIPMs5A}L?++)v3hbg z^lhl(oA^$n70q$Kirs!}Cp$`}vK312*0YACaa1GeQmh)AEzc0BwkaQL#-?`mp_jAY zl9p}b8IFJfm5}Vw-dGDNj~0#4@#z^L4zKb<=OMdJrB0SAT|*i>mjvH)TetfD>CjZx znQ`k(kMp2d410`to>U1WG=lf!S+&+C$_%G$cqQ3HLuDyt^_^8E4evnpa2KJXPta^| zgG(^*MZajx&63ToZO4@@elzs?tx+>yAfYWd1ACSlpOk@i5o-4Yy=01*EDcq-PZYPN zacb-ERd6!cW7I5t|C=31U91_1UYRH9oO){KbdB8uA6BK6gnQ6FeDxIJCwo2a-c8ms zR-cNepOk5Q#C^2cC~3h*%rp--#(9CE?n9UDX+b#X3g0=VCn`5b^~LoU`dwWX$u~ua z0TdXc9P37p7BWI42%Jr~yQJ1QuapdNdhIj^y&PIWwDm+>;Gx|9Gf2!H*)-9G$M$Os zx$1EfU3FjPMXyvfXDM5|@InyP-rncYj@B*a%LOq8pz!0i1G5Q)pA~RP;t11SEPG>A zMVJ5dJZhm}6%p;yN~c^IJ@`R$C7da#?xD94r|^*&#^|bzKxG4SO5R{h;Zb7DBgtBc zM*XGg9~?6Ar|Rc7sQT?$Ow@0&zUSZly<82(6$*Dk6#58D$_I9|_rmOrsOHE(oz7@p zVg|r;M;{<$%gGh(`lTrIJ1}D>=n$L)Bz)xo3#Ap#<^(bbcmfLkrIT+tf`{YIk`t+c z<{tqAd4u~7QyW6G=}Mf9Xh%tW`@X8@oX}5~v9`v6M$T}qln?-zksTXm%HiIN-B>sr zQ|Gtop`sc);Je{^{jj;iIpTR~vDBv@Tse2maCNz|JuJND&OFsIwstALzYiq3PjuO9 zgE20CvhjxJ^(IKG0U-OKUJQS{p7qN~`BLotdyFNPd5WJi!Z1fu z8s}d3#?;r!lv!-MOG^5hHPYvNSL_dV{h#BRF{>FF0>ura-TM_-yc^+e&JO zLW*CX%&GgPUN9(ie3@{GJe8}~A4alA#n~mbRMY|%cV!P9+Fc!;!o^!o3)~2%9>(Oq zmtOj01Dr$^rJ$@uV!O}qB~b?UB9~QKp4RbRb%gk9Z2 zXg3mBy&3*I!vRqLZ~M$Y_y~(-TK5id4|W%#G`Qxy?4NUTzP0S^3(Tk$=1Nwxz3mqU zE-Kt}hjzH-0y*(tNKu`g4bgdgIhDkd`sI^->w;0j%LQ>I{4qR2HDlvU#d>qc((+ zZ-xh#=35#apCnf2aKDiHBs#kDY(8NSBXd6F%UiNy%Gqn$L=Pp%T6oQ`(q5JMXU$nI zO34!K`Biez_{Quv8Y**Kp1=pn#L@P}?#iO))j8ouaIypMhF@h0r^-2H)BLvcCp^AT z*#X~z{C8W*cXPti8pCc9q5;TCUFzV>u96n(@0_k(m~c-Unfx+d5eJBoU-=y`2%Mm% z3akXXOaoJ8pRA>rOm#X3B5SnmqF96xCEfZ0YpG+qDet&qk|#T2_`RGG2*h&FBVNRi zJ&rnzNQlXHMVhYBG$xu#I8M`uZWA#IZQQ02ElXo+rgJXK5SEqfT1G!QM4aP&5^d3J z5)2l%6DQEfFxykOgy04XAxHu^o}F2|HS|6F{+?y%#o*@ZSxUGhY91>-$JJVOAZ603 z6upthv%bqEG+E;NLUrS*-q8=5qdi#IZK&Yh_<3RulLRYcRTLH0z024?d+7H?H5^=! z$Jge`Sicha-CH2j9w+qw+RaDWNaP=hb2L##WX@v3lA`b$?MTXs?}unyPBx?rSC*yL zi5|K_(W~dG>=Yj!lJlIhVLTubO2$&9hGgzXaD5bH=8;yQd-!UY^|FSCxp6Pdx8;pf zz);@_6>6pjH`he`MFDfk0*$%>5vKS@(E(j&+4YZp4%9Eoe$P>4@NvRttPtH#+_0LK zM`+z+_Y`+L1GLVEH%_V2;~E71Xb zmGA0oEGcram`tW4G|64qSp{}`7rco4QCdeMMO8L>;{Ln$f9G;n#T_!kKFR-J~^R1gwQ5PBtwrv&D^IpD5ce< z7(oks<#A~RySqgR?DSS4Qr`E?0<>FO=?AjQt0n9V#)Lk>&2gmkwF*WL?x5fkPkyB& zo~dZ4{CaefmU`heOO8bapv8ptt)K6GEdYocQ=n)>Jl}yIT%AC z5f~%lC;Zaq``f#ukpiN2XLN`cq+H6LA1lyN6vy2L!%ND1%WR|+l2dzwoA-L4hUL8# z_8PejR9(_{lNnHX%aIn}I*yoWS2L*e2l5yWA$cTJh16l|EQ5MSsY?~Y=wTKw^5R%% zZdjnP<3OJ4K#D%mrGeq^Fut4;Nmq81hMI{ex=Jgj$BJzJ7u(3Euq@if%9;dcHHpHXXL&SuRiqrsYUtrEj!a;OyRGB|Zt!c5VaDuWgGII!D663lpDo|GA^o3o$X+zkdf!aINVd8uC z84jl(0!229gMa;1ja2Q*=Hx|N<2$NdCvWd)PpAoS$81|21Cx@B$;QcJ5j3s4*8w5= zCaoaM#d=#O5+dw%xF$QX>>aveu6DffGeaw*gm{N;4kweEu%IUMm2yGsrj?TG4FmNV z5MRKd(o+$Wkp(+v= z*!2Esw0wMe-Qtf~-}Kp#@vP>Km(8E+#qNIR_1~vk3lsmSpd^+K{5HN9t$#{RfMlEx z-EEvZK2_mvb5>}UzV*Rj*Ct_9j~%K93^ghLWQy7 za$sQoMECqpja^LlvgxsRY7P$iSC`b&MOj@66?#LzAIQX>eSK3>urdc1UcC9cE9?$8 z;b$By2kown?kSf*idjwt7sRRNZpQpQfv}}6BcVFAMP+Wj;&{|^arB-R8?o3tZ+)ldv$zXe(=iqKjPJGgIiC%`{Sh)q?eg&RtQynCC(`wrPCa5>}BPImv{5Y=QR|x{j6j{w^^xcq9e|V7ED4=ckTxqr;&+j+8pxwS9QK)KNe0w`8Y2 zsq_dVR3ekq-lrQ+7{_6S=Z^Xg1GEXS7L=JaTQXfcPk3Dk64kMEp1GNP89f_U&z zeC)G)8whzv53L?{s0o<}De=?9pr)vskz|@_u(o%4rH}$WpE5(CePWdGosD;TeESQX z3@o}wg5|neLSExw7IK95ktMDKu$~uIp%qwF`-Sz%3dxj{kmK+w+~E&fN52tL^1_bJ z+1Svz@TudATY4-QaDjtQQMvD!jxo0e!9|BPO+!O<(A}?tMHE=&gNqW&JUoPcM!ki+ zXBhc!Tg^Lau=uob2nfN$cT$L4T0VJc)Q`&DD| zzkXzf`)}`?;fj)CPEsQeyxlm*FZ?|PR1lV__GgdhMOo4xghB}Yh}zYH4rCd;R_a?< z>fg9n&*Ky-$Hyj#AqzzpEzGriE)l&(qE0*no*!sn#A1Q5vX=1Ol-r@=Q8jv7Ln9>^ zy4}XAXA&`V{Z>k{xW@YY9p*We0{h)}N5kt_1x^cV`>nb6^;8%*@2!PDK~5*ZqP~6P zLDTY@GUc6jv5MdiG`8)J;IzYRM;dOx>?vqQiWX9G4totMtyRIy`4p`!Q&>oa9bjtD zx=%@&WC#Y7+%hz*TZt+0qfl%30eI3GclJ7n`GcL25|7T{VB%O^?^y8GFjf>N#LYi! zxP!w8MCl6~B{UMa2O#eu1JZqe^($MJ7Sc!9j6?y)%#ia3AJ`-uEB<}?%D*7p~u$4Ai1Mr)-C(^A#RnoekC8 zH0_0TiX%zQ`S^59Ohu9k)1^ey;Y*d|i^GHR_It=gVym9g$ZXoOknEZfr*?J8wHn{$ ze5OFj3V!eV$$xV5Uo7$b`SHg853OpJGPBH3xj6)S+Mjt~9u z{gGSjlIvo)_mYTDMa?pRh!MX1xJVRazBc@RVJ$D#zPjslZwV0L#mUbP*Ao!_Wu83d z2_c4N53wro=3Uw6ATr_4Bp9mlR*0UDL;6m0n{vQC#RqW9C)nWJ8|;hD4Tog@Dd97GZX)UreP#DU>Y-KYL4 zRiqmsiz2Yt)LayQA9Rl^E?dNxP}0WXJ$c-gEJ}+>fvKx~TeHbxS7uEo%n^vr^lI@btx{g#u$plpi8rPcukhzb$4P9wsLAlJ&Oumf9oir#~v^iUZv*;S=0vDAlvo z@L7&CIa=GB^zFk5Q0FJPTq6eyA}UG?ajcrEYMQalA?+@y2N#v zcsMk^SoyJHwwPb?rX!)ie*f#JBzmcd$e5a8&%0>{5;sliYB^M3CRIi zR+Hp;LkR2Ln*oo@;Ufcgv!pHBS?e{#zAUlDGYkF2z01%Ox6H4WY(c?d-$G5x3Jsd} zm-0M%Y`Uc9*~p^N14ZYDpT%jMo#qE=%}bl_anT5%di6H7UN34(ktUFjJ*dS3l!vrR z>2WVp-hRL5zo%<#h1cE%b$}@jI+q407a5?qH!pzv{thDWl&|Ky=ECVxEE!mP9Al)s z;7pi;ErtBerKCfC53BOpZQZ|lTmBu@KkuyAhg!0q+I35t5w_{b4cof|{EZvDCT>T>)k)}d{_5wi7P9#>;UaYg;@_tI zv2_gTExxU+dro;#q>g>oKvxle95}D$Rud`8A$BD6yft>X+y9>6R#?A$?0f|sO50}} zhu%_F|CRdMXTEV*FRkhL(B=}qX%C@WIfQ9y8n-PI%{4j)s!KNuR5Rp%x*RQnVbGKw zq|_C>AttULOcBt_N6~7$#i|cH0$TKI7;pIfZG@=`WDB9*ZF~QJkK*Z`fGyqgw(8g4 z?Pz5o>}^>HoFn%mum8gBc1ucAWlLd|wXW!a?Zrp!XOHI}%dp>=BQh1-Yw0Vg6IOxW z^Kv=8-3s=uL zSew3WZiFw*xJ%He-6OYD-90TGh{xPX<8SMZdd7*#^FMz`B09AAGs9O&T zY*b)R(;-t7*@2V)b$kDF^L~#2@l*}#3#q@okDmQ?A5B%7&mN21XBFbEeO47d$Ud6U z7Tg%zW}6#ciQ60QXdgRf!55!nu?xF_tfSN5`(mql8c)!U!QhSea{76VPtyLr87L(h zd~T59GEgDndaFdwWN~=;3`H{@!o(^A1t;ww@ zrlMMbLj$N=v-UoR5EKLkKeVNa<8MQ$&c>*oEVYlYjV44ARHQ^ySpZ|p?@K`_XBW>g z(LD_kFI=haflyLPW(hrrGxq%H)R%PG$L4iFb~mci`u2()gjb}o;`<7xldYFYbm#3s z1ckLtPCswam}J_gMPnTUYbC7D!g8oo!UcGIK1&H|&UDwZ|!t+g5}mk)CN zN(3*lPymA$)|=XGZ7$+TGRN=`eS^3vn)b(1W$FW66ASX!*(M^DuF=ui@{%hC#4Vn_ z@Q;I?+tl>TC8W09YU-V_^|GGYrep{&giUeFv6?T@S*2DEuTTGbz_0fmkL_Hjw$-C-NO}>%*Qe`DwkW=x0ub_MKRY$u|m9h za{SY~3G!ugM?&XyNI}RP)H@KSSvMSxsi)(%|`UEDCs0{p*?ipS$<3eS13^vwX;6Bhzot>p?nQa~0>g z!)3XeR}LLAnCBJY+(fu4b!go$hqCON(ijGX)HF*A$$l@Kf8efkW;*1rK z+!dGh@^qMXRn-gLAC7Vyx~caJD%~GK$PP!vW_gl6yfm;Z2M^pWdbzNEBabHhsYvRo zH#3>@;l2!vjV!n3egVGoxYZr0-?PTvKx|62C^75!iaQbSaF>%sx2*J=9N3;)xP$Jfiqz-b3xhH zEjug!{UUt9&hnii8wM0bvd3t{ud)0BF@&t{VDYLXI07n z9Z}H1Fjr$$)qi9i|6U1GzK^{v4MAO-PqA16p4F=4yX3+e5BJ);;^IwYr5zjBDE3+^ zBY8gv7~PKU$Kk)G5$mVcmO$oM94lox&XO!#mcSH`n~Cp4oWmv30gX z&j_N^i=W(aT&sK^HkUM+qI$MYad?;VTCH{>8v)B)V$UI+)+eV=Yo7(8o&9Ml z3@VQhuZL&roqK&w-)k;e6y3y}K5`pN3%xp1drDiwc?5HGjLJ-4L}?eyu>n)&DHaUY zE1K^&h~P-JEJ5{}m~r7bGRIi-5&Q}*vQTJsd>zKv0n^zW0MpWszu5mwpWQ^CuGjrQ zSet*FCC_dsd9yZS2n{Q1q<#^ZQ}o_;vRt)XvE}Gkt5A*PWX{h|-}*yR2cR_QzoF~> z@2_N-2(0BwDoK|&KmIOSp}?dczdw(unFCr#DCE@1?tvv0g<`N^pWT`M@kh0msRfyK zzxe3v9_ZOkW&UOt*5Q%C0^y_TI9_P4HRbYC9|~fGm2q*%1Iu6&ArF0&^k;lKPxx~gatV?Ainf3t`jb$ z%QHf;a5c+rYWS2Xk{S7a4}mCD&;}G|c2&ze2~2<^1!AK>NcGHNO!X1T;GNDddNTtUS^h4Nu!mr*+symkvP4r`e(l=X_pQi2yex@EQnPAkvzbCt`Nz=aNY~|2S2v|}(fZt5B0vMwrM)1Av zg*Sc|h8}>j5bq0G$||yT7y|uu2I0!x@p<&%YUn3lNiO(Fq(ny%%sr)H{QS`z{DBc5 zhAm)}3%~L%|6GJ&cq35^BKIk<4a@XZ4uP#nhjqkrNxnu`i6^Ky> zwDOD9|91R?y%``+{z@4ji55Dar0^M&#(v=H<-}&52k2fX$Im zR(5~4JHAqh5iyW_H5}e z9^Dq1WXE%USF)0g>jfF3+;;V4cYB~P?D-JAuOxGq{h7NTMt*iaQh)7H%*u85H~7Cq z#Q;RXZwFX1k!@~(=@8Nj^%IX`k`VpNkNWbvmU@VQWzUTk@+(Z%whOX0cE(zbJo%e$ zB$sbC!pwt=3qvIL4qKJ(=fXF(pN(MvV1ZGDdvAK8ZgrzUV~S*uzZKrRUec2W(Z5N} z8~tAw@<%Mpp#$mX``h~oo8lD#HZvDQEh0K0aGqDjDX0|}Nfa>GWyHX}GS%gnPScCn zit2ywQKvps#jEC{&0(Loa{5+J@Huibfy@s+uOY)Oi%3#E8qU*_TrPx#nN#zN8J z52>$|9KRP*cjzBI?C zK>i0JV+3+Nde(%UY|X^695U4*xbgeon(`bH)x<4C`J6P)sTLwf-T>RS_3z>>&`ZFn z4JD%D%%?gjF00R@gm`kX916LrI@J96Tx)-vN!BUvtwNTGecHw7(`it$xwM|AWR>mt za(=*q&|9R4EEcej!X!>+ABbRxx1{uMnjGn%Zd2yw1Bu+`;HxHvF?l{;o2)P$1ute6 zz~N4YF&~@%p`9@1cTdd7_h-{?XT{O=Ug$5;NeXAYJ&b_i<=6C^p`?s-fONeR+~RXl zuurbYUpF7<0Qg`b82Hn4{Kf?Mk{`K{KK#$lxI`Ce5OGbdCHV_2K++flfNqSV3l#L|7agk z$GyqKv#COTz;~8@tD5mNRuv{{qv|z0Kz19kKSCADWO^?M+S{ z;ht9j!8oeu`gRSUgziRz`q_rN}a{dA+GA{3*<4{)~z;t!$(E_M6; zYi0_i8VD%3dVhmNvF!!voGIT}&k}eqkl!joNbs zPh*!6x$vha{p!B=jVmHe3V#WNicj4zC(TjvT)L9HPQN2?x5(7{d41*eobtOjvJ^Z< z6}di85!oubV@N@zygnGN7$y$*5_WbLE(%vk?q`1;*kW2=8zf_vZ z@a=Z<$Mdl8*-%naDl|vWZhBW^Jc%C$>t{Z>;1JPXpuaVAGbo$klyz$VeC=Z_R5ku$ z)#(1drIxCN8PhvG%X0A33fEUsr*FgR7niAYx(z<&d7Z|SNr6@KQ1|tUD>0q{&zWt@bFvOkX}dQ zdWBjmz5v`Lr0g4{{pj^HHuev7-~EKoRBG5m;jiAFJ>*x0pir&qe&=HgV3!kN{D-Ch zSq7V{Rpu~WTMX;1tD`6j>wSGoToLN9m2 z%t6^qE&_}L^8JOebI6Pp7C&;<;kuR#f$S&t$Xgp$oq$koZjciUVxax8=Z=T`Ri zp`t%t7t?=Lnbg8S(wy}>&b#wp%j3Vo5{3V1A>TO!8H7bpZ!n@wK6W@VC4?-KlhFBa z$okx}Wo0*umTliMlWKcc1{K)~?}r($c>2IUQ34`YsP;otNMB zl9`v%-Lt~)qH5=Cxso*ek|+n(NHxOs&J|keneIfZ-&G~J^#97{90sz>_seQG060%7 zuGGF^y+B@Fn^zeU3_rn8BG-#`)vlu&^l83B8+gqIz4}&npJvaX z!f8qG%d7XUT>7+qxfDW4u_M;y(L}d@q^<@FAEIOmzuJ5&z>C#y^~j76(JMG^O5`HQbFLT>63VuH&lAS-rq6|g4;s45KjbGMt{w~9Gg zgS;c9oXDOC>uDjftbQeZ0cf>ev!+=;0sBxI^vWMlI@-K;^mTyFB*32zVFU^$s>kUPS7j$2bzB-lU&W{)y3>a(klq7`6;pADLlHhZ6Z8z zYZc|4bvZ%r22~sqa`_f`;~4%3pHQ2{#4G2A3v4xxX%gOUQ=rY9faCoF8DFGT7z$Q8 zzv>$>xZ8Gd0#aTv2TF?yljaV9ouY1V+vYiO;kZ{Q0Tu31}32<$_|Y8k2;>-rhd+11U;&yEX6!R+B_59D`)v_d|%2ERMz22QCXPbQb|nm%Xub|_}vVcMS;^Ek<7|0ptU)?H@ep8_~w2*@AU0UlAJ z`*FQ*iq;RF4|f5=pEPANgf~2_f$|Fnt~BC>)cHtk2gt-be^}-GG*dpaMqmm&I8J6b zy>whpj&qny(hp_o))#**P|fTL=oz1GVZfU>dXr9!&OjL-p>?Syar7MoplF-`ISya@ zzcN$tGgLwVZGP7=zZgoB#>qwakdVnr0ePxFgO90Tg}@zHMu2D-9V6&n3y^%r`>(jO5|_;kd!7>Q&@A}B2BhF7c^H66W9rKs{wh8RiwKoNLK|hNR=G*3xYb1W z8oS~;)bmAp*3y(^?Q&^WuVw7F=XK-=!-v`StyE0TA}d0q0;A=#n_|cCk5btNkg0UV z>J{e(T!OT=Qd33hq=ye}cw)U=rrtI&iFR8I{z;qU;L+A|V3R@RS4m?E2tnP4bqK) z#E_!Gz)0g+zkTn0KhN#nUgvq=bN+bW|McRzj5TZ4`mRqd4w*=-V;bTQ`BgCH)$OFz z6)=kr2$&|r8UsD-3voqISR?dQd}4?s10f8TgG%kTZby}kr=eh9wxu)HlO`8TEl8b3 zxM3C`{Bad4k4#&rX*QeMf`aIc#w(}?d>l^0k1Sub-rMP;Rysfq-p8ttSDbSa{st=0 zt>osYRM}pi3Imq+b7jC<9up!pGe44+~OJBEy ze}A6z#jQ2t(j(p5o`A3$=|S(=h1LC})nb1Vb2A4UY?*IyL6GBg?il+jBKu~&G?9)&vw)3o=F3ogbOAM-G zJ&rC8p^3^Oe!8Zkmy;{^b3v4ancG_->E6KI@+a@4)Cr^p^rK<8F-z;GO;Ljh$lE? zG518COm0YeeCCZVP$j^()M3$uCc4UYf*3FvFG?J| zR$tk!1%QQOIw<3c624J5W)9pRRvWW#qoxe7i06xiYc8KeZi(?BV3{5h*XO_!feIjp z=-FP&p6%7qHpPSWgaU9HfK<-BIdaQgRTHZa##RvG+r9bbEN#ta`&%8Y#qG19ZS< zmG{>9tU*7PQ#Tt(J~G}hUa?w!B{_kiD~633Sf5N@W54(QIbE{hgo3tq!ni7kL(imS z!NQNL+Nj9Ectf_F?uMKVUo<@tFZ2x61DJmHYi2GQx_?6)s))IvlYd*hk@0sY{}W|s zH<0VW*cp?zTpeFn2PG3XM_SnI>THzIbZ*(u51u+^G((_it=-;Izd3xOB?UOM!eq=^ z6ew+A=b80w8v3G7zj$COb^LTqP^^wcCu=aTp5Q^B zPSmMHsxmtL)TlalNB<5Ym`w`_@e*N(A~QjRn9V!`wOy>Ig4tqhNv=Rs3C27dRJhuS zl;p82j?^0kS>V0Gu_{^(Kgu{c0y&f(Q!;8fb(%i4S2w1^VP(%3`0h-d?0I*JcQC1v5lBM)c`*iv2B25mM!B<((Ea^S;JL>HiOsNWyP#-9m-SUJtUIyR zY>S*gLa91-4;sV}Oq?JVc+M^Bz^r6EUaYclPi4xzay3WqyXf5ahj?8d!#(#732Zym z6}KiBUbY431B$Gp^*e1$HyjO~JpwVzql~SPv1cSg86_jkeu#~)n_I7TYt_!H5Br`q zvt1mVSRK><8R!%51Cj-?WuV28h!l_RVlCVQT}*AkWb`8upz7(8!A;;s`T6EF}2Rf9|L%EHq@q|BP-_`_CWz7d&S4$HBv{PfyJ~ z!q}1yJCjM@7%Xup(EVT|c}$I%;nk^&e(uc4X9t6*A2{xc4{XIzv-!3!)-Igawot+# zG-X#AOXatFbNGh|Up1wY{QJ^tJ~%*$uT4 zk*iV0gSq^U0?bS2X|cp~K2$GV=StIDOrqTs9xOh_{D{ix^g`Nmw^v&nuGCU>6d}*^ z=On4y?AaqZ0jl1GR1Dr<+1g(*f?KZdwt23>$^7ZBz@jgWaSOmE2uw*%^=Rv6BvCOi7TG>o~1}oHd%^7qPRjc1KB~Jqrpj}j8QX3*T5zIb39))Lqqe*GhL^z`Fu zn=Wat3v1rD9OcDkM5??%6_37%Dh&O-afgoV@xzqmx-QN~&sdNw!G|Pv8wjO6ZRmM+ zwV?_7nS2FJm>uWh{GacWBzcHC!(|pfy!D?y`1joxVEPAl)(YgufNQyD>j=E{0>iv< zqwRO-J{ON@xzWB)5kks!2hL*_AB@u>PO$}Ya&zXwyvMr=n8G?(EMH%nVkq2Ca}dMQ zJD0ka)pnz{(yOvPI?rp@aJmfCSZtdrHM%ZJZ5H3SG<9`2s7J**ec86}WVO=R~&a8D(bgKMi&bAu_I<*l7Q~U zXR)A*I>-0+40?dYfODebu@TXNpz(r-H6vBhdx$N5P$rkV3~ZZ8q`nXY&3t_ZkjpGc z`OWs0#Mk4&2}Dp(^?lG3lu!R2>js*zLR5lI+ND(x9QUG{Mq0ueXudfCj-;iw848Y? zqgIJBgk^aGSLIHzp3hlYg6ntq2{wSsgR-U|cvsA4RVRcTE1Hpn;79cM9DMjpLozZR<;7l#*k)qh&S$& zOk>d*ve*f$6LLNOy7Rcz| z02L91Z#iZ5;vQOoLWqI3(UcwR`inu)?Oj*h^DM@huyA^Wf~);4-~7rz?nKx3ywAqX zS`r_k;uDzi-G13GKxq{KMgg5pw{6jXZ;@Y~MEXn+22aH%9nH288|~mN`*O89;sx;_ zc|ai_6{FkgY2J;jp-mFMPJ406@F1~}Y*eP1m}a2+ytW`xLQwlqRb+1{f!T7rE32TP zm)^Jsb-){2eOR>+604a+e*1pgO0`Z(0*O`hnXW&^p{m%SliYi% zH7e3Mlvfd-S#0iInl*B|EP>@s=Co+C?YPOjLa0ZbD0SB-Q8}+r5V2R|v`s2K|HRVU zF!FDZrJ8e zKxF!LthrapXR~bD>SN4St8>>6syE+L{LseU6N<~dW=%UYz6W33`*9#5j|n)-_+#mv z&i7<$4Ul4#j(k0_NljKao9*FmV?vY8-Jgf^wK#pM4*?$6#-5$<(gN9341Q}siXW|+ z!0gI9SjsdaEm7I{!?ZQB)W7&`z3^YN>R+FqyAuSGe;oY$=E6UNKWlkjF@32iK&_i>9J^`Ic4?X3?_Xs3xpT3(xFU?%(dP8vc6Ud}}KDcW(Aup2Fz zQ5O0S)2G`hZX04Hb$qRudwZUimI!3}>=?>J*&ul>9FnMAWPegB-XG&yho^ z+MO4IatiF=-6Nu*dCw&sd{IoulEU?!UR`mBc(O=k)^b>_DitT!9s$bXYEy%v%_0hJ zOv&k3fja6<8_TI!dm*;AASOU*GhY-@IZ=4Hy+XShemkAifAiGrCSX)N|HY`dsV}Pn zCR~wJsqU5&Oa1tW)tE|D82X2wp%TUCqt*1P;o1Dw9xadWX4EZjr2e) zn|=m2^aSqbx`e;o70PMgvpG0x))Q)Ofmks3@8?ommn#qYiXwk`2h0?^U4|e=qK0?~trR=s&W^R?3#M=MPV{_A>S)1T z{rf2?Z7zUIH$!aZGXSzK#ilDcG>dib7VjO=H2OSX$@1LG`~Qp~Ywh%npO;__X%YGI z5V70UN2{4FOPty8^@dfiLx8rmVidlaNuF!E8;92Z%ZB!Fx4rRh085NU%0!h2qInMlB=yZRnBgavTR2(wrrPF zdc4#04PXz`;MnffP(-KjwwE+@j@$QYRsuzC;Ey|F9G}S&e)`&&xGfyDeZ1}*`V-W><*<@fU2E1T zHMRNs(tU)Mt}d(j;jdTKpWKbR#h*(z%gbB;8y{86Kl`Z0jGV^95<@w3AI9!l-`g$ zA{d!lNA{>GFj1L#wXZ~%v|_4pixMSz!nqAVS|pK65{Q||^$?8x$RnC-*e0g5iZPq2 z5g12VI7Ulh+FDW4-o#lm)%YwWzvJMY&x4=6`jSi`Jv7skbsORm-uug#S9g`a(HA?H z>r$V3`qk~)?(C7*-0&B@8^OdTrIz@TiC;lWU@rR~66rvea!dW;Wr*z>C5B&Ckmv7= z`_^tA*{0gX;up*bKV+=*a(dT;?4>Nc>@m#U*OA}*MW_&Gw56q$;LOehN=2r-MUGQl z=lVl=0Ma3t@ly2Y2Bh-9)(+WGOiH|$qMGfD+ z)MT}N9{q$U&W-DIlxOlJs_Cw%bx)2raP3NU2Z%FqM$;}@Q>9|kMkF-DC^IGoQ{?M1 zWxd^N(4z4-jS!92smpa6d7%>@6k;b+FFyRXORdD0|EKh#?^tt|m-yKGYs85<=N~nb zBRzgRKYL2!p#`&<#%y38+xQ!cY4!`=Kb(;W7$>bnCi{nN3I|f{ z`Ri{J=$6Sif@LFs4^nNzAc#C9{1$>I3x`b??+`i(54P}NS@vD&K&gp+Gv=fp7bGz& z`xsWe_Aay%S6r}`gQ#?k!e|NyTHqs$<)u4Ia%9|lBlOI9s@6^o1lAN?No49bdrBzG z$;GD970REsEPXGQli<=g?cJ3V#0t3z5_hiHq$>%p=GF&L?-?hvdQnZ3))qD4E>(JO z?>Z=916m4`Px`r&+8ok$wx3~wPv^HWXStu)Xz<$V^xGg1(76uIaN($wqnH*gQY==n zCK0RTHL>t&2bHP+`tOV6PumT)rZ`dCZy&1eJjCxKU^0TLa+1=ZZuRks20E(keCP{4 zLO8oXC+TtDCNuSA8~iTT=CD00KC{l0oe7_K1K&}|L&dGBSQk_6y3pl4T+QT7rr5Xj zeyT<+#_jm2`!*>)5e1qfwf2e z7VOqmKs$MPqXwTgn0yENR&qNrgVm8(qu1gyji6 z+_m>9(M@0LvZAy0R^JO@fWeeu+UhDsozgc!Lnu8{(P8bsL_J_<{dYC+zkky*uMW0P zM?{mu?||c*o7{goYcY{;9!b2MCVwa^_Ct1(OzKd8_*=rRIS(wits-TQylcg7BYWs= zY9L8SrRPa)-Bye$L)PRS;Q?dUNXsFEtOlO_4yzzfYh3NQq$*Ks+OK+U?$7Dl zOwvUi|HGw(Ju9-uqeCJ_(anr(VmA}vMBTe-WkQf59W3^=aM|jM#!cj?=4O{@_Sr8$ z5xe-zSG1iQd;7|08zPMJ7P|nOLSVCfoFTrJ+A*5eDn}t_wB88LVS_f7ti&{f<(sM_ z^vovnZ!yRMCq3LL_BVbbCTehRigJE5AOD?%H;OIb0S~N+Zm0PFuZAOWzvIKr@6DAD z#q5OvS44QTUw?Y|pZ~inFz8Mr;0#RuYl!@HO9gcJL!?p|B^wi@$$IQ^BfYk@fnw60l`08TXr-3u1I1ZmbjpFTHd{9niiQ}3YjHbp3ws9*6bePzn{UN<#KK0KFCQcZ| z2r;a&k!)x|h+lI)QKDud`PsfP-Y0PdSE`U1SEapz*kuXfY()tKUs zeymr4vfV_=dy+pv2WKz7&F=>MHLXARkT7a$ z^LqEaD`uZSYEXy3F_VIsz-Fo|&cX=6$tb;9I;*r9W_LI%M~k6^_s{9(pb`{I=nA7u z9Os>j6%R`q6kV{_D0huZ^eEgMfnrY6@-#vTn5TAcOx^A43DUo@*P~%rc4(yaVN(k91k0DwOZV`dcICKN;{lJ3!L@9xBuTQ(4S<^tc* zzmZBxufxr*HXxUQU%P%g@qRn4miv&gbdzwn`KLDzsY@&B?H7=#i-1a?phqCDJgWfw zmh_97Bbswi@$~6Gl-cSI74v{t;RF%u`Qo;HDVpYxc;-Gx7&~9pwGcwD?F3=UZ1-vm zh;E1^Yz-q!oO0s;YD>m z04v^o@NX>KVWXQRfp75g^IZXq+QV3@B!_X%=S%s?7Oc`Uo(ulXzuH;?Fwmsv+mMxo z`ptaJ65tIB)K;fOKSm9-&ywm20mkuc7^}`L-7?N%i)5Yno2dYSSQBIt*4pwkmHl#S9nG z7Wlox#M`@^-se-U#zY3!N&7jhby--7*j1Q;mj4`vI>u$@SyyuUCC)B0mqa|l6SHvT zR;}Zy)Me#`N~tAp>lB+w6W=sYVfmOeG03Zl1ShT~26sP?<1!Vpu@^`AbmA6H&DP%O zPm{`#CA_r#!U(d}oy|sHF$V4iuM}xYI&V^762*0Wd-ehX@2&C^ubl!!N69J~RBdS2 zT$t{9S@*d7t2-n%3h$zsPD=oSUPVwM&7Tf{xS0CLZ9t7c!gt&wfW)-|Mr_m*DA)*i zZl0dQSZ@Z8i32g_IV-6H3(!@(dO95_@1;7FaSfn{H;w?jws{C6KWJdWcS6j~1Y_n@?XGZo8iacv zx)Elg!wr27PnS|vx7%fGZ8^~6Pr|#Jj9zwU9+YHFv9W&yvj!+AuR5+|? zXmae;!(=-@*00LXWtS!0D>z>;nUa?HRHHD)F8x4Kb44RKZxBC~pP=^*V=hHp@Gaa{ z!G4z(gRKV+x3#ToBg>{pLyqxe_ygAx#Xd#_$JL(1Wfja_k*U|CuKMzG_Uw~pe}PVN z*1^atLD46BBI&WQa%)8zNvEvV0LzA)d}$qQByHUuUIoPF%uR9IP=N#FR6|&wE_871 z_yY0{Kg{+{$fJN4s5MfkA_eX4%|ZNvT&zL73^Ym#4uW6B+28LML)6~`gr?mwkgkbj zEL{`kqB0o_AmL0YWsUxcOKv7+b>Q(6$#rODd-Fhgkl^hG=oBX-BB7!vt!(mkI@^i< z9t~GgG*^2A=tib}`=BHmSkFVyd{}rVDQjKE3y0l+3Lyz_h*oV+nnf;+%Umligg24w zW&E+bhkNG+KQq#b59@GoWx9`Or(OHn70dDTl1~@A+ZE$CPpB1lZ~jZ);+wwRE!7tD z81@z1Chkm+ zVvwRj+UQtRLV?8FkR*Ie4swmr8=Wb%wjfU8u~8zTJ#H@vd{}`2G2MbO3hn zE#Y0JnAt7?n7@U?+boj2|2IZC8rb50GsmT`b~ z?+Athyld`zzyWdq)gLS5W^-r#3=u-=18lOcw@mKUjuSppAVsCuzXaXfe7Fx$VofZd zU?$^M7xmm(;|imY?b=~Ywh(B>0>-(|c2srb@mV0KSgk%NrIR%xBpQL^oUA(r-RYOx z)#qh$?g1)^5_mMIa*P-M5JaAFJrb4ZC&N2|jb`KrC?$s{e)T zmAX|R%gd}|-C^PBBf^*ec}oPuLY88VooUb8|9;c{qK>|+10iiP=-vA=C&Ie$da=5| z|EjZ*y+RwaI(H?4H^jU_h&E-#O$j}#EO_#woQ$ztgr3{s-QEb!x5?GGb6OjD5v3uq zp6g|XE-M=bzOE9?Kd-n=CkA~SduFE_`B=>RwK>kXY$A$tIE}GO9;1!KqiL(~?Po*T z33YBh*S}{Gl@uf6xN?FI>^^B27s4jE|J-D!klP|2BnB&%w)NeJ(Guv4I zm&q&FB~wa@?kZC@BFalv*mOjQdxD^bf4{YBfPVrc@`v8bdKXH;+p#)=|E3U zJfz{})}D-T2471ey5mc{^?-a@9q&Foi`h^D8o&Az0bZxTG(2NT`;* z*2lJx1RS)pznLG?GJft5OYLQ>_M<^@Z=;KZlTlqY*ksy>T0w5n(AT@1@lie}o7}j8 zNQb&%ua1vBceHU9o=!&%(YRKEDY%tasdHwCH8&()hrIAkn{Z}7*%KLIbv96NPU089 zbrTmBPDM)-X(+Pv+<@7YV>2?UEtkpHlmsMQlrvw5s)9ADs0HH+>*A`Xni8%Rm%~f7j!_^1b=zvHGQ;6am7UpPPK> z4a5gM786kgqbopcU!!Us3hTCz(bYc?iZ`Ng#eEid>PQFaOZ~!7vQ-Uej61ZsZoS(&p8kuxf6+7Oy{@JPamPWEy16e2>8cG z&OF7c*X~`GnWJsBLzV>-Uy9{c3l(qX!>9NKC=a(Y8OH-_I$HhvxtZMS2NHna|*`Nz~rYMZBr(HKaXWJN|Ik` zsXg)rV^|L}2U-wZGzOpSZN}R>Su8sY;T)3ZRhZl6R zx|WV{QKEJteJ6w!@Ob}J-o!_(B*WfDI{0c-=ebEaM!kE)PbWfj#lru)!S5$f2q9EY zK7Rsb1mIFUo{^F|#T~_QD#*~d1t=$}LhWYm9P3X64O>AzGIJX5+ttXiL2%)a(;4rT zm>FNu?pO^>9|4~>lmX5i#y-+w{!9Z&6U-I<1W0H-=R#J`E`Tn=CY2d}>F5WC`%n5Ve8X^plb4hrcF=zrN%vEf9DW0FOqxJno&WAaZ` zM>l3CB2GhOq?(8mJsJVzhe03Owf%X{^@x?k$Fg|pt?`SBDoOhy>ff-i{v#< zd`Z?;?S@)6ujsX_?PBA&s8<@u@dTw!QzaYICdIWjKf@!LE3zw#VU!^6O0U_OPB7;cnEcski|MI8n? z<3|%q>nwHjU{IUg$T3oJ4=aB!NMe%hv*$t#rF$(>=F@#B`n*2yW%X;&rX}2$CRI9J z8V)@}#;I`}IFP*~bqEAzmv7awgE?e>GJ?euh-;0^S-)ugu>;2U!NE^KumN%a?z{$8 zs*&0;GrdnwR!%LMUJ5r8>ch9{W|$V6Hvc^O-X=LHPp=un$_Qx^ivOmF+>n4`qcGD% zTdu#e#|&MD98_`iFa#7p2bc$+W+RZGgWfyc!wy7S5ojWqPE1%fk?@e z&XWEHryOOSkPvQRy5Zc~oBduZb$W|S1R*JC8$$Z0hXi3}q~IQL+bglKfM4X{P>A`s zE2(Mp@U3HjuH0U4!G3Rfm=30h>6y~vkYY7Rt$MJ8E7V%K&Q=|1Gr-t#v|x9K-rBjC z2#6uSz{-h2R@$4uyd@3Z^@VSHMeA2`)#-xxNVqXyEV&m|o&-J#yZ`A0sZa^r_61FToyV*APrBBmv!-0$6 zub^1nB0mGO)zwile;SrL*9%Gp)zu#UM7Q2_hI>YqCc{WO<3zX@7g=V2y)M8ZQVCzI z$5?pcD*1CRloBL|Dt6~5sG4|fI>UHM8H+uIO+d;CHZm9A<+T*h%VhTjGC6*0{zAMI z0y6%30@q>NTM{@sz!WXV&7ZaQ?$nmJ8QK3dYxZ@*7wkhWAbmNuZ)(6YOl8d$z;FG>&vF{1#2P(lU&> z!{eA*NlnaMi&SzpuY8oew}P29?cQAuY-ebu%y*k*T^&aZMzaorkV;TznE$cgw%DdR(1>)JU4K?9)?p@l6(lTyJMPUSQQVk+$kHkXjbo;l{b1rBIM zRXBn?5h%CvgdqKM!P+dpV&JDc{gAI|+3Q<_;(*U$(?V0lqs}95CC+8V?^~J64T{N!O&CAR zpKiH=ds{3r2HVEMFZT0FndMwIiWn+QtZC3*mWSbvD`OMBRZ)Hgro9Hy-qt9N{%zh^ z7Ig>rbuSV3lMlvY?H6I~tVDy_ zep7!5R@;_nt4jOVt)0bp5h+gCme}Y z>~e@#AQLW|I8YeR)yf@r=y@)=(2X|yM$k#h%j&8V@?Rp|*QX@PKz*YXcoyq890l~9 z7><$8WS#*EactVX&?nvfA#9FSDkdNR`_9&KXgV>e_C0V5-esWUItU4$D%8u8rTaXk zqekkFRSOP!QrAXx5v0yNvOWcbvKCO6$@3RW7gbJTA4OtKF2l;4IbHC3<@XQZul7|m z7vFHAH{L#*5QNUL$Z|0PYPwmVz@&ezKr^?~+l=QytI;hMTwebyz~kupl0zqtWZ z9zp3^-;N&4)cx)#V+~Z6q=9)6vbeTkWz=heUbMe>Gk>;P)Afy~zV{4DUdX!r6A#Hn zkGV@ZLb2~bE|69@y_n8XM|G*d>)@_l`^;u?rpD4%BhxuZZG|JbupTdW|Y^;wu4xS>z5h{ZQdNBbaX*7j(>SJ_F=CWXx zjQ?Yd%y?VD9nT1>*}SkH`EuB~5;)u~p!p;n9`4TwNAU=6{;y-ldSL6IRa1!H=pn zY2v_Lzh_3+y=#84S@S@4fc@tf#&IiNd2F!kLNJKBoVXUL+3?*B77U zWeeF4ew}FVW&@ziFU6@d!CLS0pDbq ztL+iz!(tov{jOjxGtfRwnUl9G_ueQ9M^M8bsBf-}88_^j@}K}jUzjhOX1{F{Q=}-T zFqU=ws8-KA`-}YUsvhM!g?DMJt>bQ716+D>{@ucL6ra73fh&jh*sUrR0^K4i|JZJ^ z4HJ5`SSl(Oo_?#*oIFz^3WByP3V1ColjKv?+as7jDb?7uVd`dFZEOKU-c~Ww16=j; zBZQ^YGoi38162IaOH~UfQQ6iYgnzQ#IvYrJ9dh+v%4p8Xdvl|~p)zz4(aTVm+}hA9>+=z^6Opxv4kUR0C7wcTqy zX&EU~J{-}rcfGx(oF_A9%B-tX|EOqUMbBKl)(9h&D^(8;XM}Ht*3p*FLKjlOr6)H{ zy)m^|OIV_WWBit(kF7P$^yLGaN|UL(Y8p~gEMd0gF<;uMIxBLdBqaz>HTy>Z--F;u z^K2S113v=3n-K;|Xj36%t+5t9!cbU|c5A3d<9uFemSdW6Q0>Xhm2K5-eq^BD(d|5? zKn}l287>&ry*`9LSbqvjQcV$Vo6cwmTE0@Q3v-MRo6V$D@xMXfMd%3tCTb|nL+$c- z+B?53c^C3MXFwBFNEH-EgIq7Awx`Zbsol5sUUYll-+=L<4MfT`<0C%Sb@&D+|nKiXayUKO;;OkDb*9QEr_<^~ai1D`$* z{!TU=t(;GK9z<<}YhfwB)v~=YCc?&^on~qFe8diT;oG|8gb#CReH3(*4Z9*S#h`YN z7>+l|Ym3Nb;>ogKJX)Mg2T8?^?kWWYe}(4uDq8@Ykm0u(IuSK z(xEA=T&i?ob=b09agFq_!KsP*tJaZ6K}y;hebimeLWF9WZ#%YBNz!32W$PGQ>}+Jn z{snm91}&-Drc6LWlMVN(++UmRZ>NPBAnP5?x}e zKZ}yk32P>1#T2EoB0`6N*7PWUKBf%$MYS|uOE{`FuXshfY=41yWv$ZteboLLt=bwf{LO2A ziaZ`wk1Hh|Izwj>$XjZQ25jb!3^8{vt7bHWy6-=X%)4W3JWeV9_5a$+U_*v}eEsl+ z?4}cpVKCx)AXPKjbB;s)ej0*~@>c3eZL^XFDv8}q+Mvuy+8m4w4mabH%J)5MIUz5t zuh*EvcAQ`D5$zqFgYE@u6S}oxfk!Ay_i?KM4?Jec-NN?pJ!Wkflz<2^oste6d#Qcz zn&i_YEJ;TJQ6v{4F2$|NILZ^xXX)+KRUj8R>=luaIr)rPmGgi<_WFT-?7ljR&RhGL z&^3p(n+fKUzH8juU70&w1;_342;XC%c_Ew?r-$*T_!Cg*@;9h6nhrLfUav1XBg0;$m_0gd91({lnSuTILRW-3Il8G1CLu#|HEC)Yh57U|cRdHD%F}X# z@~-qF;+vHIlx>64zg>{C(1M)3Wj^`a1!03ub|`Nq$NbHMM_R<4?Gh4HE=jXq+#65Y zbF4)!$`Sq~V>?8+Q+gt?ZizOXBGuPxLbX)bxN^L**^WCzWI1W0YmB5 zu!**+%OBnkS#Kk+~(^-AQ!9IrIX_2gbX-W7G_t@{&sO3p~Z1jHy`}n z;<%Cgd9KW6(nf5$DF551Vf$LAZzJ9H9Qz@{m1U)On3ZjlZhh=#c3ad{s_LoRZJ45F z*X#5_MShtGHpzn}CRO)f8TBI%QOB|N*cgj#0};nwtImqIX(~-W%2;r&$7~PO-S8!W z&2suDilwd=<;5g(2KMvrkpau+I{`&vk{)YgIV@~CXrlk~tEgWYw$5Dbc_Fsvg?PXR z;vQ;R%TtOB>;e<_(@oxyOlqSA7c~s&CUzrk(-f*G>=mU(O<;?f_Ju4rr^d77=V@*6 zD9Wz^*X2c~yH&#bzuYvGm*m|s3_D&|d+?RpQs_b`Key&V+U>J`SMzX^%{@>f4n{g` zU~Wpj)k^kBxBo6phvWi^U8&7I!DDQq&BhI*B1=1KQM z16?_Jp~I4nzBCj22!{}n%H*!mtonJ!;?ViL(jpDr=?Hoy9ocOIKgTurc%We@lB45l zkd&k}j%L3o`OwSHdfc)$g-zK0eVnSJu+pW97ut9jS8z~HGGVAWT(;!InGzLq_eHv( zClj>dQ;9bq=sk$M_CH^=p!-KQZgOg3ozP)8N9$Rm}j2{cjEGa*} z|2+J5xKTdqSfY6o7#yP2^Vy5CI^EO> zsSfD7KJK>uf}dohVR2R0sHDFp%CDChgCd%{XXl5E#Rd)hTxrKOQ0DIH@L-m&8V6T7 zYcPw@$|QgRu3IK9zN9HJAZc|_lGDO(!uV0 zg6(d3ChaVwFpxl9Gih^zIcoLv4+Tp?C^I~RQ(5K{D?Ppe6GaIyQTSAImjM&SL21F- z7!xKYXR3%vmGi+~5in8M(?*LPv&ghWRA)amx3lU&QnxxhrRgKAt6buG^EUDIP%C<@3Xrv~7G z388Gx-KMLvdyKjQ8E05eC@Wp%zsr6{z>(wfX4&DebHmjnfl*tFjoIRm+Cd@3^P`r(%z@ZgG(17wCxuHh;v<0J~0Hqj>52QHPk z^t(u@S?fiKl{GPVbxC37T3AMXiHIU=9q9u+0=2h0G_K|~Wdx=j^_#{|()sNSQw8s( z)l!`>K`T=Q#t`Y$4EV^gOA^Md@eWmyliI4^v5px~9#l$l95&+(-CxteG@Lvbw-~eZ zxP?-(o%i5eQ=T2ggnBxX%59R$$@cPV`c8-Q3n&nn85>KvFI_Q<;q6y}1y}8YaNJ-J zjeEjr4yeWkTMxGe;q@M0n390hvuY{L0feXSnvK&r%TjP$T$0!JVwFBP*%CUp?D)?o zRJIp%f_ZH|xbV+E2lpKlaT;(~h-U7*lL5iFn$}F4A|={k|8iKk2YXJmN0IQGOG?xs z({~M@znBQOAGWL=w?v=C(YP`s91IyhmH81B(bEDmVcm0ynAj&j5J~$}w4j>j zXe_C6zx@o{Jcym;?wFOnrPO#<>f=dkT}ta=TK9|)soL%w#p?H2-U)@r2D+-qWSOK) zIghm}d&7mpdmzNGy%`cPQ@|DF(LlrM;ly%|YkfZJc)QRFXmQFVD{^AL%Msk~o7%MM zrhJ7Kx)OHi{j;jOmE6}Mo#@xs*`Ew#66EDc>iGQWx8Lroe_aDd^V2giHoaw%*E(dE z<*Y(K2e5Ky0DOBeLiZ;wPUj`KaQ=3???$USUOs+U0to;iN2 z>9+AF1j<|#%Q6#fshQ?7X^LVo5QKDG0t$m`%p1?a~W@4Ok zy0`4>_wqS%EoC)?;vC^7RD*q86Vw4xY9#!e&HiVtZMk+M-f^9N&NY1lA2xmZXJsb<(ep-ITc;=h;3PPZdV?^tC~q z<)MI#C8^n&@ZkB2w58lL%pQr%g}8B+0sSp8%cbvS|fBkLsdde^b$n&clPTX)Or(>6<)q-r`b z8T>5O4ZMvm0EEkn^rC%gS)L_T{E&i18RhV>Y#_fDUq5AK}RzrhH0^G?+8+M(JF$ZM|p)RTD z4pPT^6Jj~oa@jZQ#)Nig^Ky>gSK=5!;V4`c3@hs;;P;lRY3vbe4h2-3;5JqqZ^cl* z4V~?(khBrHVN|x>E*!v0Gq$}sG@UM;lrS0IufmJ0qxsPNSgE9g)!d^;#og0(yk$~? z%JwAQ#6hfm2_KOo27fps1H0}sCFE;+(xr^QB=2}%d0TA^910KCbc({Vj^$T%DDeh< zYo&fhQSg>S155k&HFg(NpF0TKITFr7;xkCHRMWU0_mdPWZ)|KFLA(p%+VekBN>6ct z>q}AFxlHL^B5Zf0v@+~V=&^|V`Vi;^cwb%hnvMMG<6_KhH+2-;iBl95mFRDZpEPrF?(P`V7it zjn|JtJJ+qJLJo&I|01W8X57k+)L|MH(0@7nZC76oOsn3Sk>0$6M58MfyIE#z={1%d zlSZiLQ+r{3w`Y_@UwF?eLmqXMO52eur1fI|T~}FSF|)^RPGE?ya)~yDssi!FP4f0? zqXv=hofG@S;_6KhTdr{Q?nSc}+-IBJ`8aBs4B~eu&D?ZNfIyk>Su+&4uR!vVJAQmX zeygvlg^>M?%d>Jim>9dehv!bCi&Y+elI+dbhI49(&iaZ!h~~T_1%jjeD@!R~4xqEnF(=Znbt{l69`>M&r=!I}?i4DB<_F zI!;*UN+U(wecI6pgyD*W(Vo^UD|>MnCiXmDoDPeLKS=cLxd|g!Iu`C^5a~AjNcqrX z6=PXHUvtfGorkvMDJi7A#bl^T@0chxmN_YOc$p4;qfvWoEvx?wW|lL1O^ zDBZRFUT76iuY`)coZ?yaI0_K=1o15)AfZ&C3>aeO{E4VYfjIUmWB@Sih0(=7IsGKQJz3=h! z%gLoQAh~%Wbj?1m-R>qYQi<6Ae=+x-QB8Jh+ipY@kQzWhTIh%fh)53!Ra69|BfY37 zy-N>B2LTbK3W!MWB2ol`RO!8n^xj(_K+3-JylcJhv%c?f|JZwv@$E69!$I)RUFN*z zbsgtTi_?lRJcs{5)YyDxi{B zrqzT=ggo|N>o#iC239iP?(>8^!*pt34q=3%YpR|N@T~!&(uV0O0e{3y#Ux>8hQ)B~ zM$sNHm=955c+69RvLR$n0-B?HlK5=^WHAv*wTc6v{98buV&MDBU1z|S_eT8>H)9^q zjK{8$B|2L(%rRPsITpV0lCpi^(tj=n|Hg`gRtP-NO3PIGKYtG_$Eh^WFB5TSf{=_P zlK&PqSVa(o4O;|ZL)&XW*kEoVu; zimN&XA~-})Z|XIwmRWX~?T&wZ%sYFd#xCJEG5->nMF0~YVqbuxpu9TzQ{g8yZ~9{y zIW_8Nb&`aPj%@B8u4d6yPs|qqzPOGub|M`o-#m+Ih0%cskq5F z&Z0s2V(S#e1)U~F234N~+vGvI#kO{t#qm&8y8|D6Jw3`a>4c;9_z$27fSoFz@!5Q@ z=M~ADND9CyCSCJmNZ^T=y$QHR&jZ}<%?)`R%bn+slARh)uh4SX1cFE{odFz*9N@P7 z!Emp=xjn!GEG(8yHVjY))Rar=zOW;18lPplT3UbHPW-DWfuxn?+WedUjS~3RNu-t# z?zWmJvh4rAyEOdQWB<_w{2WMc1`PJRa@_iB7WZ8uK%_6p*y+W%(y#TslhQ`FeWwkI zl#b)RO!dxn&pKEqCk_3TFE%T60&F#?mn5#ps$?Q$zqDwR+0_D6(K^vpXd9#MGUkz7 zekEV+SgVSbZS7*$D)X&~<6`KTx5kyirMSQn9s}tSLU>Kg#@^Idzoq#WVUCI{ZZs$` zb&WLqX-RO>Sl78ul9$zpYC|%3lsC*Q;-?>gskpu?1A3$3LFpNV3Q)jWNhEV2Tky1# zfYrwZ=#I!g$zyM(@U>g_x;R(fUVp(E$R3G&r<(BKNsRayDG8hVqX!L`gYFiB9+d&` z^L0Mx(U0zhmFAi8;+t)ax=5Cf80>)LF|ubv?T zU^=Tc@Z!!tm>U*;-VvZ)Tf8I5$+5oFI^fk zu@;uin8 z)*`{pkWI#&l+nalA+;b*dBJKftck!924K%FmC~s+0*W?}OS$jKjwRq^rTOi`#mga) zbo^mg^$oKWmRfaho)0II2AV(oK(7JC*1MktQ>`)jl#K`~H5dN#LFSeua3AKT_ukj5 z{;8dD2llVl<1NYiF)_g`p!w^|M5_<#1>-m9TPSu5+%3XSc&u3KHkx7-Z5V7GxDLw5zpd8WtF_+s z3s(20$n7q4KScOjjNMyLiBR|oL1`l}Ikm-An#;p1Kl1$NhpCm%^$~4gB_RxYB|2NR zzGAoCi_%7y#Q+ARwkWp?R&M|xXo}-b@X-lC4F4tfdq07|V_Se6rZo3^0ZFEwkLMWV z?*;guAD0YXRuI zPSL3wd0q!q2=}nFTf-1s+L@~OsD-|XIA@_x`U!uoRhE}EY4~u~r8=t4_I&|hR-z%Q zC3FNeJJ*5jFI`}&^wE;VgGukK)MuQ<$CWdbk0^fCwA!=ej};gDgj+lM=~f=EdeakS z0JC%CQKr{vD8#9;u0G{s&_bj$nkPy5w5A<77BA((q9j81s5Jn=rxGBcrVZKy1ecTv zeCiK2tz)J6z~^BU*Juf06Gokg9A9RrmoourrL)`yLUbSWlO?t5);X#XH^DQG^U!RK z6lti(@U5@E_1`P5K>zt_e!N6DvS0e~((a$X2l{p#M8GU&>2lM)iyt_=1~68oq9cMo zSdy@JPHuI1HO@2h-mkS~nf8PXDICrn#_HGA)^8*|QILg0AK+XbJJ&|MU)q;WdVPi- zNnrIdoe(z!4&7&V5SchBtK#=%K&;h%&yg0~szCJvaLv~@dh4vR6qG_^IPGZ%bE_;% zPS?C2uFqcx{eZC`qRU*k5N<>Y+(WyzLh~62oQp*)c&as)h{^WFfEiyi- zPa2p#%SI>64(0iA*pW?587)-jT>D7+4>`ra8V<}guE1VZ|Dl!#QqJWGwK{g80vIF< zPBz5%Rxhlmc!-cDAa%W%q&gleMDqSP{ z$6X#D+3XhTJ)q*D8f+{GE97HxemG$lV7$xB8Q z5mO;B`o2_sm87ZNNSesd&TnZoysce+?>;EWukA+ZS9rj-3hX#GmTj=^D+6q!tJH7n ztY(QTY7mwmLoMsQ5tM0SPoZo#YQaaPU_k8%GVuZO-6i{ye+;In0{LomfYY&5$1|vi zEZ_%F-gCQ~m^7GRYRm*@f9p(Y>``zg9?)U3P zU;95r#I|FAlk#5qiXTx8jJT<$tQ?3T3M1rViTeThOY=b6@5=tS=C5H)q+kLAP0c2= zW(bZbLs9|KIRqi;V7L-Vti%UJ&jq&t1a+b-%V8WaEs4yv`@`i`j{)j&^_cR_{}f>U zcbDq!M-Q$63S#*T5IbWBK#y+xAD~AinEpSZN1Z0VTdq9(HUPa1$f0k!F8%Zo5B@q{ zVU3Efy+A1VNCD9aB6=E#LJr^g{XIOC!RR`nO-&dBte;w3az2~|d@{#*mf$|gpzELI z{&2zEE)qyJO7l+N|CJ^Dx2=x+BKLosa5(yX4~TC~^M*-jYN>ygnrz*rRgIF0Um2*V zOpKUlrC7ahHyW&}0`*3hb4RJ>l`gc6bFu&EpwUzlYpjRZDWeA0vv55dWzhd)@a7H+ z$hto&lm$dcIoSgmce#1~n>SiZ5PLeOm5&Wr`#$8=k6bY z6ZK$1j~TF_XdzFh0nJ8RKVX%PyWa|xQagS08snT+{v(M?!_M6b2s;pUE{d?ZE-_vq z3WSS`pXo4a35{CEJdY{Gt!+e_uWI4_X3-TonkHZJ`Lvv#ZGhEY+p3CB>Sm@eDSsQn zO$ahbOg++~lxWX-Y`1uJtGL4MdGEv5fz2WopNvRdq7)dfx2la0vJR|9s58f+bR0&t z{1@n>HCv(XuHfFa4gR!eqZTC!P?-iA*T{r99mM2XoJGg1I2CE2QraQe+(hM%+b#>O zdq8N==hXnhSa=VBhQonB@OZ2jJJYlMg=mqPIoPZ|(2;Ob`Wf)goA^g@z!ToW?u>cn z52Fza;#BIt6HLg6ylZqFBT^haKw|l>+Gm;G1x0YSLTruBgez4F;QJpoMGD)fxEoHV zBBTr(?KLVP7 zvXK$~BVe@mZ$Aid#NK=;Dn823F!)+SGsF-Z(P@BqHg+JoitW^y&Cit@12`S0QI@bl zZ5Z&5CB~(Q{qvR(lt^ghB(}_?|8d~4 zn*Ue^!|SC-dUhn$TKTC4t*514+e5psC#c~uq68K6;p~ahLhKjr4QCp)TBvs9`k|t8 zM+`RW`CuiZ5EezYQ7gc`jV`)x=33SM?1-jEL8!2AW9$m^M1`>NNd8u<5$yxJio}?U z<=!B95#vlw(0{}v=^3i8z)kpF3Jzpi=Q>m=e9Tls zU<*IHeLJ4Mtw&^N#@gN%H1J5)1KM9IAB48Kj5cqM0RH5<<7V_l;`_AQ zI(FNtAH=p9zaRG(8+mJ5-2iA&-6KoaHv@-LYpn7H!b3VFi?@i_Wl6NvFK~XhrOi$q zQ5earI$DZAl!G&WttYt-oT_6Xh*&VLu=gRWB7Ugu6zF-e z9gCZ@b^|`qPoHDrXfksi0+8QLx?ACY*vf>WfZ9Ol3Nq~v-{1Y%MngEVZC^YO18TZ$ zHfl+}*hrU%|F++@n;ZnAH7DlaS$0isT-1&9uS`8$WnCidxfBI7rAM_!8|Ygenp%x! zdWCHiYTU^&Opk-Qx6Si2uqgTH>c~w>7xlFl9}bx}q|AqjE+&=dQoV}Jze|7tZx|}r z#=P_6mib8PNF)ens-xm@en1_{#)8Vf)$PcX)FC(vI=xBrmB|qYQ-YtY}dEhfl1Z%}y&u#L|T4Bl|*QQYR_~qhW=i>e4;H zc}wi)c*a#Fvpz&i?DJ9rG)hv)QFZr<$JhNKrE+f`Jcvkg8$|EJr?+(m7Oa~1z+_jz_vI+AmnLgk1i7h+pqGZ8OOt7{NFSYN znALvtbADQrJ6AE+T?)&WYm4WVwZgN`T6M&BMc}Zlh_h(K<<$o;%uvdHWI|i2$=HUb z=~)p>rnz>4+|#O4PtKO3nFQ|Q4RK%CU-n$M!Em*(M*iW*vjPRVyNv>4_9hS_IrxVr zZMIR1%S>#^(3pI_H&=@SiX#o!T_$M!Nr6tzpz4n@=;$Eqs#_2g2O|VJ-yFaxd;7=_C zA^20jV^qIyxX7QV@ZmCQDf^kQQ9}0FMwwrmwE^NFLN$5RT>LA^v;D76xJfuA%7WGR zdtOg#vYk~@PgaHdl}s}w0_d7uVgcrUOjkdKPYHCz0y@Pi6K;J-8ovC9>*9hEegA87 zmyy=HA4uH`dF9K=#PmA?R5zN)s(>|5MRiX+{ZSU%yRax#v4i*eq?wl8Lv zu4mSHBm6eX8nlblSmn4b?C~)q9uS%kemx)l;Mo0@l`z|4J>IeZXE+j=Z7CCkPL&xT z210LiUToQq-%D+;_DT5o=d?Xn*?PVZuX``|a+MpSZHML`&l?Cm8*9~8GZD1+Zh&Us zMy}eZiPJ+&RfKH20Q%^0S61AawGKX?;lpkBjq8cb#VHl>;RC7-Oa13`MYzJYX$!64 zFnTNNQw7&_^+FO5Co4q*{jIIDpISolz_{R(U=q{kud#tYN=+{G6yv6<{YDspug)wC zgf_q}%$x?;obfRo*fU_@eNa&(A@eFd$ka`j?rt%loLLvp$)!lQVb7WSHo{2ggGIkv z{A(L3ArGRSWdhG&R)b&Y{Prnf(x3E68>>?IUopQsVBlIwfXjvL{&cPM|3WZq;>c3>7``k=C0b;|A4ZF-}N z>zGg^6*&U?TY)SNvi((U?d7NkW%~*;dxl~ccJ5v{Trz$oYgJR?xpQy(&0E=pH~g@u zo`Ec#)%KgR#wF`Ic_GJaGGU%%|STx0lNVX`V9e(z3&3Fe5iA-WzfoemUT(`WHd1lshS+gX?AL~ z+W2AX^OSSp2qR0g5uiRn+7@a!>`yQO%MIs}Wm4SKLS_NOkF|xk`0R#Tm6CUbTLmwF zKQ2o>QYv4?E^GF=;`5)^dgtu3>Nc&>*uOrL$%nliYXt|hbyB}hS9om;a;4&_i+Jgc z7>(ZHN@Cu~!?g}7;mIZI_T*J{qs5=Ve7eG7DIpTukaU^aba7An*M358E$;AtcYVBC z6#>XK$)oLRfiWT__RQ{qQI`tf_Xbi$it%Bvedo>R5S(Ps2Whdd(L5z>-$j6l;C`NE z=(2AjdD`Np{M_ux^i}r8wR)NQ(Ull#oT=fW&G%l>T!9a}utQyiF=Nl)nRl*Ktgbnd zkJOD;;?Gq|hye>`J0Ua8#qMgX5EO~^gja&V+Q$uKzz`0mzTd+ zdb2vz${zA$M*Z6~UYyWH*htSBDNt$lA20rPQt;)Px~Y?)xpAcr8a z`dz!<{L1dF{g$-%S(|@4o~F}mW8D!FWQV;Ky5}piold<%@0j`bdR(52aL@rQ>q$(fPq`D5kBFTC zW!Iy7roguGoSe8RK6{2L$=qM*LSHkv5EJa&Pq6~F78sCq@}MEA>U|gZXQz^f-sJq( zAj?H_e5vrugh{u9-;vxiREIA&XXebjd+QDDI6!8|SrMX;hn-i_jw!KD1$+jbE2qD} z$*`xc=x*G3NPG(=Z8I>EX5DXf6F+wD)K3em5NUX0kF3Y#?zK34BiAzzxF$U1m;LIE z0k`GYLQT@$kkG^pt+b*U3DU|IoD<$?G40hy8zPI6N5B5Qiue$CnuaXbkAJ$^jXI=v z=q@;$5O4p9wH4zY5~oYpY>kBT%G$-`=K|1{K4QP%r_xWYhdW9J4hs_^635LqIm0|= zSTg%~84<%lX}F#D&2N4!7=6&9Y|n8csap+B>Q; z2uDIZ48e_av}$2wyKy38Z(7iDRX}vJ4XNwBaE-%07wVEAkkr%W5NGYOoGV)zY}kOc zdU=#kDzwCJTKo5vOdJbaz>nH_oS3H2R)fS0&rJrh*N|AR2Cu@JEMj@bt5Cb`(J1!o z(KjpYLFSEBWP#!z_nZGVAS)rHUK+RA?D75csT812w*H3=&iacDZqfTY8ytP@N0_>{frP^;v7-2SzFXmg4`}_qb5rCLVe6V+hj!#050ufmcxxB z5Ehw=jg%99vx+s+fDDk?7_t0Z{zJn3FTaq-7FcN zE^_~|1@>zcjUc7`+z&UBFp_?0F};bSH!aQI_%kGo#YrW6hAIhL@;tj*xaRCNwi#dC zBxulf(qoK#8xSUcgHkM-`||o7&-hwyw2CMug)+oS1`1sb7&s3X&o~aP*Ae%2?Sj9= zI%Pnyy}zkLP8m#ZPRe@jK!0sp(j3houvNF#6XIHq1auUWE-_x|EN|^9cs|}}>b1I_*Zhtw zGo0P7gpDDx_Wc#j?o8x>Ni=wxr*SgBbc6|978WA;* z_YU_*m77BoO}=Ox%!E+SX!5|ZC!#=UgmLQet*lz7k940k#++A9!mnXH(K0h{x)CCE z^Rf7EIHxhBKTlv0&i8u5g*}^9v*Zja9J&Ng?6__0iV}aesTDi_saH}sgA0Z(J&)#p zS9==A0*c3kHN$u79lXvvI}-fU;2E?M=UB+wJ_v5xYfaN8)Imdv_vV2AezRFA(GR*$ z{6v#wc%heJIpb#hB^^+_NzM7^#b&1+?^`8@aLjqL(@{5|qWNuLB5;#k)l_*v1b_0P z?zgiK=Hz)T+V4(luahrP^6WLF+=_~?Fk@X=xpoPja>@6L8g~5g}YTH2?o4$qB z>g@^STeI=Zp}c$HxQ(Rw_p&%MJM?9w%yoPJ9$fOzP)&bY}nNBBy_q&CN_gWrHt3v?Te zU@p9*&C*}Z07Z_ieyQWJhSn zW%IW;_K9z4UP$70lEXc(u}a$3>1tF83)8Eftr&Cn=Z<)Zgy6i;9JD$j6Yjy2R*0{| z!dbI=L=oZRbkmrek4podt;V}o5WxK=JrFk1DehV1miVtd&`?joi5#( z7yF%zFr5J;VWwRBG@S_ecg*^yy##aiM|Z28s6!ulZ@rCX2$Ie8Fq@cb!V8XF$MCJD zgyY3>j5w~&dNhlY2~H++4k=zXb*b!ib7R_%^KGd*$JB?#q&;$Cd8GdAW`iY->zpY+ zyR5PQ75kS5>+8rM!ht9B@0o4SzZ2TTp2!Bxzr85`GaLjs0taHiYs2fjsd0ZH-xEXa zySOly%juG$>_dnCD;k0VoQQ^e8FWLKFxYL-WV2$aXS?{n{SE(@MXiy&)$HT)yc7X%`%znUgv0d0aTVx+VzXIuKy_;}Rn& zfi=2p>h15t>@^%SPA%(%)Vs7+Wq(D|2m2J?uvrz^aM}E-Ol#UsSEM=LOyf9>KoZE% zplpagSdGl*jg31Ui}-E)zGY3fJD6_T3=!2n`d8laa9ZK5_|#^Me@L9|pbim=<)R|2)ux zD%n`e%b-ZwMGw=frqj(bnJ(4)tUAnxT|7~@>+}10F^<0R?0NzW=OpFvep%-_l0U#8 zr@7bvB10KpTInx9eDW(aNnG$kxjWqGkY%A-HxhH6@x2*!j^)Z(`K*#bwMyo~gVX{m zuEP7IcqdOQ+u}PyP{)z@Sk-1{>z}~!hhB1DE6%B>IwQfPs-wR-KO9mh7V_(=FKY76 zsoLgv;yWM?<89tp)!qW!@;mzAr7REW{T!KHH!x!zs_}0LT@MJ!!z!hY~BTiYW3{ zWn1}2!yQUCZc~ODX55MDi{p=kTfbql+n-k4H84G(Vas?dzUT2;sj8sE$d^+eo1MC_ z*4>dVNhPljIex$fXeu@UPB`{#^Wq?2zJwZ|ED#wCSnsbg9eD&n9~ZrQ~fTE@Z9R_sZ+oFee%c)W8Tjf*jU|!i3I($O36v0AlaT3ao@g@Ph|WGM3IWwDJTnf7p^}lp9AW_P5SHpemuMF42f5NKr{hG` z=3^f6DM_9SxR|*0=O1Qvp7v+&4)6dr8-5*kODAoBmYf<4#4sJZ4vff zX;VTrbdXH?MLYoO9wTP`ZJ0athdDNnL?)KfR;%1zG4+!gsN-%gAK0uIn1>=+%QamVIh0Ge*%1=%xS5mY zR(t@x#<^t~S0ew*@rkF^dsA{R!@@TC8$&TLFlFciUq`3Ktyq1&2 z!-3@o8V7>BnvJLl?)fOwm-l$pI)hN#Zi@X7o_a*R4RY^LO_+LGDnE@WDNa*Vi59x3 zDwyXgO9_>S)8c**eC#;WT;$ONv^wUT?Z2^~&WYnol>^6@3 zyIFH;@^2O_VJ^#C)w;N(c#M-*V{npfPK!3HCNyKSc!Qd52FE?9f7MkTvshz|dbYjk zq9B_rupW)eHD*(XF%E2(*DW;vm0-eaisbIfw&1xK%sMQdKEKGB*09>BBR{J-|Li zFj0!-8yfygah&(vg(vk?aZ%4CMwmXy*aP4o3rG25GEsE0H2vH?gJP>sMd*)f6Yf%NuoYc!F9_AsPBnKD&&V- z@CO7*B}Qq2X4m)w0h5+{z}wmP;nbsM6*q5*=GGjOzka*ArO|hrdCbuNJ@awx)BSbX zZ0_}?4?Yer6J~L+w+k}wuOiW1qt)%BMG8U+?`c3Dbkm2DGc=B{qdDF8Hh~DY{^0wW z2dAs^pRfAR|NbVo|FwLK-8XDk2#0OfPjYpa#MR~}ejw&IhADkIf4&s4*QN>yD=_zq zC)KUS&A;JV8maE!Z%(CHrac2r%9&?9+&f4SlkX?&0`Az0XC#h~>VY!5#Tt;0N|4@z zPt~S2@eq9^4XBf*(dJ!x;8+t(Z15l;xalZ>Co8Bw34eYEXUCek9iu53hd?clEC!}I zQVKemotLDZQof@3K;=C*IN%>@t2hx|J*`WV?dr;;(r@Hj^@=qKekqL(G(P3u@9xXG zpLc8~{P1kadIWUg8?B3^aC@ zcNF`{0#7At)~oT1X7#7-^c_Ne(~1TKOS1v~+ z>|YMO5YGth!_MZehRFWRhaN)tPk&h=Df_7!V4)E;om~79U&2PZkXdI=SBztSnewx; zup=?rJ&|iKr(_{Krug29xm-2J`gcp!FLvB|&6{myw{9l=-B9GKG{JnuEpwXWkHba9 zzeGRncY$h)%%Vnvf(*(lrS6>cWIXknBi)kh!kjoz0My*vYULVvq`ok!Ieq=KijTo~ z25vrVz9hdfsOr%<*qD5%KE?@Z149Z-)yzf{w`eaOqt1m;sqT{U+<6Y zyMGya{=o3-s;kPqzfK;}cTtaapgU`Ot?z?%p3JtyzJ7u*);n|ao;;2K z)ime&E8&fI?n&ZYqEj-yUgZ?xzpFr6@81NjdRw6#jJAo3CJC=PnKJIS3OE{yZkEf# zR2bq{c1W7PZ2G&o%>iKKHS})|yPZ1KiOqwe=n3OEsXOu-N*w+Uh^}k*3D2V2putX~ z4!WNk|4{Ut`rLS~y~dT7pC=JVH5+iS?{56rR$mcRzxz5NI*qa)_gqoRtyix(EbUa3Gs;hbLs}(qnX09`|AddNO6j7q1y)P_$H89+!LafaQa2k3m;-Wh>9qy@D;db{U&%ler`f4vJ*~Ha zL^Zn&&Qs^W{y_im`jef+y?))VOY@@q9eO_w*Yw$9Ve5 z(qkLaXSLIwNAv4^3iifqhaKf@;EPvItb;|!US@ik7_IVDd;ryq&lNSNe#b)F2sM4w z?7bY~CQOR?@2GsrhJabQ`8xko{3&+`rdkl;zrvcJ#O}r8PrV#8TW?wy)`9nX?DOTM zRq}4PUXQvu$iyiV+g!S8{`O4HwKH^nMo06W4^Sse^Zbl?MJh?=xiy``5q1!AsCg`V z>vZExY-4_YJ@+1X;lNmNv#X%H56Qn;iqxNnVH@Ix+}1<0lsoa~XDGIl&}E5<{D`?u zd%24@T`h3C8n`>hH3nu^7@Y?Bmsg18<;YFxOO)olx3)FqDyhnP|Mmc*cYsd)+)F&m zdC1>>`fq=mzv%CL%AjW)pabGPK)HR9gNK&Xi}b_w%g`HA4;Sur3Uhs|G3|-)GDoXC zh}U3S9|>X%ea@HRhthdH)&uy5{NHH>&&1XWU`ubqDIuO{Q*Xp6U}5!Rh6Bt&De#FI z2tmsFET)!czHV8uZZUM|Fh9T z#Jr+Q2ZAzS4X`c5*K3V;B&HjAvu)q^{V^^bn=zcL{{6zIq#Qru#!cd;moscE!pwf^ zL@Qf5fY*b}zD^Oty&zRKbN}cG1(GB327?XWaT8JG$+Xz~7l-QnaWiiskC{@_?x?b* z&JjN`brp~-FH95 z3ZQZnwK4obnj2NRTIKIRQXUJf&I_(;^f(=yn1uV|=UG;!h3{C*Q_aWEDl4p;o2mi~ zlfIWjPL~d|&Z7k1tAj!UNx+)TVpVFT$Jt*;9A4dgKo*#t>2uqp(HhljgRYi6J!+~P z$!Sg)JE4XOr5OBn3@_iUYKeM-A)D%@lI5~@!*q6z1Cv|Al)i7b(ySsJ^Bs1SSJ`~g z#sGhw#X=w5w0&eXb)$1B(0Akqlw9%l)!WEHzm0 zr1xBAGte%}kNBCH4%;h3Pz$1d-(IRF+L3+o+|c8kO~=plydO`wQ2l21&Eq>!U9?4| z`gtO8m49p51nu4+jHnHe#r=P@m6iT)EZK||$m#p>XW?aO!aoZy`=kD!3oq}a-HlkJ z0W}pj&`{?C8nY6>d5X>Uwi=*u8qYZTaaGlvG_a=&oL_if*!MF--Pln_pOMYbHA9_* z+OMUyDh5$O?{f@C$6$}Sy<^9gPyh$XEaAqtp6Cijm(qb$V|`>z0#KA>i5J2ltO0x2 zolDC2^Q}YYjmL~RsDGO^%%`!u`}P2Yv7H(j;DlXECD&{@P`;`CfK|st1Jn~~cObS} z?d0%Mo2LLc zyo`&MDij#QziZ0Cgg7_ZQAcX7@8vdMYI0Rk)nR8ovOGFHrf%EKnzav5dx~@F<7z>*s`zuIJx=Rt2|{1bWDf%_JcHGouOhlVQk}WZrSGU zX60D@_s95K2%$y4Zg*b%ry(9|OUBc5 z*wY7ITL)?_KtnxcW9jpUC&{RA*cMsP+;MjLOR{uiwMAV4wJZ4c^Y20}-~09Pd>jMY zs8zcKB-A{dg=)IGoX&vd!YyQN^x?tlbwxE{6)!{I{(#7zi42vvcPyE!V>zo!oN@|< z6PU?Sh-0NGdKo48-v8oX^>fW6IOr?T5(>|A+KU_3q|!8zmYO`xW&zo>8%vPjyhd-$ z`{Q=AZRb;FhGrR_G<&b6i8zZbNbf(B0`E-lYo0awbU4h9$~viCTJznC2C|eg(%ypZ zwP14LV|Lq(Ht0DNf>Bb%ie+z0&~h-NJ1bG>bT@Fx+T2eLC+U9Q>!7eZ+UT^z{SEZT z)%j;Cje-ZkdisW$vo~OdBJ|ZKpr_zIHyi6 z2c2oJ_VGeDA4bg*<2~iMl-X<1ubhEq*$pTdbQ*Ay?&50MO%{0c{aL>$`D~o$6mKzo zrnC92naiEMk#C;V2JN8@?&jv@MFU8r^4#eIl zQc#`&3;xFmR+Jo5Xk8d;GNqav@sZm1XsT#2v4v`E%)MibIB@ybNg-W7)9Kx_9szvq zS>`A+9@#TyQ_maMPrs?|J8I*%`X20ZygFXMlPT_FkFhUOI6dri0A50%i=vj}l*RkkxX;4xE1TU4v~J6>Yx#o3nvA&sYZaqbcrqsoI4$CB;- zpB*eaXyYcD*o-5^gr9b6jlNGIc-G@N?urp+^-NFUS=Ps7&!662$~YJN1anAo%1(%j z$IBfc)rv8*&Z-R;-oQvbon+5$Ax~cVck#aIAqy3nzXGXk7u`P7%Qe< zt3VuPk+fMWAx4d!AHR2EDq%4DmZ)or6nA;zk#Q+-RJmT_0^O~@KFPmG4M9@X*oDS2 zvgE*j_}l@n-Me6M$RGGpJ>5*5+6knbt;?J$xL(Rrs6)YBm$yLzuj40MOfI6Dy1w#y z=%GNYc2f9Ulyrhar&m2=mp!Nsr58t%nEIx67cxt~&Q5 zj@`|UN6cSZL*VV~9-9(Z3%|=hSfW{Olm1AhX6jQu#GWDI zJz5SMv^Kp_CS{f12J`hF8g^P}jcggVlNuh;7YwRZ0HFs}brv$t*(2bX_4yZj_IKvG zE0&+JsP-SFX#MJ;dmbI=m?joL&$4sUF#Wo}CFA>#)x!_fr)-BOHV1xnPN0WQi{GEc zr601C^SBQefCudZngxEaTsE%kq@-KS>K2LNcWMxrxhDOI>)m3n6&yWm?smnA3Da`A z+UgIN$ySLh(U9iG`JMLPaQY&HEVp>X2#->S1)h%Z8bvoiy}w3*ovH5n}$ z)7wAYKRfKd?3B=A;j)3aTaA8l1E(`?Sa9Ikz=`zdaD*R6Fc38ry~OK75xa7ar{*oibwotfc_pLy5bF6B9SbliC@8J1L7&Imy( z?UYDfSWsoHUJOlIs%{mCt?=8lJk5p9e9En^-uA}|ohGzBH4}2{6U8*`>cg^%O{5_B z5#&%B598aSmHqxCbJ~{~&JX*B)3#>(J)V3(P4fMKutbQX##+B!0Z}(fl3BvfYZ+F( z@u=|y9C?2X0>2*AwHi$}7n5q7?(-}bXu0k;(hfd=2qD7*_w)$S{T+zuq!7O&5VsB%^j=NkcJf?uklOUU8B9rExoa_-ppCn9wx@){nH-4 z)7TcePexmv#^}pt%%4neht3 z$*>AUBPycUGyB2EY8j~`T`rwiE$NsB%T~|mC4SiSug{7;5d)~N1X;i9K*VS9zkP01 z)BWp(BH?cr$;(@h(N>q?`>H!6w@-KPSIA7HT>F7SU~?LX_ldTN>r;sITE?DrvFO;+ za|mSW`il-=3AZVgVID<}*nz{f%#Dh-?%}`co7V~17G^GVj-RF+Mo@EO2ayGc)D`B} zQP$MfrpNt#KKLv{U#6ttoJ*!jOLJQScNqb#{|lp(qmORn!!xDEUMHW46%)wWEM1|j&8xAN4hjbjdI87Ub|RotNBLqwgtd~=&+|HGta@3yNUnKtXk&# zf!?~~Cp zzWW77m)lMmOv;rUQ9qK$FN#h#ccZ#9<+tDPiPNV;T@=rHHV^lkR94&FPNvhv&Jixy z317637%x%rJgJ+*^{rVTr-|ugEN$@nZga(>Gakp?Mz+Jr<1lJigrvETD0a8e=H`@B zC?;iZtciQXR}#Bxftjc{rA%yKG^?p9-%`4R9z)>L;j{HidE@uYpN!*&9qRM$W~{g^WSac={y$H^EgRZ$kaHi#)L-ylYwv%p!2kVsGB`+s26S+_ zX>k3NLvBdM<>sA-O!#nEMGz%;F$fRhnb{BiYHfTv&rZ%J4tjjiR6m(avO1iT-(KPBc}7Gh_NU=$Q!i*Y)Hm&AgZC}L3fmuEEQSa~M4W>>vh^Kh*C#oMj_z7YTQkLQxWd-RRv z0psm|?^XZt3qg}n^8BPA5`GTuVKHI3wd7l56HKCa*S|z442M|6#*0%=@jbLV(&!Ow z6BP;d95N9|^lH$wIe>k^Y&R=V&1V32pfL^oV8Yxvi$pow4M;Lh1dD z{**|4Ib)c^eX zzxHo=1O5Rrq9#+?;PIhDOP>LO`>#VX?x)^}#7-myYBnx)P4SN{(PTsKmgK}eD6Kbd z{}}l;;Gy(JS;lMVP^17mq~fS!z_1|fE@t_IS2_vu$fmF@Lg234eo^e*Gq5T}uDBcK zsn7}(ttYF#DS5RFsi?yj-d>|C-H}%%%(pjXZF*&4PlqH^xTs1v)*LnTbtu>f!^Grf zH40MxFXrAetf_R38V*<)3knJd7)B8h=}n4|s3?dK zB2q#R1OWjRsZs+DDxIkG8WHIwQkC99?}Pv%O*)~58UhLLX6BqZGjllC^ z?0-+5eV28wd#&o2ukg^F#GlZcXFX2E^Fwpa+sD&c`#*%1M4#|J>$o~vLwJcjgH!aj zqSqm(1drjbb8!!lynb-@uX^8xWy!@LZMTX#{}Qwx?+5MXs@!GE|BBeZ$8f^_ncjjh zC|p-$?cvqriRFWo3FffaX0NLqOX=KsV0ACJ&~S1rO@vcmIxzW0UUrN*UNtI(-lLZX z_jFU$jaBkB=m3Y!m0$?Te(+mTa zk0QNmtW=+0UFe-CC#4j8NRuUHKp|9f3K3}=VsX)P9T3O)k|?Suc;m(m6B+00Dqn~X zs)0fxK#m@E+=w=&Lh#=~JIzdfo5>Imf06(ucTg}B%XwpL7{%S_@fa-xxySY_Ca;k+oH0Lcia_MjNr}^dY^uj^Rk`Lt`JgRIeIy*h#rkS+Ogz zb!lp8)+aa^>+UOVScT^0-ayTzK!54ukjqqoZUTDZ4pSV%@S>G4OqIgT?aZVShi^R2 z7E?S-=*fllzLeH5lHsMSoLgQ z4i{rJqDN9(F(p*BRzXT_Dw$(3`B|->31Hw9!>UCp@V{+%PXU8!m4kqZZ~_}GBPb)1 zl-E#bnM-dYhItLE&{`b}Fj)7V4=L6+HY`7b^YG~|v6jFZC5vw}VwlH!xZ$={pSG{B zy>*}bH#A2dW#dWv{oq@9qGHwt;^XJ)j2`+&WmJKfgv3dWiGL~!v?jiGYiq8Tl0ZPW zr81A&D&i&6*p)@>C4i=3|89TBLKTmL{HUze0e3H2GMHZMikC2ER5`hW{k9yk1?{k- zhf(0F#LKrDrQZWC=M^haVrhF9xeI5v3cg`FcQtlR)q~NS{p7)2!$#bQ;-w(J?d2LT zxHO(22yEiWjXjk}*e==}B_!@vB|iO2I*&RFq;rv-8ZYDj-0i<+s3%vu-ZNGMvR!w# zmWE%dS0uKWq5B=V z!`V7WadKIlKiO+#vh=$r)6M)o{RklGpKAoaOuo@zP@&f<%46#wPP8!~l5xKf-y5j@ zG)mqf=t@@i-r@ z$~H_?n$h$g7D$<<;!&J21Xf;M?|oAyUfV_S$bI<%sdoEp;QA&dnQ>?sE*=&FWhcZ) zroum-8$F{VtgD$i5j*044b0hIZ$vSS4%<5&Iy64vy4&ZwW`!=9&$soKgecC2x5V8h zlSf0`$8X$R73i6Hf-YAj{x#a3F=P0+_siez=f7)ebb#h!kr)R!OzG0jP}3dNqan@EMT2Ho2Q{TdK^4ma&a^RFx6`%M&iywl}0Rl3)r-Bw(i*QYwdQ@~DiWG&!;eVe&m(nKe$1*O%?Xi`xrsd`y}p{X z?Xwxa7|&sSUP!Rl_>~*l;G&rMr=<5r-_y1Fy5i|;saEw34Gr_D8YzW2`yE5ygEsPi zZr5M>hJp`1M|=uCRC>f6nC+{xdG}8S@R8nkrcHu_){fqqi|4Rt>z27xtW@>+?4^%| zIt$6pA0jiel}-Y>%ys42ytjGmCnG8d5{BQa+W1wZFGOU?2WP4!c3f_c?9gmT`SP?^ z3)Yca*{0){7oX+rFta0(k6TLzd+A{Eo+q1n=-K-9nn^o6(Rb7IEd6-c;WxZq?H?iq z?P^d6Q8Rc+Eq>Yp=597=Z!*r|e0nM!KG>ox8Z#Y8jFqQM_BTN`#HbUZI}=*osP6zz zXnkFcvD%Ccbd|+9`iPJ7EyuuvGDEcxuPMWrkkWF)f#-BpOpVFuGw93qDWBsYl@u#a zpz=wAq3~zYR6DO!XgLS>u@vU%CVKiGN#POPBC5q++Z3D2Xi|}UgQR^Ygr!EvPOLIsi9iQ}a0;1;P4dxYk;^)dK&S+)gbq^M;ubM9`VNi9Z05|-@`Q`RmCfz(4XH@i}z#q(30&vz+)`T0)U0RV9|s$%I3m&pKVNwUb+E?=>@x)lqRa zzDY^+%}+!^51jid_VvRSEe$PgEzx?hM^Snk{D~^gI{YOL*-I*5$ND_D5Cq&#km?V^ zmXV$Zmx|Jeac7@#@a{cqo^>otZsA1f*qlmARR`h}ClmuXIL$O*@>CK@t(}S4ZDyg?+WP_px+Acye+d*w zB8ImK<)f3$VSezK+U}=CKr{747Z4~o=xCxNfTM|zSRelJp9=4(_>=&u{EvLrK1zGF*B zw(7ZT(5G{VJyPO&60n>pN@W$j^sD14U?10!Mh&KjZ#P*0h#t^;D*?UtO7C+ZkaV-Zpk?mfC6XuF&WZ-t=ZhvK z+XSU6H)RO$})ZsZp zSZx=RoIjX6aBGeTk>0_to=Nj_A56Bi{C)sJE&^mLYNHx`yP2f~l<<0Xd zFi*VdtuzD1-;f}323twA`xpNA2{w8C2Ic5;%E3mj-BW(n0j!2zLdgYURj`h5LLB#$ z*4Ks3MCyEYFA0EYR6(u)=Xvq)^bLlw#yQ+IF9~_~jUFs=5l|{PsPz$>-!Iqa2g(W# zipf4qZ4VeP3V@!{4}UrAQ_gTkQ7hx+ov*JG)zD5bcUF@*mHyXfF|((K!|^Wxz+pCf z03ocrFH>M3=xI?Q0mu|YSOPKy*y8I&=>kyu9xDMq2w;amBNToTF#p5Fi5Ide2DmtF z0)2aCm5q2uVa8nBxpC8}do6N)+RPv`qhL2_v0dtWLLuWl>GW2k61*wV`S8&yha=IN zH0S4wn#gyA!k%MQHkufYK8_L+&dpY_s4;!t#tBWd4E;G%gA<2I^7eTG7N3B?>gmNk zn84GQ&&mK9?g>D#FLUnQzB>`O%Ya$lO6`gMaGB(>l6xS^xY}Mw9GVvAI=`5Ap_%c- zdVsVpk`LJBYn>$$P}LV`39h3DM4!@MfZn~VMf9iRfoOa5tr?boXfRA{>b#^BK&FI)=3F$7fr4H6v^u zBG8L`h#RQKv8-B~I;WkZ=W{3X8gO)q*e(g#rz4D-v@$7(cw?g>!qU=uZix+Ah;~x0 z*5={n0X+t!4B%FL%urk6`%jW3*X`SMaBYD9lQ_{Lx3o>1_A7o?NIq&cUHIo^h$3Fq z_}){%H3yXO~Z!Z{@&H?U1+0C{89%6e6d%dzy7N} zT#E0Y8Mrs39D}hM@Q2KXNAs43xd^}nA=7yCVEh@JXHILyBS2!{2_P}R(_mnbnZGYF zU`wXBo{LL8&&yo3nJ!EN44~SKsNxPzY|0%CTAbv-8r)jeRhrnYh4bg`OEzELhU}5W2x13hu3r4m#$j zUZlqhI6!%}k@NiEGgcZ2J)N9TNTP%Ads7E1z!@-VUt^%-rd=#f%DU%s63^PRev#*J z1@c`Z`}*_S;aqm*_HB}wT=5Cts`VZ~gghT+z9K=~-|z;fT+1CCtuGIq{4< z@jky*L4C_BeN~`k)K?v?fc;r~ z|MkJN?~i#97w9GID_24ybCBWX`yV=fNeGvMQ_i$CPg=pam4m^B52Nq8u&idBzI=JL z%S8YwhX)Ymy7J&UxX4@NV3vfRV&9Xz7LI8^GG#KeR|~$8%I zAgKYlPHh`4yE8?NTlQC>Z{8KkqoC|}-z!~5!~a@n{P|oevj5pH*-eBUc)g==SUdF~)yAgbUCKkr-T?{SL5YHN@7uJZ6IdlQM}+yR=3)NmTP|Cv;b{)Cvk zk=qkuB>bI!L{rGf6hz#|68V<72{gG13}bb+_#-`cIe?{gH-lD$7b?8dh*|D9CB06` zi>U3boS47A+uq7;o?G@Ml})afUw1~!ZnYN*D|qi4YrFmS?OQWgZY~XX#3x~IM}gey zXy5)N&b)GaI-~$Dms-z|xHqF_UoRR*cj}N^{5DGrf0BqFy5`|sz(<|sUFZ*FIrs>wjq5`QugkHiwLS36xol_>B+i|J?d)@DE93q&6h zX+^(phFedX^;&c!^I$otmk3hJ;wXI9F=--l%M>Gbm93N&lAuN-i}UL$0+~%PQmz4l z1ufYz{3=T-kfWXQfh!~&_EEAD0x6JZl~8&2*mIdb75sUh{`w#v0@QU0ZwEvE`s06| zKdPPGzgk&yJ%Bq3Cm&GM*;YnzK0MBp^767S#tGT0V-jnr$iWLi zX(JssqOf}E8_`-}iR&{$q|S6l)=qRxBg9tSqm8V^T8A46&J-SwMqTKBsk0^OSaQM* z--1moiaV|8VL5++di!t?RsJ&?)b|@dRz#~o@bnAf8p}r;`^zK&UB^B>xerRlC^6dc zHs`C#+tP?oDq^cg-sCme`kG9uN znI04Z8Cavuj{}|Li)tT+Za~8`fi+umF6JHBI_8Qyt4g67N9k2CQ)HK{xabxkKR*=^ z*EI_jz`EJqDRDqrU5=FJ*rBB4J@Vc>*O^X_O|Gc*Z}bCZFdyLiJDrXpnOS8K8|R{G z1-(|zDwR(M>$z=Sg`e8Xynjl7@S4QZ+jB&k)MbF+pJ+5F<3J~1yl9#NkwXr-bV^|w zy*UE5zts7j8;q7!R!7^A>*g_mB@V46t5Ph!5w@OF$&M_^;9w5>79tpO*C*JMF&aQj zVCH2%_EmHNTLnv)b3f9XrsqDFV%VMs`l2Irkpyht3)t@p%-}yaG*E{2a#+ij^NpS6 z`-DfpJI{A1wXONsLkng7xp{q@S6 zO&qZuXvLGnqs$Y`u?yHa$s;#nxnoGSpMSS=^2h{6`5XYuvRf)y84Iho(GX%ue{~B6 z1v{Qj^NkpnMyWl)3$UAU$qm8@EwLq}559A&!I?ECo$F$&4>3g@cb@8FIjE}>n-7@Z z5&a7CJDZfaZDUC3Rp?)-W~2;y>CFv`UUMwnvj-3iN~ZTB_M~!l8HCSC&m*J|SHAklP-AHV@CDrXFU?FeY_hzMecV0k8kU<(=Ts{v!(^ z^lgk$6+}7RvKTF2Gzags11*GOYhnNSZ2wHUrm6cUOE_-)=P!SMuvFWRh1{|)eiaQL z6n=F9$jLpv9}ics@ETm5i+Mmcaj?30-lGSRy>UUmcTPH2bMibVkgui4# zwJL=^o7F;})HGC-#ZkkO*V3$0ppLslx8Ca640?~TI>6pPOS;^|<2te&UEo&(G~;82DN50Ou01|`H}^RBf?>2w1(FT&~}Y&Fl}^U)oO z6yV>~Q}}5MB?3+E2&j5axHK>Fj>Y+fjd(vs5B$hyme&-|T31)@ImsUxs}}=o84+m= z4}{g<`D-fdWUF=I=YvzQ+nKh;5hn)2$5GNsElBv9)sXpYGaohK3y~~eh2(9lxNKoi;a{zCr=!5inqNUd|w4k8^T4{GX z-KGOxj(9;e6nAPp-<{}y2zYb4_QkgtA6OC&?vId)KRCo6l*xhqQ2(&}ZO}K5%bO1S z2YKgn!@B8ge3!5)rk+!2g+GLqdUdg&k&`#lPtnE(rkHIs5e5WB(gbg+yLv9S;HmR8 z0ParZPJoSHPk6(z>FPh#ebJw&KVX%k&==h|snc(UM0ccsDboFweZkIL^_G23zmh<@ zV%msfd>YJ<@pV7YH4!1x^is~5~$&K@4$@crPI*MNDC!BT9hIs&lNb)lVy z$qGn=X?aSxn!+|kOnD)JdH&2^1n^tv(7x@16j-+HG8zm>Gj)Vy;|G(|3X zdOf>R2x6?hCXp!DaP1Pe`J5FJQXfuU$nrBKadpS5FxyX>r{J2`s_459NjSZ!3=CB; z)XOH*8z>64Q7iz|j}R39%F3>;VNVA08XPzHXLs|MVu+?^kk$A6+%e|zY9zdyJ723S8T z1CA1BK%wfLl=b`mS86y>#SXc&$&S2*WZye`p8z4DFd(?r>biZw`D(zvPg1O4sI;THbh_bYXIv3o>qfTp z*WmsXa>TLEXr>cg+?>3jY9Jp?t4rYY7Bzydqjr#d@8fWQZ-$ecJBHx)It!AxuJTYP z%&6nO@U#H|$#`p6^`$8c)<7!Fj3{UL;-Jb}{Q{(Oh$~q<~5u zrQ1b7w?tkPt!||Yo|oW1MqI;G_l0F~+Z>NHb$DoO;@1auTlmR--?L486JUr>b3|F> z1R?sb|J&mTm{S2BN6~msfMqaw4GCDYpJqn8XC5U}{Ix1K0kCKl;>K|YP=4n*FDKs_0hYy)3Xi9|L>yi>?wQ1ok=A1ez{;;m-UD^E;{y-$cuWAaAkQI9&=2obKEaP<6rq4{8z`hANr+;DC*6ha&2>F z3R#$o2$g4LH_xTss?o;0_uR!xM3z{Tk3YH(Ibr+C;&T<+v`=p%!N0}{3|J9uW;yE5 z$G4=(G$eM^C(>^@JqH%c#CuWL3Sg=u159;(&Pm5x4?_Ah8EM5FWb^jebn^?UZ;Ql8ye#)HkbKRz3W`LIX`h?L}G zxSik>@jeb)he8bVvvaf++p2|5BWI~h?~MM-r;|eq^}fHSTjx|d8TM*J>%(wsk~0FG zD&FgMBy4KQ(d6-gI=v`bLBWXkwLWmel#})Cem*%_kH94UzY_`J+yD1G!ZqbP>f!*E z%sXJBG8m5{;cn(N$~f($z(LH|ix7r3KC!z#-rKFnShi=oF9FXu|BXIFTuApbW?&M% zn9Xf{(A^Q6-!GQuy$@mkUL^lnS6d$WgJgFLGQWM>{j>9U=96f#bxoG9Kb7jPgs_%g zoy#p$Q7{m(#t!ti{`9}(r#O`lSpQG}>z{=P8X^DF)MZ`WhA0CGQbAhc=j zBDty~Y3Dv~gTZ#7YA$!@eVz^8NO$}`1+&DxAos@;v4VygvC{!_UGiW0c4sZrH>O_Q z(Qp&5c?>64C$Tl4zhjF~MBG9r1i);Vivp}dGwcYN)^JF@4VQ?HSwowD{Vc- z$Vmf~KUd}8_XYdrKY&pRQc0=qi&Sx(^CTDO$Ktz1?Iy-*7sfe>18-Eq9U!l2)GS;* z@a@&Esr^#q#f#GQruASoX8Eh?j5m~nHA{t1T~e2#%^$b>7BdkzD_9-X?c3Cn5~L7; zd?tCl$)fZ5(7aXg>roVkgvbbbym3)x{VTkgybORkR}O}OL!?s+Y&6QLj#m{IveF|An{q#JmhMk#J#pN};jo@9s##Pt2$!7@`Q1mY5_KLijP**m=MkSE zhgP2_87ycb&{Grr7&Vbpjs)Mqg`fOz#Q}bH9_G{{8!;9?aRl=S=-cmD0Wc#Z{%8~e zJ>?0_MICfeOc@tpz*%fwCAlAb7GfS}W)Cxri3H$n=eETF`ob0EJDpcx5qR{1S~Wk? z!D5ls*1=yBoZQ!=!iN|UHSfBs3QgtSK){v3bNF)@j2_keNw&5UFWo_-yu%ksl_a9@ z=aLgCIx4(0f8L{nSUGw=n&F0db&BoL-#Zj>26K`>xvbzRI8Ibu)A@P$Va z4cHrT?$!o#w}sIsgXP2(@bkGO9A{?2oqS-RdeI?z-n?Mi%uO;50Sy*kmb$An z5gv_0VDxOdw^1AD6Ae+2iYJ~lM>XY92-U$Mh{ahHATpJ9%XJ^r;+wLa0r)U%w_d6p zRM9c8&NA-z0Zsfqz-a!C`xTN>0p99miVi9y0zLO}-3>XH?f>2-2q3fG2FX1r(5OI6-`@pm2D$OVzA19<;wz%57V z1mKpl@U!t;XMAa3lu3|lup*cgZf;OK+sLWqHNF1OTX~~jZmz~?%M45Jt?pEU6TAH} zirEW(@R9|fWuKRj&J=W$SM8nr>B9(17pdkZRF36ceamgk&B4MQ7l!PU(JM`upP`y-;^(FXnl=@P(*==b^dt3$_>zdj#61FHOx7%(T` ztj;o>q<@{K{t3@BR!HwHymfng^ds!OlY`gC-Od?ykjd%j*y35Zv3ij<+y)r)XnIeR znk$!*=~E>DMyY7s+#?m|F8K(fhtj?YD*&ptfSSpyB}~=xiH|^=Ra5g#%J!lW^rY>s zd!gkO<&OjG(NZ}a_JL+1*YK^qNT0)z92@3vTfm`!ln${Ew1C$tOiuzFtSqc2r;cwC zcsz!1f;UR`f(J>IhbF$e(1`^Du<*@s*6IuwzXAUY+eTY0M8e#l$7vFe-=dV)dox2$ zfHcDPz*utH*EP)++?IAg4fg8v6|vRt{U~~6g*h1=HBc&BI6 zo59f=7r*E`EsuD8)pmRA&e`K@dKwnygk&LFhqDE8C{EtL`3BefPT(jOl^&9(qS)6~ za^?T$bheI72`|QPR-K78T0yXQS@AQx8lqb%Z;2BT4fLY$UHm}Ic?JUzCBU_8J@tr> zF?ELg^Uqr1&j)#bpfk95xXYj3S{v1iEWN%t2Ny=INH(THDmqh5czQKze)4%usB?R&vNV73hlj>NMV>}Jb%%W9 zR$f&bJmgSgy^o3ktaie!C+8b=7AG^;ujtagvpa1d6cg@wg(n-xN4bk-LZO$PSKi}p z+T#84;PLpkEy*_=6JUxT1i74BIAaOkBkS1%0|TzZy&2)pdBQ+1x<1~{8+Q3Y)Lvhy zW5zJCUY%4}RV&-B(X<~d>Ws>DiNStrjCJ-tJpdFZ+f0_KX8}lr$wfx`zlOQd_50MF zdZ^Ej|G`oby1YN=#o19p0D7<=P$qJLQXEm?;wq!B2Ts#ID8KgU(app3sRD!D)8Y#S zDks_~QB*8vtELw;K{%enZ-kJyxCF?EkT_Zv$S6N@>MVUa%qzA7zBqiCy$mx|iQ zMoG`TdEe+3VBRYio(!=TPH){TrfLD;H3V2-DMxw;qD&w^XJ>{n zuH_qeU?H9RREXrp*Vx>fIqm&fDns_vqj{5;*I;FGhcHKcBtgAzz6ygDYN4T+ztScD z=n}fj_IoL@LXoEjS2@P9`~800D99i5LfgF|?N|cK;1%VQHJEkvo|`(2PlRuC*-kb4 z={=<8IUp-O2cVe45(7P@v?xTZq9U*$#2VBWs5q5T)mM6A<*IlFg(ns!~iC2`RGki0k zw(V=m)MGs46fC$mjg1CWz!=vYVw5IYdAt{EU@$*4Xg--#Wh2Sr*IiZmyu>mz3z3lpZAvmCCaV8`90Ild1eWfnPz`^jHS%4*)_gCN;k56x}SVQxyl=Y z4`p2jn5v8tT*AVj_z<)Z5AnYWmyg2$Tr%+dnsL*Az52a@uoT<}*N2>{E%zru!>sS# z?-zqTLaN_nPx+zsu`2v+6)eRNz_w5K!SbxNUCJNB-W~-{lQxvA8?n!SvI?3w{ zxLJ+6X(OCJ2sVO9sKx2w*t&jal0gIsUdv_aQV5={Z>3*)Ess(ST2=wpEIUY zBmcq8GzbGa|`!$wDLyU4d=&G!%m|0*ZlOT8Bj-J00l0s6K@kLV@!53&Jg z7g>1a(;l7loAu)cPq%b)A_W+0;itgUv!BA1gwWdqjlIZ{?0}lysy1LZ)^UyP&NPR8 zG5-j0iUq?cL>txiaBSTuJdlz3F7;~%Wvf6T{rk-6?Ew! z#-tPZeo14Q^tzA5fvg(-)sl=*Mey`aq z`cM!ZuXemCUcsFuYYl)?(drO~7%K*VN59gQ3#_OZg1OJ9nd~UcU~`|Xd#g2A_<4y# zG^Cc?7K&VFd{y)6s;82-$`!{m_R6_#VpqGI9E@)d?17b&?;y=I-c5>b-94PDamQ`rbevjjNnK-Jj`bUIRq zL35;|^5*Ae6iftw??h-iShmc?PJk$6B1T`S*hj#iBqkyJg%Fzwi z7NxxDG3ur0s3=w;qUI^(>e<@KIaR_*{X9}*tn1WSKV|}R5&-Z}H3txhq}ljDK7?|4 zhi=19!G02)=Yq4g)+Z>CEQj*}eC9 zc9~^IO>~N!uk!Fz=l1L#byyg~ZDCleDm2vTPi(RawuZ6MozpUvU$o;3My)J45J%fO z7^{KI*1$twf1$8d8?^nPY_af}(5M|C(i^cIE}%70eAAn&6S9ZDsMhs)_1}9?NOq>twoki%<(5STj_ZW z7ol1gi~VtEuWF&2S{^d!sj2t&H8Jc{`BuhG?(2zFTT;SkkH!k}kDJRuIsp0XEw{a? z#a=)a^n9JSo7e74%3cG0{bg`Y{$NWU-AADH4P_)@4uPT~SKH1U`>xFXj zCnzZ{Y8FW4G;4ZoAS%bnSx`5CwFPv$@`sY03|8O!o;B>NNpn?Bbim55&v38KpPVu% z5fI`Mmq!$2ZQc&C>D)!W1^ps+Q=Z#Vr17V?NNdWKqmP-j6nJ+6ldnR?uYA-JW~dSM zp=bvgsVfeIHE9$L0RAe_UwD;8?o{-wm;oaW(%eum3E7Yt*#Qe(%`n^qma?36ZIZst zMIH9(FL)wqYsWBF%n#w_Z3xC~yIP^Q_E0;oXsD;|Tw_O-mg3CNdnr`>V%jsYx^EJu zF6Th#m7m|fEi*GWAi-V=Ei%xhs;x0SUZ$MPkgr|Fp7qjXhl1laBPJE7N4%(o^~QpQ z9{ZJ7qX8z08#8(d!_NK3K~N2xr02LDykVn%h@%s-VKnsxt8bSeyOU<6-IpL&!XGe# zcJJUTnW_z1Z|D7V_vxO}X2`RbgYunLTi!isjpjdai|=sugKp5^POrHFg3(;GFQ)Ty z)9}`JVV9lLcE5yvv!Fa92dSa;1B@%Zt6b;XzY5-|UK8E3_jJ!83hr#EpYcs}8M>f< z@&Tl_iagPv(^t1#dV?x5wEm-4tE!0m1jsNMh5dV6xupUC0$+I3OH=>;`@gps07~Eg zB94X;crQlo&c=$3pB+w$`#=$at;KV1M$|RM>bc*yeS^zJG!U?*Jx?><_mqUIb0r zE+=i1gQ!AlZp00?iSH^1Tjh6Oham+$wf1$* zhgQ>UM89og?YA$Awu`w{nkbHUtKEn(GrAyl^B0ic2xXq~V*);9D^xWkA@0y?>jqI| z7)$o{xcqk1QzcYx{iD~Xz17zG+5QH+8?-{=#BsM1W7VfB^-wXw)4)~P9jhB~J3+64 zs-B7)xz!lAcZRX!I>Q*no)wkW9{c*a$HGlnm+j53tKZRHb&K{>^@u4q75`3$pZY7E z`uy~3^xf*Zyos?z^W{TZHuj8=#j?6o*jCk8priSQG$KgG#9Okmfbi0Bh{10uYSjPQ zr4j$VauylpGU?(UZa?(giXsepGcDd9?iP2AQ!MznvNrE65-PvF(!zBFN$>QhxKS^L z%1t%ty|`rZaS**f?#grG`#bjW3J$Qp#`xFBxd&gIwv0a#71P)-YuVYkZZ6Q-fh7If zE_pKpNfnSkn#mk{tew@3q8~*zh{_ZAd{13K?D|Zmai12Cb>4uMx0HVNlp3LBJ6*6! z%3#5K{k^ruNwUP$L%))x7KrUG3Bz26yBY4R6U4C{)Bn^WDK;$V^{T|1vU=tmo`kbv z#AA)eKo@MM#t8b&b)5#zpJ&x`A8$$j$HnD?I#LvD)V}${neE++ zIDt6;-0G1x(E?M_XKfHb1oJAZV}ZRFyK&A2!;!((K||2DrAkS(2hwdbg)KpJiAKIE zZr8cA-To@>qO*4iEnqDzmwP>6hZt9o40@r*0;*hF^2j4vA~AG9A$Aq8w=z|IRYe@Q zEG6v5;N%Zu%UN8xJU^b%LW0NY>?bBBB|AD9tNGZFLZMKH`_i!@Rgs_^Tp2_p9CNwYn`+9W2zIG~sMxoD(WJlPpd3GC7C_i74$kv9nM>Bc#xINA(&lQyWaA(d9Q4A_tM(5FgnV(f4xtM zk3NydKmNK-qocMh4t-Oh^yM-*aOT;oa_KL;3!8CE!L6dD5_?AxCu#a|(2biS75a{N zZ)AW>WBGYCp%T}1_*01L75`}R=pOau`T|k1B5#F2rq1?5$*k2pF#0u~SN)-#Y@+)BM1#A@CIUvZ76$WRP=rF%z}CcBf&Dy(@o&DGNOmIT zv$Q>6Lfdj;V&;;vw2#qmk41hOe+TxjUHJaxbLPv*;Yc|d#;CL0g1?ZcT(!y;_!F8 z+#B{GNT!c3!#8SfI}b>g6IAkC?T}t{mH$k(|RK zP26EaQtOdpIZkPb9u6+v3L6sx4r9e`9aavwoqDl1GvrwwaLnk3{@NHemL8oQX6VnZ zfyV_QhTpypyof7@EEOhCw5>N(_P7i?&Wyp{Yzz*39Su;dEJ0}SxHn4YHGK-welS-V z_dHK^ckG)|{$Ag_cfx4(*A^SWMtE-NN0uLnVHH(H$Y9mq`YTRTTs&>JF8PEyK|qvqv*5dZEPn^u)zDK7wKE! zqRY1BLeU<$+wsQk;g@dAo&Ug$_ZHor;<{s|I-3TVcHobkb$!l(U!_X%;)ZTG~!jY zP+jl08V#4p`s8B$f0b8V#beXy-^r(Zi0r$cWk8h)BkL|yIcT%MOuUQH`U5*bk4qIr z3#(ag8y=~NoHg&^n)#A^TJhINefMSstTFvP=!*jGwSB<@kSqR`O5<8*`I*t1yFLRp zWx_4VI(Iz;bB6%whSWJ3fg?VLnJI%u$=jmdkcyP$dP+NPxp|xFnHxB4zh-Rz{S9Jr zYE$)A!;Ayc&F%4!>tg%&tvW}IKvDG6+AqvZAp3{j?VZ^dn1{9+UCD2v9NMPl+P#3~ zh+R_A@-oervK6!!U>;Wej+*bgxr<(DHh%5Lbz_Iei;^chHA`@8I?GT0HGu1wE>f8tA}@Q>Z!VQC%E(Q9E(pbJ9P`ZhV6v)G zSTZmk)KKw~CIT!i5gDta9_1)idgzV#cCyP*?sx)0-=5$s)9A5WIZB!dbNsR={try< z)!hDIN8WVdV1)RUT>LG5CXfnW@C3ovgh?Er9rDKjlX^h21QmL=GnQlSqg4NWbvd9c z6WG?DS0y~~CMrwbg9EFVb$~BhNuyCwfR>1r8C?0~e7=lFY1DKI9R^Vjre|ik$*}++ zoWRZm?#B~}f(A3EZ>wFI!q{KW3cly6X!SyY+AB};yklsZisbLJ>3lnF*xH!fqREYhC&6sS+*i~o;P``@w5fj~WpAuz_dmLoO*chU$-73$(|B<^&^nU4flxa>aHs3N7VUl_aLZ@~Ox zuSsa+hxN*7a>Ajl>_RXgHfq1v={F7EF!9{Dx9!+5=Qy8dMGYxIZo4$7&JkLUp?Ai1 zr)wU8n&R{^yCdTI=Srts;u>%J@#tmj4W{>xmz8n9>qm_4I(nb}cBkPVG_h9~_LuLK zUzgh*jCwj={e8jHn=u-GJoJ7i-txB)YoQ{IZ{0FxPq3etQTUZSTzqr8<)j3!Z~*gi@j{IsKW z=>WmF7ip#GwFrnJ72)0+NE^B}#fHVPw)kq{UT4*@W}c8r)A5p zFTe`}Wj?v|;#*V9y&-Wsn0g-EX}rCN`eO2b5g;6rhwa- z>M{*@e%JOMZ+m&8U=A8p2x^-KVy|IQeJKI*1{)h>m;kd)jf&FPVXFH5t z7VEnc;5;(kbdPcT+X1_;S6_X{J+HXVw%0pe64|ltyDs+w7S#FOWTPN!V%qF$$2!-n ztKm=P&6}6El0`SW4l&QbM{+Bc4D37jtSqqf3()6xhR}qI1ka^tS_Sivpv!=B*=(Qj zUW}IR59Ne6vvFt-FP3xYRjVAc;=0t)mU^7374lQeh0v{052(wq4W?XXp~Kev=RNAQ z4Ckt)5@qzoR#$Wy|K5e?5|HIKD~uY$SakoWf5po|nPV&ZV|-_?uwiYX^Pe5_Wxt$b z%}iAJdj|t-5P$&yG)<)e{m&PFu<@b`n4CU}S}ww4ta< z)yq8lI~jb3fBk>i$$%Mmr0OZZK0>6m8jUye>e8ihhMoKeB@H{rOruRTk$%0*)dnk* z1dA5edWKwg6GrWvbGi%ySW;dix1epr4AIC6)r(1%v+Az2iK=kY9agcWe(=-j|8$y+ zM+Fbz3Nb##1oGU&xh^CN11_0-e&|a# zwig}|Lbg|LZ#9(htd9E5{qSW+3sX0L@&!Kox*s@uyiG#Yaw$4TYpu|oB`f)Q-|L zN?o}IwF3U=IN{!xHA1lyAs&+X1>O$Ip3?>MlVVIDZ~MCQdF%OmJEH^3OLQ-z7k%(g z)OIJyOyi2qnZ}ocPy2UuYq3agH=%-|9(!_0)HIyK`(@Keja8tbB*b@TaugeEh4mBx zQzzQq)#AI67TM@dtdaBWYyfy84M6F<_ppp_+M&yVOe3zCXOYdSe#1|EhY1Ni_Sw-~~FZ^?K{mOcu&UuRE=AX01 zzde}d{=W7IJNEQ#=;N8g4ggpEaay4|OGSYAAm2%2R?K0wC-KoyJJ$O8YLjW)3=*3ffUYEWY=cYDCL06&C8<>0lJsEF zy&->~gKHyb;wVnDbWjQlY&V*ZxC(ktvvULq4atna?4)o03l6b>_<_A1fSIALqqAR! zB-|iny96M``Yn05mQ!lg#3!4U>)C!h?_->zZ9&ceW&3TRA9mlrIZ#sEaGr<8+P6%2 z*0!v-8{`AFayeYAg}(0Q+joD5hIlMfjnS<`?3KIQY#Xihh$_ghlyhRKoJ2c3f#3Hl zWqMkC(mz$^SfsQ~3^Mxl>n*<9KQE~;2iQGTytXbdsph>w&@)RpZ>bmf^=<8R=N7bg z9QK=}diF14TID~yywVnEb2{t|Em>Zx-j0dh({E(QtCQ1yIF1@K2Y2H_LkXQwKFCh} z#vMCTqvaEO>{doEY=V|L6}F#pD^7l6vjb@>*f9^eq&+jhM+Hek3zW0hyltaI{@GHf zo0jemRYf@M4j#u;bHhHe9`^BN1@wRF_{pUIz&GN-;* zoPL7kh)9z|dqz8ao_U0Gz;Gy%aBJ6*?_|zDVg_n&KUObzpdQ;R?&0l@y5^W1&r)kI{abWw#IWGK% zpf-eKHxPzo&1&(oOW}^!jVgERI~zJ~K27LfF5fYUci+6{Mz5PdzZ*TN#}t3+sw6My z?zK%z7L^u?(evezqCMI*~o&1E4%%oQW#F>o z@L2k);`uU)mL`~)W%R{nwR47k-fz+S@#e_pP8@1v8?s&SQ)ezBWn_?F9A%Ll(QKP+ z(rIOpRRm1d#GcITTGpxMZmVX0bJ*+RqPcSYYIj6vQIwf3tpQ!iW@EfH^4zueop}Mr zS|%6nTAkuQNzboJ0WzhYj6DB;6s7(R-tJ$d>Zh=Mny&Bvq3%7Sn%=s-(SRr*N^dF< zIvZ(%(jh@wC;}oNNG~c)>D>erkq)7X(jp?g1QdkOrG+BBOYgmeno#ebecp4&bI!Z> z{eC}Yz=w>PwdR`hSLVFt#CEAA7b3d-xAka=9Izf)ga3bRJ#y~3eQ7y@^{fs z_1fIqG(Ty+teZ%M4GkxO14EV&uMHJ}00xKONhAh2ECEKp$0^brn^70LMiXu)@?!zR zR7mv;j-IWtCDdmc(D_*`7C=3;^Ck}P_oJh3)*UZ)R86%5Zv3Bd5KYKpEvRjJxD+42<`9A5Q%hs-AkdOv)DhL;F;hG1Ckvtxp5s0=R(` zk6@6C>G8?&@KW_+&z)`eUhla%@P**dG1mgAnclN(??U@i8}k6J!zugejrxNl$?W>h zW0KE?=5T`vuQRmC*&}DqfmU_(=NR?)w%y%z;V}QR69dI5pR+D}xAt_GBl*2fooj|D z8Y^Dnu3fqYn`wW(L;R9CrnOhLI824n?Aw#+|5c+C(dAx383%Fh>HmV`PW|l+(&T(_ zR~}BxTttVwkw%-$8+3iwu?w)l;8Mg;F)s~Pb3(2dk_CYyMkdDD8m ztKM9)=~?0^@OU}b61+ArXH&P-`BzS`HagAZA!(^+(E9UTqnDVhy&8JZ-z9MChaA_x5EgfrXw)ZvG{S32Wa`b)nbgY86`RgYi5~y6y`@i*^B-(4 z7~sT4!?%bP{8-(0aJYTC9uidbBK#6#gZrQLtTOw;kHJ07;D8IujR!sp5f-@VsLZJW6Q{2z=!7d~+ij#`jWU`Y-(znP5D=X+Y#>Aw4@ zgKYT=$N$|C4qQ%++HV{Ew^mW&lAzp5C#y@nG^SGLiOMs}@OfzV+myCapW*^GRL7e$ z&mMF+s#^PwW@Zl$Hg$+Y?7Ks=AQ0<(>_SKBG4$tvh3ke@N8ea(*s9=fPcLg<4^nGS zMr$Jhqv(byvOk)ehH@uywn*M+T~hv=A4*#f(MUESS zgf;#SAGY)27LCs7X1o0qeB>GMTvcJmkDeDHTA4Cf17%;8i$Cph7K6)@AF>7PgEb=J zyCEFI(>oD~p7Qb26X)ZnjEZhan-#ALYqyedv!wI=d~nq70Pz1|E+vzMr^`ag+>7Wt zmqS}FQZ>6Z2#yBP85Q^DM(qaBt#g`!A6259`EY!P7aM7$sR=D-t)!2eZ@^rD!mL8dk3h#+6hQqeK z6ZllhXNxr7sY!3-c*tjK;+Y&SC^qEpwJQ6g$5Iubb&ZTcj< z<(!(j$mQ~-GGO`AXiMS~uyDfhLLSGj)8RQ3-Ohqi>KfK*t$&ET4KZ|NgINJdJR#3VyP`)y6N8U7YcJTi(0BUp7?7h2|cF|J6Hr# zTYk^y!m6?Uc!8cwX?x*ODXt&uBK4y2ISor@BK zC+7|Ulp>bk<=@-^g#$NuNA(H#Caa92Zp4$@YEFD<2*tDnmOa^(aE@6_ zPPz!S_+puYoPUL3v+d%LVO+ktP&JJ?tvAl5qR#ZGg-y8&o*ehrh7b48g-yvRa@%wt zFX}KVc|6#2mu6O{Q-rHR@ni>q4EDD*eat*xy=N}_fug6bl9Gs;Z})rV3`I|kQE0~f zvl{~;o^##r0ZCh@ENED<^~(P~OScspNE(8BOS{Pa_W}GrhfYs~SV$eT(f9hSH$#b( z>}}JW_+4{O&ajeezxcL0*@oJgWaa+C>wNEX`{nsWuxP)ZhJq^msYFX&Vw9;blrsLW zkhS>`>Yf^X3RXnWQ;8uMTH3O6-aTN|UYsxXtS#estrIDVP?l~>8PREV3s|_?8P#=G zZs$QDX-B=k+WYACFQf_xRJ0Tbl~i>tH4#(Av?*yDhb?6uC&xQgp5{^z#XJ=yHjoZ` z5xwvgEqb5=8cZ&`*1GUbsJp$Iw|Ws16*VWU}PpErJ+oVi!VKsX&2 zo$WY*+>ktX_sPtu*-TDrVw0~9_I>#tkjU5GZ^ z660>Lm({+r^x1psp3N2X3A+B67mizHvMTmny5Zg}Z~ML+Q@@bLyH!I7x#~Zii^1A@ z;-BMlTqV0jtq#>{vQ)LnUYC4{`j6En|CK}DsRIj6R+0k$W5IOf+yD4*E=gmjPCVo1 z_^Rz_YFy(iSM@^)Z3DzZ<@Ab0M@DEy%n$mq- z_Ot|}WPX%e$9d46~ z<<8OYCmYqUW>BJh$8+yvvtIC1zZB#H6Co=>w{LGXG=|FJ+q{1wQDSdM^!E+S-7%5?T{uXF!^=`!y5!S30EX z*4z-!)?M*jp)F7wXLi{qkW|*T!s3AzsE|b#_7D5Y6~4-Dw;Am9u-2oEwLzb=^j2n+LkPq((ODTK5|HHmxlfyJwQbh#A_ zY02f>@>Q9EFZA6bP75iz!RPIoH(UP@A?p}37*l?F45k_}BNj>Nl?irXFr>(9wv-b< zi0}<_kFlg|aOCF8NP09mSb0xZXb5Z0(rL7(FIP_UDw#>5R^fs3P!brj&=?(c-&7W` zulw0e1mE`(TI94Ow#0-QAnVEB4!MiS(fvaZ?Bp+Zqy_P@64lt4 zZinEGU-VbaiY|VW8l02(<=v>7V&Rf9O8!`xm!M+MPjh9PT)vUn>QUsz%8aTmRqci^ z;4AG4qd%E%bBjheK2zTx_p>d}ZezdFx{8Wq}i59rdt;puXGhB&>?IoY*;%AwY1kU)I!T*-Wp z(cXFNCq`Yw@nDBdFHMMu-;kl4P1*|qRPJ3e|H33j3+01y-d6+I0(UuLA3GBW@uwCo zeo-P94UXykD!nU2)btQm!ZTu`4Cm1pUv~>|GpL z88J}|D+t!Q9^wnDmh-7%5 z&XSK5LW4uD3NzKkO+c69V!Z5_EX&C% z#Du}+Aak9%a$9-R;4kzLi^E-6D*6=tC^x&b(Uo{QSsTItXW8#4qZZL6vYBq1*2r75 zCYo1)JZ?l}XFw}fP7Nv`(bj4Dhv@tv19l?*jJ>mH{||TZ@3jBrGmYI<;+bgIj;6T- zy_y+O4$hK3&a$}|vsZG+8(D;Gge$c|TX)h{xOOv9beqkXIFa*R9~ zBV|Z3DW)`oPg}f%E+U$u&q&%1r?gUVO%^14&uOAEV;=j%Llbiu6=Cb4d1qqFg9(bB z=6?u^F%__=-Gs`~Q0!lFw1PNC?{$)f%{f14*a#9An8Phb3+HvsS3YbKCPsPaCRXZ1 zhW&!Mmfem3GZ?g|pEQKg20RkYM<o-J zPXKAWHXB0qRTQ!BD|~Fak|^sXz{G==Q_|v&S2fa~g5{Jl^3J@lNu`_XjVDcGEGT7+ zHYZqDJbrIFaU%!y|37ca-w%{R!DWsr zXxy~^=LhU9P3~q`P-a4#N#f9cc+4l!Y`%bpWhN*6J>hq*fP%HoM3qH)Mou8u5-UzgS%PX$S}gQz6A zIK3wLj*T&a0hyTx?_20V7P4lfy#JU=Al|(?pVKlEa?_$k$xSIFio(K}8$8f6PmcsQ zv<0JfGX_L!@Ge%F!An_k%~nZvsXb}%--hK64CfYLkRcchK~lTsSSZo+KKf6-2)H$E zZpafD74e?;k>zz@hbHiBn>OcTr%4*tFih!T|M0k%v0Yv!w&CLE|CVVS6u6E6Zx%P)mUv6jQ?COK{7;#$D38nHyB~r0509tn?WE%?N zyC_n}cupoEj4K9s#E}lmU z&@$xzRhiE2<|g`(D5`)_0UT>KBib6mEW~n8Iaw)31?wbqkK~3ButgWrSZTDA_0gO@ zlEyj#={L%NcGc$r7wKSn>5veVEUqJ?&e{m<%R`7Dk@sq$<&u*k_IbDsV%E)l44f9~ z%DZIuiAt_J1?K!yM_LpOY^^M!#8CWep1Di?f9gu+Kjn_3L_707QPGCoHngHt-B0}6 zVP2J5D>It20B8<(^Jj#(6znX=IZwf`S*N8Y1rT4F#V3%~(AIqeRGowMh@Uy;0##=LET9hBG$LKmO1En;=*MwNeO>Ii=QShuF0^HiF7y%7Z|r?$q$ zTk0WJbCF-L5TzP+5al6F15McVW|D^M3I%b%g(_H3^|}2Im!&uVa+hGfOZBIJI81-v zy!>mIrB3lU;(c!&;)He1I;6$%Q4Ra=U-q=yn%`u~=M-l%BbZ%tdKX#52w&oOXRlGF@g~UGGl!-K*E;3yzJsY`P3YN9nnsuL`3k$ZUqJ1#3Mb z!&DLqUh4nS;mKz&qi$?=>kI1Z8)>%3fKpWy?FPC=z7C3s2)9rujM>w`!`JzmxKkQb zLPQh_AhN5v7R``dvQs%{2vrvhm~O|MygMI}o28>gVo@6!W{5Cu{oc295T-Xds^uR^ zN96MRlc>^T;|>^5L*4G-zxmEa#D7i{GpE8MZP z`A*!7VP8H~0J%AXVt{E)^N+v)9)E+4Y$IcG|Ix)9xqOavhH`3SLT;Up!Dyb2FuZpF z2Gk}I`TB&nfLZu%_U8Ey z3yvq0cfW9%J3ft|{1uIA3l8U!M09D1f4xiYyUVhs7f|Kn$tvr$@r9gD?KM9W@CbFP z6#AV4wK6c|?DIdR;&l!n6|Y-uYWzd^{=S8|yd=hPpwZ0n;|!$`N*Ur$te_V6uZg`O z(EwhH%50dP|GwKRM5HIKdzs+(I_lkW@=fu0h{q6kG4CF zt>#|a*;fX0?i zkpa&i!XqCk;&o~pZn&%lVzDN+RQ^gVN>oDJo6im0th*SR^kCpvTnvz%;`PWb;8kY$ zGdPD}eW8CM0TtXFA$j?9KL~9oq2Z`Gd|ADdlf@f+RaSDvA@lMueK7}$!a}CocmBB| z1OPSzuHHD326b7GA}BJToicOos!o^)$eyOne(rwQw*E$DDcS2t20qs34{=zxYKJho z4>$XgVw#&iE257_JzAVHkRql6ufhQew48A_tioVo#B`xR^qjU!&!!8OdcTXQc1fqe z)K?3BmyuS&z{AEZW@Q<(`UCVDqoySk*+S;CFQ_JcHE6#h4Cxj}s*7k{<5N0)M|okY zb8|O7;yARSIk>(xUsFI{$Uk34I7-}k%np-_o+!g}42pE8Tt1pjH7_F#lln4YR8Aw> zFHHrbE*q;>P6LF07TMcO7?ONIXF4yR_hcQI9#Va{Y1v^oRP(3fxjACBe5WM`6|!jf z4Dwt2DE0M=Kk3WdB&s*=+?onFdS9Y2(w(v1XcnnSLkv|poahv(x&899=f{$X@J_~O z(m&AqK@| z;WWq9WXA?$;N&y^saPJVsOlfIok&5~GSr>#rtIV_CQ<(Af|yJat0d#*u^|=HK74Q- zfyruO)D^dvhcI%^WK%I``^imA$ESV6Cg9ec?Db~VDIq>|4c-C2yC>2VUQoom^vV73 zC4cjJ$h6~H$_WyB%AAgv!|YT)3t)P>S*M{Qj`BPGe9!7Ms28zWKX_8tPPfN`INH1j zM%SInJc^Y4+9Nu`V%36AFMdhbCgmu+sG!Uk&!=nhyt1$J%OSmV`6WrDg7{@+BtFH^ z^RJzm5c0A!8`-QQ3P_peFSa%Udi*3Q&7B(Rx*NaisS_Z#=BdtCqA1Vl5N2?|1Pm0cBPuk@uV5ZzhGUtfhY~5hjv9Va8BbdWKP5a7R(4CwHbPm>+&+Yv6_-1 zs2|oP6dvz#QZx`8(++h=*B$vlfSFHXOW{UlAae~6Zt<`p8gco#vy0@~kLe~>iG375Q1P>{aq@eIPN7S+>tXnvLy(_8! zI^9ayZk(rr(xm$=wC^v9=%x4vuQq{`jO8{49Yac*#R5_}f3O}5^jNitO9n}r`*PJB zZJpRtQYgEr_jF0#Sbsgi<*_z+%-u2zMv_e`t?raEPi-Pm(N8kJY!^v zxfm=}`Eg{HkA-&F*tyHND*J}dwmH=0vCsUpbL;Zf5kEsu&?O&$pxp6gw_m%zwZNrA z0k{UOr8aBgn|1|6a>{s2LZ846rFr4_b6EMtkvzh%Nc8XD?H)`%z6F+4-!M<}{h0FZd#(>zi;V z9pSMP=M}6!Z$t={+WkQ90F*Vk2;}66)O?^`6Us0*)$(_}C|k`*hRcZ1QIHk*rq15; zt(pMC)t_#oJ`w33FiLpHmyw57u`P_0XXrJ<-lT!mvDX6&{^MMdT8Bqj7biW{v!C8a z>-gliUZ)w*>ycM)QXHr4p`WU^KoAU8N@xFA%?nB19ee_-zb|-*RcZ1M*%I({@E)&6 z`0S2(%?_{g1}%P^MFlWk0wfB)mt7s3`Ju$WG;9rnfqx?+o1jXwW{2lMk*3jX5%{V3 zL+`E%hfu&uce{%VDs=WMnmMX(R^*`$rSS32S9&hCM2}ILAwxkMIQ0-8YVKR+i>VDo zHSjMgT|^NDD{iGvH$tZ4gSKedil^ujr@8w_Dp%=?oAO_OUe;1Vxq-dL91DHT5lp`p zVo$G;kqJ@X5qn(|Zo$0p5#^>wVI^o{4(*}xjb@op*u7G`^bLNAyr3oW9VSOj(Z?;~ zc}iwOwq}D^pe8{{Im{Ih0HVcDS;l&mkJu8xLrRdKYw5dLLbRZOP>UJp{!0Ap7?U|A z0WqC35^WXM!jyMK5p(WItDi?qJaZ{Az`GfUt-q=lh!N^#_3fXXMax%pPTUo0rXst= z6@q+pz>bK#C0}(9-4qR#Dy%&>E)q+sX_L-5q(I8!eWaEKxs)o(&*M_E)#^+4?C(lv zW0<^`$Zh$EVM@NFfTY^UCFANHx6g%}vv0uUXWbiM3BtH)#?h~nN5l2TtN>(%?=JHs zo=F_3pvXauKsG9{%`QgZvngZmuA@nULgflLiT;Ke)7BIAjEBM19=$DBQ)HqLs%`b9 zo4F{}t6uy{#cVFGEh|cwxIu~@a)n2+A69p6?X08g8P$-re%p*c|G0Jr*5>t8x{sY+G&^M|B?>kukaLczOW>|X)QcOngW_VP1^+qaA-onHsLjJ<`u zkbmfYwrQ9%N%~>n&Bc+qlnYX+eA4S`-(Eu zc=;H+r0+t5ZIYrH+ih+&g*75I3GENNYw9*ed%0Gao9eCo2V;c1C=ec_yVBI10D`WB zSj<6|2rmV)S-A0orKxA%v)0#8B2G&e{Z8*P^5jcBya9lt4SPpzBU2_ z369jm>2n?hk-gpccIC5mdsY(Jz#~~L{K^@!Nj%BS1pobbIK=5u^+s8%AmM9G&lZ9X zb6LgoQ^MT4?i=3i>Q-e+b5}P4Xp={v$j}Fe5%}ylo8*(a2vFswut`Y$>w1;;{rlZg zHZq5pZ>6yvAK9lLeE0ZKbtblyw4=vu+C@z+5@Rk{PGe~+T7yiXq)1;ig* z|M6<=eze({e;Bs?T$mPxzwt^+!*cHwjKqA~MD_c6y2^7y z_?&%<)n=DW^Ypw@rDI!A$v!OsDvB%lyAuK$YJi)>l@9#_fcJM*uO~oUqyU-_wLa3V z@lOxp2xtga4p~8t?PSc{6AhkkHj=2+j`#Ma)L!WZdG5+xE82IFtEV2 zbDS#x7Lr+{9i*%yL%KIShlf>^tj?FsV>f59V{;(`vKN!iq6T^TDk>{GdWpwutmt|o z>!+(^3Ph1%H62}ZpX3^?pV3c0`PvlRhGMKfZ40A>B7WqV5|h+|lygj*IrHD$v=~Y% zN~m|bE~F@^Tx;6PkuPGgYd=+%k2<-Vw4@a|*Pb$h%|1>Rz*y>eM3Xe!VK(Z3eE|}F zh%)hvB<`<~D9II?DnWdR3%)cb#MRY1u7_s9zgSP}Gh2~C0 z4|o=C>MyN?YzL4*;TAszh7y@9(xStjCuJl)H7Sj;|2bw$alc!?cCWo%w6kb`dFNLE z^hOhujcq95I2S^9kf}l+??HrS7To~+XV{!r05Kx zgFoD~au*_OlIJb97RuJDWItM@UA|f6jZoH2x7z9p-*5FDNxB0Ky|)o8?l#KD&xgKv z^2tCZz(L^=P(9_~Vw<4q;<-aH@Wa*R zRsY>oet*ORdc#+5_QSla(C`0*I2CB$7`fRN(3Q8z-+v4CoXu_HVR@8FrUvSn-?qY& zzz5CIj?~U|r>C7kLvxzKPxbR&8VM7{ocQ`)ytBe2exv|o2+D+Q0C`4yR$rc%~_9o_m? zRT#3|_zSzAn6Le&Px=ZcZu9(0rm^qEcC{W#Id$TqcgiYLNTQHVulQ?e5B=g|IdLp4 z?JZ@ER_B&U7FjJxGoxJ{&0&I^;lzURy-BM9vwnF{yyu%@J!i6Qn{?d)pz$MrPS>yd zi^Ag>`{qlm?UjpJt8O2`({7J@N1b_b;7|6xqv7{IE2MF|M~E=I%D9 zH}Lf?y}G2q&umc#6+!WSXWf<8_NrY$AO(=R@*TE|g8Z2eFvlR!B6TWX7o zy`}N?*Ek-=f^sEuz_;l=jqM>i&oqrHsXA8s;#cg3JlS}Q3 zWaS4}p8P6l`I!>(!Vn)nSpMe}fu5G;ka*APSovy)$Le@hb|}1WCQe}dgS)T;_;AA4 zT52ig7?ru}?RfcMw*e6HJy;XsA1J-QsrS=u_P;R)7$^cH#rw4bjNXGZ%WsC$7FFkNNgV*BM7m*?uyR6Q=#q&Wvw3JE9d7plpiuU3!9px)6 zk4+Bx^87a#rR?_Gxh&l7Wvjqg6j_Jjc?LPQk{*9t81vtO0v zXC60a8af@5`3dhk*hpG6GY@wY$3A{giH}f76^#EoVPTOdYIU}W^V^?U02n=BvFMPI z*b>oLY@Bjh{?hv=pm7%$teE?LfRQLLuih-I&_%lR_K`~5m3*GJevMM2dS!tKZvWf0 zHo(*YXKMBo#Tqi|o6E84ZnWL&zBk>*I3xj%wPF7-0Z3Ip*gSYf7o-p!Mo+G>9)xd- zg~t@S&9=2q9*$wS)p?H`b1f(VbXjd>qqdWX->kl~hg_PRA9}mwB60bH${cR82YP1x zwxln{!=lNtVR0i&=Zy}iHJQ~;RAh2-%peiOgS$=-WU`#CfBZhu#MIVwoY5Bp{o zLEr4SRd}Am)TYoMurn1BHfkKncR0{3D=k>R>*l7lxsI-*iI$leHLlw9o|M?AVX7Ax zW+(v+p7+-#&{`FLr1t+fSM-X;S#c-+4%qL>Y{G@4(@Q0n8;!t-sOl zdL!HOIljla#@XeQG@FWybl$?PoJ{!MMAlTqXd?7TXltEpL<9BEw=R8BLhBo!7p_1@ zD$uv0=m{Xs>P^CIeFA6D7{g`EgEf^}Y&WyK=Qy?YNe6b7Q2p__L(x8@*#Q zr^~iC=RlTcqt3Hy{bbNxM?=|gQNRi8Q)V{0U2gg*N{IP43ix_-{gAPkBGn=S+_L8JU;MN9r?C6B`d|kc#E6?yJjTQu~qa0a5PL zD^EH}wUfBF1-#RBJeyk@vyWZAGi$=M7unJKb9Pp+o!DF?)j4fTOi0~uc$%o+5G>@2 z;h7xTZI(;^>^qN+zLyJQj0msZNL63eY8gmR&ea3NZdJ(aku2c4a!UZooTh8AlZl4= zMy}CC{3U`|%tEdN&tzik%)_}VLL*i@W^*=;b~uY$|31?g$0;MB>(1 zysK^z&$d5-5WkKE8P#;O(|}UeELbdr=7Y)JQhzKH_^owBrCwc7-df|i&xKtmbvLnD z_|u7|k~H^rcbl|FveG_V|IC+8AyU7i(Qlw3!~SV95E5y`PBpow=CeI{bfwzmA#{>k4 zsAiv%TlwfQcvm^xyw-cbt9jF5eV}d`T9uP@x4#U zub1l~l&&x|>9()b=G$v8sXNOCQph~$t+4mhVy9c@89Aic9g9y!T$;ngvE{rfrySPT zg5rj%(6s7WKZ0mny<6Tm*Nf~!o==0iF(vMdSXIs#BI(d{+ z^RbmN)-<8v8^-*3&(AqEOC8zJ7X;ZJl-E(W;piHlt|n znJafN-MSxLc?ki_Pp?jUFJD=G_5@56a|G_Wy^#H|f;WzNyP#1!)|C$vRk8AUBT?@C z6U)O)Q4)m-@S7c+2Yt=ft*R%=#`}wE7@$yLB#K#XZky#Aa4p^+^WA<|&35B}W`W+q zqH|dmRUlAYr6{$SO1JK=d7KJrvt^|U!?K;)eiy?0rnOpqkraNk^KpNJ4L;(zde+<> z5Yy!|X=A|$nXkj|N8H>0b4QN_nyd(_;XH>CryI%zXd|0{wx8vY$lK_%>;f5?XI~PmfdXR9j~Cmm9m{5CtC`D4GA#TFFYaN3pZ(1>s&tSRX>bCObrW3fLm)MqGoL)q{+JB;mL4@S zDwhS_3mjOJzblMJ#jCJiQ=nF0-%ocLZMTP2SQG2BS!iFR>Yea3Uah|FCBXTLU#Gk) z#5auP3c+$keuT;Ey-h`K3hDIir%^!15Fb0nif>*0;O@nw{^sBT}H^GVYyoHc;A1 zcvJn@=Lsxm2aVL(Ohl08w=7a9UMg8=OKuryS{Ql>VLz>jpwzvL=8PrfDs}tZ0Fy!?%^+cFKXY0{BXp zZL3=3qaN%WtGYY*;Lgd7xcWb>v>=Q~4R$Pp(!RqfHDAkQ>%K}UCrC`VHN@?s6Ss%qrdElIjT!&}70~nS=g#le-~|!|NHzY3 zlFzWyk6FsR9yyM}5k9|{0EVSMG3xVtZ)tsS1D+h<)NVfUaqp4tD;x5+`1-@$_0=Pt z+Zeml@iHl6Zi^ZPB@uQznj&@3(m{L1 zZA?8pH>(Q2DE$e&^!3=+^g+&_mCBtS$A>eS5UCj0!RkD+mru16-zLmjhyTX)cD|VI zJqP%I-SKc25}Nh?he_W=+DvRZHtK#f@yg~rVKQ@nXk-^#oYxZ@BZ)Oj;{MSMapYXT z=MT(3YjO=qHHwq_mdQ+ba?$^gNuXx#r>F(oa2#$_*e1FWoUr|sw~>mQc=LJdmO<^$ zDFLfy(YQSYe0y78%n>{3Qc$HE5d+Y7HPCAb_s3<{U5O zn&BBaL?^+AjdpKh3%(c7R^KizKTj4P_*}Lm>x_|Qy~7{KtV*-u6JSTmzt7T+dEJwo z*12nTzy4&Yx}+()dM3{6o+*H`>(!S+_x%fjD^DmiffCXP4;=^?$0eCk#4i0-x_Tf=a%jo-agK+4mv&VL^lbj zz>r6>^MU(S(??&D=h5OL26Ik@Kj=$Sgr$%A%dYT3uqfY06ILDu7{iH=Cy#VFS;nK1%ca`7DbvqP3?&m|{e3+jo+x%FXUrhvaI==&XAX>(;K# zj63lRgQV$g^@u$t#UPxzEsENE#kBN`$krouV)o}gUa<)!0wVZgps_8{pRm$xw8gs# z2p3p6jQw&Mso#t}26zuz;hN*q#;xjdmWXSe9_!SqQP*dSIp`YuH52?lGJf#+TfeFX zFkLH5|DWo79^#qMP^Z&%&$$N=Rp+QiUDCMc%)%N-L&6||P#ZX)(;u3PKf(=w+p}y7 z1-vK@5>rG3^7tVPu4JOS?XUL}??79`m|oGsnU~8;?akJ7=wugi3H@cQ(Kj>dcJomc z_`d+7$)$!W{DHxzNZuqJV@wvE8lE_iH+>w}{xH0$%t+yy0wdbzSj`myZ%49mKdv zW@BzA27HVFXpe{lif2RkBu-HH11z`Z=HXCWye;2@&A}^#NY<_xxOOC=9}nQzUrk1% zDBS3{b4+(x*KfOfyks-UpJo<|@**wxNGPFPTJ@cb5j_J^5z2WK&ptAv`Wxr320<|7e*?u3}jCx5`$AC`m)=j4lfbDb2XM z5z+JLF3rmDCPrHd|EUgR!dasD0CRp=(8S{2rCSna85C&amqgg>UuB+aNir>*(X+61 zBWb8Fs(8(*w)E}UV!xxrbYF2C!I5%dv&toDXW1tKCq_dT9Wvb4mj6usO;^@PmW{M~ zV9!iJ@U`NupHtkMZH5+8K+9BaV}ii-PZRJ(??$f3zOrZ1h_-;Ny-l7JEtj1zA3xGo z9&}T4%h#PK#;Au->jY9NUDGBjC~iZGd#a%4PZ7o=1!by7^{K3&PM$|P(IB6$7q}_& z0L@i$M*9eF_V;fItp(1(7d7WzK1*S?bnW5P(Z3-wTg`X*mv7~Ksu?=bJCdqkI6CmV zJ2hK8iY(nSQ>u<})0h7?&`Ji2UB+S+qoF?AP1iHv5|k`r?2ksmx{3sn+)(`a+-|pJ zJHG#TB(4YmWuy-x%Ftj@HC2TGpbkrch5S=b0&RrERhg|nK%XjVP5 zzkEmk3Ik3Yk5y^^zmf~`m&T`550ZP;t#EpDUwlJkKv!{#r{c|e@>xwqT(upI$LOpy z$NZcMSe{AlFAtaOnTN9i>G~VIvC%|z;sK8?gdk`gi&TMA8jnG4U`Ms7zJ(~kbXD^c zQ)%dMj;PF7ScZ4%l<3E4Bzf!<|`0UG<*j<*GYxz@yAqUWAF#0aoIEBk4e zlMcsMft#ZKoc(91sY*GT zAEIi2rCn;~^pcQS9^9iPa`;gsS;X{_=b}uRvvg>^_ie@#V)o|fTJKSjO|omE)-%1G zjgj}yeo`2@wztMOLoW6sN=}B~WcRXqO&3qi1Cow6(Zs$_NUBl`v;X*=ncpGLcUKXM zUbrMFDkfcEtek__3k1RJQVJ7!I?8ndfb(OOv0cIhT0tW58b-`(Q-(!^i9 ze4Z~?c2k^ZNXbP>D;_(`zM=udypKmWsRO6wD<ISW=^zm&bOx1I|TQeW&T&B*FxI zv+d$IJI!2Le69MR64TqNGRd;gVsr5b6B-bciFKbcEmoNL%M=veihIV_pO#KT2#|Yh zPS!yEP6b4A1OO2_OM_GH1Pf}CRYPax+-Qv&yeb+cV1QbOYMZ7 z#j69^vpJX9D+G?OgYi{UY$tGoAhoq(U2LI|QhsAFKHeG6nJUt(8T&Li;DOx6kAd@5iUkvJm8gz^ZoTO9 zWQPxE>6*8=bIfWq-#23xA%s-u4b&!GkO?6!ni!OIX{uf$iOp*b~) z)GPFwwMQ2x4}Es~avHCALleBV#!E*I-xWaYLqTehY9Rz1rXwq@_)ykkx&+54A7914 zhmx|gW|p3d-K37msC=5^IzwWZCZXqMNZWraZ7skv!>7xknF z@KM`T{fzDvUX)VL=}CU_ZSz`V9Jv^NY5i5=aSkfLVHV#D6suVdK(S|;M^KpRfG%qg zCTNjqwQF&Xap3B6gv{=blIdbn?vcy>k?oGGMP7;OY6l|wuROB1SzcU;Iy{?7M-bX> z=#KzSGNs=ia!pYBiXge?sHQ8}cTDjMd4O&M_|LVq1HJGdvkvIUq?ptcmS|+qFZ!n^ zv1J|PnA%@tJ3vKdt+LLxSqFNaknXyE=JrPu957p@l9aVN<;U{`1qvs0O?c!__@dx-C-Cjqd}rz5zKqq!p4vVNJ6 zg`zu;aY00JzSD-)_|5GVw_zT(3DJ|q2IBL0i_(7X`CHw_Iv@S(^1E4_PA@yDdomti zn`IR*rMRwj<*Bk>tve(^bM|X9+sG?!l@B0a-zS76ljt!6DYeoRph)q?>gvb9EwUQr z`eYqGnnr?v`F)XW?jWT@hUeNB{!5$f{9K*Ip~}qGWDN@Ri67?Vk=m?V?l|_UewG&e zDA-Jm4wqFKTB*TCOb;C2tEcDn%GSW%b9SBXK`^g~pf3-Kz*da#IeY608yohziWJ$65?Ih;z>k#pD_{rEHWyQ=d8zi( zTMfibp1-{@W^9|NDx=-WiHs)L{oaB~>^F=lbeoZdEf7z(hy<1!hR=k5Nnp+l-?%)^ zVCJkfXacD@#4|$FnQsWBqQ%c0eDVYGb9c=5*W$im@Sbyz$B_U;?V8FhjHwA^6nraq zb27*xd>Od_P%*S1W_ba?DcFwg^`J4*yYnZEM&*{%gf;grYRkujG-Mzewknz;)e zu#ABE4PL5a!~5{0gT%fNlAMM++FcrZiZ}1|z1~)yrt?(LZKp* zzk<4>Ur=+&+6oBs;AysJ+sl`E+JTMEB{AWSDG+u3aA5*K?Yq3)n-(taSc(IvRz08N z{N$pK1Hq4x!2!P-C-*EIes>$^t{UAR3LesqGvG??y9L~xtNcO{Cv~!zMZo^5?#`0cLg?5HDpXbN=Gw`oTB&qd;dHgS7WY1Qg|PdGLuA36J<5 zaU?Lg8PbUt%seZjN#*ra_ef9_JN+ab*xiI&GZ(lxVV=!)8fh)el$2juqaDC%&}29w z$R$vna|3)R^=AS-${!UCTOPES{l=OGscMBP^aw|H0B3=p>Ta_I43J-@{qkggJFo)H z<3);r5Vs7wpnBp3C2zYNYW?;dh2M;Q{RmfyS_$Nf`2m#|0EmwBO>&5U)*O}kE*|JK z_+VmDfPpOU2fb}O9DQ;EGRK}VgcUs+c>pA3R}ThBctF0bsts-46WUyeLpGwD&aXTX z#bvQQ>K4M+lQ5N~_1x(gT$;ahh|l zbo;Co1CK=CxYvC)U{l*7PGa&~0n@{G*4q{nFz1m}?fsEi{AIuQ$0$@<+vA^X)r0Q=>(&3(&w^p)3W8 zJRVnm>eZX-1|a|kG4;hu+zI8T7$uJCVHcRzlGdVoYFaF3Z;IF7`L!_|2!Wcmk`b0$ zcn@SNix1%wfG&bNqWvVN3iz%Q{SkR@2P(*Ohi7VSj7a6&O&m+P1fq5G<}Ns&E-ZgX zeL|bYK67gx&xnnb>V9&`Y76hQeePoE9qeOI1y8=&be zZ&XZMxW+3tax9QJcG|=OMEkP*cOTU^OE4A{Su#pNBK)LSAhwx{#9ctpQDv~OHD)kg zF)}X|?z>@PBI$v&0pO-A-@HH5L79saIL^jSE-9q0P2KBVbhVS2IeX5#sS_^ASqC zny_VGd(-2FhqmR&y+Dnb`^){hHORN_EG;gUXRqb3G~(lH;l7#vYrm`riddm%!Z5b* zlvV2WVb497)85Xk28~67XvY{JW+PqHNb`LdVVcE)4?}ho$IUj`^znm6bWp%KNbk|g z6xNc;S|xpz4i?mROA_pFV7gHbos=Ogkv)81CmqU#nST&GsSS@$v(Iw!W`FSQ_ zd~o`M6Qi*1db^kgx-q?*zPP^W3m{#uE~hW3Jgrw07T@G^r5Y4b?7d%M#KUqO(;bPp`HQn)M{lqEsl*Dd0)r|oV~^Po$V(7e(V_M5xTzL*tk32URK9M> zJ1jJ0WPiDtkm(fO6oAwhUfR@a8+3p7?0Vl;w?q4awf6o&0&6_qAAA2o-t1!C@otX! zY(Ce0t3ek9V}V1!eo4piABF_NhnC`rDun&-3<-+94=Ep)@~$Ee7GU`gXlyi)%p*VY zWZD*sXl(=aI_YnRN2@H0+z71bs4i|;wlC@K3iDXr7|syr*gN04eRPj_)GtoDP9t`j zImBX%DK#ki{5_aL+3u6f3NS|^L+p2=qy#FGY|WEvfuIH45Lz{xuLSu)Q6Vi>lu=XE zk3T8mf;z!q=BrDZX0PxKb(>IJ6-}^EzhAz9z)9~g0WlAf=MdYBfpMso`=x2|)mC1R zibp5mra3u=!C9eCcnDwM#)mYbP{43|12Z#ePxHKUmMBK96=tGN&Xm;2Q(cWSp2 z_}9+NkeoTY`vvp;aeuAGPwOpG%#|WsH@?DD83qTM3)uo|U31n=R6;wEXWVYBqjr^O zZ$DbH4+W%zk-vTcPRTc*rr^_bn6UPJgV$E-fS=}SO6k0g>XTnC(}WBJ9u=*Sg1EI~ z43vo@vt$JLiYsI;MgIQ{PyiMhje^}J9h;IOiT9fZq*Q5 zVT|w{Yf=_1gAn$%6wDx{3Lsu!^^S`P4@8-#8gqw>h&cJ1t5qYXrtL378mIxT&EC~q znGE&&n}FVhl;JR6Ithk)FPcULtCpeMdY-^9DpG3t-@uK7w*Wfku?$Et^Vfe~>xLH{ zB%r9hj^_0Q=%;T_wrf>gtXlMVlpPynEL!I5m$mIiBHUNZEdVTyK0%SXII>4_z(9uo zwSCA1y53Bc_<`puO_#fMznOOG+OyeN0c;}65!=S>nd*TyAOfes?ag$pWA>5`p` zHIwGU;ncqD96OkJaA6ea0=K}yD|OF-Myqq|+3?{8$ z6o<82EcvNCft+Atm9rt$%d^Ai_Y((8QDp^w+q|#@oSV=uwWW7h4A_z70eL!Q$!xxEv1@@i@4QnVckCxr|!44c=dhecQa1= zMf`qwlqU1yDVpRk?T%DGGH8T|1pl6+TZE?*In};>goqk#N;eEELZ#@o)pq zxV?&`o+`L)kW>!a}o7D0q)d%f|3h^}Jk?!Ls1|m4!viLkVXYWBT@m{r& z_aRV2^pO%lJ>f6K$d}59Kag|~@W1DCxd}N>q;ok@cvB`E?&e_=f0C~7>aHtG*hDFy zA=Hp@T3kWT%GrGdFe&P7CeeZsNZ#cu0>zPNMBlCdY_1g2Lhx3)}{^S8*C|Q~!f0CpABiV_H;K~s;4NCQoL!V9itaRLd z8_p_)leUq^0w7TZ_SQ~UdF9WzG*4WyFrpX;ev)}=y%}kN23EYAt3GUgBxxOSBkZ5$ z6E+SOuO8ucbl~$${GLlsc)jmv(>qpe);9tDh2?lZ(JG&}maRDlG`<`G08e3g5bNCW zceAU>pHtK~ObYG|Aq6dSylWGNQ+|_jW3|c7#>e_J&#W%e#Im>Yp#TH_gZoKa$ot8E z#Q?6#>Hr~sGN;+=EXOdQ2kl98+{4?6#OObrH1Sw1WiukvoKz&$4-yVQ;}?l&YOxrQ z4N13-{8V0$Ny3eCnK_xKl$O{XBAVw{kaj&GZX)WNHFOTkiIP2lYOy2b4hI?uG#pWp z^*gX9F7DW6DeANU3y*lk(6vHABKyFU3XfsH2<7VKCwzYpD<;3T-cI2%G14|>hEyuQpq8lkaUMgeSnP5;$hLeF?Y zRZ&@nV`k`B?%?_1W@D5CAsE$|5tk>LXF+mJJ%zGl%x9B|=r?1_c}_pqz|#FPB#2mY z4riH^$dvq-nCcLaCiww~tBV(eD0vBF4qV17N%;avT()$4e%ibv!mIhsqFL5?)?DQ+gq{D5_PnLmg? zT*rAyY%CAg_=87i5N<64B#MOxE?)=*XEx+q6$XU~v;^k~@c802Z)DY*qlX?FpVsm* zr}^k-Nnu+gvT#hz%$8?~mq*m<%Vh@RbP3T$up~b<`@WX*#9-e`TqopHh_nWenar!u zmXk-%GTo}WvU=kV>&1^Ze`oX-vLgqQxr87f z62da@3QZ}FLO`c)8x*@9jg*AeCV7b+I9kMaU+TL6@5#{e5yg`v{falr&s}Wu1!|f+ zNbu@3;U8>)9AIEqPod=VCg!sSf+7K)9dj~uD3^XHE=yYehr6mtIexePfV4kBxg4v( zeu&bzwEnD;B2m-6>>Ih80^K3VFZ56Ro_@4AK_;=KfSq22t{1sDyYB_sS81;GqzPm; zuxAk^*`LHnpT}r$#^K2^Nq7!qIOu1|%It-%%Z7};=G4dSji>VBg%Z9olCVh9BEMU3 zJ!}Su@+C21%NKYZ|F7pSu00WVI zRdBZ;xK}Sjz)q!9-1CXu|(YVd0g+v?ozn?_;jTz`dAJK*4#SLr_>RA(ievxeD9?3YdSaJ>S0Bqt zex`nrN8o7Q*XL<#b^6+qi6 zwa?%kCg;`2=Uqfz+bFWfI9h;@3-ux`2r z<=t(H%U9DzuryMM!M<0M!ioyc1XP#tfb@GOYi9nfj;&OA5uRPtC*g{-3bx!Bonx-V z0etDwo4#4B25yu71Qv1~RuA>(9&tSPwLPl}Hgwe*;s@@?gpT%G96(`*091~%zH${lr! z!~y;6E=$gGOTwOWV>HpE#Q_lqD6qREfK! zJc#eh#cR)jlqOPgPnsJ^4}^}sQ+{2uvB*lks9!Ac(cdu7n1?M#Rh z;G?!oj)#0@dmnlthtasg9$vVXbxx1(vNE=5N2kp_sq%c6s*Kt*BE7d%Ro@p`9K-?} z=LIDK*>E+Aq(CRByuftq`xjrZbleBz9#;tR^e@iWA0S_m;z4MoX&r_p+z8nx2YHZ` zjU5j-f27=KR~ult>_e}8O6o>`^EMYMJ3P{XY=wKLc`|gpRTnJ?F`uGi$ni)dnnD!m*v9>#>?agxFE=_oG01%zD=&nM#uThE&x$hv{|<0l0=p9P6dj;ru* zPck4IXu&7)@ZP`jz_uu4Aw9=BgBb_nBek_NIU|)n^};fgntCYAQw!L#eScAy)e!)0 zS_9#8++Xk*e?%-oxRehzQHMrr%-LG&R$luKna4jIL zI)YfQSUof+E}X3*&~_@60bU@2>x=h3UX?kKmFFsviwWPWQUb-Y;Zi+XeWN?a3E?F# z(^pxW+t2Zzaq6~?9-B-V)A8?wz{JVC(>8}TGk~bI=@-HZ9&T9GX9Yn^MfhyTg|dUH z9J5UVHig8E{ZJc9P&jbQp$u$9=aQ_>MZ-2Ug$-;kQI>kr6;lL&v$N@bT>MvO$MB(c z8y-7A{`TxJ{t@X_Jp$58_kr|MyQU?Y_OeVR@Evv&gYR9PQ;_lF`wusTFzJda?3?mI zS!YFIK1MT&suMZ)n?l@g}QM zTXCff+Ll77R(es(i79ho7Qy;>lcJCEd415@JMpIJVj!`ZR4@V!SKR6d1=s?*_>3rS+cONrbugo|idv-=Z$#7_O7u{VaDh7Y z*zU&`o8A>67hxmM=NtI(@{CQZ|2EIDathD-7&4iZ`QDga3J~2s*jn0l_7Ekn<8~)X zzzNYbnQ8eGtfho{;Q7mm_vYvps(0YL`3#k5oPFqY6(hh;R@?*6DBk7@$mfbJn5~x$ z!&yD|nY>V6*R~n?wyttzx5cH^EA#`PV7RyO02vwUHA!Vo%YSV$@TT_z01Sm^&NF`t zlt+vHGct4JBLCm{b(>NueGp8f$@fSvYM=3H(%BT8@WFL^{V{I&peXKethgDVrEtFG zOC?y(Rw_OjWni&M4B^s96hFXUi2NqYozS>5u0l53RCXnoGA$LNbt)&Y!vMDIe&4b2 zO+IS!^VDlo$(B#{>f~+X_!3pzumL})S&vml+HM6S)U8VUW^%+%9+e{eaz(tz`K6dc zCjHZD>YYIqgOl_qZ6?SG#iV%JjCkG^T))>d*U15hZlItAiBU6rtN94Jx!fFE9-~Wr zYTbNmrGAO7VU35kb#u-0vgvr5_fLY)Ve`G57bws^*taT1MU~@B(|Uih3}^Dm3rvt8 z;jv_$Vc-68n9AbwhtQr%e^A}lN{Fwe;{xr2gSw;zyYD^5uiH;`yRohv9;h4I*^G>;p4zy=h5r02%8X}dV#xZYW~ z1OAs>>|gr5iTP5ZFVb~}N0xft%qg8YKFp<#Ep#LhTWXBEZxSWOXT0o@q~{TG)`4gM z=<+}aKX{~_Zl^dSd&dWvaXEqyyIX&6X)_{T%OR5_*#ogJqSRKyq)rQ#l@z>M0bgzs zdVK+xW8&36+${gDfVmI878&|At(m{5n15=60^UEPATa^;yHi*&J|9h;WEIMq1?n;l z=$}~tZ;uns)*ULKJ(N{!%E|WM9xuyM)N56D1$Fob%8K$O)1MVWrB(LuuHYTj9l2an zGpgnkX-*p5fC9ILXq9D*kA2!rmCAi6uH~<@`v@cu-=i9^AqqfnKm+vT*(x%4CCLMM zSD{mM=>3)PO4a`-(c?GZw~dIVXf+_ySFkE4a*&AYI+XXX5qrrS$sg;Q_y4_j^M?1wSg)n_M$D2 zUZ>Bswx#f_&`I01&%h|bIrqyR7P9X)59AfRDh3^?Z8Ob-E!lR`)N}yz-YD6$=V%IF z2RC-~BL7jx6>*scL9M;9e%JL{mJHeh4V<9}fbNr&#Y%6~N?5mF^8gMV5|#^Gs6@FS`d?ZNl25A252pGMmU>maJ(*Rky8BY(PCw%rOeW)7 z&)>t3J`PZ7boP4b4RL?fZ`0CpK${6|FnU~x@-;9sKR)nl`pe8fgvV^;>Ezr=c=l-K zs&>O_Dm3v}Z~DIgtZ7++m5cv2p;5fIUFzmxA&-N+yQgg9$a-Vmv^o`!hu~=dSL#%5 z4C%sF-$zzDkWuHI72(0kSffj$ zEXvgUu1C#WGXUj>t}w`a64gk-5Zw4~0M@YQOAIg#rQ~WA0t`EmtP`9huE;YBo;Zs&A0}V{K>fYaJ1wlw{5vvCk_&Of^so#fliRYq6A7ju5fndigjFzqLkXrYP zUklUfc4$fbuHnsRJH#Bzsn=PHcNs}jY-ku^r-^3>2;Yhn1)Vk@%{gDBSf)74gs*#^ zch7Lx9=&v3^A=ydDi!bXV-8?c>K_C0{v;c7uN^83G&T?LXTy1|!DaV;1n_~7GJh*S zN3}BIvf@bfLIz1CY>=z{w&@7}Ws}3+^e=QS`};y3eZQ0FI1rb|nh5c@rwOfNWh@;b zR7wx!=H#?&daImvtiZX*XnHLgXZ0qv;$k*E3Ay)jOS024>}W2K3xTy`3H(1l@hK7n zI*{@y{@ObC|2iK3aR~mLnNN}^inIvjb&tsJ>jut4FhMjcEbR#^?+BKe**fe#^nW=@ zJ6hIb2A7QK0kLt<$u^EMf&aP7HcUKPr=_^!U9{kNRCq+g_WM4Pc62$96jV~Su`DWl z=NG6cZUkeydP6>~X0d1<^be_V6%QXjX+BA*8grN2a(zI$6SX@6;(O%J7zMbg^DIv) z4D(8NL%zB4z!o_eMu&aNr074UpP$uob@BrP*m&Vf^N@)|;N` zIbE$ezDarPRLr+|$dvoGgG|Q6mftgOFE`W1EFE%x1aOW@B~;` z5Xvo!(0{i#g4K&o)x|Q^TXw&mYpduOI9y*9m08Y4Z`WwmnYlEhO;_H#p9Q&J9UIq7 zacJ~}2btz1Lw5^WpL^a5-W^4ifcH4jT4^Z9a%;W~25Cf&y2sAi(%d)}Y+duMpE|Lh z89D5BHQ4TZTwdZQ5w;j7>z%VJhs?ONf+d#9Rq(YPd6^C1Qo7?{D zt$#lG_e=T-R{lpsT^nSfhVhSRBYQ_}2H2h<^>xZe$s7Iwo+8FN$#iFY-wky{cq5j+ zGIT<*^PXw#3=+w_uyJ|;cGb_ltR5kA5xHE}kptgL6gRUD{TQpr^As@(V=-T+W4^>q zf6QM4XCPz4T<#Qrn38S4D&ux47;9gCs(*wejw|(i_Gx0NSU=%L&dxNqzig^~tF}h{5^1Sxj>X-dg6yf^8 zXT1WKK}j3EGBtXM+!%Z5Lq@m1O;pMJ93vpwnk#j*ZNNuGm_BBO_?^t4@ z)ZcP6lq!jo?#&LSULIEF`1ds{UydPzYk#TCmwU<1G2_E1(9qR|Fw~B^I+Mh1y&`JW zH%}YlO9MsK90!N?V>52?ju=BS`H+MpphHk@cK_DRv8NFE&W#8p=U$k1M0$QxS<_LW z*7)6biMJoY0E3>px$aQ=Dq6i*kth!>H%gE%2~ zv7h63?{TZ%td(xbV-qoz(tk`Tx(K6kj7M34zwYa6z<@vTkwjIiw(Tz3{exuT>pH;W*~|?GD&F zA3WaS($K8xK~u<9mW$%`60vN__vl+r1_gVkGui^K%`e1|bOK!p(uJdSYPu8_LI=`j8De*O z#P7PKPb>3o3S(3m1M(o`yPvN2NNp{(zx2|cbPOFd z-gU~D+1p#e%vy&5@40cMoR7Hpxa#FOwZnhBpwdNp|z#T!A`bZxS zX#mL3ohD1YNh7%aZqD5Ai;sXQdh2;$Id@QA!vA}8wZfIO0fEY@V%C|bt3n0O8}rFi zG(t{&ed-uFoRq6f-*785D1W92nSf}punkNupvUoO%oY4IyD_A+sikVByGHzW;mz-l zfb)zLt2OCZt4ZH!-(k82<59wX)`eh=o+H}u3H@&71+M#E3g=?AC)xKjcEPN`=lx2f z7mKIXS&Z7jIr@d>q)w2hT_5!Mu9gg9A%&eB{N}3)L_dpIT4LKtGgph%D);-v)1EEH zJSx$ep^QA#C~LL+hTXn&m{Ccw807fNZ6x*SXWbU!0w(UQkC#i?0SQL^r?So8E{AiF z+Q2RM6xeudzii@2Efyc`&S6j-l)t0O6g)(a%n(5mnx3?^fD@ zppx;{9FQCf=5_v5Tf{*Oa!R_B8FfEOJZLsZ-L-1wfr$EQIv*5>!c!KvHRnucfU?s` z`tPd#=MwN14f4VP;nO6N4gUL1`0w9I^bs<|28EP?fCv?IucHL{7Mvy;xbk?Xc_Kd9 zad~#YjIS=nHu|sVK1V&GO?WvASZo>=DXht8Z`w4Odeen#EXDR2T=Tjjke(j`r#zv6 zo@6O_SR6&M*nF0HJ{`JsBy78Hm`4C(Xw_#^R*g=l^nUq@UxFu3VjV;-!orBpdgjs( zd-|fAoZ0T?1>;A2kan9cl}@+5qQ_JT{|f3F>(JV}GS#k5vCCt_@UV?bTQjJfb2QlV zEO?0I-H4C2LA+R~svW0(idv;n*vB&VuJp{vNH`IPg^7lBvqOTgOe){cBk`+?Lmi{m zZoRrHY|x^|#Uo<-%`Ft?>(k+K9`7^732GXU?ZWoCH#PfdV?x5PC1yR3&abhW!dk-^ z(*09Y9T=hXh9hB?zZPV%|IT_u>k*+@@8eQ^|1Y9>?@`1w%~91pP}*Xv#G#X^h+uv` zjDiY=AqkWgNsEf)&7-@+0zrLltv)*%*CBIaCt!0FPaqq)+LEC3t61u@h4HPmUWfMD zd1ruhWViCgC`I?!40EKakmA7tZ8JOdD`{odpsLqYLIvQkVY7*Wa4Y-IVmc8)!!Tpr zL+mmpE6-`aW0%!==FqG|67x=LFkycnK)!?e;LfF$@HuBw*-g^|@nii`|+#-Ds0~N~{*6`zPbdFJ2Ls zrUiAbRmbVnmRdH5E-XMpYjIW7*~|sCj`#&z4d)2JUnxaI`;XpHS)Pqn)L7O9!*`NO z2i!In-S$gH)hf*25_^oKB<%VtATCM!T#F&T5@SJ)v5Rw!HefX7-7=2ZU_G{^*yxpisnekAk`8bDE{VuJ^7F6Fo)t(0#e%w zqn9jtwH5#oN$Cn1`ZOw`arvWNv zJl7v%!iBm_00g%~RSE=cRY1RqXL57Eq}GHq zceXu2C%nce`!>)Ajp*%5sCmrgt1zTCK(yIiT9=zPl)yWK4s>Eo^UB^1sOZ7!90v zG}0eDRR__yE!(EjD@yq}SP9=r@Wv3o!vcB5dc!SEB_!0oeS`e6%nMalnR;K-XbB&x zd6nHF)F-_43t}`eZ6kBRT`D{j!(F*aKngm}kebVGzkqxcz zfAV8midBkt;$8TvyM#QVZmqVK<;az*Nzp*>*>mBZMJr;9s+JrTM5wE7bVAwT|l#s^| z*`2>Vo^AT#>92tVXi|W2680cV1M-CjIOacD32smde_XP*{_k93>a`C=BFwTaSa=G6p@N}d(e|TnXDy_j@HDBWy?IK zmtdXy^XQ@?J>w^_hSqvWZ3W98b}JK8aD>-)iDu6FHY$Wax3;@~=Mm0DYGaEMhXISG zv}0`t`x42eDx%fNt3#xAEmX1V+mcx)eH~aq@^$Lj}hCnOpu3ek| zdh+j9Al(e}A46bUREK140G&PM0E#d5aq*I5(5WwaN3w{^G>iha<&EkW_?eCp$j?t^ zy&Oa)_LXyv&x348 zvd`Bg_6>!Z*Snd+-ZdABUMjSfliFpiwhIhB_J-ap36ZQDhx2!kfG_p4+_%fSX|)mf z91rFrJa5{S*MmyWl%8mvqK>iD4uTsJDWz}_Fu%@+)uPwXXGp=+%}e$0s|9K=l07j8?@H#N@)-5t!7k5^fH7OA9s^pSv6hd z!s?;B^7XWJ)XTHlTJNNKU-QIKU^X9VnXbp|ML`9sf%8lWQI;xO=?3Pyg^OQ9%#9n^ ziZsC}n%fS=G(-VtSfJi}*U*yh41$uPnT(-Ou8l9eWd>82phf3XEgx!C`QAoly6W)5 zr2%5*k)5u1Y!E&t*2l%C!{x?xvnnV0sV1piu&m*YN}W1 zOVNER$L$ZB-xlBi4YeSVl0PC3h!eD<<`k@fXNdvD_V+#(L7P+#Y^S!RjVj@MG3erLEJ>k5qnF#fZWk0SEps&OEp4kx!+H z8ou}YN}(bgLBC9Gwoy>+H)9CYD0Mhg;yZ8w2wDtrws~o^7-&tg_MFt@LOT94T`EbR zoN-#D!>7{WTflt$nx{{h5gA*{aKJah@#oT=qgaRb;oVG^Vpc$S^|Ftcx|*czc1(@| zE%bTH&IV5TLF*<$W4+_O{8KN@#zZOfAN;3}ndW|qFT0LsT^QEvk~OYbv6Pp}APF@v zr;e=^s~QMUruBuH;){hAp(0>L9s~t&4$b{!dwln+msY(*y}B5H60lZec-X%k4ZoyZ zrms2bpJ|q@FCXfby$hw>KW|)pGG~@lGS1Wp#GFw{o+qOlYjhew16^aJfz{GEdHfe^ zr?iou)iHg0^?bxW-%96R3poB)Q7UA7C|9M{J-h!On3e4x%<34o?S|?kZ#hB9EwWzk zW4%oNGAG5Cw5~&ak>qN^$3={Q#=w5984BxNh5HH z&?CAaz}k!Pi61DlEAJ)2!sEf=naa7@iZ>`qHucyu93;_8WAx%Iqel{octYQTX$mV} zM$~$OddxBeF(n7t@}8B;;p|Ou{;I)MQElf581^(Ts}?gYpA2jUS}D;R?uN05o|vqH zY!RL_{EIz(*TY(4v+sSIz{udV#Q_mkcH}6P-v_`_CmPo5BE#6RG{?KMZ;vU^$jBN{ zQg!AHoicWEECzOxlQl>*(n&-CLkAEZ^SdEUNLOO%4 zLMGL6wPMa&A~)vT!_PXPtYxWWsYHyp1lYceN!9VS7LyOJg&c)TXQs}7P_75f*Oa4s zEw|!A=HJov*lj|lq{?K6X+R!qw^F=^RUB*=qH#JV*JP@KK3WGNGjAu>Bdy{h1s^@V zJQEtu4xvy%KCGF!?=Bgj1qC}bDm62O6{RU`+gstU79REFz5R}7%pv=~KPCX1z6+K? z4TuETkN9YvlYy29uVD(GEteu|J+exVVbl~s!EIQh++U#r$HBJWK4Sg45k_6A!U%~Yl-Q)3? z88W|&+>p6YAcnvh z*0XNv>lKTJv#M9jKI>EjX0Tsx1*Ik75VsJ_=J{!)d|B9*;1O5K3H+fljqasM$Y(m9 zZ5yXL&F4p}N`&HNKzBEo>b{IyRDE*-(VMHZygi?$f01iuih*#{E{QQ0t1&aQ^H$8U zH80JH7HGbfFZZm##>P~rI4a0x)Hr82kCY@|6N|o{W{cvzu zeY1a^APB1`RoCz_z!>Sc+GT020m$OTIz)m5w~I%R!Sh?osM#b~n_R6CijOsLZED%y zb&t`4`^x}=7qIderi|{|8xs4b3d8JJ!-P-<& zM9PeP>+l0vg~MI>36Y#_a=mO9H^nl|^B`=1Tt<6peQ`m{PsI_;} zzhH1s@s1NCd~vMB$Hn*#oy>L1rm?gat;Tjsh{t|~ln~L#5C=5(+oCu^ifs&@#u-KaR>+deTSZySRD3H^a+fIw0hH;i8qbYc) zI-OL^Q4-dOWCz%YWkKS;G+Z)2CT`1r02E`GTRhc?aVqp>+(8koMUYQ9RGWlx-B|W_ z=s+3wJR=gYrQ}j6&OW$|-8sQrQ8R@pjIL2PwciJwc#qv!WPCQ{?PE6v2?S=;_#Moy zaRl~4lM=g>F{(>+f9>;%GL{&NW9iKSsEq3XSW)f;)NhaQczL;-jdC0(1iy?0*X}ac z?$WgDiR8@IxHzD7B?(1=oJ^7NNO*;6B78({i_j~Ur;i5w7!JFtV3C$5XhhNV(-?v` ztimJ~Go>j^JB;4ufUR(4u&jFV{^eC;8Yzl33R3HOEX&nS@@#R$ExUbF;_<=-q??`7 z=qUG*Zt0|YMl7(F!=SWbwu}N)=riL_Y;BTcU7v7^65i)(lTL_W!lk?# zpwYMun1x5+7-W(<{-lUZ7jWA2amr!-&?oyy{Jhp-T8mfVhe8JGl2QgLIU@JI_1yi` z#!!lJn%hl5Gf>u)53Myc7T?YEy7N@LBM>1+IH*57`0ei03*|d9nLL)00}j%arb8CL z+r4MJ`mGRlkwR_wJ25vPl3G73PRmYmel@EB3nb`tA-tNX;d{}#5I#5i(0~Dal-T5Y zB$1plKCpK;N`3CEV8Xyryn%0HAPYkPFQ~-aA3c@okQlEO99Px)%C5Pj&#Dm!z0|UC zzt}=w#z=sV!nkau--<|N-yvMXo)DKW%k>hE?J z;WrrV`Tnd$w_*)tp2v&3IRBuR@yl6b zx8Qz$?Xrei2?Fm2m>Laf+8hg)M>Xr0t1$8f4+)r0eU&8w^PZg8>WL$KKl#LX9m)r* zh<%ApCE)UIO*mTN(g9*Y(`Ar$1EjY-UzhV(Vf2hQY5~pb)o&+r+lfsq7c%4kMGG11 zrVFF;iv(yT4Lm+GzyxQxIVi>dYnv$%_Iu8%5`@5-hSQZo?BXz3t5o8E3F>`LYJ9PH zZGHWF*BU?nyemq!T#OE!wk;G()O2&hI9(!q5n8BGR$60x%l~@!MCO;%x^xoj4zrJL zJmUi-PcB#;DAGO8k7DNTdOk?0r}wD;a7zqLSiJo*`zN3UX@8hTB+BJU0yQy9$gy8T zo-QoNd%uu0ZgO)iNZHVw;ko>U{QNzY)-xJRf)TDV!=|sQ0JumIU%_%Y(h9ELE!!h* zBpP4%A{SU1=ZE=}?K|}{!-964R?>O1*IUQ2^%RSMlv9p~Ay!Ip#agD(hMq&%}{UcctEA3cI;v4vqQ z*Yuvp{e0#eI98A{@;`Y|67L;<02wcuBR+Qd_YnLa#Oa?mf#uf^HMy@Pzz$V!;!7lu zb;8ECV!+m6h@D1HbNJX{O|Amj=BX9V4V{xLtfD84-=b;*96z=jA&^g*hpO|tJc{M+ zsA&8KUQtGJR1^(%o!+Au7$I>lP21}$xLL8T=&LZ1Ke+BUeX*}(%SBVYJVGLsT8Uyd?QW%?)K;w zqsFZ6nG-hg?c>nNt6KZ%f@U_gHK9!4o?+>` zOq+4@2X4m2O@KfQnYp#9>i1WpZvP-z_bvU#(RL?qVg+}Z3K<$cy-?OXNxs?e|0-8c zAIepB?Rxd!m#gwE%zQ*Z7XN9#>Y-d|(vdyoqlwtco=L>A!dc_pTVe;;oAMu96{3L| z@i4};I=R^yA`Sau!U%h5kBCP>;$+?3;tp)N7;Hy|YwgH-;Y&qCFK|4mNrT!2c!q-h zAJV=uEb4XbcR&yjB?Xagq(!8=OF>F%Xbif$OPY~xkaFnm7KZLdK)Rcu`}}dOwf8>j zto?p?&qqeME_t}0`?=#6G)XV}4;tg;26K3aO`4JzxnmNTo zA;(iVxH32Dy{ue9UO4F3(ob z`2;pfMxP;k<1PXDlB0axS*997dU+M-hJ<+Pl73E6Fidrx*(s=2%sY&mmTXLFkagn! zA=FpCX=)jQp|3&;FPqRQ5;Xf@B6qY*rNkW%Qy`NHvS1efwy$|9)Tegs`tU z<26GRB-ri{z|<&-1}X1@)G1$&d$a+2=UY5y?{MKtNw4jIYRpNH<@;*+%A(N_+rRa% zHrQ5(dMuPp4uAXn-+4xFQ~28>R4*{XwT9CM2(=mwkra_GSnA(IUO@Pn^|U=^gqS6I z4d(sK|1(UGW}*8b098({g)fApZ5jD}YHxy@LMpc~M&IZxQ5Yvv_Pgy7nrMy~r-xodYQ)?TC*a9y-zR-uE5=EWXSzExu>)CdK9F2rgroFR3E)PT|wkI@`6r z=RZ_aRGAC4st05>igg+b?CZR`0xC==2V~3T+~fHWUOvOtMF(!-BQ&zVCE!2sDY3M` zBB$ncqq$K2e-FB&`(A%RP;C^XxczBwoqgZiUR#z?gxySHT7^nw{RC197F_N31_a%Fkp#p6A^-CR7=hs>l(v zBlUQ766{crKou-9``UAs>6q%RdXA+@u~?=YIGsN(=JwGes! z{^rg9-B|qRS4_m-J=7r5vi-%XzE{1k(Ny1HLQuV|;ub{MC==OR6L6%0-4BZZ$m*Nj z67L5zWT(SFa+T-=3rm+3-yEY>_2I>F_>e$qG&c@DrSYx?U=X#_;hP=~R!lS*U?nB< z=gA0`NnlpXRl!voH?YTC zqi`$r30^0Qg4aUUrJa(_(IME1V6!g&z`nQ+gK)@o<$I5%gKuS3v#LT+Y2nLN>933CofrnZ@usI&M_d0Ge80c%1?xRrB7+)^r=hi zfM?6#IIwkcj+PVDXS|F^1EbomLUr7nhh&Ny2;1Jz8ZyOw)l&?7L=*ey(@M+J!9^t5 z_>bbiRN*O#t2epcNL(NWHWpl&Wn!9&bp;SEeD*y7Je7-ajOvgV=Pqu#Don=*ml;~5 zN`bSN1?WHw*cdQfgG0i3C_UFUZgEok#ZX$Xf1g*h#E87NJctS1z(N`Seq)LsJ=^h5 z4XB=s7_hLCnP;dwkeBWd;0|eh52uVi6#ad4{sjbHVm2>^KiNq|y0rlly;r8-Jh5JJS0zBpsXW z{HHVg18|WD`4dcGf&cE3n%_2f*rzi(a_L>j4AOj%K*zE7j5wVzc7o9}6~zF|2D)QZ zQ$G&DX(<%0V7HA*U@BR}O&BAzYN{WAB?T_XK_$Cb3aOTOvl=CEo0rC;phBtHeYLuMqov}9nRapXgzv{Z1CmwjGoG`*KYhP%R8IH(grBxqp!nB+KPNcV zJ7gqbUXVQIAY>7HGRSA~CB;FexP=%>fDAF6)7vF&V@%f?@RDF@@tW1tLR+fa&ri%` z$FO%Erz6+;35z!Rj552*EYA;rD$Bbq*r!jnXkZZb7ZT-xWXNqqw-?S3aQ<`VJgk_4g*NdNH1BV4og#@nF>nj zPccZEO$mgRmsH%eT@Qw#UqoyNDqy#qYZz|68yLw~#^X zzP@_fsxOE+sIce_rGACuMr)lXerl)-5Pf|ZY|_-1eZ#H^DgmNz&XR}813KAjwu=|d zHm~4;bhNH^Q;}rehS>y!!%*8D)qA4v(-7>4Fq;fD;;@xA3?gyUwT)5rKIb7uhxl0C zrw!NG!Tj`ui|;mxQzm%hy(USwqp<=~xi{?83+=6rgMs`_3|sm@-dDQ#L+6vKNBg@S zJse~K-lc`!J=k8Ny)~5O&equ_M@-YI}eCb#|z<)0deFfSp1;;GGzH6#*$r>7yJC zQwJqd7~|R8=cTN}yoD)FWBK4bJfWZ13c!^o6DhvdG<~!Djj9^n`{hJ-F&C(>X0bi5 zMbO68$nV~!^4Ef?h3%h!$9~-j_X27DjIX?;2PisU`nk>jQ-0Eu5x;*6m$Xg*h4_Cw zPT<25tKXA>A;ExY08WmAVCCWjjJx-6AlwT2gfiA6LGv`>PaP=x*`x+FDGhL`lIaTZ zFiG)Ff#QfXLcn&ZN5_qM2m90sHagO!lL+C+IPdFDzYgtT6|#9b={!Xz#5Q#FRm=Ky zh9RcRQF;`sYp%eyO%P5@Z!Hp?0sP%JuMQOyz3|Vv3#AyzVlR%aNjDg~iGC13*0J|`OQOI`HNOxWFw!-3c7*_#Y_A)GEHWb!|Pt=YvnxpI{ zX@<3FbCk(i{qD1b1lx;HvGVteE^GzE+rx?2LElmB9B^t5x|Q~l<_Y1N0g)lcaLaDZVj4Om|qXqlJCm}^*u1S8x29un?0 zLj+^|VQX4uANlsHlw;*XM0Z!KD?-!UU$xJQcj}l7cJHq@)E=4n z1G_;JHuYH)&+U_H^A4{0pBQ|10OQBCuw6TR{okF1w*gSdZ0I8Y(;xNEzD)kFZNvic z>nC0EXaFrhINo=ZdM-}dp0M4&RT5KhNj_bU$EZw%j>v#&2OGj++l2`et$?ZI@77B(``1T@MzBaYU1JnlQ2>>YP?sL6w7ndQnM27Ekxlz;;uJ74T6R$Tj6Dw$uXD zdX!fM0^fe~gQKGpf4D0-8MW#XXSw(~w4kyxeyvl%x$X6IX*g2L{rfDssl<)QkpP%! z7nkn{De#+HHeZSGJB><8X{AgjF@aje?k)g#$u+*ycD4EVqF^0se>^iNNp<;`05YTe zqSncrH5tJ6Ab?iL0Kg3k^S?_98K|z)vS?DrI6JtxE2VpIxD60*OEng?3$Np1%qM?2 zRxKxyemc3Wvj6^lSgdmzz(=y1(mvCfp1XDKy49$Q#FyH!Rhg~Zj@p={*9s@+s^r)0yMrA8l=L)m%0T~!v0_f+waF!_%<0X6R@G84tRxuCSH zP-_P5^49&|IFG-l3q51eKQVDh$ov3NZ}Ol;&PTUBhv%BcNfq_Tc@cZ?(QVARsy?Cn zbDF7AR=##cjKhL1|Cc?I7w!25Y1gpUhXS^CaJ8my!OoTPhGo!7c&1ojrg}lCvYT0g zGM|FrZ4#WGr8HhHt;m-boo@m;1P5;?zLSCr-*l53)cycu+k%2Lf#}bMhY-YUd%c2b zjN#b`ZpX-bBX1Uy=I&i|9SqfsmJ$rku8a0nyl@VJi3Btc6kwCI3OY~{^+2ZjRFiCw zRG%(ovAw1fVs76W0NQ=OK<(i+p`K7-0J(pAK05d?cRyiWcL3{>`#^&^>F2!YWEHsf zxM%wb8Pd{xa;+^pZ9bCHG))RiNsL+%w>1-PMKJ9Js@FVHq+!Ui!k~(k`}=)>W}wq-dAodEHu$hDT`jlFpfRC)PwszXXE|7d;kymzp93NR6PdiLd*%*5_k zD-zA?eiT1Hc%2SYLohxX`hpTyqpLxLiL&%LP3LB(Yne!W+u;*)*=sklk8bQ#9j=!_ zpLWBwzNi}`wTSLM(?}2D83K@()$EDM=1E96N8g5T0j|9lKkfo5*$TBosj`D436qjL1(W0cvNA zBGU1{9_5@D_w&dXK70SzjQuWeg!{$s0|sT+_Qf3rl+kMw^dc1(aGbcN?Q%GXdwtI+ z4|cDSUsB4pF3|_3^YKt?@r^c&=GTtuk}^lo+w&K+nQnLiiq?n9%u8mu;bScE5)`Qh zO7-wpYQ!COMb{!EgS}l%TZ;T}22#UXf3FZxI9{#+hf)Q#zzbdyEWHGD>W-&o?X8kL zZLirCPIef>&Fpk`UMmwacS)34xe;Bk3!|Sq&-~&_HMMCn(w*kh)^2Ajzkt_}9 zdjRv8;7OtJQKCF3%Xg6tCG{)v6)d2mV<1gKR+s6icX%ORr|Gcc6SZ{5?eTGw@jSfA z4eY=eET;T=m3B*6RlNh-b5HVk+@^Wcg3?Qa3-h92b{CAl(#bbkN}%FMJfCRz_}52& z-`N0#S@`c3oDU=lN(Of5t!+X(ZEqPaQEn+C69Ks&zSZf^%%Vi5Yg2M48t<-4?R0Bl zK?ay2kOj<7j~e0SPykM5Yeqp@LMOC3nMeRz!nR~|EYdW}=Qzc2Q&JRIN-j;iqz|yu z>}3s89ZL4X!)uIxO1)-mwg&nZ8?rJMviK5_R3Jd<4FW}@fk9?G;`<8?({M5$j4Krd zj3r#TP~0_C*D2G&hR_jq1L!quMAP0B5)p76+#g6HdOKUQnaGpDJyt2}#F@rnI?)9{ zbvS8RK1h7~FWgS)Eyf^_Iu3p{CW)bC<5812VI8BrS@{NUYD~1H;fk4v4-LaKJurrdrq2l+hm}Zu?8V zdo_j{D{C{qP`yO!)g|o?6`(z<(h%%?&zUHXeH-$)bzQd=@26>TlzZWXW%Esz$Ql&% zrxt((ndd?2ur-dsdWUzQmTUQRRZm{FE>!zPdhxrfH^U#|-*IWvLlrLgCmJ<=@m9?} z+-6>o3Ft{!bS-xw2h=}1OcwbLYKPOq_6K#VXK0toy_BEhdEOpE-?Gxa99`TU36JaC zKU8%u?h;?9n+)Up`LcXq7o;vN0Peory!$@Y_k6xx-Z#mzG@-BtC(MqK{~srq%kyLk7^-j3FeeFu%aI1r zfp#7P&vY|^>L6|Cho?bNfae$tv+1dijc1uSg+cnWi!LW44BksB0C1rf$u6btZuzonp9cS~25zs&N~6*SGyyl? z7K+TBlrzDK=82h+0l^z1|9mz>zc(P*d}LM#hH%2MK^N|uwyHv| z$3HqLt+%$4Tv&vOqdh4MHBi0O9Ckn4V?X$+#Y~C#+}x;-=~0aG0c=wPC}9(5S*y2Q zX35L@P>rp-&S$71o~+s`H0lYk)V(TCvsAkCaxajB$R{ux%+J<)uDOi#Nyb-fx}}o1 ztWe}KnCkq#h6P61OoER{gk9}w8PMhWAiU}6mHg{t(t1(#sE%N5fs=CM(-B)%Q^v@X zqP$o5w~h_v?%Y7XO}0u{`;=PAe3tGOr!BSQ#nRL*a#2`Kt?M#@9R(P2ZuvOpyp zI$bjdpbwcR&mc&8fh{<<7!bYh4$wWm^P8_A zdiHYPN=A$Cpya`;%RxknvJ?9CPWv?P#`^~D!|6F+-NNyy^{@SKBC~w+DuzkRM+kGS zS2uw))O{-9<~E@zF7J<+mbCA0)fqs$F@uq0R)j9caDgrUYz?>INf|ExhW*Dr1lqfr z*9{+pGXML$2c7aaI|={`e&QD3|1E|f@&<<|2)hWEil6Qre2@^|=H40*Q0rD98PJF% z;KAP)L`8O(lVwPz=y6fj@elyVbOU&vt?!wSY?1iHFYH@5RfE$+kok z&v7QAYi>^yqS)co(pk|K35vgoA*44-?>+OKDpNMIq4@t1LwHcDpQVfNnBQOSH#xTK z9pXZ9`Nx@=bVFP1| zzLKRqCLxOekC0@QjS{9{&)=m#!K^ZOoZ_4odFTC&<2sd(-7lB5`MgKRkApqMGdEE!Lo4$gHj|-xLQ~vjX)#DTm6Sd>Z*Bew<7PXRfpTJykW7Y)cii(F z)?}J-6JW@1$TvCoE}vcrE;s=!ornTtiiGk|S3Q;Qavx+tE3SQjwLmATQB(7NO-dLM z8^sboyh*Wq)mJn&z>j;d*hQmcjCj3>)+_%a+d55X%t2-?e=f(t|O- zcRiZ6*4aSGV(l!7w&S!t}$VdsYG*~UcNbS!7HWh-@k;eN|!8}PZ{DB4N6 z!uP3~McfRQvtWJgRrHCQfL~8}KNjJ5>JA80zTNnKnVs^d^1_Bz>U=cj{MCy{ezcZa z$C<0U(D~BC#rhVC!ihYZujg@#XDLYT<5d?GXp8vH2@2??=%3oz>RNm`MYTU zH8JzfM!tU;nJuRWH~;I)D9m}UXv4Gz>cVSLZe!=;KZu9T8?Y4N@k47Dz3X93+zK1c zM!ije4(GB{0Vp)`c$Z^w9LX1$IW^wy*#C_+H|xP$3O$gWoC zEE0j?+ZW?C{#n&(4RX9t@%sS{K+&-}I4C`Bw(?&YT$EMl1^|$s-^z0{>~lnxm{?q2+a*9dj=RjK`&Xo|13#IwFl-U3qI!G)IuSOB4nX@RCqIIM>X*%W z*y8li#bmB%iwnT4eL@)z(0xhgkJY!wcc-0F=waN_VPMo*-F)snW!`DrDI!P>~=WZDWf~YG8KMta|N%uN=B6%26T&LUahkS)roF9pJY$&E(v={ z>?K>(XRGDS4V4!Qz*{mMU~B<1&Lkm4DPdobJ#uh~kz}yXTwhs9iET`I2!bnX9@UTm3`nAw}{II_@ z0RB^`E?=`<@2dm`OhMK}q^^D`ql-Iz9@G92&6Zugs4%f2qc5|Ga*xI><@Zz@o>iDV zmGPg>s8}Ha>#E!|HDpFQoa-h z=q;@}bY2@9#CXM}Xb+yd=sBPFy1!v3ToNZ&8-HCVrd(iuWF_NX?!ofkTS!@{`~6YB zD014D^~ojK1x}F+F<6`rCUQU!2Ql5mwC^@7QPD%6@Lw7dng66A5xAwV@_4-EMQW_w zIr-Fg>!I${2)bW%7#F!>E(YYAnoSaX63!}dcE}J}l@h}xauD)MEtskqhSVWy!0J27 z2W0_WsS)l!v2jTpD2M1{K_aZ6VS4~2@{CDH ze^#C%6+n01vH#Xd_Z2Gs)5eFI{Iv_^;^?Bh3eWA&b02jAr>({`LT8@|6p3 zsRtv9@e5`FS5{7r{4iSa|MUk*Oo#d+ItMLkMVxe&yN?g$s9_h zpKMqL4}4qKc9K_&7OoSmaj0CUQS027Wm(McDlto|W8t8=-I856t`}#`)1>^R4l%>&H>_yA?<_~D`w!iiP zv^dpIVnn8^>M!9C8uznac#>#mOKg~C`|HLlT|=USfsk#H?tQM6mg9X@0@YK?jDeOHx_-QODb&7J94G1eEE(V>zrO{{yDcArj zj>jVy?>jn(Rj(wX7y!F8Z%vRMBHP4&gnv_GTG9tpTVHib9=Y*UcINQ+K!jY{KZbu> z7b#|YLnT>YETZ~pqCkV{$Ug1IP_`XXED*9OUp($^Ft6t6(th?9HyRH%A8R75`vHI@ z_tWd<5%0V&^;jT@2JfkdKi-xB*I)}rbuQe1l2O~q*!60i;%b{aJDhSkdJN$mb$zOP zaY>59uhKDfGk}&$$Z6^vdB|jr25?-CeSk^!VY*d83>W~W{wc*La~wWW3wy?!IHkMwJWZomKQgOem%KxSw$c;|vd;)E-Drkf?KwxqTz_`*YM z)WYAGtH;0n&6$0>RbDUG;G}BASxbHFicU6DqvWEZrrL0YSoSqMjNZFG&jVMr6A)|q zU#4st@JiyyY=FSR`8Pj0ZWKF@=vq6_a0pU!*MWC98VuPC2u#Lxgp(M8La_-S&y5iOe zj4Za|tVl%T8FedCX4ub$H-E6~9!oKuszkvVSzP-nF-AiRPYJNi-lHk(T7|8@DB8BA zC-%+`0>y_6C=WJ$#@(x(=bY6OsLye?{!{?YG-}Y5pF|H=z6xETsuM@Z~MbKpjQ^B&zXHt!Ohff%#dPFCFd}z(7 zH-NIQVbxa6Z|+yEO`8&`m4%aVl2*pp(OCS>=Z0`4!3~uut9io=i6#u&2NuLeXW@5o zDPtL>9G2~OhMm_KUdD9wHQ0jUAY#J0?7}!Zxls>_%&w0>Nf%p5s@*PET``?xo>)zd zdJJ|<*>{bYq)_w#GzuLwGubm9;xNu5uK+8naB;!42cl;U)9E3ps9wMVu2O_lOdK@k z`27rz%P;>US+$nvCmxS_4>YwZ+lSbij&tU8GdA1IX0@wv<-pI=>TJ8pUzHauT0b#p zI2N1C%-m)#sWvY+Z?xkZ=zNlfCDUwtCi*;EZSOl0VC(V+iF@lhzr^0(LJ*#6z+%>L zRHe^p0Yl3FLxKRxWQ$t8;6GG~ZSx^LV_w~3=3Ycb&JN1=(ZX$RKH=?PkQ$#@4)JRj z;fV`d-P%mFMpDuq)Cwrusqgy0^g7=aa$sb!6Wn6BAkk4$0YSVl8NH3GXD;cpH46A?L zyyU+d%E}h4a8XKy!iKfh>dTX%UO;gaq0GCsF(n4QOu(fZFPDUb(`koL6O1Xc>P{Fl z?R2HPs69SnUh7L>kKD6h@uwrB@C4x=3HavIp-IR&iQK0hzE0Y63halg(5NHy$T#BKYv<$9tKUG#tqP4#`Nt*mQ| z8)2>FBX8m<((7;vD6eU;Xi!(mtWyF&8M8@7z8Rpxe~@5d#y<*3uT7ie7sn>5eb&)H z62?QO$3z6~$Ndx_uek2;(N!l4x`QYay2dA9kz4pvk=Y=5Has}(W}n^Ez30MO!H8u% zUC}7b&4}@5mSOs7uBD7^#OdWPYhS>7`n|@-EkQ^5fbzn{QYn~#{VXHnA`7D)LP!rK zNC%)&o_6G0e$-Ca6xKlJNcod-DObsNGdsF-9u>~~48iJ;UIymm&PqL7F;iT02FQe6 z15~8l0zg6#_M>VsZ%!;S-(}Q5VtP4vrMIY-`d3-5x3pa7Y*FlGf9_*MawL_&9C{fg ziEO`)NRNFZtr2dQ4Rs>H&si}6Svh-t!A};WiXb#H8Xn4XF1zO2b~qhQ zb^mMH9_VXCa?byc{7nL?B?Le=9P$}0m|h^eA4KpCvHbO(FX`$u*%ha8z`e_f=5#QAx(iN<+5rB z(^;p$KoWE}E|Cg&*-5G&4sk0TZnB#)cwm?>Ujw(H)>a2UlF~D#1$n@Ks?;A&{J^g0 zt*@%)m{7Na6}8TbFOur^U-E<7Tr72@P)SiIV=V}Za`>-v+9cCZSZm1$2O+A!}f zrD~h)-<ny|2e86GqLCSJ!pfP$RF%%5>iYlOgwM^5kLjBF8(^9tn^c zAb)kQC#nVABQd}8J?)3BGi)h`^Yu5SUHGozfYt{Rh-5yHHC*Xa+lX#3$>_LV*l$mN z*U}j&yQST-sCC|v&LQ|C%s;L6b=9Cq{>;lS%&SOXoIi?qz%GfNaF5)X$e-aTt*4yS zgZlN1fF+{+X5DYhCpFfOfX$j0y$0u`?s?2<(knoi^p*H&#MzU|$_X7tu0F)=U@Xw6 z9{SbW=-vN)33IQ8A&S@Rhth;&L@kLu-}-uBktwJJB_QZt4`b&!c0Y$f)Bun{DFsXg zM%Wpu;2{eBWIhnH5rMVfFp`suOngZ+&Vtd|olS5e^qOmv02|I&w6+--2E63`kfvGD z$lzdMiuZqrVZ2bM=CXlaO$AbS0c6Xs2w&TJ(|972$N(bG|5gpd&va7~FZa6q9a5|v z@K;ao{pCvLW>mjh7j;8Zi+BcXysP-6LaU3LE+*bz^!7{~mF?u?qqkdIPu+cZ#pQREFwBO*plGD*UE_H4=7D`~@~;QEzUm=bh+uw9(nv()g|BeH}(C ztHo`4#<@@Q#u>Y~?Gifv`o>w3Kb zpSx$~9??g}n-4U6d*5)&>t>jD9_e+Ne4Vff%HJ}Q@~#C$J?dKywmbyPFEp(H^ ztL!RQf)_bc2Ft}D{M3YHU#3pFJJU2TwOYP=*fRKnq`3@>ex?Z8yWkriB^^|cuN^x? z9OQ%tUnr>5#oDIKo%a#Y&0GGQTx<^8Z#rqRMlPY=-OHVS*Tl6uutV?`?p{3gqSx|~ zgFxMJ#d@lnpq={-6wr?3&sPn(qgST}fCu>kCsWD}3yUbz@Wts*S?>__oIPh-|!TS2g$~Gx57d862XT#;M2;7?U0s4DU|k9cZ8TEU01mB8#vU5OccDv z?{Wbf3VA$Q(;28&Obk=;Nbwa|3oIE*7|LZ?mFgtcT77e5$f~u5dId&ksKo_&XSyjV zqj>?s--S0ivnSRLGYLzv8MyBWYaAa64yialNvJ<7{5ZkzX7PS z84U0rm@}R`CCsCQG~+R#^Bc$c&OIM+eaKE-Crj1b<@R(Z*)6NXFkjW-@Wj^j=#jw< z04VY+(qX20j`DyPbtL`K6;O~9y5DOGx*q?GY2PG3K+--^WNv*Mw1F!+xx_IauD{h!R(rn;2z=Rzmr0qC zf(^VSXDycrpZz1XYs%tLGN@8c&nx`{#kgL>A3yi3FHD8btlmp=9^-0B7+`ff&X`UL z`)D!4ay~tQm||_G6B%r;txMS8q_mt)TNVpXXw21IKKBOuMT>)s6vV~X#%h$v*Wi1n zX!|s2PfgNTCG+G4YZp6+28VjdV{ zWW;9ipIBuxsr6ExU`};znd!`Upr#y=uZUVP20hJ7rU~1k?L0GSZSI_U)w?A$cqDM{ zy5>4pWSaEVb>HXrdMQhL^rnvBYx8*XtviwL5ORWQBo2t8rxKM1n|IZ`WbyJc$?8MV{*Q76!Dn|(6Hl76eI-u- zdB!Er+h~QdRCIkvEHeiQ<7fUjieLhE`rre)t& zW9-IJ^!Je8Xoru6&aE1G+$2h)Ea zzT*1`<6(oKUtW1Iu=sl-`FBz`#s0sFEO+063rWwxQ@Cot9QHylbfZMkt$&zN5@1pt zzQc-2UV-ATep2~0Ri1WPI!HK7YI_V5AIhhdY{$2JQx$qpZ*v4~N=6nk%f=jSm5_M4 zmoP8JDz1mEE3t)Kg6}l4`7*b02gKr-ikPFWBF_KQWPngc$}KSDNk&`?n1fBWxYjLN zh%3%y+_~aCIBbUzpRM8}nZTi~twGx}v8xJ;ynFIPMDtzIzRplh^mFe-S&-Sx1zc&+ z$t8rg>ZWRjAm#Q;c%q&iVqXl$r1~#Hl9`sOE3L-aLc-D_RD`dLe6@ATBZX>eGv&9W zn(v*mG6}RNHu7kd2t+7?lkticf4SZ@%Jzv&mWXiu(%)|YD!}T&mbt3_Dv5m=q-vZ8 zeqpl~`r!S0-oF`8{wKtri|z4HfkRxJZ18r5yxYuoN)9I)RBI4xB$f+a-w%5PZVzxv zU1!ayEUH#xm!UZ?u_^MXi>tI*0{ysm&l*-tTzRqZY>QRCycVNlMWyrYd=l-v5qnbc z1Y>=LVMc{~qQb)Q`)-6(4pBwI#fe#m%jb4JRA*VysJSAGF|{? z)?$~{!gRgbjEF4-7<3iXZ2A;gJI=m>k=xj~Gb(9Hm5c6uOL9v7qX(j>mqv4OINMqne?{q>QQN@v*f#!gzCYg`Cm>L z3LjaXXvb|ODy>0paywE{uGtQL)|hXQP&9vub?kL45FDm=sD;Rr_1k~l59i$sl)lW9 zr+kX=^{n+Of**e7>4!d0^CAT+F^cm8>!%f0e)6THI}fFhDE12y^Bk-3m-~?U8Sr_^ zlm)a9J!@WWDX72`LRSvw;kk-r&%0SWtalkvgnnoIMj=n?4##%Rd(FDag)B8UvwB$G zx-ZJI<2>s0YQZC5PYWR3Op{bwu-?gi*EP5Yw&I z3b3G?!WS|L)&iFjCMBbLcel`V;p9`pQIP38GN`|Ro*H20;?zP$BIJpE0QqtM>^rAt;-Sh||$)Jb|I zYv~2}WVrkLrDBZug?d+71OcfIF%_i%u*$o9$EIc`sFp10_SG$n#dC~KFz-j;0#yCy zkO-pDitZc_g4JhYW<2sCO*F4n3;Ukv+(n?0eY8xa?`MkiOru6D-tuxhZFS9r{`LeL zq$LZ%5*NJPh-%68LU%ZqP=B4;fp>>;^vM*H^6BKb2O(Pekrd*_(&209Wf98FPeOCQ zR^8C6S8j(FHBM!dXAv*QD6}VM)TfSggf7mb4pwW5TO+mkV(e6HsmyYRm93Vjq3->B z^9|{S(DwX@B*I2@beS&WfHaR|W6C1tvMI{Vx()mh%|>%8yq$o<;|T}bDmkb(=fo!- z)=NWvRs5x$^WtV1wYa0&^IHG;!AZ*Jgd@zYXl}`{N%dAoJwOHFuza5LMv|#!$R{kO zE`uNJf3t`})~@VA=kL$U6yFsdc2blC=Tb~c!ShtEaD@EjWSvL^7@;K*Sx>Sf{`Jvs zr=Nd)A>1qc?K!HK`?CBzWDs`VQtdNJt&|vOH6o?_gO(&y8hgnp!WU&YFpOuGPO{xN zoRlPk;ILMOv3fC6>SVllX%(QCl8KTaksSj@&0EDzZ$rf|I3fW6N+%{@quBZ7n^;Na zWa@AXv+R2ZJ$zvdR1-ik##laVb%n#tcIZHv3C3w)1Q~5jtcBzFem)BA@iq@Xe+mBz zsdV|lH3-49cdp%CdeD_8Ry_6G`M{7_k#u|#J%cnOF|W8WN>@~HXKY;_&_NB~iqbt< zt~fwg&|Qy9=68l$1quKj&GD+JUaM52a4O9Q2qmkT8yLU61DVOZ*YB=Gxo=Bwl{4v5 zY(>>S-BfCMjP4EnhcVLIKraBUjasBk^!x7ozrL2=kg0~Eky`q>rXpvSxWf$1+&Vg? zu9+ok-Yl`Nt~BPz^D~$&sr~TuIrAd}(=C-QW^y#pAG>5h@?e{k_(|tld6>-%#R|l= zst-J3ws6}Bi83zxhM#qILlW~?Z}B-vCsssq3a?j|6br6Zq)s;?#jhfDoQ;Y2{R=Nnp5jnzdKn0)* zd>p{P8QmG%qV4` zE+(}VU@Is!Wf3Y=C2N%S>-oVu|G-&2GY*rN6i&Vs!^5GTFKByVjchfEhD-a{w19ER zph-g(Fs^PaoX0tf347a!?y zzg1rHZL#&KrWV9EMFOlTGZn_kFq!*Xkr1GF~t<1Dvz4U8Add8Qo2PKGN z&f_mUT!t2*n25rq`Unq2Fvv@B?^Qh<#MuxLJR9FFVNGmcFAXp27O16dbSv~XVDP|i zmtL)kK-I5rmZ#V8^%?(gV!tCw6A`f=aFTemaJCG{e^@1vFHl%zIKfbGrDR>O5!!bR z#9>#hEJe|4R_U+lFdJToQ{D0)CMZbP2YgTJTWHgjgs_$`IyPLw-X72PlN>7ZNHA-0WXo82+%B9NSC zX1mLy?(mgvvF~q{O~6dqlz>-du5=~85O7E4_^hS==~RyIPvw}P-siub3MJxO8PHCp z$NtM1vvLs-F-h9~5*1}6s_ECC@Y)^46t~hgU!OZ_A}UNUUHdCp))Z8`&@y`YOtY1q zb?XFi9u-}F#-&ZUN~@3IFMA$hh7bq3w8VC<-;S{7(M8;JrC%oY0%S6Ap01=xg$|p$ z73AKq{+mi;J7?dO!5@g9v1bkpaX~FPItM5!?d`^eY&{aBHm_vIAY1u#jaC21Ohv5}>iv3Y3WzBc_3T@Nl#nIjBdicAU@j4Yn!IE#Neq?6@fZ*X8+la*_OYac^;YQQ|=JUoR3hQeq^i=Hj8&7f$o(9UK7D zCP)ct)%HPY5BxlU`bn0UerHKLs09{(wfF!?kyIMC%i@isp#k1AZM2m*60A&*=grI0XG7a6$DjTu{ITk}x^F?i&yj zS$QmuKBAtSGw$B+g#2gj{VSRhaqk~{T=U8QS^)Nn+&}ioAZ}X0c^EL#q~^k&T6%q$ z0bBRkh5^Sy45haY4-{)pCO#*(N>evfOYX>#btpWfC^qRzounhXJ#WeMkq*RSOxjA9 zg1Yq#24eisDd_wnZ?7W9HXOZ_qrmJ}yEV#M%D<7NrX4mMZ5E1$hD<0n_M&!-n~LbW zGbi1iwd;v zi$Sq?YAb2|eWf!|-8z5i^+kp+YxdZvhS&hg2)l1!$ z|4|10$G^WsWJdG;P7RW8My#>?Kis`{P}6JIH5?EHM5!X3P(%a-r1t~?sS*T4kSd@e zz4y?R-iwIRA|kybNbkJ~(nV_Mp@$YA!1u#*pL0CVbDw{{d1v04_s;}%oQrGkYwxw! zT6=PDfVs z2elB##qZh2Vn#$ze@UbX+XJkop7+kz&KwUkyWy$8a@R>Z1S>KUH3SI!yvIpL-A_N~ z?~!!T%8n-sa}Sg&(RSPhTa+4OftNnOeY5E7MikUORGZsj8H|g3-m{y-xIkxw02m{}0HS|di-abDK?V3eiW_)@6a@*fq?HMzww zpp!5i)nEb6fWx-g>$mLlYr8ZMYtoJvdED{ShVDO3<+l&7#0Ug0;Y3q_I@-QlK|@v7oS z-I>ST1qnUD**8B!7Y86EeC+Hlqi8cZ>eUFHwvwf*v)=%JF4~(4DwlzmNeAZ@_pMgE z#+zuC$-w{eLJ4vK-KQ|uB+tL@fWP@hT7VRE(%u&t*z3XldTl&LWcPqmfPxO zqIwMyYC5co&CXUnn8b&@#h8YwdyPC_AX9sIwz8c8!R=5M6a3V_jL8GnE1h z^mXVq^Rz2fZZrgraJTI-LoFk*w-VL2?ngyRw(@5c2D{rQIvB@g2O>M0@Rh|L6Zyaw z`W0<9gkVHMlzCELepuyPutOGLlki)l+{5h) z1#08Is}*51e>D;R___SYHl~4V06P-I_zS1VA^Ao=wi%k&O53%Myua#Uw3EM0<{C!5 zw-CVErtiJbo*?9i2i+-sY(&qsj#-v6>2aKY^9bP)Y{5xldCN#Z;jN0}9!m8zR`0bz z`HHH{^)~*Fc7ROUw)TqCXjuO!W`q?m#)uV|k*+t!meF8~=knYXZB~kbqB?lNa>+dz zxpRs7$F?TKsXCAf%xE?I$mrMJ`%(9;g><74jiT1BD0psEQPwFTBm1c||vF>c48b%3rn~Z4QMIxlTE_9)s^V zi}%;=`cLcGX1*vd(Lc9n>MN!e@UU|89F|B^IsBG(GB}l(_DQ8o5YNzOF=88~Qlw>R zS%66zs?uAw5a<2v;k+jRtXQAz-4m{(`nMPJZKSj&uw}GhMxs~vrxhuX_JX*4=XiF4 zcW-2c++a_^7$6nr*azty_ww0Tg!!7?2X&8T)#udch4+H7AL6tD1IoFmXY*ugDy&~? z87<|GK4{AB(`Xsl4?inBeU=3g8`yoM=PvlEC2(PXfa9j#W`8w{dRpk~H3AlPlIvGr z>6hay1+U{q2|-$4&HFMB(u-S*!}9!?pHX*Z9ru!rw!P*p-%EQIL7EO9ZYgvtNas9y z<bB>;)yfsL6l(0V5WfH>-y5e?3E!T*I$H?Ax%cT&TG>n7S${%`7S<>zrJ=j^ zQ_~NGs`K$a}Dt-T8Cz4XkD}mZ(=dN$+WO!RU^cbb={Xj6F){#Fzru&GLGWui_cU&3btc73>h2bFC%Y0MrNvh#)G>HJt;&=9Za zgPxnvRF7VoxfwMnif@(M!^OuFd8byV-bZZ-I1YM20TTXf@7Bj(dD$6Yh3PgQanCe| z@zC4U&R1KAb9e7+>sPVPM2H}5eYcbTcM?Xu@? zB129L=V-Q|xwyeE5eDZugXH3t22$6+PL9;@{Q(PAu=C)Y@qC|1Zl>kRr=0q@>l-~g ze}!{neh3ijUzR)%3x5GHfBoQZh~Pg^3V)gT5a3mEvNH!hb!3bScDH+nR)CbYSjzzW zfuRK-<}ZP-N?5{YpOh@c*g_OK(y{is1rT@AMGeR(knXe)RTd`f_)(~3$MuyicAlrn zx7DrX(Q{!@4jtx$#$#_tVvB^bh<8H+@UBxXepDAO$kbVD8@S~mr7M7B{a8%&UX+`_ z8*R+gXM7ql#+4=4Rj+Vf^na0nE`6hqr3Dc3G=dEc+yuB){KzZ&|CkdS=t4OnMxsD1i zgQW@CVy>>%wsr_70k{8v4vz(3h$3`hh+_525Jfm6rrzxaFX)At+%`uc;@XfkE)_#P zsNgvHvw|1dNhj;}Zml~QrLbR~MV*MA4}0|-riy3e6&#}NB|loqx3nLkIVGy%I)vO4CpU`*ej|XI+`AGm^@xS~yu67!tMAxP zd1cDm+Sn+uEa{8EE5OJ7ovJuv{kggyMIB7yd_laZ*6YZp=<`Lpn8$H0ynvQpT@JH1 zlIIyKbJLiV*z-5x!Tdguc%~k6a5r?_z=TCd<=EiV^i!nI*DH5RfBZ)56HRE? zFvbZ8batTIlVKU^#q?vOmT?xOYWsdaeF{>GH&?@;U^jWZ?1`5X0pM~e*%qZ z6LFsD(XGO>G`PH$T^Pu)R{9{In>e5CqbQZ->Nu$HZ@&>LoDg0|6twAii{4=m(Q@L)6X{Hb<^~8;I*WDRMMELCsB`jES-O zLhD%+lT0s0sblgdOC>P z`I`azkjS)-t39LcxvZ_tA~S9h#ajoC}aX0t*ru$N%y)OMi&-X1aQpnl%{9ZkkfmKZL^V;be;mP=*5`7t?oU@FB^h0Id zJ@3JotjzwMr&KACoFUUyqv11Zrw}-e&n3qX>_}W;XTtJ!_&wpd*43bBJBhZfr&yoj z$3)B`?2O-jczrk6n+Ps%vr1YI`LToq zSwPm=fB4c0tADq)v)MT3MNQBVG9;tw@o~y6d<0uD{plwDjs(rHuQmXy0>pYpNReJq4)E(d6yDpc%X$#AmVc1lNu` zwATlyTQj1aQ!%?z)xfH5O*=)e@LpKgTWskNbjwB6oTniB&>7bH0 z+ilNsyfuAI0OuZyx?h<*?kunegWAVwKjv!MW8B%gLnu9?`+81s-;+9WKa1AWD4@x0 zGRrKC)(f1xX@mJ0VLT?~N?fxwBof=)4orKgqbEru4x$IFR}0g|@#o{Ij2JfS_or#i znR}DnMt6*l;(eaBWahazwlI*)kWW`s*!C?3XIfWC%k)1oVzRy z?(1te(l!`MC3`nf(*$b z#VUQO#kC@*5;kx0fSp3#y@+ZlY~Z+7_4W9Eu9?1@g^t(8h{b~VeC3yxp>wP@W|s^< zFbRJqk-*DA*Sf$cAnqHap7sM_QZNENL?DJf)+-A6oXI)({aotkq3FiA!1F@q^{TGp zv~zO>Dyyvq3GrmNR*sS5=#qY7y(a=+q>vN{vSKDpD6_gHxe4VqiH>^AB=wx;b8c$sx zC45svqszUt;HXB>U}(ExQSETkXL>$*d-Lbk2%QEz!cFXSEUA*wR8mQF(rqN#ZjAeI zcpFtSRv6>o?X#?{BsOE565hQ<-I zYsv!78zr`w4dVF9!x0Z6cuF_uQbKRvY-~KlEzFV4bp#{tH7_OPiy^9R%vjs3Z(PPKC!b-(VLqAkFkmfeoX%J$Iy7y>r!g3Pvid!X<~b zZRD|}D5~W?z&CO+t;iiYWQ}YMk^NZ~LqnyKLjVNLvz=*WW{@|%n!5OMGgmV&vOJTW z!BYp*0YzLD0CxI4WQu{GtyVgDO!N0}GkpDNp5!#~n9oqP+#6Mr)$)NonL>EA&R!JV z>b)u`P4@7NTNV9?l7jHf7wAb3yb053bmbn6T+aNOVXI-;Z(CNGX0vmr9WrVZ~*tPgZO{@m>tjMuvE)rCkkTbhKNk>svDa23EAu{{moB ztplEGea%<%@}sS6+v>OKyq`|P%@sqLaKW!Q)(d+=_XrLYP zuQNNPq&7ruIkY(qPUP7`0oJS&i@x>Ok<7Fido6YWPI*%ff5;L4JERc|s+k45PBMA& zjI*gL6wbqhJze#M-t2a`Y8uIY1r{(b;kzw$v~?~;hhhbV`nPv^V0pG15}x&U+5XBZ zHD}0yOzV;JKtNI#+W~F(Y2D#e%7h?-)xPO;nNJZJ7EMz-6QEr^N!po@`$Q$gD`i!OC7*0NiQGZB_H)%+=Vi4>rm4)Yw#b_$i5;4ILz>)2^d0FHJF z_?=!_&_s^#I~h>z@>f8bNo5d^bP4yb&G5WS$y7MakNNspVzD-^d7>dloUJ@|Yaywq zAs*&>i{`YbZd!NMb#_#dJP7Zord}ejj(AdF1P%VJIDLEpM#Zx%i~jcAKO()%=GT1b zX+L-6{S6YbwC_7}x%chg&AKyhzimx3;g)j5JEIWCsP*nQIgKQdmtXsGQ2!>&UHm&jY8bNX8r z9ALkvejw^9hPm3XD}hmvGeP>=b4KG28Px$nU{8lkR?y7`uVC@4v;BqQb>0LHVWF<$ z6veXntNMyM`m63gjxG`T$M>D=T@BiY-ZHSi`gFCK>s(iKHFBu2GV*O6%ux*8XbKcf zb?;!)-D)%4UhmiN>L&<%tG14^NC?i|X1_aiPans;9USLpGqkKe&1_IH-|{S7;xM5` zQ_NhnH^ochmbZMo8!FG@DJGb}_7(;_z_iDaS0Zmhs8SzHRF%iKFl_owQJbwFSf#CQ zfeCI37}_rci{6nCHs6GVV ze)3v6WC2gw4&Ue2`87j_DPJdQwfaSjoMbbHyT9i-|ol7)OMRY!!vms z=8zUMY>J6R^%z~2t(d&YtzrV-1VdMKmWlgrOPtRXbD}kEE79$8wGykz6y)ln?4ZJm z@3wI$MgN7Uq=i2fV07|-AXxB**YE9jJir^HSr}{Aqy9+=P<>sh1c|& z52kzslgX4seKZ}i6=An?(8!iU*pG@#x~N8MHlZ9@gAp^M;SMlEbF!!fGVkmyf=r5qp`@1r=N_=xc32y9N$rTA zixh-#JN{sIGIbaf|3rsp{R@7>h;b$}$RU?j+v#A^?X*~KIdbjnA&f2LQ%UAgtqa! z4=y<2KC4X^le~vaYaA&{rtc(t?W|-GrO%pxxlITBtwzo zc{)-uI;;K+wFWW|+rpJ&e?G7=7Wm+%-skZ;B?4df7>8prvD^~iA1jEoEUelTr!t7C zJKd_de!@_y#=m&6<^EVtoKTIgx?Tjz4Ew6w4geU72S!R@GlY|&xOFUrnCpq=$hrJ* zeAch4E4xMW3%6!sL4Tl1VSJ+JIP!4_YF`0w2j$K*S1Yy) zuz=3y{W?rYs4} zGA@Y>qeQ1)vJ9RQsP3jV3j1wjg^~q2pW}g&zJD8Y3h@33PH2OCND)fFupPJLJVXoPz|@Q{;qA__gfZ>e$7tPEer*4mI{RhU zeMo98$EaW-Rg>gQa-#<0;xjyI>-VBk_KDK(iclr(M)sIA**%uWV5l7LuEq(nf#kCETUm1b zRBuTvHa|&fFucktb62iTe}Flc*9e_sD?ifj6|dq&k?w|G+Aqne_h6$^P;v&`qLXxV zx)q+iWCu;dPwM83`X#BVoelV{CLO16rTgo)mEGntv?-XkD}Gwj+zj^5wJ~^icU-UK zIUMt8TG%;Y^M244I5Y&he?_>_4c-tpDD+h!b(}ZFsZA(hW1^gBITbx-H>?yC)R5|8 zTz#Ct<;$k;)l=Sh(Kp5_@@*_zfPucEPEJ2J;%=5s`zYYr@?zV1wYwh}r`;r$I^aDL z#+B=w`g&?QNNHr2OaWRGKg!cBy>b`0x=Y&Bnwu?r;5II+LpAnON+a;qDhteYkpRG= z>yxgTKAA_O@yST#8BLZ(r#$BV@tfxX(hz;2*mvSQKlsS**wQ+wurM0lRAbb)_^{c< zey#~L+k6=q?FltaGLX+PjFAy&q+-6twr4S(Ym4q;zT|naKLF_i%``K#E5;Yc%z(b~ z_SX`aEmr_Y$L4%QSO@t!PK6n~mNA_t4)?S}tGeC+aD}_Bai4 ze69mH5=>TgEl)-Wd@H2vG~atN5{sWH?RmP66#E%>@uYb3KSTia!ySo*mJ8fazV-&) z0qW@n=kvV`IJB_@uWyRBJ30Ine;V;yM7S0M-B*E-*{d1 zqO&uGwIy3Ueelcvs9q4nD;H5eOkSP*gV1-3q)LeF^rip4##D{JEHP#%d{XzVmpoph zW+a4La(B;1)|#E$eq=KX0e>=1qAm4}Qpxptyx*n5YlqVieym4bc}oMr(zpEloI zR+SZDH1p!)f0p3!uQB*Iq#Tg%sQQ{swX7F?5AmcsHKVf|mjR?j@njT1!lGnz?nX{? zD-G)}w_cC}%9es*Y-Fm>DCko$9dSwq@V*?l3NziD=Xkw>zj{#}jmwnda`6cSTQRQ2 zVxsLx4&vI#$|3NjN_AIv!<_ki=JKvWiBP3L#vJGOWzL79lrrDRU!+jDPsTTrA9+S@ zmcu{O-Vf{Q!K-HG0!cx(l^coCh}bUk#Gkh4n&DCILlUB081%dFmL?w5fFt?mdy@am z6(9YKA84y@ThpkI<2~Psx7%wvwPeGkTHc-b?d`sPA9&9LKQ8P1+x03l{FB!Om2;X7 zi-LjtpW&Mk`mOoD>Z8YH!m{DjRBE=SnWdaqrkuzpSU~KmZyo7Z?ZR^}nJZU)0IWy? zcuB+oUL;qYRhMzK+73OUw$P-rMc4hBG~W`GsPgK+a)3bL$+kqgPHd7Wa;DT9X%W<~@Z3?3%4 zPWer)Q;#+lBvO(`yjE@I(DxGv0tLU_#cPCXdVrk`*f}Lpp65GzW5uRLGg)PCHY<7V zl85BSk{}Pg&+G9sUKrpt(vMBR^fY-Q1kkpMP_WOQ5=%F_ZmxP9;7y#ji z`d+K$0B*~I<1mB5Q>+a#6p@sov;JxWOK&%^7 zJxy{w{-@7`+y@`0az4DSQ{o?4(<=@QE!Tm%o?D>RoKQ}iAXCwxfp5&fUbb4JuCTv_ zA__wJ4YD)YxOJ^EVb>@1&Z30a<}PnD0AGIap!ewiSPTqTGONyiOLQMgE?9UaWX_O( zy{W{1+*G{A6jpL@`|?jrqxox+j2NHR7r%@`M7dYq&qv)uzG*;~f3p_*p;R^ZIEP2v zzx<3$tf(ltTQdnN&Un;rem_{2m#(S}s>zf5Aq*-X?qU2{BvpSqfy86KD0x_RV0r(= z1;h7_d6j+JnbqUQR}_Ns-qw$Kl`OH__oEi*{Jwx zTgCn`3eg9QLeymeqmbe>&GX)_xV5M03LSAp56Ht&pSACJ|m;|de=SVnSxA*B32@E#?QH`{FM|?FmA687C5fZ z7m2=uL-$YYHYmq}YHaI7a%{p|@4zrU89?rFpT@qe`JyIXWQWv)2`_N=_RPn>PZ4*$ zs(roYleE11&QU^hiH{hhTpx^c4c{Q-Dcsto-e~C$#N0(k$1z2ynPWLchrcOTRLx)w z=vhcxk8Nrcs%`cLOo@r>Dt<_2%pa>4T6rIC91e20B)?2hfl20tVd73io==Z!gBp&G z^^8;9mx)#GR>@t6w%5M-OmeK3%xsQW-8F>scwZqFgODi&O-f~dqu_Mzp0VG-tJ%+@ zFmR^=pk|mjPMrQeS?`VhoVUp^G1d<;4eN^safnTqvqr}ut#JX=<&$s%UorFb(EAC2 zHY%>F<{jaTbO%2RP!(H~J>NL>J0_Cx8q?1wp|$iyrZc;~&_KY-G*nWrcG=;CHEO8`aR)tI-$CkPBBh*Hs6%k_5-T$I1Ar#z_9vKDfto-BFpLA689M2{H;oh<9BEu` z%^MaI`|_2mb!7YWP?D4f_`7o363c@EE%4obc1_x&f*+pCr{rSTeg%5!%0P((0F4x^ zJwVg>aruU23~w!%pY}h@sB>juOCsTjJ3>U-y(O(RsECi_1vh|e}yuPdW_5ZLTf#QMxvLPYSzk{50;V|UG zFoox~NFK_n-Mz3Ok-S1@c~-)6Xk2()`ap{rVUf$|+?hU!OkV}#e9wcFghmYsYF}^5 zaYb_8^wY9`z3OMd*)RJhSopF|t+eoK9$Wpj$=i+8WWJ9X`~nT77xq81+ZrP1b7M|= zg0Q(^U`Y4<2GoQ7-O5)ym`@$hqRW12VA>7VTn!kOY_Ijs6Hl&hL2A{wqU7v>XBboB z7iEI!!wT57@97G&IU91)ioTuw?m~8!K>y=|a-R!Y-GXb>e!Ka>^x#K})ezxj&x0ur zY-z`!lF?7ZhXBx>PY(_=Y6945oI+>ng=1=WJjAuaytaH+>WynszUJWEhYh#9k3(CC zCZu8PdKHWj1_x?nM@l|NUB1aS3JskKrcl`P8%xokv8mayxjf!_W$kyLWJ3vk^|`SK zA1S>T;XYNI)PA)>p0~Q0xXvvyXz^|azY5xPbSri2rj?Tp7OML?aSLk^p%qup>;p^( zV!L*`AXwYgFpA|D4DaN}bec^Twv(Yx_tlFzH|TEE)5_90iyL!WKRXdDnU9 ziXE&1Q7Af+y1XutDFxYOjHm zG=#}zhq16>Kk?of!^uZwhYMg5;djxC zdKwB!?hgAjuefEDeue;6)v`83BG`@gg{vRlacL)7{>Wg^`} zQrN={@}hvCYljP_YC&30^r|M}rvQAMP6qTj;RW(MvfylOq?xWL@+z<72}`cs;s94} zOnscgF=DI!l*g`=W$WggXD^4($=Qo7nclda8;xI(9KHmedJrVUxqDbn+WQQ8P9*it zNLb%#|8iIAImf<4*Vb{9kGSA|wd#e{xL9q3E<)(fS%wJ#sEIcbzk1Zf9)38mNFg$^AJGpp3bu}zFnf-=~~99 zUy4aBXI!O;r~7t8=;zC7QB^*4mvwJE9kgwbNSF|kzdJEr#@pw3mgE#puph6z3vX38 z%8naTFe-WUIZZ~ug2z_3DuY51gXSN0v+2P9SfVn3!w)KTZxc`mU7J^t^zg@GauE~A zcrdt4U`+PfIxTuT+DJ?b5yRf!mPn7`S9ov9o8R@|+R=`dPp)b*s>7Vz1Ym$CxUuvX zb879L7pzqqDf*C}P?IUXwyi&UnIhMS2*VrKCG-tqaI~o7_1uzjA>=9|?UHxyydVZ{ z)@{uVaF8cQim&^M*Xn)+CKqDgBjYwg11Qc9qO_l0z_6jJ=BMio2qJbyd*vpVKk+#o zZSlFiCTo#tzJTSd(8Vk_N(v~`o;@YU7^Mo6!~JHz&&}h|)Xm#uX%E*X+N%rWy_Qzb z+bM=NIZ4ffr7+oVnxFi%R@X}`bvh!n5fIN%%W_)0%mim}9wZBCe7E)i==J>84)ASx zghgIm&&fVdV;@esMBYErf`1z!peD*LNvWisWn`z!LdEgu`8N|>rswHvSBS5IJGd$w znV0=e4~X)L3=T(rZq=Q7SI%cj3@IhB2=4q?@tOD@@R*`LiIfL&SlUb&M_p+G{EDKk zjTza?UKIJO%8Q#Su3W7P6a>x{BsBuq(`kGnDH&p^4Q!laMKfIf?D}fZR%2a71OZ@G zaoBvAhDljQe38*Ce<&(spGK@TRwM%h#A<8J!4g|}OI=D1C*ZHPuV(7K?)P)Ny_gQ` zDm`QAV(>(%8^2NYylKLjvhBGu+Zog>W#2Dm>^M8yBQvJh825Il!K9lZ>r|9Gy!PbG z&I_B5`XW!fJ+nMpHz>5|{!OEyC3*b_puSQP*y_g+GamyZi$sEwKbdfL+cEfo1pt9F zWpB*v&4xw}D@^pRzFqr+fKqs&n&cWrZk+3mfyYJ#E$>pArCMvNa(ug|}hW)^FxeA9&y|l-)7On-n0&=aPR@;r>Go z{?hQTvG$+p@ak+mSQK#BIs3hNf){D)~ejWv&V?qy$nONo5_u+lq&!F;0I;Ug700hYmP`7 zvW?3Oj>c)&Qb0BFVob5Hl+CtueRdVceSV>*No%*#;?hvdRbO*i4C(>8bpO6|e|iKm z%0QYDkki?BE1l{G%Xao8EAS%dJ!0&2G1B)sjD$LKjwkSi0VkD@RC~e48eUGlJ6e6U zkTdj)$Y%%v$dorRE|Y&f&ZR2@3fFVCJZ7p1-rUOJEtHRu*C=~}`;67PK`YA-6fFJe zXfLiGS6k~0AWa+Zz`_D9Q{}RpmA$(TOA!~cdp)_}mS|d$Q5^{At1Y<;v?tlK-pPd0 zo$rgR?zOuwCsiQz3z)Y7W?UdI1Wctydjc_3nqp4b9{pP2JxW)93GIWPW9K+z3F98z z_P^dcFnDY%5shDUOjSxZ7Fh9h>#5@&)Ow-};9uLXia4KLULpxoh{dcsu0RcPeeNV8 zC3gWGg$QTG8n}55&TN;)M2-TVY>%)`Q@K-8WrdKm2Ltl9G5!6F4k~rX(!%H4 z`>PN3X+}iO#&<>6^T~d^PiJR;ZCFkduUE@=#E&K^Y}?<}Igp{RAM7wc`gFTHDql(l zu?<5B~0xUba6ihn9NG>cpq%JHwOddB>zVjIIE_-4a zF&-aAuWPEHc7{yEY&S)FrHXEmcgf0%#pj59u3z)+Vcssk!SWH12JGaRC(^QjgjHS4 zgnscw{g&iE0wf)(qvEO)2dUp)DS*rlsCLY4TTg%Mw*JA+_~?E?W}1B|RWW-nEM*?n z-fAWTZ+$_&s+#0qPqIStRonU9%=?{D8PqR%Zl3mt1!d~3w&zOC(rE#{zdu_6!$4t0aZ;K!%u zFYsUDEckxROz22n8rFdswusVO2QZNZC$&pST6?_+q zd6baQQe@}gmt$iGsS{eMxGXP)&8WU3}jnWUBM(15`^71VS5A^mUT4nK+S zWEY1RT|OtArtr2)3GN7t8r{wuSc`$=l4phKSRrk5AlTemi2cHo>lm$EwQH7EfS66e zh@Ks4kz0?^8+X%*!%zE)jtf&LL2EMnNLL}>Q1MudsrwWYNGtm`Xo+-m5C^wUdAq5- zGZUoXc+}0Fc$N39n8&R{vjS`=YlG9m4Y%C9=>b!A7_T&-i*iTnjF`zS^yu@^Y8eU3 z?`P^R%)PmK^BBaz4k0)q-NW=#A=u_A8(Wf4S7(7VjR!mDdY8$xG@>B5K2~I8PZUuq zj8m-s4Er?pJqYuqar4tJ=JxFevjAH?3(FwEJ^k4^dGfcrRzP#%7qI)&aqAzq?za!w z^nSm@Q8jcF;6hN~S}QBCe~3I~PgkJX`ZYWVT$>5(ZcDfatZryBOl5i&{YFQg(S&q~pagYaEJOhvLqGoA9L96hYVNnyrtcxYA5w3k z9!JR@>}Qdz-@8w~d;2n}GamIBX8T@0cy))3J+`CdiN3uTh>eORdOHT{GAcHJ$?MPu zek<#VJ!+OC3cTcL4#nRNr5Q(87T-h$Nd|kofL$NW?br9#$C-3)_9tvXN=@2NRBF&M zM`@lXhK6TtCVeR+^p&aGj{x+l^{z{if6aXU?tVYcU4*UOwUnmcj_tSexrbXoc5y;y z%t*A&g`)z?;9CsScJeHDNK_lG-!^+B1@`ujk`npt#U^=JL08a%r4urFPQ}{^b0bPU z9^RJrDHU7H9I9^1qMbtpztB1TUo;O;b-8TEM@E7K<25eDV)vRdSr`*R&L!y)mbXk&%E7u6UHBe-J& z=;fxVT=Dxrf=nvCBDw z*j58mRj}mnV+NBD*`VuE*uvU+D?khV(Kh-~aoQ((F@mE^L9^lH#I~ddSrO)`Cjtu8 z5ByDg_s28h)Hb6Ggzz#qgEPTW7_z8^YR*2jeRp+WEY_A2i2@dQh-oz#B(J?tQ7e=r z@sO)~W(h`YUVv!))`=SPgQA1LaOa=70x7#O4z@m>rn<9x}@i62N zEtGLlE^4+%-~A~oW+yl=AkuApFGth~a|c?b6XugyzTSP`#sZzq-quMaHOX_t`Q-GI z!tfWQ&N5$DPAnAnYphONwCpp&hqNP0BV|^t#QbD4<>>ymFBP5q^Pe*=+9B^D3)BY#_+q{I@Z%GcgLQ8T#%YQ34|H%<|_!VC4 zpvaJZksZGxye?I|ucE58cXp~~#djM0$UDrHlUb3E_}K9w1e5HeV8@XkEi z(&hcGASh%zn~9vIwL8;eO{aY)+F|d7_lC-gO{qWp3s_wu6-{_~Gn%r5vsRp7)0=|x) z;ec`#-m9zZ57YvSs+A;o$^==rw<&5i#by}a94 zwuu}kW0n70$tdOF?|ph4pJFPH1DKH!q`k8g0gRXG>0JMtEL=4R0GCvQ3IzToLCJq) z`(?4Tstr1fIPnpI#AVHcqBz*w(r#7|)>8<#WBq=%D*3YT1J!qIB(A7d@EgP z$K&W@`=_%Gb6j1gjyyC+B{{eGwyOu$j0=uevWp;PVEa}bE<=cVJeDRW-2)R#0tH+e z1huV4DTyxAata0x-1?L`QaoC_H<{(O>nroHp3g5t^~_h62hYR;Fgv+ZB>hj-?@!_h5ZupI?Prx%*iuF0ifS zd&VFIi20OEFUc+xoOKk>avSvS^XCU`LRxQhlcTo#dqdYN%n_--B7?mgz3Trf>b)_ zUjsUx1(5VN8n6fg!_6c>Awf<<2#FKbVmUFU@>8qMRtDaP*4cDX`GU5n(A?+!UQC|B z&`jzPZB=>3oz{gYVj~nQwxz-0l^mjfM;p2_XT<^ba9}~JtL}BD$9Q1o-n{Co6{Xri zX;CKhUh}>JbX`<`!k8fEII~2~s7lsW1Du`yuxE5HV%55ov z1PEqJC2i1{EAF#(k+;gYf;gmQsCR%xSfB!<4`(e}cSNYCW~0ntWw1&!!uJFW2SyR= zL_&KS$!@)AG4!n+InGKjP_n4K2DQUR@iwrCGoV7gE=9N$Lmn1n?J~)^Ufgrg_qAm0 z$~38AxYR=FI5I4dt%iq2cx{O5?zDZ$3xarZ-fXq$0hjE@l7RAP5pc}v4rS~6zVY%H)@0#hP|5e-mr^H9eU$_|o@6c@s1(H<*3}-8x zqSOu%id}1a(@b(kVYx1ev}rRRjMIjoSw-seA3SR!fl+=sM(U)sK)1;BQt80{$HTIn z{ppguG4MWmb)LTOc_RBNHiRxCpF~1XWG(bbsIDTng7H#$A?+uRxW9Rby&otRC$|PY)Q+Hzfc)XYa0P+q{Co|1X0GPstst&M4@h%)GK@GANt4>dN~pH3URs zgjyApkE5g!e!lc`dzSV5n%eovkLZTO(?b;9yQ0O%pPNLc$Wp!P#W}e9;Z0B31An~i zfugF)7r#9K`Rh0XV#h16Aep5^&%%3VwBVQao=D5Sc% z0pf6Z=ZU02yZ@;ox9rwnTeJ!F#?b$A{%e>ybv5okJ=aN(ntNjtDc6u@3@ug4fo(XU?|!qX=_RsPp<8xd+#f(XVDYbiKZ9Rrfz0yF!gliH4=C{OHu=wX zPnz=2Zl;sr!*$%*@e9~$l8wM80kac;RuEfv3twI^rhN@qNtClYXD84O7lR&u7*SPXeN#Skb*{k1xeT zU~k}mUTQk%v)`sYH!UF__+Y*U1<0g?9O83lmFMbzZj#+@r;r%aH;b^_>r(J{U!LC{ zjaJM{e&w>BqY!YkgeV$*%XR|X5dOz5`5?bc4Dr}lAaH%sO#jXl_wp{hOY#re>x}+O z<^HSJdCdGjJtsa;Ba%CAnJ^}2U}K`z2ObSHB{Zv9E@2k1cLB$Vxqj9ecx0r)(R`V% z7n-Fz1D;P-@Bwgz9BC~)&Gw!aaoJm-NVp4&%NAxm+HO;*nipIJBm`i&YUJ?>*G*dM z>^t}oCFY|R`n-Wc|J87!9zULT%dk(jH*RbL*Z@w%7J?$BDDlX_+PJdQJ%nDDgI41vf_D3lgV5wG zIfy`$bB1nm2k5}JapugKdEYZt_f~y%>;ByAT}Ab(6`!@%v-lLR{mQn{;<_MCIcG`p zLx0haus&Rc(5z=8myOz7CP?LSpO-}eH-bLX&Fb7WYKUkEvXB!$f>$S@) zq}G0Eoa-ZP2Oh+UR=>h+nQb!|SqA$GezlZ2c%9@N%%yh}4D8G-Iugt8Ua*k&G0StV zhttgLo4MDWZ{R$3HFo>KyI!+?1caef;zME8xKMwe6JnU&SrH)9=Rvsk9Djc+d33gy zhwcZxuW?B~HJG@gj(>{ku!+N0n-(m7%mxl4FbQQJ#u{mUW@CX?FL*rG$n1qLPfUF!so{YTKSw-qq;bUN}Eo9C7)L7|eb_t4Q$Um1I&}R3pRs(b}`2Ulqd{ z3%DClE24iBFd1^jyKQ^@d%%_JqdNZUNReyPcHa(2PwG8To<9tXzG9V{abd^jOaxiG z5BnQZ;v<0hZ}Xf^7BOyi*=gH17lUZ+nR{M;#&_G5P~;pf%?UA`HFIsW zZ~j~~)oAST++)F{1Ga2Lwr@6il;T2N5Ov>#2U{cG)qLU3lmzi8629kcf3QxcCe7e(-1#U{=Y~%dOr`pZL zNwwMl@yaJtt5y;819g`&bT9KPIysZBaC@pX2GIpqLsense#5sq`gbN=BeP-K(8pm@ z{`2pk;>;lbvB27$W&$vm-``#9A&koK?n;&E^jJQS+!N1LE2?c)wAqnSf2SHN28XEO zF+t8oL+{Fep8u7w%>H_5lz7HN)ft$B3p!y+xOlm^cHz~@K1&O*P5`G(JmEu{58?B9(TGHU){6A_peOqZ<&MpjoPp7ozcA{gp(vW^!UptQB9hs!jjB?G4? zMJD;MGvX&(`cU0-Y{^$ij4AtEG>4ce{eGqaGND>+!1^$a0m`-&E!@-qL4U}6G066B z5v%vbNu!Rw!N-04zky6FzcD5-MTz@0X+A3#%0Os_uBB{oSKV%1wHKNuPBuyhb@>Fe72+dg9+42!N+V&f3Dq}TDYM% zN?-Yt!UD$Yol@Qz8GvmEMQMR~r&s?q&i1W#$hXru8~dzX;c)?I6Ct1j7%IqhC2p#B zB+W^~fOT(4;g4K$`tCZf9{az4QeKzv$%&2J2CUlLCuC=dnu!Dl5gtPrKts55a*Mk5*1NmE3rO zAfUAHxUay*V$sC%nL*dkNipuR;*GaAb^9hiGaZvylR^imuy@7aBDaNzhhzd@OC=XN z;RZw12C+pe67xB9D|NM%4hBy*uND z%{@oXvptM)E)`LrNXU=G%>*_cWb*%TEw$LbZl;Xce$K-5S)WUwY?rf7FIhkH=#DOE zDtlD7>vO}+>Ql7hPPopH^g$!%=qJG zTUU37?>Wr`tTNbO$1&i-y=%ad)`J-(49RuwNds^a$1#YBD8W$g_yCv-syF|2iIQLJ ziJGy6Z>&Mfz1?Y@$nDiZ8eRqhcb&hmtoz$wf%|IdOCR=u1r^amqvqHuU_gmJ#RBU2 zbf{8ChLZo&Q*t@gjmwk@?}>=B)rA-7WW_)W9q-nG{c|;e4z)`4y#Wc00WYY2Hz{^# z`x5noou%PUv(vL5RLc+SDETiL{|k(JZo+f2t%cDG!~NB0|Bryyn|HG2QZjn9I~(Vi zreg&1K3P84&8AjR#OoxW@tTIQ%oINgTNp>RN&|U=OYB-H~}%gJ@*<8puA z2Orq&CnPQ;h0#%;=X}9w)VsAIVQu*M{-xI%6ckdd)DItP-0l_Rj}#QVPW4L0TBA8k zft0`S+9t6eEXhW2zIYQ|t(pf8Y9}|OZmm0Pt)_1TZA2O1CWp2Zrp!iG-q`6lco(+1 zSnN$jr;FnT+eb=tzdGt*-K=~zuOn(m`PE92(xEszl_S&mz^B=BWeKIS>kb*?-+%F* zOQWGS_PJ&2)?CRhg)MN>b4TL~?P69%bn6SXBqNlu+T7)Y>m8~iBXsrWeC;gsY0~^0 ziNoq^@%8BVK62ZFSSVW2!H{wewSE^=0NKu@af=EaJ9ihV%oh^@x^%@qy+a#RXXkMF z*bv?{wSS&S$_%BX*qL@$_()tzhx^H;U}ocfM2Qj{Zbn_5!nPOs16OyhGGha3k|qoI zx%!Uo)rS-%`7(EUC6w~Z@C1)Nx6jXY9UniOk2OgM)g?{=bZbg-^`47d2w!x`Wapd8 zF&4LeQ$i8Zq$($P$Aa(MldSD`h`LQ3`{;XnCh6uLb3~gWJ9)xNb%k+opsHR3=Tn$3|_ifvw;aTdi5K1}UghyU!3Iej`)UD;;Rx zG}SED2Hm`f;@f&Ee7jg&3STHrb6PxZYUQg(c-B&JGUzUY+v$i;fxTLqm`L}8^ZwBF zOrFa{$4EJ6a{l;iVva8H?sIeb^%CuoON4h4JFMO*}1f)ic0KMLEU;aEWlRcF3eOAJn4s1%vk2rKKN8b(EnQEMo zpu1IGVRny_f71wEYZOSgW8-)Gux_8$V~JrSLd)G^XIhOiTH1FaCPCNG%Fbim#o%Nh_R!^wj6sc{?X6C6q9< zBpsW;yLG`XEM|gM(I&3(q_HvkRgI z6vqg@PP7FilYFBJHkYMJzn};3ngh+BEWvHHm6GLt4htwf@zE_aKIw2W(m|9l8w#EF zi;Xjeg%lcehxaG-g3#Ti%`sii>QNS$C&A$wmNwLMSoXYqJpXwvTr& zs|-8g{4T$^;Y)fTR$&|_>^V7Ds~0iW^1R}m2*#J6_c-3eP)Y#39`y22so z>uPI?htXo}Zmnv<%N|N&q3(g|{yBE5cn)y8I&xi-f+dOzG|nd1)<-^AUmnL8){OG} zq1GnVAOgzVTYeLym$bp>%g(iKl|{_t zgsvj_Z5$DaT=YM)$1c~-AcSUXg&!l=?F%bX%wg{21;-fWzN6HmzEQJ-zV(pliqUr| z?&aQy*l{bB&q8m?0(PaXkcmyEd)(Olev+MnH9Y)*wl-+Wesa3jd+!`ZpMCoJ>h_dT z!_LUoH{;9*x2_0_L{FmpI{r;<+SNnS9Ij1e=ljk)U!bE=Gr4?Ix|eyXj-o`ULn7!y zY7^JS_H<9Cw3pK2YJ)mQm5sDcIUU<7V{ss)Cc_9`GUksVohFf8S zNLL|pAg}x^x#vd*_>}&mV3Uy8k!WZR5i!ULn%y7tf2XN}#Wud~Na7^=W%583aof<*=R#;ua0Cq@Ia#}CFzAI6)8Il34qNzpWB z(P#3#BX1S+Jw=`M%*rIR$IS^198K(Ac4bstaDh7MYd#xTsg99?86S=FP1lrYIT*I| zJWDW6t~g)=!3k5Vesa6wo2st$KUgT#K`sw379L-voLgI)H0sFoxOcd3MK(ni3a2CL z*BKB>U!qP^JW!)GbJKcQ06v<@QTlap;A=xee90@QpoSMigsK~)mbh)?vve(}-e)!C zEl?0u`vYUo`e2z_p^rqdwb(aap|X-Pp17O_-qQ8xK+2e$VdECE1n?l5#n7h<9Xp3 zJk(7qJv!gF>vl?Vy??OpDsQxhNNNw)rd!SKm$GT3kX!&6=dUWaak!9tQ;eb{DixGqrP-o+L@}2Js+t$bEG}qq7Um_sv?6B5Mb>m@3;E?m|ujvVV z=>WG(9&nC_qaJn2eqa5{1{G--KX15L6=#K`xa+R z`qewuse`yrX|w+;W;C67eUmoq>KbgIH2m*uf%^G*-se%mAc-1^1V>uQd@9N;K`5PV z(vq-4m3Hq=y6FvWqL|l(wUw&&J9RHIE}r!Xc(}qGZNU}VMqVisJzWY-%Z*J9@unA0 zRO7aV4!n&0FjhJkt%_`MV3hWwaXx*xHGW~wl+5MV7WhP_O^@jhjg7D8HmY{X>Lr1n zNFd62id}(x&~ zyJ~(QW+}+87cDl|IIrAH;!-qpp^VF3?$L&c37`>jpTV_4z4vKgHapO#j+o zWZ`QtZXG`99`T{mTjw#_hAwOs$pr#qQip0?Lze1cNU_^uPB1oo4$3(g6SyoL)3=>W zW5pjqp!e)%gXe?4FNrL=HBq>L-+Vmlws!ni$a;$4;|`Af#>z)4adeU zFTTSu&2vCr_?m+_`*M1y@VI(}t;cM3f8}8Xkk#B#J_vE=SvH%pts|J2lao-&zV}ID z;6<(FEOn-}#9P%Pag*qFA*(~8QO_BFAm*Ho3oCj-A}QvpV9e~vM)6S~O`t1xo%DMB<#xhkd zLU(`r{$PGl_wm%!!>tN(&GIudFeWYzYO|ZH=AN}!ZE`o3Su1c4L54>A3>;M=?%o5T zpnLBPSwZy-p6^N8AQvr9-bJD9!>71mY>6JPeuuj(a+bfV#x9Ww_;KWL>MD7KCyfY> zOgZS{B(@llt{V7wEFQWun+CFk+mu<2e5wo#0-i%OE;n9-#-QN> zeVOGy_G>fY??cSTJ#q-K8{kZ6D_|DViw`k$;7W%5|8u0;{5EWsyW0Ppl?1!~nfMw$qhtqa)!=(1($cnws()kY?R$ z)ySOFf~xo^XF?WRd~pSv+;`)rYm_pBeUHL}V*Ks8XNO*$_2f)<~5c|We8 z8aF1Ciq0r6ln8{<64+q)hdXJGJh*4qs?Y3h6~?wAi_m&}FBOqXDRBYBgIu>sxV&Bd zgwlXTeuHN{#*w`}Dgn#hR7uug-s9(1Bip&ze{?&}>3Dq~qNCY3U|A7AU`iMc@x`P;QuqZ^}I{Gt+f3km)u7 z6E%)&TnwLP2!S7N>tQmbRnXG!e(rUd*r{$m+e%u=FRu9lVcqX74y_duWT~ynbpUMO z`3WV!dgJaUmlfGTVI{odU1>=&NItpvs%(4wF3K_HyJu?f9>=4l)ka^_@%2-+$q zMd|ozy%@nq65qyN9MX5w!?8&cPo8BaCbwZ<$<D< zn^!|c+$*SC$=m&b>#=u1b%FDJ%ZGa7mF2OkcUmMon)s5=3B>G1$b2$#qnujkIyTs{ zbe~W2U3m7cx6%stMD8<<0En^txJwWecYA_}E`}P-5MLpZOUb8!%SU3TaINB9sbZml z8;E!ABW8;6z-Tl?`?DN~Q5$$$<8^g~9K~K>prW5}FzheI{WFE3KKaVfnpzaNT4whW*P^&`?FFYB zo3Nrr!#SepKNwb!G^1J#Zv#h$wY1xXGUaJ7ofQrS5H%)hI0o$=%JBedjQ|I>3H4$T zuOQaRxu0XXBgQHjWfxO93*m|fj(ii->b0_nSH5a71k)!MgUbfzQW1`{S)fHvU;#R= zPl!8NUF&ok?7~3Ith|%0kS=9L1vPao$hMrlI#OjvtE`;8p>%s)X2a`*#LJvB%x3x+FD)^+mCi z(#!(aD7WLGR1m`Br&0rSwSWNLfmqDDmKwjx!}~k1Py`cy-$(|k4%rF-DPb! z$?Nbi9%|y?R%hd%Hcgict#c`v@9fJD2T0w=kDsuB#?6kUmxBEpj*X8U+OS4~d(iacH z8Vg?t!fbtogi|dc?m~~xQO;d@T=rKIZTSDxb+R?Ff~qN)RrP!PUm&RA+Dg<6?k&z} zR=!A>4~_f1JqrURp3L*1&Qj%~$);X~B^8*7fFpgQ{$!b$V&IUplarXPSCqm*DOi?Z zRMBx+JvXj&*t#z!Ryjfy`)d{}h9o0xEuBi&f1R_nL*FvZ(3zkLV`h9c!*sz9>}3GS zG7hg8xlxGFHJzO?Hr%>=3ewFEXA_ zSLgBEDF~zt$f*WO)QidT8l}743z1>k>XhbF4B^bj0Z#7&1(*AEL3Jw=o85uXqsF}| zP4LHp$`9#7k0go)A_3aosFz|+d}i>@=|DoFS+gkXro9ChCBIx2dWUFHBX(!jug$ER z4H2w1y3)?&cCB~@gW(BuE)bIyO9OR&=~p1Ymg`}m*2Cgq%CR*aJ=hJmTu2`U;q7X} z(}Vr*MwX%WA!>NNmttY(BQ2PMJE?l6xB5?I3Ef!zqF}$ufkw{H?Ux*-SHDCL>-9;* zLt5;5lxB`Aw-gLR`mK(C$@O%o`j~4b6WUOAkchTf(m?g{+$hhlm$A1UF1`ZEXOgOl zZ5-hA%ZCPTt&nwH$;-t7BN93Ho*zSIunl`<7L{DLGs7PoqKn}MaYcxH0r7da$Im^l z6&-aLOd|viJ}WhTLe-4+tC#~Nz7ZLM<>;xLY%D3LW{37`<21G;L-+ExUe!@Cjw1@b z@7-IjoOH{dU0&oVEjrfPjOROy@@nU3K(ZiaOrr{v%OU%Hh_~uY$^}A`56eYBUf~zz zzPUc`dbzE#vEvo*yLIcXSUMpEO!8fwv~DFh@jfL3C!320B%xJ3^W#o#76&*gp(hrZ zA287J(;^_on&U2EP$dGnE4PM$pk@=jI)WPf>wtBn2!E7goJ5+k^&;b>wq!#=txe(& zLR_HUIPoEq6~IqV{i`)T*b(=~AD@eRmy^#4f8n_kB?X|RGg zR4D57f8bjb>i`Nco^%oFBDRH#Jipmsz*PNgfnz3!-J;2{i#M*E)=l}ffpps(*OXva zCA4k4+Mi9wp=%AZYLI%<&j z?aCYKguzsbFVMv?&`ldxMp@iFUOyx6dlB($% z6+On?)>R|;$`n8KhEy2MH0^5uDLs16VvEePTWNVo@2EcY{_Jkl41kBPtI)D|cs^5Du?^a(s23DL)E^hBL7-vh1?{= zs_Ixr1+WQR&;q~{lp4XwG!!NEpWRoDwu~*wuTy*{4&aM+G-eEc|ce3?fe@s!+(if8`urBTZeSB1^ASu~MoY)IX-ivnO( z+Rq}oiDa_f218(c4e6D#i`;a8{l30&n7F*Wg{y+By5krGHfNo#Au@Nb^7-~k`s6nI@o841$_JW207#(1&2Gj{qa%sD%7^P_?|eti5azqMt5*)Ujd)DF zJcS=^ia&FMOJN-p?^;hij>MZ6%KXc4yuOIJ9P-((+~G=wr|*}0nTVLGzaX|1*!5h= z--8NHNi2$hlIHt91{ddo3E!q0-QA3+M>WCZhs!(hb>&y*x%*BT)1-?=Uhdy{`%_@L%OcNd;FYS{6VB8qftldZwy%gM zV$QAK$|PkYWJrmXP-sT!La9{D=U0LNLq^3i+$7rA2m9lG9K^=KJ;pFn`gAP;AxdIK ztzk#w-K|U4nxaDJxF1_9Q*-4s&|rkBMdL1@?n10lXKf28I>i&##tLkpn+8UbDHpNj zV9%u^tChhYR6M2Z&Yi&rKVQW$@X6xhbu*Ct7nNl1)FulX_hn3*BVEN8*5*TPWTv5H z;$eA}fYS|oPij?ciLl^YQYOLT(TqlhYYi(17cyj{9q}aI0wI|OMhPsxh7!xU4cw1v zzp>svvM&#cp2A9ohE_wo->s=d!kx#LP|%+x3^ zeq%44!^JiAo+$D5{4+hbKK+0@oD1w4KSC)vq=rK}Zf$c9ImVW*07-vA-R>Aa!>z4F zf66*A0b}CNZ!=xDv*Pt@R}4p+<7(l>@AM*s@ZErwR^%;?4Th|I z%tEz-H!@f6s?~eUk4&AH+qILbwSH|fuHn5z_rW-fp)R(Ct%#_kfycEs*8bT%Sbs;H z;Apgr14>lDsEWrRDVaR>uvPTbhyswaZQXsXNHY%Bm>3rY_HA|KsWb z%I>ldq)dTORUrQXaK8QqoiJXk)x1T1i@K&$tGps~7$oR(Xjly8~?IvW(t)OoAK)B1<+=DtTS?ac|zpC$Cv(hI48 zbbe08e=hu>`QyQC!@*PM5-Xf7bn_{KPkJ{KrpSyZeiq>6dZDZQLN~6uZEf_ZV-5>PhypbPb zzwf*nosFz~b*fi3oV!~N z>3iz8LW;}!Yj6d#&EWl>txL?T0u)82@TCS^2vX9yuv~W8KppwvwT6{HJVGkz9hL`K>>|4FD0Q_ z+(&u|iOo^>p6#DyZ;u)=)3Y>WlDE)o8Qy=K6*Pdi6p1MM{-}DVn8OdzGUFdk@Y8!B z*&`i;bLUn$oXwBEnoP8eyZzBTnQ*W0Ul|ZT?R_}_dP#S)x<+957aa2+RqczWvRl?k z0FN|sdgd`rut?|KUe?*XiFIO!4_&aw`=2ZeCTx;S_oh?d8;a?Y-})hehSrhUBzf;! zr+TN<7fiNUnmjf-w*LCnwh}kU;=cKY_^}R`v>J3X4AWQ9TeKlMQAytNG>DJ1G9a_(#Q_!#zo$EB{n zJLv~r35i9C(EhIc|5IQmDdZd2pNXTLO5aOgJaOSg9>P4g28Gw@^?)z=Yk}HMA9tm{ zjP^mD4R|m%cfUDY&@l6{fzn|63uFAl$U{5}q^tU3>C6nghLsf4aYt2QrQFEpWe5u_ zKy`HN;7zzhEJGI-Z{II`{&{+-sVkawtbohWt=V@!A_(NuHpBb1u(<=v zL7~(d&KeJoSKB6&k9zl0!pVgRum_`xp}|ggfhZ~Vi~z`kA#x@apQ0c;>Xgz#!^DTR zwuy4IUR~)LZD=NF=E)Ui(D=`VyJ7ev`$iHL;I>XdM1ZR58k=@V0LIN*`{eX<{t}lH z!Hmznzw#e>K)3)i<(zeZh~j^fmOneSXcQqn1R*!-ntyQJdJj4-;isjo=MM!J3u zN{%yv*}-DAJbMjaoh=QNR4+)&+7=YMLD6l3NcCJ%mGuEj)Bvg>s$+I#-Z6Gfy+c=r zy0$*GP~5%O*a2@rB2Ak2tMQgj?3n3Kd|?%H&-Smo)_H<}?g7X& zn&;twu`lwj(i?RPTV^n24a62%x-$vrA~)T*1JoM!XPCzm z)R-80AcyKWrT^m3Km1R9^2k-U7NiRs81vdJ+v~pCSn$H{8ISiyLXYsej`F;Oz|MyY ztjTlo*$8qCs!-%GRbAOu^~hMG8o8Yr`I+$rUoH1l!lHEMIC;aPn0cX8;K1K%qG0<& z!&*O5gvrcopvq}$yp%<~PEq>TR!G~8CcWsh30|-VOt-|D)=*z8aAJ0v?TQ!taIjgc zD|TJ3z684=$783BwxDY@a0p^~ls@O%lOA#h=iyP1=$c$H8^}Ez7jNt#MMh?dGrc{)eXh+ruS$R@yKn!*t2K za6qZdnx7@T6=l(d_+o-5-Y+Y3?S4E><=GBn#6^uO`=Z8}y_dYl^D!)oC5;4`*#IIl ziTQ}X%^LBFG;MYKf&0f%|FFOexoy6jJv5kBmKy9g5aViHI@T1WLn*`m^>Fv+csiGJ zmvdWX7K@`qo2=J?Q3c`-LP8-D=2&^U!C=$c;X!-_M4+-z?`+6nRsIM?C)TDIpUT-* zYFJxtA&j&2xK*{^$7(GLbf zO?XB}1)$NK5^sXPB-a`B@x-5j6R+U)b}}QwH#JmMZOvQLTDE>#>hR=7n+NY9fT}wW zt;bt|rfBRYFO{^z#`t(3&`i&R?~O$9;Iqi#TWhW%PEx%x{i;XKcf~TbYkd!xWXiMc z1&}u0w9c+!O%CU6cci>8H9eF=zTemgdEkS(%QY}@wDQo3OXk!-!xn>5=pGT&o-~Vm z=8YbRxe)CZS5Cr6)yhF0!mJ*b>~M5`XyYGNFJXg@D#{kXbw)_?*{j#j21o7tK?GA^7^7SZyV zu#j#AC?zzx>%Js|j8jyUN@-;ZwCYGpch>!NuE`>M@78{4T)Me2*io}oCAs4FAl%&H zv;wW7S`nl~^zg2dJ{4Hj*NIbqgm;$SLaCh4rux0AE1P~;Lrz!R2W(rbMe#8{j79G( zRXxu{)MwFOE2Xlx0Km94N6P>vtaGefd8{G(${0f+qfS~wSs^_cJ?pmts&eSb%ZZW*h(QfITNc*{* zFU}hR=!dDnjwO_b zI5D20Qj)*v->3Zjfy=WW3=e6nPqo&#y_KhtT_D~DU1Gdu&AbF+1uMJ|ZNjs7Q$G&? zUkapkM$sOQMQtN$^-#mPj+3y9X!1r`et4hxLRZJD>yxmC0t{v{KOcdp1P8VUsS=%$ ziDF?_XlNYCN5RfPVEHws9+$*+UiR7{IAzC zrpy!S-=y=0%8yINl-~z&#m8OOj<9n><109a+7}Tp>!Uk=5ImVRRew#~xrV^4s*lea z?*qPMaYuiMoNq84UzlO)%7co8G$Zctr1itW$HS9u<$nky?g|1SIw0{wkf#7hx86O8 z=Wn#2sZ9v@sLd{&@qf$eAA))R`u8Nqx|wo*?|UgK%DErDQ;%U9!gS6FnFePDd-O-~}EVBn?ya#Yjlg=n7(Y zB6a%B6R^`5p!3MJNSUvb*zNRi@>4Fx50mYXr!MHz-)3K&`pG&OxyTG^LRm)AJl@Y! zbcn0?s;=YkgETg)a@ZW3BT0SJ!JB&I!%~^1Q#N3v)Her~IF0q+R5un?{2R$vQ zm=<&X)aR))^W~)C2-z(Bq2~RAY%+BJt6c8= zmP@LcN^QaSU-u?Q_bm-!)HkcNce38I_&UhzdwtsJsZDBXn`&pFqUq))j?Fy|WP>{| zTtK$PF-N;uAZb0%R+|FnN(WT?TJOYQzWp#Ir#h36S+XjeTV33CrLE{2NON2?kLSQj zshf9AmQ5%v>U#Cc1N9Q>H?ctha)t5A!DFXbxfEY8fxbq?c^D&k>lzIw;Wce+c6<;i zA*9GF%g84UmF$WNE47ti-wR{w&lna;SsWWw7xVM?0q3CcJ-+er@Xhb~Og1a0n_@Q@ z!pgm=_!G`b0A0Aa@yA_2;+Gd3g%Sb`=Rd84nOc+$@IPW~=z}wVV`V2FHx1u9akf*S zfM+~%!xUC@NomxTd46@54$T3_>yfo2FaA|g5OyZxVjI5)+;~xLp!$PiqqFT-XC{&> zbOZ30%2y&IXseGh2*Bbfo$9oiJz=wCE_=VRd#WL_DMu24NvD-xQm%fkk-tg4m> zwN+aYBb_1E(s7|@WWBzR!#VlfZ?WCHOFLWdv0g1WkZ9C=pU!8y2)(< zSRQSJn5vI$UoKcSg0q(3xxMvVX4jmIT&aLuN4)ZRF+f@Z`;}IC=rTWvCe%(+N~gMmUS!( z8a`Vzli53>#O_WmE#ocGp zhHz3Ly2Jhs>eTwc#Y{FnMVZ}l*-TCV?_K)P@j)!i5fF*HUxtu6|Md*IFz=OKamVAi zj%DZo!P|e2rxJ2&{OJmbJ-TH(6l$rk2?1Y8A*1&e-V91_`_GmQ^&rG?mfM!meQ9}d z%%I$jl&*%qk(jk03*g8E2X)Z@(~150@qLSbboo_CKyWjrQ5MypcIHJcW%;-5gd<$21 zw3JhNXDVND7wf3UNJO^iWg1sVwJ}^fXU;Bo(5_DbS#4fxG#5`p z%U#j5JMxe7?Yz;=)c5!{lbK-|iet(J&P;LBK?Z0{7CRr+EwNX(>KrQ?WeP0R6`SK? z6_-8^rBr04ndxMVwJH;dY9=|cV(kGAPC-Z@7<|}FH4z%NEwG@`0}b@EHJy(Vc%sM( zatzt(Sx#vryZTSW%1&jO2VaIlIDi|U?Tt*K2Y87UEi>h8%sr{w_xYXJsp;Q+@oV&l5Xeg}v|TfYUS0P%@w(N}wa0>eVL&7v7q@oF?WA z4jbcqJT}vkZNGY~&LC+OkU4yz`xZv}9E*nqFEfHs=$S6Ws~Uy$_?mkJ?H4?a)k~3p zM!KhSfv%oW?*_y;Go=Bd(Pi)t?pT4NO#C~IXU63PW^Yl70$?Y z#rYLdh4LjVj7b;Heih%%D(|Iz5+#Y3XUM#h(S!ReY~x{9w)ww$x`Dn;ut)wQ+_^ zTxz?D<=}rV(jJO8=W=x2GzJFkcC~ud#W+0gAmFl&&Lw`#@w$=`<_qV7v7>jO)JkNT z%`lMsRXvcA@T&x1j|c@`Npb_#Z5?rSXTzXX1vTAQmglG}^&9;A^-d;Bv`y^Wuh_RT zY@1~g3UZTuw*uqINkg_g0M>xNKmO!zjQ5(|$y8%|*cbD^dHGxUzR;aCNQ2vx%~IYO zSq8$+{P^M9n@`okoh}+^m9&w*tj4m)ueo)uGFjc>tgPMF*tr~DXCL{8!)ga6`RL-= z>cZH*`b~ePVNG|^$plVjVg*Eo2CmRPzvwc2$9OWj!p{|;F)xrQySR}1^3`4R=aN#x zsq3;na{av^4@SD|zWD9z^l^^XV2a^^80MkbM(=BTbP}?*6cgmBPnyuEkYN^LrCTi% z&JH^8SiknDO|XCMKqC^9@;;a#U5@OS!io(v7@!x7{i&M*_gDJbFK}`{S5l(bX^EB; z*9=AJ^H6wHj2Mc`^*#R-QacQuS@wlAesrnn>Ya=o(x9jC_z?Wn? zzs8W$|D2Qd=s433i0vDdB`fiYgD+ltCy)8yrEh2X3+SoQDC3AJ!^l?mbYIkSCMo#% z1wv20U>tc^@U)Vm>^|B^$HHpVRVTOz9nX**S7FTN7-Bm(u4H$OoJK0p7WYA;Yd&b& zbOc$K4mL&E2_K9C107T)fuNf-!8fhNFZCAE3YV@er7}H>3kDZeyiYuZ=t?IKtupGexf+Eb6T$mRB$+uSfH3jc@* zUQ`E}H{f$2f1_yE_)fG?wJO*7Z(jb^!eqJMT6n}ha7EgocZbf}4fJ-ktstw_{e=q+ zw2KpfGOiG>KUjKH;Tzc;AAjMXGA=@Oq0<>MYA@z`EDPs$zLDn4en5~5UdUsrvSGOA8 z;j@Y0J*bJJ9rM_z8Q_fgvum9Ki@M?x>6;sZvp_Q?MG>7;MV6Cs;+4nJondfNmJwu>i=23a;siYqq8 zo&Z%@x#0)5QG{pGW&RVfEgKPY>TsmOH=mmZWN zt1+KNv zi?MU5*XLQNpwmanr686^lWCl87oK0Ddl;(&{ktVQiC?7i1i4SwsMCkYgG8&;PH z^e2k++Zg{6X4Flfu#37WBlBP3M-0pRyOeVuxj=~GOXh|&)HiRFS=)rWw0b>K-p?yk zJOPrwrRzWYJY!=6PASP;Sljv7E5KeWON=D-+3TFOJ(ktuk|wOMtNBF8w~;gHxnxT1 zayUW?UiNW2pcs*7_omCGmMVyHsL1`3Z7JTTC!!nnTqMD)_wN!Ys9UHO)C~)Bjyb|7 z+D#^zI!vu58w;5N<1Pl@+@LCglvx6y{iuKBkB!z!KLQT-i75mXd#zRq}N}&uyVyb~TFGt{>qan0*h8V|^G%F3SGzjdMhX0~^*4*-PISbK{ zYu31nfxKe?O1eyU#Y+Gv2P=N7@;7N+Q`zr+TkO+~zd0+p}cDvf&-%uOrsD!>vzvAL5;S2;{8)JBYQzZ$r*cvxx zMdnPu8iF55-R3-^8d*~!P^5EoILDGU<3BlAgk5RBXXH??lae75}R47%Gp4- zmhxxi^V3P;d?}Eb#jWK&_h20pSA)>$dxuC9@TJ+Keq41+MIEjryvHd&c1&sY4?GLy z+#mS6m z&G1cOtL{1==E;QGa<(aa&5i$1SS8wVgq52OKw-t=10u%BNDrpoz3<->!Us+J$JMb5B}?uy)L+|VTjuW^M2 zWBrSVYqWW!uTt#zumb{o4-_Bjj1Xw`GBVNXYUa*uLks(NH|*XeT4fudsw@K6!ufuV z7uREtyzn$}67=p3)dlrf)8$!Nh{qvt(di1ber}<^u@9+tRS(+Do}ro%3bg7n8Vs=) zssFO>KmB6Q82}qiIiK{6?QdTGb_(k+|2axlfckdn4^t!eSM?{K+B1(s#sMu&CRY*`2mIY8z>0O8tiu4jlK%_~Dl_HRc zEJPr5La)-K1{6Xk(joK~AR*!WaP7VJT5Ib&-^_RZIOoh{h6o7`PwwZg*LB?ksuthI|~N=s->mboJfpIIlz?oXsci7>^!TV0E6?MshSoUhOwQRez7nv zbsrDYkPx*z73{TYT2vW5_s~Jq{gP&H+XIHs$P-{N~POdk)-VRvivX7vOcA>}LDOu%+&j;kn zh32w|6{&x?Sq`TeXO|*Mx^l4euw+(wF1KZMEnL0e1+W@E2~fRgqbKX7;`1A#B0IBA zvOjQzDaN=Phb#FMle#mIJ6o$$gwlD18=5TFEUt-zIGz*kMR5Yq9aQ3+~bVwD=u5w`y%Jwi44maMEB%9SN*+G4}=08QGRts1PrBC#}wY8CC&#Jl1p1- zh$H7}jvn`4EVq9F`n@F|n{Az3t|sh# z5%{LDJok zATvuecE0w%Z@hJQ&(c?)$#}AVHnTvO;ixgdCTV}g3{ko@&9;mSi(yS!xOFRoM*?-@ z5?t#(f}ZJs+PXJ>Y@GiawIfqom{#9l7JJmnpr~TmTWURe=VPQmQk8r6Kpg*UXX-rK z?@?0I*XQqVXABkK@$83%qQ^BCiMkOdE(2H$bry9FCy2^d64roht@TM4M-w#oKrNC-Lr&3*Qo7{LODp4> zoh<^EOD3kt=M=;XD|z3!Qszv?e=qgEqE`K(K-5As)PRG~3ZTCN| zN149g+uYx$@w2m0*gYGC(V3q$;eNR1w1Dap+#u<+)OB_Xr5j7Jfvmqjqe>P*l{8Db{dPmxIU1~lbO|Hyobh*fT(@>n+ zk*mj35v5Tc%`^i!LNcKO9 z{k8wIWwYM(%g8=7qyd*X15F*y}~NjiBBe@uf2iO7s3q4Vw<@w zxp`2?SloOz$HsmDH+u!Oks(zc{_T$a?x+hM4{?E(o~TWF%7y5`2Src?KT7sT9bDsQFIyLWUnSeCm++fQjJrwk z1LR3%p1=aQ{rnSbU2mYkv33)`Ua>tFR+(iKLG9_T57~CF4pYIIR{;3t$QD0S zTW5F8f}QrIUcdY9s?vOS_v&No=&2Kp;erS2 z1i&hT61J;dxz-x3F9|l;M6HNg#zK$p*s{i&#&jT8;E*826Gex+9GShO7vcrbatTJ8 z%g1`TwtLm&3Ipn`_DU$Qclp1cY}A0cI^s@da}PY#OeoIxZ%P=@Z<1 zkQo?vS&g_5)LRIVU7HxodcZ0+5K=J;v*l_u%8jDa)z>uU9-|04enCE)GlbWbT{&oa zn$u1?1-XZqMGXdG4|Kk8px=S}umC6Umq)RtqzUil zA*cOi8VGs!1Syy0CQ=@BI~_p6bQQ90pQXL71q5hOZgX_+hR$z{m7*nC13lKHA^=?= z)1yS2&OVmtB{fg%gm$$CM+X^%v>n6Y_b|oZ2hcmMNg%Bu1MBpRjmw?6;ts0t*?28K zhpr>4v{J>n&8F48{5O%tscm?uoYnbK<#tL>-_Rh+|4eIVr3T= zIT42R`6cjg>t7(Q8L9tQKwL59|E{I}ekc~+VgM{>MO{tpSC*2q&HaBZeygzp^Ar5m zjbDr!0Hhkwk2~udG~+gkka_c6c9C53578mi*&bzrJt_w`Yc6)$?{@3wzAtNeytA zhwdx-Crgz3m_f2Q@x9}~Zr-2lp!CR5XfY`lFZ4U|0I&K@d+{g@5GWsUO!RhJ202!l z_<=({?kF&I*cfM3jH=`U#kFzYgTHDKO$%Ch$2bg9dkwSD)}CaP64SG!SeV}D5K?aw1=Yjj^OUfQU30^=xlk-^|0EnssL$m^p(0xm9#Y(PQ zWY{%^zajv0m_4jFqP{&%7kBy8k#_kY6ENXNt|nxpt(Kh%E~RvkD5=2GhU(;}zlFZY zARv2l4GGj%AYjuye0%4trCrlAT9Tm^TyC^{a~FZ$f`OirQWfy(?JI#c#~j}nIVQyI z&G+VzIDLOUjMZ8br%?`c4Fc+xKZA&!^EDECvbybU(_ojex^w1&Bqd(^AMMB)e_;CjZRDH{`tJ_v zKOJ8K${+G3Jk`?KWtG2kID(!fckNF&=dJ&W9AO!}(FM(^MZDqerqTA6X5i#s{Uf+K2@h77cX(>fhzxy%x zF$vwXv-agp{zp$q`JM$zhwUxhmdv7vZKs}7JB(*}D`y$r3B{|@X)8{ZYe6fuV^K3f zs?J6F(Tx?pslzJGo7}}VBcEL;A;bFZwD!1(JQDpQ4xo!o?AgKFcz=a&NXA1(ppE9I zU;gvMi3kHeHtWxat$%LqT+9n=|Nhi2J>Zi5WX(7(vxTNgp5e$JJhiE_89Pve+MYV4 zu6+L|05sjVBDEYeOGt z^^t__qogl+TpUwL^wXlRBFE%{F~YG**6ID<2D~<4kmd0>CuzH)D(0uPgT#FB78^Vu zg?AJZRx<@L6GZ_k`ATTLBWl&qRs5J$>leFm3Fm~EID=_|*56HrIx4MEP z9R3*r;>Sxb3GFte$62ad$i*18sgU?Uk%GZqAsS3p~h`34@n` z1e0xCTaC^k+8CVHW7CK|9+gzEEEy9)-JHA5fv8!qa6s9wd4e&G^n3+UtQ~ni2tpB$ z_NnWuN>6ljB5E8s6#bx=|MMws#ra@U4I{WUm6P-IcmXTVE#HQ{9C)s62NbcPACS)i zcQ&-XS6H47_0xJF4smE8=U3tB#jT+gVsyh=*HM7agd{e|i31HYlU0LN=B3u%!Ftwi zh4oP!*x)x+X@cCEC3&O{J*qv_Tpz>8{ML9JH0(3$VADQWVtsryMXvHbk{<8c5(qAS z?7faDixA)$`_5KyqAX1ll;BBUpC~lm($i}e^ei(rd~CDhb_m&?(iVFI@Z31WD$DHP z$ZsL$zSj)brMBZDBlrTaiEC*q^?NtwgGhdXw70X2h8;hphd$fc)EI4r;T&PFFC#W1ZHh6uZ2sXIqtV8WlB`wq zP${R4L~|q2<)t=WK0%s4+d)7S=7jqec;~hwAX|{f2n63){vBn)OL)dHWmiv6$c&&x9p1q<5zP#JimL0Q6(w7|tG%w~9CiiT@*ucKygWY_l zy#fym{nlLwaYF9y($sG0{a3TJ?Xm?jGCdHV{RLqrGBBN(^#BRT#~3;}+pi3VU#KWu zPlw~~EaZ-~Vsvd5@I4-zIaLV90_PHf2KWK7d`it-y4$x?8f6BdB&3p(8ZhQc$*R-W zb!UJf$lTYwoWpiKl|4QarB$mH?dLcLtuh=J`F5x=6X^$}PYbD0mM6?MQ0mgGHY4RF z6HZf%tidPsM{O3?d)#$L9ha8029HGixU$x^vsv>L9j%_?Lf0=LffcpzBay zCV0;>k}s&9^fF-k4_49kJlrKz7Tt&6{$xkqb~u=DddqsUmxO6O=xxUdOxJaJ01U5jQ&DKSv-16^g;M4HIb;?vUY!Pp~ z)fQ9PQNO-3Y%w^aC*e6Y!^E<^OsK+`5AT4{WE+u{0jNjaorC5GnsKvoqsY*f7gKDi zzxdzdm>Ao^UFKEoNHp&6uJk{Bv0I*hB0Ou_AWtygPu1v;_L-L4z`X=8p3PH!hGVcV zL+N&n^&g~!&sas|bHag6~*nUrilhF{*mdc{5ZV{8dQ7_n=iA@aEykI9=iDY4LWS-r^O2VlZMo zUy0KYMb_g>D6n0KC-Mhuu}a_3vIxjtl%@a)GoL;ZKM~%QJM(nk0i6o>&U}oL_?VUj z0GXxfDjwXk^u-!_U#fiiYhFDM*xYR8^VC{Q0`F`~JKaIqrYNxi-xCA&ykeL#d|vT4 zRmIsu;(>=jx?VHk&DbhWqLuOdI>}s;bCBGWh!yG@uGk9He7Vzb!-N;uZAi94bkZOu zm|_|x+*P_00{mYzEwEwba(j_v;es58ud8>%WhX-%N;S$FON($Bkwy}ODkl`D-fpPc zjcc~jAaf%&Rp9Lc{VPlsgdF|}sCkK}_XxN6vsUS8v#6RK(|{GTknYKz^BhuTnTc=7tjuSqAho)^c@zK{q?#4{D`w~ThJ@Anz!))kfQsNV^2&K)ISYv<@c?nDVOnyhn%v>V+&GEESn!5r@EEDYdpzl?s^k+g8a*ulQbH z)n*Yo^5}{hNach1k^zrK6f5h&>#n`3ZuhkUj>)ukv}Ux|og)#6S8V&&*@foB(Nrg(JI6zM}136yj-%^?QyFerPw z1>2GU&sw+(SG&Zy8R|KMv^j|>bp@3p5`7eo{usf4Sv}|pph;(b*|>W zSa@Tq3#ou4mpK-htV?;G*%;VXS!&zbiR}`*# zX?oQp#QRhl&#n%q&Q-cDHe7bJ9UsVaE-G`^g@E(d^~#LduX}a8#u{PPKNdx!%$^{X z>D>s5-4Y^iYt^hblg92pfc*Z&1@3pHvcl4N#})ZtA-}I`eWfv@;6xR2Wqc=bmA(?j z2hBbQP#c7u=ym_Z-N-xz+}xJ-FXHUe>gQoU8c_Xq=cJ+oKwfu5TxTD7-#Wbd{XD*w zpZ+91rzYljyS$3*QqofXDHg}0@Zj9cs7OnCdK6h#q|S(F9a*ed1O@6~y+F&I2aV`N zAD5=|{;-O;G_CWp#4I~l?V=dV;~w(bWw6odoC2#u3e8DFN8r$d@pTJN+HOUtkMPB& zQ=TbVckB!Ds%Nw|Yyf*4qvT^FGwmd({S~7xVnZBJFni>04($$5`~J9@pcexuUYh5g zbyhm}-1rKI1h7Nfo2mG?>@!>_b9MHE(XV~bO=rVJv)O134&QmMPuh`hGNd-)Cz~r! zChxFVk&fkPGx$rp&5z`I_abvl&#+{(_{n zKw=r)us`}?4=)Xcg;r=ioRx^I*l>>D_|16$xs*J?UbZm&G0J$SHjZ>&Vt(zbl-aE+ zkLhC*3D#(`JwUiDwQ(9O4lqO_|y z_N2A%v<$c3d(PqVCGEs@`9s=$#vfnYJ9SM*?}Bw}_Pa-+S4Lu9B;^aIUyrN^JDvDO zL#x|O%=W`wW&6|{K{@C?1d--Lp$*TLsKrkqy(mpnG@r~0A~kE#(sYrQ#+Y6$&5Cbk zN6DQKKCzVpHa8^>K1t4M=i{JlEPQLSFC4V#$=i^Ce%mtM^L^EGAeq*Bk#(NbV6ZR8 zH$AR0HlkFU9zqaY_0X8FyR_gOr_6js>@N=sbtY~Q2iy4(fCBoHM@|G6zwVyzzoLF9bpe{C3s}chG9H?C!S@thO3C zpa_Wr{hQ@wQ^NsN+<+^M2adwNtnic%k#mh0i-097Gz^=~tMZ9sG9@ zXH0PN(h+DpAIuh%5OTF+61}LQ>?$3+#k7_nApWrmc$7KaTTyu2h_@(ag3=jO$Vd|kgn2{tOI$x3fMv1 z&nsuAH)7)CU~f&$EA-;FM>APMq9a&OcI;1M(959dPInQ+D`Q7ra4(f|B60S3f)FBi zabP8GVqw5>oo~L}sc&is$)gum3~F5gh4#+v zn4^q0W(*+cSs@zHyWO=VAjU7d2aXHxWCKYnFBiKsp@d0zuVJ{SGy+3OGb>x=L>g~( z!k|O*5>;Cc6K@;Kvpp5QjNS|Z8%gcdrI|L9z;3@CrOg{m`H-whH@chbG*? zDk;Y2K;zm78rIWtqX9bHH7()b%`--5hZZeGSBhsbY+?e%mcm0sROb#w4qaX)EP$2q zXc5(_-sH((?~o@J-2?} zy>H?Iyw2GXz{MxEKR4sgm!;_I*DKT0t{p@YH(QI$-QE3$isY4Dolw5~?zno4(kxHQ zyD~Y=uT_17(k`pasv-Ri8IL(u1))O;N>{F+Bq>xckQ66~Sk20WNRlZ!^_!L9YZ&B% z@(SHK)6}#AQ`e7mO&TEi4A(;@4O$R=fqjha(5@P-O2S+O=U9SLeemR+c)Vx6mb<%V zVqq|xntiV^I3GrUz!ywzG_ssrdc*@VTMeIWmS|Tkt99G%40(J1fuZ;9hc|C+S9oqG zEl~JkCGbN3P9|PH6v!5Rrpaz*%9N;YGj|43p2&t?<=!vFydQH8Y zuwexgXIF;wphlG|nA$SGDy1C0i_fpogd&c#$Fq`5p?git-A!1If`4X~K4Z5OycYI*yD&5qxto(5^mJ&w)M z9-l_Vow?@=l}giF!$OXW?M8dPV^WcMs*CQ~i`&>iy8J|`lWBiu<5`gXzOc%px#tXa zN+v&KM-$2|(T)QQ2XD+jebpNCageZD#?@eTwrBtSsLs1;p}Nn1z&>9)PRaQL7BqRt zpPUdYPn?eD8b~sC(PaBn_}sNX$1bg3rS3_)fGlo6rE4rgX{CSIeZX*_s!gKtUF)P# zNMGr=H=n%maB^gZW#S#eyFo(baJLV!fN-1AA(u9p`$8Td4%o z+X{5re3{}WfvRsW8{f=x2vY~igevO9=cxd^%{9;$2~3sqHlnQ2hti&X)=9~=rbUO~ z-BR`D96{u8zN2SHjZLa}6lGaUjpV&r;Ih4{i2AarQMvPN<#(99N)CuC;P{nm^VLpf zX2d?L7RQX(7ur>zB`O$Ml|UiK#6R$WPWYpVLpoEDT z724kykqQE6BgKWj7Ar(kU54^xk7CSyK#Xp{+~+I%#OMZRMM|gQX$n(58?ejfFAx4u zb!Pv)BR8J>%p%m;&ddGVo3LGXOdG3I={S?5ZPmb)ng+9Kpjr=}dt~i|fz&;nPR*eV zn%R9&s$H@kPmcTSglZRd?=$8JCq9=0$PL4=Bur^01MewIR9k+x;kM}KrAZu)!EgM* zZjcq)2hQ56EqGy2gg0CTeUjfd61Xh$G`oevUw&T_>78nUd?pM<$!e-y;wDjNF8kSa zf_YBC>dK0w^N~L`+iVOE$l0>cGuv(nYwj>g=P~lOA`5sU5g|Z^!g{|`>hnW7-#br$ zwp-LTqBn#QF03>Dbc$5GLuu3Z>ge|oHkU!Yl_Ob4i|NZ$QZ!Ey(h*Hbf|jP^@SP1Q z^f}27QV{k_mO)3Gm3J1gWx9lSIY9g~woD*Y4+3xFDZYQX@7Y9*wCiG3l`w5Cbpw)7 zmZLjeh}SgQSxY!GF^Hn|EQBgf(;eu8*&f%9@=>pwK;LFO(%lp9^!T1d&knoAMwjp8 zP0!P`L|3Ffvcc5zZ8D}3lNrno+IcdR-K^#5dp*v5v0_O1!|l2xal;)U77}9~{06T` z`f$Ku-zx&ikC4}R2Ij_CJ^~ts!gMwoY7skLT0J)%U2ShkgZmfiC!$DJ|%{d?;x?w{o`Tud!Y0l@Fpd3Q1GR;-LAw)wG<$VOL^Eqfwg zu+H^EM-gu%zX=Ao;ILT1ra|uxM3cgR{ES&`-e@8^fU3Y6>;9mNZ~g_~EUB8fCKE@EY0QIc`3d9^HHP3C{zX1D!geyA+Yx(%w2^GW~f~E2U~X~helbf2OWr&?pPzum`4O$Y4L8h9xH5IiqpUb|txxM&RO7NP! z8wtx$N(cMlC2)p2dgX)a%RKrf&iC-Nz<$Mz<&wd-;MG{hiv`z0p~|Ie6O-p=VMZCf zHxW$(!)6%j+|(NAwO`~Tc4RwYmoi3Tv;)u(e%rbt{A;;bitbjcv&p|29LqcPP zUK3J@s7bYrH#|lCc@k>_zNv|2xMr}KhkEOD+_Y(_mdK$`chlyu`NQy)iSRXb&mC~pO z`YoTLjhe$&4Tw%q;K*SbqQSEloh=1-Eaq-8_`9>I=4ZPKQet^@o&7J4=`T*o#=qKY zKWM6I&lB|Xu$@}LJ?}pv*)3mR-)kAoY82nLr{5sT<5hojq^yq z1Z#?7jGAmLeL&T(buhk&E3YB6c5cyiB>5E5ckKfjzZ6#+L8`%AuJlw0R>f3BW)4VU zyjwMEv_5|ttEYjVwph<|im`!T$k_*}P|St55Bm}GCt`iyc$CC z#P$c1ek+_e<~)B1>^}FK)^gC_6O@QoK%7cuew*{R==G;@FS%`J_-(dP)0;^TAmj-L}H2 zsf3ZnrCcpkJ$-t_(3C>lRDv(6OCc^A5|gUd4XsuAJZp5%<8fM|r@-yNj*y&Fn0%t{ zU~JnJYpL5j73bwYH9nHA$Ar@~avZ@r2E<$zISU{f17VQCQSRav?oTu22d=sLiOyC;$c5ncafRz-XU8 ztB6NyAY=|&;f&6!&sUhQH$jaRti03%>KwG{nuATIJS)oBDBFOS^M=JmrfS6mW&Bc; zxxLv@7v$oaUbFtN>t;@A`O(F7@TCgX8G!@HMk(ZQ`O53Go%_h;$n3Xejum)Shm6dY z=(0H@9l!3VitRDSlH~JMUz;abv8olm%cdb~+Xsy83+Yi4+Imn@g|d#UfKxhRN_VH| zrT`iMg2pK)n;@xa!04y_917!Mts7cI$;X%uGZMiZWn_0!DUN3k^|2ubw_4?bM(P{b zeDSxO-cCoa+ELabdYM#0(dw~xCXQEV=K1%3E9uizvz#!lVr05l+Vt%Q5e8u!F7t{~ zbl^n5t#fZ{GO3XZyDepWn;O z8vuH;_yZe z=Wz9Xzb!LPxAK>;tsB*b0IFd?82zyuWMz2#$8Hc9Wh1N0C?#q=9ke8@kXyrkK9i}s z276K9rplh--#n)Z;>ob*J6#n+4sYd&{L9V0qPziy@bb$q6xppZH*t}MyhPO2(ELPu zd@Aq)(`;48`BW)+^s}5r!g^7nbC2o7^>xWWaX((_ORrb~Pm<}v=DPb3>`l+01ppAQ z()z%7FF)BDYX+qw9JYudx@UV#*1Dzq0yE7FD3@s4p&-_vxXr&ghetqE>8<{9;TLuC zwLdajp6dM|@4aF^A0I3}b7WVGLAq&IvS+U+!#{^=xrI31ST;5FfV(|NFb>NUvU^iTBuW0<@}@eiN%4hRV|#r!4=t`Nayg?*nEjUQya@8m>ji5Au=miJwV{YPr3sS8+lXa0?czp(C`|2|6EJu^k(h!BXoH_7mGhl=Hb zp*ZMj)idXIb%0=nqyRce0Kw{D_~maYcsRUheNICcJ^4BjP+O! zKieRp5!|c@^}5@~=%_7IJR%i*?suEN9S%@99S51%BAZoz``h>bth*2XD7IHgpiQbz z(g3-*h~uL6bW%d+nOse`RF5<%1cX>;-CD=xR7s=Yj$Sep(thi=Y&q9`7f;W8ocMBd zSr$lsF)u?%a&{TJEGt|$`sJ8uY>7~^{Ags&B0cju^dM@0w7T%519e{Ikr_&r^DIC3 zY4{xy>$;YUuCVN8E+t@jmuB_C_yz9hFz{>j(f^@Y$q-j8A`QdUtROyQ>qxYm?=V*0 z-3W@<-sGP*duieBiFEBN!iOe@Y?!8HDZZ136W@5Ro)!>#1DIgo;hWnAY{H%+2`sK$|Qy4Ju6wp?C$}@#Zp>(*1KQX*$60Aq~N7w6n5^%{kZ$EPZNI5@iz_y&)ty0fq6y z&w_d`ug6ma^*tX`AV+dG_jq&ps^&~qs;!R1$^ts*k2d$!L~PxfGn6wZf<{-8MR_&+ zXkU{vYy2w0>6ytSWNRHwwd->A6!_5crVL;LxF*>ce!@EU&08Dn-}~}mx^b6cl6&9p zc5>brjDjPo<4E+`y>)(zJ1Yq;o!uKTB89OA3|~_D%D366sMAcs7aeKZu$W6bUiu~E z!lNyafo%L2D&#BSrO!6uE0fULqQ&E>qVG-l0QK$9bP9OFFA206wQinu{^_|M%dzJ+ zxXM&*d=^h5t7kvs4>KGw1{~$ZoBKCAWO5rqVY=lir+eD#3gDw%x-+oFPc3FB_<*_E zQEz_bh5{H4;CyY=H=4%ETlE%ID6f{76j2rZTKVajv!#h)xuSmkjLk;-i{8bjj@aR2 z3JW2}oGq_8t~nCI?wt4{5X|`nG(OS>i(KE3h^B7Jl6hwRG@FYcvXl89F9QA1{}Ba8 z*m1Q8TF>X_r1B~Q(&4necvS%01sliRZKMJhK0#%?xhn85aNloRg`s4aq?J7;Wt_2A zS&4-S1{{d){Wdyu-K{c+B5lv{>bjrN@j^_sMcisEqAPRLK z(4SiY!L$di-TS&xOP$!#{dBU60YrJ;)DS)xZqhpCiYB{42!9idw>Y3p;xm18IFEndZG4Dq?QWwhu3R53LF zY*}Fy(n@wV_v5Z8xG5kCUJ*7`-Zqw?HYot#?y6fFi0|tsH$>QIlDbJ%Z4-uH#2=tc zIULOZuGmYt?aR-u`AN@kR-1WIePb1dm8#dXjs1zEnq6{4c?2%8DM?B;7Rm%)tizFj zMLdg(6Q+Km8$|cXL8GoG1Z5<7W8*|H^dLb$V|IP2HBN4VL8A|3V0u5X1NE)lJ$B)J z0T1dly{a||hr@(?#6PGe)SfiiHvS^~cjuM!1ehsFC1~sXBMkrRpB9FvWH3zC*I%D{ z%g%GEymF;1C2Gd~lg-_=Q$__h`Abg)KRtO-2RE=Uerg1HpC98v!bX6FW@?rY&~|z|l+@0$EA4`7&``sXFKmASV=Q$kj zxqxe8pusZ8cWrk-wr1_YqjyJA&OG~Oj`o33W4o2pc16BjCnMzh0lJvUSYt?BGN#3B zUO<+EhA>}^oDxm~Yl0*Aw~0AG^N931*^m^cQU|PPY{%6r!}uW)uGn9 zBciXYFI;6i>GNmkE>-LfXRYqGHQAsD$+S7=%T)Y|Kk(YGyG8#WO(q%gU2@lC3Um%0 zN_=%(g}xBisc@`PoWoS_90)gn!5Tye5>E^x?UGeJb&*|3 zFj=(FUdi?N$TGEQqSq2zIyVCl4qy}v5WUP?TKCy~;7jF&qv|NHm_DGZLnVT1N=2xE zt~YTqS24Q^s-70a9>zbW3?n@~HGHWM>C)@E(66*XY0M7o5S$x;z2`t|H+;9g&AOU} zo2eOQ;3CI(s&(Tbe$+0i$Uuj%A#G?^_hA(An47H*yi8b3|rhl=x+Z@ z(3?&!%mCoofS`AXEFkDTr#8FMlRP{GSf{}3s&l2C$QJXHAejf@peMNTSA2i>rGF%a zIZC_tMd?#2>=)Ms$rP>*OmY03(gPJi9~`duha`nrePY!UPcc9CzF*4r))3#6U5ZI^ zkc+m6+nrdsKM0IIea9|L39mwffI1`I-G`Z3t0 zskTu7xn>HC^8sbz5tM;uZ3vwB=vV>g#JfIuH5!-~%Q;yZ35%3H2S|C-6K3T;MotZi zeqIym9BjNSyk#&ev~qr$z-fcBZp%m0BgYcnQOt9*=(+298JU6LRjGtb6JSzm+ol2^ zR=vq{Sm=Mu+-@=fQ8(t9`7zHw4dL%kuIc_|3V58U`my_~#gaqoz*mOAPMW1kz(QA{1-z13(GufaH*or{!A0po5JA8ql4g)wsmtqh< zhABS;BVg3r7fild2OjpixE}9U=h12-e_*1 z7@dt5*>#zm2A{P8i(~{04e>m77CU?@ud^^@t0qqz6ZC~UB zxF+gkkFXuv%~+GJkd3dHmw+i<9<`2iW&zpdHFz0NAYQ0UK(9MYq5(p&YQWt*SRqsI z3#c88$1V;tx-7q^rpkvlY9(x81kBN;t}8OnLMhAW=Yp|FvSn-eo+orFOLZF1|M-oi zD8&$@GP~K&)TYY9|~N=4@lY2*NFn$pVt*{o#XSJ`QS3J$hgfFt`jShq`Gw- z4j@11D=TY}io&uI?LT!hC(%G^d~?|8mC!#ry8jAS)gQ!i*qHsx_bf%LETrwNIDA}j zpS^qE%!e-5BzLR#0e8nPmSxGx-@^f{v0zG=+SH`7zP{%IhM(MDyIKfc50zjMIeO(v zgb86T1dQF){^lGjClLf7wBD8kpRS2ctQkL?<_gfpHrD{!n5a9f)%t><>fy<2X%qEv z-WF1XTJ{tv#AKkXHSw4k+tbIWtG=;ft@(Ti!gP3Xlw53^WA)*q{zg#&$ERS z>2^(Gay5;!*J&}Y?_+%Nd|OrdLeWHlZesTU6dBq0_R?Z$S&_McnY38=&(AS<_Z(Yw zUxxoR&j06m_3@LtS>YBIG@K9VXmej;QNMU2GpXdRXUeB`ep@$P`d(wpK`WLX`N{@&K)HgqYW)27nJbCsM(~+0ai_ufa9mf*`Hp z1_l*|iv_<91yxwY%`9@Ziq4`=S;;I~OVeD3u`R=hce+jya*OqGD6!!IMgzBoWV^C) zX4JZEYpk<}-yxW31Ix)A;P$2hw7r$r=du<=-RbUFqmM%_#zkhaFBYG1`j!J?u%2)5 zMBgjQOKr5bjkrpqlEuoI32T_|$3Zg^Tk#|h@$@2OuKIH4FK)gp7Z53B)pc8bdh}cd zOn*!lB>XqB(B2v%`IAs7m5&dOgcv*U_(-(J4g?g2DegJ@@In^AN>rZ4ELqRVQpUZa zI314Amw-L3Fb5GBt;k1mREGSio-DkMeM!z3`0$Y)Awi<$+ZJpjL#c{D5~v^8r_?S( zaoA~BCZZUeAkfZE<}g1V^e=V9xkT33d)J7;2kxowyHj(X$*NtM{xnM&#(Q+{2dNLS zN3Y$M1=-d-3;pohy}G$~-`=@$zzyD7@E*PQ>btqqArhYYRqk6+T*uxiRYGFAiu;vr zPYuPv>do}@>qCAAXnQa9ZQ9*M&*xqnN2?)M^rftJ zW;ky!L)Yt<-*BRyDbU#{p$%b&{HAl0wZl$B-CgP-(@V9y6)P=R%5jGJLp|bITDZt+ zN*(VVWLsF}HF~ENb!{e@LA|Nb*!BBuW+Zh+qG$tpj=o_ZrK5CnW^Ge>Zf2bh*^H=_OdjR?B_uNKN*GNJ6 z^ynk={dm`Pa`&Y=R_rvoiNVzq2CP2g3Oy-DPl9~8F{)GpKkUtpSdRbh5=MK*fpW$z zCFxeKeT(MwaXAb1b4HSG6`S1HDh&{(9%Li29}O;hZJtxjNPxn zyi#orkzCHvLz*9QpZI86@WR3@DB#$^!=3NtE%3@Sx!OJ}{!evPWdp8b=k|mcu+g27 z{dxB*m7w%cw>QFdz|{OhxlLvsWaeQ8WJ2FQ(d5R}5;6Lj;K}P?cdM_u#*{Z~C#`Gs zkp+CKTH%kseT-a7xz5ejb&cse&M<%I%7K|zu5S;6q^EmG^zD{xDQ%GN@>|8hL{I3n zprYBJsqccowf8WoVETl&?+!Z5W7MRH7twbZU0yJ@-FrjpjQQMH zq0^}?fikPGR;{WPy`JJQ4b#>8*v&@;+>!U)=iXwARi^dNQf3-Z5zj43og z_H_My)4(VRG0?cUe|H1#j#u9FXm6ze^ONP6%(<^yGd%`fjlF5fT3tGgAJD~LTfh}M zQk9|h7dfoHg@{5Y-h<8EghTtEUk($wVybMg=gC`OTpRUHK0Gb{;kEZthe6+5arXPF zL%^s8HELacmUn*2P?)L8)_taT#Z7uhSH**sLw>X&PDfgyaT%S`e^P|l|Em+a{dD&X znRTBZYWkTC|6!Se>hD?D{8?#_edp0<82+gzcGc6J)2~vJ&6y!HcwU~Dat}#vz9w?X>t0@rqyn3tvl*3p<`a+c*kw-G&E<|3ErsSVGv|A+ zI4{|A;nPyBM+gCCxqf)BPW5o~?a8M1+^3HAbf#s7v7cV=jAD154hz(IeczZzE8DB` z-MAR9#NMQ+L#&i{87t?4tq`xpraQS=&B@~_k{uJX_b5S{J1fyS8Dk&(iZ8e3Q zP95#g993|?ntM+xJNI#UU35pbNrd(lj;*_?XoZxyuMVWQrWcFnFeRcY%8$YXbj2_- z9`6o%tXZBz{pL75JysokIBcNH8oFi8DnqW-S?+i&WM;24EgsU4qO{p5edm(srDgtX zm&drxrYNswbksJR&xF3QjWDZ7$y;-Ug1+7|V0a-HOu)2p-O4+jvwL_1MvL0o^y`Ht znAw+rR3x3c5URo9CghN#6E!UOOQS2@H99v!WMu2FjgEZvy$V19a4gF-ev}j>2GUt$ zH3rq1j&e;k>F+(Gqq1C9_wuvO@5=sxI_vgm09x$t3bH2wUvxSwb-RnZ|8Y&UN$KfF;+v;M zx29vN`pu5oUxe0QK|`rtbDQUa$t#w~y0>+F>^{_qaP*QzUtx41(|fI?-we6f{F4_; zN&kzl?+$1CZ`%%4HClVLR&2GaEw!mpwMWewQMA-*?VV6st3>U#h*>l?wFwnMw6@x% zu{SY8@W$`HpZ7hE_qlujo8$XWKF2lB>%7jZ1wUz7_AH#VY^K(-@!OdB&k+3T@|Kc# zGv`vncqR?e*}E1YBdv=Gi8d}Yvbyc+J;$@f(3q~u&+1*pC8Yw~b$SxnrXr#i62rJ` zhCoY8$;Mfqv0T|LMxCLdrC68v8c9>!fB~`B-QI7n$w|E`K;HZ;$sSxX@=QH(srz4YD8G zByHlYY}=&Q+2}$W_P=wKJ?kJPf1E(vzcC?D)8xIi^2^5STYkULU*GT3<@??5kBvkB zm-l;g`F>ueg!H?7rw<4@{zoufYxIwJJ6xrxe?QXSbf+9yjvbxT7Hp3PPYA|)MmegB zMHoq;#cdb~9?B%OQk<8Bzy_Ff!+qJ36u+ea*;Uv&bK^2G_S%`1UJLUGK^TTEwsGHM z3hq^rmuZoFyV{;3(pzM5NP>uz8Zbfxq;aBTK%0~B){g8ZDdo%HeLNYb;E5UILP}@E z);LCedqWP~?bNOUwq$g_CNGsNUeYmTh32G^e!>8Z{8Cma7-@EuOOH*}2m4@OW1TSj zz7A9PJiu>3n?6e(3WQ)Ans!tF5T#b@ZLXP`gC|IGHI*(fV$BZ9PJW7bn0xraFTIlz zyZ=UbSN!Ad#`!C=zo=u|F@lyM(HBI>;`zIM zchZbiNEqs3!1a0C9GIeO5z0etrGp9~UH6JKdJlDee4D=@m@(4GV|UmbIWZ({ zC-;ge!at^GJSD9WW6zMdgWJ=hFfd=+wLMdI0=p-K=$aY#CX%YXh#Utb-`%l+SWq263;V zX*)+_=3ajb+ex3?DMQ`9k#4N=fYsk#C!3%44zaCnu3N+3zG$Pl&3^fQ(vDXN+hFwg z-6o|u!FJtTHO|85e%{t6laJhJC!KorWxL;Cpq*!EKEml2vOp4u^plkom?C@Yr;*CH zF6uCRGRW=cTYrpO!8%K<>u8rvuE*EX-6*dwySZb>f{em_(Yk{wZ2^p#={I@TJY3gw zl(oeYpU~UiCFW3|H_{>EYO%A+OGiFThSjd+bX+`)3@H(~wi~SuRTk}g#Y)5jNIk?=4*r+SV*O8MA;d@U!{U=jTqSf5#Q=$_Ch4aPE99kO zbXzUv*?|qTLvqWmWYL3n3TXCY=+`S%^XX}|z*xa*pG z6O%isR7d4BmcR2Kx@Yz?&S;Mh;rT>mAtxWC@>!b9M@{0NSlPyHs$v$9;+a-2ncpcplPdBMU8n#JfiPEtuMp8DAqF z)dXZz6VJ7Sr|Hj#hzz(dh1EYK-TotH_}wd}=k*S3=TEj6@Y~=s@rU}?sn&LK7s5pY zS64KWL9I2F50jM+lj0LSswud9NaWOTlH%S-HE6umf}w~vHb<>ITS0bDuv3-9!@7@;Y+R6qKP9Pu&!KGea43 zrK~I8-vhiBQ$7Uu)N?H{JNMSZCYa$qGUFxs~b}|^R#6~+R{_R~1_AZmml0@D6 zzkOj#mQ4Kbm*cbqK#x%OA#L__kl4n0f~NY5<11TqXBhdMZ$9=sCjBvY+eeC8yr`w_cG(tK?a0p09cJ3KKxrr0! zyDJWoZmA+6cWC$Y!`}>i0a{XRc+=>IAm6LI1v7wfi{e51 zXejWItbovFbtwyGrFtK8j(2$s^kgOSYza`|Zbk01s7|MrKcIXQ*CnZu(qfRikp&4N zQzp`Zl4@l3Nccze+!g#lw5sZ$uZh@*il&mIU187;&1Mc=VW0%5$*j=#=vA)tI+iD? zM9)zgiZgjfVS7{kSsoN%QMEAz9`ig9Oc!qT2{fT>Mvui%LbL_qA7A z3vvW>#NTvZn2FELHJY!Cu~FK_RUeFrsV=x#b!4q6Vy6YoJhs4cL9uxRBt=*H`A9U6 zrQN_6wMd`}$D$D=18BKuCV~!N;>%1^zAlpW*vc^hO{7dlpO-~?y+yC8oIm?EsYh`y zGb=Bm%{*2Fa0p>~ra zGh#~dud6B+X^OQZqJ&#cnuW-u=te7}_t25jBa&u#r#v&TH=(nH&I>U~4L#`>@yPzs z_d!+uo4;( zP_%XGbo*=BY2usGOuh>P{;Ve_Uxy3zfxBa%i2FS;g!ifDesTD>aBJ}SG9XJ0)=mHI z3tO@gj{iwzTwq`NGYP&=d=b36C3Bk5dl6LMGt>en$GOH=LMh)yIS6pWFvyHMxZZ25 z5k>(;DBqP%Gga{|la2XNE>f$K@pp|_IJITx6TL-MeXC9;;0+K-3wB-@a#AE5i60Q; zmr{>z6GF>)4rOzj+`R9mOHm;mrbEI`pIXFz^wKk#Oj!u3tSZiVoAzh4ln>R~Zckz# z+{-npym=wY{*FzYI*w5za4`>Qv&Th6qG)}8JWsXA9%_KnXdN#C$+}jOTLStC%UsBf z3Ga^%>Vzb2L3=OgZ#WMjn7jv=e_pY4|JxULNSvv|ShxXtJNNK2K!R8yk73O55 zQS(x@e1vx6rM);u@|sX(^!j+T5}$$_q4-=db6sSHQ7DlBCy*f{jI459vGJ7#S`|6$ z%U|^Oj1-m-ni|mwAP*C$wkrcv-UGa^PN}(MLPAlAc_>`#O&m=WyYOhM9?1HEWL0&5 z=q})H0Pcy#5U!F>F)-qI+*uxnX9Tk1o{WW2lPF?d(|{yWV2M2O>Ys0p8)+1|h}A^D zrQWR^Jx*p-T09!%JQi7lnh?+lsVbf4km^hDp(N^K%inxugr5*-N_6){>;Cq|P2z8n z0FpMp-vNbBNnbC0bZiVfSo7I$N9?0UWHetK-(8Z;c{dx;7D9*6CQT>F6c>l|uH9=%e;vs%8FzBqPc*eUS&2!d zlwnel{4ok=#6p>%5bP5jEb0wV#cGXB7Ka>&-X9&%h_)?fLmGpBhAXZ`RSaYdytE>~ zX0o;DTgxb$+7a553F7(`T0mHyv;?uOM}5khF^31m4DX)(E%G`ugn4X3Hkn)+i(G!& z6|?+w>G@l%x(w9L%wfyGpq?9qyCKfEkk)?Fe1wzQFl7QvX7~oh+nT!eI(;CTmGLNc zmSmYSjPmLSgJ1zypQs~sD;&;wF5ED;oa{9vN9b&M8YiBFV3{YLW)U7J9ub`2?MefhU4Hx!+Ch=Lvvi z1*EKQu7Re<%svt*iBT5S-kSk&n(ddN#`L^5B9tfir4h+x z`X;WS^B~w%bOssgyZ_`}%5j(8$?|q8@xL^1cgd6i!OJam@aOW5FkdQ?ws?Zn#}w@Hpn?;;~@?9E&2kyu?Cdt1N7Jm&3N=IPZcL=gX_%# zM}f%#Xj}(`-(g*XSEUr`I?XiMHd26cCk(OR6B=)_vlU54?~m&3cjX>YAw#pjBxz)} zzqFMIxG{C}{>B1j|fKUjKPy5cSo@_hp@&B>=d_ zqrZ=GfJ7nG$x3u8omHPAUvpe=`KK4+WXbdH>Od9b2NQ z5kh@XU}egc*U3QO?nyj!<2pRLOlF&(2XLWM)?1&nO#zHzb{5{^HK z6}n|$5{0=V9Z~BY+Gfi)KA_Q)576+LKzI4^2_(w~^41oX9%Ff0y^#$5Xn18#Ay6q3 zFo6N0qC-+(bRR^0a7D)814Cz5v^txZamB#Z{Pb~7r0RhEED|VuDjKRW!PLeP&5a}r zRSz}g79$wi2l{6n|FKRiGQ7-qd9N++{ypPqkzUR|I5q_2+JUY_*T0C5Q$d&@0rENifg{Ez&>GI&-#HOF}AM|e6Otdj{(}5iqN3^ zV*8c)U#4nCDwk8WNE{CQhq@Nz$*@mBV3Fa@J&k&WNiwNn}Fvfxs~S&{d5E9-4|V z@=ofUIF5Fp!r{x7uIQ}eh4*_jJRGoB@1$22VinF;XtWl&#N7@G4qAn8S!Mv0CY-_h z;!D(1#N*)xB_d8F%Dyp&!jBqBZ_$M&}_d=i@&aU1pRb#9_^zPmG0JUpEnEA{nPG690~ zy1^>tFct3HyVto4YSdT6BfnYLo77Eyf}2=oH8LHa`6<3uI=j>3R?!paUR(e_zgJy0 z)6uABN)R2cJ9+AxIr442;Va68r0wgY5zK!H+7D=oh=>Vj2V{}j6hLqzBI+>uPA1pCvuiB!GK|&aIY+DK9(-ey(vMqn{QlboSCuO zlRJzwhHe(~By)c^>=_W|5b{3*PX8WO0lT?QupcJ@m?{_hNZCYIE zVr}v`&5m$tGlMzylTj-k4|m@mkW*>ALiM}<+f=1nLGi^p2%qJJZgBsqRF|k*H;uIR ze*Q`_$rEozkGFz&h+39oQk@#ra?4#(6l!M#uH&`@w!Gt5OtvZUF%`Igq5k-^wx6FK zcnOy^tEhkZc=8)^dS$G|63Pafk;iT1ZwV}{jC4DTE2SJwd%#$OH$}G+c;xCkpqsZ3 zh^@0i?DUVeEVmbJUr$*-XnLLolF~>k-(5w)8j_$gKTE%DecJl^Fm3r>Pl?>(`0$mU zqoMVa#)Ah>#j7DXR6xkitn#rp_&xiFL8K`|!ITZl zTv4!b97EkCi`%rMYFXJR90wQgYJi_ok=d_2n8P&ZZ)j{mMij7Z_F*(*oA1kd{AaOa z*dj}frv9@d%MeF9y#$sc87J|vdd+!c?KnDeJ7i&tbuaXE54erYvuaEpN=82I~Llou+Jwbku?UIbXl{ zd6m{X?wc7bEqQMt2#U}nJzZZ&&^r(MEpe#uDyuDnIwKAs4a`vc{N_IuLjU59sB>P{ zfSI*3DOXiF0r7jN?QWc1B<3g;KXEq-X%o;o~d=R5`8!)->nI}-i&Ax^ek-AN#bMYB#$4PGBs1(u8 zZe-SLv!kZ2&5*gQvh`x?uh*4Kr|~`IOHs{pX4Z|1CzjUgg#PhxHH_(mTW<4#Qk}rr ze)VUGkic}zOY6Stynn6|MEO>JM@BYKAznGX6~3{?AtFgUhu97oxAyC7TNrBIUafTh zAgg7r&u>V{X!==xdBKYv{)kH$2c*zpQ<5m&vzREs4dqxfLN4RD;Lo~*pw?uv(BR*j zr_d`M&r#Iu$L*?5)#elliF77MgPpAr72hZjoQn2MF%_Mr&dL_x=5%m-JhjJt(Yj6R zH?#PFm+NWW%am!=g(i>V15J>L$&w$jEx~}b-U5yfBFbkZt^t{|a>6yv&L)gamJtKe zgbIqG_-aQVStw;!K&=JKUncnk<=TISrA;+cnKQ4CsRL~IqXA@oS|t4FaVl1618feEUGd%-5kkvtLz;nJ;f<(IXF;4TimQxC7QgD4fmMx+!_ddp z9y>b2K@w5AdQ@?midE{=b=tMqQU5_6mTJ5cO0m6&uv}Do6NIBtwI$af{o3O)u+{-p z+$W}E_lZyhaPs>^^bGw%4p(CE$W9K{MME(yHIGUzX70Nnwpdw3tQi3&?+DAvhzV1W z-B>7BoH#8TfC7nW4FkLlX|H_9@+af#eO`(&1F*dm1`uod7RQpb(fa*fw+WihyfZ=I zMi0jAiRUK-6J!jlUo?0Hf|kDYrxTL)Yiqyb_G>3@rt1wr1+FFR`2*53qSKA7$+KA| zu1D4aPf@eT(F^nF_5Jxi3OEtR$Zn{R zwYA6pjl$Z|fbPw)?P+cHshZ^`s)@;?w#vW2ZIylSYdVwL_@9CXU7Y2w2kcHX&r@T#78J&5i%E*2qNTw; z5u04&Azb0WFD}D1#WwC!?UVVkh@VAGqQmrj7m~6&G-L_v2A41bV zSZM|lMi9^K`1482>Qbm)QtdPXiRX9`2kSOXn+s3BSxsb4R6{@GmSF+pq4Z~_kTmL> z3~ei3V86P0fvcL2W_=JrxNmjScfq~GS&qI*jeW`70N+*rX1NhW_DsML`wRph6XYsj zHbv6*02I=DAiEh{x4XpJKnnIzuN9N4o0V~2ueJR7c6*Gzm0Vcn~o@p55S zI93@$C*zJSPnuZ(;WB)l9k60Jf-r;bd!-L3WzR*v?HdKu?c(Q;l&0&&QIRRIPp2tB zGwYUbE*LZB9|FzSpG&eYzDVJyWpdEgGlgRK@XchxMnBVY`e&*lxh##Al3?Hr2GawJ zuA@E75d;SQ(*=?IU0Q*maF6pbbtK0GyT>zk!OoBNln%Xc zPL&+bSHXw<5#~%s^Dj1D;%1VrK(h9=#}DaMSjB550vlHobvt4-alujTK1b2BCsZn3 zEH0&6sg}CmGgmEt4Ve=;k2ZpkKT`J_Eu1DRG zRV2imBwu4lL|RXmnkrK6-xRO5+6#Rd=(3I_3$=xha+{gI#Ceu)#&oqQP#6+FTemYs zHg24N!5iBA?!D#p!F?e#^ni77<5>{(g^yB@-PTw5H(yaRw~xmK!WLPAFK5w{R)w2> za=hv6xblvffzR)*8d3K*nfvQ`0KMFQ2h7h@Y%VuuZNzUWAU5yqO}tLJVb$^IhW&%1 z(^rt=QdK2tfANj}O*Fh@0p=$BZrLY3=aud0JoWP_$d^+m@imw@t~P1u*8bu}tLH4_ zRJESzX@JO{f>&%v*CMO-(`#V|J7=<2>0FL}JJxUdIj5yJ?@#w`<#L2{c%8>bKKeml z$=`eL_N~xzhla=oREOhueR)T9?eldL`LbT*AC;DI$7!oDAp?hx;%R;inJ)75eGAn= z9n}WI*H)VtX4Sjo?+VFJJ@0o8D`7Eb_k0Fb+*(|=@sQhW4VNoj7Q9+G=M^55<=7P? zTs~L-i1q#t#CNF+ch;j$|06_y>rOxP`ShAg*%Aj~=w(`S_0HJPu?PJdP@Xz#<1e?T ziy?;$@^jr4bC7shSJAK;-?Ra(u25xvIwFa&r8yAV6lt^fV>+e?crziVasSvkQ=_pLq2 zFBv6VE?3)g#Ive%mc)56uk&Bq1%Hai2#NFTwFMFI%4fh_3we zW408{zo&2knh$;hO8{gVf=tq880%RE^{`Y<3!lVxIb_$2FC{EBTx(LO%G{wcS=@kv= zfW~yLdRPqA9Q!Rbc@I*;XgiIqhUj6)rwFZ+n*6*jB(g|YF`F|+BU&lYRgl2wvGM)Q z`~GchXaO%m?~WU<0^uBOoJK=3?7T+YE$+$r!lRYp`jz3UxgNrZjS4QNvwhJmDASWd zJ@&=4Kl>(0CI3SMKkH?;eo>}EJZA}(Y|i1?rV#HEYvA~kA8;PEjYks8P!rD`m{EDlZCB>W9c0{n1A1T8{h(5; z3?<%hjnHfCV#>K!eIJ?Cp}11ha1+OxGuQSxmyUXQ|ZjCa7yjq$-3$-unzPU7Y z)NT#^PFo&l^DY8OtR3sgG>Y7C^I+1-6CK782%--`+4iY5v+Dx}%~<)yu}& z+$nxCf389nN^|89ha#%9SmjW(rlP(d7*CgOMO@*T(ovV-f)=*P=&Vb ze}b-kx%f$LuX)((abUC;UkZJ^yx_!_D*55CI?!j;jp2Jyo5<6X(Rw?erJ|o44 zz^Ga7jL$q+3L9X);Oc4!2_g_-LBghyrN1mZzRC9-1>^-i*!0qZCQXY4Z6)W4E!|3^ z&wfKXb?&Llxmuddb^F}w=x$ZDsTrKp_^q`?)L2`KTG8L%Jmk*SHDDHebu+5rNNh7iy^o?$9#T8u&WifATq4^|OW7}z z6}=i{dl7!*mD$Lq$SfgtSXyH9^N8*1SAD zTfhKI><=)-Jvz4Oq)tkZfWFUKkK_Wj9(|C@TeozaqP=gY z?`y;8ecTqL0v&kdG@l3dex27{h)=%cBIOz3xPEn0%MnKF<`4f|EX0ccW|BzJKRhPr zF32QDCgKUZGWb>&I|FpQVuWvo((TwY)rzk){Dqq9`A&(~GZZJBzK{2GnI#3fmhbie zgYba&Mh#KyAd=%^@%X~vW1gC;B7a>ssvS42+Wo3lVc(iO&W$dY8LTT(dU{L%(094J zc;$$FJ^<3Qo~sK3S`W$yjFqAcfd7_-K+}uC-dyi^BiC5KO{i{ua&W}^@iN)lfvYRR|baMhiA%@d0;!I}DK<~Z$ zsG5XV0ztl60s?0(Z#cDR0qS3$J?9|PDQU)b!C$>Ianw^hMb3eKz#L)zVkKFT+X-QH zZ)pfKObNRzxs4O*qc8zT<#WzN{+ZpX)J-C;mCeSnKKINUzsP-Q9&^6id1EdvYmu^g zkY+=DR^p7!06k1hE0o)43>nysG+E?)ruB%rziuW zT843~;b|=*Wb0j5>TIuGpg01FO%guw16q#`Pq#|kmm{V#K9|50$>M}<)T-rJ@i58ahSQG9ILtk&kNe1Ga`Rlh_fcQT+{ zKk|5p;23vkqy^$(H_I}UxiC@+&f`+79nK;@TfmD)Tn(ihBF@6RVo zcr&L{=mq7`^$40M#_sGtV@>|*g?3qjTn6uyCNcQqVW?M7po$kN1f5kpHY3GZqElqR z4e*>**>9RZl*pmP{MH6=+_=6zqsoeKW3)AZddYgwS*Fxpf!?`KQjxZ>$?^=tN=@Qg~6DbZq5TB3wU zT>bTT%fFwu9-PR9nX}Lv+v&UAk}Fq>7wPB3IyOXFNE{}#P*Ha*vDHmgmY$9#DR5bF zC48Ju;i^`gS4nsesrvB%{4SA{SV6e-{Iper_+#wy&gRjyDFbbk|3A?*k8!s?o@#ZZ zy*#GL`#2+DY1i?VO5d`xfdk&lX!%LU(XFV*^5MMP4^(oeeB-lHpyJZ&7+cS-hQbq* zpee?)X5*~-g`i&_QE6wkOF7G1yit%Hp}0SE$w&xQ<8c!1evKPK1Dda^0U zaTDC_S$Gi^{`kjB;<>_e98nl05lr;_)n0{AdDcT*tv*%P)pNn6pr1uKei0@~n(aq9 z-+o#4>h8hETbB?|cG(wZ`_n=SZ!ZNgNn9ezs0QVFGxHE}AW;J3f@3B}du93Bbyn9Z z@XjF6jSt2TVh*IPe#5Dz5z+75ckig(5XGLu@TbWGKTk~tra2pu@u>er&yV}vAE5Mg z{e$Lv5k^|T?lTc9@sj%ivzgQp+q4oy^sM09-;R7wBm2`t&kzEsmf(hp#KS#(gn6w{ zJ%Z{L`#t}%)5j#rtz$c95zFG07dx}%utOx;zL7n1FXW>Yza;c>{>|al>-6`5r68xl z6%u7|f#M*r*_&Z3nsEPIWlke{`duHww|6z|*qOrAz*sp+aOg5^RM>dWlr5V~f$4mFt}?ZNc~_ahu)?)^Vtlz)vB!;ePFeeg0{mw+&-J4X?n(tO63%C`TM|Ut zJkuWUXeE88xn$wf<0-3!mt2Xa$6gUNr$Y>R8|*i(Z1L$Ysp!d^uT*4KoUEx>d?iti zdLh6b@|4pouKwb12Wy_6*ZZm-St=KqklN+{ZnoA7!A?!#+#;<8Jz%b8yDEZj% z184q#!T?@}R~<<)5w2>f4srureyOx1qXNX7o14DQthH^!wJy!BXMIVzXv=515)`89 zieKLYy0!ZZsj0MUS4PmvG%q%a zQ?MR;a=~vaRHkM6@Y#CJzG(x`yZ4@KI4ru(Km}BJcwDJ6Jm>OCFbd$mnQ$IP6Eh3X z0*p4DzBNu_J{mdA^t0f6RONh2yqfQdSi>)clezgEizE_d8wXX2u;i<|%jxc!USuo@ zmZ|Qo#(hFYEcXhwI;XZ8WwsB4D@A>1#W_7v>WH&V@yIXRp|SWFcwFKg*K+cg08A+_ zKfn{1x!40qU_G3M`1#?BQH-PWrqvv#a&jn^!8tIcLPH0vJASnDbN+MEJ! zXNw6%11-QuRCUW<*p}Ag6{~j;ryR^r zvpnMQ&#(RopN4t0KS&KNeCD+<4*2tt*&1e(MuNQ>F`RyxXqiHJHUqmXiGV*ek&x!vzOEO{b5{g`dK@9KmB!PwY7*6O_b)> z61~ZTs4Aer_1%2okTjNUrQt?4)5DI?<6B5SF|ueH^znOJNr#>>u*;-9m7>`F;pInC zZ<8$$W6JNhy$2+?y!8>p3m0y6K6)%$-}b4s@7&%GGS#~?8@fZjdk;uNWBGyB;!L)c z3Wrx1NkV-%W}%2#(SLqaq4V}ZM16Z6sg{CS@pjxbcwrstm4SOtj9 zsxU|p-8pZ+V(INSz1&U1ZPSwIvO)lfKI|!w@YGr;I*o;ghbUt6$wF_k`JoYP!ev_H zYw5sAr0|We{pe4Z^f}4cy65-)!jdOa%{IQAYuaikjd`3O{{-%&)6kCJrq$Z5st6k< zc^022r4a(*bnfuWjqi>R)T!wp{UCZ+#m5ow5{0Wwi8pE;N4d@FVDI^MawF=k(c+dr z!;SV#fEl7cHDs~H@hw<-vukHD>IlzlsGE}`(+$pQdvq8PF%9S4e=qBX#@7auR7~#w z(PuR*k@mIFzx7ZLH~5SPqO~ZHx)$@VeO*(V&Rl5YK31bVDOQ}D6-W13asOEG+SzgL zyz+?Yb*&AWH8jy@7e<6^`)!;19|`fCZi!g9ii_(g^Ex&)`wcN_24&EjQ+R`&;Nt$HK<_ zTLdQV9I51|GY`|ynrFr^&bJ=p;mXVC?>o#n6=+U(y$_Pp-k2Us0nkv8mFnj2u<)|0>|W#pb3DPrKM%GirQS zt@xzsJ;?H2*HL0EiQeos_teXE1KPaPeMGlg^TaznIAfN_*2@4hp*P4jicooGt{N;p zUh^@oiyaic%4i%=#!>HetKGf`QYJ>PU^bt!@ksHGNCGli{GY%OY%ioQpmIL~#d@X{ z|8nqKx0Z3RqRCt1!|O4-!V4U~ZuYN*yx`17*^f|o(3o*ma9hAUJeuv+Qhq+*pPrFF zd4!-_jL~F?Qwm|{BfTa3c6!eO#Z&cQ%EM2t+STPr2-Mc{X;cLc{5awHO3ClQHAG)G z*VnbIevPk@KOnQ|r^}PvsTr9~zMj`OFo^YEV@jW^-Xj|-^R_(dtROC&4op>@6{dKS zaLcWm$$Qtw4(oQ$P%%{xtOD%Kuiii3CC(dh_K_e;VBD9jQcm0v7bF$r@6s_a}Z+Rc_C8XC6& zDC*!L2i!OrR>EHO#uB2bD4)PDUw~M8}jKVnx+!s@Y zFHD1f+b+5u));!Zl7Ktd89Uz*A0&{19C)KhF~-pwC`fl~n?R=7)h&9r;EE5xf=P@< zfXNEfZB8v(i66LVrl&=u!moTXEoz%y-bcJ*DrDAdf__a%%&Dw))InteOVj87)2 zvq!nezJqHnSW?DtW#x(M3C;dWR36wfCVd&+{!TI4vm1KT${;4kYTTYDNXyQpjKI%L zE??4Nf*X&SUV*E5b+?mkA)_E^pn9XALNv?HkhWAiZHlkBC7-m2@fK*$=H$ z2+R8b)fD_7<(a>*oSTK&pf+}m6F`M{?!Z}NELFLW26B&eikAw<8oDC7H3-d@{dBq1y@^7|V6cEPkL*gn5P?S|ZgebYETkkXAc>Z&u7eRFU9l z_1sG^A5n#id3|k_1>-2f0ttNkdz@d}ddy7yDEQZ|)AJwbE|1w^dwPt?^V(H#Yi#Z8 zX2MQG>1Lykcr{v>WHtD^*B=6h!gm{S78Z2=kvUP++ky|eY$}nvY;)429#A>X;oDX) zw#fH!HHe~hQqLUDT%9P$TWaop*soX%gA)2miuaXnjeWm5A~{TIKUp@GSNZK!%mQTi0e8yE=~=eU%S??aP~&WORKvjXrsw8UXP^B|7tJW6_@0H zNTboiw&DK;ZSJD|7qduz2L(J2-6MHGt}^sP#^+neJq>XV2Hzc+Q|vnLR;t-m1&`-E za-9Xb?Cn%~jJbG>c@7U){?Q3$e4KMZ0H_j7)tM8IbX$wED~`9ZANG$H%>gyo(WPPk zsAeiICRsOb>Q=>)rp??NQx&*YN?O{3qVLj6YL8dszy1H~6lmBSJS+5H8Gm7htIUJe z{#&QOvK8I$pQ3Hwsqc$?0`^|e7!XEG3e8KebQj>Oa(*g?mn!^uULR%U{fQyI?Ts>k zB#yu;Le7L-bZiOe2P>N%3a4z;9hGgpYw!5J_MADx>yyi5jphnm7^3BIwQai<_nUq6 zJRR_C3W5h!N&ZUiK{PmWK%`c#;Y`w>9*?FE84;3l>GT!a7lhfHcA?Is>t1iKdo&^W z9($b^wB(niRv8f6Hh<%|f(!iq0KDEL77#7!N-eimI~YG|Y8OV+CiP;qRH;&Mzq7`s z4AbH4u>PvqM!Mg%z!$Y?Z?No|!^+@wo=it{XVy8H8|t)JbsWeP@Nn;$&tORHtkQj# zM1c89j3SF;V+p}sFL51f>TRZ>1)ku7y2z7FRC|Bw491SO$jlb>S(@UG8mMxJ4F&;5z*by@wXM8+`LcKNR%JfCA=yp zluSV@S&^BwN)9GUUBUQOR71<*EYER;=rRG6rd?xoZ+yr}A@#K8!zrd(yu(Yjh0*iQ zKIAyd=g$OlWT`{tDq-5}RT_oVvP#gyj8ZP@7mNDMmx`zZeqi6n+M60XX8ov>x2r0n zH8p#F_50TZboYIWt!H;;;nufs!oS5#=GpGsR)EO2!ZJkr)d3<4w+f~Aj7+6Kw1mmH zS>hA8kICqon=FiRhLD%@PCu;YHH&Ib^qsV+9`&D2JiT3ec4|G(5wt??hqaiQE(_XD zbRARNIdrk^HL)~h=_-H6L6+06a1h*Z1S)vg{7|P}c;O>>xuS{9GH#j2zSD9bMy=e@ zsZdO#9>M`O=u4>4^(Qn8N2Fx=r?s;JC`I>@dB{q|`J?sDuW!}~wRpuEr?ev<74wOL zu)+=jV0yY~EL?oPGef=AeFaLDBgC_8=1c7&Z$TE?*f0I6BwwMYycxVel&M-&37uVK zI)KS^#t_hYd#>)TTtjf&RnsKjq>SPbGW(bpEL z+f!LqyJ`UWLu6iu)UP2+i>H@-=bFCAxURn^;ZG`;`}uNiO~Mzm)I_gymBxv0ZqY?b z>$kEz_85wu<%?(V<^E}?p>Ihz-J0_^fsJb(n4t$=*#9T6A*ttSFcwT8WJ?TqB|Pyk z&dsBa-pff652;kx%vFny@f1Tvr?Xu*P`3X{ZlEzDzT;#c4&|r1$^A2DI6p-48i7!& zDZf}4KcGihyD+5wkhNW7w_5{&A3gkPn}-u*3d9eh>`@>I<233$o-*Fn#{bDS!ZdVC4*8eFE^v}VGti?n;|7{>yVxRnW@yC*5uv*E2SF94?ADhCa<=bGLLu-IvMpI$Ut8PW9HqXZxx=({!|&(p|ayv<&%ma%vTInuDghyM5L;k&X=rhne5SxGGJhw z%gh(X7d=dEqYnZ2jimk=&CK3fJ;eIppp1RIk{3Ei>>bey{F8}$kC(Ftg3QNuCF`sf zO)b5?Wei&Rwx@*E+@hDSmY?^0!#Gjo+R9D5`1zGJC*YDEiK?A8Q8yBye&L4erN}6G zf2|!M&+Qf?*nafETJzSiEmi284uEH}an zVNz1B;Z9!NQe}Db2Em}8J^E~Fl?+fR!XoBkVOhpLeYh%aUiNGyT0rb$IjNz$7Uo%O zoZYGOz+m|mR$h0w9>q(7Vr8uNp zEKClORSG%2OM5nySrq2Q!P} z%@%*b#xt?0#dM{M5lSkoPJm@vm&5yDxZ($sK#C8z zw}6}dCjKdP2N~VIiyt6S2TSl*4K{_D1WstS8=z8n8&5ul?RGfsN*v{wMcX(y@}Z)F zy=)L!?(kYm{*Iv4hO`-Vg_C!_io~37iGwY$p&jH6D9o)h#Y|_i)6~xMU9C_bowj9G zmvDv20_YYI4d~ej{1vp~hJ*U<3O&&dfrk5z@w0jHiZmjI6TY|eJ&XCsgo|5lY3lzl z_m*){w_Dr)fJlf)Nk|Qiv?w4jLxYG42uL@GNJ>b<&{EPVH3%Zz-8Gby^Z#!+G3ou^r?szd6XS6_)@m|q3B7h@Cqiq=f4Hef#A#@;n^{>P z22qC=#i)=ZXEErofX%Q_O+S8*mTNC3Lp``|ka&J7q`DJvHFJYohmSs~xih%G@ODV! z=42k+!O^dWyK=YVI_7_?&WNOL zAs@$)ooVJ4GrFFKIsX!7gHx;9nPyeH1Q>Z1zn}RY=XV&oR*#t=ovca+y07h8E|;sDSN@dmyuDqN$Jj0_<_0 zL#3}UUta?4&FdFmO%&lRvVq(ZoZ_78Q3eRH1>6fE8|b|-xl;kQU8)6>(423IidZ^& zh!ak67HhO}=P626-+;iW;uePO4P!w055@pM21?scHmM)Tx)gj9{d5*KNI>oA{GQJF z(8z|nInG=!MuiEqu`D2@5Bb(?S>Bl^92tJV*-Epj;Vb!U*2}$2wB)n#!gE)w$CIBZ z|ENztSl1-L-y}$?EEs$d?o-ks_}#orYfyF2;X~t5)uye?c}d-CHxI`4J>!IJ(t|?W2gQoyF@vzP zc{b-f1IM+lU9Y=Fy$~;yKqMiu=KfD{NAdozzn~vz4C&rk&$nvQ z!gCH-;u`$^$L(==m)WdIjq>_@o-KU!59Df;Q}S8W_)ux0+HMMRq! z`ias-7fL#mOkG=SJxRndiF)+!+HU4-!|St9ZZr2`;Gx`3HhW_)1sL+vd-~WF97uH81Xl;CWN(BQqo1f!3Zj z!5KFAOh0!S?zI&csrpyXtM%2H@cP{~@*|zPcX7r|6R)luLm+vVd`97^5xYzGL=L@~ zw*ds@FQ#L0!HHvqyLV30;;=$E0!TozkCw_QjZ3P2hsl3YMt;)c^@YL-CZ|tFuvcfUaP7KUB~uB!b(qb08|> z`nyNSORkOKF6-g}fCKhUIioM!m1el~{mU*aN+{?xj)z1#_v?oy#F0pqE~Tr6%N7GR zjnYPrp5Vg$5#FD11}J{=<){c_pt)Hx_aa4RA-&zeK|T21S1=@sU|G&;gDTnHMU7|y z!S{wuydZG=Dgd!JS&nBNP3BYg0<;B)-!RVKWe#Hf%`URYap$kXyw@U*R`AHPS=U`@ z=gmDnn_APP`tLx$RulRg?{lB-I?Lku@NLAMB1a`aNPbzWEWLY|)cbw=OAUVt@9quD zDm&2&3;NPGU3a`0_ax}+H=~AJHDrc1pxJ2-WhR?Nnq?%Q#f1H(B^F`c0Ou)_z!Ywq z%0jwY`m}<^D{Y&V&tK-V`2A}H#`R~=U=LI1eI_4X-h1T3h? zprGfed_V@RoOoUZ3rO@(`69|Yjic|Wx^On>C64c4YMO?IhDT?HLmm?`l}DR=f0eeN zxR=i$X|p7v@3zFEjvLMMG&6A1@w2Ht3G~5g(-8hm~S5QNFd;CJEbq;o|k%jSgkB z>`MtYa;YRm_*+w_++4}rBYmZpOoO+p&Ssk1n}Um<+h}9FrY*=p{CLq9JeIK^_1aYD zx$AD~F{CP1Ca5;N`S>)%K9&vZv6wtLCcRh(R5dm~E$4uro@$%4C2=-_aw&(5CWpV4H;$j+oy(ur1}r)5>l?HIQ#LhM*o^$R zT$6YF(6IlGM1)nA<;PvJD+Nb2I7W{EwyV?FmFs%HH9qqm z#r1*x{ud(BH>I_$F+Sji)!*|^9J6PfZI}E~xa3Jet~QR4jU`*cgI^2hc)w{`Jp>p$ zI_I7qp&+4WeGiY^!>YtspAObK3Ti?=@Ahl_zIQNiEc&o10o8jf3MkFuym}uh3_OlH z_B>5SxS!hf7M9R(G?Oeu-%Bx`@4~~`K07WyNe{=V8PJ1tuzpQL(}mv(`WzHa*67O0 zU8kA3=jV%5bSxB8fL!WH2x|2ndX`O#)z>|{3M7gUJ8==h(e;}d{k>a3?T_2AvpnH#HMKPcv_C=v%Ju@! z@kAkVdyY5PALwu-yR=QEuQUXAwSIz~m3*ZG;0>P0o(T;H<^f^ioLiq&m|-mdcufg7>@vm??b0iyh%Ai;)rgCq?v2(K$Ril>n30E$)z% zkU{)RNL*yOD;~BrDPDBLDB=fDpBcEh|3rvQ{)rH~KDSS)xB2;V&sSNofV|p|jd#0p zI$UL}Rt2l&B*3{zerei1fuh5Tj8zzD2S}5th)a@tU=y$ zyujb(qUc944>THnkm8b@+3s7Mp*!D+H@SD}k1Ea3 zp)?EEjqJ25KlVMOJhW(Q+vSv#I4UrqSbFCo8H6Kj4)h8dp(!R+9#0fyU-ep-b##`B zWDmR$a*k-~YTVm;InTn8y6$j0H&iXV;*1vP;H|LFK8~o1<8qMT>u8DEB}{r5aPgjzi&Z#>X%pg||h-xK(|X zP*=`>q0oRmbXg->6`(}oZ&#DxGmDL2=K;7Cjw1)WTKAH({9zB zAED=gaVeVIeDMW?vB>HM5&t4io;netCvrfgu~_Tg(Am(?PT%67Q>2J2Y{Y}iyjCji;cNXH>*}=z|ZK)q|(3J7hF0<(Ytgo&6X#ktj$v4;;mk@0`Gs)vwdusf{SRU+sju_V4>hD?j}Y{0SGs)>j;Mj00to1$&<<*#Dh1(~71Af*8D6!ya(O7MFI3LD6_$_ypgkK(EoDJZIH z*fC7D%EE+qNN8-_C6UQ7ETOJbDOb}@(JF)-b0B{WfuL88Fi|zbED^Zv&)WGGtDzVh zbYE5Cd2!+^Z9X!kQ}g_Au^i1?%=(dAJ+81NPLCv$HnX-I@eDdhsPSNxgKOLLFr z>!W%Tft&#HJg_>-f6DBr@sYzIuP$Thj*JU z2QDv0cx{&BIRmWiLW5N&JQ9!L><#-s`7!s+QjZIPJjyMdJTrnEf;WL-s^L2HDy zUB0wt?v8u2>DuF7f#boi&DEcZ!gT`>DHoe>k2}l^>TZng&mlzb+|lb%8nmSl{LTX1uGOD_oO=&Zz0%7= zs$N?ZzRE3pG9($pl2o%CZ&3AXRraK4yT{fls(zn?lVw^Z;VG{=f_k+&cy;n8(0#i6 zWqFOE*i-b1x{ITpXa-dnvMYG7-}oucmo5BS1S;1S;sSG&ig}E+L*-g+!Z~yJqf9NB zP<+^%5+9=~1FT)bf||HGCxJV2YZvLVOem-gv>THJ0beWemn;5kHO9id&8* zV6iJzgKY`l*RTT&eipD3`*GBPy~$jK2qv&m@ryYAdhzk+-liUY^TsQ#g1(BuqjQ`wRCcNCYMNd3 z7yw{Q$09P6E!Qyc;I{f|$+;faf>+7_Xl*SXJ}vpYO*{JT>jKB4nS=h;d6S=9ZuC$$ zG?C_qW`{0;M%vJyy6{0LZ+d`SngrmRnipIad0Tf!o%;+y$)mG zHFmHq;EeQmB%QduY$h1Rjb)v@;W;|>0n$4_F0yB}qB($I0&&rp=TXn9@CX2=domz8 zW?h0h6LzB_8WwjsZcjG=lu%ti?6LC34c%ace??$m&A* zO!P~E!VY4s4M4JB0u2nBO{~28`vCnEcNBzCk~w&lC4QCoJfQ|ymoN~&8~F51KMeumUt zl5FlT!fW6{OJ+2~mUr!Rnr69h1*s-z)Q+Tr%iOQF89=umiBi!xvUbf8v-W6VJC6lhoh2g6Y%24IJWB{yy3+BIKe}Jbs z;yc44E`q67vz1N-)Q!0}BFNJ~LP?+Goq$H?MA~u{6tK{_0Q|Ab*SqDWf+y~AoC)v< zKIzzWEbAVu^jire-=0TI)BK4PO*h24$;H3Fy6P9uE6des;0r}3Q(}(Y+|K~IF!YZ+ zr{%ibneMd;xfXR(;v@Pytas^GQuG`K%2u$9pAjj)dE*=OFvvS2!&pLwIM%Qw#ldMz zZ{l~#Bg_@92mZ}zRI`H{@36m9zgsif6r3f#i`<6{G3D2y<&N``79?F1zc3*&YVK92gPVkdwE;2_UFFftoRyr zS zY?8QVF^*Gjp&UWEf?K=6+t`q{&zBc*789XYIYhh#MG9aG7$Z`eIrx)=>=sJ2D`S19 zv&wLVFiOgv$LXh#f?n>Xo`ld~$h8pLV*T|aj}C(k@SSzew*Id_{qrAvRAkaQ@VuWC zgTw^4&U^RPfSwK~+jycH#h{fnBG5c9!-*^Xqo}}CSE^!HDrzZvV*qQaqE|WMwjr%F zrtT%Ah1d^zlSMTer`Kc{BK28DgwNby`8AH7J4=MH6T0h@p~iJZkp(dm#H}@&oI^-h z{`u3GLxpkq`N|9rNe@d7X#*h6TfR1};=2e=uMhy#XKc->W~dKz1~~aPSo#_YRHgOwVujK;)&l z<$;|x@~TeWFEJv=;JV9;(i()zMyd+NAtXL(Z|tML$+CQ}dA~As-w=g4i7P0`H3UVQ zJAB5K$cvC@=b@)0-VPQPA#^({dyBu4Lb;L8D>_V7pkb-(H5R3JNf|r=%em#F1g2Uj zWmrQntt~xFpgc8YicfU8y%)=_`bhyE-kbFrD+Q$a&^U_}mgpe%LwpyH|6_DeUQ%PEZbYxBkn zB{}0a5n|?ETeA2HE9zKxDu-qBtE@1CZv%YO-BG2_&wWpbti11fTj`&!J%@Q2=SI+e z6)V+Nay`vc`n*4cj=bd)Ap#xMP(Yh4$y@SeW0$Vs)*ZE_XfM5nYZfXs_NZQ`KVvWp z-s4Z=Hy_@69COWeAJ`7$A)4z52r#Q=HlP^spSDH%84<9z&_>&-e=ftnUri5Lu=1io zLI-!|Oxj@0cLxz)&eKRbV>kUDz(_HVACdTn*xvK8X}r9Ddb>V))8Dk#ts+HU}j zQlsgDDp#%KTPT;1>pQ7B+l{O_3zWabttTUoTPhfgC!tKdI$*37=+r~h$?Z2VuhZD< zq(h|usDIrW)a`WiXXssvLq0}CK90bc!FfwyI4=G+Uh;U>74m1W+F*q^DnwRp&*8SM z2^$Dg&Tav#WxWXYgjGO z?kr98|M5s!NZcGLP+9fAKV^UJrF1OfoEMmL!%sFQrSQ2&`K{bvxv=`n>9R)6`s4m$ z!O|yA6-@ts4|MXWS5!{cy2$UfJ=5*WUX3q-4$x#D6SPx6{S)@b0OkVI#e zK%mmJawt2IQ@3RFa+94W@d-rGI4EHt=$j>P`Tadr**nj_u)Il5j~C2Q4jqSzKY*yr zc9vLro}j;~aMk7(T_KlLuMI;o++N)ue14CRH=H;sRlC8(Gv{Yq^2U#m=XawAO0y!y zZ@`1`x& zEm00O<{Y0FAs!|AKVjIU)zTjx1&PK@5M{ zr~>A58#UNeYg#}_A4;$J5&7u}06+J_W0;gZ!$ukOFN52&wNFqCNTLg5rJ2?3&=9he zMCRAGe3SI)L_$Z}RQ9P#+214BDU7Lw_i+T0GxK?bg9Hb2s7}ZU2$=}ciI&`m@95yK zyu8k(d!Vv2z}o*Air`Dg2|wGsJw&Ligr1nq<^4(rJ9Eh56&RJf%q<4uD>0CxZ_^a; zV9E6*M)8CaCH$ZVp6eg!Z<6>FL0tXE3;F-?*3HqrSEuXJa&vBAhL*j$tlt&WUfFke!8a$Awykzq&* zk3A~5IqPaKe;63dts^?8kt;6Thho@>2p1JsvO9d^g{s~|J<7f(^(Me<@*%mm1N1Fqg;`3&DeW%>GoYArh~OB2+E31#D4Orw;i(NtBH@(t`W4t;nf)>FQ&y$ z_f*e~M=7d~+$^WHH;c5^8-8Hl6&Td+u%@Z?A&AN&(s+a$~Ic>GV|ATEY4zuk0&N1u~|V-L+A6RqN8J zi)*6t9}Oq8X_a|8e_jALkI9{z;}F2Og8DO7`}fG7ixT(EEsPQ^35!=QHJFq|q!CzY zBq^+vY-N@MxOTVqY3(8@R4@$_-#Hl*Tja2!HrSqpUL=u*a&N;2)&bNidM&eV>Al|P zb!h_o2d>?cKZ)%tvB#Lf@^Th)U973vA$S&@$5IKY%9{xNiuX~n6u80KLX|(!BqOqS z=+AH;EdZ;NFHjaaV`Pvr6t=?t6JZ&an@Y0+&~g+V&|N$vUo9Rf z9ZS%zAj$l~0!4zxLlg;DHX@3Iia`3FZT@)etG7{Xqi67#q~{=yFIo^&!U~Zc%QzTnENau4$ia~n8C9~A*$S!eaJFHZeG11e??TJ1N7>+$UljOnr`Q+#?P&l$R3Q*vJ9C#4C+$yKgpBwni!D``Vp1T!d zDWdhh2^vS?jPo8igQhSnDQMicsFJidQwgeR zPR3g&@qE-b2crbjPdFohBpZj??u;IEpPJl|XbD6jE{v%FT9k`rA_|(oXCX8Sr)2;` zP^V6Xq!9G_m!q%G>Y5&fIhL>|xa^lQeBO{YSlM5m_T$vinSw(*EWAzY~SRCX!q-qKOrd$!oyiTVgTEu z+*4ggQ%GjNd=)Z-Mog<53v({Ddd6DXrcPAnqzoP3gKJC)aojYl->Gz1DZa;&(rpg3 zcV&vA_Ebx0{Sjns^3Dc>2yyt5AncdR`9XxZ$yVWIASK&b)>4gdp{pbt$X>+wTrl-9 zCH<8GK4Jn6J7J&Ft`Hsy7yADBP2z2q7r8`h(JW-&;(weqKR5`hv~tQToU&D;7RvCF zbk7MfY?=t4YIbGLS8g_)CU?>-m(I%=!!$TpBor$>n0D+hS#sV2*m9xgvjC#3(4_k4 z0p3qMZ~Tj{)~9QKDhvWxKtMbmNwM7f@o!&cLpr9{1XvP9peqh&3JA9v50eg)Ed+-y zPDq2Q^bb5O6M(0M*=2o;;Z3DtY<|xy#xlqL%<}>9)`m2Xt2P@Gl=EVP7wk|7$aE9u=EHB# z2X%Il-RIyi&{oxflT$aw`8&ggtKDiVL^sZ2!^}FH&f>HDNu~qW)kQ%2gL+7dF1{Zp!92bFh?(I&9pSn(%b~_2E`A_5Eo* zm-X9K02sMM8-J{f-RI*e092j!N0Ans%BLhj@^u~7E2D%oaWVE1;9dk88v`ZF@x|hn zt&Ch*PMC(FnTo-0zj+cOr^BH~xH_hlaf?Mlm#DAq;8HRT?bahvTlgJkk)1(1LE#kr z>Q_SO=s`J!7!@tATw)NQeKA3*6}q+@ZEAY3on)_j%W65}X)8B5G^p7|3tzqhVul*xjtd`>T zCt^@W#^4g{FWh6xgf|oF>F!^!ol?5aiLfUqJ59=@o5U))QY~ky=LMSIAA9YED(E)T z+mL-E()JJx<+7mHzSYDp9tJ#AmL!uAR2#f{c6~#{W9c?iH=;w7AQ%7Bu!--bS@_>z zcgQ6|kON%)pT>d)!feO#1pH!R=yz zE7!P?gdxaEbgr)F%Ch-$XY?*;(s{-l0y%7XY&-{_AFT~_I|{>UA&WN{sQdUnxntt~ zZA|*NvHQ>UQr@Ph>8b-jHo z@z6g=pVecX3#|AcB}O8N`VyTek#jy9kGC{bIj-kGzF;T|fFw+s9voO(VN6EG5a7p2 z^++FDP8K*?9n3i#$DbGV>fB=PMa|0xj4&_=sxkleJa6BR+DGF@3`qZVUQyo z9sU$I5hf291O8KsUk_nBUU%7^KQ<8axVEmC{G^^Af3?o@a@AjceDGZV-DKUo+x%ET zD+lL;?4lKXxT@k+!E-AA-KDAdq@y=2PJL^oz@hx)Xdi~oo4>Poadt7VH^~eiq-kyk zHyj&rRqCIl@Km?in@{>W7EOp{xh5w*T}sojpB-wk{7`znOf&qx}U$ibs{+F=M_C}H`DH>bd{hsoUUl7U&YSUYY$o(Aj@tKh7nKUO1 zRYXbL$sbNB^!i6@M3{Kn2D4ay@S?K97H;WUUcUGoNf%R*`fC$0*my3~f+X{7)R^b$ z%gX+f=$F=R`|lNgD04a0=!K{ijfc_>CB-F-cd1w4A~W#)Wh`*He0nk}T)DNy+~xtL zsq`z;3CKHXEeJH)d0?4!nfnr`?PcnJ4%#4*=9PKdR6#Bx{9{7*GPm6?H7!pPD!35K z3t#Z#JVQqtW#>eQy&08wn@!i&jprTKhUeXWi6ueLu4}=FQIer2cCw~=w1r&#`F(zYz1L;Lv2A%Q`4lH7fR1v@i|3Mj+GfADZE+E>4%M z3Q2FPXZS~Vn)A1qyZKRx_RL zu5LVAXx=(>m`0{n|4!ADeYH=1jr_&4HDgL%rlC0h;?*6kYw2UC@ntcUp)R-RSw7zp zd}6jwMB+|kg~8y~D56hUei>lmSG>E1zN;D{k`y+55~mD~C<}!g|7gX&mXxD0{v1d&X5)lh#mVnRjtC@-v*ri0#{8aPwL)b`xH*&RQ%n^ zBi{sw1x@Wd=msoY!^6&&%KLZ&2BlW%Qs13!Jr&=pNy+abD=r;$Y_ul3hKYdwhXt_M z|8$r?`h;h9Xkzy4_}Wx3R-qb+5Yhc;qj)(ecKU1J{m{U;zBBhUEMa@=C^>L>N%y0c zkm*MrMO)94Cb`A9C?KK8sB5q+9-(fx&6DCQ9c6theDjzt>df2UsZ^sgV?a?;uLKdG{n&O-`}f>j+r4oMaF#S3RLhMeJR{ZcCe@9MIosHnxfb;4>Hl=C#QR^nokoJAvT^UFV`T1-;0 zMN6_Sa`cB5*W}El#j${z_6}bjE%rG-&AFaKW;0^aFUmKs-sMyX*j%oI z%p*5k%+3SyJt9PQf(qWekbvy%c})dprx7Ww^N>n&ux#FLYF$pdlb#)@Tp@RS@!V4ZJx?wDJ1?C8105|DV!f-@0UGdpn-DZLErq1ItZ= zONf#GaqP8W;4!l?P2EOIn3NeaZ<+@H4OD&Z#2kigc=A%zwh;KxlZ0H>_J$mM{ppT1OuS2tVL=!i$pdYQJ zn8aw;a|BBHK91qsmqAnZbSZL~Bqeup^7tbvA5oNiKAgaR7rwL`OewRe%!}@V!+Ui% z--tC5duUULc}i5+pfzatM%yAjiU*5t#FtX4xC@or z)iSS66AW~kud1J2ZuIg1k@e4!#tAh+Sep!_*;A*!VwV6#H8;*3UP>^o1L+)#1q1Ld z;nw^EEea&$L!+gGG>ii~5awA_-39h&I}$bg0NHGKa)(D5cx1F|dK7Uw%mKE2!Y#f+ zjfq}HyUnxK37O%jeFhiLy@5b%<(JVUAi@u@9Q4jqm%i6>m`f_xx6TblRSVGxy`kT9 zjn{k%i{@qk*|BuHWb>$VEYBf&CzU67lQ#m?eWfH+APa3Q^qeSX`V!%$Yv6u{XC^D9 z4g`1IW=wQVqLBWb@hj=A9b1waC&&kCC5)7jI*v{F%vo*}38ph}1h1kHMw9*?KxqH9NqOEI%WB1`Jv$Fqs}G-N6VH zEFBrRJb!U?-GqwQvmKD-gRR|?F1WHsXIud-KmMW>AsP=HLYU!9%q*ZP;rdERf7#AU z;eqfe`1NUL!SD3^1w0=+mAMGZcIR;uG7mGmnMWE)Oiu}R!98ua%9X)NF?syu5UZAuSjW#80@Ccn^mlGl#b|c8%YJOJ{-~lj7G@w{ zVK!`usqZ#dB~f7vrH3|~!vZl{E?X|iFAQp2n%}(t#etC_Be6_tQfUFn%T$VMw;?Zn z$kI0QNEZXzRt&oL{5}IdCWh^=8r1k=8B9<(GX4l@iUV1LyPG|4IG7C-Tsx|_`Wir9 z*3?)()kr92!`rl9w_U!Z#I%eRYs7dSPpbD@CQdndL;1-Q?fAm9?8iCGe* z&N{m_f~Zkdz3Cbt)OWeP8P!E&!&WK$b*@TH613%M1b1-*YfK4>=YDSCuMYq?_yV~G zpU;M8JuaJ37AlH({)g%_ZNVnI(8~-0I@@zDjUV=T)8?xc;cOXd6-AT8YfUFxy%L9z zCp()15+I$o%1!FMOHGiSYM%*$yuCYyZqi~g4XBOgcE?;%Mq+%a@rLNhLO2~G=zBKO z=o(O53e8Ecru(e)Q+&0wFw=1zQ|lZ{^p2;5k0uC9un+Lv9K*BGJ^E`ooF&uFqHK{M z=g{>!k{TU2etS=}j$AUX_d2?&u1G_s6^P0zCiLBAume;te=x;LRU}j5j&zSD=u;PO zZzBsEx2q<2hSX;x^4;`Ilmb+l86xa&JDk-n_`gy8R@G@?X^r8LM1{7O=vMXmh3tt}Rv~dpmufn^3B=00&%N@#dM-$3v%*$F z%w#CFsB3?i43M=D-0CrMq0|eJNdHa>Vz|_Up+V>Cs|Hq;z+{(6Yn_06cC;P;`C&Ql z)>*PmXt!`bnYr`Yo6_ekw!GHD%PTDpy5~X;tFB5|d+)oMW zPa0k>WbiarnK2ist==hKvs0@vKCHFx5slN5QzHT?i5`7CKkFSDKiHtF>KIS%w|fBW zFrTgpp(&S@Y+H`s^&c83l(;;W12h)XG?iR6625Py(E2E5FBJm)MdQvb%jVinzWTCk zpfq<$$h1SVXc-OhQq8#IPraw6N40A2s$mwPpc>~G(e15+-l9fzrKlO3=3R9in}FrF zJQkx@Dv$MC1MdCKHfQeBqfkuNb=VfLmpVKjIxA2|ZA{acv9PU^wXe(jKE>Jp)#w9F zAlZ}w>AKHUF0i{+yte}g;xE<$4I0E@I7jQSEK#66d;Ge}(i$zG5s~lx&82G&Qf`@g zkT71=Za%&=ce&qhSHzjc@K*n6je%1e+;@y{VFM#DE_H?Nw`v5`S|cF;^N1?5Ea=

y_R45CmG-Z}{=fW` z2>)Z#s=jNwcjHqrk&-bqk)iD9WyDq_^%s7&0%a_EfA2RQtul?(P>sVTWfnNblH1v=2*Pb62?bzu=$}`r+!4KsxwSI)NWhEF=DaS ztfK5wejy1uX`cxWI+?w01Q*Y|y-aog7=kF-nC<= zy#V=N90BihC$}!FJ*#TyJ2iP(Do2>-+)kiXi@+_Dh*qW#Rbp`HvxYUoePW61B}-bj0ab_u9uOps!r`NYY!o1^ocDufA*E#!gBnym62s( z`FHMy?zW>J2gRM1p1n-F%IA&M?an{fQpzA%2%(CxmQT9uP19On0-p?`-;WY}regl*Hqt}A5^KmzeB1Vjz; zFR4@fHEtNbDdA_K=sd{&Uc>?H4`ULbCGFM^Z3kv9bL_#NvEcG498s5h0P0NVk?ans zgME-PUFOOOGjfDdNO>WGUG8!$CQ1&<*I~jGe}zlKIrcM1bS!wntt8azyY}ZG<5AN3 zjrZTcb_n{UOcN!`uLp)2+v()I9QqysWv|G?N^;+HeXkW{om)0ZBUva>#Yq;-uN4f} zL;EJ7fq%Ot$@VGGWn1l1O}bM0`TZ?qjx>*mr)(d-ML~d42HlTLZ1BUe*SrhC%21}t z%8B%MqH+16PvmksRN0_FxbW*A;etRMNXYZ-ZvFbW(a{i4)Kc;JWYbTx^3+rm|X{g54itaN2=^~DSZ=cmoA z>rRa?$;WI5N`%L9fxDGoa+TJ6myJ;RMA}evkIh9=YT;v90L98g-996xq3cq5NZ$Wf zf3re$n9a0*;U1_`o_B~=(#+3E!}W%2l{Kb%$+J-lzV{Eq&Hh@NjnQsXlC{aBr)*I< zmHjHsIB?5VW=pt!guqM=n1tHAJLPKT6pY}-HO!Sb+Hh^nBGbo6iO41e_5LJXFZs>w zX}ygeS7fN%I;?k4s=Rg2I(jjG>zngLF9-CCl7LJT=O>Vh>giu^-({_p#(dv{sSmAk9n=owO*(6$A1q==l)JOHIHRnRF=19kj2hqaW z+Uf!ruVtoUnR5lQ{5wOM4DN4c{`Fx;-}w19I;QJ||K88X@y8vRkJ06CCgmct;a85R ztY6^ZlT)d8d5w^aB^nH&w5#@|+8$N=ypW^7)#81qxB6PF-UnPFkKq->9cHBPWyUZBFn9!a}j1f6!mMr5EthHIVEMyWn} zSi47+20aRvp**o!y2H zl@vOCA^|bi8#wmrvi9>V8dG4eaQvl`sqw~MVZK0Q0wAL7xXzWn-<{cRkocIJBV|4% z3tDoUE>|)K2R{XZ&{iQlYsGy)bF09gb{=f2JKVB@?9_P*@~WQ#^BcC2eo8^>DG$4P z>;t;fsj;WK=a0!hN=>Bz{3h1>Wkc*{RVj=10D7rtna}AkSiyR#qPf5`IUKe0Vd zP$S-3oXS(x>-UuwAmxkeRlg{qgQ*Om6GA%_$+_zzLRWb=Q*POVFG)$D*645cz)6yVH00LaM)axIiI zmhqyw&zxqIM9%W0^{!swqU`F5e=x{H=AgZx!<_Azff^}jlGFX!j+<4@m{!ttar!Hv z{#aFoUM3ulPPxC{ho^owLIdH>?AYH+cBf%CLc``O17OkxFpQ6YPy^Jiw?Mqgo)dMS zE%`)m;W;teFpY@Q3JGyCB?ImIBDcMqAT~mq3*JDdj7GluCEfbuZS*beER(74AVAY?UAmQqK@JVXLZ?YMs-K6h-rz${kt3Bc z#Z<#_?N>RR^5V=$6lVg>d@ET?{yCmEMgU_LurGHTRvFGGsIMz!DYOtG6_7D?U8CB` zovUCo{fe$M51vi~WUU^Q-Bv{iqqxg-0(oMqJ(gC#{T^qhdBVyvHiHx>`!IHMM%v%0 zRj z$=>b{2A%vfV?RgNHdO-v)n{6};@2l5vmT3uG#RR57?FmlHi59STI(%%;7)}0a+|qD zV_WbCg$VJ-W;428{pO*D0ZXI_!vXy}SP}~Zkj&7=gYkM4qUs5xG7M1_`({G}l<@UI z(27$xohciS{?K*V^UtsB;$gpOkEdHUu_yBgGzcbk^o?HjL%$r>vcao+d3UJs{H1ql zSpwgG|0Nt2d0v+`%{@Msx(YAJ{SAK>Mm-fKUCbK-$|1$B)vxKFEG%dFr{N-Hl@uiV zYq8wkyg99^JL7^>zsX~NK6|`K?Ez}{6T^h|Vx@Y7k4Y1qWj6l@Qgm<8rfITOlig^3 z5~zE<|32e#LEnzlk@V-8g}Pe&|390D;8;C2fz{Pn7BND~}Zmi2~b@3ZAGS%)=G$dcEox zOrfk%>vO%Iyn%FiBc3CCnd_GmzriQRFQ?)45sgqHphGJ;ULbSXc(h(;<~(IW2eCY> z^rNyqK@<6Xb67u=deGeay0;E!mf8M@>B0-zI z@ql@GEahNl8v9ZGAJ)D)D(ZFLdq5NfrAuJwkQSBhE&=Io5b5rck{()+l^(>4~X^Onl4*t~j6>NPs3v>~IJ*X_ZOg`iE_ z)y`md)gr>vdB|3o3ht=p2*RNqY3>|VTr=CNf@FTXH#)TXTtASFcS)IQ$;fou3>#634^G{>f>G$^QTjZhNZ2id49vvst`;~u{lmnO@ z>OtoPPjT~~VidQ_4J3Q(HUs-Pnid9l+D?MFn#6GEn*bTzB$+zMM*DzZ*=?< z>aD9r8CwiEnaCqP(RWZIWvoh;)M(=bRxe#uInk=RF09cBEq2*)s(|*&d3=?jM(p_g z(R{?-oJ||qh+f>Y^dY)q>^iEp@tLzcD*#!(>%EmKUi6^+WThuQ`OEi^l2x$X;g73V zA3Qs^$Q7een3k$KqC>?M@^)mBIeKLI3Y0sD_|t0Ayl<$yyn;B(&yStPY>h>P)|H%$ z()QwqoN}#v9IfD z?d9C}vnMH{YylQ*Q1j}Y*NN-w3Q3aYP$82_o-!+75y8xR86xN*a;EceK4Nam>rskI zw6JIvh-IYxS9F>bB7h6|HrQ|!_qX8RKYsWzClMgxg#bIY)jNCIV8#>9fCAe=Ws%jvk}X=VW4V=`f)E2pYYj&a=N!~Kq2 z(T(|jf0fGmk|Jc~sGQx5qQ7Sx5QggS5mhR*Q0b7vp(AIN*4NMf+&cBU%0`SBWD^{6b!QDc5n-@iXsEDR01-TAG>& z1s5-d!8sYV?)|Ipeb9sp8aYotg4G0Z_@yk#n6HKov_w7t{E)#Kx{NY?b8(Oe7|+!# z?gN8`$}}$+Rpq3n(<|=#SS*X{by(BId;19xRT@ZbIJyoJW6r5KENM{TxbN9y*?j7h zIC##%8Og}`G+c2=L@D#NQR2ih!2;NMHoc8FnGbqiNz!<$|IK||Ms>=Ku!PXwA>ebs zQ(uaQv$rL>o|Iab9zfNpE^|UwCzv|RUsvGREmJf52tk5YA*+JYe!tI^Njp%TIhFf` z-s8fK`pfDY)|8#^W~;xsDjDVD=~XXt%6zI%6`))+Qd#w4X;O4|Az z)YBGf=P7L60RBQ44e5tpBnter;sIgHnnmYAM)trMq0z<=2iX~q&ui@$Q+^TRz9hCw zjzcld8(B7t?~LSSRXzk@ouhITNe-(@nDd*Yd8-8Eehyih1ZEG_CZsUp`pKwjKy*`m z5zaWPNkzOSICuVD2GmFwjdi=|RQ!m+w5{7V_11U@&Ly^9ZByO>wxNWjSL4pe?g2l! zxqJ9sW9a>?Q5VtB7B4@`&NLzJSr*S$Ax~B?r%pFt?MZXr`@gf72(t^Ba@V;;t?otT_leR@w3}?eN_W~$i0kkQ8_B@C`C5wH;zRQ)U_?hBwkS;M$uOay9red zNP~@$KjY?NTQAgo)7g}m%X(}IfU?nd@^I}}l+x53CI%IWA7t*8;x)D^a!>UD%^%m+ z46&y)-(n(lL+dOozH~kTaVC*Zo5Hg$oJgU|tXkzqyDM3Avx>L1Q|hJ> zdh=Sm>L=5=o|3l?xno&WDX)3Q*CiTRBjI&b&S*9Y#JuGu)ngZ+h^r-o*|L;%GOrK15Lhc9s8lr7lx&4esF zyg^DlmFA#513jhiyxKdN? zg)$6091w7g5EgERW+$?>Cu=)Vn18iY&zdGZb!}*3|My)(gd zEj)t%lix5A`==aliFK2A9?e2T$M71awxh~yn{h-2kcrSt zkQ;7RN3q5}(BPKf@U7=JZ_J>acg*%qR^b94w^3wwOluco^TTdu$@#kim6@1?i~wJI zdN&qYi7iu02euy+c-#5m<*(o(QeNige2LU%4VIVLA>A3$a&zz}nF^BIKl{N~wH1N% z!J`8Zfe)*AhnWi-8`0YR77-N)D;SU<5_-6+-zEafgD0w#TnOZVLA_eBh8@<5g8Cy~ zUp-5Tc@UTyUCNrRgf!jU(VN@fy{bMv;GVf5EVXX_8uKj8Ywx>DC!=cGf(JCbddlGR z!KgYhsJOK569ov)3Ft7B?^G*wGfNl#t3JhjWO3DgX;NGK_MhX9y};w+lpe~1TDn5N zQh9(=`P(T5F?pB~QlmMP`i;fKm-zMl9{fuXQ?Xo+veEYnVrGJcjj%AJTzhFl>2|a6 z#da_YVI8M=B|8X;VdJoFVO1h8gYshuG_xWaZujv8{3_j>LUxL|H)3~~8)E>BeEfA1 z&avXtP>BIaNxY1gAxqR{BjM@h!tgZSic{tC5gK1|r+$dZqk8!;9i1s`m!7Xb2~QE{ z_$asA1zDnyJ2!^XNZS9#2;Y&j+>sdhWvUw@k6M1F=VbP|45)aA~-}sMUC)n?P{sFIR+dU&_G{{boWGEq`%r zoMhjR-b8NZwW4J4Et$y_!~=Uq&+yjRQv=0@o6XBCG|%xg&*3x|47lN*Oqz0yw4HYb z;zksByqKVNoNw)S$a+h(TEMB~_>>*JjL@RsipA;;1{~(g0MTi_WY}fWxJKT$;)Z9Dl?E zOfTEiveVbN%|TA&txpxZA~182H52=YWU(Dxl+s+xa)5*q2$uIg9$M1s3Do7H;Ipkr zi0K31X42l{;^I?y=B=^}bp_%tMXr`;nD+f-d78##wT3f<{$MIFumZ$ zD1m{ll56-v=dbm`zke5t`Zy`(q29abJNl4NXZ~;GdIMBwaGeK`GvXC=-iYc$($t7o z&OXZVndM|~au$@rdR2Lx&S@fC{N;hEuDKqzoHUyqy1^*d6!uVe%uT+q_XJtPMC4!` zVOs`zrsKeS9KJmHx#jB#kLi|=jn=;!=MPtAEKVX?S7hIhkh`x^F=NC? z{ptg9LBs+e)BrtlIU!E!D?q(nm$~BlAE)P$;8K7Eq*N7}nT5Xp3TXfB4}C`dkqSyd zxR1Na<#*X0G%nIdbw+`cSusZn+>O-!E)vd1IU-FcW@F3h%c_iG8yyPLTJ#pCzuu?9 z#&AreS+Pm9)EUisWs|Sed($Is41s0)r{uQ|JFmYH^uH>P3j8hpYfbJJs}NSu$uXIc zW3Lz#kWDD*h?`Fg@-JgK^JppCr9xzVBFdTk2%0N7B5Q_CiE6sa&~FFEBiJmx?K zg>1Y{fO_jr(?tGvvB#(2F}eYX-uZvw31a^VPKbDU3wz7M1&8hnPNqUA!OGy|LJ+u; zM)Cq&9@q3uQoGDkyS_#y<8x?7E2-}POuhN7ST#-}i(Ae^uAKkO(KwztAp@NvO7_Ey zDkrcP)9EpUXy2EUO^x#x7ix5LLv+fr0+3~8F-Ha{HHttEn{!8wDWiU?AQZ9{fSy_PS-Us0Iw*AN3_U*eOq|g}Bj%=%iO*rc zFR`;18iZa6hQ1;19u+lq^wWe@_0xoRL|iU+C8iRES=@(I_RG@Oq3>`376&G zuSX0DdFOpjcfCHgP-^*%#SnHglcy8C(ShLymShi03B(@uIX3h?ICnOMi< z?t?QCSLh$yiS~PqQzytF#2VK7KT0`W zPuBF`efl`^|ChQA@J#!$KoO|7V8T@X7*Amd%pv5|SPr=<(tb%J6ImjmFyh*eK@v{n zC;76y&lQ{Of&}r$5qZPgnVJZkY)eOy^&qTE2H7lI0D+^tAUAaG=o-;%g@R2(dzspdN#6;W; zAcKCXO$^h%oHSo=cBCVIKHDAF7}Iq$Qsoz0sUq1CSQ-ud>SBS!b&LdHkEz7Grh}-c zb>Mi6dt>!Sb64$X|G!eWgMkus&(*_aiC$350Q;CRPd>1c5}t&J+QHvtqazfNN}GZu zABZiA74Igo#)_KF3Y)K#*2vagQ=g|7ve_2l5t{4AqPO$xhs)hYr=Bbt8H#L`){l%v z;g4s^&5*bc3&qso_y`p{3>Ppa2^h4J*9~)@V^Ktt@*xnCJ|Rs~<>QK8OjFx26wi|@ zno!hf+QG{7aNu1NSjt32J6Be`f8{!&(Vs8Kz~x)=>rE~$=NOI3uA=qH7=NC8w>mjb zH~@Km-`Ky#kMa*Xp$gYAP%Nc5FVoxp9p)*I@3B_(RCA~KyO{KkRlL;mKl<24_^X7n zMdtQ*wi`{k{w(WU`d=6QTRbtFr4a-yuHxP~=0H*qiLu!@6pwxc;mFbD$r~98G2Fct zximV-(l$CKCNvi@j z91}7;u=i;E_9A=^dt)MHh3uJTq3k(oVprPN_oG@DLd4}2h*dVjoSTS(j>k)*g?p7e{1_%9`_EWJ$HoI7cY(&pn{?^U(K zuarXx5?7(J_jjosN3D_G`9IhJ;pUyPX4r@cvziv&;|HdHsoe9F3$AQUCz$zfq1itO z9#s)ozw9yow=Di|2#(i+j|E}vS(sb(Zy^-cm$SrJsn3@&;w7`#$>5!z`%HFFv|$p_ zoQ;v>Olwi{ucJr2Ci%sap|vxa7?h3bOVYrhvJ)Y99Ja#@KEM&;Ve^M+#9I`Ua(WK4 z7BIO2dNv^_8~u=Q{FUr?QCNd0@HYl?Mz3^OyV#k+uk@d zLP`O#$L798UmtMbcpL@(!9*tg2NO953Ek|o6d#;TSJ*2y(-lfh14%DNEh3)>83cH; z#yxI*dD!=>#pqmO*O{EaL!Vzsdp+I>6F~zJxAw`uu5UC|oTuymKoP~THlNMWU#wp8 zZ;Z`6{O~mIcV2xL!EX-Wlq!FaaxXwm)-}*Qj;g|wZ>f=8IF;dcOGXvL(9M*;hLinTbG1F zUdltRw07cdf`&6;8l@*V5hNKTLL~n9dj;t*4P96=QSgp=7V7bi91-7mTLfC`*Cl8P zuOYpfQqfWer4PYfoC-5qN~fuQe-(>?;_o0urm&}WYiMR{;;Pzq=$5JStVfIl#A3ud zERz~RGP_v9x;h62%lauh?Hb4LPSBxR8C*N1cq05FyyLp=xlR6VSKC8zO=BNP&U2e? z5Ls_QW6y8QVrb-u;jVkKZ4dyC$s>fOLRHs$RLt`tTM#6ItJ_#@Svmd*z%KG;=n!LK zQGfVpqT|xJ@Ng8fW#zTjI+3?rupTghM2OG=KwAtc0vAmVo6b|i!MtoGgz!sTyTz6= zavWx<7-n=R-Oh_1Ch8~tNZX&3;!Pqq}5AP@*x#adb zzaA;>gb4jF*%p3`WbHjJ1x%`Vpc9Lqd3U+>E*8OY^8>CX4&}}ZZtOH3N8L%5ozLhu zrlcG*E?q8Hou?EWzcGv(-_)O=CjhK@Pa@cDhSUB`^}(~EVanVV4V93$~Movh~?8kzi0=4oYdScVwxdu9r`?SCg8h0uLIBn66>uN`4#+GQuKAR0s)Z6{yO{K$|+N@=9jA)rIhTw zToSL|YKI9|lPO>}oib3UalLa|S~PHM(qBC==)Px^!hFCno6ySvpb+C8=}Jys5wcM) zRK62MeD_9L^JXil-$vH7Zg;GF%Ik4R;Uv5W$Cf(;{pZ@OOC#CIfD$D18sKY;K6!O^ zsTR8EchfgMgj62+;HEXrxLZj|f131S?5<^X#U1~qCGrS$M;UnsfRMpXPD|O0Pu8X$ zk|)3`i9n5zKe;Su?*m}Uz75D$DYrkUy|EE_sLNBj9=pEh*1e8%%lh*`yg3Bg!KFs% z7(Lg2My+5yMkBq-FYO6OHc#Ie#Wp{uHRhp;+A^9<#<0R#?ZM&aLU1#af>cV)|$hVN{H2ln>BeE!1j|^jE89NbJSKZV5 z2J`L>nKgcPKa$-TlQp*7g15<^qI)9XA9o!6$c@|y++S{Igff{`wFigW(*xN_6QPj(;Xwa#3ZR!8$wZji{ydg| z-F9g@wQ}Nh##91uyX^kTFs}Jx^TSii+oJ}rd7S%jML15|LSQ9tnQ}e}N#mAXbvx+U z+&`7q6}e>yz!hk}qke)T4DxS8bB#F+sPAjpPOGuI(`O{7odM=)xT>XW^gxrFjDuD4 zubxaf__1oj)GposGfVyJSASMn0^8&Ok-WvQ{h%4?5g%fjh)Il)iq%MUT%JII4(qV> zU8Lma+dwMkSy3>R<)ut9#M%sljX}je!0p%YRKDEMPc+t%^8nK#Kbg9Yn248v($~$~c;-c7t?3y+ zGlf>=wtZ;c#p|gJC|xbz6hYvE({e_4U5DAVll6(khgz8Zc${hl>b~p%=__JDroz9_ z0By>e*}U<_Y$9EH$i?vpa4+m<`<^QR&$HeAZMe58QL9uP4A4hNypCaZ&%a#nUVZAX zImU)66P951B$Id_mERM{9%%r;Ukd=XJM?_>XAQsC!@C))I+%+4eH?qy_$!)O{^~`p z&_dN_ow~_SviQK324?5L^UCTP=UWZyq3A4&vvA7Fnn2swfCGsaa!iR=Q+UZ z81l^1^42k#YdsH09Mb`$dV8si&Ag>2iw*k_?9A!3>~D=Z^p67%y?z3Y9}5JC7QLGM zMg@{sG+l~EBj$Q!8s#uiTy@GbT|P$3cWph1hEG_WmILsr<5Vs6wDM(30UGh#4s&y| zWyQ1@fc5ZL$7SBvNHI_IxXQ0Gn{9ih!`@B6YV{e|VDiyl0R!H>wVYg${zKQ3!T!|J zpx=(|k>ptJ$iIB*dF{Wb7A@6{RhPInVL3+pW$$hqRhKR*?X@-2l*G5_wR{)et{1$oH{$!T9c^dK16W>@$&YDZO0!q$WH=V z9*L}K#@Wcn@?cLLI$_Y7`zfHATCv!E_%Y>(yB5$K4m|uJMs!+i_cXjsEX^k*+Ld_~ zDibutRNk?YbJ>m4g2LDsIdH(uQmj6GSS!?IKY9~4?hQLONdo8t#kC{I$Cv(xvKzZa zH7YJ9FMAmk`<*`;H(_1#F1yEhm^y%nO=D?TLF7$!7J^n0k&y_)nqJs z6!qqbft*^eWb?smuYCZbWRZ5GGw|YF+|E_X(BZcIpS8jN^@!L91iWKF(FvIFu?e;a zU!77%TR@L?UB!OM#XmO&+99;MHPe)^qoN}~ zRm^#uAw1~WjmpcdaChV!;jjTfQ#E^yRX}7~h zw&R=CEoKtV-V=lMu`wVlRjctbET%kO=jaLb6p80sWDpO^syKDn!BD7zcPE{k=a{bT zRenBfZn7Yrk-KVyYYLtJ|4oq4cKAyH2jM zfQ|}UsOs+xe0rAc(R(R(SU%oLkMs7nv(&!bMZm>G^TUuVcWxEfW{Te!RTa!{t$MbV zG?4vs*CS{Dbm-Un@KvhK%W75KyLfGnPSNUfCrx8M34X?;DhNWdp!0m}v^?nuQ5F9K z*pN+c>g7bf<>sE0wuO1o_*4nW2wK%^pP!C%WHeoKw`pKgaS|IX%8+@xO_?a0peMd7 zJ`KbKh6nC92ND7eoQ;Q<3to$Cb4E`d887QyTcVVR~RscO5KAK2!B>KJ*1r z*K9k0?lyz>C# z$K7;nXw9erNuDvW7fckg3lIGg(miRBIDs!}=MNfAeHe%Xs&s!>+EcRh9#7Mx&Awus znV#7#F`hlFNSXIKeN(sMGHi@DRn2V`GyQX@|084sAV%1CH%7ido4GGbmXPR;j5~cA zjor~EpXTxHFeEK>aM@irH*F9T{RKd>MXmkxgV*L#xH5LB(pmIj?l4>3m+p-N-!8oS z?SOO9C2RZ?AT_Na7^^;M-!Pq2`Y_3~Jv(1L_bC*x5Bh#6g2TARE!+GqU`#cwH|&Pk z-0d#PY17hqGmB{EZ0TzLIW1G1P_rN1ZHmini$0q{cS@An3r-v#j~8`!07(~OAC!w8 z694jH{|k177t+@O*!5+ze7V2^TF}~c)>C2s*`^?JU zB&O{`_M0~5nAi^cD&sDIgX4&%X-X4)YX zm__#ym(w-H=Gkg|Z(W$~%*#wEd;IKFB=6jUG`$59;4 z4(aS7>>!2h9!K)brA0tQXLb9t)_kw2ZTA-&DI%J5vcu+6A5V-D2hmiIt8EG78S@8T zJERYU*44H=ub7?%kf1?4rmPz4!;T)sc`S+@Ctu`xcv?Eo^S%A*uxpOwkoEX-G~u{Tyl*TW@FDP#BHm zcMU^IN6ZZVHDl0Iv79l#N#l zm&I^>9zx#}RlkC+2E7-nP6ziek2#lqQ!hLGW^E7lSlw&3zSF%c!RN?m?!|eJ+I)^m z=+s0X^kZ?J_!X^{J`0Pvg1$Mei%riEx8FRnD&gjB=S&e2ak^YcNEmb?Lqh= zG?#9H&E_+MZVCQ#v!!StEA1gCI(y>wo|~9&QZC1{D)*o7?M|zH0@BRD}ne6 zqSxz7P%((?%4jkN@puOWJ+!30A7jO(W4ul554{qLjy%4q1g!SFy1N3wzmqG0@(ctE zcHW_vb*|9`62MFAReZG63H=tq<1zJ=lFb2u1oROLtY6t*b$q8`>b-+07j~0}N0CwA z@f&4XbP3?i7%BolF*z{t-kH+NaWdKK6I#C76@ngNQu2aF#S+o~saS%G4Zj2^kr+Hd zj0gfHk5*^1B8w!27zt8>yoe=iRWE9LYo!#{o=IS*)Yn8HgoTtPOkTu-)a3Usw1-fQ z^5);wbiYonb`~rh{0@%BGRmDWsjBdc;CWLijS(ECSmcD<(RzZwK&mQO%fTGk?lf(` z$?$>ZlP#4oEZBt{gxR>O!#&HXJtK;VXy0VsgqD?khqZV#AjvVXw`PM(qAGgvLRG}7 z{QQ%8uePxG%o3q>=a%t&A2 zwI}H}$2cc6hsRSihW5H1Ip>qCyB$JEsqwmV?5QDL+n+Iu??=3N+wt_|;mXQthW#p0U&*Mw+ zO7Ufqfe!*P*INVKD+D-a@2BMSjkg~a+u8547}pZQaMDq z?TG2)SdSiMqDn^Z$^R@N1@hSCx7Lhz($3_4AkdNpdjRf*tHIw3;xIw8$@4R)JdJyl zy|F*Wt$!=8dzA*2J+G?*$m0e>ocCAnBh@*VO98EmW@`Y0D@u8gQ&oF#5#)JoZT*gq zImxO{a%b?Y7f=U|$g|fVd4&meIx}fu&gop1tHlcA3DnFtRZv>KjBQ??TIp&kXvA1CO8M?D&dpnLy-3x z9qaXLjMzS*i!T-z1M$p=%_{2ckP*X{vO(iapUWa zt0k`ErS@kLrcy5G*Tebg9<_4)$MkZBZ$zzPH#$D5@&fB{#RwOJEwm`~N0F3vh|IZC z8U~>+{~`n}=_W7U&X;~;I86ts{-#pL&b6$kq=^7f{J{^!Bed6q-{5lkYE5nv}~y$5Rz#bFaS_ZpztL~JD$IsFJ`dXFgf#yLVE>R zDepO7@ySr6pU()YZbq(*9Da!fxeR1ac8wy`Ro7Ssj@s>b17qo9y5(4eBuo&n2Ei@m zjdM1mW>FRdDOrc3cRIxFj_X?|drg&Vy3aBuzg0^`TJ$(EB;Y=p(Ofz2PIl{&w82TC zPS{WqBjL9a;+QX0r);tHrRo?4m{$?G%tAJ^MyKJGyT8adg`LEZuVooFfP{AwH*Mk- zhUB1SpQ_`C`u*FYyF}evo<>mJZvTbWw zQl1N!fHucyeo1E$$qPDZ(3nX@f!F5gV&Kq!Rl7Kk)oz~k#O41|?e6^xT!BiD4JQ{{Bm<%jfRPqWEWI#>C+L`*X;fxt-!%o^xl8T?}R|&2uNMh0aBMn7~5Uy zKX9ezA50E;TC(UW*t9Z&o>K+A!muAS*Rt;l3gPt0z*LHU4eyJAAu524gB30EMjy3s z*II*Rv#ef9K~PZiqwk8Y^-En%&s>un>v!)imNisKAz9dI*Z+|Vsqj@@!k0O zysE#o!)R3li!ihFs-G-GJe1$fBBrVQ*IuK#8j2yDw6xc}UYCR&fCSKpn8?5Dr}2Dc zo^nFN-j+PknM{mcta)u5__92~1eIEBRoDC8(LpP!XZOR2$Uivv=Y%$ew+kfd^^nrF ziE_`~Wawa*4MQ+64MVI0LR{q>VQJHLo)sc(h?G=K7`~RN|2KT7)_nrQ`PKt(ENAum z_+kh0%#XBY167leT*6}k1{a99W6k`u67*g<9n6!R`{7^kVN=WJ8S8_ zbsO0_aw{A2RGs%6)I4nt=yf6TmhNPRWE3A3_6kmz&0cFk<%=bkC3I5VAvNo@#{P6h z=x8WZZFUY!;#)!*zpNw{je6fgXLL`3Hm39!=3GmzVT=aKgRpO~ghg}foz;l!6f8(+ z=N8Q5z`l=J4r31U+I3>+;OY}ipx_74-pEFVLWjh4$A0_JA_*O42>MeibZNt36DD;T zMK(8L`bv1x^5(l0dgs#8Xe5mH@d6eWPHU}oIYKx+hxg@ufJ}jMKqP37uwv~K%*+0+ zq+oLWMQWfz+=qNU^-@7z=Q9|U|H7)A`LZnk?U)S@r}&kS4HZfBMv7WDH!v3>eRrep1Ks+#9e|(AVjrl?b zPK#lPq-|cOrSD+}k)=ngWd`OC4&{o|f*gA4P`*b6RChOb2&XjS?r1S~(OLL~#xx5ctuhk-8RbqgvKO5# zS7tZoa|}Z==c6K`Ar0Z;z?q?Yu^en_mBxFW-02P-iD-r+^<+8X4Q^S7&`(*5gi)?n zh7qs%J?%R9wvO6yf1UKD*;;y&RnWeQyX%15j~ImNeX>9=#qzxCHr$^;zVoDblE$2VZX6_&=F`wg+#fLw9udADG&K$N9$CxgDu-CoG zEGA2@;yT!~$zp(R@o{YE;~lCVNAH`EJWM)%*0zg135a*HyCtf19-%BfUPa^Ies(yflr;!|_!OlVoJFMA5Sm@}hhGR{WclzKz87vra-(s~Wy$2PCtnwPp*BUUL` zdVyvkFz|4khocKYK$$R;++>w{*9cMPy{~|GzvRFZc{PNVm+T9qN~WP;t6DcbQaotZ zfJ+k{(w9i$=_kq$q^rlt)@8#tR@;C8CG^5BZPtkk3U+enk?%Zq+cJLuE={?+dE4yr zXSEf{Zs$)8-;ASCj8%0CcYM+BRJ3fLPG%~WmZ3q=n@y)kX?&O7cvD(sjuQraB;Q&; zl^xrpA9%bvCl@Lc$w&@8&gd6Ct1UPb)FA3K%jw@c;HX1xc?1E-i_NX0hug`}gG8PC zHrpMg?v%HtW_buG*U|3&z)w%^WIMZ)kKkUiBgJ zvc#s-^34JyY%j@ODyh(~T{!dLvjY(!1<8 z2f^!_G4SYl`3NlmC=WI@^Q_eHH52y$N!~vSm<~H&e9Or1E z^?(BwqkMt1{5F&Fsj_ z>#!uA8M$&W7bV5(#)#njeo=4B9G0X;$CrmJmRptqZ%P_o+qlkw00`JZuOZ zIwTH)C{ct`>7K~!#mJE;%-9Ad$8uIwF_0*yC2_7II`>B9HUJbyI;H1+3D2iLQ09W2 zr^%Eq4FTiv%A#6c?n@`@ri*WWTF$-SY2u7kN>a^yiDnZ+(N$A3k-qpH5^qf`mYK>b z77!7a4-M-xxxR2@3aoWgizezSFF-$vOaSGDm>Wl3M7xHBgIp#f^{w{0Z-t+Vb@$s= zE%L?d?CN+NWH%yx;qv0DTU<*pi8R^B7f&5jlKo(iaz<-?7hS5+T|TZ`R{e|g#z+yx)WNlrpM^t(Mbl% z`F{%XfK;R0#dn%(^Xld$7Bcd(Ve+3V#`;fkpSKY)8Zy<&1a%#yY*AEXl3?w3)I~F1 zR8SGSzJgwt$3aw@rl5xW{c9%sA#s$527qWwM|$bKnXJeAuAqqmzKhS$_WpX=#O7bDHY(U1`;4NY$u# z#OLI&P9odvcz(BeEf0+8&)|+vsJvditvpRzwdmnEez@HJO?DsQY_xUvE#8Y@#hf9H z0UZVjjJD2XjN|gcour9ht{DX`(omYS>8u+!u)&_`bv^-gn26a( z?XB|s+=2Ukfqtu{BVaaX<1vAB%3uui~cmY|y8f%F9-qn<1dJw`m^TbxLi90XzGv)*%@y*#GC4uqDZ z5|R~S_oL^NcmA1LyBEbqI-eRifG9mnA90rOp=i~aeck{IYC9yke6=aZcQ@v^Ki|3k z>ml{KX^>Jbc>b-&*IswTExt8H*0)%5&R1ay`Z4Z`I&s5OG^%NwbfUECc!T%?_ z!AL?MGg8nA)$JtgW?J_sRz%Eqh*CDL+p8ZCb4gKsdVpodussu5xxB^nZ8t^CG9Okpc5XM^Y*d$7m&sm;Cc=VQ~FGA{*8 z^+NV#e1C|G6M1aMsCMuy0wsCO>%hC9)+gEcy#c&z6}eQ^7ds8#lTXG|Ur}_d_#U@m zv}Eof=|zaZDPTSSVtC-)@r!GjQPuss@mv6S(6Mk`vKxa(8WZj)Up(y?s?X*~XjPG3 zy_tu3ae`9nPhls&L4L^y(8A=M=XXh~1e13?Er*hgP`Zsxh`pUipI7b9b%AH@B45Zl zd)~F?LZs}=l>mCN7R4bEm}!0AYrWIz@|W}In^6VY$Pk}Me=g_4rEdjQN~FE> z4)=`9Q+fsK+V-o;uiTg6m-7yn3ZKYBOjdj=x#}c!WlAQHzc??tMKoAn)xM1w+Mfkn z7?!8;=H;Q_j- zsz4suMH)fYV`fN&dwsv=EM0Tz?jPbmm&U})1zha$9**XV6aSCPa?lzxp^i$*VaZc7 zl6vdL2Fu_3R@!n0jh}uim+1JpB_dP4he&<0Dt4TB;ih~s*GZB)*N)|EK3=fyb-V98 zx!cw^H(T0_Wnlnl%sG8{QJ?8O(EvZ6OX7*U@JiFV8ArH=1EHm4zrOC#WnPJBAl@eb zJWdqk--6P!e`JX2Xvvj|HPMZx+?1(H4EJ$pN-z+-~$O;1UT<;IH_t;bx9QAp-Dk+Lrem~ zYc;Qa&@ky*jmCq^%Z)#fw8}Oztm8pLT=!O4-{L{Lo{=>-eNdI{)DP=0ya@tqzI4n- z-GUkQb?VfT{E1GohlmU{rm3J_biY2^Zu3_1I@tfle77LbsK58~)m}oo3e1B$9Ky+D zVH)M~f&U_g-wBk-xrdFG0$J|-8p>(+Sv$m!OeM|&^azfa5{(AZw)P9Rtzbq`Bjfa@jcMjsU zcfEAa!urpRUL(LSkMtekb2)eQFwW%=TBF~vu0t8vM}uviq#OKtnOGapWQJqJ@*JnF z(>{Ew5ZEoR^Ettj>jR!ckCctBC(CdZ?|tJN=x|2EepOPt)6QDHplS*Z2(TerIOS>GjtpAD#$EB| zxg0z7$?N43hcweDectmP2VL%A4LyxH9^yw&)m}JcMCD^qLiO`UR9CR`Duf)^1E-CJ zZQ3K|chmNBZ6zJymZG5_^p)LWCj&L%^qRhlC8-`YVcy;XsqTPHPD)USEe}Q`9XUv7 zVb{Saz6>$-Nx_`FvCRzo=-h5;6GnF-3tV`JgA%$hsjF4pKJGyZ`@%pZ^)M7cpsNOz zXor~i7D>AX+Vt?kzb(zVw#`+{zkD%_Ye(GI^z>uhHr+g@c zlX5UnwyD4KA`AtSimtov1&x7Sxd2>vKAQl^aAS*M*h{_{4!xlFfwD;#^9(?T!+0E< z#@EI{I~6UB_S6u8q?3Z=^kj0X&^P=dS8eN9oTL=&-T6_MZ!e-Y`ie|&sL|sXgO~_z zu7eKbhK(Ex;II3uEa?o+4@cjb7qpAU8;8gEy_4f_wOsEJW|aiS?A&{Nmsjm_pSop_ zZ}MBlS7Ht4Lg}TB|7zlq3nOuKbTXTiQ7%3{1F^x_b_S* zk0Cqw;C904d>{8jXq=DEc^$JGf(CJYjXw8&5!O~+G986zj;~SBYU|Ii8ya9{Ctl6b z4|Y0BFXxJUo&Q!en~BazIWEWrTeYPxE;Q5O_N<<5mrwXZ-Bm@2Y}~8?Kaz^`oP(;E z=u^&uT*rnV;&nJ6GJRVTI$?v1nf=R!#C$zGXzKBOzYX@=da`yz#FOy^_pW;VnwMxs zrL`651zw#-tamQ3N4%844?`jpsBW4|*Kt$DY;Sq}55C*F^2Gu5j(70;Wv3TDzsG*) z-xt-AQ&ab7tBZv`Q~FHgI{BI1YVApOj_WhcYEIrcb{U~BnJXk&bkD`R6<%VvZq?bU z8z~gv3l(I!k>acx_>j70@Y5wyBwz%UN8;II7>XJ-TvedVr{3;k1U~nKta}1Q=G>KS z#3#=Q2kZ48n>wpnmL7XnTKjU)o?iACTp*3Kvj+O<+{o5#FJ)c%RcI}qmf-0>Iwfp$wFL|tU=@NGk^)5dqbi&Z`@rq0Xx zqPq@JZ0Tcs3W8BpubbYU#*56m9!V|?sK!CxFea;ivY{#X|Ox*3F7Huajso}f>*97p`P zJciMpd}A1jCoipgouycaALghpm!^f(G$om!=(P=`I1{g@-hv<^Q*n?xC30jU!1~t< zl`cX-5a{WD#qUzl8sXET&@AX#GqV#erF9Wv!Xt+8HK0448acbveJAPv*2I zx^z_56}6t`%BJ^cI_RpiR^&AeqKh^!s;bw_UZ4vle7pM4P`bofPY&#jdH<;NG;=uk*?O!`NGgMcHm)-+(9xN|zEtijo4-DIp<(NJ)-@h)9=1 z4ke8`mO%6gEDL4 zXH-L75xjf0)u&d2TVMjCNbjk-UMWd9);!G&Te(XvZa?LAl3Om^KV1Dm=6KI}AdnVW!_aJKa8%!ncWxfGMg6L;V`O?7rY8gi9Gb@;gIuVP9TMKV!{?}LA*J%u*7 z#qghIgiOl+?svZUx7FDRL4SB>7dn|JHtl`h^riCpi@^It1?o+LF&jT4NP|BJ_;jQz z(!2J&3epnmc=VBj#S-I`6BhhNs}hM#F=Xt1R8V7UZp$in?qQCu)Q4`zRF3n2R+c!V zS0))NDZBbQ0cIJ)V&q+e-a`LO5vIL9{G&Cjk0`Bv>^DcL~%`UH|Za&l>M3c$GiaPW!vNfn7W+?y=vUAwGzLfs|(IIU(oQ!@W59JV~s(EA8(RVM*ZsV&!VXK5xc&j?BIe zU+H7XHwl@kYD{jYwnJ}+*#<1RtFp0SPr$aiWWYl7G>H(*Qu$)}r-RiYP^A-F_LC8I zpfz3{MhkDI#EV=tUuulKN=jF^Pz!fsTEOh2qOR7O`+C=hH2LFhRUw<@5{c@F$jou}!NhUO z-=1GsJ9IV2%bE^pL&bJ@TMR?bM}*6d?y`8&!oR*?dts$krt-G(tx+}S>|H7Qr-YIL z%8Ws!&nJ1gFE+Zp+#)y_x9O#i7C$a2?piia4!>pI*I|*TeQ!#2WK|;M{6oDw(G$tG zqzYP9Ex=9+!_PG?-fms@&yB)ci@B=+7~}BXs30u}TiNR=?({#bsR3Wek_FHWu_M%`~V)rcKiD5t^C~e+Yk=1M2=X zbWP7CCT)r#m2!9OSF{BQ@j5LvV<#tB4mN6xoce-DYRghqGEAFqpMxMya!b^}+<4ul zQWt7r^V!`N=(u7do%*;y(!q_0j`(b|q48@7FE- ziqjo+6<*9DTz*n7G%3IQ+6o zDm98cDJfmwEO++*9eDGvo^${KQ2o6KXiZN2?@>^c>CYb0^ISxUe#!VfmK=3l0|m+V z?LZMg;wk|l3`30NcH7Nd+YDTN5AwN3*o^G(+M-xjz8jtCqw!h8r8gw8Zjwj-*fgR< z!kpHwMjpG?5A(Deb}m9SvSl1@>3ipnL3_)mtDV~4Bq!a!L#7DQiHg<1m#3}3o8U|G zV4KP!b|B!LW$?9Eo97e{W?|k7yXsMOG{d_8(mab)W=3z{)>l1i*!4OQ(q?9ja%ET7 zXFWNtL++5Wrcc`rsfGmbBULfvUzc>Dn25$el=yM?TiC@pB=L1D9WE5AeD>J-fcISH zq|LzM-(CUW+&%Thg*!~eSIxfqFB@J$Y`%oj%IF$F zw+>}E%ydbI&uu?jr94uI{=)c+-EJh>agDNuE0+NJR_SWp>v{@RQf-I8PL92s6ckge zu4?vvT%a2kK<41S$Y3il2aVq-nY|mQ{PBjY@F9mnA@|b1iKZ9 zos1+_1IfEslpNiYwS$$dV`U$YaL8A+z2IAo7KH>Bu?o==#$u-2W+a{Ogy{ z<0g27_gSl&Kk45-%Rhg9=by)vULS9Xc)s@{WmC{Y6X`fiKS7c)>f`s#%)&g4`_Qz? z%3N7GX1sW4&2Fcjos&Cx4@th$a}>?_TAM;0$Qe4>9>^~tSp92cf0sZ#RH*Dk^%V= z5f4f4Pu+($_=x-SnJimIHDfE3Lf0PMm46rJKyt9J%T%iS^;Dx`V#-3=ZSOg{mxB#v z5pmcpgANBCRIRUw)L+_WbB@B0o#~jnPeyQ3>ETD($WY)tSk{`9`a8b=|Fj=~mcfCe zWhD0h_g5475VxI^`)mffTn?t&zU@HGDX;8v@ARqDM}~H1i_emETFA$}LnVRtU$dA9 zY`IZtyLLpWSo+X_(aVC~hkbC+F>&cWZ^*a;Z$_fqDeENA`{>O`!wf$!fFv>yMW>qiz0%|T_o{m__{mDIwELU3!otaqPzLQmgi1dHumjIFSO7-s;>+olt(a7M2ekt%@GL*MfR2VRabJVPbLrlS(K^k!5+rCkY{)m&NylZD zrohKHt2S*N(}%A>%m~<b35ux+!~7o#g7Gy=u*S73VS>@V;&DXH z7L??SUBrmKa%fpvO0GW3ayO{iVpR2qYqsHLBR)qL6MoYU0N|2xDav1Jt5!z<(d9lk zFJfqr*uN8^ZKv|Dck7=QNFNT=G9@gQ{r{e*{{8b6gxGPJf{H3$Ci3Jwp+)ciz(j<6 ziT!tzC|2rO?=OUAINOyw+igCnvYU5PMwLS=5bME9gFJ_S-K1brCp92-4t};lf1kbeQeWM8V{aiTTAQ`@xGI z0(YeE0XUImmC*ZiNj!t)A0y)WS(uaTe8o9VvnQA;JLPrxqShnjL*V0z{Zn-o-^|6< zYM`B*pg_67a`gS=Z5evgi*xqAmw+A3m1s-W^+*q3 z#hr|N`W{!v{yq73ORU!v!5%+UX(EMQ$+>8#f|y;`s-c*U@S~{V+{K7)_Um5mKl+oL znMkEw-ZZ=W_?>$mtbD*Ok}Ia<;r{hDl)Nn7K%5?Gu1NUjvHAOK;9e{}5H3#3eddq* zA94E6HYp%Z%M7C+#Vt_S@l7^$8D5WPNSW-Q``j@ZLhp#h8s-(**nfrh6i5hhYhLVs zyOyobf~jQo+8g^3=}mj);U0!h&-*pI9GlW^uoth3{y}Y6*{Rx2|F9f;+LtMb>0^_3 ziwJ-6kiCM$1(sG_s76co{dp<@p93r7Lx68~yW4e&iJu_4kK@M=QetBOD59Ae3HAAs zcd)_7h~yQNL^6CfwAF!j#+akuR8By{t^{b4-#lKUz)W%+?!^d-r6iG=*Z~>|E@7{C zV$;22gNrW49TDBLz!h^9wB!2M&+^Z2H5Q7yV&t~{ul`dO@aNts2(jU)5ci-%uGp*K z>%vr}VU7q!j8mfWd{DbG=v#)+G4f$iIbCWUJpEL6L}YxqF&R+Lu}Iy8(0Ptj4;aG2 zvfFF8lFsqSN=uo*PH=}gpOt$YzP z-NQU&2_QvWiKP^-DToRBVbp}>zjmm?DL^Kr+(|7+OAbFw!)`#UDw6<`_tXBUOJ^km z^%WBgvF~=UP~|S0+*jjFm&F1sf{`$D`MhRly53bap>WIE7r%#Bdx%V2C@szupeCYT# za#sV1g2@JHWbWE^#_i9rjtI5VL21}8f$YS&EHLIW0EX?L9Ug*w!S01mXn@-qc2%n7 zKMdQjfG|imp@QbSE#o<-DTYwAtvP??v&T(6KL;b3kipb~*9;@O^%$QoCE{x`wk3Wa zb@_6{dVgi)QKhxH0@s197BoWr;`y#p*yGH{;+YH$F$hK=+-xNTee5guy{`(Qq?@9a zDt(L|9_}`fT*OZHC(5F1s!U0uXaGVS5;b^#b(=8^&Xl1 z6JWObLb{yg@|(F-%b6}y&-j*p(|K2;0|sb*A4@x;ZkK+2`+YVFd=BibUwiE%K5E~5 zo>&GA!iYlUZNzp5EQcC`FFek!q-?Lg9UCcceL$JWXEMvJExTWR5M2lOdj?DEk8ewg zpCS(g8&RKplSCmsltlH*hVyeb;uCTDtS{j2G@`x)7C%jRG*a#v|jq@DvECaaH#i)Pxlg-DTGbnUgsC2}YVxnT|Iz#IwSsSh&*4!~(A4`Jo zbGzD7rk+NC{ujS7qe$w20*wR z7Qc%XCsu#I@Ko+O_|ei;Z?(y1!Y>&q*<0Q+=-$obWcnP*WoWu|Q9raJndH6aIU|B% zxiu}j^R9O4c8Sf$F`V<}CP+&7F=Qb>eOiuaCq4hHk$nIB2K}aV*crqosek%&=Ig7% zYh&W33yH<~@{yN2fL-9?^7&~fqlk|k>#Xm^FM9kTz)sVb?z0l^(EdSOjowbE6oB*k z?KBxME6zTI%vO9H?t_H#ZC$3e+kaht?Rg1M*f~}*#u_gJtWgJkqXJ343-Pv>!gZ(N zK((0iz-*$lsju&wmfFQY$Utj?1=uHLu2*b?xp`i#HP0)R5tpLwuL(mRwpsdt;tZ|ZCM7faXdWpX2 zHb0D8+A*Uyh>US-tUv`>ll0~pRxg@HAYZfQx`j>9+nP5Y;s)1ZOc|BRkA%uYHNKv9 z`7Wy#NG_igvqp3)99N$@IWNAUTo3R3FrlOZMmU3^Zz~@ng&Iyrq$+jDj0vUDZ^@WB z6^#4PPx0@crFxe?=p_#T8o#D%Ep9tMxAzBD3L|QM7?Q?(Hid9aG;eyA4OVfzO0GVR z(50R-B~&OjPlpa9CohBLmyBxx#OCX+v0+b~v8c<|k)&v249rz6f3d6kW~e@^M!KqV zVXQKWOMqx>-eFCohZ#DMUG}8gwQm|+8SA)j=I3JBsfdU5>YLd4Og-psD{lV#CbKMO z{Q%FcNJ5~^L*;P*3^t|h1*OV6nmcW{4F+fI?#J=M@g%H|nN(?omde=LnZ|0P@EGQM zFfl0Wy61BbsV~KcYb3Xu1~MG#wxw!&R~W6k#(T-}d;BKAqOG!kmig`FhnjIG0MlaM zRX_KAqK^OTtc*z6h8AGX(U!vg+?Bhvw|jpg>*bh!-dJNx)ph>~GiRkb$7RaG5)71U z5n?~VuZNkjsb!u)5N$7Rcv&F(cqiN$?V6w?KfC@U2l0wPN|nzl6#SoF#DCQPex!uO z04}kL$R(%cbYe4F2M6F`XHPqX@`!LVmwIR+Jt%`nb^4in>$I!)bwRRH%5q58dxkQh z9|V>synupjg$={D^swS#IYVFh5m)!A8V#7=xxx^-^--5^C0XeQ+d%F_#&AB})yLZm zk`z}0Qyf@)=?a27mqhI>e^kT?c8K{rKs6={`F3^^4X@bH2GvhpEg>hi zw7k-mLhx$&W$D1E%ggTPITC&4jLLG#k_lh{TKL{$ATE=`H#}RWPupktWM<$>MJ%dZ z#BsK1*w5)smik*9f~Vr~3Ga;g<@B%Z`m@0@g#5n!&a~&whuS&UMHVlaEkBg(J7-nq zcTd-p@H8zmZ@0GmV50|Sq3`jRG+g(0eSL{EX7W)~^Lx7)H*>upL2uLR%|N@u+PriS z^blB9s^e>%TZ3kMI@&9aE|U+xrg~-YVC=+TFVElV?Lo;xIVA_)g=k&35paaMXy34r}i8Jq7O z!sp$9g{{+H5tw~PQmE_1;Rb#2&@=psV&1(@UURDJ{?Q-NsFaWrv9Q{P$#cMdSk@}JBg74*#d0I2yU5C@F9u%b3N_t3Y{)w)j;02$bj&@2 zp6WY8v0`Mkd7S6qf@A`5*9jTPhV$Gc& zfS>jU@+i@ScCtm~Um>RB{T3o=EOu35qu)Rb%HyiEo~vr%-4!7yk9@4E8Bow<%;>eU zH+nOg|H3(K(hzM!`D-Kz*eWu?R6732v}57nRZ>}ni13?=GK8|n?&mcyd6;cAGyWFP z!v#p;z^^*~jgo|$H#*FhIz*H!e))Pyu-8Vm`uc~OZKgBdzE&*WDd1alcOOFR#EWRV zoWP;?nF z!0HOc3>WMWT`r$s7{%P5j623w_K%^RSKto&dG`>QAJqyxc@~;R;E$KWt4Yy*fc?Q? z>`_U>k@(w<4GfP+0viRWi^%O{M6uP#<76ewCCwq@HVTky^NXK(nT$vo(a zj72vKGH2eFh`Ve)Fe>=@MJb;b$u{ZYvsMh9GbFELrzVq`F!la0@SNGFWlt^+kw!xt zwOQIyX4_=G_{=s&cJmZFI^@gM@XH~NUyMwdSU;e+jKqIl*xjWUD*0L}oY6MF@9z5n zeM8%i?hm-m(vk8e^Bc*$4rVPAHRr3Ww}MXgPDWc?YtF4X&_>H|40e3auN|2&`+fF) zhD(eAo5xItAU9?Rt?dAeKaphi-npm`o4c}?F^c#yGSyw*w?V&ut84@E)X26}Z7$p0 z`s7#lrF-e`T9Wr}8N()z;`K@r1T&Q~lrp{no5;)kCeD#xe?e_8Wdv4%^~xNVjq9ql zWA98}H@ohAKS>Yd_bYcv^EPTbXq}2}lm0L?@lze#NNZ@!#bo zb@U9y*L*GE6$TD!%U>+{IquCNx!S#PTjh|$y7hJ>E^+p+vTKtx8|D+NJdd!o@c?DStXXFKNKRZ%H{e>_*6$y zyzFby(Sc^I{9<7A@mC!`gK_;R4_WNaX&XrVi41n!*qVQ$PJJ&+bOw1U03HRZxK?lwQ0rdap5`z4AMcwe4r`o;9H#Nx3l=ry7Pv0MCGiAX z4lINFv`l*CB2@mJk2*6o-ueC9ZaTIQ3yX3ecH=kZmUhFP=tUv43K=JhCk;KQG*S!^ z79hw^FGuW42rhjnw5N(pWEjZR&3s<9H*;eSQ1GgaxiNt%k$e*Vke_YgDqwLT^E^Cu zI9@voqX1@)OZIDrvW0xt{^J#*rxt7k*BO6_3`tzO?OiG~zS#cJ^T?{8azB?o{HYK_ zw>K-9JHTqPlmv#}O5nWZ(X7sbvjD#^`hENIRAi@~-rV^n z<4;#vK_0YXC7;Qm&31p}k>NlmkR;`$`#wumkYn6vQI=f~8@-?+cmdK@SUMdr?f&Uf zeTVkryJ;&T2->|_I68c(BgTz_!BTSXaFIEIFb)Yne|Iu1)+XyVcete zQYkDfAAMc5USv>GG}0sK4wP+^`?9cc$DLz`fmX27>{p^pmlEDzEPzYl+HE=2m{$zI-l$*WM{aN#&d1iuLW7Q;rt|VJKUNH^=QtFsunOeQ^aY>ZbUhC z3qs~%AW`-Fk*(4`YiiENAtX_^Q zj5O(1glbN2)O}e`ya#XEeL-i$=(4*!QzmdUD}|hFHw7FiuVTJ~>Mw=FmqJX;4i@1z zIts)u4qo3ON448tGh6P}wSDboBi+s9;nR9&La1uBc4JNMgtJuSca2+j+N6yA8lQL1 z{*^N_fg|&US<|15k-u$f{Rq!a)2lW!8gWYUK*VT?BY7>bT>zMjNMPHq9L(GG+*-M$ z3-9gS){>v|1x|zd=;ys?Z->vjAih_UOAKpwr#*^4bNC-Yl;!-yb$rp^yg?D|i5myv zM1I~KvB&Ac3kefus4~O4nd9lPJ&5|;>^ahDXEF{(HpHV*D&Nm~dkb(F?Eux3^#cIu zUA4Lpsui4dTsZLrT&@{i|^y3!Zl-sW_#qoRJ2s5<05;@O2Ttmv>H^7q`if>>~bZIzXvwiDcVj zNSCmlqyjOE^^TVWmP+U?#WA~v`BaNpup5*5uGCd5kFZpX8Gp3qlkW=aI^|ltFDSeD zjO=j3*4%O`F!)6zuQ7!)p23T|Wpokg0&bJ*5Ap7b@wKw{;By|F5YAr-d@?VX*f*9&&@X_EbZE@Q{1nvK1&g(M_)DMDN9w9(T(u z^8h|eW_PD(tYX`j%uK11}RXSe-KIKKvrhL=34`gpk$!@FWZzzU9%117n&z;2tQ zn2j>L$^7ps2#t~MGW%86nU~*Ft-j?5#-%z`WCY1@hPM#UT4v77te80NoK_`iJn1P# zDC(M)1`E0iuKyTyzQLx9r$(k1h`wk<&4|FydG+S55cL9%tp;GchAu?aTai(pfX!}N z+{g6C5#sonHs|RVDj0U(UXsKad3mP+=rw^{h5&ysjx9Fr?brfRd^#2q;ZLXhBb3{HHkjCiSe)aXk-)$P01>r5dMvy`-adA@X@ z5b}Zy3z<3xWgGvPq+BGR+?tF#Pdc_Ad?BTlavJq)Z zWHhgq;Cf|J=Fb#aKLt_}5)cv$1Ae*?>$2tgf~(B(g&GWT<#xt1E8f=*h4^YJ8F~`jDs3}Wn{eop?qHmA&w_<4l z=l4>xQyuq&EYiTcPe=v7dB8x@q-v~qn8(@aT?S9F8uB_#l# zDg9&dD^{BoaZ~=WCmkK(Kt+jn>kE0owyDCR@L2!xtdRA$NW1QU=g>C}~%4Xeo(wtlRWat_E zBIX-Ap1V7m!E#}PxEa8vNXW&imcx;#0lB^l*y|!;cQBCCGf5t1Fy;dGI935CCy-nY z&P-p9|H$wf??nXeYGe<=f##TNB`--_=*GLAbfq0Kdth^M6c45`d@dghy|4;9Im{gj zS%m;Nm78be8kd&+_FvsL?SCk@|3tAeso)Vh%85`|v)SxR?|;AU7(92C-qgpuXYc)G zGxp4}B{(9q);o~B&042w zFw>f_k+s$kRK??l`v!&Pe|vzs=^`e-|(dg>XoRT~6{Y zWxsQzVBHgnUBJ?8x?6aW@E8jPH0|*?QLbZ{9t=pS2ds~ zw#xuuQ~pg0bF^sp^UdQKO>-oha~jq6%ri?(sDKL(IpWkNeQg2Ki54w5ttQ5FQsGxg zJfz{c#x@&|sosbqZ}IrDRxNa7>5U=g7Z3YB+T|rbu=a}jw@5h?!I!TS>)9`#Op#xx zedZm;CTB9{W2+J}_wTlBedPYMFSvQu@N0yc7nUn(!#}{k3b>(GzBA(A>jCuL$0Yc> z?QnTlB@_!Y-rCO#zS^?OwmKPgTd+BRQ`aI?h#_aKeE3@Ff`=fhM+_JN>SHge{FDUt z7&9Ad)@J?IK|87(mitx{UefsTwsOMz!TKzBR$BG)To~Ks%o6<8dpFL2ilbp~5K%0l z6ykkI)YW^N$bNwv9oK(FM2B6bpCnKaiY9%^7p4HaMe?zNW7vuwF&J|GgdVWr@z8CH zTzD)qV)y#$i+Q`=vCsJrt*M4u^C%S&aCC?l3P1dc6;`iC*<;;44ilDJWeeh7ke&-2G+gN(2&t4 z4iZnId@wo_6+<>NNUm(6wsJ0j0znNAZ+TeV$s_h(eJAl-$4t9}gIG7c0pbJrEeOtfhY_;AHrm)VyJG-$t>F{bZ+M?KIENohLVM#E(R)a7 zOqc4#GiMq_u~$%K6b%M9VFOhiSw%2Gh%bG22wo;b$l64@hmZDw$PhF~+RdW3kIvIT zj{kPdFVgI%?DknfLd;%QQAuN@vw^kL2tRQf8+OD>@$B7H;O`C~dqPRde9T!d*a}2Mu`Fl$EJo-h>)X zPc#`4nXK5NNiX77-qg=a^(Gm3t?vdCsgy{fi^iBLkqFQ=og2&aLnMCV`KAn`s&9b7 z-L;x)D;AfN=3d67*U4_7DVGhw@1oW@A|6gl_ArEganCq#AjCJHnI>`)x>Ve2OVICf1`UVr>T|6e~)WOS(=SbJ`zt zhr8Gby9`}{gydSZzYu~xWez9tU&?BuR{izNa|IZ*7uKnnD+UI?dF$5u(H}i%cC z42A@@ml1Xo=Y5egJKm^7Pe*4?as4@EG3m96D`~~aotwbaSPW=$bF#seRj5`1%`j2* zeLaQ5o=9F*W%^W>?+UXvsV9pt1HfNOn0y4x5h;aT{JM0ILj3Cec4yZ0=@NR;4-sp6 zCZfTUH+wcoTnjKxtvzRb`(=0Jz_MbV?`;!xSgthFm)8$d?_qV2%i%lM#cJog9~Tny zc`xXi=YzunDFkEiGw?L6>dP*|7MgwaTk>ca@$b*Iq*lX$k=9^@?xFa#dJDy3m({np zmN24)|CAp)yV7!oz*<-Z%6E|#GXT~`W&JWU(I0Il1n^*9Tk%U<=H z|ET=``N5wwe@z0kLU{FVeB2PE#9I*f7L=p%vmjVRCGtMG^Su>MA=q|BKm{vkWq9FB zD|ol$K^N??&@jj3h@oj0@jFxG+wAsC&+&WmZj*QADj6dEK2@&J22Cz4jifAbm>fDa zzTyR!(#z(E_QRdGsG~^GY%fUn63B%J6I)+pPc_k%N&@pbf~>>Csvoc5S&XPo@>$x; z+~OV7Hr=Y!VOh>mp`mAVVVfpiS$uvt+zYl`<|d=}a^VR+*<#^h8)3jFl?2b2ipyD^uVV1HcKMZ}M}#^t9NWt5VdsB!F1VBh4#!mR zwx)A~exv4nMIKWI@Rxa<9y6jEb}l5ABRKDvL`=tNVd6pe%w^s000g3 zbwDqp6Aajej0yl%La!wEEps<5IfIw)^B()-qJdN-Cbgie>a1fiNkJ1 zFwtEisPLb@7lK*g##(XXYcqQVHBNE9`NOVQRMwJrb2NnHY~FFgwvb>0{wDOn#Mx9v zK5-7lS8md<$;_|)lhJSbY~HeXUV<07Q zZN9}m%Lm@ak#0{q$4(s=pTW#^m{D1#o=qoi}%%9&h_C#EA>e(6rvK)-gW;Z=wDu1N|*$p@fS zZkFT8*4#j~u=x_nWhJ=Q9!(}4bDPhzAttG19Rc)d(Yz|uh3zmQ^9b1=tmU<=zgf`6 zWdBexu#bX2{<*OPKjZ5?JFTo!hey>y#>&nW^uz>r5aDYS_-yjafS+<-v8){oMWpry zr;i7)eAC*rVi|re`J)%+L*;g=R)DP@$ezf5UftK8hRn%@_hia7&|+&c$^*sPc<>0+ zy^4APLF0nS;~?E3R=&6z+N?j_nLgDZ<$jkW*<@sD74}SKs@yLlUUC*D=xWJ+owh03 z0Pwj#5q~~}TLfXWlyl$cs=Qv&-HD{tA=#s*@-9fwylfb z#+{G-oNE$g0&*I4n(a)~dZKv^Y*pXMOo-U0Trzr&mRG@7E%aiEW8SrBBq#c~0$s^z zSmPG!iBrdt5qBE(aS;bxf1L=~5yKDbnY<&N>e!t8`|WT3AY*X742->( z1@gY1h@`DB>-0$9-JS}j)Ngxd=0+nbWbSwLeOD9Z+iG5BTRzD4nb_aZbWWOL{{jUT zY_Rn@BGpG14vJfi{Cp}&w|__Vh#h!Mc4;dUYn=0ZXA(AZ28sQCvwU6EdFit{nVk=N zIu_H&ow379^Hrc|hnwI<+1o&NJhJ|Wv;Ca>1=OH8=?=p&`w_PpzD@j#kC=jU=OZG_ zTLe?BX_zL~CDzvU?b&>akKjr~(s4S$UW!I()7@e0@?Z@N1Jyrev4s|*C7FQ&BSdtKOQ8l z?CE-x5GRS5?90TiQ5YWraIrGc`&}7G$4YS1HMCb8>wr!3z`d5^E*Y=)l1Mr}5J0?g(- z)djX%o(}_iwEu?CTwdMjO#fZqz`G~0lvsUSpG%W;+>ern0H}^f=8+9HlUWLc@j?lG zpR~`k+MTfWroMb4F;yH@(p5#=Xj}6FIRFQ0OVQr;_Rq00Y2uaN5IH6eqnq|hoH7jLcX}`S2{BGmb$PZ;?lR(Bz_eL7Ph>;Yw#01d@SW*igxO`u zwK|}EBfzxRuhUW~vtD9B)^Pmk>AKdddpwRho~7&8HYH~tSGw6xeD~em36+FPeb^p3 zbm#m6gO>IfE+v`1?~3p_NY0d840USS*M-Y4!zQ}85hpftMmF0AMwUim|Ev=eY7nMg zVb$HtF3$!xK3AUOP-w)B!4$Z+MS)~{xXAGNqkV{5lUU5)wVB~L`?}tcy`P!164IHQ zWVW+>1NvO}(S(?E{@7PdSq}7vPJniAUR2ys`9$Sh@{8YIf=6?6gwp)}}Z~t+m9KUbRp5 z0t)u|r1@r?{PAfoxITKBc{HE(#rKM&hj&aucPsW)L?RCmu z@lhI3i*Be*rAj;)*v|Lm;BUm4LcBTP@rWMHK;04@Y(Ae21&l)d4Us;}E!Pl%Mnctp_aaBWKuIINhdq?ZIa<2hwvo?~`9lg;*z|p#twU3vee;aLtxN%X0h0Gw zKqsd7SzJ`o^@_r{5Fe4nv*cS;>pgqzrhqgZx1jN1v;&@g@Yl1J#pCkQWVkXB09CoG zqWqXX2^itq?sweVNsId(QV%$y^fz-Yeok_$HX7F)mfWj*1+4}kX;1aHMr^(6%r5G6 zAAt>2^V)H;uEg!5PNDiYQ3nA#*$B8Q9yxt#r$vIPc zraJsKy0<)E=FhVWj`Pq`jmJ_jnO>G6q}X- zYO)om`K$=w56#ZI&DBjwUT$fbX|~rik{JLFBIcRvDE( zKd6<^$&m+VFGKo+OF6&7>tA(PYf0_}Oaz`y)x6wgcCq6_%4Pmr2?OffCg1P1SZuD0 zu=ibE*A}YQURk4#^X#fBPt&<-YWAnKznK&zLbjbTN&yTwxT}yp|nm^H`$Vo*I9T% zhbQRk4jo%g47Bx(;~b)^!LM5W)?4N{Z8lboxIuL4d_HMT^Aqic6J5nNH$n@|;YzKEDf7MF`t*dmqev%ugtU)hDSbh09{^y4)hO zqQsl??(ddq@s_BHUL@)-p8Oc%qlD;hG+Vv^>NkhEpkrrx(`mWQNn;+N=0ogbhZdz{ z*Z$K*%9!fCpt#Ez6vnFjE0BdQp&V9EoL(T#W*h7OV)?{0dT%dZcR0V9+VH4EoJ7i3 z%wmLAKdfxW^F!)xALF+>^!4o^Q50Of+Jla8)z5@Zg8<;*5Qe19?Xfpv%(2 z?)`j_CkSH>j?Wru<-g+Ky4WpyTaH&&hLYZ5!Lj9h$IHwk+57AW5@;(x@WND#YqvuZ7ln)bL#Ac69@WlXd!i_R=k+nOkNXPodL1%O%|Jrt z^039MrT>g*u8$M%czb53d3P&vC##)om$O&QA$bbB{`9NNLJ8gMS_z%l%nMl}b#YHl z+g}-0L%SEbE+(dI@ws~1_Orqitrk^!xXkyg%Ft*}6Op-4jS8zqWkncb3OZ+MXBT%E z<;n&)+Kzm}o@ONCseP(O#e@CQH>EH`19|0llGumO>-Xio$!E`^8Kq7KcfDV?{@9$3 zh%9E_6uENGbMhQghl7x%6{q0c4P@{nniKs|x_%jhFN}ogz%;(D^`9}*M)95sVI08C zC&w|_8+TFgM;TbIg|PWdDE6LGmiA-3CD7H1&~~`wPiN)N$_XfjB$en<6beW8(^E}w zw5r8476J~;;s;HO0@8#dZv@!Avr+NI?0C?lPUVT?!&n|ap^Jl>lm7eN~}TEu{-1(uUaj~|wtzl8~! z*MQc03IKYYwyD_wFWo_3fZW%YX~xz5KVjF2=!g~kdva(Defgzk@ua%;DO+!ggvwhg zS0X35M7RhgmsLYQU~LkBm9V@lwgqsY-t?r6l*EkmgPI)#5Mg#pkL^}|EEX^gEJnge zho1|*sZ?6yC8EWfI7*0qbPx%2Fz3dn!r(3`COK{0d4Oog95B*W=tN^?-96*V{(NB2uV8Z zx+^hti*R^vooRzyMa37EC$8M$zIzS_9{UyLM|negF-ykK;AMi!8_Wcr<)gpM+Jwd^ zUb5zj9da%Mc+-QW7V$Q73*hhHSa>^(!nNPN)(O?LR~Gb~yH^D-s>B{3r|Li>e-|Se zo!`y+a?|^jAt%|jE9TD0e~DAPMEfXm{@MZkZYXi6lMy4=mprnggmfktI4#BM-NE0@ zJ&}J$af`C}mSP9cr+$c&==1yEt`1}@miX87`LKBI6f#X=nncWS%+y~i(iAbV5Wp2( zmLh7K$o&by62{vUhq=)pti*EX^`GG2Gm&2157foS%s9E&)X>wim`^KRMpW-j{xjQW z8QvS7s`^G5A7U0!&KwS)W!Av(G-I8s3dnpQIadqz2-}s8^&5!hy6|l5F)W~#obwYWRZ>`UbHK}rYk8q;MP!=I%Ou!7Xq6AvrD!Za=RaWB9ciaG%w$S*k*R_0uuF zua^)!2y;6OFFndyCFSc>5(NFa%k9;v^H^@H;^Bi&nNh*=^j@9EGi@rQ{4$E++>wta z^`=z|D#h+(J?NIW(~-?hCS`A6Y0uP*L_6Fesywu3_qD65m@rQO3(@>eC42~nNt}*w z3t9#UfXhj8nD#9*h%|&OyzO3TKi1qHgNR5jm&l4d3hPvrSqk4QzdaAoQMr*y zm15mt3*t%_e&q_WDYIaGtLU5OE=@uS6B5GryFkyr1vfX;H98=qqm3N^*P5Pxzs5Y# z^rEUy4T8H%KDmDGMaLIL(xrqL$Ok~0lA|b5%3RI1N*%r8sT>zATzE<^uLS7dH##`& zSiBt4OvE0(3-NJi3ENKy&5^rh@=^vLL^zZ%)=s|U9PmY8E!0HcYQrHg&l{%4Dh zZa=bH=KJPZ8YyZG(ccRh3V1BQ+UTit_qO@~na?K?)*sOEOah$dFMI^+x#Th{4m*CftXKEzBUDs3yApmP(LQH-q0Kvh(GP0fkzjxD zK|hf>Q}!a!{|5spt=>>eq395iLjM2b?meTL-nX^UP!v#UqI42EA_yYV zAs|&mh)72u6a@uDnkW#ObPyr}()*%!5b3>lDWND*LN7`PH4xzbajmt_*=Mufd&hXs zr~5IBjIl%(DGKJ&U5e1EFf_WE&D>EV@$kjaH^g76i59-tz=eQ+Q%zhzF}s8WYII`E zTicl>J`1!rBVB_#w!Q^-x<#wmw8LE5v^<@;GWj21c^mbtz@mi;xY!H`vec|Du`&Ko z@PjhHQPR|^J{h13O_o% z6t=?8W_if;Ze%g!a+Q*{+v5?w z70joZG+C4>wbZtBN$15a;tv`pK}w_n7GNfWx%ju92Z(!LGYw5#Q;0mRw&Q#jMn)k+ z1sqv?FSnFvNgrmZCxCDIVFecMkGP%0<=h`WBfINGHP$TKV5M>-r+KH~d4D)g394-B zwr`^D?kDd5)H_XBIV0?be_Uo6-|xs5?j+0(*7A~|!v zuifq;`#S1J#+6k^gX4|*)4X#mhd=M`x4wt`kW?SjcrAT2Snjz;yj^UZw73?f{cBez zy!T@~p5mqrEK7{|(^CKluHu|A{{DYZcX`I~x3Dl) zTZpwuT1YKEz76v!*5mXfvfEpPS4I zbzFqJWWKE!uaK>NWJe1C0H5CWz#wLc*KE5p1K$a~L!u*)t~i?woo3}DE&iQ@4CFYl zJCP#@*;6r6#eYb(GHEyx5SmiUJyp9+{7IkKnOSI| zE@D0~I|E(iO z1qca%3?r(5ICtO9?^Y{SjwSJ#7Vew2X|C(1-(1k7UlsUXUeKm<#{z6%KR`KC1$*@% zndH|M)MdU~!508MD<3Wjf;?fWuKa`Co9(wKFLK{swn*zW;;pmE_-R znoibVRXrh*c#&}+3II!X`&^Hc3?0%+hWwFLS}W!hakgK(113nF+AJPIG_I9W_4Dc` z!ndvGCssbY^xKfPWkUw}WWV$j%iI|=Tx?B5Jndw5=MZhtuclWMWU)X{x8G#Aj?wbD zWZz#^QlkIa)On}E-cSH!6-o8YdAowQq99c5gz(Y!XHwB_yqWn>Vv|zfEjd2f=$$S> zbBF`6C$pGI;8+I!TjU$^tx~1YVIH1$gpt|7s@NoA{toiGz*8MzM_H<)wh zY~b_ktD)&X4}3xx&qSOA^3IkOO+NxEzI1h*2RfhETH){X{J+9y1-A-j;mxmGXq&}o zH)3Ow&^Jh&g77b%W#G{|W-6ZMX1>W#NgQ8_o_`%F8K5mGuO_RT4f*1N_$3RL? z;3NUdD^R+k20_+KUY6>}RSJGAwPb(4!9GihijsIb#c|fr-Re3-jfDVue?5jRym1Z$jg^Lik{BT zxuNtZM4Q)3?vbY3CX3PwcJ)7a2#AUAJqj64*bxvRBU1{IlP{a(noF3m{Uuh;ldw?7 z<1T82`?XxN)F(VB{qooTM)P{l&$@+X<+_0a2BsFMCp**4@TrwGb&+&lGFL3~aPEw7 zc>8>QXVE((~4@#kZeNyEcfEY^wr7 zleY;04Oe;sKnkeg5os*wz~3zq`u@ND*MIv;o^on3ag%2xNdQ>JZRL8?6zE1WO*t`( zC(To-1GRWI!jLEJP$M3PT&(m#$sicI;tHld#Bc}{v&5)k4_&2&db$hr7tM4{(4(Q^ zPu4j0L+w<%vJ-cTYF2b}BOkJuQG^v5=jYrYeNn6`k{_4Fg}Ya}>doFo z#<|37yVwF3364qrUdoF^IGf=ASeD53r&4J=5Xz@)&(WBAAb%^^8E35ywk@-=0Y1b=4S-Mn*oTjkGLsFksMGFBu^E&A4KL&j%A$+IOiuj-z4M)x!jx*uq6IB zEBxz&Pr$u1d+>^ZfB?kOneEV|^)8|9y_^P3iYg-e0i;mrxkaJ)BqrH ztz3iq;`!+$k-mP(%gW238pnuuN%}x)%!I@T$4jJ>(KL`nPRjJdg3Ro&10V9!DGhRL zWawc~(^E>XLY)``7fZZ$ijiUdtDi!`ImJ_b2W+FoeF?=w)Qf4w4G#RGW-WecKWbhu z(WzAc4?zFc~m`>fL(F92CZ$8}p%IY%+PgDI1A8Ru*Hfxy9f5>|0|eV@kLw--X{$SPXmvM7_h6P&w~ElgW7zIcbR}$*r1JCUD=Bw_$M~O7-zF&G zHxHYC1=vUW@*DGW?2{A-_+C z#^wRbQD>TK)U9%Q@5d%EF{V5uL@Xvz=9qQ?rlX)WzE2|1ptWU(GNBQ%N~&~@1GcKn7u(VFa7Qz(E5a`1V^`3qazs!s?$rc!e_=i&^mQtu{CB?(Dq(uycS{j?0#Z_z z4>C^&#BVmzFMLXITyHKNGcl1Jq;w5umX^a36}dfbsDsvEZNjreDMc&uJ)fzsJ<{8i zpxfP|qozs{w?^lmM5QoDu``vf1cT_|1k$6$po_^^z@J?E7`a-Ao0MIz{%ZX*ru^IQ zm!u(}0ZGxk9KZ9gnDcLce=j%B`Upli8^r{2y?{w@xZ6&ERK?$Nb|{>c5a}d%6YSxT zTq3;C+Ysc!-mIk6e5SVc1l-H0am|&!2PrGDefZ6aQY!rrozh%A3_co;o220h6)7#y zNvRtJWT5<Yr`hd(@q0E`g8m~b7#}Z2j{Guo0!U$Nx zX(*n4QO~2j7gD=M6DZqKaM+Uuj%^?L7)DP#BTXra6BfpLU>~JGpXyQK3`>V@kwMpN zLUQqc$S-naE1#*Xg~ux_+uudn>r-&uVRa9}$4$mSBueLa2$LMis5S_x5*(>Rb1u5G zPx8{a|HQ4Q-R5YMAML%slzxciN;$ODJ)Y959u*S`0nCyjgVHNrSYzp&y$`C3_y1qB z$}T5J!}UT5srM8J5LjFOQ(#T1jvJ`(zR!uU9VpcJig96$wIeA8Lp&DEEyDz>+bUW< zE%zSh!b}{#L@As&T1?}! zZc1ocabF}kh0Hr_|KU``Ir(W60{GK9vXt+4`abVPQB(g8HGJN0LYBeQfp#E2QxYpO zpLM_IVH5;ZCs$jbM1(XB69&sChRY2@nPHTP0;)xPZ<1lJb8@HhD0wc!1Mche+%uW1 zpi@`HMBMM>DbAht*zC8d7_a-dT?J)NfvR3gA3bq+A4;S_gSgR;iTcX+Be?b&swE&?w&gwL zNyxb5OmDYF4|(>3*QIO)?U_C6eA(E~%g8XcnH*YqW|yB4Pw>KvEeytZA@kA8!u3Lq z&2Z=hs?qT=WpncQxaT+iqqIMs&EGth$nhRxd;T6TnFIbfb};A5(oOk3$p`5Oa-`s_ z33}t|u^9SYiC;n+w!4*aQG&{O&L{i^olO^FG>V*s$$er}R?^i`%4TDN9%sne{9MDO zy==f~PKA8;yYQOY!$fh1mF1Mk;m5SVd+22!6F=bwi4K(8^PH2Szq$fBe!^A1_TxVq zhwN|Tct~%?ig#Ep2Yld6zAnuR1mAnHkzE6fvcwSbsz*WhUD&a_umLiyI&;juSRE3X z{Z@enMi+--Z0vIliCObS=t^F(3?dpPqC+X=8vO)u*PMDI4_1JlRL~=DH`CHUSYP$g z(XyxgBkPWqb$kWI1$}8big#f|YM%%8oy9GQS#?xW&FHB5f(F_clYEk8`6tt>!zgh& zF^sMhhdP3J#nNT@VBr%^6Qs+zB?C^3r{aT0wyI>TcU)6P>*SXEu^y0Xx1YtX~~ z6-DNKE5(DhQT#^>v(w7DxCL?i6GQoZyC3;`DGpyIYi$T;H`-@VVgFI^D4XuFngV}p z{-JZuAAi@*w`-|aI06`aewjvm&|fwcgOojaM#RbVQ7y^ zQXOqyV71i5rGZ~)`r{uZ_B?L5^If;%9`x9u4m(Ysq*vMzr3gS?bI zbTkCgo?$~p#M;BKeHvZPtSj9-(-)yDkjx?yVzxX>*vX9NQ#wWK)?&}J)s`&d(*o#`@S zPK7OGa6Kc`DLN5NBDxkC(=e(AhF!72rK_!k>MJgfFedB;-{X-LPA|{#eCGKxzX7cS zce45NF~v2KOX2c=^UB&X7)Adi+?v#^x8!u^AYo1dktjG}qhdt$PC-t0DfBnu7#-u(P?4Sk) zwjn<6xf{)A5@(Xk+_q@t#Ur#>GfsY1{+>4V3>ln!tD!5uDu)|NFD#0Pg4e9|h6|=6 zRu=x?-d$DNjYEl@Y%Du$lq-J@3{OfVbwOF`+HG|#^j>MqFY^TV8U(fK?d5!;6VZg0 z9h1sX`6zjc$^D{ zxPkP}%8<+t#)Dxm6LPN_bo@g3^tXKfTVgX+n9Z92>Bo3cwHkJwweO!<`~Kae-hZ?< z$yqQx@`A#GVjjI@8lq?EJP>btc6C)==Lo^8Z+~utY9a7d4eo}V3(|@-{G2?D6rF1vl1U2BW~*o#VI+Nbp}wL497*( z?dz%q!?<{u3M_ixyRVKgmI)NtG5MH?&^Qd# zMJ;<|`#9Eu!b2$wd{}7(r&n&=)!;n3MMW|FYBQHXW#cxR!*fM^_J?`M!xse1GQGZ8{vE$A7o$F zS!fOuwcJW<+hQjn8tMZ}PVrc_t9FKyYra1)%8TBd%Sbz1)7!#YLDC`eEX0tF9^iAa zqxySAoJb^z7pfB}vuK_oLks{aE=deeUTBsL`xt;EOgUHQ(nb;)d%JB8mQv@k^@Cov zJ(taEXEb&VzUTbba?$kFfOss!f<>VTrhj{0!5A#Csea)pDot-Mj^Uv6(+%X>I)Nso zraEeTvRjZ1XbG018x|h1pm-YBR4NV#cR~-@X?Qf4PjJhwPpb6u?xpep<;a_&#%VW| zgJl`Y09O+7D=Lth&7G-BM@lgimj&x~9_X*F!^zw?8??;+SKj0@g|B?2-4B{fIZOlyZqBQ%@k;jD{oBy5m(ET<<9{8xcKbgCE>et(n|4y0m( zzRk zm69@NrDXDoWaU3rOLRUOtROo&n5-m)3Bi@|U^bs@&Z|iqhQh5c-ys4abyI7ZR(nT0L-+V7ox}&ksHTbeD4i3u>mI+bFFi2}o36|ao~`@PNM8@z z;cl*!99o2+^JE-~XD?n!eJqjnVxEIz+B(~k`X$yi(%bkgv(#k;7esgPfu$guN=c3c8n4m2zrX{okPZu!#ZV6Q)F5`G+%}hwR7p2(3n8BEa}C5jhMfx zh>oHB{<2`mFV4yKEWtpwX9>=7I>)|$_Py(@Ux6*lBzDGEZOwe% zY#;A-`ZPJctK@{z+7P#-h-+XHJ`aLzh~XFA7e?a|_ZvF62N)U_Is;&f%m6&Zd~>ZE zDWfQ~roKSG`;OB63W7nBsA0|DV=TlX?76zpGw|NCY(Z3$fbo%`Fn}p0=x8b|5a|1) z)mdMYCAU3T4Fx@7*7v^mf$08TF!gi7SPw-ZLIN+DM`)_C32JodJp6@T%0xG;zm7rz zdxE~R*qo)05AF=Oolo)Fz@~T@Tp2QrJ!}JTDvL%Kv*!hS;xt_xI~9m+C+T3_sikdc zsbtR0#=l?e*sj(-(R1vAS>N|fT6dY{c)pG5?-X0#0;?n*QR?D_rG%H;-9d`0^_A^ivUz!?du*G&CPwJ8T zmr|GpDur*&ZK5oaZ_t-TQ*dK9#9}L$hR0+V zxBMV1G}Dl{Mv{PPcxKhgn11?nwzZ@yhVIJIX1UeMkOI8+%MA=m+}#(BZ;!(w=C-nv z$&u1~+Kv;4feC)E$BZfpo#^!AKob|hAD`U)PlNeToB@~=fum&qRLy_oIs@oRW)^%R zUJVlw&gO`}t@tD8K6}AE%ih;NRRB6Jq~#Kx2S8J2C3!y?xJ)XhT8t&5@7f@Zs=+a; zQ3|{5xlT5aw?X|ZWll(_b*)g364>#M+9+}@pGU?Xr%6Z1T5e99=Xg~O zxgb9tf5;A6dnid{<9J7JNvEhP8o>(c(W^%B*l;3;;;Y&d5)uN{lOI-P@)H`zfy7@7 z|6#x98sn##F>`7A3Nsaj)a-Ja6|CVZs{5GoSjyou-2i8(6_M&~K zMxW;Jw0F@-O$p#`>K>b`jFzMImxa1>KT#4qQ7bU-Vk;r$4qL-m8@jiZ1{%wmE2vBm zfgIC0m_Joen8fiF!%Xm7nk*=Dc(V)fTx&APEX82F-#^-YqK35-_V-U6g@ z80tW(sE8Vh31JS}SWt+qCa}L>M_?cO3Pk)7JFG+I9m(Sb7N~K4{&sb7Tz&>x-)cs3 z!oIUPUU>}!@xZH!0}_H-echeR%!hl6VZ+8MK(Qz}*ptNgpUALWCmVqGbegR`Jf}YT z4I{5SAay1r_`n2G=@b&BIC$`3O3^gb8m$yOcws!4faC#l_EHW9`cYaW5rp^`jm_Tm zY>D{chOvVWdLo}w#(5wo2fx=5sq$q|t>Nl80KsKy@ytw;vCYdc3<-Y18-6${|5Yc& zGx(Wlr15K!&ce@~Mv;$FITXV_s)Y$VnZ_^M6LRJGubB1)VP^%Yh##I%m9i1aJLI(+ zx{vxBsnns<4M$sG9;PZ7t;P)w!~Bb)I8E5QF#1XDlsK6U#-8>9$qimXQD?=il?hYZ zTePo0bvC`s>q5)a)92UJiC)t!=212D39k$5koIn14my@A#GGyLbCIodJ(sKz8_C&1A znMSil!Eb=!EFyMJMu%bpldSk&K@VJ|xzdMz*o_n^Me8bw;LLpmGYe|~WBm8;RTuX%>r)xA+c_q^irQY4ERvQ8xQDhf#2!-}5vjN0W3 znHOz-cn20KJhz1DN#^lT1Qg-D-`#)+Z%u4H8?bQl!YRd!UbZ3Vedr-$I(C0C4s&l5 zX`Kr_iY_fcWutS$O0pX!M(7kh@*D6NHoBt?hsE!+WHj7YkmL5ssK>Nt9Z=oUVM40{ z5=y<4Xc2CY@pKQwEhoIG>GWLwv5&sxQw+5620}Zl{r(Y!*gdIJ@)+aYWel)cpUp%J zgYHqid>uDQ+$6A_GnI3m+q0gzJ!`DSvwt$LfZyNdweXt{6X(|Oxd7JE2x;ZFqe1ZO z#cmT+1}A`&o_>Vi;1ehcHduSTh^!Dn7Y}lywNvyXCkHCq#daS=N$4Q;!kSdMSFKTfr`PePNC~q(-6iMJ9&>a{wVP zUs9G=gcjzH0Xy7+!VN)d>kl_}!!7I)7clmXg!Dl@YI+HN-@I4!- zUb@1=;_>KCBW9RyOQ*T@<4GnUK9WGF66VQwS7fzP($DzK6n6op|JluvyZCR!O#xnt zc3;m)@@w8ene-Zj;{C_8bb)Gxn2=Qr6#lzje@)0B{*V-ZBjS5Wv)R>7GLy)+df!?h z0x?yvjde$HM35P*bfaANii=|o)ZO*CioeR};DO_5qMEYjo^~YtTjL24{d}nCT0Uix z3bW8yNDS;QmzU*Q4!8kWp54uecScznmp?Mq_3xmHR~-G!I2Iq6e54HqKMLxm z7V?Uw7Rs^hy)7gfG=376V^@HS@MD;yuhh7-Wko56qJ_{#M7N6Zn5zfknT0O@2~JWV z^l+!hD0)E-PqnKKc23fBM`x5OkLCm5PfGIL2|aetn|Hr|@pwGUQW$bfeB zgI&bKLR5v(z6`R&#v)Zf`cYHs#i&M#*PNwu;P%rV0{hC&jtp|LnStq^a4-v( zaPz}8+tMW3%PT7hVbsw*O)d zvmccT5~kP=MODEHf}2$w`V2!M*VSLh?)%Vioy3}J!$sm4(81jhriM|KS$*C>%Z=*r z#=~ZTlQ>5q4y>m7Mo&hZ8vuYm4-1zW^ao}iQ<{awQFVJ)3M1}@+2rvd&sKCw z^0b-pP>QnX+ORO!VwEa#?g@Y|z6+-$@=DU#jaH}z0`0~`mjb`!Yo)$W>z?*xMUiVN z6b+Ah(hLuPgFcpy>jj#(tZ(XCS%!TG9TEh3GwHrR+r!gFDv*tL)|>(`i91kPxOk4g zrBa*?!bu(_{j+sIXV$@9njLa@k5u>rDy~*{c3XPvz8!E|x_JNk;3bGdWl*z*iTL9c zEQeS_!4NgRt@p8qL%~F+>}Ev0v>23hH#aaR3tOU$6_HFg8ZONj+f}n8JIYgfb=CR? zZIaAbA2#2pvk;rU)T8nx>}zZDg8@7U=d(3phOwZ8w<|cdc7TcCmYnd6WrvVXO4HAQ zDOj@+o3~qLCBR@HQ@X8Ga7c1939*xJxE3vri-7HxYC@We4h?MvwoNm>tn~)IE*7T+ zo=<}{_Nie>loC)Dmj#K0H~!yOeSZ-|g&KZinyWNw8OqUU==lWU3x<+ zg?WNuR2SSoF`GT{exP#zpc=&y8M#oE47&#iTTOPdn9BnrsyMS!P*iaP08M@e_A-z}k1|6+XV=fMH<-)}f zOC5!9DZj;BnpN^3GF41d1{_IwmXQ@8j$C|8YS(;@&q%VI^=K@Pbmz1jzso&2h2OL7 zDYHi_V}(q_O%V)&rZ$*}5AC>_xXTUQ>oE1c|%jeB;RRmzohMinurnAo={E6YNe zr8=lX9usPzQ<55#5Fa04_BraTzr@ChJn#b?3ClSZc+T&4=02;VxW5(sV;$A;H?!y$ zJxuCm_?APH+B7ikTgA-&~i0L=r=kOCA0 zI_ShuDX+%mWL!~Lpqjrz;Ihi*>9BH@nR?~6UVgPBKa+d1`UaNKC<+70FE z(HQI7`B2IT>4~86I1vkliB8y4h4u(0RXLIK>I}f!_Qg47Xbk1as9|XsV%c-d$twoevrECs<_gMtg3S{ z;_hBw-fFwSQ*Is|Xy6*GC5X1oMNSFUaIvL04%e=w^HDk#<$K=E-o8^_>=}iu>FG2o z|4_p5M?E*Hz%u^R0!e!oQ3xx~hgheQ=*wOxP7^n~&Max{kn2`t^70?RRQMR(SpdD3 zA?d(JR>3*Em@nd5(p?nifn^)*OdjvdIy@*tdNqn)R3V(bO#}L0^(A1UO-f+z%$(9e z03)-zDoiM$j^N%(y6N$mHZ80I{nVHL#)*DIu_0QqG%yIJB%R2+kvEvEtbLgUUZuOi ztFc=#X3zy(4$UkwS;!YTxw@NMaY()V@Yr1Mw67<6ye-?3ZLS~${E*_RTQXA;(Mpe! z^_nTOa+AffTn{hnQ#}ntRHSs!TKT7BQDE|hcajq6f(fhvheKuX6}rZjlW|*G9*!>x z8!9^cQX3qF=K~)#-g(uatP&O2aM)2g@fZ8yr4j#M?1#z0b0RHJojfNdPImuQecQCj z`}SMRtn%|tnSUB3Hjz4CCA0u00>?-D#cCCUvZvC{o6{cIu?THui+L(5vSd0!m@4zl zv9b&fOiD?!m;AW*vLZ8Z540A$;DV=`RP=kCXl__~XqYkxVz( z?N$e?dWt5gK|`8j-13k`bsp)^s?5x12Y;x3w&V>3I)`V}<&EbA8o(^Kr2q`u-X(qW z+c{DCH?$DzK{^@<>dHkgT6}MR@sODc#Dx~T_wcGjFvG8_!qVA^S4d8S=`Yrpf9?oq zB$kq(U%{kb^A&WNoKVq*mlkZ@)0Ra>hQ&2h`%|$r1G9jn%S;lb78$g!qb?_y$ClcZ zSW*=yFDe)fc(sN-?;sxt?RHN_^B4%J7Ok zfG+CU<+LzM@DXBqjfs^oC5IAslL>o>=|+ZSUu<$ zk4JlVa-PuEROw<8W>42V7u$KQV;KiT{90LA}6 z+vy#Bj%D{fsPgnR8^&>8xj{;vk|-64SOR4dZViq+vZuH_unqotAVgG=Qhs+!Vdv3= zULrOJhP%qw46k4GoWNGBX{i7=A+N0>J=P+{ijgUZ48z1gcNw~u*4B(6Lyy5{M3MhH z(*V8bZ1@&}15Gcxm}sBCiep2oH3z8;Qt+E}6QFGD`+#xcap^-iRQWR9G17YruB}lgm=CM5%e3(s@rr0pop<3EJ*E0PlV0kvV zDZhROw(;Qw&TBCL1lt1sMuW7Zr-HDFz6!txuOkDGe!;7))<6bzTHr9SdpBG6`-SFm!EOd7srnX^g|t zqj+dFO`I2%RCeSrnu2R;4hysn)Cm_oaq3Yw7nrdZ@xard%G!&j=2lU%J(Rsk~t`H%MZ<8NVmSS)kVew$B9Nt)hr>tCy zZA*$>43>qnKoi7;bd1b;U$z)|%<8-`juW>tdb=Im*)nn3z+@PIAp6X(WWw6U57*f6 zbX+D%N{sN|V|D5o?d^+C>*e!fSraMV%lFLE-t>Zy@1h#7+Jyut#MLorcU!gO1D$z( zJ=VU=BzZzA3_aj8Sw{%+Nb!mh)1%r0N`NDw#l?v|BgwL&0YHo(b(pA7vD+Gq0%jM7 z=G@Blw?~*b=ad-yHp!MOv~;sgFG-4EgDYoy+qIQuA{5ica7~u7z8>Ifp3~% zIJiN=x-6FtTyGfHYp61A`>3$14Ux6}Ky;4|yb|PC8qlYrKKZq@G*JCGBa)}Gydyj; zqFCwb`=zIP{Oi(mo}-T%WilGt+Jb2UTiPn3RL&;jDIO=8m{|^FpdOrwnia%e@3wm- zzpxH5@ic=x63W5J{qXrEK$Ax`R=iY#|H}%ySq#gUcscs_(nhIcAr)OlP1Gfmx3Agnz;~h8J>S_|Hoxa)BmNlWI| zropnN&n=iNUqR{mFGH6e{MHkT77~u>`xO`YcNTANqSc%q{Fu}s?(3A^*1ky@>>P1j zH{Q6g$}XBzdz(q`+0EM5goI&x3B%8iom)8U$^QH|e|{SvN!XTKH_vLyu`sH9Lx zyUJ17Tqw-#f<4eNeC>{$EQ?Y~{qLM9A%HUl##+g~IrW_DQt)Irn-|P!N3AR z@CLe%WS0EL5mYgsKYU{UltqNbt3F0m32CJIu4 zBy%J3XOd`iXIv{^Z0z2h+72vloe7t^8Le+MnBw0L!>P;k_U}z)fW7z=kB(nuLYIIO z3$4wRvJ&6j9f^dMQ{!i<7_2aMR_tG&H}Zy!!K|Q{|Ki2_bjSf6WXD^IUoHQXZIZ&| zc&LF%kdp@^34*KZexH33=gObgT>Zjl2N@xjiZzx9M;6(w?59?R)Ts0Z$NYu^?KZZy zE}j_$Jv;mg9aH^nHH=x(xFu})WAgUQQw!ys;=18&2FPNDh6%*IUp~U%x{rKO-HXLf z>a0V+Hr?pJ{uaUWJ+28514yC{JrvP%cyJZT!Y13WmRMTAVKex809V8s`p76!{mos|e@@2MnT8-rWz zmH@P?K-Y^Dr0VK4trjpSO;PREm@}Sy%$NgjU%pv!xjnxad1cw;twAZUp+eBk&&Lfq zyx7Fx5iIEoilvEnX|UDTcZuw;N_SO$iF&ztD(3he0M(CfqHZ~y?B9|3==38*%Hahu z<4>{7p+jEs9HKwnC$;ws4UO^ggZ?M`^RMM7>$7pD9An67L!CvUa+?qv#UB#kiR*sk zo-~B}s(4^Ui0LTgMO?at6^3$RV)kLPZ;PIEZVq=u*o6j6237m=?ofO61C1>rrrmBe z_!<|IC!hi`#I=*@^?V%nxkKfsEj2QQVaPzc@lNBO4ty)GxLV{%_h4Q3$25QUX>pvR zJxY2&(wk7{35j|CT%7B~A$y7CO6ozmVCv0v8<<0n>akIfLRaX(*H)fD@KfzjL1M|1 zyn7m`aft~96+iz0KXs2>sHihSN4OZ-h!~>Yt2VI}q5=72h^|@_%W2>yts((pthQ&g z!okl;x`3fq^)$35&wb7&NHC(VKMo|v=V3B@?~j}j`d0lqt@V`BS092BFJ{G)mp=fc z0yjqHyf{<>vPx6@riqrxi0BMB`9JTJ{cLcH;g)q>{@Fy1=&Lh%eNuc&qPO_^QglH7 zd?(Kp4Y<=9-$O6Y-k)ikb?^s!67IVp_2e3E?qa~8rDNS}!2)^Fgsg5NFFz1GQXN(X zKF-c6Ln3E9`SAOTr+$&*PSum?O)B;j8c$^Syjtvd6Q>Pmi`6WCiV(zvCC+ zfm~vEyE!$Z%C`wtx9;pUZU$t*pkzj!`0o|E0*^75)}Y&09;}~i3sSlD%e*NK#7?$l zVW#to|JeMRxK*(2@pC=*^p{N5@k^Za^zB~0_orfR&h)2qBx#+AP64iTPuQ;*WbW<` zKDZ(PQGzT)@CjbtPky5@tT(mRIVVNJ^2r%`VCOB29f}=FdnUhr>arjO6YM&jX1?y8 z7`x*daOH(lf@Qc(%01uV^7fQXmik*YJ=SKwF3>$FJ)C_#1_@`Tp7vO6|9W+B;FiaB zr|{rpZ3QJRI%&r1xB>*lA5$Ey+VLiCAMYF{glgCQdg3K}XPDB9Z?kSkJ_K%``^<1_ z(1b}~rp)Ptd1>Q^)D@$*5j%&g5vQJi@Z|%fm zxW%V|2kQh7)9tjd)hFEVk%Mm^4!bUy`rh?Ad@;L8Gq;(Ibu|+lp*%t113n#x zalA4h2<%STl3kQC3B^zVpWm?49BF?$u8TtZ|YBrG1~&KT~=hIzTq%i^hC$Ip~L zO~j^cayA+tH{69c=ol6+iD|3i)aM$>uAB(a89AHIQHKj^eMo#Fm= zel8G=lfC4tXUKJhu`I`E4%Z{FD zll2TP=1TIK?clc4ZYcJ`2W%e59#r&rkU(2Nl05~HS+0zYqsO9sSJ+bXc`PS0`ILbkIae=9 z#by!J*WehTV6#^m*;vL6MF@SK5nEF*G&Bs5|5f&9d6oU9=Rb&tckRSxT&$|rf048R zD?%FVmwz~ZH|7Ru_&)v_UjnD0kXgqLV|5Xp;+^eTfZv6S`MIn+|E67Xl6fyYD zn-`M2DY~2p-w|}L*tY7YX{EkgdDX(|ngUW*d~3AjLKzxU|0X31f|;3XQM;N}XKY-?=mAXiL0I5&9jLdP?_}X`R%2A@i)^J z{y3J5KEKYZ4j2$_v!}D#C^8mwlmT=3zwuXvDetnn;mF!d_?z*tp~arvp($BdQ5TY zRC>L#9o(bgRl|;O+JbUA1 zkNP|o-8>PoM-gCrTv{v`jR@|4jq1#jK_Rm^dphM$`r2;4weJI1Md;>rHUFXsBfUgR z#0Ny!Eyx-T1ZAp>(JI(0xkvbPDUZ_*#LQ@=Mox-|AoaFN+RwgizOYhqc$3fXXXRu% zIpb#Ck%{=v_uDN^1Wth#6yF8$+tVcSdORSB1_< zqa)5dm^-;)H6Z=k0z((w$4Hg>CsU6*yzB)h@JGU&t1q2bB3{}((Mq;nDqDz61c}$< zWe;~5%=%Bi3%?w%^$O9}nitz#JuUdUcd==207QL3K4hVzmGTm$2_o&&NZ*I5JzQtw zaQ+*n2oR~zQu-~igsfK#2PZ5i2ivO`1#Kk&@u=u+A;E@ZJH~wf0^xi>Gt=ZV^bn^v za?5%u-sM|QZv`&lBhvDIGTgx3_*QK++IX_=#qM)@W)HXk4pMpJ)Z>1ZLqUsf&@W{Oia&A zRNS!!<_CTienOjk`n`WHgTbMSZJwP7EjYA=P37Rq*WnXLgZ8AI41MOp2)S!rMJ9t91IGEfV~36 zKr3B}y`}dG)!m(j^|Sehn(CgTi*p0lNm%nK>OTg?`J`B@RCHw=y2*_y0R7=>7p&T- zATZ^*M**-qvH70bkpokL;Y!>ZiQ%DOJpwuHy}Dn;tF$!?5!Y@WH-0&(bR2oOYe?!H z{gg3C)|b|pzkbiYje|1qXh2qM1A+T`TV>EB_oQ5GhQ0{jn8L~Ok-XCGp1Awm-uIS% z6?KpHwTMAH&lUZgUD}*D(PRlsyq?_$`GM~{we14}dPXc{s@qv2#n+4vn0k5Yfm6U0 zHcQ{s4Xy5=bt@A$9&et!2ua9fb-q7#G%476>B-qS3JKmi$C)2%qEe!1eeobd$Ac6&8TYA>MR^Mn3MQEUy&Zh4+os7w9hj{svjH%j^spX$P+ z^+K?Q!@^?v!u9EqVbPv-9{Q)tjSq_hk2`aDXvKyX#l~dlR8^2Bt_J!Rl``o3*Lq=X zO|GpxTc|>X{izBJU3a7&_4b1&3ugcoxM2gP3bz}9`0aX5yGbzz;9sLy?tvC6%BDCw z){|V@*MBt13U6E|(>h*CkX`UoKhYHp7o*)f9*$`tqDz8+S=^M?kW668s?DKysZsBB z5SW=Cnp+jEeVcU{MAh8v@#Aa6SxJHr-KVo6*=~irGby!$66F}*KiX|#ilt^_R{#}9SM&1M#uLpQ_ocoqX?-uU) zPQqN&^%!19Tg2$r)?O_nU7K5l>YS~K+$*PzeQdrt-24~hLFCfdfAc(GacK=AcxulWk+^{k%bg^zr#VxC{! zXr6M-g)=>H<#O>PLKEym6HT;?_rx+k%~ZMVWo)~P{sr+pqC8uEA;}v!k30VxMD0*H zYdtk)03Iz1`Yv}k4DG#53=d`yh&*^G;VKwUgA9=gQnOE(m2Gx!L5gf`%w>qw@oq4d zsc7Y?^1Gv7<(?!CeH!NppUS(}m=7kk zCQqHJ|A)HwjB2vox<*4$K$K7vkrt4q(nWd+0*Z)$iu4W&Lg>8*M4B{3r56#EULw7> z(4?tALhrrT(2{WO_-yz4?fvQ)XN>RsIsc3|;<&F|tIajnTo@gw>ZM(@zx&;Sv7`D&b`e{^=HQyUgr8dXA?uI;1v-tgt zJ_USEdSm`kMxV@Xsmg_;<;Z>1HQV+EscJTg1*L+c`kg_?triV>|7)A|d*+9e3F0l4 z2NSAF3ib=$JI5$=x&2liu7!Jhu)XTvcvK>4c-P8oS99dlpr@gttd^KzhHg^&o;z*v z5~^+=ia6SxuW9rkp60H%Xs8ZTXnxdJcXPa>`QbTsc}pJnlv4|0B=dDtGrg7^6uyY&T*i_wdKnV=HsRQR^I$m z=Ov=)3{`wWdEBIVSMh9XJdZ5Tn3Ezqr|#U#&+*sDV_su;RSpNSUj}xVbo%^%HvLaF zsZQv0@R+8e{v4l$h%ZFT^8hm)?<1oL188pM_ol8lS-+^^tU+}H&9BMncIc48$1cBT z?U&g@oo9-?k!&MqMiX1FUSBmon+3Ob@eIR>ySJR#AU4vpouKg-QxT}t(vdE?7X zb~5w{n7)@8*WC}-==sPEQ>P{wl&Jc?Pc8W_>1iCf5K$z=Tdr7`)b$DFhi%1+gfXA_ z%;Uq3bU)OZnc|jCOjRoIC)N0LfaGDssW5Mvnht0kBD%UIe;Dt@$Jl?X~CbYUGd&aAk3exRXUDcFQ`ys@j&9u zHt>dwSL&(7L2-VleM}MO$CR53xV>|VgFT(xl7JehL5Ih*Lm{>H;SZGA;Jv$DDuxXP zR)aGbG2bfd2hIGBwDxa~QT1fc_4-o|3@#7}(L6MU^NxQ!d;6X^xpSP~X0_n{_ba&c z`nFfob!cO?{c?%@Jy(wDNDy`4S;+X9j>;El{Cjc5%|H@O#xPZJR&UeWPpkzGV)`VZ z`CoDBcIAwLphIjy#mg>_;rb=sQ+(+ywdcF~BmEP2lj`@>3O%AHYb;9kd@n?TlSwO1 zTJ9ury|n3&BJI9GB*a5qX3Zub2jD-B*vAo9XCAGH>Ed|?_mw-|e06zKO* z%(lEyq`!6(vNtumEru-0a+_CkT&IzUXiU5&N%Y#Pn>Q(o=h-Q@ODuiG0|DGP%7BO0 zVMBU5szS5#E5NJ6J^TbDq0x$>4Ng_?GVjF6cgZnwGGiW1Rd-gf4mVHzol7Rt;PuzB z{+Snk+WBe$M0)S!x?urwQnM0fa=ZWC@Rkix-wq! zFRDPGHz6~XedwnCw<_wE9Dy@C2dSP611`RzoOLwGzjhv@fStz@4;+&jMq+IAMP|E9 zV^Z|rf;-VeNXeFX?9f(DO6K*WSBiK10H*e}yLE5q9tke3u$YAO1{8TWg_g|#d^S3r z#8AKC%E=PjFl+@^mv8_@!i z_NY{R_ghQ0XjijhgMEV(ZS zZ%!b13}C4@j3>Ww7g-wnEsl>IiV_nEHQ42= zxvcX=pY(Nn=dD*b1T(>FJnOQ?Jhg7lRRd@X7v0lA7J=#~qt=BX`9ZV!w4hz|r3%0_ zZa9$SjrE~_0}69r9(w~8@olp&$H9-mySuZsVH+-wG~fiM!Z$uzs#EbrYTW=#0?h>R zJZ;EgN`#+gtzH!0OO8D?3KLRgF3Oi(lwSRO5vw+EAH+8bKGTH_`EoYPch0I4{?;X3 ze-C?JTDb*Hc}sBoCnl03Bm0feg;>+FYC+YBPsYIm5Mug1c8oSVlnizdw4W8R~4F55BiCs>bSZDLcP z9Fz+>TgJ}m?h0Kt#s6;mKja}KV|2ype;pq=tNhnVyIHby6+kOYsa6ov`aYKG@_i{U z?)JdvZRwuaC!w+hi8Poep?)(1JR*LGqT>;Zg8EGT0WL`FqIKB=SqN-JBs)h6Nt-2y zXxaP*Ao@p%G;1ZC#80(juPIY0_+MM@{+Xj}=&x%lm9RGkVKJkpiI%J=5lr@VhGVo8 zO;=cc>}3W*w(r@)${rN-1wHmVx}om&#KeE?t>(U&-LhGidZ7&1U8$}Z%^Tgyqn_e< zX^u$Mi?kZp$+$Du*K%iD^rK)MR)1+U%R^$V(c~o_cdSm*_*n-hNrU?`oGrwMIDEa8 zSLcyeEQWEOYk*L|hvuZUL_1eW7gzeT-ofWr$*i=qV;kQ#oZHS6&TP5P`@rvWvAs^0 zi!-Zzm-lk-=qPm|0beWLDaVS7y%a&4h}7bmT~tC{%Z64oRZ=@8=4ZRQ{4A<{swN}% zY&wLW0XkYg;Ks8j%B)OcW1AnYu$1)h23XxiRm~@GG}kSj)^}8FLN~#baEp`58VwLg z9;Bjl`^ix$s>hIz@jd8pW*rWW->6jkaSGNrG0M=nk%xO4zqJG1JQt7q^gg8pAD5N> zJ}j!%_~3UraS`>1RK89sk%@u5|CQ-sp7aJqM1Jw(A6JVc=f8+36)EtGiG1GC?v0|7 zzOi>@2vgSKY;t4bsrd7bkNR zOkE4fWfN*`prNqrHU`5_rnT~Vh|6w#D#i<9?8MRCkw+p4faR=$WvK-K)aN=^Un=_5 zu8sBFWJ}?B_{71YN?*DkKq&ywjD>`}EQ)|-ilcvtdR1Q~uvc5N7SjGoom&0Xik8Gn z+r_ZTvhhT|n(deP*GAYv7&Pgv;K|m9DX4W!A`w~z(fzgSF5l^QWWH>xHHx*$Sytff zwNOB1i(11ZH~0dJ87ghXLI=Dyzg^X^*1e+g6zZH^?|Os)c!NQ;Ubs>{42PhunAib2 z12KOg7D`6>!Qj-bcrZp01S;`vN+-*#%r0ljG#uc_0yUceJYMggB<*Aw0;KYmt>jPU zIpbJ6g9}CX5hbWZ*R!a(r-j{lhEBXk@}PG`&UqTBd#stFP7&hb;^0{@K%63sSiM~J zy5qY)^WVd2>#VHlG#ttrB?lv`9L-A=6Dr%V{PM?#J1=%a2X%~`7#r@2-C`u7&Ii6S z|IILq=86NT#BI+_uf>-J(Xuy}kJP*vRd*sSEw|<^JCV{^{-(`0kRJ{AF zC05RNbDZu+(3wv$>w<@xUl$=3X?{|5+PC0?*7YU@X>To@KR#wPi31H?!7a|wl8ZJ} z?@sLLoA39iJ&WLj?$;QH8rbY-m zuSVUbZ|saNzG zPXQ&2<}HV&Jo8uFjt3|fJd-zF@TtjHh^V_8sivzS`)ghOz7Ca=u??Gnl!CFvi&y5F zH+P4b3g0F-Z=lDh}&@G04!X4!lvqU92^oHhr4^jZC}uzF|E?w^XD!T#V+=l z{aD_D_~)Gp3(E$lTZ95*8uxFw`u|OV0azPzok4~DFB0ZeP_xksvew9ZRv{u>(HBo< zjKUj{DJRn;fH?k|MUdv_NN8eG$7c$Q`ZxMXV-2gt$CTxAnE6Da8ZE!Rf(LOqd0@CIA@{ zT}%d=Q&N`TgR#`!)GKv^w>Q7z3{-dq+r(Z?eu|6RWBh4zyexgqe4xPK`YG!hLp^PK8SICxsn*N%X4Ky+ zFNEu`->;muPA=(FRee*=CVM+}rYxGDj{BvLphQJw=XD;9I)JS2Z~2A$E?0 z{@D3&Dhf?fWZ}CWc=9vPlbx~m71lmgi-Z*Vax^*abUH2rJw~Dc6dEn!Vxw1wyJ$hu znWs9Nb<&2VgW$(-U-xXM$07oE^J%KIzsr3>8$^?jGs|Sm zTgTfH4qdKvJcaZLI+rVhYLAv$TKu-Fu2TC|7DOzD(#ar~N}3KVgPdW|2D1&Z8z=abt&P^;UDOc8eL~v{S(C7by@hor#?#xd&`XoDVwS<6gvloz zB0*t$`}^V#IC(o1z((#)xqd?yeP60jVB>IKLLoGbjq-IH-zRC{pcE*3!0`23uC*W! ziN)a$hu#NuW6s^vtx=(4PYzQ_!2HhdwZ2hh zV16FZPR-uxpuR&V(yWZdBf0{CvD-a}1t_SP%uT`rE7hii?%yb82wYG zhesaJlF9F?9z#;Kp6$@b8rUxc(1$iWK3R&(XVTR`*Sx^(=U44!BhgHVYU^A`;=DPf0Jo^_di%2`wNXxUijo%#_I;Ju>en2|eL`z+z zx+EpJb$dz;OH8tA7LfhD!VsV zwWXX~&g8hJ>hQ9D*FR^x&L-;pz#u}X5TrY;-h|zmStE$O2?Ca z&NTA?Pw6~T`N#7Wv-4#;$veQpZJqr3gOR){)r|fw0IH2O)-z^My#a)nPXfE*dMd8A zMP(_Vj)R@ZeQgKDrToZFATK(}!A|HbSQ;HM-AK3bpPe(X6i@_lZnngm(ArBpZ!228 zL_~c`7iWAm(&tompm@h!I>ZhRzkS%nei9lgP$x0$jD4FC5(AX;?<+R6;__-c5x~_f z1Fok3>{8hT?#aw_+3zwvS^;2$MJxRD`akG?{~<2>z3d-RS>AxE`S~7+N+Rm$#{!Op z$eLrmm950Nmh+oA&Zg~PIH{4>)ZGk`2oWwQ3i-<5(%@Xgh5C0uu9a=?1B{l1Mi@(3l}(oD(!+Mb3_EWi6E@oRA5s6+b9e)jziUabnr6R;UTtc<Muv)bG98hTgKdXobF88 z$j^xtxP0xU(Wpx>F6lJJdw-`hW}`B1EbVb$zLctA47b}E zUWuFx9fW^{{oIYo!aEyP4{z7$m{`-n$KZEEfEsna@bmutt3a#bQt23KD9w>~R4o+3 zTxnPExH88+$Pc4Y@fvY}q3jEW!H-JBCau!0i)-R%2k10Cxtf$ECjn;8R*{SUWrs%J zj~9p>(7Z(yUB2+Qb8S75uhW69O>pzi13Y3{hn`ci9y;)D%xz(rz_557H#u?;FjrKE zSs)Of#wI)`gW(C5$(#HY&i*F>ieH9#VN-6|gkJshplAP6^{rWVDPspdYes1??0#5K zL^AjpnX)mZOx+@PLt;<`3{)n6g(53xV7foI(R4I*>TRi_>*7&I)3YrShePGuByrn zOlyL#d!$AlI|a6+6{o$rV{KICKhy4& zxP50!Q*9b8J#w~P2LwLg4G7GxbrmHxJ))B`cV`!x&Ws^eD%x<_Bi|J$N1j)aef>f1 zRguq}JHK((FueY#B_Q~6+A_?nz3yPrQ+l-H2?=fQ7^T2K$aCSEUSqp)?}NV0t3^Ms z&%2ktTTRJqmz4wokbaef8|vv}7Z=Vu(dT7mk7lF7>W&Z6%U+gTPa0i1!~<08P@pXm zq;PtM{(K$T`GhY_9l=xNO;I`rJF=_K*$>(++Fl078I>!hJ@Ucbwz@RrdI+@J_Z z2`i~*GN~HNGdU&jwV(KP*qr3-iz~*+Q4U}mba^atLX<)5k{=3g8MuF>cyY^m&5}Eka+Or0wf;7 z8-l5dRBCzGr@`^6V>}o)$rSS;O}>--OF^m3hga9;_YvU{!9|=0eN|8AtTaT!fxVzc zL4fR6X8rMZFC>jcf#;Eu=8n~u=#^kq9TqvQYa!&;uzD zVSpN>l=T~n`;Yhre2~AaM1bC;@9N$qj5l~b2qU-cCNJ^SJ8ZOmA=KWTL{vfXgR!1Y z>MC?E?gZRswk$&w)<5p)TI5{qx6aQd9lo4kdO79L4~_E8oswsVczef z8&>+?o;?A05>CxG4w{Nefq73Q&<_T+>qV}jsStV4wYwl#l;HM}8DhR__9n#?t)R(~ z7Rt(`?s?3_4+Mw4&VqSN?N?sb8dd>BnC}2t)o_b?icPTwpV--tWzIsgp&#3P|~JEohbH1#2Key#}Vpo?Y;v(TLpc9>C;lt?%DLi7!IbuDF#~yk43V!LO9h%e2i!~BxA9HOJgU^)>!I8xZ{I71DuX%G zECJ^0uCv){d@$FS5?*?kc#GilL-&}&kr5=@UKYe$W3~A1h^Uk~zuVeI5ALx+lY=1U z%l8&TSKs`^s8tgk^wiA4**@mf>Gr1kJs8k>VEC>Oa+(9>d(VDoOE~Nq@Q=Ndt>m0Q znK2TpX1iC6%^41trt9++S^ZnxYCKjDCO%aVh`1Wxsh1I0C9yx-&uldeg|eQ-#tS*It9(SgQ)?X(uBvO9A=64(sb5TQRo15V*IDzCMeFU12stU)wLV+;?o!}}*H(Wz z{JB92l2J#`quhco?Y}MJ|@myYC<>e0U}qR~8)QR&K1vkOGx_ zCk;3aWXvND(!Ln-jv5q7Dq#KJZ~3na^OB94cgt%KKRY=KQOOyM~#g zknyxb*%;iY-)y_OY}He(b>u|%07o1HOsA|w4^VMcGJwO^6e*eND$Fm4wPonlI6=?D z)~L|kNb-yRfjKrBVIpUZ9){_x3Ca_zM&h=r#Ck_i2sx*=nYRg{>H;&7_E5WCl<7Jf zYpOAM74rJwT2U09+#TD6CL(gQOam3(JI@YW6C(Y`zrW)DvJMJGz-lOh08KTMqw-I=}R4|E0j!cStbuU_&5^0z4O^F&Ihxs5-g;AnaVP$u< z6|vSC?2mn}+vZ;qkGwD*B_aY!QB-)oJL_}J3ezfN0@@ehK<*uEGE@4#h=|e+D2IwK z|1dF!xREv#jBd2xh9*S@2MXm7VIoqpH0C&(w+?Vi)N#Tner~uT*NAyF8YE%Wo1(|S z5ySy}?NbR{9RG40|K%tWBmg5xkyz`O{PS~iV!H4~Pr|%t9g*XSl#x;Uy4x>-hkPnH zh4G~qat%~o+FM0)I$C92&$Po@98%oY*!x}?la~l%;&p=4@dH=SN=u3DuIs27nV{{| zd<)lOE@VWP>C##Gng1A;w&24jFh^4tiuywRAw6H8M2mMy}WcIS_i9ui8P&+fMO3+7WG(F}Xi|w3`rIjtY z{|qNnlCquafn|)%%1bG`3vS1Pn(f}Z3q8`I6_x*Aoys(eTDsggPe2vXLtwkm3#tZ+ zuPj(DtFQp)ysZ|uSk*xk`&p=*`S(#N+T$>eqIIMA)Kc82uXBEht>DvqwQ4;pv4T>v)&(N24hmWq z%JQg_dzL_h)wU9lT#2ml7Ek-CHHS?dJlLk`UF_i(3;QR?d z%wcOp%07=IjdqOFlGHiLm-|Q^CtS!?iV)LadV2c^Ae|6c2_DBEGHb0b zBb&>btx@+5Rt6etgm^HEVk~p@2G=zQe|3Ozyr~>OMnlN1M?tV#R6mDPFjHfD463isZvmZC1=>Azn*u(>(M{igme0vg;{> zCBi<&$D_$t>={J-gGJq_U6G6&dF=SoDe9ce$0Jdm@)Y(j23gOKlTfIiW)xdwvX+7R zhH~A_sr+wWmVw^DjhjHf4_%p&mpzDLX;MzxFPqgIVRl6h;|IP(|4i#~xne}yY{ZCS0M z0rH;mz8#O<_D+Se?NZ8cj`{m#xY6U+i`h+NpX8>hc~;ACKMFPt)iUL5VHI$=#_@MF zJ|zN=R3%m7iAh6NLsvyCluO@4OwfQ<=^90LNrkq~3jh%&TJPo`ZH6>3oDgBcTjWyz zdL(ZMN8;FYfsmT1vAC=NVhwOgqryuvSzd09M$LkY6w)oaSlV^YCN0ev2p6z9D4DQ1 z$c+KTla^!$#~l`PVB+Ct7w<#--GI?aU@D+%1V8Y(VgCnBZ>w=JooeBJc3>FTe`Z8( z2{{W}M_%BkXRMZ2b1fP8z?wOJ5hk_~D(?X1(M2K7iZptf?f|wZFNX5Z4;PP-unmJW zUsB zK}gU3?@ome*#C^#_til;oxE^qwtF!b+7bT(d?qwpl$i&0JSEi`f3qk_$}B2f_pB4u z%5tV9Z(%2*9@itzT7&E4U^Odm5FH~ak>R(SV?&m^6<_J=evTW+fS!EcU>zx|63wSG zA43!OPrZ#g+lN&S0i6?K6%Xy59+GJ`lYIA7-ZyN!`!Fh#TWp5&yPm3iF(sQA>`lZF zNjj%AY?_I8BBnX=HRYqCOSWOSsLyF9mgR6J82^D<^wEIb$!tl3&u5ggTX!~TzlQM2w;8C36&-C6Y2F||)U@3y@ajVyIXZ)L+J)sTU<^+B1J0>kAl?OKC z^bPE!PVqM_{-k=;n!KeCY!7Vtrk7b2CE z2sC_^2PwrFxhL+FMv3tyH#{#MGVr9>L{9GICv*YbOs7K}SvdPk&gO6BET z4z;fnYsb%BMct_okeVT5Z>y^m+|A|(1RjDaF<+oI(=HmA3IRD+wAOm-ipAY9y^QE9 zyNiA4Zi}hw4y+zeA5kaR03m0ix@OI7ioGsVEm^E!%nc32GZxhTd^P_8=PuaASLZ6Y zu(pfO#Li_kEESx*2eUXiCd$>}I`@^Ivi$kNJ)kF?B%jIElm9L$|6P2}{0jUjpN!?o z-BJsSW>Hd8w{G8a3ekN*Ri(c1Sj$Jum4dGuN$pU-ibBVx=3mJARzF0IqBR)7qe^>q zw}%+ow99zr%+ShqK)rpH!3fVFxe=ULC#=st!LYV5nY5=^T!Gv7=)HYfy!62fx6S;- zRECr(vz~09ql!D4VeOue>Dqboe4-Bi*GsgUz;DglFcuJ9vx3ho-M&C-B=emHMi6k& zuv;41GIKdy8n9l^M_5>t!c<-ijt%!b8%JG@X5H{e%!T@Hj8%!4&D;fy_69BJKys;g zXUxjMFl{$Ks>>#?@G;=t4E(YE>G2VAyRB3KYT{nrUafJ08-eUZTfxb8k9X51N;0<; z4b096#76#Cc>G;=Y7znILsqlSH`c!e1;@#M?xr}%-oV4ph^69IP3UXRzH@2sQh02s z7cQ>nhbx9T$v?WyIjk~QqTWRzGRbUCZF%yc!f9we&n(_&aN&uI4vBy^Q;rQ(qL_OWA6ELOyNMihzYA+Li>XB%Iwq86tU zXaY)OfIUX!mPirAU8@fj5LE-wm{%F~e#<{lrVSgdc+?MjsO5|-*o|%LD3hI)>4mz? z3-#zKn1jOh_P;3SmFyL+1_9#+(lA+yE~ zzHzc~RGy|tJf&)~^I`|9mOfabOz~&K{lZGfL+c#kSjYl@pXh&PX;by`rouF!q5_|~ z0zhzj>sUx23+_z?wY-d`?o0CYdbrYyER}NF$to>ze^Q2?9KpnE++kIS7A^pf zk022ywrjz9>>+NWOzDe{9gZAE5@?PMbm~&W5v+bA_@Pkxq%i}Ui#BD+<>g|x&0BoW zi%%Sfzv0v!RR3qE(e95ocs%kkL|Vbme7sNh2*uOp>q;g`eVEbBW(fSPn_VZMbsOGmAgej%{k zQjL6!=g5c_gqRk$!V|MdldxVClhEAy5cZx&Yf!xu!A9?Y(cFI&V$`d3`N?VHUHHoV zy}XrdU+0m!kGyLUhREHjwlC?-u98NFG7-4(i2eQ1Nnc#=0Hf}R8dXXyTgJG=zP{tQ zOa`mzZGEs1ScxyxYQf?}(X?ml19J9qHXeW6UBZnsUlfx_~;0Y@s zXPE$G44#dYS{tB^Obh_zpyOHW-a_C%Q?0adQxX{!`0BL+uA@Xn8FRT~U8O42W?I;1 zsuz$NX5N!ok+fm_ienKqK#|__Fd50;OsZe%MR9=*4Eic!M>lm zQ^kvHF)3DY@pjwIkM8*{oT}{EPtQ?gJce%vQ z-nnpgCKAlDL096nGK64X=ve%!v&zwC20wt+Zy&NBv+vywYqGy^QqzDJm3+0Inxj~Y z3vaRF#~xAxV98qAmC;6XL?B%8 z&-Q|^>R?m%2UggDf~`S1!|{$&d?Cr}^%mo85s@&90^N4JKie@ornJE-t6o7CySJ!f zVl&i^AEv;ALi)tl>unhYa~SLElG@2h0;-DSmtC*XlCy?yE}> z8%xE5VBOFj_WUv;;$*F`ruOa(kn*^$MQ+}~ZJ-@vCj(neR`#Ti(MQw9|==c|_N#h}~QCf4q-_-C6=gFBLtYy*nLbPbPL08U##ACOdE3TJ98`uhLb^VgIIU?mr%uqLDU4D;7XeQk3LxrL=VnAs`2DPw%K=#mv{e@EG z_Mu*dJl!U%fwW})b{^9r5UaUp^n=`d&aM=<*`F6X>qdR>N*#>CD2qn}L8A(X8MPYp zsLW%$axpOHKB#uJu%?SgPO`)hQ`6OTu1ipdYRCuu^|9ZC2Xz(pRo*uW2sBgm=sV43 zp*Y!b3FD{x=6^}yTEpeZ10v|w_x@_bbGJ=}sX-<>8a{VeWQfkwSR1pD%kX%r?jUqI zsPSycjdtdMomE(J#|6eD73PGN!fc&;!#>N2nIA6#kPuhR_enr3Uvfju`MnQNEYNjr zokvz*HrGvVXLM3ChO=NthA#tgrP?3etr*c7D)5kQoLUs5Eu_m~|4xETYzE6t7*7!* zcLs&0GvB5&#fC|~kgtWjlOar}_^u%jM#p*FSNcoV6{FnYZo`93mIB*zz~+c`MHAHV z@%rH4r~zOA7P1ih{Aveq^^`m^f%kR_iSe<8ypW_8i(8;ITCU)-w*$8f^9j36Hf60#{Ab{~+hAu4sHJo$?G@1h{=A>I%ZonRlF>Z2C@|0^K zzCx0ZN4SW;t()JS^P7(6{S1sUq)Gu>gREu@h|`4UhSNP=PhP90ojeV(3ZBFt>(*@M zVvZk!tyd#;@l8e+J#q|trQoVLGoYvAuQO_rz7LEt9Nd5I>Cno^PrjZpkT|$J4A-?~ zeNY#rten8rEL`D^9f`D_-5ymG^5aOtNrZ7gtnE1B;CqXT!;`wZYZma?EzN#>?dVE7 zO1+?*${krZWl$cyztEfN(>q?=e3gWQkl-!CS6t@FpvRkE2Vzy@{0@8#yrxJ{x=U53 z?)^RU;te=Oua&pyx^c!y=|^FPem!pUmB+qYMjqo@V%|G+->61yKlA>@N`=B{0A*cT zc#19mpMy6!@oX3Y(VvbPi05Dj85_0Rx!qHWEk2uAFu1SdaybIRdJ)Ux*L}WHec>hy z%^eu6m+sYjoISYWHXJUxCfN7N7xPT;#Sa=wzpdizz)CV-JAbC4)L~f_OlAmfFv=n- zS~sZL?zC5O31ZiB+hx=f991yRwr@}j(l=*vVkQP9j8kq0*cfZIcO&TCvODuDAtyCF z&`PJh;47`R(I52R8e;D8y8=D~w3H}A0<*b!fG*Q^a|4Vgs;vCvX;i6XVW)w^M6FlJ zVFUvqirfX&ZWoEaSA;tHZUUUZAwgBGkCSF(oBfGJl{-n!Se2~HX<`1~Nzii7KIL=bNlRQK;=>_H=enzcunk>(2p0$eM5!fBGlc z^8NKHz9QJQGs#q$+t_13Anu<1R{Wf9lY=?G@+(m}N%h^_=q2T>kR!)*-C6Ozsw64< zcQEs87#Ih61FfM~#gy2(OD@Cw_JA!x^1?GA#`1quo|71T4<|b8?JC zj$3rmPse65_r20M~{JyW(#{3-!q#`8M0-nU4 zqt&CZm8rAx688%lt71L4a(WpoJvDG7(zQI{PD`jjrr=&at8Wshxo-uzHkS#^NnE(% znsl7KhVK$GNdwR@6mdV8ofs#9%~W9vdSC~p_7|2((@$Eh;C&$w=@&88iV?vfKnNLD z@^KVfvdmEhqb34EH`r6Qy*_990K`cY*+ryx_nZY!Tvdfa-wn!iDD{CId^RkD-rtvZK-dDaHoS;}N&Je$rzYe9K{K(3 ze>O8y=c_<@JBJk*{>w!JGCQVU5b41;*^zp6odMx^w@aQ6_^+!c%W(T{rH%aB<->Jz znuDq-gldyQ`eTgSYCDaQ9`VhTlQTjGNg|I{2)abXlU8ho`|G-?tmhP zjR!Ewj|W+w&sFTNDa$o8LKXOtezZYgX{Y=|nv=}_%$}yZtcam?2RT@giO82EZw2PX zXWaCNhQ-zjLl%)0y2ix?3R5;lLj@2sbIH@c#7(+TAm^Y9^^^J=Fk*U@M)y1cGp;R+ zZa}l6!#P^a6sD9_>|4%;szlS(a(n3Koh>=N)uEi9so5afs zTt?hynsn~Wj_FIAYg}#KFtvl*?s-7cl%pA7yHPn`1kw`aFdT8-$l-?ERC@=MBISjR zf@0y9YFF(?F4Qb!RtV!l$u2sN1W|Cy%@T#`ljF;wFpG6Grak7lh2_I!Pgi6;M;=YO zn8p6^+iyh%#vGyLE6_y6fL z1ON>>7|T`yH3fm2Rm*1%AeadjmOTNZFDpYfUq&;8PSCE;8D3GXMGRyLu9ia)BMCiR z^+xDtMNpp#ZK&jH38bGU+4%0t+n6>+r=k_)Xu7QAmH{Qy%Y3knTDJ|HH*#J-iM`K|)SA#5HdAYlhJ8|V46U-0}$8Ow#_$aqWS8fyq$5fB>v~RR?T^4Th zd&mTF-&qSxH?%#EEE7!#SNy&Xbc|qq>Cn?L>CL&NH@6AC^&yfL@|T*DlK^LM9xwj| zaPciih zNli;UMg4(`>(9X^L5NUg3oZ3a{P{V+bodpFfFu(LM#iCpRXH*>ygK2cKS$V}dPz%De(aSefx@rsU;l#+4xwor%0=t$}`+-Dl_!tE0x#bCG`44PP_m5ym6;Uv^S>xE*xk&7)e*S75^B; zw-p-`63w1uk6t4WL~zFkLO8i*9{!h>HBid|1v4#fkBay&*$8W1(Er{5-*3z6Zs z^0kAa!uEeGo53wll9j=(eL(;xq_OuygFGU_STafh1l#)(;#BC zY%+P}JxW%XdB--e8^@X|Ika%)nhp@U1k$qH__r(8U1Qcp!50JN?he-l2qRlZGjnecR~ ze~tQMz>NS0=E1%E^!(q?e@hb4Ht<#Jzy3Fyxoz4^li<970poK_uvTD0 zj>kV6ag9PcH;CYa}N3s>wRk8d+|fcEKLrp=#1HkNKRhHS+_nd-1mLOCSud3dR8f>wR~d;Av)gi^SOLf$i7Hfh<=b*TpJLlb9Z5Kw1lB(+qN0SZ>MM)>D|6zgw%{}uU zog$E*%t!u)FdfYz9t5Uca0ye9=7WflL^+#aOv|B=H&R0#2i?6x)L5j7*sYk6rHvle z!2t@l5yq80lP~{x7%B%R<+Ft1s7W}P?+OrT;soFLk^XPoym5v=5NQo}_dfH#AO5m0 z(;YTKQ})uPe%XWn|5K^BRqm4qyq!~g%Jc`HTC7V5*@)&;%YQvI*rJ~W{Ywjg^gqx{ z;6uW#-!u_`nOZPgE(OT=sF~ko%j&d>-5h|->MJn8c1v&5zk{NV*SUDkL9V91@|DmW zT94^_G?=E&XUOZjFg#gim629k;6Gl+u$tuA>R0U!bp{0Q+zzHvmNamCtxvzsWdK@CGdZ$++t20)gyw-SvZh?H z#NBdcO@kl3VE_>c!lNv?sWRa3ad)8j5A`c}*j`;?)t9DMG>yD`g&J_JWTdvV!J#0D zaJjqXe`;YxTp%DoOas;z|JOnMvLVtym0$vBp;PTscGGU86g@~{V${y>)}i-eF}P7P zRAJS(_jBF%OI@`4+Sa_59ULqx&AJaSp$2XP9pp#?qv(a=r|A3E;xj~Cl@!`O zLaty=30!D%bd>i1v5ZCDNVw$T8KW(1_MQhECvRaDMzTL9?oJBvLZPEItX;m-Sew6X{iTnwWdr?O9DF|wIkFRCFqx4%IIl#s2@_&8%2QQ-QOK>rV#p+pq zc=(Tt;r``frp`9nt#}pXkr02l3a2oSo#V8uRPEkM(Z9)z<#A?MTBvNhTl*rF@w}_& zqXp^+BPM?&e&H+kSp+;eD=N{?g_2!Lf!Q417aWx|g!mC5hibN@5^*PkojuwZX4uik zGr1$Zo{A#VSpoO^==y-uEH2b^_udH+X*0=;Vq9+KY3Oac+5GiTi-Mx{NmQte@&!4z zeIm51UeS7tz2Bk@F3;LNJ;xZ?K~Yo9Z8CyG??)vVo&pqEj}{6b9h(0pTWImjaylcP8GYcOF`3=1>(O@2fc`%$I3k*W?nY}}{R{dF^oV{nSSjs6 za}-msl>|*Ppg(A^kkd$p0`!pt&d>8a?|XXBd7gjHb*^*%G*_hu{61B#=C3T za?`Ou0FQb9R=U()E;`CZYU@R^2_jdUL(_kacVO#=xUi*zxbxG(?(T#3pOd~GBA;AI zGbwh3viSO4t1pU@f5+5(Aa*Xpp0%iO%SN}_r^!l##=RxZxt={HD)Fd zl4~)7fdD+niwj)9D>Jes-ZhxD)m41AZvc4zy8eiWuIG98nx)Q?wpfH%;6mM{yHMf} zGM{07PkbieWTJrTdBQHXwMR?9UbMu{_z{Me;1`Z**#YByg2#ySec{dL@~o`z7jnCY zpJOTCZ3$EQ0ePdFWl8O#!sIp5?3m|=0wE;BEa5FKV3D0L2i?0_7SaOWDKGjip(u?D zs6WqJn!fJr-+6!F!7}{PQcjttsZV@7|FH9h9X4mfVu!HNc0{7VDn*r)5-@H_M{eNT z5deZ8wX^ogHtZSwmzvMkwG*C*Z40l24P0%3==k2GSAv%}WW81Y!U*x3lg~^lxX=Xc zLLt&kJn^o$JfgN9W37Da)%*kajN}p&xfghQXu7iSuoQCj{aiw^{;54w+A=kzrfmcE zZGnY&dF8j=Amg!ryDuWEmR0|)R@y%F=lG;{mDr~2Y+0aRt}EIU$5YGqWXHhe-CDh? zwPeC;#t$jWwrYT~ERVE4)ufb>j!w)iKi{&urHJ=l-V#T92M^KvUAQ_(-@Zi$agX%Z zKT(xSB^!m%mo=*Vo(|0R7wCn$TC)EUq_1#Vbpw2g`9hudC=fi@D z{jpLggj!{6FKN6_AXY`+eC)!K2B@*~?&J(D)oJ*$<`VO_fB2s?hCTa^=tfp0*uI5T z@&}RP^HEj)3l8|jp)*Gj>}QI836x&cADoa?!{0Lm=BmJin2^pOLkZP#(igC_p?qJn z5J&gk!y()K;YO67-z_hS`>)wpwBI*2``_ae^cJ>s#wYL*y&q4-f zbiH$hV7%(8UsSw}Vu)G83u`%RX5sJU3wvW6UgqWwH2=a>B1&_t{5{C_hDIu`q~eZG zXn@a+%~In$t?Us2gmpi0oDtb9OaSnezgc`qUc7a@hig8I}sQiFk zuG&6jnwMOCHtBua6=0G<6?8Z8SuIwS!uj+!+m`I+h-ub>8Jly2&p7`=>hUCJ(kAJ( zq~$2}^5~8iKmhVunuAamY&ZC!`J!y<=V?RINDJZJZdTnP0l>4+u||nOH5w`)_bWKl zgV?SaveW@fUsFAcFI(6uZtNOKaDp+0^%xx#jAXk1=B6HWd&ABP7ws8N?ExDlgS;m@ z^gU+IL0h*}oXt)~*K_X-=_6sBqtjy+KY3cf4^!^J&l6hbQpf$=D>hZ2CYKf0OH??S z3U1m=k*CqhpZp0Mmh4O}Q_!29e=D!{>vz|E;9v?YGx9I3^ozPTf7NQdb@|z5RYja| zQ1ByGyTgG?!R1;ZAU4$Ddff93O<~V|r|Knz(pM3$1Al$}R#`IQyA>V&5=VC_GI2;v z+b0%A@gajx-b_9@b;2zpXw`JRxY-$iYCWlC9=SIoJU0WsN?vtA#C8j($)b0=k?v2P zFW|2!fDBBMf;s`WbzRX# z^)}3R#4$Fgc(uBCuX8%;@)2gENYIb>tL4*OvY3S68P*}9 z6_<~}kQc6u9EI8)no9ttdPSr-4zMK*JC^Ocm6-<&MH&Di)5D59pQt8w6zkm|(iIRpc_@uL%#9=pQF%V~)V3wA%9qQ4308FccVf?a} zD>lXnURX-NPz6MY!_;lX!!8bukwe6$mMBTs&HjO{THdzZS}9B5z>u1X0KcfWmd00B z@Xpnls*|l~Y|9FqmRwT}dD*_5tO$o~=i24S*&LVJdak*f0A+k9s69an*d!-a(rWVn z7uGx}eOc(l4X$!+NLk_DO1`28HaFhbG}9clLM98)@nV4;q(f=kv0u*is0zlLEerxjIMWP)xnF$5NNHIE1pm zXlM%;(^K0|bD1=D8*W(AHxoE<0u0i?>&`aY+>(JTR6h7>mcn8GUlne19ugvKGff7$n9Tu$)~p7kdGm;SV5Ns6o$Xoge$4ma?MLemXn< zA?G*>Efsr(J9d;fUndrwa?tbbSqf*xZi@QR8K`(tl8E27!G;1 z3n`x+cs7Un9MdK|DuLL#DA!(Lmx3QtINZY?c!4dNR2A?4dTn_l%r3>?K`x3bTBmk5 zm(*jUx47u>Y8I`wh0m?t`6_LH`KzBY|FN-#$2lXCjI|MHoCc@r=gsMjB4fCzr$1Go z{by(F1cutn-*y`esi;OQB_udpa$Rj^mhGMCWFm|Lv2-xeX_N%^Y^Ym7MS>ntY#-R$uS#FTo)z7~T zcOH2IPm!Q-)#HEVC|>#xkC^nwxQ9o?D9cr5zTk6!MDNRts#TCo`cpeyLG_3OQpeA> zMx9FXm{5;qEo=983%&7fC1||aN}Ru5YCEg5zU6ex?LVo+eZARs`qZ8f<^CtS9c(_f zP0pz0S>qCZZOM%_vwx%$AFw&V_T6J?!=>YvpZASMDejI?yJK~wQ2FJaW&sUp>al^p zxWrB{53ia+*-*G&{oPN{YX&WJ;OGK_YMltAQ`50uYE0&Ew!~HrOP~oUhw^~XD(l}6 zwql!(v|jOeCrdf?OH~!)Z??x9(ULln6_1r35iQ!q@D<-^vt?Lm9X-pUocp&SX4T%s zMZRuEeG_bY=C4@lJXvGzHlMv+;yV3Rqc^Z%W2*-Lpwyo*n>t)xMiwq~rVPFZFZfF` zaW|gF`91KluTet_4At(um-dhaOiX17vI44=zbMmF;Sfs*a#XyM{2(5*9jXnjHuw16 zM|e>zz351!PWS;Sg%q^F&bjT0FZ4tDqaQ`Tx{e4T5H$p6EwMrlQS2@yzx@QN{Iky9 z;v9B7It{iK)2Un(Ll(A#r-v8ESdTJJn0MFBmu3W5 z&E5ms7K`yvzo+Z7T3ZL|+s&4D;SO;iw)MrY@#fnVyOM(knBSAI$hB$CAg@{nG^wEz zgCD}FY`j49Uz|Jc++>zN{FVgxeUe8c!&4v@PQn=y9jg8AF8VjGa_@Is4G&OPnON#tYuanmE@# z_rsF%V!&OA)=bGQLjb1-sQ(v|UgB4hmUP1#+ob7p3APO28UG6ZwrYO#=Dhz@u>mjHU2ZwxQH@6|rZ52X^KWDXy)3)qbq=Lq0_ZMi#Y?1`O> z#O!?|ePo4Z923jGh_9OY`E#t)^zbW8^;(?p!VXXeIM;-25-lizxsQ*1K!_sT5xw|tPsdz1O2Nd6H0KEcWXn&VGh!Y?4TRRbU!Q*uijf$g3mL93WAHyDv8 zH}Pk-y9AjZg==m8x8gs;b`%X@0*y8a9lw3X@;l7=hb;>qKu;ci-Q(m@XZ#|f>FB`i zXn+vH#mTFzuIgYtb0brQ_t#=m&w-w<;ZMm!!!Bv_7cs9@g9U9Kf-6hHTmnN$9A}ZSl9egFK78OUUN7GKlPKs>+YRI&Gmt#(YtiX63Rt7N2Y zz!h>iI=P<*lmPS1M2x&JYY%>ve#Hy5B+%}wajY&!j%VZXIZ!P!TS(<@4}_I?U%_uZ zE%gzFUWPK@gwFq1-741)Ak(@AfCSBw1v&PzG>YTeMez?0AOUnc_N^dJm5<>ej-|i) z;S0_tDieED&&Se9w`682dVWct6k(f+9o^`dQ%$X=h92OM9&g_2SM!vTMs@1=ZCRbT z?PfDZ>+ctQ3>|$`K^)mAz@zk5?H*=QE4`}sFrbqvRnhR6rwcVAm70`ZhPm%u82Dh?&_*Aama7rhOd+G4Zp z#fMF}*`Y^du`B2(O99vU&2%X$LfQ$UloNT=c#yv$bj~eO7pgShYo`Us5~xc{Wmw9V zmvE-S1ZL$t>mMsG%LLM4?0HGzg9qL{g>y9}Hp*=j?uisU@iv%RXTOI+1WX!dk=LeSP&P0Ul@XGZGpBUrA7T_q}!K9V+d6@*`k>gU$lVYa;#4nL4& zS__@#lGGo5+6d!hNiVB$9xz1cjc2GF>FAiZ7DVnf*N zwJeMoWt^)@_j-UBVV9@?{y9x@Z8wYQ(~ycA=)|C7Abwk@B8|w17qTpNDSdjEk|zNe&~QNbzoCnY`}`8FjvZbp~)z52MUZmHkwIr10nakW9>{($+Tg*FLQWscUithiA#lVg z0oi`zGOVXH&(bHO*py8>=`A}?eA6_1W35R> zXdkSv{=4qc6eZ6?0vasgyUstk>K?9r^LeK*e(m|vfEg(FexvVo`(j~;`_^;|Il0>_Y-3Pp1n$Nwv7R#l?k@i_>#x~N82fJR*RKR$mpXk>Y@CLHIzsE+M+vn;qBDAU`&e-rhM{CrC!>^xqZ&G)`N z<}>gbn!L2xe4c{$)Gpz$zAsIEkI^BLHrliuG27qF z*sa%Bo*GM&_IDm4*7$jeodY5Kgvtg3<^=GP+BMtrq%@0h16c81c3X+D<-k}&dFw{X zea;-5lIUpB52tW8Tn7Yzrlhm;YV9X)4{hKo3yS?jAD5Y|v6iu@pCmkkITNS*>&4R6 zadc?#J4wvO>n@kwm+5h=ZW`92kcz4mfklp&@z+Cvwg9_ab>gt2P4xC~`OAeBxeD<< zflC9X@D;;PEqx=$un*z7Gw*Fv%!IYh7$G<3dHLUKUSI;U+84{>xxlXelf)Z3r0U%9 zj5ee3(Op)hjf?tz2%n}@VOW~9Qq9_NxiZO8{nb)(6I_+;IU2?=B$OLLdP^m+*kvwT zv?B5TL&UTUbsPWwCPifdpKycDVXx>!uO$v;s}gS}mFCU=w$0g?5A6FPfgXun{kOY$ zTa<rf&YD>;-%+6)Lq!AXts2rB#2W7>BEe-VNl?;X^lDP3%R89sIlQcC085^ zeZPyY=-S@a1!j%()qIq0o^^oTA~zg0wPwl=g|G+!A~(Bcg#r`DiKg>`r@4D+-t&%K zktH+o)@I$Ia{Sf;O1s&^W~pWgf=!KbW(V+hJ!IrET83+Yp^x~hT7UCFqvwv`t=E|M zHv}END{pNd=;10%-&0c|pI8Ju8uWMXHbS=2YxlB;sZ489gogmsq_(|!5chm4;<7Tc zQ9Q_d0GNyE_lo;VQ^yFlFYny_vxUB6qx#avOzf19`;Q)>Gk&X;My6gXC0c=Qb$;ke zfJ#*|AHRB^a8ZC$`{U{RF0xXq9850GY8#kKN_PWkB>-4kDd>x2&_m+ENQO3{M5Vg2 zdObHEe1C3#yknP)&>PxsC`HlGoDHDZm6K8~QC+JC9P>M}%T#Kui;cY;Fpt%?J2u$Q zeYa}a2!ok6)j1TQhaKpKotS2Xg=I zL;FllzuNlG$3Tp&0c`w=<<_e_pam6rm_qACsjiPgY*qM})&S_{t=p2MJGT}ZO4dkC zK{{<;Tv!%O7cvv3ywfhtBh_!CGW?eu@KSI*)ycNq*m;}+FnDeqK*6nho#*S+#x0Or zu^6v1d4$8X%#_iv4bN_Kmf{7bwOH|FQ>hP>%+*)*srsr}+nQHOd=R@;c-nX{H>kz; z(&@|f-@aSF+oN{!y#x%$u{Tz{qCw@jdcXKiSoO1|*TO8n(LiKC`&?Jh1NGmgjQ{6U z0_ZedpnuMsB@+55#8g_y=+fejpO8z+goJFPZ49nAW;?55+Hf+~@*v~zIIpWq@{bnn z2nTPYL80O7%%$5>5Q^DWh-DuzR2<%VgxwNv*)uK~0OHnA!t&g{!asrjoP0Eg(R=FH!26NPpLY{CQytdeU+Q_1Y>vfdSvuRT^ zyy_w_(wG<;sIh9%PXX7NkVcf9^7h{I*z|O|mSQ1Kwx38Zu4x=(M_unfcL>mJChx>A znq)(m{GI=D@d6AY*akNK@5-Wl#V?U!z_hZKCk7v$!uU``2~QbdPf|o7hlpd^?n?pV z>u-zt8-;&v=pH1DbA!Zqe7b@-p#`c-6*w2AP5*i&{&=7&?7yHM^?hrETt{lh>}5G( zr%T7`#*cyUZZkIs3!NP9qgR_FUxcz05@Do0#7sT-!jhWxSVL?+8Rf6SfKqL^5jbe} zM!x?sKR!>DL`u-|Tr-wdvb^?M(KAy{8d987x@-ToLVp%dn<^^WmJ-z`N4=bbR4wD9 z4~P*td=E^Z81w0bF~6F!h@0cPZF98`qZoBRct??zTpkNvNCQs4f#@*~_ZEz=qZc)` zmi}IizRQojNF0O@kciTLuDDLPL%P%W@R;>ZEtjx)%2o$z$$wfGr0PxFj^D>|sswmO z1P(3fme^+VSC@`7TD8<-t4#CDhM11SP0!gHrd$$^1CXT5>yq?(XuqCdH5Y%y ztbbUKSM%UX-up>~8?~aGFe4pMPJ2qSN$~0ZbK}TkBAZp``OHSJ7QZYJXUOw57Kl-P zHfOK5&*Ps!8x%J*-MRDbr$eje=B|2Pq08GQ|OdadM^HF^c&AHzXX6=Vfk}t zZ(3iGmPwmUz)GqzdcCxZRApR=lc zlskF{7}mC*g8e-=$+itw#9Nu1Y`q^t6u@uol7D}@wl!oixUv0?#0H~<`+xifPVO6tvEIDA z{y(M2Z$Ffy&g?6_^RsVR7y?Rf4b4PjR%YDc@fiQh`!Qy88@18%ujpBx4o|F4?PM$@ z`rfK)K0g;>vS=fkhRREmdQb$~i);*eH$9#aR?hFft#`Rmj(Z6fYUL#C&?N7(=dtEs zXSri4y0~j0$0f-J-uH#l=mnY7KZ-0joDv)i-3S302%6NL`N4D!iD1!vzAie;#=MR+ zAaVB(@{kI7@o+E9V5UB*#%R( zZxh%t^t%JE1@_V;WpiCp1xTMIVFp_OsF&OYmSlP(ukQn~ofc03RH0sDMwx?pDL&Tk z3%ed>B>U&b#71SD6PpRsN2;4L4x=SE<~pT~&5^d01=OCt&*m;VOS6E>14%y_Jo-!L zv^r(a7Ik5NC@RGp!>@Tgr8A&@HYr}*X%n3eXC1>aU|t$SE4qH}_!BV#!R59~Zk+>w zS%r4*=gIV1&w7L4qU5r%ujXEz9=6-Qe&afcBO9vpeNM~dGaF}%B%gIt!UrQe4^0_N z*WvFByd>KQv9m9hOP#dcEFbd-w96|h>yddD23*t+O3#eT2z?3+yBZ0!K^ zvrCq=jvvGj<-PrB_(Do|9|VAcihenGt={@Xn{Az()!d3&J1(z(S7JKgz(jS$My0?K z-2fv#=d~80n*uwNhMfaTKXf;WjX9~p-{1kBc2oXW-@!0(P0Zja!fPN%yo zz6bJH^it``4sO4X$Ih^g@&f0J7RL?YGg&m*zLzU7r#ENlv!h#7{i=BhKUqJtZmRJ{c zNNq(!%4d~Vg&|wEl8@W%VB7K&V@AMVo1`B6q!y=Kti1Qbfh)W-D6?#Ro~>B(+H8N6 zWso&ZBp)TL4dzx#ckpLQu zac&-_9MU(z3cCGdv(kg=$C2)3BG#gbi=lV&h@D3>(Mg2;;?>ah&snY>95tPhwEmEJ zVw^Z$>_1;H?W@Gy%n6zL7&S2d!YC7mMdxF|8Ell?6V3%Ai0n>nwG(?3#*Vtu`e3Ze-7_y?8a zooafz`k{in?SEg1vCLj&_kjWfUz-daFRt7E4x4wi5Q8DuXM@1IAAzK!>`{JO_H$Zn z$vV=-?p|_Z4JqGh^%M7E&jOQyAh1eNl@i+SGk9l$b?a7?%~$EXJqBY7-fd#i!uMOJ z8MbdF9(G+#?cW+rne{*UZGS_bhgszm+7+Qe7_ET$;><|DFzc7a~b=#@(iz&+9c$9Sp$iV}>_fPz&SD=f&Akf^*y06=TXQX(`fU-<$WXWe0x&5ccKO1;wK(Ai{(O55 z)j2Gce+7)n-i)3r0F0t;w$8m+YI=S^tmPT3j|V|eHw-$-vdZf~n^iJ4n)A{<>ap?( zyP~f)6&9#{Fq&J$7_(PkQ=CG6KPEv(sz4mK3KNw2`ue^?Yq;I1#g>RugWpC5Dk_!1 z8wTn@RQ1sdC8Izn(~}KBJ%g-aUasZ{lMwG4-0!wTtuVx)ifz|p5FS$rn_?wC>}{R?TT~FX^l4nHW?paQ%>a#8T7ggc#(I9 z$z$k)+)tKQTWYFU`NQP|dmV|VA> z1YrQZqtHob92d%LN=I~NEEBEM^G(Yx%HG}0_!tWgPs1Oc*eYM`m;p556)uF$O_ zD4lNJzxvDHS9E8TAA&lw3MevpGys342N^ca%R|Mu+yR#d@_!rZ4$g#e0ei(ie0kpt z0B8nS>elP!@BeoGWcv2$xt|d;%jRbNEsDeWIJv+G5;4CpuCLA`O*VoUm!cCb?6_H<5bNTTCOC`Gg6;~afae|?8H z-MjCs7hU9xo`Vmh4{&>xdbF*Fh}pXzeJyH>IYCb^E~nfRjw3 z24ZY30VF#c2v?`sRW9~2=lfz76&$~(P6t{F03jHt6~&2Nt-61XVc+rKe#*jpMjR9s zfm2-P83^la*caZ1jlSaGjJ>9}me^GF^EBP1qA9@IBBXIr;f*Y5P*k zv%vQMMx^Ne6_LW_*4LsHK>oBBD%xzmP6|t#!QB$-YfSLp$wc0Z%^U8J;5+h1e)mcB z*wDlWjfopS-7r5p4;+!DG_#y{Ah8M}L~`cH@7s;Zq}?3RB3aTK0hGI@hr<(jhoV+v zhphZj--?J(`y0DPoGY>N?ueo;b9w}uXbn&HwOMnfQBT^=y2jMg%>C#S2~h4G^(TDH zkK*eV6#kQz0xaBrVo*MY?MHR<`WQO@`sc-wVU{}?sC5S986nAq#trV&*{Ewive7*G zy}f}|k2hFJYgW}IiMw-B<&!8$0~h8wW!}nv~W ztZVct`gE6A=7yo01r76mt{VsV{%ov76zY8_XbV`AFuQf_w}ceNJ&hXwT}EVAqDn#LW=312`PG)6@)e22#=b$ZWwdufy{lUn!+?t zyJ5LzZTn$42%c8RpR821xQrkA6LoA80O=u)N1E|Kof6_3rh_dP~3i0R)59`4~WxPvQ>O zv*6kIoQNnqZ^-dII*2O{k-gvbForxbOa+FMp0fY2a({;G+~Z)51e&%Z6Fln_2;?le-gIi%!ZrS#XoZF9 z1q-4?$_dDnGfz-*H6YC=XgmAAPZiw>OZd7wWl|W08W(l&arWn4G~zPUC0IqxxVdXq ze6cZxFD8s0>%Sj9ey-Qxva&g38bLA{WPz`OQiUg&~)8e?2@+QBBgvi@xNE1Y&Ji=yuh%>2{eRuPlTG9Sl=*V3* z&%Ob3n-o@olKYmB4zs58z2L*VhjbG)+211e|Ig-4SuJ>$x@DSnA%!@*Q>SkY#15i(a2R@~B)#bxQT7eDu^~UaXGbMVjWmOyB&h zHLvIg@y>WI;S=VZ97cIkV6Nr<_&|CKYIkW2!gG@xz=$5Qhf!X zzOyncM@1?3faq`7rJcJv;3KnavTfRG{U`E$u8M(I^eYN@(Q3qGZ^E0rlUv%b+jNoo zu1f1L9%103=@JKN9lvxO*fT77M;d@V^CDq_@1HK2p8fUf5%Ie5uY2YoGskVv2k5sW z#hnTQEOlJda#9c_^zA0qYdREBaBibh!y(Hf(9WLqRtk{Jl-q#OuC0iQ)TX39yoad{ zMO*~C0f(kf+gP{11l)(CJ`qx(G>L`VAM1N^4qUr)!RubEF6GqvjmHwX=o;%!JqsrY zA7vFf%_En-%e3TayJ`8e9A9ESpLMWaA2QE;5EZt_eugO=y;zu5L5nlNr-bV8EsR_tFi`FZgeAi>@9o{h)Ck>_`$(Y&cDM2Z;2~@_&{m09o%AHYoy0 zz5|uMXP~~ddAmDVwOc>TYc9Q#|Na9lzoq3ITwyPpV4*PEbhhojT=qozvHRQ)**+DT z_sS@^%Xj@aFyVMiJqcE;@HM*D`?xfyq$_m7=pj_{4;XLx;M&2beRJp37Q+X%g#$5j zom2y8R=(Qz?l`cerl_(!k3U)DJdAwmy+fpIzW#?rEqRKpK2SDIw{X=zy$A*lN_$Jr z!?VDSd8;@H`KKKtyT4;(dpsrob;of1xnum9AGMT^Ozz(_YcUhXvUftTEcr)nU`~S9 z0hxZ7<%z!I?HB6N9+Zn{`%t@^lEH?MENR#Y;I!~V277?OVe;pTeSNC9*2LK?G=~Tp zA={!)S-+X?l`^~o&q}YJQBP3AXuI)vcC_=IxTI3>_W4iq4qKZ8SGhp*&$-w-4j!?Q zVm@Z+K6M-jJMpeDCq$*G>-yivcm(F{wxz@FY0I{Kt-TjyNcIVvsn@FB%Ha`cP)42= zxD+)yzo;w!`Ql+8lHkuwyeecx{Ev4sPk)}f`~Th>r2&xt^d8D|$hHVpGQZ;meRs2t z``8G7;mC@*Evk9lHQOX)>73O46jpG*X(Ou|PE;L?Y$B9QU%d^3qQ$k8PMyeBjcC*P z;LBsD6EK79kvvR^iygnuZ{c&&&4Qe&w2~0*K~DAWy$@-A{W4fi-QMADr~Q{_w`&a@ zhd;6*n8RdQ%_`Q6b*H}0c{;X-#V3qE@GB27Kg$cRM^*(~0K7z3TN7PX17tVzqK zO~t|L0n0uCj#+5wrJb?}{gGQBL7@E8{LC!NRKVPwb*_n}?vf9W^FL)Jo<6aE{hn~< zm;1Ntx9`mU_1h{A0$BMx7~<3c{lm`3M46Rz{m-u_-wC+N|0%L!>T%HJ3v`p(yoXbo zg|9;OZ>oN{xSWMcOv&JL_n&-Nn05_#BmA1=z8nYr?FAr$@izNf=^LFtyQ9;aKD(&> zL5>`5u_t%Q7{-eMR^^w3udLFoc^_wYg^!~AnVFG=rQ#r^PAqk<)6F3jbI!63Op{}O1`s1} zvZVOZ-peec-~QBieko+gZU9B1z2>NJ=V8V~QZCb`3)90L+b@quv@bml{ z`UCH+3jW3_A_qG+D4I_)F{Ff1@NjS!mvqkJ+EK>S$K}Xw$;5soVYeNoPkrj_y%n%X z;7?+Ar?S^}8ued^gDKkHbDfN@3UeuTs|7#dDBdlIOMU?@9b zexCC@y~K9)9MDG}e(tAvS*w|q`J*OHEcEtSaoGk7>)^S#*vSb9Ph(Kt$;#}qo!~V`1;v=dc7CUKNW7ZeEz)qkg3LOg#H3+&?w2s*d3H*iG|&&zPN!zhf1ma2lg_;@w3r2D~qu)mJCpb~6$KUzYMmoNLanrB%uh{hM2@QahE8&vIm% z`>%eToTP$tjl(!m525ZWLlyt|)_X$@CnwZ6xpYb`u51bnr$al}E=$`7=fZ0~m zD~J4QNXISaGhx~&+HIQj2&VC!K7_*}YJu+$(1#v)59L1x{Ex8bho2i+TZjMm`~Ocr z`F9uf4`&W#nIhhx#o@1&BA0G{oJ-<0X-gH10Ht#9ri*7C zeoV;{cB7pL0V`-qtCQC?Ht(7ke;{S(Q;td0Th1-|NV<9F z(B-3k#6}klJbjX4XL)M{ztyc9Xv8G&5E)8j`uuVxDIXgdoO3$n2VubC7@tFN#@mJu zZe6DmTZ{xGwH|4S7&rx2*)Q2?O^(Kqt^(|-a2z&bG#@kF>YbZ-Ox1RK_}<~?6fLmd zT9}I!Zd~pIDC0E7U-i6T!BYKs&=GF*e-7_y?)}%4+dN(2-(J%bqTOsjc(^OIacX1l z@yQ8=8zhaUzaoH?1jT0`1}&Ydjhh1M8@K*-LcKm0<(pQQ`BiZ(%6-dqQcK=$(cY3ZQaJtFoD^=WuM0}XP z28l5-lN`-@n(QDxgerd0d2Hw$nxb^fQoEUVefFJARQHqC@4QN34~Y!oUiT#!zGBfH zn@e^Byh+fIRjTV`Dwp;bhZ{*P;|Z`dr>6p#;b7bWwTM%D&rBW{_FKKT9qD_`n8O6{ z{HVHBtSKs9eHG*R^Zns)H|d3o3CxEMHa>ni zh_>li<9ZbWo+8(`U#@arOg6gdMsZ&Dnr!#(Q^4d>_}@t*=~@So*d0|w-fL=@vR@3xsSx&SuDBAZ(Pplhw|PbZAkyT9abGw8Cw1! zr_CdOqPX{`&OrzUAFyq4QqkG}9h5$PA&NMSYxX}q8?aUZC^Drvg+z)qPZ^8Kb#tJ@KN$7D{3NWfdE@*-msmrn=Tox`OIy>n3-M>xp_ zwe-a$8LI~AU^{wauo2##x3;*>t+iC=T*K}NyjlofpI|j~3j*iI*Kghtqfo|uh$!OM z*!9Gl>RWepq~Gr*Igl1A7Q={kwR3OMg;B~!mldxiUmB5x$x2Upoq<{v%GMU|jMnh$ z?+^l7j6VLt2bHc2zw$Aolc*VVQsG0k=iFKpzou`vy*Pe&X#Q8E@4w?d8HBJ7dB=Zsu&9`;9qzmt*Y9-E= zo;SpN!CTZCH6y7OG-0X;9VzvOj%FhDnXGyRPpSS{TSnC71Oo3uakJl+)c=Gq|L57* z2W($o2f7k*OQy^FfNO(Y+n>f7Zmpd8VW_LexpX|~6z+QPPay`IB+24ltlrV3*H(|C zq~)7R8s5&e?`7)4Tub9L=&qS>!ao#EYhV6+axnv<(AN@j?R$)N?aZUD(8z0FdM%M{ zf%%IP{L}8?NB+=1d%9gQX6b6?X;ARIZ9MZU3+YqPz|Vp+H^ucTJ}VzwV+NqQOZ=&e z+3?(G%QM;~2CP+xXfAM{IG+%Bp`@?(bSm(7tPjQu2-SB5S=ij;)#{)mjDKy36j1ao z9Xj4n^tG1l>P_ZH7JgM!dPt*+w^Vd74kz3er?@^)ft_CodV(+THpt`;m`)NARFD?Dsd*>Dm zA8dEKeewq{C;Q0iH{IutN;+SSh?muH4NDxY^t@$w%feXLOcmMM-=iB-T<(oXA$6OReIw;21+z*fzxPNlU!GXva*MuJ;o@l3?LNIBtavpHXKs zt_XFH9qC3d`8w`wC?uVDUxH87Q$0I+b?xmfscaGO)cpKBbSGmn9oRV35IJ)yOs9qu@%?UxY#Z4Q;y+JLhvwQKqO>>}008&WFb zJlA9&4C{+nooX|r3JE~G;U>=~{8sJ{geab+NGAk(jT@Zdz42xd@AasBI;{$kpvk<5 z)Em%D>Eu7-lH5mFUh7|i^LO}5DSh8))lRwO3x7k3Qd%o7puKK?*`8NbK7s!1P_KiM zZeL+le~RYCy|YI5Uf5gZmdfc93pivB8Eg7Kh=SJ^ToQZ z<2ugc__ec2GjNUe{Iq@j8T%KPg(YpD&PtZ(>1`_~l-`}nCq$^(u;0Qe0|p|o(QTl z${8Yl;~6J+oEQ^B>2XJbN|#3k+VA55<*x@X5-31Y{wdnvo)f#+xw7Au*%qz*gdQmG zH{Eu@dlo~xqLaS0UPq$khBU`zF;|MW5eLKgi8?2Co8?v_Gu~(6ECFKAiZ3=tC|gSx z57k&&11Hr)YCiSgBp=^N(se|rf zy@KsQ5xd$;TMMdSbB-s}HJ@s%0&KZ&`HTxpML$pEg~ z-Am%;6HB808sw<1=gV5=?KgTb6P0kFz&kt`w#Ln8vJ#_EGLtPRPmtgMFiz)J=E#WD zBKOFnzZ1De>DZXjP^q!LHOd`oh_4zBZd{X*L(}D)y68tSl;(BhW^HP+g3uRRgtIGW z;;HB6$ak%G(y;=~&G6gWFiy}O=><&OMlJo~CNPAPlUsGJ@atc|NFcdW_R}-gNpB#a z_lXS&!=xs;Rj}i*m-kL{3&QF(O%^PaxBX;xA2ijTIUBTeC?)L{R3GUQ$ z+k$&z9lJ+6h3Ny^j}nBHV%f*trE-eX(r%r{*%)5LQuxGd#~<#pjeOiq(e$3f28x^y zLM+W=sjzJk#`i!n^d8dfM~v>D(a+8pY7E zOqJW@&y~`=fCq4a!nKsNZUk&!@RUwUIO{DFoNM5}tC%Jqi&FR#aE&e@1NQl0$LXou zf7B=^R z%$-fC?d#m>dxJ|s0Sah!9wN)p68SFx0d~X48f(BNU-PJ+PL21tjj##}g{(1;?qjvp z{1(q&^uyh)}=IOr{L`j6H4*X+s@(Zyg!Q8C>*NtZs%xB&lgW#Ve) z<{b^eH@66+!NodNRiD~ioT_ni+_Qra!P;y)3AoB^$^g9fn`4~qQx;=*<%8PnP?er4 z3G%q_YNU7t6X)Bt>)W%wwYm}L*!=SI(0cR%?+Pa;==C1MQtSD zp9VoDKlHTctf1kBY=NIsL`y+4%H?6FbMGrXlfIX&=`mRf414#5tq=!6!K1I3s^*fl zcUYt5w4e~ggWGPe)Geq|(jIFX$5aSi)vA^j@(;MBBG5DPQ&gU9x>~w{_Z|)TrV?lg z)0RkEQH#h(tvp^7U4hnQAQ`EnG|fyUj+aaB?Wi-+wt9tiw9rdKUF&(NxI((*OT}zrCv+<`)#6jSb=UOS4`o!@z z1+}5F80vKv5WI`?y$FP|(y{lI57B|iMlzT{8e3_zv$;x;i^?HNJo+(d;_W8N4{Q`m zwtE&$GqX-i9@-*q5P~bM@1dmCES)5?A0EH4*O4gP>a8(WR6}{T*yKehik__tNVM9G zObwPvJ0|Dljk!l#*+`H-e_ZoEhOq{6Yu)xZxnK3DRmo4MR#Y%Fz}I!RJ9axV?SwLv z1|29jAz3!bnR~0k=$+fAv@`hLw31|?+B(ku{I`ojJ*-DNKjuRX+P%uzPV7+#jzq%X zVkezPh~wwZ_ww~&r~YMr&PE?Z!}h>T72%z!-(|alKPSt!qU%k>KNO?SQV1x4bEF{r zk#>x7N`lR>o;bbpUWi~vmH{2we9S7Me+kZ-2waN^N94Ez` z)GQsvo|jD_RZ0Z93de|CTNEA-Fa3@f8G+fzR$fO$1&Ut<2SxZ2xkfB3TMI!z3r-=L zk3`Kv!Z3lNsY_J?+nI$#u8RmG%T%#xcAW4G;kI+MVg({<#HK#;oC6mF1uaMK2?v~u zcHO!C*xe@O!feFz8P!|1)kP%XCT@9>VpWp!VVE}sXOQ?pW4M(gkt0vIgzMe1uNxoFJ6``{Vk4(xsc3X5Kjso^!@X!>D0LVI#gj3aYACL$O z6^<9Y6LF7~zuqR)+m0QdiJrrnz-8&!n~)s_*j)n?jx~#(j8F{8I4^oWd8WFX=`HIW zqK5X&n>gl*)YS@`X^_b8iaBJLT&`_v_I{z~kh;tYZdZt_1|Rx*unceuBrolyMZ6Vq zbI(`>1$`i}z`meH3&T^t*blFQgxPd^?DNSqi{NP zTd0T*yP{`J0CUoZ@EWuR;$ei)cZX|ZQxub3MZSz(<<_A zF8S8s*80C%`M{?>?7lA)^i!kaw#>BBhFs{7I<1~S-TT8T6?yAvu+D0eukOY8kU>{J zYYR^a-w%~u=G?qV9{00+1kZ^e?@@dV;!geoILGkTYEG%^Sr)@?h^}kE;mNJSsUz^)+2<-!emO(wOt=S>B=YfG264N)%SN2@%?BX?Pc5}Ao zi0;M3_32wV5x!GuB`8pLC4~xoiSRBzOCvq6_Lli{J$6qxJ(bw7Jttnub*j^afsV?T|2OH9M>X z_BI*V3K_?E#(8-n_8G!2CV3=79_z*G;=cp>N=iquQ^MV09jAb#O=F%vn!kGZ;9qK^ z=nt2}RiwkvRK`CISH5JQ6oG4WxLrlBe$+x7kbb5};=O%chm!zFQLlsJl_#KE_x&#N zrltGJUpXtszMPapY(@Na)W|zY$JO9U5ojCN`7e3rJ>M1Tp(J~QJ>5R`0{|U8`y8mc z-uOe)kGxM8KtS);4g-j+_J~$kZfAl+*auIliT&obsBhUzmc!TXWQ>iGSqb&Db_^4` zi3SPzO0DB({X`GnNkCa%?{HD19zgel;rD1S=mS--3^k=@^bdgccrf1QxGu|IXKXYo&7 zEX4M6`}an6eGmQI}HpLGxB^ss!j`wRIEf5cJco|Ekw+*&L^qZBcCnh6ZB zKzcTR=QuoG#;?*-LdvqJK+7{}y9T?oT)9hqjxoq87-K>*9V1Q2FQ||^TLn9f4Qj*6 zFPbZWzCVENuC!5<5IoGH)41r!FW1qs37Gb{`j#g;Z>Z+;FP=7CXdtk6!1p+y$*g2C zP``zJA(axPlx@1xX_Vr39Y6HO-e#DZ==9SQI~@ocr#d7wfe~0P&erYDlfcyO5l|S{ zrjnH0VF$76UjDXSB-}yZ50b&{&833MsK#!Kfe!D#%RWGtUH@49A!hS^q*Wzhd?dWRS}QmO^@%_S`S4r=*gY*wkfHu4fw4+ z$uh^i>6zCu3jB17L0pu4BdaT8Vj)%dgWQCcIW>B8kwOVVonld8nDMEh_b-;( zn86$Gcz50pe1yB4;OS(>U&+wv%LS#FwztrVg)XZi@G-REePjOird{DjCV+!Bne69PAT8|I7s)^gE{7i0HuJvR`DER-xQTi$vlBsYfmjNVijv3fgPno~j;a*NRkpgs zGjrdR#5#RPVxg-))?TcQ*AhwTv^Zi@8pX}KGe0*c65x$Q)^5RY0JKF;IS4h zecOl0)$S|y(>=m&VJvHd2A`*%4Bz4Hcc$APry>h?Rk zjl7oQ9njvO<2t7X{P&HA9Xu5FK@}+Y%aNUFs4ia??2D8G7|1M;uRoGXz(Qwg5JF4E za=KLoJtq}!p9JqHhX{lO1zl8X< zv|g%C`uyXFjS@oF2bpDt-jM9Ad)E-~TQC68F#OlXmEYw<9D z+ijqGo$fOhP@N~9)3o_^>Z%Q7K5APTm zqChV^)oOu&jkA$2Z#cb!VN(5)J*0%(v1=+qizBGY71{`>Q^$TAUu8NvdVl6yt+hPc zc1^QJvl=@W>-+0av#&a1KjZ~-9X>y@O(_k~hq~mf%d+bk02-je&#IVYE}uRA5GhuE ziE0sfIa~Pd941i)YMRFlVFfFKTOy^_D42%c$?a(73>Q4bf4^}39R%=kD5zZh12nI0 z623_TH?dzG8j%I4^6PQ)Z7#V~+V5hjE|$g%XMYy+DI>iYM)`Aav5V<YyKqNtp zh4ZA6TyeD4zsOJ74TgVWyOr)8+lr@~Xt^ZYq*J~gc7(`qv#&>ReEroS_zSgFGCo!1 z9!oe$JB*!Y!cU)C3Tvr)PHaF7UgUaj7(iZPTZybS03 zDGu7eSU#S(I@UYZdVi2F0^Ta@VCsC@X4u|mgZ~b4CyVF2-4E-2x@CWFgQiW=>-|Ff z7^3iLw1>!B<=_~B&l;mnr)T}!pOEDMvw6=Qw<8|Sd04E?vq`iW3lv1QxfmR zw7LyBK}0rlZSna&P9^b_IDN!1D1oLaWC0G(ff<@3J}FkV%H~Y;z=)B|6UD#UakfMXl?V(e_9PRpZy>waz)MT=p)MU zY0#7?j*$MD=ewi}Ku<5=pi8!g%-M&0BkXIX6+5A!JGX)t?Y7hdNg0z@RU@{xrq zy>Gl$yj~E7z(il_oket;BpD+g)XMM8=VR>)({yr*J>SV{wRBHCpkmJ!d3uwLkU+3T z!a7FNP}Jd;Ud%^WkO6b)BA+1ShL!aqJ4xTt-H303TY@jY?D0eSj{U|Ir+zEr@px05!$MSOucm(uV4*j3-w!oWxcdq3;Ad0M9sf0I-KC-;e*_<_#F_>1=i zj)G6FpzeVJ83n~)>_nDddd}uP%XsaSeHzm+BajwjL`?P`WSo96vLjwMuZ~aq3_SB- z%I=DV9P0q?!~O1K6Z5Jt+Fpb*k4)3tJGE3@K7pcQ6~CcoMptJj@E3ZT zIY7vLOxY?e%n`iPde*?}G=$1fs3l{*Kpx3H6G^aaf8$1RyP|uy@kzJN9p9;Im|RwTc1DUFIVCwSckjjqfaB4rtQW5> z65ZZUJ0Ubf?Bd+ze06#D*glsxU4{ifA5Xd^ zB;tSihKGiRSzg2SasdR6QvB=n^urB$q2mGUXP@b0fS-y&bMrqZ#e2ayU8?ux`@v-U zcJtA+bHdbi)$ZVXHcrr5jX{q~6mRWJ`_8XPQUjpLCPj^3xac7zQE=-Kx$g7zSIeo{ z0sFOh3qW-&A{EHY`TrW)C@zP#uA?p3KMid^n2BBYyp$F1 z;NskVW;Lf?$bqE9aoVdL*V(Yd3nB!(ggszE8-3yBT8%{<=aFj-we9N^3SWj?^-{5o zkBn}qJ6mt0TJ9yMt@+h9(UMy2-5Y$3gzw&ejm%2Mtc1#)hQb_v>h>whK9LFcS|VF2 z!o%-U-q8;TQN;_iK56IVrPRGIX3KVDl!xAE6(diECzvwFN+ zsbT!I0BYvHrdrb4KuG!U08aygAlqXe-CfqhMfpNOq#ot^Tug3h@*o_}FJGo-pO42h z95_`zbXP3hG&&N=9Hg&2s($3pa0)vf@Lc!YEX!opRh=DlzX@CsRbHURqTVM2B^l;8 zWhzx;(OWbbQUrCX9ejQF_+ZLSKQHtMnAv{!>~Zr_59=5OfP7XXsP$CeZipXe^_EU* zcx-|h)bJ#PUeNL6fCF2?sB^&>Mo zn`6!IQ2A_c{&vA}`{O>nXHk@{G!|u=SfXts=0nk!Psy*R*31P72;l|CRJPMFuq-{O z)e{Y&y#Ro^&rG5x98%xOr>FBumF?FtWjD6hzj8aJ(l5w7ki-ktf~otF;E|aw#iu`W z#c`eNwj|UO?>0X7euU^2nlf#WW5Ke;-#gxRK?k=c86AP2Txv_XQZ(@I)nQf@oFl}C zqd^j=MsvxI4HFPb6ta@e6ueoP5!Ls#5YTcbl!An#n%HqqkFr$0H~Vn%!pP`Bgug!n({zd%F+_;|r4C-RM6+^(}? zyNWYhPa$8c*s7NNEn@FY&l2Vn--c~*i=&A|!zo;bD1?>QW9I#MdcOB$^1<(&WF%KN zW`GUPgTHCXGa8UtyK7;7pc+|E6iJ2)l{ljiN!l|`i5=Yli3@#bTr@|({~{pl28@s2 zTmz)8;5r*bO6qvt8ptOaA`w_Ir@VgUeg&DEdl2r8QT&yFTF1^!pijUmaRN~14HohT zg!>561^qx6c+|f2TL#qH_z~3E`lO2iV>|6~aTaV(YWI={Q1K1|d;VrrkIc5Nq;KRD zlaPeY@G|!OIxm$7J&d3?BUVvG#G1e+; zV7jq?HxWVI7FqSB!bmwHj4&-SR&xj7<+=(QzKnaw21(jqA3=fa4UXpPpBd?C?6}?R z2c!W$Gtftn*Y{ACxAY+*?}+g`539bsmDA-4;4uQ{o=5m;Mu@<;sEJHC6KoAwzAe}u zjC)Rz1N`{Xeh0lq8*o<&Ri*73_!a)Wg`jc9N}u4nyeL|mHixKmO+e360^@1_Y*quQ z{b3XXgb6bk2(yMh0Lq`{>TZoC{vunvDasuGf;MBWS%>%2(6s^vHmQTSRki=4fRT^z2 zvzG=Hn*@NxQ6WU6c{Nn5D==m=>MaL~OpQiz>DT=2X3f*7`50ZaTHR9`dh0}q7t4$O9wkW#5%u9l+@to|`S#6(uVli6 zI!_)UNhM?UcG0#0)0sNsHyvsZ28ZEjR`TFUSqv5Ce>Nd!I;;v#5u^a|enhiCU&QXhp@LUtX!Q&Nb=QDhxJte0D2@@ZD9< zy)1Ry!Mg@ECIVN32K<{}>7|Px{?Zh`a#(%IiH_GjZhJjy2_y?*xX`G=HbRibOE#?` zN7U(Dq(V(|Y7#>3>NXi2Iwq-yL~3~1Cnz5jc<kW0pF*KWzwrgQvTSQ!!?xk2cQq_2U(@J{QZyTGyCv>1D~9(()tTvw=I~ zA)vPzL;kE^htn^rnev1duN&nJ!i-nh{UB!@XDPDUiAR@=$HR%rh|XGU>t{_=>osET zxN>T>fh-m9#fIM_j?gBmH#s(OoUex|$H{EH#SGmlYy5lmaF)KpO(R@*QSovfXq0%q&cG(7RBYDR(W zGcv^*Z+is@ZtPU;VYM}p@&u>W#8=ay;jDzr)8W?gtAh_G9}1a0ciajJeB?{i5F1O<4}W5&@E9Vv=znn7{d}pXKa3??xYua z27y~9If%P$nFhc)X|K5f+EbycZP+xtGWYY{JLmwRb+YovD*mgt^|I~v;E)Fk*Z0DL zHbNoa7_6ZeGhx+q`vK*Vmml-HrAyf8`@Ezh^*_Nz_o**oqf*q*du8{Z0{4*s&L>uu zP$HAy-*DJ^9}4lti}31&l8L{BMI2z2t1@NjVRD^{-AzQ0Y>EN?@ON1uJlkc^ajjo&Cn=M z@-t~?Tbou4v|>(U&kb~6Z}D|PXNZKn)!bN1n46~sHW*N8JO@2wDmM0sz6)&nGJ-qi z-x@Ba9ED+5h)UBFrX_QV&&NvYbpQht{50Q2Q;61$<13&{Rb6;i(e;MWE$*V)sgmmC zVi?99vc>4Mvs*7X`X@ePvOuSK$?IdqYiHBwS<>kEB*X8YR)>47TU=~n4>?>iDx1y2z6ZXJ6 z>vJ%lUyaeHvsVa}`Ev}vX{Lr93$z3&h!(OQ1KKq!0x3qzk^=G`G3N&)bl`S1-le&O z&v`bB_k;x<2Ez;%F0)t=l-bBa*0nd5o%_)XFWX4*-YVr7v@#bEa0D3d8*7^Y_FN%UriUctIjZFAQw)}WX#O6zgW@hqh7s~rN+p(G5C@MS2&w) zpW7zIn`$#h=Ix!8OiC$A_PfpN5gdP}f0y7FGZ>Fdv7P!aALqww_%n8fwWL*F+NOKR z%0mx+upW_Kp3-q-P`b;ZbA2M38tCkowaT#*I*~-~O+@cBvpYL!H^p6_gh|S60H|}) zT0O%d7AM2!SePZOe7;#c{l3kCl7f3~>G`%s)bF!#qNs zU!Fl_Jev+KU_H*%8z%31btM*;!C5EoZ<^K9N^2|G-jpGh!^J0LEw{Tey5!UI7wTf)xY5K|calseVAj?}CA;u8GR6oFxJ(JZe6=k2=jQ+Y?&apcRJLAo_aEq*A7B1fhDsV@g60~Cfmj$g5DPOE zp=h(G?|$?W`_Ai#&49jg?^l3~(H$dYWTy{h*@LV$YPyToBhsbvc8wi{c>na+Ly%(sn@LHT)pyC zKfPB~5X<5e^320wqaH6BvN4LI{T)oV_-a=|9f4?)yP5gao%CFj6ku4^p+^m8mWQ@-!~k$ab{hWJc7FT zwj_u&Wm8q`lj2!wckE{}?h;wy`AH>#clB?HBRlVs4=JR-X8aZ)f+);J&waOIVP;8) zdDEqa8|7m~d#{k+G{2v;JqH0Yywz-U z=8?}lLB3KockV1{l*$C>u#E^kxUnEj3z$5wiHp8WD5*xGsLFMYmEjjC6?x?F%P<;y z7~m3wI-3qcnZ|-d3_2WMSsd-xYDV{9>lAchpU&K)mA1?-666VaZoEieKK?0Y#=_-az@ZlkKcGyq8idv{>^ud|UFOR35T0VV-^&E}%%K z&7trMAnel-rP-D3ef5n36csOGIoF$jG+6(iOW6P(iR2top=o*i_?PDGyTsrykyk9I zg}nF)rU0y{*6CBHVCf&@$3&_6S@Ot@g8e+&;H946U57@BFkq?44Ej~5K@u=(#o&VZ z2E#pBG>}_Jjv0+mV8!e-5cbhCIK|(H11us6C2;k<_9ugK{Q~uAaE92Wv1r#3+IH-5K8k01kjnx?do1pYk)^cIy zN-BMphZK0vh^_39c1T9G$+)MJ9KQS0pA>)^cPW37`&3J9*Lz_*t}po4-Goh>5EZJ|2sONw8pNtH)VeT_VV%HKA= zA%9;C+i57XCGoNtOsvS?q4&H{aB!?;SlND&mAh+cnYr>jgGWaVDBRCShTqkcf z6h*pEwfk90zux_67)RgNRGrINkh*YfR~Tr+Qy$`f;?nj>ztEC79lg&>ITiC?~lR6T8wy*4cn55=z#&J;(R)sunsO}-)?T??o>t4G zx%H;SUDxn-8jk(_)Vd9C^OJUKoVO~hTf`RBMb)cWStH;`DzHWN&T@!(p5eUuc?Q)G zCts3IdkcLZJq*+LD$Hh60ke;O1JKfzZAme5C3oAr_`pEk(R*N5Ly-MeUN_9w`eg0+ zO!Sk#>J#X^BY$Thu&t0Y;Wbsd`WQdm2_vnPuG34x;w%1|OLolp%qz9{nsKp34V~i? z?FD(5L=MBeAIPBZ#LNUic-*ycY&n@|(?NxTVz3(G9*E@dfAW*Md?cq1iH}Y*lnn zl03%Np!oc3Fd7I_c?`|>)mP=;GYqH+q0`UP?)(rHAX?}RAL@K?oGC}?P9^i{A+@0Y zEm**lJ&;JOdv97)zUt=`KE|dS(z#Dqj>Cu5ZiI~x@CqUDv@xPeL0Fc<5QUj#hkfv1 z5O7HI3oN!!_jyB93G|%3eW1?rOWKB=>lEpg>Z-_23OtL;{IEyb?Fzt0v&WwuNd#2P zqG~zmf2)}1mlgB;C#>V2DrV^0AM;HDXq11;)*k3Oq}6Q4ul)OG`RcM|dO4dFB)E^E zbI@mkO^=mQ`tta$Eql;0vH8blXW_G zHIazE)wpyaV7}qvtLXjEv)rfS&ahwf%%hzohy8~Dwbk!YP}dcZ*vu7tE4TV+Ki5X; zIFTmV7*<_AXhm}73ktm_gqQW2aFE(5F$KrX7y+L_;Jo^@24rzcozqBJ6ng-`OkuPT{(Q>?nfA|_ z46`Svb7qa=ClL5!p*Bj)#+n2C(~*!0-SjZ%&k7xp!9hY3a9&ByyG?<*#xYY;H$A z==lbao3r2Im&p@JrRMg=EMwU66Iv*eQU1QK808n)AvNB`sbF~RN~AlYU1>YZFHge1 zA`jb#I_zkz#HxeW9xxd;$<*IvE)mT9DA@m#ZTh~D8QHtOtG5kFO5wA~G3q=k6>&C; zAwh?J2?r9KC1i6e)Kc=8M4BNV6{QUJ5MI5mwr{Go0Xbo$iQvQPONVEa4eo7ox)~dY zgdgt_i@F=&xSTP`uceH4-fG(U!gekVlDl`1d*(G%KkPD<@)|yU%5;;oZ2C-^M$qy3 zO!4g?vs->VV`3XWCnNPe7RR8j6ZuT|covsA3d78H?jyQbAn(4fb?^?sFG^%FV$`{I zvYyr?cQ_*ed^kff3mBldvVJE$^D6*MRrN9JId_NGcUlys2lAamVmUE#Gk>X;z^KX7 z&Vr>eljnlQ!1g4&oUC>$cmZB!zJ)% z$#UQxF;|~0i6=VjFX=Z$Kr;f6Xwm~z)5&0F0WcK{?f z&fggE6>Q2xFOA(eX&iqrG~|a6Y|)c>&intDYy&b>lKx}}M1Lp<)_@l8kQH%r#=eFu zYC13V`^f$u2iuT?I90Kts9sD?{o%d6#f6@eWs|#=aq#D#z#}?W6UwF>_;j2%f7Bxq zuTm4~Au%@k$Wb?jhW3z0BZCC^Gqv$ZFbeR04vIC_I=t&7@4cm-lhi)Z2k%5#v_Ao)j82Kw&kmMB4tknIN1KiiT>UTKRN=v61A#VDEt>h z`u7k28cN)>$uCvE2r0fseGR9U`iA*^GeqN?EYa^-o>J^2lxJ=KD=0^Tb8be3c{GBv zY~HJtgC%_Kj^_L;O%<^JLK76TyR5Fe2&7JCpOJgGEnJuAMCrXuj$L<8n;*DUdeN zqPb){YU_tjvy4GM@IPM|=yjZZoj4Fe=y}4Tv{ki@CWYz@NFnIe2z1Jaz9uRxL#|$= zB}s#DkK#>RG3lthGK=-snHV)NBgHj6VK#}qUxuHNr>w#)n&fW<+Dqj?I>7Dq^_h}Y z1bOV&)}!?7*>y&X?bc?GHN`yun)IhS_WNBwi>ztVUF(XgRMAobu}?0<;^1XQHjQw~{zUVUPOWy`N8qgGJ{xv32*#fQUQ3z>48LtOHVuWnt!OD3ird*xn+hFG9~y zfU;(EA`hD?m?;YzGSVAt(d(qNp3Cq7%nV5R4R6!NBu@Ny)%f-n$m{fhkyz&5K_b_U zwH79q>s>Lc^QRqPzUrUmH2lWaT18z3vkUVid=KeIPC8S}Yr7H}5`=Wh-d!y3Ul0pV zzP5syZR@5#<0u1vyc(7D`W|SQJs3nfikbO2QMIktpj>;V3d?&k$csP2B%VWY=_kK$ zHv*Y#;O0ZqmW}~AMV&xSQ7-=p`1VyV($o8}4-0IIXdyIce*jYp z>y{9mt1vCHG+qJ%mbk7z;B;YBj0*zOlgr;^x|?4a#~mjyDikjyQd7Tu?6kW8*$JB7 zUWNTM8xe}PXoDgP0q8?=u4H7pW*=Eidph5nch;}}eQ|8aVT{dTVA1D(Ox3)+J8EFvMBy4>R@hH zDc_!BAS?E^%MF+gw>^Yn?uwm{jb(hneruEs`KH`gzchR)Wz+*xhlf@o>I<{#NL<_Z zkr6SIQSu?L7t$`lEI+A+z6J&ehHykvbm(B(RGb$T6h^6Q-nB$&EwU1_AhcTe^1lU2 znN%>;`abh{03o|F^iZ_5B}}*p)r?{3-R~lPxTsDd@7m|-Ge9v!P=t6DBzo@KKuVWH zod_U{j$Aq15Qo8Zgipjw{uErw^h5`f$qMBE`5v?YLuc#=ut})%Y!KSMsJcuoYz9&b zFB@2nNtE66g@ye_n^C$*-*%^NR0_9?3bAVs_{gCA5rOzOoc~NhBbJ8p`h<0 z16;GeV^a!g;^M9*$!yQEk-`<6gkm)fe@zSWBbS_Q;K69XJmaSBp4wsF87`K=SIrXY2;%?lo z*hKd(&!J0@UyiUH;Mr`&`{!FsFO5y~E~yLdAUH^C(ck!KhFd`zE-U|dfz0I{)Ol`4 zfd;^B2CpRBYZsA!n~7bn<8YCWN5n}Crj!02k_AIetyR7TVPi}mxV%W*V|DQ%bH$IQ z6!hv|`oySTY^wZTdYJ6wNfECU+@L{?Ky2~$z0s@pgcez-)Nc*T6>0Jg8}E;(=*xNY zNPf9amxSG8Pr!bBc{Ty97!>CBhg~3SzPvJ>Oj$JgFDnr5(z~-cp2KF`v+%wEtkipP7MRqmxP!!oSz} z5F$tipX}WkobPeJl-TEOxV%Xg#nCT#b3>)#U*aJ3 zr(ZTkcM_KMAkh0qKvY?<7$?YJV<#QcpuL_)ITe@=nsQmb(zZQk!h5s!&4(tL=M`uB zfe^_&1+iNp@wOArr*gfxje(x}h9gPZNNvY93&5vv<3#;(YudqPo3o9d*_}y-Osuhh z{>TeqD+i?Bk$_+CK1z&QO@hEnr@c*W0*E{Ca62=$A3?2@_iw+xez}-koCDYPVp9nk zs)v6b0R9#FYX@}U5MNU!H8)c#wN9tiX}4NgZFg=zi1J-|47{)B)p`xzJ)sfYgG6*APdOZ+y5g(xD5&d{v%@7o$qio zMK$}ePEmtNzmk0ggD%BasT6U0O_u3rf~z|@T2Nm3rQ=W)9d1(x^h5%7fzn7tbb%@A zdPOUjII@w&H!*O{P}3RVt@+SlL4{<=f7Dx6`D`(r9!QIY^FzuqejTtS6(U$GAYoZ} z(%!nSx!#RpLU$?dw?Eajo(t#B(gg9n+fmPf^Jk&4!?Y(?;V*C46mV0Y?5H~%^zDY| zzE#cT&k9_l2!d7gk#9(h3d#%WH=<7OMKKD0nV9J}k+3X!PUrUB19Xgy-FCn9+|z+) zSH3m$n?*e|Mb^9f%*GQk601p`B8s}0@^{@q-aq}`XE%_n&@A~hCZ=(S;_aLPCK+l> zwFu&*DQZ>j@nO;X#vl9NIXxDkI(dDi9Qg0du2vKscGku-zSjDDQvWzT-BN=Y+6GtU zdH>J{GW1qL*TZqLOOW7cZp4%LfwStJPKusukc07cS4m%)mgb(P$Xt^@?fby+C{CS6 zv}JcvG8-7Xb$zrdZjya5Gvy+km4AQ2UXbs73AcH?}lO;n!#Spc%)HQoGv5Bd?z zT@{kA^RDisL1KRobMALDFy(c;hKwE{UpX+Zxskw!q`vg9C|dw&WA*LXdEwUHeq=PF zXS>xMJv=&`=VKigw}3IDq^79ENH{_Xuuv0}Q3Q#kX4tfT(J33RezwozBny!Pxo?zpV@=XEf)}Qc z^P6(dHwxOW&CVo~5cxeURn&IcsN<~nkaXgFJTY`7pQyNHU~2BH=(CxQggW3;4^+gu z+BX@m1Apu+b5k5|O;M1b*l)BpiV%>*QGdKXMk?p^&cgeqh9mHUE}ME7``MA$=GUD; zL$wiQ#fNudeIN6D)nyzbBanv3Eci}ou;}XA$*)R5aQqeq(<%0$3xKbirdwn&=RkC3 z{~kG>1pqn_MIBTrE(ySM1?2kANG3Tq(A#-!wtyJT({2ioM6ugyeJGVYy1LcN@Qi33FLlc zN|c-!&WD)4ya6QR=Z3rmSeyF0acCMJbw2-t=CB*cy}G>fh%iT@!)o;KfI)@S|3lkb zM@7B8Vc$bYNQZ#bP=X4Ah@`;KAT=r=NQZ*bokJ;&Ff>StNH>UdNH<6~Qqncl00TVV z@#OD3=e+A(?^^GlqD$A>?(g3BzVGXET`^x~s-AfZ+%^1yPs`dUkQe{?^s3y2aqv0y zDiv5=f-=%rlXT?uR()$Lxsv4s=UpmFvf2p`$+i$fO-lu}QsePf#Cy50TgT*Kilrvs zq|{&sNj>8IV!C^&4%OohcHS05d}tPHas8T3BMSY6t!wRH^$ zSqJ7g`n>Ej|w7k$VsJ_N&qp> zF-TBRQcf1K!y7QyR+Rr(N&#ZN&>P&{*lU~MX))esuV5uvXEaUI^S;R2t2+Hkw(!Bb zkup)xf@^)ntnDbm&_M}SAWJC@t$OYMxfJ9puXSD!$tiS-lr+{5-eSwTKNr@$h&Fgd5rFeyMi7t8CA*Rv$Y%G z_-hdRJH)m2i)wLr1!Zr`nfPOKpABz0-ELaMvNv?3*ZSmXJ-m<*iQ2;?s`oLJb7aRz z80QEyU%o`7$89XeuYNQ*`gG=|`!IWIjplC-9R>UHS`-;tu$S?~2CyNDrbyj~esrI> zGFb-`00XbNGXpzMnwx1;mc#CIwy@%NQb0IYo-c^^a3XpDKiV6`>p1B)U2;sDPr1d@ zfYPpdv$pM<1mY3e{QM^9-L;PEdO#|`fq`gYpn)fYhlWTyabSf z%_&883%E|WchMfyZMD%C{q0BW%;pYwIjF#0G@ELNvaE3_|kpq|p2_P)?8 zirppX<$2pQUgeClL#`BX5pJg^WxEA9_cU5Y!-{XZztZ9o2kWU`v3%5X_iQX#9#Wz- zA9vo@p#V9(Ga6v^@GEqg$@^+GJ_T)L#&m6PZ`07kE1dpH41rxqSFL0%+<{vgzGTJx zL0oG^eGK`mQ??2B0L)xr>NPg zx2W+Y$;9^=WkUR88>wRhx9Rg%Gh2%PI{9APV$%kJghUv(&V_z(O3E1rY_gH+Fu`s#%bKdAW~R&46M&h;7@kFnzgTq;+VcWh z5v+Dmr7T4_?&6dHxLpq3jlJT!;oGhVT7EHaVNF9m=e}Bh--XSd!F%MJQEHq6)B$y} zq+)RaxD2lkJUZ|*$Cgy^?MQZXE<0NLDzD}IAu}tu_+{IBJfA~PjYf;+py?f=+O2A} ziPfh1Jcd`sb*FpfPzcYOtA3?yXbnX0F5cnWRT62`hn;$rnX6=^_TOIV*#w08K>53bGqfTwr z_6Hd*+whK#i^{-L1AD#s67}!%rw0R7w?!{IDHc9v5EG_U&ObPv_vr9k2x-s^G=6J@ znomLF+iYpR`;Qk-LsN4uZ<9x#%x^b260G_dY5ufwv-*d|NP+<^NDT*x%>38+6-McM z2DBkPF_x8j0dJ`)FT;Hu8XTA{=KDrQeTk3ONw z0L9R&apj_@TQ+6OKXNhLmX>?IX&h8-fYe&9`>abK?Ojd9zk10~Ki-0-kz=yZhKlmFt1Qw7|g_9titeei2==We39~A6GJ2O#^CU)AnceMRcLg zxL&g&Czp;%xT3}-(5UI9=qDZ!J+*Z2j^R*oaJ&3K-JC0*_Vh`L<1zli039l~ga=q8 zOs4ulicfThsj#iw!PS@psq9;ia8h4d4as=d_iTT3wwqy`tXCR1Y~2d3hZA@Q4`8qg zV?=PgXMUhK=XTJz5VRwoS%~*~<*?Yy6zG>E*)|!Sb9xr8&L@J9d!F7T7iYRrc*&Y` zjxSz6nC?9{of&bpFCND98%bix<)&6hx)`YC%JqZL%>tp_=d#kg-*>j62Z*3zmyR{- zb{*Ur1A^e$gDROzQ7&=(IyV@tR&(XNO(o;HpxxPNwqM1V9^VH>&$WG9BLH9bkBui; zHJFp%S;$;9Am(7OQ=A%?0il+cpwg8owb^D_fe<0C*@xPAMMnF8MYZ37YVAiu;ib1~ zOZPquM;La$(s!O0IR7rgAq{Zrf9%iS9~P)0ve!(QKXUNOQb9i&bvJ+0P5u?rdC>D~_VJA-c`&4W&4_1oHBExzN;Xpujyc<#BrFB=2r7tVd`>HgHy z^e7B+EK2;yLq=e1tt?iTyrW?f$pjghD8$L0rrzNFw2wk^E?R*YXPx``jS?860i(JhVd5;b9 zK+07Xl1n5@Z*uVj384KhYYAT?O?$+EncneC1T!oW+)~aw2Vat4YNtG)SWj3HZMWNqb&im-&V)Re#0u4baYH0 z1Z*eDdrf_tozMEjV^;2LjXG{{9>_3#@c;*WxS<3znJpu5W;yRa2dF7 z)Tl?IAXvr#Qy(Z9J=Rf|J}QTb6WBByJO9A{VSnw}O~Lw#M3+>l>#5P(H5U!OXJ$uY ztOZ}k^19-HY7&+*yW2bX<;}1Rq3FpWL31?xlFxF?ZP*sMuOaw7cK8Zy1wrr98Jx@L z_h3Vzf#Jl;l^JlPVBb{Y??V9>ZHMQ9)r8CH1%>l0@f63_mvdr&##0yMH!>3F0RsVX zV;L~aCTWrM&@_6q)=wu@o9kWK;Uz9WKe?2!C(G8w3>=u>)7*Euj8Ym4+8)4=mz{&< zo6K+SHQz}}zCU5pRgXM+IBz2837L5%UyfaLNB)r{bnvTA%~t zJ)Sln_#Zt*uMWHs4h-AWv}xPYo+7fj?{+BCz$#^ydVIGkCA>QJ0JIH**6MN9y)Cp2 zgBELunI6Sc?#g@)Sl2s4d7kjt4U=d{`G&>4aH`8S(v5tc^%w(>jk2+VIuV^zsMmL~ zg{D+rl1ptqR<~V^MDk1ZC~~PRyHV!OOf2)~!&B6_8S>^LH10=%dXT%Ppt3t~h~xcn_|Alr?JjGHsu#$zk!HPp9I(4p;3WxMlfqbj$g! zCn?}}?A<)nbIE*2XB#=Al679!PB^>nCE#E!6|j#M$LKnRP~BFZ5SeIe+79Kezds#j=|U zO@2o9aQ~y~2(ahpUnt>&M1E()sDoow9F0p1a z>?f;oBK5TmR)&Lu!gMZvCYQUhbS$DV13wdJeoZymIdY$(*{jwON`pATK{4lupADKM zw1|rxUkAu3_l*ypYzcw&E^Be9$%BzSvotS#q}a#&U{H|$OO>&n!Ya!%k169KVXT+q z#z0yQ4cYELHufPppyO;}!ua1$VH)2TH+^xKKs#jn=l6*(mmb16g;ZEFgYh^#AKtJW z;tgG83#S&Q2{N@T00i@#suqW9q-{Y1ncCGvV4_jY#*lc3bC4IF6De$vGjJonaZ!wy zd}Umj5v2i!Sa$m}(7h%87Orn5r&)IUMVIdjkT6ru`ci3@Fn?V1_+Fo63$(PvF(^`u zo4{kNTZ!;f3m+%$*DSmHe4QQo^+40TBd`XhJE87VAaWRz^1&DE5sb)b5GOq%9aZ;C zNkNe#jIza{XHn8l>S?GvaJ)ZQqNhsV5(sH&@%pJKsMLk`&>7QE1vmWt)?nqpoof`I zKjAWZ0ckhE+1Ewx3Fz)Zjq>{h6)W)-$F)rHd;o_pen6S=&OhlpV$NmKA-m)t^%0e| zP>&Ul=((}bO3pArp4wS5&E=Ol5r5C>(CNV0n?<##0P}@=Kh4RgLS!ml#Tl@R$rIui zYt6Y|Y#$bEb&|+w@JX`FIIs4n9}w$k49Azgto);E&(Fa__bemDR0#Hg zi4v5X`-PRk@Ij?e5D3qgoaL3uGixvF_Dz?a%=NArQJ#7*ZQA%fO}Vytkl=njUD|G( zqjs6en$r;3!l1SMXSy?MZzR=+X1&UAym4K7s|l}hE38Ja*ED&jJ1%&Z?;$74b%$ss z!Iuq)p?rH42jDr?IzJV6O)BU8mD|F~;JKf}_4$zb=I_~uicl=+_FfxKbwa+c9@e#j zbCgI!Ux`k^{`2^&wMdg@jM^(HLVD-jkN0gh6Vn7V-<$ofvTV--9nv_z8Glm!zkB$P zPNeVrBlNr5^2QWmKEwr10}nRQrMFG}!O7e5yRCrJ;!~q{RoIpImlSmzs0j)<5qNt+ zC4D?XJnxx`acOX4=Gk68;;c1Nhks4;DER4>-HV(7T2DKAVN&zF2BgkLw3r*2IVYr= zCL}g(qmxlDYE5^D6TbDT@8Lr}8MoKOMm!7>g9X@N%U=5HwqN3kVV`pMBwu96+j}2( z7YiYjU!Q<;W>8yPQ-UYR_%$&+RD$}vm_N7ygEiy)DN zLu`1tscc@;{^amsC4Z%0!U~GBYn8&2Y2sP5ay0PfkNdz(x+8vZSia{} zCutA-kmP{pzCqYP{!c+rxa(Fpl1DXq@7t9)o`dYr7+@1fpV+#ZVaAquOk($8)vEew zkp@adDu%0}&`$2??zi^xHWN8d%ES(xld7l1vZ2D8GtbZT(_pj>wC7G*miw{<13P2v zyz|ItID`oO9CPRs8z+=T>d(}T+o#4EEyz+UHioTVQ%)4Rb1Gml$Hg^f^!<&(+u_ji zxqrM=cV!KKg$Y2kfMF*1smJF*Z%Iy zquD$E`g-z z!1s#YnwVfkJ}8M)^FT14GNuTbA)~+y;%yGAQaIz4as8PL^bfSR@(zgz8toPFdjX)m`d^KKtH-@(lY+w_ zh2+urqf`7Jcv97X)k}5f#jzd0-l1%O{#i;XI>>uxvc3%lB zQji-avPGy0gVdS=TNGQBQW|#O?(=7AvL`d#rZROrTZ@Wsh^Q4U5KW;{50}y?_LilS zHYMV=uFVDL9CK-ceCnM>p3+Ok>H7fCafC2i69r zobrFSE$^43ivUyB4cMPw&>v^&@0;p1J-WIrS&11l0uG8mkkA7l8ikbXu^)e@<*D{@ zj%vfig5)>vsIU(h_&{sHx> zM$v0UaZ=Dq{tR$>M|Hf0>SjNVW+zH{;BTvxi(a3*#<5E_n1&ayPBaxOdE`E-qW?SxlHT&aiY2*F2~Qwh(f?~Y@Nd-0+P1ecV=~R$a(&VpG}ddI)f(B% zJr|3o+*=J6xBW=@j)5Wh?rdwem>1!S4E#rrw%a5tlDBnKN?z3YOr2f?7L%sC)dm^X zcSfU~H#Z*hB4kM_l^Q}c8rR5<3WSc`l;cASIf5}6Zj&db^zN>V`@d5X|20MO230PVzaH@}N}xwfZPXNiDkz2qSF z4ayNYdm4!qnF_<>69hR234(}^fS~wiHGgg=!%P_diP66-0}(m{j41f4#edR&_N1>t zm`uPO6TUQ!Zfx39_}=5D;8BEeSE&*TJy{e|39*o&zdN?vgzJ0W%2>PjP+p_V0#4$l zAq_}=|3WY))k(xeR@A&q9r2Eh#RMGlGPFa2vnb^~&6x`{(!7FSeT>$3;+Iz|%B@OBRR2nv73ZClh@ zOP;GL-n*9?g6r-IWoa*c&RF%d;6vMoD6ofdTVY7gawu^_%*Ik+j!w4Je5T>u~Vy-Z+gVwfAG5#EUJ6MJxP=C6>z zzuijoKvPJ7eyr%_zw9jZdip9#eG~^W=F&iOtf?m#LhPzyg1@*(Z8R4-k#K-f8Jq-? zeHmq-ev5&3FLjW0i|n|yGn^R6v>)tA9XBf!P5dj<{&SG`NQ^<=RIuh%!A&>s zk-)30GrJG=_j^d_n#GILVpc9C%RVsEs|Hf7iLiy4M3e9f-}gcU_cV+Aor?rx*p;oE zs>5CV>V4Y4Pt%Zw(r~bcsm##}HBPvsJbl9&;HJA(9Z4Dq9WB~`qJ(((04{P4Sk9Jm&tn*7y7C% zM{yiu{L6{;Yl}T$#UuhyNt`BLyZ52ex*YDlEq+aK@@gUmdUm_yAN;{Cx9EQ5*f$sT zEbKAkBpH{MYZAKK=ZJr;^P2e^DQTJan6QrfkakN0%y2Xs*v}eH2El&Ssq`!v2s+( zI>gJ@83wVCamshr5LjR4OxobA6zAsqq#bb?BfZ+%o|rr_*^_qDC`-`zMn@`#&omSm zD!fj<_X-_QfAgb;LJ+>s4FvPdzbW4z-bQby+rXv$U)w1}5?v>Hw6=u5U#b=Q!OP52 z!pqvb_-X-2t!Sp_^S}W>Ne=+HB|9zc|67Rt7SL5z>?i<2>^*0Gh1lPS{w>5_YqPEl z2(f2;TC5G&0v>+$)dPaEe}R&U04PcL8z`Ayk=Red1fpd1spyDDqDs~fGj>VXw!!hm zsE|z)O`fvvk1P&@j@znBA~oFsx6Y1RRFUvACP9J2)?6HC`^M9f@GTo)qfESeOy5Er3)p_xBjazR3}GomYI90CmBKw zVOXhAoeFy&T64)KNow(6L$Vr+;-$Yb>@9e_)YWf!>|k*yqIlbK8q6Q?p*cyB-#N*? zwFCak4cvO9S$Es}PI>35^D$cST$zrQJd zhwnN$vFayuxGb67VqW|%L$d)GYB5oRv5dk?P2ddfnd-_-j)Vf4Mt9d$($PeZ>948)#uH_V-A&ekq^eOBri4R@7 zDYZ*tLV(jFljXVaC2(u?SK9t7u5OFIwQRL&qy8!0_~VMZi;upwz9tWe^opNvk%Br} z(XXy}nnlsJS1fIhIlSV9o*{!DcF>A>1P7_~+NOTd6n9leQUJ9u3m|ETZA5A#Stn?K z2>bT9aTEA$hy@T~UyhEjFK_~kCpd83aVlcv`9v%MG&04wbmelZhy2D}PFE4h<(GpW zecCl}4Z}LQ_a>I4-xCwlu=J%5r!SS!(qIOBfaML)8X0f_5%!Sl$G;-%w?f9n^P=GW z*}7}N@@Xfkb@s0dY5LI-_N{P;2ww}PPLgyCz~Nkh}HlQxv(J+Z}(s~3GhLak7cJX?1}J77?Z zT7vI)46^m|;zH64;?tIjtq{vy=`Z-~6uiZ0OrP{*6H3QrqFG+kmc2_4Fwj$W<>0D5Bsa=^ z6_+<6FdP53ZPzUYe4=HB4iSI*+5dd4v|_)s7ptoR05NAeE%x@|gK&I1iG+81#A#F zq-;P4V3(60$Y3Fx94+ceO|pSJ68Yj>w>O66^#fsUb9E%Axefi4($5GRf=tIoWcEhk z39i6MorlgrKTT*ftY^7H9AKP)_;)Pi0C?FjpS{`>W(gGT-=X-7okm3NzmK_C;!$R#oH6~1Mp(|MWxY2C> zDK#c1Y~O0v5VjMEQq1z~! zoh~>-50Fp~9oHtrEh~EjjK0ZIg=lgImMF5F_nRZWufdxyYZ+*$tQud_+~4XB5t;)8 z31MubHqAgJO#qN6sxAYy{&b9f3VRf6{pDctP#g{Y!sdJb)2H9il<7$tc2k_1_Cel9 zV5*BFv7el9tKb)C+W7e<8Z@0)5D8X_UHyjpNC2j_>ed-Z^b0gi`W-aw1wd2Ne}bmo zdHMRWP+^ViyEPli1)13ah^LyT2|eh7D>wHsfBuK8TlDPI$Ao0d*yIjq&@?~M?uFK> z`&KtAIE5Ngc#u3I6_jCsN*E0^RtHk#pD2B*fK_mih^+IQaDb&e4*@%sJUEXt0GfUm zCkF-oWGl%jA0hW`2gtRv&*jZH-Y*^%T&-3}CygBh02pwOZv-@O1<`-T!%rJcD;VXWH_j&nbshPc7n1)S#R5k3K3kXQTLn&G0Ny2d^Vzg@g%h3>{a3A zhgi;uZ|De^;vB^$0d?|Oo7;hyg^b&p#g33jI67a4 zqR782=Dh^aPPdl`GIZ$u2FiIUOf>6CwTxUkHI9G@T{4#p2mqi;Z3TGr3LcGjw7ZK>U@qYf9Y&_r&| z3l!{6uV6P#nx@^WyJ(*V$QF>EajvS-{w=CvUYr#mT_B>q^P{5YdI1?PKl!I7vl zKy=Y+W|HK8N}UY(fS#Sd2Sb>-NKYc^8C=_AFTimx9&l0G3?`+bgibr|n=h~3M_fEL z>Zj_H22?2l*8ppM_nljtZv7|ku7D)z^W}qyO<1}~YXiGz2Ve+Ab0vM_d-=ef)y!3I zIAkdy=!!g-z0!*t7);$7FTUf$2M-q94GSOOeK*=1%AK4#pD9;r7-%VCx-7qbzUNqe zf55ZxYUg}!G~OWFEJdg95!7emhD$ zjC^?;b+DF2eL%Z*O7)sL%^|HkBIF=E+?)CoCnBW!hW&TqP}OK)ZIFxQ1Jc8;(-yU- zQ&fvD_FRG+$59MeaQl^v@8IktGis|w1(uKFSg)VD}$5&|RJ{rIzkT+U

K#3&@brwI7huu^$i#3ZSBtEEcWSze?8@Axo#sPKaTnMB^HT-IgCMdJl;$ zc|T~*?8Yj>6gY^H8x4M6LCj_wLXt^?h*Sde?7rZgxK`6NET4&cq)GVDJ-|K+>X{*5 zLY9phGKpU1Eg;ys%Na@!Hi>x+nyX^uwD&zIN#0cr#b=aaFlB}lM!72s?=gw@Zeg>pJcJbP!kS;f^ zyF2R&Sm2NSB2y;sbxdZ%VyoL^H#MbPJ~-nWuv#o@C}=ttJNT5jjr?Y#YQ5}ft|D<7q|P^ zqIfn0vMi;`zj(P++x~}0v^LPstbD6$-^03*N7rqC6r(_1)_CDypzhlTV~XF z?@2{nrp>434Vam@5vv86fozi}TVCsrlsf7*67&5sRK?4t9O?mHw9)o;C2KQ~D1P(u z%cY3XV1+ay!gk7yBe0^J?g`1~{FdCaCR5JANg1Wbj;s|&ttge)Wshv&&1_6&G*9Z|3DtmE5V zT7zBAc#YnvjOCkhzG8i5=Xsg*th-S%!eZdjMe|;BIS*C%_nN*sqgkRcq7!-YAB?j# zpP$}$|679@&<3DKH@@&S*8iQ@{5AIaNQk`=4H7!SX___GF#H2SdEEZ_#sZ#VpvGC{e6K)5=x9?;rcX$46Z1$g$Ag_0Dw9gYB$6?ELcfeCbuW8 zZm)MgDZ=c|2iIpW)mS4f2>s9|^jK~2KMa&kumUb_M98^9<_7&mVY~Cg+x`Fo|Fp(Q_0DrGH~&GquD0Rh z^Ib2zM>hReo@CAZ(#3?KZFB={Gg)8fi^Rx%w|fbo1QrG5?hk@Noj60|RMS?B4W}DP zw!=Q(x*F!cod+<~TBePm_U9|-R0QiwandR->r87hZIM5w$)8%F({yItcivTVx$RfS zH+R*mDwQVLl)v~vRp(;T=doMhUUohLWMMgt>C{HhHPcrvFjo>ch(+!&4d1Z-7Ft;k zJc@eWdJBhYUL9x)?L<(ht!-EoQ;h{fLk^Vr1&_pp7Sji>rWzJVymjwRHlCg(4Q4uw zf6;e4iXBoL7EV2EzZXtU2AY&^ek;=z7VR>tEvr3aJ51DE8u=wa2I20r94xW%t^|L< zW*+NAQRLDGRy{f9&AC<0V22js%?Iq(o_!MIeItPeN@O9kl*8AxQ1kc3wPdHjCm)dWgaGpJ%O`USO5*xY~(_Q+FeRJH^ zBV&s%F;Ex6bzfj=t9bv-Dr4q85p(}9Lst#{#QqFg!tD;qyAUltc{nM*j0Jarj%;@dg}0Jpv z)T{Vn(hU=`Us#{NO}T2iqk7{^G)^q}Hj1Vj4iP>$D>IRXe>CB_yjk%w6euGZzUEy` zXlHW7)o(-xo^=nMp?aLPP8r$w>@x3=;PPrYCC|hMLKU9Ox-I=Qo4;6|Xf! z{f3%6@K&T;CwcTc{%!X{h-BA}o6&}d_U#ZL>@2^Iv3DdmkB?by*sKEL~k z5{h~7@V>n&4AZq}3;&0Xbt7OFQJqH@9WL~`anNqREy}>;G-C+QhqThQnbLQr+-9JD zxX?xv1Gdjk{W+!;Ogv* zuKbaka@-0Et7&ohz};sX)&FfSkp}X_8~^IZd!u6uJXLKYB1B z^MKBAJj`F`0szt`oM!Khvq|0Ly>dr<7<@Em9C+D2T^uT?FA&O;dr2QIyoTIs&$kIE z{5sD<4^xL`LZRb3jXI-hQ-X8OR+9r5p>@}IgXjHTPJ~r{o|nnK#p=7+uJ9vo;pRz( z2V=Z@Ei#dyWTg>t)=Gp?jWyRH;zg3h$-Wszr2aaOU7g4C&?)-^$NA zGz0aA$(T>MImq5NrY7~_`^4+d^N=ZY9n1_51P;T+qF?2#<4C7o$Jv!#YShCD(EETg zKYK@qY6|DD<*D6|l7fhOPFuzA1dqhe+j26WvVFU(ZRZWqByqED z=~jc&_@RsO-Yi!B>|L!b&F<9IpxW&jF@HjDTP>KX+m2L~S8X8JMZxzlfkNRx+_m3j zJ|VC%UpQEO)d~;O&=ZyPY@<;U+-_FkvE%f*dGBli>$;$3cu3i%d`WMW&a#Y7dd2$#h8$Z&NvI4w9pFY4@Xu-5YeX zQ9m*ovhozu)N>9y4Op;0g4#d*)N&9?lo#R(B)>^Y$Kq|eg<$0nLCJhn=W#2%GmZ_^IDCMUberWA*kb zTu`HrkSusNLCwRz@zSb=R&ArYpLNNhJjryRPv5&OY~gFViytcBk(h>3qb5-eS8uyo zbtGFL`iVqe;&DTAC+krWbf9`nt0b;_iX7yYN=?qtTA#e;GU=~5hOEn0P;dL3hC0=;1v}cK2fWvEo;z&B#;jI~ktzTx?zBzHyxQ3CgrS{e)0)m9t+D zjNO!cUqe}fvuNNFt>~X-v1pbUSdrrLCkzMzb)L{ZSj@t#-kY|Y574VDV6mM$YZ@E` z6j5CU-Xn3Ks&V33@-Dc}&8wQp0F4E;#>v^rSqf`9dwF-M#O%*xWQ$q`9tRrxrwg)L z>`$+TYe&n(@q8%70WIRNLxu47-2*6u#ACP0V1x6D8>{$cjJ4eI3(J%{!flYl&&STS zmK4N7mRFz0-00qdw7^$cF=sZUf^YNzv}v76B`BgAZ*|d|z#d%ux7p(V`&I!IO`{Y2 zMx!rdAa#dYEE4H)lXG=Rit)dJhZySaMD8v=C=C8qq}#i-e=EM~`5FRN4FPODxYr%7 za=4dSvJpR&xIWdi=8B7qc5tk|iIi_xHXL{#F7$cAz$*`4yunHBkRp3+BPysJ@ow27 zQJn}RbyymLAzciApC$pwNy^w&s~7EQe_SIJ57FQ@9o3vKi!@;Bc$H42&aDl|KgStPnFZ!_aNa{OWgLS5r2oO9nS z9L&?mFX?1yBn^0ZUUAd-#qQDo@owXZr2Wd9?z#OBQ*H5DsBtN!vUn-bvOrxkUs-84 z>&bB(E`N& zv>YdGB|oD|Q^Iaqq$9KwzZ{Hi=H#iTRTVo~Ms96u|H*OKSqyKT%-EcioHuAd$)G05 zzQ*dXsM-!j+*|NO>w1cB%6_ej>PM0w*v~FAENB*YZ2JELzy1vm@pU_w_2@yDD} z^nNlyan(6jiC&z@+^ta|_IyCeYCI4s?^!UKUKLWXAJp^FA4YdL^0W0=syF#MH2IQ~yz5J;~bL z*F&)FSL1b>YoyDPT*@O~x zJep~*7t)>}+few@j_Vz4+}WaS*4EEhzmXw5xJl@yztSx4K6XnfHD~z;7ZXG|tLQlW z==%qZtSUQ45R*|cjpIhF(BW3B{QLf#yU5b#4We>K!Ll*&6^JsqL&?3TJR3@O%T#t` zDL7uID&EV@S*hveh};Gm_yuyLt}MuKG7>*P`Jb{CajkONz1+6VM=}`OwLQ4Lx$Xe*$#E%Cu?~au zP@M7LvHR4GAysa474MGubvTN_!6{`dlN1yPadm)MQ})}&u05VdnevKN5(r!NK?<42 z-~1#Jc)_zrX{#r*oNwTPnLx`D`!qgjEfskly-+vIgU4Ci@N8}Ps=(YT2;^$Yru){7 z+l=1jIl2SZOtvr3+SoQt>NHKWTw>)i$L>=2Ro^=ERZB>I!4nnDBqAt*^x`{EcVTeb z5P(&gx3(L5c#?tu5b&Gr#;=5{lXoE3BI z#N3)Y|3L-x{wj&VdD?tHrl8JzZzbIm=H=O_=ivukjNbl*xO!y*Q6b-VPuJAk+ss-7 zxz=8Y9EsTTV(9Pb}{_P}=K%K0YYEEQss*cu-@l7{i zl+bd`{q_1S$3xc=Ea0JzKg^i^(KUK65&R2E*&y<%ZI2TVK}#GSehVBTga-4Y;rYd~ zk0xP|=JzC*z)ZAqz+h|9Fp)irE&X>EWNwas-)A-Fg0i(rRE8sLt~4>3YugRG~%-}&~Q5=->^ zz6?_Zk`qrq<&r89kE(g1f^Ok9YrB@n#e|AkVwo#+&@u=(Zlv+M*^7A`uF;%|oAG|s zwA9U_+1>{x+g6O@zcKEWFVPL7QlMc33{7+$S|aww9_{*9FF6!;fSqg;vTwl#ZxYx+ zR8H?aOfd=HThW~N;~UtH$K)128EIBa;p=}QJO1C?o>Si1Hqdv^3kO3WWsHtn~XDRZr> zy%l~u|AHn+BQcn-{bXrYR~cXleUi;#U~oRLxiBHEs_?RX)25ys%BMC44!acEYSe+p z_9_6NL*OA>}ULaurV7Dh4#@c3s*1y!(~GLz5T8b2aZ zx>v5wAK$#~D9=D6V$=AlEV$qWP+Op9tY1$ziE~x0($b3vm{rZvCb1=mKPGKD1AxLI z?B0N`bYA^VTz>wA&J55GTG%BKO-x0uxO-nX2&JFcb+r~|h+6gT z2G477qxl_I03)+Nc|@OIOw~{V;w|*S3R#j|B&zhwKqo?et!^_C~es*)6bjEN-2;JTu+S=g03<3KK^V52fu~m%y7uC zJt8}e!R4m3v#q5prh$=~jvA$$r*lwA@)T(RZu4TO!kNH|jUFlue^_3w`v_puRo)S( zg$JU-Y*AIzh1kB z&G(6~)U3}i#hYvWQ%xdCg?c=#8}XS2PhPR;P(CByr3i@|)84xLJBWxM|0SMqWZcau;o+MhQn3}hIMZc5nJ}c)~*kuPVX>6JqbW%pE*& zT}&JBQ)QSAZ1HgB<3lTL_*Ys^?CM{l$OhYbu-nk|*4)~~e8oC+%($Zm6T&{TmYjroOknv#0DBFbgi z8i*O})Lx5oh^`sPU^i{M%nEqozF2IGPFGqj8ci){IB$zj-*i4_i)UuV2>>Pvot{~} z(d??%r>%6II44JE4ymq+9wVl=tkKl-&9tA~acAhLP+@lQ+!?;uy!AVC>qoW|rMQ88 zm6HXAm%>rOC!x!7)`gEQP-@M9f71uc6`+n5sGaVg9d=>3{84f!~H5ecR&`xIno;)n~kD`CtSAe}?Ci z33M6ruB1;y>Ce(!UW8TpO69?Tl)?*a+k1`qvwz<7zU}_#ExYMat@CGP@DFWfFV}A@ z{_(jd{a);kJG?DUQ6&N8Y?xqr_A$K6t$ic8FJtea4efB+pu;Wx&t}i9N2&h?;)5?f zWl)>qi*FrFO*nEFI$S0>_TnAIYHq^X$K?&aKKWe4@}x8NHxi$gsw-@&ngJY% zUCO)$x(O1lTYSOVcC>#B^8W?JR}K{t0b~S5uVcHt<3c0=0(#E=Tx`K$pgzHR|IyDN ztQO3J%A|$T4o@JJ5+Ky_BC!pS1NlaSC6AuX_?~ayysSEm;_H1H+>U;P5v)$z)J3N* zQR)k0JgK>AII>>*qMi)^D5x7nNxhbUPgweevlx?Y65u*^M5trcC|iL8IbSZ{`)Oe_ z9xVFVPuiwRm=LID-Lt4MCoRj@)8yUM(+s>8Vr6n-oRd;S0oA;DH4F zTS<5xST>DC5{6vyAUsKj+OWLNC^T031!x@C}TFxt-I~q{W8`9`#v%KhcKlJP{jd?}%eIis<_CFe64pI* z)V1ILJP@3`s^_e_5WJD>ICcJMxCLli#-WbtC(u6iBi?F?M_@V|Ei}Tr{{B?u1F8WI zyz@Sv5c%NaT>aHe?==Rd_d=nbPrx02Q)2v230xubr_lB*LXv(d`|HCy{b%q~+Z0ly z3ZBP)Z33C�@^T4O%fQMoJMOwY`sfH=uX9qZK-E3?exx)5guh^lAY89tV$SZoFtJ z&2g)d*}ZfgW3m*ehhrH|K9;1zgXmV2LM)3cvxlUk$AE9 zLdgtBi%TVmpU5o5-cj-bk#FNiheJX_&<`<4sC3HTd(37hd0i&XzWlvc1-TY!vl?_z8@cWD6ZMw_7j?Aom3Jg-L%6!SKcY{bkym4!u z6)Gw!)>6;}&E#1u!7WRBp}I9a$7ClosodFa2twUsue^N5^&RRQ~Xkecw< zr4A_G`Sy^QQ4r5SpS{DUy_sxzwhpHYe|k-Bj0n?yp`8L5iI+qe5$^YXCh|o-{mvZm z!Gpop(N$2~yMNcTMP-a+n+5-D*!A6y#;YUP#z8@YncwJ`Hvj3kKj?NDbMV@$YNU(r z)#;odIcDw)O}F32V_6SpFkON9(|E!&HjVz;E-JdrB;o4Elw~t{7DeR!4ai<|yP3t@ zd2Y8=Yhg{4KAajx8wFDM{_INS&gfN$LRS4r|M~DP2CRzgW^-{XwgmISp4sD;^Kq-ZwcQQGEmz24TngU?vBLdkGKP@`DjQfO)UHG8_p2LGpd!~4tQ=iO z8Szu|J^(c{?hGaQ1aHz7<5eoIFjjA@igO=z`=Y7eHxV03KV>2hyP#sMl=lFTlZRuTiU}4e>NeqYqNA!(vJ*c&G{zb_TxOj1U)=^k>H5?~2`1RPV z@~tNMw za}9luw2fw%t-f62dv{P*cHX%)(K1IGA+TR&T$TH2zj39>=H)^mF*AXkK6``pPi{}> zmXHvR;&BF`8-pL=Qg-kYj(+82pUi7uNM_ewW-}XIp!LR{0v~P3}fHEY#0u>S*_52n2KLe>m>8t`+f++azdX zz<%icPXeH{KC&jbImfRN6N7vdq0zA&zu(680{5J_1+^2PXQBR{oS(|vj$2qy`8;ne z0{>aT{A&i$#tz7=HG+}I?{&otpK_OyNK_BqEtOU--gG&`1~{6h0|xHku(_)+3wst1-#h7OK; z7?Yvx;c}g)&cdU|BF6=J)g+aOe;NukdrA*yR^@Ss1|@5CwBq`RFIzC*@$HfXv95$L z2T;U7E>4aeju$-kW`ZuB*~!=OdGFMA0V}nDl%)AJ(B?x9#x?;Bz62{l^U*U>C3PM9 zL}KslVbg#Om@6&i81}Np0D}Y}$W_(3Q$;o8b1oD$fD=>8{`nega0`3rhu8D%6%Z#j zD&-J{ctW~H+kh+VrQHP31**9KchwsE3;d~whu4brYqnW0A4Jpy3<~^wdqpkTnM$ZN zIQongpp6BZ#^+Kf455eU!90&#;ee`owCi@BB_ga}Gb5vmrGTxMYrHU+ zQi;q^)Su{{B8<1J8b+`C=l_*4gOK{2;-Kt7h9M7XukjmYP)Z508Ie+MeMD7(q;KHW zUDc;aDK8JY>?qL>DkKe>`^fg9bnE{Mfgj0djZG?JNdRvo0Ga#0G&%-0`^!Dc z>rYdKzqlWJ`ild5tK&&enLtMY<(-&spP;%Oxg-iX-@EKE4P^UEts|LPeY?%5^?CQd z(n2)=L0DkJ{hp=kwdHxpR1$AjC&~s^6A_p8qr+soBi*-5)c1J~3m1i3-P`a>h!3X@ zhNKR zap76&7x_`U!;GPWjEzSP}1IKf_0eM(-c^PsS62R;n|*Noj-amP_51C3{PRnl_IR z7XZf-BNocvCli4%9K_%YF*YIaFOv*W!S9n6j2&8SiIOw7>t$lc_TZQp;VP6rF%C~* zy&VUytQri+!$`9?4R=_e+*JZve z$l}{VN&F!Gj?+7r^YnA2o(HoQ5AgW6TOLA$%u)53H)m?H2p6%;Grmeb(0rF=v-<(? zjbd+pBVM!Q_Lty{qy+X}C@wG@F8}iQPahr=|EAFKP|IByF9Q@b`kWaLEd!AMJuIK1 zCqQ=C`YkXB@SI^b;aIGWWq1JDmTB-|)2dXk{2?W<2S)j1yBCl@Cp(ptlV~jK>S{^M z;#w@!EvrzYbeC{n4m;LQ%m8ef8z;V+4{29N7nOVp>bX;fD(*V|*o%DgU=$xEleY}y zPlFLX6-xLXl}z9hnXgYXffB;!tih(Ji`F-|{Iwn_z!#-c|VP0lfkr=E3ah3x3mZKJi&6%O|;<&VLa#`H^?a zeNyyfe_{TgZ%#7blGk-za}UV^pU?ABa=&~M+JO|x}K0gUq&Vcx1{+N@Q#e5M&X z6<05S+%x~eR_aed^N)%`;pR5=-HPs6*nS=uvP{hh5uY?4V z0q!%crUapaI1VQlg#*|-Ba;?KCDw|Qkx-Ft*3{+a-z7^tsA{C+#ZNmc=zsviHl4t% zusA5|@y)}qxHSqEs`%X~xU}kOszNf}|C{UeJJwU^H~swbx@NpccI)UXK6MbAA%zzu zDky0j8|hO}TU*2_S=S>jXA+74wBtVGvkPyFf!?V`h^WXJZpCO9RpmBe`tZjMwq&IB zce;LLNr}Zr6S;U&gLnsB<(wg&{4nxaT0Hj+?VQpR06I?yQ(uFpg4FpI+S31ps{ivH ziL?W?mVUdz-s^up`o}KxAN5uq!|lS^)RRhFfKD~dmf`${@((B9i1!0HrmrcPcYky8 zP5a%+cWSsbe?-<}W~Ey}?gX=`=wqUgA6Q(Q&7s36SH3d~kS^=()V<=`Ggia1Q;y5Z zAfeYgv1wQ>R6h-;RvZd5f^{?G+93(b);gX9QKHJ|kL2N%<`~oCQMjRmMsfS$f_i$% zm&$e>50{XgGsMt8u>@+KI#W_E=ODWsnH@D0})NTN$!uDjBTLF<~U0 z%U|#%>HTkpyKS1MTZ!uE{97t&_Rkq9>@~!ElWEQ3wawC!?~Dot6F;`qAfSqPs7QTv z*UzU{n2ujU)$Ac6RKl17+|g;nf(2lZ5-Y2$S%(^bbP%^ldI9@zN~q z{sMnl*Wq$Wk|FY++O`f602lu3|Bws+8?%MUr=epsD$Jh(wDfolb>sCnmYD6;cAWiu zm(1UsaLw0zDLPX$(wHyGnN;TrYTq<%F3RLXyh64oDph4IiVjr-PlsvyH^-rFYWTZ{ z8%H&Q?E9kS!;Dxwr{S`vjy$`Y0L_U_D?V=*jWhbuk^g9B3L^*i)DF7f1b={uMg54P zknPinKK#caN1Vh^YQ1$qp7TUK2kFK#(z5=sNemMx2@DG?ah;d2ZNw2}Tnf1_Z;6(Q zXv+bIAXGgsmc-e2r`Dsgui=L)!JX#3Dgx>6clr&GSEH zAo1JkUi{OZ=6}sVl(#Z2z>bB{G8t)btsDpxjO7bvw4>nXeY4ElYEHEOn&)cCF7z@$ zC$W7=9EYdV(6p57WL3e_!u7hA&8F_)<0_IbG2&|KHxt}V?x{iu|8^mMx)denSy-a{ zTSjk_?L6wH)pq&Qm1o5&sh-nfzV-h!!4(1nCb*DW6I}2ceZx56#c1qSfMn01H~xLc zNb0kZNi>D`M98-4UV+6(uNu#|nw6)v31EMH%^W-!8p+L9UXduw)%M1^<4Kf|Jg5eC zD;LYF)pu(M{!FAW8t^n_Srz}!o~8=7WFv+D;c0r`|Mo6F4+*Av*zIiFVk9P^ZzP%2 z`MnK8jyQnNvj_`lxKe)tDF@2}rC|b?KdMN#AL(GhmWaUxUCuvNEJSr1N!k znL{}aFARp)>Q;EL7Ku3YF78ium*~FBcAnTI+zYoipf5cMlPZP&;el(h8LEuC+wsYW zW`+fW%L~(dd=b3`FOEr``fOC5^5_5AX##?!R!eYS%GQGdLy$2hW|1pYnei*wi4gud zyr9F=P###5F`Cf5%FBCwHisb>4>t-^^c;U@62kPz+X1cw_BHxKnKHa#el?Eo1`LG5 zAI3n)ZhjPC|4z!tAuO)KAWKjAL@#?(7lZiVYxxkC?PjmP zT=2LqhE%BsppGNT4nc1t2cskT3%6N)+cK%$k4U-2XaLxVJoK+onm@YR<8ErM}x_PsnCT1k#Fi)3VuLIDLKYth##sf=mnyu@ahYe8#-8SZ;`}3 z{UX?5koX=TEJF|~Y^Sf&u6lA2n|aVoHP1cn4c8xvTBmF6UW2^+Kq>O!AfCBWpBWHc z2H3jKUG0*Jdo2v2_~3lwa$Zr*C6BJ$$m@Wt(|`}Z1^R^Lken7@*SY{@AM+c5d>tqE z>kLAd)u!fP=0kA2?25H{_4LtA-PPTX!}Q$&=kphOn?LeBH!I(D>*47B{dFqv+!j{2 z>39A)5dNc9`bWL_Bkz{XssEk1c!@*=L`i&$N$41c9Fru5k}##ib(UW(F^y1~pX@Ty z@o=_l4(ndfJYSTjL+z-GtEJt)D z7nTzsuc;t(Ca2Gq;cwVeD8zxr_SF$cvDopR>zmihEP&9A-8wRTypWURIY>uw~qjd)!iPO zy>)Za2O1Vj8q2i^%b%yvS+R=s0W-nT^qM&;bZs}C&9CPrS?1?LW+&w%|HR6F|BZY{ zZu_L?-**2i6HwzfHWC1atQafF(ty0ky5YQb)NvuMHVH?x;OQlvEPswb*jdqG?}Y}u zrML}7yWkNSm33vSQ4Dbd+=iT?$|okD z=;)Gq^7L-p)*)`xT)g|O48{DpxrHoF3pYOQc+L%>ihG%osoPw{{yhml!S3^Il8LHs z{Q;`{#7r#&$9$JulZ%)>^8h<3(dMT9m=rDO`Fudi}Z8Sj(WLcS`ZMSl%yv z1y{!lksvrA*{pQ~x%2wefCdCP=uaYJiB&bG2k9xAw{e|f&J_U`Gt$TC%qiLc+g zQnV$i?y0(7z0DF-;$pU7y>CfIQP1;dCVhVsSs$s-5f^>OyK`ui7_6mJl2xQoxQGc6 zJ|#uv3!9KV&$`ZQ9wbpR@-!qI*gTO48Ry`<*dFTFgsfKzyKYmAk#+L}X3T@>0{60I zeqp`^JYtVInoT0f$7*mVtsj)=>C8W1)qcMMxo-PapX+l_HTg@RGxa*4i^96mJi8l0 zp11)Uok%HZh?2c9Dfnq~yy)UjQv-@s9{>D=07S};<2@e0q@<=TJ@@lUF=t|qFM5}> z_vN0zY=_A1u8pGmta-B#SJYZt#gFHfj;uV;V#h7Y~MeZt2wsQOE|K7uvoG=T}eaPqY@^*3TpY!hE?K|J`N zO&@&BqPzF(pPL1e~9w%)E>vnc_VK)4sI4v^By179h2fK_~Mz5QGqxn%=eG< zNY~)vK@+y6qj&=S()cfPplmVEqcR+?;f-Md`hl+?iibKw}<1ZDA@zm3$phDXEfq@F9b3olmLna#Jcm2d)n-*HMbijb%VLDN@zvw#g(et}(2TC@p$Y}W<@2@C zjZm>81yY{)t{9Bp(cCNXrHD9#qNGAysEK7EOLBnR_A|=v zX^qI^b;_li>6m)MpB$*e@I;t5u*kH~v;9JS_N3vX=N+14-=Z&MJHz~%;%K{zLbqS385=T2LzyNgV^MmJFln<% z&>va=B-zJAOhU!d907u7GL#i(S(K+(C67;HU#S&MjI};$Fu58N--HV7L1nK)JLNqh zpORyU^*?3;p)(vsHxr>8L^ViFcdtNdWO+0f2F=_JC5(_)cb$5TJwJK<(#V}b45UbS z9{de;%06uzF$_9iD9Dl!Ok0e_Fwbsbm zbNheX&VTy`id3c@jY0xiOB)4<79@vfq)G-1N*;02M~`-x5-l(bNSYJQsI$oP^!P19 zzj&PzG2H|EQPF}2Nt{l*a|y>Hr63ns^d&A> zpB_>*>W>)vBuw}8kg&80@$CEHn>2*7jQO4x#033XB{i8h06FbA%FX|Yf49($Om?F` znai$jZS_&dmrBelfD}}*(O(5^E4HHFXQ5F|_h>7x{>h^yfteGWI`5{VCE`$Dz47Ic zr$WAsP1iptq7t!`P?oKFUi7)MWahZc&X7Q7gU(knq%%}(KDQ& zpnA#;+q~W@?oFM0@K4io9BKm$ux%zcb`3!ZnboQP!lSj@3o@Uzmxoy2xZh;I z|NaPMC!^mz$`JuMnEP-}wX)}Oj)6+c(7vJxHnN<7kzda}fuDKLMQjnJ23lZ z8`b!V{JEL_?Ebg(1iqo&<5>Ip8Fu$y7Fq$RxRZH0-yukwv_|C7j;*l%9Z4d>&DS!Z z)gWoFq3An!KNooLg<5XDnChuY-~Q9eE8mA2iLRqjXtzE}@B~gxS9dxNJbQs+c0;mJ6wO{Ye6(~)9eI6*+z{T4W#NCRBV2p`uyQ?D ziio)xAA`!)$98nJIdp2ku`}-RxBUxo4kSM?{>3e9Zy|mUTHW`!ce)ZZ%9qKYEQ&$kw|^r$tOG~$L85(t`^hk50ej=}CP4jIB13|U3 zx(%A=5FIX|kM1VjPEPNR+q0=qDc-TZ($I0!ws7C8F@2<4gF1mP{|3LV)Q2X?c0Eh` zk7lK7Aiy1sPDlD^FFt?Cb#k24ea3M$dbrEy#A&bCGyJnDF{rfei+qgMs>_o^`+#PF zy?CP;i6ae!tcwXeO_`s32%L*1k}=Z=-(~mJKM%ESnCDBMF-07a>}|0Ph3#Y+?Q8Gy zEttS8GV%z>1wtO>5BCtl^`P4pqeld0bNerk5hHXWp{X+2E{ritpi_ZJl$m6bxA; zBv}UPI=Wa$Nl$}yv-QtGjuy5{0Xvx`d-+BJ>%2GRA)(0jzqMtLrO?tq>QVacEPw9e z{(4V5A-pYjSihl^8T0;%e@X*--J$1~)FF~|(XC_RBFFp?4@u02bqZ;q{j5>ib6%lga_gxlRfRRY5Bz{KOy-^dCUyEB{>jz4|vv|8cpgC(CE3V z;3Ijf+9#%XcGdI>b9eIm znft-8_jI$Kdpq8gHHW~ek7v=bv8SajjX?U;(fe70+2UueDx&!oXd+K9x4L0%%3twW z&-&ShBE$*=4$8bW3wfAGTy-5klsyRDU;fTf>4`VhFr^f{Yb#Ny_v2LX(zLc!_StH6 z7LU`I|4XYP{~veD!>{KdR}ZuxbJeE4CqeyKFJv=@3w%Ibd#-}P_0N?wQT1nxmiz(< zjgU>3i0@c22b~ayRG6VM>Y}kHN0rX`+{+TW<4L_Je2M1cW!G*&&Jk5@X>T@+WlfiY zB&Kj>Kqnbd^`y>J`$KeHB1p(4 zvG}3Ym4rkl3meM8)E&)^g`e>jQt7}2>YqMCDyZ}AIa*8H9hA6Pt~zd8*q!qn2lP>? zE{KVd6huA1CimL@a-m0RpYx~J<@cdx^>A^`?vu+5a$|0@i4cBahoD01UzS>y4aQx% zY0nn7Q&;x<1@@cb9Bbjbe$j2#{gDBJf!~T=m35vvr~bWIC%=te@_50nzlHTb@d!%a zX6iqp7tq&a3gmo&bE^{o5Vr1y>U)u0-4XBteB!xC!u2EsVix_F+o43c_q0;J1Im4l zWCikq+@r{&mG-DS;VYIijE&b#nI;Yv@Qz+XS$6Z&T=r`~@@+|b_pU(sY5_Gjpc4SA zt;FX)gewWyx`y9d)1hH7s~F3qrvFJ|&QpT#n?Wt7pC4uR^iBlcn+!<>`kpWq;fW3w zD6a*e6M!HFbOILDGPd8t!Wh-WzMUm>8OTg-%Y(5T-zt9=zB&PHa$vlj=-l=hDWcZT zoPW*5km=Y-Wj-MW)kW^sEO^zFHf8AVe>=}=JUnwJ^jV4G?>L)s?9TH>u1z}aP@PMp zn|hVves1M9E4E5>-XfFsC3W7h#D2hDS)E&1$@XHF*BQ{#&wfS(x{D!Eo}uH05jz8a z@ArA)7{O8`EjIXecci}#Aij~?2XnuFD?BO}P7Yb9+lRWLTje8b0G3#V}~7{qha;8{DV3lIUj3>EGZj@GZP0 zygont-vh4CM}&_6ROe{yK~{l1gk6J0L`By`;_(>pS6t#PPr$#mf$zi4dCdF}>azSi zPpZTWotyqd2Z3ao7*PFC}Zy5h{|aiHg<$ z>HwCt=(c_383e}L)U>}r?s17(oi(2siI3@(kBv4Zj|)etu?-M%-^7_zPcH6%pU^N!I?edz}Hlu2Z*w|JjDTtrvhsk<|=B0|?O@d}y z2ZeKsxpkb=lf1k(sBM2aSP7ValWWgY`w0H{5!4e`C1{Qqso)^>wF}m%h7O^=&}#lb zcsarfbdU2lrS8RUxa_!W1VUS>kiCN0A)3a$+8w-mIu^)oq=1-QI&KFE=1 z!ZsUQ(pXYsGnwd63fHKv)Fqeq-VUqyNCnnT)&v|RmQSFKeOWaKBjuY+6JF!ZF-2Bx zbuJ@%{4A(jFYJs-^;#v|HUFh-Vh#a?41Vmkg_01kL9M?z?PD-0g=dCNGM>p^Zx<^1 zbqAAdx9@&S|8}Y8cPUR_%CR@#-GY}wfHT=@LG#J7TVHn(WLqBMG%hJs##LsHXVwwI zZIR)4+r%ji(JVVK3!!>5qAo(0atc{4PoO~GanY&Th%n<35EO9#05#|G*{vUSnpmD{ zUvcZ|2k#XWVn|%~$#8_cxMPA^=%X}^=_5RdGjtQAHAUUDKO8d8Y?}7Y`rBEK>H zj|CdVQ{ULo#LjYFg29vRZNx+7L0T-M6o{`_pRbziSEyq-P@-q4pi>)3>e-b;uQ$Z> zKOYq7nFed&U|SjWL&Po8PP4z){oDnh2iCKP8$}9w{C{h2?gs(w4GWH&_3nRfZvyFl zg9Mm-EL zWZ7^@*_&6R$T&O4OhL`bw(@|!RDtLd-vvilp zsw!;#$#FK&&D;PDq?5|zeD!Uk(qKP3GlM%3_M%4?cIJ;uE%d`H?J)bN=jGFt^+r6> zDkww4m%Hv7#2`J_L+%~-Y3>*Tj1NVup`G=X2fNrqmF-b{mFka?`vcC!mw{?z@{h#{ zWY)I2Gs;mW=ZIv13(QricHq#ogPa~rWm2^>HdsmKajbLpBS|W34g_yMdFV8vnEQYN zCe123yytu6<*+|m6_7XA-x+iE)?g%{*U4nZFI7YtHS;V6QYa&b_*RbTGX>nJXA@15 zQ4$M5j!kGHcCD~|n~U+EmWe`6ZIu$eA3?7;g>Z3xEjBaMod)@yb%@JP5Bt(gv(vs} zXYTg=TM`m+y`3N&NzPsJ{Vl})^+g3ffY;u3s% z6w;dOQLL=@+DVCuS7kdK*MN;(Wk!!%CAZea0tYB}=vNIAp)<>{{0FU@%g~tY#-|l8 zB%gG!pf{YArkseE#Zs03FRx+03MkEplnO(7YS~?w1@hf?|s(7Vvl-yah__gKMFoD@@aO zO|?m^E#6pz7^q{J-pOZ#>`i?Uk1;i`v-~wqs#kT5H*a0OUpR|i7$^**r+#QM9xL2D zHlQZ)qoLB&bk+#=(hNZ7je;j@B`u1IkrPR{K@eH?=Bc72HV1-;e%49$P5_@3MYDn3<`qxs4IUh##!yaj{;Uw|?Q zK-C^5s`OfD&;)+DY;^)bu$e}3Hn0@89<}RF$L&zUCt9Fz2y<|T{U;bo97(0 zM%ETM%cHsk@J)QYF-32OWkLtLc$tW+uY@vh0AVrY)djux4OOB{3FcdF)WzFTfWR;6 z`%sNiE2=`}h6LHPD_Mq5DLLV6r?jGI((y$%nbpm#{&fxyWbOgx1@!a_ zsdJfTAVcOGrTYp%WS8;wgwcZ@kS3N|0-15TyKw123uNhm2%6GZj+T`n_BuydX)`4l zOAmmvvwrfzgEsY2z|6zD%g%k`p70m>ckKicX&yA+3}W1?i3cUk$6`Lv zvZ$zQJU_cUoHk(mj3)BR{m$hAZKCJl7AfZgzXf1_Kc*b!G{LOe*k#uBqUmWgTQhw3 zd&tH7<^KK9j0J!@O>@%-WST-f{8_79OCu`?nh2&lm7IVulKN2R{2s69qjZv|%c-_T z8^df-{kxVwd|Jd@XJk7MZIhWmz(vxrA6c95Z<9Ca={Zh6{XKZpd znIZRGG5NxzJvR$v)9j|PAy}M6qw{bF_ATZcSss%BWC4p%dZ?lh;`4R+2HSHDO#`kO z?fMVn39>YVEU^@g%EFwWNIgH?Xq4!77BE%sFL~ArKKaFy?K;UydYnm}1`)WVP+qpfibF%xP zOXF^Qfe0wz4aOmMtcpemrcZk5x7rS^3%u!-kSPSv+)DU;JUhH<)-9uO`$=Yfu~Oaq zw#)M*|L4?s4jsd@D}wnb3$H09!if>coWl8!q~P%AA%1O-YAU-`(d4JEG$(b&Ify#m zS=?5WWwRGfR;kA;$-G)mfFW2ZFa%R6Z+b4rUsHd$y59}z4}OyufiqR#ut z^IcLb=Pk?dRgsC+E@7*ncx{L2yR=Q-+K{U@b*;LC4~HVJYO>FS!9U_O-!vaVWfKiD?ig? zEX5qn2o}|A?ry_6Vl&qe!L&(b<=0`8*1R*NCuE$eK zCdX89UU0ITFP*h~P;Rby=$ohAFi5_{dit!R&3HVVdX614xm>sQE`5)@&ij|SPDIfjoK^wO@Dr%=JXDV& z)hJtxcbI(&I-~M()whab93BPNchDd(H)n_e?eUM<$mzyPz!~0rd^|$0Dld!MYjr~c?U zvHxdti>)7!P(^&;fUflg;}X%>S3Rvov3ZxIb0h-H%w2s{rImnik%mazU+4-beWZRF zH^iNh^7CD|EP#1)wI7!bk#mEFva2D>##l8AK*Vap|{Sao+zswi9@)8&Q(?c--9FxhK zbaxc4Via6^`y&E?EWP*CF2cI;hw-!U#c-U)fzKT7vQZMJ+{(c&r%ZS-v!(7}eenaM z$>j1i)+Y(}hOr{Jm}Ur0! z~R1$E23Oa#9vFiK~n9xluRYvic^4we+$5=F8t4@^L zV-zlwA?dQs|8)}oxvTaT_4e3eLHw*+|5mvC3E{sda+}NxwWzeL>ee&^jbyP_HlB7Y z7zTZ3fGEG7$6oKrZe#Mgf5qe?-_hzw2L^L$wx_n0(7Hc;DMwld?^sashO2z=KFTYm zJ}4Z6QBJ@KPNljt(sOy;3Yy_saI&I&{~ubX`JD^w#9IF`aID_tWM`Wy?xnX&^ ziR1|P^-H|Z)Shn>DfhzpsK#g#lST3TqM{3h@*Z8h;#a;S%(FG7^hSZpgTrAuxk`T5 zHJm5e**7{bQW;wZ%=z;(=o1t~pFxK1#{Z5fA>~y{H{exzjS{aJB0?v52-nCJAubil zak5iiNi5+l9tStP3Mgph7rNu9Zls38gYHPMcR!uFXdJ9#D~K}p?re8DyG>wD)Uo$I z(6g-rG`vt}RQv z0sK3@8)(+j9;_3X0m6XI;fr1TJk(y2^|YKYP6$Ie;(l~@&W0xxwe*K{VBd<)t3 zY@#(sd%3qe=xHIor^fe0OZ<}l`4QwQv+72BvnCl5%?3oPXN#)e)T82&0pNg03OL?> zjEcVh*JBP>R2MNa0D7*$LZwD!3ZsQ2@hW`{$9!x>%0)L%>Sg=ob9-Q{9F>b=h{>`t zYKCEtviI`vc(C?SrM!uYDjbOai5X`FF3$>*2D zG*KQ5Rrl2&oNkEcHyeJ;g>0AdUX8uI`RHE)WfQ0x;h!ShySq?e@H`d3bTBi@9D1p4 z113ttxEIJ+#ur3Q`2RUzByIyHwEFyi1kBNI3svOJr3NfTWvFN^p$7f;#3dLACul0Z z)L*qy8XdO#``s{rx$cz2*(Dn%%A)a`0M(ub#O#Zkx}+lRDd1@AarQ+QEt|gosI~nQ z`X`}9nd4Cx;P^1bT<2vWNA3fPhKjh`IoH`-li&~S+V-O^RODLqqT9K@IU0A|IvNAn z8{_TT-Kr_d@lSZ%$&52lgt_hZV&VrR3WcB3HUw^i*Qj{ePgRt^|)UZVip)@KzF^{$XgG z7emSjA=PF=r+jRiwvItX7<@0Cyo1IDroN(H zpEBt;L*ucCP5u6mZ2}Ggv^NOCa#~a|*X>SC2turcUe8r@;Dk=@vL%Wj_j*~XQWf7K zEE|SK!S^*^m|U{M%2{Cp0?+hz?yi=FGl@~JaY)p!Qn>>5o0 z`+r|a`R#7X6ud1STtDqK{>KFM+rvCT%y>qWvIDF|;&exSB_x@ zLFe&8W$o@noOn8pi;`Jf;ap#MCsxC>?vIg$<2J}<<#QS&=s^&>2E9-A;I4n ze-V4>;7Q@|!Q;bWRd!{{;@5{?uG^oruhFT-cI9e6+g?$Yw_9{HnA9&uPHmQYZVE1k z0J6%4e#~85qf*x)U#M-j!DD%aFLu5KqRX&Y;26Y(@D$^k4@k)yeZ|Lry!sh~I0;UI z&pRe|kbA8GpavsIIN@~C!?8!yREi6JD!%eOoqf5;f@0|Rh&q4zrYrh0Qy; z==*mgwb#nmu@<|4@dDL-lSDzF^wX!#REZ@4>hDH$bt$_fHOj`-KRSsq@^q3X?WsGoU})n_WeZ zn7`oxWV^4#V;51oN*6W^$&17naNYKWXw{~YS+oC#y0eaoa%;o>fGDA~bPOpX zQX-wwh?Jz%5GqQy#K3?c9U@AHh;(;{bR*r}%>V;Kf6sW%d(L~#dCywkU*B5azu;Of zo@ej<-21+--*wfn=Q<}&u1rk+uX9@U9%?}U%n0%Ae|`&p{ZPa0*X{0+*S->YgD;wj z!b>LPvqg=-ZGQ-c*u;BQ`(&L+sgQ%1GE(seG2g^Py+MpuG4{g{(O8PbKvr6+q9eI^ zoh-lC+gZxB$36xZJR>HucTT-cIy3DD#PH$aJ|P!Fe?CxGCj1 zP5h`(j8}BH)6;-vWg1JN+)*I`=aJjy>6m3max5Y4JBv#O5!!Q+eWf(f}~C~0C|9Qf@P zpLMB=5lPVn4Yrqx_*JebqNBm`Jh8kaa`H(ngz19g4kg#P*d>xjFV&g7rc|3uPw>L< zVkQmMv1qff(Jk;4wX8`jH+XH^lfXT6PbI;`X=|j+Z|kwnYo|l@$FN!G`QwWT!&hH4 zEmM{Fdn!WK{&6}=kf5&ln)8gOr2l?1zkdVu?mCDYBb#Gr{Nz1sqg@D3q9=(iHd|+zHs$by#1QKG$GTO5y_5RN3auDhOY?*2PROIimJP0!g(a^p|7Aa1 z;Lh-x$sjeuwTmUJ{(vyUZT#pCC-)ub(a(Afe~}BKyrDYv@XPGzUtcevIVG9W5aKuAV3+?qSNCwwt3m3Mj5OiQ3;?%7qFvW;sL zFV6SbAE}sHNKfdEf9xMsXVli(E<|+w<5z#S244TtzAT;aT7DqW0-}VO@5r!Ng=RC}K;dIgTL-{JSN%^#@@Ng~j3!q!xEZTO-EVfeghKt>t`WHOxh z+u8b&DhyCv0mFPJT0m`g%lTFvu+8|O@{{=S_V6@#?jaFx7h9Dtlli0ZuU_{wFeT)c z$y{;+>E$pn??kK?Zv1@0jt(Hd=}Bj)jJYKrblf(g-}6d_Z4Tf!9F*aulcyeLkvan& z%kC@?-tTPwhiclNu09#H7wFsj0=P0ioC-*Osz`-b?28WwQ1^G#_1FSUi1jA%n< zDETaPOnQ<9Ndb`XCWifN5F1?1Z6l2deg5N=-{iO&e%q}ZyW3_|*2O;t`Okwjkh}y& zYagcI<|Dcuu^yOT?SRI?GFeOb!rzK{jVGut#!c}!n~8sK%DnPIbp^F6gn+(o_Y+V8 zL0baX^WR|J!4&e-1wLaRPML(!^%jYw#{M|+O3hq~ASEZuJ0tk!5m&=cG!zlQ4LLPO z9H`JTZb@CL(}+870yOXN{mtHIq9(tvTPjanlaG$=E{#vA8}*s_SJKd(>nueWU7> zy@@^_5-UDwjJac@6rXDfh$?9me3U^Cu{+Vvi|IhlJL5CyD(A+rGaXvgXsUe99+!<4 zmL=@`?8ipH=%pMrV*jk5o;w?d0OV!yFM3BTNCPiDCmrJfi1Sysyn6GS9uvtC5Vbay$c|JW~0x?uh)`2DLldHQ`rl( zh^C<*RDL{wm!Iyx$eEpsc1GT<9sX2{ko>{`meS&4{K zFgDG4(>(sO%h_Xd^3*-5JR7qzQSKXUHVv1wHaMSuV0%fLbUJ7P#JJ;LGaoXF9!^(xW5Z&K zrkvwgwO{PC7O}@;#0|;VU7Pa6+=(xOOfB7V-=3~DVoj!R4G?fii5?5F z&g0zvuWPOyagBF=)`f-Gv6NepB=aaox{SuGg_f**$bb}YxgU4)O`RI_mjLV#jNAQb z(B~5E2HNr&Qj#bb8IpY(RJ``BTu{XsoMRX46h9@-*+&T@m zYuD=Cb;fcySQp*lvC-SrIiz#q{k(G?*NNUpozDR;m|U@Mcf_#cTh;ku1*=Gk??3yo z^A+cUVVc}cb4*O8FK91d39p3DEZLl`pte}@FzNc_N^Z2^1mqJFgM-m(VY6ew`lO)r z{1hedyKqjt^Js0~-=CD;Y;XzqEABL~Tw3K=Rg?lU_r$lit8B-=E})cLkNEB$57xaK zlYjbf5$pC$cIVz%g?c(ilzS`hjMbX$RQ5jvp@gW9B7^El(w__QkFVkH9JhwZf5h%E zFQBc;zx)3YwB3@*hJv=K#1Oa5bE8K;D#P+Q%tnmn!3|v!C3*|m-L%^4Ts)EW>{K))JbbOz5K0u#za+I8T#?#mWs5@eru%_^M`Lv{A62vSZkD6O@B2I5!=WX1A57X~l_|@d-f#GW zQ>OSLgn^bo;oRA>_RV%_2FSi6Rszpu}^ zo#$B=TppJuzrK125Q&6VauouDlZjJ&o2OUE{krQHYk1LZj)mi|!V{PBpwKm#=vir6 zzs6cI*t*(kYOx0?T2P-=VO2I0B~$M5B7Bc--T$+Z^wpjoC2<9sv_F_1x}nEVfm$6*qP{lUytl-JDey>3*d^{a#}Y+9$dkI` z32phB;UvAz7*<>QPDfVZJmYjZ^InO)rvD44&LP8=i9xZ!N&?akZrPo)BV-0nG3o}F zK7vWn6b;9zZbzD;KwJNPw`9=NcfOohCB;D>lOZ%TQUf~f45J)U?oA4yEiwtu2{Umt zT>PHFyYb;;yJw*3sMzOJu^%KK42d=Xo>pl5{PR(c79on`=l zN8M>?zp2%Dw$Qmwe?mflLBC#R^+KYst6putp3u~4edlC+_WHu#z+Q&sOXpiy=nLc^VGCMpoFhKQNCbYO*S-+R1rj>f{+V!#f$<9gM)M>Pg$NIQ1$~r+N z5sU)A`$Z8=CT079pa9R&Q?r&S!U4jh_p1}@yiJFV9Dh5|C1g-FNRY&g`@feUs_@^M zpSL8iyds;u0?<{kt%-Qh1(l#;?^M@8zk30szlW_uL}UdSN{h6TEI;0C1uI@|%2;hY z>D|xj@aK^UJ0t#gjvHGr>y7wg!rO-NGT7^pr|v|N6{@yxWx)4tVvFX5_MthhFo-&F z;W5q^Ina&VB`D6h$DOS}BYpWoF+6Pl1{FLjk#;zP^pem!Fx(|?B>IK(>&4+@U0sX0 z18$ymAQ8NU{-{4cK7W94#25l}KZStqX9U9l!TfVKjO<5f`_)u76|4)gk2)VLO!PTt zlojKSS}>>=l@No1KfK~L&Bu_yv5lYbV5H?rT2;DfPvJ{%?PWodG-kjfA{rNdR}S>O z?`E`fDU7yw&V(7^$Z=@{_6%lkkVLYvOn*Z`b#f@EPQt0*M{3a_bG$ta`qS?YwXW}a z^la^@nS{#JJp!e}2tdSVU}i#BlH{}~ShO8kAVz6+?6NH$9)4C>*nYR-Xth!;95=jz zl(ZsakO)L?CE4@2_Vi58d4*Zj%4h%kv69qTcS5Wp070(`T7UI<<7z?o;DEhL5`{%$ z8zc>~?^eAEaEHJIXRA*(%xiYaEDWa-_D3)*Ub?hh5DN=p+=a?EQ@nik56QM36SFan)83NP(aSAL@LgtL`P zJz59Bl9W=NP5g{oYmE`#zz!MM+V+ulSVzSfJ~u42me%0L(~N7{#%ZiXgF%x5qa+Tk zx={V0Zyyw_#Q#2DYTfH7BJ_n+V~2{>$frL@cHRsi@W z3HcWdm&Y|82n2@vS{?pQXvJJGi2B_yeR+Gna1@pwF-XxjJ%AC6{uO6m!?K^FjxiQT zuTBEF<$6gnx~$R>+r^1G{MHQZl~*@L<@c%VEC}CI^U6;1c6FTcC?u<|uuepV3Gt?{ z-{Vah-Wk67{RNl^v~6{p9c$Y4n*Og`knM(|DV*EW06NH!1^NVX(pZO6Mf=49I00jh%twiyraV)YlggT7a(4hSPV=s(*XD z4-hK45JKLPF^E|I=BHtC^_V^RGT?EH7{o*EyzdweAnO&g239AqhYXxuS7ubM%dMD? zUP_wCfb>aK7_MK~ocvv9RfQUP=@TBh{Ck`Eit_g}tuYEMi`7^H^f{mbgIi&l>2;-Y z&wj%5N7NTA_T=kb1C&&7qU~X$uTt`=ctzu{n!__2>|X?Te7$;`WZAPFuZJ~2xJZB) zt146@7UpvskSi->^{1%0WpV3tvc#lA@ziFVuonf@Z%Vj+CsjxZ<4f|u;tT%{mXKKY zLK5U3c3!o9Enn2o1BaDC-(HuBEeo3Oqh;Y&PDXB~T@GkM9JokM3$qL^OWX(j>o@zW z)>Uc)yw;ZoB6W6vadi=6aYQgJwwJfjqd{Oyku;qKFq$PQ=bNzE;v#(Uw}>&rp=x~{ zmmy7ORUKfyL#`Ucy`l)ZaPAsLKHgF6uh;*+iC1F@PA;@6_Z(t4)+c2E?be({X~j~xW;x}A=K7TV(N z+>N-g)9IgFtllTk2}ptUjRpHz(QLPeP5^e{l+7}Ny11Rt&aOSvyS%SDlp*CdIvK`O zYu279XO_|mz^UjnvX&E`#teE-Gbeulv>lowtIbH=g{irLpAmKM_@(;KT5yV=;B<#j zyB+<2yH1c)#@ex_0ebx_VY_idxmIPVU9csBD%arq7T}<<6LAhMAy$5C%u;4y(4svl zqreX*iB8`0JjyM$wz{|i`pKV7r`kyIMc*~#6>mO>b!Gt%wWX`X(wT(iqjw6RG~Qo98a67#&0{DbZUy4(=}m=+r0%lF2d8C7Y|5Dx@sik zhhJws5tXfG9ktX4ql=0rG(M*pF}g)g6C)D(RrVuEj%RM5Hm%(_fd>{K<{FUuQ6Mrh zAV#8?@9VO|9@-q0Kawm)w3(SM4?}LK%#@1T1>u^nitzf(z66>ijNHH9=8;Q4*XWA} zPSS%N6i6o;tk3M20J_fTKnqBh)z;eAjZH0)^AXN~n~$D< zFiz5WuR!!y;43(_a5|NPYQmRVSnrz3?Lj2YsE!*ATzB;Ho&%F@>~#KlJM~$$b6PSf zr^B!EF66;AXsQ+MGeX<<0H$szCjK(@5do+yW1{4>-18;CUBw1W8rjZhK%E)Hbmt`ne&O zjB#kP&MiC2;mGi~tT#$wo50wUB;4S#laba~3pVnTHl}sxQz*6XcqtxVD-X|eai{fu zv6o}CgJt$oI(JP<3nbNdBPmyss_sjHaEwGIsfGMa53&4LR6ouXE=b+&4}sVXx5!cp z2AE?LY@-vzn@0p^Vv3oJK&t8^I(rnLs2(~EVUEro!0cBlL)mN`3IJ|5VAS;X=hCU-j*b)E|-Dw_Uy zzS}XqdIFf*yqN3G4_p>Vf-2cy>OZ$hy1PbUBp=$I?4qCByW=wbsp9b`A`s`^R4))i zx%R9IXgW>1Op*{z*j&|0;7k{I-4(bmVmDp+cIny0yE)~Op}1t)F@`&@69S)WVKkB@ zd3NUSP4pvYXU-j!grby3c0&BY?wMr`^F4#i?DRoq8B>pK$dW1QuOX?5(DWB7i%DeG z??moT@7`aSD#hieRlaD-9iR$_iEuV zl!2nRi|}YYa$9jr_-nKkAa#_PoOWxLa9>Qx*j|s4dr^aD6@-i`1>||3e%dAfWxg*V zgQDw#uFz-a{=LH<^dAlT?`hc2>w$0vq*igW#h{W)7L6gXq{w$+7j=fYo4lL*x%)Y! zJQgNd%=sjLz`tpfLHPO4*v-3?6Ob>uQo?_Sf8YGSg@5KZR>CMFz)4h^O`L`=1P-s z@6*~REU&}WzLH~>WU5X*J7TNhl?MF%>2R ze5@tvSBLCTbe_??Ty(A6C<09OTGOtxLT!c+wY%_9QBMfRrstCg7S}2ghr0dq0xGV< znQ*Ka1l4GG!->Uk{;Os%t?n`fgzxs1NMz`=Mo*sqMeIs{zt)r$h3Qc<(C%$A`^(Yi z-4y`nQrMQX;iCVTss5n}S3Ukimeb7I=AQz1i;e$yAvrHZubV0b@@?>)H*0idz!%M77Ul3418VjQEN-HW76MK+Jg1*dS{J!R zfVdl@<}AZWGnjm0z#*zswXah_(k-S%e_3iPmFLE@w`mtf5(U1Gq+xDF_s8xC4GQH*uG{+a8Y>niZI-zg8T3oiVw5BVRSGJm&E}t;x zVPBfgYcD&V+PevxzFRXG#5RfZf$6b5-^80s2Ei{L@YTvOE5wL)g&%G(QBKrIy#q6d zbgV)E-N?=^t?Y|5i0K-(2YVTvpl(Y%6H7BS5z&hu{tALy0XoJ;#Q?7G&Day`alyPj zE?1E95=*gjRG4!FmmByq_xAr+{LM!uX54zsU_qja} za_&1q7CKveEYfwqmy|5C)*bBrM55w%euU_el)U<#mn-6{NA*WPuA1LMUze3h3L%O3 zBr0qF21!MIK(~fIRV-nX3uD<_?Z5Ww=<8vf&PoW+cu@On?Co2$Bl`wH5bh3iGIH6mp(c|bC>%G2X>g{ zJ(hcwqwPBJ#~H6jvmU)^obTCdNjl#(-tvoQg5gx?c^>^}hxb1Tj*Qpi!ydx+Vtt?g z*9(dUA8M#MQ6I3^{_jWb!EZ+{Kd2mw<@6p(3NwT;Ak8Df>?r?kk>e(>sT3z&`rV!u zf&yq>U_{cVL=7tCFJ~rFI>Cxxj{Eb~^+ovnOnl-936aaGQm=CR*sflCP;!>+!O~zw_F)7|9LZFf}7crSwWb59C-h zn1mqS3r8yAA^>6S`V(9X1DCIi*{zh1z@o3D+Wqk3kHeJ{hx;gn`DCj}6}Vzj4XSd7 zbXx|b&JCE?w|W5qEK>zX)pD2w01ep>%@wMdhQ@I>SxFsPnm%4m$mpa`#Ba{MJ5anCZ8?+pz02;jegd$JeEbX<-`Z z>V?qP)j+HO1BPlu?ZQ(Zru(PBeagk%L;*u$u?^s!f%H9k_nnn%@(Okaf}U!_vh`ca zo|r(#htwu380~}jxYYUWzQP^nNj_fAFMW}{;h`SW0GAA*FkxV7#!RA6|IQ%**dxQ3 zmeTN&7{sL9h)IlNYBC#;jAo89m&!YHtl;SK6YIB!_e(`MQ1IY z{*p1}vHD{*hP@4mQ+#9oZLfv@6XCE2F zAb(y{emh%9P~LQGXSZEoe>s%@tLU`FcyPs3)1^C!E@&o0uOz0 zn-Zj*M_cGy-ZXxYlrA=HOBb?D>F}9KgRT(x0E%%pO8-Q_h_`BdFrhHSqEhD{B(k4A zaP*pLi;1-YATp5b@P7>=w@@Z}CwV@ccwZ%dr*1f!_ATylPF-fhW=FnfPs^6buyyJ>Uv{W^fGMw1k^r+vWOeO`K}r5deo27umpbhv87rrj&Im52 z?w@GziP7yC{V`Uw{Q)xY9oQDT*-`_gP0r0vx;}omi-+}!*_}#GL-mQIN#S{Bh|%nd z??0ce#lxGQ#dBZ!+nz5r6`oWRUav&26&wcc8leiyWuU(Fa6`Nc9}{{G-{ciE6%S?gXED{`+l0hwm4fWYyKOQm zcjG96W}%%>m9X3@W-CbpG06LZ4=mbv8}qGF5Vq)%EK)iBqADxb}4WYW`0=Ml@irWp#sjc>`qR zemaqk4m0?lwV1;;m68B;D30JrlMdimRdv&*iFEwZ40xLWo`xrP(d{RMR%j`{BV|fk z1YE~nF^du=sGI=d?|@ci?CakrpueV_5*)x7l#8rXWc1(9=?1)CV^Ao1rIUmOl>Da3 zd~7eiTbC0~cZZFM-#L?KG~kCZFV1TABqb~n4IhWnyO z>ql$LO&EMRp*$J$=7+wUp!EQ^Es3|dV&$HMg*=X`i||9W^~4#7*vdw<&sEk(e^qU# zBY0K{zCwt}K%h3hd3HmeH$Dv^Dc~vg%_EI>AW*ZvR2&{8Be#EuVXMvpLYMOdZd(_& zId@(tgY=If#(=Dm@1idPW$GM~;TXY|zhMoyrwu)NyNc2H3O$wV?_CkV5KR#1i(JHC zqa)$}w&3P%f+YkAK`b}D5Exvj=-NdK1^;GWrRmIJPEXvfbL6=rE{qiLAOx^7Ox1cY5lnQ3{ znTmJ5g?r_Ta(8nW2yQ0ND7pj5wOR(fNX=kM-KBQr%k89={a|_+;%fnwyf7o|T&cnR z$KrEy)R)~n^MS!vVo>xYODtl`(!x`?%YSnuj}T6xQKt8;DqKyHgkR+OA@@iQBkPu?p;AFT)5>vHi;7CMkP zm;=g_ef|uT0Owp>ONQZr!;wrqV&~h&3o?^_uS?)OJf$CZhr%ROWG``Q-?^3UL37G zg_viCpQ%GGQ+1J`(txv1rtM)gAiMVGfhD_GCFO&WMW zZPHV9|1-oF2(D2T#sV_kZM}a!cx*A6YdXCXfP_+k;T7Zyj{^HYN1l8WglFytLT+AT z&l20&CU&&Tg{q8f9vcxa4YsFoMweXRen<{t?(15d4Q_fy>YS9tM z1v^xv=XY8%RlhYW{DPY)@R+$~vjZ~H@&2`MCSI^qO!qCUhgy<%#ANwy3Jj9u#H>H4 zRdw8!r|s8Ae3A2*$Yk9g*0yL4OBSgEwSGz->vR}NCRBS^Z4Z25p&`2QZfgGc04;gr zdt3|Muv8(jI1CyUq7A~|Cut-Me9(f?_&_2j;w}(Zy)5HG@jsTy&rBeia6HqtCiWle z>-S}3e#={y4zx?iFDxRak9KD)P!3&1fk|kB*UWbc<1|dbMM)5iOBrbG5}Ie;gKx4} zf4+z#4h|J${M5g}X-|h(Ppw{lV-RvGg=w<|$jutHF0AjtGrfh?{+q#EXd)m6-ZX^J@pMKu_7F=?GI@ zE_xik298lW2n+VW6}1yq0b3X*$q}QZJ#V3&BDPyp_)Y|Q01(-O0wVR%YL7D2QqS7m zD^tz0?gCqnO(xfQQ3;fr_-^6Lp9w~PJRpfBR4(C?@s9EzKl*zvAu|T0H>gs3dJhw| zw*uss7JV8W-d8Y*kvd>BB?~C;$1k_HQ`1Lbf_Zr}Xg~G;2ZmG^l2s4-1BSE!U`Pu9 zhQu!tnY>Y?d)srh%QWnbvf*2ri{cUvL?efRXD>w#X^>LEn{>0$&lomwycBxZ6AXptIJSZZDn2!k+sV677g3Xt=f`>FP4crvp}CAU+GI$?CnAe`DYxA@~_J>x2x(-HKpB!oAxK zmCpwkBo#97YVS)k!UfS(xR>Vp(%LnV$SN%UQI2AJL-mb4&8ZzDBo#=Zs(bIL*JFGr_2Hrm)rbLlY35jfZCY z2I?6Q9w5(<`{Z@E(`l+;>!LsA&1(fQS=vhFu2-K8_z2g@SJabaPcy%4*~Li%$FB(6 z!HZ}&!jLeoE=>Gj%79TX&i?+TS7yU;(#NTOXNua?4vx~ineitoeNV5KaoKu%m&)E+ zo}y59Fn0K~Jmtg>0l)Fk6Pk{L#}=TEtk~Q4@(A1j{R=i!d`=fy3fE zY4z$68Jep5AZ?6#WKn6pxr}y@Hz-qQWK<}Y(KT#!*@>LrTK^iGSiV9775MdqK}#5Z z4>a0Wv;Xve{QY0ysH7u!p)4wimH?m_A}D#UWC1&KQAGTN7!M$3%|M48&JVPbzJu98*{^QgA zx9?e*j|3wDND$4|1zI1B4`r6OW+;^5{XOCncr4Tzc4~4hDUuntxUr^LR*_#axZ^%S z985BEXb;vdv*bj$_cQ5;7?!&-JjaW&k~Vovr1qmH;l}D<#B*iGG?BBR+fTG%qlz5( zd=n$urjE>DQ%y-93VPl9Wu>;Vd_9X32@-+kPfEFErJVxEu+Z=r^QbZ6Y9AFRn zv511&Oj0+(3@0PGfFU)AlY=O*{3@I;+95&m#({W}U4#vDcz8wF%N)T}ea+ySGhhMVCHkE5$bv!HH_$WjjI znb(^c0L(VY`~aSV!r$_{9j&9m$@?;OAE5GupAzOIx&RMo&A^5Ee?1@<)B|$Ssfqm8 z2Za6m1FBROe$Jhyj~MtmozLEjhKtAYAhed}U8RmB%uTnUTHveq!hitiGt#GYygoeR0RCvrK? zlk#dS%6P|V%se4|_mKgX2%zgWZt55J?=7GFo-U?1RF)Of^KKa+4>%u`tT@N}yRNQ? zZ;<|VJ9Ak9J2`<*HtcWv_m8*M*c0&kPL_t&hlW=wOJM&VC(8FnoT%6$5GN|)1@Uht zl)@8RSv1S1-X2zkL0zu}fH={BFUxQsPV@{p97&DEKaSu6E+R)`LZx7n%x3-5puqII z{qkT0W0YG<7EB{Df3_!wl=4|YA(yWVgKjBlt{|sqIO~ka*N>4l&x{t;Mdnp+|42SD z%hy44pD)S1G+j>NgRcjijrMLri&?eA5ZYFC`m)k>beCCv$AS2XamZMFkCAoMKY%l!jL)FUbzH3EJZ2K98 zV0P+B_8E?c6^q5jdEyrw!%Yfb_3|1Fbmy$_@q?1{sw`G-AV#Td`~i12j@;t2u7z(& zYbqzzsMJ0#=z745W-Ocfze1{q}p z%>P6}!C;qX0a%tHSg9^AS{mQJ4{7R1z_cd*CJ1G5l(t(J98gYRYb7es*&K*=olVx6 zApfEW6$>AdgpKCw9+6cjUXtW^aG5t81ctX!59p>57hDaG_(00`b1;uZ{9Icle^Agr zB=7=7$YkX^vJ1_5fmFjlqX{|(v5eVY#_|t`373b#RNP%=8ZdJOZP8H_C#vtEc^h24 z-PN8St;q3>eC0V6*!f`iMni`OAO_O(i4edr5EbBflO?Z8zCWa5IrE$qT`24Lq+@~idTCQBcvM#}GI#Q>;o3^z0@>hK9$b1UGxt?qk4G5oj->}i`tC5vnB7|V*HQN1Xa2{|5e4yZJ(;4zN@IXR(s_y9iB*;`AGISB9@>k z0nJ4d?oZA4JvB6jM8ds^nSVo4DO_8K)kXMBHo_Z=p5um&J0!Z~VG1X(k2EVQNpo)o z8aO>33>PpV=p9hBh$uj0^Vw+zlj=Ho2L?W*G*+()Q*y9+Cehh0!qQ@#fyZa1<-o_T zs=*nDBbwRTE%7sOfzVcsz4pE(QiBQz8KQDp&d3OGRa4?dGHs@anD2W($3-wCk+>Aw$F@3+8xY`&DBc{Jp}H(1BW6j#F$*a098j^PHqw8dWusPo-2|$Zp|Wtc1x2p?~6#Qn#yI- z0Qg7#Rh&i7mQiZO8JnMAd+o34dhSAlAN?Uh3U#Jtl$LC{%~4;Sx9J&owvyqt(+F-z zKazjr(DS1`PY1}2+2p!NRbhy=jj+8?gRwgEdB0ExKs(W5J*E>VMLx|>2S2(8fFyu_ zhAzS74E`ZbUvBDcjmO{xQav0Sc6KOxGx@WccnFS^I5ny49V)`fQY+%97xhvxFz?fq zB+HAVrT(Um_OqSNj~*$0se6r#kC^kdTSD$xCGIZ`zh2;rQ|1c` zWg6~h+<2ShV!|x_B>%-q^+^9x*{EWv9z$+r7f$5Lg}_xim*x6C*O8C0@vdu}KVElv z^5&PU-0K`o*- z@enCHY(DY#1!ONGNrU6}N+GW|ijlC>R_(x^3BE;4yCcBm9;?~!jv}(4u?b6{&fZD!t_ZlB(P0L1hSe+x02) zcZ;vx#(8d5q}B$TcG#GC!V6-Qxs+1MLBPSpxT69Jj$X7Qu8qUMs0Yfe{^E5o{j)+{fIkdupv z#wj`)^nWk-I~U9wo_;s=@)sApX7L*rdtAYsCyyk)|~?BzzMlOP$-=5NE5(!>AgTlIR?zpVW`z=O}7O7pio*Nu&`7CVHO&WPP8c#aWe>GLL(0MIFf+t$8NIt$6 z^-Z*(YLs$e*g+*JL6;p_xxRU9+M@Z_Dn}DQ`-FLYS_PV(UHT z6J<6&TGlx2QEKV9o-)+1{AF45hyyL(zKgwa;m7~%!Tf4RNeE(4egaiWylM58AOQKd zm^niK6PYZ>eb8*xbPEzB&^r+5jsGE8klQvV=I}n>SP?waQzQ6H9aD{c1Zcg5Wc3N#)W<8Em=^y? z9=&Z*P@yICVK=JYM}3zgk>N#QcRg#A_^IcK&{tETv|Vp^+NUgc7L$nr3Fk_eBg4gU z`^6DZ96-J>)@&LslB8TV<#HH`lNHPkIGgVXHL&(T0MD?WJ269p(BK_D75HA8=!}E= z49PUXnPs3D-5Ua zf_M1wOWM`1OU=ynp@?vKRZVEc`=(y= z1xh?br@PHW`e}6xuKT7Vt3x*ak~_h6vPfaAA4no23md;)f9!v!%6uCw0uI5ytRdj3 z!;tW>5iqbHV&}&TuFw(YnuKNd4xykU$7z{=VTBX50ce8piMgzs?N`{>oF`C3(}e#nWguG@ag{Lqo1>k2#N zT`enmyK`WHyJ)fEi2$-x%H&pcbL{t7<@-tfIar%!^*dt zrcz@~6t18ICCN8K-DByGi#gDw!vNNskp32+W?`{~^I*O~tc~9X(yBAWLR<|T&y4%q z1(f&@EMb@f0m>@A0v-WbsaGLAE2c~kr^EVzgv9`W1aj$8g@r_Q5xxP^d<;Eq`JF74 zCCs(6@iSYr6K5Wezp8or33wNCQwx(+nBPlH@r1b^k_2)qDVc|YIuy(@Xy3`cCw%nN z)8JSkqu%c3KJ%D9`I-J0r$m?}9S)&-RzQb_+f6Q~D>8)_?ao=kuDi$nHVPRnPkz3q zzNN7JohJ+*u$y?2lBRrfS!l@6C!cj(Fff#Og0A0b+9v!x%?Arhy&myEEY0Nvfq}9- z1U=|elVO9)5H2|+9i<`XwgG8wG_!}w}P8ZK?@ zy^^7;z?e3Y&SBZg>Wc1J{|q+E41ZAOYzY3$xoze0G_CPeVg;T-Sd!z4Gp&zj4}Ck! z!9sqbvvM-_so+dlzqJ3WDStNW+FaYRVk|HHaFO{Wu@6HC>-7oYL~|@c{K2ojl*8|( zU0Xv%amG9x5GPkPG@q4syNgr}J>+Hu$K*I`*PCQmIUDw$BBvrUnBv83p4p?%uhelU z`KoUNr5jWP0e?1ZJGbQYQsM~E1JMz(R!kaq+m72s&T_Kcv$tn>gxVhW`fF<4kt1B$m&*y~QRp57J%PXtIxLG(No($uOOERZN&DU_DWQ=r z1A=axYBzPtjV$E$R~-l<;0xzq?6mRDy@9`!Q>&;}TkOe80F z*^k5CKxJDo4F^?--C=Z)#tmzJ8TX|720SxgA+9SHXn?Xpv8ml=S2cgR_=woHN> zkxybZDg=Ds^Jto@A#pM=vcgRXGv{VeMg+>3?TD-(Z8kHihb5y$ljR%;oqO0wd9wwI zo=LuCUo9>|BmFG|yyqs4DaW57;C1>VVd;{8hJfq-3ITV@!c09oBtnIN@4R6AGXxx% z7fP!WZ7u^L;0>-&p_VPQbNijNG<%FV05NP*EWlx8IF%k0F>H4I=}FUU4>#}1!uI`9 z(zi$0)@H%XKWjTvI5Qfr#9sT_qf8crk!d6ANqh@Y$2;xmF!MG99sdy-Q*Cd>#6!mr z?XdDt?RQ#?>Wm<~;Fmw8j)fk7*>UPF1M;_W%r;<}$!txQCGE-K^4U_d?U9W5yE<}} z)f?r88*WpyYYst(Yx|>|c;Ypv_t9~mX7RYtY`S+oN zm;jKD+qZ;#B@R&~WsFD4PcGDjVS`9&Ub>b+YS3Y!SpO=9#t8J@*YnEyS~JDkhlSnW;Zw4Co_DN$tu@!$dgzm{XF>i^UKlx|%AyBN-eu)++18LsE$K z9Jdh7+c(X8KkI!b&54jv9Dl~q;|hvWqvKxvjqL_Hzf&l-yA-nceT}!3oIV^u)Sl^d zU(Vwj8+IKNF!~mBD(uWB6h{!8nf9NXs>4j+#QkdeI}B)r4M5Q!_~1J$F-VYRCnNcu z?}<1$k)g|J*?!Lj&CpzsxK<4%`@sR4hQyRb$C{Nev$ z?JdKi+}ij55m7;uF6ojHY3UrKQ5mGWQKY+vQo2T@6b2BG7KW4#=?+Ojq`PD2_}}B+ z``Pa2`|SU#-zyGgZ#|rub+2`;>pDN@nWR$Mro#lf%@$&1o;)ljAulx{-88LDmP{I- za#M)shSFmHFqWTP-L9+P>CC*!7c4n%wX+CkSX8FtJj1UoB5o6Cw`MIl})l1D^yrlcQDaFmMOa5QaT$!)NiYXF;nE; zdPtvqnK&Aq>X{uFYSe}*!au_&0Kqq1)yB=jBS|Qn=Zv9;b7sxd0#oJqJof|hy*MlP zey~(!Tlk*tn$O1#RuC5|b11HO3@rxsf5Gz0)Vv;(adB965j0S3v+iDgfM-0$emo7Q z|8Y9-k*iYQ(R z7UF)g3=J4^6kMnSwoB2%?$FSM#O2tbZP>wR6HDUa`ImdY4}5#{fPsUcQ=QUw+wVK* z-y0c_5@>HH8dDEKQ*ySJQdO*vs)Mc+#K^U?`~*D9G?EOfM)MxCc$74JK* z=FgT#ad^ZCgTe65$CCY48Q1-y^gd-9+({zX8UG$@Ij2g!ktxiF`T3M5fo6nhyrXyX z;G?+9D*PkkambjS_q`Y9Owfzm%&Jj#T1Gq|Q9Bw))XsF-7XlKsKZn=coP^VeRU4MR zbR;s#<-||~roh$h?Wvv|=*C#lE78#PPo`_~avnWOkPBjtGdUy|uR-#JW7-YXXZuS| zi}Z?5km^8e45PS$X3gb#nlIVxNzL>Xzy7sJRLvK#Bc19j)u z^wKSxZc~NB`tOl@`Eku_R-fYwBNo@j`53?EpWQbnJqNPb&Zq6?jD4-tfGvzja^^Lt zizPhMaUey%Da4qu={s2}flujSVkbMs%!g>ME_2zv!5#Q~TzfEa^5G#6l z4((w|>uj3c{QszDv;2X5QgL3)BTjb8$Se@_rx(EQOZB(Y{{7%zwXLIHmw`jC)cn3a zjE>=};_KzWkKs~4W$KK1NyLAwwBk7<6n)F^_SZt;s$@ZFeuA{vY(#ZVwLzHiCywGZ zB~kcV9+WpzYZET&+&T*;rGy{kWOQ;`d)+X^)FA5t@ zkA=}se8jTFV4Wtf=4Y~hA`nPTiORX*j=nrD&XBEOC~?MJ>KL*NjC%xJN0r$ER;+t! zhOV%8qPM6Ab1sLoqL`+W4u2ut5R{zelt;!-j(2!BCE|VynpqlqH?w3xvB>6<&E~i|uTLe{J@FzwW&5Zb zUOO8}FwD+Zq^&&r+Qed3aX#H^Tu&M!uA8}z3;?q``M06Nz+1oy8w_ZwjA;mHvHS>k z6X=*j5iMA5p#&+a(4aS0(ztkl!mC}j7E^@J{T~U^J?I4K{+P&U7pL2QBuG#EBSG3^ ztQipuE70a%SUeZl2x&tvt@5;oD&ZUaPaXb=)?mUBc4G1NRV#jPT<^5 z9YZHb8=w=UtyJpJ6JM){taP%Z$&rRKu=h&-Ayvdi8ZSQ_~QycR7(2L9TSm znnX#>YE8uovoV|2iy85~+{*rP z(R?+Nib3YK1QP_hA+mc=t@=HO!1sDny$J1FsK9(|ee%&~5ur`sGLN;K;^@PW@c3Ka z;iuyeI^*wKq_-w8N`J--g z_ObC+6GUP2L_!P3AgomQc2oFLaN?z=N$*X`9m7_iDhz$JQAc z0g?wWZED2N?%ZV;oCZT*n`b=F+9K`|xlTA&s3~P1=DJ6@lw(R*hDvvkw4Nxy5R%`4 z_Jm5!JsHsO#J&BYTiMP{sU03CmwOad9HP!Phu4opiTAcmXp+{0x16M_ABsY5JUTKw zIZB!RIk}A|vQ;c4xKecCl5}SXA)z{Kd^zng zoMA#ZW8o700^lMwIX?1hvXsn9N@_&t@aLsJ!k-O(g+FKh3V%-i75+RL-)`K!{EzVG zpFsGtYLmY_7TC9j88SIl;@EhJe7yFC52-CFmuY$~d%FAn+3x-QB-73gF@M zK(C4txGSkFzn6l@?LG5iyAQeqQ1aR4BXKNEySCJ%4z#iXPK%Lpcr z3X#hFg(rm)i`Ap&iIcSTv?MgX2fIa`@kvagLbC))M(xLY=MewE2MF3ATK#8Z0`fhZ}1->lh!+~iOo}a1D){AW6 zHRw2@?0+s!;jqLZK=OoOsKL;Db&(nqS;|<3msZY*WS|bdK&sbT;DWBG!K7|v$j1aC z2t9v_QCq?FqW%89D+4bcs>#ePH^&+8i>7m&VS+5x=1^a#V42nNHY+mN`>MoE_&euO+)&ll z2dmWk-dmO2Wwt|4hDzp7vJJ^EFLq3g_igxbU~36&w7W~^k{h%2$MARpF z(EB(ED(q_RTD}bb$35xu8{qse?W;M2M*i1~{x5~bTgCw_fU_!|4&J@TSIqf?S>7k) zSY;<|hKoCRzC};G5<2&kg){LTSGy7$o`Yu&n3m6J5J5Gf>AT2EQ*#<4C)$*AnU}`L z6_$OUQV6TqgW5XGe4+DVI1RG?R^O^)xhv9GA!M+cIq@N2cfHr6a1Y}-Xnt^R;5${g z+&Ej(oMBZlnobY-MW-V!U+9%%V!2)mQ7rF}8NNiMGs4VWKG*?oiPi`2N;k_SRSfcjw!(Rom&b3X1mj zX1`forJSD=goeg!#%~p=9Uo5G&8xTdXRfPsLMqz7%Yd;Rd%2l-us`uH^y}JDbUt%| zIOQXYbqG3lzJpV7vQzCfgxMV|H9@M&^8~2@&4(h7qVW=5RY+@jO-%<@F@Co_emm<= zgd43(OQA+LvpOubL1}Z?KEO<9aE03O{dQX1`v7BRWze+g8qkrF4;+4>&%TrjA(YU> zn%pSk%VM&-+D>ldtHuKVC^%hLZ$hg;3_NB>%vi-v3IRg~vnoJI#8FF$JW2r@Y}XBD zQ3j1V^aD_}1&p&l8>JXt_JQ_i5_w z@>{lXul7wE|3SN3mZ?_ZC?FUfBQ!7F); znHE+*8PEcz#PKtsY3!ebFxKz0e5*{gKX8%Q^fce7YgwYV(-WP6)DrdZXrba^!m-=B z2AuG0h)e5tmAkESnrWnbFThcH(n1HyzSe6>cRac>qfBzYA_yowJG}+r$ zN%`KVNV2g_%NLf)qd;`hocY9D8=jpl*ys#xVUIkLkxoA{u9gRy<>VuV>+$eY457S0 z@p1KV&z2lW)k=#z=a{OvEK1pTuQ;Dy_;vEFnzkI~i1$u6c2qLt;9HuTBPqm5ahbUU zAfZ*HTWw!L4Cv{Lv>RktHCvS~S}uzuw}CI)=xa0!qS9rzD%&hRD~4h)I%7 zdFP#Laje!=T^blHxfdl*gGn@W#H|}9U2hN~&MD{-`kuCMhHs?eST2*>)rthhk*97y z95oq!u%tTlmXFGVW8+eo#*kxvjXZqc|CF?_1lTjsfah)Sk%U_mNaB=u*zR|-)fUl? zpehOXNv4!L?mN-9NRo3p__`AiJfX+8i}Us$dj)oLRyqa|fVA6#x9?(COu@X|=cbiN zc3yuRLG>tr?Frj0oR(8uANvP{MDis&w_(R5{}=_PcC(?rV)yz^&sJwE*3W|mnDFU^ zdZXQbS`F|$%8n+QIi2F7yR+q{8=Z_zzCHFLHCEt5Da}o&Z|%l8YZEY9F$j6N*`DgE zS2;^7z&tmLF6^zcuq&6pcr~LZ5gVf(2}RrVUSy8Xg#mRA0pZyXA1MO=DAg^&T{|oLSIea3 z!>c47PVo?ukDX5;ol5^%5`CaTmqdGH8=L=VVEkPY$r|1Mb>*8QY4mCxrEQY~gCvXI zlm;}qNb<@BgRp$DzxH28M|}6}yZ7#oldBM4&wl!DJui7omDZtnCl`WXTPjgj<;!8M z5!5**Fk$)@3fL=Ct$nmY9)BOc$D*=si;T5rNVn2y z2B~;~!i72+ZS|5edrMb)2tJP?Y$B2tQV(Ie^~dJ_(N&NmW#({XjIp_5+B-Ew$!4+) zcfVq0o@-qmP=}08OdbP0@TQ$KMzkP39!rZ|x16m;y71e@!BBrwhx_XV;ANVLwxJvQ z`7gSe`Cdm4{Sc=(bP(NjeD-Rj`o+w!6xQd(fN5!YU8k0OWP+Y$Xu2v+cdJ0qW;bX3 z?Nsk`?N>GONo9xkreef=4?CB4yXKLS-R>k@$7)XztooE=4}4Dtvx{G@S6+U}+*(a> zV&4N7U*b*s(oS#=`IO|_XIETHr7k*oxgcO%f3g$~zV_wre&4NNpEhjiNmE=Q@nn8M zpy$g2!~3k3O5cI34L;H785ipjX6d zZCyS)1|)iTnbE!oxnO7TmWmn zpyu^}w%WYjZH@Y#e^vwteAn^GqODi!5Z*lB*Z)$l4m?K-iJx~=7ye#D{a!a&QvMPW zi(a$u4`~EwsRa6K^a`S^?kaPl#&5X5(aAy%Slpg7lJpGULp!pCg}~2Fy6A5jtI-~a z;?^8nj^qCnS+j;U^7%m7|-*v#4LO%oqR2y zQ*4jov!<1@??|-%1$pS0PtJ9JCEEW(R6F0W7yX_y9e`cQ7RLYx&N4$rptXQPf1jh4 zkdZ5&fy=sMXUEqKLZ0G1SH)#QekCFpkYu|)LI)P@%Om%i{>SMV!w9I;7T%AW{M(IR z`Pdp5;gRKBPeP1SjsW$%LjQ?f2{*%mrvB=Qe8k!ycpF}4nbvs_CXuF5{|X%& zTx=BmV-TvMIHsPL}xL zQ6H^1dvaxPQNTriI7t)*w4AH8 zlJF~)=G*|+(7O$eZA!z%`;Bj!ZkpewAugU%kl_opeijl)8~6aS4d>`nza8dVG>FEP zWy&9!k;6>OC|T?I zT=k+H4^SHy4WtxV=mWF8WGz(B84*&;8505sr3J3x3+534&}VZ2X~{Ft=fH{?K5~C; zO8;U&YRTDf{IEx?|3{kodVDEA`OmuFpFfEVG>n$Zvx(zxQH4bw$ICP{JKP>Vb zNTQ=!WRIgLzM9=sx`B&Ok-2dX=Ee> z9n~rXM745mD%_#HbFv(MsxsdW-#!{rI^B>7&-@8&LRxk?mK+0^jfr0O4c`9#Vf?un z@nWEt5k`lt@xLx3Y4kGMzxwg0hkw$#rrib)-k)nm>#Y%?6BdK#9Pew;Onaf2X}*@)=eZU( ze+vBJgS`Q51ZjNCSV-?}y{2E>11Zbpbm%gN) z|0&n9Jb4__(2A9y0LwzulJ$nl1uC6CJXYFC33;-c_NYM7SV%OYiNCHHd9Zgw7M`v?5YQ(~uCd!gMo@=5_M%$$Y8VAGl1Eyc#_K zPG8fB`~;({&x?-xpH#3BCIuc)H&fzSx&05`@ei#XJ3YE>A~xp}+zzPDXN7nF%t>8} z_$wzB3~I9g8iIf4q&k@tbDK-=3H>K0wIH0^H|H@2Bc2eJuw>!r$HWE36ZyO6wc+-Nb!hU(VGeH*~?HCr)#MRw6eL zi^+r-p6Y?iyQ^br3l0|YSq&S~yC@Eq&Y|ep7keHoNJBj3J{di z@L8%|x#PL1vH#yP;Qtb^uS9|7zP0G*secrizYmkj1JHQSQP|l99U7M=u+W3yyF+*4 zTiQ*cB#w#Nv3+9BkKZ%4?9F6kEdh9|5WhnouyFZJp0vMuQaty3P|4vKfAN(KgQf+0 z%gj7|yqp)EhSk@8J&zuO-cHtnH-@gGnKa{>-AEzR5y|3J67~>b5G$9OCeD2*9uSiH z81#Ujt&y(d8j}wo>j1UEAIQ<+Bgvl7G*O92io4D|-P8fQt_|^QOGU!G9TL}!R5^AR z0O)NbxV~qRwOmfq*v7+mk2wEgHdR2p9z*c;^8(aagq z;43C^@C-|kC<;uY@7-}9i55!51Iw)-LZ zy!7#>=$g?xIZe|SX3|QCD1KM&&F=$Lq&}q22 zjQF|==j%ZN*^?P#Y$;{yaR zkc6UhK<}fmwx?E$z`#S4do9BtB4mwFic{LGzLr#2sA~)ugfzcNPRV;L%0Cy&nL3xj zdeSLH$B+jXR~wcv%cg1S!1jCEN(4GP!<3-Q)dPw^s#2X!;Iq>B88G(03Yo}Ipm`k` z`o-(tnin5kf8q9E;A+wDw(F0?>{P`3lEZ8ed#q=l>^>tAI?v0o79yy&GE8^V|Ez_o zVUJf<7CE@_H_hlizX30P-YL|Zwtx6-Nks^xWGw3$v_vI zZP2rr!MPy32hiq{oO5Nk8(0oHoIcV{sKzY8Q-z{v#-vl8x#mJSpsjZ+bB-ds(4*6W-52*o2`3a;yCrB!8?Yzb9jB$Mtro9*nT6kSO3j&E~sf* zz3e*$8U|>oD>l1s#T_eTjYiDG+S#@bevr4IXv94+;R3H@)EG8Sxn9u*O%UKM^waC? zqDU>+H4T_tcenArmvXt{9RpYOLq<0#ojgqr!Nsx8^1jjRVc+Ef@3U$1`@rR-x zVcmT80to^b|9R{i5730t!R)g2ziolM>S#Td;O^}iF-HF8IlxiUKGyL+39SJ~YNtlQ z@99hccgDs@NpoWJCk{QGBozfJgZ-hJi~su$hP}vA33hZsYa!9jKsk2gvGb>l(U!IWbwf7rh$$10 z&>G=kOM|Q=e>d8s*ZAn0A?JG`m1?jFe!;JVRtpZNfk^^Xs(4OWjBIEmW7C>mHrmWFNf3M>CR6N`#jOQzU^xW{3GJD_ zp_GAa0Eqvfx?INTGK_r=e=Q_D?#`}K)#;p#vg!q~QvE2rF9r#}+?gJR+tEMupMGKn!}Z9(zYftb5Q+3#~m4@3>tRmFD~SPbiOl6|o{VmOi6J`0RJ zH`sPVMiuUeZ?phK+%Rpjfd?-CUPx=H)k?$?nX|FM9Pb*R-4?W||#by|LSm;;Dv|K_EgyK?J&>r3paDRfG0AS-(CqG#8 zUbBBBpBOQlUdn+D7u|VvJgE&1LS2;^yg_=s1cSthJ9iThlZ@6i`=e>ygTcIlDMOae zr?+>?*2eArJiClE(9&UTRPTTFh5p_hK1cnN`fkMi-_-Y6Kq}1PbH~?gz4M;9H^~%h zaL#So>>C_p#qUJLm)|MVrh2|>)+t&yE<|VQy1atuK%5p?nG;n+8NG+$T5AN^m&%IO zo;*mMS6p>XP57jtuLgCBmTC_~vz+(+B%$@({-H{{ep2k1zCTl|Oh!1j;k40_(ZLff z8H{VX0{Q!$Sz0H$CKqt#jZ{_ z@V_8a<8wG9=>KA-7!+}BWQ10FEOMY<69671QC+PQP8rYwQ+e{yIQRKZGahzMx21~iLfFFK^3!F42TxRR)og>Y!FLqqWdbFbwtRH z-&@ANSM!nn=&wzr)%#8)Ubf0tQ%PwfQ)%+nZibssq5vV;B~c*jxA%{%-~QjSeu3u; z$okFEo7?w5ke-&hjy$}N&ib7KvVMKgS-(Q*<>;(m?HHQ#yuegZKceZV?Z1yVd{DozUMmOu+P-gBIzC$>@dI=_+%XA z*eOGt;qv?sh8t2f?vDQ#!);{6#^-Z>d<}BZG74O9(BGHp#Jo$L9qyI)d_mE|TzJrY z6yk7IJg!YCcboGC=Y5d){nkf-2;?2nch-c-JN=9--SgMf7%#+ zoQlD+4Z#AG{lwh3`(4&Cihgb|M0+vN3haCAqxNd*i_2hV>|#c@uJ8G7_6{I{x#1ZV z4mRMZUzkgq`nK7XVhO%8(RNW>2n6ra-JyKM#`fjd#5hnr9{x%D0!DgtiiTKgqUA+^ z33uDNqvmbEYRx?e;Q96gQkz5EO{nY0bWH}O8v&Y$-oa)&SYubXZ)6@dl}Ud2U$km= z{%5kNF@=OKyy)5^lqO@$Nz`LEK+5JeVH#Z2>Y79*NoK(7V=!ltMri3vjnwFUQSa_@ zTzh{kcwW=H&`96t>&f*Nk&b8_jxwWajY>USkByUgxOnI~ZK61MGeP@dnbkB$52+H< zXN>^Hlhl?8G-Ps0mFl#r9r&(E>!$aS^NpR3kP*tO3qwa_<=*X8r`+*x(fwP&+jw^k zeNWVdEs8E4Jq=!R65za>Z;89RS9g2~IawJR05H_m#L4Z3GkOy~ezsx9uUyNB^Q&uN znd0lSQ$BmU*%ryLTMxf)m(}l|SZV=Lmfq1m=ErrRS0YU444+kzuG|RL!V*cE6rbxq zfk2p@#bv{`{!@f;XJ&lJdk%vGzkTf1?lUTQnq;lqdZc8- zt>GO?={*;{cg0WNqc@F5rY9r`I7e;y^X3O6jpuG5`4Lr~6&~lk1`mC19n-|dY|nSr zpL4)~;ZZcxPv#vD)(bn3N8EYas#x^Vcm_OJeC+V))x~O=uiP_*W84bMDV3ontyR0{ z-ad?ZC%9y!W`7^O4 z@fxsTB{HgW;@se1@=U|lB>7*K}eE4g%mI(o4Ew;?hML-J4-4_Ejo2wF%seLXc4Hs8sPFdPhXbjw! zTI~;8%>$-C*S(BJipR*&o@)Y8swu19@olsobH>1~f2C(8erC5E1iso=6FeB_Fg8ln zC8W8nwEF;#>xu-5XyI(aK z?-G!de|Eu$aMv0;(0-l_;OKaohg)eD3@VRbF6u9pm@*x1ddV*{IFA2C%hK?F@Yx+9 zV=hUds(z^DBzxH18JC%UDza7Y&G1O<>HsGYU;fiFYJ~>-LpX``1N>NyEguWvi$`vL zSH)9N98dYX=CeLY-I+99?;LyIE(NPYef7Vg3iyyV2Q}b%7p`mWq#;~=DvF?@e0*f` zSuo~G8X>a7$pWu2bfLPu6y_3AKNTfZuyS#^b=089BwVlhAHsIHz)WmpBS98*(nm&0 z90zQ`90;E#ZR4rCSNQyZP{ke~e3!PQ{erL}^}N5A&-UqVK|L>TrO&f0BlMgV&&o9q zZdXjh)ZjkzN4I(EI_MtRHJAJbU2+pw0|DW_?e5->mIZD)+io zzA{evdpLgs=(e#*82|ks|5x=~O8l#R>LGD$NW2Mk*2L#D`->L&K5PmAw3vRmAE3@VbHnCW}0Kj9KC zHdI6YhwfFdJFXKD`v0O6zC?g0Ttc!L`UsQ;=XDm_=R)BfgT5k#$hz&>KHsRdZE`xUHVOT^#VNa=E@H`v_C^%5!C!@i(RSFosifAj2= z``&VvuC1PQHJVorJnZI3HaS*ZJq-j0Kz(WiAA3A!!YRcwlf?(o<2g;xG}(Z91ZWUp1A^0<}~d&r}&u)LqNKdBOo?#o8N8}tC$XEiH`RLP-=x`rTYyIh?^&{ zjnLXd$8&1f!me8CG;JqfT1)E7>62m6+VGeGTh&OXfnWp{jDu79_k^4nU3?Qz{r0r~ z=eG3gY&MF2jPC!jGqbf6xZ;E4(B3w)g1aI6#3RySF^cCL4xd7ZEO4nsoI*nsBkWUn zHN`Fmw$wj*WghP3T-ux5`a{DskD@Z zkNG!!7Kc)W($7_rVQWi&SXZR}Ze3xTlEb-41Y*3c{zR1-bhyUDRZFY%?o{01+Cy!T z6pHe8j>)+DV`>!0#B$*Iq^9r@g|lJ_JPPId)4Jl*Q9bI^UD0e( z^1M93Fcr#%CLAy>vYF5pT8?pyAdQlggcRTV2-q;oHIv)fYjH${^`f7K42kYNfXo)^ zZNyrmorw(uY8uVPh7Q;H=yqb?(aS{n*YcrZU{+Z>Gz`3#fFyg=B`&g=8Ui^P>3LgL zz2WU%{qhSvmfy0W19XtZUC+GRYiSsuAw5;x=gY4G3*3G@N;Y|*=Sa93`34z27SF+^ zX-v#~i{^_jLkuaEsR6o=k%P--mnwLP0rClKwAs@P6#ta>&w4ZO3#;TcXqq$*1 zJtnx_F!?ytIl(mfw%V?oyF^Z{t3*GGMhCWoev~*9`rgjM4~Z+5Lq5eYlaWrfI#59f zjqCtTB8BXJhuivm7`r=RI9Jhy#PxGQPjRx9m%xocn(UJ?)m0zXlfLCMl56;snu)Yd zd&+?^EGJaH6iC)(PkYRF4>7-fTd#nxJDQw+RtmLu1C(w7ay0I|=bN92nopze=t3Xr zL!_naC*_g4h3ualw9f5T>Ak2EH&k_$97pHzG|RVZy8T)97Tir1Jbllllu4(lqpKYx zegrk%y+**8>ZpR7~d9sLL3k@K6tKlk)p zHpkApp*ig6)qfi5#DFZth?^$m-@3;}8owSfpv8WkM2y);zk825717RQLW9UWSB^M8 z&miSLR%x+_g5H5WIPVGd*KI|}6<0+?%AqoJhEs(@EOTj`q@A1r(n#rict-h3uN|K3 zIrk2bVtDeXz_m=&MDjX=4Dq<-#S@^k2YG=Qz)UV)nFKM zqXlvxR}>>+2crWW&ePhk$1x7XV*8O9c&d{VC>=%frdk!+|Kgat+1OPFwJc!Dj(4GS zAVOj_HF^Cc#$Vj4_09b63z$I) z`D6vDqlWVEqfKzd=NgNeZC%X7p+#%8&Gn%jHWUl2vzOG^`I@#?fQewB zQ6_s?`Pl+F^ipIiHUkGGqxE{_#w?Eid*>B#xldwuYAXzDC3PUh^wBry@AkdIm|C7imke_Z<{oy*D zr>f)QQ$7DP`g!L_D?;TsyH_A@@@I?K5252NuF7efA(@Xv2B`aZivgAEw)GD$W!VY| zSEu&xbtrwW-KgyzvIs<^cc@P)Fc;Fk(>StSzF(3hUlnMAQtR-YGgJbu87}tYwh1=3 zwcjeEDL(0&eZUDxNg3K9avmVOM~z}S zEl8rcR`d7%YaS5nBDY59o^(l5(6a4!9ZnypaZd-nI)ERh!-}niKomw73;56o?4^chFxQA1#7D zhg2*S4i8KAuNlac5q{n5HYum@txl97&BiSm89Gb;0y8 z5HJh|rgaml&lCX<0p9c>B6dinvYv6aJ2WL{NWJXq@^+Bsia=j#8$IbscmlN6t6qLsk9S(Fv{{xG-gG*< zo8~e(dd+bxDrqY*ICf-RD&k?%`+F$yY}5xbdR#|BraV1qu5P92;aq1AJ)w&}IXiZQ zyJjEceo{S;xgkvUxOXC^(1O{Z9>`Nz^?W#GmpSdR`4m$Et5*|Mr?ONskH*)&UfAIr zO`{}ckGSxD7|o-k#(0!E6cxtKKKxqW>rBrtWET~Yz$~G1b4euY?6y&Io6hNUW^ICV z^1Cikh=Qt*cl(~|L*U}1O5Jvf56VBeOL(nFyn*1vbM1_}&*}5u;<^~XXxW~Sbo77B z=YO>{xmfA{1P>i=_Y53IgyGdP9jixto8|nPFFDZOE+@)*tU0GC!?*b8Nk}tNa6}nz z_w!01*F)Kh*8Cx+4=yd<84 z`IpBxs!#J%M$^T+l-UcOijj|`CdgA;FIe?c6w@Dv5`BN}F)TYaG0d3w?l~9rVTw+R zV3AV3r<%pYz}qR>4{L)rc-%=-p?I5CHQ;+ODs(hCakim)HkIup?2@uvJ*sUbw*F!C zV(TJBZ~4opX@8~5MR`$zGlzK9!^sDU+2wFO*4CYDi}@eBk>T>b_|kN*6$Cr6ExeXk zW=~rRzD#x%lyr4H)=YtTI(1BqmHmru5$yEzZBEU$6YD>ILM=QM zuDay<-E>*y>3o=Ch!vJ*EB2 zLX^ecjzn2&I9HnjLTuojJwg<{uhU4uY}{B^=wx^NHZvE~4PDWEW2S=H44e4W1Sz_Y#WAL zXGO|Od}*(^JR`g|Td%6cj;5Mj)<-e}?0_?%4Ap%ZdkDUz;)+ny+=@qGNPi)g;#kZR? zoVmeR4{S-+f!Nc`uz90qVXJYjsCj%i-^Nb3)0xFvLEjBH+~ixgro##e8DxZ^FMcg# zvsN2_j)fV;g0xf@ZBd{ge7j;= zM1n)Pc+hM{wXUs6_5D@DxCK=^6WMFP&|D5FypSR4!-7@CMA5C`H1{#aKy1B5ssk?G z2Zx>%zo0%F@y_4I_LGVPtwcYNh`*09v+aAnTDYO^TyD|d&3Px_bKv85qdvyP@hua0 z4H39wKbK-CAL%qJQZQv9)c9ZQ^>$3^Lk+9VjgS4Rz+?@RlK5ZaAt}((lOHYr#Ls|*@f2FEMROZ z$~=-u-@a0oueVTCVdx9iE3c}2Fa$LR{pkgO1VvdX@~es-pU-ptkfE+IdrMquL&|UX z4OlBy)~DMH7?v;_RFfr#GrQs5a~;Va_s!j0Qhg4zZ?Y5(P&l3FJ8O^~oq!E1yOFC) z=+WaHqUbun^nJqf+m^tlo5786kQRl9lB;lW?1{Z^?;(ZN=)k)n^{UL)j$qLHFPCTA z6mxW^iwyZw9{c*Up9V_^K`vcJg;bqO;kOu=d3sT{0~TL)w~KhUD+LYzSeUY)2<0!u z^hQ|Z7(ssY&mDmIRnc70muJ8)f4=tLKh&5pyJA3EFbq1(#@+hfox3T7KbSl*9TShA z&5692e8nM2>2#uSOZ)kGvAcd%OQ^}+$M6|E^V@ZMrCCeCo#eWe8lO9rPWZ+QLcl*Y z4z=czi4F!p^|lR=)YlCbuLDt?u0ED57|c873Ykl&Oaq^m0N%G6r6@yysA z6vjgLN%I+h!TYf6^B%r7yvM=bpTW0wLuGuVjY@**mb#vDiix>)DY5mcSB$P$ENEJL zZs6~kw?{5V5VWQhj=-$AfRGk?guK~18vhrepyTFoTK$H}TQ~5l4JW=A+#_Ijq>mXD z*NnKInq7+V?JK5s%GkWfg;a$ z$*V+1PQbPYKAUHvKYbbm9zY#pRtF{V+E@IX>|Z<+qXBdYg-&NU&2bHzqO)6F;hqcL zDpO5ZeirK|FS!+KNe{3<0t*!81^MY#5FO=YLtgGQ?(bgX+3#xOC zt!ni{P9*6l2nCt@KGC@>%6RF)wG`Ch!Rl(eMYYcbL+)#z2L zWVgVeYyBd2d0?;Z#PM1;ua~Xq{d)N%zZIE$Ib$m2Ql9#}rm2F$(~z3Yw#%(mxl|Xq zRQp(~v0|G}zZb&?o8F~fv#SX|27BSoFt_{M-}#t9Sq0!tpCO-Rb-Q}NS_@7gAl8!X zJ*e%7ci}Q+r?-ObCtSdJwlFLxKXHosIm6WS^P(_HD$woW_9(D4J?cfx3+1+arwi_l z)tfUN#8f#gRcGLea^&1P&W~O9qE&#UFTLrgAjc|Lo~@y%(+s3DgJh?YIDN>~V~+0wL}a>)?I~H6 zVe{%=HO`vh#T#1fq|}P0kUP7dzzv78$cuM|Rjac>gQXnCP^tj#baI(e44;Qa*9z}( zIQ;3!@sr%tMt;W3?zWil9KlmO&O&YR&p6Kh*}+eIMiTDwdM26>D!F9HX*DbDW|}J! zo^i`opzr8;VMGnHgH86}A* z^@%vK{VY=IGRWe41o4FD>sPoI9ix^F^}$MhW>@lQn2qn>V}Hl_M)n9bHm%pL+K1hr z$$;&*KpILsw@{Vf+*2v*)^_k=t5kf9VYL1*ApcdwZ$!tP5VSnx(@|KZSUI%{3L+3FhZY!o}sG= z(!J#DHW;?wTNZlm(R{=H)Z3n3l8#HUGEf2OCybx&)|pp&&1|L3J_PXe8a8kzkIhA` z2;BolfhmtSld$~WCc(n&&zOyntM{aZO*wg;YDem<1`gs0lbrsWiW~=)( zDP&l0cFj#{WGAbwY*%yfXU$Zg4*)BS{gzHV@rwadAL!VQ$clgatpv|Cn+dn)z$Xc7 zXx^o7;M&Nf4}r!TfKz3T$idf7L65hDK68hNm4(Ai`@$`f!7wMD5ZYoOY6I00QN^X)W);-2? z`Yxn*8Y8o(^8y3hBrOI{%#&}4_guZydMEtk|6}egyYEs1jb6a0j^a&O|zIBw4>5aKkFimTGs_{k>u;wcT z97*CDNh2wP!hwHyT_*}QY17g(X7!@=dMXBGkT2idn(_dCxnWpsmVV z!{tYzC65n)a3V$FX?nHMtfOk3e@8`GRGxC?iOH7)cH}pmNt!rC^3A!FyONkt= zuZsRAxx3d(s%a8I`vA_@Q1gi9+sWRT0koF5P`ri!48i9V-A2r%rIBh%rDQy%!50Q% zL&n3=muB&TWEMHH$0i52qCymB0q$6w%J%eADRf6SEk2A%IXm&Vm+qXDEXo!BI^7K; zSz+73KOUA$+DkNk#ClY+E4B$8P7V2RFqSGQSkZsE*_{G#=t&+abo zQdJv&MqIAc$~>OD%J9Uob0`Iu>|D*df}^;Lwufi7sx4W+aaZpE3BlYKlgSxgF`<9cS}f%M6@$&Y2T4f?RAUckqh?N zS=^Nln|teV)o3)pz_FcR=gxuYns26(2ltM-xL zbe5`1uZ;JQNPG%r@JE{jtz{NJ0JptLEp5~Et^W|VHPGg;%n9=s4dohQ+*snYNnw)mi?u=u!>iFF!-?iXhMKz zzm6C8C&}!^fS%K3T-VWq4bLA_Ch0RVu9-Mwf)J_v2#KTC>=*v7+aaqn*QdvoTRI_1>G<+$FRR^u1goklRw_u6gZn?CIo?aJ-%OEnNR=F`?P$ zQn1OFYU0#M&dJAzl2^aNBJ;&fvhH2#z9O_RHySJBAfSF^m_ByAMuBhk$g)}qXKW%p z*3oHdUp6wxfF_fDtZYhXyKrpQNpr^K+muBWJw<)+v#8daQq|s|peM?sM*WV1g_EgE zHhW0!S!&CG&I7=OdM`pJ_IpLSRuqXC8DvR#!e`az()8yr(zacTo`$!sRdap3jA-5bX)>7U^R*0Q+Upkcx2hvGrk9>GM5T*ENGwGwO z=@;TcoVP`-#?NnXnoFM!sBKShroDKkVt5D2AR6+Sg3E!-LP5X&>v@399L}*)slyp9 zZiU3zY*LhR1%A>-t1xHvQwe^i3=6(FhR;i$&a*oXb@$d+_NRLndk)K^8cJ0kE32t8 zpMTqaJmVv73rwB=lW!BsM$c zD7gemL?OKuH^-Db zxK3TwqY}e|q?|sqwrC1mJS4McD&T5B_kd|m7}w$$!JA}m%bJ8EGW==rpH7&@+wBIr z($c7kD1tD*nCm|Tuc8m%Jt=;r*OqsXO8)Iwcb*w^;~@`sq`;SK7yrIeu4t^ca;B=t zn$6%4VhOUfJ1@L5sJ++j+%}LG)1v5tlxX#s6$Qz{=5;>lY9t0Su8}S$@a?@3sYiEI zhJLHriw4^*VhXq#Kd_H-H;f$P{#;O29%3ynCj(WqATIr@e>7ffUmmowz_AN;ax3#o z&OT^A7|gBUC(9t`rUG~a|K%0+q43{=(tyoVpvcb1f5 zW^5ZTw}r>Q>x-IwwA;D+niRKpeI&n@NVp(DSG}fs|7!@|+nroS&NB*WbG%3TsTCVb zbvK1ndPB=^40FYJ9cgl_Itp19E`Nu%QEC=+l6R+Uj2YzAa8cyqqTkIpt_P}-_1t@W z3-tE2{Cs6cIzy+iALHGnb+-b0CD$=E{kc=u{S`!dyDH(*z)d>aB@Nvl9@2Og>#Op0 zcHr>a={=KG&eqrRq3R{i!z=gqX+WYWzgl z(W#7q0+KwVlwoONm92m&iQYZ_N=~pHU`j$basG{sO5j@u1jBn8rFc5X)yT+^@~FKv znol5cIJ<>}8D?)G)ekE~^H6yvDJb=j2REZ4T1`UV5QAjLX%?-14s0-=8)1hUlO~jS zlsqY2#HTqxQ~o^YE~=?`>fy5)q{MI#svv2V$a=!v*p9IO5TWlH%LqLP?W1|3Dpxd1 zg7dT&f$h=)3>6Z+wGl%UTYcuoesR6{Pw%( zjtd7C5Sie6pDl81JjPc($uwt}vSgTYiy@>F)%)yHFm5Ng%$#e?1Nd85S+J;c-L(5Q zmaKWB>1mdLu$}%XX;8^gD5JwcH;nj65ynopt@){2`ww>F*hw+_U=fNRf(+#h;!;0N zsUwL&Y`x2VkP1{#8UhtO_**@M-lQ$eGnUan-tI2X0~2`?T)L60nk7XmGU~w}M%3vC zioBz5V$eJfEW?G4TUs?N5AcQWoodXb7YN42!~;PEeB*;ebt)2oxsK;Fas(g{8CqO7 z1FzI`r(f@(Tf4JqyH)Xv&+TdLx7p2W<%q$eDxzgV|J8F|H<;gjulvqh(x0YE{|PXm z!Djg5xut`~r*lucs(v>#UHd{Xq>-CEb4EQlHOevxmy(4M9ihi0^~1U#p+vdQT?d(a z+rEYF^W>nGN);7j3K=3_I!!2;gT8qkrPhukpFl< zFU5g$&Pz|H^PflYzgu?0w@?4oi>&Q^nV%}hSHxFBy={siUnQXT7YjM)Es-mJHOwfh zP)ZT4YG({d#4P&}$ree5n@Aj>@-wNAxsUeNNpT)%ShZ-KRs>_EDTBKAoVd{?7H!CCuzIOlxB z+Y;e8W-tcywor|)VP>QMGoz`K08d_{-rPn)_VGd-d|JA1^1|Z)f3HMc3W1?yq&pSVXu-o~w0qyGsl1$<+g6fD zfuqxoZ?Y92R~g$k2W(ExX+XR?x_9uIk|??flnDIpu06} zGqO(lUw``RKY)N$#*gL1Dn7Y2AMe#@;_*ejZU@l-LqNVSh%kRl2R7MYkSOgKl9O5@-Te*t1*#t*0H_H~Pva64OdKh$Ioj?1fmG@n$~oAlp)P z_@vztR3fTZV8P#Aqgu0{5E*@KMIeM=RuP^C+)UAf?%#GD{iLaAq9LLhG)bw5#F9+TEG3CF*^MUcAw z+UrwziF&^%_^8w@yttq8Cs8;E|6V`{8R&LP;Uky3SjCSdZ{#=qT`tea0){9J6k;{HG040CtkKAR~F_VkIsG61U#C=s%;XUmWc1RoTF*A*KYcPq>)Dgy4j<@+oItH zR_5ns0gf_>6seDb2jvgEpStr(xqYoir8w1_c7z$mugLaH^93B(w)dDH2nRD@n~ccw z*SDizU2f{;sh2Nb+FDrox1R8VlH43#I8n*xh{6IyQ zBYM^!f0`XvpF+i-T@(_&=m=I>VL9!>bCCkG2eVslx<~wuu0CQ>2~EHCx%r#_58)@g)-UTr zM&iWz`BLI1wPLl;Wmx{dT?~B)^9Q5@r5R?m@SHgyhbT^s%~&}k1+(5&q;g)+)tLFZQ_>r z;{J{YlY%wBvJ8LFv*H=cyc}*ZQMTjeo~SX?X#@M#scMQc(&~ZHYw4+r=7?1bYPAb2lDAJP7u*H~~Khayi%7 z^pozLpe{T^NARp+e~MVk3KG`S+{(rX9F0Vh=W)aBK+4`nXsQ3teEip^AS4n7RItIvO0=t(}&=_YC9?uRj!#Nl|wp%+_Hgyc`}W+RVc=*8lI zP4T1edqe!9bO1Iarf4%(abuP(_=vq8^}aqM&6g_ZK5-j!?>8LW&^W^uTB$GC_ae-A z=o(`sU$(DBj{{{@5A0-!Ol=l75wYz^4r z{Zp)ce~kYIgtd#?II#z8M0u#onT(tE`Pru-O9)970h-=vH`y3FBb~#|ip=;v$5A)1 zEq+u8K;j+T*wSJQmSj-TigtUi^bYJ;Z#En}_8@J?Z^(Nhu&0PhqbbN9PSh&hYw_P{ z({ghg3288V6@3G5Hv)dD=y8^_yA3ZiknqPNUK-xazZMjObFl#VP%RG z-=}%Mscurx5hS)j+XHb}R^%toG=2y>mbtgGX66_9^qzdhBMv-=WpiE$IB53$N^g?f zh19gy`@gN0{@3^azr4b(9}QdM9HYnL^~QJyPq}%qCLMCdFfr@})q9*LD%$1|V!nJ4 zLdG8;l5A<&6sv?fsO%Pw+T%P!9%9N<(+*k|#t{ztxDQQ%LbR2Sx3F|Zn#CPX1r#55 z@JkSH45=m9XN+lWBo9;b;_~EwXF`Dre!kSD3{9mK-~2ach>a8c$5_4MEQ~(h^$hpD z@Es2DFV{+tqxq17R!;MjAR0SQFIs>S=07^gmRpMps_U(YFFbysWNqh#G0ndyX~?s6 zx>1am`BDJeFtd}-70e0@r3lQer*wva7 z#Uiz#z?H;>+yPvQ?7n`bCVM&kz)il6f3z)bh~`0Tdn@1$@x4QuW4`Mq7~phD(DPyG z>tBP++iK935s3Ap7B>F9C{alCJ1pl2F~@<Kbd{R6wD2s(D}{W%WCRvf~NtJJqPhQQ<<0m;*y1*dS9tpoxDp-y;@N&iX2I#MaFMn>159`oA zUN`I!m%M+Xs-2zNhZ%1&Ooa$fV&bl1(9V6$isy&Ivd(`vW!7$}`bzFUqGxlTH6}`)@5#D5(z6K*O z?f++rGX(k@+@I_>>)HRgCN~UWxuzh6bor{L?R!$^MMRrK$UqAZn*6d9ALj%KvPa(8 zxL#2&&p2fS>|&QL$XEK54Mh=Tjr7Cj@_`t@%z#xiDA$j z#OUumc40A#JSFK;1(K>4m1y<)HL?-jMp5Y+UxlAk_kK!{U+<_79a>Q@AMI?Tb;AmY z6lkUek;VwHfGYMjwd}l5#;^$VeQK$!>hY-CWJ&yyZ8VIhmT*jKW+rE@F;J~YoLZ_J zd2tnNFw4omVetGO?DI@j(m#y?Bys@M6Tk)#AGUhl2;864`d%}h=!pay)KYqCa5_(6 zb(UrM#pw2KJ04<0bMf8UklAR#1l-{2iA^NuH=*(OIAb+!cHihUQIz=Jf;j+lC!weR zAxS;gn zWY5-NLJrvQh4cQ?f2kZvkFj z=^iH*V^=v?@V7lCdH~v*;4%}3@P1|Bv9;n#ejGn#^_J_|G&que$Lng#x$0F5(G0C6 z{FTiBeWmj->3MVl!zZ4iUa$!j?9H2tu-wT!G6m#WNdlui54`oN%=q(7pYEf`XKJ+* zw11KVvEb{z7aGpz_jj@UC#D%k_D3GWo_CqcIlXB>@c9eAl^2c6E0jZ%V^)(7VABd` zWCciTj+?^x)0`^>J*xGZ0gino%y9enQvIrun7*bJO(o*97hgMRS zYq5%mrNsna#?!8VhZ$V?E`u62UVQpn?wOSAcD_=eySd(*OyR}6pPFp?SiEk#P@Jm9C zKErKNH=D*i;$w^&f8Z|Z)jC|SBZ6+};9F)kEQ0POq`+sK&}sb!6{ zMu~s=(Ab*3r3#RLxv3um^EDgO=tK*kKMsMi<<0x&yyc=ElhfmKF$bF@qt+t7%lsMG&UsO;m z_4V84H|2x>AKo_IzkszYMUXuXC#d;V=#Bok>os^?fef>1PI4qWO0A;pp*SL;0`;P5 zr6!R@)#_d}R)b9mue~-&m-~b?Afq%UJWw=n%?{=>jKFCVO^^$=B?h{F9`#D3qi^^v zyNl{eA{mS#s&9m0Qv&JWH2}8W0(c>IJcm^84y`XQk;##t-l$lGm!NQNWw{)jWOu|% zA4P1Lt*XfK0iF#~r-$B2tP}3dH(yD016_>y`6JC#G^a>&^187KBk4#XrnDtctDvkh z+4j)9FIlLUvE_FVhs7VSoB!&VPt&&Eai&q&Vr|EuXl3Q%FoEvy@V)b~Cu{T3@rmv8?n-j(4dB*{zfphC@D!vBo5+&nrbFar;eS$tUi8_0 zu-g)^pt|uY?=UnEto}-UdK}-|>>Tu_(pi4O$z=AgQa%ij!-5{z$n&NB^J{y7cijx~ zHegqOQ$*p-t=wV7hH-JUWl~iUG*DO`*!fMhDrvAh>gvz;C1!L{T_an;ckn2WB(}M8 zI$$Z)kJPgJ#RKgfYbIuntk!z609^{@pQRFrQ$0G#_i8V%mPWTguYnMOHM0)dX32iW z*nmr>aTKX=uFCCC)}Nc-#t?~3JahsoS<`z{`O>E*uyjmZ*!W%$2wd2<7fS;5M|ig} zyhqtsS|JdKzn2Nq_QFIjH~RX4}^r7DBbmZ}AXC>>AejopW} z*fhaIJwwkxyw(ZML=4-~S7^(srn8Nj+x>j5#^ZC)tF4;j?Ts9F?8#a8O_V-#L$8XL z48-V_84P+$D@~c1F6bU!)N{<=@c*Crf*rEPeR{8_x&>>M6B0@ zCtb2P2f94atz0(coHg)b)GeE^!m5t|Z?4M=IKvB$85h+U z&1I-0X4|^6oLcBSY1Q15^XhnOF*C$7jYCb3RdGI>OYr_oYdQx4;5m3|X5ANw^e%25 z>Q#I=qs+oTJ#I~zSG|^uUG4P7CranZN#8$>fLUC?3M;J2~4Ic(gr$K z^@!|C-Pa6<=Bo?GOG_a!EhF8HDi<>&dbyDATw_AzzXUHk2oyM--5QCc;tw&a;&jMH zVC@FSX(CTy-D}a``_7EVJ;=seKSbv21vP7Jw!$Bs^xI#E+izQ>w$!2kO1!q>13Yeg z4-p2Y)}Gg16PSbT&n5g=U~9j5c`iGvH8h&-3=-IG*kU-|*4YW5c^3m*;RQ9(gJ5N~9q*57$Rt80PPkHWYbKcOG6; z&DCmO>XmOD>6|-@Tov%@j!W#USwJDqUu^4>be!uQrvYVMorKt3=jQ74=GCw{*NH?^ z&6d?K&OUZ?e%a@Tv z(gj@!jw|RVs)WnteEmDQ1PQlwl&lyXx`L6(_9!{NwUI;~usAxOcuVn6Frm?^j(dDK zM)9llcw1Rab-NghuMrZ;j^73_;TS_{@ zDvrM&Db7MK6)`?8_%ycay+%1ls#Qe}CbTf<1?)ccS8&^a^ji~U<`G=|JvVUOjG zdmIWE6J_Qkhu3ft?+e_Y5<7R-8}1zzP8pY}OyA8-dxH(QOM74% zZuS6|qR;DzJ3ze_Si2IsAs6LQRONr~q<5Xd1Zm&A7>3$xL@Y zJc@DP-(DjYLxCsO=N&v@((DH*x~|C1T1mUI;HCXWkvRvc2Z$Pfy@K&o?|Qui2I@BM z;|+c_z4SECma=ea+O1MQiAJ5=6#u4ic)0*jQzx5B!>n|UNMmdjK)AJxQc9~ASDsPT zyGaczD``IS$@ecZ>egWn%1Mvg01@*jInAr9HckC`r$bK1=S+Kgz+z1D$|<4AQ9YNo z)4QBwKpH#V-mF|js9d-^!#tgxkLQHsjbx#16_yo3Px9}85`)bE&3a-JgZEj zjF`pu=v_XwF5W$wpC~j>kntXpopci|j8%I<%|Xw(x7Vypg>V{tt2e!x?h$RI zIVtf72=b`2;W`JwTm2?zObow2@~y?rH@qEa=ZwU>bk*3UdktLE;Iq8P^6A(#(WPJl z->Rcn$3W9_SV*{*9HC9Vj$0Sf9+0e!IKopE&n5*YRR=G2?{Bk&VUY)2Q1_y zH1@T%fY-#wi}G+y)=G;&f%nI=Ulhp% z13ttI&Mq#iE8>U*q-uKF1@>LBqXlLN3dhL!J2#Wx<}(YW6Z1KrumEW=tvJ*lOjy3x`|$imL~B*3DN$q zEbP}3@5Ej*fv{KXO(zR%L7%Bvx z!rsH{LfdFfelNrHNvI9vh0*N7mTP-z#G`u(igJ%N2>}^(dv{4FqphgzY@JaG#`s!4 z?E?}WPS-dJ04rE``YEtQ#;8h;ZdJDk-!)W5=VI#(uR2x5gO^v(FZvyd>MrAT;_S=CC-dRM zJxubc_R|(kHYdY!Pfnk6rMNurr z4|6X8XS#uhv<&FHl}S_q>lr#TaY!~CjYZ(XN}<9tc+*(dAd zRH{z)pnF~)$N2+E4Vm&PdZ2-b(4T7DMsvT zoZ1&aSt0ogx)vQ&4Y&krGzZ5ppA%L~FHUgwhtZtO@e#{XU@rt9x#W|C%~Mib;Pa{; z;Yu);Im4f;+iMh&w>TxQ1+z`&SANG1)UM>IUnMs*BTw%B0yM1jlLz2PwXODuyVPk| z={)#hpZmA?3Dfx@s70w#0K2$ROK>Uw^G{{_Fu(3bM17|eS_u7zi0E4;WZ^^ z9E%H%<@AIpwr*RgAUzAH>>d@1}{x}{Ad}Yo^VgUJGa*LQxU!;9B^qkmtqx2 zxDK^lqgDX5zJIk7EW56{-%k{fbJAq-y^ol$1|@Yq)A7SSSJ;*j-%7w$mF@A+z4bYs zs0KwC?N*xGK~mHydRA{{`+PJ0%_|LTra7M<0rErXC9@bKu1Z02HMdZ?q0S#?(@=jcXS)Vw)&-o3N|{-8KK)sVF`g; zJB`5h9KIB-&YcE8&^rrkiG!VwQGE$?toIut1=;!ILT1kNTJ=SV;(;S~indW4YA74> z;=Jvu=-<2<^k*)SiIe+@@2$QaJrzjwkAOM;HC`SCcDh)adOSDJ6%vk{u9U(ZeW69| zqbgo>3qT1@3|YZ$eQ#qjVAk{U(VCS9-AFA2jR_v?`B7=xO(VYk9^mRXG0tZ=_*i*| zq~60cJ7tYhQR=j~<>p|Dof9v{VvTZ&>wu?WDYUtDPHt^_fM261`tadbk2dT2y{C9w0Nfrqe=f9v~h#}fs=vPk$T85o&spv zVNOc7N?-3YFX=O;&*k7MJtn;p5LV%#fHe++PkJWGl1?JU!)bgB#R5XRBHUY3eM}X$ zoo7$dYrE5523*bt?LgpyX`)7-8~dFi$TcU3?>_DwtlV3ohGc)11Z0CgYjK6<^rZvb z`S6rI&$u~2Ub|$o?pY>*8s~t^kQ{HD~H8x2+3R90QsXM^}%sd>&yD2XE&pc3*eSS8#mWGN+ zF9s}3?b6%!dYVsWgSKyJCUgg?F&elX#eEcK%spT>`>`6BZ)0C1dG*1i zXmhIzvCQs<#~TVtL`ty01=7!k8ypr-P9x9t99}TZ%Z~a_bDaWO!fgyOb%67&uPXI| z3Zi`+1$*@?=Yt<9RK@GZVjy92hhcsom#xD3&q(3JJ&CMx9;7S_B6OLM-Oqnw>)OW&`S3#}oe2 zyU2{lUk5K>5C#9|;QbE51~w_ej;(WSStgs_Ca->}e%>3c#m{iZX*a#Ktoi9QADGY$ z)&10|wLRXIjKCNRF_8ZmgVM@uk%mWChzbkipLPY2rss%;N4xaXyyA@*%oiScVMVaf ztzb>Q+!7>U+09wIiSST6c~N*=5cgmEP%q`TN22{b53F!7iyen`i)Za)7E4;K<7n#y>&rn+qlZ$g?U@m zr}3qBSerUkxx4_t_CkWd?K}HB^)qLOV-8Vi4d}0B5>j`!6Sx}hL}y_v^hPvEorQ6d z+oXNUJGyic!FY(zAy&A1sBJQwN6(0Ah^dUn=r7+$0`FDUbh3#;nmvlOU-Wmu!w3Qm z5+YZ&lxj+f3slVa(#8Aw%u=nA5YU0MG9GsCfP0_>q+8-VE2}1$3$4lttypdv9Eta{ zX%qp_Gu<8&-6`T+|AVO8%w8YYr}3fBjWG8RX?tmxe$-P0-Vh^Wd4?GGZCbCO##xsOwgNc14qel8LD?d~=|+TRJ`PrH7iy;G zmn`e7I61Yy#W4m)PYlHsnf>5o#7_Od|DwqGXBNKqX&oy{9Q^~lB_R@-zLU6${R6fm zqkOQq{t@yaVooUKq4Q=_N6-MvH!f9=*9@kQQOsuSApOzv*Hsz-~mihfSi6_2Ec!bva`IDG1?q621>{c0)d) zT3LGIkF><-tDg6B_c%XFcb2yhO`QFUTA5G;La66bu#)~S4E=9-uBhABAS(P4seR8F z3+tn=?X}K6%>pHPYQ)s0#OakF`g%O%aR-gmwaw1~O1C7(W%qk=2MOIl@aA0#%_Eeh z5v=$rh3X3_OFQY6V3Z(75PBFu$~v30&W%zrtum^tRjBWZ9kk@Da-0UE#_lUOLdYqX zbVDfwEbiRT5E!{h!>Uc~(p%D`NQXxly)s}i?3IWW=$*-#h8BF9XnwnLX(-57%om1= zhB=;EZmTyvJy+ueU{;uAhk?N3c#?BgINN1ZhPhtD2|h_88{GtfH$won8E^y2qR!5D zpwq|Ta7RWDOp^QY1q|m_2fbtBlsinX`2-0F(BtZDZY}cgZ!L{}Z_13eNfN_)XvNV1 zD*=Z)&}%yq@=S2fEk87{;wF1(A01@RzTh_EH8x8dOuT2|G9DWI^W?V(1BrZIBFN<` z`xqcfEX(fUqD_V`!r*xkMF-2D1cR-DgEd*+$$Xf9Q}W@mdt5ev;uiz$S+M)4K?{Bt zx6YB6q3zhW4uufyB}T}UPSI>lh`xUnhoXp+d8)yu;Y9!_VX7g3khvvEAuVnRGROea#9=3x0Pg2{!N z7sW<}gZ&b~Si#hg-Rs544S4Ff8Hs;KGq57`qwB$wzEZsxy$-3;TFvjtZh0~wq#vgP z@_QaZN^MgrPbZ!%FUYn;W|vZ?zoG%{Zw+l%_PCg`M)-Ne!urr(umM}kQ>1)uK*@c3 z7=$p4{y@6(aH1LF!n^s2KlSU~jy}KybtH&>Od#PK!$?n8R@?$GV>L@AKy~^n{V0{L z1L@qmvofrc^1J%c*}C-1Ok}OF{hqnh>=?|XqxOg|EI3ubP6u&tH$~H22)DVf&d>;!MF_Dct^OGx~wVwR}*vhdcC%kySF{)|j7Bq`r!Sn-%Vz4eWLjiYAC~_>Egf}OCMpgST$QN%(oUsjDy@?3CoJoCdD1_vQ~DujkHWhG=EG9`g_aW{G5BtynukQ# z^Q5)dFwFh(Z6^E$zMEs29LHX?;(b-sz{mAy6I6T@pG}Yh$Vm8`s7;uL9D^|Z4W6SGi}}i!JNWXG}UgrzGVh#;Ko|8foG}+NgYzp z7#a?VAgh@PVU8hV~8%|zK!(|xCFu#r4MsGSKIf7!xdzwb}~Gh z_g8D7TXAFNq&>kMLccNaP}Rh+{cF>Oo6%81^~kchx7St_MZay*?O47Vw`sm!-It1* z%Q{oKyo0K|{9wf<@gVm*Lx}+ymmV;d|3b=RF5CAaBN}I>W}}dz{Y)TZPUiTelM`SU zFAlr5LLr0!A3Zk?t5(^%d-%5lJf(M-Qt@3q@)xIp9cWICmzaD@$4_)s!!{B%`PPZB z3eaC(05)}x{38gw1M14U(W$+w^kh3T?SDm^`fY$)(kNWDuKk}{@_$$F%KV{HZO0_v zWBAp)O1nB`HOJHoi0XD;d=)=L$r@z`!m8EQ0Lix1Kv&>6zGbUPKMmwg327mhMvB44 z`r`Q7o7z!zoV~jp8{NPpf+eh1J>Nqs2DYhXV%z#Ok%!vh_cxPB{w%FO#*<%S!9#8b zv}O4Y3TP}GJO-J^kWL=#R&X8uQiy2;{Sue*RdKp3ep$!yanR`YKsQp!ZHc-BCW;M? zq#Mh0i#2dZ!vW=Puv`0*eDO#S4Rkrz94>Sw3ij&W2x^LSWdil5Nx9#D9&_*qKsEMXQ!)6T;ia6YiVPCZ5 zE(>{h3tx$}nFM(ep*c&qJ_I-H4+3>s_^VubDhIbzw0K1Jyy*4=X^|Zw6QzgKUuqm& zAUR@}oAXqW4S&o!YGUk1Y?#~fm!Vp#&FnsyHuE$!&~%vg7BMDXbQGxyfM z!`T4~*D9ih38Cq)Po5zwkN{%pbduU6&6e(Ul2p5t0;hZq3Ri9I@zMw8z7?4euha3p z!xcW%o^DIq4EKpB#67deUOhFhZh=Yjt{u8_PHeKoK!4Ua6vi zX^fi@z@ukeVPVc?2T`H>xp$o9OP|pFRkghl1JsmS%M1wXe{(|l4<($B_qFRum?~%~ zHqZ{x*b?cJW4PTS{;(LLLGG(uTMT_nEmqi#xFIoWmMhxbM9Ttoo4DWTqCOs-t~H)v z9uB$eUR7r+wOU3?t zE3t)Hg396dI87T4$V8Y3zxT#1Pu_7>>}Q5Ua>*^}6{3~t9AY84m{#(&?jn~w1=po) zt-Ke9!#rS;SEqYpX(QQkyG_LI?PykElaZWz`jq~nc7zdKNWDNJsl8P!h`InUDOoBH z!WeDB;B#Ak*!VO2Tbrtf`3ur#2e(Dq4FnST<~+ge5yxW*@N!hB&9R>Ir;YRcXUbXny^6CK9ojXM!>bVC@2+SBsKg=oK(UU$Z}%%9t}DPYy9g(HicG zUVdGi_9Ky8a+>wz>>zk;7JZIKY}axVhM#-OzQ&N3#XdFwL}LI;QlWai-KGGNtT~N_ z&rIZU=mZySkEqA7ge{2|zR(OKXQI1ed;fUNxsPxAG*|!Ax76L-)$|C1J1m4#3{bb~ zP|=1Q(W!TKy^cfF{=cG;L_CL+YmaknUui1*;%_D!v+`SQHtozXimbe9I!A=T@1IF` z=_5C*sXD3w5{CSj8T0YlC$MKjEa$duZAqj1*`WE%U|R352P}eZ!h6-chwq`wo*(k? zy(Z=?w&XS@{2xUhKL^xwYS2k%_y_KvH2hF)SYTXIwcD1#f> zq+=OxKEZ2LG8H)_#cC@wriaIPEQ*d7_tOf8FFfHQma-gQQ0$5Sf5saqg!^CKKtMyl z2K_Me-S%m%p0mx8#^G4Oa}G!{YWpzvLgn(5x+;I^f5{Hu(=_E2(f z2L(}pY9TGOLgIjy^0R}SYGQCv`;vcJt!*QxF6*;X1mr0XKQ`0pcHQZN<8eP#|KV}B z!+P#T?pc26iy=GIa8nR{@Q+1#7D((DA%}R0V^rjJ6ze6$K`*lsW_N~WY`r{wyHzb2 z&r=!XKRr-p3;Vdmb7qM-{G7s_upw@gqF{B)2Ll6$E!5E@R23+Wm^q%j%mYM4wGL}r zk@?S}Rl#V^SE(~X;bjC?7M)U?`7K@a^qOn3UcR^iGUb~t-C{li)z$dkq*F}uYj>o! zh#vL*G`eUx%)6$W`>i~kzB6-VeY7^sJ)*8L$ia}08e`8_Wj_tdj~tsbyeQ6Ltoabn zlZXfv)A^K4?P#Z9Wx@Fd{dQ5X<9I&#i+kWkFy(F3>c2Z-z*H0KGOsEY@>X?yhR8uY zS(iq~kskq4kS!(L3Bb;DXV$*T!|^W{kHOPU5tT$!AtB{eBn@psdzyMb6i>V`-ZBljAJxjfDd!vpuHSzP4dr}I z1$Z<$YrJiU0U(s-!2gEr|3LoGB~v;7jQoAPmJk8Dj%%skyOW!$1UBSS*kURkIV|=v zN_3~e1MRwALrLu@x4*-!W4sBv zqbBpLDA7t=fKv4|$ugYLm-t*ul^8`4h6(;@O61-bm!R+Fwi%nQm7H%=I5^x{G=4D7 zyo8LTL*8W#mD9tFls5sk34y^bem+W<_`KG*Klv3sH@53?*VP3IQsu->R*A)* zvsDNX4w!;tsZDP)56EsC>~@Z zt-Vvt!L)xd!H;ip`H>3~hPA6+?rzxc96Lsk_^m1cAQ|dHVB`>1C_-ZEiqGvq%{W?9keJ@=EwFMn$fLC_B zN4ItXE5*Ea8*5aZs}|vA;Ds^(NRj9i#;=xptZgE5NppD6dUb`bt^Ybf>OXL(Axf^MDavHNDfM z{_@xD(_R_*xQ|kz=yVP|#JaRJcBXx!-w}Zc8SZczDAD%9Viu8^femftoFvPd)AO8e ztQ;?wFHii`?QXoWRb`*ua3b!SYo1;}O%Z*_fVx2L5Pk*hO;W}?ez@T81Xw$bPkL?^ z*_s=CP6W|3PJNG~aJzQ7LibC3tLJR3m4pLedyV~%XI>w0JvxN%WHIuYP9;R{~!A(^P)+*`lA=RSZb+8t!$omtR4ZayovVpBP|2y-u z!J!#WL>kAv;M|%))`ErHlc6$>5KkJ`^|pIvBolH7*t& zllGUtfY@)_-GQKcoLKLAv@PKa$@DX=*7eKpCSI_wTnjjlmjw9{ZX1P*4Wu zFR{;bOI&Q!3R_exlj8xpRmu%+6dydjzk8b%+eqasA>EyQGZ*lv62vzv*jQJcC>_(- zg4{~vdw^{i1lgJ?b`LV)BjY{j++SId*%H7#7=AksC5+K)|GBX7GK+kO_2YO;EH z)wH1f;`bV}veVk9GuaSVQcs4vm+wV?zfNZ@-Wp=v_y7NRd+V?$+pX_^K$K8g1nHD6 z6{Lq0C5G-UX{5UpknWUJQo2iGR5}MlhVIUxbAaE4_r33DKYKs-K92YI#$OyBTq>M% zo#(mMcdhSdDTut4*nPZ8NqX=qoi^e-R6ZE~?xCtNciww*WG;AP>lV#n|DNd);5xo`>>cHsuV|A(OWR_c|Y3rgQT*hmjG! zM){vN*E%yVv0wapp6-9IFex5>#6LtESV=gQK2N%%D>=j}E8Oml*g2iap`+}hmUU^~ zlXDx74Q4Uh)TbX0;_uWjB0h*x-1gpron{m_1f5I@W>pI!F>~^IG_oQcTgn?aXn0M! zymsSui5Ut6J6myay?)L3ObLgEoi(@dIoKNkIvc{8;8Vn%?&S0{;v33_`6|dRP~5|c zrSe+&{NM+FL0;8856(v?_GjF|3R_DZBe9^bxIbaSjA?d5rRfF8<>FZ0gb+=Drulz(2NfPp9pl zz97ZCTOV+u=X9Oc-`UH!& zpP^i7Jj1DE^?%3M0^Gi$JNCQN9(J2=p-tcd`O|`VHpC{paL4MQK@MY@SxYb|WDngD za{BRP?fGwmiwm%)t>D_CXqs_+qT@@;!jO()Eid-^I;dk~jWy3Xj)eW$VYKDKq@kW4 z$ru$OD9e2`z6BW?Y|=`#q<&0aatt@%)TMYl)n$TlpFK5`90MP~9dhb^Bq>ie>kpOH zwUvwd6Z2uicpq?N#yz8FhWISjbal9F7M3lpgvmo_()N}VjHvJ`iY`a495G==2f01F z0AtgQ%tn>7(fDa{sk5$*&~dWCOmm~32d%}9{SO_>th?vAJKrsObF;39dQ`653`<4% z*teLYEv=cteWZRV;6S7UzqDJ%xr`O+Y?_B!M>k$1uMO}lt?V~K!imxHZh0ly%(dlp z0yhu1n9<&O&o&0NNBVF;KQ%42PdpQpu+g!1G`As)KK9-!Q( zSdA4Dak9s9YaBx^EUVJEeZJlZ4}JP|YOXtdOJ4y5|KKg(vEq8WhCx1k7|-fyKbqgc zzR(Tg6JYG`Ds6Kh-n=%quSEt(ST4~891{H2J5+*%|fK1BX~2$}(qS%UuH?o8!enF^jKs*`*LzAGZ=z_DkUb-cCO%w~ zZLRR*aUwP>ReKQPi*cx!khbnaCqTG2B!3GrWR5Z(x)Z@0k(EkyFUG9cyB~1CxUS;~ zW2|)H3`-d4`G(~Pn1z?4d5u1r`W(L2t3ZkA@K7Ze4DV5x<^#J{9k-c+r^y=s2`D84 zl7o(z!6eYWnY}g7LolTQ@KZ5%jX-H>q1}74j&6hTy^a$aM0#?d>9XNEHM6NY1z@)` znWHTh`vilp{Gpp(k&c5F3;(r(pICn1@kceb<$r(2vx(kz>9PCNakmbz4Pw<}#!=C> zKJ;edlj~pL;~pc`W!%qOUQ-iGsg7dD7UWs9j7+Jth>BhWN`+?808*lj^0S6-ha&dT zqUGyg-1oNR=o#A^miqz@-3k;xi$Az?7`%N1fJ)R#WagNaJYjb!Q58Ye*^4CA{9)4L zY-t3KV|XM_j!OEXQr0U7-$5$TFg#I0AeDPk2?0E@+YiHQbx%B*jxbvBj*Z2FnV>eI z1z$H3!F6hEqmj|bP_i|1z);OvslH#@3V5>2ffhYLY|ig0sd6Vl*^8CRtZ47?2GYEC z2jL|~DsNKC8KN;)r>31+Ycr1s*=8KT^sp~&c$WmV?;)zfnRS&kFe~Jih5W&XVr-FQ z?4(~MsZe6Fj}BzI6C?BQX?Jp1>xI7mZIO;;HzohD96Z58GGD1mP(^O&EQXyt{Ld z>j`tXgpkK3i`_{i{Tssz!7z>gPn^t^L`#W|)#j`!5%{rC88GG&T_qyoT$? zF;`qDQrsbZnyus16Aow(JkPNVJy$elwCP$!0lO!zX9q1MZ$G|wqQR0bf9=b1q26e) zXUCg}PX(Vf5Wy&PtJ7EY3%8jLTiF&DrhZ~OhQBOg1W+x27!|NJI1k_m(+DlAA$h(R zcoOs)N%QD?QhD;L+M#`O1dWQ5qNVBP!Bb1(Cqdf!n(JtrdS?)w4M1Q z483*JV~GOQ?z{ePIR3*+dgqV5k2N1JBxmA1g6WU9JnMHRQ{qrM{{^4lwZhxVhS&xdhO`r%D?Z!_?l))hXQ`0#s@BiyK==pvoOk90pZwnEUu`PJ4>mZS zP`z3k#l(F8w$Y4-uI_8gxhj+Msr82A7;$i@r5kV)F(wNOq}l*GSaFxeaazu-);ns$e3}K?{h>rtfE}^asMx)?(0e_!cziKu zA^ekuulEX!)MO=wN}!`XpBi8DF26K{g+)0i`=hmrf5#nDy7lo2$wPPfv>a)WvIiPq zY88vNQ0RX=LehmRD^NaILDPB=M;9g5QY3XwB<;D9)1`k&gM%jGV^ML73Z*oPi1w}= z{^~q#OjriW6m;8-@w+za0bsg-Z!BDMrSb(}y7qXa{;%Ys-(jX`$L(bj);9U{KR_Qp z;(eh8lpW~WyDE4$^Wu}b{cF+6A#)OV=UlEEhQg5bJ# z>1aGEozeI{gZ)atl*!{wy@wzC(z`>|*HfE3oS(bGEP@NJpF((_YSE$>B*o|8=7M%Y*NFe>3gF z%RzPJd$h(va!$40t)Pp4h2(0Z%4$&WB-s2xJbe9Jy1>PoBz&YJ^&}fvB(+~# zhCCSi>S>&p)X@EFumi_op*{S&+J1`Foen!p!%4h4o6OAMQe0H0RNgS*EmRgkD15mf zWjXpTIItnY((|l+DB!5A;$^g9IeELP?@jV{7rn_jB=iaWVRbbC^0j`>i3YVDJNPE>Guirq<5hTR-0-_me05 zJqql-3gurb&4o`)GWfH3I@d!(KWW%`c0773R|jwmst&tax9@^&@=n{1vT1*Mt)2|s z!Pjipi1h^Z-_3NMl(XR!^zWnW00(2va7C!Y}SnBphqJc?+2FA%c-a#?P z#zO>;U?PbM|Sl_L#%rdYGMzgL$^2fKkv`4<8Op^1dIiTReCQ~B7d0#v^zOFsAP;Y zp$osy@UH!ULqIL80dhi}$D2!g=noji{tqHkD)Q#GHRl>oNm_~0pTz!@42+-UWU&4@ z9KJ>$Ma*px;t3~d^T|%m>RcbDIl#}7ZCvEB`ITUB+-q=BB5@?q9bg!s&kg+947MN3 z)atotSdJX8%m<9UA3jNFN|y`g$g*Q4O>#R@-$UaO7V3Oh@Wc3kw2s?iyocDBOho&% z&2&)HVPCAq!?VM1=Vn3>m#H|c6{#?ewgQb5qf`>+1SY2#7aHlr{DH5wosAy2i}L-gYygB-{5`F)t3JY z?=$dkc%Re1!TWrt5Bme}^Ck0rk@&;lMZDFYD5xDW6-JSn@+eWARf+PNy~4M6pI`qo z-X}8t;y>eku6};5#R7Vh_gMY!5J-g(g2F+iNez4`6-h!EoNfQIM8DVJ(@T6{IU|4U z^!yKt_~%M};lcO?La9(0-wqrC-qkWfc~phh^a2|^1;JBj=Qx7y^2{h)azH!Szu|o{ z{u%FM`7d~%pZ~!7V78IZg;yRO6%qOjXVZq`;E}8GRg!GcEi^0{R!^lzZ&n(bXjE{8ZYitjmC9?^CV@g_D1W|i+31i?!M#eAMU$H5y=-~ zWhRHS3Rovxby1pok2XevgS{Hsh8S2;A)x*+&7Dd&U=+N^BmGdic?>?(DF6TVMRb5> z9_?Fd+vGF;fBn{94=SeNeL+DrT&tLK_zaMbBy+Vs)9j_svxi1^kiXkwj3PunDXs1# z|DM!I%FV+_88hytqf7mE~4qdH=C^*c!$^<($+KRAIrWT+)Ve6!x_?KE4Wi%pF z=u(%Gse)ZL3T63+tV>)5Ho_mhS5sHTa{#FuGL>OKO2yUsA=Vj1n9WLUdUmZqh1O9Rqej9;5=Ph z%RlixrWU?;?LnV43%Ag|X;qs~Wrwp_9dB+d>9G;Gz{=Tv)3$AfrHG3UQz9<6?_Zt; zMB5(M6;F^_mnyB^@dPFe??lhtRM-mG5S^52$bMXHRg}d`dFm0?a)2zZ(;Zo{sb+ss znp8yTw}*L2r;B@2A0>EUo}-O7NO_c82pyM&wc7NtHAP&xqzzP~+ec&3DGs|?1l{>+ zR4Qut<1F-KqAP2v*H&96ZB(O_i08_WeGy#VVm7C6G0Qt)OlUn>(jy-H9eQ~G3f~4H z_Q!C6Cp<4+-U{~B5kqbUUtZX1d?7mbE5SfBQiy3KxfGcoeQwqzz?}&7CD}5PRVaCm z<0)BNQ736(`(`lRW9F#$*Wy*ecwBMG3hskhIz2X#J7HQjiOiCmpk zYaU~}hW@yUAG`#AKc>*&_r6f9JKwOsVU-5_*?< zl0;YOX@u;l2=`=?=6elsqw~!^Oy2Xgo;sPd#M1qzk@v|O>pJnym|_GKwkF%)GlmpR zjzeanae#u&tuSkQOtxp8@BR^}@cSGsbiqG~-LY;OOzl7~lE^ffyXk&|9(OFTRjy(d zXdEKTNa0dcI_&BKSZh&SFe1NdSV_%&c6n>gqp}Z-ueOQVN#(V+Vy&~%T6rDrQ!xEv z)4=r*Y*!h83-10(?q!iUrj~}P-X-{j<SZ3i8A1QfuPPS`>|Pvv)7RTb9X*pk*5B^Zj$ZN#@)2| zi`^t96MM^UTDXrJrf+?qQqE(Xx5O2hP14Ir`{4Rlo-WC=m+OF^dtL30b)laXr*MlE z!9+AkZ+Yc*%Cnab0~#!^8&Zy?Q@M)YT9wP^$lj;-#d;*F^87tT8VKY$`d%3KrLU3Z zkaT5;gq&ySrjqYyE;@(cfjB5PIa*Xr&bu&HGlGW^is3&QfATFo<>=gjh?Px>Eah>P zn$2hr`D>r&UFGt8`!)?BhHMS0#iAppW+VW3 zOr6!_X%)wS0TBvklTjPa>7~Cs8JaxWKcxm*eO?hTjpo=Fc3gw*Ryv*-RKB5_npnfa85hyB#R1BQ&t)M^Np^oNW{(ivN<65Mx`lN0$@9ErfDgL zVw{6WAhhv(D8;XKM4_#^cY_Y8O$6})Oqn#^9SxnQF;_Imn~!<7A82SYA*h%@K6>SL z!-~2B`!|K++38;);J*bu^Duu=Y{1`yVlQq14g8blWJKce2hB-L7{BW^qh_cCQIZV) z-35`*7)J2%cvTrccSte05y{vHva0JIC6S~!nn5Wum8Wx9!I@=g$=X(>w6tDCVz~al zvYdd$C-qShe_w=0B*R7ofqke|>U@|P_M7Bnh=GO@FCyt2;vbXc2x!?JG-C^#P_F)! z9}t&M(iJK#MOscPuXef_zY|k!BxGgs99aQ#mxN04&L7hqm`6l4>1$v!f@U}V`WUNR z&tZZuC%ve=O-oVn%et5kAzSz;_R;pjdr?z29uVIE(AiA=+ywq56(P-I&pBIojmJpU zd?CJ%49I)Fk^3&tA&s?gDd;<`adKX;WOGiGI+bb-z%Qaa8v0rN3*<75tKV##s`vEe zP8J{}FYovbu)+RE@1Iuv%wYV{H6OtKW0_TMNe zCdmdJfv@-CuXwLsSX1tOsdpE?M8-Ruj3yg&oY{`)#nXk~@B9b=ZhUxr#l3N4pW7JP zsvGbKg|FP7%`GT<}XF9ex?X1h|>wKQ=r#Y5`21&ElZdd^95q zhFKJglG<_4xgA~F*Ix7k&CZU!+yz~*pDSYq#(f<1HXKh(mpqSGZ^*^kGmZvwHOF9J zc^ns>`!LT^Weuk_LJ%W*6YlIKSEs&pMqQ$3aID{=1_LadRfkwl^(MDF(QeY9dL=EX z=>C1K3)*z!-qXi^nOdKVb370SgI4$=CL5=T#p4Bm)}6^VznFw_^41uz>4XI_bYc=4 zwLfmj7Y3^^jA_@~GGCU&mmm}uHJqWA?9Dn2kc?sne#<17_Es~DtN=E6wo`9!Wg4%1 zb_EQ&bASRYnD9Be#e8*p#z%{jdS*Yj4cU`5D~pH7drbdt_w>duY93 zt#nn*gvaS$cFqe7Dn7r!t=@5+e4;A>^IJ>oj$7~}?FQq=!zkxCX9>40&-Vc4iA?c% z$VNx2%J>#+p*j)k<`A_ufq}>e{fe|Z(A$8FbA->=j{hUx`;(`A9E4El$_f*!o0ezm zP4ne>86I?iw77Flt+1svXT7R9faN0UPT$)$udo~ZcXRQ;Ke9hDf4cEv;qf6@yX5O6 z3xLq@>1#%9$Ue3}Tx(}d<&%*AA-)D^c?WK|Wa{BN;WDSD9V}xl|e_R~F zE0*U#nI$IyE1h+}OtL5*Te!IZ`5_am8%ENl=|GLnl}~Ig3)$SX(WGKm5-bx+gitmhv?KWDc)Wf zQn_RWqC~Q~j$C7y?h&<^$0ZxDq(|F3NmyI27t8*nh#kxCm=Vhv{})B<{4a{w+TT#b z;7m1e=+((o$Wip3*qX8!+O-_ox9|1X^|+|-40q~^ryQi+25I)ppMYjxI7ZBP&y>QA z)+kE48VgoVnk(*g;DHK)w$eG9=4HGNM{kyU^<5jyZ2ETUYJyQQ_l9zCqS)(6?zKSH zZ4oVpzC~5y8lV7dl0-(vlXW|a(@ZyGQ;)hJxE-l`_0?9HAFRHea&Tv^3qE1Ea}Mu4 z(0UQmSVrzV;eDd@&%WJi+7rRV%gZ;vmN+Gl#{0^U1`NoNp)hrw) zl5tW;_tk|PVk^fGE=(UJXh&-0hTX)7ZG=wc8xz@JqWayssJfkTJsj3-dNtTsv%{RGD78&?X8OB>oD41W}ISP1e|K zl@kOE&b+vbFYEa2^JU_X)1Q7v)lk63r2D}hEp&Ax8XWIYwsr^?)D6wZ%=GxNz_?aM z2z$JWeGmIwn!315S>`^o-Mrb@gibkBPX<@STz{yIcgk_(ivp&E9e*0L2Fo7deI4L-`nUI%lvD!7;D9!$!XPu*?dr~^1XKN{{`RoyRpm27(> zaT1vosoaYNscMy|-c5c=-5`8{=-Qs_E6*w~I-V*ukC6my<9g03=XE^>FOnu(Gxy{h zUN-3nm7c(d19B+eQy@@87%$``Se6fu0ZgDI*=*j6>3v+Cx*j0{t0cF;&BAWM{X}B@ z@Z2)p;k)Cs zupvJA%^iNiCbf^>aT?N(oj&hmeY<+FN6~OJ=^Klert*k;e&YQwIwC2?X9VvYx>Vg7 zP}RB==7CP+*@+a%ptzPsyJnATeOm>mW4mQZ`L6XSW!&rzQ8v5X%1@v2Z`Bley4~}C z3oQN;sJ>8Os4}A1?-G4OqP)?yc(%4nLa8DXCc$n;=*9PMf^t5WnaBA$Ywua6e|)RPv8?Fd-?9M2jBq;rp)cS0+wpaR>@g#BggIHQ0T}%QhJPgLcmI*E z7OWrQ(|BjTWYpgDedTZZ$_t#A-^Z>;IwM-=AUi&e^oq^MY1Vs~Z&!Fr=@#AuL*E+Y zOvzyS-??Y-xB@=rrvErSwbpsbqrgP(S5wxly09 z^g3+6G{CNa^%cnb21+&FVE>f#VEm4PB*8C8lWRrYR>@-*q$YIcqR~3usrNy^Y(Y99 z_l-_h#$u13O2M^pIrQj**tqCDT&jo1Sm$#$XtZ5DK8uHwK3P$9lc~i)gkAX)e)?X5 z=@@*oc9h(&@}-Vxo96pPXo6d*FtC8k(>TJd_ao!vpchh@_%gmS>*aeAtg`S~n_~GT zOm(*z4>#|7msF%7uVJ->ss0{M;l-iep8BWJk=we z7-MkLIt8iIr=}AVU(&XD4IDNQ%YdUm`>^pZG;SShuFDR=%+B=E`R&3czyPaYMLuG#X=?W?e=D)WeA98?ufpNe55;f8e3DIYu;(W7 z7E`FEc4}-35nQ?Xbhvy^2paeX?2?6VC>5N6xX3*~x82EnE~NW~1A(uo_flYG@b&R4 zdPT7lQpdTSy9y);3LaM#I?^Pic+3|c88fTrzE{2w7to3}-kM{9?LN%m!G{G$9m?G5$`U~|nZWU$K zR;J+8q*y!bUnA|g zh*A_j<5xH$}LcF5C@| z@o?XF$*JdXhWpoz9^Y^hB9NW|^rlprTM|^#El9fsL?k!=%Ml3*Dm5br@*onN8n)HG zy1+%Vmv~FL)55$aFmacs<+Q~1YS5)ssE7jVvYb~uF#x!7=)&9;Qkt@dIdovx=dZ1@ z9RCh-_nt-LzDEMC&Z1EP(ukz1cc9sVM$9be2VR(@Y7G_~;LJSnJM@3A@Rj>rPwF;G zuqMWqrSEE$TI+N0R*3V_b7K=2iPCJGR!^#P)oAJgYaJzraJFuEaHX+DRtZo(+v+z{ zhz5%Ftp_H9Gv=jjg(7Vd2xT->7XWOrHKcUn(ct)2yP*|QrNy^jICAZk^z}js7%-lD z<+;$?V-h`orFV*k`Y8lET{7P9;E^DUUr!7T@of^ZE$R%x@$3Z!KXZWh$eNxHy zDqXcJ)CDgRhrddt@G0M@d12lfeyI$*x_vebjnOL7-OysUrg7@t48B5WK&~T@B^y5v z84->Kv%-5`tEI;X73t$0eo&z1>*_RmPL0Y0 zWnOPNPx-CI!KfI$ugr4d2=A!mNSv$_WX)vUd^KrhRZtOx;08#dDPhs}6D(Y)V~$yi zXR2N&c#mAw*wuCUHc6?7T%zxKz9N?x49L}p5SO0{;<-o(mff}h#N)Z11Q^DIX@ z=O#pG(_&(^Wkgu3iZWH_Y2-!n3^H1$mmc)S2R#q%o8Ppj{BBdPQ_H6@DQ+K`z5en7 zS|=a#pChkVG-eSkVa>O}MOAA6U+CFaR`ia!!{#*SR65C%cgfduc67gYG+zj)ySdp- z5{?ksFS?wgShjb#4KxgmsDWEE=-t;f=l@pr`e$LoaDh(o4%#<~Hjb`fUiRniav>Nt zM;I;cTI1g=-*ZXB((lz{4wJVMnn=1vsAN;{hS*dB!|l5Jga)EZosSMWL^6UcIl#57 z>LUDjf|4$T!0@kPp8eqzx*|1`?Zm9qUz!?h@O?t{LTuNMLH=qqs3AX?WE^PtOAWRc8~N(1?6%;9M@HedcMAJwQ%^C3~o=!L!@R2zJ}*{&RAOqactx!_5T2` z`;O_)iXPX4ajglhFq>|0IO!lZAjuVYqyf&>SYYKU+;cO=n8hS2j)+6}?KREc| z^^0Mw97h6S%=2N^b~T~zwrMOCp{*2N%QST_XGarYEoZ4$`(22-L2c_v<#!JbMijtP zISL}?h#-|av3E{qX6mNBXL*9cG^V^T{0rQ+J_^3ZR@OTm`8r8}os6OJt<^X=kX0|% zcTCrY%ue}&rGIl$=OWlL7J1<0GVPV@zDah0zU$R(*Ra{??ilyVvMTrp<(w`{w7}(< z_7NK!>Zi?5!Q()w;a#3_%pJbtkdZ3LrkePh_Ir!>&~P9Li>k%mi`2Y{__2BiJz2EG zxdmByrp#rOtIjX2l10mwdSAw#R!vGoEelA8yvU&>e{=k3ZB(CD7xMu#H}JYdD$rxR z)#dz1pfTh}0+|=c@#6fzBLfmT9)A|0avrF~X1I&1XX^pEncZg@cP^zh!3WXEh@}v` z!&sadeW8ahvF9^CIY@IltIb7kN~TxqDNkK4YQIHPwmu`0zM0HPL^C&^W3Cu79Z&U) zVGilE9JydM>;d%)gxyWf(g;&bqB0S4Y7tbrKqG+kEm~)Apw*DjbVl z;G3@WEgw$cFFqW@KlpIG?1~RLzc})TFeKeIv9Unqc;JMK1q}HaAbn3s;ZOsCtfK0* ziV;ciFLw!0F?GD!sf-mC=B^zBM9KuttzMWwr3HCn2hq1Seg_kySKYRN!SAc^<#si% z(T_kmh8nBU-nuC}!71kv`BJffdmp`vdmA{iK;6%7u1>+*hYkjlX>Xy{<*oa!fo3-? zf|GC^o3ElFc4upfmuK;?Qp^x@KOYXj0T;G+7fvVJPQj^k z>Um@n`E79cWi|mV>BZ57Oy<}spmJ{ojx09#5@+k0Ntq@;8{{8#oz9csNbfer%dn#m z=G&a}T%y==+HB-ctGXvp%2nI~i2)F6)^@E$s%IK^xKDpPyG)`5_UMf@-_@bNo(yEK zd2N3f&J|<8!0eItL;>{hF)-X1ebUOhMv1?2j5%Qj!Vf?E^92<;<>^9hp>k+|simENW>q z8IDO=vdd%{+9_rCv#L3^AD2TQV^tCSM)8E@KVcad1sg6U?aN_n?~?V1F+buxQyF%< zHxmH6VU><3dH|3;L?1udN1bj?j%+-~pO&N0+PdQ`zgT_s?;b#3ZhbikGiom>1q^JSbdSg0IlNArbdn zwkWucTBk}Z5A(l-5yU=nu&cf(f{UbUH;Xkul3CY?^%8C#FtPPQKdHQ`Zoa)Q8;mop zzg+73e73Eb_>hN1WXYceO39JK@xo8f?i7jNTjn?q|$V7T=&FMs(bs7`gp0ncoCW z@QPdN{9`z^R2IBj`}UHH$@0e7w+w3|dA$ZqX#7diVx`j3o>Wn$TNKOl52_o|gR6&w zg`>&b5?7eKhDAF~;YCCSZvch0jpB98>`>*)wj@g6ud9I1O{DcpjSAe?ov}H2pToO9 ze|?A!hBKrV)DlK}Cd$?>G72s-0~l$#^+W@wV@q=9Wp&>PuHc>FH}DcIx9fd$hF|G& z83Ln}9?SS%D~TH0^>eV>j(SD~=tp`4okVD)V+o$S&n!Oer2@f`991=`eXM4N3+9HLpa)DuL&J z9^Pp*5sB9>^#{4TK&`h!gR@wqoRxAB@*09b>1Tn=e;?Lkz-)Y)5 zD5}GMSMmHPtIbLnCB|BO&V6M-Q&5r(QnU21(;>^(2qtuGBW8>*Sw{0>?y*AHNIuOC zh0l-Jj}Ym&x0B)9%J>J^8q1Dq9Hu2LIOET-RjitK4d9j7ljT(9zt}r7S&J^Q8@{N@ z>4l~Nj>g)|qvsV!Ru+CD*XW&-P=4z$P&eZ9O#O`Ds$6*uyz}j!3SzQ{OTl*UrW9zo z>4)2D7s9WG}_kTp7-e8VfHK##_NL$d+cWg*ZYqHzExeM7Ec%-KML1Sa?)Pd zFL0}#Ic0AQdoiGge=v}|)TwjI!T7QsX&%%0Q*$}(h+d|2zjd)iZT(1cLN#~oi04)4 z_Q&{3?ed>2>FscKeSV(~?Bq#LKdl$UZ;pnVc23ehq(D;o*aK0PXC+RA*ouA605F2I6}MOU&jO7U>*XuM(g_sD^*!rwAAo z>O`uF%+nHVUYgj566rk5Rh`0zvQL&l6Vy~S5Xj6cauj+n(> zwLkGBVM%4B6k^%lH^COB_3CU-Y&p{&rz;t5A5n&Br$+N8<_Rec zz&P71E}uMvf#1e6Dh#qqTnk>T=akw`)$!}O;NEKPJqz?j_b+fmVvYsN3wW$*OdI!n z9zk%BU6J+DX~h>=Dk~b5Nombkk7z)%0_(0#UgIryU%%1S>Kb(k3gOk&JJo9-Q2CMg zd1J%!r}<7b0f^>I?1)uTh{SsbY}>znY0U%7G@wEgH8pKmtlNJoyGA`y`%%ZPDQG2& z?MY6SFOpy1slQNHw>Es)fR$w`>_n@Z1JQETdMr@sMqj$F`t9Jrw06u=FGwVSQ~1=8 zel-{ETgm!9vzaAMJQ}>jHwDOU{613X zK()X{`yro%udLsT&~dfLsPp9``N1kA{CAs-vt~+`)5477-xl~#jeFd83ux zkE#ufwAO|7zQ{ogmLI+hiJE6QNBGUwRzr4GHhtm~K`F-+V!Lbz$x#^tCDc!4)1$Q= zmJtV#rD7c5w*Z7=tM?!#xdvK~#lZ5Nl{EwI1Mw1BKlE-$%ZV~2ieeTl?04?x?k0NB z&p4`*Q^pHX0QGA}pJ)%?rhCnc#pO|cZcKHjzk|hJ&w-Y;63cestiSI?sJ-)UlODud z*M0mBbY^Cej+S(gBH15MoxnR`L19NIaHc$NIY^S0kQIbI&9ZG-CEvAf5k~bP?|_h4 ziLJvV%3@IS{4p!z)@1ZSflGB%ru$-CkkP}Hd`8N;aVA%iml=yACIPRKv#5NA#Xlz! zb$sID9ncNh`pzX?p3g7LiyG#FLimCIe**?*8QP=os|Q=0 z%r0RG-Hzj`cTp4zun+W_wqo(kS`l8(;Ae6Cjjm~1^$d6hQM;;+STjI2W}Rl+IB(s% zQmpUQ>xlZPRl0>^-DnC?Qz|}@KH>DE$6va0q@ni$vc6m_UXZ+k8uad!0G{4?b26h= z&x@4~mbda*!g|#MF6-$PjdR}_3dDO)cV5g@Rx9wo$b8T5+`p3-GA|HYHLzJc2~>_) zlijmv+ZiD0D}idEnLhFapz2nM@Ck$ou87f?u4AbK&&DU3u?gDn{2SGg-L+%SvCU2U zQqibD`j7e&Wv8N23Lv&sirAHmFWMW&$Ud)NSPFOB$;`&L^&~%;OpyS#M;AD1M;QbG zj9}-C-S5Fvrg~Ar&$XBzZ#roXyD0+y--vOopR*Z0lH~xW_aX|Afqo(m+M;%BGH^IO z;J<`+k}X~5%NR6_3xE^n81H@|6A*v8wbEZ8!Nmu26o=Aok$+r40k>DsJ#*ON-(Nwt z62GsYo45SeIQ>+h&R|};=NL}*sq^;x(obVIf9046+n$9828pc1^x$OJghW;VqfH|K zE9d>;RO7t!+A@*INJy=<9uHoY!`Cw8I55_KSdA z+EdoW0#u@fRHx4ss;XQ9oxr@Wd-FB~;%Stvym^^lEe?qNwF{&xdSFzP%(ICLY_i$9|w_8OYhHrx4A3Pke49n8oK{@de|-R6bT|HfO}e z1_tQTAL@@a2zOFN9|ZC#OF^AQVbdoGQD~x>N2g{UuA2y z^8J#sZmXQsRM&*h{S2G`r=7N+hzA-0F=Ja^!ClCWi)V9h;@bG>=KUp}(hhi1;2uv|Mh!!1OEo1^ut8G%{Q)PfgMCAj<5BuY26gYu`&X&alT>Lo_Eo`Ep>+I6};WWz2t}-u4 zUxtHdH=G9Kh{aU!ZntvIu9K)N4&N=1weBtDqXIL0kXOdg)U4NvFbX zml?b!j;1od!ea48T6YA22~^_! zo>z=V0Uar$7otykma6k*M zrQE5_27dDYe@P+W4@ma{UQMnDTw70zy|{UeVe1FOAbp}A?yeTVaC;~Ll;uGVXA9aN zU^|*jqDH(w$aW?1f06BoRk_PoE&rWtN3;lK&RQe@THiN>zQ`JN2~{&Gz3D>5Ij>BS z?YhTA2_m^8Ld`|YbX17(%H}aprPU-o+gf08Ra|j2E=HEzcV5vD8qF3uP+}X+BL@Zq zNYLX5AZyK!*YV($gcFLs?QcpZ6X?EV<1t2l<~}D2gg-&zA44*_iG_>K&>3&ANuM)G zUt0q@s>{ygsJgz#3d_KAU!;4}`D)ruFqLnJ0}YBRVpdq1rRb-rQ@|(>>O8s$xbk~_ z;+}9CkFBwMl1^u5@YeDhG}`p#5DDCh6Ci1UblqJX{w7xcQdu#4uWQOI+0rHkm4<*8 zdvmP*&@0PI_5*ltjOQIFB!bj2d4}8Fg8Zg*DQaJ)cP-PCChq1e;CP@7T`Pd$tf)Ue zl^PV+6jRcm+~@9?1P3(LmtOO&!L-~~1$u&#%1_z_UISjnQDTGYF#}(fzD~8K?m4%q zp3MPKVdUc^A zxcM#4T(snPs@(i7bU(@mxxg404UEzN5v&9H5NQ@TP#5nbDMw>qhW*RaFH2o-p#v2; zxI(;fWLk4i(pS3+%@l+$oNM^Ab*M*NnA7Bv@2eUrJ^%uOK!PaP7*OOSg5IZ<&gKjU zn%bvzJ0dHRU0!GkMm(ydyF*i9=^jN8(#=TeQ6&GM-Kte*%5_|z%qfTi24 z=5B%5x7803LBr0=o33qNU^nwa&Lenn5oO7lUJUhF-aqm~pnNrY=JGnW1EW7IOJE%c zysxSBpg7Jg!RK4PJ)esM9+%JA3G1A4Zna-suhrJmL2z5_!LmxNXWM*U&k6ZjlJ-3xl(+C>KwC%8? zhZlSE2#ts=7CuO;xLfdU+{!1E0HR(I>>HIkh!+r3T`;mNp4?-4;hlZ6Y2jDa1Dql| zpr#iEOaz_=AGnpB`x3v(96;->!1LwFbeslw*4)yIKZ^K##ikS*7XgygFB4vf7TdLqH9b15e3RJwE|H+_*M4pf zpn}r#vh~=F2!9{f>SMTNnu-(ceCSKFa zJVuWFE@#ZK%}h^tPizEr#>ESRtLWSQpVTA)VXgu;W6;7v!yseA*2g$7*K+h$OawK} zD{2kfiiL~V=@bPJx$722P9o!ZK}Ju~NXjl5&yzT%T*1n2k8`I#7(Y%habg5LG64pV>;*skwK6_<5)HINMT0cuyt^~f z&yqy~DAzLIXy^<1+w-m#Hnm}XI$mmc3J$qJ*iX&_nsi*>-Iu3AyhW;-d-N|D#qxh( zdN(1aDlOix>AV{sU;E{>19Ws$v^BYgwu_h9f9UrdPF(9!)$I~|mM)S6Pslte@Z?hp zj~7Q!x|UP;bvo2ticr)hY&AYPt3;=YW@O7Z%@>m>4__WlHzL{FZM@2-$!qN@kx&-k zPcP|mBVCYeA^fqCi?>$RcwY2nBpT%k{blxq7V$}qt=sg=&Fsq~PxxIu1?1jUbSKOt zH6qn3)2-7Rp$KtnDw^Xt@ut?6J{N&k=>CtkTQ;{+HjR=udYp-+9_ZcL3; z+ZweFw6i=5dgvRxiQ*cc=AJEzG_71rIll46IYXX`tfVU=sP*ob#4AXVz+VR#pufN2 z&WK7wuw1esN{nYiS;(I*wa_7|Z~H?|2Uo9VFSFy~weh z+__(G#7so8@F>oya1ZWQu@$tf-Y8&I6|W02^$C`xxZ%MH{my23L%$GQXM9Jfow)RT zYwd(K(razTDkR+|^WH!eNWyDx_SS*-F7@R%On;uphBc?ZE!}={rB=*9`_{+^5(lN@ zP5ytZy=7RG>)tmE2uet&)DQ|Nt{ZBaL(nE!{&S4FiaD z_mBevJQuFD_r2D;UHg6B}+WayPQhww?S zvJeGJM;CI(h^pnYu8?D9p8;wnqr=StB5gE<)BvLd+FMRL7xXPkT9dbAgwZ2tZCL*x z&@t0}AP?$}cb?jjw1y^?(}HtFU%4jFlhTBz*gKoJEVqM zi+F60MDGMEL<7OrRoto96`uh zWX|l#0QLNncTT4K!<`n2^DR!P35>DcN@h0G?Hl8zo9hJAtyX+m1~$}r(%kOj=}0J;}>kw%mI%%QS3_{@mx~wAe}UO}Nh2RTEHd^s1$(RZD*~d$Vy# zY^E}FwEAtz3ry1?2tFSi=S!Ih=XT1iUz|3NBwb?&ocq5E9PP>l?r1zc`#5?zt0MI3LS|dz3(3X zh9zn35v<5Rc}}q}{^o&kXtoyAgi_)2meT3xFwde}$$)c${`uTb@sD5y@R(|2C`%>oL(}u{8=OwSjM4s!_tQO3oS9^Yi2B>V_E*7jGGlqn zNH_2KR$1D=ZM5D?lLF_D*^^Y9{w<;P58{%}AJ}tBED1k%4*#pzs%+;Jtv5eKtjzKa z$XUQ~w-jVdCq=J1Vm60*` z&1Ve>h`wlIso0>>BMq+_9mH68b~v`qU{iqJXhh5b6c+CKlaxCLFV*W%%gZ-O-J+7c z0BJgM>>Kk6%GMgmb3^G0Ut41AZ({kY%lm7zQ#Yn7z$&tmq4BlO9jpOJ;Yn-CcCohwZpTcX$2-ut3H~3}8>! zvMJ*Lrj5ocq@nY<7{D?lSFZFmL=3y=_3oiHaIaNQ$!A&-3g>6Bb%%57vys(7#WMh6 zf?lOG|7^s=@9#ICS{?}X)bd@M{|pB{c4YlC)H~qqXr=bz6EjB~>xCl9eU|TY->+26 z583;W#GyATUq(s5m+kON87$*3%3!^JD1(t+1fR_4Tku|YguKlUia;M?6%EU`&HVRwoL_7`6^=IcWaW;WA;7MSZ<*BsqbigTT8Z^NTHgr;j2} zvD^cXxrb{Wo8@D3?%mP6n;WHl;bSH=4s-%9Won;S8n^iG>dssxrl-2gt-Fldn3k%y z60VG;zXEF{y3D4!{*4UqT8rg_N&!v8L0R2*>6TGLy8>O!jF|bq&G1xpF4w?1xKq== zfg{TeQtOe2!eWJ5%oJD`Egfv0lQ?A-*A(qRxZu zV~CZe&f`hG_)_Vn1j3}?V;wW0ln=jL-HU$KE`Gha99#EA6&q?rr+IeoxlFWt32x)3XSvTS2VIaw6o$rQg$6b)#3DR&(4JVq!s*NVy?yqn3tI-C0g^yU=PtD%(DOcxuGN&s$oeBj6z6K4C!RnZ3J_H$ zH)07e=KHGv*~9;*02#=ioP7z99B>fLumgyp9e#^lL|G?Fu>wue2F~NI%|<$3>%m?p zNEPX`S0ViMm4dbdY4U!b9ZguoL?3*#@?piL>B83eSPAU;Dl`jp5%zu*FZuxwYHHkE zns^`<(SWJ=JAZeLQzkA62<5UH1pgdyvZMY*KuBz9Yrt0mip(P4(hrSJ5AT~@$0j?c zXci~Np@go)WgW(6RWyB#Bu?OaBCfe{KMD0wy*LV_OjB|HQ!c{JGG=k9#s%7N60Dm&i@wU` za{++LMc}}V7h)1^!7(RX()EFJcQy6f0-5oJbLE{nVMsQJfCLY_sS1hv^f7TcrqOTU+BXzFC7too9I%}FJ9Wc1fZ@?y#@hB8wO1fK%k zny>EWjy<3b;YwoY_q&ywOfMUNz>G&smi`x>m)^f}Eh(YLnRuB+YLkTzX$Er=1>~{I z9G{=Dayy;J2WEziMYvma^yfq>2IVMJnrv){V$_n>GsNvzuyBq^fgS?rO8Fz}-99QJ zNZTB2HeGimCoG!qu;c;!ggU|#|Kxtd=)B1&h%kPHe>y3Qkj}=ZIS?MU#%dAHB)szJ zZOe)UlIto! z4D(|Wdtv7*U}&?{6W4NnB>hk`O!91hNZ5UUg)ZN2x_-3GV#w$HwD*Nq%~tjLoUYs0 zG0j_&uG6iWKH!5CS9&%Ra3W9E;YR&bpMQ!iCs2-&04F{PU01>Etow*0s`2* z;mb1`zl{vTJeTWFom#0czxx({#Ex>j%k}4XDeRq@qOqXVv(Fnh9)5P!-1*w-_VAjq zGMkj+2ATEn%tKbT@qu*pgvkHVHyi$?Z?-ERbMnC=p#|~OhK{>ov`9m8@dbFlRl|CB zU`HMZ?DZ(KuwsV}(nJ#z^+^2uv;;~{>Zoj!fu8c)jdR!~)xd(lyNSFT7(V-+%iy&Dfy*u7WRLmZwALo0-&t|g?Bq-?0~E5yfq-mf zYQT@_xz~rxR!cXT_?{>+si|iZmGc2meed)qVWRg6m)H`u0z&-*?+(Dq-Ls@O?q0j| z4||14?~5~{|J~E3XTws)KRpw=fBf|0rxkfmq83sA(wjISMvgZ8!=7SV(x;FE zYx3u$DqTPygS!G1qT&bgfmsg!?vh%)CfsuZfS{=P=VZpQ1+88a^tnFc}%;OmdD_B#v#Y9S9PoEhQD2p-! zQemx}hLE&f^(u$Q>E^cr`4AfCCOq268~Z@rUd~`!$y(^L(%(cPI`i(X4H54T$3CgU zR!WuD3}z{JB!I^-?BH3;h75jvG77Y?>!SsFan3rl0Lz@ZcmlGG+c>euQ%mu;D*aEb zqWAH#mt%l{a2|audO}j&5;K8n09MFG&p9PNM2eg3nzul4Y5yzpqAUm zs!`oW=#dz??&EvBchjxDOY$bT-mbjE46%_3?9J98XJ{xM`^k;rWw*)2&E!HA20alt#^bk31bCs1BF{pG%Xn{i}8bFsrJ~$O( z8J6b~ygNHNC?%leK#H&DQ>y%A*I`8iMB&Zaz3(B4c?A{m2S6A8Q75iCuduocsN#nz zp@8y?&fZdQciH02W&i=+uUl?u>UFYzdx&ox&^9k+)AZN?q#Hbv{Iq_%x>a?&RD)S6 zI(+u`g5;Vv(uA%S%TvJw1v{TWE!CjzBVkhOIiU3(@&ds}D$j819EP}s?Q@ha zRoqZ}S@p>IfP#JFSc4aG&V9|yRQ~upb9s-Yu$FLC#BDgrW0)EjVd_}a+_8)AB9(Ww zA)#N32i=7L4L5gDdi9V|YKh)oDsG)2pwFNXQ6wa!zqG+q!ut57d7T;^T+-uk!?@u> znLvXbXoso+R<2z|uka+2HGuK?Yt_P~x}9dC`A$!L${wLQD|nrA+~F!tYXkO`t8`kl z{0$h??$@T0Li#qlnMm8!Ex3x7Sif5&Vh z0&Gq!zMC^r1^*nUiEdoRX}+_D#Y;IMDK2aKhvq}Flrc}fifl4(QQ*LXIGQOKIonp< zW0#iL(47j5chC^MK(3g=JPzw1-=c6sM(#y3r9+^~E*8~ArptD~tG}vy_I7q_*UilZ z@P%>Kqt_ZSZug(f)ic&{^9xGCM(4t&VHn}t4PPeoaN=*xr`;w(~eUyeY zEC~QYM*mb%W5`0c^B{W|yun?e8O;59Cb>!Mmnj0LnK>Z%%nbE=HZ`rsuM*hsugbCz(1T*D1-=du6+L61{`I=KxfNT{Dj z@<(tem2~sf@E9_L-pbnFtX?my046SaKqj0QY9KoYwm=HEUl=fuic90xr-O@gp z77MQNHTdmYSpF8uFy4pP5v_*k*090qC1e^z8TQo?6~g#f62-*_&J6+Ev^K^h`I9!& zHE9WPahyM%p!9WmOHZi?(5dG=fUTUNQyRbSi&uc&LOLNQ4MeK7>@l_+Gq%5!@clN6 z2xdJKwj7WndU5%hstGF&0mFFdcS$^YkCE85UE}Z7Z6!nc=z$QqY`UHyDY5`D_wkf; z@@r}Zp`A_o=o{VP-0!r2wc5$f8&VfK&9Lh??zS32(WZLts~POY`~se|bjJ}Y;9`JF zvH19%LkgcVXODDh5in98Ew>tbOc810=C%E^&IYy6S%IL@Ljv`;W|Bo_IUwxhxzV}2 zk?0~_WXItJ>Wl&;2>zxR#;Zf-dr^OsDz&>$Bs{xr=Ljv(vb0Df{W+$4pWo92(j-$Z zw~E`Si(;w0{@Y@Q{&El|MEH&KzwA6lSuW{n-;GP>9|9pO@Nwxw*%`41%oLyyF`QWy zM$Tg;U9&JTAKow_6HC6k&&3ruzuy3qas!m0pcez0jCW9-;X-oYT&0COBR<4d_pL1^ zu2kguIW3_8WMjAylyNj8i*Hc|UOXz41uRW9b<`fTVr#!ot-M1eA@mlx>Wignt^Mx7 z$19IVcgf9hVx8o`IM^Oisu;2*V7D>=Nrr1Bt^}!kzfUSSc+z~o?E$CJ#;!sDppWbp zXT@s-igqXm-fcv|VY~P<_?-rvSoM>wx}%?D6LSP!`s+0;ad%Ch)=szp?I+RQu=UoB z!HkfCvcacBWy=#YA$-+b6Pq>L^@raY&TQU;sfDru-KD(~LsNC{IGS(xyLL-Fb#}e< zyyN}fSDi|PtSjYi<1>5B>3AIPnmLFoU(8dUTHb#V@1_3_8AG&yw+`rSsi%5Q?yx2r5{Wd=}U^;4PEFLI7SGaHC ze7*aCiXD%2Dza^#K7!x7bfru%Ox>dmzb^32eom6p>Z^!}(n3ZYbr(5x7`^i`drqO; zJ$`A@r)X1d=|wf@c(L-cML4L<9XUwJ9p=ld#+%=Svb+Z*42eAzWJ{6udn%XjV#{(z z;Y<<}KufCjnhSNgmp<%ZhiPX+z%`G;=*Iz#QNlud@fqhy8#92U1mmq2g{2fp9wH&m z(_TjiM7`Ik?og%@5d%$X!QWM}81$@*UZ`S>Bs;=`(ONe=|27 zb;T}tZ?ob&&*_I-fUC(2$Q#3-bQ6$3=f&VQGU|f=O4|IlOvD>pOOea(G}YG*%&-3` z;iOdmOKpxplq&>4&w_wuVbJ`|X8KnZZ}SgQ!YlGye0?sy0vkGgPV}H6etu3Is`M&{yYdn~{(0n<`!?vmM_I{$^MYZM}gHnu_e7tXR+9>UO0$GJ|?`Z}rhH|}W5{Xw03H61f zz~`zy$E}0@HpH1+76*daRj~i^sz84Lv^gp|*h1bCaw%O`!j-91+(}s>4_lpm7Q~LI zcGY4N7|3!)HopH%y1p{=V)Z7tw>bSahdZubTW~jHQ#eNrhSeayYy z@u){zQTE93}-zdk;x&%u2f$XnEyJ~~KNRz(@1%DAxr z7a9-9&}N6?|DhIF`AaPhP)b{TgZjCXD~bJaMn&o%5;$^$>zkGH;ib--6A1egNNXVZ zA<#CY3!cBHvTn<(rCt9yaD>?f2zN@N^4#AS(o#@aw~i& zU*ORWHEl2*lI2ZuY$>1g!2{|sp?3euuGEA3(z`|NSDVTIs`|E{8+G6*WwipF=mKT5 zi9RZV$T%M}9KuhWxZjlr=0OOZqc`byn6y- z6PJ_eP^pTw3akCNz7u0ax8z`)B@VP7IfkR;y-`;ZH##^U1i;>Qsr1pi3n9|9m`AB- znILlKp#!`(CUSwrl|v4(!#fF#!E~k@dO0CIvEy$Ui%w>@DmNMTKWbI zi$*JKCadzO*TLuo${L_$+yq+3V3IGk)j3Q~!)h4`@LJSUAR_kVL(fi}cM-ID^KD^@ z1zOH1GZrl63mgABkn%Z$u=}$Q^F_W#rC|X5s$D(v++_KvW`c$^i#y4wjo@(Kk$)V( z0Ru#-JhKAb^0F!Ct(O3Tu%bkOkIEb98L5y`IlucrjSnwZ21ICVSNGpNyFaEWG!&Og z&IulPJ59z`Mt%Un`c35X_l~!IMm=^aNewuPobGS&pb!i%o|AcK@{Ip`kT2M#dEP1)(4Vd)m1`g*(4N#X{k);!S3Yp+fOR&6NvfIN zK7s{rHmTKh85%@^CM z8%w0^4(MFpQ$QVkAWn0SR7C6a9hm~?SQXn3LL-QHFiWl;+BAT;Slg^X&Agx`$esPU zgJHi$kR*_%gkL`+$jNtH{=REzgmVG3<)0Wu&Au~+Uz7pm-uS4Y$7Y%X^c=l>wNr%? z`*3S&@)FERx1Q+ovzWoIRxtc%!ipb&Vj2W@sU@i!a9}xB6e z52x?B5YE%ib0UStrYQ*C9RQ+u4ayfvnZ?UxZ4uQ>#x|NZ22YJ>Ie@1`q|#~iTh)PV z%gYVhNT9pqKYyvUtN;2^sn|jGsl5py_>!5CQ~|m_IF6O`2eOE5DLJu&)o<0L1dDsl zNTn*oviIx`h>KUMEy%)wrv^c&!7;auh$KFU&Y8%|AFFZIyXv*R0FTeZPi_nio^+62 zC;_tJZ7DHKR``4OybJx(~S$~GMA>2+kVDrW>h9_e8Q<8#Y-A{cZR~KMj?)(xln10svV2~x@ zv+KsE03>~0!RMi~qdL;f(bV*L#**oQ0H#;#g>{)qaj1}~x03>=OOxCAIzt?zS<6q} z_ry8oQC=2btl|Eqho7-rawm^gQbzcU6Xx*w=qUo_+G1!aoy(N=sO1}}alPZnBi4bbh+ z69gQ-7qplrU~6W4-hi4^Sr#V@WvnQ<0gPqmwX5Q2d2eRttI|FE6d0`86u;N6{sq%} zg%G^jhRb19a*eULNgJ4J#uT73&^ihL6oH(-Sc$xYeWI?N{bKPtdcMK>}SzU za9V{1b&5NV53%nL`@=D@j(Bg@fu{00saJUivKV4B)A(M{8R%g1^}g9UBdE3L7Gz+R z1Tk2DY5^3^Z%#Kf@K(fD=;#vw%cO97mNWabnag>PtpD|5pc7`jDmnXs()#Q`v9OGn zPj=i85S+nZ-8%w=u>0D*EbQvf3hPeVChgNtx2Fawewqx4o-dTzJD<(4+Sl&-Gib*s zpDr~XZ=He)E~3T|Xt6rwV7bO0CQNj|u#!abCjY?iy4{qn%Oziw>>Bnje)Dh3$85?! z20&P?$NiapS78L?@57i=Y59p5M3sPsCT?g(m^Hq|#U!*N-2Q19Yx_w(~GM|JUcr$8<7hit@2ZG|@P#pDs$tQ3k9YA&ORwk3TMd7wlS*@g@{9&@ z*I@?MXXipX9yyVH5!ye#eQo_XEuA%<`>K>PK4cMS=cBH?w{6{SC_PyFbjbu`h91w- zc>>u-1mB}$t7hA_X0t+%QR}c>k-zShYye4^vFIwP59?s6>@|s*cUR^r#i7HdI4{A> z{I!_sDXAq^y;ONe34pvjkNOr-|4k8I&l(Qf@O)Q3`Eu&Ht<>p$={WX!;p~Ep^3{CB zIiS+pFRRu3T_Ag(`w+-T8h&5fe@U_YrDFe|Dm}%P^|F~&#{LACJ-v0`6_9agGNZ_P z`bv6KekOu1o9!q_42eBeN|(4a5&Le8elL=!^qC>~Ub8@(iBcLPiv21e;-Jd6ajD`^{D+DI{IG|SmBuCq(EWFH zb<)RXG+ACKtl28bN^-v=V%Go7&IsTSSll)!j<~I!sSOMlc&FNzzS!9U#f7URbrG_X z2z7do9E(#W&XRT?ME32+c5TvV_Q2=Eb@)(0pS+gbR1PPjOwAJ?W^2|K%k-|5M|g5@1cyCva9ic@r&q z`OGh=SE{=yvdH)l0GBO%2C~XUu?zE?=QPV8(5JNh*IKwj z^kK!VpXn6Oqg&}Eg!8#l+I|*`wEmWJph<(^0NCH<238>1-|-^QVcTzX!*kzo)#mrDf1(1HvpSm;Sb01uW7yYJ!1Rn^Mto^EYZbD#?{4v_^`pY)h2@HGEw|2TjKwtdh*wrILrqjbPj_XI|=5xxTNzpvhRi z5-U6Bxw6o$Z{1hPqL${9kY~@vLHmmvj&%~agvSg4xZ%yexZ%2G+ppiVzBCWY!t9f` zJ!y*8cUJ@Y2sKHRAisB5-5sR4SFj(m_rCq+F}ME-%Gj$ls+FH&zo(lPG}}bpXccX8 zO(vOhMt0tpC*yy!^;N9-am+qo35ZmB{Pa!$VHo#^Uq%d3bF5O%vvXjN{K?OS8hMfEjaQ z+kSBn8qldKXiieBum>^4%$?e5Lg(0mGh9P~R+(GcYw?xgy4rcA?a~0HivHbc;Iw)06;Css^zK#YvU zA7SP5yL7GHzx2uekF!_A1wLPlxh~It{OI2nPHUt%h?`gy$5q4(kD2BM-aWfJW<<6$ zb3f?l*7HPN`_!TVKUk&uiU~=ab$_Qn65p{E@(iR*RZP}xs*&dz8v)yhh1j${qT{B8tY$z$`O~zi({Z48RIv+h&=Q8o0s@|$3ylB0{4%;z!3x8d7YCE5TrQkShCgpcU%-J(zte+$efUa;&IM;JYi z7qQ#A?2=@zzOwC#y#4-I1Xw12&9MUFDpLMUjDfSgg$sE;1y4p=Jvr9+s@=@T+3-ZH zh{0+N#WA@UL;A@zTTase({*&1xn^s{8PhGCghL=#!{owD&V$?S_edO!LEOayd+nqBkLe(cyTil34xMJY`<;sG38_ zKOzU)Rn9*y?TqzmSi`#(S~byev@2b3*IaqGg>>y)MKSZJiSiGxVmr1%GELW+@Cy8+z1w=kD+BJ{K4`a~^P8bkpxL%&(X7-a#%U7PoOJMAw6) zvqT&xmI({tm=@I^FpWD-a{gI2@Eu!<0O{Bh{ajHJ;huW|#Al-6_+H3a+U3I*7W;D~ z2!!|=1)uA`!w1ckPv9LPpL8o_X;pt_sbzQ)EX!~dHJ#VuZV{&?^^3U0tBtQs`#BFF zZbhfv+I=`+@t&=N;N}FKHKN&2Y*$NqG+mu>+`JB%18ToX>jOG4QOFZtNSB1(!LPcx z)~yMdONlV#-D{QYfPufml+nee%%@A|x-FDg0X)1oDSe<1?1Al}H|FaxsO~q#^V5J8 zYO^1<03$a--cwv!C{keC zSo|ii{24vC?p?pK%nK0*h$N)h@*xd09O%s?p%f{JXAn?pGG38NhPMjnU*L;4ok z?(RUAti7Os%i)N$%C9XO95Ttmv<_-JS%pW3V1kuGm>!5Jc5LUw12T4>KWv~J(sM9FPE$bTzaXPKUfa}0hg?Ygqw${uxyP>)&m7x zY5h;u!;sdG%=(5lA3UNhqsoti&jv5eS<3>WV1U(R_p+h(t=~jEI-Cqyz;Q9-zdLX$ zUzTv%Raa&nK1IFZ>!ClS*P@ zEzfepC?^P{4#nyCIiR+yuet*UxJB*nvU67Cs_a?}un*2EN|RxokvICr9FjLuY5gzX zBOoa(;Lq%y$FK9dJ_Eo7v}1%xL!RDE1}26HocsDEriOA7pJr6EGL zE2%&pCT(b;K1O#rG(y_fF+*%=B+FDefv4^GE>K#1Hricf&kxbn*w}VTIs?mA-zpb6h=>>hSVPf_mIF)J;XJh{WTB$eEM-0zxQ~$78FyYU>;>8 z_~J@|tM1^e?@NaE2b>_l z7!m9|(egppI~dtKbeBvOp1nl|$z*Bc;MQTuWoaL?bu}eCb`D19^Lb2B>Eap%x)-O& zMjBPLs!x@5fhO-nueB+hw}$QA%fjSFX?LGm5d&=1uEv{E!0-GFrc(vjf*0v;eHbyu zr~A*cLiOooard;0H|C$?(4w!5Ab`JD0DJ*ENZ#$lnbcF(-a6JFY_S?tb}eQ$r1X*c zD&eZmHjTDjX(=@^EH=LZQRJ~N=tu0Dc%Ue?5_l0G>yo=#*)sQ$LCLp3C@yL7#iOa~ zS)pM2SBlr$%2sw{JJR*zVSA7~Ot8G3mD=D0Zd#Emt9>$C)RlK+G>@bS=-j7XP4~V7 zp!FI20JQ!UBet($Jx;79TI1VNApb`%k%((`Cgh|HZTR(FaA;vde7XknVmqkLWJsak zF;#252AjQ&5&MTRV36z^qw|RG*_VY7pzYX`&&6y22k^g80CcgxBRyDWp6B1h!fzt^ zPJuHn$F8x_yHcF8IuGy$h>q(jh)47%1R zLq|huT!x?%WUJevEaQnTH#BsBTUs2q4%Kc?O~kOeniVaoYPsCOYWVEy_v(S_)iSII z9!4gt$8_D-5-ky=QV;}r`cU3o=Y4AaLp7);IU)mIxlcYtX8j^$?K7xYUSBSYsKzx* z+C(rbKGMiOE*)OH{n}bcA>`#ykC7FRcG1g@X1`slB#Q`7G9W#HxuUYdfbhImudVUh z@QjcL!ZQLfmd5a(H|x*hRJHJ5;rTsu)9BPHvtj0bQ^0c~l_2m}3HumNk@R$!)WZQ&3(anx6UO~FkL})o z&az(~+k;7dgmk=@Xm-Cf4vWxBG`nllO4T18+h6(r@YsIa7DLySg+YGurNj4{eEhvv+e}_>ds5ZU_Jb(bZ=@@1x?@x?TF+COAy ze8TY*?}sm!iR$9AL@A`C(vp=0j<&{vY0r*dKUp5p5pLBobZ8aK)+*;}n0pNOEJIpJ zwZ3o6q9q2bbx#1|((WgI;rJL5J?m!j#=Ye}P^~$+I>(=0(p~L8@!u^v^5;|hwhS7) ztPcl`ZQ}kKuKymxxj1p3%3&qUj7fGI?L@J#4+I}C)ufV|J;4QwKHDeXxB=m3jy$m} z4mw2!N#Bx!7}S61gd@B7!PHQEa7obe3b(NHa7ehW`7NYCxZ}MnryS7U^w)Ix4tV8S zJFjrCLXxQTiI3mSa_aXF^DE5}(aJ1pzbv+wFD z$HYKz^&8F0|_EgTl{rNz>e5?B%uGnKfg`c6s_wMv(Z@8fnX zy<@dN%sgfvQAPOZ{F*orqvfQhdr|G2g;Dh%s(0kez+nRx%%GFGw}M%~N4He-?B#C2 z2*IPZb8hk7EqBb2)fe40d7~kjsVkGAcU6EFUynwmyLXi6yzFFN7wE#;g7c!?5N!T!J?Wg#yPU$c0{5qTjwCLF@=mj# z`=(pilb`r>*aCLhUElkGmdi!)9}KoBSb$@pcxQe4zZ{F~uW{P0Bg0tA1K%rWC7j1r z6%Bte*tQQU!fg+NN^S?l6+ecenwURHpXtk0xf%)?D>8m?+n>`0`28hW8qkATL)L$T zslz%IjS4Qo)Zv^G@b4>^VCs{y$NCC$rBHFG5(NX|grttrFfof-UIMxsSBh z8onq&h-?9AuJ?9>7M_~q)siekKnR0E$YT{ATi~briwsALSu_kcnbSk~e}Spl05G-V zC79X)S3m-bHC_}SNanle7=qK!F|mHw=tMO#O%BNH=vyz8LH8S znqF)-fU39a(LZhW1Bea2RM=P=%+%POjVUGGN1V;Vyx(x=BkMIfjE!o9Hzz82FKXoz zZxyVYX(m#?et-Qv8|%)7dS6vC4Q9c4!bSm@GdI-tHOTvnGy_u}87Vm+i5%=?>U91# z!T$QkVQidRELhIFrr`&)3Ro@Qe1>j5j}Lq^c$(9b@V0DDENEW-I-eY`Wps`D(x$@a7Mq>sf9WYFL#ZqkX7 z`P#jFySJjAKnThAGiLDhPxNH1m`!(^?hRe#<^u=PsN~W02%%_sX?N-JXsqXtkso8e zOd^ejb0mkmBzb9_LvIDAW2zr4$VRH8%bn*G1KTChVuL`sO~~os_yXyt%GHLKZ)eHr2b^KY$_GLcEAoyv|AG zF6Gp_2Q7E!*TgxQJtD0pGc}xsOmjfO$9Ip$CHR*$CUqHXXPu?j?jOy&sQ;+bN_d{$ zmuhCTJds~%S%kJ76ct&RC@tNHvFL9sH?VN}HZieYBfVAIpjUX?u4Rz$Ysu-g>rUy? z7lXZVz1s%MqdG1&M_D!(D~CV4NylpCN8;OHi8IjHLtnj8^=o4#8r_353G8}RBk2_U zVy6yAC)pxD0Mos>^Pt@P z(o`eCXDjzyERXK}xY}SeZ7{i<`>^H3ZXR&uqHs;qVx{fsPxt5h^nn%ikLvY{*Ew1m zwg-_oA63AZVYET})Cu627bz{-c_h^^DeU3DNaA6cZ8hq-YxeW`OVwnDg;TMN7gl$^ zxj!x6I!VYvZlg~^m8ynqaT^_~C^ZBAxlhQDzZ`@`7Z&Kfjx#0M<&Iy0ub%sS#4!q@ z;fpwaCg|3ecLf$KwwpI2-Q>|sQb>8;W1KEndwak7>rw7UN~5LL>F3a64SOgiuz+zm z4|ALi+?Itb7$mCuh$^ zV$8!NqneM)uw<@7HIvP+H-4PcL!1F)4%!5?0Wg95OoDhxs9fRwp7|^W7Cp?oXfYf$ z#8#5Q4=V41i|LMJ>bK7N5z@G0-{ug;-zD2ee%l#aJMXSM-Nb(hlf!-vB6tU=S|@%1 zLtbn1wl=u!iQTDt7>{Nu_%6NvwI}>dvZwIGl>HHllGfy5^$Jgbo!963v7di#6bhV{4J zLp{a1;R%O41(^lKOt+<=Ph0*!MQR$hztu==4Kq8y2kEijtWsh%T-e5ck+w6e6v;Xe z9ilY$ehUnjQO|iLw(;69QpnOsOk&%g zw(*Sc_oAVfw(+#~WFt?L8AGFz>o;Cn7l;9jD%NvG+i9UEAu?V!vB0NuT;C?{aMw)d zPj!O4MjLsLS2>S5vy3Whw!K(*ylV=+y}fkAUE$Z=Fa08wWfD+%Qy3@QbBNy)2N5u=%s>}iB{VQ9KI;m5qh)(Q#o#?h z`{jD%wg=Enprd@olHHZ1OIO%YfO$QKiw{sH zC)hKav>u?11AUbN>K}|GRf8FIcU1rRcGlf;#3f;1v|V!9aGbo6`NP8uFa;LCoiVr) zP<`RGpQGnB5;b*$Q>%gf#yJr!pTn{~QsU#a8fNErlO3RC&FNRwr{KI-`0vJ&EA9H3 zyhrMiuqt&&JskvqoAM(pi;--Y(@>KzxOUusi z7m!1*ZpG*ebMNExYa%r$SHtiHoAF>`2`kP%NpybAZ19&Kue~w8H5=6-F?7}^u%W4a zkQuIoGx37?q%9}&W(Cr6FVqgGzH%8;MXZ*ry=!;OkETSX-6-_gzqtpDUDX+7u*C<}c6mIzFvnrjD|JeQhSP=Wo5U;Sk5%fHY zLE5=i&vZoNM>PYcEyDF6?+N+fH%4q}+a6aD^m^wk6ka(V<1rVc7JU#nkk9W|!49JL@d;d?v(V$sYTQ_6JUd=PHSJg&1=%65f()g!SkA z4aZ#%EDg-+%9(2PpR!04`x@nq@)|@e##as`LsvP_PAMno^p z4Wt;)qyU$r%hGqO#55$|>5WRUkwsM0-37Bz|4rCASlDKiXL&E=h!|cIbe@eq?UlZK>**@Q{v;$AwwXItGQmJg^lD~_z zPCELSrF95r?-&Y|#>_yzB}kXJ_=X90xDzj)_MD7gkhjP+?17s1Hk9eCRnE0_ zzj*EHUsy8H6;~{NjIy4Qk}+U9v$7$+;K}I)^$b@e5uDdGd-w-%^_7ocwnrz1)5`}@ zl1yjl80M_ovu>5Ivq)^0LUo{;qG?mV+GPmN%PSWF0?8+R^+TBLgK`Y0EPpk5XynO+nWmGy<>1~p?1=d2y>$N! z>D^=fNJW-(7}_D<`@D~&&vQ#>oU>d_rE>MS8`0!WK7xy&OP>UjskhkfJJ zT872JxBKFQ=DCwt^9t&7FBst$^g9=Ni!Q394J~b6OyKT!(#g`Fo7ervZYMKTnaq}M zKfDOgUQj+Y)ZFas3$yn;*+5BK%q{H1z0J_LGa9>nkIH*%ec_3E^R^chwo8Au;tjgD zII8DuFlOuLoC*gapncr1awp$QxW!e45R>1{gMURy882C27A{kdVP5C2mkD6O#wLAF ziNJ#eU%bhHN7o0wn{ysuoAVOnZ}vMm&QrPWsurlb0l`VKj*Ovs0GB+T%M!Ohv-!FK zvna^OW=&jetL&U8b$oDTuq>3%;SOniPdbD|3R5WButa6F+duXc_pyx+*Q4tXYq<_A zMmUWeidV`64j>*U_`D*42!J#w-LvwFa`GOW5r;B5!0`U?*Mk{YYc*l-9OehtVoU)h zQUPt+E-4t5Z0GT|G=o!t zu~~ZG3ql*z6h{+LM^h?;C^o5S*{^>%H#UbGuDa{U06O(J@<6{ij*6T?-J|B&X`4maB~{!@ zbCVxSHWig2Ef&}9&V)eC&n;BREf#F0{!#5(I#D%z_((K!HWYu(Z!i{Rm(k_#w3sD5 z>w|*&>T@R!e!tOo7g^s2b{(IOez{uO^fhhj^~hW__AUOhAAau_lH`KVnm)#yh`kSg z88Z;@Yw&wgL@FH_{nM6~W_-OSr~k7rYBbn2qJ`oNa9$D6w(QP1-Nr|7$U~G%G!Jc* zGd6RJ2K_?!8tZu-Hs5gfY%*Objj(Oyp>2}c<@bApNG1n=ito8M@JUR-AH6TGletf^tNTG1a*n?}4pmqx8Hk74$gv2)t{W@L^dJ&jiUkD9#WY&`J zv!Z^hy7|W4Yrqa^^gY^sEQ2M>LgcJrfJp|JXGQlfR7aHXDJ;^_o^vSOM2SbbU+hectARde#D-({Qw^o2)%@DU*V z_rcG~cE9uAskpV;gW#vHL~lzA5ou%I5jfgE`CGt0tg=1pMlpGQ4M3#jX8V&Q_u;_d zHqcvEDg9EA0&r;2T;(L=A1B|620 zqv_w$!BVmtb$pe*L$m?sxX>7GKv zgUH-7VXp|<>Ngn1xT`ut27-Lb?KnA^h=Kz{o~=F~#7g#tV^uVZWC`C#*((;Cxi08m z0wU2{p$#8tI6@)}y>`lD-h8{TYI8bn0UQo)RC0-bv<#ULFMtSL@K_>R-`$4DSewj^ zTf{$LVR=Yoy&c9}aao?34D|EI`5=`PC}wp}|Mnt%vLWEou#{Yn>Pu{*2RW?pJ-Nzg z>3D-VAs@6_Bn&pIyu4%L_F2$$M19D^y`sBvBo% zqZz#m%EtHiZg2gDKA}vq_2;Y0X4;J-P<| zmXYn@X4kK@n=kJ_zeLV0e`xM`u)>32W69j`gHDxpaV#HtVukf)RZmEWBy>FDL1UKh z3{QN^&xNk*4T(-=Y|e*6xMkdoF^q4((r@bK77f_W1a}NRFg*!~SGf{!{LZg!P+t)0l?&`wGI}~8NrS0B<#U_snh!Ts zx7TzP@ymZaY$+F$DR=t~mGt6MMM!8*#%V@~!g`|owsGzDfhl~|8YLFZK>6Z#+kbVeb})h7e`jRi4;V%H2ssa+7mQ(TCFRN9g$)2l=n%Ei~T`tlyiAPanKV zpa+Rrr)Szox!+HR+~(xIzjqs8UTpe$Az6;=#g6h0_`iIHM=Z zF1$W9A;9QGTomcgb6=tls{Q3h-AJR#n*1jfbU3~f+92=RBoQ%%WNaH>xTs2wzYsfT znlKj%XH?ab6PvGxD>V|b$dS8}1KyY>ti{eI%FiH$3CH$@-2v+1FxM`w6wMj(klRm@ zgs{IG(ci!gV#a0c69g?IvSwT2@dv4ZYh#{j*?^a$isemU$9<TF42*vzIeq(`8@^?F07VsFr}RSSS`V( zM7Y=(!!b%oFSm%XmB(O_Dq#s)+gjwnKY0|{`XNQqE3oUcyUNw7lB>x(sS%z{Z-Ioca)k#Xs(&oAa>@vJB@yg9JQC_M^t;& z>q56uMQ$>ay~m@KZX_(Uk$oRZK)MNj&$cshu985NC4($(fx~Hp^Xr&?=CWP zi}dUpgK~Znto*so&kl`zzzJV@&WaLtZk~RMjQ-)Uc8CDz0EQvMf1TU6D^QkuTKRQu zVI_xzFUH1iJDkLqX$Q`+nhh%L%hWzf)g~89?i&c7-l84yddT6FhPDBTS(kLU7ft4{nMTz!ukSb4=O~ zv)V_1a_f~`06m`L{2Cfyli&CSKY+#@Z=)0CtB?3< z_cdhk8z-T&X|fLjRG@FHqwmB7ZIK&)bH5=9AK`~I2Vu5P8@%+Ixg$beE|-Vo_8V8w*QmqVR4g5Fc6;yP7#e)+@uH`5Zt(%WVe`p(O+Y#RAj z0)8ERDMbQVRAJ-nL67j|oA0-H&a2os&eT+En?hpBn`Y7A`N5q|C6BqC8?*6ne zx0x+qJ$zRsO_2zyPMzZfZ5(G5w{J(Y`8l@Dt$4&GgxapB9z>qlq4KnZhCF9X)ie!p zI~%$6@O(xThx$bQv)yXtIDGos#LMl=LFc|wh3&c3;U@csFbO=EYUfd2qJ_|2##iF| zi?+i;SX*nqqGL<|H<7b(Kl`&pK6AE_Io%pFl^FI{Y{J|QeB9r0| zui71pML!UtRh8ljq69h3*_~QTTPKby4n?oCOjm=E_iqS*3PK7xBpqt2{5i0}F2{ss z)PBDWasgMimZ25&6lu`TC0D+5S6w^*y}hA;Rd!aI;uk1~L;!l$7on4ApA%un1n!mRGr0j77Lat&ox_Y(p&N1AC0GY z%w^qDVmaUlZZx$W7;XO(LLy4!dP+$+W6SI%35vH&oBee}#b7n{r-<9O&Zf#RNdR0V#+QDi7N6{rA7iL}6n_ z#rWWduF8&)z;V&(JXH3-k$AW<2$7M!KUK(_FJn6iFQb6c=w4M2qyRJ8uC95BN7Hfw zIy0V6g?g6=?IAY(O~gNe&*vXFBwY4LQNwwF7p)~!*R2K)pBPj7 z63MT<6G|t`5Aj>^dD9oSr|NNo3Ot26Ax~02f$D&n66J?EzhuEWSqWj^cCx}OI>jNE zijmpp+)Fe)LtwaK#Ee7DNuS|!=ZpINpJb=FhK`L>_?%)pOCKL|H0cdyMeLGn6icax zFUo`D^e$TCZ}>7y`5>}pV(m$MQhmH20l(6oy9pN}|1j30wz7w}_sY-x<^bcl9wxL$ zA1;C2U~rDv?I(V}87S*+CKp6yeQ@M`|A#*#iWk^<=VY&Sh}INwhWkk z_$Ci8Xq6Wbu-%hKb}U2YnMlTfm#0A3jk?SyaZYiee@R$@w8>>{q}c7O6>b`--vH$W z`Il+dY^R(>@i1A zmD5B!&X71Gl)SuX^>Im4Je#5C9zkJgxG7pA{XCRXp{LH8?*yHvDszQ((XA9&>U_~* zb2pFg_#IB(ae>$lBB#u2 zyxO_eJO9`UG_L;Dp0=Q9F(7%YhVH{#wfD^4`F+2=oblD4P}3wfUXnUP{BQ&H@)Cn8 zLD3U`E~M(jUmcF$B}5{`Kiorb6MnC%fo?A=TJ{Gn9^tle>?p5`9ee3(a1@ym%MED# zQL*ue*Cm^q6bAXgm@VjN_PP>sr~VTHxrGiq^01HONDG>Acjzv&pL`ETUk+uZ|Cpk@ z8xYk+(b5<-%ivr1?2=+_vOM0gc^nh4Qc>eh0qEXjd{-U*n>Nscvw_~3uM&XelP`~O^o(LrHauevjqC<@pcUvvDfMEIRJNP)+J%r6wC!v@13t_;O79Z{ghuif!y3G=M)|Cd@BC#(&`-{`ju2 z99a=n5wFQ%eaVVDM{#sQF^fZs5Khy{ap{`0ENN;$zFq!v8F~3t!VTo#_V^6Fqq~M# zyMoefnHx5`V)UaW#LD(4<9>iJcRDd!=bS8^|d z?OTAt_(EhSrPJm|aEnFLW~X)&%|Ymm8r+Svqg!7EKms0)zuJ0T1!32R-K3|aWS@T! zZ|rVDVF;&0{hwm6JGZtx)ogs7!->fsgJH(eJLf$T`9==!O5U78m%rN#Sby=tF=^t1 zrHMTo{{_NWvU`!oI1HiqW}0k>wk<2Mbfp`9{n(tvm*?&6R`Gl|)S@E!`CTjX4-PRU zV!i*XmGN>oR^chj%exQH(alQV_Ud>opk-G`zi7d(mY%az*EDy`*Cp#10JO*74R{{l zct9Jkl@c%7;qQ6wHLvf|LpVT5(I+I8*BYS5SEkcnBE@`9C*fS$Q`-@xtx5zn%Y4*i z>m}3euH-%KM6QsNFa4rvJ@vs|ygzQo-cG6E^d*MxcoH2Hr#X)ew|4Uay|?ULfL68e zH7>#8@t%X;&q4L?PIiuS5+P|X{WQB%Hc!DMcW*)U`i*>61eNF4kgl%*bWVjDie8J= z>s0s~Z2UDh^ULt|=36G$FtkPnBK0x4ydRdUKAZC(ZYxSS0mn>=;iONJqX>_6qq(t0 zfn@%{6$85aKZA@)@%dCHljnV6wY*qgBOA@|mR{myceW+?bzeB&ebS5x01P-Q-YKKZ zm>NNar8&Atg{nnK)QIxI@6d>>jG!6+j45y2J16gjhnt^E8zkTNEzZz*3_Hc0Fp4RD z;-M@ExUeA1z$v-?%&a@8Ieq`z!A}wRu-6~ln`l2@O>gDfb(Zc&oeRb*%P6sJijbnY z5|0ueIlHgJPIpe!!U5U-zWkC~c6Tr46&SX0=<2(Yr5u{QS&3qJezL@Hn8b?7VpKl+P#_TNCp=xDsx; zKZ1J7X|mfMY5<PchPMW#GkYgFOH71x9BH)t)>d24-#$IAj-H@lY%$DOQ|Hr8d(Mo zn2+J&+?ysAW@x>#{A7jLdnl7U))?PTtEq8P!_nD3ST^*j@1&?^M1!JkGR0A@g3<;Z z3CSqn#XhqL`kMtnSh^SVjPNwA{$5+DH!x_Is8bP`9#1Ycd=ZkebHpyU)2g!Azt8XY ziJkp9Vdpo4b=s$Kx-0WN_R#ke>mu0(%3S30WYOE0#4Qj1RaVPI3*VVe9(5mzmUFcG zN^s87dtaWHF1yB841J&q`y?2ZNRvQXSF4-Dybsx(?Gar^7*n(W^EQsepnkizqArT4 ztUzlS)el(*Ck<1HFRb0_76stqzp8maj`%y-G^Wng0ft2X7XA4qPX4VxA2-;2>uB9| z?o$pDByZX^Xq)%Bp=p9W1@&3;v?;oJY8*({Tl^W6%=~qUzb^yy?T9CCYcxPF#p3IX zRo?zN2AOPnpde^0^@9<%<*?5TVZZHDyY(d*K-GQ1)Dy8K`g|dO25+@0S54Y6R94yJ zt^;d3X)jx0DSV_&G~HwG>}VdCg`Dba%Z2)S&~RL5!=g1Ilp}60`JF8_^=U*_sa2L5OFjscrf;-Uvj?bxWN@@*8R6VxnLAV$a!642tH!;m1pDkm!^4qxzJIm3tq64nD5Y zSs6{Mw5Z}|EPWDMR3{Irbi$qW0upytUwioqvMY~a?xB@yJ(u0yUbs9BH1_x{n{th&zn8jimG1wacyu{>`WcM9kxkt)u!POK#La>R)!) z>&jxkFz+?60y?|hBH9woeTh__;${!rkl_)p!{HOAzCuF67<*WWK&62x6M$|P3-@^nY7z7l0b z1sQ4I@M^$6;AP)73GD+7!KVD>RCU$doi2qvb^L1rjn&-TD6s(7by`v>-Std&sx(V3 z=EV_gI2O5EWT1 zbk7WmTl*66J$V^*nE!@JUHSXrq;c@iW6>A-!J>m($4F(Yx@^r9wUhil`18Fc$&O|2V#@U~Al$ zNEKG^dp=&RutZZH#Odb{~y;u8#|1&S3LXP~aKCb?3D4N>|=*=V*=z23i-HDatOP?{#vn5rt za!;eBs%#7A_&?3$CWR^yBN|CZ&90WP#vSn?blb_?oaQ=F;%@CPFFb?S?U z8Gb-byei$@EAg+)p#Ko-KRnZqbf*n25hX_~chcz@#$Pj-U@Obtj8Ir7ri!O^U%l4u zmka4m1V8>ygcNoZKu9qm*l49$FvDO@)$K5!jk_65_Uji>9WM7&fF!{^kk6eNo9)pU1i)4 z4X;1CT#C6KcbUBaAIZs@j~7FPC>2wsO(h}jb)LKBli8?fYi-A9WzuNZ>o&_YLxy>Q@J+_ z)a{W^Z~lJUcY18Q{*+Tg!*4hLW~md(l}EG5E8&A9OXepkP5Pk2%3veCQaSParNe2t z^$)?5WOtC6yMj}}8(K%p66in`zrU0fRP%nb{_xA-EepTBH;Qev+FMrXn^Zq#N*_M0 zPc%r_{^>OMVa#leWyPa(<47`u&`*0;vEkVkMZ*nMT_3E|uoFpgyDKuZf-3B6UAtcQ z_cDy#`q1tXDEX^PFR)2>wfIZ z->mg!xO}^MpJ#$8mw7u@D#f0qxhe7roX%OEE)F)V?G<|mzQcreH zjl(&;giG?Vm3iM@PU1(}hQ1^K(u7I-xW%E37y2WLiQ6Lwk(xRPcbftp(AcO%Q9*S~ z9aU@9u@?N#%Z=HfV;FimS&Ry*G5+0k!fszrjwR78x+9B7N?m1R5)>Odt8P2?3%57@ zS6pi6CPPlv*LIFqqU6hbHeJeH4TVUqOAx9PJ!leRtDjhH+GceFP(GxmBgOB zc8$ZXZ&E`Z&}A8?#i z0FEtybgb1xQ>5zX$VuFc<_ zHXwE>k3T7l&PcpY|GYa;Tbgm|*#uBG9Bz#$Deh|E%j_+7G~*-zS(d4g2Op#RO+R2^ z3bnD{*&ZceO5r_MmzySA4o>8`>R29}zD7_@?lV!Se_4+~~t zNhPdyISc4)d9=@F>FISpTi8V#k5ZF(4bTmvrm110Jh%+i!|oZn z>5Tmos@`5MKoIdR$YWWXHhfxHS9ws%b6gEmCG(I7&GBk%Z+s~=X_+=`^8RCaahn^SjHGl> zcPT`ZYh00@y44LI;@f$H&w%8#vUD1^BYBcw!kK! z-z_0J5X4H};}H#=?;>P1H4w6L53uqNc(#K5+mZy&Pp2}I-I=o=`>GgJkF*F>eE&^P z2^CRn>uo=fxorVHv8!Dwm2Zf;Oc-x4-sJ(=n6F7Voe&AG7>)xv>auOG=l%jBgUxl) zZJ514)PP?-EeF!wXm+}<+I31!f*QLwU^GYTRdkd$?8HYH!%e`U(HxE4KF2MlX7Fm{ zB?rNT&#b=3HtwS(M$crQ%CfFt)#U5$Cp4`d2+x=RdQ#%&`I=2MRX(q32VlfTe5|8T z6qW&J*^d7u;Vt9=G4J+2Y82(byqg2`QNHw@HzW!W?rz8S^QYTC&7a(#-vCat3lo03 z6M}VFrzf>Jg}N~gL{VF5OW*yJ{D2ER(KW^xf(??fj7JBGGC-LhDu2KD9Zko?$tKsf z-&h@bSR7;vb26`59SCp7oq}7ynIMw7j{aH`V>p41nV$BHK0mstb#idhbsiwdFAf&#E1B=*zT0*JMCrmoO@OTIn>?pHVe^aFRau%eU;X zP2X$3LL>qtzwXt9K?OM^)zR<}qRE&{_T*~oJ_x8^zTG!+Osjg9- zPcpLagVu1J>wx5Ah_pkZTR2qperOK(aK9Jw+BQJtEa=3x=W{vye&471Q{kF0QL#B> z4H>z-+Z$g-@nP^xQ>x7C`!&aDiTVb+&vlyozC2)z<2>X>Kn;-6Iz@=OZ#Nqh4`vi? zO@Nvq1Ejt78pYaQGh_YPy?FaN7|BZY@WUiM==AvDxD?fcibl2aY%7Q%K_BOCTMoK0XwU z@P;VwsTcI$0E!ivOa7(B`=6^7w04!>}4pd2T%bB8{>2y}wGMh&#A}2*T4x1pf%$9bbSj+)8z7Vkl=s;;Y zT*l%7DT48qJu_>T`=6eL6I@W3{gmek9j(BjJ-?G0XW(k8&Y3LCI8!J2O&o_BnI1gi9Wl%kTo`yUY~;{ZFYrvhk%KU-Zf!Pg(FGJuiqoK@M~(l4417s zc0E~*;E-YoUd}1ozoQ4X$wBefE`HO1vtL1}30kh&0KwO>SFSFby<-%w7kZ*%`{Vp? z&3j@ythR3<%(Se$17AjRL!@Z{HG;OnN+INq?!}tr;rMXzaL8g3B!J+w^}O}LrorvK z!#s!++*15c8r>#e=?!pFj=e?mAr)jLBvfaL?04Ri9AIDKmM2|izdK#QX!X>j)^S}9 zQ`LBOz85H*PP6T*|9pIj>IjFB>#252JFNge4^N5Z1)#hVUJZ@th!9nu)4C%iSxv(scpN%yZsp7$^F)X9II?jwH%@G2@cNy*f?E6s?~diJ&~jL+bZO!` zeI1UrdL`FNdC;S27JY#4nNBN~kHY6=#-0bwoArGC2R*DT~IJ{T5vNQA;$> z5-+BxgfG%Oe5l+b##_N4E{@E!S$4#I7fiF%0YKaQNzWFuKDn-k=9vb~RNv)MckdJO z^!_oW@d|K6pclSC>VU4*r+O}{QQUB+y!(ON=_Bc0MiBSU`_9QRG5IqV`Fc~8$&)%p zGaF~Rrv%}SG6^xc_RDpoY?bhZZ_|KAy1&10Jpr%Ywi!6X`Y^bH>&AKCn~UA;#x}*a zA(e>ISX}+fpJGh1B{*7hFj+e%u@kuLxDzeQ9_r`-P(J`l{b6 zi>5rU)ce`z9zyW50nkugh3oDM0do_K=`vSRklLQ`j-Lpo6fDr#QJ6Sl!>7Y2u|Y6I zNbLpBvMtAvRa`a;+56)`Qkuf?A1`!6pIh<1gf@2g=hg|KBk$Dn+|i}}z%l(faj^80 z?v09aFLngd*k39$U}61DH`gW&Pz@CQEuzA&VA3>$(5eN(Q*=d?A4q8I7L~fm{+wr|3Jb=*y0dmigt@FnuN~ zvz}nd1bZCX#@p(xqXCN|9)OcbcRMVh7aVLhk||^RBkOh!dN5&FRW0 zcldPN;W5|ebZF$|>04X%FR$Z=JZ=JnrWHZaT;n)6>ri_0?ue1@YBlEyWb+lLBDRAc zH^belqpjdvq3=9*S+29N^Foqn23JU{>X+)PojG@y2aF>(yY4(F)3!BnreMO6clk+# zXF0FYFm3VoiiJ_!mgweg8%08tw<)DVy83tciD$!m<`hlip4GHjVD-TE z_PaKh`oO-283&}F?x#~_b>V{epT)b8c3a5>2v@Wd2arTCf6b@R$XEC9AK)t z+_)#{(pA>caP?uVK}hgJ_Tu^%xCTU0!Q#DrtG-f~qO$r1z&KjcIK$Y$&CO38){Br> zxvm!%_Bc~4wMmqFMzqoStqS<{h?I0ayJ!E$n+ENPxhG{&ZHY$Mq2eE3p1Iu2_SlM| z*7^Zt;kxeA7L88e>YuSDQL18)OM(RRDAWaBogkROi_)bfn(yDo5w{%|IUi>c-zkR^ zj(4VWPrBY+XL;(Hbr>dyVVR|KI>hrgrj1qa1U2?}>Zp#FQhNI(!?Mkmu=x(zH+{@E zhhx$(5=Fl!5Am#sr@k>x>!)|@?O@67yWavjU*Ubx2*3dpVIPs0IZ7OU9Z$#>>kN#d z3mC6xcP*Xy;kAO=Zz=s@1?zPb#u=5=_lMK+iq$l^^(|yr#M!^Dwi;KTICHgE)?YP@ z`S%7?{=W>U%*wS3jX7$>@GgQ=DU7@S{(~zR?R>fFMOEuO8ZM8*-<|AtCvuW6S1_!` zz|)m7g=}~}859Fvgwd{wq3^x}MHd!FAgC08N`Sn^R%A%HBgi!&4xfy9cgIk)Ygil3 zYN=jv>%n>AvmA0W2~j5I_=^uTEh9%f$zO!&=C~C>p2Nyrb#wxC&p&((v9)OME-PW?gWg!!Q3Yq#V)uj1PF<3WKs`P28;iWjC=b^P*5H0OzrJP7HAc#; zJ;w||PF3)p2iUt8B7z&2#v`v~gJe3W!Z>5efj`fO848F3A8Yb;YdcnQ{xi}+}?005{@GujF!Xq)7f zbkcvL1-`C^(FyDSo)&v($M@thxz!477(ECeTcpAO53x?J26tgB;zqN<@B>?hN!C6+ zx$f{qNGGnBUzf=%<}ae4D$tr+-<^5PWm;$0-=jy695aa#oHeX0GkIAgesE>hXTA5$R{#Ra8fT6_1sRhP1$iSTOr%C7R!<@ymbOj1$5%5#dY*Di6!j$Attu=vVBE z!Rb57zpc48d+rC@BylmM_gj}$><&NDi_h9+)V3Whku?$B6_x^;^MquNCGik-k8ed8 zFgc)EXYU@o#qvOaa5gCl@0tDU` z@h=hzzQC=>etd=I(*zqizyqDAdezvITp*L3-vSTyIVzXipeJ%y%+(06K4uQKm73gE!0n>29)KOK4`k;r=0B6_V)RK@JpeuJnXEV!zL4yWS!^x4iOt&#di@|Bvf{ z!U!BErs(xyJX$H&kPxfGuGJ(}qAj)Cni|}zXX!ymwS9M$PNMW)%;edJQw`jds?1{Y z+LGgQ{BJaqk*m_Yq;*&>Tc&wC4%AFDGF_hlt2~wm!SMF_!{ClhU$-{9 zx`06V)f;pHDNvszt{?`o^(9SR=jYJHkzCFE_B1dz=!h?ja*Cm)CD|eYl+Ib@i3LRK z_0!Zv?f>e&k@NAar~mP_spx;x)2BQmT>cN4@PEjJ|CJy2KV-uHArt-&neczeg#X9M zgxZ!sCJZGKNandlvp&;U>on8g^G@pPr+eg9-`|%WD*zmvpvNM)|LT~jLO4Ut?ZPw- zzx=DW!~S})Qzb{8qJ_Ho;Ki92f-TmtLwfFVh>SKb5Hpqwu|lv0VRQZ%#p_JNb%{6E z**1ZK6AWNLvEO&pc9L`yG%YJC@+`dns0z16d1QW;Ezu^Wp9*k@sDeA6E4x+z#e2tD zNWqQoB~(l{of^V5-sG|28lHT93XpdX!~1#GKy08FO~iG+p8q@IUi7bs`#qn9b8jFr zW*tV4R|;3+Y{dmG)a)@Fnb6qUET{zocY4pILSplE3g`-H)EYfquXgL1_9-d|^9yx! zux)C~qZqj7{@J-w>;LeF^$&@8<6#5*&`H;h^#2QpVZ|R{!g$@{6d^i+V*(D{2u8l=5soaWW&lREL=C|I-x0}AhHKJYn03;{0l^ki6aiP?@ zeObFP&>PUrp;Ao~({xG906+@KE{A#W|sg-EDz;> z|BI_Dpd;a!z=VxDKv_if1aO;dn7&oh3fo$ zroH1wrmZFb(X8YNcBej`_vm|d2~$Lv;Ya3H)x7HStxvC({A6FIr=_Np^rWJ{LKS3= zSPp!FyONU8|9DmB1dpk$9BV*^7$f!{H_mLs5JfOiO;-z><&2`iok*(qBa2~{77PEQ z;B={3nU?)B)3C9{2Y)2SB!h~xdcKH?r;EL*_OltoOtK&2@w=r;kf2RDFIN%AIuyI| z{&CQicCIMY=dt~*mA*76Zrt`{`#C~p@-3Yb(CqHfOGN?M19m{jtB65?d#B*m&k%g^dd z&3x3n9(rA!Z2s%qA%3@=i=OIM1LpX;bUzgok#9Hs+EslyY+0DgSCEA?LHQ64cGq@$b zD1T(XaS)ydL3L8yP4zUJX+!NvAEo!fF#0$dYg-g}hd2xII{lWwUu!{{sc^K zFGO>RLJvCxdrN9(C-*-|*y{%Lna)0~nGM`@MIeuXHDwypu5>g6NnIZ)#1AGa9*jT5 zm`Kg~FL`c!FFa`G^+#p-rAi%kyQtufE|ChJ^x{4Q~TPUbNbVc{*&+`!PyG0gg>3>p{A?<(jD}cPn zO1>uMc;}A&pmAP^jTAx>$bgsKsNWjRW>_kR;U(w%2N{m6_gZ6G-7X&o!A=xqKka9I zS8F20F7=yadPOa?%fK-bOV=x2ICsSAkW12kBkUS`$%>7|A!A&=FxZQ>NqH)i_048i z`}DL1`@eE>@4^h;mG}mqZKR(X6O3wZn*Qzsnoycf@p^T^V@q;#e2(SbUSqA^-cJ}p zH{@Ml<_L7o?rT)YmR`s)(hfssWn%7T8ft+oB0h&j?#Chb*PwT4@}j9G?~b{mkt zO1FTx!^kpXR`71m3<0q2^hGP}eX*|KIv$7jLPCj4gZL9X4CY)tYG?%ml>(B-$ zmFruO7s5M=clPis8KWe=z8B=)_y1LLSJYQ{>Tn?I@(T1 zf`l|oKZh|N?paRd5+|U|)sLYy4gou@(Y=LAey{4QzzjRcn(-zgX6dw;MOi4G3Pic0 zvy#n2PySC2TP<$#mWuoglYe^s@27WUD7p+lbuT8u=>j-R9Bvmcoyh%h6VJ1Iiue_xcFNx3Be|g9@1IxTPrKo9nlcA->BV!H2>JvcuPc6V z$-ZBK$=&R_(__VrUr)vkE2Of2?GNNND>+_7G|ygEMlBP_6Zl~zBde28Hi^_~*}(&R z!bIalyd3dMTbnYs)0MaSbnSWyP~=q23B^wR5`nShxz#vn3!@`F^K5EVTVdP5E?%TY zCBF!_yyPufq(IMlda5`7^zh)NC!3dfqcibOumAlteVIZ)1?2xw z!(EeuNO8wRFe*xyT8DA*3JIMtB*oLrM{8~%3@V<=h8iba8@n+Jjx$p5)4SbV6WUk^ zTU6N?f;TMti>>-Td29CSf-I|3f*Hn2XSc$)-~#H<%%Cs5VQc-D@uvMj_MxVWh3B91 zj=3y_%ubdzL0V)(npPc*?N&3iq>iVIPPp;U$T_Z@KW!1}3E0dkxBHA34pU{>Em=R8 z%%I~XBlXvp54I(qL@R=Acf`NF4KNzpvvLa^>%ua&cyR`mKb+xCCLeofp3YA8W zJ-HTP(lElnN~ajuqkgB2M*jZXk7lLAPspZ%twv09d#U&6bE6cAK^fb0!~jr~n9(W| zcRYccn~$=@7J>>=OXcoz1q4PX1gwOX9(zoz*UNuY22XufH`P7aahTCNIiLZR9YQcE zVj(L|b|xg=`J1Q5=D!Z_zX0|$A-7xjOaFW&=vlSN89<5r1Ai|5m$&}9Y^^+Z$jDVX z1Zw}Z>Vf#wO$;fc2B~L01l~Si4Of=bUHhznN>F@o`>ljyLm?+{EBG$UmwI#w1zWbYqu>SJ78LU$AP2{Lo}i5?{Cc?7_rSlK8lD|OlE zG>kj7I2um#4LYeOtbXpxu+M&h20~u5A)P~-T;{$Lc4^j1VBW+0WZi44Q?K*h^yf^px&M;Lgjydv>0EB0lD9HC@}orU;kf!?Go)9YI@KvV@vH=D+>r%DlP55)y047 zf3NrKDx-hm!Xi@JILa-j+wLRQc6AhS6X3M&Y0ydgo_|iTL z%MELnEFJ{oq~yV#{qGT_e@CGt5WIPOY&7 ztI{d|G1e+onbk2wy^`&u|KK*y<50d&$1*W|Tuvcs*@8#7+%31_fP)H{N2bBZiNWS% zS_#y|g@c&xx8R&7S5u}u6m;;TxlMCtWAdtznSS$5q?orIki=%9tAOpOTuC*h6^?&` z38xVinmZb+y@>bklE~ISD=ffB1;|slLF|f7latqQ|`Rna`yS~&k8kiEy z%(wG-mQ&UGh#VRBXW1&~i$uBI^2#28;K!cjx5-;t11;-a{>#N^8K(!Xle0|0qyO^O zUzh6AwKrHMkgjP(zzeru`}Ck$LrPU9N!^QM^i|bPh@!^$6?P7$BSAzu+v}`;yRkAo zGL9zIRS4lCFY|9xI&-a=eR2RvRjA0CK}?PA-@pPA9MFXa**%n9Et7%A@O+qNpdq`ZGg^lrKPsp}NP;FZ@w6zu>dw7w?_U@zIGO zz+;)f@{GF*NsAXHJRo${HY@fc5D#$GEi=9|0qLPnq=1sU_j9k}zbLssoR!>K64n2v z*1Jd_A&`1w1Sp2hYarp(BM*AiMk&)B@mi0LoHuu)y@Fr=AYOq6 zEwYYvKp6Ta8@9w3Sskl)k`S`^dvsjlV};B?`}SzX+6&d|Jv+LqtnpkfX%(x1mcVyh z3KH^pG;mWr*Y>vK1i{s9> zOg#6Nc57+|J;5RGYf2-k@sfB2`cKkt59K zPNsVswH=Ux$hj%?EAZ`Y&~n!Q#oC)kC7t$fz_ePUX=UXuEtA&d8ksASIq5W-R+jtD zC?zf_nF}D5m6;1OQ@KTuS*eLDF1cc(LZyP0;*RBpDYy$Lg724Rp5OA+bKduy-}_G| z`Fc*LoBR8@uj~3;*XM@ud+tRn=vJl8h(Fnm!5T#I)7A1AaYFzzT^u;0!W7NJ9?qUE2SFXm^4B={8v@L{SORW-T?+|clU1Z)5rc%uZG$s4(0)^TKC zgj1t)`eVIcp-S%Bn^g}PIkZlyI$5`5sW$swBK4p`iKxg(&U9jS5!50~M*b z$L2RnZE?amH|9#4(10Nl6FyV$^=+7C+^@cFj8f-jed6{-h9qFU^xe$W~{kbQ%1MDHuW64meBoxGX8i7>ovDVm}jpX zc3E4E-FH70U_Z~|pw*t=RHsIh9YEnCG`M~15+ z(o#I<*CwpTM+xM)iJXzJ5O1^$3i%6y5aYw(&QQWr!6V5vImcyFYEGOP-N}nbS?Sw( z#g+(UqsiDU2*&EOoT%Z~t{&h+8A};&>5e+6NBuN47wekZ5+xmo82g%ADnabuykN;M zgK@;w-1^+*MViTiH(^<3xSkiLZrC|Ypq!b?Sek88Ac$^C&u!>3ZB2k4#g>~2-yGOO6}Kap zN?Q%#cdl8l?W8XpRZQA}a9k;6ze;sm(!S2rV3I&D_=8bHUJZi!nTN$#97sq7axp> zSLGA)*3SC_HsFdyOA7KnXg1BGpl9YIY36t0DiPkAtn#rn(sv!)iAQQ>iCYu zjJ~-xOd9f#%pV|4Fxas|aGDostu7RLXzl-qpc_E1N>W8rXQwvqJ!Y>Qd$1)$*cn!8 z)BSAv9c1`@L_T(S0N<3^lvz!n7|Xzn?zWg9MI+X*Q|i{p5f5FJB~yyF=|s(}c~3tW zEUr&rTFXWDJPNaqT$(-!7VWTu4s(6d2m9Du+mK_fUL*d>>CJWJO4szS!dJkWhepd4 zwCowlGV&D$jD86>rNXD5gt7-i;`^E@G_HBMn%PGL8Nsir)K6ETC_RNCg#<$B3oQ;e z1wqTGR;wN_gV{tsjt1P zUo-JE0=VowT|zp@_Kn~64(TK6b2!$cKbgZp4~f{?W5IQEv;aQ0HvnLxQz`AnL#wBu zwo}T-)_wAdT6=bHB~+)DI(jPLev0uVl>azt&`BcU;toZvjphb?Jab$Rj9CjG?EUkg zLYg9M)@3jjKZH4FD!ks^S$y2G@CRMHWqOj{;h`F?`CzX|GWQ2AhK0lqoej{vF5m zWxxZOC;D$y+s-trLQ*4-lpoj(NsET(+xqZBaQ;h%kL)nD#r@v6>CnQs@V(&~f*0~g zQa5Dj64!8MGAmky(w5<{h6xsK6^6|zJ%>#8XzkUbJtt4~*;Og*1)(-_iLUeg2`$~M zqJGA8yM|KQl7KT%8%-N@8=(&fx`&f%R@&(^tp}ALH1yd=kk!%NcvQrkp@D$qt0fN) zQD^{}pqJ;zIF@{6yybDeHf~;1i5iMHiB=$cy!+{W&xg?$;T6Q0sPlmL!6p&xg4&;J3n z*7X(GhnI@xApcd6Scje&t)gOw!v* zsnAT7$>wCbt&Z66m^14NZKxg}QM3W^b>lzI(GoG(C($P@Yiiw(&EL&NH-uWEnxrv<*#&*C}ct9(ZhI& zFSV?7foRU100{39AL^n{tFeUF-?SPW7ge18P#m|mJ0N}q(jFfOd_R3^t=R9N>YGwj zZDnZmA5it|7U28&odjygNllnMu^NATYyD1GZGm$ll(o`jwY<>4HAUnNzHD_!I^}ij ze6unF%qJTTcUEMg(z08^d#x%IVOJAYlDj20tdUn<1E-8S(S9{Fcx^GC3dA)C+f@d^t9r*r2?-3sb-T$k^JhXvcAPJZvOsQ zAF`Ooz`b_?i5_(#j;wAp^pWwbiw=*f(~|{_QG$Et%Y+<3nh5NAUZvQj60=hL@XN>J zOVJM@CmTtU;P7fegGkojs$uUh(@)$tUXNcHkC^#ZGwa$1$Z3-ucA?(~ZE|}5uuW6& zdTZbql8;-j%-d<*?&NjtsR?$nw)2-AxtCIn;`pk4KP9WQ-$zgF^W8_ZV9dg4lov&F zlNERACh)wE5#wYYU6W#ojO`)yO2*&ES1_AQ#rZc#R$)^nBO`K1(Pv0HX`=n#%)P#meMz3A;FaFwyX8)1EFY0lI%DkrWemItovc3f z9*=wF);E@0bA7DKf>ZTNBMamufP6moH2&g3bSdf8Y^TUy+mu znoWP|j*ve9@3x(L+q@IbtKni;2(8T@0p)QmFD0p{$Spo;u7g|uO8*WtE&(0rzpP29MEWF`vF&mR|wIeO2Y()vCW$sm7YqQn>mNOmcf+pBZuKAlgI2 zZt8?V!i&>`=}*lN<#vRsc=ZY=p~tq&aA9)xahl3f55-3Dlx`aYSs{i-g(625rio~o zNlGY_=SUV~ZTRdibw-dw!*qRcBzy@+M@i zyP~<%>XH6XLd3YY+`^^_Q;3Z{Zf)9kEc43T4%thhg@e$QBix+S+5Q?Hv<@%EzR2q9 z(%yp#JmZ+`x_0+%6%2xA0+@NUw@Rn&OS5hBVz}Br!M^S5os|K&FDlHf5 ztc9)d!^Y|s7*oSUfX+RHrAG=z3Mmo>#s~(ZqWqQt zA9+s2G~pEJ)pXsI#pQ3_-$q4%3Se%Ya{hiVqeO3qvg5i>@AN^M&M|Cfpi%h5?xar( zS9NZC%}>co^JblH+0>Ii{;XpYifj%KB}8(w8{c38;oRb)do_!>dklqcBaorEuCArX zA=YSHJwVDjOZT9M$&Nb6X@=`VNqZdY`5vU0*HDvC3Wxbq-rrSp`J=-psoqladh3Sk zMzc2>y$`h&ZvE4hHJXXPl#1~wswgPvzV9kR>0K3hFl&40>c|*^FI;^pa8?R5z_cJL8|58x@*~5)BcEFa7 z6by3SetYZzryVOq%7Y1&{tIP5CljEZd9xmAFTasYaRY74nqGw+nhfm36jiE=^`RM5F3jteZzdwO2p2 zrj`>hJ|J?%H?ZKE73Z$#1Yb;FEMs`OBf+~!3VA0SereMUM(zl6ocF4V!>|l#oP&%= zkNe)rF$3u)fir%o*vWH<#SflpQ$#c2qB+U|nk*6aON3lU9Zs`j0o-}_K)agbI$z%0 zkNp5tXg!=u_zO3uU|uU6PHMfacsi3={*;F%4@`lGd`+f|R z3(tzxT5=E@PVX)+HFgC1TeaBms_Q#{4!`r6{>Bz^dq_es1sJE+p2FRT@!p|&=1FLz zhZs5IPeueoRO#$f2nDQKXJIl?k0n9WFuq-cb_8BdJ5--f(J&<|`%`K%Htc~Dd z-g?!ee>!aJ(f`#GCthmJPSAAs=9i^!YxT2c3ILM(9EKQ4F`jO)c*ERoz8#$UaIVFw zAy8S(0_e%ev&~ymzTJGzBmi?2Fb#J92h6p7>p$j!<%1o@7xk*T=1yn?rFF#kO+4s4 zTiVT3wO+fWAXY@mm}$><*!c+yKdvM;E#}`p$|PjxWqZ>MoYGxIip-Lt$d?64OUrNI zA?lpwVfd?})*@mYu?qp`$9xG33oQ3*BOtl?@uf7fVYylhb&vX~$&v^B{gzMG8~ar# z(E4O{I;>fLrrSb;)-ii(xNYi;+jkA3Q_42n4a zj7A~$IH^?`b@w?*?B)@5zlK8j0F6k`j!M;kXN=m55; zsIVbD0BMmP%;45U0iXZ6z3KB%Wq+v0HK1*FG(;7wiz%CPqJkx}39|JiKmjPO8$GCh z*dwIkqKaKO9LL!L5+%wpECDG$#-;i@6}U&Lh;dzCod4ctKCwk^rxaWjt*-yH?;-s! zv+bau$@J}7haLQFYMYZga(6dn<9n&? zAL(uN%RlTxCY!WLER`&ShUvEYE3UF6(>9?7S7j89fWJX5g$WHg*@K59OE+x(Fw?nh z=3Te8@0A6s0c0h-PViIfe7}}p6*5BRCBbLh`l*HZ=v39Z6O$Xd&E1N5%)S*yml3z6 zG7j+90BRMFiF!|pzI~niHb=XZEfqu!vCR;(b-qB047EZf*v`7D{#EzU!Mt$bO4By4 zUS8EuL*10u%t^6%UM4*(U~$-AvK4=I0D`k)^xCm+ zJB?dz7+GCkgWJU!`T?D3S4G~(Z`~Jv8)baA?Z^XfIiePPoqUO#;xj^4-3xTh_-1LW z8?@8nT@?2tR{_oUgy84oEbUb}xT(vf+$}{lu`7p+E(-fR`FH=wYbvpv>kJm587gsY zlIz29mx?S3TG^^#L{M4J{Z_W5^Eq|N4Q`oC-u|e&BEu{) zD29n$aQeYVp;_MK)Ajk6F7-h=9v1n|8?QT_JZg{%SRTeNjy?Sr z3&4K?PAkJ(ndiTKB>lwT#MgehYfI@9fQX$1-@Yr4!fXBtRYYzIYkm@NUOzxHj=X#1 zT#|{*(wmkcRzW|T2$@nGV(pb*@NPbrpaQR?8nq#8if{Y)cwM_wTp0f`I?x8qo@`ij z+JF>{%RiP|;(M>ySoB{4d@DCWo7#3n7PiZd%quIjS|8p#DhDBEqDJx(@g|$DvUc8G zZz=Lff(9xKCst4q1@{Ec4dA2uJCW_^o*~!Cn6N<6eWXrB9d&M8NN(#K9gvU>$5W;< zE^fNc`K+uzG8F_CHp=|U`&eNz@g)A;5ulwBewnVcdHKU$AN8LrFn?{;egK$_Vm)Ke z9b4ZRZf!n&`v6Eis`>IaMv;96TcujhR-a#scK!Py_V+?6o{%0@5Cmh?#cVfd|Mrs} z&-L!*!c!D<6*r_PJ~dmq7*c1Z%}8;Yxuw9{wM1@dBf3r+OhJla#0FNGydkYSpm>kb zl43zatLA7gm?WMmYlU*oV_f!S{N!Dj=LxIO4$97$&ruT_#yYs12oBKnHDXwpHfqc zVrKB*XPC1Ks~MJXf@uyco&+L_r4skYd)Y6;?0JhH9re4t(IGAiz0A04rhr`Mviz}5 z+Rp}%zU@1Jz1F=$=|=+6Y5J+8Jr4m6fPEOwA)p+pfvbCKXH8M#4@OeWL+x=vJ!k`4 zP|pWta-_%@?|W>|ch+xe{S9PM^^3L)!<@D(BcxaKfCc>fHS|{Fuj>^oW=~{VJ_gHb zsEL-DIQEh9dF|^%7c^uiXJxNX6zux#$>qNWAO{+)hng?Jy8`}zW4x{zwh2{6{R-~A zcGPGW9#4}@QqT%dzd*^2q59+He)l>zWNg-0zCq z@r-Jx`~?=0{l|Fa9It6n)QdXpZxGnH=%Wq>9pjIGS}0=qhiTkGu^_4HQx&FsZ6)N0 zDN@j|9m8%xtJsFzP7*G52XGLMauu#sQAgS8@ILIBFY|S3;>7;)RJV(t&1XvKebnVi zjRUpA_l~?%0(#j+sxUEnI8i%IIswx)GOkAOuTFN2z5qI+!aM|A7^M60#Tm6d3BOEr zIyveZ4_Z(uO~}mnz2HMu&v?0|$(R%=6PgR?V?ryUrh*pGDh*EFoC?(~Qh?10y=| zh98sOtA^7)2`pL9z;~#;nV2Y(4>%pO4|S4g%?k#W8RM3YvGsgPV#KVDa@v z*9UI?RybS43#*SEXnlUCg6F6X&AU;WCIg5-+~r>H*hx6gad~(_LUeH{){dNWqFWBg zrLF+PXta%f>_mS_5$PheCW;Y_UB^R_M4r_vlLg2}v5C3RLPc)<;&Xi-e-*XR zZk#Ul7Y?A9P$)Pl2X9#;ZOt`dfXyFe`sLaEJIlxWF6GSMF|Nzz0uB)<%x5RinS;4) z-{X(jG%Fmz`;2w3N1x8|1Zv5zSMKlC1#C~VJ0os?OOv-sSO3-l$EI%|Nk7Th_0^d+ zFMBVuznRSV;qikw7SFr=f*PKg%})e6I&DG|m*@nA!CerVsf`>h7{>}x zk27*%@%6?#e=oA>CjlLWP(!qHdVTD8Ki+atV98C~r_?mFFlHfLsq6Z2b6+`z>o}7%gk3784kEo5vdRFPt~|;ovg_hlGK8T#j%s3V z1_K#^L63onbiN*T+W$W-zlbD)PQm zFSQHwc-1d;7mSORDd~D%X2pz=z$MxEL8ax@FW$FYR)h72O+ykit{pPxl{-~WJWVp| z4z1-mr>e52=N|%2wMPB5lvSdvJK{waoI&f#*_*V@zWv+V(Zf z`#50gWUlcpj(xy2WUq2AR;3@b)BMsAOlc1sYlIC{)QL5yUdM-4-`3rQj*TvlnY*z2 zT3}Ih-Bxxn#=-P+v&(~R#*56@xu^Gr(6 z8>9c0JxCx+G8=29fvJ!UIe%mxj?Yf~tHZR^nKK$wuzZw6k)ZgaIZ02`0yMW**B=#RixAT!9ts4w9F=%VA&OgGu7f0poM8suJ)PA zJ7}BHC(9}GCRE>^8r#ZW=L+ZZZ}h3={n@AVHdEnO3r^jMSb;#0OsLcndmK>6DT>4_ zcV0QOjgh#Z**UD)#uu3ONeG{{6=1X)jn0Zx=B=J$vGr5=KpbOv>n9$~1N4hi!<(p; zFS+Reku2f$u1ppCcnfN}9|GRn+F3=aHVG3EMZ>{`9SN45N$|N+JeCZ2HU!i)vD7p0 zQ@T%F%P-gTdN4{yWPB|C5B{TZv<9h5zbrX`P`hVIJJmxFeenRS|f zwzj>U|HpZf(Wu7c={m6o;HC`;V;0hhS)ET{QGO|gRbtby1rr25hNcQMXjXYB50Al& z(zZ)2E266EvLBssUa13h&2Jzsk6*VK_?;WFTUp;D>j<8ssfMY4TIsepX4&RW&PR}u zBYm0blRM*=ce2IdaiR=4ncXIMty^D{NqLVqV9if43CNrlUMJNW)l5uOm zESut?v@Tlr_I2|MbpWhHcHbp&u>b90XSMm zFWR|Az$`x;!S6++Ba7=RldudF@nhoJ@qyW`J3OKcpwD8W!;iwX)%TiX`mk4yfQjsI zz-JA?Lose`#%wLuazSS7NxYAV{8f6@GaT&d=P>>M0MG!T=5`eU@jbEzlum6$sk%7+ zD2!2jP1CcM?JeU2YTgb%6g#E91TMGBpqw;cbP#SgD0P1G9_)gz$(nrb{`&q&(}?%> zy`13oxF$}w+82^RRfLLYt(kD|4wwnQ1Q{uS8G&Y)n*| z0T<#nHkVYU#YgXb_NfOl2qSq` za-1zZ0~TS#1=*t7gwKSpRT2$XGP>L<=Df03@SG4FW6>i4-K*rYMpREhwPi}0`-dQ; zhbV>tM!8yuy@ok(JSoMb^z@U>PmlR%BK0^e?sKZ8o>{1bYRq7&I&-S53K8NpZvZCt zsuJeVFIX=$(K9E5JxC@i^AYDBuLDvDT_Ry}SC>i*t#?SNldqjx(>d4sw#lSvLcx5* zLYt^ONzrnEQ!i^!Gy(R3(w>*Sv>4Rl;(d2niiy)bBTjQpHdnpg{3K67Fp=||P4Sqa zFfGTHigDN~?~iNbGwT~+uyJr}9ja)$VVv$FF2PkV-kE=4J^s+Nzg@=#yT-ipxnX#I z)0l#{Nbq=ub!tXeE#%l@(Vb0ahR=wMP5!{G-B&(c^zExrA}_UXYDB+{Y5o>KNI!Ai zBo%!a1XD%bj_eAaM&ztw<794!d1+u?*!h`T*Ah`OD_U{WO6%@{-A0n5jV?|;$!MoI zL`JF}KITctAswYj+6aF%mB>THZ^wwurP^S)qs1L6jA;@Z5ykH`WI!Vgg4{^TcdA2h z%nYMpcWR^sxQpAA@>BKcvQ(wOVudZ9&Ij&50yW>IH}$!~0jaJu)LhLm`M)y+?UK&f zP0C115$nxTODx#G@NHX%ZL(4FXE_)&|916p7Dg~`=2&1#nREn^%y+=n4Ghk@tS-cZ zSD&m(?KJu+WVsDlUE}>ShyKWGWDaURpItZUDEzc&vJcYd3 zx4wYG(js)a``tsA0r${X5^d;%FxYriD_SC82Z)yvB$_7uQvudMmuX}Z?i|p_NF;$I z9Wo8)Ea&E0YX+8w%wE>{b{C=}|Ic2Qp$n%6JY|40+Tktf-6{PRZ|ENMG5d+8T{@rP zi;v<^Z{dR^TkK{d!}9ZdZ932iOK@Fs6($$75XNf!W1}<7}IG(=`zx{*J%8qsm8lA;TX|m*i^7-tK7cF`uC!gSb(jRq|R6~|un7-(O3)5C%6(bM)YZO=vpMx1O z(^}QOj$~HQHoJkM-`qf?e_l`k)oqHL-E^Y-*NIAlW9Q_q z+6&!~mk4*AW}2(RCF=SVcU}KPzoC`=7ve%pf z!y1T0!6A>c?`C_hDvMP{-{Z~rbh?T}0vPazV)?~~b09a8_0We}RdsLivppfTT9p6x z;6pw|N3UZ6>I4g6uQroq;qZ!WOwQ(3O^Z^j0{&=nzc!`sqAV$;ZVqa;2)) zRosqn)zxq{A7u88yUKzq zGL2A~DpJQhp~9kSk2wFWDNUo|_+~1a(T^y35w)p%IEUk5) zpaPx4`aNHY&3@<}!eDwasJMNxuYhFfz3GA*PR5?pfynL+W4FyoeVYcBKMJB?+bk?% zBWCu42m>?PRkGilNXlSoL`tFi!hbld-a7cM-*_Ff4(Mj4b>1l23ca88qJ~@UI$53Z z{-j?}`RWR|Mw_8r@XiH!iin*oOF|UCO7#?lJJi)@z!i9Qifhjj@s&pXiv)BV=X+ zHdENUAV>SNpZ1Z?DQ+z)#%Ayw<B4srV67$v|eT@OuH+0;zYQ>tM#}_ra^O{eLaG z^UhN*?HX*xIWJf+@ zE@caU_w+o`ws=7f0hpGbl+Ur5nBn{|OJp)se=z-L&C<@GsTkW~Lx3gfl5Q)D6gjfx zxX4Hw`$tWt(8v7{(E(voaw)Z9!WK8_JDo^>GnDtYYdi_`!;c55tQ0}s;mbGYWs1e3 zX{#N)5Obu>GCOMKP?erAX67>o`=z8zaD?=+AGe@p3`8WZURy4NRvqaNrnoJW)*5Qn zHma|@7&-)oi7V=RtlR-~`b*f6sBd3*@72Sf(n#V z>#19xM@B*~W$v2JPTbE>zIuk7nTQw+BJEmKX;N8khV=BuL&u?c-Q%b`l|XhM&Tf$m z?8qVZ9gR>Xe6Er~qd(*%9mhaGzH%OLMQ z*;*yDQsKsCqS4tEuzdzWML|8tkLZD~FFiRu!}JD2Y&4Dfv1%iO)g*Ds(sKTdWx3H$ zQ$zQ2@x7MKlx{Lp^ED|sqjy2Ek&*^Th>M4-Y7$eD8=q_iEq@rQ<-`?wN@l7ozF0+J zKeNWf+Q7NFJkLvbES{A~dbh3^O3`tf|Ah&Y9{1DXR42*e#L(pO<`8MnzP@z8_*)L3 zBjo^lb~zpR=F#6qYy4NEb>W53f|1u|yIviRhTG6@fuVaSW`|kIXjTxZ!`RRu(C7k9 zEosP|wU=nt+*7QVa5?wxk^{kS{Bu=qTwu^JX8-{JRc1wGMpt&si#y5CKxlWf(-0?O ze88RU=o}&!e&F~IskgU2O4^!HQ?%)$<#kZo=jY+mM5AS1(=gnZ;McZgc(th!kvs+T zKr<65mWImA54328%9Nx}h^-DO3Lotu8CCR~ure$L?$2CWsM`P>NcDhmVL=m}Y>Q8M zAYDOh!*jdzbaN%>**JF`J8H6X=^eNCQF^AwY*I%-rR|g>NZ+;Ol|+5kI>1>R^yxU0 zP&(PTZr%oDazg)z%XhXRM7j-C-tGDisofi2`BVIn-%myAxNY66p{S~DeoEBvzQo~7n){(ZIVy5w5R#L5KKN2tU^hG7lXWSNTU>b$ldL??9q|UTY}aho0`L-( zVO}q5l+EQ0;lT4N$Q?uMgp97E_fl@pZC6(4Dw?Yf19vtEqpxfVU%}>ElF>Itsx&Qu z%aDcxe19@ZJkU@$#+Ho#PFE4nR+!R+=ecf8HMJQDqzdMkCRpnLpU|5G!N`%`0tBil zE90`1O>@SzuUj3BP`j}1(;L!NUMm1)c<9`ir{9(|pEE$U^Jzb{GwJnagi57h*noYVL!?o~8HJ_9sNM_}b}EAJ9NtZ&?7)QL*|p_?a{wbhz}b zB6!`W(HN!b)88Dfjm^?7$FOUz(>IU)#(r8~v7aH_=I{Ke9$A{?^7GHDe%VT-$^Nmk z@8Hr|!oG|HdqVC*EbZGL7|m6j)E>^aty^yX6McEqWwfpU6DKH9xsLsK^(hpKMgc!Oca_|pFmm(eiv$H<81pvJD2l*b@jaB) z#If!UP`Fdd%GE?htV=DWyI&`NIaODYhyrG0bm!=$q6+H^kPJ7J%Zd|S64~4T@xJTY zp*jx_lIo%{Ng0TWc`>DU<@PziADshSBk}>jaU1pbxqL0h|7*KsT#@n&llkv@Q-I$* zZS_yLU*}@N4bUvhOtWZ1{hu!k6xw%g7#XNPXH}*6nfuEv&e#fnfV2N zCc-v&m#Y_Lv(iX*{VufTJ18aIZc5wctZ<`KI`jZrnRT*sGew-4a#^$;?umAQ`IIf? zy>>r9RBjun+=HCvfDeVU)7>o2#Wu06!18{$vl&m zyalA)`sfYxTf>-^G!?6O+PwbTN77Gx=ePf(|9S(?-Fezdc~w_wxqRF;C2K(A+6vt@ zP9`RzlHJ;OA5Vk`H#*Fjjg*>a6`?7Xq`-9W1sV_AiX_!;tGuAR8J%RvoOD z$EuSQ=rw~=VI0*DEy}G8Lw9BLY}CbH+CSL=RJhd}=AV3UNIj5TpI$1Cy5iU{e9~WR z-Qk!rDt~VtWta7` zN_skKVRhlX{z-Tk{ndyd9Y0bGHgw0Bb1lBE`Yk*JNO&bnl&cq=V1b&b z+R%l!ugR^MOlyrPLwq05Opqnpdv+bHCsR%yKi?-4iFe#VD9OaSGRUWb`|m4b3Wr>W z4G=*40l9eoC!|lH&v6vaG2+V?N-vmN%1+6Q<6k|Vsvhgh`i;hcVmA99FN9y)4I-+o z+iPMI3LL(K-rwE=MYgOiao}476rI6p))OM6pnWN%j)v6_ELOzTTm$x#Xi#+g8^3wI+|Vzpc1Ljd1e z&SvCPUvW(h;Qle1cR!Gx?VOC7>Pc`T2_VIqDU3s}YG}_5ePd4h_(q*w%T_?}k``Y_ zD>p6}WbAbn#LqW0yWY?A!%g-LMZ>Xw82#2`XDvkF7`vvH_s{xu((VR?5X8MAPpKKP zI^DF*lJpmKaxxhjW2ud7%OXoVn9?qNOri3<_#USNfWg6OvL+8q90Vfx6b zDF4B%(nUdUMt;-TwQ-FVQTOkDOe^)kl&}8E`J7)g(mr@M%Ut-RrK87-Uw(4aZyI+9 z+csKpeX0^N1?oVdO#}k%KP*<8&kmUb2A~mpFh%U9h>wA>_{Pp8Ecq0HrV^JBHVvq929;I7nWbDI_+>9h7G54nE!ZkJtQPCFJiP?e|L$si*0G6nyvbt;UTz zfug(@e-37O?aJfnybbI2W@(k5p3ME1=~N{iTk!k?o~e%EzO}Z<`%G`Mf;^vKYBKnK zS`2k0T4tKfriP-?L5DRvnfBWvIukx0*h3QYn#h%{7P02sFmLGOl3=;dm6>T9V!0}P zjh>|{g@K81J$!}!iS5mQPRVlYFonN<5V?KK^j1dumH{byFzm%dD&SKq1^iWF>^`R{ zqREUs?hY2vHtnd0MMV1(1*1g2c6%@Cu?gtQf~YXoV!9$a=+C55+AFmjMGy;cs-=@a zn_J%i_L)B*b~fJwE{$2z{gnkLG5!PA)B0+D9#aAV+Y-V)fT22*Uk%`5#EJc{N->P^!um=jW%jN;*FgAXB|y>>jbH0MMt95fdXC zcMTat?w7Y-7(mmRd?`zzE&?pSoj>c_ZTnoF{ulk!?)sR^ z=nYBHfL*j2TMf*m*#|zrR9)$D%587z<`?&~?M9N#0MrLK{d+BeX#CLy3t=IiX+f01 zJ+iB_fuY7eL|mGBbv!+D;BsV}Tg}xk)h7N2q}HJ~nFqfuHPVB+T?+TwOC34ieebrr z-k176g|ron>}2#S`AFBhJqCiphNOy{#*r>S(aCg4e_ZO~b4sULe(`)p9D2u)58ZOK z%o$9}GUE%pI~$YXXLOoW`5ZZtO;O}*3~spaJ*&mhl37fpQjOkp&l>iziO{iL8%I;W z-8Vc3WM*%Ar(R(!%6hziln(S`w$RS09gvUI3e*j}T#PS~;BGrovPZh;1atJ13 zzBY{jU~txaQF8{}z9`U(x^V)V2%(D%7lQdeCK%D`&S_AlfoP5XnC$hviQiX=|MzS3 zZ!b^st;Xa1!A*{!BcM^)>z8s@md*(~jv98D>|_%b{++cKGsuRN}Y2Z?`%)l zKHr>Vly$Jescp;Dtf7fOj%ucj?dobVaQaxo?N?r%?ys;MHsrGbkrKMoL9hIM=uk&hnngz_Fn)0hRv}p<52v8U9Movi%RF_`hEc*8-_7>0HmS zu>aROHk$qH+qBIX*c~!mw%!-$f0}h(G%N^v*;-a7f6Q*B!#?}%(Ns6D-4I$bJ24ZL zVzF)Q<*j&@wPQ<`dQj=OW@qr!upn7wWWam`0)`=HY(lQOht${b_(2VKv-hz0;CVSQ z5{C`JVHTVEB%{$o(^sCYxn6x1Bc8L!`yG2WJKQf>nKga;$d9Wl7z1SZoj1jsdT(+z zm5XEaf_@K!iDcUVy&)5r#HdGwI{kJ@Q#^Z)*+(d4k!`VX3rK2hm0*cbL+~R5v+3s4 zSaalhcKDZS!7ApmS5ZB{1o}jw3%`B8Z2k{pG*U*I-ANT>?+to2GR|$m)mT^!_DM*KfddS^S88{Kx_FksYV~^;^Jr>*szrR+7ZSl12{IC znVI-H&q_abc%fm`JzlwuP)Ur#$cZ3M8z7pbcn&=|CqX<{suk857=KR5HFM&5pPA?O zg@Y^WGl7XkQA5P#E9^g_MOzAMYRtI21ZHe=t<8yC_i}0_S|r<@nFa7^Tu_xES0y8E zCKxCAeNknGSi|!oTd9kAb}88;P#m2K$Oui5wS0ggGMudT{%aNha;CQZ{{L$=A!`79 z+tZv4C+`23Qsp~%pkoU#kH&G$SL4!y4jsc?&0PUiHnq>LJCI7JyBy9XR2bcbbVD%8 zhRyB;Lt%1RhZ}y*yYsF#BGt{M@S?dBg%@ul+vG@G(M6*I>mnzLCCRAyWAMDDEYC<^ zU>bm}f@lh%`Opn>;q8(8eMu{O+gPF4XR~|jHm-|y(6Eus4@IBY-m#T{@w?B=%Cxd9 z8H9XH>KjMton_`<#xV>TvvVi8j=+$~P%OM~tXfczKd6ycj8~tphal(Q8UZ6D4Cn6- z=B1jVHBfJ31OuX9fL(GNU_;W-(jFbxvvDgQNol;w{-WUOu{5Oqv;R*8#|nThMOMPg z|05DsVC6gJ2%?szy?QPmcV}0~pD=+(`XEt7yo*-7qKDxcVkVxHTpW93Z4oo^wBzT? zD?L^FsS;F#a!^s8t?pEJKp1b(!WPvvjtaGm8!oBbgPwV3kLjmEIS#;GVIPPErjQ|# zsiL|6!iNJ6!8=#<8K+{lv?U`(=W_nms)5&C<~wOj9VgUB^UfKth~JEy?5T zb$qk1&lOMdlzHvMjKf7atXE%TSt~h%i4*)ZUSjH@d z`P?Ql&X5fLUN$Ih-;Pkd0CNSo-RUVxvOWSQcd) zi*%kXdcjGDNS0qjOnG6pUJVX8<^x(?fUPY=NKMxp6f8>WK5f!Jw7_BN`>d^WxAwF7 zl@Sx!38}nIPP)=}P3!OtU=Ca4ns}yWs^|zX=$Bc0V@qteSCp=P?E9peHOU)X#v|@E zY5pFt2Gy$LR_B0d&9zK!w=U)eUpipP#Vhh+HQ+3+nR{~pe|5kI82OhbHR1yni)Gvg zzyvFG<^!H@cW=pjI&4g)9>_PmtD=f|5wovlU}J=h-}g2G9#wg%gjR=o|5wCP*N}dd z-mB+mR|$te31l9wZMaee#8tUlH%O1&MAbQ2_CD6c9XQdtB@BONi*Ol6lxm(Vm74T}gZhNSJ56*xvLe;mhpj=ijhQ zCt;V;4G=BB#Vj3;U$m9r_&x7TFyurR)NKW)a$7x4+r2rU*;qxyy0@pzbq4V4^}@Nl z%ebi>Gxe^h)ZU?iNtEuE@M$lPt(@Wh93?$~Ev6;vqAPYH>et{M-=Qt+u@ahTs|CU2Q~v zCQ@Dib)Cj^1OXGtP~D@z{78wY`MtiL{(xU#%tAu(A!FT>TP!M%pI`S$Iu#C>73|Gk zd|~_$FdvjfWlFz=u^Td)hY*h=otf!hodXsZ*8>?UUFm>l0cF?`xAIXI{wSm}^MTK9 zud?4xFHgEq-GvHCWYPkGvrA$77Y2U$ppAWt%TFZ{R zf9CjM+$tUC$?p%N=DNpz8s2W%uv8evlfbm49(U5bm?~`1Pm?B-zpxh;NNcOPg!IP$ zh9CcRwtoGKk)yB0#_M)z7H1icqpnpizfhZ6BZM?fMFcgtb zHujE{7;Bshys#Dxc-%+Mm@NGh5%uNmpY5<#cqolBh=v9oNS5`%z;vC#H8$UgXNAG+-v_;s*l$_0p>!urtC7)N`__~d*WDu0pAH_a(X`c~0^K4lDg=j1fUG(6Wfe@!q3*i*$lCmeP{{Cq6AFPR zMRl26W{qt;<+hWI5T#U;g+p4W9RXGG*(U9;czh9J>3d%HW7$X{JI5|Ugch;QVWTbRASON$~wb>YiirSJIA4Z)t>AIUGxzB z6|OOImmYD>k9=rCsS4eFB_tjC{GK}LaH#9A6|3=uuiyhmjzH?$t}bE(9}Oy-!#Sfh zwXcwC!-=(7fg9!6v+(FB&mPM1ZxAEDsXb}kGPPs>N)w8Fm^Tw{dRwlRLM8^B=oXFh zI^;Jjyy5H2(PQiA!CM0xI_ABlIQZ{!#16k+xV!mz^!V_boBtw1?|mJ4;WSU9w2?; zKm>k9HM$xnX_CLJ{xuY#l2n_`s3c>Q&*6YR7n!JDm$Zy7fe$q4uRD}K)x)UJy}G> z3E^Mdo(PFUv=XqJ9(Dd{C4CWsCI#W5#R3((=FP)l) z)dne9=}X$wCrg`7CGgws-J*%^}dC9j08|U#!irb)pTn+P#twl z*%m8j1uQVTVtwywv+Rh;T~S(eTmzr}`6(#9u|*b;RRgdDwJ+kbuMLUg|R z`cdy^V;YA~mw!;rZhAanm74S^KGGu1Mo}_AL>O5AtzxidH zu21&e9C>T5S!V2@u`SR|8t9%0WQN;o#tr*1Gwo0<(+F@H%p@BU7OshlxlT|%wD3sv zAjT?!upd#kO11*f#F^{3j4xtDYi|*&bzI)e&iDeo z7Yo%GgHZ^j6g6UAI3aK1o_N*`BK0HTf!0X^gbw@BE{so+`Nsb`{9&Bq#(=Q)JmqvE z)z9GuesNPBz44%uY8_MJ%gP{e`aYH7qrF3n5DIPEe2f)PP7V0Zvq1x#_;{{Idig5( zDjX>LYB{XsCnv;PBb;%IB8ejL+ z_F+v{{-t@gV1mOo5odO0Um4^j&oSA9&kkh5mc)eqjOi|RA(a{D-l_5bQLr1L*46O2 zss6`tZUk6u!wgcXOVc%Mqa>hdV>)#KXR=_{y{bc5fs%945Q~DwBOgTZsW{h1>lI46 zr3GbWD3`!}R6V=hjLVyo`ZT$^V%z2f zFhXkMbb8L+=H3C`FmTy!`s#s;a#;gGah zHs~|Cx!l6XGx+hI{a;bZ^EllF|03!8VGF-^7jIrmb$TB7y?giEpO}~`ae}Cm{lsp7 z=xCmVwL{C#I|-M>axWGvm0jFV;-tObW%9`(W=xOh+|u#&o)2V?p; ztzS9|jROABh6aX*@tnQ!zrq;mOX8t_>1r3?T4{i+r=`gF%(6rhH`lwUz8n)KXTMAg z*NJ~)MUK@OX{;>?xllr`5dbqn@mh-OsLsnFXvQufzG@Lb?17j^-ch?5uhpRZS3e>` zHtm&jv|HG%TDJMY-#;*wlLZ}jRr`W^r`_Bo`r?w&B)S!ag~?}C_4J{4)}q2sqe8H!Rt0%f)ukrFR~nk; z8uPq?$}sG&fs6$-a9I|aj3_mSh4ABS zl3~57tA_xF`e#C+_Rz)mo9A1!@zhtY9^9hcGzK1_xu->(=o9pKnHt?>$eKC)teL(d zS7oW}8jBFA@dzbCfeEPxjPiR7%Ryhg`+G}eG*P?w?Eu!0PBY}7C5Zdk583Obo}=N2 zKpZL)D?T$8H12#J#JSH5>S22hCLNd&ZEFNdxLBtu?c5S{>&)U#IxXEbH<(NUZ#kH| z!Q{B9<$`l!@Bnv{J=heyQ3%k{O~V|1g2zeFyLHA2kDPUlt*tBxR{(!?|qC*5^lk=E~Az%Fc<|A8v z=qV2a`s{_oa_qzPcOTv;w{hy5*WlK$T<=4%gF`FrhQZDST%-;xD(P->aEFPysELGj zqn%%+-Qe=jj=trg-+tS}tF|We8BBgW=hbGccVUCUroqTk51`_Uw7SfZoGg}C z94}&iQs3L7S1ik;*2A{u4yVA4Eb)fW8LAnK(LOS&Vc_^$>@=%-okPT{O}16mYpC}* zT<4;3EmJldAM~C>%K+Jl9#5VyDsZ!PQ}pTt#`*xJYI7ALg-28GaBX6w!)YWu5x&X# zL9b$BaDG76$vsMjO~6^X-drd7>S~EHiOZ`a0nq(ZDN{d} zu(-B}*(-V+2^f8(U3<7A0;-2D6NEZ5f?3?zFSouaxkn1E0iT2_;(g&0wCApeU6ZSQ z_f>1uGZ|A|f_3pD<5&9x@plgrt=Zcuu4l}I&9t^_{;~E}F$ECz8eZXE%|EnYFO+rE znJL|UXNGfr^Y>3y?Nuw;7>OnYw7cKlsY1Z38N>tGfI0(qh9&8Pju(gB5G~)Da0)r+ z3(hfP)e0q!iT-E%sJ}3bYRvZINrcM7=@1(bu-$g*D&9AthSO7L30)2Fl+FYN#%l(| zw9*iq9AIqTG_;X6MduU&N9lnU*NFc019v5z}L)WIK$nUyln163C7J72Os9`gce zsf!~W(^CxGD=VRS>zx+%05voEhG#@=)0PLxfKqY=w*L@&t6KeLCe>0aMDjJ)dR`mx9c7;4l0GyAFbCk%gfN_g(A`UJi)Y z))GeiC>8!kAC2BPoh`j?5wp`cx)3kuViqqunJTW0H-EE#kG=GULW0lpC?ARa-+OO_ z93~Tk#lb$`#1xhyOLMy%GS1CN>fPZj@>#rfsdR7K>)`S?c^%J~_k(4>KE{SV&+jx- zYTLQqfNp;a|I@0H4mZAqf!&L44)#&2K`srT8rMwfO$EPjfX}0yTuj$*hs*LlHxEDk zkdhGN21AEI;5$N1>%I>4o1X-l9jDepgvhLwxOjEf<1d!s^Y;}{G2q%*9;93j9z5 zrrpxAEdrFg)DcbP0j62`u#(s}H50v1{M!N(TippE3YZDlEX3A%i6d=Q^g7 zq=qVE%|9nBhtSM6WXtiFKs}rHDui0)BK?XQ%nD~#H`jm5!kCR_MmTo6sSXq(y+tm+ z;;u^byP6w!{=SI|a{8iv=W2TMVaT$|DUH68!0cq+k zuY!DNfx|zv;A=mSGnKQ+x>HSj*{QsnuuXn1*Sfa#rBHj#()B-tyJ4^G9PP9>l|uRC zae6h6f0uZd8PNmvLIBd2jh$abj*vTVPRf*Vqdbb5(+FyiZ%)q(Q6C%=0MpddG_i3- zJ{0dW3ajIyiP5~pW#{)`=X8X^4F-;rMgT;)DRTz>r~f)}TFmZTz%EXRxVE_rCgw~y z37x#2@KC=nU${h{gMyPQA@Qojy_vD>(eRt0iOph6z%wn^JUKXh^JKm8f2@itQ>lY0 ziR(!y4@1xc{&quE@JE95^LB%|Gr0ZXWG8d2z39n^fLi0B%GuLMu7ObcHh!2C=5qmn z=?-fezJrcss0u0tA?yoj`FReQTux+G$GS#zDdxR1=9){bCm+;=6ag0r3`TwCk1+{v zOz?aI>NA=Fd0AoIZvc%eS^{5B#Um&dr2XEs%ug%6Rn057=Dl0+CWcDidJIAn7?jX;psy11qx{+m(xBcV{7I7W54yO!|XdW4y8+(K^y)S2YQ;Ob@aX7Vc zzHax5EEwI+!JvDkuUzi=H6bnkM6l*%Rwb#^%5VB{a+i@p0@wJO7Cwp#k`@ch7CXdg zQ{3{=2J2m~`^r_`vjmT1#Z(vYI(dlL{k-uh=JCz_p}^0b=XH610xiQi`@etiN}@Jz zWDY#EXl~q9iR=C)79hb4u$P7^ER7{i2^>E!5V8+${ThQ?+xemy?)-tPuE5v%UY>*1 zkyM6{T~(^KwC-wi2xaU5zIDK551*m7e@O2rz8?4<Z=o>}JVYb;)@w3%7A$iUFW$^%s)!u{Dd4CqTjxU{Q3VLCE z6SYtWFy9xUiM?}gfA>D$XJyNZrY_2w=j_-`oO#YQQr)uGKwt*CtAz|71yg44bfnbz zKj3&v_cjTByw5N}CJ~9XZS8j)&K9|d0<(x*8mr0n^dt2c>we{3WsssU=#F<>ruMNK zekqB_IF{)|eO!GEjmEcpHNME&V=KgsSHcx}$LfkmM@xuaJ z&ll|jQ?B3}X4Kk^AoE+rRQqy=Sm+~^h~HqdzYcO~CYGM_HB7Ga6u%JXfN;o0cl1(b zcHk%W%>pTsZ#!RBpae9kAEZxm?am_I;aJiDjX;koIi(dd|w~9P4_Hx7noX z4Y^m3XeV+!M%+@(FnRYj{L%TyhAc?xow1AJBG~k1hGz`F3!XmB3qOYK4N-AeEfZ~s z!V-TV%%|kJ(-uc?+x}|$1@Wtlt^TDUGd;G#R$~d|wrZcDj9I_y&{9!dAUk*sJ8Tl( znAHFZ{%TB&@N6bFpc`tpG=yJlx!KvYF(Q{sth4W5VeM>f z0t7pp7Gi(RKOXG+Z^dWj_qs@)ZQm16wq`o#KbthXb%7g4`KZ4}6oY8RO~JN};KH#x zOW^ZZet3zc(*WP}JOjzNWcy~e2kE?A2}DQBta<&^b;NuAi~M$Sa8A$n*%1H6H9?z? z(-dS=8w=IstM}u3`nR!p%`V8kgvy+a{_Rrx#uoraD!uH={{s+G&DtYR3 zdLJKkdT6Y9G%S@>Z+>?3+717(0Ya{?!>4D&X#fa zp_WdJ-9$>F@5U89xYkCb2pmiftFlDFGzUS5y#RKH^DaZ7<}HsGEt=bJj;h^QVYj^u zx%kZELETJe#-fyk`0?rv6(!UjFZ~@dkOhr5K@*)iA!5$x%<85xK6MO zb->9`up4x>TPXS9*{SGT zQUU)%rRBkt-5d?_ukS_e?_zfIxmu$2@461|S(0WJT>18*z{_H~fj!#+2iK8jj9_Am zo`dhACHhk#tYAtfS_d)bJu2hc7dBl`$#u5E=!(X-nYh2I`7KJl6z)phsAgi`1>|1d z+!Z?eDRgKfwDHVRB>MGLI!=Z}dUN*s&NNQDW}q;^+p~}Ny>uD00GD=JOl$SNf%4~v zCe8^4koK1cUW+M>L7$lrGpZUo4~l8=fF=XYXTx@W_9No$7dm14Al1z@+6&GLb)6|D zr4hoISHE>QlB%$d6sm%Md^%XGLgVy%6U)D>R)+S5|7_lQS&{$z;a%AVwj&#zzNaMz z&i_CX$1ayWWDpW8WKg);I{D&Z#Q0C=PSL!rpNWjVFyo~7!J6~k>(?#LDt(hSq#kWS z0~E$SL_D7KytO2QeKHj_wQPf+KklryEVXGYi2$BgRA#+P*|5zhwEMla;-dfEeDk(A z_LjS~3rHC#e2w5od|6k-F!2Ag-hG_-)zG<^S;I-6)Iz;=*r|=%Q974TjEW_Yn#t*0 zmSn=YbdY<{>8Vfn>zfFF%Hn6kNR8tRdrg>dVR_s7QX9+Ym;x{Tpsc0JvRPmA45G>r z3z$Z*N9n{gdN3FU&toDApXU64FOqh`!`UCnr_0GRu9-tt-?Y-|B!rUMVTtf-4e*JM zyF$%xeZoK8&hi_)_qC`ug2u)GSwKwEtk+IG@^KUi#b5{LHCEYLhQXKb^Y zn7Qk#=_5_3i&9NTtlOFCXu~}HSU(f4miv?l7z-xdsX2JFA?g$Vrz`XO=4C7V!Mh|b z>Y7!v|HsOfo(5auCSbJzsC;YYF>&`-#vG!MAGMU-D@q(HeC@KTzUu}Wt!uUprFIUj zN=EBXE2cp71xi)&v`AYM@$0^Nb!s)cG1a;U3F~Ru$1>{jY&`2FSkQ7XPP6am6Dlz5 zcrpii@wc}oJGMSOXY_dv`#SN{R$Zd$K4M`Var@jX zzyh3eRJ%-i*7ma+NhqvmE+pi5wmr?v`fMA|V_;#gQG#8F=DVg2=J!1Xb!xBOWMB8l zG4bCSIsTACd0J}Trfk+05#9E~Y&|E=Y`e*}l7Gt#KoFcr=Xke6FF@)JE|;p!+Ocz9 z2z|`B9Hd->7`k4C{_m0d?`N^uzhigks`{*w`VMPp25G4hIYt~Iljgvgq;3O;8)I5? zCsjggS`&e-T9im|puKWxbKhn+F;g)$T#Baw1Z1iy+vaJ8dfVq0YuUQp=?fmMB>2a# zgWradGizZEv%Cb359s^cJod(=e30RamHJR*J9ETdkjdUf>QwRAcQKw>Ko-!^G65R| z40rI7Z#DD_oO`hs9Qm`3|O!M}%%;hmZ8!t^{5DL9qK(S#nzzU4#fvexcA8h{v|cBy46mYXZ-r3nYSjEV^W+^9rfob7H%R1y0w`()tN zjr@+OSg&rOA9r^Y`X|3sG$bnjw%oh|KjF}ZkIvfdwDTrc=O=KL6^l3*SI_2+x)v8Z zH=R<`Y{SEaMtiQc4O*1v*jaS&Y#*xSpiq-SIXw+L1ZgD-`HMfp(E>E;LHV1d#y_;6 zWc&lFRdMqvvw#I{3+4Ju->OdOC}}?ZjOOmkNT1BcSbFp;mBLN3xDfaylW)vJWMlh< zRO1xXVRFIQLJ}wbGzoqrYpneN)!2UCp>tK`i9;FDwm2}AMF(#43XEIJ@q4j7wI7!#%kCG*^N z*m!K%m{~FOF-o}qz22<`yK(s*;eSWyeO?K?5)`PZ;N%C1Zaz&>Hk3r$l}ewA>M%8g z@SMwV2AvmXZ)XW5zP=L9&?%VBfL#Yvo(^OQXxMJH-QwzuGhEcMoRxd3OsMp-y6JD- z|40bK$_$@Xz_bc-=F+-ezOMd0MyA5jS|@N)(3C3t60T#ovA!BBgHW*z%Ruo`lTXoeUMp( z(^;07YtVGyG7t#b<6e56bdcgPPD_(L6_ywojBQtBKE)-K@N@RcXIlXe`E0+FDn+s* zVdVmhH?!!#AO10AXj*slV*ce^;Zb`9gUPx)mgZZ$rTf$@>{G4g%oHr&FE(zgdzH-i zW<;Ocw)bme-7rm zk!S3NX@N>v)+)lyY2wIgYUNXBuQx$7jtkJ3pPfYK8E!7Agq3+GLQ2)dRg@ zVY!U+uI@LvvbJS#BEfd4C4E88FTaDYU`bqM1IF>XZR@xRhN|`SvNf~$-Us$AR!W@F zVYvVh`#UDfr}t2`&BMtl_po8|tB`k}swLuGFW3iNUJkJ(JpMx$n98fs6$@!JTE}0W`N4p>FtU-zVtjc_3{kd6U+BNh zk#ZKRdbW7Ma#&@ydS{spn&$g@!y!tYx0`RyP=HaE7iU~-SyF7i-4w%>M*~bq7}o`d z-!}<&gxmoKN`GMhY@M@G#-#iI>v;KDIW_BW2PXPtznh{(ge>cEJscWA zDnOxlXm^M>$uRdd*kA~|`CHr{dlnHrnL@%`A zvY|DiY-o9r4k-IS_qQhUvB9D&FRN`gIF!nCoE*{RRp##L8*Rb-Lh_#``%M1C2h)e_ z)=C0i?1f5&6(JMEA%Wf5TfLBa2N=Kt*5K%V=w*QL9DMoi6IYAbPt9vl$%&k%$iw!Z zTy=pDYod>rxV6tLI~gS|k+`Gw*7C&bzoZ&Imk3=<6p_IfnC(LLO^bDx#;U#tXbj}V zG_GBWKPyBVAdN5HXj=ODkK|{cmK#?;{=U*vekVu7&M(PQi}vQz4+~LG5y{wB{NjD` zaO_g_P$EutGEWcfuR1hS=pYjlW_}gMs)!QfN{d(^$W*EQw(j7y*#p>gy&{e+swTCC^2671M%Y5Lph#U31r z(>==xpYixbOZF8a)MO+0g+LlF$VHdDD;ih(dh_~w%>aXEn?VDR%|R3y zQwQp$xAh?dsfR*WGsTgCPj|)_@8%nK67JC+F|ONZ1*x=q?u$kuwk`|9|qyNt&UaG$9>F! zY{&yl6p-w`ZjIxQRaHJH5~Qibtv!UCFazQ3r=7h+Ks=tmo;Y?23v61BUUR&a`3zYsqp zRsYv;T=1D^CcU%JC*|gJH8$HDZCQ^?ubtSpMLUsnCRMhRiJ_$l$E55A%7ph)~Igx@0{WUD_J znPC7*)F5`Fqo?*Q5LwUJo<7rSKofyp6rVm9m5PQ+y1+|pL+^j@Oj{RQoI>q0%|Fp( zlFJE)iN1p zf~OJRKl!nZAl*7k7^Sw*dy0EE)oSgH?E^?x$l`9?n1@Hv3XI9hu@MqQjH*1cSp*#PnkmEiV(-by#j|@c2i1=%y2XhF`Q`*jvF=K12 zbAZ;a9-rjqZL^|i7E!()1qWINZJ)$ z-i>^ygn?9X~yorD}H_W`W&R_fXihgx!C1~an4g`A4MGrnV{#%3}1II%f?85-j~l; zI2FLA*;R>SjcJgdy_3Xanm?1*{#Yp;;S%G9wJSPIYy|}?q)ax2W8f}psSLaNaVXqc zymV-1hi=?=P>~P?ELZ$kBfxStI08l4CJTI<=hdn#qKhUZdyF|sX zvLimrKqJI&={(nYG#HU6DGb(#ZjpX5Cg3F*p0El!Os}HZVC90CU2Qmc?Lcr6B94=N zQ#og`49?f2s&-%e^oarLfti%8X+>#1(xvH3$i^l!&^CD$fI6 zDnHGsy5atLca{VWVOt<_iV3(OFMm`1RGpet_Q*R4FqJ;bkmKzZ;}ELh{@|Nw2V;o= zJq0Q@-&en_$hMhFJ0GrNr)wG+3cWqK*Y~=k@A9nD;3c|$On)|RoMrkdT^&5)$T;9^ zue{DZ!;t-P^8#I_HDgHnYgSNB^)&3)md;A-^zpMJ1p2|KA7T}8NU zKC8-@*Y*dsX9u{yyrMmpw_%WRsF;`O^S($|qT!V8a>!j*)pm#_7E?KHYgTepzES?R z?%|F3{CbXmbLD|-KN5>DW4|eVZl}#hz~m@eE2&7^$APA0O*}=DV;YQc!MGiiBmz%4 zK>(;9()ffs@5ep76`Ge!WjYxf_Kk@ET79;_ zz`9pwWqn-7mkbUDR)GWW79Zg$m%0xS1@U;_HT)Z{9=;^!RBeq`d4Fn7J<(elr^|0l zz^cKzj#O%VA&9p}(?troyuPQuMT~3VjWpSA8nMTk$g{{E(|qO z7$M?*;0mzVK>>@_@lFl- zUqZix`b;|e+AVv>4*qg#=7M?+ayJ@Jjo>Sdi(SpRh`hl^LJvYEHfR#q!~tRT-7V_| z&};~WI5$U}cM@t2JklF!b8;|kH;8v454w=E3pS$ng!cD-q)0Av44wV9$5hes^k4AN zdvZUPq0O`9j>)>gElz<1h}vw#b*w zSv_{II|p!w*Vt(nL$a@t&W6d)iZs=;T#Fg=dA3`xUi$vQU!Qc=s5oc7T+})i7P*@> z)AkQ|vlCuIB!!&3a(HQeYuEHHua}LN>EN%uNX9@aPe)stYtw9LnOj>hXra$LkYB8^ z(=up)OWGo^1$;R}+CK&!YM!T}Ibhy(*G#s;&3+`_gm3rDl3u*2{pp7|OWXRn6p7AS z(c3NwZP}01F7UEEIC9kP5 z2OlmKx_nc$kR?1sA;@cnpXB_1?r`gs{y6(AjRg?OYDZ62HI`pEgp5VmA1>Q!+pV+p z^8_>wY+8md9Zpbf2%(VGCgSy|XQ#cD)a(FHMw+u(RLIVzQFvv!S&s;djm9_|kR3NN zWrQ)-RS2x2P0lLH{m?tM9pQhmxUZjzti>25M3aG!W7J zV{*|YUF)V@(nBa^T1iJK=1;9zi|sw4_(#BeT9F=rS?Im|-0Z3nXwgF)klTtYDKA3? zyeg0f9J5sPbM5?6wsuu&vNP0{GA#jN;4QuHJVw6oRa3I^+wbao-)v|3yZxoYW@&;r zkIZ29X&ahnt+kIVaRFIQXXXUbwj^R#t~<%)Kt6Zd&pfZl|U0 zP4i>nRzi+J2c%xT5`C6?F{+ zX#y>9ZWWmyRhUu`=1Z&=VFNOr-qD})>#$cp;zLVTE0v$=>UiXDPj3X; zJMaO*rW_dS9F?0?GC;1l+>l1XTqC)~s--C&pxDp1+GfdYH@zM zA8GcNO8vq@DE|8R!7qP>o#0>mUT*Y2i9&8?UE$c1l2UoE^+x%{#yz7pcgq*H_wsR= z-T0#svkk@NSw22+i9-0@>pq^qt0vne_(^vOGwXr?Gaum9Eh$rMo&8^DeysunqX8&? zl2B=+PB3aJ;$AcC_*>rD*!J&%-(dY_vOkr~)fIsDJ+8{5n4VPZp61=CZJlgj0x}gK zS(7yZjW~fOG~>C>#}+V4u_*RaHB#e3o8^JIvxxpDf%U62`XO?5K*8mn!YK84T(}A z&3*NB7V3B!c3Szyc08Jo)k|`b3fQ|XCNpn{oDX--iDNQ5NfzVlU^hX@9f2>UJ@#xDqAf@}ujjeQD^aW@ z9CVEXx1{pK+5fk)i$unL3%8}_hZ5UGdAam=;wHSEOugQRtK97As>VTo4)sf%Gzw}> zk@e>3o$4uZyV?BuCLgaL{nShvXKK%O1MG+?Cn1ZGT-eat?%*(^v6m3d72`_EVXSh7 zCLwQ5mDrwF%JQXQOn~|rSqc%(Hloko%UZh6raj5vdu zzkGR0c}AK518q#_W#?JQZiTMhX$PE=Ea?#DL)Oh<}!b-8q)%9A&51@lnC#WttrdOlr|#? z3y_S=r5lMqR~_ueT4x#nX2j}djBC`5B~}w1)~QX}hji{ZHN^{;c&%i=9;3On%3=lk5AD8N^iK^%<>i!S+D zUcXY@RNnZF6_s>An7jsH+T}`oOjP=|EuEypx=i!xPyIl7<&g14H>I#1<5=CNNxUmb zhqE`13z8EydJc%eGbOZtg<(Wx8%>j@*v*N$x70WpdLT{UD_2L7r8cYPaghn$9E1P` zNabzmyy1^Wx@89OgPj0O4DIGhN5qY9q4iH#_|G*mNXHGXt~}-qIgSSbmON&Eal}WT zD$*37q1XNS)4a#251Lac6*(;5Ta-MA${aeZo47=v652zCXj?*N*8YAy`3aoyc;6NS@4}dS*1};#tNO0`IPxdoiZAdtQT?=L?T%eaoQH$_Jp+urduT~+B*>|qn;+>|t~;|HUUatUwa zV1V#c83!8ek8T76!lTaQ=b97^+)_j5M@92aU*(p7S8|M2L)T7fIGr_Pv~di|KO)wT zzZt;_t1NO#>{axfveN0|(`CVi3*Qvay*x8S*5`cJw0SQ}TW;=lL%LIzJA3V2zJ z&34!s?ZVgMo$!iHYs@hXF>M&Q)AR4+KAV$igMB7j@hR0F;`{1yc9fR0@yRyPFfF2| zUCSFLv#|oM4!abN!MB6|;{~v)I*0!hUTrfK=8q-jY%>DfMM;YQ`_CH_4@?AU9#y3A zVjgzR-&Ezaob~>ArAd&{M$f)8mqjaCW3SzCW|-dLP`yOM`SUkDeP`w;HG{HPb9CTg zp8Lo}QlM$)sA=%hRZYTjvC(S}#^-cTzwxG~;2vqb36M5vzT2; zGkeci6j@Fl8BEB35l1c3EAhY|_J67EE8m(!qZx(iG~{dKg#4P{A(@08S7lTCYpb8n z3r<9>L2LM`ZxPy^UvdNO{tbx96oV=+7b5|cWmfT9>2y8R35F}DGHd?}NJZ1E-LdrGJgOzTa3*k^uPV9?=bMx31qBOCwP(G-(h(w=kz z`&Kg3sFh|1-$TyoD4#c>Q$Z{VG#E#5%`L0yIWO%~&~;GM=2h=s`ITA>+`Us_7!1FP z7UQ4#B4^MnX<6ex6zyj4RierZXelTRP>nvk5J1`tnK%E+x#*%V^2KXC1|`c`FD;g z?AHEe+@ZWcb4c^PSm)~!yY9TKBcD!vIn%@!ra{wDPr(LGs<`6h5K3UZnOPzdmurs5 zYgMz{P1pyHKW7?XC#9P&q&b6)dKQO2N(C}o8@a;Q|(9^ z;KrMBF}JV`C7;(YuWGZEld!pyBaOj_wdH%mg#c#Qo5gfPRXTjlT@k*|^rX+N%vY>JyBD~kPSvPg{SW7L6|VvAfEP`<(;+-krD|+^ zl{s2d+{4xLf^zJ8wvQuu0k2C^ipc-HwicVBnPLT;V*>&j2&6rs=FiIASvx+paQU-( zaof_60laTzpPvKO#fMS5e}~^MJ_M;n+&Ced?~G~gz83E*8HsoVdl`2ba2)ko|72Eu zZ`A!X*@T*|NtSxNLV(eRuIUOrwhlpmm}v}M_f-LFz4q?73Hwrek)~v3w!i!r3mO| z&a>lrY&-LW+1X9AF)p)O|Go&N@ppsKLpBrsANaMHPC(&j7F1S3P13%9WDr?Tsg?~m zrwY?DOWk4s?rc}c0hk~}C%|7E7Pt_o{QU1g8y@No!pbbp^fda1{&qU5Old(uVnz9u zLl-$vYea4^aq?S!NmR>u49ocR)r{eo2vXZ%%EUif3taF8F2ajZu5WpVRB_5z`HW4! zPa&iAX-dYQ5q!SL+~gTa=t*WcEI_6)C&@`)4p2iorudO7;(2!bd<{Pzw({SQ0mR%Vl!+vDf27K2p%z`zHns53#|9Z11J_sG5<7oF=Es zIfjS0-{N5ZUT;5K0YRWtub};Lq=87=ecFeAZs^eJ7F6|{AbqZZVt5&t4Va_^E=5vls{WRwrOQI-#85;~wza~^ItCnX9d-tI2mJH&2_Ir?D%}8<5cj;`Jl$*7y zPk84qseaT(6)Q3g<~A~!)jBBYR0Y;ax-4F|En;2kfjndN8kUK!;oR0dqn*wtfE+9Q zx2S!e;Z>=(($JU@let`hXlEH(fM&?5s_%8XQk`{X(R>%eWqsQp@ZnUJ`M?H3a4xad zyougtm}9un{`!V`Vo-F)ElrY{&@fM6;`5*C4Xz*!p55;bv!AT1veoJ6xvM5(S+hS=(*2+b42Rc6TmeHngtGGrKg9f*QKt zKx=h-FJVxgQ@etJYQw17^fttb?rb?O^v(43o&zKF&IEK!9_3Pe^2-W8WB47=S!Grk zzRvFjlWHL6u)^%B+=O{)rdl~d%<~2to2lF}x$Nvl4?`iH>ecTsc53%#$dj>?xq4u7GKREmPea=P6Q`*e7<0e>dnzGe32irE(tyl_z~%L8nxt6FA7cwyVfWI zlO;WHr$qir-t9Kipyq_X-QdmwBc{g}aL7SWa?IzeH)!8pbUfRvWZ!gG zQ9U#4UqX-faOru&OrISYUU0>ZWb$fbNNb?y`=Lf^msswFd;VX|-ZM^>3YjtvYP+}a zDx@o8R)si)CT2{eHsGDxZ4XB&eIE5Q%R(9r_N!mXOX6BuAR~w(-nBN0_pxiX?c3tT3pKN?~AIJHNb3XR&#o*OD zeR5UJH)|A;jsMz(oo~MUbcWV68m$PArEZgpUKKNIsq+H}cP?SpxsI=bNBKtKv5jc* z1{xXkS!l1i-0AH6U{QnhSXW(z86Spo(RZ~Kwa)(D&XT$xX^#@rNedNBiJu}|2)`dX zJvsnr7mGdCJ#XEI6Z`JwV}HirS?yZWSzlU8wnF*Znb_qSXu>4BAB*EhO4rB3uw1U1 zwD^|M#-o(!zLC`_F3IpclM?EN=ArwOe|1uz!%a}58qaxC^rNH=-_Ko5Zn)IHaC;<^70wPi(QX+yx znkX&wDnyzz0Rw?RC?O4!kn%0wz4tl$+UNYvb$$P=br|VGL2LgFe^qkX1jw5ycZ<{ah}vcG{*An~**B{?IY0ZSXwP z!(E3iJ6@-E8=JE8FlW@f#Rd;7>^{{ZQ%^L?b`GuV?VnGR*Gp`*B%hN1PBey2Dnl?&*7R4;gy(fEC3t1VI5)_+clnr?57a^J2mfB3-ds@sbdziSO`O!`C}wpQ3O z$36|O+?Fr6WOYLG;59wQ>0<_gw(#ZB?l`ZIy_eo?vl71OazyvQW9u#64X0mBxl%rWsT8`OC??){QeKZ@Y zAA4}@3DEfY6Cb~IF}?U${Kode?Vz!Tmi{}0egt)}cE1yvrk!xuUQNri)#N@d z*rr=#amhEt(W=3rx30Rds55CB$56D|`Mr=RYiuDCXbno|U7XG2m|hsSX)x{b|Lg7T zokP#f77Uv;PzOhqN#G%=V0huUqw;*JOPaaB7tx2~LfGI#Y- z`nPovQU3g}#y4@sMQ7r>3&z3At#+1d)0>(FwQ-#}`-*TR*15O1bn!vbkE||HA&bZexXe!( zufSp4;IKJT=vEN*B^?~PlU{2f5-Al$|A%$0UZ6_*tS7-+*}f9t;#(7PIs3LKO^gKQ zOwIlrTkyRO%Spl!SlyKYKxh7EL}#=AY3nBpV;RwzyY@l2_PHfey|nPPTkWPn^*_qP z#A;=Yv>u1&Yx**Rv+uR(JH0&H_PG9~M4jv^;J&aBbg#2eRIjK=%mrR>P;xO%5801u z3sso9-7h}4B2qoCrY|}IpJaYqauODjO7JOoDJ+%XJM%HPXUh)TuHJ&cv^HRcc?E&j zGan87xV0};qzP7u@)BwYJU!Xx?8!`q8(`C-Zt@@7M2UnjhvnVEnbSk zjcq)S60*%Ix0Z{a2GRtty;SwC&5AW9;^SUMIt#hxC%44_UHrUX3JC;A2I$ciey zTt^2=86vNg7_mP-m1f8J_-BkW;DxO6Q?JhRAI#3x{dESMf{oV74yKHBX z4GB>}YdR8>Gj!bv7)Xc;8_s&(rx=jwM@DwE$TUfP?@wuz31uZ!tnO3*&n8ne0jiR) zt3cuVIcrmeo67A&XBizu?88rxds{5UB)_|d%o;nr%=v8r6O)O&f=h`L<75&KU0^P} zR$n}2F5hHyjc6SIdr%Hawr9p|?peeQ1)`os%LxqQI7;p-)n?+;9`Mr|wO`MaDcmwcbP z&7)@5^A6fIg9b#u)Dxkb-bx0f{tUMz*Cuz`{r3+r2Eup0UgpRQ|8{yR7&HL2-^&I2 z`Hb{Y-woFm6kDE)3dj;Zx<&Lm2D7I|=wwC%(gDpmJIp(k;&^<^SKRabu7pM!-cY=@D zR5OE-qJ?Pu+i>}%@hTthN`Pq&%veuWpH2Ak{fC0|rIv>1OHoIYO?c%y7YSFk2o>m$ zmoCCwcAhU?GbRwqYiSD}qo-KRVg9uI%`6Y z!1~rg?}2)r>R7UOBT&hcZYwbZ9?tVM9s@GBA>MEGbrZ{jq=ojpmzXy}hX6(UId6NM z6QyQ;ybPuni?pr%z+RYpmW20xi(d)Zt`G%Tzv;9qX^!iTTRe_lTn!SG!QrfQCugOZ z&q91hNemj!nG>%F$O#?Jtrf!iFW<0#J~*ZMD!Q8`oWI-ok`8!jzQ&wxnBv;UgehC*3oQhp0CUF zLT5488n)FP zhwEPI^$bX={*vlgQ@s3as}Pa$XNFMo0^NT2y;K*7-C-0{Ct=GJ$^V%Gl&E8V4Hj>6 zjqE%8l(}EML}%>#O7ZY>lzzSUr5ui8W`t#oAQ==OJ?o%4Z69b5ZFuhM>-KiC>mTye z36xJ)XRDOZ`PWrku3ow4tXi{7cjmv#$6if z%E+QqI+moIAAymrQ2`uP4+=ALmELS3hLdfBQ8-24wt;==1Q9OA+ZjGrS~21`BJZJI zGAp7tf0-w`&>Ycj#R=tFaTK^UhS_zT1B+i%f6t5_`cNREYd-)`@aTAYU$Gvj(pj-9 zs-FmJ6pY_f_0-xW>#`0RQH;|13uqI1|Mgk_tBB(%BKW`7iBe*AQp+eR>$#HaY_6;k z?kqPcbq|6j8I$In!imM0H_c0+BhED`!0h(J%W{pXL%NQ)NERQKcb$Fy0ZWF~Td*sY zpZ+@d^MG~fjlwS#hmIw@NCMg>Y@WFtR$!P!dxR15`v{98;eIbg@*SeW2{yk_aHZlo z6O2Z!V+9JsZ=N}do_Q5AmL5jBs+0w1USjm4FkPR6u50W2x}qR!ca)ZDHb!w&py||) zDHFlIX=k7723a#NM@A0xxIse}V7-&;sBlsKz-yo`HlpB1!@;-8f88cYR*il>wP3%S zUhqQX-o)5#Bllok;i1s@loE?~bT&loV%HbQn(_dvCFnS5L0q@q6E- za!%M6odv53SIKKp=G=D0+H^RHtK$WM<>_YFGStvh>sWfzY_8} z8g0Fw-UL2{_G8XXGgkiLdG95g(>O=6!3{1dgaIj%YtQ< z8`OQ4qpJF&KA1%fE3SWV6I+!%+gi5a>!@e1oF-RF#`Lul7X(_7Ym_P6PJMZRc%`jC z7P-{OZq2#)3j%&!IuLpyI10i^S{`HiU>0?4;B5zjhJMF+_+i?P#*Zy<0tAPn7f3>P zo{TUwN-p|X?~<~V^#qDW<6V{>WUC<;2SUCV}jEBfjt2Cm6y|VrxWGa+DA%t=9F9l+ZWV*6||^4rm`V zBz#o+WoUsEu*or7ueQRz@lK(+6S3P?_;vlGkNS*NkMSp7Hi$+iR_raW0dp!96Hykv z_fE$xXa2`sLO;^BWd`#pt{K**Op#WpQZnb*)M0d2*+tc5;dg|zF7a0e8IMRKOiiLr ze`1#KpCeu~bo4O4xze$>G<@JrcbWd&W3T4ETi|tEp!xbhS*0uQi+-q5MAPC(;0*|* z5^@KlKW^D(G9*M!&6I-i-c_p^rap_xlZ-?9s~JvmiNjgj#D%9?xuBpId}4BHSUk{Qk~Y{K zoXLrmP(GK3$tu*~bzMWW;+~^_aQm-u`^jqjyg01kU!GE%>$~r^=h2!n1Ma;%mZFiD zmz)%`jbiv!cYjt>UQ$N<<=@75wd_+mvo*x*)lYXeW&lu3>EX#i~#^yb?03 z^cCoQQfS#~AoOSN&1Jcwf+w$x$pn3BzsN$k=i=x36ZR)s$ta=QOTXzrQ|33&56aud zH#=^DBst5+-sjdGPxent-Q*k1UEV6+m1sK|q&>Ft+u&aVGM~CTWN;iAAHy>lv8u^| znxt}(vu~^NtF~(DWsZl~6lPSN)cOe3S+3w)O~;Q#=4}y@s?4AL-ze1n5m@{vZy*4T z6749ib5+Jb5!`EScU9fQQVou@6grfh0zWP+q;xUBaBiu>ZT+K7W4Ou-Z%>cgcg2Lh z#k{?h_s@!myCSFWDu}|YOM_&(Y~g;j<2iw!yfMFElpvYNK+Je>JD3drVtw|;!Bl#; zZ`vS9xTeuyTkz~56l_{qTfyT~jh`C-&qyz3baBX}T3Hw-v2MpM_jG zY#oSsa`<@f-RYhF{Wni234=dzB(Y)CB;@Pt5cCKyX`$uAyxCzM?N~dz?(jE> zr+9DXUiE)9s#G~LSpE6^@Fju${VajWxa(iF$E*-`r0#TH7kKt zr1K@ag+k_Ss4YtRrGl`iv@n_Fx^2L+2L*q*=BJxj=%EL+IX&`i^ci05C;f8`R9`?eG3zD;M!HlID3Gjq4Lr5Rlz#HcRL zhJ_KIYxv!is=Wx+Zn6zDi8nulZBY>Mj)&jtUu|$Sbep#E4oQ~cIhLC7rcVa$!a8%W zxc8-1$YLDY%jAb{d{!bH`J$?n@gwtnM~b?s+s{K8gn>i%E(QgUBr`fJ%`<(u77U$4 zxbDf?@2~t!PuN8T_e~i}^ns-Nb5#N@@p-d(n&!H$`RpN4Su&=CF+sMG6F;D4`>kC=%H36G~U zH&ZX+YAzbPrvm<8y14Xdo4AqCpCFm{TZAMk=Zl<}pZJUR05w&lc+W$l@cUa9Q|m4K zvlboP)_x-O1EA!eDeC{^MU>?q{330HEM${6DbPsuORnH>dt2uk!4~PpV@F2{{-m@d z)e^huofCi3o^@^5{E=JQZ<_44MJ>+6=%Tpr^Cpu57y~G0`4njVhWiPcSv-%`&QF%) zO#{y}+)nF+hW4zYIU?j4aU-ASVuX;I@GK8uD5<^_qgI|gU|;lD*;?gT_O-kxjO!-Z zny<6b6{{zuoY>~q&7Jyd^0HwkA=mJoCf9Ewe0ht%TPL{nsVQs!Kn_sfCCQn`{#8WCeV8e$OXXLnX&`qEGAs(FNcx}e= z(xQ+M>gj{36aOmf56v+5$i*! z&>zll%=u>a1Q^ZVeQTHg&PJ8S8;z%S@+|sSH?+iKjNb-OiN*#l*Xo@|3c0ISF}l>e zoeD){+h1xc5t~74|k=B;`X2!gAl)GF53ie7^?2& z^3xuB?~Pw3=1o`bbt%$)(RlHKdq`?3a%(`5(zP(wv#x^4#AI9MOpeI5fcB{A{^!a? z4vcYQFmvfcoqYA`wB$7e`BHZ6e2b)>V}%Hb@EqP_9^D6qFb|^OWv^=IjZb0=Fy3AA z!^`E7{f_)@lkBh`fahyyO>@w%VU%6?+^u(|aElP?r{wUbiT`K|`_DG9e;+?i-85xR zuI7Or5C6^lH0*t}rADyHdJ;CX8DzuiiLXtf1pM5MEe9L*x83~otsDAJdv23Xwjn&LQr(8IIO)!s6 ziL>l5o^k#eR{Rq5qBf_#)UOZp(~)@HsDDVK4fVtdEj#m>lbVcty%KV}x0LI!!?9vm z$x-eToEa;YGgDC*FMp-0ldb@Q?D<1&mk;N5Rv|{{=zt%)y*GMbEBf0aI`f$U0kTGi zE&|>@sOe7N|EzrePx_(%9+&uS&d8$Q%09cj|81p3^UCSRtpFRNV3M(lgm7m!xmq9t zHoT@4saM%=8sxVe+9s^HJ67B{8oH~*cwVZ(UTUJngiy3VBl`wi-ClcZ2Q0w2XjZm6 z8nv$=LTXuAQza)%#7Z$)w*C5Oic~)s><)BJ-*mI{EcXhbFS|1C z)#sZR@1A!HZr=`b4O`GqU47Ox7@4(=KsHn4mLh9#s|IaGu}2b7N&A z77Pnx4+r2zXVWAjiI&1b@}Z>Sp>O|DXZfFXm;XNg^T`$PfwhmaD8I)3ea*gkYAXz2 z#@1o|9CCAH4Gq`MT?EQ7N8JS2mGcc!0T%`9D{e}9mp*X+WN&qdHuyAh+&46&mAZ9w z8!Q!2%H%R(SX0N2dgZYEcoPs=!u*9rXlmN;KVLpT4i$e=;V3A){hZRch%xJbW*lD& zDDiS-Nu#H+L1lfCqN()X*NZrECiu9WSVq{D>gM|50NsT z8Mi{oujV1F*EdxrE*w8|?s@EwJgpK=vJu__5p==S?x_5chDG`C&yw|Px7I`Zg}oma zod@}K+9rPAa^#O|)>?P{hh0brpx6XN;+@_9zZ84yZ^d3?`+WXyJn-<~NVupFkIlX^ z|6Ix`q|pPmF*eL&p#-c9?LB`;)nk!`8~j~EmbjKUf`OERl4GE{?R{W5!-BK7!CxCu zH&LrTdEP0as0*{ri<+SZygsDcIm3D4)99^--(9<<@ERS{_O|fxVJU_Ddo&dZ8=7Cz zw*5x1C`4y2%HgQ=&YJlGH7j(--h%8xN%*Xl26etEdR}4`c>18wuB%RD#U5}wK(J-c z1UBmXbh>)})d{FB#|l7x1@UWTLj+(YFKqZ*FB4kZ>WG^uQCiXAIkjg$F0XM4Vh=ma zly%qlKiPsCo8V?Oh;Q-qZ-7TPlo&+q(3cGo^%S~0<~fw`p91H>q!7*+4rWA`-|*3lMUmf6#c| z)^DS1iIR_7*)92vmm3c$N^DnV<*8Qh6l;kdhSobDI&p6{ZBFS-S;`aN7viDQjgf{y zX%)&65-*BZ2c3PrE(KhL%^FX9fG}IJo-TR1(kGc|s5~Ix^=o5bR%~unRz^V19mB?( zV@|$xqW#?GZff>9VGnlqdkuD1ize~7{7gZjn5>@KyE3sqA*R`7YByC6*7mC)LS9Ry zUkN?w?jB#!u@l;#hw*d~UUZKR%ga2A>u3c#8R&lhQ~hvi@{TGe`NT`H(8MP~t=Ms1 zi9f*9k6wL+)Fr;bWCe|#F$ao|l70M=GcrSf4Gm#}Z!?KC=2A|WMcI;|Wnf;iRF}Ly zm+!E#c+aQ~d>9gwBW@(J-y$dECqO(9Ng*^dalpp4CDA#Xx@?=?q}9Oe9e@h?Xy)AHW7T)*^PXIVbF0>RtViDmmE2Qt&J!)(?gl8g>SJfPUCB`I z1S3RRZ6Pdu&`K6cmJD^gi8g-&k`K#;xI5m2+PKj=tb5gN)RLiL_%FS%XILwB*GGm{ zq4!*dFQh_+?-vu36|yD!3^!)-w)84XI{%_gv$#*i4j5I!6WhC#&Qx#x%QQ4_>mLKc zXKhK0D3<09Wr!xx+~a46CX!Hgg_3(8)K+yGAmvPo0oQJkehqY$Cx!N?CcJd6L2JtA z_>qm$DpH_#(gLn;$Qi*y{F6+KuFN*4t%)WvD(rM;XY=c6L%VJ4I@8{SxM*E#B9=#o zjEx#@aPOSpc(CVzZ%~|7fTfqxI-#Lo(_&Jj2d3QKLAryBB3;(G^r98N@8RuMO?RUAS{8Fru$*%8Q#t z0?s@vo$o#46M0__;^`pg#cw>(BZzq1a}_r_2lC?g&4Fa}^7xH< zM~itF%};DE?)Q5|n>SF@`T8S}3Tm(n0<=8iW4lpC0%fzXElDIdIRvoHFS>t~tqg|A z0uzigixD&?ZvY1Fe0?EX8DvN3q(f#qjXITJ4%hX|YCxB=K|ev#w8)j!JS0y3#9@CfB}zTm4? z8+YaLTnL{z`O5Jr_&VaZUr_1VJ~TI_J>#2h$_3Y(`kYx4`;40lmD>WgIe*Li>%ak{ z!rG9}0g2BK%Syk*h&hw4_${TyOs7GOx&Wl6`;m;=lAqJjs)F}5*JsBeu_k0=z13mA zKCtOTib?gi09OU5{0qQu?2J+}m)M0ZBcR}+@Wfmt--S|9-bqepqC;q+^S~z%q<*lD zoR$siYEyT-g_h#E$1?^mXX>8Idu|(fKVG%E5T?t?^(ija-Jd>Piqm|J969Cn-b#DY z0pVBy&6R3h=|jQTgL*+NfWJV!1X4U8N;N0fXoTUDDf%_Ru_c2y&KzEW1UGH}u3@o= z5Z4FPxn`0M=6Qzm|7kSZM_4rpxG`2y0#3cnfj`djXg=u09c@EX34aT5Q3}JE8sp}& zK^cO;T*^Z_R$cIjj!h_a%@$1@3DU4Cmo-_|8qS9vDi$@ z(B@Bl+aO^PTRXn1?vV=(`kAa2)PsV%OCtjNdcH9__7n(!$Efxr?iIJC<{`9;m5+O& zpWa3Mounwg&(^%UEJ@Oi5NN9O0k&afqugm5T)=U?y#WW>4-b?Nw5VP(u}5~{jO+R(tvD50b|}g`z*;y_uM=* zJP+t^kuG&LOVdc-F=BpGEzdHRYh4!O9$iPZh)=ZI@fcRUFv!7|6+(34@jlFap+QvAW2 zTERv0!1hN8Kh68^Y`Ty&t~(wUd07q%NIabX;CIrO1cXGQ9+@7%a`2h~wEVHzAiu&1 zERFfP=|aA4s&3Uk4(mDiZgs&!I_ihczOQVf48*(=y}MTBUfYlte`pTo#SfgP59*z- zh2~Xm{ zudUJOA6*g`q_lwaWH(tk?Dc-t{G=9GQhx^sfA&1}H&~duzep^gxauBL-kh}U?S^h9NO^Qd@d+mW)^J1E$f&?ri zS;?`sAbz;|ICw$+-BI_8uiN1oc{kdA-?OP*I&$e7} z>!%zy4Fle<)cg`u@Qu(ik9au=j% zL2Yl8FWXf4?(@LQ+y-RgOtY_B;`k<1*gW9Q<26|>6S0bQJrF?gHxEUdS`MhXguWu6 z?QHJAp=0!fdzwD{BwwQ@0!v}RV8f(6exDTQxkhLr(@k11y;Cu}EGZ7MKi%CRs9ixy z5lBOvfXTmrw;N>9lI7F;K|^Dh9hHJ ztDm}vZMkzQ?L}u%DpqMX?5ocHX%o2AvTMs9;-7Vce&;{)v9+t6>ssT3ih*YEw4vdN zPQ9-ieIUIM1;}i5o*9otEHWB`f?gXziLak%ECVIV@G%saMkLre%_G6b^_az+StE!% z?U;sNiYTFwGXQ6^tU%OzTJ4>vmq7TMP3yp}VVBd89ffPywK(qT&QyA{lIcYM<)2E9 zc98b5)HRF)@#R7qGR0P$U?P1~s}SJWb`xbA@EmV~J+k?O=h-aVK8Pn`U}_1Vf(#N= z^4(?*U&oDY>N2(X2mKtdbon_vHKKLa{Fh;z*qA#F zq1U<lPX;O(`q`P9p z7m|`B4>+CslnLZbfw{zSfaA2^pBEUOiA%1{E%xhb`9a`sWyql_kn z;|4qn^1jIwsAI0iJ=Q1wy^YS)gVKqXE_pru9o-3MQ<9yJ-Xsl1W=CjS(5!B04ua2c zhA!$l2GGaMq}{bJS8CnSnoR%=&@n3~7t!4Ew&o0=lh5wn0Ae-FwdMiBwzaKN(Q_D9 zBlstNYj%tE$kq3Mq+9zP?pF+JM2^uhdWe^f4kF9!@ivebH{Vuw1oF4to@I}20{@G$ z29=v;{FhpA0_hF_>1Q|*?whD=6Pf|09B|*Bbl{ygodW07EujA%^s>J9;KsS(n#f0V zN-lz5N4+}oR^hacARTHebc=&>PzmJAW!{iO$ROD{DF@oETnC+*$BM|3AVpQ;QIPG~WXa0FGI|8NH7%15g6AI)IZ`TgyZ2lo%^)x$RV|It;!zL8fq%~q zuiqM+)MA{p&o>RfDZnkby-XaVR{`dPzW$R`O!^4=gdb+e^-E&e)648|hCYIs+6x{d zvu)+ikP&*hWafb^WsK@YSXdpuh0Zk@JvlEEn;UekQL2?j>K0`J-(Hv`qFeuzHEPHbl= z>6P8Ys__b8W3a#^t8vQhtee5@UG1t#pgMPh{sHsZ4;V6bq3am4Nk*>!=B+z$mI8#+ zEXC8pyIhZ7eiRn)`2#xBl{4#OgQF3j0o{aVf|%WNS%L?G%>;l?E(pu}ox;a%hU8v& zv~HwCA_Ndl0_1Oy?jQ_^UtjR(UnniH!`qqyqlyPj>itgo&Pt{wN+l66JlgrTq-)-Z W=XNTo z&=i!IiRSDvU}47YHh_dO0$)V1W5wK)lpV*8@j6X-_tWxhdHog)L%}ujWge>^PFp>? zup$V{&J}@?Ck!>bjM6}%n|owwnMV#yN%-`)=EAbWu9|n{?@qKTiTD0x7jfpp<5tp9ocO?BF2R&b({)IBf9>d;l@eMwvZ38RWS(^~I=!;?Vq^Kh6yP80j}r z0mvRzGHfz^`WFZNOE5_CDTzy{DP-anjDQr-%!`M3baYThx#G-Ytx{-7#%dnkYX%qX z?7Q{|kKP3N=xF-XZ^FIRJ^Ib;&j#`W zr7GRJn69r5T8lxyqtvbB=6+`B_+>? zeGXAxhdmAN+kTIXKI?i@$&a|3+0O5TYB67F*dT0O2388=zwqae*iRJkR~`?<6dHX7 zOOq8-uoHp&J~{8#+*QM>A9+bS6z)uCXe_YqUGor&7}>s%a|i0)^`Rq{Ux82vp2l4R z=u^vFhIYLM8SJpR6}!q-`*3zUHsWyH>X8Wd5Ob$Q#} z%a6mrL*z)r*>5Iec`1r2zW2xuu3Lm|@eD?v-LTqj2;vpiMC_MucgKA@=bm=%=mG<2 z8&;VXaN)GU-0h8llKJ4wZ)cZ*-4b>$!^R8b6O#{)c3JbZ+N828a>!}7@CX+V8R<&T z5~~F|!{`<;#eBxJ&sn9Z@j`A52?XWAKI2K_H^xea`w)WR@yIgPao&rg+E)3WUUy~d zDYV_)5<4OCSLsd*t)&QL6^lZ8vu^$J#rNPlku!pIHjeHyJhcKrj|;}_g9Li(6MBd> zZu<9$Y#fT=Ovfepd+{sTq`9eKUiEqZxqTT3FTNs%+qaI?a^t)yBT=-1Tkg>%&b#0s z=^|NL83>2c5ejUB=Rrr&dnfh3PeIlI!R&pv-=c$z*by+_{8-n(;^BD=g2$ zqL~}41t^yrBuHniv!M1t0nN5p2>X*+Out0AFEz<5EP$+2=NYf2^^Ubbg#5MwzIYp_ zrp4&8$64*?Q$YPNp%vrv<+@(Y)=Lu7r^TSmt&hJFP-RbVr>>~J0pLK6b^gD6sa^Bov{xWBr*Pb0Rg$oww;p3;Le~i;fFFR4a2zsG^ z6|F*-9nN22>(KENh#-L%I&kHJ#*#EOSTI3%!%xxoPtezAC=wY6Prl8hU1&*W52V$Z zPElzep@2y5PU6S7i|=ICUQU+*Qv;oW$i~cXzQ7slxE`E_K$TLW8=ScLZgQg?x6D^; zKZEC)@_ob+6$1KDH8v0RPCzA0P?Pn<5)mApk$?%It?bT;k6snIUq(mkQC!(Y|Ku1fUTLm=@ISbb#~2#ooe zI?(E&J8D+Ukp_c2>HgMJk2~Vifq&a&luFnMsfo+)RlNx=VK<5*aolHUR2)i!ikUbX zwuk2_xL?=0XVP|hSnxO{9!H&GuSf7GfTZ2lr&J*G+_$6=d?sR)!uB`3i=Wa%taB&m z!}@y)gRy`Uz=Pb1wfflKNfhh^E*`dM3cSn4ZBBz45~Whbn_tQvo)X_aa;78aCtGYK(5EA2VnNrI z4H$F6s4V2}m$r1oH0Y7UQ^=GQBE%}q=K>Yl3*~3zqA!GFN+h+18{FKKn~rFFbTMMe zv7fwyJ)MiTSRHu)j=ipv9(4H+T8vpXxCqkfm*QQw)uJxsZZ$WD2*x@S$vOg0nOyCO z)kTPXO3As1Lu0YoVXP(kx@QED?V__$1O+P3Z`iVTL3GvGxgdDNGAGy?Y3Z{JkHIDQK# z#P%@SAzk{ls~cy`G)FxKhRoML>cbIq2!dL%7ZmHnZ#H=|wMr}eoXxKg?1cxhHGk`_ z*5HzrGFZeN4|qEvdS0w#{M1VXi!r!&gX^I*(;oiBi2vgtIGjT!s953s% z*{lF~`qm9s5rp*NTJr^$=<^nQ>TAMLVbwzcx}E(vkrcB=1(gsZ=3cJT(;$9IK=Ke~ zbx|dQd-0&_%sr_SdQ9U{Vw#+cqI5*r^dFI6Zpi$RKwi(Adi7}&`?x_%^|5<@ND2|( zIF{&@wa2V03(BK2kmhzo44`#Gi}o`TXxK=0+x9Ac3{1yVo17FxIRr*@>FCQxtPwy% z8VE*nt_fB>a(Q*pfW?lCfg;hitOP;u>f-P;jPiATQ%S29H^qlQqY>eJStR{(INyn# zSV=q2#?OJ=YSjfmlB}k64m~{KNyqj8SrlMQIli1kE9rq4-lO9;E$K@5;-)++*YO^Z z$JYQ$i>w1Qbeuavk=Wqn{0_rGme!Gc_4+B;+D5nFIR(6Sfs`rI8UAhtttVJQEhj~M z%w0iuxvfit&Ds(0dg@N~o!oDz1SXQh?+a@&*=`j%t)U*l?@T$Hk^qAI=9)#o_e6vR z%pF3_<;rEN*NrhM(S&v3HXVJz(&))bW?HsLPwDS=sN1v#JRyogniKUFS!E_dKet1WN?aw8LtVG)yp{C~ZZ&!E6 z=uT|450xlZKZcBEb)&*Un7L`<3S4&+dA?<&ktAelVNQ6hg`$Yj7^fC^u_#ff?T+WZ zB^V-B`xut?kQ3QoL2|T4Rmcsm2+ml*-ui04>5P`Ky`lQ6G&N`S4Ffk$?;H46<`dO- z^>U!1u~>;f^#l!WK$G>c2*Bz~%XH zu@`Iqfs}?v@9I^+DE#p3ds*SB^wTw)LVXK})ZSpzT~bdACb=GT?8>XPu1!7tqV(hU zJqj*dFvSh0`)IkWCwA2#97wH`xL%(k+77yN_R+Bngwxb{ZD+t;0@qOd9Y-|Q_`X?6 z)AtY~n$5_0}|((^1d>w177!>=ZsHhYR1K zRh*8H>oG!L&hSRfjnct^^-V}EuZqrhxi_Bqh*eSt%gsPI-$NPNT^MagFF%Q!(<$l<#V9ydAXQyv&J3kuEQN zf*eBdX4)go?iX_`^`z_TFU+mZ^LF6$hl17nil}bQ8Z~hU6oSRZX3p4PCv+^<_@r;* zYcqOON&WH3*7FhSl4+DUDSbH0vkCo`HHvtK-YsV>b8C$?G=s!Ca2MsIFw*4-0xj&1 ztPQSD{WABwa}e($Xv{6;W8eYAI$A}wMzF#kmmbhg_c$@S0(i|Oc6fH_>{OOU1|pMW zOr6gJAd|LR>xXZieBV~rO(WfM@Xk^@Xri{>o@i4cgIS@%(d1{2as0)oZ3XR!U ziEW$W&b;WJ17#or+P<34y)*twqHK;fQ8(a>H*xbB(8($O&;~M;p~H4#b5*$KyCczp z=7=`}Qc;;htdA~~UVqL}n?ag9)Yb?uw`zAorL<9y?xXTUBF`@$ghzJjM`%l;qgPXh zsH1HeEcOQjemQH2)luTd`Cw%as6C%^Swi}}^areyZ2!=;N)_nJMLvry4iV!P=4PAf zMJV>CX=Qu58G~`uW~B|+>7}BNfAE*+jx~uIt1e@_$D$Ig&bcdUox7`_NPUZD#vJ__ zQR;E|=Rh`#9DBNW>r2pNMLLU>5D#ZYB(3)Yy;71O)M=SzPCj_GX}A|}8Tr$bZl(bv z3>X&>k>cM;iHI+gXUp?ph?Kpd%V(P~1DXptfW5V&nCeVps7R2!X(S#UbZEeq0+E)f z4jAlf@j1;(h|Uh<%V1FBDUdkb1>4o zRmvPJ1JS9WA*ii~c=01=GuC2zaM+L(=b$&S_)YATA=Q)cUw(INgEWa---s4-$Kg75 zcS)~rG&|qW<&RP%1nemg2i6ZiA;_mc;@g9IM6?%58;8Z4v%2-<3dh}&34P1l9`o?& z8G3xXJ~yC4Zk{E$xWv_=L6WJzJ^?68;xLpd^OIs2) z9!+b$RmV5wPCt>_{$qM-0~!=7&u7OsQO0-G>#wGRm}6ZWP3q9zsnLsk7f$0F^T?aD zbZjo?NLWaxhl(ETS|G7VmS&5QY0&$#J4QbJ>-z)5tylF$>|d=~a>`rq-qSOEi$)Qv zt1CdfGevE(F-I^)spw)g+7s03e9mg;3a`I}642agAesB^qAHE^nPD0s$Zwc7`^8#B zD8A%AvxPhwrhpRAvOQFKj|515<|B|vo5?v_*=Z3Z34-8SHMyJ&6oY1EjF_gzJbq*zKLWzmHLnj=1WWXj^o?$9NiU<)DToNToz)cB-%TgCDIb>-QC&|JScebXc%`7G)_tI zLj>|=m8l}*+5(e^{A$VJ%>&a$%D^w;YpXG0uiebY7U%e;Ua(vl_kh552Gb4d$I&R9 z7*aZ~-&`ErBnpCN$q7b5LrAYMPnH446k3RL@$?}1OeY&MDi@8oQ>U~x9!-~h?CEsQk%+Z1qoO6lwj?t4cL(Ab4r6j+$GRcgPnD zuRwk7!@Z4#5OVfHQT=M+Bnw5B85$-M26ltMbz0laXB+`ppgBM9|t2fb(AA)#$q8Aejh3#km$29ByenjmP&Z zdCu-}|Fym`07r~bpu-a7y~Sj1mA}p6=(-5amTeoHvcZoA_NpJjv!JHTv8DMyf$uMc z+5qmQ;wcdV)66nU?TsM}BBm}`C56Dxh z3e%Y5iP@TGUv0N*Cxlk049Q%OmsyVeJ!6>TIYiHKnc3F5*lLa@%cscKo{)y~jG;0U zR1B7AR?V@8sW8=WsSC6x7|1=dEI2Do-p)@kV|8J_m8)7lCZQ~g#VR*5lIb}_Sl4~l z4v~a_9@BF?xkM&-;_+*_Q$8u;G1{ z94!ta+=@X<%o?$ftS4qZRP1d}ZqG}9`FAo8dl9u+n-xmIr-B9Ff4#iD#Q*=O`tGnM zulE19^;KH6rWO|>#MTO0tf(l+%2TUtTo5U0vQZFR`#+S)3e@jtq;K_}YlQF@@18yDR27R+IfwRk9)8uzE zf#QtWQ9J`8+co|BP9RDrBwDY3LA1G6f;0$155=c0MWZE`zYh%;Hs$kD)dQT%L!)sk zrKUT{BX9}dApLTr<|uJ^?(S1fOV>|Y_%W>LHgE6-H|Rf8uDWid*vu>#jCod2MOO)y zxWTtGNZE*eiyIS3;7lXE&AB3AttN{nWD=S3R_Mx-3S@Cr_I}sV=@sF5RsHd&qYKo1 z2Cf$#ZhYticYnwoy?=zV(-1AQEp~m++LKv+Ip1or@!6BQ(Z&3+>^2>yY!t{TCs!-q zaSX-ZBzDjQ?GhP9WI8brmxCGH=5xY-abD|F*QGl|V+x^I>c%1Btzek#+ z(uau_d}T^8rUe?wX7)2l#@J7|Ou@n$TqqThX2E5FTDB6`0G|-Nl{lodV)SnlvekVP z-0<+`8ZQJ#6NQsjEsa3$dA~BbYl^9N@}>!m@j}rAnk^B#(nKEJ!s1exp+%$W9Ob#( zTOEeSH4p$X&VoH}$a>eH(*8xA{X7xOlncf}o1f^-MJ%`_3^m&_O7|aYw4fkq_a@D2ns$eK4bA z*~|#G2PC07c&=lhJVJCxKLdT!C-%?gc%BsxC)1>ktTC}#iE}^9PJ|C5iLmHa68;!Q z>vT`F31<~9pQHiFNFr?1YHa*R2^3yj{&9JMC;zc@;IaJM)hL79}cGIx?I?}7C zT|!v6FTVdY$#r<=WikIu!>nmP2<8C|&7~tI{J@52l=j3+#8)FXB|-$DBG=_M1mNm$x)MlebEH_Be55P53lK zeWkIR7FG`0rG@n^yZp169^0xKgvaI`3Hjs5(P2Ru7Ks8nSVxx{>ycM{aMIq#x#91% zbS;ezCfwGb0tTW$VxA`xsKm>$1pM$CjqI z_!)XRNwxyLm?TXiyT|1%SlBuG_WQMll%hPggdWw(DG_XItyA4p26Q%6pE^`9v0yfv z@uvOYwDRlf)4ajk^IEKUk*mWmzHLgZacX0p)O>Z08@al!ZL5L;RbAgSoUwY3-0hO) z(Vjvrt$A(xBEe&2Ua=p+$=fTv-I_?0ovak*dTOdR&hjOxTjUD=gns{#@Vbu&Da>+p z;*%2YagBQdVa9frW-er>3$JTdR#Jah2<6Pe$cA8JaEds(B5a8F9D46%y0cD@$fH3n ztn^x&pD|Sho`j2lmd}yGL!M>$Bl9pOu#Aqqe+n+cLl%nGGMTc*uqUADfnpuScK+AW z)WWpluvH-#s+Gd}|3mjFY({bgg2r~ld?6JE#UB4Y?-0xgL--?UTrbAxLpEc&=`4Zj z*ty3J+J`ePE5P=q1w9o(AuT*E4Ge=Yk%vS zvOZ{w_I4ID`u2`?G6dDDTWmM=zKD5Q_4O0Yz`oMpyDV*MQ~IOg8+i@+8qL{}d%n{k znx=At8*`*q?7$i2I)|RvcWC5JY(ZDoTG!zI!MQLxS@o@V&tplCi`T-S{RV&iw@^>` z?pZ_>EWl0SnSM`}wx!7FL`q%0aW=ji{f4t7)>S6I2hW1Xj81Cf4#ZNZBMpBNc<=Ch z!4WZl7d1iNkaIeuMM=dGaq~ON+&s0;+ugFgjxby^2-_>+MFJ^h6Srf{(H|*)a1*#U>oV z{_74o@|G`3xulPsiA~SpK3lN~L!*cCH*ut%SkH?++*@Q<(ELu1%v|bV|CTX8T+zI*>#dq%Q< zwtYs-I>@%jWcjNx*thT&hyYBYny!x#LM1kF)kRW^c^KSgMKn(zdJ>T^izgb{f zQ)~5uKQA|??m_^tsl zNf2&a$*N|k7UD7}7O!jDPOSt!3u_u`LjqdobpDQ2c%|14L6TTFPOS$HG?@-3J;tI? z%k-g&xGDGIA*TW>1!+;Z9sB`=p=+GQQwtfS-Ak+KHFa6ncp% z%9mdXLmoP+;H^A`Bck3Wi_Z2)Sy7kgmBg6YF=-KIrLWMZPQKUU!LFo$SLDk*&h`fF6An_xMasJ7_*IY~2Gh^%HsH6X4 z1aqI4wxI$pXOrpVUZ8c`6d9jn)>`=X2+^sr#=hz!o#&!Z_-OK$R-DpF~eb1fnuzAP;k@@?&5Wtei3LCxRzy3#o0tm^On0mPjnM zH&%1dDqePHr}zd~B)MJAgEm%|JgxD6OL6lWQr8uG-d7<9=>f)E&45*BeF9@@(sWvY zyO2WaVCrUwnFq;|h5kiNw1t8D&p;Zbeum>v!lfZb+B|r+?(e?8ri@LUgiLzi%X$An zxxfory>=o+neoMsqNUJ<-TJb+&?{r+1+$F}*at{d7^&b@>`o3}9S0&LCAF9{?8U z@vo!1%6haJM>V%!O>0!e&D5*w9IDD&t@q0(&LjOIqN3oMR&So^qGQ@}< z7Z~;6YINi;zS6Ov*KqV@XdmoPtI$(;Sw$L!V@Rk+`?8eT zPfqL9@j&)CqEOuBOR5z98R8JayDEn=ga7R92H72sbnh%E4ofOyi8S&XAtOmNPTiZ) z_%t6@BILPFTIJX^Y9nIe#s#@~ow2L$Gq7e=sZp$QL7A(jl}dm8f*G&kjOLo&DQYFv z86@=&V@7{^e5K>sx{(RR9w&A6;t$-skg3*?J08W1@y}2Gc%z&71WfdSq`3q^|K2N< z(tgAG3RW$_&31LPMbz@-b9ujodzJdJ`h0koa}KRpbaz%hoMY71f$O!G?smWX<1>rSx#*hail@OSD4enqO=6R zHe~#o92Yd_0cQO8k6xnM27n62Cl=J)@z}A{Wl$;=l{LX~DY4;IsFfN+v{0vRDjBde~ZdI@#Aer+)` zx89+M&asMOJ?#+Y?c7f1jmjIr=;848GpEP|z;CNUJtV8{9kvzV9@0*tEoQixqN*>$ zF0@t?2x1rEufPFAvAVPh^JGPi-eJX6ahv8m2D?GyMf31R=7J)3jJenm%Y5Ot!OEGr zaI)a34^v*vnL!F#?hl_O+S_e4JE?2#7XFNB^|W&03#mbcn2$6Jnmno103KKX8=z61 zB?DSa+nO=5gcg#NzPNV*;4lY3`*fKmIDwC!!Lh3r>P%uWhBQDT?IZZrli{HTf#`e) z7E!xL%hLuJ#7v-Ffl0Ih5`(cvHE#W|NLMR{ir*vV`swR#MI&xfporAS^HjtWZ#UF< z1`WMax-eI;`czO1ZKDA4>(bI9joGH&N%4juw*_Exknw)9$|_Vwq4oFfLO=c-WQdAm z$s703Aa?)S?V0(d*c|S6KIU57#bErv#a?^77AHeUx0tfLkIT1jA$tpovwe%YY0^hE z0!{I6gCBB3njQILx0b07(2h_#o$pbeJ0D-2HD?j-lkU(o_2bk(oM$=Pxt@P8U;H0e zP3B+f$sRWgfLlNzrbjKV2wjxy8N6s)_HOs}tezTh-<^X0Q) z=j}ae)?_l~*w5HLhk1v{+PB~O_eg6FyO!gFwY}r9)lE|ZGI-J&Xcu}6NyOt+ta_n7S@n{xHT(9o6QsaUrnw#0aY2xQzm3e&Y) z70*O2>Z;bRK;Qgs%st%~tt3@(<7vbJ%D(TX5ZU7BdbI>FC@0SFM6*^+D>=W!p2>FI z+k|Y22MQ3suGw$Qnqo)nbz~Mr`^O&*)j2QxOX~AY{Vx-JK*e7B#T}v8pnw1B81Q1z zOJifsntyl?hJ}Y677L=IPz1aSr>TVQGxlw1C6^j=6Cbtcl6(yg-(bx=A2(F}csj8q zHN?xBW?REm7?(14h}9Zf0srokzigqhSUA=#*p$uAHJyi#J0v==y!Kr$q0m9@HUj&sYf%) z%&LsCmlJ{bbfVfD=4Bb^mNR5&hT~l^UjW^Zt0DKo~k}6(4lzV zMNfCV9~f?DmHrDUjQuLc(1M}aV^=;I3BZ~)AXAN8Xb|LY&WqFLN{Mfbl-GjSM%AA< zldOH65pg^*=OMHlo`oBjC)-2@VnclPih6dW&Yktl|D-EtQI@Day8h5BPM8}}mtaqP z96%k_TsiNHy=CK@)0V{Pq&13MzIGb~&4uF_^O6L}TKuLvHcH>X(>$LF=s-E;9}e*; zvmhyrHMH1YY*kU4(vWuLFG1quKTi8k{^N^~Uo@%yRJ+9!MPKfHmCVr5T^%NO9)d!f zE2i!rL*$xQ{0%3z5bMhOI=Lz6H z!xrJZcf@R}kw+4tft`p>?-y|e?tPCtvcg#H&;{J&$c+7+9;&&qLVp?eZcn<66)HT< zEbA06WNq(5ynj!DD*G;-V%4d!g)!JlkUom3z~fz1@Qa(cP=7IQbUsjXvrs|AE=U7? zojYrRDBGPcstpqgU)i6FxfO)V<952A;=fkXlKcKDm|A-MP<-c<#<3qR?S69cQC-n( z)&9nz+xzo2-?7K?8NsMx`h?qOow8hOvrbh2z5lhP8sqM%p-(bGmst-q zUf^+6X_I?44|cpzA=vlCa#lD#8jzq0f=z#cFB=u?TCtT8LF2u?tD(B3^%*o<4E?>F zFvOZxVQ9+MhGC)~nIw%wQ#Y&EKido1n=h8-kwYrE(&(nIp`CMd6Ct8;t1lAn32S|v zJH!__Vs)Oawf)9BBH}y(bHChqX>`p}#N>1CQSml%dy6f;R-Lvv8!EbY1knMaG+1^7 zwrMdshed}~3%Gw#=T2p)$J`+jCn}! zrtEpW>_F^5-MOXqhqL-awxox9g>0UxyGLa0sQ0A6l5MOr_+}oTxe`+o(g|RP!CV2U zL32^e>ZiEY@`9M`{*E0j${*ypibG!g$WMusBD%q!7bE8wW*vT-Y7KXvBX(7DFP#oQhH%-HSxFj)scjB+}L-1q^$OJwXn;&m{2AQ?WKwL@tOlMXEDp*2=>6F=T; zH|D+OVI!;1!mN?jG*-^&&XEE%O6fsF|KNddDhUr27Zj!ND{Qy7Y~P1eO4 ziu(ok?bsGH*Hb40>g7+QkUCY2B59G}_cq_T>0QLES z4GsnM$CCRekQ2J23Wv^e-fl``2R({eIZ*LbeMN1Y#*L=-IU)|fjxaA#kOFmX$bql* zU1XCo*gP5XCRI;5TNf3UI5J7L3m`vI zT~Gs58dfe@#AyI;AXQUnHoXHBnb3u#oDNYY2axiC;yE zk5e&gc|2-^yaQ?g1ch}ffc!Qb_Sd{stU1Vh*Cx6l$~} z6~=iSUxWTF^Nw`2Hoyj-Ng~;ikT(R`jRcM$TF?4XJS_WQa74O!f|T8b*@pf_{I@B? zO9o}aCwH9b(ibSN#ZA5zK>#+_|&}y|j--96DJ^9*-llw>3j?UT;8^1J5s+kvQ6#-{_9Uga5+{&Wl1%Jt4Hw-iCJ zX?6>*`wp#+BXh%$k-9sYo_J{j4WBkvhRwhaQDH}tmxs4Z8$UN5dsA0pCZoBVf;^GE zF6Ir9Fdm}3taR)?(hUULI%Nv%qzqfZoL_DxixBGHuKHx6z6?s6Iu;T zw@)9=Q^4Kwib}e6Ct~`pt2?o)R$!bz%M)KGLrv0g>Pw&~JqRC*3}+1*wR)FzA=UR? zqTY2d5^15+m-1sVf!Hnz&9G}l+Q4^H%tA{UyTlhQP$Ao0_`r?Y4jmS2$2~4R`F*FJ z6&ur93XN2K%J`s(v{_(X?6g8liCq*~y1tEO^3X~C(SPB>xJw+rrx%L~Sa_rKZx2k;%34L@oRxeHU}|IcplzQDM9+f&>D_M&!Si~FPRo#bAV*|$axPaiNpq47f$*2c z5TCMnr*!0aLD#X%i~Zuf0%!RamSnls-h&jg&j z>lJjK7<=2AwOXU}eZ3Rx%uRclEOk$)Y;g0m{((7!+)DYzW;5njn0_K%CZ{r{wi~}v z*pLET51PcY1Titj%=9G4j$f3^KHN(7(uMq_Z0enGsFe~y=uF@(#SA@3aB`hN(^N-U zodUEg$}?o%3 z!i(XX8MM?e8I^NF_i2&`tuXe5<^c`sawiCp&)u4}*D%-=>WJt}#xBY41HCFmE6|ne$ft&Sa^K!VBM{%kB^(2-lEh;L$t8 z_M_WVmSV-c{S%g4pCp;`L)Gk;U&d3jgRBjA`96~)uGnQR!rKk@<;N~NRgJ7Iare6) zPf6~Z^Qd@=W46OQvnR<8Q5y&2!=thsb|4`?)dBEWbWBrq7_l1o84Ip$hh48guDn{} z(S>oP$U4~(3c~De;z`30?WS5be}Bni&Bu5eK5~|ZR53P3frnQo6Z_~I z?c?z>salQs0)?3tTRRLzwhL5vG`Q-*$V;-~cp^dH+kZuG@#|vCh_9ERc`g7Ba0mK` zdh?TXix(xWVuFQ+1bR;n3=b~p{67Z#Y~!QyJt|Ht{@$!`x9a0>5f$heW!08>GA?K4 z@SMi+J_-8kBX+xIUB@O)r{E(i94q)uuM_Iyu*RzRwa`gJ!2yi3l&Osw^R!)fvx*TF zQhvfQV%_g}GAGc$ddY=l#d3IrCIcyn!$^qVLYDl)zOgdaC3&vtj<+!>6IzK@zY@4I z#nn_!WI<33#5}%6=k&mA=K5b~cEko}3zUnsReb^XW{*6a@21%E6Eye1_4l;7)QWO&Nji$rXERF@m z=Sh+U556CV<0lmv5iSQTbc^xshe|8^n?J2LHhZ)q@(aMQLY>zh;PwgP9|^qsm{Ib3z5B2f`iQ+Yy2!Is?}!)1 zxCvt1PJlA|AlBA+^)So+Z-GJf{DawsMS8pEbgQ8ymuWzKVuJgVmcx6vLL!s2MY93g zj4-!}t=_XjW>XT1>Sze_^<}N91z^8Ru-mMf?jM0hY za_$(ms3imXqWzbNlfJ&d-SEJ9;-(KVUyyZvl%*G&sG%jw;Jk-9H0$J_E48Bwib7O; z<$+wVjPgJJBCe}EZ*!T3iJ*;tk599;*b z!Yy}FylhDI;&}r8#o`+j$BMxtRQsO@aR4Z*o0{?&NGmUam+Zib(K!-Rxiv~#66wKc zRVy$O6CPWUXdx;?v~jzGkU*5?I``=4WA3CN6ZH z8Uf(F@M~I6Jb%ZdtI541JJR&vaTHZM9n6{{NV{Jz)jp7D6&^TfofaDa2lcZ9r2#VA13B%a>Y~#iD)(?4oNmATxZWa-LzWC0 zA#AsbM#YYuktYqNjcwR}i?3%7?2=eMevkk(gZE%_NP}P~;h>7x>b{4qwglF|$$W3t zv%#%LW4hwQ55_|VPl@?Ht5u+V)YaI|SV=Bd$4-x)L5A8;a6TuzzSV0D(ays*WS z`f}LNyC=$fNG(yGj+FE8VA-Xnrkrw9Yyp0b<5NVHD`vZ*Hu$kND(`}R2~g`UA3c6; z-}9#53yep-f>T}=B|$oQT)dYULPL*#szE$dAS7DF|U4D-! zu^(cq6$U6#?0l2J!A*a{)85&tFsx~tNTY}X=27Ux&|sAcO{}wnVpl}$AFHPtf^!Ce zKcWF1G=2+%XF!D2|c#DW1?oO5!mbj|^63+Ymb074WjSiQ6YQnjieFsC#y zO)X|%cw%;G8AC?%?57`-dCp;I;~}h5Q+Ew!dA6WrmNg4=XHgy;%>+z5~;F!F!0gjv#tHhcG8;F>WvQP0FI%opeY(3jK3KW9?rkDyQqI=W)8$#SPPuwwR|YTF zl*zg9T|RpKA74YzUDw!jpL6QE%IA5!LAtb3f7&yqJ>0J-L{dlwgCV?;a>3#IAawgk z+U9!=_7#-`XJ~Yk%<I1);&vRdJ1dkhb)~Mw_{z<0sFs)fLGTYmtTUWS1$z`0 zfsomt4R&E-hbK$!$C`yp46`kYj!HEEw@RNaZ7;T9@aW|dR3AsuWM~;;qNCA_?E5#) zt7nam4g_;$AC0{rOeG-CsV}q~!*PfD$Bu3mUN%CkOx`UID6qUR^yt{N0KJ}dre*Cbq?V+ zm$7f-5Z!u zbh)O!O~i`L{1ggt@M8}l$oWwkt01SnF9iWUR*p>m{f>__`NU42?ARr{S30n^po^}G z)skpKraZ?rIB8FRUhd$d761mAXLFO@0{xWZV+fZo_CuSd5pf%q3Nntap5XK= z=%<4H8C8ZQ`^c_8OB=+(YS-?1&F+MM>-GRqBH#nlvh}eCjM?8wT$&YKw~2x{ znzHUHvs;1hhFEFMX4QrHWT3jfAR{YTuCkP~?yuB!l8k-leb4ZG?uZ;NAWq7aB9H`P zMjCqB*LQ{qTYYOMc~>bMA1D`eRjCc}_9vNqzurfoA$3)X)BKX6h#j$}uN*r@n_9-0 zo-L;sRv!P^ee%DDCy_gMYy8%vFC^KOk50K*RF}Oup-A%61y674KwDFY96)-+r@uE-Z&@_U8+_ zSMIYoPRckBL8G+D;IYGw*}S1*;2<(T*fAr`8_s_UjOM-Ru^3;BKTNYIa>w%1r)0v( z$uj$YcL8LF?dbxe%D7L#h0}&;P46^I(!f72fC!i(W_mnOQ0HkS*Cd~W@&64q&j8)} z0uW=`>*jZsab@wB4e`Sn8@C48;dmwb>gik+T>%$HufoPsN2?PVw}Cl*hFA?IGzY>@ z*xY`ZwiR{GtPepBzFDo2-7Q|5#F0JR47^`iA>DQj@u8Zh@)RksVson$ z7a;q|>~9cL`sSTpN`9q~Qac-nO_KgT!rGWX|2l5(83rTAV!92dOSypVY1i zLQ>={>{xf5Ba5YJPJ|8hNYym>>Y!Kng3zrQEP1QQ*ZYE6a{&h}Qwur>_7x7Sww#*y z->46M`qV?SCV(EABy(QjXi-%y6Xu%N+9GYrI_4OH?!rKroYE6BxXeNYi+fCk;S59){{Mj8y;GL%wI3$ji1>5T7w)!GiUqbB$l~9 zPaEHPr6mXZN0SA|OUeXz9LFMg4UW<0G?Z8^DxwCZDF zRT%c8oN#q4?|8u!Z8C>ry5W-+RJ3f`JAb4W7Sf}H@&$Omo+YS^pPpb%)S|#~_ZA;} zJ0D+pcIUDHuP^_ad^zUDJr+ZMc_ein?SuJ+ZR|Sx+p(YH2mkrmgAzEtf^Q+G5 z2>Ww$cczd|!z*KGBtX0@fMU(b065d#? zXssf4AhYq)y6XuPN5CF*Q;;UpNM1Ito0k+M(`F}?(z~g2d?&Ls5w4Ap!<)~Yj>G~7 z!t?)aoY}1wyd5A~t{B(bLNVhr1l9ua+Jd-fBOoqE$_Lolt8zZ)*H{pj#fL20CSn1= zi-L*iQKFqv%iT6^t`s9^=%D312yT zlT7G0LG=4E9{L!gz8bz0fOo)-tirEUf5lc?L2;xcBIBJ51j}n*F-B@BZabIX);1cH z+*qMdQOpN1fW|y%u!_oMtKYt`#s@#z0NXu@l;a52_#}-aUOK9|g$p;3@vnbcKk>w* zis#L|zpwg^C{HhaHv1ffT$XlyGxY4cOS(V6-X2YFhP7-s(VhsLv7VZuTp~xM*7O&9 z{6JRTb#!v5lL_<6&9Aph+D779d-ch@2Dkb&k1jhw;d?m+LTvB^ij{X2!Hrn2mLG}_ z*wD8|>BD3W)pFz5m&Q7+D)1kX+Utm8t-yc-sm;JZ@H&*CkctG^F#TwuLS=qGM(Lq_ zir)Yu?AR%b;b6!dAB*HbQXKu?;0WB5mW!<2V!+cbvGDriWs;ZSSh-~n2x_aMby{Kf zjCip@bj0djS%#Dv&&Z1INhA7W~tz;e2w$FRrAv8y8PyfnPU5}F*;=}2Iu9)F79 z_!7*bk8x-g^%CzuVX@$oj|2R5f{j)G$G-SKAEO*8dyZg(%=ao@t6QjM5o5{H;<)n= zih7p)Yor5r2-wCNW%P!ncwA}NI|+z)^bvb~8WJTK?(+2$D7e%6|pdXPh_r|I&S=iSt7H-Nfnau3JIV?AC-&1DXwvEU!`}U7U=Nu)#g|n~c**?odiw?-Yk}vwVf&$`Q*{B@^f#jJlbI#}hIbC`dCVpCn17b|50?l}0 zR_U`~OY0FB#h27*s`md2nNg+R^yF9~GLk3P`R;W#_cMut5%kb!QRK2H>;HNbEeMEz zVi;`YC|snt>arE6C*xUP?W7|wj1tw-c5+R8$XluuDqDarX0HC|GQb%IlB=GoCmcT< zGUQ(0FXJ{D%$oV6&fyrc?x7t!nXBJcr>|zbwlZsSQp43iORs>7h_V6OfEeT7JiI-p zKWXRAKzw9+kiq!9W8x#pDzL126WU^^0!zKpjoVyVz16TQYYd>xD-_npl@6|O*5o%t zE7E@)ORmpG8urjvDn-gYCVjN}z3Blf5B)C1%aYg!;N)!t*h4apeR$ZG)tAef{_8Q}-P-(h1|8Mz>%*r)|9I<10lSd;N5PW;Ij&3!#LOf3xE3MrH5%i3 z-zSlA?mGw@-H>*%+NQixK|DLt9^TWv3Nziw@*rzZX{Jh7|NP%|IqX`V9dUbH%sKcx zaVumC9Z+$2vw}1n1HnoNfx^)YN&XoRfJL7R<_L}kw?je%-*Ln?c&#A>NrZpjEr;{Z z^3rinuorX)3(MzKkDY2 z5M|Wjp+m%80a0eAb%CIZ+QwG^El<8H6)bXOjf@Zg<2(q22@2a;0B0C<(+MrkBnN)v za^=y74=uK_k0OvQ)8?(j+6i(wr}jah!0;7!`4KAj6(PuwG-N~Sq#BIwTf0n`oxRd^ z^zM|ikTE>*ndUNj{B0q8ZL;qR=VgY8fqz}ws?lZ6oB7L%F+=p1@2mYp#F#_+%C_$# zfjf+D(Cym`sHh-Wd`(|6h*M+3#+{t^sa z7F0T8Neh{wTLlI{6bv~rPY_NfZX)^_lJ<8OpFGEgguG6J7BX)fekK>5)@(CW;J{4C zIx{xiytmV=!Ma1oqne)jWycFBJ8kWU# zeD#CgWq6i(*uvvoc{ONB19st}Vz5|9!9NHhNO%{n$Kc^9V9k&UcncNv8G3Uo3-3^I zRDyehdMS!k09#F#Bt~7)@a&nCCRNQOuO9=8z-o32Ak@r%037_DyDE%(s~~`1=qXdTuM`qh?9}J@ zhEhV%_1HasZ^iFBO*}p_agI25SlQd8U%NW^@6p_+?$Zr_Z_wj*go>c8tE~n)H&yEk zloRPL8iK}_Kk>hSsUhoRikT$Nc^@n_h2WeMgSGg{<5hz29r(+SuB^}#avsbB=Y&gr ztrb6^cT0u%WDX9N!L6yue86fv#m)9HfM2?Y5&!B5t2=Hb zR%2;!Wn(`K^z!i;#G-d?#X8R5me{7M4xRq94f|c%+Zc&1>c6tfaEc@g$-Byg(W%}cqa~VEw&FX`CPT10w(CehJRLke9W{)8!F*GmY=KD`M zLiX8X7j+-JB#8X|?CP7^ZHq~nupRg@iw61N?7R5Kvcf2fZ=3rJh+DvcgJJJUHvkc6 zx#vFrY^MeCm~TGY!n(Z@Duod-P1h5gL#q=^E4D%pVlO7+Ie4o8n2z?{WBk>8sR*TY zR#CJxdx_ynPJ)yX{*xr0@&uXSEb)u0I!{inj6O&6oxZk?N5=ob$jzE0kp8M;QeiH0Uir{u7j{o-B{1DmJZaucq(lg5R=GPVH1b$w&WIy7+WjDAEx zJiY?n9~lL;%eMO>W`i~?-P=@sj#VO7E6Rape6;4c9B#<&dm|ErCGXf*hOLw7#{`ze zm>ly%@2HXv%iakIDx9|lsQ$;FDng(3F3rRP-Cy?!TD$fHofqZ^RN_o;xJ#HD_T+?E zdgPlSqx_b;e0i&nR~U#=0M^%Y45=7P{v?}x%1|pZUDzL|br}6fr`WEzhkU-h%h9Jb zM=iDe6B@^|U7sEKm=V!>72=qgBT}DCjym@QPQ!cTxk$XPNg_sRUB*EaP*-SD5NXg> z2Ruxk7Kd|8+sy=3e6+#4*t^iUFO7h%iz-VopG3+ylB4f+xtgl<7}J)_&E{Na@ z=CDcGo03Dk-}s8!i+o{gzn3bln*Yk#_R58$J51#K3qse-Wmh!D8+n~OeyY236qDO^ z$NTK)3G=(C{rlf=R zVxpiF++rt(fn#Revh-|Ly(h>wcxhjvSQyK8<)#Cq{i>|6-&lKq$8da0;_6wIYr-l% z`({))Z~}~P!{pF^d$tv112f?cq9tcdi2d@Kv8PKwio(4X=)tYnI|%&=cdb3yiDFYa zJlDG5>?kpuQ_^ssO-*B~@ zRm%-{J+jSacpd~bxdyV(yUS_F52f}o)*Q+VzK31t!kBX$XoOyBx(#Lm)pY8`W0Esk+qK4sArtkJRQ7Cn&&oa$TXF^ z{5Aiac#D09dX(to9ZZCVnXp0AKJ5Y~^h<0i zE+26D+a}*t5Qb7JmNoew$XmD3Rg2wAe%VbC1Tz(zDvWNr{(zWZS;NR~=$P7&f$}+c zxR(2)!VQFL4{~z@(PYk4!Es*%kvFc1Hs(#mZ>U?Lx|J%O=@OtT_b6XM8$A%lO$q03 zZ`yhOtY1olm8&vFPC4KBr6ODxbb_VX!V8%4VgP4ru%jWBHP0qNZwbLz)3i88`E%+W+aeys2t24rsemr z;wc<2j@Y8xVkFE$i>lx+agIIS&C!Z>wdvs@+wSR)yHugfV7pw}P8iI9*bo+*&#|<$ zLM~Q^&@Hs6h1jJ2*P>R?KarZN#iy}Ovnq8#!UoNjn-w_cI9T`F`eb)lRp(8Wlzv78 z*9}WK8^*JG@7uJ(!%x?5F3pv_+kUeX7Ox&3Dj$C+bp5PT_{Q5v}GqoqtGUH0yC5la%zA;g7 z$O!pr9EqbWHs)^SVv9anFLS;>f9BT1Is)6*da>P$;Is=Y=j`OjQ@&9p1WhJp2W|EU zb^zOM`hCjPd!n}(Hm=m@HhEq!-P=rakBd9QSt2lIuwW~x0d@X=WPJ-*Oxypyd+x*O zkV_hLD3Z`|={7q;NRp5wa|n}f(n->7n$77Xi3Z(7H7dlBl2p2Gbid7%=w8!hrs+CU zGu6zV*|Yb5O`Pxd_dNe+J-Qj5Y3;Q>>;1g%`}wS!peSgG`o*4L=|)_3-R#xqpvjjs zE(ZV3cuyMz+H4rH1ujYhpf`Mpvz*+;@ji(a0UWr3;B?cZsx~U6jV3KJgyn8Rbd(io z0??4E;o0*Yw`x#1S%d^IB(Wi2V3CIZ)Y$_Hfr6y)`EO67&`&BE7W4v@T`C{E+Q7OQ^;bQjya(=-rqPp zmi*k=HNMRml4SZYh4_%1f)PL~>wajxayTT7lkt|)20w+?;6r)5As25iLw?Yw3(-FbFW(|>57uW^@699^6MUGTXRAZzLGPQqf} z!hO^@+0KWnmwcFZl3eiduaghPS5fmmb@MG83g!%5EV0U-FvQ+Hp6VK!PXirl>@pxcBt{e~pqD`y7`g;Lv^l1h*UR0&FuRgF_jq#-yc32CcR zHOx)~^&s=At36KZ)hrg2r)1ymQ?=l5_bu%uzm4^D->_N3Tf&_Pn+R8Jqw%TWs)fOO zZivhMA=JNQ|E3m;;>)V$55}~}hep3Z@$Yl$TT~60Cutv$^BOz18nkK;CuMYK9dhSz z2V6S^e%y8mqbC$v{S!qaj_9!H1R{0#*OFjS_5eu01oYNJe<-rpiAlzYZ zB#Jh(RB)Xze9Fp22!QrgU<7QINJWFrs`=*)s2X0oYOPlAR0SfSd7Gzx1Z29j>=gJ8 zS1R5ta|5o+b={qp@mER9S^rvZIX`uB%^$eiyU;t3H)Ar%l+QjRa}A3Q_C z!f8Tk-1am!moUScLf29p;VY&Rsm|C)Uyw~|Sj4$@5!}KX?|)U;PX3;pFSP;BQw~~s zj5CpU1L_6mDTCK-m4Td6!_jcP0-&y6c6;@6)ZXp5IW=HZV$R2xO7mwiR#!j zDaU3MVM26@NW>a4l*z{@qu8H4aOpV#SD^$~2xNK#5gc^Rd=Pdf!S4~wj zC9NK1>W}uDxlMMcIs6ok8*~ny|D}Tb$l->6E!GM|C`_!c%F>@ECkfGjjyBoaY}78>fG*S zTscFRJVcV@M_6ZN*MS?kj^4Df?%Q`p5T_CO>-q?He}>J#*$1E4(f@Ep-z1w@-O6(5 zqa?{VXE!P74|mr2S9sGwL$3&OSF-mjv$#{T>!9qeG!PI?_l^ z{&F;_6dFX+e#`6WS%cl7JdyGGb^EJ9(^)8v#@8gedfmt7Lit%w7hZNc zQJOs2VN}J1JCpAiTMd!?@p#)9nlMGXyu=`88;dsq%Ln?-GNY{}F^paPy0-M(e!aype!Dm$to|d8JsdU0 zuU9WR`(@#GyOdZcM=+$9|7ZOi&^#Rk_V5IwUO6ym082nebp0SS<{pR!cT&GJq%BWj zlm`nyclI&t)@i>B2}bn2vqvE{br_& z-PM&53Mt}ZQ)X@(?e7Jg>UxnObfx|cyan7-WHL_cY4pZIIC#=%eVWJ{vlz3JxgF(< zPz&H?BjB#AfD(^&LazIhb53MX#5SZE3e+E<*i#P$)VNDgcA_684udi|$(P~o9|LC=@ zeS#^J!d!}U|L^vntq#|v91LIQe{t^|yJ>Ui)pJr>I+{X9gZxB96t&L%SJ+#rOEkf& zZGnfcTe}jfL@FU^{$HBiGKKokb4-EYp+tMCG(rmc`(I|t$UaxQIHHq2mmUm0A*#88 zExjTeo=GLGV-#go1go9BskZ;I7qv(7gJaed#5^f;k#dv1-8;BhgPw2gpob@bUX1O=CQc<SIqP~sNV=~U_yF)nn zkCsFN1b51>R{2JeEKL@IO}VQh!Jqi5h(_5L8@?}5s=3i;U!Vu{Dyv2{ z?I@numG9gRqI?i{(d+3WTugQ#Fci-5>rOvGo!G(=$;0gS2rE3KHb#7q_0>qIOPlew zaFJG*<Rv`O2}_o4`9azjMR7R`JJ$Zsm^{zWv!kQ~4`aMKTk$qqyDiYDyj~Pi|`#J(ir} zWG=U(xE^B(xKBinICPHbAWdAtqSl=);wr!Rn?nAA={4gVUQroX97Hp^+`D>vc4}y9 z+astE-b-=y#X|`D3c-~M!igv%T*n|~6|S1u?n|Sh8+gXoG|>!=L2%(}JA@A_)Qm@xh2%bdhTM{IokJuI%Jz9N-V}Z_O6#G?IY_Z3 zF)Afh-?{|KK+lC0wQ6tY#Bi>OQQ&s3R7?1U!Mm_#~ z$P?$K2{J$9;_5Ht-`Ps8ww#3z=SC>gWIL7BV@L*-6{EZeqby9cm9Wsc3rQuMZuil~ zQ>Vf7cEJaNp`c16ic|tbj2p!F&0{g`(B`Y%V@euok7_W~yPaN$^g=c?EzYvT9q`u% z`otzM=y9|tI2u;h&V%!_<~i?2r7tyCj^myMZ&sH@159ckJK@Xyf80-D5! z@%zec(T_5d-#1&%*$RAsjjX}f<|9TFe*I4LZ4rqZL+9s&x%HZ-e$L5x6&FXQ^cwC! zhm*%J49eZQ(WO#+Wg>my-VMU22|HsESRP$=h0)du-8H=yG_jN7FvXchi$C>I2rRj~ zQzd6nPlE;r;-RF7MXx>0`6iAL81$ME?VCSsRhmeVKc-(Ktf*qhiaerSJEp@dW>vVy zdA&!5(lBS@{l2Hq{uU!B6}vbpIKMFZqeacKJrqaG2qBK#V-Iwm0%3kB3<6jOv;@A3 z@X33tBE3&d;BNd?d@9&HT`e+ws?lKDzMzHH-xAMdR2rgV zu$A~6y{hKEHCpSlnxd(ttH`#V(|n^Xcwfl-k=oU=&fQb_UYqIc)_;(iI+x>98a}S$ zdI{3(BRQlIHZN}n-IJ5$RApF8vd#6bbnp)QXk?F82gC8K@m=J-t2%rcau>Tj5tVzx z1kY?x$MK8$qqMdhOH_h!D!mP)ywEvx4mcNv0#et!q;7y)zs$Q`LFH&;(KU=9JQ;3g zQA~+&VvSZWEJ0*{b#sO>@7^%?8YmP|g(NLcPzt>iTGFvP;MU~gRRID;$mIK0AhoBHulQ9E*JGn&kT3g!Az>O_qI zGwBRG^k z=YYP&XlmD!axWX2m?3dc#xw*TFLyp+n6WCxzc-;JhdWNu#1`#wX!P6#glOnoJ+ac zY&gQkF(*o+3z2iz5-}1T2>WhQHRir%idHjMf*TMLAFP7tg~#)vz@!??{&jK*^U1)= zScOy~S^R+e!9O;tsTEe9Z ztF~ugZ?Hj{fQnOkwa3Y=F%!;LN-qsTrR1S|>5dbEW%*yfL8Y1Y{H7aW%1Y!0qk&e9 zwwOtr=4tUwHY3-X>YLFnq!*4Eq&Ip7@ZC0Pynj0%U4ESis}tnLvnXZDo$-jYvxm`< z1D2>bFN)4hy$}f9nh~#@yIHZ+N70`o3=W_CguX+Ipcj`Iy5OI6~C6 zfy`jIyj;A+<}WH5@xb*{8eQH_M2K?E1m+BdkOD>+FX_B@xGiOP0}JNYD&4@WzcfJ03%;tgG?j?C3 zUiabYaGEvyrnL+o=m117k_&qg@_a?~jRVDB8nC$8J1Pb7%Fo)iNF?#un}efM<6JfQ z8QG|U-0-NgU_Bh~T4~9SA8v8BT#E_ri;ajiCCLB zrgLR-jr`sQXQ31To(Q`_NyO(}lCE1WCNJrY-qxjNp%MWaXIUYOuzAYd){DJW?0jLl zFh8EG#kXTgN_ykzjei=%Ga3A?y~cKw0Dv7S{87xY(OrN95%%S3)H}+x9A#**3~oTf zN%AfhK6zxij|yBROmJLggDHLUf5xC57mft}`Tu_ixt3Dppin)8L^oK_rGw#G0SQN5 z6VK>8g;Yphd35D1`%%zx*cE}N=-d(OjguVQ>j|qi7AP}A?-5;B@CU~*qm_Fdjk1{HlHF$o zUx>FAMT|jfyhW3A{Eyd?qcU?-bFI6|*m-9U$u&JGQ-gCpEDzQUXKfF7R-LR*8c(AC zTFww`;BH+~Mh;Kc0zh4xC3occZ*I6g>>IyBgx67!Q)3Qi7h5p^NS#!y% z#Dz8Voc~UzYY9`#`7uzO8Qb3hBCSa5e*HN(#7M&9?Z`>3I;8|t7)XYNU}@$7@ZCVZ z4hV{7&@n<_-wx%pGA>|UTG(M+afd$q*<^>?g~yJ^yoZMHp!u^IE(~I~Vh9_l<)}T8 z!u-=;-e8UbntN>oB!T1(>M_~z$Tj_B%#y=7)4PGYV_k96D3;=e$chwiL+;~yr@7n- z?p#jaMfu&QFXR5#!&+roLX8)X>`St)Z|*U5fj@bxg5bsto)1c5ljxk?5N3%wHU@=> zbqqXLHyow#V-5L5qWIo3vSyMeY95tZvP+P>U@N8ZnSR=f_Z`>pBznU!%D5q_4zmNS zD9*LpG4~2uhh?Q2ne+TiRmckg;ewVQ!2Mo!UtNw@?XP8yiLwaAYg|XcA^3!ZC^qeh zzc`vEqiuG=4DcS(YHa$}>3blTXktiu(CxN(2scUBn>?sC5?_L!csoRarMuh;WR76$ z&_Szg*qZ-bbB-e0DFZ zqhBi>f)59`uXR8Fir!dX${c0pggI!yatF2dzejx)w1nvq4e0VbKI|lEL2LS#MN4&A z0g{J}W`@DIA?hd%Djt4<^_(uh`M6AT_Hrn!4YO(4)j2)CvZBM+T=%wfe3e>pQ38{5 z{FfH?=+u@=)!@K?aTN+!WUAY^9ZeB5ZAZar6f8bmxNXB*j)V$QsS#F%^h#x*+IzPO z`T=|cSH2x(FZPtZwflOK?Z|Vl7j-l5^`ObSso|n#-8G!^klP(`2g(#b^c7*12PwM2 zusjjjOyiAOguvB40B}Hxq0Qxs_pMvF; zz1s4x;v)Z9>n@zV2uqo(qE!c9zO#!?{Uyz!8>yw>~mJWhR=S4 zy9#JmRA)J2=26Z%MA@Y^->W>>HSX(Hav$CNo>7_F&>5|bp34LlE43&O#Bc2qkB{tL z_N!@SG_@o!xX>t=a=_P)vj4_<7Ny~qcj|V&VW}EO*Bdi|{ZOIH znlOb152Q{fd9{v|mz{A@oxrj%ald~WUD|W@5v~$gNi;?i@lN3Tx*9 zT-GQ~>$VwHqxwb>OX29NofZjVCLiF~t6ac!sHUU}@+Z=}FM+->V7j98+x&@n_9Cj( zdug%lYb+12I9~ybP%AWtI|JrHw?rSD@R@7#3|^eY9E=mMj^PJn`M zmr$J*>E%8O7knmpEM5U^d*LtkJ;^MFC%mc%Lt#889#Wh$5UOdRk6j&?r)DltHo{pX zWmrWTac;9S+oS#M;9BO^-ZSBxU7pMAZ@apIKFRF#4J?m4TLm_#&>GF!z_%-OPANML z-QCq`^BY++`ZscJr=qqqf&GzZ@zj}O-kYJdP9l@N%O0?L$~eGi5U5?3@(gjP)zVj3 z<8{f`isB#4gW_2prM=7fG*+#qXPiUFBhh0JY3|ve-_{(0U3{!4gXyzOncX7K)|Y2` zkDw`PPT|b?f;Tqtqk6oIG>{{zVqO2wnGsdBa2| z)hDLxbbVQ!4c8DiK>OhdCV$gcE!~96Y0ca()6al>o(mpKHs*|e5krZ40JiW3&wwiB zLN^E}k0M2>IQ|V&aZ1VzIv`CO?^rq+H`M)a=7NAN1lTT5Ar%L;Blc(denf6*9?Zs+ zhA@0HHro_NrjJql2JwF7*h$<&Gig{E^oY#Xw(xZv-&2+)S~iA%xWGa#Xj%A zqEid)iF#zn03;l~>+zqohe6IYv`jp+Y5I)y#dfbSB3(fRyoM$C*~$X=RMww^N>X7a z02`{IB16JY9mTDW4}p~Kje;f>@#pywwTfWNLeM1KN<{S|#Iz3NK{g{ona(yuNw$9( zfrYcs;TTj1uW2xE$Uyra^d5rm*dlw$5s%mLStDu=( zJnGGUt4J0+u}$FFDG9o(hk9OlRlp35XfdED8-O6oT3UGeQ9 z#IMOxj+m4c81}X}j+bnCUFB~@q1P5j^jf#;KeTytYyO=bt_LO9Sly+~ycOS=;_aJ! z*lbZ-hQ!eRiTEwFmZj8feB@i1d10td0!Lx49P<2#4WwZv1##6TnWh5m=Mnuui&u!; zmSEK(BXBkG9A+xGVf7|+MT&j|D+Gb0i`Nd7S$#CzV5hJIM*{3SAd3vHK z!kKd2im0h#iXH6HR104N!d#2z@QV8gG%gS~2R6N5=qCHE<$TSYG?Fry>VPu_M5Lu5v_X*zn;Tn%LF@= zqcMXUpMK2@;{!fvjn4}JJ52c;WgSUNxI1TzqpZEnb9y^2Ef7ZrM0htuNo`RI;VAH~ zG4xd@U8sDDt-9sNfv{-KLE;ACJqEQLpU74auDE^5jX@9xGLRu=tPWVUTZw7{7t+Sx z7;;TYwdtvJl)LJd7+EzB8~Tu@I?ZH`fI~U~MrH@hmi3u6=Kq7a@*j6^8(m$sDA}y1 z52xZet`;CrNXOFJftT?AkP|{OhF|Cf=SRMMwPIF4hIP~ivR6N~1~JQC=aavkxFlRG za(2{GT(*$%B-J7mZt!qAH2znnn`5%soEOeEeJ8T3(QS2PQUaay`hZ$OV zyztuNc^kL^Ib44MHG>?^Jj~ZCL#b=XF%`&Lm=ewL!6%V$Gb{Z7%Vz$&c*5Zn4~|a5 z%CRJ{7**)tE>uNY<{66c$pd>-d|U2OkOYSq=n{oWJi2L)nF2onxAUbKgjLe?FT_^_mu-)n4)M+oX(Z7kB&jf7*CE_1{vjj? zW%0AVaekX3TX|qz3@Id|W{2r7%J3_!w@L3u-Z`oBWAZaLGhaAIJQ81ex}BgYw)Dy) zHa16)n1fn_m6;KuD9kM<^zeK|6ut2pJOWNEoWFbFUjJX*d?1TL|3WX^k{{Y{D6qj( zwJDNp3NZq^u{z5wS0!!UA7N)xPb_#qjle^SH-7F}OuV^jU2uqak6;{e5jcmKl=oou zZSA>$HpY8Kz{97GsvzzrqL9GLnv9kI`2h}c;Z8MKpLQiuh0tPkiS_ko{*F7G=mb`+ zhe)wAVDN+9^<#?(u=HMF)9^>Af{k5!%g?0`10*Tom*$8Q4gDrN!T}o`uLWnO?HTKH6mCa88qLAvE^_ zoArQ`BQwwDWw=wyB%UvO(0>0htUK2_X9Kk`2{XhX3p^9tHt!k_%UG>cc{CmnMAYE# zkqjA&s33Tt-50@Uky(Ul`INA@A};t1Rh!m?3#qgW`j`SBtskQhZbl4xOkPh$KvfhJ zDYG?H8Nrbep@S2v|OtK(lUb-c(|Cu zwqX^=pzq3h&}K!3%utZF`m;=Lp=5B8ZWigp^q$x;qaEbc&S6zax9Ts=pV=ke)4n}x zKriq_jwX$5iy!~J6mSV#uQ2iDJopghw?$H(HVIwiDXg$uICh8LaH5d*JXT;2I@E1K zyC)Wln+G$%;`y330wXGNkBSStu$iQxY1^VYUGD+3f*JVPg6)#O6ErhXv8W}~^C40K z_{q}5oSM};HWD44!$Pv2eIK4VxEB@V1}-w>it%iKA%6~#5v47emkXHjA>22Iaf86T z)I^Fjky1%+k=shi4So$c>!HZ0W|yZP(R+A^zgXF$oJ}8*oZBp#dy48XR$sPkuWI=} z5j%xa8oHcWqV}M~Jk8o*hJkl8{g4=U|bT72ceQe*vfjP|bo zC!!*nAY2I&8X>tYBUOp>sFg?!d6%INeN0*JmHmR+p>FmcSU3~66vGV98KPzpGfT+j z)vIkS3)mQ*g_N9&H6H6zPNy`0dTPUgv8_84$#mF~cXmgE270d<#*|B3&Buz8Q#O=Q zWcUj4O}OUPk%irXPf4rxJ?gWZdUPR~;wh`%;n|!2`p(8$kB%MueKBF;t{|;QQkws> z3-PY86*PE}sn~?f5Nu>!i;o^{zLB~PtK1bXk~7O`HI~3&6gheptwwZUXWzN7bfO$3 zKNRKYi_E~i55-!Igg=Mcre6e0*HF*FsPC2AbqT*?+snX-BR!M(eWk9v3g`C+AB=BlB6im3+aNi3CO>D+PSo3_^h zWd%rm?jm_4ef-MQ3rR`bcQ$YWp^FdYsz8kHWTe|nYzFIh_O+0Z;GDpVp!b+X1pMf- zFgK|KTxpOaeA99Sm0mSrMZ(ly#nDF?_DWBxs0K>k*%zbWK1m-FFGfdRA;Oiui=1mC z5WkZwj2+C)k)Ry-BGW@T+e>h456?BVtHVX&0XdF;rBr$^C{4yTFug80qSdJDfhok3 z>GuOi{#X+kXne@x=~k^*cN4p>I7L&?V#}H5&+L2l_seO`-e)*QBZ3vbXBrxIMiqYGIBH0w%DE=Q(`+Rwnj1I<=6D9`~`$A z+MRZ$iYMAJefTjAJp@Yy^**}r-d z;S)gY+4=0UfmBHCT^02s`u&8}3aQU&fLpeEuHzci+vDST1rcxuj$1gr-vp-h-?4tZ zxg_9-ibJhl0%UeBD*`5j29%A&Sv?q&lImFrjT|0QTuvJ&FE6K$N!3Q6K{$Iuv{8in zXO@w)8*(iwa`;s3>GqvFp+^?n>{RMiOvfXG6<)d=myl^krE7}zKgA8#J!1XxS7YXt zH>*<(75vQO4$1U^jrf_W@lDGEqq7E$vb>z+y_7B%9oQ~g)6RX2a?NYpK-M}CpCOOn ztf+P5>GkM~Bdb=_+E>}9UKB?!d}C*-{%&fttGsNNpE62dAdKoF<9%o4*;oD(xK`1+ zr5v0Nz$I}p*ynOv<|bez*~w7<@ChL{s`N8A9q0x_AKpu5>M}{P$bq4rF8=+zsYfkzHAa#7Iw59ua=- zM^pJA)$n|2lgY_AdITh|4asL9K zO%+$FcJe)EaX2lQvCIJt=VqR=&s_)hJpFI_g^dR2ys4wR{C{AyDjE;&5D^ljgxq7T zIwO_4(Xy{<-THfhs-r@TLtxHv4#xatgfen+i?3@(-Er2Gri!>SW_P@`ElKW6(NWAaCyy7 zqIb}B^XATAx*FfsY;=yzy1QO@TE^Ri{W(=+g0}C_5mHenF2#UPK8cEGywz1ZNj4_Q(4PPkg5W_Qw{RfZpG# zWT}EM4JQUHI-USdLzVKY5SSP^k(MEIW0F>JAs$=>*DdJN7pda9TO{yVr)!z}TXkl3JSoIax`MahMS`9(m7uNBr`7zV3XI=6mKN z=H04g7szw}KK4p?s!Ay0%vnJYp!V5I@WTY!>0_OsU*=a zeBCK!U`1#g z1UJ4A8H4vG0)^(XZ$DwGdygf^)V)#ZI@7|+G*x!F1>U2v`j9AD&JjI^d+L+%_uh93 zvwPuKX@P)7V(GI4J?O)IPGZc|ki~r~6J%V{x^4=&ZXr|dcz8ULZW}Sc7C(o(QsV0j z9RXONJaW?vF^$lj^ZSxJ3`lpg*RPSrdmZ=L-7=Vtl)kb-EB8{6hVP3`S*{DBF2BbO z7oB}<7~)%NDCX1P6$6Iik_TQ|4@L1^UP6DiXa%zp>gMG05GUdbdBN$iI{>npoE$hZ z5v?rPj=#2WIWduaWl(<Zk#5%_#3GyeDl)4&FiCqW3`n!u}je zE31xmx71!_-OB#JGFFx@YAJxH1!V^izm@WmJ9XI+VQ$}}83U7v=&3J>80SlZlE|xQ!AjXVs21$5>ByiQ>vb+uHCKGEW zDiciO!CV=o?p_J3W5bU%an{=1vgC!z!FRDvFOJ46OQgQYU=_aBohY(#I&W4^>CK6M z@8a*9<({fT@G`=#aYo8jUcXgN!jc!1Nl< zdBmYSLdLqH07w<|!SZM&U&Xk0xQ;@q`M8I@`ELrHx6ntFRZO`%DdGDy?%?Xw&`+2o zFmpx7dPKx3H~FN#5g#g~b;l46A79xwQzwG055wDr_nE2osLG5aW-ft}kxfL4ge~S+ z$(`_m&*tpTvi#Ps`H7QCsf5Po`g{~EBAV33Y)8G{X3-n!Y|Q+KTcj^Yze3lEBVJ6D z8FyE&_%<5duwjjST~8V?|JbI!7}Qc4^bo(!>4v=e!i)YnwJ~+mMpDnc-REz=fA#0a zhVh?nGm@@~SC7o%di5u^Ydsj;DdBPHmCKjCK#jO)JCtZ7aWncms z$C%~8mPXuzg}c&|;ZZEMRqz#!rsnYBj{m^i6QB@8Mcgjo0bvM*#R=V92J*?^vG#d# z3B1TRfS9UrXV==38FX+L^$&@Y#4!IF{bL#~E-~z7=VooI>K0Yn=L-hxHw~*<{;3Bx zW9{^VjvFVpaMi|3;Qkl4i%}q^lZ?;Deos5yLL&L86zD{?M};$#<;3RWFFA2u=}#^K zwjwmFkCv%trTCtNiA1>lO1TR$eL@``ns_VAD7!38v1%;%wML*$p>83>RqrKaGNQzgyaOz#ifqFkzvyHOr&<`0nfkI|!`e|PaaEwWqR?sF z8;u1py<@U_$tf@3+$ci3h`ZhG`x|kN$tTNxJZpe2-5arJTbm(hVCgDO-`SeYAjU$6 zxtp$UCVKm+EWeGv&RxHQHrHs$gA=?L7^ZdT(dQ#Ct?8#0R?HT$~a#?oBm>Ka~obLQ5bai=BmYiuVt7XB5KvKNV<| zVagA{H)1pX79o6p$KT;t++u(Js=2IY_v*c@HNBrhHT#E@D+4CT5|Z4hOuAz%eZ8CX z{Rt`~+6(C8!r(`liPYJ%58uSXrc~~Tv|N{T;qbl_37X#Vrs3ob=To=+Gjz{7k(DFP z!_Sc7X*?4Rqal*>w&oW$4&Tgz1ITN*UK<>wZ}=RQU#T8R%Or-}(eJ9X{pXQVxDC9y zrEpH;|4^C=tECuhzZars%wQ`xKUlMi=l)#*s?XS~8Ee-cV2vt0C#RCxCehA)-?v2l3vjM9Qrac$g!-FdLOeZg{abVn8ZAG%FSv2 z{61^Jy}jD!=VMpw_GGQ{UUleK<;N(f`>AUMa7eFic*&gLB`EJ;=%7>M+Nm__34Vv5 zWh}13TVD$Ni1CC^R$3IqQm0wrjgz!$Yd=*kjRcUj3db*CHpEwC%$?senY6%sFk1Iv zjZSUS1*~yA0c=>+m<}ENnfaW+y$&L01Bl~z=Fk`Vuh3N66(+JHRmLwKyM5Q#q{M4P zNT(jrcPx@0fLK&9iFV zl^FZP!R3KN!7SfJuDfgkA8-KsntvGE?p;Zvn6i_HJF*6>pn%_gS>(mfYl!9e0gXv( zZ>v$cd^VbbzM^}K-J|LgHY^B*PZD1sjCf91P0k0$<1Qfr7kO@A_Nv024S@CaO4s%P zfDl;D*tZ>7@8rMO_vcOE{9WMsN3YOhi7F^^qU_tl7{ur{yXl8#h`%pA2*pi^JjER4 zK@b_=Yz9dp@|mmR998m?=aqoxzB}B?Ml>dVII^4Lc4ds(%>J#omb;N^k z#+Zn8YUSF-7!d^Qzsp0fu3r6M=cyGdWrTJdmYga+ov@|M~_y(z#_?eu@{FKH3 zc%gg&_mkyOKr}4Abp9GH7!g$GuK`LEvDFF z51Jhokqdj3HsEaekyX+Fk@a(MiE+?eDNRVFjw%9G&yRSi(2?q1m)CK*^ej9t+Re%U z(Lc`w>R%=C4;M<0?wd1X%Y#0**@rLEX8x)*&F-FgU}nus7qQD~N9jByzdCqRT-7eg zsg+-wUU4$}A@-WSBk>zp#sI8J%WkbyxQibS=D1fxtN8+wN~4Sid^RdXU)Vqh;OH7) zZB~IT6_AibN>$RL2FnhJH2)i;ULr(g8J*;%z*qlwgv`Wl-zHr!f~_Qr5yW>;8EDq^ zMhjKeVfR5h(fKJJ5u9Dvn4PpOitW{*kG78W+0K~qyB{=7_Z4z&-{q3;xzPo$KTRZ5 zkJR1n^oU=lY*>}7Z?={?z5XUs+zjy;5f*ct!fhaEbG{d&?9`wGYU%7vjVChrDzpIG zJ-LrZ;6X6pOn?GG0V$-n-gS}ZarsYto%t%Z*Gt+3o|RumyyxrV(u z71ZsdTY_{g-%((>lqb)4PDIg5lXkA2QeIcK`V;AUe%rgmxx=KU<6v>ccpm*T#Mrs| z77+RA_gYVuCW!-t)kQ|i2L&){&KNgCmWI#=aIFeCCcv=ID2vvGm!8U(BM;xBcp(yUH#{S@-mI)h_2pZiigNk{;8RMLjE) zj9c2$cTL^gX@@l%9F?iR`uS8wr?%KozY36t#6Mpv$j*12Xy+7gSJZ1CD)!1a`Uiv~x6&Dd0xZnvo%tS9M|T#=Gx+M$A9&L7EOI0X9@{a=s?!Z%%r}AZCcN>vVruT$o-HOuFWBSDU}=&+GeecvZ=!y|pxj zZupLE8~%NsD$yb9=B_(3-6e1p^kb_v7EFU@pHr6~6s;Vqr#&?$i!?Jj{^!zG0s5xD zc&odgfBU~bTr^K+t|C33==gB=8}wyZ$Jt0lK}E%hQj+Ruun>_aZ7e+sHP00N>xIP} zM|7u0kk7Q`o;93H)ef4228F?-_py2V8&+g23&^P$3M}zZdI0i=T{?aWzH;DV85VrdWWrZPOUNi z;9zy^rD+9q*7W^O1umWXL$nCN`7S(H|+r)gI2e`S++* z$eA89ak~v)ZS5BFnA+ynV>+|{SiNG-tj|GOfpzbEmaZ78J37=TbFmP=ZIHi7uS*17 z7hKR3?{5hkSON0xX`tYR;I;-6HVRE?Y`klHbYXMH6VNdiYn0t4-sb?@UDaellGbA} z>dn~@hL)x~;pxsZmmWh|2U6&a-fWey*M|Nt)2)JN3{ZO|h$y2gn$}k(GC9x1oK*|P zE)UrMJX}*tKm1nbwb}uyK^Ez( z2S{19noljQQv`P))mZb#5DrgbCuB7lrgtbEuR0kZnF$M5DIrNLC+2hDM3R6diFD1; zmz)znR1a7@P1k&kw&-!wo3Ulu#y9n%qCo6G zy0%Jlu2*C7w~C__J+9X&Ne9|>P{q+Vvl!ZdYSzbx3|d2xv>xsBFKu6Pm)Q(BhoL;Kz z7-)zA6$a8L76q)CrfWGSSiEI4E@VsI*R4kzAHTIb|BYe+mmGeYt8^Sc22Bi}IwjSq z5NLMpL5EOOC(Y~ccvhy&U}MQy)2!4tvdJ6`nCLRfVl2B=j&eI}UB)Rtb1fA(I5Al> z;@mh@n6#+Sb{hHG)mN%=ksorxFeP2lc$L)H@e`YR@{e}b0)z^x`zE80QrIko2Ni#a zn)Oa^qUXW}zfb$npd-Zxu?G1=z5s2eev;T+^N5q z>=XC;pUUi#IYtrZMNd>RVFjpLb#Jzt$fh3#8HXbFEXxGIwOIvH8>q` z-lQ*E<)ieLx_4hz{ThE9sRiHe1W+5S!7==`)TRJ#;hHVd_9xysgCD*CuEJ)|^=>l| zk6|gf_encM? zp0jjd(UBQ~FTuvo!=ISCUJ$&{M?AZ-nI7^rjR~<{rH>HjjW_<7apU|&$fwRAb)x>| zLL|U(Jc#3^OIxKSbE?l7sntnSIyTNT@KS(drf-@&@yIiB-^}M)wrpePkz{z@^z`XT zL+*`BJa$vREg6`ow_MdW)cQ|9dG(dw-L5t)pKh>qN#10f8oH6>^oK#qTrY(LLaEmi zWErh9CT=;I8}?QkJ9oaczHBo|NhYMe(&!7#-P6vHzbbO)p0p;WoYVGr4&Ll1tHUJ= z<43sZzi5p7qBk%B_76GtX8SAkJ~h9o)=!^$m3G=E$36wHw04fyz5?@q-w#8P^&h#~ z?3E$f{1n4kXU}iEG4eMN7WwgJ^eNkHRiSI`%%S~p=1}cCmzFm03dES-1{Q4Kkym;H zGv$e?N3%h4Hqx4Xq8>7DI-t3M7Poce7rXR89n3qWcxHa_-CQMrQ^A}6*f}sme(S7x zeeb2Xt+MYM1eahYN*)Q_vwBASUUS;^!ii_!f1)?hR_?B>`$_WqVy2KNu8(nltv)dO zg`eFdIgr^JxZ@c3Du`)X+Uo2G{nOFsDnZu1A9LyceCOj2T;Hzs;mHqdFD<1G=Zjaa z{o|T=L3Tq_>T2^}x*+?x^W5+lTSb3Qj{M5kI+=^!@Y^*j5^YlnXEasQVYkFyU;w1Ek*EFBmn&g~0C+D7T?tC-%e)sW7E3^X4Kb3X#stFk+}A?7 z@l_$+b>Ih^ccw0u1Sk+@uL+{aFB+*~k||A&zPS)q))EBlGdLGocv#jD2tTI$D6&EV zVg7MOy=eJ_d05iwK;D@PIPD$wJqKe39K4upi%A~!HE5Rf93egKqHN!0eh_%490l-Cr6g7ErcGM6OiBN0RT z7+ay3YtQak1F))I&zoNfg3|*0jX1P1Q)=ElP^Yh?e3%l9Ju|WSo^js)> zHDd#!8Wg+JKK6u@uAgvCzdy*pyDcK?X&lHG(;ks4@hJR7B)QA1-kTOGkql(^n4gZg zof(c=cE_Bv&UR0G?iUtRGZL~jAgZb@uW~mnfID`y#@dYg zt&N-w-dK?T>L?t$qDfP&mi9cqy_?p@y$t>s)Dvtmq*lsPhxx>bZst}JYV*MptZro9 z$!Bz@7g^P}_iZO)M{M(QRp4ojq&_>5Mexsy(uJ&kQ8n4|d~vk!E#!W3oKRW#PTs3E zQgd2gq7#++71B8ANV{W@vCRq9qY>z_XsfX2#6yj}jIcf6d2;dXe~{VNmH{+D)?ZIG zEseVg4E{Y7%P9_-_O8?GQk+NEe7292-r|_f5nME$*{JOFc!gwJw4si=ZeR*KSiMT} zdRW&a^1J_Zhhv?{PTNL9H0JqSNZa zNy6CIt!^@xA#R=C9LU|ljB&N+m3P9nMq(RF$)?rQJ1uzpnWhiq|-eb8oklp_|&~m7>ebmcri?Z3d%%tDi zl2mfkt0+#}(w87)r*VntzYbre+@%zKlOMTxR?rz)kT~UhGr?aS5}C>3qj37|FX5Ar zi=AY%>>qHrMc3@cy_lH`u&(S2#uy_d>kX(8h&O#er=!SzumLtj<~k2 z4EV>0SP@!QUfAMt!J_Q zG1G%*>&)3}`3PS%KDlgj1a3&XbT1|v-mo=vQtkVM9p`lk>=K#}VyC;RtE{V}_ruaL zt>gz^7Evac7HPd$yi~WXR>Z7LV>%3va_p%9KfLw)tt4%x0Q&ign&l%wYNDbcO#spw7|{T;Y0n5L?pyR=ANyBCw(;z7mzD zDG>vNI*$R&?io^)(yLJ^rI?vnhP9PTC--PdZg6%Xy_!2c$ILK46>B+gw<<3j7$Xj< z5wkOl5xTH5TtLou=s5p=yMV6rtl@CUk9Hc@+?K4M@$GP9BFl1S^oWVVyR6Te=xI%U zd0aZew*R{OzLYYPerdoX5{ZNWGNB)XZs`z_(C$6$ttev#z2@N+X+Og!Oyl=VkhU@) zius$}Hyh?5{sJiNsBqA|1=3dZLR*7TmKDfx^>FoT37>5qpb>MAP%KX^*E|^IH09ZD zo{LsXIiM!}ubQAIUs9}UK*Xy#!Z~cw6N0gjNhsBo#kg_T!KX!vr%6ACk{}R zqfm83u4*ZM;A2J!MdUgQ6_B@G#Giz=P0}*EO6QM=7R;dmON-n z!!cP+IcfWHk>gGR98!DF9|xioVD6-1Ut&B9y#T_SPEX@51bEIoKy#=t1h|8*LTX1i+V zZtfC0syJi!HK%g#nyLKU5PAqDl}#l%fx)ebS~%*O)1K7JA2dE45-NM8ZE@vqjH{K& ziHOdPTkowobxVAfy{0TyV&_irH(OF554y)$Pv`D^u{WVvDEH&R9S!S*WR16GY@B#t z^%Sw@p4!Iu`PxEHP3n^kTVjqb+FvPdPz zI|{vN+Y)qxC@V7k)3&%;Uw+4BS?0r@!)gKfTSv>b_Mb+oAF|FQ8*tAY9`j6cd6*Ou z`a|}{M7z_tP@YxNcLE5+jRBS(QFgaByY_URbd*zROtBqIb1)P)wex$5x!5i*FW0qR zsJ8YS8aR0S_R+JW*TGNEPq#ikC359yT|Le&h#wO90=ad4o?OlES1C{DLkZt}yK4`%WI8Yw?we?;vBSO&mL;X~5K>4tI@{;Q#SycW$)C zE{7in&t7?~E{jdsDx9~zX4~Ry&)=bh*aufUYVJi}*_Pg1yT&f@;`Z6x_PR?Qj%QT( zpcZaIq|E;CiQ3Aip&_SGCza1#SDX#MN0G!dubbJWuf8CnDbFsQzi;*E-M!P-=hQ6@ zghyXrC{6o|jJe>4@;KZQKFzA*pV#<$X=wAPdQj+Wbrn0v%jfgbg1n2(wUnaxZqZ$jc8Je2+mO%7}OR9mJyp=bIXw2Vi%QzqvDJ!gfKXL`R zZNXNedY{iNQzjG~dXL}gB`YyRKC=FTLz}2}`289oyA3K&og?-Rqe~@a#G^z1));de zu$PUdgO4&Esear4ZOd7$k=6s=Z{04&+Mm(tL`>%z_C+s$&3^MyaV|Po*Y8v0NpF$i zdll8*>ZPcCy*u*2a$t zff$(ow)Lk5gWqseQ6b>7_p~qP-E@=0)h1J7~Gz$cj3&MmtF_f>z_4wx%u3KBQFx`L*B2o2#?)w`QnZP(r33uxYg;t7h3hY?iUwJQ29lCXDbScLcHE!P|TP!tnz=651QJzp0;HZ+rCZQ=>~g2I}Y3MJOM{ziG+8 ztUqv5VsNA);aszPtE{q|hwPkOnr!hlq(tz=1Fz5xY2#O)9azv0dN1Fu*{|Bl$4khcC#?a+&$-JVxLVB;|}5%`m^ho{!H92 z)6SjKmwyF(A{ddI8Dn5B2X;Kjo&)XXbtLeJ}a?&lFDk&fJ+P zpE@*U(2@O9=W~B+O~Q>UGAF~zBFhLtF>IHFw&ShG+y1WoekaUYnrY)%nnp;wm}~AC zJ+!6DkaLWGn(xNn$yw&Gws?tXJ#>DUxqk1K*4@5ax~1k$SskwoTmeT&QtzJlKT&yd za&yU^;@!;MQhV3!)qmb4m3m_O#O*y?DJQ91RrKuvmv6@xRJJ8&scLvEie8SdwVn98 z(LBRq@Z*z@avwK!D1FTSNNCAw8Ex6r!b})c%Sb9{>1Z)aR!a`BOfZiuN^mi@Ur0V! z`^r7hrL1c)Wg=M7^~|R|9F~luv%~)e?7N&+oNqV`w#3tsyEW$0D!pmHz8)>(rCBT&r2@ zbIN|Gwoy;pqRHFn(1XLiJ4*zm0Fs#VUL{UoGSuY7?grA-j zl#@|Pha(Ci810k>>?BYR>2$|vMFh(WiER)+BJRAUQ#=xJ3=y)`VOQ+7YZ9H(vwO7n zubkT;ci@=A`Ff?aZHCofCjG+7!&*1#NPm>swfBY$^T>d*)vh7+UDA6s{eSfYZ;RXZ z>M7^q)`keHok5sJ%{!MmUpm|QUh_S_)RADUa?-xF_JrNx+PO%)Bo$e5Y|f+dYNb3; z<9^zUS4OGxXcbv+M>}rm%dy+fD`Fj995A?Z@zBA;2Rseuq>$>NEh|wwx?|tPCQD=; zzLM-^`|fK^O1R$Pw!;gDr7s?Qf9T`f75=yAakItX_CS}Jj`DR@UvGXDdrR;t`rC9| z>88TnxVco~34YL%fFGYDTdz=>+nbeD%&e3{U+;WXq%ec`cVI@%4yDwj=#-5QbPjyq z?yg@vzT`00&~d0lpZ4K=J5wRewCl?6xW^5}P21ROgLKoxd2OD?Jx4-Kw3}HCx%JTT zQ?}FhU2b+9=(zc@|0-6SZ*j)xE9&ID)B~xOlUJQuli6OooVwzA>t_plTX4whm+I>6;?8mSHheLGv(hVS3<{*>e;>q~0cA9Ai|xue8TuI5g89_(_|MB;?nQJx|*OU;TD$meeP zw#7`1P?+h^kpZu-l9IKanO_P&9~-~0Cj?(&KB#(D146HHI`10i|J&6pbhplOvbs7P@N*4R0Sem3b)&ZME z8u!o4sV$oLnVUnBx#Q=WT`?P4Hu9|Q^^al|_qrU8jZTo#a9{6CxYT(;v9S1_0u#p(_JH29< z(xN29^bo1uG~Hn;^z@zZR;uvNwsg_{YMUHSO6Fhk1AE<~I7xBI>%r%l%=efYou$pO zpOtS-v9YGL54RRPuJ?h_#WP29{o7Zs3LS;_Hwdj2-XpXQ-V=sjXyLv8-oGGxL`Y=y z_!=RhFc%>hkgT>bfVYCb7w}7P&7ZBvt0zLD@TcwYEAY*lf3@Bu^hV@g`|G3Nb3$iK zb@lb(t*O0_qoW7T+0%E^qxfX_z(%i&7C0fHT?Yj(VSSSW^YHz9T&|h>nqR%5Y47Q- zZ0q1@=cpX$?j^X7kanOZyzB1hYbzV*?&g8h4AhZdZJ`P83l5{?WmlW{y6VWAUp11| z_4IL+RaHK&d|V#ANmf=?+sEOyrpdVr|6C4#(vf%e_4U$3p#lN|lmkvGd-^z`R5Ua+ zP{&W8PMlDJTPWdzJbY~fl{|3!|J>wX_c`Z?v-ffF@^$g_kQLn5*3Q$3^L1e=og`bM(>mbcY}6i~gSh`{&~SJo(Rs+9*Na z|3epl6uo*B)--yPHtOG_hTfE&Tl4@P$bBy746ngkc$x|RMD*adBY(E={(AEhsPWG! zLPDp7^v|8S7AQPhWu4_Qc%4%6Ja56wT~uO+mUz_O>K@^PCb;{tvPK6UJZyo5XHtmmlec>g*D_vz=i7G3~oI&nPA_%jJ1!_nCxTB;=H##KE2`5fB*eg z1OL^)|Ca`|Q#VwO{@&-GE`DG1VYMXf!s26Z!&LuElY5rQRe?~Wk? zTlZT6mO%JA9R3K@h`<2suOEr!aS* zB3dSso6Xm;@aN_-u`AW@nS{N2Xr!DU-AqCW2})tOGb-=MZCwNZBd=X^$Rf^dNbd6V zp|QAQ#f7+D@+;M+!G6^Rxjyyv8OjuNTyYE7ivV~JFO%|`p#+r{4Dai1yA+it`-ECbuyyy?^%n!%F9l$(7ng1hy<$I(8IE?tQb!@XXe{JNrX}l-$a{ugQ3m$wJX~lW& zxDX~~%KM6pl=~qS$l18N;m>1wgy-lNtlOIPw3t3}?vvLFf^f3n+Y`1j#k2MFaMT=Tx$*v3)A1yN|Y-Sb!kra560 z0p8lI(pueNSbY)g$7bdgwh&`$3Gm^sA1LO#fCQCVF9>usKd}Gw&*dbsqBBzWoLNKdx320RC$LO^a57(o+SE6@mg#JzalsB7 z=68Vekm%Fw=~i&=huBc1cq_}UVll4628@TU0tsk4{+hq;m~}*;r7Ge+H{Dsa9+uKeo=(ripex>i2z7<4Hlc!hTzJ8NOa(BoQ+z z(UVmZg)D70GVq+7SH=eQhPlp*jRcpq8ya5#2GWFgXnX`G&F~i0Fp5i2F}j->;~%c- zXA<^P4#nLoGeTmo3w;G;@4iBE26qC_NZFXI4_PHSRYMYLmcSX?gI+4#Z^T~%ZV9n~ zJ9xa?g7==6&J#fYk*S|9&mZXjy&r4QANwIivy8%etHYJW?Nn5GjJn-bdxe-kLQ)#N zweEgPjbn78`J7|z4kA9QUyqpIA)de0J%&V2&#B7N9Ov?yX)3DiP-^C%Yg)BPi>R#pkc2;NesQ0IQ))3BvL#?zRo|q$s%kkVy+9WGmj=;2q&2J2O6pVMIn{r+Y zZts~n3Ecbpg}Om;R+8 zZfxj5!R;+SvyrmL4n)Nk7+AvLO&!l${GU#S8nmr%C_ybQI-42j#1=$d0Ryx^(KzD` zkE(G|_wEO;$38svbNBl#HQx>b>%D>+dk8-3`Mqg;cj2A6^Q5HB_w+zDrxsOIGO$;< zmhfd`(ZZwrl?uCp=>6H4Y|P5qP$4N@CM%d^oU>9fs+!lY-d}DF2cG+y#-5RCDWje< z*x0gYEBkF3UIv0ekah#HWeJCucbinjen5mc=Nc0479hcub6`M%GAa?(8Z$|Gh9H{odjA%R#$Qna zJrW8*H&-?%)9+Q)Z4oKlw=S$z`_v*E>v|8|2WHnSeNsDHw1{_zsw@lDVRL zzQT;Wn)`S3aO+q845pz51P3Y|YV(^6H@&|hrr$#ui z!*HH`0I$I#*=&BMYK75`eW!svbffjds3#jmJdU^T65yrhJL7)DbW!44le-9A1S09x z^(^m>qFSFt#935h%PA+g(M`ZA;Fu+FgW$|}=cneqx(jPdk6o8!@wW~9_;z{Vb)SP< zGHzOV5kb3w7TGX-rL7~n`pU=2j_R;0nwb^#dyWk2cOW;&G`4#rmzU~YD6{9}BYZ}3 z$@dwC|T7oswHETzDFxkYG5b)REsIm9O8E+;C8dN%$Aopz{=Hc3eaU^qqJWtJlOV>@+|IyKMTGGyso@!gKUr4c9{cR@X&1Iu&>F!kwEW!h>sH0 zKfb)93_78&KHMP=ykb?_Pp?fPD@o?hPm;{%LyNB_M+7plHA*})*y_LG<+9D-8CgD* zWo-LBeK`YOm+7z(Dd1JWU?I1x?k_WEsEn3=XxAKj&?)iq{kNUq7rq%c*PS#{>4h0h zQGky8BU4rxcE{)|;| z)N$0CF2YXH&}ZQ)x-zVoZcYXJ>Wt?MJv6kr%&rQaekIERmU;=2MlLgPF9-8{+iCQjxvCS?tqtK<#~kon7;bI{tVO=n>i>I72|y})c?9A<%I3+E zR?`Ic?Gko}QU2d6sC?(KQD2pV!eN>hO2W-oJ!pZsBWC87x1G;Xvm;BJ9?wJJ0=8f8I9+AmT1u;+e>qJ?*S$_btLNnbT;Ck}j z&=GiGimOXOa=^bQH`LTH35vUDFcrhq${}Kw`1gD2f3Y9#6s4}8Sy#FhB{%uZbpxyL z3=aBTlGI9a3pPH!Mlmma?PafrbiYO@Y9u%3L-5jpZC=~88&n*E&sPVWX;}Lz1kSQO>X>9@ zre~v~XtZX8*s?-y_TyARNOPt7&ZrcqD8so9cJmZLtLGUfZPX2ijZv`rhsCl!4>GNi-3DK2)mo`W>uu=54{i0u{Hp;(|(D^E-UGnkk(8l2! z|B>xG9Gx?^ET*<~Z#1;-wb;JlMO&*$)!9WtEM62Bg$MnP{Y41sqT(Xz+|dB@I|gzE zTM|yr)Drws6V-PBo`SjQvMPzLty$z!ORxfeM0h_-!*y+MXrtbGUQR!-6EGY2NN%|c znt}EMdB-3{ND)?5X{(1K{bme>V+r@_I%ok_{SY2|uW@Q2k6-t!aRAp`Zr+j)TLB5A z3farXqEYW7Y#Ia-rY>6+w-tF4FuOLHq%~uAs;P^@=)xW!D^~`8u9p+d^B+762Dl@! z;d4^LslU@&(A|?OX4+S5P;-e^aaZn0m^MB3b1p#~^trNUNDgoPrj!22gf8#%;yS6^ zt)x(z9dD22^E7@*X?J>R`Ab#!6r-}5sOeED_#-d-F_@4gqxMNWQ}Xz(Z)P=;Zl&J@ zIuURtGn$SeR%gd1IA^QiZ`pk+CZA`YjGWv$Yyx*L92pCgK*wbYp__+l&eBMIKoa(Z zTB(&*6RC+59>b|KafkA54XaHvu{2U-Vl0hRyfVCJjk2KSh^XLQ3eg8BN!Yz*Vl6|% zJ-y2O1x#fd2tT4mj4Wy73GaVT&<~<;5hOA7C-%$?!f3@1<_NMuc@Rhg(MxoTtHZ4=`R-*(~Fl%I|D0rIUTK@J~1=o2d2w#XD_CNEC(>4{2m z!m@iPuD~TXD5%RM+=x zLf`GA1$x|}+$-$_09+;1=M>r05NA ztc?U{6h%Ei{?%>fIATelbw;el)(i3GMzDKDPqUzmu5CQgq?w5P`E0WPv>-Ik#vnZT z-o%?eHlm9It)VhF#8u*-vudeO#!^atG;Jzs>((VL6UgezPD^Q-dnyOVB;h(QE~9pc7}ezbY4ktrod!>pc|Tz zPA>5?>4sS^@j!(p%IYKsEDps^ar^yu-#YKm@`VF-vJP*Z;#yKD^TJ&bL=2OkM~}t> zvs`-$l0L&t*Vurj(ra0uC`Egy@)us56)JW*KE(Gl)BbskGb3~oqgIqlY_vRAEs2Xb zN(jDw<&{R}ZE3HX6dwcCzC)RML5F)g>mKQfI#lqFxFj#uXBu)tXH(oef2CJ)GKk52 zCAr0ub^bxIM$GO2N$?A19M~(~N}Hs#jA9p@o_`74?)_nFiX{)XFc5T0&&76#_$UKZv0gbwtujH$D_ z*o)FjI=7L*TYc*P7B=c4cAzWq$cInHhGjG^N>5*V;sY+99-r$#+gD!YPLE2Z)i9iZ zWUUbZVh9-Ogn(MoC;*3w!4x+3AJigP&VQsXU&?ZdNF)hd)BhI1THnI&UOoqW<> zXz9$c#r$3agIB@Y3K2_QB5(aW%7x`=U$=6U?=l zc;SZ#&%(df74>Zd`})Xr7leMM$A{fBi0YVbRzDGvdb6(U?ZkdV%!b1ygcv;ycKy%W zW!Dfj{PbBZRn1S5GGZIgS!)@bo+!+;Zqlurs2d_K7C>Wtbx$~ju0crV*8|)ctz7|4 z^Vn@d(HhWFeE&QIN1+)Q4f?TUm@3$M1Wv!+37+qCNF2NOxu-n#y@ohupcOPrK z0RISpQpu?wfo*V@<_a2td6V0+5?jTN2Tf71cp%F=ha0CY*2(E!6{ko~KGy!7H<8a$ zRWnD`d|1w1Ch@|g@>&r-N|Wnd6*OKmY69;JIhH-$_vsIWwzN+{;lPCCHi-2gjlg(te`BBdFE^GJ5eVlJwZQ1Q{roo)Y3`t}Gvhj%~A-6{>C+&U=vpsXher_+QTADClBqsy!@*3yn=B+We1Vp zM#at2I?VdJdo#A&HDQ{~z?S|C&Wup$3X!23YhkJ+x=0A~;*%OwT=`&m#}yA8Kh-=8 zfI}hNg)E{G9LSgE3fy}kC;<7{6n~E~ZuA!=#^+Tu)gfgJhQkp|JS@4c_J3SM-)hqB z>&>6w%me{*yx#*3&AD=Tpc;u>1og6x$c?@X(j0r@%#gp)LOm0@-F-S1GvRU)Iv<}O z`%{JMdKp7Lds>#f-C%0d8qNI%Q}2!$I(-n)o@0Nyk29r6h%T+fZ>{$^)0o-O@SUIH z+owm$KNK-_zoZ0nSccXk2ytt5-aqd}qFKdn!_WhC8V=C{q9J?_Ay6lrN)DxCAWu*d zN^9nr!ghHV@W)KEpLj7Ls;B}BfBuq0|#r4wI)jSX1yc>hnjJx*)N>S?t8+rxpe z`0<|~@N}vDV{PJo4r%ZCwINK&%^`I}iHFBS?fb1OAvm^Ag8KKlg6{fASKS3C#`977 z^xl$0;7=CSO+^rTQPC`56=0UE%&0y2&aM8{meP&-s$4>PG=)GiuJa)TXHvYH+#r)FBHb% zu_gc=fFbZ{c;^MuO3AUiVntvP7!SoluOSbv0`5j*dR7iu{QKg5&h94YrI_3fmf)()E$4u@!3MoTG zIxl#+=2S5iNQT%lRx@+1{D3W~%pg?G+e%cO!|Z%jZ+vilJCUiYcCJFR-doPk8JJ)) zj;whQP^dB~EUePr>w7#^LT+Dd&DIQ4k4&2`Zv&3EakoZU33=##k*hn%9WOE80Ko# zr7}3{LA$-nlhDGlXyh9yRj>zfGTD=&0A|4+Qs4mlIhUjEBex=& z)fzFoj<1)Qw1|B%^NhC`y(Jz-gb3U*YD3D&VwHfKu-Oy{yjDo&h(=8JKt3!{sgTF${!)01+Qj}-QClLv7_UEVDs80(`UyJTYYlm z;^wpaTdRBr*j;7aWV{$YmZw-&gTJoW#6G)vI_@%)TyulqOU^!c0 zGXU1!)p%H73=*Nl0E;0<@H*@PcEChqEx{dfA1FEo=Jb?Ou*J=yi)q`F0#g}$VfG)} z@#p=YxX)7N6hmS1342%Bu5q1%e@!%zZfIAp3#q=HqcRUyXZ*V^L$y50oXNMh*0u7q z(2}KF0%qDDNwL6y2dKh#KhK@xM+cFEE5EQk2Z|hIY@4{h4GT3WantwVE`Q`{fF;an z>dv)m8JidyB-^ojre`%X{OAg0zL)wA23n~fDL>SvmrrVq(B^-{r>3CmgAE5kE@xon z4R?nI(FNJ-LfCkzeRHZS60aR5{Fu01^L<4=FvxJiE~!D4G!_zM0}RrN8IJ;;0FC*_w;My(w8al+i=BhPJn=0iOhADK?j z43kp7p#1_Lr2`$!1J_C@^IeNG?HAK#G*6#bTw`}X#ysP3uroby{zWqF0DkdB-Nq{H z=df~C+>+DwPfqmG`HaneoU_w!qN=L!j?$uw%)IwBZ(2mdyU|a0+RdS2JYi%XH*#6O zue;d3I7DOR%UFuQO=6M9m5nBWXe2x{`pf;?_$qUjlR!xY2p20LRrcKhtNwyc&B65| z&oDo(Tn-uYW?`oPlpEAi_$9mVkWs5)-^(ee-8Fh~H4^`R#XNJBJ9M?&--sbZ^O9Mcb+#--s|-zmPLoed zenV4!v#~!r={g6=di`!{VMY9FVD4NZ)R<1kT^8D&ExhHJ*TvLFCQdOJ`q!%#)9t>; zrZtuG4NO)-epcJ^|2|XU->F6Wn#^jV>2vGPP9<}S5Cqa}9i)fu&n>_ZL^SHXa{^`z ze;gT%!xQ=!iL{8zFu0Hbzl2fZAu8~NvYN;$6V%qMeMVAT|3xhe6aI2L!(lQ2br=$v zS*3Ud7PaC+k3bb6w@hH3=fbMLp~k7fArqxCTuhA*4uJNIbOG0<03C&;Z&B$EJe6bw zlW2lqIb;N5h=#CKW-WO(|v+snyaZmr6)64)Se7X!WTVW znUnP}U%PwlC$iS>4VupahY!36Np;qY#=q>hZ>ZAV$1?|fXJY#-%tib9^+Zp^hG?sl z8fkv~a92N=+t@+z#yVloN6i>BUncuT;eVXL{P-yCH?YJ;)}itF@T$PV4z?g?e=TL_ zeF0-it+mdAvPlz2!PFN>&PjM5DQg54aqctT@m!z39QK;!N~&Mgq;e(jr2?Ok;>0mp za5{h13briBkhiOTr($w5DD%ANL77S>Z)}>5X~?UNSdsI%^+QmS@)((bQ~K3Z4!fa6 zM95p%&W>3$VODglerVVs9gf99K4S!6cBZ%syPW4wh=H0H2sfdZFPUVrj>gUpe5K#I z{qOPMDehjqPBpHM*|Lr^`PX+8VupdGx@n4i5KlkZ5#6M(nR>Zq(< zgJdV7kg|n2m`&GXs^pu)P;Yj6FtlL3yQ0&I-o*lmy{(yr(kQ_O~w8X*?LMm zb`^Y^Q_sRhY6KdoWZ>Q@6T8%e8oYo_ZD++3NxQ`aP&-~p$g^*Gu18Ho`4SK&gTS!Rs47cuWpvho6>m#;d|>0nAmA(1n>g~U&BiV zPW~7!z=R)6uI>Vyz-~^#B&*~#Y+nRi_a8~Z!?0sDzRU~VZ+~0BN4yM<1BQ59mLCNW z&};va^FlD|-?mzVgkV}53CjAS3!u@+R^1+8>ieVyip4@`ca%}1;jx;TbswjUHsj6? zaI-q)CjYL)r2$b*>}X{&uwX^rxp9cG^i#V)yatCuA&60O(c4Akf)etZXdh&_)#*8= z8ktji)_Uowm+`TSod=^$xP=Ya&+&NY?lKlLH7l0!MvgUYdf2|S742j7${yVfhJd(P zd(mJtiJ2!hScG44!tfZRj)iCqA2SANH9ztPcbKwa0|RqwbwON=mmSe7wP4i(2&}*# zx!JvDRBlFo{N_zqC*G|r)?%)EYb<~U=~w}E)kRQ>D_qrF4*Rzs2|__Vb^-%aH|2i`XLv}Z0adrd{XLO5$q453x! z#HZx+0C(kIBB`#F@C)HlX4!)%8}my`{RYXZf9KA+_tzaNEJ4t%xQ)i>O#p#R#W*6Z zr}3Q(#rV}kL^M1xlv*WF&oE*e#Asufp50~{UEauqy!>v$r&Nii@Q{^Xo#*f@WFKoQ;kY3>WNW zksala)r82VJrHF)C|`K}in&N%_vo*h;m;LiVv&Q?ytnz$SV ztLBd$UIRA#p|c@w5Gf}n^t%f1-eJ&di(KgG0mFfD1y2YL!7dUV60uh z97rL;R)E-(M<4467>Gy`Np$skh`yM{TAb3N;ZUh}!A#v=r<~4>X=S2X3#Z+Dg7P#U zqAcp(?$w^C(Gz`_S}w_IH2G#0k8jJ+_TP9^=7N?ZR>Svfeb6g2>$r~lh;L1Zx@x`# zGjA+ViZa%dfv|tzaR+E5>Bj|iQoP~Zv! z=Gk6WSQwjcyWHjHMnq9h;iP03dy?3TWeb$b#feJ5?F>wL(&`p4;P&CBAkZZ_Ph$Uw z&K*d{@$2jkaQa=yWVj@h6+?Dzi1?5*HqRU2j(Tt2kQUO^kRjfyIx&$hhIVLp|D8F6 z4mte8M5o?xFcN`ZGVM0e>7*w3Svlkscn%wd-FKSSbR?);Z1f`KVx0gqW;wa1E~>C3 zXpUjXovH_uuB0%)?^t?pCYcH-s;<Kto%l>Fp% zf(p6%Zyt4eeI<;uVce*ZoYxt6#{#C2UEs9lHEP2EqvbAKE^(bLI+Q=hXe7ZU*|627 z-uz>%;iSQM2H)Gj+2aq0Q)!AAc=#Y<4jV^og-fjNe_7 zjRoxXOztbc9f9pNB6>z~{{5Y`Iw!0c#|M3aW!VF}eKWt{`phKV+tX*ihz{=Cm%{n! z-Hi614Y&frfXVv|mx}2|?>+-h>(FRd`1K9RAH6CK1E0HA+@%(fGxT+oNC8#^Zf%m_ zYPsNK-S3ePn+;3o^vD8(!1JulWq0%TXDEYNjIV?_xFUvzxpD3$aATiL05r%c80{9& z&9GR4wjcB2;Hn0-?OV6ON!MR6qQ0>YE@SaLvm$~U8=ye3Kn`ds2m>n>Aam+NjI}3= zl}%EVhhO4?DwyWS+(t}f2TKR~+coDN6%&QW(;_*u7G_quijvw}rd#9gC zssqt$!Pr3W#*c?UY@u9kha9dM+((x8X-D&aokxnZZAB~#jakDKKjzEFA)pIEm2;NC zE`#m7PIs>v@M|2K{hfNVncf*5-eLF z#wZji;H;sgurAUV8&T?27WdEsPR6ea8(QXK><=vz@X5bI;5v_^GJ5p`ALwmmGUI6)?we{q8iDHdD^W*xSvS$k!FLQP3H)-@^+1?tqHA zF34%}4&iSF7l~GBE#>-a#Mh9+-$X_^?Dd&14a=HIh>4yZ(vLMmO4MTtGCh{gHa6!e z;F`tVUyTj*Q`3mkY0Qbthg`PR^peyI`vC%SuC77DN9>vVkK`CV5I zfXO`sRVQodV6Dijb35&zr|fvA8~et_a)2eX_}#m;epLaXqnYoU z{g@5b&IBqj1vElGqiy`?v<^d)+l}^3PN(OL7l3J98||O^eAQOqEh|yJI%t=^-e~Wq znTzTV#IwFn$uf=Oh%flwvYd7ge5OrtKUQx-CLi;G`5Qy)5S2OMu^r|N5;hc`ykAH^ zckb47m?yCE)2)QWbb)hZL|RYSZWc_drR94f7qnRH418U#@(Dl@mg3El!FiKr5pvmzr5%8+TEM!ghAKyx|e8P2|ya~r+ z0ujx7vziNt_~mUa$ptGXHcuKVYVJi-d0;wR&teIEm6UB1)Y}X4tA9xJHgHCjNx(sN zq29^t!+D#|Qm+C~6MF~eOl%bW8ZTKRW?7di$)(fMaZ!f+d0H-hsVB4%428b099){E z5i|i^q`M2jM21;5g+RQMmYImP_COp!5WIOPRUQ611nbx~^7n{uwz626<==l58;@=% zlyk)xetCvCh(f;We8Qi-?6Nn1F|*?S2l2M`SGiYYR{HcXYYn;euDaaVNNJ7!xapB0 zrw7sEw3})9&^P(Z$SGr{OE=oS`(uc&GeOhWjEP+4eOYGA5+X=s{X~9$Ff>BCs~GAx z$Rk6=D;+#naIgzz;uXMqa1aA4FyQ&RIwriJCy;XxyqIAruGBx4Aekdqxc%hY86wON zYhia_T zRvC=w+>L7Zs{16|DRuidmn>JTOi2F`Z<$MdFLiEXhhhteB?!WM>xwv*BcOt3AL}&i zWtA!6Lm!SR@Lp>z^Li@b5~Z%t6jV2na}2LcS+>TI{FMrTyWld&fcV-jV6Jy42~61w z)OHAdCS*%<1!uKm`C+d8)^wmgJ5PA96QZ8c>5{mJ zpGx9X@6=>*>18liNqB@Oyrw2G%P>sdd^1+22t4Y99M6t8=%03T)HZG1s7C4LeQ}ki zv5R@srGp&1jFWP?2CC>Q>o-_DB^Kn&5-Y>;(sQ?NvEM5DUg5?>XOV-mwCjj_D@@6` z_*s*%)}YWd(ZPC|{p_i8EbAT&l}#=ppM<%I0w9bI1D<}Gu{z|20C)`!0iuvfMP!co|H z%5PkO42W9(4wJ<8QR?IbOw9P7dI15SbxM5q{uYI&(KO)3wcD+y1Z69$%tVd$_aH|F zWFp)~Ajr{s<2TQSIPklCg^U0(1f^9$|tCHNG08N+b z^K`n=K0niW(M}q5ME`}EnKUe^q*967SLA>m?BeN4*5J-W;j4l#0i5H8zvmI(C#5EZ zbr31P2L{OT8M^ap%HWb0yo+XG#LK(1uoQ8_y%LX9!I1YS3Q2d$WE=^^MmRx?O+t*l zzXqGUsWVTA-M#QfpU70xnhY4RYEs!R8Em8@h58fx5>MoAtN=o}Mrn6pzvEQdhgs%D zb3soIua^X|qLIsBE&*a=j7KY1!Z3pe!0|u$o?6cPvJ$+3eKhse<$e&?WG_ED*2ai`GzE@j4qgZg3``dK%34Mg$8Hwxug_C(7?)N3XVkx zK>(fX{X-<5DMzcHc?`8Et|qrWFkF$d68A3DO%~_DOXN=lr{eug-$BM?!wMgm>WWu4 z%8Ndh z>V|}AxpSG6aC@4WVs^rbOFxCT5RW?2t;6wD1BOA@4( zb5XlJ6ZgMhbvnV6mnqDT2-1&~hvA`7KmNB?)6Aj{md2`+W z`pu)oez|TvpTms9b~T|}l;G4VRFm0KvfM7j`j*48u#xQxlWOm0wr8 zkdEZMTn`6+DmklQNTJ{w_LbIGxDuXY62@efnRTgN`f)iN4|yfodsi(dR$|W~%8z+& z2a5D4Rd|FbN4rr5=1R{5`J#))b~>Xo2vmFK24clg=Fp~8KL+I_FvFdCxQQ3=!`y$F|)SCOiG<#$}!UdTA`a^}=_a5oD)EwIR zJ9snn7{3FuXSSWBb;K{s(XGgU2P5i?ou z$3`%oiX}0cG(;&Jw~Qg!K?!)?ng^p~HW$M0n~+Hgu~!b6DM-D$N!xEUAC;jEMo)QSW;{Ci~X}Y5O!a$ zG7xr~yc3C5TMue0+r!0sS#YV4S~zAZWMD-PZtd=sBq#S^L?Ik4!ih-+pb=<_O@OlD z40*W+s0MZIwt-!JO2um4z2vnVQTY15{x1NyurPvD6Z6M%`dNENH>Ic-LCRnb<8hA) ziFB`NECdjq5&X0QfPX*odzGBGr zV_ILfz>*s~8=c9AJzu!6MdH(r6uaW9iFE5|> z-0%CouIs+;+f|8d+-=xsg#g+R!7%IXH3?Zi5vTD=qOmPBNT{SE39{TwYfm8G?cFt; zCrj#wZ8?J_M~Q@kIR^A8*+D4aWQl+h^&d5z zOYv^vAtfM3fJ@w9R72wTjL%D6UdMoQ+Jpde`J1-)`6VG9=n%+6Qd+2G! z9;aw*C?YdiO%T&|`O&|cT9LY3l3+U>bRr2$T|>^oR!U!`O?t1grL4~d^}DOGNA5+m zV^#xvTA>@Uq|5%ah0Sr<6izeA^$!pNnX{sCD2bI*vz_y3Yb3nKeN=lc2f7j|Pr3(R za<6Gx0R!T4x&V??Z@6$;Rx(v1X`S&TrdDp`P4=t_;F$8H?Q6W#suvm?8jH3F`wCH( zzd&s^XDrBdt#}u5n_joeSz&w~u}Y#uzT}lD*1$mpe`INF=Y9czy`vnX-Km>xFTkWR z7t*%7bC7qt-P_r+TEs{h%I34a42#Xn_)*iI0RO)LE`wh! zo_WONV>`AWYx;TIAd!$elD) zVWnXpoy=HX(PulOplvFQX!2WDL*=GES;2n3mQ56Hll z%w%%TuQ+yQdAq7{jxqiKWN=l^qa6pWVdBGvcCf3$gVyjtN|Lt>w=gCmv_o$Pb6Aa0 zhyT)FW`6Ib7ympnXuT#XHJ#1;<$Tw;*8qY2DP8Ss5eRT*uNg4e;RcI&^H{9@?QeQI z9HYdOEkW015=)Guho#~EL_fGt3z`Ooz`vn71&B8@BcWs9QPgm>UDGZ&V>9q7`!u2{ z-_FeIG{Jx~fpNGqCJI3Yk8~~S&OIFT*sCW>fnw?QE&)UQAnJ*@8F4?vew@*Gq(n>G z%pCbnEP6I_oSa|^LdF(jqm9wE$k|C}bl|Ms+yhQ_z_VBri_AQvmrQZ~o(r3wjTvPQ zfo@=HA%6ydQ;@4UNa{kEfJ|}BZdOI~Fk;B+T*`3*nM8DeGs*xJdZa@3E{el^H3c9Q z*}!1Gopw%Fd=d60FsS6VE`V-8e{Z19G3ybJdO6(!&rnqKP1IUB(=E-n{mndnok?&X zK&(9l`Vjyd*3Q4lX#+@nE2@n%7_>9@5r1;;ADoE|z5zk?V=A0rItHemPdr6Ljc`gh z!_zkz=xx}ae{ts21E#Tj7C4yeGV~|`Bmyd7R^&6m`nD?vRI(XGF}0&5aNAR0sCzF< z1DOpdN6VrcIm{UCpCR^nESiGLsit%=&60+N#L!?n9Xk3-xa&E_=9@{C7(;s3s;8wD zXf731mKF)yXue|!xd)yAM$Ssgu^#A5G_<+*m?Hw>kgg%a4q7MQUAJxSjkX*vyQ&f4 zb3_o;v(N5MX4EjsIk?4aP^c?LRePb$@C4%_IxaY&ghZ?llx8e_(C}{7>>v#0%?yp^ zptrjfg4YN`3o-U+D;u3cIJ%bQ97gxvmc+Y`BCgs)Ij%##%t;gEG+=WE2HrZcOwt^V zGmr1z0=lc;A{+5ZdDuTK!Vh2VjAflf$*E6+I`<58dv1fbH8^gZUf`_U0Edmv@{8aC z4!iV(U7qF+6P^cAfnfq|oj;>@kXFE9iB+8PWc}GKYfAKegZj3f!6Y;BoFvp6)E3Ka z6boyk4MI^HYwJ~(JQz$;}GY4OE|JCEXe&a zmuf+uf3j_Cc-Ji1w)x7BUU?!;xEyg?X2?1SwRPg(>4d6Z}*>UI+s@1{gG8& zhme9MIaKdqSW3_f+?Qy$LXbF_)k_#+z&;*jOvNA`pHA>(%aA1r&jB;{&S=WO){Dxz zR28;5FiR|(rHzM2lJoFCvhR3)9D-dtbp=p% ziL&+n#|f`o+tdD|Qp!%V!-l+5ma#a$M@;=DjQiGAc82-fi^`##u_lCLkiE#j>4~Fe zLXv}X;9_`+M=_|X`ypcKl~|9g!_%6a;EPGxD>3c4Ok>r~MsUg!S}~~U5IS(NitJ=* zK@+gtI0j1NvuzUX@`uYzKf^%`Nc~xsL(e_ec>0CGl77W8#{oH`AL2!@N}N+nQ!lykh33H zO9WKA5mSxht=)rxTe%ONs|KI}@-9QBwQGfd0kd{HwsH?c#~(l-D7J6)ujbfMHUiD5 z0J@=nGP}1*Nt{RPT&i+|`<4cYs4*bEUEVHQ-5Lbu0-PA6FL(e)l=+zfS$ufyKI^+e zS?SY&WfH`6Gm6G4W%7co*EOAva&Bl&?P%*eFNx(dcutw$5G5ajN>$ioXcdwy!WPfcjg z&Kr8aaPOpt(qd79oyIaV(rArK=@wJMv$C1v5~tIA&YR9C4u6z2lewzDJtr#=o6l5z zoh>7)T~PwU8M_p_ZaW2yWf=#WZJpX29yP@m5==$>y{HBY$gRkr3+gNGRMN?|XUrs3 z3FMR~NKd@USV-^Drk2R6{0K1Eu{L%4Aq?;;LhOm%NmZ1Dt^^4kYDuq8JG%j_=aSn* zfZjvxt@dO@D=@6^Izz_3EOtFAjY31Pn`}KXGDq+g;h+whht#_7Qd=<4pL>{B(plC4 zeup}GNXvddYQS&zajL-3*a=RWpE#_;_h}%bcNeR&3$8cX=dkEk zTK)pu%m7efcVHUpT0JjwvEHCA!w&Pbg)eYC9HhX+0$WGhatf2_L z!GsOj;6Dcy_a42c3XC|bu&0Ips@RCxR}H+M0Ejtiz>VEOH^1)N&cxEQEv_YoB`}M` z56qlyvr0)gBuYp2(l#SJnA1f9(^EwXPAoPGZ$!DZMZb8OG_p`vPsN zF2e7zF0s3kY5LIMDFLlqi6+DVTcl!UxiA7V1K~N|uH|P0ipWf{qO}z*+%frl$#DUd{WwalS_G9BN8-bhQGG7g-alGhq_ zKj@D+M^dSsZ<}fK`{b5u50Ug1v{t{nqVFvqZb%G_c{Hn<%aHEtHc5$h$+dTvzWWjB zIB8sFX~Ae!sQ(UQ7vWPd8%MDl-%!MSR;e4?0ksmt0w%&<=2Iz&hvyzw#C*7R=vGG{ z?aiNy(f+H?@Lk*>**oK5OVLlmTHC(YNkBIJ;=2m$rQV zR^_w3Efems^nPrVFyUk(D|s#*Ic3g(Vryv3rT4h7L!m*J!UEinLHHdu`F{h7q$|Ve z?JY}!$*E>q+yX8`pA$6O7x^kc37k$zi1k<=H$&ZNBAg;=GGy7tNw~#>B}!o7R%=rq zcyk>=gU!kV6c7|=ls%7Urf{Zof@gHt!#Xund)(yZR6W^i`L>2>HCA27|9+8VUA<`? z_EE<E-(3&;d!0H1tp=)yDx|;t;8Y0J>7(pr-SSwR6(Ao*)%7J3#Sc z1jXmCh-vWCBS4NiTt5|WiJhX=oRDsbTV*&+O+-pGKU2TJaK}AUCw_8r!?V}iC!E2u zEMoOl4ImKhXwGQ&R0pukNKOO0Pm8FvYXpI{#WDghgg`bGxU#o?(Eh3uRd`5d1QBeV9qMRXj5QnD43d$U9QF~HzkEL%i9`Jp!Q@1oMuNH*_6D} z>k&A|z6$Gvy1O5X*k`!UTb;J>9+*Y*k2b5!rd<)3alaT-ge$%;AQS6wI^3Z!&(3VN z)I?_5UUs|RbTmv}fO>0J$?m6`+=3-7{?3V z!;fIzp80kc81+{7a_ymD?{g_k-`auKIUEC*7Z&&3(1qO~qb4bPO4VTP7O*N0wI+k# zG{ErA>AA(-4KYQsdk{%G< z8qBzovQZlGXt{O8j7W0TutQ60Hiw^i@-s5z$PJ7wwNL)kmZU*ri=p?0(XW9$Ue1tB z6PQG_0Bv8)aE={vGb0bV1oTIAkfo&WSZ8oriCKxcQl^Yuf@l#l3F{U#Iy$i(h}two zZB}Demock0FiIs(hK+aQ%LLZI{kIuHxuHhUH}nK(4Z8}pR=(^0+;u6TMl|gL`$v_B=q0BN z7|SmgbBlh-6y$2ZR=L6psE1y5PT*RMt+z}uOeShwu5C_hr{NC3sWJsK{mtitnC((5 z3Cx*6F%cMoA&Dl|hF~w}v%ghrYV9m!`ma9HAM#Cb*c1*4wHd?i<}B@0C9HkOqz1Rg zM1of`S=mwd%dEfBY-J5#Q*}z4?8O&f9qW~_W6qskN)NpGIVqsTWE8OK zq-^)+SP=E+0i-PA(j)M0d&=CdEQ4}d6vU3bk2&|+uXmT8 zjEBi^+qG^aQ4JI?AVw;_0_CKQXtt6ioU)X^mpIY_!SFf>tk>5jw3l%e|uH=24Xk$bI&D?-!1BQRtxE@8@EDYgkf#c{z4 zR!uIHOR^eHBUxw-bD8a&4`}U=tX!wPl?edW73r}CDEmwwbR(ME->d5^OKm4uCm2?o zB?QYYQHb#phnkRAQ~U29A6NzzQ+E_WYt;zCQ;>KBdzHjq1>4tAsUH51V?3{jI=!x# zv@}YPK0Ey?&M9er>M%9ka|DgO0)pH_ENud4ampQ+ot_;aHCHlAQS9}a+D@#+@?((tgwo{Qp?PStu6}q$Hr96WIYAR2ety8P~HgfJYxn^hr>e}p#umc=G3I+Z=+o5{94sji~xN!f;GRuYBC}%qERI+(1EjmjCQNxlH zMt($&Eac>62bi4or!`&J%ouh02uj*cS_++I?A{z5HJv}%wsjZAtcNktD6$TU?7K#Q zVAuG;Q}1)Y|33%tc-;iCX%b#+0;6Za=rHyojFrP-@W-L5ZP9k>o$9C49g3i!L*2X9 ztysWQ;{fXFoIaNsLrF(%*d|uxv;)1>M(w9*Kmt7esx8caqtA8mMvlek%8cLCQ8y_- z=F!~cZu1%bd_K$|d9Q6Lq>0xrT46)fK{u0 zF#7nyyat`PmEk*5o@cQoC(yCp$)GWNp#c>rqW;8sv@d59&e_DHc8Ec?44b#=*EYKU zD)|{r9^{ecVSdBYzr`TO2a)4w)}#Q8>KWPYrYhm|dj7U{r)mfJqAcBJNWi)i+Cje3 znq`_fUVLRk*-&TBT6tw-kQTj2Zhu3-7G!m*U<*JqCOIeWP7U9Ktr9BcM$tWlj1G3r z3NDy(-S-mZ-r7@n`vf_mKQg01vd76L^d}2CqkL&TbjF=Y%fV<3Bc<2a7qvWvvWQq#IR{`01P&9`Jq5cJ z@!viEuUcUtUni*`!VRnvW>4a&o~TtEYuqFn%hOCdEJ8a?Zr?{qwR|$^8Qc8^IGUiDzym~ zyxsy2-grWHf-#2c(Y>e*g@=6qz8-5U3TrzY@(v9VuWrv68MNO4-xYr36nxMp7y~{b z_WbV^rH&@}Sa2-~MN2|$?C?}n*(UwX+%%SZzUEDXq#_RSJ!=(cS)cTuh|qSd&Dmo# zL52(b+;EV^SVn6T{n!s$v#iE}C(3^nkOTB%iGl13fvo}93;8&cG$*o6q6e ztx87FF)>Yc=4I~8{crWu{ka5V1M8f_;VpBKnIe~$4v$%yN+>#l{c5B+8uv%!7&E7O z*%|I73OWo=QZ|zA>5TUQQ99U>Lw8XlG`Huaa13+fF{ z^Fh}m;I=`t3gAkhs!nRm{Xftph(A=PcF|k{OQ0~*BXuzAQJ}l$q7?ptI?|PSq`7SK zaO@1&X7~g{7`rA6E8ab?lN4Ee9&p!KrXr?m;s{B)gcCT#ut2gzVkFsopTP*=eFGFX zR)YG<@FOrFvl^nF?Jm2YG}#RWB!ksjwsR!pg#Y&NXgKFg^J%Ei%##)2+p1i9{BQQI zU;b@hHrJ1wM~DllriL350|#=Z)3wh5-i^8XCTR4hM}8xw6TCsiGEk3RC^7mjWa|gU ztH@znZw2Vgmck>{U66~EARL9sK+WYd-*6IPZIb^!9Z5bYhlWE00o8WK)%^T|1L+pR!kL5MA6_?jWAk@gY5rP?@{JiJ<9 ztDxm1BVhglyC-NNOJr4%c+{-29E8IF>ny_a?h__}w!kQo9GGXXkDTu z46ywJzIaRxaB^=2!3<_2R)diNre~0-18%GV((Kho`~S&C9&-fO%z!0~lf2=aC5dI` z@ra}U_euHb0=KFwEQAT{mRu8HpW>*k)%zPp9sXNPO$r?XoHkQ1CL6Yu!|uc1e7;sV zH(e*|6fXyw@n^Sa-ITqu!F=PCe6QMI^P-+t0Q)!p7P8eCV6q>1PV!f4%LQi4UK`#; zLwngJCa@R9HnB6FyGKg<(w%A(5P|p^ICxst-2UCWQ@nf>jPA39j5O_LP2M9KeEWuw zLIs$Fu*p?{jaUsIH@w7|h^*7SM}nGk&1NfL_wefqGk*P94qeYvAnt@(co#N z;OS}%dl}1y-B|h;EUPnAsGGu~8I|a2zo};uB3RvN4ffU`dzGf>sQ$M{{*|0N&x9C` znZoGZ^{~l+{xA04>wr-9#c(WnNKyQ6C%xu!=vNw>MzecSbP9G#3Nz)V3a377+ZvwR zV8#(X15~EACOg17iIjW&$q|Jr-cPA2_LQB)w&5->paLRm+go5+Y}qmA4w zQ$}$gw5aJE6e826S*brm1aEilmbt8YN&3@FqYcmVx*I)dKC86}#voUSAW9J=$(228 z|M+z&I^aHG^A8SDeWpOhnts`6C}bsE8YpAXfD*XAz?PSbV}H!7-xMkrZ7cB=qn|*gN=RpkL&a6tYo1)VCJNN z2E~H}%y`pDAz=2=hfn{W@qM3iab_060ojNXNNdtWIcu)Jo}>49xZAgoulLnbn7u!$ z3^-?`oZjmWHcWlrsdmkA5RddPnX{=0#F7p&Vy(8%4DCR`c6qKa2Y*0QN8bT|p2|jg z2b_8wEhaO@V77h^^C(k5<amJ##sx8F|n$g+M&U^ z7yo+lRZu8`o{fMoDVJr~)v)&Be_cUQp7LiQ;ao}hLfaa08mUIDbW!LZMKk9&ZV|3v z<_wrKT#niLhA-RAtZ&;IZ9567q8X&30K!8^fA5bQK0^0<{vaJ|ByRK^8ViY?N!`!% zPjB_XS*dj-5%NEZG=+(PL;~0k(#tckMScA-d8Wg@yPH2-$}IIAVJaDkY+#}stVDxC zqwj9GIs^^4hMU?cWv&WeJ3Fbim_?T3HLo3mV>IA;o1bi~i2wyGsqeKe;JuBuEDAIn z3sm`nqz-foAzM6Z$yTT>E7Y2rn|~Y0!RXhI4fvY~LJ6x=0_s>jiWPa1y@B8mNvz5A zH~&@#D%AL>q!2wm!F2>Tc0J0iMy>zf$Fhr?Ej$TmXO`HFY~X}B-NzR|suBWRdMOQv z-Wi~PeKsgRBjnB&(z`opNtpmvtEdCx#Kdi536CxV)Jfu@FsS#T99ch6O4sZ|UJU)7 z{+8u-w^<6S#P~e6R(ADut<{eOq}U|y55BYS`M8s58?Up?3!KAeh4WZJ>Ra8Q>2xzj z^j$YJZ$RqqG@sb1Cvg1}#4Ibuh~-(s=C0?+bdX`+T(<}sW|NEbZ+YuQ9RVWm2*rKsJtT{@UeTC2J{|XoRwN3doAayN=V^`Q8fnq-m zh$3Im7=il@f4@xfYsdFa)^r0~Un*m20nkLHNL=HPJXixB{@0x!pa~U|3iZhVS-2cd zu>J#QbvYpVf=qKq@b+nerv^pMr`KLz#?2};`TyZ~4@PB>5z+j5M2-G7O>|MrZr73Q z*>^KN7@U#6+icxx$K;)JDG3H&!{@ghxK@N@0mcm7K5%T5n6o>`uNffONgCrxdtx;8 zpj(%WmU6C^Dn?Hg7Bp++do12b=3cjkrXx_QmV(>ZZ&DT>H@GJ0E=d!j{fD7AiuqJSs*y8mg> zy2nC?9QLYmC2LS_pjE;|b~ZDd$q7(4tj$%k=Mp)mBHnC1-bTFrDq&&vM|xFFPQpj? zP9#sOM#o>%)lrP9z97sZW zr$ewtbU^GsDgkCKm})>bUdPy~a&*_GUEKml=e9mutq;rnJ&*hC=V9v9F^%)fu`Hs5 z8*6qIMbhgqfy)G!0Ryu+LswCVq31J^tvdaCsB}&d$$<0Be&w=<-n@zfqldYV5&f(O z+MMeKg&EAnR(kTJG7g2-$@=);kd?h8H!?;0q5LL3zrC;Yh24`QZ+VA`L9K zrvyjVO`PFPm$2L2{O)jY+WEi{(|lwOau)EkPL#k=q+BwBi&Kqdjbd41EDBb5-#?FU zOpFJ>zu3p?>oKSr-Vn-D-+McUcW5mGgj|?54W2bsXScv;O3b#gFHss3wcDlnwL5BL z;JO-qLro&ze-9e;4}B9jB5I6rh+8l@MFX?+1+$beBt}4O7o%&bxoCQBB#MpW&>CS3 zC(g=R%qe@;k`UiBNX#^>ry{)C zGfU^hDQG2iUPo;_*uOH^v(iAI6z0?@a6ZlycF|*3tJalN)JD*L#i!C$a(+u;PH9(+ z(Atxuc(PS-)XtiKgZK$xFgiK2aY}-MJbxG|Uq7rY_X4_K_z&^ed%zFd-p_5q z2?-IkH#)CSbJb{H&nOB-X?H6kwY0lx`L3E54JbMJ*aUtnMG*`ZO5N5`9-%|glDqWuF5QRy>|NZUMNm0M8eyf?V zc(wAep7QX|yCzrb_de!3#A8rUOPfz2(gkb8i}6=*|-MteO7XR}E3PB*nd#%YUJg+^Ih(>!SE=^ig$3UgiAnHdS8EX?wSp z2XX3E3y1XS3t3TmIum{lwV-WUr=ZZ382VO|j)Z9)@GVGlo8Fo^&9#BgPO^WX_PsnL z2uE5>tZ?F`k+2*FHcEp3rjZ4VwfQ2j6lu(^*P&2sjC}A&$~hjFZyL)*Dd#HGVd4eJ z`=d>!M0I|vm^}I2IujnzIcf4eJnqHJ88ltR(*BL#m1*l1)9W$8Tes2vo9-Xj#>H~4 zS}>5sFoYuNrM2tNMdKdb^^QMaC=Vs111T z`lTrE3ya62U6~K}Y@E)e<)VVT_L!Pe>o@Z;EVolX8vi_mzs{m=@27n{jy97~mnKF$ z-FHss{qKU0!#3#4`7y~hBW11+86+%LCTQ)uw#!g~_n2odeJ%-6W(r1@tZ9=ko66i( zO7rT0R836%d%ukay`N3OXezKB3wq}|{u6#^+^b+d{_MhE5 zV?ur)q#-8lHyQex>D#c^bm+xih0k*kI;}rH_y7_SNG!dE3-Oyzb{gr0!(8==CGj%B z)Tz7Q7==x;k;%yn3JKhjuq7Ed9icSMs+x&`O<*Xsr2d?VLo>A9Az4qzI`xIB(ra zx8NG6e`wdKw8JjP!{hvaw?qtJH^UytTcllTJfA`ZbmA&n5-0g1F0W8l`gGFl-->S18a_s575(3!0JA zemJ1IJYMZvqlsZ{kLn2SdvplzPe@xoTOH3O#g}|k?|)K3-PxC1e5V|Nx69?4;Hj5X zGMZCkanZ)5@R@5hvFvqFo$v$4B6%qz`LPG>R`Y$v!~k-np=l3DM9qTR@Yz?&WJP4vE9YQEQJQ>6;MqG*4hd98jOLEz;%> z&QiWKhsXXHx|^X+8^yE5%cD)4nACNXLEAy5m&@u{Wf^56uqm&4wW{rGv~;qF&O;=d zNqa`pS3CWK0fe9|;&Cl?I&zPZ{mEy64q`_x7F>v3Q?FhrIwv^C7zzVHZ;*~tgSP=yiPOEFAc(y1Xji^aD5s&qtFiFTZYYo#`Xt55 zFL+KGb?1j^L#E9%HMa6;39lkh&%h(+fVoHs@Rzr!`Bv<7oZ-A!{D1;@177_WwRk(n z+N3k3|NMmROOteF-3dJOC-QqN`EsOXd&3rPky}e@U}GPYqpv010G{W?xp`n7Jno9 znCI4;5FZ`jev0m${5Xl=&<86zG;E5uR)&i&H!~S{PPER9|FNI}Yo|u3sHo$Ut$(is zE_{L|XL%+YBE+Hu`h#MOAwDbj31}1sU@qvF_&vS7MM1QUx0>`sn@8uX9nw@ycC0hQ zJ>LcnO7ghXZe3Rp!+pMH5YS5VTguIGsSDvQ^{V|V&lF54tPR+>4M!-YA1qJV3BhH% zV|=h^g&2e56Tat^RBbDcu`%yXIA3WmyZ%SDsw5AgJy}evt4PuHWTQ~XJqs=u`hjw8 zF)onEry8+nQ2lp_Gwulu*1y@k2E8fkH;t%Ex+5E;yi}=CTp4ixtc65bBi2abwXFAi zi-;ooM0gq1s{J+i!bp!*3REWJ=467V`f+(yk%^2{NkmlDh2e{Xa4;m{#r%1lt+d|z zAL0C67v~=)H%gd_ONZR~zNx??ujZ*xskx;kkTE;!QN*3B4SBKjdlqaf2G~|BaNhM8 z+Wkz~hkWg9b@ixh&rc31alD+WgD*_kCBYs2zhB+eU!fiq&;9s@pXIU!y?!_U{}i`h zc|CL>ybhpQ8Z$=>Ms<7^e*{WP<;OaQNa@?Smi7k-KM~^^9JM5b>hmni@YK99@L3t6 z79^^Mn6rjyO)z%%YBdQ%m7@UfE*kgfx%1`!cy;RGVXiny0-Hh7_?p1@ zjj>womXY?YJw-<&I^VX%vpscf16aFbDA5wO)Rq_om)5#>F(bvrfa>$B!qn{@st}!= z;I{crS?p~}N3m%E5;*ZP7;_3V!+KQKYyONO89Vg4s%Y8Hz43t0sB3xYx$7sCxFFoe zYVS$e;6sE$1a_%@eC}{tw;@0Csf1$meuQ?T%|6a=7W)HwvZJ5@3!h+DvyMIgga}fh zPhE;|$gW&?5dHJ*m#WR#nBb>n^OuhcTu#&Ww3J!Lov_k;5FO;47t}K#?IqgLQTmQ1 z=F}gj+Pw$MVbt3)xfm;W{gz$DV9a$h4vuhVf)@6@>e96nHlS6OBxTJQ! zISS#4K9wwJ>p%C#{b8I(IcW~V4f6Ka;sCXyE>1K1#JO$z3VXFO$F|?E@Mz>OT1Fk)=EjQg?maR zUA(+WHgM<(|H@Ee{I~Ln5m})8o{UU9oP5wQ!0UG8Sxgg?O~Gn>UQYW@?N{fq;M!CR z`Qq-)5U=|dEIfI63i4K3WSe{NI`(nGBm`OGS-6uHUolLLRuW90OxluvUGs#q!3_hkUV&@t+p?Z`mj| z8Qfb2MNof8yxOfL^#p)!0zSa6rfg}CW_cd~mb(eIJ=pktB9K&TR3=a+V=$LsnW=Uz zbO(CfVF8Z6r^KQ*bwy;X=5%`CYQ#*egoWOY09m-J|E)d$|OwbPN_{!^Y z-@3*c-}_UC)V&UxeiA;s^bQ^&ShC-C{^P?0b$Va-8&p&ajI8T#dtx6gCko?|<4uEm zXDjKyi^*#a+khKsDzEnaCk5RA?WIz%9GMnWq_~>L2Ev1_&A0Ep7+1X5(lsDM-Ph)8zQ^yL z8eXxO=wj}D?#M`SC*&v_Ndp`WBO~Q-H{TQe4`v8@+y(1zzr|>&SI)+r)0Si4E8J&Z zr8EmZ#eB)D`eUG_=lbCG6M&6nvF3HK5mk=f4x^v0e840yO?I7a&Qp^IO0iJiAf4Ii zixDetJ3Pl%K^ZHSg0e=2$*IfxR$;MrdgCWQ+mt`r zo{rS`Nec1qP$ZWWvDXdPO9$s6dOE(g4?CR=*ItO{^d&A$-*3Urw~9lHy@3)?ws+nPepmW_G>GT^qrJzd8F^(F z#FOn#IOM+Py_6vRd(xf@E?iag`@Eko(7m5NI1N{N13lx}WwI9jfn6AJE<9jK$@L5R z_%gWmD~fqO$^9vmt)MLav-+vSms4Cphgc5ko2746WjSD*wN13^_hPtpOmvz{d}qpy z>S!6`S)%8y@K+i~tyDp7XtiSgwxpXeEK})XxHT_-3ACqnWY_|$P0!M4g}sC5!+rV zQR=8FFSeLEa+eV;^VL-rdyN}=;OO;{4aF&9Ey!v(I1E(A5|Fv0K(|uDT*&Kp{U16Y z1>woB*?5Uu^+anG>G;oMy>UK?e1du*yH72f9Rc2)yg-ZErX6q*!_}ZvR4NVdE}s$S zoNEo=`6X;`0o**eJ)vy)o;Q9d??wHgvj8*UOW5-@5+CpAd!|`C`4LCob>xKp_K?HO zP{Hl`6#&9SZ`}bqG983(x44#%-vdxY+Pl)$9gyJzB&sG%V!P@hU){}|?4>svgcF*FE*wH^NPa9czCgZ-~tU2#e zO24p=Wlx6h4zYQ5brtooIQ#BI7G<QWeyg_GV&YS|)1NjV<`3;8) z6T`M;zTvu?tV#7T-H(eCgePin^D&&PtyOJ&mDlo}ha+VzhPOnLg(9?gF1|lAdZgs~ zw?f58@lghNyTD$-qF~jA@W?{P?D6*n2h!L>P%X{WrtfZ{_v%FdNNIXpWpypc}T7 zBp!Zn^7u+XKT>$IRMfpA?ls6C5EEXlAae`0NbSj54ukP+=)^6NU?0q){~9hyE#%(1wBn2nXg();s2)7K6|I#9aY$4s*BE*Zosi0N!3VVR0GeA26y ze`1U-F20*m+>gIM;V%Oa*ZxBU#rih&>aShu*J*(I=~O=E(FQRF$g}fU#;vr_4>N$L z?xi7ft-df^LXy@w{}=BsaF_opMZWa?l_KZ0xMcU`h57zCz3Y^p`K9ZJTon`6s^yBh zK-JH~pdwVOqd(+>uYMBuyS5-d)Gd8s_%)cWJF9V3So>2OcBNUIT+BXsB&8^2yG?|w z_$ntZieEix{<6}Mk*_HMki0FGT^+{x)`z8n6w^K&F57%ssQk0!M(82A{k#D$)I~Q> z#>D5uA02&_{bQsrJbJTuvh7HA&~dA+KA5-56#9yi=2c z4^D2g8rtNfJVL_h8q1Vi%Yp9vGfe_BZpHrj%#r82iLS0A0t-Bgpb4=2N24=^k-y!3 z?$FWtM%#PCV7az!F;vj+!DstIx}lg`sXn5*F~Chv?jF-d%)+UC>C?doB?Z?XZ@NCZ z+SpVEC3mDiMlD9BJblL2dXL|n@cJJb5c)u&PF%0X6&DqNV_L!J%SU%2ZwqZR2vCL4 zjlH*0CUVjPfbp2Q1n(D@%uCsTI5IjBu&k!fVUmeiVAg%hj)apqp^&@Z2bYv`8Vrl9 z9#rE`tbNJHRK?OrfNv}mP}IR@K%8AP!BcD_6U;YyF^YgVYD|Nh}5IG1#@eV){e0$zPfw6D!AuKwG?|PeIJ*;_IvML>b$G~1{WH2a3?*^N^)bZhOD`U z0rI`)&RG?I2CBZQJ!~~`(qK#vP?p)6o`0roAHn4qP+SN zJMOUWDr~{+T%)W$91fY^r*{4BZ9^c|Vs|a}xjvQL}J^CF`(K8i=Ldde! z_2U=R}G^kG|NKD3D_Az3W#0d7}eHa)+xId-0{_INhdzYr0}`$((u2 zlZV>i7|q;cJlNga<=C@55TuNDH*n-yiOIKgc8>SCyk z8b9%t0AHjm*A|Y8hPx;+fw=hTdQ(1l3t;@ucT4UoSCc()|I%f#J@Q<4mH`u( zgD<(cg?kmw4go4N7`8}Du0+Mt9U!=SMFAI&<_MNQlEKCS$Oso+l7a4to z9^aOC6h2&xxGu*z&2y$~%)`u~_FUnsCt^w#B|u8oi=Khoa5qIW1t?bbLF*drt>>kSb$}gxHNrSG1xXnnte7w0e?At^03fk*Z6GBYvbC419$9lg zX5W-P&O)EKf0=&2wbby@n66EU^2+}1(l0V7=DMc3V1o-@(8uxn%

z##W+J1?IxonWz94PC6k?g;e`qp#~_iTkeuX20Pg_RP5tSo%D(0LUInf51%UDBJ&fa z^1riW6F!lq?k~3IN80(rw?b};7`XK>A+96oSp`BQ)VZ7tv4cX%BE3dulmfxy=fQ8-rgx4R?Rl~UIjWQ%*@yRUQ_=!_VK6Zi~~HU3A@s} z{hpJ9vy+cy*xLLGpC_cSpECzv1;bLv|Rvf6ELv2SB zlCsSN@>z7d5@NgO#>`|&`7Ly%yDj5fXBXUwwn=VQUVOZG7w%vjx~cP(1dMvorP%mz zNOcuy6m*|fX1d#Xc-rjD016`%7aFIvv^-o;dV^P+9{5&4dC>t*9K{qw3N>E6t{nnI z6VoPaQl|pbaV(?1bnpAd{~N&=3Njr>yrc7e$3gk&I8GH?RFYFv2t#eIuI&@{F<(v~ z3sR_=)$=!}Qf&?}m(zKAWVhp>iLd~ZA@Px{f_a~(3C4^U^eNMR#_Y{eiIu`dV;)#= z9K9FCJ1+t?rhS=c#@SvMj~XAyJKAD7vzUvC-k7fbWC7i~q$HXdV;0*bRfJ|?&AJoU zgzJ0_f)dOeGGQLNy(nqr9Q0;aZi9;RFF7FuQNP{UK$b)q%s@dk#YsQ$vMO$vv6D{7 zs?TrXIwBX$VxB4-^@!7Ndih)1k0t&_)9?I^|I~c>Z{+ds6lMD0Um@LYbdK=B zN8%&#?@r!YH_K8T1M3t-a|$T7%{Wn@A+$M)82P>a+!3bDY<_+)@sFAKKY0#jwvoWhHd>YX_uCAK zvq*+z#bA`;yUZxf%5<<4=vR)T=QzDU@klXULEGIp z^$49hp=X*=%6?J7i&)-Kf~+6$TRG*mKEcL<;#-zspt(K7=Sb^GLpRt3d2>_l(o&s@ z=3C(QqJiulY56Q&-z0WDB^rP44*S2%U=l_fYpRu1?|#Gmq^z1(7<2= z>9u%M@UnDR<)>3*5NG8fRtZ+w$5LR!((4MBmB-wxeJ(wyrfQ z#c0w55pH0w4sT>9P~D8$05B>-pRNs23f&#?-Hm(K;n}z-x(X+2+|fEwQb0O?@!U3(a!;$<-sPFs1ixGnKKnJBfc#W+an?-;NxW z^QX>V9G);+2mHv)ipe(yDT~}XU{rjMLu1-{MSP;I&8pVVsv3@YcPPG7l<8GQk9-OJ z_g?d62I=s zhIAgTGMf7xHh3~T*&G?zy_0`uvtqIJ7$wc=GKBU~sA++-91>vGr!&UZkZCi6R;rcl z2<3lM_v}SI#aKb<1g_OEXKNGaoLRz! zzWaB_5OhMS(3si|Kygxm-YC8*AN2NU4PddL4a1ypW#x=m(!Ij!9bwL}wtJ%?AN8G+ zVQVVn@%o_khLE?=pLWC>`rU77oDlNki;XC|)=HmA%{SwqcH8<}-*?WA)?~pwzDVxA z1n((^hI0?x{F{>e^fLeQg_s+V`)ZDvO49d9+2fC&9mH@AkoA~RsDr2gXiB~*(q6wW zW6H4OX|uxeHC93IB z!nU1CHZ3AYHttse#PL?1$}eW#1O-2=Ru-;iZbLV9SE?*^HdBwgNx)ErI7Rpb0bn;m zS6mi2A)r?$FErbk2dzxqLu>oS%eFx%_WDHzhwJ$|g3(7WsL$0_X!{Be{dmYdjpBD| zfXrkSQd47fE`35M{N^k zylV_{yr*pI1-{RL$42TI6T7t~DGzM+I21@mBaNw_r2oCka%2PCo72pN`$GGkRlCiM z^G`HDZZM$xI(bIdE46W;FGolQ$yFlA#`8=}7O5;3`=R5uqPQml44^=718h1m;hT`=M+Ax|=! z#>JO3Uwp~Z&6$O~CkDwXG^Lpqa@o=Hkd=PMLfrPkkgdGdCj!gL=WEW*A{h#RmRRmQ zva0+ZLw@Yv5OlNg1bgEd#ufo!Lr;|D8*zpuOtv52*HGCfioeoAz-Kvvn39@2exGaK z+iFpN){@d;$iZZ8RD=eo`Q``K`D^3P-(GM?pVH#yUG#W;qV2T>hug0g%3q$IF-tvD z`Jo_0PG##B0Qf{Lp91hAJ@Lv&2H<5E$+-GjjsdLqdS#|5)z*#c#{nb_U=ZMAz#0*V z8o`9QmnLjsvzF7E6|Txf*ByrDB_Uig{1PZKikNjO4t#idWmvPeK)n z4!p=0p_FXqU! z(oP}CrTtbK_otOI%dO;4E74jW9T1`*W%}F~*NEjPL^V&<^|3=Yj;DG8Fx>WVYLvKL zQrStUwo28_jg}G&&^Jylr=PJ&P>Z_Yg?gk%bGRK6XwmlxxjI`5_t7VS=~Eb>L=53} zoLP}7g6)l~{Q&=(72~1Cdv-x0C22+}CPyq?%^~wb53G)+gbY~gtQ10%62de?&^h#W zs2P{sY8>svL9pMnnUXXGnrGV8q%VOQT5^ZL$XDWo%ggR7fDXRd2GH_Qo7z3#*ryMC9c4`EHX*~ksPruNADh6;Z?tlGK_1>>QLE)o=+~Nj zM)Ow<*_+cX=L2!vxU{eG`qvE&5oU2BQq4E4zfa~o{LDt^EKitfMUz$L?1gYvv6Jkf z&t_FzJkn>?nqVpZ?+^i1mR`t}Aa6DM_9iF!(1AJIycqgwKf_gh(u=>aZ|k#6E(8*k z!dA*v8;Pc)dM82xB-HJTx>Vn1>;yRO3?a;j{7!rCDK+)x#&YM)ipvzEt{-5PU&-wOl1f#Lm%uHWQZ#1tC%1^W9yp$(@QoI2>P}4q1M`?C-vnyI1c2l9mqj z#fkfu0{f}=>@gCtpe?vN!`6RE2-7!TzqPkDQ3I#qmPO8Uv3P(kKiijJ{L9#p&JQT$ z%copVUH82`$tQJAkG;`g^l4>C-0WD9hQpolnMf}tcMs@VzR5lEH zB~|vWa!eH}I^r82i@k%(=Nh70jf4)Ulizj_n_|P8P&@z(U_oiY4oRY9!~`&ASzZ|8 zA8Y{*znRu<57k%A9&fASb)IQ4%F$X$O-Kr_syL|R$yuXS#WtA{L|LqMUbaq__}LDs zn}1HLG~JDL8?9_0hy#n}2_$O(;TOyJ*6$z)!Z4CZHSj%neWe0pb{#ySwdsUkwx-u; zANzknehH&bF+V9bCMk*R$g4)r?`!W0Y<*HT!H3vi=TV$ftbGCQH>}6BHO8m>Kcm@{ zW+#9_f9(SJA1F6ghdhT0BD-2@D3e3QgMGTZ&Yp^VKK8=cpu04SmXWh>g@Cc1p8SOn znK@;2X|ypaHn4BIjhAl};2e`Q4hP zw$E*DIo3%l|D`4C^|nf1;P8zTfIg+VooG(;tEDa; zV)0PyGv8M-{;SdFi$t)*#>4!eK=zfN9ftzmZUF@0c_H>#fnVSa z$hc|F5k;@c_9i1MwOb2qH?zzJ7C1fEJ}xTYe$ig_MQk~{+Vkyv<3;89no0X6C7T(D z*9LiG`tGibCe)waI42|yhB?l}40b6uR8_Ak2{{FLmfb3scqNgp#;Yd=vG0nVjo}7I znmN8L>4oKNV_6a*(?zjexD|nxMkw!JR0Yy_0WNguyLE?B@*@gPAI@G&x6&BAFtp$b zcQ6A3Nim_;-=^9fY!TPVY|)K}e3x9LH;ImqtY$V$bWoQ<_r7BYWY#J-7uHGmZacKr zIC$+_$dpa>Y+8*sKJd0bE_+lDR3}ROV_(?)dsN<+7oLk`&J7}kWGwd2?vEV@X7`PV zdan@wMHKELs15~uslfPCYQCUA>$FkUuDtp!?A1&?T=%`FL)gRf9q7%;oBYNSkj1#w zg+68LhNG*TkQmLgPQhp}47;VEZc~(8!^a3ZiPt;}^pMiqSuSNV` zMNsYCxmvgPkhXPmE{*LW(s)N@OpW?WM9sC3r?xnEdG+ZgpeX$;4if#vTb?OImc3cy zQewl#^U}?jiATL$HL75%d5xums0zC zF~%M)qR)&k4Qj*p_QjV05EGdbI^B=+Ck+%wf~wvniM!sGNX2TZ8Tbn4g53mxTn1aM zFZ+J2JTBbgvS!QB2L}f;OhLkqi4f|=rkQj}?-IhzcsB>f@SWH~nHbBPn*^a$l{VvK z+D5J~xehp;JlLx;2Bu+~^-a$V*gA-1qD86AWo=}SF2h8fDWUZDJW*;6JqMx#S{bY- z%CJMcNZ3q~t2jx}Ne&VpxG;OXdx7$8&V_q`XS(-C^b>=Z5qQSP0>Tytl&O3m)&J^f z2+2!ewK>Du9VF=OWK-nc*a0Zb`yG2DeMy#h-F+Llm(k#Ff~1w&?3C7UXsxgSa+?Ho zGr@iP0>wYSIG4**yj-D^qyM0IQa=?BLmXfFk%+VWnp}lW%68RBkNkFG+2B@ox#cN) zvDx<+GQNXlFRR8?B;3Et$}|0j}R!GA^QPNyDhlJP_~1 z7Tj=tQdxx%Y-z+SHNgyKr`&`*nknh~q`B=wm7U81kVUghiV0lI5}MFcFIR}!X3a;6 zNI6!)m(?Z(EnTpzpXk-85_B2LP3Q`YP{T`gfaCja(RQ$a6gMu#ZC*BPpl6tq97^aN z#>dOhQt8X-N>7Yir$ZpasZgv*44v4TLwqY9zsg?s1XaEq6+} zJh}%x=&PjAoV+U>KQ$ z9RXurjZQoww?gL3zJv@%4l^t-5pAU>lr$XlRs>~-do-PMYgL2Jn<(@ZDEIw==E~j||9Tp3>`r;r$R>{IvU=?*| zlRygHdq;P9%?G-C+JP?5TAE6?0dURh1rzyc&8EL9#a zv@Nt}4;0Ptx)%#TLC6k0`fm;UzmF(7$%8h}`607=kNNRB2l<=Uy zh*?%1_s3VeC}L&W%TvLeKyOXWWM~P2@9hgWlCwM$JU2Xnc6yytS8PY97bax}w1(99 zX?t~#Dfm(GF2y6M>G9DKg+~+&4;-o=(4Pm`Y)^9}5?eSm{dn$Q5ASiiZeMg&9Lp%` z4}#LzL|6Nbc!?$nj5ynA>2Y*O23kqb3GQ6&H?fm0vQeo5>dvOZ-by6&O z2<2cxlfnvRn6M}Nu}(r6b2Ef~@Lny0C=TDPuLU9rNy2n(=d7xazuQFbD57?-z6QG6 zK3orEi^v{&dyB*f3A4U7NKt}o5^)lWJ$EQ$zNS=kDg4_5e@dHDtzfctgT{}y+=TVe zAH!@x|27}zWR2wlYHMDhwI8DUTtrJG6V^aop1>z%%ELJSmq;*y*Z-eKg4G@ho3U=0 z-mrYO#m$1u0XL+D}__RB_5G(?=HjY+tn`{2ptzII<#5QB6}; zjHAPHR2(T?R-C>3(|oibd6zzHa+381>Zpo$I!eP#sofvn_QZ7CeTaWPx}P2X=+&WH zLho+il6b)pUDBJZoKYOuSh2yj6|Tq;fV0AdyJxdxL(%LA85B zHXM*I7g!me-(mW)fogEG8ekU%F0R0=w^QPGWKaKlk)3CPY%>3Ne|Mk5bObX~8;L45 zfDGL58i>w~4k?&u`N3auzL8ZX<)_ltqq6PfLgW2XCNm#4B2rAEi|0PZ2woPC*^JL~ zTq*^F{jiKR{G{cNmeTG-W22)mFY{4k%|<2ULUZ*Hm!EwHT0)s`waM6WDbh%@!CBVL z9@T?AaPLjlyMvp;z9vP(RYI)w5=Lc34&07mtBtejnIn-dMRYSkcL~oSK7}ZHyk6a@ ztuEje%=s6V(E-%EGiCi~`j6ZjxXcvB$~R;UTH6zVXL#h$&eMysHT>P0g)?k^TJ^P( zu{rAA18N2yj^fo?M$P-AY0fu4e|z?E^-T8?q0oj3Wg8{!O+Fx86`kzW-xnMHRbU3x ztn(lKv>@(Hn=SRCL$$W(}HRBU-S>k_BNQ9@(=78H0xP zWo^cCk!l>98#l`z!@P>z;lMc14Zao!O$YWMP#fip4Mf#BQD`2OnGBJBWAUAG-X-$u zk}g-fdcK(kp7b`P%lXhbf(YxW#(*)g3$YICoUz|;q_C_?wJFW0CT9-CrRq4HWoeQR z8!EaiZ_gW?vRD-De!EU6T0~0djr9?iIC|2%9GYVVJPG}Rb`lp%9AIn#v-kpE073u+ z6C^6`=NwQTz63-DiQG&7W4_0Q61OHKTxjp3*~75?{sZPIvfUU-AvOyH(uUnQ7+Sfo{G_>JQj4G3|b#oakPnd)C=m z)+qFa`UXl{g{JD;cv>$n8P#Xom6)U%1)+Skp$Wp^FvZe)E;X4KU5X^$5?#JZfTBFk zZP+!I1wGBW0BSwfcUd(}_el%Wdc%o*j$4b?guMmJ(IO>Ty0q6Ui*2n8Nl@S`h8v}WM)owp< ze=9IifPY`8+Lx~WU31nEKsLJ$=k|`+_jcmXpf>CdbacE&H;Prrf3O(|2A^^YxVG?w zJS(s4YpW+KVRtenVBN~pMn=P2)aZE#N~-Alt$xP9r|$d!m%|QO7x>o7NVyfeN-+LJ zd3d52wYhU#_)eVa!CG47Njl#m8p9Y@CxefQtGcV@ME;T(YwOTQePw-O5Lj3uUck}T zE!lP~%rg8^T7W6dqO_W$x~~jLkI&^$=JQ$AffltM`yH%>ehn~!yXd(lc_ZcyxVC)Q z)rhXK(XI!8xPj6?X!$*|9yVBV{hX)tI&3>j^|3J6GCC`z5 z!W}=x^!oz4*KFgi)Q;**syA7rAX<-wugKyKg{FoE7xCMRY~}yRd<5VwQ@!;8ATz&` zrm6|}Ozh*(wkf?%Pxq9uXT*WKy>A}fSSJZgM*;3q-8=680JAv5Xp|)qaGTDIGt6SNs+>Fiiok$m`5h~` z5*4*IrP~Dmit7v`-Ip)-a}`)f-^`dVLfpIK{>8e;4jy=S769n+CnldGMaEv{#%fI# zZYx`Bln13OLb+*$qPSz?sDr)$WC6(F(Nk5`%Hw(tg`#gm4{*Jbso=*+fx?FC`FQi^ zlzs0fqx1EyJGRn?CbR;Zl5!Q;bsW9f`!i=hLY-gNzQ?fZ;Ach5Oi}}@O3;~wh;Yy! zMQDO7?Eet=)}EI}pMUMfDLvLEkRQUxN;6ZFPl=$jFE9QWmFkrc6hXJC7FK>LICfGXYvul6 z`mVMY^k#4_Hw^^ zUR+@QQJ3B1jN@an8{$I2vh&ig4x1D}+UY&k_F|0b!~(iO2_})e7wk_|eS!>POhn}m z0A6z$%g&%aY4n4v>J!P6;cK#$GFbLlUzJ*~WI#410KW4uF0ksQd9|GhS?`KiQrbf& z7N+o$Spet!OaSPim0?` z>BWtt#Ve?%T;JDTn*UmTi6y$X2;jIH$9N^k|6jfJpOyEoosM7SqNq3$a&8d(gB4Bu zWy)g0JFN?ZlUmslJ`#QQW?r|e_S0)q62ZEx1z*P5&uzel-V`Bc8YB3Q!NPu7U8p>& z{R*TT2e?lee@p?I5!lKwGkr_=%vqJoQB#7eHBS9tgQ?ewwSL~A5dd^1c8wKxU%LE- zvfWP1CN%Z4j;T2`*kauMCFL(DZL_|XB1%_-!n+J(54hZc#XGhgVeOpg$BMvmLPsU`HD ztPb3lOLqR)@&EVp_#06hzHkArBjU~f*nH!heuK6O5gv|aiG>!%w3{5earXdPT9U(a zH)X?Tsx2AB{$PQPtT~WuhgjlUloM(Z$kumx-Z*^^z6Q6efG%552EBmrs@uGWhUfCx z^e~OQ`ss4MMzTTG^BfBBSvKZ#eiNdbu)?zokGU}Ef~{q!iu+yi5Ykiufaw220|g47 z&>ulR85+TRzXSj5%52WKno8piEzX=}`Ppk=q%YIFKMgb-RN*p9Xg) z^56k=*!bK5LIQX)lWaak7e3wh|I4TQUmnTtCt-Hs?tD1-{7=%aSNh+gCOaK^`(zLW z88yDlGkbbr(dU3dTBxgbNKsOkw;GJ87h@1unir&%v2Z9>YsF#A&np;gtApQ|doF)^ z$($EA+$9y(9&_kc!->;8LiX$INU#C(W&V^>Mlu4oZ=& zKs|>+i{9M@ynrNk{^mAQ$@v%8njzRyVYqj>jQ3-DLBGki3^uf$CJ(0UX5Ih}jz&CS zLw`6lB^?MMPfoyS(GP_4mx|c;8DF>>$EzJySN?B0FW?uD5fk-o--w%rF|kibk~oMQ zdh>7ECQ^*;CjX*b{B?g&wf`%ujb2&mqy+e-k9Jt{?m5lG_~DQ<+O12E5EMr$jE)0& zVCh>HZS}d-Hc<3ZlMT=5QplSKR%^@j`G=2v#_1AE3TqMz2`NAh1mi-mrLk6{yz;3M z+9vin&BZ|Mq6^>2xP-WK8_Jf)b7a(7+L@2HI#^)aZxU1d*_8Zr$;g)WIKPXv zL(*hyKO-UMXpBzu<$h-`tWhfd=6+jvrvmpGrKmdGwnN_uF+=VQ*cpu!!eN}wo1()} zqDB;BYvUF?j#r#5M4aqln57#u4<;VAq~}KVl@n6Cdgb3|C6jO}cGDbVVyHzWh_A`= z@Lu_#O5*1_U=Fp=tPME)z)0`(^GQ}wTU{o)e3uK&A9brPE#Ht25h9QhKbcaV2H6PT+B9wS{^DEPtBD(6!=BVqD2Bxdsddy^&UrGv1nMp&$^2j zL7jdzQsO`CD*tqni#KhP;{}~lbP->4-)1|z$~8)z9Xk7r_?=$X%l!z{J_ z%iFc|0)Q@sMwGPv(VT!q_#$X0#c2~R3z{D4h!nmTrDVjE^g}#+ki3$Z-jfTVn?bF1 ztku?3a684&augk!n zk&lDtUI~h&m;~QtYj)IYHShc^?d6fzu6)gBRj+wj*IUBnpfu?7oZ=5>L8o z&U%vn2D|A}SPrXpIotL|)T-5R*o`-4knUHo@-MH~v>5A1&~4NHolNqJ zAjj{zuzEYGvAoM-F9~QhnqsmJ!_*z`CD2Rz=&YAWp!Lk76EAh%h>a#~Yasb>jSm(j z{sFQH_o`yXdSu2-j&ai1DP(cVTnGdpa7Q@j!dBjJgm{PO9^yUoBzsi4XgkU9SxO8028xx)ZqKu*lNM-46RFpTV-gsCFkJ^YTvTLGi-bH!`7)lyF1Rr7gEWC6EUdIv!un+PlfXG*ePB)B zb{QLc2p-;>De@}E;!tBVrAswVGxZ{tYp{AS+e2PO^Ey*s&B(U|=*p?Uxx+pi$0^(# zpQDK9!of`Bl+9*8CL|T9DziGh%^KzH=rX-GJudoy>tdk^)!qN&*ZmLs*~@f6c+LuS zMgH;S;+PA)fAm55h5qP&#Z=`|IBpxT4P3>2Jlz1?ckg=$@PK?dvi!rJ@a&nqD>Qhf5uH%yMi%i zg9DHc8OEnc`$b$H(H+>@Qarg?q$gitd7{~`&zjgpT1TwTK>c_pgGDu; z2me%R*i%N!B@Yu*OCoQ?9r^@CE5{>~D1b&2FAo$y+nM=Gnb}oZMPBX++=$$q-HUW_ z>^tG1Vs?g0iF|xtOoFB1)MFePkiq_Ydo;d>((E@_F4MyV_t0(be~z_ zBrsyYb#lNN4DF^4>eFJDC8}FUQgp8L-t2e>CUDy}^jqi+ui{@1ScyZ zj_1pB4Q5(*RlUYrYg6544{B47=O81DF8E2Pp9_!X6OJ0Pu+5}8garelN3fX;Ue^@^ zue)DnrYc<$^)Zdkkm?f~g$jvvye#KN+_`7A$InLB!>7>jo(o=fpN{=M+BpCe)d?eQ9^qJdvS<#)|)g;_JM9IV(J6edt}SOQ0eI~hH?|4X zk~<)Wb?bjAzZ8KBITf3^bbzJ&aX{FDC7P2)W{Ci6g-s1T3*;<3&^U@-FQXbM<$D_2Y@{TRRE@^=F{6wgDV^$9cdNWud3~ zPC9|u2cIZsv$7C3wXMIoP@qUAgm2?9L|p^L?VpRh$NEFgP}|=`8l8&uEtdOt=0@tV zZjB=|wp**QRw#Pt-p6f2nS-`>i&VB?VE3!zxJW} zUwEFYS;a_!C9BKSNFmTzSNXlMRf_P>5Br_DbNcq*c3Jmx{?FpI=6Pt>*PBJdn~YZ< z!LJi-!S8e=jL0GfwCi2UWQr*vTZd`VxqUq{g3rKMtfd z{L4t=w6|#qXigQ+#@T8Vr4fc1VIrFox1j;m ztz8di%bf~uoI}{gSx^{m^~vT}NqpBH)1vk5$#RS6qtvA{Uuw9{M_Oad3={l0yVSoe{^g|{7w z-G%VFr_NhPWl5hZ;=lZZcm3lH$ZvYl4^3&gr%3!#SY~vq5Zm#&4|_%WWW8 ze>EVj=fB5x{r@P|0uGoQ_>|=Sgzu{3$zGOiBMA;Aro8C@7g)_F=@8hY69}hl4Hg4} zvExh$t~>Pm#PQ!24;1hv`1n1z?aJY(OTzh!qeH8jon`0YUmito;DwBNIEQApp7S^D zVr#)Bs4QWpJ9`t3yzO^`G*5D5YBu&$j5coynjEGGg%ykzwh=USM9@!hWhK3;rH|{h zrsjBF48*2!79a?ku7`?e)M1{uEunyYy1{7F-}W~yH|fNhSd z1<}w-R>7z5Eg&>tgFnv{t8WM;7}~ZmR+w7lld_rijQg6WcxDtP9DFVm7qRQ4!on{@ z>_ZK`^-jZ4x3mRTA&Gvhll$gAHf_xBhWC9e#HG~Ac|_ob{q#JMD1M|5+kg1*$V;|~ z*ax+&j1^c%MC5wSjR=$-+L&b-&MWL81ve%EzRj)dg?IBsmC8?kwy!1;5 z`CEY>&kSGa*yR?GcWO6OL3Noc@PsfvBZRtJN+<+wEw@N4&R*KmQsdkb5U^?dPAj9m zgr6+wPL+3-BQ5CsSlE7$8sESbziRc=6R*gdv0|XdOojaQEgt!pi>tIBqj>4Y!+Ge zia_XvVs#vNbSh@d;l;$~HF?^Z0Xk-iBusA?gFJ2W9C4ouM$$8QO4h!0@PrFy_Ek&4 znh{|-8SE<~r&7^tT@mj>Xm}7mzN*B3awyeq?FiGTE^?D1r^md*6#KIrZAP(OvU4io znJD?eGiVgQq+a<$Lzl}mN_*F1$%X59OkZMZ?cD3f536aE?bPBB)B3GjmK?s?$WztTEm2mm`XO15N(YCeq$KLy<@8RJ$#iT#n60u5% zeJWmRS@TsT|<=p?nyA&mQI4>0unVii8gr>Z+wal3bW`VCkc{4Mg z&_e9H4tM%S;uJ$*i#tlV21mQU3jObT|L23REM`2}8aH1P6x!(!_Ml)7z7M$5F8kn3v;+ z%%h9b2C6`Muwl0J-bgsMCyHF+8*aB~oLOq=nt85qEA5W2F5I@{br3H1Uzu^{IZSTB zyMR7%nlRbb6P8@{?MXl=F9lV(midb)N}Et2`mvx#QRJM(uN8&j@DvC+z--xFit70% zFb;jUHbePC){#`v$IO=-_g^bwUvpPeA<8R7$#m+}p(jtXGZJo}Eo8|!E#lg^gtOP( zs^oIF%FKq{jqu=i`7GWIV0D6TZQdxan7y@!wE_ zly+PWNIM*AU`c2FiWRyn^(^G)TdvqD@XpALcdg8nU6gck;lYfpvt??QW#5*|Q{$5E z7FEzvU8>|>HcEV9Eh&Tf;3stjJk_Ne2BSkAo1%BSI;XPva5~LFh8es;R}d?sU#S9E zYWGO7bM9)Y(sx?qcdBLF?j4tJ7O8p_s6$%&Z;Ia4i^Ae0YMqBkhlIN4^j-TVt?SIp zJvL5Dw}7zA=VOuu?i=^dhMn?zH{G%?f7~nIEbOjc7TES}cs}*UYU~;xj1(=w-{~}C zl5B-^nOhmpEv+)?ZM%A>Xk)35XJsQod}VsK^6=UHsQ|y#Xv(hTsl8SHm|<+gyZbK4 zFQ*(;&HOQiE;Bj{y%}{8_4yTYalvT58_dC%*5aE|=vE|b%jjg00J3-f$ZOJcMuzA|19 zPTWM6g*`{F3xX%*I~hI}9yQ`w0W%Lx03L%$|v|Kh0Fo__KKb zsBQO1A8OF%F?mze&OaRiMdmC17$o`7N9G~PObuQoF%{$OhU=bpMW5#{h{9sX3#lzk zmM;rY!U0U4B1=~4IQwQ8d?~x(rSlH{2H;`$;s4b&t7XRcZh z4k_=v#j1Z_#GhR*94$2U8uMKtz_h=M!Uvx&N;s&0VO+AsQ0&W39}Gpi;GzbD5R8%& zKiQm^0*OzNX#O!Qn^5{A^7S=HgR9qd6Mx-ccbEatK42rm4e_Hgk#Bgm5*e1&M7E>A zXXP5^c9-95J_32hJ+TU-1}O(sQG*;{o~!jy`2*Ag>>XZ5(_)f~wbiJr{<%ihAYEv^ zljSQGrH2;qkp#XO?#hov_7s@)o&hWMs)`F15alVcB~81@V@r?DjygiJM-Ks4xA%rbf0ten=XZWiw#4gTaQ zv^!IA;4JLKdzEo)`rn6NrDTZ{G+nZ;>l2nb zy<71j$MzcA;|99g?hhhjheT87fjXacE?2Yf1{R1Y$(M@cXGVtGAIW0JMb5C9aHiJI zrRm%Raozv&!rc(SR|VyFGS5YA|51`uzBP|P)2O6oU7Fj#(W+h6c|n0YyD{?)U1UW{ zA`9)#t|~-(6cqC+A)d4&kAqADAmwpd)XF?|1;yY)vly*(82U?hYPD^scwl?W^pKG6JNYrUpV2LCuFU!Rhgvic+)B75N0r9AmZA)T+E z`Q+rz^3pn1GWJVm@;=qd3UaY>CpOszjo>+zFoyoJp`Yz$~O_-8yj3wdC zLj+$#Pj!KfCM9i-bc;NIeZ0lIp-I(d11 z3YR?HEp}fr!W-AkGyF@aa&9nk>)>ro;qz+GUa4`3xPTpG`30e#DSMQVGpaMtKm%$*Kres0 z7Jj+UF8u?QVDp}#k;ZBI55Y^%oiC)$E!tw^Wg0-Lr8;AiGLh>>w78Vj&S`_llDfp zX(2vU5I19oDk#ZsdFBXJG0=D_E|BDocv<0ITM?q)OX}m0t3CpU*jP#A_u$~!>9}C^ z@En_%lcyjC^k9%Pws1-VGonFq##KE?5kw8T-(-ADP%MY?VqI_an7j@sKz2B4;Ln8 zG1Z3snDO}Px$<0k&^h+B6y5Yvk1MvjrWR=;k%V&bi^B}ZLdJ(_lRh7W3!)w7ux+OI*uB_+D{LQ>(bK*{Wk^%$QYyayy#tXa+d)r$z{w!~9B+&?v zyN#p=krQj4({+63pMTgKG(-X>W*kbcQkGS*0s<&|+bD`W3ydMponKjrzS#&PHRR!a zGYt`X!wHcT4m9#hxau~(oKb->&3(czjy2*?^Z?Qw!Zm}{NSwDILhC^WQP`eT(Q9Wx zp)?7x5vytV3K!D!FamQTO+ay1r$T zhwH;0``>l{-LiXN{un|$3g0xB!-dn@AG%lBLBf{5nzSqRyR<9bTfY-DnFPy3zy^&w zb95irlrD2roX^%Sk8d1&lcoT%#ue1|Yztc;g0NZRJ)8qxn5a;~v2dEnm?iWmjj9J0L84=|9IR;t(sD&s^RuEzA)5FS?6l8q}{ebRc|-`S7RVG)&%J^{AO zFE2CBtwcCQ7`yG3E|Kd5&7hyA++4{q=}L)36o<}YwHFe-!G>2;!z0PxjO=Gy%| zu1M|f*35*q>+JY>*-Lko5<{PNWom7{@M$N!o)d9NIoOa9>nLh+N4oA&D=$kNWpap+ z`*iB94a&~@f%+TDy1IU6W_%mWtCw9S$vr%oHXhAq$cVmBJR1yA{FPInYqS&_p=tDq z)2FAq+kIcx{NMH1*WGR6p9Qrk296vDaYAX!mH9-66NL2cU9PSnXtHSl(l?)%l5OUH zm1In!A?hw(VB4AvVk(DloF*g;NS_hty!&xu$jM7x+WXKj@n(u6w}SXqDOBzRgYFYS zu0DEtPl2V6yLNJ;{kwX?XD|G!p{Ad9`v*mn0B{te4XmMZAMXWFfT~HYQu7LbFXDZQ z3&aaZ9^Y6m!RdsDHYwCc+vhV@U|hXUWI<=~AiTJXs*4mlW?APQ$)|jKDSk+K%sf$^ zDUTT6fUCb%c3&#!TDti#TVw^W^E9b%kBF_VPbIZ#l*B;@ngHNwa9aX7pQOh)waTUA zfMv9|OSx^wqqpmizHgShj88;*WA@&X`tCAs7N$7#EHo^L zRJOx7zwiAxk-irP%)pp)srQUW-RzS0q$LJ6-AYiJw7?xAF|P!@;%9kDuOu8L#+=2@ z5ez!gEeO@sBpZoj58ryPfyS-%gH_2HZ}+)M%jL-APdoibv6j#dt%|9D*vYg`CfF<| z<9!F$2cqXYtfaQ>|H7>P*>f%stn4fzQM}?5Z&#U$f9iEahhT#a&-O8f;&bcoK;4^# zpC8xVr^L+jr?a({as=M|SQsCt3B1#Sk@-SzP1UVL)ef(xhD!P~w6{q+j&i70BQK}= z)4}a*JjG)Vg$w_hZ>McQXQLbzuropFAfwu*%Zzxcs-|h z`G6ASLBecIN`D~JmmA|I1#Tb~e42Z}#Zq+95{(*anrx!4Vc%x44 zqoI0aKQ(fn>1_7XPv#UIRw@~HjxR5upLF%F>b*@S7ZqiNb!Q%Lylm7gqK;JUstPd5 z6qlCx&%iqh504WB4=O^MI{pDf8j#^Tg@Z&TkA_te2n^)qXa%FrA3*-8$vpnR~Jkpeg;J* zClEQKOw_G5N<`WpwC;4HqZ~pwqckV{w5#4z2biu57#IgPeQOZTA#c*2@5*d#+Y7x^ zmCtl3Tbq^p@+;xd)}Y9?a>UuQv6MKJ-S<-3<2Mr9Kk7FmwTELR@92byw^4`jJ2Y4_ z2%PdSK_0AGne@gDI;dAkWmUA>06Pi-l?=k1_IPcLHrR0Z2wT@x70eb|UA7Iv@lSJr zxj5rRNJR7tCcMkWoz7ybD?x1Iycx7ncN&_6A_^~Ka#ldY!?fIrXo#KX;Y%CjFihXJ81Nt zL$~f_Adm!2p>c0*K-WJ8tvW**PMG266^Ra?SUhDT%I2xrbd237dQx)cd~1YS7arn7}Lu*KE2#BE?YTmc++RRMCI%Ye zZFhQl#_-^)BS~R@++?g}Zjq4Jpio|6Kh2n$E)f{r zo*+xIHx&QTb!RySAD46c^7q$7qpaCKE}6qK%lkQu755oQYSBRunS1S@=r;lAMjAz) z`S^8I03yE2aCae&aw4ZaXe{cgUNx*xvagM0@0N~a8Q5sV?|{4|@}if8vQPXO?yyz*S=- z#ki(VuZVHQaI0&Tz^ir|OD#nD`owsn{ikdsR%`9mZi!?nm0Vyqisg&(rrM2+zhtWQ z_IflR-B{DIzgFfAs;uR;gD}ufhYl#DP^(`bKJ!jQVk3RJkxkkSF}P$>CAzy7#9UeK z^3!Yf_+lF;C%}*Qx3PW35)B!57Xx^%e37}z%Q-&7J@tQ5elaU9{~-%)pg70;4$}32PNki4>HJ$5x;P z)tL{yO=)Lsa>Cl_rQ3J?U(o*NHVuq+!2pVV-v~kT=Qq%p5NrUssONM?@^sVv1anta zsReJ}PC||^eU8wQg9tMRAg)0?P8=5$I#_up8X>)NPHvJR&7BKXF~NRHYB=vS{l_ zqs+Rx`+;uuj_v&14US!zCSL3c&a&pp4K)@bph?N@Bn)LoKC>dffS)OcA2i;#`% zMrn#O3e;<8a`Fk)2EfIP9lenE8c99bU>-RnEPnkct6a*ae8^ zWfa~MJolw^LhV(Q#Pu)qbD~u(`vu54YfjoPjm1}hetRD4g-8;#ocB6cO8z%V()h2r z`b}uYJ^Xp6L?>07=G)!}jZ79;Jr8R0a(0hAJpqF6<{~`={Slz2cPrsDuufGmtqC0v z1jwIR;xfD}+g)q$i?-q^%d)zLH!$<*)xYda+MTIAZ>^9(g^vguZ+uw_8M+|*D!B1> z$Cwpwy&cpf!wy`!SRmLl=URDcWAkCp$c}lHLEPzf^vT93JV%WJ6 zv+v0j!sCI}L+iXw(8MQf^h5FlN(DxcRoe1?REI8&P;X@fd1P8#_rBKGdN2*!B|Y}I z7jr?Ku&h73hjnes&=Dmmu12iN5&HlPVCgk=vm3Ebtv7n52a~9yP4|qVlndti zM7}en5Hd-xWh^NXrU$OM0r!&7kht>&`{vp8oQLYk+oD_k?o-S+o zGk`6xl)+<&zWbshlFLu zGgh6mK<>HL1j**?;*~^UD|f_{<6=KL_R>)yg$6Szg;OR@JUu&u*$%>IQLfnEV^ ztBvSM_UdxpZD@ZjGiM{UWvcYS+W=F!qZ)+y)QNv%J6Ddh+o>o$rm6l)msyrWKNu;P zsZwBzrC(|gJZbnkP4V;>edXMzQ{G`Y*)A$j4+pp+OkIza42G%rNtx(MGiuS?nwlCj&?bM68$v?Y0}r>-i!b-cuU=G3ta%O{;1)v~-a)-j9mtDg4flzPYm+ElP!5<7?rQ1bh`hr6qez`|X2IPsr%YFmQaz{Ei3yO8_mynq5-@P|ti zFiOMS-}eLvQa(L(EV1YV?tbkv+U+J7;TvdXIvY`%XLIara9V#k)us-M5E7&+TIaK8 zL9J!fEWL;H?xkI+?j^COaP-&Rk_9dbAmVRfU`kmrMjsOP>wmp7g-gR|c_!ZuUY7eN ztjgo))#mycKUf+++|`I~Z7(`m)BLs_lg08o?4`Tq6uytc5qqVPz8v}<;af|^9ejFr z+Ice0I1BgFX01-sG%^e1hF^p%t;t%sWN&wmm zSfeMs>7<7$COwTU;9ssiaJW1)=SMDM*ruc^dh$ZYv_Por(2Z4|MOiXLNpDo@Ugf#n zH3M#Co~iB%vEzsIGKU@>e9=QCuWsP&PJ|6qiky3SsNNEZEvW3ARj}$h@z}8#Kj>QJ zlQcbI*4jho_eF|##F)(ppX&HQt>VfjY}s_I!V31k-knru#GfBK)35Y+@L10pi-7aJ z1%wpN2WXvfK#}paG>WWt%P^T-vMom6jy+L)PXp_=_G?LOf!tjxuB}~&f2mf=`nVik z5mCcnvIwR7m9Mr_`!_NgjwntHS%QE-p@|ifLjaSAg5oRT#B-9=Z2(qg-##9 zdVV+)b`B@?+L^i9)|G1w>Yb%gBDXHl^~lmIShw#fE$dK8yw#ZeO1XiaZoPRYX@`G* z7<{kH|1@j$U1@(5_OQQtk8e|E`Gq zCcMx&kW1irjE1h@N43h$NAtVl)7^fhMMosbiMv#W`F#t*Hf~;6V2Rwk#DpV;mG>)r z`CQf`GF3=EN$^CCnO1ni(wwP_=;{pQ&jZ}XJ+bA48a0(wGH#)x$GZpK zDZrcj(OrepD@{f(5}{%MTS(@L_3}W(?mF+|kCx7o|`Z`D0hFalc4EuoS-1u89-xi4d5Eif1RPnv)ihN z!u1|MI$aWALwGIFYCID^9?HSvyE^z>^4N~qQ(KU2DVN+E)j1$NueG27P4+EEGmez; zp`xo)tAEs`Y`jR71*2GL8_^+*-Wt;o=}`?SMxB8*k3M6u#ch`G|))n(54QVJN#VQtKRRruLy-`4ZKU>1tdkRHqs;O=shm(VJKw8nQ#*ETn@HWqdW~6Nz z_oxlk|32l4|7|rQpfu((|*$50<_@i3DlXMTMEIKVtIOpB7wkM$ zwEie5l;;Cf&Bs*I3LRYCSGjw=7mF2e9)>l&fEj2(S16k5DI8V!QCmVMhvP zj>u)JQnA0ZdAt-LxF4M~dM+>DNEzx!+swGhOVk`0uOIYjHNsuC8cq8vqrLJLRZHrN z>ePGc9Jm_D1C)UYLS0~$3xL6J)Cwe(imGDi-E)MnPjR5&txPKsunpnsaBB>9y@#)b z)Hks^sTV4qt-N2`Cvej8-+Jn+3&EM(Lg@eKsrVPP%IVqBoE5B{W>IFF?3%GX-R;{U z#a9~d!MHwsWWMKkQK~&?N79{8}E!r~7FN*$5zI zG>ieC!7Ruzh*MF0XOk_Zw=(A0jgIXw1;y8XHFoE1T5B?hz<`yGJ@JPXu6`p?&G_$y zBPcHH>{=eIDdZV-X)Ap%c{W~r*7|mq-H859UikaYhR)teCxIm?OVw5+#kQi#RcR{-d2<_`LxkvNX}EW-qlxMdNE= zwK1!#5B)x{hrD-BFiHV&xJ|Z&z*ozt??;2&Qk({QigInKHQtDT%;h2VxKOXtr#AFd zDNcPZpXWlrjhf2`^~Mdy;%=(0<3Y@?S>}HQB{o#;<$c*dQ5j?R=NyTamEW(47E|fst*GQ53o_@$9!+ zZR;x~h&XQSpw4~kE4q*V%yJETY1msUK+qDZEi$#V%T^$pksH$6IFMwP8kh)@A+BV= zJ@BkLleB!_FO~xV3VO?H{_NcJ%%+xWb>NP)w+!RabSJugMd5_+3jfpq@K#^FQOSD|9$P{<=&UWF>k>qfTR(GLlwPHb5? zATdWfx7+t0It0xeT^(>_zEHJ(oH$8x|K^3U9dMj6$%xnjq$eB}IHsz%5pV3hZQPke zRsI`6V@qI9VT*4-#?bI52yc+Cn8r&1!V?3)8}{dHtrU0^+f=<*O&*I2CUL=dcja|M z-SqPpMUCbkaS_T0+dERH!rKI1|2`43QKArR9Gn*r;dzQwa~ltS>17VYduv%7zqz;( z^B&y&lH0jTFZ4|zI*f5JZ&1neJ$~Cz1)PcL9@9R{X>C#kkFqe)+jYl+_nN!yAuhDfGUVZKo7S@$=RD z1!Y5$>idoqaZC-%Q8JMg5Kf%QXJD~lPk0E+REaHHjvZ!V=)j9Mx0{qyHxJNaM07Ul3kZ8bC}fynek_g;*<6kg>T+WJv#${@0)5_<5jG4 zK-KL8n>FGR<_F)d|0tNadVlhP)uj5#bL$`UxonYKGUt|(Gm>6IHWfqen^O<+DwG@4 ztZZ!b8^KmPl@%u{*e#KZAsB1byS6lN>9MxL!5eLjurw_l?4k7kY@Yx6tf?g&0C;Fu ziZ)Fh{s70*ZsR)zgMO0wu(e=#NHEW$rym>l;nsx-v4@~YE0zL1Qsx7Q=gT(ZLzIytiR>o%ydPVjnleRCl!`yHC7u8$a0=74dpG>RPC#LGD|U7W ziRE2EOv-y-GDu@49O?*S_Kut0AWXNOuCf#6nnsL#dvZ<3dE#BcyPlYejoiG+EA*C4 z83$Mid;0J8VJ3R*I9HXuHcD_)Q4cZwcJZ0SCh4pxY}VHw9J=SY3Ti# z0aWbeoM(+YLY`Coc%&_m-+0Ws%w@}0XipbMv)bFQKb!teVF8ST5r}CnNQ!ONZ4C{rnnX2m!8+4sgv9JT-wXk+c zh>0oX0dlUf(QCJvP?&8R_xdX!_3W*fG`~OPzFAPBP27w9jL>_p-ET!2eecrR|Z z*&~#2n!_6Z`bT1BJ0f96SMWIHv1X^Yr)@?X<7dc4P(*Hq)|qhwjU5rHz5N-<0`u`k zSmh6fpT)nB0Z|b~js}S9 z)FZE>7RzOpsliM>0(rFMC^lmAtGA8;3ESUU5#PM1{KzHj^5ZE{idl+Dei4#Ju)M~7 zEeAH%Z*lu?j%7j?>w4R6ZxkIMET|MVcL{8FPA~+vqLrwP(Vki8xz{e2X4PfeIj^H+ zn*m%0y)(W+c;M#mQu{&!;9)T|;G&iPHWmZl_M-HHk2l#vZTwlDBSODXTY8XUpnw30 zU9!)$-&qpB59GAjeHgnl`_;3pb(!jjSmqd^`OyztjnTSKC?Pb$3;}K$tMSspK8Z@N zT!cxue`?h)wkTEyZ0uvwj!avr<@-0NpDO`j5+fHEa-WLspXh6~5eIXaOa`F*$h^sVLW8?@Z=#ABK@9QN-lCyxmu=$j8#GGP^ z#}Si;@kH~ViZt8bVHd~rmwsQ%DJZ?TmgBr^Jl4rh`!XCYYvnoKrS?}Kg?8TWb2;v| zmkbggS#C;M&?pw^0r^KwMUA-0?W#qx#VbvkFM+xCG71Q=TT0q{B<@%4UaMC9WK&oKIBMn=utbxn7-i%T*4Km9jow=atPN-YCl-5kTe+yLL{Aix_qb>P zBkA0MD5cEtyhoF2bTF<2t8QOe-gMg`4#Un}9vrycQ6Y@u4c4yR_|Ja_Bg(*}ugND< z%RKqdE&%ACfvz^r?itA33bZv`YxU2kyYX!~R1@TlM4ly=)mnZZ=jk?vYoBHtJUg`` zNxHk&`6UCl(bY=OAv}5 zACJ*kPM_+&BE={sVKb_?i}q%}(tH^mf5}#is_RVrKdgOaSk&#-FCYRcFoXh142=cI zgLIduw1{*K3d(@w&@hyQ#Goi3DWcLtcegYsF?5FmL-)XN{^L{Z_w48FeVyz5;0Fdi zICreI?zMjLDXcX`k-9=~zK$ow>pKZKL)6^!soI((ht{iuS#P5C{9gh1eS%N1_Qb!D zk+bYo!K}3pr!MsRNOrz-OHDi;79Fn>=gpvyKcEN}x+#hn(pgws(M^(syzb@|<{yg| zdNg=7^hT*wfxFJG7skKC&Xre5QmzLx{tF(AH6%X_6%Q7 ziBIV~(vg{6{E~iju=)>sr;Fb^)4J-Eu`_#j>sLiWThGxLM-z14+dk$1v@(0M;2xyP zO|!WHPSg9E!J*7Q9+jER(DH``&=ClS?iF7HuTz^EN!+HzOMIXOACoeN0vaFI589A5 zFX{$jrgix-)G0@A0wOg|F2@=NM>Q%X+>#U&Q2>)>3+Fbqk#egCvr&RcA4_wJ*x=>s zI5w|I^=L~w?7T;a4mN$Yatk$|P7B`qB0fJ8`^dW11N4s{3nCaoC-Y0Mo2^4k0r+TKpnO4*J()16(I}tsA4hASINdgjQ9Iutrk+UtsG;9Q51xeoShIc;@ zLZ1LHB2BpE?y&SvKjfbpCAs491v3h>KB#wL{E=41?=rNs+TU|(MK_R~zndyfAkJP_ zZ=psmCN63gayM8ln9`b(fhg#M2O1HX-*d5G=R3k*NInwX531WLq5R5uZ%LbXb>0H8 zuU>0?Uzc(z4atcE{D|_590N&#Zgwue2!Zs;&X2wCD*UfFVpV>8Rm1pS;>%y`PUw8R zA?dbZhTX3_O^S9MeUUyQzLFDdk^K|6c+hL+d8S}MghN#Dn8KqSM`4SF?dA~`VM)4F zN#craFC6B*DWPa`kqud#h9N`=ccmSx%0S$MrcyPvIY^31b)(WKmNw_ug$`MA2g&k+Hl=_hucQeOz=$NS0A^qUYLFwlvw&5FN6kP_jeEUOBrT88X_o5Z`xw6-8K@baOMupvgctE>91YqAm z6`{_+Y(V2!9C6f!ZABz`%)SL^P`j32SqhpnTr_DD(14=Kw-^kf=DB&=_RXw@R?)jq zTO)9gkPAibhfr$GgY&AI+HC3q%S5l-LXR%75~_qB&HOL`D6HaH8i|n2(70fAzE4+; zPoDnBxt1doqMS}I&*wnnh302Gp`PF+F-202gtOPG;A#vJ$Z_NxAk0m10T4 zM(RvcUV!R4>xR3BObQZ@%WQs#!FMT-7hS8C`wIhi6jWi`A-Ok2OzY6|)Y?hokJd^G zlYvbvlw5tk@R~_KN$^p6pHuSw{i`p|FJ0M|$XE^6Iax!Q){dLcoyM)KmlRf`kB8cM z7klr+Jf&TZX6a5xvR<0N;G|LGuUksQ59YBfgYDTpV%eUp^6-_TZn}iF$?OC}+JnBS z|3|BSgOT7Q_Us5&_Cy}vB$#17&!;}@dz^oVb!h`UG;=p}pX*VQB~C#C=N84Wc6l#O z;j5_4>r`QXghx*QjN<##;1eRnsB25@T}uwggR0W-ZZ_ksd42dyO5f>MZxnXR9}gMC5f-oeKOml1Mzp3do7x^ z1n&SFC+;yBhpxQ~zigb2oB$gqrPZ{^dc;aAw$Eq4)aqj918)d*H{Qo-5E19KYh}p` zb{bES+@-LlX%lB7AbDiOA6~*+a!9=4OL#8Fb$#+DHE=t5#^9#_dl7a8*XS|rM;g8a zmw=(40)~r;=2feOoi@OO@x=!fzKZ52dgia3jeorU>k=P8p0aN5-Y81piA|}sSW&_h z%^Y8`8*(31incO{yjsQ`{7JdHLC1_?a!-rNG1A%J|oo{(h4B9Yx~r>lQ^Lg>P`s3q1zyM&DTCy4U*R z$6vNimrZ*7W<#YmbEZv0O|J}a#_G#6`Ltw4dW2Xh@dxS)p!rR%`0UB^Lh{qXfZsPG z9~XQl}Fjhd!M8`w0JQpQgMSR2)vNX zN>_XV+d(Mph^G6%z2V6LjyRfBbt47wlT>8!ty{M|Lkuz2hSt#pZifr8V;Nd$Z#f*X zQ&)72%y|upuOED?@z^Z{`a**3D}AW}N%oBwhVspu=3kg6GsM_Sn8orL7w2q_T<{g5 zED!-u&E!|H!6&;tKd-1y?KifTJ_p>qxIdvJJLWrcvrM14qq3v34R=CfAM@}}nY8EK zEJI0JFa7zej_%<+ad%jzm5x=8if1lm=@%ULrEAigv^CT3-ygl!&?$fFuvPN!GiUxC zJUsT*;mXm-zl_a7@SD~saWU^X`hwX@g3G<3`u>!47Ydn=xw@$cTXGwF;Suz)H<1eD zK3>fq+hB^z9Ff)Ku6o=w`-ts!Ej7!9EXpGE+w_`{qA%Xf4s5rn(V5(yx~9&9=8>>n z(Bgb`*Fgz*Ff9))K+k*m_N)1^&%)Us)Kq2zAU_C|qG<1T381o+sy*KFOO;w^Gq)^P zH$Ol?zh7cQoY1u8cwblc_P<5#@!<2VCs4Fmw6UNMnr)|zWxwq!u6dTnC-aU0DUn&; zs}BUCE~|PgfFri3b%pcV_(-G-&W$%)O6F)eZK%v{iZl6|GT6IV=(#4Yf=4~^`BDnJ z_CgzwO~-U}jdd`i+t-!>w{@ky?X#VMvyIJv$xN@#0mq+@X{ul2>?BDRhVRJ8?p=FH z0LXZ-lTVHWq!WvTUiC}lmX1D9A7RKZX+#NOm{Hxpy^^HBXa)z2!iZyaezz#jdrmLeeMb<4+p*IY!i{^a-(FO#v z3dXUb2woG(0)8z7tJHWv@g6oUoTd`GF<(YWSI zM!U~ql0IBRYw+fl*c}2sRy_AAn%Q=Gha!Ly7M-8R)uacsVlt(g0Ns_6n3o&IyQWEUng`1F1gnb|5Ij*6e&&34Kx2EnL(Dl1VJ< zoQn$F5V1k!H()b;Q1sumaN-o!`K*eR0EQ;D;B&jzHf$P)2*USH5e7#z86Cch6b{dh^z`|;k# zlV^UdJ(_Ch7gIp%Y(BGg^?=iXQv8$tNv0a}1*kP(@(~1i2lO_=k8ZJGY0Qh01uX8Z z>ldL6Fb{13L(;<7bWg5{N?6ezW(@j5(5j~xU(E-RUxlpXmYHnj*r|?V*Q(Z6k5=+D zW_9(<&sQDHhTV!fwV#9y8w)@0`&hj8CDz0m5H9knL_TN%0#7J%*yT*;@a$2>Q!V~F z=5$QJBdL7a>(*4}*&X^Ki_g|#%H_ASRpRai5fW;$<7k>W-$cjFhzm41y>7R+Px)s4 z@s={wrdcIlJHU^U|Do8dR(lXw3%*duO`-)y-_XGOU-1S49;zWnD@LeqZFv7HEnb@r z^HyX-yj<;G4#O4%$LONybeI(aN6RXGUi_@7%-G8U7+`IZQUNP2{n?yh1WZzLC4F>9 zUaymWAMwip3k*15WlLq6jDwALg-Eq~f+H~K6wCwgQI^coCz(wYmGjo}gPgteqb?Nn z$TuYoGT)gC)5#u{F&{_Yj@(*b*ManA&7wiBiqlS zv#0N$m$i!@IIf~~QTw%L|E3F!Z%J%>>L0z*i+V4@y+Zd51%zn69kRrZg z1ulewHVrC(90w`R8~NJEBXm>JNj-?*a=lxzm@{SDA~j`asv=2q@b%=Yb+Z|v5u((~ zk5zol=zUR-!;BQAHbS4K8ysx4tfbxHn3o?2JJ0wD_xelnUUv@8A;5~JMY~TqUszF@$Aewsw*fTppt1Z`n5n!8a zsfeH|K+n(cz9;zX`u)?%|M(JLA6K4ud%2zsC-1J|mwR4yrZ7jLamNDRmH$CJ{6J8W z%Q-}7mhZe!Nh&Sk4y{7t+%BrQHtH~|ELJT%YA(X#+0Ny90f^D-?~OS-1sgUN2Qp#$U&8+{5DBgHPj zII|?6$n_taI%iiNEsl>XE2iJ}m(IqO7r)OjMF?Xdi_qd1eVNZxQr&VN5u zsKatw;?^t`w{oj=Gvt=qe+JccR|HMF^XGMwTE3Tl@n*=xrGNp+qs(j7vIdcy!lkXf@ zw9|Eo2@L3(dNd26^7cOAvN)=a1ZeZNHA#t5eC{?|DD(jot`0L zlIu<*p)*tfvhKKa>}A!C?8(t?5fGj~uNb>d4DO9sr9AB(S+88-W0Z8W*P55vVq=KB zD#)D+2M}2!KrNDpgc>*yO^;J2v%GXYJ`T(K@o~YRq*&((A5X~F)`#yd&~lGPnK#)k zgE(yF5otD|T=9C__DypJ7~M-2Fle7F{N1e^)0StK{vQuL9RQ>>#FlXrI3`eM{~hgl>~JBb2gVo>*E`b(w54CzKxau+kC&0b+XkQ>$F+ zf#N#r>^k6G!#01NdoMLx*kP5P(bGJJs!4n;LSyMI%l6b$i+js?mEY$+Fbt+?jDtP< z<)huN_{rzG{m9}?kcBjPk=sh{(Q>>s)1>_u+O790*>32d&(=b=v_OaQFe@n$7{)N5 zs|NI9noIPw1N5AUjjhbpcpWn|fQoN&9vHjQvZX&@u>Go*FqA!BY<~<0Mv{WP%$AZ| zO*~kW&o72f+K-t-44wOxFkOPZ#XvS~GGmiDm<|xOpO(#D9hoZDWOit3`{I;QIK~02+j;>@#d$-- zJiplnE*m!SRO_6-FbxQO*2fD$W1ow|jz;jqg%#Pejz$P`U{<(_NN7CHEU zUq2k+69qed12th{ByjvZ9|3~QyBpdV(|yV3P0EoS?VWrv;SMWq!z9B!qF&Q~S2yG1BH#G}dh^%ZffMzG1H={ZMb~Z zVfMot!ETC&%ZDM31*V?tG2&!CtFwBUGSV%A*>%ni#UX7$eWuvAYP%(0`7134xj=?S z8V(JKqXpCo)y|fjlb#h{eBoL532$7Hhml$T^o=ihkz3S`dgDdfggluUMm#K-Z>>DC zh}Jj>xIsN=k?LmY$lxVvspw+8IkTH4ulq9RmWH6f{pwaa5GI;o*X&-1Hqr~lO8DD0 z@f`qNM(&gp10nNeT5hJ*C{|Ar|6;``@-opFHmD=~>>_;lok{=+g-we0UIAW8{F?Cm zm4%8+aEGl`ehreg??_{bm7&}Ot-MnFW>CX7-}~%st(>E=>U1 zL7;8r&#$GMt&C%U#HU>jb^ZrYhffg<0*#aIOU(HE?s&;)Ht_^O$7_HB62EQd?IKkh zq|n3#-z%vs5-+QF%aMuS+9-U0NSMDbb1f0i-9r`iYVS3ymiHuyquv;Ua`eV||C^X4 z%Z%5~g6%XNl%7p98Ep85Sri~C`iF#gj$uBO$!>;m0AE*kr^T*M$T#??)X5Fs$ zWT!;Z9v+1BUz@z_LNO9>W5)SSn8q>hZm{WzEgnQuf#8TZLj`0+(8X5rxc7z!#>P9TF<7t=+1pouHc z@ZLw$dG$V1ufgtnW$%%U8yf?pV5 z;s2)Z*v^F+HiZi%gOI92Kv*^hhn2%cZul;9)Q9i{`LTdTLceg+EEPO4DV6bkbcyex&?V^XW%G$x+&^Na*G$3B;KH{-a&Buj)zG`%`eZW16Xe z6{zdk7?2}ufZPz=Vx$`Sc0rWz4t&{R&c#p?o?%vja|yrXbC3Y&h( zaTa&n)fY2>3e*TBjL(uc_62pVtF_BNP7wd)G;8Bykh(YJRQTDDB@`*k%uc{UM=8Nc zo=gxF@|ccpi^olrIbD+Be5R9D5q|yOX*U}qE0aznjoiM)A)a% zG`+86kwMFV+Z)*1D}r7;_tQ_ z6hAk|BWj+-8siHiDA1WN5V9tohbaR)v1B;zZEA--?#!cY%H&~rmR$x-SRSk(+^7MO z=&!dWKbVyODxn~9W=mRl!rgSYdt@Ywqv;_pZh>P~>A}?3(cot(UOuZbppq*@am~myr z{6h#pC2_;sChoE`07MfI3mxFtM`)S|ZtLvHkqQNT6L({gqC-G~K~rQ6uP>)Op5F%m ze1lu*?4phY^ayw%j1Ejh1aT$wvxGYCa@`4O1_P>z1vVONt zgsQ=*31HkwenLVYieNgo%HJ}ep1;AN z(K<0HlQUgkm~JCUe<-r~LXAm5sDPvSQ#KzoP&BCA02p%gO1}rp7YEbnpqstLF{VNp zY8pX%pP5n&RimAMjV_B1#x_@K;g%AXC#9%Ppwm#MS7KphEd!f zM3500X|FdV?pFF_9PhuFCXH?h&)^f-kyl&{gQiBOdF2lNGGKg6FY!sRz zNz4wwn3R<$6kX74T>u?}8~E30M?n1cye>cjW{KoapiaisGyrd7mgHmO0lu1PRp^j& z=1v-ZjSqhCk0z{Frz~nNy`zmR9(-aOJ<3f=GaXSjWjhB?jzR%k!}Ai@9ok2A|H!jH zJI|{>R>VK3Xua1lXHL2-h6A4)$AM{S_*5gH=+&-9T>6o_`ugVYW{#nAkLjEhnQl5; zQw7v}Ln2Jw;{$GNLe(l-Wm>hcxk?PJ`@I8F4d9nXq=9dUTCo|#R8RCbU+Wif2)Prm$tYmQq z9Dtu=;MPD`iPz36BjwsH|M)$2b!>ekRr<-Sa`6+8&Fi!jVn(sTOc_Dx)oWQTInoD@ z0Y}GAUd}cufd%N(qJ5U>c>0CI)4nR!>#X_p{#+Dh^Ru8uU|^hO|EKt86drUA6Qsi z8?SFiQOaT2f|BR@&q9&Yt>IJCLsYuu{?NME!a?DXflNsj8L0TQlgB`MFU?*p?38O`&2y#)!+N29PT);oVy5-vfL`5?HpeO%JIRdm;5>B zV?N+~0Q$k{hY-1OM9nIqPA0YldpBj0OnU!SFE|8STK7BqU>6-H0L)j!cCYnh-TQiz z=tmNP+mG(D7{K#td~Msdc&4f2K^ybf1QE)o_YD;R+`dJlgTD3{TvJRt!;B$jssC)Xc2SO%xc&-}XFQ4DUp``Huh{Nf1s;R7jtI(Z z06ElUWqh7RTjli+Zo~y}b-GKv?JT!!sOmw8LVjwKXJh2D#l+EOL&RH&ucj}rK%G}a z$LjtxuC&U4lk1pH#zVu(7i+kQgZtBSdB%d;G;a7I1B{s&+_-JD7 z9I|H5;2HMA*zHY$ytZS^XU&71C}y}#A`Hs&h@x{ z;c?6hA;qtFlPx}Og2=rU=7YE19Y0b^onl?))XLr!^&Gn8HIJ;jD{HLlPP!kBEc8_2 z20nl!>`%7_l3Z6o?c)FW=qf}44tOB3`4pT$zW)i42=08_tg{&YK&nh4X}F(%$Fk|QWSn>3=^4PktOJ&HXCk! z+k36xiJ@n`plno;j4-6js#K;iLb8q0rgL7+TzLFouZiDJ!%zs8czwt*YaSvH-E>aqt87wqbhaA3w9hzB@{aEOmb)Q_d z@wk?V$cp+;ioy~08Bf|4M*}XrlOE#z(}$DEKr=^It>#ZI0WmVG2K0&|rDT&0RiLFT zBgM6-QxevYj%t#$-UuiRstMs~b+feg9Ln1Bh+p}j&oKb0x0$^#J>pJO&MxrkStTuj z^43qwl+!`SmiIF2@~)X>yUYf57{-S^xDB3;U6Jwe3X|&fOC5kX4JG0AK@{KsJ~Q)ak={17Z_odCRF z*Qm@hodsJG>&ewCiXH*uk;8kgnDL>8dv;jHCJ&6bC7)jYbTui9*`+s`cuQp9f5*W^ zfSb2E>~UiLLU7=2lpW&2;D8VtiRHmq!TK?KwnQb(9QGphkp8H_R92X(v(J%Kt@{ zXUAuGrB5l7XS4h=KFiCNUj|?>*NE#4(bE^q%2mk4G;}cc9Y*I}+uyLOe`gYR8G7B! zZ7HgO%q2y?h z?p!zp`1@XyC10&@@@`!7J&T7d+@bO0!q@u(JqVl?>!tw?FcXN9;q79+`*Ic~k%C!V zrWM>d5LQQ}!VkZkL+zNOEOWeAh5X9bx~+dn;t(}f6KzKUa}ou^-tQ^A11QF2IuWlq$0+Sy)`?kvM(Kcha-p zx&9LCoi_uGl&(G=v?yE8P5ZabYh-_$b;(lcy}{=e_I{1CuGNw|WU3@Ytm!7t-s`Xu zOlr1`iyN>+H%p4DVD8+L8Rxdy_!8n2p|0B5%TDt0$|kvmAv0sskq+|!fMhSpX}jhS z@e=OrIlC{pXSW{#Nc7FW)hVI%6x2rOL2`@-dn~;zAyl>}Cj|(7)UsR4HJfmSB9}QI zh9ML)62P%vKPJ*1Os29Tulz`rhcfjgj$y#gIN2ta;39^XOpiRG50wG51?u2p<-kkFh` zJ-V9z0j$R{HN+u`!}X$J=l^Z`Ik-2xK0egCIJsLzicTx@!O}wEz28P_;sbh_<~AIJ ztvPZqEe2J>L-XuI*YqN0G%iK3mBco-8aMz*@Ci}DbM<1Jfx_BBBi)!Z;>|2pPoU1M?%b2eSfL_n#Sb*H0?8wJO6x3DU1TG_;0II*>gI%39 z`l#|Hbk@lhZbJskX^9tIp$+SqysGf0eWu;;pd^_Dkb)T_#2rEcaRxah4g|s=f@NP2 zS5?S3*}C7Xx0SdE?RwBa;m7_j;VTvN*f^5~~K!jKCYB)uM zM&eV2?Tm=E$yF`2B+c~PRQ1ymbX5@y z0^+Y8=YRy7uu@(|>Gse*I*$6=i>(jy61#2XF@3G0lD1Lj7Z4>rp6#KH!Qax^!9AB< zuyan2OVVjC4PQ)g2a=Y429I5~sVjeLCAWz~3UUIGD7YUsaUy7#jd{=&_sW0nij3+d z8V^Ipq;qZy>{3zyXxVL*>03Ne>O_3AUbJ|~iGH?g*WjN#??+_lkvO-_&Rq09Rhm8$OY)9g=@k=HjNP)mW_UPb`9(^gs zqNOi&H6Lbz1m<-0w1IYhjzIpkrW86R1@y;vE*vbH{t0F!qze18{y*T?S5Xm zSxIpLrhVso5f9<}!=Sq^L86+y-WJLmZ>+pA2k(SQnH_*aH#4o+YTKwaPT}^+D&pk? zEL+-Qrty{2T3t%667Z-6j>sT?toMI$MD*}SL{Czi_skKAX8v_V(mW1P4Y0~Dlw`iI zkGVn~yah18d;kX6y4`*Qj{#1YyT-VA(Z%{s-;B}+h1)K+2h`Yv&Ul7q9N;qg7XtW1 zieA_n(sqykNbgdDSQm;Jun?@WviJr)v_nxZ`3*AQc4RH?GryB(7MX;T2_uTZvaFJ< z(oZAAkKhag!abutqC-ccI9u;;P6N~D9)ayAqIXAe%R{cnuX5nhlCiov9`9u+yhjN> z%SH4lT3G`!k+S=tfMfKV(mI*%?uBW6pdNJliUd&lusUNG7UDBe;%tHbSAsJ8RT;7O ztLFao5i6Oh4?btv_fz;v5_)MfZ=(SpIrt@G5>0x?G#JhX9c=`d zEB&HjLgzL0%Psi47m0-We?fL#@Q__FQH@lhnSR@~E`m9~cHlCe8_~lSa8F9k z=Ck>bVQGU8v^El~nD<}YuDH0lmK)JDgv4loUx^RB+X+s=4cKC7t!#8WmqtFK$GQ?k z?C4s*4d9FDOf05w`^;DUJ5>D3wW19LZX0c=rS+L7x7ilQolr90V4Y%Q-dwFxMuV;Y zeDJqef6)2hP$4Fsp`&T>_SoO@;>FD)QuIh1DA7ODEN>y(3u;fgMOdm%+BsOvOY4Nj z&lO4X+Rn2!m%{R|_I5o#8Az4E_N}pumQ)Dk&_c$C*?%naFh)o_IRp`0yu%{$ml@ep zS+9`Iu7ij)ZsA$ZK7AG0{7bCD&^KYIb19q>&>6;?lZeLfs7qRTS8PH~BEBSJElc5y zP~LsD$U|T?=8Eb(zYK}Px-tOaz@iXUWBg61oZ^!J{hc!Yp+$BFU-yZ=dH(gunTH>@ z3_d55J>0!ub^+*elBHxWNHiGw_kLkEi58hD`Q?HYwKlExpf=k&9e~W*@mdZwKT<(n zDJ?Z&)PSQqMhb&A2M4p2)G*EMy}t!Z1Hu0^YfltF%nHO@%lT07Cb+N78}=qixIQ^i36c6u318K`_9?eH zTY3D;nfU96dSbj?H1WB3$G<+3rHY%!7sAt@czi*5n#QKVA_VgJ0Y!oJFnOai1%kl3 zz-cR4Gj@=~itr?i(NKY;rT*t5gNadFDQw@5(Y@ekrP~UR-V0@98=DHjCTw(=9{oh+atNRvygyspl~&rUWJ5VSnt;oA)hjhJRe8{7tXo2# zjYqE5h+Ez^Dz^uuugU-$r#G2__;m9V`Yi9vcl@`-2NiJ)7~hVOvC$Sg8&;`*h1FOf ztjfVEOCmkd0J;?1aW$Dn{If)biVkK3z!%1avQ2so=jL%q=rgLn_by<|S$I@(lKUbl zb+$ktJl9&|TN4s7y49Pbbf@xIz;XPNpr=K#e6;{-q7H8iWQSc@PfR;$`jpnaf&h$x z=GagSyHXk8b|DAAF@5x$g%yh3WH`=(;?nfp^odN4xfJ=d-E*d`P(I z@HGit@8h#I$x~&sx6}l7NVf??QZKG=fSuq}*62_B7|x9bb9vo6;bL6Yd9 z_Ncx@*650zEdb492eGxq4F$inokj5r?=|L7HC19FdYv-Mjzw&{$WC&zCwrRp5Yo2r zRSUZKa9!e82AHq8xoT0Ud`=OMG9L)%g;|As!rurS-M0JR;Bd{4z!LJ_kcnQ+!y%ql zFK1FQs)LNCkF`P=AU;D2zLFFylU4qSzQh)ZxbNjz^UUXHw+-Q6L{erQDcVhamcQ@>RW!FIa9TXVRTX&h3%)PXR)>mN(HszPPa|@QRK)4=XkT%CQ8ha*eGj zP69}iT~DKuxC@EobsPJy({j|eG_taio?FP>KEB?3Tq;wUn9Y}g^NYX@ykFKGlslX+ z_EgfvgCUokBGdpU568+4cRFkp{mM#N-QiJErjYdu5i#_<(gjRw=CJ?D;)Pv;uY_UttpBQym-PW#_UK_8^(;nC4eLqiwH%`7 z#%;6KiMR16u^LNpv*@QjmL#mUCG)KpDB%J!?#W3Z_P@xuukac7)l>ADjBIAjdZ(St zS43yPi-;kTMw0u`0Bs+a-yUIovXwCH#b%$%O4H%WKEwuq5`nheT!4TDN9z%KZ&>{{ zM9SIvdo*sf1=qC(U=nTdm_%vk)d9u)v4oM)t=8~oK~sZMb=?cM=c%)6vVbm^z)@GK z;4!PelDEiDQZrt+QAt%sJEr>G6<*&Vi1L8olO&<;#KboXOhY zc6ljM&O?u)h9)T!#E)MaTPBzqRtz2ktpY^T81xI2NS!g_+Lm`M+NivkF!q zxj6a>DV;e=cV7G&NC5!f{G3X37O76uOXOUw`224VJZNRgRmiHjg95ok)t7VY_&lKx zd={w?aR}+lTFBih9!O@ubQ@n=2ks!;s^GXC^ ziGpM{9K^gvTjY*L6|gOSTPoCD;b=97??Y=h57>^_cH}}DUQ%GI>Tp70uXmF&6{=4{ zo2+<`52$Pa@MQAUv5Xc-nz{{52BBOxBDiO9Tu;S>qx5`)s1sZ1o3y&D8lg&9yPTwC zk4U+U-^U&QYQtU6E$p}% zJoGb0d=069qZ2gZK2+s(&x@A;pm2ve8!6LL)TG0qUS7@RfWZ4iYE8VjI(@~#yxj=c zM`tWW(t7Ni&--6UxB?mRJ)Gp+@(cK(;Q>QVW8QRRQ-tRU?t zjPPd#2D!fRjt6!k21I7Yd#lat1Nq#Wd(n(vri2PmdV(C7c--4_nabdmw{x{| zV{#OZAFj@`E|XQPHN?+zU{ooNQ3ILJRCPSP_?p0>|XnsAx* zh>T&g`A*+hDqjBEmIbN1PJ!E3gR>>O1W|Md zfty6i38~xp1oXSmoBWB*B;2!I7yMzDK=Rc8Tm0wwaE8H%|5p#qJ`I(ZP8TMX5 zNoH116WC;4%(^j61F1ZILMl@a_tIw7Ruk+)V=B^ydmk*Qe)Bs&-Zm> zjhSs0X*8sT14pEHp5^9EnHbm9l$^8+4sFkvmPG;`Te&zi(6N1d>OTTM^9BFmts9D; zM29vA=$!fe9UZDTML?sUpf;5f;Ixks6N3C`TcSYR$`7j)Wh;!kLaOPFQl?kJ}>+zcGsXI~A8pbOm7M0cTgR%LDrgT79-rg3!9%)}W=_}I1X z-(gnLmLx_zP9I93(Xwqhy^>bm1J=8htIgN;Vy%>mr7G zR+BlgT1_}~D+okjV< z;+LAQgUp_*hL8Q+@+HEk5hl43?uykn2Fu8w{Dggi?j%D4PuKFGxo9+mmEaoGcEA1F z3n!y!5vK6>5RjzwW*X235&I6qGjz355Cq-tB0>{;)MxJJt=d zYQb;WT-n@r=}p)0kUUSD*YI9ClGvrPd`U1~ zIY}TYAwodZKJXqWQrF5ldtwzozJ1#Xm~~Ex0odV*LO}eC_v&Sp|8$ke@l6qhMjDGV zfB3}UPiz5lt`}CX>p#!!mz%}R|4^FVh=+vfx|sT{=8{{P?(phb8=K0p+GY>m7`8a}Zge`yM10Q5&`LO(ZX?#-zCduY0;i zFEcyJf(lPd@sD7#-Lq;9o-pUN#7-CS2|G6f5T}))0$Z-J#8^NK_bK`znXk&J%l56* zRrO8VlT93nUHz?Vsb1%&IQ4zkVt8EQ zBjCpthr4-jsd>650Liwnh0gF@x5!jA4(odgk4RlWXXo*`0_wa`J!--upR)@ZNEpd~ zA_V@aVBo;FyWX(BFF#Xf<}m%$q{s}Jd`v1r(5Pj7zUO`Qtp~8yJ58QwFlt8XLAXL0 z<@j}HOEK-%0&d-xIyzN)Hc=9*8cdL>RA5%8z%%4^WT6mOPzBy!W6`7Sg{#_Zk4nWE zDu_2M`D~6%70t9oPN%KKwa8oWY0{1;dfE#wTV|?&hI~KvDu~W)KUCgtZs^P9S7`I- znz!JIspz(yi^yi1FwwgNXo{ZH=e)rQQU{cSJx9QBI3INXg>((I*V?5N8LE9-_*_UT zosZYbpnwI?8h1hqCH|2ajgDdyw!h@Xf^o~~H6M*#CV{1%#?_Q`w4CnBEF?@Fm3C71 z{)uUjnLT(fU=Lus*O^xULM<;8*?wuRGlo_}vcL$?wl$tMoH`mRobtf}Hzqd1klnxj zKJ~$xYn`FbZni0G=J>?_Bi&U-B6?FV2eI7&?br{;1L@Kw)o7i(n-Z(}O*94TKKoUj zO7zCXfi*&s$1@;)WhMtj_x>=G$ACgs?$DKg1W<9v1G`4u@b2T;UAz0MxHEgQ)^832 z?9UH#vg<9Z9{@9Ifti5)0m^c0*}4j4fj6A$k$?(t%|W}GRGoV-IA3Co5WqcvXjuOMVdD3flUQBgf9>b?BZcl z0f=+7RzR`i!MKj=;z^d=#wgjsIdw38_k0X{edalGHaQ05$9V(}#(AK#)Y!BiY26L? zSPD=Wz)<5Qr(*b3J&NN8OiRzW>DYRbXUo(}x-&EgdI3VI>|Ge}KAfqWfQgJhmfo1r zpu8A&pNJJOeRoG+_< z?i`Tr?r!PM8D`ENpSXG6^W5ispYNaVoIf%6F`KpbTI*WZx~_8u;+}L5cuJ?=bMFHE zfZI3?s%z;t&J#R-3c1XMId+);C{w<+2v}~C#{K zsp8oO@A^L;JRF&7Uicj!JqJPcC!h!HDzjk?`Z_~0U)^7E>y?k11=7omdSSJJoM z;nFVYwSAFJYWT+NkBM9}F&DZ%xRW?b3iONaEFYs)s?W3~s(^pc!yJzG=QqAk6d)tB zCX#!7%al(g?lfz?$>{Og`Q@(bh`&j~@*`-0v-bSArf-~{COA;sA(l-UH!AYOI2}%5 z#fA2vOg9}*1K=fhBWH*_OR$&_n|;e1ZF*p`fTOlK?_MBU6~XR@w^I658h&YBHt<+C z)6vWZ9qC5RQjD$q@hTFtO36^oPUf+2N9PvBD;xZ2|9Ck?iffbr^9UjOL3zFiETQlj ze>Mma`q4Ir4R~+jUS^tybwI+ghj1PRm)>xfea&;ze2DF!{KH9C$LbSgLu*#aqy~4{ z{3n~!{h`BI=NG47p>++Rx=H(&qy=4CP!yGtc+Q?Fm1~~*{*A$vP?d*6Bmd6~F3zP^ zwb|fgMt5~^Ck7hda&NDfbGrfo+M*Mj0PRM!@GpdFoZEvzf7h3slbE%ZcT*ZiEz}wO zzNJc+&T~o<_y_0RT1~H5K7gFl4S`eu`PqZq;n7k15#s4jmYLS4r`r`Y?rRJTBD3Yl zt70o}1ehwAqO|I-9sX9IEgXIM8r0<=lPCf2v_+NG%uk`isjeQj-(Zs;#%8K= zKHp{=4o|VQ$lrdvfW+;y*F!CM>}IExXf5yZ5>*!iZF4%|q6u;bLCwKBixA#}dJ6`V z6G|D9+3QuvtH&g3gV`&?fE`x#Q=B9EvEUyW2Da<91W%b(BPsmAMw)1*8F|Qr%ggos z_^V9#5}dvgl_o{Vhnd#wPVQ6%GW=|uvfhgZYsM$+bXvh9< zmD#}@pfYQ+L_GbW{&FP99cU+b=^VDT0<#~}nb#K{r#Pr)u>YGWHaN!udF27g?WK@E!;2U1K79J-x+i7^I&T*Yc{+?#Xur|7hwtOP!Rha%AnJjqn;B7D5{ zVwZnnEWppQA+j6G2tJIX$*chAFVGn_PBWUj9Utun)l&|i=aeme%buKYoSK+;ar{dL zR{pkl#JG+o9g&Bg9DR>OO>CCa&6KK#xSJOZs2D|?7vBnXs%IO`W#0o5T`4k(jl@sZ ze_rBQo0SJ!(=2fi#um#rl}qaSi3az!Dk=^}%`Ra(4Ym&BrtS`t9E#9OMe8X)mW15+ zYSQi8tMzfb-9?>1JPUrg9P)Q90R5v$oO0}@`o2Kb^7DlT9uMAZ79XS;#BaZ8PRGF*?>lXPc>+fy#)VZtsiK0KOI&AhEAP;PE=4oZ1D1&gl_Y*jLYIxl5 zbSt66OkXWWyQ%%DgJ9QK`-<@W^SC)#OX$HQxm)45+p0Ok@~_YEYd*bfDPSHjjOx^PRO=fQmYROn&l z5_ACt!afXBf;?R}%BecI-rJPrJ8t2>)y}IxSHL9epC!)CwxJa2@`oAX9)sk3Sm9!m@(P>!zqBvzIde7)H;B~}FiK8?dv1-8Twc^X@w z(zxsDWq3H!AJC|y2dSTf;ohcm`Xa>S~R)bA2)iF*=34Mr1!+)L((z%>Y~ zFsgIR?=0Qs=-NU(_7b@X!P8tbGY@hx(glltun4N5>z~%rV1E_5Hn?$S>#4hK`I*q& zW5ZGPw?bBY?gB_4Z4MzkEyz1B`m%_v!8Ck|UFL(}6CgaSe#a_<;&0?gn*WU)ncCNB zFO*X8m|KarQ6JY4$u1-i?x zC7}@E?>bv*)KVdYgd|UFhehpP624=(*WOWbv8%1BOfz?! z=@aX=wm#WX;#)2h6I%Wh#a0_KrDanOUgMG$;9BN$3nVr&jOP?~CSn0cT;tn7b|H*# zJp8Zj7}cidkjnJ~*k``Z>!k}JvzwXqKS`O2Yo{0c>>5Z-Wf+|e9Zx``TvT~jwYk3M z!P?#ulJ-3cbJ67j(MRh{7pGl65=XA>twnn6NIMIal zs@=-(5<}S~rN30!W{SYiI1eK`pRfhP7)Fpjs_`)Y{zlVI@EQ% z_h;i89Uz-VKMoa~^?wz2a0q*GZhBP*d$Q9PhbhdkuE8VxEKoT^TIF)usz@MyZ_NF0 z0wq;&rX)K%EBir=8;gaL#~Pen7@_>l{8L$hTlztqq!?^hUpqge+MT{zRCnzZP3Zc6 zJG=C5Tx8~I^JQt!(={-yBV0GQIIC7OH;CK)EDQC7w#}OcH6f~B!R?Exc2PQ>Vj>xD zeqcLByD&Udt#3VNn!Sy_QF6q>XWV|%cCmeVF9&|Qx_~Qw?J%#24Z`#*vqr=$`(-?R!zVEX1*p1$KNA4CcQ%|?S!Hbl;nJ@p6A|k$npW{~n;d>5b-Zo~*94zIAp*!r7r2r+-XIXS z7!AKcJQ898cUFmrKCX!yJJA4h5A@^>NN+T!E)EIVIG*)`uIVk{kdrbX(djC1`Te0H zQe8Gotmhd?m#wW7=edMkVg)D36cnKXA87bOm*7EWD~kbwUGeYd)MO#^CFq|t)wx@C z0t)wb2?Pv9sS(|;iZqY0m) z*O_I2M0BK-F+IOQYVdR-qnVwcQorP$dd7OrR9RMVN7bq$dB2S1=>g{;2Jx}T^&w%L zP~*(p+y2LDV}V5u=9w*zG9Uit-d&e^!{ZZNH0zs}Q1K6KXb(5?h4$)ei~L zFtG+76|C|oFLfU*aX?QBLW{}wM*$-^r~qk_eoLDy&!0~iN~wQJ8Ey$T9z6LnhM6BJ zN!O-d4S}cyh!pTX{=to-e_$MzJY3|D8*(lnkZz}DnCiDM+vrZANjeD2H+sijS|dGo zK1L3S6I>rT@va70+%+e`bz|FHr7jQ?{*5J z6`h3cgPkgyFn%B!pt{e3eTQOW-1dJ(+id4n5XfDgTCfhRQy50_X%r(4P&nqh>w+d5 z`f8^bYHiXojgR}p3)_R*4uw}%?nLCQeazE&UOQ*Cig_*nX zQr7+A)aJ)fx1=`qMbMLY-taw>=Lz2ZwCdfA4c2&aJ_x!}dBv6wx0e7y z6Ut^{uzqP2Gfc4pNH^AloL6J3_7DHwjV69y&$AJ zMvTzXy^j-Y@m*A+o2VK|{3e_ruPGIaF&p5;O$U}FPX5Mxqd#(>z%oNv6+C8jB2?+~ zzA!(0b#6KWR*~*z(WzQKYL;2;A~g4T?gC}6aMJ_q+;dA87oY^}Y9=%$VucM_RMfm)JS+bC6gYJ+X@X+0C>YY`B9+P7$a59y;ibfSvn ze0#;;5{Ck}N$ieIVGcsv1Ue<|c+@P1iwAz(CPH13;l7v1 zWIjRt<1idmX_RN){VA|?J*&a9^uT#I0bM^1+BqM(&CgwM%&rkwW3drhCh`Olx|WUw zOmuEIaE44I2>V=!f0+~F@k@$n#bQQNr6}N}iYtR0b5Ptd)0|@-3-UZu>u#YdLujY@ zcdGSBdxJ?eR3U*lCL48G06X;z?fPZx3Cn;@AJA&38gET2gv*rmgpEC?Y>q=u%#9dX zBI-TR+fC%uJGqK776*V zFPgbok20YdqkUiuw|Z^PIY8O+AM)I5V(obf_V$uIk0#WHfOYKzEo`6S#K00|Pyow2 z3eZ7@&_;l<3eZ~l-RR4y=j!UYpB%bJ(DNZHv^T(Fk{V+%9&8(rmIrSulN_OGQF%O= zJ)EsDkw))U;}O|eN%RhmDuLeta@`&!?+Z%++HZFQN@D5UrrCZ`&Ea4Y3pl8OAoxo?n#YmQmdDsbfK4*tpOU| zG(arSBGFF&l(`qD&=ea;w~yHQoU-?GbhF^QC8QEWR@>C+#MJ&lj00F+I;+P^I5+>U_1~j1*HzfF*2g1lTNA&y{ zE=+8UoP7Tap7$LXNJH7^DM8M&sW=eFtICi2ul#?ESBe|QvHU4-c0h!g5rV(@{Sn3N z{+OKnXLlfUu+6lQJH`~3m=29qD^)paH~5ib)+GsDp&HAnpfS+q!I1k0Zl^8BmNL1h z7jzW(@eeI>-R3(9_;U?_0itVmk${g-kI3z%2qZJ0OPIb`C&hPvtxKaSJyw^kq^Qs9 zq(2$c(BfO3-iG z?q6-iI}v$e51T4l(>9OAb0(uh-R(!-1a`Qt-oz)`dd6VKKN+Wm&ed3j@yD>!$!G4y5JLo*ffjHv3pWCn?54bdz&;NN2320a)~ zOj%um?^SL2@YtzW@5XN08IB+llr%oQz>*rSAFB5dh!e$!RZ$?8p+JA?n{v=AbHFIR zK}2bDj_t}5?Q!zW;L^;Z;G|xD&|g;kX~$*M~H=-d58XGp+vV3 z2Tp3#Q!x?z3Gbu@k3TS9l%z2}#AY!urwjB|L zIWYF6YYfuSd(J?>kk?rAh6Ju*MUv+AVl>!EoY><103*o+KCwJDA=e<0u?W&NobI4c z<{?2N3cGzep#$q4rkxds9tJbi${_ZO=9EY2?dnG`{Xar_5goR)24s1A1+a4aG7i(n z>~!s>mRHk@n=ec0g5_1qbb;NfoXKv#w}00Hs36EQ6$SQY+D=c()R2Zn)x;B0!12&z_$R@m|Vu63qdKljss^^02yOtz@c(>qGna>mSbuYS(a` zibYMqqU;i;s*s>28OnoFq=c01zr~&&Zie8u_-kU^POiOJP=KHGbrM#Oiw(8{kg~7h zN{40diDs-x5KBBuSlG2zX*VXbU`LBMG51D3M33ty`%HVybIb(Fd9PHeKrXWmWSgS= zz9ws=UcwmS0})hOqFttqydv;oHr74_w5B__eq_PBV_ob>gg{SC-Lh)GburrV6+h5E z-oZhR03Q)9ztF*jw-xV2cALZ-sY>zfSY&-Y1fZ9iLUTcUN7&ET|6mLJN1^mzv)kQE zpm2)vQAD5l3$-!|+;S;J7FK(8T6p3`(`-uR1%ETEi0Nm%6vm};?OQP#_vx|LB%Rdw z6ZAvF{;D{6d5fHMhvVU*8JRUpZZmxfREhKGml1&yitlXoEC+{L!>IubbXC6$xZW<_ zGjPl`4%jX zQDc1;Ku7)OZh4o-K|xzu3POV$%gxX_#=U3&J#_hF za*!|N2v-j~Mo;$0FlmPfucW?X-R}xG606dm`(t$Kvf(WY1brx|fjkP(4l=CN`>w7- z6_YQkk2@?6G(w8}vzOj1rvhKhBZ9BJSp2aRcLies4dO@VPMshP@)0=_n=h4!y} zmyr7dtFSK0=6I7>dzBQ}Wr7+2;pDmDYO#~x#n4E|FxD|p7zdlTWxU!?fAs_#a!8`| z=gaf2F?a7A;DFKN$r7Jgd9HctjeDH9%kjdnTkwC`*5M?&hV~Of+aPlJf*N>wX&|WS@o2!;$yabb z>2qM@Ur*P;{BWD)i`zV&vhUSwby=;A4c=p`dH%i2Ww1ba*A}rGv%xPc`xL+#Zx7ct zK>?vcCOGZc2?uVgj$O|Af;jNEq~sR0#J#yRMOj~2ta8}_ZHp)^F@Od!hpqw~Cj^@& zV!K}_m0L~)4xBp!T+SUiB2n6h&@?l+YayRP?v6CiPYiAXGYDl77Fci=nF*rhYmE`I zZG2h64na7Kn);-C1~IekTCs$1ZGGjsK48}Lin(IH4Uo1(dQ%P-Bp@;VyQRqOP8|B( zii2*lNw6`VH`H^;biS`~!j4;hivPHe7j{}=G6^Qt717G5I4TZqsxt}cU%~kVhPBcog5+75Y9*(IAf+esX<4Vox_K*ml}?a8!hO>%(!|u1QChO)y~S z53?4HI|?#=h*uBw6{HR?K5UhaNx3D!9kEpZyAXTm z^w|zMjJ{5k zD8Bm_kIJ$anDq87X)Y!GGkU}+ey`0MGW~PAD27TA|7udH38xx_*zVZwPX|>;I>70q&*OHOz3Yn)_4Wbr#%T5>b@(!4@Iyu(y z#EA%{HVH{8n99bR#O zPQI)g04oGdI)>WLnhmW1GPXf2gW`Qa4>B1*dJnTHUw*eN520@{i3U)A+Z9zz<)sOu zC5E;H!VP45A#CDwX(z;yRP@%9tsWUhEyUhY6BnPQFk$8Cy5%O~)STDz^ISo>sL64b zrF(|GqkqD-hkvgT1d}D-Xq8#?t+VLjrpb$ z>RAe!S}x3e?TM5%mJfs#dq~dcfZy?ChZ6;qWnv#DfCiv>Il2yp_F|73BlUdX8Fcg5 zx^#@(l}_FFzRGXR^T?M%=wtFnm9Zt~0PU-IxmC2AM{}V(0Gbsrm5Tsy<_o%@pDm={ zKaF()(oB9GnaJIb6O&H^Y}2VBLipJB*;^I_KlfCtcOveOb9suwfx`o*V;%-Lo0`~l z$y9Xy1qJ3A4~}#EYDy&KtdPsj4G8A=5P3@gZ8viG0jk#(?$i=U7m=M)2f)7JT6M{3 zVV3M37RXPWV*~R&oMQvsW_fTHix+TgxRqtGUW{=6WonM9YhjIiN1AuRzG!vz+|`D? z)%rsB4q(_|!XEn20c9YSI|lR+8x;#H7zf6$UVo{tW99l~aKPiWy|L%=lpsGuQ7zi5 zqw14iY>~a8or*FK*@TOE$SJ@+11+@e>d7U8T&;B$l{A4}1EKZ$b9n#HCB&K~aBIlU z7!4d~3Zf`@#lUx!TT3vSE}2!C23NzKt~W|T(8g8jTeFV@E@c-jep}dcWK_laEa)T{ z9ma%Ejvq7ydt6lbBANbz8!(M_!2G7mXvSI2pDU}7pfDNAi&_*wmT7q$FKDkQ3bYqV z-}1Kxw{LQX*C4BJT+qc!HxJO(3EjUeF1|cY(X6!VG?V#s_P}@ zc`?~bAb^~_E3$sdO2@dzJ(wrQgS{o^7!@-#nV`up! zDi_1UUJJZ6tO$gR1#)86{BMIu*9A8i-$QQ*+5dBLe$Sm!4M9*d21l*$^j!+k<|uWo zT3A9mHhaC9&axj@CXC@YQtaIN+|4pkRDa2QV0`Y~M;Q{aUG0+U$TdR-!IuXOzPXWd z0|zBP?0r8pHQp;uhq91Yh`nip6#yHGou+1Mp7yoio{QU!x{laE;6hQgo`bXvIUo-V z;m?5q7m6T1U4#C^c#j)H^^{%=rsP4f5kvhpOH4dz}An z^c4CBJ>bzmKl`$Nd43sh3s5$06EZsKZqhy{vcyrNrl4Sw=1UieQ%LO&q+7#5-XWJS zd`*vNc?vNMUGGcXpk-BbjsEUnLgeAc=<<5TSAgId=+K8g1NKz8=MZjuBT-+4n-4D# zE2!-Rtl4%7rMO{s1F=ZaSBK?8_Fba3)KgKQ68&jgoOM^>95WX49a+NMd+3Qz_Dj|? zj1CK?nRZiA(5<`sJ~Xe?jxbU!0CE6zj>vqN)J28YY+(k6KnVKh6s4?%sF#S@U?zKU z)!lQz&NaZ$B52-MqPj{zU<3F@7y%v^(;u#^oqVa&*J#3&a6|rA2YhkI?K?3`qABe$ zLIqkt?05l;5$(z_C#$X=pE2+a5}ObM>+J>_M{m`qch|ozCKq`I5#OSoiSvE%KL6voa*636xzOSZD0`lRk`MK5n_LkXF#~m}Ew{0;N&a8HNQ^Lg!W}T4#@S@E?*f>50`r}w zD%Ej(E<_}o&F6q5@G}JjMfsOPZ+Q2R{~URMiU*`P4qCje#SfS&9DO~g{_b{GdMugA zlXFb;9CqGLgY|7*FC0033dKXc99{XmNU^m^xrFIyy=aKq_aG=(x&xA%6SLFoYH& zRC)YM77o{MX$nz{Q#<7Qqk2DpmuW(Rj6iJVUaIAD6d&KHMrN7>u$S0SS5pq8U!h*b ztUX7ZW{eUGt@h{HSE;`~@Vo_=$885`9Yl#>?@Zmqu^hCgxkWbB$e>o(WDa+SgQzwI z4-B^aO9vw`3P4APs=slI!6z#0`l5e)GK74^Kj}0lu|@B?mbcJ)hp_s5$*{z@X)=2h zbdI*`W=fog%j(8*o6EW38c=bRxXrUM-4ca~eimm0T^Hiz!LUK-&*!hR3I#m!HlwQ6 zjIt_HK%Ko2D|R^`m*zq3#gd;zU8iJ@np2AAn}AEWlkHfQfdG1J$Sw~Ui7(9ak$z{P0IKnz3lqOXT*6Jl<gbvMl^EqwFnO&+N#py3 znkD3IoXX-s2k^ggOB?&m(3nVnLV=tSvR%AOIR%$v#REQf#9#E!jy?X&ds(r(opP3%hkoB(f~`=_afAYCu4;a@NRx}p86 z=Cw%GXbw}jQ8qm0VnT~^GG|wR=lR$W=jqDTfJyvm$I#}pEG4;$79~!er>}tx%2h1^ zg;YYd&x82w_>`-D^9CrXn$E5G`Z=0Z4CbW0fa6q?g*<^@z`M2+ZkvsHb((MvyRB1Tb>OWT%!$tXv`AEkm%UzSIyHKcA5 zdydwu1K@)itx~gd#~KF>*lumWT>K5?6_4Arfz3zE9jjwY15soNc$SdkZo3^5khv!4 zhV{gz-SMW&5!swj*Vap!rDKp-`rTD6+{S_VS*rn<4ke2@L(5kJ{(_qFzNQt|Bi-pL zX@7F2iMmJi`{npiZW0GsgmwQk_>_}O=0_Yoo;t{bB<`d+M{|)i0h<@4=2ywH@=bLh zguF2*_}Xg5n2t!E|9*Gc6NQrk8WdlJ|D94{$RF6$SKOTOtounw7l~u>k;YDQJyl8kKsk%+sjei&$?5ld)3fu`S$pSJuvk) z9B=Y7%*QpyhT+yUbVi^UmLXRA=~eU8vj(>dF_i?)P6)$ zZimm$sorfb!QUop3Q8%*KmcuwD+M6}jJEn_B@xV^V|IO9s|MpU0hM zq*1Tt-9vn(zrYki+au2HNb;)NP@ zdqm_8uFH45zQ+UKPT>{1RvP>Z5T=})pLha_`(_2Z2+^~L1eilOwuByVRI1E%oMwEC z>PQ9F{u_-wP!xm5;lu+K^XCrm7X;BW)^pQ(` zF_HSQ(f1ZOYcZ=VIJ6HQi_CyNyM?2r15yve0wL^3VkSZ0OTzXc*=@~_HoHIMpBK7E5cTfFpIbq;cRNDcPRuZ#2cR+hT5&7 znWrcTbHEsS(5OrPt|X}$l_ji9=|r14Fl&7Z>}Cpux$Na}3vC3JG4wM>eU%`49}>38 znE6Dkx3j+{^m(jC;~zy$hmv41R1C;Dj?aI&)GsX{&t(VGuXuv@J=Bv@fds#bVHEgz z^e*P{=OBOkdEC$sYU(OK|IO)ecobN)=u8L>9W-$VbYIUL<5To|=wOh`o9b1nYUcuE ziOa2l?nDP*846TX*J%$dv*8MtGO*%Pfo}=CY!gLoiH~BR%+bvT>-cfG&e?RZch+20+`nO&|4v~&3*g=<))&K^3UBr{0-0lt%dBcR{x1#sv41y`zYGj@d z^-GODX(}UuszAApsfTC@Sq`sU6o!Ma!T*{GyB=cBb zYhxT9*sm~V1dCghv%abLx$pI~1)j#>(^+FEARq8AT_X_ktXBw$C%)%VPcOkdN&b}a z=XDWDF^5^y`UbVg{_@B{!s7~L`PzyuA8_c(V`)D~;4yPQ1&RvmSwQ|V4?&JCw|~~g z=?OM-jHAs}a8&z?4M+1})$ulNO~Lh%BxFs3lKo6g^H&MN$sbfeTP){<&Ci79y(j-K zEn~-(Fr5yMrVR|%hLqB{nGNyUV$jD+(4+WdV)bKof|>{{-IDiTef~eQ zAix#=2b$kUi(^}j?>>id{Y{gW4yRZcAWJpKTu@Ywd9$IvUFY>4n-uyLZ>UAfczyIn zH}5K6mpW6CMisY6p6}^``p2&7wMX}ae`b>7{4NeXb2=>NiufuxTRi%6k>%E4!N5$h zWPM6V1|>6QRajDM@D5q81_>@Mbaf5n#nJcBba0Nx&I+<~Oz#1@<(0LOpE9mpydj3*;AzqNMXb^L`NknEM)ivL1s zZ!D;6leE=V@u{YMypa;0u$3M?JpG3=b)4DkwZZxj3IGER5?Pa!{mrkUqwaAKc&{}u zU(HSjoOf8frL@HVNa}*ldTG+#tZc4)lZQHlR)i7qTj%}%{ax(8*+4ki_~^RR;mK z%oq1OaN|*!Z`#>pm*!mq0PB#;gibO*A5rQJ`nkOoJ~Mr?%CuHX#iu_^NcbvKFz*;9 z!|O}2aaFsXC5h<=SQX-j#0=+H!YGn%FZ592#rd#;hTq43i!-&7^TYYe5~lC~Z;wj&V^~-i5&F>4!lSMn)fppV+c|FA$!_K@X6vBonpFko zGigOktv%Orn0`#jdD-NtOH$e$ispWu5G$6O!UIF0IiUb>^h{U|==9Hg$l z!8hIeitZRJFjt&N{X}f^hR0|pr&>u~Op?}N>?-Y>G4V`Uwzo~D@z(>j-NFV*oazUN zeLkB$l_?4cp^S1DmoN+sJDE?Ed%ddRzWgX6lPl@`T^3A{*Aq6=xNeDl#^X=$*1qzj z0r`O@0m-kUkG_&o6lr3T{m6=Mro8njef|vw$Fw*94DMlrbIO{0$uWp}z ze)W!>7>^Ue{ls+)b=DQSrkNX0i*TwL`t9oe=7%x9z|~rV{3OBr2J`ou(zFQ^)BL>D z@&3oxQ*Zr~6S~Y6PrGC?Q+48+stw~-A!a)c-{Rg3% z?nMgwJt>HlHk#sf32|tIy6cXNyLX}IBPJ!0o`fK`Jy~kj9R+%wVlwA`sVKK&RrlU@ zS$|m*=7(E>Ks;HR<|BMRAb(+&{}wl%Xo0F61O}`-XGErs<-dqHa+|NoayF_1&ny&=k{@*zPY7B6Qj_%T#M6t*+h#Sc&~BmYB!ymyk%g|fhcl#kQ~XW* zGw0ryU(s#F4%{rPI`_s5rB0KA1o>}qa=A--hZQTS?#mVsY$f3&<^1)A&hJd&2xMDZ zb>sqzsE8alBPTGHZ7clFWiE`D%P#urtZn;Wy44AuOS}vsFQk`Ysl$QbPfMiu=L9GI z5J4`7naNV#OV>m>qzU*Xy%j6(+D$)@_`-Ih<3b6s()DU;YiXByt{(ZAJImjBwAW^$ z3im^^cZgonxJQSyjKj>MvOd%MGk$k4@GCvZxWC;a%l0N?_E#Isy!Ub0TP1m@o{@cb z2G_N>k^~f_iAwnyrPs|xm?3}2K<)%{@0**n6ciiWr>;q^wo8sWNzpP_qBZA~7yEAa zCh-2+ZJqs=q0VG(R)!+{vCkhBpvUns<@0$gPuniAxDZ(%>t3j_r{U6gusdS1>~d&$ zqZ$6@6wsKc$)J0RUm9AkQwif)5#2z{oG~K$Kb#WJIbgbV#5x=>dH$?3?;GZB8G;(e zdgHDSW6IWEg>3h!+&HY$r4JId2*ef|GJ{ak--LgqGA8uS$~0tVj<3`NP{E(s&+CX0 zkJM9#i#h+A1y&90bQfDntoH^OcN$>fT$0klJ5Q?DZq_ro{9=Ae%{ev7+WENpZPRNM z>)g8LwbUnxl)^@H^S81>h@B!n7JCcsq+*nw>QWF=UY~O7*{fR))=vzXb%{!uzPNXj`dknr;&G3wQYRJkiMRGJS&kvhRe8O>p_nkMFQ^pe&kUj`95^T;pwzFVqxz7({T{pnb-LFhqi)aX;_vYrB_r4A-p zjlPrBJ<38pwZp^E+tz5_`qSr9m&bSARFiy4Omnt1<=VQ8xkm0!yR-JGJ|@_|W6C)KZ7znTuI- z=Irp!hT`Av?#YFBxMxA{cp-}XPFCTIFZc8$okrT?FOo)hFhh3a?-v6C7QVFs&cEU9 ztZ2jQ#~+jtN7}Qp37oz3);mw+q=BTxZc^bI9@$BMVvw8kNqycO_wAx?nVSaG3UVw) zgG{E<2LW?Z7~%z;{VfTt(*%0#FmoK~RDNQZXe-5PsOUg)`%1Wl+dOsB?;~HFJEII@bzS=N1&-?WK-UASKBFuJx*nFJxbKtj|fr! z8gjy^Ij<~y4%h0VQ_M@W49IfL8Yn@|ptGqg?%iG^HKvQ%S)qqo~<0l97> z*GS;+rt5FRt7Eg;%fj^DVuF2vx@3Sa5W` zsW^fP1!OZ|3|*?u81CKu=_3|xXC5QUKN8v_fyoPO zj$Hfr_%jDLwtgYpW?u$lUU7?)$#wQq!)uP6=l)Q;o{#I-I(7`>C>W%j)8IQ}SFewz zHD4f2>`NN3TEEsiZ>Ic>f&uSQnP)(cR(Cj=^}F}g(wOsMo{wZOH(YMs{s8LS!D!IertL{p;WAR>78zE9=?`%FFY ziJ0FvH<1Fb84ea_H3xUB=Nf%LM-L4G-l)1?gMi>5TuE0@G0s9Ap{VG7w%ukv}Q#y!<$fahC<#OV|SL4FDD zc@}E-7=mlqNbXm#%Y(feQ%(qfXqu)S?tNN1-^y|v5kgmaO*0o z&bOU8trMVgB~e{llGx?5oPxu=l;|Bd7VqAV@a^=QO|ar_mN-G@bRIbGo!yMWq9p7FK$*^|8V}w3(cem8N%115DG#! zab_+>qAVg=y8vZ{eU=U-9TC;yo0h(J{-Fh6pt3=&eVn2d--cXEQ7UaQSPhyPma@*O%d;%$VMq!G_h5z{U9+lr+mBF-fxSMwpR!Dx$xS7?uiiP zQ~x^4_iqW|PgtbItutKZSApNO0!z1kmjDhGB znftQ@HG{vz3as=>mlxj|@%CsL?7yrNrXG5ueJc`k8d6ag>o`Hp=rNynk5fLSqP6u- zLwSbJbN*50XIid5bN97taY^Q#1&dYRa{;41cn%VCqK7`(p0HW<__IX(?=lhim+^8$ zfY{494hjanwc$Lyf)4(+ssntyu*P~?2n%GAsl?gZD}_KHfZ|;YhgkTLd|F5^YvD%~ z=z_%6%kcKdwkScR&n&abO2B5~ct_!D@wJY*Uq6e!Kii+zG2K7!I%}S6UG%8@X(Er3 zNQ8=Oy^ykNiz~L#k^KGQ#Nf}Gk_)Ex(*D)p8|}LuSF@`ZPqa)cvPy^mp-urI&qjgiJnr$CnM9c+KXN{ah&HD`m~z~_XK@$K zM)Nzpy9CyNNgg%xu4VP{;!HBnK$eu{*!<+#M(58y^50bixZi^iffLgaAXGhcWqQq- zv_g1pdbbOvP%%mC>I$Be57B~hTa^?}PiGZBs)$(=V5pt9;{46#7C85(Wjww{05BGzP1qvvr zWV)s1bxv8yqrp+~pqsBcr%TCJ^Y^~(SB*}Vg0{ign3M!@=g;saaV7rtuu@&0e795m z1_UpG?1gVofToMCuBJG>)c#cWrk%tiYBT-ChMbV3ns*4Mj zqpS8aMHSVz6iUTxlIL?hV{bT_wr0nGh*)VP#)7@Njf81 zZ>q+G-M7w{RgNk|8_;0$73dRm3Vqz{((bqpi+htV{8ES2_oTEhCJq%hD~?^zfAsJw z-LOGHFzfTWA~yfAPU5>GA4w%WmHg6DxE}L`CEtN3^{7JknxzWa=9!?RXl4^FL(LO-kwHQK60ERv5V9n|5W-=386{pIBQyWpF^x%5s*kGTt-`=5t*l|+0Ov1cFaZO5kd<%VB1 zIL8lvp7Tr>$*4^Q<&$1s7<%G%YamelYuFEZZT`JNJq4rT!tW344RtUtbx!8nVEf%N zL<>6n{TC#+3qQ*+5NMnEi7r#;kJzkD$2r{8G0!y}2!8W5KGA`zGo7hf>GT^T?*(`;E zwcjVz#79&blN<;widMvAWxq|E=vQ)I)4+aiL5_aN!huv&5V-7j&0Ylp@e?;d$MOTN zdI@tIJO%Cd^>A8J^E-Z=?0!C^c zf(J=m3yorK^?G^}PpEebSygpx-M=_bcID6Kw{cU;i!5Ke;`|$`5m%r9Zr2LBjw%21 zLk|&GrTnFOj+wch-SZK|@Phc!v&c;XOXBK?otcNG9HP<<1wAXuH ziM%${Ep7ZnMipZem}~H{PoAXb-WVla%EukRL1$n?oO@jDU=y?$-+aL#AcI?2_Ki$U zSWfx5FN&A}iwHd(=BC#her_W_8HJN5S6Y#?kHlU+z6sk=aNjYC7L*jDJHBY}pw9mR z=;=iMo>kExt5QNLdY363Kq->|fzJe4`k+jpm!me^O$Coj$^GI^S3cm9$}IoyEQxR*WZbDrKFMl_VSCNSt9FluWBQw z=WR52wCb1bxs7-LiWWZ(>-4n65wQNPL0lt3a=SaZe4%yA*XwpQ*1Zfn;F}_L|F5GF z=s>8=#S;5C|0_FmF+JF!MZJTf!yAOqDpt68KH7a>l3@1Bm82L+sg-~EeFI;HnpP4W zHm)@jr(GUx-If<+c#Jo)qN;sg&MY8xy;dg2Bkhn*b@jZh`qHx8pTqvB^Jiu?-Uv50 z%cgvwN0lM>QDB7aU4bA=;SGJJ(@yraqk8jCLN4r^?Vrw3Bb(_G!X^R=!sPtrNL|FT zD|8Fs7n1~^)J;W*T*=^4Pl*O$;R0DHGN3O|c^#iAoa1=Rb7iXRDyy3*ygx^ZAY@v* zaXYHIdZ;aM=C?vf$vyCLCZiD6=z>@GZ=^Hw5>|rvf&hFB8UQ>_?1l9s-V(7Fn)GM0d9!KL{Bo{ps zU#Alv)xOmXti3J3)}M}6zM`l8UCt&<=7bO4;JSQeQhT5(9-9%SR7)CFX-uoDW-4e- zyc^kmY*dD_h2iS>HlvbFZ36?}JBHdvy3w0Pa*S!DeL841CA&UBNEZF(I2iYX?|DAk zF;t)@UPSzKoO)MuX;jQt*cHS66n|w*Mc+}qSkQ5}I}Tz1>P5bY?7IIhz#F}{J`a2+ z{aCkN&ANIQNKKHVqzw($NOgE-wbX z=07;&xE~zN2=3wk*InD+n-JpeUw`BDzo59)1vWneah}w}M$=N4uOlKcq&$L$S;15+ zsxYrYJN~I$CX^~><>7Fd{pq34v$RU?b;6$N+hAoWAwT|+GV^wGa-kV{DjV9E9}+Xy zISO~GbH|G@GC@m*&O|k|{N;hvJ88Go513NEiMGVqR9dqr(+nFq2atX29mbb?A-J=*aztrV%?)y?u2Upm}@$AZrsJEFf0E5yhk>tCt_ZR_5* zcl_#!S;2L^>}20l)wPCgN5rw)WA0_JXTX^iQ+x6xC~o|MuIcXcV6nYT+r3S#NFQE# z+0cK`>>syjE3<6TSXI$PS668qryX%jjYug%@!?A1|0cYS{QRthV?0{%RyUpMi~frB z%+=ITSjh0LH%(Zhhmjh59JeQkzEvDXr@R;CbsUt*k~Sf7J;D(7W`LkMIt7A30qwfA zOnoGBy$4&i)EapBxz9xVc$>p%uWY$rponszaW<=Tj$>%K)xTgy`JX868i!qZB^h%Kqz?(*7}x6$y5iPQIw=_Tfl$pPh6uJG`3^P8)OFB|tW zq=E-r&$TJtUt0PxfE@w>tC<2|7=d#);Op@(D6V^6!Rfp^We1pBs!S1 zVKp_b)ws^5R4?-HmhNdrD)6!k3WH1c8jlx7&4ROxfv4S5q>ois7Ope&|CYfiGHAt} zBRgGe{Xc6;{rgXjBtD)9gvsrR!bCeq=mofa*M9ANI+Eo5<+oq+2NOau^e{quU8-nT zou?w>V$@(;kdoxnE#^)Sru6%C+))NP+F8oa?!UD)hz~L0wlvLT3r=g1HMJAw_uZbZ) zHN!NrfCw@L=tsvure1ZjQS`$+v+X7wbp3Ku4YU0N6KwK8@ zDq6P;@06;2HFfMgc;N~3721$JssiA`L)7!P%(;OZspPy&`!|1u+Sp5G2EKQ%OiVoN zg^~!Lb!P@#lB;%e{(JwQh#?wNUzX~u{wMvE|Em@9Lm6+=0ePtsV^j#yObH^f`;Lb3 z1d6v8Lmhm~v5x<3<7pTP_Y|Ig41VB^kZxz{7P6dBZC zs8K18%_ZRDja-V9Uw2vBajuWUsm#lzeqCAu%{011I9f~Btk79X4T&6Ytnwsil=oF% z)Z|drkM!I+yxE_b$4~l4+s)(ogZP!7k;jC7C8s4nmn~r1)VbMQick6NI0w=8e8;lx zXT2F2*A;gA0eu-aQu#`2u?*TmwSH+SXK39Oersw7H{}W@EEnG99~3<4Q%Irqw}9O+5i1Nj?{?7@I`V>i{gnd`U*GGM^Ns! zniHgTM_rgW|H;h2ULinzbg6upIz+Ds>lsoZTX=jm6GL6Wp+w@uOz0&KU)IvTA8V`j zXfBEJ+K$M_Pu{8 z6ijkQ;m~Sj-15b;JmYiYYLRhL5jRxzMDX7`U-w0{1``oljRkz#$_q81bMu0gsC&F< ztp%MLdrX2+@%!UA?SKPfJqn+5JQrZEYz4NCWDNu0DrkMkQaCj7rhf5}hacVY6AGR% z-Q@)g>P5lhE_xqC%M+)daAcQttYItGT@l}9zH-cxn1%z-fyF)#LuOH}%l@ zG40Z1Yx++?Abwx*IRTCTYcvY0fO@xsTL6TG?Q8Ozu^C2bqt;NyxDUQb+H}ky`Xw8D@e77 zzk1Ob>ie*mFbOr4AepgNzDMgj-bcbUfzzc|Vi^^6Ju)OM0oEB%uNCP$JuAoV3T_*+ zdpdLzT#<5l$}6Tya_*n6ER1bs=4*8%GKL5;Hq3DOt!#an_9HYALFTGmNK6e7T5Lr%>G;) zs~)2GRL~4+l=UkYn>j}k$m)*AakZWj8`E65q+z>n&+a5>-sy^XR&|G?fuVg0-tzoNhgu|t zRP2qr7dCsvzPWoO2$`gC-&N#F<8oDF((K4-Qd_{|^6r4W>I$J#307SC@9QpB%1k+J zkgykL$JYPrH2C0)|CmK>?u9l9A{=(Ew%}W-FFo#I+1SeH>Sju#05KAa=2F0bQPYY> zZv7_fuWOhn1L^?S&YJB5lijxS02Rymo%R8uIeFlM4r;VdBXUgsz(S?nT^xw_4p-=O zs1ItBi^~obMqN0~;aNwq1jgd&;1b`=dYMKq{zV_2MGuE1hSwU)57N9KZ;03?BZPfmk5sJ~->J8ZPmdxY$A9HU3QvJV2PT$Xy4y#)3C0 zgGKdVth)e!kUb8q+srT)dB$F}`#=Kk$=9+Rmf~7E3eXTwg#H;{xZ6MeY#~85hEA&B zd2*6=FNi=(_jg*3vC6g~7#^{wL-Pe_2=~fenD)|dXxf-?;OWR zmk=zy0jqeOuZy+$&zRVb?-B?ZlhCxa=A=`nQ2apE4i0xBy>tL<#(XIjF0QMkuM zTE9j>zw8e`(JKrA2+IpItw&PI!G=@n<5J3`ON!K-;pZfafvkpM@W|*Rfewg>*OV@RG_?UBHSupPR-Q#pCJLABw3R}Zj&=Ij-uLC4VY9T>bqkl$ z`m9^1&CiVnE{~L3(@Mx`fJoevZW?iUg38uH6@72S~SRlg?@f&E8{9{u4tl}6qr;*4M zwPSi04IPz7ivP$%s*QZV81-@TLU}_5B55H&e`rSx=*YXxg+=UPq5>Fm0Nt^SLVYP} ztic2!Ze2-yMB5xfMz?DNT2GWsm*uFO`&O{?o&aZc2@8*VF4Q#>&c3G(z&zsb1qMyB z13=?{b~iCh`-7ei{m^Mu>DGzv&O{Bnzghdym)(Yo1!G_&v(`7Z&m)8c27V1^N&`HE zkawSl#L)deDxtN$#|E3Gj1_$f96vQ|Njb*DGOM&wa0|4LA&@17gn$z)N^G9PY`5urvEVvPU+eWfdCSbwH+( zhb$8ESo|k=ETxT6_=!CgY7CU_N3FhJkc(kVFiSS?8Br%r{WD40>o{*F$}0xRu6XKg zRpq^>eq7?ez_D66Lz(%@aF=#sKy(0W?$yYpWn1p;n|QZ16=~sH_8mj>a^;|i#Yl_@ zrI4I_D0{9My2Y5P!Q;d1_pH}VduLRV#)y03LT6(xi3X+>9?i4KSweOn0Cd)% z9wpq(^0VbVVPjHBlgVXEXHp8=0H(KijbNcTr2YV|y?k2Y$;4AWTksjQGdN zaS6{0o_Yggg5Y$tJ4h4zfP~&o%VVD-mblwd?56ZuxovG8SA|2dsRe+OG;+F>Kvf9g* zA~(~J<+^V`1#pR}br!l@@=aVp&^e2t(S5AmeXWc>e$P}(2_gQkInxOt=&N1sqkwQP zGU(Ub<$%J{Mcb!zKy9*i=#qtkx?A?=TVS8;tfJL>k6`U25_W^DuyfAdMolj8YVcgV zb27Yp4e{9jwb6>`uoOAYM&{P#>N#YJ(NiZ5&c>HV=zpm;R#zIz3x;CW4h#Cq*s-k zfS%i>KScH?Ke7gQo;*32t+2WchWr%H!_6v_OPGl*dK&{awwPk;f|M+LT^Xxw#ji{! zq__CL85$TNsZPW5%kmrZ6Gi*P*H=THwVF5mrV~6p%yhjvpS32%ahcUUu9W###%w-7s4fq-_bcKt zLVz%-rYuAR7}$$ucuJ{)zg82?+mhZzD7OX6SL$k+=-Px}X#;G^Q|Umy*C|%Syn^pO= zLtJ8iLBbbig++f)ml6Wa-3Hp^T1B+Q<3!*WbD^Brdfm((<|)IT^PshSap0z9xhQ>l z7|OHoBq4EYD>rRG^9+3LI9ltnxs$CqgSN5c20u1Yn~~p;^=!XFda;N0lvUG8G#QeR zF{46|5KBNO7Deo8GC zU%MM6J!DF#6)d=|rX-*dF6d}Rt((;$qNcN6?qlOoo~M{kuYbJkET`o(Zg7lWrF|wl z%b%z!Ac9<-QkU=h$cN#D)ldEs>4Ffqm`Es1H+|R}G|1G`up#Y{ZI}1G*PZOwn_b}^ z_;lsLIE{FbSA}dq1%+j=QwvzHt*UW@Qe9|VEAiA+MN>%#l`i9U^G7RMhQ}_gUmv9Q z<1MmfK;w@bqpa+B)aI)}L2?7H(}PyElPl^or9W&n>a}YCk-Q!^yuVq<26h0drhL@q zUk)3HHZ99C=}D|aB4~2!zVg_WxHqU(u+yd-{5OMW^c1wHmSlfybKj8q41;&c(z?Os zp9)bK+zbWLDu>xn7<0kECrh)KeRe=utCyy{* z3`0207rgH8v>j?@-WOOCEB4o#-9WV0LDrPLk)|;dM8_<@L!g29eDtax(|i2fRX_(! zQJ}vnp+}YG1b51&YYhaUtfCl1TO42_-k)(cTuL8le9%P8w5uy4!#L$biYWQwO5^hU z<6$h#Mo=?xCMoo_2YaoOwcU?)dz~k%LA>hiWj;8_7hk#7^K)NVn6JOi^wqz5^Xn{J z=ycep86^@gy|`yB9L(t`pJR4QJX1blrU(1HypxHFChq;Ecu=p%UN$?qYfrqPf7vq@ zdTV*RA-|vLQ>ty4TQ5R$9grEM9aK6o@TbKLX)vDrChV3#_1o?yv5H+L`9yi90hM+z z+{~j~qum9E#=uARpI(Ou>Zmm{2(7)0ReN)E|*>& zEzs6jEyH-`|Gu~|7oGNTVu6nPmCfZIb@B5t(uy(FuZ6!EOrSv0dZ$GzK^&utlJufHY-I~3o@*(Ta5Bt8pQVjEZpv( z;UWN01CE0kM1>UoSA}JN$h5VGapfN#wV*kHDm12lq;$93gNGoEpYAUP?CWT) z(v7cvod2)A>RGhqpv7TX$YW<_1C7#3r?>nYfDiL9T<}4oq|6d?;yfPT;lA z(4dU04f6^KC+A^5X$fY6qkE{Ig1fsQ0&&?!b)ddR>c{Z@@;a^2yQ6NWIEnIec?#dp zLkZXb`jiQAWUQtRGq71b*LKfO)%w|ag-TB0zSo2=6ao!om3m$pjtM2Lej9rUOpOpr#2Rrb38)}`82wRwL~o-;aJ?n?%>|rvl&a*jo;(yZrRI=OzF%Q*nLdq3CGP^ zZB{%@U;TOl-Ow3Op}3jj$zxTc`kNcQ8tUn=7%*fxAcV1(rHCtXYgc`b2;^(N!`ovg z*q5qpT5393i&nO{U`W2WI*1u(E|)OK%?jlBJ>RoopfVX!zUuSoG~%V{AM6|ICB4DM zrF&nyy_JRV`!^aMM_(Tm2Zjrszjd}1gB2IdKR$={5`8N4M!MjmxX|mJiR9n-;7-{_ z0&PsZLk6H6SS#R&M|JGsUXUfXee=6_oUUcL$=($-nKd2^mlEzOaPabGzd*O1`di-) zyO&M1l*t!4PguY0y0c3$&7QwgtETQMai}Mn-s*reznA&#ilEcA0V-UK)_u3KXOsxf zTH-7EbFx3bLQUgN#Ha6N{syP&*Iq2S##=t0|E(cZQ+dPs=dL+J3grM#H)YU@TzE4+ zwPid$qjbM&2##Aexph_aQ&HojHn4Q#k1cFR_li{l0RUbyjZ&{YQ0`m_j)VNIZ+6<9 z(6#N~*RHk9|5V>)C~#q$KWjEMa3sCxG?-I;d((99-iUgLfMFg;?49sxIF`(H;FK>H4g57DtjS9$ab6B zsvK8Cc?QB_>%iR1KJ~TH(dE^k7gZz3iLy8ZPC>8^(8M&>U8*L{1{U?aYAxvuq;_3v zqRVEUHwKJa9cyD7CU?5Rm#)H2Af}2=`z@s{PTrQd`*N-U%Za|0uLou|!WNywYcg(p z`Aw53EGftd2BbiV{WcEOmvewuLdvxZ<~;2{{W@hgErY@P7jz=wp=lLG&DJX}TRpj~ zQBuh4ya+@8(JnITbu6UIO8_2-8>H9>{fKSXqEe2$@w%QRayv@`I zRLHSZiqE{BIq@-6m9zIFm8t9MNG~bmLTI_iuCvfbY$u;`)@Y^HZvSfudrHy4cU@}S zz+`6)mvg?oxc70n#X{VAb|XsTF@eJ-MwrWD6WM&I#2rbsoz!WRRIaCGFE;Xi8OO$I zJp{=8_rwzoD({OmK6d|W=%izWa3e2)GjY6G-WwodtYs~6L~aict7{r;WE=a9mTnQ8 z^j3hhqEAZcyZ{p0Zu;+SBL#yp6G`7#!68n(hr`OP90mv($H=G~CjkUK*ggV&qML{4 zyWh755us5O(S%C8w1~{HX$7om*n1`v6zbb0^w>Ues=l{h@-Va-qwWwin8UJg80+W* zUxc;ZcbjEc((6eOB18p6-Y)wXEH)1Muv9Pjl{P*K93gk)b3g0CbDE=O}$TdH; zOUNdeyCCv`v<(ZmzT9JX3Pan2{lqxn67(NSIdcjr*)4I^^tUbvr7d=5f(4Zl4_Ig$eimv$vDw^3KVE^q- zK|c(#7#w{&1cckC^v{T|Xq2ZO$C9KRWObIyqya`&`BR%Js6w`>gn%y!w1?(NZfh?) zocz0MN1Oy2-%&eZ1rjW2QN4Z({=%s19+9=kYE72_5L+s3jc-4GzJJWO&Va!=f5cHI z%ez5s*Nl`c8EdegmT}GiG^pEhf?*|FIGtJn#}!WP{}n!o5OqnD?X>A^FD{=;TgvxaOYjv4*Enj5b(LIOz#K zA;ce^rmOzE*KvP+$@Z5&f@7ogQy9^H$>Le@XQDWklPG!i?pq>#teOS4o!#$-u}|rf zoWu<>j_$t*syp7b62q3=>H%;~gJXW+YGy%A>k~n&FvxNZoe^;h;ZF#C>|ghW65SG*wnarQ*$3v!`?*k<~8#S1<^O%V*vz7R04c$3#~`e>!cPW1v&z}nQFS3R%klw%Rn{ZsLR z8t1JXrZ--~rllL(s6`I~=Q;5d%G_$ds#tAuPn0tKS5h?6Bif==u2;xP;rUN>a)c_p@mW zCh3ms&r|Rq0@ETIvm0)-rz}VjFv5d^+>WK< z+D9H|0?i1Q=~%nX7c+_fxJ+qo8G+NUI}@j#=@@?m!%A0a!NI=mf0#@IKV-XY(t_eP zF{`W5MRzJjWJ}F(k7c#&i^qPYSe1@eVYqX7<457|AxJAr-isrb2hoaJYa?~ao#devY+z-?4b}a)L z{A8Py-l4PXjG0dG&zNU-!>7a;&}dz(lA|81CBbNrDP6Ja4^8~zHO*VGyc$B-$WK3H zh4}Y{%(xsix$TWWVjdjo{Fhe1a{H#2)9ub6rg$U|NH(O0d>wbZ~ zTpAK0%ZDOg;x=9ogcBtXZE&25N6tS4)Jnm6ka(u{=}ni`$>}Qw8XQ%fiMi1?7**v3<!R&X+E+KFFSX^gdCNO!()W^7OZm9sXflz?tjAQ z@tpy3ks1+@0a$}J^fy;v7MLA|6tO+2DDf;nA^(HE3T(!kO4a#p>s05R;lu65^xgG` zd(YfRm4rvejx6pc=Wq{IP&PI=5P_Fu&Wo^%`r7S=QDR-|NPOpS1CzhXIwI?`0xLaB zM$Z`(r}_NjdGHz{Ign{OrDJ!5&3=}XSSQcErP@30h1z0bT^Me@Wce!_G@sixz2Ujh zZ~(L2lAlx>m^@E)t9AZKp=!ck5Ylsr;p3ni`B;crb`XBhwQ~yh#{E#sGb&Vho3#wo z%EU<4(VJlPl8<#;aCM=kqjDJN5-{6*{C(3&w!7vMonml6U6nZ+LF&!=^%RKix22M2 z9BClk#zvZ-bU(qL=Eu$ISe($Lc*b7__e49~<|D(WDZ;@TAY9Bd_Qa+M52Bm0_^mYm zI}ZV>==o=sIhSJA-(Fj%@S^uk1)ENv>a#ayp2NR|@eHJpQLi-Gf@i|^szd18pHv;8 zre5y`XyI$fZoGRe}F-W~}K+`2fDjh9jyl!g{E7-6R2+-vwo`T-w zvLn5r=H8l8?-F80J<%NW->lYIF{s{!na`K$OmA{k-v839&KC^UXt@7UtHq7ea}{?) z0An4>S0piTF|Oth9Jg9=89gKZy%%D`EeEkSxu3eB6!5gQSF7)F)v4RVgCtFf93Lzn zA`0?D@2UUvW%-Ahc@;1aPV6qy!DKc@#+D>dhGUT&vF}iHOJBwoS2!w!1Uy80p)i1jIz#IHem$^O#HTsx^7BB8PU$} z<=Lu!fS&U3k;J>F8PWwUuPa82{@*yUBjEoNCpMJ2M((I%x_M*g0~E6F7BW~M0OKw?A$oMA3bg`(|YIPwvO9Fkqu=RwRvX9{lDDA z2I?4&NsulHc9bU=y$qrO?_T)}xnV!cMkPl>PN+g7!1eXSLw_m-eMqzY;_zqu61M8` zN_dIN)k>6yh1@U}vPC`uuLq3|^*?V(=H-k4*D{eOTtcY;&s{*8ZLjqVwFTx#S@#dFJ)`p%w_-y+Pr8l< zLe$JrMdR8oo6&_MlGbYjDnZyIi-qJmh#ocf!+b_1$Z|kl81hUwS4Y>$^;{KF84C)Tv4XF5A?d5^y-gOO{b)AAkniEa~66|2RZMB zt9X6K5nzDi3sF>*c%Bth++kYB>4uxh{P&Z!JmoeGM@~3jw)I@5fa-6p5@bsJG|n& zWR_oOpF-K_Av5l>+xAU8o+~pwN3uc5cw+DSXZp|q0BScbPWmjWL2^>GkZf&y`n*(YpuC` zm%VrC!g$6_c5{cU>Q7U4si$|=T-v0YcB#*Dqa(t9B@An{x)!D+N?c+1x$8&npY^ry z1)U&Gn%~qntGXwnsFiK#^pv(eL9XaBP9n{bI$YBEbM}m(iTj9k0*cxUBxL3Vrx8Ss zb0hZiGhWTp!oj!rz2Q2>uTmAcr_H+H%yhShdR<4&Q9Xj;-?{>XQfakwMqU$M*iINQ z9VvzL$kx^X2ha~jyZvz(v8l}*;agGx=iLb0Jet%k*XnT@)R33cqyes;A71s+dG00X zXdoLk%@uIHbhbD+1FyuVdPj~4RJcy4H>}My{s<3Fh#=O3plW7`Z-0=x5906IR4Z9C zpCiH^$!Q{JLt?Y3MUM@iU6&$Izo$RK;V$fEdIYUcO%Fl;`JRo0mU5>bi&%!0+btmD zXU|)k_XYEna0hU%OrIdz7zc=0JA^GwLv9n#zFQ`7ARDm4pd=W5ISS?_lAgs^b&>IaF=jx-hlgKvFSD z)$mo4&MU7=W%n4Y10hrG@G_f2mk+4dV4jMt8ib{maWVa$(Glk(wY0BAns}8`PlI$b zDEWgN&2`TY<@I-{_1E$9+2J<)j3@9R=jqm_TK!|F{uP6|mj?s%JY}*-wh!(<%)Dus?$^>Yul}uv|z_o4tc?{GEQZRq*r6nxII$)z$c}{jWH|{)QipuDJG}> zX?bik#0Iwa!=JVbc#y4F{3Jj65WVuC!bJ1^sizkVMCs0gjA!Ly@s&Tjl8om z+C9mb#SxFRM4xeqSoh(8B{uiIiVGi=w>S86C|)c#?90b})*NE^J0#q|u`h`SYFHc^ z|E^vknrlAo6e$S_9pl*+0U!3;mu>A~0{aQC{MUt>6`;Z{iGMhVHCgj~Jzjv6C&g2c z#k+p#ZfM#&oJo6CcjDBc!Zw?l!#Tx(K%P|PVH2_!WKC)1TdgZPBCg`X0^mHCOk z$+nH;vPCm0KG#D|FlT+`qAU3``q8{??gm9HiN7l5C@FZPH%5Oe#Yg`Yl)HUhAdYJopqz(`YU(qspkld65uFY{MgaIXM#UMb8An)Y8uVdCgf-tV?p&v`rqYImUgl)fw5r z-O&Dhe|dlOWf~qITr8rfhqWg!cHMpU{X-gqp7tl|4U-@|&F{hss>n2rIDBgnyXL_* zBv*Q?yfqFBv4_Wx1bYY4BOo+pvb=EtH?{5ioYv5$JNw#UV?h&K9ARau}ng)NQFt5e8P(SxmL|7tV{+Im>KRyc^YcOEy`KEg1@@YwfIAb+6rE z*XuUE5q8{8zTg{`h6J{{z-RBNU7gNxuN5h5@5;S4m2;y!_0(eLqOYr{eMDz`FF%&h zCQrIBv#oee2hyB-hOd%|b5dW+)|LeL(fSBJd^z!&aM0x3Gk4QK27X$o;b;>d_6W3M zxM7|ZHU;Dxrb+`x7}O7r3*SnCN3{C-+_WjiTGbJEvHearwpw!-+y~|F?Dj@DO^Ciw zow?@t@D^JRmhTW{5d>9WT%et=*0EMBb%y0>@X4I^HoR6dwX7B?N=?k~gCw--S{8nV z^##)Nb0@?`lWG)Ag{yQy$*?N##B$>=qAqJ%J6-ieBJwXvh$Xg(LSIff0Hyek7R?B; z+;7t=sp^^j4=dW(;;&Xa_zh^(Kb5?)=u4pOH|Zl45)M=Dh*D|^bEoN=&$EMe{(6vh zewCBAsyL~8I}+ynhubD;uaiR0x0YBVmhn8iVKH6A!|~%4atH}xXC7eE_~~Y=7Y~^l zgXeuq**Uu-Xg&zKd8Y~7v*dydk&&#qugyeyq?XhS`g(X(vO4kzNP;8y{Q&mmU0gN4 zUB)4czW7zVvN-ptiwZ4lYlS+!?>Zacf9$Obgx1=oqlAt%Wd0A_7iAljv`~-fu;Fv5 zM>dPCqKagpL(Jq%%2rMaqIn^e4DFHOl*eP*+2i)d=Ae&6J!N7^(>`o0VF-)$nvU25 z@T;pev%3+7 zejD#sc%AkPVXQe2h$uu(QcS&U`Af8O{=yFe#fFGVl2ZbW!T*qjT=3~$%wTw%8{(ck z5cZWLh`TbKz{Ny4A@eZ%ijCIut-bNd+Bz3%6r+@HY`th{#irGvH@eLYoxz@xTxd_O zjp8X2rTXh`Eb}LaRWE!Y7&ancS~0NR(Vwd;M1f9|_|f&NVQK-FzVb%wzqzdn+|B{N z>5!#$au-LOMa#g}Mv8UHU^VZPm2*?PO7UB&6Y0uX6c?F&Ev2qCB%sePu+%!~+IH^+ z-cOR>MHt@IN@N>S0q{=nqgBImD*=e5oP?B<8UZ?|Mq&MNbD-?V#s_`0w~=&uZ2J^U z*y<$stN^(`!k-2QA!_e$A9xYo$zduOQ8bZ1h$M)7#uH8o?@|aGo;OK9Sz0cvm7~eluC^`{%!|gE_u`u@`JhThM%+aZP#a z-wZqP-BI(v>a$UsIWjtaNKYudknpjHC^|-x0Uem{{U7uidic5;9oKKu8YShwvdp2x zH+Zn_cnj6o+bo&CiG17Y1jUT6uQzcPecG_0`P(L~2R=AbM8K^W!M7f>joQpuoV&HF zAa(Ji6^V|LvxX*ug;txJ89aX>>LU}86y^|a&JP7~8VYH%I%jzU@D`=qPF<0`G|gId zHdAK%7m_{jObzSlb>m=J<|%JIBN2j?%+#-hOgJ32gH?K#3Fh2H!rxcd1yoNJhTAI= z7=n3`Uii9oDHDQx!?om2Rbvln>W7boPF~sH$6Z_V%(oxKU4IOO1U+*1>T?;wm!Wvs z#pTDlPsycbNh)XeCOcs$f$VCoLI?SCzWhw8rMqj%$k`{eyHG*z~ zO{J)=t3zY7XE$jsJE_0GxTk5urT}uF`Z1VIQFAY2OV?|Bmm~@QDUr-^6>accb6zK% zOshcEr`#Dw>U|}@tw2aBzb}=!h@evyq2N5C#0B%73Oy zd1BZxn-Bc9oyp#p zMvmhTkM@4j#2 zLbod0S6+5f5Wcl2lJ#RYmqHE6;J=H}iidRFaY7rP){hx!$7N_kvN=JW_H@;S{k!5j z(9!m_Kr`u{*0eEyk$9sWgzd&|%qY=N$tIAxhwY7L4SJMQ)_4Ufiu7RIo@ zIYU13BGcGZqkNF!RC__66IWua&5CwbSn5aWdyXOh`!I@;2zJ@A%cS!>$W5wuA{?EYc{FVLcRn}!Edi8$rF8X8fe05_18A{S$iMo=9!TqPO$D*)p=z~ znn|K?1l} z5TOxGwDCI;s$i1%8+90!c+c7TD`7oe_bVY}wb{7-psMrvg(XGiR^P`WyGk=R16Csa zNvAzLOiK5;5~BIwnq!TckVNUX+tKc*!qSnYk82GiIX|fJW0`{s%9YBLJovLWPu+T~ zyTAJf)Cu+D;TlN36UO`lB}F{NQ$QmZ%u(1cL0~?FjG{Ol=)a z*xuw~$LC-5N%qJ*lP$R8OcuK7YpHlOI3?BUDkncf6nU|GN7buGGQTl9T^5`wmgGWQ zF*sNBM`G+ibJ8nV;=e|Js%@NB74aZfr7BPDcNPcizK6MTIo(^_IT6?*t{t;S(fOPZ zlQt?tifCrBK7y_u;Zwy~aUIk5?FAs~V%?wv9zMDn)F`VHnv!mMaON%txkZd9hMX!S z>6``Ld`dluaAb|B_na1~WFQh)P;){P{Z01ZA~~e!F=m!SC?*MhutqLW#>Q>=tuM4g zjzol?$jsbL3Bz*ylJ(;yr^b$QcG&K$Osp%Ik&S>RxNwlgxjZ8Cw1MYuGWVQAW`k`B z2injWob+AUy`~t#S{!oFx#5W6joThN{cDN0?CZ(nOj2eg*Okv->HSk>9ooCSjNce} z>k?IPgb^h(;is74vOoUE=JMmc#&FJtHWFWBm|Fw9ih{-2dN>!|O*?b6m-v;Iz|sGp zbEWg}n(klOL(E3$wPCDu==RwbV5L zEBXna#-!nRY-dNnkT?kL%6wl-`F@gu(S|b+xom~Su#vt_Oz~%|S_F4wtYl5-z3a=i zC<58n&0QQfw?OrLq2Cj^Z!cKJIs!<|aSesa@%d!T7`rs2zIo1=Y&)Yk!eTn)BA)eZ zIM}x@r#g4tzkmH0@kK5svTm28OVtuWIfB92Qu>G|;T`&-xhc^8d%8MVCBB4?Yw9XW zRfz|S5g{AZ%|#oeu5hLJS8PiCOriauB%vFbvOOi|1U3Yr+$uK}evtj+ku%A^R?2_F z#4v3)w^9&xIt$MmJob#=WcynP4ybqaJRTOj18yeiqonUBhZJga(%~d>pV%eo|W{Bc%5fELM^k@ zl6C?#2E@)6f=#(nknqyZ7ZSPd@hw#T>U1?cM?EM{bb1m4y_rJREm{Lg7??a!c$Yn* zNjfQDk!y6N-G4mW^X9eLyA_X=>kr>))Z&dMw$5Tmb!u}aVl~aY>#7SqbMMMHQRDlc zuzOvL20OZ?#wd|ZOp73@k!mkh!R;Kj^vF7meIGUItyj6@os#DiUFftFHJZD>szcrx z4OU5Ue+NsyJzevn%IV-U|9=%8QbpNX#oH?rVoIeBE-4UUE?|;zLcQQJrt5Qw}i(bFkuHfMWErk1* z*O&orpbTQgR|+bjL68npYx~2K)?a>2K>yJBaYTi0j`4U&K0TMq-jP)Vi?UW@vqEn2 zPq%6G-4n_+>fb@u-H4I-m1AWv?V#ngwpg9?>9~xET|2~rZqaW_f`k$j3#?#HZCETO z{+g-DCOtjnoAuBOenp)}lVP-qjojIo!}xDvuo9m1KM>l&BYCzdzh(%*eCxOt&XJwX zG+R!8vndzPfqxRDMxr9C2am~p!!7$kB8|5ZZ##o2T>%~&=;i0plbA+=yabd6M|rnb zC`M|i&Ay)vMLaxaEco;`?%@k|b6yJ(xjT{o;EK*R`5z#>bxAbrU;wusZYa-AeB_Ac+7dAH^+)A z*sNEwjYd0@7)-|)j6W3zj19shHH@XD4T7qpl;m)WtUqTKg1dZ_Y7d6@9LWo{uNKX( zX9wV4c;9kyE+ITvZ1eFGc~MlD$TS-c7PcmHrTJNYsf+`Yc?UU|98MS(mD!^^%ohhv zaIbBVig#rq-{X{SOf4~}!m{33zGnMQS^U!$d|bj#-KM=XI)&{uU z)Ac`j)P@WEn;G&m-fq~@Kj;~7YG+VP`5*uTr!%?Y!hxe3oAvcAG}5)C9S(uox* zVnd?;+iQWOIdh9#BBD=6;VMbiQ#eRN20SC$6Gb+{?+LaJ zh)P_fgl~$*X&3f^;F&w`s0LIEK~-+k1v{Ji+vDC74Y#-BelOGbN7jxkI-6%GXDe-N z|CR7%oi+t0`3$wy*M|nM0ttxqr~9s^z_x$>^02*HlV+bX^ou{C+0-%@; zcJa?@{;>)d0jp5ve`gggOB!RTBwB0VKi7I^6P;UKpl8!8Y_H3HzuD7tEvsXrLD{1& z;}$c_V@;p69$a}GEAzcB$of&%%w=pkcm7|EcL_wV5(HP?^U{)gkIG@#%v^29h|hH7 zTqD0(_ru`NyDv1dPi$tu)%T9`vKVP=3W81HUrrR;1kTXkZ>tr4pOyh@l_CwJjz1_5 zdheH|A^q-7P1)0wYm`0(AF>+7!r8SOclr&eNCeI3_0FGomzT8uzR^E#!u7v^xf-1( z3RVFBAfy;6uHZjVl$d`-I-WCvaMcQ*@`*$wWWFHBGeO6E@^%;d7BqQYaJF!{@e5@euT3fiH?r4OVnI2-{e}q1QVzaFG?Duo}HHzlRy(uVR z98M=1l()x%BL8~jt?(`+8AIYZ3)bHK6#K~s^!aZVj4i1h$v)~9frWH^1H7ueyv`%k z@{mf-)*RStL*b(@PPOI=r7D*9Q!RSi)nqg|^|IIY_m8V8qU(nhAeG>-X46#wy^W+g zV(uf=q4V6YCq4|2V$f^5`lLmiR9*|S3c{Jhw{Qtq>SHbEzqb=u=PP zhDb(F6ThvCz3~O6^ZW=ST-W5A+Djt1_t9liR6GquPVd&=9>y;Nwf3tDN}MV;CX~T* zB>R=4O2)AonwX}YVf`s~C7HN%s>nu!8#{BuE3%`giTtRXRoT%yc@2~3qcshCHXO4Y zYw*0Dv&!tqs8*$G)A)pW5c$z2BXT`V0HysM?4sK?w!NFi7*^vsCqf)vcQjpL z8F+U-3oV(z(M|~We}W|%0D460?!l?P`Ev&vw7R2lO5n*sFuoLJ1Gy+?e^KY6*wc!s zQ+K<6fduTt9Q4b;U756~`;O5qHRYF~L~YG#W_i9zCrk%lqjXaF;`zD9{QeXv?EQ)X zwSbhWWnnkLknX(YO!k-Q&miSn`6d@59Ec)C7P1xc!8PAQ=N3-Jz!=Q7vVg0i5NK#% zaE@^*X=&{Wogt*|XrzJ}t7DfPM{7=-iUuZyMUt#K?)foz*@eKZWoL*FH-|ddl6Lm( zRs)<_qa4r%W6Vd^;LIn>R}%l&No=8}xc@V>CKy{mpfz8*_^^xXvuvuc|8JDNbyyVK z+wVKXBPh}eA~B>$=uje3Lx(6xH$yi964D{vT~Z<-QqrN)-5oP@N(e}IoHahbea_kM zx!!&D{%bDdx=>i_UUz)&??(s~Lx}J3RXEFW1yRSkwFK2(k5)(%98YRYPB>GYn#y@) zaRwIXBduek6pn|P(uUA-@*fnB=nFS_m+gkNKJO`xs0vG z=^u+L;)vSXtBqfsEp&Oh;~8b`RbT$2IiyB?;(AWrWjA_c`to}DU-yCC&wn3n_+E&D z|76{-X8{+@4W|_qN_$IE#-Dz`GVrLKqVt=34t*O2?)oqcXFB5~Y`vpFqd1d=J>BT| zJefjy-pbNLOqk@`b1t1@(=vRY40Xw#j= z1!N{HDO3bbjgv-8xly9m%e{-Ab5+p(laOJ2ib#n0MT_Si0&tGP#|n%>-swq*eJ!Nd zznxD+f5*>0_J>@&#@zxE$aWEnmZ{(XQrO&dAoFsCIiL;iC!-wfR$@RLzQ6`L@BYa0 z&;BFs2HMto#%i0w3h&c*<4?of0G_ytFIvn>sre&t0s3pn z4ML9S%O>*=&qv3qN<)%9yoTBW8I^0+SJX!G{qNx(#z%?Rn4fl-UkvnoBTht)Y_=B( zsl8yfyK7GkoWv;%T|& zkzPIAP_(kjToM1C9z5auquodM?xHtY`^LcLAL$%e-R!j<{ClGzZ>t>X(<>@|?sImv zg^&hqJEUKYw(aqfTm(6nX>LqhiH6FeM)s?1EN1i^9$OtP2BbG{u4hNla8bG?T+{u zRZfBgKM{^Jn86+1v-%VA+v~B}A72nAzO2RT&7r59w*rs7r#Jac&B|tWS|F0(oytL$p#gCuh1iHpQB2$Zd)>F+{{-;|-HRhu6tH2iaJTLAb_eT<>`J`{n?QCl z19!y|0YNSgW}U9BOfZ#Kz+XAJFhGeQZM_{|J!&mw>RxBuJmwVB3b zT`}s({onHwd6Cv61>d%afEC6VnSJ#bK_U4#S96B-i13-Jwuu7os@bPwk<4H=D6~8X zfnu=M=0N)2d!`hjDwECR*m1{#*N5qzj6az*N=#bVh$m{=qsQd`)bMq1tpaWM+7T-P z5!_6D?l1SvozMAu!&b#Xj@^{IUUL3=)N|p71Q(Z?o0Kmt>%4wHYb7V}_Ekx~r!EgR zF8_;mEe%}Fjdw=J&6DzynGM(v-bULozOTH+CIFBr65i~ZUj{zKUMG-hPnp1^@E_cMO=|g6mBH<>2OkzH zLAqhW8+1{IWoNPyNl!^nsw{N@_Ce-6QVPJ1_IJlyDnI>yqzjdHNk2cB+Ey56x<E4`+wl_4KL_*wE|b z{q3KD9#X3Cob~)>U6CvTGycgx-N|FxbNh)@(?BV45sL=z4(iE+^Zs3!le-xE9no6M z+h9)$gw$3wx4aq?WU89mYLFRz*4;#6A~PIB<4hLpY<5s8JRLC)1j(pZV`H|@!a~z2 z?#{+TWb{D)%vz%iyXlYyxv3g4Ntdjdx~->>azB=^G@9BON%!-8wX^$u+ZwpDtA_BS zlot-BbbGV0`RhigGv;mY*{jhF^p(c>oPw*kiAaw!P|2GeipAEt%G5^HobVN!68jIi z0Tqeamrxm*33=3&ivYOT$E+Y9PPqUQ0`~}!4pP2!mrb0uSZ2$E7C(f9MeBnwaOB;N953)A6AtxRc61$4@=2;(l-HcbV`nRZUIg%5~XV7+5*T-c4}^fGGoT zY6eo3SKT_D60ZF1qWbzGigWU>Mtg#i@TLBi-&|fk*ciLlwf$jWc2_IwkBh~*#2xY{ ze)Dm}w_3G=Ji)FH@pS8jIt^_hv539=AwO=(hD+ryPoxg`e%KX1Ru&SwWG!ycSEwuI z`Bp8XZgI$DnKxod*brP;-!|?ghAI~xwg90Z-@H>JI#_$UZ3ANc8Y3%mm;wWuO#vxq zp^b;7I%@HnC|t|30oIY=p^dO`Y1ETT2Fy6F!-PbH*edB~<{PAv*0vf29p$x2DiN@N z&eu(S6xl_vy(I7bPH-c0w4VYK6yOV*QpVtN%9VVZ8q~+B&1PMlJ|1?z3M2o#nZr zhE3J@{%pGlDVE9K`dgISaP_5b@K^2Z z578>tM5=1A7HWpoi$#MtH6f$Z`yi);8MuG(!ulgb2JysoWFP~@L*N`;v?WPjafic? zA(p`0!NU^`FX`!#v5e*fgpMJ*o2wHux9!*y4Jl+p^1`X5^rjab8x+U}wgR#pZOj`> zGeIOBCdRyWB|DSuu4|ENJNzn zVuDs#*)$mRYhFmvd)F>MIkJFP7V}eDTKZY>Oj=?amMjU@D5UZ}QMFB}=2lhzPH_D1 zi2wLH`G$YxBcI#|ZQsbjx(pFyyOW#`_L2Hs^M`+YFQjFMHS~eJt7LX#211u|4Ys#(;tP3L{~j%V>vag2iQ5m2~ZcTbkkd^Np% zB8Bzlzr_F|&75TmcmQfTk6#QtIss{duW>imYCe(^vqMlq|MijeM~c<6S|S$8)~fT@ z+fb{~<>J2;!O7RXWeANJfE6g)lbYSmAjeb)dHvZVcM%@bNlR#Nvzzu62XTiE;cPAJ z7QEjUrzA8^G4ybkiCS#yGuzF2MfbO@wxU<+SJ^c78;X%nU9Ceq%}o`~4pluFRJ`|K z^Zqj&L`qNTB7m(6JtbB?ua`+_M1fxcGVrS(eeG@bY0jn1=q6bKNnuxHE7=0Dx8zo& z?)m3O)2MuV<5UvnYvEM8ri`iAfN6DPj5v#zwWeMQ7CY=2uzddUS_goR;vfbb~ zD6t|cX17H;7u$6ZPp_=NS@k@7jRKAu9e0WsVKswK+1Yy2&O)eLzWg3h`6*N|f5Wf$q9_E3{+uqUR;1ZycF_{{X1xr(b@g#Q>dKG= zK}C9;5s7i%G=At6@A^Grj;=pu`9Qd;7KW}`w`=AbqGy`a(>zS_O|D&D41Btj38rQ= zD*cFYAshE-^&4#nm3%1VU*FyOrOg_8O|E3*FNG8-R>r1|4O!`?rGMvfbRJkq18Sof$VQFk|+H z{h+7Dk7UN3tECd2Q-FSgX~>wpE|0_g8~mT~1}M44&(~wK@C`h-Ylpst*w_?4vwh5@ zn@>XDq=0Bz_-m9r@d9rL3v{)|MZb(_y0WnU4O28LJdd`V!mIa0MQ2fQMg7Y17EuuM>E?>) z0d?eCCvTDOO!Ds(+UjpW599GedL8ZW@Fk{snU~C0Wh><8t!FMNCW+mty`J1BI6$(L zih5R}Pw#YsZbgn>%*M==G4?fTi0ZETbUVWd=_l}3Ky1a!K$;&D?RvgQhYLfil$)=p2 z*?Sd^%yCiwOnY=_=uC?5&ZVC#<8r+UdwrtP%x1V)_@6t%< z9oN)vBZ+*5HU}5w{e}0|;Dc8rEeHR6vnY&kD%2?)n&ZkyU+nZU?&AIiww(!_NKEad z@_u{7pIKeCC#HM>)?Qt7Rg5xAt>lCqd-oSrGe}4Fr8>S$dM14A7W7i1nsO(=|AKEP>Bu{X*4)e} zURM}haeP#y5jyeN8gv%iKQ@U_m@CO+V;BOZrxw-V_N(_7Iy1D8mu-j--0guxExPpn zYsTGnz3n_E$l${8k@eD~Pn|eu^LtjmCvF>E(khKTu^qP*ud34={VP*7aYGo8bOnej zu^@%R^{-)WD|qQWM4u<6K1S?YR#-naJF{IU4hU1mzbp{PzqkDc8*b^+K*~c?hDA#| zCb}Pee<^XEbN7kB*+f%}T1N5wd5~Zb;Vq&YpF-a5%;L=2OSbR=0xYYe0yu*C=uOFH z9%3v?h~J-Y^((1%6#j#v1^pipLvtUBsdH*&y4GK1y z8)W}iccdp07O+qN9-lFy$m%Mop?BM?1C?v6N5 zy&*he#29*dAsf~aPC=^ii<*md&B>jBp)nX@esX`neyc(UY8PpsM*b~iyVod@mF?Um zkRpk%LG}T|R7-4E-(|~pKP%Cz6H8A6M(?V?<9{AZ9#b8>P#?J^eEs-icTF%v#xgkxlMS%SkWPqoRaigY=Dz!pEf%5QX0Wp zpA56|_&7V?LzAgS3wbA$!5p)n`OAdw0t!We#RczfnGb1Z+fJM}0$q(9E-XVjD&sM36w7ip3}&){`%vH<8%zMMnQ>@Uvo;A^5ST-}r3}j_mthnzEdF z?QIfpoEE6CLwJV7o2jZ}-?-c>yNjt$F==bE_@?7J(N@k2iUKTkthFZw-Szh;-;6WD zxjC!Hg;nx@vB4*(TE7PlJ77&!16x36yJ6NzRue&iY@@!f?R{D#kx7TCR`?n28~mbY zl0b}?@oX;(b`li}^W2cz@b0`Y{H9uUn71F6@lWg|>vFa;tF=EwM)M*IV*{A$d^sS8 zUf6r$W4uw?rXfo;%@{9;G;QJf)4o+yRvBWYVJbFuMP6b2fpF#WB{v~CwXLgZyEo0} zn>yEnk*f8T?zmAWtKnCE;QerGptXMSXX3zGdDYsydt$xW=Qo*WPWb@;@0=6b>Q|b} zMkVie6}npv1JM#;_{E|mY74G9>b(6`1tp&DId#e9W4i)uV(UzHJanOS?@7< zp8|Ns84~3dY^0DeZZuiirPxYfDEf>HdipOs;~7z#%^G&%B@hWTeQk{&CCk2Tj4BWw zK^9UuuM^?>Z*~$4e~K=7x1a6YlUPo&HO^}lH1I_gek8NYkV$_Pqi}Uvb!5am{h

6biNpFz*vKL!IhspB)_YzmjgNK<2*3epKV2)or8f`1vi>0{6s z{$D%$^*G#M7elj`R#lNxNkoFQrQGW)(>=Y9X^zQnW79Pp)-X2F3v6hm0QgMrmO=$# z!am`(KOG$*fy>v{UY?v0@kXxm)^KVMjBhxk`7JYquvdp9)xkb7+=wr-das5v-TZHG z312a~-TvfQ6^(kfpOb2NeDn(yWXuj_E?0=je2Go)(_cdIg`>x6?+y7zC?q+&;8J9S z|94Tv9oZOqh#E^qIdU!8l~F;DK92kXVB5{qpYpGYLmux3(J^Xtm8xmH^do1`l~qK& zG;s@sXpDW)I&W>2YQSB~wR^Tm#|XRGvW_o@Ie572{j>3g@xi#_JvI8J`v!_CG`i}` zao$~WDKC#=)vGyDHL8q68ia9M!V~VhdlVk;OLS(q=><=_S%w^Z4l}v)j6t^HuD^{i zD-mbm$XOoBA!lpXr1V9xIVhithSI# zOgt=|WfA1VTd*pSjzQ=s#Bd8A5iy~Ahg?vpj-S&b7w@|C+W>ILSBcbIp3tBY~!D3Z}r(pHiQLlnGiwp3sJvofHT17ipdV$ zgp%q;RQVQz$FAlEgU1 zKowQB`GH}o4%;Tmj2Qg4&0cR&7S&~4P=+B6BZu@9#Bo}V=1R*~P0AV~X-@vz{^#BkiA;MI)RPkrx*G)nd#Ve+yL^KeF z>i+@4&|}30b!9|*pcYA~o#}_VlOUon$Z$8g3GujShK%#Rq+U$@tpK7db_pT2b)s>Y z_GSL8f5H3|pnSfjNa!pn&J-Lksa`7do(Yt|Tqu!Y$J?+VS-2qH#F?LF+M)emt9i)p zuX+K4?g+mBIpocRuj#N2?57+~UH`R`b`!v?_l1~4d&-U1L2){_!NfpF?YdDj3Jk-j zNg8OEOcaO1Ia#~#bQ)x)fjwzCY&(9^x(f@Ym$qsaGCU$s*Y*of_%_V?%qqld|oVCC5m}PO3>A1Ns_84}Q z+}wQ!8=81lJVtg*9Em}Nw||wzenEc2ux-?L-4rD5YVe4bqkHfTi@-5CZhIf^XV}|> zyy*QtWQTfBfQ}d-Xtg8U%`1-yNH4x1J zS<7f_k)%xt@a6jsPBn<}Ze55m;lgZ%I-ZHU{k%~J7E&Vh(=#mM?m+>xR}n%N5?r+rX*kNol{m6w?mh*pZB2g@)meMSof zn&taP%VEF$Y^pch{t310u8LaHGuXNe=e+J>jLU!=55~h$p&0K)rPq&+90U*?SH2M$tvN&Yz#)y5 z{)2*)n2j<_QV znmINuTx#*_{0YJ=+af}e;v&@sO9Hmz+DsO{{UZD(Hhs7+vBEymp8YJOG-`kNRqlng z_BW-p%_rxZQLC1f0SezTgcw(aXXo=Z!~jAk$@0r6J?1BB z!k%&ZGqcz6290K`w{{%%TRK^1@Y3x&C|C*~Ek)_4-EiGwB zfqi2RY6#)BIeoElYl~d6q`pn0DmN9amL&f*gw?&c)*%SWkg0a%(n_ z)-j#xjEE<@0us)bA{sr?4?;NtF3R-t?dGA%fgWe{j1f;7+N#9Nt~A{@J7EnuHOGqS zXDxY``f{2QM@sTX*~(W)jSMm`<1oSz|MkZ~E88Y{=Vhu_`;y4YuOCdQ{=;r6!15u& zSEJ!Ld}zFd9qO@=#J9S_CMAFY(=S!jJfl~+vaH$Pg+&|j6ynr-ED}}Te(!=Rh@uWuGw{CM@az5!`p z$U;Y%&uX|OvFV4;PZoNx_!BE2({mnzS@V6LaCk3+PT{_=PTAuWx2T$`1!Ow!)=hMY zCfC!s)-SoQlJ^vPVa{f=2_B;aGCpaY=Fkf~39Kgw)%>(WPYaK+yoP)GpW`_v_IVE@ zaE{qM{Z&%ixhdGsERJ=|J)e=<23$oL5#La7ESk`3=aTdHA66xnAOE=JuBXQ_YNY_B zeBr!H5@1v{Rkm5cj#SLFvuP?KP3z>#6FoGwT5%~cqFht;u%BBnn+-K_l3z8UdBE*}zuXtrY~reCbB}FDyHZ#)6(lS>8LX;IHM5&x*taHB;yi(E`BfRtbX}|cs_54`*9d!!TE@zVPI!@N2Uq=F zF{L%774@27Svl&)xyD8nllDTluHot>RVK=Q6s&e^EwIzsr4!|bh(r7v{i6qOt%bZ> zm(_O9Ew@bDRI=za#B%mPAl6E?=QzH=A&y`p^PMeFaiKx`qax8hdHa#;R9cL zwt{;zpJbo2gmuB}&zK_3MM@R5$DSs%)&z&GR~qC!S3@p@30BD-^}<}+5+aBD)Li{> zc?;WYWITqr1HzJ>WBnSvyiJ^YPx9{xRjAB+YnxTQc39TJTV&V?ind^g?n1j zf6jS8QXGOV97Wk;T~4Af5d01IpYy%8OTX8mOi!>OKa=~Q-?6Ps8n>)jZ#ALXHF1k^ z-mX9e#_wNQt5WTC7N1G)?r2>OSj&%t^juHLZeBHTJbHTlz+{X}Y^uZbA9vIz^$P&c zB|5D3TFvWo^IoZ(d*|xT&#FIm`(dEBlZsysk2CU>81-6nJEm)|97mhJKo_WSbhf1#yQA|>L$ zkGcMBmsWW*dn4Dom995Dzr%IG0NhyP?ORRHgqhfdD#h$eI!#La>i6Ts=G@rH^?oMr zgn`oP-T+O{h{&Xl!)vhsqeYgyv=LL>qx7A968A~n_x=1T7Wrp=P5;tj{zKiaWWlTx zK&xF_k0ueBL|>~{j08kh1_!1L;_IV4sWH5(QIpcOp68Rm;+2UT;`Ji3&B5M%G#s~& z3dq}JLk|22TGAxkMv!z!b3eR*U}I+b%u5aV^h{I@ciH|~f?0J`*OLM|D33yM{>&FZ{hxDo>k9wmH3!;eJ zk8t2br(o4VrXtN)y&<9@vVkRyH}2yMO|nh zZ4Q6rP6Ds?5jv-!zwgZ>bbXV{ZFHdToI`!@xpQtjmC1Zh%W_#&+IeP-yY5pH3&} z!KCWN@;Lm8p^;vQk)}bfN_1@s0T$0_mBN?Z;J+8~@4tc%(DXt@Ek9RvV0?=r0kTxWZ96l3L7r+I#as>v}A&;aBFKC`?HS71A+mnC&;I&xFwLRqzyTulkFxBl7_tsg5R?SJ_VFqgWHXB1r!!-Uz z;t%k%c~bgA8O;Qf!q#(H4A}jZ8V0|7!0%|j4*FBiCnipGL0J0}Wv_7fhLE#x9KF%a z;dSZq#jeEkm#gOk3~!lH^tQpk70MWl`tsv?GKhJ zyIH46d}*ksBVNr!>fd|n^Y4#GWRSjzTRY=sWpzlL5FhP;s5h%-0m7PE>vsBfHae;a z^OxEni-G8e>)zhguqbCTbp-KD18xXY_?U#51hrZGC}4M94;V(P#2 zF`+X|Rz%~zio9_C{GC;zOA@oug=KLpifooBqGmm(1?8hc=nAp4f55rF{I=57dazL; zzs(i0Hxb}B zVyo)LroVJfx^S?qt0*~2h?86J;u7BCV9y}raYbivT1scI?gowMrD>^gvXI240U(Oq zDXWs)FZeWqe0M2%i+W9kkC8@;AXF(hW8o0IlGAtA?85&jw(xWQ>MgJ>6^M-jBZo0g z+dKV4;Ak-V=n2y8{zlyJ3j!3pZ_<*Qnx5+_4;~4jYYoy6FLiZ~S3-pFCkp0uF+E>R zhdF10K1hYQyPpq$rX09&^x*=}@y(%rw4tyy0B9S`)Y@AF&Jd(z{8wo9IT2jrzp!^d_{>YoknZC5lftKknQjY?E2# zXBqQ+B10z6XThcQy^v4pv;O-Lh^a@~fP;2+Zlk%y5>$N1snz(E_$Z0}sc0*aZ-DnR zB`guG1=+j-4R;iVj__NI_!9F(43_lE7-_1q25a~GfP(gnFLab_wYR4DF9+?5UJsos z;YYj8Zln9BCd4 z!KEALg$b+WLs6s4Bo(B*J*$CPT008Mq2O5jVMgN3Mh%9`-d)k#)@E7|4P5@L*Ba6%6pq(6X z*ZoiZ`-xMqAsz@MeQa{>Iqql{?)O?CVAK(uo}ETJ(({Njx2G-d-9G{m(|rn{00RzMljc&i~BsVx?Ue9AJek141qO&wOdb zKdIjKNn?N?W)W^feO-9p+IGIyc@#6}Pdvkftw)-QD`%G$JbjtmH$s1wAI_)38f8PQ zIPk0RHF61u4qDHrR*)%(A}#Q0Zy#=Yh3HI> z5BS6++&nmUr}Bdfiy{is#H@)@rOcjJky4I}2J7dQ_lV=%j*e#XNx`stcUPAlQ+<|G zK*#=f(e5wIZPtk9a?6|5*4kNK+@Kx7B2FBq#CMqbCQTVB+|PAf_7bS?77#-a87G6g z^$xI2eMG#5!P#mnr!);oAii$N<7uZ}A`D!%i=CggE*Cc6Sj6~%v9Qt)rMLkgLbe0m zt-02wcy;HSg{?vGqE_=aFe(uojLR&NQ=Ov;Vxt@Mx+Y zS|HA|w@hX#F|ZPCl{cZQR+Kv9{Fock3o{{d%6KE(WmNE3jQ27|O}n(}x-3iY*8BEa zjPlK_;uX?z18FUKcmV<{C%-@?Z&Q7K57rDl8yk#mIDI2j0KF-IOI1+oi-eb)08Eh% z4(X%`CnnyUD_qBWa>lOraIJN8uu+wqosxit=y=A|4tY}{E_Rc!#WBA6<*gCmxQHKL zUqJo;WH=bOY#%-6f1ttu(R18TU9_$E#dy&rPZ&g1`yOdM`kG$Z^E-#xj)R41Q_bAR z%zbretrp*M{B3Fv_s`FWY5}UL#dR$`>0v9^Kcin>Mv=`h|UZ;yG*Fe82 zt2IKa?2PRs|L?@*Kl#gl_c0WTTgi$+R0QJYcPyh_Fw3_HZj{7LlJ$5b zHy5_qmQAm4$%-bfmHPdbaNRFed?-fXW-}tKy5y*sD7aUn0>5O{hOh1x^Dn69d-X&= zB2>I;8(!<}j^tNuJk?$)i|HT~o86Cs@g^jsZz_86$bR;cg~5AlALodg1YZvE`Bysn zh!`;;qorl?Aky}zo=2u8STCuB47X)_8+#TJ{2q4%#|x{om^0r!grJn>&dW?d)_~M4IYOK&~&;Wj|pTK3GR% zTF(KmJKSv9oe;auqr1Caq#lik6qda^8|UBPI{*cSl5Yk zuLO^SIgIO@S$5#K`FC0oGb@oq(wio%%_Y+^^=jYzG#0_Wyt`x-Epe*sAKs2In^{9=olg=(h;Qd=mQVq0040=0^rKlko zf~!`+pm`X=oPmpV>#of94UqNrB+&;57wrS>D()cs#$(f4XG*vT7&;pOsXHM6`6WJM z3vWF8l`6`;_^o=%vfFg{v*aRxwOA!Tvr?O~ZF+}Ztzgeo=Ms)j=QfkKY<-k!9UBqX zk-WEUnQw7?dp8IFFytzt*xOrvp1S?E5B1(|{QpTHA^&^m)aic>wndOn)k%N_EbI(Y zm}h$@eZ=kuDgx4(N4$Ux`;yeKSBgeBVM5M0Rf>6lqWV-i=(TWofiWAw{iEJUK?##F zUSg~<$K(J-NHdXRF}?k7C5)>x@Cz$yFm(4Wxf{(~Ii zXZHkb)=NhtA#WTtd_<$MWcFDYhOjx#f_reWx1N297njMFejG(}QKz>p5#_yEd9=`4 z4SN&^bz}__S{pzWrLMOX=+YeU&Y52pG#l&*dH+YFyPkff>hQOJEc2{;))jK zu{LHKsQvb51#r{g^{#byd&m2(tz$7*ym1C)KX!S-5EWGTXg+%X{79SSa-lEo&bH3? z2fikfkep*>`4>zxp#03I1Gchjt!P*FdxL{SU0hAhEDOfQUbKmdWQJOL8it^3mdDFH z>oeQeWWi_IX~Ig`;PW5OmNt_kWezw?;jvIU1(dF29(9DLljQ!~;l^m|ZRWJ-tz*Di zu-hu@3`E;wE&^7;vpF(p_;FcO0C2=)4j!B6{)GL{DKNqPz6dhvCx=p$guN%VD(A$if z_3!6B-#^UOeyjQFR&@s;Xb_@Tt|i6ju{-3RerJ4@!qrYDXK$J{V_8_-g7zq9*X3bj zN{PmXHD2zE!B<8Dvm^OgNm5fz-(u<8((eE7<4_k{D-F^Ww)et*ITtqb zrJZ|${g*^@7zy+h6^j@zF-H3~y+qpuJwk`2eNl`hlF&slSZwPFh5~OqgM2WNx=?&> z+LSErV5rA5*Y(BssPhEo8-LvMFA_dH z%M!xuxYf#`q^$CuX9J&=JMYyTw-JjGFX9$wcx)IOZFj3vV=7xojMCU36=}+Tw13P! z;(k+rsAkP`Q)%4l>df0jaCSUHjx6_{i$;BYvchRIw#&yoUiI+|7b|Hl2tdpQB2kAI z&^wI{dpC@$$+Pc)E%l+dKTBi7cR9?3@wmLeAgC*Q!nEn3nn5FMdv16yc5Lg#U?ASp z>p}KE9~>Ie+oxZ&+;xmDR?|%wZ%=v&7Cq5)Km#ze)6)9X_Mn$gJTX?J;321>L@f{^ zwt#b!KIV4||4!d^Udo|y;jS+ZjSP09Am{6|J7^CJh$uU(iUbk`zdp4ChQ+x{M_`fQ z1dWp_;g!1qhFLEw7EMB9>7)P9(ttI*bX~X0W`gbOnKi;spr5$#5KzH8`0SfKt+Ki;@5- zephoeojBKL!(5a6OwVJK9RQgI=4E>Q=#u753J~#|HZ2PcNx!rMbI8< zVu#}T)K!=q)oQ7!{eG(N0;N(H@q?V6p#2^AhbO3HX+LxLiN79i|V zF<=P<$IIr5rD6`MZBTDgT+bgdz)N&P#_scF7}wbm6M{QVwngzEA#AvXYd-+$LGp5p zX1s*gqRB+Mo(OVVRq9g@vxx;mLonOxt998zg-t9A50YP3J?ecgd5It62dx|P7xwy@G?nK~92;%ROYAEQ9Go1Xow`bIiTY;?xdM(=6&HW)G@1^q#FFSA?EuZlA_#RZ8fNKEn8tnZ zs|^JMAfL_V?nHCSCY$MP*E+JLs?-TqODw-ARFUGE<~ zKs%!Day&f;yD;>l_d+4K1ZaKDLqwvnX-BKNo+}eT9eA$~Ny!8OvW6!Plo2c(^DOsW z3tA&fd5+OvlY5DVQTRL^@fkqbYze`?g{(bJ1lQ!1#=zN}`yYJZAf8gLq#*%WsYR1G zO}Sr>z+`e$ZK^ftp9%v7XUJh5=RC*|T7hIf77nr)pGngH-Q$VwNM}l*>)fJb^4q~U z5<{6`sklCNNeiOH^r56JDfALuGC~4_J6=mG<-_Jofy}bT-Q;t9Y&{dD^YWYNX8(#7C@3VG{lh~W;((@;L6pB zSyqmK!#Li`)d&Rl#j%<|j6oO((s-W!zGN1;U;z7J7SWI6a1J-n)38k0!*M9BHZ+4s zcms0stz*jDYq@CaXbK8|#64F#T_SJ%x^=JPKwazl{m<>{LO#FjWB48GvUV~IE`%O9 zb`*3eiuMalz9|$J1Hc3&CKu%$LR_idmLh%Oy^nGH{vMkIk94t);b zgto)@w`}9x0n1leGY0ZZJBJh^+S&g9X`uY~HT?QCZY3Xjh@BZRooeq_g58aOO(MvQ z?L}%~pCc2;969>=fpokA6_k|_;MUGq^Ee7fp1-uP-Yw*hxBcA-Jw`TVgTC1tHP-?{ zA^tPqVC9H=<|^d6t`fDWl#-m#qX>7RYf}ZhHFiq=4b_sCyF&d^G|`Ngqap9ZoIb80_=r#ki!F>lohm$bDAwY)xHcKJ_~B))+wY<*MTF zqZBi-sZDZ}ul!fCCLbX{5+`^jDNUv5y0oqqIbF&(I#Lx)uHyy+;6xokXJ^v}#Z(&- z0=Ub@NJ$kDB-72!`4nZMZYF?w3Hl+>6tL|!i&GLIB zlOV_9zKhPUcqpfVgGCCiBbpEO(O1D(P)5Gb=>7;!RIrzoLKr9!Px(DpN!Gmr^c+H z6GlTS`!iok$+S0VEU1_-?5@_h)$77k&&Q*vKf8r36~qZHAqxbBLH@lyPE)08LmMF! z*NA#ojn7K?IyO4*I5zKm{Q3Sc!^&cfK})SS(RnGSErc@ULgir65G#tCJc9OJodK^WUPJHxJdN`k?`;4j2?bn|a1iduX z`6|ad2@?`coMm1ayXL)$%q#ZP@5M?NY+IE;(R^3H9Jc9WBL9{DL6A?Z*@%W6RZg__r1kgBsGu{GMy+?XU8ZVx%=T{ z_C11E3PcrcKJeres{KtOgKV!}R^@k_9FPO$W)dbGcD;Xiv0&-G5N!5w>g0yBH zoyxBePvO5M<>m@eX8QT{C4WzoyI54Tl#H^}+4_Q%BGhel`aGmJN^IQrObbbON=(ki zvZN5>y;r@Pe{QVc3MRp+HqfJ1Z{;h_j~+xlk%In}#c&qNtFs#j1afmz*dKiTKb&s2 z(sAlk+K)P=i6t;t?#SSX-gEzRf9naDa6Es+$(m?>%{iX&wXE|Y9?~6FX7%A&8QV)@ zjNJD*o8Ao-mrpBBW@l?IkT|wLLBG}jUY}oSDf9I|37x(Fq?zcLxW zCx29-!~{c3T*G03=1JS2;scL)r+J2*;`j4}Kl*v~ z=Bb@`8(e{jFRx4RMduSNp1a$uY&EyH+hpTrPv(C!)eWtLE6dyI^26$pFbPA0sFQe5 zc8-H;!rKAZgKP0Ex(89c3l;!+EZyG3CkKZ|LN4Ga&VqXKqrdCrUZ?KwiQ+i>AKW%m zJT;&h&1^YPu~qIS_j)YLVKIRGM_z^->mk5->C~)cxIenZAQf(hjz|w|!MJA!NQmWr zEe)iYWo+ESe|S#?IR5|q4R!?u(+>dw(EDe_ps+x=`^nDsTc8>=erxaOf^Q9o*s@=l zGhAA#EXP?XlBUi8NopwrlneR;4(07++G85$VB@(KUEr<*Shf0lP_T@bf+oy2cVGZK z3(N{O0tumdM#9CX0R6uDk=N#9-W*7DXTVeM7b*12YJ%N1qZv$Kw$TO#pWth04l{c0 z+X+att=$f&?9Coz+O^!?0XSt%F7o$=&>*N+tpK=^aT}n1LZ*YFrn`1b{-^Wyj5wjt z%AChRf2lEmYCd+#M^Rt~`q1g)KKS4I5J{lh1t3J&R`Q<=CeRY9vl__>(Ke+}%;Bjx z)oKtw-XlCBmOis8Xl!#bB(+N>;^mt}eDo_~j3hO_8EjdPBbri%!>rOFY*Fr{G4#NfGM*xN9vv zrl~${mEZGxet19CK0N>u#%g`nATF4<7~iT7*zJx4;oO^O!y!%X>!z{W4d8%wnz3uQ zhb?nQ$w>DG*lukwgr-ui{>q6f{&nyFV(cq}qHOzk7eoP3QURq~qy(h98w8aWq(r1c za(4j%>24{N5-I6kx{>bg?p#>nTs-f2XU>P`ojISJ*-?kM?(6>le`$#L>}WyI`sJ93 zN|4F%_@GnRWMYW6bUU<6x7}67^K&Bj!M{WB+e^mPHJK|#Yv*Ddr~gfZsygie=P~WHZ5yhn9SC? zdE>hPOpLzexdd9|7IG=vg+kCN;!{y+^Vf$sEmC(qz;!qB*UJCFlPLTu>id$Utn_@- zc2d;eIX!PN7NznN1<3YPMIj2b1m(R7&ZH1>&YJ?2xY62W3kjrIf}Cjhm!sfh#P~UK zqS=9Q!6`4$4BYX%ARFG^2NN%BLGKrqy+8eIpN`_z7F`NA%_j@aqYNJGH!~@@O?zt4@gLSUsT0GbY>a zBDVg%?U!>GJs`A*`TVV6QW&0BSkWlf`_M!a7*yLyAIp)j!K}{8EIzES_VlN~sVbGo zPy0y{M`WzQ*1*z$*skiNFe~Bt*f;pQYyR^yq_g35=g`}pC?adOV84*uWIldgt ze@;boA7VY#^PtQQ^^N!4?8){(ep^2I^~jh_ThHDX#DPP1)ogAd@r968O{QL*`PtJ` zQ(j!sdfOY#aa^qJlix#GLBBJ6UFwzB)9Vt0!_!! z+QI4EK=@Fxhrr?f=up3P7*8Kd4QXo;>g_!${mVO53C7BaXon;wyYE_zT^H1lsK)(U zQOd!^*5To%h!A z6Se=nL|zGCAaBNiZsHO7>BdmILIRQjP00Aw zTVmPr7l*W1FUA|wqw1`RBocy`xWHpiH8+Xp&aZdqZ(wPfp0K_m$9C|i`QAVRe3E3V zs=vEpZ}eU1K($9lzUdH_e-LW@D%qpqlou%eQ%oN<*BHS>8Ybal!H;2tVNh&h- z?a!L6@p$K_j1v9n&3Kj@MDa!9W4eX+f0F993**H=TTaJ2Qi;<9bN3iI%QVeDgv))6)Uaxihg(hGKCl$bvm>Pn$SrkL z;l6ED(0z$#k&4W(u@kSK^4XAMc|$obP;)n;F?Tg{Gy{}w)hX1&=2BHTjW8 zZ^i<3!pDjZ?RbVLnE#MS1*2z8$_ZBUWMos-V_c z`k?lw7d_0W+k+5jbQ?~zfK~i`#IbF*w_feH`=#K zDTNk4;R>BgwevxP!YLd>$~exAD2@n2%QO!r3XLra^P(xPA5o=-)&M+vi*bO~*T0`wj8+xw3`Dwue(mZ|J_GsZp-QWOuN;y< z?~dZvlwyPwyC6c;C*JMu+(s>b&iGj^!vFz0rvENzkjCX4HT1j^7yWym-)X&HylY4w zh7VcVhUr-q$xv54H<(TZ6V`5Kyutn7FVXA(KxYF|+2wl-;pb)*$$gr-zri_ulkvNG zH@{-`e&2CN}IQACB2vmESWA%gciJc{jG3(yv$~{vXS8X^#Kx}&*pIZ z&q4{jT6Xq&@u<{#WVq}Q)kk=9Mr$)(!99I>Ue))+-Pvk4E}x4_W3=l2#s^o)sdels zt0Rjf+0eMp`QLbOwXYI5<XK_86c=8^-~ZM{r=cWL3ZL1$${`qLQySOfPXh-RRCP7 z_C`x1Aib(g9>4UK8W6C z;e!M3)Zm1}bYcoed2+mzQ7)1x?tt zh4gUwe(u7uJOWDS)A7Gt5cfyF^}#6kp1ESL07YqUTZe+bn6X+qnK8oTU^UY1a-UF6 z5^cU(_|hGHSbydDxpr$ZGde4NGftz_5OxwPbkxH=1KxeH?;{x@pT2N}cTS#ydduot z^d{zfKp$56nFi9PbFM0U&>~EmcuE?NlyL#3L_tJyoVe>WuzNK{aCD}D8~thG1E8qk zmMfQ5kYa*>viQuf9#1Ttv&!(5uAhVuaJ|9Kzz)LYyW(b|rb8INW(Mq+UczVi7xX%& z>RdYFPO%x-Uh8MzFGlQyUIW`ASp{fg8)8!kfoKydzcs=*FC?V_%_~aRylof_TLm?} z`M~s`1b|s=ahY!Rfs%(9PO4Ocd!KG4yW{7j5@c$Z_R3@Dj)Bt z*t?f($#M0|tX5fZPLB6bK7wsiDZ}sYIn<$O z^zVz*g;!t3r9ivGFHM;AR;7E=`*fw*V6D-r`Op`mej+eqn!HxkrsPE>IVgt65z7S* z`n)&`+IHkGV@~wmO%wX9wd zsN2$MhQ#mp%{+ZNcmN_akGVJn(pgC_E)#${fg1JT>C0yWJWgOJ>1m&Eq1L{wy1DdW z7r2vhezfM#vESKWaXNXP$V(Cnk#}nc%QjPskG2~Sy;r@})M4Pb7TT+Qoi6PF-VE3m zQ*+m&bwCF}bDfoBv&mk&-;_a4&A*>qi(Cxuye`J_vS*Y?t;j7zRKI6rR8*33m;hIQ z6SoCM1IFaxvojJ#N32o4ElAXzc!;HxiF3!*DpxlWODUmnj*bB!zss8B`!4B{$Zf zJiC+1?UA4@GlqEnyUzG+VR-n6e#ztGIp@Euv*o(jURq*@eo4aCHju4ksWGR}_$9jV zR=P|=NLdnvFgAYF;^4CpP%}&^vfY_N8y`;uNRK$rJ9$*Nd^=9h}?zvBR`W&a%SoA|TX54cBsAAIXS zoZ~c+Co>)(q<_Eej_>YiC$Vfvk)(3$F!fjEMam{LQ<+>q#RE8`9S%zyETy{S1^skqxyt=#KWwO&24{>GDO&LlpBd}v^BRfOmC_Qh%H0EW3X!EDJaT01<|&I8Hh)aWvAlrFw;CrCOh4~It?J&p z9E=9$*V%p#JVCgsBUxTeoMnw78K1`~IiC{}ix1gtq_8SRo9eW^P|)|Z4g~kb=ncz4 z^!4|L{UBJ4c*aS^)8bvUI1*z8@1#~qy6Rh7L=fU?L^J$zJY)JxU;;{A{#Ac5QaF8^ zh*(@F0w|p@hw`GA;COr7x=))kVN!74mk?fV^IoU2i7+AU_hRP6A~5mg@0>`eqKas+(B9n;FU&FB z!u^eOZ5Wk+Jg70eTqJ>hf8CEDB*KT-R;|R%e*$j-D!1jxeOq$g=6b15ES}^<5DyoN z1>Wt6=gB6$wRtA?9WIHSeyI!RoCCSXMgztdMi>o;-eK5Y)|#Idoo9c+ z?3(=9ho0eWcfQ|Hj%eQ=o%w9jEytx4ACmI2JCrn@uKncr34vb4$H93tuS-m9d>Rw; z8y|O)>7zV>qZz}!E8#>jqrQ>p-`3y2V7mR_U_yZD{Oqx59VOel=(ZEotiGYScf@tL z=OtYw5Ky^w#H3wIm0Sc_!yo=D+Ts04;=Mf)gh~0P5hfg^Ruj~{r#kK3$IG0=+XVK7 zR$AoS(#@kEcZFGfMX5f%$ill(ynH_Q(9(io5!R^+e)w8xDBglKBDt?&`sD+V0;84?3M~fCqPNi1yVZ-`X{SH=b?FR| z5|4Z|52^x@67B9OI&6ZzZrgvd3qK>X3hOwtT@hrLt)jzB*N4}eoaVjBXfYEnattuQ zfPkuFiHB(S&>1?Uy7m~^{GAmEPMnxV$M~HH=^&ssN%=gg<2|goofTCU%%apW>fA4Z zX{K_Q;)$s%74d;mMnT@)i27Sa@CzB8W?*b*>&~0~9I;K!dnn^-tzn4K@L$YQrkTpF z0c{s(K9m%nu#7C#)I2mR!0QQZc#fW&eS_2zsF5`qmrgL#WR4b zsA+Tt=$z9n7g0x5@&oJ?u!zLivn@$}Y=D(jUR_wvIB%7Wy!lvvwjz@TL+PFM&g*A= zjFH=!ocU~7u^eC|3+btmVR&ea{$9&-55Br*q>D)5@18kc?w6ivjlKyxr5BI>8r~41 zb2Pnj#=&ZF6`XeL#8TMOZoy-=-(j&k8;`&xinyyLW_O}H$Mnga^I?57a>jQXpwM?q zev)bY`?TFK7}T)H2*G`FROhiw@l2t0Wg*zvDfB6i2KIX{NYI)z%a3sG4(I*&VM&Zf zV}Wk`uNO61;eU)$1+3QF;rs36&UwKmD5D5|cx@`rp+auip%hDf-jG4d#Gt6LkS#HW z=V9mdBQ1|uvGX^{)0@+Y>q=@5&glv+2S#=5w6QxUGkA03RFwFYSwpI%BZ%ZnImZwE z@{KP5>2T819d6}huss|OBg8SHK(&TxqWYh<9=w(aU{E(Kf4YR3a{MW=ok|jVY!5`9 z;cQ3ad}mrDYLMD)EU*8dC8O}8U5|C_vpqgXLrt6VgNxliK4*XRUs{e@xtxeyZ^**9 zv)Y7P>cbG*dy)PW^OF_t1eJJ4Aek7gpo5qKqmohOTP4q^cDnE56BCX22VRrd=9K{H zB-cqBl+hSVpms^|ygqMCF7Awgl=#kd;ize} z0mzJn=cVm=FfGaU2^!ntaQme;KW?Y3(ZBh%hg~u=C{Ler){+vUBp{$0OmSOHG^z#3 zMqkfDOb1<%BEuk@PWx?yY&ftn(-91L@0$%`q-(b!n(> z$HqFgyV1wqvLW6Zvr6F`gLE6?u;1|is1=2 zw;D(Z@5KbIE}pTtM!1!Ze={ypO3W=h8a_Em7b!95D{%Vc_SY_!<<_}VKju2u=7Kui z>2`<5w_Guwg%rW6^Ef8Vaq2t|Y-4WSA}g(3cYVo|JZ5r`=RcD1Rongi@0*H>7%k`PJ{!4TA8#5Q1 zv%f->D()nno<98iMw8@x&VyEbW9CFwQ=i<%%2y5<%r6f)$kM#+!cc9|gR6gU8b2GD z`9%a;Ke&fZ zP8mI`ab-K86j;(hx8g>Xy2+cR=_5L4-=Fv^ht{7&w zmUaMFG|zw>Vj~JuSuAK7wkY*?ak!WGaJluAUHQw%U*HP5C5|LbX@`vBUJ;@I5_tbL z;9P%CnWw>udnB`3Jg<+^yvgIt8tT%APkE=TqIoEsrp=+#;GZS(Mu^>NK8ph=62lZ< zApk1jP5nTCjSYVmeuJ8;*`2A$&Tc|(WT)X`jP`V*D;EFG!Y;e3+^vxY6n6grdY05_ zlI}17EPg`r0~SQ8YUe4DK_jXG2#Qxa@Y}XHm0X=^25xnJIzxfDl7rwDrrIr%cj{dJ z0`kxDh@k53wGsQZ?3+iY*SGTHY6bH|zYRo=z_P+}9E4Yno-S-GPkHEXps` zVIJRqsHy&(9mtD)U!Qw)CZQNNVT^N5;KH_52&HZ8A^3?$4<|I%@`z)M2+yb}Q)-B5Uw1E0(28dGwQ(0>_ z=Hw!l8^YHzBdn@7vTSnm%MX3=uPt?JSiybZNw?olblE5wXH_~N3;u_C6HB6NyMP==mMLP*X26>at zbS6%wex+Ex@uio=9`!Ih7o_R##H252zWD5jhv4O6R)UVIjdjrdow;hlI?LqX4thlQ zT#~kW(cACI&>)-|yY70x^=u;`$7XR@U{caR>3pzG*zMEKF3ZZslZ@`X(H9-B=J)vg zP3sNK6XG+U$3hZ%(XrGCG}3&PBdAagC3I~cZqTrt^$JUZrW(zo^Fm*>rW(LKtwK?G z+WERKorP>`f9nm!XR*`c&l(`-NY6$pCQxWYY?s_}&fSuSr)$yE+_tc2fx4r%of%@w z$JZv<#k-L(yqx@)-S+0}YX8fU;8!-NY#}G?D`fl6TKMdK-&XK-ng8)dd6bY{O>faw zhUZSYA!FZhBOK52QG?4b&pNTi?)zKNz&mr^{T^OtcpD`N(>Go6XNjH<%{q%}&g@cz ziz?onZ*N)b=19z$?qX6U6-=~QFQwHU>na=*a3 zWU^Wi8yIW#@67Yz@cSO0rd^1al1V4}^RsUB(5i9gSK|8d=c1?jhb&?M?ffh{IuK8B zH2!l*W6s4#Y(pToS2p*E(6Gqj9Fi30hHY|5eN1rP5xTkm8h7i@OIw9n0*Y4{eBO_# zLJ+w0c7y(s;kceibm55$8~l7DgYP)PGjA3xJuSWuIAUX7TFk8ztZFme401CCj`hn8 zKNm$D&;|BoId;lg{$WU69Evv_jBq+I{5kjTndR3sz8v)1#o{hsXZc6)BTy1S$Ip(D zAw<86(XXf=1$fEx{jX#;SaQ#$A*`~)fkoe)9Di)bMJRS8V5?^*h-1_(M=6o(WN#`_ zcg_HDLs@n9%VXe@*J>_c#}Kz;k4emx_2PO2*zupt(kqe<9W?&F+ut_aimxAcStXXQ zP)bpD(awm|ex*;65m!ceCu;?;>ISZby4Is+_NH%dE2s4rh~4U~pbr%*0>p_SYms?I zI+C(nSe~>(x8ideOJl2U6edHH8Bt#=OtDz9I4@jmKWEvE7)&YLQu<4xrq~mjG#K%; znY);tNEIciO0f-*Snkz3>G1~c%&as^=EQ+X=I6JL2wwavX6rO!c)i48*io)SKs<~!Z3G_d0X>6Gb-5(8xR;Bw#B z^zOii3KgyVg)mmPGq)x@421FEKr|e8Yiz{KOxed2YvNDDtKyf8^qGMkv9yq=lf6xU z2h%P|k4Q?5CDqhnQli=409yM{>M6`CE$7IzTlURzuG)eNz@&{dMEXCU^>38_?sKYp zM^dqPc=3^G?hok(dpX9`J6;Q_+^FmIgSjfbRLZyzoX^y`SJ1swzbq+U;o?QJ&R$Vo zj3!C+1>8l7;*;v!N(5Oci|OVr?A(%XJbFBWwRqwu0&aZB*wS8tYe2V`NY6fTS>SHB z;FtoxdhgR>+LX+QTJxTAafVfo(l>NnP#S)!#9!FuSA#6qedqNKK`kfERfY>2mGXMO z!LH(BlM-e|dTYrEnsKW1S=It%%zIc*@q=V>`Jq1nVR1E|tttW0|C}Kp-d`0V`VnaR z`1LZ^lET+Y5(n|~%Jwv+&;}WtK4!+|Mo;61B(VGeQi@Z;W90l#JPt+6KQbH?M*)kL zY$jItt>I$|a@~mYKMA5=D1IUZNd%!k<>XiwJ4gicf5;RDbCPV8nNR!)J8Cb7lWtpV zvGV8n&dZUhQGNMKckmD&Uy#}n%TqK3{^Fm=;ZT#jDt`Dj)gifPr8g2&e@EeZ5qZ2~ zn6I@mGp=2T+(>AlDOhx5Uo;8F{n00AY@B=5DaPh5EjT)ehaqlgWA*+=@ds8e3nUhx zz!v7{rhWjv^Abrw-HiXF^O^cLVlKQCkQpd3Q}9m61t>+{yc9C#!H0CNmxCk>`u=U; zk+%Uv?dN$3XO#|mMp6A`ZuVhx4P#Iap-O}E14{!bwi5F? zDj{||;^E6)SxH%z0EuLOtAvVa2c-^DMdi~@5w-Zel`}pw2ZlU46lw9~r(A)67z>&y zeOQbeSi6F-olVj1^f9GD2SrfZCEpyz3_W3?gEO=chgr~&G<2&*pfO=6#8&(&xqb&z zfyS8LYz}_4W!TLc@sK%Q^&TmfNV;4&t~7(9I|&HATyz_{N1YTk^G5Qk^sbl&8QKd* zn!}!3YllPhSQO~z_R1?8)!p69E$mHN)A^BH?YkZI&$Gp@u-XcILT&!?O$2~Hu zR~o$2)u6%{hL#h3xQ&$wcTv0D+B~&8tIFCtlo#=2C;Xu2yM}ZN=*;-i@hUfl%r0;7rOR6=F^xnOSL9q zcs;0_V=W66Vw(o#8M*R6JHVl`pnYWigono8&v^Rgu*0|36{$J{t0vt zWI1=beE5M^L>?vkmtZU}OBdS>cNZH<#U_nU@#emHUWK({>;fjEA|K{rVi3rJz9_o9 zxstaXv$9zdilDPpTBEqH?&@5+!l-ccF1DAwrebQz4m3`zYv@9bGv*QH&H>f&gzu|Q z6{KhpTx}+d9Q65L8vUglO-lf)Wg6j2_kD%u^D`&|4Y_(dhZyEb))$L2)*Ym-f zHpVCXZm{IdKK)-#Jjhp*I){ZW?ev!5GDgfR#2r{#r%xr} zg@7i?c7_{}(h*kZw%Sj(PTE{=?AbDyyvGQ0>e*~jyP zyEP9;O$tAc|B!N`dqgE9&FANqA5FFMx;!uTePLaz^ZH`ZB9Yt|s`E!1;ckmdd|}}! zRxmyRJkRQ>zn)LH@&7MMzgg!}?g(~0w#gi3%0Ab3iq?3y1+owENUl%d?fZqfke z*XQp0pQs@kn@6B6>i*i-XXgOs7CBPVm!}2V^UpeF?`}7R2oTYguUmGXA$DkDpZX4k zV-F`bHa^#V(`v=;+pd-lI^>LTFdI4n8{?`9$l$?8N~!&35;JOMXb+PEaQ&pgsA)Y z&~*|He-`Njt`{3EdhOw%X?2UcvhmW1gurT^cF~*zDppVpRtt9`?kY6^A_XJu`)K_) zoNuU)f;MF)e*M4>I97M6XK!I>yP_d5=pPHsy!4;3XJGaBb6y>|0 zOdK$tBKY}vLQde>nfD!%>oX$Scf_MbbKnLN1ESJp9;rA9MZWA3If>0%5e*?B^&Vet zUa=y%;KosnUr(~Uz{)dAI*8=9`{rNUnf7MK%B7pqJMJ~asoRgbF;ichtdpgG31WrC zNU2PTw^Z#GaS#!{7p&1&7WGm7++-kf#MKdbzPHNc&xj%MB{T31C)$fyL+h(jD)~=o zp$WuYeY^(j*T0N^Wb+48JlPAItU@()hRlwHLnC8qMArIwM9^ML*|rVJXtuU+bcBda zm3cf&o8BT5J^;E@HF=@5^F8`Bv=_u(TmmsuS@m&Dg%p3R&8q|7ES~t3WJ9xRU0{hHOqtXgX1LxWkOO?OHF#fD zagR(7eCd;jvA%beSGcbc?^36&aIjDOb#$02X(pnjGOf0To;GU$vxzLj9z!NRq#YnU z1)fgwi|&1Ff*6uEKehY4?Qo1reVBv~p>2fq?e>(4bR1*yR7R_;%w)YDm`$iLX4KjJ zmVs%jg)|_9Ng(5*uMoQqz%s51{5Q4JtsHn6|KmJHL-Q58Kg#lhO@()QEb0|&``Hj#>y>yK|VrLFEi32w`a^lTk-pGen&jv9scKSw}6 z;*~C1D6~Jtm>LIhyh9GHM@Sk`RD^*?K)deN-!JdeVQjBr=bpVfXCW!LjpKb{9VY5; za)jl-@(M~D7A7ElTH4c%n+BZL+3SZ4;{7<{PKT|!(wqs+ng=}bW`#+T!GCzK*a!us z56ptac9Jv?O!UqN5jyE7$j~M3Y~&;h0=ZloeDf1#^qjbq@vXlX0LWWdyjHgh zS3~$+Gy+I)ihpsoj!tY)KC@ZDQ!FpgA?Z%dW}lk(z&taV=&}RiuMdF0usjbP!ss6A zaEZ-d8RENiHQ#-UBTQG7a6pnd6FN<>MrLaUAPzd=vT-$~ui)pu(!&&o@x(6eKD2eW zP^aH%jNbObN)~H_1 zjtMsddW&f)*Lk$D>d$cJ7ZZ{%7++JMR}n^;Wtyq?y*4bQN-5Dtr%q&}*{2bXHYNYb z_V(%I74zpg9cN*oJp{@oLD3vZ7tFM*k0D7hp;f|Vf7eGB9+4Ox@nJo z9YHZ;yR&sQ(<@~l-w#1&NnZ?L-c^D$6Dh9J!%3<8v0`C6BjKH#5k>AuE5i;Tx8qlg z(hz*DgX-U_Gn11`>?zfU-^|k=k*>fzoUKxMv6m8FR@C*4m(RFc6V*(mQBW3l{OF+N z_(65NfpG?XQ^2Eg`5VNTYL{VSlm+kgnicyj-wWp2ZJXK+JY5+ja?)vm{&mbbQ*QyH_oEfIbMEJSD%Ku<-2NS*{Qlz~kra+1Bp4!pPaLVN zPw1+&pP%7BmZ9ug^#268p4+S+Nnjiu%5;q=V&q$AfKQIU;Wu-!(vww11H`)BN!F;R_!hj4(s_*uhGeq)mZiAB+*HxD3^P9=k0 zKgLwrRKEjv@J5L$0$OozAN?L#ek_M>>llK^-_v`$MuGhJ&`-?jQCit?k-8X5*6PQ{ zatAu$28a#1^{W2dlNm1p6H)uE&3e)&+G8BHb{~qD30|PjN7ZAN-}&d8rhfVA>+5A~ z8uUotkjMA~z#?gq!!oIP2h80S_O1bn_{xe`d{{a;r$CB?!N-M_)%}`FA?`Vr0PV5( zy4Rn#3N&P$Ad`YrKZ?e(!3!;Mcc`U6a$>HOzwM*K2S`SbLrB@FoYGgx(?HW$G+ZJa zc!bWwLHrxlM85DFu@&DQ@8?6xqe6;#ZMV@I0`jp~()`6$W@f%2V;LyUxSm*4ZRS<0 zNow}(8vg53Hza_-@V%kafJ`GCSVHVTi-^Jc7G?&^sei;w_;zp+5U-Fa@XDw1#oiCI zUO(E7_Ex87==v!2Ex(j?(`|F>B;7Gi3F7P-=< zxmD)cOY!O{uF`_nuYp3M70A*=?dviP8C+5}>?vY>#^MZktK7u^k-Q96=!xlLKd$*Y z*xrRuC?CIVrcKmasA3>{+=NokDa=oJAHCt~O~}==o8)X4)2H0sGjTLycE-kPt0-Gx z2Dq_~gqvfvV+QHKz=+VT2#OkCQ88n};lk5*Gx6~wbB`DqY3QckBFKyARW5@7#ihH2 z_!QRv%%iO2GS%=nQ-;ApY%tdkA6wn#!o@K~4L6}fgd#US5G0j2VsYOk`-@c%bnsH ze8A8*y5A?MNi2S@TyZHX;MtHJ=$`vo(|*c>%R;b3&-j&Wwm$kikOW9=e3Fb1*)6@J z+2?_~NLY$5)5rfYv=*khc_IZ>oHTG(3ybMOCO1Q~I%T1ytCDS^v8UE6hI-k^F>T$& zs5U<LMx9TOP7>h2SZLC@ou{lyR2s!DbN+_^CHr@?jF>FO)8}Y*64>)}!mG_! znGd|65*c`v#~W#F@aOmtN2=oG%2$i3MYtkM;|3iA;r05DGo_urH++ zRnEZmH|=5kJY<2!SZD8az!wlw*5-0#gXMn8E@tf1=6t-OcA%4v%#$&Gu*}C-vj6oX zh5L@u);`-Jt>C-yjn{5g<2a6!(Lk2dGcY#pLZtV1fOdS}0v2E8xHik<3BT;&w$@O& z#SFgf#_fy%-v@jfOWc*Z`LQog*TZs)*Cm%)nVi4wp?|+QlYRC#mn-Q#B+(*Th1VW{ z0p)aC`ad41jBE5B02|5=y|_~ADc(X1N1b3CQYnM;`WsaJiyFYvGb|Ud9`Re!WHQz` zZA6(7J8@cAD-c3Tiia(RdJgL z!CNY$=y!%_rd1#4OOCSY=F}ZN8Xnt{Gk+Ej>99-`p=nKpovT$m+_}y;)9OvQAu{+p z^0qUoQkbJM=u!!LIaS1i(Rrh{Ba)7SAxFs#&&z5$U$3GxxYoW3Lmb|B8^7Wvs`zAI z2nBNAJ6^6R(*|i=BoKCF%I9E+cf0`Bk08rQ>6;P5^%N^xQy7cZvm=k+984h@*fM?{ zPBBh()U7E|GnYA`J*&xzSspZUs8dt%otZ7 z*W7=#prlW7!e}L{z*=@1w<9%pm0(itx{0eL2HJ5)dtwXyN%Z9%#8|tot6g z7>0Ml44^H&Gy35Hu20SDrpLv?J&H1lUXw5M}#%|^bRZAkS zl3si$4v)UO+GGnFcrv>H#e|@Iis69r( zi*dTr@%M!%Pum?iClnCp-{0B~(1f&R1}$}GUz$#&FGc0=F*XSve`~HlnjiXc!cJwn zpYHg@)!DaxNwMm;yg5`5#(m^SL5Q><)KrF;w>R_>L{xkxvo2L{WaGP?vZ&<~ zbsSDcv})ui-RPCCF2?G6yW?au>#wg+O!PnUPAuMidyst&0#7Dy-IqguWR;$5M5~Dk z#6%ZxR*4rq>(ir2TkjLAuYKSJ%E&vzdp_E?ams7PXodP|An+NwA1kssifu|6Kj;!s zgVn*EdVxu$b}b-5d6d7SV?|!7R%~Tk%vvc3wlvy`lg%N|UCxzkRrO|&aMi@OZQZx!URe4=hKRu*Q0{$BrgNx4Hc=fN|T>0B^{ zf&>v^zUj#Pf;T@fUU+cOKLoW8an+R}M~Cn}wj@4hps07=(dA)ty(b#ww)uBp7pUq< z1dSiUemL}}w|kNVe6a6aaOL!EupYBWs_1h~6-_+aJu>AX*c&{W4ptfc_}ckH16ZM# zcr2m}^$E{^y@SfOoStWzu^e0k_E8dD0U7h-ispMeO)oROnF&Hn3AhL9xm}|?F8^c#Nclk?SSR=+Pv3MOSCc~!(%qma%2_Jb{Xx{T#LA@#@n{BuJsuYxY|h_d*R+x{JmB%q zzhur@{Lx+rP+&jz+`?j z_6aN<5U~;!m81LmmtO{1(s;#oscgIexK_L~rabv>v z2N@rUU(Qr^tUA1o=u|lWFj_E_o~c)F&QhUKvI6~3zCvic{yJ6sv~xeF5k`Yf9bK~8 z<3fd-v?+Sy{+sMn#hJG;&zy_jVBaSs0$@X{Fl9#{*lD#uYGopEmlo9q_9u5(_S(== zLQh2r$K4tk?9BH|TnOQM^9!rbp_fM@o#q0ytC1X%0k0^L;)ay`t>5!owwOfkn3Wg8 zj=R5aR(9Rrt(@`jwTdIb)z{{#deu3b05X4P%yXOQD-$5D8GY{BzowmQE5O5OzhMf! z+zlv;GG{&2$?GdY7BKP9)_$$f2MlES*DA(twj`~V+Orb~L>zLPbemNban;~`XJ)*p zN@Fp`VQ)C+HO=dx|1n!CQJ}vShmddB-ltM*)LN8c(5+M@JSe!0_KrbOzcBA3B|G>& ztQFi>8BW28zwu-%DpeD)piJ-@`h1ioFH%KV&Ja;FqG+25vB`DP zss+LJves2)tL$|EQM;U>`M|xc?FJ50?n(Vxi}N^DY9p2?GW#VrE66uDY(X0gh=Xf> zc6i2;Nw@nk)^*Vcym+)*j8|99ki?RDf59K;<}e3Ys$ay>hHQuvl{7Rr3gH-?r_$R| zE7HkEBFKDsGDtQAEl2Ze9G;_e@^42<-M!?Usaq?tcNg`mInXpEx6~GjljK(!$-p-U zb(F*xI2nGeM63UbotO|SllImVh}kIV0BESHSgl?&MM=ybcep49s~pW;fQi}vItob; zokrbpi`Lw&Ac%)Bdb}y(-~fxtAMGc@l^Awb@$5Ky&w{`A3Gaa1g>Z~QV~mED4i{Hm zQILG`${-=ij!@Bm)_p7gDY138+iZ})ZydCU9t+dgL)_OO9K0r0Q@1naHqh>zX;y~h z-SRW$lsI6nY0Qr*?tk7f(>}4GAsRYg{*=-f0B= zyXB4`RMLJu+q1>_L;@0m9ej&oudEGu{OU#mbHjal=TXYf!|HDJ>G#h8iri7HHA}T- za7BG46qg69pR_%xJ^W*e=JUX}R3|48wW8+k2Nw`SoS7MM1YjxFi`1$aJUCaJ8j-sv z9$?{F#~1%3z7i;`MPjl>D2KDUi8*l5sdZS-fqTmAQjV2bRY#cO!alC5nh>(YRUu@% z9cX{I<4w^!U>~Vf*xlkI`cTCI9qr^3ONx+N7PJ9XR>kGZ1CA)}rI;BOzhFfk1cMpWBu&ysEC)cjJ?Tj(5;6tj?*6@(@ z_7ihrn12;raii`cxYviUch6lM7`*s&NE zUHtnGLI_C=M0DELzOvq73B?F^n?4y5aJOP1yrk_RQ-3?lCUYO76@ zn)FtBt;W?HsbT}xJq2azOmTRWIJ%yVz_maL($B$^DcMdEOF7Vp%f!qK;k{i31YJyI z^mK3k^GHUZUOnq3U(*!emA9z#IKy3|J0fB5js&IOe5NuuKEvTg&0nj4>OpiMP7$I^ zjO+yxv9(*3mUQe}UcN-u{+t~*mOre&zzBLt*ud)hNI^ho8HBz$nWFnr2Sw!LX}llh zz5)pu?dl&$CIF!`eV0TZ|3c|P?%hAY>4G{t8otIDV3LXAjtpFSINLkkDpK6F*YVHEc)EU@XU*wN8)ji*552MdfD~BZxZvEn*&Q8GBit%P~weyXDG6 zY@OevIyTeG6T4L5cnV=UxByAsYf)fJQQAFct-|BVWOdxr?XV73ge-ryzxJBs?ud-U zJIqLp1^l!i4qK+7E!^Q_lupsBs!3OsYOy(@`+IH{zGQ-e@j7;vhW9J>zGzfhOdVGi zfRP*VZIcrE+0?FL_Y>O;LeJ%XA7&r6!=gcM)oFgxSNLVRMq%3c8rax~I{eqE#ftso zuj9Ml$mz^gVmQ^>^knGl0=D(uW79dqy*Z(1{VtED%xj&PM_tc;xs`z@Q^zsd6Zg&6 z8umUk9h$w97G(@c#+Dw%PH_82U)tD=6{H9OK$T@>^74N$pkntietSVW{O?uOul5`y z&2t78W{Q$CIxWh!9xd`Uo=ZMG$D#cpO4_O!?`nv=r7WN?be+aK>Mw#gM9Kp$2ilo9 z1N#gfrD>wtQqNr}jzS3j4#f)q3n8=(~cqxSYkgId$$>@<+ zak1EWr&`prm^)dl_PWM|csjp29JH06g7@Mp%{l@)+2zRenAR|E7%*9fMJ32{M(OIa zKb`^`iw=poW-ai5>H|%pdOSm!h^=4pNGt@)K49!#@xoWKYEXF6cx#L{Qg&`IygrQo zk#^k}KaW2|Zz{Y@$!3wWbvwV(3EzU6`d=GZ1Jf)wg33j;p6p7I;2pZwi<*50J(JX! zEonP=e*8;9LMjd0%fTibbo=+uJhF3 z@l+A?bSX8wj(C*YX&0`IWWAkP)}o_8jf;A={_b*U;CJ{#6x!RL=r>@CVVl6ungY36 z&-trkMKnml7n!$MW0sx>Hu?>BnTK@(VAH&&KE3#U7;1KIKjrqndjE^B87g5wk0K<4 zYYmb2YGK~P%!0H{*e~jjYV4AX-*G^AlLBQMvPP3Ul2WszR^XbXNY-VSX%v}FeF!w~ z{H!j_>A3YGxB{(5$ny?U7XW2wL?Gkf*1tv19^e#nbfAUsllodyxYV~Ui4ez z;rFN)yOWg1Kb_M!eFtR;<=>|6Vq8tYO}(9bUW}hFU5gf?e`}(To@}E{bcsurxrwt} z7T8brXl}ALB$7xvQYMzou9cMWMu+IKL5YP&M(8EJ!8{#Lgjl3uaYLF!UvYeW5`^~A zis*8h8VCGKNcn2I1^n({J&c+)?iJE2T<~8%2oF2e)1y)Hb0vRPBL{jD~ zI)yQvKn_qdAZ`e~VEO^L#Q3$lVnt%)5%IFDAHYUoK&)LHWX5Oh&No=wB%Cq8A;Z}N zP}RG#N}c8e)2A4TedNyZ$t)wk`?LrA3r{oLSHpi7i)=gyy)Ohi#5oEx72x~1HLZ*D zqIWH4j*WXkVI>DZlc}bt)afLn5_;bVzqo8dU9=H8ffl(Z9=y!mDgZJ33rIzY*$}Jc zWCC)h#0M8$O&}{O0^}zyhT`upggl&nN4^_e#1&vWHd&<}U4W6BhZQnro!r=isnxS< z>9n)Lok3y5$-R&i+#R7v5;_%6)b5^W&YvsX(7&pdw6c*%VRyV@3 z_jCBc8exk`o2=B1=3ifjhjEO*y**!OIheLi-+?Nk1S&i(k;B67AV(l+kmvm@H)NCd z9cB@HXwO*ZInqYZ<+f(Vw>z4F>dp)qgmOTYW}UfbC@C2gKl0Bk0d^hr3*rzC$5=-i zB!3S6YS}fjCAN#5>*()2{N_*9XPCs;7LNtMm$%=o(&tQ` z*Ks$ax=!NO)wNB4XLNz)^8CUglt%IuZ5@(-ey`6~(P-M1#^Dd47pl~AkL=x@WL|&c zjSS}Ls(Kg}VY7axJHTz57n^d@xJK&hlXPo2o0PLSZt<|tYXQeBwJQhdes|{?XiE3m zrXza3xni1?xC5&y`^x5Y^I?UxWp6TPl~ChluN(ByFIgzI5xAble5TBQ$F;xFTYGsk zJJL*;CFE7sF`8I>%wOXyc6?k7y9W!4Q??rSu?_fr$uHa|*?Q4HtL zd>l_^aniW>W(fzqQd8lLg{DvT66_hy)>>`4TCsHVOk4hZm&oCBZAOyUH93gr>@CN- zd}UJJW=M3~7t^%3NPBOb9nq!#v3TQKOpT;3jsdSs_5@SW>fZiU$_h{#ouWdZIMT<* zf5A~8-g%3276;AgY)1;E_;6GZjl;IO%)h$vSIB=?zfGncNvlghsYm?rLEqP`TapNWF7Fg)z!P52h7!5v+i1s7hHVlv$O**UP}ai6c~xWB3NIQ3o)K_Qnx zC14lr8pC6vVv)##wWFK^wFB0{j-tc9D!G{`C6R1AyA>P(raG3}tHBCUd}%`6&7PHq>GPlF)+ zx&*^D`N6ZN_#;0H*MOrzhWaaLw#XD!r(UMKw_it@m=L5ITFQYAFI=tK!f7PXSoB308&s^Nn z(B9%uL9h~0{7qLR$a(*~?Rc*Zxjwuh8AVmDjWUv$Q?Cte(5rDI_g2i{>GR=mYUyxF z=ANKYVIcGRVH-`ie6{L?p)*JKEycfF>(BTuz4zY%Hw z3~@hM?!aI1uPESwUjc{<#K6@3fwwbO$+(Lr&yZ}Qz30{&zTnfk*V=*QR<JQ58r8|WN;cCtCl0=u`@ zeLT&vUWdOJ5YeqcIVPlDCJ|!zG_6~aEMgMrKHqRkxL!M`YLX;{BIP%DU$zzhX1wS1 zU;Xy|pQZ45J<# zRn5OV_;N5LJsn{T6?VSxes|twKs`!3`lIo_t>jHvkzG$w^qtobG4I#xYoBb6gsp(O zBOO-SR^HRYXWfGjcoKt~|9mZEj&R1$y!=(>YCmDr`21tZS!CS?dcV(Im-n#B{c0CB zv~#5kRi{Zo@95)7h}dg@ryH|S5`d~DknohJME4#QjqN4;EE88SW~aOVu-a7>u~vt+ z9P!l`H=BFD<1j?nI5tPQstZwEp$Fej{?;_g0Kovn&#+b`XRccQOh*`RE=VE!K2tLF zYqy?Hhg!r2&4`&qv|1aPXL#I+UKr`jjESg9&W_&adPZjnay=t(Cm$N!sj7FN$e~?K zM6NsC=eybvp&Z%&p?&(3y7%|-xAqb5$w<|z#~x8<&yrtBjG2tmRb=`guY9RMsFu!) z02XL-O85TQk~CYZlZ&$)3jh4f^=On*0zZv^vqFKCo^)`*;JUBHcomO ztWT+*>4Sj}hsdy4#uu<^cv0sW4$(?S-;5NthmpHTE(?ieEtI2X#CZhnuhvYGgZKy& zWlw4Izk(M7M%Ew4H9TJxGQ}-de0(?ul@ZnO8T2Z9v(lkQIsN_??0ftyt|Hn9qTkd{ z{;D>%a)|}2cC`BMb;{3JO%3`-2MGwO)U%_?P3MS&+#OyegO2wSW8))*iMcEuq5XWl zRX{7suX-E?u+MRu1Kw`Irl8;^K>oyYeFK{2k*Ltgw#KtUUoVzncs{dUz00uCmZI1B zQjcy2xZp6nI2}-r3jLF7m=CB%N_+KuFd=h&6{9Hfp`%3htMX-N7YIyd9$?UR)i(Ot zZD_I!UWH+FJW!0GJD)}tLj8=oK(O`@7pu0a;Y^!EgfNRL3zrIlcY?VWJKy|;?sDpG zEjSfIuwZc>Y4+gtHBqOoKSSHMV6FYI-O6p#{P(fJ;jPf&HA{nwEseg&Je6&lL&WdY zrIs%vS!0^%t$(hmFNbxPf0%Eg&DBKaE4Y1F1XlCFQO^&;Esq-a_NPy@NlZQpK6qW; z37TNNHWy0yZGj1?xgJar@m+6-AF$>I>a&y+fnbL!k@bN74)E~$Sj+zf1%v>e^lv7g zy<Ez2_Edpn{L(OU`&SojEMEeN5da!xrPM@1Z zvR)9zhO;@5-y3%TOXd94H$-czX06CEX{|Ehe!9K*rXIx8?H_$9Hr~9yyv9?qG`3)) zXj<4P`bY1vlmRct&jJW#45W*ci1p@}M!4}xa@94eft7?z^!PmzwTDf|enX$u z==0v;GB&|zTr%PHwyTgAF{A!uz1z5mB>27<2gy(l0w$=>oXVH{^if|2{EsaE{Ic&S zy?%2F>RA2(?;@W>*B!9^aRXrwF<(Ht8z=zeS|K!?#bWoAr>{SVQU)U>k1(e+($rxi ze1t_#o-7CB-_|AOGfi%lz%JZ`CPAYdJ`F7$~k%f zI!N#2`8*wPowwl{JCK0^_t#b%T?J9bz2%OM1%O(6_WLmw&c>?_K(G-anig*r0CQ`J zO#w6MVaDa57lB!9{?Cx9nK|om8F#cxwxTVx=kA{#&{VL!gmmMf7<>0SseVdwo#(A0 z$@1!ds|`QW8smNe92i5)i4l8v8$yvcH_c$&yhQSDQDyq$Q%r~>yvqI{Q~ zoeG=$5Ld=l`|;X&>t!Ox#SmMEOWfB#WVJMtFaR6?^y+eIgmQNe4npaPe$$ykSvm2i zY0-s_MEje-|m;iO8^y6*JzUYGFi-DP8R zw-azLwQaoEiOxEDL#h%rZ2AX%H?xDByOaqo?sZdAw^aY2jP_Cs(no^qT3fza;g zlNIv4)fe>zF4Vc-o?Zs;*KxD8f2$uB6ElEkIqIBMez94Mjg_+FG&dmm66QT=&g5~< zy1fnJr+guhwEzrL`7e2-=86~Mp{mPW_ECe~_<38t_xkvQ!C_SkS%g`pxAM2FTqBf_ z!4LZp%3iPY24Bf556$shRt9kF8&MMg&xbOCOS6F-GvhbexO4K@l40Zv1sWod+J{`$UHF&+=eN1^4oSE zsUAEgIv~+y&4kkhzv|WLBN$J0wGtVYA8k*yi279J5e>XkPWl#zzPUVqKFFHL380Rog{4=|gwa+6vXrY_caJ+x2)} z)Ar^+$qzyC8qX{V2PozWs)VL*a#q=!Ef?`kkPKDGn2ONw-yjkfvE_Su^49M-lU?0}g%AWW=?j#E{o zJsw3BBNwk&)RPeE?arqeibevDY36unq%uN;{TDt*)FH3?6ejloEDM}Ly#&JQq#wto zA3|h$dhna#-Zs%~Jhf)99v=W9pW)MnVa*SPUux5H6het&kT8aM1ta?~z9w<2DcIT?00`&;?OyD-W_d9y9Z#vj9V zq26jOoa4schJlpPzDs`=`{UEOXP1dK!AU*z((VT(NxUCR`d>9r2T!D%zP%m!oa9g# zY-w#!gj=h`@a@K4NY?J>9hrE^;->GPRXijwY@hH~GSa6$9TMrd;2M7&0s7Q4X0wuWC}4c zU7zbEW$72SvLx62@%;Se$Bc3zPygP#a<)3b@5{hAx48G(peuP^VjppWexn;;4vC-z z>mF8X^2ls6pX$@UJ4;V1Wi5L^zmOvsb4E6v94ZP00X6a+;Ei*q9sov6%!766zZi#w zh$NL2Hv?2G_D(P4c!S11frt-a>h(w~d!)KxViGO-?r0N58cts|1l!wtU z+lL@DSFLnhQ(VPYZkBl=`)oAAqi2TL=!;-E&{1HHNrl@8j^hTTBEHlwc!UJHBka& z(;&iJ`?6a`!dQDwY44AlRU+7QD^!VlfaCW{&AYv3?E42&gBr2}Sudj)5y1cG`0>0m z)P;5`5)cK-E`QFA{I&M^ga98I3DF8~ON$K&7sZ3CHv0X;&FnA9e1h}}aH=TR22Fo> z>@aXR?e-ThRkTama3q8OHy}@;_|0~bJt6Vj&ZYVDOSVho+MrG&}A5|AQq(=K-nhlGUauawjBHv;zx8tNzH>EKB!HtUrtHji*G|FDO7 z)3>{8lv@}?0I626hVxPNQGg}-aL=BJ*N#;KUHqS;+^gN87!Dsv=n+vLdg8`?*rN|$ zcp7JN$9ssn{ZQ~kBWFWMLLm^HgU4Q?U^DPt4`7kL(p5;_s(2sB^6I&DgR-%V8(tl% zJwyuX5R=tN$fp-OC{f3<=@(1}zKpY?kfaK4>+Gm__vqg8y{WHuUO%eyfhf>YZDsnmRj`i&HtnH!k`d+X(HE3Wy-~>p)ags z{^p;LV+>0qVOvOm;}pElImGY-fd%piqD}HgIhL5`R=*U&sd`%7H7VK0d);O`116qt zj(;tAO$&{#SxZnpLux$RNZ|-1NomsA)*2PM{UHE0A|mYsCK6>en;VaoyVobO>R&c) z|8g79ux>Co3%e+HjauXW`iWHp!RF2MTU02*hfdRcfmWUhegN*&7tPC$Wk-Zu6~sDd z^$NJpYZ8-n%$nr$MMy>Vv+;C`OKwK`j9WxcTLVwoFL7ms>rPSmw!J0E4{>j(>aN{ zl8=FK4O5_?sIs~b1X(kR2t3QEt@OvuD*}#R1F-t6Vh*WRUyb)6@*pkJ^$uHS0-`f0 zT!RdH#=MEi{ANua#XhB^_@?unfz;FGgzlk!8)I|Qb90O##@H%4`{`boGIMbIYMsHf zQ*NTZ zrno(=D%bY(?r%!BqOpd>e>h_;%L%qkrG=0Mre%t+>W6b@XbkEjx-#y-r)(+gzQSRr^)OiofNPk-i>^8U`BnWt z+U6Wz49ialosVh!(a($T=M79D!TC7PGMIqkq%;wgrM39%J?YQHFvqhEL^~WG9mgWm zzSM?QjcdDVDMSOg;~EJZ-mQ?}ma6(=c{u;bWMB3kuPX8~r{O0xlJh*9 zb3|1gM=YrkT8Aqhe`(#LjyT0`M2nz#X5a9yT7*a2dl+v&s>(?pga?hM_=$?G$9_29 zt|^S3>Ak2ur8Q!Udd$pn>>5N!we!L#$WkPt@M^ethI1O)kTnbbc6?_~(RzFE#^bp% z&T2Nl-#q~V3QGr*4mXvu4KV88V&?5izVcG5M?*(8%a{FHyP)&w(sQ@9y|OCl7Pb(S zcR(-f{N{^`Q=7)#rhx1I%7-`8`Y#&bn-EX|QhzN3g)pHx2w+cx6U3RSS~(fQUf7n( zHUstt-{2Sp%ss?yyL6!=1_K+2v8TM&#MgJv^#b`5-*x~H4{rvny9;rU1sngB1?#`x zI;i-6N%UU9Upd4sviogt&aS&Fa4?`5_SgmB=&S@V`$<%yIV!a}qD@{NZ zrJe8L;*cK}s(t3k|&DH7O7LVc{#$FvQ;{X-} zy3QO&D0|ErqS+h2m2#|azg#Q>DkW+iH%%oJ(4sOyhqlvqF`qqcGAdA^$?V;S4!6gJ zf2%4qO$8pvMc73+s`GY@i9#ej)W^8TdaMRb_bj67JZeBDte=*5@K1Nl>4b44efvoF z;?w)x)fduBwlw|$pFF|P;$CVqdw+8DT6KW;_%P)z_tU|c5!E6$@6X@0wI)2aEvhhdFEW`#-;T zfZ*tVYKSevU^Oc_A>=qX!@&oNSO03TxMg1UV=H@sn+n03s5A`k;=G2P!CQD6Q@UruTp!Tam9R@ajs zrAth^C_X>MEc}<=!lcN*vmi!ad^4E*^Eeh6Gawo-7nkiB5uYN)rX`{CPSB(1UxMS( zrqUv`^F~4acwTd>u}x8HSF>``WuSyI5m8vJdv`6D_^3vr-X2&ZJh!@0z3pl)HoM{2NRT3@g)~~vjGP}Xi`evcEMGf~m@ERP^V$>C=SeoT zu6xsVzy<{(DNbp(`!j)T|qzNc|J$H6InPy(--CYPV@1RMT-r-*h*b|U$sp0>|c z!giX!$iYi5#F@>8?!R4*f9JnUh5q$eRxwEqU{_=@H7Axgtz)U=g^4}_bf=ZkA)BBM zxWn?NwC?D^)mVd?L4Vv=|MD0&@q@e&$6S8bhbtsvrt4Rc(BCFie{%326xuB@=jdrY zuT|uQ_N&FXiejM`QrXYiyl;O$)V;%V(7|6I5_v-LgpoXuk|H87;CsUt!5Wo)YdYE| zsk2MSvz~1ixGKXPJ?d3&WS%2U(A;Dn?n6a3eJ+>G)*iq6l@VL_!g;fM`1F>A6$CDq zw9~tvQzg0AS_MlKnz*Fx8N%yZ537n3d#>h88gb8j9cR)fFy{~J=@JDcPM5xgx^K^` zeM79r!UC%+L#eHlo9~UHdeS8M*QHVP>3d$W?$^W%3)i?#vkyBBYFe1bU_>@*S?a+p zj#fd?WPTVq!W&-EBH1@1`JdzI&sOgG*fnHrKeUO=-iX{QoV}NE|4m4zl~|ZEZ0vK{ z73;QUduet$sl+#-!?Mhoew)J#4`PR^DI`J&sK3B~eB7yz(vl!e;CnX@*2#LbLttQH z0|USoiGY}+17KeJz6o_e*u?_5a^;|7zuZOo-vh7yG3-$dJwOMD!Jn@D%2h;DEP(RK z>wRIW#Bv5{;E3-@?&yxot1;g(q2y;Z)y9+5)R>JBd__~j&AVIG%I$(KQCVBr*kGI_ zqEkQ>9SNv*GC1V3Bb%Kqh$d7FDoEqS)HKCb#A#+JU^|k;$7pkCu0< zH3l0K`p1bR$4O))*O+I6Rn0eCXaY`59X6@FC=~~QSVneps@%BpS`*U&JcAHqdmj!Y zf1k>ZrI6S=hW4krc8$3QEo(gdRXvlV?KV|y$4W&DhHVWt4{h(jXGkB}2@DKYGkVU^ zD&eumi*bWs)7}Tv-)8o0=NgL>c)B)5DSA$_?-y>V)clBfY*KxImk+N}`7_{~^)~iX z;;6AO%?68@tcm||uyyGQxvSA_2cg3>8mC>xAkFFXW4x8vUATP7$D!4$ww|t+xt)hh}=#R-YWq078_vnpdmH$iN2HcUgwGkz-8vKi4A z+Bv({_uNzRA}XB8>$ss>S}Pxu?x2f{j?7u|m@rY|dMDZ7mKxC{Gt~72`;l;TMnpa- ziM31`dZxFwJZNR*lRoK;Z17$HDUh$`Ri6B5CfZ_~Nh|aoI zeS48ky}y3Y^JGY+x}qn&)=KHv6vMT3f%b^UirlyyUNMFAp8WFePA*_W_MF~`j6L$N znV4sSJi*y*;)7%Ne(|37OA$gRGB(}Zb;{Ym&k*cb{^9wCHx%g)XQx$e*W8~?ou6=* z@T6i}l4kudhX;|IP)nfB@RB5ZJq5NUI!Ce&J-N=X*!!kkS}-8K?_WTC=rmVKrZH2@Dgfe7OAebv zvE^meoX8gIbEK9Tji%}$wa?0Gsrv5p$L3hHsaRq_Zc9s5Q@{KWL&$&-v}1mICoTus zpE^Y$da-$_#ZaMLN2}3+l{_ATLSi?wl0P^o6%F>wP}h>_`7ofE>hGO=C zS1uWJaRf+^00s8&B*kg7tg@x_4R}=iQ^&orWcG1CsbL6rLht$uAQfNu6-q{09QT9N z@9tRZyVBmSwH&1Uw+G(>h-kt6JYK9!wl`52*{EiOUIH7?MDY}7I7J));_OG^f`(I| zpw;`9i2~z%YgN>|l9IGJLH4K1bVIEmZNeOX<>}Tp1o)`O8j}XzAP139U#|F@= zoL{@Y#Mg5OI93`~0x9qO)suG0%$1CW6zpPFn@D0h3rUBaYqw5PexYgWT zMO4(k0rM+C6uT5A)mc2=05BhG+fE`dhe7lePjD09YcQXUrx_PsH&jBSqm{g71Zr@y zp>H&OZITVVEGpXuL%FZ}W4K3N+642rrJuA3bTgLx3KgSC{R<<0Tss&%sVm3{kZyYT(lsbl-j%e{r1 z&p(HzM+8q1tmjRC8=$7y=HQ`_W2$bTCM*K^88K6%Sf1n{6$Fh$;0Fi^yOGfg4E{XG zScY>zoeb2LIJdyCVDeKO_l7(KMw_|l!8ed3LW=1l^J}eWoPT?KGX?Gp&V+k4Gc+e6 z>d$KA>8K!fp_H-I{2h={_D0wfxB(7u4Bu)PmjVx|kbCvxRW}~xaJ#xPh*sh$OmaGh zI{>n8K6jxBGA~F-Jqoj_YQK5QC7XQ;bSJhz>^7dz-b_T7K1D%O=OAQg69;$&ED`Uz;5^!;Kpq5(l|tN#LL&7uK;!GtUuf% z6qHRaIQ9p^8is0p>xzabrYNAs)(qkTqVUUku)$vQ$bh5@3y}TqhwZ-}%Tq4c(bLj_ zJL-hokBv1Iq3UDZF?vQ*V0M;?6O1A$3Nc-2I%HN$9VtE*oHi@w8~pm5($8~_zQbL8 zHa=TxHpe1L>3$GjjiYMQN@1Ey)7J&b5hs%04X~_DE|i$M{ZyenGXm{;P+BAZ=^{l7ngm~4prP*5O|+M$%&i( zK78$B-_i{*;a(}H$oVXx&G%^>jOmw_E6e(RPv>r^Q+}|}TYI~b)m9Zgg@CVXqq665 zG2k|Rozlbq9D?m`+=aiA1Xa2)|gxZM;Sht<>4rT>?8i5eZ8Ww$bonROm(e zj0?LU{0c~`gpJJW((PIpcWY86djHt19b3qa@L!rUKy`My(${`|8tt2Wm{-vUS9Jp}G*%AuRV( zWdClMAc_RQALBm_=y96%$7yL}zRn5W`(Py_wJt9cDRVD~kt}tSpihJve+*PfOwMmO zO88y`55oL7pe*F5f@o3S2}e<_{9hMMuhKC;RUn8$tqm-5-@80!$A$Db=cTZREF;XJ z-6wd4`LAl!pv@ptVqaJh+h|#!67^aUW8PFJ+7oQbq=|r-SdN`zX`E1f$K$_Y?5_py zFjpC9y)^ZEBP6n8l0`nPdF*J<_~OL2Mo1gjQW$a+jL|k|pWEmpkm6*bAyr2`#`1aE zXl#_9VU!xJD!dm#MU;sz7(JP~E`DUvF*|NecA}D1jq_d)E847#-*HT~D$8}1VqH3W zQ@Z$Wwl?OEac;v?gic>22+H3*k9%$x5evLwU6G>AM~4G8)3#+_B9pF=*jlT}VhiQe zK^Oci=LnSzw&X2+&#C*=sfSIfA6nwLP9?R+VtLs_I_XtV&La=X0~{R3vZ}6O63=3WmwJ_t5$Fe zO1)KJk4JI>fZxai5aprL0URjZ5wQxdIVn!XQ*)$0r6D{Iwwug=7DoY_DtS z+l9(I3k&;7VWb3t50*wH0_+sI;5d0ED!t+;7cf5H+_YQ!zdlK@Gv|r{tEiYOAV_cy z?v{z-L4W`oP8yIw3r)OIy5>oX9P8Edoe;wd7I|N=H%Oy|V~ymA;K!%Bot(|xz&_kN z`>nxP(HAsSBjQ5GjVFEckv80Y`guNYEB`pW?44&bImp(pnaG$`(?!x!9S@QfGtTHW zABIzNiq8-r2*o_w=8rReinIeFDtf5V^6rMYW1jtbCa|w6%nyd&Csgo>-22>`AdG6K zM%CBYs?x_gI_srxPf;Hlg`e-D%LsuA@kN8BrEQVI$BB0VkL#nt<-uM9*`G#vKN)nB z4KsR6AM{HdN2oF|WenKb@6u4+|5PY+3=T5Qb1b0)ZCBRS%(IK$1scs;AS4qM{2dl_ zaLU$EBl!CO|6p3*nOkt(ziss@P+xQ53K@INy`#;o#;?4?jrbP-h3`t!^=5jVwewKd zda6kb2U6gB#+KwQRc#+oBlQ=nmuVdD8drLKPXX-vIVHh^q!Ru_B>RuGF6=h5)mq~* zJ1>cBO+m3O6@xtW7)FcyBnYe(#tj`m{2A>5ui9PBv8S5xppa)Hnn@nQ-0Ly1=S}9h zO|dqwzYfa#C~9agAYi|JdE*7zr+uI%d6_8@rEt!o+gJ}OFOhki8~E$Pcxk!HP3Unq zwk_xnSWG@BLken5)WaOq@YV(1BD`jll*p`5sOA5(lC}z@8XQAMAa1X3FY1NVW00+? z0f}Mb|946*B-p*zZ}I!rsf!GOghV<<8lU`8D~7w=>MM?vEDrbwWH1@%eS4H~1fvOS zW~jxIP-cd`I!ROxSC?g-8^gxe-RR3IYKp*C8`s$Cimln#>cb;ZTw{+qF4!s;AZilw^_hhyM5O{H{palc`tBZv8TC4q?=v0tjoiiyXXXnARLg&Ud$u68m1!Q0$I$GX#N@B8 zUVTe(JGYyup+a!@2;T2~LR8Qb)WMPqIz#f$BtW$@-Q>usqPo|!4bH$msI@bJT&D5v zWGF@UcFrQZXE)dk&pbb8f&v##^%_=~olCgDGN+b+*L03k9ht&MF-wSl_lV}DSz#?g zr*Q^dg$t6EJ&@Bxj;1kXs87Z3c~c-z!WzKVkyH-qK46ne$vxkj8MOlmJA9RcDJP8F zo7fPKd%Z|qZ9)N;Pb45eh5xUvp#lU)9}8Ibf?45^b~bh*Tl*EI{*Js2Qdk@_6BC#z zF~7Fk`ZwN2pt=CVfa-d9!x{hmurYFoT(?1BDzy`q@FI<;yAlH-+C4UutM_D_7{$#yy0PiG8{!raH$m}wrv#18}po|?ydI}tY}{oC$<%Oz_1~eCG+@Bq5`o`&)Vvq z3%bs4d;|$cZvr%%LeM_8-{cH>RF~*qpE@UmwhjU{L@X$sIDFT;HEvbCJKT>-K{*0PwMmyr}0QWLvxdcw4IP59udos>hEyqa4yohBSZbr+^9xEkIq z-}aOGt}Z*a|44{_R8kd$>bcj(SA0T-3!y2_@(JI$-CXx``^>|{Ttx%UO5A*w-@QjZ zR(hB%{F8}UOle{xkUbGsx((hx!L3tY-W{fz45xBj{Pa4Ud&bsksCFRn=?d1HyQ@2@ zCHdyw%!A53qm+@GRT2_x+6MYT3+iTA9%UM@J?WaGD=W2R@Sbf6R1>#^8LpaOE8r8% z#?^NKYwz3!8H#6tam*fsrpt_cKtv%h1Vw%|wi4ghC+MscOGO2(^~Q!VYc{kPs4xT$ zrv?LD++H}pwfg%9bWmiOZM3-V{uuZqDkD<74uA+X;2+2yvc+r4IInz93M%f{uu+o# z+Wh}-zYFj{|Bq{|AGgyRLxh{lU18Op18?SO*5ujP3Tq83fR(1%XycEg86fW+<#d;b zXWwv!V!tO*Jg%WLPczsn&y@zc2)~~D{zBNbwylLt7s=l~oSegq-hfT{k&EvEn%MR3d)m6VB*-P27`%NI*g$(!d@C zP^H(YCTt@6V-%hkgRvxeq2F5WaHMaOSlY4n8$SO)dn2IfdmVTPR9bIa8p4ZLmXr6X9CfLfc~_nMzFR)T7}Yyx~Unelz|XLZ+KvHHTS(3n4`1 ziTuSgf826Ch5nNTU_Quhxm?*m;^*>N;qfs#d``jE934@xSjrKi&8NG*^GdZQ?5~wV zdY_uyRss-5;^q7q;2c0!QIsZD@$HJhBCJGx8AD7s<+WcE3L`j|gcq7JmtLrUh*Aeg z)WDg>*T*q~?~uBiz_5rdW^yl}ne}sN_r@R=B+`*IEEC8UJr;TW+J6FAQPH0BjIO=# zEwB_&4aC3oizDO(>?`60K4gQNvmFyyJb1b92>$U-Z%4a4U`_i zrr1L4IYQL+344cfd^&O47{`Sx5?_ss(fY!hr&k2R*=Ra)A`%jgtNWCq-LDwU3CzXO zg1LJ%eXpg1jvlw2tc41TSKUSA3Xeq=(~v-s8m)+3YKw~t_qr)WU`R@ttrJvpmFn?! zId%2Jq))q9bwUU^5Ob+?li^>pLf?$|aZGt#$|-7#E#A0wONM45xkUU;q>OmamPcG} zRCcGsWLgE-_$$v;*l=CKPKG{!>#OagxDoVkYgB&V#AvJf9wci;22TSd7@7IWJEW#PfL5Mj-kG31{Mn&*}osRRW=@D)4mK9ez)|MXUX!=Ddq-^sWOiZ z&5zKEYOSevN}~nNTO-M`8$AEDS^q!$?iC`e-RhiR@|S`Xz>|9yB^@HzBey4?#WAZP zvrTnbi&uxbAll2Ve_@X@0kR<`JYi>>aGFZo7B2m_%D$@+b%g}A=i z`FGn%WJGuC^2BpkLHxo3cX8fca|}-!2dlKsxbbK{$&&MYAf+a$lih%jOQJK8v7dSN z&m!aWkh7ZH;V_{LLD&qd_Eu>uF_qB^dmvBAB_@?8_i4g$RJV=x{&V?;e-& z@=XRIncrD%Zi_*>4b*ntMQ|^0kxBG&)=Y50W{veDYS2ULO^ER2M48HG%Y3QwccZnM z37dSwh>1yyy^baNZWFR}+Cv{$4!|6#-nz26*M*x^eSK^R5S0lz)!OoJ-qaLuB8WP{ z=6~_6z3#A%snWm<3IgR}nq7Rj zQ#uDiQh#rCp^HQv*0})xfFBr^t&HJo0_&sYf_;Y%UQ$^plRT0uyy25{^ndFOg7??W z(*}Q)1G$SEQv*hQ5ao?fiJix9g5-acf-!A{k$NOCD%3C|)PPFM&*RWSy`xn#={_i- z)T80cr#(9%S^64fRj#TbCn7Lf(!^$>^@IY=BokL;b32)gBvAi)vMJ(y^jTCHvsDhG zARXF{5ti#n(6mG`V(MLV{v!yo^L5Uo{;|ZUo@4hmO6hP+&1xZZFqSQ^DGE1*BM&h! z`XbL~Aa<6LHBYsRwc<>gdAgo%LsM^>z?wAVW5x6~rVSoy#Z(mGi<|EmAKOovM@a_g z_8e_3If6?A)n1EdK(tUKx1tHEIF960nTGt!2`?er?yW+PS)0uqsI2eB0)enXt z`8&TgNS+H?_;+T2F`XF_{-f~Le-*SVzQ4|>B-V6Z@+ltW{^(LQM%htXEMy;ciK>y_ zuKB8epH^(mFeh8{OO1g|AejF;o~y%{QHjFKg=-E=B9P3p0#o_JY~{MLQy@bh1ory^F+Y) zGsHznwaT9|>1&O6hv#~ON`yZwfE|xC3bV%;?PF}l1joz1=K=@W9FDJrozJ!{cl4;g z=EQhjb1It{NuwQn79;rlO!L*npFKA55g%}&II>?p^*8@RcAHYs>?y6=&?RSv*%sQDAF&5 zZcTOH4)o4>`;y*)@AmQY<-0QPAu7nzGT7PJHZ27u#atJ#{V3mp6w@`g#yNAMy}7#L zM)SB+Snw{N!P}C;eXxIEPWi<1_6NP!#hgX7ToI^-`;7~NfO}aNWT@7;Qzqq-YeL;h z>^;^>F<>=HWiO2d;|^{Ih8Q5l{;|(NV63u0d5AhP24I(%7YBeTKq+%U?R&+Wq(WBaYX+x6VJNvj0aWMf9>l^GyqUiV87 z_u!GC8X$nOg~@N4fGPBDjDePC3M)XJWvg2@T~5t$a@du=a}~}B!-ZH2EYFL&#;G7B zKu_D|pCj!;yBTE_H5p3t=GE3LhJnXGe6L~0eB=pJ%-NuHY}<$gF_O2ZRkd^|doQU` zRIGQ+c#F%dF?JOs3+m%(5T6%lR~dl~iG1`K8}faG@AK#HNSZ@DHnW`q6}7e8wk`GC z`o@k#x3_$^7q=7_U2#VIhS|N=AZxKvCB@bD{f6%R zr9{ZQ;Gs{_b-n$}e2hqoF3+Wy5rVlign3{6g{?Z0KSnW_zSM&-_2`((U*G_ZA_Wq_ zX10w$R4@6B009&g_Fy>JI{m@5vLD8rAjC@o?~r-&`a*c{pNSerdgoqM2UH?ofV6-cd4@h4V7JrEg@aW} zA>#CsA z+8j;5@eM|iYND+*hsts-NptkR&l(3!9f_;FF8^P(B6FQGYaHBTeevtU z4Huyib_RXY2~*=qr1E>Rz*w6J?%s%Kl3S@h{cW0Ac4g^=^Wq6<5uy|tEml2%1Xg228p4xRX_6R-Q*>PIkK#|Pe;*ZpcQ=bgCM@o4 z(~vEG9}ydUM_BgjQ9vvo*D6!d$>ijO)^K%%tIzSLb(!>}g|45-{lTV z7ovA@C|VISV#-n@co`pq+<26aaa|WfpTeg}Gp~IeKGa^H@`H@*x^6`4TlQh@cPBF~p2q6h6N(yh%|9rX_>NyYGf@{n|=C?QJB+4*7c6?@E{&(Yo-4NrnS!CfO#sk}$9=ygW z4PABjeM|T^(wz;i;&CmmBv);@_K)jkc?SJJe73snh;3g ztI5;%ut*2Onr__TXUN?h-+2~>c>s`Z!7@Mk=|}Lok7M+WV=tq$Z#@qAbG!TylT18x zy0*Is@&uRDxEOT#>xHt@wmn`NI)Rgh@4cnd@D`Ve{)F}TxBKJHw48(X|3f$Pk838; z1L>R?3`po>YS+i?#57=HVr_*Iik#V`veR;<=+KS1#xAZFsg_ zt>PV>Y~X2w*<+%h;FOTvMlaHK5iPt|Lbf-IS;6sASplKVX_BeY-K4fKbU8U&ZEt?n7xb4cnlp&gghANp>P6cHsjHD)(Sp}Dui#Ij!AVUehL zp`BV@c`5oP*YtkAtOx2_<9d!$b(LD(V;Qbz-J_%7sB9tA_^4~RAg6Nt-KIjDm)HyZ z9wrDLq75Bn4V^|LYSBL`ubK($xa}#}?G~G~Htc}UD&GCEN?e&XMd_4O3CmW%QSW&p zXiDTC@cwFQ6-eYjQwQD3m6k-$!oE#MW#0a%)eEv6;S7L$BZN9*OeF+=bhHxP^|@8(lnBC7a32+K6} z?#2p_P4RzxBqiaQwN{8N@M0TR`&AaG_O&po1Wk;Y6YRCw=K>f2!2}D0=`>-D|q&=`#T0l#LKQ?4t~t0W zAtCmUi)9PA04)SvelE@BY?VKJO$z0CUKV$+L-zJYF^8v1n0NQq>q-|?BJPbD-wige zX^I<)b+Kx(DuThPKO3XR@$~JUtA9vwcun~<#UrlzI z3~$!gB(;XvK7HO6GZ z%YA-7u!uJY=|!UMhYypT+aut+y9-(=pe+X zyh92-MHY-QTJe9xOZTK*sUKyp2pb{JAp1>Mj}!mI@#NkKVsvUbGE=-`*$6dA-t3E= z9fa$UyFNA=d7gI{HNJH_5R);;c8_Pxwb?D!Uvbr)H=yY@n161FCAF2H?^v&2k%fvY zffM?jVz}@T0uR&I5N=Pj$9&I+G0h4-#@;QH|% zxRiFw?#{w&2#2KGPOPK#y;NCOkMaWF>y!6%KcOHEB)#pC(1q%G%r5`GnpqNG_jcF6 zgkll?;4DQ#@0b2<5#h~xT%i9yXLFFufH zLOy2!3RA~p{2w0z%~>P-+R7o8v~ptN*L2}p-@igb53NSB~A(hVXlDcxO? z(w)-XEgcgkuy6kF`u6zN9_xL__{LZV`-B5d7<2O6&wX9LR0k()=KtC;L#Ba}KYlmC z?ELHqX;@8ECl!el==YrtzRTIpQ;8Ha;~EsXTb-ig+&m7$#QCD{W8y=Gy>cce4P?k zxVbE-JW!)3K^}iS*WLjgE9gym>>wtlnM$jxBjEK;CN(< zIXXs~|0ic^E>eh?4C46oI4V;S4&4?Dfe%6Mm8=J|Lv}VUhQb1)+xsS_sjj$jJjU4W z&ab!u`8@(uD}B!d0k>Ikx)PRtDTy``>byBk;B?6QvZ@JuZ(LN#nhP9T2Yw&qHh<#^ zek#rcm*>`W^4bK&jujAzb`1#fF2gb0FjjYf0Asw5y2czN z-sk=eHWRd*S&hp6g*j9V<9oB2Py&k;hnn{Au*9``;q4nr%NMhwy1jQdEHV6OlPCM* za#Y`&mYv#3z6tE}Rk+VaiN`MnP`^u zI|~%(D7>g}kn_10mp*i@%x`zHG&;$tn}PGv>rfI+$7KUJFPTWc7A9U-iW{*^ zrNCZ8_GEaTI2ny^_ox<^zp^2N^s80W$ZtvPWpR7i8C@OWxs4^|0WCTjgI$6X zI{Tr*){f)VG|*lg{sqR_e)U_isE;G3#%VY2v-UhN$|q0a&{+Oob0r5%LzIbZjOByI z6NnM(2d=kH#C(Ek$?5gLT*=oj7WIaaa|4(wrHxs-#qX2p1sy)_^cCREWOc~hYkl|B z2;ILXN5_a0XTk=t&>=yi%5e4p3UKA=>JWsOUysCZrKAW}N3gH!c6J@shepV`NVYy|+?89OZhlWl!2?7zlAZy`I4k1D`M8H@a1 zHcI}cJXqjAHp*~pV52m4d$ds!={pp)Gtd3>W6FWekoRkUEKVtA=~lbn5Dyy7n)a&x zeE607@|Cyr-8g^myTtc~vbUzPP-o7mF^Xc0y1Ac1lc?xKv+v#PIrE1w6Nm;?;i4)~ zGt)TYKK)7K!ZYrA{_6e7&WU&wgXi9lxdFz+&SqxZ^7D=9CuWfw=}3g&@G)+h^Dief zT+(_wQWRV07w}W^P07fG5;qj=@)s>ERE>oQ5}hD`wBX0#XmHn z;qZsvyMMYJl{~UuLlL9pRVdRE4ojT;<+asAxW(>$FWQ4Fw1c@jBZ1fo@r>PDMeXXv z?@)3gxgeY!9!f%US8ESMFg@tzNJ^-Gu(gyKm43x~69~QOFJr5ymH1fFj@@==HGtjr zsIe{q6+#Df9~=)Vdd%)0TPuNjmBToC&-tv@|{G+ppx3XjU1=lEjhixI*w^*gy%Ie zf5glT+lSaX6SYd}RO^~tSZGO*bkrN%Y{9NkZcVV3P9+Vbkz|_NUH3gDO&*84^MUD?%3? zOFa)F=Pj95n82bQY$c(7nPZO8FjZaWrPXp0-kKsSUA&<}rb zg*)q&ghX`{jp=c8>p^F~6YPg}@p!e<)%-5)7ilvJh8P)JOF3{%ghOBDiTltpADq zy;E0452|4?kqSh|5V)-G%!fC2yrYC5gEWWOPBe8(ZdNQEll>ZcaOG+OILopBT<1lE+^Br`9!`VVVi536%jjf1pt;Vw@b6{H>Sz}q^+E;%UtBfDTKlm1m%2NiAZ~K7kiNbKZ*fRxB zxf{yQxT70DrVwNosr+)@Hv^QQIHeI#B|30An)F>Q{$pP9DJY4uLW2iTUA!*P!^{Sf zxNcxr&Di58-nGAAss;pLk8_%9vl~p$)FE4=;xjNQ)srLUd&oEZC-!Bq74Z)okewZW zy6%}k$~+Mc?v?PkCYOur^(qc)qtR6m`-|n|QT~mzd22U_c1M{|z=N{PdN(e;!jYvr z679l-N!uEIYP_kKVw{D#_R^1JIDRcNA<8-yt9dP-hSX(-ESYUMDnJmW*(k{HLX5D) z%O6voGr~UqQ@ETHv5b&K1UDKp|67OA-SXu9l^txRmsLcaYldXu6`6)*RdlUJZ(Nu| zd`XBMj!k9sw%~PJgt5iAH+p!OVvVvdXL{4p5_znE5p}bOjZHjQEK3GX9ddQsSPDUf zQb3Quv8U%jik9-#xznBq^*yMl4a0(1-C~{I{iE$o39oFM1&58iChF(jWjH=U;uWR)Txb8hrotEMa6UYuk(hsdOHPSoz6 zcqii=G}(3AIyUW0HkuY$=O&ezNaZIH(#x5|=> z!})i4M#dEqZkoO(3dLXxml3+i{P#=38TTXp0EBBDqU)k;7>6rw9S#{ub4NRWNL{Q6 z8$N%Kb`XM| z(X#SPeViEwR$PZY8t;SNB94PsXsM;EU4h*M+|^87zoVQ(wsx07dc5MK-Mi#nfIafl zjq|5-aD~qfYKb-_AXGEX6wDRPV zG25xQks~jbDY-_9g!lDo`5QBZnxcf5bXZC#3h)jWH^#hLJyWLizW3W%V=k+H`r;G6 zv`|>nAre%r0B7qX;GolHQA`}=g|o*Y(22MOl)@~5RWWc+x+F5x8{ABAQ}`HLLh#Icv~5YJu60qFgA-#E{@3o^opH_AS~ud>Qy)7eZ<&YsdWaM~x;GTO z0In?1_giDzFcsD*Bu|mImM`8z5VIvpqd%qOzBP$SRT%HYE!UY{Aq*E$fZB#P_N&b} z5=DTA%OIFNNG=Gqg9t=s@SlM3x1CSFoGL*Nc?(e>R9s+cv&>aNj4)NcVst%9V3GGe zG_%5ki`0Q?SK2qt8M;QncimZWv8)Tne2}RW-Abs5TRwd4gzFKZ>S*+~dx?1j?qn1Rw(HbkO)P}#xR6oJ z+wd+J*DK?N`s)Wim*i%Ax|&5OZ1g1|qT0IvdZ!0QKtf$a3$D${AB1JXnkS2YS{0Kw zi9CyC_Bg*#blH9(niXpGMSi(4HQson5%Zq@%`1Ez=A$`-m&))4SN3sdtMfH>E@Qvxw^g=b&I_M-Z_}8noScY{7xPLjRzIv0NfwdjP6|4O zTS6(*L7sTSvuiN$mDz8D&y1e-lVKP$Uo`+dqs8|>>r}R_SbIis*~SSGRQsNT$76fVhZ z-PD`rh8@ox|Nm&QO=ZOa7Tfz&bx07uiWJzl1!TZJNlK{i@JNaqcnKNEVM3N4+)`4B z3X{ln)pYwy1uQ3#$vyY0SXOz)nX-nqtT-!{7WcL|GO$T1+l<5z+Wx>A6~7-w(?9$u z_{-;d;T!jd)sLGCKpT_4?>4V2zP%0FuC;nsllJwEI(8Dzo&5Z!?;55FFw4RmXWs97 z4bhz7Ni(R8+&ho`s#SpdX(;u#<9heSbd6brQ_;`N);B5;4{jCs_i1|#r3_Ujnm_6_ zq+4IThEz@h1wqfFmCf-pXohplq}^*@AcK%R+Ab&L1vNpb)gcg5z1h3x*Ekf-(4cG< zp`lj;6c~=kwDZ45Tn5u0`Qa7nAJ**=%+LL4*x0KJGKCZUCMcH@B%JrU0@^>IkUHdz z<`A*YW_(Afz?cf|NnuHOV??f{T+H4&HJMj2W^tr7O%go9^)GL%xyk?Ljcssb0odNw z_3Kbo)}n6pr-gx5TkYLSV}WBVQ{B53kYRH2>fP0Sg}qr^*?V|}{c}W4D0E$9H@QtL zh(U;6aMQY%$%xbe!HeMCV$fw4j7Ql%;-o_C4;wX&Z;74}EG|8*0W9&bYg#+J54>C7 zAb6#nyFrz;(iKQPI<&<_sg{l|x?+Ph9o`9CaK}d?OK1NqzzV$RiQf@~=wc41&ismb zW~vg3&7=MMzo(&j*p$6wB!AEu^TeM2QlmNj8gqZQ&a2Xb?Y?^R2ZPa%QUNOl!6mfS zxiR&J+aD+o&Y=k`CnzyU|tf zpWaB^vK?ghVP3pYW6j2#Gxqx+mcAv;QC=ca+AjqJaGi}O`l1J`(;vD=dk(67iJLA? zHIws}?`Nsy?>Y!Lbhva<7ZyI;b54SJtO@1bCFM?F7me3sf75zsV^59fx6^2z@k^0q zdE?wJjf2*8U}nX-&g zo@9=gx|+mr8EEwmFAOd9%;BLNIX_e2w^QN5y|tXp&a_#uu+Zk$3DHU0FlOaZ$yz5^ zLKE?eooX@t!UT_R2hByPLhtZOC2(|z?92SQq+h#-95!!Rf;-S~$;npQzLI2LbAi1Y zYPC_>pS2>{P6EWPD5(* za_Ht3|Hb9V;X@0IzjWEPpWuXe;GGwLQ`ok@=gngzv{7L?fxXnTLTzukh{x59S>$IF87Mc=8ji8 zY!>PrYC(GKEL~AC=DHIx6I48cpiA{-E!d&A{7D|!d|i(y{>xrXX&Rsvs=WghjA~_i z{PRE)G(qJKI=x?iEgjXePX`^uNKtOZ;+7oK);Pa9}W9@|``Z>7BHJu!kc4O}*Tu_rtBe&b;FQ z1BGTZl51boTL2bdoN@Kto&r%y&u7R5aBSHDA+28I)7FeDu>H@h{PtU~O6F#Rd6&C7 z?ax$XIq!~B2{aM~HT7-ueLt)k5vY1Z6hM~%@A_Mtx#|iKoU6S(oNDF4z;?vs@H^rv zk*(Tlno&ToyC9s1d;Hu<3Z#dw;g4T@8uS9(_j>-CyAkM2mQJt%!Eg?qJENJL!20@y zgU!{V({{#w>f!kYq6=^X{XA)&26d6a=~FxOqT>|LMtqytk8Oak$r|P^TR_7Zs;+Xj03EWrH=Oy0E&eykmyEv@k1S^n zHeiI`prP0}emss@Q6IA!3{pETMDNy-r%c0!(ciP+Y9lPGl!F~KG>ZuEQh5mxr(x;= z#L$oc6u0i3jWQ2m>@&->ZWCFjP4OUf@rp#_yz3cOv!iMe*t<<-9V3=_fz;>Ds4jy= zZ>3aBd*D%_6^YV4a5H=m=4T#428;?j${5iztljeW9*z;MB&9~rRpYU=H_df3=v&t; znEEM5yT)5${q&%&!JWcEt;5A6#O*vTuL=93X2NUUZ6X%F>6A47DB~rdYe{%d4$BmL zp!{?gZ-fC6gJm)09-}=(L&Ol@njOq`Il`|Tpr8JW_1v;SIRDMl8Ny9o$N%mRiHGTz zm!91Mhwv;mv%VJ8vZ)sHX?NZZC5nCl2hgQ`ZT`Ou3~?vlAIgb`J(-4U4;DHZxvTx+ zD@lGXP0D-N$v^#R;Oe+ok!sx>N4Wi#)cef*8)eXGjx<>J;4zrvVEyi8db3>we*U=RZ&$P44__BtH!+Gj9dw~Fm=H9coeYU_ zk)UEQmb-w63v9~os(}z-ks_T_Ro69D&W$xlj6$MhC{3r5cYb<00&Gs2qr^swpis&J z`04vf>+hyp@8gUg)vAOW?3CUN9DKXk-(SOp@q^Hwj@=m5>Ok_1THe3)9l+=XC2IXt z39Jxv05j1K%;)5VC(CYl^m)E;p3*d*1zoF&Lj#0OAZ@*S`5irG`B#si1(0EIc|IZE zbAs}20X@W7hO9i*v7c6PBmunD7-KqF#qeYjnSV#}o%SB^ucS&mpdvLK_`YE5O;g+( zcx)j$;s41*d621IricHHZP_e>W2zkF95raE6NN{y8#F)@QmXiGCweg*dxAj!cOR6j@Ov_Rgr2XKT1@Di3b+d#3*8T~z>=!R zKAgCd$w`5UXE$db-NH38THpoJ@)KA?w7gm;X9P+`EZ4)G-ReV-Fem?t&lBXF-eZ4= z8xU&8Rjj)20Z&ogV-DhA@+%N-RZ#+JYLnfL{sWS!AdZnggwO`+^b+;;rm)+TpL8B4 zbOvFr?X0{LuJvopCV8D9P;Z=yhPU~n`*)!8RJmbFH%2BJFYF^UW=sC=L{Y{KN{8CK zwwBj?oM}QpQ}aSvF*q;rK=(2nJ4k?--dmyPY`m)U?hVPdIv+@qfeRxK;4By_#C47E z*cIjwe_nnLA0qHnyP{li7?{lp(ww`#MGS|fc3a3el3!QoAMDhiLEp%0go-eRbXQKM zaP4HPkMNwJpJvIQWhr}EYxbn+!`WdY`rK{Nz^{OK1j0yubAL43aWs!DnfOXYAUDRr zn*ImyQjkHoE>E+RL{ts2)W(kEmW5=8&i&4ro+`xvD~;RQ-qY1P`TEPVcKbV;%4IW# zgU-eItr_qfe_0;rI2^_e+`3kzij?|N!1qbb+^X?ySGaVxe!j?OCkyOfMNcG)2k4|N zX)mLi1o~~i+yu#}2ft73ep8*sjfj;r)}}otT59QM?I}wEYG2FWuqI!+Ub~bWq>b;n?acXqHj&7uPU_dZ zE&bStlaHA+_lm&D^GMCSnJ}R($ue;=Zt1SIW?OVpDtlX)ezta>y~y@W5%}}SG48rB z!%GiaZo?W@Rq9!to0b#Ch0ku=LjLqkhc<37{STDH_F@T+MG82V_wF^caL3W2s1*!# z3**K0v0Ik~|B#Xc*oUkfD?EKL;4_e$u;H%~EyiAt&lgjzouw<8I; z^F4C!L}QX!j6W3r3NjSvv$F-8%N01^?1&*!?tkF&LwhC%R2X7a-b1oqFFyi#6B7OX zWyJ{$TPS3xr!O%I^CZWm{Kbi#V;?~)2cXj?3j+au?_Hdkv!xNeRJ3CkK26A8g0e~) zxid+9mE=aCFE*;-p7oOjnNm(mScShpbtpp|m}#aSMba`)C8PCG@%Y_770={7T?zx0 zv^_X_8V??sai{JQX6VlgnrO%cu^+skR4S{oOUA+078jj>byx~SA;eki)edgrvYBJ| zyADAIKGPO_Ta}VQnwAsmHdTj{b)D#g@lX#Aa>(hGHDW|T^phC!Bgva#oYyls;MVXh zB#`7|9$j9?PB-tdliVISpo2Who-xY)L?OrOn5H5l^kb`OkgGyx{(~SPBk~`)6Bq=@ zA*g6JN*|A7SE$D*q9?9RzBULL_STK*_;YTZen+j$xF6%tRcAD^A_~M$NA|w|jZeDS zBggQvilr9zgwEAfbK9YxXlR7M54?&?N8|6h~Ko?DYwItnKL!<5LtH zmNlG?OUp;4o?=Nm9clwL#3?-|zY8MtY(3YhJ9w?UOia`Y>wfIl(Lw3^_LHM{BNfO- z|FU_yC+GGXi<*Fx04cdsdL$7@vBjWN?(pFGZ{Zs_)mko6V9{H~z3d_N2vd3M5j^7> zaauIL;U0BwQyg(`BcpOgJ|RV43xZHxiG_UVEAm&!S8v%{MS`cAJ|moBtUQ?zCvl}L zEGSkZ^I?03=~pRNdcfYwLp0R?SM{ zTFT?7s@>?hEb2g*eYd+^ zSbEsIl5tk3ce$9czq6#vTRaI+R75MFvnZfLXgf!q$#T*8jk;(CwI+PsC|Pm$Ysh+e zNNX;XfnZkT1!FWuX}3(G;qAr!8wyQD#ftgbl44z2+8FxSBNP*<(%)iauPz1M8LZ~& zTST_eAvxKnt0b#?h7t)nv$qyxPcQebWIsGxsC1gpuwbI{Qhg6e;qlBR{=EKB`8nu} zs704vn^9-_wr8;Q;LP6Ug!{@X?%PQIuU-DG6O^b_$*Vr|q z`a3mQB%h6(Lh|KS%tFf2Dy8*n&u6QrsZ3r`@8wID2_$^2Hgv^GIBwXEZdlQ=q`h3+ zHWq4}O3mdCE!VlyA@!g#Zx-D0<{J_HKLxv+*^9=}e-t-gmB= zze42G2?`VP`n4Ia?Iede|PffMTA$xW3|jd|yIW zCEpF;%CZ4gahV0SBgVL+_X0$MULM7TH1MR8)D3R6l`&p+J}7urc1^}Ae;=b{jku=3 z5_4Z~_v#>|nSAB3pRn8EhKdS$2=*G68N;A1QzOyvb>a_PxHe;A(CwFDlsrrL5-Er# z9X7SI)R9mnEO@eIHo&5)gvaS~W3;aUR6lmL8GPmhsA*d)L;_vHTctM}^L4gd>6jO= zt-ZEjr$*9mi~dXz2fkxK-+n0GqjjgFDFtih3C{_Oad+q4ekz&ZLuvb&!#`Nlf6uP_ zZ<|a0k4N~0>|qJ-zWFr6=U{X+pND)HlaC1@Erv^FFvmQ+&0D0-em9ZZ=J)6^7Cu7i zTDIE(`flgAf!F4Ytuv*RK43I`gm+MSOCL5ATp{N|IhJ0YSJ zt&S5NC|TyR?I~P{Krtm{HhEp>Gig8MAo=d+lh76F@^L?wsjmof_nD(v6eJZ8`C3Cf zF@fS2pT6b=NqHSIk$ya9UlrmzB;;==@B*c_Rxy8qSbpk3Lu830-8fUFIZuDbd-MaP z1nrLrIu)Otk)T&Kx?2cv(P#>mz=u4s|MPJw{(@~UyRO!?jO4RQ$lnCbJFm|lFW3Dn zHZnVhN(%kXf3*g=T`RI<(-tsj+^RgQYCzjVh1Y@WsriCgda>Sd-N2ypz2|wk$IN_* zc3ldZ&Gx09rL=&+C^55v&;n|lTjA~3yA(dO>09App?V%gb;xi*iigHxnSLvt7f7)9 zarmIV^$hMfa>qfE+T@}BFoMc?~j>1jOYry>rJ)39IK`Y)j zf1$c^%Ldc*R?KHcR7C%ZSgUP8^=_*6#WdRba>2!#OHW@_;VU_$UnQbqtO&1(IHB(T z;kC27NAG_y7BQNtld5v~Y5*8QFe=r|J;#9V@vt;5p=o*RLJM!?MjOo^iY7k0v%Jwj{T?Oi8^$zN})#+Gt z`tkvqPvCVWL(k;cY@IIDq|McUll(|%VYec$j<0Xu20^3cHoXytZgXD#PW0S}1Gt=Rur*F)o*PQLil1RRbvoiFQ=s3IC zIN!S~lq!D>0EfX@qExt4f~Q7vAzrso7$0kCh@SLTfZ}&N3nH?_*Pf%PZZ*A9|1ZkD z&ve~vxR%2_7&0;uV21jarL-VMRIzu>W1cUgUSOx=pTX@1N1N%yLG*d2$Aa{aQ6A+R~TL4(X_v?t~xoA$>E+<#2XDnqO_@;xx3l6|Yk4pml44r^!tQW|Od)l0z+GW42cE9W=*!%L;Q zjXS)+hxBEWwGQWafL8@+@ZsqPxT8%FJ`*996f{+)~Z!ZM4fSSbG3eWx! zDWa-ydNz29lm$g-6WI_zjPz&?g){-LiP&1+rMx}~+%d=nV!kg{plTOUMGQf!MSlwT zwZv|*hkqpEKL2O_M`8b;eP0rjLiflCu{Ug`Mc~a^JNuslW>C|5LOrvnYc6dEsQTT zKu+L%XEJf(cskA0Pru(=G%BAdNp-ylRRv|52zTw{IyA`OOyUND;E&o%pv1(EN{6m& zk4MkBkLc7Tah7*NKC(LSgi>I|Qa&_c%e?q{&yQ{%tL1+SS7{FR2|uBrshvw-o5&K+ z?nrO|VTfo(H^WTokUYwEBfaS#dh`bfLV7g~OkI=^uZIqW+pDm$88p$rIPPF9$bgU% z%`1;L@oMmf6Dof(GOcV$e9;&#G8sstx4gLo-(4wbI|3yR^R4{@a0S6RuYliur z1!~BtA={)~v|K9B>|xz<+F{P90hrL0eMzSaFHzKwb5F}Yd)3mD-Z2&;W0Y&;2Scv! zr`HcQv<1WN=Svs=xREqD5^a0qV;6oqT-?vf4}?8OQi#zjLJoQP6IVo4u<(|Ao48!5 z_+!s?LE64QvN;uH3R9q5HAN`{c|$6J#AkP#rnl5_@v|5Za;{1=iP+cIiqONq%F~17 zKXXjpF+bZEiP>tTQPDn#R<}_USdL6F3DQ$l!e@DC$nobqP#)YU6DZM2)DseWiFymHF}=_g-3)0kKsY`X4135?;GQja23yZkba zTff6OM$GgWku7vrUyC#ONc)R`XARy$z+F-5?{4o8&RFz@?58>&u(`|rLonG#-Q>;Ar?VRib0cM^$NkyT}9}8NB$(t6i zxClzy-xZYp8Ejpv2Gav}tBP|8I-EoXfI`sl9gvi8H%j}FAJQ?CNLVo_yF^X_=s-Y8 z-nRh$;m5z9pSWo|ie3g0sY;N&6;|@Q7K^JZsaxV<8=!#z0l>&L6`Fs42(Ip@Z_YcT z9xQ)Zb_Tx4U%pu^@RpnS>sz1 z_O@k82M<9YWaLpw8s7u#YNP zBFv}ti+0Oe2hG>Pjq7U;SEw)=GY_+ur6Hbhe90+GkDk{|rsz3YEGh4Mv;b!)ZR91b zwg=UWm0bbxuTQ10jc@4UEMhmtfJc@+Gp3nm9vl{>jhtHbi)(pf)tJ4(f0=xrrBR+Y-N)bELe-U2hi8y{xb6QWAz^b| zqqFMYTpkjZbq`FB^fiDN!q0t#w#vjmAK=Lv4;-!%F1sJPJ5dC`n3-GQmgdAMSjbJ6 z=XUaxOsKzy9Dr2xM(DEOhqKg1_By}Q(yyvS!Q{94oLq7R9-klZtAc}fvD+=4{w7Q# z!7M|~MV>|Jajq;GrYk_`;i%v(ZIubX=-sD4;my{sr~B-JkoPgsLlVhV1=sqI!BmtU zR_-8ssiN#t)};tTCTXVOD2J-|CUv2Of9~-6iESO{c#|fqJnu2eeht0qGcYS(WUnCp zbRoE=+MWmwo2t6T;9nloh)%Z8i7|ty%cXJ7XmQt+U^Fl2ukS0c8yLKK22VDPhZ__0 z#PDFZ&O1~ZoH;47aE8>RoWu?F=dp@Xf8F=zP;!QMM_M2D!xt_+$}UPye(pw1apyjz z8M$9(a+&Q|?yfmsr2VLaL^a~jDx~wLQIW*K!6kFtoQ+p|>IDX5qRO!2wg7GoIVr*Bfn|(J1YN9u{e=? zy>G~!GKk5DaRks?OY%%5vLlihy|@7wuy|Gh81bv&D=)Y}`aE(mPD}Rvhgq#M$&p4B z2L_uacb+H9^c(R)F@A4@d>q_Rm|J`8!CKH=^LNo)H;D-QX^RkEb|`tL&L%E~EufeS z>c#aoDFvsQrRxdYc5}?{9_XncTl(e)UyM6zL^m^C^Acr4UnE{HJTOnOuj_zO=OXQmi1@fvDRddFsHs zM6ur=Zs}B2o0WeSx(}bC`@kn++eESi8J{5rZ7O&e1x0eazdSD<0E0mJM4rdL%Pjiw zK>L#CJ=9d1@9>8nR9PDkASd4h9VTGKw5^v?Z>2t0gDlXXq(3f_eeMUqv0asxSbDP7 z5eZdQ0_7k9xV1%YBR6EZbcuX~r7%y^l^4QF-Za;{2(;@*>*ac_06?m!XROe5I3e5b*qjwaS#RGz-@Ryq^3nybh0J6f5Ps; zTAlw=_hl6Ta}NQStHNy}1<7{Xy5Ed8$F7$oOWh+Dx;nX9KddKw$lJX3bR1P1(C(ky z2tCk-7smZrypgGpS!u(KO*bJ(-(Q4S$W>EP77XdtBlWsA1l^(D3zwAxjD#WVDrXGf z&^j0E41~TaJix|{VWLGsG(r;;9Fi;4;%8{4cCp2TJeGaBgRuEEhhgq*qIm;96tmCO ztoyWZ%--L&m0reZSAaKx9pGU2 zvXws5Cl7{%r|c0R#P&m;?k)I9iY_>Ic2Q>xk$TrOVw=?_wCkF zqx)w&mn*XosK-)j5?kIN-w_C+zVf^bFN9h!E^i_EG|3g5zr=w$pEU}^p?u>DVWeG8 zc#H);PCD64pm5+JG1ZZwlZ9+tuLY5MaUJ4g+SB%xEn-5vuNs#FK;{*$bDb(5cjadg z29RXK0#6qA>TJ0qNjXF=b3Ic!@%CTh@w;R#qUF4|l@zbKKECy+3 zU%i}OOn$lqQ7$S4ehWl7{eHTDl_sZJmd-z|uqRLFUL!Q8jK?X;?dVWAJ=U{~I?tJV zhGtaaarR?*kVH!fDQJDK7(GiG7r7b-cg+!jT>L2*{5j75F7lp(=A2>xu#2T~eTZ^? z?ZMo61=u4*5Vj$UW;jdezVdqupl}K2Kv__z>`6&Vq||YJvi`)RW_Kbl&wT-a5u;V+ zBQe-v2U@|0h|7(PQR_j^Oj&dW^!KODr`?21PsgdJo80TCo$gt zesq>W^0FybU3yfaOmH9!6+K>@w->~U3*-^7h2vXq$ zn^q%^+vg{~NAQbGV?v^qoEGiZ;O;`ZE3O#z8AdVJy@;nPRduk8rZw5^zlKn>%&=ju z-k7tY{Lbb^^!Y5v&#iNpz+$0`>)~lI<1}D9OF%fERA-=geLA8ySh&wm6h-}4>2j=d zVr{I`E|*Hkjo)@zz?5M-MSCeS4nt5*py?7y@`k$A)86BH!We7f6K(s?l5W>M^1F`A z#`Cv0m6N;s6p+)Z7z%T83UU>ebtf^^V(MUC5u*WZ0 zy;w_UNzGV*Q1Q2Xndfd;jVnBv%OwX{WeQcfZPgIxYKqfv0anaNGZDi}he~oKN%$2I zVjf?}H8=7xXDWlguNxD>y)=8DMn+h3y#!uZ7Qv)FAEZI68Po%jyh^8!R8^<6b^bp& z@T-a7OF$x#JHoLdMry^0(&S4-7yEehdb!~4b5}exZzRLCu%M6Enda7q9JRG$*^wwI zj3I~gwGnxI8!FbD+lHjIIy>lHWTofH($8u*p#q$oWgfwz`tDs(EN(zhT|w6Wd=)3jZG87lZ~6o*X9zjq&As zf?OFzDtu5r@3uUoKCxO4W@GoaMcHrM=SiIZD6aZr$-R+4*jQ!iVM?GVj<{8mARAc( zRG)JsT(yfhk;D5(a6b%_t722{q+Inq&pz7HO1pzKV$a_bt-@@+s|6?L$T({W>qs|0 z6`zlbwOTTwM(o{Ng%Uo$XfQLQ3B9=}?TbrGm_hX4e30teNoGK2Oz-84QHh49UDn`1 zZculS;Jv32LHc>zMY|pfrMlvfwU~0@!In6+|FR$-d6z5fl(>Ca|AtwIq%VNT;-)ue zKCjRW%b25)!m?;~5na-kc&-dD^3GM(baWtUnd_j*0vfmY_Sr*|W6-FV>8-=td9&tJ z@E+M>&`2RR9&8CE4l6Qw-f8(&Mg09e3Cqqx#n!zByg^H0y2oS-i>(>gYVtRW#4;R> za0p_9&B(+<3HoZw8G)K6MrAhDZw`d-TVxO|rFjc|T|uI1oY2z%NlP-k3+P@ zlBUq%T6lv7kgG3v=(N?!25;mkPT@p!Ts~mcYXPOGKg2omy!1OhYZRwZ&FPKdystc% z7Kc#2n~ZQyp*D`ZgpGLLe=qcB+4>^uMNJXEpc4ExA$$;5JGCqm`;biHu|_aNLQfyn z>!_-;jIVD56GBdbO)+uO5KLzsaEeU*l0X$UAy|9NPn5Pm7=@lIIxG2)6GQ~u61sT%XH{!VWn&R$( z{^F)0*{|TrTPO+-F-D=5UqSPtN7~f3^5qDr2H|TJpFvXLMRdWs|3r&?bVbl&gDbBE z_1+j%k;jSHO#h_iogRk^Wb-;C7`>Yq>mkYPdgczbvfh3R((+u$eBJnHTN$T7m+x1jC|PmgpqxnzRWB zI|xEyOQ(|~SP&+jtLo!Enu(6JuCR4QX{&(CieH+>U^hV#eeCbv71n5R)Ad9UDjZ^v z9><(?vISze>JZZV2zCorIHe|Xax zw-;Vu*6UzdR8p%&%>P8Mv57NOweNSJJFmIikYHi8GkgYBgd*I*0BR{#*pW=+z*AT7t(Xo@nC9HLa=7?|KjLibEyj4Y2vRIdNNr;KAdwPX`bzGV6$LUnTz^mD!&x5&#%{oq#E~|F9wm*h8 zdC~68E$cTfuVQ%Qz34${{Y>dZ4BFX=bcFT`xZ|$R0w{v@ErFCJ>)FyJjhRlQUcbnQ zJ}rgyrQ9A*e~~$p3jCv`pOT9XF(1-?bs2#m)c0NRL1b(%b|%)1pZ3`yLzLXhclWI) zk{3lssHoa@8p_z?bJbH`qKH1lsfF5w!@q9!it-98u3yJPdcOd%qh{Q+Qd}KbmS{%8 zMxX0At|bF^(Vwy3um%5Xs=nu0ROK&ZA;BF74EIHQ+c9ZvmZ9`0(l&ih?75{LCBI7 z(|9M`dN{Q2x7LqP(I4_nN{oHVz)t)=W4)&H>N%HYMUSnhf0mMw-gWphB%Fd*aM4Fk zR4M#N2Y6m!7xcQgjfyY$ZVbp-7CDK)nh|}p~tMyksoJwx{6%k_iKGiBX>dM{Iw!Ne%m@p5md59n|GQ?Q)N!Fe^dO zsgff8pD@D+%&(Jg%-6HU@Kv?gjcugfMWbXHcVI>wrf`af%?!O@KZp0l8B4>P*#2o} z7yn67w{~o|NHo4$Z-Uc~{I21SSbwB6@mkghg!Sbm08>gkTRF zxm@MzEO^$Z4rkq;+zfA^JZk0H0z!*FI;ZlMU~(>+WZ93x-F8b+5x+=!HOUQE{)T-P z0qyKd8xm4jkhaQ}f@+8nf>31SCLDL%K)&NQZ^Y!Mc1A%#UthZjBOHJg+pRbMxtq#q z{m#!YWHYb?Mbq&TRatEoR}J?UUY(G!JVbv-vngg_0-2>HqR2C#pKZcVBT~)G8=bg9 zn5^h4Zv`cIi9R}n{$iPkeWR%GqkPU7{p8EXuw%%gn!Xs&jOn=_Vv`A;X4C+7z95tY zO&X|-m(AU?`-f=rQhc?kRbEz#FDOo;lOl+;0pDfpY+=>!XN1|F7BT}Pj3nc&P_v=2 zgablWNDrwJMi3oa^!@t<`f8jt1?Rx$`Iv>Iig(e^H&s;o)CVHt0M%jSAH^rk3aUv7!LiZ*Xz0io?hP%9yc z*GWfp=aE-~K3;9lucry_Jy=IU`VY?5$@At#wyO(S&&^!oA;G7(%LK1n@T$!?%TN>3 zU_YkYi@xcEC~!DP@NH=*g+jgv>ugih?89cuQ94@Y|1_Cx7G196zgV-f^dh+2n_^Lz zRUFqs^f_u4q)}}&(QW$6Jy)w_bVL)!QV>0>V1W!5O%$K4Nvav;-p4N{r3!(G72jVa zXgo!4*sNxVu^~|Toe+o#fgW^hKlcjUq>_ic`i<16Bwi-c{ixPZ=DJrt6&Jiw6!_2J|gpNr;{(5p1C5zG78R>Gj1QnuBlfX4i zaDtv2EyGv34v(#MwrA}l_Ifmz5*pIc{xiMi$s!`EeLxzKO^cX3w_U7R)egMDvFETe zv3pYH#I_IEB`+2mH*{8Bq}L2{t%tK$O~~<@UJ2UuCtox)qQjxPBl@C0#h_CVMSP$C zEZXhGdZvD>mkZAYh^>YmI4gli1?WfqAKKnBEb6sw`yLQw5P_jlx*Nox zOG1>CltyL@q+4PbLb?VdB?UxU7#gK(NGVB08bLt15#Mvxy6)><>w52ZJ4Ly<^4KP$d87 zgV)#$5z)%f6Kf2{XT8h+-hg4!US)X6*}U#t$Sga(l!^rggVpGFtA-Epdh|PAo%qY0&yq2t4N3i>zeAt@1&*fAbTAJLW)%ye?!gZ;7kNjkc7y+MC z1Rk2QOPyMv&qE|z)L!Ip=5S7ayYR;mZqs_q(`s}=Uka}b(^aJ@2L+$L6RII%ZLrZt zd^x`~_zpcu{>maYy8=19Cmr+PlwiTVLRh@@#i*T?}a{643ad)#Y5k38BCgWmfe!Oi+A7; z^nZS7Vz|nM6c-Ds=VcOXxG!yNjEgSJ9jZPS1tp&eo%UYDzBT6c^lmM7{HlLje?0Wp z7v?KQKdLMQ9_kYL(PDd|e+wIUD2-_^AKxlP$WWPF5K2YQ_8_K}MbElj80yf6Dn-U^OMDj{*wBMHV1}ejOar@)u80-#l zY*#oVp1OJALF0jO|0xB>TQDx=s6=NDaKgSH_3iHT-VWS4i){q81uQi*moGA=nMHA1 z;+<&$0bY!6`BA?EDo)4b2DhYs#JiM+Uwv)gb)DDtU4f}Lp)9+}oC{I=eMSlIJ`wEW zQM!%o4|)uN9x0_r+wN3Yr(W#PGSBDl%+z{jq_(@i+gp8J2KM}lrDBKZc)lJefa*i` z2W|uvvccQFOGW40y{td9uq&H6+Drygrol$qEiGa0Or&#osW41W80_a1!?{j$2;`UR zGQU3LhasAN|JrSET|Wi|C4uN;-FJWH}HV=Ov|V3ZwZMcVt!xl|0hgF*5w3GH{XXG9%e9;OH6= z-KZqlIq@Sa@$9uqe1zxf;0U*zlTp$b{1=$O?Cxa=G>v5+ zr2wvljk(62 zoZd37o9l=(f}Hz6 z*I~%GyZf-U(g+z?RB*j|_nlc=r;h>2NY2j!kN8a&htKuC*L{78$7+mOzBeEBh$zp)OZuA9mY$qt;T!6r_(E|cH9?z_DId@f<==8Yzs#+%}{QjYt!>Up3N zIL0-2YFD$iUE>~v#jsm`R8m-8>2_%i^=-_I?Wvx&igN4^OYOQ+X zxS9te=WgPHPQV6=7m57(v^%2to=_C#hrLnR{|b7rcXbO+gaY3=2W37xF+!I*%U^rR zVwi7i36dWq zn0KL9*;ZZ0RIISrhzxueo!3c^RqcUd3bO6^Wh0Q?(!aNwV=MF~gIS1%qI0}CkxavK z^!FYXR;f%YFrCfQHYNY0Uz?*_24Tb3?P~-%M5J8lL1#T_{w2c|^E;Pv1F|23UBr7> z_EO*iKZUVGttkBe4KNC&tuO1cO8&x&WL83+*9x)Z5A)zD*kQzY2-1`t* z*)8|l>epABgOuM5`QV>9=N;?aAE&Pt!ovm*soFKZy;wh#-BgANoBfj~Ss~>g=}_p( zr()$~Lf)<9_Hi9%Qc6juoONlJd;J&Mt_e{E0zGYuL6V0>dxFI}mn@wiaI3TMSxRCu z0d`@OacPbi!-$;`>*gE?9rSU6f@klMsI^}6tu}*`2| z&>b0K@0DPvz`RZD2fWCO8Lm^2RY{D^OQ$sQ9dPCLxRR4d@-Op>rnazYf)iuPlD!|j zD#yEZl?EFshz|YUdN{cvVtI&CE|ZepoG#^i0emKin3nW=)`Q!ZmE;5E&cu|8(n&ZCaDMFka-j_Qrr>{+d8*OMy_d+#5%gMGAd7WDyKka7I z-m^HDd8hJIYOt2mQ+YfWL!1bsiqJo(Adn1oK%0K>G1SgHFjT)fOaZC_=`}KkkR-&D zY8`yMo$>`S^YCJzepT71vyZ&VPSLP;Ix$SHb>8C@=9id>yNkc5eVM4wPfB?`$0Zk{ z*yh%gVjn?82E*^Y$nAPu?X_6(aMNnKqOs)4@o%B<#fVRCyN`o8C7V7t*w*fLU)#~p zh2{k5)Whzl%GEapi&^)qyPNc9+bixag*!GDP7lz$53!iwSCqt~)Wiy9r+|PcFNi zsRv6FgcT=)kj}K)4#2Dc#%EJ}&hULP}Zj~uMiwJQn*KS=XF=--0hz2h{ z%WiQuQ+jGC3pmkXDts0tDX_BC62rLh?56WBni}~@A^$UW4Qs$BpjRMrHC1?4abKd# z+@Py>P5tq8sb{CigWPP346CPhJ3i1ry+kS_LAimHBiqjJ_d$O(W&ou}9v?4ReNu7s zkzody=20I{B!+t;e?FN>V1rO(&Ri51{g^EOb|KR~!>4-run%M*TeCMGi|`s$k)PsH z64o(_riq4@OT2n_Fi$(1{>d0lj~F-csRg)$t@?w|(4}^d{;;H4b+!hgr+-*a3&~Ig zE-1}>!di-Qk&5nQp}R6stl4Sl<0)mFq^;6kPQ~$=5|blf5bRhATOVRw9RKiE7a7&9 zW>GS4?I4=5p6!`P2&|`zv?3;|#;tme3R#}i3Op&)fT_{z6)D@Ky|{~}nxgY6L3=jj zKaMEf;Fpu^=k?X&)Rw+fp4Sl)L9Y^VPfNhQ-dt~Q$>wxNH-ZF?U0Kg{gXb_*Lfv;p z86-2@hj-#LF8j41zHlvqUGGm_0h$n7%9{F5Tn73y&HPhzyx`r> zCtr4TTXSDTtJ?prnVyXAb8|M0ptbN$Yktea8QIS*`e&| zo!Yg6?zvy+@1vNI>o3}Ay@M2A{3M?$DMkmXsej85mtr`KxRyN@Mz}{DqWp0Vb8Uv1 z>2+B<&q3&JRD*ZOOW^qn9e*A9QV#pIss4q!4z1*TQkZgtoR+(9^kQAX$T4>brvfrM zZi&g&s%B4;J|GNa^b*Vs#g4Zhn3vYulXqnlxqnt!=Cmm&C0wQ6;n#_T8CgW??0)S% z%{XQG*2@`aJz4spM-@EyRR%bFB4;xU2JddfPSy$DAULr)y7-F5a{Y9I0^L>?A~gFx3CX0 z%Z+W%zyaEFYJnJEmgBRT-@h!Z#^0xZeo_M?DcA#89|{6z8fub50O54(y!!01$`K74 z1U_&LrwILA&>3<)h zWoC+k&jsw2)aZq3);kC5le&eHB~ZUJMG}?Aw6B27pL-{_D|9UQv`wyJktk=Z^Ynif zy!IwQ>(gA ztf5WISSL2P{_EF+ZFqW5oAK+srPgSSl2g2e*gY*I!0lAMm{$wMN*`O^AXoH^&phe@ ze+;qTu9i18T%%@}aKD-bL?hxCbw^C!`%{@ei655t%@WSY2<>f-bJNqVfpA23qhnus zb~*G0R9||wLLumOv@HLDU+MlDfvb;cXjJEPY*s`*J686(ddL}CBXBGTb#Cx7rV>4l60`U z^TTxbEM&$73cBw>TAg^^=tn->o1+{^W|bSZ4|Zt;R3BsNFxO_SxAV0_;rt0KOt)oq z_r33;%p@gWFBr#GeW)b1aeqFOA08aDFTU(~P_Jy+um6yA+91M-FVNfgd*8(>taK^N zt9Vkj_`_vpvm!+n)1L^8VF$b0BE^VsFxRZhj=SoVI7AKQk_W zJi-0`YZl9KW#5v(i{&$cbifpHkCa*T?lSevHq;eueAE)4mrkp|!hz!Z&DSW?Q$>gO zppI2c6990@p~qKKxK+B}V+2QEvf9NGQal#XF+nUm{K$N`30Oa>Do3KrZUMhP7wGB+ z-GRD$k=&xDE!5cgFuQweG$-ka^5&WG@wd6#7mm^6>bVE;198l{&r@ZbNmr!id*0eO9qoPR?IDx5QY?zNRCSJ|___QU&`CZkiAZPjvlq8f~9Y=9SZ{GRwd>0OGWO22eJOqGSI5Ui-mGJ5>POIkiQqHH*g0SsJ@E+sP@vUacgjlsX~RCohgzXG>H%LAAuc# z3*}l;_`MSN2XwRK+be6ReFmR~v^MQ$-iW+Dk~X2Df@&mq2ZJ}6KR11+FBK8|%GLE^qQwS44aNI_&u{w! z_4Nd;uRQ%Wk%E$)m7$Dr7K`%pu_{j6Lm#X*l&>J4*KOTdVL!4a2@jKlo4~K5HGSaS zT<$j;X?<3oS847=(Fm3g;brI0XbPNs2y>6c50%Eh;%!^I@r0m4KW1>AJ+~ZBuPzz~i+=kG@mI`!_D5Y8 z8C5D&^Y^eK?s{=KA36q52NkXYWzmBHp&hZ$V#@f8Bm%=}y*H|o5{KR-vSY-D$HGh4 zy0kGcn%x`T2kY|sih;jYpk?*xoeWL;!1p3AtE4^eSfNA)-vb9)D#W8HucF=%f2E}Y zGr$$UeKNp517Agwmcph+0IX;>9zO*j=?8P$z#>ApGSbTp*QA>jM+CB;R(~zuiY)?8 z%Bqs8WK!IafPe`0L3i?GiSHGTT^EIeBrrFY2B*DpbNs#tU2}VJzSa~?@}iyHPa^y{ zBh!x2V6DAWK&XTSj~h~5Ej7RPPr8ObSQKw8p?Y|DTluwdBHP(~lxgo$a*C`yG`AAl zu>psH@<%V*2x`LAb}^})l@rb)D(X>TArm71hAG(Tahf>gcL_@^!;Y=&+Lb`F#aOD^ zbm~I2F|lam5|(a=t_jJoocqkI@8;dlVz^FOpw)bny~GiMT_PR&sq$ z0m36H(Cjfq5Yva_DU@a0?N(uVR7xMt+)5`CAm_Ed>s3N2v)%oC7uNP(m{ga+b*F>L z*A-f_6O)8l-Z>FZDCu9uYE@4$@21Z$sX$adrVFDAr(DNzlA1U@VyzR!6KFz%o8wdd$(j_#%e-|LQT2#S`fc&rpD z*iuG8(A*J0OQB^`r03P`?;~4R7n|F15RW0uR+wjF$$A zsw@!|jCOxaVK6j-+D^S=+0A(+E97YcerhU2+;O&9vQ)RExBB<_Vbh2sQ1}{b_y8Mj z!@JP0ze{=NcI42iLk?(t$f*}~^L1IKtH{ON+krnu$Yxj=j)L40$xoQ73vf_@0_cZ7 z;S~QATLfR?(jp0b57YX52(*R>p9!BkoR}#={Gs(w1eC{~R*>x*?e4s40lMj=-48G* zI=)eCJ%Wg4-s3JB9P>?asyTYnLNH&?wLjFZ>sO3!z{4>XZDE1JMc zArmw|owsFVkNcY18px#6u9_l$YAJlzq-qrq1l`^!^wWZvOIM>qdO#JG^Eqt&8IfPg z(Mk?l=ZSpb`ma?j-^;+wweelbR|WBp;1SSGdr2zE!+wG0vMq=TpmnzvbMg0K)9;Ig zUs*waUabZ3l$AtBg7i5Qi~~C>s84kK*ess*rzAk#QW`<7-3o*h?<~ir*dthFWw)9y zOqz0n3n7NH6Bbz3)smsUtRGX=em@eZMH>N`Htc%1;3$AxM!CjuPVAD<$H)2<$7d!pM83Z_Rd5B~+%mHrlYy~z6H2f9($wIMbjU=o zeYL~rKR9FHcF`00aSAI(;8sS;Us4I~|MqqYqcC}_lHtp~r>80CACG&_!nXr{zm+f+ zVv_7iGVog63L;c4k~l6HWx&|Vk;d@^@2uS+JTF$OyZ#P6XsvlXWJA(tU; z&MXpd;WH`n4$X7P$?p7?(NEgcGE)niQjMGnVvfd(#BYpl1u&*UAjTyZz3n5<;5Bd1 zaPpAkN{SMd<0`Ic$H`b)e3lXagenpL2v@I)&61^0i zx^8gS7hqxa3^Svn_m6pIKG4sH8B7zP1`X!BcO!8DhFJHrDm{v$u99GNRwt;4uh4_x8a z7*fxGc^kp}s)uDEwNBLo9U^=d49=VBx@Bu1)xmeU-=4tLfH9t}Dvn!=bmsKiVY#&@ z54eEFX)Q71SD4M$DAjHSauAZo<)jf4t<5*29Ij-@ct7Q;_ucV|eel{DNV|rw%ePAb z@!!n=M#}y>5Dv7=r`L$ekSkXMKD+^ehehDMD?uVJKCzq$1C7v$bTOTrhpX)XcE4JX zn2jk@S$e9ZQo*XGd|@cXf@GVyxqP6#s95K>TwCRG!_m|~^^5=bnUxw&2gEY4xWMbK zxbQ2PN|+onC)6_gM)`AI&`srt>%!j>pz4)lr1atsb}X3~$vE}Gv=HmHRFpCSf<7Ii z7f9A?+egEv7YC%*;+aJ-+DN!aXRraHe`H?G*4g>F#!jrDSFKrjLg`op(@@INvxOX+ zO6bI0!qDh;m?3_g^7CEe%H^&O1~0s@XxUZ<2rN#P4N|p@6iEFq@=3(M$R`z;6+l*x zO2`y9{Wtj}CC(>Jb@xLz3`aiUgR=}%l4a%MKbkp$SSgtlK#o31ZBiBgBw$IPD175& zif{p>Q$_KO^@z4s!}MYVaG>Anyr5WPZ`Sss$c<>^o$s}8^fIE6SEaH(2}-PCxr3@c zmg=kIwZsibGn=FK-ALN@08MsJ>)GRl{geGqC$6L?!;P$^MTo&pLNGYuCmBd}XuO*L zgWKPBJXejDB+1&s_t*Z`hJ&xvhzr9yP=+OT){8L#8xVhX58rSY;eUAnkVnr18LCLR zuTS7OG*1@gmgyBB9I}sPiKsU(kz9)}iAC4~eXy3svl7nktiUVo;3>t9d(|kNoPv2o zX6$c6tk2X-Q21CPQfHTd(eSN&uCg9r#Jh1J%qR;hzood;1MEqF_DrJ>^^K~p%zU?S^6A&-YZkw~3Zp}XIUYCyuc7a)IANPDAmt^N0lm@V z16SLQd!1mgd^mC{o0tg#6#jfH5S^^2@cO5n#EldjVn=H8hAj?ofoLkka=Vi;>@;+Fl~VECF_Z45 zuw0dPLap{Sgre!vV12)qH2AW4&0$33$lH0yl_B1Y`H^hJ9Cm~;cUM`J9 z=Byx5^R+o-WT|$NJf#Otg82O!ka{2`x zpf!0Sq?_^y=ouMt>eRR36^%i{s8~5@U+IVhK4FzB;#Yc5gj3M>y)Gz!!zVCR|AUN4 zT3lcC3@djYs|T*H$h`Pm#V1KM)Y09sxRN-$7p%!u3aI-=L6YzIYUf5_j{5A(VQyRM|M|1ti}-?f zAZfDScej2LK6s_t%WE-{!0v~RG@zVUz9=uQYA|aW_JUI<-PY>OxP-x~=#1wj|S)%@ESk&|#Tp3wQB zc{G!W@tV!X6IzX7V>)6(+J#czsOma!fK2V}0LZU&w(tat4 zQM4VNQTJ*4$ITZ%zkWen{WM`G^-8X~hC<4LcZb>L1^y#YmH#|#`)%$i(}%{o(Zod& z+QWjGydDAZc*+m^j&=L1PA@zpI<51OYZIkG8lvCIvX<>WMI)RgP+&pnz%nOF)Oh(c zFNInESB!(tnu&k7BcKs}&t%5=5kJ1veWm<0^|zZs4SPC8s-v5vK=$go{!{4V`m1Ht z*u&zR9P)+3(;#yAhX=VV_jSLM=s5t}6J4FhpSoh%+k$A#ll4z4c43=fRWNPv;|qr( z&0jX}>$sK>TR>Y63`q$~WdgzN6aDIhWh}rYb23HOtis|CXMBBErmAep=ZFvEJPHew zG}=jX(*YD^U8(-|hsXoOX6R;HzmJ9kxujybS9K`^sF%;9Ot9X^sL* zBdS=+3Q}%}D0X^_;h(bg|M;1FFY6#kzqEDdD<){O*b@?)%p19J;tm7E{OzW(Ybv#R z^D+oJe5S+G=wZ^XCp)=NxIEpkdE_*%Kf$)53Lts+|cOzdCT~d3gabdW920 zir(H(@yz-s!gs?f9a2jWRltm5kUf8FoGju(BWDVhO!$MCY+j(TzueV+aVCCqA?Q(j z1lq@|6EirMSp6E@{;8ppazjTVZ4t#-F`_S71TWx8sd+=I*IG$Z>>(d{6RSvmqZmk- zJk$^NAWX%q=MPmBO_N@e)J8JP$%5Z!FUbXx*Q{p)86=&T*jVJ~C+IiV80t(&I6Og+ ztVoI{bpKzVvyCs}>;HjDdh5|2npCU#h%ki6zm&t7UUIu;rOk$7Q`KdnZE5(W=khi! z_A>MGVy`sf_zidP&dq1LSj%}WODremAW`iuayg!oc`U%37O|wFf+|rw9Xh$%YXOe6 zBuKg^L~y%I_k2RbXX)uzE7m)@K|!nn6hqlnkD^#hj8e~*@h&od6!Gs)TgMAAgzk#U zAtw1U`v;`i7zJrDm^?I(Lx28LP02}+tW%qaCDCXL-SZ94^0}dsncR0XQAQA~M{Ff9 zBcdTcDZ5G8;cGe_xEeIvAwzf?S5Ej}#xcq+`>nA4Z=O|y$UmF*N1a$3gZfz!R<^Ps zw#xY@mKXAfS{VcpLbV#9om=TE?BzKQVea#$-89~l6zKX$JCtp1PJ-}(J41*OYV5tC zr!$Lt=$Hn>$yDiby9y%Gs^kZv^sM+k?QVF7G^({{>e0h$SQ!PIpCMg@j_H1t)ki!$ z7G}I+5zwjZ&#u5MTql~H7dDw(+Pzs?WffgDqJp+cLw7JZkKRTU0+?1LndnZ=sNq?DzUuDS zCC&IF#Ev#<>FpAQmioa;8K)dRR#oJ4c8$+^71Q2)CNGU38~u_}skn7_2%{)i!5jKw zxK}sG@4hZ-PF256ZY^zetM#2Nb9(1gvfnrZLM>ELi@|lOxN}O}s{`Z|gqYf^P#@dc zvT^eS3lS=*6plOSXz`@(rBFvN=veR!l{gU18OZx8?ApR^LnIL+M~N@B!do~SdoXx0lX(PG0r*Eg=cuE1dK zbZN;dNl=G~z_EMe9XiYnWAFAUOj_%mF``5gi)xt?ot5Ri=movw?2d#@qj5zsLP3#@ zOY6ayk*8${Qj=pvXGJUnZ8d1Rj?|!bu%wS}g{04Cjfm7wIEtu{mZ&*xAVXR zrOwYwj=G~g0G<2{^iswROQK#zf9(;b?_^vU^=%2bSR-iOM`2n>jk_jm>AP-!tVTSz zisNZsWsnK~2btf0`Zo<4lUo6!T5sWL8Jv9<48q+J!R|LFNt#`C;#K7mf=IA#Y`Bsr1_jqK~SSjbluoyvq~VVN7uaLkTI77uyzKHxYE5(c9NrZWT6a5R6R!lNS3wE|tGQ zsC=GgdMntvxdzPEJIa82&r^Qn-jIso>A^@fx@5Zd&)uJI+K5CaLyX2+zcw z!61JO6a~=t+oi?T4qinqPeLRq;CUiGwgPg*^tJjEF5P1XLr%P?^|5X(QzZ^%D z$7#CG6}RW=5mA0{^X7JYu8Hp8M)?-=>@)m(&F~y#-*W+}4g-b`tY&pzSh5PUg_5Ap zQk-T9{Q6jsj1O=GhI3nL9_O;l1!Np+ZU;cbzjou3hw;&X`?cM_oBQYe!Xq#T<==Ii zv0_~1BmhX@)Q0~%4l;v37mNIz7|`w@3YQHYf!&KvueWj_RgloB9=q3$+9>|M2fCJs>QCgovo|!$K|R^^CLC8J?N4h8+2rq!SQu& z=1CFkx6r8T211>~YFIi8C5-jmsG~x8ASX06Or{p3WAqVBOC)ZdozbH(EqAoevN}APY z-J|VPljc8qIRCK2ekV8K5w?DvN=2f*f{j*zpMHt9G~9ECl9+yPZ>ZbiIGb;2bfWXI zCddnLe)M!WKlT@=4n29b?b*T&j4E!7>vTzis(RH3ybz>7=P(A3h77WY#|)z* zrZVQor!YA=>Si8hIR8)=&ZuvsX`7Jg>Hq#LJgu-*F>aq6mMk{ArKTX=@pz+0&BDpb&f+*naw93xvqWXPtH=XPOz;g9E(_{J z==WxGy63D^-XUKkpeVt)bU)NQ8?Etj4QHp{pq1LU`@^K$eBG*w6qt0UsREPklk(AI zoJn`DG|r^E=6Hx#uDTD=WLSGz7=iAvTco=dlIBaE(L{P*LmL;=^;_ z{3es|J36{R(M##IcLXw`16&uarb{-ObcS(UML>aJ09W%lm9Jqmj z5OERniiL|>MD`Sd_!1gOuI=<4(Q6Tdorb94J2X_jeV_P~#I^fa!LrK0OWnPmfwcD% z{U;NxRd7vIPbua=L3+D-$EQTO`q~%5TH|L|;*{3NzpJk)gW`fOu|G^BC&*8OdYX=y z!iPRpmi|Gvva>b9_HJ{|GsSRTmbVYpZK>kKLw9Z($Z50-uawnzIm0py7gY$jTqbOa z>nn#x;CW~5!-i{P41%=B)Tto*Iy zqO%DX-uLrL`sJhNTRC7*hf&7nqSoJe3|Bndh%z|k1a7RYBsovaTa(41K1w2gggn0} z$C3p&Z8izcjdi_q#YPdIyNP#iB~(SAISzQG#FFjeo6WAidu6fKdm$=AO&q4Rb{Bm; zBy(PEAg%pmP~|h9943q%<2};&n4Q_SI}g-?HM;AEVc3h`J`MQ`jYa_cYtiAiPTCfgiFA~>Nxxm_uK-c8M)WqiuU&ji`0hO zFo+F5gfwa`g-RIeN3os6!WEXLMEoL*CL@lst;M%BB%%>{>uyK`fs9D)N?XJ$vg(yw z1d}%E_(ta?ZPXe!qu|;*fM6n!QaY{@c5PQeN1HBc3%KrNDVIiw(4HGt*ltyviS30> zrD(G^S}WoXPJuyCx`~JeJweaHQh8@N#(le|>3XQ3RL58pqF5qzrZYrZ<%&JaHr_)U z9qH7}#`&VCLP@c)9|>}qang(Wr~_rxx-!9AG_wR|^n@ytMuv^CagP%3IuoAs*KWLK z-39=N{n7BE(fR)-lYR3FieoSEnu2On0R%Aqt5b+S@QVMg1S%B>5;^g08y00x=h7i zzi2`KX0YKd>M94OcfpwuS?FX?->&zVaAs&3zA3M2)dFj6K5cfXQXq&F~J-9zqwk zNnRS4pmjH0D{>_352HK4D%CbD&kbl`tMmm*=$Vfx$CsahW}pGQgrZb77UDs8;Xmuk zf5(42Vw}35JUypB42U>Xve-`NXt{E6wUIcPI z2sE>MCw*41<@+lp^EkdaBbjI$}8hO|ExPi`d>a#@&D};1@(+q1FeSYo>Id~4H`~6RTi43V(?P|9SI23 z60x`Imo=^tJ$;3$gGI>a82)l`0ZO;GL)~22Q|e|DeS|OJULn0g9pN!?{qB}NYM*%N zGegM^kKFkRb*gMY264mGga)0+GIX}l<@+Z_rY54Hk9xegOEpaYz4!0^87miDHrGGB zLo;1Q2{EBUY5noQ{_B;Lk6;CdMDy|+yQ$ z)T$yRuqp8Rz(s!|xxL7ehR!k3l+PId5l)OxNA-4mNE+DcbSy7hq9{-m3FU8C&gLT$ zrP#+{JeL$fkAfc+IRrGyU?2TUZFo@B-d-;aeZK9pg-2qD&u;dW_L73li?q?C5RS;D zmzp*mWHN{j@|>H6H>6Jfbh1%$TICn=Q4%AdFHv55#f(ulRmvll0!}uDea|&|N^ARu z#>L%ln)DB`O}Ius%mn)j(T0^>jmxjy3%GD;nZ}FW@gINdN(?5FgL2%Y@wC6`1!z;s zEoTh^Y3TSac&8 zgO*WpZH`{9tUqL&@p#~BAg0rQ5|||3I{8-kLf?Yo((Z~X{Y(Ej=BC$_?%AG zm{`zep**0$cF^Wm_!}P!PDUA zfABP5+4>(n4YmR<5(f*L_r=3*37Ky~QPR8R0QdD^0Y;_cNfeS*uF^=xVrN&of$ zWoP!9bnIP@JIgRvzbk&W=I48{NR(|Dnu%4m+E|O#w*!0ke9vv}fz!Bq|8RBC5GEROI{MPOs(S*V zB}o=}0@sJ~NJ(w=q8kFx9GdK9hB}UibHI zWyIVW7avAo_2~26dLbjhWlwf1zuGpy=v9bmUlZg%zZ;Dfk6j>nrk{J*FB8BW-7Dy2$Jknc?+BD1aqHb9$(p{vBFOHSaCNU(S&OvhX@x`=&H9U2M|f4Y}n zW;HZlHXqI(xGzRGs6HvvzZ2dJq|2?5TF>5Ylr*(m+IH*6yr5u3ia!f17s?N}?WaEk zxo?Q4HRslm9|5Ut8<@1}82?lRnQE#xk)6;CP)1TL4`gN@Oar4r(Hh?w$2OQ@*`qsy zGaDaVS1An4+(v^XJ|z6{eQPLzXsJOk__roq{tW`-3wVx6X6|#FuT+#)xH@e#>)W4D ztZL-9nkmfQb_y$NXTH7qHuK9a%P<58eS^mxmu)edNw%eQ6BL_9ZgEVKANYzK4o+32~t1ihH2uBQLfNj zlETsK+n=OzR4&_HX&A$Tm7wyD@q+~B^yPTD!dE;@7bZvM+d86hl;3jGh?xuXo$OTk z92az4!XR7^h9xoDq{akN$JV5b9P-A|kazgATN5AjMDR}(;UJ$c^q|$SI4LS^xC(qp zXP$N}Y+tvH=ojU+-U7qVkeV4r#!jtdD%rE6xa)RPdxMU+mxtLO=kt~3x%|4@3230_ zq-KsakMDeKBM*g|ddvmQ#i}sfH#|G2X(D+^Nak+J;JH7?pfn)~0I z8+|0k#|3C6MmFZ{y7=BtmN{z2Rp!UN8J?l2&}8{ z=nb;)k4~Ggl6_ekE{R=Q53YW-VF>;bOdjH{Kh;})FBd?pi2TH+U3KXIpR^*oRgQBD zE!zcV>U5wkA1XfPPcO!t0{wmNrqZu%kRHn2wI>hwm8w(+CeNT>iL=#csRhmQU>v@T z)eTpyy=lRP>6Qm|f8*5ywM2Pc_gUtM)bs9rc#AG%qe+XhZMLaACQ5H5GOLyn17LujTC#k{H2r(dd1Bl(ACv-cpXi@okl& zDqdPAkF07<1`u)eNPV~j(5HB%>w_20)pn%k!OLsLJc2U zN(1Axq`7Pdn=D>#OqU&##A2W(dR~kV9w32vrb)5!y|w zq@rdGRtVq^{J!!%%|)|y0jF9P2Ud@X{I}nOsxw-V zwAh(uxA|Aix&b2uFYbFqJ)aZ3)7VC89>)pkw0wu9VGV}EOOf+;pPM6WhbGV5)lsn* z!c>?#I#kxOt7t{Ga+g{Ov(U3ew|ThEL+!#^q$T&mI8!J3kIeUS^F}3y#EdJuaB@0h zam>mZ*Oc;QmL2HzbKpH`O>%cf?6#Q#@?mx-H z?BvjfJrJS$A_EH%@tS9>*!(}cRtv;3jl;^2#eL*f z(xIT2;zQ%-xn&CnCc?KJi2Q8cW4tDgiN6HPZgp>8n3;-(6mNMY+_6)HJ z${_jYxKipGbEcg*E~^zcu&+bnO6{cu+3ISuN)Eg&phtV*0VGkB9AFEWcG!8lQ^3qy z&t*FH|L=7H?!T-H^f_7f=E^)Os=7X4h>9eS+U~_#ntP4qGOUdLxh@cJTfdTJ9#Y)= zz*LY*$_#kA6XU&^D1*FYA^dY!;QDSTk^ukUL)H;%3L9uVUP*?rG&Nw z+Dx+pyI-!IeU2l{cLRSNPRd+ix>fe(cbC{V(x#@RXxpD_Dood^r{E*D>*=}V$+w>C z&`G)58oKn~ZUgl4^2(MQ!=_-~YrZV>kzCF){JZ0QB>Lu{Y(TvJQ7S#_iB zotgLrA|hS(`xgX-w4e?&*lgHMkisv)!_|cU?=<$0Pca(8L@Ue(X|)UR3uz9Ur(jlR z;9XTFpsIWMfbjtl4LYyn>G^@;Njj17!o}A4)n;3b>gxnsHd_HF+QhJtxD0aiz zCnkA>M(O4lwVEONBx}10q=Bh;w8Y-lM_W`sudHA|<9&tJcj0hD*!sKAdHR`Y$NkwO zou6wC_Q;LN=d4OHJXaqhHeNp@^)I-YZG;wD-%=@lf471|PE7Uq31F;iqb5bP)R#hr zvQq_RFt!YPp<}HKPkK*4x%|6&z*4JDPY`?nkuyr$oL}|uA1PWuXwA0QwuZ2o9J^*O zrewj+4~oRiF3#N-oH@RVQ^}tm++FpayREoK2p%*N|1+HbJrqdx7jz0XYZsy&0a1nP z*Cl#e7*66TDN0Nu0Bu*0bX|!NI?;WnPQ_haJ?Ecu{;rBglF$478rSu_8e?x^jIJ@ZYP$@>BUC&MD@P}teY=IaRoZSS=H_BX zcfAO%nV1i_1o_WftO0uSun|yGWGeYUaFMe&ck=~oNs?6+@C&{0>6>Svqw+T z?aUkk3ELIE))+>~=3CH}G?}cIyVK5d)>jHfWq}d>4}awst|z}^2Hk=pZz2xilF^=? zSRK6@fC91Q2o#`eA^qzwlWT(DiaNEfjz{B5E?OJ7xS+?A5Z_VQG%?Bc>+RZo)fsnZ zAfZ=rnzXhpIp7I7j&T>R1SE5M@%Fd=9Z{oTE9(L@M zrt5To-t?~fZ&%=J`Pe6^j0=)s zDj(~jy5TnYcY!&$E7}mfIlMDw5!~#5jo5$6^K1lHZ?a$5ush%G@3?EQUth>r*-G0s zrI2fHic3bI-+jtIQp16r}SX zE&@7Y(g+S!64Q<^s>xkvd804~YWK_DjyabGR{=C6>-2sh@KOB0+t=^voB%mI2Rd5f z7cZw>2WG;Pn|`$Qb8Oe1Bl;{Nz3Kcec5#?(-J@SP`sUb^jPxwri|y+X(_nzWs;Wgh z9k2DFVEnj!i4C+TndZ5C++&?LP*m zI1#6-xM&H&O6FvO2e=abbxRxFtaAW1CA|0{MhTC%y3KdwEP5Q;UwoA^2ynq+QM;#s zqf9W<(}eEj3mKmqQTY1w~SoM8+gzar60RjHTO!`w(aqDJ^dD2 zkm(M+jH!aAh+``veBpJ&Es*(;D@9pu@mGS9eC~&$4o6cXAF8{p-;lcbfp$5eAz0)t4L7^C$hJ)Zh zw&n-umt~%P3NFRwNwDI*;IbvlD%V0TL!H%(mKfrp(zu9Zoj!`5qxnalO&&Hd{+R2p zjwCfbBgtEe1hhVl35OL&gMZ$su;3`eye)kx3j z7J}lQv0{sEg1!&y6fU=S@*_#l9^P{dd;tY?wT9M%WHAgMjXejt6~1$G)aQQHIuPQ3 zxwVf+95u$qmY!AyQD=se5lN46mjg=3BB=-Sqp%AKC;1|nk;%&78O2N!C*kh*JS6}o zhj!oJ*;$&{X8)OW*R@$dp&X8-E8UJ}0!abV`dLoc>5KCEtF%@3%2+N_;!nMRrZpyu ziD-P@br1Zz9BUHn0LWm?;MW#O?)$>J<>qqKPOe=53F7x5pVXk1Zh#XcBP}TStMUm7 z0K@iNbLU}$0WPR(3I)8%RY0lP0zm2S8356EsaBz4Yd_x;ITr=6!Y+0(EdYEx8Ti(p zE;+2{Rouv?Tkyk?d@Bk2LMy<+u-H3km6;gL$Z_Q)Q2sWD?&iug19L?S{)Eqndz|b% zsRodw%|GJp;7)3fWq!U+TXF3NprGwxs3V2W95=|^>;$Du%sxu~@3y_+o8f1Wp= z&(+DL3yW)JNr6Eh`4_xxnF(S{Lq$1me@W+nek7a$O8xly3cm;&;EmmOI9tuMAQD?0 zM$FZ9O(g?!6T!a$xa|f*uHvKg2-RC2kh`o^JLk?VWFkaUnS0I0JphQ6K^5?zJ%LXj zgJCVMk_)?y-%J-=`>1i>yve{ez}fxlpib}M4dGg;D+Z>#x>;>*MiGqkBWBV0`bC>r zW+L*R#!w5WbV%dgtQ{gAxn7I%Bk^M0suoG`Jj1la{!Uwy*JiITNcb?DVI0g`k)75L zmin9w&cA3|oQ3sYLSa$unTd`_taY;a{;AR05Z5eVT+EOV->kJh*+v`QcDBB}d2JDc za(cT$d9!T!{Git?jo%{KT?Ts?Tw|@3=@;qL(9zckQA!u3@MzjARH>+OT-ZHk^R|_08Cc4WzSr?HcRXDq!e{OOU%InAdqEeH1{iqYjmZ$+z>HZunsYMvY} ztBKMs*q%zHB{y6dTaE0)r998llZ)_4Agecmt~)c*)UF2N2=3ie>D?1nqyX1ZmFiJc zJuGM7L_rEC;+xARltujEJQ1Ga#)L>(J31A$M%OE9f#D0oF_hk zY1-(meOOYeYZ!Bh+OKiSK+{0|z1M-k>GwxK!N&6?*!tf?R4oGvOW@2(y4JSLAz>N+ zAJf&Yf|8EBr_NK2Qj+~SeL$M~-=?bsZus0ET5-NMd5jStley1|b!-AGAUhUGF5O@T z;UG1hcI?2r+>dQc9HLb#(EJcTM!V5Vi*1Re`*9VF#id5uMQm~A)NLqr7 z4?bQ8ict?9F?}Z-BqEYwy9t+(5x8YC3;uNdR7&P`I{PQDNFqh5lYV=f)SQe8=jKO83~BqXqOiH zNT%ai1U*bqAPysOA%cOJezYsR9FKEl>{;UEJHpP`?`tUBrJ-|TP9Qn6F1_XeZ41AdzSvdi-%jJ|adUzi zq>$)hqL(rsa zh`Yt9Xw;|12BIbXFmqS!mP|a8pFDqL~+Fd$_?k6_J8EmLn;vTjNvljSB5DOR@n3qF812jD0x zz*2Qcz|kMIhT^5A#sDdO%{LkUyD4GA%C3P3$R~29W+6K@dj(yB@@92W#>+x60FC{Qtc0fH2p)^&1CZHfS3;J zJF^?xg*x)cMN9x?Zzh5Ny@T3;&!=H*R*`kcipY| z!?t;hel()9Yx5+@l*gQCeKMMO{jf8q$`iVYY#=>Fm9mBDn9hiMAB*MOSX3Wg=fzCC ztoZ_}98~gYKH23Ty6rp|(@!#CciA;~F)g__@n|jKan0AQ?%N-*R+dk+3$6s*IFxHu9Ra(d|(e(pHvrdU$an^ZMziM{YcgIVt%YM}+m$QRV`$0J^T%4gl zKmXzUfE5U*R^x4!rj$56FHNS#6)JXVZTzQCm>&<%GLb^#Teg88r_T(N>}HQX zG142`Ka`ywC6dm6T*b#nm2X@boy8svdRU{=>S(fa9!_e3Pz;$Wdv;>NxUuD z%wEzMu2ZI-hV_|*P3RIDO=%YBKhMveJChde+4?=Cxn8Y$4o`%%<)rrB^y)KE-kbjh z@RxaaSi{_!-4h{?7hv*5!0TD8>6`BVMRl>qqz^OpI0?D&>LB@lxO&|4oFz4URr0pW zLcPw~?t=d+4lnvFrtW!ON*!m}nVXAL#8p*t{3vU0zb`cBoBJa7cAMMFfh%an02DZ@ zHmF%d{=Eh=3YGm10dVt&+b6CsgNQxYPxKtJXGEEI;w^(&pT$eP---RvcI`FH#iSGB zL}h!nm?@Y|DWYU+6PQE4R&n|{KvH;Nd%QjiT7MSFkIXy?$~-~lo-DX+{N}KZ%XBBnP$y#Kc$#GHj(AuR|owc;N{oR^1L8&j%Xr z#_~XT7Z9fm0VE&Qckc*ZOZV3)2BKn!P}G7j z3nWEomfE&mw9rfX%HAo@nUf)&p#KYy) zX%T+E-9_vj5TF^h)~N3U;CG3Bec&xx?v(OsCJyJ;y(fe9HtP0ytqd~r6Ge!G6{eEq z=WEw02aRdb6F*KGL1rnj*IPe&3H96Ls3*to!`BfRBvXf%1OT z=(U{G7f%%uG!C8Zv>h?WOw%o4BRpMe-Oz&DbT)tqV zi{L^FHh~EksWZzJC=iNKDEJz2GA~3R>_M~h5iC6Ear7K?_f@T7Q}X7XD@;p}Avwwh znxIUbta5}WPu}l6rc16$a1TVXY{|^|yh_~`4_OAPN)@P0c3*-hr;SR_@r@i)?X1I# zqU0A?KoWcLx%F1ogO{Jvs0(Q!6WHY(Z&{P_9B1_alAbkJo9kCzCx>azro zY0JBu0*dJxe!t%$Q{)xblB#ZPGJH6H$`f}!FgJaP651%i<+nXT7??Xebv;QjcBqz$ zrDr_dybOk}>gyhi>bev>dRH7y1yYkVHG8lO*VIGgDk^kRa3;`e3Qn@=IgYipDf!Xp zyP0c!sQZ>&W|QUKOA*kqiL60Tnw!_lfnkCku73{)*W+zn`Eg6nu79@2@+FfgFlxlp z0-OhyE}3!DjD{vT1le{ST}9lN9KI=+WrkTQU7N8G&`AhsKk59|rcPqaF2rRcrumG{ zCbm9j`(ie6wm!KJ&zI5g1yJ64V4v?bdLBOv^iPHC>Q>Eml9cnf_GAIfMlOMoab>_`pM@II5$z9Es{&X2xTyPw%F%Q``Sj>KVs>=AEHvTE0Ga=!*H>lHj{siq^$C||7>O&23 zW}!@g?&iy9N071CX5yv6+b>$5t_3|F{UVm}RHHa8gx`~%1hq1w%mqUR?nMtrMM$k- zyOU#A$dwKrVA}Hq2HH_m_cQPtvQh{Llw&e z{QfNb!E$}6km_j!U5eU#Dn|7CpUNmhB$hlFb$0J_$9F{&+W1RWi8XyO5`uH*feMgR z&1gxvG+tp-2DiyLqHTR>VB2%M{=@!p%l0MqkO}$w8O=?LNJsZT+6ct&FyYWbW}c)Jc%P-!bHfy(ygw6qC&B0!g#VfA>bO(Ik-amcA01NC0*EFf6gpGLwQoJS8SE zlS53~<_?2E(x4aeGH)If0*`Hv;u8r=?+tISn|Xcy(3F#v`$F3N zlNIx7>%kH`jS??)vR;Anv_f9d8h5TcY}Xz0nM6va7ZVA2bQda28@47v6y3>BolaXI z7vxL?%;v4kagJ3w#S`m+K^0Ri;9z?62h(VHGVYcwse z`n0-yod;R^yLi{c0J?5&nVvel>*Y9u5$lW1x-z-7@R%;6%!lI78 zd`+ViXnG)d*4Z+9prQJbThT!zv`&apUH4MvONa`PB&um>+UL+VJjxzncrjP+Fs1qY z$Jt&_0l6Kmr*ihhu5>o;z~U{61Me|eH*39|9KS)k9yNWT%4YkaVaoMzShJa#cvCYB zR8W27|Hy23I9%yJcp9YTH#E5);e_7dA%^6QeiUc4Z0So>Ue)NnOf0>1r-{@Rt2 z{`3K{}vcBxo0_m+P4*@YF&EoD&Y@y#++ZHBv8zVqIwGW95N*^+4i-8=o!u8N@j zG%a}4QQeQ&5Ci3Lh=fBQ(M?!Gs253xODKs49tbniWs`Gcz94x!cX$@roUaO1ku!WqBfg~knKu<5$M0DvaHGwTAG6q$t-Sn?`hg>u-x!FT?;TY31Gm|t znODwn(*=Gs?G3a)o`3q}OU?8=NsNW39@{%yF{D|5pN3ts>wPdC^-$A2&9 znasg#a&H+?Gg10oHckbgVg3>Y&)jGs@c`zV=)3ayIum5NdyLSQ-B$(oi_-b=Cl(js z%6!@n=78N07&wxo*Gx0ALxjhF4&@g_C1^6PFrE4^z6WsrEmXEOO37@=$CAgBe?kHy zs6hLuxgD?e{I$0bCT>hOKIMjP;gbBzv2jW#NP+Rq)<=Pess%IonomsS$P7Nk0G5@p zrxH7Z(Ie*2tg$GZtE6D2hl}7`k<-me%Z%rYU)IX{x;fnXcgUk0v(-$SAe51eOHmZD zW)qO^gh}EiJ{p`9ulpklO#_~FPR0e{nr^ePAomc7hjvjQt>?l$%i1mz^-BPdwcfyt z0%bZ_sU?fZgX?M=f87SNUFOOf^##YrkB#_@!dA~>Ty~-IP$yL?`fx!kfL}cmw|Xjq6T!@FJ#HzBOP*o zp%rD)+dZnAClEsc`hc5coGoN^GbqraWbm!jt-owx;nD43tcAgTY=p;eS3<-8_7s5Y z1@{hi;tkIQ@1r(Tm0NB=vbN3|DM6dU)#%HKX%>OaeXiwuy0%oR;`z`cT~zpRxEApSKyh?1mo7Q;eb#vT+MRBm>bPhSN!Q+w`0a=6?-zdM z*1OJ=jj|sqi2UVAaF^+~uCSOBnwbrt*Q$)B0OiE??{)yF@on^FrO)AK%}9Nk!t$vnQZ_A@}U$bGtE+RMw^*w2E17hKD~+Lfe+~>s!<>F z9hFokZYLuh3yGv_1k3CCOXMG+JX*k}X;d!o)7NdR*1b1$RJV@R}gqVZB@{Mj{Sb0yIqD|zdZ{4X1Gr4f)%3! z0P=QJ-tgQn81aNfaQE?SC{oS7a|hx?`j& z_fPLkyad1xz64aNHj)M0{03!YsYvn3WecUM<@g#i6d1Ak-QVf}_=uKh zb~F$ss%laU{*C>y14ON@Q7mm%Oy99-^VwnIC<5r-&XmfZqWmBv?z4g7dVJ$o7)+fH?jKB? zOZKq)Cn)Lez}ud?ZW>$9djtt**kcT-M^1ODC1qa%E27&IjyT!NH1};N;>3NWY1;Rz zg@@>2QS;P`%%s=Yv0GZ_OPXNc?dhp!Hze_$X)XE5e_P^8;T1%U`beDK$=vIXAFlKB zN2M*`Ns-|Xlczw0?!20kOO5R=qx&|UKYDg2-GaJa63Gy^hBqFrt6Co6bxcv6_^lSG ziz+^2E;JrM9 zHa|EM8o~FA*klo}7xb1*`UyM}iwTX!-r2^{Z5#eobFhWmm*EgMo#CDp*1hnkykD6? z?lIZ*=<&8@1B>x>LEQacm=Ykmqbjo71c9j>UOSY@JH`Ir$H_{WS$!T9CjIkS^}^J3 z6RvRkS?il#9*he)@z$!ygpXf<0ow_4knj5AeA|8a@$mFZQE?J4IJ&;ft>CsQd@@+b zr(yyy3^l$4PLQWmqy_)>s68SlUr`{EzTm=pNK6G0OK`{&2`l-Aqb~;g39hgm8Sfq9 z$;)QNUn`g?Fu-=d7s{CBU?Z_%G=}jI-PMPS!F9GBZ@(rNLGPU&Vr&*;^7ho<)vx)K z_!-D1dIWAnC0B~AX!4vDQ6olf)ckmM&2n78nOs^-AgBkl`Q26@)Tsc<3E{m!7Oy-d zKV$O>Zm=7QaIb-_r+<2g!V9 zkkuEx7jzgke`IWW%K7s@MN0dxzt{;hEedBzGj<)b-!H|U&sHQ|@QaGGj+!rUp`l{> zTY`G)z14h~w zEZK|l1UT}L0OPQGJ@S`&{O*BWu$oODA`?F2a$9I{%sS6+-tC;xdS#&Nm*u=DP{^6S56fu8U&S{`w{0lVZJzy!x*bQ^>nW3a8w> zya{6UT&)y%cW%fUGUIl80{~6Sfkq)~R68;Blr@7i;3np?HuKWqM5SQsico_G(XD13 zVGW!%z(!CZllsPQA)lBK0q8oimYkIt{$k_aTV2~S__&F#XXI%&i)dH(_;{2v)0Qlv zWU$j`4ng8oh8QfZ!lm9Z#vFsxx9jxyD?DQjtrueeWML|kvs`7)Ghe%7;BZLR0XJ=) zde3xNL|1bAy!3%W`bxM*@Jc1 z9Mftvgly?>&W!&-o`ntZGub%MO#T z7e{rvzPCfl+Za51j+Nbc2^@w_4N2qeMx4#F1UvW{oaImUFI~P?HK4i{+eR9zcy*yA z83I5*oD&O%<i6s&L;9M;5Z_5h{GTI6`*EjxB=1v`#oDkmRN zYB(4ZEp_LATQL8*?_5#G z_lHx)-gZX*t7ds*x0-&{PgCMuxufE?8!7!u8IZ4`VnsrX2Y4#Y-GLqj;qK1{j&H)j z;x^=ES<6K`%hCndqVa0W?|BLz1HIyeY7HdfBGCwxfljHul;_vW!#k2UCHEKev!^X zWWmx)I_7)Cxa8vNJG9e;Pg#C90hZl%)hWQ-(86WWr^m2>WtD>X=L-JJ-(Tp`X!eWI zqc%X#_n93xu}hJwGVZqd2l}{N>z_@uvF|JolL-8MFCb2^H3Vqw)9GYnJmFDD>QXm( zioG%F&wEjs8*)z&TA$KibFgGYQGg7AZ+IcVcBQtflceRot5$M~1zm@Vpx>JS>$?VDDpaI=2kD)Ri^Z)x33~>MG6@JK^B&VYf34@zC13{Y zyo0ROqGykDL|8;WQ|YsUgLp-Ar$h_E5*1@_F$4FH}i(H zmg?~kT!}_hCn|N~v!&w4C1J?m>MJFMZIo?CR<$R2LIc_Wm_L=u=G(+`^^nja;myTb zGkt46%`0QZDpGUiYQk!f(8K5Lugg8nsS7HeJB^lbv4W-^Z(S&I8_66eIh`;Q`&nG< zzF#XeD^;#{G(PE)gsrU(1h?n6j|N-G{f%DfxaFQ(8i0+uKu$YvJ9HW=uu10RZyl{N zsCzD}ZBvHccl5}fzT9`5{j^^nzSf7giUheHx=fS#1muptvQ)0FJ@Sul{vM^tbtry0 z>DL>TJmq9Z@fcAHF#_liZSY_;K1tDjYsz3!vqY_(7= zQ@@!6Y0E0MIn;3ivOjqBKa8+~MsN~^qr1J+QyQ8d`Hz5IMS9e6S=@(Ep=0t%Ix@)A zWVhE*wLQXyV3H=;{z!79x32h6>2l%N|Hq@N z$`Er4QJH5i_eCw5*ibIE1c-TdbJo=IPXACM%je3ZG)<(heqyOIrAjNVazp$q_B)=r zDkTkbO;-u{@4B#4Qw4)V<4o5TSMD@C_P2uWygEI8CFUou;i5%tcSg}1r#Ju;5|gBs zEx;G))MB69Sxm!J+nUO`H@V&hWW3`l_`!(`=YM9<%Uh)-{5*)g3Db&{S<}nmL=RI| zm3S#hJ&)6}*|wPK&L_F|P8R1ew;@`!>&!l7hi){45=O=~Iv1k3wo2BN8zQ{Mr<1m|>aS)4sA3^7_2cOszShOX1p|eVoN;1(X%z`(q3*rs7 z;Zr`7?LUG8a#m9<;9>pK?H@;HT7P+gi&)QP0u_s;1v(>ZhjzQxeO?&4$Ik;@;)?ns#Z`CRtNJ z_Y(m1lxvY~jOUCF#^ddaXQJL*m}$fD1UkgF+%JG_cm+A)*n3dP9ENi(=z9!~QF@&5 zEx;1#j-73BxBEQtpWFO2+yAk`bcGNu?$3JJ*cUi?arT+byJI}Ie?6hp#?g2zWx1ZlKsYeLboam|J^X z^|vO_fRFZO`k z;+CGs@c7ZwWH~f&|01_jt4iGpc+lO5?KYd+1y}9*KOS|_+R5>M`-fE(zQf2t+D|y8 zOy^~ed|eB#KceTnk6EIE{20*($c+=I|Jt50sx=BrbJOi?F&MLBL^=caxZW5j8xRZ# z>S5j%p=Zwl`H)$KvA93)g++<_@`q_pem&&j;q2IQd*;RI972~9y&7!1ni0)Y_Q9M4 z1G{hqyk$_r%hs4erTgHLQwxEHBa0}3P6`$X002b@`1ocf{r;>N(fr=Jeit|eDEVwXVs?d}F|NJlN&({{5^CkX5e;(P-~8YQ7Iq~=j(2qg zOiP|AcB7~Krb*&GO7Tgvt^5pBjOYza7oQ=3j65yOKKhkBS>2d2qVyGzN84eoaCx`H zfq%k#P=nf(fO}Kej{0!y8E9jDJNa#4RuD*Q7-(~gM4bLIO>=MYQs-nB4_gBibPvIu z7LN3(bEN%z>G9LUd^sLtk%|)MpK}Jiq2JbH0I{hQ9tc?gPu5rsTifipYplnNS_lyo z@=HzY)M=J$MJ7VsRrJ;kdfRuZft}@(06>Tw-_n!!Z(ZEVd!n;z1Yv$!b0z}hpyc3= z1y?P`h`^5y(HqQkhb^|U#D=%T%d$+bL4r`@*v7onK4x8Ag^rYyqH$iBBYB&;#CYKN zP*ifY)1cbzJBt-AXTPb`^oq4qQYRx@Tkg@dg$}2u84?Qz+UBS-uJMu*j8nH6eSfLr zlbT1>!t{InRXimf!LtUh&%?5X5o9jjpX%gKxy+N7Gr^Fy?~%5-9IulZpbRWauQgFo zEALq{G_3YhB9g-ONa|1ZB4PJiVG9Za^F94`fQEW0S%)w2iuFS${sGvpp-uqh64w`u z*hXXFS+-AbId?52zY6uzb*})e#?8nFLHDK@w=Kp*eU7R^m7 ze`HR|ftdS^gh_PDbAF-%zOnJyl_AmOL#|lXq6z623SF?h`H`unABDP?B?zO=MiD)7rX&jB0^HDEdy5 z)C}*$TevDP6xNdQ<^W@~lWvMbKcMoWa zmvxBx+<^Ho%de$)`y|C}^G8}v&cGHCbtKd2cQQc}jt1{l>sm6SSl`r@;`BS+XDb@c zZ69F&QL0UI(XqpX2X2)D*D1bTq<~~SuR#XGr2?c^Z4~cwlAcS>qh9BdobJeh{YzBE z*$-{YPtn9AmL+o8EFjgmCjuT@kHu*;3Y~c)RS-Jtpz&eqvFcdfFV3@ZN6s}H^c)K6 zz?%TdiNmma8C=#C8T(Odb_awbpk~9eUD6z&JyTXGG#v%*+w`vw?yOaDML-_&+a-;* zx}My#i&ZiVH!w#sfDAn-@FW|qwhObTUREf|<_5-w-yjh{=z&1tc#Wn0{M?%aN# z!M<|=b_KKegs~gB)n-Hg&)o^cXAu-S=1yLOf!g(u*p@QRt7jjz<)?;m$KgR}zA?)EHcHYm~2CAR0I zLcC9gY#a7WbMSGjwjpq-gDwT+fq;k!YiU$)`N81tcAD3@`3O=p_0Q|0&3@k6zrB9H z9&O|j1tq+YwfxgHn*K(R@6IWy^q~d|cHvZ`UwH*uke+Hl=h$j z-)G+fM!mN;_Sn+q^m}%1>og2kV`>LR<26RPkztpiqWGCdu2E69UH~l(nilZx!(Gbs_X;fv>W;WkDg8ip$!+JN%hsh&M6wZ4 z*+AV(tVN#GIq{`%(2G53ugVQ*o{U)6I&`t2ev(=t~jsxYh^xEVU_pMd})M zzD4#}DuY@xZ2)LC^R;EdVxw=^QMt!pA;18TC-3^E7kEAeZ3<=7C<8ntWj1^qbd;HX z$o9%G^(48BXkWL=n|fzdo6Mxa97e%h8YL;Od_(ABfoNPX)ui6-Eh{)}L++t^iOW5< zByHYNL$s&Y%b+Wx)~p)(Oe5RAxQoLIS}^qR)U?803NRR41D`t?`;nK6#6(iu0)$yB zI~_1&-n}*@bATWIqgUf*Inb0tNlMQXK~L=_E3f+7yUv}{na>mwm1>9@xnc1e>!l+; zcsHU(kNELo;{2=NsEY0M;^Th6;GYa&tcA;UmLGpFXw84=23S4=7Nd3Z)zr&y`j#*n z>#r<^9=mOYxUCwR`E54BnM_!T_0u&hKeegmVtsN5DGjP@-P!YWQIkaEOZ_u_Nkzly z`U`jCMfeSx^O9_JYJ#xct(s-K*N? zPEwC3Ofy6VrO_WS?`1}Y>;-H3F`Rz(BXe6@St#&$9krKjYdV-&4xsr1)3i#9G(2pw z9wS2qFXH#O_==%^{Lte!X+fN^Zsnm|>4^#g$p z1Gc*BqXzE0^r(~B>s(O*i0FsWH!Lp-c{v3r0zLQ}@J`vs<$2U#G3MG8`rR3t;&F-n zm35fk3v}UP3ZzJTSFV}+Co#kOS4Ki)W+yvI6QBv=KiEi$*a6)lu;TB2K45i6K1iz& zN+%uzYwUYuY~?JA=+d2mUVG zl(lW5M!Zl5?gXf1c=ex!4!^8=JL{blg}mw2n!Q%iRj;bc3=+Jz1eSR)1~i3#+_iJo zc18Qw<)K5y8b=r39vRCT^*FuABc40hpP?h{xCPA}Fdc>(U_AU6rn!P}y^s6T`)`-= zcF9&}cLVZs{;Gv=kPHP^%k4d$oXg!Rj#V~7Ce!*QaS?y`jsDuLg~=pff<5~U{oa!i z^07A%sMh~Jse3aXwI)^kyL}c=2{oq*<%5$v=K5zf!IO|X;;G~7KHN9Gz>{dhleM2; zt?ZO}cAIv}g875f+u`csm;36qODC&pTQ|iwo;=~v^{E`^CUCg&0eRIOli1h(E;Hdt zukrCmr&PAPN}>v!?b_ChY;&L;9afeNI(8%teUg^noSW4W0L zgLI$4z=Mm{^G0$oPwcA-$3O)DHS4%wvagHwxErBfA0(Gmd1A#gXJbV_!WYNRoMa*> zwK%LrttJqa*;8Y!I+Vc~F!xn+_n|HTnq@Zk88U(kTHcH(l8wJ+#C4rA;|etU`j-~( z8bYmMuJieRo2m<4gdPd%3yru^h@4b6RZV!9a%#2BFvlISRrsJ9AbeY~MZNFF@SbD$ zA$c-iK~JBj|HL9!rGXNHw)t~rBHa&#y|z!JeB>kg?tLe(Y`S*5+h|A&8g}2F;9yB) z{Sr9YipTD2Hx>NAyd`f${!S;Mgr#2L>_q-{L-Pjm5=ElV2L>I@G5XGB6=Z~fY&66w z1Foo&tHk6D+Wpq=!66yxy4S_|2li|FTameLUesW=hhhZP4<_Owl`TL+oq#y|KCli7co!I^f}z1$mFyog!<+=WZE5YS7>X)Les2*(5f)JtM7P7~bJz>w`so z=DKZSusv}0Z1~(aDH>#5wgwCds_8I9f)D(Aw+^r?N`Hc>O{Ruy2seL(0eT-I zTgG&m9n&8D@};?^t*fk|QWF+%HIt1@V{!A*FJzklVrVXvVULoHFRzv*Sx_+a?9DiF z`pR1xg0M*>^!2!+eJf|6U6`;7<43UU+Ja;+E+Xpw$G#W&^=E79gHeA6>2w2g@GS4v zhO)dj|G2K$XEacO?pt5P&6l-bJ03>p@=`oHu`!vd&D2he+RVy(BLm9)&ym9pk^(XZ zKfC6Le(DgOu!)e0Y4i^Gi+ERu-rFV%9H>PEc9a*^#(ezF>f}0R{S52Ght0O{3}ZG1 zSUxKC=#v)6Ab0IJWz82$+Yaq#lF1s6r~PVC8`&a81o^$6w_nwBYKe|0Wm14>f~H9W zJa<>*UEO)Z&9#R&x6$t0Dxd4)?Hh9FsuDs)=9l}uahuvUa-=dgfDY%&sCbTl+x%fu z&*hn>>+I=rbAS8a_(0#*s{O5Go!Iew%@-hFUsSWBLck?%I)7OE{^S&H3o;Ti!OCCK z8!))M>8n_6dMH^g{XGA_bcpJbmw&hk!k&JZL@HM<>Bi77Gi%x5f2*`i*w-;^;ZD_p zqi&hMdJf7pk($gw&wf9@Rm=>fWOUfsQFPOjlKzDMRi=4Jt87RKI^DQR2Nl|UoI_TUa!LE5%c2>zBZ9x&?9zq`t+&%iO+77aRVfNs!%jG}|`ytk1 zc|ZDGwV30h2C5pC&OW)bIXRsBENm|(fC9;2Ix}M7)SoZUMjQO0`IV`a4GZ-Vkmg18 zwz^o)>0MLmEoDsrUw?4F`S9NUfCc4gPhj9m70u{5p{=j2k4s&99rx%XL}j$LRYp{9 z_RszC`FeF2$u(VsZu(Gp&*b)Ea?O8EJH3~0pJzn57fJY6T$us|{%I*x?H2zlflfVFNF)JP|fFmy@rfHX8Zsj?O0aK!U zc||3AeA6o=A*Bu`!h;|EL3jAbbB-UaoI`Z9@-yvZh7v+z;dxpqc5h0khQy1h-$(JH zif2%7Y|N;Q4ROB^`mrm&JK#y~%lD^?F*KJanxVzTUqFF>uaraO<3q5^9*+zky=eQ@ zjC!O}pjFs+d0MXEHaR*H4xQO-5ke-jdwE)#_XT zEjhBf5!>EkG4K;>TREFe=4vfUHcy+~nobrE&(RnNeumg;vF!|@UkBJS0#Ugpu@S#* zB;2Ro0qQ^)K(erdN~9K)$tHQ675iF#06fSvT)+w6@bN$dFWbxj0U z5i|^?Hiorc9VmNFx#=1SSt3PDT;WGPH1Aw1_>q8bM zdWFSciiT%)d29G5aWxb*$O86D>K9AP09i?d(x|TXki<*x+GtJ30tz$i#nqGk*IfWN z_U7L7nwBv`vFSIgdw21LAOno#fq;p;w&q}wAT#vkC}lazFHI~EIomHHUI0L}G9Uya z57g|>fLXs=@cQ}xLlN9xF^6G34t@%QU|#H!|2JZMd{E=R5aas9|0iNx4M2>q7O!=) z(<%K2G5+vBh;jT*8lU)C(X);ew_E@*{#dgwM13DXjB5ah@pMDk_@^W;@&eU5ym)xy zJ-wPLthePSmdcwv;sR@NVU1m!evAyef!AG&Lx$P*QVhS7N+iD7v-S`jSP}KTw)@2H zfW-5JtN!5NMK0JyK4Xt6{wbxnNT0IsUQ@IOpaF3FU!;9?RMdIf{(z)Gm(%OjgK6bi(e9&a#li$ag6}tAuA6MiL3!xFk6R)P^;~gts-=FzX+to>>DP-ob zH@TQaY8Y_bJKlPK@IkVfK)R>Z_oNtyS+YAPIL(fk&ks&9>*S8*^&f;Hg3Xsyima#F zOxP?l+y?nAft$m3Z*Mcz(2@(q1A!=6b^iVfyDv*>H=f`Wf2qVuW3VAm8FU!5^eBl` zu%c?vOjwyjtl^{E&_22M4Htj*bRE`KJ8t5%5OdFTU>#^Lp-}FIyHk8cOH-C%Iu&N1 zhC6VzGQKk_M$h`2Q{yMk+a7|#coetkxUP{1$t+WMA^_FRyJesW;Yj|5GnFDFPqe5VOd&{IOw4;Q#Oj?hJBA`9ldRSt5+Y)~^yu7YM zoc_iOfVWS3{bj39sMOJ(aN}5glvwM|c`mNwHzoD=&F`^7CT4oS1G;)UW5Xeu?~wo? z{zKk~0D2)jsA%f>WS{ra$zDGvJby}iG$sCxjSF}VC2Q-rIm_StnGKt4+0|qeOoo_$ z#;)?_Qo@KGYZRv+YhnxQPKnQhd;`BypvhP>iZ3%Z1tOCzeGyl2{eI{9XeZlyhb_V6Ue%^7t33}mNP&YV&N2~WxHvI?!d}hf?N5ek z4Xz~>jYp>a>vF4jl-TViqm%IOp1Je4Z^B?d;Umz9)4oyZ3`}D+AyJSi~GoEvr9CqE=%+^~X{hhr?Z} zAIxCeN?RaRf*@8jMx_&S%#!-~JCF#%e?s_xXD;-`(|6kQg+~AokdryUW<(ga82F<_ zIz?_}%hQmaftz^G7C5aX&zf;7t(uaY@1>Qb7gxAe>Pgr>|LqO0P=gW1zx@_Gvp%bD ziu&8}Y}0PU;uHU`mCb`oRRii$7v6rWf6}!4#_>GMiCCThH>9Tx}Gesmt(Txrd#K3V0R7}jB!svqk#2blr#QzpD1%CmN__-LU32RvSPY4l$w7TX(^ zGCyw*i^tBujtRRf?)Ss_wogofTL=RRP$>jzk8nOMM%<^W5&!Q0K(NEn%jCzSliq`< z6QyKRyhmxy4L3`Z_e?X}0+Bdcj4njKOH zB>Ax3?%-ex==_muKNvs$aLed&oLks)`=RHUgf4+BmNXgC5$$}8<_}N7Wj+P~s_S%- zx6$p-MJ*1Mtb}{!v@OGdjUFq@vw<|a&7Y=nxlwU{m_6t4|Fk+d}Cvu^dwE zcQ0j=iE2P*a#P|0R55FsOiZen@~p>+F=+-Q#hf$jgO%PnoIE~{S2^HTISJ(4J}h-I zyVI!;LbBG{a@6m5*55~$lGZQH4TniHdO=8u;4{>0Y~o5s6sLlzf2ae%^2#BAIzX1x z97PEA4ZrrORGN{`g%xOlypnlXz0cZ+`}2tA!I9>EI6wj*8vty4R`mTe_9GvoZ|e}W zHxcgIom#H{Jn4P(`L!=5DKH|i?a(Jxdb7N4X9?i)piVv>z3TdQv0&wp&u9L9-S@e6 zrJ%s8dpho?_sCrBf&RROs`H47rNJfiT?cfP{eE>1rC^CtqLV86V*pM_#eGB}CDKLy zMliZVBiu*v!;N%+@(dX)Q+2}c^|Z9%-WTBt|Dp>67X#l@&Xer5M>sFA4cZTt)p*I^ zJrmAkudAiynpb?vYs@twAivGPu5g9yy(oEFhZ;Fw`KPj?+7oKyFt^rr1}ZAS_}!O| zHiQ;e2z5Sp$yf^h<}5X}ftKlew#`N1!A2+f+#F(%{EUPB1ADV}Zyd|~W3Q^!lRjV2 zE$>V75yLHnz^t=QxlV+afZHBPHO6g3#0)jFjaNreR7yR1-)Od7I#9PaJ85W*xYj}S z7T_}KeQM$e6FWeC@m&GHOqyB8OM?!jvCUtld7qKJ{%!SI@-$>j+J}MyB&;B8%jw7Y7p%cZK3&-hgsBOmfA;U z57&+hp_b#|O7bIWh(XNt#Sv;=Pk*y7r*$9vb+th@5=sR4tn)uas=KK+Mr4mbc1vr6h|fhE@<(uP~nQ@L?*5VBCo);d7vc-7Evi)7DAXrsEv5E&Uv z0zRs)^)9m3$(pjB{{8eak4W<(!gWSz?6)OZ%E_Hof@B0A5qG;?Cwen-ilD|R2`+hv z>LO#wrOv_5u*>rA59zpyYtJGCJIt(WJvW?;F$0|JaaK|L>QD^KanG7}-bna!m;Pr1 z1Tn5k>+dr33>TE_&0)dX=TC0}Y}Y zcatZh>~LrC_nq@aQC_#yv+3}i_Fg4X;m9#~@$H0-r$@X=COJXxy=ybvZN+6OZoK}^ z`j$?RX2Ew+l(YKNg6DVmYdO5Cz;t4881P8EubNGVS5;Wx_?e3UYv!aan+8ca#W7eN zA74fx&*G$Yg@1x4UD9W3kzTgF7XgyZT$S#Wr{q0Qefuug+;T{hHbQeiwB)(bRo26q zO*YonsLQ2c&(7uOAd}2b2iQ)PDzRuwxUN8(mEFZeg#FD3a)6OGMEfw2xdHelY?;R$ zFE$7-+9eY(#X5$UV3c7mzo&1qg9xuEFfx1a^es{H4CSj5<&(!NaG%t0^2lzhX6p;# zJv9U6>I?Z%u4U_R$@Sz`zBA(uqw0_{cf(`J#ny0V_G%SlKisVrf9SUg=yqg50PQ+h zy{Z7IseG%JNGPbdK$gsT#%N;J^!ZWpm7zT zTH0*5nznByi@(DL>Ua!j01JL9iQ92u&*UiMaR+LYRP&LeoVDBHDUNCJc;t1F)N>g1 z;>EzY`I`ZcYkvrsYN30XDlX)?G_!}z_{{Hg@fT*?6aDD)#T|di>36vXMN!a`XR)kz;&7wv`x$&A0!2XYXv7Aiy_>w`ev`cNrr=-Y zE~f58*j{h5(i{KZau=SoKjkja94K};Do;PaX*WUC)kgE;T;j&Aikt5&KM_vrBGEaT zs*XA`cosGz8*+yXr2M$Xt$p+hmo=|0O-R!uQoqb-2d_D(L#;LHdNG!<@hDRCnRR`C zh*@=HL@a7WlZ9z&$gKo^+dB~)xF4m(qBIh0_MnU>#;(?Oe9%=cWvtfm0)%K~9D=K) zU==uyHLaEo_%7bxZ??5<0C*jQm^~)-dMHEy*00@oxL>~ANYvn`CyN;k)&T&a6Fxa3 zH$a1BD-G};PVJ9V7F`V12|y(*XEe#q0Gy{_$vL~cI$G%+9Q7~dY2pUJKmJwiS<=Fg z3={B|c=lo*Fs-SO&51foG_Po@bZt47(I%Vywz>Pw(EL&xW=gaxqzz*r7XK}-RYHiq z@!nTBfVVyMy6blf_&z|u|1&c~<+(O`CWiG{+gT_Mu=hh=6e4g|O5o`H?+-hKy8*6o zBfTnuAmyr%+R%0n<;hoMcoe5p%56>h=$u05ovDU~vHY}4=_0Ul!G_pEd4$!NI*UTO z(A;>BgBS#%AsR<_LgLL;Vja?=3hB`Qo*REaXc z3gUx=9M6srHS}frKJ?u*8|ga!OoPjZmu+tov@fXnVs93P>wK-UcKNNge33M$_L7gz zHsBmBIA&Ti&`Xs!CuUA$GVzeuINTb9#e2?g^lXgO#V7)svBh+3fY;{-V+juA$kda@ z^RCEhg}ff<3i7V}BS7HeIWfm1`!wt=O=(!1>>&xaY(U#ag^76}`*z2S_%1U=&~85nFLCR)-4;-;a_!s5Rn9Z2F(Q>Oe1(2Qr8>?{=;}8NbOJX4w@k!P3P-M1&8> zJg;}@>nJ4gyagcFp}?!T^fu6-SOya|(YU!1l&D*5&r~ljM}WyFEXsv|Kfn?gR?p)e zq?YP8u3n+E3k9LuslSC+ej5Hks%+#oMxnMN7HIUq{^8zM^g&mR-s0Vp{;?95(g5%G zYU`=TV-@SiAM$T5e->N3(B``zzxxiF+1vc=HN6psQyo%md4rSu!cb+ERgP$Bo$Scn z6NZoj|D}Dxq3|`?pTYE-9R7&>-mRIyA14#i0FBw(D{ia(vk)Gz;sFV|#poc_M^!yr z59dF8w;!(mW$zb^bA+tZY2W4di%KrZN4#nG7~=RlIMUqWQHwqQ03EHP9MDzTvYZ8bz1Qy zK+;6lFyP>qq)AA zJ6KtiS$sofA*dd;lX1&vtvP(JxjOs2MPIl`iZ)KYH^b+%-^X9^aD|t%UE(nR28Rz& zs=9KcMHrJ!+y-R4-#{9PD80~|Pr8mmnyw3`WMMZyJ;La`JzcL>Y(AIHD5aPx^%6ek z-umjKe>BbIUaK0m%6_WRpiQ3FIlocHYQo|D>XUDY6tA>mq*h%bHur>RsYO0|zJIG- zq^0cQQRbQHvm=d1amVC8Ko&gU+hp(plEv}Uuy*2z;xAbU)5E%IdU6eqr0zP8?e47SnGJD9!YIK8RJ2YQ_$eF^Rq^QQ zjYH;I3nfxH+0B34w=BfyHe#i4SQY+?t%hzjWWV)Zp36P)_T+P_>cPrFa&|q*+H7JL z@gMsgkE`+Qj<`2Kmq9O@vBjL;0ZvGDI0e`^w(y-fvN|5>!Gcy?;v^$R(&}UQWt@cO zy4#awl}+7qw1oU3;pM%BAJM>#C{KrNj#rudgTX{GQ-L4zXJYdgln0m)v)QXYdFyv> zzI{(GX{y!u$e^tkMSOewPpB?EPoaSy3NTy;dj49AV=v zs@^csTugDS_6b^-7s8$UnlF&m`~(nEUo)JgEgxv}e5Un=?z87ockPnHE`uY!+ntA6 zk&+38t2ST46w_3wdoly?lGY8gurvwSySplpni(p*Sq!rA0C1kI$hwlb`%b`c2xKd= zYBYV+-UQGnmTefc-?J7q-Xb{>lDRTN8q_{E3smj*kU)sf*}}{m92^27X#dguwnaaD zm>yEy@NhzzVQ(q0bA$Nx!9~l_=keIac|XenqtmT{@10U#mp@1@Y)dRh_`9^qnM>2w zKE&94|7_@3_WB#C3R9Z(*XeiirHqc5wPP}$1Kt%-0vRxJG4h*1#5=gXkxjtK1vZHj z_%DYCzM6KB60UNtsve7<#c8GnD?&LztrQUj!a*2fZh0PL{hjr!m5uJ$nvkFMr}7WBrpc$p6BKz&sG zC&#F%l`20bMroNK`je>w3^Nyxtl;2=@ji#WTqW^u_r9_#63`(fZXAib28(3ySnm{H z*lw4#kTMJcFyGHAkHhJ6cl*Ryupnt&6dXp>!gd` zOVH&w^*3J!KA2QEuC*1=tw>gCvicvjT-hR?phjNM$_tn|{A`?DNeOjgM3%di)w>-^ z_T3NIaKuD0&-OFJCbs3(7sd|SN`E_f>CYmK_pEm1r%d-BguLzTIN_^v-_nm`ewp0D zf)n=^4ip2eRG^vs9%E|-+=Id*nr?BlY;tw{6myBJBItv?*?|w|3O~>Ct5RRpX^G*p zJ(l2cf`yF2&6ow(3Uv+>2P@x5-=E1->92IXS%`K>NO_~t(?gyS%lo!SWPhWo!^}gY zJFZ1@qT8I%zOx{rm`6!SOSgci-1BP;D}Ne;Pb@s3rN}0_61aGkJ>U<#!>uRJSX0;? z5kjpFyP+eb4XC_Kt~q`|>BBBr&2MbyxLV~gCz5!g48XECf)btZ-klH1v)&y4sc8|S zlS%$l&>oj_e?OR4WZyluUDUE^onHL<@-V_MT~J;uc>WEAq>=a6M`|AhJS{&sjI4_O z*yg~K{Gy(Ezx4n$wU-AlWv#eualDq0?elc|@X|WZI?O1=dcL1|2+KI|dXZM&ch#}G za@JcGNc5)vD$!HoJzDhQ$&4m826Z(evKBcCU?jZ$+X6@Vc{C$8nMJK0pHTb%b`vby zq%#g{vYBsKCB!eQ}VU z+$;zIi!#(___FClu7#EyBe9jD?!-Xe`z7%!nr28vjKOw76 z^*>4}4oG|>@ehVCWj(fLzArX*b#@md;PfzfGlapVe~oxWwWS^VZxQQe{!nHli>J_r z2vpWJ_=?n%hZ6Y)(9R^xVRB_M_(;vKK8p45xf*t`H!9GjwfuR$OSf1V{)>Ly)&_MfP=jMYdfhO}XjEqqz{h)t#5CgB3vQ>}FQ2 zKtH1=B4X!uUyXiw1}UK`ykLIRy?8qSZ6FB^=)OyaHW-AHJ0DT36~;lnC$IpKCI7@*=O5ikDR;6m zbX6|SQ!i6+?nwb73pii3>zl=1QaC|x67v0dF`u0bBuQC@r=J*W@K<|Y(OCF4az5lh`{moCh?7+-cMsbV$?9;F! zG21AdB*^!AQ*U30aL}@>>y0ITm@03}T;iiNwnakAKnENxEoW#m5N-GlI^chW5_!RZ|3q#%^yGItTZfS=aga*-ccw z*`B-`u+Kp$K;$e(j2KlDWqQoqtt5VTYc;zZJNclGuDul4#L8JCARnu@&Q1kqJC8r| z!2kSD5pLkV8(paGerAuI-NuQt%JKEGOc)TSDyrjmrFYYpgkkXOOu@Unanx9zg9&w} zj^q%CRf(2-cf%OWJzN+$W|@$pm*muw!;!VUp|YA+4KpdIwom~RH!#0E*T8rIAmC7E z(qn3qCp#IxCbFhj`Q~WqmD4?v4;6Nb-FQa9IZcdwp0cBsh4lD}VwQMBN@Q%Ced^hy z7DtpA5`t|HWu%H-p8Bpj+`nR4`afbEXsc`g5#!JW#5n9rMW_2JtegO+t(n4Zm`k&^ z5&~iz6Mz^;MgWmN_E%s0&n}}Vftzp{nH8eW`c=kLMJRA)Lb&UWv>;S$(xTX_JG^Age5%}s$w9nK*hH}J)?kQe03$EAyx>uixqqF+ zSD<^PBCmFRBYy3*W8Gz9VwogjbL{9?1ZzOba3!RtP<6DCo6E_Nrt7H%Z-H#V*6KUn zXl-i!PjmX}eAh$s>U@q05@PEM&1DE)9Y+2pFI&|Gu6`pj{0^JW2QU#}6V)*f)S+TY zfu}~(1Id|2l4L%r);TV?3qv4JX?<&}98GO{%m~E8cHOnlD`$yS{-=NZ=|V?DfTJ8< zs$j)U{r}1I!KYEUb=2unsc{6rjZ2Kbw1@PPW98t0RS~@y{xAie8b}WC(%sFPR3E^b zzS){MuE~qfQgF0dc-z0b=3wSlF2kT`ChcjA=Ibl3;&e;MS?Ro6Hk0JU1{%CuEulRZ zc>p*j`@}0Pro9E5`9jbxv-SAM=067bv%da~ z-GYD0kq(W%&O7TyEHIqK7Cbr{ECI~soFKk5J1YmM)AT9vby$%$sjUVx|549ds$kgo zoaH%U4ak08h<-s5da^f8MQn_7=C+~99Em40!Xc+CE1;Jj`gn#9Qf(I<_^RQEHe_aX zbu@LA(|G^UTN^?1SbBwAu_1WF!A-StEM-+WdN6_kU(@2Mu9jKIU2wpD4*j!@BF=q0 zkXSM2t>gxt%)S~7ELuTwFwZ105@DqxqG|(SiUtNvLt_lAD>ySfDp)~wd$kfW+gC9O z2jf%fdGF_P5OF9VDKzeaOk^qmwLWcQJl$^S;MErskwE}Ex7<+0*}U>MM*7`=M69@d zn%DYATil-Kj~G426da%mvLS3oB2#I|(HhS_s#-)(bw^WWU8tZYX6AEEf7K()K}PFg zWf9WupR3h|y`yHZWyr*Y5QqS1#SoV8OY#Ddp(L$a`jGt%8XYA682kRZ&(SDAk2}EY z$qhv%T*#@w#?YISJsuaV9Gpoy;xneAy2H-MS1tZXgXi7Si*!ZcU`bp|L)Ep4o&>)) zQ}uCV(6cPJvAbYz_UUEOHX~s-%R<*|^{NT4P4&sUWRGh&vj|uqxv=k3e8J*VOA^JDDsXgfD#tk8U z%=N2@1=J@fHZ<{<1QQm>1AWNe==opvMkhPrH9x8IVP`D^rOI`@ruwFlFFUK-={rci zzniHVlUE`AD6dFA>KeD)96HLFwse4w#g8A*z}8!+0j|8%S&T6WU>0SV*~-|A1kv0~ zEjsO>*7})?_)X=kUd=3&LJ9wdcg7S1F0JuH6neayOr2EW{4PjuyI( z71BrcmSbzW!j1MP8gIxG0aroZPA1{k?#dba7#~zFY|CblYyewC+v($f6^FsNy*%;z z*M~38qF_Pz{($xo&9ZRA%v0f@@3Ds?-PT(dp&=~eNG*sL)z9^| zNJG|dNg+qwjL9N#Rw7`F z+0$<|;>Rm&^-C+=!8k~0!*Et&`6;^*ZRe`EeQ?FitB;OsRJ3_wGMudHi;R6^bxvni zcmvls8vH4j3L#87m|brWO zo@<>0Q7P5kxF2!J5JtO@I88FKJ})P1D9(Qx?6!t$?- z_Rj(S&JDMo8Djq)diFE#?h+i~<|UGDpsWhA?xs>u&ZvIQrV+is)K5?Gna|$6-C21u z{F^FEJd1~B9re0K!^}{!*J^?Dp0yxLfnRmw&WsT1nrF}8K=2GZqm*lrW9t?*I94*Z zx+Jazb&ZE*Uy$wuO)BUZVmhJRE}#k$yFygZRN^@5iI1-c!8dYtLN+E`x3%v3jjFxJ zyrE`jZ=$lg=-)FG8R0!z+ngwb`+qlmwIDN25)YpRv{!P8u~j z&`LD4^+-M4&9i)BRwZzN(Dq<72fa02N%F&IZE73>d|6IoRmT-_5eL(z#sZ>eQ{S&{ z{dczv3ygnbe=BEwZo_aZ$Snt(-WByumM(9rEc!bxnCtJNr)Z)fFt>g<13(6&^17-|?J%+Xg9-4)#&16SLQ+{M?)pjx zUAwjHg9}S)jmOTR&C`6as(2&HzF7f4%gp5|S^&7V_L`fe4+of^K8|9rol3qD9@CrY zNgPZs6PeCF^Zr9O{8${vKUcc=& zN&X$E`=r$KOyQ@~X6^@7tHdcJ(LJ<30FkSV-Bt4}vhN>#%~NHa@7J)8$P|LXbf%%7 z>i)7C`A3JHg#!+2`$J}z@-Gf6NQpy2zyq->>~3OgAni!p>ckX5vCe;&nqONM`L;X0 zQ#)T~Yr|es)hRc0FTVlNk=MxzJsRb#DbzNZjjjw+PzFbM-51!b#n^F1>0~eu>J(#9 zoWvf(5dkRba|*<-0r!v#hclz0*JeJ)tuJxQ7#bf-;mVc^><@&}ajx?$Q_6W>q8t z{;X~S^N-IiG;c+dkT-zL3fd|`GbBotvv2k5=jw`PFL zH}k^|R&p-rV`DpZZ(2NX)4VctPxMXA2Gnlx(>WU@oPzK_8S>9OkPXGX7@j_&^Sk($ zv?_}`hJO?-+&}^>M(7FJ*AX2J(aC*WR;=mVzWr(^kJ3gvQaZJrw`Pn2=p-MNR;@oP zFV9=i#TxA-XEjAy@v}OsI&T5!P?^nXzr@A3w1E9?>J*{734BuA$f_Q-YHNv2nk*_N z)i?6cqvWvQ2EnL~_Ed4_OD4SGl0GaB`c|CT8}wJI?~{1ebhM&2)p&zi>56>>ldN9NWiu(#T2GwpY z0-{vR5k}@ETx$}__%`AOpUa?cdwnuM42vYl3|&IJD#~urmaU^*xNWA+D`S5|TbGCm zbT%?={;Z?@Lkf___x}kDVYbpa`w7K1WgONGiiGKeHbo;Klnnhe`UpHrGVKH}bB?KE z8v650Ea*tNu=j5LHX+)Q-D(@0tj=4HawEfvbgG>K4od5)$LzParWqo2J{<}|0mOmK z_y?mkpnb4W2fK4hDjUDH(-dWK_M`0Ca;V=m48H$J*n}aK_7Ve&$EEb==h|Ozg-T}l zX=!k;AfB~>?m)SpYGpz_-fd7fZB!B3t=V!bprU8gnS)(c=3MRMfj|EGG!58TmD|IO zV`l4mOdCpn{4Tg)7@mddb*Rb9APE9Q883&_wB5*?KRM(kt^7H{#E9;qqcVY$h|;!e zvJZ)|-}jR(1(y{(ndZzFAP}7y zFD}P!P$2l|oVS60<5o;YUd)eIeo>l2TjTSdcb;^`c~0c2YRM%_uU6Y>_7O11gLH}g z6tjhO`N~OdI28kZ=M8uCmsJ7JJG3&@1_4KeZ%~4ny}9xzJ)u}l8NQ^fgd5C{(T?v0 zfDy`?w?XffA*F<7Vf#o4|RUf^UHy!kl*gL{fG_Eix!Z-P%F? z;glz?AU#750+f|{wiyg&zB{q)j=nD*B%j|K>Cf*c{Er%}}9^3;hq@Fusa zqHF0!#1}4+q}Y&4C;OHvpL!{C$mOt3UuSOpUx#j!=fM9{9*a7;T8=XO_< zQ?>NkkSaR0mXM{cA+LJ+UZ5n?PAA&$>{f(smeMf_EUh{~(-r!&@ zIwn2!!K+(l!fVVCn;7-L-D;wSqRMm(R?Vi@SY3P#Px$o>ZLOFA60iMRH^c}-_oHC3 zR#e1#0dpmVacE+e!=HyV(b&lLd~)CVq?Fq}8rz9kMh=c2w}A1W%}U=Y;u#d~i0d>g zO#nE{?&?5-`iMlz8?hG$s2WAaAH!CLE8QJmT0BOK-BEGD91~?0kAq3yB;_0qi z1p}CU;+;lcBir(+f|7e?ffMD+2h)oeal|j^?_XR(`SoAXH9Y%4rr?!Tb@;NBR<`nA zrPf*;6zTofYfG53Ep2K&$v!vUqoYKrF5^nbr!S%5JN{0Q@=+(b%X_$8h->naH~Vg4 zcTTRbf(OAVwJcg^(xctIlf0GYshMjTtDNeaA0rDd+V9;?vi-p(cTK2EirGfX z@HM#~Ti#KPrC%0WH9viwzczAwY>?%?uqU!EZ_rrsaN1o5M#2rn#2Ce{KEK563gnON zSsFvvnv$xiKW{f)`Bcy$^KC0$G8KH*3|M;=%A|I)EmYE#Vk^=rrp^al8l=z^=LS1B zMsWQRwUMjUqy&4geg+M|i^xg0G$3hsA)fpM-*m~o@VWU)DSm9GmNbRViW+=0A`79Z zlf`wUtA0lSS`Fibxlc6PaDtr%3bB*4PYO&HEtWgO)|DT<6tY(@v#y8U@aW>|k~Ra# z&WRPk7!FWH{bxq|9qim9Fs2mverpl^}Z%=V4t$v&lhQqnzw+InVpEdSCNwtU; z0tK;|qOR!YM~o8ok(UQ`|v7HQ{CHSva2+2Jqsv%W?1wp4`Cy3{hs}Vr$319|FH8P-$2*X zAkv_&8eVy_GoQV65x+|jB)>uZBc&(Ri*VQ3J1tA76iO7tY<=N=>A zm8cRyd5#jYZ%x0a+n3o|)K_7vmz{aeM*UJUL$`HwNbYcZJ!eth0I5)q-bIa|u~6hh zaw%bdjR9nCW{6zwainJ`$~wZXa8wl9Gba5Yx{|;*R(LKa8j$aUhe}8BkAqKEc^|%m zXE?dnr;`t*I7w$b>n>p*8+Pb3!+P(wi3avtLuH zv62u66)3OjL_K(G5H>{!_S)^(@B4C^D3boY%T1!=LCQTI|Lvl#KGU031}0x(|G}Ss zdAfKkU}`PSEw3{n!0?bD9AH{?QQP|5tk6Ir)}-}pg92Hwq|#xTd#MlBaI_=~6Xk9z z6X1G|tm@NdLhc&8GZ7ABCh?D|#G*tmqQLuuaPT2X0ZK5uSCKz6`7xSprdN8yMrVNT z7^V`?%ihvUF^?MlEzANS@xJY0&ZqZ1bHs;45$_h9NIhdf%qw)@Dt|oQrV2pc-nJbH zBa@@tpwSG|y>mdRJv3>9>bXO0!?{I|YNGuBc6zQUBq*bHbtb zmo!<|`q(oO|M%%3IGED{f2p0_6aS32UZll&tI7U(3rf&EJPL^Zs$7Th(-CfkW}fm; z`h(q<6x-~dI?|{xB8Jhjz>5-X^mECEZmQ|?rZMz813D(I4Kyl;uS;XD-`cFEhH64q z^?@G6IQ>n~IFXiTo zQZm^>^$->JQeN3u6Aa={GGDn1MiRPJBzunv(jlvIVwXy>CDUtnzy&Bi=;;P+n(Wie zOD%&Y!dG&K1%qtm0ZDpylyB3RPE;yr2D;4y@{C&+>&tr1hGci~ANp$Fm*PDAdXHmh z(Zto`rSAgabw|uvvL@#*kj49YiVFZV)^Gr|DY2@{+-h6D7CfK9iy}r%> z%>8t@uGzWj(Q@Z&9R*sr_ZwdATcB;QBQ;2_Z+E2@n!xIVj_+I+_HAb0!J>BLo|xHq ze>XpU3BkO$rqQMkaeaLMp^X0>&3eHzq4~Gf$%24~8IKyo%k0K0{;QO==W|@SNYH*= z5Y#Gs4%y}%k_a%OLlQN-G$z?U!QLj87W|2r-I<~Pg_!Lrh{Dk7yKZfdRRa}Uvjb3f zi4;D4VP$#C6f5Q@PN&h^OGoHCn>~%DP4FW*N;N;ZZrd10Q)k>(at1M*@jGG`5js|D z2_R;fafn&dca>hR-|qh}#Oy`(Gl*Fj4l!HZ<7va1lj2fA2XU~*A!acqi)i3pI2E`6 z3r%Mh15O}5;__lwVO9W-{}Lx}Vs8XXQ{bGu$ac9O0 z4)^~)cFz|5TO#;8AZ?M;_YZ&d0l_de3kH&)=(`|4-^^ncZ(nH(5c^GeL9g2g`J9j| zyz!Zmo+OfUOAvOBSy+FebUZarAjTpDc*8!hi(oZlcxq-+x}gGgMjMZXzd@CXmJWIi z7W=INHzm>VaM7n`7-SOEe=L-D^o^^=C1jM5RGjKFhX%@LMa4y z33f>0;kOzcdsNUxmxiEizd$FHy0<^^SSt<}$X|g##_?0R+8@3DE+P=CBY)UsKc^v> zyrV5h|L*wP}tsPZ}BXI2lPr!1lu+`V`rKwykK^K zH90fl&~9N#P)RM91}O|AzI1L%^wJeQ^{PSu<)&Lw+RgK!nmSO!XKv1|{$1tFpeTek zfCN$l^Pi+;lIx9*tJc-1%3*PzDD*C7#kh>?ajY7eOj*NX5%IjA)fa1@<(pITbw`EV zb=oALI!8AU`>`6#6i=|JGKzN+w=7#u$qGufBJx-(GvDjkAE@FJJ>r7;2 z>L5^_tjBnW8YU^XUS4pvT2}FMl7OuB>R{aKDf}!T!>Q1~(~p!>tJn+@{3SrZG7HCS zT?as!C1eKxa#gQe&DTcc-D4h(o~H)s%YHYef8}geXE5isr{y@{HEs4|eSfWXohROO z+SGRE@hWBB_eIe_fA2S6zWR=9%RS8cVCEP*_sR1>BJhT7)?Rtdw;s`t94%j1%B&p4 zeuecvRP-wtT!)G|Zs$CcBHC4dPXU#n1*wr^pqRJXonCOe{93zcS&IEpR`)k5JPMW* z)V-#nxXeqeG_unAyV+H=Is!nS9!J!$n@54^!%p_R7KlNCAFuLOLMNvWPb(P2~v{PAIgo{i2vX z{0e5J(-u_n`FBvL-cL}dmRuIYT>R_%`+6KRg2ZA;=6l(2K#NJ7_c3D%Dladt+^rW2 zyo<;xLxF#eohvU0N0ms5&sKw@F?*n|sz?pGARU1iiHMUC6ZS(5)ODU8DlBiD5h{QE zdCPvv;I8&}=&r@lM649A**w$QMxcz-#Q~Rv>rf5)AFK3Xv$7+`g3i*`Cv|t@YR97l zU-^D}3q4t$V;awRa>5-BK-sYE``CjImkZpx&iM7;=jL`BcA%u$uzzbl^ZQh0g76p+ ziHu4mC_Ik@w$GzPW3PxB6Q86gE&t$A{J3vfgQJw z=417+dY*udxsKtNc(}a@57?hjn*?r4#3=U%wTfpDu>&|fs6^oY0}-^Ppnrv@D5L84 z%mdarcKm2GW4VvvhU|{*!zH3P1zp9wB|_z0g-?WEBV<69>wYr zmkvwxIb63nUy7Ux+@Ke+z9m6wW&cz_!mhsb{YLy7Sk5$hV_J#Z*w5M&GghpFsV$-C z$z%7`@SB-&O^n>{w(9$moh!0vl#-?4^lV0rUJ7{hUCUOjN~k;5~bU%2R(IE4=P+KC@P}^!Y76 zT;X+d4yBWfAN_`QHv6E*58iwQsKI)d>)TxBPCV=n)+_EZ^=X{xp#EW?O$Y-T{)DjR zJ;qVN=s#h>**|@`=ieF1rdehx-mY1c#OB>-u8FEPvkUVPANkr+h zD9EZpaB$A;F10k2V>2p6;e_IZ0>w6yZFq5Q8eQV-#}!riTzWbcKPce2mEL2)$Z z_i(PhWbndJq)`Uq>-EP>OG_UZ}nVK3I2{eO1wfW_u}LU^Uw4w7@qT zi34*=_V$H0Z+~1v5%mvt8EqEYbj3BOx+a>-Mfyd$3ABCI_9I1Z@IotbeFYyBsHcWQ z=PZ0GDt~lS>!brLX0Ar5x6&u$501D&z0;=+X#=>ys>1gpgc{TrX4iS?)NQ1t=Zg;* z=*H?MZ)+9+`slLdwTJgH9&L_v2inAszxk8r6SMkVQ9zG&ZN4bXx;Z5B_SSv(*r{lM z3wfV%NBrf^zwqmeIKRI5{=L;1zqVBR>DMEz3~{}X%L#I*L*0e$#oW*#E{HzYw+9{_ zzkr<~UqS&6ucAvX=UXHCp?+;Xdb}OcT+;URQ9AfJm?-9HPNPC|xpi zSMqh~$DGMA&aun}#1I@kPN~1dU)dX;8Gx-jXA>P5L+ziGMHMgXfdK#$2YL=pgV&kK z?o^H9<)_ZDb*qe8x4A8R7^wt7p1ArFR*?pIkNk_aiy@es4Cr1{noPfvGX3e3n$q|o zTmZo8`_3k+G(c9Qvk?0wg$?vIhKlO`XX?}GB^ltbz zTv+*HPq!JSJN9>*-^7bm7XG4)(*{-(CW0l&h=H{U~u^Xy< z308!Kk#ITL=shMCTP(l8eBb zw;^cpxfF1CJ5PW|9!%ZC14)&>JswTM_mG~OV}bqzp;1gmui=4ck5;~81t#^X>CnMc z7gorl5rwX|J8N^zF;jpf#QUkMqR3|qwyJwVPhurkEI12MOVME2qtUK!QJAShbRx-7 zYiQ_6l$9z4BL7a|os9IUf!vAiJ8%H#qCvULmzNo^X+yoUX-F1a{6zH{tMkkO{U)i_)oFl@tGpPF}KG?ku-Q-4_GJ9=xqKJ`-vV97Z%nxHRMr5=%i zo#H+IXt2K$p{RO?mE}&iVm>dc^1%6^YpC-Jm+1xhv ztYOS14XPi#_iv)_78S1EQSE9w{tDILo5~iEBtc~$FW&{$_e_4=Hy(0S0gdkOSWqS$ z7L;!Fe_%m>GZ?FslfB%|&2xn|ofk6)NE1zjuT$r#(h&Owvsoat zRU=49F#Pn+2l4c7ET^cUsjKv!jKn?!a7oLm{!z5EeGZM$`}) zlhv5cBCrhGMX$iK-cH_T)cA0#YLXK9(u?p>;Y87p`MR+>fjC|j8UL3vx%$_V`j??_ zNi29kxt*YWKzYIYOs%{kLvj&7gNz9VeIF+InApfm$BqZ*e~!?N2K3lqkin)7XDe<+ z$`>{%24Q4iFP#m_ITB~TNjTX<8q8=Z6d==)7D$4k>Z?>DIYsW~^apMsq8qQ@T1!wk zWrTV(NJCIvf%>N=!oPz+J>Qx0`JSj$@q`Z8kK>yr*evZ2gs0zPkegj~xCj4Ty;$dT z@cOnF#ZqA_!{38Iqy7p4y=)(gJp%%b@}6gF!$*JY!O*tfYNg%`B_ScbQo#lI6mS3k zSIVNmEu?qjniUeITr)tVWYqXjjaA9Vk5ao`pH6cvBpp>n3~_&@KDp0K#&lM2)%;yn z8aE)gdb1Axhu~`a7v;)WpyA&?MLa;gD}s{R&KW!1w?RH2NnD)Q0mX43xz_cK;6;sN?!S!axOsq<*es zOtfE4QhwucBW#yOeyMDOd;-Wn>=&B7^%P!JOaZeg^SM~szf`}!|Dm0W18A$bo_?D= z^ZQhS-`_$qPs_c1xmnpBpt6A5Ksvt^o^!kXez)8Aul~5)x-#>A zzh2Mf@wh+m@f|v(lov^c%2Ffw%`eGxoMNpvBUOjWaK7Jx7s5O_!X=rt9{*kd>NCva zWU2#oFnOSf9DKSJr5HT8J5RSvNw{nA1DG zXf$2kzZD$mv}MER=@2f%r8uh;Td6Zj8E2kyb9t=2HL_ve@T>%rdo6_-ol^`Vtv4?( zl>tIcnGDWK+^f^f>s>5Uw5$J5ux_+!q?YG5;jd=`RaOyIzvyqJ_kTQ|{{6VO)1Z7% z8g@P`zy0v3)6|+;5HJe(Jhxm{7fDfF;#Q(iS{#x7#N17PTVhcu^W&31c>RoD+uEn4 z?WHV&Mu}LS4C0UX%Hkc~NcSTwhjx-BuF6k9-4NR zjP_WMM<2)4&pl*Z=B#LmVU1vIGkWnQPSs_WvEwvXkjwBbzA{6Vy$+~ShzZmuD%=P? z)%rYE)$^fMR4DX-rE+>W662d<;LvL9(_)JB2GK2IjiaItoZd5VT)JxMeDg8B_xLg*wk&OD|KZz!#>HbcfQWjkz<}<4B1rSUS-M`8UfV3*II*q{Yj=-W}}7BPVxCsCnMR1%jD@)c22xmL9iX=QBo&zaD?Yw(U|Li|}@d%0cC?v$C69YR!**Z)i>WASQf}9>0$9 z7>LjI#V5@=@pc;ODZ7-JELn+r1ChXKK5H4Zz3gXCw*RS#R05hv*MHMQR$H9-Uuz;O z@BSxEWboTMbx7vbSD?$k{dm-|U^Xv?Eg}REFMkZj=?zN4+pL6N$N<=X{pWK%AiBd$ z?$ZCNY7nHMOc@fmmK}eed@)njjAM=kS^Zww8<|1t36Hvekn7abLI(tXrs^U@Tc3Ts z&Y_Ao%8TZ_GLrk^bQ$wrgieNHrieW+!L$f0zeF8eyf4)5$sEU<#vgRX7q2_VRmi|e z--V$geVDO`*zfSmqx}Xt9JX3z*DX}Yuv~5{1NP%*wU1rbu?8jSF?S*QJVPbh7q>d9 zhG!%oSmQ`L({5YuON9R{fP_xB{VjmJkKvUNsRdZ6 z9JS!fogK+OZxq{P?zGfI(7#bDrare-rg~>uno4rz58Q7L&3{v5U8<%mab{KmddL2G z#+zSZru2ue*&sXJ0h2?N39PT)8cGBf-bjN!k=G#UhQITrk);u=4{Y`6eKx-tc_eEp zi+S=UmzyAoh2VWF1L-PUS>zN6R8*Z4=D*4vi{t)H?uhY$$A69U!M)b9RvMDO?a=o! zj$YCilFP6ga?LXL=5^+T;aeEv!-QXJxE|P2k*JqFioAK!d)7=jR@-kT-~2+V=S@*H zr9}DpHC!ePbO{)vdzvKXjGDH0oOfV!9`=-si@=|MUN$eC%q++e+MLm=g+Zp@3x(R@ z=!x-CMs34kvGgGtU*G~VBirFN-wDEVWr%nTDVqUM4 zZ-xUpKf_^?KJc2t`xtS0R)yziIrbKspZmw~YXCZb>sa+2-7e?>(d33cNtEF&9$!!v z@$s#PR;>%1j(FxpnV1BkH7^D++e@%-NZxc-j?%Gd&0o3$N{7MIw?bhZxq=?A=cUz| zXJ}aN(*QodnGqQl@9!PO&(Y1Ugmt*#$-66Mvm_$JKoT)t5e>6q!QMy7dVJSICn52? zGdj=>3Q24MgY^GPH&Ok<5Yja*62`Xut2?9MPgjLRty-hDk05fD4Sn%l<|QdA_wt0t zHox6(|IKCCOc^*dSE?yr`0Zy;U3hYr2Xfhhiivu1*)KraZ7q3H$b>IppydI}#0RJR zPjs#ov%*~W)QK4TM$brAZ782A+oAir?_z2}U_)5sa1s}#O1juMntqbl@}qD_=Ilse zY(0pyvz%t0yD_beCYp-EyCMyHHJXsxNPpoMRG*hc+aTKm&W^hGUb@h=+FoS4Wo+dlKV~V3&<_EEP-l5kb}gQ!J-sK##WUX za+z?p$%wmgs8I9~FD>-P({7Z^%hVRt;f#*!(JY1SVus`7@e$ImTGXZ-sB;tC|L4Bh zuH!mrZ3F|30=EBoc{U}5Q^pLGlW;S0PWeG&45bv6cf()$vY`QN?wZ<`{scO*u=iTd zd*{%(FlgXKntHsJicf?$pGJqVDnFdR`ktnql}idVK(-Z@StRNrqeg!JEe`3@SN0(r zrLDa13ia#y2U3!4^~I^@CjAn5hMZxFug_65W}f=g%YVSi&@xcf$G*n z7NXVqB2Lb{%6$sxB3i#cH&7IulF_5dJb~UX{$U^l8OpOCPl|(xW!U)5rikD5?J%(U zdRq4z5iKeYz%8QF*6G7RPlvk86`4x8(+-T33*t{?$Lbbj6BFzrHbC z{6Y)8Avfl(>3Zlm@b0bn=dtonz53wcOIOeRu;@7ca9w{!Z>J1|K6$3AX8qAA-W)|4 z#%9S2^Jln}>*?&6G%Kb8p=szY*?oDA8*<03evACdij(0?@7=FVe}zZ@=9c+Pz=~H+ z#t?{ui}O@lZ|9#4+DUgVdG*rTXC#j7QnAY?d1IpWtZlOJ<3D#Mf`e=3vIC;j-Ag7j zrHa1RPf!rdZywN!6<6G{2tL>fM^tf}{Q*uBv5>0Y9+oGqod0-F+*eO+artrheV2b) zyKBJoLd)oNSgjU)@5Q7kfL&?6ZmsH+-)!?V`<%-lFBSN>K_XbZNMoR5v~n)F&sb5v zty?r~ka>w|7FYM3nN>y6Gf}7Pdq+4+z3iyVu5(xU7m4+W@BE@V;G)8Y`MYz?YH*&e zQv^ub7OsCFX-(lOk`dxctwVA7#SLj{ZQ;r~r+j#bRAvsh>e7Id64g~`q9jX5X-t2i zJOe}i(nc<6)4Yj;DwJV&ftf;ukE>zuB()vVUGjms4OJHps-K>jiG=|y(U;+f)%W8U ziN*>d;d+~s$>Gul<>Zy411S~K8`Y@d#E{J`Ife1zQYi}ijF1i9t5PiVM1#*BY zNtCc@@3!*~2Dd3wuxnT8q!B8`9NiSMw|D2of-}~X^u5slw?hfL^Kcr#FKqM%ye{_U z+WFVfHyAQzxMU)F8FxNSkblWVzaox|d0@DN{azZm(Y#}zRy!i~4(O<^C)ziGm9`r` z;GVE2_<^?|R<}y>03?iLei|*@KZ1EDVPs8dpWNNMEQ`3AVZndU^SI%K>c*?yGoeTj zU6Hdr=GB{*4!PGz3Cbllh7cI-<%aD-y;rK|7_h!7X+z*@AHKk`^V>;n=b`lvnG2;c znRP|}6+O}Co1C|c)Q=u-c%HXtQW3=ZD5gX92kt2ULtlFw&p+l50+AN8 zdt-B|sgy*j*ZTuGhu)(A>2C4L!i`1|9C=l8EBDIP0DZ9^fY+_lw)G*(i$x!g?{QVX z@EiVfo%!6mRr?q5ZFq&JcZDHHVzliIN``>=E;wDkUa8P$g@pUyeC_^u#e^`QqoZ`C zV{*o8zv>p)0su9I#5>5md(%Db;cs+U)QLPpwNEa?j{Mns5$CmC1JBr!0Lkb754C6e zBfvxd@8q7%a1z$+0Xj<~a`L2!#0f<$(tQKv*o<4G{9=2@vEBBZDk-&~PIMWIb8DSz z0)5Ctt`yrF)^hHR`7pZn!r+1|pV6v;6@j5D_2Vvf)OM;(8_cS@)RPMjkTT=m8?O1= zZ|FnvCq*t~u|Q@?**kT@%Z*2ePO>(?Hhzfo|N8NB`%?=Fo?t{D!UP=_$k`h#V3E5S z0jk5+`&uCmiw@9z^E~|SFZmp&D=v&#+`(jGVD=nbhz%_?=+{is^ugzzU!5u26QPm< zgx6|#Q%m7RWo2z6m94>wgY6%@q-4-MnpG^g`;#J0+UuuORJ5X%o9`axYn*e(&0OWOERG3E)+QL{sNa1-H^P zO-<-<=lxc>rvLqV+fZGi<^e%b526BvxwpT3PU5yo=cRqS>f@CE3vjk@yWI4YONwoo$o^Tud10nw(X5e(;~zL7 zVGkd`C{omztZOEx@Stih^F*9lqdv|-5(Q)hVD8{=xCT~fjQ*{B+_IhV5(t;u=x-lX z^=D0xsLxw@{orC=Z~$X*j}yT?oIvr%IUKTJOXbiJzW8zz^j zdC zuJN$a{KMQnh*1*300Gz4`gv`M3vW4YPm8P$mU=}Uyp>ltw=)_j-#6d|Kjo7;qklD&* z41~yWc}`v5X`0${T?B5b<>bJRNm7-vT^ZU5ZNj^|jdhR%1R*wH`L+;zv=bbC1`VQa z2cpE*Ev>&L#WYCkE_9JLuY|2(uxpez}3g_<+?*()r^h{Gkc$7^W~CF zolAStLbGO8d+$+MsJF#?BFrxDW?e(;%CTbw*-;qfaZ^o2Uh49v(DH?M8A40EkWVk} z29LXq4}(?(Izx73qH-U(|57hUk(j3VzGg^edw6~)bA7**Lb?Dp{BxmC(nNZ()20#S-|%@92K zY?M{Kk)0^Zk+d1G^n~*Tiyl{pkmIZ83Q#47K~!7&42N@@)mMAZE_Ki}u|$>k(^D}` zyCF9+S{J=$+nZV7kF>Ipdke|E2HIR)X!Z{;gs)ySMgMBOeu((gFQaar=0eTm^$YR7 z-SeAxD%||;v)4$F?#xc}0B&LBT8ZtCIe)ePq|MsX*JvzMvJMQI`ax-*=377A_3CPL zaRyA7J7}{H&)J1a`8;eNO^KpByTJ4EqeSBUD;Gc4^e;XA<786%-10Vb8h-)1VlI+2 zqh{DW2a-N6!=nNxpV0PGlI61Z$L7vf6@i2`eVM|0FsgnO-u3U*UQ)sN!uO{InZ-w2P4j*-G}Dl+qQm^aDQa zWPij|3jj%&4{@JCrz5x)0I1q5N2eM=K^z68cL5OwjwAP{#bKyd(x^H4TJX}a><0jp z+>IEAEX0swwAdUZ>qt5WxnqpRWT@un_7ldKdl&7x6!MJHl^Z>NPHr6g1h^T-W#yd1 z>wej~cR3%AdFXg#3&_pssUFRfZh&Bx!kmSOJGC27Dep@aN~xaKvsS$-{2Z9mbAj+N zXGE53xG5SpAiwGqDEaWQc<@Z3PUqr@h6kA**NM~I1PT&=Su8}stTm02i}yrD6|3qE zOH`36g(h!)3{F>tmd2Y$My;A#{rCjJdf#{*XfZ*)XzVW&<_6g6@zYlg-MHrsR|| z68EWhfyZkFA=j<^>r;#3ihuZk|N6*FJ78JD8?>4FOHP(^*R$p@=PmfhGmjl^7O1h!3G~Eg zsx{S_f-fp$#Q=4zaR2A+%1GCeg}|KYed_(>fLNI!^ZeZ#ivji(Zf0|Vlt8!wN=mrO z?qsOrawYEa3ak9;kX{|_-Lc|01^gA;xH4kfU`t?o>xmDU6T6RY7`flIMSSdcAI}WH zN=d9#j+n)SuXc^4daA*N4TIUI{V|nX%DaJ2kKrU60%C*_bBfy+aZD@XuTCC4o~&Bb z+9gkZ^JqKg?G}Sxajae~{K;YFAm?!~rP#e=8JA+zxNnB(bFPhpw39(7^C-31HZ$%) zPw%*{vhnu%c#;*nmAm>L=u)iSQ2xaOYUF0MmPaJinIn{6z^591H%3}#c_V(tI2|CpP|oA7%Coms*O|=993Aq* zo95X#>dC;*!T*vxZ+64QpXCYmg_nDO?$g3^(yoRlN{64^ILF2M@;%qSw1U2XkxgzM zJ5zGRF9C=H(q2TTBK352GJEa0P@>bNPUwN><3tWFj%_J+!x`S{hXROMm|KY2Mwcb@h*!suLHu?}bGU=Un zTWX`twY|bDA6@jw{esOtkm#WS6fN}HcNRdoV*SS&d81c?yMZMlIA)Q(O(J0A8;clu zumhvIU51CDHV-htWK7jPxg~$WOOs-+T&O3H$h}8z7(oVOt2?EK-2A!IAV*2G5~SCd zesd3@jjXl~66sKT*{ir%B>i}0?4ixj#P+ApZ$lXr-_L4tp7LXA3Z-vjeHJcuw1+-Q zKU{1)6!XZB9IXFUy^?o5Ml&mTWd#)0&-_!ZeJ-xUTp!9wK@Y#2l0x)kDzr9#tWloy z8#K{jV-&Sl+h|5}+=Ws)qsq&TM+d6|?2Wsv-dLC!b{k#MukQ$UmfV#|e-__`b`lPs zJUntc+IDj&ol3c;!|iwPN4THiQjUCz4PD65y2Mcu@?g=H{cgh^7X6O$D_-h_O8L|t zuq>y)KLR5qkvKq>QY)&Fn7`&0c-4(C zRwEJaZOoL1s|tCo851ZR=1til#qLe%Z~g#8l#^Wq?(aFi_{arXwO#eQJ?12nYhq6V zo90g3y|fGKUj6M$S>7hlIhUm042Ucm3U?UJlUb z&@i8QGEWs*e9>|5=Q%tJI(J4#1U9wtwK}pFpZmvH18C2&KX*bECfLrMEC=_VP{dWl z({903t6MlMv0*avi^?+4FgZ=<(y*%Hrmbsv_Jg)R=7=}e!j3(vo_*Q69!`-soJrU+Lc1y*o&1%^B~JO*ka7Vs|R(W zYF*)>w$QJQ=Eq|-N9yiNln}RtW6<4e%%8^R3L+Pc)g}&58!MGujZk8Zbp$FCgX-_t zaScr0dvvGU7WaIu<7krb=EDY}E^e)U_nAcCU3_o|m}zyVRk-;NWUx%^puQe;l7h{* zg5l-UR$b0G_QzmW?=jJwo%35?c%5JJ9!=Aajd|{FAjfLgO?J-`0Qw>TY>!lYs^aP* z!i8XUZhKMin zOnZWVyK=H9uAF#}(nWpUezfGd)0Y`6%HFc-4pTop&b?n2$us+>)SYX`uL(&66Le+N zKDGP<*WU9tuHE%7Tsy~Kxb_kIe~oJ|Is3FX$}c1Fh-lIaIbW9H8C(nSu(Plue4G@O zWU$D30Uy8_?hiB0!m_wU;8Ay+i)H#ftxE`-GcSzaPOJI>?DXzKp--1`jO2fXI;sm9 zzJi>KuPfUEtv-40Ww5sa-xIWHzox*ZR&Z;PSb*TA7W3xo0A@%<$51>&c`)CnFz`ro zdUZ+tQC*V4=+C`*E%!qb?SjKI`a`{Of;zP<6V=wu#NeOn*DmRAJd3K7ns`JPGM+u*`@KUmn=)J!uTWl^q51*p)t^HpIYzo) zGC3^hbM7*K*aLKk$Ko-#BDjNk?;N#;RYBUOzsfW7mJ<$$D|FO6`%kd<1tt!+KM#Nf zDqNcPNNNsF&HUu_6h?!oDdVNkwz274C?z+Rr>QdCp{~T?Dl@R+_TUo!*zNKvc_^3& zq3ej;PgV4kJWPzy=1BU2Q9C4Vf)gO~PlLOeV^_N~6}*y9w|J=}{A!4T+EygF1ua@G zYz`Pp)S#vljMZ|W_THXHZ6uT33O)z}ezZiv#}phf3qrQomq83qjyXPqVZ(i_=v7!W z_p^-2PuTVokD@F1kgdH+7zwquDAe1b*jf(j7dvf@q;9tpx3c2C!KXt?yAk(p_IHqY zvW0()8?UQOrZ$rAFW*!!c5iqnoRIqSVC8Y@4)d~$UyAUwlVE0nd~a;H8`o5UDL^;c z5Tp21F!#BrN~xBkrx@NTMgg`66q;C-Igfu|TVBtVqj?Up1g1J_J>$F4G;TdVrlbEX=SfXm z47-42rQXpaU)HDjFP1TF9cw-=SC=Ur-t~CWhiEU@xmmUOc4Moyw`E$vfe*jEtO+Zd zjDCo8$~RS09gIX1oiBIV#-fq4sg3KXF5cQy`Sz819c6q|B>NZaWZ59i^}6goZm@oR z*=f=s+*8X5hX#0M$cr9Z_+N)2+g&;TefX%<#^3ev&KE_g4^LQ zw&Rshf05&3xn4R33!!R0F8GP^jVHES5a| z0tPYS)tHlEx8O&UTXzDVQ}Sr==BDzxy#AG+yoq_a-s3A!a=QFayyh1nddk_7W*m4^ zi{rII&V8Hcp2|Pgs6Vorj&p(L?-X3|7nzkkx54)r22N@EhN^r=8{SqK+J`JF~rwk4tBlPpu z?6Rn|XKpFF46mNC72^ZVXGM~nNOjoy^0*E59D~GXizN;*dA7_`1vv);Eu;|KJaNr- zV|L?9WrD-gUIw&fNz&nTy=9}k)=?F8?&es$d&!e|+B?q#{`?R7g64DAoAzQ92=pQ57<4@-%yny}{_yQ)4s5PH8of^V&Z`|B~kd(D+E%x(_p zaSDrh94t>9E}#2|R8^yi7Gvpuey?ZlIn>47Ew7g~NSEt_>rLEtV$Aq~D}H0Zx~*@B z7{IvWOsP|qM{~7LmSZW%xYwyEoxTTx{VjobkK2!XEd)A)=LdoqQAmvQOP9Ti88vdh zuC~k>%?YX27P-iK{p!O1%z(acfv%PM&qv#m@yO>t``PQ74A;S`=wns*GYW+dv|UK!W@7Kq!AF6%adyk!uUu8^q!9%aH zdmdavT=x4XxN65B`kgSQO9DM-`kR~qagP{zCas% z{Z++7c9VmWu}zX9@;QD-V}<0qyb6*pqNn4$xN?ZPkQo?`7%a(&B12=GX>%HF4+v)Y z$mBl4@Pm@*P@t2MU()XV@=u+NBz4x`Wz~8+)JA&mttb8OUeAH>CX&XahPr^j*{8*_ z#D)klHJ9)F^Y6tP2%QotpCa%k!a@oiz2?a|x2D^&59f8%T>nGzN1Kpk=lykfH#DdW z!)UqSRTWf);5JVPPhWCZx z(nKn~Za=t0Fk4D9aKHu*3P~V!WzKq(V$SB>L&B6?baLb2;b8WUJ?3Ti^0ggPuW#((0apBB>&gHu~z2twhjdJwM9h z6=ayDyqsT^&RM%_3hPie1Y`6pMA4@~%)j2T{BRh`&JS;VVt0!z;$Z@GH~b>Y5wRzf zCj#mWXxbuj+}DYWk5!6>jzP~8c|;mm62pxXy}vZG+vH)yW&{u|k-FyZ+Y%;x#UQd$ zP|sFawr?6H>H^}cT2i9upD;^qt#xOwFo*gVYzL(v*w9J4WO53V1I92dGOjmSb{G{3 z_anlyih9~L#lmpXZL|^d>7!~bQLn@A%v)qVc&)M}O2wpsiBnoJPnUwK>eSdyQrQb! zOnn{%_m%uQ7fm}&hk0(}#ijXCF_$hIfwHA^VT%7a`@ZH6Y*^O$OnwvflJM&=IP*^A zOAfZtH!ZfpGPYE5p2&#mT;M+QRCr&E<4_GTP_+1+!1b(Ro&wWXU^24xm zO4*zGkfOF&8Wa&^gHKfLokhKNX*}45y%?26YYs*!CkXMR-u`1ui(&rxxjV5}ZE7Pa zha1nKWGL;v6+3URE>A>vx(rI$==
  • m3ESa`4yjQ?=|Ht~}uJuCQ3R#Pa$a>l-`O zU@Xj=CtRcbJJB{Mp*wWC%3r38huGrf%SEEQ#iRA;4OZ;RbUoXS3j%#4PJR2(dxI2- zGx~blmehH4%$LnZfC`RI**#4dHClS~HnP|FvqFB*m>Xh__>g0<2vQ6ym#Cges_42x zjuv90AtHNmOgvSO_yXl_*5ACew=tg|FNDnHo7!leLnibu)_W+oo#)56)-ldypIc9E zk3ndS3H@rFn_hMc4)8mIKdz5LalQDsGKO`!H0DLXz_OSiysLzdqfwGKF87!)^;l#< z`7fsJ)2MDR+s38_T-yF)Bd-4prOa&R>cN2Z#Cp27VQRvM;iDwV z%;OI#W7iZ;v%tfq>{V%#^r}xA`Sd+f=)hUAlNxto(2At$aE(vnK0ijyzPAMgl~f1n zOzDWT^gQsmA3&FN^+C_=$3!^88k1h>%DyqVXxe;-^B(}Bh>;Dsb zG!gozKG1`l2Dwk|9e=+OhqxACA}y1qGnsIs(*+cNXhWcm=n8{%TbCzswx)>|-o zp2jR7aMotZRehQg)aq?^DO`F29u)y;XX#a7N$K{mZ$fk@EwVy~$)j1p$;NMP(}y6A zuDQu%?=~^xX?BP70-2hQ9aX)iXZ%_5RU3s9hGXPKsO?xc?jABdGbbH))PY<&rMSy_ zWHND@s&sGd-p!dPhIcoaUhXRMGo|69gx4Qn+2FJq1b1hrBaxg=UHkcGkakVk`XN)P zi_@WjqfAx!W^wNWeJhpcUIIC>gcIjyCZBN4X=jPudG>_uiU2Xs4!vLSVOm`Ej0+$c zb(6$Z=byYecBjCI?{2}sbirjKv2p%*gpHP4xL`NFlTsV@<;g- z_|{!*vyzl)Jyx8lXG{1qL|By1^n41$TyO_l|Me2L@pv3+JS|{>!|h1gL)ETTnAzcj zruT;vVka;u504{a3t1qGJ*^2y{E1kEmQ1V~a>&=WM}Yy+Km*%rU0-iOCEMG7f5GQC;B)rK+stNEv8Wt588oV-rcmHlDVo=!ZU4%;`)V687ixlKPP2$Du%zZ`34)U} zN0}ifL(c{m?$jeDa28cB34fI^!iQB)16+y|%o%*B#faRmSGdtH@}xanR|Sm8>P#4) zak2F2dR0{T$8viZzVjW{p?r_@p*FjmMG7VRX`ehFXs}{)l={SNVB#QhBpN(CljVB^ zRQ!q7qduPF1dIc@U6Q40npBsw`Z7Q1*L4Y+rgyzK7&Q;d#4NHL>oHK0{e$410#yqP z5s1FgcC;PU!n%f`X`+XWT>Q-#C8_n7iPg4kJn1uLvV7yR`2t4uaFB=PbsbkJVvdXZ^5h)TV8zD!tMaEWCE-eAbMFeNd_Gt?p4>>3{vHGw<#;-!0*+-bbnvd!Ayh>=0!S?CE_VC&r^w*}&x z9k`8#5?4w!@nVe%IhBg+apsSA*!yY2%)?S%Xr{Cr^1XgX92j3w@)1gy7XsWn51bi1e=T&#W7JTZ9^UUs)URDdNfS@Z3E4N47 z7qHi;8tl|%s{1tN`K{)*gZFqK67O+Kkg27K>BHv8dlm?-pKH9s{M(<4a|NkZeZomL zJdX*7%uB;+x&rWzP8lnyRhVeC@<@;USH|R$TRQ2{VYYNdfj!5?>wj`I;@Qw5;cXAf zvHH)faJ)bGVCyF5bK_5F-2-)=e=kRK+X0aE*jY)f0_~oo;`XqEPVwjk%wS=Uvst|I zdi(2I98^nM8{%TGin9$qc#q3pw|?nR`-rUxo+kZvj@FJmNwbi0`%LdheIPq3C;53CcuCE&m}J6Zuxn8iBZAd}Y=NAlwoMQdJe4Hzkj2krlu zxIBvOHGYB1dDpm~$~s>To{b`teIdOyev5efdW@nqRp|m4-}X9JD!y&w z_~x56i-f!V86jJ!c{uQR!)GU{Jg4w2Sb`yX{l1Rj{(+2lbIh!Wj83p5Mz#vsj$Dl2`>4nJcN$o>{_(-Ef24si z{f9I#PqS)GU`KoXU(&!FY1_{pofH1AX<(f1?edQ4N|mWcgy&+AvvtKeso&J(4mX4s zFPWYKH^0)4yK~t`I;wLC9|Q5A>|T%1&6WVpR5n7JD^_HJ_jGPQLsuDq_Oxcg&K(?|ou z#{Y2R&J&SuV)VTEWeYHmO-6mZrZAl3a0(VlV+iMqII?o{Ji5KHZ2)oEDa}wQJz`Q_ zB&uIWaMo8$cfK9pHG{s{str!Ajr{8Z2X38iQnCJ@gJi{veod8NmF;6cnrNu3^V#wa zebFYQVkOU3SpvJ|EJ;jrs=RPn>~1L^ia8`-MXv6-TTtGW-_?w{ZsbILnENFs6Z27z6>CDd;i4qZ^*zg?>*e&kc z8$30pU-jj3a&!}%b_(6NH*JAvsr5`DO_RFK4^$drbY*8_z%d){lPFT?EHhINL^%0Y zt#URe@%p0(txBO^tUIP#Y`=)Uv)ruqMq9P!sOs(f)!CotUMr%U^hcSurw>luyQ1rF zs82rinZFa`Y>?74_(*xY1ai*o;Fi@28_zlrZopd~rxKAoXU!0xz(KvE{nH5d*tHBd|Hi&_Tx6SI|Py3uu#Y2cVBzjq&?lKrQ$Ft6O6<_$!P?Kb4 zVrEtwyR%n}%w)BF(tRMVrADuI?`g~PihXj+Iq*g+qc1)ZzP}ZGezzsSrFDL;w$a|( zvTZ+24$O`t7u~X2_HV)UW@uj}?W$a>G19k2Ta5S^KsZ}SiYyQmMib?ck1i1y?~&cE z{v#>@YD`w5Q8FO1SXjo*+3vzsDE(F9%5ddPQkx*`GN$QK%dVj8B znlnO^qu%9v88dC4`G*&wpVm!N$D^tn?jF9K8xt~9?T`{@jRB(8EGpIDL)L}&4#uLf zjA}F1j=!FBBrgXmEiNwXsg2*Rm?+z^?DzT6@O~-Zo_bP5-iad-6vf|n<88S$iaz!z zF8K8Z*o@wLVFBG(PY93xkU5Q19w z^sx{h^l%ho0_|U~b-J_Ft7|pp8Z9}l%t~8xUb_u8F?z?=~3Is z&3&$2sc{}e&B!zwb-n{J2-sn4xVMKgQT@;H%90Pxck3==$i;+Zn;gy{d|8(Q+KgIH zj^t zrw}^F*zg7f3%YVSB0UkZyM+!`aRnkD#8lfnA8*}ws3+VoYHp4o_JjV^!c&-jqG-pe zm@P?v4=4rUn~0AZybP3Exxrcctk5qCQxUlq3cV=~UwB?8bbhANTA}7*#xB|W1-eJJ zL{aDpks^gUT*x_eOsQu(*bkuWq09r98ICwCy3 zJ5CrbM~h|fQ3g6~80W4#-7AOtt7wi#9*48L&gncCUbNx@^W6|`oIwP_fz6M|j;OXw zFL`5xXy#nCL{$H3J+iK(lpui1SB%6}5atRN7L8v_94!9okG#wRAw8OK(jKm|cz_VB z^Huw)XEbuV(NZ5>ZV9lXJvgw1>ND9{zTkkmQqnTo`Ob*ZBWDAH7ZHM7jtjtgUHNxA z<~3)E8N6Lhlh=Cfgq^(M$@S+=UQa&@sGfDD`3mI}sxovT^kQEdMv8L;wcO6|)pf~d zojYZT&u@Nb@h9xA7y}zf^n>z2V`I}I+BB>kFn=?3zC8b(sS}MHjUW)rGRhyAto`+d zMx29)Nj~HUsfwfD?-m@R%1tYUg!0fPY)(=bfrCTwexX&upF&+hU;2sH20!pLrSFfiZTh}fV zPf5g39OPVZtc^|;VJGjp=|-d}=#9DC%J)oAY%E4<2b&e+KE2s;uNw*V$}`Clf{b5$ z4_L&q))<59lP->~^#-?H5urYkT!D56i-M#V6dUQ(`kf^$_?`PHCi^uL2drM(0d-sZ zHznf)OR{m`qTMS^p&dntrL|fOlE@*hFIdb%?Pp&*#3{U!C4(~84JZLjW-i9bxo0VO z{rU6;Z;X6Swm;!Rt9smsTQ3fTGWCZPj<0+xa&h5>d9y9HfclV4zY?KrD}8`WH8W8r!?pBW$GqD_ocxK zWc7AR)s-tWMIgeAuk03Qj$Y4QI@C~Cnp8evw4AGh1%dXDjU#ebaZyQf8)MlZv>vN$ zm|?^E552~63X3i|T@#GFxqKGY@D_TT?oQ_^UjDLC=*}a`=t^hgY%IB8fwXqP5IGp~ z@czY;9gv3jz^|^%V*EMBBlF=?d&cBChNqBowrYybaA!V4^hQirk`GOju4o}k+UV@c zOE5zR=9bl{)ys`Q*zoP3P*uNYA<)(`XbYQP^InHVML-HpwFFP+gNVARZJ5LW0nVGM zIO2ux6iOPwWR@q6SujFP@)|~7(HaYr5}B@+Px8$-w2I~WDy(Y4M`TdJ2u#dYGZ^Kl z)=O(k^w03ng(SL+uF%4Zas$>ogxRMHk;vm72abf=VETKhDPT2E+-JtIW&O~@4L<%x z_>SPxoLI>eZd4&h$o?A(04%t(veEotU6kQa#~O*@z%YmH8ij4#A3v}ZZfJhwKs{Ny z${XMN+uhsEN4a~0*1H~cZ~%$C>(h|%rbv5MXpEwj(1JG2na|NI%&XBzkGHomw!e{~ zOljeX*`m zW8i+j0t>|8J}sLKf7fD|_(d6YNX$%j4J`=Fs_EmX745J!5Ej14#@#oRu z4(8&gqENOp-a3XDv!zWwuwy+DO6Jg;nQE_#xN%?pv!#`KA4l$n-&V@S&5c z_FB4H!iq0lYiJ;RBf+Jj@A^WfSC7fZPfN4B4_tGLX7)~9+>R0}5#gRxH%hDsNGW#l z7vB$>mu^2`?PbnliRI_5y0utZUtHLcxsi zq1ir+iTGnBk9yn^F7QC~YIsTQ1wepNUx#FhL+AdinG#k zg=ty28JDAc!>GF+AEa&C@SK<0m&()UTSRY-x+NPf=OBA&6PsG9EXJY0qhTuOM_)@I z+@DWR*d=`OLBEY*?D;XGP0bTlt;ly{ylOgh&PR+{gJ+VhMYk5#NipnfR`&*#l(Lrb zvOMuS$c?N2`aV=`oCz}B>6LRto;!KP!uo_wxOo4K6o`DgbHKRy=tBA)x#C-&BNQi7 zFMB@eM3~9SUEZ3~3p`r(+X`WREAfd0sUMqx+<|LfOi-CpCC=!2S@kp8JYilj#>tzW zZpsm6`rC>VzOHF9D48z_Fgjjm-o4DnNgvIq?P5+7mp(Uw?IQPlA*w{Qwh)u9$oJ&| zkZ_8^Pu{jIxKCc0ASj>L>z_{Sa`^dZjx`82w@2~Iy``+VBE8(nCfM8+w(8Vh*#`aH z2p!dAaQ*UXT*v#PR)3I=zBuBnAB&qZQjU<=Zo+$DlDhUv0*;?6+9RFc+$zXfJ@jB0 zADj+4h5E5@#Em`YalelsiZBfNT=XkuF5G8gd`2z;^udf7Dgi!vpUisT_XF$wpzofkN=%i8!n+NqQBK) z{B|#bZL#`JguRHG4;>|{_PdFW2)2McFLQkFb#MhB|2Y6w$vKe!zVr}KHA1VTg8N36 zbJ9vJCmy2p@}rLlAZbqKo|k^g^#TIXkNqRSC+2^HDC-*-`X3Nwsk8+zKTxb+SU9U#nN3JCkZjN zRFQMDVA$BRN>6bXV!iI3onl1;4O)bSduSW#IdqXLRi;!J+3C&=Sic%L69 z3cd0;oaTt0`lO`OLeiqPtA!=;d8C9BGu#^dP7ORhIBC19 zp*|yUv(_Uf_5H-bRhz&)C6%A}PS!eE&)F0+ZdPEXjyDc`lmK3Af0agNxs_Uk3%blU#6nHtNow6y!4v&N4ws!|W{`ro_-^5L)@GmEC%5Z6@2pwrA=4y{F=L7Km zC!PpRSEH2IVmIy_T=~f=D&3M&#dmk>&?N!q6Pq_s4leBi(&&hG{|VHGatY@4qM{{C z{Z-sCq*inM$pnJRCeJTcbUjnoWnkx8Pbpi5S6(_kyq06L8autC($fd_R*#n38I;$W zX!6c3+^bv}<#A2UTpb4gZ*0&=V-a}G}3JGDj+Y~Ss5uB(Fs&EsqR1+W=p366jrkZ;Uv75rE|M0hP|vD1gt z-3{?F%hGx(uSRB0_vYoK;y@Xj&4{)l&i@a5y;A=9 z__Fu;FB(TXjX7mEXKtTr{bF=TcoDQB+7|Iwz_RyEX7!(sN|uB1=?0D)Z09=QDkKcp~v;EP$rtuxrP_Qa;anx0Sp&H z+`Es(h&f%bTiN!l;ZySjx)9>si>Px~QVS)oA3lj5oOQBS#by?dCUSZllI98!Lw5>N z9Lp?n=t9u}}pH*Gv^6z{@Udf6D2o1^ZK8XDt^oa=-cyC-FqcuoIgO z{8J1%U0?-VHlvCU8C8g!)xaCa-V#r2vq^myd0@)^xo~mDHyWj1mc)s^7IOt;pR|;T zYDfyu+US@IA7oD83tyvymYoNH_}enoeiF!}4T|Xq9>QEJVRLGGz3d({0MD zec}ezjLxYpQSxaC15Vxghs<-MZxQzg<~|!?cxrXePRTSDHBfviY+`Y(|A(=+4vVr~ z+r9?`0Z}?7hEh;UP&x*wK~WH;1f)g;B&54Tnh}vu2_+?mlrD)ux=RrlI;0T>2mH>t z@3q#=dfw;#zV9Em4RKSs=Dd#ci2c}qqy3Vom6VG+h@#4|hvAs8t7|sT<@Jm`ErM91 z9PD0x5VCfa1syt3^O4>L$9mne=S(m^Flw_8`^jQBM5SD{1G-n;So z9Bpl~dlvBf+17-!Z0_H+8i$g8-zV+W$us`r&8bm_`JkKdbX11g2qE-~1g5Cqbp_%k znx0&)BS-TQyK^oi`!?yaMqj_0jJZeM_noPsZvKFp^f~w?H5nRhoEH1%U=D~X4WHCn zXZ`5!<=Xy!Wn=$Z>}G$8SDYH8ExrF*`Z(XHUX`=awmQ6#(ev#JV^76g^JC>d(UJSL!o=vh znDJ&7?&rigl90ZG>3*rgZLErjTP`1!j6fG|jAlQF{VL3clzMvJwXij?r` z<{A9AXIXR;xW#)yQ#%6LTQufJlSg%9t>E%xjYn#^xHtPB$AJr3my$`3CR-fL)#XN# zco#n;ZJr(y_;f9jEZ|z|?;`SH;6ZTRt_GX)R!82=#Mt{JeK@HBh(`xX#;q_z`KU8vAroyr;l24hxboCd;k5-|Q+ZkCnV z@f>J}?d58wv)_Nd{tDs;bn)~kv*#92J?Fe)$OD!NxJ46Xs@k`a)4cbJMn5lc(GZop zftkjHPCvg9%fQYeDKlN*#fOY-?|_FxQDAHaWg?ncd2!-&K^|-9oFnWyQ(vcrz>;r zz6R9=P1B6coF&+HCo*Hs^L};VabT%a${nzLkDq5*f_YYqmPLJR04HVXo-q07wASM* z3Y}!4syt3=GfyW+POULM+kYlyXm7|wT|Z$||HANqBZ!ZHkb*Bf=z{2lPEo$H2(B_B z0t*Kv6}ZZ6s-%FG@K|ZW436t}AdK1y?Ig@Zj8v{hr%cL|U${O6zaku&NJJ@HF9 zb$W5wQ1!xn^Jo3CXJc{xBg=xrI>STXy6b+Q=k^E|y3{oCw^E2G<^g{eE`6%S@xw4y zdz3+ZYUFl%4)dL0DIWP}*zW|zYUSerqEbCbw=|gJ zp^>7Zf)75|Q|b4oq_VStWJ0`ay_0>`X+BAIX)7uV3b`_t6aok}$m{EfN{z1WTd_wwtGR|df zBu^=^yZA$WlPWVgApj4d_q>G&$=F15+(t-9($G^em*1=Qr`tFDary1;zxGpk4JdBL z!NzSPCo=x1CU9IK4H3_)Sv=&r?%sWU)-;!v(6q_~1(dvHAxBdkHXJh5;#1k|hQ=}; z8#|hIv^rn|_>=qC`q}0mg2*cnBI!Z2%~_+^NQxj)ki4rkYZT#r)G z<>*Y5q|Y^lblsF|lOi2SQbI(AF5B5}pfbvyEC&hkQpXcr>B%cp2K)K&%7XJ96DV0g zIT_=av3(dKHQJrBYh%}w2~XzsLuV+k0XJ4UYDSH~>xtD1rWZ-y4Rei%<_fau(2{4O zjsk-C*ad-&c6LnTpt0Lz*2owA=AqXn63HSDO=!i#*R+HdEgLtx^ZIo~_?De$hzfJr@C7yd4_NlOHpBjwZbM_l4(_SY62Qu9!t_c;R)q!_dFnRG)K#`Il;y9) zJMO9~K^D6COGYT*Bb^$T`@MhcbtT35NVPIbEe!N|$CSjNA$y^OA!+zX5HbG~Kk#DH z;=g#A8Zw_mGqDr)xKZGVMS@P(NlXam5(_n?u9Dri<%?t4#*dp|VRm8Ux9#!UrNmV|Ca@zA*A_ zaK*1eOSvff@hh7_N)GJgRJbEd0-6L_2MROc#co4(_n4BO9Ve?}^MdT(r%q#KWi zH*WO#0}M>Ge?AYj<8R9(CTDo#Y6=ZqzGlO!QM-eSKtGF*nx30rrg(TO9fblu37l7M zaY5YH%g0|Svt6t`z^!t)DkU9BwsNrlCaWO}O3xb9h(lDSRqti)N*o&%*OWe&IkAm4 z;lb=4pC(q-XZv*2{W<;Jtu?h%?pWSmIITa9mr!%okwZOZ1FgZbu>g;dJoyf5~)eTQLg@W@8SCrf~W-ix;N&KG`zQ7=$5x#{`?RM0W1#=`fBXY)Mzd*6@;lE zBuGeFoSuVCBRjJZnQV?)q>`XLtq<>#)jV-kL@J~`@AVU1dN%p(v;ppD>W(8TcDC<) zyC27WdNfTON3O$+__1bTH?CfFeyzHbN6DG9ORsVo*tC}0pDkOl5cVerS7T^C(4~Q8 zM&l-21c=sOmPiU3e6We5>r1h%Fx_|>U#A0`Dv-w_kkEj^>x`xI!4Oz)yGK_T48%io z zuaon}8Qp?@EB*dh%k#4DTxN~eH_~tR-_z~oeyp{9^g8jG`%>y4eZfw0XxhqThJ#J< z-MJZE5NQl{pnXfA)qD4q%X>1DyHOX%qal)0hl=tu&Tpiv#c7QTICHD9CU$&Nf4UYn?ICBnH)csnPe&{JS=&;p;&bBbvuf88-MH4Rb<&2K1+|ypC(K#K ze~MK3>T)VmL7e}H*zvSz-|$ulB-}*81U0|RKGp|2s^l(e{7hXwY4b=1>oqw>)NI@+ zQ`~!I;xP^X5Jnn+BN={zeU~nLbQge>Dz`J0?UhI#gS{1x`&`1-6yDWF7a+BQ7V7b2#Z^QX*aYjb8BmJ1nF;t$KGo47 z_k2TXh%w6rZ}D+gZ#9Cm#VYg*Riv_Z#f7ot_w06SQ6zLem@h|T!;L_J>ugu`l$6EJ_7D7u}k2ycx`Yjp* z6Wv3bxz$?lw@aIF`GZ+|pv(C_6w2jh+MI? zp3DmqrdY32R(@~4kL8N=4u3%FxjuA(fGU0PN4l4BOhk7QtiC7OiFb9r*Wp(0|^u@ zt7o^CO{YUvoqc^{TyW|Qj`>^MUJn^jcC3?3NU8R!_g|dDy>%Fk`;QcjltZ5pDd1Fp z8+Wc#Z0T?vwHtUeVNSO%w|ifA0!4n)Co`vlb)F*&>xXsf|9su~ zdx_aHMa$_Gvj4)Xt$A<0c%Sn@6E|2(iR;up2UeGl8T|ai-t7FA+j(7#Dm~SULt~eH zD02I4aO#^YMH>Rqc2#LG*&k9~BJ7oFKAlru4NIQEKA<8Nl)063`zKnzp=x~SqRd9e zp5+9Q-91$&mMnL9a<~~Um+$BKbi*7_MCYpe7ml^YI(hl$P?kP>e5WowMu%6qi>iA84(0Z^AYOP_< zo>BMvk1qanBOcUN*6tO1K6wQ>L;n8c9I;I0o;Ot!RQ$CnXwTDPNzS?1E=UD_2sYJC z0`~?|&=|qepc^0mGH;7lzX1hTPax~w;_(a@zw9Q-I^ zU3f;~#9p=W1vQ?ly7d#~*=ut>XcjE+KMG|Ua=M_vpMKyeh>?3)d(;EUOEf)_zH!zAp$AvA35dVj4t9yM`AlXP_Aq$96TX+2} zxjDA($^#Mq9Tt*YrRASBE}lk$cc!>d^Q!5lhBjDH&-n2e)qN&P#Za$s5_0$lyh}ob zVuR2j;mxX11CdFgmr|~hI#)#3%!+efZgtN1Jsf(`^ZgI?Sf;#ClgyWH!e*^YwD}8Y)ml_x+xJ+g=)RQ z9A ziNgG57&~myl-2HcHFvM!km&*M3Lh*?8es?UxNE@TshNx89VJ!<% zqA@ynrOSZIn9_qnP*WM#9k8#{Ocp@^|Z?HS3ic$v=o* zT|+yu;{LbN1l#zHOsr3{V}$IBYB=khxHZk6-{O9RJ7H{PpMu93uQDF1=cWtqAN|}fU$7d_!qF}s6un=cOLJH#3Gs(Kx8SvzJT&N@|Al{3w|;^Z z!Nb@cA5BJf+)4B}w=v}rj`XALVgmN&_oEAcdRmr+O)+GQncV;trUF;t{ zQ}YTHc)4aMf+uUvhX2Q`#>334D$DJfI25Qz8UjNS9ab(I3Gl*$NcIAsg?KobB z!>&RX^)w8GcG{jIDGYbHeLO!gJs$+7GWjHO{sIqW_uG`8W~Qvr!v(P=t>*`m{p1)< z^Yuzg*Y&ln&;;k%4r2JDB7Jkj#=a1}Sz>}KvU*`Y44aER8zfZODa-G=EpW0JD=%(D zDCAzi5*jPj{*2-_GFI{(FE1icXr}Ob2J0>&jpU8FvNvF_soyISb1z8QwJ^rMr_STzBLiW@WD%Uv=SG8h}O`1tMtak1V;OfTKnx92hqbB34NM)AbIZUg0J30&+3xX7{D_k3InPz-fJ_ zu}z2O_O-S4;4c)Xw1}mew&||v4Blefr*KFR?irO$>24-h<&$54+DPWZIQ-5gw&;=CQ2#>WVQPA|>0O8aU_qZ>91}5Yp0vGKqIB z^=H2;SocgnwBypVBQ$;S{Yh-uywy!IG*id4RhGMq9|(Jre)=-QZK?sOS-|0IdreY1 zmeT_L82{i@O&@bK!wh8)Yx?g4t@YT$RjKQ5{l6$owA1YFdThj2Yjf%{1(Jn>w2pQ= z$Lr3S=gV|H&=_dpaXU{YiahZxB~Q2a%Q zsIls==GMxHO?eOK5K)B0w{i?1zRG)qND=WPtGNKqAy#QYY4@-IPE)IhT--i&higls zk=KJ8s@qz!yCTB=G3EIaR=$y;?Ed?uZa8`+Uu=my<}N0fNN#Vp9q!>kwB7N8;6~=a zGH|m@pHWD9L3EV^&(LaqKZRBYWC-MoA4G!FM9miN2;qkPAt!-ZVc<>V(t1fkJCxOB z;Pxsop@ECJSx(~NfMqSyk9p4%zOq{COEoMmKsDAH(4p1RfU6H1bkB&`=`W1g04Jfa zKen5k(-XLAtAS3Ios{wM$1wK0c*iC3IZZRH%ootWDgI~(s(w{GaUzpw;GeM$IN&$& zEzzTC&5gd94;%pRj0)SM_q@lo)bcno$@Ugy6&ah)wT)Xj$omVHX6LFdcneK-$V&^g z_fKlNGjN1z&E}atJ=Ov;?YgY( zXpPT35y^07)tq(`I-VHH{>AYpwK3l#Acm`L2$ zDF6gjkN}{V5*9w`muI|rj!E#R+i$sI`lw-ZAbP6aN3e@AL`w2L#y3JcSJ#No)@6=+ zldiUtGyanFBo&KUtVi_f9{JT$s@`k5Jt)sg5pn6!V$V?ppJPX`+NI-H6j%B@fzo+5 zj?K9+W`Y#4XfDv;61}5BXJb0jqDj2gT$R)emv zm}ZpeqkfaC=a-3uq-_Zdu#5<6jE(9nDNn{v*XK<9$uWLSJmBqIdG9M5b3*tSl#Uw7PeVbM;8J6 z!y5f6#>w}j%8F~in)LwhcKAbJL`P79wCBBqFq;=&)45zH9&Y$egAS5FiN>86U}$K6 z{j2fO7sedM`dQ*tyuCNx9sY=JR-lz@8@R6s`vT{00dc&~;M9wzla~`FJAc^KZ#I=@ zt>kDt<~&)B{%UlX9J%7vU`4wb#9qIO4 z@3F$iSNQ5q!JyfVOtJSoi|xR)a_lqw2W&+fDCNAAg_mcY9FI4#V`{+mUoKwP$>zBb z7twFQ0A8e8yw+#BeR%N9M&H0X={_NWg9Ax3Gjo9_){D<%`}M5eU_PZknK8X$I_xOY zlK4*~?8rQ7mW5bm$s$*>>m!VzJ6%`2OW2s+@vEkQ?Z7ac*MAXsbL-7B#Y@E`K-m;o z+s&g>F$neashZ0>GjB8QH0anAYOcU)1CX8`mG<&`{orY!m#2VX~F7E>1|x7>H)~77%umvIx=Xmik5HLXa*4W>ZE0%}!fqMDruT;)UZ<+Zqn_5cgs{Dc)%`6> zpU?VYf5hwf-1YjFa-rficCZZO!Z$t>e!mHqwQqSQa=eJASz_kH)_oc$o#3y*-xh(3 zv;?Q8^`#!#^hu4rATi^L1w6dN zj_7ZA$LQbijv_{xgTLS%TEcD>`AYI#@wt(&)H51w#ja9Fua1gp%7)-p5PmLQNWr}c z&9CDXV1NZKW7P~K7{|*udJ0XSsj2>YD*G>Th3?*@Oi6J&Vmvwi&BMp|P;vG;#bWp3o)6M&p;>FP7l&5I(i6!3k2H`A^j8-8HDB%ChmHV%;O z{0flzn6u|f#IRyoKcVGPR&>M49nR6BXw%aj8v3F%T# zY77rbLv7kqaBoZyMWG%TyV2kIDxWW-VIc*5tU2LpfCX}pp?6XdN$+evTuS9ok-J?ric12%_#4F6Yu@Pd znIHPEHy)UW1t6DZ>^1#*vntjTarrVF%TG?MFpA>FjJq=nw*;&7er)SYAJmcYN0!#4; zX(@Vw`9Hr!z&)T&8hwSJWYl%DVpt=^%SHcldJ>8lOJiw0OId#ocg^t=DZiXA(J8I; zX}FpRqbx6OR-JQ&o_DQODT|i+uHPq)~ECv`r+nI2_R*ZS7Q#yLQohdA{RH}l` z_S;PK7%JB-iqT!a(&RL}OX6&>bR{|>cmPg^`0I+drYq@XQ9y&N4M5N)X zwK7PJ)DPhO_Fa$*x@m=A5o{&D#7S~p3 z{iH08^7FzYzvIX{uT9Nv_^rOVPpayF0Kd=l&kq?r`+uGT0sf&VT$h0;URH|zX8CZ+ z=6%A@W0>EqC)-hhO$2h@!34WABVq>y?svyeu{$mp2?j=tsf^!5?7zZF1?Jn@Wq7=E zme^+lez$zRg-+curV|%ol(ggOG-YY|nYaO>7=Cb27nPfN2KxD7oEjfZfH1g+B7nrQ zaI=e%NFm~1^p4OvWpX^d9$bG>-CMKk#Nig_`#FCoMu9|?d^6zrs zOlA(!dX8+^kA$y2jDi}6jyIGOi*k#SPaV+BGh&~opSC;oY+Ww6*wdb#dQ6@9cFO_# zat~2VKU3vvA(A7AqW<=*QdGhSgz%T$Qbvt)xa6AzRCM4a{Z9yE@&*MSt9NwjS=XJ0 zkiX_p?vMr2S()8-5&rFD08++=isdz3^n; z;v(+_8KHJ`TCzyf(px3u2ZX>Wa|(a&qWvfwog(=-ddH#=*T&g|8HVdKR(?P;n6z`B z=kiHL3oU&_$~kKxpZsf9e?5_@Z9Y;(B*$Tz^w`mnP~DL(n8CEd6z8&NPw@D27n;c% z%(^HBV;=ZzP)*YfmRc}u-N;Dxqczf7i1nbKJ!~K z+!+<}nou{`vC-x~<;J?L!8cSJxfgAg!hR4bJSaJHicL4bh3&8*;&%Q_JlUrqlv9SJ z#5vXonowTCoU0;x4drU2^Wl@c7d&hHqS z$}MbG7=*65=ab~IKrDuup*utQ{8NfJIl;X$?yJ%p${!vH5Cj=RG9C%|P%oNl@W`~A z7soZ&Ul0ruR&L;1p;}B5+|iaO+JzgoKb-!X58>Q}GKi=&Xw0!7oF%>}aDvamPQ15_ zYW`<@{_ls2&mZjZaYbU#Md0iMktb|WfUwFE>JurrK|=cJuo~Nmv(9%YQFmnKROITf z5_zk+Z|5jCc25t5S+>`k4~ljq>i-X*f~L-2Kn0BD*D%>Gqz2Zx3iD==H`X?yC7FTE zkJR&x`X0cDcA@kuG8wM0-RHOvMIPZBsZ9Y<)Mq-8HeGRzcdjB-5eZi}X`J9VkR&|c z;6r?)Xt%(=m)eA5**<}!!JL|srGvDw3+0!Y@-9<{eGv_9Fdv2wIDgc8Uq{Rh1}F7{ zK#L>GpWYhtV<;D&nCD9LS)6eM{O6?uN9~_4RzyK<>c;#a>zo=D+HopjHLDtTL}UvkQZ)vo+26^rDP*AsdhOq!mZc@tff zyyS*Larr=cKV&0R5NXP-1%02aC*SrFRf$0}HSA_84eWO+4lLqDt5ehNSCDdiUC`pCV(`Ki3$N`K^e-ZFlm;{5qgrh>&u3AU4iLb;}o9-J;@SW#? zbF4;rFz)dirxp7|eDvu;vPp#p4luIsQ@5L6e2Yv0Fc~zf^r&XKq*gzZoOH1y!<`!i zQO1qY2!V~xk6wCTPwqoO9rIXI_O_aO6aJ-W`XM!L_dhP%|MTg5sKcMDC$em3r;iP> z|BBYKJP234Mh2oD4xR{0V$HiLye?ErJVQ4-02qStFY|6{EFG`Ymjz*{EtSFIN9fOi zDAY^i?*%LIqgT!w69qFk7nQ^xf^x|%~1zbB!ubgwoI;5fy{? z}@mtH0@1>xLAVE+nH2YG;Y7W=DI4DM0%H2Pr2zk8wROa zn9vAd6)F|-F@x6Z&|{2?NNy!x({nAKUj8PW7%EZUPFy|~f~EsS zg!jn5B(@Jbl^-aW_GE{e_tyvHFOR3-=;Co&+e+c;>FN^cOto<}hD%n|8wtV5T`1QZ za40o{0j>0CHg07F0d}@vzsjqRDqzHH?$ zBO42eVYb=*)4xrU%i?>AeHz zPm7l{Zktsc5rsoHX^U_pa3n<>^2n%*ez{~Y8<($lT4u?f0aautV%d-Uh|5RGcfd1_ zo<{^X0J%ttxkx{25QQ0g!&r2&omROe`naGSW#t@OIl z2ozAA$U$-zPG929e^PkU!Y$0qS9$RvI=61o0Ip~X81btEN|b`n z@SXJG)!cOX*HOzc%~VA4fHj$mH?CgklmER@0Yt47Zx5SEqv;9p5XULYbl`DX1sxdP$sFpKQ$&nPX3JEg5GI0am zodJRSPIg_@)RA~2@5M89Q`ZMeZ6a-cL3UBcZsjdnQ$peM5n6Ik4{J?5Ih2GnSR7|9 zdj3cVv#mf(E*C&Y%M#*2>a{W6Gyc*u>7A53V5ASC!2km~Q%`0jU02eZCRbOu{kGrd z*%Saa8yXam1qil0%`~G5Cu$bi6usF*coEi(Ps@jMr(>cmUF~I(`^&7%z}Z zjRNW@JZqxt7_icW~VrBN)shb^At9bx(_EyW2*Tx8g>ie&@N`lAf$O1g|L7)u(m^{IsUaj?R zoXOBd#Gf_ZWI+KF2Y1}jdQ!2&b-uB}=!j#V+D9kY9D{62Wa`O$l&)X)bvklO#l*{C zG@=oq6^EB_Ur*8Bccn$d5r)eWUi7xDUO}sS*+xVt!#Z{gmPsC%a}tuVOy2C5B#dcz z9_{7BbQ9IMaZA^4pNsnX`T6Sem>a6XEG|ZEx3&3woo?v*9hc3M&c;B!Rz6N*SvS8| z?(>6p_}6;s`w7=S^UyzPzqgwFA1{E}ctYb*yYS}#MfIoY%Kk*vU zt62}{00SZ}R{nU!EdM}Th7|0uwKJL+8OehOocptCrjhMXq)Lpyp@-9r@XXmgQzm{O z1}~B=0nht0zh_FwIiN(;+$vgFwG_o2z{w@p$4J;u_T%-Del#_yKSr|U#gMFXG_`F_ zGIvf#n-Yd8Rniiq8f@YR;sudKlG+RLY|i06+V4Ac@`+iNs!JA!E|=&C_S{T_B9sxh zHOJ(nwAwf48jjzMCx1q8PFSfBQ;8wI(woC!GB!2?_1TsO_ML_BT+v!T7lU#^kS1l?vW}Kx=I{ zU$gJne9+o#4eotRS`_Y3q19iH_aErN`wuV=j%1R{;Nm{949LDsXUWEuC8Y22HEksG z=ImJZ)V1~40g9!?e*T?WxGsUyqq zGH8;8X3d{DIsX)vHwbB&@nhxP>4T~NJRAb^bG^pcu}^K# z+tSK)KI3w7)ajrxcvpGKpdxQfd?!V6kbLJI5vQV)o5@b2tu&?lwA(%XQa)0J)qLo#HgdP%>a@dT8~|_?`4HusW7K2XGEgE|V7UIS;(SM2 zRuNjKP*%s51Jb2is>6%mIkt+P*$3BpzaP%=yWk1FO?=|Dd{uWERGoJK#8{*893jCr z=pzdU-xr_cNpUOy<_Hf;S<|m#N0^03fQqaDF z6DecV<8zWLHI$8oq4h!(H0}=P1aAyqbObjYk^nAWu^e2{V_7$9tGq=&5czCP&5tDU;;=RO!mM>Vtd9(dk-v5A-ZN z&9%pI#5t2Yz*APj5c#_Dw-*PjQuc>OPcQ)%&v45D!y{hM`s7>~```0b{Y3D3R|^cf zpB2kT!~QzI0H%XA{xw^FT(^6Lki!JC+g{Vyqm!N}Ja0|C#3{6solSbLVvvGG^1-ed zJDdDegeGF6nvPa3NYJ-^G%0Jsai?8UFbK9cat-D(!6#qJgitCdU7`<8URcOLRf{lq zb&{7Qpw?87pPnt6vie49@xq8~c^h{*UpAXN(y4wlsE-^oO1tj7GI;66t@Fq4&Oyxc z<;_LMzO0v;`(ezHmremmRoStWlkrQ8seDHU^h8Y8uZUVsieAaFB)(~ByMyyO~wxR_l){TNY6U85Hn`sna#Jw zZF#5&V7qZhy4QM{o~s=74Z8^_fmS>a96zXi;s5*FD$utZT>s^@UX=8#FJ;m}F3H5t z(;WU;^#IT0A+voSx1_BuVX$lDI;wL?snSUp4{*}6Ir^&U_i$_<43}TzdEoyZT4bp7 z$8G$?ADDm|boogV_a}gq1@)0Es}7&(SpV9XytJG*hlh$@j(yW5cRCOz{|3(m%{ET~ zkgd?~N0lhwq8|LH`X1goJh4oPI(;0!3EjO1@s8Wh7#=fx@g&WLOG~kgo8<637lM1v z6L)&p1pC?edow0y7|)|oEVGfERQ3c5+`MVzFnI~(jNDwT!~GVsLV}+n|;lD>Tx5_bl#3Lv0$!;Eg}3cX2?reP8zPG=Nj07%tx~A zxjIEX;|Dz-AF(gK)=aw&rr1Iujk}M88;w@7^o%P#^Lqx}cz9M`etKY@=U~8aZ%07m z1JHUHFbQTzPLLB3(7xc3R#xcLtYNZ=t$($?on*49TT}9gZH0P6TX-+LqbpFuZ6W?c zD_nXp*Mg!!s69i6eTj~d%~$z!f3PSGb$_>5Wf?u~nq0BZh|i(MPu_hRRn2%%V8a># zIZ9cU%?)`c<8D9vsx{6Rf725MmQddoJpUbJ{}&v2Y3e2>$#VX5BKFYj-ge@kpT{V?!P_mYL75c@89N7`plk-K&!t2 zu!fO(0K4kAk?p^n>YhUhjNDcM#K-u#&~<&<1@*X}7}h!^C(ZZ3GIr51l5H0(D_#Ft z(n^tS@&}wOD)3RhS~j{FnANrEM_PBv2DYPm?}e?H9M+C!15>PLdDB;AI3bE1Pu*K; zqn8d8O2d0k?5|SofPZpR6wH=yzA2PA+Y!;eQNij-S-+9Z!7&q+ke7fC)ULqwyhb!rT42V0UJf{DqZ-H4vX z(h7p#A9RAP1`F6ni!U=F`j=h|{xAEJ_Wzp6{Ifq<$hN&=L;d{iaAItJMChQNkHT#_ zB!mC{#E|NYm2jQy!{=rKrq*9kEImwlC^8o11HPo)nbM(+CtLna_eyVm0~(~UPFrnhY6vG&>9^VPw1YyY zTY~5^C!#Gpe6FqUDUF(~tF0I?s%)~fkWhzLyiYrv!{4V#cSqzZ#RZ0JDpfz0@$rTr&~_s7z`DrdZnWSr=MJpJM3h(2XzoZn>uMF$b$(vkEhNM4jeDtWh--HXh!o^Bwx@yC zW=Q;-ZTuLp?R8?^78^Hua?FQSsWc)f8tFyCT*D0Z&tn*U}ZQ$-nq!i;r~(IOW{I(Es- z(V#+MoaF$lX&IwcNy6OWY&0BWvMkr!Z$pdchA=VBfI0coP6=uA0&UcfNfl| zGNU&j0sPEGSq!4uD!7eQC+F^oCmA{2QCa&KE8RjOqo(6nB^NsssxW33=+jmSu18AF z^mbXQgJM9%&5%A`$s7h{DRpjvUn-=tO$*MJKmpXE+2LN`CN}&^a*Zl)CcWQx(|MIx z*yHxwVanJN-|@O134VulGxYRCx7@~9gt6OUFr%Lu6G8;9&;&ByYkTy|go z4HQ|%;aLf{i)fMIi|h`<2652S?Jy7-1zmwvp2?j@xf*Pk3xkdw(aiJ&3{F>`D&FxO zZxHsGBMl+vOpA%6N~hbHYl%cXtwS;PqZ%5 z97cHJ+DpIuzwc~4zm1A2-Oc1~S{v}vh9R)sR}1nDIx~GHXeebC`=^KW>^s=V$yE92 zUOwQ-$j~Y2_`YxT$VB$TEG^^J8*k&~W~s={TxYZ{b;)i(KNr_Nf=ym@f6) z;Wg~N)?^O+H@UiqS2aZ{K;)*4_v|RkRk6yuWP%l0VmY>sVi0_nYN!qc1nj>XMqX8< z0n2IL_Cad2#5BYBb=bHMl97p-cdi_y)^hv=nVR%F_MtQYq72Onq1mP8;raR{lw6%X zW>T(5qtkpD)~Q0OtfZ#ceb*1$ZIbin2>FL^bu!f!oX$(?An!B*8o|UT^emUh-^8i4 z_xW$=kE=~2Xc8&A`2~lI8;f2htQ4DfXz=v1xsGV9UV7o7BzDRAK^-MVGo`l8yVXdBsCh0t`#`oRde8FJ zJ|0fmUcvlUqGJ{8+{TOt>+>FzbYFRjuEmp-$$~^d0Agc9{_jo1z#V)SYe#X)^UNU` zU?JTHm~&Otr^by8OXTddT!buwiu}e5;tuaPdIm+8g1&`VU7U%K=aM;&v*PVbuq_1> z@y>3^CA6-z0oELf_S9d@b!*R$KUb=xE#bIg)9^01Jo`WmE`Ly}=l6UF46H>oFPhQY zmDm_+D}0L;BOy>Wqsy*dD_E(9xI`~<2Z%kR_*1R#Vnpgp)7)(zwzpc4{>f zeybR59$P)s4Q;R&Y7Dp4CMgB7igc$NNMUIqWkmajc8ZTE)(uFt){i{vJ_NGV<=?}^ znusUv5~KmG)Il6vtDi=qgla#r3SL*1;@StMV8Tjn9kQ!g@wY0qyD2OfjXlf;oAy$- z?%~~uUQVQd8*Ft*U06^$mNf<*kRiL2jL1*jlm`~iNtq5|L`<0k@Lxe9AtFC9UH~4O zI6bW<_1*qCNXOtyPANA0Uv@e+E`%#27R2A|Zkt8oZ_m+Jsbuq|HKT1zF2I}M=^-pu zu(#|Lu*65^$PEEhvc+R@D(Rp`8$VSKdZ64~f zR$iVSRYK;sXec-ufi18zAN{}M174V55dgXe-4K`DTmR%?&7#WqwN4UCrp>w5a-3T#kY!=vc^4HAirvY^@X08=VHx6zmBb7EzbJ z81;0^a8CtH2s9&A^|d!LhxN&6AG|}bk~ywK z1ZzZ%>XXA!9yNxG91IfYJ|ZtM{xT@o<$q~z8P5eIUnC~S3l;(ci|=(*-YEI?>;*iG zwnD~iSV!blF4-qMYBacs2+=osv?(ya$J#9(q_+aWFfmkX6p2&+zED(0QV<;{sjX@Xaombv%l1kF6mmfKT-a^55J zYWYZg%XyYtZ+{kh-6Cp!MpOl=NbNeNU8cFxp?lJtkPh_Y^6Hp6l5=`r9`K-6e3P9eJ^4s+4!A7-@u>u7CF`=L?{_Nkg8qU7RDyqT zf-525tItyHt~=1eEvWo+-z4UnibiS3hvt&%>2pysEW~M5YwBN7B^A2U&iC&0G8;<2 z=a=3@QP*_@JTXhYbI0E`zsDNta90e2Il`;5%`lBPOXnvLx5yuzt&ALegNzcjwy1oo z^U8Ot$5wayt|7F&yuhHPY;K^zNG9SeOF;|vFg&Nl3d>3RR7F6>y~EX7JEmD;Z$UU< zxiwF2`6PW>+*C_=jGWtBv6e=(cNC_?b6UU1E!SZ8E=+L_CVc-W5+t0Z#y9d$(Q+hL z)CqW3duqDZtQ_=a#Gk~cZyJR)9Kh(Xzm$mCQ-kaRkZSay642I8|5+nk3+_fc+eN%*rkq6k6S4@sX#Z0Cj{D3W zlvavY9sx4A{YWsE>3R9#b2lWUflRc45$qvQz$?R zf$5ThA&(5}WGUI>n3H7nDowAt_C-wy#+~%!>+FSf8}ZpNi>3<4ve1j2+}x6g;Eq@F zoBnL!E4s{xtB7R&s>u1|ul<)I`8HKcymk6+^W|<$-4^|rI5`2Fy09hgmC{U{MwGmp z^R&iwv12EDk{?hI7&~bdF(Z>%VTZ!6A{I&)#<(cM12YBF*ZX1Y!-q}X7F8SB8)0j$ z*qU9bu6H(B#Ivl(-CpeIn&ENcToWnsd=xzsp`)D*I@QS7z~MvPfKtnd0mNDVL&A33 z?N1 ze7%W#ReWD=>~@cqp0*g(1j*!SJ^L)w#{MNXNz{`E(zVXma4Jff6^My!;dCbZk_5rg zGFq{#oB`3L+9nU&wYdQZQ3`-t!&{HboWa&AVY9rxc7ew+%^UZ8(6?LxoLDXDs~#s7 zGO?~tfa~bDA_ItuYsq~jJdhzYWS^{u*lI?UPb5}Aj|L*5G?$@y+(a`4#4Z50owJ0ToB%xCD)M)b~nV#DlUAloKJriK2P19P&M1l zV-H3=MFVhEa&~ScV|`28`(TZ}UY@S%oNsae3S&d8r&ag`hda%Vr^$iPNY zRHIx_44rA9fxl-Te|@B1Gvk(obG|z9O#RSPb8TNo#xg=%lvN(J#QtZ!b|XY77?FKW zscwmL<%Niul-fyO`;&xS9cAVX1XK_wap3TJUuML5B~P|4_=W)Fkw_MmPGToxoSzwU z?p=t6x?(TU+<&|-2G-h`)__hNr<&(!%@^T?%VKAOr^s#K_-eS!rBXOd*;7Fs6AZcf zdk@Q%Q(_&oq`9+aL%2!3+Efh&=T z9aRE7reIQB0yizCmB6PHu;gkm+wYr-fLc5orlWXVwgTX>XD%Off!-0g#!?8@>ZqTc zT&`+koY_`MPQ2#5J(pyNJ%lDydF^~JPvW|UR|QbQd&1Kk#q7e(zlq%!C`HK~PWz27 zJqNyjX3BpM17-OS$%|Xk&(T^i?Vd9sPKh_>sV#`NB|S1&E!v`_Go_k1Ga@0b(4tT0 z=Pevy^5snZqdU!lDka6LdeF4pXX1I+EMno;abRTZPUCtqM#3{1E$a7R{y}rVE#($L zR=>p=*}MoVY=x8ltB+h9vIB65#JIyZ6d^s-zL%{;ZrEkfTyB;;Ox$TUMxq?gsMz!yI(?46qZ!Ezf2+5D zXI;t<)V1?6qd{*T?Z7MnO~=Y|?9E(Z>+a|iFpesJ?@S{}h61$N-9x}i>|4&Tb8^3S zH~NKA9A8<(zPtEuq!7r*X}8ptE5Sn7J6YeCCQeeicc2_oXAE0CX{zbS>et$W)5()f zbP6Khz*OO$Gf>FNN%J((^c@3*Q(v2KM$K)}c9Rk?=ynyx7}iX)fObLm!BM6-!=d;- z1|#r{ClYsGF}}XN!nlsIRpc+(G53R2l4lEx6*F;pW5BhxsweiuxWGYoLF_|;v8zVS zj|3=i(Xmehiv&*=F;cY6kA?<&Se+L zmX;Ll8k-Mkx7RFzJ=AmDPFS@D=c`$Kck)f56Pv?c^;2p-X1-d==-BefLT=4aWvTaU zoMWlQ@&H<*Eo>52JJS1(Zu<}Fbt?@m{PuIDELCGFD#uZ5gW5uHcoGYo6GGTde%Plp){*aZc{7oWv6U=B$Ej4lp+W(5y-t`D#QemzsCF z44B}p4S3EF1K};axA|tn?c{(sfu00U{8khO980nqJCOYk4#8*QKz%<$SIK<(uY6+l zobNY;4ssP_{5hE;s&~|xNt9Af$5&`AZAtocOb^D$zfYBQAZgCkqOv*4hK@1gSb*%U z|J9ZhTwFixbRPH6RZC*uzu%E6mO32Dim{>cU15csymk3%QL>1M1dHDGsXR0^m~Q8- zF!frLroV>O#fVzWXYKP!qMo1iL}Krh`;JmA;fJ+{kS zh+~;cWTna!=PG+Siw#h`pRIh0POIQKtEzljcUr&Zy~DGSGdsE_o?&n=*`u>{hIQ-D zqO$IQwtrlWsv4|hN|}!W5hfyls5@zqNI02rLI*m7ZgF1m*SOrYBBSs!vu@KxRT$$zwmm8RiCwSZQ=BgSbTn_x^T>bqC&GUEK8=(9U*yN4iy!rjA*4|?l-e9$x zH6TSXb>~!}G$5!V`mJ?Ns|eNf3BHy(Lbf=UTR;gOgQw^&J47cN_)wFFV!g%;9xK&H zo_bRuj)QKZp-tuQASd$f*cx{1)PetAEJ9vm;z_~GCbZGD%XYK_a3SggRX1%=jsP7C zd~uO~HKS)O?3|zZYU*l;c-TwB)VEl=cwNP_+ikWD4|tLs?V@4|*5TdR710TIS`6?_ z=(^=(EGt(MsnT>>tJ|bZ+N2<9_p=VI3@Xw4D0~`lt6JE}l?#Q!L#}BiS|AYdklD!9 zno!0Qbj$K2(!H6Vb+S#`E2cHVJ4kHR{Z?BMY3Xv-JQH2>t#1pAxYb*}i_a4@prlBX zIbms60aquJB*)nh(e0-hb<>6EJN=0w#up>9_(lI*1rb8dJzll|!nD%n_p|u#@;6ck zcLGk}cu$7;Pco!^aX6ByrI}p+{q6zzY^07~dg~Yl*#ZHGzhovOH0`@s&FZH_Po4z5 z9H+E_!83GsWoV*WjhG;0+Ps=4d49+7tmLV)z^AdBbWUf+w=gnva&eU`!{i-k@*#zS z>(x3CfeWD>%(}9fpY?w{q$=`kjX^x_c+_!)$ttzzCx_DJmx3qed}XHQ->7Xy$pfEe zXJjjo0{mjU(dpukP}+Me5n2VL+TS4K;=q7JZlzg9U}W;;m-q>wy|x7eQ4LogJZ0m$ zd!42w@@U}UBftI{+x-i`kVpY$qGE@7()tc$s&XOIj51{goto^tr?qfW9FUg!qAtF}b@$&SF zo8Bc!o;Wy9|VIY0tCH)bZN>=utgmOWPfORjmbmFgE&@O24Zy_-e@ zOLr@Mpr|X234)aEtW*orcCtWK}LVav7yDx0% zlwR#lXEav!ac(U2U&Mx8z$BHdGbimv>p`u}2ZFgxeOb`#k*n6+)yWacn;n`;o?J1M z9-KT1?~H61(C1lOl0SLyFJN1ainQn-Hwo+wUh98WefaK|b5Qv5Tm+ZAhK$;FiMso( zX)3t8=I_qNGr%M?NpOIz#BP@)IIS4qjU|7|bivj-)$IQgt-;b$ zT)h+UYiEKyOHNh;hsnY$* zp9RONciqr$u0Ow7$?3CPa+Ff|;t(3Xj&PS?L(_AAQ2ddYjoKsz&b;9DAQNxJDx3k) z#vZ6rnI>wx9ppIuODS_3kf4lIr{WF(n2EH%@yQjr@;Q8_>g1HP>biP!QZW7Dh$sn8 zVa$sVyg=R4-S_Wk;JA{xPr7VtmtY-dPS0d*0maTQS%&_*#W1^PmJ+uQ6+ANOn+mbw zn0c9?Bx;x{Ot+n@jvQpbu6N$oEY>#w5RDw8Exyl=&7FO_ zJfn9U&~0WJ9DqLWoG;mWgESFJFl%V|t>*>eM%S~SY?N#4<5Ql(%SCr8N9RsZc(Tl% zariFQ>e_O?@GV-go#V7c(E&sJOQ03v27y+$#%GD;z|ydlEENWzUz7aaaMX^b%L9uR z4*D^{g5pod_#p2O@%X-J_2Q%P6jSI5<=dBU&Z-A^(MAi zF6B|yy1_ym-lr&8x+?gjmBz|^1P?}BOo*ZN3GLoDVhBjPQiR)vz(+)*)Ye% z`nANZJ&j0>F4%qezIcu)_nJiH`C1%sTxlj^NtE}TI*^$=?~ej&ukzqH7`7rhES5m{ zn#lgvX?~J{jd?)bxzt%+v|)f2Mh#)YtgGgjtf_Y!xi&9!y!#wiH?0Ys!?Nj{k)pMs zy(b#4l)V+(W;AWqbgwFoQP^XQksExy8{N+77mFx=KgcN>+mAMIbLdqr(2$&4CJegd(moT>^eZjt>cR*>%XA zFgf`x=&vmpz)kXQ`icb1a7-BCuxp#gABr7hf&EK_W(F)Qh;VBx;ozz&X$NMay;a_E~ZH(2|PV z67@FcboqVU&E9u@ySA!cBxe&7@WzO}pDo}xbWly($xOdE=>&4HD0x=B2fO=1JmLHP zjULavrA?9B4R(wtulS1ImeGPQ7ptP14`aGTX&z+K0bHLf4Nol zcxc_~OY|95c&qR1(>P^$Tu-h)sW}RXS?G0bDY+VKY))9e#|gKF(G6B#TX7+QcB2D1 zeN@eaM3%fF3n8yqz$VF8f56;{`zDUe9_&)w=qLrc_w>C${sMWJf)N6HHy_HZd({WT z>Z|wD4{)LW1s(h?qXc$RK5*dN4%FKhuKnhiR2-V*^*-x0=b&oD6e_TmKdBY95lZ(d zRRf6`;T>5BrVWd{E6kTMt)ZK|I~Q_7El-h<#f4lO?1}MV@q1s@92mpm1aMhg@g2pv z+scIIJC19;tC~IMRqEDlCSE!>*f2l7mwTDrbAR5n>IB%Er;D4OE=wXeP;YXXLKy8<9Wh&SqXk{E%K3Fg(e=?zsoZiQoHxC{oWY zg*WDZDDyORwVu^Ud#^_7K9$f<$XOK4e9N&P>HmETEUw4t`Y90e=FKctjcwOIm41t6 zd&BW-wcUNAQ|6GmAenGYM9>jg>YO>`h+~VpVR&8W7LQ_ya{Z%~fMj zOAb+h(=Kcp9NO6b0t3-;1SZp-eL6^*Ve4BBwtqvWPy1J2T+%MC#GUk$x-}pV=M|_~ zS?wmRvRB;Zw8Q8pFmYwuWUcAVtqI+|CAm}l`~{3Dx(LrDnVVhbb?tPyInK@-bU#w; z1T~5%K++2UagxkV=P_s8UMdNBKe4*KJO$q{qK+}YFZN37TLYG=figSbUrL9+e)wOg z^Gq@}NL~~GmBf^)9qYV-<)bDKwMiLXRLc)03I?u?^{MuUq=m{!)yxpd!}P~Y*Iv7o zN4g&`4ugiZs^D_OyY5JQR_TdPsNf^btuO@m+7u832g1Z(5$#dB8(TfXY@)9YE{1yY zn53w{6o^!{DS1Ufa_B$v9-87xZ$AdAFZ{2W{bBu zyE{8Y@A$XYF;PS*&E{v->vO~M$ysO`+Jd8LOE>-92_<*BlA%6d`e4bnUsH9iL#X2R z$)k~-{YoT%&+(uD1rPlf-jlPXP4x?cyISorg?^XPTn~$HpDidKI%bc<3uVjrdAssH z%yhv15dWzduk5|}#M+Nz&Y=Yjw7Z=&+#Fhp20gedH$L+hmJFJ3%q`z97;BGo%JR+1 zEnD%~tk>gyg5GwXUpDk5j79&)D2#jX7iTHR zLh~h-CeZ6{syo#MPQkhXR!eQaItWbI`F84X(#*p;hB~{Dt7qz%KUOvG@D=X5m9IA1 z^;&0bEuF6?jPOOnGLmNnRLah%6f9xVw->OAa18{Zmzi0$Xsk3^bUfM7e#&cb17+kae>DK{mR5B z(B}D`|64o8LCH49KOe{@A?pnGiXB>h=DBdmUK!pB97*{3It5J(YTdX0%cciy&K|U; zO2%UvzZf43M(4?rVXL5YNhB-2hFlc-LuImEpf6=IxH`1KVVcSMXdLsNY(@k?ZAV%o zl=%Wkv5{`B7E;#QoT1)?X`{0$i1#^n{E5WF%9{%e>v>{}CoSRYeTI1zCZ;IiYDbHQ zRvlsgzpuT@P&V=KQ1S?2ze}Dii5dA*tf%~gt;>bW`zcjI;){pezGp!7g#F>Jy#AT? zgY;kHeaT)=pJL!!ZS3$NmA|0mIh1t2jt}MnY-R+ZAyAH!`kFTb3IA;`wdeb!m67vKZqcp-)Z;?nG{S?z_VD!fWY2e=7KOc@HDfeH<3+^d=PCtynJ8 z(LCT*#E5i-4bDpW8ej5EDPi~;*=rGAD+k|Tim32LBCNh=%{Ehlbn#1~B{667wN z-72QLTe515f-fR116VEbACtlc#*|Gjsq)ZJ1@SOY1z!fo!Vdhvu0qKRiG%jvJ^t6f zHVE)vI7-z}??ViEaj!j5sc^D1v((|*%qMAIL1e}C_2&=PE%eJ3&pEE=O{z5de4;O8 zUK?3;r31UXI)3_PQc*2J0qvyKyd_d|{MXa@!=&bl{foa^Y@rNsfe$VCX7UFKo+!p({kd$#xaViZ>^?|-qrPGSm#|> zo2V~sYUd9eo?~n{9CbDkd<9#R_ZC&HglWtk&2@G%Pn6zMC_>lW{c&GrVzB&!bmv>w z*Gp{GACMa@nNWeD>V>JI<4nUY1PhYDXZnc zMfEj|lX)HXKP~*Hxr>u&LLn8&3qoE8z5yZnprd?{bp4*n(o5VF$A_cdG~5dAZ@%M9 z>{-ynIlRJY>F%+I)b(o%n$3#yj&e08c<@t~5H8s; zU}#DT8&jM4J@n|77dR8NGcGQ#)w1X1c%?1CSlQ&VBue9LdOHKPtU zlOb+BVa}aN<`^!Ze>tm0briZ+B3TrKnUESn+9boh@-q2v0*bpH_sxLL~Vx#3`X>C<(Weg+mfG2;vx~#Ro=yUw&p{Ze;8FG zNbzBJX<67bxC2>^Z&cmbbzE58(14tg7O`TOg)k{d1Pe8cFv6)Q0_e{GZzRyHEv)@m zG8aa!-}+Ff9*6Y1H;PlW71?hFvMB}X=D5)+lFd>x z#FyQ&Ih(@Vu5&-qk5t;1qR@j*=c85Ncn0lM{ObtYuy3T%u4HidKh8=70DY%ekrXqk?Q-R{s2x#99zq89$ZQzoV>R<3aG6hDD!YQaIt z(}OgyKT^P(tjzy{II_ymo$Dd_!gLAoGQX(Eb*QAyf27TRPpN$*q#)hQgPRcP(D>2I z9_I4p{akR0i?ozjyuCWvF%)c!T@E<^fxq>jIa*Y~XImPjj6?p4RTpw;u7k3`CE!O; z=lWbbFQicXJE>2APYWDKHb9rLdEjHX$a}I*gi95=n7%wi;h;E+6xYqs);s9-QWk`f zWjf1Re!GdRJrF0oDfZ)xc`On0j7 z-HDWKmLZ3Gn7*!pLqV5+n5N90PGyeWCKuB;y=ipaX*XGS731qZAL3XmbPZ|5xVvpD)QO6~tFr z-Af7QX{dt!j427|1{)>_^|!sH!8~4w8+C)WcJ;?gTh|_s2^2rGZjX7=eRw$P2=%qN z{-KLkW^YIcQ7hAo3FAg$KZw5@TH%DQo2dJkXZUW-96}%C<5kO-#%IE8l{fmc)Qi1{ zBR$4g6U@n595BBJyr_b1WK?$MEf@10n+Hw={-cL6ykbwy#8T5we0U@+eCFN=v&(Gb4TqNW_(R zPhOFDlO&l9McB+4JhR5f(A7O9uBqpLb#c^jM6F4slNK0|ghFgt^%2|_VxwHX&?2Oy zC7Z>ukS&Gyjl+{bBfTCcB6M0#_2^wjBF6Y-jG(wwvJbT)#`zO>O1Zl`_$?*d6o)0C zN+9TF7r`9@_M)|`S#gxwdVcg55U;C+eHn(~qImcZ%tfy>%q@;aTvf4maD_7-A3>}#=c~IZz;^W(^4n&iK(dJK20meeHfftF5v3-B|pZ=q2)yJ4j zMLD_51?d(sGB+AcH13#`7$nAq4_7&Y_SZ{54z%mB|_pd*;+AHlvdF`R>iKMsmzdA|xMsP2O={Y{t z6i%Fj?Ww+ZrAa~b2d@Yj%S!vbZ3|!P&pGZhGde*$g;sIJn8u6|wJxWAl+PeW!jfr4 z_9OAl)Evm&t788#}Vs-BKr|+N%4)Rm{XH^+sytIF*~NBv};@@ScPw(#R6&-sp_mRNlb8R1#`; zBwy=zjTk{1Hw1(E4Nv*cMoP$7WW0K?x0nl8@@8Y|-JC1T9B?-q+d>s3weHbKsW>@cjY{tgTv;~yx&+x#)*9RU{tHK8Bs&Vt{hJ3J z7DN^0Wbv`|?c2He8)esIyHYf3@l3IT4${C(DJF{Zw5 zHcM=yO1W-nA-1JHJ;}aE*+IrIi8B&9UDeh!viBeXjp1}Hh+8XHc6e_s!{#~N{BE<+ z#g2DMRwK}eJ?3H&oXyB4HBR(;)+!fcv2SY!&VcId^7p2~uydLgX& zi;y$DJ`bZb39ekTnDBI22P%+MrVAk6XWN2hPGGVh74rR2J-BYtQ7 z*A5cVbV5NT$qNijakD-dJwG1?{Gv9L!i!ht7Zv0wE*Gn(C~&zwG)(h85K0cDsDtlJ zkX!)>hA4*}FmJH{xx!gRQ9?pv9JE7n1cDAJC#0Th^B)mh%{~7vai=+z-4~VRC8qN3 zt%=X~L&DKjq(0M(k}~!gYV@@Lzcp1L`dh-k#Gde#_%bQrz8IWPB81!+xkazy%P^1X z9j;{W?@6gX4r5C|r&|j>(d2i0$DM^(!BAOnY`kEINLO4K%SXt>jr-mk$x{`hJMxJg zdK%mnA>l4~x!NCAl3!rc)B`Iy)J9F`{f03kyKHRS$!z>e7&sB&=2Q zYY`~kYoyT-v8&fhLLo*LRC6LK^I=8oTW9vC^18p{cY^5s-)=9||FX3-HQb)e@UcRW zLJYhHpHu%8Y5t}`GrCBn1~I$1a7*?;WY-REpkjo0Q>|uaJBjGL;z||du0C%VC3h1) zr@H;f5;tP+R{ptoPCK40?xZp)p2HG{V%(j*XKWeA;<<~LvdKftgxttLMoM)yapumW z7!h(;evF!lSF$V***G1OLfu2f%GLUR^OiUvF6O+|TFJ=GSvs39bHjyQMJ5C)?He00 z8&1b@!V>v9U9xZng{8MDow8MSR}N=`o|b-4A-2H~VeV>Cl;)d1Y*P44cCXde&wT*a zV>(gkmqyK1R!~I0QLC+h#19p)jkz;xNB)k|iEP*9@amA%AxT+0-Cy14Uq#?ScXH(g zURv?^disIzb)A|r;WEUm?7^K6zT0jzfgIOnfEH4com=|nV!@W&gb7dwsc0cky^@9k z(!EXIZqCY&Zf`M1oKSkD0$*Pex1H_7 zBiD^HBtF%g-@4hJ5G<#L+I}1H?a@4FRw`5wnZn$DwVu*HY(oN;D)~_v?qK7k zGE@Xe9ZK7?Po7zyA9^DUt=mejK5m+}y||`2;DOJA8XGOBwQ!1{bR@l|xY=OnEV!SyzN6ii0G`4OF!{y1s$_F6w%O0y!SnQs$Skkd8J+2OP$`G!?Z z#Q&HyJ}*l-m>YCmst~gT7=%sWjgcBeL_Bo;+G9uscBNXTNa>d#KUePy$ku8^`nclc zKnCYoz2Lw8?!Pk^kSqWM@WV^Frw$rPoou9>bmW6u&O?NX;7_DJ>7*lMhI@^;mdB=B z=4uHezt=JIPTqd%H09YV#qnr4xUBxHTIut=!lG|=U9nwd4qhi_ZOy(Gpo@s#_z}Yo zj!VM{O_=f4*bC*X2;x#Qb4;?sed$kn%&`okwAR*T6;|#jb6KSm4POL8rRnQZ-rJgA znmK$!K`B_T+}|O&?5LQ$FU2TnObbn7+G*wA@)$>Q6=F#%xuGAo*EE+;-C}MWPDp-) z@0T3DVmU0_RdsKKB;j&2Fh$12BIe@7T2MI~>8`q6iGaw~&OiLm#r6!jMO&Lp7CBfE zuu=(uL(*W`MUwVDUi+)j=^BBpJA}C3%x`v=^E&A)yXUv>+#A94o!_z^?p7RnY^y06 zY5~Q!=Y7)kbDIiDmyn++Fud(#KJTIH*j0e0<3(2{&)E9=p8DWvqOzYt?9dj&EaAQN zyBp)Sdu%c@5A9I7BP0y5M~oC97mfhlx7Zm%8I3?4DoT>Ok8_RN48eA%NT_ZIE4DBs zli^SjCxLS_A9`7?OdYSd5b4zo(Bb7RE$K^fV<__!spxks>jQF}w*rd#;>N2y@P}o- zX)OIthgRM}PbF2z$VSMAmA`YAKOY)98yQifZJRwx`A_RKxbu(^wL5tRQte6NKN%aw zC~l-P*M4IEg9^RLKrv@v9f21}de;>~@9DU8p>X5sLKC{8%Jccho5MvjQ4+$nCAdr( zao0l4u0;IXy=c?(vy#FNUSBUN+ZP{Q0>iY~>DJMr6Ahb-kM0g>I%vGtqQWUE-h>QuK9)mvJ^~NKY6xM=M{`6r_J`sj{%~qSY~Xc>k<#`XK3E{p(o5?Csff4^tQ)pi6vh?7t3JS z3R$FQ@_&rgKGqvI@LDz@c*NCD%coUy%h?vP)#7tx49%G{;=@8|S?I5yV49JaflE({ zvgIyfMo7Kz-=*AtsB zH04l=CE?y+=`;OhT$F54$q^m}XTHBB_aVj~uS@;|0a;f&Z(9oF!>}$bbvu`SDo$14 zrs$Pw0b8whr?Rx_1!TnITz8(!icxDQ{Z3ehlWqm}TQ#oZfI$xCzyqErB1eu?+q|um z2clZB_V3;WT=N+{soP?FZw60pe&w`RYZx9~b9s#2L|$478kx?jSAj^$Rj#W#-Ho$R`@#i{UK zxM6YvwKXak{yS>LF~|$Qwut0-Iw@pC#IRTMHZD3J1JzVK?J7aE$pFC^e>Fdz9NBr6` z|0ouaavNS65W>hx*?f8@a~IMbvFqw}ODbmqoI>-g`Kk1yH`N2fPhI!HiYvwSKYL$` z8t}drHEHhy#=h|UPw%rm87lqs2*r(fGB4DPNoh~3mG%{L4o@m>x$BdUgMEeEhru20Fb52o>?4m~utK1^gL5n=@DQz10u zNc!S4P*Tul)-VY`xZPG&zo(JFhNlkS4oy3ck@w>{lRMvhfC z%h5oe|Bihv&jY}tzfp3*a_~0T~Ul%!K9q(WMFluc^5PCMcs(ts8;a#cibx10Qpfq zQ7-k&dQS&hMGj9IEy;xCi~l;_^-Ov>Zn31T%|=%Qflo*x;cQXG;zPmQmNuO*It}0A z8N*>~l*&gF^hB%8t9a(8m)W%G)_a#UC2Xg-X)r__Rl6eYB{jRu_0)pnrjLnb+=$)S zCVH;vpkihJNb1AYt~l2;5>wvfkI@Gz?!+ZPub1F&Rz*Ox&Innu5{E^;96V$xGXQReesZ4HHEMgOP>d%bxKasG% zItim|M8y%Lx5-kZ>T1Ep%YJa3^J|;B-%#eb z)Bpk=V|sq8qR@D7H7zV0T_dOlIm{jt1Mk2YDSo>D<>}qaj*5hA~^{H{RHbM4DL zv^??%#u%eRDFO-zYyA8V)l67q*jqzd`DPO7Nw-J8Y5k^D5?%=NXnlxSVmwjy#32J@ zr1$;R$r^9Shz+%ZCw_b<2-lynXVblXr|6OO2S9Nq;zEuWlBNbby^FSIFxB_RfBFA( z@}G;R=MuQ2{LjSv@0$w{SXsHiZ)W3~K6${n4H~@UEdB)s(T2>@1+G4SP{&*Y^um^= zq`ZY|Oz4Y_HbVQjYR~OLKfV$lY1n zQ|es!tPfyJD0>gpmL)Ei+@Hlyml;=9I!s(EtE*gK6Ja&K%ExNp@|yd@RR;*eCk(q6 zh58Rwu_o>_I36(UT2rm^raDqvLV4ZAZ@3_KH`pw^R(_#VQ`t9}zu9EMwf@EELIK=w zx;G_7A~-#KyzaOuDtUuul3&_swDkU$i|Q9(Z%+KSpAB$Wdy7XadC0DABq;&h7Bu^k zLNEX5$Ih>k?b!goj~*)PkxefU{xieWCt@xC^CQP z?%;TekWQL|$CRVtzDre@#}Oqyf^l+4JUF6YTHoa$<~tzCZL*}HPHjj*ynl|Edg!}q z4t4U%r(TM{Ph;%vpcf@{bn<6?c#HH$bsA!gGK`vQP@V1UYk`w9CT2;lvxyavUE!8~ zIVx_}2%RAracN9fd+~f;EO(==rv3SHr>`G3F&uaVH{$LK1^}b3W)Ytl*1W0opLru4 zsPNO3y54&3)|^=Ik8@tk8WkZtUQDR}{7RFlz$;A+&3Y_#;Imf4e>j^0MET7!>3v_} z`4hU#zGr+MT|@DHYcoIBlpZIsPot!~#qp!&a-IF%P%fQ` zi_1W?qAcEY|9R!Z`yv4-_F({f*_BNe(IbalbeDJ+K58m-EM3X60!3*N+sA{inKWt#9di4qU7(*AcJPjfmi39fqMkdvGpDYWkKhMF1o^m;^ zOjGN@KJ33RmzSC3a|e6UBju2o!S|*S(&(yGhEzdBdJQfSeMKaAoYZ_89a|!WQn%Ih zy~5OZ`fSB9H~nYt%r7Bi4jXY^mJW_PalXqTB_#_6>5~r*x8PY|{Mno;5$oz#JitN( zlLgbH(;jp~c$0h=ZsJfDc4F@_IK&`)Vt;`Fv&D~!l3;~?Us`R+@uONDDli=eFv*)g zpgAkp3b+jDoWAkOa5FVyZ2&9drGR@o?%UHy{cA3(GeVgZHMG~Gz|~i?DyIj%bjkm} z2zKOA6dTL90R4fMrJ47FHC2N)?d9R5BjlqEwaw)h9kCA+1y&oaZBUcloB`f9;=Zrt zVz=5dZg!6ugx8XAAM1S2O*7aKa-C3}u~57w)?|UjH+i_Mq*5F!^-G6KNzHFVzR<_F z1C~|=aH%jpS{7Aa!&*B;9ue`H zVB0!GIMVjN2z2CXMw3b=_h6t4`e&eHeI$0ysbA!}skS8|?M9P}+N5&Zk0+2wx@w89 z_puB1t1o*Rp9fQi6)EOkbkyWx_ML+9Vup#Q+AANVeWrIG5H8ZFznIFbcfHmCa}3YN z>Kf41YcCvLk}Br7(n2b1*&Qu#sqyr2J0VKsi=azC@s>@u?z9;jI*%jy1fBvHzItzi z!0D(*g}WpZt>PK9G&FoaRW8?()|JNlRKMcZ?CRx2Ylke@YWWelf*;Do5?7i(DPpJo21Gf1x` zwL7cjbf8oRdX|6tysfmzBP*>by|n`^&$1hp5DM~0i=qJrX&Mj23Rt#Fa0LLPX;j;-b0C{s>-nxr5OO z)tkVq>f(e%v~%<)fysEeKUcd&WRs!aDLQd6o2}M;Ms9{izWNvfN2yu9am=ypJg0h1Y&uiZK5EGUO0S{ z<(_XdxtSSzlr?YBtMP^oJiZj%wzypV7tf{>onSj_F!d1{o)SW@TwM8$Vn;@0w|B6! zybhs{n9@w@kSi4TAD4Wg!0pz<`K|sJ*7n6uzsU@fZ@sVrN4om;l86z(01h;p4E>IhFbWD)Sf?4Mi6WDestG(`n(DKJjqS?DEp!$U$tA%{qLaboo z*w3U9LQZ)dyuy$M#JHtuF%O)Vt~q8CCrD?WrdR)JWwCcEq#llZZLx#8ADJO^itnz1 zp^U1SjNOk{Xj<3#J9ultflkdA)tqxqJ%3zE@M`-J8m*@uKkq?_xcQZ74( zDLVE8mO6KSVF@R{R&qosIHP2=N0svR{Fj_DiibLj{I^ix?<)s&qZ~@{eG=@aXEr#} z;`B|gWhbC1MDwCG5tD4kHjMSJJ}pm@b?ql2&Z zT0cMAr0d7M2$H)|#_o`K)A-Q_NnQGh_xIYXQd|m?!nA)EJH?8WTeVQTI>Lmd(?`d- zuA;p;ZtQrO+>AcGgLA;nA(FiB{3l|k&-kxKTy;`FQ4!Z1clD2P#ib-}Gn&w!i#u
    )#)}-K@7nJBbM;C7^Yk?X~nKl(Ww{zLSBWhP`C){7ZJG;8m15 z9=2oBjgM5i(dF!>ZfrJ5=Mo)D&O7gv7=|30H731b)nw;t19K|fs=ke%&4|JMoxlcw zohE$Gz^iJ)MKU#e6jd-?SciiDlE7*rk9ECzsep;r-NghcOq4?$&u#&*f#4JdN+yk$ z$AkDupYr-$um=Xd%0vQDkS_Fb?##YR9V)evlmKuh?&f%z7sKumFKzV>`m+% z`k-d|I?%}htwVK4Y6xy>i_)=A75WxDNndXvY+Zub90BoLb+?&)8AeV5Xp#FoxhTXrU^1}iRD*1^s;1DL&AVZ&=Pm0YsU1hX1EmGJRZ zF$H-;&~sIkx@tGxyK=dQuCY>#V;OIP6|+_`{Ixm=G%beXijdu?$+%Kf!0i(I zcL2ja$X*{(0vL*j?~IkalDqRfH23PtH>6ns)CYiABJdgV;LWWdCrTG!JyNbv@zff9 z+Ta4|w^olsb6_V}IP}dIz(5P!8PJ+rd`9%=-B~8S3>S%FtnP#Z!atG|WD5IVMYlCC zsddrFMx(+JdN-5lBOQUD);SY_Lol-AO9xN_b512tLD2PRRgZ(@i_6l0k>zvNROOQ{}*j<9uDQ-{*AXuMV1yzmLZ}dQz&ajp|L9}q)de* zNkUAN(OC-u#$TFnt8T%T8!Ptjc%s%s6KA-3Q{qFmD{`uaY<9Lqu^@nAS zW9GWv=leWg=j(i(=Zt}jA)If_LOV<(J`PFgwU)w$EWo~Jf(2b8YM52z@K#1H5g-s+ z{r7PxI{7G%?^hxC?FUxf_gI^;VgVz9x?;88-ng)>D0c-ijV{f@r!0Wy*(j&Eno(*j9lY&PG zZRi8M4=*mzIq-4ro@uQ+=r@eovvLbWc#5c#b56!9^C4`Pe|yr0z^Zz(wh>R; zo-(cA9dn`0okkO9kc_wsS-&*rPW{Sk`Z!EU)u;9&O(CQ>;lhIkG0Utii1Zhc2ORz8z#8EAN2Y!Pa=L@C9!9_|flSDC=?HPg?ZukT zN}%gT80p($Hy(Vr?qm936KC~ORoCAchU$1I`|ZSb6k zy^zAZ7Yy6XaB%$7F*$+`tPb3L)xfzLoc{e(ld#9_lto&Y66w7QbFfugcrk$8A@?Dc zU6EP$ECX=qZE*qlO9dPe9h58S=2?{M^TV^%fTXGNN<$2iZqo~JH}ds>4@)ewE|*Oc z{se+Ajpuj6&f8USO#i}HA)ishz4DMArk)p2ub4#vBq5srHHHM_isRM8PXNRPE;Av3 z>Sj5LYX6cv{(=>OdhDL%w?asq!$*au_1v8&frobpbz5PrV&u2t@^t&(8W$M*`KuE;^ltw&!bN^=~3TS#5Mtp#`-@Kd=(i_%y&@l6M%Mgx3Zqh5eJyg|2i zXO=F5Mn#?sX!IMA?F%@j!VL5Yaw-Q%Mo^bE(1Mc8`JC38uJh{Oq)4p*{;ko;}+#}$L%x1N~KNaiQN_3L+-&;WOT%b>NYl*qIT z6Z#E0-*&ZSfGCj^8C8f@*Qd;3rr&xm*>n34moaoX{3nKj%M$b(6CMywQ9(C^&wI17 z8T~D}H(jOs0qIdk0nwk*%+scZcrrma)?ZSAVP^Ag*;ek~IDcy|0H=bTBcQtdwSu{x zKmqaJSN#g@FC`EV_JZ$nxvx2ixKYDl2FK#BoanC-`eezBk@qqUaP6&lR9OJAuuhB( z@*#(;@hIp0Ij9HI)QqR9+)~-``Rph}i@Tr=N1k1u?suOfPjFxdjI!g;QgdCFFb}wt zP+S?1AO9%N1zZ{lzKpF{!hO7o)BztRJ&#&i~Djes-p^6Pq!2 zO!&$-p^z;Jm89ws3bw4x6V-75A)I*dmVnN9%ginJzX`?kXM=bDN&y!Ym9l4yhgw)0G48h(Vccz zol%RWCdvCaSOicC4q|efYfl$@9Dlh+H!CEUAxXc_MZZoG@BDq)jsC=Jai>S>kX23P zc*?WD_`Rdv-x7yYyKFd>qc$A185gE|eQ>W0Y7B^cAwXj0mZtWw_E$^wRJd9?@J7C> z!-L+KRkls9H?D{hvRKAYaakhln13o8<32P_%cn*{TxKq~GcPb^g7)(Ke}_amSh5tc zV+~&boxJ#J@n7lMjGNjQfnXu(JQ=c_wc3ygJXk>f!rATfOP^PIjv}Q2@VV6s?tjCx z2=%QO^Hb-yew`0U{1=hA8TvOV!jkwz9yWNi!Zte;yg@^0#4G`oaSg0^md^b%fX+-D z$auHbjDYj5?<}k~83YMF6i9DlLE*=oi*m8a5pu z(#4WxV%?Z=;iw|C?pOhm`X>zOGqwZ^^Si^1NoTr{#a+(4BNwdou-~4g!oqkbm~-&U zoGD?MALwVTb-}!DSQaJZCz6xN1Y~x1ncr!5;~yr&H!N@fEF2>CP13Yxqg}b`fTyfBPae+ss3RJ+%;$O zx!bQ8!OZJ%ut<#fX|a>Q4ypacA^g=K-VJLpX|W9E!SH!oQr*{Y^-v|tFVHqW80oYR z;Gj4%C^*}02!gPmfEafFaVIb$d6za*dB+U&?x7a+{kSyFLjr`VZ_bJFECQaeB(Jy% zTgC~0HU}ORAO}oVV#yF{19VBA8bQ1f1VvdBe4*jhQptG5%=g}{f(zth3E}gR_|V_a z##W(k*zGoxCa<_P3n?=-I}5CIVgi;fgt;h(J`AvQ;#86^3m2k!>5}-c0TXAPp%dtH zZhAt253A7n1D#ca*b&acS6A=?8lPvy=y=SnkTqahWqDQ=ko^NAR05H-B zV+;J(?rtvt3-L6_uo(`*VVuz~o^vah`|JCul5z>q zD zvh0SYwgjPUH3^bPu;!~#^kyMUAzRohoT6tPI9(P?9VkR^=wJ&`g_G3WSdOVYv!56m z#K6|1^l{nsb-t;j&*{weTmZ*H{G-yJ$&v>wHZSa6C4CGp_Zo0SnL@k@7NGf+gGBuS z4QhWY6Z(Ny&iJd)IyhX(-QZKkZMmKDi z>D%PC0x&JwASDxX-##4CVHX>8XyXl@KATWr$=sNe|3aAlAuAj_b+$$R*gUml!wV0i zS25q7A(WS{(j_$1d!_?ZR;)p8;~(vW{KLCJ1KBP`FrZ1Gbfv9acL3nx&byvxM@d}_ z8)@W^MGS%ZF{P6-cY6Zf?vj>M-g~;x*cmxLD?pkXX+7sWi@39HH=ivm%;OYAdbVdJ zmRovg=b@jm6tM8PZl7Lz&bQv~W7XN&xiAqabl0qHGa*_5^G+TTn*Q!+E6G zdiQL;b>UOkf@FeAXS0ml+J@nB=hT621Mhko`gjn}eG)?W*=`LRv&Iw^Re~!)xZ-* z{UR$i=U2a7nOrJ(v=k294iFbFj5qg9 z3BAMnS*Oz^=`4u34$Wds@k0VP%VLo$D+kf^pKFW(m6D8LX8&^NuzfOnDI#U^%AP;l zc1X;9U6_<-+z7ra^g?9M|Lh7}JzB~=oRUZ&gvKQ5{gl{|BG>p~Xt;jOzZNBJ!`%;gm7t-3=R$;)fR6NpNXfC465}( zw`A9tf#Q3}88lS#Ow2q7MEV1JIaMGi4>Vsy)LyC#iZ$iB(9mK-0?b=#OYadY+=I*l z1ZlvFI*v|qx9Gw}qLxx@(#9DMn77oCPV1>M;n}ur+iV|iM;tSN-)l!cNS?B0| zk|J)-c~nY;Fy~>j;r(=`M|eJx9%qssW+Exuv58x%a^~duKD6WYRVMNazj{bo$Y7?- zSQAL%tKH6s+Ua~u0R5egPRKVDqRp{Ww6h!;zc*CrhJDOI5rg7119&!fD4M5G?@N9^j8Z>Lv zL=z>0)j987xNx`GDJ4&`IB%X!pr8K>GyCxI@7tpO!S6jU6Cz6aovY zES-b%mhL`Wdf$!AtJts81JpHvnjNzj1W#7R4q!_EY&oX*UHy>{qvCZ9{kxv)z9~;SQQgHl`yl?{gnd^EgtX$7=eMERP4gu&tVg={oE>et?+(>q6 zcqEyGXsSZ70ubb36kZEK2*R-@!K@7o@1Q%1?9ExNunB&Hc_z6vjqAU>^!M$eTfljL zhS?nzCCrWz?Vx1~Fei~m4oA^z8)!ioLT02I_hMGcMs>g60ymNNwvP9cBL}WKHA)V; z_(%L@$|0Rut9s8_jxtfK3C~er5IDIX;L3o&OxKUM6vx%MH(LaP_Y4rLV;6B9clAX$ zfoq5MF5NnE$Yn;N)8h9L=^lWMB>!i40hs99pstTykYxb-zV?bEgSn?g` zL^GgN;CU76Ch4)pFQKUEkEkwwOGkM%*z>eM;=DB+CkREb0AtwWfKZbafMygyn8V%4 zysT#)Z~j~J0bc)T=XS2ZIE?lcv$UegPplmaS zh6$#;*dF2)@J3?lmZGz&;`1HWGG0l+jDZW!EoFl57p(A|g*^|Rz2)$9H$RA@X-Su( zdLA0+z2rDLP-v&KKxi82Jxc{T>dF!Tkz>z5Y*!(UG=N$5Bl7DyJ7i%wY%GrrW_1(U z=P|@w5btMI134VIuyURVC(f#X{_By5@{c3;)UioU*oH-^2JXs!Z$vYUzD8s=qt58CA`*Xz-}|9ziwQU2x_XRN4a8FIm%1%we>t>$6$+1 zc6aiVk4DM}kte;2BLEran+wXbBzUJK@n8JnRyJ~0e+?waR1=*#t>he`7+7Hy7tCld zgh>atJ1K=KVJ=;)2fHoB;Vhn1Sn1?dqCcU1a>bEUJ!{v(5CB+{zV!}2vz8B(ktvG7V_>#4*KD>)=eli;uwn!HCp#ZP7r^G7PmTg_%poIwKbacr*xwpVvr) zan&cWr|^vR`ZGT5?vn~nK2D;_SAylim@8pZc<0_a7vuB(e^f{fhY^%(F((i`*KyzU z8TD0_n>XDaQG;L)ig2W)@GqYYI`evFX|h9Oq*Rn{W2=6Yz!F?Caoeq<*wopu`0ZAlwkb?z=zV+4TpzPRK6wR>ILx1$p@s>^CA;fZ%o(p$v20|C5v z2x+3T8u=7%;Ny+>!}oH2t_IGF*n|_>0ZV}M+611p#V1*$>DK|1ymF(YWvM{!Nkapi zvwN1FyS>_pyZ$~iZMR&_WXG0#yMd#_{dY8jj~=(!IQ zY&jS%+gA4Z!&l46Gu=$R7I_a@1^ ze!?D--D|La&-tZ-tj++5FDdH_C9=fh*9t2UUW&TeQ%fA7e)~H58-A1%KP^RWuLC836J7i;glGZ@uaNM*3 z2tt&Hrz~Dhiw`2auG>{&jGS~iip^A!B|_kk2Zg%BkvFr9n1#?U0q?%KlnS3fbcEY* z25dMNco|S$*8@Sa5jKIWy#P{2hq%(Uw^^ z17^=T4?r=*ZYu);^SSJ>3H7&M4PkwXa0BNEUj$oUSw{m+6)hw-sgAA3oxm|_kt;+F z9Yd>t(7se)kz$+wX#bC{uV`R1g4;vdkun4$yWZSz)gZ=W@M^yIt#bP3vi{Fd}4C_YW)k(Hlw{ zM+U-yOGoOad?MH0uC&93SlY7Efp(#DeJ4UlpZhcDpH)En_&n2he5~Z_B<;%72iugI zyGbi7opCwt;7roj3U~tziNGWojd3q)Jo&D z!5F<@`mC~J?3Mo-FT85Jb!jS8+*zCT9mZQma#0*KhBl7lacN}x4Ff;#I_E5MPDVgv zb*$?o3pxNVi8z$g&4T6woU>hE4bS)i#Fhx_g=K#0N6nw;G%`t7?=&{ZLz0%t0Lm$M{CgqpDRUIycQ5*Kv8UXYFjIOB_$qcfWK$S9Lkp%igA9TO zMVn;)0a*HDwkyk#dvY=z$DSFrN6p!@vx%%pBEzmz4s{1!UGy{asQ32xC*ctTER)IL z8=ty~*8xbR%zDPZH*HoPh=j`=WjZ`5Qr0Xp>31_Bb)KV4ZH}xf1eh3TviP<^qD)~S zOs7Nf8U#+o8Vulc_pX0dnLNHr+Av*w0^#_rSB;T?*h?A-Kje5Mp1NtD0>*JE*;cvo zUt=1QrmsQ#*X`UvOZiB~bYebo3|_2oO>9v<1ZofrpaL*sm`lYmTX~znS-{M1@L&0wMX*v>s8Zr%dk1&k8RGTV*B{Ak;7yB+A97@98~R2vOy# z%YdaFdj@PK1~4uT$d913+1N$s7cGcPILQ=3m`j0i=V07xJPJC97BtCWyBq8j{3j%fhb3M+~2Yn)>SE=3I92B9>IqpqW0dYi_^$K6>QFCs}f%T6I)R^y-{kcO$=x2a> zi!fyN_|dJ6%i6Gr!GY~lyU^vcouc|~aio{3{jK2*l-&I@e1;_ElVUrF8>wQ#CmR+F zNa#{N`EuGC?+@5W0%|x%AgSZ5=Yq1p^e}IF7;14Rh&d8~ni8jXCjFz^f7M7pahKWiEjua19FTv0bPNwQIX+W7!GxL5P=j*HIC z^1`uT(aU_6NZUrjT-*=gCcZU?4vpD7{9O*NUi)|pB=QTkMez=YNlOSMraq5>iOrO@Q5JmxPaGn_L@ZV(Rmp~`r8Xq0ZDZz<1~FmjK5Rb!aG{Y zz<%B)_ppD5Q@QvW1b71c@7Pg$4aPo(54dEh3oC*P{X2Y-dM)G3>G$3ixPjb9eS6g! zyUsE9ly0+ihd3{ZSu)H#LZE3Dn{_3OQPdI?G#feDpuJT8o*$$enB-%M(XYJVYu%9& ze(0jGZ(IsfOBL$`jA}qO6M2pN2J{$Uqzc~R%)b8_UGZ56s|-4;5iW^sO( zc1*19wgaUAK}53K9$S~RO6)v*-&sz4Azz3-jsGEKoL>IcjFs1JQ}4#;Y0Z_L`v@~& z>YfAd{{fVSHWSg`#ghpZ$X_MwK@GP}|+Flq4&23xj6nkuV*K&vPc{ohfYc|-C zl*l|Di9C`Hc0cl*=}{3&T8LCzYR9VUw^G1Xgz^RQAJTg}h8@Jkmur`$n=+pX;H~&h zlR7Z#EoNyL&@8ii!W)?V=zCr!|KK|!Y!2)wL2;I`21H*7t(7-~qkHmN)YnjT`p!S` zlfd?~J)it>dMCbK?LNyJS?Z+kk;YP8KZmK)=1t5p{g2^`p+bm|@)x{Uh6h?Pu;N%9YF0*hX)5F!Ek5bBwOeWd7RUptlS1`Pk#0pO=Q<}H8j~>6rn1wZbGb4me!-L&zM$>{lG3x^hr;3N0+ruHaqySPm)b)9+FBcvD)Ztb;qevzN4e?nNx z1U{NNQiEHBflD%M)Ue9Q;XxNCZH_{S>Zg9m zI6|9PHlCf&i0uMic4EPbb9R%PfZmY^iKlT7dj0XVZJ?p+EJ6*Iq|x|-OoO=9wyR&+?zB(!KLO)AL@Ib8Uo=K0Z1D+yI9Liu@K61ZfeO^a!e**6Va0b{+ zP#}(lcMyUI z@P|K&N`SBN`9~2Ta6Zkwdy?5_QKBlo(EtYyfEpGG8~{C|o3>=GC@uUWJ||9`1aM%$ z?oaCEMAy-ZSA-#6$tf$rhz?5kfhS6UeCnGwRZnQFo@Jbgzfn#g+r~1h0?LxC>NVko zA>sTo`c)T&R?a2q=qRf-j$d8>vZEZ> zTB!a}Eo3u5v$Mu=$W0S4hPq(&pxjn-R>cDyXE6e6dJntn!cVWzX@3k|$wV zw_4{~Yhrr8x%TrYQ@q|-BxPj+pw<9|$AC>{JsHgF85QP&i26apwUhq6awmbe)Ti!Q zFR6D%Z2YRg26Ylnp^%&p6XU%O&OaW*efHE#I+ilAvwp}$a@lFyTs6)*-&VXIhF)c-T!&98U4 zO1vPUA3NUARe^eTx9PuH*#d%0Hnh@z)&H&_xB6pY01Kkx4&sbJvB>G2n8%yh!pQZN zW)P#zk>}L&z?LKU|J#PL*mi^LKdgaDmLkggDALi?AuBpS<9_=_Z9w8EPFN+ zf2S@H$D(YJcogSM{gj9RtL`d?caFZ?ruJ9Nh3dGSG0# zJ3il*P72^cG0Q9CxD7A&k|3E!c;t^JLqa!tUryqOdHtXlFMiDVU6>F3!QrfV8rZ+% z`W}D2%I2Gho&GkzBVT->G?WP4y-is!!#Rs033-QyGRQjL4F z^f(|d*`Q-#B?!{n3N*VNt-n=L2xzJLkFYqk*YGxDst(yo0G%&E&jrAy1GJXtOsqX4 z2)7c@@94R9c4WHY^_QDclVt0V;5#*0++Lbkd3t0Z*F;}4$oqAz@iyZ$xm2@68aJL6 zIh8vRWc6cziF#7=F+F-*cGj^VHFO=7Qif*s!c8I1l7Oixt)B$vdT1k@k{~d3iUXeQ z|H3^M)D4v~9{(&WCeh=S06vttwA&$~+<)7QMc#hdF;hNt-ShS$!A^nBFTy9(7cI6<(r(tC4N3l|VDpr?I%a$>Ek4(>L;y3)0>#=6&dh{8%fr}BN!FYwrb+wh;K ztw+eK*teuFb@RFmdLs7b+h!dHIfvUN6^36Q4CZ+be{tB0b*ewy?Kh_KKr1!OOr81r zW4d2aVV~s?^pa%b{V3%YFSdr_b)_62M?q0rgi@6cKVXaIx(G3U8<+Z)qJU{aT>Snf zwVh<$O;9#(L-*!c(*@M%$shFQbcHC)9qtR+1etq&cCQ%rsi-hUKp=O-3=4CVDt8?l z@JPta{EWY%%_p$yKh}zpSVWdoeHHnbScdm|iWXgNK)X-uL^&ofz{a2*$s{hsphm7Ic(J7Yrq zUg~Y`K7AspUQEdw94k=&^+zNT1V>2W2l(x(kdCxdf7shsT}twTVk0W2)?0m9osH>_ z4m~2I>|60G-uWhIK=D=8fg4dare-rX@2hl^e`0sZ585zDDo8 z*h5?qakTeJa{YK*>cWYIT}@(l&DfSA=B21Bce4K=2_lSEU$FMO$3kLz#6~<-Vj zOw{@(nsd#+1g>9m7pGig$9YbKYnbP_-wBw>2zib_7&w4AJvFOizSJBbf9!)!am~e| zyjR-FS%mkH5p?(UY|h4)y);;kyP<0Dol?|ZjxejUhZnZNA7G?8rM?I6{V?V<&yXfE z54*#aoX1TwLh5I_5!@NEuLqT_lfI6WpEE4|Ki03(=MB*Qoa(A*llYK~2J1#MTp7b8 zTH*i#nIE(^@1(mEYJcRb4eT7#${QXQui)&xkQy4IGULd{h`S@ST{EQqjeJbEUmh8M z$=h#s`U3Ab^O&e$t2Se=U^{+UZgTd_BShZZ9RvHM&OvH~!v0Pdgy7zM+gGy*}xTBZS6Ve$#7qS4kV?(i{_uUNk+%B5vC^mOj=?bcltI^1Jq~=Pw*OgRu_7ANC zz19pttluf=&mju3#Uj871b=JXaM(+1Zv~CMJeXBaI{E8zVSR#4%V?~1M9>`yZEomHTbhq>P}!7T`M9ZP!~^mDMskl(tTDY~?olA9@S#Lr!kW+X?}Jd^3eFZ+U+02h~r*2yB(u_^Ln`V54{Tw5Uu(oK!YuyD$QPThbNBc z_S}bwwt!Y$Ji<F2!OC>@pG0~q7KuaBl;kBL_-PF{Hsld_o;qjB+2v+`VWo-xLs?2)UTw~yTCT&WEk zbvdH-ND&vqU&`R3bMnJUuQeQhrt?x3CB<&a z4bx{kVGs{Hss`GSqguOIrS6yo4%b$RY4ka zV^dVIrA{^;(&Gm&#RRs#3{Z>NA1~POXkD0j(C3E*Pa&Otqk$pgXbMuuRo;&mbd*oL zK&Zc3y3ff}_T`4{7Y0n!ozZ~k6G7h)dw-WRk8*pG23?;!?WK!==i^9{N6?Fu#WdKO zVaTd#sri^md50Ya<})vK%E&n|tff`pmq1g`<4f+B^7UKxMmfEUZoRLHyN}33{y8GM zxF;X29?bbE1zJ3gBSp7ToZzO=(#rPt(lZhX;ncHo`!m-+O-~I~g80MvG_3Z7@NKFI z2-c9FGMdv03a*a%Tdl3=9(Zbe#v$xz-7E34W3E?|)bm0wNr$U7m!Gn1k4bR;^8f6w z9BgMv$9}E-QH~cCx4Ziq3VqVcJgs#;Fx@dKy>Cfk!DcSzSOV9-P%uDWVUJsX@uJQ+!&D+cImOw2Sh9Tv* zf;@2ax!WXvHM0{-8k*U9`lzb|gc3*Jd+j-)k>=F_J5K^1;NREnVTWx*!bXm4i9~|j z^v#r4*5>Q+19Zw+lMK%jua3+?x4Y&qJf5A)hNzjQU8?)+LAZFjD*r6{*icmXheZol z1M_(oS53>r7_sR)4W@-fqoUphR}Ey~R=eF2T3pjr$*6Ko@?OE{6m?0hBPtq~&7pM+ zlw@~cG?t=)rYNC(I;u2{UVb=*n@zn5y%ysx_Q3tcE&YD?x0?FVO{COp+h~`-KJtvn z%3Y1vOL>;L6`DQ`s)~o(JohJ6>PL_n906Dww{S}NENYHoi{aC zR?SL$W0r?cHBnW~Kl|db;)jD`ShHV>eLh`B#gqmPN9rW>?TsYl-950VeNR*%(!)wl z+HCRFFJId;ul=MeB0~52|GFEK=l5eqr!du6H^xzMpTNF-b8TplibV?dswK*B3uUcH zihaCVm>~V6EjuAAD~8{D;6x$la+OZuE@=o`qjQhn&daCs4*%#?`z(Ubl-ii#f1G|w zML^q1o6n@^(3R_=eVbE{6i=FWic)+hDz@z52S=QV-ogONQ5fAbjUN~05B+5i{~G|f z(4KKSe*aGN#&E9h6JVqr`#-{eX`@=%wt~2|V~L*v%(N=z)9H8Lmyo;$Ym;tj$yg<% zTogTa{)2N;nwsMz(?V_V+ieAColBF3c`p%I_XFhYMy<4rA&_$t0H z`>pjlFh3f{Mn`Dyl#N}2qcpI7w)yS(mVlooM~5+5Y#2Y&k^PG-)ETrJdD)Xa(9}#a z^}J2LDwAY_l+D|K$Ekwe_hs_scM9Gim4@sE1817`$g=syTzrw#5g;sy9 zkc!Mb6QW_|+((+)EP1+JbWlI+5;pF(TbaNEW|}*@#RYDV2iVDm;QDHQG^m7d~5r6|K*;OJO2~s1J-y| zV9MtTY+hkK=fj~F*yO<0M*DK}>An`&zQi2i^OVbr!8g6rG&i7d!bAYx`%*(6pjN6W zUo~~EJiEF#?#w}cnTlXl7B@u7P~tAzb`; zuAu2!#Yomz?JArYIwQ56QkO(Va?tm-YALHxt}5!si&5@)7fC$V37CkiQ>_+(F*+^Ps6cKU6?_CisZ-#{GnC zO*?{8__&Ox}kfx+Oy~%01YfY6oXGZ;h5EccJ61ehM@7Zf9RW zmGWXLG4Z*VI^p6s7qps1aCWNC8w%t2r5B(00%`}@f+r@nxi`)hI+e)ECj3cK27_TF zGTH6-*w;3jL`u{rhx4b5KF3|DX{dZavG5q1+EaL?KK`k#=P)*bPsQNvoM%JIpC5w` zrv~yb2fdlzEPhsbzxU$UH?QdB-zQGBhzh!VH_sHZeEt2&t2+(8>}iMA5HDlNn-Ry$ zVv?WSm8qS9 zEQh6YOLs!ZO&4~Y*)&p1P#R57?#P2<+dB615$dd)2`jv!nqjOFXGkfGC4u@umtyjIcque8Zp`0N{n4N5OwH!K4_@;9=Q6L@hJML7iIcN#6-~h>Xt#Fa zKZqFbh&i8M#b&2E$8>QLu0nQNrs-Na2U8E9c&?EpTxdJvCp~(Ovz8kIQ-F=fv;r|~ zGEP&tRY|%yj-+eFRcHL}6WR9e^WBrL{ zpbrmmb0^SPZ|TD%$%Gc3dN^xEypH ztL~Z=r1*3n!)DhUP@o2DQPmvZo>wc5O1b;_O@jW?$6P;^JEw%hPOMI{MU{V)om~i* zoZlFG*%bXC!r|ywZ^iA8r>@>O)?Bzp7~ggDn}`RJe$7yV(y!M2{#ne!iwgX#itOs$ zc-2E+r7T`;5+*E5qu&7#xz>o+pBtpb2u9m|@GnZfk~?{}=?|Pd_f=~$Y41Vh8t3B_ zh^|uT|Bjn@?^F~(kp*(gl#^uAl^!e>|7#Wiis15Lx(^se$5 zEN`CyEz|~Vs)@sU^$_TrX6-MH7DaTpbo|^$h1eX$_8S=I2gAk3(w}IVz3sTBSZ{t< zb^WxRGm-)MzMO#Ev(A^`!B4GydHFKqMb**ChxbRHhYV_=0EbphmnQHMe|NhEqPdg#^>C>B9Favu10W(gU5!$TN)QJtXIcO*u>X(27&GJmfU zuHzA+0SVg;w+tKY>QidIZ^_^9w(t6T^}|Q@R&<=Mtd@MO_%z!AKJ!^s%>6?ewC{DLPB$5wljS9l!IlC`D+u3p|w%iJ{aS$rE|Al{`7Pa5Jd}!;Nqi5sN(-m+?Rwe>yr1@31 z)|q4Md(YC}mwyi)aUtl<0lt(h$LH#gZq!R#P=0JTV8#`LguE{9XnIt1u7emvp2>Z?yOZ5K~AR*zbi{FJ>V9j#zaD9D-F&8gFDxT7EWec_(Q`3JFTF)gAW z$aZ?o+|T0yn;lgwXn%kI2RM1Y+;7p=e`tc^S?PcFy^(s=`%_(=Z(*GILp6xTIg&15UKcbZN6sxoKeLWJTE#^~)X${HG~`>YepnxK)|Tx_0S^)?@dKtt*`*Ry%T zc+k5`5b`Roz@l=Y(Yvqx-v)kXyMEtt#_!?G zD2u!UXKbN`u6Y@LeP&Na?u08~E;rC;EDD{fzW5P`tge?hs(_;Dm#rZjzsLFQE2F-% zI3CiBL?(4y#S}r!v!%-|vGEF%8zQ>=&~rl8!Fyi|gM?Z&U&seXR4++$-bBS9S^%y= zEGv9Y3bT>QOT5-sz~|KE9+>#MhsIN9%-)e*{QR)RQ`f9nd(jdz7e7Q7jmC#nkukD(36`Q3oCFK&&%9L{AO1^t5i`9XFS(_M_;t26zol-W>zs`7^(@#y^)Gos1|w zDyu3g=dewzt*a|3Qti8h$}b)D(RF@>f@62~+90^c$I|t=>=kuvFTdZDnlo;paZpZ0 z?HKngw&O$sRmY?J{#m9X#mH*udcr;bN~1n8&6Q+Hbt;s-zz>oUOg}9JDk{d^UAVo( zMz#Mr>}@gEaqhGE<5weJz8aP|*B{_(JEOA4U!q(Zu3qmUU8SU zF0xWNRL3R3MtQiSc;KYmLhMT6konKd(4+XHkBj!rJTlTB0S)b41^+=k+}(RBhZflq z5X&Vn+|hnjbg^y$@ly%mz}#8`Nu85V>&ACP-lHv&r6eD>|LUuAtT>h6n?B}Q!b|tG zF&l{Y5q-r~jzZ~<8#(R43qMLY&3&~I{#$P8=-2T9`q~+;0~|<*maw-)c($K{1w*1v zbKm}^Yb}v`yDO)q0WR?0S1DPwkw4J->3-Y(wY|9Wf1ZDFILEM!D_}1j(xJZ(iNB(V zLqV=j2Gedann7H-Og;aE{iCB#fS#7N7Z5!|Bxf9^LT1CsvkY@Pu!aPD+%4a>qKp2PG(>`KO0o|2-VE|>HZc%B}R`CQ%o#&p2 z7H5lx-^1+p79bNDo_UX18lxu-dE;n$oUQz zxEWMBTP$WOq9A`y!R_ttFYK(FwjoaQ-~MylA=G26(xd#|?<0uQ^Q+gSmj((ICZ>+r zq-waws5W&7>FxWrbnRgAzB}s!b~f!t5kF5_r0V(Z`{`(px7e(e17WK>(|L12>aY(Pv2_07N$Au`|!&3DTR%$!d>5G-C-*J@2ajn2zawc-}2}KxY(oD3fYh^ zo?SfkYw`xXU$sko4L*f7YXk^mkTXUI8LbTEY1P{}aifT|N)2 z>Jw#SAI#>)e-Lu97~ofL2@iGn|D@*4Nv9ZgcT{OQ#SnK^gQF^|j;^!FgaOx`T46FB zUMYDB8mGbwrW46E#Za|!!>@g>@W$R8hlY%mX(TRU{7JfsAI_0!9ZJ35VafuQx}+Ek z-^wH%q9aS_dy=N|`5{;3uTeR!IZ#OsGn;a{&N>I4lb^k#|Ar6)$X9XzaI}Zb>X2$|Q9?EWz@ssGL78B>aZ_b9%`$O#A*Bv4J~efk$3a>W)2H-h2H-?#!p z9e{Xrf?9f5Tz_V*4SI(cmFEynhUaoHn!-(pLM5Kp^ad* zLdf@FX){~F3I&V-pIW0qV=W$t;32h0Ud`xKbn<-z( zY{FKtbmDDfsf~Tm&!(RAxybDhid*<5+;$Q>ref<3aH04}F>TCqOB!rGkq$}I*Za`Nb$Jkn+y;b{n2rG@EvbD>IGD&~B>$ZD20J}!>pWU(fN-{oL?@d2LTrU~W0 z1)bkxKtZ43eUAoL!=Oc@?dAiTcIdU2 z-oaQX`;?!Qn=1r@h+U-C><3^0<{n-b-u5QEog~cx#gGZF5RmWuuTazbrUU#YlWOIy za|Za8gpe<}$ElNYs0Wlv5{S(2t3f$~)uGg6v#O7fvPNU`TnAhn5q_u5LVjB0qh+A& zO5-SnhZsnvw?!ur&k@b2kusZq$IL%da&n?`3 z74#9;guMK;Ij#d4Hzc#&z=Zz4F$tTCF{bEyyzE+q7HikO(1AMNx3doSmu>} zd;wFQp*OoC6PUwVzpmeIek+d1QwxQ3ItFtg>7?h8?s0TF*yip=Otii}f}(v}ew)zy zcX6t72BG{sNlQW(mQv02%YApC$VQNE<{^d%Gm1yA;uyZMme@vwGK0}v40ZHaO;092 zM7zEz^z%-4t%#$@a%!yBSGzAm$e#;i&NrqTL%M0nSxmT2KbkXdjn%!NQqbh3Yg#)C#`DRZ_5i)lPS8)*UemG!$WNqhFgF9+uu=W^!jZ1qcm$qUONvI z>>#?iF|UKH60^^O?v*ZI1C(S4^5DO{(qY@Tm_*xgTr1}f@+jd5*%0mICppOgA&8flG1nuZdzc1~3ri}Vh2Oz_1b!P_|6xEwj! zyQ9ob?u;ulthZAfXp|EBj;K{(sftxsrpbJQcy?9*unU~|X4^Xicjjvh46-g; z&6<1nMicg%7WGw7T>HLXoMdiBzMvQ?CE1zwsQwGcfMYKFsYtBm?yD=8bu;Cnc=v-|&Q_>J zarHMN#D9Hr%@ZbWvLZIi4fS}*zEz=}2^%D+PJ?(;c>ok4o@BFQ)wbK~im`FjDQ_KtUE%w`(3v7x3sIUN=yoU~0x)jh z2MviM-t~Fc1}|5uV6}jC$DA%U$twFaiIJ(hJ#7`l>_xD3b0$uH?|-2h?^&CbPX%2A z7ksoY&^zS&UVJ<k+O=Yw2HY=wTBc8%Z@ozAERt295(RDU_K3|D%yH2EViI4xJfrksQ)Hvb8_@H{qKf z+Cbu;O`3er@O+mLt%>cRqJXJB(9t1g9fLhBm5&TuQxZ>2WsSQpN{qZ?aOWng3iY7e z8y_;#nY}ha1!QtWG6$z36?0_dErFqaWrG;Z2a(f zW6>gsb`rgh&+2UF?<-f}O&3p^Mexl&r@d!_1v0llFmhpC;}Hi58!a3D)$IT$G?Z5F z%XNcLw}>oPjOQCCxeSr92JWNr(U?Y|($&Q&XVu~9`&g=IvhEHZhdkS6g~D8`VX--I=X%2_`(eJz1cAwKv_ALARVl)p-0=JljrQT6=!TzRi4%S?KHdJEU{rtMz&p^>o-^?RT6c4 zSC5%W$_(1q>E`VGw8~@iXGwr}R z5qMX+0b(D!9>aa`k_LvteTo8C&2HCI#19YOrOkYjZW6%wyHIglqcmS9PD+v)A#1-N z&{&4?!V`E#L6J-WJ8n5ES*t^%f@`^J%Of*3m#k zb^&*p%~KsKrPk9al&&ggy%I|4}(~-XQ|rw+%9jWhN+X@C_f=!DMh!o%U-%ev%-^Ka;)vhkjT> z)KnrcRV$DAFs7X=B#g1*9P6r{A?UUviP2&9(GY_T9 zL@n&ryopharvRwvb3nzfb+&ETYQ<9yfy`2RbEQUK18}i#qAJp3l6*U~#N@{zy#G;y zV+hWu#<>?C!TL9e1dTm}=((RSO~fSFc6@{Wj(9Ew$@@N$r%K1_26nisxVNhaaKXjQ za0!G+rh>F|zA>TRC|U%v!#DkMKrruhwV77{o|nDZxa;juMGo_Z=UuDSoE}fnm-|GO zy%8#`1jr2mxF815TO#t3WB>;|-Apq({{K{)Vj;xq4oZ#dz+O4{z zRNCwziqyN$E8jc$+v2htg~s7w-9K+ZJ1G3SyaKt23p41bgAkezX|!@ssm;?CONSkx(!2nTu4K343b-4boJh za>UU>++-NNe;-qMNJM7{Q$_lT0au-&?r~vs(XMZ2t)2+ugKzh^ptMtLX!Up_CT2z= zyTt)U^&lI&3Cm?Zyp&(Apqz#%Tj#{O{6evc5mt3%J&oD@2`g=)%@a}|_|wZ=s2 zCL7r}pp-;WlZjgovAN=@zVh@N@p@FuZ<|v&Yz{02bmZpyf+fQD$!71>yA5EK^|$C9_n(yMSc$9SfwjgY`(ye!ESu3ftPZ{n`WtYA?`_F!H-Er0 zho$K=g_5{sS|!Pa)BLejZ_T#124g2ts>eqd=@T)uwCY{ga3DuxclGYJMs0~P=}d1D z_d9;=%)z}I5JReNjAhpFB#kTA2Y!m76dBxe(D~5?4dSh_Z zhDY5T{?Bj3J;;T!5RZ!F$cb&vW?id2$BCcol|;?7@|`3hxOX-%4aFb_O-i=Di*~b)7QqbbTJ% zVG}`Pz@Ssu&>#=h5^~_d#^UBm~D4PtynnynGK;GnSn`*3$(eL^LZ@4 zPpiK~<*Ra9QN8+wi2~}_W^4bklgKb@x?iqVs*(P(6S%ty#w-;uJqu zW1vXpbqTbZZEy1ZPfxwBs2L4DwdL=AsB=bEw>EmYW~zykPAHL*BnlbfV z()@DLz$*o9zuW6{c|IE6bK0dF8BEc8%{4RGfsCUw`vc_KrnhOl8j1tgN;B>O2v8DgsvqG_yGew>UZG+^j<8Q-epMU#}kS)Or?d3Cq zEQU63`KhdEgajtt&eo)96|<59H4<#MRp}Zqo6-0sihp~2z(fMSToBh#LpA-qTnAQ{ z&th~=vwU|@>pe%6z4q$pO!trHH)?Ak_Xb_wU)%Qj07urR0EP75Rd*uw#3)9PD8Rh6 zdV(zc^wxPCZul7DN#hS2Bc1}Qz&E&IuHDFm>$!%h{}7`c@;TM;Ytd`@LUi+RK`_aDpHNmHs z`O+&9=QA~p5$|z;J+X6)hmI}qr3vPta~DGfZL14r{~vYO2y7#YJiru0; z=gZZS?AP0eFJx5#`q`fhDGI)xER6OAp;2Q2nP~jGji-NzwfRm2(3@#$;uvV{Qc4Pe z#D&V);S~5mPESP3l*Z^)siCxl%i#)S1-v~B#S@ZYd_(ikZz=Y#zNDh(1V8!l7a{=X z11^2=S8o6{78X;))f>DNf5?Ce@-F%WDBKE6^)m(QzlSQ(XrF^$#4l}7-YN}M4ttQR8c%7X7m=*6+P~B^eSzq^F;=^wN9WA5#YpW-FpP&cqv=YS2FN!_(u3XEz=*ltT^nq zSJd>OYz#Ut?`wb&14a{|TE8k?=yw%N!0nhiMi}Pd1shBWWZGM()O_|k%- zJ|swr>4U`DriuSuViR^SDp8r)QIWei-KF}qhP>sRQuR0KA@T4DN{Ztg*8LyP-I+hL zKcy1VrztNv2l?U(sfRW(qw&>P1$Nf? z_w>Eag9vVcwX=Ua&SOPNVA=@|oe%@B$GYKpiWmiVgclYk@Mx6Un`p&ly1wGp*V&^7 zUrfEoxadxR9l%CMxP>m(x@C5$rugA~St~GWLp8`S8SvGG+d9ei9q(px%Z8UjMGZjX zo%gGX6&&DaUj1{>;dB-!>{8Mk3q9f%hUHBTOl0AS1l9h~iiXd#_Ygg{oX`jh>*@O* z0XSa+!s+c`)9_QSBFPr}M~(qg$Uy`=8jSrPlRYSyaQ5osf3)tzLGtuHy8$ zmUa)|W}*wRsEX1Nv6(i5@E|#rO;W|&YPGrQ75dVl!7NE9DYPK@VuMq3)~qt(uM z%xH?Jh)XsX*{mYapl6gTbJQr^`F$jD7NsL4Db`Joapo<4IQWVGV`b@qMv&gon>n0A0)JL>2IPL!Jo)c8;&U2i3TKf<w zh_9b{q*s@2+~lj%uzYp1wpK4utB^^RmRxbX{0n03jMfJ6BF(F%x9Q*9AQU`o2IdoK zG$4c4A0pZpnWKrWk_t)?g>x-w|FziRUa{E$ z*bDNG(_{t5Yp-kmx)+fOCn6I;pNEvnBnX-;z*AVN6w^&Y7va*npcEg@*v^w1F z+5~paGOMf#tm}lWk=AurLc>kD)dyx%emx#n>IB42)U$*)9}xW%6NP-6zVZj#_NgqY z53C|XwU?w2hiN27I+d21d1XXfC1xwsQ~FtZh#yS$#gZjO+dnH`(G+742917?2PP3O zZjNzc*X_{9hqH0mjnKWExLVM0h%+7~H z1KY>~zbJ#-j>yBVlO|-HQ?FQlQbJ_tD-9QrZi#=S<8felYV^0-#i_apY1V5?$>ux_ z7&QO1!@;D@YReE2u~OWR)e-MfFx$ya7ZQ%+WPs)J12UJHsfNg5VYM-;t ztkB$a1H|Q7HE7#UqE}5v<7u4l`9X=cmH90dxdiI53|24G*N;#())M!i_p;d${-VT4 z#naVFmblJ$l(@x{FXBPX)Xh<)eo34#27|v?Tx~u~JmUYwu`F>`81q-9o~<_6w_&1y z2A_KXo6vKiyO)rY?8*k+3#Wq4-r1r-9IKvymU650hW3kfD?iZlCl0f2qZsFQrUo(7 zCh^C`=fDJJ!jPP3Pk=Ng=@no1MJ0@mRN(|`!y{&{dOs5tezg{Hy*#2+2V+9f{V@FK z=bB0CI~;3#mcukZgz4ls;Iq{$S&$K^W?G^pf;caU{P%?amB{55)wJLHrs@+`4QP1) z^pz1-H~isbMQ!rz0Yxjo1KDGpYrJVf`KbqCCv1ga67+J=XxNMEj1K#xT(`q~BA~m~ zzgm<(gTn6sK2K1B>YfvQH~O+~XYg!_7Ms})Nb)K*!36|yeOaZ&o;LG3i)v$Q^*oaC ztX;?N6T|K^z*fE@g)Q@cfiCy-cehFY-GHsJ4^g&B=MquGV?iKT11nE1`jx2BZFEll zmzStTgA@d`!~R;bv!U**9ZF|^Z@B05LL&yzT*~VdgSZzVGn!Cx0kMr=qML!JyDTMv zv77x`NNSZF$7{&~Nnczme(Kh4uX5zv1g(>hxDJ?5oPJZ?mp`Cj!jMV!$5Gr0bmT|vm-H}b}?O-htR6nyX<&Ne$J zlpJEnHzXgu&46gP2cDm#9iIGzywX@*a_g_(5P?})@BY%iMVlxc;IJPul`@GB$piHw zC>sa49l7LD3Jl08<$$!3ICGk7E z6|R%dJt4XIKfX&xduA|g+4oSAF_zeUV@eAxT3BwvHC(2DrHe3FUX|en@_hPf87dd( zT|-gsE7!4#hrLlk9VsqNOLFC%>D8uWqkqhx)-$G2`Eq%hRc}O?>F}l5IjP+7^F-L4 z$B|1O_i1g9#&F=?@64!r_g=X@e*UzHRhcB~c^aG1A6kMA<$HE3U%nFYBq5V}OPTTA ziNgX$GH6ed$5T2nYzoZ_l7DntyAl8BsnGZ#stR&FI{|4kFEgc#4DHLtGRCJrb0=s= zrAyyEMLD@#byKxE+v;}x;Q7rn^d$lM_HNa8TB#3Q>d>`tNRaeJ3viO$fnKJdByg92G zZR@XA?>_9Be!5aV$q_rUa-R-N6k|@3atSx{301zmP|%rewwjfg6nVz_{DX7nIEI8@ z+4Gd;TM5GF6lQ~-i1WW(_Uobbn~}Y|9y*h@pWxCz_D-|9p1LWQsVZM+*46nO7PGks z-CrriNDz@nc;VDNPfa>uA?|CfdEdxL1$2rPmvhe+oazS~9A;jXa9b^Vg$Y4t%#?p! z)qWVd3rBZt7rY`E9-}}ZrFJ`+AM7`dX4YxejRsV=%=uIGZz5yHD~dqn$Og+jP)J>K zD+gsfD{9@yvQ9KX0{>=>YP|1`uMq?GC_-~9oVN>#>7z4|ZHgvcJ()S%+jc$$0G=$h z>OVz$LOtrJ$TS9KZGyFH;bBj&J>hmy*$6P43f}l z$TcGoov0=p_qL)pYyLNM9@ADf4|*hwcito10QcH(8R&owW$aJ1Y}TEB#RQOYkW4zu z@7&&t$+!%h%pUM^-bSyQ#34lgVW79g1}ICwEwLXYPkiHc6EyYH7Nl%2 z<}vw>AkT2z=}#SvmAFu)+`||3VwX>hubm>5_Ss>jNVylG41Zy`Y110#%Vu}Q0yWx;` z^0lCYcf5!3^yP*OA#>N+ZEda65JV4u5M+nVRR!R=Iy^>Hhw^@A+OZO(A3h;(E{>w* z`2VE;mc;REJw&9BF~WZKeUobR`I`NJi)bd&gkZqZ3!CtO zKz&9Dzjx6@!qn1p=JAOkz{)`6E+HFZIdeBv@r&@yNIzdsd&#kd$c-GpD{S}s7q%Pb z9IIm^soI*M#EkMB$X-94tseG8L3k&nJ{d_5tG%Wu>*0o0xzqF4^j~ascjC=y@oLUa zXO>!mzlb6%_we$-u0Sf#WP8)~_<+^*1K#rGNdaLqxn}okI<*8eMLUMC$8+E6a`6=G zUkYFY&+Z}qG5)Yt!sQRAh0CNSv%F8cTcn=pwz@6)*}gX2LYzV+a^RMWnsS-p&8DQ4 zS_A)PfyBWN_(=iDM$*2|b-%1d_ohedaKJ-&FAFAk0Y^0x@kJN==Z=uM_jrem9{fA< zVKudSZx%l=tI532pMKB~#ms&SD8Jpf)_Ng^ z^QdV!|9997%cFZ>r2!{a<2jHc3j=R%sx?TEaf{a=uAAD%jzL zV`ZS^K@-V7EvI0~gInHXr&8CK!DYv{dzbNVDg*ISw91ZBJ3S?wS7M- zefewldZy5%CH?wjHbW|+IccvDS24bf%R=^!=&KVJBx;5F?1`OXN$w{Fyl=?XoUkvewj55f*JCSKP!8$W*b051 zAVF<+KcZ~GY}X>UG-o;_!D-n~6zj%$I*(#=my0gz#5H7m*FplhqNfSA|P9}ygt!G9YP z9>^|VoTg$0Z>Nv`eQ%K_0|s^%Oc}UwofwOE+R*sSN)Y<4>Q%3bfwc5*rj!aKY1}3# zu>S`hM8t{{n74XB2Wa7ZXSX&p{dztVO`hG=K@jsep{qyS>)HC8KfgUV_r6{phV3jg zz9^(Lpz6$SMCoBXVh$ggtkD0?W%QLr))o1NfX1tCri>mo=}s1^BMRvbn#W{+HbsSxgd$YadzfTf3<9@ipK46zHzE(Uv)38U(+k%d6-0Fmt|I_WhB=(TkmLD zdT$A92(!E-5U=d5ibyYbuyNEV(-)ZT`xb4~f)jn18_NJNJ8t2H8hOL6&ja)}Y8(vr zyil9NyJ}t0&1m#(E3h+Jt}&79^p)i+ZdJ=LWVBs2R^SuY9b`EsfpDgIE~H~^BZSFN z7x7kUu9C5dhLq9FzB2>7n0=c?cE#ZA)t}zCmdI-KM>p`as~T<{$Y|+VuJu zET7*Ty#Dn**46L_gjPq)rgos&4SwE}9!4XUy0N#@6kv%-j&V1F{H50X zB%EXpNRBak7bn2gH|@B+*TxAQO;WD4eIAo+!o!epMl=W|F^veUht>M~_tzvM8%b$g z7Uvr}vy-XeC&%SQ6H3J21HY_L6#Udd)%nFUJ9W{<40iX#3oPYvsWqRgEMRKd-`yu7 z?fg)OQ}kw~6>LZuZ_wgK;5M+^NXr_Va`9Io=4i1PJ-y9QTjzbr*X!xBo!GGu@Nc$_ zgh4>0G9;N zCkoR3;-yf#Ql+X>D*vBFrx!jVJ@GD#|5L4_lD_OU#xdmTjs8V!qE!q&=jN{m0C{4e}M8ZSQ@NKZk zN0^UWFQZ3^XXNUogC_7&TdyVPm;;A%4K2 zPlyv=JYKIV2Il&#<8_6rDSup;#KiR?In01D+n)6y=g${+*><5Zh!b-iC>3Yie-;`Y z2N3ol7Wy*)`sIa3o!NV*%)-#50ZBAm3K#YxQfGd{Z;^E7L`6&$sv3*A$rl~2tTWaPTfq2 z6rDXq@xqyS*SLS~!pgK7im&?sIqTa9uk-LBL&RbvUp&I^is*q9ig2*(4d5!I0Og}F z136yn#+b>mWL7;!m16n+nu0~?23q+-qkiNiPHqEQ#qF3hPaTbTzq<8Nktm`MIaqXx zY2_8;?ng6(lP5>cgJuM1r2kO+$vicmhvYr;1nq{<&xjL9uC_jU07!OP+Z7KKND(;= z^Lk@MwrVVH7Whx%)6xLwFSX)J5}vdcg4)7_fh+dr7J#~_=9Qi`*c zCbiqjWfyAV$(wP78Djod=EgoftXTrmxRtSE?U&HMt*E%QYK)-Tt!%h2^izA$Rm{x? zjg;c}w6wAwksL0I>~VwEpNQ0gY!@72A82M3ob-u{>tsY?$#(EMiPLF@dR(QRB1v6p zVYAZ;w^AhZB*0>7bP4*4>Ct`Yxxn3Sbwr?%d;x?A-D!gs3RuCjgdHrk-NaV`0ci~u z|FzIG0A9tjQ*?QqnZi{K_-2lKIf?V7|Mk9x!Px3Wr=(IH5Uh9xN8Y&9&>MX$v&cyx zhVdB#aEZ2p5(Z~xt8u?qWEl#(5Ht%!9>h>S;@{k(RfbTS&(+lW-o7H zhcyV1_PK%~UsSCXm=Ivm*YQ5Ly86FVi%s?1N>|8WlFh9LkGxf z&rZaC^D3k$JhoW*#l4r8tx71NQk;iZE*Iq8H-1@`l=ofJiHloH6TcYMoSF-nE#6BS zNAgQo5@Lg_6MGKlV^fOZ6N^2;47z+LC@wOa;x65HMydL!`C3~d{OWydKZ0?nG`5%5`9-kaQ>7;ko9POe8^XzHe|q1!vbBOw zIN$~{r>Od@a9%`P9-3lNN&o%kks{|;N{1GcIv6gW$?9OSZz3qm6*ac8!Zo&duqESc z(u1#DLZRNcgXXON{czr6pEG)VG#gUK3Sku6k(fl3{8p zsmZ_&1kpSTN2cN5xjS3cK%|L@36jX^Hhgd7(|*UW@3(zD6L~(RO3`yqJ0|6|&+NQg z&~YLJQ*wGBnyzMCk)CH|9xQIUM%3Wr0cj&E$^8$w-owO{Q#*3%b6?d3m3-LLjwC1y5NsDal1kroawYnYrY9dW_{n#i9yOG|bc z{LD7(CHca{*pX_jc}TAG{m@6>#$)=p>A1)Dz36HQhuj+(^iRpfigSu_>bNGBYkH?L z?e3de4Bpi&mdom5#Vb5tG}POIHM`0Vzho}g2iRj|WOQM+gAy|b6!Gov;7 z9juOlyw{z*#Kp!0#;b$jB3@CO?BcdS#LF_vWi#NtlM%kS6`94 z-*p`-a14m?eAS=5n9&DE0HGsM@f}840(@?R_i;$>zE6_$~E^Bmio6(Pd_$U^{{I+*t%ZqgX9)g+{9pb^Fp^h;k#k6 za|Vz()>Q!4;vL+ukBwyseszFWE&K-McW#b4MQek@v>|ATwz0<%es#VT_1&>0EJAQh z>}sd?{O^D92fC)MB0E{ZPYUaP3Q)HzupP=jgb&zX?g?TX@>(hD3A%Z-3va2iN?Tfh z9bEQf#@#$U^z)pJ0yehYFA%&~@o5Y}#d^nCi8r#Y8w+qhvq+$NXvzEA6ci6M@3wfd z^mMz)+fYwRKX3GLu?Gkp0J{SIU_0!Cla|1ZE#PZKG<@d7j&nj}Nr49>LXlWM8jbs6t_y(|?~VlOY~@{gJSj<+W~3pwdMUGx<~ zBU6NIK048#HAjIabhs0k*gD?c#7fYzVzzylabbhWN`ORYhqMaK#_*5-EWMxVE&F4K z-Uhw$A@|j^ed)TYS(G8*Tfim*?N~L*?3tmEdM~ABR4k1!NqVkM!SazfTlaVkbJeACsXYFZTLaDyY^o z9|nocFo`{CirvpA*_Gr@9_G7|lC9;858<1g>f}ViFYNro_zhytJv-Q_HWHH%lGNm^ zWr^JE3pUFB`l=Xp;40U4R?#a`hb*5XYFo;|sQ^J?$j6LwYhP=bP<0*E39#>dC))ka z%}VT4#>ukTrwUc?PXA(w@HV#b=CRqZ*mN8$m1QRnSG3CK1{NH>wSJO9-++(#cUx1r zVjcKwJ}hKem#WJpyy+YPdd+YXwwnq!Yq(*G(puPvCSUy9)JSOnO)JmXs7Y4z?z@g{ z4!$$-@~yq*C-G}lVsxFcYPVpi)%C-aBvViGvU+^ewtE*PsM?Khp^kSe>Gu~e2N$3T6e=pd{6)qH&42tAXw38wz|)T3cE^W(#P3Y(V3pi~m~H-~D| z{iD#ukCP=x$gM0oV-whl#D$BDyOt!=JbkOQ{@V+UDTCyAq}djcx`gw4Te9}U%_XP$ zIJNi+y14p4DQt!0XXu+%U>8qTE#(GYG@m+-q;VH&B-2>?J1(<6*#}98qq!gq-O785 zx!H0dmD*BeP8xt&_+yh4o%3gIVxs;|U6uhrt1 zi3DZLK`)GZd1nRdDxi{tXX#zC5E~(nb!*6`izp32#Slk}^Zc>%KvKVBOlv%6&8rHj zkDM7z37A_=oVL1m3BGUyz>9rcvzbTN9MSbxEfQH7gDA{|Se-ejU|pCop~bXG`)=s=gYSztU#DFJ6~6;5OJ@4D#Z5`^?dMi`E3ZeR5msMCL~q9s0jV@&wyd! z-Oo42D2ZnMiV<@#`a%THuk7~QmB$&q-S3iE(Q;EpZXMsXxwD+wseC942h3PcMV565 zM4=NB_=ep|xt8JBob_v7@?Ij>M9^I%iFeae?|!ofMedi~UzhN`Ig~maSyx3PCtRYnQBDp?9Hix+E4yKEskD`HbDb?<;ZzUUm>mDp&I= z#Rhe?sw>K)DE61 z$%%?@*?`qBM*u_Pv=EVE%S8oRxfg7vlkqr$Y#-#KdqlQ{!+Did)b%8{*-m>bhmFqw zQ}FiVHsg1T2Y{kRF+)weowPk0-{*lv*7Fh*x!>!ebsA9;#I`M*VMoAyia&dW-df#pbwI_%X!qVU2Opu zza!jWI#VtKOkoSdPV*gt=P*EvF)?R!Ak~IAB0w$cI6y37{I-@ynSaux*7+22aJM*c z!`59`u^V3u?DE#6d9ask47#D^qug*G{;Ab!sU!raleJyJ83Ne*`Hac)N(qm%@St3D z19bJh&M^EIb{-Wd@pNLUp zM1ZM=Qy}wsJ5o3l?+S(x1e>{GShu8Cwbnb)$BMdz?C_;EXbnJS8ROZ&E`??d0`bw@=lT zz)aV@nv<^F_EGhv=T8qd z4l7JmrOnVCWAQxTOn~_9V#Aa12UBl`I8oW@$j8#0U;|^2znv^=b`uHPn|KgJp}gvK z^2PGlv2;y;dV#N6?Yp8~#@_`x*tey-hN`Ui8(ng4IUaZY1>LS+Vmb!KLo|@X-y8GM zM8d4|GT}?dh}op1;zatSU)#hd6TQ+ENv$!*K;&5c?(@fww98lw=2w*p=-m9rYN%BV z0D$7Z=rpQXvL)EHlD2q2*97*IK;TSGfMOg%*%PuM4Q*|Xs?~pn7Cv9pX=kHES4eet z!ig9HZ_1m$bMx5g>{*Set!MV<4daWGw#Ys@#S!+yS!9PmlgQ;vUrBvON#p&KD(F3) zP}snVxZN{CJg1^4YYazUxxU8K(_2LeWKUyH8Ksk7qglC}mdVjO3a)d|a~WV>*Lbf7 zJ70>oXf+3`Yyh>B6(JPWaO_2N6$`PP5g9v*o6qF%KKN+6xQiMf>mO#PVeSz>o-Vu0isn~g(55e?i$r%=;r*vp z`xGOcN87vRSi;DIN`2PdEvdAYY$l}qVYwPc;aX1PGjluXd?sSp<8guJ zD6WpicFg@I{M6=_h{-=Y7I!{J+5lx1ZyEc74Fsu}s~k02>aD2hW=yEvU)cCSqGG*O z^x|{zqOoGa#L>KLH5R@%bFeiIcKWodSn|*6dP!@exv`9ZL}*dpBP)`KpVJym+?lDl zi+?{+<+ht);oG+!PrW#1{Rj@?`ueR$52-OmWn4_q9Dr28PPfi+;>p%Gv*lfUoRWX8 zNyz>6CDKD#K|c;3;>pYOtD7KdS*%d2NLH;;(nDVN4nZu!z+I<}VLH4Mer9%i86N__ zUS8UXdJt@BEl@cW#R4$)1BhPJbpya&2e(OY_|P4FxPhS#)1CbPupu*_S1+q{+hkyW zFV^%rDL1CQ*BSEwyLU`|F`rwDcr)ImN4UQiI2y{F`iiHkHbb#>M-y`g2O{MOGa9iD zwc((S$UmiW;P=5$+W&(Tn=Ag?xz|E~zg z!fWK526Vctn*`d`hB~(wbYS>XcQEh%iKibSIwjR_F^0)OW&(^`k2mK&{bp;ASMgD2 z$}vJO?EL$CxZf)ZV$plmuT+ZVhL==7@$Y2S>_07n5bcyCxr?hzIlOL|Bna{mv zu>W|NplJGUe0k=h&Lo-BW1geuDd7#`)EhZy;KPm*{JEt^7q=!?*zPv=I!qFqLAitC-XX9o^d+BexH%Sxh^;M_Yy!9fRkmU zo4R9d-4xguc!_D~sqZ)^g z!666r5p0R-RoWw!S`BsaCv@>acJs>@c1I9d5bYp&(oGvCR3v0jz>RZ1<8qwafrdK9#!aXq@CBRiD4hrTQ8?405bKw(62cr}M;gTChlGlcR7^c*R`O!9q%v+uuLcOo z^XqJPQZ3p)r*pjU9fi_;ba)D*dweO*;ig^vF+*H+rKNAZ@?T1}%2w|AjxNgoh?i_f z9>r<@jd`XsHfEl>R>k|M{#J+g$-Rs*mTQ`yd9@Knj}mJyFTPoZ?>`QO5}uCS0S*Nc z2y@JneD+m_$POW|a5wN8Tag6v9^Fr?cnncn3<9Di_u@mY2b`goArlgvwT5QtTI>7GLR^znqpY<2{bRJk>#IY*rkP7qtFHmtLKx)BC19%r z0$H`rFY9E6kd2PAIM?$HlGC61zpj;HlR2itZ0Z_)$KR2?Cg@htF4AySl`zfqWxhxx zCjc{eFt6rapMjo5W^8+!V^O-aMJ&ZDrW^55?jt|oqzvN?FVBjWV_Z3DYg`~r^hr0E zz5Ll<)e}+g%J1F!zo>fasHOwU0qGpw z4Z@^hqr0~;YK*bpp6`3!bDrni|LmOo@i}L4*LB_3)g9WP7A>r#c=i+9G)+}@SHfYI zUy!%)c;mj;Vr4Nvr>`v1V9Guz_~{$!c8XXsC(_uEqln64M`6lpfuo?#PNs*jecCr{ zWCH+K0d0@MUilM8^Sc4^j#V%xzQ&^1U)?fgN*zI)Brk@BwKW?uAc;9RJj)-xM6J5& zv3&>E+EB@ta0?L67?li_ND_@xe<@$r?dVz`nX@|!#pv7bT#BnWTZ~VdYB}avJP)~y zt_(LVACKKwFPAi0uFY|;Uvaw4wChsF$F&zVtDQ($jlwWuR=p?vkuFNi66=Ue4hB$k(zwETjX6eKf3B_t~ke3~dxP zgDLOOY-r|PmI5z7gm(rR7z&lYQeD+?pyO-N$y5eSyC$+2@PfaOd!9frHwM+ln9N zDvVTg`VMZX0(vgcJ#< z?wiC=Eoqyv9D%A%REl%H&%a>Op_SYK{b%bI62WmKgB(-j@LF~r^@$r%(aGPBIzP=? zRU{36DH@3u!Wl4Fz!zW*4x`OD?8t;F`-_=sFF4HW;JZN!O8OvX$|~@jq}gYls8)hA zCHwd2%_8}kx5~XrLAkqkXl6AAaFjwFcOJ_o{GfsTkT#yn{S>ZVM*B2f;>q_E%U65B z2-pTK>%hOUem!6tC0&Z?(LhcceK$QtdRM=0vcos)!HaHGMF<!25`n7~7q1qy&YafjHa>!(b=T8o$rX z*6~7!$9IF83=R;jGmbNt-KAr#YLcsVM-CDAtpcq*<5D> zO^^#;=EnFEqi{ZZuNilvI)9#lcZ~a@{0lb@Zh7poziV|IyToG^I{Q=VNj0abZZ}S3 z6Y#7V=cJooArAK*am6TB-xV1CmR;GJ*6M+0-8MO9*_WV1Yt$ca-mGM_La_He@rb$K z(OFY?M*#uE5b&l~^dyn@V^wJm|5$vUCGgk=>f*IME~EiKXZ`IiJ+8THk=G|$j^8nR z4KNNTD4YIw$c^2ROpY%0>9D?#RT4R7Zy$SrQs15JzM}M)cqzRukNY_;#$HzF_Cfkf zb;0B`Z56wA-{{g^0?tD~N8ev<(4&x7Yw0$Gj^btGV-72rjeN5*8X(6!sDshBDR3+XZOW)7+a>MGoR~`LOHlvL-;**XACnwV2})9B?#py6O1H7H zZ28+o@yYs*yt4K^zBa9tC*^EYf09L2(nRKMZTVT2Hy@RnivP4|;kV?V#y_6#=N3D= zBuD^PyNjr^OhNy-M)IZ!b~-*wst0`FU`|tIBM3=5ONVQNlE#Dv%Za>xjch|Z40>o0 zxTqGw?`~;%A9gnmn5`)SC@9=n&-HM#V3APLC=tqM>hB&`S2>R-l&@QDFJDy|+&0I^ z23g`k=aoeNO4n_v+e07HzJBB=YhKaf zDn#rb`Xi!ZD<}Ph5crM-bapGjl=oAV+JY}4YbiTBdm+2d#s@0nVUs#dgZM*k8abE$ z^p$cu`J*mXooOQZ!Z`bQAdKYaje2Y2fmcD%P^p8EPYs&0-bpdn#>HAA8TUV_7tbWB>$a zB0)oQCb@?O+#b^Y&4%=~JcW;83f+ma-0sL~_s3s);WJ&5f3iO|QE;1hxuMJLR;cSP zsw;T=f#40?`VY~I639ZZ@ZpzxB1Vzd_e=sEbInITCwwNO?0G3)b0*&Apw4pTyW6TH zX;_%-bhG2}q#H#S5n!Eb$+6lbZ-#Xq?2V^+V`UzNjO_q*Gc-=M8`e=aeyds5%wJ|M z<`R-8QE9_}YU@2OHgcM=pLJs(H+8+30dZ7|AYblS=vW6Dz=9yH#&r^_w1|SPCy7vH z=iNLWr#=S_ISuVfV#vUf=|!*TkFeDlhmUo{=#a*+D+dTfpoKK_N%1WxGXFM7!dy;@ zlY`ba$C>Q8G^@ln)OurXt17@Z&0*z8+5uKcs3sv` zUAo8>@Z;Bt3ep}E5VwXg85*ht!tZW%x|V-Wk@oD);N0rcBhfeXNNBLRSkf3 zT_Vf}OpxkXOY#$x++Z-#7@4%Go%FsiC0_q)85>?2kNU74Mk?(RsWawr} z3Abh!OdoL+h7cb>pdFIFynuCq;&5QOM}@vbg))u=!UFl08C~OY@@sfr)VsyMry`7c zcgj>;f$@rdI>d~Rk!)+Q~u*UdT7=TamZaKjliZ|0o$QK50gx3L|t zE0HU-j_REDU~eq?J;6a((MGJ)S_r>7^c`4`G+XZrxWV`*a4n1IuDE^d1|*Its%M%- z&nuWk>yA$iX1U&P8@Hf}+vfBG%c1MP7&64J;oY#=94ogCrZ|$E)cpz6+21z#lPI6! zN@V24&hbYOR1wiDc_t)>c&5&EvHvJFeJ2Y<8-o-pl+qST>YU?fUAT?)LZ5(f1bQDq z^w_^`{Yx6bz4ro)6l{!00^I8D;mO6h*oygDqg~Jv8Qt)e^CoSp<23}j+ho22dp&W! z9Ig0I^7{GeZGQ&id(qYg|0GN1x}4i?SWF6ISQVE)DjpaX@9ZtwI=~K`n}(OMtGxx7 z+<_Fio0jOQ6(4*k@&+4l>1HO0N7PPzyu96$3jlR>4IWJl=04}a7mwq`P0Mu}E7AJ9 zKPbO<@P*E;1dMV79^zkm>w|us>F9&By~}QK4&>I~=!(p8vev_Ik!)u>o>`BLI^8o_ ztJdY3Tm%N3rcEfgfY3+ruXFH>I~XA+_11W}u+>w_C;t`K{4CFnDMXXo8=fa_e+_uF zsv>#gf7UX;A``6P@rCRH?b`f2d@rpGTPUAS|kuKlT`}vbE*JVE)}tXjr*g5_c_NzCBDZ4 zCu!3L!M2;-U|gSAZrj~oT*kh?qJ2yF_tI2NeUs^g!g`Y8++aqiLdFAS=Dr`=b|@>3 z4H4>L8|DeFeenV-eHt`j8v4yQOcy)CpB(=;RWiPqcPzYm{c|Eq{&iYPlvxJNP8mSx zK87YugE&EPRC6tcJkmm8v>HIY{v_AUs5*^tLso6HX{1a*Nk$08L%H>ZA=qxXm@9jP zPWAbgkbc9{ahsfx_X=p{ow>s^v&f6S6Z^;=gQ-ezh20)))wAi)RE;%ak4xal`%lEB zkH>RcCceft*cwy@@_vi;{w5Mb4V*99Y!K?Gw&-MTd}Yw-?f?^nH`MY<L z59xGdB~V6ulfPyj5{uZ~4%%|<(cgxp3+>W|0;0C$?guWZ3jl?J zb0ik7O2{idPPwwb06mBu;b>vTViRoXQVwkFQ2Rcp+CL2J>&QY{^oY z3Hd_u&fLZzNf$**ROu8Ab>~PRg357C-0p+m3VFfU>D3#sS6%T3*N0nk2J9TDxVA_2 zVlF=EvG{#%ECt6d8*$5(LuK@l9<)ocGE49m&A`avS!eDR$DIY;i|SPL=)9=XO5heO z=h!Xo%B5-64}!_Jkyb`V`g|E^h-z55(A~ADdubM#Dg02@A6Xj3$Q{;*5%N$MuD0dmdgnCYqbyNv+|lYpW@!=4MrOc%FY9#Z_a)DL3pySu;o)szXjm4pA^sNo)w=Cs+KltBR7kXCE zar=QcRk=3do~y4DyUpi(I(9kvEee33CnVp?2{T+L*#`b;yHK^)oZeuW&pD?35R2$2 zbG`25c;ls>aTnq394X}+1qKyo-vI*?xHuY%w%Ypi3g&4Ly4R1Wq00+s>YdzY$P}K? zrm7nC6%(N_H^brUsRssa#^;UE?LjUUtuq}`cp?-pr1u<7NJC_Utz65XHQK6Q_@leM zV!qfy)i!(&H^&xswmzL}`E*b0@G{B2pu^CK9tvW0`Zqo<$8%l1Ly%r`7xKXT)gQk0 zIcF}`i=gUuSTYf6@979vZM;RE3$k-85peJ~ac>Tkvs9B@Vt{t)bk`Y?12XA8N^glf zIxqzZ)3dH;2f)%L@68QH>^R;O@2tvuW3y9R?{fq;S5$2KK5krmkaPV}wi|61DfKBF zXuDG|j@K!OOTNR`KaQeX?FB1B2sXdnuT!dS7#ni~2ddnr@$2V0p1AgF^LoW$DB^*k zmC@lZ{4`#8pa?6p_<%`Adm2TsSSMIIO~@tuckcer>+5osp`0>#qy!|V_5Nr7v*R$M zdu3h1mDOk?u2hYoHD-0`6WP;vm2!dQ(7zcX@XDrIpo9K|FVpZ!AXwfJ?$qez*%{9Dgd3>xV*Zt;?={UZ)b9GETil=ooD?%P zAB)i&jXu%J;f(r9GVwT*Z^0x%TS-4f)Axkn`LHSWGhk9w(9|eh+jpCehXyqHNdfbp z1guzFM?pQTI*o}^oQis{ptAPWCWR-iD_}j9MGg7cg6z#YvrbB~wo2rjvX#ikFp-a@ z`ff&QYw4JteN0`4 zJ-6?>4nc@4MJ+&sF$;Jbqo&|?=2pMpjTHnFnz-=2EvoJH-eVbu*+wF`i{;G0TrbwX zt?gW>a;^5ehq&b(+GVHeKU{Mw-#2=hl5WD9T2~3Hp1FqxEX3jKwHwOOggBa(EX~jfw)H`T>X8a!x6@1I6A$ z7iy?s!BvB7lO!a~(ZOqV;aR|w;yW+5T*n`7ixiz)p)4R}@mJPaz9oz=O23ww*X4Is z<=hOsS?s(#^C%i!`14q$EldlwBi`pQTb`cn`56fqbmAkWVr!}{<#%8HSJgQ*ioEZS zrz^UvnfP6`jjr7vIQL1Jr-x7bG@WFg7oyiXw(9EyiNzkWXA&2RdCQ$YUG813_!P$( zlTp7gBpJ+=GY_PHcX!~evkUgkipSD{k=2O|RXi7^hRjQ3=gfJl!GWNm%iTQHHn3Qs z=n3MMN?Y|9?}PNNIjp$@jQKi2DZS#DkgBP|#1hT${(s-JrTg}&q>rCQl5)5H;qI)V z#(OylcAAwzAl}6*F#7{YoxOy;3>X}*Xm=^4U_E0u+XGQJ>B*AXf@WQYw);S}oQKpf zr;<%uxzGlE%3f8aDsycOhJcInPFT!6#ipCGo=?^hVwEZ{;)K4wv7P*TukdIIev@&~ zY1bMz8t-pd@%6(u|5V|tM<30fB|bwxR$F{_EKxPjonveCOwf;C zar(PVf0yXgn?Q1lwhpG^?WXH}ul@NV(u?}5vAOfBHR>p^m;d=K9eP|7RgeM_ zR6MoN5z-#*Q_1meJO=em>$hOS^)zED#rt4%ju7B%fMltb=!%1jmW z_Ad3B`fr0qoTK1zgnd(S3S$ZQjHVHsIaZOG%JsEEpWc|9RUZyHSResDHzG1vJ1K;v ziC7#Fa^Go%Q>vL)xkGB@T90Ol$)qseQiWrnN0i^MH=q|2(FxdC9mGV8GLI`BelY$D zXnIGIv-}O`L*5s9$MRMVQ9~{|CO%s1Ff{P8Ua9=Om1E^w6vAmxv7JGJC^PW%}3Vb~d zJom`m(|EquxUs+R`Qk8i#nDC_1XmzIHn zQvcnm4#9vAVhx;|#;w4tq|}}u8L7V^gP zk!8yo!%}>G{l0flKsKE7zR|>vKK4)y05uO%+!3azD%7d+Q2D&1oX1*TPHd^n#|89;P3BHGa6Tg?e(Dd~%MP(m#N*OGbioy@wAK8NI?@m782_gU>rc9$eAMGaUa`-t%Ewk8vijSz)tEFrXUVoJu24hN{>PhVC z0RDX&5tw$?uZ?w*4mM|*<#DNTYY+ZC5>omU{qxHw4`*4dapJ89h;6C z-rwE(X8*LhmEzeSpDw>Fw{KvX&9ibSn=zGOn&q$7OB#gLBO+8j%|hi#?yaiNmUYuq ztbyV=5gwEP%?B5g*UfcDQ>xBhvL~hO`eN|y z`A+Mt)up3MjT-ucv1J9pNZCUl00l}?x#Rsg`amixRN!-{YMV8yGhsaoe$}pgXz_#a z544aZn7h`pPxn>%8E=FGdyRd2!rQNYq6@m>=JgxaUoQ?fv5AT zf;cO<`z8@QR&Y5UWEM(j5^h#ZU%T~(O{aEP|rhVfrp2h7Ifs1Q+cCe;G=(_9(SgT5Kc#Kr= zT-&qexwc2#bddz>8dOZdo#{2;>?pkWy@LRJeGbKo4d*g8zt;Hg1+S{(Tw~Gm9M+=J1EyGmOtKZuG$RDRW zaStG2;lz{lq_g!E247jnw8i zs2dfo_$gcYBD@fycF4s<%;D4XLz~k=Z{{!7AO}PKhN^FH^KB9joN%PD0q>oB?xLsk zg+La*8sc8Gpp;+ND$}Mns4~OC2FjR0|4zxbLX1%;@c$Z`U?3qDoI2q3wVCk7g`u6+Hf(kn* z0rQ|kZWKB?w^R}~D;C|1h}#7Rh@3sqP-&KRxA!xXm||bF#Nj@lpj&e{H%G1$@^209 z+}n{*MnKgw_IsCg8&w2(3h=RU3I{4DLKQILL)7)*nDES_kmb~`(s-2W+SwYUU z4IVPD|7TGewHZpEcXBR_0F7)n82(^8j|!HZ))vDRZLAlS=;;UA0q6 zKK~s}XtDS?<3P9s-q(6j2UcXU+F2AE?_k!k__43! zbk+>%7Ev#^ihzWftomD^GOsc5>Rw7FT6sdVNm}H|Rv|C6*{(LAXj+>tFd4TZv$@H# zsrhk*PCI*qp#c8kcD~q4`FrV#Z7jh2O%|>_YHB zNSf>RcrBFk$cAn;LCE&D!La1UZ2b;*>Y1PiQO^$(&|hsayNcH1Jq}zNKQVLor6h#t zX3a`B+g@T{Hv*^e{kAFV#b2rO(F-S}g^x0IcinSe7Y}jBfzxD<-pA{6I$&!nvD^07 z-~^*>u20FgzWCApngfvTcH)A%9dcltBcf8fiq-e8v(&kGk{+C7nS|d%?XnGnt9`#7 zQAe7;;3ITM62Axd*zB@TqAcez!_t8PTCprFzy7yJ9RSBcL^um7o=Y#ElLTm!kus!l(g^QHav=e?N zWqgw#K{}tLAy0Q~-C2XPJgAr(@G}7#3ocTko@tz+@Y7#bX*CR{a)?#hP)R3Pe2aok z&xRY)a%rQ)B49tV3M2ytI!8vV|NNPK*;7v)LxANv(K%=B_Z+-p#5!ReVzYNtrEd~c zIniggP;OZKWkh>krlRziJid)krG#YQ*6J*9uZ7wA(~f{?Hy-9Wv%5CkWSc&V0bk_W zcZNSK9JsVuH7?FlUxqx-@1G+=@0yuw2s}tXY%LYlbp`kIyePGxt7x*ZrikoCOUsuO!|~j%qaDT9oPWXVScT^sYZn{Vyd=1QtF(b`2=5h~ z;~!$|Zn`DZ(Jq>J4Ybfz-#bZs(GJ*T8?&*c92yjW{P^%K(f`JK4WflQPqKo$PmxAM zIeWA~w&F*Od&}*9{`;+(+(+kdgezc}EI7yIj_%_ug3kRDoZIJ1{?^Epdv}thy+z03&0?Nm`NNOzP$5c(%#-oRd^0LVZv&bkq77VCOkdPc``#^|!EqY{o4< z+?OIezL=D$>Qb%~Q_c=y+ zavov$i@onb-3jeL`ZLZD80V->w$}I$S984-yG8;uSX1k@Ar{=Z>c0Dk22ZkI(bWZvBLJdf|AQtBfKs?*;Ylq_8q@E6)XXAJ@Q z>rb=v+!ks~+8jbTJIQf07ZI$Z+HNXs>QodQ=RqHCvi80lj%ALcgFaxqGRkjjxHIOn ztSz5-e8r38b~u>;+W0HU)Tg;fnO9vkMoG%-t$`*bS>%E+r2k#ZC znzt^<_+l5fVe=W@e2(g)mqU%FeHT5w3Jgf&C)4)RcYWK0h!sYZoV8XeA^HLom^|G2 zu)otGj|)k`r|DAjn2mE+^!DGEnCki`M=f&4RtJuanNx{E?Ms38!9YjS6s3$$g|E#d)np* zDV7vDsZ;@jRPO?Q5U%JMLsRsYMGn`O8R3YFYx%n9Aysu_Q+a|)k3p~xXmtip;MHpr z^=SrOe@8*^w@EP(tFV&y-Sg8jxOJZM6L&hWG;I$###L zV9rWveb3A)Z8gCOO1ssY-Jo?#-}x5uFDM7id4CZPZAI1KNc?wK!2EyGUh}Rr98~ps zoflhF7T$MYMG&nr_yy00qpD)wWGLW~pLM!>(!a)V|GG^oa!9gpd5|tm%=@P2a)&(( z$3GnLG4bXLVNS@+snGt7+F5ROMsvCILhP3I8vW-V0xWdy^5lAEWe4=2=&f+ioz30= z`LB;Nt8|F~5i~8FaRlIm++ZM2)*@XFsK&@%953!% zn}L%Ti}XhXI;#5<&8|H~gIU*&P*OV>21rpmEn#N0GBEeo_S@j5@Y|ATZC_d9&?#KF z5i@($h_Ti!COQry;1Ri?g)J$kmf=$KvRoMcZRV`vKW%+{KF_Z+m%YnTtjY#dqaCmHj041*2~uk=?6bu>5FEwyZ7 zqV>NOz28>cOEgo)$80?Jy;+w$-~?U0c%cFrd}(jDujt!1N}u`of2+)>8c|0^bWU=e zCqH`$l4C_D`9?60afNXeH(HXgvcTTB!ZDlaoBkk&zWRxsQtCfz-5OZn#Zm=*>i;i?_WGQ~|7*u?8Whlw;C5oIcV}wz{Ud?Vw~{Jbe0S}KmFSH{1&RBkb9p~@ zluHNaKkTlz{b6HBiY|%&%<--a#Xm@1LQadO6{z)iq%kS>)#!PW+nv!8szd}cK~d=L zuniyuD(*|8R(K`-_&vEs*5->`yJQ=^iFbnNNS)%}qorr5J}Q74ShGS4U+)3q*z$w(igNqdeWW-euc`(2IT=eg|Im6%X}*3rm!0qjZvF7o39C!3i@Z5i z*bH83p@Xgca`~!uA5#T)s86%0ICrwGkgFo?ZO-U0dfx9RAcp%>S;~1ZHXMrozDiTY z3t0UdZd1o48PN4G6Wg0OC**1pG+vg$#ex0SdA$)v_2YywG?4fLd_f8os7oab0_jmnMGKM$ag)Om%S#tXsy=7krDiu*^5X1~r| zrb&I|M<9o%at?JH%d}oK*S>W&u*`X5Zv{xZB_S0!nPzLWQAk;7Ndd^=<)6g?>t3Ng zjoxb($xJO=%Q1G#H#3BhwlMxFvz6`OhUCc@{+kqBmoSf)tua@}G2#y=;Eva+rvr?a zUlgb-J4m;1YxCKwIt8$v5L6^t|!>H8M8zb?-mVZI}Ancc_ z+I_DcZ9OY1^ikdIM)+kFMr3S3>v`vvq#WE&4v{%bc0@S5%mu_ye=B)X_Rht}*>dp8 z=ESc2;$G~TD27$VMjhTi;1`@q?sKdsAnKVlniXI9L`?YJnGTknN04obyj?V&5B#T= z-r527>B6;=aFfCAKEyTPR7G5<3WoS2+UJTiB7DHfOxt6b4iduZ7p)sqaJ!xCHqP4S zK}BJB2U|B^6kpu?#b28Atq0JC@*r!~sHHRtd z)P-C`jzv<@H*Rtj>$!8SiaCyJN|kSO#vt~&wNIJky+M9C2F7NLyL(L*aRhI{j26u< zR+n}wL>smv5VNHtX*Kc?7?r*ePRvHsY>as^;CuSuZ|G5FaN#qGK!fs$9?2z7I;_^t zk>f@z;p@f<_Go*&KK;dR=1J}UHT>Wllv2^13QW-Jah;(UZ`;B6U9AFqwZFo`{oZb(gOf13DsxsPw)-MehNwyh{fN>QK+Zo2*v*miij(9Q> z3|+bNk}QNchJ?j}{G90{;EZC0B}d8!nxyd@*f$C(^3oqdcxFK4Lq+~EqJOp?A9w>&*y=Y}7j?NhWu85#N`Sa@LI79EPmY20Z?uEZ1%6|v^k zP>=+wurTnZskp&zYGCp1%*R*aqx4_n4bHwx7QcSNp#CPcr ze0)H>Q(FwaeR6wWGey|nfQKe7{gJnq+zDXGsvCmvf!b7}x7Xdv1fmIaF@oc9Ha>NB zww|+xdpS_JZ&c_$OVTW-9WHq`w~1PM@p6p)7!<46MRNIL0~F+fxzuW!8M1UkfU1-d zO~h{opeBqao*grPjL0zxEfHo+sS`FdS(oJ+t~eF&?ErBeNQgU^OHbduftsZ?n`!)e zA?o|0lQMRX{wGWq?3E5cCenhhJkJ*w36Kg8i;Vlvr35E+*3`+XByydaue+XVu1+H} z)@nrE7u2s`S&Q~@udy#?FmPO6F6N|u!6g1$uxxv$oAOD}x3=#;01#Qd+2f(*AKstq zUzk6~K9f}OjNDdY(aIFJ7qlBzA#uFi-*yWxFe|Aa5&iig{6mtW@<}oS!HhuF?@n(M zWz_o|y0wSJ{h?fY%!$-?WHIQxfSF)%5$Y|mpC4Xjzqw8~c8p)`xBeDVE{rKrE*1CX z<=7D$7j2ohPqR(aDJ3g<%fo_tD!?@$rg1sxUXUCR{`(|dTju2Pb9KM9X{zl(;KTzB z{h3U=JELz&Hm+at8$HU{NqD1_^Q(~Uwty7O5zb6tfHQM1x-+|D>sDr~tOpw%?GGA^ zI0ee%E(AZtitm{*Etb%bQZ&87hPH9LWk{`bV9p&{t)`{1(0Yt^I|-#tDw}TSlALx! z(z)&!%&DGXUuTTeK)XxPZ{zi?oqIR?veRH2Ee^Mvjgf!f5M@Fgb*#A=wi=*n(?7FS zYbjbzOYN)+8LSl!T4ni5myZx<=eH$?l>y9mw=P zkIbk_Qz`R0?qN1I@JUZOoT_F2t|<_lys*#eWW{6Nkfkx-%uI&$* zn*eQx_5`PWgDHm8FT8^I7m(NN)E2^>c&<(haHno4!@Xq=gL~I{5LMSf)fK8i=!GAhA z)oWD>M}X4xXGN+2mIayB9F~(w3rQA^{q2u~5hBZKG&8phHXuvBimWKul;jQTH2Kig zn85-=MD9Ue! z9IULs@-nD`B(}!ORmWk*ZtfE&>b11pt||7i`+)1#2h_^it=&R(><77ES5aGqfYoqA zd?uS~h=g6;+q`@BG1B3-Pj}rtlewZs#FQiHL%vTvq$R1PALBMIkucovF}=zQrRveP zJ-BCOfpYsf06dkgtGz?nU-U7@R+ZhYiNI*mnq3&{$TYMbT$CHM9$)`V!pJ$-V&zen zNmc1YSqm2ckZIK*I`D$8jNV#7X7#&U9}V($9Op{H5Bsn-3qv(E45Q_Ekp?FL*`=qT zu0O?D<~aOW-b@6~LjO|7GP6J^T_dD0HPr}I7cJq^(c-c|*x5f}4X=nLm^v6-AZ4u& zr8938hA@lS^yCF`q}&q!yD|9TI_@wefj6uM0$!o3#GM`vA19R|S z5YZKy#4Z!;AGY4$K%EdUW%vYV`z61_?qox>$<)X(D6ZN0Fy6?2l0Hw^6d7gFH1K=y z1uI@nHDGol?bPw+v@ptFlLF0&{TbzVyZGeIG*HO&6uKsr`*JIlb@)jE_@A7PW#b*WE)p4`U>c0jOlB=| z5`gdHKoJP*j3oB@Q;VLx4YPScfkI*g;VnmbtYV?&vY(T_!Olnc)%9_@^b(N@VB3S1 zp7j=Q?f{U}tPHCsX0xzgCgp)}KMj8m zjREWUzuewB38!Lr=6)0BNkX2a!ErZdbQp>xKfn)jb2Oy>Z|PZ0o%&X_VHf~}zl-29 zoX7AAy^@y-*dbt7*V3onz&^g8e3kw$6n?$02@?&=dIV~eKmS&Erw!D7zrmzaZi(AC zn5Cv%Dc?}DvNk&5y-YIm`Vl2W#q~pP{(hhLYeOTC7a#K2X=C@u0z|~;EX@9l*Yc~f zOx9&hM*7Jbf2LEV!An=wv)Pd)YUm|GrAOaYzRYvS*r#3!tJCCc^@jpyUSs$NrG4K^ z)dXz67gQP6Z2qi3uog{RF%M-DkR*EewSOT`7xg)WWi0+t8_TeJkBo8(gZ#me^xkmp zX$(2f(|@00v!l6`>j`ouTWSWpWnVjNBYCO;Za;@>MRKGkz6e^q>#)@`_M+tszcZPX z;(2#MO;Cj+QNwTYAB_t;)4F^|8|yksIb*FuDOXlGRzo<6y#E93Y zi}~Jx%x1^&nqpV4Vgno&UpKp?z6x5-xL*m%x!_KCn%r5yvaTs09x03LBC0TI^=?kF zRr4Zvtj})_6N7ntw?}A{P0~ZLzn&FAgTV^+>}z9BmC|tsOPE;%v0(pw^w*?tt;4I( znr!}_mnOr}n;VoOhvA4AT~i$e`N3x&x_6A3zJxiYjZw{aWUyoTm`dc5ME#G>qz>mT z;u_rOikajeT9e1bpiWrJ>pt?q?FLOYxX&R-)5h?M*^&eopTGV&96?20ksbt}^WzsT z&n7);1T#p9u=|VN491B4*@}ZVKuT6gSBtwr-*SU1mM*)oq(G|xT&xs|7XKQ1gI&eM zz42R2M7#qIo88ogR~oI+Qooexz{v6*+}-EuAZWSX#1G*_FRu%&(mOUS`2z+l{7W|t zlGoNU((i`R{QSQoi3rvZsK~-t(s8Hot8(5AsCd1Av?qO4y;11`?uXoU5AlwFfv z4EZ3yc1%!}fp!x1vna;VEm*BW4CazMK5DfU(b>41YIuA=HU=U+Tp2rGv}nw_uH~z$ zfs*zba0r(NQUYgw8%x6LRX%=US!>x$F~BZhIfK5HSH~4HE{kc%^}}4+G++4UST}d( z=f*NA6xiML@6h4@A>WX{uLB5A(epAl!+~gG$3(No&Dg^JY z6AacLnlh4St8XCI7x8ZuPMaPmf(XYdR&g)yC6fGaq~w!aW2zqbCU2b`2a3ESu(>t8 zTmAc@pBLJiW^#?JMZ5ErcXPB7$m@tkyiB zM-_7tTWk z0d~d%SA?S=7lK+nNt?`AjvszU#Qh77#Yt->1M#nGb}>MGx{4!GALhX*o9-$94hOm=;hym(>scd~0>jktw>g#mML0<4jI^ypEaNHCLoyexLc#%#_uuH zZ~GnbjtBpJvLY0k%lq{K{r4DpC49vkwXxcLO8pvh@$WDY9_PgEI4YQS7tC`SGe}*` z$34Witl*Dul3E6a&IG%q`KX*WIvA%}Xmmp31}A>~qi*#sG57Z@afX){T50U&@?MT3 zMg32ve9upK4EggeMB$`hQMkpZz4w5iVIpzf+QMFOt~2!wme%243CbNosc{yk;@7{C z;+g5v!3>FXa1bvq)2Zs1sWf8cggNA?&s2M^&mU&=Pu?ZL=th6K@Tg8c`T*=r5BCK< zpit<%+IPSr3&8{iKdEF;fLpFXu@+xITUEr-Qb%OJP#rM!FHKceSHSWcY!7JJWPW`$ zTe?1*y~jUM=<$2$Frm}sST#B&9Mx8yqMK%A#M_{vxV(UUwF|zDw|Eqk!^X^xn)I9xkpkhNi}TkTT4^;TxYUn4u=emC2B6;-_^=k(|K*?+w#Zq3ak0< z9EUBOL7v){s6kFYr^1Lf`!qg`#cP&XlrORX4Gm8)HrN5(ffQwjLmtEpo+Gmx;j=sc zzI>FUb9$mMR2AiGZo{;3ba_w-`B>Hv827u|0J*3Wex%K+yW&uF-Y{@5zkZftfN;%8 z4@-lJl$jYU9$Xo&iH92djyWTIbSAFrdaGpN$DLTGW3xz#UG?LIot#F_YOCvnhzr-8 z#wE8@O1~osWcm6*2TX2%3_XrY3o#b7K^i!i>S zOR~czcY=-s$OUp(m zWJNtb>HHh6WuXePGCn83JBa*JF2&(%nHP9=)L5A*ji~?f(Ou;&1ou7ZW1XJIu2q#V z{;=-Ccpy~C#qab36IhX5(#{1WQ&+r$Kj@CgOTt@kv4?%h$0AU78CRwf_lS zYZfw%Mn5&^=hu@KY#WSc$6IAE%|b#?4hGWS)@cv(`G2gvcT`jDwmtkR3MgGVBB4r^ z&}$&{BGP-2UInBnQUVA_FQG_p(v@CC=}71$^s4k;gb-S&-}an)fA^l>8Q&e>d&f8S z{v(5ABxL8=Yt1#Ex#pT;&?CvJypK`)^o>TXQ5+v7=B9YJ;P=)$9LS1=qY(nnaXV7< z(c^(z2NsUa`l`%9;sc^j)UjA?MuVk_;+%R(49?N^;swN-J^VQ$V^t3LoRL`jQcaxH zEjDaKmXbe6i)EWxRJ_KX7nWprRkuba#!Aty*U}AI83vx?_P~O+X1M*$t(7!d`@7z1 zXTDkK(SR7h3$Y(nG2{2iK8)r>iUh{2=R(FfpUMBF`w?su>co?zNH0O&f!7g-Sz!@d ziLj#X)1o$oybRY07C~wGKF35-qBvA&87jc&2MI_oE;F0SqSP?!67B-cCOJhK|F;{D zH31V!SMRg%FdwnQ`v?X zDPaJwgyo)yuiF*b<>G{)5Y^Y#NvUEua;2$GX3}M~zTat6)p2$>W3u6`v0&ZY+gB^A z!rYIeIc5s&-^-~B)Y=Z!FEbU*ph2p&l#e}7voyZ?2S zsrh^*s=FNLs#AvLMF6)f#OLYxc+SlSXY%SvUULWEc_w78S%;TQ{#_DL*YG9A0-nDp z;u)-ti(TeY)EDp`YKGVwo~}Il;tIaNp-$rNl)`CcTUn$f`4Z}E(g0a8DIKS}e6d07 z6e>-x;aQXoUJY0<0k_5ZwSMK2v{0^6T?f2us= z?Uu$Nhm2Ko#_Prh+0QXnF-b%sI73;2ofY3No{Jxk{FWzZ-oS{SlHvdGt5A#$z&~;8 zE+fpGE+41u-iSG*3a+-_8RWZ!$x#E-KcjU*)LqwO4%xPHt}o}e?XqnIm%rDDO_6c( zxt6ca5BwNF`ji`6y*BP_$akEf_iDAcENQ2Q8&4i}inOf9Jcbg^U*4F@9>&AAMl4!c zejb$sSIndfS&U@cg|A@+~Kh)zRTFV0W_H}J=P0<3&t9^ zPiA$fHo^t{!87M&N}U>iJdggBVdzhxhC5%AD@|KC@Ns*-^O}wfsDlD_CQI#3cBX>w zm^>41&EU1NEkuK2F1A~|hxbJBvI0t%6%&DhlW((zdwz;h7!T>;ckNe3g7AbKe$Egu zmaZz^BkhiD*!F55&DKacz?}7~fWLf;hzh^{3;N-F8tYbV7hZSsd{^DfE)1#TaNPof z2XJ0qK!MiTa8g4?^?waiS_Fracq#4c^sw7LNxb#%e6M$ZH3|0v%2WTp41iYA#U#G$ zuDv9gEluJFNh%u5y^GEbzbwM1`$}g3QBl4^^pTyHrY@NtcN^mlOOK85ct0`RczkR@ zNk}f5a|j+&UH%AlFLdIba|{)Sno)A@GM*rZX^jeFme=^#$m2C>qwWVBoptu%Ohlpg zP#WoVKa^Xy!ix!#>{(RavSy1Mv3_0v0$8bPK|EKeQ=yAP6#)9 zTo`xwN(s-nTfTvJAO|=^iJGhP=mjU-<^yXiuaKevQRA|vVOZH8S)GN8IgvWDy zAkfZqrDhi}7=2s_F-p_@y3|939LDlQ+&7ybm}GX7e`AJKq%|8a7zA@IlJ2beYm!KO zV$ODVsw&24vg$;y(xOzD@Z>SSMK-|`aZ2pF9((x~9{U5J5fcBvi%FC5vKybt@&z%$ zvezC|ctU}rcaDX9uV5L1p0TP=gnEhs#E~1YHh>r4s?fCI19p!roAzo{vWJL>6Isoqh(bQ#C^{pDy3joeOd#Dm_QXmQGNa^uSbh zexd=}lYWFChsGMOJQ>Bql&Jd&{SO8#S9$%zy2o?gkT-PNau!ct+wdT)w7p#R35eW6%8iCz zw_18r3+0CuATCyYUTB1%CSm zTe3|xQ)w&8)z^{F41FgT(GFe7mrA>t^UYB<5u@f(~qby2>8+w9BpO6?X{GvxYw0pT9f95y|y$}qN^f)gp_b< z5h{NI`yUxbhYXkaTTZxjTUS^?B~^9NT1m}cEz2Zuyq*J; z)u^#cQ+-@66&`71)P0jt(ML4$%0JeA`(7=G0a&KyJJ5^cwALFx`0%g0zwc@o2_vm7 ze!%;QtX15H@loI8+g)jET}LXELLIIi<%!7Nb?lS z-PTx`#O1Qu&Uw`Z@C!+jZK!FKsERuFha=J1w$2Q6&q} zyCf^0>HC=2F57BuZrrk{59C;+M3=Dl{NhfW2E~<|&Tt(3FmeY&BUm3f!)B{`A zDKqK2@vz~jZM|fXP2~1?(aeRj(fr%#myYu;ZGHy()(yv>zu@h~>R0{RD>m66tAWI~ zl%36+l?ozx=FRsxJeLm~XN(BG3vm3^Gc&FR?Q9KX{nmIwb7i?3Difo%*CQ}OZan_z z;kY#F93=VcFa6o8#KcuMk;^<%$%C>TrN>f1ChXeWE&p#I5*P{vU1PN|1>v`Je1rUVVuee;obH}jMBZFxIBo~R)K#5arJ=E#xtnTZPgP7lwo+o+NN;l`zyM~j?V zUw~e_^Z+8U!@uVFcGMTxDOTUSy9FBHoO%XQP93h}r_63j_{*VgtZtu_b`Qwk-iV%j zSS??lb6nC=Lwmvp}_zC5#ZM7d~Eod00wyhbD2`iQ}; zQta6RasTb8iWVSFj^XBt)MKP2GhoXOSitB#S-ik74M^&n-4}nvO&3736$TQ0%PbJ- zbIK4#_iBI2B`U<8ylFi-qgwWk=biVk3f*9YMh;hetx0k`phA8fhan)m+L=h1xq77# zEGVRWs?ho)_OM`dT5ya+Nrl!q!5|wnYrriayvATi$m+B4C3-C}#}(fSf_bE9{zPd& ztoKIcxmR<&GZuZZ2 z);bl4buxMvNQ6oPDn!@A$W7# z?#dRi2YZXj4a9lxeCA*U7;l=Oa}srpVvAO<8ZJ};`!ggYXf3YdPHZv{!WSk#o1RRd z6en=#;rM=j@6GR@vvUnDF2G3huCFbJ*5B|0K>^=X>CY+y&_lxeyOnJ>h6O~|7aoU` z8o9ZJ^!)*W{kk}zm50(S1D*Cyo3KH%KOR@fbUd`A{fjd$&VsWqgf8e^B(MU_D(yyX zC~|Mhx#&_)<`!%{>%?Q4zkb{ zM<*kIt+jwZ0uOXN*6NQEk(;062cDqEl%6}jtI)E8p$4*et`Y`Q`0ubec2>Ggx|2w% zB<4md$2ltho%1%M&d|fLcb}c>ZF;_WX~KRWB0PT)2>)qJ>SR$z6J5X>Z#f%pcc;o7 zf1NG>+S{tE$r8iT&!Fp%2y3s|fRoATJ$Wy)2~rKC04WcL>vhM;x|a)PCHt#UUh+agyIsrI~Bvp3jeTU5<22)&u+Jk&q*cEEb^Njs)kaRUQ@CHIrH2b{(x~ zK1U~xTUQCZC$O@iPAKL8Lo~7#Aw+kRUf9Hie(DAWNm43M28jqkHlnO6=*JQ%9V{^% zM0Mx{*ccC-5263oh7B{Q{e+tJb5?X>&Q2*_PfZEyz!u|kLJiYU2Y}2>22HCTG3PX= znNcd1IyW2~&1{WwZk~GDn*|jF76d*Q_*Cv7h>N=4R(AdCMr~d0(;H=jk6EloN)O&* z3fTS>K83$-6BtY}m(KE?BUCQk(GF7&+cKf~n+{XXi?6$hGUek47{_fpv5;%`h2GkF zNf~+6b4*p)k~?Z-3~&W0WW=q2^XUB7ESi2FOwU)5FqP9uEVD2*f663ZdLavG%ex`1 zb&U}XZKowwco%*ia2`i09Oj{FV81#lKA)Z}a;-B2^}+Gn;)~`X4O{(z<>7Tc?4y&A zv&}wep?v$tqyvcq!l&lEJs-cVm|t10A3Ilax<7W-odNg>(Y;Ft0d2dD9+buNHpN+c zYozdodgBU1b{CtG;9uKzIZbk_0X;)PwVwNPb4HHk53owoZ}^fz-*p1h!PTMHKZ}-o z?l@c#krt?DINYe9b1DuaB>&lXHivxb(yZ8ZVE0?gEyAnUssvY(i5E#vAe_r_FgLcIe1>WLTGB7qC3@HypQ z$2o;l)dWG#G0a8Md=0vJ8(V8HJe3CXuSo_Hh0%SoSC*!Oq)$-5SW@sPlM%DobHEG; zZT`z3^a%H(x>z5pn)k;}k!>qX^^38pW@}z`K4$&g^Dj5_L+eqYBHe&TT07TDT9T=j zdGHE$H-T;;bxqB^4VBjpvIQdS+WmH-%RrUp)6GIU3aN-C9p}rDqLn_e{Y9m3jNsp3 zpq1@XuB-{)XosOJCB+|jf1!1YF1^l6f}kc&>k7!#Y#gzsDd)8q$obXgV73k3#!$6i)7#qLzldsw=bghI2dZRP;$FX8RddVMD!?2D6YYgQzL*2L zYHV~%CacoxUls4$7k(mV-jjiQ?cBxn^NO;|#P3;H3Y8v|y>mk1QuL_MiV1VKC(H)U zNWDjJg_^BCw$E9!%VODvo@TkY=UmF7n}+Ad(6$?g8)dY5dcfFK#uSK(uvXU~ z{nmd91JBlZ^l!!|GBit3Uag()q%z}frFfcaiN5PrJ#!WmUpeeV$qwvYllGQcA6&>v zCwDDh-315aM354koy&h>p5IokILnFsYroEczYOFVoho3F2TjAxNhy|MZZ3J0v0QWa z#kCW$H{$U_hHyR0ZZ4h_c9IMm1MV+M zxwctAnkitqg7uEZ?%W+FU$!HrSb@9URv2I!E?|WcPH97oh;rNDe;I$3isQhN!yvt$ zY741&jHY~mcoY9nSE{TZ!O&+Qz4F1%NQ$NANGE73wOB;_FEoeNqk#mqEIEh12pc|b z>Xji4N<(k_`&{{r%B?#CknRT`!8b4T5m6$`%CbKFDe+l5YBU=pR9cc~9U(%)cQh+3 za4!v+KWj=8E64ww4k9&4fK{aM^&xrn$lzx=xfDfo_;?q)S)F--yGbUA8~$jBt-=J! zOS&N@Wk~^IM=P7@+hb~er^KO#=nKWjie8!}ydi%Ppl~=e29s#y}ZIhS%mw3h7-QAQHqN$J`8^nDc*m1FJ&y( z<#3RDLz#td;E)-*HKv<$3=&h`3HWAlrO+YKsjstrV@%zXGbFTYe))EO-l(#P`{Ejm zBfDJxd-)F5em-1Mfo0@i>>6;d6S!G2ZO>zgY5TM8T>j~;aC9a7Zo$O&x_&y~dzV^5 z=6}PZaROD5j`Y3*1_dFOCJbE$^*e%P9-I4R*H1GHfC+nL3eQp}&YSL9A3cFG_}{{1 zZp0!4bouX&#tT4R`cz}k8?yy{+Is-{s?#_1o;>f=)(UrHP&ne!jkd=ABxBuc^c-l8 zI)IxCvl$7ET<_E8qvogpY$4Y8%lTe$x^Xqk zNMWlyT>fIS{sBm?fr!6s;Qylj{@#ymiJ4Vi?p^uy@%pVtTuN5Ni90!2 ztfpIYyK;40lPk@r?NI`ZjroOsMZ?37l=&-O(ut8FKSRdDJyFNE`*FEn(G^YPsRc97 zbMN@{WQf}lLe_@rLJ4+^GlZPWJc`x6Vkk0YOd(o(tsd&Sb-m7gec|u1bEAj6|splbGk8J)jZ5ckX7{WAVjfgX0XXFZk6oB*^VP zL;6_3chIR6;N?D#YUvnbCv3Lf?pofp!bqkafKyZwEht8%(e%OuW8F4LXGF%7-TJN4 z-MionXfGZ(L#_bx6O1yZfCbTSW3ta6Au+8?haq8={J}p2NhW7grCHI{+t)LAUff8G ztSMlsYUyXn2Dk;F{fCEoMVb`Y-`C?M`1$KVXdX5FlG9!=42KXz9(Y8CoxY-DqGlS( z7zs&NT)7*rAIh3`L>8LY_2s>`+G!uCuS`|cjV=O@-jq7qx?h_rlA`#ony9kBK|i=l z3C^0U5=H5jj!`}Q7#>zxHT!5*lVz2nj`=lyr#p?sIkHJBA?G;f4?i$=-svFEWJ?n; zewDbfSa;K#Y}nfRe7Eu+70K~cwWVYL0X5&C!V-@EziS@qvCoTQ4pwD9>*P|9bmuSs zVqScKLc=TDS|BRcb<{7H9xp2|+gO_DZP+ELdqauJsuetZck87u--}b$0@ec$Sw@7E zrJA1l)8{f6pXM^_XC5gHz>@6@XAR@C+aW7y$xq1LbQqlsYo-4UF0|sg^frd?=N|KI= zLnx$xY=e_dI3bdp&CG#aMZxI>sX=J-10BYgP22?P%^nE3o#ZMPXQyzH74frO4om|3 zO@T#LDo~18v`Tpu0ncJe%8ou()_GO?)w`C}?wNWi|^jF_0dKSb${NP%29Bu(*Q0ZX+dP$yIE**xdaB7CHLyD&sicnh#E zE}jR_1J3QY?B8n~-ec?1rczyWbVQvI-H{~)HT_Jaj;XC-vMxeLR@|X6_59h)#O?0c zA*%K$(j?;^8M5FZ84H@g9YVD3_jw4HTE`}v2{Rg(FK|axl7w*(k2q_s$tU3^H?$1= zP38ytuAWlCjegyNo8RGA)iX26%ukmEDAxZ>aslQ%2p`V!wy_KTvXXy9k1EzHccd8z zcAl#msNW34>VG{30&rbXV)->%{avmY=mf;t}T%IGtUl?-OC5^8zhyF zYrR2OVhEtzbp(6RM3m+8d8WvfJ0rn0?bDX@x!JibO6i(FuvAH_2S&~(+ z?2)o8{YwYxDfO>fuY%93@V%8<*Lcdm*{A7cUU4K4z2P=<8;b|osI>0Lrgz=td#R;i zWofEK$JzUhM%9p40{ul~d4j%>dWV<@mFOBhkEXBK?Yi zLfg0bn^N}6NIkI+C{b`w_~*M7^!3D1UnERTn33G_oWPr8QcBC|+|iFS3h$br19Kld_71)28aHWATf|%X?=bM>P`{3`2;RN2}2AWRyuwL8Z!?;9d1;2;XjNx%G-YI z@R=GGo!A)#6mP=UH!+UGncq*Rj9nTP{eKnz+vfdwpfzZJE@OA+(P(2~5*RNfeq#9wUP?TjQzt$w(Rd@N*5mA$zEff&&d(4?uj&{3K3J zw0W>yz_o&@=WfMKkflK}gWvwOf}2Mg^CQk!Bq|oLt7>M;$=;fATZPr@zm@Xj&JhXn zii58HNSO+DIEun(Q+`y1tk+%-RtDz_0u9XxkpIXp(gY@Mvn-w?z|7STog=yNY|~i8 zH+Ogyb*OS>OEe%pfk0FI=oanzcMWw`jPmW4X=aDJRFA>n%~^Z!?N^WCHlEFo|7e)x zEXFqa>g3=&Ujbhx%_$Ku9r1V~@%h~B^bU@9_7EnN(>@f!yLKG>V%W-pcqM_F-k*+0 zxo4FuvsF4MCBN(sYy2eKkL{%G&21qH$I6nYG+w_!;KmlMkRHIJ@Jeglx}Sl6sLkQJ zL$c$6KzZBeh`O7>Dea1=PlVHWY7W;=KE`E3MO?V%H!EG*uDcatXbUS+|E=D)skjrc zy`zP}-(M_i~aMjmd0{?>4ZZj7hOI#uyd;$8)nzN9w^I6IsI#iiPFq=HU;sua7U zU zT!{T8uf*vmu3+eq5@qm5W!izNQ9e0s(NHZl2k$;sf>oV_el#P8YU{nE6uMNsCrX?? zlQ|A!;l=$}x^LXl)WZi0TbSkRdnRyu#N%GwR@&D`L)Lm9M^K}ykqu<(f z5pkN3U*mrB?rS02!I`^!U4Qh4dd~?)@^?2fTwb5-PM%@uW-1g4=FJ6~O8?9qsh zbGTZkdZ1c>0UYj3?5yLaKeMgbw94+ST7Un@@K-+hyXq)#nwV`Pa;wkQV9F^(6< zUrsy1K(kkv3;cpnaUe$i>oK5(6+)hC`H-_BWb=r5srLQ~#wz8Ij**prfmD@cRw_!y zg2X2K&?NgFUJ^L35Tp?5CEM<2`!w*YqRCQCD82(fGm}tgjZI$T8~SwNY#Sv-U#4z{ z6lVXGzBm}}N=KYmsGDdXEA)u`NgkbDulwDjB-o_x6?4v8M$lc^t_VBoBr7Eh2Qsd% zASzc!(qV!EWu5MZN_Y{%+m=HMzkjQ{e4dhu zMpoL>XDtZ!ipI}q9Om21no!;+4!CaDA8n}y?4Bs8(}Ej+d~00;$H9t1;JeZg z2Ls7uq{#LbNhLWx3j3)n#GX-ltevAIaB;7u_Lt{CjNbkED-wYvvd}e|=wKa&#lBkY z-Uu|>i;l$a!=b$r`UTq|c!a%(N27Z)j&ySq1!26vT^^0wNQ+y;kszz^VW4nOlQT3J z$vsXP-yk86Af_X5$bP_K24oF+7A!Y^LQ!B;UX>Lb+6Q!nhd@~6|FK|R6HHXRoc}uK z#xRlTk0s!$5n1EW!=v43v6KrSRHzRM!#w2#R(3LCL0Hek41so58nlWrDN^dt+Y#I z&j6%|biS>?YsSIc*8Uf}$hw=2=J;&rd2jt-cH0Kh%p9=Ai3K(y2G)zT|CEQvP}{evsG& z6iyvzMMEeQrr;!iYo3_{wHGN8(furf#$6^==FQrRS27!w&aSaaurP9<8nDQOu|+jg z^QoHm!jkmUz3)x(7s#ZG%o)Y&t%qA>StIn*2ERGyS@a$~PgMBilU!sa*>AiScQ=Jh z$3ZBYn3GGdh~`Hm;8@G9?iPA?^ouM>r9uzod#|HpSRX?+eRc_+_aVK8>Kb^S1cEBB!|WbnrdeLiYz`J0nRyMh8) zB@u<-V&Z=1TMGGOnmg{^(8t)+g}o4`%rwAN+2$}>vAa**zBAkq%J}7+S54_Cm>V#; zO8OH)FxP>k2fPcyAKu(bQ#xEJuYzAk=6(MVZ2KQvUC0BbCdGg3npb~X9d zj7_80w#%&u>zpYV3f0L3H-d;b6K+=vld-#K90eL0Odr=ly$Cv`Wg%a~am+-BsfwSF z1PaODTd_Cp3Pqb|O2P0w;?1d7loch{2H*nt5&G$FeHNKv@4fmg*^HI}2{pgES05mi z>5p7jj-Bg*1RZk8(wjm;tg;MZ9VX%HxOwE+B4a>H}}E8?E5tTiyKNSAVW8IdDX;q{n4OkunHh zFMVO+vdjkd3}M4OG*mD}1H0i}u$8XInmC1q$VQQ=e;5=;(@8vCEAsergK(7I@#${5 znUfq9s=u%6x^!r^`0CyfR}XgH7BKTbhw8lnb6#|VWE7$y=H4rz~=RKA;33O}ZTy{jEy%+oW6D z;cb;}gvReJ_~_V!Z>fj0Mo6K141J@j0H^Vn*%b*9nT-9_fJ{s@T>_=v&05-jOo4#L z3Iz$=+=Ca;xQ(A@Y~%>s?!3n31aQQsGoaKQbLWTD75_ny=-j)U5yw{~bXEREo0VV2 zi{_TV*z?iU{B=$$7XNo_I4Zeg2FiCg;Xuc;U-C(f3rp&!geA}>A#qg_IS?9{F4P>s?fuCyjgTI_Y8Jd%v}B6M{YD;+TEMP6=N=Nc+jo?%E*Vhe?!4E+;y zsvdRdi=HbLv|%V_4G<^H3060+@o;0f@-G0BXkPG2TI@PMHzdzH%jTBFD4A5vnb;*1 za*tPiv}({2>(74f(W^4AnxG$=X}qQnr|z2@Q3kHt$0_)DGEd<; z2k|oVfV;cAHsZsM*v;IDpCzax-}S@SNdY~^Zr(*at2f{=k*!Ee6tq@~KVA(xVtzK? zC4yGwG|${OrToL48IM1I24HN1dck&OOkFnX{LQ5&rxyi>?gIr<=S}_eb%z+WelAtK z93m^xyt^+Lz;G4-OB#&2e{VLwf%$GN-|_r);`eOG3iBiZ0F$L<*jpqnLxRRLx3y<< zhskC(Eoc3M)_h;2WRyNAKYhS_Oqi<_|J0|&#H{(FhK}65d-tW+gS6!3y{nlh@7xFG zNcXSHOZ$BP7=BC<*Z$&ZL7Yr~!Hc41KosHtPC0~3M_tWo}D^tk`jG;TfA_u z!9A{-mb$gI%v*5-oxi7lkksVwltRjmCm242Eej0DTL^ z+?w6EX_~R&x5geFz*jWrj}9tPo1I%|#@n00wl*}n=PKZ4=9`<9aof$F=kM>E^+P93 zMM}6Ir2g}4r+aRGgg)GYb$W{b^3qOpF%zHkpT2(4k|^%!7W_8B*LYzRx$05bmdMd0 zFX+#>U{x}6_R8dCuvsTBv43fMA@S7Kbr=uSrq=dbcTa0UOnnhpS-g6N#3#|f>g>zg zDXz&a{lL|kJ~S`8#pi9eg>2Yy3MHM;@!ow0!i|N>ud+`ZNs24! z{o*e~V8mA>2Z3PA@yyNkHsq?0D_sCRj@ulB)Hn1D1uLYvN+a3J4pVQ{6^t!sU1@oy zj^KP0PmCM*Adm?TskuJx1kKT1#O1tF1o^!YUkUG=55%F>SnS=&;e>5|IpAA$cob}T zWagCr!$l`$o5L3JA3w<5n&#vpv;l*GR1WQF4#Km9bVnm?*$_{ zp0ayNXYua4^9EV&>tdsb#O1BvN(+CCmptR6y9~sC?^OBNejee~EV$oD(=7Nb z#sk++<&!^B#X55pg zQ*}OPpBZ67#NqK4dn?Roa$k>9BcrL1*>l-plq1-UMrz0Bxr$}#FLH1)zLyop8k()9 z4i&~+K$a_@l>Sq~-A&$l*L|`~3!{_aXJCi_h!8-K_#3A|-o3_#qHF(`feMg|s4a3W z`_%km++50tmTUcU(LHUB$t5fGN7o87gO0D?YzT(6sMyfllkg80Ix+zHloc71CJHi-R)eUIj=3IBXC7vWHgYla|3OO)(s&dZ;9d)6+xw( z0i)~)6QLzT&|}9VO~sazQNx@@T;MlXTrYR%AbIe2zV|;aQlZKxU&e*AT?&DfQLy!5 zl7!wd-3fu$F{OplP~i=6e^!tkVs<>9KDV_#NKR*U5tH0(Nhqu10wk8LI`8PXa2|(!^pOK;?z6%Rs z=@-7Nd-w;2109MI-er}shAoae9ymLzi#bSz=67omUh+@>H_Kk?Os=_h_u=DLBdmx| z?;=bYFH0tx?DTq^tc;$830}WgtI~fU?*DwzY(3qOH(BfyY%xwLVX1a}DqH>aHp<{2 z7wn6+-?clidU^2P{{m7-gFwgOKz~DDTDg`HO&vL%4{yRk)0UH8^xQolrGd4+<*1tk(sBF?&w)VhgXt|b>P zGP^EjB4ibro>=-#&5eFPo=)vQ-(1iyb_>I0;c8BTAUsf^ZyC(?7?rI7y(J}|WH@LOcgHz_&73yVz)eo9o{A*i1j|_6s zio~G|C(kA|qAsR*VyO-SV+GxI4ArN5Lg_?5cc+sc+_sM+p|?TO@kD<&`~k05fwzAn zIVcdrymLI9syhYqj{C~FkV+_=KA&_aJ`ESTEF78Vw;^;sKWouChAE_q+pA zZGKONMSJ9GZcEs=mp<^#R^iyzNj#|j?iI| zsjbfg(VuGR+-B;mtmrRJ1Yi0R!61~5$lR>-seL=EL)O>2F;+VfUM>TG4@|^=2aW#+ zJ^qgmxHRvs0zJwmPXb=X3^X|&`>7ohF&tBmLKKNK!RM!zZDjm15MKN@zxR#D;E>a2 z%bn>|e^MJf+rSQO(SXe_sg#44byD>*#S9eO=I>X2Q#M0#eKG5W+%>(ufygFcU{!}O zOV5q@P1GT6Djw6^edw6!Sx89!;v2%#bA!&S!Kq@4A$9JIU(W>*JWLk}J+*i0&JH|C zgFn@_g2Vl{NZh>wrsghxUWl!BiXK})C7ugzc`+{Vp2#(iAIU-D{uk-q;n5ZiYHErA z7&zpcVE-*Yr?-{yWXpt~X;`STx(DzCa2q^j8MU(UKiTLGjlFqlyI-LqxRu#wb)AJ- z+7#VS`;jA3fP}YHF3w-R1@XTGwK;Tv7}{$W3!J!Z56HhGc3(7ryw$@A|kyEr66? zYDmHoKq@;RB;bgyC(s}=BaI?d0 zb*WbX7e>5~5QA0MQxEK|8>+VvZ@l47iHIW&utl3&tG=|nxR@C2c2Yau;K>oPgApIG zueIk;SJOG}mhSGRb^hE~0t{D66`IGCe|MOs;TUw*^8--6)i`;c;OVf&?6bVbJ8);Ar$qLPZijx0T6911u?Y~~up1|yiAZf6-gIy%DPA(%$ z+*ApCLhLK@Q-I|^bxJ%M^usHJa9S(p?>5|rp#3|N$jM$KCA~nFgrdUpZ@?AJ>Ise+7AAOUbZ4cN=r_k25j5C zw!PQ#Hb%CGn&c{)H|27h_IF>;T=QVK9lfyU&dG_Rct)Ikt_Q~hmnz8>bKUR2zBIT+9Ek3Q6${8k_}UZ zBH_a(*ZK|h`goybM`SJHogT{N^F<$WU$C)ozcW90oXY=I_ z;v8)+(?;g0rY}=`4yzr?;nl?v8<3-!Qn_eBgVml-*qwqNW;s;upWc;2#hmMD5p?W3 zOvid@^B0I!yJk$0NA+3k`3{h%7A|uY2US#GF|4&CX@Jo8h)bu4sCNO&{lWg!kEd_A zmqTJm9}?JIOuF}W?sa92GTdb(as=$rEHxV{J7_@nGCbd8b~NO$(3v5qU?eAHmuRCL zlXJd|ufO`sTGJQ9GeCa&y4l}2Q$Cu5BjG(l(nF8^Yxtt>xx`E}$hQDGpu~@aGn;(& zx^v{piwO4dK9xbO{1~ScPf;9k=m`)5pWcMj#0t(lhF4-zeS0T5r)kPgrYm)VvszjQ z1$HnImb52^yTBql%?zVP$#+*&Kr3%r?{n9a_(ebqy48WJFh3rSlm7P;0GI0BRo0a( zo#I>5n9^4xU~6zfi!9K5x#d>#?n|<)%Ol_8NYpV4bySRm4ACR?qFt-r+~aGtt-;D{ z2~px<#KO(fH|G|1o*Dy}BjW4x8&mGYj!SmUXX}LB+C7(FJSqb~NFSp;DAR(^xTMEI zqB$?3o7WcHy*#NMESRzP)S|HP37M4YTExGqj9jd#L;{3J6g#1_*$S0Gec9O%kl5bDly}R9Khs~hJ zXo^U%PIEZr8-;`1v`fl}MpN1Vr*qd?$!@!Rc_nHRJXE+^{8TDS8v-yhQ7Qd!@8sOEE{H^2F07X;%PrTdA_`j(4S)QB! z3_m*;yJ@6({A%W%HR?Ylzq?PR)UFbDR-G7jY=!+uXiCP?)+IUxC$;{bPRYLccRPj8>X7fmM;u!) z)JWnu<^2raYwzb0qLiNK6Gzy@_?lu&D@N@x?^@AQ$6a4xOM3*61s=-$FR}n%;1`8v z&Ry=~2fTam6`wNdo$Y5en(DV&s+M(M@`WS(Sw0Bzp7YFC>I^WLiVKC*Z(03J z zneuJhXOG10x=-5lG`l=Gk#+$`Tzy#fvpSs}1@NPwmjM?ak4Hnn*Gd~!df^^%$cven-Q9e}GHHCzds%))ryB8{ zkU3NXynn8c=FNspWgBWRe6s-C5pX>ism}gdeSn_y^vvC|3=d;T3G>`vh|)|H?5s~Y zwnT9F(R#wJ*UaJPmetsKLymiwnNxDeIS*2#;c-%wN7~m~<3-q-^kCpG1K12d)5WRd zPW}N>ty$D05zFj%gIP?zT62KlN>+gMGp4@{0Rg5X{twqHuu@*`CQopgzGatJ94_IA zEdwI)xriK@wX+VUJ$YDZpebiIa1?v=Z!?&0!_VV}g5uhVCz5q$q_BjJol zNBRKY{kH_X^@2Z;4(L*ta0WPpr(lG`dnhoD|;r4u?u zSfU5Bb9E98rf{Z3UICqr#nlo2gaRhez<`U*#Q6bJRM_;vgdvgW+R|5V^u|{UtlQj< zpKJHq&{wCs$gBGAqCK2{12~G^z1*u+zmi(bTr%kK@) z?0;S7$@$(FJe#+qUFHO(yUZMLHd8T&9CAQYK~ZrGQA9)p6dZnc=bY!+&$HI~ z{?@b4>Yr9?<#6-4ui^cEUDqd6)r)xqK~#cux{~$=357R`wD#AMp~lal$%4L6Eg>PI zEC}g0(H3X)Gh7_u0p~;TrX3iQoymCzMtzMvpmk4p=Rns|SAUaMf=rNj!o_iA%daOq zsa+M=L8LwP|8dkqfB(KDcKfQ^nqgcT0|;(ugJ5> zH~yz4dQxf=7`uFY5LPSr!#JdKlM)_XJ|6AeZY5x#)(9HeU?%oq;9k;3A zY6=b2&MYFm%%IG|1YK%#C(s-ZHoB^ME~z)!6Cpt}6Fyibnaq1fm^`#!tx>U^8r)=K zwkA7nwz({h^kbB596bT(1{X9`-Tu)roebV|dc0=*Ww@Cc$9wJyjZ+!6ydZ4PhUKqP z{ll~JZR^(W{~amm?%I|nc%!|2Vs)U>>bXT7U6$6un3F+wQFiin7&=b5EIqm-xKR`u zt*eDvI5hdd%W-`1Ei#7^0W)|~mMM!^ZM|4+9kS%crg*E)=GADFU=f7PRb_zXh6!vu zfCmQ$jp!A<_pj_goG@8$@sd-1W^uBmdG>8eUk**w{B;^}ENHj?&I3|Z>OPYaGM1c? z- z!8SHf|EC=J$7?xsBunEg3w*X~Ag`HF=8Tua5HgXwFn;u;UK$TH+8ZE=c~Lk|6g{P=wJ^ zTHAh|d$3=l5n~|i@4J!)`A)Q`BKPOtS8)y4i5Wj2)%!+{TblZ>#3X&>LHBuuGE$fT z#TkzUyDK34E=anM!aUk;o$$%MneP!bvclxdH~26T%*LaG>UT6}FMB`AlUMye+n0rq zM>8A8eY){r&cM&-CW&%$zQ%%|rFfF|tlDkIUYL39^~~ixY==sbK>;9K2pR`bPi5a) zwThWm_>4z2ToAvV-ezVjZxA_Eg#W!}Ii*{ji5zCfcPGS~W?CV!{vLWhmAjVPV;n8} zUH81uzHU?v-V}8z8wL92BqzMH9|j(kj)-^S9|Rvk&GuM(^fo4I^(=2H;<5{GW|OZc zi61vd>FY(Lr{l#x1>OtLfTe;wr`6lCf*6kfi!^bMr#O{C8qyRjpA)oVPSx2c2jUsk zq5Q#x)0+Q@q&>aogVs3Yt82Oaz5TPEGR%rO!JqE*T{y8_krIlWQCa7BHan>B@4U+=XO} zI3D+Se#^87%b?qQDkRvM4YluRdgS=5GHSN2W5h7a*SOJkJglxuPCCqg`9Zq?~UuIhyE_L8Y;G&(r;*ZFY=9H)dFm>ArpA*C|NuN>q zXD4{UzY^Hrva<`H>rs#iOm5MJA-^|wW}Lw#u7~=sp628!lY&>*!5}1 z!lAtQqmlZnx1I@j7Vr5iis#Cxty)V&?bI2#YGkObQgi#EPBfDM$U03Ni^Q!y0Uy8#CGfbqHf>u=2 zL}8x9!e9M9{XKCvBw6p_M)kdmy98y*TO7DO5r)Y{gv1(fB(k@8z+_e0O(h_j%))Mz zRI{?N(R$fI0RJ(9%QdN(-co;{owfE0oi9VVfdIvrzu%KYYj=x}Ao!0k$UW?1i@xlt9 z8K6RNi!<|q_>92tTmEk}B6Ulid%pcXHF{Dtu9}WMuvEz1IG+2)>ft4w#!9J32Ab;R zQ=%9&(FJ_BO3tgiALl5FKuoNpMC4PRcGL(2-L8OUJmnrb!)vw-Tc3o?o%K!$0fo6Y znto)Y3K#z?QvQvE3Y74#0khJ_>nF01HuOmjVllf9oiLm4+;QeLuMCtE{#nIjVt!g` z^}?)NSbv(lih+p!0S-@^nwj7P7B3eJMW!#Y@ClFx{zrb^EF^8p53VY%7Kbe*0bNcz zXBIMlqa|jyY02w*%q{y^>X2yTnm-gWw<(NecJ|L}Mb$H;vyfiiC_#rG7J_;aYm`d= zU~cW1=k<{P^pN9HnR4gZys5*THKEa86FS6Y%EBeLl2;=BrN+bvh=CM(JezIT?EiuW z=uxR!sce8S^Lvo)jJ+d`#yiZy@w=GrZyAF zN1v4Ww*N-NL&%eFxviGaz;~(Jd5dS&3p!#Fl(8dwP3|GdGdT@kke_ixd$k4btmivI z)$_Y=>&=bs65A~3Pa=o)1*Lj=TQqwa3AMb(U+@R~6uDX#iAk0Qj`z0dw$mkLmGdd( z$sP-tyCX)M?Lyw>Q52m>8RBSx9qLvTSP)Y|=CyAp_e)-{dW3so<(M%cTmKVKDdo#j zzB{c?r9gS4VVjBg4;DC++p>1-PS>#|VT~oLtjE7m(NqufWScRjAn&QQDY-wV^$j_Q z%0zlqL+Qh5x%eWS8X`yYF$r=Fi&c(Jd|LJiuqvwbrkWVdZyE~V+DHX}QF!2PdZ_h+ zH)5}=_?0!&Kl}yucajJ8%0#P_b}S8GM3cksFJJ*yTwYp!iKp)MUR;OL)HGvE&-owK1%ju<%th>lojJivVl zRCJe{^)b}RLr6qbc?2M6FzVL8l(-DrKS}r+{C#T`c1dtN!FH>XGno;5FNK#CgWRQ7 z-%`gK%VmS|G7jl@czrp8o-CMdbqGri;^!sk5V7B?aSi;#;*zh z6lbj#>h3P??hbE^>o;pwMYt-_fu?CKTDPB9b}OeMx1m<#GAuF^l-X*`uzY3$Cuxzy zpaow|QU7jkCc%~}yp_{T^Ov)Lo-_5O-WMu&QiI`nxI83aWkfE9+G5OgqTa9ttSvOk zofpz*yA|=!te{y+N#FK((<%EAroOYo1PuFrx(3=wPieJ~LF^7lxGfum7y=&4%5KUq zg^*ZDgG)XGx(E4QPjl;W!J}$s9Z{LlEoM*vS{)t^ zUWus` zdAQjkyWCe1Z>(s|iNvseR&Bj2VlQfT(Qx2g6iHOLZSC~IaU^u+(9$nV!7f5lSik4q zNmcR55-rj=q)<2d>zpU!YKNw>o9?;GO#bL3b2M6Ew^f5kTpN)(m*qt z%V^CZhW@S}lSSawfK3`xl>6lzPg1@y_!AKa8a%CCw-6aNdB`pW7`C0GB?A<4K#(Im zzV`QJ>a%zMQNjae4dBw=n6U3kKBtzb7w@vTTQ{pj>jEZcoBB32z>O>LO2%2ftF+f%0XwdPx{_uVk$t1u_S5pkm2r;hio>%`nF>4Vn%9no$q9FP_Bh)t6qa*$z%coF zK&)R9pu>!l^b6VcZ5Oa%yOEtwiP&4ryX80^D=Tllo<{G{rYbt|z6y2`NvaiT?yst> zmL}_6K!m;Da?M;h!6G$TzrOvcaiPDq6r{wLE{^p;YJwk1M7!r6RhC0_cN)wLE=A&} zvUJ9c#r#YzhdD3*krYEjigtA};!Bb&ASKK3;J!C(N)$2J)(*9x>;Sw9=>IU^-Cd!U zve`RtQQ!DPn-dfDRxJ#&b#swTuJ9M-S7l5DOX>zyy15pxj3`J^wDD_>Q~lfNKQg6d7F>*MapjMxy7B`$&(DN zp33I;pw;s%Ip^sc&IXpSFqXr28sXSV$0L%!&YqIqbXO0&#*(A<=(39R^577Zppy4C zc;_?_pBzo~oMnZRiznKd`9DUZNXBCE!WSRL+03UqjSo21H~8MAI(}EN(XUQGdB+LOM^+oZ=G7&9 z(uxvvyIW<)ugr8OBG(n0-^-DH`HvFb2h}&_z{o{2Z6B5P>GL+M^)7Mbfr1o{{#l^p^BT#^ zV!h03?JhE_`36%! zk?_t2OBtZ?U%#P06%*3+pP&j_mwl`ylb`GD^xc4{2gx*!C%+|+JcFROsBJUZiU?Rd zEbtW`ou=d^91Q0dH+7OJ*9KcdZ2|XLl9mS_kw=a5t}P;O=5a$?pLT}0%yTIb3|n@V zOMiA>3E*%0;Do=0lM`JDYT2>vdSMSln>;^l7&osxU9W0Sl6qn7de#Nc;u37b#35&R z{pb99{WdwmCNN7&MOsL;HdRPb53kpCQS|mo0{pc9?w+YHM7_)k0&lJ;mraT2T)J)J z=!VS+eGqSd({R?^=w* zc0m!JT58p&FqWflwLj&Hu>!G&?7tQ~NSCIS`|B*5n{utD$}SdE|LIUXX2qdf)5@*w zmloq@-M8F4Vc#uuDDtTqcx32hXgcc3X-QKZ@D41oFV{Cj^d!K>shpcp3=g=eU#I;4 zStI>N((xLK4!-)<7SRA)S!(_js)>nyeQIJ%Iz}u{00dymYvya{g$inE8dK zyyS)~hmxDdW8Dn*t3aO>_1B~cp;Bv9j!O%ipD|S=tLFm1UtWyr$c_o-$#|E z!b-62oMif~&b8YTv6xhG+|aSC>yMa`i0#USe(OQaeZii=#xph?Z`2%h?m_M#*F3xJ z%HIM;g|3?>EUUHlN0jLo_i#7r9fE!hgA^k@bZa&|b>K}ONm z?YdK!#h-<)AF_$j+l&Nf^~k7R<3 zy9I!BM@gN{H^;8DXh^U0PehDn!3;c9u1~N$cALIqw(QyhT`U7t;BkBxPRV*;({9M= zK`+Ls)1zJkS6jTQ)6|2{3eRlnd(zya5fxeeLm!{EFo#K#AGGjZzs4C0M)#|Ru#}H& z`5UM5u8;cVnq8~F1q{vi!24<}c3}#KdJsb#c&Y-ZREq9ap$-(x z`>wN3+kiWBbw7O=cT9UwZHC!WWdL9s0c6N=1)8PIjB|EOJ_#{so;NN1@Vn7Uj0TR5 zH({3Gav~MJDAawPEP)zC0zF~-tU!waOir080rw`Th^*#mO>3iyxoqHu^bY%;$1ZaV zFH36aYrrK5ZfYwtQ8QZ)LYBSTm>qo&4L$0WPVu(rH!U6WXm7aIcQQfg6Vp+bQ1x;H zT=&nr>!%ygpVi}E8QhX3q4a-f17g^sA}x7JV{T<$SQ3oAR};v|2xj|UJMniO?x8J* zF4z1DXvqWm2EA{>-P|4>AfXh6i~8Lb_xLK9)!EQYwH>DD0HNJmtHMO08GwZpsxvuL z(?*mF-u`kZsH>#(!_+`~L;Lb#vke6GIe2b0d!jvtwA^Chfb^P^g#9q6dLE+N*zlsw z;xmCEy|o6Vj?r}v)~sLn>I6?9LrrFxL2$^q8kFn!LGnCnz9;#hx)k_OL|O2m{dE*H zcGuLE#iLaHWm{2EV_HL*z`c_XJj?vRd$L;$dHsyhFALmx{F* z)n&@m#w@N&kvjFRSM_qKK)_3@xE%I&{Hyqm@&Vq~yA;K4qP~d^sZ+Xm>P7pKTd<}Y z`Egw^a#?VU|2!hZ|D?Q2#%)=QKiYM*5Rfj4DrHqL9!0LZV_6M!Oo&YY<5tGheIH<| zDkJ7c%s-~-%y|<(sxMM}eAb6d=~e6e^?PrI%P_hNm;X9w(mKI5RiQoSZw+U>QvO*2QTyshdFJqakPD|v zPU`KJyy!1^e=DZRcuPjjrPgLBuDco1T}p_*!)7P_DReZeI%%q?T(?u4+FW_HU2}h`Hrjq~sIv02vIj#L+tu>( zKA=dWjpJ=}_zA^9al*w}CYLWn&qD65zD{H$L)LoFMeFT{2#lpmLQ`7b`ewCH-Hll#!2i@XU7L#qAQB?X~z2Et+zr>Lw&X!U>`yN2pL9pdRg zLw0yAo;!{B$iA?*Cq7|=OsK^*N610Bw{rNp!96fm5Xe(&SmetohxyjW&oL@5{|!Xt z$rpmv8}UA%hBT@A*+P-JKD>46HN8IQgm-k}6xIT)Q>xR?9K)(StXA_IEdj}4ahyK> zc%Ece0}S+5Py991HAxXePRwSmxU=(GT1$d1*TlL8wa&LBA4*^|!baUr6+1X7`#=gFWoGwwgLNTkMX5)LB^@?vT zO6`^L?guc)HzgI_015~p1977?GPE^fG{P-7UyVoQ`Y&9V(jr!tCT+elLXz;aL@QLJ z>u9q)@21Z{@s9ukW8XmHmkNr+MiPauz3*19LQ?yrr8!VLs;tDoRs8C}(kYF(R(G`_!G}e4YLTHR(aQOa!$s*7*$m4K?Qikz# zS-q<=dK{7#SPDG8umN_1rx}`Z1rTSjkxTz8L zw~S^TCSu>DQAP7%8|RN!2)3Th)3=lE7cK*#bv+C?Fh&Ti3s?xnlg-0J}XViUyQN%$yE39Dv?p*CN_sBc`|F$h&wMqD+XM`TPk#Jd@UxrT!?VBO z`a~alE;=5}VtM&dZcm42wc6LsL}a8-j#qT#<)0_L&`(hTCV1?UVjpFg%|WEmjj1!; zS0WC0(53IIct%e-#dnxd>)|Su!zggyp`NL;Kz`3=gUm~C^Jhw$l%_VePW>?cuv=pC zxMA)`j1}Bp30SJ#;Mt%OBwRX`ccX2`A@)gmB$lt_qCJyFdX=O=GgJ!zz1O+Rzv~0E2=khib)<2&(%L*y**4-If>OYia?fF4X!0$sA{e^{$*Rbz2^xCR zEZ^x?-zLAs^tPRi{0CCb6+K6NpYL%MVI$pxy-=|uY=j_~M^e?!tojiW+M$1)W#O(( zK(+cI;cf0r_S+ftXG7a}Tt`?B*5a<3JvguE8T7S{P3w9o&_A~sb!5w{Q;))GZNHHm zJO3@5Q&=JQ2H`YNd>{S+Lv(PlkO4rP%xkRkXDRJ(Vjivi@}#WhxAt964yF|?i8?@7 z9hVi38?m-Nl1>$cHQ7dxH3KH!-Fl{P!p^P0KQqJXEY8Y}8-Y!>6-DdTWQbWm`64f- zcHfcgN;6n_N~3hgUNhP8`3>@qjg9{_k^Oe23v&hhg<$5`&eVe@hOlYwroO$6;rC@= z=Kb~nvo4-wo*-C#SwgFNWLnuyTy&%^83Dtq=GaDY@0k{N6>ejmsv2e5E{6??;jkst z3ZUEI+?x2%k!DB)@VFU0g^h~yj*>cBU((L<@(!A}hrJ=5_{7TMM(X^6@hPcI7QjP) z;62tFA`q6gi5zsp=2n_C2z_oXv40)NFNEJmpP?$s+t}G3P^+!3aEM!H*)Lm!`D$B1 z1;hg&da{~^My&bhGqJd`8rTt|UwYtlk_-IsNinVnj;-xavUyqZ*H`=BVA&=459C)` zue`m0`HuNPT=)cK797C|Jc|VFf!K&o>do5IjT{GeBPlm>q8Pt~OuN4qmAXE0w zA3XoMd%?))50q@j{#4@8sf5l~WbMzLHw%+W2aC zAJy@bw_E*$mt~aY$9;XjeU+4)J9{@_OGp~MBdsYuU2x=lDvvs}!V*>!L%pl`SAtVr zUVZwDy8AMx@nE1SpYz@0@HcxvyJ2F^9$mA~O6w(Q$=an5gZGQk^ZEgHSeYNkLZpwT zEJ0qLAtPpUNS8YI{d;|7a62%DljIQ`6yMf-Tl|#eJ|hLVuhy>HaVwdhaBarZ79W2E zt=?c3B4f;ip#xj2c6~Q|CqUjErg4GMK2=IqIB_#fxOiy*%rpkx^O0)txQ{I6A>y6Y zf9(RupZ{UQ;<;R!DoVi3?pt`nHC_x_Wt#ave7ZA=ce$Opcz9CuynQCV+cF)z*8uBo zvU!i532K!4WiGZMZuDZDvx;lj>-;DXihspI&Lktb@#Laj6JIV07DP4E_Cbz2#5Fe? z0c#w>21M%}r4y`Wx1>TU`{8~oldfQBnYvS(L z;78hm(_hEX<6^32=3i~Ur0D+q@9(X}t4j9}^c4oLF_1y6< z@n~#IDsT;tSD(S!R9!uPmRz&3t(<(GqA9<^EZ3L-9i^*qit`Bqf*=WUSRR}O!LYKf!7k5o;qbr*Hih5EW#J!)!U z(-v3p_)OsR&CL2ARxt6u3JjV7u?h8^GEkD*#@`bGbJjt+#F!81>9t&NVE6fb?*Vwq zarVI&T@bYKc5UtE^3d2Arb_?T?W!-M_%Bp<18}p1!KB|Iw1sWj|2s*v^{^oto4(a2 z4wzD3ea~UmNAY=QM=z$6S^1=J?loqsG@fCEEtFj79>l9D-A~eM}U+(J^tv= zGEn$x7Uu?cwFhn5eTCmk)wb8{xTb+uTAN5TG|q(ZohWYL@F}&S`KZ<%%ySR3e+8mD zyk_fSSKKY@3^2NP-2+rLVZq$1mi^ab>hJrRY+vb+HGSSy<{ERSmqQ0zEkuLaoGExb zM*K+hhW`WQ214ul{V{xYG;#@NF3%vY3P!YNR&f$z%5Qp%%stk{e|^3GF?jG|>J&#fy#fJ?GZu}jPwQpI zH~8Nb_V;h@y4dG;cx_-qOH+v5YR5&L)eED9gG2_tEVQLVp4pNO((?_vf^NEM?ZNW7 zY|56I+~8~a<6gtnp&^G=J3>UJYh=z3Jnn*h(U6Y;X{CkU>V zR2i2=!1ed{^!$kcdO1$ij7z&ec8$;~o}5K}ZpIIt_C6_k+~IiKbMoxerB(N$ZMgrj z#-`_DsJh1kIm8B6&!r>_C+^b@NKJ)gYYh~bU$3;4PP;wJvznS6XfbyPvvomo?Yc!% zrR25tow|%ifd0JAJioAfe$4L8YYi+*@T4vXk+u zOz}xQvU+jix=~(~sGj+wUbVO38VEw}iBfp7 zyyZgP=i9OlGaY0J{07;+`gd{U* zAT?mu4m%C6ywdanC`5arX_1;{sk{*BD~#U*1{QvJE&pDqO->IOX)Z%xT1bw_aYNj! z8r_{}jCCe@*Ec-3tlmL5TGC%#1g-d-Jh)9c42`VXH z|9FFT&`52Bed*Nw{yU^$eWeOWzF!|sQg&Yu)bLHAc10kp!{ahl&^>A8>uV(-l$ENl zv~|iq6_z0RN9gbVRijY~B;Qz84T9 zREl4y9h?HERd~9m8G3mfzqK&(2S?=v>21wKV5fGl&0X~oa1ep_xeSh@`)f8;kf%vn zY`gujDX3TCnEwaAdv8zyGxoZRcEgCh*{BB`cYZ?0XZNm;eg+-O#*U% z{{#}N82z3NIJH=@n9hWVqSAurjlQ&rD$R}@+R9Bm$!Xv9C{cQvGrRFz_2|6DHWk#} zBFpv|@F8qbM?M~$z*|ymi&IJC^<&?5T~izG953V3q$ec&lw=c@G0Zx6w&>?D`{cY% z|3QGjHh?#xIBBq@o0zfb+7X@FnFY&|-kW6IzH0#AA=NY9rbG~b4q|I~Lyq8@4{|+y zU=u2wA}#292(uA!Ab_oNn}+)#Q)`eHOnpKlvNDhBc#J?rrW`LK#!B*S0Ku`Ab_5S1 z?W#t+=6dFC!{@5Lsz+5cfS}c0^x_eDg}6!vGvf-o3f9nQ9cqeP#Z9U@opIyHF^(N-`jePiYDjtX}$uC5%m zN9J1?kp23PZ}0jL*rA`5@P6O%8SOdtvEzxu7I&|$M(qX4nA}0Jf2UUkG{_pW%!Sly zGs8WLfzzk@yD6!@XTD%E8(7H`w*%Nv_&MZP#+|2JEEmm{3?|o#(pbWI$w|g$@xNUnDNS{9ql5?*R$WWUHL=K%-by)dzAitVOsV0%qsTDPxZAx zc`Ex+0sz0iTFNr0-Qe1xHfqPewMi0p2bh2Xy3uOv@2uU;@x} zz@s~ghnV-6h1>PI#L_NEN?v@K__i$Cb*s|h1K5-tu9h0~VOjx2`tSo+%0%p)k9BjE zVd||TAa>g3G&qHyWD)K+4%eA+(dx7n?xKAA3>XU+ye8%$z(yxA(471Br~T+fi-*!? zjs=+I$5~cmKW@ZVfQD}@5T;fyn!4>GHPV(5G`$uN9eZLpOH6^MtJo|s7o+-Jy-N42&xA++`DU`5`~4zJ87 zo!?opYZl0JhY5OxPb6L=m&*kUoQ&{;%s~vD$RanRPr6mX1(sEJsVbT`&(oqqknte2cn`+=muCqr!`~o)wRK9s33)t&JBnfELVW8 z4-8Iw=cR?o4BH|GhEO_Nn37dz9b-}(Qa5dCzaA|x!%+Oca@Btqe4pO_Y%6FUI3*TS6>n7zAMXu)BP8=&nSIQtDdi6qHjE0(Vh~HLSv98{HGlNFr zyg^c%6zkM64@)R zz4cYW-ZY1!q$MKQ3uH8=6}4#kb2A?J&LB<@4_BLo0YKvFLH8!iT5E098?6c6-fBd6 zf6pLzNYag+VLKqImg&OO@YPu1TM~8&z3QCjb68NS%2?~KfRZWsaL@3SPq(&p*lb^! zuaBkk9haVQP8im-s&iy3Ov%H`2^Bt|>h&1;!LTqbbN-z>2n|LPisVIE&PXmlZs2*K zn89ttlp|rQ$y0XfbFmj5TIsBJa%+mca=5W(2ibRp_Yt2k?1qfG)9kozXTft2n zgu7Q5&%IVtl8<_4J*tNcd%M~IBT@@KKO-V7UvRg+=!ftlkCT+i3VefcDb)vOBx$sj zx*(tU$}UoyT5|Z?iaV_3{a3?RBl88Te(DE<5VIIq;1x_m6-8<1+7MioPFQ9U`>|h< zA4+>W+53|F;OV)bJdpqMi#nC1t4uEW-uxuTjf>${RbUvLP7X6lg-%tjLCYR|MQ*z) zR=h1P^^btWe+eTaPAtyG4wzNEuH26%HAek!ZR1~>#~0^4Z+z|n5|f!6cUCc(Hkw?s zvhSg$J|>!Fe6|-KGzg_%&W?m?HV%Yf5{HuT=o(_JXH&D7o=?J;$OP^?Weh{D$oY@q z6KaauCy_U~sg{Rm?a_ByCYFH>rG>hHiy!U@q+p&4Bq^jY<#E*;C_Z`g%N<#B8oN8R z8>boh7X@q&+EP_iyF!a!19A^U^SRH zkPvEMlyL1o`G#yj$d^70Yr@>Wh8n_Qd$P2=qF%&+z1UpKoqvMThFq9(~9 z){ln|dWV)kB>0xW5oggXRHTOR4Ce>?5cXD$#E1?MPL!2Y98AY^kBpfq&}h+CA1|^w z?l5dqc)5iv^uzF!V=!g#N@o(+xyq-&vKoOC`^dP%KXv$W-hq|#6{3+s+-!Fa>M;-|DX{F(2%N$M;5$X~p4JKx|ah*%?2Pq4oljhqOKu?yY`BcG57ZB-(VkQX^uCM4S45LdL70ix4?3-Q!Dc#k>4%IS$8;-^%l>UGAZHuX74uB^D{*{8c{*BD>}TL$w_~ zlGqlYM~Dxx1p@BywKdlV)vRZ+^og}dCUd#Xx5B7=m5T`VvM-8*XD6ly)`_-3*||GN z$rxpSk?a1El zrhqi0HKneN{6@hDd*~1@F8QnRmp$K3wb8oX-SYGRFAZ|b)K;DcBm1wctyDJ4$lN!* z%_N03U^>0HtCL?j20)iuyOeKFfz|Dad9#CC3R){17P3|cQ3U^?J;s9giP!$CxT3B> zoqtxBteQP)|Gv76z3_8W?B{QouSOLB_auvs^1S0>y)KVYw0zC;_mOwV(ZpK!&-#oj zWHgRh;rA5vzm}s4?cLdId5aSU3n%qHm~Y0HMLRvGtW3Tm;{XEvPbg|dY_!@E)nR#l zCN0fQwM_Ym5&xuo+j4q`{l|ePo3$gie+yGhA5vE4Z6g1&bch~vBMNUU9_lgPpvxJY z0-Sv{6&!h#Syylw1jDut$4*WAe-aKc54}=sdY%MXYmZ(oQlGVxZ?MbeP)CzMk~LtJ zIJiCu#X$Wa!UFv;ZCdN@gZ7bB`|k_X(kcs8-|Q$_5)T)Ab%qOFXcBf(YOB2H?V@Cr zcRo#QCEonXd@S_jj@RYZyI`)o?^f$L%sfZ+H1G55$2K~t_J`qMC`_?tmDYIDab=Px zLXkq++h&qF;dRuth1Kw3hUBZr`VJSp=s@RLFH) z#zrfSbaobsyZU}2Zzg6J9<0C21>kLpJCcBLl`I*;>=1WxF?NBzNMN9(;)6i@IdS0& z!lQQSp_aCH;x{2@-6S`oW=)Foy-i1rp*Z`=1@E2fV~k!58B>NE^^3scP;O><22HBc{`2bRb53b*)I{3OnXx|M^8)Df~GIm~}qHX4c z6ma|M140#JS(Y=pPOK?;SW=7@FLkNs1Vp{*U#+OBs*>LNE>Tu)@8v6(cQrQFpS_Hz zvM>5-dG&Ku=oDtIvtaXu+`3Ge51lhcb~c7GV=$snT)P|0X30KRS3EjFnM|V8 zK6_6wWnXuD%#;1JN>fOkpC7M@nyIe5Ci3Pzar$awp&$(kaL(Tb7 zZ1nOMrwZ|H*?aea4DzW9qr>CjVy7c z^!fWG#*P_$4%g4U<&WOF{M&vDsz}m!q26SMmYXzTD_3EMjst!`us-U#d_md0W>d0i zaF`%0Jr_M>|BIDvuB+e=$unHBApcI;w|xBUThsFXPL=Qxh5K)io$1aO%;W+U`hzPd$De3LX$)h=f>&ddi z-T~E@Ht;@mPIcNJx)U|Dxf1vN-Q)CYtqB)3DQSl*h=Jg7lL@n^o&F9@E?y#&5$LIO z(bA(8$&rDpTGlC=F9piE`672yM8;jJl@s;WbC+33InMmdx%XAZ^n-kA%f~*Y(^a=- zP&I|@+g09KdAA#gmv*2X^_~^|P>7BajubKS?z@(@O53{7Hje~{am_R6rF&0xpIzfV zyGO%0io!e}fYP&T)o;xNOQ>Q@_Iq5#WDp)6sJ$R@5vEtpRqP+R!s8m??5)>P?U}(5bC=T@1J$t2(RbTp?@yp;S2mq{{@k2$Z#qpUe_&Gm z{YF-y6)~u1v(Wm$ulJE9W0Gdoy|f0H*~t54WT)pB7wvL{X4Z*{oA=aFi59BHB^D@t zUNb@-=Sg^Fe4C#$>=thzMLKgYLHf`1ca4v|)XN`~piFnG*`FL6e58Mnx&77FP2{bK zPy==Gnk(7e%i6WsGlj5xMy>a8#w8ZLE>pi=)~`jW+YkmF@qDd(%F}YOLkhitJr4po ztc+4tG+fp?h{apBT(a1zZ6+5kS2r2{)H~F@uv#!Nm?{IWyCUAx_vK1BZEZ^7jMM>c zs>bc#M-;^O?VWL)d)KJuDOc}LJ}syGHgGjYAyvu1yQ@8H*x>^GQywfKqJ^BYkRO09 zzIfz2yLZmdE!JXaiS$%&G7+SjRNj0?YhURRRQmoC2-dejn+%vf^hcA{Tu}9$;DF=D zZalsQ)!Nv|7G9z#A6y;;(qQQ`Ccdp5|C>xBrCw^8l#)r86N9dC!jj z_U7F53)w&VwUe)YT^6)Tx4jjavA+2G4sR9>+Ur2qFIAFVz;-p78xMTQKJ)64q2`8* zWV1tM7%Qk|4{~ygvmd1&gLn8rKMwXAHA7Iu)n=hHmA(seQp8`Pk86D?{&Q}9O)_^> zff(#+aQAwffy4dfojA~+@BM9H7i>({erd($*`+N_-5VxdIdu`yq^YqX;GTcXW*Ps@ zRuZdr7F9)<00pjQkCVl4Hfa|8RO-dLA8<$sSV>sA|11-fB`3oE3j-Q zTFZBsyj=c$>~ro=FtK=dNsum@52MLo$-7wTdAUB@AW*6)(22 ze(2OcYz^)~F&~$}Z_MA7$tKQ8ovD@s!PK=>g8#7Je8%=nT*`)V?6M$OwttgRuh#g^ z=gXP?l<0@9Yi9o+VecKyb|3!#$EvnUI;l<7o<;3ht2L@cX>1i#1+`*@P*7r zu~WA>hY1ETKmEab;m^B^q-qdZep2Hmem>;J?)&cWA@6kF!I7Ub=rP#osLe?RMJH#? z?u|VNZlwZQ*+f&tE9P8(jS$0p=I>|dS&DXuV1-m+SR0AM8m3Cr&I$olvGR1`Rp9|_0PRu+mLzIj&#nVt*S8d zp7vG}yvw`+t3f_@xHPD5cOx@y+-Y-9edHuyw@-f%(fYiiE5~oO>mOzNVV?#MR5AiNpS{xa^ztuBu7L=a~bI()s z#-Q!a$&FU;wKtK~EpXrC)x)D-oO?;Cy($yg`M&K#AVaNc(XUTB3?*EKd>O19HY4~hlwaJDC1ZskGy;Lbu~46JvY8&-Rw?JWD3*LjGk2BU_%WK*UbyV`BWsO z$;CdBu5(@CiL)Jv=FE|=RN=`p)K{3cBdd1*IRJh+;r?qq!_7Uaxa`3xv~Mp~1PP8B z5bE`H$a=)f;;$a%Xl7+Q{Pwzx7@f>Pun*vsmG8w4i&TW_F?S_Hz{#?H)C1}zvRgbO z#qWadwj-JSJrjuFzGXHoDG7Gnv>O}?CRmuLw?GaP;GF>Z;q0HYU+zI)X#8KI-Tur9 z{!f*$!WJhZq0f)o$!_|6+4r|7{3c5TAOC4P`$CS-dO;F<4$Wt4{vuWM9&YcPrH}q@ zi+hSEV~-vjKkP$w$ynUJApQ|5Rd3lW}KODZ0dv&hz+Fjmyr1{a9xqWtC=Kgb7?~a0T@1 zPA{`k?pt@d>oR{#J&Rf6ebQP%mrzTtWQk8dZtoRI3&Oi`Qat4>B(d^6f`l zc;ca1Iurp1-`X{*7=Ad>; z2u^cdYzQwdd8yWb^aISW8w7UcJ1+`DgD(~?T;r9W9(ZLu(`@!p@03yJ_^;D)o$uPl zv&5Cv#Sim7Ln{eY~Zj;mxHQP2;n%Hfjsg`4(Dh*xnK{(DGy- zf>0!UAN`VkFsx{s`i2zE7f2{bOx}g2&Udm(7Opk!!1k_%l2(kV<1=Ig$K}uw0_+Kx zQ7A==F`9{%9u4z2Nnf>!1WW@{6@4^^Y{GeWs)xoOA=fbC+10ljrGUUIg?Z;3QQz$8 zV`Uu%taoZmvGb0=@JxaJrcTo8pJw*s@3eaV*1X2fS=j*GWd0H9mMK}^vnq#`U~l$_ z-UhGThC>lF0($U#WiS@ipWhHaCqwrsu|x@HcZq@`~Cir@Lx!_@LIM$@tL2( zBxZm!dPiQQe%NkD;$rmbw3CdFU*CTbO8xxkTl%1M)WwI4TmH5(-=pG6Z7wSb`#s(G zN^1f+`WHS6Jsmxf$Yu6dNf&ySdI@-25p|$9T4mtZI#p__#n!a;=UG$7ZcLNrbu=aH zJEZ_fk+04Uv_~Y!kgA!yG+lF7;_auh00H^k@=QS+xj*YxRb*&7#phK&EaDWyXS<@6 zxm=xkrL%of8=NP55!HNl9|C6mN9Xf*YLexr_wGc$Z93)m#Z?_2$9eabKmGV zZ-{^qVyVn$^iRUw6EuT#Yn`Tl2XhCWUyMQkFWWzQ)BR=6Oi!g;N`;Fz{GN_*08m~C zfrqR<9y_|vjfbZGuqXGoV)Oq?c(1FOvg5S_V1%38MuCSP+uJ1$RR1=!V)1}X=2Aah zW=*BxWG8mdP@|s|nme+TXxX=gN^Y_LZrFJ$V#aWx>OHrtl6`0fLFv+s-3m(pT&q7E zaIn$@k^6R#E@8>Jp75!;rMw8ZGxNQHWv{IzKRAmTjNqEQuc91wa4=2QV$Nu&eRNp> zVnOkjJGGZ~&B5kpYrcC_*Cz=(&*sN2!+)U$ok6M6wZ*1ysx-1VhwqQoyh3Kh1>jPj zh&Bv`0D?kqZSM@0%JrBl@fFmVl2y32p64bRv*8|(n%uUMP&~=~dnS$*KizA4y<2}C zypdLLONc}7UCqbwM+{BT%FMVC{dPp=Z0-F@;X)n!!`-G6HosfP(?TB#?!!)HZzfuV#wHN+FK~fwzrzm4~t#*LvD*gVRp zw&}*nO-|ER{;&Y>6~-{QGm?4An{n%S{G5DUHuX$X=`6u;HEmU4Rs$(!^7HNM3u58= zgiq@7yx{G_V4pc=obO`Ab>hvS$Xg*8Dd&~l@St~ag7fz(eP2*z>gz8}IYw_e7I1Lg zI5U?v`N62?YrK`OT&lbt5H9Kbs&n?Yfw z^Jk$HPzx_@Vc$P3zT$AaoN$$;E<&LpN%E(K@ik>7yv9*6qoY=s)-_^ZZ`R>h-%NmOtp)wtY`F~`@X6##o!Q~vt>I|EA{k;q;;S&L18e%zv2^~SsJo9WK?P@ zd$t>4bzZznn2V;SW87_}K249nY3vdb;x9B*34mQ;GYPCoCdM+oG{To?x+2dYCUc@Q zIH{z3eD(dxyxsez%Ez^+vF$P#P=6BVR#_CM@j#nO-8+6kOAa*_x4N}jdD*6E3P9Fh z?Y>i+^?+*%C zbVf?(Zz_II_qqRGWy$qV{xyS3#V6J0fu<n(C)bf|GvT!k zE;0m?l$2;uXJ_xttD$9X1s*sb)bhj!<4$&h1%yR;+F$))uauq4eOjp`?0#yuQyo)t zDjr~#UOM0zd*XaMG$M9K-R9Q2u21&ieQW_?tTtQ#Xt^-Q9;fMw<1m}JJ%dG<@2NsZ ze$7#O23jR5glgPD;tI-<5*kfQ!qDxhLGpV%p(O+@y6+kczH6Lk_S9^bGw=ha(g86k z=H9L^n=`EfNP_4uXSD#;3(ANqflSZy;>vf!gV)2T#ROKc>nkx?>sk`%$I$2$;(hhsk;q-HeL3o^2_FB7_aa4GPuM6126dEuzBOV z;-_+UN1G^~0%eP77!t={ZZ?+f`9Vfzs`eCH@#Y#@Mc0mCDh+btt z*4u(3XeZ~C>C$vBxtejxlD_oq_8M8tp<+ui%a{WG8Oz%6^0m#&w&gX6%UstvmOTlY zFq2kKS>NL2@Xt^+`$8oOmr?uBAv0d58zw5;;D7uMGJ$y!iaZagmk2pRU_j6-rr(td zvD{_)R~UwYv3e0)pP;L!X^)FnIR#e7BWbNm4>r zcHLsf|Dcd1OJjNh$w69EzeVVjrO&7F*I`O+o%&8tf0CPbP*w4g<3sN?FKPTO+r67F zKO|=&*9PoS#eI6?$U`#IPnEf!4kM-o&lcl;VH!Bm6Mo)$ht63^ao^ct#0J}=ods2Z z4dHO)Jo`QWA_ME~-J!{s&q42|P!&q()n0*(Yky~RYqs-Mre#2oKNLm<5%#Ov530Tr z#KAD;z&=0#XjDI}c_8{v2Q^V2(YpN!q8+VB$Y{ooP~R!rsWIta@ONoMky}&zIGqQ6 z74m42JhcOHtq zxu%SDaJlFN;ALDf?=|asbnb#4H^BRls#B` z7=5aQE^j#$w|m2DfpewPP=C%Gu*x$fLXMsIU@Zz~oIL@u;)$xjO`efnOCsCn;X;dgu!bdrV%Uw;r`XG0y&>;cGyF`mJxZ{v!k*ZSjKhZ3*V4A$TB zX%n0gV6+JMAS}Dto{`hoXO+&ChfQNH26R$HI8cU(D_b{v20s;TJ5Ex#n3GxWy+Vk! zRbSR*|IGsO?aH-K&%$5IY*pV|y)QhvJLx|BVeX*Ntmm>y)4aEhp0K-FfW4wURL*~h z&m1q-f^$|q?)HXDU+BFljJTvt(YSY&Ar#=kwxlT!!J12~TR0f}U@K|TzJ1nz>! z)9#pBJr=&n(`;fnX$950#z0r+vq)!;>c|htv7FB7+QpB#T@1A1{vduk`f+tF_mriJ3#^z^Qn1U3|Z zilKJSj+hIuYKE-WML|LUnk#YH3gAGHPx|uAV>8}nPaH$>;Ura0fnf4r^yp~5FxF)w z^!h*laUi?b_t^BWxGKr;e0s?EcU^+x>o&?MkJz>+d)Ie3^A&A08CXpx#}Uh%dHUPt z>}eRrU5Z|@{x%a(?<%I@H_X4o?^(K&LaN9iA-+IDU9*uM zneU=+;SuigFw2PFN+Zkpz{n`>xJp?mnQinqYNezKS9=vt=5SP%dn@2Vgz@AE>B3^A z7RoD!^fqjZ25-iAMGpmPM#D~1BF;8$FxxjB+KCB)qx$ff) zMe^~N$hQxhcB?~>D-T8`eX${VlFQS{wYR<|U+GetI}G{`AjY>XOJ}{j(G6o{w|?vE zyo$>l<{b=K@Ht@h<6W%fcR%eoN3JqtZ=I2P7y>lY?IO$}i=r9oVGPo^DiGgyv(7_r zDEp**`g-|M4Nw?V%h!^`Q2MsP0O5!k4*o?HcPFhYqYYZTOpDx2#|0)N{xTjYV94Os zVuQW{PY3Y_4FfU@bOJTyM%YKVxUN12u$(%G1LjLIJ}?jecz*3^o@bCx2yQGOeXq(8 z-=S-tC*~{{#MEwU+{&245!3-zpKdOzrWCqQjpUA(&SLNK$2D{JHSGPe4{mlG%Y2zJ zq#km9A~y9SKu6+SalgCD1y+&tSjkl9o?61qLZYO4Z|zoD!_d((d!A(Y@>bgL9j2MG z^xwY>6yz=J!&qdBtMj;zHG~3DPuocr*M>+ z9`yToCvYXX(5quS+7qD@uQyd#iNh8R)cZsx%|+eAR+#XYC*bn^ygqC`9al_$F1Lm3 zeloHq=@dg3)*s{pK=nV8HbK6l^SA#}^-8l!*8*;A!EaSte~ay@o^dIf&w<5QPed`- zer0zVm)zgpSJ;5J@i$JIl;nDo_>FrNnVmG4cO`8G;CHrY$XA$kYI+_@$JjM3@V2Mu z!2hZQEhDXM$%wxd7V4r#RYxkf&gfc8+0-_0DN^Mq(mv-CLb0WmrR{1Ok^Ps;g2U2g z+9`-_8Zfpo)b$fNo^~g^J`lmJi<{iG?5@@Rd{_J@?iihPHtrp6H}+#Qst!Byz$^Rj z^EZ*At2&`d2g$H=jQa^Z@>=Z&A$iFKO3e}b$5PK3-Y#Dq>rjU!|IHf3(FS^}5DOQT z?{~wM#if1!dTyd!#VnF9ycZ+q&9i}5rV83^RU+d!giNfLXXj{}?6H@y=mT+h@22U+ zOTg{t#v+v-s~Vf;Y8lK23?z$yf)L&89B2{H^Ux>>P|&O znem_2L|TS`|H%Vy>97wc1KTW?4iWOdqLAO|83+D8rdVnr^gL_WLNo3%VG7X36YKk5 zWC6t*Zk9bLdUlF1E*h5en|yow@gD~M_#4OC38Ih=$|7zct^uC69$N%m$hl?+V^-J?k>3)i3`@!h6;ZZ)iZVXFb?{r*=-brArE`w!bPQB-<0Rc})tzN~@Ufd4;uQSX_7U#Ti z{?XF?V9ck$h1pZWn&mCm-m~d5;9{if{#nBC9ow~slizL67UO;PZbbWnQx7f(XNBt+ z1AKoLS`0p9!^|w@a5>D|y1{HbNaWIIx0sY>?nUuy?Nx-(TCvF@*f3!USQFZw(bMRomr4M~UCOaW#`(@s7y zDOFF z;O}a+&R00E5~ZHKzn)E`6R5_#J8K^C*#>ch!oR`jmn+r-+29w5h|?NvJ# zbE7@G?aLAKH1b7VHqS2<**_R{JDtQt6S>I9hk45W#+uFY;!F;WhWAyPeR!Ja(o`YQ z7T$vup5m=XgXFbhn-qAy*x8zs!sJNs-CP#?3_dkYv{)W%b%MRO@cQ*w^iFtLYYo4n z*HjN(_k$;ua>|#7PEyPmX{@o|!Whq8B#k-4jSsw{puxLPoV=I;{zUejy_c~g=rzSs ztnY}nk^S8;)Y(rRaNE^R>hM$LFcH_O@kAfnPX@(mt}WvO-L`%mvPE`CHis_&x3^#Q zd=y>Zrwcn}4RAY=Jt4FI{#)3ZJ8VB+7~|=cb0^3+JAe=gEAE4mK0^{6%4!vCKbk7Y z+Js#>!@D;|r7neBT>L4rdNlT0Aulr63vieGnzklb=J6z_=K#TBfaKn-oWb%by8UhD zesx}p{kj`r80Bp(ij3Rfxp^APkaJCCq(E4{-XqeWGht0nBT%!>_Cbk{4gJQ`#Adwk z7jSS>4P4(=OBh5mP<@>n3A=`Edr88>YPAvae4r#b>0I{9Cm%?**lYUdYt8`!gRJST zK+5L769-)Fsl#SS!tY9F6Je)e?A`PrpA70`#|&x6++q}dkCQ@|TMN_R05_>E_p5Pc z0mz1`q(zYQGV!1{+FK4G;YFI+lYGH17knSii-X)xkC)R04F8WZ<_%Qd-$DB(Z7(FD z&cwYUE{@(Rv)+y+!;i>THk$iDXp8(nS6G%Yr|2EQ{zwxk&t^+59{DlU9eHR*xH1DkPBexy?x5i}2Xw@&j6_6c&? zZOKhF`aKk&8RUm}xR)-7yKx;TX6ce3a$7Vt(i62s;U_ZoF#A`<@xW-{gXl>yDh#Po zJu(?QTo}RFhvNpPm{$hV;U3m~2T_RKLChJ{@Mw~1dWBSHF^br>YfFHOQ>Go$f0UOH zss^nr@L7B6rJgFH9N7hjpaeQKSDyMPa&TQvb2{`wM1Zt`IHK8q68oq%0;|8yw7}d(mb^_0jaFhb&#U z|H+nyd!Hd(_V&U{J*19ROCa+7wFa37J-!c4?y#SO#6)FV3p0FuY9NpDEHi~in-xd# zySu-QRBP?>eA&a2x0&|W*|(}PDSoB7tKwdNZgANNe8E3^-Xt|S(U2b1AxFhQ(VFqZ zJJReOOIV$3RAi3;D1GfiLV8Q2dwr7xje9mBYNFN1s(t(b=?mkY!zU#}tG7V@u<*FW->F)RC^E*i8 zUb~^q=wbC%m~2&c&o^Sa@){_9Cw-G6S}{Jv)k&*wI}IK`SsWH4ectWc2 zzYPG>*cEa1(%-_kK_^t~_aG(n&leVI-?qb=SomU6?I{!?i<2w5*iZUSmlXre_=o9; z&1DK-sq0GrWMuNKWy@A|C zINsB`j0+Ko3kNof$3Fi|ZErQK#^uNyLbg30D?;P|S zQsv(T0uoFAA`)jFa~pW7@ue!tDpBPAubo z-v(`J)2~%(UD8=pc=D;^VD)>ffgN*h_ws6~T*J1*_46D_cF%i^+Ih zl16JoIzh@~TnBXA+qEViH(UL2Y>DRfBFZZvH{!?w_vQ;dTph&g0@Q4Y+d&g1&pg*YM}!Y1>>hF zTy(MFBl28K>orQ07yBI-H83xQa67QBytLDo)@(^bb}%D;=_J)?OTEu(>q3oM)9zO) z68PX+*m{UsT&8qGDVO28k!4?j*gEZ&=!bJC`+No?p3j3(RL7}rM0}PTSy?0dKXc|= zVW^XzUn(8wuW$5H7xkZJCw~R{_-+({#Mdqe&tzwy>n`L=pj&Y@%KDa^(sPOfdbB3D zK_O{&abGn^y|;4`Da)-^>jtWML;=clInkY%s1y8`>}rh5!2809-sJehU(Yp9Tsc<< z_joZpXP42d6U(gwQEm?BJQLL}OWqO@PS>tPz~gdOUZ0=7`ain>f}!iInE-9Mj*{r6 z>~zjDc1=2)kddOk(RbzV^kpzeZ@RF|Dh~Dr#srwXyf(PStxM$Q1!8hbUPL9aUd2bIIj zV^K~Usbs?L+bGImm6V70nB$4A4=kj5`Cc6^}A2_MDM>Ph4LkC!7mM^%?R3mofg zZ!AP)c-Fn-ce@B8{=8dXDezK#6<_;$*o*wz_PmIJ|0C^SnBp@MqA{qo`2T3u~1s z=GxBiFi)nz!KtC;12aV1u9XyttKK3F)b!BI%7)rTdVo)@)XJXi`TAC8=whmpuvx~f ztIs6^eRdOUwjB4m>B`@lLMp4IYBS42I$64B=&mVD=8^8c$OVq7xY?V4MnVTL!CENd za@R?86roNf%>vH8VH+(gZyoe^%+8kWyXz%BqU}P^&f`@NH*0Pn_}B`MBO!q z4C8-fS^lHXc+fUu3B%g$qdFOHSSKvRXeSA0R#O_h?kOziwsW@lT;uWGzRRf$gpUCH zA?wu%CE0^E#b#cHvIXI|HuHZcuZBmeA9YMb5)E-fAhto6!qk~t@oWBALdcMJDO-bO z6!u7F(+4Jh??uzaVlr^G_sNAvNwDqk6MfAxY>rCv-LJ?JzF;31zSOJ$t9n*jn2_b# z9rchtX?wL5otrO|nz^L@qFK<4L^OO)`4=B3{jzXwZO%Pf0c6^mU8hgIL=8Q6INiA@ zaJT!|h902Seqz{Qz|E-i*lp&5~D>6%Y>VxcRtN|CprG@y~P3tOP?22GJ(8K(~rfYPMxSY z{8qWw3o=1to(JT=bti=)=PN5EcgxUs%q+aV7O%a(sK-^>(lq2=)X0M4o_xEz*L~FO zmB>EpbYhWju_efr*gPGY101X`cHniK`=Of8jyvUkPaC%0Co7VTIbCbDVC9gIPBro% z^~?k}s+1u@vIybaG{r-pZ24}GPs?137~P=`HLJ!(Rk}+LpK@(@v?=A2# z`K1y)|4k0dpYE9<)e*Z|SmD@~YRUK6f=qH(#Y&eiIV>yhwv;%{Zck18omQT^8(QtW zqzw}1Korf1b>Ig|5^tGHY9L`F8FiXJO@z6DNBx!~ll(jcQmY!z&tZA&Z!OwF&2uU8 zyiyV`p?X3ZDAzhq^nWez5Wb8L_5rt?KSRnI+Iv+bdGKKV2+Z4$SS`;s2l*uU6&wn# z-}=4z$%#W^f%1PWIEWXX;m zF#6F}vz#_b_--9V+MRzvBPAJD*z8oAiI#Obho=@}>kM^CMty&rgtO<@gZW?fQZG3p zY~wK%&q>|lpeCuJ=#*`85c|Z#uK2o7997?w^6Tz;752xE!t0yXHvNhW3L*Ru_f?C#PIIgHq})j_fwoT4{YEIIa4K7{8(D z9qOm%Oiro4c>AG;Rt2?ra{bYhy#0++PIh@p<07EKg!|{r%dg)8GFj_7XB}TV_&1!# z<=Vfz%#e722;7*3F#h`fqO3~qvorYcNPpvNy3Et$Qd1s>TZ+7ce(MzYSMoa}Rp5a^ z?yS%1b-Kmk``UdKcdqZ3vSX9XESZF;C9zf{IE*)r+WO>A8M~Hkn_;W2Z$NHSX9dY( z5`Yh7ZJb>))n4bw%5unX%^>~!FC1ocN__=XzKm$TSkQX?e72_1;CR+H`8|YHxrttZ zJxmK^C?51MQP9M=|5IXwkFSlW5?^VSH}%@!)JYbZyjw=?RE&~X{bET0?j1tAk8JV|yy#;mMVOD7h2o1|CdWs~8;r;< zgH2}dTaV;Y@2mqz_pzg}R|)CY<{i~?VQvTZdgg?>(!pdD#CCP1jInBUoHyG`Je?-Y zfhPYkUK)Gx1MPYlb3^%xr>c4daR>icLchwHnOSgDN|YlDh;W*&t~lJBRw~fbz83%B z&LEBTDl@;fN@DgM+{$uvQehkfD5cEXX7ElWW%_q=Cq{P_(FJ=VReKcpH#WtftNqqD8i^W@{xPWc8&JV$jEQx zVJJ(916Bm%*^=Zb-f{m=of+HhvbE^~F!&^cSNO%3jDOw4WwZc@jkXC z-*)g&X~FwE-^0zGB!6_t@UV{-$;YMObymYNkHwv?)xK=Fmrkp5JI~lc8)MkXU?0s2 z9<|;tF07IMZJ&Ip=Lpb5i>od*njK{0g2eF+`D*Y;i=zs3BAt?_Adz3U8>5@W&9dO$ zS-(+3DJSp03=w0<@E=SBg}JJKJ7oY!y%>3z$(Vlv8Ghe?-oWLwv-PV-J!+K}oLzEp zf+EJ-?`_2;c90Ymsp>432`}iM1l~baxizXZ{||P>tN*knqFV1z+3#@jYVQu;f00+} zi`cutLL3W(MrDQPAVj*&m+e2_gI5-rv%V(LG6K|QTs;gBrd6TD0$JgyXnG7L+x$*){yefotPXAL=IXQ*?9b6skk?R0PaH z`deXNiqbw6kA$f;1?XGt!#2BbRGkva5uB!&7oQf9AnYdx)k=CZ%3HGFhv!nB4+)ZH zQll)C?D-UD_B4!KklC*)?7s5P`%~$}*Q}acSObw6%A+i{{lt6JRY0ugP+RFdY@+gY zXaRzxWt`5lx!Wy+TBplEyv);O$#-wk^I6925fzO{6{fVZ9156FMEe;f#L_iI!-@F{ z#E!hRM_M|JD9kAPWBDm8f13YtsI=V}vQER6oszl=IXQ1f%rE=yyS4qQ?(>`%o@Z<% z02dMCpbWQM0(9^y`D(NIUEML%`E`UU=LX=VO3XyJ9;6tUBmI*2EDWONHm`3&Cukja zbX=YVetoq9{ZNsK%y>XOOUI56gPrxDV)@y_q|G|CNRyxY!(>^15vim5Y9|VNDX@LQ z>2vM}KK4Wu7MXbx5wWtgSl`_475g2!9~X&3O~3ioUv73z;Q4+@LT23U^a#P^Vb07{ zK-KhnVGPmycA5kClN}q^gSC!k0=R=7$=5hhjS{*|FYkfen-O63V%|#R+_6`Ruum@l6c_a!eLqcqlC`7nPf9-1ZK+&xB-IP zM2d7s2x0$qUq|FI9U#>NEzceSC1F?vlzqJ@8~foSv0Xq}j$NfuH_NTA zpzLC|6ASOSD3n#^Z_i+#?#A1#vDtQU(fH#__?G z_IJ%b;|w;iH@nTs!I|X!f$>vLQjJ?{*2C}Wwrb5}0jzd*p-K{Jt>fE{n*e-2;Ok`! z@0I%#3_MwTVrS_LfrHK-#Q)yYC@tr8mEl7UOVUJzifT#tjmj#a1@5Nf z8es1%3&oZ?OMgE`W+!X6Q5Q8<0J|~feLSXb<6btNgg^cnl_+u>myYA@-|5=bw<}a3 zMxAA|Lr44IfqXIXIrsllQS3=;<-DzUw_c2NY$WRrX$Mv?q92yrVXl9)ryqmgNT*wr z?GoS&ZN@Kh_02$1*=+mk9Bsi7Wv;+S#H3A*&|Am&7fu1hbl?`|%sHaOHM|uqh8=Vl zUqrlBZsaMN|KWOm3uu82-JJ1T3LGC`u*oS0OU*FS_s>9Q=^^reqc_#I#i*$&GwWol zXt8HQHteibzvjan4u(>19mGUB(`BJMm8h>VLc|I+=o!y$9~5@YOn+vfMxn?c)a=jb zEV#BXrej@gXtAsQbhyuu#9CVh3Y9#m|KU8l;5EA<=f94h`XV0{sWlP&An@jULPqOJ zvHOvYi6$v7E^lCYx~~Ch%8E$dd|kM`xbw3M5#w>9DDU3)jR^J!|cL5Be0r=)23%SvOQ>Ph{2oKtm!QMLb z-Be{jYEWCoIKyv>r^xMyZU!#rKz?fR$*dj5M|%|5ByS+K+reecmryB2_OL$nbCCeM zU7|XSBm;yKLQ2evjHOuH0XWBL9u<*SnX@&LAx7Ule}`tnI8U5p4f0H%{?xfrl75aB z|H_cRhuXZv`XFzoO4_A;<$twhB>N|&E6>exvGMsU`OW^?$&0k)8mkS2BFyaPD$QG_mICLy zEn4R464&Swt>D=krwQp)5lp-QaL8`G79dTP^?q1wDEY)hZu7gh4^y&h#vSmM^oh8 zqOZ~aVj%xSxGL4O*nTGxP(KxdeKun45a6%x+|T1DS6j;NVaHiV$^=7qVkMlwuQN<8 z8{?0#r?A|)qwQPLPaEMh{8mYQEa~r$W@-25abI!7wIk#W&_%?}o85v#ia&Ey6sBRV zNre_a(a%O@O47{zp6OvCf7Hayh`~76mPwrWUi!C*7OVUTeNqZi$-4Q;89PJa%j`Re z#d>zq53;c)w11~!Cl6g$0i8Mz3fh5puK!=pDX*3asRexa2fj=`v{=v@Jk)-(B3Oc4 z862=9w^YFL_VMWkN0)s)ceZ{uwNI;ad>60B#)N}J(}rp*{OopZOji`)g#GRr?7`P< zF5A{W>Bg9>6@nklar1P6afdWTQx^qT^T(cC%BVXBm+onzu^8odj~Wlq=G6#@ zwONMVlX`F5thf3s+IqyYqVs&}H3#=a!HY>e0y*_!syAIKE9>uY{BdzAZ& zE#~ioUyM4&eAZDzKBDl0Z$eg?K7U>peQ=g_ZSz<;wTKR1*?=8l`u+{epna6CkMOh- zJ(?8=1C#rc5!nU4!}jjetqy}77}ocbbYVWn7VBEv5DYs;^X1&dKku{Rs_G(`AIGoj zxi$Nlq2fpS>PC}N%WyOo-|yCvx+zMItVC6j*NqAGJ%S>$?kZKa_P<_DQTl_Ck?_B^Rfx@viYl1Le5N) zKNrfjtXkhuO(HyZ$}wl$!Zur!aj+QBS|gp}yzev65~=4~<&$kvRZS_K^)?xsy!nLD zGRg4MOwk`MwyB};uiME1jkTk%r;p46f~B@wLwgb@-}LBG-~r_p3qSKp-Yg1wo{;8L z+N;`#QEIowS_^L*xPZw|K2jn@2&{cL03U~M1e^Mu7+fwt_dA@pYS|2mc+QSMAByP5 z>ESX@l#@a=Bcay>jc2rjDW$jtKou0X!QN;G^hkXytM@qR0ziBS9Zcb>hii|D8PT>t9FZT*^ ze2xULj3=2ToAsl6I{BxCQF2OBq^^TBuhP^_a)q0TO#MuVJ8y&t+G*n*usnVwPLYyN*r`(vD>Dzao~+>VAjJLgCe)mr@TdOI4cxjE=^j zlq`OrEcxSDMfjSc?TQo=HxiZCuCAY(9rV+B71}XCClDs#Mf*th{kPp zB7wI>6C?k#-u+t%XGj6-B2C9xl91a6JO=b$ucXiVlklDv*{u-3ri%`-KjQ)JUT5rL z%iY2RkIr0I#0-TF_Z*dn3%N^$mZ0+@m-FAImxd-Cr7A#&>Y!XhiTD6QeHOa9CMQ}L z<7%2N(dr5$kl*_vp<4SEf__xW&TjT<(F_ZnfZm!1gF7lix*jsOk~CPlGxIW#WV<_# zJ5*5sfwJ*6O0_aUYuIBli|exB?Hl!xvC`t8UVDbD%!jQa2QdSGfMyVd3Ph1;K=uSF z9wR|NlHkPVB8)Tr&xyQF}BUqey!_pYiAPv6P61qB|e}H(H!7qPF z0!u2BZ^``1wx?Y3oK*+ZPrJS?Lw}mS9@HWu{I>O#sgh6W*x5?RA}r7)KpSJQH2nio zTP+OUL$M#|#?+wGY4j`+9U zRy^~i&NoX=Bq1FtfdEy3Hzl{fp0_856|(}=x2Cx*c?iUR!}KrZH{WI_x^XNFzWJ5! zgfpYO{Z$|Av3&SvwM<{QTF4bxCWIqZrV5duPo!KIFL_c2Mf>yGPHvqfei>f;GbW{# z5UzU}hf4l`kvjv1MOvLZrWXAEI~6*Th4(~VVTEjMhPHj9qY?eG?xdui%-(%Ky_Kic zLLkl-UG8Q$w5)yCAug$TdL5Sze11rn#@d{( z(LFqylE%s>0lUK~$U!u23xQ3}^Ilg-*L$lw-pWP**pjqwB_wr?H?vkuMPd7@V0}CC z=FMt*u^9t_^qMGCfMm`BLVkxM6Jv2tSdf$^A$fV_>w5n~>vBEcG*5mlX6R{v z)~6rz_NQPVXbr&SehH@*fKNMB+$n*H(yQ{EPgSR-3WiY)A_)UEYGoi`2AVV!&% zel!#tgq2WkcVyn=oFCMsG4a*kN|z&Xaqn?cUkBo&Iw;RU{1Z_NYrVoCpAy$f^1Smc zZ{*LZUyOr@o2?6WMf7yKSAE?B;+I>v??c1>oAAT;n7=p4@|_b#YEJcs!cHc%4(z(a zzhWh|F3P@TK%YM?M&uybugpcds)dA6cN0t;P1(ajiFIwl@e4p*H;&f%G*|8mgv-js z8*YR9>kk4wxDYM1-bBuL2L!aeOXop7@`&c+p2RR|z1!6=6#XF-rb}HOX<8m{dJ)GM1&~cbY z_>7(g93alVr;FW2XW+0Xy{71c&bXZvS0pr!YN9T)CwXAfAuEV!6dF@OHU9~$D(2tM z1O%;cRB2$r5u+KyBq}U0#s(tgI9%t-EW1`tYeUT(G29BxypB%yGMLuEdDlO%45&m@){2VMo-aphLKSCx7NJN+9wVV!<9vgcvd%rP2>&&a45 zO?6*WDw1FLO_*G%ykoMqDPss-iaLH@-GrR5U$tI7z~f1fu6DG8Khj*7nVFZJQW}ni zf$Cwg5VI;rb0MZ^MrGsOz=N#!kj%kVfq}8`-Iz1XZwccG==2hL!o?``hmi2IOC~Al z+oA%&=FfCEl12EhoEoF&V8?ndP6~2#+nJ-I167p>5E!LUhcRi-o@B^utc%lBu0Q2| z7zIA2Kw&wD^F-ZF;tw~Mb}SU<*&_KN=Ad2yKlJdA-Fr**)G0v`+0n$1L%YcVcZdDW z!MLLj{T5u`g)9r%UF%3G!Iqh$j?d}LVSP+(XUEixa>Nb@p!Rf@k-{&}v-IknT&lVF zf`n-lG{fE_M0>;6?`kag^|WGq-Q8NL-J;cSvJ?X49=27M{~eWIfjLN_;DR0*kXeFC zvnR@A#x?`ec1g#vuu-?BX6Tc-*DVV`!c1PqzunRDYQ8$<2Pup(6h)p{7tL3?x~Y>W?SozOZCJ{VdjCCdbRs# zga4hXkvJuE6DBJ~gdG;ocPGQy!Lxk*_`!(&>8Yj!l64wmY6P@ zt~PSGk*@4RFM41rrPpT~|5ScDEgDw0#)tj(glc=H_y1$=&Eui&zyD#C5M@YNvJ5HO z#e{4#q^OW~`#P8yQj{<=BnnwZsqFhz>S`=wEXlqNGGj=_*w@C`jWL#C_`UmVzu)J+ z@9%YAJs$TT_kZ&jkN4~KI_Esk^E}Tv*$kTpo}N+aTEk(m@bujxRvca-Xwt~}2gTKP zgeyXw99Ga%-}p-sdgu#`q%-KvB5@WabzRlU^^$fexOKuaPs12Fv61VoEbe{clRP+ z`Km1IJ@w~%pJ`dd*P#30q@s9|ao#uegOdI)WC*MqS0E!<5M<{msg06ne$_!%ck|3# zVqW&Y3>~qC`Bd4WN1pq9ms7s_X@81yB_OB`V19n6Ha)IvORxGOOYA;*C&2{t)l#^B z^!o8zMUOOI9X*-QA~f#sX0k>`@#J0QtG>zl%BO8m1NqHg6*B8StNS{r1>(7^K->LR zgL3POs#5G5bd`NYqh3GMTAnVxoRR+HB&cfO?YdcMdi~Ndgf?o$)(Usj{j<9kFLl2C)ITLMNcdC)KRki?S63ZiYu>C z;{nIqKI<2L0NwqDU=C{y>Cly^7fMq$!bV!o6;xbp;o;kn{^d{hzCg&NUwX^XccA+? zpVFLTu6xqkgLpb8MAPH=6>_b3ZmIQjm)gpmg3_3iJ<VFE(cc-FeXc zAlJ9|IigK8TuySTOQCI)9~^vUA!squH1%8)8EBx8{Cqd>U2Zz&#<97I2b~`hGT)md zP)`Mx*nJ>ABl-db%Oy_#LPhkGcUCIGjRf^L=3FQi=6f`F@B#svtnPJ6SvL61EPm!1 zR3|UUUezUd$3X*Q*`PvOpP=>y*=_Wf%R4-pk6k}~Ej1qQ5M&3`AddInE-!NZxoEiZ zM85p0ATjEe{Y+FFguYdBuXF!tn=jW-xW8-n=)WD)US$(Lq&z%jeV&Nbdw^)v)Oq^G zE){5m-6$zoGCQPs><3;0T+E`YJa~U_>ekDI*Oj}oGJ@9a?9o%|>sJVnLwN6jwpNkH zK%3trPiCUbH8Vj zr+05oj&HZ#OK$B4`oehZ(|;`7JZ7a8xCV@xY+2)#^qxIgP+^)0t+6dH@>$&4_Du?2 zmle$gcu0OQs*kIozgn&1{YsEyqjXJkI544Ndnx0Z(O&5T8SSdqCJ((lIk?2QO+H_C z?x_EnGq5WrLc`pFz3ZoEDt~0;e=oc%RlZ0|URpOdnIKan-WRJo&zc5IHS8{e$1kZB z-Wm7&U{NqA@Abm;jgV^?W{DY_R%9F!SU)MR0_pTRv+&=6tfv9&4bng;dO?Hw^zB;b$np6I4C`S-A_&R{~ z31|S?btr=&7e zeQ3`a1Op}HY29T~O>1`4UNi^SI?D-qV|TV__d!#gte^dbvPIAPoZa^|y6Nl!X=O;J z==sH^8Bw0W4bDnG#IO)(AW#Jl#}*ByuIIQy>>im8EiUe+X9CWy|2S6J@2D zP6D6SAbnUj9@KmTQFBt0eTWy^?Cr;))txOUWuq}4JVe1(s z?R}kRC~)`K!7iU{9_ER6U9a;e_qN>dDa#b%mti(%#4EB72~Kz<9=Rp!YJ42#!Q1lj zR?0gKQfIzRnSIF7Wb*Yol{XjO>pBA!4&RoaM4qtS=Uv}F+xT`Y0_5oU^V?gWTgR8Q zf@`k6Ju&t4Aw*?%;ubni1Y%njFo%1Sd2Y4e)K_hMEU2$8wW9;sRbIC1)`y)EDRRxB zxIkM&*Jay}S+yEhx9@-AeHu3tj={Zmbh1B@YqGuUdt#7#D#G?_kE?+v;)3!Z+jUyf z+@bo$!i^-$fFTX)=bT<4>eVZ|Q*IYnpWrm?)8F$Z%f`E&7QE*B>D>;#N5zkSzP_2~ zv$gQBiG8wg=x)-w+$oaNNJYTb=JVuU@3f670-1WpXA==wPoun<9}d{}&{IOiCfD_~ z$(8k@$Qp~mpAF%1McKL@&-Drf_b;#oZ|B@T*({l_cp}IjrpEW^DaI>buS{}mhZXXssOHV( z#E@aWZe1>d}eoJc8Q?51sYPtYmdn6a@jX`Ob)F?>8QkgS*pehRc1LvJ&2(3DIXTNbpExiQf;A^%LrON#|~)I4&N4(~X`vUz?JhjMYvUhd&+(zeB}-Zpf( zd!)fR^H(?3vf^3z?rqh>n05K}1+4xRZWR7nz}BO^Z?5sytG~JS=9#JPPCyiWB`Ce} zg2z4gQH5l$VxQ+`6mZLJ+I(ze{=_0czWBWNALrP7J1@2xW%_JV%^hhH`OxyO$5rYF zDP}Hox8F&d`g*!+Uvyjuy?CbZ`p7GP0aE{t2EEQhu%W}@x@x7pDZ7cwovJeNQw_~E zA&lY~pqg`<+lF${B2_0U$kmTtT|%13w6u$gqwNaOsURpl(_sIZB2?Rw
    YkPklSxUtz9zy!xwXM5(&u=T#WR8V^QmvQfXrFcjU_%Qc&S zb6lq!b$q~+XYAuNrMfV}I!t!vtCHke$oFlKLc+V%no_AALSob*tz{hfMip0{d zz5S1&M}}7$WL&nUAXu{&v;socv!6zP^?YpR8NkhBHxSjeElQ5*9MJXNw-gvC1ht%=F^cZ6BeV~Xp*~QYBXFu7!FMVf`cHG#ckSJ5Bgl)k=NsOw1d3whyV)8QjUR5Xyi!`& zr&Z$ryu-3^^NWApA@q;h?lF!4&brEaURvuaF_?wPZ$GxtPwzYF5rwUrmod?i(Y^YW76;-IqL&|r z6>C?;%5ZB=ON2Flg*>cb3~p&d2z2q^uxis?Q}iE++#7YVjjvM;q0MIt7k)-@<17~P*BK58 zR0AZSDtIJgG1ANitjqF7qY}L|$l}1*vh>lKksP6*Ojp$ z7V<^1C*pkG?T=FSFFi|W-5Jw-0hpy&np3(f8s8w3l4W!L)v<*`8OETDmT4rP!~_3m zGS*LVo91@9R8FXH>MT+D^hL0h@DYrS*lFOUr39n(NlD;-Wow}Ge#CqbcNUlyljdGiEMtbs`iCO-Le4UQF7(xcmD1 zpsKG$@F;q|j927?If*6(0gYeR`BHvoM$i_}h1kxo2B&*kRXaatUB5Yez2~!y%^{7C z%E}oJihtnj^8|GH;{pG$C4i&Wyli2V3~k+9UtRE_HP{}$eqlTLh_rpuqVn}KH@-oe z)X!NID46BT0g}gI(L@bIN#!=%IjPDq=9E>n{q*gVr_E;G#*4>%yD~VfTiWY${MKre zcXft*8K?r5qtk~sGwH=7$U;0IlK*^@|C8!qE%%~6WGt-!nU>vub*HWt1u^MWyfF3rx2?auFQRb@Y1l>C0}R)QLnEx67E~dG>{;*#|^vqT$d4@VGYn z>q4=zHrU=UZ%*Ii70>oH+F4+lve0O=Kmcn;4eox-fnwH|Jz;lU7EhM7%?#Hl@TI?Y zZaTbpJHk8yh>?z&*KRyW4bjH-{=8Q{8Wy{*en);uQpp{MaL2aoo_cw#{uJi+fRZwJ`Oa2bWcwsIIe= z*5GOTP40|vPscErHS&;UEFZrrRO=6DYEInBrL?SMv@Q`6-sE^)FNjU`TY9)7EFq(I zckf?WZLl5hfruv|^FIKCb(@p%S2%07#TV2f5GNHT1BwWM>m$D$S&my}dkI&MR_^7^ zJ!QNYv#H(z><;l+Q`c$f)s9>BlFUeW{z8KA_*mOil3o0zVNXe_pw&tnT0y$3L1sy* znbxuvB(oV1Z&Km9ocPE`=_~A=06}ORrzeMNKKf0~gWTEo#IX(Us$7 z{ntaZ%^8>OZEmAC8j8U`V|!kFdlPW0YJW*`t0|Zveo}61IRj>}B>FTac|V-1ef9hO zh^yZ9{L zy*(F&C=;&?#ARMHU#Y4E#OJ7|kERyxrg)BlZCdIfJ2T-v)IMwSyF3ZmUCW85k!BLI zEkwXP8VlCD?uSifd(T{=QX^t}4fyO>3k$n^*Oee|yf2y8?F6-nBXrz_!mz2L@Zffi zTN~AN2A;Y2+@YmRXm|oG6%QA# z&f8V}YJG>IYiUvrNa7bhiZ5&87H?rW$ON*QR#_FKUOjybhWa8=Rhq+sb3Sx?r>ohT(Z5^~^u-i=F# z!AjoRTdB-Vwk3Fb%`LPLz7>N&5-gPI;EIPji{EDMI_xk6NQ#!I+7~g>6X|91VmtxT zCB>70yKi@jt9)|Q9o#8N5xUEuM?Bp%ns-Yi{eIKSUG-hQMm9YDd9js7FC_>j8sQ#} z|Bc!_sRE~N$PYR1p4feM$W3o=aD}hF`dfBE%T>Wfq1#^s9_%~aiM$*S=NA-RvoQMg zvfqZQ&))v4S@t!jc3SCI9{*|s2pDx5`Ir;m`3veaJ>RMr4?nnC{B+p=sp+t_zlg5J zqge$)%nswk(_IZ2t*XtErtz)rnnms-f)35I6H4AlwQbrmrcYAKGnAFhj?`+fRt-Px zPaT6@qwgx;883CbaL1kEOMMqeALic7i9l(hIy}WB1?)aWVrhe$4s@l?M=2D>iUbOb zo@iB~urAWei&m?mww#3UL_S|A=-N!t%@frw1-<#u#IGw*!7~@P+VjG^AH;IsdgV$` zJ^hu3Iqhy#sl2PuR8cgiHww|lU5I`IOlr_4Bzrx`Ji$*?gvdEoUjLvWjz4>3=bN0} zPbbwzkFT|dXsRm?DfEL+od(t1^thWZwe#SA$&3px89Vm&#T4BRxtL`-Cyq%}D?R_s zsp2%*tlACCLt5JpO}`L4PLx#urlx`60q@f}S( zX}O!nzc!h49m*7*6~%xZcs2HTzH&-u7!oHH)G!)~@ww_y%q&4FHd5=sRXSK|80PcA zTf0S{76Js<1ULzrXzqeDN0!Dxq7Uj4c2PWOeTm^6nix{dDEh@!MZ?mBQS>QY>$bHEU|sOnA_x$ZdEct`4^0xJ8!JIA$gUOxxmV?7Dm;YuJr@ z22`~jfnJ|n^K{g`8Y9jhm+O@&vLov0E>Dl+)>ozCcTn{GQJTFbK$G)LcVIAQHb*b!&(2~N`ekyGk-gEhFN9a>^7N7sF+Lz zR(I&FVz%uUHaHo+Xg~VoGLPKF-=l#TWifU%DlvQJc6+ z!`)8Y8(!HIYlnVW%FO8e`L$!UZ3X|m>eTB0Vbv*(PHhf{>sAxh;LUEje&7Rv(>WD( zm3~lB${HI@e=i)^Zr&w}@t1NZ<>@Ai)bw;5!cVsY8Nq6gQj1jr5KUc}VuQP15U^Cr(A!y`n+d=IpvY|DZ}3R6f`Di_lK;HAF^5NVe9(d#JB4zbthR4ajTRMe3ehO ztd^=+F;i|Buj=3-N7Cx`f}o(ua*I(H-k~LybCBBrEX|)=d0wh3TTvwB-+%q^zkk+N zTp3|>7hB}gPZ~dV&&(;ixAo3v=1z8QggW;!ZVDKXve3u6Q-P=raxCE*_tw6NNka7r1T?{N;i2-Kndaur=%Sl#Dusbt-QV(<0b? zb=G{ld~kc^$u?&*r?vC5aV}G^e3B8*P;93+JkgV$v>dkx##jU| zjf^K*jw9rj(~<9Nb}0~6)x~8WMzHa{sjIa(_eK<7_(Z?h+IMem-#leIW1Bo*vmLxu zPj6Aq>~|< zJsD)0QnLyVZoUxG6{r5Mg^gv?z{1AIz{17=t4->_EW4S%Ul3T>sLN9`a{qCUBUj0v zO1DQW#qY9W=XZ}c6hi%8;QNe9yh%E?(uDT4M0htif8(O=<-w4FF9GmX*k)eMmyM|4 zncx9C?ze9D`V{l#6!QxNsi@nP?;Ztx^op@sU4$k~)QgM+bosaHbeHvr`4V!JNG7b- z2;Bv2@Y;9hZ2Ro)kfzvoz{od^ zdy}+s;-QcMOE1OZW>wjf3E`!x{dm^4lw-xSO>`Z=Q_X=`hV5|Zl4;yi5eXD zt>CN;;NuwQCTwI=uZf>wyl0AiiSePWz0u?rvXU)$6dMyAz?vF9v~GG8fP;fHWAgS%P@TIc7zmcRiiV;W4I?QhEFi?wg0|6J=599CSr79>G0Kl z>kLT`M@0}M^w6?~Rg@&(I?3FAdIrJ0F*idf9sc(3O?ER4r?6J{FUSP)<5MZUl{wn! z4>G$%43a3J@hJ_8B$QIPQ@b=le$QprrcCDV;P7-n zyQ#{L|8e$3>MRpsM8fWKq9jYU2i_}tVHOCArHHZ2)|N@FssfvDGd3Ljg4q&Vee=27 zTf+m{WiRsP9+z|_HlIXdlS^Y?eT^erc06><8`C#hJV;gse|L=BoCmMjRRnXww?7Ro zY|L$wtaKkEUjFSPJfm>7YOi_wodUAID__h$jiOGIixg2*V8joKkJyR;v~jAf&(h8J zdxFa@*>%f)!nroHXjcN=a%Mc#(W2u9crdw(LnDR668u##MkO`;NN17F#b$~wsqa%& zdZcz=l3t3saS1F(<5BZ|A@IqyV-dShBB1;BDi6L$CRDAOF~gpX*du7G=6Wph+%+JG<*0 zy=Ar-)U6{c^rW9qzO+yo4&G>h@BylYFHiqz zgPx>Zu%A&QJP~O=KY;br{$F4P4y%$M6nA?7lHh;|VW%Bl5We^S%_oe!o4oFH5sMuoGk#@L)9u zyTzys1Xg4QHILW8R~50FizT7!QA0B z_X=U40I%>FtIeLsQfZYt;iEuel!zJoN~?b=na%?~2Fxl{7EhTxD#x__9Hht3_M+Kf zn5(BIRQbSs57XV>rC1K@A!;r3kW0x?>leq4n!j<`W3P}!uZ@tP*FrC|Nkn%Wl|R#x zSUbt)uMCZGV~1d)d8KTbzN8qI3`ey>L-|SJ)}gj!mLlCS*HKYoUjT`g$aKY(<65Id zKFi9o*98i&6y-8K9bcbsy!LBk3BTZl9%v0}UNgPFYO&j)7c+$f!Y})6!F)AmsmHIN zhRKcpi)_sXpBmz)R#zxt%y4BeGA!yWPwgn%2`lGhMDc{4iEihIwUJ}fjn27I3No}> z8X7KGLU0SA=RG5CnG3TrS#`JCY^lv4rMYJIP&lMxPRjJcIA*9i>|(i=FjePG1&_dB^Zly1-+kLU}Ao#cb1B@2qz7< zcPYZ)jn^G`Wo69GHG+j^8wTS{dY|@H7#?Xwxop28P`zRp0DVN&jNSZUSZIT_Wt2b^ z>5ddF5`o?ga_}8No|@Dujbr?ALHI?&;scqul7ywjoIYN?a0?Zg@xgfh8`zozw-`r5 z<7<4XJAD>(KbVo=y9TmgD6b*IG&Ww5rl;~)WQCSzqBq8LwH*FXeZ#AoW7Q_f8Z+mH zyXoFg9J+q_?|UHNfF8u|F$HzZe}8Y1k$O@WHr_3@EY~Y(Tp-H5(7r5oe41U>9HFPN zLRyi>e}F~4(0)W?9$mHejwzc@Mh>h_s)n-*U!}=s31lwE=x~Zirj{>!f7UviyhUD9SA&NF+Mv{R`uVPT56OHvJ z%HDx`B$2p4A4&L`>3;d}eR_rl#@E<5EtQ9~&7Jr&5bez*HY8k?YB?i~IPJCxPObaw zo{^;WySJ?x5}-bpJGthNYM>~mcVYQ_uT1lyG_KLC6@+SkY`mlMiHmNK0Om?KlGPFa z2P|N*WPZ*gI-t!}e6vBO@^^(cBU5 ztviz(OG3EL-NhSm5{_-VML^%)i>}l!j@f=!f@I;1m!GH<*LEt8>8a;#kL^9gjB8NRSc%ZPx^k@-)tFv=7?n2rzCNQQsBg;VD>T&p z=*C;mM(J*GxOY6tZDu@5R$(%5s3bu!h20Gin@P&Uf{~3|C#Vcv>GdzUt2XdXMMgBj zP39%nVQo5?!75!na(>_FPMLQ}skYRrgvBgJL)ymK4yk5SIj_bX!twUXoIVc*$kJy& z60`CvN!M^QNPbea3%TUP3hBIUY|rP{=qnvnqcOI5TMvytJ`}E#+(QWDpFugKa9RxZ z*_&-J&|*R2m-hePbLGEs0IB9Xjbr>PlUJStc^_3tof9#u;9LrRDfdT-7CHUX4R7vU z;&>=c$W?c1q7*C$zrsu%W1j$%2d zGsBFoIk!3uTHW_a6ml5Dc?+kKL$H2s(o>7R9=4Glq5^lh)}ddl(N6a3 z>OzJMqSrbK8i&4E-ADOkJ&6;Ob-wROeL|LVShAv|A77#0(freFc~zHMRE?*BC@+N# zur&xfc#Cnc1T=yjqaIuJq*n&Z0!Af@RS^9X9~0YmbXtY$)z2OcDdd!kr^ltX?moM@ z=u|^boU8s&UJN(v=yEZxEML6Q(i&PzJQNJxA4D91bFJ=AS|U6@%SxjfIS?l{{x~T%Z&Efo&VzR-9O88Bpo#$;L{%L#TVl*z%|_4q*rCMm-Et7?N)e!s>Waz zLBd2<@9G*}GvVRvEA?Cy`bSrT%l13fwNb+$uY9cnbz4->>RNueWe(gD^)3a3u}ICZ z68c?M3wvV?5dnD%n;A zlg<3n+T)!HGgkNA=SR#1({6t`m7pL2*Na1W)ial7MQ8gg;l>@kBw|y^jfQYjc;7D$ z#qt*8SWLt4i&8__bRsBtQ)GIyEs2yP8$2c{5ES7ckZu?3W9cBhg|kRs^9|zN*XNC;Z}w4PA}M9*;Lc<*pnj6u!o7!+ZE%ISI% zhOIJg%n#@wSj?I`mpWYScajNUcfBZBPXulJaXxp_sno&aosHg10jfPDhz*N|C|6UJ zi6{v2Rt;U6#eCkFt04EzR_;4{)czR54s}JvXm;+RB~)f*!g403;r{*AABI0F+?3Ks zLyf~Ts`Fc$b`@7Ykr%H6fm0?2#tRs2LzRrpdP_K7k#hrU8_f@Z>x_ui-lX{d5H0_v z1OLj!T^vc>4`Ad$w4_9gzXhW5e5n0lPMqZOxlV_Ppm#P{@j%YY;x3!w{9Z@|+{lxv z2(I4iNk_!Qa&UuigxQ%!b#|wdF)kRnN|squT-y&Xc(abfV%b(U#&WZf2n}Tjv#9pT zL1ZRm2;E2JAZPpSZ*BfD)9d50a9)VGJz5rHdRTK}mH|xaJ$JuJq`4zOhF*l&6O8;W_A{^~ zC7e?oOJ&7LJFEyG!z9_9Y(v`2q+ANuf#cLb(L>H;jqB2VesB zWwLmdxnP!qK$dr;+~KexMfQq#c{A4j$m-hbD7`@HXW3v>l3RH}){rg8lbW(!`VsXs2Y^p(qWubM0GnOf>2%EI2M|&j&R0e@*w@=k^I{B%XuHw z!zGq7<=*uwX{dw>*W96{V1<0#$HEkOePxI?=6Vltc{Ow?wi`hX(qQSlteMXFQ3@p# z(GAS^I&(`RV=DzTW>n)FQmJKA=E9`40ob^h`q;kbzxUyjssDg8nmr?8Oon2%MdWC5 zxrbrPX?A_@VuE zMy)f{uYoBo_MPDC)mv{%5IZzbZsUVC;1n&ks!D(eT4XMttvJNNky|BXL4qmxKI4+e zYFbao!@PohdPq+a`tVSWruWe1r*)-N*WU|b0;v`|yLK(NYHhF}_Q?j=I5S_uKwuWb zIQvEf^w>svVmG*bZ4`^$C0n1auDYTsg-z#Zbdr5o>R<8zOU+5##VGTni zc!n_hq%N2TKuOj55hY5<9X7)QjqV6H`8CzeXBQ~xse7kS&NJ~!8mv#s>47B17f3)c z1a6opwdPM`$ATrfaLnP~&RW{{m?{qCP6}EeIwFig`?=RvobkC>fvo0;5U=jeF9`7d zt(SqT#Lg&}eVbEvip~(=zY0(@@Z4$?2Zw{Td69AHCEV*j-dC$9;uUB#MbgAY-17`= zpNgJX6(9dIkJgg63!y9UD1L3fXF2+y%TN`H!SgTFy7t=npOMDKw~|2#l2nZWCj?fd z!J06zt4J8~kg8duO3kibcPkJ6LS?4XM3z(gISdgNM3J;MYHr3(_rBe~{;`G*kHN9a z!^g^7R~LaemflH|`EA_RwX3+|(bV^N-z6l(9{P1hmC?D*hCZ6mtBK25(i>Rbm`SK{$A~UV|;Q@%}zeMoTDm(hw0HxbczXerB1f+`gr<+<2IX z^Be25Y11b4k#zo?^Q2x_SjWqnRCeH>VV|AXUDQp~(#q5p{-)o7x}j2=u1k~D$N+-f zj2&pM@rKy&Nyz3-C+{??`I-0>g1_93ag)6$4>d&`^Qa1v(im--QNsQd;z)>n;(Qm2 zoxB)+y$7|wg1XvW#t@lp9E6SIr8Vzw{y>YhtNm^=cQR!CVx>8`HzS2Py_XZ^8J$xW zk*>h2hkBuRdHMWQ4!QdM3>5BG1gdA%TMZjVz5tKm&g(@Tp`&Ia^Q@s znM$_G!<~l4G6@$g$GuNw(u7)NNE|1d8G=%~%&aKICAGW|m~%kid8WI zUfmtwGq|LN=dS(A2}Q2Z%%Fn=vgL%Z&|3bt5}#5 zeju47vdPd~I#|4NR5X11P{F<`jJ-x(jEC6rw?IBBlG}~t(Ce^OTS#H{vT3ghUCXGX zDapcNjOqDWGVWwvNmEcbviu?1&c zC^5@sX1pz(Be)Kv;NyVrLkCvx>DDy5Iv@T7d45m}Cqm8esRwc&%swbt~az z+LU_slRfx?NU5}~wGk8W>p=7YE*pLqks(&zkrdCFsFz5)pco(2p5ASno**fmLHg-= zN;LxI#;5fOS!Fek`f7=?N9!r7((A%4X9}Lw`ZYUe>j>NK$0_eyti7GbR0Yj_|USz~{@mDw;_>5u0 zy)bCeM*use2HK+l!^5{b# zuKnHn{g)y5nvQ%FT_`W#nGs>UAhIiK^`4i#p|^MUbaNl{s9W+d1L8avEo{&%&nGIVR4J%|$}8-R|7prK#Pi{s z#p7jws%+q8kn=T_pU*$mT|)DaXp73>^+Q4_8xLwU+NKQkkguak3O_Za>oQXHq_sXq zfsnJadM7#TRBBI#l>$*`(Zkv!)3C)PM|Nwb_v4fv&K-l6noo*+FS^hPxF!VWVx_{X z-%8U)WW)gMt~|L$A)iO9=k0sEEQhz>h+>#!m$jrTQzHTcV=N&DxJlgvC0GMg$#eO* z6*!{=8bp*11znH}{w`_oHlDJ zJm!OzocN^v0)_-2bUTQRuicFC>>Qe00EYgU6sBr|wSWf-Pz!mY-j|R3mPb3E%lm=< z-jnquSAf{rj82HnHz;@=RRQWywnTE3}qV`p-I+^`bYVs^2!1C4% ztw?VE%azKG1{bc`+kG^T6xhO4(99R8IPy z;PJc#EBvc2`vUcJ$@Z`UAj}Aw(V#1)K?M4Rq!2s;Ck9Ga~ z9nRN4CPBjcirMwFUI-GN7xWI$G}OHiFmiC4-e?NPlJDd4fGIC)5R}}skX4nI#Rx-^ z>VVEKwdS5G3lEojsF8uFB_{jgn4fE^XY2p~ zg>bH-GtbcRz3m%^bewEb2?6Y2$Gw1e4>kN<9B&Tb_+N-_KXCaP<4sa4a-Dw|Er?!F zIdCCElw*j`x~9i9iXbpoE|iyfyR!*kLGTQ+tQy*`@#97pi$DacCTOe>)#5X(s*oF> zeqh`Dwo8d!d?g~yST^*Q^<=Q`!2Ybl zY9rbWx8v6rUGql5X+l5O*?6ed?6x(l*XBJ8qS`*u6a3EmQ`J0EVZIOweRArE_P+JI z{JA?~gaX|+dGF`QXh46O!DcJzZ-oy3e-HV>}9F3Br}XCtvw@oC9i0 zB%sWo)m)=7{#I&Pw712r=HP#n1DGo-$FtyGrwCe8CPg8!XxyAt@=qmVk(DnXBrzyF z$vDsdRXvxDPueAmVA^w{J%T~h6`Rp;SPCnq{4_ zfebCw{{bs7q@n6;=Y}J@j_;H~ro>^S&tY7Tlb0LCMb1|Wv2V;hmK7Cg2^J?@klS3e zu(UyRrx?P}l7dL2h%sE2-6@Ln&0sU})oh~@lt1y`2(?%Fx88b0t=5sVdioV@2`Vsk zy(_@P&gzw-f`hlCv=l;K9C(#vxt8KyzY7(*IoDAL7ug z;t?eTqh?uA4o+7nAg_%yWFRyC0QRSuH*^Is0O%+G2WJ|cXo@?XutP*Owyl6_dsMcV zJaTMzAswH;?)4FFM9NCjp1?z)0$VfX?9L25Es;$UHdZHb7<;AhT6A?^w=@J;<*f|f z)XHJ^LPVC=6aj}06j`9R6o-g8u-^i35AOe}FXm1zIwUgt_69~%jdZBXB3ZdAty_Os z&G*pax{cEUmpT$$KnKf3+?M+ybIN0qe^|4r%KXo;0W`5FGHXB9KmSfmdMHO@Hm`aO zCB7sX3JN_>0fZ*Fg>=Zs=XCV|aufP6^R@ETBHn_y>%NYSLcWgRKLXvxi}NJ9+erZ- z^xT###k&t%4_~G#d1bx4zRkEN(>&6kMg+n&T)x(ce00w+Hzt7nL~r`EgdgYC zy?g@9{at@wy3#5wuZAk0tKmlZ1FP+US5m1ry(O!6`-gF{R0Hmd2LEF%9mtre-MC%~ zLQOo_BPo=Smh2xHf8W_90h`CPUtDu_!m zkdqUyPj!9ff1k1+$t$f&B9eT%M&Sj$GQ!eOsO6KI^^mBM6YDs>Yx%wR^>d9znl{eC# zPiroY4Dfuavy3PpqdpR#e!LZv?}h8-Djt6_)~((<)Bi*BPqGCJDFwIR{IuN>t?bb# zE%!Yc7-{+HvO6|}gMd@*ddbUGLQqbW`Ra+~P_-0~yuiO#pvU2D3 zaABS53HzBmCe_Y2W@Ag2UMQ#G6K|Np&bxA&x^mSD91PTfy@lEEK3;BLVlFI*T4o%@ z!~PsAlOD4M7iu*>5zgoZ`?X`9EGKIS-2F$SKVGCP|bBPCOwFb&n`fT$v>yhdDhE^;)y}y6(?*d z6)QKL2-SgZ&Uyqk6COizXgZXJPz0|o2O&=d@}@CK(T4bKAqOr9GqjS6W(ISpWNQW{**7#-HIT8ciDyj9Gzq7aTDQ$Xj5okARQ@oaS9m$^JbFiAV_R3Xr1% z!lCN34S<5?4ijZA(MA@WHspi?lUcFVn9 zXD=$MLW23MouPLQf@(A&7*W!r2z)Dt6gO|w?0(bHa^;j3PN&UG*mu+<6(}GPv=%$t zJr!lE(_i&kdPwTDad*|vV=Nq~Ey=rNQ7$p~>PdX;s=woA#+QfV#4c74rzMZ z51o4?L4bl>5s|yFo_ev@kaC_EVCZa*3}LY6T!NpcKw$E0gr)>kP%A)$ zW;woKSWl5e1MK&l%uKXb2^@~K1PjxRy#Xyjg?f?{sNLVCdJjr{?&x$SOKwkufx{~^x9LT7;)nl5-kXO*-M;_BMMcS$3R#APimchqj5aEv zQrXEmX-u*&V@#5eJtDgjl3}dbN1;KMAsPF=?}iz}nBn(!-=EL-dwlQvexBp`{Qh~4 z=l2}%zi=FLjO%?}=XIX1^Ywb28t$7mxtTggp_?-bk>KJP_oyge-}g(S3P+%R&DeIO z*|OJg!m9A75-;5SIGo_R@nQAN22b9oG!?!Y9@$s+T0U*IP)6SC+&R_U_kpd?zfpb( z_k|T8iLAUcA4DuIlPkNb@kb8Wv}v@~>T4*Y3dL5+J}B~T`^arY2Z9xGkPzT1wCzL6 z(7h|*$J;&UxarOL6`RtH_eKSYO{28A!V>ge`2O)v{Es`V07|1>L+L3c>-O7eW4Qt$ zVzgj$fEjB=c$3EG$G3SY-I9D2Gdlx1Gipk7oy+#5PK|PT4Blt!{Un7Q?*P3 zzqAm5FR`j8_g7RXKi!IUykoXV@Z^CX6UuVg8tn9((-GPj2M}(spIWR>>7;=m^LI`X z+xL=11CB*_LptRr4|*jkqbV}-ir7dd0L>9LpAP(QU{u9Uezo4j>XHp>hKTPZ z7s}5W6}vdc51OKBk!wZNkUk|&-_19STWy=VjvC=&SpR`FCD4X-`pH?cCh)s<*E|@* zgP_)l-3@k`Y3!vndOJHH7JB_`A-L$R%Z&|hTd!3?hS(0*!e!@wgw&?8wgxw(3BpnC zeeKI>z9GK7ZHi>jPxyB zXO@Qq(Qx}uOLW8i5Rtz(2uzcpg$)s07rOxBX^f|D7*Pp%#HB5y z-FK=XA)uX(>AII*hFrq51XW~1)R#giKsPOs8GXpgX6c>6eu)8rFE$5)No_NB5|*d8 z3T)Wj@yQ0jvPGZ<;cwC()bu5_>bhzXE#pmTC3p^156kG<&Y*LLHpcTftms^BMMNF2 z@^V|FF$-vO#_sE8k^t0cO1t?Q$L37>^vq<=c2S*0L0Q`D_k^E20WONRBY>qwhY5l^uyl9h92rW@8`38?#R#PsQSUi89= z)o@Oi8PiFN$%cV5ZFmh3Q6M272NQX1En{Mmt|*j-e$d1dCM-*P6c}S3oKI0E>u7G-yPUXWEmYN~5nz{sSidA9&8j?Z>_^AZjqQKVDaHj=R|LS-hF- zNyg2~$GTYTM|nzU4g63#$tB}jUx@@BA~D%zI4V(P@(ed)D=`A_?uC3pdSUT9w1UJ? z+fH~8)@3e)3NSn(Wtl;K`IAmHkU!3e3N?+=Sui@7q&9WyN7z6q{>DiT7<;dvdFu1N zYUR_zAN+%6nZKnE5qVjQh<2AAFD56eF1H;&1buCFcdkD+_6q6;7(#4xfKVC@qxglq zBmk126RRRKh)^*?V$MWk4F2<~MJ>RwaffU^z5q0%=dOGlZLyTzBy)?B`Q!`p)z46u zuGL%JTOCpLjll#!Yi|?nJ=e_yR8Y3|AGjqwu=1Ftof zmHwolry3wiuOB9+ z3_`uDsj@Ac2HazcXOjO(Gx>jm*KOzkZ`~6Rtogd?`y=qJIw~2xArk6AX=jn2-xqbG z8kIJeUQ0B}i=n=EYj0)~H0CAy?wK&aNEk~#w55Av_bKV;JERwN)N6F*1Iy|tnBK`; z9V|SC<^Lx#S_jjgop`mh|L(-k5z!-~ze-?zfsIxn3;*4VM`na)%7!W_wFO4OVM_~L zqL*c2lEH9?*Z*$Ddo0SjI#cvaK-K?l$G82S`hUG0UmXGHlKpL|W!So!oqS%ak>QFK z^uV7r^P1;T^R&IdRj-=8@nII|+SvaW6<_Bk`s$W}t6= zXgU5p%3sXt3f$_1%NCY2&^b73&olH{`3e>Tdt6JjVtjTMruQw@&D=F0#4&8rY#*4V z_)x@01UF5`TWdQfn^fBZ+0l$XsRbjBJd3(=u-l8+H=M2gDVDG3!f#D#IZXvzAfGAg zms1ah@>@A=6);zG2J?SU;QOK8wk2oA2_nvXdVSU%ni#3d2q*b9jz^^`rN?_|kYw    =3P;-IC=#sH<)YxMp1oDkgBx>R-VXhjj~>PRq@ygM8W z-3lmAyiooRjkJ-Y`wV8Ql%fBxasW0t*+g#r6;K^}c2Vj#P?DgUhZ+|1JCW z@vKB{gkTzTNfUnLNT~_#hLbXLvAm^ckQP@Z*@`-sYmcJNh^nN^=|E7L$rf>GF6Ns` zWEF?9Tr#yL(3kl_tO{ zX+Yjnd+qqEk<2n5_S)Kqc_8>s+pG=HqCi z5nj?kIopPG!DC2SrSh<<3Sr*uW5kZa=kxZC=9SK64;P; zISs(%En#6xt{I+lMF2{iKa5p&v#~wEEmR-QLAqkhnYvAG(C!xG40Fq%LS~wpfDA0Z z5};gedg5k!IYA3(~`1h~D;j^8DKCdu$kH4N%5vDznKM-G>U*aFCxhyeG-*--zOPoV@MUNouEHVwF zB5-29F_!7p1}C?mmTl)coO#(bvO$ z4Sd+@S;O$Zy#Ug$Svk$sa>8i^9E(v;dFX8oNv2Kll;=%)6G23C;Si}3RZS&={R$Pb;-B8 z3>yc4HH%zQbY1qpvx8Rvd@Sl;|LJ2fwC`iFv}(GDlmK|VIM@$uePk`s+eVcKhbOqo zHufprNU3x&-YD7h!*DNmY+A&yT#?m5DL1(6iTpouu~4oq`uZ;yi_fxllo|5?K-__* zP`Wqh6P;c|D(JfNMLaNRl0XqsTK9)0qB3DC7cbdKYn~=WoZ~jhxTTy1}4xz@n%@PP}0KUZ9)!pcn z9?LM5-6PvEXKJmx<)ucE-B?9S>kr4?eU7rCey(iN2$0Nn&IZ542dGLdyRq_S;Cg(sv?-Ic4)fQ zaA47fSw^UxE2QlQHGlsQAa(`s)8Ul4_5mn-nBo%nm~y_<%>QC!}I8=O{OZj>h? zi&W}dR+>t;kx-zidQz3$WW)O?N82=)J0O1HwSd`FL?`@kZg00l`xWME6$-R6udzjz zy|j?0s>fQTKU_^RCT_`LqVyTkRAr*SykJ3u3Cxd3%R^XDL%pMK|22^8r%Pd0e*Rtz zii#(6D^$mmYBe4>|7U^?tOwQtjiTz-(d$=!qNpqWbD=swLt*=`p90)zTgrd(E1oF_ zb(zEJPL|Z(wkswrnYC}7m=tm7=?Z(*r2LLM*UWE6Q-rN1uCB`d#Jp2?Qu4XLbRp@2 zGtGL|xw}&2YWOzgd%COw{TWLnQXT-AFF}!uu?;NKIc?UNuYLBBi_r#}kv0sqw8ca4 z;a)E^(&Y49LB-LzQ2F;Wny^ zABN8;&x2JV25l1|oq309IHFo2%h>j_8*ka8&IU~&O+EZphp-wWMTO}fndOO6&hOW<4_qT4^>nn+eTEt^iZxgZs6APsjJRHi<422 z<{_0vwUnX~3BprALZxw*Y~piz-83PwHc%Bm4m74m{FYXYZ~EOQjhTlu6zUwR7p{%4 zU#R4=N#VUAsYPsLd)#hou`zhJDg6C44G(}l>&Hd!bz97YB3(tc5>YEN75Nlne5t@@XOY&iO@m+HTVB^Sn{rI^I`Ni3t1*^RmDRz zAEblu4VJ%g?5o3paEkIRpa<~-jhv<@h*DcUPHw=ve90hb+CPHb1ob;tk`tiq+>K$g z*2bo)CJlbRmH*Hg1$@8v!Qi4kO<7XNtSMzt?Xz>k$U;~hOf*VwC;o2))oo7oZXIC>65-8qdJRw0SIqP{tEO6sK_ zy74u%YGFz|n+5;~_V%Y=ZbcvrVv$QkD|ob_Knd)Zj!>C#EU$HTZlv(V1+jr}>qq9v zfmJD~{4UuAq_lQL{xE1++xLEby_&{bC*EFrA)E%JC^Gd24g~iGgMDA|gG;t6SuYyc@^W+c`vHkxYq=L z{_pB=*w!q5{<;H|+n5BhhRbjM9tVL-_cxzwSNik)pxJROz<(s|on)8VUvCkh_xKTR8sHK!{YR#)nHwKQqd?UpxCMx9EG|y*B2WLxj^sFOPDej^+VfpRId{muU@oypg1pmcY+Vqd;f3@Pn9SAm71CFX3*9nWBR$o$0m8 zs~#;K3b@k$WiwPq0!Lw4#-fVcQn>|at5UD5#zeS~&veO7-GRn@v_vDr z`)q9qPMjy;wAd$~uLTQPxne0q@5O>jJPIxBW()|+T0XSXh@Vcwky)51DBLDOC733U zcjps=2QzQHpgq*#AZXKzf~F+jH82-bUkK`J03_?Vg&??~{PCndzqOK~FrdBS zbLhH1eEWGs5&ny0u>8zN9J^~@r{YQXsRx9ljT6D`vRsP_nGNYCP&Yo?h%%fD(FVWw z9jNj*|EZh#EoeU&1fd%(asFwA?FWIeE8?<18fMAY0sv}!?pFr=*g$o2-UJh3D!2w_%Hhy^hgB>?=%1e~Ny{(;an_K^oT z7ayVHE4+aF*eNDP4Oq(HqubwZlHu$Be;|7BChqTz?RifCavYQ9-rpO(XHv!gwl_}y zX`irT`G2H+0&n{MD(vxlH2|yNw0}bSy*X0<1`Mr0n5Y2#Bi3yZzJEgIKsM)B=9O$Z zjqG9*)%_xh<~dSpjTh$b)koD3s8l{42$gaA_& zSE&Lpo6Bz%pr|Pa+VV@Ifc6k5RUQ68aQ%FI|JED_x$uSqwQyG2cbU90>}^g%1$cx?~Qxayg@ji`%5{uRFZmn|U|U+yWr_J?`W^Ph*d z`bM|;H6~|P@a@Uf$%Ec*)R|;DYdVNbHQy&X62f(>Tf>1TlZs~2-`2_kQVSs6@?SCE z(iu7|_Wa_ZEfW%cQ{!jEaQilRdZt~)OJ$ZCdoRify|lQ7JQ_IqP)3MR;JT`|hswf7 zGbRy$g-H#|p_S~>UYgI2uwTGK;G+J^-O&Z3m)vM>r}VcB zy)C(|rl$f_04Aj5tg?cTQ6Ux^889r@Y~i0K4x}Fj0zk(WvJ^X!k`~(djc>IbqsK_%+_MF&(ynPrS89G*Y^c54S-ttzGQ4jvw9rp=sRiI&1P>3b z(jLzRD`$DA!iC#@^Q9#yYDis zmHexSdw%=S6C9Eeq2lRWbA>0Zj<=?E>hi=ea&>wbMIEVDny#(=Tm$U0>QpVL*UBdL z#R@2(T<688-ZMtzI(`$)<&C_zm%+Oy$>eWT=_Npi&27IubFHIyW1*D0;{2f%{QeRm z@8Nu_b^emwu%<{d(bEsiu0D5ctX2oqCUkKb)Xn3&q@>-mR6syp+SzUNDRtzdM|;{8 zK}DMqV4kD>V?`+3{Wok`SOe}VT96yXp<%-?t9G9G1_D|~$gDOP$`3;rP+xy+pjo1p z7@BYxmuJkJN}B2ZO0=>a-AtO0JSF>eX8rBHz}jtC<@T1N|B`b8Jb%__%^pxu0v0(=wMm{L zf24T&VF%Lv0Pv*O3riT|O^Ibq*K`|2QI`wa#$wn1K$XhHIti(R_k5f^&^s_l`OfNY zz14^XYS$=RGcCAY7&Mq&wDEGq3tht5Dc#iu zsCBEA*!U>sqW7#R3IWyI)Up!V#%3JIW&W>WM1%#K-wp&9 zm0#)nF1WJlQ@VoJtX$u>ris(@TddAjTQ1Lhfb12%Y~P3;1k_4Oit-DT8^MK5*@aEo zD7a$-L6u0n*5uPRt@-7Wil;3_DM}I7^p>*Lbo=?q>%ze-n`c+R7=L(ek9Nudl0CaL z+3$oPXQWR%T;Ji9PZ{<_U8-ympzs#$Fed+=mIg8|A(T#86iK*zV*@kr{v8m=R`i9= z>`bkVVL<5)F**NId5#@ARA7ZhHC4F8f=D@%39=R=7L^L@K8k<56Dc50U@mvylO$^P zmI(BO)n@D6Vf5nYXZ}?oQDjl<`W{=wE{(G66_>2CP59=e{bYB->)j64+y{0n#g$mn z$9I)yq;3T`K^ZRP-_itZ;y4C)rokA3lO=sv5hw!Nwa6aYIw=&2_-POsqsD_=f~WQi8)$Zt zK04pXSF4F;p%k_$7y0nJZ{^pI_?buR@<g3GV4gc zbG}j%-vRtN8?HsHp8M2|LX)UO!I@H=9@_OWes-5XeZSI4;hyJt(9s+?$H!g4%;dK| ztYSF{s=$t3`JGyAnTYQ5AKR5eeQ8O}lse1A8wmuIjukNm=icO=J2l7(M~f6(+kucs z!|8OMy%CMK)t`7{4@7uj5qmlTUYlNV?}Y2HLr``fSS@K$TKP479J;iBClhbA!zPbtE z{-w~~Cup()xL+@g+nJ#xY2~hY-Uj`|FH*l&*dq zQmMnPp@mgj>#!+5@X;XpIA|1#tz)3~K-HZ7Yk^I^?kY1%jeFnIx1v1JfP-}T&emR3 z?Z%5bU*E|sTjk|@PtJ&o6<>YwzF+KQmgv#tPZpQsO1a-&GCO}P<`^(FHs;giXz;Jn zUBb@L=*BXAWp!koWRS}bF? z?r5ZVHq2eU^goRD|23hLM@){bTW_o$$4+$njvJmG1rZ%YAXVS0`&oGU=@6fnj>>CtE_W$PNJ+|?sV-Cr862Iw%I zKg99#xj`I0N;c-2Fu%swmD1cyTUCkf;3zb6mt#*$68JW`{VO3jSct5rofm`7GyK?e z5Ewwy9T<#@Xr~)Piv^oS;QpA)sMrs$FyUp&r3eg(A(4Q6dnNm}@;&B!d2X>IFbJmO zTLkR;2ZTp=5HEom2$MYE2H~@Mm9k1t~uJqGVf^`nHSdIUd- z=G5a8=rPPa8Pxs&&*QELWjdhMOsu}3<$XH!4$GwdS-DROI3;PnV()R-y;`|b5N0rv zDs}p?CT=iZ+Ct*tMWc&t4+8Z=wD31X%(3=R@x+P|2axrXpnn+lXm|gR@XqL@>tI;9 zlqplib=Rt~Ikr!e^UJYppDJf(_ZS9{6{6m553fjU*J;{W%J+ugR(%~%>YZ~edyS$w zGh?S-k!}-sQ@yK}q|Mj$t_;ma50|f}MJ70Ux*jJ(>+gzK8m2DX2OpRq=^P$uDKsu! zW@g8S1VYkTo)ezm+y!Nk$_8WR18yjQngbsy)Wvx|QJOGR*&|Pm4vb;i>K<97{@VJ@ z&KYDyPv*Q$6QMo17T5Qxjn@_5@U<)-WOCl$d@WjOhqOB{d%6F`F@%V2*O3r#vLbv|%R z@!19^r@~Ggm$+;5WcQXb#J-X=K3c9Lw9ZiE6cbR{Y>qm{wQ9Y1d^$Vq+f34xpybZ5 z)3PzAM)%G`cgZDeYx){1A`hjE;@+IHvBD?IEPQvncjNJ7U(UAgQSo{c;jre$o%hVD=a_PBu22!iej=$4$FQ|p$6Tmi|y@tEj;6y;San_Ox;S9+@}!5cKyA@t@;`*8UDkr zJna>@2~AJSlg4$S1^4JYEy`szn$e+gq2Hq2nMfhq_(PNVzm`%De^4;#zj`n%&8OpV z@#F8jt~c8Q?SI8aIkbN2!)#Bl&%@GN(vVA{hH1mm<5&^go3N!t?4E(TXD9;dkE(;X z5)*TH6F%_fx%d~Y={ow|QdF6d8Z3=h&Ns_K(Z_u+A#W%W5rn1 zJ<um;Z$Rj1 z^6rlzHrco`sYj|-W=>`AmWUYvORhsM>)mi{3#Xz(a~<;n+);bG7}? zTO6oz?{B$$z@iEto9eE}z5SyQ_M65bT?ZWj1HD`$p_+&-}P%D~RaZ|zRg*6U1#WCu3fwhm#< zYOO2iPSdIm2)C^OjU&Q5-%aBkaASj8^HL}KUmeRz$!Z)sn#SJdq@Xn^f0u(5r}tYz zOF)C{!nYO9c|yv<59+&h-O~)b#C&y-{zPd#3W2woEIJ?-#)0s=fAx3F4;c>u9&x+f z-2EYTJ^NRLAyhbHU>w1N!vwG|!vS|KD z$tBLV34wq`XTb|>yr^l3=W78wy3`IM-qDtGeA_e%`l)hF*->9*;k*YeZ;O||ZdXT- zdS@O>dvlS=T2BvL`~ziiY*Bw9Js`qbw5!bMi+@aw%Xjj4rPN#U4=r$T4S2&#*khbP(-T&Fz~%17RxBB?a}BqvzKC?f_d zbJ@E#y0<=RCr@5h*-n9MlNHrAmNte}2g<8&SGf;FwcN(C0jQeRsrkE#91Zm$SEQI^L{>vApt-%QEYxJ29su zYc-ScaWh)?h;Axl@%r+|FBtD#pKZUf*U02kGC1SS`5`se^5>1L+q6*0kDI#;+O5j& z4eCpassrxx#kSwdhdl>mk_`MWLg^<43sfLtmf3wR1VLpT{`Qb2;SOE$f$zsGo1c*b zFEJS&`kvEn&3A5pP#@~GnJE_ayU1SLH+r7*?S(p|EpnUW^E)C+@KEH@!BSw`Az1^^ z3p1nSq9B6-O)ZtZ()K8;rmr#14ftTI8J$~o+f4-#tu{8EF+tKYMUO=HU?TG(OMO>5 zF&!Cd;qT+NOGDpF`<|Bbo|C^7qQ0K3oAJafy6s3-OV{j9PGnkt27CYeI|Qe$;F^|u zrs><|u`D1BW#N*eqvW!MC6jbgk+rKs@QL~;?)4dF2p8$1FY}%#4=WIrweD%!>DiSq z%23k@R_Ipct^%QgJ5qd6ZAT_0G|#)u)~2@`e8fMZ5w%Jrc$;rgB6WWYdGqrf{FWk% z(`=2v48OZ%H(HxF#Wy_}n-<$*Xyr-|BS3XK)EQHP3P0X`7_&DiaY&^zIIYx@BftIv ziDun?$F=*KDNB|KPQ<*Mwn9s_;v%y~3o3fk?ptHQmx(v_9z85Jd8MReVs{KrKv*z+ zevZHftVg{(vzcpZGEj~%k(<0BEksN`%klh7yJXeo?H<2-eQoeN>3(0ev`3Xituowp z9n>wlO%DwIFmyRwA|ExO>PdXlLj&WJ;x9C^S!Gc)E_WCF>lBRSDZ*~$5fQ_=I9R>V z{W{CxS2ezi95r*j=crb*Dq0Gr?2 z%%R~V>x_d)4JsKOm^gJFb43-zeg3wHWrd}#ACrPht)AwuZ|r{y}bOm&D6L zgKddNLR89n-EIvRiZ9zbYtGQ}R!uBco+4q&{YpvftG}RCyWm$eOQ|`#zOOyd3_R=8{%a0`w{CtizRzJ|G zyA#EC-<8?njX<;K3y=bn-H`w(Cg%*Qpd1Kwa0$G4E}5M?c1;;HAUJ0N5?60d7DR|m?(8!BV_Urd zi-P=Ut?2J^#!~IsdWTL4oXY|x8PYl%j!YQ{ck*BPcs(9s#|ZS-P>bU#p5sdd-L^a5 z4pR8tE&&Obo)eMn8kbY+E+Tyh)@1x{iBAY|lF5z=pZ~tW5YrXd)9!=82Y&k6`hVQz zJ_C(QKF@T66s;7a*Ba8~c|jX#lzWbu*7)_iyyeB|kRq?2NRa=DMAbrVCAHjLQZa1X zmG=C3#NfzMe&uS*%b>8ciG~K4#RERvVh@~lxAS>GF%^WeGff$ z8nT!2`o1z;sw_gSt}r`Wa-cF_H)Uf6p{}OWvpH-=qlENyPpWxHSr6X=zZPh{`VlVc zCt0<7`?ADWp}Mh@?yT_^O6H24vRJ@nBixp2(eX3Nj}DyFvTu!xH#GQ?W7hSk8{ych zUbtR=Bg~!_-fLHj^EUpUX@OztzYZ|fU0f3M+Lp{?$5b649(lg}Bz zqhjV|&()C-vog>u&c?h)2&mddIJ-(??0k6zCf6x}Qc2t00ZlEdxn*?}>9lretfuIR zA0QP6iCzB174Y%UL{`<29Bbd0&^xAHKxPxcbn2og)8C&P!T~Q2kouB5YoF=1*3uDQ z2TX4#oKHpgrK3x<3Mw-78V8N}NsuSK`u?a{p;@nT8fE&0=(UgX#?!IF;HjoWMGLo_ z%*eM%woRr+1@?c$beWa)K29D_@#b3qttmj}8G}6T?69f`UK0T^bq5xH_x3s{3+>n)htJ>Mq`f>W9M9e%;mEu{TM|)6Sa4{? z|9iHiRbPBw&>fn)gE^{i8wVoX0ej9(I62^hX_?v=E1narxa5L_hT!y z!{zMX#&<&vt|wlA3qQD4;M7w(_WFTs*rl&=3R#M>t#>|1lpK9`AR@As@od|+XTe_Q?tGur%)zb(yZ_5fz^YP+b3Um`(J+Zb+^~buEA{b z*@M&g?&?+aIZp6qDaNdP++L{U8nJ36sB1!(Wdi)Lxe?yu^cc^MP+!hR1?Lyah`S z_FgHCkyk^?aezKv?i5DQ@(Ej|5y1%hRh-3^#BA$(LDU*Ta4n*ZlkY-_9>_!P9?qf! z@pbMRK@!-EWW#coErbA%=jUtLEChOWWIa8&=s`=lb!_%4Ow@P9#{=Xp=+^$uP((>2iHjUyZH#uLcP~&ONrqT?RVppwNHimy|0Y(40c$;|bU z+bU@h>=3)%A^~R>VY&4;v>&H-9(8JG=Z=hX@AH8i#}>@qLa-4}TehRbNK-cg$k zH*{5UBLqgZ0C}});x!J4R+UFM0vmU8J{W|43qsRO%5RxTYAkNTrhhI=WZjOxb8f+V z=(tsRB%=NY!o}`|;a4rw8oNXX=YD;_z1`dNGfDkSsj? zv!$SVDK5`IW$Y@w{1Hfh5cVZwp>d^>*Rt#Q)shnMIfKI?O?)9pI;-O`E1TJI@NDkpKcStp&!wkw*D(?!)?D9dg?JUwVYf7iAZ|Ht)G`L|;-@ zx*sC?;+Wle-RpH&`nBdWW$nslY;Z}D*pC^7D<^L}2goc zQ!hK+b+(`u*ZC~ytmdSnV+z15%~muamKf{AI?>GQTAIYK_Qxi6D7~X8PG_Uj=XdO_ z3v&HX3+8V0wMjxf#ccWwvNB(8(jJrgWQhn9@4aiDd4`uXZ=S|JIiW1?Q@l z-tG|=2vtFCIq4lW?#**0XX7l*y8kyGfH+qF`@U=lh%s8nf$c~ z^ZME|!SfNaPp9m*mucUFK|c$sSI+k2J?tGdQ|nEuRH1S zXg~-QnaJH58>wr+wby)M<-scbPWot)Tmc3H@&GX=sAAf{R4>}t)%Op)l z-wDks!RgLTQWX=sTc5`F*u^cVF+6`9W1uP;fB280Heu%uGkis?4H5L%IXY1za95t^nl3S@)N>`03&Fc2t3)s ziW4mn%z=>8n=#Cb(W@4nS$w}YG=;b`14_mjz{P?Q&n@F1T`*%Q8ZaCBHoYl!TdSbc zPWu=_>l7kdnXAMxw)p6HU})dbj8B|CPJCTok0vi~edUZ-}g|6vb)59oM z#&iE?*QCD?D%*I8 zx%(}IJ0p2=QBYh@76N6uCzl=BOYu7UkYc_5&HU@K5PJ1`A_G6DziE1yTlmZ4tC^J> zkm#H=lx4h>R)?g*aEkxaK&QcuZH7^4bw|L&CiW}V;db?dXSExU;SR4vdhENP<@j;t z!vb8Kv8%W}?rp#Eg!S3mA``~q`a16)Y@l1%N*pHEI>uU|I@Azh1^kI@)TP|v;( zEV(N|{T-toC>FMiEW6(~%YSK5G2Q0Ww%(Drqv|rBb*rU*k9;p!*)!_fSOBISmK%6~ zLj*2D{YHFpgt8u%giUuQvCw1;zc3#-fce3k`|=ks)bKnNLatz5&S*^v1D}5=BAlWB z&DvVXYh1b${i3j7QBl>D$Ftu@vhw2(akZ~zyIb9a>4F_$qS6#EtgeR1;$Y4>Ci9a| z4*0ObXi3MSXDS_KTM2daGwq+=yyRk%)X2zyUmK=n_WspNO-f02Zx;>Pir?MhJlYzwU2S-Eqv(L=-3 zA<0bq(8UAUu9*tEpLy5t%%JuMb|6~dRxM2b`^NW&PDQU$%W*nOU@e{vGu zV47giTV)lNW@6UKiUe(09qSj=m@{*aY>wHa7pZ$aMH<}njQmeuHA*)v})VRN{?w7-&EIMq3m|wC@3D>6VJ5|I_IA_ zzxxeYxXF)hLj0;+^jM!Ub6#Y7T9oim?mo^>jbC%^NCaZo>1+P?G74WRmBFcb?f`2< zg#!-LFa9gbkY#=#Kll#X=k?-QDO)9&>+KMp?>?KOELrYi)^$b}SK~&rP#~3sa#uS{Cn;o4 zpVy1DSquFvr30V=oZCHHq&IQRG?&zCXC-YHg}mZ^UNWnS?9q*H9tu-Au=|BNFE&lk zR1E(0=7QnW#`i$6-FpU_qFEOog%7k`oM-CHYSlk5A+BNgBNj{LPnv5^m^;W71!ekn zh(3OILFjTYSRrjZ*_$g8W1Y4X)wDHtZ&psh=k}ywlSJ_N`#EM!o81@^LkvdC4m|!! zs2RW9+SOFkCaLf!=dxMzILN}g6miF)0j~|vF}FXlgM_xCw~G%S)xazAOB#3X$-TWO zZ!A!w*SADtF8e;o2`MH8mTSESvz@ELcYnz<8(dXPCcE_A(rUur8rFZc9SGaJ6Ny8R z$L!=ewv<67QQ_O=>f*)GRw`=lJS|D6*lS1jHpf4VE?EbHvky#w>)UZ!$;y8q2(rmO z6yD2cqb`1KEp|*X-}81X&?=yJ{+b?rqJ5T#=KhLXFZt1)NW~4gHq~-JxexN*H>;v78!djnrVJS-A;#nS@rxIDH#LJRN#1eM6 zm88|1^PnT|M=;^oSUUl-SFe(quaC!xacZ0sz!tJAoH8bsz8vtr3$m$GqFUtOD-6_% z3YfX-Z=MPXW`E)B6JQy`76)bm`H^#nG-o)P&KVNMc84wSKbP(o5#Ox(b7}D(**b@m z9E5iqLK$^LgrMHhmz0xy{;rh28u)ev$%;UKv7aPRFV6EZTw%fZ&7AH4RB5C=$ zbPFa=eeD-zpcF3ViI{wrF6L}n5-n+sxiIeOns5Wi`{i$EdZs8Uvl5q^oMSu@rZ<lH?#-f5Wb!kBV z;!;_#qR|lX*v$HrBB8oS1vln|x{~!Z=*PPkojdGr5D^s#4si<}2x(g*LL zOpUg_=ub-|8%HjAqj$G++!uc7W$Pom%*Ca#Plj*%Qs&|dW%)O<=CL;i;R8DT3Op?_ zA68@zS3krUi!N*ic(=cJuXx&Xq|^1>=Xa*T!e=?bKu6fVgH}bIyA%aYWCR3L zOniRF=rmh+MYhIJRx_?~csd;3%7~gU@Bdrj=)gXjO#O&QwhVc;}`V9^d_JVn9%*GO;X$Q}vPuErkXwCcnKb?LOS7JMEiq zwRaFW{Z7?qJK%Zomp-AII*uFMKRjVA#zPziD(6tW46cB`KV+T99rcy2%gl#&gxb$% zQ+zFd#@+D)t>Y4@tzgBKh$Chw!h(Y76>t07agpAY4~b9lS@yg(Vo&Kw_*;6>5&L zhdV2!c!)3jY2xKxo-in)( zV~H@=ppWXunCzdqJ6Q&?dKSMFeCWBp-(-3iFD$fF7iwP+=X_7Ba(kmTCSSqg-=PIR zm~B8y(-&k=-V}52t>ix@prqKHTgw)X&=x`UkRSuaPnV1PUWxm-Au7-w544)^<3z+B z;2Akz>p8lx=y`E!raTJQOqyRjli2(KaNYbrZv>I*OFPVu1#ECI?b1h^uPTvG_HeYw zA`%*?H<(wNn!26I+&6PNf9aGD=#gng1=Ajy(llCRW4zMgw{fU29;NwNSL)m4O72!z z$qI`S*rc?lu7f<{rbQEaIw4_%q{kj_m#999xB{?dufY(XysdB!p_zM9)0E9+HZP6w|zv^BrP*gioH`jXRN`;o-X1F)B*$#TPm zmve86$7rMFolBp*Q0Cbpiq?f^{l~fkYWD@-R^n!= zlvx(mOi#+}-8VI{L))Ytu2yGK7+ZZsmBCQh7u8+(euL3-_2l~K>b!$0V0_5taL16d ze2!i5_DnO>26eUWT*;BUwye|Vc_L-yp{IKClGZU>RPwckt=5cr6zXbn<7t+p;8(eT zQSn!)9`jVXD>C3fCD2U1z9DBji)R^Tnij*Z6b{$hShaUmH&~mjW`C`;({R#Y_`!7Z z{PWB$80Njsehc|%Jd4Y44+1DK$fJGiLQR3AIch9xT?K!hfx2-e6&c6$HIbz8Y#GGh zxv{ms*Pd2ohZ6>*GA?^*qb@VTWw@n0kKpRYl;WEG?YG;(*{mHYB3bsGi=F*T9YZVl zdoQK3eRxp9Fcw^)T%G*;mTB((OipSr(H&ijx`#f0Ayw!p`C~UkeBAmqQg8pO%n)OluCjmX>7 z^0)|$*W~~fv*Q&*=g2%g#tW&&m9v#juW|VHjoigQSpfZWF3khq_P2!kpLnfx#V&QU zzw1wMB5o5Hy7g5xJ_V;WSVHc1UCt>9P)TlEFipD{fMzWv&>>Nyg10dHiU}r1j^^hZ zX#@-bENU{<5nm~zPJ0EFQj%3T8aU7_vwtdr z(GPuR3WqX)1tZQX?}8v+8jO+8uds+J7|>O`_lQjX&PtQ!CM&TYS35=b zHq#kXDA7(HD!9kCg5OL2^M#Rkxy_dBrv|c$?^{y~9_>Hf-;z}q9K80b^gI=s%^FM+ zSs;oZoCT18`(T_qGXo*QJ|MKekn}|lMbh)HD2qn?L!~zU`Q>41O&PBKhdxy6gG)(F z7`I=V1a7`*VSn~}N`vuZSc&i5>xmS7zBXSKM0b%4smAIQ>gBScCj2fxP9_O# zc;iKsSTB9ih~@JlJB%i0oraw2sIR@`AO-GCH%^7&;s)fu#<4PPr5k~M>j}kaDCt{z z#-SQVDX0)N%17I^C=y$qYag!h@_A*V$h+W48&8U%{JAlSu?A0FsuG1W)YZhKqgqtu+G5*l^=9~$v)$gJ{WC9Q;iF%di20q%NUl_e8T`;b z3HGIf@U5clQ>sTSN6>Mdps|e00@_a7EQ$NlKAT_hf7b4tzCzwhAd`ST-bNY)FkuA9 z?}_Wv@ft1~o{fj+7;EpjV&w`syf2WMrDPL~1Lc~AJMbM>vzU6P2xFn5-w>$TiLYBJ zZCTq9*oR8i%4gSQoSq8t(9Y(w%(22zzqHAZMEM=KQ9BbnL3k8~AXWXRCHlDSIe?{( zbr^(>A?@1}bBt>v-;C;%!(8N$i;p9G<}6$B-CTwvfEf5E(v?(3I*rjMZJeg$?I#Tuhp+$qu>SEFzZD>sW6bVR-zI*NYZ z*9~e1f*dMZIXAl(^k4sR4rJ;b=oGjcrkE`?U+h#oTEm`rVAEYoE<#0ZS6Rgt4*g$% zW6f(`Z#~aW-LBZZH4ESQBvE>FAzN3&#l%J3Hj~P?01?Rd9vaRcZ zVA&Av>Q-|Qs4096Z$8tp9`d5y=|ity=5jMpbuqu;sky$dTVm0+#k|MHN9JqN|JEEm z33M)No@Uiicb~)B;;*aJERf>eNkf~TvRiU+&d0@ z0YCXE`17|ix_VQCieDzS5l$bGc`}m*9#pmfA)idD5JE{cL06)z-zT)FqS$I+tft>vYFe|l(lzaEdY;FnwPvofw;QdDpffLn2=1NZHv zs-B<3vv`PhF}Gz;sZiWBKXKe06aeYNB~>;}iJpdwL)_j6lGgwd&HclR>+-czpb0WR zWf3&6ppY41i0*B%on%sLhrS-^Y^i+m*N{lsp&m2pR4|?5V}O(iofi=PML+5D@SUF@ z&Wm%oeInbdhx44)4T+RA;J-{*^fpA@XEf`)p-%?b5=LOW`k^>ZBWnRYEG5?y_W}xc zx>0%j;mlB5wdI-3rb-8^QCwnfSVI;m#YMzfc7H>sEDWdB^PcbjS=O0rkK)t3&VJ`$ z;TuIv2EXZAQ`2B!0nJzmlP#8qt(a5mHODofw+UvY91{Z|55@b^KNhOY!eT1oMT5`t ze&I*+Od72SX1CFH76hHSkI&7GN z>?P3*A~-i1o{7Z7MTVKM$xj9s_BiH!!}n0Rgid^v$CNmRQP82_h1S}sOhi?R3!z47@NLVe$c0p0zQqfcZ- ziaExPl?C1271wFPxa}O$ST*s!5GTaM>x$2$CFR3LFNr=jf}11qu8*{|_Zb_wDiVCA zAedN}l{z&`VCD5ZgQyc z>>V;9wf$bVvKS-w&HyX1nhJ0e?fx^L`B{ zz0}T{scIvT>GtPLwHo72g}2Iba*m0_t=;{WX05&QOP2?IK?Hro>%ha@%iC`s!Sleg*S~PDlgLvD4%?ZQaEEsaKX4g8|@(NhM~6vtkndq?Fu+ z%f;b0oMX-aG3{O-XZO#HHfec3=D)#)&%n4oZt6f%e}5dGo=()@JFs`#7nzG z7n_mt8J3IAj%9X|nA`j>HRM0@S)x70R*O7$Vz)|+HT)_8T5}1jlb>hsu+oFpK z6{1gG!%GAcL}4{lSBe%G{$hJU>6!J_mrDLEmn}jKIvLXI$EJaWs4$cJ3l}FBmmYet z_<<*sB)$+BfqvQ6ykLX?iO+2unwQ^Xbn>Grn9aTlmo#Htm3Z+Z?S-%uE)vGsvXWRv zns+wELzyaP+a#|}nvHuI({?Hj)GV63tF|tV>Uq+ zWZAqd5;$vaZ7^g*0uQeOYUyoUVoOUZ%Ko|-8?F&~IP$V|u9(B@{ytdT1pPCI$$Rrf zWCCul+kn`7n-|qg;V$L3ay(*gHo=%85k7{b4(E81$QK1SvvYss%8!Ppu3Rm=Bj(dk zP>RuLTw?_GSE_EX=H=P`%4WN0rPI#F;_DluQX$8|C~_51%5bNKD;M51-%H}Zx@4D5 zE{@cC0^>Vv)ME*0vq~!0ybSM^RiPyZ_E7n-|uRhS>eJjxQKpibqPfHWn9xO0w zJ>typ-W3a{PrMl0crNpiP(SyLDSx8W!ICmLE0e4uF(^f%B7T@wwqk)?LP79W{vEKG zz8%OlTYCeWTU%x~nl8(UV4Ys#L#d`sOWj?sv_)q2B#U8=kcZcX+y)TuM%<3~M8sRe z{mZp#t|mP<4^T+_`K_|yu>I{R(b6M5{I4J%(N+IzL!Oez>fhuUquAm!hIf%=SL~7i+(O! z_fI5P96m8gI)1mU-m2K|uYvEsh<~)dQRn{RhOKhuk;K?f+H$Ad@Be5`FzAO~NDmVn z*6Ej0W2?BFxA6=u-MCd+9u8VIl|ng6RwsPJ`h_C!a0u5qm9UosL^IIP!aU_RHyuHi zT}=xLy>-P7xrxQ1Jygh9yW$OFTN>pb@G%>2l~8e0Pe{|kNxaqp=;k*sod)SW`Cmb64_XPkeeiL_X`=` z(KBvFfip4r*h^K z&V)Qs2@Mi=ZYO4dqVr_POz*K1rab(C-xirFy3IO0j~-o1IHj+D~;f zKUz?!8~AE!2EG2sZ$$VDDqELcl=hG^Jl~ZFE3DYiKj|3ezQ^2jTz8>6qgi@08g+G? z!zhD|nFM5w+z6C{*dGQo9biC7`Yyo8hb`@`O}7nQ_oPxDG9-`MggJQ?HH;SHxp7`6DTr`T#M7i%YZ~?zAdbidolLhJmnSWLf95j2_ z6SY(~=ky>89?M=Yb^S8y1-Ee?%0hRb$%?03Q0qCR?Qd#34)_v5hYvvU!mvm74Yb{D zma=uP`q!+l$Vel0O?p?|Pv?@_eam3X1C zXahnf+F$rlM9s)tDqmk-odh;&Z%w{*QsYG-T6;31{!t`9;>t~cJET3}VQ0aiVR4lA zS4}U&-;BT=|KaDIPIeu5SIh}DS zh+#U#!9W`Z=9*H`?T@b2`!0ES_BFA)I$4&E6B+$JUrt3CRDuI^n7^z!PPau@1XqEV#Mw})z+OWnGRql&gvV=Jw6uhxO-Z&PP@Mj6H7KX?C&FU zcYT%!ddtQyhe(YqBo+#FnwSl8dp&R1%{cgm$yyHeZEcpWj~>sR1L zY*{Xj!`{s1t6DB28=NmVU2iH=ZJtEhF=M*eh`78vR;#(4%byhFNbi~h_aq<7&j&(%oLht}A>8hU8B2H*O@dbyM$j zwIY}rNiF-5w$#RQJ)bs|yrUmcvRf#Z1_!!si&=L5plZqEF);@ouxZ{6vKkT@vuQ0> z{Zi}~J0?<$)Nkuh0pU?r{B_@1%gd=|9s+WP$Zvi`T`!cFP4f)9a|_m3`RkrwJ9`qO z)qm>b&##|d^%KpLRXcnY9)sCXzYt`d-f1k1u_@eO8#YOeROSQmi?Xs{)}@a-{LqW} zk#_>e>n*|VmqFRd6Q!CmY$8W;3WEEUUqx7rf36$`e>Umj&Q4h~Om#X=6!d^@*76SC zlRll57d!bFYy|iZIKF6|y93J6>jc8!|19d?+<3Qe=cUfZv;|$(`OZ?OzrD8UoQTWV z=S%xCD_$SI>xHQ((dmZ%Z35Hk_18@|tcKnfJN=t53&Y)Wyd#_zg5=p*`%9=-Lpq=l z9b_dK#3`O*?vXc!&lHJ^ZX)p&ODFU10N_)aS~jL=f#kcA>shK+kY)}BA97D=N=;Ol zTD-q~%Srehg+?mLHWCWGjf^tsQrz(3i8?h!y+~eoive4Jq~mUpyw%mjN&DgnyV-Sb zc1gN`KDh2_q}Zbv$GE%r6}}U#Jq7Bl4Y1}<_FQAoRrWV@#HVx$>wCU_mWTs;GeHRp z)n_SrXR;I@l934mmC?_vJ~1ywh^E_lAsWyCkn$wt2a4hlXKW74QghmzcBa&JiIOpY z&LH&=a8t-ocdp)jKdgj9i5afh!U8e?Xt(ppz^7un54UjV9Gp^krB+g~kJ*SR{MNjR zNT2wIyr48FDG{+T?Iaq9?;y&V5VP0M)ybG0P@Y@uHQOQ?$O|umFD=C zmCQM`VM^FK8PxwepMQ9h6~xkaiZFuqwaDcOP;{87{Y1<*zzi~IP( z!JkSWnyj@rwLOc=(L9#NXW-MTjolm7-s({Va~rzNEC78m=v?V*Ra z>#oL5trWN5HBxFpcR36%susdxht4IqQg!n6ISP9cxSf{!Vnwe{;<|S&1?y;lfZ&s^ zxqzkm6tzO>t3T+c>rdAic!2N^lkuL#Ts7Lj@iKRwcrpr0iS4S475q8b1D-fw!&WT6uw>oM_{*QaK& z8=`+IoQ8GDSA@b9Lpv^hNSO#AueYySk|mei*Cx*N$I~9M8jBZ>52aA?|BF$N_LBXR z0r#J;N%q}~q*%eZ*xD3q2}idwDjFhL7~*=oIn^onuB*e%W#~Baf`yy?k?OUe&dc9V zU2uL~IF39xa~R9pq&sB57Qi>U8UPh%(Ed{C$nQVN)-l78|q}wjlcU@{r z74E2dcq$*xcZefIVE08_0fj&RZ6(cPpdEMwY*G=yhUHmO!!^@kE@g~s2}l*&1Yir8 z9N7z3KhG-|wXK*%fe*qZC2i#_Fe?CKo@3U&lT98j_H;JSmUlv=F{W%wHk`d7pSNAq zvy4>jo<^+gtXg36fIly5*&L{-=TwbYPzv=xl9UyG$cNLwd|-1-rloW{k!+)#!lg$> zkaGXJO1*8-$_)Q$-)4&$xdm7@76|Nk$Ol1ce z5?#BXi{&#PU;rV62jZ>iSh-Z^S4^we4G{HU9t6&HT4r?#_1DkZ8hH%55ADXB7o@H> z+SDAz%?RV;v_b+TANvmBwziPVO5(UzNaai2YonmZsT@_)SJad~s0+JzHf}q*`OZqK zG7P>{+e0zHD{97b)ZBIlTXC9WnOze=)iEuI__|A(O!Q0FWs?mm$%a4i16b&ZXV=l* zfS@TJz>UQFY`o^RX=Eh@S?^XlYXQ?=a(0QiO19bi8!=FFFvvf|*+59>jPKCI{MMUS z`7Z~5zuVL8hIS4uo&N^aEx}&yJ^ng+Z7W^5eII`c)y$-h4kd22pzLy|?sk z{PoQzv!(rR#`a*^D!`tH7hoIB(`wR~X(lTH$2}?uX3#&FyL824~pGl+8MAljJ#PjXYf?4Y6W7VY>g{ApSyDf5xxbtrJ>G z7Saf6i%t6y%8b5UiQO#7IVWRc@vRKcM}9Iy{x&}opzWjyD8J8`r|a&~MY_MATPQ|u zP<;UU{y66Ozx+-l5r&uU4@tlvP~Zs=lk>bB-?|2-?23WuCLUO9mNEeM(pAiy&Y%Px zN8Y%f)Ssl>mNob3-cJ`WvyUD$GyB?PQ|l6CQ&1zwA8UJ+gR_T2&Ej!7NUm(8((GT@ z?}5hMEfE_aOeE-(j^7S(1A847Cp#J6LAbv2I~O!XY-X0b-4t$ARQJ+6eh&=%&dI~k zBJ3=z6@ure)r^yw=Sgf)ynzeb_jddN!S&x&PuAM~2`&l@>=$?Z1^-*dgu>UyRBr$s zeTntp{WF^-6|}x99d~KJ^ixQkEE`@T9q#W4;ZXs;A+r<~$<;$&myu@5<`vwkx#%*+ z(KSB=!vX_XVm7LY?F>?Md**x)f68BT5z%ngPWb7LB)juk>0UYox(Wf9053sr`{SQY zw|!(Dmh;D#0!8aECwkim5kf;XnQJYA1vyHdXF*%FkNpTxxbhHFLR+q()0iwv^o&ECF&29w#Dtp_#S>& zk9;QX?E9yIaxb@2BB@u;!HXQ;MsIH6!IFqiDICFdHfmv8@15}Hd_QQ!M}ne zeH^FxZ#UpH$;sKR`~$5j)o{>aK$@4!Pe~d(=WT}SB=_sjx{HxqX>h^zF=<2adx-0i z<_doVD4?AM`U>M}zvg5V@X6`?GWeO`Zq}eiwo2v~!5=1-9VRtCZmqC+GfjzFcK^fZ zYd^*JIuWlOpQcO>Wi4e!$~=Vj-M1ljuCf!upfQeP0;SjZKBotTjn!l19+4Kaa`(<~ zlkyEJr(u!RnGNR6E&d8`dkl8!G^dj;3J&BHB?TAGaLPT}nc4FVgdMJ~y&Et0QDr-0 z|#yzCk5J zxSF)II`3jE@ZX}QzU(x_19YlmZx`)}qXDyli7B9Orhz!3H2NF8N<-S#SjfiR7j{w} z6gC1jhCZ@I9j%$t88-~zrq8QxAv_-9Rl#tGlM3y}5*t&bx^`GPK?!`7 z0-Ts6$RA*ku{i2loqQEL>Z_UFZ2nsMa#5&P`RZfQa;oF}ZM-IO72)H;M!h*>anot7 z^!R6AF!~NH5iiK=N;e85RF$s6R2Ax=g2*=8ariYl+h%z~Jg9Yl(R}Dgg%eMHAFmUO z>_-Y(_vD}BY4f7ql=#FCHe&mjF`Y~K`iqpE-Ad%25sx7d%5XN3n$x?9qB~NeH96X; zaf~8&Ej4epFLtmMr3Uup<(uW>{-Al88>WkT{hzO_xMOD-J@)1czc+W1rCi~U93QN+ z^Cw;ONml=G(B{&SuWUkE3@zL)r2pfc52-g##y^2H=H(Q{K8zuu?4J=lPABD$K>4>8 zC?(J3-CX850l?oLC`irKC2g+8rnciXtZ)}wtLC>NV$IuleQwhVED9m7`g0lq3$p7B zx9vESCbUmtV@i>{Na@f22RClRRFtNf z+rfuEoj``bg(U9<0xY?aak!LUU~3udwW};lADFlm|&G+)f+X6fkvjnJ-^IpTk$kDBD9NqnpUNNYndFueTHi?631?5J}9? zt=5HZ+eGh0Ru$(fu@|Bet8?Mi2_`)1{uSuQED*K!<)6Hw-ddp8qi@3s_k0C;@UHy~ zWnG~lfiAL7ClMA(b8-v@Ef5<=IfzdjZbDC3tP#AnK>yZMLAUclxBCwAL53ZQvY5aA zO({CXP{#U#cKNWWMN?ds;Zp9ZfV$%Rqg%&R&c%_P=c`G}WRG;=>RqOvR9DBCogvSr z$7ioqA6%Qh2M!;KvGInPh-M`bjZv~pJOvz<5safJaQMZJeH+rq`;3DW8vg*Fl)}Rv zT z=fd$a+o@8L9_W$Ky3aaIgY`NU!1~{_{;HRz&(U!nbLY=^Z=JSqmAjRJ(;H^Tw0A>$ zi!yv-!tcb*`xY!46sY^Ma_Zr?*{`yn!*OOO0fsGF*P`LkCG$mDtesqUlE<|e8S~@c zJ3Q+i4hGu6Je1+^>d{f73|PHAvw*V82y7}uC*PP)7rwsKK;)vOHPqCAHC)!+$Uc;l z>GbJqKzOa2Vmmcs1XbG_y?97irvc9tyX(}IPn{SSVVUJ|X8}G5HA6#or(NBf%DRA# zYjmlNMEq;f>FNF&b8a759H#-(0483eNlPN*zwkR}VHe;6Sv4G! zFgB5WpL%tRpkS{9@3OX`o`j5fK>OilbwDl`=wixMCZc#@dk_r2>54P3<(8^3&d1rZ z*2sQRKnwgKUlE6$2+?bR{iQCTK;E}GDjKZp4%g$KJlq(3-nB-z_4(VsX+~q#>Wqz% z*d3a~6!1e`J6HFOP(3k)gZ)T(HgJeKE}(&$XCJD(!4a*II1HYKNmpqHtNbw`U!T^}PqSM@8;a)+0?IBK}<_X<&TcM!7Too}ekV zxAh2ePWegYKUa)@ztd#Fh`W8X;pAl($Up9=JQ93ahhN zgaFdUj7U&g5Ms4XiQFyf^bNb!F{xu6&t7VVQ|0CkTs(R3IQ1+WoIcYQ3=V``Ez^6i z0x3t=WFy(UTsDr&-OfEg=duL1{Pbvfg0m+~nW&i3$(t>@zQ8R?$x^~su*vIf4ohR; z-;iNiUiQo+@$7Q96jcKe_qTa;GoN%}c3K5#n#@#nWqBogj2f>sE0@+h!3ZX)s%QST zFsR1C8V{0K^8LgF@uhR1U8l~$S4MKC;@$4TMP?+WHTooMVABb3i%Noa9~%K?7h%L^ z%KmjgnnDW(7N26iIB<==)LTg}jO%*Kd{T3?!5m!8{3au*ud&Ya-en0Ma$=os^7Ymo zKyNHmwrdH>xWws=^FGKwTorA7wHQOlwdyy_STdd}0EX@fJ;r)nyc*3HmQX55p`Cs2 zfd9sAaV|jF9r;G7&cxG6Ll{DH7k6*D$J3-V0K2dW%T1gJ6Hkw0a+Za&m8QeS6Ym5D zy!^Q$BD2R$!pdU6nXg~p)+;f31IPr;YF}Mv;b*e=iX@$VI2)g-fs@$Kig>Dgu0K{z z;NyVXpOtDQkB!Wev@WO}uDWLMj@#-|uGIGlD0OVtEMZ>+fY*WGmRTW(ci4sRHFzJt zouzrRX|9fyA-q^+`}W?_jlXER`BkIcl-H?)#UY^8&6rF^0A~O7u!Z0 zs9NY-h{*#6N{Ylk+Sa$OfOBu~3B`|wG^VU^^V*$?;2x9R%(@Kzh4N@!2M2bRRjq7XLyX#%U z!+WyuT3b5y;F?1=6BG75)HFEbyJgy$)}s%}Bc50d3GJgV`>C8>0qf+Q3(P^Ar1{Ow zgqbzq-!~T_FRUU5189!eQe9+}L=UsTmk%7Rk&MP|}kz z{&MN$1GuuxlIM}XD|Y(FMH?IVXv5pgAU$B@M4SInqW3`%|9Z&p^I5iV8E5qw+j}Op zOwCF}pax0DiBC%4g^wXS2SujWk^I7@lCQsjSz#bnzfvzZN{(nDX=-0f4>}sH+rZ?) z7}=@))S?~l6W@V3*SK>}K!3acS^{5NQ7B6c1aclSYf7EE_SiVulJ^j0qT<%^G6@)Q zQjcs#k5JwVD1Mbi)wSlaG71}p2QBw^C$zPpU1e)%MOuoy?yC82Ikv%y3{L9xctrr_(2@H z{kNm5z;X+d@VK6 zGs@;+hA)h4_9DFVi~|6tq|zYtk88;=3mqQ(@lQ^QaeGL7tao15Fv7hzY^(vMnv)zm zI-%P^)??vVjk_1|9Pk5O0b*u@4l5ar04S*T*Dy^GZRmDk_@Ly zJ|C`5_g+EvFC24)QoHpHw~b|0IbC;~i8@m%XQKG1O@7Ks$_7CZW~d1T=QsKC*kB2# z<%WeW{$=}9X}N2_%rg!P*Oic+Hw%|c==gMMFl#*17%pt@Vnr^7lR=G&|&VBJ(v z-O%C7R7Z7ZV&GEjl;0^@9G{bDyy^-7@Jy-Wl+#k%2kf^W4pKUe%qaa8e` zw5N0S-w_z8W-Mps(5}CQ30`LR7XMd`J|+0#L~w|9&}P1Q2Lu`VQsI5T9q3t)@fS@G z7bk-IfV{wxAC$5*!36j2H)x>nL7d_I&|koYUB-}%*>@W*XkOz_n%I0f~bvEJ~hAU&5xkv( zu@iCKb)c{>TpLpIeUoc+69@o~)qLX@HT4^%{q+xktLSrpAi1Hh+r@UZMuOd~+9-0Y z(K200#o_vxbc2KeYHOCo)4IfS^*A@@mLr`WiY8RzG8mOY^#Zmg+f2 zJ7?csa(PbfI^pGcay5N8e~=07Y@Lxu5>0Ow;JX4=a|WSJLKCT<(YQ%!1C--6>W_NF z3V#`ECq`?oc(e7tN9cKmoL&&VYCHL`plG?`_Km%;*hziDb$0hb#&qXVc>Hp_@oJBK zRQc2KY=xE1Wt8si*~obJs<_J8(sAF<$(YHM4DPrPXLhE_DyEjYP4DVtM%+ zFMnE`UrI-D=QO4q7Xo`9R{6>ErQXWvI0HLoF8hXZHhhrTPs8exh}(tj@Nt!(s*Mu{ zA&aghSb-y502wncJw#mQ+ff15qvLya8rGRS3`)0 z7&{zl8_JRQ#EKv5CyH%|9M$Ld+${Rp9#e>IKA@K`IR)-*zCxep?VW?{RZ5rh4V?yj zt{vAn>RzQpS8>Uy=^|>Mx?thDuGfcTwpN3p-?s$0$GR?-&T9N2&!=f|NM-!)*$ zzW6&ntGn@L0`>$eZR8txb$;mVVDDzJ>6xV+;4)O)A|l46MXXU%Fiyv(&$}X8GZFe# z?#e^Zv9;)F2xnFlcO&&5$F{SU-@E_049N-v;hb0=dflP;iu(|!)o)(TmhjQ6;$2bu zI}*RuX~`#dw>X1Mb0UBz+8Bjh5Yd{)3fC{5IX?*0?NM|#S)w*fX0grNwORlEu&0HirCX6QwznBpI$r^`gV$J6%EeYpk42Z?A&%Fr0E) z#CSvs7!5+nws#yZc@)U=J2ZdNG!a7qbt!J^6LRF>Kem)>z6c9?sZ!YSYAH405As^3 zL-}jB!DrLw1M=;c!i(W+Lb*6&APa!(smYY>Urmjmk2#`3kd$1TOfb zhf|QWh<3B_{4unh*)<~NP+4^E>k<&?*4TE@M4oF(~V z$@D+(YBShM~o#V*X$e>*f!tIyJyg?b6}NXqO3qvV@b-dIZ8nNq#GIt1;JWuIxPOd z!6dU8O~^X#UydO6@l^c9TCkV%{i84m#Ygtj6UeO7R2KIQg0s`%v&eIFc3K|4U@~oa zaLuoomJ+}w4(Ui^K27C&(^*!#KwdXo>c9=)niWI0PTR{J0R@CT&D)7KeV*&{4f{Dm zfy!5bA}a>HNZHaekp*0MU9ebq`kJ@0I(t zFwOf~Pi0-zHkRl0NaId2KRXAAG;sunCXU+(03&mf@tNY(`1z&3mMod@>uOCkzI?rP z{w0Xa@#MIEhP*KIl?VC3o1L6Kpy{l z4uFIce*kmZ*i06}6)QyYeMg$u82kgH@bUZzt^=b$y-Z$dYwY+8bY0Mhb_j>tUyBcl z1Ma}=?xMWcchzUcn+aonP#}qKmWSJz_`@jH{jLkoPK+5$Z|eh)K0%@#bSV?`c;b-2+la$l!1Pv(cX! zZU!BH5{(IeS>Q8lWDB!0mp~L%hJObDK!mv5AqIieTaU2EXMuH$3*10h4$KZ_`$HA%9^Y^tT}UR$vq3Ef&0x4ubonKp3H3AVBq) z-uWZMSPPN`qR^<@LrpVhzRs1b=4Mvc+^5Dg6K(MuVJd@sM*g)wBDsfhT`vWmW>r(w zNNrjg(}|YgI1!LgDbx6>>GNFfna}@?X+sE=?aWSh`;k9xMDODe=lAWA8Pe79RZKl? zoAJs`c7Er_6b%+xrepBze$sC5X>PMNoo_>)IN#IpUF1ph-)`*SgB9KossG9&{he7Z zL)C#dZ@CTeuP&`v_}F}yBxbiA46^bwTxz`iC+ z39~#;KzfkIz!y?bXy&)4dd|Qqc_0r;FMEEMz@%@TPLebVm?7SFu*qX8zx8%xqf5Nb zSx?h+*L4b2)h4Dc6-( ze;EGQRz25uf{B~q-p(Jx@NatCI<sqQ=x#1*{jl~`BO$nFb)_1vll|y{< zDhjM&>Ox;;MSz2PYo@@OCjnybTHD)8wc8PUx0!M#I9BP&l~Z8g^)#peT`{f(1%k2I zOMZ`iwM?VJTnoJOR|)i?#|6?ylWuocd_Sy#=*7}EsKj^GZPo*!i#a+OSw*xWhtm@F z)|^|+!yeN>E7i?`w+i$vLol}Nq|z6U^N;ZvnPCazMOpkftS2q(MrIRsX34`sW>#E`f7) z6sLHGxd-sXYNBwsrw7WTBC5LYiDL(3!?w%1?ncN@yS$*bAUn*b3U8Mx9RjQ zqL~n;0^L%05A4n4Fc7_CvY`o45i^2V%oe1FZTrY_-Rpm*G=15Uk#_9j@oI#~8(68| z3x(oPxTJYI_^YJ}U|<4p6+i0lgVmNaXgUv+)xDOorvxR>-d>%{nD8J9!duB$qGl>ki#U&x=n4C-yw3Pfc1$X*w0Osddv={G+M>x(Xoy&g-8a<~{19q! zrih(1@lTqIMP}E#)>&=v@q88WrHn;^GQJ&xb(F_<{2JMl6n`@RKAvDMUEWP;`zS_Z+&2Z#d+1D0f zsYS8@I{pA~DIn>hypAwevuHn$R0_v`N?ti___Hm2%`*`gA%vS~d{04@W7w&e;f?ei3T0b56w z?KEt-0Hd#Qtv*MeTUmeHdQ~Y4lH9=;+DtKj8 zO8&CSxZBGEmM*F`q+b1O1zsgEhWEo`zz|=|Gh)eGFM9jt9nNa`}xpClcTaAvY zvrJJ5`b#|>uf$KQpz?6JXWVr@e^eCA>o^vWht3FTe=eW_qTpB%a^Fm_&lj(?NE?a| z9~VMF=ne;q-L>`8_K=<(^huAC$xE8wbrV`0omPN(b1{Fx-gUM?n@ghQL7)b2w?h=n zMu@!QR3}>@twlppa#3w;ePW&<$=h});E@6|1Af0A$elep6Xr69CTbba1Ph8?ng(Zl z2Lv&`Gwk|=|D@1AkR`xT-TjKGpyctfR!Nuac$mp53DiWVh88*CiG1KiMZBT0Ct>-S zL15(!u+GMwNMF9`vv!M0)>>Kpm2g}9W{$W>1X$WOM9)ROfE^2TRpKUe1dl!!s@?L( zX#)Wc)-&7d6)PF<!gn z#QjD9ijY$2X!4klkMol*)nsP5&M`oFtxtT+3j@wjepzO0@-4nQv7YlC9`j>BUbLK6 zb5`s&pqMsf`!e0WSayu-0Js0JH}&Z38i_@WJET5Dw;~K6&k2>WoWcCj*%~swLaFKz z6}PY-p>mHsI~XbS7FkQ5VWA&iFb|=p!CiLnTj#;-eC5zdeCdzcmKPC3{$9>9zafkvWuM+f*%KASK z@Sk@;LU?)%dvQPeM?HL$1hqhLa^fjUh1(R8R1^)(phQ3$ZJtLvEEnDaEjF#VQ~Igy zjDXr4-Z-;4J5!MnnQ?pSpDcj#y|*B}NlG{|^8$)jGO(gk4<+5=oydgj&_mUn`L(SHcZ(omm?VjS zfQpJrw}4DSlqdlakTE1Qf(B%WO1I33fQkbU5CIVgDlriW1O$>W%Nz(00+|RToR{8v z-+g}WDb#7}*o8pBOi`Prb1pD#RyFCO2EfLB3J>J7odC(=Q` zpm$==UnG`XWhJj^xfq6;{I>Yo&x5l~Ml-K&%58ad7}fO5gz~+aVTFC*IhDi0hhwG> zzrU-2+9%Y2C!g=Wi}7|R1?E~V@3p4qP?S$xR*YAE^J>%BWYy+ZOBmD@^zD7Y zn-Y)y`SFCtOY#?V$1C1$BtErgXV|jUY}p=#*i8kZ;|&e=bG#z8W(aA_4~GvArVe>O zy_g>G%v>qVX9!%G5H&KB>lb`_WU8((q#ge~*B9--IKste*Ka~@EF_v*jg%0LE5wfw zt=TL%m(vyDKN9c16Qa^RId7}e)pV$jJaMIcn7IYD7-C~|I`2l}rF32t=ea?8m0;QW ziB2E`?!U_^RYq|k04=!-5^Hv{P05gX$9=W;{t*ArtWJrUv^id#Fb)=;*7H7>wDxZA z3^#ioS}8;Yc{IicFM6DLXyo4eu-o{x`u#PzvNw+{pK;dX0DpeIscY5vtn=J>+%C7i ztF*dTiLUJnm7f;^$hk@nDEF4;e;7~IEkC%)P)J}dNF#h>wI_G#DzE#~vxs{)rpmj} z-5k9~2Yqa1TkdcUUN@Khx+84NXRqmKN;@jind@wQ`iAfa-=?9c<=;+%zvO0k@(&1> z%I~LGB=$&VDn^~XM)G;OZJy|QWUQM8<=G7gEWa;{ogJilGzxlx`^%4pd>t z9*y*7HEqy#Gk8^IfHDWpm8XzMX8e*0lf`58zX`Tvk1ixW*`u;K9*~OrHn&Dh(>$Pa z>#3^B{(7-K6W!PA(<7$NH$I{3!~N`b%kA6~A3NlpLwmkU1p`)lqk;8MTGAqU?o|UqyM|Na zZi>w-jXJkFflv8ft4*WK@{QGSd1R2`+Yq!8UFn;+P!FHoAH~ln+jI}2*R2E| z;+cMa>kiSy8GPkcer7af#leV=O)g7(jwG*n21xuz@tPdlWE_3Lq=-7b@KL zyGKelrbY30cW^Ho??lBVpT?=I_aGL9(4l)*b_nLuMvd>5#={y;GOk2)g+4|Ep=Y`x zoe94Qkd`Ic-Idj#yKlQ{Hkz8rX`&Ld^OCCOT^z5AdU^H~`fWv@MI4g~h4YS@o;j$_ z{(ez&;t@lEqT zSz~%Ws46pn4NJWxKLw*#W@k+7MZ1G`0*JFec9T(&R(WDH27*Apxf;p$LPv_L{%%)J$A?!Y_{*vmwg$? z(1Oaz7Z2@%x0Cq$dglFgIA>k8kpi}|M&_qxJlM3!+hDq~n#3C`)JI8*O6Y@D(zn6) zro*D30iiJe8HNFI@$20PXsx4Rtp)1eWxjf<){$uuU!a%nw5Nn; zz7uFzT~_p$mJ0;#st84465>#sCu^RGbI%n>=i4)=i&?4-yeh4QYc9@;Qd(2$S;zN7 z8tj_Vis0}jo#%EFe?EIa72H0_ecAQu9&Dih0HAF~DxXAswft*ihJT6?z{iy2qu>$k z^CB;=(fVdor|~go7Z@9K{^}vS`J$muuI;^<$FyYVdNaN-x<}6Sg-!c@sk)m;fPziu z%EN>bk!4q>>6ON;$?vsNPBl#Z}5k3Zc0FV(J^=~`V3!5upSZ-lg9S4ok99J6vLq6FWARA zAp1CJR(H?jF{7IkkD;~m_Qma=9uq1N;LOQ=6pBHZrKZ!?5q!4IndytfhedcJ242mF zempgLUY8+}YL}n(ICXgTozcl&ORP0 z+sZeE#vPu(MpH+azZ~R4V5bghrnjro)$zde9<(=KB7jPK?YNfh`xym}pZi&EovPiF z;F{WU6{b^gSXzG7BwK_}wk}Z_ZFi45NE=gn(0W0l<(;G6K^e9@hzgtuI{I?l!LL&N zUK;NeMDEt7CvlCA&IdSk=1R5EAGDVEyugTaF_cjC?)IUq!KY;~9CF$vH~t<~GHspf zOsa%NQx_lgl~KF}0ljc!`d`gG@!hR832azZnY^_ofy6Zl+*jH|{Tm6~l+)J)5~hzp z!qi~5HF2&U=m7_MZ2OU;5Sk5cztPr<>za# zpFnVY%cAHM!vNva3Bim#rKi-Y1qv_vRvNTqOGf<^{1Arv*&(;SI+H{NPp?UJ)9u(e9ZyMM!-g=ggxIoWY z*}9xn-cfuR9V?ND)q}S}H$^K?SI$XUVe-h4(VQMnaS!}Cv@+*7Vc_Q-(51Qa=z zbc@2CcOpK7<-|R>T>ZfpQmbOA@WXd;ttP<6= zN927WHzzukG*5@cy5+5J5ShTBjL6o&R!k|V!euGP2NwH`u3Zug4V@3TsKHA=q33=7 z_niBWC52(sx@%kA=RqMxyVmI*blfzyJgc>|J2dqVlKNdS?Cl@L{L%}oLu$R2q&Wkt|hvXrhH22vy*jyPn_;++YR}Vm^CLw_NE; zu}247B=k#|p%z550Kixy!pUcy-y{0fG-J3;Ii#07$rBAZ*kbupM(Pt-|EY|q0%#^y z?(r{PE{;b`?JkYk#vDNzow7E)1u|i~txo~_ov}Gj@V$;+xsfXWwt`04h0D)lmEf+w zh?=!lp^Ig)tWq3)vGXQkj)ZwG?-LNMKa$C089S5rfA=@e(cWfvnr_Mnylo$lIZu2O zAKRF}9%P&TmpVeX{QJ$PfQ8?$->%%w_~z=PqM9W9zL+QMAN+!bR3MH*_1XxZr|00= zJfM!SODa&>9CG^lhJ1*NFj63ZsLCiFLzRAd#SPwQYm>aqKBGv>ZGJP^d)oRf_)G36 zC?hEXv0U~k;ZbH0G{N_2+`Y?An=>~iSwak#EDyI!w!jhelC&zxMa3BZ4Vrs)p|hWJ z)qpkMb$~c`cZ||!qMsRG7EH{<7s1^cMS`hlObFX!E}_xqS5~s=Lr6m2CS>~t&qVXPNlDTAUj__+eSR8rKVJK96?iYML z&E?}o)m&s~uiAwc-E{T*XudrRUce6g==5z$xYBc2dBk)`6f#U#E=t`L?=z^#YKZ=5$wQaH54~u<@^`<%cn_ z<%0PNQUr%H8fd2thQN?3Dq+{)!G@+w+1+*3gp=snts*Y!Rr@uA^p2sFhNZMHpQrDK zmMaL=XD>M&Cs3VkTr$Ew;t1IFS7EA6x9bft=<7nsXhNy{tpPXaH;rH2_Oo_`iAqS~-_=TsS2=B$u8&v#gL?v15{bBPR7IPoVF$b_KGo{Xo zuG`kp_Z@S6an488Y&kbdp%ik8|Gi2|n!0aL<8Rd@s7cp52Oa;7V0O@}ohDls zvI+HFOgi8IyAi8dzM`Kcp)%SDY&v|@!&dGJRO!rhMcl!# z8?f!M%CqDbO;j!P98YV4gI>0taCAHayRmr5^;0~7G&c891FgtpDTgULDZoE9>%{q! zS6IrzlH}o%(Fi2#aZO>Y@MYX4+zZQXzn5=+baz|uM>Xtrt~lmxxpQYQ#e$0L_1XxYx8&D=n@S9!$1oO#neb(tnU$UD>S&wkDRF<% zpxn~c8stu` zNj239j2rE{==mle-=KW&U`6S?@AoC8Hd<-nU5<_=t!M_7Dq-yZxsODFYMKRFypZW$ z2K^4P{OQ0qoCYGq7RhMqI8d`rD6d5bJCH;AUjw14nXU|4kkcx9c6V7H;rNMElkTQ%b<2w5V<1eQB(defXrEYq2?k@gr$xU`Nid| zV>4v-ORol#@k2==3-1Z07YUH{HaOTTyR_c~O2Zu~wZMH1+qII$aDNgB@X_Ap(yHc6 z-S>0ZPJogmz5}Hkm9@>{?4jX69Q_mOv2%Gy`m<7df#B!)MGZCPBkHr@*YMLyDlw7= zGtMu@ucj$Xp}U?NC;EZOluWoEAtep9MF0 zb5j}-x;PW@!KB4gRa#`poaK7bw0j2AlUBLS*z)CGuNz96!SW9E2jztcKhXp8s%3?} z*_Oubv3Iqs{B|(Kn~61o$@aFuyvcT4PnBhDf?(N=kq0sXS#8j)z4{4Gp`;oY(XX8L zPjs7QKWi+Z4E~;1d%u3rxZU$L2yLYEN24iE+H5FnO!Xjx&}G0+H+HCe8mjfOf8?V7 zXGz$8RRZwJ#^u~tAfehYaqENy{|6Jcn%~p7q`@Cz(kMaf*CrxanG%82uU zup89}^u7JeHaF`YRdR+hHmUi3^Gg$_NeA*F72gx+2 z(6&@3Z~D{_mc7vgr*LCbHd7U?6waWgUlP@K*|6X>MuH@2rY|~IauO__MjU|CQec9b zmlZx5yt}r0|8mBE(f>c0!-Prv^tS;{4-KQ;yoUK2$bfd#Ww=&@1AmKUr}N`y%pn~; zA&X_&mq5;u?bVoW_oZg`qZ^=uZ_#C;pnR$pqsifV=+#OR`1!|P?;kj$^c=U*)&kP0 zghyP>MLv}-5nfe!L}K1=s#Jl&b(aFKto$+q*^TW?SM=TZHfC7EachFU8BBaJ{TL7y ztk>;ntXjE|R^dQ2z?w`Hk`zK&?WWsrj{QW>S=@$gHCE;vDrzFQ!@_pK(@3Nch94!) z9ym1A&DOumApcrV{_&gWQ;&dudsTb&SB=9X9eT%b8Lc5D9X-KhJh+H^`;ekG+L1Df zZO=SRGE;(_kYvdFaL)W(M6)wO6|g)&+R~rK^oU@jOD z*S$HpIExK&iy|wgX%3`6^_D?G{Wl&)zeJriN-I~pqc-`#EPHbrq_7bcFNj`x#HJmV z54pvpM-7{L0KT`o0&%*8*Y%DN|HyHEamz;uix!^`ZjDVs`6uq;R90_{aPVoYE|TV`{P0@{p^9m+Hvswgzag zcS3HpMfp?SuvTvqWuwsC27~txm5tu{W;Zuq89;4@Z4capf^EG?G0AY${6p?TGW}5=_>R`6pUg&7radw=N~qH3zUYyX zDfMjiO=feSQrj&2>34$ap-a3V)A2tDCw>M1NxsOM z@rqQzqSEgw+Ta=yv+z%jaca;cK^i!{AyQonv4A~+*w#ml0?L54Z#&$vkPkEa;@g*N zcjE8mHE%e$GVePy`E2&t)7sZ?yY|k@j`g+k=RP&d$ESg1nB!vg1RT(L$SWdL2qFS! zR5(rVSJ-J4Bt(tADcn8{!U27#Eo>|c51Km46bP*qmI%TmR%MPiwao{sIRvR#NX zQ6+)2CzsYWj7&Wp$)5Rm-VwJAGt+uS3-y>jr2`W15B4-(*@_Y0^T|cFAr+YTAqWX= z#9;4Yl#PG28`?2xaG~*HI%7~>y8^8Mx28vV`90mYH>)%&q29$&eR$uf=DNgaovNm$&XCM?Zwf-)B{NEV?;2X23KsSgO2R!UxhwNLmQ!LlCHEqqHYFl{K7<}vBK;joD7dC0h@-yA&vz@ zX1g9kp^9);omtsWc8VjV^tUh=l+~_|Q=Fn7D#)e~w&#@Ia5u6ua){e4>P;LS@6lsb zRZ!9&Rc5E9AdBvR4y9c~OM4alP8Sp%R*ci^rAVK_p({MQXINvzAzZ{tGJLmK7o!^$ zA#L_W2Z<}^qDSab6+WxO zZk7BN*#C08oIxPz#m+$XRMQji4SsRkDy8RpDWjiW63k*-sn&xAA1xtDz;{(z)9#H! zVT$~Q)u=p6p!aGrnCqS^f%;@4jP?$08}V%(*Y(12Z{HfM%H;cz&+PlK(B$i!PJ&v^ zOhhdoI*hL2^GZ0N#3(t!bOp(cw%6&ffeBK|KV|I!#ulwr6Thyh3b_ zLw->me_NA_m5|aIi}y5rgqx6wy9AO#I~HeBCs*nt@ol0*keq^1>xodK?(ZpX=+@Cx zZt7#$O6s;#8}C!!7r3ERL^>B5o7;V-gUFkeeHia-=^0Ybta?f?nSQ4K)GZ0zjf+scFw(L zC7af$&)Hev{9S?1rh?#Pojr+zdII6jS}M+auSonL1roz((2hf82Uxx+7__FL(M+1+ zNOEQH-3D-SG50RT231&(6=b)jG@|?$_LQh6k=ocvl_U~*Bmoab_~9CeE`8a_@;UDO zV?Pm^wnU#*Y6(=$&9uS#7|*m)H`E>u`Ji&kk}_IajJIGgxBy~O?vBg$H8hcEI->(T z2<}shj|?_eV1|x4dduYsvYLI*aQgTL^8T?8nJn|PD0|(%7QTN(5B`d!FXsIR2LmXH z0S*TLM-$IZ)61&)W-;kA_I?z#0?{VIAR#K}>x|2XJB>Wy{@(%~n;X=!J*F3Z^)k`t zX$<1{J+-*$ZQN9)kcsJ0uhFJn4I1SLj=4XxfP~n6$JfZ+onV?qX#B}kHKolkX3yuQ zC=-9B)*1UQQyft+HOl9u&g_tWJI?WONA0{+i7*>%0AL3f(BcF6_wpTc7h!h?mV&m;qX!Kf)lJUV(5TaGxLiatdtDkh!23EVx`NRjH4d-}#KTt8jZtinM(;Ld6%UJyGZ^mC59RD=50vb)diKuW0GPD>N$& zQMujZ-UOC+HP8~4rP-U8afg?_{px(3vnA0D`D$mmp!IZKg#X4{peEz*`7_PUk4Pgr zAf%ruA!g(`H8uT627tYrC1%It5Hs92E>oh^}IM;|^NH+%NgRhwJb^srw%^;^6AsJj-!?cL z?)ZVfy~pn38VP~%-y{U&8VRAH;UwjrlCEOh21t`9gM3{*N1uWw(gdn~Nyt+OmGA6Y4WKH82tXZ#Lt z&Dv!~;N2#3yr{F}bE-pEz$@!~gY$us8n_xXO6S{Ar>&@fLwY5=ea1*SIn|9&C3qfx zsWLs%?*a}tc?^4&iQ3l36m{3Im1oEYh!sqUfP(`dM5Ow^lk^bfrjw(Th?T?_6;C%x z?ae41YvhAlcu14Z-k3aohd)sNT!Ei9LX0SnvYq@+D=Y%s?1~FGknQNU+8%&#&~T;; zpu~(e+n*Nl9o-2H;gay7-2iJXwrd5maf$SspGhz)hMM z!~pG@vCgM>ElD<3y&(NoBe*@-13ol;2XY=u`@?DfYpSuB@jKbTz-NtYpxOR^A=x01 zRX+Sof<24=JJ!V?EB?RcztP7py;9-+Y9+A;v(FV)v_cIeSV_Fj5dZ-((iMVDiaJ4{ z*eSd7I9y>PhBiGDwnxn>>^#9!TzGmg`#ClHV6N271LPy8ofd_1d)f+XHIvvjR6>hSvuw#qSQC8sc`iv`FS!?XKewIzrLb zxn95GD?A;*eDkL@&pGtb97&h|?y(Az6@4OuTjD&(vu0PntZ;3}5wddrt@xL<#wmI6 zcAYc1C^9L&9o1z{EU2k@A%X`HwwbmD^VKUN9I%hz$_WY~&Y+Ci)FM2F#p>*Q>~p}; zauz!cr-en!@XeC38RT0kuAd)mBD&S;y+2TR+0rG>v&3d5_2XXCGiT#l$pbhTb^N(%)Aa3(dO6~8%SAGUl zd`=_nv>O~tmSuZlGS~-RO(ug2@!oojt@d&Lf|6!>Ic~Ei`Xqx|OvDj*l&=Z*TXz@QWp(Iclo@sisI{k&Uh4 zSsgUeJ_&Z$%zaGS8HkxAoo#>7qY3~0f-YHC%-S;Et0m@Jg+8i$iatAW-p8oO+i=>Y zQ!>VAeApCSbuOh!Q1MdlPRw`EQ4(MhAO_znjcMGyTbzvrSNR)Chy8QNTLiV%dv|Y` z$+7CqR$r&5_NA{U%y%SPWhKdms^M0m687B#$<{E=C>Czro_58I5;ZeM_DA1z`G}lM zj-rSro35kzd4#7&!bAcmi1>VqsY+u#1rxpJKgrAgQ+@M?iszlR!NH|~-p*+awKLwg zH(JG{u-yw?@8b6`gxVcpmkIZgqAMEUhw8zEZDxtPB=?k=V;97kx31^>ecEzOQVsG5YQU5%{f-nHHoV>xZQ%U>dYqWaex*M7b#~u%vOQc-cNV-vZua`YE~m;TDsm+SH~V zVoW0YnqM`&S!RgJYKIq30!@z%Fg{;1d%dPrqDAO#a)my1A2_K4mmLoik}yH?kV-Sg zCRtJ~ZL-!<6?w<9A;CoQu;qq4f9wkWM@A0IGozDKeo--m#-t8X~02Rt=3{p5Df+l5S?Gc)ne)ZDMgN%PlM&N)j<^8n;Bx z^G=m4TMvG;HtUP_f$tAY3Ns_h`X0tR)E9;Pn_Z4I3ovy5@ba1~(}H-X!SV3(4pd_M zmfP)!M2u(PGZ*JZm65>uhO=|C9@Ekp><6l(x0HyhR0!|luaxi{X;0D`DrjSf3*27J zkAm?-{f*pa+v0o+hd5*5gn1h}dt)4zis`kDKcI`&F@7Ikt97f4S+rOvJ+)PB;gwiW z+rz;rRqJeufG>TsatmI1$(1%hA7d6X>+~Ojp<6jcE

    y)2e*7jw0a_bpi6+_ygT{+I@-_8G-JyYXVfXL5C&zozP$GFf#pAMoudZ)Vm(lG+!hi{Dif%-OI#ncS>@LyYl~V->kqW|(zEk6uT@_vg2MQ<)UYg~Xm&9Rq-`mE*P7s^E02*p z0G1ZgZ>YFimccF(U)3tsv@y}g+;yY{ovjCj) zCcW`3Y_9gT3dhI2*zRI6kY*MduPO>?p z371^kLlkeK&v4+T@>Xpl4g4Rv**Yb&H6N7XR%lHn`MuKYXGQrvmF|^46`2Ound?=| z|6bXY%k#cY2-c0Fd<#Vh-SV2{a`E0tCC$m@bJ(hENJcd6N**|=*s{%7-%nbewPWEc zw(&!+Rl}f`WVq=pFuY-*!Fh&DcgtNa!Qlj@t}m+5X=t-R){UQ}cAudC9NW-6s04)g z|Lpqn|DUdZ$o`n5U7OIytQ8bt8>NnX9TS!&7WS3|OKyk`u)J#mT+zper@cX(Mu+-^ zd9|d47SyB*c#e)nT%(_hUCfd(vFSvm~a;vg_37d}B+Ju>K zq-xW+@NE^UMZ^dJ<=2+olxF$3wyS92Rym05lOp&61D5DmtP=e7{y*@RbXSjhkhU0Wh9*Z_qJ6W}!XvveJ%PWq*Eea#3wsPS>=60q_xU z(Ja-J*2QhOs50*%LW0C>MnDpyb}sBnP)e|%14>iE#hZS8i3dlweze}tdr*1u%LdWC zvtgIWTf#2Ejtgj%YaHVj`Pqx>T8lpw=v@d&Bh1Hm#3|0wDA9`2EU(;*BW{hjE3Hc^ ziv=#gSkE16|3I4fki?U5*&(SrJzdfgFyjRv*wz205&RzJIp3+B@=k#6+bFfA@s&D` z*b_V6DCC<>3=V}q$9l4+91CmP08uC+Q91qa8jMduUT+p813LZeV@~}h)6?Pnv*$n^ z{#z?YdbPU7XJ|>L;c22ke6!oi^DByN)gQ@DG<{u5IreZfRbzP1)^Bb^p;<+aSskXi zxGhDC3B>VBj?Q`-m6J@m*4S{9t($2HSKee$xfriCVKXTYa01*xu*4pvO`t@##YaUt zkric?(3#ePbS+90^Spv+sCohoMC$Li|7!q#)(`RF9A*tz&FlQ=Nb=H1N?&jIO3sgf z{gh{I3ak`-srFl1sP^l-0@j}>&0IioUV4)vKa2WK6vx&`*?dq9LAo#|T;38l#PF=2 zcmX^9;~LfI?z_9=`+M8^X8X%(sNsES7Y54*{2F1`%!h(k-N!wjz5ksxFcuFC zFc0ul0cv{1*4Y2x4nY5pa0f0q$X%^IvN$tT6^4n!NcW`pIN7hY(7qm8=h029jvR=_ zMx+fyTsu7FwPRs6qp=ej_65DDZ27*Is zB3^O^7k(_U7CHS4I4=O5YMOpr%zU(%HK?aK$_5wue5zf2f4V^?+*JWABJ9!G%ZPO; zE>P5th;1HVaz;!0CVv!lMALjBfn)kuGmb~b#gf_IUO{Cg$>2e)>6XKrBqS5(xRnxT zOxx{e-0-paKr-F!IMhQOwi~7NY4~-KT~=-0|8Xut*3S5${79SSk3{-)j(Ol!fyV1< zFNic?3D~~AFy3-!2`AWIa?NW`8&K$Z{Q8YEwO;(7YIY>WSbbs(=ZEaWcMQE=J@#78 zsjKpe=*OfmG@XT9AL)%FB+7K<3;8D`>3-0XQ#`(S1nF=AB# zoW=b4*Ph*x&V$dhaEs7fKVdBTFho-y~M=X8i{)v@U$ zy-}VW+eyPG7mMF3ZB8JD7r!_+p{s@=?_oGP!gef`yH`H6^IoiUEFVQcX4oZ8(3{7( z*g?0Mi7L`klFPh#95D=1)YH`Zebk{(Tgu1RCCSfzyQL{5>_jdtk)ork6DKM`eKR(m zP-xnzRizbQL*jivRFjqfHpDD?zG$QA`uBIfPO9A%KupaxE?u3l>o?US1K=PyRj|@^ z6iBHw7ter&&pFUj<@*x1+;H;`4RsfJ ze^A<>`C(9LeSQdSti!?D%4l%1boQ)W+`9)EZoqyV0rChdYs0lcnPN#ZwpA(hsnx=v za=nsLXYG|Ll}Q&tfF&zSh1;av%5iT<5HvfT$(00H&H$wR&l2qXu7A;Gv$WPtdX+yd zwHjq6aOPb5p3KJXgAE6SwQVN=lB+%aRV0vWt;8(X4c}XyiEgbP71qBCYT4}k0mU&G zf*u||;8pSZfcpe-pvE)pGBACYKI!c7-)O6JekjkM{;Sz2&t~TKA)UC;KBe2Bp~U7CB~(myNpM^SPpo05c=<<7 zUK0A^%<~Qc)3d7_ied0mX^amP?d%S9YX77rk**FfIu_sJ%TFyjtDZ3p)QdD8*^qzx z>xLdZz!hVEXLRKD>>ADtc--_fKac#N>1~zPWotDO*?maMB6mG#mS*;4n4_MZ_T)}Q zl@`Bkutszxjc-XyBjGAYlNISAR`rU=qY)!LC%|0w``5s(8?|y#vt!QAQhWFynwj5c zbY%8Mt;}SN6#0uBCUS0Rwj>NQ6cr>8h#G_kk-4oa`5Dduj@qYJnHqD%&*!bU{)t@or!Q)T0NLR3N&d}yfd~nn?0Lhs##LK$Fh^vnZ?!ayBl*@o_U%9XHC<`GoY{r-xZSAv6eqD=SB2!PFPMBAHXKW}30%AITP zNqLg4vkzGO++ra-PUwU{rEQm ziMohF+$0OZsXXh^@Z{`=_byfYDH=6>yX=IzWZcVj*Yjk><;Fw@O*n8hG`~qQ2|nOx zHOu0^Pk+O_)8;ugneZN~HIvN~Bs?3xWPYb%@&it(23OFd2)PBS-ND4)wwTUsl86Cn zT!iolgY^=a`YHRL9r2AF%5TI#&i3j`%SGv}z@KJU7U{wD4gPhr)tXZ~NBk=K!*nqb zgHsQxIK9qiEaBqP?m;HWq0b+Qnce<73e;*)9x?DXqSv@h3$q22AQc9-RA&!}?sM}c zQenRc(wJX2QC}@kbn3g{WV9^eOb~v=1823E{qBjTQ4puiXDH%g1st`c=kw({i7Q)N zvZ{olq>&D*YtVS$p(58L8-mJ^p%*|T_o3g#?~2_eJRpc+2!AjU)y@p;c?eF>F^JuD z+=l@6qwf%uIA4FlEHZ^b@hT01*De_nu|=vcxA)C?1QCXS>=F>`U1JS3?rsRj4zfy*S?fTw; z!fDt>nB`d|pSH_7vtm{1(RsTS+xZzuMw6s>9x<>;CM@f*D~jOl09p+28&7$k_V}OB z;;=jKZX+45S0#KzZ!>H;x6@_U{2p1C$rbofl-s$`|>(( zcd4Y#d8S3x=R}16K1`%Ca*BQreNt%d3vVYLQ`M5%Z$e6!^iyyRj$~nUd!_4)vtPB( z$-XG9XhG*4;!+lM`LRXrr0+zm#Dy*aXh6AyS`i3mYG6roOcnVvo|5RU6WLpmYZ9Z} zLZgo}N0)UTB8{g$nuY88E)AC(IQjtA6IM5=l@!CIkxf^=b_^F2k)gbAF9NjCBzw0} z_+lPvWe2(^S1sRX7uqo57;O4}N<|Prl0Q}t5BR%r%l|h{{4Q_z{E~4V3op%^tQuOG zC`oIxQyqjge4Q8mlAxc{X?Ey3WunW)wW_W^sBmenk{}yv@2>#{MrM1fX2Gi~5+RWr z6Iu6K_E72^9Nr={ef7`DgV!*S;(>tpAg6itMBDoO% z2Y%a|I_F6%3B=b=`ho`@2F?BEt_j|IB=>gl4|n*CkscQ5A0fpD6xTfSsYEDKQ&}aB&{%aAjjo|BaId4b z<#;9`r;D1>-QxTr-4$0Gof_pf~^;CA(3Xb>>VA5qEN zPAHA4fM#Zn{Zi6kSj9)AY2TQx-;FBRa$?g&ldCpKtUKXXii-*C%}%aR1S;d^z*(p{ zhV?1!9^immeOlgAiJf)l?l-h0R+^Rf1haTJdhbq}*mDi4q9;42Emi6lTBZsuKrk_B%Res#}hc-ii1; z)fni+shTmb9UL@0VRAS6(@VwcjaHM)pxpdvSI){q>oqLEV)IXGwB9ggHF7qlRTz&j zo|`;(8mhv5EwO!5zEOJItg6C)H(x=Q#umR%ckNur{|TU^NBfzp*lF4Mgl4ti_pOwk zaQ>AucwJ|@vme{Kc&`tAz;S3i`5e*MDiLCK8)7!?;iQS7R8;F&wZV-h&nwhcXuc#y z=kfCI^Ra|;x0-h^SXh^ZcZ9FD+jL@vn~d8uIX#EsY+G_-fvAw60{gM4f>iM-A6 zbfN{k!zHuQ4U`M4q65fes8i#U?o}rH(P&10zSUu2v#))r==pV4(cjwqyTZNmPiq>B zrF8Q~)A4~-;6MZ8Rv$Y$UrRakU%>LE7S*p)3L@FdO$Ja0oWgNq6 z>C1^ZJqHx8z1@+Gz(Vp=)2Gs7^*HoO#_V%v)I|F+aT*bQtw_JVKa-j&>clXNv-na&FMvA)KONV;9@8132L1}}+Ebq~muU6`qTGFlo%-vvX=!(Ke z(zXAOx!@CDsW3=w!`RQkZ~E(CTzBUn^SAHAjhO~(b>@FO2kgF*jWN$5(-C#xEx**+@A_&sHYG8wrGv^u!K|n`%R18E2V$R7LrL}sd4fKa^-`lHsbz$P>YSZq}r#@LW zE_*e+6@Q7S@`}{H{X``=aZk$HTZq@M^8j$abgZ_;*crV+(C+j-ayzxZ)!^MTCM_h| zM~Y-00LG@r&sO*(N03Ux$*oL2PqQ9hAqtjIwPO50}Jv1i!w_OkyvcjY%tt&!-@um+afh%Wxyrt z*UaB`C>S$`0PE3_wF~Pfb0O}<}n|6SeT?jD2!Y|E>AhfT~r7!^;+&l zy6bXMk9q;Y*Z(r~slI2wf-y6>padXF6~;OV{WSlo<5ovQ0543t4v z|2soD6zENl-ZNM)6NieGvs~o9B$*dO)3x;FcFM&c9yuMG+P$7%elg#BbVY-|spqh3 zOM%*5%wCP#?1VzK&Au04&`~T5s(5n~ia};kFI&e<1CzTg@0qbQa&8^7NKc6;=?eX6 z2y7a%HKuePtf1a}wKJr_Sp?>l;g#T`_$;vHTIzDgf^!_H)9n$_r*8KrgjKoYJC(V;}|gO+JO~+Afp>v z9s*UnHp+sUV#e{P*RCYCWy%9*BklhjSab!)7ehwfXZ1kRsJg}cxq|`cHDT+W9~N~? z(}Ncgv#g>a^Xr3SvL?{dRg}b330XH&AGRzsZ=`T?%%)O?Kg4Ly#>LIX^~TE&)<&ov z8gQsLZ&)gwt?K^X{I`|nRuRa%A!T+IGv5?3w0!!oEN+QRuY!o`h03APX;G7eI1K8m z59og}_EkY`zF)V&-AZvUZD|X|p|}?)ZPDTm#oaXohn8Z+H8{ngxI45!aY%5N;!a2i zIr;tNoA2VBnRAnQZ}QG0^E_MDT6=AykCxI|uYm3S7|lG9r?&6Y;0__eg4L3{Zff@3 z6&%fM=uN!x;;2xf#bO3nqk@CP-D%-4=!_6tt|Y(hgzj*>=k;xxhtYdsj_;yS8xtx# z0e2OP-8$?~Vxv%(b3CMb&{@ec$rZH1I~vm1+=VnA0w?K}a*Yn3~tC!>6?cFWM zEoGgX+BJ5li*X-R2=id)$z9qp5l4`lZQlp>)#T`cfAGs~^g(R?)eUe*lD9mgVX^YuEkmJEJpZeJWhj-fGISbQ#57^|H zwdXExJe)uFps=uOFMnbL-Pp{J9q2ESy(Kxg^{Qo?w~5X9|MUIo>p$7~qNJupPh&;i z@7Rw<3Sj(|+M^V#hrElO8gN7|cx-M>62B;*GRG-#3u61X6x@}AR4KTn@|70QRUQ+LP)M(B%NkoA-ykNR?w@3w=TrGOx_sy9ed9& z>@`?Q!4hw-U2+7C(EC}_nw#%0M-K>iMBz^CO{0R&7&OzSTHMb2uIQ^!&e*$9T`(yl{X`=O!r>>J&s5anf0BXsX zaOJ(}ec#LXojXpawo3Pxhf8xcT>%IPG>cm(^HeAC29q}$ItJ0P9r1$QplTS>VWx5wR5$b}~N3CShHwTs9ht-EpbO&CgA zH-QzTk=pnzyf=X|2c5~+Bt*n||Epcs?Y_E;rDyPy~h*#65JfZ3OMESpiC3D1gkzw-x;nHsYran=M(Zu7c& z%X{<37aq{)2@QV0Av&sqm$L^i@o7yhpjt_E=CM3}`T@_a2hjba8VPpRf2`Ly#KPNF zlb~H)HC=C`%s8C=Vml9{UH{*r=Lq@r@9<|wS!?I3H^=q^hgPLbK8_9tG@JL|b^O+m zCv&u&jHo)4BXNXoXVnkWRB*tmUwLGPVn=ttX5r$`pGyBT8E36zhB93CxAg|yNK17} z{{0dUMh`yTUv-`acIF;5Z6yb7jkGTx=N|t98}x$_M>j3Q686g-`iQ^6n;FR*u=A(g z#y%^>!1m0cAuBBs`z-r`LX6YIc>m>u-9IjYPVEz&ZyrQ~1?JhVJ~OA=2=v_@&O10F*i6 zltse25HfRNu!tv--fZ4@^E;kp&DnkHODU<#L9Re6*+-A&j%%l=nlzt|<3EMEV?oyr zs1;Jbfx;*V;=+Fec(c$B-0(mNWk*OeU#AZ@Q+C64&_773jp-rVhQvQNVL0jHW({S1 z+)}vKJw=J(XM7?{20OgTTFaheHm%77o|sd{`e3hKO5ruKpkN$Mr=2=Y@t`YMzP^jH z9;i~^LxazE-%Ke@QR4SMmaF(7qv)u7%1^ByA%pKohd#Mk>w0Pf0lrl_b9!1~4^Pkx z=<5O-eA$UybFxR0s&LzSG$-`4?s=MkTeRENv$~Q+Q)2i7|Yy$M;nsxu`kk|LW0s*YM9`1Rf@)IQ?S>0^1=UCf@sqtDVT0ZO%wQO>;>C zKEtu+s|?pvMb1Z$leH_BLVP-a?GM*CSwY_w94Ro-_+lq;_tLby+pN>SeK^F25qON^ z>pm$1-ndMZnV!|4i-MmsXYT{J#c3wm(7sPk2|`3am}#Mw|7@`D*`kAiVRR243)~j5 zT`J|%y3kaP%I?}*IbCMHSw}csEeePF@{iWB!1WNbHeKo{^Ak|0TF!|S$PeOgu_~*@ zP)PD$8%HP?riAFp(3|$1b;Q@S?jp$}HnLp)YL`X$aw*EPkR$mcow^GBPv?MkagyEm zAXwP(?wqR-Wd>)guN0MQH}b}bBXIX8%B@E{N2?~cbFKe~zMILHJtwIVFIYLPIT2`!iUF0E;&h!Nl^W4ihSTDd(!)|-*Y@}K ziyv>g=g2_=6{b_nS3O@!6fD!#VE12+>*7Jvc`EECYR~`i$|X-{O;GFze1_JaI@BiEI>DNuL<^`Mt3|MoMya@cU8Gy}EV+z} z1wdKu*TWWpCw>rf`=!@PvK^* zH)smC+n0<_c<=kJL7=lO@723KvS-eoVTU?ctFryKu+fU&-86AkB~n36GTzJiCT;;q z45TO^Yyl3&NchL?R=0cm49{1VSahObXmz zlU{x}UzlJrc?S&n@YAEMPQu8@K-fuVm`#eavvs8u95w zbRHM;fV7t^;~g4n0?)&zP`rN}?EEswtp?7}0d`Hq|g1y*+Mb)Gt)*Wo;%)%`U;c2er_B+uCTA!9z>NNFeZp39wp zg(ReN&}CNR;ZgJ2eh2sG-;jyhuFKes+%?1lid1c+KWZ`C+{ia`^_a9}G!G4sh~(Tg zOLsqrZ(f>;)U9k%gQjl`THRNT*4x(*CgO*c^@}+tzQY^6xR<-@qWcB^T+0m5nC{x& z12oscIPGmx=Yg1n#Jj8+cAhT*taC*Z*?7AN&`rYTWtQWBc(FIl+EpPng}Rs8vKyD2XAme?^RE&%VLUu|Te_)n~?_?Jow5 z#^;~>dn`t%Qg_tcN$PNG6bPlX%r$rjk#3`liLlAe!^BY|z2NJ3DiBI4{g&khxoEUc zZXFpMF@1;(zJd(vpAGFtF;BTHk25oD;`Qc=0H+L1QLCk6g=EZ~Zg8{Pn1bfppvtOv zp3peO4#^6NQ>fr($Y;4Ac)ivlBJOVTES%E|*@61#GW&3I4idPJ_*f%d@!-DCl8fw< zy`H9#s5oxFy}ygEePH$g{^6M+1D#ha*;P!?#*IKugwVCR_~y<8_)w`^W&F0E1y$L3 zB;>+a=Z6yK$h=TD$~}H1x{S#+-Ch2z<}LlX_kv&P)JMBX$;&sCf6O^`9L4P!8ALzV zQG~>Bx3x%~oN@;=4l5456g~wa9HP2KHeV*F1uc3oplJBrA>u1tl5h$#rg`0K2oml; zIBL%0>xbB>8D~5|M8*2ni#l}W7WwUrqn)kQmNbTeEjb2i`q?VpD^`0q+ryFtE8B{1 z(nlCqSVDTJko9hUsAVKYT-NuQr)O9FCbQ$&jtxP-uu$bIr>j0->&S==RZ3cPF1}gx zh;Lf)=A<4Ptll;ZT!*PO#3P4Gqh7t~+PGfaK*3OvLa2|jSSW8!o%>!8#CR$Z1`g#m zsxL7H-mWNif8O153EGu8@i`4>h>|$#(oKGT^KVS@pX!F~EFp}{X$>~iyeQ9n-*Z#0 z+vTV-0qNfOb4=pm|9;71!l9W53~PM}97>r0^~NkFDzO;GzQAj^?Ly>i?fzMvNKx!) zUqzZ6@0Dh^>FV4h&tfl?& z?WQK-W1p|hw)x5k#Dove<4v%Lp=oCaR| z3dPzK6$iJEo#=+^KRleqpb7;z;>!bscv&pC0l3afT}gloPVJxAe{w}rtjBZTvv&@u zpKrdkTRoz)*JF6&ls|49@QWO4C08OS+LSc@ErYOg3HOTsD`b5)<6gk1t?*LGXnG3! z^A4YglE%MG1=6Vdr2Yq~CVd8>14wdm{{t=!tNo1Li^ub2hTv+W)^d}+1^CQ!siv*S z(79TnI-3cTgZUNr?D;aSEO`%vfNrGI#6~~-5K>d-nz(s@^H+{o+oJl(DH$WO*Ztr$0!Yd%`Aw;gDsn} zo(8B6VZcBM$8Va%ks=87FH3UYE+z)%n?^g+>=cw9Ml&C%b8pGCMqh>TMLW&1 zy#|Qd@iYxmk60bqVoe=BeZ6C$G%=cPhG!SuAWyfrzSYp9r~I~=Eh$y@9TRRm27A2N zHcs%+J5GvPx@<0|&p+EJC-IvUOeYE%f$vb?X~b)pGNfxc#Q23}HAZOl2lwT#iepVU ztl+*+V;`p8NRdMmABsN=MY=~{k+oZkzrboV)HDg#8!}9*#Z%3OrvzHxmGg$W;sb=< zWw;TnlZOii3`?i7xmkkLjKv#1zd}5H6%XQO&E5FQ`*FD)rCw){mvm7aQ!xnLpXw%> zkz)Vurj*C7c6I{Mv+SLdd&xld0rJw|DCU++8KEWGX@4< z-Y`kXl?I8vhq$b2_?KxuEzVvp(c8Gk-5*a4Nm{lJZMNcLSwkKh3e^|yzVh(v*}+J| zGh%i{KZLOQ=c#pLG+6A|ztUr6d2O=qP_I3)inP7X^!ilf%4V=GzEl#|TI(3`icn^z z-Nwfr(v;FF_UrBpbHKx4_3O>Cv@*e?fl|Igu0(^eBwy46ladSU>vvu=J{*D0!#*vgW35>8t$)O8 z|3VQU(~&TyBopXity(BeJ3H52(~e2$Ps%X%?H5Sn#^{dfa)pN@p7%vfJ^dkT{KNKq zPP_bi5|Yx}I>?s4I!owM#t&C2|rLv31< z!VuHV^DU0#W*LeU55CQePRri`h!4dJfgR8!m#(`=ew%THosrc1#YTq(Euu^J@NsU< zO6*RMjXp=_fj|TyH5d6VGO{78OsjNeOh5H-n~d>$zy{`8LgqL1W0VD}Nxt0Mxpbn( zztm<*{FQ#3qiAp$m_vNS9Q@T2uR^2|oe%rCtu>6w@g{m$OVaZ}31yr7gj};JqM{82#2@U+Nk-#<{cGiOT~(Je&-hhHyPcK|N05OtFo5dXkFq z5wkj$O*sET0dXjQ;3TdW`R^FxP9`{|p3rQB`uY{+&*?|oyH1F9>@mQiIAGWXEt!tEG1 z$Z{3Jk3Rxv2f5oT8TLczPceK#-pOaCk8cRx7&&sQHh6Q#p$= zEEN0HVJi!tj{nNSrNkiY!oh21p7G7Xd;Gy-95WQH_ zP5-de$?YZP!-utJ_P@+HGlkuX=4h?B$G^>aNqo8Ovku7We-c2eP;M<AjI|GXc~wyM!r@E8_401aNFKRlw=J0eEy zAYEYXErkx5m2O=Q&Krw5_|Y9vrmzD>PPecA*UF}h44g*eiW2XoI9h>-6G`76i~D08 zI*LYg|GljLy0!Q}@p|Tk-DmYkndl>KjusUOHVsXhD6s%KRGj)c5j9>8^Xa&LE$>rS zUeh*{U!<~ZOqNrg3(q7;3kohlM%x_1OTWDSl>U?m)nHC=WUtcvc>^#+7`$OBCqJY>J&baL=DriJ~25 zz(2|51Fu2?i%5-SI^wtYC-N9*$R~bM`W@4|%r9?}1^f08VF=>6#sCh2CBO3*VbEg= z6SRf;$2HRlWzC5uu%^#5gPGR@)n zG`0#F$_!UBO#Z@@{Dp*$;egGS2lyo3y+KJ-0gm>-f+q4$X;Aed@z~j@h;?vzD5=}w zGFE5%WIK~WWG0MkHv@^boL1SN?0z45Sx|bxeyPeZ&~Z%vWG|9V{vtUg&m`jk)u+W9 zv68Z25u5HVs*B)OP>W$+T%4vt6yPyk#fvJVEXah(GtpPDxC!vo=ob9__ss5eT~hZC zQAnjh$XVSpv(XGbpTu&x=tayiUqBt+KmZa>0zBWLc`T&zxR?ei&Gkq+;3l+S7&iXg zw_hV57{^os^p4L`v6+DI=NvT`2+*y78W(ozsuF(DFJjse_}26itFERC(?rlVG>TCJ zN~2ML-5KlbH}N1ZXw%CN=U!|kTrYquytfR(XNhnPy@~VU>cTLxt68mf3R1qDhyv{| zxr8`0QZJlWd^(-`R{(JC*PwS92|Yg~dzgxI zV|}Wtj=iDJa=rwHl9^><3qYIipBKKqJFJ0Rg_L!&O=3W)hHk(eM?-@Xg`3H5d z!_}pW1blP*?yuiQ>$`iJ@om1oHDauICvs$@Uc>O9^Td0Ec;IlZ__Y;+O)KGf1l}ta zm{EA(D4<0-@vM>NDq+k87CYbWb2>A#H!sd#ufn(*G9EzoNVmxL1R{+6or*?+R(0FM358>9ltxKajSQKdR$dN zhy%oB8XLS2eoCy|CRk=`wpOjk;PIpgB4xDZyxdVmjsNJp@pVv#hz>$Fj^rwaK^(dG z!m`&d#8MS|&C9yC5f8F|dn&DdgdQKGmFV7f$kg{VgbR^D*6_$!DjWhBtx4twGaL-n zyKg@~$hOWeil1K9Jz<(hj4iWVh@hO$eGbq&&*vWr4; z%M6*P&1apVX^yNg)f9wU!0^Qu2gqITK>RUSw&jbT=`SKt+xP%IfHw-c)}8#^iZCnR z{CEMGbeiRwyV1__t*YsSVJhl%qNw-5U-PlX6hrxuT%md~)uWYuygj|9xzjyO+_l>y z=`k~5HCkzA5~j%{SDxpg4sj3>mUdQ&DJ+%)J~`!oIFUy8~A z{JPV{Hi`9%;884YvX*}yy78V?zEp9HD9z!uBm9`luPv0mE08gg#<{fyRaNOrQjDcf zA(#7<%K+8z(PK0T_FeKhDiA&vD^IAr6rJUUVtC1l4E`dlHlk<_lls*InT}oQHjS=(zt@C;HKdBNM{7*t_qULBS>{ij{z4Ay z)!Cz1-V(t!a@>j%;^PDygBwiIK4%vb4G%>)>o&Wv)tk5}1;_weR#YLnZMYWoq?e+ykG!7S1b7>y2EMUR2Ia(%F(@I?4lGp)s`& z@ZF;6M6s)ghO2o0m+}nI$02e0G+r;FaU7IeH}%Q$XKC%;bKP~^ZQf9;=0;yOGuEI$H|*E-@9@H-{G)C_u{YTFcl4O2s^F% zMQV_vX4=K}nDrcUj6NWPQ8Z|gU)AJ?+Nex8SH`r~g63N~$Ib2^&qy}121g;Ug0Xst zP{Sa%t)bln18MaY`V>)#P$AZLi+`8E-beYdhTe}>Rg-b%_Sf`#umSB?2lg24`$6wg z_**UbI(qYqYi-5+)7vSkA2n@UYISE9uBG2?{uLmCJ(q_ICW~5%Q8`a`q*pABr%P2? zD0O&mrTS|<3T}w>D%Z+2T6p}zf zOHX+o$HT>_8<%P<&5%cDID9YtcRBI!N}qnxH+TZzoZGl{XbV~$$Cu6XWQsOeugFZQ z+_W@v&Z2R4t;H)Ukfw?i_Kt>e4Ie@PP7le3hX!Qr#u98qHy2;qxOotRR`(r(-YP;1U<`gb#KNus_E#3kC zo$Ao`P5sWVMjYXF6j#O!Wt?oV5*DQq4a8~DTDMBG_4{ma4MoCwoRG*c<&n4m2lCz) zY02IexFg0S;l6AJ$`ZAD47|LC@S^kyWj;%;MA3P8c=EXJ?-OK>RK9y+DT#;O(iAn+ zczT{BZ996iq60xg!{0T;k26`h>iARL*d;#Ee*SIQ?gWwYij@^}-&Pj1{GR5v(mB#2 zXH@92+7)9j517XyuSLRx-7J z*uO=+oiC|sr(bV)kQCP_A-1bp&hNGjLo7chu`lz#tRr@vOMfRos}BEV3r?2z@p9Z! zJcs3a5v)Ou7d_Nh)Z{SMC>H9i3&xK#4OfOUk3)eZJPFx|8lHDPxDB3dZ~9Np z`A_ocz{?bL$OmYlZgG?b(?u%t7 zbtMLL{xQR?)Gx&_?h1U1G2Wp_Tv+gyup+HNUD)=QE0sU>#Kz6(f+_*!^CG2t;wts2 z?+3R*s}ikto8f%-77my~*IOK_n(d@HR5NDvC9!tASO=l(n44HhY`N!xKTOjUiCG@? zgiEsK3S3fb;nQVG>PiK9JNi+Ss^?=iL@%5wRGYLbT8-S*&k5P<#Yd7can0Gc+g}?T z%$0Vl=vJ!7i8Z*$(+PZ5_t0;(7m8Y9syf2ziB4#KLPYaAKP2q+#N(0Fmv3{#no2*= z3H(6v19u$_y3Lb*d`AOaEq$-@vCca>BB>}ISdzh%^a@)N~fi@TtwlflFB zZ35u7NQ+`>W(t%sSq z1L=K=IS3b~wt8p5CeVV|JN4W;{{uJ%Fpp)4y(#{d_1z+fGRax0^=+w3ZVBE5i^1O@ zmg9htY>~oO0kC@t;~>|;@-CUh`^R50Zdr$`!FkQ6YxLIymd}d>&$Y@Vj@It_;ePe` zw(JftdAZna5s$uJac|NM~3h}AD3}iMgHlM zRHHdH{Yjq%a=^6;r1&!Z?89i6vg{YjXC;tRlbN|F$m|}007K?8o3D&lPRTB_KBF5I zN-yD%DJp;fu+Ovn_;v1KVns)j%_6uh=d|k~&b=;2@O*|GE;5Wj9rRaZt9>M}G&t!U zUzU2$v#MwE09nGlhD|Lg#4@H#KUeMtH#`Q%cSkV_-{D57cMSyjAx~nf;rgY2&0=;KuUlWFYM+)*PL7(v0{q{(-536d3dcFUJ6&YcwI1T^u zjXzLBC1C#miH1n!7T=?wax|D(lPRtHTS|1E#gZH(vJ6*bK6YM`C%J+wZt=Ad(#!Lo)kzmu!~@FKXW-ksi-6A2eH- z)9{v=g^qLDAC)ZxPxYRR9RhC$&NSf@qO7KR1@&C9WPT+A8gOLj^!R(|v8FwS# zxua|`_XkoRo7J-R*a3CU@M$K9BhDMcDdhN2 zXgXn9t8JBx0mTZAk7l1tEEKbIafrb&4n~Zb$r#hfj8!uk81S`(6gxwIyc_C*TtCZs z{r>sEYFP@^<@c_2Qflttw@w7Xj#*774Wiul&}*}s*4Z*m+K>Hx)j`LuxY2ldBdil{ zo>6q(M+D=s=q#j3@5J5YNg>R@VlzN}nI_;Zx45eXIN#;Nx1%v7J9?*S9dxxn^Gu!G zz!!5<^q;&8fD&;zwuzu&F4Ey#y2%}(1{RR?vsq)aA`EMAuUSL$sq3gRaWs$eg3#{J zWa~}wuEUy8p_(K`e8^g1RC`5~znQwj+Mg9zwL>3ki#u`TjMZ#-ndi;@TkYgGy52a9 za=5H}`6iT(tJ2Dd`LQv9KW+*?_`y92Ytm2|FG%F`B9K%{$lRetX>f`EiXtjy_G0I9)IUh7`q zD-#inrLxz*2N6FQ)=<&=d-zA2Z)vg}niTMCm&((At^>}qB~y!eE^j=F-eMS^Y8E5N8!D9V}3Dqs0k%);JBkcY_+jbWy^G!nfbo` ztaZf44$_CyCm^w<@~=ki-$|3)oou<)Bh7x!DGyp}_S)~_GoiZMcx&OnhmSu4 z|2`SX{{7R8Q7=BFV*V+hr_JlHLXLPN*@qQ#pfARzdBQD=L|$g&;S5$>EdaxnZ$uZ+ zhpf7Qy>a{{W54_(B#~vz(d&{1#zXMb{0uLcAO9WEmkFLnJO;dJ(?zOI4FoEiS3EYe zdI}H|e6s)j4%=(0$eB1K?q*s~4BP_Y4&&zDDW1_X>g zr{EKkpUze2eri#6nxKnxl0mNaI^8+h7`A>mM!9sGkbq1( z9w}pyYR+p4(yuf;L&39d7>>uEaR+ic;Xf|WE$URQx%{U#zZf0QuXLmovYXpqEHMBU zvP@XtgzOF!ZA706noNuNn$=L{+0T^x5$v%{IH-5qikz)i@<~Yr3E9uR2+_s&74GQ(gp!BVzUkzEBdY zw->(R8)g*!sfFhFf7qvt%#+-^1D5>w^lmsvlSo_{u=jWZA+@r=SNi3ZuQ=6Nr9WmJ zR87OX*N@)V`P_|A(ew4azf+sfKYQeei+gr+3Q6PVXVs;tuK}jldG3^J4~^bI@q`?7 zN|{&M7qEXzt{)ia+J9~n44=Cn1e7vl8XgaF+)D6)^m%u*JD+akk_$XA0= zY%#6Lh!a44)KQ!DYPh>)YHRu@>BB84a|P~9K4(;{|2GWF5J%BV%GjmNQyTf-iUn`a zS;`cv?XRwNP4Rw6dLVR#zD=x3M|oP)5Qa>!oICa#5Ez?j6ak+xyG^BMO(U?#bRKamFfeind;0R zBi#?bwI0-uwFmpAu8hcZJkM?$V!0RT`SVf=^GW|(T$&ewZWnL9!tmEKUqNwn2uy7N$sEjJuIh5>d@CxlS-Yd(l*+nXlz^%8%|#L>}HZ|nl@=n z-f@JnD0cs6`LvSgk%dD=)zufVcm2=dk7Sv!tt^y0wIk|L1GV+XQ>xE#@Yt%v-?7xr z7Lwrd04?RnlYeikmmae7To=^b79PF_Ps%fhP};rRE5b;Zr@tnz6K@O>I?6miVB-0oM>EVO@Rn;yw-MgDEG(S(BSqsG*y% zirNUYkB&Jwc~y_<*UT}i_g^o7Z9>nwScJGATvs~^Bt}lw6IPd0QZX2~T=b?|SBo!hgYD0TWhwr*Kyra# zrzcTo;=RJX*)y#`BFq4$zUxps0^&#HIh`t0P*_y+*V@|n2#0Shl{S=0WICC??eF>m z4}wBebLdkZd$9E>4DRq+0thVPC`-pRq$UQ&yi?L~c%3qni6h%4h^nMH^Du}Z=qaSy zsp$QtI#ZCNCipwY`wui3DNc(=5sLfLwMDa4+7TI>7v&|=PHX*R-tC{-UJBGDTPddY zY(J{kAYs@66%y`>*LJWf9B){1z}r8%kpCr8zu_GpEoKq!c95Q^SYkKAgE~($+Z3RL7J)4#5C=LjO}59VEFq#Me~Y;EGT)8X?4@LO zO}Krt{yg+CT2dyV(?jsbFr}loILGB($f4e*!Z{W6o<#b^$-pp}y~k5Q`sR$O^EPj% z7lV0vJV#6zN=CDRn(Vm2pv6ug>r2hO->Ez&r$FulM8O$d2LZG@fUjW-@3B7soZ7C0 z7QLO;zPs;@sZ59tJg=Stoh@yUhj+X-DPkQoo1Ap(;trXj3XM|eY;Q#GF1Qf;h3|*Y z{0ozuY*GW)B;kdAWga}2N+ z{Q{GC@lX1uRdAzI4m*tdSLU-qLYko5(-1%&6-FU5;Ah>@Bhux|A($;^^|noIS_KUVI4u!)>Xt6w&P`gHFa9Kib zcfzErY$)fs-zIsy^a~k@O0w-gy6Sb>{msL1%s>6T1svuXFEYgboalM-GRSBZtE6d9 zJQVP9BD*@^O&W#l}&VU_pjnM&CnKAL|l`JKdwq89Z( zqHVOZ#9(cE4n^$8{Wb7#!>@i!e6G0c}VzYyi2)C!(5Qjfv zy@dT0IT^9H)Su@JGfrZKqR8<|&jk9`3XNg@xDXT(DR;pg9`!3E_Sm%Z;fP-`98)@e_TNqX4cB~p=w_?o#~TIZQNpI8=f%cP<>LK_ zhMMU9yf*W!z15~O4Fk}JCr=op`fL9rFJSGy8Sv+1Wn0Xb{JcFh)o__@_3;xG^bS%h z1H>esNCZHk^Uds?ftQ+Pe`O?;jsg6RqV2JK541-y#l%m)Jrey|Xf5aj`C#DX*qC34 zb^c9`fk42O0x?>s2zr&;i=sCx%+UCZyNPoP3t{7BR&_b4(nAsVmta??y|!*HF;wHa zjVU>pcy)-m$>$n<`z8#@a1qzp&yuYWIH&9TBzU%Koot(Bbm+zHD1Fv#ww!n(2>Iw| z3VIZn|2Har#Gx7{s49-pV(7BFx z>uvg`b}&WCGHV{=c4%nFv18;k%YK}k7dA=0LORVa`++o+zmw65UjrEP&LWgwfB$b& zA`NgqPt^zip!l^nz?&P}j$$?@+6l;M85L*3ZTB*YDX<7MyTyJ}92Y}umMi+&>FTxT zK%|MYs*+{rcHkp!xiHjEWo5STubBc)*_aME5EgV6Cn^Vuc2qGt6COEYMaJn^BfL+| zxa`@pxq7@!gXq4%CQ}&5~n2sFghEvr6 z-TC3OwFFkM)PpN)Urf0zs6R`1s~(rvw$FxXPA+)yd-k3 zQeVF#In+se)p+~{`o1ogY6Pql@v*VIAyITB9~6_YY{ zjGJ+8fj0EjbV!z-nL@Ns@OK5zNOC}I4-9XL4$tia>#_hq^@+du>|qQP%?~gJ@qWRX z+V236>W_{^W5N|oY+?qw7=(geVXbrLkG%2}{7 z{j{V4=Er91Js9|QTo31)+A+#;h**N#+QPT>=8vH&AnsuuG(dne4Bkajte&ilZF%e% z|4Uo$uAT>#u5WI8qM8v!uh7YRFCkBMYGZz@e4S{wwh=9lSOaPJ-vdb8zLMAm(XkRCl@ zn{gwm^2c64#8m-&>X#z5vOXENR$BcqTf~ekh1Zx-k2nl}3ewziOMYfYonqqSj`eZD8DlV?)v|zidu8lG zf^fp+5Fw~zuFAx>8S5gb7@_etAY9eBhs~QuAj#yX$nRfO%9Nz7_83K`9X?;g#!kmL zy--ROZCqL#4pSwZ^&>eu>NN=u+6c|Ev1gy?QO+p0sG#fx&7E#@;r8nl$d6MgiSBBF zRt!nxVOhQdXQK2+lZ#4$u^*V6Yb7&=`*Ta(FUSObrHpHi{K#ta5UY}MZZ$!R?r2Vo zi>k(+(q#1?q>dY@@Bvi%RWIAi&pLm-*}4;cy{xAVgxzBOS=p=Tn|dCflwH18X%S2X zLLf1{3?{Wd=<#jlpNT|muYk^34>=0>B@{6f3#$JtlfK&Kn%4HvDdFA`V=KdE3-ifd zdROxh^wv*vr{u|BqW39_2k1i^4`zuGE*u&o$H%C3C$2wQ2@HJCB)-Dwolk2ztnOt^ zUi^wU3}nWdy%3n`#*E!a#JEc&_OxQo;Ub%ns)pS8r!&R7Aa!hryM`Av^)z3lSV9=w0$+rgB{^ZaB zr6C@%X=%qiP_#3d9a<+ABm6T0IJH-lA0?=;C_Ai!QhC{eGJ7F7u-eo8d5gA1%GXWg z;Iq=(=__@X3~5(h?54pkXs8q^|NeqI<8DO!)x}$20CqsO#C$niCS6bsO!W@2WDD;|8JjOs^>e2QT71sx#u>dygIuYB{LC*O{ z=}>ffCHE$;JqV`5v*7XkKCX-|qr!#AiN0FWgM9 zlbYaeXo@8<>&I|9lCocQ*y5e-OqINc%&A&u-0N;7b=Y#it9&|nOmS?>m_PvjVNaBfF ztyyzB>k5s!rPy4^K3kr);QcCoe=2KR9>h9+L+6C^L9vy2nzAz1%!T-a)H8CPrykQ2 zWQKeGW|yh(X#XROPgt%bPZ^>zj^_sDdU-Ah4}{U_wD_yXugBJOb5=c*eD}s4N>qP) zj00=D_N998u~s7%Y%aIQO0GO*jL!RTeiR#GX;;VBt3>c0EEe8+?JSbe^Sg(>Qt2`4 zsY6roi^TkB5tA%hCfXC~AAl6WuX4!hJe9m+c*L4}5|a>Uiem#d=PT7NmBRgT5H&`Z zPSJ`P1yrFp!lP_kOPmL~R3`=cc07zi9i7nJx*p)XRwgn{xj>W3$ZuY zeXP36m>K_+`TtOL)-?k4>0u*nHOOO^QuBEsZx8f9s;!w0$(4s}#;!vzWakt_w z#ogU4KyV4GPkcPPG|ZYfoGpEy-K5n!(w2n^x1BBf3#xbwC5kFnm?o#Zy9;DqtZ{B33QEtm zR?sX{Pe10SA==p9{u|Kb5(<{Y>Cyp_nSBzfchoSM&8+*B^q{$mJxawy z_MGvYK4u{S0VUW{Lp5%i2|r>pR!qxptsO zM96S!97AVe$s)}dNy3r6da}H0CEScR+YrZvPZgfT^j`8qCUR0Fnh>4tGulQ& z;V@Dj%b%#uJrQJ)^SJtYD0I-vV@07G%0N%3s+r}aBy%a+f&J~&tcNH>G4V0=jf3QJ z)93fFpYX4?q+k61>DSktewG3H`Ih0ka`Qi|@;1mK-#-OAe?4mR3TKu%*l8SZBoOd!tsx5eBI60D3Q$X|31X z@YFT(jmZF-IdwNR!AVnjTh3=gwppP)Tw}2xSBN?i`B#`pf>kR{wQs(BIe2czGSdLm zG0wG-DnAkEiNObNPk|u(5)^M@?A+ck=gygeJ7P5$AT5)A+d)z)yAA6HOo6n6KsB?e zi-_9+7wVi6{_2wib7Il{1Pq-*nD8K<9>xYr^Q@NyzxM;)4V}8ZN95vgzV2$T`t4tw zj|QUwGIHx~Axu^Sl+3;dy*7fLw^j+gZNJDO#%S<%pGv%4W8SnKTf|R%$m7}QIC)6K zrvcs4fYt+h)Fe0Y^!dMB8O`M%fM+i_+udW0gnzl83rI1B5?`O;{;z! zrg`ybRL4)0$lzJs*}5Yu+MiHfJeRc+x?6{AMz5)dSTTYM+(k$5JN6d?Bgy%0DNFB%f1DEK0gdw|&3TM_Bfph#^TwvE5Fy42pew9Ex>4S0Yfh_trZi|)_ zPQiLQ^8b-g@s z&!w$uDa2g9DXUR})Y*it)Jd$U_ULFWO)-w%)=7i(K{yJSD(M|K{C2v)3IVN(oIrWT zw~pn%Mu8JxAf8Ebn0y+GQ;CX`-^awU2gh2wb5Uw|@lrFp*sUT11h=1W9TY3M!=o%z znnz_A+U0D< zFNyIkMGB$Nw1OtQzY-M2T+C5&h<&V!iGG;g4;W_&+SBPYdU0}eE6wDzL)bI+o20j? zP~eh-pX35P`9CdZ)6(~z$6EVv=s($&|MJ9Hz{kP1M=lYt(-lKzev!=0jH5bw8umXV ziwpZoP`5roOVNAzl4oErfn7!UV3xP|Nx#1W4Ukfho9Xe%2gW))t7i3zjv6Ys*Gs)7 z%=8FUnat8}urrY_&H-51QMz;{^=N}s(pFE=56S0dX&#{N>Z@&X*HpYe+J|15i9Qkv zYRu6%E2oNj<$9-SW028m?$%%>Vz8RY*3tf#1q|Oe^hx-2;nn=h3cL)&JA>bKCfrJK z+##s5BqnNgj}Ml4q;d>&89_0>bB!}E?$K+oaAkz`IX09stHY(ZAR1j&pUZJ+>MMvB z&^FeoJ@CRBWcIua{hB=Wxbzk0aV#qlSBs7>?K~(*ffC(UwXC8{M0h#Zd7X2uWK7ig zR0Fm6(`0CE^!$3>kNNYYqUNWB-R%mu)K7%qqp~Wb4)7-IzTj}qV*1!RD*dKH&OY@M z>%;!c9ryLim0@9(|F4#v9t4ut9*lEX`E5HzIcO%2oeHYV{xP5qm!rmHp`j+7YJDVE z)M+N@#qRe%8?0$eMo}^eU^U1kJ^W$jlJ?g0XIa^VFWFjcLZA^yhDx|XHRM$&Od+9o zLd35Of2M1>$-MyT%}ct^7m>(eT)2QraMgvc2Q>5cDDa^H7#AULS>rrHggyzgefa2A=7=}R z0xQxiEt`Y2J_<5F_&BwlO+Po{U^4vuQ@z7)f^08$c|fc9@1$$)z`uU|nj$8B0wq+kN`bK`xzh&BT#{8=4udLXQ+VBFeb*W$&k z;$U^|Rcrd*GoCq#o!SiLzh;bDHdHkh_~H3Mn;=cQUQ^d$?&2Qapog;2sz_zoa81DZER#I{Odqr{*{F^#Mg$K=#!%e*2e075gk-96EGT&GsPe zpc}cAwE(yzc5qlBz}F;F4UHC{&^2^r&LU7^FtI1v$x&E>+0Kk_9KMrC2t2W{W^9yG z)VJ?paFR#O3KF3T@6&rVK}@y`c(dJT3P>c#?*7@M@bn9xQ!sVuel+^k^)8fsf?H=# z0^-dSL}i~xeRavTe>n!Qp{nfMy-c5(TorQ7^U3e|Is+_dxVb7>o^$T@q%b8>u?Q9f zRd*9IkucIZxKj?~8r&sueWj}GDN@k66Bi2D+%l1b&g;!ZwBuc5aeS${$VrOC9S_12 zrIS;HScf@&1dQ4>@5J_0@4{j(I3An{Q9ghBxw@cBX~6k{++U>%o}XUhQ@gF`_eYjP z;k&R+MSeaS{0ODl+cmiudJXx20(Ww4ae-MbR9G~1iNa9e1E-SeJPx$-QT8i!X^CY9 zR_NVA&IdZFZ$H1*N6=!1Z`XnCG;}w_fQO(QAS{Ajj|=k~w9(nE zfvEzrf|8H8Huj^WEf?#~EZ5@LsN#M9t43_?HCOZN$ZiwD=FT_t3aZ31vR;_Jn@c0re%8hdblVQS!iCE^J+TmEqmOvn^yzxiVp<67zi*J+Yo zFymVjLOej{n?Di35qT*tyiBrl0(Oq%S=F&Vw9W+d=>aRwxkJ(*xD$sp@exb#5IA|6 z?5p)|R*t~IY<>l3V_q;(3N4(3-rMbrOiZ|aidxiLN#qWnXCMsj7#lBf10(!T72ryy zc}cfW8A77xUDf71BJu2O1GUrHd|l?rF3rgKInEEamnkXpjsLI_j%T#-i{hh|2NoF%H2 zXZeIEJYlHa`Wr_`y6aX6e2sre-G0}VXB*~?%v@oHeRo(a z3o0toDaQlSE&CEb1aL2xH+eYh5_GL%jO~wClK@H8vI*rM8Vpc~@TmlqU_x%{7M~BM z7_J|Q6FFPpx97Ws?>8-rX5dsHIHgP0vLsv<2gJ zFE-n>pz5W5c5@dJpq9q4{{js8@-^~Ri#MOI`@DBQUh;Zx>VJ<0e^T*vpatswtdkXk zffg=rQb#o{3lM(ocIN!CI@#h}eH?8!Ki*vF_K6plQ!39FK=0S7w5au!34^lKtkm^g ztX~5Tm12-5XhR~)7^-dX8Szee-Goqchug6MUcaSvkN({h?n!h zT+*Q^y_}(zZT>@w1e4)tqmcOL8BRB|AXR3~ruV&mEUJ zGRLO)1x&5ZO@M;Zi9~|UF?gFXyGvgGp%47B2q#<5&0phAhIXJEa_n;|xkp;OAfIzlA5gMnE zn|_0FN1AgHD=bP7F9mrPEhc~S(tr-Ty68ge=495D#QLJ!#&*Z@cS%-bmmW>V2x$_p zJl((uEu7#J&;_=>ca#7G4ynrR5HNu%BnNM0Vz(g7Vmi?C6dw`%?v?8w1{-|sayi6r zyySO7S+s}%bQ-V{e}yZom(51zO7fQc=?A)8U@kF8yTtKvYpwN3W*WL9Dxc%3hDg?= z9)~CcfhvArNPXr+p8UI%6nO&2u=UdR*OR+sT{G8tB4dQ{RMTX=fS)Ar-CJEb*g-;p zx5eP11w$=JuO+>ur;GX_Y@$n6RdW$cS=IpH9L%L0f6^ofGwBKN<9de)<~T+XcNDZQ zw}$mSq9H~F7^IHPvotS**zQovTYL%ab4;h&ak`~E)q=5bBc70i=cC1$wz)R#pfq-D zG_p?h?bsO~Xud|>OUC}sxXQ(CC1sa%%12u8s+|EtTYxZD)bIsM-qt1Ch)%^MtuRKe zTt{;}m+yxJyka{@lo0CYbs^&W(@JAfya1(B!zSBhOTMxQ3q|#=#%V2bwPj(k}j;^Wiu&@YDG+;bY6lWLvu7WNbFAQ5< z(m@5%{T_xFP_7nXru}d?Ji%1eB%>kG>#5FwHOz3ULm~5}_!PIhsBH7Vq!lOcx~oV_Y`-u1xZ*2cCd|^Rm+ZfO*VbTCmP7>+`QC z@IwD`l^1a*`NOF0XExQubLg8W!Lwyr8chzeQ7LAeB1s!bQ2+%sx)ie9e5_in?%C$S z6FZyW@ju}TG{W9%nf{M?)mEcL*%kxwTyjT}>(10=Tn)kmE5ZcY;=&cd7X9Chl&{%% zu0}INWGk1~$!;4z7vFmMJ!8=+G2wg>U@MW(5hPsTeQB%kursVr$uNB;R4MV`J(aJ@ zF(IK3Tdd6kLfk&2%%GU(t59o{*k|*BIg6)@^<_hfeF0KeIdi8g+aykHn>i6)rq?1_ zSz(Iv&3RKsqwq(f)q!>puf-SC?np|3XK3)4K1QqTSb<-ge0>$TC)v)7z2*ag4>cA=9g@e zlalRa7?y8KS?v~$rGSo9rO#E|zmSly-wYieJ9tircoMDjCQ(1>ykoax4zgo}gA*Qpb2{d65RA<<(Kr?ve zBsYQgc}%upDu=2T&TXn!!5iIM@B{c=L(;Nt5q zkpo&%j-Oyo@}Jn>1x0X0oT&$BcSLik^($!wxsB{!vAyAP-#2!Q@O9 z4&(PmMxOQP!YP9#;!O{_ffqf-tUKk4HOeTnAQSAuB@^)_&l9}}^r4w0*gXDg0(?^| zeYd?lad)Z@d^xDMF6es-R`t(`X_$OjX{fKDfd5?PMvp2t)VbOFGHD@pEGYODfn(i? z`T}(942|BZ4pIQk*Dg}M4KsH=d6YVk3?8#f7)VmrGV$zc{j$}c7~<__TRL%eQr>2C zE-Art|oHdqcQAhjvqF z9*Y9zA!{c$DXjX;5kL?!Y02^JbuIe1;mI{9Oo}t zktVTwhGR2ykPU_3lT^ElKiwHr2J&d8r@th`VD4s}Y$UiHBvsoQ2~=6up>pnD&#G}& zpKtVFRiKEUR)LJj$Iz9m@sk7b&H!Y;eEii2OS zkC)5dG;QOfF4Y|Cd&>Cc^eU72TvNP~`xa35So8I_=l$4Efpg7=-_eI;m`QVE?>dPIIC9Mk z)GE1`fsBJ;{DAfywhwTgLMAs8BsDs9;;mkrE->jpZ5B<@gdsEWskkLyABqc8%I2%2%Xrk-?Yc({ zKOqm4x4wBDHu_lri8q10? zv$bfgp>RKO0_~~(_oP18i7QY6_@|-DxPee5B zOu{Q7ZLqxcLs{nEBAmw(y`NIVMOfT5Y@)C?u_Hj?7~<63=F=vETNrLQC8Z?8p3>)Wu$1S5F$fFkhYS@y#Nlbg1CD}F;=0Q`>B?u!X>s*llXn^vxc73P zlKQem=Aagp0M7#Kzwn?dU_-ZDYKTkTP+^_iA*)*VjW$-Zb zt=`GmE{EdRPF}XE%V`OV?OO$f&ONZ?8 z#Q=z;^2cYiT$mIaykx>hw74D8r-5i6tsW5t&BsUBmJ2X_HG(X2Brm= zBXl2u={IS40EE!e(Fu9{1eC%a_j@>Rlad*4yV|FhGl5qnKNh3A>x;`EUJLHG59bV* z^Zw}3vWavPy4hHZpNufG-OF3t7$>>2F{zf> z|H%95!Va-MTlH8kTqnfQ=1)n{vNymGW_@k9uAb8+7NM^YSYj zJ~#_>weX6CZMKXF!B8c{Be(v6N|VOOsoa64&0n3ZoUUG z87<9)3bni7)S1gge3Z8aRqH)1@D@WWvbHV;%4CWG67HFxXXh|DSIDzcbTrp8Qjsn}s}% z)uK~BV{*(%5f5ed(TYD9S9k$#A|e(e^~#+DX00#1(Nxb_9a#++w$8jDL8R{e0Dg&uRlouT}AyIV${d!^$!w@`c9c6HXT(cMK$jstfxEAA9(> z`gjrTIUW6h*I0kw=0`;Bi^g*pw}N0#zJ*)qi9wdi+r#~x+``rK2AK_^52XgRslp<% z%v9-w9J%*w?Vtvbc=w9$oy(J8t0M35&Rd+HgC!Gy`!hftr1-hxWU6S|b`0=V5qX}R zW}`g~Z?G6tomyR%D%3944hhAf&gIuA`Mx4LshNV;P0<(Si%p`J=Y?8 z7K`P-xV#okv06L09G#71^ z*ZaSphVu>ELfFcK;GIu{!~Oz#ZQ`MDPzQSWb;L3%B_XvXsz)#{I|E1p)ErvcKOs5;Q8j4#3mdBzuES7SZ0cNh_vjRboU85ge{y4f$r#k3PO&W6*G_4p(R9dvuo z77S13&^I?(AIHA{U@>|G(cqVUjIrZmL>*g4o>@gV|P< z010%QVYr~ySW`H?v6NEXHm+nT-SLM87+!bbYqNsr5U-vv-ON>*bLCxXpd&gZ5mJ_T zUdYEFA_9C+N(X)4znI5j^bz7=abA4Zs?|+V^B_);xKB>t!hr5o2p4Jh_^??z3V;k?66;u9*ku)9453&-}`5z znztk_v^%uQg;8;@CSkLTds1e@5OiJxy zLw@F2;AGr)Zi%T$&Ef*Vi&)sW3l@Ll14%|V$6kr5d|GK`8SZaRKEfn;F&^LvdW~Ab z^b8nzqniyU31M)wS}~+2JT*;cak`NML5^45ki8nj= zlyMl;^*UMYMD0&Ku3J$LWw>@?E`L4TB2~Sn;d&MdSehy}v7S4-tHg{5bxCA;p=J%O zP-kebzic(3arb^S0yFK+EU)e}@Vs277SGktx6Io(*Lzt~=3C*2KlRGjyg2N4{Mo`Z zv-&0T_N(H$9cP){`uy{q5f%Aoud)^?tB64i!D(TjmrHf;%oFgK2}V=w(yCXXq`Ln? zGsT6gIV2D7pKeywkGA8?m5vgiIc2{2tN>ox-h}2SA3&+EX+24w?vEEn-?gfxj9#oJ z6!Tk$&pt7C|8vrDNqSA{f(%qxf})L;MLvGP8bIkBOcBAZ#%TKu@Zn=xVp#Ol-~e-G zhobn4m@YlzCTB%9-YiOdHRx$eTM8Hc=epdJcEXp}=$6$r zZ!iGp3ct!=sD7-5zc2$+ZkHUB_O@As{W}L=78d%!Y~vZUo+i{^zyH{vT`9f5Sm*JeTdj zO^no4d+G5tF0|WYsxsn zzIX8oNw3RiI0?XR_g7R!wjiE{X-gUY>N(U63C5S^a}9RQxU92Rq?%1WcgJBx1`C% zRA>OAvw6ujc-I5qDMf!xWC(An{DMNkoGKU_5`8HT?mI(dADU)RO9tW?`L&8P-#2RL zU!zdhc%7>Xg zbZaZTBt$AbGq1xHyz8?`YSiVo&FzFeH0 z`urZh@oKMeJ)I$h;(axpvgTv|bPlh{Hcbv57L|0qPKiimOmj-M3JEay2e8?9Y2GE~ zzX-*_;dPnI5;<@5#QXZueuA@%miC;dF7eHqolfYAn9h>E+xXT`N1&?`-8`USp2q6< zGo_h0+%rTVv5(Yloh=m`ANr_TzAo43kN=*^RioF6-Gu=Tq^!+Z)dHVf4!ZBLiytki zluFO~%ABoth|n|_fLizCByJ4x##IxF2x6NHHo@z%!{@qsH2{oIbeLVS4veS88ke4f zdFh(DGBC`H=K2}|#?&eX!ugurrY!)_kbe!StQ;#hjht{bj>X0SsU#X~cwC6rc@lx% zMfZ7O4_^ThR+ycJIw-=kGVX-ppxUvL2^lJ;>vq!)=^%gDOzNHSUmyHJ{{>JddojKC z=r|m*!g$%=oZO-b6@;-LTs&S}O{moO927-gWFO|>)xBr9`W{BL|J;{0x>Am6APZjv z2s$;B8fZ|!8W;z^ar52BuqfyvrByEj^1uMCA|Jh1ig^cxjsvZGEtlGYz@AIsHOa1m zkn>Xl^{P#Qe->SALZJ&ZQ~agYbD`)I-eu5c$7|i6exuk{ zsNqs%;&SO;aH=R08VMh*t4vMjei3PS4ARIzBmZQ5p-^#@+O)C^o znD2YCfpP?@$P#5B!yvw@z<2s74%}y8+~Y&Uva@k;r1xZ?sQ!TxT7G2IgAH6JdY%<-O-P_KpXq3rS1vzo*`sv zRvCCB4H@bB#U$hxg3XwL(CFE6IAzC&(;tdoZk+dtS68J(-_TPZJ9pf%aSl(rtFQM)Yrff!^Vln2aH$6 zMg@{gqkGMw=EVOJm!nYDYRq~R$vC#NM{Di0)d%8VYh7ddf2h&LG8X}bSXzqbS?{j) zfj3I^nqp8qyQZx{2-~?V(e1&^q+{;M#a`vK{Uqa&g2n+H6ADqE0);LNQ2g>AXN_$D zhR6f?%w;mF{LFndWPtett7J2ZN+?1hfwl1B)bZ*_;ANB(=vu4%Ljq{7d5~lJ(-Ocx z4}GorFEcCJpK`N2W?Ni*4)e>MZyg~|iPSl4VDn9}ef%mS`R#LrmLzNP;lQ9>R5^7@ zv(W5aMAs-x<&2X5)R~#X^6EdNBrYG35wWQyZN+@0l+eIHRCqn<(Oauy;YLsRkD@Ly zDxm8&7PZ@%`B`SzRCa)3QleeT+!IZq6EbdC^)cncqIuFp=%wB3*I|tzKwQH#=My9y z9RY_1o#jtEOB8OigC_q)sf@#xc#>y*3b_YnJ`N}!T6fe6@&#TTv{+qZ!MGX!e)P2a zyKcd2bs|j9fhAH?7+-r0lTJD|PApkC02MzZ;Z1zw>x#O=%Ue`ewoG{50KWl0c<)l8 z>}k_!IN$BC4Dzf3vWD_y3k9G=SF`-$naRd+&>#84GR>PiBhLJ@?Av!)-9@mda+HtB z*I=&aKRl}CWjsGrAkv$l85xh4N+BB2RKsF|@%IY&l5e%bd4Nm+{c#(to)}^Zc_JB7 zQ@7RA=5tP0(=W+bnhgkSTpDWo&#aR%wp&+>P{RAVIzfWb`AsXy&B}Pb!Vs=2wlLw9 zVe#fe98ffbUQ}yP>m3T~`1S9}G@H(uzaRO{!~Sm;KwT(YFX7+BYx(bLTC~9DATiGX zyr?lT1WLR3#N0+;{?_+i4DTD%$wM_TO+bw-)ssIjUCF(COr$QxG2BdL?|7~|w2G)M zSdFtD8=25Do?hir0X|ceqkAH<2SxvazT}UeCct+UjNVL1l{wLK36Jk$i*W*5=aMAj zL*z_2bLpN3P$_}v(59(aN4|YE|1mfJi^aMcur9uOKu_>z6D4V(HF5b7lGbB9}#Rsv3y@Z)(8H~+)RxgC4l2Qdk}`AuRxKuF2j;wGx+FtK_C}jNFTSZ5Yx3f_Y~;hB zQ@?z_csko0VdA$8$Zh_n9-=e}k?VF`lPf4EhCwIv@nRRsEaE`fq?LbSLN-^~jV!?p zj042PW$O6~DtyISYW6lV7=B;ThQ#YXO=^2z%spek?=h)C3zDu5{rrUp&-Ns+E8-mv z=x^b3;bFt~CVt}-0S&0xtL!{Nkex_~a^c%t_FgR@M-YU)8e`wZVWR$J4poHJpfR=1 znY59WY*J&Dn(D%IP8lNNoGKwnfh#7(B|9?|A>x#^`_}t!fP!4+Cs?#vM^c$Vj%f}< zp$nqDYojDQM{vBdzNHICe(uBs_lwwnFrHF&rB+-Ws%vvKQB-Ft;5iF%6!4}h24OK$j@#F8HgFfXDal>#Jyw}^ggem z0*croO9g_34$!cVHG1)Q?&6-1`f8UhO6ruYX7QIJcOv1)0%9J`=~MH9PKqe(o12@< zCC8^A78s};>9r$gG`^d=wc{@nLEN8QH} zD^rY>wP0ZN5#{>qZ%qAZeRU*h(#I_scY?evu*FC`+CjAZQsi$X@fwoyzf955S^zYf%N?pdRt7RkCGZBD6JB>8R^T5JSDFqm_!&1E7lCE_Ti~W# zMG~}GM|MPTZN|XLh!#8?pcfQ9ztOQ)x~zV3taY!Q=auO{eZGHi_~XN+R$-p{!-}ZR z^@>N!^{s-f{N(`>GP5~c^U$Y4ob6o02#XUq&5Puau2fXOcwz|0Tq`LV;FQg!qZbeX)nR({9cg{w1e}(;Ci4 zQRDTmrosY8AFJ{*S|5)++NxVlT{G@HqJ_~kO{5Eii2wudm;dq3wY8DXD9 z7jWv>;|9mh(2DB!4}=ul2Fb`^7p32M7YTD!e}Wh4F2yL&m<0 z@Ic#noky)l>$#yhqd;rk>oY2`M{|e1m`(hqtPWf}e36SW=e|m<)vVuN+a~Wu{BL`& z0`U=vMbCG1nl~)y7d`2zW8!>1ITp{7O;UPtlaXJn+@!-G{;=671N-i-E05N#JXp|W zZdb?_-!$v>Z+_p^{_a(bC6~k5^f4!X?wJi&(OqV^%+o(P_-kd{5KARtEVT6&(o*RA7jgLRHlw$`^*S?_d|Pz)fTX5=6;YQjtW~yq zK5iQU-MmL?3At^ll~d0MbH(a-G7Hp_q4{Nr``&2G*E2lCe6(Gj`5xf)AJrc&wo zs5MGK>X7P)Y0!VkFM1bvm1vAuA78yyUI_1-y!L#$Dk(|7(fhd%iRaTm4)>g#sMqFM zNora1cOY?Su+~gvXlOc+cN%RwxP>{2Ssj0_^!=|7^5Im$G~>A5ba_bwE`#3G)72!V zuL?n|T&2h!@7L_^az}ekQ)(jpON;{b51zL+g(83WHh+y4;noj&q<#DqziL92200q9 zmfh~ZD49AXC zugg-M%=Z0~9U~hZA|>&z9x6os8MQf)ub|w(=soIr+w5(7lMO;OJqZgOd26{*^BseV zq;IqtSWA0%-|@T{!WX<3X67rAI$O=n(;qgBAJz7qF)@(J)WP>)tvvdzSxKxiTy$x? zIU}K={KOZoQE@&rM|Bx@s*;cr`+V&$xsOz=qiuQd?5L3kEXI94uTSVS7RtUF5&HH3 zey45Z?8Xr6s7)>C_UDmrwoWFl|Ig{L5XFGsp7QE)naH~w6sv74?Pl&;f2A8wm1|*v zSe+<``5Lc_0b>U%*ByLr{3*y8d(+mBI@2zAUwY;+&tqQIlqc^(dj zc|PwZsE2{S%0i&OU@I+6epGXuyeVhVSFU;)$A>nrR`v}xhELGkmpzcDu0O9u z&J$T{Ix!M|4i{$2L7TLDuj}?xUTbp6OpW1OM8>6C@aS`@^N_SMm=b zv<{`Kk&n@LeO$bn=l2@qKg1B<#VBHWPip-UFtN9HUj3PAt(QWr9ydJrc*Ym}ZCT3~ zeC1@1h%PbB+r2(fqwUd`QXQeQO^d3CZilYNy2X`oqqBFe%JlSM8mue#nf{H-?=$l6sw%g9OIrox0d< zqEbiSMST47;BBM`rhgywu#}(QsOhdMsjcb}GPR&+eAhD#dfQhSo4Mt>IbF_6;i7^> z_Fn(ZKq7W)PfBK+{T_Gy{fx~nq?}bZE^pKsU zF|x{k;dHUebdU*RTjR5j7Hm$f7b7?_jYKpVKjOpMkhkR*JEqF%R>trW z_e~3aO@uit4&S#3CRzdY<*zvsAqx{ zthZh!QqGia(`+`Jz8bmPX`iROv9{W2y2QD zMeeQvyK4XE;RMF|SweV%lc;oHL3b*0`El9sT7>f>bhE91@vPPQ_%)eu1Hu6bX9PdQ z*p=Bj-Ue=}{?+|GA^-fp-(>d{O6oD5mU+i|c0)j0Y7B7bu|~J2+79W>zL|Qf)0$NM zGul(p+|`V??NJzU+I86;)E6dGUR>U2`xi-i(EU`kO^9UV^djHKQrMd~X(ot(y$x|T z$*v^z3Tb^8O7ZC}tQ=}&jA#$SuiLjZYuQP)Bfgx!w#t(~b!&6C-dd_XTzSJMGF?_~ zIU4ssdHL0ocfrHbVJ!eH$^1oO+=rr5`jVVF$(Kf;OcgG?Uie{vtlX z48|F9H*U54T(9Fo4l)%yfa^56=a^oFpxzBu*)^BqcS@d35KU@U%^WYuAAq=;7*|)Je z$7hFx#vZX+Xlu4{z;Cu|!hn8d_;UWd=bcBPh}4_!^Do0z{1`03q8G%M(XO>r7Z>EF z{1DL#mP-Dz#I6j3J*q9~uw)7fLDve)HAT@wQ`ymsl((O2DW#F3B;Z4eNMA(B9>K*8 zbVf9^@xo(0NOx6tbFRAA-;8U&8*2wmL`lqiBVezji`w++hxp!u0k*2#$QCN8-%Z7d z>y*3Zq`^WZ?Ve2){ffa2)7AxcAm5{(+znY!?4_N+&z#K4OLzMt!o#i(#9nk|t5rP% zkGV#)-2vmeA)l-^7D|TawTPql;3>!Z25wxB*(p1llR`13qe8}VTH)JW3Zv`V933IN z0mT3QxdP9f)PYsMLa$R@S58~6kp}k(#z@%u&vNhEq`KMRw%(hzrAt@XtpB+O_(7++ z$jA{9yKCg=Gh)nyf%D%hmaF9g92X!Z`2$zw{$i1R^7{mD%P~(ikD@PSlH&O8gyWJ# zbSU5%^58-u)JWP2HTo5^jZv%B^A^GrpT{GY`Vg#B-gg;A1&FIY(K$clrvF^b2(?4A z8m(7d`DdS{8G7gLCd@h>tmV!S8BQtz91udu!N3iC-SLBy$!Z0s|?qhSk5Xzu8KYq=`^bFaS^IDR)-lRK$*GfuGE<=9<14#Ch` zJAtX3lZf-@#l~#1b|+CWbFHCV8CK2gT#?V7v1$!V`P-p zFy7P)2AK`%4}Mn>dgEI`e_Wf*Lvnj-a!QK!7Ge)Iz}N1p4aY(Gx5s?T7z6lIAWc`BA+T1% zZV}qH&$y^XV)S_c`&6?N@|ag&kB{(g`>fDLN}@^=?ddvHL|E?6$M&H9CS{zZJ8Lxj zk#@G0vU|4r7b6%F>Z{n2QR}NPcfJ7CuXgp=Um^39LDMIU+xXX##%`` ziom9FMMd$<=bGM>X-eU3l#VuviHXjQk;UTek8dAz@-YpIIOs1-4S2SX>Mr! zXg%E@{+jwa+*BWXZHzt;Ud)YiS$8kKFaO@$!Tf0BI^xe9b3;#T>$wOl z_VGrQq#368I1{-jcE97OJ4S5r|2kM_)Mhis)yJT`wek#l;7zSU+f(Z-&U@?JOIO_m zd9*Uv?a1L7F=|J&PIQ618|nQyt9gXw`QI;ZB~2E8JHQr=ZrNZ7mu}4=!Hnw<|A)JG z4~KeR|NmR1SS!a=a-5{7RgpC0Fe52bOPWgM7@%mQxO65)w0r z2Fqax474)j3VRB)nU`r0@t@G!P&0x>6QV6;rx;k2k| zJ*4&UWL=o6I>!%(-Isv93!$)GD)`TxW^N$1#e<~Leq3IMi$OWMEj;&L>p7D;88y{V z;Rj6x&?{b3WQ^@YFjSvb(cs*XKo0I$e$>(63gc#~RqRqm&g4EWFh+h$cE5epyxDta zq^6di0$LUE!_Jm0^;9__As51bx5H@Flkl4W?jzRU$lugZl) zl5Bnnp*J)L3ko%4`1N`zaY;dTBLh+3c10hkH%0{Izw6oV{3eJ5O-LBOUqC)o%0p zej8`n;z)D9aLIO9rFX%z|AFlH{}56BF}nQa-?mEObBeY)gBiuyxE zRne)c zLG)Luxpj}z(R8|bLvYJi$2S+FNy6j?#o@@GO;=BSKM~Q$7`aeD#-U~MheMc0c=}^v zI348mjLEZiLhiI+ocxb!w2;Z-AwN31MrLZBOeHb%n(YektwzFl&+QDz&V|K-{=}CQ zD01$+s?y4MaUQ+L#$aX^3zN-@4C~6Bz4K@8L4uI}z=n zn-Zr@tb1HCy!$K=Ci55lX@%w^=eC{E7*ZJ&LKugEv=w2~xrcjJox4??d$_~=VLSTg zp`ks3rH-g^HD^B(jP{|N;iF@H7zXZ2!2&8ra-W%rFW-t(uF2tE>o|T3{z6a;EeYn_ zqn&el2;S7uqp0dj?@6!?X)l>LH$xHxcp4`Ky=rUf^p3@c4ifWN`i|iN&4Ji;i+ph|hvAN=9j-!sv_o*Rkq$Zz){cfI?)WcX=0;D7!4&L>0Q_^4SCyl;YdS z^U4qye~&IBsvZ3h&W4*<-Qgc_sT&SjdHECgb4r{e_b_j{_*pabfIF+luQAFrAo3m+ zd)%MLDdMR-p5rkxJnr9+*`NFw7<6P!{g zCKXC}Mt*JjYRUAdKAo_+cP1(39$sftiXl%|Cs;N_cD9J8F(kyCr!bdZ6)WbGFGtvd z(56TDywVIrOiYs2*lc228pbs2PSkJ1*lz+`&0aC!LwGiKpQhMO_=sZ=c-A@850R3T z=4~+d{*4uUWj6QI@IJY37bs;zb?g^1D_kD}?si&AWyOmzkVAgfXl5j~|HCY=kQXw5 zK6^-BW#hr*69HW+eVCuG`Ht?GU08P>1hUi%1 zIGC}X{==kjJYt6Zp3Lo;hzvTd{?DrSKV@SeAs^8V-y|+mT8EW^tEATeN3>I;I8-Do z^U%;SF+wlorOCV#@%-1On{_-=47^Ry;%C1CU$n#O`g(Z8>>3v2oxLvAAC!?sfrts{qe2J1O26dtSit=7Kz zc@2E|AdplJYF89rb8hMq zIvkpfTKZcY-i&(DPqLRuR(qXpy&hTKEiGdr<9=Q`H#Xv^EZ3=PYq6G${^PJ8Mz==x zRK^YfiG{*KE^YoeWK^ost!04Vm~5mb?BaLbu&`xVI?)M{iXs8aKy;=SUri1+Ms{WVl9mP4(g$7R$bF%BCXwg#jT*wBK^0 z*4odQbyd^$K+u-~`t7va$n2%SVBm*e2g@DTM;E9L8h4iYeCZDznPB^bEmklLge>k)!?Aa+A!9`{pwLTE^3#t^?gg{PqWmsJd>jrtEjs(Of-L`OQ3?P49$T!EWO*b^UnAY6?$K)O7tcTwdZzZ-G1C+ z#Iz2)Q}Ip`=hI^!(_-u9iuec}-6sJBG%rYqZAzTdlXlEeRbQbZV;NTmGDZ^O%bx}* zFgUu>*PKDl{4SeDTD}L7Sgle)4&C;Krt%Lu*>6OMU!Tg$y;5Yik7~@`iD85lnqGV( z_UMF!q!|4jkJVEu1#Ww(X%ZW7*F76ErYDeD%u=}4u3g}s{Of2SRXSYjO{CyiL%J6d zsP6rJ-lG!XT6347t80w9Fj2!SER+KSgw~;+Y=iUVc~T+GCO|qVR+4B@OZL_iNA$;9 z7I_S>U0E*>>Co04CcD@vZB)dOVcflY-B8;IwS7th%mc1g>laMh-6j>zqY`9Sk`p_o z@G=yxdR_yp!`ak5fN%J0YnovmTsx%Wz_FuKlQVX$UxOn_oF>OM>b8jY2=}LPAL#jC zb916fCqMP*ZF5r#!Ig%FiF-xuls{}#yj9lZN14feklm=&?R;`;X@yC`ve=;)PHgd0 zx4FXOTZeXu+BJkR1Fer_CK(Ym3CA%V4$kXCIW3toYGhyGbwSkYazSW8AztS}tVI=a z+CcMOmYmGq->KHV?yiaRh*e4R(CaR!GiYG79%_E3Z+PW(fa_@sYJrfrCgCD{D$*)`|DydrO(B{b2;S@gN*7-4T! ze^#hz)3*k81ZZF_IpRm%QCOzJ$@aeLQ~s(S)j*;|Ij%&B6?%q*w5Bnf-emY?!8IyRJ@)L5saE1kv@uiI<-)GP1v z} z8dQJDXYgI#H9rpDQ;j=tBPUJs*BEXH#PC<^w?rt?JyX%{!fOG2pJqQtmFchwJyvrR z*_dh!tWtDuP9>Q`FUZfHh_Uu=eKGvlng0ANkah3u{9Yvmaur^iA2#oQBk6?E?CZMAbmdf*pyB4#q%o}!d;80zYOcyrKe)71WV6ShHH)r9<(|g^y1$z zv<`DDFq^4&eI6-)`4yJCdxCq(38&;(FLPf}d2RecFWSW)&lXv4Kw)wbR(_7AW?eJQkaB1ZYK&D8DQ;?Trk(T#68FhFjE z*Io5ytv#czu4;WGV|40$C+{6CpZNagYeA0*ubSk86|3iA>xH6n8Bui|(vzi-UFPl` zGo{r1)WCpPMAHD8;l=P8()0^MegA@v`vxtr{LR^f53Q_Q&Z5&{)#QnNL^Z;mD*g4{ z*O%V21UC%2#|TOcVs>dp?2rZ>6DCJK%iY;{6dtvslwW#S`E?cm)BGlVqlv8wt|@=S-dGQ{<8Sc#=tfKW0v zN)*1=a)&f)lw2IV5`hYu&SV5R6uhfePI=$yV*XDl-_Qkh0 zRy`4p!qRWyO)JVN;h)N1@A+2616Xirb!n7#Z@+f+_{Y(g0}Y3ptKTZJX>)6f{P60f z!oQT_v~WnX^L|BhAa?v1?wwLrnm`$e8aN1L-<;igdv*2LXh8ZFxI`L(Fwy-^K<_p7 zd2Q2Vp|=vhWThMd`AqD{Yp@uWBcFkJ_R61z)(@|ay6LVlYlxz#+{C{{Zl=NpYux=*pF*o(8K{Mm^?wGq< zKOrY0gQ$YZy4x6TYI?S@zkp{6S-RA$Cs&<8jS1f4bP@NT0>|I#@hOXXvNDZL``5EM}CS1&{>shjoeYgvqor}D!B3vzi zfRLvu^}rPegJrn{^Yq#yQ!;z)v`0U0(9OZ_GsSMP4|AEBNh&2>b#6AJ6(>A~#zE;Fv^dUwAf38%7*mPm1`6e~1AZuPft1(jS zjT}25Yx%O2vsE+kp+2Q=@=zF}s1qrhl#L!9_uE}h(rg%2s%JK| z)PT^=)nyR`J7uI;SiR%K;+ND&a9!$9?Ji97&G(y73rBUfBdxrOn$8~Hto)$OL@53E zY}gUb&z$<;1J_A&>O67!c}Z-!K9Dkl4ZX;w=vkp402PKDgGnB-%O`%FAI*TJwoWP* zlO|L!A#9>gn8LycBgs|}Too1URklc>UhS2g^l}mz#D`l{8Q=Ls2l20mwPyL`{l`@u zuQZ4jN{ej?a07v@mDsH+B(H9JrV?8vKeBdes1$X7q)wg_*gZ1%g|F7}vjto3q|Ww} z>2g9}QpS0R$O2cw;h(H1_sJ7vLLcCHr4G&@gz_|QakYR0YsrcslUl|RSK0lcKk~jF z{Zh?tI+>FOtjg=~Ck)y!Nn66$4WS(;!@oX-;uA({9Hq^ASRKI~p_-4k2HUL)zs&F& z#2sYBDoG(5LTgD^iw{oBAr@GjtZVYkN}$KQjy&SmMryy#V@|2AC>riuUCv{f$jMy# zoigg*NMgrjB<>Qkzh3*I|ER+eQN6u{{L`0SYDrw{(l*BK?4FLOhrK6qKq%IAb0SfA zDJG=L&|giM-h$OZZZ@rV+D{|mc}*_sHtDpXA4N%#zM9o*r6w7H)eYG99O2R-`!nxU z{N6@%-luLR9}C@BeojyDhG)3vam7x1Jy z3#mnZ@K2BrSYA&;o3NLoMOfT3?m`Swo1tqx2J2Nkr9dh52ZW5pnX2TghmwG3`=5KI z-@beO<~Ak)S6*_v_}<~CwT?@UMB)8~h-dm#ixFmL<&?Rmtd!d39x^2kG|BqA@ zzqvlwH_PX0jSXII7{1~bCMCpq-6$D;0)d>GMjA?>A5!+Nyl5xs$M>aj_w@muigf;= zZa-PKKCYoqxU{=>$KBLT*U~$My)EIfB|$ovpTHl)kt>Dsbs*ElBgmYuRvC-|*GIEjNS0Bx-{`xynob)qYOLhp$42h; zD*bupYAi;?$Z)y?NYod%sg}0Nd>^rlIkzX!mD^o3l<22ee|&j_rdUWLguiM4_1U|@ zM0=|=VuCi|e>*h)=QQwJE%MiQ55}M1Z5Xu2uHTI@2Qzi2m1k``%^wngGZ5!#Xzyl@ z0tHMrnL9s+TpmA}*n!lFozVBZl;7i!t|9@QaDgAvr&*eeRiH3o($fRQJu72uyGA!j zsN|T5^JU^2vmh&g~jLfmf8o-Dts|N*%~gV(-JP)-L0pbQ&^oF=-#&VSo$7p ztnDXo=tq{f$nc$>@}wcxEztY?+;tH&9y|$a!JeVR|!Ri5+?=_^p|X5yY?8VQ>wllF1&L z%J^vANn5=Fwz%$)Yz{$X!fa9;e%Rj*WcsjAMgsKEcJWoF+C5TH2{1j&h*hBm^<0t? z4BIa90QJTA$^Rt}|5kGSepy!Y%ibgFp8YA)Tmc>EVfhvv_v-s82a|hduDnhEz7k?t zAm>$oMA^F842#E{W%kC!K@Y6<g;^)F_uDUQNzVKXR)=FYKP? z2tETpi`m$;+v3DrTJtenu-AQM0fN|y&Mkokid9Z#Nq z3mFIu`klmuVOHa4A1>YY4CS(->29=4u2{GL(3Yj&wy`{QX9s z!={dI1s$v=m*|RIp9mFwuHz;2Ig}^ z7ysMn4}7nELv`hrm>{l12jhmn3i2*rnS^L%qBEk+VZ+ZjOX}QxF~nAL`17^#+MW+v zyZ0|XZFbtvr^8^TJC+-ft@hHvtu(dT*mPcTW{LK4yE++!awDbm2q!eo*AB0e+jyr+ zuqi<3Z`@k^bt6vv>t_kHOOUU&M_f{SuZFNv!8ScX=1JQ*e_5>{QM3ZI1em>FQ$^G3 zmEcmViV`R>)9MSr7*wU#uCoRE9$|q46l&yk1eb?2enX52M#tm>Rjanjuf5ry{PZ7; zs{!VBxAQuOuSHmx-1r8SyW*ddt@&!C9AcxB7CLVpQJ5YmjF;|tWz!V8Pnq)*xW0E_ zoX{s+a)mYarI)j_KDuLgE%hjO7NbFlRQ&{OM6-a-O^JlITnQsak|M)(U4bIRucYz` zV$JG~_v?oO(=7KsU8L#0xq=jI8M=D|1YJLb2|Qkq5gd&+TK+J?aRk9bLk zywe*vgC!zv=*KHj>3-brTm%%d4)SMOcr4^|gYEF5Z3Eit(7H0h-TgLEU@lX;to|np z!Eb8ISGh!=`pSy)loBdMi7(lAif&NF6J06bWQ6DXq~_1Q%IT4)T%ONxjwJh*s_@58 zvUh74)qm+NU?)Q;<0S-$^-ODi(d7sxfM(vrxB(#Y4%G*0VYL2+r}#DP5LuQoQU%RE zdi?xC#96J#SvM1aubceCeBF3N4OJ=3bnj|(Z38fiY3rc%qKx(VINs>>P%hPWxWpkY ziIhhL^Wu&Wvk%Mu`3}IgNsJDd16Zep*+?mIWQEvWPtd5CUECdgH?pOj-Ml`SBXr`8 zP%q})e6$(88kqBfrQ95B)7oLT`8w=szoWks@;!fbjx*~|vS=s{JS+|p79BSw3A_E? z@!OcVS>!H8FqO5fWWRdtrB5o3k2moX_%%-NhD$8o9|8R^_O&!gnT+(>u$v03S4_Qg z>l8O0a{}1KXX!FqKz_vtYLCq8_=v$>e8N^!=ojc?cVn(Z=s2*jwR0@jN1Da(!QAcb z^U3%129FK?*Wu8jYVDhf+jql)C>sIQ5MmvB{A8VJPYAn0cJUAMP;~wQT|vdn;GTGJ zgql{!t~1W*U{~4>UIF}eR!^p$DU={b=Do9y6D}Q(c47Cwza(XdD~GbyR+p}uBTS5b zHf>IImovR|EAQjY3dxFHqVO+B`Pc*m{(28p$@oE=yS{c&j8bUhv1}d?-f-YYv7e8x zdf!qOWX3MfH^^kDQBs>s`Z-#$;Un0kMIx zO5Z-oH344h_RB?xLTQHWf;EQkM17C2KFG)2dwM10Cc*JcmCBe)(^vItc=n?QL!}8^ z*Lv-}9~bIe;IR~_(ac039CC_`bRSa;ooCK>_JAvvHWac|ai{0&8YT<{O9zE-4RnmE zj|gpNaG_lq3T|#Os=QNG{~pHry&9;*issb+NW#x9^#VuSrnqdk@}( zvKVf_)bN=&dMv56>0H&J`PolO%xHu3GD;{2-H&{tbEV2Qz1h<51l=j#URXkvJ|5uo zl-&Mkuh`;fzO?hItUrkkgXqt;)Z2=K_!BqE0@IaEy~ZsX&87Jh#IGZa&edL>7x~1= z;Q5>0n2-V=X|G_gx7nZ3JpOV~YL-u2UyBSfW@)b=+wnK7m62Oc4$FRwjt$-8WMx_X zY^?>i_~o|tj8s6LD70AN%C+eTW6r`uJbu%N;?;MPoB zUADcm^I&m#kIH|O?0|w#jva5bR-{ywyfXv-Lx!_Nh7UmHJ{;2E@po1<;GOmgmYzpJ zP;|0t7&^(*@J+^$Nec$k(;__p4A435lUKcSkTUsqvyNv%=UX!nIZ1&TNd5adcI zl=`s<0vO?nCljp)n(8-M?Sv?FPtKoI>#93CP(N|AeY9sQdePTR+bZ?W!|Sn}AXc7M zY$tt0EFs?gI)|I5Hqi0B}aw$Y2ibW-IW6p7+TDMR1*_uOrNrqN zLHB!6J$1Tw3tidbR0>6(TR_rXJXNJyQc}VuravtGCSU&9N5N&_)6VTTS|Nk^^jEOP zzp+If`%i&hVBr6QXi>AyHOAk(0RDF|qkmTrA51*~q)2<4UOS-ZMLlKSd#exy!JLwS zSV(%2W2umpr}H*ll?Jg+dyyk>;`4wcRUjYR0jdUXuoH1pWG{_$=M~IiUu*LUYon!V zscJ5oTCRszyPge@14Ev1{4?qRmlGZden{=snAl>t+S3pxLc|XwVnkZ_V6!|vHv5>V zqpR(}9e^sQNFuxa#2SrS>g|SCskTwViTtn3y3*Lm`p2&(zX0HQV!EOWRVK{yjUXgT zsSPHAf{;HGX^`zSE6QQ;t@=uHw~2q#)BRha=O12t344XQ-`~~MWfib+4a{#HzVD=w z%-oK8GLzv-J-;r86h_XRc6Hy~(i>gsE2aEk$Z4NjBUTn${ea-2jdU&FB7%?CHY{f7 zS&%W8CyptgfbE}k1(d6t8_Jl&EWD}e?mcn1`;I;`L$KPbxlQNT#rY6ftT;hjPfPrA zgBj4&=uB_!jT2X{o6w^?4I;DNrychktE4=3-aS)j-Fy+_=f9JtaXlo`1#ad35KI}r zIh&Ly$0{jv)rmO!N(pEL>F*f0=Lii~m6uYKwHcXCBIQHv+9VWfH7bA1500`!MTHqK+ME&zM@Wh*2! znq%_qHz&WQOtug3jAxTJ9lEkwoZ32dx{h;QQ*J4k^IRF;CP*MEhI#Ge4ARvi#}vBs8T+#u z=yaGUvAb{bl=j_;pP?1=r*qmHe@-t!fD(= z&osDgpa4z9%WQNW91@Iw`2~)r4eVLOL+NSl-w|M|XdhR+!j!pQm5ni8p4;S8! z?lK@|l$XB|xOt~<(`)tNDv|;%u&>-?Bcy!cpty?YOhRaHZ)fMvz{Zi`EOy$h#s9}J z+6{~!A3Vr_-4<3QqHEoWJM__SQ}ax<>AM46b(`wH|FPX1CF_qmpmRz}drZ70S}M$M z{|vdfqCtQuNriTmXja&6O|hS8iuf-e3IMwP!w|(kw>ejjgin9>Aul!z9>cNe?7skG z%dsfcxS_qMsF`5bnB1Hm9N4@g-423W(3^4lXp#P$$C+X=5LLQMyT{FPX&(e`G}VGg zJks5N6oKDiwD?L7i>Qm0^|9hJ^J3IUSBGg?=hF>or`OIr&-ww&n|JE1a_s#dLm2Ws z{tUwK&)NUr3qav7otp9h4vtR@dGVX3^^G`Sf?SJXLa-69mudW3Vd{(&`t`SDH}d}n z;NYKX#9zx_&;GQ47}26lMtJPd9#lN@=|hb7W0EXlZc+zw9!jY{hVHEg zSM0dUKi4qj;S9JDMQ?v3UkZLOeO{&uE`S%r4t%^ry{M?vZ)m z6f2YjCfvK5{Ju}vf-{61S~fh^F5K#dpcTZF3hkv)?wghO?7}4Fu@yj2{YoH??e1XE zW`c8dZtx~%!ZY1$s|CEN;80(t!(2qQ^NZd{y?97Os>HvJ{ueH9gdyDf!y~XrmE;r| zRZm##1N}dOw*2F{xRd>TfrIg&zISiCzPF>Z+ifRfE9AKw>KnUpf)Ag=-h5L6U^s%N zd$JQS8#QfK)8zJkXZb4(;Mx){rFv4uPia?n-zg*8IvNCPLjFB<87Lt#Aibe7 zvBBM#jr4jX<=ZyV9phrD2R;Xu;zYYvIp8Y`a*i|gRX@XIBSyYCsl50CYN-AJ_%HU*bOu51@WMHo_U36i| z*13|$^DWDWO(vw5N|{W2rViP`J2quAAe_l2AVUu4J%x^F$25 zKel=^9`n3sxm`>|fT(}RpKYp-ZxVZR(@i!zQ?F!pB%{uoMiF@f3xnQe$@|Al6(xy`_*P(a21u#v!)WZMK_o6cGygtJ+IwH}@VEwEV-= zg`rp15g%Z&C=+cPhM6kBtA>pk>YP;LKbfq(jd8Wri`xn$0L#?Zrchd2zQ?D}06NOP zEfc~gnUToJ?4qif*PhfArQ`*n%xKW5tABRod(e5kEq$92oq9ASj_Z!Kwc5(79gEB}xwB{lJYawOf{;AIA z>V+=42ghq=!XA|dpvZ>YI&4O9*%sep^ot->lD@zW1Y$W5FUKJKo&JV1RC|79wwzn3 zN6ZmnNp0^A>X37Kmy^e!ze{hm@2b)XBj1%=%mKiM+KDg?GigHguFyI>m0b=sb`!A@T1J`^9&>SL~|=PEth1>njYvw1eH z5WhCl6h49oz5Ath6{;y`tSj`i@i|u^>6#icKN(F&&`z{7@Lq+aOaO%;^(%AcF!Rs& zL87s9_qeeKb&xQ8nc_+fBm1flF>HlAT=TvWwP zHDdG~Klcro2r#|IxFCg!7Frn7xw08KI!$Xo+sD#-pANy&Pz&t|H)M8H$hvd;BQq;v zlDnpPbS?1*_~2gosMf`8_@E-E;q(Zh{tS<@gxAXoxTHM&0)0m-g)i)-69_0`wJ=;PJmKG&m zONleKt;XMMU6xzSur7WU_1MJSt7Yk^(2)+@x4SzwR>(p+e%tuSpSW@mi&p`_$`uOL z{JV62QTHboD<@c`XSI?a=T8YMFHhd@>H2K6*o2<*X?UYN5p3YpNhdBY+aCP7vl-pC z49uAw>;$cdY%?fKPSx1+=*P+({ikv<6;f!aF;9@>sRUeI@5yF3y2YT5t?jQ^KMGFm3fWri+}!9 zWg~Zf+%4vg+?EZ;tDrL-8ZFGE)`mwN%e6gz#hE#BF@1|Hg!ICaUL3ei2rR`H<_soJ z)b_{_>?htrLnZV`qBPqS?D1(|1(p%3Zb)Ui(IxsGpyjN`fSsLVg32>(3m4`y;qS1X z?TVOB`xHtud5LX*x~QmtU!U!|%)^*KtG?$vvDEfT=&>z4`YVL7_A7*OthSfbTO$c1cON=S}`u(pM22gQ)!!XFo z%X!%A^;0goXJmB{87=CP{`w z--D~2f;!4ITV4HfGp8p*&4v@Txi4r6VmG*~8p-Vl3TP}ODD>sGGK!!;zhU{ZuX zftRKchuvDDOnC-9?|n-R#xS0fo4nU+&1b1dBCz6;Enf3!-=D5bW946kPcUcBRib+$ zycelbvwc0+0%FsbT2zUDk?)ZCAIabLy9ABY;}<$~#?P5Pd+ij4j_!4Hqj||}Lki<= z<(gwvhesKS>2?AReb)bFGt*?ESWVwA&OC)z*feN6aPTH(wa}-^uq&Z?H*@cMV3b;DjMh4z0aMGkyG?O+N^ zJL{sgw{4^y`z{o+%7U{!J9#|8$4N)QxdhXk>F#_FpTbRp-!KW(L#FRrMLgJOC8oE; zolCwz&B$ao2Cd45c7U8yu+Cy!Eg1^^TCPPB)^TZhD~{LE0Y44(q8EI9+Os+%H?w3X zV{F8FE~EN+CBtB6WpJSnbZq-->oCg^ehmFS^1)<8)dmOc`$6q$#Yd`+C%kJqcWXv& z3|JrkAb!FLy5C5z^I$!9wKBF}sil@%>RfgTt#%NAwQGeN6 zoJTlA?a`FF_)In^TjCtN&?5{ZAe&dv07RX3xzE3-?NA>WaFry-t}t-yoc=!TkLgsl+rqU3 zGf4Pc-+*+Fd|fuZK#^c?Vg5_MJwOyrD`S?kyH4I0s2o3*3*;*B)+8J99J8h6OWY0_ z&fQOS-eF+0w3GreyZ>f_V{e)F=%ZVR^S89WB2$ui@3P7$gkKus+84IJ(`yLXcS9}A zXlzsiX5p-%;5G31)-O>HYxK!w)Ld4KI064;ovSxGF=la#LcJ!!vOAXUaQBd zMOL{YUdHt=u3$-Pdsh>iqGZshqynF?I1VPd`mBAUg^6qWPP8X?6086&z^8*D8YQL0 zzA*Q@R9(R`mE~^{@^r20wY|50JjM=M$Y8B(4Jb|&~M5pPmfFrmm#0VFdV(bA!Li*R;)~Q zt&5N2VJxJg-MBGQTGv4T?!@)hnuHK~T`U2(pUkwUA#M$$ElD@nxw2%}q0Zz83NVrZ zQ|ylbcS@p?5HaiZuAd|2Tf|X7GhF{&haDF3ab{n5`%1-5!qe2I%|}+}U4|!fXLGYF z-np5#ciwW3!Ox;+sy}cTAY{YVhvKxkW+sb{*dU<7b z=r&-3XY-!*x7oY@5OJZYS=0GZEqJx5%tIv9H#WA0Z)G_6@uX@{KM*3cB6at`_s#dY zV#ikk;Wzz%Y@H9VkqT~nnc(~xsBnT0HESKa3|Si|sH?+|4^*`*C$N8Rx~nbM>n!y; z#Cwl|b8(?}?iQdRN%h#6UWLWhl$Ir@;~GRPfuce8yL{>w_{WO1EQ(?DUmd9QlkyIB z=Vr8I8{g%-<}nPwuslvVK!?nf zcfbGDhAO!G3B119hiNmLaN>^yZ%fS@q_L?(>xHV=K*onsb9uGadn|gPC1cRzvz5k> z#{>JC*~mdOR`Y^Wc*tP4&7pzL>7ZFA0)&36WQoA$jCl7|Rau2@b=>!65m!S&Js+Dx zJ>OHk(APp0 zT7b_}C!+M}btCmhu$No6fm6fMw&9?#WcZZ3W)6rs*XqeChQi|7$Tl zeYkhTjV(vQsBvd@ti&bGCVbXcgE@(Q;}z9a5_%Xb{Hs^gS?NVN205uTkG=RZ*zbSZ zD{9sM(O>u^r_$#ZRaaIzCdYnXAu2v378Iamb%BQ|FY^_B@U*w@p%=|olgkg?Y+Kpu zQSZO?JQ09EEbw{R+20S^y-MtLZIvKo}3GnP&OKr!poEa+=p}z3k#t>CZ znbJ#qci1u9dAML!`rzVuLtcd?VEMzVzAq%7fka1HRHcD~h{ylRK#gf-{C~_L3OHlG z=Mwc71Ryc7h5?`Rz(YysTOs{bE*J-AxJ=X`!Z(*XnwQB~229Nd&7buFf+?m6Ui@pt z=TNb*x5W3CKArgc@T*@w-1HwPyV>bl#{g~2vHE5&mphRTY!LuR{LvHG(v^Oz!Q>>DSxvmTnTzVBWC!Bsv zCIeakaI#84m_HIvn@^6^(tw4aInyI1Qa-E+t3t|mltaNb4$qH`9Tv$ChmBmXtR}R* zCn=r0=NR1gd>eFODQ>p$S!Q>8IVR{A#`EX9qs-VDW1TVCD>3FYpoXh?7bJiq5=mju<{zkQ4XHje6mt>4V}I>Xr% zS0Agfsmj;B?S%bo7ZFrvZ7#`B=3{a=7m?W6GT12;ZUa2>=&6wqKIOc(mb}a{JFes9 z^t!0v3o^}K@+k>sSZAG?)`ra$$9xN7>T;ZW0{7DObbJd6hbPr@iLh&rN%c%0lgW%S zUeXR)Ycye3y$~a>8Y~9@T>3jxc;3ReO?t})UGLRng3=F27D6V4$j63%OnL$gIllN0 zo5%D#xJ}folIq^DBPklVBAN_3thJ@BtnwbDJ)3^66mjj|6(4(U@)m0+-=I%f3Y_G+ z(+yg?#r7UCMi)T1jc(>~3ojF{6&U$T95Vh^Y^kS(?HPiUG9rVxavk~gcdTgb!2Jh; zYtRr;*s8as{^=KQZLTT>D!$yd#?QX-s4;hMmRaR7*-Pr^%gJTJ)7yWLD#=h+uZ(V7 zH=)h)X8o%LXtt=x*pD{A=rjb}=@_X!lZ&FIA=)Gl0^4iE^UYLHh}`BNHYcZl5xuHj z8<}$o#9vTwZpw2-ecHRTD(jYs5Vw!8J!_%z4L%AI%(01-3VpJJXQQe-{fpUwu$P?W z)JPgpccd=E_Tx{>iq@-3X+J_Pe&$yBR~_4B6@4ipyX(}?Inl&s&1o&=m}h0D_#3ij zo%4`~?pvi?TJt<;ig|KC`O`k>2U4#?yKiEv7p!g0X&as2j#;=;Z5{mVu&5)V?N%r+ zBj-G5-@&mfP9^TGdN-GC3|&r}+}k1cy@Z(9#*N>F-#>9;_ikBPiU0WYjB@yLRD54@ zSWj=DgU?N6pPzf~dSDNh#D?P%(yVp%{FJ@**&+XfEcKT^&OJ>Ff3*LmQurOn%c)Lh zuecr&`xWNR4u`hSiH*MZ+wL*!$6|-S)GEk7n{e#*&lu6DRem78Z%96i%h?y$>z27m z^<;_>bWFDi1X(`)+W(4Ae$b1hgMpXvvB#I1saM>VujJI@Hx=zDTQJ8~Q?pH`8{#)9 zd%c8Zt==?`1YCp)k;np$=&j|O8&8v-X#V(FN&eZ9<6keNgY7;Cn)=(ZMdcjqH zq0)ORy2J4HEceRCCqY|PC4nm`b8<=RcQ4;RUfi2v+_5lN`6Gm#(*}*3BV#H*J;w<+ zGZp%Qs|U+&OdVZW0XeZXb(B98;_mh5y-u@b+ZxX$Y7By(R{31CokmHXs(O9Gp#Gdf z_=$Q;g^H1cA2xni-@IpNi-Pf&ofVt*sHyB-IzQ&x@fh}SKJ1XR@U;;R%_Mz&dWKlG zI{=e((|+}Dri zja>5!L%p6Y`DWBz1;G_tLmyU%c+NO}H&HWBn$m{jW6B zAIub<>M!Yks575PfaT^COuR;pki@pYjr7gl%L-5rL$RpD(JxAKv_D7jigED~6fW>U zH6znxa71F&PWYuHO^?UCsw>z&i9U|`AsIr*;>d9MGR+AA_nSrc{CFwRaw4Etw=

      cH5HOC{&~_Iy)Ha6dzY++k#tC5&kPnblkld zLsT#}K-BcL=y{B&x~}rySf5!X2kz(l_gtb(f1&n>8eH@Eg5jE;Hn^tR>!AEo@GVR6 zBb1v;IKlbPam=TFv%ajWxblc0~K4_?szNM6k5ox%!} zp&8istaNw-F!9Lva3|LewS2OQ>0Ys=(;UWZg2zAA^nbY1|LwbJS6`=(spX- zQ*qyGydbl2V|3^i?sIs!4oU6^-$vxjO&rY zyVzuMBFEKxkI1Bto{fLdtGP!kM4#kP*Sf=wElpD>R2KW9Lw4MYe;Y6rnJ=AjJ}6SC#1N>^gnz+F9RYDF|Z9 zsw*zZLjj2zFP(S3cK-!b-IKx)*1fg)7o4MbE-hA7IA0_+(`t|kRp8T+4(FqG4Y|8) z$k74KgrOa}z(r19_wuat7F)I&D`ty%2RG0cilalhr>)hX?~sB*61I!j z2D3t##;xsusg!&5r1Jp64*kyLdS&9cv9ElU226a?Stkei6N!mv?ciGIXb8AL_uqw6 znaU4NQb^1la?LT>z?G@m{na4w@AZL>^9LgdsGl^L)JSfnreM0&&l4k0RtV3|SgXp> zvIp}{X&=61tclVPzR5*46yBzx0N0rOC7Jr*&oT7S6K++g;i=tzYJC{x!O#@jumVvn!Dy6bP?~n# z5xb3!BTaZs$5M7(zWZH~vb$VzLE&wzM&rp%*5vO(F9P6iuJ_*Mhf?eJijr9J1aC=w z{HFL9Wke>7SNWhwi+^T;OL`Brjz6^?2zWrPL53ij1;dWb*-9NIvGiydvM9-zQKhr36 zW>eO9fRp}U`)MCV0kkOv0j!lX+K@Nff^5hCcGBoluf$( zf1Jpdr&aa6Xmpw5f`IK%y1#z0`o@f(?3}uS^uHgB_S2^#=OYl#saP@6_-Ce_)xvpm zA0E8?jFWU&aWcd!i&$yn{-E?&*mFz?5ifO%zP7~=mMrrw z^=6#h>bvA*2L>p1xlu%*Pi|->BUF|uRdO>=D*Up>SIXBC&*@we>Jknebz&L4hgS?!x)@Ix)EpwL_ zwrMqSkm5xviOLRD>8*MFa_Qd)X=thHf}xMi{ns^vc|Q)Z#!B{MPdd}Oby*#I{f5`S z?S{ivWul#|{tIkI+#yS@FVS3JJPG`(!y*?<@E88K!-(Jp&{BPBpgT=NOQ`QyeRQU; ziIMb4o782@XU0}_;D)FeI|z$br-prhTi&A|BaxS@7+x)%Xf$2=PHcByDhgG^qVijT zoO`Q6@!LIGzN?(9(g`6h(nUhAs_vJaIe%*u8vMdmt~XWsEn(Hw-ITY4J?+wk{|T@< zN6SwPgc&La_IK#yd9gjbp3+8Ua0dA5aR@0`OFs};!{vuQ*US)?;c5QHc5DV=LrAC> zISm;+CjgW3K{{V+TT+QlUlw07Nt-n8CV#o+gMZz}s}ZHT(;DnJ6IaHkJbocQ;9qEFre)2FP@IQd4rS-2FeUXt^))FKq zrLhn#n?}ag<(FsO?nlKT43=I`G3ClwOp5P73k8fv94R#Atm`#-6{Xg{taga_4ix=B zc{VjenyZ@6xRqL%#4J9jyC1vUXpGi%%UN%8BZuB7-wdz5jnK`}dK7Y1?=_gyXQurq}oX4FJ5jMcW%p`gRX5|Cg8D z{O!2&^XtCXM%y!t)|e<|SP)ywCZycStC_A{cU`+0(Ppb1s1muN+xsLv8(Pk&Sdx_{lia)UKCB#H5Eih1y&-xqy8)n-!w#IfTM@B9>r zf^JRr>VgU^6I`oWNZN^e6-sy+El6sBEjU4u(@S+Fi#}0NhUa94pC2UNM;vW8mK$Yn zl5f+LwSmM*^6`pi>j>O(#Tz8)Fgph&Vf)ZC1@R?);Y_m0hVu{!zbzHrS*s86{BHEW|L~tCkdGNaY9jocFqx}p+C-r9upQh^y+}^NS46`* za9d4q)z~lPb+m-n6TRYP9eN~~k<*6vP0be5=rm!L@uouIj-dS3{%1{4!r5V&8G-Y3 zquf~bmFSS$;G3YHD5#xzWX`&U^m>J<*00+pmUsN{Jow4UVqeTBtsOTB|v~Te;HrF&X<<`TfnG+2KIr$9(aNfpSTrIDJbZ zT>}-H^WcSGspRh$zY&>(gqRYTk1thu^Dl7uo&>5S?xd*A7a;YT!hM~+0d(ovLcOAa zO*u{&$9+>X{pI_}ZJkxG3A+4-0t_^cqNHN8m672zFAzydI%d!tyE(dPQQovA-2UCN zIb8y#aSIZf`=0j0pVawE{)f&|zPMXAvvgWJKX8p&v>CUB)|D9PL;AJBtm4zpSU=f^ z-kAvOWy;kn{A(1s_9G6jK*n#+NkU{r$CILQ*mEdfz}SCf;eXx^{vDs}cy7*FZnezL zrY9~D*A5M)QSMnZKH|bw4k zjOSvh>+G-6AmZ8KG*D<&Pl0X&amwOaVpF}PRpAtMA9=E3iF3svif-nuf8w{}gvo=) z;6LjBrzTT3iUulM%>?YQn@z2B9a8}5WtG362^)0GwqSztBsE}zT^^^Ip*L|ACxu>9%`C$5J!#$N1>c)~u*yali!KkWdQ?f6ZB-E^ zoVEJViQd*uR=I>Wfe$Ai_v#WtC{Z082X({KDFfIr#48rypMUOb}+%B-M%hAg#l7cWN6rZ)HH0C}Fxx0qDseRX8 z#rul(-8ZziEqAL;#Z4I+UMjZzTcR(7aR7+6S-q+AN|-Q{Xpu|N@Dom0Hq@A^vcSIV zhrokSAUP;BoxW|pc4{;0jWdrnfJ9P8v|{T zZeCdc*Zjr{cGhX1@?YmiyVQdE`SBYSjR%*<`;T{f>PJQD&sSS3)zT7bf%U)Fi_sQc z*w+DU7Wzg=ha}NqH~)5>^zlql`aFeCEV({$>$!V+6W|)W`++XAAR$_MJB)>!{9q5V zTb(`vJS9>eWRneoG8}>pAW%^;^5eEB3A_(&H1Y)R6G>mY+SH`4z?ST;g^R~LCh5*R zo~&gOmG~?8;WcgNpQ~;>$mEV250qt;wY=a%BBxfEBjV`0nM>aX#ct{E^HR$uYZD4X zLPH$DXDJ6oA>;JqOd)|%u0j5=IY(Vh_S8Y|g)WS(W0Cjlpin%V(vN
        G+l#GO8p`(3=s?mH9ja>B1iYN|?GyGW73??}e3TTAT7!OHknf?nzu zoa4%-kzQW59jV{zG6g6Zk>&&Gn&pVHsc{Xt%C}l+?KTqxdY&rt9pB;kqnb0lp=^Ppa|M?!NM@kJ3;zFoO7I`4GRSi|Y zcpa=G&~oCx5DBmW+MUk~otdhqE;VvfmPHt)gh#hxL9-?}q%!yJ7j@NJWNAW&{A>EtTIA$HTso?voLkGaW?%8j+?@t~0q-%&( zW}Y^VFnb?29FjCL$wJ9Z+GjfY;j=TgRHoB>&2=Q9{P>Vh$i8xt{;wxEXC0=&g6iNf z!DiolLdRP8dS#et-mg$;gYxcjOLHX9_A%U6{Hj3HOG0-(q(zf5s!!KGQDrx89u2YJ zS>?6q11P#_FZNLQ)SzDQ%F6J7(}>MV+R&P`%!JMFqkQ!zk;dWzN|{_4Et)J|VC*0S zS{Koj5dm`{WTgU6)cKd-(YuK!ggI1qa2dW+6EU)|AqE=fr@UIk(I*j0cFDq#qAHU$ zf#Ix5_9woAFZd$(IUK08JS(Kp3yajMm0sNzbufd8^q4OKsxtV+vK9F zgg+luc_(uNsHv~cN;Vg@^!^%HMmV~ktDsJ948tPXLcKikNK?=u*&thlw^iMH=ucON zB%M*8*6V1NrJ!?-mZOhfI^A2+hhu7TW|5kbJ!~AG`Y_-Zyfq~84PrvTqgkoRYxYyvaFQu64pA;} z(BDM(bfe(q9-FU%546s^a({JfGPYvFY=D9F8qHb&8?rEzWgG`or)axOlU*iJyu;d5 zO0=#sH51HtgMqYGZ=!}VONJ*T-W!OND#r70ybI2@uTBt9mGuMuGNze;6QopVE{^Viq6c!SBblSP> z9-PgJa&PB=(j{)qKhtx~`=`iuBh75br;T({AGEpP)wF_g=CehA#Zp)ixXX@~fAVJg z2Y*C8<(1y+P-OEQQ{8$g%Cz$GA;5D61qiuZbwyRYxLXd7NW6{rRhkQga(k(Izoat; zwv-9Fm4w_t5{|JduP7pJwA;_n^nU-r6O!;3qgJS#o<}GN^cjMn?6vG}M{*xP6d ziN)q5V*cvffF9Ch8LS0a<_f?+o9oqNOD4uuRqdp-vNE*<(?H}(#8^)v+1OSiniP_c zvCW#CUho5F<7_s4$gBI8{v^Hq#0l*lnzpZN1$7f7sq}l0?;X*+J{%#Ths+Qj_=~n| zr>uEYi*RN)+ohD&ML4Jm3q8wkP}!eglkhs-u$~6!2cc67kKYN#*lpV=xN;eV^H`A1 zIPiK`Q@lIUgp3pOwXOd5tv*|PQ}lWi6gPSc8d2OHK2^B0(7BXY60!GKa^E=)?0@Y`KR*DK-Q^+}WvU{~#w*Ny}(U@x-BG;`vbc!Qx znx*)T;2~T=@L$uL?4Nd60_Cox@?EfFwB3*aNF>))KjD^v2MJt*wm`la%F!=ZpR{oV zuv|4af(WmCrqpt}R!|Q=SRZq3dmGRiw_sBoxskUag|ipbAIC!2-u|J*^Utm3_EmJ& zSC*btGj1^%pz}8-6|Ufvsym+>ZOH;m{N==*ZSTA{-m1y^hxJ9zo95&yU6pE-HkpZK zCbbkf|Jem_AcKkqXI1*zznxxH6Xz?s4J zX?0de?>2ch2R_NR3*{=6+q3K#Jbg5=NC%k_w2&cO7fCdO$ee&*-m8c6eG16&Y@n{C z^1hR(+U%0O_wjex1F$WJf&t2&3-Mi>n~Fyt1v_(r zb~#3NUqxLeQbaSMdY{l43b~{|<-%CKdjL(&mf3&lIPcI6>B}GiR5|0W_tvK+jCJdX ztdvE&s$?F{jnL_uQqv1aI5p5aB23?eE*h2LQAcH6deGFzwTZq)3mbF#O@cxW+Of|$ zT4HDjb)<8zdT(MG&JL;^lttNQtA@F>N5tjPY0sD5T)%0|s@ zw~B~IqEPaPxw=UC;gr{Ox9lPFnzLnq!n62Shvn1AwdjuNp-KOKK!ckuPVb8KiZ{4n zpON6Ghq}+lN-g`d!lXIqe4MXM9O@H;Ni3*)Z5C%=7ZW$Fp+dc)U#?3C+R`^Dwb3<| z^Q}T)mZbafo7MVG1ab7rZcb`=^qPCahs$N1!qrE{p>)y=oUBWhQ#Hru#l_9HvL+eD z(9ZdD&YKJ!(Hb!;J{CjSx@A@b6Py!TmMDIwJ@oBVjYrv9e)XahDfpI0c{-T?s?p#!yOD{` z{oZj^hj~;_mMc5{YT$2GBXrs))Dz2Li0h0W`N>iX4WUABpcYmsC+Tj{c&pTD@i+Do zwSc?r>t65GF|C7^`Enw9;q+h`e%~xixoV$vhOumPBrn!22P!L~`!=mEG6#8xn@L}d zyK(Bgl<781F8_F+7{}}k5A{v<} z*Zj2A;IYV9(H^7(l z4b|D}gdX&*HFbQJ`$wgU5dVe|`q zOeRd!EZ|1K$12Aea%?DZd7Gh9^BAjzTyPRF<;P@iej274AwmEe8C-XeVS)DTQDB8IK(W(~T?vTEqvF8vUfc zU+!etv>?E{fz4UD(s8?Cq#d|y_07OkLhM)e@?VIh@p4U2-1(H(!Tv~R%|NIfckAm? zoAHn*CC<>v%`)K^saGUd8v;JxhUVrQ#wZr1dI4Cm6nN$b0jbghna_Z96(*1QpJl@S~&mt|IJ`45k7HMF!KiV7UF&L@dER#K)7-*@H z5U9hEer?St+EkEVw_OjLZ6r>lJewIWpOzK3?kB-#e|@T>bbRH1g?DU7-^jdmIB%(r zn`mp=T4&|8UgtF^_V#QM`WmMuQVZwBxPQ2DcNCO#LzUHChR_s#K-}d*VB&b^-qjaj zYY)Z;URT*(B!L~*9a^gqp85v$bw0Uo8?Sgg->mj6oZJcpK6m9YRmi^O9PxLoSSKse z{kzWt)AVV9?=#iw+U-=Jn$PtZ_9~@?g=k}JoPFic>X4~RpATZW@Ga(g73utR4Asht zecL!8N~HaR_lYi(But&_I<^(8c;uPw!7x+Y11k5sw6zcJo@T!K)t2!7(m^@YuC9H` z+v%I^$tXq6h8!hY=HYYU$__?jW>YRm$U&l_oc|G<`^<&m3N5bcz5ZaQv0H=6i&9a( zQinm$+& zJWgzSb%?rTxP0mx4RkD3r>r6=@9d1)cQ|H$YiKAhKKA>AxW5r&WOuy3=D($@BauId zQAxe&bbg=*v7E9tJlZCHRdeZM{leT;-!75rwu5PVwwRkLcK|@@rwgz$9C#low=%DE zkN3Xf?Ynbu8iM;~BA84jhU`^L*A949v=WtP@P(*p9Gx41QOy}l&$XVy)4AFr;3Bk(!) z21?~KKN01*UTAsCqT`ecj6yJz9`xNUOuf%aIeuY`0Q1_kvrO!3l5?X($~btTUQze3=d0<5qQzNykCvR3Mc3Q`e)trDy+S%(?SrxgJJIvpPp|L44q&CbieA zZLy`~F7Du*NqIJM>g-uohu$bQx#eX>P@uSHp!dzhZ?}t5LNnD9h)t=QF8U!0yjMII zw21m#HXJzL07sz-oB0i zzwdn}ViL3WoFXidCrINj?N;Nzz;k>B_}~|iK)%l>?TX9`tydc4r0mApFyf*#>o?h0 zoL+cSxU9B9T=wSzU~)k6M*brAYRM#)NYd<$a@}8eG3G;&c>N!7%o7|u%T~s`pvFAU zUpJrTxp~yM60>Cdx9Y(=C_UUQk*5_FdSY2Vw7z#}dBW`7H(?Q%=Tn=xKNkBkm}!zy z>(KVD+4g(P<^1iY0;?l2^_Q^~B5fH@Bqg&uba}-kzlJ=S8eM8L|N6{dWMvw8Si8HY z*3C2FT2>AfMT_*d#bhL!gxrmvS&KOj{~N*psA$&mF$3omIot2;COX=2_N-jkSv2qa zuhu=XhlNXtUM=D{c(GxiNX;_c>2@R9afME7f_er%+{(7d(Q>vopgCM(?c~;loShWV z%bn@C@kMv~tAMTmE?iR%^OelKGcOMT0P9*7vKZNe(aE|ayc#6=q;pNUYWbqAua~s( z2uLTR&Q#yfqcrw%lu&-<`0KKo{HIJ()h=6a(V+8G7SCmlgL!%`x^WO;UdQ!ta&i(- z{oucjL_Od~{f1{h6l;OYodfbT62?WDHa9lx?Cnikz67syRD-7Us~8@H@u+KH9p+k2 zPew&kWX5`)>>OJ*2Qjp$I!&Z}zV7ieJZML>H0nu7(TK4x*KpTyz+e0;eP?#k8znkJ zUm_taKDoe$>>18*)3lwC*dhgAxlz@_epf!!f1Rg&kN6uS+sclRw^AGx_pa-hrkQ*58ftEj#uT42$6rxfdVpb1;URV`nixv~wF<$w<7VlNJ~K*Wn)9j9i?eDYhcC zlBXhygG%Ea^etB)$~|U6$MotzW~x`gKdI6fDcK`jv7LN75GrW2THNUJa6XBAy^Ra4 zd?}Er;yK zG=!h&rX#Sj^|%GSwe80B>`swehFC{plRjdvB6^~DP(3#hDkgGLH#bH8c?=LU-5pu) z)n?X+xx~tzG!<*<=2BJW4Y}x7vUzMRxX6I)hpPNfOeFxn6&hGGn3FCT{yR zt>rnJdSjbbUOKtx4%tJwd89HihQ;Y6OZ9rPlc`VEeDuJz@_`m3*-Zj&Up2##{;+$e zS1}vs#pZn*<$jSnvFNd!vHy>2qE7u0S;)ctP}z>qOrHwgUyF}!Xxa!-B@%ZmbpUP> zFeUkA%!R!RkK3YxjT1}+RZCK+0w`pGq1kXlF})1xz;R_>S%(?!2F0Kjb{^0DIr5bc z@uN!n9h%q4n4IanR|eb(kjMGJ{f1OK;o%Q$f@@pw*;uS;qhD>yd^Rk?7}4@RZ*MR# zhZu1ukS9j#E6VBSy}|3Z`##=zKtJ+xNCdR6#2W-UqnNw=xXtQ)aHh!XR*jh?2;M0( zQCrk3g`l0C|NV>6aZ26b9Z<6S^1VG;N(EMKpNLUMuqi(;_lJU$zA#@MxAjHX6lkO4 zq2L-W$UV<~%LG)(*w`i-`o%5l^jqZpJJiW7rkZk=-ggv77j0hD+ttBdk|riQ5!n49 z6Slh7LjuEf>Vn21Ha=yGPEI)K5Fv^%q^vY!6~oxqS#&EZK#WRuG`|wxf3b%e+wND` zbw@Jj^-*c}&r`Mo>!Z@H4TL?QMd-Gxj>Bn}ix_xm2-iS)Su_N8k=oPE$MvOxf={v9 zgNJrr-C-%u?xgak`kcDD_I+ZUSG`XA;gZMOc|Of+*)OdvAunUUc7|U0IOwhgqi{bv zIVig;X5$_%>9jZ=l4rLgI6su@Q6YPsG+?18|a0D1LY?i&I)`>xkFfID86%5<9 zRc|3yt0)iNgPGj;u{y-!v0|*5ZaZCmAt7Phj;{guKZ4qk+v^z7_H+L|gC7EiiT0=+2&-dqY6 z#5=GG+m8PZFCL|(gaNz~L>uF%Z6)`V$LJFN9+?NO(AZ`Oq1 z!{h5_j)|3rb*Gc7!PFIN6B7b4U6VoIN8IDtbLB%>wou{#IZS&{SG3y$8j*6X;95+ygXvjT?{wID$174v zj&9cF1asZlnk`pnk#er!Efi4UQtsEu!A|R;tG1D{jgiE;9PBS{&)& z9|C(2EQ2v`E_fNe0W{)V5afsgJANVHxsB)Ft?A(yuM?bfb|~_VfgpE0PmgmW)#Tu~ z6}~iUz}y|Y6_QyFI9KIg+aSk2RVvIw02o;;0{`iwC=-@-a^dv2Swvu~D!9w7hs^l4 zYe{9|GB++#5do)lK5x!faDi)HbA=Yngi-8!;5Ff3P{ zk|5pxLe{>1&Jg#MBN9$4O{qe^CLC&M+#JRwo^(&}e%o%_T+e)wohRYgE-CSKrE^~k zZmVX=+i~F8s8&d`-%faw$F+lY5k2w!KXzBlbgXM&qwB(JZ;w}<7mQK;wG4y_ewcI1 zVUoXo+C!UysRi0wM}hUZ8yaG!WY zX8!Fj{#YGOfp$S(XM)SZkC)e5qQta5Jikb%_}8@;crD2Ho8*5jo7p~Grd5vz^cXEe zZ`zYSMR3aCkvSyrM!@J_HiGpUWM_M{{@R`bKH3)4t@*-1v*Fv?fj(&zfpG4pM={Dh$Z@ldc`9CM!*4chiR++2(10i`*Z z)?bTGcJlR`C~;oVmY(}U+D)a|Z;lqJdC)KAygpxk!DnMAzDKo2y`<}!X6YL90_nZE z*WeLCBjdS8XSkvGJKT8PlMNOK@>O}rbX+(O&Sj)@ZrHmq+g7*pcy}4_j+EE*O}Wph7w~;SwN~2o7KZUkl-2E9*aFa|>ZwC%`IILvy=FfO z5Oe1AD1+%5A=Mi%ID$9|>JN%^vtRN@yYYZ)tbV-g?wM~V72g_xZL!_2kvO@m2@7hu z$W^ES^YBRK)zV_5MeAOfPB@7=v<#lG=*s_r!+0#JXfFH1J({#yj~I5Jp*GSg)Tg(yUkP=Em?Qv${=S4}Q)te{d{-`K*UQ*osd= z+r-{H?JjsFs_~?tTQKLkqSch=TKv#wF=6G(uTEj^oG>0BrDpwP-97$vI&U`55d{{x}*PO`C;<5Sz=ZAVvMhwQZ||9mlgEz2InXgi+Pu zKGl=bnsF)=4wxw6grVj9;Zq+zA^U=dpBOEvAUjUDKnE_k+4FT|6K*Ee)3y6f#z}rO z%x55cFI(altQBV;2Bajd8>hfn)yaHDAfXER!>$<-g<lXJ!$@YlHJJQ5}7Sk-PBd(KLFz&b2X75G+#tagDs{QP`v%ObMocid@&Y!aJT%2R8Am^%bvs3JkaI76Xau! z=&ZSiaz7)#UJ}6SIf^LtO2rNDHWnKD4w1n~{8T^mVpX7x=Unz@~X= zPeIs_G|)R*=PA!*?N2w0(dFt-w!X9l`P-|w42KKFl*aDNnesFM75!JzM1m|b8Tg#p`i@V8G-MDFmqXYV5Nq>{yX=G?WhRKMxE zK`qsXi837Aw03jz>yi(clatjfdd{$}}PDvxpRtbes=YO?ze3C}I3sfCaN*W7tzSvB+v=7Q@-0#agrNu-@i z<>k#080LF~Ip-8W1HYY|xRn9t?>tBhG{dWj95XcF%bORdd)0&yHjgY9zgh=swbEu$ z$*#YUKKO1*9IonPn4oKZ#%rQ0C5Z0=sFH5kt&4}`)gBi$BL#GK)WQ#jOMVxh$OoKM z1nS*LHC^d1$V2*v*Q&n-*W41ycfyruUSESJnnmV z7KeFJB-7L%9$0pAIF0b@7#KJxQ3E(Sd7T6p z?t2(VA14uccCu(EoH9EnUUq+euH_b1IXd5MY(Nua`()BN#mGa+seoyvY`!j~5x6IQ zzy)0Me5c6hV8mFY7&l&q1@wT?CDeIiP-1Q>s)?TPurlMBQz}$*|L>NC{)>{fdemc# zFe?EGP%X9&icnzQ3?um6_XV_$ST*!!&h*wGtkN;E)MlU|4h~HCh`Yb(`S4rO_}_?X z3W}Q_-ouED09Kmars9JN&Y3^b<9NX^%7Svg{43l!alQKrn%T#SxZgQ(cs59Cv zk-HctHDL}S9;GB0lE|djNRG%siNoT*mtjIq!l>Ui`1$#49&Axs zO^@dnL;1HDtIt`oNWi{auB6MQN!h4mRpau&jS#{ z%;ipy@bEm9l#`F|a8v2gz{D=2?E$ZAn>_jW{)pkGX)|e;Z!0=OgA!ch{suqZE;kVD zB-n4^%yFCh8g$@VV3AIh+mD*31~XJB_je!99muJpbTgdY>J8$g$X&P5$v(?7EbWPM zWH4>-1aWdvGfiQ5U<#2SX&8M-&lpq&?`z25#1IXKD1CzJ^%yz}y!RgQbg9dY(rdad zi@AE=)IT;~sxtXdi&qO2=Hhsho_v)i;41rFzVK&Ol-JecRf5buYasMP#s<(7g;s_d zH-A5G{uz3EJ|cm5SuSmdJ{-AX)v13z{}Xdb9{nbRQt5a_=lV&O;-cbUI(S?6X%fC8{V}x2YlA zsa@Ha#c%;6<6}-TpSu9KrvCh-)2=Qr{0y+oOx5nPqCzCZeQ2S4To=Z{;fC8NSZJZR^d$#grdTba1AQ1L!=f8Ywmeh9= zlq<8x31~3I{+sEDo&D>zi=1){ytHV7x&PDXklR^rbiX110rjKCj?X_O+Tu^oUYl4w zP@h#-BRX7J$u6*H+?n$9$J** zM|k=?@n=1zx&;mJqtmmz_3O#07m7Z*IpIkZsy>6@=O( z2up)8q0bsVDyrEfvKq`P&+Dri>P}0dgpRf1?oIMM75{kkfq|;Y!&jwZR}*fY(2Psn zS)PZeFz?TzLjxgmRp~t(UJ35r=8#ap))Ha-RKU)eYA_IzsBt@0%3E?7k|_xCDAZ>| z9`S*E=(++V1@c=|?{uL-i1m9VucVTSP94u8BFwRd#)0nfz@TDhz!wO~bdBTc7H_%F zst+}l>CrhOI}U!yxWp_ioC_~xRQ+vY%rf5QhGus3)_a(bPm!#&=fXw$4`{@^ft-Pz$4`eMyZcH@ts}u&A$hv5Y0_cIF^@CUY#LBhk_SOX10o ze8o8h=+_&2B%@F-q#}`~$b?y&hPJ?M3v*RpdVQpzURK8WI}6hN1`}bFOHL!%S6dRalK(vV@2sGb zcV)OU4|QmTXCRcE*{?zE%c@+^YGjEchz`_Ha7QOhs@cITXQ zz|U8`dD8vL=RQ5qUVD^s!f<7Iz_t>Rz{EP^tcVR)pzX#y=-$J`@>+8Q0U|Qc^*?Ml z!nU%Ov&wqCdT7?IkdD!I1A<)+BRleE%td?s*B5A+l^wZ0=*NTNUbg=par2Mk_P0W;MxZspdgu|Az{}DaHjl=8#Z1g(O z&h73NWDFaePz{KYSe6P>ovVJ27jf0+%(F;=_2q@uLX}6pBrmoi$wco(y=m#T*M?(* ztwE$ELI$S1-M*F{fKbiC_Aw?V#*ec15wn-}QjZEQrY}cz8q)WX=_Zf-;J4M8PX!Rn@mR>Vn4Pqfa>0zcMQZpdsc4>sDbsKl!Y zOSFbc^H?%ff*l6>gCI|gd?Rs~!q-x>-*(#n7u7cqb)VM0tx<6U z<8|f8xU=S@0}O!9iJT{8*0}DLO5LTRTF$BekYRzaM{?gc&tD9YHm@Z@k+&wE+_A;s z><)R3!(PoNUh7knix|J?n33QL2%uh-y;#uh@8V%V*T6h)%Z3tmni-9y9?r+WSh(>? zG#tyHqegIIBZdrHHsL&)Wq?~|W&fC#aDIMjUw=acdVSi%l3aRg!fB@|P@majQ1qaf z>qX+6-oom--cnFUvQqH+{4@0$0b1Iv(Yeq=+@133ybvSD_GT@8WBZ|13rMWDP!4d} z(?9O>*UrIXM@@hpY>BpWUCol5>xn=`+fChhWHH(t{diw7{-OCdFI2G)@!iJw+UxOD zm2moel-p+I5^i16DNi?tX+2x8plvSh3+K?9M7Wm{572@eYIEQTl-kO+#Bq_TX82=F zSyY~OT2U>r|D!>)oSRm?S$TTby{(0=0-(w#SS%&_=DV!FgTQ67e78iu(JLEwRJ*~U8M9f-8Q$}h=XU+^;yoZ`FcE#?NQdyMm2{6q zvOfDRkS(10u(0e$<&wkwr(qq6(rxaht@U_chCGA~B}GDE@P?J(*6Vf+*))0fS#B^N z-=%-s=V9~5{H8)fxNXg;FzEncv(BhQ+^75|ItO#ic~?vSD9fn$bHd!MyEJ{g!&=WH z0mM$#`!_-m#Uvun)Am^&jMjdi{#oTxIXUY0-p!3M-sy9~i>>b;H2`%tN1ucknV#rA zY9N;CiiY-Bv2wv0 zm$V@1)S1XSYk?kIf0s71WIqe^)&9Vl2n|8Jrq}2aFfY{4g1;UJJ}4gu1l?TF*J}MN z2cNms9-xhAZoE=Qhd8dxwx_48r7}rY1cq%F^b^F(`n-X;A!CO$CjpV75%&nS;{`Qe zq5-gI4?ALzBG=?U{pm(BaVL@u(bde9zKi~lKF74*_a>S9>^e=tPVX~5F_ovN@hstO zvTv#;7jCoU-2)&>DvB9vW^1aFDcnK*JTr-asO(7En3JUccTLUX>ZdB2wS?KYeWdt}`|+Ce@mp zySosxVO{Sa5>JbCah!9}Pd|h3E!qA&qsGNoCZ4!UZ@ugrjS^=f<6`SQYb+YSw8>_Y z=quWj!#-Q;XgX!vGik1U&-`y^Gmw8jB`%r;x?j3NRYcClj8`$yIX|=z*1nk9L$8r* z4>~{6Ndni5z`Q2yDhNEdpJzL^zbdfD`M=V_Ank^=p04FQ>W+FYIv{ZH>6Y(Ly#m;V ziVit*VSN>RFW3~`9WSZZ9(F~fzUI|)%};qrYs?NM#-8WnwguR=f@*Pn-x7kaC9r+M z_xw|^Z_xgFpX|8qo7(oQ3>@*8a{Xkjpwt#>sPjW8fwS#}COB$seBaJ%b;WYI%$;)z zv0+y(YTEJ&uxI?yJN5FJNx{av(PFg|fbQp0pnNkfG?3o72x^BgUFfu*Eten4HeO4f z&-Xh{60tlefb-|cI8QWIFDzsr0EmF| zo?S`bGdu1kt+Lb2A;$$>P=`JYLj&a()#1e8(_^F8sx9)kh>G#IMhp=`P*}8WO|EmB zOG{(aIAAH{LSOG368W&s>a}i{0;zq&WdB>g#bu|Sq>go)@)#*|s_*}e&W!&5czf@l zCflxi^s$1XgoujN2q+d1M5IF^MNknVBGN&K)KH|C5Ks^SDM3+sQBV*Fy-8OIO-eu@ zgwTr+l28JK656@(E%SYIp7VQs=gc|(IE*lkT)D2j_gZ`HwJ9FSt$P9CYn5TbC*L&r zX7K45x$hHpS<*!U!__y{Hdu%=DPGSnTyI*lQN;=0uJXA_8}g;*&3y`+bO2hp9n#j0 z=OeDAhQ_rjOD8`0gu3NTv9lq{j`~gZ0hDIwXs3dGhOY=9o`W5jwNwiDwtsCmDfx=L zf~W1mEsQ))qhq$O->d}q-}#(nuIR#v-&ii}KGTyt@oxNssnEl~zn##=!hVMrF#X1> zH4whi6qQ*IYdFxn{5jRjLyQAg?&VI0J-~hbc-uQdkb{0h(5;&hKf8%{0B1orpG3_8 zrQ%NWP7NrCoFG0BLro4^^V<5l3W$LKIudsEd{=U{`SbY@NWe;NFM2xE$Ir|l(y8rA z+l7dCp`jrbaZYGQ`p*K#dh}}XBPW$(6Y9T!5s5)AbMZy|2(PS?Bgvd%vR){-a{ zrtqbTP6H|tA{une>)?xke(I^c;a9?nFkz>*is=@OOy`z)ly72{M{-}(S?{I-#sX3i zXNF3i1BHxL0zi+>3!t8ho~{ObdG-f{s-?@A2(x?NTukGb{oJPcQPG`fA;Hggo@Of= zyJaif9dC~iR+fcNoX`T4VUy{)X_P5__C9ITI4U&;I0$78;iv`FRV6FcHHmjnxV6ge%W6FYwvS zq`q4YjP<;{L}NqH`ea2=Tstk#dRZzZlD-?*6r5**EBrQ=9u=uhn8y{qVjFyIrS>n* zKy(W$qJ@j$2N%>a?;w2#J~`Q~I35$?c#?*JGKm*N9d6bDgE1pfxv0Pj<>~m0xh3m) zF3S*p`{mFPdTkWeLh0)Wn?2>S>rNT!OGU5B!!7Mc z>r(jLR=S(YqgdBQ)In@#YgPOwK~9evat(?sO?qpzTWlD-GE2DfJrx1ax0?-pTupMW z&nx}V@Nz&+O<)!6-NZ>Z7{@F>EA&_d^k*e|t-;tT*v^2=dRhO-B6=$Z0xrnrU2vCm zdP*4!z0i6qqe+{VTX5P(i79{0lyLyGa!&JBwAXOomDRr_z+m_j!CMJlp0vj{DLyY@ zyCz!v3L|#Q(;aJSK!-H$$HoT0+T^J;G&OnVRxi|5Gh7BI=IeL;p?G8GTE~jYJkNmj zaTZ|mGjUMB`|h#8yJ6n5(^h|RnYo9d*T*$?nANR$4nUZiVN$mzF*XBpbBe_8!ED=d zoM5_vHtmg8QWdp#E4DFZ=uSvQy(k# z%8IJZ8n4>i@VSz;ksYpTP<5Y{yxhz!B`^qR7(Vnn?`M`@RTZ3AH)W=u{os>{g7me@ zJsRZ}7ousHwj}D1IQX-s2DL~kbGv}-dS7<|4fmMR3+;~P5dC6)4DP$kc(DuV8q&Q4 zsLD>220H#7+j$ZFJJOw?-w3vem555Q)y=B4(S#Td-g7RV_t6mQHRF@*9`RHZWJ{}{@j)?V$U|Q?ylhewD48?sHdBlGt~@Ad5=_0T@6&I(U2+a;9F5Sg zwkh_&$o~|t8>5+6G)JHYn(q0X&qSh@8I`B|o{6#8vAcvCF3dX(lJa~S>+k(+-38M0 zdY)7L_B?7$%$>8|t^Zpe=qa8o`*eW|Rsx<+S-!j`e#kIQABXtV0N6AY91wjlI8+;_ zkat^cty6YwQ!qczCN-d21fD>-<#+$?o0!0I>3ia;g+EUJ(}-+F@orpI5J-xvibi==?FE5LZfPkdh?r%+vDaZtS;Y; zZRH3TRybSMcj4)E9}?>}CF33}@ZJ*{k$k8t`JCF_@M$k?i657`bbf$PVA8}~ONKWQ z5fTkDZu%%kX%>J1=5Oj;flcBl%Zv5Q!YqMCPSiB!eHMhDWj8LLR`*`%UFiB4^T&%V z{ZQ{@vAQ$rt=^wfUR2<~>Q(LwGtDXOjZIvxv55Sd*uP>T;4+SYG@}uG$UG`oiQu@_ z#x?x}28)gm2%z{RUGp#!YqHC_UaHG08(LPPS4k%*TAD|*g|~98LWdPkS;syM_+6U` z3z*K_tvPzR zz7r=zLj^Sjd|oK8jEyPP-(OBa?j}gOWtw{QNtfH}bwW};3(jJ9P-Vlt6piZijbA!$ z=Jme_1gGH2xIC5Z7;M09vflX8ne+E=V0o08jRv5D(Rxn5E_tEWrkZs!G&l1e13r#& z?$nV6$B?9WV?3b<&==QWk^nX`V8^e1KmTEDaycG~LJfZ3@tNP?8j>kbL0Ctu;bA)~ z>JsGvR%O!jXaJvJ+Z%JdqQ7%ILQakuP4bm6$3wyJlU34=IWsK#jh96Wir+htW1xO84Cq)E4=jQW)faV~aAnm<}0xis_JO}_zVpzi+WcG833zn~4$Bm&s586Hno zd&=*+u(?|8jF{@D<|8foO_P$mV}J8a#~$QP*mWiw3n&Oh@}@X&4jqlVB_w19L^#OP zIanHcr!vK*sVd~9hn zy?8<4=&P8>IshLYeq~)Hpv4AW=&3Am%L{F0#2x`-kg-8Fme|mW(S3cohn)bUk^z9{ z#cl2JJ@$OQ_p$uut(edd{soW^=HfUSN2%ZOl$i24zfk@;x3pxKL?J2V&UF|sz8l={ z`MzS@XF*xHdWtEgaoe-o5m~D?mFB)A;f4>ZX7G&Z4+)=ChegKCMD~G*cmr-{z?=!K zgvvk8qjWv+;r!(%H7eUxjc@4-Bn1EMhXyMLuOXt}Xad6mHvqwis+Y{^YBl4Y?~lF~~%OnZ3Lp}7JNMlE;Tz8xH| zH0x18f(OT6!Cktgyik{lJ=}_Gan%zOP64nI_=sV{bk6Jbh=;NLD zZM7_ZhRIg8jr;npe2UnrX?J=JB z8ObbYuSz|IG{2=wUgkz#&X0pzfRbBSP*OIfhKDuR*VWN~<5yfNmMwc_eUfUFrKo5W z*?`otE6&5zbr}|i@w}^lXesxrAhJ2=jIHkDF7mxqFmu=vl&kbNeBI;fGsX~^6 zUhL)s)MTfHMr_hL%WBt1Z7{8g4G~S5Jyxrr96!8V;~wgLcDQ!!MpFHvsAzrTX+oCf zg+U^?YbjyZ_;5He$|l!p#5Tsd}@2OldO{#K7;Sd z%HpeDJll{h(8czbm+&}Jn=5zE4NO66a4J$ljeK@&#{yipjDBtCOm4-xylSuyj{8`cn7XCP&2jNK>lP*S z#^{$mvZv=k$#R+4#f>r0%)=dTYw7Eu9@ra=m)(Mo$j6GCQYw(c2+Z(yYZmXG^AtMy^)-mm<;fMDeK2!~ zr70KrOcJ|YZ2nlR{KT)V8zwzDx`z}_b{P^k!m6&xl=KMUfFq$>igGy4(l ze8GJ^9o63*v$jG8?+B$J4bn_qvs~eQCX1RUhS{t*ue<}9?u}pWF-Uhu8pGqhu%zei z&1)ZN&F%KdG!~L`-u{;t0A2(Pc(wdYfiJTC-Gj6`{tsK&_D(-QbF;^)II6X#D_C!% zJUsCC-BRwF&gXCl>db zvUyM>-=!-`J)@kq52yySyF)eaJ|Ar~SpPHT8r}LeCF+BSx(pcVEmUwow0`oKBAB z=BbdaEqpvQGK6Sfol~GYAzbUwEm%4m)0K(Y`tb=$n*!W1yN*cw(z(0w`EB0B=Z8^m zwa(ueknDUer*P(^$McNx!=lx;p|%kJ{T#-WXFx_DlXH37{pHo|u=^UD8Gms-377Dn zQeTXb@Ljrg`d1d*=Lz+pB&0+5bxKnX^v><;Fb`7$j?EWp^7;joo#v$%$v-SN%#Fd$ zXyuSYujzN#j!3+^qNRjMTF=@2E`bKDr--vz$qp&SfLSIqOqHB-ohb=c*^ z>p2ULR*`3Vg6{x8d2v+r@%o}>L>|OYdG2G(J+atU4;ry`B>DQls{0g-%V6?`e@1unl4UTGSTJ?j2W!kSexEUbEuE_rLF8sT)uaA`+Wj%+vv320< zl=8BXwbY{#vI^(lcRa&5fQSyjYe3Xc^+ssVORoM3p!C~#o@rqSn86V09CNQL>3VfD z42(j(>lMBaVPJmF)wE(Q2R)_j_r_KhB`?H+@2h^F)EwAzn{uq!jw*jAyng7?HtSmr zp%JyU)g$L>eg@2byso>A7Q!UAmgT4cH_4Xo#=!Q$DQ>wz-;m7t?!(70kfIly*aqm+Rabe4?R6a zPYI5GxgwcSoU!={Z^e~@+?=cSddN@thvo!vuql$)*^x9Yc07P+5khJ`&P&|cTyTc% zZk5ztb$vUUAA4?Z-nvb^_S~eO;J=LKpFo~FY%kS)^tVextE=MvPC;Jizc&I6n41jv zhyo_wgZk`1ZC~<@Yht+g=Cb8r-Gkpl&-*&OM#U>e_47*S$_G0aNX6YG$H%(oCyEdq zKi-KBv&+GZDzE%74t}M0D$tKCer4}N6%ZZ0>7~jhI{q#;_x!fYKTKP1))er)!G^M6 zSo2SWP@cY2PuGPc3j=1~MK{L;EI7-WAt#c(@2prz1km3lU(VFOYx&LiRZ|AWVB)sU z<@#La7h()oz&qktmVr({U(ttrzPC&I+-dlP^(~$QP`+2^v2W8P8!@BVKRM59;}x5= zg1T`RrETwMtNZ>~uX0HDFYZ2Lr}YGMpJRxekze$ejN_e++{nEI{J;JEH4(1eF6rc$ z0%ppO@TDGzGC5*eAL2_{(J2-(vsw#(Zu4e4aFVv`cH$9E)HLh*ohH$ab4nioZD6kB zglNHFZUMX;HvH&K*b}J=wAD5zb+7!WdY8F=>z}sL1DfxhM^O&M#qs(6XFiCM6*QGl zVbs$m-Z991{hvCc`Ve#^|Uu@ha|| z+N*0El1S~=lLm*K6iGj-9~JAu?e06AQ)`y|XY@ONc#G23M#qD{a1k!e59a96 zf4m#~p7)|c&EN<=|70F#^|!`$A9?W&nPCxewmc@`U*Z_ z*Quw>brgD{M$r4dZ}qK9XumN2RU-LDNLOYQ#{2G)Cfxru*`#mqvcUPBSNwe$!t6W6 zE`0|6eV6Ey&yc}+TV3M?MVBzlqF-MR8~@U|6fkgK=(3v;mBfSetEauW%>4u?Y+jW% zsh>M`PyV6J*v}(;q?|S`(;Dc})O&xe;vV_$3oLMb!1eV<0dYM$?ahI2QEFT#eMz{f zv-RqZ4sT(+%UEeq!;g-+7eG?#3xAYQn z8~Bvoz5$>zf33LzGV;NsvLkO^QqyRglR_dGJL`EzKL-DfmDkiC z?*txNoghoD_NCuk4L7C)#F<{+ct;1^0pms2+OGOO1^qKCr>noe=rUsUt+sOX;tL$poU-SR%xgmHoEGxBfeQ*cI2v}~!*LAjxG@_GT8AH}yh3!n z^-zx)*>Ep4at=7BqkUyU@6M|&qK9XJ)*t+XHGuPqR;68$s&A`A4b z&`>v=7np)@?K^Yhhgw+Ll4zaZ+wiSdGdV>uxk^OIdq;dpKO|}=bcNm$E#UWNrJ-3% zlfnVlQ(bQ^OM$|gv}=~;pM|b{RA{s01|C|tO)YtP3n(Q>T+64|526+-s~yX^6>t3C zt=dllR_(w+KL8He&-0tm-#I*ORe;y+XI+i=Y&2^(Ep{|`XUj$cP@Oj=tAXdl*B3y* z799$YlUF6bEN^ytckL*U*>t(Jh2-LR4&G^F;C{T4h(fiF#IMA@6V>m$_Zd|xEthTf zL-cwq&*O$0u7ZHWew5s=eEM8bZAa`qF7x$FTqh{jpsn~c^DLnX{J`uUg2(g|R~`kS~i8%qr=p2Y0EQE1q#D4E;b z?3S+fnW`M-NX@A5H}$Lx%TTi&CzT;#W&uaK;aazaM@s!@mF}$nPurFM{r7iyo@uT?_THPehF;8dHF#`##(RNwWl%eim014{xX~As0Y?1u)5=ui+x~o z)TZ^FvoLtlY*1wkzi6a)EsGIs8-3UGNMMGLfv8TNs2nIMhsuK~CFOPWsdN$4&IxPuD#5PbG3a4Z z!?I4?rX->Q>Z2TYw>?}!C~m~51t#C}gw==dhFix6?xS(VnOxm*a?d{qM`;OR>9VKq z(}JI{TW=SZF$_6v*jGbsu63Fa7yB`WNer|%xpmT~J#1vXine5@3uoVMZ-}_B`E8Vk zJkwhQpL?mS9WpDI1$I_|GKS>;^X4@X%vZgBF^RVPx^kpH$#Z0=RZFSk+9$B{3XA{j zDgAf9MD^dLl#k}qN*l_B&)=Qwy|sQq=>~9c2W}J(Uj#Nh_BR;u(xdWnKY56mgA)A( zeG^G4yV0sK+<}m74gWww-MNWH=gG1U75FxhFFBNhwLepzdl=U$jAl-za%-48boEEace zB_)oWEA)O!W>FFfRx&qsRqELYAD{`01_tA+>jtNpc$ zT3=L5IF_B?b>K?42&_xeeoHh6fMRNjPQtr!cS&)+ZNc27Klx7xf_37fx83b4n>})4#<*&oS07 zGO5kjPUr>K4^kHxt-%rs!5Sjl$;!EvN)nPX(1f-D151vz_G7LO`h7hH7G^EyeCUh_ zTs#ZJGH-Nb-{6ZzbxwAN{Rc5W8hmbpLIq&KXr!B?INl1nkL^?6=ChVaGl*IHPkacgMPUvp}8!7mZNVW)gEp6XVz~c-3Nm+?DDolWI$=1Y_8dD(#V1vKIaaf%S(M9k$Q%q&ymdYFy(| zylB)A(~mCp2CiYe7~ssBGENLX**i0g?cBbJo>DF9SWoGSR(BTe?gGcQDyza~oNc}u zaWVrU6)0d)Zii9!bfgUAW}NnTEhFK(Z3Nja{IJGHK1J;kwsLa7&W719Ck~nrLy@1# zDw{e&-|t<8^rvSRDznXVh}^y8#uhYZRS6tmh>q)Wl(vAuh~+h7%YuE>&LH%a4V=BUx^mL zC7b5uxH_$xbnq3;3?^Ld;dn6R*zL*QC-?8N11EO- zL;}!WxIV!k69nF8Q0-m#gVHj~K17WO6C4A;wYOJJ4=m$&bl?SGZf z5_+CG*+Xc?dm|QAT7vGUc~F~E6%9Bc{q57=@dBdm(<(OX_?P^GBZ;(bU0!9&yz(@y z6sR)($j8OT-VzRG;xrXyB}UhzqPMq7JUkkgliTJrS67z6$$KD_%wg>w3i|F# zZU;V>#A$DXO~XD`HPEVWxC85UEb(P z9Djv`qC-W8K^EB4E}3VanX0o2kQ^#*00U=dfyIiXx1~;|Xi>^ts5Z)iUzC8z)Nj?0 z+KeSbEDJRO)g6OKR-BNKlI^vCpWNV>;P9gbyE?M_8S%?^8TLRgx@8xLZ<~oxbbFXn zgnIGnW&4cNNGd`fm<&AWcNkstVGW9%t>(d+>!pm@2oQRCj7SZ~lW=Thl}hK%9-<{G zkP^7}3v>M>4Y*lMB!IUe~tLNvRxU>J4u^Xp;itHw)J~c=fotwj#eiviPzX8CyVx>b7O6 zR*>x5ND=zY?Fm-lRRt1l;Sp-U{>RB1b`NFqO^x%--P9^~mR#;YDu(ut9q^&fo>4qtpWC(ju&AUWu|vu#(XIDKE9&eC8nj zwfD?ba_W)5KE-TApRdF9u5M#>{E6BJTiP$m(3&fJ12$76v^0aaEusQ`gjY3U_rp_d zr$Z?~8ultqERkXV3}R3m^z|D|#%%01{26 z+pH?}auxf!ooK7#Cpe?gs8kpqv%f394)&H9CKapPP*NPrCK*~8(Ga(*h#O%@*kp}g zHT`8XBTmWpuc)1Y>mRK2`pos+ zIQ=fglUVLxn51;UIR6VJ(G}?26SfB54V0{B(QdIG(|mULr)U9C6y2HbhL68t+X$C>_mr?6G7;H0c1cKz#USUPo}W%B?(D9f{#gJw|8_Q8{+i5EWZR6A+f4E~`cVs5B~Ij4d(enmpH=^j78*M8rY4^y+CgTfBO3`sg|8M>cX;TT z)EIp2A0(kk&M)&!>EO(od2Q=5ZmT(xht;t5mfPcV2SqfVSu65PSmRUmrmyzn1@J)f zVS$VFzx3|8Rb}}r=bBe1?e_N6+{@l5d`kG&zW#jjj@Q$qycum~67Pb^N7p1BVEu7{ z3_Crums`qPc;u%-Y`?_AA<3QOku|=AEfaR0vpT_W!Q> zyfs<|6F2tNgk7bd((TjjDe{ud$8d`@L}N6w7_%L$E>ij{V9Y?2c*?CpYJ*|N$PcrM z1T`?pz5Q0BO(e+6Z)K8m5pd)BvN9@=g97ge3&6zxY(+h=L-tF;U)mW!1(dUMVD1~W21`~~IQTYxN3GTl>}o7M?>9o=7p$ zm^%xyQ8@7V78)J@OD8UcBVR_otV~rluEJrC8QJj0M?Vc*GB# zwsiwdUp1!=PD{cRT$x`xf=mTj{F!g6Pa#X?O%Q7BDq_+Rf)`L*3E*Xf8nHy=WeGbe z&mv}Ih*ILbeO{@yv*!^|(AaH~-ROUkRe+xvJX;7P)ue%U{U@jA$_J_(l$|>ry_-+& zM;yVLlqQ30Hm58yOxP7qXxcYs!52?xDqR?%K4 ztD3(--ys|DwmIBmzHxXj3_+q|DaD+Kfl_&(+CNJ?<(_=NG^vM4Y=0hA;w^#B$q4`f zhczAo^PjdL+?!jy+uPkq8^9XsZA;m!$-Xu4{yfG|;UfllKV9~H{;l?E_vT~9x5Hv8 z@41AKu0q&B3rB1G69G4Fo8uF9QOhA=29VPwssdY!`Ub{XeMxFCzcWXXNDfT|KcgFr zbW3BNi(i?RoGsRQ3u4CC{@+F+y~<(PL3V3H8$9 z^Q2&x8tw*J7}$ukE=h)^uZ4aak=yDn+rCZf(2d(Zvn&;(1|x)`2)!3B$n<;2i*Wf; z4IlyTQ>yL5lso{2`WPu9-G{&*@IOkT`>Wb%{5Z+OYkGaN9eV+4LZ>mvO_04o0L+S7 zk%`ToQ4Mu5JDKvAA*aMM8H`7Vvl_pYCHq{jAcjF#S#-wdVRmS(&&O>1-G{zy)ro)= zC7Jg6&UZa#adI1Dcht%_kb%soLyWk^i0c#YfS2eA3|o zuc;e2mY~a<_V#4SZ=DcPe-HD8}HWF zZ?1p4a;}%}4E;MFktI8IK+bXQW|@?m+53&t^6t3H`E*V*BohB2Wk3%90aAi=b7i4c z6k+9ImQeSjGOpdx%@L8@<{C+DiS4XKq;8$G*yUPEmK{E4x%6EP*qH=nnkfC*c|AUG zWDl;*AGcwQ#<5BGCP*W5i~C}YV-1Zv#Q-ZwE2v`CbG`)!ry4XBm;e+*I++Y6Ie+=E zF7=)F-9btB!85}3}du^n|M+8B4cKd4a6Q>pNCYn!md2tF6`4oKkFF)db70lI1yaUv)T}v#GUpdmY zJ=GlMHrCvrY9NJO*aL?E@3j1W`I~N=385KeAyC6vG)-3;8m;PN7RrVwxSp9b&CRKX zEgT!E-qBoiKiQ)PJXX^*zxh9WtXIMNk;tA?&P^GYBu?zF(0DejIPyZ)?XV-;YmP6I ztb6ssaRyWyDJ%ehGTB#k!h}`R?wTfv+4uY~U>RTmShBsT*D9-_x$c}ht@U==$sJl> zpH+njm*n(MC)lZyA`kiLh`B-9VhQBO@`sW-FJTyigGLbM@||lBl_$EfFPHi-8v6Ox zdD?tlo<0$IdFrwE5m56!L)0Y@05#sP?E|-cZT4Q9Qt6$X{A4Ih?0Oxe67g(EQD67M zbkRPiuC!X2g%6!fBAAvMr@)G$5k3jf*RNrnbX?RYXO<`6+ddw&B#oMzr_`X@ zgDNeMKMG?2iSktO;Nj6g&xS}@&kjfh=jr8?=&unZhvp=(kErEHl=lU{ue!85cDP*a zn~c0qjJ2iDOtLt3kJJF>uR10BQ`BKBt#9m9sg0~F1jW(7(ecxO=<-IfS@=7zFxoQi3U)T4#p#%&o zjrM!Ut#lRzY8fxhP>X+_Z}z1L-0(iEgT*`!-JQlQiFwxIdQ4Ht~Xu0bwG&M8MOXa2}%Yk)h@+=DBP%>W90u zo>bpgDPX_)RP9g!XlcJgd#zVkAFG*)}?75?iJf3*~?WriuWcPhX(=P@W6`?THf`nxJ=$46owUwgs!)WF)+)o{)1dr07Mi-m?8HhfY( zrC>~Frrh!)J$5o2xiiIK&8ORxJk14Cino1Q#>qz0w3d(r6 zHXSeXboU$i6bC9}K#by)d*F9e_32<{ORFWi^2>?CsVeefRAM-9kp zW%c$|weFx^nXCaRy*|_Wcl7nMtE$`>Smj*EcTC;6rHO`AGZE_G=o6*7rsxCQcnu|0 zH1a_Z<2_6o3s06-7M42jt%*OOo4c7dPB?7%=JnDhJ_6?>j_pMNJ-VDd4kg?X) zP6JDH@F=6iJ9&tX5sSIL$1Z+&9b@2XP$90!-5xCALXc(Yoc^k*SQ6>J?yF&q$hL4W zU4?LXE(|h@HAsA9qOfBGLmA^y)0|AHUjTY0@R{nl|2D$@ucIjJMdB1Qp*`n4u-JxF z!K4<_%Zl>)SJKey9A%Mi0B)U?{_X_zBkNl_o0xi{Tt9e4bMjj{IRLDafccUkKK0V- zw4T0R3VFc?YlTJ>fl^QL2MPq>Nlnq19dSPnDld``weVA(eL3WINSGr+>8>JT<{25= zAYifj=7#OI2^;)Y=hXf)fP=KNTd!k%W@RZtt*hsWW=-XyPD^Xh*Cw6-$O-?ZF~oKi zt+Tt6Xrw5!8p;@d?7z}vFj`_9lOS0UwZVwHnwFV&cD{UVi)r&GWY_=XULWUx_fl?{ zBhU}i?C<*tgbOu*qq;ahD{a}O|0E_s!7s9CmOZ7`fI`;!j;XDTKwwJchbJ>q1w=M0 zBEEqjOGvj4pS*F>a&>b>M5N~?w^VL( zh`On#CxVC)-}3(Ac&q~$Dcfqv`?4yA(;4L>G>fMV_dOy z*W?S(0Xu4m2CXtZmC>44>gzt;+$@z|k?Lvx00Ie-q?z*S>zT4oFFVDOp#Xy&QF|uLw zWw{EB5)TU4;-HMTCA4So2TTC_<3eGqsipz02IjmwSmV@nw}6Anp6Hj(CrqBq1l^AG$z$El$Txz+#`h&nx48ZYZ;=0a-Ze_G zF%>=vhOP>L2d7o=W<{{D0sl*mK`v8$aNfFUga9pOA~`i=z(2c+Mlq}(c4J@3+kKoY zPcMT?jwBf-F=fo9K@#UukI@UKmZI}n)>Ks%NLs#dIkVkj_G4 zg7-_10KY%8N`wp4#T|6g4K zecpVhs_fo4mu>)ONB#2X(o%<<2uc-Uh7a{y^=Aa9)(Oq6oGwGI9-D{bMNL`niAW1GHx);&Yc{jpi z(ZczjHL{|T-k{<1LTT!;^G+4b&o2qGNp~${D1qv*c>omYczy*43BdZ&+_qc)%7_0> zjQ{5^zMd3$x=_6!6%2CbJ&@$9qbVuH^{uI@!j2U9KZs~{!HU`nV<8O z#7VB452>UXejiO-QLl8GoBmLjmcdY(YKl|-&LgN%TSw+tWmYy@@5cEP7v1nAU$Pvg zGC4N~g22{IyEJ)Sv;)B&1~OEpT%KMenBi(e`kc|WvSl(82SX*0k3Y<4KUI>OmMM@= z08bM}_Sao8w+zb=QB5u)XSW$*F&zrbM|!X(RK(1TVVR_;BbqRjqHuk+)xybi!L-@} zUH~8&pgTFJnHC=MfBwb)_jiX{foj`196=Q}HDXE2yh)BxC3C5gjnhL|KdjxVt-U!< z&){lRuA8#Nq*nNpWu1`*X8UyGsIrs~ zm~c$p+{PVeXl`yvSHUMr6*Z3#vIoa;2aa=;M$EZXX8Zf z$*Ep#eq6)olWrP`VDpHiL=IEIj>>eu=K5x>Z0#D~!<5-> zea@XW;6aP|U1wivn--@{Z-MtG1%CBcWFl)WT#v5bUUw*SW_i@aDMh2E$u98105*f){4jLgsCmE}9S@!v znV+t;;V-3Ds7QtI>D7GJMw+OPKP5cv_||tMq!x+jK29WF^Mfz&4KFR!Z% z>*;L2v4~hd5S*$k&)us(G>Oo5nAU|WG2**jY?f?onqFR&TBJwJ@mJ(BgMEZY(q9QW z|L*N*YXFUzq+{r#fBsU2j_iTbH4dckh>J(rM|K`MStWh6)l6)41uVF7MzXL>foF}T z_T5}(VMNaNHTF5I_71_yv)9TT5XBI)7gC|30KHma4P;dRiFPeikOVnu(&!na&ZwWqK)@FQJ(uzp2{n~^PIMc$DYTQ?jrE2Hu)!nC2;Mt2UH89H zgXEMJmEz^)-z%{HxY32uk@%XbL_8ytMi0Wxn6k{_bT~&1J=PC=A5riaD1bY4PWT** zkdUNhw?-5;#noVyIi)Po1VYx~zz&6xFhgZ%Dks0H>B4OX<5Bo%x>_NpY;{yHvOj;@ zd;2`LZT6BKE-4j{cB}T_q03ZUc(eR(VbXv6;_mt105uQjXd@^K#6U?jV0B)(Kk)ewfen$b$Fd}3+l2d-T4RNHA)5m9TI{3{X3-f{oSTj|=+ zI^2@wqbGu3n$;-nh%DEM4D#f@=e}7r;-%i3VG^oJ^@Q8aWO+XI- zp5*IFwh^#?p>TAEa08YVg|?Ta*(uy@mIq)uJ=@ve>z?q)^x9q5^gpDtfgj7>>xI_Z z=>1zsw7Wv)O3%vXUjbdZo*=m1?L2kCc1}x(eOJbe*LSnVAuu=RUYF<`w?PHN7)D8A zfvqwtLhtm@-uKIe#c)-X>vv!n7Bf0>c#h-1^=fZv05ig6``kUx4D&-eHt-9kR8 zCp>yo?ON`d3IH@&`pi-@rOrxDh94jGe7rV(Re1eGhCv87#F{$ZKuYet|6)FAHnazS z2CvDtLo{42uc70r&tNbvWPl(q&Z<-WpF$!^)^IYw=&!ZNwy^I${6&UUEQIw^)eGF?=)&2#CDjn#@%9d*dt;F z&k=R6{~3h}fRV9#s(bf=#Sryu{rcQbh4t%KwjZoqlI&4bujdHt+&P~}$0((;!~Xc;%F54NDQWMf*98sl{pRORC#hE2;< z&i!|9M>aQn?04iZi4XMO*mlu$C4dpe7hANW2K=fHC1GrQk>S~|5>Igx6=`x5mHAZ+eyE`X`!^`Rr@e8XuzmXV)u0A_KI5wx2tX4PhCy1pjoV;ODJ;L23bAR3;&9epC1*zp6g?Wmf4Y~JI&*OMTh7#k3OE)EW%ubG5U;kIl33^S zk0tmEshMgb_kq7Q?q_<5bSmHMbEj|MLLe8Au;j@1pATPmz z2T^v(Zn)~2+w{N0G_Z%h?;Ng|IEU>B9!7mM&Cta})(QK*cKY0qdT~h*C%8^z`$ghg zFI8}TUy_NwKmEYmlv!)go0SQ`^8i!NnLdpx1VVFu)EUa9^h__Ap$NkX*OS*65UGadG&R3ra*ybV>vuc7oRQ~=-lKnZm5#8S*F0U zcz`1GK*;Q6punoRup8qXP^RUX#sZP?xt(=86M(WYEGfvB{~N6SA4)EVlfY5t9={_y z{1DjQ^exLSj!;y?j>6bJ$XH|jz;*Nko^|^@@qSjSzc6mV8}(smu%eea01C!1%8bn+ zHoTP2vm1t!n0PH-6e6J&j~yx7en`pH^4cxGz?R}UapwQx?meTLT)TEr6_((uG+EM% zfP#vEN|7GvDndl0Ns}fZ1f&xni3$ox2}rM@hu(`wQ|Z08(4-@sKmsHrIS*@n?{~g$ zk2B78?XmZdbN-MY2{3X$bI$vkb6)eBTMZLQbJB;SBgeiVJTuF`o_wr?)>G500Q=ze zk-)Ne@w+A+-3#L@uS$T@*NdwYVasQasM=qAFOIKE=_~;kcxl~s@M9a(KsSmKrN+p2 zE)|E_+xlS$MMb877hQSIv3KOcZVErZiN*247Bx*X{CNm#t^?_T$W(U@n}-6k5l$)t&v*P4E2xK*ATmGNtFU$EAppnXk0JI z-^uJt*dL%+EBYA;AMxRpp>S9sn4Z{#@x$x?>VFanuw_cR?^aDID7MgzwcGws&ghIV zmXoHlGa1la6newCT)G!~pH#Y^U?3XAXa$Gut_EIe+WY1r_7S&H-rYY-SlU%Oj+Jp7 zx#OIK&LC+)=_ zO-s$Qr@WGXE57LI*p z4%#r#Yf=OVC!xbgzX`|ZS&fQ4*xYXIAeEh~vHLPfHTfTz=_T0tZ|p7tr&%Ro2qD#h2h9`|-ToGO(X3--{!tK(Nl4Pm&m};xfLKtFaty5m5@{o}lBh z)1Zm!Q5PFL3XuS3h;PLSH`d;lC|{H!DZ3psV7qM8;b8g-PrtzCPt0FG zSg`_G@a^R;e6M8;v_R4ZDEM%8kGS!*NQ-^aep?vK`XH(O>q<>}IQ!i|&-I9QfUt8^ zvpS}Mz%M=66$i;~zl57d1*NdTstWGse08@>_S;dEC|K`GNvTF@YGJ};`vtXkHgtbMAO5#l1aCf z=oHUc=)Gr7(OkM=d+T}yT|=!Qbto%x($_aT4c+e>@VDGnu-M5kp=L5U6f0M^=M>fR zKff(c;iWu)NO2RRh!Xk#MphYC2}o_cMvPi7Z)*EksklB871(&qH@D-%oy>7#&cm3!uGicck85t zyh`Dm-HH1GD=O%h0<3gJ2kS}y)&hX`OvLZmRMr-DhB6j#bK`7B%M3{EM-}Vxkn7GZ zNk^GY*rAZ_riPtpLh~we9I`r*L0;oNj%$xg@dR4B+~_ioTlW`=Olr%M$>|JZZI%1Z zd(<^ka3XdD4a(f~s;Qg#@o}Mjjsia(ujsq&FkVd&*{YqTM5uHzX(;A7N`_GKF!D=@ z1tp@q&^h03n>Z8K5UQC&26|D1YtP-2ri)G%D&HylKcmno`fzL}@9YowngFj65AKTq zu#e8MwI6|va&6O4oX!SR@sOfO?;b0`x|WXP9R9@;)P9UBewC6r3)`d!IstrWg1Dcx z%n~01dqTJOg^wf>`?8m3y_+iQZ#8w2s7{}AsxqWy@sv|j=1Ou)2M2!#+1(okwSb0( z9VF~j&|$SWFVj&|(ajSonO=`AP;7ZMI!{!NQ+A_9vLi2SQXJSq^P;db>I;o@E;)4sk?Y29(}{*{E#R@94?pN>(2W|q+bON?oOLc9(EA$QJvo5xuoc`Vcc zT8(IEA3%#p`A=d^L}1{D(pQFaH1B47Fh%w}ez4t6acA&YpNgdV}1Qu=Y=O|0QX56nCmI-GVF*Nh}LEJ zQcWmqLraQ(IUQq{mus5HddFn1MqO{Yi82I!bvgC0@sRC~Ips0LjDYNqtKDCTp?WHImgiKArfB1rlkxkFW^SSd&LdL=@;leXez}HTn5E{Ng&%(RYN~7e!`Uc7#_Cn= zhQhX4_3W#pZ3tXyWeb6%>Jmp0r|(&vr!f0f?BdIYK_~NA1c+#lp2msR#VD-wi)pf$ zJ}qus&(}WGVDR;Z_AsZuaT~Z+V)w>(d}>bL+ihx=xNSgQ_#jr_DkD_86fmr%)`lV; zpu4>qalPBc@`rWXh(nBfZFMqbYQIbC{vK-SnUs3wa%mGN^Q6x+uJiXeHKhrcf!;5K zV;z<_rY^6j)eU-qDQUqp3MY;q1#T(HksdwV;g$0(Yl&!P+g#f%6T86e>pCR#0R$*& zOcn(Tw3%SG(3VowqV36Luq1ByQh8jL+>5!oNR$si<@k$KM61~LdDtV#0OZ#@IJRn{ zaxqx_itC*((GK+8FL$!#{q#KE&(f$Cz6s(RQ*cmKfYwVmP;<(<-YcBj9yM?~QXu?yhS-aJL@?&dU!#2()kXwi%UNv$&;5%!Y)C`}3-NLDfAzIb*hG%O{ z_u~|-OO?uS77C+mCBUGB>q3F~Xv1LSeSV(3ETI^vvGa_nL+hvINuSMNMS$1Ihr^cFDb zlUBf5?9y__&T{|zxQ+RNt$L5ZRjhG$phKwS3k8|byR0}!MDxeg^fUpq&scJtv?KYg zVH`U*xrdO@%;r#u3#(ueC%c`_$=QxTF^^}1?#mz*!@M(Hl0SuckDGd#LN_+d3_Pcy zXzYSPJy!qh?#<^M*i?L|Z8VYVfF@%#w>R1o-e&vVuO)gyl?l0+0;$) z3AA6#tARMhu=_hH|;h4?O@S*AJE@bljxpOX9_%a^GK( zarvSQ@UdoXk)2nU$VI$9Cj(4YW*bQ*iG&62_!!S3CuQ*u8dt;~@QA)m+ke0PAw3mf zj(zNdZ6LXs43pw$)NFHPcA4wpZ5L6Kgr%0^a2WByZsvJ$Dn7CIDA0|u_E+?qh4w2d z)8YaxhNvpZQgL~ZB;&uCV^p30!5mwXKL&z9o69YL%`iEMARZYlBT)xJ%MpR{OZsPT z%kI=;$p~))Xh$=HFcN;UDA!ceNcNa9ZZU%`B(+Io(+SRtIIWUa?k|TqgK8Zm9mdj* z>8JKrDx$#h=|lv>$)veL$!6`#?;@`e2dG(tKGL#S_s-l-n(K%-YO-e7uHAUpseZ4` z^@s^!!b1qsIDp)?Tk!3jJMlnI*{`N_@0Gx2*oe7FA!7BV^@k(6-55gc2n`oD4cmfN zfQ&>le_Ca3MnCs7cB-|JnUD6Ge!cnJ8j$rRl@3_T_~JLQ1dN32jrt3_9_>w)zNCF| z@`B9rTi+Rn0h?UX-**DN#{l(*-zge=<9>Krfkq&Tom=FpEt}GSmR`hnK`A^fFhRvI zDQC08bU_#bI=8Rs2Z;G(2SfwA^DE?UJcC;<7THVSM7$HXhfk&?>w$AeI*lP^Lt z2~&o6TG_<}c7IC>Ya@Yy;JBMg9mQwzwz-#TX-|L? zRMYmci6ONLK4J%u=9(I>_G%{A_6GLSsOxe=*(aFB#)Mc9kd|ZphOe8BJwb=_;VZbp z9tf=8T9cJ?6Az{|OD5#lJ3HJI#<^qsAc-{GrP9BZl^jg=f#2)gqNM};zy~4 znOP4hjW$2!wNZ6*;!nudYsf5fGPM zj91{S{!SQap|Rhn+cpwBLSGPKlWLm@@m8`u;7LqSSjaZYwC!&-qN)pHg6kpAUYBsa ztVzEyW+UWZyL-Klu<~t^>&VV_#e7BqAOc7M)qpV@%2|uU#v(C?tloFw3PS)ZZr`xo zcbBdKHePJ%>qEM}`5wK<3zX85(W(D_?%-7Ti{rh+CiB^+bJS7=jZBx0`|dXxDIS)f zME#vTeM#NnVs%?(wh)Z(quTsNzOb5Zg(C|fHo$%`*GZG_?XHZIAx5>9YX1ocQpic> zq}RtotBS^{xap?bUX+Hp4fmu)-bVXS$^`^j)BMGXn8^fauJ+=jr zU5@7|ekB8iUUU8oqF{yXUo`>Z0k5LxP!}}uzWS-D zxM88up9(C+@t6!ILqso)-De^GGy-;G>>U8JWDYN^Ifm>>{GBgQ*47`N)!{~j){*>#G+}tGMmHAPRZ5NPHpm1&#;%#el z_>bdp(EVyrF~8&P?u`9@u^q(tT%3mdO4;&!An$CenK_6=XfvpApiyqb=HV{3e(5*oJ_-vNwwR3yi+{<+Q!9xKHVNemBku7OoqYk{=_-n+=Q{0&% zSJZeD(u!TS*??5vL_$xPyU=~o4HtdC?}=?RX_fYh4@x>~%i*%3zSbPDcduF;hZsP< zZ9n&WhU-r~JShhX1|A6q(0f3~-k|N<`&F+dQqhn8Mw1V;J2bq6QrERi9=%suL+BWd zV-h>wYm8`3|672uH{mZfjBSWWwe;8G*fAvm9%TxniVH9#?%$X(3*tY-uQ6IVepLzN zCI6d6D$Y=`@pW_TC>I?VT)*_1w5x>fmBjr;BjxQ;GjqS>Fm7XjY!vPT7s5Rz&3ysR zRJCO2p1i+Da6&}H%jb7#;^yCOWh<1jLJkX=M0-?}>g%Q4GQGm+&a}kWh!SPDCJq28 zwDFI9CQGZ|f2z>qdyWWK*UKw7n`hnT+nXU)cGW7#pBhfBRknQLgq2c7@|Z?o3aJ`s zU}{nS-?$Nu1F&^67+$G~4?@cq^vrzZE$R4pIUX>J9mV6Na>vOl%YambF(r|6DCiIf z==FY^{=7Gku!YE~N52L{t067EOIEzbJosEQ|5$U&CuFZ(&p-#6@tudMA28GwcWa->3;S5^T1?c8tQ$?Ct({1lGyJiV{yajK zY!8i5lFC{q9ab<`;Ub=tZ_IWkm6z9Xt>?r4dA_Y| zHp|HUqvZeO+XAi5CqU|1P+VVrnv4C4N&;FHOkkg9&;b=5OzSLDnD<OD9TNj#@z4s3_|ymhmQ37t4gK0u?uLNu<`XBT$)5%BbcSmlO9WaA2bgr9YZw= z_-!iiSNHm-HYg`I|IIjVWd%Ww5|PkS@TUqW&nsf~dU?0imM0kgH|1F2;$Dll^DD^u zl;07MYyO|09G4t+WqnNu|9pQzs~z2VJOh0Uc)F`=?a5Gg7pH?8@}3zmvb7<z2Z+k%K%2pPiYv^%qeyZAMiMr^X-jEe?M98)w9I(4)U=qs0P*>fo%?XP zoD#g=C?d&DC4l-{<->d&U|9 z-}_@V4nZI`?U(g%k9}hXqf4h+11#+{_*4}v7ewfTJn#$*k|0@kdcB#7<`v9y99U-zl6i4g1mOA7;YYdmLgnndIm8ie)FI% ztV4+i!Z>O8Ro?;P-u>gnTNM0WMb}}|eu__oNS7{Bu6X+Jr@u4qsf5L8QGtkWr*uYj zQ#lBj34_RFN;Ck9eNM}nGV|O!Yl&koh<7$lv*2ZnL-EZ(ipw&5LZD6S`_zVa$V}=* zmS|QkO1TS6UC*r6(MV>wg}E!%*vUv+dYPLu*~!herysu&4r(N;d745ObW!>|yJ<9G zzBSIUEr;b06zPzlUvD&n4&I;;txcNf^un=3@y(shkEtT?-^x=;Z=SaLH4r4uz1WeN zeAzXP^1Lufsxp9t%uQ1DON>PfjQmYbFZ(a#^b`N4jWH*l_2KEj-u;LvK&QjumF37r z2)zYT%K{lj7#sSCaw#kd4BwCMuFd~CJrOoKF5h=Ve|>8{@NubPkUTxZrrNZxAqnGC z6efLkp_{{S4a&^L5MJBsp#3VKwyNf>b9bEKLT)gl?QNfRSC$Q{itt9gQRE)a;xSYo z((@R&v%JvsVKCQt<8j|{r-|VWpj+|Rh@Z1QD+;g+smBfL0n9|_Fyb8VNt)k6C35Ed zmbTo^Gx8?1Us!Id-ff&qJ!*oA9{LozFq}Ger~n*&cT9Kj+K$mcJU*hCe&haT*j=ZL zUK#Tf%VSJj(}*5oI#L4=Hy==O-oGZ{m~v24a&x@M%oLw&&N*x5+5NFbToF5u-AA2d zZI-Q`V1L9lok;EPQC>c9DoNk4!WH?~m+dqn-n@aX52F;F`VepmD8`&JM~U(0*?o&$ zvI^%Ow|%~RC(K*-9U!hL-2JEo>Jhk_YpYn$sJ9DW%*e2anu`&sj@Oypt*(hFdaW{h zL)q=LQVrB3!(C@vev8WRjav<{&t;#&g#g8y0dT&6#_U;;{2?K8WXgDn z2jmkuJ&aZr#jhFFc%E$8{Db)`xB8pv<`P5WWk z<`P8N)XDdB>Ccf$m!gedDC$VGdp+oRo`?u*P9aG7)bT< za!OL5-%b;`;Djgy8suIX(2y^eUk?(HT6>8iji9?ubAoa}>^qLN2^%vrHFznj4CnyP zJ|8PI(mitD@aGvKnhwwQo#K%?@InTsqqQT+aG&Le*a^|LtG=j4RLuL=o=sqiC&!}e zaduqnVf|us@pcqaCP!+KG|xt~h6rMU?#Hk-ZEQIU$C>!;LExA})EtFOa3h73A2t$W zRvV961+2K24{ayrCLK z@;-%=W2$V=O8LH8oH6E2lEK{-gEIOtZWZGMW(kG8oebOz|4J&u6y!6*%4(>rjLkWH z#wOwc=E8ddlEB;4a9>!jN$zy^cM*gU*M_MWRh=aENjpz%bpwA$rDk@5um^Tq9S2HS z^0PnNlBRi%eu8cxfqtUUK?Io$aTbvPR>0FaZ#HQ;D_@X$C$9BoI__0--F6eAVPBWf z`(eukU;^oQVr=5{MFaq~*f{R+oii3~T>G&-TvTuRX1gA0 zWjO`Jlq2P1%%u7Da}ChG(ei8!mPLw7w7_o;hMnpTyFWY85WKr)t55)c?`gqWcl7>Z zmk}??t`?7R=mIvPcFonVkJ{92)$BM%k=j*(*$a-v3d-XC@`m~GGq z>ZgUT8^yx52=cxum7p)Ex5wu>``?9Zo&Myb-zsEJO#CHUWa9faJip-LhM^9Pg0fUE zpa*nO4Rjf%a-cMM*is08)5d`C;{v9W3WLj#o!$o{0M|uS&V2tav-7q-GF-l815mXf z6ek2*4LE!#aajvGbQ~KD7o+0!D_V4{SL_LLbN1Sw1w>77Q)vk*;kV49Y2LqK`p|6D zEJ*inAT;vy@ITYVV?-d&3!cLkf%`;Tt^Jt|b5FnV5l`R1nbY!Mm=MbEVokNZ z!wMkDMdbFpZD3kk=&+f|PUy%CzePitr*dW*zeQfA;ssV$wf5KbCpY4IokiVNhQP25 z*KIL`kv4IFhPb+YvSDg>S>@IEt8XAu!75NQokUMLhl2DA4b2px82hThHwD-OTM$uS z^NCuUpVLtfX5i=)Y1XmIL#eLyN2%-1x(1!hzB?2J7occzj$Q9rPt2io;I=}G)16Ge z)!gQcIxRi8Z!{V37#L`-r!gUUt`Sl;TP?x7Ov*?mD&vAo7Y2pKOKJ_ii)(7-=g9}R z?q-SyLV-q9lcMapFAt%x&^&G?5#Y}f({q(b)$~#=gu=2Y<}w!eddHTTTw}-2+JSio z@^`{SAPa+p`+M9wo(Mm)RR4dK6$!|1nx%RlNMyU{oWI+%7HWYMYkuJ|Nn_3ZYN5~> zZdIrT+aI-|%)g)k_2s46I>T@)w(9YF&8Wn61wapBH4~oH{{jNrPWN`gLQH7@rmS6Z zxEs)};zkixyjJrjf@su0h_9ZIV|Mj{`H*C<AdT8b`@zzO6Fb; z7voLcaHBS-w3B}5;78cX!TlzJ9w}fqu1ifbHo9u#2&_&*w#OQK_Ie>@7m)W~GtU;y zSjm%~+w{~z_h*oe6p#&2jIt`Op7ETD^JkFB;=-?KAc^>vyM4?Pp?`xq>TuTa-}Bki z`CEge%=HkXb%W{fVuqLY+`{7^TAwhx4BfSxzz8n893?(99L^8Ka$icvbW$0+)#3}F zft+d~{}{`+wrem@gPUS=7@(*^TzwSX#|)f#V`O?i%o18ADIZb|TjIyG<$WBC0*#WO z1^IGGRRg|oN0ne!j$7U^#z2}>8u9-}k>C1_{|zF)i=*-vfr2#AMKN32^c3>pI-Si9 zQ}e^TC8+nRD^R2z?X15BxuXjSzn-Ui*bouADqB&D{o%yJuIz9cm z?dqxXlJ28a>Ae|X%C)ow3)TCl|;Lga2*w3-_+maj~ zvGujMUZr*@-mv9a@9nwR@pm)HDLLty!*5Y8pU|IjPo&50FL3J`glrg^(vXy;h5=c= z|E@258AbJ*`oe_F!v0y=t*?*>U{+Fb-4*m|b4;jY^>Z+EPi<*vitbp5CgBnvlFF`F zMnYx&+1LR;;j+*j_ZF8&0g~jlbDtU_dcGI(R#z)JEcATm*?ZEKaFLTtxa&~S$iScg zl}E}9a+=4PDniyf(^1fPru7>~##E$aS$y71Df-tP?p1()`*(hyFSYOpyRqt*?YEjV zce}f!L0|9wj#mw-yTW|;{oSvg6`P-gyU_j8nYT^rb4PN1jy+E$ov=oe@NL;mO@`3- zYxMuQwz12$eHa*C?}gK+w#EV|szEjVIEtqJH#&0Iy#=qQxk@iO#FuM7>i)Q$B;AN|JKBzS~;@tMdC*f!g{~j|~$F z=v2RYM~@vSLYyX=>fcb&zXdAqTs}45-6H3fy0q=$0)L+C98+sIEw%o?G?LVl{NG2C zykdcogLBS_f0BOKD(aq6(_-hE=9HFQGKU4J2t}aFAT~7DrpL@lg0<8j7JG&)!^WSmHUKHL%B?qfxAK9KYl?YJ5Abj zz#zxXU-mYCt=Ca;cGi``T%;j=6$c3up{1DMi=q4P-%0(@^d=# z$ODF7Nlr1#1Tnm2=OiyZo$$4AW7wX0B?HT~)p9Lkk*Wd|>QgFg1!z3>EW%P6 zY}MvchY196;TCTiK-7ZHofc|e+1#YSDcKMx32@4r6~xPc@>(v??-y`x>E=9@%(Z3) zm|?Sm0jQzh@{_-&G;~u>p%}6hn29z8Vm;f5L=m0G0Z*9|F=S0EqoyNOXe5SvPN~P1?ON zYh)^Bjme>kWU_wn3#z>f{v3LXYpmJVV&Bz*VSPR?kZ10D^Ti*2@2}|tGu94=MZL)r zY!6fe?_{d@F^;L&Dw0YECEA-8xYinwK(_!G(s!tKAO&&vkDn0cRbbmMVf&G%_8a8& zienD|A_x}#qzK>(N%5UT|6UjD6y?NY{{k_e$BKl-ZTpt~;#*phRI&l>-wI0qtkK&} zJ!{C9H%5+=DAVMh)Z-C9L+UiIQhTwmcwN|LG-07Vt4zDiW5V+O_GbC*#Gj%e*E*Cb zt3?SrIXP(CA(*qR&u5ucD4+wEqKg~F5j{-zVt+C)bqLre-iy(t*`XC35@Trz{=uUx zN6qb$9vw^PK6KCVsUT`WsWY}q>-wVQJTD51g#0qThd1yz;uoQe6og70MWyK$YjQ7h zFxYz=ER&0F{L80Yg~Pn|`j&~A0LRnUnkm!|&lXC+pM#$;zMN1V^1)t;$G6b>RHlbY zyo^-0)_t&mx;iy9xRk4qRv=P_$yLBjWNDLc7L1tT3WLyidrEE`qU#qZOKwt|Wb881 z8b?qicHZv!CA<)Jhb=jXRcROXk?*H!{YRypaPG4j-?}BUyH6`y##79}7F{v6nsBYSqo4Pp6Z=rfTn~d4t*Z@k#MW z6Ct1x)7?aP%q`W5dptG#Q8B#$AKMckweVz6yISYrR+K*Fp+LUD?b$1yj9nix-7VE- zc|%7u*(Ba}7s?LZsCG_B1uy@MK%k>w--wOPsl|J|TFN?R&X}35e$_gytsz#<* z4(wk@E5At$LR6jcdU$f%CH@AQr;lm+<^`YVVRfn8%uDIqQjD0$wzhs2I{^jDbA%Bz zS%kAYSWkmPi8oSYQn%?Bv;BL=*Oy)knCb>wrE%4@#9+FFJRV!=*5A==^K6Ok40pfT zFCr~+i{sCik=ja+D*T4RvbkPtqGK8%VJ+^hQcgkghdo%07nZ4 zEnDm4_+XfZTq5IORl2kJ8I5fkjjz5dDO{_{R2r~2ANVvjRyXHe&Rqyw#Q6}j*GcsU zgXyAw1o%|hoU8mE8T(W$a!aDE(S67@+g_7{`~8V-j;rP?kF2V@(dbdZu)#+pw1+*$ zphY|_IjDVQVaV>(3)a}*P=4Pi{^OI2_x`et1|V8x7OH05>F`+4WC|%z6=3Sed>YIS zI|muM_vK*_t@}`>2|PE`6-a8ODrOnvr(%>! zKCMuZYdECn*0muGTPKRdR!~p~B2hmnus!V5SHd35z-0e{m;7xLVt?6$dZs~(Z~qF8 zxKevXEZFeuc0`a>);uUO5TP2Hisc_P(rI(Z&^{4VR1v0U=DLn~rV$#!GWXac4}tmV zFT2UeynD9hQKOy8x71B5R?1KmLb&TB3i!ZQR-nSV>hqQ+_n;4f*E0vgUH`xgfm+KQ z)Q$t_M^&h!H}e)Ja`tKOa*t=F`RArq-%`<#dN#EzWi2+Uwbh|$Gcgj-O^>_mm?mWE zi00?bqsz`yvG%V%ddlheSp&ru30r5xX4$KlcW*4KTx+=b#8!Li0*%qMO{+o6M!D`> z-uZ3SdTmMWS@wSzXSv?FTskYXAgL8!6jW1{JzH~U=$t%1(_~8xKSSWd<=9YVo_BHA zQZL(Njm8>E&0i0G5U4P;aNFqKC(P$ZkSy|`Qf}N+bNEgVXT!|ev_$A9qZBqJS zi1Pk*l1dlBB1^eSP z?iSe-U3KF~;u0?~2LclQS5w8EcIPINREMWB*7ON zxa)v((}!Te#9XA-R2_>U6F8ZVX+2&?T9ulbhpFIuy2e`s^Kd998-CDfMWqDB-?X|^USe}O4;|*NSK?ZAH|EA`A-@4M5(`d!`!rnf zUd#t0h){iBus7ck+I~@L9z>@MI2PTx*_nUtSge3!mDqEHQB@XY&z9{*{UNP>b1+$y*sCjdL5zf#R;*`)`T>wp}!7`zarOgtEf4SGT_jfD5yRZ4*mhLQrEI9(H+Mtk zJXgyqT~pboqs+tR4~B2KMi1&|Ncfx+E7ByU`v7l&vNQ@S9q*k#22Xv?p#*K}2&U5; zGh&1C1k~dqFrUGe0oD2FOO&V=@iTxvXG5#0zMopXs2nck^-t}VjpxJjDK7s2xBP{0 z*xDK2@S6<>NFoyPRNbTj`479%w7VaI<{7@HymxqRrjf87qzlU~lE!54C|+KY-HW=- zKD;1t6WnluRxHhvwZuJ=z17TWzscVcvHtVvJg-g)hEWs1eJ4X+ma2E*z;-uX)CddA zuk$>tAjytV?UJR+nf(0;fv`J_=gtg3e?_3V_;QjB@oaZ&61_Fse7g8DmaIc7l9p%LHk;1FFka*vV`mC%0nhp_5P9rAE}PsxqX> zog%5tLEip1*76rr>x*UgQyiv&qcPc^Z}{g&Qv)1LYUIa6Kt{c)cbbOfNTTSA&Tja_ z5U)R=S|-=`5^`B>gC&%?Awi>UpUW=Vl#$|tffzdX(OB{l%cUz<92q5OJ;Lcf zkEM-3g+D3Fq!`qG)A3y{^Uvji(Io=^&}QP=fclx6B@_7>9pSWZmI+IGXqVh4c2k;~TTJrFn(;NHF+DzF$ z#B$-^yx+cM-V1&H{MLsHLdm5yTB|fH>PByUuUT@L2plPYnrD9WTomRK+M%nFYRGkM zXgBKWh>p6#*9pLPwwCW#*{mBOtX0Ul%~Dd&g(%oyv7v>>oghM%eF45a-L>G8GW2mz zl%fw-ES!bzd1|bM3M>=m^xa$M=FU~9M?_y<>b(HA0X@+-qv2B24;=xsdBqR2RQ050 z#4l?`6-Z$tW35ym))y)K9Xc8^O3Lg~dfJKPp>SEqRjlR{c0vnaT~(3DktR$h>s^Ab zAuy&f{=fBpf+czyYtq%6VPXhpeO)-9k9+lTc|AZc+FDYKZmkOg|Lp^O!^2!Q6SPcamY=}Zv#B-!;RkoSuvN_&P zNXZ;Od@tLrb={=6tv5{KO!=iVIvVT}%4RR^eqMTZP5hlYPh=zZ-0iAv)$cvgbeId? zzw#Qs3B@8DpOxGL?&bpg(E}6^UDMEXYUI2qy7fmYD=N`K>UIK@tYv>6<@LGp1jHy4 z*vdjsV8IlrY;Xm@x1$L=CX1f@W~+$|J7NFWV!nJhwHU6EN`5omq}q9ws|$R~*QBsP z(vKIkgMC$b%p$*NFFZ>JzwpTqtU0Lo)bo%G}CkQA!CICMyk(O7xQ~>B*{$H5I~{5G_m>=y;^b#)`Y_ZS;&g&~VmB5xn$_ z+w;PRzCuczRi7iA|Os^d9o5T-asZzGG0-k}KE>@V~j1&(A;0zwfb; z&v^9ZA19E12VykS8**S|ggOw2Rg#{-67{c1daEulGKDbwL38suI#}GMHPSg7zjk#& zIZuHw!NU751@A`_YJu`5g2${)kG2N&I32IXtlJ@fnk()peKq0b#e(IIpYsM^p!Eoi zjK5bUpg)%@e24_QM~pNLX-P_wyIzL%zQ}dB%8_Q-HEM5(4LYxt=!(6REb$Tzp>DiV zbLMfHMO5`fgt?~r&6*FQTTA9rPl1H~Irug|_t$lSGR%SsL?l6r5y#=2ugUQU@>HGY z(NsqhK>)USoalOw-Dz;fN!wf(0u0+*r>o)uTM25-Pq-ef!t&|gC zEgsX&PL#Cnl8u3l{-0`ub);Ws6Xu!utU(uJ*PwyWT|1OKo_{>Kh*(F`h*j~S`*!4V>8-dmuzLUxt z@3jQq%MPtMd>+u{bYGhLT*hnv#PkK28>&kFu7tm7zT8CLIJgRH7i{{RP1Z%(ETiw?Tp5c=;bj2Rf*}HMsUUp=&^oGjjU| zGpnY}o9F=nG2_=7JdYr^kl|hPcY>R;rPk8@VWT&-5X&m|ICH4Gu5s2)fsUH%ne_F- z1hDZhqkEbTJ<)?wxOAy?aIHCJI|l%_v|M?xKR=eF)WLxGS}Sqh_?e zxm_S)G6He1jJmhp35Hlm0kOu`CGHAfDwBDK@BWue#rr*ADv5$aLEa4_xb#01wJw@J zz9#-fnc7=@H!!-|`cGJDj4LKhh0*z@h>%F?WtZ2Q(;}G9g5O+}1K(zm9|CnAulVWZ3!Rv0&LPknD&~4nCUC-aPT~>!Vg39gEUS z=Zym@Rk{kaf7Dv0i=1Tpvc8-C=wo~=p~msg<3HE_%;zTXSH^72Yv2bo z7{2p%&<1(Q*8ws>LBk54BDQCh_;8R$xpGE z{C;8TzkZTUi0KsPRkAZ7!NZNtN~oLfhLW3b0s7mte!_!B%I)Uu#ybdL~4kpP2kfN|YZoq}JnV9u~4 zLyueFEh7*3_cscvDXp=xdG1iNw5P?D=kwkTR)40wtwj%Y%p%{+G^>tj=gn}<4z>pm zwCH|Jb&qLdVZK4(pn@Cl%v#Jvd_ zl7ODu3Sx@Hl?IBwlbsaOVkbWm1}oS*@;zPztd;55xvOyTvhTmO0K%%@DZUqlw8VT? zIM&c0Kk7#AUIqJFPF~AtD1C7M%5mD0EgP^$9;Fg8YM;z{h3g*;zX*4XF51Tu)4?FSWD{lBs5`Z$69}P}o46`Qj1852 z(TnuEZkz|g(U=Zlk>MxZ=RL^wFQ~pVw48q*@=x#Pze{sOKIyyE z*CnPQTF7%z(=JBrkZ!8%UQ?C^w@+78EU0S@>3Fj`qc9Bf*ueA8%p}dBzSVmJ)3kE` za{p9$KBHb%xM3yd?&A$Rp)-Tm=?tSQE^{$!Bx7Q#V?sqI=PMoQDOMi?Q-26DzAT<69L8F zcYD-lR}m6gSxkEb!*$q2zeJXILLa`dD*qJu&Zqp7C(mS>e|gY9BuoD51V32jS0xY3 zCE<3$@zdH(Ml?A_P(Mv!t0jqF3{@HE^@q#Tzk7wv^7> z?r!|EwElbnYAYKoR+Rsm3Z-$qqnxbbb|+U+fmdS9!JRw0ferA{N-QLg^HI48{rg&az^eXjN33pli8$~V3}Qq6m0ns) zl>{9YFB>v3@GzNNe?RosLV9koZ!K#4>a6d41GMwOz7O9l+|&td#DtVss~OcgT3(!e z_8KYc7%ZfAn*zY$!FI8&E14>ClaHr_!|3gguj>1@E|Z^JCm8VBsYHlaT&Eo5)l>AN z!AlaSr??(^UcFG8+2QIfAyKfV5JZR@7g?`LIFsGq^jY8hOp<&VMp%q8(wXCK%_>JL z8?+u1%d@qNs&p(LysI;kSF~Pqs^T8EY=+8f+*OAI-v!pr>!;JI1$0z6R| z-Ec(Y+HH0Z8)Q7bJSA55BR58~{c{2Wh}#;#O8H`pj=C>S3;rA_dY0RLS)&Z28OWwH z9nG0y095|64fLJ}g?u`HYlwp?azN(zX<~T6lb;a=FCaIC#lYW(snd{7F+t`U)>&lG#pENL7Cxn{v}O(J}Br)!Vg^}Xqr!<45S&b z5jf38-opydr_47ukDJ4|1rywd?u_ohS;IHH+zsu%Z*vbZcrDPnvrucxY=yo#zGCoU z*#~!N{8D{Jg}d;EhCuig6buhF^sJ33S4?)nbXx59N_ApW*ZgQh!?xJox2`*s7`T)Q zanFf4&iHnJ@-SPYt^DxqnL_MEbHu(Do8Q*AQb(i>=Gi`0H1vT$A9V57bV&mq^=69O zOa0!o?+$|TOB>3syz|F1O%Zkix7(5-=a^cY2}_^!eliRG{)~0zn=y8D^$ku|aZbor zHSgsZgpDc6edy5-Jp*!4bEkJ$;*{f0y2qhKw#sxIecr2MtG4w?L-gDcbLO5mrnh_k z_NJG&`GHoP;G3|Z8lX&90c6qim;Hp!Df93!oof$zVEW>`3)0p7!sQs@63;i0OH{Bg zkAZg2$Iaa7{Ckw>d2`Y`+v`BYu(ynf0+J-&BQWV{U zW~~cei&%FHk&T{u;HKii=*uC`eI+Q5_nk(=d9ZI6U-sRn=O969UounWzfvEUTc3|O zVI0;b+n7U^E>g;EI~`q@X%q-I)068@3QX|9OqK@&?dYyiknkr`GvYP4@fjslB?E4? z;{_zUrs%F>Hm@A2Jp*$Dvo>foWB0p;R#vvVB0z5YRZ7%`{ZM7L|1|t!ifL16_IjK- zb1HQEL+q8o1nyz74od@>uMqy^DFy@nS5<>JKV%cOx;dZl_kP zM{48$qUtTfqHNn}VIKieQ7P$^mKsWWKqZwDX$A%<=?)ocR6rU8DM{&W7#bu8=^AS2 z8oGOkefvD`{`T?xqLVr(AMks`Nh}f1LeB`-u z9(b)gq$P?GDJEjoU^4z|eo`SGEK z%1ML!t)iX?#&n7ZnH!ZUe{TSOmA(EWrc+0jN8!on;U-IEYg;g>b)Tia zXYq;mRD~O+JACkHRE%i%s)?hX4ts5mNi*F`{}1(lClIeIUq$ktxo=yRCG_}{s&>n? zp798QIc%5cUS<6F{hTB)gp!x!ig{!|7`Q9h7(0NgDadB*Sq$k|s=)TMm~>EjG9$!_ z=HfH0pPDP6FOJEtE~)>?u~p~2ts=b*b)IIj{xLq9>U832a@vCQ@1|=nw3}A> zXe{iNF4f`wx~Cz_H4f(hW8_VyDs^yT||$<;1z1``$^`!y*$oGva}wZ*agx;&= zlG0?D5B89;Z+uScem-m*A@-3l@(G=a>~DK;QVw1%|LC)|Y@8PDv%*DwJOwAtKdXTSfS^vw@^g zFE@$z>U>$vxGk9Nkzl{*vM$ZQNG~r#a}~%=vtd56IwH)x-69nwZQyZ`osJYx3Vh~Q zO4U0jpX9JI6R|62`kwAYIgdEA5cqn7q$2)c&LyQysT(Flp1q6QncM^U*f{^krzt0h z*SW7E<(Dl7Lu$&U8f}bY@XlZFXA;%Qd45+GgMAfMbWG056hDabMTn0~zE_rz-C5v_ z>I&TMR@0Z)UtNDj6kn#2T6JYg+A3{zq2pz{_(SrFQ1*t@Z!Bh1<i6p*P8MQBMlaU8_J^3&CNXO{j}&Md9TI%Te=fVetY|nHz_#&xnxQ#D(jtr! z98&A_l~FdOEmW%F%U8OH-NeFgb_iRhnQUAzwC6;+c-{m1Qy*E{$u|7#XKC{#XHmtp z{$j&kGoejUvvuuuGy&xN`eb6hZFZ=@EZ2XkM!r-4kGTM{ zEBa}@0C8!ig$yXh!|H6k{VZ|K*!o?KNo(IN-Ji?`=e*C&g zHqCf48#V81PdB;R4|`9j{Z4BkKB(U|ZBFdTv}-A!Qh%q(O1!29*U<5IoqD^D38tT3 z@*y^@!A23qzE8^~qz2W94eH;c4~!*t-yW@+y8Z8KkpPIx4RVso@I*VDVFXzj1!%_M)4(dIrxw!nSDt0X)83qW zUwz!7bypKDQNyaFu}|nns2GVemFViNenEf8g#A*Y3BDrAl;MW2e~(k~R>ZB>&dE$U z9+SV$q`MsZVQ-U98ZNh^^1?X3PKlej@hZm8{~Q$imita3J!MzoZj(I>j8hOHo22$zoe}Q@_}FV?jnOkmliwRvflvr?sFk zDD!GSTc++LJn=o7{j_*ZC{-3Z`Jm0VvfnzbIkBL?cfyq6d!|0Jz#XO-haw`L77mfQd4(>KD%LTOd8PT-rY24Zpa6c<;g z4ek-w#w*=J{o0&6L0WuNTSx}DEte^r_(rt-k+D34E;nu~#I?j)C9=v%U=HBt63PN^ zJR5XVvTNpH$V>6^;w~^(ns{D;`kbkpRu@{`y5mG=c&9dHF|54cJ~3$TMzBk@I`duW zvT`xzOCzRHO&ZI6b$A3a*2c29(r;LX0Vfd>9F)7lYQ)3c)5(Ht9AcO}w(DA|P0w(YqLF6@C+Xk=NX#F$oALl&bCL_S6O_)>d$<+wKr$p` zRSC2f%g*+Jl;QBNDha4+IzCz9+nOV}+%?@!_BiA3ew*TW;XaP0On(FpcJ0o!n#y?e zjP3r1FVS%}U$a1Top+&jSqfrIO^2R`W6#3;f*I8$Hs15zj;Og6i6?pVpj5@jY%&$M zG{As<#`~H|P1T~D=KEGk5Jekc;|PjUvwQ8r{rg>?(|Z1%`{%V`UGng4^!{PX4V@=% zrP+D!u7nv%k`Zk;-+p%`s#tiI(Y9=tT9595qPNedYa4EC=B!z&&t^H#CNe$@IL<#; z(&smAiYey2_O8p;GYA6F_RY_lJ22_pJ%uGy&1GslrL}E`i<^bKrIW4kM!u{D&Qq(# zlSiNqwVYozjWE zxE__KJx1_$m2~*+5e{gcg$Ut3)9i3HrVIgPPg3ARee8Z+L*$8;<)lGHm?VePvRk9G z$2KM9iG9^UFvr_~rUVApeyzop+iPJ1YmcVGK{#GlFn9U6$>Q;->cgWx@TXAslkQ}A ztK8zQ*B+rm;cuuZ(ZMla5U4> zzhleafoAaPdP>o|aW&_eu@ofgmw|OkT54}8tyHB?@tHQ{8?bY&WX7P+Z&h&cYPP$% z(4XtZ-AOJ*pI{zlQA>yBB%M$btGh;VAMRGtGLsvcP@%~aPj?vL01|#^)nQ{#YYg^} zi7;J=jSn#2K2nOls0Ue3+`SUZ*DG3t-<(A54-Ey{VI^PqMyP5f+0{FV9vy4Mggd3~ z=-z{RZ!jQQ(uh;xH*#d19@%8^gn@L<@7CvhzL2k)g>2)>9Vwi*AlFEVId6P$8JLO)Jb`vS>#0qqz zyLD&H9=7pqq>)l%AwuuAq_`k*OMf*&$8j;tH;XhHa-CW87lw*o1L-{9d90@gwv*u` zLfMYq*BOM+QozcckIRvP?5W4$0vWb{j79^S zZR^W=2PD3M-O<@hbvvb4hNruYTlV=D{J71zX&x-SHL(k#?d~`0rfU8=M%SMja}sPT z-t6exN0og^*}AlEP$|s0YF%14jjXh(%5MM6#TyPs+~F!YAu0(tz3zoNVXZ@D6EM2N z1yWI_ziO`y*u|YapH!i@u76=KS;Vq`(fBh;3r& ziu7(Q~V~rot=tuSTRm=cIcs z?L|Hs=ei>GZY42mT`cl|LX2>wHJ_)ikY~`Px$!)@CEy5TThD&6Q)9FYetyH2;u>8W zp55%lU8z~S+0&9O=cY7z2BXmBun$EM9RP$cb@sN=@k_YNYOKyf9Nre8txsvq5|b}x zj?xE(o7$a_^s%v}Wrx=CCKnvZUITgua|UFv(txp4UD?LEwQcfmQj^CoqN9a)U6rE~Ay7?^0dtn0IeOQ$ejFdo$!eX{Oy*t{yetd~;kGMoyd0`!D9R(?1cs z*-$I4A9SfMMr_dZIy9_ym8~-o)QtRre8)FEf&CrICZ?K}p9Rtrr>P&BQ@&mKeA zW<2^w2TUV#r(FpY>ZhmAADZJH-iETOz+AHw!hQu3WfDj~NQb&{vX=_jiZtD~8;LdS z$&TODb^7?jc|(IYis6zGJrqK*_yCEN>U1f&?JN1rgrBKnSOwE*|1ql`{*Vo7n2eUP0|FcDC}tjs$&Y{T zY`+Oia3|U#I*F?CRy4935s!T%Qrynl{NTR(ijnzdQk=kd_;ydu_PZ{USCvzp*C*tk z^r$GFbj*C-floRuhJsqGtC{B5(|qZlh#&fk!r9LxxUpG0c;DagUZQ{Rw@KenZLwD+ ztrqfv86g(bG+z=AlvFaemrD zn1}Z7;2NU@*4~1GKPI`w@tN(vD28r6Zv6Oe{nJdaafuk0v{}F};WKXnxg@_5Dk6^y zb&%L`8FTw%k=f{<%W@YJM(`i2@sJXWTF>8Pr!N%(SBp5en=wXhID}97AF|bG<@;V8 zfKFa+;Ef?`Lb}jK7_T=zbMW( zN4Hoc!&Gb6qk9GL)-1;IqK4VITxVeu;PMg@;=L`0<_D0oDXGSrOB!{I8vM#sQp5Ms ziWC;5C1hXcoc45 z8Zh??E3-g(@q5vO4${sG;|L0d&DdMtGDfIT$?z4p@U zXG}@Nb3fP`rj}Ioq0Zw*VLn1&DZ81sE~i(A|XQ5i}Z!Wb7g{ z9+l+Q;@Yq7&(xpA@obJL&-uhH&(C;E6~J0l?X=$-ecI7V*BLagny zMM~VWT;8Tg4sEIxU2Wb*P08D@q2VjFnzhFJ)vKsygRo!Sx}nKOC5WR{^LQgF(ivJEW`AKQo7J}^#MW}mn>sx0WH z>s>ClT>eeVuqW6Zjxh}IFNYkUFak=I<&{gUo;Mrv>Q%D8mgMjev{N&0j~?1fV1}Htw7dVM#b&G9XWO5Oa?Z8|BP~{ANetNO zJob$j5$L@zRG3|&RSti}t;o~?<~Pm_^&2@WFGQ~C&Sj|d9c4g4GR`B8V&khgH~ZlX z9(7HXyWMYp@}yy>LStGe=ZKz5pQ@nz7x9FV9AcR|aH7PMN48NCOPIyn-ES~R@79rS zj7f2~M5QrDhzswNxIV$++?yy^jXnb+Et22Ql98}PAIvy`0w^<2kmB<4sy`6ZY??Q?9&CWl{%jM z)x)O7r~Ueopl+X0Pz-zOpSC{ok5zmP0eXq1BbE9Iqpw8>j)Zc9F_pianU5g4Wn#0l zCO4kA%mD&Ray;B0jh_>6=}%7Ef85r4GZCu;Wq>ldeuS+YE$bY5?CE8qii;0OhoK&kfvOiD!%pMEz;b<5_ajp=N` zcuDl6OuDWb+?FijEoWVit$9t~E^ot*UWL|X2H?CY#B2+4=%rj|md0LVzJb$FXG ztjvM2wq(7NE!E?*eB(ULnuFRq9J(eOsd{K0F9(P~#mliuwYAu?PSFSO29uZErO3f$ zHOZe-vu2gWZylOZ+ed*6Z{;icHunj5S1VNJ=`sc?nzT9j-Gjl&&v{x#3d$qO!`_6k z5V^%~md_+;Dh*0W6bWG@Rdgqn=A)y8O=uvfJlD41Tv>@RAgMUYV_V+O(=hY4+;_1v zj&s&|%Z`;fE_N~^)pu=A4^CCsWNA4Z7uGeMi3wqa5Q7G`kZIoU#rLiVGF7I_`{R0V zZ_aFjn~5hs4ngcYr7g@0m`hj=Ay1dzBG6od(Kg##nUP?6)OuPmf~1#R*Rovrtgi9M zl&jQCRO+BZqqzPfp|;@sDM_`K512q3Vw$qv3q7u~L3B&?I=ym%uP-Xd!B2^VxikzR zXgs<~tptI-$-zm)6S3{?5gbA(P0#Ca5hXRr3)jNymuQV*H2=-E(dsaANr@Lyp+(3M zVq#XhZQytn%w8xO8oG-^*(0bOQT@S$OU&Ho4XJpS-Ef1NKJ6%M5Eys#OI_yZy>>{E z#dcp!`LU5rVH{1Dd+>N$*5T+Tmj15fPig&+R+Me)VSAHmkST=g>gO*9x&uy$Tey%f zBIEqv^XU@kmz4bG}rZFazxhGFGJ~ZC%!JS8D>wa6E&c+f$FPfq#dJ0{P8nV9~CgTf@>kq=@ zIr>h&(78`noB8)nlI_}zc>QyVV_2H&6FV=7%o|hX**LEMr{&mg|2qxDP{(l=!n@tO zPAbZNgE}XmVM$*QkoE~wf@ARb?Bq2Ly)1*NXdMb&As$5S`1cJ0-r#YIMMc({69ny=QEBP+{&02Od}98g$) z#P(14L~T!h+fq3tEvX!_$@erQn4%yTXu+p-wRHE1eq5#+{4c`4ZGdjwqyp2HVX4LI zY5?KgZcBZlYsZhw!E5dYKN+y3)-w~L^RWb2{GFx^F!*=O{WN;x5BStY;(VN}v7GR6=WJtw$a06Gf>C`)eoon+b40d_xI(z?M@_%;q z%*zi33vgH5=q|iXyD#u~kg>57fn(sp!&Vxm$AR}#i5r=K^kMi~HRBEO!AyU8Qm2b9 zV`~3hZ#KMh701Nxb{~@4ja%-=A|dC5IBz2q2eZA9>23n4IauO;uw>uyzK528rInxQ89ne3NC0 zHaN^5nN4y0{1y7X-QS2v2-lz~5Z3PggljkHqFxFj9jJ*xOU$-fpkj+CI zV`fJR624WL-EN1k6djuGs))=dhMxfJ!5XEVMXyNueeZqic;c2V5gPrF&Ppr&c*7!@ z&hB;5V*1-UTKA4&y|mt7k7ISSVl0D4UZd4UlmbJj-4yiwhys@!S6)C+u2gBmP1jU8 zUv=F<4n)4?^rEk-_IN;|y|R49W0Z$yv->6e7{XAsWBC;`i}V^f$!pHO{tzyaD3T{7 z`%65irkigxrVI(o)>)~PI?Eu`@Jxk@3^m$x&&PBgmiMRq62Y=}^?~p;FIKXn%6aM| zddHMb_H#K8s@bw=LW&?g#>vl#C%XApI+*Ys`bP$uA4}`Yhy}iMi7ZVBIIpolu6f+& zWw;F;*G>r0K}a(G7)Bqd@4!Uwg7?N!8Dti^T}f?I%%8;@WN}B5a0?)!^&#Ny&a(lih0l=D}sa!Cy;SkU(c{r0eRTM&hI8K`z}edR}N zJp;!ZiJg{?oY=EsnU<>E2s6CW07<7-?npkon%?(>ogMOzc=R=lszmy-N^XIIcu>15 z6m$mpY)sYk*~lsu)muniL70`2caq3rSLh0W*70A^aw>WUw+TK<1!*u`{S#?=_aA|+ z$+-4N$(*XWdr2|%phnr_Kki~VTaK48XWq}-NMt2s&-Sib!}*Ua2xZZUKGb4sCmMq` z=|9xKU@R$7$JAqysYbK3z?i~%Wc7d@7?BHLwcNepYu-V@bS8}c<;*(v7NEN)321#x zf%;K9gWF_{m`L1wrsUa7nXUpjYsT{}G)#kO4j|fd1xkOf@2MlHo0z1x;1aH~+^su~ z`D;>=dk3OB5*zw8%ZI0^IU{mdvo!CVQQYzh?7yDnmx1t?78n4hJPnd)C@gIVxCih= zg5IgNLArYwmxF`wTNIO-0naw7p7o!*^e_+QEImbT*5y_glSTf6v;~={KvFp(Dnb(a zEC~}uSe8aa?77a8c`N#BA)ZC3z`21H6%5bgL)NfXBG6T(^yWV|>v+h?uIgvbY!ohl z>*L=jYDKD>$Vi9MQ#X~PdyhY=Is!v+6-OvVI{Q2SgZDj#OD&~`gS}XQ?W=&|CtQ_B zR%|hEo)Sk&etDqXC;ufv_=)gSJHCys_HS~~EXfgl;z)73?@UWpa+1O(#0RonNxeO5 zRWBtSToO}EdQb|49=4YgZ>1(BSX6bri$zw*M2P1fPhpH=n#UgPpa zdAE%4QtQ{(*(l;MW~~3~v8{&d0ZwbOt@KwHe#@RwB>G~sGGCyy$uRfZki;uA-Fxb+ z4t;+zOaCe9n*-;<9Hx`9w;HUA#u7UhNUtWdq&2b~-OluAKKYY6piRx`JXX$WBDV1k zar_}Q9mBu5#cpimdwFAopX{A1~5r(x$&3R;rm zOV&n0<2Gr<_{5Q@hoLypI zsvU#oj%I-TJ0UYI=Z_)ufq(ou@JK+G5Mhda>K2QZY~Qu#qfJ`HvXa{A`7A}=Pw4whIm4-Kz*o*s{w6e+YZ+N9 zoh3|d_Xru7mdY!vSYc~>gYqhqFS3? zUgmNG@%gj*fAp=;l2%b#lXK^O3;V=-Yy6`bDqa{R?cFX4E;}auVCbNier$YkwAP@_ zv#Uy`vr8JgxE+@h;Kx&qd~^G)YA_0$93PP@X$T0Rb;XC?UKoAXqnTTohZfZcYaFyC zjMz0fq zj-_Kg4Rk(~j$`+$2v;{wBao~0)wal0yFWT!@cd<;RDji>ugzI$oBo%=`&It8Ec*an z`;t7a=8j0vZzkyXgM~+}3||#+Yb?L4QO*%3Gap1QF!kGgNw}jEdlOFFsG1RyYNmc<PwqbLgw_EXy*-bOVG!#TepQMl2n;g%5*&9sR?kK z(Bm@j@V%|#RFb}J3ta@>uOmzYY_jv4K!!F#L~)~_x5xQXD5#y2tCaGdfs!>Hk6Jby|%#@uWv-#KbjZwOd~?k$VxS7dbY%%-n4S|)4{9S zy;ScdC*!R-2x21-irtPYiPiuuEHa=hC$H<(lw;aC&)dXT)I43V z%4xTDWQ#ogDn>aav^z?fYB#R;8YHpH+cXw!yi+}XUqh|``aSmjmK386tgF6bq^V70 z-kWq_3$8u+;o8ldGjwnl4iyDN)^>qjZZdnynM0B~ddwGq`~g#Qs@ERP?qBtO=<95| z;isAC@S0-TC?5n*k|}4)#u~&g>e4RhCuif~NLk1xdy2CspNZRgooyta$Ix%(+-|2~ zC=(t8FMre2ajhy`wi@}cLs3!rav>B*v?;+CdXIq{_b_t-{GK zDCXVHnp%UH79$1wh*Evl4uoTk%8wT0lZ5G7pj9r5dppUxyat7~b#C*zSDVsCk2F+U zE5nFN5L=~ym}+x6_3?2e`0xX_65RLtq=s+sN@c=m!q7{LR!QF|(p1j6G|p843MZS2 zu%Xg;QEw3MQu6mqwIO^w*0l9Pwxx9?53)1>zw+L4M8qu;4f{o%f8uS`vEn#QWq}s-+u5FKU2MJ2 z(|S`yvD<`2lpUr`Jn}(IaVC3sw|u}2|4^9q4R~*kqX@B?R#`H3q~EPw^5oOJi&0ho zh2=jDEf~-8kpr%+mtSOgTp*=8`Q2ir8x;lWD#a+*Ewog4=VEc^TJ($tvp|xw@GxYxzfg-hpTwM$&=yuLATKr(kLyETm#+_ z;`q&!@-@a?_oOQQ=&=7YQIC-5=6j#Rf_UFec2vCDu_aDImX`gWFg~DMD0@1F-=jDh zS>;mznsw!#e5C*=!c)V#W)>!+azfDR>_^z3D-CuZ?F+vkk<0w&iH6GJ%U=>`CT}R9 z#8B^xw5UnPA)`-(L|dE>WSf>%#d76P)P*HaFHh%$nB^J|#w8ZdHIllSDbA!>mBFYz z{q;x(DrBjXpf%T+|KAV*Vm9ZK=;FC4dOL`|W49V{C}T6F*^MHM>`+>}uq3u)iEB9ni~L$5>Q;X|08@eviGu?)hCqBuNO+Hk0(k4$4_k zr}QicOy&EO;t(RK%k||U^2Hz@WizBRQ|kT4vDjL&A>pMwSttBDR|zyG1G ziAwN3{L^N0d#Rw!HKKA!#9wHuI@$AiQJ>jIi)m?C!FG~;q9@7x!jtr1GuUbT4<{+p zQfy(Q74OkN2$Ce>Y#r@b}LU9mtsl(nQqHk zckgR=f;cgGEwW4hb(&Z-_9{l77&~J%UO}SIoq* zl~!YZq;_2@X}Unzu22XM+u_t;CO}sS$O?cxb^0^IadX2W0IvZ=wA*|%Zry;+fdY8? z$kFFc-H`U@YMV!?0by}sm~C=Z@P_|TCUPW`0IjHn&FIi>B}j6pQ>i-avMJTPYR6@X zIT4-|+HAa9a`|#iIUE{Yw?=!!@N9%4pxo(5Z5Y7E!bDf*l9mu#Bq}VQJjELL15Oz( zf7lCNr8C}?FXUThzsm-|-gUsYQ8uqVTwy8aKwCyjL3E-ArB$G)Fs9%hGUaC9*|BWV#u7AGP4>!X5 zJEhM8>fU^ST>LsQ>KV7=;4`Z+DaPAs=#M-@>Ivt8OvBWpmte=YSOb;%?hAoxBLY1x zI~}3NQ88Y@H1>^RiJqGWf$e>QgJU^UfUpSR5w!)%4`o+}O>HRo4|-+?=4~0F+_bmc z|NP_BMP>2m(~PGnOXlmhJ~vbBJ8GKTL45j~PCPL;!3*F0p4|7^E#I=lH+`tA=8%pSVCI zBk^vu#nJ*Ul5mQ6+P;$OCVns`0CdHC)|;=rqb+3I$K@$yN=g<6iN}Xu{FZagYGz^c zBR>WuCw8yAPcP!9EG#arwsB+_9I|iEH3sEVfH#yu6YR_SRNE_f5k|{wib|J9`5CAF zgIW8}{SLElM}_4pg2hk2iu3Sp2>N()=0)%4kDn;y{yvP!6d(D|Eo0H zN&qY>E<*Bhk_32U@%EZ<2@`zYm~)Aq%eC68J=z^Ji(C6qT?M-3*39|N+=>Y`~|=3Geg!KO_0m&?ZHv zB>8f%#6>~&^%!^}x%6cRL)!0hd^c7piX%X6i`&kIme!U=eO?UzhhRMX;$uul(Fa6c}R6VUj;Mnv<4Yye61bp}|seItsZIvK#h6(5K~8 z$BH0DS3K>IqDwAf-cbL+Qc5eq0V?bhWD}qgzU;eTihDvE}kK~_PiCs3z z?TyEG%MIW-Yj5dRw@`pF8$U#mX&x2zBlg_M*5Dk3jq9V>WTRI4WHbo`#ztX|eo-FX87S-5-G46>)?j#K+mOD)L3~caK90z@x??3%=s5Ux|v)rdX zAX}Wq0dWmBU-I~?a)!{`$u;V>Op!xs@*Ku=w^q+k@Y{yY7kzD^JX#f~Cy+4y{`Ju+ zd5^cDm9Cdl_7EyC7yEFK597|u;t3WjNcK_kktL+}uP%_^g6jIq#Uk~kj1m!r3YWz- z^8*oYR?oIqPXT$cPBp=14o?Z}S)v==GO8-gmH3w(znx*;gyBzE?!1YzdB*J0QGVFC z%8u=DRZ#qoPK~=jiD^S5Nqf9XRIuo7Ksg+U2V%Ug+o&uWG3ir`|40Z|DfyWgSa8h3 z>eIA&q;Zwhut+42xWi9<#PT6xrLd`m z`_LP1(AZMs9~&?B-?k1{D6Tm3Z6>iL6-CgX8MlM+8-jhm`;LJf&zPXUzt+kv(FDVB z*&j%~7XgyLYh`yV9_*4BupRt7KckRjH~D(5*5MrzN9p_2s#e1>Kj^`JVMp;-3pwZ& zm#ALWqE*zl7P-Vbxk|5+c}1Zy!MAcnLf-tx3(?u$0@?Y23i7|W!xsyltI=Hu=?aHT zN2NDwC{8a{$xwg4_c~SR@^j8V_bGdbHx)^7In75*N%EM1Wm2TFz_PN{AAfKK%VR2u ziMWcx@20qBKI{J`M?_4xM7JVId=Mnp!8|Ts@c3u=&!PUiH0R0WYjzQs3J)oQBawLZ z=3jU_LIirA!z?d5AU&_u2#V(ggqJvmUZ$n&y!0Nm`()8k@5SI@7S=r}ZK%``Dffu> z|Ly|Vby2i+S#iqM8ruW9OXWBFzPZ{(3~3MPTDk^4R?9Yy4vI=hRXv9fMV-#wG*P(O z*X^8E)tcQ}hOIWz7O>pHuETW)Ln}N<4#v?RepsIMRbq9VAxo?TARUkVcf6sXI$PUb zoK$BjDU)NRhJn`|=$ySL48Aqr-d6a&T2aRnb?AU9u zGk$!9q~a<1;q^7p`r||dm<6g{^sa>RHgm_xsAAVMBlWAVw{Gw|FaIM+g{qP1FJ&7c z4h_uKz85GRR>%XE2$z%-Vb1HTqd_trU<{^OW+n80y0%!3Oyk)2V(o?dwz^oyU?;R| zK(@n=NSrNy!rfpOsU6H=2l%g|7CXd+mhu0wq{Q+iCG=J-&b??mR|!g>i92M$m~QiWh`O=<@7#+jvQeA@e-t*AJuRlt{^5_8s+X9ThPcQ^Z3b6y&5 z4BF&zbe(vsM^gj6^e99j+icKQDHGc1g=v9Y?!W4y!gYBp>#}?0B3n}Y4e(g25<=Xz zkC5&%NK?P_M08-xlb*wQz|X%&3O0vFQB6&N2LujCwuYaxFQITuy`M(u8+EU-F1-L| zz5QOdZT&5KN{kbh?$e*3dsnZ*OkG%si6gP-w};!6nSc5XL~=&}2sts@dhupjdm{rQ zxgEA4`HnDoY~FgA3DY~Kz++ZiW!Ng}D00~}k&_TRoK%l1^@pKc{~vPP0g!{!xkM|C26k)Idr<*(DRk1I5%Kgr z4qQ+XMsrG?`Gxh~%#Ej!70~IhHZf6d)e$3K-&7gCLF`r`Zu*MU!W%f};X z*-88}031~*BmdEqdA(iGg^aR^$XkyRsdmgbxo>MBndc z#stc|D8@4(-dB`qB)xrW$70 z2BejavdD&Vn>PP2hvaWP&3F>`$sk1sOsA7r4{SAj`GDKxxYzWK=FgG4$q8?aGoA|l zj0p`=pxO|!#4+{*P$T-DFrP3lztkU@Zc|fcwxH(^y<)<(Y~Odz7CmC3H!fM@tLgN= z;O=us_j2h|mHEKVRAx#XS5;OU03}CQbwten^mYfTzcP`MQBnKfW@coa^X?TEmNY#B zqGLn8?xs_R^Jzvt*D6-IV8XDIGw`wHi?uF2I%MgAh7J$0!}?GTh1Pe^IbUpwHk}Tb z(78wF>u~$`x1c&cvozvxLiM~-cH&5UZZ;=P9G zlZ_V9el>h;@oZ`1Rftb?fu>bwvdj}O)0PVmr(-1#DT;lP7-(5^jzfj}+Q{oY0kK+^ zNRVFaeYc|5L4(d2^yv8gQd#$f?0`*RXt79kQ!QGSGZ%xIj^(Md5?6G|b~NnW;Ahey zejJivITtn5!nmd!N|j|B6&PrmE;$K{{na6$XGa5S(-c!5u%qoG1ibYuT2zG_fazcj zR5e39P~S&^spNZh1bDZDlJQl1sCKV0mP6V;r@nd@$2tjP9s^yA+Z&uT>!cx;;sUBg zsrX|?OaDq)&|=V?suq-|vI4zpilJO30d~V4Wnc^S;F)v@(wi z6r5J**$Qps$e$?B&wI6&R7G97UlM+W#%x&MUR_yuWcb#$-S9rp-@`Ua%sIn(Fi zt8O~*IL#fIZ)TELXit|wt?1&>%u8foBYMwsbtjs?br93O1Y&KZ`Mf$T+iM4iQ3MCo zbWLwf5Y+Qe=eyZ&m4i{912oHw)9M_D%6Z*&!aLEY*AdOPr6=Bck##CaLzVjBqf8gx zLcA?P*&;?X`BZTte|7E;3RB{PCD=@N+iKfMVye^MFcMF}3;Ahs7(%bt$7A?kh^Sev z;@Pm?0|h?mzx8eroH07YS6NH=EhgwQ{@@Ak|H9VG!go`GZ-*6G!U@LEcV!z{xqlOX z^+(=?5zcUu5-q zp7sPT`U$;lSN#_k+^G|5}r zm>{tccBI7Md;Df2Gg8`)Ov=hPFV^IE7t8Pww^?wop-QOW!U%eMecC`$xN`7kn(lP6 z<+!PsL#R1qc|z=?Ht5&1{u`C1tIH&Zx1M$F?O1rzrGr*y60~V3@AyJ6h{W?(Ukhj+ zs3uL4w>==d(nPAbf`dIatnYc-e}V5Z6XkkDmC$_B260j}-CuR#E-GkuipSUVD`}AO zT9?5B6vPY2YE>TWzrLxSxFN;%y?rUUKbl*&4q!`U`Pq~`ax!)B{;QGb{b+5%bjAj6 zp#NM@KsoWc!xWGD#AeUul*{L+AD*eA2>ZS-Ysqmt#{c&65o6lO$~>9@e)xuk@$jYk zt-N{BY6sm(q&NbMu)(dkk7ir-=O;cG2|OnfOY`2`*#74ur10T5!SduHweRuwimSz# z?w{W+p+L)7n>@5HGR&&Mz%h!ISugP7X1{%$i}-EJoKrQ38uM1Bb(I*1Z`r#p$&P?=DKr=>f=YB)uOA}W7`=>+&Vu7!I z=SIZR7t}cv0M87Nb(HyBkl_ft7QtmG7I-x~lpZ;`J{@mu6!Sq2A@;4J2b3l4KiC;+ z=|Ar*;1or{dLpjf5i!0$n)fehdE8EuSGn9=#0R0sp=BN+vp zUH>0pS!U(N-upt)HrTRn!m?6MeY)#)!&;aLpd|hs0GF7)YmsmMIHNVH!-oNLZbe*d zgk8N(;mK$frQMir=()L+8^cfEkEdnK5fLuEO-k9)ee2D!Fl0+ffG9l0d75g;Jo)brIX$_`X z@OGkriX$pl61mJ4snSwykFv1VYwkTU~!5D0H0~$Rkz%7nF{2YhJ;&gO0@{|8vBsi_%c~a3yf?CW^c|l72Y}bS$vAvIEgyee#u3O0|j$hD* zPSz@?;^~kFmB^fc33e#I&xHF7i!~iw{0BGU*|kC;#G;@U0uyfnYXR779NJSg^cD{G z_8z14Kn+-Y?tnSvPK~}A>Z&hP;22;@{eFMPb?M~G@i2$AFLXFJUWuZ-b#FvNj(^Ef zvvD&6%lN8?NRc={6LqnE!qNW7^$Y&U5&NPYwT3~Kd5P<$y#MV2HDwSP@^1}gXhQ7R zyH#q}$G2#a8I#mHEQZ^}e9V>hr|*JGoR?tElaaK3-SA~{tm_MB4FO>29rwJtyZ(Z} zb-^M;>*6*7jj7K=_iC=hcd@N46z6=fe&on`T8Z+QQQNjDV;yogIV8-QR$&`K&mRm7 z_As+%chq~DRjR-1l4E73&G3eN|Jc7_zc?!1WgOvv$E#!gI`$X{=?9)5GD-Nf{FWz4 zMvH2$Gs(s});1SBxmB_%!;q(h!g zk8_EQ^6I(0#_6vO`P0FITt)w~pk_i}pIOt#lyg+E@mF z>48L;JLkaAC2l+rdfuBf**{Jgh5qfhl#60`xV2(9b29My$I>r1|qVsdUjuHO*!!e&fuP*|)Q2C!s; zwl$GXm!~!3#)OO1i>vblUW0`7;CwsW=@C}${oMG#L6%)ao9yi=w*6^r2rDI|Zv0_I z-JAiBp7*b&?>F^NuxPxs$oUShj!{^&pI%bs#VZejN-$_C~sy4AX}<1sz9Zez{qh?lun;q3y=h4Yzk>RU*T_7YKU0)wB6n) z>$>34e|v^MR3BQ0r>Zr~RTmUX!6Q|Ucdp6;bSQVLm>QlFDR3HzNGky``rAlNH!#YG zBbp2)#KfnV@A8b@+(@-+v+->hDwkyjI7^>XonCjr+<&I8YHGD>jvN#WRCQ^j;Yk5a zEP5*4W|sp}0Tu_*z*lxCOoOWijX4sa)kGzaFR=IRqeRPI05tRDMgMPAq>g`j%*BoT zsFp`toL)5gA(y1rF#*)j|pJ4mf1hTt= ziDgOqKz-;a!*vY8`2gw`i1AqD!-D;F8Go=OnYO^Nrreh3*p?_hvFI+fTbJy5vHzR~ zh1@)lCHkd-5$S@zBx-u~`m;@ME=y2boiOk=FgG;*Xca z4y&%qwFPl>p9&jH8@QtcUGZ97BZRnj)BRKgc9%}NRpr?UZJXDdNzZ_B9fJ-=>8OYG z%^vP^<%Ak~MpyP{>dEGtRbpNbbj?`jA9@%KGLho*KYmI)j-y(syb{9EfqZG-cD@!M zzUcz5omL`huX7d3XP@`+chBUT{h&B!3V=W-uirpYo!RD|NyhL1JC=vTOIka&t5)Fa zJLJZL<8*Jq`;>=eU?ZZu7^8_2@7LMrzj`qtei!qLS}^Z50*$5GT<2} z;n9LeJXzVhI%h46N9gVN+X?2_CdHfIKWtBt^O@fQe8yfM@Lhab%89}ojHp5koP3Jz z020ehm!;9y<-qIaBkH`fUl2ITx7?^ccVeJP+=S2JD58Y*{=ijl3&nkOax-S{r|nB! zdtuNL67YDQBWP;+9|bt)z4RdTd46{&rb5WmMxk=gzcBe= zwU`ORHvy5DjiHb!fRi8Nn7b4L2{RKHf^bw#Rm-k!i`mHkKrvQJe-9M0emlUJA5E_R z&Qcx}MhHfUd70le*L1jny$vU}!1ep-{s>p;+x@R4aP1+?V;< z5QK?a{y;8EX7avU$l4*=+x+4prS01FWTnk+b#XM~t`n};eb^-jBWt+_Nk#znCVwL znNPyD9X9hm4fIAp1}~>D>UhIHS)G9b{xz6PlqJ*M``Mp2_pYw-<^mUFOhi^Brcov8YbZve$lQrbSs&30Bwl9^opBomf};O#uhU-U4xipE5l112@MH15Mek(VwO1a2ycULAHM?+tH%dd-CD9%hwA+U` z_nnU!7rGYd_EM-Ef0kshRAnc6vg(&?lZ3Td9bEie?|MVAVuQk81(rCWq{B5!cI7uS`BO) ziMobP2Y;KED`HX`Z!K*Fu><8+$lc>{X>Y=~hG zB!Uw4duZ3$^``x%evzE(({A-{S@y2H!Ka%+&iYx!?wWB?vT;Fz0eVFMfK}0bzGxFq zZ8;I~YHYLN>ELr#s_q+7y=UN;(o@nMq)w8*k9y!y&8U~vw93{B+mMJq5%aGckrNqB zmfyEArL#3V+I_lg8hGPHiwwzdO$#)blk_~_ zw~7e^vCS^9)lIQF^>?0e(A-WePuG+@2T3`Ni)1Q7D(ZENp>7kqp8dKZM&OZdKavsU z!9qPj?Y2Y$SRF64oPjE&fuZuC89#ga17A#r7b<9-seBt+M0r7kd=V*TZHmTD09Raa zeM6M*AWBG26k<=_(4{<1%(r@t4WP*exFhIEzj6Z2(736yhT4$eshXei?qs|3SDVVy&Y)6 zH(vM6$AT{Iqs?oCeYid)T*R!!rs45z(qEAOHOFv`&B-5S;5tfTWn6rJAM0cT-t}BY z7l33no!TYDj_UJl2rahG*OdqLE?`(D8T~767xRq-Z(?E2Gko}c&3;CYTU|z?*1rS< z_nF^C(x-VTWOUftjynl4yxeUne-5N#+(2U+nxnpYrzr066CayQsTD&wOQXK)wU4{S zQe)-Fm%Ho8ld*@$tl8ebCuOGI{46;Zqln5Ugw0iFQgoq6GC9#FQL1Tg@+;s z3W$F-jqLeRMC{gu4BBM=$et88RZR``_-2_|T$d=Zg735tbxc(={=103D;{jSarydF z1YGqXQPU8&bVoq5T6Mg~^JJ8NwI|Ue|7O1y0G94%q5xxU6 zFg97yhVuN7(@}aD%<21%iO)Dd2tChYih;H)|Fl>bLBWIHj5yz4wq)Ykca|D~kZfA# zHEUZZWIZ7<0p-2if&fepKVzMxz^k zh;ZoA@uK0$HR^2~B;Uzk*I=uP2iFqTwfLM0)Z-czEALC^mUPtOS{GG`7S@x#=az|#M{R- zOZjL;eHnvyLof9Y(X3v4E)<>{k%mPPq{cXw>`|$>xPe&IM`b0{(IuFJZF+hQghMD)_L9QyDA zJ)6NnS!F|6l4%6Ng_j>C=eMPuLz$N3?-W{S|iAiKl<(*iU$Njuye?N7R#r2ns zLdTjP*ee?0@`i?9G%XPDKU^WSfR)o#z~Y2;V`$z9cFEg-2}+`vOr8pDFsVq9M}SZs!r(>rZ|R}tZ+H>YwZ9+yw78BJ01CSE1o}y0;n@W zOMc_jFy$frvi|K*cm1-M723buz*`07o(N#+G0)B3dGL{sKf$o!Bl>yN5+mW}8pSU% z)km2!*^Z5JFV>?(T|Bb}Q+1J18XYmZfSib@lu?7rC z=LcVev7oIoX1@>W5)CL!(|P<$*Y;(@S?IOm+|&T`X4jU^DSs_0MS~ z{rjq-^Lv?Es4CgEp@EVz-BKiy39s4^WouQ=`YDEtw^cMtqG6a zG!o1T&O%S|m9D?-{eLM{{qJF?xx0}DcK;*=3 zYPlZ74P4gGkM8-RSIL)HVThrUiePmO-ICnq-#@GZJCIi&uGJ1^@~X=d0H=i}m}2Gc zYXETXP}lQFy2lF z4|aS>&<79JAF34KVHQ1Zxetl0?WmPBbg7*#_DqU&=?U%YCO6acnI-=mBYGyA3t|li zUGhTpTnVCce-?x*_lUX-U;j-rbV=xM*M7wexy)<^%VO*s}| z3i>NyXa2Ryf|`ru$C1&7;A8_|!P6gZE1eH{Yk-Z|}vf9&Q&ydj?O!83{y9?{(zV7WZH4{{KJ@=gbvCF=`i654J5Q{}Nt z3UKPlarXNGM~M-oYGyu(EFMj)fJD#z`;S%SlmKC_i)GAX2KEGSPK*sKYhp8-ux0OC z$nZ1t27i%gvtta$|?apDPaT6{Eo}RlW6Npg~UmzQYOSoPw~MkPy;c2Tv7WMC}6m` zVsD6F(cwe-%h!Ya|D7GG5aTa%i7F4FoqWKxIIBuyx=Tj#2yRk-$^86+YyY0@QV5w^J}@M?>xYBwRq=iZdm~X9pGYW zk0_>>J6ExjA~w@}5CsY~WvmzRv~cVy%t0xcvjkFi@Xzq72Osyc#6fjN3vtQ|s-iB~ z+usg9bLj5LR1OCJjOImvW%i2jgy43A^D(^n>}3VfA`Iv?y6c3JC}hbITvj3FcUPJ# z0iwVHFH~~($gJZZN5KDFy8lDF@G{;lpv$fb=p%C~*G%RqC_FO*J&rkwDuL9EQD zm*Sc>63saZdan|Hsl1D61!yWB&+3XqgkFYpKSL#fe}+6hS1;hbNyN{a_1m6Qw294+ zq+10HE63$~Vm5i^gQ_|v`H}TS_;o6N)xH*Li64I!4qygk1?>NvHNxW^jh7B zrp~gMz^X`nXF|%AP5Y&qsLNCqjf#Ow!XWAS0_Wbx01>WcFhNq}8K4omc^4CvTJLWy zE%=qDo=L8R15lw`1F}uH^3$^|^GePJLRfiiWB=`I?mB(l`M-HyK0bNdc||))322Z~ zbs>1S_LBAlnNRjX*vFA;_%Cb*pCd$Aw`<>q(5eezTe%TCsd{_1+ zUaF_5D-&s=8<(WUe7#o~lQ5hKfra@w6VC**Pb777G^o96TJ8$v_ zSVT^C*T<)i>ai_C5;W60C)WlUXG)@Z&#=uHYPjrY*TpHH8tVXRIh8H7pK67!dl3^! zv)wU=Sur$U#hmx!4-0|VI3d9)0Tdh3a#}@?E*8&p4rf6`(q^T34q+3(cB+-9qXBOg zBHX>6qY)64{7)U!z<-!vyVW3_eBxmMW?+3rzXF1&er%OT<}xBou+&1vPR%C{<8fSU zKJLkyCq*J7fsrdHY8NVm~uxz2-Y zAGStMxW@a7LvTM%rbECa>8gOPR=7ZdK6pDBw4c z-s%v%$iX`$bhcnDPdFSD6M`%2_y%HmfQg2gxu8K0nu`Xo%q%&)isf$#Y*>{xTMIvb zEMmip1JsruVN5<#GZ<+@yl>$5^yzT!FNkZJ?PZ4ykXq~)rU?OtR4LyHdXCf{csf`L z(7-Ux|HAZGXfU0bwDjE?UXZ&1PB!C`{G0(NUEvAfQo{xjQeyuvml0=^`)TOOR+x@P zkJqdt(W_4BCq+@bcm4ST3Dht%LzSny_~QUZU!&mMQn2g&ePi+Z9_@FApmm8C>A!~` zqs|0%&af8u;-qC5YgL+@Ux*LLD|_doPrAP|tJ3s`KW<xu{Hstkx z=swbhXE`p=E8VavmcH=;P@xDx5)HE>hKNka=oR1OmZWfl2RocC zA|7w&?h|=H)WniTSs?G*e~*@_Qc`>qDjs_h(Ubq{eXzmHEwh-r+@HZXRQ`073;#R! zQ4!mzBg2aOt@~*Ah~(ehM}HNiw;x%6@#+8Tk3ECiJhX>bU1{h=`2TG(N@H}04V{!+ zqXD>E(=<=g+~sDnD$X}pwN;Ar_^KY*y{MC>uJ4IwNCMR2Eqj~E=i!rC>DGDBM5&Nk zZ-SDxjZ!hSFw`s-n7~wCYf#K*=zKLC9+tLawY(&kKG_)x*ctI8wtE(8ou^!j~ zbMfCJkgOJG4=M+VO4{IX<#cN~Y1gU%K-g_yu|H{mk{xCirlt%Rs#9+RwtMz7i=W(Q z6+%O@YSJU&?oKzy-S|0Bx?0n5;>=L59oGw$|CMboH{jN`*O2G%g|A`efE3hlM_MLV zP+p3i*!x-NyW^idUJM!@d{X#6&cx5f2jcUi+!ZX91yPdOHKsF(qQ>B1R~@CNuAe!m z<&ywQqk`}~Jyz%0Xl`(c9X!X=8E5Y&s~BLt7wQS!*jbA4ID4(j(H3qjr2T>See7@Y z(7>_5kSS+9vwI=Ho+PhbFY-W{@{W)7aL1jjGVeIjPB_P6t(qv;-M2A6sly%N^Uu}{ zvqgm9vgwCKY3G-W`H@^EKqWUr-*ex2rr$Y|N9Ss({q{-urP&ifcNy~!%hi8aiTr&x zS|<3bAmL@)u(2u9WCK0}1MaWN>b-&=hY|=#-G@wZhk9+$XK|=B!7Z`KWI+=lCC@r~ z9wxm?j8F1|z$!#USg#sP6^KgGYA@ek_I7v^sD-?jrlId+W-#00Ep{dBn{&7LlXi}uKHanLt~}>uCK8Z0)};`Y`+n(_QXA z{AaoTpYOo&Pj0uIjSp&Sw?VyzN+{w-5Qk1ZhaRJh^AiEdjrW9V_~=kxZwBB!!olWp zv1Hw#0IJH3mqmEz1mM3}PT;a_-kpA3kA)z#W|ldQutHO{`sc}hU?4IeXhT>hdtjm5 zlqH(uR}a6HRw*2})TZMifRI);%U#GLB<-po1S%lmSF%R5_D;?!@qcwC=> zj((ICP=hAZhrYTJz~Lr?asNZj3F4H^4EwA$72LH1%&Xjd7RF{<;OS-A$Y@&jnfcGJ z&_Dkr=RVzSE5XJB_=dG8(tPD@ao0CC)WJSt?Gb%KJWFT*&{q&DCbHY7EMbgd>#Y@^ zd2H~+!h0YZnQNA-9!+!40cUYbcDSQa>5_#FZ5hMn9T!5&gx=a_Q7pJ$G!u*nG3=98 zXhWK4-aKKhj$mid`{5+$w=ctXU-;pdeBN|s8S(^gOS-AN^gB6`u8*G3N410R5qtPQ zqwJZ=VLwy;;adHcMkRAbslHGg;J6pZ``L&LRpp=tn71wM20tsi0JiQ^(-87sG53A0 zetJ{jwngH3H4%Fn9}+nzFF`<`{<8)5-`C`n1Oj`M^vQ2th82w@&(SV(wnegbg0y_z zPTIIP+~N}fcDc$E;mH!hr_<-fIeH=-v1_HzA8yCh;^(TNi)c`0SfcPLWt&2(v4l%w zNC-))Y7%_+8>f<2=g-O~as1=Ra@%f4<&uhW*uZ!UMnSp)_x* zc-5)$b)Gqc2${tTh(q-l8|6dY6?+n7X{nvp>5HhS!vHx(DK{()z(iVa(CY4~GW!oa z6YYhRSQmBF62fHbiA&gQ2)4s;=6foT+SNV#3}vY763~>C>qJ%=vcTkLxn*otF(otJ zeGy4W8ql~-ElO)0Iu0^?Rwv(d zs!F}DBHe^|+a%$;CNs$AlDjUE=W3=~Uznr+(jt9oCSF5q>fb2M_)!c6`8hS6G9Y*a0p<4V)OwQ}^K(|mk1f|)cA@%bea?UZI} zt&*9AUqYYQe<7MR+T;BWKSAH0tKm8=7Fb9FvjxB^LesMEvj#jI?;qSlU#~i?FJG+S z254%56hKW%!s_Jq>i>M1K9l+1j=3!PjJFwuF_GeSq}kNFp0)m011^P_;B(K7SIt3Fq)J#+@jkAM|dul{0e^R|};-b7XG4=;z-K_0IEVPn0dt zt{F0nBqk9m8MErF9{w_`;zHw>kdq2+{qjxpuB>jNHg|ra@_}i*&^uQ+QZtWh&jw*M9UEkoBv3nu^HYUYCoO$C1&!?Z=o9#@C%3XPldVbM}%IC zc^!r9X865mMgIx`kQqA_JFVq!Tm-DnT8R85|M5=2&$vMs8JDD%e(ILWKT6HdDGxS2>PfAV~VBOTI zAH$^#=*$YCeJT~*{8A{hdne)gs40h?y6QxY{51k{oXL{$h$DuQ41_q&IgT&Ne>kno zuP=ZoG%{L8;m+pK{^7<_XV#z5_a+&*P5sx278Fclb=m?O<#d9Jn$bLsf zUX<%Ma5Nz0n9v1j&ffFxIe2nc<=^&-=WL0X6|f`Nno0@9Q@aXTIdF$xiT-5m-1gZs zy$@WQ)&kJb8NCq;1y#l9cfA!)S%R8csgw+Mus?*qVTwD7kBd6+n+ocII{)2%l-0%krA~} z5VnW1RZyoHV>!0;4XlyVe!;8@unp<3*4P$M(yvK~FfuI&|9+95@)c;&+OD4@jbdra zO7Osv*6;}j7%hHqC#qo`VQ&mJkoJUi(YzDBPu(bUKhF#!z4j4h!XS$cU|B9o<8_(; zB?bb#-(Z=6lE;RCKaM(a5;OHloxDpCV@w9JyJZN`ko|m0_NJs9A^_E!jnbv~d|brl z@`Ua|>l80g)W7{=ge!Y6h(Q2-K;>DR70LTCR?3t}|I18YlFk0-%|f6TEUzHyVyWE5 zN4$MmP^#xO3jox>1vl~f$oEQU`sLUH_A|SM&*COo8Ju-ND}NRKSyluv5I`Wchi8uC zRCHXq9;zW~kdE>p03IhChlkBJ-WM5G(9M(_^LYMUwD87HnH{Sf0US~R->8Mc+oS@y z=fL`UlCGWIwEuqowS~a(mzyp=U7JaWQ~tN}-`C4hWv60jWJC&jb5c66OtFJ?coprS z_9cPS{TME4-20;+b>lv7F<{HL!_nn`jix_r9v(|?_h?5zN-6=Y#)3KG59`4}IAO9x zw!*@Yt%iW@(&h1*IDSaxjdfq;n4RzPsHdTin->_SCi-qAI~JSDYbk6U;OgRGBnvW8_Yg->qe(lie4S{`{Mj4u#q zl--V}Tb>%y2eEH%)RjzhZ;qw)*l#!8ZL`>&h00B#;F8tcdA#ickN@Umhx0L}+-BG{`GdLA&WIG%r*HJg%N`_>&D>UTR%rry;{ma+J$^Y$cl z{&PGV##}tGmRj{dlH|{oVB{X*`yu2PZI1ZUD`U{OVDU~X||qXqKrNKiib|`H5_i-*Xq*n*NU84wmn^2 zp=0}QI5_YP*24XQ!W*@lwgCSg8*c^~r9YqP-KV#QKS`k;5$vrW1wLjjcM-?eJk=dGm-_aU3;yG{vpc4) zc<+UTNPorbrwZMj?ikR+gYpg|_k*%e@IBsX1)`nI4#UgCnsKPv`Q_z;kWdXUp$81N zgLArl%bNSZum|pLbQ^dSt#a<*hoZ7rXvDVdkE_eW-k6Kblx#;FNM+@7od$Y9W~PR5 z$U{L^?@{1~mvZ0wU3MU^+2{&5_vTiWg>piu34vANxVsXCnHtEy;?8pld2QE-0#ClC zueYQ*9Lt4_&683u99qmZQX6r-n3+Y84|w@qHFT_!%bs|Ix?6{c?1Hl|I6V4=UL5j+ zFoA+?uNnK&qxry=@<@A=U@y}A-NGbsTloN>0K8%#C$m^wwuhrgrGZMIm+SBkY4byL z&ZGd?X~(7%pF?{BsA{o)Sul`}%OYRV$d#m#j}b1t!0}8F{}77@c`n|g%%CWIXtYU* zTN_Kmb=L=?hE9sw2A-d&pD_bThefNWVZ3koUSrn9mKXJKy=SKys!LRcB=j-2KLfO) zMjW$wA`JuffMSb)@_r|S(px#-qIipQe%N1Wq&PCbgoi!6HRnAC0;KU$&_=|?x>DIJEH8mR|w z8CUiBAYd8aY-3xiYw&@cRC>m{9w(#@^oh$bmD3??J#L*byJOjPS&*u7l~%5V4}{8O z=>qx9ub%hvcPabA<2iToDc`Mv$}W~`bM)8EY{8k)Q=&J)O^nu->MRUBdQM|c|1@tV zP5G*`Uh5AkDSKT4N0FM~>sAi!`$C&p24#kN=GS^L$nWOqL?~y(cccBhldJFSF*G~CrS~q=x)q-_!1ctc2>i4 zu%4m-y4v#oasC=N^S^*G(YL@DbICxV#BP&!#3gNwGD8s!36OQ#x6&we4)m1Dt9R7U z8NaDL#_BvFxTSogk8vU^8z^xI;8|t*8tLAsi9)gW8wZBl!7uF8RSY*74eQo^lE#52 z>Gn7S#GlI#znFeAox=A>CP0#-PSF6d_dfaFyEbt3-P-Qhr1u=LP~N_F=PAcL3wa9a zuSm6gNBJa(jFtI7{w#CUr0h+Biv?J-hv#SWkc9WddVdhVO;DK)-zsNmUEfRV?l?{r z8u$6Cb*S4aE@e6TfcyiXDm)6tz!&5DRB*ko+^vy{Vt-ZnrlS%~-``XH*Ar7KJ;MQ{ zsolEdN{}yoNk82NJ#I@f%3YvlTdn-nm)d_cLF>KdYt*2hswrTV^Z7xP`}b>LtnR7G zu}i8u3$D|+sAh_ZEl?sBT%Fqr=*?`2|$1-Kh?t;NYc%PwD!h(Q#|9a;3Qg$2`qf$IFr=Q8R*Q zakuSa1;1vL&nm@H&S8$_&&wm!hl7yJBXE;(TA9pMP+5Y|aA{4TBHL_Q|E>ZK>r*}4r5wshDKFj@WRlJ1G^bYEfypv?IZjds0kQUez^ zIV}{hvM_sGm@Jf?r>F}@r@!#yHk);t6h3OFY`@uA4DVw$3_lqwx{YJGdn`3JcI_w^ zr1Skahz#-EHqZlHCisA2tv_f1>QtAQ;l;Zm)x)p>TTlj}wWEla$x2{M%dIC|P-#71 zGl7jlF;`&*nn2#2P>|rJ=kwuyM>|c zqY!QL@4XcBJjSU-3Cg~-qI z^rsEdJ;Gfe3{V#cYwY1kH%B|&Bbrw4(Pou{rdHB9l39bzdr~V+4C64h2&<)50RY%V zykHSNQY1N^e2H4p$gkKE;-WUmbCN8J@vp_7&Gn)ntZ1Re04`Gb@PSXcS;sB7tee&K z=Cn5uCo8$^y&;tBPT%4U=eY5w2CINpRj6KuIcRK=zs~BuQe7kIkT8c*<&FPMwqZv* zET*?BYf9j#iSGzj?yK$v)z}hQE;P|F8KuuPj7@0%U#zvS?IWZFNma3z(FRoujE5fj>f zzWx2~h2q&IgQQyv=+B`~LB@Ftu$yF7@j{a|@L6#D^;p`8s~Y8I!rXrwM6%lu ze~wT3CHYR`XFSa|T%3A)O1+6B(fLDu3hMZY>iGl{+gto!%x`a!qmd@!$ch;n3kgI| ztxBZNzHW7{G=+*VfOL(Kn?-#rB%Lzor~f$#t3A1=Cm{%NS7R52T#c~aVVqC$+5b7N z6l@^4Mo#t?#r6~$pX_J-S$tnn)aCNq@=P>IavwcfP5V1iEd~VL=lDtue{vS$c~yXC zVQfubsTdcq!QUIfR6@V{FZMHlK?nuZ;eqjehrb4j;fhC74z%^82y%`M$*@RRVL zO8sITx$%w(V;~zTpkEj2Q~t+K`G#c)bRK=&zo`_NIiNl(MTufh^MvCJ?L-^aC%0Oa zo~2epl?6~SMm36j?7GtHB%09=yQ4*fUe%mVt;a=-zW>}7a+t{gQyaeiQ{$#}qFFMmp4te$!NJhAX%Tlv!dSA|Z2OKw6c*oM zhCjXjev9!VLi^^DXn1qOYQ@so6UmRN7Rw2z#qq@$0JPI+-uOE;k0bqtWP<@V9(#Kv z)wH%bashPF;>t>CigN5*Sm!X$Ai-pBux^CI@*JIxt(8wsVyJkcR!}2(4cC4H*d77zu6wvk*G;Q#V&$QEY1=xx1U?Z*3c7+FM_p#OT z*iP(XB1<=foMrqCQ;?XDUbRzE|J+9y6;^73%Ke zdGXN1&dMNG$E7avV&US;aSWxMrOA`HIgAS+Atb`4(Qu{HH=4`*cwWDy7cSl|AZVE;>xkt@v;$kh( ziY8HUa=J$O)GWCet~A}-pxk{zv*HWu4V*gmgGFQlYEmSV* z0@m}fu4Q~4jp!BOE)Mflw#D@00mhi%(fTFkq*eRnS%-G3oP?a8RD^ajdnFj#16@XoYxzKyYFQ<}i;Yu^=We+lRi%>nm-fU@!nQ zzp>ZJI+3r(_2|7R93E{g$Lu?aj@NaCl6UoSGTNP#-eX8Jt?DJk33)79cz71*3`A!K z?K9E~XgyB3S{hKCq~kz;^Zb$N8>HO*{ZiuZ!)7JmD=lbv&sk5=Ufugik63dR5!|MO zKVIF_%3?$nB?TFt#g+5M5y5A_uM`&!9#*n>mXA8M?zXw+bV!a*M+tq}_c9oC8jG)x z8Y%L)=w;}C6I=f=(cGZ)L7zu7E%Ns@5L7vMxc=e3$-)59uBdPLN4;E|46b5Dn#hQe ze)wXjhgADX4*++U{L?+#FEaP+1)<%gA;%+WaHj21(=Mnb#*^cRnSZ3uIhYZ&x_)KN zmM3gLJLibh@72&;_v3wnf8Lu!0yC)d^q4p+MZG(1;yAzq9fu}l=&5)=)|Xc- zQ8YF)N}lsMN)nPt`4BC4E$)X<(~y+N;VS2#c(}C zza?uD(EjOQTl|@53SJwOuC;4}hIQG9;ZydK+ur25k5^~BK4DDqJG2+7m-FLbuiRoK z%M+Mf07tw%a_Ea{Kz0OLNQBA@DeEBFP>|_esvluu+s-6%Gg2d^^_{=c(ZEY}e|Sk= zT8}VV2%)8mmy5)81m4|ULxJWd;~pmeWP+l~xFJXfLJ?_ByFI@yxqD#ON;vCl%Q~d* zH(IDsVgSHBF^p27ZsBJ{*9%tT%iX?y^DR*nB`sA$lwIAe3x{S*td0&RU#UC?-Wm-k z3HLZ7YT%YuQgOe5&Za&?&COZ%N!K@hKSKsP*$xc=)IXz*b}Pf7Cy*itr6Z66#}8Xy zQ&}uxJ?T{7871zc`1OgKFik<47O-=#RG9{E)*c~mbO{IK63w1y8h}I| zQ8elmfN1dGPKFsdjav|(#1pbJomQ)xamt@~B_ zCRp&K)G2C9;IAf*y#KtE!G3eKyw1bU z@^u(jKN5xY7;kR%_(JvSbXwV*^~{^_U@Y z6+nu>{6$fk47e5Tfp(wULqfZq@8%D2N5l->*M5aCUd4>pA5e8x`9cP58ulmsMA#p7 zoWeV+&Vev~uj`A)BJKvR6LK)g$w3wxGQI`(?%L*0`_v(aq<>mZY=sNh$p#IHc=Vv{ z0y{gp-85c*h(2ZBNI#*t9>|t|MSW4$3wXds3@qbhMzOuAVe|X6cY%6;q3ZLh z@v8gAD!v;yJZPlA#I~t!E8|4uM3A*y6uBmv2X_q1OL|JYyV3^rU-#HGBwu_RilTVp zHC%e3+Yh33b#J_ckG#_^L^_c*X|euv>a-4*^hP1j2K8iluDQVZ z-6dB5m{13?lYJr0Am0=4sA`r^Sc3b(eUVW2?Oec0B_rdpIZJ*C#!bSSvw0<`roYFq=4p5^diKzuE-1?0q|YzeN>RubBVca zJq!cSK}n-)r^C@z^{O9gDb%tWIO9m z_1$yx!>LZ;K)smDO`<{edlxCC+&V{oUHq?a2w z)~*FV8QvjIBK3dl^@4D`T4g3l!IJST=JC6>KyF~LrW_Kg&O(_mNfsq9r14>jsjMnH z1mu}u6ry!DuY8^G8#q6MTS(@CileK8aj5g1dML0Re&j2i^$<)Ivfxz#iI*3B<<4P~ zOd3B(_T6~~^!d3woIglqG-v93X_TTHy}%9AKHoNHgFPZuQ_A37#rlvkImM&Bc2xKf zZEoRJLV0;`$r1m?H~QI#*}g~I#PF04+iCqof7d;>t1GsQ@ve7lW;blioibV0D!384 zTG>pcA7M$Z{&wS!Jj+F{mKvGgX(kB+k`s%P^m9wFXF*%40Sy`=(SjIjIg<7PNBV8o zg+Y`d52Fott&O~@e$SK~eO0t7ty5B@Dy>H7OlFixOlP&NC+pLk0j5A`wdXlE=kMtT zK&4d~HTD*Zmf|2;%d(02T2r%VMMgmpm%UY@RCs58Q+``+z9To4IEk`Wb%s(90a5)9 zoZck@gA=($ZXFLyQi1P*>Oq<*DH1ReHcw;ws+SL_?tR!H&$4&xn1%7;BH&=8GNkeAye1Hx##66h6}&ZN{JrERN+$ z`aN}T%J*B2bWF~G?JV(Fdyz#)}=H<=d++Z&rNpxzzb{gXnpr3d0gorN^$P= zlxLiG;bEkrl+KH@bcag(n;TmG#G$FcvL~bm{0rVCwF3Dz>Wx~`K(A_{ZBWA`e0#Gm z%C34`APGXQtT6@q;DjU=U73xsbjV&#TC}F^m+)JVes*r3kCW!|s<`#@NLsL>?$e5W zAQo+1J-hvbbgx6})j`LeDvX>KJ;bUgtDO9Lr0N9F z@A0QQ>?~AeMutIwl)r4zhmM=X7P%f4!azt)D9H2tSizu=CuW{XORa zd;qPgE_xlcbtv)+tW=G9Td{7`7F9_8a+zCw4A-ENW&mCba!_*oCn|U`-^qX zI_sR@pDvdy*E2l#T=(Al+Mi`)uLD0H2OtlY_UG}~Q4ZZY1BzV*r|Kv6e$xET$|>Lm zpibKVgv^>~P3p3_Mt+SoBEB?B=~L1C^s73!thxDJdHk_F&;>1Bu=QI1?iY^eC8JZK zV6U6zZMe>hom<1EM{*EJq$Ss)c68x@I`fd5hQd)_C$P&d*#^Dg^eeAb46S)(;$xzd zopQRS{o9*2TxXSe$3vpihDB)UN;{Nmn!(`&6<%jj~Fh^k4sHM?2{Tmgp&?N3Er z9@ozsI@tV_3;Q1J?1-))!hi|7FMhN23nV`BN~n{#bM6jk8c!ogBo3sobIis5P(~A; z-{8ywNJ3YN8#fSmDjsC<{Pz#7+*O_Av)e2kSl)|#I5@2)9S@koZ>ne4w5*fa;FG+& z?{(xRnXTkgiuszR)X|cjVCm71`ud!@@t-k;fhw&E*3!bS&>lCG8t++giK!K68~4tA z)KNS9v*Nb4R7R1LUNXx^*g(Y01-iXBe!T==s+pEyfT_8gbUIOv8PrPF9sKfvzbpBB z#Op0j7IwMSDt20t4dgT8c8sJQ*$xKtS9UdOER%Fi!Po0G9vfRvS@g$8xV~z;jRC&z z7(34USX!zl|9#Gz0y@%!*)C5GE>vEKufkuH0mXk-4CVC*4}< zXG(uds8aybdKs9VmB5|C?y8g7e&jbLk@S|r?YQm5SK3#UiHL4xa2mI7#kpzQFw3tr z?(dtKZWH0M5!XLy(I36-%Kz{vJ;fdCyZa{kgJ17{3CKQ*dHajP4TbD2C+|2(Xr*EB zMD_YFvcw7$!6#&?seW(u{DpR;Y38C#O$jh;h~(ba)Asiv`nsS9?4CX*d`h>S>9&UG z-^~MKD4d4PaU_SjKA7avVU>@Oa&Uh_wpp4hgP-L%mqjK``QWzVrUSL1z9vx){H?wQ zGjWN1e!M-Y1o9@T(j2F!_$0(-(=SKFHV?Ssy>Crs=Gwi7?h2;e#%7{~j99oK`C2Pz zMJ4tXb|*YzmCQCEheIZx(93i7H*2?_feOk7FZL>70{M+c+O})-V!~O-c(e^HGycO~ z`8#rgP6UY(%_nD8T%y5=oih*9e1Sh}%^O8^d**&RD0Yl>UPU#hmr6c!u1meVjh3aN z5w)9}>yPZ!D{1@^p%Pc(hC#0YzTtMXTPf`8_KJU@>nH*T$6-t_JF%krMxm}Eug4@0 zP<&={dR!{`-kJD5M=h$FcCY&rW3>8o)4jjyBTKrm47HS)xDYxCJ|3&`he)7{bUm3f z>${66yZs+~TC~K3CA4&FW^y@}qUjIy!XpRucKdh1<1fm#DD6__S-(eZucaze zqrOjR2G-0qS7kZr_|Wx-U5EhoU^Lr>vS0k#CUIs}!9G`{$h(hy2p}y$ytPf0JCP@L zad*8I;_5y2p6UAaoT``rq7HQUfI<{^2e-jY|I@+4QgVCFbp9cc{O3oPx$T~;+CcTX zeMm|_=Ge)baX$PXDswOFc$ObD>@U?fd&WNPr1aM-0T$MOnyY>ovtaMk5H6Z=tUp3~ zO8E^idssV?=@)aY)3!i*9mdfHEW?%dm>B!v<$WPzSl^^AsogLB+!mqz#t}OIn2X~M z6fdVa;M^=GNhy62VYjE858(D%Xm=tC^SRlIQo5ra9aXBBsp3Xn*EY@METhqQNGUDX z($G_@3dWBu*3$Ize2xM}&4Uc<9~ZSq%jtB!kwc*$oF7=(xw2P<^^pt>96|m-nMbkZ zT&$XA#t3fcA3|WrQ%g1LR&n=9w9emp#F3+x$3ON9o?qi5GsUF4p;5O4^rnawoz=wc z94yL#V*6ff4{6H4)Yqq3QcHo>jwySX#;#{8jLvCie=~pO?s=*ydvUvG0jCP-8sB!vkOyLBTv>d)Kxw(5|c|IDCj0!8-j5*+LTfLQbd z5s^U&xhEFywuS+{0^&k&Rkd6G)i`7&nU8mItYg*Il2$|=%jCx9b)>tYiO!Eg)@NlU zF{pfEwgDRTn7g<-=>crN8MJ<*kY`+I`JGF7v4X!OKYoalrd0cd#9xR{-ZpVwpxMFi zitd(xb6Jp2asTJMY)A}R_ERxR2vg_NG(xBS;^*^_kSf#z1tB)1a^-N=vLJH5F?b>T z=OfUwB9fKm*jHdu;YHTFa4wW|?$Tpb1wlk`7FahPPavz0NuE-%6ID{H*casoGMCca z?*Y;Jy3((={JvP-fwXD{UzIvK7mDx7#mD*kfdmT%{-xfxaFu0KoL0?<`4jV$cAiDl|ER-p*37M z%3R4$eshgRyEG6DUjM-gj6{PAVofv%S1Pa+AFud+e(T1k3)L}(ov_Z#@AvPXW)g|l zYt2925XTv!{`Dz~=t{W~M|4PJot_NzTQk?%NXb7qJLpmN?Z$E0XN{;Q_-)GIH_;FT zv!)?WCpe1iWZ0*YFXa07CPdTz*LEm*Thp`!HO*pHXS-o5H2g|mmUQU0#Ud(JR_e;G z5ISM+H7FZW;2KY;_sqen@(t)$z5yh})opF~m@1@zRaHS_C(7ID2_DYjvwZ6qg6jq1 zKV|lPHNUR77PmO8|Z3)cm@1k~N*s zc&9vbrROz^)rgS@6sqm5!SsgyJchP1>r!H9|IsE5w91cy)HGrQrchh&21O; z?+Z?4ZKGSRBHP9is$AIrh*V0-j%{st7%a6WcYNHELMYhN4LBq^Nv(POK3mmnE`Uu& z!Z_9`y9X+_W`NM>xd=Ten_}n%Tm3x+8beq+d5*{6Vov-EX}*@B+f)x6%B2ql`awQLSOW&p0N75Wlm+cw+0Y>Blb#xlaY3gcmpf{a3>Q$i4<2~tX+H>g}*5C5T zbVGn(Oi5rKbucd&az%HTY833ss`o_dY2$MtW}pUnKd-ISFANn2voY3)PjkPbt91q+ z7RJ3|+Yqd*Kmu8oXrV3ULM(*fwen}A2tE8v>dWnfRD8inBkYKKY{_h|(#FWUK7Yn` zfWy`?yz#1sVBItCeVV;LiI>qtD|Fjpepnehp>4D2_|qfdw-V9>%diCaurd^Dq$hj( z$5kq-<3Ck8LqtF`0kZ7<3*P^&Ob15cpeHz9{NqQqtU3T+d@~0$tMHu^?6=4*wNwC! zBB+346UQ3)A47t8m$|E#+b&&$iU-xS*iVo89>tfNhAfR;Oik&@KDpY4XjpX9w^XV} zvThHE?BI1o`p{n=tkbrP0x`UzhJSR;@quiYVvbWdr}gpnigrnmS?M(ps`CdVb*n66 z5WQc620D;IvSx*O6!Evd9MW|Etpot~ya`Pbe2?5axy<&N7j~-VF#et56i|at(m!D( zwnB}*m%shJy{_PcRjOisUfvwn*K49Uk)oFd$?i|nJa#WiP6e7GoQTtWoHdM3Mi84$ zYCj9Rp6j{0>G0i-XS4z#*2$t|K;axW4Qmy0=qCh-P;g%Nd*^+<>g~~K&EesK;lS^e z$@P!6<0Tn>UQgZ>G@K?aOqbs(sb%XJ;-yf!Ee{&7aJJjsLsu8VK(GA4qF3BP7t6|n zBUocl>@W~^{Ebv@`z`n7re({(`@jJHwG`TEp#6y|LjBw1&6x*)U8`YZo%Z<&=!M0} zW?}U4l+Q(O&zEdFHnIawMsMWFZbVbPCHVl2695Z7LsyTeuUBnoF#F3}Y`^l#?~wVG zw3NMmz+N@7$bF5(TUZyRr23U&k0`ly-|G61Kd$yL^r%ZwijopOWsT%#Z@o# z*|T~#NfBsntR{Zi9L%tA$RZVRUr@N+IQ31VqrT_5?!NuusE_}3T$bp_ZfB){36=vnFrIGekBSx|Nu3Rs#TMyJ=Q+5Mtt1tqJ+YM>D&!+#O{ zB>&9bE1iwrqJ62r*=t$UATqw`$=eSG>R+$%YAgt;0ElIC*P!9NeNSMNy3S-CyG@4( z6+lygrq(nNlzSZFSw4F@W>OsVt2n=|cVS-bf zW=kv1?9flItJm-D1?pCqf-tAme%-3&*9u>};}%U*7;&7g$p(k}a&QInFfdG-0mI~z zsYV+X3kaIa}L%**x0PxDyq z{!Vrk;|1gkt6CGtY=W;$a?|M*dp$oyr>{MvZ4Ve!*B#nSdvN`vute4sKnb-(Ns$x5 z=bX2!-e9iqm>PXbGXDjgy4m&E4dV@>tne9kicjsC1lj87+jcXRdfLbkU-(GPl`cS0Cvtt1d9Q>-x+r-0gJ9 z9cHXz9rv>p^XVqu;rMMI%H^`ENq2%|Ja1W+ z`!#b;A)$oF`o}=sZQ6AsOGI3PJ7O8=xjDfPaKC6JT3II4F8lOe1j10sBD|ezy{Yf| zV+{A_Yey2rBogXhLv3Gz(oilcrppxL4=b?D{Sb!2dEwj-N9j&7+tXD9AR6D*z7)PA zbv8l#xz?0>abo0PPt4%VPyj|g*7*524w6a!i%^aiU%DS+NQvp7y$&&)jjOI|zhTAg zpZop_>`sk|sipB7#VY8Q?I4|qAg=5;+3Y(acmcx}oaJ&eG~7&0h;Jtxb5Yh6Xb;Wa z2+0=E(`5{^1ncAVAN1_vrACXwSB`>LZt;>jjfK@z6`Ri6f<;cUeHw5<@MSJ}(=@No zL-G3FOe1A>Ja;;+U)1_!y<+7+fR+ilQB1gX5U3MSsf)1CP}~Sby<{NC_lPBcf+KEx zv2V>)!UzwT+cyA#-V(V+F;ZpEd3VXoAaRy$aTkzs`i`Yxr*uuk+^%kehGntT#}D&P zoP}nDTvXzgGyb$xD>&Z@DFlm;tx_TO(=I6YW_TXIAj$yLqvZ^E9Ma7Y11$0;PB zRx3p9n<1q&_`DwET{Y8q{gf;z1KFQfZck)wHkH_7k?fg9sJ{ZlFiuik^efQ54WhAV zl|~-xJLV#tHB9E`&$}5tHwfU{w3>TNxO>RotOTr9<<0?b!Fq~ZSKF+~P>yl%#YDA9cn zlh7_cIWwOwzB;9^qtQ#dAgPn+eQrD$3U&>YkXyoOfR_pwKy}oYYlsJ!h22&|(>rmJ;ggorTJtJlM{jxRAW{50dl%nt z%~z66;e|K3IozfYbytMoy|s@p)Vf#kb~5Y#4!)t=omNxsX_g0_4PeACcrwmhS zB`g0vBg`KFXN0->p0S!&FWH*#TDQLNe;s+*R@;S009&5)4lrYJI>Lf-|s7YYo$OQzyNU53e;8qFxzKj>N4S&|9_P$Gltt0nfs(2q26 z?{ea^t||a+E^eNs*)XY`KCOX1aPRRR1~mE{T=1n+)^-1fblB_IU+sl{4icoZvFGa7 zm?pJx4?vid@kZym%OQhTA*kni%L{IJtr)<(>$LwTI5u0Mo^!+G!nEQil!Th?9kEQ$ zK!(oc@S6{16m&3b$rH!82Yj2JT2f@b68z@JAww^1Ri6xGPJC>e)Ue{%L}GOXLY6Eu zqSX_fv3E#l7VzHJ8V4yEm<}m)LZ#DEV<=PvSp-3VM%RUVI9__Cu|9%-_BrHAv;Io} zaR0p~a@c46L@oT|<-FZDyArzrYsI~{q@_@e!nwdmqvK@Tw2&7xyH0&>i?F8B_byRKfdKvVD#k$L7fn+W09wEjp z-nHdF&%VLttF8c*?*O}UmcWCf2H|wGX1Y4Qnpl3s3DI;(D`DUJ>gVS6eX1{M0(2 zdc6r>=WsVn-}69%oIt#rSl^xLQgCB=$Ozbr|bhl#t_k&_^db*sx| zw$>f*z=9|Kb)UOV-9auZR9g=o6WuR*Cp4N7O~1I3%2MXtn85LKZ~gKE+x+$eR; z=xM}7yUe;(ajR$f95QnKJuOa3kykxdQ!bb%17ZmHd9)E!dhxc!;dIMBivtQ zaxxdK)|jzz#@)#-)^~#MSIr7Pec0ImrVF(rPOtn`5;Ggt6V~EYp&vlA?cb?F67QfE zFl2?#lHIR1?~exKFQQ8*)(~HMs`!c@?X^lMdOj>cVDV>T=+Hq=qIue8(akCRRvEv1 z@nYvMLb$IP57Gf#kSJ>QQzOb{K_eo5+TZQ?ccI*nNhaAF9rOk-#D^IFy8fgV$O!g8qML7a1JF~Tsllo~$C&hiaQd@B zAm;Dhwv1==BxO}qQu{aEM@cv59hhp7?of9SXwSqmk^ZAj9CDaevj{VBe1EyjF9 zdl*R(k{a|j>9@i!3UK(x()X3jl$?Ua30a}aTzdNXu(=jbqRYxm;tE%4%r?M@z-DYo zCn72@@ehb)wHgin+Q@RTZ9#Cr^JeJ2RB?CYgml$3O(3Ao)Jvvu(3KgB3PAkhk{lfa2V{O5%<{nomMni#QHk4D&;>aKJ zJa7K27oXKdWXu5l&M+%>8LIKa;-r6_2TqT)FlqF%_}EH^?d^cuY2V~;fzQ{GpMHb@ z44#gWZLkC-5Z5~GGzLr0R3*dv<=aZ_X|)ubuWn{b8-e&6zzqy`x>wNb<&#|(I>SUL z$sOr{p`ua%I1tRYDO}o1#kfr>v)rW>f$Z8%br)xkg<*a8m+&)_9%gAKwX1E9w*~$9 z2Lpqy{d`*~6*5f1&fBS_Y^UYo_4N*$O_XjGp9sX%`6tY~b``VnTQqA`$cXYSv|B9_Bx%w>ACFWPKSm_@OjrLVGca&+;j(8oSW z4~WF-FwL4=1BZ*wn% zfcc)`?KJvdt{8>w^%~e)A%-bu=jOw&e{PfHyRlDd0#Wvu-hU_k;CCa-VFo(+7kpE5 zAry}^Z`}XnYQoIDjsAu=B#LB6CEB(=k9BUqQ-+bc5qE>=p8O&am=#&5jo&fe1V3;= zFTzcsMoFOo7(7Pjk^n1b6S5&fJ9bCsu zsfO*3@r0YW$7VzH;uM1~k@W&y229yYq;yWqVB_C$P%8`L2M>PZOJ~SYm>coF%oMa{ zMW9>F$LQupfLX=TjGSo@%DmZX&Bkjqg+iQ}LPpLi&L91PT@mkpE3ZQ~yorJ(TC{)A zV?8WxLOuMp$7dGo^aT$DF)Rt_C9|7%p@-?3(=^`ndC1Y#502dmzxf~>3(N&8vk-fp zPlSwKc~JWLo+wp~EUA3@$|{uj6!l9k^*2*O4|>19F5%e@&X5Dmmx&7n6H8HgSv|u& zEu%?)2%oy5L$yBM$QRvqF&Gt}sPAILebsn#I>jqc@cT(r9&Nf_8XDZ1oRBf+SVE@o z^V=F3Tx0$OH4c$*z2 zMkW!Bk=EsY6B0Z`G!Yp_UViVOSMQ01_ceAc63n?XDMEv*0Q_J(+|wk+N6|#0jr%lr zTL$^G$d@iAkyJJ&3_&28otuPmG3Tm^rt+_ZM}BOrpq}$W~>@V;C$ef zSKMiVLm$hCi^*d6YZd^XH$l7stgMq$9_YK=U>RTU*6p<$3LC(<&_rWRyTO%7k#?_W zW{XGl-dq-qfg6HdfqO-B7UkGycg8**(;8J-KFaYo=$bTX&_tmz{Q|LWo+TjCJZwU2 z&^WZlc;|VUXuWy#{JGZ!5L5z8wE+#M*-w?qc!U=*lq{+)ffZ71tz)}QbJ-Q(5(;Ie ze*|=$^8wzy`?=s@YS2UzA_P5VMZ{Ql`8=u^I3dF3ReFxTTHx2{C!Lq$q zbZo<2iH{Jr1_f8_z0zU)a_1{Dc2-|j-;Oreb!56J2WGAVIBHXzK(F_`qh_718lMWqs>R;C%WG|0I2X068A_`~O zGHf%k0H3P`9uQomiOFF0rCm-77Z0?8+f47LF8;;zF`CSEMq}LW4F07?K|rh0Ex!KQ zCmtab9R@Efm9X#4zUkqr2jXqCfmUeo0MoBpm1YT`be+kPvmtG(yTCK}FV_Gj@rrFz z+nt~2lQp@O{f-=h;%D9o$h`7&r58@NeL3%me||_mMZN=n|D~#Srtvl7>th)K4n&un zy7`9X%V%*FlPGkM$G%Cw9_o<=IFgQ=4Zr(iy!36XgRbwhE26DW@v+{%G+?TIwfz@c%qQJ@7#mg{X9QX z^fq%NgHGtIMUGx<&L_>YR&|B}HtIuPSW%oB>wGPMIRV`f(^+iBczB5Q31juS-p9iS z4mB(4p-!F(3ZS8>at&b8=n|t*DBbMHFK#4~FS~s4CL}Kd46r-s_`F2Wk(h8gA?W~I zvAX-MiqM`8nvetjDV8E~LQ!L833jWp7SY<{7aenZCqb{En*O(MTZVe3Pet_oJ_CnO zMSiTx<>8MmEVD^? zX@ZIvoS{W=2CrIBI=f?Or8>bnT(kEp83g&Fxm3W#Vgo^1@V2$-2)FC&H^SjKpBg8+ zNq8)vcRFY zE>h%{&*;I=hzrdtaef*~@y8=aB^QI8w-gv|1v%9~Qa)~Tpd0@H*fZ10ioL-}XJhHL zOR;-qMmAqw9_;$(tp0fEA?;%|bdx{A=bst}`3tA}?w9K&8g9eb2{8gv)MtV4gMA(k z$aqEUvdcL&VR?qQRM7r-B+DA+%@q#*@N3QGG+xDmhsv1XJC$+jc;(y8CZdghZZ9U* zTlSzb&X|HmOEEtOWpip8tr;27s9-nP^)<|z^i@ldmcm9!2UytrOKYKnA39R3ZoDQrRQ-_z^vy3fYhXi{xzB|o+4P{Yt z?iHC@&j5s_lEVW)tS z?s5f<8X9_ROQJiGKCg%R`{sM>?sYp+)U-g9X z)fUKX)_8*oB0mb}K<<31_KF-Qcjfw~eE491l>#CQGbX<*w4* zH*qJ+2LJZ|nuUR^NseXmsVp*XbF6tgpqHlIjLUczXlN7JI@ZhjUh!Zf6v6cr-iP63 z)tv|*7!_4# zab4{uP~LJrf$AIcCPoFcI14_*I5j94_U(RUla`*ecro)T$vhkDufb;MR^8NVghSP8 zqWw9;DqQsDxSRycGXiem9zN`4TWxa3RK?K!W|r6`De>72ug+o+7FDD*^Fg zT4dDgx|?C)A8U|xBdVl-GQb!r{8NRule`?Qj^w^>TY)v>jyT0b?cUCl6`1hHd$3r| z@FC%2UXuG}Zp*!si9P8vS29)fUUo$mU>D^Wv}Grx8ig{o06~9<$Q-u5*NGErvO^z# z%gI=dqPx2xW)S}nRzD=KXn zMiM5LRs4rc!~2mN_yol&nI8+UVDbpfkbl)n;;4)?c} z@A_vozi2AySXaM%jDvwoCp`{{Z+}zGjxT2GS663g%TSH#g8q&eJ!!tA`n}k|4;I&# z@BAR$I7hH5lg8PkG!Ii7mpO_F{x!GFxKshv6DKDpmlK!#yR)F!;^tXtx=t$vxUMv|X6pPwM|I~$|;q9Uls*A9o3@8}8|Mw6VOIxmQH9T#kG z2J*}7pN@y^8NeWl+#E#wV{~$CmEzTlWpV{G(1*JLqlTvn6`tq&c!oPCyw3my z2(pcS&H-zXC#X6iO+uV|=X*=w2*e~alHkaf4y9;0( zyMuKN=jZ~*=e+f=OWe7At?69@X@SJ+#Z;>LW<>I{UmqMom%^{*d1pDs8J=Wp3cJh@ zt&;G)ZBH-e_X9%xz?yV(7tI1d0fsuiDv=v~Oz?rE{{Y|`3iZjf?)toBEj>3fTpx*- zO3f3MRKN8eCpj@|nk*|31}K0daBnhp!uzUw)dof_X&%2Dh6?qU&{ zJ0z~?ZDLJ5qT%65Txt)K2O>8+=!l)wnD$jyIETI^v`LNMmw;V|APIlwLMku2nly2`h^4ks#?ESJzbO$jMvag6NZB^ zd^5=c`qUoriAdypzSVZky2`(1HR<&)^~A`09ken@&9@Gz$b|Qaa-9LTa~(S6EueUu zcs)<=Am%i;)8c0I5xdU-mCUVG-iMU5SdKA{B5YHCqNaY^OCr`|I?q93;)p@`rNpis zlR6Otf_F>cOCgPti9)+~?A8hmaC$nlG5DHhdF)XTt+i3zx#sP|K#l0`*f7)GnnfN1 z1d}$5EVmq?qqstzV~>?<-%y}LR8J?7rk{5ld+9#K{}Dp&a#E?*c@*(xu58UWq6P4X z2%}%6R-B|MS-ut;vSp(*8oQ_;haI&LY1_odrkW(>E_wN;z0e$6;7@Y;rIPn&W!${O zGX?9}%eKs@@Ie(tMWOY`E&>=&VUQ1tENN|IFNjGewBgjJ0nEiZ;m5Tw># zy?rr6VJUWDsI%PYSEkC*H#TEdkGN1qU1Eli?P#+#l#!^XMkaIiJC3A0{j6H_2m))( zt=bk2*{3kGM4U}d+Os8kL2H%-+ga{h%}KaEsT6roX&*a}D}xTuQx@h4E7|LzGUb^$UvU!KXHCT4;do_5LD?3|vTB2A^RjtH zNx@rpz7PXqZRW4+0+~!;!%cOHr};ObYu1MG+$o!Ig94mc!kz4bW7dR#5mO{%^5{=4 z3vixSCtC6i+OoAFp9k&T-S5uS_n z3yGCkSu3PRR|Us0A+BK*r)8Lp*iJXCoVg8-^~=-BTmfLw8=>vey9G^8D_^E<`lA5T zR6gEHz4*Ozr#WilsQKw5c6508N9hprdhQgT#)}q!K9>+BJB*0ezmO{F?_rwE#d)!G zZXEeJ`{?A&9I(aC$FE~dhZU@gj+vTYRIkLhJpX7rYXy0L>eN8|`l|4DHJCbdlT&aVt(8NRkW;&`{opUXS8aGz8zuw5@QbYw2 zzXGy(mb7G)pB~3?f@D<8!V2N9X~vgAo%h{d+^kxHoTQ7te_T0VN0o0tBZrRtu2~HW zORUsO$e)oSF<+6TEnW^GLG)j#+ATJ31A7&H((2^I(j@n|Ljyy?^huaaO>>7MO9)3{ z(~Bhxoj(3EKieq^mnT#9!rI#bz_&}7k6b<`+(BK#r&WF`YlSv^X~t!SA4a|e>?f%3 zbp`9#G#z~ocPL`7{*AKm<>m|v)NpK1r{pZT@B8hM8cng0zw_t1lej2W-uCCp;&rJv z&-r~2X?v=6={N8zpkvOZQ=%*!or{&|bt8_5ttf2*+mt2{PNQyQ1G!8n8h__snD7cmMhbNT)i^x~*a47uVXK_u7o2%VAwWDm24_r6d#i zW9{o-LfE~5A$gI%pK}Fr;>+tJde?%vFg(=9fq%9rxq3^x8Hj9S-3nK z!K)+6TDAS{cMWzTDH5WG2$!(31se)Rv|WX?Zr>UL(7L`4Ve1caS3$f~W8ce;N_PTD zF|gpt#(eEipX-d~`@M1~UxgZvyv&qgwr;CeE2UZ2sB)wz`7fAv?FV&`Y@hJeami#} z{-=$n_uJ|Ve}L+#n2%bH?8WvrZ|e|!E1N?TYbmB#~J1IreagZPp2pN|)va{UmKIL*)P`@0@{0d>3Q4haqe>z}_48YW%s_Q%Go}T~-m@sy}DibVV%U-Wu zpW2~V*csDfuhL_fMUW_&Gd{kiILAJ6D!e9r`y%73(lVtw1Tmjk1}T2TtUn48$j(bE z8f2xYvoXmF?r)EH^r=79(urQ+4>GOfQPbzKY8WBn`KjCh+3V>^+3T%!$#^eOJk-l)YQ5H7 zomSCBgBc*I>)|A?lN_sYnv{K6x73)vsln=C^TST(7pq2WB5|^>UE)!Yd!4(yw3qyi z_ocPhm#(I>2Tmv5E_bgV0Mjdz>e|49^+(o0Nd9T=2Ah( zB!N25AGTvVRR|S97#3|ck)BgK)uc5YQXyA7^UW+({JKdb2&sHdHG>sX*lTTN?b<*6 zW_4Z;5R{bLdYs6YpA+prhZ{U6dcQyurSQVhcAeH-!0;gEleYV?3@HR-=~KMDw3eu$ zzrbKCbh8smC(j^%I;c34nJ==UoV}eMq@2iIU>`?e{Za3PpaVK-)0`ls1DAe}gjf7} zex8+{CuX|w3~p=w^|^Z5Z^gBdcZac337-Dkv)CAXD|ln?0u$m!Z3Y?hlp!)I{Kpbz zJzEb;?%^6@UhBwL6N)02F>*LRB+7l?3P7?Vu||r86KXZ&{Cbmxvq z7+#hpx{Evi6IgMciy-7kJ3dS(jUbzX#gd!mfzZj&LawE1 zE3$;K*(!=8lgo*4xba%TOuZS-+V{R}_fySp3p=H&hR&}iZI^nN+|F7Yz*0!{hBC;S z3Q;vRW?4`2W}&)N`A~Da$a^vutsIG#B6V07L&aHlC#6-8Qv+A8^qSC2xAU&&yl>EC zqQ|+fhh?Lccy3(>jT3QdvY@73F($8XWgEY< z>BzM73ZAayTr^+%2ip-~naL!~>Q(e}+#DM>FfdNSO*Vnyrw1N@>UPy;GM#7{IpczH zwL4SmVWa7>RI4*mDt!frOANO=E2n`BiT+XC?P$ zki@HGWbY^qgF?Z*y|Ybs8hdpEHXS;Or{q6wXIUdenpAc&IwTWo()0TtR>q3F5r8Ut z)^2I_9Q_uALm{vhwF#JM;#vtN{7uSzT& zuEgtih)$pG%@wz@Pb1CY#SS@tE@lhh&ubLog-vVJ*y_!;pzp8ts=(t;YZS>N*9to- z4XaKkDS3U*Uxcal`7%RB)UKJ2j0nSf(nM!!Ud1e`EjOk=?J!T3Xi@EhF_Wk>X=nPl z&Fub8;Emx&tF=_fY5)#DRak5Obo9V((eqyU;fdtk$U6KCJKgvrQ7t_98Q1pa0hHgl z?JL#ePV^{nlB?|Eo2a0#$#jcpsKy$X`_KWrv*5B^3S@{JBLhQY%;DimNf^63;=TIm z{*e$c2c6CjiEJ24Icak&=`ab8^v6fbR|Xu8D>WU&W*-kzUS^@T_TusoX%c_&W4*4itkpt01E#r$1^1M%c%h27|gN3sB zF7Y?;<8_hT9LTa|T4aWZ)xs;DH(@gx&v=^p0TPhc>3~P)f0BTHB;y*mycUsqZTtJd zmDNrFMOTEUY`9NA8B2Tbsis-{Xg|E@b6xkLOdkb&j+fki;8yo3W*FoQt8UJD`o(9u zSszK1r-FecU(Iadj{ua;ZQ_@H8Z3Z6TRo&-IP<~XL$u)r`ny`(;7s@oqiU)sz;ki0 zG-xkU{KifbHs$>Ik_!bGyv`s(^?QGN%g^h_1v`FcM2b*~?tQS_JMZZ={5+L7o5hcQ z|1A?^t*|u{3e<1{#@pI3SB_g^qd!nG9d0{P+l($=U)Aenh|P{CL`RRcjJo5Q|B zI!Ha!vs%JDfe&hb9^B53^CFAuXF)vWw!}sJuM$C_yR|)I-wJ5WtIZ+ZObOBlMIaG z;z2gI)3@rk#L_75P6t#;YuBmEBs2tM8Ne6kF^auOd=%MxB7@WIlg9n(v=rvCOF^{TxHcQyy#~AMbVghox-K^x?ue*PcD_8= z6+nT$#d-H-2CuKY|48_tP5IP(kJvaLK5KDgyS%WpTiz#}xi$Mt>W4PoKJn_z(l=J16${-QpAvVaoZ& z>qH$k_aGd1&nf3Nk0~Sl|n}=;OfKQ}>iIHnlicPpu)$ROyg?Gzws{1_&r<+wM86e^C z{vY2SGCaP6W#vanzYnU4IU2nW=#!D(G6EK_< zPr0t342vV+$~<@Y%2X8M7UTcg|@-Hf}T$;CXY%#-FYcm;f44~Hl4sW&2p}YXDmJVBxd}LC;%Qe=93c>9U&Wl2+2yf;oZh z=HMbv>+Z_tGV26>knLUGOEfOLZ~D4#yj6R<*8%tujeZa69B&T}SsuZh(mGeSC5Sco zKJfjFW4L_!bQUc2V+#+c>&k9jAIxagap-+vlHh$=WbWrWSd3vL zTZoSDAg1fR{z|)gSthIQKfE7GfcMj)enS-QJeaMA=#dJtFN=*+C!uJ`d!)azvbOa) zR-PwZ#5td1Pxa|`Z9fpo`fPYnTc{*9c7HhLr)qt|V0 z$t22n+kvW{-3U1C-@qS6eZvh!U}TJwe?oy4Dio{QNDlyiE^=vK7wWrZ61>8JQ5=|D z+>;2)qX+!Fl!56kxpT&2=l&V||B}O&Z~%;pnQ&ak!^v^6y`(E7IXQLIDl19N$Ni|6 zPn*Bu?_ua~xKRlo4@S{qQ7a^HEpp}xZ486(Q&BUDwilH3;6skclJ{;K8XWohhMtIp zd99!M_L+)$*2=;NDdHgP+B~U7gd7@G)Ep@pfx7n51=6xBJ4#i8g3vqyDs7gs`7t4o zMSdPvT>~Q1lbt=k@!&_K^$6%KW4-_erojkkDn?mE1p6IM_CpB)JFCSU{d7Koyl9~b zWr3Ak92oayIK|3RbkO|LfFjwDhyrAz{1WO)i}hp<59Bv5`v3hn{{Dkwv3u%-`#^Yb zRZYMwFB%>WHohl=U1@MDt=K%tLYLgo%iWM5|3>kR(0p{`}@hnepCOxc$ZeTWM2 zNlzMT`PY2+VTD6nq`%pGSKqb#so0=5I)gr+P`8I3tBe__u zKpr-3C$<}3R6mKd=PVBl%)cq_V&p*jvQ0G-wfwSFUVE7GVK_S^SeZdYj6`=EUoCkb zZv?DyqKqb%wy6l)kA*@fWk|&uHW?s8mnR$ANZdoFHz75eO;@{hTibLM26F&R>uS~R zOz(dL(>lM0X=z1f?F3il21q7eb&y}v0GMZ@<`-hp3{V0zAmQv7!!V1iijyMIK4c2Y zA+M)v8KxG@W00pUa6HBhmK%Sipm7qmC4S?t+JrC;69{RIRJv(X1(PaZ00(?!r27Vy z$VDDiokcuHl&&M*0+N*FLhgMM^?1}H?f`Rc1+i?EYylcw1O^9^QHlYtWj&wuEgrFS znJ)-n=UieaEAR%>T0|qdiQLxZaP-~s^wA<6w{wKcWNH!G9Fxjv$Wm(IiDs!BDZj?e zmtIN^Hvso1_W5P{9)X>{(B`b^f1*nMJKN{~_9qe;F2McS8U(mMCPeO?)5O-Df4M)y z&HtVI!+$(B?Tf#pARsVux1PjMV9CtCT_kxzLsESDngc~5tdBNK>h zQR}B%le830eARo(OC&A3qI>B3Bv3=37wJb;$CBlqUjlw!Jox$>0t1MQ6l|4AH)+!^ z{*ml%>%X9$6y%Y{hXoAm&IY zA}Ve)lHG1I-T($3>N~wTo71;u_=&tq0UioWaCz47fAmoL|2~w5*0hTeCF4H5&Ho1f z3`Z%5`~&_u&-@qohl%1I{1a5neGmRgvQiR-575h_M9H`xj;Kv2c`(r~Mq72OYa(8T zE-jVFH01UBy~qwLnG7qMlzuVsE~qR|bmx&!P7gWy(o4eo=q15e1b7!2lNQfC%>E+L&nejXeF!Tqwj8EzL1D8vBCu zxw&_ql*UO$*taKmHYT)-x?AG)xT{pd{qz5AeExre^8NFhvu=IQ<~s>~fd;@D8;zj= zu`%8++aJdTy%AR|>0IvH7VhG@G!7LtMKiH^B;N%>S->t!k@$orR~MNTzbPFlgdD*} z(&wQ;W2~a3NEB2o)ZvgYAw<^qRi+OjhLyAt`SRn`;W^~yd7>sU7tI=~GS)dm=fQ_& zLRha9DDChDSpOGmU*Q#X+qG+hk^@SI0*Z9^Frc&`NOuc}v@{H$0@5W6NQ*Q`cMa0r z-3&3*5Hob2A3pE*e&1T>taZ+M*ZB*E8SeYudtdvCNkvKiyYFGj7OI3V{n$3L9fot| z4_VknCd~tcP;xRh#33p+ys+Q+8~F+e+2!S;zy#yGOo+DfR3jmcBx(e@4zHTb}}90cyiy?Hk^D-(bCpAa7# zO6NS^Oo{U!#(N$BT{TdkCqwU+2LTUjk57VzpK!H| zpQ<-#mZ4f|2@H~s!Ji1^RHXBQW)inU6u~bri%hxRPQzzIs_w8?SWWn^Fa1KDZHGZ)FicI%i)4+yuZ?86%)A<5ngM2U`1xrc z!G}@dws7>F*GKml%wXnCWE$YU=(iaA&$1L>l_-AQO*@l~7Tt)#vJCf?5|P#Pc~46{ zR>TS4RA?CnPz3#{I2z$mC0eycl(DbU2oUwPDG6p=n$r3YZ_7_jAnP7Taq+tLI%y*C z212qH_>RqHzWC)c{EByz-wUvBjp9{E81C|Qy+^v?gZvxgB6N@1A?SCvF(s2*v2D`St%haApkj<;Zz2$?yrl1J3 z3WvY*7ybr0zpTiVzLRlFUXGC7G{YlD&XA%8lqpEmCrMRc%FM}>NHOK!MpRlD_~&j;4N5eHm=QU%~iG^56xQR zeTJ^~IKhhaSn>S+d!%tmWysTi4M?4aeXsJDD1=e!hy!}!rkREF+;Fx#dd z;T+EhK%B#E+1_{%CrKCj-)FbKI~}0MXf{bZ-^BGjwjZ|76B`@bai^df<~z(OdL;*0 zRf`qGPsBDxye5~dRKuTR>gyXH9{%*?(Z5mM|E%xF`P=t@mu{VDer*>&@=pduGwDqR zg~Jb7M%sTeC^A|EzT;tJC0+*L`F-*$K^F*h1FtSn4=pcA!ZuF2=|lg?pqMKU;#A}x z!-CypP(UKX^)GbH)EV6$nX1-v;<7qlH*`g(@`H~`a_rWHHKg7bW~9SeWty7|<2uHo~QR(>{=!*CM;}_xlsv( zxP#IZH}=8^PnkK`W0scKGCh_g($ddhMQ54xhJM1EYUdBrfk+NaU_LA42n{PNK2duk z0GqsyiIz$L`aAh^DZL|gMTef?vrSrb^XvP4k)z?luY5PCUh5<%CI}~-#iU7WvU=p& zEDg&9)ITP~sK?&@d0R&7HC(b%mG*pCZsbW8tFe=PUMg>!Z2V!aIKN$qW#doEEi1C6BcHpZE#L}sdtq7wt_uABdMFv_NLYu2h!WTo?-mSbH-qtfKHzS7XK$4qljk45028&y1)G~{SgxiKXi zUO1KcB4OzgHPFlT$0WFX5}SNfcPOaUvWJKl>AIsj*zJbtQwQpYU-@yDa!?=; z8HefeLO};Z^Y3yu99Hu!h3SkZ5QjJodk;HSt& z1Q4+H5Qmjhuvf4J*NcV#>ko)*0pxZ#Hqk5tnBab6ZFoF09I-ohcy(xW56XJ9=sWWE z?UvOsgEzj@i1_};bKW~%HYpn;STiEK|J&j7qWIgqcmuEtF;0W&j+NtHpyYevg(9}I@3AhAou9(1&z}*1 zulQQa`5nFq^2>`Nu8zk4@DA`O&1+!ekxZxS>E2bje}aQmH{#l=?Ppi0CD@ zv(ow5uxL=~-8r82dJUPM9DO|A<^R1Q_;>fb-h(Z8-O~AL!H3p+&zIKPeAy@l*o6>V zV9&>NzOoOr#|G26_|g+#U1RTn!mGQ}lyth4=-5R_db>Lz5dI7qGUX)BL!kcpvrYDs zY~;xtrYliY5>6?O0L9*~BpL~z@({Yc-=id`JOk*`rsyKyrzcGQFdq30F5wUHZ$TPFLTyf^5rMv zdBzadRKUAzX!pzC(C(;0Zj#VnpPI3}rgP4MmI;T4WU_b#LX!O^1VJ44u6b>!i2tkN z54M2FAW%sy2iTZZC8m0T`pJ#iaDw}3YXsy>kQF{!s*Pb{r2gx|&${y^CEyRhJ|<$X zIfyXMeIAFcY2a-+U}Z$CdvG{m7|?{nPEw`Rc$C1>45Tj1N^W_Li~^2HFAqV^ce>;Qify{EJGb9|ZGCt9p{`VlNQc?tny3of1kE^o!= zoDjeQaWm3@BdusII&@%7ylh8xD-5bZwTpYRI5IGYBK zyku8DOmL>ona1Z>0Nr-^OvUv{vM%%?s-hXlJ)_D>*p%5G-j4#&OMkPwI)D4a_-v!4 zd_*yEARK)|goBqb1pcWua4jo}_OJRzKu`of^8i@r0?SZA`^C@2e>ffl z&|c;&&t8ma8u}~SHO{4V5WhWW;WRqBiewR9iP~$tzT}u@1b+w@YL+D4fblY!N&;TQ zM$McPdXC{;dy#(w+LmwMQEasm4Fr(I+1D+7VfvOnDCH1a1!|mon)im#eys1FoDystnBTd-k>8D{ev+QR1U7N zV0Z3Y;QX9D$;Mk}PUdtm!)g4U6AcSx@K=qL&1wo1R`7Lx3JWj#)GaTP2Zc`Ke25&n zMVj_o()i$>K|)-m#OVohwu>x*q487(L7o_!{Es90Qkeulu(iX4pArqEwt6&nvsLD0 zK6E(8$HY;rDzVY3Z@28`wu>IjI{=#*!jpYNTLM;TeDczmUC4MB$UbS)mj_^o79*#( zDpXG}Jw+xLKhh(x6Ybg+N5Z-QuM*-L4jtzfD-UpTJWL~W3GIH9ddX}}E-T{38MwG> znV{R62lF{-i$watLf3af+99u7b)hBWdv0?Z4zo3lSKBqkbNC`NeCzqe*LKJFBHPuM zf`uh^@oWC8#7dAS-WSWc%>bQK*udo~3E+ZdUtaZ|d|yOT7O~99(1v8DZ8_X00Iv_) zcj&uXY*UDy&72HdOj~9@9Dp2Z#m>wA6qt)v6J6+7bNm^9oEsLJSU5-y9N-XExYNmT zqu4{n6nllq559+WzgUc+V2IS`t+)FMfU#M&El<&1{ke!dM|aJtst;ZfkR!=SlYAR1 z5?>>M4}(+y1=lt2G^wJwNE2_7$88Uah@~tdsJQy$gOG~z1O9Th-v?WU{x}0-+4`b{ zZxux@d+p~>NvCP^r_I_r0h=cpe32C+`pES|8JXllg%`pgO#)1rega+eTYhaV z`!7uhfky50mWGuZ5xjjKFGe6pV=+ZQ6cwT!6Ra|5pJz6paJuKiDS(jFPA z_n-!-$20>dU>LbhcfK{*0Or75;F~xjDuFRP&mcL4WTX;=ssKYm)g61lo<*m8}Vo$B&Q%d>#5E*sSFQ==ny z^3~aDaDFSPl~j=1C}!8^S_Cle=j9`v2&rhU=->nX7q9H~sv2@G9S(=ADcZI&?&6JEsXj6r)ya11LG*hs+UA#r`QGWKi zW&^&HnOFi>oU55<$T$p0Oyfk{OI!79`1GMddOCc@j`C>6b=Rftc~D@$xVA+S$+(_r z1^$>TFbM%Z@ON5obtO6CKZ;i5mUBb2k@A?#V|v(#uk5@0MNO!G#qT@V31TI6$(xI7v5s!DOF*g5J4wEq?3b5Ef_tR@iOm-PeO%VlqLlX}uT6U!(BSb@!WZ7@7v zDoM-@9J)Ro@F_iwDaE4Rn{n}}bfQZkq`vk_CGEI2MTxRT-0aeMN6##EKtQ=*1Jj{l zz^HoP{jFXmuOR{9I^Bx$14A=bvXMa$M-cDQq#vU{#356g^IM4&`IHLeusiqn^9n0^ zmy(E|ERYxgX5Z9YC|2^qKFuT0&0qmqL%gMO2^W>RVF^wCL3QnERUJ+>_2Mt8jH7}S zvRcV1%WMGNDl8t;mX?kQHpNmF7T)AF_5%+W2c?JJQqhB(NkvhE7BOe7ux#&_Kp1XB zWYLid!RsXGn7mgEu&6kb+5|YbETUtX+@&FqLnYh7Mq;!y1@4vQH1^l)n{G%@<_~Q+ zh3}-pM_fkB!wS+5o34iY9b;dOlv*A18V+`Xybk%pXt6_gIUI%FG@NG6op5z~cyoBP z^sJfxoFwf(HeY0*Y`BCt>&->;MxQ+U-E-1#c@ncx7Dw)ieUP>F=L8a$Em_|PxzxJY zpYypsH#}EE=ps(n3FHs}g35}{AW#=69G^QWBie5Ph_+<-vw&j6H|nQUo+*5O!lnECWZB1`DLaX7 z)^&gyJ+k;Gg$Qlnxq8ZpZiTL}-b3z_8n`i0`7CuI0Hgj;OVT7)mz(@n)5#z=&^HKr zdEX>euy?-eJAjf7$Vyd;R_J^3^J4?JPnb}(3|)H@-&YO>T1b@S#xQ9|prCszy6qJm zuGquZ)RrshA=~Bf^7_rUHt`x_~SR(wst4^#Ycq!JFsBOD7+qBuJlj>dy2Q(Im# zXV>lxrS?(*NNM|jBc-%h*u{YY-H=3~3Y%=mz5);Fbbr#oiURir!_*yp`o8m}5RN-I z?w9AsJ)`b~UREc8oSxTL#-&}8CuNQZ+S?cV*0rgMlz`ABxF41nse6c6pRsEU!^yrp z?<0AUN(FJAzz(@hd};rS^H9lq`1uo!wvC&x(sbzt>Ie8#gT_tOW%$tJxnqPc0R)@& zddm=K!m@C9roTF*r^=rK+F_GqL+!asYnhB+B8uuw)pZ6x(I%fV5a5{s3!Cc3>tmm5 z(gEde1>ud!fua6zO-&>$nI$i@4M8vM2ZTj2DcGhainjx&o~DD@6r^j1M{B#*CwX+b zt-VBNI`3T|czx%pxqZZ1?ApDTMw6pqq&7ckchYhk+Pfwv9ZE$GFI8$+6u5LUhP$tI zk-Q%{awG`_V zcciWB+^!tQb}-G%yvH_BTH_jQx!Aj7w+rJ2)R8&dWXH(;hTaBU@4}Z9MW0f2kmSnS zERNPpGwR0-6@j#&t4b)xin4)u!?_QgYdZ2i7C@uwQm4bGQr(Sa3MrXZcVf@hgYD}d z#vb-00ZGa0>3fZK*QDlL+^Tj_%w(<|&YzvrT<5(eNO~Eu%cl1`VpJ8U2uJ&V^z_W~ zASneZ&x`84)6qJT_2no)IYw4FZ62`KPH9IWXScc6>3eKurN9J=;0~bvWHf0zQ!uiW zMg!W-%MbY05^|cji**Mac|UFlYkNlr5cJA+J*Xib(z=1 zr>qQyDspz<*+m#C1LuNb*7nmh?E`Xn?_ufYzPu|WU=96|*Wf|+sLRm#qjnR`-*pYP z`zYr80&>^l8G!oM0%To8^NV}~vX)AUSI1{M_JH)3A6~yIX+TO3ss*&&D*%w-zJ2yQSATHm;7GY+xI(VmVt zVZZ{HAe@kjF=`n*`UM>1&|DpZlldvb!M6yr{%r3%#(3&WG=mrFXTFEknDNvQiARi- znwaHYZm~?tX1P&0%XupZGoHVyE$;`2bR&PYHgb5lS zVu^14>3FvCY~Au_j(0^onCj@jm8T62>dx_Q&XX`3^WGF!6FXf&D4Fe8NVnGgk9CM0 z-JJ;o9|^(b(6YNBy+qjjGu9PSlQt8{n?$oGq&xRX^@(moI7du*N+!y(j3Ml$_7}Vl z5NbDmxy9!x=YEC-dp$QH?QQ;zb~ehM2A;~$%L+|@91b|Io)emOsj>M5&r-MhS`sMM z&~~b~bV7Xg-_Fv248S5a&HC5{^3A<32kdK#7z;it{-|}?0Y!T*Zs11 zok(J7t@LkF7(hsWDYQQT-kP;XPObSpCoyEza~xaMKD+6@D`$-3Sg-m7X1698Y!5dK zt-EK<)~K6l>cWQ9g|FTUEKn3)kAxw12gGQlBd+*kQ+?p>%Z#rp=gjlfDlCmF`^1pd z#Lb4+M@bElXS~ywLlIfHjoOZfH+q0ci;k@AccdYOGE|2m^ndVhk7rNg@K3>={ah0l zl_z^%WFCi4jL~f*VZwcXf&x6ln*f_#A_MPJ*a?yQcexk%zT4G>HD@1;!Lw-_DU5ico{u21YPq)&CRU2{J zE#3Voy}qF%c{%l z)_XORAKIpA=*5=gau$!s%}(t?z6jLDqOLZq1{97hnLzZ&T6`LR0H11iXj^_!&3OCO z5WfWn5qsT1v;8DUrepusSKel4qk%bBJRnsuxlg;+-)3R6Y(R)()_ZLZ0RRCJA>T*d z9*-0+6=`5&O^W%E>bV8wK)3l!k-Tl4{Lk#w9}>Li6Ammm%W;RungLKQ}CzcvjVR|oUhIX z{4<{t|0YMhH*ne`!bQ+9z#eXw84g@;$Gg#7T!of33$3Nl#+IE&_n;j0zV}s5PWPW% zw3sK_QiVe>oX-QE^;~w7j4cpYq|9HH8JVrczj7qN2WpaOp?donZV~+8*nXk-d^^F% z1V}RUF?TMi+L=a-Mk{qLB{!7U0RqYv_PSm2BHyi|DqBIoDy;OAdb`P(=}cmw=$+ra zP`%Y!^~~SXtc{&LYs|+Cc||BH^#{w`YjxAwt5koa0cGZ9L*lgInB4(H{qV7uw3^Tb zcZbGm-B}95b8iLf<2F(~r(BT9eBkjtu?n#uwu%)Z#GV8JzMoZ4!D`#NMZd3rO#n;b zD^w}>he2^qjTxSsDRGQ>{8_;|n#tE;tR_i1PG}*&mq)#yHoPr}F_mPe@%pxBlNh%N z1n^t+Q`gjHLczECjX}D)i{cBO$J@q#P-Pt#DSN69mZ5badRX0sB{}_#qQ|avt|Dza zzSmh9>l}5x!$(1Iz!zV+4mU*YCLym^)D(8kF{V38O9>+IoW0&I9+$OW2MCxJ6yvt5ry%^_ z#&110%ZD^NtvXhp>9le9s*arp7aF({qZ6G68EL$JB0Yr3*c(ufqTW?qR_X>wgxv}Y z4GRqD@8Ty-wR6PWI;Y2~+jutjww1*ZKC;7n{6L|V{X7H{4gVzj-4eQ+P(GB%l7%!2HAMCR#xE8s~xvL?Qx-~Na! zJrA!|tuOflV$`?eR3V}?-e95ycrD09dW38?eskc7{;-|?J6ct-+DUOWjYCt3Z3d-7 z7V6Z}k30?=AnBJJ=NY*+>&gWD=#kP^(6AZ}Z5%1OaS-Nhkc|+0knqgub9)xGs$TM~ z$KrpUwK{Xkrn6y6(!t%)j4DYe9hKkF-~;Eyho(RolHIEMpwaj_M!&nO5*3ww_dzax zoggNvydg%)&^>0P(1Rq@{Uq>Ag4RsarcG%}GjT9FazNuv*`%DHT9DV!aZoh}jq|P} z4@hwDr$o!4z-&ysU-bc?V>Lr(#_G`NIZS0z%aReg@mG;fMlKS%xGrajOY%W{9OedD zS_Xjp+1_zO+d6tw&9NPuP5T}~?3!E$Zt=(l_Qbme3dm-$mRn%MlVKZ8=eu1lB*S8k z7V+*#&W3H_*5-l+A6w0Dg4bYOi|vZ{FV1k-OW&WM$_D7Zhp?3Iyn=N*c?=W{L&}~1AZzs%OzKrQ%e<)#nTZF@m ztAFO%{5lSA{{)ax&B(*$aqvN;@H(XKTJ*5BMcbp`&+8C&@_}v9<4L~abw!~w5sw2O zp3r9nU_sOlD)pdrAH#BuO=(x_&*ldO)UgR4=w=F*vG~8qU?D?Kk;wu?)f&3atM)rn z+YjYShhW~YnqS>oH_d&s2c@+Mjtp(b4!5^p#}CpeWuq^KxcCHO7_E^YH?s~p4lTE# zI}aTJh04Pgl-cqBLE%);!7F2#bCk4!qR`=i{rr7Wvo1X>V4t!jnDWCS zem}~b7!BwJ%QJhSxQe9u7_8tKTRz$jM~iIgDxg0(`1Duz=W!NIgjN*Y4wW@pU7aX9 zlFPjaC(^@-qbP;8q7FtB@vVv~%*})6n0?BQJhYQO7uIypdOA(MU&fnRU8TRNCrrMo z@GClWo+(^0aXi^b$`X?EPU$1BJqcc>v_G)#{tb5bt@ZnpwdYI) z)@)CIhkBu|diTfQog5fUO}FU7Ls)Wpw}~DSO3Hqt5?S+vc?wiCkb9>e=Z>laV}=c@ zr!~_8^)UmT_wU;7ZbXXbZiwUlV^sy3$yK!hy$eL>`A;1Y=yrL}j)v`zTD#-bS)Z`} zrAD!eWgeT@_Q<2sz(=ygnq}3zN!l$iTHuu4WSPO3%@~PZ)K2w zHTlJBn<-C$Q&`o|>HHH#f#Y22xLV}hpfmd{N^pw+oC-gm_mpf=vSz$aw5#S{aTO@! z4));*hTB}y%hcvacOObNZbFleayx|pVYQ|iTOJL_&idblKvSQEHN*jC z;a1G#+3@@9Vt8x-Vb=aiCyP~4eTSvibnfkzuwFDx^={$guPz8IS`R_nPn@2O-bdbP z&eT6abSX&vKyN5KR%zZv094d_ichA#gU1_JRC1Pg6kvGXlHVX;!X|w@Hn}#RaQt>d zGb#^4;CcvFbvC$%MJn^N=qbSbME*gIl!ITsYW3w|_)Y<4a0uLU2<%JQ?zF6bqPVX{ z6HWwdfSm?A_#se+gT0cF@DtsMs=qH|u@ ziJ%|&EKn(-8|DbcKgKvOYTr=h%5 z#=|3ftt4x8A2=UkXXF2(aJRM;hd97>U#2$fJOt(=0ay*~^DABwq=>g_;YC|`)7}8|XR*oI z3nU3=)lVU<+lkXSq#^|8h4p*Wfh0*Gz=Gqk%paF%s|^98!u84phd7cMHWmtUE|d2? zKzMlc>Xg{nH2F2~cnQ8mI8YM$x zrTsD9upLStToLMVzU|`7QM^aQ6~RABG}FY4v@1rNQbhX`aj&R)Bv7aIS5~dmZj?#3j)Tg+(~5g zp*UmiGuy7^`O(Zgn;(2rpD49fUIv&Osl;qGMvTuM}S8QG;>=DNUlcvn7IsKIs+ z@#$y)6Z<@Xm3Ds}$Mj!S0e(@W5$?>@9uf#jHW3QnpM2jWr8985_(tTXYmE>fDN#aK z-sIm7;kyIYui7H22VUq*osLUrqZaUnCE8hXsaUjbq8U@HOMIZ_W?@Ogh1RZ8dA(26 z+m`^lII5CjeR|z1`>9n2DqmX16`)f~L6oDjborkol$s8?aP>~}PSiJkcy@I-QQ$c0 zIB?lu)>+yZeCi80zab-!juR_8Q(^iR4PiR-Ze=!LuS4|^q-t`Uo>jtgbpWaC?ErQO zGAMyH!b{VOnO}w>pcY*N?^PJd%xQUBr>3^+0(7eYHyfBq8RRuTZ;`nm<9*U_0jpVz zO+Z7A9nL{TX<2#cgexxZ-R$4b@E+uaO63g-{efNrl6doq>8~I8WgL1j&DG--A)eIX z_m7F*$a}%Ou6+qgP0!j$4O`!zQ(4EhUp`zVY`@Q6)1EOA#k{Y;Yb{oZBd(F%zI+>t zdfMcDWGpa+rvt}|cGup{;izVYvts zQ8aWuS~?K;QFY36M*o;0iLp0XFoj7voZ?9xCiVIvd#<5kd#RA!95TTSTZPPCWjslp zaD$f)M7M!c3@M|eBM2&iqT#}x-Os!xvZ~6&JrE=6W3358OmmpsRs{x83d zL-QJYFXOsN4r}5@z)iy1q6l)Th6D0wXW?P338Q3R&f^@4fl1-(uOTL9fYtAKKd<9d z(mrmu``xvqBLC&R;hv)Mkqt}W_jQ1Cgr(e7FLGBO{{<`yQg?kC++b^a2l08GI>zdu zV{yL*_F_i#lvh&VH{cRD04KfFn>;BezuQa7^>>}6e!>;WlXH5*B&GO(?Expg5L%ZL zW#xbhJ~@wuA&*3i$~Ex${iwBxZIuQ(#NXoS>%?9qCR9~_HofIQ?e8iPK3Tf%pi?*hcH;@$64b;VeU2zmiHkcxC*h%qe$RO^(blFPk%lLp)L67Ui%+Fyd5|r|X>NVswjb*Sr zz;sWFO%FX_n{4>?Ez_GKD@|}Xrcg1D{*Elf!%yl@w35(gtPdMRFAOE?4{ka96fCBC zCp7$YHY$AJmeFS*>QEv{IKF6ddXv|qxQ3BKkgKaVwFuiR1shKm;y zcr!;BWuFSZaob}egZpmeir3rGtZ(vA5-)sLTo1T9D#Wwo{3)xxacRE=cvJ2~LBj3F)t#T#(s+LIX6(a-h$W%DP#!oHIv~Dd0QZXx#GJHvkP zgu!)oP6w3`{}2vCpi7{^q=S!y$Wt@AQp;535Qoc{WD7MKG5sIeiiKFF(HHU}flnO= zs*J4nHD;_0kK4rA>cYa?N;_Om_U2u0U~kQujsg{aA8WqY4nEKglyQH#yhvDpQfOi1 zlV$agb~@!D&#Lm|K5PMxRGlO8D1Hs0%353JL(w1u5=;Q>qJhtASkTbr^hr=9 z@eJ2hTCv6i-H4gRiD-ittY2>QBYSGy|ys-?rcU82CuaAsi>LoKn(zsaYpY z8p!*mRph9em_GLRzN`uzjb)_B9}#`KT$xr0+ShqIMN9!@19;Jw+cl%Z=c?@RVUU|h7 zISTpM>94w1*CELdA2xQ@|A^f$rXM8zD|k@mXCG`wO1Apa-!sJCiKNn_tCq44eNf?# zpb7Hf{nIQcC?^=`y2RFG`Xuf+YvH&7NqjlIIhjG?~K z_iqz~lR(*)_G++~vyH2b1l{2VH*A9v+FJQm4uafvY4 zJhEhh#X{t=t$aUQ58e|lNjB5>F20X^-R#TMz4+F(eaph3<~B)tpRFyvqhnHvHYH;&d_7S)0fA0vHA(Q*DH9OY>m#Mhia`@{D4+UVEUP~^6Im*;N^r61=AOB8 zV-Q~6(Kx1>i+TEETDk5c=(~!je}z1r$gT13^47;(BzyvF=%QMkBMP|@vD4E4AA?%o zz>bnpI*z*IF(Nh~f6Z9<{q^PUfDCRE`j0O`h{zkKcX?4yn_sTv4mn@Ju;p$ODYN}j z#*5Zgu^_W}BlmNN^n+X!8S6fG@Lc!DuBHGQkb}a2(!tY;uWawbE<#>U4T-6EQv7{H z%viHT5=UoBJ}1jGmBvegseL`XElia|Qj>ft40xw4M9UmQd@Qn?lcWq!G(WN-YF|ML z<0b1$*Ffrc*Iv z4IUiWVLC*<1g!`vZ3Pwbgb_NT9KWKgOGMazQQJEEj6S<8A1V6?fQRuQoD7`(neAfv z1a*NVc)4$m*zTggi5UOFr>$$Id+!WLyW)U`a^+%(hbM;j$_Dc+C9yi!3zk-!+ zQ+$Y$2C@KpKpdZxRLsKj)T@StTeO5vr23D`^(bstsB%2uA%U6)^K3R2Jk4SA*&p#) z&q60ZB*?0=BGYNs@aK9R{?J zSNUZSr`U;?pa?ML!(x2I-M zH3Q%`q_2qsAmms@j`{qEfCp|qI3U~kv9@Z#R|g%7c#D&AC`519L;LVFQzWHj-^ym+pVG-U>f`ge{%&Abn-HkE z3I)u3e%2%v&5eEs#slU$8O7a#d@#YWpL2|`j_6QQ&>AF|GviQDfH6f!f?JicR;KnEWmJBRX+R9iRt;X^t4VfwkKy!)!mk#D8TSEXll^esSsKKog(k9=hT3J|Mj(+8l{_Itvbta>&5+aG1Yg-BT&p1 zN&q702x^k^Eh7F#{0Qq5pNNJrKG2OayA_6ZZ!VY+NDbV2w!9JkXA(5nVvwG}t^Ga# zOtRpXQ^=TT3s)Z%+VSJMMiPPSdI~xSPbLkhbWx9Ck8nIQCg_%;G?mJ6RCTaw)oJdH z)CNPSHi+Sk+7_22E{;7S+cA>o?f%7!-Pw{itkhVW$^|AO))NczN#JnN)b$O~P;sPu z>>5!Li{4mqOlf8?g|lM`H94QjSFV;0w~O`#&I=`~tjDmJKKo0ik)3vc}TTf+bGP=R^lqVa_7Y)aF@@1Rf4u`|z=AoZ- z*4Fi17j&x>8bYNzOn}javPhIkLu$>m0sPWq?pHsv*$6+e?ZK)eoC-~M%%F~ZIi~;E z6xPD=37)+=Y)`)?KDMtf`RmuQt))mJ$o2qIf#NZNhe<`)xXwkdn>|a-EP9R_EpX>= zl&?8(Z~wB_rnnkeUt_yBoAYToI8gKPa;c-xrFHu$dwp;(k6AzMPKTdYfxe3+R-L4L zHn2%f2y%$p5{L1Tq_8>pJV-$y+jrcOl%Vr9Af|se3-n&OnIkVjO7G*IXzH->L^Cc$ zrHOqn)(BYl=D)U_{t+~;j;~}x`tN7K4aNZ&7Xqjh^#EeiLcI}Nar9r^0`Mjr1eni}b}raNH1No( z(xqVbAyyA(iL?Iw4ooJkGrM^@@b_I;YVet6azdHmQc& zPm~yhXtDS@!%!Fvzw_u?PO)yODT)ZBM3om~c%MtDo&|cMZC`A^S7vWtD;u!vPhg1S zO-jXey5tk}4Faj>Olrm;U?4@W=A|rzD!w-b{{p!iDpz6K7^yq{b$c^ z>$}xgoCO){Em0(G`vg;`f*rr&o0kx!jTg>G-=7-NqElYCdL9+|^h|48X|mfR7QSvu z6ezv&Mz@i&MRHDo0BxzZU;i%B|E+;XS_}Rivkcbuip`G)_buSo@o~zgy0~4$=yKWS zLf6BU;+BYDts`DKgP|LUeI*mLYzd%Axmc&PyPg)w~9bRr{7x%ojbHdpg<+zQ{LxcV|IQgU!njUq?`XPBkFM! zv#ByiDesyqa$;ugTP2Bme7=v#ewTK;FwUBA(Wy0Q>MzNIhq?wvZ}NJ1O24GC_X@nZ zHz;2RmWFDStoIlFZT~g)&FpHA?De|)J3QRq*+JS}8a!v2%}Np*D&UC z%fQ+Mx0RyyMcLxMQ3CEaDZ6w;Pa0h1XQo2!0kqmI6*Sgf+EH1zBX>|5Sz;*fW zgtJP58+$RP|_Tzw*Qmvy#? z4WA>3(+_O(;z8U)Z(`_+W^2I*6LJ@f=(I(J%=h4GwI$`IlIB8xsvO>_V8N-pTU0)Dyh+KQz}XacI6%-OK7Eeo#x6lqbQ%8 z{w)$O!Qs0vLtq!a1u2vO)(p=ZcGw(TlNi^sYN$4SLa=w?7>c!#?(J%gvI0`qNNlaT z0Pf=gD(x7ErOe4B8VO!hbE_hpvCK~?)};|4Z~&i%7SIenTQ5;nW=5?@dB;Io?cW$)ReO_5i9(rgC%MU~C>_naUgxOBB&iJ;j5)D2KmJQ)`*s!YIU59G1i9oL zMPmShz*L*k=GYET{b1g6L+?{F6pLy0lq7gea|N2Mz=JepTe4#0tuV8`qIR99MjJK3 z21c?{GubdiRiGs-8zx}(x8|{LRs`j8lN@d=JnOm2+u_rgnAefCttjj4(Q|>WlpzW2 zZV*#9YpEPRr!IUB4`rn~m0a$D43}a5Q)$<5Im2l#!!n6z7pqyv-GwY<2ZgN@YpiHx z1A1E348ra?wEk>_j1xEbM2co~Yo86qJM%7SgT=L_eB-Z0y!8d(Zz&3lB_^a)!`XFwc03HN}gxzMNhhxY(5V{K+( z{a-tz;3NLO7hZZv>Yoe$=(SezQJ%so$rlDxP(7B3dKvWg_Y2O+1CVmI@X3>MoPW%gkgu|?Pc4gE(3 z>a;JG0WkqZ#h)XU;>(l%G-KIAF}DpMPl@9q3_SLn7WafYgG2l}UUj@`k1i^Hfa@ze z!%|8~;~UD0C(QL4;8#5{eQap0VzU*vFffZkJ}9pd>ZSbj_~c%y`%xk_wqYYy zw`|3HJFtV1^Qqt1_qY5r+?8SX+tm()G-%#gb@kV6llSl?26hw*8nubd*1qW%x&Eca z_`V*nXl#_I@C0ZppRWS8<^CYO-oQqj9xQN zAqA#}lXxYuKppBKrvaMSxN(uned;-29ir1JhMXiG-t3?-4q{ zJIV4tUw{ArZKbm6RjwE3V39IJ7S>POnKTH;p7~Kvcp@b-cj0T0?F2Qm6gj+1j<3(A z1n4|0I|P?TMmn`Es^Drr`wnHXDy#*BNqPWstJ}ZGtq#_CF@3Z%|2?(4gy(&Am`46u z^VHEmNcVrqTk|BRi<+KLX#8hYQC`tqvR&v&)WG@}Boa~MqGaanZxq*k2ZxQO=*dM8 zD+j%F_%jc_|GNKPES~T+hiCuH>%}}w9Vj4xD1Xc^*0_Zx@N}K`b?a8JMXI@p-iq+x zZ@$>a>p(z@CQcpVE62T-{)~0K`B2Yx?qkE`!?dz`=|DG$qH|S#8aw#vKzxmdWc|%+ zKD9HEFtaZScG=Rq**O8>aPz&u8KxumfsoJOE9g7mtHnnEgZTlVmFUYaC6V$>{JVh| za-$zWW}+Qm!dE% z?LzS-EOKIRb?vsbYjX#}Ah_J?sB>CVpP)?BHCcyPPZk+pilu=CPK2Ep0)pp zAD9Zv26fY+TZ?)y5h4iXXhT4QuB9LjP^u&@%t{MoOOp^iUff!0R77OTX0xt@tV}0y zTv#>cp=;tGwh-TIyyu0|!w$`uE(s3jmD@Cm$uIDzhxdZ+3c|(XBJhpzWAI5JXH>IY zy{~FpI-;cYB*70J_=!;Y`oH?c=^M-mxvL0&@D%lKJD3rf^MC^l{K-pw^CT}6-HZ|` z-(Mvmk(Q3a+DMxa0{&FukGCCh5_P+ih|va=L(T6|H%jd`(Bdj50Y@YflX`FUK3gh^ zLF}^iKCmVpuRXyX+A65}7Cox?4Ue)+FnQ;7mQ+y8pKPCtvd?jkY<}$k@ZT7#Hi1UQ z{#OwWRzEAoY5)_+)UPDr{Rr|uiHnC=3ImoQ%=uMtHw&y{X~6Z?g*aczCFa^a44k=%pgvr|tcjyTX6Eec|DT z1s9aI^);)V=@B+Hdw}g+Oy;#t_2NQq?gvu(v*yWe`C6^!!dJO!O@K_ln54<7LIP-j z3*E@ugm9&+!SPZ2nH=O+$%dA7eC);dhg|jK03r@bYsE|?L-DMgQ4Z6*L+;qi=hJHk zO#9thtaT@H3*}n(Yf#ZjVtuYvtDo-@bhW?b0f;#Rt`w7i`R_WN_aodo4^GI*?;wc0 zZUj|Itb9utq1YhD|9nYQn_r*ZQ8{$9EtO}U(82z7=oc48MN2Y4IhA>IgK?f&U6{|U z`y32)3>^UO;8W}k4JuxZ}Ch9DTNjN4@&w7B`A^;DgT0kJVm0y zl~fBl8F9Fw!CwGy9k!(bD?McwIKv1ThPy?1elK-YdlEXrZ>7NN0navjVtaEd;ae%m z7CAbt3?c#|B^2odR4`E~0f8h^5^14^mIkD7H|P7_ zd;gv@-d}f&{U@*oWUn>%oX>pbGw1rY_o$%Z%17Hmd#K1qumvS$~*=_ah>rcHU?3UcQu)!Lee{zam4Me%uryi2M z{r2&7MFLm=+>`K0r_K81-2Y1#o_YXJU#296OI(+B_PC^gmAJ%K-8c8%vO~p2e=J7r ztW8IM@u3LMa;~ZjN-XRK4}RP0=Pf`szus_r7|1T-MNdWl<85*PZ-d5Jy!!zU_i=^3 zP1hWBZ~p-Wl8pbs99L>E?V8#_QQQHqylU>DQJ{B9C<5+qPWk+iO1VeY>n;Tv2*b5@ z^w&=DOHw6J6&2QRlfIZ_mo7x4?EMDKMNC5 zn|?5tE8Rymh`p|t(<5x}O~NeA0>;+I0aE&Q1`p`Mj@g<3C|(d41C0N(mf*kH+5K7O zk^T;^-Df3*PW0b0pEVwB%>?1AG+f#~qyU8T^YrXl4-_&701NeWY>A!J#zk9lE$??8sSQ``<5+H z(i!q@W52q`#4l(kG#WohliHhHA&c4oRTH~T} zeHHAL%K>Bjl|2tX8o!eO{atYw;mjwWWljSUcBjrQ5d}NM7igs78n>*d47xc&J(chr=XewWxtfNo~Us8(MQ zR=SIKw7!GzhjR>!O1@ZMJndq7dy;ndN?p2fL}Lb|?$$Z$c{_V(=GR!|pNG^6ywOI? z&W34MY~*dJ)kB+m2h%{m?dOlCY_tdV702uGy2@FlYqQE$eT^p2qAq(U|JbY5>oJ+{ zTV6~}?PR8elK)V3@wspXXzi&^&ig1Bvjlbb=t~bBxeCWrBL7nB&|K=Hc^=s6_W-z! z;t>XRs|hY!;I z_vGCrtH%Zq&mLj#P*$8cL;y?J8;}>9Yh6r=^q;=V)0wX6nyq~{fyq3{O!38S%)uOx z$%~1Z2UaQxc_)J*Uy2>%(gE%g@GdDZag-!gVOY6YsQJhg7%py95j6VYy4C}TJ39us z{`UGm8Brl8@H8-ax=3*1fBaVO+9|lJZN{Z{T3Vfes2iX#l^KA%uX!G0Mr=v3#3(7< zJ~Em7_q1?|Ltua{DR~ZkP+VWc@o%@q|*Fsa{Y9&zCnO=X9j{G(9eC9@Jq*1NL z35`rUoY!gi=AZ*uuk%V$IKMBpDWc-8>cwxG8&a~+bhye(z);GW!(oOlzU zITkwZq7vEjGVR`cZ=2640cU`PHB|RTlP8^8dRM3h*q4l@nME@DA zp$_Oc?gBcFt-_)>RU%SJVXU#c8!F}k97U!OsRHOY9A%B3g?^5$F|!{z%6KAjV#$mC zTi3WjYV&f-aUI)tu>SKu$F5aX9lpQ(;kUzgna#Z}((d7R#=XZ*S?P(j%7}@{8mNC+ zZryzf=unew)p73_OUy4mXB1g8Q130BS+Uyp(p22m1y(kxW>LCV>rPjn_ayJOn($eL z-a%`5;p?eW6_rm)+wbc&Q3%p+##PonxZd~4T)39D`T-s6dn4`K`p;UoB3`s~hSkgJiYZfdgYt0Fg0dEv6`sbQ*a=VoNZ+3`{lu`gp5B zobt$L4QL~TM$%t-?InxjPIg_8A~SARef{jV>9V);Y)x>(h_5o|y20t{wWmOHCS*Sr zw`x-QR&chqORZf594Wil!pPW~dw>sC*|Cc^>HDTaSEO4K6TUjT+zu9=%Mi?!Vr#04 zF_9+r{-d=uIx*=5RIxUf2)3JkTL&xYSoZPX3vrfNh`GGSwd6Y*P8`Ci_P5Dr6^2JE z0uEHgtyKBJk`i!UE^}ECk`S0B(+hqSFIC#B2x-}Hy zHg_g#*KKWDfOD3g-lF@5PHh@ryR42rGp;bhNxA>ZcJsgup!c!8 zm8U3?;w{r1;2X8kf4?09**N|&l6X(^F^)T8xKKOor=BaMcm!0&WtFw16h;X)cB;I< zt0yh~&v{LX_!W8o)7jOFB))`dQ4QE;(_Z76Iu9OswgX(V`%W``ZKpPD++yAnz z_wAK<;K-cQxgq%b?%kTVZv@ddx7ucagG0d5j=|{xfMUNUc$?e(%@lE9Q2+hrVC58= zaj22e@+VXG+FN#Fz)43IB8mr6D&AawY#skqUbA{UJVrT?f0fut%IchZ<=4h@>yytDj%L~$><2j6%8v2mxO_WTYD$F=g7n(vIeUw={@hP> z-<~ytw-?`-9@w3J=3B+v+N)J9QLNt0_KtZ}nGuYWq1+tR7qwnQp#s;6%F z$usREJ2&;PgKAHP8EJ+^sAV)YI#y7*gfR8*&5K^lNf2-?+CoXEhG4{BOa(xpaOkw? zF#~*fkL6i|%`*)BC1jqv0jEvfb!ieay`Du_yphMLX(xp(ZY;2NTQYtx`5pTL-KZ*l zJszBg5{%=VU1;d1QZ{@cr-+7HyJhbCAm#5##4EW;ja+qh|GWqPvFq+S`w29s| z#@ldDP$X5ftZrVd55{XmR~Rx**kt!)$`7dBzk}*n2u>ngpo!G^(@4VE8=GMtyaM{n zH%CC6#7(^!&`PX03@hxmvm*D^^l+4hfju&K^1~Ag&^&mDGQjcX*#UWr;aXG}f^ zF|GsarvQII9!H8Ntd*!5g@i9o-4TuwHb1awYQ+gov7fW1C)8>6__eh4MvoM=hUthj zx%P0*0W5tU)kXf4h2^S4n!7P!g-ms?qXYx2ypN;WkfPLzUB5*?W*elOfyOh>1AjaZE5Ir z3R*#w#X~Wjzjy|&OKYhSn8Qpq^R2614Q@TG=iWYTiB^b9z}S-52890!Ijor0ED-g* zrtpnyH0daghf<*>HagyF!l}$^wsANuk-)!Yhw{q;e`LJjIC`};8P14+8tzs_)@M%# zDR=QSCbII{GHC1Cq*a4}Asd6Jws;!9TN~yj{HaD__O^4Yk-uZXMlJEt?f$qr!Kdvu zBe2x(!%<6I$3uI>HxdliM26;{)P4yG|00$5(}+I?xuMx&6UfY=wG4tAt!Q}>zmvqh zv4|k__YYv3~r~SOJ>__Di+3V;DuQo zWJizYR~p`%6}(Fpu1K*X|L*?uW2dXf@yO^&Fmdn)(SY%t@roGU)ZZugXCvj;oP?DL zhVKM@U{pYObovr}Goo9wf5{NoHN}LyaA;=7JfoXfedl zjl6*#9ld5Wpq4XH~4!sP1U(uQ@pWZSjhnM;x6v7Cpr-B~tKN;SpDl4@PJ>}<0C zhh4P7r8}CitAcYSo2=p13!Z6$xKsfbWp+^Gn21q_a+~gq zgJ~C0)=*s%?p~Zm>2W4VzZ#X%^G${1e6gq76c!xgitN8-ctR>OT(8~q3EySyl^Te*zXQN1UWql`S0?egw zUZ`#c=Lo*Wtk0hfW-OfivbIL!JM(}>d9E?4(~;_Nd@|zpp+egLQYW}&Nx<-m;;=Xm zMIv2!4DA*_`wwjfKHL^=nD|%AO;$-;PBv|m2ObDTacUUbmyq0R!GuR@W#3j3mZJUj zCw>vjJzCIW<~R94?8nX2!q+$bQ}S3d;Me$B5sDEvLe1N5VMO!&2}BcNbcu=)l=Tl6 z8?nVrjrV?4KA5^-Glw0MZ(CSrc^UQ3VQb=L+76BwaDRDyR28zMGC~A`u$Iz6*Q1NK z4t`4ho?tZj`Ia|(Uu>e zqn6LtNpBZ#yNn!x+LUhlo;RdA(bVjSbUzeMa+O+~x|06|a5QBWW8*>R)h43X2+=<5 zm2I7IEiq}XtZNea1FrAtA;RAYxr_CiGnT@#(Q)aKvM}Y={FQ7w+}pi$P!VFNed#3@ z(QTC6LE*|%*M=Eto2vz;F_Yc?!ZWuT5KEjgM2u@#G|T|KfR$J(_vhg@Hh6JLv_}7k z8$kOu!+At!^qbs%ypdf>#Oc+2*IP-D4Ki5%$)j+;@zl4|1I%_+qxJ8hB={lz(1>i73vzTi#?_?2ju+(*!%4-$>XcN8B-=2d$ z_%~!GMzv03KF~2tMIkDm-+YVm9eS_)vFjh*Ja!N0HZRgC4C4*im?12L@rVY3S%w#8 zV^T0wxt4=PFqQ=wE2YuQDebkw!-#ub@Hln4K$y1aqx%Yui8=#HHaL6yuLApD+wQdr z!y_R}x?VR|*14$m@|CP;Hms+Fz~VWM{_@`NRD(zfCTN=s7oma8z-Uau7ruU- zI(j5{)HR+~8+A5>NJy=2&rP#-~cW}f_U1tB2nYrn6~%_59bVEP;&Zk6hfh(RW(JSx}M zzj+xikguyE5}5pyQxg%91iq6xo-9H$Alfp|YZVK8TB(Fc(Wm}YEVl~M96=gnL5Y7? z47OSXM?=Yq82gwAo88W#)w^-_~NQ!pK|+mx+^5ERZvzfOw@b0fa6n#tR=QST{H+uL8S>u5{-Iu3?{H#krj4$i|h{ z{s(@joX~^`v^-T6xln?>ZwZQ+bkVW`v7Um=iJmJ2Cw zg_V=};(lIjbZu^Re&xGG`@x~`9G|L=_Y26J9IczukspkWObx|s`nqmQ)h!W)3m z5ty+qW)!hKjLLmW7rescLhmlj2f(o$+?NPhG)fe*#J$p^!(n$)fG{vyOKgGIl@WM; zPL6&TujT#G*JHT(Xcin$P<&)be=)S4GcJRxq#_|=gExhhdwxewA*Y@a8B!F*96rFN=qDJS3zqY8| zXp@{a^p38>;L>9t#XU@fz2E$b0n~3}&`53W%8LK!uR7<**+Pa9x5*AUs*45fHF359 zZ_9aoaSrl9=L2TPynyk1{?1~VR^zFjcZ=RcHDlGGl7SpP}g=Pk#$Mt^X*DS5e8B?gzrc( z@+fw?qn?PS@--DaCJ5z+(mv>;TVA@JKl1@lPTFE4dr(k`-)Z+VokJZ)0~a0R^?#MK z8sosb&bE1Y@rpL4meLgK8`bNyIu=~*1%sRG{l*0O#Jt9}XQ7kjehy)=zu=aYf(MUW zvzFs!)Y5p(Xa>>C71pvFi`FP_9#v?eX)CeYiiA%}{ak6SUYQE=D zz0vAzKCAzFE~1R z_Q1&H6(IZctADTkSNQYrLNqk$aua;I=Qg2+$mE0Z>F#FbAImT6%605_}(lGtC00$?Btma_C` zOx2^mmR87soNbSziU_bU1Um7EATCj{S0`Ka()iU7;1eNL-cCJ@M;m5zw^(O%dP z`ksNO1~U?e{;o~Rgj}D{{vtWG2BIJ(2Q!L7p*Z=}xCE<&6 zJdl_CXxhG_t+}XkX8so(Rj}@p*D2VTxBAMH+DQx_O4^7G|rAW+;)l!EDIlqUwL;mPTL$_D}q3IrSPXh|(p_%Wy3g z2V0|C99($e_$mRSWeJa27k)184e;tznHPi#*D|=GepV|;($~DkcY@5Osz1zAEU9z1 zwLO0*aR6XCDD>@>8IO3r6V$(Xn-NL?=?iotIK8lSM7SZw%ad4>J#CI!X;i0qY1?c_ z==AQmzNxO{vLqFd@UXLVFu6b9<=e(zKFR!@*jnqEGUK=S%kqfqkSpY~sY!8ZAcz^H zwNd?8LSR?_ylg2!EI%MAtLt!oKR^C*6rN7bv!A?cje4>EDyJCC-FY3gpKEE|V@YgU zPnvJN>*3@p*=Xen7ZNQds-Yu;`Rgm&kjx*HP>=~s7LX0N4;@umjk0Vz}ciC&dS+e&Q_gi-Ti*2dUx zCsFAtfZvB7!SpCB3F)CYqTO zRf^i=jz<3~542Plo{ZoW_-AN>O1j`*FFgztkCE6N6LPHbHVr8pS2Ox)jU17R?{8T$ zT=EY4;QGwh?C?L9XmK~)Fz({+$Da@fepl3i`On2`C;Xy$oMHA#P)&3LfnXn`T0dn( z$I-Ykk&OQ7Zk-)kdt)L+eP5hPM=2cN24ipB>x$CugypGwr7V$-RyrwB|F+H{x1Y*C zm?J^S-P$Cew=Oa4@6^!S&7QM=Usp4`dV}^JeEs-&)5-#BVh+Y3;buE-t~ABH`#@kB zvwF7}cn9w1QcPf8TfGW4a0JcS+KldlLV=Nw-U6**Xxx84th{o{YNo1S%o075j0>fl zoa6BYO`)e2ueNw3+}rv`;XL)jB zb!*4z>JZ#|rMs_H&~X!PPw?9PVl=N^97#G1uWy;^sF^{hM$K&SDd$z&Od^f4IWrru zL?*w~K}M!zYp0wUxgmXfCgTR*Lbe47*~$Uqu^=set!h}50b}4sJX&*7vu)c2L&e0`fxCToY+IM3?6y-v+KX?4tpI!1`v2|S zQ|Hrq{>!e^w!q9?Uei3K1Ux5?AeCso4c+rOtw|XXJOqtB z6LM*;%Jw5U&E<87b%%+U)vDA!$KWUHNF>+iG&fnClUTLT9Vb4Xi?Of@%EHFCQ^M&4 zlHoWscWR-p`^+(n{zcur7}<`3h)akailI-mx_DJpy-KVLf9@+JBV#_2@h;07-U*;S zztGpZu-((YP0kT)99eX7YkkSoY@8)FPpgdgW`>N^$I}VY#+FLd2XkK;aVI)pjK>q` z6AJ0TTTpIwq|JNehn=?9@V6ajaja@Qfw;P&()oRbK+DH9F3MJ6(T>8*=yiSo*&vd( zo<_sU0Oe0 zelrrg5K|j2IPXc!nW`mbY2d@=4_s2Bl5lmp4!gUq9El5;3c9tu!?J&|3~$+gUG3|s zTL_~KoK@GDuVcGFmUN` zjwXJI(eErS)v~gH_jW99jqN5^uj~fmS zxzmr3V<`7-ZRkIBm9N^8fyFyRl`jlhwCGd%tTowG1s- z_TRZ?$&j3AZA}~k;&EAoN6PzRQlk3RK8%YYbiBU|>XE8uAiu@msb(7e^oP zIE=^(j0zuDr>3U^CxQ86qX*cg7wDHD7R4CNxwQA@8wgF<+r)(532x9cFQ8Dj{`th1 zo?Mdg;VYv)f0Z&ln7sXo0d#exSu3s^vJnJ+Zi@sC~grM}`NPA8G`LWU}dj5sI z>2kiNdy$C)eyX;_|B0XC^d4qf;cw zjPhn>u}3axL;LqJg_cii4~U6MK${%KYwo{ci+H})#lcbr$pO9nr^=Kb^<`lAMr)N- zl+>#AKa)U61lKf5sZ`rjTtTs$k1G!&GC$`(cqPs;I_^NQaiw4IP)?b8B<^uqP-*yf zsE_O#EohWI{XdD5;bIXX;@p}yC z2NZ1e3*8bh2o-2$yx3>7?Cz+Pq`(K7ksk|+-HC|2wxU=JRTIA(h@dIct-qw8+3JR| zMnf6j19q`G3SE21xn;V?ibC8q75FoKhbCz7 zWlbNngipT2TuLwT$7tRgepqZ%}A) zk=05Hy9zj;S`=m|L1IsBTYCsCtE`Z1UP{7V#fGJ*L4CdHmc^~{{hD|qSx>?S%TNm? zj4B6Dr-ko4Y13igr2KC;{QuZRWyGGXZD%y0iv)k)KfSl0p$BmS0ecxxz3l61Shq%5 zo(&mLR+8?$pFlMz%O~GPl@w{sE&LK^+u++XsvaqNoO!_`rIS(33^NsSoeP+jmL9FG&^!Xo<9LX7Ayw=1v7y2>v^Jaw;E z(CIPPh!#y)>*}`Iul6GB6*N@=&zN|DK!`EHPI}CmG(+KnjFK4qtDw>^DpIyzYTqmq znw@3fnx9%wD=Q%NbW4=N|3#dYmf#0*mv2DD!7 z1Iw+X*f^~M)tT#8nHqJ}zafCUI6LmiBsty%q^Yn2!qSTTm4^$wqM28jUn^mJn3yV+ z)2+ht9Z7y9IAM!66(>1qf6ueox{Y)ys7x+c!gLjInSoxkF5HTUfF8x;@~mf@q5*lM*Qi;D7< zARP)`*zOGO=a(Jcu83T58hYV_5W|xk-4hH$@%dq|M+BH}6M8tLhF3`uGFWuf$z!}R zH#3(~DIYk2Xa7+HcYh0Hk?nGoJ7QcCQ<9R-E#@@Njy?}eDa_MdF4pN0k!p20jfm5s zxMR<0*U5VGjM?@U1#o z92ty49e_^^1k6Dr5gy(I*}$GGe#hPJKvC|KII01i08*@yfN~Mcnw~5jfgUtCS2Dln z2Tp?A!s>dk*5^50D96G>TYZ$4?E@zi61&e??)ajBi@P_cEAci@#9Z|ver?|yG}L9n z@tP%CwmoE3g21O7p>TO53nabcVx@+WUXNR(|MPEpMng>%E_vq?LBrd#ss^ESC!A!XCzpTdYn5&im)_8v9w&ulR(#$g-*HVjATUT#FmYgzc z;HX31&Gy+W&3E;-#TXsnqpA7n#~|GNn(c^%br2iDl-m9ouhX@1uUjyVZosztrVjkm}(CB+hFqjk=JnXJ(}_s2Iu5CCLfB)#9HB- zivAkcHxV+r!D}bes-#@nNK5TNlj2B1C@U@X`{6Dc@4V+`;!5v{GRfpe1_;tjRUx~o z>oWTHyq?}F*ojfc?)xZnyRGt>>UbQEr5pZl-NTj_`6R8h1)AfWHoS+NHF-aO78Y73 zS>PlL*`@>5wy+D$@jaRwRBB*Jf_>Qyv{~S5_GL{4Jn4e2*C-z)=Fw!ag!yP|c^2Pc zK6BzjLHrYbB5b4gR9dRB3&$Ewd2ScYrDIrMF-~|lf7mgQht)-o-M!sXX!S3~-ha3; zht64|dkc!SK_V8@aoDlSG>pjw1Q+{SJ+b|(iEMw@Qe4)V#2YsIC*Cl>Jnyup16&bz zn|thUm_qR6#A$jhIlfVSK++UUyz^ml8AjP{Q zZ$2ssov%3VQgiz|;uxvi!6T(IUL0qnsSr%D&wQMwt6uW_3#PFNpoAx&r^(-8{W5t` zXu;@0Wi9B3AYY>`szVk0rD;7ejv9jKknQ@F5V+AW8>)y zgMM^p`be;RU2p-cFlz-fLk=ig{fnHQ$IoTSr*PgKxeguaPu)WrVcqce8j$(j^NX1V zyWynnD@OdP!dJAnt=C2ChF)C(Pk7h}b8hNu#f4`ciU-2{A4>l*YJ58O7eGFoJlQ1N zr~{zF^SM>V2hK~M0g!{NWw|8Vgfk#@Vy?CxpQsD#nk_f>utFW!88Tx}$e^HFsk9bU z+4;Ohf-D`HO6dsb=F|U@fx-&A(1y@Rws!o+9l0GS*Q{d0PB z^j>Ie*XWTPxT2zocrg3Rpg360+}CAI&e|M_=+N1w+}haEu#r_jmNErH(`nmuNxl6C zgF9{#vjpRWY;g(Z&w_T0i#~J)nr74%MSn{WR{8)Bzdoo|1~BdJYA7+#zebAyc&If0 z2QVtl7u>fg?<*WU-cewYD5sh{AzM&GP1J?naotx4)|*RX0rq(IeyFd4&$ExJVs&)q zvzBMXtIFa${Gx&fZb+gV=w)LPD^!_md9a=t|Hjwp><+K;f0v^GtGZHcfLQ=azmoKpl1buTZ1H zg+>+XiIA&ms-&NgVsyz!CP>`y{KEi1+nB!SWqi`68 zn`!3cn{}h}Zq$4Zi*Ot4aip_+4E>arJLzTsvk_xXcv*8V*_hf-q_AdK1!4YW-E>t| ztxI{dmAm&|ZpsI|^h3TvN{D--saN|oEDbI|SzWq1P&cm87d5uao5vPbkxA}UIkEHd z`yBaQ{`*r>V^Zf?(m&njL9^_m39XvBE=Nd){{Ee^v(PutG?o!P3_@Q~NXQUWk)6Xv zBiQS`u}o!Qrs}wP%bYI!KgEvQ%0TQmX`g*?+_0!({?K6S&F*ZaRVf%sB0aR zV8_8V6Fy~9baN>E{9%i2L^a=wtVnwUz+12+dLDytSDW-Q=R~qwl zA!+Big-UlS;r;A|;wmREQDd8QMIru+h0-yZN1AvFGQF~2M4m|wpjgssNZ1;@f;vPY z1?>W6HiyA~_KTH<=4>c;S@ugON~J-Hgf!XJMq+fnGm9uwug0GrWXudNdJ{$$vpC(_ z&9hImwDDo)d$eNuWOqR$wg1faRsRpUdEH;vNFUu50~h7=pptp}Vnx-n`l0i2@5d@D#NpgHMVWeTK1B>5GO7*{ z7I#8c<=gp`9I)biSIL6j2OuNGM!DZpF_d%__-|5OI8VrR&UP*#vGaj#OD$o@pA$Cs zhwG8QxLSuNn#108>&v&hr7Y2pX1q@L*ICTtPoyK2>2na$b8jHL-&}_{rUDtf%MWD@ zpE&Pd0M*v zSf1OV@s+-h`laiA9|vTWI0O3~itnPNU>D|Io*n^sI})Zz#kb7xOFcRk)98UZfMZ{; z=-!aD(Yi=++@fum=L!;%TKcZQn| zkYT^(2~xY}7_*tSf)W2ni{|nY*7xP{;Ec5izj`uTZlc-l%~gZLTef%1BBT7j*j|QG zr7d84QpYuqg=n1JyHfE!^s1&$(tFdlw*6+Pbf%n`=AD_6Q$eqX-bQuh#)Az#sz581 zg;k!B_?d4+itc<$Qk>2)h#pCjY2%6Xa6`K#qie6@H6U7aFJDl^IYJ&ai?!CdZP=wN z#yWbUku<%8vNJfgZolG&IxYTv*I}f6(0yW7$fpwK!>+iqe<{g|JBCm^5@eIBwB{V( zuR&m@Tl+{Bi@pej66C5R$0cGLS717naBT>^^XnY55$t<72Q1H&kFAZo@W7aI+@^yV z_4yU!N2w9nT7TA-kuQ$8$nZrko2{4SZBB&_wnerY&ZUckhcJUA{2C`viy6K@R=qXn zl>_I$fGEefPZlMc_WqbFTjT?0Wy)tj#bE%S6@N|pac@BZCJ}gtsh0qB7j-^o?YCur zhAh6?a}N@JU23YqRag)STB}FoF0G2G~Uhx`ED%<>-rn!)-p#|3CKu`0o zUq!J7Nje-#&rtz=dT-^VnSy+d$AWQgvjZc;DWSr(-R2?X{4Qz4;toPw!P11>b5Q;g z8PLbpe3gL&DX+~YV_Fuz^2=UX4g-J6fDjbAIH-vzBoeb~o+o@U(p9)UQBeAAzGY74 zw$=}+l^d89ev=8gemYn9F|_MJ*vM}Lf5<<#-)N;I+LsoRhpfws_&HHD?6+9gt6GB`#%A;~`O`tLoaS!U1Pn9q+3zrq4le zfmLDFHcpS#Mf*q~#V9&i+SRvL!_%hAVTm~qY!qn9jIe3hkOh59ZE`>)Qw;X&Eg;9k=0-SJCwSIl}rI8pSQi91f5AHCx*8m%; zr`(U~0W>#RP&hzhUr!8kaQEIS0v_H-T?2=86i^oTZ6es!VI9LXpcJsEw&;21pTOYh z@dCG1B>I=vC(mO*uJV1*u}OtGr8$unJ|JmZY6iFJerg_EVGF-|=73?{Zng!5#aX+t z!|U|{7-ilccfF(t0X>l1RA>Z(b$k)e*M`7JRjO)24&}F38I`84mC|jDZ4>ymo3u_eFcx;F=8(M&=KsM~>@}we06r54-(+ z`A)^fN|e6Hi}_yGR&wiyrYTv^H7804d6BFc9gRSzVlUDBV)qFUPlH;j7xM zdj$~5XwHw)A+^@YDaI*Rfe(+m)as91m9lnTsRbPV_+RoP0b7nsUg1ie%zw!K9G`r$ zz;5bXt1Oj3e|dK5gKeUv=mEAh$wR$3ZFfFC5q}3;5J1%XYvB;Phg~53U4e3=^sWoS zQM4F=r+dBT_mtF}2gqJ^90E@=P0!@h-*}0-r|O#6Samp2N>u9Lpx#5fFMkHS1>%C z77l=VCuV~UNrJU7%%72%=vQG;+-?Fssy*(=0pIN2q@qIp)*sm}j2G_oy_)$OjnWnkULs?GcV1Cv&6 z>ZU@DRyh9S*7gB_HV6%x8g^h@xe@^=6cVlTi@wR71k?%;4=cm;+Dohpk1?94Gfq%Z zWB>AJMjfWh|H$?-bRD!s*ft%X@q+w*OI*lJ`~_(QkR1tR5RsCojSzlcPNxB@;&A=V zc4}7~RZydq84k?)16Wpr<&iA)UvKoZ{xp)sfwX_V`eXv!#>#k61K5$TJ=2idy z(NdAi9GmJ$vQnK}QYxR9vd`Of=(8aygV2O)4Q9Udlx`cV$NZFTETrn&_uP%+Obu-t z$l|_t8?uY&mRvL@gegTveeYR-|P0_&R@m zkwv2Z{OWWG|Aw4aYXpJvQ$8yM+H4$7)?BD92o)Um$x$8*%Re2G8`Vd!r;D*LMTo&*6;BPOd2P@j~wYMojXIYd! z&xy)-Txi!JwqZh)bMqmtuUlDo)k5m5apKak*+FE!b31Y0AQ9UY-iczw@&cELd^To$hlKd>FiTCuC)iHFuvCBjj{nE7e%n{${)=H% z@6hrP5D=eS0CB{}py*mT&A$)UIZT@guF-mHfS!@sD~TajSu-CAyBz194nPaMv5Gjo z`P{^~o~%h#>AIPNdtZI53B%%p+ScsX?w&@XR*ZA|`x7s_Fb4x<<%t51dC-b_PY`E@ zE-gh=e50__X8(Af!MmpbzV~i#0n6`GG_jGYyoSKZTtYrr*oj4l&PXym$**eS1H{hm zfb&0^`$sX5Id?EF;jE4O?M>oOqHy(4pvEQ{d~kfU2;i`+lw4q{3ei?$_R$f%W-6Hq zK>hvlx@-b?5XAW{QWky#8flk%H&#B){Tx0l7W$p@Ul7+7sV(Ki>TOX8@YQBO=5_T7 z?jRr-84$Bod;F#b=pWU4tgAKDr!pgnNakeKEM_CF2dzDJ4mB6LQ1$Wn<(kZS<@V{9-{~v+DRc3zn&u(A^!gxm)WtfU>edfvMd!?({PC z`ajC!kx5@YFOmrD9Ekws430p-u(4}tM5lu;2Jh&{;~dOqL7jKAO_8V#%@9G9!t=b5 z3y*c^cGJ`r=Iiw&eR+}5s~;3^fv+On+51k(&nB(Kf`!SP;c4Mwz!}hbthgUKYCs&j z)|B$U0TDKCDudBwstbiCEuAp&|Gx`tNSkTl;LTy1Iy;O2e>*N6kRKVe8ZN#7!#bTa z9}L&mIz|oGlM07bppjg&Un2$T`|)djem=iY{~DfN-0dq06kv0l2p=?c8!a;Jas=LY zfB_hW9wTHK+Z?k8>6$hvlI#IF^`a9){iR-3k=Y?uWwyn4qkI9W<1AKOYj>c;s>UKC z3%(2PF_A^Jr#L|4dUR$|#;Ep|%i5}N)}#eGs}wtZy|}w0=;fx=-Lgst?WLI1&Y02n zIjUfUua~yk?uk7ITtk4OO%G2KT5YjiS?@7OaXjuESa0G!LCzfRbea=GWy%66qJELK z7lb56oAOP?Dr!wm@26{n)YrW4056|?#qUy*w8>T$WMeeN;;^yIYronQB9}iiu3`;g zK4xRoiM)-j|9!%f5L2OsGuo)Jwjy<*{dA+rjVc(SKxnTGL2zvPURUw>g&^PW zQ!uLS(C8Ks1e+AVZ)k+eaQu;V#KJ#*>8H)+|& zH0g#!U6cP{TwRy96o~=G(!ks@L)HRZFM-VTVzku~*W_}anczBEj{;XF#1ErtM|M1`V)Kab&g+N9jav-WRz zJ05F4+$)tCrRxf>re|f5;syhj3oN}99`q5<{H1sbwAVfbc}WoOtP0N2))q18jnE+> zkn{=|ZF-i`oup{=>26tTeEU~ZG)10hSc%U5BjLRkt^0Ao^y^Pd2$8DBA^Ew!9v!DDh-SnggXf zr2!MAfy4QEhxW}4-0*)4WWi@%z~?g%`t$jf>TUCMGM@TKFQ_RR4?KTRYGW&_qu6eV zf;h>(cRsfb``u((FY2SvsVfzm$GjuAUkNS=f^Qa0bYbNNq#y}Pq|C{4;W$7M;@6;J8yLR+Imi(x6Kb6sidStQ`+1a}}k ziYt3>ViF@7%>Mo3Zr$m|Jh0XEIuruF%6s|K{-6a=oxaW@ogBM6_Nx`)yHYjQKmXp` zIJL9R#`Di+9t?;%=-{(9ROtiY zKIrs_a?|yz^V#+_tx4$o+V~{7qmd2;ma>liQ+M*f;Gjwi1%#aL`v>P`j4q5H&TE(? z_wWm|0df-eGHOT?t-0^ecdRJRz(;3y)XammY6uc&oHBAZg(*EckC9i^%CVgJ)gZG| zz9S@Z&>fm$#PQuf!LCCoOcbaT$&Bcfo$B~x{r`~mp3!i&ZQF3JG)Y`qTp=Ndl1L(m zh|Y)}5hJ?jB_eun!;B<|Q70mLiypm>UXtj&&tMq64#qH;G0JEDtTCKwqp-^j33fv`~2WU4Zu^6>;|6S!^}6LHAokV=b)R9iR+p z`X_&0rNNmGMpozkE3=nT(78>XxdM0&=b8$|O=JW9JBaTj`MB2ftFwfBnn)+VUxLAm6&!dE2^7V4@VjT7$z9;iRGewz^r zc*#17OmwFwek!^mhc zE#^Mjz`J-`P1b!*!!?EOfq#<$@rG+ztEq)UnyK^OTV)xKBKkjZ1bZ&2gp{^JS2{b6 zSNL?L8i9<8Hy%{ld@WHh8_=#f1^sCMJF{ajpj~H$1$yC~Fg4DyIRd!l@mlUQ5e23( z*Y}2&1sEMpacKVOY&y_E9NYE!+L|qG# zfKd02x!+Tir3(Xpj36+-;OK1ZsQD4aF7ySr#2G~{mn*{`7DpcRg?=)(@%KpiO~O8i z_VlmvG-(1^KZC<|f2YYLrAyGrA!OVXk!<@)KCl}E!(Nq9T14paf5YVfXDB)9#SOxP z_#(TH;Ns!?d_a!eVa{rJcjotf_gHip)QOb1e53Y#XLxWr1zye+f*OmGJwe2e_$O!eQTi zx-{h^SJ`jciAMOCi*5$%Xq2YgpU9cy*|faa6L4GG(YgcxC*jQtP z6Iu?f`%W1aGqer3nXdQ}i-xV#a8`*i?7z{T9!s*dQ;vWUL9pom&HGkI1Q3Vp?esy(r(X;F)=+#rt~m~(J3cH$Amwr&IUWXjz(k4UVHZB~?V zL}>VswvGzTEiwa|n4y1{HL!6rmA#y|^mMylW<6Y{F5)*9^;)_u;bR;9k7QnUtDwN4 z3%^#77E$aODjLqxv=IZ;W~~-%GQl5++h$T$^daHFPjeGzsfCQ_^U`j2$gKwR#+UaY z*yQn7{#^Zy7GLY?eA{PVO5<+zllu!O4XM*grYk;Od)y{P*PeM^Blde%r~kVe5qzF5 z{qO;h-FVR=GrE9^h!hR0=k7q6Xg0nFoC~juj4Io1ThMSopmySGW#t0b+1xF)c!Pl? zhX`QM?=&chLFWpBPS`08lNR4--PWqG(Cl=$R4^w-EW(L5T_&=sc zccuRetR!z9PJfOZJ(D8X<~5isA^_HEl!_bUH!+Gd zypM~0(#AJFXXO~<4%xHnm6Y#;wLtlA*{|qpAWHp2WxXO8aD}(C+@0GNQ_@Ngl@LEh z)6+!xPyrT&Cq?~XtCtO^=Px+Kr6t@&)rIV2mVJ48X!&ClktSX;j~K`l2hc@VhKzY= zXel}IkZdnmG)z5GdvfPCBSJ**wvuOCPI*+VGql_rh`1Mo@Y{#2&PQ~3mZtqaPD5vc zEWZXKa%VKnf|!38=nz6l1<7XBKd-rM)4Z4?C9~E1_*+m%p-VO7hJ{11|b#@P8L2(PJPFH-D;e zv5WTQTR&^rS3j~Uq!aqOjM`E8nf@%#FAd2XLM903`DKeS+owdcr^1Nak;uv8rM9c< zds1mdz}=#kN=6(7-RTzo+8S=Kg{;6s-bbWKP}%&wiB%!xV5z?k!9xXw`ixrT-dkCO z1DjPo0Yk8BDpp?7VTQY@d19ob63fY5tT!~aE zhy&tc+IFS|uYv1B7gHsIeOU2H?^OQtf|?ux^wk1$Tj1n$j_EdJPQ@3z6@JI?)@%ob z))(sdaxt^nr3A=L7;>W`LumG2_3Z=R0$wHvtI#lK$NT={s6;C@>AknY?bEdzuSDPn z+nvTM==lA~rc8w)E4-;6$Aac;FpVV)x^K1p_G+u|sqmU~a}y$Y-48W+Pjc_6%9;!h zJw&SW592qP@(W+sfVARmk<^vvakwJRwMP}Lvj!6n+m__ZI&S+3-t;;$w*v4vWz7$D z$#!t;ZQFY}+z=$Q3YL%77@&H#u z{7uWc(6EwllGIvG@s4uj2p5t}sskkaH{R{1gz=IuqvbZrAL$!lIDQqQ5S1ETUWr+*3sy4OCJ9_pU+P>K}83zgLJ8 z5KcSsB3$b<)S|O}3;M7c;Hp&|+ROcZBaSq-5Or{}(Ro6&??O9pM4 zd?SsgL`C9%{xsB;&z}ahUa-%}c}&te`VLb5`9{P~4maagxnmzaBFS8#(kUM;Tn!Fw zMp$n#HAmQviCZWr934k6*q3zKz%2Qi*i#ARu86h%RY{3%M5H>$O4L5zIQ^x7J>l&` zAVRW6R0$#aC4SH&$cA>@2w8sGmbuUBww>f6E$trUiN0MK^`kN&GO$6JR`6M{?fHOj z3C_qGqw}MldcW0WCB0d$&=tb(_bduGv8bX@rr>|C)_W_|0){TLncizl+v8q)tD=%c z@2moSzI6pS8`BJ>?9|bo=iXS)p!Bi-;yp?G7yc}}K>+$y>iF>oL%RriKf5nQ+7->A zA}oMiavNaK?KNf?L{aSXm`=Gt<8n|a7V-%F{sdl_YCpk(fK`LTp!FOOT#lXil5l{m z4ab@v<*lrhr9I4FTCB-_gW`jfZlU+#Z|lF=t1g+AN`0ltif;Y)jtMwux!nRB0RrqN zky|PLa7ZVSG}^ecRyK+fDzE*xa`-oiYr?{ckmA01%Q2CaIh8H~8}F$owaXCh^#RG| zsnSSY0CZS30@J~W^UuIMdS?ZbD2E6CajP|t0p2CkTgD~<(86R_O<+hx+81c5DYD&+ zOnR^po`QDyIV`VX5{(;U+P7MHe!RvIz7G%Kj}%!HR#t&^47{~@{iIEZJX{`?5bzAc zc**awk$+L_vovx!U~}E;3Y0h{c4T*&F-;s;(s~@R4kAGT_=W|c?#?hOoR#lO(XNTs zZ)$!WMVG*-RPO{lIIsWqnJ8#wl4>)EKxz&q;fSOJD%O>bY%y;RRw)!bl0M{iU!+;< z?~VqtkePs9`rwIq@5C_>g1TJ<#0#k9ZxC+Czni(9P47G-C@1=VV@ChU$Fk7#pK&9^ zozLn0&Bl=sp75#Lqx2hJ=pi0sjDQ_$jMY{HF`@CEk>mKo)Xi1{)DsJ5uwCZeLtF=E z3x^6029M--4-)!}fH)3w_95K|lJ?D}%D<$#cdRIM!Xm8A3i1)nQ!JhAn7ZuQW8=T# zQs7or+7U8vcd^2mZ@8g-d(w4!qmEzlgQ;`1E<~uY)d)B71VZN%P)%A;0biDd4#&hd zC8Ue&eJ}!k)vCe3KvTVPDPWy*_u73k!5h+Q=kKB0`mX`~#{biCz%G5(<-|S`nR*KV zaHXFy@<4$4r%~pYYZ(VGn~+Ka<$$IxQQc-4mFC(K)r5QvK<_uscaK0VRuI-x(p$0i z=@gQ-x6=F%5zVyLV`4`;Rzk*=q2sxtk)H=C(agxdTy8KyM#!dVPp~QfBEZyC^R{n;{g!Oq)6caRJ~tZ zH})UCzhx#H;Mp*EvOP&VwNg`bsXmzJKlE!%EC7^_SlzF4+tj~O%#vJou^*!H?^M7C zL}1bO|MIjTRsI)GO9eRWeB;c5rH1M8R{8HigQgZMhug`4rU8^mf9q#U-gKm)i2Hnd zm3fmV@pd4gb$=|QpxEN?wVCHlRGJ#HQmEX+(GHns`c+ilInH_}nl2J@#1mPqEpr@8>o3VZqh4 zY!)D$&~7(&?d@~@)(oaF2+xh+pMe$Ip{6Ge2)2WXiJ^0n$%-xJbgkQ&!Gwm&XmNPa zdD9dTB~G%}ZncF01#$Q%@{gXZ2dP19uQrOGhSj0ps$QmnP0g&1L8gX>qL=@?ZC@%<=BWLrb85>^mv*M^2wNhBKCH(}+$VXmjLXx&> zX1`>7__@0g(3xEv&}g7E`^GgP_26WZl0JzMJQ-{ztx?;TyHOiCMWU+bGX1CX_*=lo z<5>Swe#*N|UeS5Xb(DYm3d#t5i365r;n9XO3ixKZt|*S~|yp2kwT2%SKERXFDf!2M4TYl{Kbk&IJu48+?R-;x5nON5ZP`@mrO*Gb4>SSl_D3@;%1-?y>ppq^U$4ZiOt$R&<{}Nq+8V zXsOWvFTQ;7(~Eob*Z#LpeIG72 zL+Kz|DoL*4l@x4_=a#tu5>|gy2ldA*h~NZ z?+`shGqM^^UvYdVk4dL>NB(xQ#iymwmA5}dqtOg56G-2M;XQrR-G|IFlI>4B_2)8F zc8~hk7pp^|#p)oos!ep5&m- zZ2&vmIz)N3nv9N=Ht*jsvfaOx*APjy4e5fUd!)%3Hf#}+zqOo6wU;!!E2Fuyc4j

        >!`zhU`o$~t~E zA%==oeMuPf(%qL2$*7|4Z-HLB^vBrK-{7Z)6Do86nmLeY0jooTgqoMEi$sRG3kD7L z^FNtuvu%Z%Lj0@19@jjP8kT!UYr3-`kHlQnn~(|5ZAa8AdpJtpPIK_fwNbJd(uMZL zPqzQG9`SOSEK01F>7vcXnGD{+SSc&D7loXWH2TP_BMuAq=O}cpCBN0|ZF?x4$H;HN z#+!X{2GxoD&3y|8EAGzscQ4n+6$;qPP^IcTVlpy$3BA7%>F3?ZhMMoXczHGe-_m*F zI65JeW`p(p)*KyUwS9b8Ec~6Pa?s1<@6V?6gc}IUIF=WRBi*)@V}CYWgtDBP1_xyK zxs2XV<~UBQvF0Y%H8T>nTNeMqVfK#yfT*x;b;X-`qp>~P$)05Z+4u+C^drv^xfqwT z@@h}+Qi_ZB_){b2EYGb!xB<0;N(A1K4gsl}YnXmjJi6}S+VF&wTwbIEbyy)uvxj~^U`YGHNM{w zmZzU;9FNNne3L%icc%~}!LT8$cOoq)lGuvSg02+AAiDXx-9JFbtOJM>y6KIE@lQ2P z{Tb%9gbL?1n6#MX*+pKACMb>aIJ^=;GLUcb{u*NFe8A8_;$!-eK+UuKBc7wW5oERS zJy0T3cf%iU!kf&OMXNrBhPmIwBQrW$+r;TYncjS%0^@bWD3|a1B;1<8`)J-PznQ$sj|wZ?7p^1;%W~AA3(g zrEnV(ikB%H;ia1e)FtJ^-a3t0f~>Ie;_`tF?S7fczxPAohkF{b7+Oa!a9(t(%Rzbd zB0FaA$;5k1{Ww&=ulmJnD=WFSDG!$EMGM5OrSS~>8~T)DZvcT{Hr)7{ps?fJ|4?%UU=L*KPoITgdR z<4uJs81krMo!Lk3+#6mDr2(x@6O9;$nC;*hTr$?qvlJtbyP@!YuQ$56*122Fnng zFiStr+0p8aGHXrEE}y(@-!D+fQ*C>{IWX$rBOCPr(DEjuPBG=8lcoC88Mp(~_SaNu z(W@=$r~P0%%xLrJF)OBePqdoCa0~r}Nn-pr58MZNsa#Z18a!e@Ri*lATDu`uhd*g_ zzN1kXl~iM#>*8iU&SevY4#Gc}P{9Xm=0zs*kNZDL_CEDJD+_kn+Mz6h%B&5aIPUTP zDlJ~`Ep0iqTb%WiHR+!8aH0)JC1{zr^^d`Q{MqX|5=XlV_8Q1B2#|Un?QUYy@a`g= z?34g2ew#P@#L{THtWL%aZ-r_ce4q5KDUm{wZ9UtLcu}QaEFOQZd0Liub?83)8!=J^v=m)UAUV=j zzI9yHal`5FTDsBhBDH#$@+S%8DLP0MpufWPp#m2jlx2gU;+|!}@bZZu?(+*FpeHW%x9yuqc9Crl=|F7-ux2WUai;qPUgk{q<}__xr?Q#g?6TMQ zrgO{PY)yK2KVErNg1*Eh1|k1s-U*B5fGEOpyq5oj>=W+o+y^(W>6)F^A(E--*qauX z0!=u=rqd`wdQg7`kEbkgu3XrzjpOq4xk=T}aQ(CN2k+|B8qyY6$^B7vOKX2Zy~qOs z5-ZRAwz|>9{j;dbzyX;b=0~T=*AEbw)997tt%Cs3vp;*x4lF5^&d#idC?AZ|tfOO1 zD@N5M4@yt4qq6Y~^>J?8&5f)*c;L58MsMN-Tfpt{2K9->NNkeVFCi1h(46>(hC}D5 zsq(~56&oui^Sm#KUzcpxv6}8b9EJ0;3~M;3E_ArU%ly4(O^Tz+&$(e1>$4oGXt{7> zHdfE9yV~R1NE+;-fypbbr>W3Tq}xc_TtjK`cNVQ-J$onTn1E!5OHQ>zDAR!ASD?}s zB1glBG1y$xk|Dc?bt7`;LzE_^2 z)17Cb6evX5x#kx?#AwhRh26?ZxCwtcR` z&AQ*mri2z=RcwTziRIyg&0}dNtL|6H*Ai{8b&f5qk{DC4z#?STZFij6j1uaik5LzwM&HBLs0I@Ns6^<#P__P1DF2CTg( zWm1lxf|<%N>9uuF{#t9#Guw^X1MT7+h3zW|kYE<%ooVRa!-k!Ra7SQJtPH0zGl%+_ z%!#+WV@$c-a~L-`4))vrfWcR9dGzYU!>MQk4hJ6x6_3u3wd*lR^Gi-9wb2>XQCB6Jtv;t;J{fG5d#@2#d&*vf`lRNo!d#rQkxL z{O-N{{)S8zHNIMTFO1Vn>Lyw>X0s>y*6jU=6azm8G~)=q!ib%9J$ocryYHk1QQdqh zV}c5e7mKPd`5NMlpX+t1%1ie_VNVCoMjC2WN9!D7MfALGZZn}uvUmdhRXPWAgV?hcG8n{yk1VvES0m^%Lr!;Ym|c@ou_`&UN|ylbW~mHu6GaX>}e;xdPu-l>}R+RbUfC_H1kS3tCyev$9%=Yxj^j*HqgZ^iAD-NMM>_~ zp%mFW;0r_fuxDdSRNZ!bzO;@>?9q|!mF6oG3739|F1LREp>pA^&{WZJY`pO4^*ykKg~p zP^vKqTc7F(Onp91_!y=gm0J@xHGyj#ucB|b$Mxc;+&yUt{C$R+1i^8CRaTcpC8c*# zU~9~Nso&I~tj6ni2$@3+8=9+bhj{9B*nh~flxLCU{IEi(4wvh8=A2^k*PHw6}OnlA$P3ZR5yYJ7!fo**o|^bEX+LKsDv( zj3{Rulo+T*-KkqYGTQ8c>E{uA_0#QHo$BRS%!ZwR%=n)aSGRj5Pp+S6s7k_Ah}*-1 z?2VN9=OKSfo_*fK)Xe%D`EYnk)fak#g3j2?o}^Y!qOWIvmE>ia_0Gosa^G5N1@qI# z-O|+MVsD{?kYgw4Q(~PtBl<>i*&B@$ElnCr`zNoo7B92^RI=mj$yc{k7&GUF zTp&*D@P-7{i55-g?4>;6<=Du7PC;JY6r6dDF8zt#DBavF&p_`OP#3h2O7lN|#P6-~8b<`IPdza&otjaWxKjVrP z2h{al+#a)Dt}+%EfsanZ`Bju56cj<;~wqyPPuyUE&alH4VoOxxVZ5R-szslnc{J6xMEVP-+^>VjK}0Oi)c8UVt#da zV{Vb|bzY%s1v9!j4PZAFpCt_*x}&uNN*o%*ppLFRN$cB?9D;0ej~BD$g%Sq31&-%*&eY{fDb^4FG16VTl=3(3D|+_;u{ zyi&b{;8J`g_41rB<-Zl%xW#x|*}kO>dck5>jMp#!f#n&0FF`E{i?)?61(U=@@@X0H zy0STYUC{bG9b+W*b$6g9zT!) z@mSWH;m>&Xqx3~VSxV28^IN&1`W3vsA?}vZa>ly%y`U$mj@bMjxxv*>gICfgT#-rzjL`j{w(A$S1&_I#e`}$qEr88kOUu9pfQ126yGO_|q3h2G1+F}|h`9`~EDjL!dMdVM!R~1PzkAi2w*X-&)mPj8*1K+)1 zJHnU(!g+n+O3?20mzFtu7A*E@nD30N>U5uO7sr&d2W@0%gUA+v&pTT!+18L8%bhCw zBDtN+-JQGK)hVUBy>uKKl~m*UAU78ge#J%xxi(>nPq`4SO4sI>Un+R$J81oW- z3V3`yWtw`Q*ZAyrqo-=cIwymid42X`kjKdt?d-`Irx0Xi?w)8WuogA~;6!L3?{%A! z4pezD`_fC_Jxmroy-l^(!?eK}3sv0j+5#1BCMxjx9fjI#W(R`7qsi=d-m8hvzxq~^ zGjrBP^u0rP;d&Q@CUU%MEn&CiBk7iWHF`B$7qab{ZKhAjb!GV{sHpzy)J+2I#6CS` zHW{BC^Icr?5p&txKSeo7g4RYgGmph$+4SS#owu^YriFj5h3R*B(MyWY=MyjIoO9;` z7;kl?9}$GD#vn=cZ@O%$YGkLy*(wD>eaP?Yl!?dMg0C)TCbP50CHF+Rb76<`*ex0) ze?N&2klqObOipiAuarBlGpRB6eZ_bg2gG|+j7h|&YOWV(LG|ix9%60qMII1yPEDGt zXE35F&U3;x^zTb@^p>>xw>hwcwF-Ns$zhGoqps2@HW#b*TV3=$6K7|RmH9H;6zS8V zZCF2!_Q5VjIobIGv_v|utlrP54t?659hqA ziJbtRI4_38nyR~xfU{vP6i97eDx0x z7`Gpr-9nfsHXdiAv!pnZulWa%TWChQ?MWv8L!E4%Ri757E~6(lhE zGgq(r&$SQlJ@~i6)j75M&*jhX)odQwj~T#%%aq2Q<{Et7i%a^dio%4rIlAElZu0F^ z;=~-=Z>0r0!CF<9sICzDkh#D#fPt8c!F7ECi-ZnOhg^}da#+d$0WFwK=;lg=W_bC= zA~&1R()Wh~hwUAAWyeFjbq!~ARhMGW@x@cn=2|-{jq5`zd&Y)5FK+lmUXKA*E&u8Y zUh-PGpxF4a6>-}m;;(R_%oNhaZ1!rmUKKhO0_kxayOe0V6*^E}1M0E7V7;m+-M)&` zHr@DPbMkdN!KxQWdA>YkS~hBa3wa=Dkpf?R0ca(13H?hH=LZJqCD5%(I#7))In=AE zM5=qmtoE4W0J#sMq}$+|K*~VW*v#S%#;ufpvsB7iE4#E;72q&J-UCe)ZR(#&!zTV` z%Aq37#Km#8LP_bRc%2!7>)Rdl=2rRJ5RZP-b&-ntIIn(BbeUSne(868p6C?uZ&Coq zvJ5SK)y7p4T1=hK55R||?Us|ji~z}~2<wEomA$IIF8@`fYTc4e<&cJ^;*pVBdzbcE95)F__Ys0C~Uogeu(`=RjKh zOgNv&8GnIa^3+nyY8y6T-Y%K!XrifPRls~zqx@&Xzln7pkG-~+ZE{|x{H!jFsR2d~ zTtzlA=0vhPKxX%yWU6DQOtr@4H1AmmT7ZBAq>-Nnve?EP`Z(_oj1wWHIf623?Dgkv-9EVEi(3zH-x-jCb$hXP*2M=IZw zsP{Gi4MooSYKmg@o^k_kZ>*S!U116G)t%BCu~;kNB)EREw_P*oBEuk|`6!OhA!l5_ zuV2ZEfpGP2SIgD!g{p#XnJXsT_(zh_Izct+XVsyp(Dge?67Sox3kFqipIwY^jX0^J zkD>xP>yc6ur&Vp1UN|dm$3NbT4xKcZ$y_7HZ{UZiPc8o7k7%aue?Dr0-S?=coi2Sn zo6$cIdJG}M{{lxD7mqxvLgbrtf?t5!Fh1ceJU2~p6s`Z^T5#Q+QGkh*fMH9j--Z1?L&N~ z()T^C3GIBPkL>1`;~n@;GVz5LUk_+6Y(|AerjYCe$w$NUg+3fiLAPCVe-=)QFOl!q zLn9a_$F*aczER1QdUo;Nu{#Rn@x1TA^5VO8_>&4{2$17wo1c_qxv((6>!J+S(5W`0!KHd;N}pzV<;4nRYb( zNq)Xpqq!nf_S8X^j0{hYpp3CMuWPdIr3-aWZx5L`ga}}|kzmTbg>l+}f|~@$UH=N1 zeUh*!|HA9T65fe$jiz^gVL}()4&UhaTIPIOxy#zt!3^`)AG2Fm>~Oz`mo{ zw1`QF+Fdj@u4lr#a}pSZt+gB6D#ltK?*Se1o}VjnQIL_0{IKrvqRad%jf90=^Ocpt zo@d`Q0Cw_gMfD`vId+$h<>|y1W05B&W)kLIN>?cRFvl$#{lEGBL<&-lh?_Q9cpsNI zDF$alp16K}jO5At7V|e|0PBV4sl=^Zmod9NAnFXf=Vm zw#6O`FimP48~_UQ{@AalHl~)|QH>32EM6tyD-hHj0L%36F?@1VW+aeisuYqZQ#Qn>czn#p4c2D$}-%h&=q+^642zzUBz`9Z(ChRX^s(G|FD`R|b@z;L~mJ7=(7 zh%=N{BCv#9fWW%;+dGqaQ1$o;NpWPfRic2zT}}stis@!wO86VhJq%3`iW1+Aw#pQ< zgew8=8LL5{SFEpFTSd$v9>(w5&J?MpJX{`Q|A*UbcMf4H{ykh*-GL=0#^AcBBH3;B zh8j)4V^^A1?b{L`J}RXLeitXTlb-W<|O0MUG5NmSkn>unty5hdJ!E+laLIkV^R@=Nf7OF=eRkrelCNU*DC`zaAio5%94i|j6bRQp73@zm9Wp4kB(C^_+IrXjXJV0S)`vTkx#J##oS9<}Lf5IuN?-N8Nd zF8sBb8xnFPlC37rxpqa$=`5xwGyvojun<>qStJ##_r0hu+jjJU=uwWQ^^2-hcHU~(G(E^Jn~rw{-oHGPiQejIi|~=>UNiRtw>tRv7zx>{ zuX=k`jI|!o2E!#Qr$T-B$h0Q1fC zrTUPh^?kRBNaJf2`@--o9{{nHiUQY zsE+<77#E~|u~4CH@t@WhgtScbr(UMi%oJTf*MsKSA-EQFmnjm$p+24j|I>$D>=PT_ z&-4eH4;FA<<5$qx_-lA#_`q%R6!A`PW-Z%OKUT9Y-!6sHX&d)}oU`?>I_oN@6#7iF zy22m;dC&QkAoY4{j%9v7SLRxXtsh&a6g~IuyY%m|-Fv!oWY@;GD&8m5c{c?PI7Pg% zZ8D#;0l|u)?(Z~)BQ1suFodKGhqQ-N=hXSA)p6`I`0JQ?jmIM(3>)y#qdSYh+u_i6 zOHBg?Sr=hSe+BVYrP!D(p^o11M#bU7>vs9T?qc@?wh+F^;ESG|zU+>luT)B0HYrib zi(HWra(J2CE;!h4d`dF!{p)v$0sBXgOT_(&`#q_LOYs^d=mdif(vS{EDiQQ#;x?}J zjilad>|zXh(2*<-Zgc&2V$ z|36Yr;kc@i7G{@LqL#|^DG0|SQ5T*NDVlt=T3&9Z-E;kgCnwi}+@HIU*|}Gbcu%E= zf!`gaI_O!8JGD-I1=5Nj&))VUB*rsJtj!`owk@ZIghJm{TB%9E6~|wbe*j<_F;WGq z}TRv`6z2KQ1Ktv~YTTC6fH*X3H2%iV;wzpW-Pu}<#Tt4xhE(^kZs z{G$jSPnIT&v2N+_4~z#Xd@g(d!S_j>HG1JIz4iD%NSbmjh!_{(aWJe z^kyovWOJ?qry5-K^(;LwDh2Sr+!Sp%^&G5I#=s_;p~OQ}9$mP7qs(}|rV)o+56vdXefham5~CfSuh#m9KaQu9G^x{EI+ zvc?Dj;+^o?s#diw@Z)0F|GamH{}%Lc7y(&{s!-e?xxK=*&@VhIeHtZ&cJlnQwMcg= z+{AnpaMAGBXyM!}GN{iH)xXm>095iQ{nMu16o<)ut=sP|5^~nsb-7-(Rp#%LZe}UJ zE(r_|g1_LEB^CtIH2LRv>;6`e+%KX!joF>=HTcXS4^Bb}a*Xp*?MF+e*Xr)(@hZ!Z zm+`HcQ{=npZu^A%>aRZq-q}%yeC)W2v^~CD3wN6kFOY*xkf{YOaJM~d@!wfh_+ln8 zH^HpF4^7w=)`z;S$q6Z!X)5^cNl%n>765lM6d>3G{0#)<+1sC@A!UUip@{YFV1N+0 z59SK+kMkDYd~=7zl0&g^5|=;gxj*9t7*R%Zr@UudPf-?ywoW^VRB1>RXWzag7+E0z_wk;U?tz^sm1c*HPkU270J2DnIN82c z9W7|MkQrduCW<*Y3-dsx!s&$zZxTw@WxKwZ$halxt5(lu#z2njG_~DReN00m|6kC6`-lH+(Zb|gvgpv)d%T1I& zjDMajc0}PpkPiGc0v=Blu-~rl)x(g70a$yBJqd!X&MmkG@SYrYH6fmmo)~ZYh7nkAnS9zZS9t?8PV_PBdCcTDXVI)Kr40 zydGYiu;Jx^B}GDQQi?0*r%(YqSFT9ma~#o=LNd(FVuF;|IB(!GMEFi1S}=OkyPs$N4rb>@uXAEl#&L8GvHrf3+DE(7=>fZSGS4?Oll``Ht35Hr z1+Opmxwnb`d-V0=l#`x!LE`t?AtRxK%y5gdp+d4Boi?e0@{>@z(}#OyD22K>R7wPwoz1y^taVf^W9H z3PHFn)v38(P|SBu>+F9dD|t-(6-(6+1R-_DPuG2r@uiJKIxXMR^ULPtl{qECcddY> zh!3dj`H_WJIY66tO@^mhf?6A$%K-n!ysMFcjp|%~v6?c`$zD&1_OQhKkfPG#3Ok>c4jRo8)za#@HbRTqk9tk6 z`w-s7Pq1-sgE4&f7ohv?XwjvDFf$s!qy3>+-y!yxxcG(d%fvpgJRw)Rq54fT@%-hR zCn1VPMJc)8zWUtTTiX4W4lMMBb@Gl!a4pCXhGe(KxCdYBSG&co6TzZI{h>Y*oN9`( z{w-fWIPEZA3~;?TjgoS<<}0qYbSfDpA(@X0dYbr33K~yK>>ooPynMWy$KmN%bGG;1 z=tFey4dekP--v5HV{T88_VPC@Ee>xi-tS)ND25ak1o2OjTmgY&3-D)D$~w<2fn@8- zqgMrP!86YMNwe!ZDxlu;rW}pyG7XW4wnb-FSz+(k&v;2ZWQc{3ZDE-2oLi576evoU zO-yNsF3)If-x!ES&uGplCY5n8dLYQYFj9(APV;Y-Ge`+EVBzrCPHf%Qg2LWg4Q}$eQcf zB#jJ6*vaxFc++M>-Wj6fctc1G|IUQ@;@(rty>rf8W&JE&Hm^0}@E}m^^uj$ZR%1?a zl|FK7G7JX^MJ?+`Ltyx%2%VQ&I2-tDZud z?*msJKx7Qa=9ixQ^~v#d57>`YBT(xiDoiz3N7 zQ;DSzI`uyWBJe;16{ts>RtTg3f!HWaD|7%k^8*$R=_hBctY5zH08*Vy+Cey?>7D+5 ztz>zFzHMcNr{r%9`<~MuMJDo0294x}q}=9Cfu_w~L`#KIym8yX77|fhJ#VK^3+x(J@)iz3oxor$bnB4 zSVWRq0l!g%@3XOaM1iS#uc|g%&9=jAfEZ`$vHQlArkiq~a-{d#Dp8oy;PW&@>JRkv zJ#BUMe~nG6ZFP04i5S=sA)qwpep9B;5t-E()#ZfK-BEL{yJs5S|5E-y;5J8C-TDM(fzOEU*Mgf zb6w3NZ2U8|;0GB9M|#OqB|1&wH+KOww7BSg%nv7sj{%pDWnrZ8|8U$RHXi^PqbK*~ zI@RKJ8xDJ^?Q-aEeBbu!1YkVk?pM?3`{xt0RXq0rQXs@zplwE)q}Q;}_{p}pJC2n# zkKh`{JS$V;*NiQ_zfxeDeb<-&j@=G7VEYTld2x!kO)Z?8nD0rn$Q}eLZm=!r%f@qW z6*vG?ED2}Qfo!!Q%8u)qTHU8uF9>>_vC&O@tQ1sllReH=X*;(cZEYtj=ipm4n-6GC zr#b*Hw5t3lzB~V?-bdo>Wo$ zO~y$%L@S+wih#KITS}^1hU-m^ce4N+?ETrKy#);`H4s`jB!^P%Kh~OE(tj;Dudg2R zA0XO3?78E=Tkf<*wMEX(Ibg)9$(1YZtmPzB__A}D(8Un=mtWiq&&3^{lT=&~ANp>E z$kwN%w;B8T8^AST5VtObP^N^{MhxTsA??lMq3++e;TDBt8GE+LkR^LDS%(;g#Dt`* zMUgGL7=ut5dqQN5vCA4sSu@CP?6heZ#?Dwr6VFH2b$y@TbKm#t{$AJh{OJ!b<2~p5 ze4poW9>;N}wZkO4o>==_2M2r4XeO$RmB4)4XF8Xo@s$Xg%%o9G>ybQ%G9A8B@0H?Q zGuZ41C+paaYIi8kHbv+dU<9*-*>s^ZN{2=o9=RZ5ePqV}x*0{g5Q|9E@?Cg_*jm2~ zjNzrgl#8OYp;=_C9dj3RwxO@B{EH05&B*mTtZnpQ>MiWT#R5UnI%0Nb^b7Fn7Hrc_ z%qXNC&_S$!1vj(A#EvhCiAt=&(%;Iz43Pe?1WsmGYWPL??AxYy-1Xxnw&y{OC+2ES zaNcTeq|TJUo3-lT-RG7*MKRUdpA&A(f!Cz`Poc@z40Y<{FB3JX2k%?XF%8cMXIY*d z6|^*%kpG~``mqIIPxo3a$C!Pqo=(@L6=eLuu8fg>*7xk(iwE|}rIUTIJiS78dD}>e4tlI)BSbwy>P--e`jI77Iiv{z}&8C!Dti zQv1|u1NZO+Cz_7O&O80&`%)xZ-utTc`*vlV`Yz7*`$IF8s<}HR26-mc`{ZEWo8Lp` zIH?cnJqxWKb}~8!Eu2tuE#a?~96!m(ZK)Wt-gC5I!v3?1dByt6X?A_Xn8YLXZ*Eq3iVzrRucp;aZnSXAT(Fr@i0KV0>_KyIwE9s{0V9}Z;g4wmX{-lz^Ey~;;DSL>qDAVf&F>=UhX@MC^0Nf3ztQ2^y8*b4 z**f~y>b0M{Br7-dfH1p6wq@>CK}}{EJ*qI6vwi&87liVB=W!W&0prZDbkaRhrVF$R z>)l($NG2MvH>+)>V*^ge+^npB>~f&f;9TRbvlLA7H9weV-#mdip|ElG^--JoGYMu} z^Umic@0LEl+oGgfcuO{i@y%^$*^}-v#R+l@YaIWbhDRsQFuH>#$Z|o)nAMEUwR};; zXK|zY<&~aQz9ap1XWj(CDFb>H@eG;*YETr~(O-Hb7lBFQ=if^6vluN;=9v!+O9CbU z2Z(-f6!X_zjCWW6rtgqb<)>ax#{7Qo1$j{rpNT1fr{VKh^Wpx3b``7vn9>rRU(q zMqyobrh_q!8<)ep6BF_j&$tbh9ylR36^GA$9nP!hllW=n3iR3M;~#!v%x20Nx+5xZ zcNxvh@?E;|N2vFfgQKeIAn-t@%3zOOxfGMr@_*L7mIo~9BVr>=i!=$ z$HHXI&WHWleA5y{JU^CLHEW!`-8=T(Nk;XTv2vx`9Z}~}Vs69njAzh~$RL7n-Wi}@ zl=sEj%>N_>9#mAW#!5UhRWw@O=Q>|@bTn0|&Gk{1Wi6m3T7Ium{^EV%ch4=?A+HZ> z?}O&q-$AfQ#gLWfUNR4#PY#{P;S$xpT&*1W+h;y3~t$4wy1dKJDKEef$sc{>_l(d^na$O-E5u_HL^CF@48>sOZ_>Z;<8(F ziKDT+b0S!B)J5)d{_>4^n!Z63TB1pUH9%Ztu(bPH&_UTIT$DL?OoqF>dM~oQrk7F_ zTDR&+m?<1$G>gHLN|5H2Bj5pw^JpjSHyL&GhF4TUXrC6daKkdSK+Dz z<&a(HyvKayyNzxlwQR;FG@S3@D<9Hmql*}P)HiJ@-bKl=rR!e8m?dOrwuvA za_x&EpVm7lgN?6>e04)K&5k$O0F$Mcr2uWaGi#Ogdy!V`L7-bYWW08cvK_qNsM1ZJ z>2nSMbc;923YXs_c6aQjo{WjGS_b`c2@1XU7a)>njJ7|?`0g8$GjQ}9W%a{+M*G76 z4)r3BsO3xL-uK?Hl7?^g>Idj{G5>60$QQ9FZ_t8#%33X`ENjw}qo)uZY$~xkD$>7X z&cZrWH#|Q&9E|e1)z+aK!ZZEcCsv*6-VL1i?JAUQEvNoa$%=HUR?StYa!bSyGnT6;>`#PhB$&q_UuF*E?cm zZwPn~+Z_~_Si^dfw3I!?bOL-#i`8p)q%tsVVeYje?$c8wP35*ni%)aZOhG-1hTlKR^~UQqDFUgYJXU z(x*gsJxb3NF!Yj~116Y7_dRU+9#=S8Wh>P*csYFoKqRM_UvS~Fp4TNN9r-uPr8jK? z*K4LfxC@R{S|O{sGEsPCWsm8pB9=?1`g~-kP&V#!=S>XV)8da6&0(2ghPYCIgOlQl z3_NCHIKJmj4X5wpFtf@wL_X`uGBU({*s6>?us)hD_(-Y|M}XS+R#^#{nc1nCkUdcO zLCouYo}>PGC9wr&J7((iZiBgcqd4^_AHAEBr7CZ}73D3a;5Xi*VZk#Wa-i?rBPCZ~ za+anRNYpwfEXGAX(f!mkWk2JvA2+E#O#k2O%R(MN#N{>k?BHNJNF@g2XKBC?r;9$< zPO!Rc&1NQE8};U~OlS-@s%=+xehnl8_^5e)O!$~p=MBV*CkSg=9}kD-df zWIM{<4+{y{q%K4a&lS%|sE-&&lL^ScSZgPKc)c7`*hEK^>82yA`mqpo?hv5y`59IV zA|4BQ8G2-_T0nvLo`6LvRSi0#(og$NwO~X>{_+A?3Fo<+J6OWx&=ra$Nycd?LB2^g zk#64pZ?N-Umy(eW&;}_LePZ@mR=u>8X?} z;G&I?qYBgckSeD2SL&?=%HR7-Ka_cmP`b{{Th}R=wooEc!yP4&x3_yyiJU_;vT zSE9^Hp25`XVBST|+#fyqxsc7pz{dEOyCH5#0vD$0*Dd-Y`8IYh6Wt(wPl{8eL19K!>?-#%xEbFPRBdNJw8vTk400g5ULr(1esmF(ShJ0aie)(686;|syo zy`0u}1p}r>YF%(OLPH$&mUhaUjf;zI5kXsPpq?B0OptFbTZ(oU|2u+zc$5PgEI?1t z7PkHQ#r8Tr;M-Y33n+A2*ptuBo4_mQaJ9ScTBH{3s_y!(;M(&m9bL!6_4a34%zU~> z+`YQaNwa&6AZW89(FAjfEIpK%m2<^^%|va9@{K(#cm-I#;f)h3Uy#U3I~CeQ){iK= zq4{w#5~?8peRMzDh2@U4Y_$he{P`K>-oTq{9kFy3sxr){?DIXR5KJLg4BHscs1Z?7 z-}w}Y8$N|0>VUQ7Q~`73f^*#X{h6Ua-_#)?Tp`SE7`KaV!+{U5MrgmYhOMQxc9F1)@7crV`4N(d5?ry}=>25`_|2P&9~;1kM=Mfo(^W z?_Mu%;cKy3->fzU9WdBXlJ~Cr8-~7Tfi~N2#5k529680CFW9psJ5b5FH4`7>=K^UH zFE24R0MKbkr85b%>a+fVS)2E9<)n7HBc* z6fB+#JnR1Qx(!vNZMuZp^DNN?Cp2tk;3O-(Rq%9ytsvE0NR6?jU0@zB9&7E~dc!;` zb@!})V2p(12({?($Y}}BF`eqmTcn!%fO#CWms`yX3OIpX41uhDy-t(3G$Z_iuXwRl zIIj*6{B0#2cOW(+d{LnJwGp0q4t>V9y^6I*70yj{GIqlKA+bu&I|>^|vC5MjUsk@O zfS09}8bo6M!V*jaDi?%p-E!*(P`Is3z1L!Y{lkCvXkP6D*rckcq$$g~GR1^<&NcLs z$5S|@o8C=HG)fM}g7GAzBNGJ5K)%FQ+D2BdHi~R-8}Xx#kf<`e4qwvP-m`u#Ya!xd zo27rAmnkd7S*3FdFx2*ZRogLCxc!=2$_X2Q>30;{5Ra#g$u zwtBP(diB|^JjGevOcO73Zg{Kk{tMf+)^KW-V-Lzy%dXVM3%y|(jmKaA9NtO$jbl;t zMi5Lgy2im9H><#o-AWuimv62aIvMF%afUO+&75IWXG6*EG2_NH7FTO1QKwuEdgQE* zf8fo5&R7H3IH>oYR)OWrT+5Ue(=4F$y1Xkp!O?2D_%SX#twRGam7795h-f!w@EA5@ z8tJgv!ryUdd{oP6h~r%Wnl^xZ(*oPOj?T@9Ol%*@!icu@yemy@}W zVDWqrFRl(V7eb9BWTXyvAPnSs6mF!K7&8$}vpgDu&=uJxs>;GP`cLwC)Wxq`+_4lxkX)82j$`&8fpuDZSvnNXOofhba>YTuXG!p4$+#DO){ z(6Ol5OL;y&$ZV)R!f*c;-OC8z zdv_BF1?Ts{+AjKyHS4$UMPsF)>)CnsWCS)=X-P~V` zT?6f4##Nb7v#je0q_*VerSh@$BkYbrkCLM6Ck(r+SU4&bD`nzupyczT`#am zEGNoOyQ)>Hs{`0UfER)+#xvXSK#2~~v3t=9fY{#>(>{y{=QsKlIkBp=c4!S?DNZyA zL|@OUT%co~#SKY_s;z%K_TBRO@eD!|@@;*PfCW*m%~@jdW~P4HU7$X_<&Pf`=Ei7KFnGj_$py$KVL*?$g;G{kuuzKZX1j_o4V)wO(A55VJAC zeE5DJu3~KF)g<9tL&c%ahoTr-klPCsUuDXFWqACr zQG|M`!Loi{AcbvxdmHcPW@!-BoS-?yAh`Boibc>pE|;rT*NZv@ag3Fz1GX!se_rQG z?hJpzGbq6vXl-MMQXoXIxkc7Fu`;ioBD_*GnhakUl91U?9ZKN3b5(1m1Xz|=EMsH4 z4p`AC$aQ3ntvmL@8H#UtYhTaQ;vLkixrvG&uRi0wOZ;d_89$pQVmL)dLllcKQ=5;l zd%fo`U?!TjfFEMlkEU`U1D#4>4Z{6lncVO#FIIkkkV`QF$wa&!7{CAcxEc(wzc~f@ z#vLvw{7-Y~pY6%3Mxlz?E2RrRIh|_u4QdcvJ_bQ*SGJ=-e5$v zmB^INNf$MaYMeHxdz`fJCVz12L$Q5MjzUx!X3(};4keXp%^RQD=q;J0Y6zrcK=pI< z%2?BdQS(FNIf8;&pi7rHn0Ssklo|4&oh)R%bw)xItSrC|ZR=Vo7ACi4UW)b)oEW&+ zuG1gkcc|}1Cj`?6j>~F`5)^vAc9i|&O!_-mQUVXV2`tmT{P&&hhD(Z?kY0+cNA{G^ zW%f|obKlq+HuKbicBipVneOzZaIdGZ$7Sw8@Dy3fd9d1gSH>bfKHQJ8TX7AD7Q%h^ zQo#9LnNR~AiRZWBf$bK@qT0H{1&nOueg>A+yqF}KnyHV#O~(DXW}yicr}r&2gvhV%lJM-r+yu>_W zvONVHO(0b+dgCOBnThrP<5s4O2_OjmkcqeUYHQIpW~BZ&UnJd-%FKXjFOJLDOKp8) z48)0C!)A0_c#iazX_x?S=;3-qLwL-yU00 zCAr*WLEI0S%SaRH5nLJ1TGpqqH~Ad{BJHx<9cK+48Ee%-3X~$0 z@Dks`#j{)n6SRW5wBoKILYtgkWqr1gaA;*p($ZSmf-oI+>U))Q|K@I`@UyTS2x0tU zwzm&s=b=fa1X@thz&}h~IOOirDcbM4W&@GQaK3&2dKXgL1}l9ZfPv|g6=eGs=YodK z1gI(9>ivRh>Ei2c)l6o2io_%t001iEXk21Y3#uMe9bZcZdqr$2G5vN%x~1W&&8*+x z=_E8W2AR(r3wsfxs8)#Hc-D6$Lcqplcb4&k0I>C4MviqPyCd9sYwgbK^xdaXQowQy+LSaenpCc9J?WIaE*D2kJ zMU(N9xSV00uX)$B_9Hu82Z@XLl)d46!5O2#`D$nex?pccsyFO`wVM>xX)+$D@bOWK z7(d2sAr@Zdf0JlYv5$7a9>DWsxG&a$nue>s(~_rIF*3B)l6hdd(s5Ju9O{$XS~PbF zBK*~FvjIMV1W$3mZJ@QC&oF_CzWGTUc3l9gIz%2zy`GisZ_v9gbV*fa&$1%I`H4Zg z{Y?K#2@3VB)&MG(AA|ho3bpocG%$;6oePX~f9iUx@hhf)Ew$}3;4Uv-Y z`q?1Jw>3qOj3I8LUsLzr+z*;#Tdcned+6K|pH2Ktw>-0<$ZNDa7>_=g&@`G_-E`4* z4B)iKJtRynNY0d_I1=RUgcaoe??P&|!as%7gqztW0^VKOHFppgGlN-DQH+35X?p*; z4D@-`5=w$_4F_jQ8*l*KPiwA8Wui#yQdaekuECD#y*|YDd%e;;ZLvpxuNcgs%|?+D zkwN2Ud)F&&(xR3Tly#%Pn0eES;O@9_&&Dnpb#!6Bz;zqSCjh2nS=XTf$zTp!;J-0{ z_)pLK|CaTytN|MeRnc<>nJzKBmjHNRry)?Cc=@9#EB|_m*&1b~79$@}e#(}bL7f2StEEAZmKr@Q zuMx1YQIGy%l{EU$l$DwoE?46uNg+6;!g;&A9OI9OKT^n#1?sY+I?}?m7adx0LqfZt zuvodzC3o1-t0LaZ|9`Vz_s~7ym#r zQ5z>m1Kg#pQDp!%nU)34C4>c-N&K5P<+t-^IU$>J$C72e-T&vEF1yDXw6%17td`=3 zT0)h-w1h<(k|yVXwGi$$C#y_s{BC(WjkcAr9Mi_U9ax`Y!7`yICdo z;#;^LQl{l89XDmr#0CsQ!+n8H2Y73OQKjK~$8MpBJx37;lV4xV3g+fp1#KQ8_x}9KFUpgJ-L{)yorpmWTx5j)>UJ2c`%Jpx_N;N5*krv%zn1SR)sC3acR3 zw{c&lOQ;1j;NP&P``OA1Fp9pIn4-BCZO8S?&_Y8Eb zdJH?HvysUS&Fv*5&)G`{qbrDyZktImYk(EoS(jLeeF5Zd(J|+%z|!*j#c_rxFsDoO z)*Uf^36a(H&c(U6Xg+{$e(kXOh>HXE9sQds_1G5k9~FIE!3!&cpID^!sW3~?M)rnx zS74GX{csJ5<@IwqF)5a`T=bw2!yu9=Eia04Wwkgo&U@h&Emf4*np_FMewJdT7BGN9 zv))8T6K-^7WpZ!LBsVcfIn8;YF%qS5$eJf`A3+lfMH+c%p~19hvvy)@ySN*qu6NpswG7mF4p%xYI*2VFLJn6%1#uH38jlCR=onIsmAtH>?(@ zUS5Ar8ku5>P;BSkXY<-c00e$%){K%<^&&2WOCF4+idWqeF>N|=vYg+q0CuZ#!_7JZ zC?16=Xc4EJJXu`bzeq-Xj0Fuo=bgk+Zo3U{^KyPztuUvQR`H)85A? zMxM}#5r;l@_7XrS&a!X-1yHFR{DI~3Um4`WLh(GE3Pk~0;R7<$Q|4TtlFaRfgzpeed=NpgHa8dm?A+n$ZG%`SQ9izO5 zcm=m*aU zB)x5mIfk>Weo|xJ@^;QxSQ0a|nU#ff0%GS0iQdSc+%!)hizO4ThxvW-*pmg7glo$P zG6(JIbC(#FnK4m*Xe9u!4B_mk5tzRcvQq>Dh})>LDoTA#x~e}}R{h0u|FAzAytCk7 zmw(mZ*&nCD9o+u}SDia@Yq~vVXS+jblvk7xaZy;4AIZZ6Vhlmx9Nl;EQ{Wc0962+- zeUfJos~2(o4iN40or3D^nAzweq@fGX&k8Xv)QC|a6(7%Fv|?GlH-08TwDzJ-hXBa$ zhB<@3X>w*Ak4N=jUCDE6N{X3wuV{1@%i}{N^u${_T7G@b_3JUWxWT7~HV9?BM1e?U}=GrwAwgI2VyM z)B2H{_xVpW#Ekso$ z|0I;xJVVIs4q%2-f#BLwaA4d8M)dVv+BOn+5$7afhQ7<1y`do2loN}WuOQ10S$JKB z{ive`1)s8oZsY(YJegYJ;;pQ?%VT2 z3For0$g6(F<3q{PsWsGHu@~)~B@i2Qm(q)Zi8}yuXExlBLPVg+g3%J-$^qwe9;4HH zJz5@J@2XmF$Wg(;n_}ZijVLevItX z*c5g&&9l8?JFzGNK-_Ud+Sr+g1FTNPkMCyn1s=nuyYyky$~>_q-N5Xww^b(66fx=T z88FMeAV3{;iW{xqda_0R?;pZnXC(`Q+=f^`i-b{xw-(3T++Dt3H2M~EY)2QT_)cf- z$@Nyz=ejZh9?_(WI$7p?!jo$WXNR-x_$+LbDOZAtQg%=LU15>g=x9(HH;+jWQJBls zBQFsgFuB`hBbOVOElJY1&0MN93G%3Rf7Un*((-C;s$!`xF;>64mwGl~NKyGQ&p;m6 zJ92CIu?PcRaBu3TOdcb?qi{5FaJCDfbVUvL=5Nk$U5=I8WT#iQy@E`m5IRx>ScrK# z;c7KY>{_rcqgj9?XJn`D!(Nu(Ain^UK!JY30c?}b@5kSYhrf;jh@ocqVQU>ofvdii zEzAF^S}cmyz=a9Xbm+|}PLgn!a*%1pp4l_uOyAq5%^NO8KHqx~TY4;u!bVrqS$az)OdF(-a>y z4zF+Aqw)Ltj}Ha+`%qqDF0H`pdu?U1qK|=?i$p8&2%Hh?!z*8e_SPbCKCH>70w$}5 z6zlVtbDB+AZS>&v*Y1Hm(uRT0>~aQyxz$%YV=R|X9Wh3PREtLoZq}S3%^(c;Vt&LK<|?)^ zn)V3>JUS=R*oAEB0e@B1kvhv!YkAz2AeYY=b{%1PY8o>uWwWI4G|OlQ5^Tol+$F$x?ufjZ5xgTi~(-31o>#p^&e!B-%)dQ34rJBK&%^6wFi#|^JGv96)v?eY$UMp=Ju5Pe%6gr=cv%G^_>NZpF*An z5d#A-KF1MT(Eri#xbM8sn$}k)u@IfB=!ooke2+1h!GfA-BPV;~w2Qo<6omh6s!$EO zQ}Fx!Q7Fcvw6;1gCQ)txkGKLRj-e9~izM*&M(`#ck&OE_Fi|J7Kkz$V-u<+G^LO*= zU-w8>{OsBNaKMHU8uN>fpSUbWI2{4M!TRk=5QnSFS(YSR9m!tJQmCDSnRoZfCXuW6 z3$PTC!!}2YJxz{imIix^Gl6;JlO)Q#v%4Sxy@qcO+f*wvZR;#N3XCZchp?&4k5}5f}Thug^$yoWaJ4sVj=XP!zGI*|PNE#3F3Z za*1QsDQ@EnAeq)F@ISsf@Yv>G2fJqPxA)S9NDi6$b{!uBi=|Dj%4w%QoU)upEWUpE z!U`3!5P}*Xg4aVIiKe+!8RRI4oPw*;?6YX+z$}GM)kETYa$9e}AYZfDxb&43uZ-i( zBq?}ASIUB&kQ$%JdhJXYKNL5XGTCFMG(1Wj>3AEh&C9P{hkfZfWhEDkzQ@&TZs80p zP<*KcOGO4+qs>{5d7H9_waK=4;!`U)&9@zeBvTA7SNp|?Ls2znjvqm@UrJTTXg`y{ zIE~rk(JHu!bFixrJQ?WZQUk*GOp~+A{qJ(K(4Fyv;v?!HkLEh0r zS<+pqmvJBdNX5V_?EpS1^W|?m%zp*YVImd|J0e^^jf9mTM&FD*_`G9&A@h&K3{}JU zg<(<9Q~%+;oH*pY)L>s~1H6|GTHZ)M{k+V#epiO?NqW?-yQXpmJufWzXnX5) zr5GSs9ZPA(6Xu1Youi@CbjtA)H{Z2?$~JhKa$`2`0Vk22Bt{HxpmW{woiX}zwW60X zUyNNG_(Tg6KI~OpcP4jNx!jUtvY&1L9%wTf3%o46+-5`8vn7s!5NlNi&VN+I0B3a@ zf|zH;d0ePbA1*p?h=-&a7r zm*xLTW_j@!JDUaI1-Y0%nzDJXp1Vw%W`zlVHzH53*y=l%7-?h_QX`Azjc6X69T3%d z3Fe=UEQL{6=120|vvOh(;TbL?BAmR1RP*DFbiU&l)dJWy>%^d$r8i3UicLFcB0lbB z;=a*IfCZGS{nbHR#y0EUhEDUS%F?Y5vD-Zfu~&u+FB&9|ZjXL;E8zD9zp!&RSU%wp zyI@?O>B$LHfms+XzE|ww9>C5feqyhfd&HEW(Ug3PjIny^OY9Q?>-hE`oJp>G?9@U~ z{NZB8Cvt5CF|pL@5r=eWB}+|bT&xG2@)?!Y-Yn3<3HHciM^Y+{f+o9!R7umw(v;y{ z1_l>>BPMUMnQBZDMgO~Dt=>0N{Ku}F=E7{brESmkx2w<4D$ZAH>>aZ@OHb3*dPCWz zQj0z6txK-M)#>3~F=pr{M}m1>_xQM+j>}_3+^h0kd=FH)H!cVZ?4jmW8V z#Ma{BPFRD>Q;dScq$xHJ1u3-9go#k`XOt^!*XXYP={8me`T*i%wme^@GQ}ByHIvF* zS(z6%ptBZl{g%YCS7nkVx88KOgWGpu=myNY2T^%Fym(f~X5xITlZ%9&66MO#b|nzv zi5`Abb9n6Ty-R%xW<>6wV=NYvkDg>EOpPlpTqv_O78)k{(Yqu5+}lXW5tZ>W3TjV8 zyv;7A+~<#3k~fPn((j^H-%{~EWX%*|)x^dtlHtFDifw&wNoeW`??3Dr?y`{R2Q87f zr3cMz2eKfys@`Lt<&55?a)yXLY39EFHASXt9msm|y{-uLdI?Mz0q)4(g)DtHUV=2Rd<;DiU+Uz&E8gU?-gZ*W zbrznregWxS5+QQE_d{<M&F)o!mvWN=#MNjMGk{@{?E5Z+X z;oZX z&5S2*?;i4IBIK5cGL6QCPN+6v&icFy0(Ll7WTZI-D3%YmHJaLmW!Wa}JK1SjC>0XR z-@|NDW~iyhVeDb?0v;#LVj2Kmr~O zZk1Ona5d*6rGf#E47s+%7y>J8%SrsZN#NzDI7)~x^YgZ)pcMp)C9Ce$OP+o~QFxjO zwHpSEp4O)0)EgnN$M~hR9Ina;zd)~p2B&{`E(xs1)GntkMx=a=soMp^fIw*pSq56F z$YTiI+`9Yr((GtqjON-aTtLo?#>RH00GI0nf}4)hLIMd?e1eVe`}_75ZP<33N_{nD z!jw$f{ZVp>K@9jr8OK{Pu!n3mUzMlhMJVIjF0A=}RkqIc+AY|!bJ^B()#CMD;ScA{ z3w50(;U8xbwOmD{Gn%u@-=gs&i~4KTN5|PLC@1I|yYwuMNHp0_7kD_G3gy>kW=HMe za-Z4cz@S~7DFnSZbxI+=(w=ZXJyq^;YG};t%`%U@f&S?~dQ6D*zvwYTB6vdVbL-OF z>ZGiGb*BvmtTufAvA4IAb-uJ|WoIb$yH%e3n52F0D=zt~IOorg6{DRu?#ILeJ;oob z8q)6_fJWRBJ}f%}cKY$U<&6L>O`LYyJ*f~c{*<5#)~cbBK9y6N-x%-TpM}b_>u@o2AMnuvn7i$)zkGL? zPQiCP!35PSbKO5^MrK;v>}8gZuDlz;fb9h2TOQ9+RE;$b1}c|XX&iI;XIc67pysPH zjt|Bf!VAXscTfeKDnrp1b4_#vtlzkDzOf%*;2{KW64};6k0{ zr}K;?>>i2B&avm)2f6OT2@oR_7N_Yf{}Q>ZMInu6?dQ+Cj-gydmUWl5@h;Q(z7^a}>#D za#ci(pDph!2^fSvf_ZRbG3fR%+!hdxyYXzF#j&KL+2yME*F;gM7amO``*wFgR8&Ee z*McxOnqCM38dd6y2DgboX@oh-MIPx*=U-!p?xw!qvL{O+Q-R_^U8tW10(E}Jjes=!%fz!Yy^bmOYjQ`~y@OshX-*+6l!sEEVRl z^+((!u_sV*A2~BU84c4r+ zk2`rep#iqsx=hT(S8kw>drEo-kZ<5|f0A#W{txmE3|fWN84wzVEaM%3#o9y3v6eI1 zUGGTu%qBkp&|NAmDuUb`Z|u^3zcu3g^!c~8a!+lB3V^17JB~=fyjF(Ri+-QmM=EyB9TH#Bo}LK4Po9YqO0{(5H-;@!5KPQH4ng$APKA8tt1=9L8do1j)3cAU94SJh3;gTJm8 zC^UVzVlY;Sm$Vo9+^;XXACAPOxeSem6=2;V0$&7A9os1sF3;wwEw08&WwI*FT=LVY zHpOZU7_HqoZ3NDVwC#*TSJ_3w(nTh;-*B41lLrwV%2i|OiCHQ447VzUpsF$p#@uXU zk#e@#CIlI>`w>S>XMvWBCWp5bb3|^W_hwk zy=@lZ3M9NTDXjyA)sGL@r#H?9`L@rvi2wb_gTTTMOzV z*GrWqC;xUb3-P6s7wTPpzq7VEd0_44pzn}>#zD6rS{1DtSahHBO*N(dvk0MPSp&WL zUavYc);L(9l+Fk6dP$~207LdDoPSP?F0;`Ss5T_PY2J}73nIW~x0aX)PP?G)OHO8n z(s{6uhoqNDZ%z_%I<8J_9}W2=yd%R5<>W85gQ!UfFq9`?9roACwaP;b+e z*COR7BpxUk8DyeKm8Dq#HAwYnM7cN6ac_0YwcU+Ah9R*yd1IiOlmYR~C2nBJg1sE` zrgMFLt?Z1rDOP2pspWAMCLz#x2*JBnno(Ad_CBq9g4KEkY1(^m3pOT zrUnr843EY3W=`nr?u-&O_xaRjCpJIXA#=^F1EqS^?`Kx8X)@%#Y*HMeDc}<=&Y#N+ zmQ!0FCT;HjTrIe~!E`lj_N9t}(m6hIUw3O9EIwB0$L6riH)qmfP1c@4YY!e^ki56JMZ1Z$Gk2Ju9b-Lt%0WxO|#Um->NX- zo17_@B+e9{#D{j>Oa-j}Z`X8UJ)9zs2yq(64mq^!nh1^m2#bZ@#_O<~Xgtr#8Lz_6 zegY2=^$(qe46n8)f~|ytV_NN>1uLnyCxO*A0HW3Sz5Qzr7M_lVyIxBJ)OEql2*0Cn zHvr1+976Vs658b7xL>dizgw@&Dqwh=mU;gwz{OJ8#%@MAKhQXjKOwF%EAPMhO*dR#?C$IYy|y1@x;pjI z7~g6p2N--x3)=X3bs$}eE)^RKduK66R9m^BC_($#cP@Lr;jG~Xv%n2=4@#E@4B4S~ zhcQbusPF$ea?tp$@#+kyT%u$(BE{+@Qpg5C#GYQ^iv{#?-iZ&}f6#=)$^`w8Y)J|= zfm_rIDIy4Gib{h{k6`YRxqwca2JEMcnRKPWAbs3l%*46AwDJ0AzTZ_|cR}Z>N5hq1 zbPC&Ba-6-v8pz?4dRzOeXds)+B6#udoMvB9oGlf*P6pmHB6J-+h2Ug78>v?slYO$< zvn6_{V3gZ+9{X}@n6;hdsE~yddGUwd6PCw+c>%PZoLbm;BX}&`d_z#(4zn4lcY5-k z(f%MO#ERnn2{!C6fD-F`l7*f(kvE(CcmfQsoC#m9HagiBp~Gc2UV z*}PVl&?2TE?E77Wr~$kufj@*@_g7P4yKvS;dNYqQ%?|_-*6=pfo!GnJteq zv;2b=^7?wHTZQ)3-F30|shqKZ1L+~f??e{HV{`a7$FJhh0A7w;D|`xZnnryRH#H-I zzKbwu$y~n>?ENOw+^!n51Zp!@?M+j{=Zoc!o&`@l)w4d1A{bvHn;Nzci{$&=!S@6W zlh_e&NfHct04~9P8!vtNyy$BWvYbEB{xY4iRBYv7W@Gz3n_2PYBsLZFk%YIK_}8G> z`xj%yGG`yfLN~;I=>z6)&Vo$P)C96b>}ZZ6K+{dg z$_QK)T5yr(L*Mx3l+FQluw>9}8fAJn`@|gb^TFK>`HrPGqZeQsUpD54&t|Bx<*MF| zG8jcVzuqgI^t)(ma)>>=Ps6o7--b0NWqo~5BwBa) zeDCXQl3JhoeCGIUT3dLjr{K-Fsns-&FlGW*UG-S?KPGa5^>c2;({CGaKau}ygLAc* zZj;7w7T!a5b4t&_j0P!16FZ(h$FXa12x!(_SDkw>}^23}%ijrZCFSa5Z zUd_fa{7}LPm!DN@@ygMG(?E{EJMfDt0QZtC+rYQ36B;k0jy_4HtP%!ABb2$O6ird9 zQ1D$VzcL88UoL1bRv?DrN62g1pz`s&F}Z$f28#SnbG@!YK0gO4o@-`CZ4U40#b)n! zv3)Y0>_~ZDtVd%yJN+UNpq!6>jUJtBf3cLT`PxEzjjy|}UbBPn3-E70RFLwlW63qX z3z9Nd@Ldk2sT}x)8JBwKZXvyvy8i1TjGj#UjCJtIImWi*$7%khS4& z{C(GE*2gm329jf>&)&~QypC3R-f_CL?YuGu?;@O3_%KZ4I4()@w3-i-xN_*~1 zV@_zC*Ng_s$9J6W6DLf2AeT4mE?enYTkZu%9S@?`bhriRFa21agWBC~(HbVFT$fp& zo6S=W0m&o5(6q5{Y(?9a{809~44FjWz5%YXQnz zo)q0?$-r`OBbZ8VUR`i#L~Ena!e7R75%C^tg;kxE)MzHPcC2C2d~eKP0ogbn}*k zTRv!$7&e9)(Jo7ynnWb5!HMD!7CX0}wy*}1bh{*sf6fA>*D*@U!{2=b+=6{NZP z);ql)WrBgk$=mP#!5B0`L%MOBnSP1?0+D^G@vPe`a;&?|o8WTkG`GJ()t|C*GOhHm z$1Aw(_rInfdVoKxdGrC-T>$&^avaXBSfiv*cCDyKIXdGBqY}?73dF(aQeG7JSHeCz2 zgotcKT-!RWJ{SmjUeDlnB!{;2#<-UISbZRn`NT)FZKaVTTQYR`sa$qk?m?iKj%E0 zITjzu7eB{V3{={w=P4KPSE8OPBV3y)qM2voO33H zDMtHl6Htszm(n!J2JF+#KM4)byA@Uhc+Av#p2=$Sy}^A4U1VNeQdQH5P56ktgpTDQ z5=^bwUp%(w9#iV2B8`RjjRG&bK?RDGCQo+j5t??Jjk?D5{408|njH9%j2=DC$`run^BQEL&T^f|XX*cehbdyWiR& z_Blwu-`Sfej;tZ5ars$v#T3TMqMNDxzGag~8_ajsrnRmwC)BaLTn62!jh>E^g+KVQ z9|2W@#&KjmKqe(-bCh?S&n+QUZw<%*} zLEB3e=&t9kAC>k$&J5jYag0Gt!OmGSDTfs<8BYKk@$auZflrBOsG(k66<=znoIuYB zyVhG1IkM>!)=|Uw3~GF>XghW)UfL--=Qfn@W`sA#K2a*~+Tw<(vM?Z-dU=8>E2=|v ztLzV3wPo6s=_DQ*(~0fhJs1j7Kbf#fQ8nyREgHMExfj#Cr#f}9CAzu#oj8>RJXKZ; zM{kDN2l5?n2kxt%UqHM%CHF@$*aS@|1aaIebuf@b0a=3ii>zl_@A;<82XY^6p-an$ z!7Zgs%e?ntJh;~W)3aYZ70+r01>D-#zides&Cnk(?4&5lOn%|1!krC+Y!+)bl|T+& zC65!3(SAm4Q@FYHv~B01(`%!yliyv(?gf5MzU&jgA;bF1&#b>xd4}LXwrY3}6{fKTUJChD??flQ`%1HXvH__zWSNwA@@-KHoic834VqDl%dO%?S3Unes z3b`DnUrGY-Cqv!rY#TV&Z8Q_&@F38Tgx+bQJ`J8l%>{{5nehdCkg%fI@RpvqX zEXD~OQDs89Yu)&!UE%W2nea_NaZ}2W!?|Q!d-)_+iFJ5^%Y+(eh7`h2`k=RBdi*C# z+UtF7T08&LY&*c|C2S_Qz;s;=CFE)@=&C?CQurp=hSqemQY%WpGvMy~q6S_>hf55E zNYb$p{^T(egJ(6HCs&&0LwUzRL;iiXF#m8>20uFm)I<4=v97SDNeB-0xde`^k_v}s1G`o{NOZ5m2 z3t6Pev@t4S6s7TqH3EIbRX7i?quyfMnjy-`L3my^v>!|Dowv^!yIjzE=Und^7A~Ne znru@OXOry;Y+XgigXZ+kUJZXt8W~FL=H7-DbT!YLDP*^KUBmVRZmq1-c6{2rdEp>s zFuE(W%P8fcm)gw76r)t9rrj8&x3BS+;ZV@x*99!l72U4x1_?ftx1b}9J(|6&RPUIx z4E7i!Zfme>)^~T`eS!x$58E@KVcap1l;jO>@=C&pYY6eRMe<-{9XY6Voa;5gT+}3BN&ee{9Qfb34`8DYf9GYKMIY z=*T$rMo5kuUrW>z#BGJNfa7WYp7cx(L^Ngo3m3H|qUPO{W2aV+N%h2`J1brC5E-U) zWOKJh#PDKBh;>-$yErn4I4jwX4d`qGvAJ)dk(;Wk4{lpkkOx*ygw6Wy9|0NXoh(ta~a_qW)AIF`vEey`Cu}u-(Uy@xAeU@6>AI!|6_z zY7=#szkiQbo`9`^#Dw;(*ZZaYya_7;zem^0do~UamdP6eLU%r|@qts0x}+a3Z9_nZ?!Lzh z$6G1)JLY-E_}~nWT25x|5z#0R8)MNV*)eb%!VBB!20gZ6HI201N22&1FntkahI?2+ zXjV(ByE``fs7v6JTT8*wllGbaQQlJeBFZ!}rXWR>A&#&HX?k6*jv`PkuxNrxTkJz7aGQi45Ug}4gpnKrz0$x+Q&Oac1lp3>% zdreP@#>2b;$i1J9cyzc?vr>M$Xs%llYq=i1?5~6kXFKF8+vz3UJ8~w)Q2pXbh-psP zyU-F5<>;JJRyCtupA0gxNrl=cofFr$POp=-is*_&T}yudl#j%A>PDD`@9I(}tpy7Aa~vgWa-aI5-5K-*TJoXkbczGCOOc&yDpZnM|xk{meTTnS!YG z1U_BGm+!@{e^9t?YqO$i&8~q9Qu%&coy1Hgip=_g7KRna-7V&@24vB|0x}J0j_k!- zq~^QAuyl&oHXr=s2Y0;|G6PT+^rc_V0)=R@!tuq|K9gw-Lv^21D(@3TYG0&fDkKI+ zo&K2cc++rv5w_0b%Jd^(eQv2IFC(%28`J9@8jb|Bh8=-tg@-}0{MNB^^nPc>m^nk| zVM|Hc7;%S7Aukd)*68pzz<1%BS_cbX2e7z{3C2s-*1&xfYqC$4%H;OT^AIXQHeWJq zc8mok^M9ZsaCONM^RXWg9EQ$0!Ag(#9*abgwNIY^*s3F8e)i=(_Iumo`y6KhBvX~| ze$6@u2Kv=Ie)KN1uGe8UDRsk6$wTsi9+M@oE7{~-)!Ek}8V*xefdwnQbAibVqqcbT z$oX-fp3M43_vNs1C@UUb93StKCA>UW^V#4_u-N&|&;Bu>%Sg!9(=aUMfQj50f5=P^ zF71xc$e0#8b*RBpMMkKHtdN&oxZXP~W`Xp0Fy;7!R(E zZGlN(ebf?>#uLXHsvQ-RaJWw-nDY8`fi7)|uI2 zhcRR5A*oFp_3HiR-6DkMGe}27RjdnB?qeF*LF2d2OTjHFvtJNd2S65s>!*3W--hO!GebBadpIyTI* zUbf+<;0JMb8DZ&OUy3R^&m+)Ygm^Oy&irEc(!BOC*BmKJ~*Ha8^cY)j}bu!-NlJ{Zf!6S7HJUU z3k;Kw8YybawXQm_(2_6+3J)9FHLU6R&V#VTj(($xX+u!}GEDG45LSTDz5x@F5)T?_mv2TWHld@%Q z%0i@n7A)LA$a@z@c*|DKww!OiewYLA<_>IvZX5=^=h%s2nBcy(INY6P{{u^m?p{BO~rMX+~jJT?-qN21=r& zDL2{vPQ$Ewd!xi&`mVaTaa6)Cd$#|l#x=J(e}kmEjG}jEj$_qT<|KM(N+0O;-6=)a zwwyFYzL#$)2eLxx0eIUdq6~YD=X_Iux?vpqE#~N+z~pk3^Nqqamtm0)l>}zdEhKqE z(z}hb41Ubdo*Id7#h!Oba(yD3VGQA|S%KSb#L|&hw;K#Qlq$67u79uTIn2+vE9{@W zFe{Bu;t|RqBhZuKykd{fBnXr8FO!MJ<2GzClZoOS9iT*mr8eS2^EfGgQ(_b%6- zAy3)oTlmWgmbHb~y6(A$h95^iNM=BO(<|>~16^M(y7)Hkx;&>dD1)y9vKL)?XV@m= zxpi@Va9Utoz3~cncc0d|W^6H)yc0$ZHziK`S**j?hItnoaBD5$y0A!2(;E)vvG>=s zp*2DC1xuH|+@8Df0Lxp^Y?dsR>$~-RQ>^PljSLxWokd(&ebgjD?gWKwV|?Xs^F3)!*d-HxmiJDMYb$?XTHWob$}I1brY5&DE&PI+ z?zr?Hm`28I7DMNHGXuw@BbX??FLu;@yk|^cjiv&ov3r8{yF5B}e;NCkbnS<~8rN|( zxZ)d{=vUh~5>+R9CIPdiFvdQsBYPvvpi#0KB2fNH+HpMYa_5AWcm`=cAC><>-E8ub9B;#yQQ;65e59OFX z#Ku;HxABa{YEeb$j;r3}iwB~(I`r|IbAyF{7^!1K@O(doi;7%mo%aGV{RPF+m@2k= z?JVzLk@0G3E9Z~j=u?{&{xjmCOO#qJo#Ve21jz>t()sgi<1~EX-=77Az3O6Q_l-v2 zH$`VmC;6^&+zPrUal0+bwhhaYrdQ0jE(?D5GNpdn{_*J7K{}c{M`_wZHJq@Mfoq1q z#8(ej+{|iVnG!@k#HLb|`Xu+JpczGZguM}%nuqce2tjagQ>e%0eWcA-2Mdn<5tc)7 zA&oMs>QVpV30?KI^0NXy$2ABiy~J&cj-XiOK`P<;M1kaYFIlj5v~)OVlz_88>HL|= z(38*Oz)&ONQ#hsR;=h$jYNuiA0Pe;9iZju22`Sd$kM=K^0(D5^(zamUdS92$_J}vH zWT*@Z{2yvRZQo|72m=~+K^%(ByS3$Ta?Uo4slD1jkNfAZrMK%j5g_vVIo~lxqOupr zWX)o~<<1m@!ECQRUUqzkp#Kt6+;J!-TbUlh<7utd9t7NNDs(o(!$ouS@#**lvfXRe zwn_o<=0t1otcD%VOU=>$!Ljw#O!^6x6>Pp?H?Z1g*D~iN%k`2gvSxGv32)#7S#y1)by7kJHEHJO{*SJ5v%Idkrsoqs z(yXoRvz)`JV^0`aX(?7jjOi9QyX0NrV{zS?^G-#kFtF{F&_UD9Wqd%CQM#aCqhSrO zwGaDLQwm&u&DJ;H9V{`fU;0MJRaVP0w`$!eMOt2KJMMJ!I-TT0>6Z0VJs&wd`s%TI z+xpkmPC{j#-);}yL>vVD#+)*WO_*l$RKF_4<0xNW^_}|QHk=wGQ@blY=k#(^d<&~h z26dcBXqEsLB%)5hdFMsnZkc<980#%cvXK&B7gs>P#FRT>W_SY|-m#rB6Y_pGt{}WV zr{nr-`)kcWhKAV5ZvmsSd$JF5x%J}q0P(2WB;Q@*wG>nNdneX*gjZjJtFJ+mo^b%a zu-_W>YD$bYO6>Uq@#ArX9p1@ef z0@UD(ESxHdH!cis5Db#phXfYHabzbQBr3F&@3|69!y!t3^991>fm6bUfq5`uwH8C5 z40o>1{=@3Uek#k0r0{O9m@|2MqMd061j7W8$D3>Ov+aXcwA75Y7~)akBcJhqnZ$tY zi*$uUVBozO_FX&oJ7sPt2+!+Ixz;(AM6_1QkzJTXw>hm0z~ezBN4Z^>mCHR3}jMkJvYJGJEbM~S8=46KWT6xn*3&{3+1{28uFz6ixTrC{i~&%$7@WinBnQ$Yn_Ok@n~i_j;h%F>+S-YH);N^=1* zRKCOh>Ca&Au*8m*;rOWIJwIf@uICKLuvsRug8sOzB5AJdf~45Cn2qB3>0Z^C_nwiU zA8^-N;W>OPwH-3sSni_mqgWt1Bmqp)V;4J_^+_8>6tzuGs?na#S01nvmB>o3aq%lD zk_8@8HxwVUb#PUaU{g!s_A1$Z`OQ9`#J@=Pl?3tQwRhfVfx0ed~0kbrLW=+19>&Yu? zg}>|Q+7pTL%mt9fb2$ov`^&(rLuPRt|+ardfqS84R@BZ9cR?hyM1$;I9 zAFRoq?(#1de>g0EbN;Kp;_V@g>w~oo{^9&|_%}rvj*JuhDutCC-=%8Pz3m8Dk|4bB zMAky>7)hxsPfvlN)1_s1tAMI&w_}6N363wbZ`dWzx@cn9KpF2bTKD|!K7-gd-Sjaj zSnY3rT;d2Dr75dx&}WTmo~f&{Dv9~d^6P-FC9&~Nx_u^_&TS0|Mf-vWDZ?BNTqdtg zT@Md8L(>DNV&)4_Zx2Sjc}}%F?yYPQG^242n1SC*J6C$2b%yt=v~n?@2e5=;F~0NF zHhehfE$lv2)9GUgJ6l8xD?Fk_?{cwNTq%!qlju5y!q=Fyq1NBkm@vu9d8dkRCq!E| zknWgsPK~SpZnD`+N{;rngFQb~^KND%_pxc+sy_vA-gc_M4MHc<*a5d;=sA%DcZJnT zTzfam_LRza~IQ#+m%-#1p($jNCCj11l&sI%X#|L92KAZ8Lt)8wV zi2jDKMl|QGfVCVkE29~+QmW~`6x=I{>mEAcvZKsG;_NDhk-t{t0k5bCf$1F)v|hGY zIA+>rw3f7Mgft-t^4CjKkGob{w4}ecb~o+Sw_`PM50$B={Ck5(tc`qn!$9@qtCYoj zuV!>T``8#dJG0JieKRC`DwP>MOLZ6(E6xvq`#@<95yU~H)ANxGa7cZKL~4~!L+ z=xK^WzqIWcniFB|PV|hPr6Wbb4<17I7Cx85HXEXi?7t0Xh974pA?z0J*&S%*^)2=^ zXc_O(Ox=~2vS)2Zy1Br&7VDrU-iPjjGK8J(J!2#9Dzjs$XoB zIwS>E)K?Ej(d&1njuFI{z_q&sJSoBK!rxu)f6M9YuxxY6^**PbUW&j0rM24j#hXJ+ zrgK2vD=!uH_WeWAMRiG}&(kAu_e<%qAi{x^xw9fQ^RbDvfmIGep*FZNM`IH7Yg|np z?$r#W#Qx1=x?PJum9Jt{(CA}$!|^rcd`f_c9N=8%3?0O;=*Dy>{22%a{3v)G_#-tB zZaKyE()tW|P{~*RARFb5?LNt(Jn1#}>V%+h?61bl&kW9_2=eTkfY{|XKZ;D|R%j`4 z+x)sTIfsnv>e_T=`|}HjrIChj-Npv;C@*84K!!x|s~VQ);WzLPx-|{S$gUjS;Kz2x zWP^93XXi3u4vetIHND-o^tJbKgQ6yUbb);{o4_!q?4zM`rZ8DSLj=%rNoi`T| zJ6cQSL@Iswciu$FpS+1yF(u5yJWXDr`;PRqK;8sZck;AV+b>g}etk2Obci`8gGC2> zC}7qW?^QGe_{iN^B5i2ByPFoAgeUQzIsA4Kv#|q&asSU-?`fSt-o$Dc@y+|`A~I>h zani!MV%Nj5eFcL_kavl`<~_<)J$ym578_jm-8&MqL=HM3{L+kl&!UO^>}I$^{S)&B z_&}?3Mq!$U-88Xb{Q&xsw;Ka}YiptDk$n$d zhVuZk2|vFdIQ#;61UEt{*Z$>pgg4zFv=98s_=ek_4MQ_}aq~9wqN}SFk8&FyY+k_j zIJ4ds&*$6PNxIweF}$~%F4-|gnhC6Tv7JM7KGeMN33CcsoQMgZO7eP9BMnBLACGDH z(Z*t@+%g_FkKd2%Oqz^bSwfsS`3Y#0t8%<9un#8NUfl7jczLwrpo8OCpYb0TZ40`(`)|X*9M!D9XBm1IXQ` zg;pujWMY+~Mhg>x-S?beFV?^v5^vQ*$IfL!`x!EPLpUcpV!DK3aK1Z+U%_JIw>GIJ zcy!?BXE;QARcxAz0kQIHb|pB#HVhDkv77)i!Q}3Qg8i4|M8{2o64iN~(d*&u*Gb$B zzMNc__ocXs9XWjF*F}0w7vRyqdCPsv^SX&Ani4zSr>WjmkZ0;d;JNapkg-Ftax6Ia zEQ;$EqL%4^X-k_0%L%M>yvfMDO7Q?kYiTlA4SC0z#K>M@0sMqXD;@+H^VBaiZi;qr zN$3GTJ(>-RLS-$#?mW+v$1X?OTSCMX_jrI|<{Y!TP_szIOoaEhAmW!4rZQeijJA$7 z2P6J~oPd*i;VW4l`0=~wpb#zNLk^Cvq;&ZsY1W1&8Lx;=3Jqn5gml7ZEaeTqoo~iQ zrwx|$$Q?*bxHn)oGBVN@Wfx{{+E*rNTafJl{x@-(P3xxWAbpF8+TPIZ7*P*W5QV8_ zPVME0u|0y0l;lZCwP@Y%d(=C(PrEL5TNZR}I~nCBpQ-v&x$d{wF8Ztuv6H3QI|Dh# z*yS*v!PwoUjHR4BhR(N;kU0tx_;gz%Gxe zla24(ZlD_I)Mu_Dc`OFRJow}W%qi`eGr(6r|LUQzXV$rJ{_yvfQq1{UV#~?#&yclT z`zK9{o-k=Irv@fpSgsTj6KC7U1$7WLi8oSXUPL-IvlzSdCgG%gR5Ggd0tZDo8t#Go zEx~UAapB*mi*T2qxxB^87hs4cb&@<-{~S;+gzmX9x0@g#VGCKRILlHjZ#)TYWX2{7 zbvx7)#<7I<*BY0VhW58^0i|e${&E*dT&RWOTaN|CD`NCGN&&|Fr}?b#!!GH)4XcmJ8V58Q@Y>-hYUI-^YM|D|>`lmJ!}dyjvz zni!J4kMeRnL!6HeOX)Qi)@Rt~k)f!DEn5hKqP(V{mQpy!>SbbtP0~Krh2@?vTDnobe6n}pMNlVfF4IhaX+wxNMzvDp1Jw2=9;HhGwQ$d|V|wFG$v}RZkU5TKz@?PGF=f!`7|d z=jdaS=yX1sd8>M54BzuL0E`C?vY_5MTWa_Y_{Si=VXP%A17cM zxeo!GxQ5#hzhOOc;OYR*?Fk6EI&PG>ZcRWCn9`SGY}-8ujiHkAtnlu`_s5IJPYv9c z`3i0v&y=Yrh{;-4+#ni0ut^Hn^KhPh{-vBHh-jE{_~Ec2mjU64n}%fhk-vvR@^@In zebnbUz@L_&1o08kXf_nvZSIc2`M$-(pVDKkeX()ff@X<4&m?))J0_CO>?t&U&H0>` z{hES(+rcwd++TKc*UxxQahYZ=#Xu^G-$_sR(6Z;Y>fc8&33{1Ho!|a&TO~|K=Eg8= z|K-Vn>0V?&>LXK-#j4T7P9QM8g7*_JmLL)P|)_{b!NC z^WJ6M2y$rFk9B&sJo{FLMMbs44^@ydRw*CTiv(+!24mO+=!bUz=`O{@e=})EFTVMO zyHGawRZlixB{!`TfW!dtEv#a@jl0R4G(5E&MzWJqm<_Unz!xcg#_`i?_bIlO!~K48 zt#>dKX4guRLaIvs3^5Lzou2`kl7Sp_OqnjV&pKlXrc4)Tz}_fmav$Z3p!dQw7u+EQ zaFsxtT#{|Q*8~sg!=CGt*fC|$x$g9Cj&^6WDmIg$HuM%O{C%ulXI*foU$*GItnTT! zmZFatx9k6b7sYOchrK-XPw_rAJ|0hQ>im5;MqL_EI*E+F_h%tYZ%l^9FTd1Q@nvur zD-o&i&E;oH@fo*LifI!-BH@iMs()lnkMAc`=CMB(!7K}K!LZNKd;x!hUPv_~WyJe% z+!O%mMe>UDk`&25sS>RL9=B>aIU69Q$59Khc7pODc9P} zs%Oa%LhntFqe-zjC7V=ZV*Dt!P_&ZZvw%kqC~a`(cYXfKQ8D4Wq=U+C`N@3ZD>Q>& z^~w&D>uci#Zb_V|Z04P%LC`jI=k4GNtodHNZaM$JYxW!lU((~Z%!{TX(~PaB1A-3^ zZ^!S~ih5YK^cH?*F7sc{q~47)P+$*|Cz%1Xp@NDoTPc5j!fQwnL?-KTR6>G6-|xpb zWWe!UUDGQzxa=#*l_ISOzKv5&VVzm_a-@;OUNys$!|~VM5mJ{vD^=g2Zr5uU6U6yfNp?Y3YGyztA^&sOSY`O7jV)u-Zh=d;I9v#gU~WjK7vh>jxmR37*pd`rxH|OJ2ufCjPQbt0#Gk+|JDhi#YM1r%iqtZDMm@1=qc1 z%TP_<&bGD>{GU9I@WwC&Wl>q$Tm;`u^-Qyc`>5QG7pQ(3DR3N7R?ch64D2Xr=Lh1;(&VzQU^n5Py?d%_h6Dtk zsUTZUog_FlIQ*FwlZ0UfDLqKva_KelelIw=e*QeqiO!-d-7df7k7Y#p!*%JVQD1xO z``cF<`l9uemARNtTzvQx&2eMiu`e)^o>+g*@hXT0#t=vjW56Gjd_vGT3^nbv4G;Xb zE)!Zkp1@za!~X&E`s0}>JT~9}c^#v3{I@of1jB!w_YYR7C&et^y+Hm@?@JKvI$^Du(~d*5A%38S3+G zSU4Zx)4|LwEt#ZGlgs{<;WTTDJ}hRob?MlhT{7h@yKH9|*WhW-d04Fa!#$0-;|t-i zgzT2l<#F9*fxJ?b+BgC0XTFXI8NE0`zekU|x}LU8X|Q}J>~N0=nX zHH__*I@&LWKuhUEXETa3N!uRB(^hk{l)pYr743zGciS3pWP(jjunG0Y?w1$ZR=IaM z<^}*ixNIR-&KH-Y*R0;*w_7(Qm`aMi_0yw88?X4reNz2*yUsFky!$q*b_V7;3pD=e zs;aadq2gP(T-Z-^e?ey8Hyz0{N#Ib2asuEB5BMYR1TK$8M^wjrvho6C5|&T z-{&;14yQY$O+chkuP$1IX!s8O*&mC!y?TCgC|0BbvR%YBuu5old?blfNxE7Ks&$Mt zM`g!iZUL|EFm-ljE25+4IMQpd+Ew}x5VUIRcet}ZWaEEm^iLV0URkR`HLa@|SYGWs z0_sr#ooaPn)6-;0rt;d4Up#&j!l^qmDb=>a5?*HvXasdVn0y?nZ{j&kN_^UM&DZ(A6;xd*yRg${|hrwEL2p z$ej}}#+BV0aCdE$*aDZEI9cVG0i-A9OlDFtWT~wGQIj`2X^J1)rS8(zQ5`0S#>$S2 zOWnHr`P&iEYnvZ9dya-A1t|x=xj%)Rn-t=q>$A8odHl2g7sDP_aPZM;&5sKi%zj?# z8$->G_Qnb6HRljOjfWoHr3;v@6mlsScUvs~d)C;Xdr3bKiTOu%$%Y4jX}j8Xa8UCH zRjR(S$gR!H80|8(W1)MqZ=21R&b9wZK_KDrD`B}*6|aqs&Um8hgjJh7$?yJqlr8Mb zbR2@G*=BOqKv2TJpB6ppzjXi~izoR~noIR4^mcOOWJujewI+?(4~ILso%ZTgqospX zfBnvD9R0c}H1yelN_l(=IRDHtG{N`yH?%EEqr>0Qrw|7W5=x3RU_Lm6(f^2m8Kno@iKGof2HWI|3ZrBx2-T=4mObLY(pHV^lbg=yt_Y>jv8XmvdKU zPnQIY0b2cB#goSO#n3`HXE-0n1KGZ1a+ce8vKm{GmvA0%>LBCYdbKjT=D}Mv{WJ9}&xe+73SS00(rz2A14|N9 ztw?>fkp31m;$}yr08xgAJW+WOtHPN1s0qt#yTI_3bU4B!&QXh9NY6M=^j{sJSK>F3 z$(>Zk5Ris(X1g=u^{RrzkvyxmhRNAbLtC6?Z#sLpW+rJ?Doc!Xv0!0ph%cc3K&<_c z0fCyL9k-tudGy)(6F@oT2+r0%nf9-Ypfb`p8GYXIGQay(6*j3+=D$+KfmTh}7?!|o z;PHPoasRlfG3S_if!yA$*!bE|urzAj*k>L6nYiP2Qi|zeKW4{`&r)tf;2CdL=w90m zdEsL8!{6@EZD6E>0p>50;e{mWK3!MV3?awb?SdJj##@QjEu)8HR#8{$iwmS2Pufll zXt+|mHtx6<9G|$FbB4%UV%y~53avNQ8VpXaq+b$g>+o%NaVGnc;=%#sRR8sCbZzg@ z0CWpbt>guF>>?wTN|BkjrQ4wyK47>|x%1ab|5?{L-o96?OeG(RNEzO_B$rlAL@ZG!uqe@3l@Uq++BolEZzFxg}yhq&4$6Uh|$riHD8(6Q+%hE95ugbSDTYGH2ee@Q?$RBeE%gIhk!=i;H{3x9TM0t769jAc?pwL$} z{6jks^%N=p^o*Dc#ZE)peBeM{E+53l7XQ$Q>5dc&R^CooFtXfQ5kf3Nj!IUOb`0mV za+rxr;P&*VwuEu?MslONeJDH~F-o2Z&X3BWlsmfb3Af*j` z_wHT)<;Ag*Q2|z${hCMe2#XsgnVrog<0PMhdON~7P!jx z21DMtN&G&LRY~<&OBLL-mOD!LDaLwJMT}(ZZHDWKC&y*L_KHdzV&>pP%|RE$8*L=gCRaUC>!0#?mO~ zJg*LxqUy05MdL1{T#gP^pHgpBqGV>ft`(&%xvgkfvzlVaUf#06PTU}nU2-})BRoFb zK;L}gdeXYv+8zP608tw@ht`i~Ykc*^1#-MvY87O;LA@^AbX=Q zDIda1moF7Nu1V|BrTtA?DND;nnns!$NSnZi+XM7GU8l&vk!8PJpwaZWr{j`NbwN+Q zS04QjP~tcKcmVULowbeOcWoBG*584Z!Wn-8E6t;>%RXKCX0ukmgS$^o;|kg5MSOws zk%A%&{JEkhPD%AVsoQl?McY0v2ec1z-h!(+vH_Cix}N{mueL=^{)ilJtj)qWbwXPd zW&6a(?+Z+6kE(=J>$XqX^zH294D@TnZ$EM*3NTN^jq;aIZwV4B_|_Gppf-q6GY-SL zh|XKwApVE#lsVDSJ#JeTd~v)1or+NWJd71>933uPag)L7jsLRy>+t|x3^PCg8f6$!BZk!z? z(M7uIyd6M&!w=8Uza#0T)M~d901boee}RDN%wHn-9#!%xijVY~qJVVxBA$^ zqMNFU6iyP{23HoGds@;?VM|^*0L8s|W_ZO9?0hqzH+GBQig8W(M*nZB^P712-$+-F zJy(v*RLxDv^+bzr=i@&GhgvzW5DpI;xZtec0dm5C-sZdO41pUg2gGR{yAA6@IHBRJ zEKQ9KhHReei-_R|V2*!qW&uxh#QI-|?CCQA>ju2HYNj)~5DjNoP$mNSk?`OC{Pk`KJ1u%E!^ix!|*Opf+wxJ^*iFmA7AVghSax^!3UO6-lK=&W(Ur zFl&0wZaQPYz9IS=R{L`*`PrOPt7;mW&=LRW2;<*(<`gJH;0*yW%x6yg=fNbfl>O8c zh!MFeA9IhgKK}m@8Th$_#Cvt(vJh~wusoMssI~oIbqn!t7QoSK>&>bOSGrAL3Ll#l zaM6h+TuTr-1~&72ZVl`ozJlRmcH2G_fq=L!>K=?)8At>q|ZCjfef(h zn4b~e`{BR2wZ=mQS?_0d{iclo-cR1^#{}uW=mS+;;9UHnt!JHjcXXateC`Npc-3VQ zr4Lut;sG`&jdpq?VRjDt+FyT}IywOR0d;3OQ|p8Y8K!RE!*cb1s^L<#&(Gv_o+s9( zd8MbY=Y7<&|21w9ju}66oJj;%kJ4^Fvm|~&GEbFP*7TQ1fE}(Ba)k%|KY@e&pQYR# z$Su$l-bK}%AcU1!&G-R8FaPGz^!O**-35g9mtFM~8r zF*ovUy^fUK*@NcsJQkvh>WH_zu-S2})^7td9*{fM-l;Fo)q!jJO{rALDj$uVf`=h; ztZmHz^tf4LLcO{)_v5G9E;&|p4e{}}@L#uSPwe_Bja%FBG-=*TS0$Og|6Q6qdHP!Fn*tRV4GNQP$fW0~hHJv>$VkmwnU&J+S6SGPUB|evuAw?Fy z2LgGmNY2{-@o4?usw)}Ob-+97Xh7Rl=Tobs{2?44|8`qKqdsPtl*uKEGb-s%GN&1k z%o%_KD4j$*%iLUib!tNPz5shg3^x&GU2q0?UjQ0VB(b6ing?Ilg1`bGO8++*f@T>% z8z~?l2^HH}BY&I!$Pk3A^-=|8`S5@w6i~&ab~}|EP)wR>5&Ephv@0(<5%)Sw;edTn zNQ)6}T=Jt$|8JZbe9v$2zflbTkH_*o|NY;UvE}z)1>o}&$NQ(^?0s{HqyHVtS@bY0 zP=Q7!u2E&2JS2@D_o=aqD#*l$4MzfiYy58eelq9cK=fU^j1Zf)0dK6Zw0gh#RII;| z!~jCUMi7xbP}**W)^}XQbzS75uY8<<#LffjukkjrNg3VZ{662uI>-}lt92`I5%}`H zBK)FB+r`P8jbe0dwLcdFuXK3!ar!>p;L#Ma$3+Yp2{BxY;+4Vlsz#4=B{$XzbJ!^W z^%o>g0^nWkbCc<52Fd8;Ov=cX1YqTDieXP;mR@PC;WqLh<>AC;z&YAbbol>rj;>-M zraOVS!m*;P7_<{PR*|{u2XByI$QP(4DgN!41P37?lM|m`DP6w=CBK5t7a<}}uI!^m z=eSuV&-j=$9Vl*;QxRviNv0Pa%p3t&tv*dtpFU63SZ)g&@QPKycoYxFRhZ8#w{e>J zXF-`Bii2#Eh$-gIm*T;EuKN@P83y4FD6%&j`xbEojytP_FEBUb&0qA#R0)6_&&Y#i za>aW!tEk#dJOL^r*pVIx)|L4bVRA7#fD&St=C_23jT88=PV?ZOTxhKkitKa>Y+Mm2 z+2Mzs3&&~ybRGS#=@}nXuOeO50eV@@^f15HB5gy({>R@!NjEQI@!}r_(fP9&%kr4q z2T!M5P|NdWrKq^%^aYu`9Qxpy3ae#-!QUvG9$DSpTvm_ZEA$EBKIJNRK4*ZH#3@|VhVo|(_cO&Otw*CQ}c?akV4M?dAxzIV{O;|m{L+?nENf2@o9lj z$JbO-YcE));VfG8b`C{J#5A*?REZ*WE3^K!=sE@&O2M z0Qy<@@I-B}%mo(lEa)CjKz8ZjpUbLaE9L)?$N8N=o%wItKRaCd;oOM{xtJQsT!&i_ z=oJMfs$Dp!IV5~aAzI^T`VAqms;>iUHGpz-hl`UEW}3%m>rdwVi^5;FBy z@PGMe0^NxZ1ntSGqq$9m>@yzErttxcewk0f_uBeQ%Rf{lD}FHWd_;>U#r<3(avX2e zf+NQ?rnpQ$Ed_r2&4-s;b+R2wd^8i+O=PO&AwA__qpC_XumfH_wwIz6-QQLlu{_(A zmy+#3H6^bVlj2zmjE3<59AHy$xK~qzH-P=^wlL%WpKyq2o_^C`kYFSTByif#DD-5Zw5GM^2VFtPPW#gBeG3x6TMCB-Ivrt>0 z)j!KvU=*K5zLg}Mxf{Eh*O|=tTj9}6N&sf%CHU|`*mTAdWvLk(Cvz>k7_*oCOn$gT zi(g3xTIpvifbByIyeT9KBypZ~ltF@>o+kQSWVastbx&)6 zwNGmk*nDb~mm-+Yi*E@vo-Yv~GL~Xfx(fLm5jK~vM8yUZj{+f|c3cqfr}l0jsQh+E{;QZr%OeUxLz`zRB z^oiE`j%%|rwt2s_{r;x-jXVRB&a*Zu!liOps@sL-*5f#{v^?Fn4#K-bh_m8P$h40* zG;n=Pw{nQ&0x<$H;(jkQ&GQ9IC|u$CX4-TPB{_A=$~}6TYtx(2bXpbh!))p1Tg=b{ z4#hO?N4k+yp*kt|>~jpH&MV0bo4v2)_+F1Unu$;I7<`s(2S;2}a3Ek2QQ(t1uPn}j z@5`nktg481W+7W-c^AJPPSlJ)P|6OgsvsQ8Wl>NgSSnLhr+i@C>w?$kFJCNL`_Rl+bOwa3d{m03tN(VT?gh@-! z@^$56#I#q6MXp%|xR(*r#hK=L>y67+5-N9EDq94;$ZraHek0t@u4>$R^u4YV7068q zH)5q}S1+ix&vad>Dhe~ztsK?kw6R4TI~`#??z_PkYo#}M-^D>{%d~3?BNagV>G`s_ z2?HA#o!FldmPYW+g$ZAaclCeq_TEuVu5a4tR@sVM=_;K_7Z4B>q$Mc5M>--!DI!HN zG${d85E4p4??r0pO?rzU9RcZ0ilKJ`gr0C-{LOqbXVzIWdw*-z`O_upGI`(Ux$djn z7tJIOIGA`cbJqCreGLDx{3%ImQtReN*FdVoycw;(F&6#Tr|HAlb)cKCpxOm<_WdGB zy_Sb#y4RMkI8zyz-Dy4!w%kdHJba3~_oAI@iF`B4Ut)bbRPPc<++W7-_I#SIrJQGn zHVY>e{;->5o3IhGlg8P?nV02h{Lo%*Nn3N{v1E`Yy9d=+Zui)eB2QeTmL|SAB4L-I zG#6!2`q22*gkFF4AJ-bla!pE3_blO@y|h`wH_FWyvdfb&+O9Weq$F?SD0n_+1(B$M zZL~VrKeqk{-_?IPQvn|3FpcvzNm-o-$4&XoSLotlT*d+Et7SjXdNpAiC*X9 z+QQCTy@*VeNpUj&u5a#+Em1^u^IV|U ziY)5g7YcCq9crflj%`DE0SB8N-~Q= zh?e7GGOi?_3bGy)4UW%a7=KVkc?iu@zFX@r@w?AcWEDz*$98$*4ER#QSwe>l;W}#s zp{15E!^zaRm0N#_1!~y-qW&@VSzI&e4|;7%5T>4wQg*by?6E(~u;Fz)+^R*4jO7HU zeU`a+{Czl;$x~a(ni2%ot15{6J`5T19kJ5&J#C5X^Q2k57yAl)IGoDjqGZQz?Q78) zc_$@~8!oo7#z;?x-}7*P@XtXE)wK(Bc-p2{14#Fb!AWLWJVj7!OU{+eFofmuc52)= zSqm;L=kVo-T%6c1IxN!uRqKn7845xWB{EaEz)=@z{>LSdD}%@Kg(}sCj$dghtGcnI zAl);oyyJ{u$1IsvZK_m6(4OJ-jBORWTRSCd?6Cw}y(ufZq>|5z)E9u)NTTAYOmjyw zK?m`8p4U*^LNBAh^qD-NYpe_fOvu@0)vL3yPy8fWb?R;q?%1oe2j*O^*?U4M7EjlQ z0D2q!C8Z<_Dn^RgI97UMETk~z&5!@L@CKxzOJwCp2K*mQp5u`TpZ?Y4>9E{ot*7a( z%JD;+$}}k}^QE>>WSP=q~Wg8RaXS3*~cPCmZ{hcbjESW&=VG^bV(^9a20y$tPM98 zK~|wM;&$wLrW3;;St(aFSt;>-#Mdta#yRRpM?Yh#?YzIT|;-KJ-H+ipqIUri^ z0V#Cnb&i+a+l(=?+fqjtKNn;)<_XKOa;7uw3cpNs$zz#_55W zy`FfpMj}#KTDyenoOD!fEnEfRo@N~1UwT|Zhb~v`<5-D(TY_|_;lV99HveCg25$Sw zpWnQOF%plYxi^OQ;L&UnO5FXFtdulv?y5Lm?ur3CyLE^|neG*{2noF*Ifl}1DBHZa z=RkgWzN{Fvg$sI?taxi6#6iW<$rWC&RcuCv00bwkc zv_ABN)xi_Lrz1$6c5( z{!7fg{Hh@8&vbiTW4NewQ!mb%UZQI>NeZ#vVm}D{a}GoE?8<-G7Kzl9<)FylR^Y!c z3_{MY8FHV(SO~fE>8iTy4st=;H~ct)ubp43Au6L5SdFs3=ORwCMIiGl&hEJlr;;5w zxS8rpQiKzR4Mkow`^Rk){Aa1ou-Jt!4)x#f&0QCn3%TD0go2sA^h(*6+YR%-O!XEA z`e1}tHU9AdbOi|v+ep1A2_~d^sj24&$IPYRy{}+e5lXo~;q0N@FnPDuV9OR3kh2mj z?8h(O$2s2uQjP3liCu7lpncZ19XKz|=P*Z;;%LYmyz)t?DC(FFtyQ$6FTX$E^|66# zkuODpK(8E3Hm=SrRxZB7EO^5)Z%8Pt=2i!8zCGaH#oG0Yh92|Vk1Pg*p?2IsHVS&m ze`uRG>^Vheuw^APb!iJ82j32)l17s;i&-n%G|c}RyprA+GKR3xOR~G84DKRz=?W|1 zY}Ba?2Pw5IgKrYq_mS>BCs!X;GRykFL(bN}9ImPtv7V8#^w$jfU!o+_H50|-GY^RG zT(11%j|+RwR~Z9!y7hrB@B6iE-37ta_*wEM7_B5FYvQ5O_kIsGp{SjbCTSfAjJ!V6 z*wl5Fi!Vj0CC^bF93eeQOCMBoZ0QG81h3}V=s24W+n{E7wTRo6y5_4dAN1q z4p}`eN_d-bI5pwW+7bnP11pbZs6Mi?Yk`7}=X5Dfm&1;zdl+e)hCrs^?cFHiVEL*r zXwGD1B@E$iNb^HS(HAJGv~LuCPqz&LJlrm{(@QnWbWj-@G~`%C=4d|hi1FbYll_NT zb4kvE}l|Fk0Z!r0WomKrfmILK!Ed8m3~6bE|)jgYxE9>%-xinDqaF75GxJ#FV@5nCGdVOF}h}q#-Yn*KKCXbi_nL^{{Enk?*~is zWuv>CV&esi6aHp@LHujXE{iXS=qN*WN|84(wVhF3ci5iisumsJ7e2w*?u-1TGAwxT zUJDHOd=a*q)9nZ9uZ>o(htIF*fi3W=<)HnXTI2lv&!mZB74Mu(#M{W}*Z6HD$en&!uTT(MA*QysTut4XB zxRwRSz_ufD)UP{NYpe?UMD8HQ zQa-e{{Wk!Kr?lL*_FZvJSvk%9I2dmrY{J}sStPt(pxFEQeVeDle62Gv}muQ#2cxwq?e7I)kF?dEHm z!ZNHkfsZeKdGg)pnA_xQ%j|fYAdjW^QLFluuYGC%P~Y%D{N`k*L!>hg&N+ZAWuSPh zL#_E)XR#db<%`;?N$P_Rf%g991jL8p784KE9%s83qw<;#2)j95-<9vktdwKq{Zcr?^tXtt2HE?MZT2m5c-_iKxV4b4dO}sikgdU}(hjt1&m&ZA^^j$2? zrE>PyP9*ae)vEnUr^1x`=kpetZ}kP?+4|7o2oUHaYXs|2o??i9LOnTrxn+%;2E$@8 zB%ABOx_~I&o3lja$V%iu+!k`MBSk48GCwD4N{X|+!A;aaqijH0zii_nF8FZP4|c>= zPa+DVBDJLWXgj|&c~Z;Tq0O-y}#8RMW332%`o+8R!2?=zZ z(kwiyI_i?DJ+7slyvd|hcGI=d`pR3brTCn8I?l4d>XTHHRscR$*f`9`fTJ=9L;Kt| zwf+}1Zw^1df4Agk`K^M`7-tuMid`M**JhC6HX&BfA7L4_s)Y_abGp}k6r7Jra&Hkl zL|UHsNphBY(x~?MEZiHdMa(V4NQP~caJFba<1n>nN0ai>NG7s%gjVb31(birt+ukx~hQoXaWOOd0W-ac$+ac=o|O^88VsK)AU<(S1& zN8m63mVKPPKwPEcA#16ll0CgQ?Q^oh0QPjLKi%oZk34g1#iaTq5F-tXzdXU3V>x#^ z-KmL-iN&Umeth|#tY`l(CGY$fXI|${)^oU7$kW*BX3LPsR+RneUw$+;cctyXOkOd- zkJhS1DI$XtjCOOuM=^98)>nCD!7I=Z zwuO7KMfFx)VjYIQdrrib*>Bl!2bG!_scx6kOl{pyJ!On`_^4|GCXf#qJ@=Kjy8}_6 zCLU2{=2$eFXD9Vw7r+xKg8!6KTA%^!Xs=nk_0aA(>SLPj1U+RRT<6?lg!~@+tBoK` zz;U;-j3<&8zYc0bftaZj>J@2`t7^%QVipCpeh+JH*kdSANS+#Sa5#ryrkG$S#vGqD>XFkC)#5Vk`#j!kZ{wV=Rv3L(|X^D(X^_hZ8_%5c6T zyWJf1yRaRae9w>y8NQKR!o48j=phs3hHgnhX)M0NBQLii42s(Cxs$qX4aNbm>=NaHsq1N>XC)IUanT^GG|O~a+_ ztnVDIvq-!xlMCCv?Il;~ccXnUOFb4&%Qi2eRXn#k#%HQ|jU9a)wsV^p%6OkA#d9_H z{ozBW`HuHd?NUq}bA*k_hbXDlWsQptGd>^cQJuG5`Th5cC;uyb3GlmqNjk{($&KGF>$doO44}j*Ue6S*Hc|4p)%^$~fhAt)U=tCRJeB-5i zq({t#ZRRvevABF69p@0OUCZewg=MKD@^@>G0YM<|L!aRw5B2Xyn@ovw9(Z~I82~uL zdE9=&0^!yUPcPF>pTo9|$tpAeID~57ZLyiwxrHvonnNaUFVox?Z1%l(`zLT50e>`A z)tw4*_*~{>{map+aZx^ZHrIT=*N@LlbSHw;Cc5_jm=`2fQB$8~aMR)4Gmw7l9Mem- ze}Pmp#a-CQrm33|6z66yx!ET&oav=+3}WTk&=$FA#<;sQ#VK#oGh=;*)38Mu!=5>s zcb&;t*_GW|E#%__w4C8MUp`6@EFmKwBtDX1%oLg1rCns9ugqB*8sUTw<-aF_l=3vX zQ7fKab1T0Znd@=Kd;aPpi~bAOqM!o2Bz7G3Qle;P$c4W z(H6j8)(>F{8Z=(8jEW-mk4t->*SwBLG#YUTQmFmM1O2rc25LKpbeAsgq3N_F(#&Yc z-R}21(0!}8e!Nx;0&dW5|7sMg^rF2*O`e;vsyqMn&dvPd#xCAD;KO$A1Ji#Cpa}LQ z?WW>)x`mZ%?Ia@!H~Pkk&9P&ztEMbBYnHS|XL_I27W~6HS>PbQ^e^0UT{?SIk_T*} z8T>U;ZuT1ccFZg_`&+aXeU*wcZkEGV>uyDyrLr)wCAd3kC@*k5@0-znY;R5=e5WPR zq9|qlTir*AJ6ciuX{3-m_4>t-A;lja)U9?cN-4(zF(wuz8DDr754$0@6B7L&nPN?2 z^+$dLls^%S(dH6=eVG}SbCV| zL(%>5rH8P|*Hy#aOI_nfOR2J{@2kdNCbshD7ep+XJnq*2k`yqSt(o|0I8UEvT@x8~ z

        `UL;f%4cz7fM@mDViQ){v)S2pp}}}`=GjS_ zjLoQE?Spqbho&dfFrhEmnGfW+BK47)Q3Pot++pO(cRk_?5`(R!FhX*f9SikY6{;Dg zSTEH$Crf>nSgr(9@;A60Yc3a-`;GD3lVk{rkew@q&rAy8nRFpr&bCyj#&@NumxfE- z)dTM3OyP1reIe>F?s6A{UVJ-0_CC0@#;-Bm+3bt))>NY#sT5LZYlmaCPvNt<^mJ}H9@xN`)MM4D}ROTz5Um&?L6;Qn)_J( zi4CkJCVOmvD z%iIRqoLfh;aU%V|*n4+V7JI(xz?mxOU;Rx0mfT4)rCPz-WDHAWCQN=y^zm0kp0>OK zdlQTFn+E@A)_W-0U3Pu^DpqO;>Ik^(xjcWx1d*}4TF)WS)zaA+=y<+ztuB{5C7%a8 zguX-cUo7S!L*=VNiTVL_;WgcdT`uux*a50FzA7H ztqn?i?BvD>Js!-jqltAH3$(C2vXAD>xAK)5aM^EPO6LnaD{TRQz;plvHfHG;3bcC} zGJIUVTJ%94uVft-s!VROfA@1lROM@RK%%~70ln8_JD+IjVhbndK$I;XswL9rZ%Mu? zdO#Be#~ZI?CY2Q{R1Kb52?n;JI#6a<8d>Ayx(2}Hr4nxMG8>er$fQDezc-EK9nW$d zzal_z9m(kB9E;|dV`X2PpQwS>fivTICiR0Dr^c7eQ5U+urt!zq-(y<2u%6Kbj#jHU zXcIxRZwTft#aV&ihsDr70R21Asz!v~*{vNIG|nnsg*;o=TQJP;8#}tf_ZAc*OWB&V zUz^a2OkLRhu-w750K-+7cuZ8MMrOw^g?#&!F7`3GkazG$(5{WkDu^Sy>{#2rsx$%C z;NMdPYC0}u06>vD02DctolmsEZn}G%7f|TPGrq8rQ>Az{QI5&-axGnN(_?}iM3H_lq`7E{)`>Pijy(U0E$dcpLMYtOQ{ z6yx?TY5DDXMJc{)#BhawmY%(FeY0ApMKacQ7rXq)x%8znJfKImNdg0#&#`Z$7&W$= zu68VcpgZwM+1PQbk&O7hrda&_`3%q&-sJ*1!VJKdQgL+NBzsfX@j6Lu>y{OsL;kjX z>NuDXpm)COmc(i5bnOhL;FS^o%a7w?w@4W&5}G#QXp3#mAV`u$$xy@{|5iqCbc16n zO_Ys4%*;Qux$Hj9!L3||OVPL4!$PB?e)k-CgAsMZ^x+fOo5MK<7MAwwBu?RPU}IOV@BGXIjr(Qxbb$b&34zbDdd@(bNQ(2sbFPE?#~LdSC@nq`iw`{ z!lq2tur;YJ;Fjkm>$7Jmi>|_J_x-@I7$*z52<&wAtB>r|2!ul34uD4X90G!>kz z{?R)B%^E2M1~ihor+)F{Qs_oye=5g3e$N9tC$HYLoHQ&z9KR<2u(O|<*(AywcKn$# zwIc#_gRk`b?5S!ViE#RaY_twuzT>*aav1LCP{Qi4oHM-$O%cytV9g} z?uv}n^UN={GeGVdo1MPNcVk8S{ami2C^j+C(9xteLhj`7^y`61RxfDl;SYb_4>z{# zE=Z4G?K&3$+cxrh0yuUj8l2-NEQIwKyG0pw4j%cw=-Q|M>T@RG_VR18dx+j$=dje& zyk=8Dr-je0B$bTMYygkRm)-Q;rB%pB9f;k7^#R9?qnHRsa30MAQ@&Xn+bF05$M<`T zU0$d2 z>kJsP@+qdj8Q;G?_GIRFKGo+D8J*Y7UU=r%{|Ez26`x)n$(+zj;ymp0Rk)?|8481b zGvr39)I(UC>Xtx>If`EcPZDI5w=;4@BHU=<(lx!sz3FM3V*|J{ime2LQHB7vI~Ps+ z_-3mX&oL7!iY5s(ag$*IGjWBRHnC$Cy=URPBnt?cH5bG5Mn>CYiK!vl@PG!N6uytg zv1jhZW%>p?*Mn;wR*Rg3xTOkW387^9+al< z152S>KNNqw%~+bh|6|+K&RBj|)LXm+Qfky=vtEabQUuqsQ)>^`bo}i>?e9ZA^L7t3 z)bomd7SXfU>Hvw=2Trkx0lGJAA+%Z`7Hf1y@Ec31zLB=bl+BxhM+*zB*`6v=SnWCoY|MG8j>H4psjm6j> zVXg3VFvYuq*hp2;)iAI?h`s-AGsSi*E<^akQkHQH=aCtUAj@&l-}gVCLZGey%U zacPrN3~j+KsmrbBMifw`V|BS+%$b(c-xp>=7(+=4`@ageG|2=C!@gH2n{dmjR5 zT0a0rpNY7%xtO_oc~O44Y$Cg&q!6F8d~D+9n3)k--!_D!b%V%Re!qNqqG1_k zuL}s^I$p=xL;Z5m&5aunZR*!AJjEqn{KSy%y?{N_OqN zy?`xPHQ55X><^#{TJl7}6eFui-$}!D#+{LEmA9s*0h`XuwY`jijV;+fEOQ@hk?c-` z(O;*waLRtfy4ZS6^!>;z=vQcENWykM*$+UwBBSTB49JGglQ3m6OZh_0O82+@p3Kug zP_s{E1q9qKJIkeB+BjR7#8#-j^p5*w%rI9`mStVrced=C@cvJaQOyFlvtf8mCB)ec zJT5eZF`Y$Ces~-h<;d({=@>od4gs)W1YgkuaxPqordfb<$q`BHiD?=SIzq_oJ{-GA zZttSmI&c}JZtBih%gDAkR>>IEHdr54_al#d`ySf7ZxNGdKX5c{I{E#Dhb6OdDzno}#f+bFj~D$*!`$k33Nrz~eDqR@E9xIq4! zz0IIUPi#&(@>v}l@GEr6t!>ttPXR`>2TldC>30`#@^OV0Wumn#-W07B9FP=`FkYSx ze20>7+WN+|J(i0jbapgS`GjhU^gNqx_d()w+gT8aa!WhSj+c08<3NGG*M}Cb0&h*m zMAKLWncuQNZ{b1y5VFJ{ykwN>QR2byG&6pFw_-&IzA12G*=r?=Jf=e0o}FsBw7V^7 zYwKL!RpH?@lI3CqcgpzInOsmohRNV^_2h*Q&sW{ zjzA`0>gjUlB^DU?0sbi^B5d|=(1^4e9!0k~QB#SBy6#GOMwp`c>=ueZB1}$aYyOsU zsTkJJ{u2yCk8Tzkgi1SdykbV+rDXv6hjpTS~e~xXxu|M#pwrTFjcCGA=-~ zz4fZ&#!?S1nunZM@frTlY^sa}d6;vMNA!DEkKH@)3!)Vc8@C!2m2EN0O@|ZhQl|<> zKZ*S~Qc?We$8O4lrZ~}CVPYiXPEl(Nz;)-GT8g-c8(OnF9t`P_0;`vXxk0GK&Jnf= z)cJ3_RofrS)`yUv-*xY+ngY52*WYuYHx7$f=NBe+nlKmjmmj%jUk03SoAGlv&lMQ0 z&$PfHWewYWH#~lEL}<`s^LA%PF0eJR6w&Lp@l{yoZOVAA9-W!{^@uQJyR>e%Ys>zubS%*CvwNrpJsMi z!AevE9mUO6WNmG9T5{r9$oD3JTBUrHab|DV4}PkJE;j(|vAwytGqDS%|5_gE+jwkL zC|>Y=R}8Yj*yaLvxTulPl~|sA1xV$|``?MuAAr0()13_X*{Q<-K9Fj*ta zV)C8ei%hyo(d`6Zr}y6#+E$_tzj-*`^|DnNKzyor_@ok<&@>pm=i zZxyWl49ka4-RqZKdz=MSOBWSV$Kn)6FZ1isUuS|S3jxlkR0FS?iAK92_r-YswVmIk zQ|pw;J(@@J!UVMhmW6`Y3Okc{ZPg!2?r%oPxz}2bcKo~-ErqO2SSvO&tLN ze#DT!+juXJdz*`LNu{oZ;|5G==48}>lDs;emz`M2N9W3&Bcn|enjj_?4{JuS+5Yrb5ca5eYM3M+XetR z9q(7$?T4#SkX8~to_js;WK#Cj`GWbyWLtvZMuSm#C~>dXY$e-%PuJD~9v?T;^#-Te znj56;{-b6Wrs&g=6BkP;`rwjkq(~njH*sG$G3%i*-@V4>3K@VnbcuK73X9k_Zk!q$ zK2vp8H7D1iUd4CpX|S^EodR8m0x_;Zt;sL)jW%emJC&G(7G?7(RJSHi(<0~8fqx=a z=d#)>P2wC_HN90K7YqOqu7gk5U*C{P2XOCgN zrLssxzz$YxfHCSn17*4X)Ia_n8WmFAMbi{*<-v2TKTRMmaoFNP$F!b%II>M7fRA2^_eu_t9{5bl+kXoHdHylXBI=aLtCzlTZV;XD0fyZl zB86j*9okPkF8)3nT$U05ovgU{3!B_+_P%lXDu^YE(+&X5N(e5;0Mb-CCkRXL@;H;Z zfv*W5n{|A*(As(!q;GXhU1Th7AcNR1DSs*vKVc;yk40NBLub$x=`=Z$>4ixB^_!uN zSivsF{Mn@tL-A{~BoUQisUmsM3^Rc6_RhsL$yhLfC)3NdMQ+lV=<4Ndb?;gA@>qr zn7|dOy`hLyVJdoGD4;n1?^z1J7zkLObx@?NhanKm%_Sk&poWeEhzUA z-9ND@Aiy%)&Y>#h_pI>0$V)$)u*x#60S05p%Lg;lSFlf|ugla`=L@`3zdY6lb#m(& zB07F;=AZlu6b0coX29s1*%<0%p0f44R|imMF{|=#qaADqHv!OlKHJawivk%yga0v$ zdf`4J+F1phhDVV?vHPPwT->8xRdZPZr{P!eXsF9e3^!|kaztr>iH$BVMgoY)GA~T% z6$%h#W0v1w?^=q&KLgW)tLu2Q!|inEJ3sszoou0j(P8CYEE3wgR2pSeCE9f?F-{z{ zwH~BY&#y0j^`%eDw8#J!s`P>76AKIV(3LTv1fFAPkkvfH@lJ$vfEVranc^qyK~TpW z`4U;npOM_JcJKpYG^a$GY=VJcoixCYa(klo^>|z8hLi2;DjzKms1LdTrwCH40Z_sL zt!Sj;XlIw|(?fer^`R=AxqYR~sO8_s;iwqP^VW0|L(Sdf7s4G?N~*S-H(rJhpJ{Ma z)y%7gs-iB`N~1MXmDRwU$}YEQqABw_ahsFue)m|C;BLHiG1A@P+>RD#4$-<}v5q+g z)ny}^^#!76%4%(BcgBRn3uy~E`wwOpuRb=@Q=W(ZF=2381I zD|?b8ME>LEmNecvn5)j?x@=?*-wO31XCj>t@*z7>aWr~p0aQUJ?B@VQguDfbz z+{IT zek#Dko^Wi+It&g|m)U%bA7OuyZ7GW9aJjYoAtx!e(MrqZ)~V^Q7zq@>Q;BN)l-WiT zWvYX|7)D$;^Klo|5mD3g9|aOe z_Md&JM5Ags1oyFGrFuVoO>e95+Y5V8Z-E)~T68mz%=A+nZ8-b>UfpSo8tM8lhn=k4DEAU>7%Zh9s|m}GNF?a@Ev%2xAXPmaX6J4x2RPh77^EgPnLMDWt7o|RIP{cLc8yQXX zgK6v*$0(Gn>EjG9z#iL;@nM^DG??B%odTcr%CjR9SZYLGPmdqJZd6xJj=WbFtgi<5 z{EGBOu#fh6@*-hqO97Grgcp@lUT}+~6H3@3#y(V2kkawMqHr`+^Yt7~9R5LF)0URY zZLG@|V6$%kea>v3pc|8qz?F%=CP%t#Kb3V$3PX+NUL!kB&Ho%>H^)St2N+9A{E%O@ z&)c>6U2fTb{px=O*`)&>mvQ@*LF@wzdZozbS`y0Zca%rV4c$vXTX(wA$UtYw4k-*b zv+DwIj=G1S?gEb$6&y2bU?S9a$V|V4NUcMe_~RE_N;F;>On_g1EB~X+m&*giEC8&-9>Jwws>BfKkew)-hbz~PT)Z^>{$kT|HVQL zy0X<)RG-V5<$~o12FFyS?e#!c(L_5Oy+gBgzxNQ5>wZ;(x9n$H&=s|GKeZd)>VVkm z+hXW+;~?NXv=y^B*dJa*YH#GBSof3Eg1-nrnSM4u1o4juoH+1gr8cKF^a>J{4`!*I z^v|}Os$=5_>7nzYPR_n0u)hkRm$B2|$jx`;u*pcm%J9#;N7*eT*`-*E$Wa~6Uc!`$=f;sT-SMDWI1|Ppf_;+=QOLbRmanJLf5n6Gcq{mZoZzwp)y+?p69~7 zm@2lvfWGroc+O}l6HaX3nFS~zWI6X}q{-+^#RL91f2?fA_jdrJQegbfzFJY>R^BTK9|YJLbxZ#E{|AUp=LYwPP7S=& zS7poc&ijr;9uNslVV09a9JY&YT9Rpp&w+pGAdn&T_unfDuVbO5=ZduL)3BPd+VIjZ zeY3AK&YRsjX9{(cw~sZJ2B4B1R%jnR-}sUTt*hm3mU}+jZW_CD>6O(&h#R0_K`iR# zu$q*X-nzlyBGj(ei7&?-8WZGu-F)?7cy%$2-SiI+R2AFYgS%r%oXdkKJji9 zOT+Q34!7m)agNitQ!;?8S!}u)r}+PwH7mP03O6T>eyn@HwCSeMN7!bR4=eiZve~e{D3?LC@4-o?xD8mJ_k}zc%<+Vzf)S z0_7aA1VAdmGf%pljKe_@-Y;{Mog65OgYykd`h-yEoUA!m%gCpD+-HuQ9j?Z(YbH+k z9^W<0DqGn4*3v88$h>Y=(Ck@fXrf>r+;xg$of=wDUPJ-h28Ff|Ck`D~9sVA~c)(bPGje;sKO1l)UlhwEg;Zgl z0VV20E0^)l%QE`j^l$z4jWe^&1p`h-z?Z+bFp(Jt>0xVWMT)-NZVn6 zrnp9Bdt8#gHHh#=mJFOQ`V&V&M@3DLLxQO(79P35jm26q0Z8{OtI zODZ#WXLP)?cHe<7Ial-z{NO?336+J^S9kN*#|Uxrr&%ge;_N03Rz4Q4&t^m>GN!jz zdXTJ#?(iNmg3l5LOx}blFY`Z(M8O>%)y2LYf^%*fG(y;2Y^NL|T9xWAd$cU~lu^FT zXCpNo&z_N&OC+wSK@H&OmBppaY+dm?%sv^}uU`Q|2W&?$M*1waq(k%73VwD}Y`qT#K zB@5X%Osr10>k;Qz7T?mt(Z;&&#i&{ho4#tk_4c92xcf(s)LtSFU$M$j%HyT|InTpC zQfd4Lsd_F~#>vs+!1YkajNaUtI@Ad-5>eTT{7IQBfZH<1LWF$$erJm<8+!c)A6G%M z&zc{dp-oxDS;<`OG+@i8VO7I}4&T)cRi>#;ysa>U4y|=t zWHdJ(lSg{=z9B# zm#*?s8|T96xUI`TV`BhFe^+}fCh0*Ty+TcRY4R{u@=_9hY?feqC8vnVJpLT&bD2Impc1 z(6+QRv)m&!bMJ`?RGK4ADp%&9GBa}zoG3YQlY66xii(Pg2nfPM_xJbxJFaGca zA9$bZT<2WZd9UYVLw9tUHJj~t7+>R>vX2sTwHGZYd*fNZ(Ae{eUJ|hYZEWF-(+9C$ zZGD&b9_6EBhRxH8s==PsK!T$E(vd(tqRpZ5)@7H>@#*ooR%0lNd0gYL<8M_=V@bqP zi&RmoM^Q)*6X=83+HDcA^}O&3w#S@trYK82U9s)!{QV97R%MT@Q2N$&Y4I=*i|(WvX;3!wi0DbeMA;JoLdwv7TIKhzP-V z=hOGpxLHfwHKS5aygqBMg^MrMOud%7g5Ztj{Zf${2&8PJ#(&PkhZ6Hb?socE-0nY=L}}s3gNtm;?VGk-#2;eA3L^Cfo6|l%KWrY`Av{hs>ym*Q(m%7DV|~ zUvQ&wuYYpyRHR@AvQ&D_E?PNIkYlBof041TuCB*HG%%2Lkxkw1Hs0Q6DJn#6m&<{T4k10?HZx$DYZBSBN-3~ZXZNwFZlOw93L3r z(Di{9RpHHq@EpfXGJ^qIh>hWd2)X4;hWLT>u06!8=ihuc4Bi^L;Fl4 z?BZO-js}|HH6DUKn*!r7K@!guOHhx&OSd$Xr~0=MR8WPCVsVY5905|Q>z<(>Oxk3B z#7=w=$|^)486otJQN`u$}0KR^1{r3wF)xPO1V{&y2CnMBUv{!$i#Hb7$xS)jOVt7wL<9OEHfgmp#i zTU_hu|8My67+7FsLJ9_x1UkkInh)FQdG6_QZ*zoxS}=TyEN~(RKZLA$MZmJvr}-H3 zq24bb6O&=Bf=Z_)1^p_9{F7GpJZ>}-Iu6oZ(|x3ot@XxTi_e>Dq{BR6^*X6K6+TlJ6vdoVi%7_4M%sB)T@um zV=c^CQdO-LQ(Nrz2Fkr5naa(w=IE{Aif&66#9)zNNstr@e>khL5+ce6MKA}_7ZOS! z6}p?7a24!i_-HQwXSuL!y`3;`#yA$M$XrG0gD0(LDsP7yr@Sy-OOqyS8aBv5ye{&! zGkAV~Y}{I|{=2(xEuy`t%zxybfQa&k0EgQsGG}&bi*;7=5gmRwoQw=JfQR**>Pj&en2FQ9jRMb# zhN_;4y)Ef|36(hQvDg{^J5X*;xf45K-nfEXP|SlN>u)i6aUq`LVI*Zf&a17RNn)}+ zYb$Mm!IXI9-N;xhU(2ad_{-edwj4WM);da!Mz9ksorrnT8PY)9b!fJw|ET(H6!*eX z?f))Mi3lFN$j5Qg?YrX259L_;v>y`UUiaz!lSf5J_rl@Ki}X9i1rvUir7emBg4I8V zE!8@l?w)TliNB%5gP``8^-E2wLj&EVSGF&W$eZ2nmkN zt63+dN0gnfIurg(Z6<7Yg6*{~L%J$e5L#N58uOgHbe3w@odyD8hu+W$w|u5!a8Xj=jAoGVIuZbK;6O`{mV8XgyN+4xTp%jlop=;yJUNg zPWLh5o}V||fUHw6ebi_pTVjDsRk6g56D*x$)}%()Isqt?#>I{5w1VQsAG#zro#0zD z%2ZfU!%}XEA~z*n!FYyo-+9ypc*k5LiCI31Dq~UXIV#5BtsQ5$ZT2-d%+2!nTPY%^ z^=Muyd2d6W;!t1ttl|PzRai!{de6QQ2>>Fc3kF~#;syGc?Bx^e1}lzx5Rghz= zcyGW#5A1Bn7IllCX^M)&I#K6yq~|sv?X;#k>Yi6+Ggdau7JA2W&yFU(Y4V=0Kw}9| zl{eubbi92l%t|CWevV0MJ3ET`j>`o~LSBSu%--n~-G=y?xWmnRLQidm_6(|JH&`>U zFz$HKkkw8xpi??i|D=>f*clxZ5=3kN#C*2jxA~vV zx?zu5v+LKV1b|`duA@$Eq3^M}J2gKMgR(-Kp$W@WsvnYu=7i;FuUj<2Qiq7!AK8Tq zG)rsXR{tS?=GPe157g2dz$d}MkOt=1)>n8$A@ewU0SlWF+F9f~7b%TE@*Vamj~Gd$ z&fuLO2+PYi`F0Yhd!hF^%#TS*E6lmqMtV!k&DSf_>5%&k0NglGco_5nU12?>mv~yE z!{b99jYXX^teb%smL8zRSzNi2itro9e?gasYzIcN6AaODyA7@!%d{bE%^sxUzsm#r z{`M(ofkhk_7wSIS@uGJo`Z+0x55SvpOA_)n8{BhT-CvWD?(G&^?6!LyHm z7aj8e;bkBoQ^fjVgE&_8ac1~1rm%9aAL6i?=I=KPs2~m5duDkK1ZK*&h^aoWGnd>- z-8B%oRH8%YgoRXklwj&{%nw_WAXb@YLt9Jt4c^tsfN2YuC1;JiS8DA;tMTgoRZuuZ z$w#q^$d@Wq>QTBu82Qv`gdRic&2po@8hSn@hCfP5FA>bq?=FFbK*vK6(_K4fS~_Nr zB&5dDCTG~i5%W$6?ik%%+Ctqf=Geix4&e;YH`MN|IX8x}UQ{c|9wi>Mt-7Ey!|;~- z)wA+?J$#0lEP-Hs_y6+>ppxNZYtKUs-?Vl?JRRX808w!(7l5z>(ini$8P-nqv{WM_ zhjmfRXJ~If>kt-(i`e|P{ed#k-(83>lI*;4^_0J!PM4t_3I<;0ObhA21Ae!aK=(3s z?=^&^*t6!$DNjOsa-^OLfY%DTBc)hhz^h6-&~*y;1MN-r^#K4)$MGLPMLj>^Qf%%> zx7a2;E6rS{ZxZMCoUu>>wJk=o5w_>xlh6s%5S5Y$h9OC|d!6o7qb^0CeMllyGRD1& zhxF-t3_)~$$S%XEDCi08p1my=I-=H94+oZ8C!TH3X{cIXs1c0#nMtKqbiX-kH>MZu zOWk$d;I?}=L-fDJ=sA*9Rx3?`wpA1Ue5Mzl1G$ZMO3Tc~kKLGQ(FJ`XG!NL$0#eop zD9ZZzixCTk6cFyc{lP|ZjbJhv!kO}CGhnOtX1f7soAJQGhh3&2xO`m~DRw|FtNhMh zx<8b-Wh_#ock=Al6gXN^U5pyQ?3X#2`KP{D5gk1h1me#_3 zTsKR)&zBJJAYnUeBX-ZxY1vAk)eHejV}b%L`k4+HdX?gPeId#GBla^z36m@$$o^5H z)(&Jk>%LD7zI`1M4O*1isxwdXfiZO!=*C$Vzv)9sM9e2r3qb?6TY*SJ@2!!ivqP0B zb&#hJP&8@`(D*~L5+A*gY(+tq=oEHW({7PSj_~Oa<@)ulLiUi*Xbz)o=X}W>nocVD zm5@ebZ2Jv6<9Lg(*3u+nt)j-Ana3bg4FE!$owGpoi7=!=eoIvdv6nW>BL$QI6EL*U z3?@#rmpK=XW3sni2|{ahcgo-jh+lArr#sNTMyfg^K1{z>uge;@9oFkSiSah?9EJhN zIy;}%)hdZ1k3^0A_rV^8wO0g_*w-s@VWd<53|}G3cHlhp0f#fTU5r#h>PfcUSXkJ4 z?Dyxu9F-za3>G!B*Hty?tv0)S*GPxtVGrPKSen)M(Fh&(dcMbW+IYJxx?h zX_@B4OmybLcrHZ$)`fH1NY@hUmFXD}9S=`6&e~W`T>Z7jRc);GBOsgccA8S-p}KaM z$OyY~tP_r6S3TCt+em-8zDFw^MVCdak!F_ky3P@6XP7(JIVP^zhXc+=HYW1!)kb{R zOBlI!q@A#tuF*jZG;FmlW@D1!5vz3n{yS%bMo(>#ufeD4Q232oMCk*7Bk=wRj)l`z z#Nc9rv)up!$zhG6yIM4)pi`@_V?*DY)2l_wTav2mXJI4fwx@FT3g3L^v}>S|o~2EP z7c!`n8hg62qG0Hsi&XV1dF%&3GFk{j&~w*@j3h41;3HAkZTs&2VqOR+y8~t~u+^w3 zNyg-~RlSp1W6q_R+dj=M-Akm>!mE?z^|-Cz2SJI^)Pk9UTW@B9vT5=5$;cOdN;7)I zRWP(Ml%Z&E%TepGq|BGjf)2CjQ{+AuvWC*~%($%$Oa%vx$=a>%=T4Z;c{$T;Lqz*y z{0d9%KxbO9w?QCs+H}?fhF})UZjl<(Se(foR_l&K0Q1?zPgz~ened(iw9Bzhy3qDq z@;7#)qY{E=TXf!Kid&SHZnG2k%s%{AQs=w%?8*j6xC$+|P{5s_^(g5karOKox(Wvy zPc%!t#9xy3g;%OMg*+6uxiH%LI9@$?d&F2*_3htv6icbil^y~2_q@dWXuZyukT$8b zh1*~OW_3_pNbdvNgITY}T13UbI~u7rj-@#j@+0&~V35|Qny-J?B__^EcD$>zd~yBs zbHTediiJg({c*C!z6ZY^`p!+{1d%=x?RH7;hjwxREjI4s)iBPEi`kThTCo2KX7vT_ z6&d;}##05ztngtbVLtD2BRaif|Ax8#<*MGN_~^}`UFj8D>o|kGkXGyK2G|H&x!;pI zPRpvX^~Lyw1RcA8DI13zc<{ykHi~iX9>euRkewlHvigV!+T;43dBfuSt%Z`zejV1O z6x6Y=XTZCI*^lWwN49!>GA$(^k++AB!AchdtB=g*FrUbr;?%?KKc0^n)|p;K&ro!x z0U#D0-W{+rja|4&Oq1OH=)a+8SM}#pza|5LpVafqYqk}A&n&6-Zs;C{kw{FR>0NKC zK#)DV*^M$ybx)h#SveAD`{!oklWd#XB`guEKRcV|q1y%5*(d$%(ASdYnWG_(bST>Z zGaad0AstSLjqi!uAs%w_hNl_x@<6U`JZDs=_P2f8;(VOXx;}Pj7&RFx$12CJ2wdS<~{z zy`adf^95(ccG6sewUzj1LQ&HkY_Z2PfnJdspuf3Pv(0xfn*iLvm$wPS|3TkVr2869d9JC@IZYM3^r~*Ki&@0*@?ENbw zCtT1I@S<8aZrExp?ap4?&XO3}liXgd=X>i^C z$H|{*_TCH}QJBHE+p^<2a~92h=ab4K7zW;(Y9zpoBG$L`!-0b5UqBZOxlc7>@S#S^ zJE=Nw9*nfAhI#Wz+iw2lyA=s@#uTG31U>qJd>+r$BI~B@nCR>K!bp=b_wlGc1hq#8 zmPH#C>E8Wo1!aOqM!VPR*B&SSf@y}&B_STOACpJ;@L9AkAD;i=YWr-@((kbKq*z{I z47ad@?O;=HoZ^eBlsS!f&@}92D92CgGdVFdvJv}|aT_HC4=mDm65~?$Ntdg)zumBp z-=R>kpE*k9>|Gl9$fGIglVDr`O~D6Bz-O(emHkC<)chXZ2|<5e{mx^BcohVf+W5BD zMdtWI8Jlp}%1#(1RA{q(OIvcAxP_BG{G|Q$rUj64crP^3M!wq`DqaVQvS` zZJsV>fn%{}*vh3{m-x`K4A(~3%aBUMAdlTg@W5a7>8s#OdA*Kuh&wxY59_}dl9%NY z8Sj7(@BIcH$+kex%-F!#b2B(%f^UpfBVZIZdw1H%nB9}7UH)TIk`z7^xLYXEjc(zE zAU3u6ufP}fLcg&gT1(713l9I4BaMs4cN;^S;}8ly;7K9dbU_qH&zYDNT=|@a@TN!L zXH4?4wwKEnQd>CDsM`$i-DdSA>QF&zqS$N~ z9k$(0Y&AOfuN_38PqbOs#S=N3#wma3nK-gN**~p*2$KM?=GcaL;6WyysQ$atuyd1c z7>O=kcm@pws0k(ZpGbo zUFT-t6)CcxS#zug{qklF^8waD_XEck9{-zQjxRycCquWSo47Gx`Y6U$%CCHv>Wj!( zWh8aO#ADq)xqh5IJT)wr-8ipv>Q**#A|l9S)x*pyyiazDjO-|s_TR4 z+NWeZ|McoO-TI_eqslj64N^}a%-wkA^hL)eiTBjY$&+}eb_}GfzjhC65WsuQTciD) z4*HH$?{$}r8uP{B#l-s2bU*lusfrcauSijy>hJlmO{IcSznNN+I&sBg7`#@?1DSqN zXisI1Hlc1v2>v9z3cy6J^vqW4h>ezYPL;W3X%r9~f_x35r&jEHGN?7Z!4WmVp zEE}1TQi5v@Glnrc<7DSsDVM7{tQ)q=6{7`U-8%JC2J>RSLXcMTQ@IKoeH#Vv^|i~p zBO%bsPo(@NmuGu5H@J<81ZR0L`qBqKx7W|hvYcsp2(`-fUBPouz3Y-c=mPRG+u;7ZLK=@up^rhNd%Ba2?f5Y0EesC}g#Oj9=JDqMMI2Gsv zf5huiD-h)I?RPYqYlF_yQICokAN403`2Zh#Dja%CaKg2sk2X>*)n8G-BEza_J7ye> z0InUCBQ;Y|Yrpv6c?ofKa>28fniInv@rz!OLdC3bu1JP)VPJK2HoQ5{_?!Z=Vz|Cz zdoFm=31I|Vla3J_26^+_`r_~0;<9-R1wXa!Rw*JF<^}Uz7Yt`cELMa_)hz*9O41E3 zi~b6cBQZ368oI|0VCyePq?{jLD>zxT=+RArd$dDmf_lm*3^;`BmjxeX=)i$LXnK#N z8Z@`d%~8KXaBA4yiHO<^Zr{=eYd6P!#>U)01y4JXh4v!P(WaQSwlll>EnmZ`)7Jw^ zKW;>?*b2u;ay58usgkr0P~mgiL9Ei=80@h`6chr;hqp?EF@?yh`0Y&sNPUTWRc!c( zN_ZfWBylYo$jCocPimf)b8;;X4~Hque$zwhV^d6`zM} zlFjYLN#$QA2;1Ew-#1@?w(y6~5$-8z<$V`<`gG~c}pAK5t zU(*VFS*)Ac!z~rq3dVk6CkD!M@@Y9VW=*zg>W4b~r{J#DcMC{h;AqS!(?lO#Ps26S z+6wH$U5WJ^9?2`M*nf%=7J?o~%yjEB!Q<=rHr~d{Nd$WfOJk(U{dqS}<*zIf5O>u8yUvsiAd3)*%6~5btms54h&a zm`uCP%xZ4k>vc7&fkjut){X>Z{$wC`9LbI=GP!Z|F@9uLGk_iUla~%^Kf$V zcSbK^Ypz>oST{|{EY9+BSAPLfvZ$A}?8VtLz2@Xuu{hY!Wb?*{#cQM8;wZUhx^LRz zRgLflCl`rO!n?)gyeYZ7tVy@i z47J;6ZRN-mUX7@6pwC4K#mGiyH`6zIAJ2Sis|iej7mJ6*Zml@3(Gk(oSI^}|U$XTJ zJdz`O)ApRXMerY?F9Ws{5k)zBcaFC?ulGIeyLf8 zkb6+KBgFsxhDhe|CyXfRdDWNd??s0idV4*JjUhE9jLZ{T#Olk%XsxX4be^6Y%`JZA zMbEwKt+G0@hK=+Qv0g4!&E8D$bN9J|CgfJdW&6-^^*51;;x=Oe=oTl@j_}dxKx@2C z_&@y;xpMS1)aWbzju4$Szw7uvImTSgg$P(aYoq;r@}y{isD`rK96yW|SJTmQ%lkvx zK-hU3H@~peF+Vr6;?jqFfH11WkxRQO842Y1!JFwds~-(&@W267PBAro%TJpcRj6^ZZZ zPwYbRZJ+dk^XZSreUp?O8zEu2R~55QiFsC9_JEe&w}>qe!DF}%3%*l02)V%#)+H3M zs%F|2@!^%THdb?F?ke&4eEkzm-VwWy7K@TKl}|4gj@>GL?fbi|0?WEqe(0#c$G(B65PB$Y+6vZTM46P zThsg$HlRVNNS_$tacc7_Ta=vHl7HQ?eq+v%0P$XKF#2V_rr8(J@PIUY%V0vljlxyb z3@SX%^=T&#-kom%7<;Lo?Thrw_OQz)RmO&%IBq~@E&&4gFkuT%M?H&~Z5}TS`w)er z%P++G6K-+=h>?Y4M`s9^_{??&rBN`!2$cvrUca|eJG^S~vwJZTd_=^}upld^ZV+ik z0Ckf$bSV$QB7X4`)8Uf@nsYW-6&qorT%6z7eg}!Re;yfr*zS>IVwpsz!M4OWD~YngUDO*{p6?#ka+V;tkf8^$yv`&(b*bV3|ZiLGjiC+wTAVav(7&+70?lckgAPSW% zd&uV)Z`v`*Ge%LmtmWRgfJ0~byoDQ^Tk&2^_~s8rtWm0;-|yH{X4!PdTpP7}0rOws zBnKnysLnLgI=M4iUf;jQoVaW5H!xxAdg9w%{GdZrsdn16%*6Ba1*S3+U-OK3M5<0> z?W7mzI704R5 zR;fq4%Ho!nwcjnq|3o-%F17+ICSE?dJ1(0DD*9dQJN?k=wN$+C#Gb%STmXPoP*bzj zAcQQ|IGM9Wt|Q~u4?7I+c_|1P*Y}qGe0smq^^dqo;bVsXvhF?y)yP9k|BsE9wg#<( z#b;8w?7Zr&9Wtt2Gfq+qrshmd7s}_|^iSZHAY1w9G`SPkT&gE{_w|ks_C>DVv$#LN z3yln(ssCuzw*4<&XpM+doZw;o)8B4r z3&kFi`Fwr*ANg~NI|>zd$C2luSFcPwczvYd#84xL%`Bf-Ww)0p=zmwT{sJ_yND;$? zJ!)2gEzEc1z~kwZ7r{kQP}jn7qIvh{X)ky~j*)^8T;q>Iw@UhnL)~$bbwBDCzRJr; zwi>NfnpxS69=hydWK~|86{7S)kN2}jcsA=tyQyS-*pc>H>%<6egrrKMSn&IMawJp@ z5yv^}RZdd;CgBt`?UQWxg4SCpF&w3C6r_?&8P6?y@>s^sDmvzda#p=`c0i(A_JcJg zmwF$6n2ATfdUlwc?$t92-^I0r8@QnGnQYB{sGC0Be_^49(+@dRf9l47V`EEMWZwD= z_a9}0e>5yQy?dnuRW3>My3-oYSTKJ}8O7^Mnu>s+H-~LYg2jooc0b+?-ZCi8(hc=i z?o>-0ytd48u&z^8s$>b&Ij-nPPhKGWz0#pvZ_iqlmJ$i7h^obF?(*0j3FbJx? z+R#vpoWj@yb~?AE)kP@)i39x@N&D0z;{(vA1Ks{by|;efn>1MyAI{=J0yKu0?lM3y zeW=N09g=832Fc!(;^@(bd5A0!rpS=spY6{RgkE468Z!|E`M<>GpWbR66d%NS1P`Cw z{AEj;&DAZndG@vKQn8k+{<77{O?NQ7`-XRC*r70RF%Pl^lgsagR57sqSXGC43R%}V z@IQyXSNhKfhEy-I!Hl6xR#o|PZPDy9?@>Ws{eKn&sMR&xZOnJGB2-m*cE7H0bW9Y0 zdpn9wjUnAPeO9Zi|C6|%<|F!vjoZymXLSeKGMbHRpZb=}nl<$|H&r*ApF=5qSl_^V z6OH$`k$Pnu3~mAmbIFM#sholJK6((5ef z8U0Z8P0#!3hVMC0Syqe`?08-l#4nWCKx?^bYAj)-x$@;QX4Us8)e4KptF`e~N zh)4uWRjxLue=TH8OP8`raiC2H^Xp6axmsqqpInQU9pl-un19=?BH&Siyqhz(Gagqu z@XMopTVJXXw7sV0W8%^;mwL3y>5fGx{>@DU7kakeobYZYet^a2!9D z13yx~UT&JR_#j(XOQ~k#r0QO32IpL=Wmx`Q?X?fjbf|9}s&SIS_MZK|7_VDSr!+yS z)(*p$q0LdgEI<92tPt_BFK#6hW4O?YBF71|X9TCO9h{G%&lx%tc!k7va=>f$4ij!Q z^2JGQsWvJPK3`R^31w?JwD6CZ`uBrqEWVaIXYGYkt=!{$Nq@xRm%#__UOm2}F!sPn zqo{hq&oh1r9}l?rCIAc6^Q^l+t!cD2{w=76{;|7dz))Ey!NOq?3PHxKtA3az58^`wS^kL?DjkOLp-J9 z=rw!tb4pb!F!yYt9=r8V1<@0qj)p(-=b4F(!KXS@zezE-lD2`Z4fAgq$nNBCT@Ks+ zwd{LU{;u=A#ad|BqdR3C_C7TV;vo9`MqcgWapOd~wW{qa z1dMIJq-H-Iw7Do&!q=@_pHO~t1l-@Tf={UELu&cyXNbX%-)%j9*FZo}&o{)v8HsG! zne>t{0&Ye(Dd_wt%N)4)>RY1&*(%DM}jna zu3fyUbuRwRQ!_hNrSgvEuljJwha>j?A(mq0G$8X$j1lw|Svb}yLnzQ!x?$bQd zNsVb=FAE$Lk(T66{J9=j)JxIP#p;@_Ya%Zw|EKs2LZ9jYM%;l$lYc(?7A>|xcJ$8c z(*MY|U4rYf-j`z5Bj0W=9-x6X9$h|Z|0yWdvYCPf4u1~|FB#AG;|@dHh58IJ@k2?x zF<#aA)-)5l6&HzkqOGq<&BiywmID;*SxFRUedxKW=l51$Ojbw?b!0D~X8s%H@8ROI z)m#Z>%aZE=Y|s~BZe#qlh}#$&4w!KpW91)BUmCT{&G#B!PM7`&(29KF?o&zYq5I;{wwql#dr65;c<(L`Lv@n)lrR2 zV#NlF>Mc!K2pzcgTip2Nv%`hYyqQ*I?m7ioi5;<3htSPhXYE8o948%UdweA*JDO;T zlE|cBO>^zp;qeLQl1NWtj8Da<?U$Em(%b%`g(8nA!Vz}Y)1twX)#L!blj_$YWD0i3r-W!=h zks>a7RjY-!?Y$+n3q1n{R7VGFQ@YOm^7{t7AqFyLnoQ?qj`7DgmS&jNN(_5$HiYVS zuNB@o#hCw|=(p@L;$FsMio9GJF1Lmc09aliX^tcwqTy)Q$KAoRY@zww%pOrHvaUrFU@=fo-TTF&=pCg*{vMnBQYcZfGB9*US-m`Xn#9(OA zAMwrmS7M;PZt%f{I@jm1V}gCW>-yy##-P0?HFLkD@90d)4jZu9aF@5i`&y`)i7s zF5=yXp*ZH&kXZm;SAY>c)Kz0{0f8!X4ikLaG`vCEbQIL3N9r!E)%@nI9<= zj}>gG!O0%V=re=Z5r3)2ik)Fay%nb(Pwf1^c#$NDaBl_^2|IMieNK5_Joiuc(uYCn zpr@Y&Q*cu#P4^*Y8@PVv0M9R+SH)+EO;=cW;kb##i{V0S9yuM+lG5c_=Vi|iKYvqyl(yx7?z zGB|@p;i8a@s9C-yu>qq{y1#GYW1I;fzD2(ov!}3$S8ej*zPyn>t0Q!lb5!7T;`GKm zH(Dg)wc#O*dwXjW@}sO^qi{swP)xxct1i-O%p0yWv+?@~VHVtUrsYGTp#AZ6k((Bb z@6^lkcIk(lY~1Ke2JncZ!5tX=Bh~dkleXNF&)vP{H=iqEpz}?4V4q;#l`-i=f$NIK z*Yjpc=Vu8Wr^bzVKk;-l4elSg{@bPW@}sN1x7#Bl^y{i@pZlu*iB;S9%j%z1#alV6`VQOJisBrC<~N^)tn59tuJ}#2ewQhf;q4 zpVmzO&iaj=C{?biEHEj850dszw<)e3=Kh9pQ;qGn%;0;xrmj| zja%b*1OF|BJpHW4GTFj$<~HDWZz-P_QIB8e#)d8cY5BopiJ@gUiI8HJg8y>WbB7Gx zGvN0BIrmD??9Jp{U`i+D!~>!yl6%QC1jx&;usuz~#bZ_y)Ua_6U;k-uQTl)r4M3jO zi|D>3a1Yc_WPC>z=jj6Pc{to4v{sO^bR(tjjRBAtlD{;zm<})auP#NuaHcu$lW4{> zXB~?(+#qJ+Cupa$d21zCo^tssPiY2UB%pOiy9X{6NS_>bRC>&*PLe+>DaH==DuI=d(=$u*)4}y8t$6?N}^g7_#Kz7$z*Xy zIhFfN|BB*TDWA;#wH=n5|eFy=1!)MaKi*33TKeb2K(u&rtZ7`p z8vw5~yp(RWQFA1|Tke3QpEyI4{;U=Mu1QE%rB7se?%jvOc@G#%Nzt+o>bCye>bUjY z`fNc(PPu`HIimfKYo_-1(sOq+6Fc%N@*4w_FFxD%;cC~uOF*{+**rHy^gl(W?0!#b z-~Z-i4B?q#Pm}pMhs=B66LK;~_p9>3Rk&2h7<)yPwuIKXAmkkhq$>%4Ejm&8a) z^m|rhgV%GLkLG1t*F<#ip9zvT%6wAEC`q#~`8j&#%C9yuRpYL3q7GxV`M!(Ii4bpv zm{-BAV%urAF0CXhj!Fz}m)6!wY>pj;zbX0=D_ZpqI#f$p4|hK-SAW2S{N}8^)yU!o zUe*z)&DDZ~H>I<9tH9qU+TQC1J-y_Cc&of|@zS2#+nQSpcd31@E}|WwQp4n`)G8+q zk6;|NDmj)HTw;|kOen+z*GmK^Lh`TT?8Em!s#2NOH(Lo|Q)Z*j8$O_x7p*a1{(<9b zg|{DP=`!kNn#u>fC3k8kT_dMY7#QvON zM^Wr#paqvfPZDl)@&Ou8GYw#hYnQLN(*BjDeCPz@)@{Zvz=o=B#QhNSb6*{`#)Fv> zIS^))SMBOyH)YGQJ{{qw4oKq5F6T{3LY@*e|3P-lGfU!~72*9W6D0OI_?|3$MCj}7 z(8pm05sxz{bmVzn)b0d;*7^PzIJ6nu#@H{K`y|xuC3py^X8HMP0%`w=3%7$iyA@Fu zU$mH|E$~Yl2d?K^Q?MjVZ~!~SKzWhiPUfE=G#V2g-PZMe=3J_g%$;a7&TW)Uty)EE&zll#= zAX#YCMGo6&3buob!QkRSnYp+?y9rG4g&nS6l{?Nq$1U&Nm-#OhT^Se|wYo>JaapS< zcvzJ@Q<+IQYZrJwDNMPyC!nZd^T*dR<<;x_+S%rd7fI`e;U_`;BPX-Dm(|AlZp6->!MCV4 z$H5K)jv75K3FEat%GDviqXx1zXRpU`Zd=q7+_-V|dFSy$?J-d?0Pbz9EXB==)?pbH z-WZRSUCk*Kt(s?1ooD3}YBU{vJ6a`V9}3tm;AuZYmQJ=~?qgo7HatlSOp%`AMw-mZ zx?4<0=jKTm>ZDAZu=xJY{#ARZxH>qA1 zxm*+YjQbXHZ#170g5NlL)L7tvq*2d+op8Hq4N-lx9w*;(v>zibf6N;gka?N!bL8;b z$OO#Ms-LwByFHEXEQYsjO}=uHlrF&L9zC+;T4Se)F(P?VB8o zzOKpaE31Ip4O}bYpQ=~Yde)}r34hguC5u%+3ZDwkKrJAdz`M6s4k_C$h8{Z3^S3RLG! z(-%&m{{GDCk<#&`QlBp;Q$M%)+ZW-+?ghn?sc$R1QV|xcLK`kTOuXZJ(7pDa`lkgh z3^!gDkOQ}uwTB`R9tv%hpEU(TDhE#;ta$8Djcud|#_n-VKR2b9gSH_WjkMp_>W{0U zZ>T)Hb6dCTX7QynizaLD!9?4Tv=kSFuES>k01|VW%+sNb@ ztfJ&ZT9V$*g#60JpBmwQAI)MJs?uz&rm;~2Su`Txhx$~WR@Az%Gw@T2*7UgZy| zCpRZNdW&tOtTJLTbt*M;U3-Tg+$Sxp^K~O@<=p-%0*(LiuZHF%)2iIxmF0S1!C0x4 zo&b0^18K9z$4E%}0d#s`tMb2Imf?w|dn|ZrWi>J|fseZkWAtZ^YnW41xLH$O7#K06x6Mo-GW5El&>5<$J z&cMSwk*}Lxmo(kXym8xxCr;C7UgvO@$X5fWFE?AAO5JtzBgCUnxW%w^lBrZX*(LGR zb6~(8spb8q@RjOkkaO(jMPb$IsM?esuSv6da^=XukE7oD>9O`KqT-uZ^}|BVMp~qA z%`sAt$FpibbJvr0W76HwG@b35d#77qRH_Dd@p>{Z8`@Y(!tr8QrhTZ=Pou*Jz#C5b zH)2C)x936GitG0dx%qKb#5nLg=nAW|_^@>^Gw04P1D&Y+X28XVm#z=ZVbuA6B^)BZ z^O@|>t^C)LuBDN-%5P#`Sg{&FN2l@vsbBCOS>zX6^qiRGxHjOZNHg-P)Zxu}igu zg0F6VTC42#J|r0(TbKguFmuqm{_S{twYbMYnG^M*9cCU}tE5enR0dfgbN<=kb!^G- zX*@#|#7)iPU$*l>yx+$1DqKhKd9RpCG}o9x>l9_YqBO^nU3pb^gLZ0(XX8>Mil1CC zUrm<%5|@1BD`oL(%UtoJgb*N4epbdm)`l{Ykbe1Muxp1m?EU5Q0~<$ml(#l#E4Qb* z|0OC%A=44vUWCx+N}Ix}f{|MKO&0a9Ui)!fwDL)EjiFLEG2-{#=9VMMKepn~SP;j? zvfnr^luxPB;uW?$?q`otq}9*pgwd0ak=xxu@`GYI=)KRQUn~HO$fqv8c1YkddV8By=FVojx3#=nr_~%U&M)0E(a= zF;oT&Cpr~AZ?OBJ{3i&B3~9|Va`>=-d+7B-<;+M?gRErGi#AQHx-lUYYQ|*VL0cdeyKa(bAJxJF-=8P19kqC3J#qJXMH-1VeCTt%8gl^1lN>*+JR;HQjUnao}?o zW!v45e@TueU)80g5WD9M@$7Qhsu9$AZ}%d2+B+*5Zv8-xezvUzR$dc=Ynxj_)?xvq zGpjWn6)7x(MMVoU%MPEIg8*Yn#rI6b?SzeN zlxu7>JHYgf>eJCPcP2`Dn)pu%9_O|}1}*x3WCis?T@^UTB^DGVB;uNv@K5ZP2MQ*z zUccSHH;pmuAtLs{XH+aczbt)blD7RM*3@ig--1iP%GI6sPvm=Zl=Jz!K1Tn{iYmLM zwfymicCNl8FG)T?TXO}zqOVU?OeoPFEZzRc+9>Ucds^U61n?(xTo!RdJ5Mh{aw3Pf ze_f%ZK~Fn4;yT)H?eNQoj4hq=qU|6$m1|gY@2elaBP>Yv?7AP(x_%>q`&R}-28Qsx z^PS~+ezQXH)wud{yuzSO>e0mPzW*Ult+2--vYO8myOl-QoMaS$I&0@?Jr%zo9(5ZK zumqbli?z|4`JYc8o5VB{^@OA#pHU9fEgkTpgXKsld9RQUM`bR+0^N0%h2&L>ZljbZ z-ccmH-(*~`{3+W0Agl0Ml3YDZ-}b_Q@o+0hgy_Mdhnk>`S@M~S^F!~42HuxSoPu36 z<$*eZ3zVNyk}O@2CMdaVzn!Ay(t;N2>S^|ejcXIJr<-l3flZ$4)~PN>r7U-uNIELm zvJ+qQy_!s1j(|e&uP^sc`9cL2oz6>mdpYMMBPp2Z{F0of#ei{FZ4N47QIX86q>0`c z#Xi~{{no*W zg>*bt^8@}n#)dO&Z-?WZMbFd4l7)Z-zv1+*cE_Wv6t6nexRybn0U(q$+RBW12(&G& zw4I`&S}P@stlph0NrvI^G+|UJPg?>zj^aKg^7YLUfL#B@0x;ZQdI7lQ$fQM2?D&dR zpArB~9wcCLr{He9i1GRw8lLiTRAA1q(J;7#&!e~Bo3NL&QGNP3HOVWh8uU7!ZT0JV zzw|KCf&%?QQtPe^!xRFpcv`p7W20%)Xzor09P#UmX1gJVzM);L*$Rs4ADLO(BpOJI?o#{DS# z$Ba<4CntHRwggh^gTuzxqr79FjJ4R2KSoAyx5(ZyN?vGeMKy~>e(K=J0 z`pBH;b=(VI{b27i>g8^h4_S0SMH>Bi;}k3FC<7XQ0Ys1s-rcf8&~lA2Jn!=W z9%A`;@|qN&h^*Nm$F&|GTfCyzaZx_VGXZZr0CAQD+;ZIFt3b^j^;f&bRh& zW19`H?;*q%0e|M?Ex70gQ9zk~HZ}k69@!h6m}kvAsQ$6H%+Tt4vp8nOE1NIqy20aP zM!;is^Z6}NphA{JLJr_7EqUqwroMT(1(b-xw*LKwX zynpD)ZnE!!L&Yt0?(<|o$@=e>-K*H>(SBi`vH_X*fC|0bsXH^;z6p?8cg`VAiBe|`5%S+ zkTuCB-bL8S{gg^eo%E@J8MIGrUEscxE+gI8^t|mV+4A96BHTedxwZ_pBvHDrWm6~V zLN#)c6fOQ=@Pso~9!C>8j__Ok%n}|w(f-1h#0#5B^V(Lw%*eGNkfvQzp)eYUHjS|Q zD&Y%f)~$xaleYt1G(I#lzYSOZ(0q`0GTN!3SJU)WIC4gn>9*=04n@ATm6f}cRX_Pt zz_(QNpQg(^8NtILH7kacyRqwel1eynrcFO&mcH#lFBh4Be)FDB{>VH}*w;pL%I}mS59hcOU0X}nqJF8* z^0DcDB9bt`ZZx-L$VGe{puYxNKFgu8$lwpMsU#mL?=7woen`*92v7nn!!yd3zFoFq ztES3_rK$bav~;;N-@}7sIsx@E>8|zq{ku_5%r2}khclK>R95krlE%Y3<1MO@e<h3y~q#hAsO+Z6JL2T}V#uZ;g$4hyBYIXLtPlhC>_QG6l{iZ7?SFlA45vigjEj zHl4d^^}z1hm+0Q?TAD29*PO#n%WDgDKiqs7dUp@k^|+0XbbifVp63BLr;CCiPhLL% z$Bh1XT$50;sIK7kG_5n$W2>&l`{w3;fgkqa9%4#)lmp-FCyd>PJ7TB=h^RaF+XFd% z{+iJBthDR->+6erL{3jNZ{e4p8RDv;95C9jyv6~H!-jk=*E4>K%>lZ zO*KQ1z8Pm>EP=DFFRO{7{BiL%W-!&&8f^(oGM%M=?o7AhkpFlVkmNFx_R;8kF6j6$ zme+X>S0ylTJ(#QRGkAB%m+}4GR$`O4vcZ*)-A9FK%={#0g%~bSIL(CHCc|&ZK{9k+ zpPvP?a~+q%jm3U80>f`B5?Ioh$-@-ymX76b!Q5;LL6#Z1rgws4`k=(W8D2^9?>7Ir zShh>h0rWfLb|*p`vu#bLyJ?F~p`4ObR2~Sn@OKQ4?ya3uGMsg{5t$$TxsAhE#%C*z z9lBip*#M;qw>G}JVO=%zTgCGlw$g8y!fG9<&wcyXQLZy2^OqTCk8-qw zglRtT#(>*I?%2r#9N_)(3oMtn`ZUfv&6Q4zk-#jDLP(%$$NE_!y~EhD(NK{HMLq

        SfykKy#}z*d<&AyWj-w4Ez_O0v=Mqd7f8s*{uc4JpOA>f_1BF zvKE|9#R!Y`N2e9cMfPia8|TV&%1_tcciKnqWFnQRtEPT94feEpo?Ty>7WX`O;!p-( z`LGb9HG9NKxdHHk8kHR`muBqFGAX8mWeof|im4tgP`_fodcNdOCac+?C{d$+kSspc z`z49nTILn{q;BFM^}3*Zu=4y2xFup18Hj0Xp}N3k3QLB{nu(c7vQ~5Hx!P&{1LNe^ zn8wPzlu3}xw1U=!{!&NMy8fNNFJzpuEv=Imm*20)HLP&#c+BZH^OXN%INJc$65;uh z(tKcH*|o?mf&}v>+RY6U#{aRO{g`jv)?3_Q!Bag*b#=9BjK2CH58F7X(l74?q#^s- z88)+j!J_B8hiLzS#cQwi8fE9r*SL3Q$Hk{W=dV~0_K9V4E9))ag%5RcE$nZGw;%N? zqEBmx3yMoAdfs!09t5@Z6fq6+Q2g80kckH-DF(5*uXlYL({`8<@(DDt3&xaU%Z2D3 zJR;x68z3=nC)1q!_3?>E6b1A+R(@^Ob_NY>Sm-a%DE0a4MiG4 zuXhi5Cuzi1K(75H9CbUTJd?K0WmJ}!Qia($@A#K{AzI3VqZYxpR%`f-yZjBF3|kDC zm<7#Dj7(7xFo`k`gI@789SxR@3*fA@9cW!&zG0oOd|HV*o;1KcS9}}WL6>*5JN>dh zkG+rk>q)KREZOJ0c+revbs@iqFbKAL!3(2dcuII&`^ziS(V73e#d*d=F#RaaOURQK zySV~w-4!z{*F$-<%b9cdG75V=nKl3&CSd_LB5O#mz}A1Db91QL>Ms>q+Mc9%u9COE9~^= zb=|?%*spx^tQuH9t&R5t7rP1ffHmDeAV#%hi_4$HHOx399Xib6(zov{H5?w<98hjC z5J)v_BzwIO2tC+u5@bKBs2e?OVnz<+ML2P;i{X}4RKJ9?VB?(h`@X4|akU-WCz6CB zU-p#}5S;8Uu7YZ5(^4wq!}4ndQx}m=i!r!|KwhNN-vz^Jeh}C>E*n#Rg%&jqN1v9? z+bSo5`T8s-ndp8=-Y?e7qwN~k<;k~Ju-r1E?J68kUf-?4?X0X(o@IHn;&cdg=pWam zu#8^RD;nK>%-^Yx{TO&EK7A=F^5U?*BK<*g!t^~0D)-j{`>r|8@NMPEnS$oFCxS@6 z!FRT1@nM#HJR=)b(E|cJRbBCVI`k10kO3WMl9(x$^p)NQ_dPz=ri_B44_KsqSi*+z zJHRBwYnAUb+|U(l+wn#;2Kw@Gwck>P{{(s~{}MmT9SMpme^hduAeTe{MqULOF*r*P8& z9@8dM8MC`Zb&ylLsha1zCtDw78hCbpLG{hwkIU7yPGuDMiAtTQ&etV|T$_T8(b^BG z!GBtzujQ!=Jk-9^YRupAjrbuy$hD=ji| z0E|%8Ja<#m1#-Qn8T624hR=u*`OWMKR3{|k&}7ZrtSZ!871-e=aE?3}_ljf|&gW@K z3|Z(P{ZnQOFl2d-7C&PwO76ytl3h^0mvesC+NJ&P`CJuViR1&@@Pk|_NZgd>f%iEr zC0$9<1x9yg6e>pdDH*n21?)lGV#JGNLO5j=oe2%a!K16k|HEkYPruc_Y**zBynuei zXb0&W)K3Sfa6_AD{tQ@C+cdzQ1?#!=M;S#$X>D8S9i0gOOGpiuz?J%QMlVfM7Wz44 zX#noJ(&uTdJjWz!fgo-Xdb9K-T%VnBjE$C#l+j?V_si zzh+ceKJz9?$|{V?smZ9Nyl|9FddpL(q>J7B8FS}NQ_q)M{7ZNW-7($H+r|dM=5?)+ z%poA<S@VL z{Epx7i3Um2{W72*(}oDR-6FNE;&Y=FG(0x41ztJ1@WGlUazNH<++k?uwRe_i`a+;5iCPNYb#oP zOeNl92IpGtWQdvbH4zDgJTeBp-4%c_$Q85C&j^D)Ih%@Ux<@^h)H$4{Yks+@&PAE$ zuWkXp%P*XxoDMAfjbsYbTgZ@sq`)$L@k~t&gg0My4{_kqT(;%{n)CB^KxpWgTG2}b z8)K-?rB&cQkvxW)n&+i>9I-*&Np^{2a>Q2iy?Tf{yU2e{gmJGu8<8>7H*QNl5l|A^L~h{2B`lxvdR_Qo)_JP-n|3tM z6F001Rg{LGrzq+=9g9<}c2EzC5Cwl>T2bdR3xN{>JDj z^gQR!A!kfAff9BJgvy}IYd{Z#gAUm8`5jG|D)lTRfrvE*-;D@RqP3f5F!)Azlo5iU!jZ7=dJj;`O)@ZJnU7h477`JHM!Gf@H-)vl& zr}R0M4t?M;aKaqq^Ry+F57J?Iro@4TzlbWyg*)?R6)bY1EadFEXx7EjemPPfLYkk z$GeHwD!5U|pz1>Z&bS0C5M4Ns|LBlxFrl-TVt`Iw(!4`tBAPR*coi zW+t1>5gmE)oqa&PriqwPQ*z91S_4;p^ika70$r8~f`ju>_(zFY2vxJs0p5}T1VRE}X<4r+6~DYeOttYb+!&v;^e6-4KXCh76@jBJZ(r zgs4B))F1M#JelKkC{-2lwDPEi_?cg6#5(EoPzWQcV2pe>Pu~OaC9*B5lZ!2@mkynG zuMPH=Fk6y80L&;66v6#5Ze)x2_m^!}^E*Fz*X~JJ$Q<`H;W=S~tXNarO46~zuZN(s zT(n!HUH88w??y<|n;6VK`vrZn#cr_0Zp^Ntu8c{AQfr9Y)4UPJb|0;;S45ybu^{|; zQw?}{fk^(JVe$XqWBK>DY?|EU=X+nD;C@c^mySDMprJ{R{47HWBH2RyYKN8?@+s2& z+GbVSn(~Qx1|q8>_85tR3UynL$?2KbZ3Ax=zDu0V3A5l?BdO$2g3i9aWCYyUoB3Q* zDo-5kBGnQ&Dc>G*C{qt<2pjG8kb7~fusA%CdyxG!T+x@rDfa%31Us$4T4ao~`WdEz zVyGgR#ym2LH6;0u!r_QBE4{(m7-(ymgEQgi^>MZ-{-~GKiEPBrKrTEOW_39|Siw41 z*~71_hb0u7{o<76oFB=x?xKVKUNcMQwqNrfUdMl09{&$t97%4Dk;~H^aiw#gj;2EK z3RI*W${)2%)ROegQaxTK{s5)s>CYuJ!$=Q#v?`2_;G}Fr@Utm5Z9{kdWF4T!pKq~- z*5Mgbv;?Z-2L8a3tmQszk}{f3)t`Zfb!Y2GY0Zv3k9wO@XX0Bmt~mBx^nNMBt#Q{~ z66sAm(5=r6jzJOdr3g5WyJIXrtt&yN#|Xpk<^0Q$2*O>v65>|ycrlKOe2|*3fJq?m z@7uq)#>42o7327U-n^e?2*qv&Z%6UaBFfVEt#U%J7ILN6Y6;@iBxoDPwECNKblmOU z{69KJ`A=`o5#hLJyt9r-7Jcl>Xaz#LMTC*_X2XnqRJ$3YK_YW29xSp&>j^<8zhk=s zV<=c)SuPE#YfjEN0ev#93OVk{fG zBY!516&(#l5jtu_pO}z8TqCnu8pD4DzyC-xd(2hg#~a~Lt-3!du#Qq+R$5P|c-}X3 z=2Pt|(zn>S7t4Nk!}07gvF%aWUaU&MR^p$M{aqD*9D4~%}WWleR07ID{`UgDn0wu5V= zQU0sIQe{>>EP|4RB@EmImi1d^d7Z-)>fuI^slLSF`V zD?&ck>j+;>bInw8E1JyzC^DAC^GLlJ{NeFCxA*|U%Fu(jdn>Ta3ZM3I394+55n>Ms z;3Lrx>REbPy7fn=gmnb?BxPrlffoir&~jnfx491s$hS;>9ce=D;8KZF+_?r&cY#kWBj zz_XI-zaWT9LIfwKVF_Qsi+J8dV&7U5Ns##^qeVm&c0}wdmuWQZ6Y&fv6Y|}9$Bm|k zqify)>61Asw)S+$ecN46(DIt>ChFxn@zXTC`(If^8*-NJRSi)z<;L^25U zM(h(F1MhnCSD4{TYulboM(8mIZAzI%`L;|LFQXTk(a4y+|Byio-Bz6FEh*G`0S!~lDd@@DGKK;p@kr%G$6(sa?Di07(_yB|~wB(b-Gm3s2L z5ayTUp)kxHRp(I%aVH&2*zo6eNiY+=O1%cT=bDOg{dSr{veac-SXq8m9#NjbC0Q;J z^;k=``9?*A9V`C7%Q)o!KDGH@6P^G5mEOIZv=VQljm-X=$1p7iH!cd0nL1WtmTzRcgA22g%lu1~pnET3CJJ zTL+F*6E={P>D%meTFv)W!U8k`LI6iex@aZ;{K zG3tR5G8oE~lDD;D!F5w=o(M&f7`@E*s*ktw#qt!6^EuBlt(gfKXgw=marug2^fsU7 z8JKFoYp{>V$}b{@IZa1jSSW5sKyl>M#M((boE{OYiuvD5miQIMbxV?n7LiLBOuiGz zwH6Wh6Z98;Q05Q6n?QqifR|qE>zCYDY1S@$X>? zopUtKkFeS1gh972-KM?&-7x%jX7YcQ;rR>%d?iJ1!?nZc#HuQXzz)P{VvHpCJHjs1 z4)sIog&I{IJJSfQIpQN5A^eeByQ#uj5L2#F$FPbp&2x0M`h79Sl44PR^WyDy+DI*$ z`7v^%5xczEZz{M8WXSA-BTnsy`GXlM0)>*MW62|KY-&-4Pm8V%2OL(bSGb&+qv zd=sL5tYn10(N!@&$mfbo_nLlpxtZ@Z(#-<#t*s3Saw$KX*93YZRe=j4d;g=ubQd^G zW3;kN2y5dsqJFgb2aGCXTnkxi%gb-#87249HxCOk)b7(Jx+<6p8=)gnYB~rTm1tfN zoKzV6tT2U_ae(YN*UL&_#Bs!gp0+aFaXi~&JHyLyRXw1lmEBBk`2L!P_;SVN=1-aU zo``@9>s*CgggDt6nXrOciN6AMM$N%pxGA4JU2(4Ppd$%k!=i{3{-d)^+%;?*r-6r@?+@HmiQatvyA1Z zh<@{wEZXgqtYccV6=%(Vk0Ae&1pYtgdP8g^c8vP-MlTuZfFEY2oRZ~l?AIOm@>%jP zjMD1z636!%vlhx|NCT5&yV!3li$F)jBXk6+BSux@r{NtwM|ivg#Rm^sG28$w@-%9vBDXFx2Y#YRihp-nQpN7kZ$ z33oN-5}2m(cosf`w?gbHi3c%9eaG-~c`$9QFdgiCbTVZPjNle9QAlJy(qKts^&j<^ zPV@4FYa&|&>e@+K@k}GR^+t#hBWj7F=;jO=I=3IBnw}ZMbko0VaxW#Ed)6moKE*y$8ZO^{Rn>c*=BIBNy|rC`54-Z3NL^38Y@%? zofVX?+|yS74a}+>iA}?zO({G((51n|oeV%7Nwucl?8p`j+VV3ewLchjg%n5z$kZb&9 z4#nd&98YxL-~>t#4|>bRJS;WWs{XT9N)08(?A2cfu%uw!wH=53+pN4VjH$=B$N%r5 zki?Ihn`tNqSUnihF-1Z|N21G|*lHIb^;?aOh_n4|s|j&*ov-ln**@zB%u`~_GmMvi#-AdjdRgAXaW?bz}AJxeAE z+PPjc>N8$Idn}J%XRA)tB1AZ#Sb8O&NxqARP=SSu1qk0YQrKIWgUydLb#5hqn|e5k zuzw?zwz|2Ui5-d8I5@?6^1WKi{-&--glCuaRA;b`FpE2xWF2#aIkv6>2<(N#o7HXs z({i6%_Sk?tW^iS%@xSIVsba)6*FJ%*0442l{=%2w{?@qclo7gql<lUmbvh6oUrq9(el+tiz{oMMgP(`^DewojsUoa3mpok{=m z1{qSlX#@mD+JCJo9Rg}PK3o~u3?Tw(?#CX_g5ID~mlzo^@;t}GlJvAfz*+ZWW1@@b ziBP^|9DdKc-9raiGZj%{Ary&>f!_-T)R0gi8eI-Y4LE;KzIC3=*(PG>wbpUB7Hn(j zCZaUAk57zvY*lt=hr`~|l9`9XWj`lwzl#mvP+B6^(l(U?S}TCFRDyms&*1AjO{YiX zfAS2f*s?u5Xui=Y`jz?p$@Wn7zW{cYSqw&fE5IG%(Iv zP)#A&3BU2f(rLfoV!#a^1-&UWTVRxzo3;IDYAla*(c@5wQp84=f6{WVwyk1RS!ejD zou>&e#p6J(Z+|u$imBv!Q{!lJ_c=6~hFssuT;~~wpN`FyrMAUi=9xxGTpGvEHK$j& zRF%dP??2%Wid~wdI|6*_gQr6zgFd2{=(5V!OBF8%9%vEOa&tD%l`RMC1gi79jq!B_ zrd7{T9h#*ynz>?gyEwL^dtDFvt6Kp_Ck6duIPK}{k{FBDu@heF@66;xEHo~TwT#IV zw@G4;)?$Fi17cBSI;t$9xB2Qcg=*6i;8g%PhC$?MO9;9}*|!hd4VX?So3Pk?%AMvv zcS6-`0)Q;@dBX|TyS0A5k>W2S&VA0u*gg^4*e~*ziB{?b&+!es&NMKnbfWY^nA<5x z4JziOwCntdY0>N4n)0Qy)$X14q^<0fCMy?LLm{tLOzdQ_?IJ4QAXDLiY4ED@uKc7Z z9=T;vxz~F|Wg)a*2~t2Os{c?*CY2d4r218?X|zFYj@!hO>;OO;SV6hJ=L0Bv*b`v` zFe7vaIbk(XeQj^+@ceolbF@ChgU?)*(rx9~C@wQ*JF@F|q__B?S(2x|Zt^){4!h(3gG#Acw-}0V>kLir{;IIky0#|H1P9mlG^40 zOQNGZKtZWZK+f%iwALMD=~$8e-7!B;p+Z;7QYnoJ8v~%Zs)xl*ShvzGHKpSnyZKjI zl~hl{7M&uR6KJyH+~S9TS@Xxn%-a)>9-N%k$9;MLz&knnPimOnIozd8u$_6egsfh~ zA5{`hDirJ^CD(WTDpq`<*T1uEb-#XAY-M)8f!Yg;zXu&v#TJCW8myLvhxlt3v!5oO z1k!s2?R;SEKL~u^^Qf+N?_wiVaD|EzI~QDXUtl!krNDeD)oR(gbka*jamn&YaQ{Z; z_<(S4!7`CI#?$xKj6p=cD*)(wW61)|GJ#U54I|H@NE?}^53~{)h!}VZ zDH4LV-$2c$G>;x04TWf<2D$Fq~ zTocKl7~ew-w7cp!weQLvFR3XX_crz9aBs(m5s(uVZNCn4mX~EI!bWkQWAGqun`+r3 z;}C@($n>kR{lB0u+&|F*CJNU)?j;-eMiH{pQ_pY$I0$j{;q208C*FRRr0Fl zxng0};&(3Wo|Jr^XB3fYfR`+J)ihdTm)gP}x13#_(<9#O?t6$M zkP*eT80M)CC-MO{M~FQH45lT!FBAgP1oaGtr^K(1_jv*T=$(vfNg~M88y+;7lfuir zy7Oea&1D(fJq>x&+{|daYEWY-|MUv&V;_b|T?%E$amXi~>aSv)9;mB&>P=eMk^Mi2 zJmXqAuO8NJm)(a+EdbG{V8asaXZ{-Ha|wnmPh7a{dlF3vohoVDcdUu5f;5Q452{N5 zu*_S$le6CB<)6MFR)Q`%cO>c6$MY==;VG&z&4ImdZAR=G_$ZiI zruXA~PU^Fm6lCbTXrI(qSnA z;peD3(z%??7iG(l5%&e%rtgYfW__!02iQ&u!I~kGCps>^O6=<#EA!#S)t{~Pu-41X z*H@dUU5CNI8-=2_ccW86;lYi8S6TF|Vkpl0TI{l~+-M12e;+d9cwyh=2QYfr6m3^~ z*Jbbbe;a-MIF^E;(_U$*V;L$=OYhPlf{Y~9$@JfuqPmow^|9T~^(LK^U?_`z&`dJ9 zXjdNF0O*bZNjSJ#y<(#K*WuHhXDu}mUEM@k1fDwWR4O0b!++hoAKm&~TbcP}ir zKHKrcz0)FW=Ih&-ke$^2sCq0*1NBb<9tfHJhDK)ZA}rfyIW`?`Rq`pT;R7a-K!LmQjc%9q-`=VC z!QOGP>c))vBUOa}U(g&+-$|Fafa+G?>6=htwRAst`*n^=OrAiSkf8%tu-;1FIM>&4 zH2mqX+|uI~`d>s8-vfy<_*8;}{fYx0VODcPf-IvS`#UD~L>t)VEg8CV`1aA%XLpI`9~Zvf+aL{&H4AU&PJ zC%KO-bx{;waNe4Rb@_xkil!Yh3_YRiK3EB+H&Slj@mR@!SyA&c5hv+(SJ8yD7{3J| zt!)OL+w;0=2D2QSu9beP$y*S+vs92lBb7r|!9?S|L1CKR2WrRQ<|2v~(PjFh46^ z5~GE&-~s2mb^2`1oJp|txKQ19Fq?h1Mw=#?q`07%)483VLq)Bp2(H?`2UVk}c9476 z(8cul3qohPxZ>+pG{X_#P?)q3aTum@{v*0lU?2bHv~=mA8Xw6>4{ z>g(nA<>m&%4}X<`cQEfdI%KztW~r(fj4IiDxMh~&;8oL(_w*+VfNM+Bh);YZIMpAa zC#K*}dr{o59Ur?3{Hl(1UJWy_=R}MiwC28{0tEEly4BNoB1@+`lPtW~Kn_?Z8z5|V z?OES$wsdHy@uBMF{LAR7##&eTc1sJw-Mn5Ne9MBS55u|+QVlmsP-T&o-5i6xvz04c zx<{_L(k~W0E)iO9^*xc52yNXP7tSj!gJJgO#l4!tJ-cornLMoBpkB4Vzcovf{O_~G zV*1T1|5qjxp3HMRB|_3{Pl{hI66D%eo`^iSPM^5Un@BEHvNAL6j6ENq@nFEH;LR~| z>HbuvVF5j&VcBAZHe}LshVfRds)1C5YUKTL|C5S^iY-w}EZOdQ{^rt8qq)a8SonKe znCfM_29%0?u%|58T7oEBc#GbsC)aB?Pp?(VdHAiLf?h$=^(X_CVmfgLS}h#pwkii* z>y80Ip03=I-r9WghDi@%0&Z1HP;-sPg15jUXKS4t%-~jV6Lp&!|H$L@^5UAf{?b8i zn=H2!etnU1U!l*v4mvf}wXki^R?og;rHeC8QSU}$=@^}% zR-8VrkMMoGB10Q@<2GkYnA7U{Jze+SO2LH>Q(i+&{$i&h4ZNS`0z1~HChGk~_F%m0 z;o=8Lr$1n8cbp}4C;>Re@2mM!aaH9^g{<)h&6A6i?bA=QCtPDsal%E0Tt)!YhGe3O}@c{p*pE;$#=@;;|Z|+QX(MXRn*7iJ3WG`Nxxp4)v-XKTua%Hl zomUMD(xsrzVStt_U;Z(6LqVFIXL}0Nbo1x2WO|1bjld0UVM$V@vCK|^Is2NuxyGLM z`bTNLXIei^@|H*|^cr2?g6c#g6;DIP5oJS+3hgWU$bFkVj@Vhd;-(WfUyGC*NAuna zupJx&WOx96NsZHeibRG2g2k--9`M6YAp=2;x7c6KXu&L)@_*`f+s{=-=O@L z2)PVF`Xo&>iRqCpW4#DeILh8z-osVVF2QX=1fz&b3<|!!%krS>G-~Z%kgFg2Qoa94 zxuSq_tU0x;yunRzbT#y|M>Q<{SeESyrAlFfic$E^fR^ zY1K0D)UX~_#Qx+yTV~8X@hL#|s4ZbWk=W4*?)l~guQMP#&ym&kr5K=a%&A-0(|p>C z_BlcW4JCrb@g*wLl+&R0@Z~m{cKVh6`Oy%1@iar*Pnw>w2Z=a|`@~R6t)#a%W;b__ zvL)jbc^-*(3Tv0c#vep&O~e)%xKvJWm{9o>lIatS2tKb$j5^#}2;E;jDK5{Cmv5+-)4oQJc)V`&Tc<%XLlLd-+zmZ6RlswXL z{BCMI4wFEfS`C6n#t{CKX;Sax8=MZn4mlDQCWM1Wha%x_(K8s$mw;?=0gjZtsYn3 z_{Bi}J(93<9xv(x;+VzJ_WbYyhqnt3#bWDm7Itz@`AAEE_)!#B73^wJHx1Axb3Spf zs|?}jp7Vc}Q$8Fn09eS?y82A}LM0g0-VXQg6VDLS+-9Y481}@r1RiEmg8dTC3cs3!904T{u0;6v5^pbC2h@)DrdxMmP zoLtuxo#SwjYnG$k@6lO|l%_%M*I&OLuGS+;s4(~*l>Md-H`O4~R!L5iQGdZ9HCLe0 zNnd8!yTYkiVaJ!i1n`ar$NAFVwZ&^1YCSeW|G>WYxb5KC4=~)XWp$qco9mXiUjJze z9P}f)P2@$Y%OZqMS%S2L0u5%msMeY8hstES92j+k?sD(zZYItqa#28q^5y$i85$V~ z2tsM^YHZgY6#P=U&eb@hg-s2D%~-~ZC=xv)J|Nzj=-A%PDHxd<&*lTxM1a@|0!Xr% zzHD3N@z7@CQ%XDweev}NH2&*`1aT+Hx?v_{E5lxbVQCpW^}qoYB~8hqN{1sW)!_J( z?~mcPH{Hfh0Xp7O(~=i?y_QT|7Lhupz;OM|(atE?d3 z7pMF^hagV%%kxhAl4QqqAEmia^-CiRB*xB`J8e80{m<%}SToEH;57$)TS!MIw$ znd$wf+NfY;W`606sh1qZ=vn z{pwYqdYT1nO?BOvcj1U0jA&`4MBY=_{>^nF)NqH0H)w_3=wjN;$(GDsG*baa?yeoe z#

        ~#yYNb%^4#yczmx<{OvfV=u{~LB}mbu4rjE<`@L%g2I@z8BC z=fhPcp-ywPUmG+fg&QjgX4sZ~*x;FEO1f2Ek8^MD3;Ia}Mt#<3-K+D?p&xn9RLjl{ zY6EQmptLA9XgYOjJL)($>SyrLU#p)~GI4e}tteG#T4b&sAX!^VdPO65xh|ZAIn-AXK6Uu<;- ztXaN0_rXS{0q7!spgE5!()nr1Z>GtJC|&Ao1QoG;QA)>|Y`u$&?&A}=5y-orESO#Y z$SkMR*-IEXl)PL|R2s!Ma7AaD?hL*l@1?SM{X57tfA%-$2JU2mV_NJX{_k4^-F02u zK#X}2lMhQm$HyEu>3VifR{E7rM4HeB=PEf1n`}^o%AASpiRQGxU$d(P+lLf#o<5t) zHZOuVg^JUm?1aQumNp15d`Xen7t+DMn zHI@&;gR;$BmkpldIPaX>jrEKVxvII2;%w6pqB0G0$L!aM3_<^50U(W|h1j`LSo$iH z?Ym+v*hq@w7h?+e47~y9B>(4iXB?LwJ8v@E-6xU9O;n{6uX z5sN!felbo?bTLIlTY?%|EQnIg40qK+l5gKfRwaoI6SIB?q6)OoA1O^@GGp{|gUqjQ z2UED(*RefPpQshJmPtm{ZWvI`&H{k{SC)ANw|R-|x$SK^jV>P*{8gCzW>bGTkkdP< z3jj<`Uos->Qx-okBJO({(v)5$_Na8x(2qtLz=O01JIneNFiQ6UqvY8e) zAxo-EW9>C`ew^CqmkZ5rV4R|OXpM}ipnyInqMFn?-;pryWJWExl6A(wx)H`Z@NzIi zTZ`1|$To~DOh#>x!xi3cZ(P`{UUmfv4>t@?p9G@I zl!%c*{aSiaF3=o(lPYt()o;H^luwoyzzpudX3yhm7& z#Q3(oa`L3HiJ{TuZCwo}mDZ)<1Dhb=;m-q$4p8o6B98bgD;dTuvHE!mbv?uboa*sf zs?_&hO1Gg%)-DHIEqGz=TaUeRf5K6EhEd^4TfN*>8PF#k=wZ2Iyk1b15am<^2(kv& z4w{kGc9JzP9TClx6YOu}c3L6c&GE|2wa#DySj=T?A{l(L8)f)Q6!<1+76+Am&0# z8Ew#6BqQbqP%?(L*1(!?{&W)??R%aCPg5kiINw0neYpezf_Z916^$@rM}Nf93>G1w zKV~&YZW@YrXTS5VD~TX0e2h&6BlsYbi4J~7lD2qa?ybc ze_+789ha8pSib!k%Obp+l>wbHf4;gIMJQE2 zyvdFfuaEfyUR8V3&T6oBnkCu?*c}o|wyCS}EmFO$(k6ve+1nJpn#2Q89njBbx&E`f zmMn=tBim({B0{<6B41#-^-IahsbW{;@^m&`asOwbqbKe@ln)yy&Nizflmy=2OzU3E z-!L|&tYea9{+4zm*-fu$-NUxL^!Drn=D-#@(^ktYoWtJJtk)T&a6;;W>n`Utcg8Z* z$ICV|XU_rQm9algeGyy%0WFdPgn;?}bB))g2C^()H^uw%JhKFy+TRA01hl4b@hgnc z1-dKv^wvp&?Eb<}Qu69OVgh|&#$QbRWb zij)YbbPh;&!;k}#N{e) z%3)#Ky0x0Lj$kr=JV!OnLriRzkRW0y=0|U~fPT6?W5~IlPiurV3~YriyRFf$)t(6| zuUK>bx2OKQzvk}~`AA=2JGJNr2iBg0Z{7*df;!RxaUY1m)pJF)<+Epz++Bu!Ftwe% zrqjhGAwK8l^R@CL{Z#bh2+7i_Ci{vrlWK-WUY`L`2h@AZg zx@9d|jNh&T8G3L$9!@7gG9qfLn5rSr1TgTsksk=9_~iKxxy6j@jX{1L_v!7LB^v@w z_7mb-w9^&QG$JnSu-17A_ez+<$FE@MvG*^A2?Oj6Tp#E6)9CN}EXx=x@VPyQhnyv4 zz5t!XwNqdeOd-7JyJy_U95O6I^E6s~^?kVq;y|$i(M&04l{ni~lPxIwX*^SGf{09nMnAp_S;C+rfRQl8@ zU0up)Il}~4Q1@#j&<&FEvfXWIrX*R)R|aq|gaKVGoV0%HCMK0Cx@la$EBro;gHh}8 zW#b&J1X+G}Uhh_QL%o{s27f1i`sy?oHQnQ*ZeDP1y8b;Qeg+A3<`O{|UbdpIMYVRm zMT`&tj4<1G+H}b2>$L`8HxfPiZJqUJIPp=-MN84tOvIk}@T7WJUZyXr zGU$)uO-ZC?E={r!ko8VZ4X%gyo?=$^w{C%^??R=-XOAA3{#wFv(3 zn=!AIvNyDyLv&?#W{XZW?`LOTMmDTqorLK-wt#=n;}x5<;7~-suaBBphJ^QuQm!~I zWZ1f}lusdSGpf2K*8rjk26k!{EVMS6>v4ryjyBy;%qhJ5u=OKK1DZtivbsT4V9y04yPV;U)y;Qi9RP5oOmU z5@D6NS!C0Ocv)V0jc)~QOdp+a4WHb05O7oePInoYY7spYHR-_DIdL#Ve=gO6*txxv zBkvL&5I^LuU0O;tZk0x(a%NN4#9JYpWjut7o}+Xo9{ShHO4Gqr-qZU9C2~ItBbPXY zOZZ3LFZ1WP6D_ga?1h}~x#l+kYNiNp)`7^xJCob9yI6BgFQQWZ+7g#mZ7-rx>Lqe3 zvk{%&(i>;)mIfz5C7F#U?!ZEpxbtJp$iqedy(r`&$!HGlE-^s9N|BO z(zgVH{1gQ)#5v+V`p|c6Ft@N_y92-29j`%J*obkM)B6Z9gevp+my^#D8!UvNolEp6 zEx}drMm%m@Xf~l&?CQ6)MA@v%9GIkXylO%o;l|IZ$WzZAHQj_T;EAY^rT;Sgn zF7J;THoWGE!Vlku$4HWT+RWR{OX(ET^i3%^eN73TtbOg}?Dr`d$n z55>O79t!#}TJJX|Of4VF@lDs^h0khO!zg1yAJb$W7<8As^lI4uTKK765Ax)=JFkTY zUbt^T3Q>K_)5x^5*B|F`8q`w4ga&@E4}Ki)SY{3n99PrpADnE^pG|1<(2i=o@!bG5 z`oEcK)If*3N_Pr5m*$?s-KOWa@|d_^mYRvf|+_^h|l5Z0+e7Y);dtnWFs?5?($YBPD< zj#Zn!>sL?k31E@lR_@y>1Q?0Yk0+*Y*ImEsJO1EUbJj!iPqTAF9CaWPr42oE&LZzi z3O&BA4Wa=C&aaT{DwHFfdL11$uyiyT19Z>#^Ss)B-Bz6oJ7GvX?6M@FGZa>UILvkE z<~1#_pVBSdm#r2pyDXHCZ)~;lALa86w3U`;My`4NlA0?HWO;j{aegIe>+sj`HrZo- zFw-ipKw@q$b7y(`Pvoudl$Xkq^y1He^R`hr>RW4NR zfmh;U@9wx_D`MK>raFN?0XosB0c~zf(o9D~BN>LC*MrYrz0&e6cAtu{-Vew{ueo`K zahRf#FSE4GjWVgKx!)g^U~6767bLg37^0}97u%=7JmHNYv7Uf!YolCXJ8% z9=i9bIX`RD_?iLgM9^r6crJ}@M2V@))_7R?V&hA>`yFeVX=B-S!wj`G&c#Y~UH3|M zwZE6vyJwGj^^L5$u?$e&3@{^kY*KbH}{ zLvuw}AIB;KubflLC5shid2L?<-_}J%$)BNA4%cUPZKACFGH>3oWC$^lN|41TLbUCt ze0#vD1E+`0N0{8pz7q|bFK&ks)ip!tf~n=I`SmiB&TM~=RWm%3xzuIS(#WX%iw%3* z)4m+g6YXo!+t+^OXF7e+qXxSXXVLlF!Q+c7wR0BNPy?wQNwQqq(@EvM?R8mmv=4Ad zB>dCw?$PW?(Xth~vuzui>D6K3l-11a92_amx17Ch9&m-m`R!&1Bp#^Ai8pc<>q@LT ze;>^t$z+4H^0PSyvsqFPi=))i; zEXxNa57SAZ*|Wp=uwZH1v^~qacbf=HUc5{tB44s(wpHV-VAxecNV_~-&77#|sfq7F zDBjc~u4glxzN?}Lt(=!cJOu1T$bWp>I>GL7Lmu{-=8tz(co}%viDclRA z3q_k2d?Na3Y1zZmDxamZ#2nI5!_MlMU2AM>7Bp54Yp3uQ35Uz2-`TaqUBFFnIq|^5 z9%m-QXDmTz81K?y!rs$y*8k#`MMfc#J=0(HUF%k0*!Ri28}I##HiSZUR9RNKUCCwa z3COmVWGXLGN5M3u%|_X*M$dw|Z_KnK*-=H|yZO zfA2O_itz*>5W46U@h&_hiCMGCcO3J$oS|&PKyf8+C@JjI0k}w15jlDNi{4KV$DbA$ zNa|)Vi+p6HM;kdUDvli^m0EfibCoGf4pn0G9izyYG%LiA97BDzfv3`7Z`ExKsSUid z5;hbwZ*EoTpeRL}Xldkn)mtg@5`Ox;gsEHIqcf#J;U`n8c?Tq^&&YTg>0oE8G2Xcv z=l+&_y1k$0dEE2+DE;>iYS-dys#;TInlwlm9oE;N{kp_wU6i@m6d38p$9&Ia-q>J+ znEu~+Ob{NHK?$;{H|Y$e@$?x-^MZID{Ou@_b1gW3t`AWK_RI_wdop5owN%>mrC&Fh zy{OFBuB4?pqhC?jx0vrmfTH<0epwjmN5A}4EQgkr^Bz3!X4XB+!4K~(&mC%p@{RuD zHjOcwIce=iKROYZ`-X)qh}^hZ<`6hipFO-AE#wD{LSnoj9vTM`GvRwZ5pYR9=}j?A zV>`=9D`|(GGo?W2WNYD?;~$v7+*}IX*JJO_v!6!h0njM$Rutt}dcDw@eQ<%~)=zfg zuC-ig1<-hD&4PC$6o6j(L7j1k4{wRVR=pi3ti2Jg==CjHUSZoJtJ5W0ZKa4wiIMfe zvo}p+HIKrz3mI%PSaFgH4TmYSSqn+gKZ1yDO?YzddQa@N*FeXEV929B{J%uwdLc%N zCqSJ1;7p{;pGb!%7kD0Ugz;kR-qrl>zU>kaWdQNvO@{sUx|3gfi6Hp_quS+^X_^#n zIA2gWd;h2lJ10J`@vudNMg)^7N5h><4ftK&oRPmu4bVM(wMihyxZAYAZ(D$6gIPhw zM=sF1i5m3yr0EjTBZcAmQpgnySb^Bh8H^An;=L{|Ro<0~ZI5MMZg;fk)&9lnk;KEC zV+9d+ahjU$W`6EUj@ZDL;kk0!344J^pi_TYDD13qVtcyo>X$15e9`r?x;uA45pd=1 zA^#=cOO;?dN%1i8x|#6)dVNfkyMJr6A=cCfJ{zGLJkMj!SWNisMSQ}%Z@7M0CZaZk zc9*vGWoelx@mbd;Si51^HcVJY+7%p!)Wf8L#$)u-iMY}Zt6MF zlaa*S)XC=YhOvoVMqwZamay|%mM9MoE@KYMsL-{*RPCZoa}9jlvGEFeqDO5kiHU5Z zz;}Isi_i73wF|S2g(&(9FU^-+V@W4fJ22Y~8T7@f@h>N=HOvldw=m)tF-~90pWMBz z<8snBu5Po7!_DMWVd23eisWs2v^E$>hYiBbB!sB$T;^9=0Xsq5b^y4-W=~77)|D-( zysP^$M5Ddxn}!kUQQ_(;3mvmzXh&=gr)uW7B72b_&jag#L#GDb;QAj1Z!nSJYjthM zJ5LdRT>pNUG#MX}?Pcb9Pj7M%u8=9769AnfjZx)d%xr^J>dXxRXMiJttNM_&gM;fy z6>33JbTt6+pih6MLpkMy4rxR++hM#w(;v-kTh3z5B5GHP9c_i`Sd}{kti;v(W!IQ- zqtSWxz2ixN(6c!J&HtdTalc?sAAIxYndJHMg|wX*`deW|6KB}c>>rtw+; z_zN~-Xz|!=K>o_s$}$eb&GZg{a;0J|6~4WCn^g%M7|D3;JEH6)dQhtAs=4E91YOYImaO-ECp%9L4EPY;2HC50v z8YQ&oX!LrIKj<=L|D@;_M`w31b2%eF{7NY1Z6H*$=a>&EU7B)o{NHJJeF%Hs6utkt zD{1d+p%B$Fp(y>^PGFPuC5hwwf#-;JKJQXw4f&%()^ZU8h5~I|pmEXFsB&{EBe{~d zaKM!wOP!IPp?|1RW{-$;e{*2rCpj{*$T>46>yr1Uk&a-6WXz8ULoX)G;nU?s zCaGFmw*;Rbe_HNOvr*0=l$+xQCcoUqu97RGk(AbMU$*76d?0lHP+btF>N#k#ubRKB zlR03+%2oErFPg4AWzVC!L_6k2&$a;6eCo2lyibJZhwP>x4d}h?>$R~KcmI?jBZI$V zf9@M<7&{U3=X~}^Ccj{xpst-(-Blzr3!|tK9D!Z-)AFw*NonPy$qGL62TwZvumDn1KnWvCOge%nx!^1{i-&5NbT@*rnZCx}qzLxIKo;Emln|;d!*WA%32Hg%z9H#!BwQh*>RM zllN3}x7acmjc7%Otf^4}x}K?7GW6G%4pP{X#JdaqvJ|@h=*-6=3oZ)D(A6&;DeUxA zY$?Hfc?qiGYYT{u2oNB=>Vk@D#$Ddh@7;PIT%Z8q)$jr=I%nFwkw`Re*YZJPe&&{R zq#kjMSf79q#H*c0IGtPf)(l?sy&#zR3@t0Q?gS)JG7CWSN3=D2hGyMHniR9lPIJS5 zhSB5e+qGDW9wTJM`E>?>b@zWtBg$?)=7Xgf>L5L?s03}`lllMm9+hr5`?*?WKz7#X zKWh&dZ|}c;860?FX$uj17SsSRf=hpYaycY0ikl`HCL$k6So82{%iUEPklBR$Mk`iUz z!rOL_F8nZhU*mh$nMC*s^=M<;FTUIV+jY1CyM|Df7%)#HupEG2*p{Z`=3&lrzq~brm6V=y`tc$*k^82*n-M6lyJ$@2=J|i?B8QvzW2ZYJ+`U|0W+2g1*sDHe3B* zx(@@Ad1Y0zg&TQ^PTl4dA?CRJS&!SJ$??NzJ)4M{K)@9%w(vGnOr)a(Og2InRpK6`Vtf@V!DWgl&bNRx1x;seV_1!80 zjci>3faHW}b_?RTFG~~E(1yRz{Cw9yu!Y!lgwKb2imN%V=LPoH5CHWLbp0Y;!++C+ z_FN&*3$UGyPM}ofDUtO4O4&d1H1jjo_Z$DKxSUff^39N*n2am2=ZhV-i(DAEhFJeL zY5w$->Y=oO&*Eb~lV4xhBGJIE?N}$0p$-i;>7}co>0VF@_u}z@?SEnK3?c^5_jfU{ z2g+YH1cg1A3kJEWFGN~Xge8&Nh{!Ayt|^Zjz?uy;PohfR=&oWLzP57~YC_-Pxeu=u zoOXL8I5KviX>J|wP+J7G%Pz8YM|UReMo&Wl_&xXz(u~^Fhrdd@7?E^sHEugM{*i!a z^YaY7N0Zy+^C!l9L3<4+C+!_0Za(|PfRD?{W`7r{kgNZ5?g78R#~lfGH5MG=y>&zfu`Xze$BOPr6a@yKWG z{Yz6qtl6+O(in6QN(ZF7b`g{DG3z$7V7>pUJLlCq;#wPG#5=MhVxV;IxfB501*6)> zX7i!H81c;BY7geo3($y?jz)p#+323$=nm;I0=0#{F z4^4^QFQ48CZG1Ob_B;QIl!Rp?(Jg3yO5U>S!<{Qd7MEzT^I#`rZc?pJv{gh4^l4}>V8rd{Dqv*y~kQ)l$vmt#f5#|EV+J8fnfUG-aJ zZx$9B6Sst56n(H`ETI$UX9hwmOOEnPcG!MYy>I@_E9GF#xkb}AdwhsZ?BSc z{pD;{Ku!9&ffKwNeo3Z=Z(Ce1PwBg9O_w9`$@CG#WYosvsdch*=uT&6=g|>k%pUK2 zda>>4w1KK z7aF<|zZ}fZga><~q6PA$Xz(kEdc6%A$Tb{M1*35Dt*Ob<|9OJ(oPpE+N6%6@ak)#< zHmbi&`R2(JF)vZ_ef;884l!k!hC%PD)MC}d-Q1>nZOBWuEJ^N<0(J~qVZB+Gw$O!5 z{R=6Cv9AKwiRfB1nL~rWRo+pm%_HtU-Zn!WyDzz&mRT@*RnfccvN7B}O9Nc3$LE1o zlie`mOu@{piHS?F&Ck$di!~Kn=0*-JCWjKPMK`Pd zHYYGan1Sm`JhZGQPEGs{x_M`*`hWr8z!DxS2E7O)40j2RLk5WrgcCF1Nu%=pBYNC? zH%LQQ!dR7$H5_-}P_n1k1Pz2w>wKb7RN(Rdpu5AWW@7eB`3?P>)b(%?i_>-D1od15 zQ!Xi66mCB|VS5lui6Am^IWaT_`|)df6OuU5Tr%8eFByzhUw(5LuMq`D`!ez9@^!}% z)v1K5$fF^tYsKI{s;DNVc9nmdwm$N)KYz#}U&X3UZ;l!RdYy&f^ytEny@@ZaBiyO7 z8uhwp#2)E2zi?v@ei$P+N2_L%HbamMR%s?BeawG1S;-SFQEuOIo5?-eI^+HB)mX^Y zR158ra||}i(PO~IAD9a|44)3aCCo`afL<)YmX3_2pBVZ1y-AV`!MQg6)C|!@{F8t< zmPL7Rj|(5ua;ALzw@CC+H!65mK2_Y+&LJBJ2tzD-zwZ_%Ft=6$6`G{E;WMu=b$#*w zajovLm>CJ2HoT5oFfD-H4YFYWH1k@`2ZVToNs3q1a|0Ab-!yG6#5L=d07^+Yd%W)H z8QZZahrD-0wCq39svY3aey^C~i`KmL9&qf5zJHXRjg3S<|Er3BwjVxCrM6UZ8f31m z^Ssf&Av!;6xg3K^^Dxl61tBYK`u4xu1lYmSWFH_`c%tpx!MkM9*=sxEfudV0s6mV?rJ9;B~DI&<-k}p z6y>u2wkvKSgLHJ_MxiWQtwmD7c52Q%PuEl~`@*P&`z%@j+MQx#yftjcM(G)Pq!d~tI=<%9bLIbZr`?{R{KZ0&Vz8@F0xQTt9dW}tdDw8GU`wx zH``j<$bL9gb0Rtn;CDkMG7C(-But*Oq&u}Ci%!W@wRgS_l;jr>JFRm`5dVx3dUx$4 z92zEd`931L%v|MXcq(7kSS8=pgir*tpZP>p(D*GeVFWWz-S)Q`dAHSj)55#yXcUSL zIWVWwSpBck$IIVSosvMRT}DQwzi8uPbX~9z?%)Ep7gaO&5)G1J(Vhjn3|nKZa3XM%T(I_i8nOSweG-RE zVZ0K>>#jOFpF z(zP4=1U!yg9zY~hzGP~bfI(Q+s_FI!sNOJtyF$UNc<}LV`pi7{!jJ0{%D+q zmzd9yj|`W@mLx$JzJNl4%PC$jZ%zcZ9B8Bv{AP3SqgwhJZy6JTo7{JvlFdM90~i}H zZEjRgLyjglUfE-49(%nP^*J zYMtgBY-0pTs59C5PpG^)!jT{EXu`JtZFK2$$po*Cg7xDHR zuZRjRAj(tWabv#?bhQ4k2jKqPm`HGB}R##YoMQt>sbJaEe=7IguQHZ zW`S$a;chRb45%H@G{)D|C>E}$jwDUV5VLEKNcf)W zZcl?ruCWtgy-0&k5Z=r8l{ql7oXUg5Ii14#B}wUk4*0(oqQU6nJ-^wpqL%O_Z6iN! z`i<`7POQd50`e(|Y~Via0^FwoMc()6#ES%b+idT9F@9tbv&(jBp`j>h5Rl_4|*5G2mKH^sL;GhAeDibJN! zBJzW#eHSeM>Vv;M3#f7bV`TPz>gbtzr0ep@7XPec#|}9p9W! zPm1iZu1bWmf@J_pX0Lrx-nQNJkw*hv`1A;ENF0ZZV$pu`z{#(G-yW-Pe-1DC?iJ6d?q}kyCj57fJqPC4 zr?pAZMVv0>Yo7vXh8jBKHCP+446Q5zZg|7qVdH)G8oQ(|^vR$9C{fP~8l+|j8I2nF zf}%fefb*6Uo(KN>1F3vrIQY}Q+Mr>CWs!PRNL$033SwVK5zbB*wSdhrp?|v+j^4)C zry_sIxHNuW!udW8TY{C4)W4xW2_fIX5U7L|GdW62`P`l!*8?AsfdRD>#vQ?DV80;) zD~zoM#V~WNWH@Q;uvxAYg%iMV*doe!^)QeR*V^3r@h5P4A_OrH5YNcLgj~8`+0~PM z;e(1STnt62t2v}<8FDONvL2$EKaW4kd-gGC62Q;Ed#!8&2xZ0J(3_-3zD>QXd$f<@zLY-y3_)}QRW$924s@taJ#l~Dk z+vK(m%Mb11j3?D;PmVG9Jmk-?kS(aqdBP%1f`z<{>KWbQa2*|rOE_GC-X1>4vpYkD zC{iS9d$zF6O1|=khM-oi3fQ-F-HiNKJ%6K-Wjr0ojP(LfO-e?Rd~=V7v>XH_|H`Ea!#QI!6C@F>4gU21!E? z6~Y`?tL1%>Di{ShCz;HEeqP>Gd$T3R-9GL^gpkos;WOoHN&soZyjQ+3fVd={)s9CCXlj>BAxBIKP3q-Hlh}dy|GD3 z8;=_0G5IxtiQjvyH(fR6c97UF?xL;Xp`v+W3+^zJa*Pt1{!%cb6fPv0xjdWyttHui zWn9ybI%D)<^5iU0sNv2&2gEco0E##nBez$Uw)mGE&tUuCQ8SQS;Qq5RG+o^)71-8V zn!ckC*FJAm5TB?v4YdEbQa%+sF+l}{#hNwkB8@&|uSE_B?Mj~_SW*s9WzFQ}>O8js zi_cnjU7?i$Q0t7whWq`MN2{Zbz!a0*|q%=B;Dp zRnEzsc^)#WL1;&o=Z95CMxrMAqRq2IF)-$%B+fd1fC6=!1ibVqZtZg!dKn3L^@Bd_ zc{xh1lmO^=lx`Y}A(7E|dsH9=VDO@KzHF+VLcow>oFs}L!z)qA*xPnXxQ4}P&g|Mw^t>2t*3+glLM3M?eJr2Ly?PQ z=30@*UBrYiL2O?`&xr%~6hv|DvVA>ZgRp66CK6>HkhJd$iQ8H-Db|mhe(p+voA4d#QMh;U3NNQU5E3BdrRHjESX8 zlYA-hMcI||7(s>GMeZ-}e)1?RGk{=o`X?z#7F8NO+har^C@0gzaS?EZB{Rgl!X)u& z9NmbuTdv61_zc+PBo*A1nQZi~X?SM;cW&*j0#2U{J|)O^Y~DdKhyelZ#C!mBQuDTA zpEAMGQOfz20a4vx^t}?%Gg4jsXaCH4YT-xY72g2^9q>OmY}(75orznX4J;iIDw#}W zu?~B9iSa`?==3u|nI|a{QW)~q=zH#Dk!>Mb*Tc9tY~Z}x+l&IaEoaie0@Sj=HnuXT zZO17>J3|u~27NkV^!E0_10#bGZj;v)*>52a+Wao#df(tt3aNQh4f`dvF1>WjzSS{> zC5S0y1J|5tA$w0L_>z;~A4^XRWUA2rycDN*@&Hc*lY)$-j5sqOjhzbfV`4s)!b3uO zZad3Adwq(WL{{!UP0stDG3Nar|AG?e{3QU@ZKZPFDY`&cJR&ItOk)CbMQ5ocz!=H| z5sPle&WujqyXi(9+W(TN-BlZUkDa(A_%J#$U?T51L%v!QtNS$yS>69ql@H4%O88o> zMD{XqSKX&wp*BuCIiTZjEt~~dU4`O_o|?7ZCpcY)fMLR1d&V%@yFWi9F zt9oR9d#prSfGx?)6?VLQ5QBTPb^(xg9r^>9Ua>RMe7 zmi@}P$T*|s52&M1te8sh@sr;AVK%``Pj=uoEEQXulKI>U z<|);>z8Bl$Lw3hftnC^0n4qd$EC5Q7hRyQeVa(&EO#wWAD;`&@)j*+dWOolGpP2X} zlx~Oc1Mm{@-;uRR_&TX}NZ_M`LF|!FX_5m|uoSw1)tzx6#vFX@BO&=tSGxnCUwIG= zC6*bkG_?hg_G%j#ORheOkHPi~B_4@HK$Vh3cXHszsKloeh<=I>xSv~ll^(yx&L?@M zzJcgh2e%N)QU>Kp@{@z3$U!ZCqaK+ePMLSGUPOsfkWA(Vcm>z5TpHK~cwX)@%E?HI zleS45M23|TJ*55~{Zhf8cVczIdFQXoEth0reai6gCx?-mOWMs*hmwck3UfD`b@do< zc-;=}27_RO55~5&U$Z%*|7QJ`zVN(5%)?9Z^YwP_quZ_9MD)!?5YgdnO?RsIfycg* zrCiDdwT`3RZ;o?`qgBrAs2L?hsQ#fHYM|wJ02sYGmT#U=g5XzxB<9xkp#J*(?GhYd z(1Y7U_pt4$Dc(*UGh=26J1S}kyUFgaRK?yQ%m%ezIht)G;}w87t>A_2dziiTp9JO0 zW=jOKerh1pqKZ+6H`IDL^NZ*2uIBCQZTe4BG@hEuOh&43tvjLr7#Wl+c7zO`0cz%bh7TjF`e zA0wx95IHd8(=M0P#ZvVWZ%i$@kTFee+`{+q5M{R9d748@wdRNR(z(fHFjNsRYa~)Q zRz+MVp{6B{n$q%LdeigFQwaQgjBA65{Mu#pQw(QSlWI^1Y@C&OHOgsYX=$ywx#3lx znpc_aY^jk8;>Y`|8h-<^ijDw-->yDqK8LtRRZA4UR?fby1Jt-4_TA7zO9f!AR;$ZC zH9HU8ldW#R4iC$;7%Gkf-l={gvTCFxF>Z&L!!cq@oN5?|Nj%iiWF<9dNk}VR+HMBn z3zV=I3`uat~LcUx241~&U02%}$q1yRbtWE--(BcQW6>?Md6D-wy6L#@MwM#EXqggb4 zG3xswY3aQiO!ZnOd+nWG%@{8Y={7a*Z|BF9gUR!Vg~ID^bbSxrB@sonn@{Zz08YMz zBVZW++nk(kp7~d4J$v_kmzm4QwORfGmbuB;q`yj4nP^HM_v9#kGAo&EeW#%=@6DkmKagrj>te#vZ;4FUH$B;lnOeR0=~x^@oJQBy~gXza8h^&`c)pcBE~fs?XQ4l+vlZgS zZCBp!ZSpT6QQ4)Z#Q53u>>HMJ@cJ)AN2}3SdANV_r{n$(fKzKCLQ|V&&rsjRY_fGw z^KdP?Q2!;{wb}?4F8HCE)a|<&yT3i~?QEjajhYzhZ7#c(e>L}xhiEEwRg`ig-W^5D z&2b@RmP5lbKtnZp=6|h!*E>Jqk9Q+B^T{aj@+3=*+U^^@-oA@{?XVW#QRS#Ku{OlZ zn({9!KeE)O&FBf<{3kG(K=*n)-f1{4p$>cXL%~Z))CITCZLp0m;dLaP%!Qak26_36CNtr0KvrM?tLkpK*nJ? z(s9}E?y1M3S1*@pTN@@EAh6*BAA(IC`p)FT^127eAGwkA^ZDTqJAsb+t*-|+s8JLF zjof*+Kjq!uPTkKcH=P&DXp*&fm7etCgt}ISx{DG3w;CAcn9BgWdAZ+wbk`o>!FQkR zj6pH@UYh*AQ1jU*KVLA_eg>d`E)mT1&dMwZQe4U0AUVL`-mt(l*4 zp@9B$P&Qy=+tU(;G557nZmG>(&oiUC69}$TkwbjPpy=GU1qKZItiw3T6S0D#=8Z(8kiz9PU+Z&x`8hzyq!M=eRYqr6flS6UqwfK4XNBZe#& zH#^*uZ9h@3i2!U{h%c4@d1Y3}^F$pkNr#K2<3VmRo@S^9Bq@O7qOCoQo|JH#QqK8k zh_~|;etWSTb0PJm3YADxN}#SbEJD>?1+4o zS_t7mX>z;sUw2AZrRl>OGMl>HRNKzG>q9yZy@8P2|78IzSzjl6+&&h;nfGEYs@WZY zH@V{W3i<;>>U{MDWf_<6<(R?;`iU*)9x9RO<@k5}O53fI-;k-?KuMa(_P-=caeL>N zc7j$XT&e;74^?>EM?2n-Ath(t?v-AIIc>M&y__2n!GP-A+cFORW6PNHQwM2MW$*s` z0I=6i?{S^xx-&S}lfO8o^Y#~humcZ{+BHxIUvGxa;8WeJ1=nG!!-lmf;NKU+agDgQ zKN$GJ>kp2@XDI3d#i(2(P@8EY3%;FyMGw21EHfVm2``IZGcei%eQiX`zSk=a-t+Wm@JsV?yw#W_6f=Gu%nasuA2*bE6>v6_l4f01}(8E=6Pp6 zNn5MfL+c76*%~5V@U%>JPt@g4tS}YB^1hM=*}lOJ4o3C8hWv$M>PdTar0Z1LUxRB1MX~+am zj3N*w4f^p2{~S~H@(8v}+{@tUHUsTEvjy@NzNi7t(oo=<$v$9o;#nBRWSNnQ;VNdWQDKbHA|pvR!HHeYy6nq%L$x{E0t+eI!TPQ(=_h&=k)>e0xS(@s|{ z@#oKUy6Ml$quZ!^pleYyM&3vUU2)9Y(GlVKBKV!pp;b~|-@W5vTCucgf0fs11>?Cw z>wwOZ>idxJ%;~(0^J#d0Fa55@#{?nG&FP`apZ}YE4|_x80Oi%0+4QCbbD7CC}W~+}^J77Ux=2 z>VKgD0$z`Jr>kQsKAol(@#Wdeyj5UpM?LMHe#4Ktn@MSXw?45 zadPiae{^eps#WehXVDQADS)bo>e4mcoSkp`q|2A-&RBeOlDX1xGD@UOyq$$4`EyKb zWbRfJFALuY@#qu45vR!;0GVRY)u-{@ z%nz(CE2skQDq)_>J|Mg1f1B_!**gREbU$7aBVQ!M1htX$ILXM(zb6mrYpI_-2WxGv zJoU!X+3I9Cma&(SW9KeplHjf zZh1)mjE(rM*Z1FU>yeg3v>!RJb#pkgTqK|VP`~O|GiSm6tl-W>MC?@n+F(jhnV9fq zWXQ;;hdLKT;8ZrS5aYGleQH-6FBNs~nUSa5bsQzW z3F`DaHh*wTDYLFVRb{1g){*!!hrr{J<4slc1HIZ}zR<3u(C6_D$}qh|-m@^)7(r66 zKJ3^qHF|JUod)^NYOOILXO`sYNsdJJ?FU0!|E%04eiBE(8F3ykl)ID8R)LceF#@i4 z{mpuDsU8*#Yd*D^arujDlJG1^>Hd16d0if0+qfLk+KMPe>{w<8XsW9Tnd{h%;dHX? zm98;1i8l=W0O;ImcV|0gD2t$u4+^w%=J?lNxzcSTFh;=_p4ec2auh%*ux9>aC++j{ z5i~cv1$92}bc19MvEBcfiZ9glxsSTAnEK9+kqtvOV7kE@4qPTNqU)? z2}1Db%1Q&X5{D`J0qc8!nz2m2>u4)4Aneh6xX|zbVHG_1@$rFCMQLgWc4w$(tnPQj zy@S&FcS?gHIq_9qhQCD_9aX1tY10#iE(}|4UbL@spbfxncI<^bEvFm#?6*T*`9GeX zY6|4U@${mTsVL&d)b&OIC(lmV!?wGwY`%pnH5OxiYn}wL1`$UW+K1Pqdu^piEI3~eA6ycN?T0&^2~E!` zCqC=M*~(btQ6p`>WNXr3=DHUpY^P`*IM^& z8x(MYL;-DVqFMpvbXf!~QT4gDiGp6fjnON!@u#&sRb7PQyX1axzLh;|!yo^il83f` zdhz=5?ALf?&5#cFZOPND0x`j@=VCl?F*@ztFxLZ(iVQ`YPnVue`8cnQrS5!d;;^a) zF~Nt@O#!;4nyA3cLS5QhIG?Gk-U!Ux6wE#HKC2vIeQCPTj8eOZ_pDG{k0e+8&N|BP*NSY9AVoS>&v1$ z9ygtf8XUg2b?Tehn4$hNf7EQf{oWRo^J4+X7p_!oM%(^mdPh}QEQxNUGyQSeu-(Nz zxqT5Zq-Xugtk0fe(|r@h^i-H9Pn2@AB2CS2nQ0NDboiwX>A zL^44#3~_a(!ULKxfORwoL0+(nXH|~9Mh5+KWt0_}nZ#q{wfuL+3_Cqdr0d0}lVcU0 zpyAmsj58(~i*T}GkurcxhF^Fx$gSo@_Cd$YdMeM+#&@EI!N{WOz=kf54WlPtAA#sH zeXp`A+eXCqB#c$h+mDYYTW{ad{>=5{Hb&9zpsj$)`VA14Yxu-o0#TV=b8^FX&*mJ@ z|8U{JL}c>YMwVTxeZ?ik*2-*i!Qt6PCw<(9Tq0%PqXTNe^wKD)PQ-cKUl6A?Yaw5#BR z)$|GE5+C?NWb>G4w~w4eJ_vzci)NTXz$IXLAqtk8jNt}&pg$Cp>|E5()XmT@AFA9x z{Py=G8g@`DVR>5Nyrgp9#hO}4n#`{+`nK8YRg$kCpAg>J{7}M|D{Cdvy4u0i5FgkF z&Y+TP-Qtmgx!W6XDmtL10_n3POqV!lsbXbQxtmXx5`0eRFJNiUI7H*6LAy!NQzQd7 zm9p&Dfx@!HCx_~$R{+O(OKL!?vJ~<01cy=6{GKoRjr)k}-&D(=s4h6cGo;`dS9{mK zzFiyX&pHaRF?ERH{6pW9<)9Omi|)8rH0J5XUmFL7{A1?B7hwCpc-P`J<%!=*#<|eB zFM1r$7iOM441aO%aM<@ze*S4fM;Cz+yRf5euB@&3Mi(%v-7r6_j*Nlht{X!gzETE8z9es<|!NZd4p+ z>ABUHYQIa_9*cAG_ne#1KcTc<;BV&#Q4EQ!5I7{gbmc&mjSpE5Du}q+1YM4(zn;1% zd1bVtB>s+Su<0BEr*dT%;DLXyvog9%Y23R)Mg0DP*I)8H{t{$a4N6Lh)2bvjOPiRK z-x}2~S7&l5ADEkWvfi5ObAnDB6-hK%Ryt9Ez^_ccu|YG1umtn}4A7__+I8<0S#-l_ zn{vt!Gr+h|BghxoU$J{6ZU!Qb1$g*NN!27z?|uo?Iz0XH`Xg-!04BpIEqnRv;+iKC z(*nDQXeHl&a}AwkOow8y9Ppp#69{QbA@V+93}y%qsK^Abq84`4;RNYJsy^fTkcdR22?h(d&H3U+1)6`J0JqbO-`qtquu&_81@t`oh$o3;+a33 zpFG?Wjh7@x?O^&P?n_oZ0+3Md`yOt}25NC+w^rKS3N~1kMKgv4+D=3XqO|9tqojgi zDA^l{;2>syk;CY8t#aUc61cxjJd0<&`?k^ohz@p^t8+SF=YV&TQimE3Uoe-K}=!O4t_Zvy1^|wvG_YG zn`WLR4;ss$QIbb;5{*v--DXGvf6b;8&rvUhdS=`!21c`}tLEsu0>y1DCT@t^B(D1W zNt&TAGm~8K>+k)+`EPfUhfkfewNoe&Jw zv*C79f1>WSM=?EPnSGA}ukMfY{InghUAF$WfO{7Zc))10VgdPP#0U>zx4`Q++xK~& z&h>arr87)19VxbpRLCy{uKI%?v(c7nJalJLqf2Ij8As#!tK+;@pgu)2iccgZCM{?s zR$3g!5TKZdX8K-d9;kpD@$flVF43gd#qTA<}Ik-Wirc5u$E4`YFK@8ywzT`Am`X>~>+i^H9BQGKte`o9z6 z{3DnwN6iliCZ7R<$y+k12gtblkk%7Lu&P-u(*)cR!EzN+Mx!tWHSx(}0R^A$*DcdDRv339}UgfC+_h8sD8a#w!uR zg*~$?sJG=K4>{nU#1&h~+~{UuRjMo6?KCbI&9re&nY7YFZxA~lF-v#cEQ~6S-2J^O za44onAJL=@VibM7FP7;_LrUnzxL&)2vyb_-c1!j~W^7Pe{dFj8a$9(&X~(ldZvSsq z*4ODQZ_f zYS*o>Z-j{RInhYcOFr{`;{NIYRQFk*Ua$RnznMvJ45#JrvBR}Py4$VhJ?-j& ztN(kD^Yy*W2~Abw<)C}?!8xqJ#+f2zz4LWr$^LQ>sAqoZnf*4`)bW;yUa>(IFnLNq z0~vgy@lx;x@EzRYnDmVL#1+dYoJZ^RCuI4k?GM$Yo^`|x&>5ksx?k&Db+0(`jal&^ z9}%GIrT5Oc=B+lNMW&Cktb(^ipyblOo*;1Vaq&<7H2N$3EDqp9Q8|?IH$TrG(QnV{ zI)_o%-wBr{7g^5L#CgFuw^?u}!o&`84f}oDxXHG5D|+L>joT;z?&FA;i~!ef{VXGz zYvZMFle8G&nr%r0%?pWVL?4(4A8au1#8)VEcaWisv~}1|9)zi%E+zW#;?h01*+VBE zLK`3z?lWJa8SiN5q7*Vu`r>@@Ry5zaB>J4-$;Kza5L(YyvvHvp)tnB&f(gC7Yf2|P z?mbx>MdFd4&50j<`(fGjM4O5Cp?te^w+o+Q4mUO?2T-I2zfND((->ExyPzab35dA^ z!f3U<6u9KiUDZ(g!4f55$os;juP25m?=X+^Vjw5ob)xG1P*>16-R!f5;*!}H9;-!a zIET6#;~k^bV{@t^@&8KD_I6zX`}a({cXc*C25`-_5jp)5viL(=RyP4JlyX~iGP+rY z`fZn=f@5TSWj<>eHvKcSx_BzcMBzr313f-A5^yu3>PnPOKP0+AgDIIXOVXYF93B@* z=8BaE-a77{=ZEkQZodKI5`H>>$WX!wH}Z(u%|LSDfOXs5@E?c$8L%SWb-nhDNt3@d z`>8k10(c%bKYcxqQ`)=WJXW^+t8RfX%NOI3d{x)>Xn#mt9e`tA+LSr`-Fj&7<(~j# zj~_ltZhsNv7cEb#dY)iYSGat>O4yb0?l;FcJvP3 zUhR~n;fy=L2b8kW#RUA{zDo?qZYHTY6A$m_$eyu*Gl~JBY{n?ze}uA&pL%#)ZU*2g zA9DOj9b1Cm71k-GZKD2ue*kQl@Dof}G#a1;R_l6z@6MXjcak_U{CYrv)hvdgg*-ey z=^oEot`YzHL<0BtC?0y+=3=JSf$y?rT*-#?*olSsB;NP|`UsKu#2B9m1<&!wkZ|91 zpc{kPYQ1nA!bMKoUGxG$_TRnLza7qh`P+6%>)XA)l<$kkf}i(sBj?szg~3D7FHG5% zxOz-UzT(=vd6-`H@fEJM98d?`friu%=<@yyTw^2(dWE3xXEi({V8&rT8MziQZ=HDBwpc zw%s$4)W~WU%#uJxADH0wgAL7cja-t{V1K&T^Q+Q+N97C24ncr?#KrMnq5sBa{>#Vm zZ@)}A#<>Kn#B&G_i>%mu$aWjL-R<8_v@93uFVyMB@wo4mCAv8LgF4A1Y*_peXJNG39_Yc`&LFox+a^QqH z;#u0(YpMw_Jc<7i2~KgW>2FH*WMMtBcd}z5#=-ZU-p~s{Jz`ZGJ6DZw4Jel1s}fv` z1Jhv{dJ+^;O&PNA?-20^uXL5*8+Rnb`MclpoYdD_QnkD0%Ay(cb1SxFL=RNH9(3_s z=EkUBP^_Et(k}@8M<@N?Jd}U4Gn0^eG}oh^43C2ADgze;dPl35^6v8A;Rv{6ao0!D z7+)TNxzWp}OSiw#%U%ZbvUNNE(aR1el@NJ0p-%aD{h>D^%H~a~TIy<7j#wfL%lwbn*k@7Yo717QUTKqU7kFT#Yk4(eBgFlj5ordv7 zE;~q(G&$lc2N7*!->or?OY#Wj41Tc?cHFjGwjNRkigXuf=}rG6F{McCasdtD7a|RX z*YiD51SoB~ivUf4k@%be(GPxvOKj&Up6Xf%Qr#9u>KfVq&n<^nUa#HHy)5b1XLlOa z^GH!zRs5fLu|(#IA}q^keO-RqkL^dk@NxRsE1>bbtVLA85+&{?yJyXnG_XW)lA)&@hY1Q)W+( z8hn<^Q7T_-9M8o_r9u%T!mj~5bDo*d93qXz&Xf3FRA=1%EO#<_a*EeCLbx*M4kmOu z5*^m9V&JHx*$W6}6NM0Y_jRh8e)60nu`4|FPK43_tx8&W`uBh8Ty#F%IG3g3JeFy5 zgIkyd;p05f3c00d`}e8s6hP_`JjzIG5QFU?&of4f3@ppy06LCP8jo1@WWfW{cj>Us zzAsPY0nuz(#3J=mmODOp&;dLS77qkb)B$NC-HgA;8is{53;W|XD)Ho)iEIys9CL(!7e%)ryR7&#E67C82d0^3|B;-*DU_edEEEks! z85_bgUu1LACo3F4V@jL^!w{v)8R|2|HC8s ztpA>%_VWrvj|Vyz>29aL^VDf6=B^b}xPSX2>62VPF!G}w`X<3%t^27r_?i$5HC0UH zRY9wOlW%mh`=#3=bKZJKKjLu+=9Qz$3ri9Vu0MGKRzKmv#NcKj1M;E-x0rOXTx=XU zKadGDr|87*)!4kd)nqb}GzpBQU!Ro^gu=@{9v~zJ`ah!||J2E?BBh}qgd}jJoDln@ zW>MD*KnFAkGlss3U|zzuh!kKeyCGT zQzWydT$iY9Rw!Lu$R5T+oJK864PzrolAu=1VFR!9;l;-A@OUd1&={lC*8t`0I4M~A zfQI}9dz6o}3Z(T}f~=SsJxX2Lxi7E}c+FHX{{a60EWXqwklo-z*zGkoMBI7dbP(2h z{qMEs{~!PXd5bQ&Jw0^$&}xokk1MQ_iB5#ELRloRgW!Q&fdsEYC*yJ#zMte5@LGWc zy~uKWpTE&sp!SbkPDB2fd!N`66zF~cqeMwQ`0@?toFpuEIXm4nZ;kA05P7>Qk=!OpLnpBz<^u;iq%vwFE;YXC1oYb zqQ&H215&=_Ky?1%9S3-pw5fUh-T&b=YM(X%JWDlHrR$chO}5)FZ!^O1=oe1p;X2RI zinjvWr5_vzzz>>u|XLqc;5skppvgK(}*9V&6g~PNFX+rwf5$ju8qYL#c#PWvjv$)`D_!Yq_$F@hSRLA#NjTlEWM!}6IL@v37i1lAe9QH(ERc4wZs27XW_m7PvoHhB2Sv`rmfR0 zOgp`w+hg)D5fMhbaFWPo!ADD(_KN7R`11Mzzn8IuCmrlcJgw>Xs+>C!>QZN9xE3sc zV5BiDkCdG5VasL`Aq-284VFFW3&_Qn%45)XSnI-H+kQ#i9Gf+z?qjJDsEq%Sqwpc4 zdPKo@{tv}LFq%^CU>m0?`M6vhEp+ky$SOWvoTV4pKR4 zONmZS>@d*>NF;lM(98ay3}x+0PPR#+%OZ)+*Tq?`!CH2!s#b(R#xk%I)=JdvjVbm@ zoBvk<@ZZc^DAPEXPKfTP)l>&K^wPSKHkI!spEvHFeG$Tu1LJ5i6Oc)rE=A!1fC~8o z5bknZ!4I7B7~B}{(%1odqVF^pj0lHVmW)*u+!OF>d(K%*KEE*LbFDpB_YF8lJii=zk#c+7%xNI{GQJdO`a)J~#-py%WK zVpS<>HURGIuBDEkKPb+K2Na+;^%3+~w&&RmR6f9D*7go-_4`F;0AE>mIez!Ql}!Jw z6XQM7X$Js`DTHhHQ`79aA#ZC!Sj=aK_hIb>(z&F)5BveNLSlgQ6AE{bDV*~(-d~H* z;IXl@V&p-tWk3QU=&t>PneGQFZ53*pV9rZ+fPm>SE{Nr_I}iM*;8u~=*R3GvY>+wt zGiV>isxnhR6f6=e@84Cs$398BEUJ} zdeWzINSdE+N*tsGPKe{gE>VD5vAISRQO>J{Qn5;n1NyuJnwf|g2C4pzpx;bijKmbP z`V1hlT~L;t_DD<-ou2pvr!n$m@?SsrS3*#$^B_`T-ab17DZ=?~nY~iHKZFY|fe74xj5i$17{jf+{X%3S3!81^xWvSLrS%oj@#+CjzNd}` zC%6Hb*KCSseUE3Ckygq8O6Y+Oi>g;d0bvY=nb_6zE6xpLG2)*fUM-0|QJxBXN4Msj zjre&-tV{6(9gAzX)i>4C5ww&SuIPzg?nshy$5UYyljCo6&Cf|c(UL#Rp}ANkHLq)C z)X)ct+yo}B2_hbcgRtn4(Q1LqgE4jOIn}}gsSV&sDzz2!pIu?(B5Nl{+FCj4~L1sh{GhK$?jyZvlWWfMgMN;~QUzo~4MU|1Zelzjc59 z?U#QF;)@W&4@0T$2j^HW-efjQdF^b={4r<)J_ppx3u&I67EI^V#iz~%i=WG);OQl^|ff>kOr!qkF(al z_NrFzIApaPEZF~p!2r-c13v70*X?E-^btN+^^4@AskXn_di8q${`!9jmGJx5jRGvE zjuT+`07&YIr*ob(%QsfMWdq%mkGI?W1Q%=-MF;Px`>vIj|FViagz#Q}A6 z{}VcPE+)|oOoL?0G zYcRjn9fh&){(^W7w|1A*x4){@$cp8Gpy|ky_n&qd_psx-fyhH#OB)3jG#Jyf0wZwf*yvTH^f6Rsbaeo=)Q?^lLL0U8v}FCH8O^wUUeaJ zY)Ig%VMKHXWA{->5~lWoTrZll3A>%>GY{{9|2YHRNuBnqxz3uYdEzU~1-@~2U(E8D zy3`{`+WRl)eI@WC1v-b1H~eY6skOpY3^yzC^_$4S&d*mWfgC(-^(o&4bU{8RZ*&~n zf9L`pFAD!=ES6JB?9L6bWBuV#TL1}@{MWigkLSPDSySyhD>lD}1uzkcyE_-V&H%7t zJEfJMUF#_;X9fB(KvhUI1$BA}P~5%j{hfGVP($Se&<*_Rd`ROpPGTGv@tkvLU+%x~ z?0y&CqY1Y7#_V-1wBWwtAh_GK-fC6Fpu=+eSAaea1o;1X#)x<|x_YJx#cKiZt0!3c z0ckWIeqM!Xdt5$)zaZ)fq4JOTPn=Zb_?MgUKBi%dUn*M%WGReMU?a-zv&vAgVZGe-P+Ec zBq-g#NaYmLgk0xL;PwDDUI0~o7WW^YIaTA(elWbd+-=6YE>qSPKY%?Lv7i6W&jw3I{Z~r(V*MK+N7zO@^~g5Nd(8apEoUGB;>7$Q zctv8o9NA9uz#_K-nV4{UPzx%;0zA3TvH)UH8!X7H!cJsYY~=FAXf4mkg@q`k(=%_4 zO*Uictp~oj9F=kYGw=*=F7`o}$|aucKoZX%GDmuZnF6Le{09Wjl6>?d0b@!rC$>mX zUgha4DF=Xk>RsbK6S3A{3B|7@JW^*9r%N3bXlXS0{4>t2ZAN;M}Q{yk`3-U zqPaobMiy~4!PZ}pKJd7=s64=oV&Fw=o+J9|&!1PdOjfBsQRFiSJ=mr6#=Hf}~=~)`@ymQ+l(&@kMYP4Lx4PQtI0swR`z%*At zFki#52bx+Gxwr(41fdGjxOW-{BaJJ2$RD(&e+Wg-yDbJe^gexl0kjCjsZ9w~Q4sr6 z^wl{iU`$<-t+Z))*5o6{R*9>Tm9;myL%F&Bx4Ju+pW|Nd0~54~ZXM7BPwmicWBO4h__vWgx$ z@gwLpwHHOjG0rpg{c9h$W7^^2VdU@-dtd9~KFzROtLL!S-q5EX@MB@a>yz`j_3RdM zS$KXR)7^p)T?sIzYKgRem|z3%Z+w8r4mv{X4oFz;g4r2cs1WgnukQ_wfWP~N$F&Z* ztNH0~5+uolhU9LVWC&?qs+hmy6BSxyC4P`q!&Zp8m{5PhlB^a_lr47r6#j531)BTD z|F+JMsN(6@wWw(1x2;Dn6j>BKBr35SQUE1+7UgZCdas84Y9D+hJE#dCuzZP>-*iD8Q^ z4%RvqFhvIC*E5qi$?+dVhR_}?yG4()#6!=d$W4<=zk=-WL~ zYVjJ0VaM_+c@?_uEteqm=-FXLvjGC6q;+`8hWMCW& zs=n8}|7mNs%sSPs)gufHdmCmuP7dc&m;FkpGIq5-Wf{trU)W^8HRU>9_y(1rZKTrT zIh@$&wzu#%6Bp#^PA#&Dt)2u;Di&loYBcRX(XlgHvo2pN9T+vR=03i4{+CLpMjN0; zboRWAcpeJA>zW0_GVX53bbIX{PWiu|VSzTy`d>3({1vXyfQ0>`&mftDzg-jCFDWlL zXoyPx1=m#2w#*G;!|j6leog+tW+Dw{kOizaJ@*E-R4f}U3seQVNzYkBz{fQTVzKG( z26gAE>S{l@oAE**UwcPlGOK>2=BHW}*UIQmi(^Z<9!}L49-h}{j@U%#7gGSNf{!(g=HwxFA}*vfd4Ar~=ONh}~DvQtkSE4M}ag!hZA13%8 zjPs*R`$ZHh%@6IdNCNzH=DUs=CmKUY_GMB`X<3SnqhMdZt$hqJ$>x(FLvOUPcIl2W zdv9NU$|V|?e}akJP=-cE_3IIw^046RiIIooB}Nr9wE8i>6)9^wDsDuoSq9+~!Vd(9 zu4YB<3KAB|l7ib`#&`7^36lkZ?&IBJS}kn-5WK<4R8DQ59+rKTO@63b0uge~K1g~C zJ9s_ctd=~u@!EGGqTuQz1e|rrIBv`}>VqzUh;9yz%V4j%W5I7E_?%8As_n?@IYqQb zJ{&=Sn>YUTmhU&n;eh~R{`gN)rq|!oyT&EfQ~d}Te6Hk4J*SB3Q(%@?|DigEI0{ry z&HMMqSfpjpZk;MFt)osOYF+Mh< z^ZZfs!FTejhIPYd-p90%@>H|$A&9V%E2BmebOs7g_~n8^*rouQ(F}n7my&Bc6W7r7 zrP#^uHgdQVt;o{%>g(IMc|jl#L2p0TivFla%9N3TXmdyFGZ>H z^a2^ilNYBZB_xU6G+DELI8$?d`#fL#Z@oZt3rBTvwq4Bs>p}ds^fWrg5s&$MHV4)?4FlAyTN${p%ZK*R1@KFgrOj9j=QflX1x2wkp=V};1 zQUDo?CBW_e?jyBm?6oRc+eOb9J%>?O^S;_#LEDZPYi&#wRP6n0u^n{Vz0*dw#@+R& z1DAQ|{rAHj zs;Tewj@UfNIxegG)9ha3tRH|b$ns&$a2akuRrY2DXEkL#DQb>{h4h@~darnqv~Y=D zhWqASFTkulfjyV7Md=eMLytVNv8(gl4D#J7tr*vt_N`-#x`*x4O9K07Pv0ztI+F1I zq;chLFKp3uSe6Gk7ht2-Ux7HvwqF znE!r(r|#Xw#3lm7n{b{(st}2Nq96&o$bJaAB+C)HWLY(y zqNivxpLnF{-T75a=5G9!<;uAEKAynSsh14*W3mipg5N|myP7?k7&O@zD~^gtZCon$ zHU@(^>i56Oam^adw<8IU9u2F`_!uHpxJpxB1-k zFcc02EeBHWxb(OBKV)5=6p^E(XXt7*x{Fk~pX)R% z*;e5VOz~ov;dWz@;x=hl$2(4_4qVVDlELpe!R`t)9?p&E?<%ALiM@2KZS+N}zfNR5 zfq+C|+PM-X*?4cXbfHSaceLj`4`Aaibr*Z8ZdnrVo9?J5b{Q__XP`6(gYfnWnv@yTo`Iz}T^OG#K)VSSH$^@DIecZFe%T-1o%HF|uLZx)O3){0k^2 zc@Ooi`pL^Z&x9Q(WE8ZKp-8^;G#i2kWh(0_8By=GTqKt+-<8!EP_E{l|cTmUjoMpuZMU z#}cSrKoOK{j)TnpY@0+O?9mh0?3-#%74DSkcznnmljz%}oBzU0{Q38PgG01^4kSG^%+5OK#Vv#6G_ zi0hUH9W^?2_H>iTnK2G{vj*$qPYpfhD0CO$J9oZC-)n!%{jyqHV{2?6gT#L0R2gWjG%|{*?D-aYLfx z=;!v8CX7g{wr~SlTKZ-rbuWygysvh z1mm-1J-2D`EoRYzx}%=pQlEO=ktJGgBpF~r6`WQk6iX65>$g*lgT#Cs<7 z%FO|@cfXWmDEuNlH;1|v;|ImyF~{KhMMF7|+GbX3B&O)T@X>cCHr7{bI?j&7$Y8LV zOY&NQPb>JWZ>02Uiz**Wx7H;*9Pp@0)SNazbPCfyLcs6{BG%21!dm8+e@F>2OB^Oe zHU3=U@f|7+iHQ)BS_r{)i0~U0w@>zfEb^pUEMx~}2%Yg%@wsfag?2E31${_8FV-Yf zK_*{qDl*xgO3GvjJ(ZNrVv>hbR`n(~c}QvxIsHton-Mk|BDlf{we6t9@72lm;3VB= z#q=hh0MaZ87EsTe?h4?9UW?-Zn?;^Q8#Mdzo`;zQ&VcY|0y1j;WsJJiWp(v==J^w; zi|1Fz`NCm))q_T%^^b&SOOumyeR?#AJCvob*d>oI_Ve8N^(;@&%eL!NNcXdp>x5(H zMQ@^NI2RI>tcO<&OfuYrB6T=rc zzITah=wnt=^+iQrV_TQUrd5igyxDUi_TVvjdYgvuf^%4B+Y)0~5>ly<1u1GRfvFm| zn<0A$vM9PRtcj_LEZJM}gj6LYPc*(WlCs9gH6x+0v(vn!!3ba z|GUw$zQ=?RZ(X$4UQ?UF@yPZk9nZB1ZG1?Z*XBmmUy~zkw$A#=y_Es6n$oAI1moxD zub3#c#pfP!l)YOT-lKsqV@wwqU1NF@IeSRy2A44)`|drPuqUl;w1>w(=0pFJ@|G7T zg90dUm3tQTmvDMMlQKvCmdWm-)%)hr&XQW-0m*p$^Iu#5-@1gpI5A(57%)4;n&Y=v z5V)&UbuYEK2lWa%5!93kv|kTLzk)DUau`;8|SLnlHj3JTa{SXt`J-}M(k5%e^- zjJeVX18Ca_LqMQA?aqA?@?tL@m|}GV>TjhMb@co$#qS#GVG(ZY+ob+OY2f_n;eBfo ztTR&xtT#1HmATncHpm_LDj_ZAX~NUQG)-oS$;O5hFEf9lE*idMs(rzc=)Lu@4qVIZ zb-&h+`#Rj~5gga`Gc&ERmoNX!l-G~U#o(3J9C`MDAS*R-WdqoGY!IYe^W=Ep`13m- zD!GfLs6WvGH_X-zKJh7#&N2KS@A7PZ%p?Z#Wa4O{*o7P?BUybae1l&>5?AG#t42iY z-lhS0NA|e&um^r=dF%Qt@HSR0wY^#BsPF64zB)~0n6IhU@G9x$DDAPLmlITvL6p1I z+kf9)Cj5-t)Zfy?_-?nvI&3kxR-n7RCGssEre(3k;F@*=Fy8fL< zG&=(n2?B+C1j4_+`j)N$`2~-b|^+8OZsgXkBdZ^YU`r)?Pixox>}sF}$CrK6z6z-7Cj9<)G`^ zGI?kLq7NvcDX0+&JNusmJxV{d;LoQZRSL=a7im8?DNHIU?E{t`V$j_6vi2eCQMa=` z{-v}JU$>z{f_~9i-~Ypm=Z=oY;s#6i`H$UAdQeU(0j^g^Lil7`{YmeE9+t-|de|4! zuNn`EzC)LyJK7MRlUNqWyTvipzrof=YpdeU?nXoQKZE@!?rRf>Tcb)xLrlt7vy4sX z5h-Lm;vUn*{>BIrm^?DHgpb1iHI6re?1s=Pb>37aId_?_b!bj1p*wwC^@;+ zK^G+D7LQRY(P_$C{}jrewMMHS;KLE8(HY2h&uQk9!rou);ZZ3%@=*LHpw@R7#f)Y> zwV6DjgpxZIkU>(b$Dp2|X6d`~kr!e;n&F{SIagq)U&HkGug=D6COty_-z*kHd>Z)E4)xPKKMNM_{ z*`XW9MQwA4{K#xy331H>sC465sxNyYN7+e}^WPhtwXO|!{`VLwz4Csi5s3uWtn@`& zJ!Rq=1W;}z)=tC5oV$&PEKxSl2~XSSf86(GbtA*qI20Vt0#y-N zLgMS4nk`M#He0y@kh`iyrbF?N?J(_V-DK5zT9MFkb`VG@&8GG(QYdredawUv2ffmk zhn~6EDp^K_4sxria4rme2y}%StCF-(4J(^X3vfq&Q%4&8%s@XGP z3R-(SQGG*s;<-FifXI!*ZVyr}*Yv1x1KP*+uqBovyTzVf5rJJm1txS#ZGRDz>pZAB zRnV}JDzG1ESax_8UPcYCFyMr~jW9UR8XW7yurC>Wu}_?Yx^;B|u*G(s_t7kqsyNs6 zT(0ng$C{pdEyrUIdM_o*>i%ZUWf*MhKJ^gV-E|{S6W^)U$9S5S@0!M8tSwcRGaq&8 zq+0xK7~}Ejxc+O!Rg>vr00T{(r##ZI0A%0%%7`S%Rjx0ORh@p#cyW@L7&ITHXp_Rx zb884-yISBUiC)Vw5_-Oq1@Ov+k=OjJO}5MQK(wCk=o0EWl|c$NjNJKlYq!;UE&)1O z4j_5>M9uH4lj=CYHg>U(xh56t4*_SyUU{s~ST>j?DNz`?mk)87&vSsYoMC$B>edO~ zX+O7Z0PJzO`ZWJ(K^v`u&J6cj!-kO}21Nd3a6o%((#!U36O(yHiDcHXyibwI*)5t9SG3Ij6RKx5@tChEn!2c_D3zWCtoEY9;DU2O{@)6pt(0OFndS{7^ zZwa4oA6LF!(>{XTdwSJmcqK2Wp)e5i2~qcJJNaQYkz_K7`6H`UNu9yoQb{&>VbARC zsGK2m>(c8{P>j0h&|_4ww9(OU_{V%Ww&wY+QbYHciqN!vPzd3uqO=v>3)@W3O*~xV zTes4*U#SU_;)zv%NOoD4<=VP+*SFtn@`|jt)W?8R&iZgFupRC*^g~nDr2^GCrcyJW zB@&=Z5lk6iFwr3o8UEgyO4g+(WSaBU(Rq@WY$HgQPoEfb|NUkuk_S2Lx#s;>p2U4U z) z7qFIz>Nx*ftash+Po$Crq*Qu74Q7a!6k1@(aZg(cRF!Ecm@)qbKRL`aiG1g61c0|s z;1t}7@#;O2Q;7gfu^rr6lPR?5Rn|ZObygBX_O%so8#d-b%4^J_#ihO5-^L2xEarFl zGdGw;vydnfL{kBf?7+d0W>kWS)7qvfAV_?m5bi8f^Z*-XLiH9iWMOA7e38ocF7{){nLsVgW-(Fk_>(sMn^QO&F#a@96NpP4W9Q*>A*uI}{jZ}uTI3tF{s2?`csofP+uq-_e@G3mNNdyfNg0=Tr zDB+(~Z^*Qo>i)Qe0C1o`H(PI*+#fm(T~W4ppoHX`_daehVF|KpJbi}(IG&W|?CMm- z3a@?E4$M~EzPQVni5)CmSpwi7=UiSmB_HFjw%4TD4Y9y`*Sy`0OtwBH5XAmlYG}bF zCxI8GZ(HS!af;BZI!G2h+^*BoYaaPv39SEzWLaO}#*zOYx*h)lgn&NC3*~j+yOz(c z7M}QSFNpjNGUjUyW%%@@naNp1&OVeL&Zm7AB3r>^AJJ$0POUI7f)W#3QJK#w!G_cw zB)7`e45OKd&1$6{c%&I7sgZPsS2_NLBk$5!(>EjH>_8S>0;;JP90@PHZ+(<4=3&@F zQbOI$o^(0R^~6f6u;VvFwWx4#xvb^BG5g&nZsG=l5Akpz7vhIF_06Or-5Q!RLdg_%D zd~DuMJhGHtV!?L~0#0BysGU?@Dq(W&eH`P-8bzk%VJfsuDjXcn6dr#7@=NmIjv_~CDnik7g<17Z8`ptm7K)Rs%&ucQR7nt0I5b4akh9K zzUrm(HceB%(tOX=O|!;3<;f!~(;YSiEdXjMwqMWpBv5V74dU!_SX(BmBE$Zvfq2@m zRu=}IxvUaCZL`IejVSj4uQ&s@%ZQK>m*&W~K($%}Mv`cawDcVh1;;SyAATIgWTyq7W4mU@;4mxImBI>ojt*wX;j|fFsNtgx;n^<`2&ps(}_&# zGO3cOcC(0lDW=k#9QT2DEG6+)#WFZ?)}u|r$a`Op1iBDqRS1%@(v+1t)K>S*uA(@t zAW?@nCcvqG1eFl)tiEQ70!OA!qbqsjj{e9$Is~_V%68AuXpo+qrB90kJ?$J?Hr=3~ zjt9S{uS9hQ>5=ycFcmX>F3f{A)(^ai`lI$}t&rS{SX#}i3)~^EYBONmwz_P>b25=c z^|W#*R18ns`_kXVk+PJ7*cWJIXi-MiSa(?0?1--PZ`af9o9!=zU_|ERF|sU zA{~kpU(R)&oY}}{N!*Mpr*yWQ(ALE}1qVMLdnJ&M`?sZP%ZE^G6>j<4 zOuHITW!r73?L@V^YmA1ro!d^dQZ~IpupI7)>Ze`lg}4K`S=P@;H*7jQ9k1<<|0E5qOxn_b1JvfnEObNV!+htcw7o(>GWs$VlTPQkzGQXmf zo->A2;nvr(3kxooj83`f^o$=cSIynDJlPDIV^1d2;ObSw{9!WsziNn`u&V&L;Z>;( z&qNKg=g!|u(fks)W_%fTJINqAF%qn!G~BlI-5Fq%$#($sth2D^IwBKiDP->shvBV9 zdV1aw5HfhQ5k2($YQvp&n_uNvr7e9u$ujiB1BU1?$j9ettllEUU^65Bgn48fZQ^q^ z%AH{c;Z{Cnj!f#-W26{D(aq1*yTbZ4v+HR0FH1Q1&s&Zf|Gk*$*OS@N%$^`Rr3ZdSnO5 zmzD18Z1xOY7!zzWJRLtz#|9l4uTF!*Q>39yE20!yKv+5cM)jiGiq@)>5`A!DsI~fEa4QpQ^h=GcHVCxJR(i`*d};~ zF%H#UN@9L%Wa%na}U<`W1P?Sr*k#aRU!1DqvGgsrq>>ap(CnY#s~mu zifgS7O2c>>UcG??gWqoN0d;wx?`4E=*;elf&|D+qTe<{<#cHXhNC=llfeK#*BUfI` z@*Dt|K0t!54(;AvQUb$p)@3cwH~U!@ne*nqjzqpN>-=A=eRovT-L|a-0hNx@Art`- z0TJmXN>_x4C`~#F(nNX-L~23}h|);}gwTtK^xmaO2~BF~p@!ahKfY7OJ@?&l?(vN` zM*al`JA1D(*PL?=TpZd}RoTwl$vvpC?qY>5j5i<5qwG`q06{7`mMP~Hz}@IQ#uPx_ z+nU&6yVA*W#0UVdWgklabZ-n7zv+D_STd%oX5>srR~if9FEA2~*m7cP0W6~oM2Tle zKv3NXFJQ^w@35Tt%$>u#--bUb6}WplAwdTkz_15hUh*;nbj{bXM1W$XHvHw+WpD@5H)*s4^wcRq9x;QizAQEWgtN>HS(v4Pr@T-H-`vaar zKVD)4juLE6%7^=d&m_{V+m6;@&&Ftls*j&sKO^uSr?veCR*AeC-cq6(3}KK{E4Tf2 zpdEM;sX*D&_2vZDBd4=p9t-lB?fu63#=!75l(qy)%yi(LK^?Yr^2FFQ9ed5-AUVw_ z7?T_`sAr#+sv$GJOVTkWyx-l&he2t2t`K;A?hRi2x48JR4E4RUv>QEv4CK^dI=^>9 zFNz~Bx{>BnC2lt;I-r zSdiGt>V3ZV(DVAc3>fXcT9rg8Yw?%@6Y-L~W8ga2xu~-%`T)$6J6fo90BWEK=mK%# zv41a$N}!p~th>6}4TcQ7yp6Jdap<#n9S2|0rc%8%%pvPwIP+Nde(VCUZzksfu+@sr zhnDcOaKPDHIh^UGU){A9%jA=FVWotU;xlif=|uqWzIoC4xmyA9$nJV4|ExD&wIgYaXTJdv|t; ztRi}}1OXzVw^cYe*Ki*&_o^Iw$t1I%-$1dn0g!L(r_F`k-$$dpcJeqB?tNAwDh{My zeswt859x5_J4QWZOZzKvhY~|;~udrctvT3t9s+D&h8qc ze|qt(x5LO%mfQBW0k%bAWgheY#C!TjCveY~9Y`PXh*DD#-b_emXbTm!&;nIGx1Uba z2TLN7$H!@s^6OX`3#1+;RmXvvYy$-c%c`$;c^vP=( zLcx?#a9SV*Jk(`qp5r5%4Yc!pZPS?_n0P_W)!lr*iQgZ@V_0+Vv)%qw(li%cJ&z_p zIEkLEumvCFHWob!x&>ws8w~lJ@6H;~n95JjUL;IpoqxGX@S3Mw8DgJ(+`&P2+3dcK zk-M##rFBqyd-zw(l-0a)W2-vJGzBM{f~_X0$JlqWC<6QRjxAeptBgvRk?=1sab&r< zMQ6XvmT3Z*cuQWGF6<&Bl9Fj09wPRw4V5mV>IFW+ zHq%MU*;Y^O?MF5JAen;N=~}zNywCf+7AZ`udlPQ3qS^yGgIsoA2Y|)9uH8W|kg5JV)0XwME`SXt<@eHl~lsm0Xq?Dfnh^Lzk zmP_V>?F>lP5)IG3SuPd#$O-*?^wU3pm!_|`l?7dDl|J;(p21nRJn>zTi*G-tcg!6^ z0I1z-z1FxT86$VDwsE|<1q^i!W_M6tzBFI&p(xtdFOG%ExM-mDXbCNK+RHn=3+BM) z>pKKRan*JiJ;%Dbj-N!@@AH+L{6Ao9>a^CklcfOo*-wUV5*T2FkC@z4M_;{^vxZ)8LrY`yY#a%b@8j0@XWL)o&sHU*U_P_TpS`5psK@;-qfwLPuBJ)YGO zOSY{xF68IEk}g;2&+a(J%@$^RI>o!I@fhLxh7ooaoUzsC$yk*4+QB#GhL`9XHToKB z$k4$0?BZzHY)OhiIsA5~9$lp>2Z*crY`^UxZPd5@AX;Awbo>cK{FNnpTu<$uk z6BL0j9InoC*TP*tp?TadI#71Op?=P+?y`AHD;fAHRCwR~eSOnSf32YII$rP8U)0B> za<=-ktx}~{tn>GE)Ct3Qnh@83XYf|8c@dX4TA)Ev5%{qjF}!W&YX=jPuI{-ak3 zm0dY+49^GlEEwZc9KBU`)_yftO=ns+um!!36Vt0i#qzw$Q4HWK^nX3aY5(f!0eeOD zXu#B*Ne-%5ejMBiiUyX-uWmA>_u6=Eq`)!k{B)wc@vlEV=(sD}=e1r2zxS~(;ybwB%;S9>!{+HjSx5O#(pRe?MH=)5=3rQ7QT zEW}Y09t-1UUErg&V#`sN1=bFmPwa^q?%~FVQ;n3@j}!^ajf%ADNq&o;0CpwnP@v>B z6Li7QDvSFl!{ytoT$#2^DQ)v!R&GA_BD(zb1|rdv%>VpJR#)c4$JDzd!#X; zLX43(K2@t-Bia6`-}djW{XBg$`G{2DF2EKk9EQyc<~*8z3^al|x%TBthqxL+>73i) z2IzC|6IS;P)46Od4M`=3v&{qJa|rN+QsxEVO$if(To>wuaS1EqtPJ?tJ}z~MPu>ZG z&U@~z#QOz&@(X)D9HWx>zlfyl)F81p=OVAd4Z129aY(=|2C&%Ae^ zNUxT8OQu8>Kfl#>mk))~&TsYbpNfA%NL+ILZToUx?&x^y!PLj=eSIe}cUn`bHt{wN z;CFE~ht}?<>x1EEhM#_-_W;VSgrReNxz&h-)2rtldRfAMBX0a~S=${}0Y)8pMT4Vr zM^|Oa<&2?(H-zMg(skUDZy88uf7NlxZ>!r%^IO_lGo8}!@ut4>U?A zTvbM@mIbAOj((!J>c_t&l-33Ko)5i-giq&xIJ{Lbe{e#b5u8H=SM}@uVAJ$LXJ8u^ zhAaxqLYU4|j?<ft+9kHHd4Y5W>?fvOlbF08V^uFP?uXj?_WtVnBTkKSUh7e=zu#cS2Btk_^aPT< zCax%rnk-wyi{huk{xSM5`jw_Of{UkTp$$WEJI-hy8W>(_Y4 zpZmFbuqHgIB+9@}2IUhQvH!dGO1=75v3$t-gwxl{l*8g}q8Xo_Lj>Kv~q zk#V1n@Vre9vu%{6FU||Y^ho*YIoBEAAA7dQoBrFrS{Q)-Day0Efvwl7T)b#c&-e>X zCzWI0I=;>zPrUSPgMF@C-8-}?xFe_bnR%)L<%nlo0_NRnY09Ee>xg)>kTt6u0WnIN zaaZs@Bl{^pc6l5bYUHtly#a~5qsmVubkyoHVR~eDl@AzFL@-F+XQiD?zbsUly7)*_ z^?t3f9oG4m?-8as)_}+RaLMvY5v`wPdKI(cE4gCAi*G>faZ5FXgssrn@9wTb-$ZeC zciEv_{+>vV_mGH!j10iu%>er4GF5otgP|m+jOyKeHP7X|(mr70K%DmR__d`f7wUc{tWmh7!YlEoA&(;GUrk2O z;6~>cGIvCNwXKWnm>iF734H}0J0wFp?C{L3>+~?nPX0NdoO?>JJ}i?f`0;*6&$hQ| zJ&dZom4_<9ZP;pPdz9J!EBE2{V@tG)vfu3gR-~NM%QKc46|2JKXM!cT%!WoDOs_#_jA&*OL@~+X9FOp%oDcg_IxVCRaNZ}!NkKeUs z95!W&yY57zQQ2xN3X%F~TneY*lMwdDO_y`Z6`A3t58n!=MWK z9lYp^N*}01d$5{lQ{ND4DRpI;cZ_K6JWDF`BQG5p(E(#QT(6T%@WL^v>+vuH6~VKqpN*KHvfq8@lyfatXJX-0m}(!N zQ*f<8rNBs5YbakGB6cWz==`D!;55sSGq`&YZWY2oWzwko;`8kW;DNM>;?38B2wq@X zTG>o%;*&WE2rCb+ZZ7c{$P~OGrqcyLqG}F!my(FKCC7*kkJlc&Hh3>01P$7u6Tlf#_4msUogqF`k;xf}$P;|Vy?DytuQmR9s5h5D=d-BLjMbFtsJRi`gkjP3qy#5`%U z-gNSyKTPENK82;wSYib@2fN(nRiuAXG~(_#nF!Plkhdobe^yQjP1to%ymHK7Iuzke!VHyPPWf#wsSB0Bbz{X43S(q@&=!(vj#X42B930jP&f{ve`O(%vw28E!)2hVXt`48kjgt^zmBO3k%K zUGBlUlFL17^-Sl4pff+s6(eyVFEG@o-5za*9;FmH(t_d7laL|SvU`Sq>xGsV2bv{0 zQBQ7U%d=@n;KmwhuSHh6`jY~K1(U}^94>`Fc5f9rJLqb0ts}{6t!=vGs7BI7qI-S? zwkju?rE7&=&paJyQW5mi2s@SfB1)iX{-$kcTOqt@aE!n$st6FTU%*qt6d7*-oC+AV z+o;;Qznde``EIoD7Bb0!Iz4u^<6=u+P63xM#TJ%YCTjbzp@e_S&iYq8%H;UGhhR4l zm8H7GIT6WV-10$J)hVxxuD(F;Fb zVLZ}O{pU)YRe@n#W1kvfasQ%*7;9w7LweOqk9H8B!*y{~Sb3eWmHk;u9u;qdX#40AtII?%Y7$a9u3y1aWvjdO zOM}1PLCz_{-lqrj!8%P7ZhKRkIrpTgZ`iS66|2NjiW>jj_~u^_3}3>zW-CGP=@u;^ zsL5K9Y+seLBt?YEAu6t@o)?&nY=qzF348laUv%zc>$AI}FVvE_aadZ7PupV!Qrknz zZ%aVdv>i;3RNA5pi-rNXv7ZUOZyeI7k~Fx8hlihJ#?0UQ?DQ!|7u);P*6^c!P5z~> z#{<14T8mPM!O>h?f>tQsUKH7FjuD2!)y;Qddklb6ifE0)^*jx;b#2Bn> zzY)SCA>KEbGaMtjH3c-hJ|p!$?x`%SZ2J!LvhYxP|1fE!K$Q2NE8tes_v)qjE}f%n z6~F{9q#q)zwC6ln+pXFm*k2Hxs(CWZgL~Q9to`q2y8l(^)?!T5dG@wK>`~M22j5eK z-9-g1L9Y1<1=PLrQwXS&{b)GGnHTII`c<@Oz$~0qc8^v_P%Cqe?OP6o(}b~9G4a7{ zuz0h+Y&+cTio>&{+sO(i@h@ZD^Ww8YzlcyZTem2q4*6pY%nH+rc?b8m`1eVdyq5OI+|0QyM1N-JY0?PvD<|qNl^8V?c^L zxA%w0S|$qYEET^^a0p`LS-CvqP_Z`w0}927_DXfs;jUp-#5Ik7+qwTYs`T;qbNOI^ z8*sZOLT&;9N`*)#n1i)DQq_60UJ~#eiq|DtqZam%If$HU(rQqt+HBUjrZtkEFyL4E zX{b>}fbcaA3m!-nBy4jViwMtVX`_Ua8Ju@av}@*n`cOaL9%5@V&5S904%>ZEes&Mb zYprkWsud%a<}Ym1-zkMy>HJ(_wkgy67MaT(LUOzM^roTLMccv7pF{d5gscp+7qL>L z!ieL(n<_PjX*oRNtn}B=j&qb+93jnU$|MiiL1EgA`FyautTK|#+XG6fu$pvEC-E5f zw*Jp=&);N{CJm3y%LN-omM`J*%yct30A)@w;d;rGe7%a_Z6eAiRlF7>{FVUiTlq3` z15+{!A?_10`INIaP`@dgP2?au`FD{f9NHY9zb2F%FGFm=Z}u4;4qa9Ep5={sL{@}P z(>n+;Rem6z*OFT@^rRLyDq7sGtVD9tD%@XnILTAha^~ArmchQyp?Q5Mf6VoVG9_5! z50N>j#Y?&;FB4@B;u%RD$i|-y>uE(lf&~vYW%9~lqm!YB!saub15s#3P(vrXvR7x1 zgv+oc0r)=27>*UIE)kuX|9cVMKfuxdA{X^Vb6n!Vi5h-q#{pxuNTBYRVy}0jp$`?6 z;UtQnzHI!?zl@iShCnk?qRnP-YlodJ|Ks6(n*jYEX*pn@LmTp*CnpL5&K4uR&G1yA z6RbZY$PX#n@Kjx~8W9~ns^0;*`@CGpwkg}^4eZz@RP2SD@4TX2q^Fb&^G$>Y=$PzS zO6FjgJ$(uH(OMi68pnaq(`(_l*K%DIdfI%th#pc<**r~BNcGmT4*~uG;-4domOvV7$ypQmw;1t%Ifj1*Vp^I@ z0Dr_G`^6K0TSI7ZFod@-OhCP-nI5G^*YVN7Lm0uwT+aK7I8I>^Dhue(n-1h4KSKlV zxo4CdNcXF*LDpHkK06=I6j{x_gKd9C8Oq$jz7SZ!Ls0w1!|h6+qL12J^NsM0chUHu ztl>mY)1gxWmRstXVSCqOTegkw!r0gT-->|ku7)Joi@I7QAca|xcejkz^_O^&s3r|M z1#wcFovS5d=+PCWBkH=QkBteaPEx6&0i_{S9QBTh4$PB%e?Z03EGC&@m6loFI5~Q( zs@BLml)N5dG{jI01^9EZt?+vT-F!e z7j*w)l+1WrAeyL=i+^pR1X1dJRegWX47xRW*>eJn zOsmCHwdxZ*$VaB11`B0)2V}Kr88&|`V8ZEBca#^>wr1w~Bi);eV%ktMkw-U&*5b(@ z+^Nt_c&SB_QX|%Ww^HysbaqL84i0xFR_$!UafyNUT^!=5&Dx_fDMf@k@hW5$)_n?` zzjj_rZQj7JtRiJ_gtV>iRo1D+x6ur9rX5GL9SNs2_$}+v5g@F}vdaa0bE_Buz=ySu zM|FRAFT(1Gg8pJ6e+Sq~%DFWW7gesBCAw>Dz&Cwa!3JDqY6y4r&fyynvZ9U1*SyN9 z?#;p-JSf_d!YrPXETy|*R~31htp<%=svU8wH1T5lat$1*^5Pi>z7`w?>d!l;*wi*z zBWE)yglDs1KEzPb&}-PFIBrt+r=v*}S>$HC8Vyo=k97oA)pm#qAGWVnJRE4rXXv_Q zBpK2eaXY`SK)UPjzu7fh$Sk7oW@nESqqzyIkM~FL75d=l3 zh0?Dq;2GcR{&!vd{}4j|89V-QUOw;6Gp%#8-{qzpD|pKkP`RZ8^vy)^NE&>B@E`byj;L-TZFzPCwiCM63WwgpbXd#500G&>Mk zW#EW*K3*JEsTo9N`bXTROgyBI@H|b?P5U_XDm(QN7ge zhKG#*lp3yRjpH^__xcMFR~oYts-}GRr>W&B`(J7-jzplyX%6AV)w7zhzehT5GPyeB zY)Uv2KE-j=){Dpwg^|~{u#%U!JOJ>P&nNc+l_q5#I)oZPCwM^e zg44uggys!4f^7mJNq4)p3vTSNm%h`Cs<^J0DwY+VnL&|$x!2!+@zT8+E))~Zpj4r? zPQKH(B(p^fYCxWTc-u^!)i$9--1=86gY$82iO$M_9M+i7N#p2DY^1J6X-n$DF-nbI z4@XJCJ+r|@WO?!Jfrue4KwSC@(gc)EIHPlE)&G<={_)NK54UB?G8kZJsmBUPJYZ&=Pa}aE1UW z(v#jTiNT~tvcXZ^x%y4P=7H)ig;_znK_CueSv_-%xT|8dqg9b4_h zA>Ws=mu=EUWljodUzK}YO!2(*(O^Vgz&XzeZH+U(z$q5M$eemT#b@{h#9^Pk%b{qP z#5GxECs-4<)QOK@4&f@*&&BgcFdRA&@94-{Z&>Ri-2I<60S{yCO6VW7et*v;wn>}Y@y-}@g(&i6~@Uw z)*&}@WEL&V!ni-n=JpEsRIa;?!5nJ6BBanAeMTBB;*rK;j*Gk;8TaWxuE`{<6EEMK z-McBDg#Xf?^R8W7$DW$?c0s!OrLPxaG(bRIbtz0=bWs<^`&Bwmf z^USV!5qBH(>vKmg;24SFk=tq27BKcfAuz{K*gh5{eFS&LjC!2iqc7U-L$$3lrNyGp zIhiJ$Mi>45J(KBwOsI7|R2OLp34;1SPYDN_y{$I^4@pW%yJ-ygB$O6$tUyKHqgpXI zeTTN=lMspqPzk%MBAl(&3WG(seRL*_y*P~y@CDVlw2U$%4>`$|VBI-@eCOB{&j~5H z+P0i#16xEKCp1^4QurB4+{t)9a73vj^+e*qhs+EyHE%KUw+Ft2Vv86`!`)}srHhF` zoF+Fqp2Eg~`RGbe{^^C_WOs{I_~|7*S8V6S)|O{yGTM-y{;rf^QX!m+7LFHEp369( z_$%V_RDgv;LcJ3w z8I0zppmjZdA2Frz7|}>EsVcf*s?e53EYBt-s@%-3;?PNkBP^Vl>kY@xDX1U-&yt<* z_PYVy&(xD2Nrr?+;>d=xIt&DKWC@P}6x}q1&ZBeqg-X%zGF^h$9jO~8DGTg#%rR&m zTcc`8DnE62V{B`2j4{CjEn_4b%tdmq_YGx9nfowxS2jj=O2P7P4lu`e2RM|y7fwd;oMm0k<=TWCvGYWC|xm z?QGT~@chJ-=Q5q>|YM47l=kL=G{_f>|akQ^|V}4O_VfOdXU zasc+NFbnL1YqzW=b)qJmxD(``$H}m| zp6ftd@H2S;bh-*Syf+qlrCH5v@PqU%90TBJFt~w?3+~syRdMgLhx&e#Jx=sH?q0nn zCp}2SPq5}Q)C1ft`s;Nol{(DHgBzKVM^ZHG`!e~6RL10KVBB*JZdLwd{q3B##SMrmO__m z08E0az`~?HSH*UH1q!lG_g`FQ_UbLaL7TBD`K!50H-*BXN$nSww=^dRhcH$Bh4q&~xNNs7=eK#|Az_C(#&LZ&ge{n5J-0vX zQ+-?e1Rxh09wXjw|FoJgxpY40U?&M@OXdM)_v$m>YHs@T;(|qP$+POPP*7j?RcY#< zLYUWq{k)n?@?>yDbH}#^vuUj*Rd(Wm*2h`V#`#c-7QOxK)j&hO93CPgX3YV>8CVcl z%Eb{ZCDx6oEABJO%&FT$rk>B`Y_~p65)3mY@^TI>hAW_bTy5{snPhBYjZbL|# zc`o#}(_ipl-FfLvjgO%mH%s5EKMU30IGRt?T&ms!zuh~qjPt1&DB-vN z^y81?(9HF};E>>{3jiFlEL;~m zvnE$$H;+XwMv~ub|L7EXuh>+P#GxYY&+(annPj-xc$9&S}@cL0!OtYq;J$wB}C2^rz)7Snkpc?b%E#*zPxLg0Z^vUCtnJ zm3l3+I(oApFp=A}e9d&qL};f+)%HF5k_`njUjtsB=b3?m8qtIMSn&EI^@F$)08LO9 za>jH1zbVCg#StdaPdn#Wxk@Q&cn$9_f~|0cZc7bz z&kQL>-AZvwp4e)zy-oGL>=}-K31pchGS~>)8{b>1Tu*SXG$o)wz6-GC^xk(Qo)DZQ^?(aHVP8k85+rifQf1kHLq75cOt9{EkN1P zLoZp1vLEF-jzGrcQJWi&|D?}IIpv% z#r}nr&zxev(^Hh)A9on?w))9ef$`t{E!#C}o?&L};N2%GKK3!c=5*f7TlY-1-=Nx3 z$oa&{@PpFa)IQ@o0GidF14ue9D`!+qDRle-JxWABjwK4wE?tSSQK3|r<`rmjopzZX&EbvE3q=ribn&07>DpLVw~ey;L5Dl0jWDo z$hheUzr}*#Txs3J}qmxW99EM$n>hr``+R&w$EI zZowNiJFUd%5YK^^Jx!=FQqU9iSGZP8Q(hvn*?hQ(q! zKqc^zqVD5m_R-sLW!>v!tVs$XuX%pya)k`(f0%PAe|AsgrN7L@0*SfnP>UT5kI#s1 zT67N7ld9)oAy?CqvL+0g?F(YP4`3T2@(}>sN#dhC0gjnF-4uqfnzyif7%D&fD~`A? zR8xfHym&&gQf-5mv_Wde&ID+6KY@Ucp!(Lq&3*5r-(eeIeO8tj49Y{$u4IJRYVKx? z-SqO^P~{C~X62!iy&ukVqT(6v#w#+kkkXv$)R4R1|2+56Uz)joW^Rz$2TT*x%_+~1 z82;kpur3$wcCa+}8nunP5>6^uO-ZH#Hw!O)aEI7{oA7zjHv%!4?mmb(q*Wsih=bM+ zJY$jDiA|0-SdA~i{i5D{2};~mW?A@}vH#-dn{cWEsD*Mm;!G(Q$8SDbo$*kGl*FX? zp#J+H$A!SlB2A1h7x>ui`?sI{K2Zd&u2i@Wo}vhea`8O z%4e?b+8e+n*{a}jgleNon5xa0Y03AAQ5$VVcdI|e#lk2_k6HFXU@?s@MHwUYBUiHO z1npa*?y5K{V5A_SDk-U+#CPxsLdGfhX)_q}WB*xGy;`cEaPIW|tlE9`pS;?V0}rzg z+JHjOOdScW%~qn^;nk2WQL)%*Xl0Bq;zLRn=!~FcY5Zr8K2OYM5sYu<3g;=6QKVkB zrX!VNw^4*ETW;k_N=TWA@T*M0vuqoA!J_TyL5D&5s&53$+O=RQ>aKqK zY>b6Ay_U7Y9xwX)u0TGP?dVL@`?wurm7_ic0gR!IJ&(rsex4dXm3@gXUX-^A4Iff7 ztXSN=T`3*7sjy#irQzk!#HajfLd*k?(sxUrW+)+A&U^hEqYXb@|1c!a(DJ%=E6~tCVVDZr zf;sKeqg9jLp|uPt!T+SokiSuIk{Nr*PY;_jD&iOp9x~cu!Pl>I5^KWd?jTFLpA!vk zAwveE6Bpi!9E73C&Ca>X#S~XbJ(8S#c_SZaU9UrM1-Te;#mu3yxxsQo(zm4l##1h* z+W!?iq{OKq*#vZ-&2pQJ#%ryuOq#Iw&%9TDYQk0xW#bv6TjM0<0(?a6E)-1}$j(d> zAQL_d)z15qXHm*NCocLwj3>YM|41wuogI{3Pp&zMS&IC z@78$J@flhD9#M^5t%sD&ZRr@3L%epuGTtXU;!8a?d8omYex~x@6@OHA0O95y8wY@g z^*6`8O$|Qp*T@j=q{kdViZ*4+WbR6w@$JgFj_fEz&MmmIJpG^M;j^M8Jj$*T zPjU8qa0#|Z8 zG&RX78i}_QY#OEB)+nn;+@rtJJ3Xgmx6((rctJ9o*?NQrEZ01x@;!z!(OMIIU4cwg zSA;g_I<@t*4u#EXsD$7<)a4NhX?d0s?!FTG&BX#HJf!N-ys^hKo1vJ9+TH}9gtsgR znYEd~S-qbFL}p~4bM1kP6fV-c|Am%DFHWCuIKX=9_|P=bxlhmvVp>sctT{Yo`CWmw15x_vcW<+nS+`Aa zrIMi3 zzDWe&8CGjnG3{*l?`i;UwF(}S&)IQ?52mus%E$V=`!8*E3FvspO%D|J^`Cjkbz!}B zoq^)7WB00_m5>ki-v05HP@fUWsX#cBXtp~I8>FfD&-0?tr5XOS8I1B>gnLzj>sugT z(?w9HGImG0Kf#Glo7d^kI0y~M>&R4bnKj9BiWm4NmjDjc7KHTKoX)g-+$@*&P8`3- z^A)WlQ##{21F7i41)E)8S!6+{mbw}CpVY4DeB;|=)Tv$1)e=7$mDAlGPG63cVkpNd znk?Z8Gn6Ml%s$w`1RumoUwpgeVuLxCMp0i@^OYB{WM6{-2{T1he}a3knO=^d*f@iS zppT-%b{bvUt1vcTQ2Pk5lw<_eB29!u?*vsm`WYn81LRw)Myc}GkqlOjFo zv=C`&m!&@LWUrR1!cI9)%ldBn#F8CCDqJ>XtwPqu`}tZyMpPWU2H&Cg|1b=LVMHw| zr>&51>-Qg~;vY6K)68@*P$^Dv2v0qz7wVH5@JkD1HHtcZAL^Ja>MvuV_*xcE-BE`* zTpV6R=8O6`TXXa+0VL_vQ}rBSQG^PDTg8A6s|7O~02z7*kl1X-zl@HDnm)1>#QUlr zWb+zNfP3spHMRiSMTgB&q%D;pJUtfIOSqh53*dYU_QeLVBq&O z;*bikEs4iU7pSwyS#u4f5ZhoWOAx*N$GSQ>pZEHG5K210-!m57IKY0t*s#B^1f6J( zO|M+@z9)!Nw8E^4sdd~fQC#`%!zi_q>^wEyN_Ry=0w4KchO8fJykZ$SLh1v8ZCZ^k zeBtT`44z{L&$d8)=s|-W%lBsXy?+LdJzP*WfzHChLix|DHI81dfAYoL6-Y(I_7$rV z=xU;X`o9ZcyR&REgro;q2Nx?=c{T)pL>;|^pL(+9?JC%r>2WQRN`B*~V{XuQ&T zHHUpfKa=4}VG#)1#{zJ?9B<}GB?RZGZFUX4{301F#bkTUkfc{X@uh*2weXzWCJ}ql z;)lRw-g<}WxUGup_ON>krz}%N%^%g+WT`hlg(lamC;#O?q134W~+itVYSWE z#iV38s-wjo8IQ0LKXPgIc@6%V-}D4nekGrwQ=>rh&aiExOCLTb_uin**4T9+41azN zhq~0#*QGDsZv3b(I`Ln4aW2cFqRCE&4lm8`IQir+>jRtN7Y-izRf(uZYH0{7NzIit zYL&h-j8|K}#C%n)vjzEPJFR_)sFx`%t z)$JN?(}DqqMCR)3@MB}a+e{DrR$=Fj_?tOVXLh?!qCOT;!_Ex0O>+(UI}+@09>^3a z5jL|^2RzcQpmPQoR$oUS3X6PFi@<$`z&vxn#kYX4!=iY?(W41jh=QC9B#HtP?Sj)$ zN-+jyS@k9_5ffFb`f^XYt+HdwjqyFqb;0V?;Reu5$gY7;q9|6jN!7)Me600b>@fjqodWSRY&hz>raed|V=?6;WP zY+u;RrWJ;aE+mTw<5h!+PW*3(2B*Hb%^@H1ocHUmpgZ?|1V4Ms zKR}%RoQ7NAIO;(F;)P%U!TsLUeTLSpY4(o&RWUtSg|WvDUXXA+@(8L0(5OSuNUrgtrjx7I^QJ)$B5tX+?{=`Y3ztZik9e6%HH3Zq7ohd zjh3BiOc1|OGwaJ{v>a7Ky?(XO9a~Gijy#T?^x15#}k!TQQb6`IH>;9kDKTva@?xmI#bh82DfZEoxgi0jW90} zJTjikFUelMwJzjHvI-YQeG0ukkz~V(5qaD;Xr|qs@P3G9&-3*{VqtV^b@dmxh4IgB z1!eYSs_P zVv(?8T3*;{!P&2N_~|6fVRMPzeRp-Sw1yB0IrX1Bk%rW)QJ$(~uRZb6J3c+CJ#FNL zoq05J|GSx z#d>R`iz&r&zO9^VK8=0;<3N4r#&W^r6)km>W?E?@1Yr zH#up!jB(ojhmkv37rPFB4o6ZJNy>=0u%CSu*on$Rl5?)rl(2aan(4u1MgfZvAJ=}6 z5Gqi-kbL_#FTjlq!sgwPSZd!Q{qy?o6ovo%yx55%hSYNB}w!Np5 zlKID;L2rqV34A@x$2?q2)w+V^Y}@!;rVLu90xR{!d;B z7LQqeCa@_Q3yIY%B4#3~?w__?y5aTcK8XR?wpi}I!@LRQNVLOzLr|^Hdpn~WWe&6P zC+r}a1B&G?3A+}YkfyP;_~eO=?2imnm@3?SRu+LIWV_8%k^27UpUSJg^I%sUCvsf1 zG`xrliM zi~OGw$HU8Dr_55hgBA1OS4kc_+!HKKDe%SXvR;FxY_|K$twztm%aBT+g1FxU{1g(6 zy`kLV7!r;qo@u-!yYMK&oU*G?B#c<~J+x?An%-52f~8^aeWbdq+;AS8Z6s+Rl4#su zH?&rGS7j`BUHo^vnnwQ8@<^8@`SA`n{p-nNt5KB#W8m>DE0r-u5YTK*t?pQ9r}Lox zpML7b10HUHDsw!XsMhHR*R*VeU(G(fu_eE!K%t24$^%#UkwJ};x(#UXO%;`LL>}gXOd`9FXvPP)UZn|Ge2kz*0NW6wo7XqXBzjIum3Z@Ro~t4`lu50v6V-d(M;T2rYN&GvGua6QGBcjqq zG07o~{Cf6$^(6V#eU$8dwQr}L3f}l7%P^7WO>w`I&|R>W84^bD-hNb~B>#~hj~DaS*+7o> z5PNNh%2lmL%2hSg$VAR-e-HqGP$5n2OH6RpvFo}}?e!Rv+sw}9q|_-U44!?+S|RzN zb&T4pO^*i}8T@8V)nkp|Ab3?aK*)2ZR}ZAYW{Z!^vX}Yhq@gwjofe6Z^=Zi)6YCeu9HdA7dQLWER`SPcqd}V zOfF?kq!?abty0Pi5gXlyZeSj#fd@FwTU==>J zc2E*W@5mD($u%Du$1LAMoDw}>m@Kv0B8^d$DQ9`sXw3NgyR^ug6Du7RnH>Um0bw9; zcqVlGG|xV4C$+>3#T&<6r$Op-qpoMp{C>`i|K8^|EeqAurkm!i!%>uP?3~~)jfo>tHYor%iv{}!B)5unF%KZCdlSVnpoX1 zZVqHhgQi|)waKN0_#zIGr|=bz$UF$k!ITIE=&j?*J{~stk+I1ON=Qow4#8_l+Wk*% zL7kx=a0oVqi!I^NfSCjVV}&+Yj(4z%7jXQm+@%2ZXS$bdJ5D)z-Y-Od|h> zw6_mudjI3cyH^LB@;M|oBb9SLiBK4}C6!8Xs&fuXmYeL9ayNG~+bU%oHzS?ocHOH_ zidjM!GEBxeH23Cq!^SYPnce)}KA-D%egExzzt`2(<%<0A+Vk~zKAw-qZa12q{p*ZM(xllWxVOg3;s!I<4@^-#c4tKe+h@a ze<%TdGDdwzd;* ziu2Nsp}1QU3hjSN2T<#DV2}L(&a^Ngmi6J_w82iQ3)8IXiCF}9yS~k@eNRyL0s^d% z>yvK6jf1v|odaSvuH=QZ}Yjv4QbBUa^hR~#4mf{(00^c&cO^uj8 zXkCGyY;4w}K+S^iE0cdEHL^~cM^|C8XZ=sOR3vQq8gJ_!l1m&tGVix|_oMbZ5CqK} zB0`yVxb_5L>V7ljbUT%P-ga9@E=^#vT63DQ@+V1gNzHm2-b;_ugKoa4UPcoqQ4j+9ZW8O`pyg1m+YlMeb|Hk6EmUoG-Jm&`q-Im1 zWE+Lsoh>u*wp~XmFic}aX9(1iG=kKhc0c>*SzgFjB`Y1E5 zARStVQBKP5fSJK{|)kqvCJ*MPQ~lX7ptiUjk5)S~KjbL8FWsp)W& zr2+NDzErACzWrkdiCg(hdy8`DL|NOzG_QOT*PVhp6i#jHx`NbTvPNXm zD-cCOa4n{GJBMTJ%Smc!-&q?6bVJFkA9CvZ2PsF$I*IBH14tC=jLQFzGVmb!I4Ild zApL2c%{k^?XQ_SNeM@@bgSiam8KXd6;R2fd)nU4r#OaxE^I+G15blzQ7w=9kKOmz$ zxp%G*2D&l_9N1_sKqZxN`Y81MEAGLMm0!|A4x&})Znbu-t`ibX=1PT+HVzT zphNbzMNbFDCbwQo9NA!a90hAY*FlHmuA>I=jV;PI>isPOUB$;M5chO%Z3MPLtqO(C z@PG};n=QY+&Qpx>^yaTx@2&y5`T*Dh|FOqz+;Hwy-9@!fE#cX#>A5?;n^aadYW<-V z8q*L0FsUN;d{y}qeSfRa{U|(R>_}yty)E%;>CcUSEhZR5C%kh(h)Rh`511Qc5_b@E z#hH};JXlUlj_sEYjUO9v859P6!t&?51X+jQSOB59edP5yO-3QZ8B&pE9+q=|^68B| zRLqiz%bof%4368W7rngcH8{UUdc1EV$>fNAIT%g#EERfX)_TyUjN8x49`M2fL?vH4l6mL@^PagEyrJDNdvm<@#kR?|0>(d+CBx>YEgk;RUzH5MtK-YhT(>(qU_ZuG!J8kt z_3yS1tZN=m0XZsso}7;K-m8|<`0v5PSnzd`TX|;tJ2Ru4-3W^wGlG7IT&{X z7>mqz%ep`6Z&!%^v)&utZNokI{t0V-(>l9OaIp)?_oYF1WdSAKKhr9M)OC#2H~ zvdiqy-mG}4YviuDB`+7kcuB9&3wGGAmyVY$rs9-S|4&(F9J( zKPY`oRlC-<(O5q!EVcGpY*_titp;XsQGP+AK2nIdH(=9)dA>ahjq^DFVe!VRw2DooSpsvbx}~Zt=@Zsl0F6m zuo=&wsI>g+{=m?`50#j_dN6{rU`o6X5uKfWujWY-=9lD(7XnDbvM@$GI|l!Qz7_p= zkCm#}!^w)>7^I1QW@FUhurH{Beoo~=_N*~$m@@_)qlSUGBQD$jbEiz=zx_kL(?F7$ znOaN8$o~0_d$V=Zz2tq`XfMKB+g%I{CCRk#I-GCwFEwut`njoEoIOPgiwz1j3}gk6 zrUm-xmb?l=BpW%-UHja`sqwuJITrr^ydtIDGvwEbrYP}ldcX?9^5=kNM$UeF8}|kpc4s3zgTQH%7EP;{(OX0m|&{@$qJou z-q0r}pOFz2Q*GGE-diE2uneSq@5H4qV(RGcT}9`s#fzDpdTsrcPXywVsPz3IVifE) z-qZ-|zi^j2kL0@ncf&Qc^m2&4D4zqU*f-C*`D9Gjv+4200zgD z@K=EA$3HaHXuCLrGOd1XE?hOa)uHPbLvjk}v(detzJLDu(jTrKphzx}<%PBs(+Z)Z z%PydRKJ7;4qpEKWCVYK2qwO6LuiNZ9wt0hd3fa|B8A;lV47_)(22Zx_VG=mxj^D3oU4 z>4jl^52m-Z)$Ci38Vm}=e?g5=^d$@fFxncobEW8pu9gR4fg!W|;jX6|Q1rfrL+|!{ zH$M-HF$isb1qkA@wZXgfEQWh4t^t zn<(X4-(K<7M{;uvw2mNXUk8eV>jasLc?yFS3Uh7b(cI1sjlYhjehX!va6J@!nY?>h z%K;twr%35?uk9i9kNZLW-A}Rh>ab`DL+e_^1>?Zwfh0im+hwP}YIx2Cbv}~rkJ@Ov z_z=@&qU{H&w!}0;=M2?~9OsP!;AtRSaG&IhrKt*uPqIBgZr%sMY%?R7Rhvn-cT; zGTo|Z(n%XW-MTd=095)cV2oF@OF2I#yA~6wx#sg)L2hhfT@G72-W;TX-R|xi^nwwL zTVY=r*GVbCj7lA{ADpY<9Xn9CAF~bntH%d*?FSZa246O3gxXFTb?gGh_KiiFdXD!C z8jeJ`XAI|oL(=xopDEqKj%QbRHoV$a#%tgpz>c@+?X(5cbR%Od@_X~RM4tdey14y z2Y3(qYE;s<(&Ki$=UkMCh?g)uOO+32(yNF`uXzmf{JNuvvi-H1CTOXzU4QXku|g!DBWIp zSj6+*m}G3(wjU;7B-`=7BzJi`f5Lk&U9-t1zH|-*yB$(wQqZwc0B))!R6nkim_lf5 z=t0D1=wa7GjKYlCr?bo(h_G8>r|WXAAQj6^99eTNsn(jePp6C)HEJP{nTXP2LuWj? z;Tv_#*1@59&1{RWCQ#Yfqra2{eg9N8d=IFc>Vp`O{vy04npM(t?l1JoFrCSoe_;cI zGIrw=md$h?3ZpBU{R4DbYXq%ZGkfJSuNZXYOaP8wY4+I1#te(DpZl#qVcva;jVe6b zuMGO&O$4l$5%}ppQhkv8w#8blOlhqAv!saQ6*1K+GxX|;p z=mxtcHM&D8L=B_|tVcN>*6BI>f(rXyxE4k$9>?VoBM?xiKn;Y-vAIGYPl4Pw ze{1^qBy3_%t)T2^_Dyn&jBe6cuvSL$Cgj+C>6HPBMG5X2pm<}mExT7+pYupgX-|L7 zy_N|M=?;sU72~Sx6`p^xjL|esB!v!oPz&y;*?nv!%4 z^Jvom)*P}kcn&(Uh60{};{MW13Z-L3Vt%iR8@JP9(f+M-4Ygzq0T|>Xtq57QYA{G1 zgJ(hPSC=@7mGep;K5L#k-)ox`BSB8M@BZ#~x=^)VE{30iw@vFmUhY}v6vr|WZn_Nx zWpRHopq`c1dv{I_j4}^ZE&Gwqxd#W>cm7rF-llEJ1Y zd5O^YrRvAA;m_H(i(2`xG)`T(}x?iNk(DNpHg;Ls`-w8YRSHSXnesc5w?;; zU?X3@XQxsU#qG}SmX+aDxWo1WE5Tb=170^FS--!cT=3(Ia>jMma*#$`d=e(?5a5oM z{ts4GUa5QtqG7iwM0H*@a?p5Wn2_e^_x%vd1Fa7#qg`qGX1yP-VtL0`O@kNHVzq2s z&`Ih2CfuA!rj`|X>sX4Wp^Y06FYxXNhUUE-shldCBHC1(z%k^E=4)h;-||VLIk%xe zpfz_~I<)vW=Owu;H)qf~qcL%&-cXuIHym z$`?$Ha-$wme(u&^?PKK@hQ5^$<{$5weNQT=Tw}*gHt8bedHj<}^FIOm?M02ibG}n^ z{A!ikMVIf_N@KMC8|`7QOX!DY8iQeVI--;2+vm^y%Ua~tVe!m0$m+zF7NWPQy~vZf z=Z0&`-t-(ZoZ*}9Q<^&WJ2vhYPv*fW6(D$rlQ-F*Z;ZQtTh6Mv{7pk)P1tq*3u5OB zzzr5T1~*kP-YE_Xt>@NG(GK?yJUM_F1P*~L4n(YbjSZ>x)|`DotekYc+Z zl+A|Ru3qWX=c(>c-_#s6#0nkb%mfUXT4<+sqqXId$r#Cqz_OY6=tnFjrPf7<(AK-r z`9}D9H%f>FjFgg|27sMj%zhE{57_D9|FY9kfSu0o#|6Ik_|R0WMK}N3hY3CdDyu?G zYvfWo>@qhKwmZhHFn@;Lub`(b2P9ZhB6!(DjRjG;;cm4hHWOVglg?nfbf@Afa#Y65 zU>vs~d|*_X1(^pN=5c?VqMV#}MLKlX^xC~IW6YU`@B+09mKg$*amLmi4{3MW7WA;e zqoIc)M+_#9kgd${@VvF$&^J(lecd1+LiF?R1vapV&HJKE7TS%(&V{awn;GfY^I5XF^P^&w!bCdjTQiA$9W6>i(XVRmOMkk z%XYiapz7Cg%ght~HcD>76;9u)fzx@Ipc)70#=^T!-MV^)v|@E_&8v@tK)DpFrJEvS z!R@$BNhSAT`aMAp@-hG9UF(qjWdg9owL z7nTxw1~IgfY8lyl1)^WobtQm{xi-UDpH)cztY{C4LWGj@6?Js>*S+hlu(um6WX@Co_&>C7DO zdyerH^xNBZRAW%7Xt(JFKN9oefe@KDgzyJ9fSnApTG`Yh>4YF~k7M1=udpjDC6hrN zKfsgY*>>Bij}{{WxK*!}K4oV*evBNwm38liJNW3vg8J}lx1?Dv{=&Omrs{u|gVef{ z_E)U7Z|tMza@4Pdatl_ADPKON+yg7A9`gPxV2hn4b76hyKGO@5Q^wg=ZbQh(h-;16 zQ~2a7plypr-kc=KUE0o)Q2NB{N(}{-EXSH5Rx1d%+!m{8Tm%$gEaH{6myVzNwk@X5 zKa3gu{!KKvZn`)g?$zjY%wDEnCK7VlcO8OA26xa0Qebp>Ca_~Dj_CWvX?ptt*Bx~;ue%2KoQ^!Wg?1ZiJ2K<<%`vdq_Y28~t9?4Y{k(}=`uabGta@^VX0jAwbgV z)V}sN`StKGl~ROCDpby85#$o3vSbC z^#c-7#Vf=D`OKT|Q6cx*ZvCwuY~?n2PRBvV<|K3HGfy>?CDidG2vyWMLn32Zue(F> zOm}Zi&H=twf<{hv{B%Z+Dpx!QCajrR1{NC(3r-?%b1Aifc~n7-=RtB{ z_I~gYbpOl7AOkJL-4=@{3?m%~BUX{bdw%X|k~6BtuI=LO@{d%r4&OdjVdi3!yM?Zz z-==JFU~UJ5D1Kbolt*@UV8|HsU?NrUqxV{IUC)}Vd8i_C-MWMb^cVNgC$?2-01kxS zvb*~pdbI)mB=NiVl!4uPGyb4z2iSDPTwyiF)xN&jpvwRV+*zUbK}&f?9}4>SKSrNz z&g#xNC;}|q#+L=Ksw6W~bY#axAjEjza?Km!y>}$%J?3`--7h96)qeJpzI92N;#mcP zPet|DS;^Xc`YcZDtGY^mwvm%>^ru{8Jnil46}X{5cbi^>RI}ec@a}%1-9|BQYZJ0` zp~Yep_&pwm@lP9Ronz{L2@E%8F{`t{Zi`Z85iXLvJ`94ep0(R!O^Q&R+lWS&`Ca;U zAvJ_S!x;oZ^vvv276L$E*FWp$pwS7j*}$7dHEm;_k>AhY!cEr|G+BvrO{mY`tP=6t z@_fiW8w5RH8|~WR3JCr|MaH}*`A3hFQb!B`-W|_0p)ht>H7?JTcjmOf-*{M5hPw@| zgvC*H1z!Qlz2nsY>-Kph-!bMogr1q;v*HKtab|y_rxl;E7~danBIxVO68#-G-nMVA zn%mPqE)L)Fg1L_>uK)jc0hGTs4Ck|;-pK<`XWU%7>4Ab-KUG{;M0o3Q59=TQ+W#&|+!%5=(qPIDw z1KPk_c#;r69KswxRU|nETV-#VA*MnmHL}G8!Cyl1Yis^h!F?R22nZ2R?#s6EmF7Uw z4fB?EAzXkdH~@xNqn@r6FWM>1Rh}=kA9+s7z4N#1(bYd0~JS69t(po0UHZYm6b*$C;6hTlCl zhYbNJ8xyf4ptA5w&xl4c?)u8G(ZNt5!06B?EE4bML%%f3wQYlvM}Y~)4%k)W%rW^c zLLyu5z?^*^q+dqYVi`Fqsc;Mv3`DAB&&fQ0r5hsRMk8rA1AT)E5%d}SYabZSuIEAl z;jnT&9x~$}*r=NVPumOD%=Ngoa17jlYGhQ#N0=T|zRR+dj&tHZxeR1&Tl~D^ z`$vM~qvQWuyH*eUQm+wSIu?5MC%_FA1w(;r4u~RmjmK6lTU?2xmHqQO3K}D%&RHyj zuWXy5c&?e5&H1op=`rppTaaN@`53sNbxgO?8}fm*tHMjdy`!z(5|oPXfftu(erUHb z|3-7YJq-YJrFpoq{xiS410_ozO|>^0Gd87Y+|d3h(#L6AXUErstFW>=9+-j5_jk|v zS`>?Gyu#KhXz;d=tJ=cjYC97kae+$)&EA_KwBZh!+mJjhfJ8!BTgudcanTb$<*EEz ze`F!iuB2{f+Whnz=bDtOORJi(mf2&sLkTUdgLqbNP5$78L4CU8Y#V3n`z>ROxs3tOA}zNNo}oVjh-9GaX9f`0fke=&LJK&EizX2)*a?&a&S^ok@i3`4ZG(e@Z&R_Z`kzFdlm4(f%t_WF|iq{^B7ZGX~FcF88L;wC? z;^clhW^WMb$;o>Q;W|5zXCSyFeyBrn0yr47G?tPcueHi-EF9_!GE^*H z3N^4@W}fsWBu4xL=TxRoPOKZ&$aKr8V z1nh>n=GLORvOC*lHC=BuVyH82=4H@P)HhePcA4z088~`&?NIdWg7YUhUSLugH8ylO ztkr&{*>o@^PTqNUxHfoft(hS6P|d{Pnmps1>gpz6yabRsrXMkQ*w-bt#9$CG$)LYu zzJHRqUvILh1)ij4q?#nlvk20^kgI=jYU!l+K(Bvd>2Gy#9}1t;zn_~pIy=^v-+J%h z1knkV`J{TUTE17S(}_st-0iU0zQJe3kf@wzW$;=zhU}S3G(Z`JR5-p+Sb6}T zag=^WBZfV=P_oq`>rVrt`o@P~J%=ru2$2TcKn-b47GBde3(Xrrx|`C6y+W;>o7KK_ z>~cawK=gK>OSUEA)+XaZadxF}cxam8p%KWMEVH0xzy+`rahKi;vba^$giuZ(l*pP1 zL!tCD(2Y&i)2H`t&p(>lt2MF;93&RT$4-4eW@~NI21amqcV+fTq$CO{@zk-X`wX~; z9S5uq-e+p;v^g0cVBq8E1L3ADBzW|P=5&L}P+p(~_hV8(Nl0>qU=dneLW*1YI%%^F z2K$BFZ+7$8^g>0<@^pSl8Dyp7A!eK082zMM#(m%-&Cy57Y#!(99@usDF{7c(D({8! zB<3gZ=N_`vZlWef4`FF<>%8F?#xq<0Eiuj70r~m%Nkh#U*|O;*V)0gDYSHVbrY`h8 z1U_T2Ia9x26_$spPZXy1o=T15+h|Cy&{S)6sshf^Akec_n-j39$F_{4SWj`7-SG-4QEV3`CdDhX>7Mw#ZmR8?m zXTv{!P?A+65}IUAh~=y)&6@*&y%fUvO*KPUAlzzI&Xve&D=cR+18-^xPg_K`XnePL zAc^i$=DVz7 zj!cwJc=(=9Pd{lW+8bbJ)Zc$VA;|O!)U^U4cZB$tIc_im!Ypu^h&ROW{#97G`7J7K zb-^YiS>LZw*W$eQaFzWIOE;rCPItESzad^jfJwfk;sWCDYLx~{hb^PGP1SVux%j@+ zBNfK6V-WlojqWgp@{Kd@?k7;bGn79;>abzPF3+bGfyAw(cAMwDkYPVuyonSStaxoH zdu}PSBgf6Yg{-qXtk4R7&^IA=2-Nj%o%fZj{P+g{{ZmCj>UzJbUHGC-#xHlds-`U! ze_JYsKBtp?+Pr^8W#(V?2SZJ#1iKvK`)sgB6a|;|vTFt?i|w%;M-GLzZFF_jfXl9s zYoobOGFsDyy?>f(4ghY0&qaH7MkNU>8)SBO|fC zcMpW9g&)rS(F?R5WwEwpB*c0--}897VY{JHYgI7lBb!KQmrZ`6MLoW0y5g(xujU5I zM(fp@V{9`!xC}_I0|$%Z?hXx_LihVGmT!w&yvve}Ge#jN;PGD5BT^fL$c8Z6Rwr*$ z4ey5-0+VQDw*0J7C1A~Ayl?*d`^O8A^Jt&iB7Ox$SSiA{2&IOqxz9dzl{%sm9dHvH zQ@X)Jn-gJz4lS$GM3T+L2yWKLonWi1`&S_me>6gJe6(!&`T;fK{!1>k(9y}RAWiP8 z;$-m4cJvp@OiQ6m@OE!ysH#Atzbv~~?1$qzCS z^oU0VFh;5~YYbMbv#>qf28K zSlI_O_U;y40{Hb4k2QsxWGhE8%uzrHycj%>?6uT&0g#DfT1zJH0y6Q#>{qY9pA*h& zZAr%f?HuqF2uhY}wQkvLy>lUZr^Z=-Th}z#JOrBhf1v*&j$jT13g$Ble!Dy#gtqtr z$%y|dwMjVv(%I5N_L5UrckR%J#6hS~5FdCn22(sk?a{x`BJ1OQ89S`2I7ZKelzHM% ztVxkvI`D$hhr&f%eF8k@x5aLAt4lyuz{R4%+AR#Y9#8+8+Hi-gJ5ZY+$G-p0 z&Tc3rRr8C-@z*-KU!1ttgeMEc*>UeSw-C4PEMofh%ec9?QNTjJNj#V(Y_O{t(?qV& zwLRo9V7PRYf5AW-D4KJgYqN#rK!6f^d)EB>i)Pj|tT-W7V+QBZB7>~7%wef89cNN0ca2g#47HH% zA0updJF&47dS@Hs(t!~thIBl@(9+l-FYcJLtGTs$>0)N7^K`K@5PPvGhBAUfLbt4N z?JD4tCt8g9fryMAtjgpTV_KlyFB^Ds-9o^9VkNOq=ql6d7VSpFg_0T`X<<`sbbEkB z+f{d9B%9Kef}j8n#V{WHr~Ui2!Gp>5R^V~PC|Eg)RB=O0(;kbb;gLac-y+ybnMkU5D)uUS0+Tdhh`_c>X=9WV2h3Ymm3P zJ51j0r-5yiNiPh-;IeiZyN3jv=Ccic=wYokRMYpmSa^_oZ}HE~9bsGILB}lgd)sTH z>@$=a?=i;&3CgYx6aUHrT*j`Ti5=m}MG~UiqN~m)rOKGGY8;ecEM_o|0!JGb46*Vj zM6zf?O&d&A#O2dj4YqzHEhj< z;Q<$u*!#GWcp&nw*$`^@y;{n2b^GHAE1Wf+T zWWcwRwF_}VY~3vI7l-W2`BRd6(k)7I2`C}eQJS_pAOjVI{WWX#{cH4}ydvAw{F z+Qk-SA7qWnk>EHINpIAu^s)vK>cp-128G-o>EFwJuv_CE)i{bF+tqfj^k9HlVLW4i zNrJ=$Ju()|i%*guSXAz4asS#t$bB+!dL@%1>jUhyk=390qa^0NNAEqH%2pRMQ~gM( zkk#q7ks!q@I3jboY|<~tBCn_c^T*Be1c8BXfm#GOX2+L{w>NCJh~8kLW38jYIKRfB zeN@c2>Aowj>FN0y(YJbt#R$ptdy>Xj%U-pYPFON(uMsl)=$MTi=BZk*><|f|lva-@ z=40wm-3AQ^Ad}H>lD0V=SRTW$%$xsUdA{xqJC_j4SO4TLz4sonnh9AQi=l}MAU?WN z0qb_>=3C5-P<{Hjon;Pc&7ICNKQo;OP%_5+^n835bF4lWQ|g`KwbJ+G>P6r2!qmnP zp>&4y0-A{m@fV*=d~J!v@EWdi+4B8I)_d_6=Q!?twwqY@hK{lR400S4EB*3OK4CZXP+=#M!gbFp|%v9FVC2 z7Uh_oN=i~mE8@R-;=T#5tX1dYm90nz%={(Qf1GQoW&cJh8UY~tzgR--utHK0-+yH! zGAge|vtaSnWrX+=LL4))m>wgqH-j%GBYl5XOnA9>fs79Z1 z8}c99WhI+vE8dAkr9FCIb?%D$igZ_irakq{Bz>EmnNll%XyyJ@!o*yQ@2HJ0hV2=R zPk~_;PZplIot(S!($awy8p?j8Pq2WilMja3qj%?C+wq)8d^e%hovn`EO)SB?)olF< ze3J!StWkfyU+x=OUjc^?WXGo5a>p$uj1Jf~H5BIe+?j5&Y3L829-vJ>`%43!1{qNYswo?lFT12v*kXfxrG9kiA2y%VO9V zK=h`5@EraJm3RoK#I@&^@^&+14SV>M250!CK14pMhFCbySw4@Dji*>D32qX>WwLLI z-(gf*hThTzUgyBY+tkwoXTILrMO*l}WbRO7sI+ejo`Lpo56TZJ^d@vTK10!3ow$YK zxifj9Uk(Z$4+!3$!NujSzHM6_<9;Eq?d&MB{NI2K)zT1gEys1R3i<#TaE^CEOD9eG zv08h~68Fb`4LehZaRJaTcH@Fsh4}r8!rcsYKi}XoRKGf{&uhB&soM}|xhHIc77Qyh zNpxto47Z#}D1^`5&7GeE1EKDz{?SPa9N$^YD)cq-;)^*ew>c}0sv+_knj?RJls-V- z8w*)Omy_{hcJA=CbLfHqQ45FMxD&DF7D46f`aie5Y{(=X7&|iC^jqDp*ryb1>^RKe4uuH?rxwCigWPf7 zC>8LsIB0ogW^t%ys0HhqM_Ux11Y7k1PGAg7PA(nz+Z~sjTd1v921eJH`^6BvIQGk0 z@{#gR1fbcCNMRfiOf}X^Q1lY!T)?np*{kYz+m;GtQ%KlqmF}m2@Q*)jQI@Y;O?A3)3|To69Nk7?C&I4gF|#nG+oYm@(zr%D5>TK%!oRD7qjDicp#^lvaBn6dwtH zuB=A=5_D%D>eZ8j5s!Bm(lxYPB6o$G2b5}W-YGQS4$PYKp)gp`M zHm;4u?{--7YLPX21y>1BpMiTS;{3s`F;9Rr#gNp?jq{dDs~R&;-W@#S!d!PbUtx@M zt&7Ui+-vV_(y>l)3X|*kHua z8|+FHJV3GP_3_OCz=bCF+hu~*hLPQ(MibSLIYz;S$ug3rG_=G#&0yRu`Y#hv!B!cP z2OQ-bNBOBlF;JqA;MYP`bI2;+<+@~D_>sDwg);Hgo44~Ce^m19*qa5A_~jq$ynJ4yI^PuQLKGG3m;$I9!JukkiS&QXg zYSh13c;%cEI9w}EZgJ8U_jcdGCr%c*7YpkzxWKG!PZxyGj*1pGr4*_+85wU4=I)FQ z?o$hwIuG=*fQOG4@9ic*0&#+s>*v?3)s*bL9R}0In&fclwH9P<^l~4VuU$lrN^)(^ zMtH7`UM|5-=yRkCdl=Z|+o9OO7bMt9pKjgE`B2$CBGAG_5T8ikp*}<;3nuZY2DrhP zL^|pfuD`k=^TqPJBfNyE!|n*_$99urw|1>A=F$3!54uVS%JCHS4E@1`+Z=VU)A(J? zqW(cnntna?NbjBauH!q0%f*My+zsV2v2IMcr#bI$yn;KqB%UI$%CYVrva+1MaVEC> z-kZK%RS~cJOlHGIabH$zWA5I)vLH*TF3B5iD8phRTEdYZvIjrcRq~@HJ0<4YOWev& z^PY3=9ih9mV+tHYt2e$Qh@$o=hY7UkIK_M7Sr)mlP9g6fX%vgHD;jH6eYL%_3Qr*d zs~YB!;DpuHhpdM?(%q!C15wBjbUG z%*o!uf)WHU&a&{cm&kEJivE6&ctHTr(|80W53$mXP;^6-6v!F{tXi^ESrhP&#~hVg z4pGl*nD-`) zynA_B%`oYh-xe=-FkR2h2*^^^M@gA`h)P+ewmzP2dVk?j?zI;l4VRtD_O%y7wjL&Zp)4%{Ll_CUOe zXnb>K@8<~qmo!Pf)Yv6V+^q{Bg}+TR|13ny_752vx18W2)eE>PyBr^^Gpts;suYV`$e)%F9L?qCCPIm& zLivhQx4f2(SN$zSN^>@}OR}8wxvU>XkmA*97H3Esr@U-zo?DU)CoHcvLhrs)uBP+~ z+iF!jJidxoSF*8Ef^hK@$$RcHr&vGoMSH#+pb&#_OF0l^;Avza-(LhvV-B>TeEKJ`) zr~G}WM;P{Kwyh$&EgG*lpd^y((wcO=kr7W=Mq^s=m1ml@N=BdM$$i!41yQ^Am{w?Z zynfp2s&XI%Zo~cMfX>4J*H1Lt<>@yKpAUOaf7$W-D0A%D?X!7mexcpk$M^v* z;EizNzUD^v`p0qLvZ!K`W^P=dWO7ASYQKywJ(rRE3_c0X=wji4*cVn8&lq3?;BbJT zygWU<(>$YzF0(nM@4x`=BJ4~_flrR<&kNiX7jNSz2;hz^r8KA4sLQ!9{A;tHOChfX z?7)m+i_KOtf?&7U#}1eUkDp3!I{3j# zNStc(4+{C5!c~Zno3qzSMhGiPtOWa*I^rQ-4UpJ~79^H9<+P~9dwl~7d@bdJyb?G; zyc#TV7!`N&JbsxLp~#3ec|VUe4C~|x;RMP0wrA$#i!rm&DrEy}u4Ho64Pp5kWYDip zz~dn#J^6tKuxkN#m?96P{0%9+H%SOdb5YZ?;XezQc?VWDo4km*bH0{hLv9S^(xV^O z!N!STY-M=Z#A9ih7={qH-*y*0)Gjl!{_KtZDs|>QgUr4muhu9FIri}&MOQn^ab8SS zRoStMJv14yf&Qr#iI`G1nHJX1x^+GLn)h)hx{OzP2ad~tW*i$Of%YcWs@cwmu~N1l zNAPzd&||!lEs4wx1K#4+0N{`!ZjDZ?S$WI4c$@A!SbWj|^KI3*p7R8_>r&j1WUoUv zawx9ro|i8ynzQ#JmM@CiQ@}KU%!ylXAc#OlF2rII(_CJ=m2hhW*r}wxhPfuW%sXME z(=Uc%*HV1fkbvE*CVo$)r=?yGz>OOR*ZSb%-%shiCCU3|C(ywC3)pCT*zs>1KSO1a zB!h9{gCH(--Imw@j=YE`oe-VCgBEws>J{e$x)*MSJC&i{RA z?^sCrt!WVtrBs%)I5_3JD27~zfge{W{bDT7ImMpp0NS5jlAoCm%!wY>gOuK$>1 zCUq;TnKdPZ#MTx_R{5pbtXt!}HN;dSnIL;1;c@(MtRH&Sa>xbJFDTqi>eHN*CslSj z0D|j<98v(xtzVY!JecY|i-Rpw;n<~J!R`A)9DuHhdY~WkJ8qoy6=kvXuo31X?{b+2 z7tVIF<)JD zipmLr*Mb)kzH;kPUsvt}?ur?3J{AtN+&u|oOzM7+A(p`xVqylmX`OD|I|nauh}oZA z2v|{ZSo||@LZK%I$m9mR7oVL4AUymX{EtL}gfoLK>*dTJZK#70+=VHZevMPEh)@!0 z54lJo$E`{bwW?`Fc1bpXph}G~-dSOtJE3Dm$zLuw1$?>wAKa0Sa1R;K(K*?G0V71j zsm4UlC6FRk=Q=RIlaPyqHgPJ9%zgb!Nz>2&E@HV83YV2s3At9~qzLVGvfGC=tyRq{ zBsIG7(CtHJ0In;b=!!bk!ez2V#?sp!P)nAsu6?mT5?G!VFV+KyY^HJK0dOTSPcqW*!4l7fIE!SH^RaN zC^%3N);wL+{*dsnc$0WW=+%gaS8{n04YtX)ejmC)VT%Mwj{_-&8~=g8$N(m1Ue7YPzuC|TaP0dxXZji%EWN(t zB8>=JnrPhW={pWDRR6i2zI|DsmlGS`I+Y88Fu`)JQIUAIY>YQ?3Ld^Y*$U)dN)C}BE-w>rm)V^^$vyu|Sd zJ6+u?FXkh#d($sZ-b<}edIL{1N-l~~tmZ8Jy&bY<@^28t<3)y+ycCWq;FTz6f_>%n zpiOlP92n%YD!L@kmq1>XPegrL5+`UhV3mTf1#!2if{akehmF8%kA+eC-U?gFBAxAo)x(J-|S`29Sqm~c11ehjX$B9_E%>h}Zjy9Whh>O$4 z`~V`eq@Z>&Y;Mvnh+Uz!W-~%9E=^-R0PQXG5v28Y^k=TF#&|&t11+1M+ce7xA^K6k z4K%T9&aPM2taKfg^g>yMQ8_Com~wfjg+WGpsD-_HZuBe#v{nJeC08E?4xQ~dWlY?r zh5m9wCs)l`xa6;uqTzRG<#=dfo^7CLEciTs^X@Gb@TXTc!`d7e#L%(@Vv>m(O^cQx z?#F6-a|*@Z02!W=ndQJ>ySCuR%RcGfNMOmNyBa$SEKlPA$5RgGUr|eMx1oBT0%wB1 zY|A7Sb`8Gcj1a+bI{2{lME3$UCL%{I&pIyR*tEBn1OJ>H_jEL2*lYI6=2{9BWDWF) z@`hGaIz|N;&lGq(TVhUrul%9kpV=@XB3CHKR^O>|dRG@@L;x4!mCG_d(7Lld8&(NQ zv8afws#QU8b%X1lUO0GJNr-_+Z;hf-Dvc!o9N4_>RLOKPey$COHoO3TW(AZN;o%#=zSE0t4OscDjum8p=Ad@HFb z;foZN5EYR(9M1V2>fYb)_m3Yt80gvTz1LcM?Jtzk9a;Q0%!Oyn=4;`nUMT{L{Uefk z6-Sf2$txSO8q}?(4Oi|CSNr)>f;G99F?;azn|6%&b4eu^SDb$T$Z@lo%-OQaoX=Vj zG^~Ml^a<6l{_4yUsT+RHXbr9;dT*Ih&8*k-h=JhR@V^1a5XO+{Oj zcQ|1~+4!Z(^-h29sC@gTl{zOfQxWBUYUQII`LSI`PtP4rn&HMuIPAh-YkwgCTkyQU zm%L(TH3f*^9ZV2}gW5wR`Ef||lxX_5kKhCLfBEg}46?rIEmC?mbIaA0_=|#9$j4h-tFGH!>Ty3W#Yo9~{JrgALoM z*4}uZR;Gh$EBee*!PATa@YBoR74jvaxubNX-DxwUfylVtr|KY-9Y|{dB6?jI#sKih zgMdaV|2ljT*Qa*onrcwNYKM(?TqB*3DoSk>nGTk-B&*h zBzoZT+K5)u&-Av*vj(jOgJ&mvToLgno}cgccL46RdFknkxL+)*w5yR1qt#UHu>{TN z&0yw-PER*h?CqF*E%Bb}Yp%HF;0Gd~H`?uooYOo_;U~(&0Rcq!;=Oq6AlJq6ChT}myqbC=J|f<%DfJoWlA@1Lp70W4iBG-z ze$jMWp>fCbmt+bHiTxNML>_y=b(slaZXFxUF ze}64hW_e8u1sriuy36I;iyZKinQRP*l;M7XmiFO^U`$>Mbu#_!$!Rt}W>h7VJ`hgd z8bA+*2Y+M=#TDhAGIiNCLMRDTuD8*cUu*~oD_kBRxP5d$n2T#Lp3~Gmqo>G2edU6? zsxWLCDj!fCV8({lwAbL|a_&ykK{lQeOyp|{B^cN(Z^&QagsU~Q@|Sl5`g=8(!**$~ z!_9E+YqaMHzxYLmCz!fU6FyYBa(QR9M@YK&LMV&*5FouT;TgSAzvoWv6Zb^=u!i%$ zMy`PWy)bj5^69A$#Z{t+jaPnDWik((E};pl$)<|yJ1R%kShSMa;q#HgCk*u)hdKUu zTYSTSrpBkbp1A%e$-7V|CN)b_oSC6&F@~1k(6|E$f8s!u@lqNe@6N*5m<75c*a|EX8L%pP20w68xGe9DlBWAt~fIBI`5^r1LA%AB%sI-N$ZcX6chx2dbHifPH`X8CDhiVVq zt0+mI@gL9r@#hjv$IaG~D#@MIGyana&L@HTD*{I^2jDm2`1aSsjp>G3!l$m9R>q55 z7TsZ$1MCy5zK~X5#E&Ri2SlS~ZMe`!#Qo{D$8};N*pf&@-B1y%&;-2;Dl=qs z4k@Ts1EZ8ou(e!13jOi6jJ3=S?Sr|hV3mRoEvBKd*%2)V=_;0s>r-fGjZWAKxS}6m ziLtk8loHKs{x)LU)$%Wk#bn;^JcNUF`*OYEgrUj$4y zS7bJYIm-#XbsR>n<XIvV=H6^$B-4^aH+$Dj} z3;h^-N?9#%Eh|~`u7IVnQ)FC81h;$a^@)7$s|rYH>Joi(E&i(=xmC+WIYApe4382W zp%o0xuH zxloU@KG`b{LU0>h{@9papfHq66>L5Y>6z(@Zcu;|H!{IM>E(#8C$I-N2@lqn80u|j zDmS{U8ab%%$~~B%;$u9^P&!Z~Ag8|L7hX`oSa|;A@en?0GcQ zD|j)uS;Y`#Tl2A3Lc?E!@j`JKn$+wgVfsi#2It2*L(DS=FZc*azPE^^>}p0!W>f6C zw3F5KipnQUpHx=K-g@#@hhuu##XU*n42SQeVS(rYrEy;bp3a_cw`L%T0vpRhQ5mfkG2=hp0{2GCQ-Y8=5H zqh)1V}>t5UHc z1&?3viXEVoFq?qA3z-5}RGF?%0f*i=a>PEGqiq-0D;xK`8XG6Zaw+uCwDo`I7(;6t zV}2(P__P1;ub*9!>O^=Y+i4!7$A1@3AQXD5*NP;?`vuH%L-}Un)Ml zT)N>?&Q#6%!}@CtHDu;^P_A@dIU_P=AO3~@%Iqd6zNGGJ{DNF~)EAIgd?DXwbslpkwhfbpn_ zB0sL;2u;lcXpv&uf5R;|-%p58v08y+ZENKJeY1>03bVN~B1EMSO6BAcF}xu33jcf5 z_=mfW9);r{F9Ly8-qw@^ZPLo7mt}jA6zL{W)%`Sf%+`aE1rw@QMI$9v0#LKx<6%yHWJa+prj8E=phAx;%dKRc+P?O ze&;Ga-*VUOo7wnN8upP+6S=5mRrZt|aQ}Tsc^@y{`cHT-Gpg|XRBr0z`P+$($t6oU zMe1sU!1t$7RvGr`7?eYwnDvgo#?p^^j)XmzRpl2|NIFNnx7oBJm&v&#DSzAhA06sI zv$Z3o>z3%Dr&9J{id$1I33Wq^-W*cN+i-Xc9#CrfasRwEY{6L`QtMW)Seoh1 zroqYmwH#=W8S^TBJ%0M_3+3aqiCU>!rrMDdIG!{0-k0Tc-u=Ea(cpP^m)sm-vv@J9&S2MxL)3>d$GQP$QU2W6k=CR{s+I{VHZTe`t z<-v8-yH2AGmhYbXJ&&>cKOgC3_hJKcQG^N?ai5;Uedua?5_f`p!r_$V!T&Dd)Dj@?QxZWdMf@mPu`mSe#avAQH;$tcCYEf z(mZ70S#@@;cs$E!pWfy(yW}UEYvZMMtL=<44!oP^eq`^P_j{1(J-|(-_x#njg)vj-)+Oi6gWBFB(R9#r|8Z5cnxF6Ly9=ke6? zRG=PI@U=tXaAtrfTKF)nFj+h6?DDPUNE>m#S2XG_y=2>2@xiRaW};HTEpXgGdzz;0 zYz2zATXsIMBy&G3X6H9fp({s1ciN zPa&0-!tR$UTDV;Ben0`5%p4*&u2{#a1jo&imY)kRRe}@dPz6QG){`e8!6e58eKu5B z8i%~0y+E@3U7-A;hpZ1h_0_laok7GSnSlw5b%^0-?+|!UG7@0RaGg?ix<6s@RGBLs zs&f=pr!-4JYbeNkH$uhLYw#qX2hNjJRXazgT$;7ZH2!Ov+l$o;fy!}};Ok2#;4Ajw zLsSZ-W;S!tcMxmnKW;Qe?k-r3Q#zMv3D#2amZRLAV#zr~^7BdZ50Q z_L$;2Y|SSvS1R;9>?yz#os*WKAB`C*&^dhar6+`W;Rm@})UscfXkOOw^>%1BC}cmE zD|*mzJBKwQv(#)xziCgb4gCU~e@hUELn+13l_dIcOPRI6;2P3j>HTTr^BgKH|6Xl1 z@EXKFu)0IY1WzGH9X5|)P|WniylL1J9(AVd_F+IF(3AA(+$^;c= zN!C|7KIjlIoH(9ALwigaadYz(W_eS=u=SA=9mhFWzY{q@sw_oa#pyaTvo#BBOa_;t zAui~|>5Hst2$`yJ5&%Kuxb=Zi@q-u187(-`^=Lh=PKgVwNFw7NQ3A`U#@T$lvv)%$z$X7pH+| zI(D%2GyJ!Go#x(IMf(`f~Sm#}0#`w-RiDjz=xEt-O+#*ub!PCgu?B$m1 zZ6}^Cf?D})<$a@&Fz7Jjb72;PEmrSsJ#{$xLeR6vQ--_9Sk9XzNW-4s_ByGHt*7hf_Yh$%-?-1d+NoTUTeBzlTZo}} zj=c9t$V^x04ZC?vv3{_n_>v96RSIp)f1yEenzGp`L7QU8BTY4qaf*+3<^$VLm7L%# z+DfV!BHTGUW$1=IH4_75MIL z5yN?t<{fkA^jO%^>+ngls?RC8-h#rzk%R%a+Nwk?^0`nSlvkJepDxp}LQie*c{}Q- zpp5fhqt&6O2b7`sUpdpLx*0qfgV1s#&`iZEUD4(c#_&2OC5YpT@H zc)8HHC!tL8IE@uzZdgIrK0DdDw?1^mcE-maL0%~|=(hFTzQ)N^5Dy$Q4!R9Yg?1|6 zqe*MTd!o0KOX@tO;>C=2E|joj>y{()NwyuUw#HhE^;DFFy#c`wA?WSD(D}A`ZLS*= zy=VVfSv9|+d=~*a?V-7|(%duS)!Kk_o4U3RYcAm?&fMxbybG^%bV%S;dp#l4x>C5D z*g$x^!)pV7 z|Jk>PRjg1xmdYA4O~r|L+OXbIl|vcW7gf`GH%!6kjo(N^Urm3joSR|ku%QZwhW44H zQHpT~o=zaI_+UxUr&gFV&}^D_)n`trP9cs#C$o&lkvPxk-j|ag+@}&xejCz2f2pYY zU7LxUKIiD#6Ebl_Gz=_qJ#61)lb|u?uzh3VD;WE>3KC21IEmj@P0G{w(7UWN z&Z@@0i?p>YbODJ$T~ZsB}jn8+MzMIk>!YLt<0Y*Mmz= zMZe{1$H^Pi{OqxJFFi^2u0I~tT=+L<!$6S#f5P_k53jJ5cgn z;)?9C5O_$};Y1>O3>y=t@2lS|PNv{--OY|^r4HJe+sQI*2KJMO7bTniy1OM ziF9U{bS$DUg^w^nJh;K|9VH;)_v96n&aDZleBMR;9MY54Ir|@To{~&+k$%_A)uKQA zPEvDNdC?oTr*rg!&Oo&^lky@NtUH1QQxJc=a>D3&Va-rGDQ9yznk9eqY8;`pCKJIT zm=m>D*uv(2;W4>fOpR*gPt35$6HN0V1zy^JL_t|w7fOm0?0zuaq{remRAK=}k@Y9D zTh^zw^oagPo%>*#DqLD+$<1b4EwVWHb+@-}*3w@&SNS@Y^C}vuchTV@-l>A%%15ke zuLJsB68mc)2 z*`O+-9yowwjEpD8Yq#q=!%5uyaC%qnxE+CJEVYyN`%R3CE&``;+L;T)Ay)$9d&cPR zHW~OCkyAsVOCA}7KX&fe%3tFL>D9bjf5E@}@a$i!d&lyA@)PEUjD=;cj*LIw1TR=o zF%}}rlll=wdlK~8->=)$IKoCxrx|6gc8uM(W5@J$w zR~4uU-~%^6L*NA$bB-7f+f8W(pTgc~<@9?q%d9(~Ol2f^g(#HR0 zD?e?}PMPCCGWRrA7XpWelPgfq18XOyWVJIX+j5;M5;bqSnUU4+i`e{p8{gKb(x%e;`j_ZUV_JUNl1$1oEddqSRNgmoaU01rQF zB`+ne)y58X{qZ1Q{OVJD!>2gCcWey31YTy=?}AF+HcQ9rs~E+S#6U9x$H!Z{GF&?y z0KhmG*^}@C?nhC=d~iBn9II^5FK0BV8=X!FA@~u6FLUYyHE5GOmgRm9YaPIt|&$UlBXhsW3YehcS%^Kh9iXYGQ2s8z0}valLEQ z0K~OkwfJglwC)Yy&nVfm71q4RFAa*Od)4IH)a^;QL=o#7$VVkq>lemFeBBnlIRkmW zS8B6dp<WQ6@`Z^+V5H8}YOHz9NR)lN8QE zgeTfY^s#480IjbB!7WFytVC&;kO+=OP%x1m?pMW(+H-kQg;)V(zs80ZNnaRDu!YLd zm-NE&Yv((w?taRm%T0Jgi~F$z%L9{QsMYy>#qVNOi~yS+=qyk3C8lew-i<?OS69b5*l| z%%-|bD9pi^1x^vUEX_)Mq_{fQr5@Ua-8appl}$|J5CEb_o+|& zQx^gOxBxGK8Vk@VII?<)w`dnke`rTC8*i<=Q`}xD5zYa!!*V%w+qROy>ZiXnKVI8k zcYoLAp-U7~IvX9jKXohCz}e|k=1PoB!E=zjoctVic!_LB<=KukNZo^!Pa!$KpwUD6 z+)q#cSqr_2csHZ$<9hcgvpx(N;=UP9I~}c7OeAVPwzJ+tgK24+b9xmeUhbFUqv@Kt zJ%bZg&B;#fNKDuG2UOxk#m%npg2nwIO>~LW8q_*1dSvw|z_bLmMXCCfM{8%9aW8L< z`>HV^Wc3i4J}rBx^ktZLKcIftTSu{r)gK`#bLm5!I07#^c*7ILP#XGghVlTMg3>I- zw}_7|Q-G-0tUKt3dA6`BD{!|eyp#v;rCIu>)Lh*^2w?*>3vT6IuyjtL{q5&c!4D~4 z(obhhEyH>y79qAF7zFQ{5>*efwj0Jx05VFE+6EN1bsH3;c)xWPc_Mg{V0j~a9uT!% z0&ao&*0oSE6qXn2Cf@}Z#5DcD zsrM$SPj+GHS_OsCvc>oEJ#Iy5=&N@SPLwC_@z6aS7s2HSX3@L`3Vzr*ORaUIL(5?ndH#lcLJ?Y%@Gcvc|2+d(k)3V!Y1=2-O zzq(+ya}y}p{&;7!uxqpv2dkH$P3|(oPr7};6VBM+ACKLXq8y{OW1)=CsL&x)%6nCQ z2%uz*CVtx0ak{We)UQ+#%^f)JY~PXhIo3DG9mopCYwL*aFO=~h6N_Kv2^|z#kFES( zz4Rw_yEI(BbvgP8o(S94)`n%EtyS@|txdMMfuPSuw5 zVT%vC^KIR6MW59ii)PnjZV?^1uTfQ0SUZ2mi3T*K}+h@uslOBqHV%?EmQlsgI08p+(s z3TR+U@ZM2E5aaovk3OxzjvxQ()*#asDsn;!>kG2<>fIwE<74oj$o%!US1aF}y zXhFT7R_)x9sEJ+kuO`2l8~cMdJvj43%FOnF|7FjM)<^D+mW5zbl}j988QnN`IA0=@ zssqcB8;h|s$?P)M!i;}lQ{WBO06ye!vBaf97LYJRb%~mDi@B002+$kuv-BHNDEO<} zf@eA%G5{)88<|XIJeD_=21uS_-s_0W|_1+mnx##F!8-;C2e99 zFRXY*!G5gnkN_frS+;rMcR!Q^C_PN3uSn-^)3gwakK%A543p#!EE z`C&eQ$v2ELF~04`aUIi)OoqeKd>rJ~-F*?1MCPda9-#nvV}3vLp0U^#)9-VoF`~SSv|L zaEoRr^g8YR={LI{=!Sriv1emadw~AI8Y-glz*FgX&5=E@a@52D^~>PKa5%Tl4VgKf z+pu}%l{3fA99r;xYzB9ulVV1i%>krA@~Ag9eY~2iJ5;GotoVs}{~|s$e&*>TO1JuS zG`6P`4P;!wPdobPpE;6RrbO4FY&$Tfx@Ka3wtL+3LRh(8V3 zqu8`02FaGcDlLRlF&{&?j^B@FlW53otL#!2^a@pgi8w8TSewImp*U3V+<`IjKTc?$ zEWJkr-Oy#i9$4POHIhnoXeDYvAQX!%lj~VC!2g_S^0sF>#ph&e;}(Z+pZxvE?``*X z9TR`j*~lCUD?#*!uapMyIaGbRQV4xO=e#8FS+NS_ThmJT+^x|&9a&i_*2=YW1X)n4 zIEn055mv$J1`OA>DZa-kM|{GJ7p8Bt)^fy}M8Y~{7tyfyq{`2n$NRL7Q8BDJ-|wRj zQ|H`%b_({<404O##D~L!+~&*Tum)w#RSIC2JMDmp+AHlxxXMN2KJ;|aK1hFN%$m4X zz?%0Adgy-p*{rnXs8>f1`c`W?~x@biQ8%E23h1+=l5_-DH%&^h{x)v~KywNBn4UCG<9?UWj3K1rDZ zAmd_;E&*!_oTYk9Uc{{Kb!ea-vPFlmTQAmALeEOkBD5cE)2#l&`_1`quqDNsE`25m zmX~E$8Ol$OBKGlFV|}`~ z3NPEgQfWWO9(KJKTPl0p`Ell(;Z7%;Li)0q?0CKAJcBfJw3$-UG=*!I%y?)g{?W-H zjUdB`3 zjHwNq;rDH)jrnbJmJ`Pt=F+gMw#|B<5b9Ao;7nED9D$f}fT>7#y!V>UtD-{hj+skI1KtEs#J0D1Y zIgW`2KA}{LbEO9ZKo%1VAy*QYdKyuhrU}JJzPaACjsrA-k6{MdP_ND@5==nb4JSjF z-HDF&(QFb$BW=oz`UN=ie+)986S0vsd!}uU=C--ollw36 z#$y|29XvGj!`#ssm#*QeCVc!GKiM3ZR!=p2(lj@%PB;8Qc;}-zoW@`M__W^eT9PKj zA^NG%)@7bc`;){UYI4(fq>f6~qq8L|N!EbpHu@ykICBf)R-%H z$!w;tWXIzb$CMosC-&`KuyG!#{|tLjD4Z%ynYjxdve+4Bd*2~591*pTYZU)0089p3 z`6=jnH>`Mu8V|%1Fdx`ap;)C7W^IB*XfzsEnX5qfQZXB#As=koEy7DQ`!s?Y3;Qg0 zJ0_0ysPz0O1Dh|(6_lYRzN*ajQ87oC{@;wVq+a#{jsTlZQ=lI*v3Ztd5-I-T{sK@o z0aLg!7=wKbe40VP)u>mX<1c>}sLfX#<0AK(v*7kg(!a3XUaSW_pQDWY0K*Gbl*SfHigp8r|Yu5qC#MNiKlZ zCz*}#4mj8;__})$#CpjC*E5z1(15a?CM+qK~XuYT;i4q`d_gT9x>bZiH>-*Xo5Qn5d zvrlHp`jm2SNy{jSF&)x0bi#g&OIdk6wrMI?Jj~P|CR+`XA(5|n0Mv_G_4S#^BnE#x zxDG-3#`Hm5(M?Uz=z;0LZQZmg??!eP_&xeh9yU1+p7Y#wGU6xfx>veZxkA+42my>f;k6Za-#1!NHg5Fdi+Zo0Fh4zOSmS5e!rq`0q zXq`%k{KYtjsL(qmPN{ytAmnuoJbte*AsIopnN7}gxSMD@L>-dmygFV#^X0ket|c29 zCpD43n&)ze^fB#M#ENAHPtkF`%XTKP9+RU;9XYB6h!2J}4Z~z}Y7)zFvN4W`j>Sl_ z_~-*ju^qX(C=MCSQ9p6wJYC@kUu2=D9$Eui=u-aq<95fZmjB4b?OIqew%s)*!He*7 z6KC3%!T2|q65H)V`k-;%?qMjx4^kuQrAq=e#&-uwB)#BD9Kc=+j#={?yI;*w)~qtq zJc$f1N>w=A`FPFXVp2P%@ian%+&hw7<|kipFip8_^v*hsvb3{{t?!b(QJ6cuW9S|! zOQ96>@EO>8pfZJ}-#qTf(=Nhf`_Vq~5McKOpI9te^}ey}c|a+uK+3VKLKRX~CJG-! z%1nYupd1}XRO6&_12!znL{B4pi$p?0iGm9X1S$Vwz6-aQHOlx}1!6voBF}V!i1lHX zOHdPkqJ|%eR9zkDMYC@S+M18lcJD1>lb4n=!22YX!jpk41W8T|*CvMKJ}HVd>V4Ud zFS{HL?RE0$3@XR-cR>O*W?(Q3S=lzfmz2X8Ma3p$z+2~?r|A1A&z*S4I!635QyEI_ z^vsqBMr|49W+atNGBx_8^G~=aJ5Ajssf>co!JWIM7uo;(?J;gP`(VJ_-GqYZf69&y z)(2;TFUA~uYyA{fXRHBGBvzj6%*iQ)-p&QEF+&xUuuqt)elB8Sc;nQ$i)8AHF2lw# zYdqO&EVI~ECS&}-|Ikf7wGYI8$HosAp=@4@GE|_Hh7aWnw2N{`L$vB6U+uW#tB*C> zlFAr6;T*%W961IWgIgw7(ti|HGSPo*KxF+VxTb797!N1&6`&NAn~w=mdF+QJjFVWa zp<0-C5a%WKr9Rm5y$(L>=`MU5gKZ*PBuRl-XlZ2}$!DM3XUW5&k+jueDm6b~gAEZm z_E&A47~oCoFvqe5bC{xd81a_JevZ+o*!Kf!He}#KM2coxq}D)4g{lZI<3iD5a&8UP zAb>Yz9&G4ay7#0V-)cRB{*Z#Hij`Bh^s!AnDVMTgXS#rA}_ekwl%-Ga%`mfl$XxGZ$mIe_no}O5qc{|e4S1;N{ z_u5P$0+kJ`$MF4;>0Do`afx?RqcmddW)~%@BniKjbW*?@97$s*ElB&P_{6dT_cr-)CH*A2&2Ix@9-H-h<9gJdY-Yb#mPkg4Lcxekn2Y!6X-~3dpb9_Iph0XEhn%MV4Q^N!y@cM z)7kDwxfk6`y9^QIE;>1;pf36dcwDs12EF#y64D}mu=j>M^CMynQfd+`S;qpe3MTnN zgRaFE+MdESvzx9Pvfq@`@;&E;x7Dg6#)P^<}P2kj^B)#_A^NEnvc|y0*pS zt#hWHkmh>)?kHC9sVgko0vP(Q*FF=2tko@i_ZJ|$y^P1QSlPp+Qp@=1_RQm>ei&yE z!JVe#D6$MKl`e_L{2Rv9o4x4BEOr?pyG79kHC@sdQU*myzF_;>iUV~Ad_Rs`8xLRCIeheRnWgXsw@=$X(f9QN}>O#naL7K8lW7yQxq2p%! zN!+hNgCowpN4)P8@^-=@O-YJuZro*x7)ZpATAYb9F?~c6-tTXBTqrI@C%(9tEFL7K z7pkZ@^S6gzvt2Vcz423>-{+amIsNEmEMGzwSxlq{y*4xA?3 zDOt4^G8k5~LPiULQ_KK6coz^L3n(O&OoOUp6gpd$F zysKmE%zG~Igq5^_aTNJ*AgT$pmNL~w3%iQY2+keViMmirvn!kzapa2z*{>1? ztrjG=0&Ols-!wN9F%x(zzc7uB&10vZSn_Y3(6gkS1rDl{Qf|xyfZt4 z-{iiaLKd!l$r#*~Sy%O<7<0kE<3sJCg-v0#7!F-#PRbuZJk0{04H`@LJ;)#e+arDg zzKh%ter9&XoBkdDT>e3GLd(7Pu8QzRw$q+~TW>46%z{oY71auy0@K+>dR1p`{08G? zM@AG3@3PZJE~F;pg)pmgp`HHO0#BsM*o%4A_jJdM40mSMf9tLkAB!OOh2| zN~O>w!DzMZ3zMQOw9O^FJJXrlhY4Buh=&m`B3`aV{^wu$JW&%_JvjHRv}Tk--FK{Q zz5MOTzdyS~Q`4!XMZZcq*Mxr__IO?C+0nx42L*X8#F*~nt`!zbh0y*4bSiLvU2gEe zI8tun#LX?uxQ#DI*?aELCJSu}{3k6}-8)FVub*5a*H>VhLOP1-r;~&=Kr~9sS*z>w zC;Y*M`%Q!j&c{w4K{vm0F$Mec7EjlK^`|H&;6blhXvzNE3_PQ?SO&l$O#K#ic*T_B zk$ES+=6-;9=n}ab$?!D}=4MXNc$kr;9#YWX+{@%?AFeikoZEWa4ssS zp{Bx(sx1S?dT&iZ{A=#`qD%gUGgEuf_f^m|sB_-1tHR*DJnE~-k;{+ch&`*vdWneU{ws$kgx7`!K?1B_ zh92HoUI(@OXDOtlg7s84^N&`r`X;{6hOQa9iPfFRLj>dpzcuQjtKnz+utlt1P0Z7@ zZlo^@@&uYr9Ll(Dr@~x>m~8n)P*!>PW#6|j=|D!QjwN^C8+4`Qb-*~5d=TyN zfpN>^bmC4^CFTgmgi9?_rc*?KmGdzcidQ^$``k%SmMEk0Ygo zqXpRqD`9@zLLQRm6REnNrKexa!42<$!%7wU5S$e$rvVzaJ9C0NGF6ay$*Lc#`>VK;wb+eWAradRC;bjeH29n==7x0hW|Masd zwC%f)H-FuxyPC*bc`xFTPQ}}IvKgH-DelV7{P7W$AMv0^o(=6q8)$gQ*(}O>%FQN< z_Xg39lq9;C?(WiS{I?NEz*yQRY^w7ZXFNPwQ{F)6hp$s<`zQk$jA5{eo8wuZ?z^;b z0KEprj@vOkNGD-yJm7Bk8*j+Vo>&~OE`v>zko{4gphf)X+vdNX9$40S-ruvgNgvsDBYq#6LI_+-y3z4t zHOJR2JIDB5>wrEhDQM*(H#GBE1MZ|g z{jjkj=-9au+i$cp)?~xSa~jDu03bW+rZnGfu5Dr>AwKvMlH9~x5|rPJ8El?662~0Y zdhA*el|Bn1G14{wn4l`$D)OCG;famhxJoJQZ}mKSJiU73m?{ZBTI=VNVpV6)*OU9` z55;;zmFk^9F-%Q%lZytqBYOi^4AcO%1SPa#%we73@Q@#LPD9npt{=@6d=lwpwB0Y% z+_xOk$XGI}(^0OuBEkxhf%=1muS+$C@W2lQue{1&EEyGZGcePj*W1411DNIZiP13?3@iuo_Kmg+fD@W&652GJtDR}5ldcJuG5e#(>5{q=MowcWU9kx3-bDZ zD5%R8GfBAHSRxqk@6p$v+Rjt3l~LUnSMRvFCg_=tBjf{y@N#gW0yek$NMasWWPl<+ z{YDjhCwh1Sh@nTU_1wUYLo*q3+A*)^j-r$&q2xQ5{6NY!J`Q2k=9+x;dc)ISW~Nmf zxK1u#{b@?hKb^sf4DF1&Om;ZxQvci6)(d`Cy?ZOqeu-etOg*>xSRLSCHr~4itt|5p zr5Cs{G*g|6n|(;QZo&6c;w_ceF9cuz?Weox7UREv!rleHyihmJ{L$9L*!_6(uK&dA zlG1^AxXbBOIvDku{&D@{R19{B0`znyg}*T1D5j)*TtDxhCLf9EVGw6n{F!3faIr}}ahHZ!PQQD|(XyvNRy z0kZVgSc!(}-s`XKz+~$FDHSI>s06=U`Vsv1p$$KLvuSSZ(v#Oi#$+uXmB###fOok& zD-U7Ew7|}k`3+Jl}=LCQD#t(?mr`dsEbaE(|ZE6fKiQmWlA;rSf4@P4< z$I?m|Yj+mj7xkyb*SFCH!aUTWV&H1_hSQis=rgv#kR@{eK5vu&5Jy#Ifg`Vz1vuKw$`)?!~;BEyJzf1+Fdu1$#*gOuXM>Qdk|@R5OIiuJj-o_hDV-9v_{La2dIaneVnI~ z@Uv!b6}ns2+jrsi*lojx&bvawP3%n~H#rB$1*Gx*;2-?Xx}&n)%-V(%AqaM3bJn_6BaL3(fS`(a^1oWiZVi5MOmOzr+H|gR#>w+?;_Gi~j1v8};_?m_UJ-GAAkk%-Mr{@unp-`}Scdu5<(R%n zx9lkavhe1lz9mi%Jc>MuBd39y{B-k==tbIoN_#Ii57IZ&5#({yTuFYkqOjNlfi4Ra z3aEcqC2r_6a&)0@yx%mzIvVM=WB)1LJ71s7CKGq4KWU}^*|c!L+5@LDRJfUD5(laK zJ9SkY^sI6LnG(8;C4)M+6Z%H>8b+K}*&1e&R$WZnHdeFSH@(@0rZyhO!~pF>xAX?ceiy;>q!>sHFa@whcDPBTfYtXRPV^BI5GHC`bJ1bY*eNSb*fka;DwRyqM;@!@OWcX^x}@DqlBg1_3`R|5(y*Z|7!Zr&1@|* zj{yLz!e08m$s}iGML+!^8{{t)#qZ)yW3tA~=X)A_)9PP-SnS1pmRh6t$X&FE?$v)( zZ@@M?qel^=!u+``hx?IF{!L{ehs*;xXFSHN`Mtw{iJ!&uuzb7F()2dqgY(k6@TglCL zsi+4hG?cMr>gA668=IroFvftcwoY|#DhM*R#t@Vn1AOZ|S@%8i5``oHVZfAs1t<)WX$w~l(%u}Z|RE~2P|mkzH7=M zs4Dyx(6qjyCXDN*IMUX`ss$`rAG?=2F|-o1ZtcZCGC!@dV4_Q5wNTAAx4bC@p`dMzKAw`iv3XgOXsw$o(P%l^h zaJb^kmeRjwtzs7b_CDY$Wy?T(#phXGnqS>IU)g)5xl>|(0(#}rTgsB&KQ7b zB3QTX?Zptl)Hfoxa0urH^H zVxsDJiXk31JetAe=sZ<31I4lsQHiNrKx7#J0bB%wAn_A92@l0U?BqLPa*U@^h~X$S z(F&*q@c_YGH;saz#y_Z| z-Hp{(gLkO^lQr>T}^;KaWl)c@x3nPBruQs4#5C zGsEfe9%ku2hP9B%T7`BJ$6b0eif{ST85$M&N**c+r;d+6P-kj`2Nip`Jpj9xW&6cd z^i@Ivf%01#{MOVUyy^vJTAi+V8_zOOOzg90E1}8~))ydZ0ym2J&N)_hNjazT)|27T zZ;0gv%@;(4HJQGK|8kFr( zDu`zn4c!S6Un)_i_LnPpu}&-#_&e2+(uuuKzH~(6)yG!o9z1FBFr1+Pqm6EJSErGcSmvId6_?X7#MlJiUqXB6*5I4Hp6Bd;&`?pZ6gvU{uxpu6G_)eQr2`9dUo6%f9xr3g&c0Hbt;C-#J8Y2M; zN|K21r@HR2l6Pi+Ua6ZV2+ z;VMZ?^|IuW8sL}|$JovY(`6a(P*Y5&ZJW33q1S|Jv(?dTsxC;kE9VKXg~%V;%HXS_ zcf*9W|48DaZZG`d$6pOg7S1e)BK^Gz6!u#=?*3uB)5FYiyViuLXRV*@B>~>};MT50 zFAG52Wb&6`Oq0}W5i8gYYQ1g)HD((&Oia{mTURzK-0^D|$vg1Ol7_~e42 zo#-MKnyzfddCJt=hxWUf>L==;Bq%Hxe%F>W0k~f$9CEnuBFrWp(_mB%9AQcd-;zm- z0sS-3ffRGPqQxOyc>c8*n&L6#sPD$H@@q6wxdLeg_CkOOf<>X%gkuYzOmngy~ZD$ zmXzWRmRV!))VPc->fE{gc9RA3?s%*vr*~>DFu?630R0geN4x}4)SJuWl)|)m z_f!kW#?Wz@uw-7p11qfG7C%0pjM*TXSI|w;7!dNkNl0Qjv(Wv3Sl(C}#xgRj@?R9f%OzxNOvvsU*pqfDdYx=UW2I_hZQ>ACzk z=A*{*vmfO*J1^Sp?>3t7PDf1v>Yjx_(>M`sLH=ka!CIFmYg_e~NF{hWr2 zXSy8fviy9hhwC=h8rIA3PmZM?)dsF}ze=1;^x8`-Y?-~3Vmj+Z=r>yP6K_%CgcGg6 ztv%Rj_y@O0-Q(1I_*}9ttFt{#T>q0o25o|?67&nm%)&$WZP%tugaDHhwpGp49#iU* z+g-YYK!|yc7@!NHRh;SoLv7u1lVN`E$E7;Bnl*i0IJQ!CfFaWe#Id3M-|YZUDJYAH_&TF%k;6-`O6ZkOyq4`GBDcsB@NMUjp)+ zv7gHT_`|d$xqwln2X*$>Y)!|9!)h3RZ079Xn8|m0ch;C1fghk=F#KFdRe4eC z>AHTE5X0Ef9JuB@q*Tc4Juj7%Y1|b`FiX7oYRx>K)%R0E+;i=D0p;{ zt}bP`LDx376AWKYzLisD)FcY!zHNYvz~SnuzcWSrLEaG~O}IU^_-S!fZHgbt-Vtw{ z{|-ptEVJG{pg-LCBBRhch&9Lq8n|r3o2>O-a9^r+!!j}jy|I!Jmo;iUECcrD*Z&S_+s7?aRNN#>~!1=#k0Qy`+O~e5oj!p1d-K6N_ zoSe(<^;LN-3Nyh>OktwKc&EB#M2G>Ug^O^k2j-fpD>}>&KE0}Ob(3WUds65Dpo$(a z*Gw2ksR|g_=0@Cl8`oh{B@4`w(lpZYCX0U!n5Ll%dB7m~^fbJSVkdeZ4)pG@^8r|I zCET#2Jlw-c*a9fx)>ldcoN!E72FFxEF1Rm6BOch<&&0w74JG7{+B^I_tO_Q zexA|Qu=2uG=ab*K2UMq{!&?Qyw7((Kvf7=@-__i@+n0hl`o#pfH8}&Yx%ity4-9eR zbj5`BcxUEWFJc?l2VrxX9qX-_k%S()sfx=M4}&@Ds4@u$?AZj}X$yLv46qv6>|vEH ztm#jI_h;eQe8yABB`(*jP&8A8{f+&8Djs%inkx(t2qCkr_e|dBBcC?`mIt^W)4CYe zQPK_Sc%A}Krm#TbrB}-fum5|SnxN5{U})(kGmk8zw}aeb!a@&Us574wVCZNG^wT*A z(r7RP@N01_YHO<18m~L%5`m6D(-dzo#v~iC9eib`mJnSI$Uh3{NUN`&fTvEzI}0IZ z%a+hb(Rkx*L_Kd=fV#dJ^f&B{=z5xIK5{GNZ{o1pxM-bJbuVi?Pj*h?FFoLKA>isZ zS<8So=i0AG?amuRAgqi;n-Y{1yjyv&pVXNQA=Nu7qtp|41pdQIq2wxhy==B=`I(gm z0{mVq|EE~Jtum_ri&a@4EdbToEV3;rl>gUIQtvBnlQ;R=sjH^lZ-xYifp1n}ZuU>D zb=R5XtKm|ah&?rV@&a~Vq#OFS?13`ZUgoBM^&;dC7HOEb>bS3R8ZY@Ul@;r)`BJ=@N}>Ri+nW+k2@Z25*DA@ddXtU zRIcG1I!USeL~TB-|1+oq6yUJYY%>REWW^;{TE^1M%=gGmSU$}THXmP3Wp!5JhYYpv zb9<1Sv@q=-kHYS{(GJsyh>tJW*bgf3?ln0ds67-1>38(AK!o8qdo1(LbZQ%zAx4l2 z%vch$?vMN{zpLA~nt!49t+p7+L#zO8o_g3)~txD>E6Y^h>UfxYe67%vwDgl5H5D<Q(oLzs#{in)$*28&zZc@{;7G#a-ttp?9g?p|1Q=Ck0`5L=cn1+;|QtfOPAF4!ITR%OIR&?*n^v-Awd6~nL3t5?X6HxMgsI>pB2texL<5!8mKdyhbmZ9ps9xjbt2HK&`Rg9aGv}qd8 z2NDS2^L+S%kx2~0nEh|H3}f&0!^gp;V}qHOc4cuT9H7(<8SU>XZo&*^Fz)3QE5R#_ zR0RY8KP~PyB}cn^R&eSWhoPbk5dQma;^f-?AaT%;ZCe^YIQy=J zJ)o5Gej_2p4mrJ2jXxtID*O_jZ%XqAFJj_GJk809+f8(k;ZOhc#D8ugKM-j){O8V_ zvxEIkE>~x={nffDo@(B<$$Exeo>gBw`B2xL9m16E)D=Jk^M(?^h}t$h>QEJ4kuV%M z8qF}Y0u_r^sS*_M&-%i^OKP?1VE_e;94~IRT+ZmnU9v{6g-fjnPE!C=yrnY*&1VH> zfud(V{u4Zh=&?|0Md}ApxdnOwUg9Gv@77U9Hm``nrpFlWv~eR+Ie!eJ*GRpaq3dSM zCvY|pK4?vmy`dPr2Qgm*Q733fuO+3?TpS;TV<&4~TK~A9p3R4BegqtuuV*~@UsY!o zws=urn6bP9(BSU7N~^a9KLM22K*X&zqq5UOMjV8@Q^9TstX6pGA26b@G-&UedsasQ z6oS`o&j^s5soK3)7@P%ldM|Tpv;(?_x^ldEo)a!@O?s57S{?Z^pF!Y&7U_NlgrSRn zx&_Rb-1twi9~Ba0QvZ`_gkufw8~S0yd8-$5Nm8(>&4ckHkL$jVkUsA){V7X@xa!0I zITJ~m>0V~>C@OWmFO&cCdLfmhPWN}crmv8tdYUGNEP~srIH{{L61^yrt68V6s)-PT zG4?>?$cWqKgx)Bd?A_K9M9Fp*SJS1iDj6^#Gt`)mQl&|$$b(8f^3S&+z2SFcCp3TtQJ zvj>`wn--2jiQI)NjDQ%kgeSHek|>xD5?Z)?7+$ zWd9~MpC#yF28d%IDTQJETL%@KdVW|_#Y;w~`J7bGTWvZKD9h*>5~vaeMwm7a)O|PB z1R)SUYO%M^*rpd5fNQF@c`|>h2xAZDN)mzNMC{od;Pb^e@5MPT7ur&cD;cK2UW=%# ziKInYETKelHwiNS>A^V6s_p#-X2x0~I-W2Zt#{%_MSfo?mJ;(kk!w3y-?UD}TLtis zLA(Yz(IIkD@=N8jPGTfGaW3+a<+6-3`!lls^3-)|&gdupS=M9gS)M~-y-BEJ=gjonEHl$8~dh#OnSf>#*A!H49kKNAE@1&;_9>;h`*7ruO}VM_No zX;gfw*1j!GJ27+?L?kYvkV<4+!X>y}KPy}5#V8x}U<9Tsh|Qkh-XxJ;icDQPiV9C| zH1{@gn;S;>LtQlS7F}%bkpP(h2Zw0_}i` zJ3@akz>#Y&{jaAPw=<&Q2*~!k+D!%{4yNwq?O;>{hV#ao^FL_5ZX?PzTx#9}$e(OJ-~ z(F4+IFR#vx(FXUMB%MBI25yJH*RLc`&CN*UrdU0lOd*DAtheiiS~u#y1?3}AT2(8t zvFrt5tQP+ch`Y*^p1?EBh(%+*%yJBS1qdkrGNq@Dv%p}L_U`}axzjcD2boFJ=_ZIJ z(aJwGG5@+P{mT#8P-kRrMF>OD-<{AslZCV{QN5;HasseckA0-TC0wDjS=rhTr{F1s z@*8id?lE98vzw#O)V)_u-n*sK4-k*ihar~h=zvbS^RSb>mVkHtg`IG=n{fQ;%!N3m z*6NNV=0Te1k9QX84Oe3>?J2iv+UtS;9s&KjF(3%qp8dylh`CEkxu0z{{^}u1K=nLN z3})8Jm&C1j&$^(sW1XxgN!qT3jwD4D3j0O^(b}ghp)&RBgsHx5!*6y|^5|C1HsvfL-)o z3XALPgm?qii#^lJuX&rj2TRnC0g*)kT%T22BP)PXL~!_nXc8DB;dMaa`ivvS(SZS; zoLlT9yk~HdQ8I<;xVHSNQQ_755^5yAB5d8KRe6oC6CqLSM&It#M@Ot7+|=89EIfGM zVkwXZdMg)IO*L3xJQH>Jp);lv_JucIdZMr<0Xm@(%Eg?=uH0}p4t&3&g$E8e;Wt>iuKg=mNTI^+32a!HzYW{ z(Y&|Mnn$h#GP>}JgI>^Zr}=j>u#0m1-TSFZ)oSzsu%!E%;gkedKh}%sr9z~4z3PYz zu0Af8SSR_z0K_yO4`^9J2t6vf*sU?i1IDw$!?EaoC1B$L!%s>Ee9g7pP0D>a7}=y|H#->&$AmK;{dSJD2hA}j38az z{w36!;~WdE)H-U}o^N7Js!V;fOIP%}24k69lL{V4pyArUClR$1BVO87_mqX%@kLcP zqd-wL;7z_LdJ(5nOWrIY{pa()7vDKUwx5Z4JQ%8$XH)iSHvFg` z-rRS1m-|b5SyjWHW2sBZewypT*|xn9(DUMac1xX?6?P_Qfno4AG*M`OQzssc8z2l# z+$WV?x{`PD>xQ7#;J&2KJ6{pJ6Tg9aVp@q^fGZ!MliK7V)kMWg2Kl9Tuabw(La;Xo z8zNS(pj?wei{Pib(r^HU5MTFERJ*sffY+XZSq>6;ejpBO#2nSYLc=g}ON`3>yvlJF z8Sgd^cVe?f^{SH?BrE>ls~sRA-m*9MGvz=B>{k@N{F)K%?K>Y~E@}zs`Jre4i?O2OiQA{{{ zTTjheB}ZMt;um8%LUs)-3R`g^wMi#?v1dW5nTT3Var0NhGuwvX&D50bgI**b&M@WU ztdGANnfZ8qOsd!RnpG4}_2wKy5p2m}yJ5E$>*ELr`EJ#~I1d}}>Rgvo;L1oXBdanL zr&MX9J7QZB1<;!<+DS*<=z+p}fbi*ab*pdY>_-KguGQ4>XWj};f$TE4eL|&GgK2pc z>3$u+`}Y-Q-rxa;0Xivo5l#c3i<>AaWSX9Am0F@f+W(BB3DebPvcb`U-P1%y9>DxP z-~pd$HAfHB;NXPEu<+3pE4R~Zn+)cgv)22^54u9YL!XwA4*X}j!3UBKgg9-{r>Pw{ zZM;h3`Nb(H-l195hZG!<-_hpjnKm6aIBH487H$C)#p%R{mW-f$yfQ&y5ur6Dag6$^ zaQf$^hF2?c>@$G#RSGPwrpCY2&Eg!t5&E_&|L**AfnRnj7r{~b+*>Bo_pN(5WPn~V zEGdXO@yk93$+c8&%HM~hBk*^K>s0vC)0?*~Q=jR1{~~E%;ipdiljWqcQ@Yis?;}CF z2Wea~dc;%OmLUH9=dr=Nf)dJ&^F)rnE~wL?ZW6HHey~j*ZM9704hM-Pr-fFgPTUap zm|}nh;U;zJsyD|?)qsaN>A2h!qXjX~5>H3m$P!9*xSup6m;QDUu6T*J0v`(|?uJLB z3Jhq^vS2zEj;UO6@}Dm)d=>$Ft^be2@jo^P_`-w%J68Ra(V-JULH{uAQ~E(B2%we! zeG!0wm$SZsh;1&9%N5s+>xQJb!-Eve!BypLUvc4+?;Z?S<^_b3az9G-%FNauk>{pugtFee z>PvNh!9MnDlqkzxC$q&f*sDpGxP)IrfoIg4Rg4N8N)Km%|tdG=Kf)B$A3xNQ35c^ zk0oP6MsM6IR}&0ZVa-M&hl66Xv`bA4<;eP`?DW8HRe0E|`>1`UHB26tQ8z~SwWN<3 zA|De?Qw<-F`0fL4pnVS)A=($@Mda77c4^P%-a?>tH%SQkn*{(4>&Wqv7~KPjI$<=0 zNFW}~1`gQ)Wa97mb$ECRxd*AU-#y*;DS>OXfvdUt_4}I5M6T8I+1s!>7yJ?@-0~rA z3aVfLOEp7-r|Y&)dWSYk-xefu6cg8!Z^H5v;Eh5l5Hvcm6U|qMgQSbRqlVgNL&*%A zW$bgFDL=MRks?)k7#}&q5i)=y`^X}@-?iXf0>MT*mU!rAj4=@3>#3`TIGqE=PF?FZ zs*+o}d_nb&TTU27f;Z+4v^OJ&0w4JLM_||-AOQYY)&yFRndCG|2=6D-G2id4ild84 z#?8|c6l)7TngW_Px#E`P*ph)dGt(0!0P{g9V0dI}m?9MF`GCteL+-`P_B#}tja`AH zN%Q(&9gO+drX4^5SCBlXZm!s>Z+U}ly*<`7PHFxl5KmG1(m<3mx;6SL0pmofS+72+ zNedwNz7!w`a2hhOU_54Sca1mYo$P4#due93h?$&**?8%~FG2Wxz-X&VcbyNhu$SP? zd+cqlym0U~j7fWb&|D0;_{D(acf-KkSD*NNB+J?Ld=b!ASgjjt+c`NZKYKCF%Sr#| zx1?*^pdBNDGkrAgm%S+h)C_M;Xv?h~;hhQ4SSPtk9^d=Q+bg?hm}UH8x{^LnsFxnm|Vmf2VKYf8czgjHYBc|l_jyL=Bhm9 z1jffVm5~Ml^GM1FG=^x1tF2!`7a`B4aeeA1X2Ti2GL`(Z zpa*IrnwJ36T{Ku`%rUBV8V9@Qxk5oVvBqdjI;I{(Fl@EWOj(pXAe9wC9Z9N;ft) ztqbf9nQz2<3S1D)wP@Nuf@+VIWd$3tnz)lehRbm@^!Ur8#LmPX`e@)tC_3S7oOnen zpHmTu?qZ)5K}t``issSqDx}ks>W`;02R2`S5~Ar3|2AhN0TM~S;n!p7xH1_&hIUGx zjH5&)2@k=)hFL5GxR6@LsGQBu$67!<7#!M~x zY;X?jX5yxosNx)UN!1C%qyPQC;N7ruB>YF%_cdgof-;Sre`0M%|D3!j&ne-gaN&Ce zG)PH8k{>2jINhlF!`RVsU(>Q#;PQ05A>6fyy+U(45}kP4MlPi4<#UaV4Lnz287u4a zJN{$2@@FGf8Fe`X4mIr-y@1la4-uX*6$xn*6|_}B{4Yx%hpT>(t&eefad+mX{U6QT zrzjbJc+1r_nM8=S{fjKS>^}8u@&3@3H7TP--0`(8r%o)Zk*i!qHLSxN{pC#6lB!Bq zv9{Dk)OmH6g~dH+O!nB_>iswOdyA0fT&8?uRJ}0vvWqYB@yAB8MO^b*IW4m}$=!V{ zyeC)F65GJPAqj!~amP_dPmO|(OK}D+#Kmwmr%&jiFVXp$m{I5+Y&m`vu7~&@@U;WyPDOG1?~~Fe5yvy5PQP~66zk7_zAm$*>y=>dBMWi zd`iRMpZGY7bglTG_%CG1>uGkn%cPjFSZQsoXVg5#uSVC}W{(mmOzhc9_4gff%PA~s zB}Y(4JX2OX+58+P=8R-${P6<45g7*lb-7Gk?dt-KbkU7l)UaX_yeoF|#O)A`f0Cv& zhj81?Sl=8aMt)d{yB{N}kJ288X|2&vADTP8xsQ-MUZca)$z0?Sl#6^= zi8KB#{!V|}K=(Y{-pvC#ntZGPtMSa^b$dUZyz(O4d@oGDthxSIwNZ;Y1C~dn0ayPsl4GAB9X7^so{nQIPMj_K)i^#MilHwN|w{&*? zSoMtdEvXJ{>bPIB>iFWA%VowMXM@PXw1qv@l|7OC*KpG9eu3X#p(DDQxS39}U0yB& zLCKe1uEX2b?Z5S$PWje#*u|>ML|upT{K*!9muGLM7^keMc7kGIN0D%y>dl4`gS00^ z63aY3)_RQdWO)u#MB3ZD-fe6tiR`OA%$&Ls|F(@!+itoNSm0=ER=Be}yc0CnnKhC? z;w=Wbz1pT|j!riSf5fPlj8Fxod$bbdFcm~eN3sF7r zaDklEJg2c#Y$XaCY|~f8?lpD<+Wl(m=2XJHR+Gt1DneYqh#?af8*C-_W1e`yV(NG# z+DfJ^-PmBTj=#~RYAX`D-hkCm(A}f(q%H2WGRZXl{*R|$GqULXeSbxH@Ye+~J}#=S z$|1O<6c}7D1=i+ktW`d@{s7tGim3DLLA$VAE*dttq5ep#%YA0eEn2a#VlYo5&9=~g zF?B66d9P3WrxjqY^EC2XjbG~X#5>Yf2erFYhz8ag2Oa*9=>6xfbPw`tZAZh<5u18) zD>;hEF9C0yv(255qylUanvUolGpq4Q;rI;QOCNM62<6SU+>GrPb+g`kFl8e?sEeQr z9)r*voyutUBenphHfAzq`9^`!8U$tp#?y7?7&XqB^wLu=-39?j(O3!!^Mz0aM}H6G zhW;)O)?bQuOXn~j7_tpjI`io~8Mr*m9%lQ{8u|P~rirYIL#&6G4pUnwEaQSr)K!C5 zw6I22uohb^|w#Ein zw!tq51B|`uO3C?EWrM5bm1>D!D(%^_v8rf~6n~z=rbzNPVhw49xeX=ffP0BXvo5ZW>s^dT(Hc|Te+^Hk#cSniTY%X)m;}FHInH|Q79AT9) zN8?JPMDAndPC=LDEPo{A1n*Imd+kf_n%HLv%Q&k~Dt!jlp}rdHUF_0-JV$ervd~fD z$1WxnqLHXUIpfk7tV~<+CkWcT6nr1;owLRqaxUES`!{(~M9q>mj%RNkcK6}~EDx*- ztucG8v$2Myjy5llO(~g>8yt;|n|k!+Ds7gf35{PHAt9#FHcE)=HfO@{Uu@wohS@Q( z182hFlvaVj)Fkx45=MRHP^do-`O?3pc^J{JNcO_1+mE2wN1VtL>k9~EE7~tSVYjeQ z=>GZ`FeLv?BCiOBtBJAl*R#hu-Km;uJ-Y+iN8Bg)-g+c4wHePnS;ayVCjZKsx+?6DOe<{TkDRpaHikCF26N;$H6>kX zP4r-i{<7~_6^%JnOb|x8ruf(N^R{QrC@aQFMk!Skw~|qw-QY@N>RpX!QDts)oAt#~ij_4FUmQEm_&0kJy_Z+Vr z;i&QzoLC+aYxQh4=qX07PDRJc?eRu*w~6TwUxVur^Da4V$x{EDBB6E#p^dVsCbKd7 z&<2}x!S4CsS$*&J)m?bdxk#1KH3~RaD?!j;Lvf|{N0w-JDx(Eex<9c_W;Ss2CT?wj zxY~r1poBzMhZJ-Q0v{nC*0>)1T-lfNmeSrTyaGjoFP}vX~6KGh1N!u3Go)&K!dB+kvD^SJn3q8=f)u!{^E(Nve0V zz?;0pE}|k~g?qNll}(F968(-a$zzTQuCu;PSatdaU$qn(3oo%U77eenDic$`xN~^6 z{4IH`2P*WU@jW5o5T;OYNH5ikgldQwm7iIr}}6n<(h!z4_SB=cBML&(a2j-6tshwS(e^Y<6e&2+%0g8M_S3zak z8t8EKcpmnZ?+K3vWMYZ@hR#irj;B`vj#*M~u^NwFv`f1JFTW4w19Dm1i0RxHs*UbR z+JZWI&EoOm(mw9&h}v?eQ_bKX&Rx1-vScplM%oPJWX$TkDl1vT6@}%~o=v1z9;(3` zwN<+~dYi5?5+f#b_WQvQ&xCYCqui!s)X_py&`I4cZvzM3xUHchof%XdlH~rX!w)~k zp-y&Qfq266j1aVAb8xW`^&C?%v>nl5MRP)88_0#>`M_`~_WY=XWeyz0xTfNliglpE z;ApD>`v^o1U#xNu*rnamtI;u=dZ-!S0UA#coe#Zp`w%TWFRj0I*ej+vA9H=YB;bOj zOO9#AxBU`xZX0HMIQ{*H$n?S^t+aYSD{v1Sws1FW3B?ebr0mjTtlku zPE_xswtu4K^^w%`Hu;|j$9Oe&D!;}rT&ej@Rkt6mI1Fd>O=eu@sT<>@g27fz~Uwg+8}$3=4psPo^X=TwVRlsO?0 z-D$Fh4Oy!L?vlQ+W2#?E`#ghPC)$}yZX(krMyVQUpw%1lN}4{jWHj4;n~`i)Q8Gap%Qo&bs?rPL zQ3pvr7Olam%rypc1@<)@_31^t9|84UT3meD9Ydhdp^Z{b+6`kY?9udN2?}Y8+O$_Q zRvr32O_FLlUif6y*@`DJtC30Ddtjf;E45<>>W^;A8U)>A{Jz)vTvb}+clnVU%*|yc zx_B;4*Y_+(QSH&(eTO?B>F(~ zc0nn}kc)=t){w`R5}I6^M;!zzzKAb`n=pf^H;~OYh(^P|B}Hia6lFy(&|+|`FFvs= z;|m@NJA4)RQcX(}ODBiNkUrspFPwkG?DV;ytj))s`NQ7u*h!U#I$TYiE)J%5;}q7R zI%3`$7Bp&V1DoY7C-wbB{a#GRvGrTl_wuY&m#L+Y(I~7LH;T@$S86c?>Z4pH*Hr3W z2=UpW|JLR?CS&C=0Z%$U;Gh!mgp@{O7Rt7Zed{{07ZrTNU>T_TGD7gtWV~1WyVvU`!@%ZK)$%9AN01i%rScr*#QHW0l#3N!j{~BC*>d`b)?PPn zQp>i+o3>q&HfqEFRS~P-Ril4feZH_6 zR94$AW5TIk+YvDoj-REMcL*=`Qnd81rc)n!9R}hBiKA zMp{F@P@$M2QdH6wk2tn$D8O%`rPoVF9YS*Rp~Dh&Fbs30i0m>xw(hY+{rUdEbb!=F zzx%x4P$u3F>t@{bD#D}OF9H*yL}-V~N88!Fe<0tG3mUmd=o*}|?*n9{W%!~`6z7Jy z!=yPsQTD>-cpHsPbRX{0kJP4RLRy|{>2#fowl9%+-v)ZUfAO~#HW{%Ti{8u#I?!Bt_BCPX}h3la; z&7LEm)LFRtv*kh$S@*`N+aRUhpe>1?t)-!4$3U^9j3oSdEIWreCeG@l+6`pVp3`P? zs_60^!NZ2``Uq~=d;G_FmyzMyUUuzit9@U^te$u;w5tB2W++BqAJ&sbCi#2vxJw_z zliycHJxjRd&DR_~8R7gOVwZrrE6pXm)6?4rlyCit?o2MKA58(p1H~6&9BID2O{XC~ z;Wqnf(uvlC0mjBJTLOGRn!3_JK5`z$qDLdO1lBmC?pGvAAM^`RL0$WmI?zS8Ue40-rcb^;s6;`pJ6{IDC_VUWCg9r$wmXvpAjsVn? zLd!e3K{99*NEd;uMrq?1oyjK-K>Nb?!t+-X-1B%xmdGBNCKaduPz$aEPNfbx4g@oD zz=c^dumEm=Ud1bJ!Ri+4hTaVPHT^qmTLupf#`7h_xv=7i*QkbhBw@jRnIYeVgxI*2 z^dV7p`ACfO8{ZMF$Dt(5$8?g+5tQO(?N%C*hc4!T=%0;-zKWc-k0bX9Zq%fOau&GM zmiBx#u~25`8PS_hPq*kT;wDE>HR(xr=JY|HiH$|<0!_Mcr7@YetN^rJ@qU)5qp|)% z^-5!2l^QuLS$m9F>1d>(?hPxA^Kk%%?lLx_Ic5MtfbU;y3Rl3U{&dV-16+ivi6N%} zK$B)V6t;yqm9F;wUkh>JY$mw=)36%??l)rx+5=!s5o^mK(l4(*6Mk`EslJlvV(49( zZBy2}DDYOuqG2O`{^MsCwkdOTRjh;TBHU??)1mN%j>!%amz+OTYaN6EU(GDKfKE%M zCjw;-9)#LN)NoL`hA5P0 zMFwO^D@Q!NjD16u3JN)D;V!C}!+ekZc<45CZeJ3qd2Ou1HTHCY_9p4HUicZZs^(=v~EjBBje&M8GFob9a9S=-7%Au?M32}akC&KQIn@&%=EW^dr zTU3=#7&o6IKOLG=Aynw7o$#l4NxRV14)91g+7FrDV*#85RdcBQ60nPA+@?6Cq;e0Q zW=1iI+eNBZ`lO4SIVSI^@^<%pdN-W@_L1r(q6<4?lBh-tu^9BVyV$->W% z!U&y#-}c=0DlRzeJ=!g-#fm@O0iE+pA|*z)XnV0?o7xw$H`dbM2G`TN7pJ)2<-HcU z3}!b}R)4A$bI_rn+U;-1?i?>;$~I%@D)|AERe|Ld-OZetZ;uw zds+1wA2dL~R!yB$P31yHIc9~qt

        E(k|GJ!FLAN3on3Dv`^@RkwEvPG~efheLFy^ ze}K6jBgM5*EbJ5>xHpKGd*N~Nfu=9*GytYFuYaLRc3f(JT6@}4t;O;$dVI0~&^?s3`ccT{;1t=j$;+HYLFJXn zF5{-!XQh{YY=6zDKOyYCOlwJq26cBpkxlPakz?xJ6zn zJQXZa0_>rpgLR%M8h7j}&Q|YVce!Ao@0Decm6QZ$4)n<#&_@Q(WCCg>kNy zT1JOp2z?HXt>eatMvaWFpGjv^&i3A-WK8HuJ^I|9w%M9=dcV*Zrt3cu$N}i7h>hZ* zqLoJXsv>7a@sjNsgO)Cz1^VMf;Lq%fYa**Qa1KjidH54l+Y5>sw{bJn9dLlyvK{U? zo&+O5ePsE0^4&h+h(QJ{OiU;fnT~dnrNsGxm*&^_iu)9&w}4pZD8&0EXojV+uU#*B zwni2P_QVZ6{X;ItW^M_nH9abBPw%^3?DVD~v3sVIHi9cSqr?XWn&5zEAYNin{gQ3q zfu+I>DlwtG!&9iks%#Yba7P=P0so@8f(lIqtrcs=n$*0{el10h&VSTz|2OGPnhWI)DK!#I0k^+Q$};d7L8BoFrHkJ$(Kp^+ zv3W(t$HwNSj=OExRd1s0s+uFkrI8dvGrfsiHn=>Y;OWsNr*fDlHzqWIDVJ0dLdhUk z-H%ISX34BIPb_*0@gFdD9$doe!mKek0_}t}w=g0G9|z@(p5wwrqjfJi^`P{gp)x6+ ze~a_t+#+sAzNl1l9lIYvU2uZ17@xgD43B4NIQ$)^PUdZ0Ih^~k1wy&uIq|hA=uf>| zw`^80OLm8J{J>rS{KYI-J5b0TwSton-3GAp8&~{*n;&Ca^;f0lt;^_G_i%c8`O&Z` z@>K((H`N(U<7&42DZ7T){<%j4*6I|e?eILW2h0J!1uR^ZCorf%yE72Ef7NK~qww-4 zs{)JOlwl7Qv~?U;=+5DtP zb~`hoK6Etc%l$!%!~T5N1@JpUcuK4MZ!fr5aTAOS`>Z0G+sGz5h-K+aPMBDdZ-)o) zkOE2ZHoum(8c?fbTt%0@xH$91d0ei8G3RK>+}3toD%eIaHWY&mO#I7*tE0W@n}pS% zNC8ii2l-AE#>gbrX82_y(KgRF5N~HnmOuY>!|{3A+P!dvh6|#f8Oc+67S*&{dpAJS z9X6rwqqNm`KpjIHNE}v#(M;cJ>b@IygUu*ir@nRHFBPWa^6*3L46?zGn2+z1(`Cds zw%C*UcSzY&+yoaCJ@p9#1s=9MA^B|OZ+*2sUDTEZam`DGbT#PALg>LTGey4@4&%(k zPeokf{}NE(4)3Y=VCoNSfcr-dG~S!xO481mZNGZp*2EB}GaduknlKuFp%URT{d!xqf|J{T>ho>6%B_Lo65TIn%f0 z)t0*O+1(!!f;lPdg$>&VdKKmg>=yF`HdjTJEBMe9dQaiSgoll-(iu#+Gvt-ffSuto zH=}w9CCaCVKBgK~=&`d+o-q6}eM_0vXf?^kup>2ayXHEsS}|uKIRd*W?6*lvWW9kt znM`djDmb?`LO(C8XLoID0^3o#`}j98DGy7Y1hDST46i?uaJ{r+6IIi4(9gd0vu2O6 zk#}OLU8hS9t%=GPke}`~ju^O|T5HCtabhtf@`4MhKvzx?;b7KI1=4Q6IXWu_8F^?YF8+BD4YCI1yPw=PbM@Ig?lThu0-*O?1-{hdy zT#ux!JGA0r6N|NVaQ-#m&~jacR>1)(%2NqW4h)(i511bqZ#fqX8Iaol(EUcijpBhPNZ8EDgz9E; zVzJYt^(TgpxyJlmYDT4xbA-2B%+l@C3M ze@0`vFJc9fLblD*qOhbaT6ZCL+z-#z6laHt>0{Zs6<}w$t5!~3)A+NWb-%7L{zjz=x$q)p^1WuihziK7($7N zhyoEOK!G^4paMn)nMpu_0Ad0!LYRXD2y=iyLQ+Z9Jr(r(zIE6AbAR2n?rO_vt(=g` zsZ)FJXV`U68v-bvKv7Tacb;Q=-aZP@Y9G!c{dphe_GnWr@W9)k7R2coy+YoBF2&Nq zVvCKsw&o`-P*?`cIRL(ozY;G=SfbBCkW+`wju%Y8?8p;*X!}G0=vl?!{>nA&xN67# z7rFVepuWS1By`3&f~`NVjxcO$qisi_H!=0u4<_TG+GSIh3y|IVBn@fPb8ttbJB&YH za`rZIj!PQ!Fe;W^o_QggkKU@9nozA8bJQr2mVMy&7}voEnullQ#vhxhobI|#SN>s7 zSLlA|X}r(ggopgAckE-r(mu9XB+Adjk7EzR?G+r`u`2>_PbpK!xnFDY3DRIQsKhNO zXbl&`g))*ekTozF?svIe_Dkg1vv7IEwfV~vGRo%SPh-tONKv_Cv^|&(;`VbAu+`i% z1y>1jUqJOOS5gZNl!#}5ubErvaN2r3bJTP)YgF*{2zWL)c3ILWZLtwG&Rg*;gmfeH zIWOO)6!B>{Lbm}|c$HyN%U$ML&RL>$3D_(^Mj0pAT@yKP7ID^vNwP_npT~LI`n|HE zMs_(4>iV$$E*GBDwAtU2kEDZta7}P@e+~CgxD4Sp9i4Nz#;b33_$?N z2)2?5xClyTKdyxsm18kfaR*odl5t!nnHKUJTk;bC5Q{)}JJOG!c|;u_&mmq<%EzL~ zkL|8N64t#UKpX^yBJycYemdlew?4nCuFSs+*iv%5edewBZ>B$>%kDrAG7cY7>$5kH znIArH*|@ilLuj~=)iSmxVdQPMX{}uLdrt_-ptjH6-&P8|C9V3~?}!WTTzs<^Zv2E6 z&6cK<0Mhu|M#`GVZ+LE#FEBo@lVs~fwfLMF?Vp3@k3)0PdW&S zl2C3a_!p-ltCwO>4ZGlWPh|P9-E^pUnJlusQVi%)YmfudmlrA`Yf{f|AZScR{08PP zPYYmS1>E?Sa_^O1SXJ^Roy&La_Yq?PU zau_8HvDl&WNwDWc^SLPGewud{d5|^aE%yl@f^+|EC(FGZ?tS9;6CrPH_n3<1vhbTG z(&egpYQ6V6{D}kIzcmyqozW>{BH`(0sdV;$?9DR0yFCTY+@-~xq57R?DM&e0^d$>q zg7F0z2rWA;_U+!1$nl`yN?B<=fwb;CTz`cwsn9&}FAg4$yeoER8X_xwmwNpn~=J;+j7 zSaAxUa$vNykX?v6%DDN+IJ*e#L@V>f5NJe4Maiets`7hp5rA8cyJr`7BRZa23>HX5 z5waPiL-WJh_OV%mTwdz3op(tur1pD6N5Pnf&~)^I@B!1&l*4gP_k0G)m?J1}#gpQz z7?Tf1X-hN%pMsiY;mH0<`qTMh<+eWoKI4MYOlsOz@(7wkaD3=GHnq!X5|0bU+2L%}rP+Rdd-a(LDu!HG?%8LX9GWrV4 z%as86pupR922K)7@$AOAW-iwe{__NDq-gC>(m)Rh(WJg&%Nm!Q_GrZ6?mB;bvDy2M zb-K=9)VUuK*6m5cfkmq)RBlE)Ee-Y8pM21qTg;3#NKL=CN5@Ssz;b)I@uiXHW7geW zoJ6y>Xzi#Bvfp+lRP=GhtL&M^n({c)3_Uky;iM`R0R-e20G({%IbMn=OhlTvJ?+wg zj?RIN5)t$!8V$`8tdJo{%tS>%C6-b^1+@)?lAz8y=)BuGhI1ce?&Zl=cr)@JF`Rl0J!E?9~BXSyOs&hU}OZd*cW*8oIr3GCuIS0^>^SE*uloP zQo+H+q^L`P$3B7456W|qNnAZY8<#J}Q!>wAZS8y>M7e+j>?$u2P)djmfPfXg@so(_ zY)q-yVJ{Sd&P(Kx17(oQnLupxFgFp6fVu%90=2`T2q98636RZv(r5K=h}j52)jLF<-0!fQgv zpOuT(g*4KSeJaGrXCQ<2ncW*OJPf?O55eGSrFxIu;Xk93FB^gX$ZJOz2p(EsP$}*F zpkWjjtNQ07Pj0Rv++tY$Vmidaeh!F9K=#a^+~h8)>odbD_K3AQ2d60gf`o>+63m{L zHqEKnP*^Zy3%2i|rnpxX0CIUr?h7H4s-$lDIQg(s1=HE5G&c=^3ZVc7VwUb zgp&y{XpID$p(8}ZrvDdhtgIaZh3Y$g2ZDenEM+k$)+fT(68}^H!aPlX4s~270ur{) z8Nm;@++(QJ8nhJ*cHkv)T*$Hf=_;;* zu>ZPK+SHvsL=w9|kScB$yD}Q+>__C@w!jM+s3)pzbt6?A@Q+I`rQwp5J%w4V^ISCL%|>5}g)0Twy} z$v;a!b`A&BL9(my$&PV1;@H+@Y_{iL-o?HHdX_QdQ?23%%?ep>%+belMFp^4NR z5_Y5pb%sW`&punG6zSgHlfHJ*QA=H?L7Qj5Tow)orP?MmoPNeW-OtHs81Bw8HGR|A zRxw)=GvLiWq{c;bGtrmip)VF3%sK`bzzKGsl+r2Y6oE)>e~$(vAz)AQ>GYvnfX4*g zCy$?mxW3dul-q$`K_w87-JHiaA$k_n;xk**;V8sZNC+8{bzTRaF9mVRWD!~cinE01 zEYpFNTh9z>1*u~v6#--kVVyWrk*r`#)+&dRCpyIV62<2$a#$$WOe~W>2LWj#TK>Pi z`Kv6Vq1wO*K#^xs-h?#DqlHUNNG+=htY?hpQiiy`VX0vttLDvw;b*~Da1f&J!U|0J zE+MAE8QAD@^NOWQXKw7bS6yswlCU?crR8puO8b-n^OE!dE$Fowx8~C6c}vTn?G(|2 z4_nccUn82B;dg+AdjR$*0=!>X23hm2=mGpIY)up~Cgm{@xI2K=0GOt~-A(Kae~GR zhQ_$n9!(vU;Y(4$BmLJ~VuM8^#l!u@cX*@C+jkBo3T>L5GJPDq8pG~~A{N}|qShL9 zA?RKWqL9}T?Xx*V4%|T`}dl?~qa}(o)LX=yER`=|bQQ9T@Wh+pdH#`SQH6&;4 z1XXJGU!BnSt>?D6{ue3QL6!BkGZPGW%z0|D)qXW0Ltfbp0?0K_STLub0@v7@{{X^{ zI31l%>Nozmyw^Pqvci0~WILJ+w%nH-l!f9vrtU2ibvy^3$?x3i%o}VYUo+HoWrcr$ zjCVvHJg$1Bc7=HV95dkn08&Y$Nb(LkbSks8Q`K=mPs-o9_o8w&xN-c-nb_FR zzkU9)=`6Q2NKb(LYw_anQ|6)-ODhvT?uz$zt9!B!@8zMBdUL+RVh1F~We}t%!=djX_02#t!Utsp-tBfp$VBx z4`P}febd)shEBNndJ^{L;wb_CWXSsMF!p~NQ*9#{X%~ZNEtaR4UziXZeb!7hUMo#E zi(lUhaisTxr{mZxNNBblZvg?n;tf8tw=4&>nGM2htl4c@4Ucn4h9SW?*aQC=W0Jr_fwt_YJ%sl3!6Ppmn4Kgf2X z)ARcxs2HRfp*;)EoXA)I8HUT$QNkFiFz;dZ_WRJwXi#Es39i5*vfyR<_BW=s1NCT! z0qILV1HAfwItZT7JwnclX1Z8xG#Y*inTtCigJ#8q>@PW7?wJq47YV@wnh<8VcqU%E zsJJ;uqsgx7d*#~1jzyMlkF8lW5U@^5XR@RzWsSPzfWNle*#=YQ7FcM}%-bE&$=8{0 zEhD@E&aUg$c?GNF7Bo?-nZ{bSb~u0juqe!SIBVQns{uUc9i95x8xb%q-ZV=2N(V1A zM?i>-sHijloBhi~k>9@Z8w)Il!g7q>7|7v5S6hA>sBuELQ}8{9F#_cLyw?M`0Z>f_ zVKF=$rIPK0RE_+BMqgc1bEsPGNS~4iKFag|G2<%J=J860OvWn0eO^*?-9@_w3%-pg zv1&QnY|sU+GdJEMLg9lB@S8-^T+!rSw#iVHx;UF{0lbtFZlOWM#CKu}=8&kq1yU9! zq~sv&zBfi`HUVzl*i~>RxH^xl!Rp3fz%2BLW9W=o`H1;pF=&7bAVXd3l|osQxJbUa zS zGfBP0O6QbCQ9F);xZndQ73ZiWKI_H%_!M#g#?kKuF0KwqnE=!CqFt*Z9BZTVK8T`hlJg;5wE^&T$4?!%w>@fzW`o;pV##>zbF^>U7?dG!?6S7aX zLo$1Reg}ILV$Mz%^%E{O4vLiptsM2jC*n?i$ulFv%7eFUwUl;VeZ2UfzopcFl^G?k zH{Ufwjm*^%HpcUp=O59M__R~mg@?jYG}qW>h4^KXcLI{1_a>6x-&>NY?!6T6Ru}Bp zGY-;Ck-$KlHqm`hLClA;4FO{)$TnDDMJQL&uXMQqmk^L}Xchh!oEy8F0fTCU>{{`q zEZ092o_-HR=EoA3FlpoG|p-aICT26*%7F33u#s%KUsb zWA@r?q}gH=J( z4tPpZcfnVlV3HJh@-M>n-$c0V8eNZZ*t0kWkjz*wSX^%Hciu~;-{&ew6OwLQ2d-^R zD}GPh65N=YTV3%whLl(NLPi?UmYtdjPfj>teSMO5iDRnquL0-h>BNXs)t&-bUDuw&NjHa)~v2_aWyt^-B;gz?h z5h8je-cs2(4Pm#NLJ&`uPku-iZx-&QUSDLqRhq9-?7H9cPK-5Nkg)M~Ty?T#(7h%f zHND!3%p(bbf_Gm$x|;S<+HxtKM(tq6@ZFOe((mJFw$Trik!XUPin_(>|1%{uAZPUV!OvfVMGzJUE3D#(9H! z)EIe2>@&nNO>NvLE~MINs0*{=gxf*exc%!f)4w!o$HUz30Xu35{AUY!)%ztWL%L*7 z$ae0xh^>RmHoLhB!n+h{PCKT_FI|&>nR?yWtr?xdzGIAlp zS7$=Fwa;SGCP#2UkJ&U>^2L7EKoAc)QVui2zF6_|$DJQH;>qh4mlq8CYVD<9ExK9uF>>jNWjRP8}B%r%R}pmw1B9E47CO!GIjq#cu_r!#7m`1hk0B zDJ~1YE|>G4G}IC}cP3?@O7a9a()ph@JTkHlFkQ?hNj*My_%gmJDOhkHmAzYEXE*R` ztVicJYeMzntuH~KhzWZSo;9w-hUXex;Xmh{hx2KCb@(`LVK!di$y$KF%OF1J}!$;^6MMFn7Yrg?-uxO;v@w72Mn-s@3Xs z+PfKw9ywi-R~z85^tAe;O+FL?CE!EnHEXQ?+dFHj5 zWFp%_tuG>bL^cvFy!%2nUnpF{sXV-M~c*PB6h>W$&AT%hMwk@0%I<=)!C>2|f#q zV0c;7K}PNt*fE-k>+2c+r+w|zC#ZUP2ZX?vwcW>T*v zhD&E!6<@ZW&5kFO3w~a@yYGOCwt3p*=Hd5IYT3fx%J2++@|NwMo$o5N=Xbm*pD1wX zqlypLBJYlN71TBQmQ~#G?lxx^B*~|!$To5{@@}<_@yVfRhFu&@+Tw{Mp@*O*7nZEn z#QkJ>-zPA>sl$3|ZKuo_eGJBb#KzM`NDX7&yax zS*8=f8^WE988H;m-VKKtm>SDgc!jr8MKcUpfHaDJamXy8V;yfdL=POCSdiY_ghIt7@`Sl9dpYlgIjws0WYM zxrB7ut@b)U%gU7QBi5+K^U2o>r6N6KI z9|SwikG8uw(DPc<^EABgF-FZfzl^0$wdT?i!cS%DoiwQ30JR3bInrkFCCi(rCuwl9 zs@olR2zkx($jT1-=LG+m!GG4^KR3z$+c0BM$ejyNxn4<(T=X~vU8cn89_}uCH5ibs zv>ju)je(}xvDvOyz z3LL?~hGED8JA5nN^}0YhCgL`?=hCsty^iXv!~mpK>g)A8ir;m7#eKB$u6zFvONSz( zP^v_NZe-cmtxQMpv-1ha5**nrtnN|r2njI8u9y1k$HHgQ%-}B+=K&~bVx}u1kP14P z!lxeevm=*X&Ng{BPdfewVsX*TBxLRZCQ(v>WN8u{uLV4*D2w2rZgBKZXd-v<=JG!6 zO|KaVmfrE1eam8x0Bod;6*V2J(@-;QSzDyDw$Z?sO@q`Pmqr_3M~tYQjhzvUU0%1f z_JM*Mz*;0X`j%gy-iIiu?()FnRlTm>=jND^^`+FK*$b1!1~xWL(%<7;XqD3K4CvzY z7U|Zdrz8FFd&8Ny+!bbMX6f7pJsDU@X@8INjm>i<ICU{Ik_EKD~$wQ3B1$t3n|K{{R zp;Z>I35u~2`IvLR+xLsH67xr;+ZR<=p!uJsMuJTCsXEiItQmXp)+OEK(or2jVpN8s zDAcifd3Lp_Oh^bBxoxL+*7ni0%7;>b_#NAR(^RaG!>>9IYfY{%ueIIY@TuZOL(A=PTBPc|Nw^_Z+&BhOY?%k%?l$R{?R z;IyMj{Q~_hQnRJDE0xUJj2@jC)tKM5c=cT&WOr3?k-!{g6YqA3p;rS@FN=^{9i*WQ z=l2rsgrW=S6hSukd_+~M>*Pg1yTncOAazC{qh3t^iY63~Cm;f(z=a*QjUG7LmYN^% zDK=FOTolftJJ*R90xGs};r}u!elsizMg!Q|ZMS-zxlaTsODtfFhVNVR2lkAO`6&J& z`Fj|%y<(=n@F7Wy_Te?y)ijv;pfPpTZhCk-cvr~(h^HQdC=%L(52Cd%+#(M8Cy2WM z*`kd6py_?XdeVp{Bh4QIw#~9hN{P#O5?H5$TtmuR<0mtMgeB;$SQC4F@jVyBMwTIS zNB$BsyElmxT8JRgp#*?n(x5vlZW2sEdsv|>~-4nX7}-H{|mjAVxs^6 literal 0 HcmV?d00001 diff --git a/latest/ug/images/contribute-web-dev.png b/latest/ug/images/contribute-web-dev.png new file mode 100644 index 0000000000000000000000000000000000000000..04f3de1e2d2d8d121548587ca670e713862f3ac5 GIT binary patch literal 1018125 zcmeFYXIvB8_dbfE;87_a6jX$OsE7g)Q949LMFl}cDJp~_B2prR7D@&WM^R7%f&wB$ zrKyxi7b!uh(n7C7q)QC}l8`oYCwR{H_x=3utNZfa`(qJin3+9$X79b$de*a69$zvy z5!<|bvyhOG*!gp(uLueKF)Ab^a&MCed_-0$Q$a{*tEro@@ul;|#tN5wFt^=2T!e(q zJ$_*=Y9rMzU1@nmal@w5CocTDC>itTi3^+5!dCV^x^Qm&-+wxvx|Ek1wK>=B^rv@O z3XyV>d5+f7wF}p!w;Vb=>-06ZTz37hd{PK4gqqBrBD;dYt%>^Bsr4r?Q>N*yJB#&#~8+#!2niA^t|}HRMI}I)%B@yC?2CGzXC~_HX~b zQApvkWab|ef8Bf}u|7=ukFxFESDe*2sZ`#FhR+S3EGi{E=Rp<9^H&tMU_bF=!m_# z@4`-8ThOuH_n2^v{yF6s1$EXB>80HAc!pKaKcoBg!tmBn9UOkHs)CKX=ksxezSqtE z>gz-1$6fG z$z(kt?~M@ekC;sjqO@h&?2h{(4S?LYL%MW@Og+7@70@XCf>z*WZ}m;Wx{KG_GxzO! zqOi{3{*zV2HoBu!)gB)QOC}VI597DqQ;-^_927Zwt6kLK@%f)W-C!sjHVg9u9wS%pB2s z|1O(BU|g#f_O zl(*?TbI{e-EnENQCUBKlqTL=kyZM_3yR`+96QYe(R8*K$V&B%U>zfis{SiUNYI%Gv ze827<`00dVlePEfr4wOjalH`k%6*NSLmm!BtyN-y>rj%LPMzHMNcgN3a z;`c-%e$qb+5&xpp#s8cL++iO63SM*X?P)t!M-iDA0KDY0=(f5?`i;?^2=W%I! zJM=o#JG?utT@jrYwtebx%Kw09OzihReH2UM%40*GguLKA;U&I1pO+SRWv|MqM&HJx zjanC!CXS|uFC~6FQ8IriSR3)gk@t{P)2L!R;U)vH&DuOhA&zOwPmy`DH=U$lHz zqTA@Bd)D9wY`10Cjv3SLfcL~pXns-2Tt)s3qXD1CK0)xX*lXKZE{ee-=U z`1;Ql&iKyWo&ECbz%TR8oHoOcgRM0QR%Y^=5v5N`iMUv{TSEJh)+6noYOC)?*vT>N zF`rY2Dd$Kw7{ahvg#|~Ie}eD9-@##USYr2t^~3Lke-M!sYu)K9*1K!r_{}5bfveyM zdDpv#{tq=CYHlsrUA&XIbC>K!+4E0(b|oL3IeL3HcbDrfl9ti!A8y}{&^5LtWozkr zEs2`O*E&voYP89;9m;r^p_s9`Q!OJWgV>VYGTO4ag_$s{m|M>aK!P>!jd=YN(w!gQ@EA3M{Wb(u3Qov80as4hG1K(SE z5A~(>dh{#zxM>{4jYq~zoyB8){2ILnCVd0qnD5&zKS%I;&;Tl#Ggp0N`y$>l8)PU zRjNyFZnuHb>gi32`&4h8X;4eqW>J+j=@;=OqII*OT!y@~td%_T;1Bhi(!)B^awF-3whYcbt5$`kqD*d-)JeH^;Yp~>6rx0R z!K?gY`QA$1`zg`SFC{M;X()KRIB`G6jNN`(7I!OppZVQ$2lgxP!&ofrLg?UIR-bL} zje8fDB$cgfmUPeY-PfAek4==@mFdcI=k})^$XGDreANMez?&FhIGiq~3v$}@$O?CW>9nXtYW<&jNF`vy1zpi<0 zSUUcr>qqsUp683lS8k1c?>ta)em?z72U8`*vd3)t<%93VP21QTaK#tocnipMLli2s9U3*^kH_R3G zw_uy6R1-Qiv;)1m4Q9&caAaw{9l5F@`Y3Pw*!t9sSQ!IQWi|8F-luzQ+jAb+Z_!r! zCi7UPNL{`naA*`$`)xF8zxn?3{pgpQUf$&4x+pFvmik5Xz?Wvv{LtT zw)RbOAfGGtP0U)G|cI-!Kwn)z9F5iU<{eCV1RSOTVM+~S1Cj?(${#6lK0nC{W z1z>?ba8h_qxJXn@A{SMobMRu=zO)-{fW;_GjFc0-noW;)A zk|HCHzJ<;vkNbbftu2~pBju9i@A|ptl+EEwM%Z*5`8U4RLBe2l{8rXXCw2 z|F~1O3s`36#NC)Lc~C;6elJ~~DdAC#sL8>Ed!*IMNq&duLy1E`2|v`L>;|_zVx7bd z`C6kdT${z!S}ArcQf^C1N6JehO`H|~2ODSUdTHtfst#(WpW=*St=oy$fn30CdFdw_ z4;1+lW)}kY2X}LWzRU8p^@qQddoDbl!7Zw@hNf7xh!xb;&|823ONHK9K(Qo8SH^`F z@dsAb<_0T9! zjGwRJ-o1j3{`2$uIb8zX{--A|>_4vszaUa@2C1Qb1o@wP!%YnYNA)hb1-f|Ho_6zu z#|-YnNJHzGj=@@k|J$km>GHpt+Wb$`qsKLm{CCs;I`w}xy@qx1F~)epo%$O6&xHNc z_`gs7)6f7Zc=!Jri{Asib`&0Iqs<1$|IC`vW-Zy5g5|i!?X<;JcndEx!H=*G{O92B zExa#UdAs~$1iZ*j2%SHD@@n9^xr!T4ylz-gODNOW9~ZSf-zce8={&lT8n*5`&g~Dy zqDT9i-YE1xbD>8|K91iPxy>ptPgQ+yRq6vd#i>6I9~@O2`MUYw>2*cXPA2%r(US3L zC%yD0ouuxUt~}_>EVJmL-QZfgcMVXj8Q10qirk5O*^ZAmS?m*C$h}#k{^s$3c@x4r z$xZkF_xFEC;D1Np|M3U}%5N&?*r-hFzjS>mC*eo3vAMFUFgq_y@z6h_hO!U7X`x@f zgzS$p@S7$-5nVmuAO(sZ6h~z|b+bHn3&649;>-U#))OjU%gppPxh=+yQKd<@0WJS{~=>^(d6O zvyxLSVolJT#!(Byv5CN})#an|@2>J}VVS=Bd5`n7rJEX9{^aSS9e@#UwKL$_?)8e2 z>lGKZj2#f~ceZW&5xn@eH7Emx+I{I^Z*>@MMv;42!q!S;qW`wO-!%2!4w)m{^}UrQ zwwcb36cPPizHmg~JR?v%?VGh5U)PwMoyXO51O?8!CcC)wnb;4GNI+uN-s_a}q%5z< z=M~D^b8TI1cQIpn{a34j>T5Tv&d=4v#hIw)MD*f&Y^@%Kju**+i-Ko8u@o$bgMy5KlQe&gK!bJgkn=Y?LHr1x`8sM zwGfBo-970RT-x0~u#{xBoBsG9U{yW<48o!fydm~wE@-E5UifXyK`oOHi#r+XEf+@0 z;RfFDEI?(bAV;*f#;64fYnU{yan4Z#F_5jA9vv1QWn2-b&)+5H=E}PSYH12ZMLX%-0q2OZe8ZZ3hN`0pJIAF?F&? zqKRWOt72L_0W6a{)jvrzrEyZ+EZIcQmdEWkt);Rar{gp-esBioJe>}n?WY!t)TS|d zIY~x!l;d1}(w{>p7mHHz!bA3-Yc z)~BJ`3DKNi`sY|YHnBBlov z!3ADB+kH7XSB&@Ybmg-36sZ-ROx6SZz!_fA!joijal*i|NJHSHBw|do<9yBbTIz4X zm$jqJ&~KrGpz1$zvm%YYV}D4RQCzvpa*ge{@(utt_>|S)0Vg)>=HfT3)0ST!^yuig z$n8YEr7lWb(Cqkr##_1P5#^pem(5WP*?rM}iEYsO6Q`k>-cnwkW>jdr6kXDy*Ek|^ zRCd@w`2N$=_RVH)nn>gaiTP-QanFKhKC9u)54HPFI4H%)Xj%?5H<`{D>+h4m4Q8kA z0Tl{H#Iz*)&W+bL$7wAuJ?FHEe>Wc1nmrhSYVZgQ|KG0u|2TlWOLW)rcGJIw>ULIC zY-?MG3m#s2%_vti!bDd`jd7ZnE)mA|TFAK!#AKOugz{C9Ei&cf`vdnaS>pe(Au_*B zR1?>kOOv(~;Gvd4EJmUxq3+{&`lv;W&3xu+@C}n>lpf#<{({vj6;>-sD=`_R545g+ zUS|1c3=m70F6O(E$yQs7rFwVYuszV4!0d)EG?^l_BL1i4m`}*c(OPQVqjVTBA%)iO z8P-`mmEkcOt%8%N%~(lIuE%E-o{W3(R-TL4`4Z7%SxgQ!^DIERajFsApY2{|1t=@C zS&87bh+nSnJI$*af|hy)>$|kL&nJN;RG%op-}x2fSUV1U5)FNXf2cRV;YqeKrsDTK zU>_A8x_C!BgN?8<14aMea}xtqsNmUqB0OXix%|QKDG1 z|E#_4e|LKUg$SGsuQ<8(?x4_ zKgQ-Z&`&LlaJw;Sk-oB=SgcIey4~+P)AYO3vv8+HhF9RHoIhEdla8;9-gHL@IsOyf zadNqpr&*h3q!aQ8)veM#seeGC<-sgb_d!H?`C<&Uw^N4QaEkav4S8)^^zZr&>P{Er zH$!5vbC`mN9_nqG>{uQp@@ruf55u+KV(1Zc=?@lkMA=!oD;>Hk%Dd&c9UujUZR}z@ z7d&o7BpEjANa?G9>R_EnhTXsVCz^Mf3X~MY2Y$jx1L5B;)KYI`+wv*~PEQe94hYor z9^5SHMF%@;%>xoUk-o5F3|(Lk24bIn;p~Egm99;n6fNF)2$>k-&KY&|iXV4RE-&u9 zg;-|h+1qoCqyx^~Nn&t~8vnvA9f}R&CX^5uOXh})rz{Ulgd$w#aW8b?V-$NUj&|Al z!v}cScUq0~rNyj#v`uT9vs*Jg>O`Kg^kKz@h0%)3(Ne#^H>@!?W{S$bP0;T;abT)WrBsy1Daz+Xw{On5)rs$?EkCmpIJ9{|p{5zH@gJM>rv~UlaQ4D)1)IY zGY5vi&iv00KmFnHcYbj`+OqKES|4}fEp*c~B`jd$l=)y9{&ydw_fQy&_Sxb)%sw#^tqCmIzgY zH&TM(U~WSrgljG^8_^Om4)h$4f$Tir@m+7o&XXAp(CsjE%#&|5gg3dtp7h>H z<4AHO`NW%5Y%Tm*7ON%J5^J{BB&HeEQU^H)VRctuL$b5wRLBp!snzyC5AX`UGezl! z)!PsJCIbIkIigM>a&}oIxj!vu^w_?{0HC)-DnEmc3RUonv4)9-iD26mP3kXQrLb*h zDTsB+_i4hJZ^je@)8zfWVuAbY4 z+;9NI*-Uxq$+0zXE6L>zXQch=7cBsIiRO^un6HHI+P@D$i=8JQmah9VqZVuc((-H~3Zgp8zRNx~MHsP+gWL zh)wdLNz>WN67z$%&G?clq|~{o3dOLKr&&=#2?c$V?^2ZB$otS^1M!8ewCv=B6CO}qKUWv7j+L(#thx_bMxjcu8y`8y)I!OC9^|Rj z#&%}BSbYeGz5=lrJ22+8HrLonlru8gzl%lPA#qOy9CjjALM%RcH5gXtwXpKW4~HLa z*Z-OAtu+=uHO4%b3btC%S?j-@`k7B4s~C?SG7GP`H6uw}V;A>yVHB|Djj$a>UD@`BpG zVKj_Ho_rv8nMebezA(6r&JF;>RqZ=BPnK18I`wh>b8#ffp0^qvfb-&sA#Nd{EGoowJ?yA>#rSmW9{?x1#LhxPb0kE)Kpy^j@uuFO$+07U1 zV-kLAcen9&Kn9R9^@Bqp$7~1H#}NtO+vVPw!@t)!P8Z+i>bthsv39Zx#O%kd)MWBg zqI?HS)Wf$9(j@V(*RSGsLO-DQ%RB|z6+eYB6Q>O9BnIG|WGWkGKvi9YGUF3JY35GP zYpyDZ#FR$AXE_!qQ2tVsxa|M+;*_JT%6#Ehca)YK$Po9FR0(>UwW8!oLMN(^heuCD z45Ln~ZV^e`xIrjiRdxyBxWuc#++leFwZOUk%&_B9=sMO}S3McCrPOeMT%itye z9PJ;~KvDG^h9Q+hcBKK!C^mwh>jsB}skHsa?T^+PecB;EbK5|hJ(2p1m$xdghwU_& zHH2ehVvER1Sq7*3AHZ%xhbKE;a=C+bfqx5Dn*cb(MZ-o8(qTmj=GrhI$sZhUwOCa*!ObefZ+0x&}&(D7EO>R}N~w4&VNQ0&;!~!X|J> z)IX+h%^dQ=#_g~3hTv$w_sgN%&4$alFA}AJT-Re`9{k7;41t@>P7+Xrb0<3D1Rc#Yz=QOO#J9*-29Ly7e~RCsdnB*h1O=HA^!kyZS;<;&&F z1f=9o^bN;3)y-n<+Ybz=aH}FxMFR$Y9GplMyP}Q@d_meXc+oQgAy3WnnGY~SdGc&c zudLiiiLzlgo>X_vq~gI=jGLY=Fs@=8I+F>_Her+TpzH?r9_kgp`$+a+Gm0;p>k!xo zegmpixHtGBOrKT`5hO8yewZOG_It6$KJFnv1AsQF9VR$U_pI9i7!0vVtIo@Z`z+yb zj=;%6K4;!nz!V`C0d@EP1n(-Pw_bM!5J=^0EG@a#;eB`RNWB9&#t$m%`DA0hIG zsGNYI#A5I|4E%bip|uE(T<03;9}ADk4+`6Y?EVUBS>usm(is`Np1M_$C0Z%R;Y-TW zlinE=evOhCi5JpDlK5&!51Azar1~vZ#01DCppO~BBr?%s5%4l0g>JRw;dCd}VI|r- z5D8W<{Xpvh<%X?@^1%pyuuI#{1<1CpdnR{k>59bV;)U0If>C2C!e@?T7Wht6Qu4E= zjkB#}+t<6kqnV0VFtTBZ#QAZ%=5e-8)%Ahbn(zw_V2Ii(|tKvxCiy|qVEo~1$&jl*#GjJQ3F=tJn?^qEU0yY0fmPS{s7JG7<#c5+bPw6s&x z<;cDV5yD#-(Vn~cmGZly`IBV{b!LW?E(`JpLeT3+j7TA5WW$hYIA_{xSJvx{_HC#V> zTJNbBRZ6Mm+(d6*=7`g$hA@v3goAk^9|JltdQ|c@F=JkJtj1R|yhSJv4 z0hIx|P|`0~k4qfdFo@p3y+Os(P+SUVOX4^$MZ5P^EFa(!Lt~aNu@H44E>J(fq;e=w z4tNA2kNm`a!|qTU9jjC%1P>c*`9=jP&Zb=7Vf%rdwKJL37 zYBd8@m$;xLp$qope#+#3_AG1SOW0ZtUmUZTAC5EJwQKdQq1^*0rDW;EiEz1VE(j$d zt)0>$CY#;5c552!E)5as=NiSiC58UlqEhXTJ0BBew8<#&^CM+aXeNG!8G6&8F=H!Y zANlBnVsZ&?BzQN!@l>5X)TO)3wEbeh;JtuX1y$dG;tWosz1Pw)0T7&BiiJ~Zc4Mz$ zYfzt%2g7HsQ7fE#|1HUYJ{(O5#E7lNEvAxd^J(NvGFfKr*zYrfzq>UV`~n&glSw14 zYE25q>|Xv6z>8YowxOmnjjl8t4F>Vx@ZskY_6rLQ?r8S=h&Iu7b%JNaL%hc(p`ew0 z>wo5J%g>g#okhxMdhX5$Sy85~KVtV${B*ym|H=!1+522`K`LRhUsKt6_DT#{u)KjXwoXsN!++)&9SdU&S zPgpK1dxhUAL5!u-<}B=YWteuqm2g|xxh^bHUFnVD$fAbM);rH1njDIWM~|hNj}=Pr z8jN#;-Ya2HoW(^Fm|{id$3)osnem^rXbljpQ2Bw;WxeF9h8j>=4{c8;0v?Jl!#5!~ zvX`i2+j1b->neF$UQzDj-%lmxff|&nzdr6rIn}dr37DkOLosU!~ zKjVV}&(F`kgJ;|?nBQQjuEL?-OsUv95co?%;xvv#Ji44J)(=NYsV79z#2HG6AS(_j z3F?xNZ{5+n-~?*7Bee$3aEQa;H)w`|niphNr=a3c*epPy1FM;Eq%ieywTvJC3v#T1 zYEi!>ncQnwwps#9z@U_^M2(Lmw+1$LYM_1BMk4`P_(jf39kOeEbG*;*3MGuFjp1H2JHUZyf@6r+;=ky%f`N zfXFcIK6!v)AZb2OEeQ|J&QgOyyG*q0vzDXIr;YNNoNn)DU@wAYlA<@s>o$>HQl&n? z-z)#lqg{tC(k-AN*!KyHd=@%X9xQ=iN-vv$W!n)^ zy>?RzEOcEYX|FmO-c&|63)Rr9MUU5kPg$QLZ25dPF*)D0&f7YZv$W*fM#4XDXOsZ6-brDi4>)& zelcK#P5Ip9%XvOZVt9x>`>Cn%pDQTlL|fjqf8|8%w?agppFqCM?(3RRW=r+-K9BbEw9vA}$)VGiAw$vDl~|$p)gACnC>cJg67^c> zqHX0CoQJ*%6z2$?S-H&bp)r)IwR}@j5%Rwd@e5nn)qwRf$^`WV@eU7ud$SV}>{_hh zKeu%ci^qb2i8a+a0SHrD3y+OE0BQ^S zF!#nh%(%CzrJ!%RW>@r3BP~EzJEWizfr{dQ6WY1X!4Ey>g&-@*{BlbtIH*aaNgQX0)!7=(_Xe&w!c z;+-{@8e9nnB-$raa=d0T@dIkq4FJQ8-!Kw$C)G@k5u0hwQ$xe{z_iyi=pgyncvGm` zfpW7r^q0F0yA$eC72DO_?iE~AN+mBve>G0pSD6t@#P?2{NQcZgZ^g!3#AU8@TJsy> zh21cPHh+)MUAfkJkzoO1rvNjukJ+wH-DM(g>Q@AcZ&3+&9}^Rla0L8-EFk?}Q*esI zM?!;OCmaEl5m1a&m_Gh3eL|I|^36711TMoW^uX{$pD3ICG$Lpw5+x9Ik{JKJ8|;x} zjJo*J)IVSzGozvq2A)n5lFXBp{D9i^z~=ks=_at$yHI}`IbG-Fal}}I;mbC78!yOi zTO#ucJihl0Pt+oiCcIjsuV1u7t!PwCw8bp2YYLtoQ&u&rZIA;@uCq^T_~~d?r_@Ot zSok4RoH-0c)2~D$f2AkPjh#O_<)(Vo{q#=hh_B~k;|u^C%u*U4V^-{gxjll1)@g-`3hCBP0lwcPnDAN&) zK)wtdSnE5(W8+F^eUa7!vdISP#XR2qE`pi8?qIm8Pe^oy(kf}d>~-5WpA}d;4(Y*x zqY>+~MKxrzv4}Dr%(xRh&qfzP?Jt=G+Yr= zM>g%;c)5Oz=dsAYjvvf016>rSE<|2Fv2$w#V)mfB$5Pwvvgu>F>1+i;@%hC$i8qCZ z!+F;@$1kkTJ6}l3k5NM68uFTq6Dy;SHV`{d-eFXujHzEHnI$;PM}*<8OC>=UDcz_k z%4-FeXw-2aaN#=Y=-U+xa~GJ&w_pa8%##085L689M##Xt!fQQ9KwRcouLeHcU(v!Y zfC1_M2zF>o$^JFYFGqH@rHxee}R$e!r5;5Upp z4Q9r>7H63Ze;|CZwU0DmSRxfMjVNnWNN_0ksNVar#A8#y1(ZQ=3qZo4&rW$Vh~bbu zweq!q&Gst!?XaM3E`%rd$Nw8)f4YBus)qV6Ah!+$`s!u5M~wuSCX?^FP&pXke%B%t zx(l=azoml5{e$;TqtA04Ze#aKva#;cK34E_v>Rc%V;xfSkA&iBYfP`WVk!{0OK(mA8g<#2!4i}y7Y zAU@Pp_FAwL@b!Tg$n&PGEmx*WITkI6K@-Fd!j;tn$ysQR+6cTsPb~0~^CB5+N{E1p zrHf)*9ihfnxJ;sS^0vL~cd$6L%kZ0F#L~XT>RX1zwC z=opwk8yA!=Rh80-l?VRG!d>b;&80mQwRyB9PXs4VL3jO|coA@?I{+^#p4}RlL=$kc zh?=W4wzX)%@HCwYG!q17esK0-h!t`C>^C(gKb?jQ1xou_GGmX+K)&ddVQZ+7wl1Wb zk@OmB!^SdbpP#5u63JtGD=zXLn6I3R>$Z?zDmMmSvnkkZp(^D0bJ4?IQqK0OTeZB! zE*Kx_exIn1o0(2cO-1+>_hUZjHN0jt=2LVz?ddTp?j&N~rA)8J#a3P2vjZ7;qqyW( zs8A*+{-g3FiqYvxA{u3`C_y**tufo>S|{}Qzbd!zDeEDapWef-UnEo5nb3Kz1jM}o zz$y9?Dgg71D336HXTtp@Ke~*;97X#v`ByAI839N`uMu#Jm4lyCtQUYSG>C!-B%>*= zDU8^urBw0&j8hF`Kh+1mRIDYmS^Wo82~b5TKQ}fs=J-g;`BEC-{^Jr4*Ke(w;l0gt zn>7PQ5SefWM1nV2unIQ5szxXw_Fn5XwgsNi+@@$euY9O&>cFf-zmXHJ8;l5`W#xefk{%H$F$V)>5Giz7$%XKim3PCNt0BV1d1JdsxUw zm+{UGf1hkLP8K;S=NTnLK^{hMS+HX}jJ^b-IX3FL4Jd(+!WsSQcWbUe;2t9E92rsb z9ix=qj|Tq_MttR;xL1qmVn@$D|GrwrGRxEw_OI`3jy z#i&N_Q@>hj0035@!;h~NGV5t$unh1aVx zhBNymbk8mY^IuM+(q5xn&hraei)D`P=#%kTEIa8u-f0sO^C^b)Ru%aHiN);eX_`$x zCU$$N;Gl-M%+zzkC$&jAutE5!DA!52>Dxg1;mnzqFhug5?j_@=oMw3EKZM7f0e`SN zMZcJ%3}y~ogW!6Y3U|I`fFPE>(Q7kH!^4`X452&~VAG~pCqSxG%avUw2^4t3VPyH#ZpL-W7AqF2?w9aGX zZ8CYa$%Ew$IxfJVnqvP=_v!Xi4_UyoWb(LSJ@i^1fR6rL?x4NS0Qo=Mgj2Djr0=H9 z&r~@lbFG`)=eKY=!+Bfucu|h}1h!8D_jz_nb*1MLJ>ML#eBlywly8#MH-EE&OJFIakftbJoX$+L^XyS7YziXTsoLOGXS zAg}62V1L&fv@ZXyoC&ybcp-5Ce)D+e2TW?#n8oNv7&XAslDWH#qFLVzE2B*jWiYUp?_kg7Q|H#o zbnAoa9Ec9&W5q|*Ks;^?!yB`MzpXu;!KIXPM#9^?uko@jHU&3AmPp#QW$WHjddX2z zC&2*MebP4n>5>tW?3va$IA+1m4re_``=fP>?tPawtoUv@m0L;3=SMx4E|Zn*RgZBm znGg-hK0hN=W8clj;iWg1xV%tC@cV2O1NTI6+=yvLvvWwI&(zI3##&HGA&13R$wKU! zLDkWAzEDI?WWk`UX?9g5i&zf#ZUNw?1CsIHf608o@areB-CR^1icX&95x$#3cek({ z;nbzmJf(-)4MGVOgIccjs&fqC|j{|Vr)NS=CVidS!(<^4P`04Co4wr^8y+$QVZ;eEK`kP4=z&PhE zthiA^xAtmhpgTH4{w`$aUF9XH1`?Dw3HU2tP!A8@B9_yZMn#io_(it7)#+@%jE+&fN?caMYa+lmP=e9&dl)L!3Wp`DRJSGl@6YMM@ z->MmtNfmxqs&HxBHIAD#3dfme+%WkF@_F5lw=ORl2lIdFYXO1X$EPqu*EqG}yR4_< zX$Lrj5es1DM5}9SJWsV6JH$1S4rQ)p0)t@|{Y2W1t)w8RFx;C4orjdP`l$?<{v*PU zV@zWJW`B_NFzR)Ga+z1c5uJMrGoa*U$`^Todd|Q_KCy=F^#yQ!DhKRl#lz$ljT#Eg zbCE{(E8fzmS(sm3cPjd6A_weYY4g7FhR@<(as?G$l_<5SQTi9S9?YNV4@o9v8UoW% ztqjy+X?zU%0xIOSXl^9X+D?A-d6ikkBTV<6g|T>>HE%NHJ7vi}B7Yt*L-`ddMHoz9 z97S_Z&FB?@*10l^%2L7Yk7b$+CQbeAyVy&|BqtA(kO_JX`Jp!Fc;u$?KtDm%ND61f zQrT=-va(l##QFJPF3SVFJLJci>T7$ub^HU7XOD7Wq)OzIIIQJ(ggq`=bJ_ACXFA{o ze*7f!K|FlguLDk$G=|Y`@>e3}vdXy~GMfZlnIfEag8_BW-z^Pj5Yyc|>44%ZM=y(}n_GQygigS&=vz6DXSJeN%?C(P}$d;J;9UZ^I1&{f5YTnSdR@ zr^ww^> z_b^f@b7nZ?so>`x_RNofmWsn(20b^n=YxN+r$x=%usD|Djri=Cjv!r=Qy4f`O|mLlCoC3&FM^+k_$8aO@L>T9b!1{d_LgQLp}DB8AAR@~Yn*Y2 z^W#c2wu|kFW#0)XD#Kn!c;nlwEp__edvOHdkqokLGb_s@KEZcVY@q;vfO8xr9NZIFMe~W3 zu~h(Q#W}E9q}GTDsUn@qtgVlX4L<$zn@0}>m$BuW%83ws#q3xD<+@ccXdp3wfU{w< zGQrW*v!Z9im_&>DVm_@x0uujwv6!3!#cZS7I1Bf?ap8Sj{pb#QhE}}Qwj9LU;ne-F z(9>>ro2^NcCIvYfI7E*iIaVzdEx6KE^w?t6K;-9*?WQ*|I&&$=O_d(N+F(_U=A}69 zaur|zGKQ%Vb4s?|U{`t|nE=QI5x%=mQ)%4_>XG7^2Vwhckb!H+4%l_4(&SRZS&vOA zi%`Z8{k_Y=M+nd#1Yi}f^jKuwpONUk`7I6%-`r}WeSE5UWr3)A*k)(&I=7?B-}b&6Y>dX#AZ zK=}AyJ}wTW55@rGI`(CK@8@#UvMBC`ozS+D%NQOON<`UM7XfXZm9ORvR&Y;s zZhKhG4#E6-bQq?)|^8rf~&E^PJA4b*J zojs>tq*{dRcx~@w%1W7h1Lg2lgjiuI>9hIUZQQ~;%K?yre)KkI7s2Tpx*Di)G(ejM z&qz+Eu&vf@^g?&mh*ScxALKA6{$_{|Lo`-(wlM$46WU=?m+NtS${QBf;eT^r{_iXK z#tu-nlQ#a^ilH;)wk(h?T)&A_=>N+r&4RZ@O^lGS>)757&VBNP6+)W^o0=V8;cVyz zuuu;tH?#duvp;~xXWztyw7c+HuvC~$S-$Qp36eE4;0H7D>}I~>0`@U`BZ5$gdByqa z{n}?5N>2b?f1ub`NgscFx@T3bSuj3>7<)19hSaKzS!>aEx@fRUO;>OBj0`|EIvoD9 z>ouRSqR2*XCGHUle>CKXs!Fz7_t3cBrd6>iqNl%N!ZDP(J#$%4eY2PTe#Ck@fF11M z^!pOWjD#KOZMX(;e6E;msJB@>i!$Y852j3J_aZp>vt}G;#t8dcQ~;5|!D+h@jQMdqJ;mSBFUfGiV?)7Z9;u>7DF#rW_X5av$rXyNh49g+ z+Kme+tu=0~Mw8Z8k&<)qm=rC@q8!0}FvAE@`HS~PBs4umFCo(HcZx|vXi1b{W&-Ph zHsWO`bI2l#HAI%wD?|aEC9I8Nj|z+ykd)b^&42Z`b&umg&b_0*7trhQwqk9K_X6P3 zR+Bj_Bli^+*y2ieS4fkA51K;Bx3DxdS+H*rBn6612S{Ez_0erL7L?NEtTEJ9z-Z4c z6cDaK9cC$?`$*S3^*GflqbuV(-P~J*AD%~Sy4OLE46rKGWI$d5`4O-g`Lys;)4;_6 z*F1L^e2&O-|28xC;X5es3bV598qk4UU%4)KePf2e`F{T0ddG`i9eCjE>o%sl9Q-e) zxE(VF8raZ*>0U$7U|S{QG3jMf!rrQ7%o6#fQa~&UUPx zo7HtjZC&qSvf~erA;b}+>=Nu%P9L1H+VsCqtb*EJFk zrKLsmZB&OK)(PZSBfODtakU3A?m1k-ja=|BXm-rpE+OTeXg52gd4l$~7~(xtk@%Ld zc1DpK+_fPA;s8N!jRkAr6Nohhu&{XN2bf~#fSnC(zpqZR_+3d?c(i~$#PQka^103W z0}^Y+1a&l`I6d&(jqq!C!Jh1-C80x0Z zhuExdkY$*{`VCPW!rZLz* zOD{s_OiHMXM*z>h9SEOy#^1>30#JePs>fxNkU5XChX8W2T%|XO?5DfBe)&9Vy?MjA zPLtCwsO7?H4fxICB6f%R=VED|P8M|dRJGMsRF5MG=+FQH(%$MJa{bmeU<22BgBaOk zsJAxkq$YI~$&8`Hu_6Z-fGyFq@>K%i&A2t{<^uOI9z0F-%pfgMmA4usFt zjNUejTj)X}$^wJ^(&0Bm=TX<-yyLrPk-O;9P@ia?m4%>HW0xw(5E~Tde%TCa^#mQ_ zz8lZcqqFSnjQ}l{aa@hy`u_<6Flw+I$?~XQ7z&mSr)DB%vk*&#|H2zdc4QbWhgJ8s zcnxMXp-I5XVv$}I7!%K7-5!T*$JOKwAJmQZ6cfn!j7v{xMW;oszbhH#a&mcPnkX@& z02=K8tc%(edZ+fR4C6U+LAHdj_6{yw(6KR&_Fa$$$)l}>yPYlYiEvg?Fq_-TzXkN* zg53T+Ek~YGXsW_6=P`szGfpNLmps;?Vdd1fUp_oN&Jb3NfShQ#1Z$hf(V%;srLcal?%LRfz!dhCi6)Rp(ci9^4 z3NsAFANOf@%pIclep(`dFaTiA1pXO$^LCM#_u(PT02HDVPzY(dwp|whW}iGU$gWNP zOY-1TBWGfmLqdVZftutVE{!4f4qdRaEMf}141le*IfXA^ADg~bk9+iBc8vRW>J-|; zEao!c6wm~Yy<8|~jse8svkI}W;q|L)BmR$DWy`l&JbD{NSX3v+pZ%r$Z;6j_6ziq~ z@E5;mvXrKvPQNy(0ZT)H9n}TS?t%l6wQlVf*zd@o_#e#-`k-Lmolth$XWfb_A;@zi zLR4)NH#y26bXqhx-l|I9kc#!v1k=PVNv5aK>xAAJQ5J(HAlx&bf%JO^cNi>W+{=zT zK8kxf@(FLKtKPAsGm^$lOODZTqRc2?(I?65(z?W$h$dD$2vfjXdMmM_@YB#EV20K3 zpR}dRx=bY@%8^j@=cAad61dbGkOz=eng>o+qIbv}Ynr_!s1m)6d^F2QVtbIBgI*^i zvj^BDFe#@s#q;-&1(>ywvt8o&YiK>A*r5uf>Y8q-o8pn*v+cO;rfmpQEo?%P-sA!_ zkYSht%jP?5hX7sHT(nt7M}27V{2c+nAf>^ni;A3`d>t@MAz;^*;Fit zg__jHu4{9`J(=yEAsj*Eq#(NxN(+P1c*sa<1B`Qr95g~wnh(}n&+Khiu(h+hnZ8dz zcTX8cwRG(}zw380^o8bm5dGAkXET#-`Ib~D0e8StlE1=$bjra}X~9eFxC6dVeJ{hx zqQN7Dx?PgBJy{I%0gyfTyTcS$pw@Jgn>FbYx4LFSo>;#D-@E~5vIxNXZgN3rEvSv- z@U`Qd$)n26J?wSJl|Nk2#$+9*mZ&<(aVy-F${@`l~~lb zHVCb0Ns3d#u;5vgVXYc0KED}SyaGd@JJ)m#}UHq2mmZ0VT5)({#ef z*LK}J1P8~s`iq;w=BI`=qKLY3V}Y|`Quw|`ivk@>ryvVs@U|&y0v47Y)J6PZ_)e+4 z=xi*(6RusTgv+{v_pLx6KA|LZvj3F3 z&3;OXfrH}>K`24cO^hN=FEQMYrpp8;>_f8>_&QzKqAc9C!}6D4PL{H;8Pyf4QZEBJ z7loXwKvDxxRKjg`!zgrS57^?^Kb{MTRd@bX>?WJm0b`HD*wZjJ2uo%(lMQ08urKDO zuhkFwF0qrTsg0a(EOBV#nbFwbi}riN(vN8p&6*w&S#snPU#3}7bP_9nhq~m8*Yf8q zWUw_K5Z^-(eL&b}F;D2auXBVI2tIaj!9e7g;}pN|`g&Uu^|Gpe;3+@`XyH%ogy03d z$#BN90;I%)cvg!(1Q3yhU$Nv{QCDFck5a7^ZN~T&)MnPorlaqIB!`q98vqB$9HTG> z6gzXfc?Je&6K53ewA{WHb5VTnKYRVj<^KbnIm3Cmd>h7DhjC!cGVEp@k|}_peZ$^~ z{DZpDwNKl1;v_|hzXU;6z8-1xiE{}>KKg|VLB=x-w{l8C|LCVV2M&F5f;s_pZzKcg zC91rL$H)Vfet=i0d+PpEP-0+Z!mdN-{b~>r9(zo7xRmCjJP#>u$`mC&=^^vI ztY5vX@Cw#g1#6L+*`+jj=dQKvKb!#Zy(?nRW+W%1l!z>R1ryKNDkE%{!6*$_Mgzod z{}OZ^HvnoR}cu3Sfk95|VT`B5X8= z-U#U7g3aSeDM-=_QRB=Wf@(Gl05aF~6)1BdARA}NjWD7UJ@P9y3-I?uF$_)2x+ZE3&WuH^ zg`?_sdaiyS-`ItWrk36rU5lg#;P39n3# z2`TS_2~^cms00*yJ@U`ALw}>=C0)N?3Y6yKAsaX1`l=OL ze>9*|Pak(NeLHct84LFZn-k$`gPkcMAPW|#QxImbW!kp?wyQ&LfeER(GPmRw*lJCl@`M8#}TEB+*x4}u`fIBrSL zQJo+h>{O8Jx!RB~0*aJ0Gr9U*S2I5v53N}myELf&`MsFs?4Z>+G}@7(;rT*ol!r?O z3XrdwN~ZNSB26H!74YBq0#o?LqYpKSoUf4WH<0a*SfG}}hS@7kHVvQ*8^n+92*LfM zR}0srKbs?P)M6Bh7RAYe(4IkPqt1b-4?3QT=z!-!Dgn;}8==I|{LHV04Jb1UBv}f< z>1;5rhI-(y#5+?~>D>&Q8hxK^T*mgP_an!UjEr|6-2}(mCXX^39kZA5AH-O_IYL7Q zuQd-}5V)`qYB#igfA`~$Wcbg4kU+0t#?ey-IBU!f>rCWG(2#|0I$7BsI@u4f^w2MX zc3dGef@Yo=BzmrK$PPP#o}eP<(~aAqA`kir^wNHKRHK^a#dIhWU5CFu3ZCc$_DnV!B^8)w;u&w5dP*0`LqYfEfvLuw)+)q6E5HZ2`qLRq@3i`U_2R zj3CZ@-{cy|&#ItziAG}@j6s^4kYh4qlWi^HGvfs7QM}Yy3mAoR9!dH}lc6hS zA=&Anqv@fW73_ry_D0otf{U};|FY@mtQI^l@{PYxlC_W$YQQ?r4%^}E-Gd6X{<7+yQm%Khi)=GNvusc`OB?eD;J zV?-n3AWSQoIUqYKB{C_H@yoAX>$6hgVqoH}RfjzI<4!Z?jIqg;KI$<((nBSQ!_?_qC zdQUQf5yX8klPE!kd|714(GV%IVB?&W@2#Ya1V=m8s-))vz)kZGY~1x0NjB=2m5)+I z7=;plz!=w1Wa$=ad0_F8C%Yax_^vyT$|m@3%3SY|LWde97V_I+t;LM)G>0$-qcj|N zLyZ9Ko+#DEnzaiHbpVc70!PvcN-$gRHy~<(#6eO{*SZXL>k)R#qM4$ArEsy*Yj{Nd zk}~~ACa&?q0YwxanZtZlL4Sp9;HAT%XpU|f6+L0UfLjk7jcYKRuzN+tG%j8`UE#NS zn;cqHxFBw5xAmqJxdPWuDTy*#R@=1d$dTVv95t9=*lhXe;h$qv5^otUuoUR?pvhf}4-PUunr((Cv}o%1+R)-~BhG zvaqI6UnF>5?PN+I-Y(FlR5DYZh1;Ahp1ua2Z}= z1a@dotj)bVH$fYM(-lxN<9bX$7I<5A34I1c4GU>3{-!HU84l*){K*h6^dT@=1TgRZ zmSgkW&=~|LM#EUoYWqUUydk0jPM?eFBa4-=SPB~ktJ~ZoLzkNnmL$)n?Gl?}MBqx! zUed&IP{ewKt(n*^b3jO@S@et5et9TPH8f<-1U4q_uuHlE+M%^+B?}uD6Wsn`h^#=B zeC|W@#$92hym8!4EJOm~E^K=eK>%@9L8wJ4l1ydi%Rv6Ip##Kj?*ih`3-5umZHU?+ z11K{4Pp_f@XL@F`V(Pp0m0ysll>};xYxUz!aI_X#rC%0JP1s_tvs2Um%(bd@ZLHtp z?O1`I`4NR&s51qM<3s~1PBX@t^i;G{#qxnpf?wLmSTKA3+lt+Cgx0g7ix+T@&J!os zWcIv!+G%l!)+lO8lb|))&3B2<03~=zO6@V|#$Y5bG0F1EN-klmgwV{xc!Md~#Cfr; zz=*Lw$u@M89}!6Qo(Vzrh6QH>wYf}SFLTavTzvnR(>^7!>I0+taDEeLCsETFMJY~Q zSL+>#6+SPC=wS1NfS5)bb@J8GSutr^s{YAU`!}}n)+Zo%FugNBaq5Q`K2bEg7HMS3Y*k$Pg zb65bI(v9814Kq!)@+#<~s0Bj^F?Irbexd0#H$*Ei#mf|{14Inw`1Gh_7ePJ=>DvKk zdIi~2Q1%okY}_s8|vb(V?#Fl+#N)o1C^3xIhY^WJ{L-#fwN~&Og4aa zWu^bGcRmS1(Kxh7Pg*3|E|NXowLVK(A{*On#q$e}1CdKkUg1JtFT>&&EDSQm=2uNI z5Mu?phCe{y3tl2|QxarWu_FcOhtOW>#72KAz^E=yq~5XVh z=;)rqMsdbZ-^!6=3tu)uO^}ul=Y9*v^%+yHYcP+k>)_D-%er*CNKy*BaQ@xA z)w~3|eTCgWvnC0qM%FtL;mOkz1C38Rbfo~xHgYhGI}a+2o&l^EV-U@)N7fP>1i=Dw zT!AxBEltt43!R9_Gu3vsB%53(XFT8(Zij(#wyfG!SX)C~nnt51MaZXNdq>ju zkwf%XuW`Fpf7c?-#8UV5fvO0%#*mg4@EKQJT&vcnGs#*Gi>KCI_inr~^VTU?HBL({ zMp`b2Lg>AAxhT$GcCEOV!|dglR5Yr#DW3V~UhR2HxZ%^-K-7+XtH9D?u{5$`I180d z5fZwV5 z*5$R4YV+Dn&H~?RcHQBlv*mWe*A4^55Zas(I0(dj3HzT(jAA~Q462k6y8I73K?2e& zd9myxh}o?hs8w#%Dz=f@L=Gjmz!v*lXpH6NN2rJaacJs=`_1VFQYQ0*eCNu0SV2b!0%7X}zZV_VcyL=Q)b=Dhcz-U-Fj% z5t_|=-VhHIk z?I}P9834^xI9M^hbmb#y^5e}TSdxo9t{}H@yI9Bh%=ajN%f%E!F+_BVzmq&8$Aql_ z+o}Y_ivR>(dtwx2*6^DDAN%(fp6C`A0PsIYSkI+0e>l%U>~hh%xqAX4>k9xlW(9P; zLsuF~Or)}t1;-kFh@moMyHN;oOc8h-M1%Q+m1R*tTB*&J3JafX$SSG{rp9P>6tZ<8 zn~Vlqe3659DIlU0u9F)q!R-&hXJ-ot)`y-B9C`M~WNn`oH|df#RP>dWim7Wwy4E(p z*UIDbK1@vPRNEX>0tNlWx?zcRBsKMcdQ0m7K6wX8sn^S<`T0@TwgXSfD46AEIS z0Py!6NK1APE#lln;B>#79zDhoL!$w#>CuxI`&a2rOQ~(}#!dV^4#JQAX~`k#@lZx_ z*q8zR4;)N}J(?NY9zMDNb$$iEvsLti=L@x-n&;?Yzo6Gp16fF)-G~C{3${=|jgmw} zX()n&`hdd~(s)OFZ%v(l9|e!pc{sX;lb#PHYzU=`Vyb)14c zV;U~;CRPcK;DF?Vae1|WrAapNsf{pxGD$21cda+6DZyeQX#1xHYfh&KqKm&%6=f4- zdN|bLH)ra5elG$51dHzgcv~1+BU+;!;pr=7)f9f6ev!ZM@rAHcx4Ff`EKcgwBp%X3 z>`t~3P7_QsfLJ;Wq^C5mUci5Z`mNHA%6Gy1EGv)*F|2bSkaucrj+?_5i}V&;>_#!w zLjcC^*-V#EQoXdJIDT#qbF*Ot-qAK637)PDMAxOwO|22yZlCs&dw)B#R-w)#1!urR zo?aNe+I35>{{UBwdNE4!%nRm2RIq~JU9pMpj(-lPLb=&p4*oPAgu-FqX$D6EM~?)q z4|?itpTkl;!J!LQo^d50PMy6v%1?83N?&57Ta112_s{&{6I9uZ_$63uwoO_OW=3-N zZ3);B{{+(rk+h`**3G{tjJ9HbDXXS8-5<~Ysq(s`HmX~Ig!zxkCAkOE%VchDYr|0+ zZSak@F6wn;$6pVQ_%~jtBfYnLo5xR(V6DVQqfyg4z3J!5vQo~R`{cq_?U+dlK|e|- zz9y~m>>CFfAlZ@=h9^8Qfu)K1`oFZp>ZQN^mcZ*wBqn*5e5SRjHP(#VfGwT6d3;y5 zc?7JSp=N@r376rtL^ZP3b-nDcv}4`?ORy?cWu^oKo*Vk<($v_qoPiv3haEuPgo$=n zC&6a&Oj>q-6P$~!z4O6n-@Pp<&(XE<5smGO&DX|Dq_87o+d07RY|{p)-lrIEZwqgz zfj~}ntb!hRXo}dm(AOoXGQ`H5uF0$dXQ`LHWNArZuF>lsvIBE-`Pvpwe4tk6K~uFhSqIK~6Mnm7?G z=bLmPi9tZ{Oqnwgl`nmOzCd?tHV=*gO>%;uvyor3JO1DfZpT*ai4 z_g}Tq!-2LzEcA#`J^L$7pq-%1xwM|QKjxrS@g0*}Lf;$ivH2F!AK2a_d`)MbZ@So` zq8K3aqlLkow$0mvvS!j;Jh=Qim7GR7biDEV zzC$xrKaBJ+<@TQ_*H0;PaqCXaPYXQ{*|^vsx#y8H`hIl2ir74}zW=0H*Xkc0yD=Gl z-j2YK+vxLMG}R1Grcj-?Vr#2=IWB!-Gg^vo(Q!uTsA+S5LVSz*myX+ZQ^GE}nBMcw zG>VyE38kz@9BOyB@G8&Gz%coalum(rSFi73D)%n5_f7d<42e)d2i|&<(Qxt7al=fV zkdSvFY3nn|7?f(JEC{bokCyclN+y#|g3>nEkmI-xUh=6Z?q|+r)73g_iY|dg?xQO#d7+TBq+_$e~rEIsu`Z}pMz0uyC5?RuIqVe;pk}os%)RboD)k{9d z3ClYURZjsP(-OyLxv0 z0?)LC5UQ0aFiZHr{(z7u#lC*#`dxS!bM0~g&w_L*r~9VkD8jqwJ)_tKBzyW*>0m%!HwC9V z`WEI$CsC0_C#RjA%}%V(!8uD_*i|l*4 z7kA+Pf!&f;z1watAj&Mi)BV^Qvhqc3t=D#Y6YbD)ZKrb$>;Qub`w;>ft{mx7ZqK8 z82d;WJPg0bIz9{!diHbf(~rg8xU0geaU<5crE-U&Z2K20S&rY}M`Wgs=H;dF3*SrYcfCGg;K+?Csd;FzguuTu2SYoAelxj5cYp`(g~ zrFcc6i9o&_-!yN@k!k(uChNP+{lcCDLh&Kr+4x>6JvkCl;Qk6*jAc1c-1yFW9j6YaHU zI_&{TMWpMT2)qbV7jLK))+uKJ*IT<8?@RQg-)tw|4mC3TP_rfunG&kv9e;E|L}aob z8#KPOv;?I|s_oo%OK$P*$A%`cG^am-E#JQ#FoX3vF}+tw-?*&FG{frWO=X=+ypBO%_kui8V_TXloB0rIv z6~!jO?@Vt0b;#+BGTksC!LQ7d!;pKd8H)rF&|>cg_F*c-nZbVVzzVXge(-Y7$m0t; z`}{vgO5T22DfZ8FNW~ucz4FFrW%*lAOLs|1LJvWFOeBnq+nowU*FF~I@b&+CHSC^d zYXDB0<+)LPUG=0?{=HYeI$S#4C**%*iLE^_m>H}rT@$w$5b~UM-m*x0p!e)es*DA2 zQWtnr2KYU<;E~l;H+zU`n2mOf7o|?!Agu5VfhGhuyb*>iwRU@!qm%6NQe7wY%XUVd zWvXM~!1&1^?a}W1qn(3uie}lpJjVOdY7bw%1^z~#VF{S)d?BiNP|D8mn&qxls~b#( z=m8pJYC&Cf>gxyEqx|lFI(>eO+d#)v0@w`Tx4T6otWBfL%3lg49zK6pI^R+y##gjD zI^uR;v6TF)4|mN^%O=JmyLK1i4fclHY-0b$rYL2JyX%AfAp_q6)eXpv!Ab}tL+Dc zD|6}(s&-@VvG{jRx?7h=JX%!llmE>=eJd3sN!~^B6VCPhD_DGbh4`7z^hF(jXc$Z&?t#pn%eh4gI3o@PW;(Q+oO@#{UOkF>_J8b`!B43{X zSa(YE&xd;k{HI@F-c~1LM|HB`>Tuk_-(9KgFT1?kADH zi4#i7R_W*FU>n#ctcW$aIINJ&zg+c!#flGX-bK#5SDRB-^{O)gEYP)9pBr`rdGH~zB=ldVI7kGL)xxG$}M0=U>+m|J$ofkP_ zi=e3Xbu=3taS4oUPuB@NV(1VjDBJ3)*o&uA$|mk6N_XLpT8N|bmaw+a_iApepj#|6 z4TFKBp3G96Yckx&><3yRuf^va({^JY6z{P~lYfpE&+v|xJ7eH~?6a9P3cNRYGTkLR zYKDGQ7B!n0GVOSNR;~ANYjO|qBPsQm-oDACBZZ=`_)ZpiHA-_>K8N=O6EGR0VB5v}^D$ z)A$^;xnP-pg|FmJ!^av=g2NU8g>oA%&9pADynNcG+#dJwR|BTppLD{x++IHO{mpkS zS~Al;&iJj`119gkM@xC$?%>mI_q>|~eumH~?<ZgQ z6WoZ9;LByKd(HYkGyb5QX}l*ZTE^-a{17Ci?}(?!VYP4hP06Fs$_Vv$j<~3gA){Yv zMg=Rw9zY`A?wQZ%?K_+%cjnng6V3Cuu2nsd0@{6FmsGBEDY9Fg{_UhKVzv;F#;e9s zx-xhl71yHO9>M69aX(rYdeo=)VjDXHG-Wm(g_%T${<=$XnI1g_-g`Rcg<9j;TnVo< zmqU3|X7V>ZXZhm<4Q3PLXY3-?P1Vp6paJFOfGbm`X&9GHW%^Ap5g+>|$2Qr*{#}Sd zug;#q63WZEPPvy*%#5w!?4Xpx`|Rv&==WgW0l+Q*mf;9r%OMB2@6Xr#qk=7OcX4IE zOc;vbKlUcQVCg)+;fqtL7fu#-)+!e%hY2N$8sp;yyreVh6H>0fvgdKMl#1r>O#JJ@ zq!=D!;hhU*&;H{JmE*s}c4yy>PA@IJqtjM<=p{K#>CR~ka=Ro>ymJV?+H<4+Z~_yeOsZ z{o=wJ|I5!$^1c{#pO%oH5+hojvyQa7U;6(1#XCEpMhEif-(KllH!NE~S^qg*@Wo$| zXjPk>;HyTZuiI7~xDV`MzuLMK^U|7DR+NK!p&utTo>crj>l{^S=m_6`rH2PZPWkbD zL+4E6hHWHHC*7h{bC9x_P`2HG8mb&i9SioHAE|&>sYTU45golpzukM6acbUnm$`iW z#d*#1RZsdJ;Fcm?p-vhGyratC8i~Agfyi%GGQ0>4%h=VjV9 zbhZ+OV39XLrwKGWv9i+C^+9p;mvqm@P;i`p#Rm31JjwNWyGoNj-KiSQVE z9RuW!@**v@5?$#~8>#q|(xYYrr=EkeMATicJ!gzh@naIN^T)Z<D3_ZCkQv+zguv#J$7>9sZ= z+lKGp4y}`FaoEQuKIiVu9eA@IYkuY)`FH@@x7G%DkEs9mxOP>fkMw=wjMda*`Px0#&HMM3>;pvR4I%gu4z;%Z zy`xK^-}@1xHoS0Bou*B_f>l&}4sj|Lnsn&6>%-P!`<0Jo0>-d$Ih2WL@=x+zNlNrN z0r%{>7ti?wG_$@4PuFM;Xb+z1QTKS!edUG3dQ7qIQ3I>kncc?+Po8l*P$2iAv|p`& zH>_V}WqoTVQLbyXKnT_fzvv#oba?SA_TQUA-K8;pNAS`5!;?WAnW(%`;QZ zOdTV+1d87Ajm-qt8VVXt8zq4FXk(}NSb*9|z@Epo+Ack!ZUY4|B8w~L9t!Wyh=$Ma z^PKt?L!nKh^I6q}{yCoq>aRPF23IsWaU2*XBjtA@#{0&EE;)F?Vvw1%q zrcTAfKDW86+W>*_h+@A7*P;2?Yq!F}Z+@9G5&;78#pM%PT#S9%nV0iw-WYIrM&LrI zUukXQR{z!lSj9h*3>bVMtTrnrOkWOAb=h)f?Rwbu;&|iJg2%r%T`~`R;~>^?h>F%#L)8L*iiPDqd_iWP zH#ynlcc{zp)r*beMta{yW2%$C_YrRk7nwz-a-H^%az!+UKwO-09ll1{cRIhF|7%5$uw`bFg+Mny; z(H(oezRf(&l$AY9d2?u8{ZiT6i9^?O(f30FDAB-&&=S`2eXDq@#^~X2sr=A737;edN6NarDnEclWbhQ3T+9sv0UdvWDEJ@>wJMgvNA1#n-+j-!tvfyq7lL z7aHfBcC&QgE6yuC;aX&#CFzM}9gZt2?kXLvF1R1`*&a!s@y1C+z14^ReCIzhccWPX ztQ{6)GUN6@^qKZF|JPRqzK{K1ct+~ytzCK(J=XtepRaX$rOj;}e5^kGVI2^J@|=>L z!!${4z(!8yDO|2de!}V}23SB)H_L71q0O|gkhM0!s(T9LPw%YDP8&je;_QD_V29q_ zmRqns@RfFQ7RFn8fS5(gi9fExMUP63p7`LdG~GB_A3s;}t`*#~3tN-(oHl7(yQk-z6*3@{ z10^^m^q{4Li(lrd%N#mpZFym0_(-xNUZv2EE7SAPy?}5p_6PVI>?UE2#Qp+xCOpqcb14LlIIEz?X(q*K5NyqS0%DPqTSMz zbkCb~xAjd&w;*jG(bG7i*K{_;;PWD#tME#-hIG8R=gO=@D{$NQO1In1%3MfG~1FRk!iYh>E5<%>aI z^936~Fy^&f)QV=)?uUa#FSCPJG`;8EM723m8oPDq4{zm$XrHxtpxA!=9T(q^$?~hb zDg#B8xG&46as6UlCe^oM65VJYCMo0*c(SmXOY7o9&^!T)ebO){^2ESlC<8k#A0+rV zLG7CfC8A*caBm}5j`P#js*x>qL)l&ry(c0^D^92=ereu)%U`6nYT7&VJeYXgqcXbh zOxGQVPrlBzU54{h<-F%)cq!rRezm+F{+*~~i?|jw9t0TASjupgC%*k<$X4C*wNKv8 zn(L+2#4sL)@xG9k-6pX|+TlG~`!yUR=yE$dzVeF%0NJpACzIf;jEb9lB`?xn(4GIV zT?BFw__} zKeByHvV07L{y&k;hjsOq)Hg`Vi_<>^^3IGrknz7?KV7c9Nk{eOGVlmePVv56#H?_p z4kF3A-2U=@P_r4G529y3f#SfTNhSmyr3CQrhGJ!cKV6>ps!nI{J)x=1XRqzf&+(&U zAJ^@*P;AMR&5iZ0wxP`PM!A1K7gTL^UvtlVU`Arjnq#i+XGgm|gZ^ACHL2?cQ=wYz znHG0}7866w?tFf6#H*0V0!Q!{CpB}?!8B4G0e>=QCUKakhW56a5rCK8J+64Oh+pl| z)3af3y^!99X-?QR4JP3`k)Mmt_K7%WZ{uIrJ?|&RMQ+1d$Qsy zF+5_A+fM|qq8VcE^h}o=4Bp(YES*y*EO&;!I9#J_P19MM68U*&ulHnPtV7q_nJDhM z^68JEdvD43#A-gi(Gd%Tf`Qe-q_*qNl7Xyk?pyK(eh0_43^ zytH*H@QYKzEb`&Vz|71{$~OTE96nXSk??ygvEswwdJv8wDkoDG4O+VoKw~B%&snR8q(w&2eNVg&l0|Dt47%-ShOM`Sv zNq5I6M~sf4ba(fFZO=a6=lss|`=00UA3JCK#r?kT>v~<++w+yYk`>~Za9es?T}-SR zi9Qlp%BE%2AkemMmuX1 z!d*Ou?QPC?ND+zA+y|=HWW^t=0{}Py3^>EoebML8h0n2Tcay4KtA}09dyZ?Ny3D$6U9wsPFt~_* zcKMI)n?B-?&SRu|*%LJI2zWR#2?E1<*bsLNWr*1QTHnzC z9L~vg-a%;L z1Bs)_Ov^Mbhi%R7r{NqbY!G^TF!qq$P|u<`2r{gp%FgzLyG>rAqW(mulxDU3kuWVn zn-k=IT*cPZes10m`TjAw)cx$s)|Q~N-K<_56-w9{5((T16JL|WodEFATqYYIkZinQ zRol0dS2Al!TL_Nm3zihfWGMfnP7`Qw)8Y;d;Fix|y0Y_<&|G07?D(!uDepjb=Cev< z^Q1vUUfKYD+)?w5@BKHNbm#K@#C#iJW2SQ&E{@92gX}q~3-c!ePXa=#AlX!F>wj9v z?r;yYj16ODBi~*JV)?3t@-m_*e_3abg9hGtMbqA zby_4>{6bE(?qX|coy5AU-E3X4ZmC{*FY)Q!&2aX4y`zbgBA1I9Ydx29EN!C4$=CbF z2i66M5{-|nrI6>vQ#t7(dyrnu;-#ylcG2q z`R=l0&Xi$%wM!jxQqBAv|iuATSYDcgWAIIMJs zlp~24E$JkPtnH{;mR7FJqT)j3E9E+Li)Y^XnyF@oXr-6_e*!x!J8l?JOYYX$@=>}pNr(nC#9?N+wb@;16_=J6=S%wA&3K)amVx~8M2H&mmOs(bfD#n z=lf{K;3sycp_YS);@c({#-#4a+G}t`PC)q4An1^=U0zryp=cL26WP8!|Upn)R(VCf5>fv6*E-{10h99MWRJLInZd8 zTx@f-gbCE*4mURn?`WjO!HP+R+Ft)I)5e|Jn`K zAI}!?>jc>BJvkSEtC}hJn2zjs<;IzvkN5a1UiI8emZ$9h$kpt=X}vxKifuT?H!k|B z30bg~!NEn@-$;?A3VGT)moOddt&U>UjgFuHM+hLh>(+@V$VBkj`NG4p{fXmw6C077 z3)-#-9oi)t;x#%kN8O_qk!9)iSb6i<8RCCztr*-?J){p>`p?w;|9)!n?^jUe6|8!F zL<|Da=aWL7yH;(_ONe5?@(pRpiA%c=UI$4V$p)K#W6jj<@|kw)PYLg7DBM7Z%rXgD zQ9#Vo2$%%MucLQ8`Inwu8hlO;E|XZ=jznI^C$&9>&#em&H$k72XYglB6lzp}Lab9= znC*rdo{l#i!jqXv^Qvp|*>Ia@%zvMbYZne!_uqXY5aN5yS#m$*YQrcmTsT-j)93>w zMQ3A0$8=$(L^l6g$J;0p+l`&cXG*EPA7ri?p+$In*@N|)-! znN&x9SxnUIKC_$s%~ck~tr{HpMrkmD}tkAfn-d2wu&1Xm?oEqq_UNC*$O=91LYPp&ZN z^wD8BpGgq^qd#>;msXts*&~b?|3BkX;>??Y@+l2ezhda;5-7l@nr=m*r)rG)NTn<} z!=_CD6N-wle7}QZ;bV_(k2-qvA{@RDPdsG$Ce};9N-@Db=(|5(WsZ4J)-F^(=dLl= zVd|%ugVR*_%ers4%YZ#MbHjN}lwe6P8Hk}J zFLFlJ6t9@u6869>i|XSOHDiN!)i&l~;y#1A;C4hTb1>~H1-vuG$H(l8@j6}6DhVp% z@sURWUIz}j=>sxbBlzUm$%W+>pCltI7*BP*RYwpAx?dFg@V3QdpZY=OF zg6ciDZpQq;+|On4ZWr|uNFi~bkS=3l_t>DIlf(yV?I-M`$9h@dtas7_z0d!HFGNs8 zD)PQb!YKG?<`f_MjspHk;3&d!IreMiF5x(ma9T@SRSU>-V znSs;u!->n~`)o!qDi~CieGAJYIyW6(B6>{08in^yZEX7bO{fKJ`Lnu_{=wmdi@!JC z!&4t8s!hCiyq7oF-UC(no|@z2QKP!p(#jAw>aTN%F;4hb%5})S9@k{CUhXNDEI+rd ztdcw}ch>F=#BpookH=qs+=%bkt#w-Hz|1#1`vZcP-u2%-R`NA@T5s$b?>~ZJ5x%Eb zIc{rZ*{2I1+WeEC%%VtrwHsLDdsxScx;<|LG$=SPWHhM{~Wu zAwKQGxCa+8{#?BShp5AJcW)*Ki(>SY6Lfp}2$zu!k+W11?P$F~8e3!TP!q&i6j~BH z?}{V&+d9yf#weVe>nXhmy<1}v@O7;8nB%T&`{fqUsr`uYsa~ZSFHXm5pjGucoTmYW z5HA*^1*=8Np&{U3&7ALS#!fP9kaRP=(adpYS`blY4XG^@iI13-(5IOUMF##;FES71 z{6NSy&wnR{8TVn!j~UUGn?QU4COJXB!RuNY#_o#tO`}v1w@)I9Kk6L+y`No{-7Ol= z^E3+=Zg}z0rQrQ~=cMHf;u0KKl!9IKU`wT2xD}__I zP-}*iJqC!mexD4>JHxIIe6ZS#+=-7SmG#4Uc%t@5o+?a=EZ%6%o4(r(c@jwj`|lxm z)&|g^i<#(4;N`C>9EFJmrDJQBpX6$L*B1gzmo4de_(PH!26*})X91w%`5D5WN?-fhy}1K zXr{?RO9(l1%8w(TE^fX*eSVtx5-2@*rUMbsjui<1r1TuDwC>l-B5f3WoWn(Z8ca(( z%X7~Cr|JGq>Svlf@z&RcsP|t*dIdG59w4Zh)>bC9D@H@>c(jfYhK8r2zCbG)Mm;L- zr@AHto6ofvBZb$WzAYt{e_)O3tXsj2q%v7}UlD&p6Ctly$m>W0ABV8l!BJ}#gQs*3 zbxD0=U%%ih+C2H3HM#`cK`H{XA?hI@sx=26qH+L&nwkM|`cU{Br7gQ5C}NgG`g1}k zM&kQ`KnIV!04hXWYL$DuX{|Fiu~QHClVhK7^?zfAvkU=F;ZsKgCsk|hOdFLC*Fe6`Uy)_x6BhOO=sxO@7T&H%I=Zq zo40OA7e*KLN#@Eh756f}&Ep#ebtAWzbZ%gTjCzX}Z=NefF3Q_Z6`<6rP6On)EpqeD zq0a$j5Ouo$>w`bcKmz>vR@$L-ajmFhG3WebTY`D}jk-zA+I45TiS+*YW)Fovi%4>U zD_LbsB(I&MTZg!FE#T%ga&-G8GH}SCL}OBvE+h^&i}Q9M#9W!c*!sGB@0()T7$j}>_j>1rtl>l~=1LevwONqJt*2~F4H37WH?Z&g8@+aJ1bGZ6%|%*9 zuR%P?&1SQ|oW4F5&@&6^am8%Huriwi%CG?R`Y$!Ue>-bf3Vjo1oI^O-vVa?Z6XiQW8-YE`pCj@>4AEB>K$Q)); zq2eyHJRtv*;Pp?LQ~pbgf5~%I;`U;)p*Jd&yhc34bfU3YGFNM3#huL}Wx)TlrqNha zE?p-RuSp-)Rg+wKwvi6@)h-=DuSu?;k~jCMvITWZjS8mV*?o+DCQ4WL@%Z$Q4(RWB zTiqGAelBkdBE9BXvEE^Wwbu0>VP_lc5M2KQ%KtA$U5(bYaq^M9i2sd<&stRDvaQV{ zCgE|8_y^e@O?|g0_eGSyHE5r+muHLI<%jMHvQ8eKn|G;t-hak4>&w?sbQ1kTD~CJwO&IRnj&>IN2t>Hc}jZ)Cb68kC;l=Iq`OQ+#I!XS>=qT35TRdu4io=8M4c+* z=VhWs%SP|Jo%{Z2R;ZU<3|ORB*c>`FLdN_=gH8w((#4WB%fDQn=i6&3h-l!vY2SN8 zPK?6aaM4%Gtsi1p6ziWER6N}bz%~z|HrpSZP6~4&zCqjQW>^}`f^4msl)fG_Q-Ew| zV|7yKSqJoyZny0`mMe(QfdBK$7u|Rdeee4j!atG5Wk*q^wmx&s@WJQLZ!T}?ic?|? zr$TZVxi^y7X{L zr8T245)wuC%L(RMujJqU*$E8&GjnP3vi-V;-N)04uffV%c1x5vsI>+LwhIv{i(~&# zt#HtOwaD^(rG1O1?IG;A`)M#E*oz{knm+2}`dPM_X)>=d*NmyR44{(!6{+m;SKmR) z?3;z7fFgXbNY$FYF>ZSailmo(dpnC8XGS^A@GEKXXe%lH58^8HDBiL@%_4ypCyt%XTOJrmcYA`}q$7b@5bM&Dg_bzadzh6twaSWP!<}yG17OQ6a zQctxBbN*^J3ZAVFegVsI0i6JOmcyYB=K3epN*{~>VSHvaU#fA;)3Y^Uf}QmfZ_IZe z-_ei6W`62Q5y?DBXQMJRCt(4SOzlKkIL%bS-C}R4sT5W4$?D_+2J9qrDWO@l=-6K@ zPuJvlp%4fTaP9I__LbBGyj1Q7uDr7e>l5wYzzc|J_&M@F6K;2QrL1-&3Bk{_T$g|I zngJDqTkIUeu4IW$Ua0DHT$E2?8bxnFHDAIbLqe5&nPpGISk9XX_n7#J$*L>hF}EE( zlnsz9*L^|%eEJ2+JuV6cEAbXgggx*?Fy;N*+uV3pj6BvxTsaHd@cB-qr8*qB1fkRj zJjRK8YzO<~AV1n%p12mzz5eD5Ej7D4pZ#hjW>F1%6E8_X*o24jC(K;dWu-atDaSr7V5sDAlsE$p^Gu~(3Bdm2DBa5l8#?y)Nu+UtVe}cyqBTfR~8F9z& zb?NRB>J`o(e&#dIK45ii2agI3eq%=yvM$##Bz(*L&hnNUp1L)INY=stY_Zlg%A+@A zM14&sf&d>%+|a7UzT)j#zXdzM@;Kq3C)}@de(kTnCrNx;6&v+y;&Gv^baQVlk$g{e z#%rWLyBi#FUB!dY>ClSEe}E8JlKP$~Z1~dw5YAE+IURae9(htDq{p;&G$}L!d2nV3 z-&F;8!pFdZtkG`(q=VLmvcr65A>jEZ2dy(^@g>R++9X^sbtqMz+V>4O9lOBOp}Ap4U(5a*u?n z5S&{+iqHWT9gA?%gG5TE(>u&uEdiqszJ4s)lSFFuXrxT(t#VB?bIL-VjA|2K50VFeBUE}onJdwuUbtjL&E;VJb@aU6N|n8R>9 zXM#Z5hUad|yRv+CqLY@ao^rcJGubf9o9wK1QzXA>jwd&W84o}2-|~7z{fG@wtnWc9 z#h|3PUtU?3ID?O-^YCY<{0ALg2CcRoWm&?8V%Fu!To-A|3zwz^fXJJvW3ogu8Jizv zh9df6H5=_ZPvJz!t68GH#^-3`#B_E7PsV{kXyx|nqrjE z`&v8c;@PTHmaqT@es!;ZbXLQV?ZB-UKB8&$iBD{=LMS5Go;!_$(bY5D6zS>@iWzA0i)t>@{eeko=F>j90le1l3Wn z=#l)F6zlR%x<5-sA5c9zNZKno`wwLXADld%Ve+iu|3UtCeJtH5K8=s+j(U;6PY_eX&5WrHRK zsQF(F{E?f8Z_y6Ik1m&<(L$O0_XRUS_$FfaVnz-={<(~S?vfuBP!+r~OTrvZs5MGp zW-qE)a3Hs6xo12X{{PPB)Zp)M%2~jYVsgNXa?V7bK`9hzRy%~hmV7=4PpX6{)!@t+Agz)I4a;QMx(0ySsU^`h_I}st(Pi~ z<>mV@F3_3+P2_FvX!bdeR+Z3@xFq|GRa{7CtVEJ^27%q{J}X1x6s3#-i{`1z`vs@~ zn$`XU2~fvL4PZ^}<`cmaZk1y?%bLG0Kcr>e`#>bm=%u8jkmkN0M9r)9YVD3F;>)_i z@kYus8rm$84#=tb?3NZP-$vVTwPEBY^xJVDZ5BFf_^0irn!N*K;4sZ>jJI*JLL_rt-V=eTJK5NP_qfdE-o!x-17#3oG4e6e zJzk7|8R7+#)`DNsdW|yuH8vsGl9zt>&-=w# zgrt7+uOZ}L%7A_<04Ee(^XPQ4*1Pv~j=?)?h~cE#%Eh4k)2`<}bEX#BG*?}J-{uqC0P|g=thu7mSN^jrTF(4h9KEK_e;F6 zJK!fcN+KYIC?jS^;X~F!E14WtYo}~R@xTs@LxU~1pWNq1fHL)Cih&GC9XJeSpnCz? zfy`RhxSr1lY_DA!dFf@`;hU1ilK78=GQTWJesNriD4Y7CZYGfTlAT@i-5aX|t(Wa7 zeOCH{y=#E0yR*^K>V*0re4TTXhN62g%~kzdJOYxRUQTm}4H(l)f}Vn_yCFdHHt5)~ z|LpK}9@b)`VClZWZts@#5^hh7_;{&TpwI_P4FPjx?LgZ+xH4WG3X0FD7Wo7V}^JTSB>KJJ34s zD6L6F*Wy*e%og${Io-O0K<4je-pI@fjz;wy-fT)PCxOqe2dM^0WzJ)r5t^iU7sn4m zQQTGjFJ(wYe$Tu)gf0gZe=mRNP3g*Q8r)0RC;4aK9BHusSPZlC#BhtLB`!3Vee?C6 zu2t@2f++i@T^Q#>U^LKxJeTuXP)gF>_q!bEdH8P!0U})1o9N54N^JKQJI&C6kz;7Odi~n<#>m-m?Ayppsp`?n`mqNA+r{-d?9W- zmMs8^K{lr`ekCkEXe_szW?>{=C2G4&?!B`#o}9RM>`r};^6RstBNq)izuq%$o$gZ~ z#up90um!u&?jS-OCrfYlucTlfcaubqQr;{jgZy7h{-r#9)Asmx1l4^D^h!nG!89z1 z^VEatEGmpkJ|=k~Va?z4EE*LWdd@S)P*?(5dPE2u~f z>HlwYhKqc?0NvdPmC(w}mYZb~rbnE*%PdBT*iR{YJYkNaI};%~DO3+;X3R*K7h4yr zip+k|D-ys;cXfdiOp?nCiTwy;F&9VB4_gF;Y2PQFe0ny;MiBv6Wgx`}yE*oD*}J~h ztm67NNmghlt*~rLxt4F8!A#o0$->acVwoW#Qe(k*@{rpG7pGm?VBdzIhJ!gN-%$ul1@1DYz%YQeTH8 zidVsfHLS^qYz77C5r%6T_Z1yDf`xwb^b{2iL|7jz6SCvhYeT~iQfHAN?l@oPj!=)k zFp6}IXRF9C+MF3dL)s%a+><;ia%Kp6um&jOkp`9v%r3JXD$To>@pRKtL;P=VxF?qL z8uKmZ8o<}i@=PE`;b`BU5?Ke=G_yVKof1u572%De>*egG8MP8$8Yrltij=7YG?hzN`E67}o{R zsXFXS7bVqbeo!ZC1l$e2kWV)McwWSbt_~>U zHV$U&CE$oC8cJ9b9!d0wUc}t!I2s0a6P=j(9f&T>cI~RN5IA%6Iwk%m6;PbK;oJ3{ zWiTzO``jYCqS?Ba-tUGsvbvVhSDc#li^Y5Uu0EaRW3@f;#Z&{0*-zW$L;|g!Pqxo1XX+%MwOq8yaeb^TphyjN^4hX!HN7~e z87R7v6GFPhw7o)YoE)Dn@3F`OmTOlEa5XGfYRFxRxPZLb{Qk;+`HA};Bh&Ar{qJ=; z?goa0147^F2FZ%)FojXE!~W!Qs2~-_^UXo1aaF$CT~mzB*7O*lXs(x;0IT~6JVPo?IxE(L^xFFP>~Q-q z(6_hsf>Ocosu{JJE+Y>J9hP5eyW5~otxw7CZSE+A`?pW5d~~j#cb(J_I!PvUACcVp zo%}V^&b5$&XEk etLKoig#Q+L^5{z0Ca&ACF~j+|z4s`69Y_5teLEbM7!~7|)m#W4`Y!t6=F@-Jt2ETXh+6g8)RDmM5eQ2U zMBV?ExdaC2_?njozWidz_?c?=oBtCDlIGbZ5!Ub40;BK1i4;3L{aX?3InaaW+hRdu z|4rwj7$9)9bXiV(ahvb)QL@KS?WhHb-NTqMYORHo)`PVpBXIuFQYEYmZj$`u+^Q8+ ziT8E$E5oC4U%Ak0Tlys<)W2hV7)~tVTrxR@<+;BZ3=% zVqt5@y7^a>iJMe^J+_8)@H$GSOPw0;c3UdqOF|1SG%2Xt# z<3^7#Li<+tt{>sTX^14=0)(00N}IC}T28*raoYlh%XRoew#oh{!VZ61!6fi`CwQ>R z9J@5W$6p40e&Z>%bcwR@>%;O!!Tz{mwk(NmmVww6@s)`Ve`$0MKLeAKJ@iM~@X1vm zDRAt-zO-AOk$7|Gq)lR7K4?S(CWeu@lmM*eMkiYYsP%<9OG{zOaiT7NTh3J#taUve z!~i|GnO!_vB4PaSKaCLocaC}=K>U|?vT}O4Fdcuz-#BZk6r_duGMU|=UZH-rk!q6_ zr;<>lOtGIP2JT;ei^v~@QZ(QJqZrHUX3RXIL>v~|#@vnH6$&l9I=Qs&9)HkSm>Fov zOOl|BN6x4&Z5h|gP`u*9E#LW6%2>mpA2Q2L!vJ!gUEn$STxqrObpoQ6fE-MNBnejm zCQe-WwM;7pszdqp76*;m%Q8-mC-bc(rBm2}6J+legR zD);SQ*AF5awS4N&)l~|KvRG^5MS^1&cU@3O$w&fXBra~f>h(%vy!V!4V4LQB#R&() z-shU~j-=5sms%Q(VJ0tY7DTqS?O3L~r@>2H@V&lG#NC$QVycg@3f@P|vQCjZ*9D zvcj6B*Nywy=tI;trQtv4xT!LbJ`=dqm3rBZz`+P}zPr5qWgKf*gOuJhi~8GrR@J$DXLJ_tyQns2C6uePHk z;t5%aFYW8MIepSSSUr$d+HPgJsgHKmh2GhV9lfLxAp2$0womM^Ac}{oH};C2lbd*r z_0dbx?0yxwMpjXu#yh)*tdgWdzPaR&Z}$@YZNNZH$>0|)^6$!3W71Xdxo4iq0w!6+ zy#LE)8DWjZ#(Q48pecLeR2zA3+sV(4_0pFGw_mso2W^Dy*7aMRY^dKlPh4&~_Y#oC zVT!N#Y(NF1z}G24#iUGwIGTC7T7fs}p|FkCxRZ0e8QF-_SJJjaS)!tpPp>kK3=@tf z%myO@u-n;eHfUN%;(HRt8+_%=hFgP^eAj>L<6|2h_V-K*%;a}atx(q53$T%#e4=Lz z*b*KYrw{U{n9FZ@olg48Zr!i*KIB`Q&3)oNXBgV+;=A9Jj?#dJKoE<`rE0^F(c?Ul z3|()T`~keb@eRh$jb;D+D^zMDUB`t)@R(ig@ADsrc|UC^lu_}aVS8@5xi#21b3Gop zH@@HNlpaQOum}Hxv;EXMZg#QxABv(+XJD9*p!b{!LYHT_Zy0c>gs~ITiTu1hf`PW% zqu=x>(k{F0<)K< za&KjMI7eb}ChW@VBe{!`t4=)9eMk)0L>tF3gKd{_>E$d!+W3NZA3~A&m361mC<+q}cstd+&$)#s$Ys|byqQsEECYBh9 zw~WwLm9i-IKC=YL(8I3{dWF2DfCG4Ek&wr!A!@iWA2K9cMb;C>BoP5zv1s0b@fU=@bF{f`&l(@M?m<=DVQNO4@=pd0t%HDWVuUjc! z9-mZ`%y*yIj#IXeTF|{omZka0sFhK@tzk}u-e;R&$mN5+r}HCDQqes0WgRXNy~&Kd zg6ler1ZO_RxRO&E^Q;vW%eF{SEToOKMYZ%SZ-??r; zM}7J-Dv`N-v@a$hsu|y?o>W2eD?Ak$G;cJ87%+3e@;9;5tuc3DxA^+ST#<&_CvmeuFD)_e(8$MGu!o z9G?4BZ8=Duqi4&dyIIWYsNIKtcAE~sf#mVr1IVFtzBM!dv6C*BIm?kGcA1#Y<5+GW z;FN0MUsH6xK#v$F#Q8iQqI_ zTfcuqB@$aU-j=E7_nZg~2SAgpx^m)A{|%w}S`E2o>~fsc?^t&k*Ph6sgIdZ!HE%9r zR8^B}F*%B{no1R4otf@Nv>A-Ui>EW-Ni)B^s<|x5!dK{##*_h-1%9Nv1~6Q*cf+# zsr6sDQm=L`@3XdPd+Ar1nUoAU^4w|#NFbbMMxJetne$@Xv$8HvH~!gVCwMRV(BXsY zS3cc2FQnD;WIduqj>|K&6QLi?q3fL&j2a6V#2iy-AEf9o$gFCliKsZY9*Fth4;Ygp z7^v=JK!D|dMbucsH0tUH`ISPoY}bI`ChdNE_lVY&QGl)}t+!y00aEHi*Fc{WkWY`l|I zQV%(l@$JV;$$rt`aX0*}tGn|XUhvgTu$(`&*1@Br_9Y0qo;DgyfNwgU8AY4kjyuA3 zO)uACWRWLFxW^KCg~t=T0J46cj5XG+>@_V3ou&i8mXoi>X6TdP`&*kIG$j>kB^oqS zB<`PGh^B3Z65r@3sowTQ(>;}M`=;t~B;&0X%8j-#`Wn3{-hH`9Zdv&69@>C*Z$uSA+S ziEMRGk9$bF$SOW&;OfVzirq|VKM&_FZQ=aPVc?7$mB_EP!^hZwHR57}+_uH%_I>~q za^%-0_GDSm1p`QQ2>~0$y+9i?p-vH%=3$NGA>j673p}EemxvMIkxJu7Oyy4Y(>T^N z0c;3LdVQ-yu1A^NC!TT(jx%wj!XEk^bw75&MP7_FaOkmau}*Cg zU7@Paosa$YjMgb3(t|2$Sf8HT*5+_}^tO zxW20qIZH#pEQ;H$ z6QvcHynvi!T}_qe=hap3dL!5pc^V!rIayg*r6>Ww_Buyi>sq(0jF3r1a|L4C4_0qz z5w&Bd)M?)s5*_Ps^%isNt3+WOE_oL?azq{$$#nITCLw`ouCr&?$sK~~O*MJ9)>1=% zg0E;2Th;hXCnvhIRg#bvvbq<}!b(S_Fqsw{%q! zNooHIC=>Jy`9EC%Wo>?`dyJL4Yuf(XokC^Q$7K?YLb*DOj7gD<$*(CcVcwy;-nUJ3 z1sK^2HipH4FI)1vqm@k7rQnX(&jcsueG>L?km#qJ!Ervv(&$~Mcx%h#K~Sp`6y0B5 zCI^t~d7s5E5kTzaDG#6{`{7)q6&E(il667y&SXi^pmkxfW;FFUY3mzzB0mdLo7w5{ z_t2RFC*fhW94|Uw&(=Zi6(v)<(37=Sld}FAlu-;LBqe5Sm#|M^xlV$o$cK)nwYVSG^zQ7bRQSL#|M2G1FG(T*( zMl|Cb7rbzs&~m%=13_V9)Z+xD^}$1ykbSkQ!L&!UA7!I9ea&vXVFoX}3$_oOha$WY za0Nu{9(v za8Fp|J1fy+jaqrF@YnvOBCLprUW=FK*}REN*`b-B2!T$gH!z3$irsAt_bm^2)T-uT zS~H>TS(a>LOj9iOz=RH>LPQPoB5&jTE6meBILcZZ2WG(SkK(Gn?7VM29ps)~EfnB(IHIX9#9BzIWB zy|ocvEgn*}$MT*fe}Criz*P7i7S1G;uQ@H^bCv16Zta+eprXRTC%;8(W9?n-O}w1@ zCAS-JIrs}YF=hX$YVw9i)9O!;8mbZT#GOt-R6`Dx?RubXm+qEOMjKqln%|bIYuLA7 zFi}@Df6H?ThE;I?YY{p~2WHkF1)mXoOj{oC4vQfBkKU2`M zB}+U2)_HaSs1w@M6o*a^MWX=2X=}DL90hcQ%_a>dtIgj%Ho=07{;Wpt;B1M{{Du3y zTZnFyTs|p9_wz%o1AwgWt3IPh-$IfGM#!<`HhzVrFv z8eY@@2(q(rz=%buTO7yEt>aMg*K>TPmr2jf>6P$G4QoFS;$AuyxVC4&D$~>+>N8z| zEm~GNBo^+yUAN4HCRs%FNT!(0*uDUfW?_zC*!#!*fn8=Hw3czqTiMTX@@8T4$2+!U zlSrHUG8b~kjZ4u}q>pR``nK>z?v>d(n^=PSGPP_4%X56TYs9>?( z6FM10!XVWjZjkJ`P*ggUA&JLG0E>@fQL<-*W+(wBT71jDZ=C_nJVlW&BX9|pMiGwjPC}L&bC^O?x%CGn zw=(h^n0!N8c1uciv2#M$tu>ZD6@h?Mm}~C(>YcmOA5yBv6)_xdnUaUk2p-O<=8@2j zHr-WW{!*etFOv6gtqk=xl`x?b@;L`;0>Z78ybdYPs^?D>U&^l4oMeYApHB@6Zi#@S z$_o_1(p#7<-gyw8VcWwsv*$a(PU}AWcB69*U(m*WfA=m>q;D6o0axg&zZH<`I{O7x z&G&0}@upB*595LT3djFCd~#lhlF1}^$2?y3JLu*zzgiih1NRX7E-lc9fM-n3_Kr}7 zn>bYsPQdqJ8JrVO#0UuD>`dB#VGnPG99fA@jt{?%QW(`cS{LYcuzQ`7W;1n>#eix? zdgWrkZ8SM8M6VE(oo6XZkJ(cslG`m;!Jw;R0}<$EW91UO#2#?9dRfe53#GWfg{D$-Li)u(E*qx$pt`BSs@o>Ckm^h6dD37;cjLXQ8=mWK( zWjS-9tyur50f7S`LfDCzJi7h-#@_rS*T5k1y)a#R{IcCCNZm%6xG;qH2fo+f9+xbfD zYZ)j?MO-zsy*iu0AraBH^gYGq&=<+5O|?`1a0uJXhj(AjB!MU%_pP$J!gp$o)5JwjS#)1$LErMtNN=hx|dNw>h2wmBeO3{w={9_ zBFa}CjGiO$!;*AXsGovvo+VRG-+A@1igCejI@G}qoUKB zS#5?j`sLaSCEgtlE19FSbfW2ICjsF7%4*DBT^H&*htzl9$B;9^-uZI{(txOzOC;dd zP}Z|d-S?^(yuW=q$6ZBnBHJJR(3b2^eQXRz_vrI~%KXqunJ`}aTuYI%2W?Nhq>pGt zJLs;Clvqg_Rl-Jpo6&`Y&ZsDAfRBFs)yC5DzvN)f!`(aM>C}zl;>#)SxT>$czm82Z zuT3H=|KXICPtIWvwOg6FdY0=<*v zc5z)DUGK%0BFpWxWCtWzDVo<{lBXL6GfSo*)dZy*{n!y=1VaCq=lF%${KT7B` zIa_LN66D2n^)Nk%C&PEQc!CTLnV-Ehb>x^OFxGw|!&9BjvXyPlC zoFGkb{UDnIdBo%_XBj9z<#PVwITb2ZPIm^V{wCAV7d#K z@#Kr9+ZJ?8Bhc!6J3F87OIP{%zR-A!;#rIfnfIJiV1c*GR`?uWseUzsOe2hK9*Xt9 z4$EsjO_dlp3-j(Ho6lx4$U(2cV-ohNOl7_qPae+UUC9he5W_?I_8_Bei|u}h^2UW9 z>?gTFbQ`u!mwwxRY;U{wD%;sFc4y>?h#Fkc{3cDxHy1E%#Bp8-M;7?4J@WU?`Y#hk zS+cviB~0NS@iR$z!0vOxAy^FHMr(z#CP+@4B;K;R<78_oX4x~=!Ttfzeg~=p?LDoA z8?yV49z|f1_^C|B^!YlrKk0u&QuN(oeL$nU2pP=va{)5P(Eo?5ua0Uue*Z-gk({W2 zw19{-Nas`pLXm5es)?fz9sKM{BpX6a|@B9!PN49wy@68hN1hk)y z8SA0foS%Q)*O*s(;?~GC4bQ#|OG3Gt_D-C#oUvFd2EJrI%V}s+DZ*hSc9rPP*IrtW z|D}*AW(MWmUXyK>6kHZ-7r%%Vp4-uz9ixMM8_eXuJ9Ch9`OD0<*SuRym`!l`OX3Z7 zs*EPqpshPjQSVqiIr;@E_mw<AIv~H%C6(0$E(u!F3Jt?}oMHCoHuEwR=FmSo-<$X_%zr&Uok0bFJ)V-Fh zFIP3K9FLD<#XHXqcKqX;Z_xi+Mum#C`eYgD&=qdRTxRw3QRy4rZi!>9u+fJO)?L;q z9e5+mNMRAY_WHy$yVp{3P1T!6p8m(NC_QjcV&m~sOT7@@{y+;nBLBO$zM3Z8zLdP5 z0eJFk(NlO(ri6XG^Zws}|IAR;ieEO$s-By!rK*7wx!My=nZhH)<-)k1Qe3Cc7zsr zCtXYpwE?Wm7azGYUdz{WdtmkEYQeD~EA9;JoVfXDsqsQ_hs9&1Pejj(Sshl-Hy61S zNZ7pX^WR>&jTfjdnaacTHSa5iKFK%K-;Hq&=1Nt-QvQXQUY$#ysT z$IEDS4h*rVwV2fyJz?0Wy+#=M|Wwhg^O9TgPTdKlP6fTJHOu3 z>E8`4Z*&~Xlx=_L(DRd(2uieiAv@n>=^@y$wqqd>rsg|g8mE=myjtsUcjFl-WC@9oRC5p2zft=pdcAl~u^i=udJ@!Mm+KCuq z?b$E=HJ!2CrReaF_^=d}-7O?>c_8cZi;k1YT;ofuxOJA!P-Y&!EbZT2F}A!l-i03C z%268e3#ADV8Y;g zP2HVIn-AhoSG3E)%)O+Jx^mc9jYJE18UHjaUf%Q~nh(F_PdOb1f@E#3P_vI$zlC+D zG^GHpWXX?X5=m4}Hg;)^a&(xMJD3;B@W8wTFL?jCPv12Go+u>E2x_t+mOqL$uuuMv zu+Y@8+Ym4$!Yw4V^{FBP8twRMdGV zOLTSRCFy66f6=lnnZ%rl^qA3g?VQIfKG=58sud9{pxn`jl~G3cwla24YesD82Uv$l zlMM)~SNlfM7dC5079^>KoC;!{Wkw<8!>)IBHtU_kT;?@L?uPB?7yi5k)H34U>qz_` zKqh!^IGR!_bJ9@fLY$ho|cgL@NbAD`n- zUl!si(DtyR@_OsuQ=xbWnWrU0>|}ehAM{|@QAC1$MDSohczEKfBRpZ5>M)jmYpS+| zQsP(Jt+@NXr(L5@*4R9SJPhM~5w-;sCMZqRAVJo)@@rT6nU0aiUc@rWJ<1Ms7(EFj z2GH2Medw=c_y zs$TDfSsErg;pmi0G5k)SP^;$jzge%S`Cx%~IQU@t&C~v&p?f zxYbM{EiWk;af`d&%CXJjiZ$t1k6sHkS~!5mpMw3~{I>QkZ{A<%lr2Nvzg|xZXg@!^ z1bW0OrS;zEG9yQ^L3Uj~@M8R9-)mJvSL-{~VBzz3peu8beSw>m z2DCLte8o9Ap5Y<$KgQWIXviR^(i{5xmmbIxY^}m|3K1mi2qu% zF{0pAUXIL|!{{p(7*}3(c&;uqUhX*WI$0v-D4(K7>vz!uqLer-l2J|LEW5shv80>? zHpH9m*FBsp_c{3qh_htYw+J{f9d7NP^|%47Fw*c6ei}EucmUvLl;~%&KjThM{~gKz z{zk5f-S{!>O)a3Sr{3ppMlK!A&D?{bnd zBzmz%M92~N(TW5Tz?hr8`Ph+>XlpL;gaolj0h~RnSB0{0CyN)>voRa2PCQKv3{!lB?XhHQQ3UEazO-<$y2ad{ z2oLeWPisc(qZ^8;Z#dVq+}Ai1V=ZPKSzKgPbUlQ#Ir*hT2hy-{dpoU*mWbsRxTa1< z&rGO2paSR*(t|J_>#v4c8c@snZ0MQZtY3b>WRLC+6g!lD5x0#fdui(S24}MXR)Del z)9;at?JYcf(R%atsVUEhWZ#uk>B2PBQnnZBG&%AF{LzmYhv{v7`%KR-xaG4kYjT^^ z_upHPCEZK}HfxIRp`6Qz^3X%wj^>7uMP9pxVU2IGsyu0BUlO{~2kjdgwuc71M#0dc zjc{4x-hKR6;BivUONQ)9uOaX@t0o&c8oS+&Wpf_n8UB0d-+uLVxfBn%PPN!*N-7{; z?i~n5yoBO=1^J&zg*GtkxC{Fu$^V=74`d1WRT>Rnf}6XsSC*S^;->yAR(kZ>LZ~PSr9+lv(3W zXd#mLYv?@LY;u%L(_w%nzuwY)s z2#4!!&UGs`9}X2O{R1vuU95znueNwrnP}lB*vX1Ps$m_yQ-7{e986L!)AeiSB|5@0 zLs#c+3j5;nzd*l8-E|*-p5!jLGRsG2;&)b|jLz>Ru6_n)*_vXOv~`W>uov}vy^rkc zPM3P+XiV(NgV|$c#-PPanpFitM=;aNijF2qdc6F}se>wnqsBVVu=5IsJRKr?%&A6h zR0>`&SNlniV-ZwpbQzND);6+c(LF;=Pj3-F=G1}aTeyLsh0)HB<(2p})Tx{PfOrJ@ zhUB(hzDOj}WldpwatZI$yTji0eZ3~9E{TFR7gKN!O2wG9j3jOW=LI&ebLt4`x9$>D z7ys@~wy`q8ar}62wR+Q!8vc06H3a#>>h{-<;3gUar)ok%w{~$80-c&I+tWBhA4*lo z975;)<*DH$uN7y>#WjnBwswX>Vzm_?X;1J7g1BVo%pnEM93l)uRV2-#(%=Ks7wl&FoR?w?92hN8<@9 zvLmX?#&Rd;r!HS7^Nm%8hWif2G|+$OkcZ1gC1ul-g1Xj0^JkPn^R%(5H;?=9hOt}+E+_avc z!zlA}O#9mjg7`HteByOPO8V=^&(o|;xoWxZ8i%Ugzt2wjTGNp8v!_)6IgjyM^E?XD z%qWGzkav<2i75?M%R!v?a_+(ccIEY>2`~{Vl&}tbbr1Wvqe~d@H-TK$>FDnIdtd{l z`&oTTQT?6;ch3fiVhkf)SEiHA%wL!8k!pm^#Yhih_xu`XcJdWN7DUD#D1+|c$dz$B zI{n#W-N9$`@$|1MAlC0nV;gt6G?Nk-n4tyk6UTl}K%|J-Q0aS!Y-Mk)u_vnn`=!JzR)wq?Tb zxOmbq#kcUgu#bs(m1)3UR{Le1bB!UI!FJx7r2*5Lc6Io~*$FjwO3ANm_QiJ6hH8mb zrx3|Yj)`YB@ldu!p~Y~o@lT4D)m$NUJ26mgyZSd7bA7fo?LkyHO5wqs0hXJwgXn{l z{Ef9>i)m~iLUA*UQwYDL4z`X*fpZ$RML_4}LKqR-d#j$iy2+hB4w$472kA`)sxMRy zUskk2Zlec_cbJP5C zlpz;!I-LdDJ)H0{*{+)`H$86+d>g3)&cqSrsxt%U(53DR-a&k^S9)9w7-2b2P8pxU z#)FdK+iGkecX zQWvdPPqszxgK5O((anWq3Ej)7RxzGpA4WL9wK=n9%P+#*r9R6A6ns(mDZ_AG>=j2W z_lzq(sq@3n?O2X*-yH$3zpav8naBLq{x;A(2WuV|@X6p|D5dR1aeR?)Ij6SH!_N~Z z2VqKaz}q8v5FOrIU`clpHVoXaM9eo9y(?d*(s{5>B+65Xs=1s-;2ApK{BsA}54MKS z$}FuaOL>)jn$W~x!q!77Zp+&kX?wh2VOX%XuJ$hGbX*}?GKD( z+F*i#=Y}zyb?4z@+PWa>koi~7T@U7GL96aHv<&@ZmGMkG^DE@7yx+l&Kztu6h~IE| zyxroU*viG*3YsD)#L4%{n-8ja)t<`Q)aKX>8OcQV^6{&--9S8gUf5@4SNzbdC2Qj7 z%E>Ew$J$BWR88;b>(p5xOe=bpXl{X-#V+zYqj|m=9yj$(FL5v67*AVr5&z*nouwu% zcLT4LXDp_Tl0V?^HWWaxLDGv7Ag#^QSpKG~)fY(II|HGEVA_!DT`5TGg+9ZJ-Af!T z=1`&4!UjcZuWc}%&TcG)#gAIMVY(k)e2xO*&LnO0T#A>{b2c zq7T~8Bm)c$FL~Hp+l7XYtD&7d=b)1Zku=k$~?x|d(`H+ zDr1y|K%LbScrzral5`EHRX6PPfoY5u}q#aN=d#Z=a!%k;|< z-Hk=o?j|8YwZ!n8&D*Up6@eqgqc$r5#me>%lziPtY!8jpA*v%dT5 zmF|NCK*c%K#Vj>t)?Qd=yf`%2|KiT_$$c2S$|&Zd+PTH1`=fLOzL)&WG$xZ24~bV` zTDK&^w|A5*PKzUPw9ohgQe+5V1g#%@mC1~q6LoKTyD7pbPaY}7uK&ar?&>@S`e&Hc zB=T#>KSDLH(b!TE7S|-DbMeG2%|>n7BLXjiNhM#Z=6mo*uzPHMr9G>^9IZ3^@;p_N zIa3<8UqzhknsaMySY&DeygEV|qbSv!PV#OutsL?13F9X7`Y!VETwar&ner?FIH{a@ zKYff(FJI+G(~CRftiV}Y9QNi$V3=pMigY$%E0YeIEye1(J-1-o-mMuRkGDvmq2o;F zI=PZ}@yd8I%}VK+npS3AFsFi3l6C_aWSxwU)L0I`U0fwfJY1^JqG}a6iXJJlwUo|v zCzXu6PflR-De1wD+4XG^Z^2~WJ3Y)aEaD}5j6I8LDkC#9Qrhmg4#cZ*J=C&yCTKl^ z{4ESpn%fnXiSj^uNs{?|GA2b0mc9gO{4M6}u4OZ`Tdej*C+y^5&%WLcwXlTSZ5Miw0`#-v-HG`$&`#?s32 zw^erWD$@NxXxyY)1KuRLs;$$(Bg(*cGLd||V5%OZd(aA3nYK4=M^+8n|q(NViit zSogm_=776czIhXb`l0!wjyv<|{6H8%acmDcN8YaL~vKkjx zj}wC7K39GCHR*wor6jSnuhstd1SK`3bHsoPDqGf_DPD31QTWZfZ<>qGF+LvbjR~il zXE^lH+Lmg=cbVFbk`k*F%|a&uGd((kd-~<+v~Ci)xV#+^W5?*hFur%{P!^<90TUwD4lTCa10N#IUHVhi@%OcWGgjOnc=+s(Db2La^HAvn7`xOeow6Dl zh*Q8&A7f9uU`GhJ(52X~oEjZqrALipr+9AeKAy0}ggwN^UzWnLH!B4|jP)14^T{kX zud7CU>Gnm>s){d&xNeV_rb*gW|6mtrz`GIVfiuLrjc*13!rz9-H3!n3C@IVxRo~O; zSex+ic+F{#`VKr?Vk6Sp7q+$bACisqV8R30%soQD*^kU-iGx0du5Z#DNN(Q0naV-s zAVKWYsYb%L-DF`rJdI+f=d{fa>jB^NuWxc91#XrcPY19Oo}7PqR{dy{U^Cd(8xY8?rL@Om6`*G0dYiz$I3=-) zIf){2ecIk{_BHEbjRp5y2Jcn(9YyF+nMAsl$y43Njrk8F+N4C+ql3XYW6!dAVJ${_ zD3!ew@8ufNHR5(JN4gyE*eRzgy;q9wmxdYlNHJSaoY!>Vx{dw^mpMMz#>$OkgAf;g z7qx_LoKGJ$K;y;B-NRlH%Jwl)49g7j-r0i;WMkNT9Op1_K#3T*SuH)f1Vi-=Z3dmk>eOE2EK-aPhUY0I&mJ}l7!FpXaaiL#7Q8&3iu>E)SrP)s zP#p%Zj6x=y&c>dAgQ^N3lhxqae;pIAs@Jf{5?y-8u*15XpLgh*dRQ~@yVkDL+pWf} z_Oc7!y;B1)^~HM{_d-rkwSCTF@h%&Wm)!3!NGMpZ=xZj^ zTsn>Fm1Hmc0q8kA0s4v3*4lLA_CA1s;-`GL@84g6YY!hN>3g?Pb??1%db|FC#%Y^C zVp}RtcjG7TRX&Sxz^B_)!jvwBP!`w;8-Qu#&JpAC*r#hv|Iui-UV=9&WY1NCbKA6@ zKI9Yi)z{Fbl;bWH@ggcBcRUIMi5x}9Pxo?A{?eq-y!poyyZ(=m>Af}8W5@~>@b{IL z`*tzhHC{M+dQ-zVN!PWPGtY2DdS-Nq`E0SPe`15`3*A=L9*%yh34Lff67UB5I+=2C z!OO90?M*r+1>|kOF~7Z>!Jzw(ESb+PH@H_22(uG#Tte@*n(h%&l4nV|*?d0dT6&DT zQrVW=xDoVZM@k9NCQk!IqA0SN(T#*rIgKGlV@DqC23f6Ct(E<6 zRJ2<6SguqWJf@b~^%>4iJ1;)4C^mnj-%PU~Fukz(cJU|k$>83<&t{3SQhG2t^*}ym z7SdtBAxuPWe{nOwv293IfF(Uy{7Vx4CaAa8gtmAxN1Ph@e1>VvsIU6AMR+dC!7#6F zX!K{|Tl}E2vZa_=l-*=KG`uH75S`0qI&bC?TAx#+OoHm2Gn|+*8M0sqiuSXeQy9ms zQqTqix?*_G9sIA!}Bp^9{-$JT~?l@>I>)S=j%TAYYJ;$@*LNMR`Qt z&TvC(lh?_1&RSwsG{`>CsROO{{0ZEQh5k_&&_2d97!1W?y$-@I@vdD0QP*2#3Umwu z{60Z)$W>k|!imhZm3)H=(gZt&Rx2Xp2PgxcO3+c5h}5YQByI;NQn)Z2j~}Y|Tt)b= zR}lG~uOMd@ozu2{OYrH}kue;4L`f1{TngkaK{kLZ8%V6Vdl*mT*P>y+Y3Lq`zJ3p5 zG7t%!TgVTI-ZEt`d$|3gj^%M5_m9%_EfWkP1l^^5s)b9XwW)W(11YJL6Z`6I3wN#6>9nwIQ{@1*|Ig-QA}S zW^sd^iQu7^i@3HA^2boC8p)!{*51(}&ZaOu2oz!uxxUE-eW|<2QDXL&xW#v!k<=B} zvb)>4h&xL&OWp&2FX8xF?jW(X->_j7edXAdW*LHlE)3-miR9xN*DjCPc++a*JScZ7EL~zk>zHT`fD#{0{Zszw+2%sUV$3W)eMpW&Zxlpxm=UaV)dj zgvK3WwAC=u2*-;Sv>tA`IJu^Dsd9jz9T5VHSLl5g9G9+|xsU#4@{-Il0WK9k^I)B3 zth)tLz;Um-G{JB;{80N2Cwnm{^CsaV$fxvARNm9Xgnyh7>4*&eb& z@m(>#xK{f8P+p{+MR!)DMO3*DR0gJemGE75Orhyp&?P5+Nc@ZN50`-TD88mkC^Mc^ zJ&OJPA#0>flcs%6;yPcPVkLz+QtG`wcj#?m$|u*(xVYVV^CFPb@n7q+V%W0n8}H>f ztbTT<8oQPCYkf!RCyf$Wy^cXgy~`tlPe#Tlw?`f*o0$Z>iU<7UJsIoKpVhFH@YE8J zY~jl3BVnSK${YT}Pv*5x`}eV735#5k>?DBsr~gTjaeIQg>tvjWGr=TqQavqcIBh=^ zwoYdrLs~x?#~a(GvWYjZk%W042q4_c%4)XFONR8$7o18xCDN1US@`q{9je*bXW(;W_F)(RJ1}C1%iv7f;PRa`Ya4SM17|$IakfFi%~}C2PM?wHXbDbviccHKg4(zxv0w^YwrXW zcl@w?aKdhhs~06{KvhB~n#`08s!&%Wt!SwM2eyVvHsgDTvA!>0zUZ8JA#zK)aw5iK zu^UB0)5Ep1;cPJu8L#8m7N%Ud(R7_1M`MnG&?kLE({Su%2#`r}(aWtg#i_LA`oeU< z=;CthqxYarNAvNcf>EbcPiR+DhSnr5oDARf(;c&aw{I0ic@z%_PwAxkV2;s-!0Fy8 z;8o7Z7~`XY7Mzafg*x0>w#xk9O$ERIN1sayB>vwbO{M|aou7jKU1*2?<-m4nZgyNk z#IFm9n5@PdOGdw97*|@-M@z>|n&)W1rTyZIaUK{+818G8)cXPYbYx$s-LQzq#m92T z={pWfOszCGzNQ|uN_2WC`-ZZxt?B0DDp3?YAs#fi_u_gA?`Xn!vGg#b$`8zbpLd$fn1OI>9O>Ywd#PgChEs*uZ&v`2qcWf}VT<>9HMK^JVL9W!uf53! zhj@=qFi!*RUB9EYJA~~TOK4*gWR197Dhp+^b21lCxkKb=1Yn_6L1O(hYC%E1{>yy& zMGDo1nPH9Njer`!$2S__PySVyWO{l2a#^O|`jwxpXY<=q3J_*t>bGve=E`VyNV?`a zwdp|Wbh`t@$9Tp(K{a`{*rn55v1l@}BK3@a$J&C`|(?#6-F=F$WFd zxrY0>K;x-Dj)F^R!j>^0&C>a+ec|B{RO=a@fwviY2*IISnH~uo|L;qoYp5to%UDb= zN3nTiUUBe;<^gj2rZ={%@H?hHQl^#}&HFDB#n+2A+~bNo?%jA-ecDlITV1=+bE9JL z4ZU@dQUU){^D>0vGrsH~e7`OEU6A1IgfClbcDpxYiCKK#OH5=oq}Sm&ohBM+P*-M# z{jE>KY6OoR(KFfIqW2D#$k571AOjaQhhmIUtJEt-^wM$by@FaiUcZ#JJBG!v85|!% zks%FV8M{MfbP8;6_+Qu(?!fDy5zWk_G|>Cf?S!i!oqbW*w5)E5bQ*Ks)U*~04O?)) zV@Y4A1l|_Iy%k^xRp*+cn+B(qBX&xUZ#r>^?`2R726e-LNYcgr^BR)AgjLRNQf~=J zuGU#2U(8#vD3o^feb6X6eZ0Zru&GUethH+yqy@U)`W^iyMx<>rlHA_t!YOlb?OU>d zEyK0L+9FNDn9u>?KkSR(PQxJ`MX2Oas*suQdDBuRhM|N@67{9yn6^MU^9t`k+Ts{i z*UWG0S_OE(f8=!@?VjDhVmxsX`sOoUKIxK@LWG=H#7PYuQ45m0kn7S^9TDu6f(^#) zp^cp&(V|f-FU3Z{Eo=5>$|kD+F;z&^e}O#JW7w`(g_bF*qujshPQD{=RB}| zJE7B&z@Dwsk^BB*C5e~p(07FgcdV{Jamf%Wz^cR%U;JYRFNx2RM>X1MS3fx#*J**i z%f0<^yP+>ICkbo!J+eZm3vaiehkKd&Dn?K^zVtUU`8<65V#^=Ay zmBW!i$?Z7K(UIBnJ0QN`hddGBVc)~N&Jy3eV8pY!SBX0Km@rGR(dY8kW?XmDjvg2D z9z7=R$-N!JFB+9B68uMs{Kt9-mNi-!HS&UqIsN`5=-{)ibiIFn*Uh!)Ep|hF-vYx- zjEq<0kth4%d$>n)3of=Z^Q}F$Q%y+=9tNU?Bqjh|zdC6+9Vb{x!whgc#LOsu^zE)o z!1eIeG~%q{7Jd{=NJ*L{y*5AX`pZ{c&JnzQwm4|oKiCw!S*Abt!KKQP;&Ne0ec&`WO*vd+-=Kca0BSYu&?nfg3zdR80qmOPTa%BP8u; zBlHCI104TBb_O{$6#~G6M*hQSoZr{T8(KmSV>W?oxIVze~bkLwqD6~b)bZP=1Ym2tG4dtW6 zrDg0+`rzmny|7iEBew*YMHKP;RWnQ#Zi+LLK_6ooR>kDFRTQ!L&J78|rRvZF`rGk24)*L$KG5=c3bB#hx?P zdhLZ8xh=Re7GRtWNzh&TADtu-{wiA4SEOFbEcu2CG{eoWac0hr4M)eZ-`*hc64{5< z>AX>*H5iNJdF(1op^O~_;ep^>R)}arSnC%*C_TJbfZzmYpx*FdRE!e{5iqhGbGtEB3uVKj6Pe$5Dyvj^ z+QiCiOGo*NDsuxFR~=Z7USQ-@91CNk*vX><7!ZN z`yvI~>}RX*Okb13`SwjI#Poha#AhU~ ztR+Trm6~T&`4O8Yx;aJ$*K;ahD`Nxk!uE=GQRkL~eEMk!abGx^e?Kv|C(t6nVXe@F zHTK%DKu)3W7*xSrt~SNtJC{DzxO$1x;VnC!awQhO3G}Yt#X|Q-Gj~_Pe%^fSRs;{$ zL~Xi8HB&bD?6kn8E3H&!L3wRRV|&``?Bwa2S2G)%%YgvyAV23VNL!m557AK7e?uYv zd96NwcZ0D-Lv@nz!;UNj{{uL@ho>NH^_;)c9tLvcJJ)Ln02)~3?J4ju%WjlR>{o5; z!9P4+q+Zlj)MKy0gf7eVr~qYGf_F|l+La&Vu)Vz&*Z6v@S9{O1@P#YW!xe>)%(Ek9 zHvXmOky7xnJ|5X+ZRRwMnXMV?^K@1Ii7b*bO)boAyXltqLqC9yvTK4Xtia$dRfSw>{V z_B5PU>W0Mje9xR}YBv-lF^TxZujILN4?rn-L>i_-?8LZdPUiWJ{mHY(a+72-4rgd& zG51C9@d+91fj{Pa8gZIp^z?qzmHIZ&eSHVl@Hc0?f1*{D;4(WIu~KF zUSQX!H7nm%gqNh{Mo7fnL}m0oZulI3Cu{$ugQMIlheMMpf`QNT2(Tt?nRiMhrXF}z z5*+OX$2h61Zif&q6{ajvRt(Lu*}+apRO)BWk4*4tn$g2`%xbO0OKGtdg<4q)6zFCP$RRds6@0hdQBNnIMV>)QxTv z1jqZ7G1K#o{gqherI@q!XJ(;`bX~wc=(}SwBb^RJ@6f;UqG{$PKA0`f#9-QmX%RdZ z94+nG?T6TlU3mN=2I{Q0h{u>Ib1)ay+29GkX(UZ+>^nNOGAKMnC#lZa_xPR*)^@zS z7I)j|(mtbf@ZhlJ=v}I?ZPVqOMTS=^yEC0oO6=$DmP!69nf&C3FJk>9$(vX1^2CtT z;i50aea@CDE7iMm|8(g7-2n_iV})4*ISOF_LRGFe1*^(eMi5a|Be=P zZl2AGJDHewT*%!t?26+0p3KM4UZ+$`X6tVApaOPM+|nT{aMTU~`H=YIlY|=r4cc4h z6|SExzi}b=#DgM&ql_niKVJ7_UP%XM%lh2!s%Dn;zEW|5Ce~Ht___flH+qHeWwSr( zSYokC^=Q2}!S6g(e93oQ*UFq)=Hw(Etpa_t7$beKeOe$qEG1074SdGvK4aQH&o6QB zJS)|ah{SC?%y!s(L+9JU3;ph=bjg553OoQAz> z417K1Jy!w#53_kPSC_%$S2O#&B^8vm6=nvfe5UwWE6BN;+E;daq)L9qH9^%+dv46B z)C6{W(vKg-@rXH|{;4gBHMBBVT(mb>x+~FKbvYPE5IE5 z`gQr71L;^Sn1#LuZO!6u$pxX{TW7c!Tb@v9W6RaO%;lY1rDz{7Q` zj&@)Ndm(-Baw{Kw&|Cp|_6G~uZ>U<4Ub>Fi>zqB%M{>uxR~%oqlL=H)-&Vc))918kF^L5^0V?+9<%sGK?s8$s)#c#2l9@ zja77&{Yo(ue-KtbYpEh>jaJe(yD|D4EirAZ2?2IjeYr5`4Pef~-D~MNAHG>@)LXu_ zL~mUWzskf7WQmJc%JN-0NPmI1#7WkRZ(uE__VxHJlO@52c9g@de9h-nD$O{r)3W+@ z^kEBV$G4Qdoz-9snDuBV@Jv16tXuES1MC_m#Vg-C9jz~C*zpgd+zmOixm7;j!wOV{ zg=)VtC;RWi>qDk>U`{(>6x-$Fzv>E+7yAKadSqW?NiPpJ4GU>IxQ91% z=2PGkpgI89)!FLQcn!uBxtq`zC*DxUed8uit&fl%p>ieiTK;x` z^BaZCx`QB0I;{u(YdX=L?)ol!gwEy3sleZO##RPqxM8zmDbr;j8s$ekm;jPD+>8<%wGPa zx+RiD)}*C81M#(9?lSxyPW-pxgUoKw>gV+9mw$dFU zKUM71>ylqa?@|cWgMPzhSw&J2_dD)L`^%oqJ97#thMeir29WUh!rH?!1OSiiCdHUb zt4NuU?NfnWX98^oriKAp#sT42qO@Hz?yn_#Z~~8Dr#p{sEd4|z2Wo5!wb7KnwX3`r zengRd<^DD^ri93SVqa}+DB@iB-U0w)xEmw)^(iipGv$7x?QD36cuFeuA#w* z&0w-a3vL}@HM+mJxj_WvaO9PpdC6Mc6nPfQpA=`3x0Xu@@(rJx-LTRWg@;9Lz zd_0@1sD=gokQTAJNjtEN3_5dZ2ES95&c=FJOYCPvSlo4(jf}=iz}PC&@05`FuvisWAU4(TuUMbZI{hAdKV(^se#~hq-74OvrL8f0cyLIOnxi560ryW+pJg!#qV^Y9F zp7Ddf9rFr_L09dxzS#sQMvsmf>f@KczMma5ti>1)DR0hz0AIj|`!&Oqe0JE^w8O7^ zJ_I*eatud{&p*`dIf-q-*9u%|ioNykG+mU!EHQ0BF<_YTK!45CXEf_14HG%bbi1LWthG-B8#?NZOw z?6vmiFFL-Go#Dz`Wk6?Gf(_FQlR;q`ZTLQ@1a6GU<@YZ$yfqLR`oZNC7o)*m!H60D zaWQ;8yam~?!y!QQRLr;2aNo-WjGe(1zfse~4uswT=PT&HBzt)ywmg4|f-i}eLMpSL zE#VR|&igOr8!=@Cr|Qtx|Kqedf4yV>E$vXJ4L_7gf^!z}2qtO1luoZ+xV8(gj9Ug+ zb&rKM9nk4?QCjE#ZzUW4Bo9uXqGx4ESkG1T0i5BYz==$Dbdf4y#L`WvjppvDAkXxGA8e%*dMwgy`1-gl!yu7eIN91G-W#nV@{Rj zB$6Jd75T3R$lnj`vlx8^@D9+&EdOFGD$Uv$w2=s$X{y8oO!eb%grMj7Z$f_D@TDk~G5z0jTaMy2r+in}FYY{fPGa7j4k2 z7A0;R3%WiZi+%3HKf7r=-uCTP=`(%I`x9-8HTif!+$+ zVwcyI$G<3l`zawY^NyKq-`?HGkdh_$v9L)Uv8fSs%wPwOo?x!S z`w=}MTk>0PN(`=bYC4I^e0`OzIBbu=HheaKDeYD-sOw0SwI*Ucg){Wupg38m?@A%Q zUPsz&siz-yLoFUsl1T7m;%OxQF*JWq6I?sY6as)pjhbqZaSLgsByL6Jf8;p!KxzAMHhWcr#)o#*COnBoKB&5tPTI8( zEF+$kF~W=Vwxw~^_?l>^Jhqa9V= zb+*fAUEl@^*+JgDG&ANa-9<6Ws_;|0C}BB%&l$FoaDwTFtxXD%j;k>rd*6Cq#f2h7 zAx$r$e7*823fm(DqKJ6tKW0h@k=IjWJXd7w=Nkf4ol4E@%q-Y8edP`jG4|=-TAP?$ z;-@wv6=dH+%lvFX*);RvVqOK#yQ) zFPI>GngSmUvu5aCEBrFj`aU|S_n59|JMYf*mF@@Sv}&v!#Nla`Tb^p5r#)nzOaYmg zV%UoPpxF^NYss+#*_=y7WGWy>tEo}Fn?F07gx^y_N7pD)6`GOXziMtW+N19j5<(5QM8VYuXG<`SoCo!8S# zAT4zXvTAOrtdj;71=KZmvuMEHF!)l>HrtUQ^)Ue8StZ!$RY$#3{!xqf1*rrt=|!dX z$+w~O9Ui#fv`(5P*7bJQ?Q#L(o59ZPI`U?v(t$;%C=dUkXD!>cbupvBujb4of+^oU zF#q1SL;xp4!7Xc8pKe+K(tq9RAQ`pWIeg?#LL!;xFWHpFb)! z=_iTb6SBbA|5+{Q6Pd*}V*KK#SuWk8#Me-PVqMQ~PDSk)?2XdNY$5A@ctc0T5fuVF zd8T8EH;{({N}F`+mRxW3CM$5?_xzN&OP&QB`VP>VsB20r##p<5 zk_kv*=^zoJ1;jnkugwb#>?#$ru~nZs-CpMk;V&fO zjR3LlI`#V)$B{e78r>7!A6z$7`u|E?bHsjnwMr;isB$OIMEMY|*hn%P9o}Ka6-*CyF6vxy&yj3tlfjF;Y^ogHGu%0?OMazp8 z+NmmHa`0STjkcqmD1(oqiC;tozxcFH&R34qdQQKGT^>8kbN)`vl~{Wa#omm&sEREI zOy8#n-_*KTrk)P5|5k7IcsuN-Lk33HiDkLZ?cWhAAS2F`guY!GNOLKb8*iW4u??QG zg>aG2eT}vF+=|X_5tcb$M63i39R^KK?LN`3cVN)%5@Hy8?>Qb45v~GA2Mc3KVJ|z@-mS`w^cpvsSGgG13 zrjp5)p~ItQilYRpJ5?@aFDlk{r za=J9X5Y@F0i7!U~Bh#vf`(ie*1^d3>eJ_FkaPJA#RtHhWsgsA$Ihztvc`Ac1xaNK} zX&p(2{4}}(elboN9c=@8j6eyZRm?kTnCB^=*#k7*9fW6N&X~oVYDbEr2fnSqaN#_u z0x{T~@dBT$rw}i(s>&PT7n8dJ#4Uu+ahio@*F(fQ0(4~jj?r>TdKh}KNz7Wdmh zgK-<&3;=Kg#ry8q(HIYP`tPW zFYazF6o=wcio08IDemr8THM_oio3KB+;94=z0X~1?=kM(>pSO+{6P|Iyl>`j$}^w& z%#9n#8>;VdWgqq6CV8JU?IpP`cQeYu&<{UOY8u3UbN22_;A2k9yNX*btZo z!%hqk+o7O=J##7$jshZZ%0;P8La3_{{i&m$qMiCix;w-UkAi)j2J?;55EWsdugM#X zD*Gu`q0<}XFs<+EE~o3;1_h2~)^Ql5MC2a=XJo*Zpquq%>$5m~GO)sn1QvR7ak_U7 zcqz`h^r)=L8>U!<0pM*qW+JyhK)(!tm*P}Rj&yG7VMRTx%+zt!GmK zhPxi)A&uv&s2_9{&`6hip$e(1?4G>l4R2fBAQQF~qheJUE;s5!JkHwzhCT0=yKJBI z3^k7q481+96wTVrrgei{oR&hk#30owP2<5f0M;K+ued!k6_aO}^gTLktCZ4UxbcfJ zxLFTFATBGPy)E2&UKBI^`oy3(TZNG?)qrJD27XhDw(5qAck7L`GN^z`#T?tRAtlB8 z%fi-1R1q0E2W>0vZrXX_vUEA<&bUk!zjy&jw}0ll&HgvV_6fUXLGk{~$MjsXFy-%4 z5@>20Z;Zp=yt2x8Tgy52jl2L~O(vO5;?>+Fqq>P@x`U`Jb733{>?aax`3?W&jq*IL z;(;mNE&l{vd72M>uT-?(=n;~f6{E)Qz*=Z*;0$X>-{?CCNYG?1k)bEdd!gEJ12!yw zk^F*q@sqVM|H({sp;rbFosgU7{gp3Y{jz*`o2(#45!va}@Uqz1>54tgs6Mp8noF3Z zRgG~i8o%ovmp0I8?CG=Xq$UMT6fR5y-uAF;@mt43-Fw}SGsSFkLdSs)j$CRGjIL98 z=aZloYzil23%s|Sb%{889DCTEVmAXv>!~EhGH7no5TSyL5>H$c_mVjURuH37i}=cDSvj zKdc9S8FSkUhJOT;B%^I)r<>?7X0mCE$##gDD>sSBv2{J@lW0d;)zz)r5a{S6ai?rOb$rfOmHPA8~x z+8cXfBPP@Oe7Mlr^edC?v!v^nE{_eaWt-r{X}7VCPy6L&s9EL@h$rKE$&2U5ixghD z7dV z*YP-^iuI5U!u+;3?L;0_f*fay#q(*c8Zn!K7!v@s>)e9 z8XB*u&yLLM4RamNoP=0y`O11CQw-VY*|NEEFO`Khq@7|y5JETzhjMB1YXcEO{PKaM zzC;MF`*56Ru|T*YM{xw!5S~HRTh+&P#1iiV)!RWT(g}4Is2BnuL;OyMA>NUYl->NsRMIq4J{hB~dwU&;uqH*ap!C9|^ip}s1> z_~3p}VEAxzHmp$6Znn&31KU9=*9xw%K?;@y|FK+jXYIjqii&zGl>@4|jj*7&G(QDM2oSN^bSxco^F24(!=OdB$Zl!o@JL)|mG=YUhnRSC4lzB(x}C=bBXh+&t5${6`A+10k7CP3eUD5oRs(>R#ZU zf$OT)WKd{)_p|;*dt)36ndB>e!TGp@FDfi_Pupkaw72R+97sVem=!jKdQ)5Xo+Vo#gbx(f$Vh+owFH0J|w}TKL z60;?Lp7LCuJHqx;dV9Aj&HPgKS7Gi`Ww)h#Pp2V_-NRKa+vm?@na-;FhK#H8fE_jM ztfTmj+6l->&*|rQ8&lDP8Ry{j*`CTYLAOK7P*Rp;p<3FDDOIKPSj!1;R zH;n8nG~YdtO8#sB4p6+3Ao^s$kj$|F8A>~(V`*o&$(Os-1Wk5OX|abM`SK(d)ehaUy83#5f`~59lbNlz- zPxoFPbA5Mfr0ox;=*N%zWGkenqjpOS?trEKFE+-)Z3!piLoHhG9hyf)e>rDddcQ>9 zw`071VkmFGkM_NNs0u&vnJaHLyg4PXDOgV| z2UbHA?xa|jVyj*z?vah`Kp%#efEkp6R+&Cu384=j4!?wV7dR9&TVco(+m*bN|Jo5Z z=g7HtkzDeucvWWW2}0AQSn{j@>-5uJlAdkD$>3V!7|Uu+uYr>0r4NQn+ZOW&>*vw0 z%cWP$dVzvZRzRm7z5dEDCG#h~iN;@}|0);|!(5Hd9J8v(8ocz(_xx~rrDvxbZD!c? z;R}Yq@7m!Pzdaao2|S-atgdUN;7ZR%gFp zW29Qd67&OX3_{-_s@txD9e6441G-AjDah}H3nya?ay5q?08r6X9Md$(+u~HVQX<3P zc7skI4f;&kZZZR9awLM6LnwY7MDwl?m9-@&{beRX$G~d@kVqm0V#tOwWrxa{dL@k< zLMMdDRrPVm&LWxS@l-@SWV^IHa0;kkN{v~Z*%Mm?J?x3q+M$Lh=3cxWI)@3x*q1!j zTTjtF4g{~RMz8LgI4?hZWgWrD`ZI&|k*3MFu~36f9lUmV{T_VHAc{_t%daZIf@_-p zwOLU%U8nu?vDuf!9L_{^b;?pIjcs-n$54?O?K~Sci z{>9@9A+3TP^6yk9(7ft(^r%?!)u>oRt#CwSRU7ovw}aiZt~Yv#<}h8}MGRFdJ)7Uf z)uY_YHw@oBX%Y-?o8TBX@rs1TzE%vJWhjI((_JJ=9~+;1h~8-+5ZF}?Q6j}eY}Bfd za2-sZ`FVx}j7$Qsvt`eylh=A%tLhdQmGxL$oGm^r(Elk}E51LD!$xUNwobjSSC4>9 zcJ1ewM+CZ@OV7U=<}({fA6KejT#m(?cDwz>I`e{}Tg3ad4Jv)~aiMeh*XGL)uw8uj zzlz660*xb>o6t|J1%z2cqX5m%+@ zY9ah*hU%Z^LK0{RO&O;7wuT_rb-(rT^zgl^vIc`uA+dwa2<}so{@*LdqS34`5g;-f z$uR&hXs^{bz*rFfJm_ujs*V@$Z8r|jf=f03W+)YlwZ+{!W^nFS`Jo#N?Iu79k>i5QswbB(*KY?Q9~g&w%#zM)h$3r(L4# zf(p%7(HnC}5_AE-AEI>E85RuMJT1CY%Q%fO_?|5ja>0-QPF&NLd)$PVB9XqOG-LCj zzleK*C(D?ksUAd|Uk&GcP*D+zPG>xHvyB_A>~Iq%S0pj~jYtuOR{a%;qP`tcrk0>@ zAmfD?xH0R#a31tmq!LYn`cYNhMQGhot1VA=F{VSID7PJi9A+yxTBNn=!GEYz8htMu zd-Pm`7=KpuANN1v5DmU+W_0^l*2TPTIvbje^C5PJ?SAl%5kc9qkW$t3$o-qf$kQTr zRbx=OtEKHL7>BSY6nkScf)#VCFRH2H(~n?~RRtdRlIvFW4y=?=5Uwj}Cn<6{WP4TG zS6<0;97NEirX)-n+|Ehaa(^XYxS1c8P3~D;@uwn}dk8PuAYO0MBj2d&ObkhJ5QL^^yReBf#W- z8r?W8hk54@e|_b7LYS%LIfKthGQ}LzrR?*^oTnFu7wxzV@%4vx<`Pjo@3CkOax8}dn{|r0@&iA*2 zQcn!yd?M}WGa2E3nePFAQwEne-YUM&___J9Gw~x&?xe$bwRJb*WT1<7g)#5dH)F9T zuJ3r?*!wBpy&s@FWhRuXp)1-pua^*H zsS6|XWJvbRPbBa@XtFr4E&`vb&2g%`Z3B^5d0i2ECgDZ);9iBigqY+Y#4v46$jnaz z_1T$p52Zlap7~)#rU7l*pFrtQdavlhAmBLxCw3rj8VBJt z?Z<`@Aj~BPU}1$pH@ks3epuX^KgcL2OLAnLBx*v{xl2oOIFzH1-p3;S()?a;_$GhJ zz@KkmkLN|=M(|wqs1^h5d52otFCYTn*fDVb1XMa;5J9lmu(SjtkFAM zDaqr_WL4}E%yeoxRJybHlixOFoM}7^s?CqR5v&G2&Ci2>jHg^_WQ#RVJk#f`-5c^h z##8nXQWfKYx zO?^wy+M1d>Giq%(@_uqR)A!>^%(_b+ z#k1Wn1LlDSPf*1iwLL`^EEf|v_h(YvD@K2+q!S3==A-a5?^yJKi?V$5W@lZmQF^__ z4e18?9&HVl^m*vZ58jHXi2x9EJ)ZhQ;0p`5hZ5V<{bcY|TnTUO4lYubv-Zr^sUILg z%dn@f)^97u+hV&nMAoq&UfE$*%B>)a)8R&4%RWC19a&p71|5~MyJU)?8a1_0&AgGb zGF+8qa1I3_1bsUmMsmcB=5;OTHGVTLhpcES!A*y>zD=c7uP)3B_Z>JjhO;g1mR_q02aZgNd=|>Aq^dJCfR@oAOs2#;X&tT8@sTi#_zk*L+-1={2|k zYsw_)sHqdN5)Mh{v!oZ9MBjxQRA*Kx?!HRwV~l$hF%xti+BA`TnI>vvlci{d%7L3w1n!mWu2C{o8uL7 z1;4jBSD||=y2d>`1{14tS_!lJy3?Ig1skp2fWcaxH$z%&IN#H@GMR@-p_=uKX2fn= zQS&D&`19XB(|SYRk7P4?MHJ3RkYP-BJSi5XznZ znIVBb#8ddgzHU8AvMKlRHI3$Z3YoqvMK5rBBCSwSq(2t28QfbtIo1&$Uu~5=-;@3q z2vwx9qsYo{=;4cHVxFXtLapX-e~i_la04eA;R59=4;}c`>VOK%Gvhc`Y=}OuI%(Gp zFYV@fcM~#rd2)y~j8h~O49`OajgNb8F(pOPGPNm+S(_+{N&eVVV6Zb81-$D4D%?%8 zQxdGbxrr&^1jE>{rfjM@ioGZs2>E0>FD&wD{Ih}@85yAkx=H0**JJWpjoZW{=1sw~zWdX8*Z8$z~|C(OcNr4y{b1ruDh#C+q7 z)*x~%(xeJ}r}o;dRL!#OCeg*y^Zfu*>ag_J&dsO|LtF*J5#5Y%UKNHa)>`i-8Ow6^ zIHHk%`Hm3t{Z>6!e|j~0xhH-KkDY!s1bK!2_bAUAy3(>s9gOW5UX{|1U$0iAcq#kk zc!ABndh@6IQ3XNcisSG^nHH;o=y=-;RL|K=!`=qCGGgzKj38PozncLGpI7jxX;VuH z3$5GeR_|zfJ(fc8bT8{I82DlUNec(r?tebN){jeEO$S+3VD-O!JV9Xf8^@$flWW`W6j4cpj zsN|#wiG1c6rhM3 zB76_5y{>+@(Nn$NQxsk^C7%4@^A>l-Sn8!zNQ1RclZeKah3UE86G1xEY*I};%TCN#_Y>M8=bOq(fYb*6I6?q zxmB+xv$YL5*woA?$KebKUfFdKup1pJ;Lh{Hj(;T<7mRS?A9`QY_k*8%kX6pdbAX7ffcjkUWvG<|W&)ziXK?7p?PSGn4kP^UELE{u}L&ZY~ z+?eAueCSNNsU9cb#SUnGeeuNaitvW7Ujk3?4UEIX2#p6+EQ0%5?_2Wmq(Eo7 zkHHL=jF?%6RF4cmSQjObg}#`*gozOH0!OQ0G7&0X1nnvjlf^xZK_85Fi0a*m=Rvwz zhfiqIOuE1gZ*TMyp&}y}I`a>Z1Rdb8g7H{WQwYAAV9ldwfM!uZCOC&8AO}A?1*>S+ zCRp~DN)4N`E{jI8mpnVMv?`UC%E3g6n_`pqnU35H=LH?rM4>n1$u$e=XB1G+=O#uQ z-szdugnpx}%x%E=zx6g|g_GGh8-VEaugXVL63yPLj_a(&?XH-9j{SDws-9 zu(#L!Ht>!C<8A-H)?-P;XzIeL1`kFWdsT|e;q|@aHE&dtK|nOM`cJc{QY{WH@=XX? z47WfP&rRP_F1>1n zMCO1Klt!5|-ACKPY5Mri07bo3M5D^=nC=8 z(8qqL_w#J4-t|PY6J6HfZq`4$`M(BhhF>%&?M^#V*Ha&o$TC_}>xEa6Rndv0qcDf@ zYgh&iiD?6qr;^3e_v#zDPK0PbwUAmXpsmv(zG4*vXCwvl0?3~!r+UtmRE0KMLKD~U z944D5;SIo?P1+43OU|Y3Ns>e{phS!h>%6BPao&TfeDnw*rwqwcn;c1{(6}U)&C+(L zjIgC=O$?f%^G(5gu0p_!uR^@?2YL-@Bn`u9*<$wn09GVIToSk9dXmWmh;m=aDC^@X zR=@PnxQsecvoCZQGhgGSYi|`aK3Ix9aZOo+j(|UAH`zNVj@}DZBe?#dClR>Vqqoe~ z(RlTJu4E8d?J6j4BwoMv4WG&z;&v{l|yPIgEXX{p{uVYLZLN>{?=CgPzd(wHI_@Al=66KkB5>8b)K^`8@MWp+P)&FDs$A| z;;!LSYG!aIdB8kvTAzfu9))liZ#xaYK!g6v<#c^*Ooidx+A}Q<*~A zT#k8_{?nO;Lw9n(fBkSxE&OgW$IW`4TAGzf$i8!{hWl$L7lCT=wbCl{%yO8JYFLzz z_ z`Y)wHiK--gz9v|QyR@S)AWgjThUw6uYepLu)DtzJ`ND144yW5HLSh$;!W4HK zaygpqLvQrAJE-(#4wX!qHNhG!+Jv}fc!l~oIXMVlBgN7KaC5)8BKMk4GKhDg6_4a^ zm?rY}YT$E$#5UFyJ{LNiVHJ9w!dc!X(8^z`y}apkn8GXEk!TaSlR?W$LI8uel`e5Z zAb4l)Fs(BzG>$(!{qkIV3tPs`#i{yL6r&fPd293{>G_N5adjrtW5qouhFu9&DiJp( zQ+5dk?(#@+(2^SEndk~B%NLZd7~O_LYpIbTeVpyS(5jfblL92hjnS;})6~D}6OHPQ zbUvr9qut2<&%Yx^wdwE)K=haHt*6F&lUo}e4dk`bp$t|h5~%nME5Bs6 zRhdk|y`>->pL(xG;S=UR=-T4@p1a_c=j|sRh;U>xclgp}O#j+n!+3>pu#a6*I#YP( zmgnl!1NDBk@%T&;LALGLp3xKa+F<`=x~NH*^>RAqzqc=i(bPdptlEu4x}R&~ROL7P z{qg;EvgjZmBvA ze*0>9%lB+lVHBuAW5r4I#irnLF63A(;aliqc01<7Tc*&W*$2abgqO~;FqDhB9oj+V zo9RDQlAh3}eO8|vk;rDKnNtE5kw7dZIjCRX-iSGSMfXZsbn27xy2il;qOVlrg&fdT zgk1yQ#2#*+jttBXznT10A6eo}0tbH(Pg0=9w@KB0ldooZAxFoFIb}(>At3}fD!qoO zu-FYT0#a#U6B*@Q_!g5b5*CZ$Y$b5+$d@A7U}h6+O#qTo?ArNj@iUq_M@c>uNG^@I zUvV0KEpk~vxxp^I&8JWp*5$M}ieW96_Sa`RTkGqkjyS21*`d){w{ju*->NrEaZs-(q0okat^75jGR}2pX-M^i!gglHy#VFQ?b%j-HuI) z!Ou*`8bq>NXrZt}e~)h`z{!AM#W^|>(PlobZ@q=*aLe;gDq(*V!#?uWiJV~g;Zm4S6>B2BzCD~FgMq6B``3L~PdlG+mK7qmU*f$ZGt5kKH;|lZ0WBlh z_G1wof>EVAWf~<&6AIH$PGG~$yT_pfQSm-?NSdZ-J&9-gVl$)a<)Zy6p5H!*x?iiF z(kcQ_#0NKS)x>bBCKzf0kN@zld<;(@8eewDGLp5r%3AFm`Sm{H)xt4uwZb@_hP&lD zJBV4=^u4*R(Z*9F#l4;1R2S=$UMZK);o^?%cc;ac8EoDbziQ@u!h53v9)UHSDkdi} zEuESlB?Pwr6zLa`=I7bMQEh~QEy!JP7s=$}z({=m+QOIbABKKd$?e>R5ccUtDSaCv zrxo2h;~5t&C!MH*WnA?LjRRY(+&4F8O`pr=a-<+2H<}jS)9tl?_2fGvFM1W$DU&|M zHWPf5$NK)P|1N`GkCG-eqL3uZb49b~{<|fiUB9!y8=NO`-Wrq+2mAXT_zz=WdV;#m z!+6P`X?Eh<@tZ(!o)gY`v?K@W-pm=`iCBQNu(!fM0w@v18#7VrE-0A^wgC3AC#cCn z$L!W8EZGw__~#bGEQtSE+Eh&K77e-yKz^^PyrE$~m>{Y?@ro6p>_z@(ob_ZL6bu`N-dd@aLpKnVJdX#0hBy{s_fT9~4cZ_7H|euBh~IIZ(RL-BNn z1Kd;kUfON40p-ryKjy8`0OutdfzSM4G4paRjWb0{ z-SdNbh+J#Dbc5x_uxJQzlq(q;+41atdCKc4R4AXCoZ@E7g+K^99NkdUDdh zpu}1`wbAU&-xjIZ97iq?{pHia)iG`>+kxEWH-ojHQ1=hv8?T?gE|al3kjUz96Dodr ziN&0HY0Ob4@elp1Iy8!F;r{?)Qd!^1R2z0;l7R#@$Wgy4gNRthg`qHPSr}G!t@%)A z6iFrjdL$4Caz2=%aXy?G{I#*4^H)Inm*KH%{EzzDUk)3|4MpW2mo$V{iMdjxW^d4JPCv&PZywSHF<}bmp7MQRjJ(_FKgeArl#OIZReXdUZ3=mWBljy)EIfnj$x{w2T z1rM)@4B!^-^pqL9*j|phhn-3a5TyDZDcN&FMjRnfO=tsodT7}7G=Pp-T=u2mkon-0 zYtJB^KA|cd{U`tkC!Foxfi_^NxZ^9FnD>o?KzM*W%c4}+5_48+ha=$}_r-(;h{!-s z;BGuq@V@VM7q(I7A0Dg$4$}>N>X*HFYq$VzOzvKdGq!r|>)cPhFGz6kuTB}TvGPz} zl*qad0E^3gG@5);?500j>79?p2G=lF?H?vfJ`Lgz;7c=!w0~q20^Bc9%V+#qPaxRe z2jPu=D`VzrM1ruRXcW9|Di=vipX1@rHXhn_ue~RR6<`coVh4KnViY_&13tXSCdYBr zgtfpYcmL$pJ4dYgXwAFqN8%M#BYz;^85Zab@!o5p`GIp-i)!e69Q@qK7N>{$ z8yET*(h$=7D&+n>SRm4uVGH?nWT7h!>*^i`46gs)NPxCd)229-ej{Cw=( z?DjB!26*FhC=F2jj#qfMA<<@15`C)beLz5V*GZw}#&nqNSj@5wpq7KGD_Ss=nTQ6! zc$N2~>3rwE@y!NcAI|^oLtB(txjZz4YW1~%*`gmL&NKIvfU-jTNqpi=-~|vfW(|jP z;976cu8R!eel8VNJ=4C10 zF(2M(_{@@m!9xM)n{X{ttm(L4p;V#@gJs}LSn3&5@uDz@mdug?X$I;?AWT6nK7SZj zqo%{2?ks}P4=>#~^hRj%RX7AoFddvBG8scr#BaY(o}eg(2`#t_3(x{3N`T|?IGqoY ztx3+@Q>j*&|Bu~{j_`4trFz3ZW>U??9PI?>EeBAXjjr+vs2bCEot9w5+Mn=HtGBwAEYeITYADFx9#}A zc5KeUL~HvvMndQZ_BaIB8@S0Bs>gLTH>g`&JWSL&!1KjHypqOO&G)8id<9v~rNW8y zZbJwdBQCwlaS%4I=A zX`fl4q5%d^8i7MF@*qHjj@+wDjeB#d3hIvwksu&5@$DVg85A`%1>?PUoc1rR-9}V0 z{e;Hqt?^p?a9bwCB!X_1l}dc8V`8cd3+$fISbUD73fiAo@3h2xOh9NEN`q#rJ(S`) zW6n}sZ?W^AlfNVdDr%FC&#hdUwe-~<>OL$_6QLDMX-=xh>|0Z zs36+H)GTbD9&T4czgQB^C&DX*!hbZa=sWcZ^TT@ces3C){_ut-IsrN%88jdmA zYl2Ls@rX9yY*^9~Qs#W@k4X|zCqa$YWr{yKQso5LaJF677Y2jgs^JQpp_7GjoebXf z+*gC+*?RQaqnd&&+Xl_GCXO4{*JBAe(o_p`LOCO3-gJiMKk zqB^57J8eN;WriyT((Gz4RM1aHE$g<6EP?)+o%+@AkzD>2v$zqj`*lAK8Y&#+iKj%F zHokQ7@iM9iQ|Qoxrd>9~_uq}g{CW^M)KhQ3zpOAMVar4ywc4Di`&9+O5Ul-7=&|Cu z6}7kG96zDq<&E;ciRkki;Y(jh9u0iS0e;*U0`@Bvj3+raD1_xe9Hs-1*dY zCxU&36aCKvJ2Z4vf*+`zd)_YH*{5JV90N#&P_2&A5Qy214+g=z)ot!xmwS;mYYRWE z7)u#8rC2ucjIfT)B1W34T)m_%iVLN?c<-Ogm?bR5awfX;e!o1#hO(XerO)G%u1(bf_T$o` z>;2~{pJgQl_90e$5RF-kU0VOHWeNh-5|Vd;%O(O^wD%+5!j>_{Ifouu*HR>Ku{Q`^|hM2OJwy_AXuDbMCfvr%t&on4!o zZWcUL;y(}e|H%0N-vhHCf?WO`8%VjD%kIimkxq^LNS+wmBrh0H)nm+bmj81?_$0mvBIzA zKeYg=3{ItrtAy*^t*IgaulcH3MY2_zFht)N|LzzM>Cy0ivBRkCHPEuFfkP~a`rU0{ zIK+CDLHKCP%6o2(b$AKEOjV`EEb7LCAZlVmy<}8<`LLzH@AeLlsy9 zIEoivJFGq=INoj>hVBfHx9#9hH?imd{%x=D*Nu6rg{A$OYBhK2_h-`qDt`e);X(K; z=}jVTUipP>2}9#G$Go9N$C!~$>vHe892S?r2DjO*c>@Dsuj+0)BT1=o^trp3A9k4ZZoG`o{-ymzO8^5B?`dPNa&@up1}vb zagtqbKvm(-qdsCg@Lpls!$=GR&cEjl|I;Em-iv*ljdBf1$|OkcjB*Vnp)p6XIwm{~ zUnjI=9nM^j_>h)Pb9EX+UEOTfSD3Q=us^uy*tE^16VU1~$5wQiS|U;D5~Y|`TQ2l# zv~$I=sk~|}`)(=aWRycYq-AL$iiVp*^R$#)q#B#3(Q>3xPr!sh+@5qmWyPo!}9NUjN)ZaV{DS61Jk|Ve0d%_L%?ZuG=Wzq20$ojD>)K{mWSkCsD zSiBM|EFtRwqr8u>NDzQ2-23_h)9P!87qOHApF!o|{H~Z1I;C*ws4>QId02x`4YG&z z(x{!n#cBDmgn+|Mwbab@o+0Gz^wxq=ZVhgN2>h1F3rQi-4k2j>(1@gU0V49z?sB`6 z>?0zofIEuK!t6#jD0_BUOGSeX(;!gW^HgdgPh3~f$ZHaNpBp`i=1~ zRdk~N4tJUY_(zk>X(=)BAHJPPD`N6+_rx-LtdJvV9_adtAh7F)iyB;H#G ziTrR_()F2tLAeip|9M6vbUsVaO7yrYCzFsk7wB-6t1o;gmuY2F9wvHfNHDTq0Iwug zK>7wyM$uSv9Q|2Z5x>zTDnr{0aWyf&X>M+}BzlM7=%{~Hcc0`i<)p&L2J_fHZ(sa_ zj%JOLSxsM!x<+|d;-jLt4-yfgW=;$5=@AVXm;-K z(Fl&jU~A%Bbi%eAh%6`;>92TN4jTo&+ReB1(SN}5B=1^e{Qk6Z7}=Se`H1zSUn#4x ztu-}S`!O^qu*r?kgTLxkIxN0rL5#a1$?{#r-l(XyF7%=ClB~eLws>HNG-}?0!TP5)HzB zh-6E?eO0P5IN^TftY{b3ItUS6@T3 z`vD@@$goK%2+%5!_iC31l;(Ao6FVaX^1P_S=kNznkU4Bu3voLyT-5nE@75OO9$uPa zdM({89VheNXBfTRlX z{?^0Z+&L63HiXM%(@T5C2KJ8torR>Nf;V?Mn`aV{odhc5-%sZ6w!4xS!6PTlLyfS( zZG+%IfvsXwL1(>$8Yzm+jCkTRRGhzgAEdDV=t6&YJKrVMUurK#4|PQ*p$#>&4_+r` z8OefY!5{uaIV>RQDU*fQF|#JdK9B`DDV}OtM#7#pAld?(Y_+ zfgGFSeU+6bT0RDTayIV_Hk+7@lTC+{ywJs||3;wIHq?xH+= z-jM-qXg1a9CAuN}?Zy{yHgo2AxN@}CSNDtH*1SirYR!CK5XDT4I-1Sn?N==&j5(58 zq^XdNjf}HdTHm;-0jss$O}~x)@=-w{bYG_^VB3rc1XhO};zFWQTfMhCk~fG1YPL)kYZyuVv6uuygov+a#%jh9)nvLaA| z0?B1QmG6kvm<@1z@(TZcH)u0O+l+x3*L+GNm4+tVthBJAH|=_b+;&qe6*3CT1a{^o?_H)D>ZJAQ+Al&f=O2xpQRkH^0Bqem{3Q4}2UDJA+xnneW)X&DUlx z>6y#*8{_Vf?nbs>5#RTW$M1eLv2gGop_RVlK8lSe32n;^a(y6wUW9zVBH1>vJE<-A zXXUm!Q(nxI3N`#W*WVOXBgE16Skv;=Wdnm}#s131Hm}6u?*@huKE$CYS0!czR+g>r z?AxR=M#f1+)O*Net}@Ux?QS0<$-C>rl&D@ZLnV;8^9&VWn_A}c(qyxlnVsOhaWK$S z*mUt|R{Idw%H{$cF|BzdYSq1bvaU$WQ?UK9fv>zf@^w*FgQl+3!)!iPaK(--$4O*- zh~~IHwuvzL&3-?+^nx}T4u^*^80@Pf=NtYBqk4sdYKAWJJ+d2~vk>@V`y%HfN8w3P zv4@u-kHL>VDM4!CPxadZHa#(EU&||gFNXSsCc~Tq^51k0^Vk-luJg%t9k@mVkWJTe z!ov-GnVISKVt2NsnN9`&s=#X6mt9L5!Nu_r zs*Kgy4?OcdoHR6M^~1>E8Z<^1Oi8}mzdy?3(9*d|N$WfK9nb;LgPp-Zq6-tR>xEb6 zwO^vhtUL@)^hsa=h1;l+#rPWL4>CUNO8)~5`L{!)(<}JZ&}P_#qi{jJj}GDRkncxY zbJSm02xC|e6xYy%(;&6LOfGjD*u}&Ay@l}v#hkGM%hj$aBqdqUDnIJ{^S7mxQH_jY zR{Pv?I~%iy;*e^W@$xKBmaEE>y5di)GuB6G!~$X@d{I&%+QvJ!JqFCYMhis0NHV)! zeH$s9k1M+2$;;ee2g_w{+bD{3GK-{Qw3Th7hi%E-zo6ohj;u`@tj)!l~5?t-cvS9F04~hEL?^Zgq}Iuv7~LPy3tl@$fYTe$CaaN2sKeNYD+-x%}Sdc-hlbpiSACw#RJHbh`4V z$Jzz8mKS$*TR-FjO0xhn;5>pmmPSZ{ss&%0eJpb_SA z-)46v;bhYXH8QVdfwNtE1x!!AwOvyt?KaO_zNQtU!`!fc+Z_IpUA`^C@_pv;dGZW( zjTq9_4Q`>mk+%Yb^^={UNQF6=9@?lKt6j zHL$Rdxfm0nJ2x#^ep{}kuCcf3eKDJr>bZZ(Jj~En@A0s7{;`hiQ8H78|HIiw8y28U z0O;k9yap#%Cs&axZ;?p)(oC|m69i+W3e5=_U#pXCwEdYm^Oxq{+pOln0L3w!r@H~WPe+^P!Zw2UlV*yrz<8F& z)2zC%I9z6=#N=(`%PnOa3BMhIu(oPvrR^`>*?7;P_qhMM z?3NVr_$>K*$%%bSuAGeNa2oCWf&J>uyOuh!9!BYRf2)M-Ad&buTV@GlJu%Sj`)t}l z>Q5Ia{l+*cJ_tk>@<6$@4IY&7KYu55!BhElGy)_XL=x&^wHac=Zg6~~*3bJ8rlG_N zEve3t(&m6=vKe~9b9elCb(s84OFzC{%-bEs8JkdaIv0#?_`&j{x8k;2BA}O~-WAn6 zWWM|3ORk3je*I? z!n~5vwZ~!G0-MX=o|JelH!R0*+^i0F9Xg-R*C7~&6~*0JK2RK16d;+6&F|empbq=+ zeJ${Kj$xSLcoy3j+?KxR6%odj5wW~)G&xD7B{lI%;q5@b_4LT$%#nab`V&pBu8|^q zpI^ggqzs)k?zQX&e&}g6*1bWq-eb%_*g9HGwDwB}SUT=VzH~o-d}(O=xFj^O47_Z{ zwrdjWxz|pm`kNKvh#?{>_HX)v$6?r!e+j0LwmJ=b9W%GiP-FJXfItHVq}xveRJ#IU; zmu;gZHruH$3mHLTQ?CIkU=ojcPTLP;m>%;tl>4ul(Q1((01-v_+O~V6QX}T0ts=#V zL71GEZPwu=wj6ph^?ITy-nlM-h7I##y9Yu@k?i3yNk;baa&%N4WRk{?zdc)z7xD1- zu%cb27ireDGCX#xEk%h4Oe_If(?cpolI!T5RATD{6#LXiHRcrqY)0eE?tRsCMd|sC z(do3-Fq7oHa76Qy675HLaehf z7-YEo=Ih@!e@s6|s#P_)>Exu&GRqyHsFB(_U5xLL zVOX+N5T;+AiPw2v|5(Q=wEI}cgYDYAtFM~OP5p3mJQ9;l_(;<((#1L*Taf=KO)bqW zLT=Pt@xmz3hKXX)IcV1lnbTBpo?EsK*#k2o3vk-`(O6n&OSHCcRY^6Ewrxdz55Z_{ z&agt!OXczq4J=fiO1Pabd|21$t#bv<>HeZm2m@Djvlh7NnoHIo3VPG$cuo3VLdB~s zbhHa$dB1+a66EgYrsgP1w!e!kr^x+5mVcj4ozs{yF(TOFAQ&c*BhrNldeR^YTHVTx zFxy#5EOv8={f;E{OMAz1BXgQRP!P4qCG@z$2;CU3&f;!={|1`d-=EsjqmtEdx#PYV z;yot?$(HKR?EEg={+{tujFv!+&1&t*Mwh#FO>+%yIqHS-2=f59?Nd@@-v*X(*tuU0 z75?cc1)Rhz)!v3(y4%1Jk-?Tu{5Vm?S~mEOBduFo_|5TPxBRF}6>ANu!(FNQT3>3& zYhkSNGoB>ipS<9GjZrTl&l*#L1n%FhnZ_uTZF|mV>*eIm9V5tJHXuA<`ID|Dc<+;E zbPB4{Rh2~b0|nf+-Pjm=;sJ&>Ol;*F2K00Nz=QET;kvWgng=n^!wG_*+v{CJ8xoEH z-lNo}sA)5%r#tMb;-& zX+cz^hAJv5Akra-AfSkd9HdGp0xBhR0t66{rgTI)SV5(PB7_o(f^>)l6MFAGKp=$n z+c}>1yYD&YyZ4T9?_Ugu8A_gK@3rQdbFQ^ogFi)Zc_P9a!_gW+d#S%TLQNV?1=GH# zJ);zS2(}7kX=#*AArYN-oIMglO>8Vu?DWlqq25iXy?yeXpOne3DaJpStDO2uWjgr& zzkc;t;o^BMl}IF4atW4&eAV^EqEWhiS&?`=~p2OZN85y^Xg}O z!0#DZHyiNS*>YnK)|6(btVHPEcnWPCgb=+YG_fA-|3AL6YsSD}?f`1N%U5=3oT{r} zetb4hoB>RMvZ(kG-Y){sy;P39RAO>XlNqn0!j0zVb|?1IO2*zmbT6(~E@KuVve!RZ zoC#Gw$cRY->CD3m+29zH{;l z>cj?CUc0erMl2Rl7h=Srt|lzKhMK_sXi(OG{8UD^a5kK$4ov{|;Z9ZQMr<=5c zJQuk)^Sdqk1~LMw#MxEQa?t(BGMJo)vOgQ@gu8H4?1j_Z%IZfxUFVg~i&(qTGb+f} z!_B)tdArx&YNMdbx$wn#0>12YRb*(77V9G$+Y2<^jOy6Y6uYG`lO5siTHna8v0W59 z(=GCYvKKRD;^VEK1v2PViF>31+nh;~7PhQi=^qa)q@j>0SWNeYXZ^w6%0lI~{r)!O zf4fCqF^AAcYa02NZ@0(|IF%K3hz0$3QQA<*5^SW2ZEP>$N~Yn6gC1)2PrMxw>(wFo zh0z6w^+B#L1q3)9H{9b*wsssHUhFibn;o0)9pH3y@8y+dl7%d8+VS~$BylOrc~W@a z6iy*uy{W@W_={v)LQtJ80<|W^h=no?%q_Yktm)^8^m1RkoVF$5a@*$<8{|!ST(-qD zr;g39p`xzpS#|%A3}!)&kyJRr-Pt8zz4E}; zR9EyZyW?nwUp_ehOMP~+|2!eC66&Mv66nQKgMlq-?HJH+NcAF+!Wmp1RxUYj&-|}c zUGB36(4F1lx1%5*KjPZRIz$4p8$w7D&Ai~<|1eJ}*IeWuXX^?*azbxAPz{}1TM+#Y zKyn)$Pe)&q*&&&Q4wku_3736r4O)#7pNC7@WP1-y7sK{fUqJB9(jv~VO>$xc)Iw*{ z(D)BkA%Tm>$NMv9TfeX6eiI5s{W6RQ)(_f~!@wq?J>~}NlA@_a-$3c&yP` zlt_}Pqj7{JDGF0Z>}0Cz9Z2o!2(;dAfx9$GT=_>u(ojef3_qX{h7f`48L{T8$O}I} z$N8XhMcTn)rL17Q48y;)PdPqX&7iXZGa&f7WACYp;d(L~vi@-{_eeQ2ksnZ`! zPSta{C>&IHc>Gck+)Lqz=jwA{j8INg3u9I~Jo3WviKTL;2);M1PXsbKX<^Eo;f*RW zOi~Y6D(C{0NWiBWd1GGNJ-NEK^GE93bNeX@5RsGkaZ~}vQujtoZH#)vy_`}$sxjir zE4wR+NrSNC_5w#okyeX~Y2_t%;V)_#yLdi_GqLz{C-rOvkH3)wN?>{M_GcTt0zr%) z>V$1?2AVXL2gf4ne5}qtvG{uv~p0PbCnvf*BZCqeB z5!y{z%bfJL))2jD&{FQ_9$!`%!zz?RQVrde^l!d({s+EgxVbbpmeg0HrC$)jDh*$# z`Eh9)eOf>U8=esQJp^6kY@)2r*VBI}^rfTvqdnrUBDJakJ_<(GlyJ2m`$Tq!u>h>OY>7(TD6XU>#q_GV>D|vzX$Ivw7N^2{_Y4Rs z6po+n+272c$-ZU_G|U&Nm)rf66vww*A~d^dyaJp_eyF8qr`Ck}qslIp1t^%0sFqMl z1ax(zIDbrAFVQISg%tgI!&&J)9nbfzahx!1k5+^AzW;0{{i2VONQm@`2@2BR^AE@@ zmr07?fk8ZDOAEZAF6K$Hfsp~2GSy2MO5j1^QyZ$DnEBc9gYf^n`M<1GPFN-j6!GiO zO5j$FOUDJwVx{vxljomo0_r5Z(bR7#voZ8uIH!GPbuJ7HzD*5oA0zoCf9!yk0Yi1!qjP?uS;=`tGE4OFLnSH5;GBFngR?Fz)E6CFo@%scS!5{VYmMhJn$-U5ArC;d%j4l$6QIU~KkU&Em= zCf_0RH$3fEFH>_(QR@aDy|F%Mxkb z64cNKMr2fX$*t$G^G-bU$o-d6-7u&=3d{_P7prGqyCmt!&256cmV-~_eFW|)vC{s} z8)zs1gi8$anQkZ{StyRGPb0O~A}0AhtB0IngdedyCLJC{wz z8)~xHJ$>OL@kzM-Rr+?6+$|R#ZI#DXc; zf3i-!CJ-_S9W-<=aC-`%CzpYx>V+cSjuQ9Se?Kv;;6n%Yf5J26p}AYz@&j5#O^?X` z`ka#j^>F!^%#HrIP zj^Rw#?AAhk(@lyI#9bA*T&Q^>`s zQJ*6MdnZCa`4-myDD5X?Qzi!ewfa(~D=q>uV0S|uWB1$M(fMzCN3RaYs2tX@s4CaI z*h(Gq>#n);+q}+_e?CkmS`W@(Ds-*c_@P@fFtqGVx{Iyyed@_i|6d=K;)RUHq^{54 zg3RXZ3;>ZG(O{5h`&FQhgDzNYGRDL8X(cz?=ZhnewV7v8Qvzv>YHz1>tU=9vY4SLP{X+b_BE-hRUn;oa7WPp5hzed-O;h%eoz})Lm&}(%8)j+f zLhTEi6i%EVo9ecyt%F=WLG(4kqd1Ri=Um4lYWXBBrRKi?c)yKZdKbWNDKq~YPQ`Er z=j?Cf4Lv;}G0*NPH`Ei9>y+ux^#R~kj$jEiwsdFSxW50Mdz;vhk@3A>7XbJl0E2Mn zozHSAMnZ8(ZiCnu`tT4S8`wsRuRYJ%2J*dHPeVYM8(5-DIr|R zpC!!4j$FSODnb8UkB!qplpeaROBP<_?xlRqoV32Mazw4_E?(UsVAo8wZsR`dBISi0 z8U~A$2^bS!Y3J+2BbH`codfNkR5u~-Zkyu2YX@yo{9SBHGCImem0x`N+H&I?m!`+% zhn9FI8OB`enbHD3`-xBGjK8{XS{`y45gMeO?x!@J>3uIrWQFd$xo87*uAeopQQW;! zE=w%)@ps*H+PK9=>YSDbv{TU%yBbakUC>tMza2cNC_i$u`d_pXuL!Lg<$Ijces}#! z-HuCiOGg@b?k8zns&@%NdxT}RgLSoq6{4P8-`jz}ou!4Y6l!k8+;2;K+Qp{4_>JGa zRVX>WCI77O|HMM-3n*g`KG+*MSR(HX)-HRY`v?|FM`?e5LW&VG8s67-|D$}^&Exe` zFU-9cCU(xo<1GP*)c1bEUB>S-=r)v~Eud(-%^=q9%kb(_rb{(050tQW@5V`X4ZJp2 zSlp*Go+SQE{Uu`yB1Yl+kGE6F0|I4d>O~h$$V2>NRj?_d|M08*lm^!LY`QbudDs~ z_BREoIwtRpz55jvFc^zX>#ybQRh=f==G;+)-kPJT?3}-vJVmJ_eskg@O^i&DSoieVW=!;Z;`atHNg#Y z`SD-K#_EmsAz=ac1{y}E4Tmn8|6GaA%d~^SKJy>)Zl%A-XpU8!P7Q`7eTBL;aSSE}1S`5Vd~-%11Gf6?n@H0aBO5tj z*crVzr^~k26^tgCn&UE?tz;zkXF2eD(z7Kp1^TLvK!6EW4*RrCR7YoVOEdbr_cNFI zc9c@a9Ahi$kfZXYe>!%;BZ?Jy?3Z3SfwRt3;rCg37^rh3vi}1-lN^-KH_93)nND$b zrk_Q_`9gQUKNL};8`EfLv<5|vb3I;Wn6Hy;r9GI`NSXcg=BHL5X|`3SJ~~Y3-%f5T z5iLPYYz%p9`T^z!J*aa=dJu=GWgq{D6KZ%p+Zdsr#>BEaLT;A#9(?KZO(rc=Z%_DLn{3#n})h4umRA)}`N9qWHVeDp>SZWBc6L?UtWh zt6pd;((tSParuWO($PU{;z4(!%&3$6Pm7K3_2ulDf*<2t^{3w4An3^l_P%b+cIZWM zZg(ZGvpj3LndR{8LIv{C=f%=XFOq4{Q8b9iv2@cS4!`U6g+T_!(Cd!PFH`ED#HhF? zeoK4C{n=g*Wij!LwM24hy4fDfcXpF31LE~!zY25U@Wy9s+WY6xvHE2!rXtNJgH& zOMhM=4L{!L)+Fh}s{H44;r-5F57xrl=I~p7+fyk%V07t1L7nwEO)Tr)+3S0PQe{k6 zJ}QIt4h#AAIqR7-H*b6?bJuO2$moWUg)uPt%4@`DU<^mV{=$NnJO=jMfe^K=+$&$d z-R0*voiV(Tn~?55I3YkFKFT$&TT32l6xb|Iu+jFKmL13gODTB3Xx9q!t%Nw#eb%fD z0LDE>_LhC9v&_68e^&o4V0QDuvLB)57R9G~Zj>f%o60XtcV!SRSX6$y%g_y$FnVl( zYg{^UG6d`|tj$o%Ibc_<+ug*}FJ)8y2n_$>1>GHGtN~jFyEVk#Ft+yZt&Onw! zz0wXyUvg5kLgUV(jPYxK1yu)*Q{k2LX>7vB-9I1ZDsaPp7|$z3CphtBkgoNlJI|ys z+?Vw%%5(@&g8DQC`woF{wdAyb+O;72uar$)0ncXM(4YZ!Kik5%SRsAp z010viT($b)^`Hc|MBhU;iid38@bOs375<`26qQl8jhkJ`?mc;EjrKUHs8JE28 zRXFwao%(y$QMWqHG0KS17Vy2_axkhq`!clJ@Rp+8>7Tf#7HT_vxazOZxO{eBk_7-5 zC=iKf%n^gI(OgV8AFH^!=VQXn!&47(sWdtap~r2Leb^NUv(y zH6)3t>T*6ew@RLfTj_j*`vXZW?oLSP1c2YB(7JXTzCQ(@CyXc$j*r~;b<$2rT!2%TPcyfJCurVYdHm5a{~~tv%kuj-u^+>Mwf2L=2xHMg zT+r@>Vd4=&_enjFxfghXAw<0Fmo_NM-0=U?{jfl^VnMi_V-s#g z<8GPr0y19NKyUiVd=+3LHTp5O>sM`KbP_`y=*6!m^2vEFexJZOsmS3wBZ;o@cb^BN z-S7`4o>e{Fj*4h$%I1rdomAzH8!GEHHXk8Oo8`bvMaXH;EK-{WKaSAcj=t)kBJ&15 z>XK%75Sa67OEmS!*rCfEi=PMmnbZ$6J*j2ah|g+!6N7YjcU_#m&{5qSuGWy4R35lE zK(RA-?xc-kznWP!fSO;`Ui|K12314#Q#NmA5(}bUT~y7NkF6><9jP(-5SMlEwCW{_ zbN>8(iv2&BhtA`)yWdV88>T)aKaC@pOt9fPTP8UWKRM=oOvhz6z)voTc(o}*7MgbX z7=3O`gE@ec%R&1yLG#XU;?=cI=v<)gs;dSQY^!%V>UTQ~8Yk3RI6(N1Rcny$k5FOQ zUTf12boXiE(2jm?tpOndxa98@zs7Jx^AfBP#cH_ho>JrKQ~fim8kDLP!&j)->(Tg1 z*5IKkf~EhQ*-YCi5}YFw#37aGRNLx2wX7WDg0mh8k%a6~_8_vxihU!5Xm-Dpjkb&t zyjpu)nU45hK?4H;LF2ga@VtW(i)DUo3!GI~g}44odux?@wly&|YTZ@Yzbb97IOLn1 z-Ib=wD zUa?h+l|K8qERp~DGl4FROw|Dq8M@ES+-cvrTbvNRl!c!nFr5MPLh=iaAlb1WdGa4ul;1kz>wHu*ATtuWFd@E*rQVh<)aXw13bZ`HW!noLLd$mw*@rA~Yc!34#z z)cm?pTl!>;!_VRAhLLJ#mTjStzBsQ`?u?WY0@Y&2a9|GJ&VLnG5PEys;I*v|zx8JD zj2dIopNQYRz#RvrA6d`d;+w1BUN7iS)Wmv4xwtb1lOh^GFGtOc+QBx-=v<3{|Ds7) zl~I(5rObALgQ{Zz-;wkhrYDi|J~>0-v#1IVqUe|4uV2ELYvi$GtV5u@!w6g++-!Ds z8{~PqO2K<{D>}^9r-VfkLN7g|#&QTXmJ5y=%Ka`)rd7a=OQGJl)c=PYcl7GB_R2aI zvX<);(S+;BP~9i2)-m_$PB_|pDvL;IikAFh_C2T8H|x78)IE{(-CQ5ONimB%wXv8+ zG%|i+w8&mtB~@&H>RD~Qu_u!sO4Wx~;~v?BEQpuKD{K}Jq2@Q0yhDtF<$iXjK7eF- z^@?-~9D|st5kkaux+iI+c2})Orq2vm>UlhD34a*@NV}?4gVrO(v(e5D0mPC()4Onc zPnIS=37>pYW)5;*gj_D&UofzFeGxQC-33ij%AjLT^zY&Or`BWWW7v!$ZZ2>&6gqfL z2T6-hBvOgt*r4;c+=Inq!rA)gJRqq9OskE3oVOHS)n%_1H81H#8OzzspPIYwP8d6t!QE%)`=Wq^B3D*!6X_BR%*)yRDH zS;yl@#`-9l2p#LL+w3_^A$*x4d(jdfvt!CtB!+A0#H8)PlrV!A-k^YpDT(`-w&o9LpcjPesiyMuh znj1pm)fIIxifK}$$Xl2{{ji4jozX#ra!Ov-ry0 zYhO4&_1$b{=D_7WS7hpRrbmh`QL)`JHx8+_6{)Rav)G8;cqds{BA$aCC z%vO>%o=OzGCn_&j+SVq|i%I%kr!KccC#+9N2Kff)Z3{*4{kUGdy^Ra9j6x0yQ+$H9 ze1u|%|+Nf_jeUz7AR z*lH4oxv?%8*HeBi^Nx_URM!E!VRYmPHFpdTfs$&OO?Bg2xsLBr8oSDB!}4>(TXTV% zWjS7hrU`lREGU~_}Vx@Mg2(2)Ey4P*W5x!%#cQb|X z&J&cE4ul(YeM{H%{q8J9;THCHR_eoX3IRkjLl`^PJx_zKn)PmFW9*-G>P^C#+j2|m zlNr-_*?x}#R4>2%u8$h$mCDIfr_?Um$!_h8 z9PCr7jVOP_s;spx|In2z#MrE*_XP?~C*|zkZ*f=$Pu3CFDRU5aK#p6cV(+dIndgTc zMqgBcecPC0iY3JMg*=t1v!n%(c}e2SieVjtP}7>JHa3Ahnyf0H zb_GjXxV*Pkeu#TZ21jUZfo+z^GGg{Gn0rk;q-;rz_W1b2=E01m%cluQ(Lwn!+^; ztyj~dJlOoR=kVzgGu$WR(iGSaye}Tya)RqI$6dd8Vo-=7Q%K?3vgsSgwg+{wV6~8O z5DMb)sp`AXyoq6>s`mnB@XRB@$rnGHcxthEz|!?z%_D;sN}q*2i|@HCsVdbvP%l@M z`Y5&n=1BY!i)8R9>?!J8@SE&wjN$90cQs+txX8e0H0a35$Bq;DTofbgO+RFB$Mjlm zv*#;YRAC{!!l>Zk`5P0f;<4mFwL@|_q-P&thoB)|Z4LoWEMeH?w7vy>EcDpkA}f67 zYRfjqZh6T_ZuC&Qd{1}!^1-l}>EEE%DE`?YwcQ!7sNE~vHZ+*$(d(geRk2pO%>#fH znP+dztIoO~kO^`!DcJoHeXv*DWBGCQY7(o%>)xGtPER6~5O{OF|byx-VP&Ve^OJ@J-~F1O~URf6xzjbm6r{{m6a)R;@u7az1?T z(M#U@DlT-PlkaY7HtqaKsq3koH$s1GI^PN#JTtxZG*)e&%$6u{^`g#=9<5cO=4)7a&<0=JEJ;8!^l@0 z-Zyh(EPkeK#P_*dBr?Uq{rVO_Ao=E{_oE*A$=v@K%BJ+5jw|xx1;vDsEeKH%eYJTh zg;QUpM0sbitfrp)tbP`@8qB`Y*}~^>Q!Ej->=u_V`U#N2f{_7}BG89MwX$gRblMfc zCGqi?^}YqMY%A##9PBnjhq)}iQOlqq2iSVrkwPq~Qd1QQc3`(j^D0zyHw%w` zD5KuQyCpMnjEH;zv1L4xW0AI;B$~fwywE8oJTZoZ8{&T+!0Y@P`{iYt-Q7DG3k2Frs~Wrtwm(dht1x<g9$Q6yqfZLP2xdwykn5}a$|=6&_B)x?gW?u zekX@{X3}12bro00EQu|SP@Or*sNc@;TM#%E&-~?3(5A-GM@NDhvmaXA`JoWtR`&V3 zHuN6C77OSV<2Khp&*m5g$jP=g34JOTigshR-BHG-aSH>=EbnD5FW5njY#Wcs) zzUPDm;9F$B#tQ)m|AB$iH)P%gLO9qr&iuHEmF*>q%+pV;29u7D5~MCHTQ`kqX( zsB^jt!&4xE(Dm{P_|>KbZP6V;sU0f0x2c-sdHi?9;XxN{9jOa)u!7h@?6eve+p+!S zu6l7od4c3>ycDvl$&^Z@I{ro9WisyT`|cdl#D29~Riha@rhYU;U-WZ~EZrQuL*@}8 zPh^;{s148)Vt5uO_Y{*Py1Jy2o<}=p2eM-<`o9lII5t%S%Z78nCNOa%h3-TAt>Ps8 z$Ggm5cbKa*;&;$y$vrqXZTYyC^2-jmLC!945(TCFWQ2oOChy|h>>wOC z3wG2f-GXx*S!Hid-*_lPZ2Z;e^h6u|nj}0wVe{9giNNUrUZNl)TXjJCNIjNv()z_8 z7AK}sAVf`J5UOga(8fPUPw6i+N?!~W+I)yamW@4Gc=leF#Zo4?rFbUIrSLzz!fFmf z$CfmxXVmsb|7eS{u@_uR>@5q=r*~shZ?S~Ce|nvrM#B}Arqa2V-J72@($oK}s-GwX zd|e%uuv5}Za`Zua#beLdqz~GM=IbU6=OTt+VERB{=Tt!sDUD>OmHB7imPRZ`wHA{v z-{r6Up_LfZy?*+_7zLW9lyd0#NaqU^$7;3*u!RCOP@aIyXCJn#z6p^HIfc4SHhS{7 z?AI@G<|9B0`D=|-@wKudRnry)KN`-B!6(`Q_I0-P)RtBb;7%0&8?7L9j5dC?Qks5^ zMh!bv9wf7^WER-kyMG(`cG^DJL$^5;`Ndg=_bCYS!{^CY-i8TEX)vvR{G(MrLcnjf z6-^grL6;CmxRH%oYg2W{-~7Z79Ld`c*|&%%i$z75XOKN!p9t(d-}mmI{0*7t*Mke% zUnd#88eYXWvzzJnvLXY%<$8x3ntUn)69P^Xqxj|7{u6W+oGN+wn}niRiTUn;gVW`A(IenkqVp zfwj&H8nL8>Q|P>@)401=n;gHlDlv85q6g$$7EbKmZ+Wa?QQPX&_?<{(e$IpxvT#!% zNcKF@Y4@mv$V|I$_*dK0-Hlsu?Li+WgHrFAfhja$67>2^!OBmHwb8}it&%o4p1MT0 z)x=Q?4tB1&W}`Ci4foXcQe%zUKtM%}l&e-^V*UMI!HBCx{gg>{#GV}5Z|$Wx;9`Ot z6>P<0J$M|>`)^D>+_rGevfXysk8#NkHsKh-JX!l=R27&1ZWaW(GPU84{`h}72XxU2vj;+_qmb%fWz`@ zYcJ%O@NoDQRoT#nYV|{x_$NQ)qwA{c%#sL~*+iPuX+u<+^-SW6n>p%=i05!QyOZLi ziabDpclBu!;@A*Vw$LnDltlbaVXH9MFtIq*uEfo z!lnF8P82=uakS>O{tR@bv}?TU4$l|8(99DFkuB-GJA!acb9)TUW1K0HT{5oY$Vk6)RTzd#^J~o2l}fs_i4HB9$UD{Njxo_ zbairy1v^~17l6nS8jsSPrn(oXI0Ba8dGa@oDC4E#2#_HI!y8A-`~7!+6*rX;B?_W5 ze^-b~`o5fp4*WfTdqqx+N1Sktn!KR?AQUcIqL*@kT1H$Z+F8lu!KTI7L)c#r zl?Q?`T3u}s-RwD4pOWYdMv4aZzYo-t(zwZPBEv3I8N`|Aihqlx5PGevj|Z;pk3sie zHM+2M{S#{0C>vXm( zwCYxOg%5GW5)y<5qk9g_e(dK~9bU}YpUbIU$EnpP)(gfEKYlkjd<+WTlB`)Qy{^Fs z663+PL-^+jfC=Xs(>qb?S;poe6M*!9!^hflYzs4ehJA;KEl{}8lCK#Q5BXRblV59a zYaIVlhI3-UbtekR?%&%upD#k>7R8U}lu6d(9a&dA+>!zn*f9_7@Y z&NJEFsXy?ie%m5HJ(7yHA{uQjpt=7^Ec>whl}%1jhr~$v#hD!{`?I(A8`}ETMNI>m zq3Oz}P}i+VakZ-9#lGp_;)D z9|{ZHx2*GKJ*H+G>Uxv|0kQdhIJhtD3drmWzHc*r+h|ginOHO|z~7SA`54f@h9}VB zV%afpYrDzcm0OQ*dwm4E1QSsY3vACEi5qucBr}Ueu?ifggA#zA*WI5wc0qd8PHQm9 zP{1ey8ki`mv|DIvIo>t283Nd#m%SonO!@aT&Y}}?6W=%y2>f@Ki>OsQG5fy7!z9!$|_u}_R-ND+J_WQMLGWf0E=u_;lQE)Cf|75MU7nYef;<*7faAgT*BAC)H{b5(C^(}4vRy-61)xt-wLVG?ir z^X~aI-M=~FPcdP)yAaE_l$SnHG`ayzyGLSNvwfR(0+d9T`Xp$yof9)|Bg^?lCdVSS zu`fz;W~Co>yX|Q-@p4r)fhQT&K-HK1^3#Xh98Wxn1EjRN5hDD4XN++?L69B_sx(`U zyejJ>U!d{}#CcbjyzvDd^zgLoI3!JIN9cl^^QB`y6+o)onWedNa<}iRL}1krtCNC8 zJs_a!XNQ!U7jCQo^=PA}XJAtBwOjrmh{p45ua95qODoaWYzqCRT@>{Mw&yVk7S1gL z(Qu__xYjFQE!JYt57Tk6X2XToDGG@_nQDw(n>nGWRD8;_G0QgyoY%WoIWa+|wDQ{3@5^#ri47!B?S#V}%j?0DV`GfvC8w`mzS5hY>{w_!MiPQ~dOraaIfc$$m z<~Qi1oO$0^cS~Y~=HawQ@jAydA|qQQuB+Q&!-J)j3iLd-Ky5U1|m&eoOyu~nW^6KkNhzO>*g zWV5sLdMSq#3gmP@-MN>z>ygO42X;_;dnnLcy6PMfV}FZ6RxW~4EN%}$35ZEr&w0(z zW}wY)gdl*{#Op)j_y!wq8b9QS< z{zLIu?9sbW&&lUWP5oxB$pvkTXF9U8Wvfp0woMFMeiOm}5qArATz2ZJDI>3qT0u!# ziy8TY2*!Wun$f#@$>-$s`uadto-NR9C_k*gE1DCLXQ1x1z{KaxuCL

        dg0Cokd2; zws)eV_^#>Zp;9&(H@tkkH2!tnc6;fTYhfrf;M{DVIlOi|jl+I-H80n1N8)2Yl+=~i zU6!8Yab{Da^DdC}ls!%djXrqQ`CAkGYj`1sjUK6bQtjq6<5M7q?^IJIZA@&azWWUw z))Bx>`-!T!JP&3mc_j)=7h$M*hTt^q(H6CRx2;$o?3;;Skyw}K<~fzz(TL)ua)RYh ztn#wSbt4r2_~w~NWUpWszgLezvV!U@T?%pq%T<;vH7n8%B8 zAO>Mhn}F`H5F2@Xgx+08H}nZ_1$mw2(tsv9*eU9XLzdUw71D$u2j;Z!IP1KvFn?{( ztOj(RYSFzBlF^EWvlE$EDu%oVmZ_BX*4|1`y+5#iSRkq=$}!jRMThJ4f2Kt4D4`A}{cO0dsv()Udo>^)~;nu)IeN%jwaPE%gt%QE0pP zRmA0e=hk|0{Ja0~4vPQHJ7ndd;-*$Z0KsNq47!KO8u7EoD|KemxO>O6g$kyGrDY)Y zPR%zg8pA(TMZaSBG3^jHOzFfo*|Q?`CWRy|&f;ea(3S$pid|s>{8uw~B{!Ocn?HGv ze>d+?>g?|XlOyFFUtxlrY@--?B#=gsF1pm1v?PXK-_Ovguc)gY@?W#EB^zFZ>0se+ zM{e=S60?lMp^#1d*$&G9_n*)9n562Oit|p(eBptwl~#z`H&F@-^;zjNyi_>L{7{RW z{8#Vct~;4SYe^lYN4JseT_IqD<{0083*v7yvmjG6;F%#)5yYt=Q!hZS`PWccwTayH zb+-#g;s#!jg=WJ=$7sMz5s!V_WIFobr-$Au>B#IlC|NSLUvP%p5*$H+V*C9Q>>6TM zz%0IyJk2k!wuD{pR^3xzu4@KjQk(2?;kL~I#E7m2d;Ha1v$Bg($cat$vR&5<kS+sg6TUitwYmH7W44qo3Enb-Gup$6;eA zvE=MEIprbuad$1Hei0caNz1Wdxm8WzIV+eI!bOD$a|^4D>?;>5M??GuhWvq@t$g2U zdJCdS0EBOm@>;8if51(Wihr!e`HQt1KVpp|u0ELv*NC*MtH>U<1oDv&S#VE&eA|~! zr1(+Tz(Qq0!VHXsBhDl$0L4G1_Qxkt9j5m<@b6YrUB2Zvby0r?bLBsSIW+yd47!;? zdB3j8b?i&|o$tyRfk04R7FGPoS_21}fH+n@v`K2;gbHWt+y{0CE~?#OrR=)HUv`HYsz>TFHwWS)`NN`2 zST_jlg)8efHC;2$4hr5_gAS8%sD(S>0WeOIl+*4_l^i4aan-_&()TQNrc60H7dgx5 zg^-&4lY(HGiZ<`a#+SO+Ecj#NlNKk8rnJV`jjw;n@Ga1|=T-3QjmD^2LXxVZJ%b_# z=yk3mPQE_vPd30iAhNvmT;6qA2lY&5cJ>zPTkag=TpxcHiEAH9t^d(_6Oa{;r_*z} zk4BW{GJa1{pwZCgi_kQgK%Bo)!X@eT5Ao*PNTbz! zOVUS5wUs4j^s+O;-+b#0bnpE>H@$QVVTDb2{5x3!=&b^7Q5F$=?mDXM3R(WkRmrPc z;qus5{va!u9b`u6Fnpe)YLMmXejzB>$1BGtbCqCaR=T&C9!xE<@?%=mFFi2{qsC;) znw+LPk^8X|V_Tw`75(?;Fv@ikLsk8?7-7gh()r`avruwNP<-uly5l3BI%ym`J0%L4 z*x)KGKr1q064Cp$Y>ZUXTCAypm=OubZBaS!DFj9^t>WE?nmjI$7S5a6g-Oy&zvo|#c%D4+*tAVQ1TiV`U`mW5 zB8V5wTB{;?-SwK$;o2XY4b_Ds6oU~JatWcn>y<$FaiTNS&U~UXUy?W-?-(XIb2Sbc zs$kz_vP)_-HW&e>cnYhkIdb+fP3+~Lu*)7lPO*x}wG|AXa&Fpw+25$4L?>#GDj6GK zTkLVa*fBq#f8Q`pvZ^2=yIk?ZE2e7spB#BP(wo|R`@NK;Q7pe%{~&eZUxvi=h+uqy5tGt_7X?f`81j` z9CLCvctN3ZhU2RSTHB^98eX6t@>v|Z0eM1(1z?N5wDI_bp$+C^HL+> z;g9o^@1k7Jg;_CK>n9*5vQ3WsF)N5&y)nG0M+dNqeMqFXv!%un?l^8!QhnBfv!jtg zV6auo1)FwFO%<0rqJ%ImOOpeZh~r+MD6AbWjm%b?fV5@-m#d=>u)7-n;89v#EC0Hv zeS*n5FVp>oWON2!RWeJaP`vJq2LP{s@ye`2X1Vxh@L?K20`UkN1m4CXZx=qpT)%8e z%q5N8i51-_U(`OCCgh1GLS97vzC<^Q+FW>NH$M0?fiYWEejov1A}nxSa8*6` zkA55#Jsm7ZsO?&R%@Z3RQ|@-a@o;tlYguF%J(b0--P+b@Ss!;a*zr%ou?2C3T_&{O z2jAz+}QovG2qyfYS=k6=-mo01rFbYN(9mSosPab7vzpe^M&8;Ahu2;aO4vM=d3sS|8OYAPvY^ z@tWSe3=OvxVrO1;fr-#<*dHfa0B350(m{jtdjdUWP{cu1l0#iE|8Y)#8 z6Y0>^{^Uj|Z0J)NtWIo<*l6nVW&K20*{f}k=Nb)l*ww96=qp*H2kQTHTNuRo{n4^; zNB+4hbN>7@DmaB@G$Q%MH8q$Vcek5;x6Oij z4780d{js3dmquJCRoAT4`ELQC{39#BFKaj?Oz`IR4MUw^U>^zE+MQ9WA5J8k4!eCA z&kn3!5@{dG)r&&^V0;zD+dLaH(|X|NqLv=VLI|b z`@7x7hu3$49ey39*K`q_UZBBj3H|Bu;a;Z7D(9l2abn1GgFG!WTU2d+E1iJV^2*v) zKaM^V9_;{wjl|0<%ELX7)4O#JL+!v(BIo_h4_uEDh*lLbhWC=9hJ=cmW&T1;aA6GT zKGGF$sIOWcc+yvn2^TuD!UWeKo4L0r54*+i(&d+|q`cT*5Q5m)O1uf2-mWDA{kuAM zRPI(_{9*gV``fCGOOIPX7t9m1Fv36N8|cscQt_?;baA8t&ugSSv%poezk--z6jf=V zUW)$Tm*SDhcpv%1U9Illy#SdJK_V{>Znl9Di5I|BoG&RMc}*-nOm&cu*v|s){J-Zv zY%rC*Ro(0@|KNa*9qhT*kDVofiQ_+Sw`7pH!1AJUw@v^_=R(4i1m;$HfiAVzu?PSJNOYFSFR#v--rFy?OTLQQik}IVdnhu!aa$mghY#q;(X2u4XBJh9t9G_7nBIcUnp4UHo2sX{z)VVW(U~aO*8)Wxj^VGtM0)(BL#yo<2K_b) z`4b6@={<#ltO@ow3{gsESny3PvSn4PNw#6#Dzlx|h+dBI!ZrcbaxicF(YD3>hUuK* zI9fEV=vzUTzty_C6>quk{HqpBy>GBo&Xr^NMPQUwfTN7K9D^WGGQSJKm=<2iP-!-5Q&crI%9Ffh>H=?h{rtYD ztWGt-SwU#2u(t-#8O*=vtGuaou%o4X$4FLu&Crqy$*Xe@-B#Efv%wXG9B{_m^8pw- zFFUaw&hODF%{v!Gz?D==uK+ip&xPjv)a|mvAj(OwY>P2XDI&c|7ZFfV0qI0Uq!Vf&AfOcKMMO$aQ30hRO}c~t z(p!S`W*1Oc0Qv6YH5D#|!QQO}>j`*o!hQ0wi~`RLmPq6Y z{RUNZh&eUR0(qyWhK*c)EBm&~*Xu9H&ld+I#~K%_P{kr%QXDx_931A)5Q|`-55Lcl z$Sr?Fle;*A;WUE^{fQQ&_LuXog2H%<`63*68Tt7Wt}r%Q3% zJnc=Msl`Lur&KJ}xRoyP zj77*%9?i~Et~m7Tj;=w1xaOzfwklq_Aaf2vPRPxDo>tWpsmJMIpN-Z^9$vARj!c&Y zNVEC2!ucPk9m4A8bo3F*e#8}?2D&1pD{q=J#t1hoVh2(ajL?oH{&;-f`i{$-g{nP5 zIdL#tB1yKR^b#|RH9d?iblLwMry1*rEsTowzbvM9sZWr1JP}_zI{>STA}sjZ9s0pw z`iix$!d2uFcCUTy+46L>yc6A!Ss93_kEu)%gaPst`3Ae!2etWG$^N#e$3k3&rmh-@ zuZ1wuz(+$b>B?5!dw0<5>Xvv+-l%l#Y82-iC(n}9#Wgz~c?t~%5Smd80F!=ho7StM z5oQ1G??vvyZJzqRT)XY1wg?(qmRfz@sTds(z~am3 zw_k!)VdqmP_p>eou&fr99+M&kPleiA$plkQRw#_Z>skYyqByQTgq8;)OFzY$0JXP6 z&1va3LVQi?u75KoT4-NVe&%x^s#hH{!U^EyIem9FL~*A5Y!@s`-}lp}P>kpnNRYP{zdeAg$3 z^P{RA{qP0OczrHEQzqz6doZ#lS*ti5FI`sAFXOvDU-y|cx|3=3vCwbB(4VFhwE(W} zvBQ(3yt15M&@~F{>FNxs-(esQHY?qwGjIljnJ#6SzkK_zKE4j^VXh>Xy{%aALH8PYjuoD;V(R;oj}f-aGEYiO9rorOBlSup z3T{%xpBdq!=w$d3N`tWA@6QQ!elo}|%JQ|c`W;4J>68)%>x4io2=w3VBS`!VZ8RN9 zX4ld8hZCZ|8{~+Jc~)Xalbdzb_k0&%#=Js9=<2r&?vYiZa%`f~=GH6SmTB(8KBpJ@Qj4Lel%j^V_lX6qS0lr)o?E%FeGk zlyO;DJD@(vRa_0DklXDxp=5_623Q8_wbB*wf&2HB{MdwvJZ`T|>y$7;p*saq86)R+ ze}oqa)$Q3-m@Rrn)4A@Fi0vj4{&-REM<$!OxM5r~p>>=sj{SbNzX39V^E`C(tg=sGtqcLg~%2_58adqJL zH-ecN>$5}S-}0;1zAl00ahF%wYbp)4KVb@gbyvWQ4H@QjGraPVpq@En4b4(4N*ukC zk=&^Krn#$<|MQzOD=CGo&Qp?~+>$5GGDJjiSzQ>vW@3`T`pA-xPBH3?OKPsh$tXXZ zkSKvr;(wE7ULwiaCe44QQSfFQiPRmT#dep6wkFC5G*!pmoY6JvRt>xIvg>I=Y7^ha zg^>sVI!HJ2ASP#ajCNVoV#+(9{_ZmyL8+8gs1qxAZB%>S}-J8l}9#0{+CZ1GsJLFEJO)u^temdCFu)B!X-BAw@m7tWv zOx13j`_Q1o+E)IBE?}o!tss49F(o@QeXP{DB>T91e~1%*(aO~Z36%?jPb*y3KL_ra ziuL$f5gLvg9SJn2XG>tR8j-T^s}fvKZj-U6r<3iZV=6Mg0Dr1LoGcJ4)B7kL>QC%G zg~o74*S)z3;Vg>Z&W(v7c|3sH8G=X*f1|+R(ITv7}3B z6bx5OXPqv~|AV~hueV;{p*UdLnMOyA(l~oJIxP;B>OA~z{ODiiS_(Vlj4~~G&~eVj zktGSuv^sNAI~)4VCF~)U0x$A-D1>H@VTA7tYL1B48=0f8 z=MdfIQe`@q2Sx1k#8HcT0UlgW^o-qNWKWS61@gH)Pl3mem&0M1gjtO{1RPY!nP;_P z>dQC!2&-r+D%b{NTYm`;N=Evb-XS(7(L;`0_!J9OPDN|l#eSX`!m7%OGd3?~ue~*J z!q(q?p<#!9{u9%*5m1kdI@fp}9Zt8G+e2!%qk`|m?Ov0A1G4O#k{zah9v*UF=88C^ z-*f;EeLlWl1r~(Rqclz~!HS**-;Dlgj03}2p5tC2cX6tA*4nDp<_njSq0v9qE?2*E z87M~oCW#)ZN9bTjdUxxGF1 zb^4eL_BEsi3M;0>mls7ED_bkM{~_h3(vsP%86%q4VWSIwVzfAyU03`mv&?A}&Q*~8 zj3V$K4+g#|wB>X8X7j>B!SS#xaU!@1Fju&Ajk$RKEj9S-CkAyHh+v(5&dSI&||`=rdB76m;%%Gwzj$eU{cjj(xQ~Ocy<+e-Tz# zc8p0{Tu;@F>Q#gg1o|YZ`_SVid?SaVY7BDB&w(|arS{}UPDS<0aBM+_Y)fO4Dr;Zv z^3yq{ss4mUg}LgL{!4%`Rc)^33XvO?Ldi)OjPO_lWYV-AGh*l(<~yVN^SzK75b8Y? zQZD_LNd(m+W9rE};!9QIyH3p=GGz2Kxe##i8bQ{rE{K8D{x{RIbGv|8=sv>lK_*oL z(j9Z;S;SIdBkeHF-6Vm3y?@~ZRXZq}-WI=z(3u|iNkeS2aOVLQCdZhe(vYvvPdBa5KiAA40PQ? zC$j|1FB=RE{nzFbcVQ&`M2ym>HM3XKOBG;jkY!TxKo`NuSfKuS$zwOAIPyyC-CtZQ zf18Bq%7m6O>1H{IjYCq7L;a2;6-CoAnIG@web8@cOIQ&+1i$qUjzr6sd^b9`AUC-y zDn9AHYfy}5rNmOz#wz;pYSiqxMJ7X`dZLu!;ye6Q9&?4$I!k5d?9QW7hOUs@W)4iF zrjy&ll3K}}CZqgB!m91{+*RBSi|co~%TWrut0lD@7mxIp%K_5!DJ|ys7~$Pxm%IWm zkO@4vx(BH9T~Xacd>rsR$~Vf2)?9~q>q@ID&_Y)6vDz z5S>9N%q$Vv>gLIV02ZHAERbc;YZ%|j>s-BB6TyDYTd;*j%;snqwc}ytlhU1n0xwUT zfj#lwNtbXs%q`0D$AkB>UtJDW6QWrB;P_O~l|V01DnIJ(qj#Y4_rH<5oKn=&GAsWk zt&b07lu;xZ>9N~?B{znXefRJ?&U;HJxq^+~f(|`J63>xp+8<=Hko;QGJn6}CWc&+u zkEBUT9+SU1e*Za_mb}1LZb<*;zUECpA+q%NDD5189MpyPU+ewPn+~jd=*V}kE`w`c zDt7d%u}a}lvb!W_!V{#`4KD|i9eY6wEY2b@jQx}E&L3>L_FG1o?|8r*>1*I_4v(u|W z<$h;(CIsSGAUKzoxuSKg-hNR$l$Y8y6;u)Sw}M^AGtOXyI#crFkRg`Pn2ou}OfSbl z5+Ns?t{3A~-EpZaKv$-#aB*ZbjQx|=@|zzo`J7V3;W&ph@jn?2h7SWq1O6lq%*Dp@ zyQV}&TLf&vf!6O+pU&GxtYj~{4h^);#U-$?Y8>-Iycc(+nZpj6yA02rR=UfwUz#fA zc(0k$_`i72e{-t-b;SPqCQ0PTcaU$s7_hiKH1MvKEnXeNICjtfG}Lc`xfE4-DGy$u zIoJ_Ocb^Z3er}bXKwT4+Hb)PGmefLV#P}|F|CO#ZE(;GEBaHxTFvJ=GE!xCBqg9Ei zvv-8HP}WgHP$cx3=CmThYI=FH`&eMjA(pytRoYh`?s8BgxxXb)*RM2& z`lM!Fr&zzjoq z+WIC2LzCbkX2I97@c+VV_P=q1zYSvag$l4=XxnVzb%FuC9^}or&dD=96Q{K=8H5&y z$1ioaHr=AsI-!iiU5b|N#kohvz-6wll}9$vLDuYH?eM(GL4tg9c}Ei~XUC9@5n{ru z$lsbE+}JRvn8{a`XBCP6ffaaQt{UXp#NiNftSr^D!Rb@Fgyx_a%Q4sWAt1FRE_H|- zU2P-NZP)ys&J$HB<&NW3W;qUV6U%DGQr`?2a5@RYK83K9M+G{Bay7(^JcD9YIS3tA zh@HF`TKV-|9eKBPT*qvp((jl2UkUa9>0s0|YCM*<&c9ds0U>$O@0|7nm!}U`A}8o% zMH|N zRI6M20d#sOdr~7L8Az@6oyVMVPef0OzRp|L;#{AMfv76_87KIBn%3u_X`ovTo){ts zg%V09yDFNP0)EE4YL1RR&afO7#V(DkvOYHdKXV1DBRUL$Y+$?Py_rP{*!zG!8Ej;W z&*HB;!A?^fkE*$p3*DXMoaEaK87W${qhOmAREZtaxR`V~iIaikCRa=hG>>_pG+PBchW|lRbj7Ck8(A zCQoEB?4n6o+IC;Y=hFYNR#4$vpcMp4sWW71{Ib`VE7VtFAG)MWu*ixwe(h1EE4V7p z|HiXDO*4&xuN6Mi_#&iZC$i^eMiFcwvh}IVdnLJrFhY4pen+5kkf^xZyLMZIUvAf+ z+*CuFHyqZ>B+5)Iv!-!B*g33=N?%W&ntsM^53AH>ZW-*jr4xW2Jgk?_eqUrRh@T4A zXvhg>Y&h%O7`Vd_XpYb-wRdPcFG>NHvzDmXP>%Kvi;#iltSxa!(#O16_==4K_+!qr z4upYEKx$Mk%==i>|Lo&8dUH@1je=p(MFwZ+x8r{N+K!QSRMk9BxH$cI0h{vp)c`ok zf7rp~r0ZowtCfhX4$*{3FL4^<#5KPycMq%Pc9*&1BS+^ zHN)F&EN%z0LJ5*FinV;&Rm3>Pc8a)W^c&VHhFOujbuYVzN~NYK=q=EXpCW}CTqoy- zt8s6&=1hF4S33Q|1)@`^T+wf`MC^-{r0{bl;8$&mw|A93$}}7zMShd_;Qkrjm~u(! zGr;RS4Ks`l`#&A}|2{SdJgaa2Xs3U!&BEeL!F!DfZJw2<^xiryVPJAN|D9R3nNB1g z=GWT9p*W3+t}}gqiKG99GZ(3>77AxyMYX0{JLyhMnyGLkGJRLd)ps`EN$*QwvAV9d zQL3etMj!|6bWlO}iiV48IxTaB6w_*$A%f;6&CB5|f6o-|s`6h~`et zgg7e_P~v6&psV$<1HN$?8s0PRJ#R2f+PIcVsVE*sFk$5MVQ|1?3Wdt%iT=>%m|Hcz zGbEl0wxSJ5|1&25F@QA?w5r$DtEqLS!@Yq7`}rOY5C+t5w4?U|8G7Z0p$2D z=6~h@+=WjVfbNu5;&%(vp*!yy7~(G*hCHV}201ZCuW;5!e`9`I(VsXCRSN}uvPcEN z=^g_MMl-g%7VAAs&P#V=q7_hhgOFfS^pEh&hSD!s8Fy5b6#ilJix9e6Op&xXgnWP& zhAKgajgV^4#oK&Z`n+9K)Y%K2XQGWO}Ufe#P5;uw#GXZRB$lGxV8v0Ok33@^5Nh;PL!h0Rif~GIy)sx>ltF> zonn!iypxo0G^SY(F}sqRYZ2mcy#QI{cXs~P_?eACdWUufxEn9#i#}&%x_vXtj{<7W zTHG?WS*f_I#%tl1pg1Z0%+H=aYxH@!d?e zh;?@8#rf2Nlawr2xqK$}Af$&0gwxs|{)9_;CnskN)Uaj{!mwXtT$$4L4O8i@pBHI( z$7Fe?PU!!aX7B&4OtEl--l)i0!)xw!DDw8*+S*SaZ9NZRsTk9bWL>2_t>{VAikxI> z)p(P|voRR?yds1~MbxkrFrcF*3tnZtY)cu;JG>vRK&()5M`r^qJw4cKpzp9&*Uc2c z+BX!g<$Mv}Z7<<`bD-3ix(44Y6<_f>F32{>NMWK<3|4%_<3eJ{E3Zta$Fe?!J^UG~ zDpQ1fguH7%%FD*i|4On6XzLMLJMNjr9GccS347Gb7r81R3dO3&fO?AnbY)7Secu?y z#NgFKZ(tFO!iO}ytJWLl z6N`K%0-MRWx7*DG*`2d^iE=&pB-=af!IBeNC4$?~>uH2m{AU!Zn#em<>?k!=ci}z{ zO1I}|3XECTU@%c~G^`eNf>my6kpBy70QB&)O754z=E@F^2sG+tuQz|-c3)feG&1zU}^b_aKH{%tzF<;X? z6t=EfnmTPa<@bvVAk_W%)eWL`W4YsCjm!pBErK@{?pJ6+rwE1JQe$w>xUQAvkFHRf zT50Y~&iYQnv}vuNgnkV`du?f?KeoWAv4?!;WL?_bppOmn8ng=4EqHkT0C^x7dC+FN z$D>|-;%NHDze^I!mprksL>teBl2Ni@>Up_iVR;&d6b1g(L1N|zd?_@gf~tD;spDP4 z&7eWSt`mDVhP$Dm_7q+x;()K~1^BHz4SmZ6(FoX`8)${`vdF=1WtbA*7)(h1uwA~_ z@f{uxR199!6rs2~f7s2u%_n?yssCZU0AKZpLM2l|tnrNd9F{sYh$O#Kf)BlIsoqc_-*59PfC*ccuw zm{l79Bv{}N?%1PkKPJ-7|7MIzvN67UHkFJY7-NG0oTv?P{ic8WjMju4woWMvkAAQ=@$c!;W0a$7pFczPVr7y`Ona{`Ov&H1{DFpvH>BE2|`0t9e*CFnS&d*G*5?mA0j8wDTeZ=}55+5b(NGq)y^ANgv zAz4-m$JqVVMLy2qcniAX8(7C}c^4qBrGF7GFHKkJ^93NGpKYJ+MT4O@GPy9bireFAs#jU}K^vb*i<>fuDOBdzzr%5T zu{!tc*|xP}+r9%sM^n!jk z*BZM5ANuDUz58YBLY~e^@t18f^FKnPWYYw9zq-U4DBWg9e=AgSpg#s+j_zdwSTS`bx4sclaH{5RZlG(w9u^H1s_@ z8*}ucPYB&F^_3lBaTP|nM{BkZ&{o%-J3MnCMU8)=t!(MYXe)2Yi$Lm22lDdL5!oxq zOB3h7)S~`2eM{i?+m?F2b$JRG=v!pJ7FW%Db0H6cEa$0aOzr1mvn>BP7OJP9C;re6 z7|Js)2?1J|AfJ;Em^iQfCxQvhVb?s@4-NLBVEK{KJEI;)$3xqoC6Wk*P4vyT1a_vZ zy=s3~TXC|&s6XpHp*1gn4MTX8$qdCq4Yf`ZPWh2)2fM2v=#_jD;Qac-A7^zvFYcY$ zNVfLKjnp=cBX1AMzmN8Wr#z0Mwp(ofCbqh90AD(36nOw&vIFp?2r_(0$N3k0DFncm z!oAVu_(mthMlPf`y>ghOVTQ>0o)TtpXJ|-)q2N^^Rs7MJzv5%E%n{kbG#S*nzbE$x z8E=xn5m_zcq!)^*2kp}9rvuaMbx$w-`zlYSKjOPsYFNHG=BtLP%Kj83Ve@YYk4y9n zo2;k#^`q7=0feXU|04*`RZpk`;<0*+at;1D!d_k1L zExNcm-^-Jo0z@36lN4_GrL5Um5B}vks(fPWkA}w2`urCJ&5YRVX4+Y*rNkfz+`2uG zh7;&Q|35&`to71GlnP2U&m^+k4UvrIO842&P%ggVZt80AxT)e;j#;7Se37?(2@gej zY9odufz1yv$s&{s`lAjBLJ2lTAWuP!`Q;yGhhlor<$I(uUmiN8{BYOQ<^v4Pwq)6p zfq!CXY)Qapen64W$gzcs99y`iZ-XQA&pfS-fgD?!KOzwt9;@BSbPDr^1-n^F6&+_8)KG5OSlXv~(Y0=){oVITLVQ(pBtNQ5?Y92=}>4u~1B*(#n_k7`ifM`USMx;hlQ%yM@9yC*L)E-#jN%8!IG*0Fa1{fl)<} zkiEg=vgWM3@u4AC1n(Fo&!lUwRUb_{c|-J)KKTyTub<)qVI}?wxN~%-F4@HW%MdD- zt>jBsz^k=*;@}dFSL2?&r?V7q^EX_G+&EC9Pxj$O7Q7$54dgFW@)JZgL=D3)Fm^q_ zuL__wuYU}VcyjesA6<<{;cKiR;wFt>|F;q@qCT$iMNtrhm*pz~4@J1O>_1v>&FjrT zvVteE2pJx5nkCX>3u3yepQ=;ylw9OEa)#Z#k9eX&UDiS2yRPy=HSReLFDlsrva=OC zDScArr$z~A4DYmqv9xHS{>w&9n)NcDXYfKge8B}dJhVB(8xs*5S~&$T1c(y!#*FF^ ziO85W7t`fxQsyALou%xkGneEaPc?JMCw@-Q3p`iE(<`(WSg5!9{~_x`eqLWG5LCXE z6gdAmNgm{+2f4|Ao6rIX2g`F)!;YDR7wXQz^8Bum;yXgPm6*9zm`Hej_VH>#hqY91 znmi6cnQJKPOf7)Y=*3`!Le31fsOe`O9}%=?P~*$kYSlsP=7N3^De}7sTNY%iQ2X}V zTBVJtn<00?)SUT}2;Wl6vo)ERKhg8vz`-T~T#8DOdh-ov5B!nl1 ziuQPA4~V-{WxI=*H{a>sr1{xkRC^jUA#Azei~UYmbr%_Fp8K;g(zHBx{8wY#0xcVoD5v+TJXBy}N zo)&rBtC8Jk41F(FcHEU7pB)oz)QZ3~He`PBd6pmCgz&cVSvl83?17XQL%fWl*NK9B( z!=zSl0L5k)dPHWYr*wxOhdbA(61nxG^)&>Fl7-GEFr`jk8WCZEEb^3oW5dpG1@4-$l9R+b_3H7 ztU^k}5>32B7SG(O)=%NZgG8=#t?M>J%i*=#lX^uUdc1!E4pSC|``3ee`BxaF2($^g z(s?uK+p#XsgEA-LF|ZBu;f+MV*7A2yHgcf=TXh8hRkf*9%D;El&g5D!w4ZU2wUI}a zPE_0f78@;kFczbg4qvO+iC5DQdBRoWImKOmGvQtySXDZc@-6gdZ%Zcd;ncD$`BX`d(yfM0ewMkeUWUJym?;85DNoMQI=3 z&wk0V(n>+-YF3i0(Qr_BDl1tJr@JX3M*NHB!$b8`1gmJS*IN3{N>Y)X)Sw3+&Bc4B z29NFHn3=TZiL}FPs&1Tcoo}_`ayR#W^sLi_M^A%2#$s?G=2U_5|a*O3tz-fA`C4>c1Q$EeY3f|G!6_L~zSqF{kJ@xCC;ya8Mn!g{!6g{h$ZEdrM75&iog@Rg>b^WR^kTBi?W={6q(kc?(M!!IT3$409T zrX~tU)cx&!T%(FKKMIA47B<1AC~c^jyJ+{GYJR^#udJTO2p$W_j^Eyde59(Y6!AGuyu zLk9iFKgecdx?B-;vclFBd&d4Eh}bm!+8wa`!gb5TuB=J?bYnPUO#<#Nq@1QDmV z6EC@?>l10XMG|%S+K)9xm1t`}2tsr8j8{G`^{KoeCefjiR*$!>p6D~lNE;jwC!=-x z>oY=LX|1dWTO%BB^_{GjAX8~vJZMs6USK+THmZVf+@MVKoC9JqU5z~d@3mH1xo-fp z?zL9GzfmGu|3Qh!wZ8k3QRF`~dC~DA4M1@TgnMh;fzC+DW|b?|4l=lv;TVsxEc6D7}OdHyTBsPfdai(_+*8v!ivTnAX@x&>01&@l62dXBeAX@a&N zvW3ULdi&8=-at?5J8j({Ht6t*Dz#5uGPdwfSS6lOqrIOT<^6<&d3$`iR#`GvKTXn% zPm!hp&Gn;)O>23mkbpN}g1pUJ_D;1y?x(mQt%fVB7^EM@fZ>pY*2rb(M*BAzXuT7Z zqAt7q=(X+^?F+KGCLwo7l`8_BBwYPB4&uYC7gs|I?B7a*1TSfF;)s=3U7jfPZAT!$ zE})IZ2}aF`T#-F{X~&^YOLACo$Bwvw_m9c;IplVY0yK0z$Tg!!i@|UBzYEl4`&uVi`uvX3Iy;g*}CzTetDll2})!K!h$<6z-yU%*vAiU3q8gFnV%0R8m= zfjwEwWTD?V9$jAj{o*KSEDPS6LNVzt9IPJ9n0IQoF|F!}Y}aLf`lyp2!5^M0P+hun z9!;#j_$VA^bC2K>RhUW#Y0+$t5^j_eVu7>E_V57NDnxVpsz3%II}jHJxg!U$24(XyaFDeo-)qxz`tVUhQXu2z9_xs4pJy%HXG zlVq6{REmXI9#4kStxIXWq@XB*!qR^On7Gs=0a^C`QzLkYPVn^yqd^h}w?5lSBA6vuo~N3rcRMeZ_1jp=$dhV@ z!{(dWnu838_XnRszT`hXh5BOEi32u=u>&F{GLytLbQNj-W7RAmff(JI&8R!d%r5Q3 zF?ToDs3+YO%{D5!za~oO-goB87hfP%HnLbkCu%xUTCuc6B$LzdOfQ}p^6?=9Uj!@> z02D?~RJ+_HYsz<~npgY5{EDPzFQ;6k(fq{O$>tGLw7Aw#TIcFbx=`)CByr-Tn!jVT zae*X9mH#ZUtdcb|)41y7N4jcZjDD`ajSOp*tvjkrGSXFX_cN*;DBtEM2X_?Kd-jP8 zMwP+PRP4An+)h9QqDLNm{17U+{3NB^;^0O@vWwrEq zWqPViJa)00j~Hj-x^OQnvsN}YrjF2KWm_9yr{y$Oy_MFh^*)m9!zaDJf{I=2G}(tw zCmZ|@K9r{r^ogE=oEAJW&j;CRSpvK9{ro!o1qFXdV5s%Y79>@g0J{QJcrdwbZYaAL9G`orc7nKMC?5n4MK3Rr^?0hl+BV!b zv^}U^fq{6y9DerJ-b%mX#9_K*+l{5!PKed`X6@#{)6t)0<%`i^1!L4X&bQ?mh)kiT zEe?F-lSCe>I6XO3*G4#YX^f1YPmf={$2$fjnCjeT(_ng=By3$RW3Ha^?#2=jOtw&7 zMB&y2z5-FOA|3HrlmwtqCJ!0F3RyE%QK$sJzP3M;)EPekrE11-Ry^G@6{J!NRp!$z zVHj4@`l1&T!zWrxv}?rrZ6J`R>|u%ZUgC&p66N^Pf>VJMAA;k&riDxoh&w3n44y zMZL5OE`p{LY0YN!*I5Lu%35NRs3)kW@U?($(Q`+nTw=1-8;JDCf5w|F!-p#g;ohv{ zBuu%dGrTYLJlnFJzVAJ#T$I!8}O+8qYJ@Hk-` zCHyoLfyOY<;ZS|42}tjv`tsBEuO!C&hK5Lv3u(=#AciAGscpK&SI|yL_ec_GT9^3| zZkP%Szls>7c7COaPMigb=!XJeL!`%wm6IOazPxf3ptqkW%vd_@UCLD|Oj*$g`ThuB z$>qleS|Rwua|O;&bXGX5&-}BQg53myKIwgv|_&e)JmgPbcW{y zS$oxk%*t#3jjVt)3PfuzEeb4@5q@5t8bX#qlw}OfJnne)Xs~#cS2SI`-BGzegssJp zS^3DcV$!q8l`^<`H<7bVzcr940=Ia@a$t#1d0Q4ADO2B>l@3^!#zSD9cj#1yb_|!(cD z_ZaTjxi64(eW1&+G!aaPG^{04HIRiN?q$4@EvPq>nKiX%In=~K@yk0G7!M;&57?bj zh4+ID%gK_Z8B7c@Q$Y4&W))RJ)`A%&^FEs8+nI*auc9?vNUQV;ZATONryMT`KaSzg zi4v!Yi%^fDRbl{uKj*gq^Iqpzb}>mNrFKT_MVi1)-U*?vuJ+P&1fESRnBt75IY4#j zN5T<3Jncp2+KX@7jeP9vE1p18Z|<6Kx3A#_KNtwrI1jWDXO%To*HSI z$71XqQ75=-BM(z6>IY4K=_&W=(2nUY|H(X&zQw4+A;~ZmsiAL%0ZBimr#$<(_!2ZZ z!+t=s;1hwZ#B2V_0#m4@jh{Q<8A!$NQ$5=cYGXpKJUP}SoACr_^adzGHjk~R_a9!9 zq257*RnHgu%isC3WIPv#mI~GA*k%2P0>}4$mRFIbhDsN-h0<@+`DWFGjFyfeHBE>6 zem2fNAg|<-so!WXjd3oygpyFfmHxGSIgbLf2|Bz>JlUs zUkCKpCldL%{%z+?5{2w6-v!r)VfsT71?#UnVK>UutE)!7iv)*}HC0B*x-8Ml_W_z_AvxlF#m%gdO(z=B{(0D?>YUSN5^ z*UNb5O#z>JwMHEU?A{^%YQyTO)8tLXyBSYpu|htos))6O4AXsIvigySN~^alHl^=f zgu$Oj~qElt^K(gZz^OH6-X zrWbA9iQf=&xs`JRsiC!b%gJL8(yGtlF#KF&r%@_EXSb2GfomF{M*W{!+I?>I}yOMCAu zF0a-x@FfN;nBK~G(%fO# zLKeW9VFQkES`N8wby9pocf{r(fI~m!wydcwuCmAxXem+|CTw(25vi{%$?OS`+c! zi*NqNHk8bzZORAJ2zVSc5fW8of7k)HftCjtx{fqb@(Tqjr7+KC5(8kC7lO!%oRWf; zvfMe1hyFJpK#R+h(W6bLxY{aN$+tz*V4Es-MsJQRElmiw7&#%EV}IF#mka+HZ1vj< zFW)YRp%RI4PsjeO6y7E4Z|U>OPdq;A8Aj%~`%J!2@(Q9WfjCTEFd{ifD3h!SJr^br zB0p+X*`*P7*dF7N$v&Drz1rMj8g6g-Mc7{&tjKP<*Wk?xrdgU@ZTh?FRTpg2>=#Nc zcl|tBjzpMQePhHgfrVqQ^3MZ#4`{Z?GVi-&e(Tb%=M~cS#l|PWl=oP2_P-D@Alk4} z2WqEhZe-lXX2g7+^GELa^;cK%PQ`hVw?>_J(9Z6$reqm+Cs1I@Uu>48pc%K)@8W~# z4^LMuy$$lB1#@uohfqc?r8<=(NI^K8F??so~mXm3xDZXzP=j(YH3(urq1?yV3 zm07;ioFj0|0Sef(bv8!)6vrl+p;K!_?8_-1(a&>l;18s*S*d|6Gv|lMjGP7d4|hhC zYwcfiW$0o&X5zGHkwj%f-Z6e<1F~{DrE%nXnU%iEOGhui+O0GuA#@s8*4x`G;8C#p z4l3cai`DG2XPDY51!kWBk*0Q3=l$WP62qSqcTF1&fu_``3MFU%=aXp5#)K7bxFD*A zoX_TFya;SOauQ^}hqwhbenmQ)$og|xX}1D0NW*oz!%lh}u6E?p*L9Sf9 zNVoAxVYB1T+uc*ak=ru_e?YyYUaiEd12qrxjyWq_Q}OBJwP`wHJnn0u+iULmE9W0m z3M_}4BkG#z0{k52=y8$Zan1J?;PX0fgd6AWmEeH2d%hQvlbsHqssyLqrJr?pyU0qU}k23vi3t0_ol~M ztB~{NeeoUQu@H-B?zD5cQP}DcP?d0UMA~KAie`}dvp$18wmM(51oGzcHNb;Ydy~$( z2$qZ%HYArU*WPXeXWs^V+@X)D>RzejrYsKdF6?IjhI%=-Gin^6cgTWWgS%fucaHSE z{=!32-f2|s&&u)X_@>OCe;_hUzQEwknp+U}%{MGH4?{UD4|Jlp0nNLyMbw9*ls~J_ z%#zt&uVy4{`5(`%qTgowe#RuD>jHKP{OLMMY*4VLdEV-}^8UKneu@2vDuJUm05op$ ze)uoV`se$LY*+4s7fZGQ<)OiV7f_*u-$Fq_Fc z-qn{8lj0=;`2Jw#WVI2@B{Glnd4@T_AUHXZbFyyJx6aU!=u-Q5fl! z=Ai}}v-z#)ZDO->ZB^4nr`I3iON`jpTC|jkecPd22F<$xV?b@&EA}nDIY_XrV{>G- zCmg23_5G}YsN+g`ko{9w#6fe3teqLHcy{C@kxbfLyOvWEo&aOS*OArWP-8MkX5vPc za*dwPy$O&dTI!ZMPs=h@f^4}g9Z}XwR(|^|?GpSX)J3Y0oJe6oqE)p$GOINFbPxR7 zkStx8KW`3r`7si&7CF8?S>D!%_a=NuG4vh-g0Fb8%$j?^PIG_)z7j*$TO|FFE5%Z} zhjZS0Z{GIvWH^las#%&o;k)SGl&IX^;}%(_f*LrPoO+rknTP&$r_6LD=`ErY#(e{^ z0EMvUM!*Uv!7mNA@9FCDK#==7HJ|~MBOU%|HYTzP zpQ#>|YwJ^tjjZY7?W^yMKc1vKWE_f=!KaS1+TR@avyrK&z__Ll(r@Grlji8x`}j79 zllr=Z{DSOxQua6w8u^LvEp+O0Yq>M%xOJ{lm+Acwim87~8{2HWg>8G?_U?s+@72o} zuonYxwx8KYS2P>1Lx0FnAb^5dr2#MZlX9{meXtzIb=Q_qP{o2eSgBAJP&QK^FL>kw z9AtRa+nh=V@IWRc=*i`9IXtp8Q_{F@HVk7C3w^UI&n{ycQr-L-;uWX*WS%-S0_fP^ z+kG0ThO+vC{N^h>l1>7bFWjYYc!*uC#QnM~4BT@Z(sZn9GV`bD1 zg0T%;KMO-8Q_SeJwob-+@cfjRmwc~8`LUX|#lo|P@bu_?+KgG!+b{k*rnrkev}@yC zi5YjEHX2=h-Qu9Gh-hAfS;~q8h0~GSZhtmu{v2qr9!ZeXihKJVB9caD(s=f>zxizD z4DW+{b%jnvZYLi4B<{m1_g4v5$%0>-fceMoO3If4fhiTwKq|14o`zjMt56xq4v|&9 zQBf3El9CxM_kppzzg$tjgaot@j9Rab)VEYpy)7jdIRi97<2hN#p%C}jes22?!G-WF z?X$7D-f-3@MOFp4?+VAP*}iOgTy@O5G8Ht_=;e(W6rw1tjox2{>=$h(C~qYkK6f24 z3==t~eRI;cTD@9%yF~e;^qO4>rLdS9x0tHwjHceB4#8NuN|jraJCs406mkT|aSL`S z3~G-jdK7dj^7*TzLd4Y@LEKedCJVolPLE7VMJ>2-lrh8Jue~a$Y}$UsGzHI2i|%nhbZQ=lEtKoF=c@I~{4Cd?m>b zh%}h%Himg;nnM}gnAXYl;-Zt%Qo&)~a~X}=Nc+`s@1N)ZUrfH4Nx*T02^EFuRqwQQ z)&A)iY>A>|LEX=-PFTLA1#0Rq8F=tu)?cX&rAP4qN z%y>Te4z-PM>7N%iu^1|=$|+lo=I%M?cQ{b_J{`-6Jq9_VI>?>vs1&83{P|XD-F=Z- zT1ph0dw-D1{Mn&2ME!pLEWDa6f-p!AOQEhIgeUAjMH-=!F?tGcd*e{^RG)|s`5pJ> z%#_RGP&84e6qry`hr6D>OgQ!d`uZ|O4ZFwD_SWDi!L3L-#^vaR;qXksT49~_qhChk zY-FsXP$>O_x;S)sP+nl8RishJPAX~(J$rh&Iatw%Hc#zkw4Kx75`HG$mr{5Sca&_xbhLKo!DJb|DvjuH`Wt_kA0sr!;?M>BZDEWPt zNx#>RHrC}JlKZCN-mwVpAdcDNu_z*Ph;cQ$3$F~>TM5N3e^BVy2Q)$u1zEbOQ{&6r zUsc{ty%(vqU(*smS|4Y7hV6ID%(%~nq(C!m(EE7{s|fecp72cbSfMD(Qe3nfsFvX6 z(vM#eyxww0Aw5EZzEgJ)q93VNp%Tw7{CpM^shs+(^6%43$Xw4K?Dw;^6d$?3cq^*+ zcb5yc`%kFy>U&PxSvmt=|2thnuuhae_;H5d$YZN<%aeYPS--F@QR3>`%g!?#&%-Fq z6;vWqm-Z&;_Fm;jq@>aD(Dx{0OyN{IKYE|1%s7VZZuoWx8_CYw5Sz8bM=m%i3zTg{ z7yy!j%jXfLkM}LE*}GKR)&)BZv3MP)Fq_zS#IzOJ>4kTQM?CtozTj@XJuO=`k@Lh7 zeXo9Rd2ea?LlpZX*`xLrFBj}>T_;Me=vw>Oh zaTRIo+WlXweOFjhYuBwJ3h0)q^xmR^AfR*-5u`&z6cFjfsC1B?1Q8IB5{mQ^1q2mo zQUs|&s8XbcCMBWwP(x^E#l82pKlgvmx%#ho!m}=tcfGTXIp!Qdx?gvn1L6(^WVe=* z{D-8R36q}~9r$W~ZWnmv`^_##R|A{Z>CPMhG(lNxQuk@wJLYuSj!qwE7W@u&pQAm% zg=B5n{LbNNASCa8lNXklgoPfumbdytFic#qjL9%3vFRawY@&OT8tN_ZygcF-@sEVHTu|aw3*(WT-pO;{ zP`4(T&2pp47n1wd1Jo&7G|AW?B)IJW+ zXOnLCU68iZmB|!$rFa=7D;;*NdBXU)wV1~28!R2Ld`iM~)-tL>7~c_m9vG)6doU3m zlA&18k~SYH-k1VS^>v#Eh-X3aXO9MN(%H->xfws(aqt>tOF~XDBmn?ig~-gL1FT_c zT+ui6Q|db9;SF8%6ut^J#YUsBulTy(O^t!yX;ujhU38|su7 zt?!4ocj8Xnr9HVP#AxAP*$*>@EW#|u4n?PL%+^;PQ*qEr`cRxKM9f~qa3Y~5vZ1@~ zEpLUW;;E@tRtz?T%c20*+u7mif6*ix8Hj-F@jWyr#_L+f(`TcjJNaH6)g>vA*phG)?!{LLxH?&>~1|4T?RN`NDfxpF-NTElts{?lrWHO{QH6p2PoT~3L zFS2iLws$*dHTIt#J6OEU^I7TJS|%+Qj`_0KY`E_Ua z_Y-;ZVa{0noWCZya6bf=znjd5_B|3kB2DGJcV7D9c{n@v(7WrT3g-hIzn+e^2IFfu z{)GXKtVmfmzLitCF8?|=lJwb_um@VDQL35LXe8xC!j!~EqvUWXK{L|@5_j;_o zP6`mqo2nHO8{gwm5M+q1J9V?THs=pF@1M2ccL;v&kmoXAdv*%9X7r3#MQ^{XG1)!X z>@M_5uyID`G{0q{LRG&CP^b-|fii5BT?NE~e3jBLC~T)Mh**?De4T4+NWoQC4|K8U zw`8YPd8b@KPc2Nwyd5bEf3g}q+W#Y>3hkMnWolD+8cJzf$Zhy#f5tL>sY$&5XzE=V z)OtBiQ11C7U3%q8Z8&@EsqatTq_O{=UQe1(R=9r8eL?W6lSwmMDt5$pahorNd@`%@ zyxBGKsAk8ac8QQqF}0sI5ni}$oYn&X`3D)ZJZi#aRly%m>7TiKRz^bW$gMLP!E5T~ z&J7c$o;ZA>0jN&o)RHC4?@t_ubf29#=Cj|Z@k)x0OFieqt`KzfG{t%Q$qwtEUsq6^ zd*cT@KmxtJ*}{|adN|ZO&5_vt0E}(a2&^{Wjgabk|G`@xE%QeCY>?v1G@sezQ*NAd z*V6ElEpq3f(7;maw{!sqjk<3%w14EiVmJlu#{GW!2?xhRFTVj&iLF)j;=;h2-UA09=3?!VURqEu4BbX?ELW~XE{HcPrHnU4>XU#?3v`fC%NxhVKh$IRO_z*bi6 zt}@|(r*3}}KaG(9Qq2Lip8e1XPu$)YR#iMYYG-;gni`>|3`}C{-x*~t;q1}}HYrju zpaS3g8Uf^`$_ZSt_+#Z)BC2JIH#4jOR-Rhs;TG5;_+3j0}2)CAcPBF5>u|Y@6yr)>B8n@Lzavl z&oc6oiQiJo5Q)e?&x_+Sr>*KzDK^HXr-t9J^M5Rt@1e7J!e?w-WsL3qORm9)*l-0N zx$Ah|gfkM$>1%M9Zqv6Lb=kae!niVMHvT@(7@ML_MP6bR+UIFTNF7lVgAa4%W-TX- z-B_;mUTF)U;vPy_GMJH#R;}1fR1hS-dv!{k`g!%07lBPy4P2eIwE+sjh~AThS$pdt z5K|S;a*+Avw{HgM&=z~&Z>Og$M~sMuO&t(Z$ZpeH8K`w?VaK-AwN)hWHdo3f<4eao zl_qNR8X&6Gnr~9lem5w~T~$jtPTs(SzdBweW{$_tGZ6(xq-}hs6qcJmV){acaE^=K zi6~O%zhJ3;bHwlm z1*58>^>D6-_qmfnAFK*LmCY9TYCMOV`|$HYSMU+vZ@48i*lWaSG7%~g#yZ;fZXbKR zU*YC8yH%@7`~_O(+k|;rPCdADqvN2FhwdlK+)c8Kj(x$jq_gqNnbBWm^Emi2s{1u4!uzml)f)iabVw^JYit*qLuSu=z1taNMC?O1oHU>^R_Zy@y_ zj3DU@AlP?aeNUOr_YUH03G@~BYMIN(j7wC5+|51OPL?%bGUv+q+6$`mz7;CK-il`% ziM&|84nhx#TN(93d&DNnEY){*@%?SH?9OoWxgErD=ME96 z0~6KLy=d0CEn+D$qEp2whs1K9_EY zGEiar_;IeXExxp}lh1wW>sRC6MX)pNP*03-Eme_onuQLf~oCY(X zj4Iq*LKK&+=s0|_*Q9B2vWmgR!;Cw#UqP$A#0HkyqEieg5a0TR%F45XifcC~?sr^5 z2e|G^VTo4Q3ZWNnmOcOidZJnf{Ljb<{Mpk2O;pVi6#?wuPP;dGTdJT^QhTt{g zioLy0=Oq~DSbVon8+rMsau^UN6mLZ4=62q%P>zyeyp)DsH!(JU(zf(gR)A1eQixcw z7hzZ)9U|RDus7dK`Sy@&9B9#C zH|1Ir$Qou|Y)eb#`@pq@7!){`b2o6po~EU{O3S2bU>er|Nk9jW(cv3UE!su_L7>WJ zM@N^bIZrS8u3%uO?&p-2?fL(>l6paUK;l>SW1leYYKZ%5U>&=aayrm*^4s*0;7 zP8RytFGObsU27GIaB>ZQ*sa^C2(`yyq-^pf<4S-VkuT&Xk}9 z?3g~7jn`>EDMPhLFHk8Q_qw{l=C3)g|C~NB|5!`y{pi`Zu>HSx0k{C;`&Tbf;~A$P zg|98`Z|ckRFcL`4$&&{`MuQvd>gX5P!Q^v5eKAMBlxIGw7{PZ!x%$QP7K0u^oYj67 zgp}pmXT9%h(yB7H-eRv&vp{cQE6qO+2uP13W~I;{z$N*o1nj?c?NJdgjh&#Gq8IfR zx;la9Q*sriDE_0y`&K=^It+5+S8tUB#Y)W;amQZpn7_FGy#CDPSSc}@U;up@W$SsB z`DBcdsw0l3BVN~AZ?+wI=Di)aBw9EPJXZXj zG0)zTfI*ZCv2Fh>sr^F*=;>R%f41$%3U$aBWFovQwC?WRKzt#OdVS72r@d5{Vt9*d zOrZH{9rXt77{44ef&pOfvVIZdIb0Z!5{BqF);?2QFdJflbs)qc?QmLjNRDl6Y43$&x*2T12t1Sma;|YnH8>7WY z4DIHPIwbK9TFH0vPilOE zzM?KRIJ3l3bY1}G8tnrRSlmK-Ie9lP$OJVS(q>(x^)NqNG{P6}!zVoBAi#~$=MQ4*-cB`kEm&&3A% z7SLqNtY%v1OvOtd1-#fU_0OI}F-8;UkLD$oVRml^GfsUEz9s4NH~r>sH2pDvM98&Q zP*x7(_DM(8KS$xsj4ixl1j_QgR#U*=dU~gDPxw6S9fB{yk2cYT&{F=F*w9;We0*`5 z96|V`h5pkn!0#6N{ajj%Tb6Yu{Rjc~=bN@2w!5<&MY{v^ox<9qxZKfn|D(O_i=}BI z1OzwXey$=z)FFvd#yohWmgEJy|FD78_HqG(v(X({nF^q*W|(_52Oz#a;DK2q0_v&0 zo%I1!9>;$YqP#dO0EU>wf}qWY@R@>#BJK#sC)%y-J5NV~k^I~;cwa-A4@P|(*VPKV zj(?>UCh$>0b0kL4F zc?MW{^3wl8&Y^1cRNhcY>Dc4@PJ_T+Tb4x6fsWPx+em#_i@(a*0C!bzkSrxn<(;U` z0BD{7mArj>pkyKmCpl@Y4~T+*z8u*ZWAh?SBJxpYToU~T>kIqVDr-nqm8f|vu-A#0 z93oMsmf-1{CG4u=D8@q81WA$y`rj04V%cRbcZe{S+a9`Pu` zb0^UniDnxRNO~!YgSjxBNfWri&@O;<#cBVJQ4$^`IT- zK_&7h6?!*`ESfcraka zf;ZyyX8?DldbeUFd~`KzO#A@0S_jt@N(NLluIXD} zT*j8*J%v^fWUuYpl9H^(<~FYdAR$UsxGlR<+V?f}=kg;3%m#^dm2>uuH?Sb)XE>mf z8$cI=sqQ-M1Ms@W$P~p>qq3)VuTON>1Hknz`(_G9#!<`EL0`sB=?blJQ(*VnyF_yn z&G6_+VZOh**&kp6BW0>JAhK;##ZoAx4&GnWYEG2T^uMS zGwZ6Px?}?xw--ViyR>*ily$0buSC9*xlY?@XZ_7NM8jgcFF=phzP~)rv1sqz)&s&_ z#lSvVpnR%8=6UTS`wem< zovDflS~pv5PC=Q5xx|vINGF(I4MDoQ=Xge5r4%0#xvAGRN`lq|YDCaMWU7Ntp?5A~ zvy3Ldl5-}b_?QR(0gH=@$ZBSs-GF`JC8L;YZ|^w)+siV0rMsqI+@$(K-Nk5nS@w3s z4A(cgSlINCkHq;{zgF>&`rx|MQyX?A8ct zo_OQOT%#gBiY#%Z?Zfq{#t=$igycjRx4$n|1)*%{tY^*krIVB|o_l>IMCCZMVEgdS z-Edi(NH z``JgILr*p>*P`!J9A2^$TRAc-vWicGPsz}pue4`eU?RwlP5n4CH5r8sFQ=$n?U3sJ zbcNPmcK#{4KP15DF)>?W6~0XibBN=|0raXhcE!Er06Ms(R|5^`juY=Ox@P}G$?C^; zDx{|1X$-S|P|)_sqC(B`h32+qeNWIb7USsIFrvOd5qy*H&Od+XhdwB_ zXHr&1Hlw!jJJqlof|cnb4Bgck07IG%<#gYxF?(&NrgdOQj;!O%5qiz3fJ58!c*AU{ z>%M1OTqE_#ye|`>p>tKW_%kio8XANV`YCT}A-h0$a*=gZXT(6nGP zQm7e;ekl5j9(Zqhislp<&VQM@awgF6piPcIZ6cQn?#2nL8}mJl$p{5e*?_=HyIf{R zZ&*k`#5HG&8EKB7VPuseM@-M3?QPocoUhePDvj4sqDfqT_pF5+W@CRQzfLM z$i*+0oz9PIi?4W_P*L0?V7AXixu8@li^?xsvY-y1O}$}?XUDQO&ziDR^`S{0&?esp zBE!7H%?+rZkR@Y64lJM-mS~V&VVh&&W9JzkxUDNOK*woUG3UQzjP!&TyTuj=Ndg6m zTNJ~!8F5X2N7`3A>Z|>$FAAD`#@%tSl3uxD;W_4StH}VR>}A!@J;1i zl9v%-j#6xcH+eX7B6W2TA2u%=s`9+W7k+t%eu(pSqH^Trp|!m17fqtctxNvnoUX$; zew%1tzw!kXf(OQlj%;ML{0I}v|EiW`fQ8~vju4s6`Igt2j9!Y7 zb^HV8=3WAn(ZZtD2UJS>uoAvC{D+odc)gxbG|Pjgsu2MW@Ij0~Tg?iwa_YR3?A{Bt zS(AIq#;`egx46_XTknos!FICz@s$2~pu<)b0`?ayP{H&i1bKi23GWS2)2iHY*QZzr zBEZpWN`iNaQCwezfW051qqJVnzotr}6xy#M*QkMuf)8c1N=7p+=ydY zW3LZqm~5rI5~~y*{2WpTZ^YOqt&7KK35qD02(|sZT@Y{^Thc0*@ZL*oEZ+Vqd1&Aa z?(KAy`xJwuW|H>foovj>(9_2iaU*g9qe6q*n3_V;$HJ5`z_ppVFfWA|HMl8p4_u)< z8*u9l{iT2Y%If(RbODH}?l#BRdx9z6~yQ%5C)11?kBc05YkSD&v=JS^#2vSMe@op~s$qPd>T(#Jv&W zG)|_~?zf3p?6sFwFR7uRUDdOfJGqqg#b}CYX`J)SR;LwX2$L@@mxPxTX>2p(B3ka5 z+ec`Wo%_%GvP`DFz~C&OavPHx^*wWB=V6U_b0O4op{oAb9>Wv# zi<#eS_%BO=O|wfIA1KvziRCb1T|5qL;$$u=|5iN*o9! zUXs)xjf-2Dud2Ub?SAa>&=#pb@;(f&0slJx&?6tJ#L`%iA%SSiK~3y#dyML*kHnr3 z_t=HCJ!KgBK)J!6=dG?yZ@xZ7=Q!FFS%*`Li(`NLRA2dCETziR6k*0stI|S@DS$Jy z#twm#2lk_*-9xUiF#)^mEhaWIcHb9-1tntaRPRcn4kHT0g~WxPH+!wEUSNPaXu5`J zw9Q6NlZDJ~igE7x)o6R~w2h57`wB)_fdMMjDlV~R+0LG_2|h*(ok zPTNS{=lS7fQuSiHs%iU>+Nn~XX^Q4$O~uqTsA^Hd#Np2gv#Jk8Uq;_YrG@GQ^ zF<#X3`ixtA+C)-P@G?LD?eJM$VDu8RA>lNejVxo0eti!wTXN7(mn64 z(;egzZSuIS)Ek1^t8LW5s)0VD_ehI}QbYz!*i{JqqhD7?#7I7rYWzUoPLH z@QEqotR=1kJB(&y$4B~TKpEHeKH0c0I6KxQH<9_q0og)(aq3q!kiOZWRhcp6f?56K zJfhHjM$AgnAS_l9r~D#3pKHP`O6d7d&CzhPnel^J8M^Gxf`UIU|6F4fUL_A>wpkp_ zSkPwYMttE&uPRo`d>+=IRu9*3!$=r?~je|Mi)NULxAQj9z0=JOYaaPN;&S zqoW%RU*sx=(;Wqh2eEZW+bW->llDSH^%tC;dd2&FdRgVnvzgRl+7&4QP^J831yV7^vlkd=PQ^H%h_ zDV0q1)Onbv_^>~qaq9O|;04T6((a~^Xzug7AAgTvz$ar?vSEpa^L`niNW3_Av|D$) z{S6N_yH7`YXEV#oxhk4&4MI&lf9 zoNltUP^jPaT*a7{#1SD~ZjkkE(ZlhLgun@v5Zc>_O35Het^?C!64nAHz~h=&HD*Ty zuk8a1;E%RE4o9C>ZkIPVfJHJ<7S8qnkTf`B+qfSguoMqJSV?zPbsE(jy!2Bi%Dm( zsq5&ibQ^E>!Q@-FinlN5Re644uX^A=QzosFOZq48u+*n~6)MB^?N|D#ztY1+=(0zG zk^M&An(Y8TjxXwiK=@;UfJ?*gxSR|P@(C$h!4tL|F8HCn2AfY{A$_`uD+mPKCSsrk z)ysFr$-tToKPi5+cM;+l2ADTtV0asE-GZ*Azu1Iwwp)KZpd1m-^R9R{Q4*Q@6fE)9 zPUHEjI-N9UCeVYMdS^Lekv3U2OguGf#dJ3#9Q`2qe(TT{F_0p1OC4jw^03yg4erbH z0X9ys`ozlCm@Dlk6y}dmefX2roog4Qrs12R@A6(Kr0Xn0ZkdtTZA{f{yTruzlV;)E z61+a1y_%r&DBGb`xRAUMZ_N7gqO{&)$5|={ZJg0(nmvbLHWD$xcX5S(Ssp2~SMH(@GnT@l>H7xqD0o8wQfSHc-W{)*@q5qHHxWqHgC!ZIr^( z@M-7lRk{v7b#Ejfin19KsFvW^r~hOPe>$s&Y4X#td3wn^vO2*MJ))>-<_F!eY&cwvc77 zaplz})j5nRJ_5acAnFz+WvCZB53j1UDSw)PBWEU%V$eG_G*=9Lgng0(BP8eoqUth2u_=MJ zpVZc}P~9)*Q9r_gS-3k$MP7DhAq-1N0n8 z^Ruy(8TRWv%ED=3wpN7H(-EU5(kY0~qHyz{3rNvyJ8=b0exuh7J&If0JWtRYWg z!rO>xqIN+%p34G@VSP(@0Z#``hHcC>+G0JpyiF5>IAK^2iMuf{{c%OMOh~k=cj#&i zaaeaaKj+m9)r-F~HW^KQw1a{Gcy)XTuU(=ZIJv@BNp^Ss7q`)$#kT9N%O)6blgW7B=o zJ(XUYJ4c>F4B}~g)0`eJRHk{oRXqdy=IS90N^Xx~oPJ+3(Aiv&{IAl&NAYlsUV3)E z7#K~u>pb95JI@3n4EGUkk_E|R^dY@bwx#0dy+H6$DU3Oa zC0=Ljg^pS(CA}kw{(I&Z-dNWMm&{JwlL4RDLNdx6sk}FcC2G{k9teUt8fwvA4%UU8 zR8}m<&j#s_hlTa)B#L$Yx7hl0&a_obHjZ;LS&S;r565*owX{WsdhPu92obq$nakKJ zVy1dpgj~~D1_2>L{rSC;e^Q3O98bcFdc9eFL*-@>#__vifo^xn=UyMhf5#`EEBH$q z%in+n6?cHb*c2^O)#JK@8F8MB>*dtE2XL$x0y~M*1*Y5i3(9XWv#q7McMT`3d{QG1 z(}oAhh&+BcG#c@7#RZ`zLbN(5 zo-NS_qnGRpH&Mau+6;7}F+66fJQmbGS_rN3sBt6fD`CY8xlG3uo~Bhw?F7@&^~6ui z0qHutg`Pqe^M4)Ucl!51Gj_)J{`~Z}jgs9;LdeY-{e%!ZpTBNiQq;|vvK;)~k$)aC zrllzK>9iN__HLF+z%Rc~Bv;%_s^zh_-l)IvyS_q|a>S&*AN_)pcuVVmZ|t&ZmMf1L z>2(caQCErBi$VpNvLNr~(Qdn>^bVqlh(Ex6xgBZNOzFmp2aH1FEVS`NK?GY?1h9M? zmr@m*eL)5<^`+yo&2acdp4sy2ZT!rxt?DN_ruPg$%(xTJ+gj98GcGN}6JXz-$r1A9 zxB3J!FH0Q{HBmwInDxB`k$RXUdKM)ff=VKjxFN7;LLsw*##$vJl1HBKNyycpSxo_) zi5IZ>Jeb2i=zmKDT0_KzcYnTN2h=m~DL0-H3LXPiS;S6x#j27$O+@Qo1%S&B`uB?M z$_n_h@n0uohyu>b5an}Q^zU+FW0=qUYF^(%&Juj~u&qC!W)g=4B z;o{ciaJpa}?dxsSYCm-)xH}s{$?uWb&1% z6!$mAYr%IGn;*g9suN$&yj=_PDTXByryjG>BMR{X?ovpnDY!lx^o|14^~$Y22B9BW zbQNr{h*M!#LACd>f;(D_kdvXunD(~LB+UFa+*Su3#`7W#?5iFW)jdDZiIqiE-efe= zY%yo6BDMmL;9;iLmxs|qQT8%`pZ;!XDq|re#e0WlnyvmyAMg{0WT@{oxJ{&eOnLmT zJ5*FizC*S0W;cd^9mS3iMLc#SF*jfM&p`6`b zW#SV10k(K*mbI`IsopUM&7CB3Q!cA1mN~R{0>E73c}TE6LGq&_C;S zWlX@aI@2Y+;hl9MchwgDs#!0s>AUs#TNwL~Ryq~BPeho|`N#$sWFkZRoj4)Oh&@#f z1Xl21M8?aT%{HSw9w82meQzZav|5ZCj;%TNi#y9lIYm`O>uuxVCJrMHRP|ngGt=Xg z6J52Cy)Z>H4OhbGJ(Y-|QwdNTCW|W6M2ZSp@@BJh-5HOgt(hRc0m9M`sN`CN9U6@P zoX7nT5%Z~q9WUeF$<7E_I{yJhC!v_KGp#LFIh_Xem)GvU|M@KCm4NEAuSL{=oA8M} zK+Cv*o$%`4fIR0Plvhx0*Sg&EKmR(GpQ>**Osc|=O~0(|Klq?AGet(I4=xPk3wY{L z03Cjr{Zjn`ZH%NXA7^$(8gth@13GwK1WW}eqrG?FA#_c&;$arjBNaMfJV=A)l1^4| zYbh8XMhv_Bk~CxG z2EDLeEyvi~d42W|E98szB~I3Tz@EJLgLpjwg>f8EZmu0-Pb3n)$%2QnE!g+-P@(R*<4<9%?=jr+KJR8a8i6bUMakgBb>-#D!X3u&a7=67vMhjl-K1&aH>$5it z=*iyNjqI)6T171XHl4rP7B0MGOACg~_Vaf%%JX~!-Xp8l0Mkq@!3?0+0$JuTmlQ14tB?A#ZCnXJ}wDP9C$s<|fRDBXj<7F-uEu{^YnuI=xXk+|D^(D!I` z|8B0kpl2Sfw71c$v%|89M}EeQKDN=8)}#&?CpIZLDDburShSgP|2C}Q!Q%--5c6_& zv?v%s&_#a*pI~LG%m13AT~|9a4|iMYR-~1S6zMM9O{Npp1 zl2wbB;C4roECDY-7zTmUkt=y+_}7ggbm*V$u@`}0HGT1v`4lMIpO2k+G{b16;Ct4xHJjLcNAcMsdPk)Rym8A}mg>7i3Oq zx`5V=is;c(!lyi4w}RvHb~j;JC^7tk1|(4+h3)8U>3ic(P3trBpx2%x3O(jR-K|`x z8RYG`mYMyT*`GP0=P9yHomss2d%kWtOwB2T^SQpVx6+#R#5F=gEA8$2>jvlExq73su7&qQ ze3uDPLqUGF4r?Li3XI5DN%)7Y$QA-e)mCvNWF`q@mywJD{%6RA6GBc%(~-uJielhl z;aZ6YUnCJdyGOuuKm$QiFm6U9P6shYdui(fEapK{ai5^&%=F{Uo|fD`o{1;n>X}fp zC)EO=j3_e)gSqcCItQP=88<}fwz@wlL17FPkPB{BTQ=KqLt!n6_#n?TIDqD%HCl%uYdsfHJ)K z`Nw@$h{g&oVe8SHvbx0EPrfYH_hhz+Xh9hDEwG-fEHCt1eGiH~=EMCxQjXUJT5(U0V5}scuxlrZ8*3ddJ5L|+c4GCZiz%{a!QX7KIklu z%P1h=On@|f)UhF#!{=1=&UFh!bw^0PFRn!MfcQg3F{PY=&?Uxiu42;!q=5f>hQ#T& zTpUMktN>ChL$@Xcg8Oq;dA(IsHAA4&J*7moVx!pC>L%*VtaG7Pc?cJ~822%lFs+(3 z6c1rjcBCW3xqL)5os|jUun_9G+&jo}WVF0hto=}lFy8^Hy(>L1k`xi?c#v(Ykhm3x z{{F2;`C$6mH6&-0$bpRBcfSI1K&7&3dRrn_7+CJ_KzY_L&ZSCZE$DlDDBiL*w zT2nC_OC&LZ%5}@6g_n{ZC06D@*%t75536KD5#OdThLAGgWUc@wWBtE;GKlLdHK|LR zqfQ z(tQHTA$S{w22QEkafKB|SnNCz*%Ml%WgLC|tXT-@5NW4U=%hD7+Lz6jL)+fkj08)5 z+>JSHmzn%YQm|a~Wt5rt2muzr>}Xm~Lrsw2Mtk>gBM(9GTv5hsFfD2D2 zwri|~jI+iPmBOMdGQ|n6;TRY$WQ&FKwL_G1%aaf~9&lc~kcb+P`-z;XZXoA=TIAeM z%d&v?mxukQbf^#bmHVx}#=iJ7_md;%esa?ni++#TA@snKGp6OxT`~efhoUxWi;?fT zqw#E^QSK~@W?RA}ck#kXr230h4nk70nH> z5C1aEh(ek6(M=8SN~7!_&3-PybAKFr2ZraN!N=qKwi=X7MpKhW4} zcU6);tQfM58i^S?bp_>rzuWYAetrkBl*z&Z-YksV<8#m;8KBY$VTIgiF?o=dMRQKw zhcjXMM@K(~TcA8OU%~IV2zpMc)rn=FZJVfpenHc7qY5Al8Pib27n#y@T+IIM=f0tr zb)mk;JyV~)VdC=3AB(61*`7#9H3d+D{TEAPnVtdwRk~+Mr&fsG3NAsnQtSr;&IO}_ zWP+$Jj>k!oT-&0QQaPUi;Ahf$l4OQCP!O7U6h%Vb5ePq*7KjpH>HM$E5RZ4Rw5B5E zZ0a!hY=Z0pY{{}w+V$=uxWj9~nV3Pll@5Lh)$DmIzl+x&X_C8fi2wLEuS=rVfI@QbWL9Uig%Z z-V)hnco(QUJ5)$;PdR$+d)-mRiY1$|wd#a#FuAbiQh&pkpg`+-`rr5(tsq6bx?FT_ z4fC(ksa}iWef6N$RDtDxAIb#^g`j$XhbtuqET8FmyxMI~#m`O4SZh#WJmRfN+0y#9 z5X-k39D)HeB1YIk!e6s4yT&sbC1>5oZY_otS{#%TJ~7ta5BVzTyS@Gva}gr(niL9l z%$$xBWUiVg>M0yLw0WC9bHMv^S{#qX(sZs&&e!Wi*NKj+p0egquT$}7c2?xNYob>m zvB)>JfPJ*2@yXEa)Fs!~fDsVR%Ellmc^ov-J%%PaceyNfN5%tjDk zQwzLW2sS2M3i#GqtM}LFnE4^~`F-MH5~kjtF|NAJ_1yet6SIveE2Y~e&Uu`-Fa%I@dE@~zVWEcCcO!7M3#s<+*@N=`T;KNm%Jn`&^c z$*;=j>Fl(W39y8E;z}1y;I*AXn>6(fQaln1Ve$`=1H;)410F2qxNv2nPTD6;Hl@@K zDff#qOV`U$X!VI+hQnsAi6{dxV5?N3*@D(Rp*&S`(WzQxO?EsV$&Tk^bb;*eHzc_J z+bwd@`5)kY=sY31n`eay-xDYk1@h&NQ(7ej!|zgDb&T^=6}=)+5M2qLJAJwmJEZD;lT5rT{clJn%S`R9ihZ77Nl)i(Yaqrn@a`4zw8tB}F(7e6t{B z&Ix!DvIKFeL!dKBr!Pu%0{>&T#cA{%jp!A*2bb|u=cXWW_tel#>0rEDCaFmv z{iJ4_AiM~PIrYw`D_j&9i<(!ffBjPB=z2w0r! zGX%VR1gB2ieLP|SL@c=B>-z)&!X*G=R99x}g;XP**_Sx!vQ38mwv&u7zuVG` zfXh1(vnOr<-x_g2;)o4_wC3JI;!*V4Z|=TB1^^|&M~J@yBaord2CsgI?`^O<#+ zwr|~5@sgu8aChOy<5_!+?s8Rm8j1UF7DUriW}l`xghXStEjpmTPG|1 zM^T-&SJjrKa@N8N(9lI(_zLfVAo5xAL(f`mII;yfU(g$6@G2C0XXvyh#a?!t-bnEL z#Xqr_bYGeN6>o1&GYUe$-1XVHE6_{D$@su_0h5|*728}&mjqDQ^A+2&PY1e3TYsnj*a z8vD^6+!(Uhg6V#=lWc(79B$D`<(lv|Z#Ulxwtpv{_USbaB_t7%{t#yiu=y;7lfy7D z=J?ZLR(x_NwGhjDp^stT2ue=7wv|JniAnGeR1U?ZdvCRqD+zpJ93F=w$s!0yHwINB zX{|Fj*;8u$g8|8~GPLW?B(pZwjBJWm8C4!O>nr zNBV;ZKHN;!@EJjcg(o=`X$`l2+83@1Wz3s%zs-^=kRWw5W2-MQtOGt5WpS=cRmz7j zKO6<(;l+vHWalsg`WdDBwZ#6p6Z~BIy)kK_m@Ht++=5Dq`{#~8@KTt+bQt=pq{P1O zazy$gj^kn*f!Z5_$O8h9#RGO!O3wPGwGVFqjg^b)1unn)lmGs-EKa#mQQw}mT)1gi z^2?b1gY5lRE;PWu4#*Vx_O^O^V)kz;fRWeb3+{$Knz}kgCs(RzksEH#GtMB^`)-9A z^a^6lX~iUVZ;|jV2TM>+Oqx<|GTQ32jSLs6O$zJwT7Kw}%Ek<8N8Zmk{|M+l9 zI~@aieqn-PqPVTC&HD||+_jN3hoDJ}Xr~e4)+mEGet&NP3isVq{~EpqMjFtSTifY1 z^GrmklnI!VlfO{!zmvb;ea2s(5Mcm`XlLe0p5}kLe*b-JWJ?p{C3_bdhP7%>Q}64F z6kJXWU5o`6^kRIy)n(PE*xqG$E|~}<*ulNENTCwm8iF3R0?(#&f+q%Ay3>YWa2%|F zMEnDr$KxC!SKLW7G-I-9NR||xK&i^<}HlH*lSWh;Rz~9?Gg$7%+Hl zHDf}+^46R@7+DXn*pm>6Vgvc1r8WGQ**8Wx(DWh@;i7-?7r74#I4S$qq#@}ztMgk2 zS91TP3$vLU=h5O{KO-K@zk*4jp8K@QvElu#LVvkH6dOybOKJ zl?wo!lMiYDHs$|}EC1Y>AvBq9>7Vf>#p8c?o4mAqlU1t{X1%Pkhk82UOqxP_VbhJng$xsEG_ydtF zs1p3+d}>?KQAXVDL?oW`@M|d^g70-Q3q%a&DwR+d{jqRp%OLFF8dQMovwMqp5^>tD zc-ePiq!^Y}NTurEEPt|cvR{BCK=_$>(2|4Ab^0XFp^odjJ@L^Vu~^C4ydANiEsZ#+ zEi9x{z?r$V35jn<%*PJ!17wQFnPZ<=?lb$b|B%dY^ee ze+WI$v8{bAX(|+Vj^L2>|DoXV{1*l9;BN}vxi43Cv~2Ef@a!9!u~a#iNH}q#J3AVB zByF?81l~NbWbPDu9&#zSTg5qrUfWZ&({KYW$pW%RPz&qAra)Sx5 zk3Sns|Ne!)ngaDlUeJ$q_a_j$a_nuKrckQ~b z3JNx=4@eCi3xa_35*4IKQ&ACVN)df%(py3kAxI}wDN#YNP^7nzphS9+8fuV)YG?sM z2qa|x^Q?ER^{##PKA+B~GxEV9BSRs~|D5-I&+GbK!j>K3L+#*uRVG?eO~sE1Dl4ba zT~5#2p8mM2^bnEuDb_0krHfK@TqYQ%< zfB3LhdG|!}LlKPnzHs|nhweR(FH}r)ruflIhf3Zkvw{m|+On_D8lx)*E8~)JlyO5E zxvmAVS3*$!N6)nPgsEpTPQV!gY6Qsn%LeV6pZn~M@eZKDhidJ%9rQTvG+bQY;xE9x z6*5+$yYTjcwe+!D7#r!yzrOyD664<%$gVQ*j;R6HibebXt$X~h!VcJXfQmjOJ}^v6 z-knYKF3f$-<^_QZSeLJ&wWG7n74YPTv|l3dDqLjMJRE7W1_TdE4+|-S9j-x4FFq1E#x%0ac8G?qw%A}O^=(N(b7x-PaaB^+=ZG?NR#Ok) zph-?k#s;)kmJq4NlceD_FseHCA>H~SbFo~U{;Tx=x>yvMi={)hqWJ&1ST5gUE*68+dj$cu z(;UKu1>Gs-MHXo9P7lX7qeNZ==MR~%n#9p8 zs-T5Zh5hV+9*t`^#AY|=G+3am{i*HZ$d^}AVUvrksv-Vi1e3-T=hV|0D<>#ocXO|H zMVYC~DuuYTf2?qLzMrvp`kM2#-#ku|pQ}#?K^?%!JC~K^w_*88S&1<2|?@&@kz-z<_V#|%Mc2a$YaUPDRA;~JZ< z)A#fmEE^06x=lM5Lk~uBLpDExKqnjJX+;l3{>)wbSOz8?oQD)!A1g0wU%Gc25}=>Mi-|ce z1op#Qo8XHR5(6Om9fs}BWo9a+jOd32A;Q|~U^8X8I3_ub14{6N*`TRjKE4YKLn$e>F zdH!g!x+e?;T=;YC!GD$cnaL3hH737YCwGanhVUWax9IEhOCWC4o!gKPMmv?99YC;A zoszJWKTRrHQxVg^^X}A|RU_UdSkes{>NPc#7 z6cu(?dBDO~SUzm{L!3R^2d?BPTq2zO+cioiD@^kPYsk(~H9~^7Smgo+kkVs-6Grw3 z3GqmyQ2>6vr64&WPJyJCGHkd3`$ZCHX`%|2DDWHMFRhGUcH##CZ-LShOyr~wc&EJA z3@}>F0T?%<(nq_3+#7vfVE~c`2vwN}FmJiGOPW|~MZp6F;Zne%%x~riNZ>8ZH5St8 z^%2LP(YzSDUT`L18<7{bze0ZPeN>pT|BK0EyNH(6c1*-Fp za3)tCUXP})@iGEE0Unj9C_v?OcyB%kfbPe-DgY+BdAWC@o2j`Dd87*n9UJJ%f^=os zz8`xOf01=p@EDWqEu#QkF_GN>X#TMSnp-cKNgDIRJSM%dHq^gRB6r3IyvnTm|pz90AbkG03Wt?r%V8V?iH$ zL6MElKYyETF6&#*Yv2+MuZPxD0vX#FCm2J>m|q*6w4Y*e2;GIH8iEN2Fn5!G1=O?O zu&^M&=K4yO=PY3V5s_hPG_6jz>n6m&b^(gIuhA(6#)5{KpNCuEV!viXyN#@wiDD;) z+RFgeUYCGt-d$(p#M5bhNx(L4VJZsn7dU(~QVue`sF@jkp%r$nu?o7{)cKFP*gn|~ zP&jSA+o~VEO@)knYKd(1M9Bx7I%1b5XY2x$FPO#AnN&bO<~v+~Rj zCb&3Pdr>htrz>uQ4l_%|bpQ_iqAuoI_p>Ya*4xTdS_%&>>Ir0`27+oNoaL z8^yYFHcW^X!KVELACu>ltP`-s^!4~KDMO3WNFZMVp$()IAk+t#(QC3y7~8Ym%F?4g zew@LbdM5(WJ0|Fw75~Q4>;+d>uJJWrYB+-u4&MNRkU+TPsvkDfcs@8Y`{#wdc=tah zA?^LaWP6*_H&Ym#OfEdu@4-c2*0~@a5xvA1VH#Te&7qNf@-4R3e=S1&S>&ir*~kr}A`Zo~c6 zQKzgh$nap;ZX8m=8G&0hB|07rmv>a_8~d)ePYn?57gZ_|-scCP^(PHOS2RNn zn=MIEoZ-*U4AxCKgya*=&Fx7^QBwueCt}D=*&Mx|X!+uSzZE^WNqlV;2LC++Y5l_m zl&y}B7+nZj*Y$+lpFPZMDGSkq@s9GdE6~o<5FqM^{&=<_>Ju~e>FJ&Dse0(td}=ae zzDbC>8nI-6X414B)XvR$=9SQZAcsHScYVPWU+hHxR0F_4P@@9hKjmqI(B%Q3Hl|#d zI=KWooCC$od_wGDWc#(~uRCUd%_$!V_^btJw!oH}tIePeASPseibT$Iz1NGCQ3&ob z`DZyco8cahX+9%w&vAwaZ84LE&hIiaB6u+qbopked^m|e+mOW8<}K!Ls;m>DR4?hEFPJ1Fz>LMMxJWm}csx(xlY(&PoMzf{v^;ec=5btJgh{&Czi55;&qv?kt&a3fd-fk-4)M_ zyAr9xW=71Mu3FV-e6OzB0^A$SrTULcBIfDrj@j%rDge)? z`fE)FOSI*<7Bm{1*gpSwUR~>}I1;j~2YQPHSa%|jp!?FPUN?3%=U7*IsSDsk0$67D zpk=nXKXQiT=~pOJHoT_aMzCBn@Hp$aK79r7G%jxDEor-M{pCRVYpNj07Gc*W5jz=( zlfWNO9L<2;50?AQN&m%Z#>_MvJwE&1sM!po_ngKAES%ihEEFYw5_!CU^EqICw{88| z&mL&qUN7^tthPQA*|G)3Ug8Rc){)R-jA?5ZYXtgPqE=s61<#k_K7WOk-63*=P{ZoK z)|Xnp*U#x@=K7)@Wgr6}A4GueQGbjV7XnC8g{D6gr~^J2QLIrot@4KIP=CWikx9tl z(r(SEQd=%fSBJndmFIB7uW6jDGs>4jj+|Gtb=ZwL@65bvht& z82xImqFt4aU_x(rXRm1Qe#>H>d2Y!e`a#qcAO@z(6`HxT7?N6{zjwggT;8)#Psh1) zQ)?X#YUfr?IPBbVxK?@k1hs#I*53t`6c%#$02?Ptck(wU2^=%VEhoT4zmzru_;G7h zK$`dUkt$aoK5CRW3_|AWYtK^9WE-@<`YX}l5CBo(`P$W&a+4Z4#%rNV?XoZr1F}mX zKGn1P#5b$Mr7#)+gxCX{FkSa^?XRq}8cPQps@wCQp{-6n7+!1w@;?_s zrmvXp{_*#{MU$(wS!%$q+p$hQvt1w4K#RbF0P-HUu@JU1(&}8AwV%7POp#X8%gPUJ zcO6Sa90W?tLJ%*i<3wXG(#jH^cEm7tK6;|!QbQIIs#CZu&3ws98~<;q*;m7zoPdiW za%oQgxUNCFvo4{by;n+D?h@&#qRhC0CU5`EgF4O1C$g`dNh|SQ`y=F|t=W4Xqbhd$ zJWTgbb^iS+;)KfXWO-X>``+|V`2DY@>vjl*)aCdt+pe_oQSAP0!EENYmnUG(ei*=Gl$bH zoZH;IV;oAS=bq!Rp5WNNKU%^09(;icyKAG^pAuMym*v=7DdWgIir^;rJL3`f**?gB z;qn1YBgZ`pR^O?yKC7m)-hN2BHCWq}50tVyj)8j#tFG|jmUxY&}zQGeV@_{DBOa|t+{U%sEr!ylD zNHuN?3~8oNA#YZ*20FL*XaAnIr*a3FV&DoPeQx&3(@&a41?QEx_@QW+Fmt6psqEf* zvqvC#@{p#V=jA4}1d8*3&XG_TmNrs{lhSSi-F>S)6+u+)2!wP5o=MRK5Sh8tYo39* z0yr1w;aiQ(^rN8}cT`-ygx;>TD({#%=2Bs=W`!BJ*X*Bkc^!A_9XDwo0G61%c8<9` z->Uorbi3sNTNlB4CGjbN-Rm>M(hm)2!K3PXgLevH@3hq>^_1_pz zwPnu4*I3G%s}wV? z5oZh5?_vh~b*Vwx)Jk8i1BK3B%1HX}gn2%ul|9+JJ84(#E{#V^YaN#!Fe@ z)GW@fu|(0VEoT4A8~E5HT`V`1iOk;m2;>pz-5j0iOSN7~_pVM4-*pXF)mC-kRuYw) zwl;+*=I%aEVYW(cfl19yHa^Y#TCf(t0*9b6bB0)rQ-f$bR?tzavnM|?W3YrpBYlAV z(|?QE-_n0I{xQ1O>AsX7h}&F_2}YU9e50b6tprf-dkK`kUw*pp;;`!iXXZD-fhKq$ zDda*p*(%(B%Yw0E(dOh2lv#$QM3c6{zibtNEsq>ycY4LOMaFhuebTULNALRlxKpyo zw~QJ=-mCfXpo2<~kf}74e&lC~-@3 zUTp7I00=fmeznST<94m(dqXxasqlmPa4qC6lRc-xE2V2p&c*E%!$H(kkiZU4DkRYb zhg}~Z2$<|a_Sf-N)RPX=u=gr9h+z$#2euUs22cgG{9@zbAAj%s9EJGc@<>+FWbn_+ z_KMVaATq3$I9~gQ+X+{}05U3`1ZihdWWlNlE(N~AAe`FlW{jFCO>7G7B|!+bpy2Km zA>Tc4`S0h~oryT8yZLM4~z=I2}9 zW$l`;;+GF_zT5VTC#W=_$kz>6-m;sOw?xf?fd&xd=ffW`w;gQjfC=1uQG{T2c?jfg zZACuJE6;GU`)q5gc@%+WMDutM19Rm-$%<(lZgMg<1y8=HCM^LplzAqO=xP=-G6&Hh z!yz)62diJ!EVU~jGBM;j&ZGUR@$&xKVz!GXL zS3vED>qEvr7Ff{?Q`P2jq(PqS7Ic;Zg){L2=Q-5w02qVAg?Cw}Gr$rB_nsFnacpu{35|dhw$w2$*)`j@(DD{8Lt<=F& z0Rr~Y%ODXObRMXx=b`WU3dOYoSnOu}UUOn72b8p0r$s3x{+QqC$K*NRAGoPqk)^rR6 za2zjZnhx4a$6Z&0l8k<`&y~BPjXTZ6Ue7Mb2MYLn5Kt?lHKPxj=d{%+{W%mVETYXz zIt(#xL_=%}?mYJE`+mcAgIMms0NHOw@te*&GRI|IETWqcpUX4JA-gzyiezSPz}ZlQ zx2^;;YBYxOWW(yvp#jBAX5oC~aq9_!487ZXtAA92;aiP+@zFn&t`WGk?BmgY;1AUL zb4>-iL7@mC8Y7^5o)+hZ36{1$9WXncBuCuFGIJr%piTB#)?hgjx9ZmE)_^ zsfiVOh&D(j2}f)hC4LMy>#xczMR(tPBFQ?*5CVF0v`FwZk4~YB^l!oiX+yCpP!2K| z<+1;#j>GY>XTGLdABgl{ZieIYMhQ&6K~JXL{&+jWrx&g?&};Z2ta3>fD33OU7~TIE z4wU%`iCs+@EAc2w2jCzK5=iUX$}le0^`t!cSa9pvQ=z_#|L!-)WsB4G|42&83(^dz zG|N|zy$U$xT;=Y%`nn{_{GS~M(}&&#!*I2?<<7_1SNSDy|BMTnS$DOdjglMNcC%zV zI1{<(X4m;N0Q*)Z?IaT_gKdJm`?VVheY^KfuJTtn)oDrZ4d)&T$>U(VPkc0Vi$^go z*?RGsdfs-j!h_AKui5#e5T)M%w)@9sc}bAZBJrFhJnERHDgzG?gqg9(VJx;*3HiqA}Lb!7bn$9Orm`|}ibk^>Q)xwdISR#G22q8jov9dZV#(G;Hu@wK4t|vvL zl3>xh%&7rq+$@5cgNO^Uqn<`@p5`@XaX7`b*;$H>-hQj_j+h7X$cDSAXm#I}EQp51 ze*4q&&i5K$ms|6!F}nq?Zt9t}a})8=W@*7KsET9<#0uQ`CZ^Zz!hSj|FzuPMAh#D# zU(p6E zVW3NUwCtM?Dqgq|#vGscsC}_pbW!38<+|GWPzz5c@Rc2WpGxiti`cc!2%26)9}>|V zQn2~Q?cOQp!nS0?eeOt}XGZ8Qj5|LMt&!w8*~pxvqg}^+ zLh*g66ebi!kHeq#{5Q!Kd17XB`t;C`SE4)b<_x#(5ltJfHgCufe+K?oL)qO4IkLvth%mb3L>ayJs0;Wx3p>`Q3R1@Xq^{UgTqwBb1XnKQzeQ#%v2_=%rJ_yG-nrkQEYX ziMKpQRPap!EKNRgM(#dS>>r$R*berVmtgN$Ow>G*f4XflsVti~rS&Sat~ufaV8>oC%_4^^j@N4Qp}%Sat(oW{dR%3U z(et8$%G}h1ad6x1VdnzMtuQ_ft8LmqzAD9jNjVDpGHif&a4%32IeR>Wr+7AoR#%rA zR0fa}y>OpG^TU7+Uv#gPjRV_)wK5tb9ux5pTV3!?qm&{F+3~G^pV?>b1c{7xgB4#l&oZz&wODqj2ErAKySDOwVV1Ln-*Q#0kVlj?OB!Z zI_P-N|3FelewGYd@Gy*sN}$z~Hcme>-k>qA@V!5AyxKL1R_!H2dr!XCWntd+?CqI2 zfY6}kwWi;|b->s`w}ctsHvjAL?w|dm{C0ewM1HZ{yAA`_4OY4s;!Si^2Z<)=p=`|4 zLJ>qaW*u5R+@UrX%el4(2$N5IPP&q__%%6;`t5-Q;A;Yb_RGhTEGPMq)g{mrPpGsO z?7D8l)B{h2PG%OpI7yO}&iYh`AW$`th4fdEy-Wm zR5Mcky(Wn3b1J(=j zqy;?DtGV79Zz^e5ISPqrVX&wQ|yMvfQfcite=dA{(13 zhS-^<*Co2t&;KZJaW6{mcaDC29aXZjYFoNPB+DLbFKeV0X4{!10a`tcYmd;gCvVMBnOHMBtRS+ul|x z!39@m)FsX*!{wm1%2(KPx*i;U%>AaD@jOPZK~M!&JONi1?P%BSWtX< z+vBy>7^H-&V~LEuXyaehD|DFR*pm)zB>*VbA^7PH*JazY&fCM&jBS5EeSS8tSzR9~!j4tjY zp3qsVQ2`74b_2D%ovkx*L$^Qiq5W+8LD-U^^Q?8McN{XE5>Zfd1D)X86`O09Z>aVM zcYvda`V`pn2V75M+YW)-z%5KX&1q{!=&?jtkWVnaN#>`wQ<>d#9zWEmtc%*bh++<( z*w8I|Jt`z%HxA0HjLri_!JKHbXF|*fT!u6Cl z_9@rbSa0opgMY?GYJc8Np?%9ey8v0R4JC=@=6;)z+wjN4x(%rOX0Z6wQdFoDFZ7Wv zEd>jybcNlw8Okw{SZ)!LZhX+1@iqHxoD&VbJN0^7;8>h?0PGk2F@Law?YwQ@Hn<)^ zX;{zOOCSjP>(W6!xcREz3&_fo$`{{ezH?P}$_r6oXW>h#QAr7h z`nRcWIr`cRUStwY!AFG3SY^B!Fx^VLDv47L|IHTm+o#8Np1JY1B##TXg;rq`utnH7 z#>!%KCwasoqyR|j)aeHtIJWJKS9^k4y2|3esL1Oy(f9-+^t=Ch+=bv%>9gOe1Po}a zQrunz{z3%C@FiW7?_${Z17y!f-@bkua_eB2`)_b=mr9?vvSxRWzJ3tyTQSBY+qtvp z^4Mo^UIeUn@@Z-2Xgin9M8^uLi^(-f2`c^EHoEwDPXDxQ^}C-bbdn^B(`8=?gc|l7 zeP4b}W`BH_v~z2R$P2C<0^kcHfXymM+8pxCw0peWq8pRlX!*ifIMVr0=b~S=!t^_iqo= zF~vT4Uo(W#P>0pP>(}G_!dGvZdw_2DZym35t_6h3RC^gbRV+;_ogSf!>Zy}uGdhw0 zDx5q0RVrD(zoz-?H1t`|bDzZ=R}Rqhe)aF3uZFL=x`w0*A*}=Eo+$Q2c(f54ik+%N zh<_3;JM_@^4?*D`<+a|uAy4qS*i^aPO$mSyLhD<0-udNFcz)_TT)jSf*Bb9%fgaiP+pT^||j&`d%!PvKywzx5YeQS{NZ4ruL z_>LhK%174wl0N~^jB@Sevns>*wrjcC(-5h|Za6LSqW zADz9Zr76*NO#prl5M`kF5ry>D73CIxvFC{%AqU6=8B**CSXam_1oU zZ#-(r0Dz%lBmJCZ)xmYVvmPNn0{KGh3%q)p?}d0t^U@0^=oh?jTXE3xGcjA*%*a4;9{1cN{_;8h!i@9mW8||VX6Q#W#_;U3R0i7J3>*XH9=#sMk8Rp z94Pt(>j|xw(y~~%$oPJ0c5=ZJDc2>M)a-?UG2ZMKtXh@gyAGk?C;x=&0pQb2dPwHRns49YP{j?Q7rkyx3=qrdXyK*5f~BIL z>=uPv+#B#8DuT`v+hfEK*6rUOA7zf#3VFgX?Zg1rV?q;LlHEgb(GTyX9?zeE^2$6a>H zg%D}zk5?w=E5+&(UKR`?vfBxE;v6x&8U9jX8(GlF z+hK7{ucQoaYZ7?Cb?sH}t<+>a=+L~eJPW1wR0EK}=s{}pS+-o#iF$jQL<5wfUC4}`_7u#9u^){G8duW$2pZ>w zi}T7;WpvaNYBFh>|2UMNfVoI@Q5Z=>sf)%I={*f)?B=MKk_Xg#e@wcsks>i{fzAHX znV46cd-^<{wD(?b5zBRNEm!%jFo2u#zm2X->g+k9?X06=vU58?F4RkQm&<<1i|6AN zV$)_&tck|_PE)~??Dx_N#>Aga%9<{cu*qHh=DM9G&n|SC^OE+7X9Lp2oFc!n=7>l@ zN!xm?Kn1v-Nvxk4Q;5W$eghKc5YepJErg+9tO*JIdPv+& zT88tkG&C!Cxkpx9b=NsF%zi(OWs4xsLkMs&#Z;;Xuqu z<9c34iCsqu8|~MdUn_BfK;Ow{7dzuomHQ^osh}p6TC^H?`2(;!X)pHlHF@%c0deJO z{vCQ!I?YlNj$LpuRZpwTInd|h!98w2;8$qu@xNX>$1eMHXyLs7#<^;NMGrjrKA53- z=Yyb)Czf04^u~x?97YKH?P2@m{#UtwcV(YzDD{02D-x{ctK9KoOM$Va&}LTF`DA$O z!*IKPtn-`alC#h2I}TeERB?Kc@VZ=Ui%Z7nd;LR+3kAYX{Jkl)Dbw=}C2Ji1?E;yJ6>P9$yN7dd+yw1bVObZ<>*m=I>);G1} zuq2!Xvci;iL#y06x?o;zJeYImt)x$zj-tn%I&k?}i=Z2i1<)MGaC<^?iYOyk(=sl?3vlsrP+-W6H-@t&3_IcZ&xO9NpIEcvw zr3`F`%1`A>;jdJ!KY(Ob9Uf}#Xi5B_U$b_;GEB=T=Zd&~;NWGb4RTzCEyeoVUNrpE zQ5W)WzJHGJ z9h#{iq?RFt$qC)gRaaeP%6e~puu39Uu5|pA@f}IRh~BaCjMXLg9v`3VPO!)=)BE3i z|FZ{vgBo}Dl~n0wDn@wX24_B$wlnyZXgSHfF~9qM-=$2>TJhLHDr~7Iy4g%RM!55; z@jf-;Dr)$p@=&gVzqs@SZaP137&D_($5sb7XZNV{+x?!;DRF~nZW3sB;HZ9hY~o`)nK*{Z)H}Q)HGhf*sfhL7@x&m7Qc)Gjh`-2G|2qpyoET`ukCevx&$D{#CYOWGkxTwvldi$k=jXMGh>XFP>xeICEVPHZ z^T$?=s%AE>v)>8$dgI}ZtJ%9Pr>(zJUPxuG0bL{KV3+w8&0;FCc=mNCV4RNX`vMDs ziH4P`S_Ic|4Ym^p4brZooP@Tv$%0Don57UcKaq0jm)`)n$L9;zosda$!b% z+UZlDFMC^hE_D!?&}LECwf4<=ZfZxMnTEupF1zpPJI=B8V84Ly1ich^N!7MxK#Fq} z&>AModIdo~iLm5XywKMO*oNh)`S3BEwuVa&_kAyBt$dc&$Ne&^n7FGHwg7Hf=Pt^Z zY<`hrfhLMfam93CMqGa5Rj#Swo-dpmT_bU~jQvz_y6E2jF zNj)B6hxi_dj+ZJYdP1yLVs`O`@yxl{FOXos_08~-CqTWem;Tnml#rVCcP)V_^PJ$j zsXvSqp{J?eVU*PZcBH!mj>~z+wHblVG{*S0UH8O;%v{Uj?hwNtScuuTs|+!`wh9^t zWk51j%jB8_>f4ToSb`E>j=+d)O!^ppWvBUe@>-4EhVHDS!7igDFb%j*Z?Ym;pOUBh zH%u@xZ;eTq8;f5(8@WqeEieNBgAk;M`c3h^+CQzYe;ED{`thop^L_VnhqTtNyU#Cf z4}Yg0PTfHvB)t!Aqu*5z)7v`&D@q6*d*c9xfHsoRu8|@&{!BQZlw*T0LX^EaJB0yk zVU>58Y?`cEWvqAjYTbjk^B>Y)$J9I%=Z2dkjF@RRMHB+on4v_nPLRgYRjN7dh@-pX z7q;J+WG}){g&$WylI@+HNr)yUxu{P@k^IwPr#-%;sQOvhP{oL0I)`eG6WU;aUF##= za(Xzqm~3Hu(^Ej=#zN08`xH7bAdU)QDqy%0Al%bN&j2M+1i^F4T3^ZRN3xiy_o)P6{t~i zt*3M}PQ70ZqcqRjp7fbl2%P(Il-pU-TAEvdRqLc8cEAA7_6BM7I%tSDX?o_Z)|*g} zIKJ`OoN6Y}^cOsd-Bb@t*Mk@pNvs<8#`-N)em8dZP<=RbA$eyR*bh(v%JsqBE_SZf z?O}#f0d(dVf9$E-?tkbUb>9ZrS@z$VaI1*FRSxbc$No%(&jO9rAD`?c!IXEk&7BW7 z?1Jz6Gr&&=ee=cx#IGO9GqtGysS$c2z_k1+o(tv42T|+c72j<1!j&Iyw7E|oxxk1R z*{lbyjoVnEY`5O#K1lfws(SPH32u&@ul!mU#ETb-ktnaPA+W#NL$rTqC(Orjj$P`w zwl4?Rl@(y0c-fwxTCj3@xc=qx0B(GG_Af;Gzg% zVAJy`c4kWZgNGJ)$F=0@_F7yJokM;LB($dMn5UhiElGN{trkX5;~@7P%1xn#6H4rY z`ntlos2`bHCd-n_d{FZC_*0HNY@a^v)c4`Uew1ul!Roh(enWS?>uKRWZC1_#OKBCz zq*3Sqxges{pH6fLpCNwx!x3$p9tIiidhVw?%COLTp{)U;6@j}rpflG=6*eA#N zI8a>eU4f`b3TF}O#Sq$l{*0=`K`^E&*gf_M(r&d+)_3}k&d2bC;PAuZvXe(umUKQ+ zJcrO6RZ|l5XHxof*2+$KH$YaUxC);a%pb1Gi;+ya!;*(-lQyju~RPr+0lY7YQa zN2zb^U!;|)QPT>tRK4N8a>BVZ-HHl_%y9zKkd;R6amo&rs3EEX~pqU+Oc{6Ztvzxg?7zf0c z{@epZ%7RR8j=?Yj%b~9=ECnffSy@AZu_vYKIaKIj-nkNC`iOvbszlED)#MkkY4W;w z+5NFvK7=`~m(5y?WaIzoa-kJ}+j&LI24Pt;t^xoCq&-^wK+sy-sg@=L4^}2JydiX7 z6PauEuL@a|ZyZ(y@t%c2^CC*X@oEL47yE9Cv|m_JGRQ5HtbFW$_8sOf6OITd>;OPa z?VrgmGvR1`+;y+J--9Lj+w21_(zAT*Kev8o=Uc+QQse_e(Bv{N5uEE(FZraV3Vx_je_ znV06*1OHtgkY_;k>9Z2&Z=8T%&UtY25!|M8n6F(|l-g;?(Hu1HVbWW$S$|2Q0JQ(l zz}<2x;Zs^81#?AXWUc#}gs6m69+$~#donBUjg)9kQ?5hp6G`s+7@Ky@)iGytH54gP zHb8LFGzIG;`P2eKjN{Ht1W~$Pclvrt_v|L0S(v^Mw=K@!lV+JnlCmd)$9ki!^f&0p3bKG|i>jb#H>{t6-wS1jp zS>w(a?{BMJm;@11^ioU0T${ZEk;d0o_pyK~qSwY{qdhi)())on$S!%GMcQ;VAxa0u$W=@iGC^ih` z7b>UP|CZ&u;L zu8+)3=qRlCIG*aeVR2HRush&p$==bS%9$@+Z;sUMxP`Cwbj2+k!yk{XU#pu6@Z80g zS}WgL3mhG(tSVa1Ug!A4iqEO3)VZP*ckK@`fcHxsx%MYfJ0eJ0y<19m(@Dd6 z=E1Wlki*q|$2;MhE=^&z2kXsVtjjFjeGg*`BZ5#@`?7+d8AyeY&vl93tuAxcUo7?> z>%t-N9vkO>$5lKw@G#S|NDhK~3VrS)X|GHkx!pv0Ht{w9NAWCgbDTr&PdIAw^$aV_ zXz6w7uZ;OQ^bRq`Up7VrRgbvU;`pl*68SjIeii;~m*+j&y1JnJl+R|!HBBIbE0}|2 z)9MS~r+<58j~+V;XJx(i71?7$<42dt2h#*&JE*%~lrvH>KyeDp=iw!}jK8_%cstoadf{cKj&g6d-s% zW1W&Q27cyj_r8-)epqHu_I@#qc8dU+=1*(x#}1sal5n8n<>XzFqS?meO>d z-I1?3o8>pv6rsu)`A~?<>*18esi^a87~ispW%stnX+*f2!cOlEX|CjsN1{M&T1C+P zw0?dPxF>$vyD-#Q=p zFHz&cETm__%!l3rY}f6!2;kzXza?c{Nmv>*EDl!fn?x+$b;y7E`A}U!$FFZo`wq(D zdRCsQ@XOYtufPrV=D-J`RWx&%B>yoCzT0L!nO3Dz%C~Iu4%z{Il)F2#``bszo?Z8p z^-lD~n?w0pQ8%KzPg!h5*)%ou@ycF)?{i_{Nd{&GmbZLy7z0n@{H~a~W~;s5rN0wz z7~T!PRpPt%X*p0-$0cv|&P7Rbq18e3Rv}_~izg?dq&1gBT*l}XPNmvufr%+{0stl58dFCIw$d4y9{NL?E=!&jsSWY+~eG{EB?O(ULlwTlO4TDco3_aP$VY&r>5#qYCl4UOMrbZmNH+WZR%(@ZQ*z)hRQHz3Uc>98 zu*MMkD|i0u^^#h9{W!iaU~TCvM(Fq=AZ$ITZ;ymL>Qu)43XZC(T`bsoZ>aqxof`kM z&(L~0FQ!-E@zt|tr!d<|xxsl%|J_W-n^bYzzq!Zc*{DG;FK#%^Poy4MF4=h^1HCB7 zhB47Pnsx++EVNnO4ZkL;*?q;P<0xryFiDS7r-r&)kJh<6)$1_NFg%I5tg~QtEX=yw zlTHin!PYx$zs1UZQj}c}dtCjj@8)BH9B0xa@cid4$oZG6HP_CLKNaTk621-Rs?FnVnA8?C0G@&Clpeg8V z^KCY!DnEB&3#P_7WpU5YLpYFrEC$13#OAjkxixe&0(qAbsoN&>!Hp2cyjgtZFO|bK z8c1G186q>95Uxk@8PFHY4O+z7H&3%d7Gu0@vt3sm>6$M5q3eA@uq`@x736;iu9PtPZlK= z#dd4Lvi41MLnPT8{zRhFQ~k0pF7$-dl-MaxNABxR7y9M#m+sMA-V1ySCIR$&;k+HXG5cmD}S6TJ|nC z2YKl~mfIvnbNr$mcY=y7=GgS9WpmW?E1HR$479%jwHr_HUC zhm86!on*nVcxsr5jsGVLK*?Jzy}QExs59idz+~P(`v(8F#EO07{ev%8F?#9zlJH~C z&v6a-YcW%-A-qo)>Z*7E^K^ZH0uE0cE2E4_i*CijlR$v6x{ry@>OaUu0&Zx#nRtXk zKSXCdi}G5sUmi1`SU;Yz z=A;00Ra`lk$_!YSYPk6hly~F3?y|%RJQ^r3pbMJmaC3O)g<#Vlm#V?&iaVUkBA-<`*8O<^5Z`1OOXiaty*!fS07!CR+ze5K9sK7oTJb2E3&^k zt(=(}OHCb_aCgMrA*Nr$(?saH5JmoA(L(tkr&X^`W!b`fcWs6Zf3_vCXWxtm5eUxJ zU-}zw-ADN;N3X!~3xS7sG@P`4=Pl(_f+>IGpskKkirhy9g_^rhIt~aGXm97OgL$7d zwj;|!WQLCRdR2A#B8vdGqsQ5ej?VL6XEMGV|MwSPHL&4ad6xfi`{6N|tNjl{G41sC zcX9W6Eg-8-AmUb^b*XiAalFDV%emc2EUM1Q+C8;gp)GV53K-Qn)b+BiSn(IOacGrR zmVKeh{BEI9DCGrLydwvyvd6O)oGjm|Tw{f?1)V60q;ayf3mCeuNg8-ed!gxktIA1e zQxF?Qa+nsCtY0{5du;Q6@%7$OO>OP=a6%Q4qIf_+nnAa12S-e)fFkn$Mhrhh;$* zD{FZ%XuBO-LOt0AJ&|Y$Gflv>XiU=Y-*7Y{+VA;Jq-qw^oMAt(%J-+MT9K`^FsA2F zfwlE$%AxFo&m;5@PNI9^$K^Zv>^e)E56%r#JS#R1Y*L_e!H`M^p@wc5k-dNp$Q_%WxW0PkS3O0PgTedJ+%VQi{@x;Gh=`y3(JE9m zX}z%E&p`-u`9!`~*4x4Y)@;~luweGojC(uGrb)Gf!J(HIpY}qim54bQx>}>_9P=^} zG<{xA8^*>@vyOQgH70^ATMZRx6A?Ox?zM4nv1s$2&(m>hGP+gV_%y6dZ@!wdCUUAj zj(i%B^fTs;z)MfQPLFoP*iej=*E4Q+m3?()4PA(#qKW7So=}J?6W=4$ z-ut#iM5Jo6#9hz!)_YG=;gmP=dv_z}^|}2~x+l2P{$-ABSB?w;2J`hHHhg?xpLyLL zN?#brk>%?-kJpCa_V3sSL!}%qZz1&C-sAyI-f6rK zbJie`o9g`Z%3OqyDtP~?Ydi(*azMeRq9Y)o?+@@HFGi3;1z?TD$-(lH@-6w>Ui=2tsS3K?`6D z%r&G*fkJO96lq;5#HGabWT2_A_3EN3<^F&zq2J z1$=jms!f!}wC!#{nnSh4N#E1r)8@|wKsM*AMccH%S2v{Ct{SrUEVT;;1e+!tL#%S$ zw=j`=9XZ>&N*A_mg5#fm-?-bC&^cA@z?^^sy{$3SZla%l0r4t+S*`ew3q-jTYidWhv3gI;f~{0^DY9>op7-1-xtxcB@wfxPTp{~RWcMO7EZwb@k8M1a zPDzoD#_uyr7rTYUYJjN)o!8uNq*SY#nzzI1_$*^r<&X3s}A8&v~V&Pl3ws&1XA$?wsMhT&72rT-Ij>0NMh9KZAXg}6O8FF_)> zAj6K%{{17#T3CiHP=u_9B3x}!o>n^z<`{6pu*)>~)a$t6bSf71629vU5Q)YcC$c^( z(~MAF(Mq7J=-G zZZVbxd z(WoQ|{c#ES9DjTwUv}77a%}7%Q+1(0+hgj(7A{rhv$e*^5bbdM6ro-;oPXhJdeM8} z=EMhkgD}pnQj{G#%e!J|>0k`yd%(r9MT?+~r$4{p%Hkf)a-QlgsGFSdH?_ZF!clz@@`LY#7q zHWEo0qf?*FtKTJQ|4{Wr|I2T6W23D0?tOZhx5~e3hm& z#WLY(I`iLk?HqiZluA*nOOipp_D%&1JV+h%;Q}rqRvadO(rA0we&?s;CxJTQG8@WRBq9) zE=Ws^L6J`Apa|_Db)+3i_$YQaLN^G!m`^(_X-CleVWBm zt1^N)WiHk|FF}IQdAh7*`x|VXkAg~7tp-5zgS0=6d%_-yPsl(UiYqTG^>!LfIY@qOgDaqQAIQ-#K-st1i#X1ZL6z) z-w{sD7J{4GP6j+y-mV7Pfc6FHF>Nk^+1e|vf`G9?G|@tmV&o0c7d@zEBsmGmm92!B z&56Mv0jwTmEY&4Fk)C)V&fesyhf8WuF7fAYyI`Ap?C6qhONTjjZ_-Fkmyt`d08V&K zb&HDu_A%ry4$H@&1YK(Z{p0ZF1@+p%{#fYguQG(VcPZ>3%ghGOfIS6+H-n|8UAXH-4Ba@PwD zTfHxTg0b*r;-9`+Rdkus&P*#xz2G#Ux*9-)Uo;c;aN5Wg=CUbP@mN>1*by*sIR@VY zZ!!8EgyNGYt^0e0!Tr(10m+AKe`S$a>bxBR$i%*1M+qak)4)E?C%)sMCE7ooOVif3 zUB~^Erd>RF-<_$8EO;KlA78kenvyf^F?1eTg%4=@8&*M_vb;<)4vmY5)0R>j;T{KN z4sXt@szqJP+#W1?80F4%dfi027X(8$sz%OIesng_G1YpN?{{K(0ODYvG0fI5sEZ$M z20m%pz|_c<$q2YS`JPD#~GrCFk zHQ48>nh&+hGt5Ww!n-7aq2f2Rd8yPqcsXg7A@05I2k%92A=J6z%SpPdNjAAb_X2J7 zS=so#R&LWwx|+AeFOgp3&^EiHf2-cfGbC3TZ}}ix*}V9{&I^s68{I?5O{66aL6VJ8h)0B3&oB*sht+|VdlJC?kcP08YO zvW3Lg!W8>#sf2ssR2Qc$0|7h3;3fb1bsIj`&7S@x?R=3~EUM4OD@cGgyA-gHX`&2z zq|aKe7T|x6j@BHbVR!PTi!EeA53cYHk&~Lpc${>8*XtA9jYH(I`2)?g&sX45r&os! z+*`HwSH3tM>=W5l(A8^qu9IgUyf46P!4)2XRX&@NaAzcg(C0;dgh|@5D14RJFB*0` zR8PK-9e|2hf(IYH|7by{k55dr;5if1ZLE8Jgt<+mcR-qQW(G@0hKwEB$IIsooO1S@ znNeun=XmoLo&P*&VVdp8(ZVX1x%G=Scy4B0%V(n*Aam01+IU<{W{t^b0wzGS7kLA> zrj=@jme>0k(if3lBLjeBH7oEHD!BHS|NMF&6PGQrNw!q@;sB^$0cPr%mn%Vm!=}D! zXwH-c=N5R&)bn%!3%;1sg42`*L!dE?#T)EKXlB{N69AJqjoLNwtDhySXx2=)ufZzj zW;qAw7I{UhzZZeCqZ$|C6w0M;I8XQ}cVF+1$&}jQq0UuEy55%$qeTC_76oa8hwCnJ zi#?+Uhx8yZB1t9uB8<)C({HXs^PH!Q1cNdL(!nIw$a99{KVu6lm^hX)^;BCTL(wj4 z`K}h2K`~BN=x;7) zkksXJONF!qD}+`t{&>UQ?jAd<^yC*Yu|6TYpe&#a_T{l41i|v`<6zNsfZqxjSN*-X z#)ix9u=KbClnU&8+0pBBkZI+uYv-?o)fD_3C`*2aWepR>y-pe+rWbL=WXP8}AP za%{((wKjbdNoN*UNcZD~tY{uS^w7uu0n2Pn_^xTUbQHGKSqxFRKz})-4T2V&sO+dF z{xTd=YHWrs#i!4`~1>HtYukc`??79g8S_bacBRlv~)B~t8osj-bUL1p*<0JgO)@# zhIkl)Mp`KQ(oSIWgS~s<_CgK|W&OIz%im%`yP_GmbMt^?TIvu;WsQ>ttzc^Lm#OGwbI7;+G@vLP`{f9zKFqA${$lKgr`HDD+ zU!sJYeYqMm6xOrgf%>%wxf%Ep)zR%q(sg%$h(B{_j_+_${WS4sDDq*EPdATtW3G5b zfqI1C>VbejA8g|$V^O+)zQ3nTN~y-iUuFlK?(y_+VXG-NrPo|Zn#;p;NFjl=o?#vq zmln*uM@t>CJ>1`;y!SIwU~zl{aS_=X8+>re>j9`cBL0})qVJ_o{Dv=XUk|QC5+hLknZhX z+~k<9$#>#9DJdJzI@cJf$odFCzANk644|wt$NM*0KPWTfg3MFCl{L>zZBTAWQfZ=i z&UNp1zq)~hwvA0zSTUJlSNbjz6j0pSJoOBb@27}Okzqq)pjLEl}DyZH@WZ zKdnkQsmwV0zpgoqeF(_DCJ~l6>Ydc{ct&k=B~*}7HAk;gkMbuPEc77Dy@$`tjm;HD zD@5|ZX1*^&RSj?9=Ofg8>DMT*)wtVigUNMc%L7Sd%Rg}V@fM-mK22YqNqUduCh5%Z zpUj7{alY73#K`vmPWa6UdXdD&wy-U7=ZrVuyI5CfmmlJij|)67!SC~l<=#?~ne)()^+jtM|NVPZ%^rf5Yjv0;pTWrG)(9`}yq3af=M)PaDZqmm1vxnk$Zj>4+cF1#&^AOK4 zk^<-k$%c}poHnzO?4f%pSwxlNOCdobOaNFj|2kv7=wnC- z05bABcUhmmZ@TR9Bn>9XMtLBY(qm%J4rFIpEYo*wghggDCIo9pGlxq}0zH}4_j}!+ zZ*5H5q?mcz`_Hw?2c#9mBrbYgvV1GEHNUV=#(e{tEH`?>9e=QG0Qc~IseXtFs0!+v zB}NDxvAhr@YfnF9@f-6NIc~hktOXpNJE_B(fMzV1G;({}H{rW|&>-uj(08sNOJWI1 z=WaI5E}TLwb5{XZQ)b09~8hf~!Tqg_EA@$sN^<(x1;>IDd_m_?npX zRLuHX#sj%-2ANl)6*{TArlCm;cl>*v(Af&Q-AuiA_aYietu3t8BktRCRiAr#Ie||E zR}jUY<^T0ZqR1wX0 zKkkJdumQV}=0e~|@GOngn)UF20qy?*1*qM^gg~t38!AHtg=qh9r2IAZ6TPS;Qh6q+89OF@|j-*D-$Buj;^KPc*Gu9n}|9OAT!oMNuAf(7WNhYiusID z>Ld@AV^?S;W4+!rRN_4eNExQ&Ber=+A4U={4DF_Ya)Rb5Ehg4dI~G%%Yy%FOM*Y8^ZF~HsF%s_XHtE>LDjL2FAw-0v$9fCWy?!{8JT2}pLeb*(E$IJkHw$u#S zv?*Whwa=R^*qlVRFjNn88fIY#3#c~c_QTsuc42Ojg%fJQ(AGR$?mcn1Z+ArjL?jqK zj9%^>8kEQ;L7)T=y>Z&TL z`je3hj+Jx(8zy6{=P5t_;>c+SOmR)K=zl-kGb_N46bZ6j6ct0n_P+?(TolYl;Uyas zdq~6|yI5QCE=LpwF7TdGtdG2Kk3AUSgqU>>vMH@RX6j>)OYMm-Lq)!jG;H>GiD^$j zt2BDPe8T$aWt%|0LM9E(uX*L6fmqZ&rGA#_lB7L{oLJIdA~9<**I@hbl>X~@$>QNG zEk29-M6aDEW*t@xHagY?x6v$9R;x!gmn^W!wmRdlMEfs#lfE8K#0$;eb-oMuUy zL~g`R>1070PCju8k04ocXOjc0r}t6GBWUCCHzEJ;t2c~rYi&07BTS8GS048rrGhML zI?cXY3usUl(6bgEE@erAi@;j@b_&r;l~KRiB+~_JzRGF!uV`gev)I7kUK8MOXJaw) z{$xed()4D@@3ng!p2D@~1)iG;Q=`Wv2FaDJlp|N39nV5ppQW=d(ZtK!&)UKGRu1UTTaT;qy=;P~ zsQ03(<@y}{sQIWn%5aH%Q+z%jk5*^Lc8`|>H z=~%@qKnu5ohF!L1j57t-?c0S6}GOm_SfEggctp6-#@z#G_CzK1euG7Kuqwa2Tck zC-?OG7ZKXUq%5hq;v~@T{F~fcIU>DKIi+%)EB#M=vxvT`%OI{l{fzmkv<#^$h!=tK z0wCberYFw7Pv`eK7 zzG~of?ldhO#B-E%>HkC;LbNsyhlcX2G5h_G8a=tW!8n z=lO=|3|`!h;lvRh)WS<23&jr>`Sd?PpI+FQGwwnb%z&)j-94_Ur$dAc<-Z+04KvGb z5VQhXzZHb6rt!{a;fckH2*cbDCKaUq-JZaJu_QfzuzbDRD&xS9-R84sPnssK+S;+E z{{oi(4KWET%gq{qmvfpOudONl`&TSIOj?g}3*o+RR#`SWL;~Gvo%UBshut?;?N@>J z)V#L(Zt&;tb+C?a5M@PZol)M8j+s9)&^ zlJ+4y_7tP!cs|VDr?9;o%N)JSy+;a+KZBAmZ@*t{(Mf%`6xI^uoZkrP$}_c4fERtt zh7HzzBF?tAWQr0YOG%;Z=ruW6nqGNM948jX#(FNp*sS|uSXlL-c1WukyT-%Gz;C{? zG<3bbAVU(C!!p#OnNEL!*%v5l4!^ycGol)JAiybnmof>r&(CmG0X{obhCtuz_jqyj zx4?nz0>P;K*#b}s`8}Sm{PVB;-|O%FM1O_Xj+&vSvj6qwbDI$H{s(z5fDLFV?+thI z8!t7RhODb;8$UnHs1~!pp;FRPnzn3aYu?t(E7SN6hDy4>5G{^24%DXv`MB#{Cu*Ax zIG$x5ZA@F^k9-d z<{dvg;w?Fs#bo~c$4EVI3zelLL_r2JMdh_HbO}il7b1eNPPxfa5ZS(*gVafmPUIMt z4&?ac4@1`1iET^`#6$-ll#XFa>X+ixqmgW-NB)y*?R46X(J~ufif4%UcfE3#92MmXd`fr;2+1T(2lby+d4Mmt&@o&mh>G5Q^ zDq#UsRV#oe585N|%K~^Rujyg))1G8Fzfd7*NnF!GfrwMT!sWTz19}SX0dc7LEFcO z#}_D0v$>U;#$T;4`Bb^Qtk0mz9Div&*4syF6603yeK|0l*h5;C+*0z5Uh=ooe^O@udu>wtFYwS@ z?e(uWi@S-o)6`ZAekXsI-9=#Ee4G01RX_KZvZ02MIpE+u1}9=~w!R5hAqol+R>Xt@Ix!8rJ={ zj90U@IBwk`f6KW*MV&>AzjB0}hb-@@3+$`)a~4JkCw}zjV4SB@m1Zc+(tv%e9g4D6 zi-E6oi9`wBoV4*h=w;w3{LPT^CF)8)zZZv;@B4la-qp3NS~WA@CF!iREAS*eH!3~G zRbDbTVY$|dd4EgoXD&B&B5 zRB>!lA2CT3E|>(kn2@?EAH&(4LD!nkjv{J5k7a66Wjm{fv$4_!PeJRVXE|GSu3Q`h zB#*c(d0!9|B09SINdR~Y9NYghM<(_8o2kvee-!@|+Y;7w2%~JGePI^^L{07g&lBSB zr^HuM;}~d+T`zo?^>Ub1RE29$>-L8yGNyWaYEGUU!Zb+`HFX(jSGAuyaqr)u63TA7 zGG}@wtq*CFwb4oUCncre_+#|S#F|RTFTh(#h!cGVcRjKg<@%ALDDRsW(gx%RH3lB3 zig)6=OwtLlxvutiyZIwgmVfoX*Ju!3jyI5$I8{2dk+78LeBATlMi;|k63j*p*!1-y zoc?X?ocheUErJ52cwS8Y`=vP2Se`_l_Dx=!$Az?f>HhWyF2k%+_91q=@50TT)94MQ zgf0hhK*`YQ9d-ZTTl1f<2v~(&Z8u?*H4ysetN(Lt(o8DpsCgDz!^PliN2L=>Z2shm z0*NfC!^i+YhrjI3f~L=O$J4|B&pLlS=Iw=_63eE62Pra04Y;V+Rc+MT4IT!H`DV+n zYpUJqj4yfjk=X{b?|C_z__7)R6>3CQDN?7lUYF@!greB1)@N{tTRsOhna=6ngOuoZ zsP}P&KT+=U({?E$EVP=RabY52NVgxcb(}a44qR|ue!_KW;O+HKC2L(_@9Gtyu@!Ng zQSwe7(eLKnSQ*tgIc-p5l0^=e&!=5i0R!(#=>?ybh^I!q%ELsPUzXX7H?Ouczo|F= z7drTN@bKS1S=tEd0H@kktKSO#uWi&@)B54NJ=;{x0{Qk!hbhZEP-uH-Bau1f3qC0K zDVX*nC#>g+{+B3kd+1yB_>~Ne2Yl!K31cb@2Lg0P-Gx%BJ^cD(ai*(RT=sN|vZ~g! zr7`Qun7kOl^=^h-q-!Z_oPG}#8yeY~Ua=wm`AS+6(l!5jQO4Czg}O!l=_7HTN!q@V z2^eV}axRu2CZXshHO}E2jcbY6cTO)<kGX2w+Hfn zD_aSx@=t=T*T?@VgLZ^fJ;y!tGaX?qR|R+eWco?T^^WH%m)!Z!Thb}3rnj!eKk&by zm??1z?G`>vTF$FY9IX%;;StN#W}URYD}u{Q5Z<>e$YpD(tKef}R0EJ{yg3oJEk*o+xtP$8dqzbT4_Aw_d$=r^ZixA!tY#ARJHhSAlz&thc+Zt?O5dYB9ZHHw z7aP+3k^rEl$3Y->OunoV3aQahhvVlFVY%!39<@jLi-D1kj->#f7$MAoFRt#=G-gM~ z0i6JyiGE4pcnkjUqp-sXAb2fFXqolii#1`$^u!eP#RQ%Y$3-=C^c~wfyXP@S{+3;x z*}ZS;zi48H_BLoV_NWXve&an6c((G^0{`uFit&%*RP)sG?2%-xW2s+erb^G(kHbcD zfEv!3@bq1IvlUR89wk(gwNp7DZ-!@RIq6tQ)Yn>Hh=I0qrV-#Mq;pgmj4o;NOd+5i(}_0Gs0Bt(Hst?9jdb z{Z+s&%@jLY7U=bG0kD-$S{YQPaVqt<`L&A~ER;ViT8R|zw=4Df?r@)w%aWqntyshc zINzlK?!|tT1vHSo)|Ii^=EJu7_rl}io9dJl(J-H^$%}o0FVi=fmTK&oKI$57!5aUvvo*5 z*alAP9jFz~_e#$-0k51DVW0Y5l?uplWXc+#YV`K_bB3<1-*_%9niU1;#a$!_Ar>+m zfY{WbX7Y9VB#CoJLG1_Iou{U7&gciZr^_NilR!2~tsUSCFI)1i=b=nZ)jc~MPJ@RW zmqRHY@3x#r6VH zmnG8~4(FdGzZ1xO5-}KBQ$2;9nTIMT>utWTAG1HUM8x=?x7YAome$WxmHoNxIp_2rH;Ir7OdUI%g|Djb_bMHRZ0N?M zeck)W1D^mb=5#6G_xsq+Lvr%hgX0PNJ)Q0Hq-(aG^mTAUJQ`4Q`Y6h_D&U^dTATzw z6Iv7OTIeAdcY3q`WJd3O=mV^C#)}Y_7rQMbb6*Hd63fXzE{>1_QJ7kM2Lhxs%evlW zUjT9zr_ReR4_jm`U-2Ig#ROJKACBlVgCG&+Z3GcWw|R}IZwLdx?bkZ`){y)pNW!oU z<4vW-{5qZHe%sYt&;0UaN>?^vXququ^WOCFPz2lYpi_F2_n~jq;n2O^mi*HNgK58W zV*@+ra|1S()K zb$#fOK0WirsL^|SW~tv~FjdMYQHPg%7ONE*xFZaljhyrdRDI5FO(szx@XwG9}y;U>Z*>gXyqp@yUA{z zK9WRH!?)VD)+N9eXEc_A*z1nK=TjzWX6CVFJj72V>dxxHlC2Fk7ZnJ@aS z+D#MJVmLUZy#A6wCZtf3Ju56xmcJ1b=)1?GEp3x)Va~ff)QQwI8~(7S?YIAaE!e$5 zm-3Np59?5`=6~Ra%RZ`h%5ZzT3j?eA0e^h{>oArYm!nCCW9J{c8N2>1r@vRnh-;~3 zTrXcA&w5YhPo>nbXK}^^YNrH-ZkpBBZ%!%9yj!)(I`PD2T^@2eKTB6=x@_81THvNn zlb;97!kx%72v*8co44dNFas>(dWZeR zAMtjj96nAUHR=+*ZdmzRbCq!@cY~1KAms^r=(itXF|$Wq`6uwq%Th@Z0mN3-r`s_a z8&KLKNb$h@{F?O+kk3XX@(^;I;fYeqRL#CT3%cCp#@z)u1QL4IE#e11lX3T4f7MJ2 z$8?q1d%j7>hmJTryCn3<^biRQz7~+-`ke3N5r#p`OfNkKIM7!^o~RSuVk92}Nsb;L za5Riq0S8m-2%TiH8-vaL-pY_2pQ0mN95+ zzt$yG-WoSi1W5&qglq9dZNu~95_QSO4DTuX*?_COM8AIvH|{hzEH=Bj2&=fr9xbeh zTQmcetGa9ga=DHrU)X>9tz{2gU{0XG8tz&D2{_)~TEI21L0Vusdb{$PR?~@@1p`dQ zFngeSwM@%V&NzUEgV#ITS$t;hy;1pq3#sU28@FI&HLrf2IDb3; z)~DB*t)x`M0f}ilos`Eb56M|1j%MwcGMR2SO{x63yZ93U58|Yfe|V=c3viV011x@m z?kis4I2-GvRLuqsro-_kT?%M9tf}fiQ~XSV`m8P2<<|#i=fesY`YDeI1+_)Ee+=kn z8yf-_jmn*88{z_Nk+Kw|J6!}dPi85hiJlF+f@|Ja3zGVLhjL)PUZHWlgLU z_F=se!RFWEHqa=Hrs%a@ifuO7xS92(WneK?c0@iMd%DWFe4(zeS6a9W>k@SqS>|KP z9`PVZ>Sk4fQGn~(B97B4=#mvv`s++A0QZwOZRJ#|?4I4);ce8PYM94SsIFv|WFL0e zuls4-rHh@k{FHH#xw>7A_pe;6mGQL zlkPzzc7@KR-077LTvdYJ^;g0m-JBl^*tDx(*f5Ie9HhW{IB|L6UOU*~>lZzbZ8vx$ zg<(^?iOKG5YboR7+B~e!HnjZ%`V(8OKd|``H8C73A)0gW%y{i~!O#LK)1mHxRf^54 zb4eJda)+HYzq-mn%}_M1VvnEUA}&N)Z11kcmGfj=eso)60jJIMS{rG6)=@HI;cFsC zpEQ5(qo55sIs34riTm5_>(`gt+<0sl1HX`tY4$2q^`tY0+YVVd6jt`*wLIDi<)`ms z`+X2*9>a1z)A`-2m*)(9jc9C$aKLWUk=>4G7_sF1=?p{5Oa}hY#e4m@@pyLQs4Csi z4)=~Q_s8<2OR1A^hWC+VqW|C>oz@yO3!Aa(X}%3jBYvvrFkb4k1Nh5(?PI!#FJ15} zE;89u61b;~mF=TOvqD7j0MY0`h&8+qkbDdcI3NV!@~=`$7tFBwt@Qj=`YA{=@0$kr1ok zn}W@RN2DW=pxAgH;Dp`%7McG{fYpPW@PB}!Gpn>7VSbPs^-ZFxl)jlj0ZFxLaDl<* zK*ew&C@@TipL zk;A4gpionycR*qjUN?v`NKW`Z?hu9o`fTN~sm^Y-zv)_l+5Hii--bwdVT+03cntW{ z(~6|Z?XRj%R&ocvsJtvNW%Qk09zq%h;x4b{vq?2n|M`(idJyy!M-u`+G%#>FnwBlo zO;47`pDZ#@&qQ$^Uq4$yFMaF^uwq6sAm&IpyFTmDyBH$KjenDkbvLGd=Z`X&{PbOr zQ{MTv&?(xry`zsu-bbx+@qXC^0+`#j5F{s)#UMFllW=OC!mW+d06M2Me|B%pM;qEk zC$p!$@!-3YzO!A{=x*X6^@C5Q;+Affweqm!i>{z^RjXpGJfp0cPreAqBuQckt-(B5 zaqij~KqE-xNni2)95}ylpL(zC$$zV9IFcL-#XCJa<m5FKv7aA}F91OluT%V5!Q`IPqs+Fj1&<(NXFQN<@|^q%3)h`- z>olJm?x1Oyph{;1;+Gc%b71g;rd8`1KJ1qOe3Fe^FJw5@M}^fKyoWo8w1wmmS3T91 zEnN4Dlge)y!2M=4PP`Hb#6t{&C9G=2NOppbDzlo_RH@`k+*mGwR18BZ!e5GM0AnoW>Duz&Ho*i>s1b7^VHh;I3CSN)zZPX*l_y{oP1%l>> z|2!1>pKHgD^b??VKSPt_-RiFQ+t+{VC|ZNN)o9>qYpuj4&xls1hJ|O9($0~;Jl<2S z@{Pm2Pp#*BAAXUzIaz>j-=E_W!L7yaK-?3?xV>)TM|c`?6>OG|H~Fd5y0RLQZIGe6 zZK1$R`u(se)II9ckAoaGy<$Zgj6DVq?S~d`Qw%>*;XS<(v;Qjpo%Ow2@{oRY#_jdD z{m7@ykh?5Mty5$h-5qh3hqr@-Z!{s}2oN$BD?<E|?6F<8~wV1F9+!qp+sLTI3{oggnCvMw|K%GxJk7Z*i?gGDS{Bu7rU1iEwZf%GGJ~@GPxaw zFgx;N`I%xQFr?@}-%jRl;#>XVnm;9yepN<{ zfcTQFDedNd#X}o@%TZW%SJE}LM$v!PwJ5AQ@Npvvrr09BTc~wK2UVvlU-r5luE@CY z9yB?VRa5d>7JV01;tSX*N{{s#7`T1_U}aE&@h!1WY}-rwR|l`_P=Oy1@vQCQ#My;o z`F6z-jEojL03?Vexyq26F2xq$hTWn0PM*nvZ`)2|HVg8X?R8J+bTXjUcn3`)79$g* zg2r||-FA-wgi}DO&}G%)u{cn4T*8SxwnX5ku(BuWetS)& z{N);p(hiN~IMiVDawZSq*&y7hdyvl~XAj=ny4}*uEH<{_RmODrl&FrJKJ7guYhn42 zpd>v$$7qnUdh|iY&#e55ME)*4%TXpfKWNL#S4(|lca`>A-^ilzVK;+v&$ z4}pWs_QO<6y*N#30As4abziARjN&-NAu!zXe_obNq*M1p!)ku)){?WczGZWN=T7ag zR1UovYlPbSqM_)6dfV}I>MzMX>6ns4kLahV(p?Fjx4z8P>XEUr0`o9+I2F}}qM-i$ zDk)N z$v|4L-yPw&{;}5zWOJuBN*FkRHis_dW$4|o*=2Y;0?U0LDr8H@M|gDe@;iI7dyA#4*N22Z+E++{#As=0)QeUXqfWsEpyL- zkaS?DRR0_Kz4;g)&AMqb8fRy>%5-N`Mz8Rh6Bc98QnbC*;!s=I5QrTl$9Ho>RGT*I zR>)Vs1K)dB*i6yn?#h{Cn?Bu_O2ryplW#Y*#prXc&zS|kZUkIR-X1f~#iAmHc~e3D z`)POo5V6w|vwwb%U7pgr`C#Frw*RYD%`0|0+V~~yhW9FP+l3+Lkr(wKU;1#c8NpD< z8I?~M<~M_}HvwtJtm#YY&|VWX${)ZkTT@qg%WoN(61^o(t}vwFjepDy3l7b?*s_(q zzCrf+KBbXe_1e|&HuV^{ae5obrJ*Qkx$k7J`Iyt=-+os`xkbF~k{eioEbL5GK6fBO z6`u=!qG(-VfQSZnC9<9@ZCXKC!F(Gn1*@`@xUJPR3<~qP3-TpFws)XJMo5VqamA5* z@5&5?CrG1U7mH&EHg73K1gPR=+TZ^t3I5?J(X8mMdGTS|wctkaWGl>;iIUm*5uvV9iv zXXAZR19&Hoj-#lJfXjw}%3nt?uIXpDf|Jis0pme0QmmMDDus?fM2@FaCzd6ya-DI3 z9}KdfgQ2V=Fv0fT6~~x~u*|1KhD*=gfwMCk4EH{b|3dsqN0|l91OKgGHTJA-El!g2 zsa#+?DbTCMtHDg7E;Y}|xFwR8PvkRI@WV0du0oB~EzauXZlzpH?I zh-{3%C(LTJ?s`eQfr>$C?c2j2S04B@3`z{l7;RP7!-JN^A1n9*-F)*9cJyQ+m2*~= zY7zNh(d+|*4r1}jl>A8VxU)R5QE-M{mM7o5vqS9xneExOGzE4`+kmI%Y$4x zwtyjRt*;s>^ruig)%Bqie;H1OEKZvqXixQI=C$QKi;RqsmMCvnKc_kq|7L}}%_oab zueqW|Z&lp3dG8KK+~SGSCSK;zHkFU37ft`b6BBJ}-CCs=G*W* zBjo&qHUOIRF=J`bpg&|U$MfBY+`09mAk1Dw%29jS#ghhqd+K5qsW%Lk(Zq@ zB!tSHjqy>5nr;>KAy5RR%@5a4Z(MXsEMync``mUdTAoig?F2sY=rxHX8*JLytCdo? z>>xFpX7yN8mYVWCI#W0qSlL!>_RE>AscTw%D6p#O^l<+L{f}6B8nKA`+k}AL+FPGi zzve~15zIJLQ&{1!y60*btVsX<%=$XDT?ly%G;IUWYSoG+zgJ}K309F=2#sNg0v*h;dNzZNIG_vtWeHrhbcvC=#Ym5OOD`BVqwD z9m!24IlZC*G3P5Jx5DE^+(4A9VKd5r&+=u(T({UMqRG0^;z9sqa=N~YNHG$PVbFl> z5T9PLY?u5%C@+>2j4rX+_Yw|x6o`X!)?r_Zy<2LaYfytspRy?N7&)v6;13( znA7z6X%;nkAuI*t>*>P85FBuQFvg+JVQ>-Pi-os;iw|reT*1LMy_?v6S(l%^T#8>Gx%0g+IK!0tUnGeBRekq{O)~UbS(ZoDBt*59tP{*pCHw_C9~g7*ZBQ@ z=J77EJ#WD>S-mLh7 znUBF7igw`l7(GT>V+*#j0tA)tIF!Uw{OU*@Sr#^CpQIZfkCi)f}_IJ~PdkOh%Y zAEY}Ow6cGW#nbKn3SJEmsm(;8wWp-FEA5i;aDEN!f1s4YD6~z8NXT9jCkbupkv7vx zJ&ob|q*Sy&r0q-$MMG3`t;MN1MtbFQ6r80yz3V^Ah0K4K3t=hRvXa7MK{k%;tL*|p z`oK)b|8=DsXJ@(u8m8kej^?h@$Y1Ha!j(v$p|_`rxlJD}$p4dpV}H-0C~A@7=*gsB zwC5_vvU@D^1?FsdX}%)`A=$vLZOq0~;9L}=bCH{svF4nYIfG1ErXYc9!(DUC@_5W4vHB3#QY~ z+I~^RyMyNk=UGx&CnKv3LOl9=!ag!z>xWrre%n)#8@CcEi15-EgkUtm z^hCG7uZc5IS>Qs`mJZ}AhS(26Lr@H#nvo(0Yr)E60;Mnm16P9VUW!o8(q9G-#D34g zMPNZMK~D(Tq0Fsi@?a_^1tBFe=Ggx&Zs;gSpJPf5`nHfyH z1_20*#!VjTiG1yq(`K-Az$QfBy3aK*26cJa3-zGFxA_G zgY-GQk45}vUDEQRk2wZ>ryRxwB!jRi27v3DN10AS+&#KF>dzy0e7D|cSn;&-X7iDR z9|25d8FuEg(=jLn)DWrM$+;NcaTd%LG6woYt7CxB0h)x{ph=E7iZb87DO@U5^OB!r%{DRKHLCKy2j3f}X@05vfn?ka zc`FhULL?)ry7PS6o72i%u?Wt?bI308lA%p^%8!2kb=J z5#V8>PLL@>2j(7$m1l!hIO050c^ZoLwIMSZc5XA)V^!mTDWu`&AxO%~I+?+ALpSEB$Y>k^=GI4YG6U$nNPm9kKpf zQcaXgEH;UP>;wKf;C#T(W?62g$x=heo^_zbzBAjXtgwM*eOF+X<|*@lKy$nz#B1z$ zuw?fnGZv@+e<%n54MCD|>(uj2UNG&h-}Zj-Q8_J1*wU3&p;afnu%UQrgGB!bHJh1w zWoeFvDmlxf+fWuvMwm9!1)oJvd+41MKP)dmZ4u9VkAD1a&R&tySWdG zVZzI><#O%&`aMrs^)%t(S=<+xJz61K+q8WesVAQ(Sje1)cQFc4?9i0VUeyN8#I@!{ zxM1LrX-@}7g#BYu+J07`?ttsR#HMSNJ@v^WGsCWRQeH+eM<}7`s+ba3%R^>TV03E4 z1>fTQUbh?Iki*i_zB@eMT5j+>OYAG%LHZf=o&Qq^Ou0!13ZSHCQz1_hACHMakHyIJKz^0X70ZSMX!X}0R;LnjAg6J`o0a9hDok%$ZIzGPOiTgnu5LyQ?rh@^y4?&hwU6y8* zb-Gm(+TM3CQUjIQ<%4K9hzF?0icVfO7{GeCb^ie4<1vBLj38cTfvU5f+>L zPQ>8P3Q=GA^~R6B)Y)n7am29xF@Hp8COx7EU}${vav~ zvamWI(Ao>HnvF+@g%-M8K5#hBwJADgbRjP(J>pZeT@@NgH$3;+(CsnYNR-U?(LXy~ zWu=*RWVJX~k&P-F_y2g@b)`Sw)CcF?Jnxu_28xhg;jdP= ziJT0B+cEnaH_3v^Ze$S7$bKLfr(n&i*N=|%xFz(4$M}bLU-AFadIk)DaKoGC^UhC) zD|fFZR=m*%+p^6pgjt6Cm?6k4U^@$Z;`3D(^7wLCk`>esfp@w_f zjAgFCh)T6)VrHHL`$pQ5l9_1*zQ>l_{f67TW+oclXK^_~+$Y!Cy z?BbHyVyoP*Gr1dk)&pM#X8kZ>?8zKr)auWB!k;nUi95~mr(V?47ng`~;p9#>bN}dz z9HN{RvHkvRO5hXBT`h%QcY}KToo9hyC#i}4)=YrTXJCeaqcZ!s26ifPf0+o$E(?EK zdOdc#L-MfV(btSQAMf$m^XqP@Z_~4$aQ+}(>HX7~uR7|NM*Dz#S^yrcopmoB`CGrb z&C9fSMm#-ob;`;(^SAW;tNN=;T1RkbKUFS(UM-(5wc@mur2=b$-mJG$#rrFw$Oi%Y z#@LNRNcH2?!_?a;_V%z~#B0gjrpbCJ#CKwY0((av;)TGL^M3?YqMkg3(BQN!IzJ>H zv2MV#^PviXL9Kecoz2og_B;?Hka-x2evtxq!g(}3j@J!2Gx6%1g9Mp#Xty!ffIJTq z6ebV00_W^nwX1_Ujo92l7l8X>Q|_n2X3vN&ip&1Kle)F31B_S<6hdv0?tS@5iTAKe zB-Ogccjl-*)Zu(;mC;=qmJH{vRpQ~v2!<~)Qv%ZSsaz2?%wus)vQVkj-twk_AOt|s zFw-75o^i&1NY{7DO$I7}X3)tKd@j5$-fmZliDxqO7;w=SVJ_b*yhgk2!!_b>jF*{s zi>8M}eJY(hgZ6$u(MAp?5ZU(1SX3*4MZXV@6%`Zx;KL@EtSX8S%?*aI9w+cV0{hz& zzpfinAQjKVSzM=+)&0lfj^)FBxZ;bmQ8yoOI9=rdnPzMfZOX`kb3>1#RKIduk0_d! z;?G!qTWR<6`h8T-s{M*AoVJN-DyyhVq+;sV6WVb>s1x9o3g;yp0^|hA%mJ=WuNP>c zJmMyL(CZEp=qQMgA`%zG4tc(^@KLD|p|d3@a)B_zeSN#lb+;McL%e+En`|-)v5jM# z%`!lbvQ3$X2S;LcuZ2V)UVZ5?==o~}rUJ=u;3HDgLjclhq+RI}M&qewA5QxC6YBdD zDe7?J6pgcjhS2}GWH_av^koZFha%tgPtECY064SMn*EZ2r_$GGnY>43$>kCJLDA>k zKFc_9XpgXHyi7Ify*Ys2Ji_Rs3kd;KtWF1(mt(7QLY9N@qSeT&q9N`{G7*72`aAkW zA@SmrJEOoT*veb%kC6ZFRsZjQE1ZIC!S`FIZyBMhgn5m23SUT>b&1d1xlK{_23P4r z0B?`D^z+Q5MfTnrH>@C|Uk%Yc29*f<7kj%Le7}aC)OohR*<~bRgXBjaY+vFhFzz{y%{=2*8LR-U2B24@Hi>&c@fcztu_nM2_>T$TTW#$5R zH*(3A$#?l>5)HH9*>VPKz2~EnA7_r*_FlTinzEsFOX^;p-vO~g7X5lp+8RvGZHWar z#KFcYm|=dNVJ^OksC0-hH6pvCRIyMtQUTote63TU(3ez#3g2)-4EQP&EoP_IxXmv; z_xml!VMXwH-{Uu=)qPgPGP2s#=H4oGprZWB>C2?u^_3eV3bkL4xlB>bw)?vc%%M#+ z9?yy~dd8vZkH{XpGU0JkE)a^M1PK3ztHWXs*?Z$8O~LW`DpV$_rXW%ff`GrhWw*cz zdwR2|HTosU=d;w&1Rhfm1Vr8xNY#&|+PsMw z6w&161L-)!P&ZEak3taZ`_DWbi6>&zCGw`TVNlg4u|JhJ=9@cNSb=MWnI8rTY*Ke8 zX3ElbntCm1ZZRC*b#DH(EYI|`l*aJ;*dD@44Bwg;E*&W>|To7Oh=UP<>J{_VZKar=31*_m&mvO&gw zgJ!(I#Rt8=Jg?9OSJ|iI8L;g(?-Pe<(euAi2D#zvIL+3*y;_zrwGf=rh|)CNPaQ>P zl7gg&&Y`LUoMWnQICm#ST$18h#(yLFSRYuZ!9%tyM${Rqg9@D8Ci4A8=zT}e-ZdPn zO^a5|dbmk;#+q|6yro(r<)?d14YmLkfn__rl6VV|T8H)oYcGL2fA+u+x->GUlBNcD zHLy?6{$TTTi;ld_wqSijZF%2rKR4I9*0d42z&U;+A;WF>)uKDw=iz- zcW@ejJvSsC=r?rx;d-`J@$a|~`p}_l$?jF|m5OL2Nk~yD`Dr(PWLWEJ_7qI7B(<+Z zl^{6eM>=~n_y_2xJJN@Qz$21z_Fm0sH1Lo6=w4EJaSR#khly_A5G3zThZ~~@Xd8QM zI^lrqSSOE!Iq3S&c1Jdd+WBeRySYWQN)OfD8IUn%!WTOJWh3nhp7o7l)crfy5~=Xf|j^SA3WTrWIVh0_UiW6&Kq;b$diSq2k*7#(3oD5Hty7) zXYv3iXtPI8{C^V`jO*~GkoQug8>XS?4<_Gl?hGG|d5A*zkW}9QEIUR~mIv|FcbRtu zFNclHuLr+)^Z{?C(gVY{s#$QP6&^op*p{%*tPv1aC6u_~<}@+$aARBB5Y$utc4;CUJQnkTeGO=>BK zjh2c2K+aTGG$}HQHl>Rle?hKW1Mb}e*Y8VN_IuNrpVQ5KkzG8892&LNaOMaE zAUE=Tc5JoI`45S~q3I0{hQy)s4c~EWv2UUHUc#X)8voDrEN~R|h#1m)U#Xgn@M&KB z`1921d_{cVV$&KMsk?!OxA{{*+R8z~gbT#v8Z=BPWgwEt+Aph6;@%PR690B7tL90n z&*hQr_tR*I^JN{t{jq}n0%a#T4Op=c_zAa4nlaM5$|`WeAFO31;%|mbQWRxF2SAKB z)-XO>9&o!My&^~)UVFH{K<0;7WgtXx6L0#Ys0^&9$B6Qpt#wc|r2-Dv0O_w;MJQHk zQ#Y-utd})2!=IZVV;HVeT>TV>%{iniV7B(`02t2gcWr(Njt^Pc{k^880#T zZR>z2uI91KxTD^A8b`sgHe!jp%5K{`ZM;~G^BA=V~D38ue}}2Tw|s{YRy2Y&jXxbcM*Kj?1;gqe>dfj-inhKP}hMb3WU5Q&^(D zJVx}HN&Ui59s}wIHbKv9TzymQn_l<7Taon`K=!*zFr_$C^u3&B_8FU?+?@jK68A0N zq>gHtQdlUW5a^Q{eS(Kh5mHBMm{V~;K%uS#v0DPD?Cy;e3We>yu;3!mT`Gt!i*1=Y~)q!a(1}gBl64$q9^senSRmdKMd-BOrLpvAx%?~h0nL{ zu_kMw6^1WXyYyRH_D(zN5OH(z#PaVnmmfLrG|s*!lUPf`gLzrg-NA1l z6&nk_cS-il+uQQoNEUvS^yPuimD;0QeT$wzMYcGFHo3G&YA_s*rwcI{D}-R5+KnRq z_dx^<)$8$O=&;L0n$%UDRM7-9-kxAOtyR96wV9+@u9=1T#qc?^^aa92S)so@mhdy@ za@GhVxhdTif>k5e+bVv2xJyeK?%*cp2S|MMROh?dNkYpyRck8JX82I_Pz?WaE9+yz z@zl#Jxck;>uv5AwyG@qRD4yK?JK8mC$|mhGREuI7aOaD!+2t3iu`!J8J?X5ua?SBH#X(4(G0 zA>K-`kM()u7gd6#$gL5C_6Ce97!Wo9xBv4A7MGh7wyCBJzC%g%0362Sh|?6v6OCi} z{C0##=91xGd?q6DIv1b^|=-9yg+t%#y>V|s;Ui$a_rX2R;Ri)`*<5W0BbMf zK+x7)2h}vM{7lEr>Y(W{t2W5vzU?=+RPyGLN< z_4ll-3SD&*@XANYdO6amim&HspanCoXsxM^(W7h>^CCJi%lr))nFmNLH0p|&hgQR` z?r&MI@{!ijP!32CQH|^YWLg#R*^|+nxw&Ao0kyk#39*h=&%Phy!4Ps$l8tNsOcnGh zTwcHa>QV1_zQR`pGw<^)#((%AP186U@-Yr~=B1bZXrn0D=TC13N)=XLf#XCgv&)T- zu%W*%-2X-53_BA)tn@o?$qyrAHcF434gF^7#M3s>d3ME&iz3K7_t%% zUnu-o(wKGXXtPVj2QT} z_A6xqs};k5HDG{HO7sqn$*WDf0e)kW<9e6CNmu%&p|OUPi2VmXPCz0_ex8Co16e{_ zLBWGJqY|Wl4W&DS8e%{+*0=Ep`t`pjrym8!tD7-Vpw=7Cx2M}}e6A=kwYa#?XH}B} z1Y{J>XL&BA^b%JRCCSboJJIs3?!y*8c=_jOPk%cmv=~Sj$4`p)UJp$%Z?aiLATtiG z!p|&OB5Eh^OwueQ3UFH6H#bh~!@Og{cljHij)+0ehhK1%w1`l;a zQ+zP;OW7ac{~MnF--nIFu@QZXny9=q(2a9m}y&j<^sdWUy z_smuJvPD!nj!Z$crjgZS_2KCPyvyM=4WIdfbU?Us1_)B`gVWz%X-B~CUSjsT9}fk> zY^_$|rwFY^v*Fz*zUGY=&0mN}s7k(Da4DPJFHRSDna9x)liI-z`$P02Na72{Q&rkk z1j7)3_Pl*pN`5(AW>4oq?OFuTmU!!&fuHIblqnf;m8sM~PKaH|d9_WJVJ{5j8a$9frH7E|U{tYx#Ieo$&eJpGxJe zq|>4@XIPD|Kw2?!?a4FWJOKuOxJCW0t27*`u~pN#CQ`Jo{6Sb02hWdiR$}`mqZWXU z)Z@3VYHkF=nrs@4Z@`7Ehv=03@kvl@AiNX-o?Axt5PjsIO|x-FC2wc^Uu6lxTVs`% zXU3YJsU<8TZW!zX!^!)CmUe#tzeJI-rY?tW9KL6{m^~V|NaAlvYpv(vCQeLdV3;NL z*(+zpNFsjgnRNCV^f=QY1l~$a|B@chMOVfcISD~feZ>Q~YJ;^9(dUT%>#HFQP;i7_|CewG5?1u0CMHK)Y zJC~7(!or%$8CE?XK>C-C`~jKw_WR|uJ0Ttic2!QK;Lq;P&`v{Zh?BgTR&es+2I(l=CIq znTRNma<+Uhz^!ES2X2W&-OS*iNA#T#r8ulgqu{HFTl8I&{D3#M5xJW8=tK85vbP+Mwp04FTjSmM%p=}`CBE|G*7D+O zoUU`U7spQKjr7^F-*pbqAYD_p|ID5TML3|YK~?CCQyScG2&QlGRCJ3*=)m(`_-nuH zt(|ZAjF}DlMBL;~W^n~B|1s$vHwQuON&=tG9=8$ReY7#`h!J^DxAgxpd}U$CJD*%_ zdW?9TzjVIkyl~69o+v z4Os7E{0qutt8CxlbeZ)%O{*ty2Wtj=C%|nz{R`)QY&_I-i1nG-Ql*ONpLA8v4VV*o zmfU+Hr-zw)Vey|7vxy$4DKaQ~-v4?_j6*4fl{-)3&SOOxb8!i*;|O$}sXqgl%wFR# zHq}n0p(z&ZU%$)Zj9&Vbqb?8Ro*@nVXlg0j82)vHwuWuUY=zFGcH_YsFyUgqT+LML zyy>vA7JFhT!Aq{8=+DW6D#FF4G+RDdN4^w4bnKHwtMb)UAUj-BWTH;Z&H@_k98w%- zga*#esfDS3f}*u>bN6$DWlAQ!ivK8Ck5_=H2*{nH)2YfqzvCd7sP_G*l?hz+zrdJD zX+GQ&5Wh9JlUS}R&Udnb*H)pW!ih720h=Hf9N36M1~1XE$rnorM35L#k}iPr z8i)5*TOBa3A%Q}*S4uMg3v-B}pcs4*GV6$9SvYg5xr z4ykpOzHW}xncoazeUKuNS7o|lL?JeqiRTQ{n+lWA$wQ*tyuTjrNh-e2lP4ERf@q!i zsS=R%8%~c1c3WH1Z1@L?*F7%J;)v@m;m4L#LoxVPIgG}-N+=_$2LHPUeI*@I2o>KlcYqx>D6Y8d>;PI}q-hdOL2&|Mv$XqOtNuvDidSl|Qa@5$#$z*nHYjVJX{+v;zIQ)?C`^P9mczxF+ z^6IXmY*}ySSz^=j_B9HPGxz-k4b$Nnw<>PoRPlFL#ISNi+qd>gg>(B2x^J|WljBkW z_Fg{y;;U|0fZ^SUN5j{-^ttpBY=!wv2_UwIgJ!;!gRnsxx{m)D*392|n~*0&U|R4G z2s`Uys29xQ`)=$4&~(lV#gd(nmR$50G`JY7+WW%~k~48JNNDLtyywn~gpj9r(U`2C znal%?W!|S38*{4c=Cr9g7@m zZ-?ZNO^z9-{*Ce280NNKFC8wYY#O?@7(g2TC~pUV^T4Hlu|Yqxs;xaL~#irRd3eQ!4jjW%EG)j5wpuix9V>Mg7< zG(LCrv1{}NSW9(RU8-#!(~IdxCA*cr&0bQK1la^C!NM*fIF8RP+&*(4n|V!VvOmVe zzP(JJ-RVty%fz}IIHZ#uyMDlQ*8PqTdYRakW)447t#Om6nxMV}Vm#~`npWogM_b18 zr$(;HLCiPL_6Jd+)a`tm1GlbzbiqTC=)>ZwpGwN#zn5&QjED_w&g9IAQl|Io5&W`G z!zuV-A;w^X+JH|mDPxp#nMDnaT%9BiN=q}cZOAAny7FYZ8+V+BM)-(7Ht?J`5Ig?J!Q62TaE;Urra;80`1t_r1~5^Ug-+Z zUXN=;5n?q;XZ3{_6b>V<7=#n!Y`H{$Xt~H z&IO4G+Y=2|5$F}wF(-rFyynZU>P-n+NqYRtf)6Qlr!-1tv zZO@8=Z%F2u#xzy!UkeX<&bwZ6fR5BOc}C)Xpvv`RNcv1GA4ifhvM5gOU~Sp4sdCajiw6 z$aDd?aZKD<&&dGn#ME{E()V}Lb?BV%v5{BoiUVxA=vRvB%)Y+|>)|-5TMHqF+jIj& zn)W*K;|sIvFzb%iLCxv@VVlW&{Q2|>Gr_>r^Cp%3f!esr^jWBGhubuA`lYc6<1%s& zSk?&Ljk~LN1;b~HkN^}I zR|TRP$*%e;c8O76C1CAh(|F%E-u2x5c*||4ZbvP7Aje71AXy@3L)YDXuE;zUbH%(9 zZsKQ;^EI<F#hC| z`S)@lj+btAN&;ACH?=}}_O?%W{I=Pg1lZHsz=73F-;cw0MP)^J#R~lbV=55-7hM8e z4{!08o&12uyiK+K9H1__CFC*jBKRjb7x9@@rq}N6)y0;Rv<=ZvS##J$lWD$ zoi-OV6vVsl!Is(IyJRX2*{~J--3h@0%NvO z-qlkPt7KH~4Eb@~VpiERyCop%E!>o_@ZG^SgK(Z#$E* zX2!_G+q)mBi%_Q^N|2yxz^gs0FMV{R$<~{%PfKA(&2}VA{2iM25o2+Al*PlT2MlIu z31l=%zwi%O({jxQU)9ww`?{`HTvIJl(JjW&OLq8dEIz8eeD_scPs&_F$Gl_GrI&a7 zH#VCHgph>|kb+(&!oc;`NUTq%B=~&H-$_yyK_+!Yc04YMJaF5dz zMbXi|HhZj-jHlCdiaG)5SRqHgLC-2usqcgyXzeJO)^=okmf-Tf-L9mCXsfucLKe3u z*^o0*9I+}FkBH5)#v41;3&SmUUkqoe#I$(f&CXe0I;mHU4vt1yq<;Si{Tgl4ibj8r zexgq#`DE9biBWrR=$?ahFwRzyK$%gDsqt(Mws|&2Lz-4Pd*%IIw3chVfxEOo^hz~P z?=!OF?t;p36-E*t^PI~|qso3)>&8mXvHT>wPtq}AE9ai#p^AJdU;ck38+;@Zl5rMYy!);__==sPmq!G#&7*^e{Z`He4)C7kjcn~U-Dviqq zrtGSRSz%Pe?5f}0v~CTHGvf;mG5bj0$3$~n?*91vB`QhCcbF^Yt^w6NanEj-EHwDO z3PIGZRAqS5bhTB~Eee;eCc#f?2KXP%;Y8MmSPI7V$dl;Pq!|1mQi%Z9o{#Zv>(q_Q z*vZ1r9Hz@{3Jtdc`>MR#vKY-mgiwgkv-YG=l{FDXCbPOgR`TLMP%MuT)4v`IF`nIn z{cATb2JGj$#aUYm_(sXq{YSOj>Z<~_R(C+?ERL(6dZ&}GE+eN`xF6N*?1+Xws%x&= zv&^I=-o@gZ!4215oKHIj1boYL{&I(x{9lje0E8mMV8FMYkAXVF%fXo%9j1R6(s^Ww z$XrdlL$+=!Bz0gb17o9FUFE2`i~L9pCIkRg<&ueJeg$}zvN@_rH5tBoxnCqBo5 zSr`#zF-kE)cmC>R)+0rJ^>W|LID_K%obk<=Z^$LSMQ<$K&v$@s#h5xZqUDuR9GB4W zN_B;ZI`E1s-i@o#0k3%c*5z|)2==Vhz|%M`R7FS1glLjI_WxK)Py6eDMHShD(q(j`QJOX=%Da2S^iLB6Vf(0w%m&WIkJ z7yaFfCLke32Uh<+{<5Cj(lLU&@^L3y;_GYCzR9YjWmx`TI5yW&UhBu_l&ma;3ogt3 zFRwN;#LkBLz|2Z#vDvlV`^g8aqMX4(M-PnQ5G?v$kUtB#6HORY?+Nkae?3;u=V4CI z++p<_^*mRnsg6bBGE4e~W)bSNcxPg#j8}xaD|7WbuZ}@zyp_vHW2sCon=6?VJ3xnz;Jm(Am0|oL%FjRF zaN6f2V)PpbY8I0I@)u@i6qA=d@8he(MW!C=MmQMVXk|xsdUS=U;v5>hd6m^q!c_3w3Yl zsc2647hYCz zYrh|qQy2w*SZa>AO|kl>#EN5p_qjTJEk@mnBEEE}UED=kC%2Xvr+$~5Bh~eHtedgM zI_GSlZVM*!Tp4s#N_nd zK>zX7J%wB8rI%%LuuaP?_V35ZXua zYqT+Ey%%QbXTBrzefT45s)E>qy(Uf-8MwZTH&?OXu56e8pvKIevpQWSCA6K8oml!s zfpQG}Fq?uqD`Ps^%|%_JRwX#I7gO`)L5gh>yB~#id~N|(@hw$85`9HI&o%);F?cuj=8-uLhdR1}uWD9I4*Jrq1p6NMVC(*4`1ie@2FH>6e!kM`ZcM&VS2a(fV9@ zxyKB~6;EGoVmEpSER=NDkUG=_B?Eq&cP|HS7uO#dc>pUOKU8`HU>{;{lk>29=%5?a z2C;30*G#oDbN`9T{=p?cdwCF6+zIvKvBxKt8J|7dEN1L5e#P$nL{Bm^9Oo?68TD)0 zv5q&_+RPBZ?kXf#d$vC4cQ6eQvo^<`Tar{=?Dgh+ zdRqRSW`D1(6^$~p@4skrFCCO84ix|DV7{7QNm?4T3w$M{`>Y%V#O(VjIadH^oo@(~ zpqhUUSY=ml@TEBlQd*N;0J6Jj^;5#*UkL@uK}$i)25>E0K;ra-(~gvKhVRk3Rr{IZ*cgss!QO7JhV zy&h+DB7FnOXG=?bt2!SnCKha;B$O3{zfHh%Cxx)-0hWUTNxsa4P+rwE5u7iz?P5}s z;LLDkbjYIQAQN9x$~lO6LQApQqd@Jv9;{^hMJ`);nFoeUYUQ|mbcWDw)F5Jm=9?q4 z6pU+z1M!J-vHEdbADOKY?VQ=(@}#u44I}$j>2b8og5F06W>R!MZ)5KMK&|kjoZT3{ zK_44zU`+^YU0LonP>TBOJ3QRO?e`$Hc(2koIutsbC!-OS6k~IEKEkBnz?}M?V}$VP z1y-K%T`~($ZT>$`DE?@kre1b4UEd{EM(6T@{$t*#f0q#Hc-b)G$4s+b8#_xc4@x_s zn?M4r9ewgkbj}-SHGC!x&9S}B^I;qK$X`$h@ureds!JV?f?jD$TR&H}7674|fEX++ zU}io%1E%Z9hoj2(dbq0)P~;K?ex&lwZzI|VWzDzfaAg%-v{LZQsGx>#A#IP4drKt= zcAtVChDP#iV32I#Aan2Ix;b~AgDi?PHtAWhwY2vw0n|-RBN{SN;Xir9@s9gMrVDs^ zk@C}x0A@GPYB~p1egnQJK_u|BiigevE0A@J^p)#&TZk1>tp!RBIkxiTK^`U4^T|Rl zwPFH)-6RO*cP`9Yw*jNJ4e0o73Oy@^*~;z-RXB4c4+9Mif%7F3e%)k*{THP!j8KX{ zE6)lt=hER%`?pGY$sUoLG)S;`xse7Xb08~g{Ty!`O_`BZF0?rNAp#|H^HlIDwQ zH@Hg42*Cn=*XMI&X+qWz&=i0iZskn-DFjMRZrwGB7g>ee*Ob_QO*Lrb>G1q+h(UYN zuXa>vBHe4HXpqw&8Hk1^bY^_GDP$&i8*nUx-mNrnb4iNkCAIvJMRU2D{1!;BeMdBh zTxAGWYP}hoPAmu`?x226(84Hrv3G)e>!Ju%&`b}1tl!vkfeMp zBWMEL@X6F=HQBhh<>Rn%I!1g@QTAMPn{Y>c$tR^ziN)U8jB{*__Pesfo9O@3FS$dH zvg$FY9y78F+zcs21sk@oVeJ7>#MRDs^BAPwigtI2d%>Gt2_F@ylZY0nFLto-gq>51 zl_ngrUp@`R`{EJE4BrCL0s9AqA(K2hTm_0?*XdQ`;QX^n2+S>Ct3DR%hUFDjV^ys zUPQBB{@_M--5u+V%en0yV6f~{q1a-hmEsaj@;+9B-fTmOUb{iwD)*{~BitJsX_iPn zeD{UhZI;9jx>PJ}uPd9ET-9^on5V}>k?Idw$f94gsfPHHNF(?GULga^d&(cuYaC?S zwN@uvrW2&U<3RvaE`XM zaWOxq4PduVr^K`?WdE0^NxAH%mdTuT0Y79a0il9JVGR@DYRe&#G`iWQ-B0Z;93Mn^ zsGcm8;^uxVNcmpD-AWCo|6ue`eUSNxzlD^C3C6btAtR3SZQ6g2$HPv4ply{Cr3r zK_-R!8J9`X3rzA{>R(m3>L z7 zoyWgymKF-tH%Uwe=o~7vzU2zhePV`b80)sE`aQx27c59LKbawZZjAA5O3KH!x(6OJ zttJjEKM5qurh6g^wcYDP9IqYqH8D75{s(GYrZ~3x{`VtDRk9AAZ3@vCBukSP>Kg`?c!D6<-OvV z&B7|PgptGy#CE$5{Rbu8%ZSL&KV0*A@;|%V8|J|B@Q?Z73JN#8yVgg-i{V~`t`g%? z*DxBdnY!VWolWT-++|LgUxd~vlWyj#iFCzto{ml5m>FY7I?vKx4=GZU3}~S?c-`}P z^_9YoJ0MqyCv;{bI#=^#v?olY;BgQEHpk?IXZP_^j5@&z!QU?g(!-prv`bO9v`A^m zmqS<=rTjFXcz>YZjd22w?8uu0KzPLjzQ&tF*J7M&v| z7)ZQ7r1?2gsG9<|9!r?zt`gqz9PdSP>%Un5ZG}qh_&(ECFVL z(cHcl8xf&UEWgH%ieDITVLGmixS#Q#8pD4T3jhAo#?38uW3qTWYwM*@E!cT}sD!J38W{!3e*L z#nCPEIq&^GP*+Rq=RevJievu%{w00)m$6Tx4$dCaHrlVT1azd^SnWL4BmgyqG8=2)PHa>VkB#Bfec_isPwqu8x`hLkpZkD}SMI`_$nG z#HU0dTWvaSS#~NtLm^zNYzL-xtMkxyaWtu+M!*DElPvV?KwRY6Mr45%fkj9lqA7$t z?Mt!mVZMX?0k=6Sq!9Ig)G&|KkcyM?CF$#Xh0X4M*$s};|YMFzjYK}^op)_C| z`tAYQO|(A^oGCQZk zG+DSY^WioaTRH2wDZ(#`RLmQp4^FDJ%+xV0c?5k^lgh7-?Md`@EIl^qpj}k6+KHhG zu{kgPn=}@>S>I3d8q;8wxnsRpP@=*Fm8e$2>A@4S`gjV4^@dSMf399j4-G;*skjg^ z^YEVZa+8rUnDT^l0JYr6%*#;TF+n_(?e@YM4Zel&KCdiX6+ZIFKu!sYv;ysOHg1^w z*sJ`kXKz>q!z;>`hF3ibHYWR;=}I={2f`XgjH|(Sm_#E!!DBSdj@>cvx&4_muSd3# zDI^~sRZU%OD;f{d<(*Td!7hC$BM`8YMG`*(FI;7kusgU^L=c@7t3@kB|Hi zov*pYfR5X#U*FBw{yYb?7hkZsf2-v=ZFW z%$s+V7m{2IV;O2zP?P~`fkVsUHVMW5)Fl6{P5#&KcT0gP;9e=PIc1{#b<>?B4k<=W zV-OC469R94DN3w^2t@s*^0&8(t&Dx>jVJ3S{bp>0tSVX#mEm+`n z^KVaT2ss`d+)M9LMZA$Ru!X! zxthnGa`6nnmk!$3W#+AfSPhOMu z7Qig>wSg&c$g`ngk}GOaAQR982vgd}?+P2w3OOp{6>-(Pr(u9_dO0g6&D03A{LRyi zUog}`T)eJMS8*Z%S;fPlo2^Bp4*|oNwf}6Tx2y6D3T{Xrh(@}vKCrTL#DD(Xi)-CF z7YMP-li`ap#V z+ZOM?+I)fb%Az=C2d5)~<_*&celwUKLH`U4#8##p)yzy0kpGmHJ_RO<)=0(XLEjiK z@JF_vZ#6ls)=Ri@wm2~4Pn0>DW8AR-#+itblHX~qQDd0EGy8$msrOvlzPh&g9=huh zowb`eeuRIgiR=#*Oe368kUw}Y^|OtS7Ho>eRN!v|-Ua*L&Cxj^~OVF?= zHAQkUA^qNO()HCC&2RyLhES$*hUR|7L_-JP^ybDBWlz25PiKynUJ@^qEb}tz@4&nUQr`1va=qD zxu3keDI0$~e{uyU2^FhEYbe)n>STXlLyfpCMbS@}P$xW@vqm&6LOM>rx}qN^&> z9%6Ao3Oj5u#O{P+qc@#_N{!PsT3E0x8~<%2PZ=aS;JGGVn6k{WKi$H;reH+MRu}c8 z^o<)lpo(XiU12r`Qu(5JFu=MZa)N{jYP?m(AOM{KfR^71%%_k!(r+-HrIur#+bhnN zvVP-Xz|k*X(4PT@M_RPb%6d6cZGzd3J}rk4g?LwBkepi3_oJh*3QBDC#4LqmWDg|F zKUeCAyBpvoM^$<#G%tx5H}|`oA0nA;1Qs5H;XU-NG!@1^yHiIakTJKu19054UIBlg!*pJ*n1R1YXFG1%RQ zIb-|g6zc<7SQ=OA@TexQR6poYo|Lf0KGH9hG`{Q!WknxJ+XAial?pSH9lcIjo#R7w zpVZ%EBK0avW?v1|@9C4#sW_sPeyB?|erz$)#O-x{=Tk-_xxq;4pOXuh7e zOd5Mpp}v4QRpZS%2Om1N=OY<%i7+?B7fap)mA)V1lDV12bExyMMmq1l*7pa>LD6tM z`bk|VOD1OHE`n)UN8ff=IVd*y3o|lqyeGoEc(F#OpoPVaIj65BOZE!J)pH z1Z|t0W*^-@QHA_}pNB8~3EH?{W?e0mh7R#)0$WBEsUCO4y|ou628V!Xz@>*)P_R5s zQt6CKFP_Fz%+IDzOGg!mp4LTb;ye{6nz2pw;f#1I?h9a%+0ax=WV;p8W|+nNs{wy3 zJNjtK?$3}CBSZ8qTTY?&77M#bvxs3^oqkhD1$&KVyk18(wIObm&(mbEPiEBN8!$>1 zYF*GNQR(z+zcR?9QAa~cIHXE&_<+*^z-K!nzO+hG`)CIagXFtxU)mYf@qgah1+}*9 z0XiBT8vor7r+>L)A0L_6#0{+glBX5GKU>pXwAG$^Y6P5tSUjUQ@)(XMx zSV%!7KSue1T}(aKv%n$2qAchN$Y>--BS2I09fo@Z z)DYq!a;@@JKvcj4#){}PJ~QiT&ItYZC{1^s{2Qt??r>yam{!O+pBatfKaut&Un1ua z<5?_m>uYVX$A;IWC~WlS93c&Uh~BuUaf_W)yo0uTz1!J|zo$LG#2}Tu2eq%cm9L$M z&GK@as{g&gxV`%H_oE%dmd^~b|A(*dj)t>s_npyYv=Akt1`(Y|BpAIDy+=(Dy|>Xv z)F68A(K`_tB?uuHgdlqFEy@g{bDnwk_wK#UT4$f-kFjE{M40=zuj^M043|v6joe!^ zi1D82q2gps`pTKn9o<$NvwlC$b+lw;BBY6ybPlTWE zf81dePAqmCmGbFurG1&KYkfB=9-Hy%;mWAR7@Lg$p-W_>3jR810{GYa3-AL*N#l-H z^3>fvUs_~;yRWufr2iYjZ~86du+9@03+=k)#740G_YYMgV6n?Y*m$o`|JZ{5qWV(D z^hDBuyHA??)$O)=&>d8P1d`|UF?)x+o8Jt;bcw^XuwDdHGgGa~!pdMk@07`?b}riS zEJEUn8MgQECl+HvUn8cqi>s#TJC$wp?4B!6y4*>Kuycae_d_~)lSGJT|1cz)``xVg z7f?u%F(j~oNd#i>G8HM>Xi9!`_S+g@+uR`CX}x)=rD5GpuvGE$!yD=2JveUKc)h@i&pYXZop*(x&Uf2KQJV7ePK zs1=kT7BE)ET4LUC2G!8PKm!j&y*rbvyBeTyD^Pd-!y|eIY4Awhb=5rOd!AY_<+RV? zc4;2T?9%jJ7kCGZ)mzBn75aDDnh}4B%XxRN!zK_!{Q21n9P>N1RdW&OG5|Qa04x50 z{BiB2-vqi~)N!BT(|g2!1qd;0rWl{l^ZWcv9pkHU65@x@<6kl#0|BWH0Gh#m7ns zBHz=jRM7dH0mvYdTzqE4EBxeC1qb1wUg5v(ctOCOxj8)%tW+7yRCJ~Z(yVhkLO$5le8rUjzkv-ECIuzwJeUaHceUQ^~{ z-V}M?LH(8w7TndfdPd8j0A+aQGo|K`Yh62+D0R#X`iho>bxjUTx4_&VEN zvZ#v`C1j7G`T4VdgGy){Yh&pT2m@p<>5;0N0-dX@ z(S4sh^GjXC>z^#GPmo6Rrqc$Y?{;|6(_tderaJo93}CEoQEj)6ytOgtDDHQa>Kxj* zk=C;zF|Fdb{$bt{FazUWQC0TDUak%fxK4!ztt5f4Dy&;OV5%iC%mf5=*tI6qU@)>S z`O>J(_{_EK9{p#;kSz*8FZu!i=yq>IK?HEABlzsUN=Pul`@Ea1DsMhq&kHa=LZugW<)9DJ|ph7 zw~Gnwx4Po*1;r%vKK=As=7XQK&n^#kw~Stja5eSh*BL`EqA77H`SDBN(#x!!G-@Ht z7Nqu-)abfpI3e})rRBiye~yOXlEAE)+{SdpaEjcHA$6p_H!qKt!UgX@s^g&NDd6Az!&r;=$;(Z09jBr5OJ zF`zH^kWSIgbu2>@mh;JD$Ar5w_eb4}Q1AKdgJ9@q*AX6<@ehqsdE^)$Xq5WmB!V^W z>0O^btat@Q2If{ey;Ki!>117T+pRn#qs4Wa05$vV)5~K;69fPjcusd{`u~531<6Tn zvS65rprbyH(Jv~7sHs4~=qX+@GD^$Fr->2ITTQ_wmC7&#HaxhO+EE>%AvHVts@8Gz z6QEGRiC1EG_Bvejnsp?pb&NM@t^V2<(a65WwjLgu%-BI=%#I9exi`VABuCZhn76?r z0w}>g?{U;0z9>qhCkMm>?=}nK0*?#9M5DoC&qN_`-FuM{3S~-3k8r24&WbqE?_(6G zUVzmX0Di1KFQ z00nVs+OxQ~zEbP7SdvFQ51bo7p6HGc?-#AzQm6CYW}tPRZ&&DjKtW2BI}AdA z=dfE#P|3w++n`@G(HOoDQ~-Y1^O;Sull9qa{op(6#F|IdL&e%4TKF2Me|nV4*%O{J zMGKAVA5!hBKN3B4?XZCGG-!aFHn!`1fbFKFCvrR^22!UevP2{KSB2+`P8PltdTQnj z*xNZUgLD7vT{!@%Q|8>lRJjwdp420udcgyDE@`wwjL)lbvklLZ+*2w@;Bt z>=DORj3yTFBvg!k=uT{H!Rb~N&`6aQVEVJdZ+x@=;Yk%X0GnWr%%4OnfTTmVQ67{S zTRXV6uEvVK^^^id96|fqc>W6|C|T)@DHwLJJw16k-NMK&wsKOyV|()6cK#DQPk%Zy zl}~tq_BTlFJ$5S@GX>uiN1Z$pI-0Ctb541Rl%hIcN&rnV8_CkqE3^C#CaMf^U%y+S zwxUVf5~=>x_9dhu_ zxo%<0GFH;fRE5pZt1)c?(oH%K(5C-iq_FwZSVO#FrOoVCLwr)SV&2ctqGiq4Jrl~I zXEf|rkrHReyM;GP*)9v6E)0w-q*>|;gu+y`MAQs1?(Jm~RHwafLQt+DD3myBJCMhE z*sB$SvI=NwkT}fhXU`b8wD{3U7PP>XwVEV;V;khKXJVs%V)moEuvh5NY*TGL^4|ZY zFZ);I`R^%ad4kUmnWr^!@Ne))1QPR*0b859L%i#*2gzL^WLE2O!WRIijJN|uTlFrK*mHg>t4G85Euts=)>SN!sz*j#;phhrbyAP= z_QqOoU;yK0=!Qn>-X8B?XIi{;}nb!V=FPBWhAK<2MJ z!@0kL5;YMYfU1v!(u=S`jRn3#qfg8W<#A8n?i%yS_5O+PXCsH6u{U(_F|fOpsGZCP zBOE*cSrrMAFR|n75|hf9xGJSl{YG_4Dj=N>|1oOexsfj)fMKLAlsuICQz)c0Tydmr z8n6dzoOG#=$+`S9hiisenXV8y)lUNL$BHTt?gwp775HCqZ-7d@YMwZXpSTOFV>$=R zz>l^;B>1kP$)-iTR+}8gNBx@C8s(t-5~`M zUxD+s8mUS44)bfw8=s2z+zp5k6N6WMDBcRFua1}CcvAYY_Q9lIJ+JMip+$Zo0noW?Q|#w#Ref9)iLZqlcz`P$ZKc?TZ?bJ98cnqjCgxxXvMbIv2_4AF0*8ahzHT_ufte;9i9ZHa2$ot;}x&QnbT|fwiNy zT-+UC3{%%LSjz~lZz&ng&8l*!;epvU7MnKw*oj8%8^Wzg;&5k18F$ZCS8qUE4gKbi ziAH*_&Y#?X%w!1`A~nuf4izczNL`f7lY1@!?O@%@=rftAN75wAc^xu84@h0K%!>#p z@nz&_4Y*eBY|_O*B5>uSL;R&jJDm)<)9Or?TKiaVhH-^rn)u%wx^88YVd>*NQr%uc zzR(xh?AN|O+Pzum*vhGLQAbYsF)@B6G@etbtfyQvd)DJj0B`$A)QS+jh5L|Hb_hvu z+KZewqLC!UEZaJsPnkpD8rUKJqoAb(`RvXv;SOjAEL(6Y(w!i(amic+JE^k*3?Xo? zlA!5cz5duK*4dke#$SFC;yUymyJPi@;RGY&QSY6QWo7ZTvrvhqz6rDfuxio3*?(F1 z2hX)VP)Vly|D5JuCYV9edvCVE0{{aFr&1p2NU9IBhn47ppD!ymlbMiN95zly>3uncDKq&_!b!h5Vp zk6~@f{pYgfK<^p|QjN<7I4#D$5VQk-YBlrgZ@FV>iVPGIso>XITBI>-;ywSx5e((P zc456n27ic-H>n!LR@C&q=r0%>W9;oPVu0 ziqaJn{5xREaHc6fzSAwb8Y4)~7M&*!grQf9Hv?SHE8Hv$(Iu(G7YsAR@LP8Gx!Jx? zr4Xax62`qNm5}a2T6k*0X5+GbmP(TDF$1TOFZdUm(qC|qcQ3s+j_Ef_pF~H_4wB<* zz%gwH7UctOQD%QRia+U=3@^1PyyQwYG~tV&MH}o6M-^a+vQ%8OtE|R4BVjn;;P+nm zvYv!$Z6-85VCLPTm=ZH=@AD}YCb_TrA)(;{G_=MLS&i;Epu+imk1XzD3T3hR^n>+| z?uid;b(_`LXb%Pxd>F7;-tL=7xH8g3xdjDB5gwelM`0OT|`DAI2aJT(#;Nn3Dtu_rLQyBF~Vt&#O^iw&iLUJ#fC?^VxHQ;g-oDfj_o1n6eWZ!^a37T0crDHuG1&VnKpr|5}to_f}aXTQsi|rTE#f1v28AVDGCzKMNQnAP6iFkY; z&lK5-efm#Fgszp-cu|5(y%%Zn{yXv+iee3tbD4;Up4f_ix#)ji?F^U7H*dCwTF*>Q zCE~8f+R(Q*+cy^_?rB#rp;Hv)S)~AatJYb~v(gz|lGSw^W@d9E;51iYG57p=7P7h> z-RCgew;OD*ih=D%%!8Yr?e*=*ef_}k?37_U8y|=TFU36m*Y89D$&wM& z0o4d}o;Eiw2F`w(FEazVLHGtmPrc9(-63r0Y%?0jtQH9oQG?)_AOe2G1l?RzX|aeE ze&ldX_znM!FrrhlmSf|pJr&_D6#G|$igb&VDKF6pLqQ*V-Lu`F&ll+s&sqUNakv8{T`$~KI#0l9N^g`e_A8~{ zk{`?xIRKeEK?~)%Dk2wQclN>HBjITXnyolK^0-h+y5w*VQ)}e;d(+ zUyFNri96{s1hblpLOZ0VD46Zeyoo9L>CHe#f$0CCX1r-UfJA-V8$zDu4rJr=g;g6) z^NuItzi2Lu6Blt{2LgV)BhDFoqIr5+oP6qyjGo+9)!%975C?|*sHgj{Cym`dTmotP zbO_Zok>-n?N+Tl&1_JuChMD4hIR?mVUZ<&J0OYWy^S zc2?x!2aAwG2`zFz<+0X?k?wd*5u@{Md#_mfThu2q###c}Ch4(N=O&|%+Z?hf-H0(= z0L-HHS;jTkxhk@TMq`P?N7$3DZdrB*uFs+Nz8YRl8&?WYrdLi8!*5@beXSVAsW>2a>7nR?XFOeTWbQE7rL*LxT%(0<0T_1O9f6)Vv}5bWx^ z*sVmd5D8tO>+WQnhK|B~YS3#^Q23+OY>YIa%u9dS@pLQRXdyj!uEzj&qGp-MZsQl%V0m5Lq6%?4ByHEI*- zeqV;TG{FM_^8^^bt2LP?>97P9h3k37#N|Ssu4wgjD}U*2g-7SgtJyECbQ$Om2YwaF z9NOk9O86v7iMw|A#}5%Q_bW=cZZqX|?VOhKT=%o!=(g0I{u0_##WzmyeGAYByBXz$ z1$2*;&}X)4_G1=t)b=;g zHoZr1@ksLon^eOyIJ;IO&r)L;AzyJd!^SYMQjz+UTl-`(;Oluw^xiJ+!Y39Emqf3N zGxTP6hcdbX>?m)dVxSk_zNvYtRNqb_qApKu_j@?pn^ICAWH{Q{5Ax^fwDp8H&u9iT zNUl;HGQ61slAqTAAq>N&SkhD8pe9^-rUjQ%N#ScRfy^H-b0-bUP8le$&U*aX-2+u# z_4;8Q{NyD#Ww4oJ7w?QXVkEomZ7q$AufvEkJ`oR3eX_td-^S4Q9lVkTKps-#k&#LG zAvPgncf(dmGFzJQ=y^4zrwHpk#SkJ89JB{=gb(QX>$rhg9{dY2s?3FJG$eo@3(o!=@QN~Wa}g5ZO@LJiM!ZImh=N3!QQEX=&dB_fxhutqkMu39Hu)KvEoNYyUhS{!*z^%`+oF7!kKx*?~m*Ac@OO} zYDmcfg)Zn1DAAmm63%$w1S*sS5UTUPv(Ah&3UhwXTm!j2@y80|`}eNASiP@|T?5$Y zS}=(71I~=2B>e8e^izYix>+K@!6l(ZfA`JC`^2ZbU`Mb5K`3rVr(cdojDqB+DVq3_ zMK{4d5P)5#Ks8N7*FJ=(NkS!QvFHVBz@f>-YJa6n=g&E6)sBfLA072$LAc3k3_(~^ zGtP3`PQb9vKZ$8K2Lo<60K7Zi1KyX^ApAbd_EnMBL%sX(^{rU|w21u!vcVLEGpryP z7j)74T5DqS&0$n;+{;J_m_Fcc3aGoNS11EvwyIMpEdn=SuIP54-CX2=N4d0`tmAG6 z%iSeqhs>fDcM5bSXoWIkHIt4-Nz}zDcxH;y?^A52Sh}?X9B#ZiH&CXc$z(b&T%9#3 zx>qBJm)TTHz3sP?pVbk<&B8!k7d+37D#lawz5i!VnEfXUR#k8fXc4?;yT^ID4yw&jg^dap=DT9&rA={9VjihC#7WJc88QwJAU$fkJ>kY-x@GT_IFJS z-lYF!4|*I)tnmP6pWrIKPWwB9t6B>cUWbJ%iG(YPBaeFb;2gV(9DjR@iG*;NEpUi= zJ3^mtQ&;aIfms|~WVRieteYcD&FC75PE^m_!DIA|SF#y!BS|PhhtesL-#|=J>^^t$ zSn>%Az&aB`FE{OQsm(yN#$Z5;&>oF zQAHS;3Pt~Z4d00$kP^4tRWUqEQ4j{6Wj+tTL?qruRH_}m@5}qi80~Xz&Hk}+u@`SDH}mSXXoztsABq{<1AK&_^k(#Y2!I?Pyh3N zMyg1OdTv;ZymI@T)`Ro@g|DL%wu@m`%vPP@fkhGuqA0A~v-#?mcqM$Oj^Id z*|0DtjjQf#K~X9oA!Qd+nw7DIxoH4o4<8QA`O`R#^mKxsd^Rt zrAxx#=}SIC2~XBRKhIZ&C$yD??!KI&Gn-o@ztgb9i+r?biT7e8TNB2ksTzK`vomyn z9!UAecg#IppM(=_JIKKn;>nptiLQc|3W4xaK{80cjJ>f6 zNvP$jW8~k~vz2JQ@%W}iaUK{$LA8}le=^4q00COYObaNOf#a2ZNBfNw*Cd22!sD!D zVVom=`x(}`!Z5{qF8qYu*xlgtgA{#JO%zD{=%7EOSDrkf7hfCLx0x5-949;s&^h(x z5P9p^HoDTnh%$?~g(_iz{D3Dqf(`pDQD5HS4ruaSBxnzq;QUFPt?SR5TvzArD$w1P zOwlv=_lW|^i=iOsV7oR<6`58*?+mIZCQxEA;AL|eb@dvDuxr`?4s~KCeQ3WFzyrmv zHZ~DYiscI>vqCiz3>1 zDEVgR0aOO-t!g4}&}$ixtnC4OXGnF+5i3&PGFC=k+XBZ>2`d|Utz_}eUv%H|n^n!4 znD0N&ix0jYN4~Y9csmP|(SOCf`dFZHXy{wyLMd3!Z86Py0f;pp7N5fL(U_sbkxV}) zb+(c#-#_E@jT^#>E6<$|1eT~_5lQHb=0EWKu_Xqvc=%w&FdfzR>Vdg>Q|01D1CIbN{n|e)^TB;_qp~kV-Or>9*(1h9l=U; zml?l1PYj~ADi{1y+Xt3^|C-q_yK7jOnKb<}xh`^#BHU8y4~Q4P?3nXNQ6 z4>EOhq09vbdrk!lGrlZ?BP*-wI)UzUbmGMbA*tmFmpD)9S}jg0_e4)kcvVUGFU%jO2Sxk&fYsBk@XxmWs7;c*_0n(%eS*?(?hQLHpTpu1YS-VnaEj zNm5Qm^zajE|GqL^iBFND-Hhj9xvq#iE~9TU&RF{9mZS9-SNYeyAUljW*DiyP%Bc@y z37?Oj$6J}Ees9R<;;>gr4P?gmx#IG!$T2|R*CgFz`n5iM55`MI$Wn1vKHywFefHO& z&paAG5?8uaxSrJj-TS)---C#^3^0;OM0XAJ6 z@nbd(^dM!=x#fUqbXTgD3V?&C=DimKNF*5`X*+@!+2;xLw1;(gF1$)PROHRG(;YdG4&~zPO;7Y5^OEgQ#ibPC(mSND?ja3UjOM7(tAX)Xt4Ksx7= znf5$NgR66eAoV9C_u~w8yq)Z@A{FMNhFn!+61a`bpTj#~5}!{?F=Fo5bUcl7Zp$rv z*xgArfH~;-KjxtQfHs@OfmB20VK1oB(wErgd*3ZMhwTQ9U_gm=cNc`_U?1kS-mDoa zh&6$mjt_pDS}gLM`&pB|ii&JEZSgwn3ip8)M`^{QphFoQuq8l&-_ zrCm{n>8+o?JI~x?&NY<7s&&1^Xo!>NsPqCBY$+05wbn9ZPu0Z5L6Yfmc95gTlX|qC zpLuLA-n{yZv8X%l6^kFlHC{0f#!FgaArp9^6wLTgqCiOYQ7JQh)!p+%d{QpF?8@x8 zaCggu8tjZBDIkHsHc=`Y+jLEd@fM)B zw$iu$3cAhi<=U6zuM9iPrF473Ej6V^iz3`3H9m9`q^i5#SC`j{{p?JKD4xBB8xD~!O83IV7V5j-FYp8b`bZ;mKlwsXU+3SNeCP_5g`46(fLF{ z#y1^XvC70zx;Wf8zv<{b?|iebXZSk2&eQ(eWTW!6m)I7)_w?|hyUGW~)j;oce4{Dd z1l^)R#q86l2CfgKL(ftl@s%_mO2fufpA(nR?71H+9yo&;0Rv-3E^x!Y{ga-IMG%Mk zrE$TRtF=%WyN+#O%AG38@aioJ!ml=sb_h{g#9CR-&>^9zqbRE06(sE`1WX4yIVZ@}|Fzr`wEADR+k@4~0}88gXJXLi_Y{ zSAOe@+|$4IB&ki2%YI6-{dc6J3xd0&ZiqU!;i?fzk~gfBvC_#aGVM=(i1V8bnJ=L8 zOXwA)p3I)GYb4(8VmNIr6#2-+70nN_Vx3elvh8PAhpx$p=mX~~%wGhL!O}&IpjPC& zf=qkAOO0=*!sg5q_?}|Kk_%D~)J7!t6qcCC^`xEWS4EZ|*Z+)?hb+(TaZ1O5BoPiQr0JTe+wbJ=y^n757dZLhi zO%tD0$CJ+E^Fa%+^`q`bU`@BL1HMFcVy)EzhpGzC@kRgN$H6hA@f~ z1RQFyBQ?dZl2_qNAy3J4yiqJN7b*A>uJ-C@wi2=;=S8k{-y6~urpzqoD=r!o#W0x+ zCmns7ataUwCWig5sL@bru67cu-MhvwkE}GQP;5sz-V576qKZTl#$@jw(2fZq08|0O z2vl8n9y>xi`0SM>AZ__HU3~^bK`b)_9FMr%06__XeG{xr+dX@tW*Vp;*8mJMj}dJm zI2A7|Qhv}f#3Q@Hg!x#e?yPs>GZNL?ZUXdv_T|ariz&5mzC!kw>12pZLpLPbd>SBQ z)))p94&1F%w$BRQgz^x%T#}%QrvWJ$!^+lcKPHvq5Az%B&Chsdzoa@^XWTS+mOm)v z1H97-bzktzOjh@^0?&bhhcVQ^WdRdSd!hvwT@TnS>`@!*AsY&CAX6Qq+=M>RhysBz zeBbpKK?3J8;k~#BhBu-(TuD5yYQEiEq|!(d9P_OP0%MayF~!F=`a$4|cW2?Zi-XFMcDp#8mt(O{_!>n0y1;zh7DTA zV2=%({bs1lGgYe%rpgEWWP3$USB*=z*uz@T=OZ=5LQ_n0!w&Z!Y~Ef2BN2J7ZAOru zp%rE0e#>q+Pw!MLhi~`ii3)}|$<`gjZf_!#rEZV?=<%)hF!X3JuYeZCkSrtLg?>F~_dC0-Jw0xDq*PhB!Sr{ zS@SDlN~s6eu(dur&U2{>?s^@iA4!`N22qs>b_RMmmfW5sn|*b_)7-4yQ%#Jim`hF3 zheQNkPv*a(OK0ejf6S5u?U(Lez6(>^OeBnhy;tG2rKLe|pU0p5ir|hly!w=G2KpLF z{UgEG9)tE)w-q8hAOw;4ON3k5=0}O|ew49(`W0}t96`!~%?JnI92*_dfIb5O z0YZ_;%R8EUic@+UQCu}HRFAJd=Uorx05y*?9pVJ*13v9VjZ05Qc_fKz)qY3wSa73U z0)QVbDY#>4<{T52Fstw?aK)j~XE|()E=mZuJ4wH;sHWj)OilD>b;GD~b(P4Ttm5>I z14qqWa7^etIIiffk%O_zR14{DC^}Y%_gVH z9NTFDQV^OjF`d=iAStu+e*IUQJ_+M`Mm#aQtm--9%dcKTrHmDf^^v<-tq|TOCT?De zT9wvc8)12D2!R%WN^;POeEvGGKA=F^<$5e_if!*aqWaTROBWWG?nJn5PcBa$Rq0~C z(|XFIQoC0M@8_Z+^fJFNN%|U-+$T$3U+Em^%%P}!eNk~5)!*oh3KE8lUg9j&5Emc*NPZZzqzTM`dEC=#^YuM1IZbZzSHfWNKP;&j|^56hN zdLg)jXduO4F#6_f$0WR7)1% zj^itJ+Wp(v!ma|AT1x-3uRzF2!@}+1kQI=rw|u(_T-;tC&S?OL^paPPXt!S_&>b!K zRb%iy)s_WjPG|HUdR+YqodaQlit}2ltp}A&h#52jaS%aUsYXuCns)D}szxlq6W^|G z9pSLyOTf7ZXTyrs7BFU(ZDLUEu zWVSwR^>M9=U3yBfyq4689d}E&dbU4N>Cny-3%9;gk&&t69=3#>;ZlZZx%7}I90c!(3-(ABcI=D34JUt1t*U9$=ybH%BAt(iG4Ei8e9(3VGaW6!*+v5+hf+FuQ25gYpaCVzz+RD`VrF;O>ICCXH&+rU}OtZ ziX?$5eOx5x(>^SER53PGam_KWD{UHH&xT{F$j>kQaATmS6k_F?<%^YvjLnor0z==zb5%yVq`OnFg>t$d#U7LYu=OAk7Pl4+GyrY^>Jo=RY;q%9eg%+|BsCnLfQ)OFP=kGA2*}Bjpk5n+Fqu+b zg6uj~c$lbXG8N`TL7ye(zH*a^*BU3ZdM_TiANvM*2Kjkc%(}FZeub!K^L(Bf;QRKc z{qL9BFl+2wj`YQiENAgvcRsI)BR+E~s_y(pGlZaU@rd*zJ!97&OTo$1R?zn5@M3MGB)AJ0hb^9>>iP)-gBBdVl zRM@cb&|?Gt-T|S0{S>@s?f^|&00PxI1&Ox-##I4!!)}^ZF(@@!?zNLG9MhbfEFje221s4dS z;mHU(H^nl>15KaWAwj#+xR;j*sZVdl+HiqT!4^iWt~a2CHXyY?f)<@XpYmFK{aVo7 zae?m? zdZY@Y?eB>CQI-tOLXFnM!e7+Y@>)98$N0tZg(1p!^+P;r`lAj)M)$%$W)l(cxyHze z|z_L1#P)(nsu0D858`?bS;%?x;I?*nmEBvo)P1MbFSOmFY&%STj=hk&`Q zi?;^-WEr4wiI?v5Cwl+ZRQLktg$;IfrT1a|o{~QXI(%IGzhJf9Tj>W8n`}5$F*o%5a5V-97BdpY?z~$~Fy%DMUeEuoxGLp15%tz--j^~A7t#}Ul z@R6c~bc`6)>**&_I0SM2?Q_ZVDb`&D=8x_3>LsB@`mNZXQZm`vg>W5`Pbrhz%dqYx zZ`|$aw=cjP_-R<#a?3d6g$GFa?%BwW^TQ!e*!g;zH5MvS1h{7FbuV##tpQ?Y>ffuV zw?Lwt;|EcAY6OFCnT5Rws0ZGN^GA6i?Wn+l&oH&!d|)EzJS~XuBI*3v&D4veo{4!T ze3BJR391Ak-qcvBn3`OA&i2!6 z$8`) zrM~b_S_0e}qB4U&?#OP64Q>Y=ZZupQ1&xe;v?iKLm( z=vn)Sj3n+4xoH`v>7Q{ucrNL5N=Lg~Kj`KxRvKG)I><~{csj0_>UhQ0jOqPzzz<*c ze<6t{#)4zR(to(-4rhEmiP0*p(cNI$))p1s{6;iu71iWCviJ+LdUdq-C+S-a`7jUr zbs>q15@ z&%zqbx2HVtO|M+Gvu}e67KQI&amuqayU5#>!t$I?JY#XVu*t57HL?Ti)u!CQi@+wM zem~h(ZwVl0r85D1t82ix_AMHKboWK%uSc+~xR)kX+xO4S4tpD@uf|-oB0+pO!A9g7 z1b-4n!+1u8{mm0RNchsZhLqTyj+P@7Sm~A10AE>W?Te2jmKw2gmg_3)>zyWGI@Ub* zFESU^#_KE*9&6IwKlteHAWO54qtogSdgY2zgZ zLJDMfWpj`3K9qSJdvXiuiIC zTIuJg5{92y#Ljmw00`@I$1GnKT+&cxLMAW)w#$8{MpnhRADqXiQINVamIhOt1V))E z+m%{3aYSQV+kRmOa!19-loEG5eF*8m`i%?gAvg6|TE-nr=3smoL6x3>7mD4`i-q;u zS+e!XUe#FMM6A{7OiwbdA(c?&JNc-0AOE~~4C$sQixH|%f3+SLbiYH6BH&FhOcg6H z>hEWV)b+c39HlVsP03kw^A_t6#olb^M|JI6 z3=A&4J!Gp;K*7aaxdo*Nq)I zfDcan^ZAaER?U}*S3+O8Pz}P0Q8?XQ?u-i^dxGyydd$Uqwe(Jd8{&ATDpGw2J2Y`t zkfSHxfqT;Wn}NuGr)d6!nbp7t6_gA!h4g`e>zU52P$r6B}0?)KZh=VRGOQGJ>%!S)YJ( zopm5ppN?T=RH_VpC+PyJ@~c)vBV4B5l54wE4S8`{WXD=OuB^^g++X%OwBqSU+5(U7 zmc~#-HcUrhNN%N912osiQqyAYFhro&3$FbA4`bC~_CjXUfd(dgn@}DSIrLDk&y1HB75Dgmz0GIy>h&|o zmRO?`$rd!G9u;xgqLRo!Z>XkSHK-yZte@B5M)D*Xyfl3sMyVW(|7?GZ$~MW?Jl9k7!}q=*H)n?a`)%LEdq|ae z%v z0~wNGB}<0Mf3aDC^u4;DT=YSEeA@F*C`uiv6O^&u&XfSX{7r~^4(aa zbtQ#wk{;r;Ft)gObfV*!k_^fEkJUn+>nIAX*pL(=m~QOT{z|9OLVuX>Qn0@7y^2;C z0dv^ckoXIIlce(%u6tU@mZESw&yeuQvTTpXYClpQtzz)o#MGCKJ=*vkaSq#QQjfWE zx~ah*u=AC6lpUAgcgmxU7K=SlLDfw%3={8 znm7&Tz7@q9jrqzPX9C2{BvstSC^r)m1LPfiF)?(KmTHIzF2-$Vzx)E3*JFl&zY$+&*wC=V#w z1I=SA$^j1s?aNA>b&_K7I|J5R(%CBxlVu(5X>)sDz{eqX4HPZ$I$f-NRsWUR&q`AZ86y*Dv9d{43$>xJZEjX{V}W2P$j%c{ zqUslj-zwy~(rrv;v^hh(UiJi^S#Hl#d|f<+HCMk}&|TovEz({#zZGb$?s5bIf01vN zEgs$!$}%mGjp--@ER6Eo=&*lP+W)Utc{pw+&dN^!`E&vT0q1(2U-|@ry0Puo7T-m5 z;V;wC-DQQ6p9>K$<+>;)Q*)SXa^h1diG(^Pno83rYm2yUvlCy7Y+AJeNMj@gXU+@0 zeU1>*V-@_5raMW!!m^Ps6gt0KsC;$~s>Pzu9%5;W3d zhvyogfz=7_e#ZwY&1){si!>yTjeNS9EAzY}b)46J?vuh{)cx*}>2Ib2Fu2aCBi%C( z1TYI3Le#uo8|Cidz`9fx){se}oSj^%3Y(Y@dCcE77IEw*;UZ(X^=9>vNVKeZK}ivIB(7> zjqFw+YSrWSK<&r8-PpueyVhAr=#DM|*i49=pWl!wIvpKmHUf8$CHfw{pAxw6F5tFg z>bM70cQZ>!6Popc=#}jfQZygJNw zd(i0OyS{6$+#dnnlNo|P+`mCDwhCp$CI4cW9gwU0kg&C4mr)I($jUTTf9}!D`C%97 zR{#^7T@Dx__W~Drc7XBMe4n&kwS4>POdlB$NZN-o8p-uPtLl7^pE7RQI{44|7#AVk ze5U6WSnK{l_e)%VO0~WAKLe49pU{tRSW?&Q9Kia}!3mJs_krTI5Fnx0XEYu^0q&6z-} zgRyXM#-S{6kVT2gfIOOP+pdhZL)h&%fABDkqQgPvU@4u*a_?Ru9>L})<^t*~;jM@x zBC6d9Q5$7mIeeJ*0(vLl>6WAf>-82qoKIQ)vWF1UEO>QblX#Z&hioZv`g9w@c^?XrXGe#qzw$z4gt~ z7yR!7kmya=5&T#4;FE#Sroh8PFQ70cd<@7yD)L2~0|e9Fe(RAMJE;_>5ha`rC|#97 z467ub{CS=T%=5?Aqe3}D;31&%kR+J+*Yu{u?YWxVlcVT&9}m40C8W4V>x=8zKp)|% zNx64f=7kBEcgacS^x)EGvquBu=opVGJ`XoF!5cln>?P76($V|xR91AErqpKPD4j}hVR zG~aa|2HTU>R%m2WKZMi&#yybhBJM7X)!jQ905s6_uHAQEJ7M*q0g`6=C-4yH+$Eo! z2JW?8K;lH{4OlWG{Mb)_mAtRE)1O+Z-4D1OUWZUf{27uEf3Vf7w+f6(#!b|DK;p2| ze)FbNWh`#;baOevF5` zoZSM8>GSgcoCTrdu4j54fu$dGYd=-|RZ8W0HTi$|`s%1C+jZ}uyGyz|ML~C-XZ~<$%$-kbu&3OH ziSQiu1HVbnX^*#kze%sfd~pynZzq_;RS!MSylDZ0J6NAC6(9q%?<$uPdEr zehwmjI4~MCN?AC@z(&WJ`7{E`%N?BfP>K$ZEZoZBHs!i#l09iuyi7^9zXxVVfGHqP!lbZL%68N&>#vZLCU?gw|4hGl&z)c)s4y_V*C_WmSg^Q;l z17AmwUvsWZAOk$TvVJ|S#C?+g^j^k>wo5vjrwns7qbMd1TT_wQgD`0Qv?Kj*0I6UP zI~;ZA$NFB&PAV7 zK563OnJ>QNm>v-{qZR(UE-2s$*IK4kqMB3W_lSUdh|j6;`-a0#v%T+E^RG%OWO7?> z%s)IO;oL%-qWaV})BejV0A)cAY{Jb{fe+WSy5qo`^*{!uTdaHcP@~$2!s{KM^Lx+W z2K!AHa?<^>m)lY;TSO$+4r^`F!-~#sf=Ls?lW)sh=8=}CbTvmAG3!6;B46uHOEqiF zLI!RZ7NC{+VB0Z;9KoQ@!}}8%44qrT{+k-!#k6bP#m`BjN+5?k;on=!rr%Xuc(9`% zRvP*PJGo1V81nyL-Sm&2U5=vz4_$0og#WJw)P-?-%J$$sBzOlcKoxU<@C`|8Vto#k zP^8zv>=B&ZLQ;4Iw_+uiHIua3o8{T5zU2d-!Jzo(hi0_uICp^9izJW^u2v4^6{hVr z?b2vb4UbpaJseF7IPb%$P~9}__(o&3lz{((lh5wnBhk;dsKOqr-On$HIpQgdtB%Ea z5tfL%#7ScLIw4*t6!a~;>`4GpN|A#`XmCkC5S1R#fO|w}J3N+$cWKLcwyx$U&U`vL zC}MCnlyCizYZc;WINE}s=<3&l?GVh4CkGJ-eMKf?QCihcCm2r+ z?X~VAg6uz}cl&`Zoaby)Qc3G*{gh4}+KKVDD;Sa$eZY}amrpStP{c2d#>jzY1Y(O6 zTxPpC7C-SRe1mIZQ0{=>;=Qcbdw4|K*rf6G)fO}ob6}}Szj;<%U-S8fVW#JT*YpRL zPA~NU$k^lPXPE_w?h_wy!`i`w7mbSa z15Pgm^U-ux%u6R-3V+ctP?GH=JKW9Jpk5!88*L3Vv1sHFPE1%!+oHcI#gMFaOipvKNJ`FV>Bo8zlbKRu|Xpr@MTeu##XG^!WwYP^EDN z2%morYlXf&U+#}3V7_B)GBM=9MCuNBvU|YMs8*RV$5k#4HnvCa_7zKO>$@WOFp{~o zUjmr5!|vX*td8>;WBaa7vIy>y9|WL?%DT4Q{BK3nO&utrWajT(o%#cW^gOtaQ$!sy zYuw2FJ=*tmf|i^yd!I11*^q z7o91;ArrBGFjh=wAooaVP7|LcAbAdT-6uaCwe?dukw51QJd>h594T6-|_l6-{1 zQg$jTvX47Lxe_dzd#>YnPgvZd@1F~d#6E}k2v~l*{e|HJF)Q^x5G;o!#L0ESHk@p- z1+y(d$_eBE<(2gdc|5$pXGN7027%E+#GuA#$Z#SEVKo*D!H-WMt#Z>_Ne~y<^|ul; zf>q>Kr15@Ede`-n{PHk@;;(9}q|R3#B>jXPjlhs2=(R z+WgK;ke$Lx55Z;OK9!%ni~sib#2=^qM~mXT#m9dhCOjfDpR#{PtDrCv5z%Q)Df$qN zv$2vxfX$wgl!J}!fr9M-gq)I%r}|+h?E{IRoCoZ00x|f?Sw0Q4^H`q;!?}3ot^Bv= z3#A&K{k}RoYk#%$VYslRxI`TJT&9YEp`)rByRzOrnG1=qk@2xf1wkj zxpvCl|6-mE43?yx5LZ&=Y}ea2WMEUa18>_tr>L9Yn|JL>KS+Q=zZ1@2_I@l7Lfv!3 z2YUpe^6gN|@-C?lmbm=*$Ef3h59IjhJ95WKp1wyNqo@q1lNwX@8!90Hhf1UE9fu2*goU{P;M32?&uQaoI#E8a?0vbBw^1iF?fAY* z_ypvDh_ut+!tuYFU5HzhzSJqA0Vevy3Qm`%NaOxIZO8*n`L25n1W(6t)UqA+c{^KM z$H#n+lyLn?F-a6WE}vd<1$q@b#rpaD@ zttE5*nAQQBYA-yR>{T*m&yW&^kmwYWTfBo@#PV->_>HPLqb0{osy&Y=;;mLIC;2G6 z4wTeY-X6u1J<`H;(J&0-izVQV>(;j}k6fn1D%R`DpjaYRH>5K#L?%TG940@UY&3xEgOhn8MJVM)ZZw z1~C@|RV3@-!a)$3EoWIJVq^B&DaK%ln=9zL{u=1MRSQhyRJQL)$Wr%KKI`q4#x%A8 zbJ@6n(&I{1ESpiH5@rVu1^h$hS&Qix0`nN1SHJcHXo7($<@6KXNM)f>z-vi0lhrq- zhs}@#p7-D$B@02GKmY*R2f@~%!GuCcjVJB99)EW2bV4sDn=Ht(_%&P`b6u_toV+}( zX<-?#bz^G`O$<2sb{WICL#y zRwzt^^yit$PX5%+c#S?ld=N5oi-jLD0AYvLE2lg^+nH|uusGrTTB7Pw7V^&3!Z`Fv z?(y2Up{rFJSt3+p1ED-6e!4Cz5}WAB4>js!LP*jrTYDPH}4GvL7O#p z&2bQQS`uqRgej}rmpq~`;iGnH!Q{+ z3^7`aFcPtU5bITJ#{R-#qOKBvV2^VVd4wRCf6GMMtu!r`G#;H@t4_jffBZvS288;B zxwhUIoE^<(_IF*zdFwc3wJ|K)NW#K=kAgO(8tl#kyLo63nOjl-a1Wj7i&p53-jB zeookK{j89wkf|-6x5;o?N*Vq144K9q*tkFy

        OatDng zn%5gk;mqHSQ~KXi?L)Gpif|)Tpc$|4zpFwFAcU>cDG9@oLU4z9+5+JfHm+nb6;EB| z6<9lEztpXVqX+`e53DMA&+)p>5Z#>d#h#fsFI)$nESa zyO-VXv_p5-YIgp#SU0)0)t&F~aAkR3>fe)qB-{mA&#gr1J6+%4lzhMko7mTykpow5$znX-$IUH0!6s7@=C0X15-@YtbPj-Ne> zhpj#qIa^DTBrY597~MF13=sKfzc@O}F4<|m0xg8f_ODB_pnYz8vRA-HRRwnbsj3XB zKRtdyw>?(`u(BMGD zIELaafEY(ho2&yRd>ogMY$c8W^U!4#u5b^{UNmW)n}aFjlD=<#5YBz#2RG+}%#%Mf ze7f1?%k8^VZt^%ay>OEWQ)8hKC-7vKZZ&Pmyw(Bc`*Gd96zp4Bq+@A3rT7*28s&mT z_}T#>JsH%NQ3*1-0s2LjFGv2 z93ccn7$T<#7JY2hWN&S3Kkue#{i{qc5fi^ItxfU*{F}IO79p% zN)SMA{jv>m1$Ir}E5pQi5KX<8wELOG`{jzM`B8H=+lA`yE)UHEd+tonp7{w>3pTCT zPP^PSmU%shAMKDW>9Og$YjWx8V~C$t0d*R)`u^??w<*7$#7hymewJE{&ZjXHm8yML zbfnf~va|(EXR^phLelw14Km5sOSk2ct9Q`Sp1o0!kx=!fm6W$wx>Lc=^b%bSWf2@rb zsos{1aab_+>!AAIim!jJK#@%G5l&JPc5V>=*H^B{{5#a{g;yZu-vahDW1f2unaJDV za}&>zMSn7;v$27N`mZSFQtaf)ggozz=chfG60s*OkXicaeXzE4&KZsz)W2ZQ5MwK+ zQn5Twm6yS1ClXawck%({mfR}I9^W^4Ol9);Z&sdl7G{kzkzdG*jttZABiZty7itAi zb7Ec)u@}2ehm~j<6&x=XvZP{ij*8e*-g4BahrW28!ep7>$C)LW&uw`(%HxQ;l&1}0 zf~DtcCO62*+|4VWbFVzI<|2HEN6DKt%kHzsS3HWXb*xF}0Xh$s`2?!H=|@sTz-3(U zLZaH$WpHWb?}aIaxCfZ-Is$0hEv6HF23YAyBn~Q>V_-~lu7CIEySKShSo7x(nZK69 zv{A=Fw`)!8Nu=l^`U?Rj$UJ}jrIL{Mv;+0f%fR)d=?=!$7xj`>>RO=KRp2M0L_0La zJL%Qe!yxX>NNVUKSpEOi!hgMvPO%>f=?XH0G$ENA5X3JEVmCJ&SR9@|*F_g!5O25e z9K~DqrI?jT?}#X8k5o%Z&Tf{mCoe64+6R}yQT<#fqXUlFF~%R5nks4EUD7;tM1fr~ zhU2c4N9Gvi$4QUP&)fkIXVz;qKguf~2*Ndz0_VVca1K!EI#aT};}baI6;rRF;>vO{ z?^`m09`t*dlX)gkvRj%T87&9n^mXCz22!d?A{+VQpLyZJdpMJ8&v!o}IfErlhV_?8 z10$j?N_5G!rSn(cD>?KDw8k=!W$sx8Gg9Mhgq?kQpP6w`!v7m$+Dmxxj@{+xou!h!_xsmUuN5JSWhY~O)#(+; zR#)c$eJ?LiBT0{f-$7b;IfVwH(8?Pa-3t3(P02s^1*&Dyq(Gg`^t12JWIt{-ge!sm zgbaN@gg^mzC*iRaiDOBd{@M zsWGaDq>Dr?ZRPV^3Z8tpeKD~*`+O()wnF2HPKu!qIk&v%pvD7+2e*y{gqLE~-q3>@ zDzPi5+M_JVHHeDY*j739F4Y@7PLlvAm2g0Y_Ir65hCIc0=LTtuv3KJ=RLfVoT!tP> zx%v(XTMorDKp%4<57da4_>2x7LRibUN@_zAiS=%J@jf)XI2iVdh88)UuPC%GZO=Xb z;70`f4yC4Poj%+y2Psof>w4h&8AotT@b^CL)=!98>-TJV`DY(nL2cl4@(#7E|JKsI z-9qiD#~n()Qig+|zcxnm|MMxcNVh>A(ExM|j?dS>_p!~lEkVT?x|z`QD8g{Rl3{+2 zI7k7hJ(7}Ks^wz@(RnT)wI};P=YS`$k3aBmfGQ_W#vlNBpp=v^S)NKwbJ2*OZUyBF z#Yr;`gonDOY9Hn;SDqqFk5aWJS^17i0?a45L^s})G8nu;*O!VAq1SrL_taucht+^u zjz7cYut({G0q&vt5Rp!Bk1(4h$Ml49JJhuinb$``5`M(3xzv^MWy#1+^;+G|0_u7r z@%=JaxwSAmz?XHx@IzP$>Q*ya$eR5z(%BtKP=kuPH1(db4kr4PT8I)x=;wM^;{Qvd z`}Z}KLqTL7aIrdF2z4f#`jbfARz!WnD65-ksXE{9AQ>r!eK3xqzUc+;Fy{RU*OEY=_B zHNw1lZB`%o_1+oMz+$!6XooHqCUzO+NpAIhLBzo9q>@gS ze85s!ik9C1yOx6T5e-TC30Z5Rs!AjAn4Vly68)R^WLR5o@^}XIyAmHQv6|zTXP}eh zLC5$AnFcGX^=Xrwe99OGxe4DjFC{6p;?f>O(oCnNgr~B~dnVW?q{*aUzccTNCs32~ zB%M50Q!*KcuCgY~iv~G;&%QY+R34U5%J85oz-EZJtLgUI@;^WMi_c&odVhYD{$FmC z=O!2y=!a>hPd~eYc!~wijpKO_88Tvz2k6y!?tS97*g|pKIfBAFIq?b~+zQC=OV#vH zLmy!!=@8NAqE~ZnsuXp-IZ)`0#?562F?k2imKsV=fa;3@jZ9uT-=F{4hJa>U?l zTBILkd`UI$FlkDp)nhN>6@a(q!RqRNj4Jiq9*_ z$_VbS2@vlMT0$}$%s5;Zj{{GbJo@Y2uDY=f>F|$`F9x`%RIg&?m$3m$pJo51b5>vD;gR({W0?VaXx|hP=`k2W=4!=hm1<)0v zR^4Oo*N*>X)fJ&uUC~$82*75nsYWSoGQ?dBUtVq&I)Uu-69q3>;IUY<517Hzs35)_ zkj?UK{} zra^RVI!do+kaTaDa7^N^t;7I{ehB%GO$Y-uqmL>qs8PMg8rhqAz91*SnBhHpYDv=qh7xF~VNAxvM6 zOhoHqmoiUIlT1xNNq{@_xJeCI!DNRBI^b^@@`J*IU-0Q4Jk+~sE+9PMW03daBxs=e zoKzO_w%1S%Q{P&Zs-Uwu5&w&Ubl-FoA5;3#C$Y{aJTz=&ssZN!uyq>x2sO{wm+B4Y z@37ayS#=*r6e1H=$hg>uP5fjLsDo~&bhSt3VPq6{u_*C*rae^!OdW)(?S zAFF_Jvm{q=-TOa}h4`F1gP{7G&rXC0CR9*dJi;M?kvCWb)gWw?@3KWE6HtJrfkIVA zYeiz#H5tWhSnfu4i;JX+9ZUvZPgY6p`wYLX21ZRzd{nzqMrlHOeJJGBkzwSgkyWM* zo;{Z?jr4o9%eR}}?>2XR3g$a(Vp|G=Zy-yk#PeyCCq;Q9jV08k9>|hG(GmTwBBM z)umH;i|_#M?5vV-HYOSJMd_vFH+L^XoyWuv;R|a)nte;fnh4!nK1(V>Aq0B_gj5$w zQTlY|iO3|y_7p~%B#n0Uit5jr>ICvWYS<3jF^?l9&=Xm)iVp^QNOZ}FDHWFbdc>E& z5@<|P3B?k6a4&@D5%K zQstKlNo4lcZTITysk7%Hq*c#t4$CnP4Dio91*#T7Tk8!mbJSheczHJW&+G5srsf-3 z;H_?JrS~Mf04=bSk)@AAJ!oc>`E^l%PT}-CaHE(8$SAEtdChm}Y2tf32`Fmc=n<2T z7I*hkf@nKq*LS>zd;wsUuII(a>tu&duFUd>nNAvAnm5kvn6He_GWY%dY9FgJU(WDm z+;z7Eb~z;u!oH)?)qONh7c-kpdEmvG(kzF3&T+>L?WK7%-j_s~_1fV}W@r3-=|G;i1{&QsFIRE3Z$9j=mVlBB{dc-1Zkm)KCK^;k6B%5TGrmX5Zjy0pbpDva6Qp)9|IlEdqIyd(*~hCb}dD~ zxsq>d6WGH#rhnpoL~YjPJp1$d_k#Sa1I>h;ql7`(@nhp3nUQYgYTH`~%UX*ScfCEK zG0noW8D)QqhiL{rdxb8qvo?P>z}u8?f*D>tqG3F?>j%)-TQ>kDP6Oy%!Xj#Sl_3Fp z=FHh5h64L>ovAHjgpr2Du+*AR5EN-F0T7x%T=iCA2JJA6okW1xB0Ro@m#M>_-)TWu={2=_;Zr%$@@e!w@MQ;Lt>NtMdk)A0``a zaw;vc@{unMD2Arl{=YRKPpQ9xplT*1x6uS{@OgzaPgSR%^#NGALG~W zGZ|!EZO&vlU0#=X?K?IT7ysBtRU&|vgy~G|PmQ;e|6n?OZ z*|EZ(P-z&_S)Yf`5{|FH$3qp;m?rwzlaDun)~1gR#S zzP!vv7wpNp1^1mH98V+dEY4_Kwdfgr#1#4S6)QY-ne7H8WY@o#}``e{GO3T-)xc zwp23V!zZxyy;mZAE>1n&VlKKq8kveO4JiO`07vI~J#T<-`1*z0@SW>0!=_hvEN~3A zzR+#ln?H;j@CDAJj`#K&?NaT(18jJtUVGd2g9z1+ZH3m)9yA5dXaPzYYtlO__~Y!m z2c$PxkCc8g!9%NC3-5KWcq5xlY)Jka=8khpl4qNn9xxShOEra7(v;<<-grXQi=Jpg zTqZNimB@I>)d~;uvEr|AW;rD3CTF%tDv{3*3d^O>DL9j)NcH%k#H0hOgDCmc&wjBm zp$L2(W3$^9CFDGz_|Fy0w;f3znyj#?c;<0y1+cmfg;Pk%!pT{O|VkUtl6R{pWh&k3)^)wJ$p0 z1^{Q$%2Fjb(-V(y?iG5cy)&6l&Ez)em=Ce6h0-MP7E1zM&++sT;i?zWcW>wK#= z;KO-mM#i6Mm~J-R9dP!h0W9!du>O{Y&bOk-xG{-=%fUa$;Xl2vdVviP?Nu477`z*WG6ye`H_P!}&_=-Jw17)hI`h*GmLe zJQI2iwtUz5*1BbZbDcd$%Sq(Pa50B zZWOv-00$hh>o%=9<}BSO;IoJpg`Wev>d_tj?90b7YqSMrCdFnr`I#}EiAVK&CvGIcwni$zzB|E^uURmI<$^HYn}CJK)=`79?np;!bmRTCFaCthu-3 zk|@`!<=%5KP^QH@xdKk6wabhZY6Oa(haIPSi_JVJ^cKX_gU*>Kg+U2~d zAL|&CS;#A~N8FezpR8TYXG&}U7KKnHNd)&l36fXdhbM51S38v~9fK`S8bMz0qLGi@ z)A?ovSZ*Gt2Z|M}nV`FH(SIqADthCEXY|ptDeSQ`GUWNAzQbJCjE8WNu4PKjeAeXJ z0iE_Pdfrql;mwo|`%VGc10JUIh6s4BD1uMWhsW(;?QR70=j0J0yp*uJG0c^2wc?0} z`Dd_jw-kz1z}D9L2~(a(8Fk)8y_cobz6I`a8D6|2|Ve1qPVtW3uzsGjJX+4Wx$+%Nv-NocB zavk(!xVLT(dI@{`E?mv0?}Ea^X9|^=s`$)D0b$~tpIWUU)WkvJW;P-1%c@W9{(IUf z8<+1ZfsG7I)R`TIQ=<1vdREzjdSCwJBZ=~X!h7cC%ei$qnjkr6^S4&RC@Z2TRHCut z;w;oz%&=!Vza+S&+U6uKF_Cy1kyw7zog|Wru&HO`$S3J2-3l{J;&>yMZ>8u?8{~2C z@ipKP8mG+-A75(!Ink!bN)Cudy1jU?ws5`oswOv1nh)bd_W{g&Qwc5e@yEd@6)D?5 z=an(?XXdCna|L+l+641~e7J%7F5!T~=xN|LkO>&n78FOB_g+2oOM`}0R)=Pg=NJjp zjqMj;@*w1ImgTF#ph7GbUV)Z%Guv@(hS|0f)Ia|C;ji`idM5>kT3MKvGUh;xTr1u$ zzvFM7ggN3RY_#qH#~JJ%U(lnLYJL+f3haO05Bzhb%*IxLi;{37E9{v4D$VV46l#_?xi8Dm4A`q}{5H|ng3Av)DhKHm=L;mK^dqk>^@ z`K7py5d*PHcfODJWqFCzQI$nBXa$!h3ojjmsZyC*l19i*(wH5=Ny2oXZq9FU(C=bT z2K+WdfZryAO;S)c@Z02-N8qi~rN031vMQpXIzs10UBl1Rup7*vj7;39*zXt6p$D9MCj;deG$rt$-^(~%l3tr(GT}&tBuTq*j3+SF!Uy3cKoR$| zo8Z!~A%aHiw*8pOHz3_OVqM>v{?B#jBHa@doLx7*P^q6Th&$U?({Vl95leuCs8xpb z+A>E^!Jb!sz_jrR$I|MQgxFUiux&2TT}+KBs|oA`LWPL$X$_jM-BPzHrO)-YRra?m*?R>g`swx2jrI}Z%qLN)BoTds*1uRx zr#iPt4DVJpq1N#jnFU9JZ7NFv34>FcY_G>XkjKn z>CwH$KgJ@qw^J^GJwx7kb$XjXTGPVkXPI?H(Q;MDg0nDjK>?Og%i5eMgF=+t%{07b z6~YjF${leQ=b$ztW-SQM#S$-#6*O-Y5lWhLdoIzz7H9_8i`{n~G8(h2HRYCBOW~9x z{W-PzLnYXfAny-%%y5$^=XrEujkRGpLX#-JnrBH~-5}7Jf99_ftepqi{9tG0GS+hI*>E< zKmEDcl7DN}DQhUlJ{^iBS%fdXdF znKQI{*)w`@tO)w69G9WtlCUuELtt-UAPMlpLDuh9r@7zQGH%I zHZ^>{uw>jO+&AfuIGIL{JjU!Txgw&tb37h125YBpF8VPwQQLxP@;eNJg$XktLMhLs z@*%^ETJ(3kgqHbeGTfy}mB#q&407e18k>z_rJ5E!xgH{#-R`_Zeg`a8o=5tYtE?UH z3KwXZ05ZgrXMZtPX0e<{-noyawaLnxE2dV0BwyEO%uh`}nsg+MBN(ouVCGC^OjS2| z&dT@oQP5+bJ~fG@BZ_czRraQ?jBws8$wN|-O;gVhHR_|L+XpPcF6K~gcF;)i6HW5b z_|2JTU{^9Ok@^i#4^~ts#34DAE_y1EcY$nL6rl9mrg?2f-ABiU3uQE!sK5qAa}rO3TWZg>*ri^!9v@M zziTwyv}8>LZdJO`*@?r%1m>k;Cn3>P5JTewa@BCRX-Fzz5*YKV?!FXmaaEiW%1Y!X z$QRI=4b>`*w2lnM;wZv}1+RVtBSo2jal8@gci(uwMThd1rc(wPREB)9m9tAr){^EG z%A?mMTf`&{-o-@QWC%na`qb8$vgcSZ(aN0ggH?0{$?3W^^(?he*{q!aORRSDaPqUp ztg?A$#DH}dvF*oG&~v>y*~WYlqHNIaNxN^et8UiW1xz(YNNYh`=+v^)?fdn?Q?rR; z-;dhzfN{5c7MhYSkuG!#Bg|$FUlK!yo?2<^tM}uw8fx!R?8SRCX42d_>o`m^rN08+ zorQ%;?om`nGz^nCLoob-lSf}hCQ#LR21!}QWER&-4P{@pj1(#e3>4hJ+#r?4=sHSQ ztn%}BKxt*l^edDJ6ek}B+ekf>XsfPyAh)TjmM(zPM}paANTF+D2La=tFQWo8j0v(Q z04R{{hDrv(`AlrwoV?t}+GK}izOz0V>C2&2qj*NmUZ|2HKe%cP(!B4gy2MW)1>#H6TdA~QQ zCjF3Bt7pxd1w0hil!ovJXYFK$_DwN2WG;@dQr6O+o)OJZP_jUcJS=K0+-dv`QePMT z#=Z`zd!U&)TmSLIV)n%j*ELO(+fan&+U#^W{Zn*uPR4D<4SIyEX|1^QEYC3oy4%nC zGNCPzQcvAd>-c2GS#jmI3VJsb4M1@;!0cRZ)jROspT)lwN!z{^@#&0O?Vg<1P5Rvg3E0u^k3p| zmNbH(XL93b8?%C^S7BAHd)e)Dw;-e>$G?$PeG|2d`Iw>@{Jm)3K~e}30GP8ieXsm1*;gZqD5tKDSU}H0Uqb5b@aB(d#AsUExENAT*A37k7DMAm^ zQ-3+sAofh!YSMXs{JKplb6-ETdUBTp8DKcNwQ~5wM$|tNmLoRkfSeZ+uNa+_f4O~(5&?ia|>K5LZWu=o1|jB zENKYvc5aCv7)ir&#f?^la7N*}(4*3xG0UsmxDAyb7%0lQ4VfAU8xsIQRMmCfFD)a7 z{ysPZi)_(AvqlV$lmY7OaQ`GkOv68aIB zaAKP~>=hcOiAT$MqwoMkVYpSCTHeChYu*BYY%al)=4-@zj26sss&n$X3Zl3;GV7U)?WVWZ;#vG%CW zwbl`SM{_nez5_6T`qk{eew~``_a4QWI-7FWbiEQoI|LH&?~)5@%t78`02wa#5Kwjy z`|A++k^8Ly$00Xx`8A%)c&idTfMrF6QXo=^m$YK{t|sMHp>stLz$jvH-c*HJ1ncb) zh1VBg*QqBm08 z6Oo*O$m7X?2WwoU$Y1dOS&Y5VkSkx+9#`WM1zFq0cgqo!&sIY>)< zAABh1q+mKkq?>pD5OFm{upTBdS4*Z5f7x2<+0qbrAxUI}nn;wl%if*rd@&BY))CC` ztM-1sM=;WZjW}eD@_GIQOkHERy5EH?yIaXsMss~HYcCA8BCtUQ<;w>ZDm87VRP8<2 zQ#sRIDw`$dqKH`kUDNop4h>PI(7%vJN}*n@bw@u4>OFJyBG8?>A?+Q7X@mU1l~mon zf2LDS5f^bU{}}wqEdu@47L$=)KEer%DRjc_HzR=dECrX$slhnJ&YMDu6f`5Pk9I=M z6LV9mKe0hr(EYl#A1Nzn%WlKoimj=xPPJAR1RG>Z*b8b;g-(LSAcUcc2?nl~qchr> ze#HWnf2##H)1=LzOQECp^-cVt;piZMslTDTh;N|K&7@>Y`8gz|VshBy5=Fv_vv$&f!T*|BK{Xlt~XetwTeUl>YoZAAS zf`9~%jnVn(x{4ZGN81d_AM0HuLU>MW*{^SW8Qh%k(XUwMcfD+lpu_ZcEMxaRQzlFu zGMEol^*+s-x=$7ymmn0f!3vQ@f4|jEW@-O9+9MIBV2;6*(l;cOrEM0+<(~}aX)v-f zSe;LeZE1d@bY?NT{cFm7r=Ypu8I8k(g6nekr(`5jPYWGp$Df*+!g6Z$i%R~s9e=I= z1z^QtR5|*BasT>UjNp?BS3&JrrjMD)bnm}<`<;r?<6WyGYitXJsSL5lzD4W@*YUs?8y4XTu8Wf&hq^jIus z-QRvf%D7%S=V-7nEri$}#G9&W#fA_v~AaD(j>p7LkoXN~A$_#$U)rCw4Ya!L2*JT?BLOMKIl zlOp|O468LQ1;<8R*ay(LW@}Tg?dQ`T-{#jy&4ZmAm>iMI2OxAmbU#)s&ws(Irk)@J zrNS2WOR!&}iSLfoml1MKA(1iH;3_|=uU=v&o+kB5=&D=6abH1uj3fM*V`#1Ls59E? zq9+%{a1}t5k#RYFf6ih#(wh*e$g^TLPHb|RmFZ&r{z+#*ksJ*S>UsrH4Iz1WvqvX( zdm38-Ya1VV_?=@xlieRCP3m6oYufkp^DHq#gpqbf&*C$T-kMbmzd|fr9E8KDFAl}& z$ctJIm;GJM6Zy%0#XE;gGtxi(X{Kw>(QFP>q;R}yu4%tx?e=zhI5_LA&Xw*MJmv4yU7R0LjcS7~``|Kk#6 zKJUaqNHqVz*gkKI=u_XjzTB?J?jZ3!~k&}TY~GS-fM^vBY>cf0eF ze_RD@xO%YRFnX`1hXc|^ALhJxZ8~3d;$WOrH(}mV+*8@FT;=7jWqf~~n>wHq;gc%v zRH|XCtfdgx>58NbUbR{CVXfc&1*RPcXjGHpyoC;pKg=!uy1%zxyJw51r3ymVOU`6% z*H&YK`uO_fn~NIGz-z)H;wLV3W3J zlx6*CrQtA1=>~Qcq3@GWw!Ih|U_QoU-WsB4PQeWj{-usy6&b(g{t6^+u1pf=UCdSI z6vNgecAEKz_5=&6oyKe{8#y}X24of`l?ZwbI!1aGXWb` ztAU5GzEcc!G5QNZ4#WIkzxA+>j{SspV3Y2kbK%VTH3%9!c5sql*1!nJG+V!na1aI^ z+}<-SW;!M1lY@&Vo+I{8{5^aod?av;qTcbo!!vao?0@;mVRnJA_zYaVDULYo4SzMo zHf?D9#146$YNM}GvQCQ?S_6D^v8i(*OpyD_oih(;^IamduQCK@?&MtmdmqL&WepD_nVL%_>6HSKlus!kBQ zfVTV}k(m-KJz#wpyY6J@cKWmjHEVyIPgIYFn9d&e4LW};Jg*P=GUb@CYxz;gUNsm>}`D_GVq_&8@9B&i-<0Y7G;|Zm~22puxfNpy?8ytU(qURTG|^$H?jC6 zT*t`!)b1x6Ko1^6|7TL{^41}pq64M-2r=rcL$0V!q{7nbjbTmz* z0mQ1UUU=-8M>N9DORNm?4uC+Eq21{EkWZ)PNABlRLIYJS0~=2)TYU%I;9>H~Bo(aB zVw-skyo#b@CvffmN7q|NMfHDe|3iZ`C?PR4(g;eYbc2L+BO=}1-Q5xrf^-fc-6O$Ae2cyOty4R_FVxW=O5<#DkFdaWxZ5xMWdCgd z&h83O4K$6*Ml58Xb$RilbJQU`5!Cj8MzOU0~yHPEBE--SqBl`dkAMwOp`94P= zY~aJA&qY4C_r4>Df9)v|HvWYdd{(c=L;8!JRuNRb;@ep`jpx)sLa zxt~tZ8+ZA0T>?Hz9urF(IeFP+Yjc%`Y-Ut@Y`3lIk0!$aRF~RnsVmpOcX**@KuO1} z69y0$qOLz;{sbM9g<1mBK`gJ2cZK2!O)3o@_deN^a4#EO zc((XPlm#^GVmCMDFuLkBRQM3d8CSzEy*)C63#*1-i?VfNJIOwlP{>h$Oil4;zD4)# zRV6rLGl>SGz~8r(?&>hlkOellb0xF6bFfOIq4P%JdZ;WxLd&=wJu7Q2A}v)lOcCTK z334^VtGxNWStCmVX@Cp)jY_wo z@n!e^un3UoMe2z6Nmfr|koj-Cl|Ude&kn0Z+6eL8xmd>M|)qFG1im=80Vs`OvcR zzI`e<#u$06hZMyl*Vm|`4==an+0QR1I+|keWK{P_gz;h~Pk)Tu@w4W>f2hxQLTR0| zGN`ze`hp<|MRvLHdBASkTnboNSdx=oiX@LkRBs?GpzG(5qrq%8tr+WLBy-3NaNvuk z@n&B6qM5%ZK_DJlsNu&Rcck;G>fKnRNY)kaG3-{2_YUs#KPUW8gx1A-zf$g}EDt2T zaGg~oH(bzq@Nf8*vI&^n{8qJ!c=w9)&-R?uLye*%&jPMb4Mk(#=K$bTYwnV#wOS|R%aG=wwFxO{&JxUB}8D8iE^8mVd5f8i6om*cp zA-pF*7N!@Z;F;`@A_WXXl`jL%>;STGt$dh)`DNcnC4652sIMY!{7SEMfjYu8iQ*fWU#LJk>yIzy2a4EA5 zZ5p4KNFC8U4~*zTTdzOuI%Be-*e5WM4@zJm0+x^4UMY`FTeHcXMwK3ha+sJh&8AX| zU|8KPQ;gk1&zdo=?Ioz^-r=7*tibh( zaXHVKWtCT+_vZLDrVgp*ZEvtX6ZDQF`BI4K3DPSJ$v!z>ioL$$h0Ju8fcy%QZq8kS zv05g`SpK#|x4{}kA*cGsbM-6Bi{;4vacw$(_x&N`9a7TJJ+n9XEm}A^oaAL*GZ1Kc zjI;nBnIv!c3U@XCSt>=^0ST*=)y%xIxvyw8!5f-Y6IS0-?^C^QHDu90@j)a-dV6J( zmm;H$OY!yYCnoozvgpKS*1-J-3v1K)1&SxLteET7wPi0Deoh#EBp0R+Xg_NBqn%6U zQ|{rT{IKR_bGXm^=ST_SFxOka07h@x01P<#&~~VDf%F4&`cQZJx3`&B3@<}Co>#Id zrGrE*qqW4GnDh(x=0fMhdRwf%S4F}q8}Xe}1&8r%7JqHdEB0-5W_@m}a|bmY;{bD> z=+_3%KfuAxnPBW4D+4^{Wu!kqcXv-a$C8+l99-KAQ2+Hxde=rwSD zg9gBVP~84K$>D6TC-tv#MlM`$w1mBfA`lwtitT5M&c6Qvx#m0Ln75WEdGg6Y69bNt z^8t!Jbx}?8ep~0%agngki%G5}m;1hdb((trEnw;769%}uY~P(MvBkGI_|t{i z{KJM&?{*FMc4gPL!eKu*$dhxMkrm&yk^v?LD6F4+<~lgAS5xQ*QU>~RSTKAnq75o( z5<#WitL)~JPV88$E{Y0(KEp#-NdN5tDGz;lfXThFAk~UQk;p-sEqitJJQbYkL~2;R zs?OIXU0K5b?(H6i!)_Ups+f#KAxz-+xICyI%IJ%%Opv35CNMINzkY?Q!m~*!jPxlj zsk{C`R!;LZu#6)C3D+dIzx<%R8E)`G<0(ObuXo)+ojp(Pv>e}>^GOKg;Qb9E^p|esLj?9jwdcvB4TSYDq_8l^Y3kc78Rv12C ze8pEA_<_pL5_n&>>{41BoY+B1x`}EBW5Utus=%37kSW7F9pCBPN|P8~x~E$-H_XzP znl}My)1P7C*i;0^H>z6r{XI~Lj}__S%U?^&9sFW|ac3EPf!R+Bz}#e1^9_#4tkd}Q zBgm|GC<_2!gucRh>M+BLmT@oZ1ub`XVff-3@ns4jgA8!(UdLLMP}cz!thOwDPPY8K!nv%*KZsGak)mZG}= z&X@M1u)@274q3NMWvB}UMZj6bUDSK)W9y@$q4^$b52cWD@ZJv@)tN-ku3v;qx&poz z_yXI0U)|`FRmgyNtm`g-LixHMJ_*52Fj1B{;`GRLG6n*F0x8a6Ve-^+doH4^8*{{o zbrVWjdUwIx?rcD8qcFCiMKnt?;>lK4keR>&a$-yrix40V+mtYZN$KcMq9AUu@&>EqlSDhF=`aQU(iu#q6Z8mT{ie}yuqff0)s|gc?NkQraorW8j zI&j*oDG7=-zf?^_4z++(ar$+(zC_JSq_RPxz_woPWD5>t+jFauwy09X$?YQK1%3tOT3#nW zwHTi2GpPS<7TIjE4Aj@%s9QJ}t|~*7!Q9bmPQ>H7|FvCuuCPE?2CS2M8B5C&^qeLn zB-BT{s}OtU!;W9{rA_|Q+h_oWK~72L`moMP;W5Hv_rB$aapmNY34P)m1h)XY?Xet# zdbh08%Sn}Ft}iRtt&qPau7qWxob7m%@ylbqD`9-rz0OFGl-yNFG_>~F^bo25b23)P6+O7qIC{HuNYRV{;mWj^IaDvD zxg>BwZtAUWmZt>S{e+(D(ktH`lST1Ich=_wJv0zMoMQSm+{KVK$-cq^^VoH}^ceY^ z!o44#GxOe*CjN%^1)v)2alHe~D+F_>YLfe3|5b&%+jKlGzeB)vE94`8-eMzHA4U8g z9(ZchL<%$Cy!g+?81SO^>zZg9EDL^F&juv@2!V*p;RvwTq_}nS^P=A{5gMgPTS%#b z_qBIBs2H$satN_>yJ*B5UXtgX0U8hAWR!2oXV}X-{pvhEXB3$3aqXj_Jkq!8^yKMr zX8}q^1GDw8wctqyT;$4)qFa37T^icrfJV>=#Y4|N4)!bm#y+Kogf$8>pRTa(5>lh) zK3WWY-I&5Y-7cQS&$Q^NGj1b*5I~XD$cjse$ZI&7j0rLI5u>rsY$k1`+6m_>!LEgw zlqmz@U9aq#rrCj;yWJdW|JOB5K~l>Yvf6-Blf%^Z=64!v3|5j@qE)o zNG$ZPs^Z3jgp#0vTdPrx?BD6*6VSPvXlja+p!rJmoq!$&BZoL&5_m~=6^N75jXgv3 zbYm36ywZq<*SlsJsg2^wO{tCETF}Vb_1shii;=S`O$h|PuMijmwIwv}gkb*_V3qHP zip;lJ!~RYLeljFO1KX~{x>xz;6w=0t3Fmqxh~l=*&?9TSCAek|P3Kf!p%Y9Pdt0Qo zzVRB^@IV9GtZO3RP{g9+E3d;Q(T}*T1s`6eNG9uth6n2Ur1cP?Mb50dAvBuO$e(Q) zwU~GHYgs|vSJOgyvf+ks=whdK;w2&pHr`2v?;+b_%Esa4q0?FoBMhoq_L? z#{xu3IN@WJ4bCubM~KCAqelo!iX=RbDJk|DJjjs7kE<_uKX26WV?)_cZG{i~DtCM8 zBEC*PAP@UY1Bx~AO7kK`OY9l?!P#KL|K%>K-r~5#YU%!`lk*bSwJFC1J{{3HSC6AH z17M7|hkLNer@KM$6WGRtnkt2T63M)VUwH)t2%3%1GmFTW9!+i`5ZNNS;;0q1LfcAz zrxir|EKD~IdQ!>{ZCwk1C{3=6-cn$rgR+ST2;_{3*2!@%F(TF83NXKp4NG-{1-$Ci zRjgtzFrC2kYZi#PW`3Yr&U$?ujAo6bWVe5XqHw$&6vc#GH!((=s++J+Z$-$7M^}EX zi*VybquCvKS~tu-n9(0^4z1n=XwWI!qePS-CAtlN)^0?%Y}=`~Zmbk;djgqUSr0qG zXAa{P!^H|vfIFC)Txj5yS)=`D5xm>C%stF0EqwhsZR7mSVVy#byyx2eES`ySJ#`;J ztMqz86-dxuVT|uMnxiD+lP1l`a1T#ylv`@?0i3jMp9T>*#O3!?NN}CKfE2mAX%xEQ zERQP>tHVLwS3N^)bPpBs=IUb!rqt8;Hr1bro9O8I?plGp%9&Q*gh7&$@M*R*pgzeP ztlF0ZHjczb{!^0C=MB%@FruBCezp_y+X|7jfF_1EwDk50G4=g2u9qTCg1w<&0^@X` zxaORnR{Y4Kpw=86>sG~fRulSXK$|*LH>bCg2oWQG9{uL?aeTR-)wEJr{g$(ryktfMBW#A>)Y4j{DtT+*+;@r0`A za{9E}`&8iscs^cb$?)<{zSV(x)IDB_RCex&GLty+jl`zljs@)DLT*`2m@tnoF;z1L zsDC6Qr?Ktr84BQ6iD>qCit%v0=I=n&Iv7V@d+migPgNz^xE~~TlV2YICdI2@m+fL* z3owJ%d+7iFX{wV*&yCrY^Q#n+26H(lwL{7;EaKUU*j1Y17# zs3`AL8!Ec{RU-$M$1nz1CH`k&wSD;0y&adDeTJ-QB-p8u3B7lmiSS*( zE4Xl0r}va|zWWu1{=AS-5#(*gP}Y1WSLfP? zQBSX7R4^Um@yle=wYti$nfq^p_4;bB!sfPGMQ*3F_b)12hxF(x6g?Zf=bYSZx!l=M z!_581JK;rJq~z_s9^|3PK|{K@25wssce3$>Rd>uW`)pI*5&ym~|8jN#%&N!C&W~90 znjb}{?zNI!ldHJyszq9y&eB>~G=U)Kis8tqtv^XPOuqYLbQLVnj;Obr?U zpW(+LW{K}7vX2c4TII|rFfHrG_8jCPf}lg!m&ZZ+z&Z&xPI}CPP(+~3|NW0QcW=Wv zCa?GP5Gz5VJ#cBp`c#_8V6>DcvWM?fL@aQ1!Rq^Wq$io1bTH_(84IyE>srT zRx;GeMB=J43;Ab;+2Rqs6vhUi{=_RDD~{pA`p1aR`$Xm+fWR0y$5M&uf7L5SU#)on z#yxl=5W>>8u9;?^M8?gS1@e5Ie;!pZEdf?861>`*Viv&^Ba@)8yA<0^E4LP0@bS$3 z$M0C+U><`jyP_F9RiOOedr+F|3s!IP^L>9tdi`WjCDU z&Ws5P4;8z37p@jNc}QCag}<;iKj~^BXw5zvd_p!)yB}Z;>o_55q+iPcEyH!;E52BK zdGp5T=LvquTTWu3ZtUe356QahIybx>?zkw~=!A;|K1OXFeuLOo=%i`7u*N=Gc@(2D z67*DI-7Sy+V3-m)`7qGgKA%SNO**K7F31JQL7>F<)twUI5idcVOS=iQ;#1eQP?s_7 zP~r(nXbdq}OUSo`Sv}pz&=WJJ4iz{h;A>L1-`Kq>dSJ+zq?Fo>m%m9Ca?2O!WgsPn zb*s1B*i+twuT%KGUOlLK)56|T5a{ZGvt{26|KZ(f1)hn=(@dq0^J4Z%A)B|w;<7oA zgE`h^@P6XqEnVE(*56lLYn$aj0|I_+pV?&ZFV;Ao64dto5GUzS>*ZGpW-c>0oQ&Xh zoLcrbu>xz|%r?a44P7t5MfQ;cRhmhec&QyH_T&v!#+gl3A}PYDYY4P9_9+=*Scy>L z&#>>)7+gk1acR%C0~^sn4MGVudZp~^Dpb;j!+dh1PWu39NEB-BBJ)y4O1Z+HY~&Y- zZ1(%9>;jQ<4!fWJSqrgSM(`om3203ncJ9fSNwLK%IP?FxRLh!A@jFB-u~8T%s7ga? zc=_~oUbep*N!$N{ndHrm}=atd|e|mX5b0Y_Kn@dtU3fTL#Ixr+C zumVUKw%0kGFMnOkG=>LV)WpAkYZQxrhek1J1#odsoAx^SSW9dKt)Zp0OH4Y0rN?W3 zHi*mRtg{pO%<4BwO2Lr2zKg%IOyw^d-mCoem%sfZj&06dJ`f_7JjgN9 za=H;bvknkyzV6BWuuI;*CE@N&rtzO9v)m_R7HBg4kLmhwtT0DX4sg5;(#oQBuyC>e zNg36|iMbBHM(%Mr?ld;P;1n|X6_peq5p?j3edJoS>y9cH6K|;{s;rK7sDc%*E@BF+ zKOfH02{n@O8=m0gYXv*;ba57hG?II**b~ldS~p!G5buXLd z9Z~h4zFBYG7%P9*rvKQ?5DIQX+N*zWoe7zP_{Ij8+J9Bm$i&pq{Ca=`Qj3O^)}8I$ zHE~<%2{IdJIu2~BWLSI?N)-xw3o?OI$vP|m#;dOz_Oyx=lDx-0jYi(K7}it!40FaT z15|#Fz9K8ZzF8$B6-txLt!F5@2|v?-Ph#yRgN~Z06>T4Xq`Mfz_H&D@@Nc3BuQ+1n z`&j4#FEe5v%d|{8AYSP`gvyNR=JzS9?*~LZJCkif2OgO2zWZ(q4ifkoopQA0bjQL~ z3yoBYxL9ge9G?GPGzYylHG*Rk!XB|e>@aizsG|M0QGjrc-$qrEPY#ZTcz?vz420f$ zY~F`vWyA*P0xRaca-mY2eND)F zYeJ9l*3~8x9nl2`5RoasZySBiGMWE9n8WMyB|n;LX#1#d8mGbc^FIHZEK7@0YRLOS zT^#FRTe1bF9#STqiAkI9`Z^*~ApukDz}_}aNc~vtPW$5b_2(N=j#)O)kF#4w$ikG1 zCz3=q&a@;j7|vZ1iu3UT1WM`3$nfuu`voUw>w?a)+<>rAl5N4pE%)HiworSX6~;Pz z$cvDOtJl84CcFS~2| zqC;6?Y{C)A@w;V)3)hQnfd)W|tGJjU_+a>QMWqEL{THh6v3Y4_3}%A)&%^Vd4j0f2 z$bTO*>%e2?_b@ za9pA0uA>dUHBe#p(ZsDp7p5qu=Dks^1IKLs@y=lROEt69PsJfJB?f=@&Th=f9gu<8Kxb%E0o;)VB{p-wr07 zjARz+Pl0P6T{(-_cUWE5e$WW%>XeUPPNCNAb4p;+pOg!!(m46Z*0r`yLB?88cM^%M zAKzvD#HH_*tY@anD+)&){JqM7HZefOP&&9r9dOviI1Tt&ZNg=Jr_pr_51b?KNlaZ_ zjczHxWdLu+mOiX@vZZfOCQOQ|C4`81$>yKMWBI^N19zCIW+ZmkRQS38;FyEL6V-;v zA6t!^8|{LQp9dV$<{uTnwMof?Y(hzCZpLvdv1v4)$9)yj>=543yzn*bLu1y%?l!}D zaf^7yUU%sJ(n3T;0C`t?ev&2_X(_l}p4xCA;GBqtL+kbUg+$(Yl~a`!p$y#g*{Mx< zI62*$RDF+Ko=-%9(1~$S}`nM@j*v!&6{vA=OdlK%xos;^u`aCU-bg+8xP>m zfYGS2`4Fgoxy~~@r3g5#D;DQDm6trn?dSZ}gXa>Kmo(Pg+yLlO)b}lN_W4#JhJUE? z4g9+djES!+SnJ&t_mXB(vu6nbUW9UI564k6ly?Y;m0Ee3)V4?v1wP$>(Ubv## z%vUj*FWY>PEg$0Z&fiT^ z>ceS5nFX~XEzkV0_3Z$kX;X~sA+Ms| z6gVI(lqi+dd0GYc03V@Gk-2XI1%a*#u@QUxg_@M@2|@%mfy~KP4-i|7zT)0uyPNYJ zXhP@nBqCvrO2QX7ka^?CP2n3m%oCh(z|@~&6)72~O4ck&`pAT!9Bfn>==x{N}Orz!~vn@gJ=i6hkPehuh zfK*vlrHiYvdX&Rl66 z&Qa3A>ccUcmiV^{G!;I165t{lM~umXtdtD|-h zS|Yp_OBqf7Qh|~#5IF)(8YPD8BJ9=m`*^=TRt1e4l`a*($lk9S7ONoOSA28lo~IzV z;N@BDchMV#)+9v*#r`Tka6^cI`EXIft9JwS>fWK(*&I%T&n=m{n0hAW&b~xw^l8Wq z=I=i3xARkhpGW?IDh%$sqWI>9ENqxcaYKXw!=v+YTQ&RsaqT3mhfPQ~I38KJW&=j= zYuY(nFMX@yldN8&ra$@Rgi*^Onb3klZ{2|+Q6S0SM6!K@!PiY)a#C6mSJ)_8hM1cG z2T%5NK!iM$F&rHiIY(MRSEt<+7kSM=y7OZM<{TzoyW58BsVucn7v*W;sV+W>3bqa6 zTme4Y+K|CR3cdI?ceY(2KKAL?mt4zdYoDG@J}}S^M*fEd5Cqqw!vZ>$^!-Ea6oHp$ z)sogVi|&p#XW;vY;isI~Ug?f@)`blv**FWq>@&f6!HdJzj&wv^0{}wNbudjI?9tv% zl*Qt+M4Zi0`+h?Y>o-hmA4CfzVm|wX66gjOsOh(jEk{t-HA@;Fo2W-qju2pxL7&2( z_7K3_$c`M9RYlPWukoU13dRw*j)29}LC0``@Iui)I5_GR!eQvwKmAFsX4D!I^^|75 zv*N_I|20#P;;;*a1KvEUFPtaSHh$$P7^%@{xy5|~mh<$wH-l=nl;X(XE)*|Ph&h4% zWHv`_2t`?9-dNBRFfCW+qS;JI*ussL%+^{!5n3oM0X=_xeEIb1CveH8xtE zNvGq(&PxdLYjfJzYwSc9oXB#C6a^`3JgdYOa5tH zn_u8mT0f6Q36mQPG@&)xw;n&x94WGAqV6N#DMKi9%}?dm6R0TSvz?cTTfh;;iuwip zFUEF@a>!ZAzgFXx{?eS<+Gfm#Tb5Fu;0epICr)JN7Rf=bChAjy*Sud7GzFN<7$)?6 z(Ho<#Bp}CPOq|$@76dnq>S754&?#Bt{n4-fJ5az5QcqwGI0Lj%jWc>rU>w!^4O!zV zt#WNiSA1iTih3QM`S|-3$GG}b&1`FbQsRBjV`4IAa@O@r6T__%4Nd>7$UW6$zI~Fi zf#!(OYCyz_Z7nWbwvf|)OC0R}cB|S`P{DT$wS)usnbIoJ*bDKt^NZ!i{sHpZEYT;dZ-&%}L{Fr^uc$m%s zL4r{Raw!;$cq$zecI`&OJ)TrB!k-pgV_HV${C(KYztnF172nOj2cRnrtPFHhRh|(q zQt4h@&@1(U9oJ_Kc)=@x;o!Vn|F|s3D3=Z(90qDvE`j~l7u69h_+rzCZnwgf4Eanx zX|`@sLWVJYRuj!^&#l?CPjBuZMOo)S%?J6VJQWZEHVdEtGJ3x@QJbZ4=RW<7Qv4(5 z?WFw&74M8$fXUD<7}t5nxB}MPtoNp{EH0~tk1?^*MC_p!6c^UKCJDKZnmMdeckdfp z)OICK-r3$Qcy>XV5S+STUbb_SdQG3<4oT6l&QqRzz%lA#gR2N^43Y9`#970s5b@N- zujC1KEN4G^{fJ7=mTGsZm5uXlm_~P#Lbt%HLt2K*{-#r0t0{p+t0(?q$2$=D4RbNVc-x? z>od9Ynvi@r)W9L`@xkt&I34_mk7gL6?&PpfuSts7b;xhy<(5ft9Fp3*)VR7RH)9vo zu#AR7Orm!|Jtm#2Lrj$zy_iE-;J^p(ArQQ;D$FDR?nNTXUDfJlf%RF&Ps0GDShB^nOw`;&d(;6>QnJ0%F)T2si@SPq!J+e+)SmW3hk{AHNy z5JOQ98u19v|V7KW$h2x-t)kqLBE*B(AkpsWbQA%OD-a3tl9bJ|s;S7%gsk`pas(Db3=950JTHSO13|L7=Zy)-#CA@iNN{y;)O z?kfuhyx7&6%vXe392@i~kl9tiqQiOVj(}Uh6HMA4$Q)A8Gp77ZFEL@C#o3`(ErEjH zwdPo~saHaGLeabk%yOxgYP@5fZngw}x|$JMkHMdML<<&#{xGpCOx4-`qxO1V0}j@? z^5gLR;fgiy{tYx~W^2mU%ETRIZF~8pKLv6;AxC|5_EA#FN-Oq3R}EKMF{W-Y`U>8a_a3hiw^jz~8P%bgT=y2r3jJ#$QD zkzCwgyssFA?Sbi~J17appX`ct?5A(7VNud(?JVw5HVg;97COjf`O3mQbVh#=1>M*0 zg+--+r`~UWtdCMZe`n}UHK_Vx-KiXzELAHIa=h^*9P`E}E3jxZ2N~H_2lOlD-`xsr zZZ>0pP(az+fn1V6OxdS1@CLuA^KM?{SI^_-uVN)r6pKIA`T&j2wod zk#y8mD^v_z{Ru_E$ivVZu=?lJmy}a4b4R%KK`Up?Jg-?iQv%sre#VxlZ{lZXX!9-K z-;IBV_>=>ZNS81Kcu&(#%OG?ev)dDNATjI4y1JUZDM+-(F)oBhdTtf);_MD6dG*+1 z{*dwN%p876KJ+90oBji1;+fQsQPsH<=BACDgfj|jlZ3cF_zxdm zeME|vSC@T7h0T~p;wMM?Fo0uU{zA^h!@AP}Mk%}*&iwF^%iTVjv}>cpYJkGP?F4_U zen_^FrRa=MxFYOb3Bmw2klpivwU+t>S`%Ni_gx@axP=tha8i-9E(WF6;N|7TH^Yvtk=1VRh0YiV19|9@M(Wf&v z(jk?+)1$FYq@R5vDn4t7f|SKKYYiZyc7W9waKykn&3&7eRYEFWQ|po3OFH<-y15>OAyjWKXKej%u|-*EOp_cp6_799wvmDp&BOi?g!J4k`Lj7=cuRp3Jr-W&7!S@2jDw1=s^jF!V=%1cXK;; zdCbr;f0{Td`kuKza} zmCW2kT$}+GgM^&(J#Afk25u<@=BlYq^&zuoe&g zRI`fT7r{PADbJzC1*4o~QmR0sw*{)d*{SXe{INIYqnsZW@PgIXfXJxAF2?_NI*l@w z5e}Mz`?v38dVcOgY0R>Z{dy6 zM}UAOTlkYAg*DNn+UTuk9Lk%m&sno45cu1O9YALqezUrN192 z8g4wW86H+Ycn;`LqM*LU@1qXyZ=e9`o|gd!8-Frwu_$&P$f0&T37FJQ6~5nlinpC2 zyd6xn9*m2gAz~RIIK`WFg7c`^|9Lm^4yfARHG25h)u?t|;O~CtVRMhAcSQ*Vy)vIJ zFeLrgXoNs^nv{cd`>e^?q8@mLfS*!(E=SYTtE%%yP602JZGa1-T()olHCgAJM_ z9clA%oXyKQCy~oc9dO#AM5g#D?gZ}e!>PWSpt!?51B{3nAl&A!$Ii#*@#LjJ^-c7N z-@$OFPQomHG1~~^T)tng?(x&AS)m;w;Jfiq4oD7b9&p{hp@v$)FOt4wuUGWUIXYJG zJXW*qI`992`Uhjz zG{*v&4=A@dM(;NK2Fw?BuV|?VB*# zj2vXhWKDGpz&D9)!iU0vx&kJJ?hg`MSCI_UYB5#^FXs%v4FEVhB(Hpq$|N$80C9p1 zL@&gy)xn(iqgi6sbZ#oezx)NrG&$bsqbqboZJG7gLBbMXA2@9rf+-Cp>dzq=R=;A1 z+|rCSt#$@boiT>Ye&(8mU1g17_vZd?e&cZSar6{U3lytPlg3TS)>>a8t*$i@mBo&@ z+fJhoit}S4w8nkl94AwTfNYfJOH(Zg61w481B(@dnBO_ zw|~;Lmk24$e`et9DckEcIz#<0w62K(bB(oNvTyRe#njAcLlZsY3j3vrznc}d2P~Yv z&pe7t!k}w57stEFTIZ+Y>Ix7s1mn`OVnZMzVlwv=zvWjv<{oU`$%{1hRoQ-&^868v zfMpt$yPZGrCZB&8j z9Qhq0(Qs`zSguK6&PuPV(f>N25Ml!P+rOOU2X#?%hF{?r3y8*)rg4X(!K4ZlLA5{z zb8-~Vb8)^?ijx%071g1`{Xn7cQaK=sgZ3?AdePAs@>-&d=$Cl*L=f;NU`!4~oT_Wv z_G{s3DDO59KF53AcE7B%e}DCJLA`Xg&f|d6ru}@#5>jC zy>@6DK3e_enLo(JI|FY#MSIk^Rr&%pOcjCTG?0d!5zOP4YR}rRyOV|X{naC z?+^L!wPQp=b%JVxN`q8s$d~bdtGG#qo41d>9zssZCl;Vd;DO>=@W?SJHC*QK zO(@;oDCuoh6IXoF(IJ%WIpDuldXGM=_!3*y9I$dL zzX#JVXt~Vl8OXWsHqxa?ePCUXWuRKt$kTxkiW+KBWn%|QlHa1rwcKdlO-j>W&ztaDr>6A{Z-)=XI>T~P?6KaMr|krLTgfPvBQA3eFoKj(&j{?0RQ zdqT%Y$;TiEpJBt~i3t8mVQ$iVPpTh!)aA(e+X`}w+xP*y4tEf!2`k>5d7XGHrIqcb zviprgFO$AK#ZA+4DZf3~8!(Wy(3-}Nemh2idON1ye|SnA9tqpl+})AvxCa6#Z5lW! zhFZ&7E8XZ80W?zF%2S$s3+-$v0v_*&H}*C}tuZh8sCc(uyZ zev%^sQ6N&St3{owJM#A7pyAp2OLg%Ug6IfB_+SxAWz?7dda>e$m*|1o^k577x;9T` z@gewy`JmwwTyP4I`G}}RqWgbXtr7w5m=H(EF1 zGK4VF!$;7Bl*e~^z4ZB=e6fr;L9Q?dnAOg-s-zZG-9+lj-LWfhxu5l*dE@C+r+Sno zHnMO{g(QXBRC3gbdf26Da0zYF{@z-~Uhpm;bQgc^Szd8bNE?#MHBM;Sjm&I>{!wRb zPoe~i|x=4ZtKCY{IKZn0Sn z^|8Qj=`|l@-{Hf-x;12kYOD%l%S$}}2)@G^=%?Fm*0LOE1p-fwo|7`!nF@$22C@Y` z`G$ER!}GV}F(bxW)u?CD>1AH;YA^IYlYW&cKMc*Y=*dWJJuvH*(qdDir0jjF5mF`p zGaEXl5g~Ia_FH~y=u+KJf zS+dyA38%Ggy{{w|3c2?qqv}ozYj^=+{IzsA(gZ=-EeB(2$ zv+VE%9sY|PGBH!1aKbe;_;$elYTBE#K%T#{i1AoX%~d?`YEcy6TAy_;wPOD4>pw~H z3nQwqO8IQ-O;Me;^gBwGWDxj}^=mB+@5=8LrTNdp+=lD$--2W|1c6|X0@=?}r>FW* zBlbgIGP7E_44JXNEw9Xu-1_;kf|jrHJxgoT|Asr1&N>r&-8eHV@$D8I0bvsJ8@|k0 z6igWw+i=)!9X_=QhogFruAJMQjDM@m#;zg3nS$BYe@6RKdFfE#!EyssLQOwzv7fR0 zIdObIGvT$(kKMBvsY?@ka~^NkE)vHFEZ*n}iY?@NSse}7&$IS3wgXd4OCW?=0ze)F9!KH9*cu2@8!na;w6B zd(&}#0VK~P7Cd&DJ!QUK709?ez|FF6+~agRV7Xf<_zP)hwN9huHroz%ZR{osNk7-g zGW*@CUU6K04E(o0E%)<#hwfvxM-G!RaBcY~SPlO7O?x1K*uu6`J3HoHZmDOvtzPxj zX`Ff$8g{*^_shk3u4U_e!(-NVE=tww=ldMx75qL8tcm-2rQ&!7!Oo^#i-2R1nx@_^ z%q|8sJN}|NNIBI>fG&Z3vs+@w$4#zW|3=vfCVYDe&I+QOK25)ioT9Hz7Px0%GBrrM z=;^GZzz*II!-3+BF4U7dUd^@)M)Zh za^I!sTS9#AKzbLj>>B&3c3BZHc{3yxk40H2E_tzMs(&%0{)k zkjpHFf&<5?k-mxSKhWQmB3-9Gqdimf=baZK)=!l5eFT7N5>mTxOB5AkMkg{SU#mqq zW+j!`@M74)1v}M6(ehrSFnt$!t=HLiu0pRHBO&sR13lhRUn~Dp+$S8y5#(BYB&`8? z$P;+3vG0Az--XY67Jb5+l;;$r`iEaXL2LfbmpCuU|I*g06>W-1Q=b~~MI}7pQ!`CI ze-tsQ%IY^IyD2`F5(2j1r#AdYt;36ii}ZqE3PQ?_^ve-J$6shvPLoM#pCrhPo;s(X?AFlFOr06|hG@Co}=fZESuR^~&50pjRPnN-~ zHxU|JNZ+W6h%2?#%Yx+RV;*9y-x$26W7&dB z(Kb%`ES0cdfLQx?jok(^ccbX_DvGe%uonTY?QkwjcW_4+D#d*oF6PfQpX*;MDNoyk z6>1Cw|JS3Ev<6k48b($VT^>SqhWZlsI8L}{rsMzhZO+pnLgK=%%e@s)*<{i%UElP) zw|}6&zmfXj@dul`R4L;mV9CGqGqXDA z75eoc#rAYx5bk?=QvQ+E<6sb7CI0UYY9Ijg7U$jllce4rR1KwPp=YeaLQ}3zji@a@ z6EBAGzHyR1OICQDHUGsr*1AW(6uJ=ZZDF6|fner>vA8t@(juTpcSNMdNPRZ~8n(Dz5e2y>(`KrZe0o)fl`n^g3U15nc z=XRtsHr*}zqJZ8yeT)ibOsyPnoC>$|x+2;oB=VLME(*K4&d-Te*Fvs=g@u z>n-y??Z-b|NR>M9ZQ7Q`vHU`T2U>VC)ahaK|Ie@dw_hQRKrKrQGfysm_IO<%*z+~4 zv`yK%iBr}D+nRwx-|Tuj#l?l5BqZU>;wxzxS;1(7Mf$Vdc;tYeC)H0ae0iLrJfohx zNu6DY@^!DKRM4BO*tw8NbO~b;+nFdLy=7-tV_01SDd0*pUsN~@v~2YjCh$Y zUxa@y-47$Z1_JMV>>SgFb$@vFab{PWu||e9n2o2beOQG@HNDj$mUc~T*`N(AWXr#a z3l%WcNokL1e*rXX|2+`BLBvu*j0kgeBfl1_pONU{SBtf(Fa6JP>A!dVzt2z*5`SmB zQ&u3w$%XsZpV6bGhBe2>&yp>6As>pT1W2h!I;lBGNCioraF60geTF7dXU`H3`W3-h zN#Wj^i(mP0Rp(H?ngphB?=bZO@&U4=T-}^_$(2b6<_jRo`*IaY0IX+u+7xkrJ z{#t=JUj0;+m_loHfjy)8H_7LQr!MP*PStqKOXHP4vm}hEfxwtnFqcwunI|;QIp>m+ z7{1U>8Do>Ka@46JeWb3FW@;6ebP=>SeD7p)G8{@+6eoG8=(Nhg#wK5b)0noE*y^7g zWUk2DeEjjIq-3m*eoWzbj)7;&7_bNAK6Xl`oZlyzxDaN}Uj9-Ms1OyaD}?3?yG+ z0AI_!j5Qu^_@@`|agCCnP3Dr zFstB378go@=Z_JG!(*K$w{}Or0sFy)fNjVz&o11jRxv3#m2g|ep~iYj#bzJdzO?j0=W3mX#e| zX0}QcizY|zPYyScN!vM0=8v13EfyKbI}CCfkOY7|DQ=irx>L90PF&Y-o=A&`HC}&~ zx_)vPOaAvLta*mw1qY>UqLa(DvJIFQoY25@nFTS-@L}KT3d`NMoWP>=l5X9Qkk#7m6^?bJ zlsdoOy>``8noHv>g4fKc-*rOJO;En1J5dUkQc|dAAz^-N;kG}Az&=$!VuBvEI%0FE z@7-*@krh1_pF-WI@9+z(z}HQcr<@ecWp`|+aeOl>hBT&jjYB9AiC0%9iuH#<`~f|r z+~(|w=pCy~I`4tR>>;4l#0HUQ-dEI(HG`mOUt`9NB-b4fwC zmr;nrxahw)lK;H)7Xr&vftP3$?J_R*PfxU*r341NsFrUZcZ1koMxk9xv=SXN!}bMl zQRBj$w8gN80@{m0{F-SX*@FJ_V(RHIDQv;&q>dp^)}j7QWI~@aGU-K88Gi%*{Pa%l zGq4>t#|^U!Sw!;~4J3*QRJ}G+Fo)N2DAZReN?Q%v*uA!W@wz2NwZQH6t!&jo9BknF zzzfhCmEaPhk6vAtBx#u0p4e8Tm3AtL6bu`=Ud3{H>gB9IZXl-MSF;}vwURpq*F6DBN@ZbIDn|8@u|XVEC?A@Ic2KjLQp^hDUDzjqvC z&bC3R;e7Z0z;b7Mx231@85dllcS4xwSso>DlU$-OT?jEc8g)+a`CRREzj}wdlL;Jl za$|0K zRrl*u>e0U^uz!C-#(@#I%+9j|H3w@yRMw_=n5$7&$m0igUJxOj zSYUzVLRC=WWthim+qNVR4F4)JyISC+a89>MPz*#|eIg|w_gA+ zJsyiDkLlh~0^=uZT2n9Rek;7NEu3_2Z1_~d2jnT5C`n^}W$}x)_z2t{LTu*r_j2lx zGEe( z%se24hC|u}q=*9Ya2NPbh3Z)S%jHis%voYhaoCimS?5EwIbkfX_RsAPO)zFMbR1yi z3Dryr-q;*yZgnw&v>L&(WMO8wuBsz9PM34rYLkT^BvuoB<5;Y|pJzh^)%RUih59+t z@g;tc_LFU8^jP1IxS~7f$JMiOIHeDf(;&MYp;&)gr!a=wefI4xgN$lU9jJ;n3qHN&5zBg#-ZJlRSO1nOeV!K zbDsUYz#j?On8}~4IT@Nm2hT#zK1-7-$a_C9j|MRn#Xq#&XJ+uC65=&Fl@CGt+vm?_ z9Y&QccJU9yW0GP;WtpU?gmp6g>6sgoa#_eQ=w}E=r~U5IxFD7RNIBW!*qnMa{I^Gk zf5RIv{|vjFyDEz3WG8HTFdJX96=`;CZZ=#lxBStfK1>1gdOGCJkdlI>C@Ful&u0Wt zuLE1x4T|0{UXh*NKJMKXadhr~|ESgIa`AxhKV{~uP$2JkOfVG_{{OrGZ`>{=68!k^ z_nxN|HQL1f`bI)}N_}ZOE==LP>C|$+ns+YPGNlG&r*!M$nzrHBm+CD~&Aa>^ex-VWhQeVM4M9rAE1KZt%NnIO#32$GF}_Y5RC!U{Ck zCGaKPMZtkDZb(V0o}E;M|FpAh5Yv_%Q{=Vt!hWM~fE{kr3_0tMr&RH4 zu&)+N7tIcp4));SM&(X^3X4_`FrZHMB^B%kP;M3pY7o9Ec9Rk>YsYh}K8JfD;)?hF zDYuNRQA$uaPwp49f2=%3XdS4SDooN@$8QQq81r&uGo3t{2g*v3zS}13vdEp32`F|a zDY&f6r7r18-JDE+Rs2Y^%v>UO0JhJgKr5A%2z>@w!>0OyEK;*YttPxW_s4@SEiIU# z%D`OS1Lhjn>^7>Utyr2l%WhvQx#uuGals1gO(hszr?V)iV+@LC70(D2jE&{AY^@my zXqHp+I|q#rf`EgORovhzNDlX0Y`N?&ZQPo$4ga2+cJPn_!J#z(w;EaJH8ASWXVN6e z!8gN1u`fJv%aZ8cmm0l8+1Aw{-MFR|WMcVkat4p2W_M2ZAye}DtKBkZn7yF3lWU|A z^Z+GjzB8f$fE?}x-2bV?|MSop1yNwoxzTFFe}q9ie__z^JlnRD&tQgOI)2K(YoJC( zRe(1^)9dk^bO&NiIOOXnB+P3M8?zehTi{?1sV9ZIjsHx2JoA;a0lIc0)(LYSEibgM z2@9Un*zf*{XgKeqm&_&HpPHuC7=1())ZtgfMCmG&pBW&Zb+n?1RF8b-?JTbq zVIIj=QJN{(`waIcHDG*_vp``EEdMNdIR#gD#g#1Za`^Urhi~@xUcT%wb^n^?l1qyBF zu{GLyA~L4wn6`IG_#Xe38$Xq+fq$69=d7!(rZm!`pJ$(F1NIp> z)Hxct$;I4otf8B&;<-Ho&_iGotDngq8V~jFocvl4^cvGQy_%u46m)i4Z(iB36K#qE z$k_3ah0KcEb}#LPqn|5cB~vO^BfDsf2Y?JjrEvXh@K}C^Wc{9+Lj*){4VNJH{HFiv zSgh7-zdGbvhebwZODJh3Hx>OxP5Gr7hYaX-nu06h)EWgb z33du7)DMJ{R;|oT56$`$A!5XNte_UmT=;d4q)=jYe{@zbG&KQ<(_kOd56^PAeIq;6 z5}X`8)0C(Dds&F>)Y=DXjrz1doHDQNrKLht#+K_&^$otzdjN`X6B5ocbB_q{#DkTAk435VH+8Psks|Hoz~QhTa|y8H_UufL3GEy6B!KB$Jpo=`4RHt#8rH9+SyEzK zcXCV2fKrxx%X%|)4V!Klj;@!(HtjvZ`?}y^QbWMOcD=C4+T-aEF~7O35?~oi-{(TUr`cqWQ;bnpV;(Gj4E%($ z-2m^V^+79ulIqSUf8Z~?URD!Nv&%_RjT5d^c>TKTyYA@pHp2-Z7v*Y-UX=aE*ZK1Y z0u-q<qmjtdDmha6xD~pyCxuRti!dq2%Z(z079E_KI zlAp|?^FY=SHJhb&{Hxq;9{9(ee%?n{h*~8__;;2t%wol&3TBknI^zzV)u9+*F|DAc zfj5?Cz|4iQIsof0_eHQMYa~og8+E;T@rKyi4B$Pfv+eev2tf&&*rk>rT=l zpat1UCKRaqI8-lLRo4o}iY|rUJ=yGn_f_D|uiauZay)8X3rC0DU1EtL?cWX}4=J)6 zIh-vy)Q7v0hy_am+Nr{gbms>|pe3BVOZcCn;0ZHH%vA9PZR zOF(weM9d-Y257Il!{w%n8@f!k#K+lyty^#Fn+YY&>%D-gi!@-fdG*Kx7|;p0UTh3B zvN8&hqHBOIfc0aSIxq?$NQp|^U*4}j+NtI>j4tj`lH!F*rH})a#diro)PWRkWx9nMUzuASfD;T5FTGn` zo=*N{cKpbOKVVlnV9;bQuf9TKB>H=9xP;r(+w9#;sxQD!YoF`*QVwZ+_EEQuM}_}> z$$>=UxMB(MN_m#jD-OoPtl6WiE%I>=d5{Dc3;P|QRur5$%(hN?O}rf;t-1suncUEl2hM$gU%M$P+1XIEZFea}7Ae0!Cr_YHxS zzw)dK%6IR@iBj{o_yyV!$x#T+oy#ER8Ak5sUOGPuVwHXN)+`fMfgTDAw{EA#3Rs{X zB)i&{{p1KRLoKYz_k$8vTLb2mmK?t7L3Op$am7Z*0y*W;^wWpxA94Lm3BkSx{-~V# znBDxkC!Z5a9$&jQkRGb?{0@j&A6syilNbRnt#S3aXi9$yhFk!@yTy?+PbG6=Vf1bB zqGNEjs9+M5=rC~@Ynh|%*BRMZAl#SpBwY%T=$9)GXfV{dCZ$Zvb;#pcUnMsw5PEA! zS7)=NPM-qAJPw-4B!q9^4w=+U9?b$wm8RL6c0yjWkVk=g@;bt>Ysk6*5F9)ZG4Q3L zrn#OAMB`I?ZU(fR^RyxwtsE`Pa*tX$_;rc@D->TgzfmPv13s-Q@J#`a?T?Sij%J>dGBR!sjZb|i;{ zv1w57#Y0I4;kgxLMFyYWMX^1qXF;Sj9Zx_yKz;7M@Z1!Tm$vK4*KWyj-|{VC%tqGtX4A;C9WwC#CM^O*Zs(o41s`C% zxeLIt>zreZfseLcgw0Fzgnmy_;;j_;Z|r)&>6g=VJ7-&3MV?c@5AIThSzuz~%ES8uOIs_AbZrmC8osRi$??xyVxRp?w> zM+X2s*_xAD{sbR{=bFEAtK9VGlq^0T(kdkEDH2SGzX_cNL<MTfxk*4X4!=(80G3=HwJ1j|!pj$nV-W z=ZkZ#vdhG4W324ncGnSn7{OQW#D2fMV$~B~C%;9b+d=uN>k>UbpqXFFX&5M9mHjz% z$`$QBM(HLtGMqK$7pSLIqR)GxbaV(A*opZ0h*PF3wb%m&!xcGwpST$!- zoz*!%cGW>lc|4nOd`#+ldYq{r=<3-71aB^4-Y zT$#~VTMA@jG}pb6Sd=Hlr*KJ&8iPm-4e?u65eJ{hm^}cknU&7Ey&sFs0m)+fko5&1 zs*g_VEpRBGcB+Z1?0MpO&dxzjV-_~DLOeg>b=B67hByC%`EbuwuoDnT`+_KEg0G;Fc_Y+9Z z7eBnd*0iSOyv}G53v_U|d;lAIe;>-s90dh5Z$wFLR@`XmI;<^sFYDD9soD7O^pNNH z4^0?qa(c^S`q7>FXZsdFbOsH=01&~W$~lWi){$IQS%@0|WZwe7gSJg*m%SNrVj941 zgyItQ*tV*V7N|NOm)fH0Fwb||E6D*yCq+WKGQWMboS43t~w+nO*Z

        2-;8x1HHgxc z@&vk3SlI?<9XRpy_n7{bMZSUU_cQ{<3l}aMmjs74?`bqkzNldKyaO~0jW)+ba8JGO zGjODq$BuAVNNOzr&NChdU-TQ_tnwe5kv9SyWr!=19C9}tDYu|451==gOhR@fC*Lex zK3&3F+39Vdf*P&_zkDp_R`JCqJ!r{RPr>sv<*;vNFm0Q{8bG7YD+e4+jQ*E@h+a@s ztA`oMsL5#etDAah%x>?tjz9j)ss7;1DOZrWp#OvnjWwGQMUow9$ITc zvk)5J4h>n3{zxv~IYA{bsK6|5HfFtp5pIqDc8fdw_bsEr1S9JdW8lMVQ~F^Q4L`4x zyIlW*SONiE^CiaApi7Kiz+nV4Cfotik0-_L2+nLe8Dms1W_FZpmi7|X!ZGt(VZ)&B z8tse3Rv1&hR?beaART!@is2h3_GC3SRDl0EdT`8$d*zXsPydrt1OAxdIiN6l;~DEa zWpQ1Lw3c&Xw_zT>J=56W3wTfX1@1j!7O{s>=x5teWo}&D77(fWrp&{A)j~jT5nR3&w?{cY0Ix3 zq`&CPdiQ^t6tm@TiJKY3i7>I?!6BzZWhMa$C5G8s8oxtR3phzgKU_iB$`xkg9LexK zH6t4ANI(fX0P`EcLmE*Xa4q`DrlCM6$Th~O>K~2Kj(#ZjP>0)aOvXdNK6rk0XIEPQ za=CmyUGkV-@8_7N@|ezz5cR%5?QFLPPaGHGd*2BZ2*)}#boBjTVy^F0nTM!Bt_DC` zEfQnZ9`tv4ss)uYQ(CF7@L61S zv{#jX9~`)6p^8#|0buCQBW&R_|Gf)*ZsnY;<%B{JD_L%xLdx=B;Bu#3+Gfc)Y<-x`ES-@~ zPVTi9kg!Bp{TiSp1D*D<>3P<=)mL|QYDUB8aDcyUC6R$V2d3k>-z~XQtOI+aCf&jz z&lm$M6=&hS_jpv(X;44~)l(yJramRy2Kg-v2xKk$!>)dW!JL`tRaNQqWw!)YISwXl ziUI>LO@i9m@@yvFy*-Y8#~&+S-7tTpLWUEJU|J@G*F4Dn#?S_!vaZnj^g=A4typ>o zf7?|W5O1e~nkAEFw`TzG#&CNS&~`TDkdJbB+Gng^_yL(`xR~wqt<1;&-U z0%b;QpLP!nkjLC(9}BJ=pdS!_GFn{=w9L?<2YLFa`763M5u>pyht0cL+nmvlX)i|P@%Q+K!L!#Nvdp4*UKuU(OcTfgpb#&PWP^l!K)xOEt_o^waQ$n0BT^Aye zmytF5Ne(fV@n}}A%5&2@FQA3EFm97G%^PDo+eez}yOi<6%bM+Kml=KOc92aQ) zY3%yRlG#b2FAxSmbiXMsprHo1M)b^nx#uP-v7B#azfXR*yF+Am9S%G9d5y;)DcmL` zh@$aRCZEkXr()#u`!V&*D7?(0auq#fKAT(s&xXC0Fd$^eWA(v-bn3Oj$`SxnE&dM-J+1d;s43<}HG z?jprrGi8>2cbTyBZNPhOP7EKJ)uOw}r$Q@-4(0-YK{MD>N~P!%NVT&wK!#A#HNy(A zY2EmGWwl~>eM}_zmueok+dXWx;f?<4-SFpN_Vc~x>I}~+^JFbK?DLqc$d0o2?jpC_ z0*<}=d}p4F>}wbSAvBVnH2GbxM-^Ij(f2l?4#8%7D_Kubmm-)P=9l#|GN8-`%~j{D@1=OVt`$j)8()d zVtU}3p4QP12LHRIJAt1UeKrgcv~zY`?o*hmK`G&76aXQ3dWV5dE%@WaRP#|rGy9f0 zEs5}w%cvxEwV`p#y}~z8e7BsYtop=#^u|ia+aB_-sHSo`3gZ&y%v|O_zwq`|vMrcWkYROKv9x$Gj6IwP)JnKsS13xU+plu)~sMk1YI z+RpSxa4t3PbC?@>X&)+Y-ZTM~Gi@mK7#mbe~@Y(W{C}`SGlIz^McrmkPzU!g{=%L-KDsee10FsC-BjZA&urs zjM1F5N@8>heCooi6@u~IyD$?j4bv#5Uu_ayYcEFwojS%-#tMzqthwU=(rkr3E4S(h zpi14VYf9L64F^VnH*>ruzo>(L(R%UQMuc{b)zVR4fd5JmwcAJSLT|S=b{lA)ckkO! z?Nb`2Uqfrp+~>-W{WHk)W$^ob`ts(Ti_LfcNcZ@Md*N6eZD^qnOl1jiJHcv6vTAU5 zzbF#ASDtU?_DW!CA4R&Y3>owq(e(y&tgx_{D_JEmk6II2oALI|BS-BEA6pc-e65KR zLAf|f&DKG?3f-5GR0i%&Y0(F7ynb4MrqgVQi?4jk> z??qSM?ZH7PywH35WSdNCX4p<1#5L~nIvu@yz`DI2fVT;d>i&Gcx2s9fL@*0FaMt<= zV%op$N*Nux4oSPuBV;QwVUglh5NUPhTbx+Imn!2$J~nm?A9zQ{x(A@#ykW8k0ocU_ z096lR!yE}+6M7@WZ-LO6et5*mso-yDpo!8#V~pk(C|wnM%ekMmN|PqoOELpO?2L|8 zGIGntwg$n}+b*OBeyFyiXv$;UfD0zen3s8Iv5+ycFBrD1C1Q6W9_ToaOkT!kU zRe+gJIhglU9r=aK#>x=*+EcN8{;o`oDt;)pQ7yHrYx;FzI~#(Ov@iFa3D*5e!kIKr z6d;_^*>65hCA(1>XK@hX;+3pB%1s(V1HW$yTqHQhE7_dq%V|=oj;X)%L1P`!O}=3z zePQ3GUXb^#Hp{5}flA5f^+L^tBB8oBT&W5kel{IG)YwaTPLGJj7pF3cB7DoQ*c|sw z9q&$EJn@8)xcT5+C8}G&dmLFvzx$KH?+Up{fe7d?n`r+uSaon{d6lco%O!dla*Zkyj>2F%~9U`3cWv z>vK$lSH*lYlW&xt-}*I}eIy^?P4B`p{>7%LvG(hqZR_n9n-Z5!XA|=jPY<>>PAK@M zm-=vJS|bK71ZIW)H?-5AZF@`X8K^mY#$6urRryd!#qdz0-Mtl*wR%1R%139{*L1vi zW7>bK z6O$5I$;xfw;Ha|O0Pk+7mH@}yb}-9^oho_?jO-1ZkJG&w4XmE5z5=tV7AqKBk3iE; zuI^$UK|UL2-_%8e?B@9iLW9dU%F1-+F*rwlOl!cvv%24eg`DXsF1yehBuwDV`L&%c zx<@crsCK1?WM+->(}CAO<)w^W<(798f3^%v=VE^sI||gsl!m9Sci#@HN$Q_)TuJFA zh5-&5LgK-ypVv!wt1XJ;v()3=S+H#?&4&i}9pwC=r`PECWIdQJH=g21Q|-QK``nnw z`=c5G%-Z;d#5=y& z{y%u#PmE)i0k}1J*;wxJc+}gOw03Ilop*sr*4B}}Kud_);LNvQGzfgq1Cuk-)Su{} zxYyHiMFxX=j=WbtilS-6&7Wi+{7zA+<5H2AAYJG2_7tRjY)zW1wI98!kuo0M-3jSd z3g+zpz!22yXdYKN-p6PeXImr2quPCKrLmT)JvkOZq4UG4LD_~gqkkYgirvhM`S;wY zu=mEJq%)Y@cR(e5XOS_1{?8@mNhAPJK7q9IQj6{H#@VUJ2cIXgt7#MDhp3OJ{V^X+ zLavL*LJaM|Me7XgELgp&p4ixdj=uYsK$rx76iA|=;gvZ=ddfe)857f!ud+qLgY4r!1ug}u|8)BV_A>SB0-H&dC<9z5{@p;mK>WUiM`#sww+{=ywII$QC3EKkS(3XU(U1Dx3wTe?V$N4?n>|osTuOd!N66_-W(1cPl^lJ^3zV)2J(#!{!SV<5)56BJ3^KzJ0h? z&c>#ZZcf7d;($`5U>Z2J-yaU|%zrgCcc(RqhTDx2{7WXFz|V4G&z% z2L`>>7m6zoWs%$6OV;xCDcDbg$vP}}pErt!o2q2jw-(*?0EC(I$|nQN{2Cmq7mKQk z)f^^9KTC!)THAUg3AQnv<)JMU%XX!;7p=q02u7t9jcTZg~FW^HM@3bA9 z1S=O>cD}td=713^HAsn9Pk;uFS(e`^EMH1Yg{w)?=6``9ML!?!0atS$_x)O(sC8|c z7n8-aO_gh<4yjvD%73|QwkB@>nu;vxRY1tSyru~E|Ie9{C$tXS6y+W_BJ252xnj>- zD*O^ZC*y|V4C5r*5XHo?Mj(%$Ki}qHxnN+(*xijQ0>8Vy=T#T&aGyzM_8d<*oeD?K zmzfV9pZU$-A=8f3chnut}1$W zHJVOBU2`Jbc3T~85jggA;_MIz?-lpV34`BlJXWw)RXQxaQ-rC+DI|jJO9lgZhWNU` zq``AL`*|5m+IeGTZLIeWEmocpO8o*d-1 zJ9wgBJ9$!5xTB|#Dt?jk=ecUWpIXA!$3xujU)le$6^_gV$}uahMI^F`5NWoT$7b?L zt1Jh5%Fz)qE~;{hN5kI2VBk;Q*HS_N`zQ=GYg$2>4Vr5TbQyo_YZeb`Dk{s5 zDdBD~P?0AykGyt zqibY0A5;RMCK-9@O3v;A_wtlWfJDpUp#jy=>~-H+r#8g5vIWC$F}rTsyEhFG;a-~x zwrMMjql}{o_oP_RumS~}X%@FwqhU{9)1HQa&t13C?7TgsVXTMPfu?Me4sXj5{fgXk z%jrJ9DmgLZMblx>;MWSG#~{e4+BwY(SX{;0WEEn3%b9Cb(F0&9f~Y8JdDOzbr89$3 z&IZsU^5ZRdV4TOe?h>28>d)fDY%;}fH!raERdpVzwilw#ra#lBhucY-H#6MGG3|uY zas8y9GeZp{Don8Ig08O}`WMU$?5g-hrJhM2sT>{Fh?#h=2{ajk^at_~`fn4Pqe^ez z&gg{ys4DqUYh}4+#r!3@49Sv~bAs&6wfmkQZ?w<6oy9M)ViUCepJ3 zy9DOk3OxPgB;F5SEa@NM#xUihREPmSAEjY_1)H3AmBtfg-yxOSgB1DQ|aSD9p{*N!OAHFY9w1pB@M(TK=#z4`oK6c=Kwv8?DE&uT!rp)$r_D z&=h|kXlVDbU{)u(dW{4(JH7HjvR-dbuPRP$}tF9(SER$)bZ{9&9YJ-&f2%} zv7IHz`(C{l;By!YIp#ukksdlL?-8u`n^zVo3LbQWWJ&zOwU|}ai5E1+ESYBQ9*7jU zV`|~>=)fICS^VHuAOB3vA~P&Wt=fY5rcv)Uod7qPX2}`g_SVoMsU?2GCD|J7A7ZZX z2}Hp=0L!}jd%Ogm7@Gb&ZrsSxEN@2xnr}UyM!KbJZ$1hNgLe$(oa}9BIr|K{9Pe?} zkr${HTQkDCzK~PxHk}7EOL`50-ZQcF6v=AE*&uGWAEqN?WXpXphR<{xB+J-K7nu;P zd>k>q$TN+>*FS}Y%WV6^DW0^K0QMT`biO!K!a(W=`cX$1E*{@p_4k4o(j$}*5TERw z*^m2RCH$yoInR_x8SjmXf8B4r$%#E6xxLuVQA_OuR@~4$gWLCfT*R>V)LrSzOM&-P zPpu=rY~xYso{n?&$qQ2nH!fA)J>M#+c=f*TJvWfSfyAt2&O!~)9^91BYO0Ig9P8W7 z8uwFxTYhSnEe{$zeqqR4$wHYZ>O(;LnyVx?*$A6P#EHm~%XtP~8tt-D#DZuIje2<$ zzi~mpru39RCOTGcj#;UloI5PoJd9~6J?wP4SeG>GfP)j)HICB3;Xm&)*<0!uT zM9mYwRC_|4{-HX-H|v4*pLD-&-6}B|AJ1*@;m2nhv0m?wm<{)KK<-I@r0n-w^0$_P zWt9z>IIaxIW_u}C&F$3)MRMKrK0ox3%Xz^{zYvhOD2}U5v;#beqm4JFLPC=!Xh{xr z%BxCzK-=aMTc&>F`imCLQ>x|l9&5qBi_M`5xJ-tto88`y)6m;p{IW{o%r(R3nVcmy z3rd^>3dFgLxsg#$rYi$AK8M4rv>J) z==Zovf%$8)GBDd6rs6B;CpOXK_q$C6|4XyKOc{(gI^?AL2HNqdi}X4GZ`KUrjpoI@ zdF#fcpInNtPdPpU=;v1u5D#xEfCVbb@;yDaw-GAMoYiRuR$cW@s@>H#Dd~V#5ueEJ zo8%1cy@ryClzH{4`rw&)N(!>iN-YzcnD)Zb8A@je$atQz3ek3SLe{;5AA=?iPLK+l z=%JMGx-X6zF`z$G41avU?-%3l66|PHW7LKDhtnDmG5M!CV9!l!%Or${Eu&mjvmgCb zHm!=vZK~_u8N9rayVfWE zv??Gu*Bn$X3TC?Nm=-!#H9j6=t}^_&`(?BfU_c{l9Ir7sa~V@JYu^W}yP;7#6>aJt#@61dCl!$Z@5?{ZIv zV2->zT2sRM*|}MF+Ugs)I|lo*GFOXpl>S_&r~&2sUIC8bB9whVj@uJ`zUQH!_wyoi zx92WLgdGIGy`24Yeta7dD*h8_dYYWEu#s7 zM*iP*K%K!7znuTB1A_a{3mlz4(j+D3_^3b#1I%a*4%-WFBp;gVey&!btwH|4ZC*?i z%-#cr=PvT&)ZRsu#|2=tkhGMAK#Xg9A;q!cIJE(b#7kI@NU|PVyf$(CjXQBVm-~Ux zl5lD@-m$pE%jIckt7&KdeKtZosXbD+@vBqn%b)#0fp%{rw1spl>clK3U!+p6!2#J0 zGYL1%_lI1u`$EuKHohl&xv;nE8Lh6+Lhek!$JI{^bHYbIq3u@7Ul(f`2Ew1yz9_S7 zjokQAS_oEpqKl5&ada#d&W``FJ|EH^+1y{;jOA#)Cx6)B?wx=Wnf^d_Hd?VMc_ zDiu-nF=m#AcK%TzR~g&1)dV|VwuSlHIj(EIcnmw}jtuL1xX9P|))<$OC<;N51~Sb; zJu%43Pevk|Z_F=+bcHczku2<7vmUi-u;;gmoG;i_Lw|T0ZaMMnx=_9@n)RMw4;Hi-Mg!?fRr7ax0Xf}OsL|M9o17d zA>$q+4~40^)6Yj;qF&q+Wn8>jk`{-zc%#v3G>i=NO#9_B5w`!sdpFTP@t$4b(=-+7 zx13idR`YRR9J8J~Xczn%e`lZ}x?wNQk{vrnP%TooZc4DZ|K9ukVNknU_dPTnwOhXZ zh=fPGm$xDL>`JtMk~c#0mmWti-^_0cNsuT0yIM5IE8Ka3{OP!d5zDwh_i!f4VcGc2 zc@W`YS?24V^1$jyy3^CE^3S)8J*D1seNjPC?n4#Y+NcBZ>S+~Jw2J|nY{g2S z@k5i0+8rmq`FoKwiqWOWZoc_%+^fQMBC_8A1)n72{jzHarVhW6{ZCneqofp)_q?&n zbMAn!_5h1~-{n$Y+-=7U{aFL=@?V>Xb2t-1^Q2A4i;Coo2RzGJsfdaGBA^9bwsB&2 z&Jrn~@pY>%Vb|SHyR^l#w`GfYXA>A8>Ejwv@>u1*IFWw*G-e~w>1X~ zc06k#*-$I<{8(+7$C#!3Vqh>v%^XI`mbzu8W^5 z9)@Qeuh#juove)|Q5AWu4?x0#1hWL96zUzPhw?>d*CBPoHeuT90@`981#nXs^g81O zpgEIV#0dzwc~?yGVtK}A4|U*`T(}-*|F>S(+rw`aup%_0)vr!IO{Lz<2W~HcHi^ti zg(yq|aj$9Gco%ITTYq8EJhNXsHoMaM$E2H&dJekk7S0}Nm=OkcaMAKt?&W8a< zeSflK-$lLJI>TowXP=eokMJ@~Xz6Oid&k!tmyS=iNz4|$J-#;jRTYkaiflq6Jf7>7 zq|z_-Fw!f3YG~ow`fb4dv1V{J%yyiR#yZNhq1-LWXT6uI!0?K7ey;S!vuaHSGf`kX zhF;$W2dvXvdTv8&WGu}$Uwd|ve%U*}T=|UVxB*)F2>5dUQzRHB4iJlSk}>6;(-M91 zZ*8M2WbJqKW~ABDsJb3sHBjn0CA(c~31INz1+n9wVw$v;K?_n-aSp-8&upV%QV9@_@a>`F9NxiBoyrf4JawW`Ix2dBcaHvad zl!G+za~7y_a+jotRAd^lh`0hk=r>%_MzMB|=d0|l6>DY1=T%Euck(N8c}}@fQ|+gZ zqO21H=SnxIs>$aCGw-g7x|Lfk-|Z92w&06AkzSroOm#F`zbmFvudG(>6WQ~QY%l;4 zF7+v!!W`Y*KxMudm4X3T*W{pYO!2X2bWbC#!G!0PR`Hn1;9NX>k>`WFtBE-6jpiQvg_bBU((^gEkIeX+d+89tAAodP;w$d`5io#IPfPmYy4N_X4z>2X?#@Wle=k+bOZRAZ6+Kf>eHqNKi?fiQvB*#a9uv zNJR`0nB|a(GW7>!J<`chs5^Yz&7xJ86d9g6XJ75d;`OI?q z51^`Oe*MOq2;5DDx}x|)?xS{y2Sw#@g~R&B@7!{D^TRQ;B9W5-koBZQcncBk3j@I7Hl`(S-pWG z+-nJI_jb=rfd^cs!Yl!6cKyfIo)FIZEnXq0skI4wdIaw6C9XE-Ec9!GI`6pA?LDwu zZo=m~Xn0u6B%~qE6f5P>aG~$Cem3CI)vtB@WMRFObAJa>W`B+e0LlOv29hFtM!hkb z^yvOjCll+wr(xAr?`qo1vbGyj;TN>DCR0&%`1`T-TaE*UqCVS$t!d?emqyn4ha&UQ zZY2pC^Kvk^ND-|DCUtwRl>{Gy>=E*eNMeer!y|C%N$GL(1S+~$xjxd=QxDisSbw!r zi*6O)Y^3TzxgS7<`?6*~w7fY}4*dqGYQ(EN8)f;)}a6x+(+GI(VwY>_Kxp zilP_PB)AXCwCaxTdnm;ij0W}0TR)>ZQ-Zy48@Q8F^@3u9$Qob0RSu!kxf`a7lr<$b zs7mg|Od((ha7VHtJdFI`i_4|v}TQ*HUR?mU|l}xRGmXIlpw5^gA+iAHA zfuel#uqNllBND3;qnpX$v!5=>gw^0m*3%O*1tpqNRuhuO0?emP_6pFk@@xHCJ~@)W z1gFye_ka%y_47-U{Kpj|*)kDLPtt-hkmgwJy;k+k{SPszt5c-~gzjX^8lRoM_Hlu6(hvV~(5c zI&$-5bC}_A7hDGdJ1-|>0p5@2A$Nvf9Oo+wsPBA~r?aw7vaQ#hEX3#4Z2c~MqAJ9! zTaoc|N)i)R0_Zy-7i*7pU1Cli-#Y;cK5wt1 z`(I`xrM<5CuV%Ex|#K&brIcjY}qO}k_VB<5b4Yr4~bxNK7vlTLQ3-lEhfmw>Gp zXg8(lo?M>x{rQ&D34k^yO;fqs2rvJxX9Y|?qSD|hpvY0f;-_SqRnSyEy{@?Y7WN+PLWUC*_}+ISQoj zVCqw%VJj9J)*(7g5#!|e^RQDrBEnVD_EP1*{dL;w2m80>S_K1p6LmZXt;IMt(jS3@ zFW2x`O{U>kc^jfPCvx`hxxbh^XAAg!cyi8QYln$sk$Z8y4UPXFWp5o9Ww@@5k^&;F zguu`s(jhqvDP4kqG)N;z!;pe>$k0fObR!LdbeD8V4PDC6&3VVY_WsshXRYu2&Y#FT zKgQ>M?!NBp@=M~ev6x!x+mfY8)Un?yb+6sw7)j!Pfle#c)eEfdO4@^;@muhD$5Ir= z>?A$8eP;P(Y%6ZVhB}8`X<_7bbsLUD*M9j$*Gn8`ql@AI(lx$e!HNzhq|sh8M%dC0-m6gH3l_6P4B# zBnK^yspb6lF23vkZORK_VKa3K_u{;n?c;r(DLeK^UbtI^LEF(L(2!S%wQmgqoE7!w zQ)DK3S|bbBd|jR2n$XAZdxd+fZ@*sAc<+DftVcI*?gN6XSDC?#XNuPdZUGTO?|u*x z+O>s5_r;_y=&p@__z+0>>&rC~xmAe2D&oWCWmM*setf$_PuAGS{Yvsq@cM=I@(7Z0 z5@6go=k%!uEZXL-$L60cy4S7zR?38hp)y#e*#X$)gDP~`HAvHyhp&mx^@~WGmp)ZK7c_)!koV`yw<)Y?s=b8lV12!gi)f~==n%pL_9yr3jCj$$57suF3j&# zV_lDLZ~WyR`|y{0tVr!017cECAVGyP*zVyDuEPEx!&`izsGkI?11an-W>DFH@7 z%9KqB=C=;?0M-Dvd}sqWJrB6X$79PW_Hxi8dZMv8*Y#LAOOMu{_Y|mHIYKJ8zq?PNEgh`L&k3os-f7i64_&4CU9vzs67ZTs9K-@l#3s`c3lU$>#s z4{JVLDk-ZD0F5jduh|7_jE9;Jz=^neoXuGgl=sSj2LrYbk9m~{F^0buGGHiZuuuU5 z=XuqKmxqD_gmi?=U08W!try*k$N*{j;U=E!GIu5lD*3hJf6w1LiGW!a^;0?DSM)|n zeiOETT$c(g!zng+)pr40_*rEFvmqZeMP)=Z&tp&*?#men_u)4LfP^N=Fz+sBhw7yR z%S)BpAw6?Py=zIZMRO#5q^HBuZwkcx+;6;SDiRD$In#ynalZunWW3BNhl%+VQl#Nh z*WqD+kxUvEHmCaJfSQ=W2g0$w&ox!MPUbE^lDuclCVp)GbmU3}3B^0%+7S(m{SmHx zWNf&;=Bxi+56nkr;W^Jv5x#$gB$C)fq*yA=1M#=HZrPGye4L$^T~zpdhKFHEWQ55r zl?lm}AX*LDNlul0I=2lr_jsidcE=C&0nqiOVz* z2e~X0^vj}866r2Ro?;mT?r;y;aL-Q9dN~@P8&n^jO%dy9pZ3aJ{{845&!EjSUE2&k zpoDEspXpiO5LugF)hE{7x}C@+zS9Bn2f^nvEX%1N0DFqRK0Rq+hz!TtVk4P>Vg&J? zK`*y{1mIpKAp>zX8s!bUb4BWzGT-oiX`YQv3%=^HmQ8S*>dU{})P~n{lVY=kdRp?PLW#JJ!2H_}vt~ zf1O}aaqXUCIN6?v?}_HV+^=`DJ>Kd1;B%%BFT$)guK{$UklQH1nz8)s?i2n9zqW)- zbV_Q^wugk{=wC0$g=`dH_miydZ%cHjT><{O^@eoifh`jphW(#8G(@m00WpEEa=oNP zFoF%jy^G|0cJZ5T@r(;tE2L<`%-ww1$u%|OfRMp!L}aft;Aa)}oqH9G9)7T%;{u%? zmcF(Jc7IG8r;wx<(pF1gMpwemSBuUpbi8ANzD-O|0ATBa3dj4Ju=iE zbOoL^<3%DWRR*QHQy?I!t7_`%>s`ZPT|I(-p_|QpMHOSkDOcY6v)De=DDrQKXb9OE za!B4T$pu)<+vFZ0cTTe38wvEr#l9X#X2JwYgHdi(F!OL_>xU;uK?sH4L+@>6{rjr6 z0*Y3t-;v7_9w9F{;jZh$j)z2QTh44E&jFA%3%*hzBlXzWwkh@JE+qsKlWR`ExBP9# z#~y}-Nu%Qq1RYoGN>A$g=2r$=kVAIL-g0OIEDWI26 z5EGB4yCwNDCgho=Lh}&Z)Nx@C*u6CkaX!l@+D{PVenb&u7ZNrTS52rIIx zSla7sA-G#QZjpXk3Wjly`Mp_uPY;5V@M4S=_!A1LG#}e)K2WNou{d3()uMCNeXgF> zU9;B4$$pji`T^O}ptN%OU$b98b*%1#ScvFTgCe%hh`DUs6eS*`4ek;04ReOUn>_b(5xg)`UWp)>I)g!$gsjHP6(Rj2qvj{zhJdge* z$%2<0%hlN&?a5o?RDmvtl;KgL0vL#%Y5)hE`~W7+)h_w{nZ1mNuXBo@=+_Uc5Z~F7 zEPG@cy716LSRW-IiuUW(b?g0g=i?pR$CUCavcG8OQ~Q;-21-?bO=sepZYWd2e%8pR z)ZMfbpG%oF>E$ANMw$P zZ)A8_Y8uG6qNQRI1gK{W7Z$J+oBW$ea5Qof+-uA7j#IJg8ZbU#pMCy@5z#V&kH`W5 zGj*DiO_W)KZq*|HQn%Wh{HG-Vtg{S*KJdDvy#`=lX0-QoDJhHZ*$-%6tbZ(>cS3I5 zLp`zt_?}R5SMuk;g3P~%L;I-aw{l8hL)dR7q5}dv53thDa!S3@%6=+~nlI7H1uh~} z<45LcNXUOY#l@ztvf)%+UF~4S(yn&>5yJX2hcb=-++8el3>qFhLE!H!cy*i@t@omz zrKHZSB5|(u*zvuBs9jWV#8V2G`H8CC&GPv;bcz!F zNY*)eH*(`upFWTnmjeh{4=gP}h@NkcB&`a7b<2Uqb&*)qt~)EsnKb6G)+;#Q;+GlMqh zEg4y@H-oLIR8*R2C?nx=us{T%fEr}2@ zOJ!7Mm5tuS^pkJq6JO0gQ3ecjR_ctg+R>#v#fcCS_P{FLsmJe*ObiQnT-#P3S^!RSa^90xl*7ZQ{>n-PjD~8g9 zOtqFHGj&QpRzlxQdC``WeWdwNI>l&&m)ZzN`;vrO0XV;?rvSBhb?Lm(>8w0yqt38* zzRdx^6I!+=GJ917rK^l5vR+=(E-UcpxidV6v}9CY4`Z`Yptr?rv7(pCuo_jyl1gKrgkzcr%#wcX}h3%dtIkfmTxQ^^e~Pfa5k9EQ2!kp zBv@u{U1@FkFsA zkYXkQW}|w%bzuw{zS9_lobIV0iB_M0JU%3e0sS-P&@Ku#p`{T+7{0F2*j+QMsAS%f z=G8WG#hjZm?)KZ~R}aJ6?D#(1pMUs(IzCX`8!KLYp|71{0C1)}4YP;1Qg$UX1BYMyBR<}nV*q!U-sf77#f!*1|bV1dO z`!PT7*_}a~7qk+Mb;Be<(e=RkZs5bXl8r}r5ie7vA50j{)ERsL>JOQ3z|OpKlEfrv zMsfxLwB^~*>6EgLkn2G0p)Lto-)Q3xZJ1@N+3v=3F{tIR}5|FMV<_ABz05qS1V zJUlXNZ#;?49J04m?WN?oK+Xi#(>ehdXqC2$lOe66%a6wB%ks^60unxUVi}$4ow}-R zVQyesQ*mM5D{8IMaru-z$Y8@S$`PMtu;&MIfvdd#0W9swr_!{r`toDvUv-E(U}h`w zC#%upP4wc2K41GKyULO)qmyR6Qz5LuB$>1t0htK*KiG5L0D7ye;%~I26r1QeW2eu& z(W(eUyfUS$ocISt>@?mBrTSIYxx?U~3+ewq{IFKZ*oYsFg%>RSN))Dyh}jjL#b8Fd zR@SVhJXKbutcqFn`dWpj-y$Rh&`h3>W(tiFQlh+uh@9n-WV@Q~+f>$2T|h+EmE>ed z^6$nX@!YA{>EB1*Q(<2sl5Z}esGEcjeY&-8CK#kF76ih3qn-Z^J#5*jhxxs_cj`z% z+`-=<8|mSh7VRI)X!(Gz)+OoJq_9<&&i^|A{w34l#zn4tN^Pzv0+R~0!FgTVaSgs- z^}dl1P@34F+~v0#B_*cOeM<^P0CXg!U}?9&P6QjCP!%mhBERd6GkV-!3sxW1R-bRv zcn+C?CIBA0EXAo1U3XrkSPGAo4F>kAt^iuNZuChIiRyNb(wn*iX|T-uZ#Rq-9}*HR zr~T}Qk7~#B`;q&2rlf7|PXa$d^2^_fx~X$*`MY0PtNNJC2m~>&XUmE0zS0C{3Lv>3 zJ`!^8r61c^fHfD8*{H)B1he@=fgT~)!S46;Gn!m0Srv0`d+Ev)=15{z0OLpqB^r>*e?=C=*E?bt z*mXL}?h1^oQ-*AX%umGsf*pfZ)+u|rWQ1)FPG@@cs#8OtqRjBI^JUiq$KP`EdoX?s zQ9pywdJ2$NAhKTiXUcZz%TenH|Fxb) z%k`72NTIvF)xMO*di~V%et>3OV*S%n^ByWSTk2;aT63@s$NRHz3%kWX>4RnLUiiR_ zwrsqv4m1ImukKrF4~;&i9i>E00Yk41ABY2n(z`4&qU65W58Qa(ayp>t6y-~wZA0M1 zfyj901F5mlMzm~ub}v8gZ7lnvzkD@q+S7YBZ_gd#-J1c3YnZNJ60-xiC}Vxt|1ll_ zd<~$X5SoDP#Qz0DwdApQFIPMKA-ft5ly7(yCJA3Pq^oF*jXsv9jZ<~}lt7fP3{XyP z2PHEOL(-rcCkHG5Fwv!@TG9caBHcbJ zgB?K4$|gg1!{>1wRR-)W5nphM!iaOUrF#k!FeP{wI(ItsI1z$Vz4gpW8-^@H*@zGq zNO~?I!lRfl4LKSMj(h7fW*YWb)gEVniIX7rBXSL_)7hgRDS0B!p5lc>22@9?Frac= z0Z2o+`-}N!lc4I4v{c1%7XKbA-%6!==JL=$%+a|ItSl|`Z zPCIV}wT3=mk<`9dPRf2NG$P%ff6niXVA$lion^5!$krlpja<~yu_ia|I9-hQ6K!32 zU5`V@OUL)gmNh4j(QK89tB->3iz(Rjoyy-_k<2;fKqO>{__*lv+L!NV?BWOe!0=&J zM!3yd@fPt>V#=n0AW=NMC7N4l%p#z|K*@B8wko@|3N&WP&pt>MOSxNz=ikZoDet4UJ z>)Ojc=Zh@JW7Y@$76JrxkO(kd3_1fzTK8{Y7IQW`42+;p$A7qt2wTynDtd77FchS? z5ak)<=%sjwg@Hb*{nk9Ve7-FF&SopUf;HZ8%*7EQTGQ8!TEMh7UGoPX zp0Xp26M=iV3nt_ z&W-`-Z~(n&ioVIwOh4FF&9r1bGV|6>~fWTYVI^Se*~Ry%{l1og+mJp zq>Goi=9rPBhAI-tX^q(XOD*1S+`HuI2Ft)F*#w47eD>uz1ML4YZv1OqLIA>teu>Ua zDB1SWM;zkdpX|^pQg*z$!iz6qQK8u8mIT$?rTQ`WF;na=9w%dR#{Sscqgimldl%0|PJ*B4Z2e$8>xMj;P)w$w2Pg35A zlU3tL{=ElFKowGGmQ4*Q{HV>3O#=+KiISBmZt#`F_yb{mXlns#5>fLM-Q16B9Vln zWPgsd|2^U8&4;rQ^pUu)^Y_8@U*ZDe=9uIYp6QM&#?gKaqn9-CefIef6|T90!%6#* z^P@j8MgS8IG3Kk-4YdcTk`m5(ykNqlFJV^|4#RhxR$f<23pT&^htiKPPs&_((~Bpj zrhLEq`3`XWOvj`On@Q&|jMH!9_-TdOe6uR{K%IG|$sMIn-=XD&&vDwaa$*mRCaXE3 z5f7^u4SFbY*oGeOC;|0Hr2j&Dk6P~!d~$`99E`hydgPCeFK?6~IB%VEm@?|atV4nF z3QW7~xs|bFMk3*<`zOBfiP!}2^yl{+KN$%fQstVd&8%oX$z?_U37{2_u#e$Z>`=w= zmU(IrTd7LgC2QdG9IO6B8{GCBr-G5zXh`u5yJ=bibAlg~H8jRX(t}j#Wy%R#R!oy^ z^+~5374eSnSn$*7rSf6m z|Lcg`fcZ~{^^YF|HrZDsnm6rs;(*@;KyZJ3xW6^Mxj?YCySE`VYsR%xjuN^>?KU&b zU}6HEV{gA*HXo0$9jp!?7!IL9YfZg1ns+$9?^mq?Es^KiV~zjxCkibBZqJv+ebZ55 zLdr@6XH5eAzU!_Qon5TK2;y1PRJ~@4DbzFLfp^Eccdv$=`0bhRt@`S)%g)Qc( z5WQ&_HYO=rAh0*kq1?S6RIlL+r8UidP2*>dOMpq!z_{Ka{ggfa1a~?2>aZA}_e(SH zuJm@Ysw?5>QI7Og5lelJDb5H26sVJY*)y(=g(%Ss?#Tlio@I76|+L z_jd>APF}KJGm^PJ%4_pxNZ#t*)B*}hIrTCzv z^3O$IdS(eppUP*R#Dri^DMXoEK2AoMGY0o{m>jlC&kuz4C#m*p2wMqhU z;ijw%_^qnMKE>#;lU{4vP(0S^jfB{cTpCe%$Yn9Zt?hSLV&`T-5bjGDbZgs^dO}sK z${!u!Wp1sr_8-gwwO#`F6|K=4vs(b*U)uO_D^UQ+OSw~hpCl(spo3O9uE-V~h%Zu@ zWksIo{bm_W-|pK>=;@SB{1;@(x$3=q4O-&g#dXK|ANS;l`?#)+t)iKjSv8#;NVLS) zr&HdQHv)h&q#9J?M&=IiWgdy+^5b-+)x9{tAA6_?M&S zi|s0xS@~uFJqLrvre8yBJSMS-A3T87$#|2r+lEDOq?Ippkci(s<(IcwTNM`HOSj0A z3T-nS^V^N!lGS%QO#$!fQ5WZ&nV)JDJf{1?sqi2pJD_gDwo=4)qKi&sNFiX-Gf_d{ zGD0&1wUD8aXMR9a*aDtSrJ-lBu0VPu%yUQ^$WPZSLd26gpcPs(k4eKaGmUB|2f?7J zdKpo|F)7_@E-!vFt_Ir3wTkSe2PQGfFb=@efGB@WHU1kv^j|*w=VxRn_{?e; z1KivgGgJswFWUm(ct|q=UQ+H}DwiN6>80uZ>^DjMsm<5Nr4QH-fvJv&CvDfX5=ZUp zDqr-shC%;x>wlp=VQ4Py49Mi*#+Cqof58D| z4H#;B=;Y6bCY}q8Vje#$UDw0{;jbpyL7Y|-u*=v@>kF0A(W6MfR54R(RK%MPeaB&T zvBNBCN2{+W`;#GwIV87-+v?Qg5hXy3;4S33?XtgK&5i<3u@F?*?+mgcBEL4tSnWKj z60!?S&`ycU8Ho>hrbFR0KzD>;nX~p>I#iXnjlV>knM9!=N;QACol8PLi9jq4OWcR> zY9&u4F30(zs28;z%Z9e_04^7DQu4?TKAm|u@gdA-pnnY|tp1SFq1j2`_s0MD{g<`3 zr*~E^y2*xKcfWi_UH@$a0B*N+4PXwkYr5x<@Bi`DaFdf-6Nd>N5AlW8PU}UM*%Wk1 z>rZ^-`S|!F1+l8a1@nMV8yijoSq>|wpQGF%wzrHSTd2=C{c1dRa56w64sz};;Ds{5 zxFh4gX4n#BA8PQVo+z}cOyD1Je5lJb?_j%~eASAhmG8sGMXJMsAt-6fUNtG-U2Q`V z?9)A^;1<>7$!NB-9wQqv1>CH-GX5*t4K`JIU;GT{(F#cgybq3{*m@;lhz)^aWNJS3 zi-jsEae6)_ujAZ^x%e5%9<2-ic8KidSKlAgxN&R>opzz&ckP9zD6u)w8rj5qV*VqI z_*cIi3^;5=0?$Kdb>_>iera*1JXV%yc6q0hcsXIlTi+rN^EQHZC2G?= zMzyQeSU>nUgLh0mB-@-=!?@0WCeAgc;3}?ww`6&mgG$cRP@}h$-7W3`v5wUklOH_6 zOlYGhFxSGBLP0hL3{Ax1@`*7gB7+^VY6{c2(BI zl+U?3@!neeKN;D-9HsS7tBo)#)`%ILX!DqsJ=!Ybt{2n^n4UGnQxLW zo&~Dez{ll42eItIJSAFkZryCc4_C`%>JW(-$|XTm)cg?*B42Bsvi-2p(li+?WI^vx zqB4txu?VSBWhb(w1QBL))Ia#$rDV99P4YE!Hx6brPk)=B0E3!omqcI1_7>C?N2!~i zk`(;eMxA95Z5HeyiwO>h{T!)+Z8>I(*r z8m=V|I?Xk1o(vB4f!BodZ)mG2Ycsqk)I0d0ryU}a8&do&2<=-D-+H@Mc+L8lq=jLav0j-(oWpcXk$f>hGHw_gAS!kU@PBl zCb2MB(upk&OMVs z;4a~+V!X9QcN1b%s*CfRPq6 zw9T~++!nWoS*7qwQAyk)juq7Z5+8#g*SWh}&Uc4}Gv$$p>SK%IlB3Uw^34egfl?*L z7V9JhQG_rkt{m-BBaiFuH)JR@3nY8JCDHsb#983qJ0J2Xq<1QW+%9?k`v;IF__U^t z76kzzOFK6Q8%1J~(*|TU2tm^ijiwl2SGH*;#GOZ53CUqo7ig13K^@h%@lehBlTgRR-BO(HIN;#aNZ{57~42%kJIF^ zsuuddJEXJ8ZpS6%DP$;Y!U$7hT-yu4=4@ro&}_T!eStbh)mN+)%C_njs1whN1Nt<# zYzm{SPt`{x8%5N7k5KY<)-^&KP&^XiLz1PN-qu*q?$G6Co+$m;l_$Gm0x~!j9j{5% z0oo&*`jdDp1qhuCHqFiU>mT!E)f(479X5zUOZ~3sG``24-$7BjMEAt+=@yETNy#}R znso|(kQ({A*?zX4*6pNn8PcBbs%W{B{Ve?3^e*#!*3>{xdG#TF7n|L4D=JIU21E~K z=c30lHQ=kuD;M1tUW{Lb()bA(xQ@LmGkKif=@IW}%1DfvP8(TJ-VocHuD~{DytL=wbZX_iU~+N&o#^ zY<+k~c4}a%^|f{E>ZoMShB85xALOWyVYRrV{2|{ExAd$-BNiO5w|djw z{XgVD{`w|fH4^a>;H4L3EobwhU4E+Jy?YZ^xYO8#8Q9815_G`{f#UQ8V5BplBBZk@ zW>|R&6d_c_YME{F>+M|h%e(b%x#%|}BC$nhu`IU$5kZ`CKfN(fgx-){P6og3P14Nr z*@**5B`UlhQnZifJeu+wcpfYAy6C7zksq{HWE!V{o+u|ROnWr-%FUnO`PmwwZD>H( zS^1nZ5R#0Rptk-oNtxvKJ8}Z{ue{AopheP8GlB@6ps`8@_VhuySq&#S=wFq+CRwC5 zI&<9Pu(EY-bIYeH${hLwpA{?(A>OPH3oe6`lUr3=YTM*7;VrjktsRT!OEm9WZbuGR zq+vn8)^|puYktZSiT0cKJC#$tg7_}O!gBh7trs7-f|dM^uMfA)G&|l^w1SWXjKRTV zdbFkA<_Am{YsJUwj7TtZFvF18%}}7OVNS8DXgPbxR^ITo{1T;>3c3=o+D&Hs2#{_2 z-U;(N$>APkuUp0{s{?ilHPu!SyRQw&P+phB& zyypqafNaE$@W*n1?zJ_XrmXh<131H7@C7cd5!XEpXXARD!k>@0oI+x0-3y!lvF!BM z|5AgQiUC(S1`6-lu--LVL=)0^HC#>;_GU8O-WSS@A+xv1r89`y46;0$3HBpQd zLGYZRT^3cbephWC-p2@uv_anM{bVL`^>^}GoLmWoiGS_aEJuQ)cNU8Rsp?Za`dqt&&(f$T?q zh*(nA<@xrc$O=b!^xZhsB&q(_axoRM#Ltac^eiSP!mBc{Tti~9SMwejd8?PlOJf6N zNbCt=hx9YwL&9Wb*D!Ne&-|Rsi`Q}oIiQ;a5{G*6@T;#^v9($-a0!jk_%<0`R+$Z1 zq<)c#Mt*2Zb(=gEe6{<1Vxl&-8JRxg5a51HZBGPTPG1NH6=eQCW`1#Q;1Y6sKF2n6 z0up7H7P={1>p13W{;Y~|s$=AI`TBf(@Sbq?A>O>%Idx~15?2absvn_)gBNk{^ zvGoAmB2VF?q7MHPb7xugdim*pQTwYoB~qwTC(e|O`{ak7rMNSF-*e07oFID}}G-(gB7 zCpo);b2{nkh1g=p-!Fe!g)iT5cIz0J&Q&gqEEGT|#B*@M&b@w}k-=2CT5p`+m;_*U z0L&^+mdyNPp%1PA^nQ{uSR;U01(vm=o5>|HBQDyB`I-M|0Q7Y9y)e!V#np(%kND?2 z9-K|vUpFuwq5npD{nV;Q)?drZV>Lbqp&(=<%35fKb=$H6Q>*ioY#jmsi#-pUS&Gh3 z1Tye`5u^X?t=k;yfSjS(286g!^i>4Urjj;47GjdBl=h{K`T<@|MwyY!T_vKSlYz)Q z`w6lc0Js&NMQ_4|s|4is$`Gxe`>-FihU_3~ZcF8~^nZeWdO&ezkcN!;N^+Ws> z9)OZjYbPxF(i6Hlx1~w3fC9Q%yvP6ZL0q~)_o<2mnB4<#(!oe&gZ?n&ETIEmbUy}O z(R`#h>vw&CZX!l13g`?O%c$q(r*_5pA$xp|$HRi5p&+kk&6k^LI8jw6<4U2(T%l2a z5dyTHR?ik3)GVN7sZO#g$-cZaeiy5b%f9EBAbf#2^LUTPFUY^|m4EL5LI5Sm_hd{$ z9H3h#2-!%|=d|aGSYj6g#Kl+h)80QkIYnk7NW9z|A4GR2u@XDcw2}A0FF(lb$%M_| zG==47I;4OT!6@X~t^xQwT2m1)NUmQJvA0Q?(h(f~E=2$wk4#`70akc)gI4e!_^^$>6n4ik$}yaM&+*dM`}h zIreb7Yy)V;M3k{1?;(Pu;vvc6(b~4lAHWD=0xaVN6k7^rev581)Q+F{d6r5}j)5#p zrH)$Eec%6XA{l6t^Ul4y+(=f_?<@WwU~b39#a+*5d|XR5BX~@AkKH*yC^8$#4GruVMpI9uL7u&4cs?gpR%YxW%OWdRz}n0iODG7B_pV>9s@b)3{JmRbP3<#_cq?;v~p zW(XkG)xwde)f<5E+H*;BvH14&Exl=mw<2j+FQ4q(J+8Eqao_xgN9(m=)0X8i7F(HT z`J#dF8!yB1|67lwy{?TG6#;@B^e}*C>F}}lV=*gYx$F`Fhn`MMw<72$+w~+4E4EjX zdVn?$l|nvgH(SjoA@;!p;}3HC{>Sp|)3NEQH@5L73=_MrpF+&h4QOj*QYy6*=pw+7cvk$AzoX*zy2V>4?z-9m;>>DD2e4s=!`nw?ywM|dMYiFM`MJahf{DpuEKjS0V9-QDYO@blKHI{s`+M9TIt!`8=-lBDEmM(jW~n@qxy~SlIK=1z(p@c1^A8Co8wV6 zcMDv72^HO@^*AMBWA`!2AKSYE$RY+^LSYV*rLMUaDbX-dYtA_>lbl69kZ+RCOk-A=}D5b@>b~#_w>qex3tJVM@ZGOc1EBdRl zD1YWg`J&-Yg`)8bsHru+1JaRqY(A^F#(nl{NaQ`nW{Sg)%W>gR^s`Ov{h0pKtN5%N za}+EWwKH%;|A?eTg$g(ft$9aw!LC~6sgf>aQ@MwvtD%?KbB1zB9+Rp>1S>m`r}ccv zyWm(wL>5fPpK{5HW}{Ip0d_#U9m)^^dOqg5;S#U*!m(u3`?@Jf#Q zg~@M{QIPlk*wX@(VqoiEt+>$aA{OSuxVXix`PUa*4H~7@4Qs)XA#2>g8_`WhP&lGp z0sRq~#A zR(U*9Fa^hF&c*=w4OC}1?Kh-Tk+ZBaOP#T~Vk(BAj40y~BARzVSB9rfs2d0q$(a-i zlN4B5S?53X>$CcvDZ2e;b<0$+Hm>-Cdte6?Ebd7NpZ}a^{zBVe2WIL7q2!282k;>n zMBooy2}T(XU?Tp4zaM)P-4@fSxe5bOA`;KN!cl#<$-W zUSt*Ax^!-`dtLvd(dv!K9YL;;__EkV=-6OK8qc4=RsH1~=YjjyWFvgJn~RHvFGubt zq`dD=Os4AFnmW(29=$8A(~T@=dsAsi!yV3Zw7`teW^^XEXEq2m=mGehEq+0}Xc7=^C6SrQtr>w7vy;vWqr ztw!BlU5&U412Ue<1T5$$fR_&&*LcSGgD+YP>Sv^Cs8ecaFK491V7Q1H(G8eulWAEsqIC;Ejhv0rZs9|tt-|Q zl_#{IEyHuxO|DJ7W@26zUe0fPE(~8}u>X`5q&q7{9Cv!I`#2NCCksB|C4jd~YGl;W z7ex3L172a#Vh!Nh*SG*yh*OGrW>yg-qe{P)8;m0W&v5Cs*;2Koc|g0~i8{j7<+*jY z^xjBO8Bs9c_O(fClXkNm=#PqdX1>H z%iPI%y35GUxw4dGh97e~(}&_Emsgs#NH3x2UcvGGcWV&JvgoVCy)Lh+&8NfH5@>Bl z!23wabYWIWovgsoa@9jcgRkPjyh;7v!@)2FRriYktN|Pn=3HC19?7XKvBxt91qUwm zP#{Oh_?sSBTj65CYpbKS{_{w8h4h&fvKTE*?(%T6Q@J(=pJ0l7ZKpU^HQs}3un*kh#+Eu%u#c6M;4E)=bmbOUECpJS*JxsTy0SyM8+(#8cQ?FI~ z=mP0*t2T0Z2v049E()bVPEjwZ07Yw_T-7@BNI4d{(^V})sR33^U*O>T^i;+kp7nhmo+p$sci;I?>;N@PLd4>TSoW3IR_?}+!%~Md#%yni|1{ft6K%>DWzh| z&BsB1_Rpu1HtqpIy-?rQG+e4V!h5UR}#tKXH~mTMh5R;Qje z3s-BDp-zQrJ1=2U>WU;7a)E{mT91_G9K>cDp zze~^vovt>a`Mxr#L<_q8l0j&~j-ufIL&pE%Gpn&ludYt!6QZA>$WKX!pl52d;()AN z9GOJof*+h`9jGci+epYyjt03{)QNFD*uSnVmf?sT)Ic0Q_K9qN2_*g;EwqKfrIT#r z#oCW50Ul^Q$>U;bdnoa^Egt2`OFKpN2#G{o8JDoJXIC@c_CvG_bnHqJtph8Tl$QgpAdD__?B35T80z6$mHX30Zao2* z57s?@PQDeHAp|jFt^MeAe;=h*_>8b(q_+Q88+qXNhwmKWB%L)hxNY>2Wo;DI^Iy|k z{0#zvR*OWiR*N1>aL}4dK-0;T46N*=htK8@nn{wV|HK*RWuYx4V8Wda-pZlGp}b4k zD?MkK@1oK1FZ4$o$s3{cMp2L)%Fcc&uG4ZJoG%!uWzDdV-qahxT-vB)S(7`Lm54;i z#UvjbsRhiNd8FX#`RI=ff2fK9%eam!eiaSx;VL?a_SC0cpw_<-3PJfG;(M|X z_>Z6cQ~)@^oSMt!KMpL~IMjb32Um_AgdUaXVdpa7rO(q3QC!($0(H?!y5NFNtC?+7 zv2uD&d1l(h(uG%jAJt^2sEBigs$|xO$qA-HXLfbcR&;!Kbo5!J^DB+&Aa2$q&BZi1 z9K?{wtI2pf@=_o8;Wz{yGw_67`ann6Ga)kcW*{ggA3Mj4u%9va8zG%+HFbVEfA&Ba zo4BkdBs+{(K7@#i?&`(GO1q=(Z8{-Ey83~nxJAqn6A4Av0o`p98EpnN6&yBKMEx{j z8#!m+RM!t57?tt1D7lJrG!5SI)MI~sR~!M1p{vL zU4(R9x3G>D3`iA(B{zH$ToU4NM^kL`PU|}(aiqbmN;+(MK(LflwWP>yoYFx0;kb>_ z|MiE5U{oXx+BpWz~1zQ|;U`Zr z0@sToz47!*^|_k+(4Li*%`|4=gsGRfckdP|6BudxFS+BY7XU0611&TeZbCA>|(DNf(f?}uOm`R zsazDQbWwK)Gqg?|8x$ z??BO^b@`YK82RCZ{)Dr1tJQ5JtXYIZM6;|!KI@utyw4a2q(Hp1yF_w5`iL*l7udop z1;2J-{RwJ?yl}#s7;}Zpd6l#<7y10FFCy?y>_r6YgZQ3qdGWm6vEiIV7KEOC)y?ZV z%sA!jwAwNcuzKigWUKJBJ=* z@BN;A?ESwUhvRWy*IL)P&hxkI=kjXMM>Y;cx2#*rL-fPU4Rc9v6b*O|XJWhwK} zXkHZ^_J7V1D8A29Bjz$GJpg$2hMQomy5_nka?FsbTqu0vXqBR#z6QJ0a^{p}HYN-518~zPDyXg4g@M<;jpBgxGn0 z>*?v|!N*XMcQOt8A@+``hxH{@-4mJN#wyUT9uzrt0F+Y$4s(>gBA# zf2U}s0{Z>B7!7eCUky?AD|bmS<2$rsd>Gg4ryjbfANpxc=%uA--@SO&+%i!NBk6SG<`gBQxn7X!{2sOfLbSs8eVqP=|p26;R7d-hyaT^-jo=Uq@96Al5yOOG`drpV>av8cL1Nqhu4;L2P>lk%nZ z_v5pr&t!fu;-j3bdd1c={ zfOsLvFb%H=-RFO(=nr$RpxzJw+DCqRksQ!67L&|vZ;V{8@@ZC{ya|uD4qa!u9Ia{* zG8Q+sE6&t=(*PUya!T->fRk@dM2W68U3uVP##_`tCjZp)S$%}dwP)TA6VI=0w4N>$ zm7=cb?*1YY0R#2Ic?6#5UO&EC@=p!(%ywX6Hgw+#bbNSXB0U^?)*b=prmxnP7-MJ; z^AR%WRz|X2*{XMCSquA}cjd&0Jj@hBB_;WqD zxOL%tx5S3;uXE$lrxpI|QMUT>CmYtS&U(AqFHj2I*`IDQ9#f5gxQNHfu*ceI`&J0` z?PobJF$89AVEZ-UQ~l#|A7vrnOzy3%TW$c;at>fs<^%Tf-cLX)|EOiiqC43s?;%qf znU0I-Pu0t}{JZ0g))(Q2Tp9NHYUy9no?_+Zd;dj8XsWK2iJodsGKY%d`Hy!l7`{C}xmR}Vn zbo=PM!X&4F-$WR2P7hsOvN=VZM){_gP2nEAUcHl~0&lqZE3!0Db5{T4%;6xqLGK`b zQY_*P8$?91?rjobqM>xA+sJbv6h6t}wBz{VIEO6cupCe__1uAXpa2^LArHq2)KGS^ zS|EFH!8eUw2i3cBfaTwlr^(Xi7+nDpK^m_Z!nY)%sFEQg`?9Z_-`GWVuiumTqNWE+ zW#kp62%l=JhBZI}J^@Zm^}+2-iN#o#2t$Tj+e6FAK%6i+2ja@&kyfOX;^TX& zCaLcJFueG+Lq)jz8e8w8qNGR)w%YpUkPGM|2(NCoxOo89P%T7Rp)6MUKHccUY#JLHCFrAXJHRV>#SdVp%Ue*IXRF`@|} z_DjF6h69gbj`%3_m9S~f@;6}>T8+d*jPapVOeD`Kzu|nl)bZTii_(4Ou`&_sKKCo` z_}~SHi>Aq&dj#(@Eh8mI_9^!pp~loU8QCw#0@bW;hD;XujXXDSXV&pqurJQ6r?6hO z{==`E`TXB=jQoF|V@w;giy454+z8NpmeSx?t7w3`uzd z)ouF%O+F?`ShqiFxwAYLKoNf1ou4x>gv9x)Xi28j*jG}?K<3||SuT^Y7~ftc;nPmu zi~A*CGaIpb#k{gBnmkz?r=1FXUg)cSgh%C-ii0MZwT#bB>(%8FFcDUVa2afuJh^@VRsavcvTcdCn3?!L zIoa|Kh!0>nV38&Ycni*7m*ArMVhT_>jz~YS_!V!gu^TyF+JMIrRE`-Kd=)R;Ds#k% zw_RxI5N72!iI>IRR`|pi_v*+bvJWJSt7NlM?Z^4)+(vQrMnZR#1XWS=d5Z}V6S6K;BY zJvbX_=8;V-+K=Q=pVU}yxjfz4m`5v6$k1G`Za;A7>5dG~L{i{|)ixCEYdqB#fj_%N z8AXu^e}=$140KCv|EVjeQ86FO*2ZVZinF|_P9nV!PfyIx)5YFmal?{ov4#-}Q)8++DIF+G7HvkFZ&$9Z~V z1jpmZH}NA!&2!4tXtQrfVgY-su#C8wD4LieIHb`HXgpa?dvk?7fAU_(O%6Isv6nDG zS~CN6j-~4}4tVGuPR=t6H`O|C^#HAkw71XDe20Te>a?2MOiJsm50|S8Xi=b*33A@u zPq??vT+>ke@_eIrDU@IR>%rq+3(^A*C#5qWMlT<70@pS7j7p#O0u^NNa?`I=GiQL__$vDXMh11>EhV5k^kHV(!+UY(okp zzu0jO20jL1>pFZ2aK=w@e?vrI!dKY1Z?W&VhCJx3?w?=Qpfp$<7^kA@-V}wpfG90e z9qXUZ3M{hh{%PJ-GY3QI-+d>F`yaW-3%E)i5W80&0&9qq5CuXZ--bOcD-Zi3Ka2~J zh~+}eZP&)2?{2%^awP$j)tjYl9IVC$b^8-3cN_kK4aiYY5@zQP({E+5`V+FMfcj%1 zW<^Cg`@}(@x85*us$7rFSbDNu+h)NY<6WGti+~lY7#v7xrsud)9%p&&wmiZ60BN^goU*@wvu; zbcg@L0uVx_^)(}$c6niugixYiZ#ij`Grj(Nt32Q9FQ8Z`J~F$~2Xj=G2@S2~`d=Ot z$kidaCUN&B#^A{d4zgMZm^aO>pEP}!1?dY83q>;5eL#AQ?%Hwdo56Kp_F4}?Vv>4=gm|9w)w z&x80KMfM#oNOImYPvg{@YyY`yZIpBzj_ni%#fI<>P&V>oDCs%KZ!lAtGV?8i{0NRh z0%|vb+p3c{CNYiPaXiNRiB(9HM4p(-0Vkj_S=MF>?tN7{UE-xMjJBHf-Y7_uc<&(T zviF;lVDN?G*5#-+Nw^i;!VkYwSBZ6fI$kfpP036Z*kGJ2 z@M->cMyo8Pn(WRtTHIqGrzm3+`uCt_sk=KZ8TnS|8#)=AAoD#d=a~XR=2p^h>-xK9Bi_-T`5;$iC(Iz=9$bOE@J`KG}ph#yj# zp=RJBAPqpF;_-^DE+1Jp?Bc)t5c$=5* zzuhWpAV+XbT^6#?*Kfm;2CL;CY})=og>kYusvK=CZRZ3Le!&0U<2f3~j8wb#Xe|a5 zHTPlad+OO!-r^a(UP1fJeBeBZ+@3juL12GVf1ST+1fm;pfSenfEt$1_t~Spz$ooF4 zNgkOq`8>0p640Oa5*1sZ@{$mkbL+*C7&-j4bIYaH!lI({XA|J82O z{-@pkL;KV3GXIx4>4)aR3uMP|B>r-Dl(T=kt|<=`&=W?R89@<%g_8v5m-2xW_&0ed zIj^Q~53j&~=h^V}0VSA5&$(jMAGYK8VC2R5rT$g8krL50%*IoxjTjCOe1I>T{AQlO zf<>YEEaaCztQvj5f{{mDts&`bc5-K>yEeW(;&g!k8LI;*2I)9)U3X7JngNg8ADUIU z+fjaK{O}mU87g9hr?QP)OK}#pcM3?Wp?%u2?@`=06@mmqqP-KeDc&(j4O{PjWo4j* z#wvViiZ5yz3my|rb)NP21s@5DoZFGS*8$?jn?EqRrNtli-PK!RW5YwB!C;ZeT27~Q|)eqDwtOgbrc!Wf0xb)^x zj5u%IF1UzZiQ&y5H3aS50J{66j=os6Cm~IDc_}U)bXpFd#GW(L8Ut}*|Cn27FYHn` za5blApy&+T=7_dF{moHALM@tSI%!P`b zU9SCBKvkxwe~MrSAu1(^PdlBjIvp7bva7 z>pf_9-COD1ptvvMZ3qn#{7HnE0eqVYNFm%u8br8{Bvb~31EH!wq~P+Uq1)!rLBgz1 zKwTD1u=a;p-Ks=M5)8CU-gz73>fSHZz~!vns4+DALgZ$oT%+LCwU;;+^veTK*(UyG z0tpr)6cm-_uzLe!4n&wV71+MI z4>p_C(%)yaL~O+ip|Y>3%RdpSc zCtA!nZUY}A`x1n9cs^-q%HTbB78BQ^224#I)e8Wh0#NL)RkyJuQR@~Mxt15qw^w*@ z#m9l|vT2g%eIE$7Sn;pQKO9z{F-_>3)82%}y^Sn6+cvGstk1y5l|F>ZjtJhnO~;lB zRXVRgb4sBfFta-7ac6X=sOte{*+iSQ;_6SvGH}-)_@*=)Dsk)CA>U2+fG;y?;!kCEj^`UQo#7uw^-YZ^jt?+yasd%MAdKAm8V zyhf|6qJzN5WEobtYu(>LtZ;dVU)W)bnNEtLDlpro4k?+hwj3SVc6@|bR>K70e z9(7*XXWEi~LBlu3eR0o;-b)x#x{z;7hGxAw)e%mQ#jj9V09b z>?udftxg3a(fDA}aZNKzy-hhU9>Jq)v+8XU`~QT+Og?m!Eqx3Nld&rQc6xWob=D^* zb7{BvD*IjE#yXF=YU@Ya&;(iJt0{P}x>Cg}QrudvKdci0LnMOifp*qUg?Gtk*URkG zwTJa3m9bR>tDI@CUZEV971o9Zg+GbEPf4;SsP%{ptuT4Lkc$FJTuAzk-YgwQ%z&YY z1qs0Rb10$|-?2Y6#(h5Ct{LKCW6wyF(~5uVFL5*r zh+rDB$eQ(%Rs-zt*1XdVJY}nj*o=AYW6~Nu%8t2WSCg!`w3<# zMhWs9rzQ_2$$37oMogIl%IGVfQ6I0kU5}4pClS#@NYj%zFpv}~o2@^5NDiAu*MV0Z zAAY%IcL~Z!zxVoy$}LNppL~In&kjSyPz3%usZHWS%1)IC7@(r9X|8b(1HheBR2^)1 zX-?tQ^0l2wiSqR{F7lOe!Dt;pMTlfT*&W=+oA>2h)lx|43%;aQ1IpY6wd=<$^4XQ1*f>PgzukZ=KGCMV%4*g zI`1MHyig3Ple*Ah>i^{a2XIC7&glWZ2#2c~+%ZP7XLBtjjINiXUiP!dWIQwF#5Zv& zJ=zd`8|HgXB~YN7Z@PH;O!uyMw=NfkxxvN0Rmc3fbgK zYTPe+XDb+FouS7!9#tcQa0$6m-GK(|r=k3y85<|9f+#HDpryf5;@wXwt?s+)5B<{% z*e}gSUFmlTPkKTr1h%`M6lo2rryP}>0?EG2OOZXZ=&Pql67wy?O9fz*(Q#9msL}z0 z4lTNMCG@woXP^5jNO2S2_L2n48n#X*kA|aNc|5Uh9c@aQu+Ak(I-hBqI|7{FYgA2B z|H=m)i4I}6D`)IVzDE6)aCQ&zqMN+G2cK*^Z-3AOWDR0ua|SM36({qa$BpbuIs$IC ztys^~oc*q;C59@}n;}ZAVtO;<-Cp-H;{RR^`a~b)WCmRMo)6LCG}#wU*)tsXWhoT~ zudjS`hwF{ydn!<4i0AKYekK;+&FCbT2#hqP=G-SuHWX+tMebczEfFy}P{P!QLu<<% z4B1S__fZf100(S=YtPA>bDYD=%&9%up=Y(NJ%^)CPCZ+4Lz{pN)=^4s;69RxQQE^{ z1|9$p*($$5Sup@ZBz;$aD&2oGLzP9JQO4%b0T)qm_%_h}c_8A^yqk9MVBOFO0(OL zVj?vj|G^Q~7_}GET*yL65zV?KmYy*b-RAXj?N#Bt(vh`;uDfrE=;eM_2kX^I_kpIc zC3DIgwPEJwvz?6DJvSN_*D2M=o3Qd#c*OCDw;(^`Bd1rMJZv&klhtlBmA_qIOvAI@ zn!zgiB|jR7tjH-r?q}M0I{|Z?i;Pwwx%D*3nd_E+^g*V7qha4x6Kl4!2Vjml zW$@*q+2peKjt5(LywBpVqoDU$JIic8gb;a(LST`)y+sSpZs+r+cB(z~uvYizOR{q@LJ-Q3#eXLix6K!{#I%YnL| z!CXzCtf|Ca><}Jo5nn=?RS`+LVlBqT1|`D1|15U_8=y9fjwC!TN=rfp469$dF~e74 zdX2L|H;^E_z$XkOLP+c=D{EbFbmwg-ZjnE1-~483DG=AO^)3ZcV-}zO0EV`+bm}6+ow&`=ilMK#Z11T62+VcJT1Wb3 z%J(%Q-7aKN^Nv>rf!EqEUgF|mD4nNZc)eGsg0y6-cS=tfIf~lO3n*~)Iy=1XC6oxB z%Yz!-`40f^8O%|e&O(Uf>kddR40S<7)J3eAW!Pi%;HXSjRg5?GaFBJySx&7M~E)XMJqN>SBzFV zdw~g6#u}uH$F-J_zIf*V2iQDR!r}+q6AhG?eYMD}O>RwJQO>8g? zcabJ8N>k+ODs7Qv*hdt8KbzlO!?Rj7DP^gQ4*~$cd1`Xw3wK`w!`yM-kuD&FqkEdH zUqCnXc%)?g`3UI#)FAym&uillCgT3?w}!ay#mk@+z*}EvT#z|dp`f_S@BVMl6Kz9x zSySibG`L)mS|HQ{nwQpX04>b_)hJ_Goo_avd^7h1W?c*U!5w@xbFOY7j0s?c`z@vD z4ZTC~Cf7t4tjmt`t{5gnp{3yZB_qC8`*ZDnGP26AtC$w!WY@CNt~9;J(8Hm>0f50# zOF!m{d?*HytXeg`F~>kqRY!k2$kZjwPa zL$$kqaw58WD*XQ9-3~4L_7Tv=HUDZBH>RNEM7+HGVD2?oB2SJf5rs77gGTnglQ!@F zsb;|mN4b)?q?ZB1${mB*HT;DYxi``nOP#fsD!LUa0=X}k@8Pc-Tm_Ypb_q`suCLmg zof+M=_`ZHs%`LlzxoS?=ca(g8^vmz+;8OSR7lm(nAgntcovYcRj3pJSe1%$E@@NRi z{fc?i<%W$bFf+YoLaoAeY)nO5$@IR-HcpDcuSy;y)(nw>roQQKUX;`cUG1d&0_Rv4 z4a!Iel)N-r{vw6sT*nXOK%ar<h>+IdjGs}dB%eGdu&gn3cMNg53S-E3UI?NDj42CE+wKT-`zG= ziX+{oysZi&t%ixfD}0=p3Qr-T3F>J_T2Z1iPci^OkytMKq=#4CJ+EU^UuNU>m6v6U zA}8f;DKdDE#yx^--R zxBvFVh|vFy>q)AemUD$y!z&9QA{j83S9xj~X?NjBg7p$b$Vd3iA$^H-+GxAz`O3q?t1q%!elJ_Ih|JR~{1$ow zl0H;oiXsFgV4LEuqfpE4NEWt_Nt$V1Yvz4_iyQQH3Nl;lau0y;4Ki!hT5^)stm|-Z zM(<3?$iST(!}#V8o^t1_A9OpfhK!QGENr76;=w+COX;MA^9jwUos!7Y4gtFdmrvg? zlM{_Q+K-Eme-kg+Tp_%@&vOjxQfDZBuzR@aO+N14{>=*c{>swJ9=Plq0u&X7hq9a2 zMgJ7b5|brfNcWbxrn|+?7L_JRrP32yXC99on;vOPd9jdp`m`Ml`@<#}J2=UwFerSA zmtoWA>zG`IjAj_oa>v6zDwHG!c=uw~T742d zn`^TyPt|7CHL)hW8m5Gr8XUP!z9B>Lb(R$btrWsZWKI1+HhcHkmcy#T({HdhgEB=2 z)OFcRr}wjj)-+U^7`j1^=%c2hs=5xlVawjv3AFr#&T`hS$B!^+_v+y`AY5itm68`W zycHLugMPre|7cQVAME;Im!eTbV-WhoJ)#@RM}l6S zyWhvN#^0ZzoT(-0a24+57nHa2B5 z@KaXGRh!ymG6VxZXBWva|h*UY=7j%#`VsP!$&JID-|T^p95DE_Clx{wdV zXGV!??f>Vdw8fiy<_D8Sl|%6r2HJ*4^^KO7rsKCFjvb;8pBY|Xk$Tb@O%c;llg~B_ zufml{e*39Xr&~IO4~a-C8b)>Dvq9+DFWvCPw9_XhUi=RL4EFJ2Y_&`8 z(ooz<48F*FuDJKGgvjA|TH4RGeLeWFKbJ=h-Ei&nN2oRH&M<&3l;_4 zR4zYIF%`6nIhE(Dc3Dlhr3p+(z$-t&Ay9V>TLy){Zdz;)_TuZ$;}t}c6Z%8(QurCL zy;zL44@0KLY0UF)d&;xac&t)4B-vJ;U~RLM0sPlvNf(rN^hhA3J3#4i(-_P?%EgcM zO`sZtL=j?Cx0vbE095bAUpF>W=bZ)BRD4{MVNd@&-e?8kbt-dZCyK7yAy_(s&BB6e!3Y9d`TIM{i)5GjcK#3hXPq9?$-;kSQGnpT8@Qn(Ac;Uw+uL9~ zz(X54{VaSRl-2GOLDE`B81{1tN^*)2i2@nBd?zqRF^NbM7+})&{1ZTSa1g_SJ>L6( zDad!hlfli7EeMI)4)heu&I`dZFd?Y0I*EiDOGUSKcPUM0>K4oP<-d5VAWjGZ+b5=o zD6FR`@LO>a&Rig_b#RnR^dVy$acxHpJ;@>{1oUDr#wbG{3dU_ew4R+3GF^e*OKhyq zuCnark+%Ak1lsQCAYG=Q&<5QWQlH)`FljdA>b7STdoz$cMoaR9`&Wj_2=HW1$C=9* zKQIMUMQfb{PFavSICCp2^qA3`k4TvekMtIwn2M@NlHs@ck?>IQ*&G~33mBW?#SmckThR2-P{R+AkqODh~ML1l+;6+7fRho|z$h@cJ=iu3^%y51A z2b9N_&78q&m(|CMT%~Ii3s&$6JY>;MrTyoZ$Ff%MT8t2M$C*tK+~!nq&$-@*bDM5_ zlw$^d^>HMJxYO}m;<%>uKz3$&0(P$7wG>e{?QytiRDPDGWd-4zN#a2{4%CEyn1HY$ z>R~$#=<|+!0dwVyEo@Fp4@X$7!RPQvo|!K!>N{Ny^Y*#p_oKok{$Xs_sG^96m6idD zZQsW!WrcRWo6_9dRJQLF+Zk`F5X!mWfQJ>>xf8!M7W)DZ(^*QJp>p1X$YV8a(Li+9 z)4?&hFHaNHl}+jlPnS5!HO=;VwP&N1P+ccA%xT<_5TbWAgqU{ireYU+!}(#hfS^c?#7y#7OL zE7k#yqQb9fLqhk&Xs=-p_#~AM&3$z0-j4@l!WB^ftp2VKRVN-134>Zo6-XorrWvtL z03}@Xk4UO;2)f=5dYn&Hehs7j4=mH4$`b6iz$9BR0?drpUkz*3N35i zGPlLy?z7HxB-0QVU}iXI|3sjo2hXaR&?FGF^1A;$$%5U@Oxm_Mwv2oUI#_?ews>J0 zNpsyqtsVd3DSk2tOy2+TQ0ws^1*F^n87Ot}p{tqN{5G<;D&*#kE-flh^6D-PaaKq2 z8Jbs?YU=$%6_}$Xjs`E@8f<|f)F3$VKgOrsCJ2cwi)N^CFzJ>ih>@291<VWf;Au~8H>O<&`@ksrIZ=f`ShpG&mo9@vqQf67 zyj}qp|0ISzS;wPvG^|+csnoGrYAxCt*%Z3nT|)zUSvY^Flydm)nG^}Sql0hq)-D1o z{6z`$8W7sdJ^={Ji{9lzdEKVqXr~4lp<_IGZrBKQp_saoc*RCl)cQmDZFrW^npf8& za|M(ch-kcko|2V%=lNQBP_7e()vmd(?(<-78j`hWHiN z{B!oTs29bNz-2>>Cg$>1j#YyF(-THrnU2XX)kFTBOuKIFg8RnDGa9W>X83j1rTgN+ zTRX*_-JT))PvjN_LZu!1yiq*g9W?~e#PVMG!12%5(?%HBK?0Cg(&cqz*H}X??L_8H&>|^K`pu5g`pODe9 z-B+^ygwN@~h_=ay(%@Rb#scGc2gwXgP@6&JAOK21XnESkmaCy%HMa@iH%#pZ2lht z$i$URSvvKPPBmqi-aDy``|EWl<*8a|nGIKs>L!~AB}9d>g}o2Itow{Qsq~*4956D3S4Hv4 zA)0r3zO#0OW!7&yS(rLw7;AT&KKP)t*Doj02K7T^>3^KV8P*(-=1bWL_WC-9kkV6K zh58?aDxx{iqc9l8gX@-QsF1kishah39)rMT;7%G1w}fRt2oYRREg^>Q#8zySRX&BVW2WhinR#=5maMlPb$&Fbg9 z$sA^Cxa*GKz>1>VA7w%hECMIMTh2h8!tGZxwzrPoUa5B%sv%+QLz zuahv-BfDQgiZ+=`RPL&x^Tj?^Ql3a0B=A4c+8s&8T6sx!j32SRrgtj6?-N%K82_ZwM^?W+D-2W(2C$A7EJY7lo*e+fk%3pT43oJ@aA#K%K{9jZKoxbvzf!4$c9HZ%!k)yyUU;XjFEwOzI!YIl-*=#9OxxMqdzg)3B-hug2BKN zZh*zE0lIACZUtrlaex^O|!pt1EAb+do)#yY5(%mudbt0F`Y87v-C?2bNf-CwhU zp2Fs92$IPw3=twpMt1zh@l4&#O8}2Gz8*;s{vDWl<_o2{raVZQAH-iQzGhh%A*`F> z)Ez1;<{Yx`tRm?WT6}eeKIy-5QS9$Gjj6wPR9PkCtY&B#7%iypKeuKZVp6uY&72h`ivbmtSpYo57>y%AOm zFU9{324q9vtBj*p&D$~TEg*+7w+l@Jq-lOCBg1wl%_Iq8dR~|WTS=w_*T9|AJl1KB zRP~IN4uD23;&T^RHN7;PEtPjiza=@rO2h0lboQu2fdO8u4zZdYNz%s9DY}Oajxboc zOcC*yi83gq^O9+ni(=vxR&EYF>(>25o^FM()$@DF6RXCM{&GCP3{fx0>d8gnd%||m zrjp8~w2IY^!v9DyBCj#q8AZCG&v1?|lUXXbqWl{l*A1q0UII{f%iB&OQXHAu9oKtR zI*1&V)9`VOqIqH0n`ZvMY;J!lN8o`)mN`n271;ThN|?aPOnH4J-4q=Y;2d;?b#O(hc9!&g6x!H2$k#VsO1B8YyoEE9-^SFlvhX|?ht0@ zIB?|YX*0C}9Ui1J^S+nnQjN5V}Mf@-`JJ zZ{1Kpm`60_I@jp36sWUA3O^&3C%01+-GltJGJy01g%LnFxlq++Gfiw*TRz-hbX(pF(+@a^JEm4;GVI zy<9dsHH5dkH-lmp!8Q?+_YIB}NnJ}5sg1Imb5~#J`>ivWr2KO#KLE0!`(`ZRQ>E$=}~`x$=R&xzX8jvUH?=yxyLA8B@hO`oG$=v7^C0n#6prZ_i^Bv;~S zZ)QH_L&o=2A4UtvCbS8_0}az?c67XM*k+y#1F5Dj2P(4Jt3wlUFRhdz?qkkR68L}h zg>{bKY*US93=@2)g>#r;RB>_FVzHm(VNl@>785P?-Q!Dg_-ad>=M50?hq9^FA>J5W zX2UdjfV*rx78KIKiA@{9hM`rA-uI58D&6^m(ZRA-E(5otf|gA;Z1%?kfJAXtk{yX~ zqq*~)=K9F%L!q<}%l?0thX2`Xb}bCV0^0x{c@up+v?Abp3#|7lnFBi0o$7w!3nWVw z*(|W!DOq4t_}LPFh!DSY4C;}`RuRvPnOl{Hqd+xi+Uc>rs6$V)J}n4LYXWp(;Cq~5 zr4H*}C@^tteRUk&J!lb_*6s`TCjnc22yfzb^kDH0Ri7t!F#vi}(MR|q06XN`mppvR z;i)Q1?YYaBU&Q#~MVwJp{Sv@0vB!N&wu$o4>H5D_VUqVh zRbe!F^qWZaL&t`{-$U&UFZ2x7{&NEE-g4?tzyfte%k@w*a7Gq@`K*v#6T8${fAh7z zG_blJ9_B0;{i)N;-yM`jUW4AEu2^v?v}_C1xMW6(%BPFb5-2f$5iO}_)X&1aooMb7 zKebxUlPpxaakDfS3X|lE^Tw=XXEu(+Q!CNtNdRda=Ge>cW749F!HZubE45;;lR0uO z8!ARn{H}-f$ zv?-j6QyGHn3!sx#t_}%P`Ws)A7A-Y`Phs2374Ia#1dJ)k*ohhPxaFQvQ(R$}g7&No zee5WZ*Vrgv#aiD9jb+RYv~*aoK*53$&`7n^eb96S8Yw&e_5Xhuj{orWUJ>%1(0AX>x190f2JOx!60AD_FNKKfgLl{3>H>k^&0q>U};NTOY zc&l35`r9IVM)%(%z1+&})^5{QdF?p=u9d!_bwaHW|2cx(fUDbU7Qlj@y~0jh+3Z3W z^NI&s{c?y1+CG22g-1I!)%?sdYB)s5jzip{lKpNM1NmU!GXa)vP0{x$F&9N>vN*g$B%|=UpTv3j!>}9KE{Iy zKAU{y8o?RH=mvZMpLQ%eXPH4Sy?-PC%T9_SWI@c#&l$zuYV>$0i8m~D1V6$9$X7DJ z+C=xByGa8f#1!(HqDV6Odu&#}0zLql3kQNqPHC2P*6D9kS|@|jyQI^bAS>K^8Iq-; zYe0H+3A;XNc(&jxyesP}u(RtH7Wgv~C_T!QpP(jMPEZ&+l5PobHy3j%Wbthsa(-(h z02LoPlEFrTmp6k$uw5%>Q^n(bN$VxflUE4aLw#_k|29r#o}z7zNSK|w_^CM zmnW4#yv#Y{%(H0HoVz>}8jO7*Sz2IpU(6I#D&;C)Ly4~*~Vno{vG+}5d| zbra8wzpeWv?z3-rRhw+P8q+eVrn@$&>*0kI)cx3>=9Ro^oS$2d*ZPD1bs-6}j@~H9 z{NpCueW{TtW*fWptJUwf+GT6bkPB%w*(pF0Wj(1r=U??M3;cg5d+V?$yl!oHhVJg} zkdhP-1|$VUN(H206p@gYW)P6>k_IVJln{mvr9(rZ(gWF^tv46fs!7g4MZAytpfhuRi3!N<=L%f%`xvC)yV@e~*-xngb+pW5I z5qrAa21g0F(ZP9<$LidiO0+SZP=|18!=*A@R&K+K@(7`dfe%}u<8LY9VliSMQBPQ1 z$1YpirIV-y)}EVCdU_z=5Qo)v823q-mZY=;Dm0V<-B%|_EH}j9N27v9Ae39!%t^~| z4F2__e0?+my8nFO;INU|oLt1U{3#bC-EvZUBKo(#J`GnV^{JCeo@8DUazh5(%%G`R zoI%6qCqXJdYNClSQ-NNvZPHGr42Rk|q2WOf?t>&ybR*6yq2m|1SHt)ZTb^fZ+HEG} zTMD@*__R+od|D0mEqa`ZwnhZDHr5$VDkM6Q5#8uC=rX}EHa7*`P(gM+wl)pT3fe+a zFKl8a28bgZ@v~Gi&&UN*CYITL0pX2hy-WBBSJDAkQ@_nf(F~|wpf0kJm-$7Hpfyrq z0)(()qZYI*c17kK%&|;+^-0)=O>RDvUNkz=iv+;JH5|CFIPMxaH`KcGZX$Mo@=y#; z&!3!1d|%ij$Tr4SJMs7;&e+(Q@jKx(uw^zWHEmSr=pe)ib~rxK@~1YTn{KYpE^N6+F;2jszA8 z^nH|RfWk?CAwoYx58{<027D5+A=Ld(ccKt_*hCC8^4&lZX*;x?8TgaU|BmO5)yHCQ zk{fgyA8^~e8-OS$%9fIy9_xPlp>D$LndP4(nX))QI0_77vTO#-FAm8d-2Id=mwnps zOF={9bhdux{^@0B4PAm?SRMVRz!Bg{CZ)|l|z4rm>aKCB-njzo-E?f{QoO6 zh>#NG^=SAJS;F>CWQ8iC?`6Y8uw|@~F8Opm>}XJtRc{J(bNKRTrmvvpA0w+jzVOy* z;Y6HDfMKny(Y!>|k5*YORThHQkt28k1}TkBje8;%`)st1*tDifp4X_F+k%SK0?=AP z6f5&pM#TjFEU+mrfUt3l!Nt|sO-IO^vt+%o%<*K*{IA_S9!S|wiK)K)2I5TH1dtP! z-@}^0Q1n1Zh#^6U&)O(M37ZNLA;C;Ho=p^=J(SB=K$epCC(^YzuG{h%GJ^5+Gjn}sz8A4RUOoE=Z zn!#st8VD@P$J&L07roh1xuC=fB|@~Y1SNN^Z&pcE7sZ zN6?5{6M|6{n_^84iK*P4-KW3J%^ygrDNXSre711Wb$Ioqt(L*xfd@M@WtEnJYVdYG z1PW=ZeIwL(G`s;KW$`b-2q?XWe!}_1ZmJ3sef+O7waL<1AEtfT4=hZ1zqLL8aOgf{ zo>x?OTy3h>bK1UIyk~@y!{zBs-k< z>=g~UT|G(-@*^FG%KwgmUGTVa%1s~CepsbkCC}D7GkbT-8?S_A32T)vxo1=m0V;U@ z*XF;MFw0F}(p&fM2#>3}m+$1dLb0Q9N+?1$%->^t{7v(L-6D=>KDdSc2l*lU0QTGY zM4CXegP(lo-%$H0{2ASn7-3gdY@HsMeaC#K;K7~w2aoG4JxAwr1?dyx^;0WX4d3~m zBM3rVd7o9pXsO-$>U(nJEvwyo*iEY$sry*(HQPqfqp^1K-Y`|zFjZK#Jk-%Dvd)Kf zqLP=hRHA_)Qmx1%pIVkgCbr`#HS<9QK)>^?a%mDuI(+q6Caq;)G?Cl3k$xMII_?Lm z#Kdj3XS?I~B41NO(HBMq#|-&tNrW^iBgg;!ef+QIa>^EiAauO$S=N>fWaa1`zB!JN zJ5)2)GtmCZL%5^Yng^F)_(TnELM#6INuEG%mov6G0iCq#r)lS20mV$Y{azk~8{8Y} zsJy~y8a+>)TH}!#Nvz%Mcg-+aY}vEvpPUjrfubnl<&>c!5*n_IK!BIxGp-j>cTN1T3xDf3J7m!XG=$*15R=d1GY# z?agKDIl)}OmYOy}o0X}ImVszRrgLVwtiY=5skg|ZgFXY07NPk5?otGFf59GiKJc;B za-w6CL}kVG*QHu56@8Ir=hFGCN0E?32%If}jpdFdL_WyclB^;9wCS4*C87jkWHa=s z?KtlAJmu6lTJByVdKTd689(+*6){vWyk$+13_%Ka)t78h6f(+ovxuZ?=4xFwq?o{ zn!sC~_0L-^_n&VyUTDhc^ZrYzg2YSt;#1DCpj%=lV31!XBXfEREM^_EmuS%-+2_s! zW1c|9z}j`vb5#aiIOH9tXnFdr7+5CoBCKoW;w>sB4jU2=#Y;;K`-^18Rd9l?Z4yX7 zp^?N?&RntYeU)p$!4+Hm0>#HLXs5)y4gm6T#APZeeF$l%EsOm>6c(nva*=LsOfa9dO$j+&%Gvjg{c8(vm7X#6I%4j=Y# zmi2JbDlC%}&GoRwZ9`}1^u#xRfH9#=`}-3)_SlErL~!7{vd|znY@#~lX9oxR$l(eo z8}ZtF$@hL|I2{?ZVxfWil4+5|s0>YvKUt?3^{POY9*oI9T<>H?MnzQT7s_oO z2R;%;t7-E>>mhG%dL>(n1;OI}-t~0Dr$u6yZNk(j5u^RH+#A}!*?j!Lva~W#V)r#xWqtR>)sqEX9p8k2nxH`+>A5CfV8Z61 zFU`i5D5B0~rCv|N zb7w%5W{-E1XW>G?otRqdd3W03jE=kD{$9x((--Rx7x$)Kv8$e_1zeA684`qc8Z0{(U^Gdk~~xB7LezSSE9o9-kDLiBtspt{;y6T<9V4Iph5Z7zAI; zE_hkh&*nM{FP5`+@op^S#<-2jeF3}f?^=2%GjIoR`u>JDP2`38S<*U45HuPIE=YcU z$LAdLZt2%pRGo1G%jWD&OVj_$!0M~qg77%5Vk+=zm3Ro}X0sx6BNZy|@=$t7A#xoG ziI1BPP0@u9uqPPN*?5aKSuJ5#ArfY@J|6LTaqZ{CHmt0iDr>v22j-Qm)y(_;>qXPtOYs`L6f*YchDJ0i@ z@K75-8bUB9>8gx>3LS|ypVeC&C3r^L51r+@(v6aZhWIWFNGYGRoi&))SB=g*z-C-Z zHuF3Gh#)v0cspP>iWQecSSuD@{Qygn1ENGHWZNduv)g!T3NifITGjS;0#3_OZ>(qJ zF^(4+V%G3vyeb>xL;SCpukpVjN?pk=*DU&x5LME9NO4L73{#OsMv!0vJ^Fc(58a>p z(sqtuvP;kj@g_weP@oTd(xN0DV}h`Zj`n@mN#Lwy>aPRil;w-QW36XQ5F&)3@(g}g zA(dP0Chp9nwG>vqZJ zAVVm39Tj;l;2Cyx?Ij|gT5i3rJw4|C2NP--kXtd{sm-{W(Iz4xzFdX{Lc8J&ca~Gk zh-m#Lk~zW4+`W^% zUqeGe{KwfU*bV?fQYb(O>Yw&;45Q78DXAv;(C4wu4lH)Lsmejj(2Cf#a=7(U}OSD>_U)Pj_HkrYYH_KiS1T|JT69lnTZj z+_v;8aeIH}RJEHA(tHZ$QIMgq778eZZnq>c`9%vkZiLe0UaSodZ9*i%wuz7AnjyYO z&z$38j(UiBI_3o&NeRVkJWaUD&Bgcr>s$yp?MSau&rXIv{+1LIXL zc@T2z?DY>=-M;b-Ps<*gB7J%yiJQleh6zkZp+d{#q#P>Dbw7=~0Hl>?A3c~Dm5Gbm z{w;LbMCZ!hneeH||3l0?{<~xr-Cqa6Dp$m&!g6QB?}X~lstk-+Kp(t%hmNEaHs0P) z@t+XUf3?5>Knl1B2YAtjt!#x?YXpzHJEX1465BCUXoF8vvoZ3g#N_#eX}EwwH<{j@ z(H{SE^jP#k8zFBX0qvu24F^3hqbh=V&1Fn$xT^c?pVg=nWYC|rdkzH=LNQRKF3iGC3 z6Ho+i`7!MqBty+S_(4~w)BBRiP5i{jAsfj-c>t1rhEeCwv-ot<>BW;BV(jP+fM+4h2e{Qnhlgb1cy+avdB1}6aZb#w@ zeYUH{iJEcJWjrgqL9+2IP?DHD{M~1|tIF)_`m~9r1c>yP1jxJLV09v-vwJ$l?pb=I}sMprj^8E7FP8a ziC<`{G&SEGm;P{*_dx7NJ{Lr5$YaANlZT1)##xjW6oYoJ;9BJJ-{92BUnl_i9v}Ok z9hh#y)&8%N&;V*Q8VcsQ5G6z(%UKJ3+|eUR4m10p(s&|^%G9+VLsEP0!0Hpk5uyOJtr1bTs11c{U3a~{&sRq)MniU z1S$NnKSM<&zvxOk5rnWxsTKQmzao%wmET{2W|DHKd(Z+eJ(|vBbu+>SHJ0>?d4OvT zX_-iuv+52er4mW)tEt?uV#_U#L|jumb%|@R7U&wHo(@ToI8k1+ww*G)(I;acHSCS| z|5T}o>3%x>rn#(Lc^KP|*1Ln&T2gzPq*-?wBzGp*ef?%H-*90pg1S8FKIl^gyjGgK zf4jfE;@#|GwVO2$yS`FAZBLP_bJI`%ZQ}HD_4S7@Vg0;+Z`Q{C>==!=%gxsd$%JfH zwJ|vCnn>4F>Cfi{$NkSJHTW8xN$;|lE?Z6}ivw6&pw!{TN(YsdohqI^n4v5#CkjP^ zpLV?Nea*Vqt;U_XG!Y&dX#ub$qREKoV_!~QWNyI_O%SDTWk2zvgPp29Mp#U1&Z7gf`F`QxE{K#@kjO}sM@1u9i8 z3Xc|O_^D;1mE^QtKWB0MEyR?B*8p!*mE&kys&V}h=+BSQ&=r>AH%aZ^w-|ztuhqQN z)>`v8+(Tw1Pw;Y2;RpnS{zTtb`K@DH2SUnbfFOdl?;99!99j@iWfPCH`H)s>vb!af z!|D!ub3c?lje1cRyh{NAstX&YYVZQu{Ta|i&?4_l0Ik#1&%`^h5P&Ok<`1mi0Ao$U zmyT9OH~!MTC*3 zr!U4UG2<$gujAielk+|hmZL(YF|>Ntw^JDfeGOG75lz0M(lVAG{=>fY^S0sad+PDR zm*A^;!ik2}_C?)bIztzIp{kbiYfsQWSfe@!>Xt!{+&>=CYjrPpDm>jK%3)r$ zC%+m5_sRmmtA`bss^q@Io2=5MV3*%HcNlIo$mPwF2}@t}2Lnph)HOH_?m|sxmKMGJ zN&2Qz@NPTW7&;?y7Slx!gWmswg#tEI0G8cgNV^X-2=Q_gY03Wb9_Q+~?l=u3O3c{y zEp8LaMAhxc zG96tZX6uVq6YpW>R^Gkh5SZ@GksU7!)8t-PI5r`jSl3tJ(UF^VV%?L-YoYPHqsHdy zF#DFkXtHo0nG8eKxH>36*myxfBN|0VO8%e%zQB{QlZlyXhlYKX>NYYBNxylUBR!0> zgL5E>bBmF?In&Dg{u;z&rW=8PJnPMYX=s1xIF{Z_<+@y5lkbY_txRr$QQ;}Ww@n#2 z7rAjgnbJ6__}kJ>D!=n%;+;6Bzx9DyA66!On{M41XU_dMp8)$dOIcfya;``p08)K3 zYxWCRY$MllMeIMn|8${gJYM)!gza$rzMTNF`}G5N(i^im&&;GP!%T6@jyK>GRi2^- z_Qq^z!LPrlx1+exMKc>VYvMNg)M0C)yx(7+@h8xl>4X375?MSb1GZWYYlFEKj}QCr zmrjFZzn>?SF26>5nnPbHe>s}|do#BG4Z1N?`+d>>3}xx~^%a(V@6#r}<=eYM@97=Z zfNTt7yjah^sWpDqvH-dtuH11U@L$WgPbwIn!P0TgcR8ECOp$?Pf_?8X+ePr#@bgdj zMM}75gc+o6Nk*5esY+B#|M?`kd_j=p<5pKD3GZWC?>>xM~NrN3?s zakvrAiwqOC_)0_0rNMcUz(L=Ytf{MuL=)oSUJiAAt(!(7@gbB75ifi;#QO0ouEyJn zueT2C)Wj!na+48CJG-Ix*|4MoLdJ>U5b4FrWxnh3>qb7h2oqeDe&=a&H=Wvlu;~xR>=(lUxm#^IArr`4x0fldop``{|W@ zwFLL0PE|WVwyJHp*Cv=cwToVu!IY+0QZhN_^gqe!vz`; z<6RJ!^t3zl-h3!6IP?WK`hIfc=CcK7W~fSbWDA6MGBsJHS%FM=dt$!Q}e+&R^_GxG`92 z*`5xmGS`CNI$Z^d;>TO6D@2)AHp~GqZro5e7U6#**S~c(*eQ%rP#;Re_ zNMe2fh;brU6Sly3fb2)6#fTQJ z00FXJG*+wJDIT^x@B+g#qL?;en!nqu=f=%^3keJuW)UBH% z?+Ayj=W0nW(Jzu5RH&u<+5IN&eipf^o9#g-DSD%%>>Joa^3%uy@*37+j6l^zT-^0MfCJa<&S0me zGArA6{P_Yz{wJb^Cd_cqTNs4oQ)9JhsI*Nf<&YsLDjJ;z(gE#m)}cNQcj6(bZE)05OxydG+D%a3!PPaYxnmp zwy9k=_tO1~JS~kE{}}c%noTL#eyvKT2Z-aRqU!)+zfdzKMqqSgV;6M+`6~;ent?Zo z(+2TyZL5O(u_-yfwMEnt^A-K9nW~8j6Iw))JQT4SlS()M#HBV|8~U#LQa| zd-w*(L%2rla{$lR&wuosDcn2^weuERdh>g>%jjiIL2^cGRDG3%d_%IqK(c8q66fOe z_Gu%shD*RVs~YRlGr;4kMf6JEKRx58B2)!uJ!|zT|340}sBbMtTov_x*RE#K%Mi#n zgx!3Q;1h(bLAnrzXndH3p>>X`=Fvf-x+eB=Paw%^rjnc;EbtcA2cPqdl$eF!oWyVJ z%wRu+JSS61BXji(N)4E3ectIGG(Bg52c;@JuCoX|)(fG&{iH~z&pSiu#d1NZx*rta ze4CT6+m??T>e^#?v?%rFmoLt1`fcf$gnwD2wy zpHRY&HMlEA78OsdOkWKA?q>B9qTAZchcifZ53j_Qj!;s=S-^wPU~)Co`{q>oo$FQ= zm#!BoPmi#8t{h}-8Cpx+1KEX36CKI+Hn~3nvFm{ifQ>{`P2e`ZVC@pwDe#Wz zn2p-d;4fDyQ=23MMVB1vbto~-NAhN4q}YNU0sPpfH9y?_AyCo9X5sz*m&A16FHx<< zZGKdQMwv3sG=?4EL0Z(W!Qp1W_9rLg22jgKegQN(0CP4nF4GxoE8ReTcL`A8ucGaO z>fe55=Id4stUI|z#a~cK}4 z_y(e0=e|uh7JOEMoO)gCl=2a9pj#V(=kN|_h;dn#UL+fGwYeufeMYLG+#5#DjWs8F zQmB=^lWgqV4N3b06fb(;r^^X@!PB9)HxK@OH@ks%{>|sV-r!w7K{>`q`&H@K^x(Bw z@r4&mY6Ov!FVj_6_GMO~ z?`@%Nz4ckZ>@09GI|8ueJyY84wXRn3gB{wLPRRM``fu);?~=qd_v8_3(4>wwUxfI|%o(uhV>qQi zE-x@VM`etzdICFKshzhoF;bnwq0Efn@@0&sIZzBNtiUho=Dxh+^tbnWmYTo1ef6?< zm{sht>2z9FZJKqmw}6PT(c8bi)ort&@n4jT>CR~c-z>#NaoH&8X%fe>=QC>)@>!wU zzlXHp-ZFA@3x8T%f-h;ZW700lwg0RtINyvR|EWz+Hgov~nITcbe|zx$w<&%!0&&aa zrB!-u;{VF_`CSF`G#)5U03#U;UncH?_XmSG#MP&r+~3K(2odb zcx*6_)SR^payLCUTi0rY^^A2r9(Eq3H6oR-=Mo#~A*=BL{W@GRt;9~GP+B?|AK=&- z>xyQ5y&jW69~<)3NclIMVl6|&qh-17Oh3X=$KqWH(O+DM*}g02H~C}^m&@(=^0k4? z1#8kU_M0twFRSwpW(~q}UUP9;Bl8JN7pW0PICk8(oSTO4GSt^8Z)f~+^ucY~S{%o& z`hFXySdreoQpaO*rqTOtr+Z~XVjXBN(aqmGwJ@SIuAit106A&odXf1SCnx&jqwiQA z!u~*^7((sxYyX+o3<7v4yn1m|rONULSj=tQoK!d0f@a$T$%6Ly{(61_9dy9M!uM*w z6WbJNAPZVp`fljs`Q_^7Y7Ffz6j1`Q{Q!=X0pbZo-x%2wM|PD+oZ~ZMX)pwg;7sK2 zmo%wIAAl{E3%n-)D4aJ@{!k-Qi{uEZ7o)gnzpiS}79wUrLCVmNKQpplZn}Op=|}$_ zdK(SgNF@H$EP}?@k=oS5V*U?xj1ITE-FhYmq_<00&c2)R@apEYnRrut+}MktEpK@= zY*X&`d|(n1@{0YC2Vsj`jKbZcST*Jiy1}G2E~6NGB%=kpZJc&DZ=DiLA&qgVDHca( z==KpCK=}yng!6rKyqXG1Nszvckn#ZCRxS8Erl7+Z+Gz6VcTQzOw{b$pedncSzTE0( zMtXRTk!!QJh$HOP7HEA(bW|}BcFvEsQ9>CA`&(fC1u+1Z)}h!Fo_m0z;>gVBnrJw$ ziocrS5^Z(4#NqUp4(#{W9;5Ah{JEVc_QyGG%V)6fPXPKGX9#t zDqcMIGL${qv5lR0xp8;dWT2#}Iz(LOQBUnSvd~)au+OVh`Mt}xk;5#48JW`fCp+Kk zGQ`7nQ&0(PHTTv#RSxjWWN&-(0|xo_jbj=4{+Su%IZ;)kt~BKO9~8d-37`GXrsR_y zhKJVHU#*>$s>cVN_ipBv**)0gUlR)L(BD;UGF&TSN`Sa+pufQ=#`unr8w0BfHVQwd zGxfU(npAkac%UJ32lG>){*7J;Gue%XRVAlJn4kLb7eSe%3t0_T!L{hcz{qG1(<3#x ztH|Q*FAr1>^D;m2=TP#95; zjL5$)xO`v6sd-~Vl{jQew4e2w?$89&+_XY4wI)badf^5x3vWA27K7_$J6kUu; zueM1YTc{7SZISa{3vs1)E7 z;HEQlTVvN?dP2}fjU{@+8ZlYk$wZ&u<<<2Zjf?$|g*J>u#1%>u8P?|s7a&7vBrW{l zlvYi`q!D5e-9Ej?*Sje<1DQ_3auBDTZ(r(a+@3`-A4Z910cqsUxB4AtS??2qL)HXZ zjJrp`{*^dKwLc6@ViLyWGS&b_A@hJt2$vRyZjW^nsf~$>v?zG?2TqKI-CmW}&u!cW ze=Bl0NnP>UTzt@%RBF28b)eOfeRIUE%Jn$3&oM&?j#w%XoSe&X8IY}hRrm;OpxN4w zf5?VO+qSt-<+(5!3x~A98xe~I_H5p+HJ*RKxE2rwPO(!CzgcFQ{%TY` z$2=YYBZjQZfYVXH1y7X$W}%Ao^0p#I9O%;bYE>YcoT4A75|a$NUH*P)^GaTO8SquM z1UEt8^qnGlxp_03jNc;i6ZnAom({`M_pxUy`mtKEP{_jntt4}#N%wa9APbsDov!{k zBp5Y<9s0Ommg?~l;?R+J&W5fHd9EGw7z|u_ZrH_(5aG!X{c9%^-#hz()EUFrLT;o! zB<_++)gEwW#-IM}7oQXtij-71FWPs%V8S+Hm*&*IGk>VKd7#7j>BC|JZRh@kCuWAQ z0L8j*Tc_mZ1gSaB?645inN;_j20p{#LaeVD;e|~vOuABggteoLwXvM3L!5YWckU9N z?Q}N(!wg3@K3Bk>CdC*2N$(?m_;zbV#>1;U{_Ow>_F)n3u-YlkX+^XrkQ(j27?|$` zMp-Pfnt$atI3g<^saX3WOpc0wn|!UURxue3YcV=dh)KA^r9`@8u=LSFW3Bz^9eDpp zB2B;vM%$v-wEyijBjlc`0eW&cR1sl?1!%Ak3p?UFEtI(&-uSeWkfyS0`tiF$3Efm~ zzcugu!Wz^&v(ko4woWKKpH|dL72$;c{5@8KigUNP9F=M6aR-k|ssHVb#Z3=U2%+ga zbPT-zNw&i7CvgNSsqzDUlq%E$3HJ@h!CL8X0Cm9Uz!>UunyIo4{?FVK`PNymll?@p^ znF?OaY9@qTs(U_LH3SvZ853~Ekk8ET1L&ResyN2K5$@-YDD?`m@XH^6F+vg10~%29 z{vVvQhW{1#|2MXJK#wY7x7_+gTl!knJv-79azWfjfQ0IUSEIssMQ*>Rnz&aiV3)jm zXD*F~yeZ87Rj>tGUJ$<(SdY$s6{DI~#iEbQ4T(pmH&2J-(-MKl%d1=nHhF4-c{ws4 zu?#d}9T-pAnq2knFg4NPNUi58QQbaKFWtQp8JHK%VHwusfYFK{vZRg~8Cw-W{e#5tg-3u% zPI$8xmw^jnlVKhYFEnJIB?{z*#@@{>#Ccoig7Z z?4tdKDG-Q`b`~o>HxtrDphl(8qTk8j@@Nf60F0t43em9$aD45S`Dt6q;6Z_|P1*y_ zOfAd_oqctTC+QnmesKd|`|TUM2WG>4S6wr&1&jPAkby>(=`e*h-SdrtZ$%=K@o@*q zMh>{O8xa7%DB*a~xck&n_WK$0K(j!pT9&uHt?x=R&1hNGVt9+L#F@tGrpnJ(rmP`E3S3WDdxYYpe-*^req%dDv(td zz(F4ge*|WD6l)~wO8?-*l@Eb!B<_WBXxtwooesfP@3F{kGT^p9qfH>X*i$|vi`l&c z;vli!0cCK0i0ki5$YM-Nk$;OL$$PSUBdqn0}1gXqjxY#SBiry3z=bMquRDTGUq zF^g;%ygX2LG6Wbl54^4Q1bBq?6Pv5#kT@z1Q~9`kT+92?rjJt8i!$AxPdq2{gQ(c8 z8bm_E$~Xnu+_mkh3^f4NP9V>u?kji}&?i0;#KRld@fp@U9&*kJR6JFHm`n-^a*33b zzp#9SnCV(7w6ohcAi#t8R1B;0wYOSCsJzI!1gi=Lgz?=cKgVf8v2(aI-j|dh5>*n? zMhEeaR*;39woDBqMz7Hf;9q`Kdi3iu;vp%y6e(!kF$jLwj3u1m_dyJJh@m`sSl=qE zl&V_-x*wUT)fb>u$2%KNb!G_9n!wVS6~qSBnIhe%hB9X^Y}a&(;}$qm2O#FLxshKV zQtG!@!owne6d0phbwoP(UL4^XjeR`MPk4-nc!t!(Htsz6_4bcv(c)zL*dWS1c0N@f zT<$BfDaXO%R|DmYyCXJ)a})8FtS6S7Q8KF4hohUiaXC7?ba z?E&QQ=tp2UGwdV}-&S`>VYqw_m}^z1eWC+F1CjuQQLdpH>hz_G<;pKf%ALQB<&9yc zguLQJ=L`uIXqd!GW9D;=p>VQCo9b2Yd1-ln^Fzg-(;kxnFv(QJYTiYfl{{8a5Min= z6z7#l(Y-jFu{GKhz1Q0)LEHMDhrJ%)C)T|VeCC3N29sp6h3YVB%f@Hb{|~c$7-To; zs(yL4@dWpVg+1%8;#}b;Me|Te7Dpv`pj9OL6{!%V)GG}lzY9wrGW&HvB8@!K`>5zM z!dg{q#he*gyz?c>bx7!b1+kp(+PnPwJ1M>$#d+LJMURF$m<{sPCsw+#bjI0T zej60>trR5>Ka6LvR*+Pr*Oh5HCyKJd zmaPC8Oa5D^j3s(T5}#o$W|vq$h#Q@%idz)BYBStNJa&nK`D|b3#KuMbsFm1lAH^%D zr+n^qz)egdl#Kc6JJOkLh+$`QXt8X3Yo(tS$glwzYMJx8Z!8Pp;bmy@I&_jM zZksd#L;iirHHlDkDKNW)U}+o-ML&Q7LsU0Z2p+oxi~8KrM5(6Tce<&n>|}A`SYsar!2LKRz>%z|2iO4qMz0hx z-cOxn@7s~T+p)zvH=XAmi!*6_1M5HDy3~F%@mq2Kd$a0Lu6(r5Le^s_;3k_YXLOgV zx+(d5f3fpEGCCyOejhY3r-WITqaXFOWW^DdE2-95kPnZh!hAK+7oa&7_;0@Y>zZzh z#WKrRp^|0bt?1^e?lS#qA~sO0C{f{$*bpB1LH`1RI9 zaxO)yiSFUaXa}~(s1{>mg;r{WShuk{+q~pM*TuW}xQlnmQx@q`GCCH**ajqnnlT9P z()|b)qZ*&r+gl5Xmk@i*%eWBNocLLTyQ$ZYUxV?Mbv;k3jiwH=q$8q&E2LVYA;HTE z7k|ur@_>n73fyEv2-A&V%eyAe9E~$bcXI-XoZ%LCRP4SKr<~Z4cj3=IkB9ERrrjR4 zui|FOlGlYVpe0T**f;EVd~dv~q5=`!fS;i)CHs{3(NF}Ubzxxn$4kt*{*Eb8evTL0y96~=4nP+Z)ga=c_x^V`R%H%NA=Cbb;ldMPf1d$#!c%7 znFA4BA5k=I%8ubX@L$sap#A+`eWz6pp-f`v4YA--lTQVV+d800l9Muim4Y{O2WP3| zs=3t9HT`Pd=ycy&uI91JZC|64zy5fEXiV2+w;VhA;5q=Jv}iaY7Sn9Mty390{y<|P z8%)5isyBH%JG#FWFyX*B$JqA0#CH4}YdWn_gdf1y9Ds!s-m3UCW&)`_fDGOSViDq9 zT_haK#2Op_@fd%*gIMg6+@AU7$2WC&JJyX}YZ=`$u3@OvvWHj&bk+SR0&6w2#5{qO zFhXJVc#zRDJh4*#9ODz2BWJ4OE^u+5>?VL6qiN>H?rRu1?c9fMBRa7 zC(3Ci*)t_r;2&s2ip#q6HjZ;G>f^JRW{HOdc-UkIy4n{(_dnQjX5n{# zFr5D9urGxHe#n8+0Q}!J*#Fz$`$P!sJF@V)#YkHML;eB7TriKP6^=VziH>t5EJ~;2 z>htAJPK49mLy%pqbug;k`Tl~(Er%WXz{o1`Kuu<&mCCJgJO7{Xoy*t`4nXfCwUwR#FH~Ql~ws>sSWW))*@7Tye(fpG?N`K4qTMd z!{V6{lBa`ff(`}C9>)ET+ipN)i3W{1-{9Zdo71Qd6YgZGmAY*vvk2D9?8m zmu}7!40*~`(Q)j_Ul0nYCEBN_1Pq27o`YTGhEchzSK}tG_N_9zwS^Hzz1D4CB$Dc~ zAe2ykGP$g4H8gGHZqwy^hZiJ|4sb$KB7Nh9-WZJwwY)&aXzFg+l7(U;9DfGkTHqV@ z2XH{7u#WR*(}{#U5)mT-2~#a@wd~VojAj-J7=b4|eJRx^JI9 zK%bgot$Bd9FE;L+jo-~|R^ajsD^|KGA7Xk@}jhCiUNXIJ1Vd*U)O zqy=TPKG;Z0%s4d(SQ|%U?S;lHjj9mm`+11jY>-$Thzo$oy(}82D8W{nt!L7{lAGnvcJ<$#e&Cox!Xc6_ z05plIXewAd-^xLZ-`Mp6b+aR205-Doaf*SBEgFLB8C@XS-1TUwA0=@;SO(qe8pb`d z0hy<`i=Mv9YD_Gq8M7rcEIg7^ZOj2G>fNFGkA49FbSKO2V*PI4mh7@ zQlTH^Xyx{sBThsnAE7_L1P6TvB&Sn~a1W=bfZlr;-n;F+m73}ha!uz4ac)&UtkE1F zU#uzb_^11YJi#o(a}?(iS;jre#0cbNXIYgR??y!q^(%_3&4RpB)8x{G%+AaDc(rTMm4;6zloe<*onHV^Dyw}lGm zup+l#T>jx0#S5i=qued=9bOp8djcx8{8*61F!cQOmsx|84_47mV2xt1rjEWKd>1er z?pd~lmYHx0LznQJi2s@g5-Kzf`-2wyPI;E$%An~O$G@&z&{r=Ws!aRd!-mAXSn%Q< z*pRW+7J@I z97r|u6s;s99&Ps_V z8cq(BEONSFQRgc1!_;@i!+SGYwFkE1`vCmNgXEeaD{JE8qH35Kh_JU!P1^L8&>ia`l*>E^JQb=l&OwK!7U_HPiuZCn37?ZSF5#3&lH=|q# z@P4xz5tz#$jnVUe(iq+oTYdV>@C9-kg8%br3E2OK|M-<#Ckx%@dYrL_a%PY1)-X&C z4~~v}WEa50hEHRp+yu1F(O;=1)uRONK|>)Ap$4vCOBOgHRG^Fe%%2XB+ z_Fdnw_H~=y{B6q3>KxB$x$Q=8ThvFlOVwcL8pIsD%a?TE+$@!ecBdr;V}bVsUTxt$ z2lSCepEbU{xTA-gneBUGI3bZZk^f>DZLh@sc><&=|3WvwNUc_8TmR41AN#3na5Iln zkPr__><7gQ7ZIBmB4;)G^^D>x+UNRGMQ4Gp5IvINJ+l<@5R>M?%ZHh#Yj)9T(!}u< zXbS>WOAHP(UkQzJxjgU83cATA)#6?59}D_-$)AC3`u&Q*S)e~HmT!L!q>YDCgxaU8 za<`Kx&C-u!0L%eS9tZ-h831!bGK%7sX37KZ{cA|SUh-#4c^MHtGJRORBPK6y7%(WA-22>*Z^l> zMCUzbmS>I9Sq&}MrpqHPLoCe)ws3N84x_(UyIKp-cmHj7HlKqJgR@Q+5zA0s&?IP@ z5qcG5OSDP)RCG%ERz$!qaz4cPb&Ci#RtWiah0Ueh)My=7s7vVsrX{N;f{Prn^oqe8 zQ<2;{9(c;XQV3@uZk`%hgyf_IgP*~w8K+@O!}Lc{qVKvsv;9UIvCl-#5`rdh?spj5 zXob}MkkzhF9aL$MO%@0TzyQ#yKnEIyjK1oW zyO{^uS^6`}LELd>!vjc^qX{(91n61Onf)!bAriGW?o&2JkQsJ%3L`*P@q^`$MVY%JI_?EEDgc;eTJV&wo%KjXo z{j;z}hv1nrwvZyI8^S>uJV z;FQe*YsU2c)LbV7V4h>{=07^kBG z)+DKy%zd=-W2Bq~W1o_i(VgCFaWVcqb6B}7)&TTFk&FQR-wCER&7lk3+(w`iX@9@- zA{kW+qMIC3y=jTwrS|_(2@OyZ=V3MOU_sb8BxAMq*Y{$IJI975J84VMg=Jqsa62W6 zws@dG?-JBaJ{C&b{NI7z8>)y?{Tq{!oj=3gH^7&Z^MPF@>wHE~CfP}-L=BrolqCth z+rACM%rJrfUa$=IHQK`Y>lRDg>3oTTt=3*i4#P=Rz|R9(Bt161>=(>nU$pmhWIf@{ zT5I$Qb?-3o5Vxm#Gzac2X6adi3}>~DHm)U_q(<0dt}jTgTxAP_k6+t!w44*yhG-6s zg!c_f-(b-%aF?wqJ@cuwx@@BD;GulD9<_>kLu`IPMsrgFokHujtg!u}SVJPWM7f52 zKI9$s=>Pg3w7q3il;PL*Ju{SuFqCwsNJ)1nC;}oV3eqSbBHcrSlF}`W(jwh3gmef< zcXu;%`<~%E_~o-gm3uj+EG>pIVC?_(dwZ$CVVRLGI_SWoXAEtirUUlsR( zQhYE2hoHraU%JGRCSfl(X8_DuH*d~5WZuIDGdDP@K(b@yNnx$s4nDZ55{y$|gfJ)p zqZ`W+fc#*~-f=AbWft5SKve^42;lAulR6n!8>4rCcEi*<9I@AxCyw5!$pYjI zO_P+YC*+lb3d9b&9zX40N@K7>VxrHW&qcqL)mItmz4{L3fOYl+v-riS_9_L5&hwA? z$`DNCpHJdW+Z5i4Ku`0-K(fMOFhw~Oy|)oB;7{+sUey5JzNoCLdXBI~i;~RAeP}C& zY^$~xFeT?Yf;2CIRu5!82=bnQMpUhLxRli!K_Y$it6-vtF*`naa$=|4@hb4DOQp|f z6;e&ONcFa-MOFHo#rt*Fdl9q2%;HLr{=5QiD9+Y3@Cm?!JikCAaVmdg^&OXwXz0A) zR!cohPjA&c5p_tcTU*$hK2Yx8psOoUmV8y=8h31*G>Z;7xHFcq8LC6F)T*pz9+CZe zC)=kDL#2A0Oh6v2Bzy1U{^1%UJAF`Sdk?oYxT?S;8Em7ktl{~Fwzlps`DA+|_`Gpy z(2f<0FT?qd!PLiPOkhj$f4}m`Q|%Oqb?6n9On~4M|7~F1Rp?cVyZp)Htg^U;hFT?a z53y7FLzxc6pf>NGxuoG?w+3gJIfCjX{U!PUWHFh!{(oFQ|F3AxD;^jCPFSd1ev^SL z`cM)-#fOAGkOwO(DOmLR)o+iHhATEKJU&u=a}UMv*=ph2JVv~)G~&Z&lPHhPBV{`M zu5=6~Y7)p(QSQkDv956Zi2zmM73M4pzIGapjcA%IcOxz{`lNl?5|0t;C;T_D%^~kX z$AySg)L5_W5~GAO71eXngh_Iq7aLJx%{hzQj``&O+<1Vou7T=a9-jWPv4OZ@905Y` zc~_FhIWs*6YcPJ-#mBck6l3m2`kQJ$KTA)laWP*WC^!kiBN#j+3Evy%X)%5ByZ<*2 zlTelCpgAbMxm&mlEY$SBBkcY8;%GzN&gsrZzA?uiq6x2%O?DV~`xTa<`K8CJpgJL! zWkr3A=(Rwnqb3eU!O&C0xXA?yv z+9Jcli*xPQg%6pQ_`kKM-RaLTyPZ z+u7}&TVkg?3XfpZ3A|6Y4m0d>O0npepyALkR*=so!;Jfga%?=2u7mVbFw6cg7CZSZ0LR&)eb|uCn=W`1QHR(}MurDk z5vP)}d+`Q;*GFd-s7226>1TwKuBY`pgwHNF)klvpw;h3zTo@KioC8G9ezb0>^1c8o zLYwPkXt2i`t|p;A*UVVaTfocrOE)tYS3=}wbCJJDuW2ns~LYTQU<8x275 zxsY1F_=U3;FmvR8{Lpw`zqjx-^_a_)X~#qb?dqvC{nwf9?rZtglnHUCRbiz9p>o6X zZV!2WNB>7ew^p?1;T#Z??pEFl-_Zk%jRk#Zv0l1+=$Z#l@!bn+uS=agycMvVaMkk| z$O)Te{{OxWoy5R@Y!VcQ(*7SQUjM}*P{BkrF3p+jt`?{q;Y?`zQW6JpVIy(-<-4Hp z@$VF(Yf0bee-bSX;=rxnm?`&Z%2Deb0p-yn!a?9knuFS!H@OEWj;_l&BGuE1u!+5X z216&}xt0_SHb5h6(9q65jx~n`XSs}urLo-Hk5_rAUHM7tlN}omW%I)e;{aj#JVj#P zud0q%st;cV@xZX@CCiOy8?=f!^r%ele5a3~Js89azm+0Rl-pAD_>(ICerH1ww#;Hw z2_l(qGGdzqXCntB%6aEZqN6gRW#aaEofJ5gqphn%Ujwn=3~EEvif5(2jv=3i14czs zKbyCu%M}<>zc*n}%Hkz7RCUe$CdJ$Oz zS(#qGXX$Sb;G=`e%bsvGNw+FYU?m-X4te*JH31*$1GO_&$$#uE&=F3*hZyMBey5sV z_Hp8OzH>ZAPAyK_vVE$3z3cCVIDI>Us=kl*HOwbFUwuEyiycFewk!S19b0B>ovns-kTZ%u#(vZubXLfT$u zQ9o%7)>X>pvi($e%l@IA#=mz2r0_uQaU}4^M*08ImD0o%Ap^USvh*r4iIOR|q&j0H zh@3<|TZU+|L?m3y$A-u{AK?aPNk359ABf}W8t{LY^06hu^TD%bYej5n#GfL*5tOFz ztN6bkTd23bKL^3l%a8L=XTQIlUqHUiu{S~5*oZnRQbw_^)0l~LnRUaEUz9>so51|L zZIXDaFW~S;k9~C*DiSxsgivlAk333irzC+dMNCpQi`Is0n0h0RAh$DsuAxOKe*?V7rC)@`&$wUA~N~YjOKMgHim~w*yZXgL!L#0#F|D zEr^T4g7*zCFf_Yr1+{yYn}RIY(^omM*tc`TScg6meUOGNvER%SNSW2TEsD{l;FqIn z?Q2R})?Sp2#2Ww7af;@^YLsxkNSHDLey(NaRVVucj$gSWPv&zo!t4N!UmkKV%CRuj z=SzWbCnasssZfcjRXdiD(|vXZQ%Wau5J{hkUhyf$RTX@poRN+Yt+1nTWy!K#B9wr7#iv}X({ zw~mI`Jsmn5+TArH!k2Jm4g=N$;-v|^5mHyeW@9C7V6%|DtYl@janFR{VhmmuUj`Z_fB{Og!5OH?>)Ho{k%V||8&3XLh z0I-*xfe+m1>oq7-wg~`m)`=|WBEiaBo5XE(wBN-j^*>Lo5}p327>TWLsmQ*SY}1Up z3uX}Z9+xMM!0P?6s}SJSj>9mhq+H9B%y~RK^h&=Z^51|y+ZHTgj%Fqip1VfNUW{@s zDk-_8e4Yr$S(i0GT5Q+j%@rr$I4zcVB=$aNVE)%FsFKYD@Uwe*ox>LE39BgTDLnnq=QLK3G+Vc4&VxMP6I>j5<)*Jf_1hg zd%WUxkf{-?LkuzV(tnZ=v0uD#7E6S7SpNB_pF}70!6c}Kll~G zSL%`QsGN*tBmEB)uIM`G6mFQgs zt(8LaWJcElde})dKP_|BE@y6bRepNZxS5#A=5Im8@kX0way@WosH55;KUC`J^$&HX z{%?LcaB0+!Fdj0s6CoU9#HdI&fcRCt);(b>swg77mxTGn5Z-XR?6=3=o`E|Xb zUeTAy>;73bB5w$kBU?ZON!5AlclY*~BHvm~Bc1(kzFqJ-;C0bKdUyb|uWel5xGMY7 zCOe3->~VU+tz{4FeQ7taR?5k^^|L=d^{ViMakSc+YKeJ1aeuqg`aRK)cmG{YYAd&F z8jrfF|9KKcZXn8-1VI?Z_-9NN9zurY>o}U3wzBfJDZ)5*FbV)EmPUwCM0;)?y-ll~ z3{h7g&lEq|FrtaN_8(Oh2aw{&Pu_r9+5=&nR=a(Vt~@d)=DE`HT|9(Q6#fMZuLo7| zPDd&07+-3;8Yh$6#+P8TThL*EDC z?p+J$Y12Ty*qZ5mVtlRxEZr@qFHEOm_Z-^ldeB5#$qf{`5h*U90U;ku!6vp zu(7alz4rmPQN_Qnt-**Iyf;gb zuC4PuPd%p=>{+M=evl45&+`?lgXOM;zcTt4&YQy=L$81i=OJP<-$Ymi#lWscZ?ptc ztE%+hZo48b%3hyg~uX0BhnNrvBFg?D7(TzX$pM9ZveOliuc5K|rp$4dhlnrSiw z_b;n-`+|B>?e;)`%wX0apxd%=>TkTjwbmk)Fo^r4^=N&-M}1g`sAA>k+4~@WCOWz2 zP~Uj*U*FT7*>KUA{L~cZVC+Un64@ExSo5YN4v2CvLT-#!zB~dr5XC- z%e%|r1PLd|2?xOy&RmaIBws1|rRi#ND&vC|Z%x~?guP9(GNV7Ded*n}FZL>PoKYpQ=dM=F^&V5m+5Kecz`tJ4Bg2Dz+EI$14 z03(`e5Y1vQOR;V^Z}$Lv8pj$xYgSo`1dJ#qwcX?B@7=Z9FEEv$i%^*Kyf?-)Sdy>+ z)QI(Jf^#2Z);#b~ImOnL)?vjzxeF#f)d9zAteUy_M+zS$DU9(-x(H7sH}}wo&B>3O z6P->gEa9>s@H3++$fUAy@4hj{e_mTZrgIYxBOamfyqe>G(O8@1&FD&1L1~e%5~Lp} zj>DoKd&KzPG*%MJb|Z-fExN962bt8F?`RVvXkyD^U?pb!N59BPEH{ikJ);uCQg|2< zmWkZXqZiu*>_*hg+h-^D#8`qu&RD}eEPAA~?tu>zf5dhNgZR;-kS;n_@l5p-tP6FT zdkY)u;j@2%m0#ha)au@BqQ>(QDVUBAu5L#>Z$S#0WWf0W&8Q$h?Eaq(8=IVHu0YZ8 z1M5js%x)}Vq2s99R3=62A3#CzCEtOdCh<@i=OEH1X#5m}v|47sVwUmjY<&*GC$s4> zZr95d<_7>OvFeQgwLk^6;D?ALQQPlHKn$7r*UN!CkH+-Is2zRbS*!hhK?eOk$fysZ zA`QBtuagBsZ8G?-e)^9fE(R;(UsTzL8Mk66U}^-(IX;ks4Vc|w2rGUXv;W92d_L$r z5(kq#nb>GwSs%eV_j*14xr2|+mt#JEo`uYNCUcsf_0LLzkxGb&=)yPpj)>eI?5yS2 zY&$M-h6d6MEsT0!Vz-yn2fgNA({+7t8N`2S_k<)PW+)~x@PZ@S5!Gt97#Uvvc#&NV zGEI@eV{l8@QmHE+pBKkykb`dHF&q<~X*<#ufZXm77u$Gqubm~|cJA)e6UuNnw$UY3 zMw+-$j4{Z9`yh& zqd&p3iIXAP2I$8Tdl^+bN+b?aO*E&8K>F&{10;b8;koZ8kh#c#T~)6Oby4l%gxl0b z!nZPBIrr3iDvemXA5)^`s~f!pY9Oq;0l_5M%XTLWM5IoW=B~2ulbCUzF8p{V9RN@g zE4TDh0yQov)pjdPz=}e#hrjXB`qX!#{WMdj8^YVA&buT^v9VPW8wAzbWQ_d

        ?w-XKS z3!^}1cNkkH0P{TJe$MkN1P~5pKw@+Qq-jY@GmbZgI#94W0HF94Zs#L!#+w%;p!3U4 z+8ykUu>uo!c;#1n@V8Pg*~P&>PrKFPKHgBmQM*$)1#JCNOw^ zeg&z7ho?Z*s{=WuA&-lVoCR?mAS$%<@q+QV-EVOn58$}H&A$RcRj>9*9{x_Z2Yw|x zbSU+q7i*C~4AArHc7aXW*1G;U4*W0sr7dr_po_ibmt%Y1qiOTMKYYS=J}cdB=Xo7C-J0n8<+osD6p=7;rx@g)HFpAUm1!19>#4 zJOk{B6qTNI4-94R!&5A*yF6$H#i*%nRA(=Xk8-)zbX6qM5W5Ex-W9U!V=QB~RJ{G6 z=)^8?JSam&f1Bb;vu}ggV{ht|`x6QYr=M=%S+>-FHf5R$IdC_Uu=0-JL%BE8or+jI z(p4V!T}^S;SHK=%F{y}->9?m>-BhaVsqs=$5KF5V9F1roVt!JMjvCuGYJd3V*L)2k zgJ*JQAu{8Elido83(9Ym%VS<0I>4=+zoVt~hp;^s zE;36Sc|y28LHnY#Hy}Us0N?p!6h<%$^?v^XTkMB>ZvJERX5|IUAg6Y%;+hqxv9bFl7_t2nUnk?Z4)k24phJP*0_Yx%SjbQR^HOYtnKOkRKv3xE>i!~SJvsw<35qX+ z2QPxQ?wIIuf-5~0!{K!Zm}M-1ZH*3SDv;ni#ZM0eI~{Qz5HDWbtCZ_QI~&-NEQrrQ zTV#!HbU>0{Nl(V5$Y`}i?2aKm`BBgEeNBecaP&7U*-v6EuYaaN>IY z$sL2U(2|w=Yab6Jxz=i<;4Xc9?+DiY4uj3-`@L?;hWj+^`kS3|^A1@#-rNZc;F-Zm z!e~M_&u_3T;PtL)!7|mswlvsl(qbBx87`TF@Fc~^h}*(&S~P7c0xJK0P4Joq6?%Krukf=; zAJsHD$e?{#dknG?Q~0@?@PQaUwF=Scq-EsdAKO`}8`o%REs6Hb;c?h;CSh3^fP$;qsmy(U+IWX`3PPa=3~sm# z+(cT>It^R#-s^{;(Q1qWedtXy{I$^W!PB?sD#LVYS5>+>JbYXZ=S0F`ov`!^I+e>P zKqKsetL$I@6?6JKoc5}kJOWRag8x$Lpp)4r<)?(P_rhcQXWrYLe=xX#zQo807e~BM zAQR$uf?6#2t%A>K;%#qcb!>)5`gcG#nQS%kS`*(D@*t|@OZ=GeE<_OWlsSyi$>r@Q z$wLsal5SVr!tQzG0$^ zfska}&{q0B0SG5y`t7E>T2HqoNXH*bu5&x~2JuaFBEC&FdU=T;_U9+2nTF`i?|^!U z9r6aOZhL|RdL+#RRhMq=;RYDQ+)3Dp-NI=4kxL9R@BeOxT@hpYwlsiQ3UFiQ zo2R`+8C1O%l@jE}nm%egs@TS&)t(OJZ-UM$IoGLmD;Y8vG9#S{4q{~2flY5Na zS{ookkffTm)>nOwtmnv6yIqcHug>4BO+^kJtm!I!l(R*kcFiX0pO5T|31E zDr*8rV1p6{s=EemuJ6(}a^}A1qWb+#pJFP9q{M*AsAj4G-yWHc1(7t|Mjz$=DgH2M zi!NQD)dhE)=X{sQn?DU&EsP+rn`@%$7fLO2XY(oMY!b9Aovu^O2|n$B)TT?#u%G z!!(4v{VtjXYuKJ^H95=%MPnFSZEHgOq=%FtA;r_t2%ddOmTdRY&u3SCYgcEfqy{9t zGZ?_E_!;A*gXzyBqW!fitJxz=uV<$?h;RPX?iiKeGLe^g!%VPw6@8~YNLZ4J#LCQn zFC&a6w)0^WM!vk>K@5nDwOx<<6o*?)0_iS=@FcIt^Cx*y`7eboY0HVAEmS5KID*Y2LexIG{IzqdsMOmA9mx}Jt4MBZOMxPX0Oa>&n|Fd!t6T&xOg6Q{6V-n&FDtq+JzCeC^SCVo4Zd9g zYJ$Pm+u8rQUy}8B0%XAB8lE;J@q)rsGNQ1X6p;kZkp z)d(qm*y4|mXDA&S9gF*bnD+tHbN{6fTNAih#!rId3yl8;ahwpP)ARO3iI1<6{2}Gt zpSU5|_r1ly=uO<9y3EQu5sDc?4EGk0eMqSF9by$UuCG2t1G_yhp=|Pk2!0q`rpgMn zITLbN{{!(o|GPbdJMB1z5V;9udFso+_g}x2l*+ z+5EDqC?p}_mHazX%KAt=?FVaO?8a|t-jLjCKBrSC^4Kv?s%pI6p|v3iES(Ftb?la$ zRrY3QhobzG4-uMn_{Fx0g(DF0WCd@`)Hv@aO0E|}X|q0@DMqJwgV~5NN}TdCfe<(R zr$oh(3N;NP{C2R`vNj{!TWXaw+*qU(u4x0kWtzwmN`={@Y!S!#lu|v`++9$s?Mj+v zNiy7_pXH?rtO~p|B|5b&1G9K3z1;B9YhB1`GcPBskbLPF>{OR{SH&BVUiLZp(7sphMxV^2Q>@s6x7pybKzfk z)4VEaj+3#Fw>RJsbPuBK=e2>kL+(r6AN!6&92a_s@XnB$R4`S?(6n1{gU-8SCZ zz5vKvc6fL@y%B5ifvEQ8x%g47PTpGkA3l$QS@>+Pu+_9E?C*ib%xSgdv&9-wdW|C) zx{W!K==P>>MmyE!d8@DSe#T)<0upZPbM1U6t96Z})<0%ue#42pxT}Y_ zw2N7Qr#aj^&!X)<*jJ(b*rYc2^&s={d+|q}R2M^!=_7s6gR?Xl0HLQwyQ%ci8mfbsUsF-sdF$+spMV>E1mLMUTgM>_x-jnu#}r z=XK>B(mUi|+1c!cmWMKVIJq)1I~&xOz2-yEY#)VHi1Z@-EO^rX*y`hr^z!PZ|UA=pE@MD?*r$`4_mCX zSgF8K^FB=>R8=QiCo-I@K9}1mlZtIyxq*3Bs$qq}UJZrYlGAf=3Cw7L}6s-onX_>U3}=`#3MB?7oIH=HVL9uNrg!PjL#@dklE+tGkq=%zp_DE8~bqhd{Vqo*B;@>&Q zQ}y^Ub)RCNy;WH93i>LJ?lWQ^Mkp(r4^#+ia$Ya4^Ilo~Ggn&$5`3 zSMD6?O@A&!^izWn&+Nico1z<@RYIE_Imv@iZI{H~6(of1N)Qy8?O(1%X{Q1TUge1Q zf0I3c=(;PZ233fs!?<)esl~+4wFlu6J*XfyVt#Vjg#?<2>K@C1XiZ}vsaM5m>HJI?{zUgVnghAPP@Kto|}bCTQ_pLGN)h%ioELo z-j4E|%M1uhlbfyRwqKuke`z?S9?slfgq(w<;24HEKcyb-7m!8r>geC=f431Jxy+an zKM-Sb1!JQDJ4%;v17IkBeP_<&X$tY|qLE7<9F_)~eXO9*ld6pts;kdMXHX$!p*D(ELByo+-hH=x} zNgF(C%K0NP;!sxc{MrA1=v&eqE=BihRKEw{m zE@%qA_;dQ;yFPdY>&A&K$nF=#0zIL2>Z3*61?yh5y;a{i6poM`^TfMY5$-^pv@jD! zL>)+{-zMbNS<%X@#J>ld#QU&65bo))R*+@UQ;yDFzO0$Fc?B|+?kF9{(dazWGak8OpWnZiV2E5U=q8)*y9;}Ey#1$6PZ`5pm7n!rL{_E~2i5tnTI0wM6%3+rNCtyWmWh!b+77iC}D9Y@ad9+J1F)+4vU>HeW5n-|EkH6k7>s-3_b~R(*}N zSkQa;Qs*_d+W+_~uH;hlL6~p3bB!fJn7toD+}j7%q)%&BDfN%y4a(s&uQzgdBS6+++rCFU3&gY(zC) z7HJeFmaSvFcgUg#yFq*zER5J{a}=<0n*)-R?79TFv%{Oji}4`F*QeZE{c0|}7ChLL5`dn==`HLbQb#4nd*Zk7fJcp(lD z^Gb;%EWz8)z*>h>D%dkDPwuINlam%RZ^YrOX_;=uwG%5XVf%LVZkCo%(mSU3f?27ki=uu4n!~yN+D)luRV${jUX@w@?tg*@!Z$$8) zvRqr_T%%TduIEhF;825k?3#^Ov5beb+Wt3Kzh7m%!Ix}H3`!U5@i4M|M~=l5;k{5v z=Y!mkQ7S@fqOlnzDUtRG=eYmWe*qR^b<>w2H+4=(1Ey5CrCeCI+q*o|%|9iT>Ka}@ zuqvalgfUPJQ$N;-;7*-BV0@YK=-_j~{qxq(>cp@{mv2O>_uyUjxzX{dnb(vdKZi4T z-McfdH}DLoX}f->b(KC}=4wk528%DV`Z7_G_-m|OiV04PCdOULPrcHXjkDD^2x-NmNElxEr-ei~h|^45JK)CQ!94~P;}9V#@q%Ip#Mzd{e}WZsYaAx; zH(Hn;1sG7gWcMf*;-)!}<_@RT<_T5@FJenn1b-G73$ktwX}c#xHYi*MY6 z9eqE#^Rx7PU5e9W9^b?A0(JD+5qJZR$02f9uWKk-FV$m=<~M?b)}xgwwO;3msm{e`=PqJ3vA=5H!L(^8ryJjJEDS0%rzse?&qJ$w1_g^}3&9za%l`R$n5 zrxuV<*7-bm|BX1%`7mh?2|X$kaunk^i0IOp&nz(=kVU$5EPNZ=EFUAe>}yUcnC)4! zNF^^z=0s+(YiyuTz#upQx=C_1PFXoF?K%1~AcLDP86d4>bItYGTX}m!T6Cv;sIr=V z)e^(Q1)FP)lE@nOIcGg{;eUThikTCgpJ_UC&%#~$liLM;oVcwrBYXp-w%_U@!I#7} zn}F6_!sIwd+mKT$9c%GgG5?}&XJ9T-*js#@8AWV>nS`lB`a4=wN&07GH8ZK_+k>_) zXUvYwJI^^TP%#&%EYHpPhsz8XZOYPS9)Zs#gYcN~3?674Fe&I8XIgegUJP(>r&*of zt5uTJJZLTpvTrwdY_b)FI-xRqN;_Yz8p^vo zy$4^Bmrp}>;-&GYi?J(9Ea%8XhO=LgkUue{gs0UmA(&;{5$j_C>*138?&6TZ(-ZXj zKN8Y~i5b(Oa=~%{`!v_8g|(bzQ(DVnwf%Y{Bhxpwxaq>u?3Gti^968*hHy9`>fRn3}*`hw?ARM zLQW@DSuZPO|NWY@%VohiYb)cgQ5k|TbN#_b1){g7JLu$T58u{8uGIUA@EHbKyDw35 z)P54FGn>pk0NZf(=wuyG(xi{k?X|*1#pfK>S1?Rz02&Ri%&6er*t^-?%f1+Y(DakI z$!|c|{rt=cOnm8eL=q%77Y4Gc>US*loN#X~E1K2p5OK2s{;?zr~vL7^gzps^( zjGFr~+Q_q}6`@cB3ek_P-53N#Pk`WqBAXhTj2a>{U-u<>{^11ps(7S(Rl$aMJ%J|e zgZ6<4`{#73_nSN=wu|Ks!9cKjN_^yzjA7X0F@)-J3C_BJPA`nTG{{pGrhWxTz}5&y z7&2W!M;X>`SDxc%*(|yw=*$x?n5yFeNO?ch3#!|=XcO7Rc##rB<;odR=r{M97 zjNIPRAn7iaQJnd&Q9oAb%EZlA(;sGL+JBk|8D{@neq4V;r-SJ|G?yB;CT_R|_TLD4 z9cy~sJ;`e!4qS6x-ND(*pB3X;=8}0q@ueULz zN|)|0N6$ZAZ_VzN`Z-Ms_fc!l+75F})ssG@ErR1empUHa)oZF75KUw;iX5Byo<=R# zaWww6U3Y_2{Zp$}sxbY;?e|T(RN-ZIA+XDu4JL zmw~+JgO(04yoDh&7aJj-E}OoY>QCYkM@x#S;>P|ji-4mhl=s5nek#*2Jd8g-U(2pby*By4PzqVm0LAda6;JG zy`;C^ydBG_?6D&D;$S0Qq|me5rB(U5)FV}XOz0<8CP_OyYMbmIL|>M3&V?tyvxXo+`$?v-ubs!&l) zn{S&^WxIS(8#Nt-|Hbbmvl_o9rOl$!d~nb!dGU0C$zbMtW;j1r%r3C5f0p>5gHK}1 zR%cnpx1lBSX5cpN*&hAh+L|Q{UW;GOH%wRl(uirHLxp3n!9!*!4;(8%9Pl|0Ll7~Crf%yupsmm8{H;v$6M zH2MpOv?O^a!G#L!&_n%}&-BGwHB#LDwtWgUJG(6B*Y4LPhPRtcdkisiMRyyU!0|3@ zvoJ$&{fFF%%(=w$Jw)X5vN(QUQ>*h8*WXwh>l1XVMAoU z=SdkY17|AJF|MJZ?)8DTp)+2eNcAuLCsPNZL(xb@S?G$~o&W$E-806a4jw9dDNAt( zL%B~kzHRY;ZrKz`oYm_;jXw0YCl4wigwQ@updW2ZeyqK@;`R82r~fCEV`=mFFdGa1 z4s;Q}zQ|wSXyXv%kN-g5P4G+&QRPdSOWI%P#AVOgz4b=aq$%IfU#~072*|EaU~L;U z)Ts`^Q2b;+8iz;A55rpIibl+e*mu(WoTu$8kuo_@?+K3fEc`@-Uv?H8Sc#*K8I)Y z&ibRx*Yl13aQC>w{ru~+vsQNTy~M?p%ZDziG3RGWRN|v?rT^8YHJHN|Q>N(1El2TX zO^KlIaW!zWpH9E~Ec!cAO&pau^|LVS!EskJIdOp8qo8;^%7ae{-|4OMWGp|HDI8}Q z1d>MviFj~K@xrZ-ss@PiNPd%QMTUNh;Y~dW%7|gl6xdO9nIxh+w^t|a=T6Vf9lArD z@F?{0qbHmaKXtXg@}rik26#XX>HqHQ{_Tzawt#?zi;EP(^D{p))#r9eLfzrd_*;9J zFPP=DkZUW8x4d+QE11c%?2cb*PDWOK>EPK+?^KdPx;yO+HHfCnb2f~yMRVLZFfris zI!1SnVmBzsH;|RnUsgT`DE__D9?y|0FN1T}!wKHx5%)u#IV*$TGlNMVfWyba%6>~n z@U(GnPiSm*N4txT8n&Nuf>ISRINubR!n+)!{YxSu{f=voNnlKXus@B%ivm*R31n=C zX#57zaufe9>B0*+-N+=CO%mrnNX^36{3Rco{Y_Oore<+JoX_leI@>Q%&sDpuNzBzO z&Q$1q=@NG0>B_XIBs;HJ}+{ItMu%)#OFW0}QkxH%GDN&Wgo(620z1kCUFBCZ~ zh4lxS9zUIaX_7Bf#PzGy%1Moq@1qq$)}%K+_O{R!8?8Ow-PEjmSr=HweQexQSy>d( z`hya?~rlyYKtTFD0O!EgBP1-RZHvN(D&J8Vwh}VvYdLe+U|Ks$)_=RHEFCI;QGei381uFvqDn%48L@dE>b=Q` z*9mc!rs0%YX6udj$X!e_ zN-|PzuJ0>kT^`jI4cNz1113Bub=P2**~8Q^%UJQC88T$$;$w^H)92(7RBonjlNRLI z!`Kmga52rzL^+e_@vIo3qvYt7C2RUk8qc$ZlmODP0DA-2HX;YZ)nNt#yBdKQb3U-Ukxg13iG(AOTTHuNjaJ@PR4K89K3}??oL{Z}WrWs51)R(33V9*x} zLmp-E()tKp9M9zJYQBP@$Q=LPsSm&0p^d*8jBgmWG_xS^{|uXgtI7?1!uE%t{AV@g zIt~U2ps?!&`kS|FQh%rhUMSFx=&p&6nazSP#dDe*Wy{gx7EvwnJC++zzbK&vgGToJ<*AXaH>bRsi?!R6%ARf`Xch$F-D|}o{rgzvd=iI%i zTG6CYDtoz$>eM)%*oiDKd+R%&;tP4iHmlN#qa5S@O{TS2ozeYZB?9qi0 z{4C+fD9xK`(qHI~G-|<+;jLL_=`Rjzt=h0BRRrG}B9%Om9B{9^oFe*gIoftoRh`KX z&JQ~kaGBxO6T&<9w&JfAxX-(OMGFTl1=F0HX;SY%e4CF%99QxJz8h#YxoDa%U0QI5 zBN}e_^X|fi_l3;PP304C1*1)G&eB7vMTGTJ*#}ovJKBQjw zDu}r4IX<@b{(GH~CP*(;e|>-7-oWCSonN72fw{033Mr#(*VcS|tM%~vc6bkv*7*kt zJx==?rjPGhcaqUIywTs1mGn}p!JPxNpE}K`Axd>2K9cESGqTFV-^rzg@+8qt+kL-2l%x5Rdnv}dfy8WhB*glS?K2BVn z@ba*=pRV&7(6v706fwAo*Q+wypJBQ5+&qjIg1c|`*Danl+QzT$I(N>+D+-ZCHzxM? zYUvCU|u)U*QCN#f@I)CYZ54lZ$r&0z>S{4=Fm z%tf(yO6AyZk2fY*ED!bsm(Hpu<=XoXYX5U@v|G-;zhoFHpSZA0&XK%YfLn)feE2}! z*(o4<1*$&vQ>ZT@ZM%9&Y(aZ|W4uhf94t28Gf5S25ea_2kh!+?QO~(dT7>Ml@YSTD zuDkg(+(r6Bc=-K!y!ObFGY(Z3r2wJg*b-ZT)WDwqlC_+4>ptpNG<|&2G(IdX=hAw} zZ}-*>(+$&`=nm0uqE7-B_zyCAHa%gv%6)82eQeV)$YD4c$HshIGjEzF3*9wG_{~1c zo%HAR{yu=|h25TfinSO!`o?0~iJ0v{1h#81?PHjl4)3+@&Q{K5Qa_9ndcr|&6`xq0T-3&Cu=S!JnR`C3;59*Gvz0HH zle+Hcd6}{2zIU)n0DmCzN6;Fv(bp?SaNc{lsC42al$IoSSyC~FzD;O8Mr;4OO^&&N z>YZck0hdYK9$1;l@MF(? zO@gFe88vG~z+xZi!I0{wAKV9ym1Z3qt;3&(_%^-`Z*mVGGR>?aoj?kdrwF(=;upm{ z1|E|;(j~e3-uXGqUPrXAwz$+u{M0x6dU1rVv%T3ct$g5n^#zy~NqfoY!B8<;=^+6n zQK!S|s+M7r2c10Tfa$hHw$pRaYB_eh)5uL*R&px+n7p?|Lb>xWy~KZwnC{tyAgDFs z3!HmJFc?tPCf_7xu``Bnej>{)$BVxu6;&=ZOU$Ce-uFwL-ccq$fSsN9do?5lLmxco zpJD$iH;s3Tu)6}FudE6zeLuS{Ht)gb*~Dtl)>)ZNev+?Zt;%O_BwNzYay1&2De zaeVfxO&s3=93Wq}mhl*d9aNK@O|YNlxk9Kuukj=n5`u9W9NBHSjGC0%^1Pg zXpx^x=l7O9BsV(ML+%(1n0PN^&LaM+XQ>DX5cKZ6am_akEQwvyGm_ZXb5f?7#CAQr zLwFi;^n4I!=W_jTkgEH;s^fbNHwq|DXe*~oCt>4I%C7t|S^4mxW2a+PRDb9 zQmX>qY6gbR-o`wE1GzdLh^oX9?B?A#%jsUvSW^2!b8#GyGT?joXQgGXQT>PE=I_#b z)8kF2FU#!CH!n`hd;NQu=$#zvFPgX$oqRXbR{5&_G}L1cz&WH zzhl9!FSi(JUtMrHGhO~sS5h-C4bilM=(a#xkc$j(*#13lyIp|>hLd(lO1pkr<{&$J z>kpcMe#i>Y)0%vokl-PL4dOQ4^ICUjmf+*^&oj@-(e7BW>NJ|z;D2&D0}ZywlPnrrgw_uqTn2mstRT% zSLT{7#6`R*ZFB2ArO}F)rbny=$`BR62V{X9grA)rWc=$8oF)ywwf0nJ+mZqq)@SZS z8T62ZC+r}9lNTIk(7Epci!zJyF4?9&%qq#1eCqw(Xz8iQeM)}DTQAN4rPN6JDx_u{ z0Xm(hF`piC@*$BMm>0<@$(v#CNB9hjaihyif5Js;tVSM@&^g&mV*x&#YtbMEm-u*8 z_MBA0r@3ukd%)+g>M)oH=SeUm?`i&KZgwX1vc;L>=2e~{0_m+9Ki)t6m^FQtRW?a zxTtlaRGA|fQ`ike6(ret2ymjmxWKxqNe9Tqk6lfQMfiDTKwuS`ErNy&3-+o5x|0&6 zOjQL7!%#LRn8*_QQ2p;}fUb6Z*RKGf6uD%~=PeJ^Dc`UL%hLP4c>k5z_j07G!3(Q` zI19{UZQcQ-Q(hb|Mk2pCaPkcV8qO>-r*jbYDLHlnS4zDa?Fc4qOu%O#ZtjP!Ps8+V zDci}&r3HZG^3U*H;bO`P{d;d(_BQmL4e-MbZuWn@(IAQ^!6&9ggb#Z$(f8W@jwoza z4GyDLh`3)Ro2NzMg*K)laX?pZvcoz%xEb{HH8zNEFkMthS3*Y9v}VeiIf7FIgL z(R!y`k-RjlOP=QQ~i4O7Y#0duFt-f&kfS(9JZ5GLc*bS0Y@j*qW*lY2gvF!&%~zp$M~dXaK)9H zx4WG)n6bmBq&UO6J+}?p413Mv!DbJ82JaTGz97QS-hv+Z+=>5QP|X&BzFx&`FLirv z`Qo70bi^ONmwmOJP2aX6=4U0Z$7R^Nso(RoB0n=vVh5A{Ce#i1)i|%0UE^KTI8S*F zIJ|$bG!D{uK&kn)N?c(3_vF21`N;G5glVcH*9}Dwaq#)4vJ^jKOmtlsGS=76k{0cP z*;Hqm<;|*V&L7ZA0`e$+QaD!>J1zcBiX(19i>^>JT{+iy*DOy%w5_z%ws@-7td3V1 zqUgGZ=Si)Y$S?^I_ggNTomvyTYx?ozMjf<}Z|>F(gE&6d={!vh+kA08oAC-4yHXu3 z|D2b)AIR(5=> zzX{O^S;ry?RvS<@11jfp;peQhuq}_W3Gtq@4!K5LuU~8Uvw-W=(ZQEj+nDcI;8N!6 ze{fp6n%!CENIgK`volGz4e|K{v-~rnX)kj@+ITEwpoaX8M97`QuxbxbGXH zN*&5Fa50zdkwWZ_)T3_Qb{+A~gaq2!9i9R9)lR>sWxoyLB>gHKqU|)BBPEtX9W*GC zBfOkqt8G%KL#28>%*1-#Zs;rATCK~SOPXkZSmB%4Co_JyT*}Mn1eAnl{+hDNgiY15 zl?K!oA2&44ERoRYa+oaXv~~m;kPTDf!y2IVgkWoeoFSXPWFvjL?|xLujdg8y*cL0W z*CkyCoah>lYZ{ahwlE?WN1dbr5dcOhc(TkA?z93n6BsE1Ieb15_4 zLFvqkA%XZisC!N99H?3fff&d-HI7r{z}<_Cs@c{8uVZV-UNTb<3>^%+sGO+1N$zAb z@bhB&JbRs1OS|jG2mAP@!6kO@JDd*=I)Zr^8O(YvU_ga48uuu3@aMK}!`0LPvi?() zGSO;5S2kpjbeN~RaReEucln&=xY6tYra_ zEFTLqLfHqD>Wu@y-zeN^wDcWc-a1~czWU68Lj-8!DHgA>hJ+XujhH}*Qnc86oE*{} zbmk#q76SN;P;>evwG1*bc=P@4iyV7V(ST6WiEMe&Ln`jN8eU!8xt(v+Ss?G<`_Otl zy|3DI_>1HhT?i%FuzGaunJ0|58J|$LrBGtY_KG6Zx+yVV*{mT}EpQw-Fg-pQ{mZ#q zJ_+iJ>;-!Jw6#zo>blmWvhTR9TOH?e*PT)YMBBK`9R%__il|>rQ*58@@|E=OO)X^| z?rL58(wE^GAd>qgGyfg2?^eJhB^_Ke* z9zDLM+Id%seJ$Ty<5;?4LA&F%*hk-v4nDM08WN)tFm+QpW~|Z^IrNRg*+_)u>ffx|#*wohrgv z!UH9i;eaqzbh}e z^wQ@PvV84ZaZ8ILFX4pqW54gW*W+U3m-wSP)`j5tkx8_*2(~5WNulq@S+mj%35MA= zMQ$iQQ$xtMEp)T8)4_UdHG}VLp6?WSe8ie0ym{See6!`)josiDUdS>v_p&oX0s45v z8YP`#UA(<15Cl_cp5N%pK6lQC^tKKc9nWZFTeD~DmeJ`g&DwP}N@HP}(Lb8737*Lk z5DVW7LVAv`BmVn>u{c>m6=-784M`_3h|_M;37I*O~iO_EWcC~#dE zc)xfi_l*}2yp&xtp)DuU zUuYvgb$dk`Zb249xjXtdI~@VcV50#WC`7iQrttA(8<;72)0iv^GelA@cAEl)ECzDv zJ|?UyL>Nr{3HE}rWz2Ig=Eq=FW)Lvr+-Cg`PME{n(}(g_{lkw>Nm%7zsp=0hTveN2 zS{)#;3o-O!&m6u^~zxcbf#y-x03 zAh$rAbXwwO2J^Vg>xnjiTwrQNdNX|*F1VW07`+?opmB+~rF(&ReKjl@R){ZZRBR--zvBqmf19_4l`9NjfVK%PMqjC;mZ!OI)n&~(Wu?Tz1%qiQi?F8gzce|ypn zV!L%WZ>&$G=o}D1Xz*vMnmE5IVlOILz2+occ)Wp<^h-WXllReaYhyEV>gELshS(L> zzq=^4kgYFV_aG(j$6nK|+&A`VdnCNyrsGwD@UK{c7f>Pc(_C{ zyb6thoozZjzF}MH4Y9CB3gyg^49!4FUvTnn70pL8{2%r6pDf2W%q)iIFh5nvnJ!vP zrX1c5evAl9Q~GkH=~Ojm05k!d(nAAGvE7~?P}%J&kyN_4BHm|Dc{Rj`dP=v#PgO*Flg1T%{Mth!(jyF z?_-_GgJ7ZiUtcegKjA2Q-PNvgNrRRuv)TgIb^HVtAYS^g%=F%wB#U zPttjP-GH2zy{3#+Z&|E*-JTImOCu@7R?5mc2pO;65gEzM5aV`BiwFiP2ffq9aoish zuh}Z+^La%td-PFk_t_RIU7|5%;Dtk~bp!`0e+)*r?dsGo%kgKgNva<*vT}`e&aHWX zsHp>ysveQe3AR}JMEC-GL5`%nd95TEIEV}1R4b6EycN%`b?Uc-@Iz{&;ihTYfO6Lc>Kh%;Mn9 zu?(u)Y~QWXF1{&;46O3jekg;h?wC8yoL|J=O%ZDJr_1ACkd;*rrG5AMqPprPz#0w+ zwmtoc{rB?5#Qv+ush>7Anc**Q(1O5^izi1_t4`8Q4z|U{rJ~ioCp8Ku{l}p-A#;w= z>eG}R1yoaEZH(O^>h;4b<=2#5EDJEICird~ko;R1|0M4;zKCWZ zR^1N&rC{30;bV__#_`EMaa7E2wGvl(KhV_+Pqd3H z;R=H!ncB!8_>7Ls4u~j$myreH;^qcPlZ%j8OV6qg?03c?+c)U zkor4)a1Vn_=f1BtKy?SLG_$??=jbmpBhbyxrOOP?p ztQp#7z~=~Wvu#_smQIk^d&_PkIprt)RAQC8W-&vLDSZ13ZES=ip4h5iE24fIbhSO4 z=iSf7*Yki$%N7KUH=#62@>=k}uovt15#MOeC%{qaQ?kuH#K#H>y7w$MQrtt*-%G@b^kQ-~UgP=DR$i6yZQSH2>Woq4hR5vP zOe>t(qt|BzpsB6g%@NkW6fP5}6_w=G^fxXmhSB1NingD|e<>Y>P7mje{xnkmbe~Box zE>G1J;3w=20D6Htjf_CEq~Jwn^xi~54L$Xua4Q6S6aQ)@d3^5Gbr^q3A-uLL`L9go z=|67lRHU0*bXrITOLmQ1F;}iP_{ZT7s+)Ac49|^SXc2AHf9VWQCec$8Xbdea>Xh4Y zNvC=0QRy)#6bPhQwwRfo`eV33lTSTLKX4INm?@&EjO^;Gq#-7TyM8hK$FFzNmD*yG0qx@7gYlxcPydS`j_%zmoF zn1-x-QY~#Z=p&@W-ucelBo23l*!Q!60_iEKgb~yAN>VMxR0nD-u^Kd}-*n~-Zuim|$-?SR$SUVB!Re?SwK0k@ ziaq_zv{lhs!*r-Y$-mm5@^Rt$3%iqmy9!{#k=Ec88zuNBR=K;DIQ6 z|DIre@tkUISGBr@Ha1q6uAa{d@B2?TSfkwUMvf@p-0w#^{g8>xV9F__gl_P?pa(>X z?gn=R;#Be!({J&we{|4RiD4o$$}p9&Tvx#ZV=5iQ;qZr?1Qk)gjU|s~0SbN&uR7V9 z*3{CwenXq(5Qjwy$nmR&LE}t}0}2-%waCWfDXFG0eIjAUBYK6v&`9|ERha^^@XsTb zxNWVyVEmx!aDoZl_!GpeP=8j#?6zY%i-4*A0EIY!CF)W91xGF|2xl&T4CDdsiPZ+l zNrWUvLVd(xK9w1ejj|E&EA96dP+f2JDDzAbc@c9Ou+{LbSQTG>MyFRNyYZGWAFc1x za!T`oAKN|@HAi|SV8G}5`SROHhe^$$!=xWVU;kXy3g3a3ejqEiqF$U-CL3g2UjkgU z60J1Y`=S|;tyF`77G^BVnAnerczS!Yx&tz!sli1#W#8mCj0wE60$3%?FH_>7KxiJ zSs6{T)^(uXFatk=kU|}e&}Vxf@hQi5?X~QUQRP5}3<5qpRabt!d6&0-HQmz&y+<^T zHM03RJkX~UF|@v`*6eewPHL5%Vc+38)~90V(Zbyhg8rOp&+1AlAoCZ5xzRsQ?9^O( zsahm=DWTpD(EFv4WDIF9-=S+9gZ{APfY1X$ID1hm!)I9aP$^xIgvfG&ym$?2ux1@$ zcRp~G@qt8L@Z{KHo?Lb9^;xClkL-Nfz-|x4G&4Av+OK;nqL1+)d!G%vZT0FFS7v9? z2?!3z<=t92-ZFV}UO#j8R+_aMN#ZQ2)5h<~0y4Z@hj-tB{{yf1R0T?(AF^+}ahPjD zaj?|VY{i5fnnj+jGqSWY1;>KU%_4FVRP!}A+W5#vW3um*RqB}P%O9xe3!fCo#a#F6 z>Eh+K9L7B3GhY0qrX=t0;-M=q9y`bEaWCVJxZ3$zOuj~g7QPoOJ}i0a#Heu8Ai zNo$f!@A-I%(-3$i<^n3ayQ*V6H4nV~D!)(hi5vl+&T$6ozs=5sYMnKjgPy@wqydKZ zZQ6@Tyu|X^1EvjLyQJw9Nu(cZ+;9zl)yp@kJY=-HE`W2gXt*92BAD6Y8O!_g#Qh&G zLV7&9g$Py*f{jdde%u!{!F}$i@lqcG7XR)iR7q@)=zbhSPS*&zKf*dOOP~B*jKqKk zBiVSd0&>_eF!;)<x7kJ$tzlI%%dH*Eof%}y`vNDAiKg1Gvh1$ zZM3gl0S7`aLwYr67KBk4^$Sc`0n3n=!G2Y;*Oo))j{Ch*RKSbZ0X@lQ!LnrkbeDBk z9~+cFW>`rcIElCqu=#zcJ_>pq9$Tp#DX2+!(N9z| zh4+ql)4&O-19hnI0%(6;;dvZD;KsE;1i@$^7*euwYZPTXGDhJ?d(=g3<6eFF@>N_5 zpyDy(5#Ftc_A5S_TTjo2uCUWTo)27667?SXt78{}Jw%9*?-RYFeP*(y0cWHJV@l>p zFT)xi2!4J*{ULs+rO(NKPwD&QMkVaImob16GQ9V_{A0!l^~wq6pitd%^))95cD)h! zn@O!u`sTbYByBT)5+r$AQzSu>GXR2ym$X%OEX?lxwhRj3@GB2AnOSeJTyo0Mn9+Xw ztyPd=hyMV_^)tsG>}vM46-sa7dRJE(oilBd)R9k@tHA;O3tos)mepZCPW>SxeUt^2 zHeNT}m=`_9EXCz(Vw3|g)k@rIppW0g5y<4HpF?zH6r$)k;p=9@V#;_Aan6Tu)uhuN zZMs)I9$B0ZxhYNQKux33xZojZ9v-8b#76~Ue@b(gWuZ6t##zr@#X8ul1*Wi+Pn$?a&D z)MgkZ_NF#a;1X+xkatKZL~Tpyxz=Edn&_qcXrMHVZVv+YE%DS?=?Mltu4tB z?Ni5FZvUbI&5#+qz*oM0Put-zqSqt11VAR_W_{k8Mn6i8AJN}2sIk-W{m*s{X*$23XRgpF!ezOL;{LvWLvcFt;JFu=v4f{ooF)I=SciG>L zj6mfZ_hi1$`qcx$J<8LPi83d?KXQQY@tBcLpA1d*B$v>%wo51eiqo)iDn+7&b%|ym z;0J6vV#c=B9PMhmchTfMvbgjE6i~e~kl{WSHn!48591i5q5VU0y=k!C~$8IQ`g&O)SzQANQiLifGkO5UJXgTaO}N2o4Y{NwT`Ky+*WmFQvGX z21FT$4k)oRE~4}Y3{w3KVHGA$o&qO6hm+P`paLU+4v&R^E!eOjf=UqY1>>}&Hz1iq zIapaddMvhgTE3;?xWvx%WU45)W}}e#bsY2VlUoB{IucT6x2$GwA$i#h*j@^kU(;{7 zcrE*f6J#)M-6!def2aE&8*rt(#VQ(B(4*S_j`e}daK0RLX%YU0&q z*pUu>?SA-S;LEEfVe~FH!Forz+WSj9lnVmW>dHs)N&)!bjl90$1tygZl_q4>wG97Q z0in$mXen}(MTU6ulm)#@fahs4m0unvj}(?obeH+XA2F{mEX|6q;^C4O&^1kt5{#aa zocf)xFc8MV00QnaN$FvbqH?Ks3_HBXwKZ^~%Y$EKai~n>Jiahrb6=1)SDtvQ&bFw0 zG((blROOSapp{RJsHu}w-QTtz!sQ%+u!~ctd@0a5YDA_Dy?Y7egg9*HHVFJRW+m=U zz1U|_n*7ya-PTYV;0Dro7!LN`%QQoHiovAI6R86Xk(zk28wn;HLi_%wOCTqb#MdKk zsmBw5S^M1va>C~H17Rfi#SMs?^FTzA1anq^6y!4z5by<#(M)IvTaYcOQC{uI6ZUdc zN4Hy7NALCdaNiHojImaq0=PrybV8G=0&+KH{vS;M`E$rYA=G2qh+nXl|$da)PKqewyJ4p>?*3|=dclz|Vg1k&J zKh;l`j#HrkpqePC!O@J1blO5LFKkCM0fMEKG27Hv9E%a(T3o=52~q`5LR&C<@;W**k)=mFJbfJj`kd|#H7*fouN$i=>)UciwH4}?= z^y!Rz0QchN)U;~qAA6P>m2xZ70CeprmLe6a`e@*_`grcP>46;f?KCcL(z%vBCC;=# z+;He{I(^e+N_f_qT3z&Qgl4K9aaOSA>jCozxLU~Q~YOP95-nHk~=ml=webe%kIatm4 zwveuVA`zxluC?$BTEob3CF6?`c(`0+2;{4~k>t^(u+%fEvaiC&zUb#KlV#etrok3W zpQ8Z^#_K@8)(C8F<})$eKj3RBwCI?-oK`W#ytV#Z=Bt+fZQ*$3^{St~w(Km{Ta}s- zb5>4o3T{Pecyx!Nfq8~0v&li0y!Zn^78y?)G&hW>(*9cSp5w^Ip3b?v?$j+9rN)ZS z(bnf9jv&@l(*Q0&XpJy@Qk!%pXV*jSXdWbA%>>F*&DriKnYCPtzT;AQg6#&A~9hVkfvnVJXs9 zn$x7&Sb>~m)l$EuI!$-q7if0TyZ-Sd2SnGNeHzGa&@!u=mVAR+U>m@KsCse)y1;?@;t=~eBAbA@#ej|A z*H{(g%;zCb*+7+%!Q!)f4-sQzv=?~M3s+i+ooaiADVjxN_aUW7NTv&ClQ7kb=YOUK zz7YZJ;KW1WHa*$ zieRewr0l1awi#)Cb((8>*wsMXijwTEp&{;EOQ$Z<+tj*SN*zhH7`f+Y+xup^GE4sC zhdf)*xH@|opsuJF?w2d;>N>1Ou#uGa>f^zkpmN-5Uw*T*zFX%U`rGj!ZfUOMlMzkL zbQLu-h4+dvlk=P(S;VS76yg+hguq2uYm9Z;b{e$yU;J9`Bf)`jCsG%i8-3>IFwY04 ze@AYJmF&B@T{m}6K@MY06aj3r^TWP_&g1P9bPjO|zsf!rf{X(opY_i1J0ChGD^^NO zN%a*`j!?Zy!V>){o4m|3{myiw{F{!L`O z3I_*_XMGef8%hy6mhJ*r?uN<8E=I3;9#LX^ZxZwOBqXp_kJR?jKm@Z6qRoCi+bn8JV>|r7%PgqC916UocY5-8@F+f zO&oW6OoFTBbI6x;VoWgKGb<4)ms4rgBOMwjpb#u&w=5_Y(<H%3!~1>c8o;C9Ujd!MnFw)zP9*?2DnWe*!zr_9lb+1w+|n7SdEi`Mcd`fWcVls5E( zVES}CFd!cKsB2Xx ziIbmQzUK`5QWWK&A^-=%u<#a2jzMzuM2hQm%sU=sJ|2eVyMrF2HlaT8BzaY)OK!P| z(m=RyKXaUBae+2;;NYy^tLaC@HJgkX>ly`iuQC91_;@&kaV$YZZ4};f!Anm_6^`+%06H4wJ&lDI1Agy-CT`9pa9OS3oO+o0A;@0UScgWR~`TM$gugqP~diO z%{ukCIm^J!rO@qehjp25!Oa4EOV__7-nx5?PF)_Ea6~5(J^A#wl~#0%>}$=P70YN9 zMKB0f7J%#T1EIa}d*1h#b;U~nCGy&>^iqs;h0cFj^j`^& zmzU6#ykmy<1JF3XF4^w8fuxh(pa)THfA-HwKPO!#SNgx7^n<13_{YvBK4gnrM_elW zwy(KqjIN(DsUct+RPKBXpmWSG{)M=x;?X$e+&?+Ed!SEYMwL4Gk)E#0xk4_)Y;IhY z{Cbm+>#}rKL!>8hzO>48cDH&+8|;^u?^wv~F^p(3@vyo}@kz&GE#gvQy5@(GA#vd- z_X*V}>%KjA4gD8;ZYiX9Ib>%e;{|D>UE|$*FiOnFnsglEIl(ZuyHhrL2$^A976@N$ zvH6%Pq*cX}A6KO$N95)v;#8W!%fk&dohI8^6RHlcZ4-pc8!2#2@I$YZ=71%`hG1LX zS?BrLR5<`mUh49!KH2hH68_v2@GC%aH9g=LKlUvD)QvW(E@vP2NhaR5=IRQxkt84J zF52OrjtGF;nr=;RslaEkQ_;!6zWEOucVZRj1>iI=3P!Tw$HcX4*)LzH@0c_%jyc|8 z#5!FZI>~-Pe*m1QRwQfdUhpxIy=SQc_S$40;IqC|nhqcZAu2?oL!YM)o}7Wakc_V* zC}!8#JW*QhMN9adtjvpC4-*e-8nh^rLm^8^j%l=rj5A&Wp7` zgANfBg@@;h#(>pIf#$UQwCi;_d`z@`L|rKx*)4?zEl?;;Rc=|!E2;XS$oi9Qdas{~ z6KsTeQZKb@)76$@t*{2P?)Egh4-couU&^5xd|DpzkD`)K^#K=&{8FDk(w=f>BDCZtiE)G%a8YezYrDD8hkz)w{Z=2k2)84FZIreEzivM< zDee5X3qWfP=x#kdDd>@c$|d z{9_h;$60w-F|2kds#31V*JJnbd&B#CzX21Y#LD-xI(jqYOCLLf)Xo+|HGKiT+~hZL zQxnXRD%-M(Y0r9uk#E$fz)~TK*-Lyh+8DI{ zC%y6(UwV>qk1lWNoo?E%FFJLVRW!xT3<{fHc-~AGtN%0F22wE0h(>g^MKcVA=%wD} zTRs|d}|+XpyjU(9nkk)xR+s%0wPqYBv|+ zkbuc8CJVIdGIMfdax7BwO<(_%Pe(4g$dmtvg$Df-a2td4TzW>1eA2-Y$V;Fcq;B~N z@GBN^^_0&;0x8Jk{Eyl|o(S*yKZmQy1HM+PzxmevyL=eTC^8i?cHHx2Jz84CGm;?F zc=A7-+l}W3QsfG7s?UBf)upps=pI=FQQS&(ud>bX_2t(O94tm+h32hky8=sL3UAvW zxEm_{j|cT&z0|g5sX#V}uo6?7{`S(T9C0X`!?>tF#Nm@ec0n1kb5cjg@I(QONo$;o@?5#@$?+=00iWQQ%5(}0P0ATK+nuM#O?n@o2Esv(dvs^MCbINkwZjr-q zEX8P>8aHq)L9es}#$gbY!}bP;O5hAq@;l|}^11SoyC?O-^LPcYdA9Y0M5#;U&g4?v z`!#CjW?(WQrR{ws?^nCevJTpu?`lfLynrYY(CrH}+Z@iF^z^Y}2{Q5spc({5@IJ}| z?G1pWV0L_`Y9i{8#7@g+97K6`@Cd&vK8r3p`(B62I4x#6i$ZM;pQ7dPUf)M0!A;eO zRK-pkInzk5GGJzhT>5nvO|YsHU-_pDj5nu&4kKuJNKw0eB*eV}+s0!mpmP2$@`)uI z;M)N7LK_nQz1Q5oua-*+4^rSb&^24g!>;kFROWN3g@i{_6t>Q4zoZsiS_FYMQ}pTL zLWpcD(^gDCi=ID)I1gwdg74nHSqOM!BgRgGGh^ zsZ#Ru76eQi#h_&xG>0^-mgM`1Z{znO!v{KGk{<;8?T{Oq}sWKO5qiTOFuc^or zwQD^xOKfLD$o+wR8bf{AGF6FVq^j(mAyC#tc>xVO`Tc#>RJhloW%pZK5FKh2lyd3Q zDPT@3n{ca!DoX*EvOgFCse*SrM7RVKfs`II>kyb#1BGJh8}-)+)ZkC0<gtqu_?4GK;SPf*QY>r6=^t7eGy@M97f(!lXVF@ZK3|Kr z@WA*#tXVedp+dGW0J8eDTL81FNOw9SuJewY#_INq8NXlZ>@8QzoVq+qYdp5�*%Y zzt>5%Qrcge@B#FW5yz7_?JgQE5q|&@T?5V!*nf4ftT46p(3b&dpG!sE-Nn%{B$wE-zYqYhO>wzoT@KH|k_DuL2w60y$xn0#YT0MLFauLaKEtGGJJXgg++*-muOhjo8TZw;BEP_XSOv32ykSaqIwS;Y>w}`Q|RNFLtt$_!*Phw-wtd=pt!DTJ0z9! zQe+H`=F*BQ)kLc%n7VXy&)SGBi@+;Yr%KRZ?Hn2SAzV_zrG2GqYfo6luS382-Hul~ zuak@HwtMc%VQrI|Tl#G2=;`l=rQxFULNQ-B$9;n}cmQQ`w-iz=02KourpHlQ3cBl%c9aHs(Epypg0{`|^^m=x45wQL4 z5k!~Tgq25SLcSx6n~w`!S73i?L?Nknmrvz(TGYMtj!$KydWnTBKq{KG(6MY)2os;s zvT`2dm0tXCi#qOm5l8y-#?b_5SV*jy;cQzsxxBotla^sc;nNK`}aRF$?{X_5XW`Xhcc{CxL&xJuJcNmam3rK#S}lr6n(CvnL3-G zlrb1nzwuH2U_D=!82n8q%GX0{KZ#SuHKuZnDfW8u5NObJi?iKr>~Ny?K+E|p+baW0 z5)^fx%~#C>VASM(yKnffub`)G5HL9e3dWKeP~-IM&bY&0{SA}Nr@hUONVWvG5hWae zN>*yXd;CXD@3|;S04)F?1qx-zAo64uyEDP(u-TYa{B60}{=xupk&z@Ne~K$hz3^Em zOO<7JPOw55smsNQ6oz-)}mKM}}JQ0AtyZbk^jCciCz@l$?){YBR33+h9ba+rL zlzv|Igk8nr_p70@7iWjH`g_{({dzvSC69R7nev8O-R~W@`h&rijk`IK!{2rv-V96? z$5jPaFlTa z@C{PYuM&RzH_QJ2Yy>lje@f2rjS~}}(_%TZj}$3(+3d_cZ)s*2@BHlyZN(52eUEUM zFCjU<$F4*P94wE37>(JsVcgIHe~YAJe3!O7*ugzV-sPJ&JrGe)$Ok>E686@KLIu${ z?cdWl+r6ya`l4_yXJp(Tew24r!j(Tao4jQG`SYbLZkKCNlL+o~*hbIhYEnnZ@RQ@jX@1ZkYLM;Mh2?1QTDBFIS&Egf{;<zk#;DDjrj1i$8Wo-SbV3st? zm@r^2FdrPR^c|D!CK1-U#U)7Y8UORcY||i5 zcvWt$Wd8bHp6IO{-6)oWX&weA4B!sMFemk3p*Bjb9T8RE4Q3ift zK0S6E*-pGVzzfr3V`t^}{>0Dq=sYyI2v(z(qK{{aG8Tfb`1HXaBlKa;G9x#UvK_og@ zAE{jLpPm+JfH@TZ{ePKk@3N7;*2!Mm{NF#&fB)I;H^r{JUK2jyBFA9>zKz@K+kP)G zRdqI$NB8xv!ncn-3(=TgOw{4`+&RBhj$Uzo!5WKw?guC5?rsCcnr?`0KBGBhO1H@K z!)M7K|I${nvgnTXKX`u;TPC8GUTNfaJoJ}bYrK+UsszQl(yOU5dl9vemG8*9*p7!L z5sb;Vlfl-0p1B^ZwKwbfU?^gu5Rx*((3+YYIk5-msu0cN z=XXTw7GXDPhJ;0sYx$Hhta9sd4~}8O{Z$F*ecf4|fSRU+koY1m;F#V7Ivs!OaG*m^ zcr^m7q1u#jgoz$NA9X6~(f_}GS^sv2TEgZ2BzKlg!VC&Qa$WeJ9wb8Wt;~>G;ZsK+ zqZy7}rCsgIHT-1X%+fK`AE=gYa(v_dnQLkv6~`m`wMcU6P4;dp5A`my^pK(xzCBKq z;g?v9fUt-=)#kHi*nU1l-(9UuMXA|+KOQ$x;gnm$#o?o(xTgKT!L^w0h7_mCUE&G4fms`sMgJy_Lblt0tGIf@6Wg|Tot+jz-b z6AOVh5adlymOLL6B5ez`=z*RAC$zdgzWcH%=JItpuG1l|i+9@X#J_5c6z^)$0h5GWWVruNIW0V(jBHUA z*7IG}kXX~HZ$b=nqu(yk<)#&Xj7g6AlA(MxE`upu{J=G8% zdl+Qj-I)yr1OO_$?B8z5A=XD}O*eAoON;3vHG8p#f!Y-I zwEb873&0q`5Q+E3Pk%{VSq=scuRcpecI5!M8ThBpFBa6l)+oQ4 zDx&wlseeURk3GI>@Ck3@5K39)s|c=&#c2ucmxLtm#+iBVt$8#54{zNsw&hyfdw=_$v(Mi9 zbOc0vdRpj2_|TdK=oA(MAKGgDf5EE%{WT!`{?*_=mNf9xY2p7=hD=nD$+&3+n9n{2 zq`=R93sYG}EQWneFl(6kYo4+En z3HPyH3XF2YnT=Iq8K~^cxn?duh1xFjYrv?^QbZT1jLC9zzE=QuMDm4A{{M17UY!x{ zh&PN%pX7go8p59!Jtw>=BL|Lypc{5wAA>l`S=u>(3nCm*82ajTFmWMMA1mRd zRVs~O2b0tJ(@i%mP8IImINuKv@3h{DQLk%o3GhxlnY%*WB6+dAs_@S01$iDb*7qrp zItljP=ks91E(>Hj7tz9^0yK(sDiFd-}W4P~#jgj?jPswb>n~4z~H?noiSHpDJ zhrT8JkX)>>0GdzHV;+hpP3zAE;N8|6ZLS zwA03a9HyFQG+chGas4U4?&tM&*%rT}W!4s7`0h%!d^M#>xwPD7m_(qZXDbnfXo26$ z0U7&{1Rdpi_bi{r74Cj|g;x{*SwWPYi0%{UH$B`U1-MRbx2*j!-9;%LUAj&PuCpq} z6Uf{n3fMkHP6Y>`#}Z)yu{8C(EIHh-QCe_{&2({PEqW1b`&;ZcgWQkjKp=LY&0F=d zCoRsgud};Vx34Syekj1h?%Sg%wW?p3SSV(6zsM z5zUMl%B4~lTd{SliOo2fLjJ%we(lLQeHmBt>sz|QBGJ~}Z1>&$Ux<5kyte*cVQL&P z&UzzoyPL^Q)Sdb3otxO0Zh9SU?d`k%+thkOCrJtUqUg2g!b}gIgBLB%nTMMxrC1f8 zIJ0fHN(J+V5y6wv86M2bSl{AnHN-$mZ6Jwez6~V1Q1ib`b`1HSFKRTmNrYKLSaH$Nh(672RJFN^gVz3_=C_qOLVYJ zKJT}9sUP%QSD${{{oMFE_Z{l?NuJiZ9vD4pU}H_b^K!yaJ#9Z13apHg|E-zNI?eX< zV%Y)kK>M{VmUKTjwCdXTB0It{R@@qKApg*JFF7#UwyL7N=VzEOlMa+~?=bAT&8={% z($6^4Kws0F=eoyte*|8(RYl;~h}uY8b@amfVqV7vdnO1Dy8n*GxQS=f=RSp*6QM3SWdGV;({fqPpGRjrI~ zr>TU#4TYRTW*qXom$cj>i#^<5@|lZ1S0$V%e{R50y^ZM?d}gR13j3o)yc`516FU%S zT|zQ>|55}mLJ{a_Ow3=c0c{F3p}L869?zKPnNDSSOqr`e$w#Wd9LS>h{4h*X{r?>R zYt47k@%LOU;1`qfcaoOF7cfAB0^Bt9^XJxT<}<}w%Q4-Wyf1_r#hy)4T$H!hH4NvA zx=V%9IOXIh_wobD@XE4R?j?>0cV3l<)|a`zcD!ZpwZpj0nZMeVcDSG7pBMp_xAFzz zUxBBfoe`J_xWw=*;)*&A-0S}<#9`u4xFm|p;w>( z*fP*48Gf($NUb}|{*#05yYTC8mRm!qwR(SKy}n9J`XMs>W~AjN3wr}6>4@@c9u9Ua z(y(RxtR=q^iP+d}nvln2%;q6BjNpzhn@*Zvq6%KZ4aQpv9C7;-m#d2!8RrLTF>h@? zd<))-$Nvx$4Qi;1*WTxwp@+vWuEQP26> z%01v251X>st27!g)YybfwA2rb^wS4S*1c3w6ei3=Ai#cYEj#tb$Nj_tRha(fAhH)o>RFIo(gE=Y+&k0$tly7&2}zh5eLh35-j>6fl=JG!s9I%k-+3c&-HN*??MQ zzosu(`@twx^!CXsZgEkvVlxNkTVa0;dm+3~#bw9PNF8GazH2eyo65}7)z6^5+xzD~ z*Sc0dLM^Ez5Nceo+wDV{_o}1vCM>$faZvR}!Z1Pt^4Ke9&p3?i)8uZU@4z!CT*6DoqSELTa(QWDi^NV?1Ng;?B4rSX+}P%Y8HMD4icqO(e4`+g$B zV|Ek#dc(%hZkbQe9PrS5wmXMK-yVwTa%*9>;?qFyf_L7fERz@BY$wVn_BeQ&@GMoH zmW7H;g;jZJm|xr1m&yDciy~E&2zXy7E+Pf|o`H-e=`unH{g)C~n9S<@^1ObeLjZjF z2d?T96sz9w9jeI5^uTkd;1fxf@N4R5333Kq?Qdp?HX+2FQtHSbA1?P74gcx>XHJ`cl|;;Thqm-9>+`|pv@nr~`t-1ifES=suaruExN z6BqwN6CvN{(gM8sfMJ_pj7(DVVeaWtJ}u`yK-3EK=Xm%UwfwX9gVrPUeNAZ ziUop@+`r8OFlD>xS?>2}{+~;;rqyHtJ%LO|1={)Sm@G74N>J#MzlW*8?N%Y=9SVwr z4N1rQ##vfJJP143t7nK{-yQIUaLvbLa=;&(+6z3;$?e}YqC;reNu!2oOBBasuy4TZ zFLy3e8hwRjvzHz~zyFOqrK6urfq9V)e3=lCaBdn{&k$KcD)v@u`JI~wt&60lrb9#a9h?Qo`xoSKpd>eOde@?qIsArd)p92r~VxAjzYkE<~SLO&(7;_9sap~b~)0$BdIK}uY4dYHW?>14BcA5 z70VCXrx8xIi*Z1ZSp-$&*|uRz111)K06y)!n9jsbLzi9b^J4>7`P1tvJZ*j2IT2-; ztxVh&5>gAF|Ln2{thL83pa^Qk<4gPn7{7r8%BPDN2L{d@`VnBBIov$;&sxAaPw5ID z&bJPc+ktBgM1U`sf(~GZLa+)rpw%}>UB)z{Fb#z9y-)`}4}YB5U^3TcTemYTD9=9( z*_|{GaIvr$pViuu8}!pY`)Jsh4Tx$+8&aB&f2Ik#UH-?p%n_BW-sAXLCE&<%Uxnp7 z%;G!@=>y&HX&@K_2&yF8L8E{!TiLCUD^tO~6zk8Ozr_LWxuAK1ng#h$q+}B}2>cB5 zhR`)bh)>gw8D^*PXkf<`Qkk}Q`v~}lZg!eWgZRrq%yEomBX-YiL4pHab z@fa8$h3swK?QI~~1k%gP@rM?;XJ`K;J%9$5!OJeg&sH5zaNfzu&bIcE~i*=e;{eoGZXKP+kl{o2qA~eCL2* zBUcAQs3ozo4JhuF8y1*qi`k8%oo3{Yc6Vs7rE;SLVf_vqj2#8<5h4n`2{}FR$^rR8 z%qbwWLIS}xXD`^jv%<_-?8=+$$Q4~eCirbhisyWH5=DMi1h42hn5(ERlY>&L@Pj7rvo{@*~EZ5*_AiS0tb; z&kp~&6&8-Q7RCT2gwO2Dap-zL$(b6FOmQzD!|j3-HrEAB6UsLqLVBOPCCh#j@Skjb z!dyV?GEo;9s4WaJoTK1TjF`@@uzD*P%q>f3TK&3PbXp6$@$7m?5=tAX+K6| zpf<3#R#d<1G%9!{Bfo~LhZBJ>#hQb$g%hyMwBL-v)I0y- zkqDUXMMFX?c#wo7NrFZVt}wSmKMw``mo*E$2+qClHT&EsUv(Jm_nLlKoX0tXsT$%= z*ELLw_dKxQcyCs4a7m$gMFFA(f4bhVl-BHo8eCAH>8uhNR+<q}OYisu%RNNp$qeCtLDOWGvZKVeF)oB$Q#j!nG`Suo*Aa> zxb={!GxKp4G4{m;uw}nzb<;s!;n`~I&8(X1e*cUb2w;PXXXuVJl-i7;53(%f(P86K z^DC^Z>}{(8Yt%Ya#`}lQLid-tSmowA5-c`8WOR7ufaRYJ-H83bB=a%bSATisgY|uO zjZS`9GB!llm$swV?ffz2Zzz}U+yH-#Y-!F;OH)+SwiYn+dcwe!(sR>=heh@gz4GOC z+-80|KR-~31HbxAUls$k92rryI9~aH+Z1`gP1^T$E%vAZQT_R`NhMHPx%7{53d?J% zG~)MpajM|`P8E3%@_wg=^;D+@*kvr<9b9GuqB`$VIblv^`f^WzH}9db%X=dBW5Qcz zF89m*cH&yuy88gSnd%mj0l&`xCm@QO8-(QjVMq;8$I-zB9B5sz@8d(TTKPl=GS#nE z+*s^czO)nT&6da=4q4x$`KC#;E6Z5gWF>U8g)Bvqcg$K~kP%)98-V-r2z@8`B1?Kaa3#1 z5ui(fV_5Oa7RSNAZ~I1^0pV;<&Il>bLLlSqK#6UblL&=&q3BUI+%ymf zFj?b?w>#Fs{RJDj-m^0tVqqtSN2wvy?Wsi$`7+UBIq%}0 z6tN8*B8Z{&B+yf*3jkz!l>8sLfmFaz=fF%L%lW>>yOQpU*?I^cHPlm%$6JP#; z!6=SSA$Bi9EZ}i_nefST>}2g2EBz+))`C(i!VS0XcKRITht9CtmHY{PuDmw?b);lS z=??)42n&JGYI3VPV5QUY*tNZUXl8C8#b)f~CZOdR!9N$`#qKlU-?nVpfN|=2$?F+2 zEc?hrEr|H-pLG?ckPaGKO4pCPzZvTpx#D8d?z3LT(SPm@8d+jBSV@>u*FF#*d8C~3 zY5yQ+?r2mex9&X3Cqi^-mAc?U<`$ z5$YM3=nsqeiJwG1_tmN2i40gGN)|8;(H;4j)%HdOx@8q?4CIL^gE&Jyo?G9{;PJ@j zWoWb5P*7a*(IIbRy=Y6ken_-^RYL3XLyETV2(z1x1}kPUrEAj%^|0-Le|CB9JLtfC zWT85<_+Q81h^$TmItK6Dic}`bK}QWB;BE`NXXs$Ts(|y+em!z-`i(=FlMyxMs|{cC z7(lzSMiM^VJL5*xjgGJVzVI%>pNZH1U_byS&Bq&KA0Q&tAryoGc%#KjMNu6%;n3T& zOfk@Cy1-BQb+l|NTLEQWuB%!glI3*&K_-;}FMV&!Q7vi3AxRj^QhLd)`vAhYQ+~?#ut>Etl4n4l9 zHtn9^dglInq1`9S0t`JHU%y!QtrpKm9BPJSIKCcc0^UtTjTGPI0|tLx3-w*bbvchX zjg@(b%hp$!^YX&4+z-Y~yi=q1Ui?8W@5ZOxnX-ZRqU@SC{4H|F);NwA&;3@I5ziG? z{DeR?jSLw&+I{TrIuGyXCfj{1-ea_hH{#3*D(6f-yTW${!wur6b;@Rcb}10Q)vcvE zL}B9)0g<}}0!=cSN<{Sg+T}Ei3F*BPKwQKXAsW7P#q2#vxst}~{)D;j-05PWu*=rN zA!>&Gc<$=Yr|R{=O`x{MS%M-0bAK;WEpeu9$h0QAtK=&}%OyufKfRJaqvly7I?sIO z4nsd#N7@W@64hS|-Kjmr%c*#7(<%^S(V69{EETGpi^f>qtUw6VMki{aT2CbcClT@h zyO6IiBc`B7gy~naTByzk<*ma014eWz@4_*tVV|-U;Q&9KD`m~{RpMIM!KuNG0y<)u ziR9}+$pmK?wj><_s!qt8AN9|?#QpsvaE6kYwCg3a(kIzF_a+T%7r4k;%Rc|}Jypn(N{B*Sn603D zky@wGtL&9myhVgMn4MB*wJycL^iV|UY4i5JJn!-7-(tT5A&EcmZUr7z+-kmWz(?F% zFA3uPQ35A+jzmpLXmsw}>IvC8#S_lXC?;}i7Fd55>S`>ibFFRTYVxzXUg(H_%bcmK z0uOm>r<;0xU9BiIMc`4bJQ9Dnjhpy`zqZz(Re#=6(cm+X^K8nHw?$i|WQTs-+x8&y zd5J>u&XYB$%fUjuY4X6_$+C80^ZejZ0CJhlaFK>iq0Nb4o>KKa2{E1P}D6+`lBR(Cz6 zwNUr#wO&{AKEloOBoc^eOp;cdN+xZZnpu#1V`oy7jla|pd)V9x>bgloa<(&*mkA4^ zL%=1OMrJ%KohF=?r8h=QaL6s-VJY06r$0&exMx`_c__czu&x)c=S1gd-t{3e7j35N zp?B^|4&uEW=EV-b%iB$@R{f3|`E)%oy+7s}=ueEVtc?%S%BG@VLxibFX#X=iyUo>$ zS6|s?ujhbrWB!`>QiD*hi01be-SuMa5_8TV9h36i!b~p|mgkvUhs!HG|2!O|G2eg3 zt!Pu5X+gIAn)P~64}wFv)JA^WBuHw9d&PnWe#(d^q;&Pf{Zty%%Q#Hro*|SLEkJ2e;UkJ- zI(tVWe&0Y4;xqMI>uaBqL2$B?8&M0F2#uG|zNXk9vq|BGO-h5Z+xA7poeH#>u!0x2 zNNW@K1+3r6ys|9x;3F}B45;;rUU8HCvZS*BJ#>C1I^R6p2YOAbdhK>SmEDeFZv~U} z0zyFC)og;;Rr4)sz)}PiIG>y#cQc3*&*Y62g{RO@%QR=^V0oHlXN>Ti(iaRvxi|4- zL&oa7B2jNJb%X}|8QyINzghv`jH%Ld&24n@=557~-hOeK2p8o*{5D8&(zIyDyIU7_ zwd17$8z+rQ#fFGN``%E?WPc)_w&HB3zQDq!Yf5dp_xZ69v)a5k4XHnm%hF3jv+BjK zIf%)iaO`#t-9qslyoTqPUbsmfOb=iCX)8jEXNY=m4E?1!NqNupxEJ`cMK!E}t8=|~ zCDpO1he%Bq!`vA;mlx9lwKDVN6?}GCd+Pez*O;K z{driszq^y>7s)f(+pMsX{nif$lWcb__wB`@?n@eMtYHicZD0|#Vdn4F-F*7jWj9-` zIsAtNj-+D)mLj7vIsH~2xl)Up-&gfa!0)S(D?e7dEZN+6Dq?=0{X^_P_iq}l53+&2 zIlR2fPopdpmt(mst#84OJLzIE-A~xqH4-Y4v&>sQ`q^GcHdWo@Z{u(oCN_$85OB!} zwF+r(=FdoqtdWNTeET#w(MF^|ZK`eN=_h{m7%!j($FHYbhXrkAofY2OzLwd}-Btvu z^*ABnJy((F{WxJG((1HjKx2Gy3@`$<7VK`-h1cEyo1LM+E@uqhOnXhW)WY4~JNu>8 zp`Abxzhe(Y;KnT?b=1U~FbO(HuJ~1z$7m0CAt+bdR!il4DHkXA6;6PX54x!@1J^lJ@0=M|LA`0gfp46wZGu)9lLLyVhpN{W^e? zQNkSD8SYm$kS?T%(f8Jj+t?RdI204weaaU-u43SvLKFdIB@xNuCR&m+GBYVviKd6& z@|UbGgF+HcT>W{QoDf>5G;Z}(lYl}x)5iwzl;0sxR?uDvFGiF$!jB=EY)myP|r;*3ya;(#TK2kMSS=0+IEte zeo?CJ3Snhw*KKtE9*>DH5+{U>*y5kM6M~bXtg0$L>AN&^bSgGC^x1=CA)N}93|-31 zL=A>>2R%Ox$jyjffQ?Y=w`Yr~!PjQ9w001QXxCcC6O;KG)d*;ba_IcWqWg&A!9VM1 zK!S!t4{SIWrQwApuZ~Krc@GVuhI3B)wGCX&%Y^zH3fi_S&!q2gb2`lqv%68r)~L*0 zakENDA0x$Y@?vwEOG|X@x_;SoZT`)&a-gx#UKq~TB=xa4xYpSXhx**d+68&Ty?0o} z`Q0I3R3Sr$>D)c8BFH`Gr8KuEF{&a=;X!YSB#*nA>HPvr(b|t8>@R9`i`&K3V(h#~ zmp^yE)hxi(&ts1ZD?}1;QR$y_iQG@%@^qu{+Cm<7NGE5_cW-5gf=z3T3|Z^c*~)Q* zlSg0D9m<6@vTs8$yYYid2z8}NxbpWq9H%t>aTNG+=TG0hWev*R#9xOTt3oD?Pm5pM zDfvCZSwsY(mEUy4rgL!zsc=m$w0Lt$ekjo^!E9a!%U#$xC&q?a^r}db(LwRQ`P6?&`1TL$k_H)SpX^ z=)x!FuaqX|^jD6iLndPEdhH9uQvMdT@7Aq1srB$ls2&cmjUHo_14}o`l4Qi--a(jJ zSO9FKN0I@#!<{@gSe`J*wdaFHut`8ff11%p+{EvOg+q>c*I=FaZ|J&D)ZKY_`a9va z&K~rshb3C`4w|^UQ|WE)gUf}o9jSjiD`B;4Ci_TEw^tFlmv*09EC$C13?OH!oiC`* zE6*5UpDLA>sB|{*nCjsf$9w8cr5M_FnR^#sX4DH8ip&2&`kGN5>~1wL3%uAPZ=y?B zVOcie$moMI; z2Y~&Ue-^!fEa@*cp>ooa`9%|(6!tq_m*n*!M0X{PyEr?JpZ^M#yGg=NJ{KNby^lqr zaIPDha@JD6`4CcaCt2=24ny6b03-Kn?oCeb44|5?>HlUWKOkz*^rGJ)ctK&BYD(8X z=NyDL_9A=fLD*pm?>V+~4Lq=prEyRqcv_`Np-RMaEcUOjtT1`5h{8>=m{|^6*J;v7w64LWSPUkA^o#x7 zeO;Z7iG$1StL!u83DE?iD_m5GQZhm0M%P3r6R8_p84$vz&^nA`!j^_>{sM`SH;T=@ zH^yzu={TJIIBVHTC;P>Ib*Qn%erh6Bae|zmq&6c7pPLGTS7Unxr8*S{@5pc1!?h>i zMzbE=`1~pI===b^ZH2eLi1fR(^Fu+&(sEC?jRyS<7+im~Uv#a$Y!Jq)Ss|F@#l~*I zv%d|MP_UJlalU) z%PwsBX#YUd&M!aBjDof*>@EW90fU)kr{ z+XI5Eg`t99WtMf39~2?AO@bsRPZS5d$HtRmil1u-NQ=v_1_fDX?*k{c37>U2mhiQc zDbOt&+jBODifW80?v>vB?Q68H@KyE2WN_v2LUggU;+vR5&GKruc*Dl!YeA45AL}nL zmlWJL4@Dp=XD@i0v8?!%K~83R7+&~mmv)T(?n4YwM_PMw;bF7G{j{>^a>@mWy|@Vx zgD+~x+{K;_`i(?IQXON~BI|9oO{0(fvCThrqSNP0#0ZN0j3@)_KcK5FsqN(G^DMft5U+CHssEyM z`#7M05?3NO?5 zkkU_3nnz}u=vWIWUjAmQXWdYCi04uM`v@ereDJaGWPB^3B>CkO>&1spn@s95>>oUJ zw7o|D@D}MGuWY2qZ1M9i2^0t|t$u!fq#i5jei(MuJR&Zxafw&!z0OZd@_C_9sT5z! z$ilZ&vF-`tk1yg^0;$dQfDxd_8@|IF5e8X@>>PR_euo>+c!)nU3C&%*`q;MZV$D$A z{qTmUe|_7&XSfOz$&f{=$5I87aDX@4|OMZ?}|({kOnm(Oe0A@2q^r11FtS4uV2w`tr@cLl>i zqO0ueUiWv3D*a*5B7aWgN14Y$eg<#RY;R0z6aZ=r&7Hqn(zI=F-aPw=Qq%f9{c9FSjDI#*bZTCWFsJGE0 zm8;^-h@%||QTJ0>zQ3uR+eIP1t1d4V4ra+j`P34OAgPZqR2{SWdED=J`xvDh$QNx> zXqmjE{VYPb!;hm{&ZDr@ua^+d24NBa8*&Pwd|>uqhB$P`fOqy~Z^0hHW!W^JQp|y3 zayeH;Sn(WvX`UYmFAEKMg$1enJ*Lo%|9bpu%epb`xX{U{ytqla-ob}T;i9~0LqF!T zQPD)wV~dfeZ{bNd6tI5kbf!k>MM@6@Jq`Ah+4(ZeMyr$%mQa+OLVjke?N|Hs7YyjW zPnXlVLBM__nuMp2+`6fMvs-(I=jPrF^%@YLBOO!52#i<8K4&dJZlQHV1gf!;#LXqCJ4 zjLhx5B4{(LHsq?t7HbId0PMp!tC#e}yLlwDJSm#6CCaWZ6jH~_`-3~WM&mid6y!B?wbQmN1;1EmB z41IHYO3<^DPitMWdlJ|YVDogRQpL*jm?C4{&S;2+D z!$g|%fiFx2E{zr!8JM6rRJnIOxzaA#!<;VdXU%ef{IddA`=4hB*9>UiKfJ2KgO`#T zSij)hsXXGI`GF<*bvRG!(Xf7a(9o36rG&G4xlnu_UceYu|fbN*@@nWU< z{3-cBY*M*poJ2y_U5^4is}@cI?#^+0d`SUuI4LaW|Gw5qvbVoIJ0(5`-(v(PwrpV& zeOzw0IwYVg3rwXM2l4!~VmbbKeQ1~)JIdU02WR)W5-0=3O(0M1)y5qFnhdk9!RP;t z&$Fs+Ld$v{w`V&s`6Qt0#P|?gCr-QYyXx?YK3v+AA2p*}DgO7%1tK&K5>MVkHZUK( z?KilD-*nwFo?9wc`D$2Kmv~CDM%)p4<()h6J)kjejJpqI#nZ)L+C^xQx3&nGj^Du^ z-IQQC-@hOFzQoVMqIZ}R++}5Mg6Bl-OoXZpKkMc@LK&?^qX4h59%+K%3>33T=m!e{MGk8ztkIj z|9JCP%h{Ql2g~p4b!IldtA3+VV`$b-+yn-U%NHRRy2$z`shb8I5;zG?h*wK8= ziQQU8_ch#)TT|itw1&6}8&j6@le>{t%izMkHM;#3;QOld*?D|e+B-s@BlOhTR$X3R zvxb~DTxe}os0Beh!&jR_#i*M@)WEnnL!g~-6VwnAG`sbkbDOsaKFMI3)>p088iV7H z@B1?r1FvnYBJQqQo`>}i0_hgxP)ya`-kK89SO05*>W4K*QYM>(QYVAfcU)oF@9}ob z20*0#@SE;6ubFz#TYmrKPS*)((*rJViNZxK7PhGqB3D*%j~5c%+=Z3o%K)%#am6bZ z%-VxPe5(<6YDvyX8ZVS5I_dta~ zPz%JQWjl6rpysqy!vM8TS+YNd`dfq0@*7c}F(Z9Fbhil@vd4>_hzGw{B=LUlIP{)M zQ{8Wko6LBmnZ)*fvcjI$NGBcRU{eS=Ja4RF>lplc-~XvnWb++l&0d1WZjs=m3`fx; z0(;T2^6fYOi7~c#wz+(dXO>()fA6rdarDWzjrhN-ORK(gA4f9^MvcC^blp+0I|1Dq zU(~hlIpQk3+fbiYVvJ;>&2ZP>M6`9k1;bFVj1eKW(w^ z3CMQK{A&-7vA@gsbsHu)vq8Lk(pH$Mg(w%UDb|-kC5vXYY__~Hv0fr|T)CA7WS3X( zYRX>X&DB%!IMMJ|LO~GseKEV|k8dS3vLs!sTRcAL*l=w)C0^c>K2WPok2tCQjMIr> ztJ?3UM+Z*_^TFc|B0pU_XE?BUHz6$2jE0w!e;5aW19#%*sVi?eI`VAJIc3XVyrEEt z-6@^0ZfrkGLQN|Gakt)M&d?PNL8%a6$LwXf<^vb2156yMej!De08d3E+0wWl$P1nt zP?Cb7U+2t>?4udH&7haj7q=@5OZKCugBa0LLZQ~1+}oo_JDO~~y3IM$R=lLWwp2=F z?K$n3AX7#Dh=GW7M=@Z9rPP1C@WnUWleK(8n|coJl|6r`v35uN&0JMY&ZZ?;LF1D* zC+lxF*{1rKt(ZXM)IVezMeA+I;W#2w%8xq6OUT}Jdc?U!gNB?kUgCuD?3feNqk&x+ z+nNH!wghMkMobT5e*%|21v@w@MRT8RFZ2yFM3v0X37@!|0PwjzIpt#)0|~?C{X?Z% zH=YaQ6YkgMLzj#D$4n04t1uoA4;@}TqHzzmZ`2AmL?5vx#lx~pgMIBO-+0FUXV&GJ zVDCF`YIABZ?EET2?P?_VtDlQW#2q3Jf>K|nc??EF8<($q^@jeX$*kMdxoc)b_U|`lIGbwe9^r)ADbk40?VN-Rr{J6@8t*R-6Rvw|v-2h`aot{?}(@S?8PA z$fK4z-JYCJacPaYw8NQ)%QVC8l^*loHAzivmrI5r|HgvVXALv-B8;Uq42$o%qjqhp zJ`(Gu5qEF`b>&Og;;U!}UE*<($9sGg&H}#VXu8*In+%{Ith!J~K=sI5Eu434PLK+; z@$e)f=l7n!P+`$ksRv$LKU0uTgqn!rXvb!42I79H&H%$owYK&4X3YQ1&`Yi5B8USH1exS-EVe$2E0qPvp+|aTBQ|Ri9u73cf?gbj)ePUeBG)K6U{Hs!S@D6pH1y}Reb}Nb zZ}-%^3&*PErz7>Ynf4Zg?;d!VUXp?+Qua@cpKJeo1{nvVTR=@lfriB)L1Q6dTld+S zd-~*Tr1Y|<^cc>9N)~_3voJLMffj})hHE|5N?(nR;fSofUCQ!}tjYlODifM-_Tt3K zCx@eNLt*qx@ToFH|qdhfuQIa{&h3ZXgFpV|aBfIs6fhOR% zP*+9LGby6)PR)RI)iJz@Vwt-zx~sBw|C&oGEZ7+CvPZ$_HriO^_zd%|`1}B26ui_C zn|kbhr2V#X)Q^sD_8zRzImxa@o6|93eRn{Xl<^iU=4ol~3rw{T_~$D4!^-?1x;2CwP=esu59Q80Pn2wnZ0hXe zO1$l3{9Cj$EggAX5`3Q3r(lJ&iu1}h%&}<=N{P0$_{^6;V`sdkT^u`0yxjl1*6Plek@SXFoRyD9MOVe~?W5m} z?q-za`Q&-OrN-SgVkv%0s3iwnBJ1~`oY$?!uka)bJDfXVy*Z?Gk0;$n_|Z8D^tkI_ z?qLZtFTq$-)~k7+Of5CKqM`1pSg+*=)wuK0sOf!KVp+|aP$e=Aq7`bL+VAp2 zrgukoA?bph62BE_ujK$9NcLfqMkP9%r6h4QKZ&RHqJ|=?Bmad4Prb%7^$`}-GSLSe zKPPjjelO!X&$t6%G5wH{xFQ&ae=?o4JaYZ@&y+Ff={O*Ctu0;W7Q2)rIiQU+mUF&3 zp#3O@{Fl#-!f1}*8D_qW^k2JAUM5&o?xI7Bmd^p1W;23eM92vAUs(WEap{G@4|nZz zNkW#1YuD_HZAc1Fx<&<3Oh?jv5Pm`EdFYD)8xb8^50m=HB6NvQctvkyjtyNhIU9@8 z-_nr&;5rY|N4|AwfZc18w2kDpN{{1mtM~`c;1&Pxp}ZtC7phOJ~gdk4e(v2lS`UVVZA>RS|Ni z?t%yH94aqRGX}i_tua<_BNE7^dGTZZl8LoQY|S1MpLvkJv5L>hw&mWh2OR`bFKS-D zt0n-_{MJjt`_SBq;?a1QZsnT%mq@A=doYqtX?3c$t%;;9&l9V@mDoRj&RG#Q- zLDVYV5|3lUyw`9`yf{m{Jn1U>FI@v3tvafpVHrWc998o(<4^h|D%<=43HT-zFR!8s zt;6z^PeA#=)BDTk1F<;CkIrx zy>eya_Mk4Rp=N;I8=~)3HJ_{B@@%KdVk?h;6fMq1vmLwq$e2IJEONXhf404xfD-Ei&v_@wmM?U=-@IBYH~t#oOLCasCNs+IP39e+oPtww@-{jET19JTKjjAzvv&4w%Lo;ikFNHlP`5t6< znHh~#JlaC-mK*lJa214juGKI^NMGgk^Ic4u6EZtEJ+r17RLhlQo?d>hM&3dr;WsQ~ zUKdc}1yI}>Z5F*(uV6JqpkE9vpWMf-R%@$D1hVolV>QyekQWEBxs=>ui@t5vxe&F# zS!J8fi6{^S84VmJE08u6ZFT7%cf_n~#}js2BD)wYy- zzJU546F62EYZEktIXHEyJr zlknDqwr=ngAysWu@Hs^`a==aad<`}9@2|VbH>0&nTEhoO01$I|0@QZNoMMlWe zb%TbjUz>6iN)0MwcA)>$m(WbQ4sGZM9Y4xM7cgW zayV8cnWi<+!CnaEnD{>kADThQY)p5s~f zmzJF>J~FB3C>buO>Sb)aN+0fz#@WEb#sd#BKl$8k=&H+m%6ac6GP)SG%g%==I4#Ve zeX5`&Q0f(PA@Nix3CjHx_6jUW^B6d~$#FhtKF~q#OpUnV5vqkyTi{(3Q^;uq1CPGn zQBcMIvA9&Dcoh;Tw8K<nmp^Wsy!@I<;W+U%YhFY_ z@BxgVuK)`&p(?^01OC2Zu^=J7)G3iqErUL;jwTGcI@be`XKERp6Kfp0#{_k9l-d_> zIVYHk{mJsL`X0R)=aFH8T0xEj!d%!Z4J-LINWC#zw3 zIG#1u{CX{-N$fqY&rW%?cG8GXF{Kz(8!|U!&NtE!t3VOVcM^syC$u4bWE}~ase~C+ z(cKK^cb9}rX{r@{Y1B8|JfgZm3tOLwsTW^N_>Lf?@IZs!Jc}VE3d=i;Op{ z`i85#FHTp$s<=*NL%5N!gvVHe7NyL0xoxa`Q20zZJl#6ZT_h?q6Ic@@@$tn!DtTM+ zQ-0pxKA`lFLt744_Z9cvsZq{tY9VOJTNHYaDMvf)XkBR;-D1$yx80~LPW}T_JZIXL zIvF}IqJ_RMz3P=mC3qD!lPH#6%A&|gPnu2$3eI$Q9{^?SC4ON|OGR~CYh$MC8-U)0 z654&ON2w@ohkWfF>><^PPHHgn{Zf0TB%44Wl3!$NF2~pwd2o}9kX;*}>l;wtc9j*3 z9lioP%*1>b^$4rahWiEty)`_Pa5?|zv!wGiOv7a7N$RTIFT>R6$l!ctc541m@9zmq z%vH@B>eRd6vzV3LY^V|6&r z{<11F)M}GB3vn&+D=@fNw`o$PbOTW8VoB`d?$xX$-hg6+K)X8P?O_W!&^uE; zBInQ>;BbD!ICX~>9yk7dt8X$;y3Q3KSh?hb?q6<~;vCNiR+aZTS6yM4S)UkEWq=ai z7L7TbR7kgu_vN-!7TukSx3Z!An7UeKEUEGUBtr6`{qJ`GRa|9yW7>!y$MomHFU;?$ z*pgX) zDJ@(}K-AlDe(2=s<$+}85n)xic8MTc4}(80`iz;0JR(A!2#p$C$QmZx1tO6pWS zil!xiSoO2t$8&(wX9uHcwUE%gaNJ_Q8*oTK0QXNP37MCx+W4R+g6drSzKp@XK#Nso zx(CG*dQObnik$Q+W`h14mtYvut2yL=0&NEi2Qp;u_5`eUBNbAO?wus&DgM-1i3|uz z8In(Uaq@opiw0sd%TsnJy15Wqh^s?s;J;4ac?$0Q!73%!?3i~$hWH1F^7F*N$aMLQ z3pSdL1h7o)>j5fqQ1l7CV9=I1eeE|c9w>;um+j5nIrd$!yppppJxLBn;D*nj$u9m%n~*8iM0^Q6e` zB+4p!HlL&y{Q<|6o=v0@1tD23-rfLuA%p4f^aK=g07@Irbz}`y$0+`cXKMk|DXIOY zF;~!gEP(U#&pJ7rx)XOl3|pq+z!~TpRA(BK859iW=9HUh8>(Ht{8tF#pFvclfy33`(qc5Xj)#@iyFQi9Beu{*s1x`WLED? zcW|u>+xE$xs#a+bP-r&i)|HI*dPjJqKQFl(3-=L48m%?x)t}e|qWPwH zXkU~s)K4rOVfFKFIbmmex}L$7p?J$12vz!aKNs9ir&SV9&|@a^jg`o*G6IR zZa1Q>-8R47DN}i2VP3l~#WX2Nzg<8MuzQ2SW~c(D47auJ@2(ifJ#_tgY<73N+=}dG z-4jDdyxes&qJFV$9ir8}Nc=y`#S8;}FHjpbRF{mF?RuIV0;H$-@w2kUs-$vV5Ko zNVV1_sw?C)(=RO8^m$H%+8i2&xy&j%M9^%y#QnUaz*x{E{YD`m-m~{>=0(&4B{Ie< zPU8op?oS;3nw0jdaqvtY_rZ%T_pa)u7vWo&mDhm*;eh=A#oAj3MfrXY|AdH0DpE?P zND2x_Er^tqbeDj1*U})}0#ec~(x`NIsC4(zxx3`DEb!dx`}saK@9$@RfBfd2VbmF& zare5gG!C`LyzaGEdm@|u z!QNitrUbt__xAkBTh3^=V|BMe$F&RxDl%TkYZXlDBa<-?a+o2VvBb0fAqQ#^ z2+&@5uPJPuX|UhHf~Dlffis$mvB?vk#5bXTsgL6RXwkOMjuc&!8G&V-C?e-=>t!At zGLPnRSP9ea^jhe)wA+%FcBLjk9fJ)od*d-jPs^w|s!YRF; z<_mTCI zoBbW{%lT->;^@q!=G7I{xI+_$Z+o5%UEE~)!Puc+d_UN20|4}^)DH^?Ys?+4>;;%% z#{3K~Yld)5dBxk}Ss~xeuPb+;d&+-%-t{C(MUW~MW7FfclspQJ_z|w1{QsO8f1+Ck zhMxZ|LR&Pr1HJB7rqQ@RdiZ~eKhzBnsoG~>-sL6=-5 zGsA=bi1QN-+~niO2S_Bu69?oL4+&@g2AB3^zv!f+VZW&o^T#Q3(`yVjydQ>_jaSL8 z!^RQtG2mm6OXnLLrd~q-DE;-aw(><>&)(3nkDV@^mW?J&A-LT*RX7VcP%`bzE0c}} zC(}yAdRH=hhC2XeX|TIGVIU_OK$GfJ2^)N5p^h_XM-pUk5fK1ZvFut`F=Zh1?>ruKs^;+-+l}I826bRKs2MwH-lhF?87QD;wDBv?H62BFRYSM`7Pl?lMPs&h zJtVbgfvY?)wuw)2^t+u4r<#_uUZWju@!GR0ZjMIwZ`$kJ3xArIxr&Vrg{8M= zk!`;`HiPRy$Lfm?B76iB!qfE7s@mCa{)UeW_&MN{q-PfDZx_t^h5FCA3SP|zTe$3- zaZQe34e0dMsiqa^9ae`QP@7t;ecEHvpSI5!n2q;LGU$Kf<)Hcj)v&U3|VTP zWdVS8|L|mnc$#NFuB@hN-p)O6MBETrG_F*6S1W4M0JZMf-rPVUWI;>uK}5ZLbIEV* z_R(6muHg_#ZPt#aHC4tvCnSyq?{3JF>|xvY1FL!V5!Z6%&3j7r&5YsAN6mmDvCXyr z`96Ab_s9O2*Uvcj>k_@cr_t*i%VEBV6{r&!XgKz&DO0vLYc5QYJoLYyJY@Wm2=r5q zwl4&XeZDZSTJN5iKA4FEXSA4ISuEsLEL@9{j~W})x$cRMt9*vEn&~#$7zOFAoasu8uMvSHn0oT8kd$78u33>MSVCJ;_$a1_Vp84ruV~ zQrXV>DiLjG1Jwnsj;-EoP9h8YBKcTW2l00f9nTRA@k&F5F1MiHTFR`s-G~l4R41LA z#hQ70Mn#tNyH=*#M)_bjx$Y-%Tml@WI7<--SQOayKK&RK8+7yISJiKUU%z z(a^WmpCmMI=@6+ne6=3KkA$-H=cYs=|A3Q7NklJ@%pm}=yl$nm41>soz&|1C5WlV*1AZ>gwS86-{po{&6CWV99(fPX{;X@PEFgHVIc@l*U?R;tldH|&65n463AWsY8Zaf^uheDbRUgAS)_rp2u|a4G*8 z9wA=YlIw_AeU8f6QfSz1!434VJlq##-VYVey{5j8j~IE{Tm))+bp8zuLJ{Pgx%EVS zWdHbT$Pa!l#JI*Q9f`~M?fS@Y9LMA|6v8$fI>W+!d>J}6lH&tMndc#PDOhQxZ{0nO zKL^pRC5QR8Bv4$lSmot_yx$XFjJq-=aroH<)fexOq?{(CHs}RpdDw$C)!A{%EQ&ty z4dir8dkb`r=Nd#X8V$#u!d; zkzm{+M*NP(=!c?K1rv#o-&PQ>P;DZ zAQ1k?qIMtiQ)3|b^v*Bq@osulZGkF5?&HjnepB7Ei3N3}g%_sIuLqG*^eSSKj@46z zYD$5UrNb{x?4$nFoVEVZMwv-Cj~f9Hv@A(}4XxfvQLTJSN>t2PIuatpEW5a=QyjFD zT)&S22h!CPi;mU%ykX}fvIjaO_FM~NeRs`TM}|B60*B}I;8wsTfF0LT?S&+Qk}of< zAl(ytNceSMhw@WdpQfsnydDw0p9gAVGk8f)&kE(hz=`uvTTISKt8t-DrQ`XTvv^#j zn*VL@D*;yfy>A89g4P#`YF`xJ@em4ZT5Zl2ir3oAPRHT&DtTp_xfhErwy2mbR9e)A z9G*LTq2_F6;!OOK`TVOOTNcn!1!Sw|0okqCJ?k@$&FeJKfrTVVeQ0{n3eqnvac011 z>*(D0#ip1SnoS-o^J4+o^Xi)ttqp9&9~dR~>OUW@8$MX-D%J=3s)`q!79RSpg8=W~ z;i;5VTm7E1FeH38R99pBib=NczSKh6Muq$5rBWo$^ER$A-l{fj zU)enlE~Y>-iTW>Le2NZ_7bv;Cznz#ue95MOilH1QDm&RS1)d&4Y(19~Wg3r`HL zJqv1|7!jMx<F#bbJ*A zp6~sq9lvg&EFjqOEl3f$WM$*W+-y`$VK|@C@_lQ3lFW?8ii*UMMnq1e=zpf5>W993 zfcw1C(ayKVA(bl(erpQ9!`m#)YlQ#-y{$^JSI>`T@f|?8%UGKM%o3t>y{!3IHtX#U z@Asm0m;)J11)ru8Kch=s+s<#8Su#x364nL}MwFYRz+~AJHBj!p8>7UFY}}U&A{V_2 zSB>M$qAgvYe4H6BARlk<=YV}1x8uc4k4bf%0aAm~c$lCI1VSV2z9ow%lpT?2z}K7e zaYHoD#hR-aB2m0|9!nU?2FVY`lWkJP7Y!I#ovvgeOY20o)Z1 zRS^S^mk2X5gSkIV&1kqeCLU)2yD;I-mo$uz&qvdUeL0GTRV}Uo&0uPQxd*`>&v1W} z>6vUGF>Vr_8xzOX_xH5#7@F-SIk5fSprwTe_Q7-}M2=SXh)UUZl1Fk=1{wT0-W@)+ z%w5j?Zu#&_{`c&63?t384u0`B4d}4Ev4a~H1;qGKhB2MG10zSWAaQo?`WogB?^CT>J`6xsx(ATS2Z{Hoj46fI{I1j ztixuH^2(=uQiLN85KC>ryy}m@`$%brP`h(-0DNIsm?G8@iNQH52=Pn z9=%%x`becMk6W!5UiLRP64GZMqvIaXNeaZhSQ~m;lI$Rb4$Ka_=C!#RZ0oBdKd8@z zKgjGvcoSW=e80_h8*p#dpj`nZVO0KQCaeIcw%H@&Vt?8jN1T7xMAw_Oev4)BVPGV^ z^601~^%-zbV)Z=K$s1{k!caoRUl!ARRPr6(Z_fm7wH1;a%@RGoc00KAQN(DQtEp`r zP`)2aTuSp`5^+Z=V>~MBSD71jP)Ex5DTclH)z2$_apq}8_)tM~=Hjj0AG&c+QozVB zWpyba_+h+ceSUbp=@Uqk3NZa{`>=*x2rP&N66m~6{VXqDHoI>$=l>~l6b@{)z!$J> z)AWzFh`}4puq2SvirYEx#Dp8>glY}ji3+Tg9jk|rT(-rO4ogWS7&=bATCu{=XIS^! zY#3brfV?cTdh0ciX=A%9Ce^Gqz2Wx*{CedAJ%73XmBt@K$o)|Vn>$W$7M#-t>)}fe ze)0&}6q=|>S^KaX=Eqp@5T&0iRAmuHt2$;C?iqPJWxjtANxj-=5DYMZYF``*?vQp1 z73Eo%mayxfB9F~w2&6}uE!7-ez*?!Wdy*_o7*_o;7+-JT2s+j~4v>J%hVSuVb@jPa{sGl1i|y1)tD#ksqF3fi8(m?`oPi? zxECODRC)PM{YuzC=uz92Q9IYWwtntsEG5+1dQv6uaY|u94Fr0eMUIS(ENQGz-5!3#w-YN^C^wdM|<4er^VZ$3XMTgNg`Sk%eVD$Jml7T*Z66eSM+$dIdu z@#WQ^vcyZUvRJL~+Kl)B`|MLmfqi_xA z0h0q!)`7+9LeI@70&=f<+uD!Qs}6Eh{FHw_y!6s`2|1rV&!tslc{1A7%uYT_b5!5+q zbnFD?wxe45@v{q+r5=R3GC-$GA5gSx0>(az{kDK8G=5Zr6ZjOvD7zk$*1g`p9_UO{ z!R(Fo%T{;WYIL0U_zia;(xx84!%%K)Kp(*Cj;4SSt9>8B9y5OX?As@YZb&AHgKj3# zzAblPigWg&Cm>T`A%u54ew5s&q!&}(=>k8Zepf_by3TKHenbm>MWg@n;$Y~s`KLR# z{p&a?Lv7V8qZPx2bjNykiv!%1Z;|FJkK0&c%`n33zW_s}H_uaBeODZ7T^Fb=l08R; znKPlfn=qwjr9@oP@za@=B6r$JLi@(&p}@fLflyf8*7}A0(LMJU?u(tC;Y+Vi^{2Ki zN?1;#v`}`5P%=iXyYXJeTVIFW+s*FXRgXW#QQYwk5UiO=JD%)Ix3Puh)zF{y`&1JU z=;1Qo~gzRPLa+_Ewf)NV_ImkX^&~>S0-jSZJz$w+xBu4EP7?9nW}nK+O`|u z5KZ*@ii`Lr__(d&*=?ph5u$jyiXHmrvxfzd2*<5t zK62K?EcWcr#H&i9EMCusz4mSTxQym+hpMnBFLi3Pp`OmsTkx|0*qyc+ zJaM+NEh3*m*{S69V<}uDtKpG{GPwO%02@#nYGcXPXdxT?n78($P}#=e)+ySW8DN5@ zllbJm^XrLDo@HgPSUfRJTsl4uIjkggN+8?y@WLO(ju(wE{>hl7Sms&oAGfbSc!m+S_STXooLSCzM3(>v*di&~U6S2^6I9TbfWJQ#E z_+F=A%ROLe)p9O)XfUF?<9|RF4evQXN99M`||H(1$ z4hKaa6WH8ykv$c{h$4M4;ak*+4@|YfvdXuDln07o<=$*Te*<*-U-zVoa@l4mZ#55! zj|AMDTy3XWrq#}8ky;H@VoG7rr&QKe)h^xMTtGd=mIznx9W)2U+dh~ z9VBI`9%frn$bP=)d(egPM$WJa62*a>+V!ZFP@fmu{h5G)SWZP<+!OS|{)%@;w9uPk z?6Dk8Tj0nKIA$PQoXD1!@)Xr|#t%c+mJHU{6>ntb>8>--V8HgAt8ES2;J(RL_A@aF zQ9s;V##`e(Mm~lL;yXQcb}rtEMkO~Cv0f^lrS)&hEyc=K4#zuQV$qL{kXe>6ML*`| zYUVk>wLgv<1NGGb?d7blp6JBt=-j%7tskqbLxGJ=P-)+Yd^CJ2RocVm$86=8J9%0G zH}tNzm4^d>H4*}oTiHW8eOS3HXLV81hBLJIYyB;|Vuz7FH)USnR#bieYpOe;Pxy4e zOLtD)9lFA~#Zh2aL%~t-l34qT&gU$xPDt#0j%6du4d=n=17QQoSL5L&UQ21f?!ysx2H#4Jr)x)pfZb$BEPLk>g%@6G zwsSD@kgIS!Ijdacoa5jIHIi}w?+`Wge6)MZjn*Ec{D$QzMTOF=G zVprZDZ(<#N&4~RImn}5cgxvv-!m! zPYV4hQ7MS?X$RT|Yscqks7 zQo|+DX9oZkTFZ>@IRWNw=v+T+QD6|5)}Or1uYpF2L(r($U_vMWeJj^&+qg7uFthXF zJND9X7ocA@^*hFGUUUsiCGxg%K9q_sMg#{Z?7`ebJ<`rNMVLy&qWR)vx% zS+?5nx(@!2+rpX@+g+jp9L^4p!pfy8do5FSlICw=zclBZy4Yn0N}s*jYbAaP(p@E- zwB!$$37^0M&Y#ZgmztY=B!vIyb$o;v@0e{o)DFiy!U+!neTFTv(QvA{t%hqx838$> zVaSPWI~eIoY)N*FK0o7a6VpZ+Aq#>zh$3C%8_e@}x>9*-U30)KR%tw@V5Wet#we?| zVKVqa*}PQDJfW#$lr_^#%PiudsYaCV^k^$zpfDFBJ>zG{411e--<>)YMFWFUUv~0A z$5EbervkRiN8usEo~QUy2_w=5XuS^jSobdv*lBO!-lWdTr4s@GKjfX2^sOy=%fmwtk#^nVCKKQ-i5 zhs!#{hXGA!q7an&cWmGi%>)s_qE!n{@#F;qiK8#K-q44jZc8+w*LMV^@f1$ITBM$r zIg={dwu-~EV}$6UIA3p7@fuREdGcU)^OWyyzNy{K{R@VcNk;^5#hijRJj0d?ZVJ@RG)T1Pny}|EQB)IvxZkk6F z8C{>swG=z-?yU>IRim#DmIDE-{6(OEma~xXvUy6vV+CNZ&OPw|wgg1!PT%(c$C@`s zVHhAYYv3!U=jMECF8T*ICq#w*_6Dnw-oiWpO84fT<)Va%R-?d|4?*l_tw7CiuB}LX z5q*m2zD5z->~3T5&`j1E(w%IkmH#D*^8<|Fqea(|R&jD?w{#%)BRu7uM{${c?~tzn zzBrYrxr}ixbi}tG998;#)`z7W?|uF~X9=(lR~hTEmN?P?!x_e-eCAF~zojV*Cv!AT zp0vZCbnkcsL~y?2m5Ar*ZLKxP;ihOI@qGk%DzJc70S(a*k`MnNQ)>u^pwnxt_|6 z98_w1pES@L{XTX7Naki}fco=mXDY4>zQg1d@Z1ISa&u|_#!~0vwfN}&?I@*9 zHy3zT&2@5r`mlBH?eF?-@#oCZ(ZE@Zk6D(guIH-`y%tZr)rbXWJ|h9jHE^%@V;o?_ zV?&g_8!NPe$ax2^B2|3zL4AV{)?n}?30GKPW5Ujt*aUs!l(gJ_6ssR!u zzVF%4O(RTN2LN2Z;1E^f=w*PNa+HSW+|VI$SHSKeQ3(!OvF?EezKX00ueOK)*4iZi z!o7V2Z~_nC1|w*Z69A9+=)At&&l4a>+p`!)H{9swV!#0qBygP05jD~SGo%$GKmM2H zNI(pqs1)qETE@tf#^UnvUJa@sY^et6erdqo58`G)m;_tK zWo4?hz{&DLZH4Rkg}rp*EqNg`9$(kH>+7EM+Op|%J>}vzEu$^5!5nUdn(#bjsg7UCO^GY0@n$`Qx<7K_id z%wpMvq+0v^``I@nmvO~nC;T~=zl!igtsDq@Tz!)c)o;;Vh6%qj7B^VM#uuUngPY1$ z7{6nyU_%HATqGO-24tXUL`v+3pmeU)+x6{$n{A&`t%ZQy)aigoehym*`eOz@=s+C3 zW={;-*TY@YoV-PCXkgM&JhA}+iEc(;7B1>#XXJkf+7AXAexXR%BYmoW{@%a;tc)iY zBI>!4U|+Bt!YQ~jOP)!Jdgq5nL2P@cIpm`)FVo1B&!h8Dls%uOVuXXL&>Q%RncS{ppMaN&R!_ z(LTJgJI`Bk&ACGr?}o19H&(4f;>$NUj^D3R77>kLGwOrEkUp3^srcGc-)_V}7gGT3 z9i!bY4pC&c@yX|%-e8Jsx3vd3Z&mwed{KZn2@ktRqyhu(uh1b`_&DMMoqsmNV;vV; z0qyc`y=jFfJorYy8De*;9twOECgP>QK9V+4wE6AtOM-q;{_khiL>IX3Aeuh0YP9|f z)kK3e|LuvuiKA2Uac}f|!PW98^C5-DJ)?Vg`2KheM2-EV;@l788ZZwVDRLS@npG$b zPxJLEVX!IDHBvUwOA^{BTFTM^@_u4c&EeRCfro5{O6~?I$YoMIQrwF%oQ@@{dI!qX zhawS3wxMEwLBXQDWii_-bb*;m1|_;b8|1LbhMf34JtFvW?mHyQ= z@xKfdoKDmco)(SuOtc4|@H=UzR$s1lYEAi~I@z6rR#syW>-VL)48|j*8pF+^$_op4 zd?AZy^%9tZFF5?$#G5}3s6qA9B;EaAV&b(yF%2&x0re8KZWm-6RJhY2_=VB@M_?jv zx}pptf9Ttwop+x^F)D>n<{^tE9SLGB#A*s)@J_UHEyB#MX>px`T+oXt*hmxwSz@c| z+V_uHd(kl)N}`G4!b|ui`a)5ak4KWLVFvw;Ydj3<@*k2e9|^gT2~jC+ z?UKfMrd|HkGFg*qwX}jR+zrg5T%YIj_K<}g)90(`09q#M(adlbx-Ru>w3Z3(TJZfm zTxH(kA1xEdUoBHyF-}i&c>``D&|1pUjbWc^=%IT7r0E=zhSnNQXn5!n8f9@*EZDls zh@$rbK0JD{Se~sSOn94B^p@?vzKQ6!Q^x{G5cMt6$(R4aD$&5oe|wycIZf2dT=F;8 z6^PJ0src?vS5sEQ4USX~DN>xA(Q>669&KLL4TfEkY?C}lJb|b?B~@2GztGo# zw_sCUlbW3pe&iq#(9U|PL~V!~;{iwmqZD2I8)R&vn``0CkM{s#)LJyPf0K-QR%6X; zwOlizQOD^AIgCg>b-(G6ZFjoFZHhk73&1<_+I^c{*zVjIm-$TulH3B#1-4Q9rD3D< z+M{{fi8!~V3J3SHBQ)U26S$!C#Dz*WSWC17!yYOBk^)e`R!QXJ|N7zlrF^2V@d>%c zk23!5GylF{0Q*na-{_|~_wOi$#leLi`7nFR9x zjA-aIOb8C?k6YVi>boJ~qhNm#{N@9nLYpGLo}mf+s4;R~1q?r5Tl^&Ss5>N8A>bKZ zcHk1CAcrAzeVY|@+CP97|7(7=%V5m-eea) zfQkl4k0SBu(b6L=Ud687Zt70uP#9h+D_;+u)ObQr;X2#8>t-UWuK|TW{O66!Lbxkw ze>|*UAgX0UKO13~kj}@f1jbh|zPq;Jl3En2>2NXvbA){k`}46hrZ{$ znU`}9BUQ=yC0mchV9K7^@MXmh(rvt7dRai4^CD(22L?H$%XWGsc$|pqj5<~=sk-de zPYtCO9V89lV*9HeQd=(M8brD|GYO&u*&kRM8GH1o4~(Ku)~y>XJiC>RTVL+D3%0>y zo1us}=*}MzXv@vcymXKJF>tbw=R?uj0At+5*gtpv?W6nW&)x&Cwe8gZy+!}Ozgu0^ zU7f8lTOxFD!j_#dGOScd;h1Hje>ux^2S0Q*CWM$huqmYbNnV4zN_O=kZoS3{4sj?O zl9cXxE%J$kp?vKC2n1Lk*)y&RHxoycz^G1jmX_+%%~YP+r1l<#?Qg@I;>Stc7cAel zRW27D6(9YQ{F(Xabr=~DURif&QSMKUSgfLIgw5Phcf72DJqcWXAG5Fv9^Mnq*z7S# ztU^QE{sRRz7~|nw>uru$SFxZ(CKY?YCz1ON^DEE@wBF*V_fLd)#E;!LushX|a=?Tv!250zkg#xGRl=R2y|IKdO!SL7ZbbNm_ z>K}gZzlFn5PA8N9=@=UPUyh+d>i@5fp@iMHH{GPy=67y2hwCfVH9 z|6LK39UGbZ%1W~jbMz5!Xdgu|?o+lu+>UFc&@}D4GUIRj!LTxOL<*I1Bk-EGwEA9* zsmRc3c%+lc%5F@%yoKdcj|CJwB)^8h6?obss4wz1WPMK+x<^>>r;zZs6!$^dRlrRg z=<0pMY_ObqAeepRFUG%@$KTl#P+76wL)N34n&-s;bp^ETR3Y8;3P@!Z>Mw;K1Ivzv z<7M`Lx9qwd(A9>6m$}L9|4(-Ke=faMdcEBF2heYc?Z7tjyn)$)do~Ya2C=HHY5<)VJ+f7(lkfZA*vm?FghcyHU;DX3Kg?Ep@%?2&22L!%Zk9MKRqAr@2M z3>~Z3P>8WJuul8|;Bvp!6Z{#Y2cl&bXI2ysnc^!jHZZ@Jl=_)Nl*LMw$lsbo9ED&E z&j2^=i;g9M9gfMfSgaEId+?q}tBU?Du4KkAuP0<+5kSop*SxCN9`x%x4}no8do}(+0n>)Ar5V9;u9$GOI<)v@Nx|qi@yHPBt^Lva0-)DPT%`4j7B^r1PB#}p zFUFdaVm)9aQ$70S&40TXtTCiO>|X-=h_i61u zY=>e*MVV%VN0I75rsnZ$hf|lO?ZiJXTX-b>z#EM#Y4@_<4mMy7#`ru6ZlItw(d{C; z$6|Q@8Ry-NRPkRa>OcRB1#tK4<{QTi+;{!b2?=2Dfk=PRdjVNcSjdVP6(CKkSp={+mq435*_;58u|UPyA1tbEY2o zQ$X!y;DWkw@vAf7m3cWDM;9h1WS|C_p-E)7i^RfRh>u%VEDY`x!DNKEbLrQt5H6+p(!_Vdx)n1v*0;*qQE0i8)a2o*+~M}VVs3-ZM}~! zeTd}RUC;kgHi3v{H!MNSlj8xKVDt2fyG}W>dI;dJ3seQiGdtjvrA{{@2@t z){`%xRcJKQ?fqg$V}{_h&?S2Z*9@99*A-xAUL?!~gcS_02<+KjIK6j+DS=>m7{;}XCv9bB5byEg^?bB^Z0!(K-HYS&l&CUrj-LZIL=aWDf zy)~08rQguQR_E?@alVH#GUJ8iEMIwUm7;t;VE#6+sa>TX2Q*S@%N&&r`RH!iX4}d} zR>`GUVC3*fHQrmp^X78fQ?LP3{SR>8DA=yF{Rz;TO;jNMnyt`dOGcwAx2Gx>CN1to zH(fla*B2t~Cn8I`B{|E69&;A^thT=416c8Za;yn06jDj( zt6Ic3i66i8%35UXdwdV-AZ2|huyF{ zsm#B`(w)>0OKjy}ACT_&8!gE0@8lmWR8%aHiQ*R5A|y~6Auyj)`A-jvfhjh2NZ8GC>7fsZNVoPrI<=-wIQ?Rj-m7|N42 zB6iz#8{?=w=#6S5EiXR)HRu6jqciSjM}ZySbj40VHlPBNIi0DZg$=pBJy^n@taxQe zcT;lj-hi}u!(hj+bo_3=1_IB}wRh5G3M6_G)i`2|WKm@AYK$J-E$n)RBVG6&C!GrC zExtxkQEnjpy@-z#5}$?%?vbZXhDI^ojDT`}T{;|#TSBjot`Gc{FT`Ar_4nrnlTgPB z#|qiZBA2Xl2B|a=^^HW$A-#`xBwBi#cE$ItS4#qrCE+t|=RdpCEwf)4_`-Ylal~;N zV%2F89k|n(;()1%4sbqQWnncgi$&jF+}^CL0UP2>3>+XtNaC!x(Jw2qXg?k<#d;^A zdE7`r2I!~GUk{7L1s4Yq^@v!pj89Cw9Q_Z^I|=E{>QI-}$?j-wan;{kK*i|;~u7HYEH#q2g z%i@nZ=wkIX?`Z{VLYA>ky5f1@xCJZ{i~53mi2`eEq-z=DLP5((5|Pm$!Jfj?2H8eD zwiw(9E*#@>{`(+OY2`<6{2_1GSQQ~wOM`N00}lf*Tu==@uNMbmM4C_U_w$f3!}%K5 zEW>#C9X1H*dSyyzji7d{cOc(c!<#REWG+5aSL_7h~b;M<_wMd1;e9_4GNG*Kuf)r>H23b+RBI85c}#I z@C7VrpIrE+ zy|yxg*!+|8>vbvY5G8ghdfB@q_2#@#RhdN#K6-u!FUQNvf~V!lWx4eHOxVVc=-NW! zkJBS_6mOhQmdWplJM)S~7=-YUvA|EF32qKLe4j!UnH3?HD%2=3`F5dqka)V2rp?A( z^lNwfEG$?KtsUDdWl}En0q&c`46f#9#2E%Tg(-n!*$e@?w}nGkC_xDCE+zEMJ6uTC zy$T0zVA%@HnEuBv2FfbYGO)ANIoa{gV)x>;)m71)=>UjFz)HUyuHMeIT{R!=K%2}m zt6!}pG2Dv9`V<5ijhxGjunDImwNk5`pXTfwA0DgN6Y8+tpteCE-(GFs-qMPQ?5oNk z^h5U2>EKO^EctnS3N8t8tfbwtD(~A)WgMRkn#!j-1tz7i@8LW*P720PiObbsZ!sZc zB~;lQDD&K&_*8B@mAj--9O z?Rs+ad}IiE$1d1h;{8I*rdYZarX}PwyDRseb)>v9DrB4Doxuiq$zwJU>X8Dg$SXuk zJv?=0uRn&7NxNYHF!-_a<_f!rp;R-BOyT`14VmAx%ctTa6Y0ES77Jf`kz}_N;u*_P zR~C!49xUD_p9@d(Qa?gprzp1ao$I%s>4)1IDkRn`K!Gm&FyrefV;b?RxsgA2jDfF+ zy657h@ySam$@?RV_13$9%hblzr&d{-ei;q*T?5>U{Z4Zhse}QSsR6HifghJn)4G;~ zmN|asP5>?3bypCE_Ud(`uTlu;u4engq{4{^JsXD&Z5q(Zv&zup$r5pQ#P%&JhfZ5! z545_UgBr}yfT7toAm76o|3jGZ?S25wP5&)|uKPEzV%E?G(K!72$Y75nfK48pFp6Q3E2UDonk)pqVmpy5pURN^=A_?dGl(Ec+7 zn&;dNh@PODo-2#!kw(3X515Yu+}w6yKH7ZB&klUF*Hvq1A!7Kx@h!63({IM}_oD8k zqK|e zxXVJVzL3W=5%;xwrlId;*aTpdO&JC@!MR$kW@K*LrHp|fM?2yyz_aZni{c#LOmZI! z?n?@B7`$+;@>wc#pEq6k!82aJe|svu`4qWEP~zibpQUp(EawBKp8t=?!ieye0}8w(%5v2Ko$nq<2E0$)&a z^q!DxPIZoM%grPKWjgm!xtAv)C%?>xqhm|Ca^IWzs80g(lphrP>X3<=R&R~PG(lyB zB`0o#-FI-RImoIabshhu?CrM)m zf`Nw1(#{7sQaz{i9h3;B4^B!I#$D@@H&AiL$&*;Qiy*9w%7H`v5Gakx52_twh zq5@{V=}CVPf7zRW2vx|GXW|EHsj{r~A!e-hs6Kc!DY4CZ{Pq2umjO&pzfDADlM>8% zSudEs?9#AI94xjD3yE0No93e+EmEqgkJGyn6Ts0w$92e!)*c3!o5T@_!Y#4dS;T;U z*0eXFx>uNk{$|i|csNdvYO$q2KoO$i{ZQrDIkqd{>j8bk#+#tuHc>=7@i+_U<8L?g z_67=-%j=y%7rnaCtxhyY3;xed-b7nmZG0JkS-Yvi71wVVj~6SP|SSg5)e zxN8Ry-tK~~OS}^|gv$5NxB<27o+xp|1#n^u01v5W^P#4IfEt&JDS?4+_ap*0gr1B1 zeg7TsRWJwqp zkNxHM`VxLU`pDUhmUT6mi1D-mqG3n6o5S|&dXbj=99$5hvpXsKw2;Q%2xvmN(s&mK z8eBQIU-8In_duYFqp&cbuptB@nm66Gk(`ZmeVhI()*Pq5bOmqhN|U&FN6Q=Ng_|L| zy#(EEuLr(Hp=HIyK^3wH!=cc!v(jN%VT;=XA8Z_8nB_-;W z-@o3Q0cOSx4iDqcH+pjOm#0Wm+WtCuE5zSpl3lu@0 zZ)k9Jo}5&ii2ppgM$1lZgnQ5S+i&*!W34lV4v=q5ex6?qvj>$GqIC*uPQWa&Kkoiy zUCJkR`*(~pj-uPIMqX7KN8Wk{TzC@SZmpm)TBf1Lrhqkf_05LY8yKc zcH0}$XD6i`Iyvrs5Nw_sZxcH6d)tibR2u)}qESK?qpCxC;mCENrNRt%;OFzZfgp@? z0hE%1OOp5N^E|0=y=|Kuy^C{i#e9`Cy$gX-T%RnJ&|3N1dU^dax`~uL?bbcbZop1@ z>)?=4F@iY`1m5fA`-}SLG&ksEeZL`9F+(Ph`SpAyTH@@Lm5v-&Jz`0z*v(*9o3fkpOLz8hqWDakB;T~ zb~JaBRRgRGzn-OSxG~YXV@vX{_Li0w*l#N{n~g@aw5EbgUeI39XCzm8yc~A4kUU~` zq& zyG6S}(R#x3t_=JmHyi5?M1J{{SpEjG_V_DxCjrhI@=w$ktLbU9qT1{#_?aA4Q#8{N z0UK*U+Q->Wy?QHyknC_pho`ld&d~%O#74&t=>m?H)4O^rbT~rWlY5!qY@D~wdW{T6 zh@@$O81Py%EVn188gDy`=GHuFbPy{JNAbO0QtBNS1<~aP{ON@uDLm&-dEQ3JlZUQ# zueTfK~Pfp?c&Gh($G4*`>@{u+n)ZG zVy#iWCi-6Pkc~{L zzcPsrFsm*M>^~@JoDRx+P{CI$qk%@oFiqn#&2IED)4PjeX;y6gGkX&l$gt{}O2t>r$A=gbp?UxSe1YAgjl)`^B+EljjA|rO%ER=sz-Zek5>_O%hJI_LHsk`Gdk`ehLcH4FSK=KVY341?!dmlnT9Gb6W+1R)DRdRZ0G;%G7=m_zCb zxx;HeS@e++bnyw(_7f5AfH2!~x#kysLf!Bmx(i=qO4Jpwi^PRkHjj_*6yZIZ#0oyH z>;kVwt>yrOi=?c%A`S>x|6vZ9h&VJM*=bpogC7cp5Ou%d*2PmV*W|88^m54Ttt>R2g^}(5$`*A6y6%`v6SJLLy2_>R*u70);D0##K^RY2X2H{g zx%)m2%LzRCf6(-mQBihn+YH?xC@CQ*As{K8QlgY1(xG$=-Hnn`BJEI;(%s!1(hS`l zLk>0bU2{M0w^)lmEcgMOd!PGA+vAG!Y_u;-b=nqoupLTz1nS96p|iO_fBGI${bRJ##<8cX*>!s?OgeQYco1_(v&0WY1n5H|sK5{0u7?sz921{mib zOZT^0`75(o*P8pLdC-Fk9E?*a%ZCR;nLl13PFPIz5IUPjs6V2Mn3L*j#`Iv>09v%a zgriwXiaNBUO!=QhhzLLy@K;=?VvjKYG6v{mQb;HGOqwt*zc+O1VOQR~2UbtG?YM=s z<=0bx#29kGrYQfsdX;HbL%4y<6AMvZkN+4HbmuH}?fe>XUmdZm82yyGbwjL`*)Tzf z71_}GX#CaYCmsylh+>MsDm@NFfVebi>9N4+vi+}^%_Thj_D@_5ugDz!F}c0}???!; z-@tqfs&(?U!o>yh5oStSqYccp&Q^fj|l zIrPc}-kaH}2$qbA+Q{AZXfHI}b_wHdH=Gn3>uJT6+Bh@}OMMpSCvE>tewj*~XtCzhqWp@md zt&MlD=>lX4IHMPiOGJsGA%4A9$0r6D5bI0;8JRXFX@j89Dj}jY8pO7pevvDwAYZyI z&2@(8Z1t7bnc3B)i27D`^D2|132y z3NeF0D*nA8Gg7f|qauSMtS?;u+_jT48#sE1<#_DvTl=wHouPt)45BW7O9S6+G%a72 z(j<9uUu?2Ud6ug}_on_y>yY?+3>>izZMdL$6a)-^G9*cTbgzEcqsu;91D^$Be#~dAOY84h5-$u>sK5)A3aI5}SnltNAqgib6OdQEhY=)soc{TQdA!)Erm!Ak z~YsxA6#c_agNbk6UHE=enY0`diyp~l( z@=-r3msz~-Jd|#389%#qOa%fy%xL&BU4Ey@JatGrAq8#dyZn=%mLy62_syYKx*3gP z8)SsWPKf54y?}`|w*|Ve>03kb$#nTe13?Fb4a`kN&Mz~sIlaUJ`!3C~tDfb%!W1_& z;sW|x_aLnWw*zq2TM{ZYd(tHNXQ9D2rLla*J(Q`RLN8 zAlIbsL%r5Z4@#qi(BUdR3xY}0Ee~jbPjf~U{9U(Q_|ycA2eL2P{^22Hk~-9^bmJS;mZQadywzQa zM%cq!b1X0AEy6Od!aB5X2yH32H0C}RsX;C%=q+5)oeSy=b6_+jrs3}EK4M&|eQ+DJ zQvF7>>XS}r2aI^$#q`4XSXQKZNheX#aMZI*Cd0eyle0k>`_v9wt#2*T9Pz=Z02%9@>ru>vjIQ(P%u<&2s$I z*!Y!>Nb+}^0U9OM?ua{75%-M7#hK)oK6ZCi^lf>lgsnqZNDVa(N2JhSMHcDwOM1u$ z;D|aNq5&>LSq!uE$?58(Bv!4-PO3l2JhC0^SS#IQ7!XWM%6l?z_*(QSruTDOj?kv- zpAMe=D);w&Yw)!m%C@g*0~><9N=kYYUGc5mYO3q6W~jGc9&;gu^-Wp0I^z<2_%|r8 zKhq-y+jNd0l4ZdH5E4nTBgs#(zX?UpNr_;8c z_NpeLE8h=%FUMs_&y+ZemU?Umq{4AM$tD_N2v+kk^;`_~@Y3mjcoLz<`YYf#Rlx!@ z(%BmdR3$gQWyq=5SWA8P^%OEZ*(LIf3ElYBKbqmKC`+lvSr8 z66mIzm6S^QqV%fzg%8>@ioDeAZBy>qYh7`vupAXET$!_X7OJlnh@MhD6cdD;;k;ep8AocsNbl!YSf)f#M^)*Z@>0|Us!UD*K^={KAnt$k^a zV*c`gq|P4gEqaY~v!`P%Yb7-Xm2A*Ql9>{3yfJ;8Fq|An99KdC`Tc}yuggor(mCwK z{^YzU=R)75#yX(LN(Bln0FV3M#~>?a#Ey#bVqE)N+9TbtewV{h=>v_~AE?>iYxQQL zkWeV7vov}{tzF+6)UB7lWOJtvF0OS`Zm@G++=;%q+Lw@SmVa<<)tQa8vUsDhZ&;M! z+V?!%o!t4|()%W%8u~+5$@~ld1xp(}#$~`J@<~l{rKC9EGywLqcG;@;4+_F4&d;tl z-$YR%sXM=cfz7)@jnQI|dtYfFk-&JM2Q6C}j)4*|J9WQ)i)zfazaav6t2fgwF>ydm zQuBo!a+c&Hg_;SF<-L4U z6&L)KQc4KH1~Y2$c?6raIh70mAF@E+bDVMOas z>t@!}FO+LqoRFaWj?tTsqx7`uJiosF#rNgx3pVz5VdBk>T@fVm6y6@|qudDPFJvV2 zC$R&{izT)`_x%c+Ki4GAB5Kairq|@pO>1B;Bs}KHrP8|@sPFfutIeM6PH-|&)|HTx zruP~=E&VdZYk3+7{uzhgde_wEt(f1vgr0J60B}~&^H=x z2MWYJ^qgw4g4tN<4_RFqm;J2$9Tx$liv->t?tqH;qTtAdS4Y&L)`CzVM118h>olh6 zBzA2RQ{U@4X>mua;%%A<6lex6x31&p&U7Kf_W&Z{$|*?8T8L-%3`)~$7{yN-`vqH6 zr*9JNZxVGHD|bhtR+9h2ri|B`4lAO-|u zY0{w7B|?h-R)>=CGX1(a-%$R2$gNyV(Z~NLte1Bia+W67YdHJ8pb<=YeVK;B*5iUx zQclhR2*2a>_iS@sBTkrm9Aq))+olNm?(LP{_!0^;nP(r#Wr)Adfid_#UL~Q z8FT|k=b8lO#M?b-jkyCo4ywHc+uzbUeKa}*Lk%9CbhkNXESw$Y{%^L#{>&u;_4PHxSdW$HHr1^9 zC8@o&Q47%n=X?L_1DfP4;9&>Js(B#DCb{hb3}~Rg22CLWRH@sx8=Or%4|8>$n8^B&SV>Y!O5}}Ab{Fteg_Kv?K)V|Amz3;CUL!Zn=x;7xq!BA zFvoB)PZo<7^bfb_TuybQF613PL`*-J)ohNZd#>d|;@Im0mdm zM1vKElv~i34>2Rpsb?orRNfu@s>m2o6V&!fb#Mflj4i{=l{|vAmt`>^U7RAf~-0M0?3Vb?zHrKW69@Dtp`nHKBd$t6tB{R?U*l7 z=Bw!u{%y8;E+$8)@=N5ILpJS_B@fOatZiaDP2Myv2=Zyl?1o3s!7Lf;9Ryda1yCWL z%-}?%_QTgz-5WJZq_$U<0V&N4$H*|j{H}SlW%EEyLQkt5^-WtzE6s}Os9IXT{*)`g zFnD=?A1RpM{7QaUQ|5c*ICZ%&faEgynBNt-M_>f+JdLyv&lbHa?LEKLScsSkuhxs$ zPYH8=k{Tt7iqz{( zXx`ZqZWxH!wIWb5gvHwAW=ERs9$xv-1zUoApU|@tDPE_}=9=ws!O6U6DiSKnUG59} zUZ307CNEdY-E_TM2Ip9;^k-A~N_8%Xw##X(gaPz`Ze!$qOmou>9<^8vSaYcCXgbDs z6@%d~jyILw-&x|U@^Id2JKAK2Vb?y1&d7s~N?r_vS@kQ@7*1qaWYNz?Yi97s5og4Vo?glzb13ev4V~N6-qg4>^)+_bwfl>{)3>0S z3UAUy(yvZU?>qtGeQc22kL8DF&%%>0LFYk9k^M~H>0YQN|DDrA_CJzxU}(z;J#415 zso@U}_x4zT!-L`H6K4I#VM%F~^*3$Gi{oue1>0w$yv!>eQAi$(j}8>>n2}b z7a)l98QyrWyU|Bj1FITp@<6-G!r6&V|9~x#l=_x2UE>Roi&Yo@x0KP}TKPxVWcSY= zFN|@|&6twtm4Imm)9=b@-uI=qn zsYj~ye58sjJ}P|ZW0)>jZ?{P*!v)E^*k;{D9t~o4Btv`rSL)(eKZsfCS0`IdjAlIb z|5{D=OiSnXd+keVIrN{Pi`&V}7TCj1eDi13rneH3XyDDd9Xz3mgU#jXs zRCC9XKn7@XJDc0SWf{?+9(tt{-3|&^oblu%EqmCgcx7xg$u}Px_{1>JkF{jCr5H!U zwdjz)g4j~5%!n9w_Dup71yGqJkFRwFn1^)Rmr=^QwNSs^P&YIWJ;wBKe}D15O_DaH z4+Nh3#+I~~i~-nj>`fpT`kQLfiy&6&fa`{^o89?s!RHWUX+X{{iYMIHuD*=%{qMYg zPPBALGna@xb?3R!3m#w?s!0BJo7JJsU(^CI;;*gP>s5HVagKtb(`e_u{wCj|jIu&* zsv&Z|W%1R$R_lK_@kicfxYLglwOy(Ij=b(ORqcElr-%a*kqc5cRo;FHQs6VHXs1Z}FZu0wD7x8Fy63-IW*8=PX_r*;nI&g(HU`HUps zECoc7W2J_8WolzJMtEJ1N1MO(%*wm$j{gxw;0Vx>JK&EeHWYhewkt}tlN|i)@!k-^ zl-`vJc1jk)IYCx?)mvh8#Pbc_L$d@hUN$BUzq!t4c-S3eAu>Uui*fs6l)gRfekpXk zL4G1+#r?U&Vxoc2=grBPg}9ySXfJ^@biC4QChtq!RY3IpSjy~nicNX)v3DAD`vrHz zFt{dM<1Pj!1X|sfDsXdB9(;TE<(0cK*!L+0EHQyuWV^j)0L}6IZ8KWeyz%mx@;@Un z#pOZkBWS4oZJvFhYE!O%oV`^sQU#hL_)y}jGrzj<{Gn5g9b@f{_dnLUqj5mlFgw#Q zEKe&v!dkG?OJ?E)#PUkOW1v?>TrrZ<;sr%qeN%Z~2;VKsg)UeV0BOV*mdm(NGKvfD zAiP*D(IoES(NVeSsCM|vih_;WeqB?${|?r{mWlq4mR>g4#J`AJINBR>=8Mzd4Y1}?c2V2AuS%)dE>mRW{ido_VCBO=bd9= zYw!LYuIb53#h?K(jLSlE`okWvjJNQ+^seT8e+~@wyc%X%BCK_mw;5{7aKmtKI-DZO z>__QYUW=eeleC=6(3hsOS7u2DpU;0v5yLQ6mFHvB2rohx7@lpCgoQt7TIrcpTKj0U z0s7kOEPCbX61qg4U7m_mgEO$?nXhO{XEz6wg4EtHwY{!YFQ+wU)B~VAgNRBny7`s9 zkhLdwd2H`%wRv@?@;JveQu5?<>sX?t+6~MNdJGg0cHf4&^aQldwO{5O{LQZ)&MbWev_Q7?K8FC=IS(s-Th98&MOXj#617{ghm5+hR^X|V z|6wnqARG^&UH~46Dn~_ie=;0@-+9lr=b-=`mDlxkYgNKn`W8R{(!9r8u^j2|_dp?Ug@7EyF z1@SNvbmV0B#P)|O7&deRXudoee?GXuqJ&d}UQ-j*wnl=me&yWTc)(j9c& zfNh{dbs#2#9Y#cD*WA&al_~#b4ODgEKf!1)*kQ$u%k#pxWMADciG4lkoMFtk;9%HK6rd(4$3ScR zmhSfk;rx>MyuUXQ75mS{y!yceLmJna)@5Uc;+(1IBY_vM(7Fp9vT7Q1Nm~B~ind1D zvUkw8GC0NeQ7E2a^;_I$QuVj0b~rr4>m^9vRvlK*7$pC?Wyc(Xl6(pFN3zpW?dmN2 zIo?uD4t_I+y}$ZN*P(Y__v~ zC*QX1R5Q8Kj2pF#JpDT<4Z70(oh5Zt=ELM%+=_F)hmvNSXVvIfq^jhb*H~88UZPMMD>LKa{UGDba{Qxe!NF@2 z{TzDQ1?#elh=b^b!c_x5LF!q~TkPp3FdD4d0Kv^@f@^cp8wdrTS1Fr<#|x?sY6Ck} z>8^1hqKyl4k5B9bfI^(SiujZ2mM39NJ~h(fI9anhBqC+JddB`QVg zB*1g6QW5Lb{?B=pe3b3N*f-X6Ozj^Aa5FlapcSDKBtmX$XcMJ=hiL;RG<}PuI>R<} z-t{t0o;%0IZYT6^G1&sivl3VOZOQ3n*7O#Uw>zVo$A~)Ggq@JBhJgxqy^A?}!*so; z-g9HN=~WRA#b-QY>|+gE4Oy$uJSn_qIHr3oKd|M;#du{GB55y5xkR*m*%UxPwA@hqKf?2Oeoarun(tD*qZ z{Dy6o_SoV2BLZ!>GwMN&9~T_sx9np{05)z50AK)89sIx9xe$OEYt&Gk1P%{jO02dVuh#pgW^Uy zD*%w9xw7V$lS8Hmgw92R&!Eulk=Z*M5I>vSefj60KrE*PPw!BM07oab&>`# zjfjd)^b|A}S}N~rOiV2`Vdq&(x2(M1KWBqjHQB~PYBZn&m2l_Oc62{s-F9_;Nt200{L{m~ z$eB)W{PxVt(yPjX6H6U<8tgIJ9C3Oj+(+PnhI*qy(%f~(KeD@vlNQ&lU+3zh^b^H% z|0Q9S*50X6@MFdq;*-x>y~7&~=)+i>uGO4wvjP+WBhjaZn;d&W=BcyXHCFBK?GJuR zzOP5O6VpWt>BG8Qd1ZBqEXs9qI{McYN}}bz!G501wMRP?g*$B|ITVsJb7xt^eEu#1 zp@{!U@S~=P8OSj-@~USspgNIUE}9}>ak$7eLxjGn`bHyvdoR;Aq}XX7ar@`}mVfMh z0(r&8Ykobt8xm-qO>cGkSH$y1i;1mz`rFUD&wUU{byK}kxsm;6{yb-W&ivsVmw(Y- zZ3yraI28N6Z)HU`^}l57O!4Qm65180j=K7q=9TD^NPhDxNOUCyiI|Wo?fattc?>F` zY(*0JFtJ@=bKaVO-YKT5`sjB;LUZxt_6r7J$*v8b5X?nV`IEO^qT7kQ8o-JdwrLv* zInLgiiKY`z;fN)EPkekIJKx2gbv%jf=bWN7;f zMXo>X%7ivj1DccahC-VnVMK7E&5HU^K0}#nP&h`g54xE=*gKxR#TYOcnvVu{D~~7d zD>MRCjnVmACXGadSs1qchA-5rV?y>FCTkrgPs-7HEgF4qhKyQeEg*SOJR8%yqaL=4 zt*cfCkCt8gz^0tpD!s2aU)^FaRQ!Y;F!8+#Cob-&%RzM8FN;3$rB+D)gjW@765z4nXp(QQ9m z>WSgT?ETIk?~Q4vRhd5e$S0mZ+9)~4y9S+4&Qgu&;f(dqJf4x9|mWG#P+jUS6tK8E0Ba4%+a*O+og5h1=v z0y-METY_Bfhk`kbUK@}{ySrz==_l1EuUW*T)A3V(6n|uRIX1r~vXlI<`1O|Y>vG|o zL>;@DB;)qc5Ju1rtil)UN&kiHi_rL7?fuZBQ?URi(O_4G2#0fNj|t0F+2vRu9W`;% zYaesCcA^z5;){M`eB}dtaj`V=lPc&p5uz83<7Q-a4y_bxJ;6Y)3iw9Ct=riYBvlv= z=X-jdX#2ukw=Zr&>e94!LQQUpsr0Lzya`KV(_2#9XcBSCg61Kj%z#;g9tT{N#;p) z{!^QmfO^qc2zAsGL3551$VJT?Y3sUJKzwU;w&-)1IuyFwD&>*q^-6kTiPNq5snwJl zf`74|{w_C^qj>$Mw}pMk(|9+Ag4FT8N5sBEpfb52f&#bqNOMSN%r7g@!_2~^1n118 zvpDy&d(&lu_cSH2Tbyi!Tau6568LQhS_3kr1Kxo=K&FJOo4v6;m>0jRMA*}Uk3KP` zS7R^Qr0S{$lwPVlByDS2YBJL6Xx#3DcP$cpT+&MeT~VaZfu#-7bD@Xb_&W?;=cBgj z(-f{#bdQ?VXYHg96&CaGqSSu3>Qpzqn_iPB+lgngQmtY4IOSo9@EK5UybVrFB6-Jt z)nB@62F8t6nE%XYt=mL-Q++01#6}D|xTWH{Ik@K3Vpw6ck)Ux);1`WQf!~kCw*HCMhERI-8g32Jac2bl!bb#L7NRM6-tM(V3*p+u`s?z~f7Ffqu%6yd zS7D+WpLEP$;pSW-In+ui{RZT{*`_8!RB2Y=Dds~sHIHsn_s_6cV=QNK@|)U6|M&-S zG<`lY$<=b+8mr_9`s(&5C*6PA_lHaVf?&I|3RQ>@d1ZU$h@hi2YTFI4+q%fXDgZ*- zQX7RQWksI2;sAI952BPJAsfNyg(Yqv*X~|0gdhnLoMsS7u`m)OsbYIrfG6rcsDb0M zV&u28D(4k$g}A=A?8fcAxQrAjZ7Nxws9mQm6GJ;Gs2aMh8E(2efksb41**Z%u2o#? zt@P^m-0K0d;hmU@6e`Hi`UVthR^0BZyydc_BT^=2M>|B*X3tmp%;uj^JrSc})1T$V zJ@JnU)c!F$8d_EuLUh;Ft}b;Id(9Vhb{c^mH-f$kN84~uX>nLemyl#H$t;hd)*Mlo zqJjv>`zj+ORh(Fg%8D4mj`bh02j@EexbCa*FnDShNP-5`e0remg-gFF`_34r-C z*XL9Xc8OPce*5yx1fPloPTV^1#Y7~CGoYD*8B1s@F!x*b8RpNvW;f4o4c~gcjePAr zrn4gm8R}ZPn~rY5!Prid@au?(sxX&!zCZOw=y-N^jY_F4Mobb;_7X9C?Sr`6-KmlV z{bI`_WWF*jRjH2zB;}t1+~B{g@R>PIl@BE%Jnv6`r z^>OWAiXmo8t(v^Kcm13Gauj97@& z9;fVnzzKMU@%+mzGpTWq)D`T#==~qH+rv#okNXPCNy!-!$vAvG8}z?V4MrP&iT*v- z{$zRC=WLy#|IG7YMWr6AVg5gsPAQw5M#DY>dB1b=b_0b~c?||v+7#%M zt9OmZN^-^}Qgk@+*_cMNM(c_k9-()r-FK@^xlIP8S?KtZ3A*mfrG?F=?{3MxkBCA8 zOM8fLsYwDG>B7~$+?D*Eea=8ol06ywcZyAJ1}+pi$jdUHbG+rP@2*_QaI=_$9CGKa zDOth{n|&3OPn3)^2R<;eneAm+tR#m8r2zY9VTNGK((>zaBBIE?{e_bLMH(8n{I=5~APas{tp-~0z$9)91#)1isB1@j-C zH(Lr?1Cy1oASBZ~+VnTlx(^By6~O7IuQ_Pp^U|nQOK8dTkssl`tjO-&fR77vO96FtfYEggmJz8Xrffgzv_;+kMc*OX=}%JHxB zbN;Zhu-%B8`WC39mUoO^+DYgzyd0SLk~(VxSozL3d%%;9L?RKbGDmI` z;+H^|i5;M7GCV6EUMwM6?5)o)$sX!;8=9bQE07k?f2}Zklsx05v*^rZxNePfZ=fs6 z)dV^@UCe%a<$g zDD1?u!n3P>&=H4IN0P159g>kJ;*Ac-n0PjKN%MkE(L0^->91GwlDTT}ukdT}6^1bE zdm?G|KTEqSdz4UY^c)9X;v+cF#PUL=inSN#B|0(zzyuM=Dc(^GBa!lELnsGXF#pI@ z33>~cN(kkA!o+7{@y?R$-~lPt+ZVMYODv@pe-YE8Dq`Zl)*Y_(#is%&Okz#{nwHBx zs6sQ)mBh2$Gaz^9F<_?lJNd0JEW4YVxSJdHTy401LrJvZ8H^>Pvliy8cHg6GMv$Mi z)C|NcFFve!%a~QTu!$vDf7&8JIMfs=L9IVg)Q6&vQkD8$7LfoB!t-tHmjn@)hPN$) zV~cXdyV}_33Fk#^G~1PvGXL7|q~LoEN)4BurxjYS&Lo~lAF8u#S@)JYB@_|nXZYQ! z2M}C}NdQ3yA!mJNY;>3E6nmjgS%bHrU&4qb6_LblARaPYx@T<{ikB_ zX=_yuX8Qc`Jr`@&KpmZ9aaA!bh6PkSMFh2*%~`MUB!{|U|UU?DS{4}T1}5_Fd*T7I7`RwgC7aX zAppmz7NMDi*$Bfm?FzhC_QqMjXG@F5%ra4yDT@!NYH7plP;8_fy8 zVwpq&&EcPi$q->%JtXmIeJJH2YR8YJ{>t-l~(>p?qanm>-w=Zo?z_L0dYYYHN*8@hQPwM^FbfpsJswMX)z=kw?jS&LqRgn5D z83*o+gfE*aLeSX?u22C?veYqCqL~?L44zRo`X+1y&%02r!oj2rl>>T_!CGanqkf~! z6(Ammb}+}+ut=vJESrLsK5YZeJE2mFsU>^jpf#=JJHKiX*T@Rx3zUjq@_&srQ7FEv zx!_a6L0!pCSzZ<%Iw42ok4l zri3&2!uK1JWJ@lte0Z4MRc#sY4pk~GL3By3m@^<3{s8$1ZmLbcfe<@((a z-&4Lu4^Rt-Ej7(R0tC&g#@(!xxDyeRRlwuPy#O<+v$dr1JH_#L=pEwAEnEHsXky2W z0P9d@AUfL|@8^|o{kcr{YSO;+W(B_~yb^=2WfsElGtKM&McJxnsBNzfZa3`Tpp>|5 z5tY-1s{2%fcs5-qS;L=z=p7u%ZRnM^Sy!jJYDkgf7R~G*eXOQmk(Kjh2rbHS_@c1y zORM~v>?0GOm|;CQ3Hgsww;>B1T!z6XpI#@65IR%;MYF{Ak~K5=r;c_xEqT(1w1Uwh zX^m(t%HFkIyl?xo^W+qw$ChtJL}}=;=CJI!Lv))ZZ>riSj4QGKA%-Thi{gVwP5zb6 z{ew_F;84}n$!2yIMJyaCtdp0WZXl@;l)t{H7A`te%6_`qdGmc-2Sok^OOuf)VKo z2z8a|`-(LqA5IuHr`_q#j*^J@Walk)kv2E>X2;v8w2uQZNu<#I$*EM~!%4+|P{(JA z6r0MeKWJ7EkkPSL}A2mgS?wpDt+oG(Y434za< zoMVAvvgbDcE%aDyJO?HexhMYsW3YMvmTP)>YNxQtxzxh<;keoZ6y%|=)o|v}mpY}q zDmNs0OCIc3t{)}N2?^DSM}U3ammu=1m5TmaeVDgpemGw@sv(@&;}+bD%jG>9M>(hC zzY}l2@ZSC`NISfJ8+HE6^t@amQU5DdjhF7daN&u!Jf&gpM#IL=jFCuQ((%E#^WW;KWh?BHxb$ zqjJTc+5y=`pZzy*HgG=$xO{J{i;Q1G<>)jb3RgIAz{A_0f~!W&eZD9!{3kVc_m>+e z85jlPEDYJ;&k1xvxQ^GyUqYF0*DKt`Vdt!INXo%3)z8YuY-^=n!|A8P-II+q$Llid ztP5h^>#XGA84|EMr=Al!+;E9Ale37lLv@bt{_F8lZiw)V#T*XNaQ$XBuZDH-dRdU| z_x=G{tBUv4tj{&V`Kj^B96nG9t(lTlY^Z7fIHP|dkInCM4~5SMM-ZN{S-q?8Uk{b? z8HT?=Jf?Sd`jy_lnSR=%yVb*eY#PMvl>Aow*?su;yVrxx<~p49+OlnwQ|K^MYtpPz zo#qDC?Z0_$pjiIp0plr_={UeZzOnLQC(0)yRV#hK69VbFF^t6D14O-u%?KdG@e+zfAb;0@rVy|s)a^jOq zi_D)Dlw8}r1_-Ci7#?3Prd3>jk2gm_wu`l9zd13p_{tf`Gh;jaL>}23YOV|cZjMs4 zuS}vXBVgdANXBBTVjOv?K^^k|H!(gfdsT~xxvf@Kev|{9;Fb_}o>f1Wqawv?U$G)WxV z#uX--qFD8A%vzqS8q=WNVB;#Y%B>lg^fylTMyaHpHqStU=ono=J`2Ot9k79Zk9Q}?tZWS*S^6*6PO0dulmWWI%s$$4_Y56 z3zyj1gUC|+x|F4GpyYa~R)Bhpr2L;nbxh^14G;-)29(}DL?8GNz{^Eer_1~V7lJ2_o7}G; zN^8bR#+B{%^dEv%Ur~VoHx>O|#a|0?Lb#Tyq=a2@@;1UZUB18c zDu}jEe1m%I@9~z)k4Ei=x7h9`F1NbwGP84wsj37YpN+w%nTmYo*#wrgC%!$0mAwaoD}*A9qn0+TZ+BULH9T&`~*;><|&aey}fm_ElGzxL(MvDW$y#L0j?$ zF=UpG`}fJI<)akmO7_~4(0{X8JQ0fve4SMq*n72}bv}ySw>?zFf)X}okXR0fV|fK%+wFB9ap7|nm-I;&q#^lT^H+wS0X)yWLDoylUA zHC@^Z>u|G|q+^X1#4P2A6xcBzW4b9-9C{`sKTpkhu=gBDTH9yed^^u5snau$DBEue@wkJFdR0p&K(zmB{q)E{<1rn1* z@5T5uyvsfIaUGl}G-XYqqoyD~I@M+!)!d*uPsypxG#n5)qH#Wl9M-nJJADX}W+4uFHo#S+=Tc&Vk2>2sG zH^wqX^>vF!cLTnGSl5O`1@u6Kb6KcD$VEO+7@E23WhlU>vUwHyM3ctF)oWHbM|j zzE_<8^5;tB{kc&7cf~Z%`60tzD=p~bi^?dzU;Uba9;%JifddLU1bzEN#{K^}=E)t- z=%8p=7ofjRfQL#nKc6$YV-s$h_Q^wD1sf}=kK-nZYfSRxy{i7qho|*>^ystksbO&z z48NJd4zS=08Q>DQ2ZS=8AG&9jynMH zaxtb07gJN&qZ8AJ{ng?E=}xS9JlNC;mOrQt=m`og%mDP(^_=9Buq20#krP06*=^74 zY6q&Io-e@%O8I_qvu;rv&20uf^)cmKMCovEGO)s~|DE0YdK$;0Eg1ip^X)$BN|P#n zbV!C@8a}{v?{V7stcOmG?S9RqmrIznvR*z9KF~SDW$MW1!y7l#|IRCT;H$Z5kFxd` z_2m?Lz8(ntM-7yjd#?u~fKM)R4sTG&lM~mG#-r+qlSyYyiTu^DMiAWRZ4<+37q%Dv zEjxZj0_!p2v^#R0oW*DH1H2cpeDmx^opd>vfcv_e0g;&RF@~S+-5DI}|5E;7<*b6$ zuQ`mCad~7=uD{Gl_`_77$NB38;L~O0N@+fTmA73kZ%7$ppgMFyP+8*BU3OUvh&2Yu z^nxZAqSS7hWSnlX@T$qU<<|}$t=e;@W$Dj;di5kKWu-RqjCKRpIiTql=6Yzc$^7qQ zb=3;+d=eX`aK8UQp$@BN6&NO%L|=s#X{JS5z}$rbXi`w2Iym{xf37al^o8p2GrJQ0 zv`bjhssD(wov*jyo!;}4<`GHA!snEVXvh9HZFi%O*=(hDW^9_-AkJw2(q%~I) zH578O)`O09;>YqBninj&X9_Gp?P0X5D%6`a!nEGic!Fr7+47f!CxuqpQ}k&3= zL>*hE{|R%c+Mse8i_U=w(H@2S>VcUW0Ey-mWSr$dFYyD~V7sE~JA5wm-={{Oq5%(c zL4H=F&erY!>m@O%R1+v65&OC@eG}Uxq$R?L=G0`fp;}JCWghL(Id)y9QKQxC56a;^Vbu< zFK46OlV=r*#PeDlB%W(u@F^dgO=zc@I|fO8(QT`**$Yq8cl0I|374`{qIHjl56}&* zxs{wP-kV~qr-<{h5p5NQHfL~}lWU}p6`rhP?Nj5)m~<2snzH@ zY>nCDtQ*`6)$ceUU#}MOiRGnzblgs{n32~eH=&R*Q2hGr9RvS~OIXWs1mKrO9=unR znUw}U+8a^VkL&B&wtF4vgdbPB1D*xeAP1mo;-3Scockjy>f4OUxTp&+WWJFM%T*+QYprGSHV7K<*u6LtgGAPVZi)KilXV^#O>pPM+Il& zZ~ShI&($8$ZWyV;;1MesO9(;ZCMr{`NGn)Z+b+=V=yhfhXZ5ewd77?MA$KTm4t{F| z4}r^SH7V<6GIPx-?mbVQeEVZo?5+47%~G_dLn;P_SWjOQHx1t9WhQ~+V_krMtFD8b z$E-0rr@4A7p|oVW0cqr#@o^^#)S@j|9=7zm&qZ0ht-UK$B?#c%c--wNyFdo*zr)9} z?cu3{S`v^9VA6(wNyCiv1aMFuaiEmGq=E~B5=|P-U-%z=$>jDl+Iv6XGWzlLKiC3r zmvj)Cwy@2EWJO*SODwrO8V^d9-%4(b>T}IdRniX?oX)6s!}zoM|51v8p}o9yy2;u= zkN+mEJjvGy`fQcjq`=Hn_Bjtf<2fpIO!PCa8U|)mWMFm4`CmGd5--$j#fPXYbgHy< zk>hp8NzE1+p^TxmY`%S2wBO>VC)2M4WNJn27F_h1B_g1GwT6IZf9!YQ>tHJ-#2%?c#;U1NlJapH4%FNp2J^rgk_!O-p$pXa09 zF|%>*dF25f`AJfvTDDa$xmmy6hZ9m~Vg}@C=wAMoH-6k#u1kuk(7?x7lO3vAx*UOM z^jv=paQ3W*eG(x{uUGLifEVkh_Mi?&?1iS#LmlfFi%18zWRFhd0DQh4SYw`SjH1 zvxX_AGSkRuPgBIGYh=4aC;H*$r^qY+04y=%3{TTn;|0%AVatWrg_)0~|DaO)E(eFr zZfq%E)Dd-O%NjFASX%r)%Dy@(>W1BxQb2M*K|mN95fDX6S{%9rln?>w?vO@GhGsxY zx&)-Vd!)NNhHi$ChWi`e^WA&a`Of#pU9%R0F4qEQ=BfScXYV9CNntyyVVO@Hn|8Be zLc!&xXMjRqW;kYYM?lu#Ru`{njd-6^Ca=g~CLk8*O$n6b+jKW{Jgl+!%L*!u(iqkS z@6+Pj@xKCq7#aRf+mC9up{3jLWaz4gDB1hsoRkDMXN(#8&rc6?-Ewp=d@-b z`P6MG#C#>bOoH=OIV5PR^ZxG0(Bl6*e7eRARt$s`O#za@;E#KIgJo`2f7?V4ldl9# z413F**KM3ns+ltyeq&aUf2{1syQ6nVw94R*t;|0v&Al^i#$Ehnk&+xL5Mgh`BbtLJ zyl)qgSPE3d&l>N;Icy~_(fZdxv_T3MMdyF0H~p&8MeXkSXHdgZT&=n@PHa}R%ukyq z0lw-ez@5sCb025Pp;lQ(ktNx3Lp-Cv&Gk`lm2*9FqaIWW$>5Bfeak(HBL5$$W*iLl$TCk0yX1d=H!pWYqQT8iq>gaJNvLr>U2qp4z3nKkzou@e3H z;#r&@ep#LpPCtCLGNAaAg`e3=BoZEx69(38W5EYJePrvjM7)k-_>u5|PbdCDuFmLl0~6+f2^tZ-4Wy*k`5_co zxp}X`^k$#YE)+j>P}+==d!Df8Ha-m&@o>p@p|-Lh_L2X|aampwRf5?DG@aO4w36LG z34@7WTKrSda7VsIbEF(6ZM@$?sl}P#Ij}sfdtPO+^nI*_O$Qn5W)!6Qh+UkH^fr)? zn)2&m62$ghm&^-hY;;U=?HKoWBQvAJ|D_CU8}K)}f8lB-MVY6uh47Jicb<&IHC13p z)KrJGFKBC-i3~o{5mQBDQktj_lNRxAk2k!7)aQKgZsW+P6?~(WXhz*rW5y%WjcR`24UY}-h ziP7Xtq@k>%{Ipa%zP2@=hcxGYrZn=Jon3J5uyF`>+k8(v`624n0kbbksq#a0k7=^R zmep4sUJeE~*kF=JrPj?Q;5(q&te&QMe4tqHg!3{AH)$t}{P+?jVPWCEv^@?;QzoB< zR{f>&V0<<6aUo%#R{U{HjrOM2{A>Wwr({oN4?%l(t)|dUPfJ6gNa~;eL3KH(1eW)QolCn;c0`d$-b+|yX`W4BNEc%{I3Srf_C9A z`7vozM3W-3;_dFG)akg{2aeY@aF5XF%c0TK+mmIWqt&gnU_*<8aSQf4%Zr`18HSrY z0)FX#@gEN%n8;8$pU%+!$kDW9>0Epd(TUv3V_ru7;ka4r8}mmM9fLqT53^fHk{dg;e-Oab8(htKrh0rwxmB*&EZ)ivlbL)aqfFwSFbaDY`xBxW>D8tb|jn;uN z;Vux^#(&;6*u;KZob3d3x!IzoMxnrU+T-e0ta(7oHCJG8J&*TE{hjp;+38~rLA!FU zlT@~_`{7p1ZjkOFmY!q2PA+2@?LY2QLh9_ayA=*0?xkvTAoeKH(h|T(X_bzP*plRn z(k{#=#|h7i6^YkQqiM&f_<`m%g4_hLL3XQOxD}RKGes(TSA)yYM4a-HQ*^(ZNN{eF z{}%BcS9i4}#Dc3bDDfF1g}D(E>>ax_dS5ytW??e3wst=WjFGDT;K6^Gd7lvR>gFh*AF}6Ma~9 zNG&kTf{5WaUVY&ENls5HSEhJ3E9qqz`)%5G79f&Aq@Kzmw2bR;_cY9x`g{_or|}Y~ zOi=#G?bm;ol>TYavTss>pOVA-Y1>Gb7B?Ce8hE=I zahv-*vb&j7fn6vChc@LNCyNi1RK`z2Tm20>R^!c{O)*RHQ03@R5=r&GZ_(%vF5Szi zP7&uCpkWpS?DeX1kwNYBUPb86;(A3??X(AE6y-|~3hs%0Zk>*Y&BZmWGWkX4Mdmv@ z%om-F2moW{u0X>(Fu-6w4ZHtd(E7MS^WvLl&g(Z8>?R9WRWopfOJKf5E5H;V zq4|}1No=(8koHDurV^!`oZ^EYRcs^{ZL~I}11hi?IY7h8Zw6j1cQ#^`I}?rvU&Tcq z0h8})1BzXxjp+jHT0eZIUCO?EyaX>hvAF~W;nW#s34n!dWK?eUf2o0ckz8sK<4i0{ z6c$^@Xx5dFI^?>>laI(o)OI4m2);U3cDH;+TWO-mfo+Fa1LTPbRjUB4N2uCgJxpeO zM4e(vOQVhPOL+Zd1jX0$4Hy@9)kq*(MntDoV#O!|=-114sj%+f^#kg;KR8yD(VPrC zoCwd~-MnB{T<8=N`iiuCHvA1U+PvMe545jfG-oX&m2zqRO4fY@`OIqR=Ss?loy~?a z>Utv~Ll0?nj_%@7Yi$S96f%NU(Ul3?PD!9mRru#EaTy1| zDGcgkjP(fmS;5)XiI}{CSHn{iPO>6HM*D=h z0*q`@QA!|aTdSfm4A;N&I#Ol3b!+@j_hmj#XOio^Gh}+QU=gTEw}mic`wIk3`%sO4{M0ZW4X@ zGb_B4G8qb{LXJZo>ys3=b3}(Dz*1IpR9T~+*GL;Y;}JP6i|K5V`8!FY83SuR0W@L{ zPU-s9)qzh$bpu={`uj07aIl}3m)}3M*fOK^ zg3kU)%W*}H@Lmn+GV0D|-Vn7_Qn-vu0IoP!%x*$KVJ`;+b_yn3jdjVPENQ9<*z?!l$Xw!j+Qdh7>Em{p(u+wfaA%sU&9-B$GdG!rBn@OC-{EbnT8zf$y7ehS$;>)ua-^@>6=6qE(y)u!l)Un zPF)YKA2mieVKHMzD`DQ}vo7brJ+dV7dp8iA$>{4-7nxn{vp>V;cs+W-3$dwBgk)3^ z5l{AyNM57QGTq<;Kc?X&;O95_l*Z(HD?IzLBKMn?9m|g+6!CqfY-3^-Own}VWv7Ac z$u8G7AfPav<7Sm95Y&k$c=}SqELG@TDc}|kQaclp#Y3GH0 zGkry`_%BwvRDr76?6(3=1^1Azr#o34i^R%t8lnDn^a=N-lZL*kpGyIBn^Q+FF##l@$3_Mbc9Sqz=xdpr$l(^bS&zc4=WpcU}O1^Y^yCX?f zT@q<9f~7%WwdGZjzE)rru3G|7c8l+QY9S1%P^?oXB2P9v2ee4sZEv2~XJppBj+oh5 z`T7P!B%!m{>M!giM;SYw_h)AJkL)U-xH8UNFhTcetfumZt-4`XyguE{C--(i#~-D^4EY#kkq!7@}FpUN zv|8peVE%8Yy3P@9>3%gtDfah@Gvyegw?E!Na~ovH!Lu+)u8Ar2t7`kQY$(stD}0a zAlPR$K2I%v)$23#wW?qYoduz-lQI~?0$4~^a$CNT!Wn>G#be}#2sVI%6AoAHdfjd1 zICNXYTu8jHNxfb4@4r*`?Hd^k2LkqJ9cZ0bU#-x%AHKKaWaqgXk#HU%_g)sVYHE=3 zYFh(5Wo}mouVxs1t=_S*Bt(8rcsuv;i*>iD#RG=7-RwvlspIug!Wf#(xDAF-?rKf_$m9V*I|z5m?<4R(y0& zhm+aDcz*BETko$4UmqMb<4f1c4+I^}N>ad7psF8D zuh9G&sJdx*7t5<~_tU6^+|ypGNKB~--GF_Pu6X7aV^5$}UU)di>UehQeW2Ct&l$c8 z!kmuUFx#RkUSs=g7c|(ab$K$g4Zx(P2r(T!isR*~FamIi89Rc#41TRMKt32ifoAxX z?$zHp**vZ;h=(PJgFzxk?S2&}$Fw!m6EoH~IK11RiTEc?V+e7Xluffei7QDz~8z8NNv9AP+c}dy}w?3--QaWPOZFda>ME9JQR7!+&wa z2uzGejVxYVD(@2X5G>(cR%;J8G(||7DZ=1`;O4`TkS-*RtlK$@m)=x@VLGo@Lt8*w z#K!KC$qHik7Pp$#-%7gaxI1^A?K0T?tnm_Pz(l$)t##>iJa}s{??(sVvJVFQIifCxl z{!UYo4z-9{_XPw)GXA9IY8q=VhJg1gZ8`{Ayk!!+J z1qkkT9wgx8$y0%H^2F_p2%7S%4%Ve=et}q$A{=EPocal83Jq-NVo|?dmb?CKMkeZh zsD?`}a&&$#_v!87i_8f9LdGX<$3TeO(-iqtd=rZYL1#DpD)*8ipI<&YUyA1*r6)l*Ao;z$$6wZb z7#>7&xUe0(fY@Hw0W!f0{ zC>}RUCCsUoEH6uGDr22Jg(b_w7es;*69CO!L#9s%VjBMEF)~vR$zDMSMXu@o0L)A& z$@4=O@!g=e{4D}V2U6apCX@stOA~_IL&A07X(yE~Vhs`{3M#fw=twYozuN~#0)F1z8W$%~FB-KYg^dm8p{HB1%;+f}S zINQ_a^WT6N9KL;gn+4#vLERFO&_ZfDEqON#Y+Xve)@`DSNTKOpLpTd6Dm^h5l+}Wj zd!a$S3dKC&;qe5J-Szraq!;+5d3Gx+Gf^9J$2@Iv-igQA9!aGe8!ZCXRJlPOnZkW3 z9;7LL!xt}p4At?GvZs6^LUaw|~OEpJR9q8p?XO9$E@BGI9TrI`)o?Jr^7oPYG^ z=|bEQGS}y|umJjcC#CD_X}<*78aQhN&cHJ>IzA*<;|6Hpl^3VtxbRU!u>zKjtV|8Q zOz4+~0WKSWed(ML4$~*D9*zfwg=dko3*%T~^?pv8J@yUvIr?UYeG;)9XP3GYAeQG%g4+d8ky z02zDD56PwfMUeQ1Ch`BiEd1m<`f>dg9ut?-T^o}skW@P7w|^6 z@NyrA3^=5eWAaniq8vX0j|WA)&jEvTBz4Y@qs0Sf0kd5|5((HbJAKg(OZK>4 zgEZK1=G{uW-lhw^kmMK&r~U>N{OfxvP=5TDLun52FW*zEDflgsb zO(u!yF;hDU`-+UqHR*FNE6IS3h^)AguftEte-~G-gdEjm+C4#|E`H@0b}eDKeAr-p;|jPmkshD3!xv)1Vx3&Ns^?X#U zeBg09I-&+FjYyfWz1`W#ZDna(=$QYpGo6aix{l}Y-u+$MgCL5)`b6%b0xWf2D7bE< zp3m}kg@Rw1Jy4p1|5kji-{#r+E(rXaQ!hS!is5a;$N=Q!@5DnuUio{;`R_**BUL=I z%)B6J$%paq=+1CMI6%7x(;Uo!q6J?a8OCcpXwt|R{UXL~JOXa&qLtF4b5=qqy$MCP zvjhB0YqFPqKhg{WgY|y`ex`a1fr;m(QHR+%Itgb_zWlB9sA~W3k0%}kDC4JD zSy@qK8uiipRQDdkY33dsek_q~eT5|Y3Z+JpeoJ`q`{O)d3kvTSMA?Eib{1-wAn`~w zk>oZh{*QhtFw`!97M9YZM682Em%GTph}82g1dTUyF#f>^=yl=T;c^&$11_6zbWoZ? z5WW%@3@!tx<;K9tb7be3MD~>x+cuJ)Jp6Lq%`J%N43m#|q5N*afUH;+Mv68UzvzA) z6;Z?Fbqn<#VWU}1_C`EPJ#-Nc5>0DDymxJnt07^wM~2*eTzd`lQxbSrVn8M#lGUZ_ z0W!%OndI#Mlu5o%qB6&RyCGyiV=~hmSIM#2Oww8lV2}>xKXRy`mXP zx|vn`TKM>X#{Pf*Gqwiin)!?kXZMwqczL8(+ik6c%o2lNZ=85RW*fQ2Y>Bi5yR<=aP*ecWDA zds6RJT=F*XMWNPibRVNNsXDK4)dNd^m9InydaK|0bO>9x?ZFuw_is5{^nf? z8+aU13!EZ(>jwDBeF53h>wG~z-|i1`k$~AZI^%qD=;v9U|FTGcGJMi72;-T_IFP%`(aV^TBcDQ zp9srEjg&QL@UoS0P~^(;9Jqdb{CILe@ZibMAHl`+!QJn)4ld>MuJCp6sV7H%9FUO| zHyp{@^9%|dJN9N@*#?ymOrwCy8cN817-DP zMltUt>o1zR3K?$j`qO&K{B_#9AH|+45kyr#lMgZ@MCzi1GqmeMzLFyALcS>5D8ku- z-+MNmEx2miO~&dHVVFwV}%5;dXxUH{gEHVmUW6{Fjh`jeVOry-GdQ zMV`8@r_(F`Z=XDKCR)Xmu9Lqk;3itvnNfC>cG6JMt~iMUAG7?!8H?fotEy>c*n2^} z^5n4p`FWVNX%;>!PaeFzIa~C$uP?T2-WRSbTj`!dMk|TPoDoX623qo7?Uv_&IS(W%m2f%uYf3jaw>FWh-B&?`k5I1IBd_MUN99Qsg^+MB0i=|b-t{?h zIb3ib2WZUWxe0V)pZ*uh`26a=PREBhc1s41-7ybmw~fgg?Q__ ztp{3E<~xn5gG&MElxXp*ec!-5`}1~__At&cgv;}32vGn{1LLk-aHe zhnkM8=H>LkyD_Ww7!D1bMANV+dAC9cF2bf6X&dYA{-p(=skJ$xbZdlZG%Y5zmle6l zO%n!t?}YWrtspqQh3JlzD@FREecsURp4z_HbQhJrpcE=C0 zu}%5Rf^a%$0IWK%m1>Y3RPDfq1rrwZlY47St|eW(<;Tc?ZqB;HM)H@RUC^nkUfo*~ z7f`r-9;Bge^7Okb$@Z9lbchMsoxBXB0r)U{*Ctfm=20UHth)sC7ew1JiG+q;H~{{k z%;J;4Pa1EO;$s%-;)-0945J)(d{4ajXUZS~ZENy&5wA4Hna`yaQ7k>6(A4#r-ci=~#QBNl^P-mb}C@KgV% zyunX5Bn6*+K5&uka?M7Azz>2LDX-bS!1@u25A<`0n*9WSViLy2>=t`!rivP;Hxddw5dA3VhvmAdU_5 zKK&rtvpQVN&h>FxOjnAa<0tn^vF+7BF7aP77{24GI!m~W*;5!VPKMGgt>F6YIhJ|J zy#8*|&L?pkj*L@d;iX?8^e&N@hmXv`CX61Vo%95+#Cx)qRr!em@Z4sH*O~etd zD%3 zgwmm1Sog)hG#fJlUM(Z)vBsiVi@y54HuYk9gOvO*^2v&qZD8rJ2hJqw9Whh56Nwp3+byi+&y>wY07XhxtxT4{8IL%N5X6##Q-9Fpt}<=c zNv#SO-eLgIvnux8@I$;__@5H4hgkQ2m zERhOdcZ*grRiy|_OGz1I>D-QmD@{v8y!EuyxzTqhd*gkxcMj@z~ z{}-ElZ1?Aoc0y^RO57(3DO}?9GhL(M?^w8~NY$xC9HZ!dYTlK`LqzTg#B2vP;aF)3 zUw6@5Zql8sFOc7ZqybK?R| zKut7U*J9eeZ;w+e0$7~bifZ)Zfzi0T>R}bW!KY9IfQVzWNm9G2KPB?isd19gL={ z{rcrUvo=b>0J+T*&4dkNyL`_^Emp^E%U_`?h08!cQ7EI#vSL`$XK!S``R?`*$kYLY zz;A{df&vzo%Tw1fX?5dAf!^iEz?v`K^T)AT*0m*LDstIzUH&h0j1!D7HeAx~c|6_$ zTF8eB9>@LMq8+^g%rgX!4FfpV;;F2b4ww9hz6H{_J?)S2f|ThsxgO0f-txk&=0;0;QsRyBf=N#L8_GCdUOn!2gv~2xvRDp7e{}U2h2$HeGJl?xc}U$~fa2 z^%_m0|LGlw7Wv#mX+ls^xCA7uxGttoY$yiF>=jLoeZPGC3%Zk&ldK&-i+hL%;$u%U zq@2X3o=3S)@XlJ2(l!ta2Nx#Q>Sz{!GC(zHMfqhGyo1uy4l2J*awcd}!E<*tKQ+lM zV{pw($8weRfEzK_QMpt;qvF!KLF~E2i$2e5WGCjG$)RRh2c?BS-+~K6VP3|h%f3Ie zs?qdSHuX1=V;LuXU7Hg=U z$4$-eN$)X!YQM)fM}M4qCrheF)IQssuFJ$~ZMf^q2G4A> zX^N{o0j(xIjZ<;+t=rPvA-lBUGOz_;OvVHuH6psM4w_R_K!n04L+>Y2h3IL9_aAB> z{K_x-;op$c@nL^uLR)M^pBs5>LjMg|j_MpWjjD^kju9-I~SS#VgzzrH*ZzTy-<^ z8Ui0zzPy?DHhaIL!|0fjp772@Mq(kA#UgGWS!i|cuo@S zBLC0JBidL%iq>ujaig*Z&_M62S+m(96j3*5$nk9c%bDMUjA0<_#_6P-SwQdU6pePs ztrZ;Vp8~TTQ3ywsMrKgl5sEiXwWgMUa=J$qYBRP{0=~HyAX$`zT>!Q7RQiW%$lS{B zKLDe4vE-oXidhAl`jEg3OGQSFc97b>i*8H8wo1XMBaGk>VRQzlhLiH}j3{SHX1~tQ zn3ij)UT|Y;%-Z7Pr#>E z!Tk*cEs*`?K489W#1DXYs-hFaHFhh^rLAhYK!!7Mdu>BSw_n=-#KC0#t#1j}c(0KE>TE(b;=C&v9HOmK2XZ^i5mREp) z$HVg{-J}@~djJhGn)^d-$F>mImhj?Jf4GCsJu+$kEfjlG4-N$__plWw85UqFE3bJa zQ0M#;$h!hHYq44wXZmago#6_z!wzBV^Ubw3slY1{G-Q0mI=DeKC>NzTm)R?F(9Oqs z##yAj3e*TZAcqYyPV!lKF!M1)jVvh6fRLL2hg|BL;C>B5LLD#%VPqMCkhFOY$)DV| zvbQL=>bjaC})R8zZajr>TjQ@)Yb&$lS_#I^-JNNCo) zPhwJ#cU#0yz4pM&Lz7+yW^$-@{HMwT_$0?ggiH$j?*kLil)Z?=X}Jp$jS7UGsR%8E zV1J@_k$ys7llLT_L@LD1MZ!D~VtD-h^(Koitjp~%W@s%ftn4JWz4=lrag(+z#Cv-) zLb|&8B#+=iDoz9;+nsVfs&w1k8*!K>@2xV;nB80=HW}>kF6Xu^hj(Z34@Xj`tM)Lw zfI}e)J!;Yr$>e!dftj?;{iX*)n-&*q`mMUtW=3Eand??=3U6ifh?Lh*I(uT)k(E`Z z6jc>y_p@KwZl~pl4~Nh5D3jjHQI{bm&b!U7X3L@2s-Izy2DT(9`S4~LKd89(E4d@z zryv*Kz+8vO4JeJXyDpp;=OyHl)-A*zN2_5opygg3-Vqh&RM7d`F+uui5YQs*qO^s! zB_X9DoJ|_cDi7JZOd)j2{!Bdjct@mVz*wKtC2dhuYs|lu6`d88NTNqX|HvNTY5c6U z^_~TU{8h$8wu7)F#)vYyh_^zYa^k?NjX}c@ID>vKii}=DtMrh*$cTOg)QG2&%y_^= ztDFZE^Ja+GD$^BfP7(<%wedZ7H*_M{w=Ow_mOoERuc7plBq=K}w(?R@{r-a_8=duIUqHTF z4&KgsP8<+u>JuprwGFWKs#T6xBTzo|565vWkwJ|X#f`jtJxP}_bXP+; zJpyT9P+-$>@j~ zUq*YS#x>aGO#o;?5|n^b7u6~b&v$Dc6Z*dWD%H^*gq->qgVXkjXs*7dnDmCcz?GLy zg?_`Txbe?O$w*^mPk9{vd)Eb3T@^X_N+()@soPV}jz6l2uafOZL z1eqQENKZ5Pra(KT-i2_AOGJlYFl=BiRk^`_YaZkhik%@acyLV{fD@mD zZFsUd>;u-Th|1V$+<)aV4%A;008mVA)#{&}JwjoOBF}Yp{tfu}7aGzc#sJ`K5uCRo zP;3uI*i4rLErK4Va+csy!n1c55_lp5%5KbFXgXPme9mi#N3{yN@F&e~u!^I;e!HKk zumWV|mx)JNC(4bEg`zWz6{Fw0FI1@9wxx7#a}9(}V!+ey!Pz4*)Y+vLJg`jjM$x?h zYHIx82Ij1?`)rL$?q}HFyfBEhkG@LWyhkpjvO^jc*o@2P-E?CR;?T7a? z5}430Y!2V(HUJ2hYgm^Q%J)D6(774KSoQ*-F83_*J7NafIxKpcDm6Jnx{*#FY?>)rQ=|%22H22Z zCxdH42uKFJ88^u;h#);6ysdMO>?7jFi5VED zay^%Rnm&g(tYmW?`^&$nV8hkgKSEG&VQ+x0r`8F5k~(V1E`CPCsV+DZ#XbC7?xDAm z?3KL5qLN@^yiA_g2l_CV3w)8tM&cLWT5x3uc1sMZ|CB?7qzNG>FpYX_YR7lIxe-QP zB4x!Dn*w5~P@|8%Nm>)h^HK4~GJ=L6Dp2vWDoO^k;hmX3rLOdP;-;1o@N&*Sns|Ky zS2*HSlPnqxQ{{&0a^IdgBr_UNU#dD%k0r3clXR~UV0f2%TkHpcU{8aS3VOsa5J2#6Dgp|mOz9i*g*-55CXp?UqgmWXZ?Qt>dn`0s(%d% zSP=D9&pXdTLf6Y9clx~UzkDvTbIy*@tERF_nc2*Qc;qRP24+<3O6t-Jq@IW{C0b5~ zT6cY>Lwsn|{V5YKdfCU4{0Sl?s7C*)EW7SeM&%I$@ILit^$FLJ4gvs1XS_zIkox8; zGVmu=`Vc;ufaTAcLUlrxXp- z*Nsi07>e+nh`_l21a7y09<$@X&vIuwOXWkQ4nmT3QXaPZar(DtktpNr!?u5Os89&k zNI%QO+X&`54Gzw6J{g8}1#V|c{o*}|VHx)!xNLP*srMKGFFb<3vCH5lx~O&@R!?|X zkK;-R5&5nnC3+F}+;cb`Xn`{1>rY8T#vz!$ChDu>D${Yz(kR*Uq%D8oJ8f#Fv%AYj z%8V*4;b2X7{fQGDAB||Z))FigsO$!_240RxU2aEsd-RIt!DrG_M4;DNB-GBJnbnAg zRAsDp^f$QJDvl!H2pCfRZpC1G#0b>{8@1roQ58Xi=<^Rp`mHq|;D(SRpNG`=f|mcNg0;JA2{UV#fvw4KhtlP1khuYVjbaQypGIeqOz(` zHmDcZDLKlB>2jW#iP=L!(Ii(NK|LBgDlq62u|%OBuAGV-AWpg6(kjb^CM-q)3eI&` z%@A+;GQ(<(3Qw!1r|7*=LWcp~Y)Nk&p`kop*E!Xma$=<$nx1rsuXrOeh_Kx+TudYk zvz7$|C4lk1kujqgbNH?U0V_3ZEb(fU1M&`1(N-i%@p_2>geo&9!cmIG{h z1d;-Nqp?bUVVpRR0wMZ<@s_~1X68q>#3cL8UPG@=;)FL_s?$UY69p-*%Btl~y=hYy z&o>SbvPTF!q?GD8JxDo2i+=1X3m*r{*Us3D$}ux4bdm*28n%8WipLttc?z;RMC`+l zQ*JD+PW=L%SF9&>{Gn3ZBA~6)X&4g%dC^Klu8}EJ58$-c-A**1h;Kk1W%ukD;$#!r zKw?H(j%^g^RQJR}<8GAE4N8VLX66?|ip~TEmz?(9DZ!Ipl1&b+lM~bTI{{$w2LJN> zKMjVTWhK%$=@&xmydZEtDJ=D%x32te>4)5ksYyCxKWjDI`{#`OW9D zrN5Lp6Q_Ku4flq>aa_`69VsO^pCIMDvp0v7sw}bX zx2Aei}3)(_~mOu6gUl-J1cV^+B=qIbk|rVPcUXuL)$r|J~i zgfoV!0%al8Sk#cc9=V9yBO9x-O@8Hyyy6*y4iIrFvrY!k@m&d5Y$hv3#(AiHvWkoEGv8R9{ZAYK&6Y&G86pD_B}_TH2N}#B(?) zEQ6UE=tk~G?u`aRbudUOH-V1d(h@0KK}+?fB)KpHi(T%hW-}v%IS9&tAbMM&g<2nZ6otJhZ% zdqzrf3mJM~s^H10#CL^mYWHUmPUmb2e8q1G@%De}9f{o|t7%#2sW<$5Bzw=`nEppa zFtoF3+OjlsHCb+(PQOgsju)XdzJryR4D>E(142A%P(31{Lor$vvNO6KoHJ8tR-9EM zSjismxa%3Fd-Lw@2tju~D1XQ3p&$jeX&nXA9x-v;9Q(>2+B4<9;Lp!`f*= z9&h4|Q_F@#tfPSQ?o^8jf9mf~eriy%o{P8qoE`%lP3MU0t_h?4;bfNupl}GcPrr70 zrt1&wG{HzEfTmCbe>daU_$D^crO#=S>d1qW_4iqO$5kN}K;>N%~)# z)6Zfc=z$8f<~YKo0ZgRB4&^2<55l_##$6y5%3X-NY0TR$XLZ}m%=Z)U2X@ua&aB(9 z62Ka^GFzSKlMl2{GsABw6R&frwFw=EV!+wkoYX21 zGn=i^vW_2CaXRVW-%LDGc%Q|?Os{8qlrDs+p4^gN&~T{|S6IEYg_RazbwN&h5~Fm4 zp>b=J=w;5bCN{J(C@JRjD0X!c?@R{gnbOBv^xP0jMR7r;mT^ws3D4us9O115rz(R#p)n$ChR@YdJBC`Qi?f#5#kUfv)k+i$CA?wUt6pg`%5`SCWo*UGwjq1~0EnW7 zOV|X_Z-a@E&@p+qF=SBR6(Z!d+vi@hT zipKMihR@Q?c(KwDBbR8A0Y(RLv5iJ95S%9rgfo`ZaN+H(UOMH*o^5P$U~79PFSM%8 zYbbR(73sZwSj;8Fb`dfCo#lhDtH%&_^Le$G>08rsuhO6{a<^aYRXyfX^L75nfK*O~I&-#pnlxfM0=+GinhLzv>4s}c`Lu;- z5!&g};wnduM+{4lhVBTvM?~#0(CXi0THIBMl{IT1B*d1EYZ!p_Eyf*=0kC|6G3&*{ zQ{QS}h?I6B&O-tFw!k9xCx;zs>-PdUZot;LMlETHP!tWfR#`Ym`VnM^R)A>r*}h${ zR}?iPgm5O(7zBp^xUKK}Ocf{kbOwFzFSHp5 zr}7JTPj6Ha0TXe){?Dl1W8$TG7Y`G~@5w>PbM?jeCCWD$(JidLqFLXa&!xs%SxCr( zzGKp5D|kXaWfG*PyuHb5rxB;VB-t+Xo|O_=5?v-uqy#%16}!z4Pk-mwUQ6{tcq;?e zx1N@QH+gZK7jz#IcRPM@^Il}=tmG6%nTp2F-w8z+fD! zqs-T^Uo_NV(E?b_KUh2qy|>pyjiaqDJw<33^s{pF%e6exSGin)R%~JQcl9qP7R0I4 z^9U#a4r~Mf`!{+k0-RQ(?Y!E6m^dy@KLEpD{I(JyD$}L|*!^ zYhZA}C(fAq7K~#=0;PsL)%-H=%1NO6UVJ8xdG~;X|Jv} z7<)<*N&fY7NAK})rc_QLU66R&V>-O5=nSlaUz}%jPQ(=VFc`3sb~joVZ~s)6pb!eZ zBmEz7<(N#oKl;6{_TmPbsqq*E23~IDDr#0&Nr~HyXE?}YJ>2!{F@q)^*6PgSR$q@Op=}%?xDW&OgHDT3+V*&sG zs5arqbVacq4KP*FqR#_6O;!Zaj+V-)fbyMUmc-$&dt`PO>>c>i*_7UF_AXP>=)wY9ul z{%XnodUQe<1@IEMUy^z5<{qGkpqc>B3ZovU{{D*+uWPv9)B

        (hJb4^%D^(o<1X78J2RX7Qd24qhz-qKJLy^Kz3E9gp{1 zX&AESS&&RaZ?M07tHGV)yqOGMY0?kODUyF=Vygh6_J6HX@Ly@PVCjh7*}uWI9X6)| ze;7SS2Ora0h7G0nKYUq`FJ>7ya;hWUW2?cthdKOUfQYA>PGmPzvD^bRb+?#39v`ns z0?xA4Nlln`-**0DPVMoOG?r^3yeqOvnQfn4XMS0gqGxB#?8ppKNawXKUyGNLXujS#@}{Hy$VzxRG53(f}bx zx&V3sh{bqc`mUF#3I9~G47xO^f#M2w%B!%?bp3rFSzPQ%U5(jQ@~HhwJXT|96|h%- zBA}D~>FD%N>$e+k07DzWlkJTVsQ;u8>||tOebh;-B@Q=GEI#ZrYDqFEQNo2lF2FC= z*xksBqmHf2qT{+}z~v*iF1}G-H*y2kC}&sSuHkBF$x(s1jh5(+en>(?HB0`)6x9`c zOiq4F<7$0Dlp(4K$j~IpYr3wUgm-H^iG5zNAvSH7tlWt4wmQY9cW|Yfj}#j%V>see zha+2nU4xrA6g0^=?yO(Z<#mTxa}QQy#K3aqgKTU^o!5({jeD+cY40lCkW0}Cp|Bmf zWqEK@_7Xg-0Eu4>&LdClbx+mtje<8%98c*j$P89`4L_sFFb~gW0gAxQv=6{5`XAsJ z>Obfe_L4HslY?6KM>Shv-?LB2D&Z0HqR|OaLXbPu7vZ)XS*CSUe7;)i`{i}NQ5oTj z{S%wh72VGjbqI}HnL0}P&<&9F-vQ}=$^SY(AIBbKQTT_(gO&paGlb=BSv~L$`8kfB z{iKxIq@L=NdGOVcR-q74xeSfGQix@R4$W{1J>xiVn2j4TTxRxX0}_fGQIP9?mfkIkE#%YB{p7NxPxlwTfA#z6cB`U( zME%`R-sP|;CJmgeIf@7?0<;R%Ti9bcv4YiBX~)~i|8D9q-kv!hG6%nH91%L3Q*ZCy z|9^4Ghi7vB@$Umz`f=V(lef9|6&}9WBnna`?xm2YYJtiRsq%8{Dt`NI#Jo4}6G_5Q zmULIB#uoPA#7yS6kJ9%l+2KU^`u97--{Lsv^^nu4*H7#f&G|i^r~Bt>Aazjz!|81A zX~xaYuok{ydJ@+^!&MSLOeJ$?Qp6B(T;(iTA6IeP?Vz{ep<1IzP#rG3Y~lAQPN+~g z(_@VT#Ln@gB0YNgxn((tS(mv2#0!dKud<(fD$4S&yQ}vi`cP$D8M$5_p| z^Z|+q3!Lr9#p+ZeO9|?OwY^Cz?b%N>(AXZIeC1e|4BcG@zU}8+FXT6Ek8T_*O7<(q zo9Q+xV!q}QQnFL(%4X?7fPe* zv7)EPn~um!2{#j@^N66A8!kKZBiNu;T`^3f4>+S-RP4R7Fc=l)Q;-iRU#n&ujqA38No5wJf;$~>0@1X9|2X^|49481cg(40Ges-KjqRgd3R_7?kdpP zxb2j`*D3%KE}*p)4bAA)$+gW7o z@wW*BK}yvxGK4Jh-hxlq%9B8#WTO7nqFB7pee{3OylrhTAfWVv`>tHL&ccOpdzjeM z!Cp(YS0BX9_As4#ckW7}E>D2Rr={o%k6z7)|X?2$YsCO#nPu&!a$j+Y%`yUq}@4GOjE%rDhlC!h6mDr zHr*QQ4^o8z>2gri%z5YQ52TFIPK_q`DcDset3y#gpTSG62m~A@9NeU0cS~tN_3{pt zog~&Fnfikr06#SfXf2Nw=QDs7OZRyN*o)+XJz?{bRKxiJu?H=AxZk-&2Fs|Ml@7Wo zPYog#|00{y#d5j1)g$tvMt*Vnj2TwCrhgCda%Aa1!4@YP4Hrr@NhD=lv@E7OpmGjJ`mn| zTn=F7-cNzy;76=2Mu^*<1~!MZAy~2~O#s_-5{y zWccU&8l9#fG`@mlNPHn?7f)8sC^SpKQBIX;DcRsqW48NpY{%ru7J!;Rkg?mn<-IDv z>HHB&%#?LRm6I!mK)Vba^ZLdbaLu0p81DgEt>01bk1Dp!f3v2WhUh9@M8p{5ZSW(V zNmcLB=eLi(gJ4E&A6cqMf!BUR0(Ao;-q>J)UdM|=>LBg%P7V(UWnmloMU!{~s7=yDg3H;jl}d`lUc8^^hk?&X<&QhnDVA}K`_ZFP8lb@+Y9Zyt`--2cC2>&8$C0q+(lg#${@rFrDsS|A%&y*FD z$d&NIG*iA4q2fa?-XS9bR(7w6uuMS8^TCtVtIOHIppkFV$+zUGmMSK*kXC zs4|;YN(29Ftx{$eTb&v@6Mri~C5KMO#I`+dTL-zmm?N8tqU87dv0>-tG*W<>VU#}q z`VO=Gxv>HpEPRaPX}Ro+@?Codvyr0szJgU_8GLPsTg!*;Y!B5n9{R#A#5>PI=QIoPtC&s3(pa%Y4)((W$QfhPmq+ww)DUc9@cXP_GFiJI2|dI}=cU6E z3Si$<+jPxZXe{pf*3)i96?3YxCXrcr)4;iZnr}ZlASki%!!h3Hq4$8wFtR5cVY}F= zRTL)r3#0(tPOPXNd~fTz0IG_hHA!%Ul}CsPc+LwrR6VGb;CyR=1DCuYa?@Lpf>7DpwBJ@qU##1ox7qc!z|)<)5=Ht|bo<@sr@_i%zE!7ckJL_z z4j02>)QmUY2Vv|A#4L|p%k(jJO}l=;JD~dusH8IUOlCv}Oqsws)AvR7A3aBg?hYyp zd*1cT_PS&eu3n&R8B^^5g%mbb%K^Z&$1;IQA{}Cf=s{9r-dcJfUA&O0S?Z@yD3t=_ z53TNx(FaXC%C;;hxpA@SjGtpK#_vYIOqP`0sFbOs{W0p_h4_31yRzd`zHyGF4%JjT zX>5RCv#m=!&#PgK{9FX*Z9vR>ZroH_;PY$MM`q%sb0N*xZ0XQ*%(0Wo(d4sO|z%z=_-b=dfqaAJS)-N%RltqNhUxH-|po zbymSG_{45#*$hQvyj?iL?hf@k$yn*C=rdK49~~<{HaKjI(8n zc?4`Z+ODylp$}v6PCyLhd{v6mR5 zEdl%)1+@6xw`>3zkH>gdSx3w9V7wDX4&dC#q?-1dC8tzIGM>jm^0z$kChuedpMZ(F zc>4r)rntQIBKJ%NgEtDlOBPHe^4%s{aN?&=>1u{~)e&Srp!z7IQRP4WE5@&oT_8P; zxwfsq5(p(D{?n5*S*KC{4htd;* za%Yl;P~1jj=W#DJH?5SHH%yqWg&}lq?%NDp6uKJ8{bVWCh&w6VZNYxwB7b>8UXk1j zSMCSRdxkJwrs1u(+^FNZ^k&4DlAl24$m|6WBmH`z7w{_tCzdls1-5U={)W}6Ja?kp z@28*T>8Ouv47b!91h0ET!zwTY)F^TnH-&+uTw(4VQdYNiHE_F~w3RG4>-NB{fLo(l zm%Vv4th#{Vz=dPU{H5oF$(j+Mmp^Q8IOY|uhHaM=WnZ28D8Mg9Oyh<+KYwYW7fwwF z6Rysx4iyTEq`c)YkU=+isaEH=`7}5d*QaE4gtBYSe~3OkPLkwD%v&d?$CewNtY-=( zPK(jvHNG&}}~mS?xD{+J*@BfIK43b1_`E{FT``dv1V95{F3 z10ziqi2_jH43c{bHZW2$|BkC9Ya*R5n)LnN(MLG3OpW6wG}8 zZLU1y(qXtjM*y-hz_e(hoYZRZrT*S@WJC7~Lyqm|kX@gWnqPQw;-Sa=f<>h%hRp;e z=3K^>$-AHU=|KrjQ%0TnAHZJL=17OT)pO2gWN?V?K;_8u4}KCAW=`C(5B9%e4Umq}EfV zKvA;PLQs?RG+8+60_^rSFL%hhu1N3meqQ^?oU>m7HGcP07QaT&5PL>?OE+!@q_wcm zok?X6MRE_+aSr((SI0UnN-u2ZUkmlhUfFy?HU>z?Z$$R3M+@Cm(i}S+nzH-}gm+&i z#O|yLSU#RP8XxZ*%~gvJ%Bua3ihzRPp2*F1ecz^`M6d~szy?2X(d1GBi3;w)v&_&+ zacy6sBHy>lixQk81O^5D7}JdcJ5LjWJj#Q1$E*TA$ybNWT>(vM#CFUy?Z< zO_!X`)e^fUHUmBE=doX3)0RP4?W_ZO{!}BgS&lD)RnH)?(6ljIwNt4xxhNBkZk#E0?@f$t$+`qTPzROvWjNz@C?`^rM#=s;SfiuWyxz zXixC1WIIw;S|C)@pq3+_*v;QnJ<)&_%K}U$(%We9kPRa$MJ*eK9Ol~>2*LF^GOift zI2YbD)efkp|Or?%JqDmg}Gh5(ocTveDvAfKbGm3C%eNcx4o{zO1Y2} za7o+jY73c0q3ZJ&6l9M=s5EdKk0p@)J+!hs`@`RXdhhv*U)XvtKqx)dbIAHeRy6Qy zz3%b9yV2kek>|b@b^eTb6P(uw;k%`u#^4>PD&XV zb;Kts`G|B6mcD*cNh~GvST9e2e%!ROjL%GUNRWRY(sMWQt|4qK z`+CoLdLNY7@CDT@^mJOBR@`BJSxZ6v=L$9Ju@EUNJmeLp2e@-t|>0JT2y>-thh~Sd{s&>&Rs@kF{R%3k9_L-`+ZiyVAl+`g%iVr% z6TV@h@=AmlII-`{;4hz-cC0D%zpXZuO7?@5l_&&&z7&j#unkmGu#B3P9Fy^J#QQ&z zKwS7Rg4N6T+0!knAbfI8{Rx!JP8$1qsT+Bm5&tu6lS(CuX6IpFJmtPM2hws*r3RQ) z0$QC`fDd=QtZsk*MAn#vf70XMpB<6PD_RK7(Hr9})TwC3BmXMIjKq<=lIA4>KQHq^ zf@Vn7C)HMOU9t3Zo>wR06B!##9zev$B5!g9rteh==T@EKt7=BVH9bTbqypDJ8JuOf zK>~2k+pEy|_qLKJ_j@>8jH0xcqgX?IV-+P!a@W~oJk&F8J?(i-8XZ7-*~zQDUXR;= z*=M{PT?$%?a0ugC(!5nP73)()s>GnD1#AJju_`ffnhdezu@bG*mL+*dz994=3n$Qg!KPZ-un`Yo1EzkUA z?9KTF;FJ&My+VYga^%;-YCA@2T24U)V^kRdp>i*(>4T$^C0%PS{<%nDwp5PM6X=}e zy+&t}5hSNRgUY>PIA|zyJ-dLqF<$o2X+|siT2F#KCPA&fd{At*+L<4dYOhw4d%xhEqK#E_+crfI0 z31n?;O>MT(?3s=s(u})Q&}=~DIwgXR_KO!#!fL&pX0L+w{svYORc?&f&`qe$VkD)& z0a&!m)N(jpRhltUx?gj$3esUx(LL9p-+f5^_P&d8xqF##E_VRl~ zlbB%edEg9aI9B=h#c8iPR(VvuA6_9AyE=PQ9{JcE- z8n9ApH}0`Vmt^a^Ekbvp(@8S1nZk)H37UiQ0R_wkBP_+;*PSh`fX2rMJ+Gm_tdO;- zdRtWggrmdYXjD6ySO8DYDRr-5G~z@5ZCZum(M6}a!<6ys0UO=x{XD+AM0fC|@zWmo zVwIG>>@GQGpDybovw*dkclXFxVR;>xxE zVc!IE6CLklW)gMv?2w31%l5L88mCKU)Zw)^pAzC$BwE^7wyc0mMza zwZnb3fJ-y-#)aNBFo;ql6i4;R{P~=W-L;cCk`6XU;doSiAgCO|;xM1mSjp-cyJXF) zOOpFFTjB-WB#qJ`^3Q7UU@wp49i&X_AZ6q$vJdNkT6n`3E1jc5-FdKMk^QjJi7Z{3 zhzx-KY(92~BKbBtc=tN(6)`ET*^gAxagyuT%*Jb^IXg=k<*E+>=#Vbk0Z-oo_TtDp zsjMt0ZB+wsW3{oosXlCNX)Pf&>Mze9%4c`Twl|PV)L^O&;jMw7Q;swyhgTMFcLZ$9 z!`dHzQDdz8s8&|tTu9ZcTcBUr2%K=1n$Cl@UXc?;?7X+Gn%TkH<)^{~d_h&getKD7 zve_VT3Ba*tlHL7+Z_Gn>OT{u3rWyfQs(U3=Ix(Pb^4hmnR=>@f?;%uluNL+A6O8`= z>rC~yp;>_Gbb6gD!PKY@rGlF+let9dH;(ER z3o$U#oOM&>V=%Xc*^X)Xe?U1!->N{&uaRU!_e`LC?fRQC~!)yx0wlFTigYkhG>$b8tm zbRjT!P$LbTsJd@L%MtUR0s7KK_a(lDwi$M$@Ou0uhO6R=vg`=z%-oDZeKU zm*b?eTnC!uU%WKu-3el&9Lvx0?R7$5!fCI|8vQj<0QWj*X6iqda+SzWJZmEQexHye zpdr|xAN9ivNa$V{I}D(^m>ln*Xgtd65%W;DxFNs1Jb47X^lB&^u?0=s0-TZr| z?0eb)RP=I5bPm@+Ibd9Z1=X0SNW@hi0f!cXb;yC1N9&IJISmg(OP{4`9F0Z+``oZ{ zigdseAJE~F1$w7n`N&SfZwG9ankz3>17j9WkA7OnfK|*fN*y~;J)>n5G_@Z4FHli zMyaT_FRQr`Oy(5%z-1c`hltyPr1IoHcb?+F2=bXmz&+l@H{9Pvpl-uECk)_1K`)=<<#zbIv=EhtIG zqgUgTVs&rsj)ux<4g55{f#-heuG(5Y-O)(=bYP1cQa~!*g0c)>@5Q;)n;>(@zGvUlly|f_oDk@RMsUu?3RI1*U4L=lw z#A{0(uHLXDky=+YS;)0GT~o}aGsEn~Uq9g-QCZR0(a3n@KTWXt?%LB^DZi&+BOGP# zk74n4_o(NTh-O!|mGI#6xP2q!VbwpaRf=pxdH1({6x8j;H#L64k@7kJ44{#V;v+RF zGs6SBD5ue>jJhaJQ0?-igxgcPZ0#?vtnb5VYk||Q&`A^9%mk$x=^>yf^hK+*7X+Er zVpoXs{N(!-C?!{4wNd48qT-%;Jd@*t+g#%m=10{^?$3qjU75X36Rc&k;snT|_ZWc- z7Jlr(o(A`SlidXBh@6J~7wt0DcEvCX1zGYuXyAKqdzu^Z2W$L?G z3fc>lcuJfcf;w=C-)ikPXJCN}P8fS9?DKgC!zr;0RVN7U9YDhx*>@6sHy2crVlgV5 z*Yld>sY5fuE~`GHX{ib?AX|%eRO?XzY_%@%&t4}*C<;@5_vQ8b8ykxR-V!aFj;?+Dy zQ=P55i%3J!<79?!>L&#eGBYTBT&ss_n92ZmF8iM3YX5#p-~IAZZi-@B#49`P^W9=0 zDymFxwJu6xX4c9iJ?uJWKF%b_l(}y8$a+qVk*BlHa81c+zn{V)*eAmA_3&DGEB|6D zG2VRbs2*82h&_JSx_sK}fLiV6C7mLk(@~^lYju=;`gOt#aGl6vB$jqZop^cu??3fF z|JFf66b~x2RwGx*Ab0?RA6uftd*o3KegL+nRikRZGW?Mfa8szC2pblKF~J@uAB9kE z2pq-A4!UhbhHAXiChFO3O{~EfIzJ(|$>avz7r#eNRda zOWGZ1G7YZGXgmcdj#+YJEz$=d6Cw>^DlcLqrOLkrxt7&71Zrb>96K_Q=JCrel!yFB z(J9f6=UcMVhBPCH#Bu@WWG74DvNVk zDT5eQe7(80Mh>*6?_RhRc?wtC6)RFoZ~}+^w;tAHRVS1hXI_3NCafO5+o_yARcv3M z4xcwUerLEJe21ri0!oFL`U7;QC}mDl7*3o23-|o^yEG{^Tu4gKiPN}&QNzPqc+jZ3 zqL=R6(rz4Vu<%Pj!fR?{9~r*=`KUGQ?xn~KNbLK##(*JfG&pwCJATuD?b? zI$7ID10$w10y>R*lSdJux+k0&DncxzCe5|pQzle`4isBfdey<^^C-sdS`5fc zsAsswgelj{HGxM`tk_oIMY@NLfh`-*I4V#D?Ak@>Z|!4k+v8`{M8ytb3}S^#W8bSI zy8jYiwq3=LUT=IMhZVR{G8vgl>GqThR?L7|tcgr`6XBoia;KKVY@LUFccqm@ko$1m zE>XQYgzb<9kGI{hSM*(dsM^y{b^@FDo+EiUPZorak2~(SD!&*iX*vhOuK##ny#7TA zplx3|8;fs)APA+tz5mq_7k(4?<(N$!za@>;7Q}7d!F(pQCJw$v@w>Z;#WyC1S-_x4x#pW zj%*aV6@7Ke4Plw(`Yst*5pFuT-KMRK1#|0dr~@1d>|7?74H|!A4AsW^9NOQdvSXeT zQu=gRF@9Q&NB8O^yqo_%)cKHjXA`76jRBhnHqsaj&qwMeUOa>aK}o_k+`aQE_WUXI zGY4hgdW5WJS`Ny@%LY5F@>{J2E`!JPE$+l?&ZK~c6Lz3-;0xCP92gP1EKC4i#C4k%N<&r!>yim zj#E2`=-yUO)n@cvm8hQZnVk^U0~Ip)Z*gXlBSkTnNo1yr;v{-n+BrwG*w;!e_SR_) zl8SS-<#UAlkoJ_JzPr%hUKv8Cdj3j$2RW4lD!j7YV(K}Fz*1a_`rj)UBap{ju1J2M z=0YtA^SYHxPRkt%vNPbK4?tc^)Sm{mdpqBURMQ7ul z>M|fn??rlpd>f~I@J+vZnHv(#kAWDKZ{o0T@=hp>iwcS2B9NRrQFHym!nD+vsS4yU z$!VBBAeQ3wHRs}*3-`-v6y!jD?yn@J9>qZfhABO@PD!{exaaQHg!C{o90#XYL7ddc zJZL=Kt+Oiypn{(!wY3`vn90aQVT`*aoVn3!aj2C@K6yOmRdyXQ1wY7`~Zm_ry~_A{&j@t`XOtQcx}Frs92{ zFuNToWF~YrCHEd>-%a!r5hmPYmtN3BX$sMw}_4@Y4vodu<9wC`Fsy00ut>{y#M{$Qa> zwdxsk<3F)2fC14dFdzC`P5zg=N}RyQ=6e1Xgp=7&+toVYL2bKT4#f7nG_;%&J+w*S zNFnl@57*0r-Do1cC)H1Z(lz2I2xwBX&k6WVPW@==a2H3bea92%g&d5*qFb})J#KaG zq5B=!*O0}Wn;*sVYq)IhuZX2mN5N=JL?|pU_zP;}O;gykEtOvdtVD&^1NZAe|3ih8 zmfLmaO88-X30>0v;dkmFj;05*PDlWovL~*Ean?@sSfE#x!K;4Lk8KKd(&)x6$>f2+yfd$)49DrNNKMgs%b{4wHu#Y}o z42*P`jKidFIrf8GQX|C6rNr$|8~^UQ%x(gDbb`KA4Nsl+&TvYL9-og*9iQP>nCBEJ z#tfqM`h!zUf_(m<(J9R<^^H_Eqn&^I?Y?q{?7C?l#XId-1sK9FJZfV=gdsT}n_@4Y zCeEln7x{>(W zV5%;ysB4|AhkEIQ{bVKR8`!u=mN8*WtU%9HKBcuT%el6>3-7sJIL{ZOA7Y2CH|MJ)|#sN(Dfm4=e z;@CXH4$)&uRD&VDp(;R7Ntt7PHbdCmf-NQm3l5~R<_W}(N@n-2t&}O&$O5F!UiI~1%H!9< z=+Fy7hmsCfJJMPQ7eOqoX2D$#m_h>wqgY*XMO6q978PEqjspg{LE>*z4DTG+0{6e4 zdvu9c5l843na%oW_U@NeVAaKs~1qk0Wf&jca_n?aO^|dRS30rG< z5!uTr>5p?pe$SgnquLeU2Mm31Y&?QVUjO^^kR|`>f$NN0zUb+it*hyy{5jS{hMyPl zS3l>W8^txoI3C8XDwfI$XRd#O3PnoxO@;D=$=Z*1qWf&4Worw)j@R#gGai2sGu0{k z>^gQ%-PwPvw{eEo{i`KB#5H^)(-r0;B2cVq%11B zk{c(@fSk>jSbaCK5JL1A8qf|U&r>iCgc6n~AphA#MZNtaAl#TR=x|KTV?d8b5ZdH% zR{!k}L`k|PHSVEuxVMpS|A1g2ZoO{yAb&dBtkA0Q(QC&$h508Yb<$1{J0OOw8mRfymMO zM_&g0;<_e&$X=7t{x7V9qwTDGhfMfeT-qr#o@#;Uk19@_?e6zWykXj$I?cPC!g)Zq zru!(Nr$hVMT@}`?Rh!wvx|5~JnW**Hou2UH;cz!}vF7O#t<_>@YEsZ{@2C-wt^*j4 zd@n77Ct!Dx{V3*=PIE;^c$e~7-?N?fNvtsY%LyM!vLr)OdP^+lO4$R%VKr;GZnRD)=*v)&H8V1$C z)tOn;Y6`CuXO56l{8i0DVlMJtaaMUfFAY_q29-=P=UOcAq@SB^duIxC*}5%Xa>^>- z^SuQ4qMBf%7LfdoHU#G*%vkdshu9Op09XcADut-1wEqzSq7$vo>zsS{?G|kw8I2E} zGf;pXxh3*vP6yu|aNHu~D86Om0*x2^q=w7;W)0^@VcRZ}yqAbCO)H!cJMkYyhZV!( zXQVy<_KvJd6Yr40rBG!;xbp}$7Pz<;^=yt7(~N=2bLoI_cJ@_w*civEb8ZjPtyW&jr^g@DR{#lE%xUuf^wAo`XLq#D zs5-`Ue+F}6Yn8%>!bSpF+UU)&w~T7aQ~eix{m%;auR`{aAl^{i*fdL;0nq&mi1DC< zoJR?PAry^gl@cR(iY|{kpqfBFB^UKHg#?JTW7c_lmGwvjr5sXC`aJBK7Rcq)vu#vz z(~%$;V~@o+e#xV)8v? zW5#UmHGVs(%y|U83oDn`>c4;aGx;$fy)hW?Uas_lod$&F4I6cx znHNx=Y5G)m)>c0)UtoNWZ+`CO`4C{|^_|r7 ze8W>1y4#?%g@Yf6djQ1m#(wuq!Z=O_CSH3)F%M`Z^4s71-LDR*@nq3W035t)N;1*e zOK{_B&q>H5{*kOb@{bAW@KOZmL_UAJ-g=CeL*b;qw{%L#0hqV3ZSUIfO#bJKH!E+d zzCrWIjO*)h4baI9&0FqeTkK}%KYG(hrT*XJ!y#l>3AbS6`PZpU;;PY6#_7;JQUA=* zw;gqjBMql)>FW~lW>-ggjxVx`6Jc4de$wft`&|EYxRCY3Yu2hI-M=Nd5F^hWFw(P!?a2K7w@3A`55CE{)LqFk&|$<$&jklcLyDbDHhdUVUostP**Rq_sQ zs7#L=i;^8o`VS}10kQMS(Q1BtgWK3#CW%gG3W z>pJ^rA;Lnf$BzkYIHJ;oRl~fWL)VkIHLrlNI@mje`dvIE&?H#Z8$>>G)^fN3;0!0; zxFw{6g?ZaVKcWtf6*T$4h+yzc!$fH2A^7@?(wtC@p%sDfKzZ}`;H5Xc-%%pFHKKJ7 zyvGKJufUy|TFF!$dJiIh>*ovjvn8;Hyr?S$KcSspqefbLb>+M@vk64!=D-cbO0h-N z9y6ilU0s)m6y-4q{w&UU`LRXIHqocmEp$%JFxJDPV!P4J4*W?s1GyIrSfQ^GIU$s{9{l^tOr^*P0dmB@>P(QN5q@f#fyaOojLW~_~=uHu-H3rv)KV$r_wDR9c zKI+vDq)7v?dLXTvGER|vo+Po9I&Vh4(!{wil~`w$5KR0KC@@43TR?4swg%>mlO8$t zpyNj~dAq=Ype;6G>RM3^D31#mcY@SAYMrEa>D@}U#+GfD|NBA26|XpOFt=9gE?gUl z+E1ku34)PAP5zpSh;1{2P7m~$@T{R?ZZ}`3JU#}?hS{dV8BFXFm1u~fw>TYNIKL*X zDZd`56zNUMa-kmo9Dlr8du9&?MXKmEZJ+K@pzw`- zlXm)2usQj36~=@3d}3}X%?@J`m-?eYAX}lgCUBnA1F)M4F=4x1qDKH1C@3+2&p$em z<2KN5_F2igO&$Cge4&P!s3NI9=$7>g)GMJ`dWhAU0GHoih-{z1BA-evwn!42TyBR8 zT}lMhJ#u={|MA(})esax(Mne7Mv}y1T;1u)RN^k^{vZ!2e;E_ijcxs$1B(O*e?yN< zimM8v7--7M7ktkz#EQ*a`@;W@`z@8?{^*GVV6ik4ky|Vczqh6O1?o8GzZ#mkrA|;n z?}S~!8FXD7rpo&TBAy)w$66d2npb+96OUl;yB3TQK{a*C6ei!|oWVISAVzyp~hj~%rQ^ToK z5gQoF^(+Rs6I&XTLXOLXwx(-zBksnxbh#YOF$6M5VvftI4t2QW1ML%s`$!KZU2cdK zMiS}rAXA{anl#kq*?3}Y7;h*2)7%J3dshy6W?6fUt$O&FVr_maI+x?aYkFdzUC*RX zdh8yHNQY5zw0fpnQLG5!Yz}rbRu+Hkx`|io+X?d?VCI;&0MQ!=8VhT5=S@!$VMivIlvi~$^`5osoxHA;?RhLFYg{06fd)jY!@5_??#7;wxyx-Zw)=ZwPX&dZb8 zygJchtfjP54P7-!xTRD+z%ifOeSj!sh3?j05G0X4R4@+Rcb^L;Tc+7r9r9WBkA^8* zWc!0YmI|1GdpJXHU|AeyHS=zOyISFVG}v_Nb*G@d= z*A2s{AoC0!e~Ii-W^MP0*mwF#G^QBNA;M-iT<-A#6A^%w3^y(jy_Vx;Q5si~Wnz?Y zyI=ha=y~ct3}2jVtSlsi&Qx>LZPfq=j%!ZMJ*t`&b1YoJ{W6WgNR)*i`au)HNlwTU zD6!jm$_}Llb{99-yu_aqGGq}-KSR)4{n#Ezfg@NO{P*1-DJn2oW*X8U8)@G&=dC3n zlgErcly8+;wxduYdKTp_)P4V6DbP-DKb<7hhiNFO-J^<7I~LrNr()eK)AZ@$XYX@8 z=F4|=ODu|0Y_SzvYiqPQ-c7XxSm=wJp1TdQV=4>1hlSd_ALJ|&FLQUC+bR&fr#Y6^ z%W)?o`I!^mCE0B~wdnFW&~FRR7VAm5jpVZGm=GfGe@h6j-U|`oeJ=?W&YT&KsO<`4 z6(#)jqUa~0U_XhruR5AoWpTPcx9BqC7l@jr|X|6`*-N|^+4GBg;#LOcOX zy&9JThovOKg!p{aZj9^u-}AWT=>S68h_2*AZaP=VPAfGDg(@uJAt$N_foIft zhc94-#>;}zViom@RK73C?=>*URuh&F5TJGHfQsjG=tiJv)YZS1SE;tDO~;GSwddH& zP0r#VNhzl;j5=rrAC|M!CxRM{TD}w`XD125Uq_BHH@M+^SHz~&YYjZE=Q-D~^1r>d zeh+jTgQfea@cHi%kg%AQFa}Gf1Ptt0?wR%MJZL}#-FzbN-$byvK~|psl!WWZD}ZpB z9&>^c5=IQ0jdBQcmnV@$5GSR}T|>~YtTayha;_s*h-*#LSh%DrMkE=HMd%7z9NN>W z!M$1h4)G$0R2h+h{@wscxawg1^V`A4CnJ9l)Y#tu_8K!x#qe~X%s51t%!Z<*UyF?Z z-8bscwIPj%3`+G46}-@b(iiu$%Depig~KH~gm4^-gvhwTf!-g}({Guf%Whp#%| zUy~|$gtBQ$8n}MY2lTqPJyM7`Uvt{av5%qxT%B8FMUmF;;bF#-bY#PVp4afgUG_|) z)~T21PgbYBvpe~UV8MkFt4;Tanclom-1^02dy%R6>hroLZp13dMKQqBhp*=tiyY{} zjfYcZ*?ny>`(HLN_%_BPJ(!X=i&+B>AHi1PrjVS)#5)fn0+33yc=0+ol9abv1jf=s(fsFgdpn`U(dVqNJB7;_D91?pnCF)L z(XY-$_S5Z%`YW_h*gl0_8Lj2DoiJY4={|Cvm!B|nxxRR6G^LH3(L#$%3he=Yr2RZV=Prv;k?R4Ij|4+$igUNxJGh~j_;~pfz zVoDc^XFg+SK=h<~l1*QjXXe$}-e)fzh<^o3A%w!*Av-xZbFGHBBVI6{AwP;vnkS=N zTyJXu;X`YalkK`019I9qou)T#E0F0DBkiN=f}}X>!@AF)}Q`#_-;YNb#WvyWB3R(-M z*38D(jj)6Z@-@l2E2gB1J>CS$D%Z8>ibx1JyVMa6GZklOo8VQS0z^^`$K+? zFYi~J?o|8;L8nuY4}UWw7yKKhbuC_wbG}A&3+L_RYAUXb(G^#m=Z*Y^VkYzFg8l)H zjKU#g>?+0&W#t;-3qomK%`Uxn&yEw4KvklVbh~)Y_LKkL#PhEL-p698 zrjtA+2tA@~6)G)>7%CCSTvbhP+SDxyvpyP$Q>6-;n$O^7`_&obQn^@I`(L}(*2isG z9{}jN7POu+#XyKELakQnG@(M5 zI0>7wyn)fN9Z2favBx^ix`?xy3smi5aNpopUfN_l#DU+KU#@hjEd3{P`3nJl{nGte zMv^$>Lhz2TFZ1vs>=JZq@Kgxhz2A18D)c<1ILsiHO-54ba{ZPk9xWWB848I)hiuG4 zC>%&kL562cBNMbL=JMp<(V&c4=+iUWps{n%pM~B{3{-DX+X>>Rhk6o*TygY!+fieb zkv+@2?w{i6pe9r;H1ApJb<)^8_l<&FX<1QTJKC%#(6!%bvJLRF)e#kQ-s$9^!(Onk z4$79Yrp=dGu**QdYMMy3K4$fM%;99VCG3}Y75`aI^KGKK`fEdfHi+%5P;x15=NRs` z70bc;@>Y>JYEeeSH4^#Hcc0CLUri5%;pFt`lf+2-sX zGH}5nf#icP&V?gQ9A~=P<3(@R|GtFPAnhUB+Yqwe^EbLeU z`W3H6U$WUtmfO$p@n`$-#hMB@+Q>E0<(03yzB$vH)DU8M7=$DkcEg7Rcoe0*dMSuC zB#C9n|3Bj1Iw;C_?;kf%5F{3qkPgK_LM4`1Bm@)z6_IWbWeMqA_Cv@nQUVG{swmA8 z(j6-yAS&J6xil;+zw7=y=bXpqIi8u{%=bISz z$p%1jhYu0J7mWsYeCEh0d>wy>gr$+EPuq3qw&tS{SfL2OmXy|f$QFWr86BD5ZSb2r zseH@$Ck!>+Tr^N)ymze?X62@MM9lm(@ZE)Lp&?d^Y_n}MQ;|*P0;1U$fpC~tebA%T z!=4YaQwVPyX5f3)fU}ZgA!{(TX_yB1M~ZRS4RQ*zleNii(hKXp)hyDhvnW9?b!DDO zHsgd-RQhDY#~;I3Cnn_3P?y*yVx8=@j&p7O_q#7DB^s-7qAak+kJrC-coo6qVY*5R}(7a{H)%V$W;{Dd0U+mi<-#u?zYmpQFjFhJM%H-gHMM&&S_Oa zM`%3LHIzs9=u)8e$0kheV>&`p|m#Rb;`v`i2u94eRgtaR_tBlA~Jbq_n^@CymVy>udf}lRri8&z>kM(lol0(b*D26=$%WkX;?f z>i9u0`XPOMe4UbkP+LyZ>Hb?De!LVt%->4@yyM66Xm7^M%ok4H@Ukgpd&J?qEn4Yw zu74sMo+J|#R!)H+iactF+m6}frwPFe=qFPz%*&>Ai4iYQ-y8j?unP6@nb^y$g1VHy}8UG@(4|q=zQWYd8ob!!b z`%E!=&FZ^*t#hlWRj+Aa@q3N#-CUDwj~#$*Sc0-_MYSz$gQ)||Y&ARp@yH-)yD+T? zJ#+~CIUWm^&wVUtyU|*R?z6mZAd=aZBvWy)nI?N3^5LemxYpDD_99(s(pI*WjE%;^ z5rD@a`QJx0Xr%yirOv_U&*LJBE6@; zp5rk5J~&wFCX^-m5kHyFiQ* zlF3;<3jfZO_c{>R+n}a_oSU8YB&0|}rF(r|&SU|)SqmcSn14pMzvCu3EWPIBWL$36 zVndMo!AB+>eYj)-_g&}xF}9XFW_*mkUW)fQH4uCf9`|;!;>OjFM5&j0J~5I7RC6G# zTcXSg(OUY36Z5LoydqP&SsmK^r-wO0W~69#vbb|8Z)vD6ab0Xvlvr?SkmHX=`xta5p1HBAdpa^ukjOrgpUo=n$ zYj=lz`uPAx;@SYlEcR&W=9*ph+!Q~DJp<|#CLjgMV^7$-(ZCncW%Gmjj~a z`O;p*u?M_0B5m6r6+;3ICmGTls}{6!uh#6f+sB1=&h0KfBaOf5{5BWN=F;`hJn8*Q z4IU1DEkd~V>sLSa$OWo%cQJidvc&%B9}2V=D-TxOYObL-#L=B3!j8t#rUokv87kWI zEZ-{83> z?j>oD1eH>tbx;g+!5*o;l|9;!wXcGI2#KP4`w-mvm&Yvb2Xsuuk8EDj4?%iM@Qg5l ztfkcVi8%oBEh+0peFAR`n}@O2k%pRoctU``aKPNgV>0)8Mk%yqT#Ci^{niIdy6Fiby1|baW^{9+)~QkV(LW|dw&`E-X1~~=;i% z7wCg1My6ZyC!81zxweL+sm|l8!^g(mHm1xmZyJ?6noaRfX+TU~(&|2bd)t(+gVZD5 zWVBggq(v^&i@@irpOSJSB1;gw^(t(H&90UG%#56H5=zEv>#!d)QJzs^hT@t?q=a88 zcm}1QpA#}8b~i(@Zorp08WN?eYsh$Jz}-)!ttTJppKv334eryTYV^zC2srBwVXe)- zK3{CP2@npdQZA}yOrLJ64@`L8#i3jbXC&|8&A)F&K>k95#(Imh3%WQ-)QVH`;QiM` zu6uH?E|63;y}sU1b8LTLZVFI!ODldh#2EEos7XcMlgHODS6M- zrY)eyv58FwnZ=$VeOT?e&Ye}K9~mc)f|BNNw5(1}`5Rn4g^aE?Kx0)r=>isBmF&H= zT_Br+SbWm?KDEd|w)$=mYuw}YAwEW0cRv#~#*EOH>s)=q>8vK|?BbX9LTKrGD`<$I zCn5~B&yWX{p)w`sG;Dh&Jjr5pdKEO5C?xZ{?(jF}XXcO}!ib$GKcu3D7=UMvK^pRN zE|ITfHGG()Wn0vuUyNAP`qet$fT!}~(F_K!re^S}MOMcx9uB^@Lf+$4)Pl_#4T?pW z28WLU=QM&Q@mFwOFBLmmK`jO^Jsqvt)yR{+rC5pK>E9IPRLAf&ZbfAWbyl3iN<%>A z_%Ihe4l@28?Ac^2d4F){RF9F@vMcq%nwCHU#pUOrou|u+ogCiY>#^%yS(oh#ylX>W zBGD4EC__ZaKf#Beoovc*HaJP?VZD1nQ~g4~r#S%EJ7K=xj!!WC(C(cb*{@}aOeQO# zP>1;?!f7R?c_h>u=b}n(RqX%Bm{#F1<1o1B?5Wd)sG>HMa-cZOXlENHbt%q;+o3ly z?r6-cr7U#}A*$4EKj)6`&$W`634_VyIMw^vsscQMPEVr_zR4?bcM*=?a$#&w$-ClJ z4l{3I5Vo1hze|?r?sWWB8JDjAPYG|(JFjQgu{o&C=u&YK8bubq)Ckc^xfq0t=Eoa% zKha2bwPvou+~+y=9hEP+U) zGIYji10z8@@ajU}d6 z0ruod8%)K)KsCty9{c`3dSS9I*Bd=+qDhBWkPV<`;hX$)OZ}Kv9hK1!^?B=;3rrNY z6nuPl?WTli93lS9H8^*)+?-?1>q}*kZm|Lv9fCV(`1`lyrM35X$T{3iDqbwIceKIO<)!D|`_J58(3UMZ*}zP>8W(laYkiJa4sZUP zj(YF&98h)op`J1bba)4fa?J(2IHFdaOtJ0_X`H{_AHk2~#)3CjEqOc)yr8O~qMP{| zEhhQHc$A?2qeGA$AurUrGjaP&x3-Ba9e3YTWu7N_S*<8dEEz=*|H!cZUov^ZxRZSmu zSjAT&P6=e^F*7bcQxlg*F}0)*v!SLQo}3qllx&%UzAD=sjqOYe^WY;>`Y;j9N<^5y zoto!mzm*o}DHf}+Mc#1tgSmug@#s>fjUW+P{n2EdnN98Vj_$%Q3mJ&CX9?dTu8lye z@(i2&A4OK}aayDaA(GjL#gH@*fhOgi|7>cz#bbmP&3dLFF$lO4tzgyOMImFA)y3g5i{xuXD@JqVQe;|AZP}c+}-8N4IQgPa=yRm<_g~51P=Mt-H>oGsg4-TBMD-t5B}e%CW6!dt$U-DSci zO1$(~)hvl#EJ!*=b^v5B6e*&eFDcb$G@~U2v0K zlF07igG~~GW|)NM>EoKn(F}5TT6uz(yi?zeI(!?h+4YpqlAEGx?vBufyE&)MpMlxS z%}F~}zf;1WeBS*0h_rfS1li!e1@wIs#~SC+Zc_|Ed6wD~bwAnYOS~WOy8iC7*A5bv z)I5x7pQu$eehmQh=r<0p+g-`pd=m~;^Ps>^^++^tgJ7f4=)D;9^Q80I2Kh^%YhE7s z2?UnQ`X&0mCu=}1yshi4LZeHo9vxl-XFLolD4$#D>}P3v@fc}bn)*}H-RNVSCR=Ao!vFw`WzO=`c-tq%eP+R~esO&FRSXTjQa(fi+z6+D{SEweihiiu z)ei->&F!JJVwWYfJ-}SXn6y|!LRtVp?8GI2daJu}E$AiAV#*|vQI9XLak5HLOwEM%8<=n6AFCV~;*mJzG z8Z{vEAq@GKwxLURwPh##RD>q|-s&}3&DSk6gpGUaQ}3*j;G^ezyAVrx4V2ZujA=`Gu&E<}_np(%o!hIuxYis`<=RtWYT=Hz)fbM zvZ=`RxZcXt_E9kV60QGH3)hYqx^#Yr(Lo#4@!Yc3?n778-W_Z=0UI1+>H~S ziiPZ1VD*8mg_XxRm2sadt&agwQUK^5WP~m#O5@JVl$%%p)f~HC4%!_Hgf$OM?ig)lY8R2C3Oo{CxZz>S4?c!; z(^e#N<0xl{?mC`4Mn@=FHt`;)B-_8>&ACZJ)P>C#%6(uHp4@wb}7HTwFYbmN%zHSq?$;s$NC;mLY`4d%_BGbHl z_I&CPolGBA=r0&2q3c0xg(;G@!>b@cWb+Gu(T`K{Mr|4X?LUhi`d8!MPgcLB6(1ANNcmRGVp@;Gz0dp;%OD(`Dj1yL zt04}rULasaUt&uns@~nHiGFt<&#J`A^BvNWc^cS!;)A6QSGNahNdY#ypU?~JJf?eV zNG=}fQD3V`Te(a)PsK2q?Y;t_XSg%3mJFK;Nwcw4h_D;rLYxgj6$V3C0V6J+>Gsv-odok;rLp%z8lDD_bk?LIZxm$48YxX zmfD3f;VvaH7(Fy6!|$zP@HJ?jhqJ%5_**>tSDy%i+f&ICTW-}txy%NJ$>UkiFLu?* z$gl3*c@Z_n*y16tT-YEgKl?Dmsw+$##o=*(ckD`ka%{D%!%V!wS$XyV(j1D-Y1>4@ ztcxY*4%=bN*Qe|@Juhr`Ve88+Y*KrDFt4ASAHu}UzZKJ!PF`-I=(9Ku$~&F20_W{E32XH$0V@T$78Nw9KbjT4~zH_kls5&Zpi` zUbk$WMONjrhyDJCIm*aS?E2V0&@c(=6Jy1DyQHaIh4AQvqAp>CqEL37vy=SE?fi4M>XkdD3ca`>= zGGaYqy{rR;WBCq5#tQ(lRAw&WL}&-Sc7yx__Fz6r#MmulPqynXgPH)+RP!kqA&EFN z8x3^y3N>s$4QMXh^-wuNjRMD$$Q@`@x9o|mwlC}H&q}j}#JX%=yj)+i>WKyO47JVK zBpG<(1Nx6*IMWf(S0p?=`+JUj3FXMH#cyW*zu&L_PM9oUDAAf(GXUgy~p~?6Qzu!n^QMrk9DN zzQ%98HTSpTM{_&MH|xIda}SF&_3q?$K53{LoAuqx8~=!a2`N^-@_cKcCPj|vElg(+F-$cCGB^m ziA_Y1d@2FBe845=pouf`{2@U0Eh_~~;)PX^&8mP3v<{@>$~4&L7`P`Qrd;9^c2C3B zbUQqs@HXc+L9_nlDbe5^MQNLak+0o36x!*(h(Nmm#mgX9s43CihLp;eJNHot&%aGx zmm#|xvUm^T!$w1;*{K^n3a~9kAfGJz);2BC^(wRmp9Y|(`o1`-rL?$@L9fgwmSJMohSWZKpr)@(m2K?4 zLwA#NflqldP}y2uQCV!*xpUiN(xL^3W>q8r3f%JW#$jVic)~F_<#7dseZu1wqJiaG zEj?Wo6R_iOgfADuhln7^Z&`N8>?EXJ)D}n2+)RF6e7G}OQ)S=Ngy8DEOKAvZa}4K4 zH&ew$&;EqlMy}q(;itXAJ1RgEdnr;Gu{b_UUw?!%5$gKOptY!Q?3l;-kCR}x**~!_ z1PzhDEBdVTiz`Y;G&BDz-QH({w%CI9H;Dh3r~TI0l0i$qRMrz)J5T8dxQq@Nr=8Qj zG3Eoy!tT>G#n$XKCM)i>(Qj_t-s0Ro~l)l@5;zA@&96h$VZ`j6)X3)-Ewx* zuk>bh@MA<_NFOb79@${;^=!4<#+->dJ(#dLw@-nKz2Vd~B7OYV&#}BcCi$06RK!=F zkiUBDnPr`nP;&!W14|*42t|_+%TG0&2(x2$rLsbbwJe6ThXn3{oV(PUqb1f*@oGZoX&J@KD(27<7)nCqxhLh>@THi@q#rlfHo(fX5_aH8RF>WU=?IvrwD&dK z>lrSLYedp&2RiQe=uELhUb=^0%&oYXthwEH%>r%#CMj2;Rd^=`Ak*u)0_7H17@IW{ zMgq?=5c1>-{GU;LpdQ~WX_8rS$PrQ$IOW)Nn$>2^Sy=ur2f^((eM< zr2x$Xu3&JX)Ry%O)RilMoFS{6?XI&(iwf7?TfH9c`b>OrYZvXkbwA%}eFU2SaBRdjG509pp3mOXJ`%43 zN=HK@oXOg_r-7BP&en7!J!m3HID{KC=aNdoG>^+}exPl48s4bvI z{~_kizq);xI6K;1W%!U2XFSOiCH*3fnVX`HJu>-JvWgUMLJGV_I_KW`iM%ND&`dE_ z-mP@s*BJHC{w;2dK|ln?{Qz|&Y3mAZ90dVels#Ln%ODvpI_wW`?0H>GzBD2H1Sdnt z(2O#oM3Av=?dvQ>F;Z!i-&Xr{n$|>Qn`?`z$5>%NX}LY{wdw19ce5?l(H)i*jkC1y zzk*iuG6#$}T=73W@!Lpqc9ajNy$z=ZyO{xlq(e{LN_pl0g=ff0uYt`J_jVIM+`cTc z<6DsX=P7GF1P_cZ_BqIsmP8=CW(>_{_7KNjyOdf-M-?&h(Y=z;S`IcoFyn1{@hXWg z1;g{{w%J}^6QW1`^cOL*bkNSGCUS}0r@Ijd`xV3g-NAFvJwQf&WpY#Y)UWT*EVWtQ z!1gYh0!|m`Sq9drtq+yiyK#^1U?iI7T|oytIHs6S>pgaI8s6cdp4{X7;;S1V!krZs z0W9~P=e_)e>x^lq9Ixk{;11WM2jue~>tIXhdB07@ zmhRUDe7WiPH#HT*BwP=XyPDkr4_khGv)Qvbg<~t-b^0;_XU)F&s;j!uViRm~YpOKV zJ^Y!wsVr_{V_pk*jT8TJ3rfz?;^(2eUl#o~>eT#jE4cETfvhgd7ng!MZmt&adp}Bc zE1wLL5<9_~Jefb`HA*z{n)S(DLlFwoWOCR5O$Ic=t}GjgKYg76WM>!}4mR^wlB_U~BwUq5AXiMw_+e_{0$9JV^J|KddW5U+~0 zBX*39do3i7HaI|X*~#Yvkqg%DU8eGV`Z`N^B8j5>aBFasS^131RGE+S1PnR9NHj@7 zq`125Jsv=+49YHkEMDx?;LxZMn&}bm@Ng+|-)Zu$m-m0DV%(&bXCj6%SzPWLdL|p$ z5I7{@fU=!wWbn@=C#xx|JSO{Mj?(Arz@ZAt+_OTmY!1KH#~Ht!N#i}|!yM@1v>y>$ zjb2^ca^)FW>i?n<;$B_)r0*%HCRP; zmZ#p^@Gw$m68$le?w3mGYwYW`MwOS$I4h?HP(F@{C{G1qA z0wnuH6Bng3_8y#I2}U_i^jT-+JmI?JAUWa}pm`E5L+5+@)VpAYiPT5CXJ0s8uuxRd zZ1{xFn4=a0#p!cicL&ts$GLfgJ11R!S@qi}7#wbw`H56gY*^N6#qp6@djheYAD)=$ zy38jva?wJR!XrU~Vvpg(Lc^I=vI*`_h~`)$d*TBRnGY*~1pIvJiRZ>&iwcKsb_E^{ zizes<>lPuu`KBEvvijeec5` z3_fSlP$21l1S*@g5V+Gy_FCa*oEuF`Xc0?|*14&2A!5os$B$Y(@gJ|@xx1zuh8z2m zFRa(>d(L4AAyX2MMt3u5CVs#+uq;_+!tXI_@>@$D3w@C*Fupt~o(E zd0oZTBKQq%UOR!YKBjQ6iCwr^A}i|saE=1usZ)~cKZ@!@zq9@#>oXB#T1DZ~X1e0J zHki!jtYpoNLYuW{hVah>Z3QGn5u+^5UYKSE>GN42R$TT{u)k$0J%N#YDW*`A4M=f@ zvXSdXEZQrpaY+HBNGsqw^_q;I%W?8)KUF8rwJSJXC?W7R{Vo&W$mLTR# z7=76;Gt7DK$^JfR>c>e=7iN#S<0UOdQ)>@8_PajUIBbIhMuYFquqexT)1RLQQi<-5 zi_UoTp_(mGVLdsiEoZ1Myrg)uWgtFoi3M<-?j3U14ZrPjTLSFjDdGqs7v#jp}Z-aoE>!lE`!5+cg<S{V=Hxy{gHODZOX8;?j!_Adm zMb5(zTzgXYEu9pEO%y$=##IkHdMa0L!J%?H6L-PbK2(0=*hvB3T0!hwm*Nj%(?|%e zMY88c2gj5`*hYgQPAK@{2O0$$b5FE~w@jFTX|sbnRdB}zAAl@k%uTk`GPu^dRrt1ch_MWGkZ*wt zY_(yI)Hf|B)I5|BalJ!8-S-<1BbE5Jo^hT`=~b=88JDPb*7*rdf!`L>awfk3PFMW- zT;zWj)4v6I2nc*d;V%W_g&aGtuG8AR7zV=B*}Lf};%qz|WE`-XWBg&{kX#qX%nY#2 zn&lTMQP(1e_gH-jbeO|BIqz#SBztPjX1p9mZ1Z!l7SSPhT#1v)Y3i%WO^qBd_b0fQ z<=d7PD+(MPYn5?v!=7#Y0_Ti$9L8<1Uxk&)0^qJemIM8CW=X7HFa0$)MRnV_sk$fT zK@(O-K^6rDqh@pyL>E?bX(wwgye=oJS6+1!-vob?&f!3N2De%p1LuTp%Hg{WuD&4U zCz&1P003$ouQnb-N0=cO2X|LQmrVc+TWIV}3AznHV^s%|16cZWjcy!aeF8#ikeVx`M_5Zl6k0JbX`fK&% zKc`Qya69Yk$up89I{9sX$e2??N#-XFI}Oa${qA~HrsNL-H!4JIxyv_(5A#Zog4gwM zO3p5Yzsj@XFvFM5oPB0$!l`PC7nfDCv-rLypb8P~-Yd`UgdOMZ5Cxa|F!9T2v!WEu zUcC^ii*}A5UOBhOsKn|DPXy}b2|bcZ@z~!FU9hsK`m51C=r|L%_CtR4HBaLjn!}Kp zGMY)|?wl5mrP0}sUwrVMedoNp{9ZR-cqnBqU_Z*$UupBkDE!4tHqI{ckiGIF+Y@VA9n-6~J# zIV5s)bv4b!h5S?!a$evGS*sp<@RReW6-~-VJL>%cS0#Kz^-P6WuZ19Cv*0w6^<8Pu z%PT6>$DIjX3d(&Hw8!$?&121#ne%Vzg;SeveAO=6%U4h|cRp;?^_Q#^AWLi_Rbx%% z6I`uz$m4~QjCu-W9Vk+Su*?AlizX?YUirBxB5gSzLNCme_F7vLjd5XLR)7??CTL!4 zf{>fgS;hX3v$CN6EyVq^d(A6_^2h`!u%P;nCnINaiAQ+HdLX8^%2=Bdm-?3Vln904 z$oVPJvU}_A)>OIVmDeH~o~diahcbKI?Tgi9NIFMoE7EfLk<5miPs;@u>P_S)L8kzn zy$3kj_`~)T#39|mb_%2GVF*?<_6yD8rb{Sq&joy3tLLTb=k#3#0D<47X4eRzt+xF+fJQc_G7h{0Xe4<+NHz6>< zx>z2S%MQG-^Hrbzo@W11m$b1#T|azPQtE%adjC8`Fqvl~lfWW@g2g};Znu1YNT0J* znSOHYLLHN1fX1h1;znUGu$Ez&=K26h-C(F?LH;9d?QJh3yVvSGvrT2ayHW!Y#K9<| zImgdS8q$(wGx`c%E~0fK3>zW*-${;zDnCXB)5iyzlM5esn_9a2wi$8-cZO4&k~uH? zAvxgEulu|STI`_G!Mc!P_qW%lLPuz;cbkJf^EcvjG zX9=Qh`O2fC(q1C;HQuP6T*XRFp!|k)-}*wA0YXYlxZEF30$8Xia{-)8(`DEnZqwhd zlRF<>x_0M^F40Jf6YKsWU`*m}m_pN~Q7l|iqvPcbTGmS5jUa`wi`0ufzEKv^F4&?~ z9huCE?ntVyL!`bj&4=OT+u7DxNYo64&%_djGai+Jp`M@2iw_c&g1YhYvOvOa+)$?r@uP~nUs72=Q-l!m(xDZK#avnDS(ZbGI&x}W3)z{{BTPI_b8cv$ZZsre9`2p zr9(}eD~LeTz_Z~pq~zHO2){85gw*whyx3kEn7s&EPS@xUMQ)N1f$K@dspy0VXko=1F$rR7jLJo-Nk36 zM)Q`mz*7!`zJ@>eVr<{>x!wxB95Pk@l*oVyYtEH#ni)uMLJS)x2ea2bMeugyH6QWx z?2gAebX*apG(9O09T8{KQx?DWc}yXecq8v!lL|X($~@|v)v&d-ObEG-btDo!1NHR? zCEr538gl1_@r{>qnJI#_K6saS)k?&=v{tx|_bZ}lc#liYN*!rM`w^$;TwQnJ;uHFT z=R+`=w*{pPgdrkWBKJ4DLvut?wf@+w=V@mLUS4J68IiAxnfgPZiRFfh0|g`JVwOLI zXK>R59#S}KcN!Tpt#lVgc8$SWxXs=OkdbHbrvaOK)C_}v^UE87?$$T!m3hJ<%JIUO zRtxl=+RP5T>vrRMMEH-{Yiz&Iad}Sq@8If`^?}o$qyJvsxXeUp; z8`Gvz7q(4$AwF@MJ-_0a(hN3Usp)${Xv#^~WZvCwY1#*VN@|W7rlXl+EVw%Y9@{0S z>w379WK$F+%?x={$~J{dGX0qXMi001=TwYOvO0b0$gf$<4=3v28tvVIs(aF-@Xt0a znp@KmJQI-c(sjr~xD4#206Kl>5rkSV_;xkx4K)9iUU3M&rf-vf2O{aDS`SiXgE8ER zaSwa~_k@huk2Hrr-8ebu#*tNJ3yA*t#>I+2D2b|%cDr%=Lx!Aig~(>U7Sq)|tvP({ z^@SiOmw}}hp=Xpc4r*!g~U}ijNCawt}yzuHe0+QqS4`fW8;Q@KKZMIFrgv;;Vo}27C zrSY0Axh|cYh1W>&W^%4ex51_xi0s2#E1^`y#5=<2hW_2YHj=>U4*{^7- zsVr&J^B9FUPNZP4CA*cu*?fOE7)E2L-1i<;d-6NL_qSWxWM0Ki@Sz&`|WQ`>#!5Cuntg>>S zu+S-ojs5IULw3$%ug!-uX>9fhEdHDhAd?oQcLZ|>UT9+p+Pd?&Xs_LLr5rmsy$yf8 zoX3lQsQ=LI`qa}%<<-0avN(WQHjkg-_XWr|%%amUiuYX$v=orR8*W2Zm zT0fWuypgMT@KOP z{mqp4_@r+xpF?h@nmES@OvEv~d3n*q3fHV*_D1Nly+n9<<2)~*NHj=a>6!Oro>tW= z+WLZ)wPNoh?v6_%>5*v1A@LN%GOB7Jsq%sQxe2q3X`XJ(te>CZuv)o@V-tPd`m}JG z(kLgZ4^k?P^P^#6gg1w=wAe(5RvM$w57LUSL4brAUk9AuNF=(p;6ZmnRG?!5yGaQ<#>x8&sOf z)dD6^-#X5%3i(Z=kqTyiY|jkzswFyAVFH)_^d4(M@9}-(`_bqBaID~>wml;oJL+mE ztL9#@ZNwGf>1;hD`Ngm}hz{3f+w3 zCA_>ckM1$-d%YoM_BcQ|6txN)5KJG}fbFP{Smhxo7t<~frp zOP@X&AAF*0Q~MZ38!Yd}``s|x!AW!Q2eFyqw%O0)R8stPgb8M1d5?u6vlp6n&Cjgm zVt5jT$BbE;5HepDL1flf^Jm);d6IzaZc5)g{Mj#s;@S>sSl3F{0tYD2qF4!`d8Y#y z)YJ9f@q+NT6QJV0#9luPp-LQqw3uFM#GZtfeWpb!9f7p-y<)+o)-C$2wq8bd`GP{S zxXfdim`k zn3VH8fD3zdRT=7oX6w$_UGBA)bndDzuym!$1JjIfej33@C$o&NY*L=9{6>PBTI4c? z`k4IH-0yP=2#*&@n}bo_?%H(Z(~4!ZM4$on|Ar4+giGrJiRNl<>R}9k7dmcrYnN;( zBuw6_Bv5L1a-cSULOX>k0BGf~2Z39CHd8o@Hu&E{A3G;j9=pnCt;>lJ2TaHIIhdDq^q|<`MSrW zknLRSELGq~z`q~#|LNT{?j!nX%Z++!O-D6*sUt41*H|rzAzoe3OFcT+ z!8}AT?q}#TE4H4{`Hc{V(6;lF$0_|-5zf6Q`r269-P8qW5y%VXh6`L^&e|QyJ4!;S zA)G5Od(SN7re4}^8kLnGlJ@gbCe5c5EB}jWsh)8k;7Uqr4sG{p$q_$#syBbB#z4Tf z?8^0Bb;AlEzW5CT@WYM(8~hexDMF~y+hP9RvuAwC*_|H%SX9!Di+%UCc}70R7(PTe z9JEm3mmtz{|B(yv%~r3zS5hf0dTG~jOSHG$oHgm7Wk%zg*XmwL!%RfG0-lxS&6Pi$ zZznUvSs}Ex_xz#MfZC;t7a)>&mEE!Rum45}^w0)8_7Jnqk!r`7P4 zXBO)$ibUEkkA#IvPO)ls%b{JA*4@YSU`P(Jb;EenCPS;j+5ByXTcgZMc!%#xb!ABQ zZB}ty#2vxx(ua4EHj1VW+YhY92gopGrB_whnk55X0M4aNv`YjP1sNwO=VeL1XzaG!lIGSn|R-P>p=9(lBi9{v(6Fl)ZRc)+|NE!yqs4cJB7{?h#dV&yV6YhB0t+r zFw%!iqC94jZJvlF6dCC{wRg8BZf(}tqj$)s_gU?%b!1$Nn%?-2t_OPH65e8!4;VZ8 zDy4mLn%+)F8>Sk#?rBX|%#zZc=Uof9S`agR;0HnX8Jp6aA+w5y0 zjw!zJMO(U^DQ;NqGdDX913oW0TJ4tV5QG+c-_Lnd&V4D2)#s{AH2@+L zAmeljh={{hVLO#qBDWC!03h8PW4`~Bbj3qGGU=}z8 z(&Lwn4;Qps0V4kiSi+KX$I5uQ`r5bw!O1uL2ttr0fH(_5{T$b-{^w4Yyak(^Tmnb&5HQe@Q#}FrMzLWX_2h@E$;`V#oJg~bmc)ud&#XyR^y#->z_i! zn8^~h+E?EcCFecq_wH1?cSze%8@3)r*tjhucjV|OkmIfG|4K0^t`n7*bajr(4rycaO!7NpXI{j|Kfu=#&$-*U_heG;7Yk!(Q^y zUUDnYQTx&Jt-An-T-KQkL&*77NSL5tJ~ciXLKB_5!9gaC`!wxb1c2XZ2M}JFi+uWH zu;A4ub~l4BIr)tjUUF!1cfQ5$ywFKJOx*aUeYB{5eJR(tP_y53(3V5catuwZpuGm3 z_U()6g8DQ^X>MniQXb3WSue(c?a03exX$xX@LP;;um1P%{ary^WQVv`3r$&zPWGrV zrn@1KD=bCb_XK4cdNzLZ%@+MQL)2WCBOk2@tr5MXOtyLQNFXjzf{cTq=v~U7F^=Kz z=dwMbXs(6L=gr}}!L;6KU9BAxYCNGY>hMF96?&muP$XY4A6we?P7S13mY1bhlx{nH z|LAc}%u++#Ou*wrV5qcM(0c}Z!P_ECd`RI7nB3KH^(4_)UR;Yba-4TWLJ76KGi{m{ zwwQm(bpxzR=R4J@C$k%{Ka{ygIQrnH?fgCEhg#4FysF8P^Fi+VwnbXHUdu)N-8L`J zKe-He42N7hKqv%RMqGiDjR0$_?CjzJ>yx7ZEbs&YIQ5XCuO$NLaAs`*52=u72JCzLWf!FOF5jgX9z&A?2d|kRp%Iq#Y?ZjC|X?;B5Pl~?MF!UEPs9q~ zHV6EBJU52zksYu+6hk*jjXZqX9w)l?K>!=#M%tT=VNjRw<%O$iG=lZ3&l3>%GzulN za;rVzn?Dq0GvJvm_b*PcyVYk*N2;PbO}vS6#JBv?B!@}A%{Zj}WlqWcQT?S(aWCus z*;OMkTxHPdmss(KczVu1obyc>)DchUcO?C%j`+B5nPO$ug5GKtE!#z`?Rvr(?G~-; z!Hdu_LGJZ9=6n{7v-xYU3mHFLK7S&gAx(G{wb0{e z*u!8VH@{rXWo<6r_;9RUghtA2C~s5`pNB9a%b#Ki9ws&Jh;+-i6Z+b3p0441H8R@t zVK7;Tj1`n-K!fQEbLyjN!0V3|Ld~nbtVm~4DwW@XR4}Ak!X)P)M5f-|W@mjHk)wHQ zp!4ehNqOtHwHj>~tV3k|dGEbCTAv5%h`p)xDSp{9HlQ7mvjWtx4Xf8)3Khnt0d=71 z_x>~&@Zpc%1u0gl3RQgcp4g3I4MF1aJw18{w>g<&(_J?$&cFT&U6Jo&EB@&_(l*2F$RFiT2V-e>h*F@HVj_E0Qf;fkMp>P4sW zF`975CRMexIwaXO698XenH;cqSl)Qy#++#-yh=mAhQnpQGoJiI*kMtbm`3#%Sr^Qr ziT($~;&ntnp+9Y;L`Qw186_$qKz~WeG%>;?fR) z;PMde-83gAc_U%=4PYFY-=4Th$1~cLr=HK*2 z3N)A7G&JrFS>H}C=1K|P@7P;At>w;gW`6?l5MtElmkD?iUO+|1{W5WdhGZ zEqCYLFq!WkVi*v^BLDmKSPYYZ(XPk^kLq!Z7MEqkqR)ovmoxLuA`e19u()*ZrFl@>=Tu z3MVA%`8>o42@&~sP6)J3XOE#M18Mpj=p3IwR;9%w*K#WzUua!dEQj*N3)J=cqC&`^ z7lP$+Mh5hrs1TZZ5sKsAVTV|bKwZe1Nkr1+5{y9FZIX>f%Z?X1&RfQaA2VL7v~B&4 zCLB2U?!{ljWv0y~J^~_&vTx2u8&|U(M2o-CdXlse)}&?PCkKw1E-&B@x4kw*5e!6G z_6EMp|M3aPnVh)|2BJnrF&-|cz}(cg56E{Ys%Dw$)co}MX3wzyr0JzdR2E5kC?&b& zF(oqYpJstJ+b7}Q+0%$nxX|sV>^QXb`^yA9v?^qDaLmrr{r|Xo%djZhwrkix0Z~#x zB!)($LAoTQ%cMaGk(Ta3rKKCBlt#K66oxLzp=0RoA%=nP7_a+&pX>gf>wUgI-}e4^ ze}cm%oX2tQvG%pEg`LQ!O9A!qaOY`Pwb=}4SPfH`OXTk59^kyIrTMmmW9E)dl|fEW zHpI!$pNx}mltkXH;#I|3pL;6b-rf~Dejg$VL{Kq=e}mkgV33kC$nlM{#3*yy#d9Wl{P^ib1Fj_O^qI~6La zmA0-Uvs40wrIJN6C^$Kds& zPl;Ib-flRqINW2d!v&JcHt9F{-6I$3e_R(47GM9Jnu2VX4Q7#sxU_JfC$H8i^4J~jZXDj!N0`2gXHdzN-t zt7?|BvwTE0jcD?~r#TAw?rZR{5Y2-;VM4n_LEyo*mVMNOKSH4Vu?2v8=G{CIHQ#iwSfudP|^mv(R z)h^%$RexaLdaiU8KHQ;9gYZP_%(9z$9*Ere$qbtK{o|t9IyPWpK!CTpRds12v_7VW z*#k~*-LBjS>gLxGJ9v8_O9Vj1hw929|L`irW7HA_re{AO$^N0x!W6W*n1Xh8q{84C zq$tamo?-9KXF}uqr&_y#yGEuy_E^q}wD=-Iqd)!c(1tz0aa|q$_)$9476>0L?4aOg zWxVUsashJrCSq{*lF*tzeDLRTGh~i?3lx17%ubHxk$H2{fDYKVr@Wu%%bYMXnDgtp zX0Vt%`tuPyyz-g*_1iqRpF`C0p$jPS7Ife|EjHJHp3I06NZ&v0beVsfhRE$ppMl5ylcy3G+%48U`kI- zMFdzV1ugPh0;evOaS))enOELY#DeHmfLS|P0$M^;)vv*V@IJxiE`bSX5~#PN7;L3h%$$ymXhuI|(&r|MuIt_dAt8?7#<1`kseHDvef={3pt zKTLhr7rU`-yd40|SUNxG=fp@ewKW8T1*hyy;0EJ;vQgC3m>ld3_HOYlW0rI>HP14RoD|}zO4pFUgFO*@Xk2H=sXydF-2@xo=r%6@sPh-J^)L2 zp?DG-;$&2zF+?MqNWbyv(pb!J;2wgoM!j(MKI(<^g@%Eeb9HAM#YG!wU_xx z+HWF{!(wX#Yzd$e)%|k%Vl0r^?}%=g+rMT5z=C$a$#Z=V(SeL=+$r(QGhUZy=9YkD z{N_#<%;pOHn2Ljht{m9ALaClAxD;AoaCiGwo9>cJ=-|h>>IM9M7K>4my*A>)yyS`t z;p=1!_1zZYrNFX>RJDcT#iL(#d8T3wYz+>VCDgoj&25BxOt-a&{{hQ*a}&e*zU{F# zZubw=1yH#bkJ0~54sce{+tjlsW8(}Qz}^mraXXx-^~^)KiC1)q_4w|%sGKYc^cL1q zG6^a!B8+5yFX;ekf0Q(V$MD<5@7PmJ?h!50VjC~wF51SMzTQL+1a2Gzr&EguemSh- z|BJCa`j#Q?NJzWtD-$!@`@3}NqxSQ|@8$z2b~6dRSD7^^xJOql2;f%&=EoXU9jng9 z0uFq2u$!bL5W$&FoQ2s%-?wWEBss)-zBAb)$cZ)ezcL0Ce0eVpha_@cSo$qo;S_WNcP$nEX=#_-58T~! z*LjTmf6cM}g`lUtmh-e@HxPW`D&j8t=LkcC6MP**5bd@Yt2p}f@oJbn9fdBPpj;1a z$NM64l1^z@$BSk^YmRijc}9hA>D0pX++S*XP#7+A_`E2F%G{ac@?Tu$fTzp=6?Z}8 zx8$Urp}(%C1MU?vKkL_nqqm9CV=jNtzhXSw`BBH~E%v`)+d+IcA#ZT8oFrwknLf`* zAm2HtjDmEEq=DEaL7413wSsRs2GHwER;k%k`PssDAFd*42n?yfq9k(Wg2>haa8*=0|kyIFXBfG{Jhj~JwOg-dc zv3b9Sw~>cKFtw~V)&#ESL=9`)K||OsQBAtfE_UrY+-J03>j#GIz6UeY0YrlNKZFG? zF^p8n;~hTmiMjYk|L_S+l|zYzX+7-f=BOQ=96bez)cV4Ggs;sL?$PW90NqqU>JzyS zVJ`8Ba-x+fsjw;GS5%9dsSyv_zSH*&tf{GZtiMXmCUruMrMg%SOXW{bZiPXTg&QDL z6z(!}S~aBW6LAqW1g@ej2j=EZ8{DbI>Mn0veamP`TPTSLm&X`m%}k{OT&?dWUP+7M zyy8iP(l(HyqBp#QJ_Oxwpk%-f+$wml2atYEJuNqXol!>xq*59kSqNnNJ?2*P2rvyn zn)Z3WVW!r~1@c~WGr3l=oI!U#ttrBEGH6sK%K(abWjOk8Yrp?%r^C$u&#lY^G52Qs z%l}~7|5vq0E%S|9w!$=7Pb(F*alJi(;oZnZ^=Ei* zVTGxp9ae`K8a7}pgU~R)B}vz#FwO(!c!Y#f9mW;I+lhCybByr0MHg$be(;wx*^fTS zcXC+Q4zm3YQ{i|S!BK;a%Zn#F#f67_YHs>i&7kQSIyj%~H%LD6z4o{->tsfTLoTlbjp0VMGx65>ZcfcOJUM^>*1yll8I-u@P~K1@ndPb=C!<}=&tYmd4gZb zpDiA5wq%8sglQBlzs8gBVCZlJEba*hA(g(p$)+7i6;H4VaNp`sDx0GjX9o}e9-7E= znd{N|=r>LaAbP!K(P&|>vP`VTX;EAm5tyhM|9P1337MLhgHOorl`BC4enL(@L?Y=& zV_f_O9#{MA_U-V63kNkhfjc~#RcFDjiJW+zQQ~p8r>E0`MwVa@Gt$U%Xq4M!btd?{-opW z3vcdHXmOZ(+YF}KICosZtp%sTi@OE9hGrs3>LQ?r255d&pV)5$;Wz(GD5}o zOBBA8S@Ts;w_RuB>#UGCX!J_vhonEzuA03re6)MoOf&K<4qF0I+smjAaZULl$0pv2 zE|%MzFk+?7`uj`Glise~RY=XBjzCc7TAgYuC3=vdh%((Zy8%Lqv`5#B{!2 zs~~hU?>{KV{KF?O-4_0}>5+1{Mv%sk;&X2~2LFI(rG%6jDM?JGKfY4Tc6k_r5`LLP z%?dPHzm(EAxO?V##tooRr?9WmcZ}H}r#R>>1%ktQ7q_ugQTJL|S!yhZyD{t?b-G21 zz*K4q3=kZTgi>&!6?0fa%ec<;*1w7Bg5DX2R+~9&_KXV(zc~in#omJ}jPHjT;vOIi z%%kSDVUea@7KD~}3=eq~Gw4V8c)ltT*yjnmNS;jFK!QRK`HH#a&L~lJ)TrvPCG&GX z%;b~hNV6+8i8BZv6LYCXN!ISt&B**#wETyN+JjLQqUcTh|BSgZ^%}$Dd`C5P;&y%v z5l22%DF(i(x2Mul1U0gI0f5{s)^CUK>r3{^>Gm!j;d} zz7F$8Wkq>VX6;rz_ot>pzKE^9$O?fCU1qF}R>GEq2Au+t!Y&$TMb?Lk4tM+GmvVKg zB81oai}f7e5#N0MsN^k|uqJ^pRo|11azXAl%)Z9EEJ0SMfvnd*3YX}lrPoKZ28G&1 zI&>|zlA=^^Q}Ji`I@r@GmUF66tsMrXMCrgKE2Gp_OQ;k?J)fzeN+OVJ*`BUlnME%` zJuwcHLyBX@Aw=(G>iKSZbS*z1vQhl@Ra^QS?Qg>OIFGR&T)Xqh@5#Tu-29F6m~O^H z)r%g{i`~98(1n=-Z%+WFC!}CGf0o}*{!dpp>8zN)TOnRnsPg~k4+l$rJCF60@4QeI zvQ!D;ycbDc7=FDU$Lrx9@fPD`S(k=?D1CjVuz{#3<6A4%DR#$JDnV5T$_#6RBp>_C zhVp)=jJ`NBl*6FhsTt?e#ISfWWiEZP%X&=yjNh4=LH)J_mC62d1L|Bnu4*8L{awzEHe+YNlzuBaxX~qq*>iz;Kc?HB2C-!iyx>!zF?k)2D*lbvUO*s^L%vGpUysvr8Yh~Hv^E(i;r9x= zb}}x9)L8@iqkb7bJng&HrvPW*o$G+Ve+F-AteY6&8L1(~*^0NS2kPVN`hc731gN}T z$H2Uzei960Ds^b6Pkv$}jp~5Y!mJojub8%Oui?9$?}5FF(HC^Wpg*+~)2p)6lGs$k zdMm=>M3!3PUsJd*j|?tH8nzvaHu`{I3^nuR3Q)%^-vgr*NgGj|iCg?3}4rdS8WsXgoIh3BbrbtWS?scd@;e#}(eGMqOZm_dHQ0YB2fi1G+{#1?7eMwc&~F>YG7^y^oz=c9N>Hn!yPO91 zQ~Wc^EHk4535Kpdg(Ap}Z)R-^;%W*B4O$Lwb-$pVRImtRkg)xJ7MkSZdYG0dsH6I3 zqW}Idn|hVfWCqNg%S`bie1qf?)4RY0_t z_4LOY-`}sRCi%6HfGVDI?X5qTzc>@~f}AFOs-Q!70+Qrb%4v@&G8x)upE5MP?NpWM zcE#)R*lSj(0~=TmY_Dtd4=)TeeMQ{HiO+5TK*RW6fLy4=#mP4CXW3bpTu2oGZf@ve zYGkp$BcKd#^7Fz3>gVrFgF(S?OwCc_?3siDm@3CPnx?qEGdRac^i6{C0duYsnZC>0 z79%19VZ?0l8e#(V993p9wX|ZJ7ioUaLn&;-3*W78ZUiuh3*2cbN#Eo z#eg@7Pk-)Q?4ziOc9QILHSu-nL>aJENubXL87J(^7Z>hjQU>OPDv1o^{d#CDhFlen zZf&d<-3nqZ&`n~GtVS-eFq?V3SiePah^yz=9P_22T#b1vC_8zMwxE%V-*+7wueKuN zj%zN&oh5IwXhW3>exk^DJ@@261qD?$;D9zvhS@j z7-)6*u4hmQ50Rwax`23(`m{sN2}8C&+oSCfQj1yyqivUC41s`?bOz`$CTC1U>0NI2 zUs%2j{aFPdrI5iEoZwkxWz~^R&Ml1mdgx1+pYEe&DI=bnMi7dnK$k0O+4x$rKO#wTLC zH4Yxk#@d>B{`F`7dFkIc5{+$wgCFc_UD~}y_&m`?AE)^#aaRj-DIa^|vqN8o`K)0k z@kqDO)lwpzdA0$yM5rdSeq4JfG6EHyDPhU1m*%OPqq?8Y8Ya&gB+ohoolqoi7$#A3 z-#=uoB#zCWsoWn9vEF3JsAJ0&X=1yc$XXIb53*jQs%g4Ll}21H*_E{~*OkQ8KBy)Y zS5hQO(dBnrd?Xusr6FcTeDqwS(dmeBi&aTv0GKBWleY^t9P*ho%TG5}msntza0=?C z!;S&J=miB)5luYUBD2TMkzp6BVYT#OqIR2R6QqGIfZldFE`}fq)8wL_*~1rF z48P&3pbHT6hPW2sykOdJTw^M_K+aP8{A6lHyb2>CC*Ec7r5anKKjJ!pXtDcIo`Kkp z?1DQK{0*fP1>ufrT}n zg5r?A{}n+*0KJ>8HPFL!!f14bDWJ-Du-^UhGGVuxuD~2^t=x1X&vgI>UF9*cLm`TFP}j6TSLFNv^S4T!FP{lBIJ=LAbnr zBGG(=pXZyyqo4mEN;pNuHNS3vOvhU%rUZQ+gw^p-;g4L%SKj@M9PM+bgEiz~83mF%(t&?c z(;O>{an3SGrale`{!OoCr_SgBL!2F#bGl;?Qfo1UQ$8#_M5QQj{uYPBU5659%D?5S z`rMAKpFIhgUA@@nyyWS;F;4($fC%S?^ibg+s1^{pp9%3mo)~o znu_Z4xDL^W0X}{mMvf9M=Cx48SB6ZpB557TS>Ru_Dp&iq#V@72x~pY|wnr`K5{cht zuD>uT;$-FVw;as|`P56j*Z7KUH^7vKTB9>Uuuomyfu%+07MVi4g2xoSa7E*p{D*lK zmh{xKdDfWxXHd)1r5l-**}(<789ruBGVXPU6?sr8;q}(ndJ?w62s7#UGhF|zdohjZ zLrE$*%Nu#+MQSYRBFhM8|)FHnEp!sO?B*T#PQb)M|On83Y)g{f9QSiY_l z|8sg4GNP~w3|}I-W;#7gytb~5uW+CN*yXKO5y`%*I~!41G0^%`S#f%ucB4LH(jnE3 zy)=ekBhdEOeD2rw$Jy%3#$8DHJhA%M${?@t~KqznC1_m!wxg8p+Ko1x0h)wz7 z2?TPy0(8or?c51nX*4*EF<2wK1AqQHD&z5%-9@nspIgHE zZ7Q;bP3Sn3<#I(8RZ^he<%=)XAAzUX_&5=NOD-}iia(}Re}4p?qMpKC7G?LHhtA=* z0%U`GTYLZ5N@s}lZskXCIHXrRzc2w3=&kUtivQ7a2+@FWYk#FA;jj8bhY%ENi3BH; zcwp@lGq_PZ25(Ze$mRKg$V?_!Oxrk`d~=a{dEnJ%J${PuyG!194@&MW=*}_J=Gl{e z(Sx3CjNX{@NS=O$I}n$x{kZvZnZM5KEZb{+QhcZWKv>6)PG}k=)h*l?-QzcYRu*GS zuxGPD96r>6g>KM1A2m2{H8^~Vv59DRA6IV#YPe1qvE@2Ygw;t9R)yzVJC!9K!BR1* z+nSl~fT}rw(Xm~x!r`02A$aeFs`8p-c70RVYh^uzMm1f!A7exirdNQl_BObd(5lM| zlyl{%%<2PEkxHMwdzMXrAaa;84G3&u(4ZGOUBaB0TAgoVJ38+1Q}PpOMjp}4ODi3^+I(~yZv;v z#gloA1IvKp1!h=${9M5Dwq*b5G??Ox9JfO*_aMiQDis`6{iU#H4yUh!USdeT)#+zp zpam#$rZENRvx^KI8_z;ccu(@SL$-oB-hR7Y*goMUM(EeM&=WokthEldouMnvXBOt4 zKJ^Bg$txCSR{?7oF`)scy1_zLo$VP=((X*=SgE;F)%H*Cq|g_NAZ8rUB=8>I)YBeu z{Y%@BwXoVkzG~ppr!VFtO4#g~w5Ww~xO2oTmWjZtS6VO*c73t!I3LH6E;$?S%|LW* zW*ZcB4owBc?p^lny!`M=s|7u|6i7gFif(oNQ%e4@}Ir6|&ldRCOiJjJua6Sd9xdE~75$83Qq966Q0Px^i8J#**iBfMp z=>@)wC?$hO_J@*;y#Soh2x+Zk|7zycLi)(_j29qdTm5cQ6!O_Oq<4xm_#(U2Jp?`T zHjP0lm51ShzfLz()J zr7x&~8*vVG+m%XMHChIZN=BZ0tr8nx?IXklf%u}3k!ew&oDK>zzuCtXDs8}!aaQM> z`SV|-R8g<*aH?AezLNVXherax5Qz8SGi#s^3RIgkOgL$3q1rB{m*zeiv!YmT)L&2U zAHKPgQ(Yk8?ed5#*P?XBn43HI!lDUjVK0-LFfl;1d-dTAugA}Z(TaNh9s@tfy$O-d zb8c%=3JehP)0_@d21+`+(;(38UgvUZq20Q0LF0?#%ZpjD)2nYE5)(&k@mQt1CU596 zKgE+W7D)L~A2+=h>b&_!lK5pPj_qbiJJKih*}Hp^A6H-YKMTjonsw z`KQVA7xj7JUD!^UtA@61N+N zM(H{QL?22m5n5I>2nsyB%i2zH63 zH5sM8mF`^~r0oCr-Bh22nA(?NT;}H+DRx~fXh%Ovk-Pm*;Zz8E8))-)7o<3*GsEp_ zDQz8GcGf>fkcCxpP-nY$(E1;4(UZw$wMv{tNy#i?$}%)BvA(pVsKbmHZ&DscC(cMA zeEfl%OA*`gWgPT&k=Jo0FyyBBsmcYY-np1K9iapl??Re*Q@en={-dI33!1LCvR)qCNhGSqVQydx1v{b zJS&eF(YQYyMj}SD!UKj(G(m=X5qE={SDvh4kNqklARjO ztE{KDr#*L^ySKxr?Xyd@hfQkK#V>bO98F{0QqP8KrZt-OXH85NvM#UJ?b!BilUCJB z9#=1H4^A%?3g~N^_2p891RP`T7W#`M$?KrNn9m1vMp}|qOY7=9+}u4jYZY=oGx{-D zSL3_{stkmejVh?cmPpAL_OmO^BHpixU%%sI6t|1lb^m#t`ghT5eMK(|7J<&4bVczu z_uJ?FA&uYMi#ysGAy^)_HI>JBxaIR*{1g^}vEDi}sS5SkeOYC3)T+_*_(lR|9qr0R z-uI&xHUalI$(RuSkUfv+9#_gyv$a+t%{3vdsk2I*u0%fqX5+z1t%Lj1yHv(g*o&^^ zLze%7U4O1)s-S~kjylYUy}1KWF`%e;u!ymCUIySV*STOJVpw*tg++z>gozsD-nR&9n5!ew~mNoY%YM+K#xlLtBY84J;M>vzW71 zBw@Tx)J5lQ^DIGeLextx1-wkg9QqC6k6pr~egr8?!%!eX^v>YX@TA%vDEt2QUToo| zEcteu+xVoeTZChCy1g&4Rm{>w&M&dWoi~lF$i`TkF2$A}k5<($$0@FEDibwgfF7B_ zw=+g>lhdWNKAmBme@jHUqleL4*=fC{zbGqE`|P+2loW~?y%=02`4mr6WL7kT7F+8L zMw-8LC+tj=liI$AJFS~|1y8820$XAyjv-}J*B?has-BBZWgohH0i@M=Ne_Re$@|d3 z^EcX1P94g93z*%E8)xzoqG)p7eplM}vTGP$ov^^eTE`7HyOsLcP769>HEVfwjJb)s zTFCO%@ap>Z{dX*>G_OZi3}y@&82jaqLxn`u%TJ+^O~> z-+fQC-!VSVQ}BsHQJ&ZE&ntR`?q>{(!j8RhyV?&O zLiGd?6Ge_o2ah_szwy8;-FtW$GDP$bgMCe_4M2&vGkK&dTfLMUt;u!@`VDB7>335O z8#@_@%lu*f9*0#uEz4H{*^@(2+9AX&E9ZVY`Vgq>HdTp)8n0Y9HOaKOW;)m;O!~-q z7UeHq#v#`?Aj_hUYGsol_gz(8mQPa4$N08gtqOa^?ilq?D8LSb%Y6UVHa^D6!eI4c zKUO{SDC4598@wM1+gF*QOQNHLz&nWWi9@3vCrA5M9S%h@_q~=nl3%B#4#;lg+8TCs zY;+2ML|ZBaWuwE%F+swjZX#M%MgcWwmK|zyHm`jvXqbOcV(URFkfb#gK;L32QHsNg zQ^_^C7>RJj5fSyDf(O-F5**QTM zj{A8F1c;h`Xm(w@O{3v6E*pn*y*lUfgPjwi5iXV4ElB- z_uFMFu`>e!E*OJll-0A?YrFS~Tv}r)T{M66W!Oa#Gm!>#GDSViAlh@gU-?C1QiQ1g z)*QwMXZk8O7XN#T6(^VdyuJzw5R!Z>17&49h-=1;$9k8v zY?C`DIVO%sLx!&ktS4j^Hhf)wMUW!uCR`(U8oQ11>Osfbn8$mce)6lRypwywxMGYP ztxSFZujAF%pc6FbRXxC+1J7#E#q$fR}D@k5wDX0b`^%`&ZJ?gPnU zNlJ3JTBVv|rcBqkvYf8EcHWe|VEl2MXE(Kss~I0k-A<$C!Fmn@pmh10jlSBDw;t3o z_2D^$))#w_%M#}I!&|%i(N?BbBW{>MomIpDX{@@xBBu9l~(WrD0LBjqU?M`VNdc z>%Y81FX$R%)(`TNzJ`c~c+2M$Ci;iJ#@j9oQGU`3NZ z@|n=jXIam6%HDWlQO=y$Cv*6FO%4U4UG`OO*Yh;S;ylAuX_BkLa^y-*)cT&=>8s(lYK6F=RhF*Q}TB zTeyVpp2>CjJX86hD#4_;(9s;Qyxi4$aDTzvHABrnd+cx6U#RyJ*ULRACu<=@8kGSK zcaHe3Kb`zLAL>S;A_Xb4G-`A$v}@6S6fKEg80GQD7Sk%#%`-|`k5PF8WshHL> zxK4AUc#g*Cj^-lzJ~CwF1zUSQguiYk-f|oX%t$WhRCafO8NHy0_!#P%8%pn%8+DN@ zXHX+(%UoogT3C*x-!#ahM8(DJzla)du8@A?&WP|t^3HB=yH;s9iR{>o zY+sd|`cb#_9pxm@*hxKoiTd?)T7eS{-{wuda3a{>+9@_Tj&&9-t*@`UD}YNkW0vhv zSvP4joiB1&?CG9111wY-r`=}{Mz+Ov#Ov}uPnX}Aoozxo*SgQHEa&pWKgiJ|w1iGU zTKSerxKGq711TvjpZPo_GYoi;;u`tnya|@q9@>&PsZ@$y!;#Rs(GxVTV&gW%KAS6q zeDfO73qk`gk-5}kLj-)$5iKdDCGK&`wXo1;*v$GF*Ua!~>52?`ufx6>i%0DyQy|7j z7y7h#1YT+Opem-%aI3&+TwB8XT?2A`PbZh^+z+y5-awjq=Tl5l)VTIUWjR1sCWQ@v z5C>+A`$mcOPyYhdVM2_g1cY~-t5Pv9Q=P{?eT`X9aVJ(i41bB)UkuHLGGxxzU%7_! zIjXjT`MrJ$;ko=)0-F=b{-RHgY@4g%ml>`kY@)C#9_ndAtO_wzmyZj4J*XEd8MpRs z1InU{ym+P2(_cmcC*tTy}r*?!P= zDpx-5%aL+-jkbiQWDn_wb+h|B%$sVk`%kVORyY0nm@UGsC$YxbVy|#BnS708?OoEY zrVH?II(#acN89=|JYQApXc#K;hIT$C{8%u97S`u>mGt?8BDa|qqL=NsgPABEp6oNo7q4^xhJ(F$)>WTfoM#eSTAwEcX=mr&NvxK)9Hv3A#KCM2q=8hp<$IN;}^ zUKUf3iV{|$Ux0tomzSH3k8NH@A=aTR?!6ZJL#B87?Nth;?@LoAGE{75tZ1Zsx7>a7 z!0w&ZkbTENK>YPHZ;2D{S{K8lIEfP?{TXwqw~vGbNL}1s6QuGvfW`vZ<|{|#_)?bK)|&6<$9jc0F)MGN4`^)6g$c%tnq=Ngk8AR%>aM9C4Y$*Gew$VxPt z7k|MvzP$cFkb)ta;)HYEpJW<@e6m(9#3haovf zL(`b1C{7`?!^J2DX(&&7^3!T3G4qLBe|Dd#+gA)rV zPLQVfaeD5ZZ*Om?ageA{)S<-Y!nYSS#6Ns*PI@l#fQYj=A*0;x@uc$Cx#Bdt3X=i_ zt~{}ncV3fE{`E#GH5HKdXVfX|iA=Al;;G(M!|iaurYtV^|9R#ea<9Ge24bN3HE+FW z{QE+U!)#ietlgYBqt;Od3-s-;M-zD^KN_e`#`uf2nm72JU?+-woycGfdW2QKX;sKy zz;zG7A4D^Dl81=1DU;^YN%2@^94+}kL4$Kb(46b7K%*qN1~4PE7keft#*etO;mhgq z)_FO>v};>IK8ln;`~5pS4J7;H1wG3L3D`sgfm^Hwr;1H?7>GNnoii0Y6Z`_I#$1BQ zt`dIAW8yOB-1&%r9uZSLokbGzP{Nam>u)=I?qUePR zF@wzHyfAz-_`rDQV*a$pgGOq){5eTPtgu(#Gtqr|D)iRu#a2#&EkowB`MVJhP(80Q zCdy@sGeMj%TUMF(A8y;2W|$8l?2P2tXCOAoV1m=CtGYQ2gcaHw2G`@_FOdK&G5||# zoBV+%oIr|~^Q+d~|O{~F@0v%pE45YG+blV?<8Wbl<1Q)zCryws6&rn`*)YMLJzh&&Vr?(4e!A)Hr6g-LjaJ z98*AbD$OoNmG^J|4z0I{HJX)$u|BlCI<61&X(Uf4;2yQ^gA20*c@2vh*bW39yPTY_ zOkP4)CNK4lD~izHM0Ve~J3&xYDtRe#zV=@LB!AtFq3RtSHGvLO0>-rMIIk_@8NTr9 zH)xR0yfN*5SWFoV>!`ZmYV;pyyAPPnLznV#&%V$A^z1o#jFQ~*?6`(;JlKjNcj1muy z7cEWhR?q*^`0I`}SI_oP<>GIRJY@29L2X}a9)(%uVvc2%Fb%9lI?oF2anjrMxd~Ga z+xc86<&kcd{!GSayN1m|pFMoz{XVX@$g{U;yL-PRl}ZeJ%KFNbikZUTVn419V?~X2 zw2&g@sH*9;I^$+dtr{jtX3{K(7LXLO4hoHHJj`q$yK&r(frOvdMFvW2xU`6M|k`NQHA}%R>NNI=O=U83%;{Fr)u*LMZ zVo}4CQQNNMY9 zoMm1?L}Q5;O01$R0$1?jpT0Z2j1!hxnJG(9fdpH=T88d54Ig}EzIR-7K&ka5AiMCA z8zxt-C1IGAJTJz(o&Lr_=ikMl4&=|++rAWZ5#~GUP#sRD8Iy&3)~mFS7;tyII*2NK z!k3R_xArD&5Nv|CXp0Ip+Fh0Rsh0&T>zm+93y1?6L<8U*ZHtwc?4W(B9yQ@Mv=28O zv{j_qqC)hHHjdMrU-BG2;x8w$3w8~~K=J8@lP>$WSDfEC$=<(*PuIaN#GI!B)A=G# z*6)1en%_`K0XLj!wLDly$K4;wKe!{5Is@dDVykompR~FsBVBQHEcMwL1~J}K$KNs~ zIt1mVpakw-mjHiwHQumW>g%JO%4t=TQtwPVPy0lLzQZTMpPS6+B9oM#sK-3a&heB> z-ym$ppmbzkopTLivXV;14LJb%uwvs4*pdf#VD7sNMTWU^P(MlhMUkTbD;w9D;Nb)M z1<}fzsq6$s%w%r~mJIV1{r6$P@+=XU|Kd~ceekEmI>wo0 zp_7>Up{)iucC`BxDG@GGt}-doU=Cm=nl+{-9+|=ymk%;-HiBB>rpu|zm^de80F8H6`?Ghr;G%w;(q2)?Kll}a6(H; z>PC7~XVG&gvY0LFLm<=y}j#A5$Wnq=jVgvZ=w zkwfbr@}w{}ea_4&E{JPGOiU^s3Hg*?6x4O5G>=3$a}^AjO#JpYnl3ibG8@&M(*5@! zT;bwvxXsu1hpX?!GRpUeNVsPN!MlXv9_;JK{TPN9!5tiZCK9-m$JFlk zW(FJiY{xpF=A+SW-vUbJ^-b1RQ(8m=uz%fF-c}=y$}T)UBY#|EVe>q(6XI4KUStKC z6vg&89GpP=d+;et@mf}25V?5Xe(=S9hg{R^rQ_@h`PM=Rfl%fBpz6_Sl7rpQYQ{c= zHg2odAMq(j z$wJlW=v*W^(@1>6Tm;>Q)2T;jwV&22X%X@So#=^7m40}Rb|u_9uarFD$zDcJ$m-{A80C$F!L|E#jj2~b2nubp4MW|x zwW7&1!86gx+xK|gPXx|$cC~6D6QTw!nLjRfK5wo6kt?9UHnBfB>-o!_&UX5z+k@Od z`JwQk9(F;~4<&C{Plg#XZDmA#ICo-5bA;F)Co$wbh2^afkODTW!Jg=vn=O={7OsV} zj<)1ZkacDcaGChf>q?EWL`GBou7+Ydh-FFG!pL6AalNSoTwTIH<>D~=7!H=utm>Qq zxerLZrn?U(5e+7vav#6GXzKaXN^l;D78cp=^tZ|MFuJBJ>aX%nrv66ID*;TCNwnkH#>qt4poGnNmwa%YZ!Tn9nh_QKK;&M=M(NngOgy$5`EQ)**IXtRp+`m8;cAIS#0>E&Pvq3-isWy$n1us})WF5DQ8B&QEg&3oUq zPp8USPc3J^gr0|!j=JBh2%uSpmB-h7^H`Zm39cpT5=as~yOZ0y zm@2BjkF#^Tu*_AlUV70x{^0HB$Rv;bPCR*azPIlCY$Mui0(UFI*HU*>JWWkfG2rVhlr)}l zQ??p(!v#!4{mtTa*ve(`k6@&pg}7Wt_nBI=8RuM@7`kZ@BTbIunw#1uK-F`&DeSl8 zrfx8-<2Czoa=mFkUElYo>C(2z^!Hp1q?D!G4)vEj1FJapzQ;>*XD?_Ig_*kJkvEv; zzYHdb=tF6XVHZbFYX!(#F4dA2;X3mv_lTJh0t1+u6hMjToUrjKIHc zJ+lZynAPD+3m-NbD@T}hIF_vzg5T8RA!pjmJqt+&JY;iEcOfZ}+T^mlE29S>w9iC& zAN4j%q?|`Q?!A|26Kv|bQ+`Gs7P+iK#4!8h$`#Qr1sTbg2%@M4P`rFyIx8x&-GUp| zt!t%nI-*JcMltg@13{Ua;H$;MTu#NYA_?TTd9$!o?bU2 zHRifNV6qD2Gye!{r@maHH+16Bz>HIJyX>_1bVhnA(nt<9p^WMp36#%P)vr5**#CSUcVK?s^qz3`6#N$({*7z+avpV%9-P(VI2GE zS(pRaBv>q{tBNSe*%+&#+yLUgpPNa;sUiZ7N6MOJ(aSbT!+K6@{dER4M|bLuJ?6$r zI#4%Ji_G;6`LL-m&po`^tuT+ch9N!tRek3(>F)Ixaj5f5qPh9x+p!dJ7YqLW?oQ8j#Dj9yH1Q`wvR91p{Kdq<8iBouM zyK;qv%P=w?&dj6h8+t#wz;^j5OsNjnmEi+>wVy79l0qMDgH~HY0q^hv-!872iwu zN$(z<7ni!pQwxLPpDgtPlc(i?zgAI0?d*h{0|QfnMZde}yQ6F->+zXRAIG!J>%R6Y z3;iGHYI(T7M#uW=t_Zo8B~DvrG++O;l1}ing6!5Yrzd0$Va1R#x-W|S)$AV>(-kYu zJajlKXEM3C%ke2b(cMZ{@6y@BK{mRleJ$qvQi)4wffD zdGZr+dEIbNkpXUExvKPU8qb&$;h#-{JgbBN(>?#$xFHv(Qo$Y+gnUKlVGx@+r`4&7 z*>^c~-!H#owVfqWVlDN@HVLr-D|#O2vm?)gv&CfF$ddx^B)>QBxx;+EUx6+rb74Q=s1KA=BhqIiCB|y^_5i-a+cn6YXHc8Q+TxuZXS)8Hw#<*Twj_ z#wE7;-N=|hwFf$D!mmD0ZWWxFZ%7QQ6BzD4`j9O$ojd!5B;q%s@od^dSEOuFtG=s_ zI&h^SbN&CJ?k(e@-oCzn6;x0J1`wnhL`slOrF#UF?v$1uYEWq@X(T0w5Rk4RgrSx0 zW&ovz9BQch%Q?Su{m;3sbNwIR_e1jaVzc+!Yp?ZL@6W^pV>ZehuvC>TwwP6L)4fq7 zbx|7QMRXeae*Oyd)dP^cL%)-|ECX%-CKJc|Lu1bZzmkHS3axb(Acw32U0JOC4q>5W zM5(5_p{rDkyZB^0YTn}of}He8+h)iV^j7bOkx%AvYI6qW-Af9{UqL?x9yAsGItTih zKp7O=;5kx;p%DCS8}-t-Qo*xMNbK62)<2Ido2ZoACA{ zLiI=ZG8JwfF}T6v&^@qlfV3&}IV`Zx*(Mr%rz627UzK7 zG+SikiJ*y?jShjJ>1H9r3u0C_aJL*L)5WVdhta>7@JpN<7gik0bH@FSb@sT%EwN_6OTxRpBYPq`7`}PL+r5ek9ne4kL%wKBVa&p^xybm~q`!3HxmvbX0 zTDCKtW`E!DFW-~w7x7090s{=jXm7X8Wda(%U!8qijlO10UL@yT+Rcs5vpfVd`f-uG z^|j>^=#sBr=X6-mn4C}j9Djh^n9<2`!PE)GRHdz@$Cyo*ghz0f-NvG(sEyHiv3<+u9j1! zN<~z4oHHp{_kM3*5k}p=&tl|5g)XsW!b!K*=iN*laX-$uY)VsI<t5Ynm1k+7CaPJ$C0D# z3tTGrDJCDd9VxY#a(2~-?D^*81RP4>3+Hbl7`8j4BsTl*gPdPXJ>@|?d!yr&d?Z># z_~=aFexZwwn9_hZD)LF9!s&B?wz^N8o7wCgndn^B!-kH^Ho4=2m%VorV>pjDgnIZF z#h`#{lmf=vdyw`;8?GO3&|U(&6Y7H4y|EfOeu`c$Y$L+qX- z$IO5|$Bb|^@QoouUTn0hm~$XDg_~ZTRqZ@3-im8_qa$GvxpC68;qPQ$2m5^}Sq2Y> z@K95SdlWtV&$L>rR!D2z0{Ov~#YO*<=BEA}l7TA9@Q`VC>Yy}9u#g}|HS_9skcB`T z3Tf*5sup_OC(6^}0Y;a!gfpwj*?cc>d^5_&Sk-dp=GMaQ$ydS+fOrh93^6#lvgrE^IDH?i{PI6a+rQ?cxw@$PKv2R`!hXVSLNyQPQ<_-}?|IT2{6$D05UX zNx#NV^EOLl8_ht^dxD@VCIa~<=Z~q_Y^a`OxCRQnMha;y=?3`+#U)^Y*$qlkx)LCD z#%^s_L|yFnB{{NOW_jt=bnC2p^Af`DQ!f=JyrG4~F^cpCH|!^JQs@-s#!0k=hWI7d z;fKTEGV*w;&a1gr%=m|Snn1fbUC&s8Iz;5%LohV#2(R}>#?zy<3VFm~W2y0`eC@b( zh#H2;XeI_2zkK8W9wz|2(W@Dq>u1UJ7}++{0dC-P^VLFX%}`@I_3@^W&xZP(W6R2Z zdJA7PL?0#(_tyWJx~vXEVQd#G2_HNq^(o>Bi29~^J+-1C z)mQ=cc7r|BLV?bBMUx($(F@ARpmN$ zdHp?Renou{C+C3@;2~S}FlB7JW@j}kUU1x?_-Um(NX3D&arnv~qwa$c1ymA^`%Br| z^OF!1XrPi?-@e!`JTHs2v0N^{n`*k}f=_lV|F3tP{>@uI8G*57snbsjKI}Al%RDoU zbMV|tLlF4I$aJarDT&lVcYq%Bpu93!(0#{${s8h6so1lVxpZ^{y$iV#0>%t{^x-6X zq=_KXepuY{{{b)9u{3npUyR)m}Ocg}YkSR6ZnvJ*2 z`Xd{xWiFkF<=Q#C;1-^d#8Vt|meS%pkNXPZ`u8N4$p_ZrM$R*St$(Uz=j~A@<<=2% zTQ9B$86gOOPR)?0k8wR_nL^;VrULk4Jgw&5Ve?|TmJrFY`Y+QT-%lR2#Mkvd>#{6G zdQTk8**h1CfABh9MlDcv3-xG?^!^Yh`7o{EF#N2OD!3jGNv%k^99VMQFYz0C3oSkB zu9WBNS=CCH~!-`q;}-@k}F5UAwDj~3LfLo!I(iUcu)9iX4f*VQ*3R! zx81C>E6`1&^(DRk^L70MD&G`3>9-;_I)8R`AbC~!i~tUhWDk!^PPq{S5|aXQojYA_%R}HmUU4tz@9tZJ(GR^U0~K z<;sg_6qw0qm=ro#mzAz#1@U8o;=};p;{IhPuf79XUtSbd4K& z{c-V4^^69!=UhU2q5BH<6ZB_8g$Kmi+G$aYs6J(ASX3{amz+-D{d#fk$`nB zy6|ZYRQBU`pvR3l1drk*tdbW6hMKBDdsgJu;_pQfmImIl9&O9$#NGq-C16U`6C6mX z_HJ4Z4HPWgoZ7I9!bTOgZ^wPzoG9DLII4oVTfTn##{@|xVO7W1XcGw%LIln6Paz&J z9XJtshU4_HiCOG5mC#VvRPu=NyO3!3Y7hX~L)1BBZQ`oYMzJ_Vi{1wfgy7L~s1|Uu zv=iK`cFbT0`a_ksV@s@Amo&u~(6mlyhhdLGdL+Hk>10)MVCZiuGBBjcHZ*{LoohyJ zYz5x2#r3)-Z=grxLizN1vhFftU$T?`H)HYdFo#^lJ&HkL>#2K1^Lo~KS67o|VGxN) zdTlOdeo)!?;R`r~YOU0jI($@%>oA0HTm_%c=0AW0hr8F!{DJ!E#4t#QtKk*YdPbqe znXut}oVxc~fm#Z=xlG-2SzCm`fbM2H zSg>jrnx*sBA}giCtdeN;+)BE;@?p-xbLqWHOVE#NlrP!XQ4GE`-+t5=f@Oq{?%ok3 z?|5O13Auh(D$moYrG*go5mo`Ek3J4qwqdd>5n3#Q9c;&@@rsd z*Q>nsxnX7N@_?u)2`M!^=HdQh6vJNA{iuR2gb9$2a5+{opczlYr z{bgYa`%cc``e=)8`WFvKJGJ5chZc{q8&kwyx3o`K81KzqkqS-adq2kc8XAmI3kE=( zW$oTH)pdzZ`XVKkN;3SKHAKYS=n)jD zNMkw@b1Bb?ssvqXJ8(-jXLG+|1tJFb&~1ka8e-wF(a2n_$X@RH8+u;h#*^>T$vqh)2*M=LD$fVQB8>%@k{XhIMx~E zrqgh`3s7`olHuB!+Lgd`k2D-#9%%Q4uU&0iE*FD0N*mA4wSr-+*Bv&ZJznx1vCnVF zYk5D_a$0KD9yGiPSA5F;UVKyPvLa;?5lJ|;RvztVZAG!#GGhfXeL%^U z=sYgNI-g6Lx+~y8E3v;H<-LUvp^8bROPeqV z9KRLo`=^soL}Mla6d20QG%<{Z{SNbaWaFIn^)`qAw0{k9$n@;bB*2j_Y+^j2>&9w- zDTO$29&vT$!3Dz9Kt&L^i~=awMIAZA?5}u7`1uOwN|w@8HfEl-9Oav>Hix;=S}g{p z8Pq83T>Ut$OKABcW)xz5rf6b@3!wy$~4XZqd-m8v^%u(>V(Xp3&HdJEHM~q+g(b^ zo*O-mJZ53H-2tQz17C|j=cfajz}a8NuppeR-RJhEpWf>AFz{fY<_BL9n)FiGU=^_- z#^ukhbkYoCJY7^H2_<*VD$JwBYgk)Xs8z4vaqEnQWZx9a1VCWQL!UVG%kw)j^SEJe zwHRo8aG<-q1g6_To&p(FcEc9)L1YJ9{fVBGxjFReKYSj6t?6YL6w24<61BO1F9M@) zs$B;pd-}6HktduxDMuOnHd!M=q8^6Nj}Cl}0ncBZr}Jx!$@D3*g!e#GEVw>fa={ZS z`@|Gw$Cf***owW4RkA79t+|lr_bFZ9%%_HV`dhGCe6e9V<}gHv?EIKdNcSAL`Mc9h zVBp>C{a;8p*?6olt`|ROpnBOiW#Fk3QY=+-m#dUBJY#m^mn1}qQJNtGZd2NB6AIb( zoF9)!P3GQ%uGHr=*9#3W8!dL%9ixEyxZmo&HN_kde!V*BiHIgz_Vfz80Ovn+V=NsD zgRaQHH*$G|rYFVuIwv!!NorZ7N(1Y&W1=QS8hvfdRdMsBwiIGyU^!Z{*|?5XBI;#Y zy~gS#+3D4A?my<6&2W09YL2+98nhjPhn?qsTk$I*eN}d~)^i}-~i5^vKS}TWf z$jGAPSup)U4z;T07Q1#TTcFiIl6)&`jSz zysWL!{OEJGzqT6K6}2CFv?iN`(i_g4mP4+4+83nq+?yg9CX1camdov!8k{iontr>- zRtsxy*yn{7^#uNr^*l%T%;*nnM9sam`phvkId?SZ*YIp%KeVFcW1o}P{>Qkh5+97_ z!kjj=t5MJ`WX^G6m0T}Z>yN}ojMzi$c8n%i-2JO{?bnwAY#EB#m{+M^&Vf0I1+Z<( z><`i~H$rMhU_f?aV@}x^GYsV&$Yq&qq8wQU>ws5#?8 zXE>?xl(@`3MaD=)D=zdmR%k-1MSJjri;$0|#udFjfM`}&J2V=)7M1#(GRn(n{VTpv zZ$>no7ARztVmQ7BLJL@jPYoQ=0!SjyjBA)q2FHrGo_%AQGisbT52s9``77W+wETSl zfqsc}#=1Gibjh^8UL^yExQz7I@zk}TJG$O;sv<_ZAlu1-;F=fNluq`@YQSo95|Z7* z9178I7w$QM;YwE=-AttW$RKxSyex9)+%Ny2rN^(kzpEQan~Q)@=- zG3J)igLZ)B*4T09!loDaG|2I!el0uPJ8p~qi`Pz3S3RkW81-)B0F{!s9Fwr0R5DU` zE}N->3J{!y{4%h0Hd;XE3r1G#&v@3$hy_DXyxbO9eP&3*VYBk3ok2zSjr6-#r(49?rWX>C26dzSsB`*wy@=Q0c4W>)q%ykU2AqSbTEQ|* z6L9C4rDxA++ER|wmuhAJjq(N^o!(&lnHo)-$*=ltm!w9t5uY>;jXWatmq=Q0D9pjt zqcrQ&-by58aZmth^@D+Rz7-LH9=?WRMc}_U=x6y|C%4mRw(_;4p*isDMiyz$!h`@&w*kOf8d3Qb(V!$M0V1b;%CWc0)sJ{rKkq* zv|{~JKjlnT17=~d7R}LYGGHD*kqoi z5gZBh`yRA6HqIV)vR4R}x-cS3I6-CeW^I9pTwE`Gr@;85wBKT|XFUQWaWO2+1mfty z7||;|7|XNWNsH`m#1EzlU@f4stg$(l|-S!yZKafyFC$u-uf8P4+RoW4GJg#P-0m6W|zIyb8Q_dh2 zP!Z4I=xSuVo{<<;A<`#2TjaI5UqbkM^mu8|LsNQc8nEwb7bZ8W(GfAyzqs1pyTLQt z)P4Ws!4g(vv~nruZ@~<`Uwc8QKAD|RzJ zF&*mR7tpB7y1{d5jkIIij7$co^x1>og2%wLvB=`$D6fdD zuMa`oC_R;Y|85FMp!=$Xh3EMz!i4Xw>X?6vg+eeEFBo>-K*8bi z=f75LqV5)o&hJI_WITBl!YVky1-6#f7-M3DPNcx3@Y48>U-~?$eax!=O|61W(t_%O zXMq1)T)ec@nxBXse8|r=B>T!;oY6oxO)wlUOyQT$me!Ktceonj?19rJ#;M=*u~$o+ zu@54gW*~)hY}%5ZiDQDz2QJ`k+z;;)VwmTfSgHcLkjO&r3B3!0mv@w1>AbkQi!CW! z4AHP5Ltr044P1Jdn|`ZjJlNdqYEx~zx%;w*a@`Dg&g>2(C*6}CuUXtr2XtpT(L0!} zEBuQ5daH>Evx?a(f-I5n!-It4xaKYDPE1Q!<&TMVUp4h|i=1 zvRTz)Nhc&ydx?OjM$HN=y$Wnhqt8^cd0tg!ke1$HV35H>BvyrGw&zwx*fdZPf9J2y#?rKVuUxH@ghiW;Fu zZ$jl+F~jzR-sRi_kIWYI-}H_timh(+fYSlg-{A)WKR=bTVSENjr^X4cJ-=R=KAU?f zUpa5hJOk}4TpsGr?TGEhZx1VT?KrxOh&R+WFUQOsmhQOd8vxzoiVE?be)9yb`W5TB zIef|budQbV@8Zq%<+9$VSN!*Qhvry;Oe4O6oq1rSIN!UaN@tc@-p;%=z3WRhX+ zX(C6I3>bo}Gu(igmS>Dke~Z;N(2ncwgW-U5st ziic)NE9(JZS~Ue7lAQPbCo-{cb9??q(ri@=!ikS1wlMn3pTpeuiO&1?N=4Q$ta*Ge z*6*n+W{iAL{13xyd3@~D6Bo*-_0}0=Tj-bWHs;N@Yx4@APN*Yw3OFa)^iVF}VxeWS zhIMqLDF+|IkBKIbE|xqDMCTxoYtw-F{Eu_eoyd99pUj+Hzr@OUcFanYd547MX*jJ4ivj;CkRH{m<%B+$YRBaY&v@xz@=%LfL$SpDmVA2m! zyz{mFPDT_=>`+6C;FaI1jQ{)Kh&u+c6(VZfi#@FE0vcQqk!!gvZNRYH!U)t*+u%xZ zt0(-idEZvT%g>)mb7~RfnHAE@ioSa`PA%4+$8{6m=cJ?H?w$uo*_~j)+3H60 za36rNI})7>V}-W>0+xOhYIe1B6G-CEL(2uUQ|fcP5YJAnV!uCeHmZ{9Ew?4M;RKA4 zLR6{~fQb1(^~+SzcNt)IAVd-l5#gBspz?UP*)j;SahG>9scmHE&jBPd{*kpQXPNi`@juT7bvnP2AppAf(F$8j#`8D0a0<>j$IOTZIqQ1CC{B zCPCbLZdQ|}wlxsEHT;ni5=~z!-m)_*ucg{}C(nxo zr|@lTl03=*IP(H zngVJULY;_EvUJjafKdMfbGq|>e{N*FYJsauHr3}H$x1635$5Sf(I7iMj<_UV(~?X` z&$a_wmpo8clPr`us}qQ2{qbFHF4(O%a9z_a7RI^fJNgjmxAf8`Gnd0XFa}{R-H730 z!mUoltm|Xq8_?AcDKP?qJ#<=TpCWH0_gAv2;UR9`NRN)H@@0tUju6L6Od>YU_N(`m z;WNe1Hcgsz^)Mi#sxpbQ#87!+4xRXOX%L4Ft!bEi;KsN)Q8e{ol{JTrps8D~Iir_- zu3D#F1!gZ*c&g=Vu5h(i=8c|drEdJ08KrH(<}7<%=dINITL%P}Cld|U5}VsifRG(3 zCFC;xaernd!yo{a47#cHm?W zaK&gbgCX9x(g6Bxs3u|qNm!lh;6NGM?SgB&H9G$_mr<+m04L~ct)7fn#xSATh8-(v z0T`dA^m0<3SLzJ22*D2eCYwe~L;q*gvUSXrZ;OKug zb3FI_e8n)9ZndG55l0`RVjz9(XZ{f|JxOXgUsa#>LpB_m3QS~3(RyzKQx6enEuz9O z$kv;YUROW7afPOuHUp)6uRHZtV#b92VMmaTWry}AWXj>qv8KvLAg6J=GAH|k%oIos z2?+d9KVx5re2KI5ZtW*8aYnHjR!~x{2gCgMTeT0UDtf2*Q(CPn<3q99*PP^@nP1UY z3-B<=wjHent2lQA02=x-_-6^m{_4*MvhyF%V=GGm>`OHGs%klAUbN2h`?av)!YoHe z7(j?&WMBWfA6g=CamRj`umDu>J39k23Ny0dQ7f52{w;m`OZz@ezv%P&w3Ct{qr|2? zQmUEon4SWLD~Y!gl;24F zdfU$;$xkYY)1VLyHkuxooSdLh&p4Wl&2*s;dth@Bnm+A_UhBLwH#(MSd0(3Sp#T-R zj0h|MN&ZU2xWYRolQ_3DKy8EdC%&RYI-XwIGT`%ZfzQ)%3Faq1V@w9bUS0< zRb^?9!T#0Kxd|{sR3UgG=16*jUAM^*J*>5X;POKmS5j?KfXcpnyKMo?UpJjb8gD_b z)Sc4q4M}?cNN=z{@0jzR>*KzXJ+Z=lU#ic7Qt%N)&mVVEQ?LxN?q(Uh7DO8Gxyf$cq0Ja!B0=$dI+tTE%7hsHuCM)zBY2U0=I3(>RR{C=vBhT`dykyRiATn#*Jj zC+mBuDPLYYHT4!#GS~;!$_edD{idP(cwpN%J59Ox(t6x26w)6_&^k@v_0TImiECn| zYGzdB0B`^OO}Pw7&;)067GNmo+wxO@;fusxvY?_>{gEx@q2ISQT^B1cHw`c=SDTCoj0c~VQ%$R*}=$js~d zaWCT4p=fQxtM*O1VLvZG24Htn<}!r7dz=U_R?t_DrR6XF$T#;t2wTG30OgUEDm7t> z@LTr)Qe}q~6yEuR{G>#iTLN7w+;{eRtNQJkJOFB~xpJMA`)g?JKZop_1A|FvlW)7X z!umyRpR=Oy+i0nXcK$XprBE=5A{5=u6RX9-iFa3#O0p+J%d2<2!mw6*0^C?#k}a_T zw$Bx}w6Bb*sLB+mW~M29H4Wn~bp-5X_LbGS_oqyA#$icE3F~BvP(W~u>Flfs+DqvD z7BIa2r9aPr21H@7kL9>=n}n$*?SzP05dhrDSI_&>JFO&Tt#XkTjEC=7qbw5+zJa}-; zJrcPe*BN#^ehtfoTMF9XL`VZ$qBCoF{~sLZ>wv3&_m<`5#oBP3Qz90KKpv+HcZkE; z^hB-~LCsJ0q+x$IN+XlzyD~+m`P~pU%+{bKtAJg9yl=K+-OJ&jgbo z^To-p9JDu$qBv(y$ASMF_noT6y;dxOts}sXah1}6-xCL$3)+Bpf9Aa65+2NWD&ONqLAY+NgIg5$IR= z<^srg1iLPygf@DL&L)$KGEi;K_$V93fnqf-aKxk?t%ngGnj0HoIy0PyA7nmpP$0$> za=YO%pK~`1(Qc@uTba<9-4M|y;8@4I_4v*f-LNqEKAM?clugrESHbxjeX(ges+`BV=NpsshLO|{Hm)|TDb76nCl|GkgUv`c{&MKvC}-FJhj;hZ=*6v zB4`wV7Yb~#*MhxFCDQNa0goqOWUYjAexzm`sQEICp#fyHbSr6Q4XkPmbxr*7K`cA( zP7Odkb{;sv(mgh6v92eXzf}b5p-@D?V$X1a?I=g_ui@gTcdShh>VZQ1Wa*!}@cwJg zY1Geu(op{~mX%64se-8FM|t+fl-NjXv@_ldQFv5Ah_9ilcHg?l;`lsw6eiskq~wRO z4ihSHWylSw(tm5-P$O&q7{R=WBySMzF{61^Zm1>PA6)Wg!=( zO|6U%`E+)%(RB2KUSQf{wT*CnEkC+#bWCm|acvEoZ2)3t=&UjGiB)w2K(JpZijsG6 z$@&{k^`l0Y#_Uh#1e7tQ1N#BizN+!dM3W}W;nYUb z*`{GDujy@muDPJsHLMsWX~T|!mF}AwuYyk9jW2bdjdxq^bq- zI%9+t(HbFYK#RYb*1g~>mo|&)umqKvF?1vM0xj-vk9q=7gMXBVPY6asZin$F0(J)G ztuXsiz|H`>sE{99E3}o|I&BDm6Ygv@1Dsd4Q`)M7eo@cO@siC?yZAuO{9(;tk<$Rq zEO4uALV;19Ba5E^u6StX;N{FD#jP2BU^#0IGv@{BfF(4!`y2?Zzg%O1HoSz80Q>(q z^Z&KX2JZn(v1CPVKj&Qrn(wqOGO?ZfE{hL?EE2^U3WQM#+e(p{i=jdX6BjM#5A54RH=koZ)rBKR7$ z+-hz0!$#BAq8h*Z!u>?nbIz-hTpVmO)uKjY)Wi;zw49_bs<@4gGoyID3b~_4{ifod zwHrSud4)G_GU+l(tt4W3lQkfTrB{=sG_Cvo=bx>b`H^WBh^mH**ezyFyY=&{RuK0+|v8n zLQq%v`fukP%4ja329zD*QmU2zXl?rvPWm0skv&4LSNtVcwio@IF^X>wa}wGC1=JGl z#((MYjRNHU_bzrhfBzkSkuX?&-t2Q zgWii;3-rl#bdYa$V>)LtJ<(vJ95)yAX3L@UX`=@#NsiD0pJSe`O*-1Ff_9f3h8&v3 zIZkV{E|cbSoK`n!zm7%CpRoJnXIlTRI1lv>VG%k2)d4x_ioyc{RyNcmHXpV-U5E)|Nm6lOWnAF2`x(@L}659iC9TE z1U>IZ0*&L{!j7moPa(2wU7SVB!}y1RO#iodcOX(T(L(y}KI;UA02+uD)fHR;wVMY1 z0Kl;29)%qT5S%*Sfu{@@k*c__H2+qq{X+ju>Uz%w-Kg34^Z4Drw)xOM!LIuC5Ay1N z9^!v(AC>1OmGW>`rM-^TR{48{s9!(&=^6Yx$gK6+u8Z*(J<9iQV=?7OgY8-S0w7xs;-?52^5w&7uw z;;6FW>GW7qRT&3LrWP3Fu%KE-4^PD7GP<83J4>k%&5Lg%i56N2_tYF@;2#ha%0P<3 zv#2RB5em_~H8%Q>bolEvO9mbCws3eMJ*HN*4x%r&e7e6j#z5_J=gr{8?X-7t%+3p+87>sGykdZvB zE<;suM~r%`6iW|7RkO{L9s>pv0%p%pA!stHKsOJruA50l-s^>b`3Y>?0>XI98Wg>( z+;HFDMfZ3l^8$W$y6V_8mQ-wnDw;NDU<<33?HQB=PTKj`0_nFdDSCcge0fB6s2(0^NM2hg8Z4VZpL8X8brAft0y z)~7X%;8{Yh*iT&F#j`axi=(m0GGci#g|y8YJrt{5Ecy`TYT&6F#LBD!c-_q8l^Grq z536(6Y+%Ah06kXQC|Jn8tN@LI5o`#VvFqgd`B5CTSa5=e*Y<6liW2%QOxoP^lHW5K z3q{DoO3BjE>LNsb&n?fi_t3W|hk+j#0Tcv3*AQHyf%uAE$RS`VF1#y0ygy7Mv4M?S zw@F6Z%kS~m8SrOcXGo5BZ6BlnO>$&I=e*jfxzgv^7e}bcZ8=K_Ci%)dgJSKG?4T$fVNxkSO=IFr= zzF%;D`*w^;+w=Yxgy?&XeR7M&Ez<}13+pIh(UE7r(}Wv$j>Y_nHj24lHO-B{U}xzY zUAgnCJi-V@uT(LTjU_@N@r%%nI2Xf)5Eny-v2xjOrs3Z9Vc@S1gL@6|`oOdw%3L(M z2>e$y?K?}LN&+%9;Vy;(YoUeb^?EW6z6o*o9dR`NW;S>~BE1SSVJB0^O6~`Y6FP~ff$cm3xHnHuwg8$l0Oj3b-~K>w3o$D|&G7Bb zQ2Tmm;||#M*N>e+bGM)QYKCkMb(d9DZTB!bQH~Pwg16*aaUR`dG{KH|2YULS51x|Z z06GXPo5QjCYCZv%2}92WndWF-0f=b$e|^tCf4~_80azB5o-`K@Ua9GVI4^e75gpkN zqH#d1Va)~lLZcxLOeBh#W3nrE$rOdZh0whSQ{y3#$IOoPMn|1f5QwqweQ~KCWy^zc zNstJ4(;kF=$vU4L0jtQ=e~XKnv@NF9&lTZvn|uQ0m%NCS#j>R`=~l;L%3v9Ie%tH^ z=rDmyt!_8c=_!G7kWS@L}cNwI9db++hfO*Q!Z7y-_`gaqFSd~m%5 zIyBTU30RlJ&fkVk27Bba_X-iKRI;DW+d8!b)Jj}QAJs-2v81%e54E51#@YkK=A1rfg`QEfb&Fupft&1@_`&Ra!3}5*ngk857%!JRM^9FHM|0 zDT%LD{nelDV`bHzow+;AO_cHOkt%OS7(}YRWtFq`;@Qvi#xE@|d?IRkpRniu6f`XE zdhGG<`%nlcIaE;Stc~$s*BDsJ=Q4Dz@8*+dYJWL6&M)2%dvv!}0h=COHHCQbVVQ~Y zFsv3E6d+Rm3K`N(P)g+P@;GW=hT46-TzZiQlq%r9%E}@I-RR}^H;aiAIDfnfD-kQ_ z%6Pr)7 zs}O+I)jx!4sUS94Q=&T?wmW@Bq{D?C;zg+#nYwrnFT)7>--!|Z>z)&5Fkvu?zA-)b zKMwqVHf2uWa~32jL3$xWut|-unGo@%?mKPlb6)9h0ZzHvgCCOuX^)1C{nk1Th;X@z zKg#UOQDGe>OHRiaJAcdJJbNVVEu?wU<-B6Gr)e;SEPI61Gwp*9ns)`$GBX%&S%#Fz zV3H+|`bw8I!bCj^cr2be!`N7`%v(e6D6%#Aj)r7%SqP1`ej>Q zLNt}zm8jDjlF?umE6p%i%}Wgh$RV8}v`1)7>uR{jkiklHh|34rSWd%&I7M*bEK`M}IuDhXJMQ|(l)vgFqm^+`5-^L^K6Rj{RO7r}t`-Uscas33ap)v?9y+uIyH{$7lkrJ~lPr>cI=z z!6WJW030!h&)$38$`LGrA4EE4Eou{;ruFD2i>2^Mdt~XhkGY zK%gQ=W{@$S0X39w>^D4;7-g^`Yi5A12nW7E(A4?fC|m4pE=j7y#@lQ&gAOeY%x*Z* z*(+EkU_?GcLF`<>xGxPm&&%nd{c!k%CzwSwtRVXPGm~lb5a~@$?U1l;t9KlJL^)6Z9|q(gJghi&ZjPSsAs z^dked%e`h0GVll~!m?1Z);BK=tmp=kOZYMNYIp8q3tG?H+6J$;%;mXSs@r z!-$>Qt&F{@lHq2bmgcciATAa&AZz|DOL>3E2!y{Y9(S4l z?L?!o-m4&Ho&my&ypQ)eNUBJkyhQ_jf+n_gA=0f7)Gr7GPt3dE4=CS4V3dJ&^0vz1Ttg`^J0+ zdK2E-P9T}a0?s(^w0|oD zIt7Z=9v`LC4I-KGOKk{MA9oJZ-PE{ItVVOFS%Lf1jJ`ZmfVeZ0=sP~G+vv@3k?iDK zvFG+5IVn+8r&tZXY^#j^m@vi6{hZ51R;HZ!+^or=Dn zj-HXe&(`ne*h}b+pX^l>)w@YoBwB9%eLvcom5Q-__os;Y_=dR74^caAT-im#%Y4CQ5dA;lR zB|KuYy39*{LI`=}K@XrukCRI=&$cQvFuf=I`&EzoM&&3g{`w zNoC1{_kRlwZV}g+QCy_ck5nVo`|>zy#LU?Ab<#-du=c&4#aYv0}d4`!kTxErrT&D5C~rNqZpUvx>l{ zZO!HKD@{xfp;0e{P+<9ulFOr`k18Tv>G1_9hz}phyQ)*gp!keWt!j}l4QI<1m+eXW zDs99j8E&*99RLS*owk9clL|iZS49-x;C=Tq^9qSX#~pAzX7ssmEK}q5zN}1owAvOF zJ`9VNPfzi5+~-N*>sa$)8BxAf}zzS00e zfSh(1cmqNBQ7Es}1VQI$y29_`Qj1dbyAgxhvVkJ&OO*6aR=K(2r;(hpqI+52)S-v$ zE%vWIzLZys%oI5aH7ks+@ns7G{~zk!Gpgx++Zwf?V4(y=KuYLEq$#~uLlF=Vf>I(N zq7>;Jf)pX4g$`1cB2q(;E>!~vh;%6`Lg-CN2tC02&wkFi@44@0k8$r9_sjjL5eNKO zb*{PQ5^7n+nds!{_mX%7uH+ox?P9j_EA|K`3ciei{V1Pt^)R@0Y=MsWWB#Z&F#%qg z&u-yu)H84SNJzU(+G)TjBH;Vg=e^pE(g($i*3Ic*(ne_c)=`X&3EXRV$*~O8L=)*~ zrHsMyFQS4m)@E3Xs>dBA%{&1$^KZgw9A7B|f?vbY!i2hCe-^&*pzeKe7!WC7{zffi0Hx7p6;si{x{NXyb72^kC&7<~7u zKb;z7_sCIp&*tyfQ=c1X-&k=M9D9b*Q6k=#d=L%yZ?rk51B~2gu zkBJ#*KT3aG{S93EW2lCzU09~1&pAs?xdZbBeIMdhCX^pBQ?OUvksE&Xqx?(;Qx;*# z5ou_#k9^BsWV*P_6NT%NefTRAQ0mq-fgfPH^YGl*w<1G+%TRdGdlULA$bC$wA$OoN z2LNx7Ol+|6X&DG8Y8_~OP{WwnNY?MHx5B5KDnCjDZ?6@nz1D|0Y(aA1s^o3=xb z-tZE;_rCE>{$^g#G6G_iU1TZ34Z9(6_bZB8y^Vr>PL;{-rb=*hXgubbb#+hacg6QH zuCLg4CWL5;4tm(THGvwy(Yg1vX@x{7trd?E?(R1YgRAD}huRsT4DahM@CR&|PYzO= zpF7v0T4-=DBH(9Ama&~NTPMKSo1v96pk!#BdYA%ml%rZAnh2ULwqIyir7w9ewA0$M z?+?uid*l)93P`=_rq3Ox|7k&Q6z~D3Ja|4Tg7D_Q{>+;g7>--|YMh;05DRt>7!!uo zQHZxS&sP(}!MRXk6nhOU6SL1>H2s$m-|F9+KFr5-Vv8i{GlCTsBWjK>vc@gH;GRZo zHjJENy8O)N_;LDG?2EHE$Th(K0Q3Iq4}BNTZQcP2ux4oPdWFB8mZE#)jJ^?Mh7QBE zi7=;*SC-y`xS=MV_0a};CFW^bxO>zt6zrv76WF~qT~_A>_=8KAR;$dHQz82p2;`O~ zroeiCrPv^Q!jPTaQ*-9w^IKR`Yu%}-O}nzX52eeDZwP8Z;w{(2`Qp_25=^a7&T zxmIh+HSbrSt}p0y$kAFT5jg-C5;3phR9bpCpdGkzJZ0wFhV-jw=Xqdou!>)a?i14i zpJ16rh(+Z-GU^#-=}12jLCaH6r%?MdKw3)+%~=*YHNJ?S>*GD=uhrbLg?-WcgVfw1 z5v{4P>V_EntVgdR1hw!!NO;DRL&S!r^U^S4=yZvz-LxL8ay^XOy@ppQSUcawi3Q&f zJ4SRdZo9M1Guenu*`hIY5ao%g*<#=-3upnFCGl8T$s2d`y1ik(&dxPnSxCbDJC8LP zp0-aV4x98E2D|647C&izd69+M4HU#zYA3L13uB8q5Lzg9{}ONP-T8#37aUx22d;@9 z)LG`a9-*jvAc(P#!K5V9cR-JpzqHv-OZQ`o?>q(qaV!()FAsQMJ5xSY>!c}}R66Z7 zY6PhTYAZa}tR*iMkOA@CL47l1vLa=j`xV_Kq|KA`0gnq?))_jl~P3+X|`pQ1P|88;mkist_cY7EFa$r=q#o zCFTnnpPIft>23V!d`#NE1NM*DEa0)z!G4@i(i{Hz`i@E4;)laOAB#8Yf5RWVe8_?D zOSG)-I9Myv_}%LI$exkrBj3W$JgW?NW{=;mFZjFzG~ZWprA#mU?;!zrVj??W%?C6k z=l?_0xckO|BGOv_qXUf>WZF-vqQQtR{QYOHFcS*@xaujfbD#isetN>WOjR3mRav%ii zeA6#`O`t24y)HVmB8bJ%j_W>J{i?LSdbr)oQ7Iv6<+A8E<20Yrsaf~S^w~56oF$*H zQUxy~dLmJ0j4kZ{+{~BdZa3X{US_zJV6eXeSswT62_Jk1^Y4jLsdMfXGlrQlT1*P1 z2VG+dB&bNc-bv%*w$3$NWnyua)bWe;d?7CGGN40GqQsgT6qq zv8GT+^X!y>Og8Y)T+rj$Qk`V}jl}c666+iN!vlG3*(`bX)Njr*=oF^6$lk44DbN?9 zq4(a?p<5jsLWyAPT9?ty5@yn_0F<19QnqE#2<}B^&*zI)rV#85* z$x1%GV)55$h9T?{lF}sBD;O8=;&khr)dpXbE40^_~8}TqlXJ|5SAntKl zv$vdwFOpC6n#%%&GB4T>Yx>Pn#GNruT3yAb7osA+z{eraJM}hQ>?pd76djdE5!i{6 zA7f3uVac<^C7}P3pFvgfK7ZWcb>>Xjt~HCp0}XvQL4OZeU3COz9|LCm_!32=8TN;;@6T)*-~v!8_AV<3qVrS89rf(9F#WiW z<<0eyK7*spwCnTKl}UTL+&FtvJg8pBMR%b)4IYu<-khkXl}FGsM54RONfSm8EIL2l zz>bGwYm}5P7C@0h5}GXKK4z+`Mo)SDn^FRfIBDz4;>hyf<#BnEhf&e1kKQ=SF=H1`38hGNrXR z;LW7UkgD4=q%-O$djMyl4g{D%1ZRk z{=hH!4SZ9M@DyJb(9j~0Ql}&z0N!RGH?$1FOVa;%kXC7IBHjt@8=4 zm32OJN13iQMe$hXtD$!L{jWrAl4@`6O6%HkIq2IY&iBmW|>rj)k z&c&khET`A1ci*^DT?OH%GtN(^)yw%aIB4@$Yx~8JZmv$Wi$r4^0X(JQE>W06Iw9^^ zpBPjx%Y3;O#K4|EK@@6Rt-zCV~VPX{}R=Zfp@4t!UOs%?Ny&6ePR={ zDzc-C;0JWXg!N76EoWXVh55mIJ9JJ&PEeK6v8Biyf-e}8r#yuqgoon_(oqDb^E$C4u^)VFgF zpK4WEx0-oJKFE${|C!=g^PU$U#j@$O@E-AY+2_>e3~?^2R18mxIWwCNuCcbP63?Dd zj?O9*$vId_ranSUt!fmTV;#C5Yh0a5nQ(;6JFcYDy2M>k@OeQDb&lfbh@YSzle$j& zf@bbTwGavbjd(}@A5W&6{fieoMzO-UF%2hfYbDVZM_?kg=FMgr!hkPDG`O4+{TWyQ z!{R4QZ%xGgZ#KjK=!Qb=S;!DS&%obr&3MO0d&bxEE2lZfahm5Sl|DBE8|~HPK_{ZHqad3iE7d z>Y!mwTpI1N=C+uMjxnITODqB>vhO20>pZ5Va{>Hlg^bDZ(&OLVd!0m}Y&9w+UH+B! zJ6gDMqSV*Ie?b`b+6MqVU;H|F;mU3On@i-ZK9-f;l6~xymKq=zv}-maBG*pM24uYL zD#gsnd}jkE02kFi^bgmgphZ#}Fp#)wJ!{=+1~nFqRCx2vi~A$}P=F#T}};J%n(PUoR>S_?Tl>jWtBKvk(h2f6S^SH`oKi zk1}mRe#fuz{xy}vFzY2h0ZQYC9zD78M`r|b__ZzGT;UCU<2RujCE|myHA;^o5=-*v z!3!Ocb+*PgePiR;gRyrJfd573m37`N+aIcoVcdGIIAIKhJEy=TmW9#p`Zb$Jx}p*3 zo-`5b4Ri6&0n!iqI0lF}@|!T|lg;I7bQ6Dm-9_P#T;s-AWfBEv-RRjXO2QqOIYB$i&O%K= zyATRLUW*_+k3d*n&`@$ZMo=ZVm*+>hb}!4d$;`y}@YF=eEK9D{8mw?ApHUtdN=&% z#%ib(g(zC-&beNq0iD~`4seed?V=G)nwp@Gkq%hJfCJrM1B@PxfX=tE!0>Q15+Dod z51AQ|X06oNt_kRF-G}RTc3QjW;}1YNxLDd@9F2X~^X9YYWtUF7uzNRDLV4(}6|ACzhUXww`*zvoqQSk89)4KR6R{9N zvcgoR5y*B^cRYAB z$%9h7t(N~ePgcJOHupRe2It3JLLR4`>@8&zcLN_qIFFnzY4E)kfG z;Zv(ii=g*xJ1nB{%RFg*#wopdWqhJL^PMn0={+GcB9xtVwO36jBy}ukvT%N!dDF(^ zmQ4{UwnYB8+>u{*>T4h-{bB*q$Z;?w6G2QFYjV!dbC$ddG+*aatWR{U?9Mt*r4XPN z`zt2*CIv;^>741d%S07Osd-Jd9)p;IAu9GaCpHWdh6!aQ8U2+8!aS6428FHO@a3gUAGi_mEkHmEphFDjSS zJw!Ke2yvbXDGH6Lz!~At6Go_b*}Xn~;Kws9#-gYz8S4ldQEgrC6j!^`s9Bv;Aw?v6 z4di>vp8+)$7_&qBaibp2Kt}xsg;M<7Hg3Id<ch4k z^VZDo!Z>?u6i{IRhL!HgVVPjg;@aHfm#}Gm$#vBZx_-jTK6F}QXqN?;RMWCye@Fjg zYB)=-GZcJ(rvW{bTf&S2GDeG)19Yw%5!d=Yyg`72eusW#EDdbQyU@;2nM5#l>>EqV zZ6b^q!fR(A3IRMi`6A+IXB4;Cerh;C0#%-(;*$U^d@_)?EvtY#C$2UO+LY~$k%%(a zso%T5SE^xA65V|`D~dybS(ZjFS!qAiNLjyGZne%<_Oz6O`l^Sss+syku^ z>lB`iQ=b3!KT5Fwt0Q&ZTZcxT>WD~t-I<`Efm3D!NDm2KT-}^f`4lQU+F9` zzSpUaChZ|lUU9%Ql`-HDVsDXR%BsoFa>qpCHNClFbmBAhxa_EGX2qFH6rE2Jh9&Mx zQ?&4xUK-?&=jSJ|P|~A)D|Y4}2I~(ibt$P_7JA0a;I?%HdFH0s3cM$p7|*ptZ^oGeCS1_>sK`NcfQ7Qw`)R8 zhH)f-M8J-*+yX9pM!kj>{>m!N7dj)33gP4t+B&$;hO_OKIz_)E12WpCrdN9~!Ruyw_{5$3Xc87!GitbH)g(nx2U&(gY2rEjzs|50nYHM7B{h z(!7m}TNeZosfx4%YgV9n#F`==CjUfcrk3^mxbVs^(@5rc|RYie}@i27cK&Ab6S?w2J$~R48zq> zF7D|H|A}%0r7wayH1JxF({g7;w9jZKK;k4_96&VbdQr(s2Q6!iMs^pP6L|90mkX$i zb$lA9qJ@+n5RI}E*QNLu1fG5^0dB5GE@`p6Qg*LcW)RTh+b_#!+mpV2;W-Wo4q57gzShZqfJD!XFn70NhE^&;( zY{i7WT;nj*;u*bIwq-h;dd+9$__*xMD1a_j=j>>Ly8?2ZyN6W}0V+&uAcQ>n|0;wy z5;H(U=!hRnm zYlJM-ehEZj>Z_U@#wf=aQ^nAIIS2Q~NOa}Nhl%RGHi{Kf z=JJc^OTwZI-&Ljj2yeUVlnfQ6c~ zcW?3Tj6D6cXTm)(8y+wJ*a&jXL^UZ-A7fvT!xN&KE>;vYZ>S=%0#JLrk5?VE6!*LF zLuk@6i%OwFXZ-$$rimmyyH6oS&HbCvesC!lWtzMC92rsyN}KKFHB+T!@1BpCvDPXc zU3TWSZcFfD;}OTuH4umOM)FQbOErs`PVdHB{&+JuZE|cx+F&odBFicMY-#Ep-5%SoYjTHi*MUS9 zcfC5^>6G8cznbZ3I_3bW4HvoIaE(OH!48qI4;0YL1|V;I{0tk?p|EMHu}te$avRXT zaP75g0FXl+MUJcq&bO0vgJFjNg~z2T+eWW39^q~7P4ucjEy7R$gI`GcqJ*+{97;YP zo{F;qQL2ft*_+5`9&>58Md+Ld9JC7SF!=Jiz&+qd?6y(5GBhUFSRKs$_=%nloIPj) zv3}QT|17=IPRb41{R`E^XqK~(?sudiv$Ca?nFJSUu^oBAm2ShdWA_;arzNG!-;?e~@4*&T?uian1={o3^ovG)YjNMV~KZI64Jnh#dQ@G}yG>6{`zx{mx zzVl&)Qe{tV>PfQx@JcaiRUH%Fte{xut_u8um5ybCHp9V|=aA!V$J;A_`aDeC^%V#~ zMVh4z(T45!Li0;qjy7CF0s|KB*c%Z&}JuDDt1)WfFfv5J>0C*^#OEvFscsNgzS=2|r zd&NUhjHC~v`^km>fVELKRLSOPFri-`oGV}^zSY>|xfllaw!QU*Rk^z0$>-c-V7>*| zOzqT$vRiS;S`PD>QoKYDpa(C#g*>>K+ocNj?gAYZ zv^dXMBEsXkG?luBEU!VHDD*>HCoA?!9#~F((8N9knC3xLQsl8(=Gu#Uu%m+#HcuD( z-W0}RF3MIum!_V`&(4+ot+0pDVo$2(l=o+C;7884#55I^V%M*Kydv7bSy4kD^IR16 zX~{d?%10>qc%oZ5&H7+CoksEuS%+_gEcQ~fznE2QV#vO~B|FW)l7d;iV*^xcU{D|I zSWRK)_;|OiSh%twzm}(!SR}TP>H^jV2-lqM_7oITi4m)o@p6k9*Uw%dCu*ESZ)$_P^S`04Fw6^0_gf6sMeWyz%?E!rpUON1zCpFZ{Ta^hjaSwe5)B zqU}Q1D*12BCIAUWJ|#TT(7E=|ie=s@39wuA%FFXK&-C{h(SBN!P!X+4x8P4F@JkV2 zf#rUSej{N@vW4XTzp)T&DmS#^Z@ndQ8RcR&ja3ROytqphdgYay9ec2;=KExhR#3k2 zF;=6v&QEVBoTroGxf}b7Ze%P3`5svpZRsFjC6fbKTdMv@Gxo#Xf&-?qq^D zDqm3?B``yhAGhD5QDfR(mK-w2eU6ZPxNhq_RoxxgN=0=QiTNDr~B$BU; z{nb=7+Yi_-gXQ2>aRpj?BN3GQnT5L8z;!!t797|@r9Eu*p0J53`hE1rH`4$Z=U>n& z=+%^i(DrUy^CWCYa+6aV6-wdsVgiUSFQ_7*Bj5VN>A0voa`uc1nKcm@XGOsmx})UzFbNr83leX2_ac64X+XuhaExbu zw1xx-4yCo89Q~E?21~U;TUJdMIws%qnd{Ejry_j+ZBu~xa&z6z#6U3L(b4o_^f5bS ztDMrTdse+OH|THs(T=X+G!D34hbaYuP_w+Ee_R%abC#O~+gmmGvQkiCj0MAr&C;7# z@4=q?-iMP-_UA*@RCf3;_t;I!-rzsJ#SKD@e^HNK)0_g~{rV5yMsYl{meFHd{rI=_ zuquIkRBFT(IL#pGGF3zDcZGXStU22I0alm-CMqrn877vB@%{ExJ{Ur!nHvU9jSQ1R z9I;S9sic{^UhI-%*j0j*4lfQrCv43_!lObI$@Pvse{3)?QP3|duhyLelY7?59;^5K zy>bEfD|ee-et*YK-c5{Bo&0)AKmV^3WQR~S2mP(f_Sw1bh))u%?O>;OkCP_}Ol_hB zF(wwgP34aG%w>i)U?-m z(dWAow(E{pU%sE}l5PBmg+%4}G~fosxWGQud_LFW1iJ29&6!;d>fr+04tM3!8wCNB zhEcpt`51g*W~Lw{wYlHC!EN?yL$t>CZL5oMu`<)Vif63NkbZg!exePVNyItN5bLkj zhndjA4Qo40qkcXkN=GY(hHZPDV!gsExqztcJ77_~UV3{B3d^Z%S}najO?vc)7$Km@ z<wr?QCR!DKC#KoPc#y zEvu+|^qOhQKE9krXjW~vaVfX#sXQRGd70(q*vsjI@AY-W2j4ARTZmyyiU*A*OYFWs zjSyGYM}YqZ-5kao1U}j8E@o=oe8uy}@Ee|1dGE15<8Lzy7gKBYFYp6E&L3vh;ZI1; zvviy52vq6n&3M>>AJ!8SnZFu;VMh*q?x#%@`|xOqiBtuj?zfimSc-=)V+I`*=U83| z5`e>oJVzvuRos7T0nAXUXomyjcyftu5C3{;eJuj>p_fj0ig4L>5p>~5EM&jW3n-+D zez>-^u&J>9T|cCj`6-@Rw_1L)^YbXnou|AzcBZl%Od^j`II9yr{Ql&SeB`m!FH;Ph zXKQ0Ciw!reT{RnV@%T!3q-XuH*Xf%tFlNLqtrPmh#Fj2tf7EXsZ(fvoPIzLazU`XU z!WQ_8<8KhZtl@3LMbCv)Xd2WZf9X!YKgv@_U|6K5;D;R=+#M*e^?u4t6z84K=G(lQ zxJBw>b+tT3D+02|j)!t3T`M)ePnZkYUI-=;jy+W>rA?`srv)K+gFcCroABck4g1u@zya5Kfeb2+T15jJlI^D@m*g1QsXI})MLK>jLd)899P_UAo=vlR(`=;kFY2^Zq$KLDopM}snp%= zw@$peKfm~YL7sKuywQMjJU3R?u8C$BW<5Bgr}~BoF^WXqM`d}KINpmcFejMMkZd%T zAAf=>#2BlytyiVrhvvSAUY)f0%>TBMZBMP7M@2rU2LLvJg}zj=GWvV3`fsz?^T!RP zsd3FwpSwg`o(|=n9td%FKj`siO8LC8{jo*9WqBV(e-@YwZWzvf!GGk#9c@Ob+@dw% zy7ORRe;@=-t^r4(9ye&~f#ScxYiH5{I+8lxpX1Rhq;-;r3gT@6+6wT~}+e0ZxV!W*!C8 zEmn- z2k54fi7XAUYPqp*7Ena0*w&9s*9A!TCW| zP;n{SbGTO+%@$>`n!xsu<+6>`dxX$o*uYuZ?6Pw#N#pW&!=jugLg+lmm(7WJC;NHE z^}1$~IL|#mT9#*{QDFSf5lGvY+y{jvm*Yv_#FNmp8L11HeR*@Uyf`Kn&_ ziYA}RM(je81H`(mljqotg@iY_vc(LPwnzCQj{w0=33jhRwO4dCnhy89bP4T6J(%$| zJV)e|d#aPTnQ3@}l|ay9JRmnqjD|MnSAI;a9JfPf&AmK{0?uuZ_chKH0~aHWVL~B< z9)V)uyFAe;t88-QGEk#;x_QKn!$&{dIZL7T1ZYKXb~|}nCM4~jd|G0zmJr6pr6w?h z(Q0yiLk5}2hHz(Vn4;#8-5q3iRZojOial|H9X^`$#b-~fN$DgHJY|CxZ);=iv@|O( z?9ZOTx+_DoJvkYH`;!>^6Z-mi#5nPWXZb*F4sQ5cWzR_);A;az`Y5FZ)-@*+f{*9) zh^(o{ReYmb!?DVIf`%iSb^oLRXkeH=S|1Y$EUasoo!bNQF!FX2=G%YD*mE&w2DS*O zKfApJ4N|V<2!U^O%|c2PFEy}{?L4?pmSAVa!pK1ET?_a`K@5p^DmuAL1l(E78@c|T z$I(Q9jL;}SqkyrEVlPTb-j*wx9pK2Tc;m3})#VJHa|60|T$Kdl;qQ@Pi`pDh;9Pah z$Lr^IZ{Cn)uobTXomFRTLD&!9;nIX>3d*0=W)C?_Hz$b3p%XUFq|h5(-A;~@?L|?C z1+&#VKQYW=2G&MV@p6L75%Sw}1x*Kd4Y536z2x7P4&YS&kDl)jWN=qC)8h@~7izq= zrN)`ce|uupo`-LPtr~9u+!KRf=YaXyPB0$GxB@N>9RbgyHtKYo&||+%yGs>*q2K*# zRQ;sU0<6R~Up6eGwpn>!5Px$6NX#t>0e&wBdKnZSYni{jLa=CyVC(NZEI_j4)Y28$M2LCVI2O$5OmImv}=3vs~&PKI9T! z^>g`oa{Tw?I{l49>L3uuOKae8%B$ut*=+!ZF`ne3iM2BYbx|S1<=th+)ouim&n%PM z(`rW}F}npW721ss%KU4>mn8(uvTPS}NKM=7j}?xHBUj*=0%cYJG=>(AKmwd+Mip&e zwh!C^j}@pi6?cA<#ky~MXZD7!{W1Cl9%ALm;&odvv zU|?>mRfFfmsYwTKW&O4^Yj|Q={=G|rb|rc2$6l=ZgPFZ~OP(RpB0l#7@4lT1&Jf1ezNymCVx0|zsOHJ_|*6q+PK zM(oh(b1lCz(%-c$o}oGu^wrE6zpX}45#>0$bTT`Uf~RKE_| z`pfQl8>9r^l8dTJVl(!orgJ%b=-{nywyt5mK%IXG94j+9J|TotB-+@0^JDYUz^*N1 z7OptliT^kfz>9OImId^Es=@oWl(tI@MNXn7{{ljhsNTl(2Gf7#V7%zt`f#JG@g9Y8&NlSc()kdWsU5np|uwlX}5Rh6N-7h$(t{^6UhGu7`zT$V)B z>oS+Pc5}}57SC20H!;_OIBDHxiKzOI=CSR=bQx4jb3UG%{!Q$+zXQV=ac!#krP{zH z{Lhs7egAMj5YlIKmhNp-IxpN9ARfl_-1zKL_}M^Wmaju2S^|O0RZN-q)X6R2V}vGQ zRjbqlI?|Qnm_jI&e2l=|YStb%+nh1u<{q_DJ~)gG`oFhk9&~G2E)=ipNcQB0Q7lo> zJ6=RR`*bw}=`^#No_8?ll;8MhH6@m5kh9>dXjqP>_d133dd%E?l_HWLCef-~nBNY1 zysVdl=ZTIoPzU2V=Z%2PKM{-ASJpegSFRSLNWzOQBh8s(EOa++*~Pr%Ak+nF%}m5U zb*{GZ{1vxS22-i!&1(HNwep^amL*M=9v|s_Rf_Z1defHh$d$a^@}@tn%lEJr@*pu~ z=P>3i;DsBt?iB#ne-GO%(5xfjE7ra=uthHY%>+jE4kn$uad>@NP1oV8OQ{=(2b-Wr@ZF=}8<^y9kmqw@RcurSMrzt-RyO?oO70rZZef9Fv!>hv?y!6bR=&GB^ zJ3=y8^L`o?>!q&_GQECucpUzl1DkDza$YPoJ;z+cgKJQ%Q^41|+~?47Bmlk0d}o+v z{dkZ3XzIG>!CxMhw@=bO4_M#!Xohfe6y9CziMt;`xmd2-*>5C1b4PiY`p7_sLm$;* z9l!hTkW&37n&#E}ufoj*gOsnMx2~gYE`Ee-1A(B&ytfjPH>TgTFiX4 z#&7oE6{34Td#va8$?=lF-%+LWGO4COE-z*MDpkas{dm} zt|{G4EZ+N8rT!tt5ODIZ=Cw(l*~h;V!<{ZAo|HBC{F`sjxpuFO$T3N#);BMREOa~R zA8j~L93WLKxpM!y1ciKH4t)W*ZufnXTJ;|bpF5Brq83!-H@~^t{P8v8t__#4p6yjL zaq!B|o+FAsGS+~6UuRBWq-)@hAJ*Un(-*0d`B&Nuy~8jY^z%i$ zvSGbOR{+otT)Y$-1j`w>0QP4(%e-zanyX#Kfo1qeTn#3q5AWFj=i--JGUs?_%(>P1 zgm`0C30s;4v$if?RwBm0GJ<}ZiR~tVXEm9&NYh(){Y&435GZv%31BBl^e`PVpJzMZ z&(stuF=U9m_itw zh`rzDag(NQ3Sa%%Y#*Z`SmyZ&>b}VZ-hx`ER==%a9)A9n_`I_55n=0r~geZLs=LnV;Pd++I9nA`vTD9WqP1b4GGPLvUa6T-Uo{KmRFLL zJ#mZ~oK4#|gWjqvX4vUwG%-dKXIR5;f>4yrzWJ!THxHAUY&PxAhOh zF`8v6)l*l{?(t<`Y_?tx1ijl1aQMQV=qJyisYsEj=NUDTG zS&AssvYuI=%dcRNceyge)4&@A9A$NwK;gX4r|pXrn_B}aA(t4AnN)Ls`~D8@^KPfVs3gcqtC0~ee5uQn zu!=au%Q6ddTZ`rOznCqd$D6;(uuC|i!ly^w2{8Y*iq&qeTVA+fvQ+xwWI*O9);mUj ztQB^0BKfx{ryx*nr|V#<27JhSoL6>;SMv@b4*yqnw$I%N(#JYQeVtj^Z+o!YRy~qP z7)(DY?hD@xzuH>NO#+u4s!cwdYo}dp@R}z^;M={-o-cOq1<4}hgo)9;e@tLeb)dJ0C~>pP1)yap5`2- zzL>zX-yuzojMcJgGRH?XIpmUHi+z5J_{K`F?(-nov+pvUJr-DUc)^WRt9c3GZKe0d zS8}3}W!Da81-K@-iGb7}P@~H`WA)S_Ss9y!RmCEJc8)w|)9BWAGBhjbgX07N9ckVjaO=G47RW%VmiP$xGDnXN|`T zCHKg*9|bCywDUY#+MN#2xhpK;A-?6|XH`C@?ULG9hQJ}tKx>ODl>0U07mC4eVRL-6 z>RIpwKJf8GwNRUO@IzB)`(jIik>z^N$wYI%I7qBOoTeJs1(zMl3+i220j5oY+HIsF zF#~kKLSLF{a7WmySMOzlb7~{E`};KCjC@m6I9d@KzjieD)H#hN_^|b}^T8OfL%*Wg zyjR3teNH(0f!2IIyn-K#uI6;)EVnkY`o-TGiPpu=rThM5n>kxWWq$*${UyOnbGoDL zCa^^s9?^Z?Fk-w>J>SOr%?m2sUkN{Omi{>+v>ja6tLR^Eh7NW*yh-#in@yIAHsp_xr;Pq zIEkk(;;VGbrQ)Hh-+wvVf-&G970cJbFQ8CaHYXqlTTvxY3D<1Yj$3EicH7r?JM(f^ zc^G@!>wu~_#R>91t&7s_&@1?F89cx#P(}8E=gp58)QuEYQs#&HFyll&SD8hF?d)AH z1B~N1AWjWErk&~YkD$!cZZqR}7O*a*L}OkXor-(<)sGl?Q>KSY(9@1BUq+^*5%Z1O z$INYRR*^O^FwrlreJOM7-D-q{>TuHXhhk|gi?!h=2P*E{=!uF-Q2~oosI|Ynzv*sK zy7eP7n$+B+ao;VvEXp%Sbn&3XJ)RO7w4^nMv70mIrj2Fr%jW;>*qBm!Jf{zb_oxw) z@iSe#oHoRAWE2DxE+)QzxFe5Y-A-Te^5eI2`G-*_A-(@3YS(hKepc>o#3g&)dc0jO zu-&Wdvs*j8=HPs*dukj>djS~dNZx19$*}zK6Mnc++hGVSU{^cdR=GQ?pq8^4-Po|| zpVMERZ@2I)SjI-n-E54_X_hjMjO;b;b|@v_)708|ZN(G8Q{Daz%5ZYI{w(1V$6WnV z+V8LUkMzIKHc)<)oQ16572IMa=s|zylMO|GcOXxIOEiU~O_9oH-AcHl-QR6m7w2w- z{_QR=ubU27OFiuUiJl8o{JjQh9pB>5Tva+6p6tv6_zsxu&+3h}hkxE5!&89(AWo0Z zV0HDFIdm_kZ>yhU_{-{jqae@cUzxl$JSdl=#;M1L`4K=nXvow6rw`di`o zBbtxDxb!h|RRKQ#G^d^iHr_PqTzI?6Xs zdGWke_cCuXFb)vFbw=4WC&h_PnA%9Owf-bC6c*n4)wcbRrX4iD5Ide|Y{pl)%z*Su zbT-~Dar#i5fw0D?bd^}l@=xtNLZP)D+(#b!i1nSN+C;-!= z0x%mr=o`R!@Q9C=+ji7Y_B`^N8T*$jJ18e2puV}0Gd)Y*ydI@)|M)nhlE3?7*F<52 z`6qoFYaPX;(Zn`Lwd?peal$Ep&C+W~Yvnw6=FxNG{kEQ7x1eb$*o!Zi0dr8|z^9Si zof@pho;Ba}MAS^T{-FV|3gma;pjdgkgy4AX#VAi~j;EQxIiVPs56oxMz5+TwQxCK& z0%p_esm|KBDsb948Nd)kXpEbDElT$VRZH_9KIJMzcZWF$A8_RCXq}USk8CwFpTAQG zmILOrq6;4k%H{v*vgOBp!gO-<#Q+&%yu1=**JC|yyY~6WmNk|?>4%?{nE>t0f)JT) zYZW^?x$iF)$4UUwRSvh*gwLae)Tr%p&5zA}oQluDHBrUkFLe|}1qd34vb5vfw4q41 ztJJqU>_|I530ZRRaSo)W483{|c7}rMe4RHGKyHZd7v(2c#uSuJk;GbIs1`&tD>Q-JM=8US1v__sqnhfaXMS z=WVzzZ^!|ipU#-Pi?r>RT+4}@u2%6stw>d$nT8sMI*Pe-yVA7*Xqce_mrI`B&c5w+Nw|@;_H! zfIw2w!COQ^=A&4YJYn#Gl^nW&Q%~adKS{Vu)-1NP^?)A1H8xm3tSg)fa~Hd?Q{?j@ z|7saMFhGA)A@+9&3C&qaKTJe0=|IXwWrmXuv2%LO99O&dfPBm&rg_Qj=>@Vz3Cvya zm3BLIyieIxn{vtwZ?psJ^;W< z9g132vqcnbZED4ey=Uwo_KFomteEf9?{A&+zVCU?k^eYHp3l1Xe(uLfVYgp(z3JKz ztYXS5*p?+wyfY8x4WQz0y`(*u-+c{*Zv+}#e+=hq3t)P2_3?d6(f!y9JC_$lp87B{ z%#i!MbMsz5DS7P4Qe7-G-^vxluZ_B>@E9n_C^r74ORDy`|BhQpAZ|7GfnJ-R%<`ZJ zzML|sqi_qc3plgX-~h-Bt~j6?bp%-B89z6^3j<*PJ4G5$K)LiK>b1^GUHqzJ(jvw(=SrX^leb($qw&H%-VW$G7qibSbv&R;j<&+ctlmA zL6N|`>uJL|w5>_z!Y^GlEF|XDGys63`^vSNGtB}|QaniKMfae>c-s>nrTw;@iLzCM z#5{8+>_|#?W6Q9XH?6ps)1iLZG}3|}$`TVcF3aS67{K+3mhf?Z+k;Uu%-4?pYxX?c zj2Co4s7Xq?<3e;JF0=bAbly93fPda~EA<@AxN`XD;lamsgFoj0T{Bs2)3h#8bv~&B zU$}zh@RP7?^$7LQ4t6D4U#nx@0wgy}&}%cds%9ExWDdeL^e-+2zKsv1eetbgd{`+n zXTGsqu|<8eK=WUdqkUyC(n_AGubr^X{{QNq->0(>;VdJ)fS+~9t7nd7Os;V)sn-ue zWzqbuk+T*9ZOH14VFu^0Kxvow7Q^dI5_u+m_r{s2Uj#S;E~pZiDq zRN9SR&1Wgk_qVsK8cv#udmjCzHG20lksJ2@DR(*p)7LL~#Vc>dA*s7qoDYG_hmzzc;f z8#dNAaz=r*I|}2k4UDU#`m>P4(_P%mdCnoPYX@ZLPqO3iLjy$(K;^8{VzG47p#PC| zU&?p5zxM00k{45X5Asl{Wr(l6B6ssennl3*S6PFtHW>g9^o%cRpt{9UO&T^Xf`NOu z>%>S6VrA;y6K17_&(9C@%ujPqUK08gx5VC#0*LS~z*+~6i6}}1$Sumgs|WNR5}TfR zt&iTp$Gf2hPE9JqoMEBZLU2@p$(D7#`PoilcbDo$AaqFoRNYzzH37&DMe6&1^}05R zw&Z45cmd%Gnq0cb{E5DHUe8kg(pCQJtyL=MMx_7#Ky-k#SNzdGGJkp>RS~aX-a+q6+GBr7d}>F#)y6%R5=ns%};9&_}6HCE6W})IRC7vB7-g_kZwgEk>)M zt4Y#Dy^HLR#%L!P)L)Q??sjG-T13ZbM;&zODLOq?Shy&1o(T`8E$WWA-l=l)!NM~D zeSX+aetgdRU33xpZs+_)6BnNKFW!&;-K&-ioR8nb{NX59X#!L1TB1 z#v>LWCba-t)u+)8xjipa+jg_a9ad8%u06ARZf-USkXEM;_dCF>*gv%?2cKTtuGm`# z6^@ORU@>DxQRNEz0cF4{H0_rK-b@HTPmwJ?rI#FW9)2=2A9x^(bJVZ%_B^hy{z3uf znfIB^%_|fk8rz+R>H57xn2F6`jhNC#?3j3-kVMc5Re%lMbH^@J)E_Xnwk8 zn1xr`LTF7I&T{@RJS@4MZ4e&V#Ek5(#y3)Lt{wcUM!#rh;5*#(0Y;sK$aT$kJ3q_~ zzR)OM1~(0fsF_krSr?8UQbv9X!RPDU2qu<*lOzrpY-6df(}-Sku3AbMKo67qvPT$L zVtF%60fBH>JcL}=a1aWB4E0Pxhouwr2hRWORd%T90vMYZ*bk$+>)4+qDPnUKE>_Yn zvd=1tVz)E*`jNZ=E>Men)69t5DfMJZh6CZstR{vRf_}iZv~HluGKL5Oc2?cQyNkOR z(hn&uQ@6iUd0PT9QC`%VTN!@BXy$+{1qD6Hn0o5D&t$P^@_ixB7yRY~NbmAWczMh- z2$0#IZZ18n0z8Vkq}shj_nF#dZ~*!I@G1jMuHxol4-s(;n58Cd0(or*vA`0(v3^L_ zi_qx~;8vYNYOtG6fd(EK%_FbE-JuJmod-014xWRT8#6nLM~fEFPCYNMi<37_*Vj&* zXHPo3;Q<@X_;`1=cBX^Rw=7|G=ye%a&=ZVSSOk=_K3Y1Keh>Oo{$8 zM`dciKUD^{BKbZ==gsK3pz|D`_0Ffxe^>V=Cw7nClocidz4Ig{`PD-PmwKeHiWYOh zV+`QnP8F5M@!*Nj{GLK|Kx(vaEy{>f_N0N~u>jUF;yVr3VOmGq`GmsDwWs*iSRIAC zM6r;O@tKolxe9HJx96s(z|jm;=JV}tnE@HBsXp|yhxD-UuF)qIuvbggYWeNDDI^0i z=Qz;NTgf*;Na#z;TRaUK zZk(on#)JbM8C}yYKPna9ofCMg@yyiGw%O_>z@{$o`iH(B1`Joen#*@Ss56Tp*c#qNRY z8b9*#jrVCapDBL_yqnj$y3{+uKVmdCpLO!(eet_DnE_pQ5kohnpJU7d@&@8YftL3moVhD%m(|cXu7>{2Oq@@g_F@<(U+?KP zaC+{y>7GV+NiHt{uQ+2jb$gkPUT!~QTQDq{@#*dPfn^~HITD;8D7q)ZbZ-&S@%dG! zmiD~N-oX0iHa`4;+|PBjBF>FZmvST`CQs%lAMKq#@-v!@vTct%{-t&n-)qjzkDtSXYK1Mueu9+#cpHFgA-6=(rb|?}^%D?`K+$!cW zwc_HXALjNg$xE0xSP@`~mc=ryFvfh-%4`Ow;N;r{oc-4!-6Fo+)uTUJF>F{x(3_kq zSaFcYlx=3@;CCD3_}cQ@aD$)u0-g3WZ~DlS5e2bMMgO|9d@haDLPG!$#U?Gd78W%B zWd27|dKN1J68Pvqjt{T$m*-h7c9Ribxm=A$wjOll*5$il%4v(} zBd*Vgs600i%bjoil3^;^hQ+qB53ftknFRBGkW5pUdn;CT*k>Yas=LF-dH?C_BnC_B zO&T!*d-jpn;OCz$v=T{I3xt}Ar}^UHkuxPD7=#DAt5?T7#D$K2^V=GwEO z2xkAM-z#$0^<%w7!7S-C6Iv_4PS zM@H&?@Hm`4?8~z#KqVuSb6s;`eb@XdmKE7&vK}(1IOSiNaV66m9ay{@mmRP7L*43e znYKQE6?`0=;(Y6Bu`>eloLfHCRaNKXjlT0@o!bG}O*tk8DtaT=nIMwF0o{5X-aaLT zbl4Xz1_PFDb~6{~1MD*Q|(WV2Ww&Q(0YozS!4TN|tJ<&*0Nx6b7%D`=xUn-HIUsV0Z;oH?E4w_TG{7>Idi z^$tKn_2y}*7tua1V#=Da$cgHO2}r(RV&|W)m5M$`p?f=%AFA@lJo>^M_|#8GQ`T{% z`Jz*d-<=TykmIcAK!SN;f^2cWgMg5NTJfrC7W?q{-$?R`hHil7$*+GdMA5}7dI97? zb8bc*n4!PLl& z?}?1eG0{8BTBjn#W`fRKOA?oC;Ogjz7WQzbj_tJqEA9VtVk`eYC$@Y4S#v6=o5(G< zu0L*08>-Mfhps|=3uK09XMBwc%!)LbiC*^@-AENvqED(`v|r=zXfqnL_=}j zpyD_TizW)jhF`3^?v2YCkw0JEZLL&?r1a@EGyeV)@lwb0YOd{S@RjRd>|f`ZBz|`l z&e76exSsg*!|0OWUdD+Qx-YQSun%9{r;H(;AaUeWcel}ly$MXUKlY$z)EfZJ0``wK zwthSTQISask-H;?*6@{ynb|x$*jMaXRWfZ0U0Sf8L~pyqx(S((R%>^^_6AMAYH1%{ zK?Q9!(FI8cC-$`)yon%^d$jK1^nBh<)@|?0z)+TxS3+$Z$@l4s^AgjKV^6|%zqLH{ zR$kp-@?fQHt6q4kr;M|HA?yd;-f{U!VC|n^TR=Jc0TMSuHWa$wF=vkvb(fEaOnGj{ z01)2+7CVEDbVuk=Bb%PWE1x+l?7r{jS~#Z?r>TN<6jpz|#TJ_R%8YA`q%7Di{Icq+ zoTY4$t&nFBk3LkekSIyu-pZ+XzS3H`J_e$?WUm#U5JW%a9G6Lbtp#Fp(~=JA9>SIl zGObMLU0wFV-w0~rcWF~~2!A~frQdN0lci}X9mA(sN_mSVX2mZ=DHi&GlSZxSmW?O3 zsixSP*Y$!lHU&0|htNRrP1?5F1MI=_j)I}&J9t0@}-mM(#I6q-J3|*%pjw0GX zjP8UCukURYU8l}JQq=J)+7Y#ON2HrsjuY;dYoDBBY=%6SYgceOF1Tv!m={WBf828H zJv_N=`F(8p9mb+l=as;g0-&l?SFSY6;Tmcf76aKaPMetSuQre9*4pCFx6tn>?;f60 z56`*OFV0Pd7~66(Vn~-h}%(t)5vM*Z1J-~oU11vK(*?$%>AZcLjsWdNmrGN2K zSdx_A+^XeT5JybdS zfiBk+b8&IovDq5Lez#OI%{zKy4(yR_mcKiY5v|wpM)>^J`=?_e2k};p8A#uf;@Q(L zuuG|`7;SXBe8}05g2Wk?xIc5f1~ED)e69%Jt0BOgA+-ha-d##uKEkaQJU?VFntbnW z!P$Hl2F+deJg&3bgXoe9yuI-e!b<1z5pN0Dz^#B(Zvw55N<(g8?Ed*k^_v(w7&pF( zob zm{3Vd>v2b)^E;|tRLMCvS9#PC@{uB}Ad=s~pfX3QYz>rQ1_MXF#+Fyb6hzoqB(bS% zWh`b&br?XAX)Wz4XwSBZ>IGBZje^#u~NsfZ^SS?4PA%8Ht0 z(?n7S+{65lqSr>Y7jj?O85v>KJt^RSdrNu2xKWWRF8W}~JtfVKV$Bn8KUcN%imhfkZ^y&lKyGefAV&4uYKUtr|cHk@_f69ySo^&_6Snps48AJ&6KW_%XJDS>C!+B-opEWbe zgBr|FzWTVD@Mv-~m^6yaHK&2dhra|w_xLrE;9;W=k&BRQ;l%s|hG=x0piZF2ZREbN zQi6IRNW&x1c7)dZ_vzZ_A~j*+t}(K@AZqxTZ=27^xR<8J-BFc`2_e6j*+jIEmDJ^~ zOA(6{2JUM2l&ne28(CuiULZLHdQ>3fX1pcKt0x@9DARW?Fvp zgrG&oJ$=6e?1p(eGJeayz%6J*)yAy!rbgmIwo=HURIlslb?=*yD6WKsHs8Uf2J0ZT_h@>J7qVj`^uqB4BPZj8&(`IK8ug<8F zaAs!|qb0z2W#?_Imnv%Wy@{$Wc|{EA?v*GJ?VU)wF|{N(d)xfDJ1w)eC4mi5(~WJ5 z&!V{Mod|yK8=uG)S<_87J7uNyerf_7-jx{l`U!ccz6Px_Wd=>@ePr~J+MN$Dw`+Gr%{wFW3RCV$XbUU!axc*|sU=9+`X#Vk ztLbL*j6Lyeb2OGrS`pnm628xT7h*c%hDYd^^^HM1(TRz6u>sWvUE!UbH)lDeyi&VM zo}#Se%=dB)wJqZlT|Do()w@`33R|WYV`blcCr*z-grE%t<+@A3@LJ(YWj)H=je9(O zLZ?=lR9{S<>^`6NY@5zq_~{r@YG@AKFG(EPk8dS(g3_ax@`&FFP*j88qd%EJXI_cH zq2EJ%;T`A%AFEq@+~oDr|08MhQsBj@i?9`8&keeA6~d zUTsGIb)=P9{Ydub`CYV}lwjchubjbfn^p^Xljna{jXa{DHXE>m(wu-og{{^nG=BFv z!jpfr3;5nF^o@ksK-yt5YSsQvaG%fxmZmRfG95>@PR*b}vwJ`8@)CMpy+(ciVQRRv zkezcLLYL%FVWaDgwmG&sdr;H9eD>rCC23=b)tzIiD&&%qK-nU65m}Tkrm1sw5Zq2$ z*GKNends<}Rc@)r{uM*%dgLF?Wcgjvx0(dD>}Jd;G?~Z4R?Ls)#{Hk4VMNjnp6h{r zz2d>_PxD4}J}@VOpolBkjz#a>4R`6fn@%S2)9Q{*D4N?Zmr4qx9{kxqxuNS+a~i^c z_}tCj|A&hH>A-Di{9>y91ek}Kd6`APN^5u`1aThU_1JI8HNY*62rcz1lP`9lT-_L= zI(MbJEQIXWLqtSb}$!3Au%`dyXGfuNkGL(IWf?quye zjHclO&k@gVZ*hIeYMmnU%Dlb9v~_(DMRjN&z82UPciAl5g5$^<{TbuFmr<4@H5@hc zdO3!;_gckp?{uk>m*&QUVjE%x3LAJ6eOBK}PmUG{WVV2fxayo6l=V%P#c%9L4Yddr z*4w$KIkb;i)liL1Xe=t=u`*xX=Y6>KiMg-4NqxWJ{hXy6PUo~Kig=~n%6G@+H5A=# zt#rTJ@1GRyZ%X=$@GS%{R@U1f^|0rz=L@DqqZ|jcEI~`ZQu|apYI1tCXnv+{)HZ4N z7KBgI9UPFpMa45*&lT^|_)?xG&o=Fi$(#=>AAL}CYcCayF|aVH;7$G!jrB*dA2_5q zrL}`TKKHeDXpff9{%uT>=Gn>}^PVQj)b0EGA0x|CodMa6biOYWmqtiA#{njR6_H?S zqx{RkuO7FCD1n)C&9wN#^kH_mk%cL$#2a)s#J(21d-EZn8Zd6+j_ zVA8`P#+t&~!Z!~baKe(zpA?U>t?;rz(nw(Qu|{fajvfIZaAKKsHjA#?bl9R zXpxEIi=nkk$wihVn*Ooot32kaM^{Qf!&nh?2Ki+)p2hr1@N(6VbM5O-;B@glKl!@L z_VxGn%fHGup^6AzvUP=vGB&L7V5ll0M|Q-ZPCCklZ;z;8xMcO11s~9mS}ShQ#an&E zVo4UzuRqy|w?=atEGvQ6;VqCq1;g>JiPf->qF-P4t!plr>n4KpWoFp2>TK!aLza(5 z(u%g3FjN{m2+Q)A`{qV;ctneS0I*!5i|V+QiEjDw<&>3m*7$Ty?n>Xog@`KitO=n% zQ&$EO?x7VH!@Z%j@YccegfWb4__D>K7I@zy@=!rZcIKA`$j1-XO%o6bHUFEyMjz`i zn%IW+P6rBu1F$iaTwx+2A^W-Hs}z>&b$9(!ztrN2HMq0VJhAWv^xG(Dm5vAs+}3;* zMDGjJ1r>nXt}*bmwI}(J?HoTDaQo&+IAUUU4HmdDB`sR^0M0?X3^}-9napg?CO~-G z?3qKrmRLBCxc=;|``TAK;fZmeaN|BMVJnA%?AtiO1j8dpnBCUh&CJb4TeJ*p(K63$ z)hp^?$+?C*=J*5RlN>kJ+?M&&@wmM?Ti%_sD$rVsA8FSWK5`kduA~J)kX_B}^I$rl ztsYXSMt=$Bc5fl&|Q^;e;TTXT$MWAvctkw|9YKdhBce=;k z1a9A(XTtcM{#!Kixk5y5fET1+E`R4#DuBjyX68ZnavxM|?Vhyz{`BTUZy@$nkaD2#Ti93|r*mhU0e;!Lv)?+8 zKa4^KjD(!+H^n<1$aCF-l1q*$i!{)6I+>#uUv`M>Nd`9G(Nu0l7$?Wpyjkfj&FSwP z;RRV|qs#`BDh8NVhQ&V z+$m4asL2waHl8<4ryC;^WTi$8xbb#4v`cE09n#c_7%J=(C29Cvz&(sOTaUJBOc+(F zpRU-M-B5bwg$?yPcR-sjjSuD!fO}L)1e*S6C@!@c>l8|mPC}YRqPKsA*NZ^3vmSo#`(FlI2_hk7rZr%EM z@(&1G72D<(UeMn`X`W-fs%YoRiod3Bp9LMso3aG!U5Ai+mp5X}LmVZv|5;w}OcNhG zH%@mLWA_3to2qQ=jfeLblgdiac_y9?6Z=z}`7)wg$4VG}?33d&w-}pF zPki%!Kt%`161EbTrag(39Z9&`yKX#16@sSeBCUMX625mQq}4^DTLP+f`sj|t!{4*v z+YjHwishT1Xzb7;H@6$P=U%XK6x<{a-U7*YXe-7=uitGBm#`94h!J*6T76s!XuI9@|`VYz6PL1%_Zl1-B)uH)Wpj zncD*z3C;COnO$l2PR^QTLtZ9)baRPiY#m!*QgieA^fs36`_8`bq`1P#+sPR8a^@v>Xsl^zNo+de(`$`e_CDnK!OEiT12y9ijr}OL%wXru(puZy z4?dhZ7RT%odScg)GnwU+FU*svdkO;1)XHI$4@J$5Fn$BWJ0S~q~HT_dyN%3V|B-_uHX5pdflW zqa!6k@Q}0>;DW_x@-v660r~+kzWIAfx+F5feKVNzCH{|Gt)1Bo3w@Z8^?HPz!k;B_ zGmNs;$nkOqmWnc!5MJ}TJ>TIWKA+}5-3A&uxUN3>#}-K6U2tdfQ3{{2fRPmL5~T#v zNhbIxv-1a6HJE|}o=*RZtE9u{BiAHfCugC;KEGu=5n0{+Y1vq!{=w)7O$V;Z-DYaA zO-puRM(fy)?s@l0Q_bcW#Oh{0qz+z)Q#DrcaN50GPN$68n;0f#6MkEZue@&UjfPd! zKGz7cXZ`r~IA1+Xit-m^!v&+V31KZ;@hB=KgtazFeQy@K=nFMU1ZhwlWEx96&TRIw zMy0%SKS%|cQ?MKR-7|k3QvSgxXg*S7!7WeTHs0o&XHoAn3%nZ00x=%p_@1B|X1rL{ zT{{-;j4%KFI!&s=w-AOy+xz_|pNIGT%jeWY$K15MKHoKa(jUC58-5@cJNDjo9UUMB z8GR4$Hrbe6oB^;t;%K1q0q@pTs)Qe-ToiB5&9*1#r%~JCUtt{K_~ov(y3N`qv7Iz} zl`G|ZVx(JopO3pid~rUM*hpN$)*Q&DtC2~%Ct5x^XuX({SXbCHWaP)L=t_4@GS2QO))&KG0} z;iSIqcs|~eMGN#Rd%aCdn80)U_dT$tgU{riB4c-^8w2|(q~vH=?Qpm@oa_;JF?B+0 zho`f&{CsXmg}ZdE6Qh{Hnti99+nZ2jIC>pNZR^8&2O9ACpD7WH*mEe<)-SXigGy8W zbbqFY-=D^G_om`ShaM_;8QyiI7`65=Z6w-?WYen+>9l(fU#O}nfOsipzi~tm{K~>e z>$PR;?dQ)MQW=vukEbgJ>^8S&JWuMSeikEw7CIc8S=F%1nDA(@8&2~xVa%T*@!%rK zQuKiaMP!XL_46eq1O!vt;On~;#}3LZgD3SpT(QMg^mW;R=v$s^#sA|4pxx6xQNLNL z?(oqSO~8X(s(p}VJJ6A&KHsJ>mgwj`oHrIgG0_jYG%n{oM31c*yD^jA`qo1h5#Lh( z3T&K+dX5JOu-rc$6fD3Co0QS zYbheAMn4)ht?LPKDTGC@f!;SXzInFxsUlETacX{VjSj-^C$~SpDe{!6VRm zDJDb?0Vk$+TxZbTiT`byt+P8D6ZQP9M@0$ot^ikz>SvF|MB61YgYV;2yAl(BI|e9m zrJeaSCcOtzkl9ULs0)Vgx+ey;7c(RJ7|?6<5S4zPL43Z1Lv~9d(_~;?!ly zN4{C&hnO3GwQ0_-5)a=LZpUY`{R+BX=Y%s?ODj@1{eGdpGp+0Nx3gK*rWw>jJ`D<0 zh-PI)*;h!tdC{U})_^KF9MYjT_eeq(m#P?1`D4zhgEh^ioD4Q(L!d~jPMgMY*L*djf?S$I%f=u6$VsAdA z_8v*^#{qr0gJY^|Ts3zno7T;VIRh2+s1^-|qZHKCc7=8Fl!53-bEo(cdA28z@xX~9 z1aV>ZO(T6dU;ZeL4M94SLp<4UyuzQiXHY)!*tejpRhN#6DE1PS&Haxjm;<)diI2}$ zD@=eFWLl}e=G)D)=C<$}hVh;Aa)S8@qsDizO!XgWk9CN}v{;Hcnxa2|?tx`)z(OA7%?%X3|p}ChfQ? zjf)}@9~1on46ODHd&iMiXwSuh+J)LU$$1g(dj{$1c%Wp`hE|M#Vi>qP9PoA8DdxNo z%2glmx(UWt7T*^Fq5RpF>3b}dmuj-i zltp*Q$y7LbN=!!K1yP*T#6_z_%B@F}$rF3jTlMeRQe#JzOM~FaEA2wd7N;f$;~yf7 zU!hQG@S?rxDbjk0v;$Je#*7c?O8AaD7r$`GAlX6Lm>TA{7pWdEw1gSl;vTHdO?pLBhD7LH>sR&1l-buyROYwugN!Q zJ+Y)I{RCDJ_Yj^=(4aqU@b4PrDT%!|z{!>yd$Qf7I@tAiuxll{Fm6suiMSG*r4$qY z*Yfpvm%bc2CYEtab67S&kkVHqCRX5@j>b0~i)QSaL-%kvCGpFH1V7|#%EPy!a`%Iu zjwMuFM7HM@`gri~y);y=ow$D5l_884ba*Lzn$(tv`tzLKelL7oQ7Op3_@h6n(2%vD zZ@Z~-Xy4=~H4%lK4!2)dL92^idR7a5-uP$nQjI^$n74=D@X4)tKHo_si^r zCDVf!^mf?n0@q>nG^>tR#JsUuE>{DSbLIU+aCNuvOQ8O+S{Kz0I?ouiC1O zyZ@5&h6RTOH%#FavUszHQ&s+;U{Zaa02kEMOnAPKT8Cq)yKQ^7To z>=i2g|NgY7?eagz5SD8{t*5uoey~;ey;0V3PS%y>Ua7+PJ53QY#LaI{cQq9G2Ymz` zDD9>*6r`hwM+eMcB6E0XN~cA*9df6K81$yY^BP697|rZf6+h}`_jc5%`vu)Hk7b3X zikvFXJl{Dlki;rRnvaL?wj!kl=}C{M>m`+M{$m$b?(^dNsODiAyxl$erOOrs^Mi4I z*(6rZG~y(>gG7+#C|$Ng1Le3wGNi`ZPi*E}wAsc5OaCT={vq2un@;VX5W=Zb48GHj z5LeLy|L$pydj+vBFUEWShm27HL1Ikx=pjS=5AR-(_%xYKedB|YX24(dXA2+IH8~}W z2X|U=ZYPcR<5$!)b_6uW)^tsiRQ>nfAYbyNt~Hxc(qCkb4^XR@+}jowzs&|jB%HZR zU*f1a?;a0%e&TikdPM(Q-V4q$6GFH{`TfCkY3WFo`|l!BqUIc)DeQPKruj(eMD%n1 zx}kgLh~Kcb%t}n-w*hZ$)UcqaPdgzx;O!j(YnLIddLUhf0NdSg<+p1h;Q@rGfW2Rx z_0Q#_?wa3DebJr=aK;q zb2G@=J3f(-j@3QgWi!;LVg7=N@XDyLh=oy=+c`+H{luM~TYdOBF zI%I?JtV6gLYQ=6&$}%Rk;sNBC3QqC(lZj+kNqBtt*zGr(N6X{Ts`F}i*-+udJA1l- z$=*>^mUZ7D84yl`TGmYzFIxYVNF|(J-_iuxR^Wyd(ooz_76?MH&OheiWohjl@aehV zn{0tZw!9wg_v*QS?}Del6GJ_cag%?biuy*&)(DBFkLd-xkdkoKwv_%t7Tc>C5bMbT zsuo-e`$P+<?5hm+Nb?{ZQ!9@R97X#s)bCQI2O&~EYx z|CDq|vdE!KkaQW7fZ}$t10rW1lqZL&D@7(J*3Og@92Sx*i(t9puo@pUWcJ&;_ewm( zKGD-TCWfd>23;`^d-PO1?tYZ-`Xta2J{!4RcCtp@NR##JYTz1e(W??6a?CT<$(N$K z9L8(6-tKCNw(AxhT_$F;8N*Inh@l!Gl6%Zidn^gLV3=MzlX3CuU5BB{Q$YurFM}iY z=BA>N&)PrPl}U0xt8=-@pbL=z*=2g%Ik`$R`{y|b_SVtv?V4~THeKv~Gjr70{V75cFmd47#m&)xm1 zk|dstlrFXKo;33A5^E!v7%Zk$uZ3dUkKclfe6ck&)&F_u?dUxCrf>Nl2}J^fA^<|8 zvz&ypn)s*h@c@o&h7?BY1jh`=CyNJx=LdO-th`FK0Q;Xz@#0Uhjf0+*_@%tP?01iL z=)EhO%hn*vu=4)8-$8e;f)-&spzs(O92Q^p8%Ap_u7K^$N!3xL8MhXVy*WIHZ|G0 zQ~Ru11r4-su({Vg{-V=tq&|h!GC90#gM0%Nf}>g)d+g6KAPCIP5a+KUACs9;u zZNgWs5KcwhaZHbr?;ZU+c~S^HpCjK*tEb0+-d`CCYn}RFSU56n!E?5e zOX;#c81y)9dw!T<&~CjF8uOe;G`ofZaX4PC&p9%YISBAw zkA5^9sY7Iccq9O+jickflqNu}SttFS{z&!NLYR(KOrqc3Ds$J6joZt6uRedG2iaNR z+C}3}GLJ{gTCdOsDKKtPu=`WSbB9(0#n3a-v8|gf9BZB>11jZTECAK8=rSKBOkaPL zS8r0gsC~uf7i5+Z)d0LYpnscro=o$s6_u^q*&0f@0Wm(8ymRFIxx{A$e<$XyaBsoe zCxd%nj-$_C`=c?^+7ka$bXHg&W{dZ~htuw@8dthPD2YLtV%ZtA%G>X$-!zI*-CLlc z)9W~A=Vcau{LjC3-75f&f4|bP6tm%;c5KRm`|x+7AUAbS!*TiW3F{5h!2k+#l)$1Q8i-BQlIMq`16Q{bzuN z%~bC_OIHHNIx0OPQ4?BI=(i-Q%M5;i@s$e_fJz}4eq8LQY$-{maCX2En4JG>6r#Jx z?)&G5wJCCVQa2j77FCPB)<*?*e3$>5yE}?BoXmood(C!d=FHZ!)!Mp~GR-y~72n%q0r#y=7@y=6*e3c4^Z$)TK zy!JN!A)`C=-FG?C$s_a1x8xCeoH72##FbENmrK2Wmp<}k#h1h_(+Y^@|HhTPVL`|$ zssPgJjwBWw{fjNfkx?ix65TQRNkQa!IpH55PeFY1bvE@w>$lGWk0qbbTful{k$&hX zy`5McC8J*}4Gej=`>oVztt7pfJM3(M&1C0*tGrl{0ZeF2x4Gl z4I8aDp^cQI3W68y&u9IACZjiGzf%hco5VFz)=>j0+hOZ}+pzzO3?MepVnA#pMv!V* z7#c;rk(w|AQt7Qd}P#B9xE1p!g^|hV43qzxn~(Z#;P}bugnJ5*i|`~27gjLxpdF4mI5_j3b)s4 zuBh89@YHHXO*&B!737>72jwY_RFkRZdrO|xv~oFnQamla^px(6$~lFQ-ueix>AoaZ zdPn(^d=edYB=D$;kfP=ZhA7{7NREWUI&9>py>-HURX6vs>m`UE&j87qz+O7{(m9o!2S()Goqd|l#nL@uFlX%D(Mh6E{6>W0!%LI`fpXy*VFpX7C0oXg+IUc9Qj${>xqXn z_g5i}?*g+As5|!y7u@z%T6|aCEQ6kE=!WU+#ukX%>0XU68pwn2`~`Wuo`V+%&sEoTsOx>WXW>rHYox0oLF z*B&mwakUm*WETkXncT3J%cBTKZ5p`3=#rjr!PUM$VQv5C-D}Wr>#M2O(cZslM#f=M zA zpb#9U{dyrvdikGEpX=USCtw`8UFcow@D1Fn9NQ!#K#`6%9Y?Y7h(t(=VA6&3lyWv-cWeGwLsC&zT~OiZlYV4 z*)A{gFQAeR8Z%+U0x000wu#mP_BA6jkCd#we3z;JDS!etQ>0`R=y)7c$d~Rrxxn)g z)fyEQ8(p&BR5n1oNSCI| zcPE4wSBKFAs5A_+mcma}O z5X6U+oj#sE;F+|b%pr(bZc_4d`94aeZGrrcn5ToB#zLj(3w;FM(+9tR}T zEKvN15PAX-Fkyv<~!R%W|KM+Sfc~(Go8*4q#aof+`Y!j0-PZqYU`v2 zFbid$J>6{3QKxpzyV#D_@OO#f`l4s{9YUcgHzN`%pC~?7U`btl3Lgn?T+GReeR?x+ z?S7m`#0`$7?YjwH+@%gZ-M~)B|;per|)vj<~cVL6fE5Vr0ut5^kSD zk&M7e+`w_SoBF1pG-Traw;OY36)Lpzgg~yMjC5+EL9t2E(Embw{{!{?*QZORF@PuD zBS|&<|*RPGYX`h2O$9J9ZBshb?Go7B-$#+j4{;!%YPSx zpsa{|WCSWO{z?Dz^3T3~WRNPzXWZ#pWf+^th3B*E%#1(PAMxNe1J92c&}XJgB8KC1 zp^}9|f5gWIgL#0-^%aB|`YC8D2w!qdbj$W=cn~O2N0;yH04TdFjV>kMPSeF3>9C_^ z|9kxz$~feHF5vC%0(f0q-SWdLh8Wf#jf|`_GQ79t=0hF<=pj2C*g*^Tuk7WfrwR8@E>#43RKFeJ~6VBZWZ70Uo6Wh@rXPNl zLar6rcP!m+T2R@bTSMbG28*=a&=tVdQpxfWXv-AO4i`cIGuVk{4dtDfIl#rr*(}L0 zpoK}}YF1jnkxQ#6^o85whHSLTt?4w!R=?pF8YAv~3#@O#)|n(J#Hm}FXPl@Dt~vJL z;$^8EDQc*)s9K2yKqny+}PfZr@?~RLcBVG8=oU5ZtCsyL#VVDcY)Cvi0S>Z zhKGp4%R!}5zPf|*q8Re0?9s7;K@2sqS( z-v%(z!jj5*E==3%zpwVnC+dWSsq2J^@(PhrIfPvM553)o2#^S%z zDi9l`7eSB6i4yS3iQUf$F|Rtz$AAVChb8i3eRfPv;lEcIVw@c&*5i{29Gx3;`~M;s zg&FO(T?3YC@<$N=gPi;qe)4}m=?(uODS`_<5>zciL;p6NeQHYjSxWk^{T;fFK&3lW z_`ZfDoA$? z4H7eSKcDe?&U4Or-{0@NYrX6C4|K5*xIb}Sd+%#+WF_L8%2Ynpt&Vg*8HWSNVQ1U# zzyhtS$IJa-l4ZXnUS3Ov>~nU)n7q0%FAMp2R2~5{|836HaY#NPxjt=3Wr$ihvGEm1 znTP44BVcs>a`$KmM_}+`e(_gPmRs@)wL|9Jx2-0S59C!>2_BVV#ZB|Y(w@}%=MXA< zyji)+5r;#a;`nQbGRvoWn#mf|PuCAbwVhIJ7rOG`kjySZ?DFhrkM^ha3JJRm6v15- z3j$&1Z0mE>pQi4dCm_5y^238Tq10!=AA+%cMZPj2zTHkoZhW$}7}V;PK$^cQj(7AH z68qu-p;TRqtO!lNrt6km>Dq>MUCb`Ycl4x|feH_cHCV-3-;m)SzPUyHd+&qZorrCF z3W86%33^nM>8`dszs$dAw*orl6cfGH!g}UV(4CR&W!_#l;?rF*6(e@}$ye^rM&pLt zH&M3;ZV(h?V4>15lBi^YH6mf6$6x-h_O%au31{`x*quqq3}VwxSuh;bIsBgjs2wvF z54el{J)t+P&J~pRCXyum%F73#lXeA3p6im#pC^4prjqs9QmucxUcN}zN5RSixn#aU zfUGc--11flgQ{SLH?`7|+V*P^adzV+s@^HbW7*@Ss(gQ5G_!fpHL3Z!6`(z72td#JFne%g(g1~h(|BX{!`!VoVZ{}luca{LM zH;#I+s`}ERXFZRQ^GiN{(Y%$)xIN zp}idC!WhNx@nku~-y}{%n&;NZtP)*Ij{3oT##TgERy_Nu14rf{8AuqT^y|`m$HN2n zT@6z7Adv@PSE!;ioQslbQ=B+t-$Gd2wg?Ycdac)eMSf*t*iLj7Dium!{q%3dH8q%4pVUnlhyJ#gZPBzvlFm?hoO8I4i|x^@2=FUjah=* zyI}r&T(K8m$A2>2I=XoG z`#oE}Q7hqO=RLO#z2YP($i@i9m4&KJ!bHEBFs^*~qcu6C_n^ZSb(sp5cbh(?H00lAs<3sx0>=3l58yx!Szx8-a8qrhLx!pto8DMy=R??})oiYF|9xHCsca;|w9wOcd=KJXt?qAv zsC0^m>Uc0$L;B(Yt5{K<23fj(`I)#3R2-4z+;E*^yk;5?#5hW)68&m|CZM(-(IFFm z>B~qp%63uJp;tfhMZmWEIp&W@69@}2YS)XU%R{SOd%b4Qyx{;K$!XZQBGV7$8Ph{B z*n+mtV$#>C6s2PBXhY2IO<`-Z4J%tYfA4&t`IzGov@>A?Wt0wC67L~Q z9RyBYHj~E6Y?4@-n=1*ojHkJ7p_9_6OS6Dpp41-d^9=NdiOa9A2jvacS84NcrqHCvS)oZ(a!klSsK+nAndekcPjL}BiB{1* z7*x^=$yuO|Vk-6cz$pZMyc>}IoM!Y=OPY9)S#vCU3uQLnw=Od;=ZEVPIlOh$5%IG< zdg)$Xh6Gj7i&=;UDTW!6A@sQv&}Mg@S*-j^cm)6~fAHXA@Fo>Rb#DFFOKi`cJIzF8 z;8;N(BAea|Vl{5uq{&DyYeVq57uT1VT5hMj%!!5U{dyeT?m&xKN&UMNS|X$5$RCbP-EA zL?VjC_eM-C1Q%hkHNX*0ZAsW8FY-%Cq}fumhcU$YDpF%HK+P}@TnDbLha+%X&)TJI z?frDDS<$h z&0RHklBivdMXp-(;qM2SL(_PR2e$X@B&j!mz^BO8lGbWYyC=q!Np*X+X1_w-rq82> zn1Yt<4*@1c=ctR5<tZ&#X)S(7Purk`r>myOQr?0jUm zZuGa`=MwJ!<`P1|+;NHOb_-15i8yoQA4l-xvoYY!s$ALHJbA3r4QCQ0<(FOJ{}Uu^O%BP_W2R zq#L0ZVuym4zsFYHDcvGA;TCe5msc3eX8OjO(uZ3~h)U1<;mj=rrF9lORB5ltEV1$y zXQ~!Yew&Tm>1dO%^CrLQaW}K3gRhqXRwEFmYDS?D7yJgNp)R-65r*F4CHmxCS}yB* zM16=zmv(&Vg2HZnlZX(-wFC$I`h=XdbG8hX12B~LWsWWW2D2?|qJ2K>k04{nEpsJv z`IisV5Y4g-y5(rc9=#3o?29ECr^mgp2 zpg+yg|NLSGIPT9tE&3DjDmS$@H z=a^{!oL`)>a2FEN8@e4r{M7t3r!ET8qq9Q2V^eXx+$^V^u{jhz>`)W98Lpqzu_~|R zEJo{+(R@gMg>XfLzSa}*flg&kdSMdvLFDP+^sSlJH+Y!F8Yr*(_!yWPH#FTpRC!aby@>J;;lL&5w2V z?-`=dWj}I)F6@vsY>~C#qbN`7iPtjOC7qtUm`M*4WB{P7#9+Z7NU9SRsJLM#e$Yhe z>wp*^pAx}e#|8SR&W6KZ_EPA1ZlOym0N7a6o6&$^b{(bmukSVg_jPXPuM$qYXQSrj zyYjno-{mrr0@a>o{et%c2X-dXI5Oa#GIZtHeS(B6UkByR_u>vuZaJ39;sQQiuFo4x z6PX1ZF-$)`nm%7g--y|^Iq8U7oZU6x<1?YsyXCka{Zfu`xHnCP(Sh@Ak+a{3^UkPB zdHbwLLVw;*@QyGqN40cj1@ThDd_#x4Up}FK_p+HUQ#z0m)@X<6?Rk&GlJ&D3nas~C znp-<~L@wKV%t;Cba-xIka26W3b%b2Am`ypbBl67Gb-xAgUtXvJAv^nZ{p+VwR$lmn zV%&ODzQUDlDm`J<`(M8WAn(Vs*P9Mf$HzIFczN1ed~RvWIDq-ST`qKr&m)&`-(cDR zA}W}`=EvYlVqimto{iH~r!NF{f|NywAAH)vt@tn;%7%Tf2GMU`fVUeGuoD93jv5Zo zcE&&fLJSljOWWPXLjUtztD1iSXcym-oyD?+_M!4Sp!<9bVITQ2Qx@EZn4oWTfnv(Q+2gBPJgo{v4Eso{rw)LB5*`r`$rAbN}>Cs`^Y%8vOlu20NNpuwfH zWqQ@>FoQZxJe)W6TAessD3{{ny`GCIK+)UKNEr9X`hg;I-g? z-vq^%A8wAAL^0a|FoHs-c5HAjtxxdqePv@1E&PS#sNwdfVJ163aO4l9;ZtH;j)6h{ zEW>b>0<$}qUZ?Y24n`+z4hR%~Ag({2+@wf58pyf5{Zx_p0fdUxW}xk`$xXr2>%SUc z{6`}8{*$%t$3iC7V`QD!UrraiE@UQ1ixq2J?0$0gf$*z}6#A<2hokup74fR91R=yN zXm1*BnG)6vSyhf#I{typXjh)j)YN%Wf9Eii6c&Hd{Oq{M&@{(~SEr|UPemN3DYWwJ z`C-5GN>*rqng$Cf% zcD)wEdUkD6#XYGtW9o%;YF6lHwcq(~i9W9wi$@5NP->{t3)#+|Siy zk$T$(UA)`kcR-oltX@DoL0$T_RXwGKxU;Nz3!sg!?}%&wsF4z^wPl4Bnh|@N18~%c zqGzwzf1O+3t86%Rz;jp)D|$LxUj~L;k83PXeR~Z5Z)-X8yHe)to{bI+A3Lk1HC(?} zQK@1!{O_>X|3GBhbw6W6+WKkTnrRhPFs6wXj~oax+sIc6^%o6h}O5 z$~b2H!8mR}>!uv0Nk1!pu!w@Wv;C_0a`9(Y!_|lFVct$Fltw#=`JukpnSy6R-t)X< z8qsH47fqtB6=bHKFs;5eY6g5!UNnhqz^kwADlHvD2(E#xFx|X{durQOP;kx2Y z6m?~wbH~%7H^psp@NKt5L0wfLXuBu0$A5V=98cOGB>EjD&Js`}WQczYWSl4Zt|Y$2 zC)^!BKg3t-vzK*dn098qSV(PuY{BQT2r#;&tQlA!RyEV~4)IB;uc;}uWcV5m!Wte{ zobkc2?`nR$YsR~D5Y@iv6j^8isnmDTfSFp=xt*F8b1AFPg)d_;iZo&^>sP_gWgQxNTsimYWmw0j9a#hB zHq^vwi*a(~-G!y^Zx!iH zeo)~|g5nghYcWmD!w=35zYp^~P3{;v-=6@N&Fr-sR5;jr_!!gsg~gcp z6gQ9sx(P5X(W_JXmX)_{_woUTJXC$$8ZXR*dkN(hfDW@_U~jvC=(`tSz%=Vttahc( z=AS$Vv);uyhPv%URJdFg`D&E1YU2o1}TCbcEF}`q$uV64ubt&Y~$&2 zav?+$*;|kejeBrq<^YIkULSPo)R)5QL;{&b)wU-F=tbZ?2qP1#ymR zepl>0`;*?9M2eXkCkBT4t`Ga#9)J+NhgN-fMu1>h_=1fGAiFINKxm6z8N%g6`h4j; z6VVU^2+?WPabj3Wqg%lEPzoigtUy!MRl}Sayk6o2mub$WBlj?xr|$k$v|!e(c;?-{ zTO`p5tj4-H*Na(j@!LWq*L9>xEEnYL=ZT8%ex;IE=v-k3UzF{{wzh@Z*GibGzCAIA zGMZ8&(aH51tlAT&nIp%S1^*Lh#F$|;=088DI3dHV1sayZZ)ar%_?yc1!G3cmI4xdk z+Dgm;izrk{qdTDXb9G7YQEh^EgmVDsSEcO{9E%^oZNbN#eX6`c)k7177w_gD(E(E7ihc7rU=bvif>+i4~y z;0p)YrG*>=$rt?ME3daR(#YTNIAsoMCG6!!^%aUV*pi;QT-Jx5SgC}nk43imOWWS= zRqjo5anSG3iJDlZEtFrG*L(b_vmn~k`i^q&gBNZ6TX8w?&auecA|@-L41$cig37v# zZM1V8iYCmwv7g6LzSli)k2~85+o^9;V_eHi(=|f|)T*K2;*MNP zApR~*^nJO!4*!1FEB4dJ!25lwVk+fJ_{rQa5* z-yH}x$R_YI;N$1KzH_ofrz^cc-6?_(Ltcrfq0%dEY=HFS?aL%w=lE=t$ye_EH5{AZ zO{oMatu$9LIefz9wkC1v`JC^=>Fz}Ez?fD-0txO*LHlsg8ufQ@E-&Ef-l0QIhe*rj za%u1AN0G5X-6pq(OL6_Y)Eqbv!Q`>CqOx<7Jj%tCD=K_I z$w)VY^eNe5zrBGLP}ZaBx|-xb*>EJ?@PSGs++LnOaeI|FqI{v1(bC_2{<)J|b1f z8gIiIoDnJh`XK<;f`JQ~T@}C#>MBbmztM!ack`~SdWMLFU-g8>JdTV zp=6bE>*2y#JfFl&y^mg!4CawsQPNDpf@r1M$U0^Tw}EXb^CSGOpT+mpzJJ<$^CRUK zS|{)a#ihKvjYKnApb?za@mGP8s+dufyWL5(By5oz$ z%E)tS7_=m^WvhUiBxFg?LDJ{2%ZLT<3^5DB4&ahe(&yXK(jzzb?A&X|KeGZkQuiS~ zm2tIqD}YRpt`KyTL)Oox%?(YgDhnJvrjAdRq@|0uVQ2HOA?s5B1Spz$0M1Hk0{F;N z9K&bvgQT9eWlynH`mVUr128u*=Y_SsUGhil5Lm)IU*g+t?K%6?LxD1r0u;V=lE=&Y ziFAHH4EM7?y;#T>-z>N{TsZD;wpa&_%(Xyk>T37mxewu_!#p)Z6@?Fg$fj~MjF^q~ z4nh?uP6bw7#k%eLyE#V->4$@{8&c+fa2p=qR6OMBKLF`ee%}!ApaXai(eBuN_Zo}U zH0!R1SpK4-BVbI2Pj>xnJMJ>f)RVPwgD1@!XPTOl<^0iW*8)k*EsDeea9<@ad=e*+tkKq$*rdov!r^H&-x&%EjFxG{y znH@gkyMEFma+lM8*Y5xG@5g$L;xBdAJT-U^AB)+jG1^==evfd_X|!&-P27_Sg>X1# zsxrS^jkEmKLTwNOwGy7q+*08IsOiyQXntIO5~u5+)%cUb`^}8d=VLrVN19P5{AavT zQl;}b1|b}>dJ-Ht@r+XFXn#@H3JWt1OGA#9X!T4-hFhuXSy=A881D#}Z+PsHQfy#M zlynM>V&{DHiUtpfviM8h-0Nc6`^ya5Dmnb8PvAQiW*Q!2DwHwWEOk5IqK2=Y670t3 zcQV#5E2p&ofSoUNm1GcM-`${q0GNZ|&Jp2lN=3F*;dMX7Am-_pP`oydNg*bI>Av(sJ1oQ{5v{fiH{=CHDv} z65a~uHQAH`394J5s`fR2o(#ZFpA+Yg+U-B0#CeMi-1P+Cu@~!<6@6vRU;&t%t(zXt zS;l8x{UV*B>&H)XKzF~vm~D8_g2W-D#?Bdxla`2I*6@4KlUd3l(#AEsl%c3?95}hR z;89I=Vodc-{{^IYs|&!0?GAQ9R`=yCxuiNtB* zLczUFGqjKd*k>DNOOhhq^PH?=-k^WU9fxl(ijlmL1X<$@21|u&OW@}ZT+7ZHZaCX* zA%kxPh~%{z>i2J4dilI(gvj)h0;NYgh=+K#c=WP1$;TDYX&2g4+L?>WZ)2&IGK zU`ZPUIBnql{e{0S&Aq#dgfEeeI59+2_ONX8JNNuT7@7MTF=-wi!Tu`u8k;OZ9WFuFqinDFFQt6{ z2>cpn?Fg)0rFUedcN$*>3&qVzEFdK>-{~ggM{7Jrq-)?>Si_^sg{@xRd4kzeq8Xp( zZBuc}D=J{EE68t_vVxh)r3sgIJki}zaSVy2!J$Tpqr2c>ypLuzK`BXr#8^s=UsDkj|=MB?JqX zwCzR5xsFBQYnD^Xi3f75b~4bZU?dMejwofsGj2&B)eAwzx82gn$#O@dHpPmj%j9)x z1acR#G8;ic;Daq53iyWDuK`n-`mWz(hX)JYDw=kUOQeR0sQ_vrKpc_?-Stq$q>wf~ zVl8wC;u|1dw}PKMv!~Z+%-stu)M|!c`O!o@zc`S&kRW7>I`CWT^aRXqou`Tyu))`m zY&vZ_KVap1Vm9>n41WjB^1?in3%bg#-ANT6fAn{NK(c={VUJtLLy1}9e9rGADwpBm zd!5?5W`6{T24?Cu@RX(8^(a}W1icUzm+;smMzK5r@)XI?8(-*>b@`QMq9|wT?)#F9 z0JjDz(p+d3yi^N3cG-zkNd(?{gLuZV_QYnfI(cfJtT{OPP zlZVJ;t+AT!5uzGbw$x=vpFgW%zkrP0ScNWM!9hzGTjOn~2FHRe!M4}}N5VgAQ$QdV zmQcN9juyJtpeQ7i`*+Ir+J`-J(OTVI&({XH&uilM>mg^oHFL&;Yniu&q=7!kYcxi2 zi1oCWwZQn%-0=1>DGRB9GO$U`bG_ekzXdF_xk$ z=N7Iz5Ml`aKrvUNzJ{&H$jiu~K3yTe{h6pPBb-3i63RVG{o&*YZKP$NDM55&)_=Z2 zTzrTTI>QLvKIlMw7T_iNjc?(f5xl_m(WC$^>F!$*K;AwR^e(YV_rmWV@IR5r>j-@!O9IT8k^Ug)5`+Hs znBw)wUo1zzgS8#ndQK;L2GP34DdBZmNQM#uAvqbUMsxI)Ul}wbByTLd^MXODw*9#q zakTPwW?ROTIQXBC3y2sZE{_!zBfYj0y!L;#=lrCHkInv*BAVv&9-itMv^H)mmQjHc z6MlvmqGVumNVSfo&?xujE~C`B3EUgFOjse`@GXWwA7lzd`f88u(fa~Jf=rtzn>AG# z78bf;X3e$aSQ_#lCP^NP?VM5hwxTyjlYAgk2)6Nm?jh?oVdwSSb-4Q!(RYduLq3m^ zmI!vtEBe#xk10Npes?bFct~4!MEZ-CSWHEue4QTc|J?e{Z6Ml+rFmLpfS@wDr9?@@hb#HF?OL5KI zxcW6BLQj~o4)hd7`zWOBxD(c_wW((Kk`LG%p9)gCY%)|yXFhvjZ=wtOdcXaZvvp;)=z&> zNbaYOMjR|#?j{1w1UY^6s=V7gZ`UQFT+ZPyOreSmH3yp6a5UJ10@Ud{imaTXwl`2m z{n^N)0Uf)b)32q7T?Vq}DX3w*hQ4kO{(OA)!gmQ!z4PdM;kfSY5w@B)U>O_kq5;>z zf-su%;6bMHCv3}@s#GA%HA(Nth<#cdEu{H*KrlfRUg`>R=BLlSgbE?pY$i%y#cZyZR$cBpY2IhGOn>PAg?SQndkDkb_p!JR@Xb z$x_wb>CzP%Xa}`EN;)zTt;<#&UT5adV0)ZEV6df(H&@e}+{-Vp5cp_A!Zj!5nOHlK zHC8fMVdG8yo#;9doTw3)%Sh|{7Zk=K+MOgJ)j^<3doV9fz+%%u6FWK;)7FW^jI9Nb z^0QRx5h@d<%bOHazE2fkAn5A3m3lmO2$9yXZ>;PIZK47R?4H;E7#^(3b zfpLq^_;zW*F5QeF8R|gSTpx2zC|c|65VK@PFGdNl zMBxVIz6WD_VMJ#=>EZikOYSmqYuj{Q||LAr?(%VR%lE;9CLU^y`*n~mPO z)bWG!O4s$%CebWk{b2I@1*$&RlN0VU+j?<^MJ~6|rdVa%sfk<3(15RA()Tbq9Sb3? zSXVp2#Blp@I&{4DD#_toF>a<~XO2@?DX(f(S*vnDx@0=HRI*cG!#y+l;evq zo7ECJ;v{l5ol&Z$IuKY_VhsAGqPUu1`3v^p428ygjc123RJf)~uZO1Yv`nc=yjx1V zw@7e5ci^nd5sz=Rs?}We52mK-Y4$<4zA#>L{GmqAec|)r?_jCt+cq#Sfb|R`Xu9k{ zN310z{J^;0wO?aVCx2#^g} zn(-4=SxS0GNJ16Nk(Q`FW-ll5p7dF|kbQi5vL~79DYDI+04wZk?%`rhz$Npnjn&Wl z2D8Vt^}UGR@gc@QA4EE)A}qKXU#i6(%1-{|2JDBQZjtlCYLV=zm1FQ@PJ@3mwIECDP<3qOTQPKhsVKScVxc%%M7EaoC&!TV~JM+O5yau*rc~ zFvcS+zuZZ<_gvLvOe314GmOQGOO=QI%L0%lg+*VB`C)vp^`uf**(v>A>9a!e4$@Lh z>C&w??LTFx+R|d*2)S;_`GpR-m47Kk8GO9|&etu(8;l>GT6wu#W=`a5bG?k5>#0#h zzY4X@{tuIg4N$3=^?E$&f8O&Do%e-5Vf<|jY2jT0+mAXnfmXE@2@oE@Md^^E{F4<; z8XqAMGSUr)Ne$I7t<)W)<$K}{U9zpP0K%b?9;pa@4o;a|Mt~O&dJS-B=>rE3j>fK% zHWrCwFk9v-A=`-VSC_EGoZ9exL~)#eqV`!GJK=*x76Pu;@!vHU-hcOcI?7NNprB_w zgrCT1Le(w<+2_y3{+BBBUU`rQ96U>I3Bz?;m-HKnH>2GkzuE2f}iefVpl_WwFU48N4>!*6xCx+~-SVp^mssHekr4Km)Lc+gJ4or?OZ=w~V?eYTvKV{r6t z;b9Gg{eNok@C%z5dZC?YtNaF5kotFLZrB1e?X>6oP&)56GA$M+RqY9_#oSO+l-;dQ z6tMEAu?c0oOl42QmSyXh!2xk(#{9r%ovLU|~ zU_o2A^m@8x?)3b$;ao>D7dJBswB0hDi#@DovnM{U#S&_TY%t=$2GHideb-c-{+Q-J zr37grUc)pa&RX~2f3Gd@lEw=C{$`b?YfaaiE{n~C&jeo+>Qx?1)v6aqFf|EO9AcVy z<=qaJ<8lhCT2wq;nZ6DRMJ|6=1S6r;ueTTErBas@SbcbN?m1z_p5;X3z1Vk#%k$^}>QyWcNZGJ-YvD%l0jzzh3W<-{dqEW!+E%C-VUDzr^0DS+*_&6}Zl#+tLyDrav3El7 zDE~KjeCok>9*RxB^W(LuMQ}}Z9v*e1opj6+1G-uDDgCBN6atwGWx&%T48CiXzSe0+ zz$%01?fFUCx$`f-vHn!;Cf;l7AlOsdyGF{=ov1HqZIU3kf<8YmI8nl#pStWrGe z2dmu%_v~Ixl|3kMH2(PpYB6@%gN02H-7Mc^Ys+jxb!P`JEr7iF$;XO$bnS!dP}zp? z_Ml^t~V@ufOT3U%Itn`RVmsx&q{VIu&R=SqD3$UbJs63hTjQ)uF zTBLp?psI`0_c+kG86f(|ieJ~t6f@@%&LNF;5oXqOXZZ0#Osvne{AhtU>QCm1YzMFj zspsT@v(#_hR8OF$J6#E^xyYJ|T#9LByulR zxu6xq_oRg%rsx4s-iW$5!t1MCTZUYX@5@Kr-~xIFFeX>xwatW zci8y0>o*=}UX6|je!OJH?9@;a&s$7KX+O$P5q~M4z6aKQL&)z-u=L4n3tnD&!*a;3 z_aS8n=?l`Iu3#Kd3#noXBa;TIQFVx4!?r}jJwO7uj|8uu?Khln0jY~s)nI|07J=>Y z9scMNL8_h#Gp}h~8THiNWY`Xft2dqDy;?C|H>MEJQ<5;|3HmhSF8s9KOPVLB__ELg z@g-BOI|F}V27NQIfC^S^UrmvHjfEO(?9)Q3@i#6}R3Oq(zc+mb<>BNcFnhP&aI@d? zoL!3~F z+#SLBOS4TKE*zMP8HdiiXS$=dC9jld`NOg!m`_>E<|$*M+gBbrg0<*i;F^T{vCu1& zTJGdns)5<*(u_<$2WB#+Gm3~oc2@g&dB2WN%d}Dd&2)4Nb)6aaOd9uWXw`mAkSWL8 zP`OP{cO{eLT~3)xkdc8{;7uXsxX50UOgeVl)=f$wsq4C!S*7~YII_V|7HD5IZ}^6` zh?JQrr&Ig;NFdpS%D5tW@9P%Smy;GDcIHCQ+BI4^r+UG}(<;SxzJw8TpwF}wIS5z< z>vHOFDNPzW&rV5iLp)|@A^z(*3T;#AtWV5@11E-i6%b1q?5gRLlcp1P_p{t53(2t| zSGbib$@e+Ty>Ko{y51AsEE*vN1T_>5IKGBwVJu)yRUI|Xv<(((NxoTM5(%dF6rXL6 zINMG$N_y#~J9W`n%9g#u`8w6;{a2c{&F=UXx0B9~Ew)T&ikiMh^!L9D}B47mL%BM5e zmykQECw9ULR2jjF(nq}yR%)I=7rNdOP!_CS6@sTMGaK>XZ0_0AzVsoP3DxODvGyZN zb5cE59YC<~)w|(MQUtGYBf9`Wbh`Q585;HcCErQDv${61Y{BoJdS;Uz_VM7%Mdem* zpxaE6Y$JQ|hhS5c*#3m`TC#qsDCu}IUSyWMl2WM6FC7*z-YhNf)3wlsg-Xaf3^Zap ze_=G1<7!b)ZBZe@{NQ=4!%F?z)?xDl?MveV-*Y_JB2>pIw-dy}Kr5Ep5PIk{L9t&9 zX8ludgiBHKqklepu`k}+3TD=UG_FCvDS9Q3lD9O-6X!YdmjNv{{Hv}gb@~6$78WNH z?;*ZRGz=WMiSaj*4&3y`2Aoh9KiQJS&4k+ABl?$4m@m_>*>`aU`_4$2Sy7IHtq?&r zsN{=SV7D>@f13P)U}E)|KQdscdve;%F%Q1Q*33pEzd`7vqp*CJMl?f{nHacJBe_yq z-`c|l8OqI8e;^S*=vAa(4(iFp@r)lIbJ=w16ZOn#=}3x4dw%0fgWHDsn)Omo;lGxz z>YR$c=1ua7qaV8|ES7;IvrgQ;b)|Pa6-Y5RRBY}6{!@g}`;jZC1EQ2LT0auZX~t~r z6Nz0RG5CZs!99F4HesFArPahf>eek%1(9uIb~hk4-EwH%)sRy1E##e5-G^@o{(Uhu|DV;4PDuNkN~mCiZC+>6cDGd6Osv!$*>{I8iu zix5~}O3A~Q$EA^#+3{A9q^f0Ftb}sjK>naN2Ly$rZ}FjHgZDmd6WP%AD5jn5sTreb3j|5niW#7N}%}`LSnLt!N>9@R_IMeT2NPr`NzRws>}S$BX;+ zU~-Tatk4>H{+XFxMOMQ{-|$*gzOPvPiBH^V)dhr?X|vcUzZ3W`VL_xhBnCoZsA#k1 zT><%dcZBp#_lToyuh|4@nCRTvumk6y76_2P4WSn{*$hX3V^Ig?-<@?O4go>V{XzSN7%Ol%Cd zfDu}tZCbEK0dI`?LHHz;%sI}|mglEtXNIOv6<_0{g}xQVok}N7^+@maN0`~D$TyvX zVP{*pVT$!tBJy^5Ii^JlR=;0Y2o(-?J_+voeP5f7N?)9l(nzH*Iww%P03J@wDc4%% zyTfe+Tx#tX;{NE-_&ioz&80pY$VuB+rhTg?h8uj;I~}mxF5j6Bd!k^f;3wl(5=hl! z*6FCK%QilqrP1-H{2c$gIG%3JvwS##M8HM1-V>K2k-deE5!M4$@_UFJMlWvt8%%w6 z_DYxR4I1r{&}AU#FVLrZ*8>Li|%5;Rn7pOEE+o>)P zvU4?a)3#h`xl!G-y>8@sPB~b+FSbcPy`etrnd+14HkhlWmG^qMux!mJ4?o}$Mfg2$ zdm9_JD-3x@1vk!zSYMMWN;)D?e)t%1?cvR#&~{SP%N44X#K-_GsS8}WX@utw%^&)B zFi^q#2qFommir6rT=TA4%RV3oA*3*L8#Uwp(7ih;E(z%yD$rjuB|A(c#&qn=$HG`r z99scOCdmU)vVtiF5-Jg-4_$B|dhuaN3HqLTlCWo0!t&yuxvvWA7nt7cu*>N7pmx|l zf6#(pX>4Q78a2MPpf`l)rqWH;!RY@XE&cuuJzEYQ7$I)=SpAkmlNVoMfV66h^IT-k z`eeb-gWq_BnO7Pt#7`r3yFDjfK7GJuhSZy5!wC{xsN3mNQA{-I?mQA9d`JvUk=u?W z4NGwSSWjx)Rbwo$8VKP2<`A!`t1Tj5|IDaLLoh1oOQnhy7FC{xD_#NdC-q}&_lS5y8Nw^Z7vjv`Rsf<}TqR_xCT zKKJc9y8I1TPH)OuU&oJ?xYvrKEPN}iW3)eK`>XZJRI+UA8!FJc(S{)$m-b=rvq?6hi4%!Cq ztf(->n)clOwkVzjCFWSE!UOS!4b%jW>ftkA;1zum|IO%3(DJTwc39R_!tEfXAFGeU zVuOp{P#(6#b}E?nbt%e)KNnz-={wnc5~aQ7cz^8rmHTW{*yieYXP1E;hZYC3dDsAUqfmcg@vbN8N^|-WG@56HNyOM1Jud zCymD>A3k+w_d-vR$sTF3;`To7ecm~XjJP%iBg~7>JL;AL_kV+@nD72?B%=25nwNX3 zNY5ADe12Hp^SYHTg=o+Iw#@r^m(TIi_%mtYyq~fZVwuT=RA+i`&l}HL)H$|qoG&E1 zA-!Q@t6wwRjQ7unMA@}7Z5_UzZ@wzO+HyXLui(w>Dr7O-c0cD%qn6cQ^EyAUtr5K% zwqtaHp;Z)N869yNc^Ul6(8pOhN8WPD=;VhH|1@HerZoM+SQ1kK{a2u$_33w*BL|E+qM(&2-UA-3uBJ-R6uyBuSzuWt{sb0|A*>}I#gJF4y zc-{D1&)p}d*7yzKr!_P&8FADF=?kPcCa6VceP~&Iq1A8L_fPsxqSp77gbdCIdR?cQ z89fYEIBO|r6(Vp*iI1 zePHf%!%0_J{=vm((eInNqYiFBUp|dIK8V$RA&u6CGeD$AJESj1i+JD^n>wURvs9qN zL0i>*U*6R6^mCtUY+$)yj?sw@D+_Hmvb*QGQu!zx4H3^;Ya+XC$NXRqKhZpC=HPoD z5_W^)W|!eIzA36kdK7}~nlN|Zjcmuh3$hYDwvs_l=08HwTG(H}WN~{Vjq6tVCLNRV zua=k-Lp1|un``seMv0NzOg5vXX64hq$G-%wAvXHc&RhtlCb!;-8mNe^J+{sEUG*02 zryR+ow4`09D2Mzk{YXY#Hl%axB?K`(_#B;a(L$}^7VG;q-~oE4ba|O`wxZCrAXNL5 z=9h`q%8qWr9JC+lJ{2~VSoWTnuIH;b1L-2WEhlWK0H}`B(mCfkYAj(^v0C9?Ykjj^ z)n1)d7Vu?D0~1<@+>)+?D3G?7#j@fZdxyO=~@v1|tFad_=9k zWJMm0lHbTRE52`AHpoRdU=qqgkj&&h;V5z9S5f_oq}sVh(w+3G$h{BxgCP2DO6ym_ zi}>?q+Io%BJCzsON6Ab5+d0JYHf#Ize%S*_b`pnO;#p#BEfTxG;=zZA==U_PcwCZ%tPBre^q)d>?ln%Z)F$GPduNA^k3qp0}w} zOGZUW(!pAHGU`mJ_{KQg0JD0hQF0bx_~p%#)Czwm7v)K@vcb#ft74Zn(_0V8V*NUa zEaFcj?6J<&-K@|!=)BPqCk3~kFV-}DK1k@L>5>!{@wCC9c}u}p+7C;ndAYn8xqeAg z2KUT^IO5uxcRCdN4ZYLs-}iig`-;wszN)r0Wq68v{^$9Yc)>$O-##v(Lq+%!v#1@e zDJPkIb|coWnKLb{>R_wu-Yl;X?ek8ab3HgNcUvb)qf>1P=1$8twI;x}Zg;`pW!oZN zik&FmAm7=RUqvbJHoI=;m&rh7A5CNE_oqA1xO0! zKs3eH$?dLj(+8l8!9NBi_|s4)e{X{NwX-~6u%Y&I{R*am|A(%(fQmAD*LY`W1f&Ec zhY$f7LO^n0Pz0n!lrE*Eqz9=%M3C;0MoFc+L%K^sy1R$&`;Gr|&pCIkbJwiJngvTl z{Py1OexK+0y$ZIz2u)@tr8%f~x*w?&0_OvkF-^&QBk;fV_)LOn!8oX*0`2%~T50$0YhtXmi*dQTmO4qR#uosoZI+%0Sb7C%vZZ9D zfAHu5KeqYGllB=!Y?P7rc_$%VX-L4~JvX2<-G)|P zirM^d9>(3e6n-QT%9;2m;7sSU^K*fBDr%E*9&vcUw;On0s5zPCTmKY$A3o#L6yWAk zpHtgVTi;(KC+*DgjaB-46>uN5jM4P7m^(Z% z2oF~O?7DkU0V@8tcQ&6jYYe?^k`!Ci2d8el2y@%%P~uRl)7mU>COhrQJ`6kL(9?O9 z!g;??Xm_Pc_6pIp0!R&<=Z73V?#vEd94?Cw8PvMDh`U6NV=DTM5a_)+*$QX)kin%J zwQm0h{h8fow+E2h$0ZSG-$}hJJ-3%j%$#0lrq^I5p2RBbm7p~v8^8ye-`hrefI4+_ zt4zU$&ho!s+WOc~f6(;IVah3kSVHSi7c@pxDxT^d^)kcdH9inv3APx1CH!B{hY$%g z4Omxt(pEfOujr~+!3V-6<{}E}rJ#dZAbTFirqoq6(Pt<8E;azSDgiJmSB9#>4q7Q% zbyL#!J>fgi?%5@PZOooW9Z+{og4$A~=3uAUNsfx(2SrK!kKi?P*SjJY7<;vQE3~z? z7AbKd4U3CfEsnddWT@U8$3qfGV<1#%g~W43S$MhGg#tf|&lbpgD|j6UU^cBQ0OSYb ztXsf|FD1Sh$QI=C0*SD7l9gO}`x2}b(S+Ap`$@<&SME;}l`=LX9zn@v^R8p>gE}(L zd!KmjNWZA^pn)@xhiD)uXr_lrYec-Jh$Xf3}=ahLLuq+MHf>!F{w> z22!u0Q=slO0pW@_yU}Vp91^d4UYsxIdg~u_rB26ii+|Ox3P?n)wiS6s&J`2@iG+r#Rd8l7*!Yo&kx-2gHMlt2w6 zx`h9;QzYPdXZT*6>3m;pa@8z-_emQn24qWn$Vb@IuK%-FU_RPJVHR5Sy_phPYvAmV zOAkdNfH>dnOX_Q{Ewhzf;9kf}FV?O&y(H)b@PTB(6NOKVqtY^ zn98T;@d0#vGEgksf21MLwQ=iT1*m$;vzFzX<=aKKzRw@vR!rkEzA{xk?{A#2N#xCm zWBO(PH@(j1c|6nu#v5_3#n1R_RAl-zuXFHjN6h964-3zi>BY`o-MuOg`P`zcV1!Dq z<=J2rsT-D;E7C-aa=S0Yh6P7a`<(56p)g!C>Ikqm7oi&6dFDu& zBJ?#n4EkD&X+0#W3emQZ4;Y$*rre3_A)Rp_>P*?;3s;d`;V)yDdYp&-`K(?^ZR`iH z%{kP*qbW*$h035wa&F$dI;bgZG>zD^oWvIArptEO<;?_2?%H&Wx{;0v?@GkBM3#ib z)%V%j2|6;gK%KkTQ6V?L7E;V$yJe!D%HZ;0IZ{5%`y%_N@%T&NY^JNXkFmyHw9WWV zJ@>C@#uUy#y%0}VB!~gsEv#d@e{x|vg#S1PIw9T|G;>uIUBl}CY#ez?*d&3KynO{m zyO^jGd9D?7ujB>Z`ktj!qL!B*{bb$yrCc#WEUb4{I~u7Mug`DHQx+|MW8W1`gEC2| z+D<<9X~1s45dFCR6;Y12N{vTKxT3B=1M#CXCM)rh(2E(@FiauZRw6b z5;s=(F!|WeOXt`Nz~JpihI?ip8F=R5+iyv8C-AN>t^j+BQEbVXVS$>>gaB<|$0uRy zNsK%z4`4>ed$O2r*e&rbqo;KP2S=ovUCOJX0(a%>byiJ1 ze|s!qTq$2EZZL%5wt+{>w!l660d4IKY3ZXAfSK8#-%h+oWSoU*S4h-ZuX>Hqe*Tv( zH^l^KhC~P6Y)*e$o{+fQE|mvD#^ZO8)cX^nzpmPU04UTq=@|VZ{rYsy=STw3@|GNX zmmHQw`1vH=4RsjmF?l^+6PBI}uY?mR=jWSkG)Ay;gD$7mQ+z=GV-+{CheJRPCLMq% zWE3VjjvoTY$S(4j=zzF+YUMTN_7A%j-uN;}D}9X#&d6cZ>L3^Ky=0ad*>-3_dAB@Z z*p^K>4^8hZ_vq|0&Kv$=HTIT-Z@@Z$BF&y58wX$aB97qKaTRJ=3P2c$Yn)PE;=2Hs$7)TVb$>S1wIl6tdy z7-mCH7wvd;zl$7(?j(mXUEt?4sClez!Pa)H+ud%7Mwc-AxV5^(xoyoE@V(d2MlDsB zl<S00A{?c!vfS3=k z@B0DaiAD2CofOpZXbz&nA~JoAv&F2u$XK+ZA4FDjIwKZuC1s0MqoJ$tklJTCvksvl zXT@p}X!N%^CWMB1kUeCvi+LbcQLd|b-@kdO;Y2=;ztu(dx4I%@3f>(b#G>4R0;SXf zr{^`|bTQ(iCBf;izZL>b>eKf}Hk{rNG3+nzDK5)sba=qwQ}^Qjy-AlE_>vEsvDOfV zjq=d%VZ)P&;{}t?T~?Bh^WBBfi42$?K7D+I=c-`pgm1E$WCz!`v%Nd-rRxm7ABP^= zNY{nBjEMg4qslcD&-2@n!^L}myuv&4vc&rRoTKf3RXBfvs||3v=>_*{reI=8xM@$m zdJL1tgK)rvI-=NLj2$`&X}n6v*8XZVg-Geld-pq~XizU*I_xrrzkf>C`BUu)U`_EO z<@HqUy#E99#HC|Y5DDKq7CN8xU(3s^~45LzY-reD=2sb z16ed|sMtU9Vk97xCZ=uleHwWno;FP}c#YTvM170hA{HJ8{VnlXnPPt7z0$idG^UFM zdT%X_{^e|E+kL4l`Q=4*>h0B9I3@#2B`vl@4$vu-0<<~4bS+_W?*uO_C}<%!R|B`6 zI2js$%1##m8qS-sQKTPMbK#$M(&gAhS8iRJzm@$%$6dsndaDAa03t^ zW_I`yg)m_e;z;y;x6>K7ImRE^l85(ccC2ZYB>$`mMmK#%7wNQTAw%1#>q0RPu4cOL z?#z{5az=1X&rsR^tD7dLw*mA15&S5RdGTc?wX>=hqKkNCYlfbS6uVMyO?zlY9sL6e zR|!)^7q|lUU!r{@gKQkG_|?m&JHwz3!=tY|+W1o7D>-`_4;|0chY6K#*xyA$n&UEc zZa>2Y>B4EY ztj4sUmLSgib|HUhna`evmE)WPYDO6r1+R{z6>GNfoAA-XI!L?m0ur4+%rg5s$R&)m z6dtmpOOUka?=pt2b2h>&*qwQrH^Q}^9@gH#xnEh~nd|mP`u}`2!7%-E_p)-2eO+Rp zK1nrfa%$3TsMmp-{$4hLTxu70re{FWq6$B)7mj0cszp%(WQU2X}Y z2&QYg3w2uQRCOSHG%EN)NQT3d5F;F$0;F`|FRY; z3p4q0hA9oq-X^!fgiOiplLum9C}1In*mm=W#sP5C@|;2y$9JjnFPX7VM1 z_P1UH^N+^%m&Hf|v+av7a6G&3WF9b7J(s%RQ?g01-J>uTpWk;+Jx0oRe#2?iJMzl* zPT?A}AdiS$3xA?xyLo;P^6>;FqZ*WeGs}hb@Ct;D8KwX&-h6wtZ{)meX=w`Ze+WLX1%uW603W0mZ<%uLak+EY=w6P0JM>aNq@WXQsUb< zLMxth^jfDzmY|7HG-*XZJ_6g|kAM1vPJpa*{)Jv@9B@$U%Icl;j5Hc$K`?9gF~Q(; z9izELZ#x1Zo* zI5#n&lLFh_6{aw*k|e;YM_dJf2&=_M!Q)+0sypO`lV~a*I{eoC zO7xJs;Oa64mSOOX)$}dcp!uEv?$_SekEo&of-=BWi~G^!j;VL#U2hxkdi>?RyP}~t zoO*`4UF6gvW^6JIh_kj@H68!)73G_SwJ#Y8jCJfQEX0vSmH~~ti7<`u<#^!k;5ZNq zjKgZ&UAejFpK-=&_M0y3vXk@qrEEU-REk27BN-0rY6+X|!&_Qud5682N##mf2|jQQ zceTv?pQgh9_ub$6CzvDH?ea*;BC;1N&0o5sBE=KkB?0Btv&88w$sze*@_P>uQy7DP z(&XVX0X1{mD|N3Re}D6_N~j_$bHK-R9wh|zUEehA{h#3(Eu@2QAI}zlq^8E$x$iJ( zKo<#%0u{da_a-y|QMfpNr{M1hhI1{w)x-*d>b$T`N8?KOq7t!(%&2{~oyiQl#)D0YLn?u@nAClVm$5hIudc)%ej#cQOJjOSZ{-p%d0d^txz z;_F5svOFdZ3=+S=jv9R(p4{&Ckx<10!b>#!D}M^t66IOlPIHaJk3SzM3)eh&1~gtv zt}AYBz?!r^zT)Fg+Yv4&vmj-mhMM(eeFdNGKP5}_?mZP|jmp=TW|s@QQc`0BKTR_G z2rs-I$hXUjTwCZQLVT_cR+fdGY~rMn@w7B%Qo&C{QBMMSrRy@>=dmH$s}9v`3G(q% z;FIrCXYP}NjW$N51$##l^pw2=0qX#}kc;{CVJ2q$fy9ObrwWlZQ0i$LV$W0^?yGkD z&y2zogpuNZ*>32Ja1wF!a6BHQK-d|^0_Ujiz(p3WhHF2WP^@L9ULA~_FDYGQ{Pyd7 zie4)`pU#y*w^G7IO7^>qbl*m@K?Pn3AH29&-Y~2>YF0;gKSw2f_Rr?;zm(}L$tdFT ze8f=g@>BzHPS`QU=XsCZT|J|WaI3B@^-`QypsjkCU^pY`$|`UfNLn{@^l$5$0O$4y z2m0W_?O8QKeTOu)Or|apA_YTh1uR3{O#!unZ11Rl<~91+$>aQr&laZ;jkCn3n4tx( z{Np>MX-g!+lRP!uB~O@VAC*^&>i~zUxPh<&<}&bqy|nZ(N@>byMcB28Y+z=nhMJ_y z;HEY-7OVmY8B6M@<4;fKBbWYMq+!v$UErV&2MlW+u_i+4Tx0G~(Nf~qeoGVsp)U71 z%!>>)v9I4V&pv3PragYQh|RQ*eD_8{G~wUUs#xJauf$s{#u5#VWh5%j3-^Cd3mvq? zm;N#c>sSYKV->YNQa1(36cu1CcW&Ns%gJwn=jOuKvGbV4Q%W9c&T9J=pXG&Ky!KPj zzDiuPoYWnI&fjg4n-@Y-H&KI7EEFA+#H=)(W}2JW2LQ~$E!N+CE(iQ-Q#f2XuE`UA zDk&Lf`Vf4eJ@rn77|dz4#_~?A zxx4m$;zYOYuW$xR+$O%*Ua-3|NI2+N#H7Nar8H?tG}I+!>t?b?h&d%4#aFvsf~EO* zjD+0UBd@FYhmPLI7KxrxDIzlap;Ln}BOCz@x4n9nJN&ZxkUGIuqX66{q7kfb5*zgi z4$Y$d&y2bScD$;fh~U^}P|rg~pMvW?k%-f0Bz6gz*Ks?Q$E9uBc-Tz2i1AU|k<;5Y zKmlCOxA(H1*q@)ldcJqQpGQo)t?lX=eOqEXQ7CikJ>gviTtsIhXPtzh_ouWI=vk#} zF+C6VU$@ZGEc~;u_rXo)dS4`VB8ytu99h|$36!Tj zC*>ih=mck2{+|t`vrb*uo7I@wYRsdwH3UN1o!&MNl^Jan?AZ+9YH~>n-T*As!0Gf! zKIpur0Ln@1+mk4$GZJDP2a|=-oPh4hQt2 z+RY;6Ly~wFn3thLvj)VwD%bnQ;N|z2;(oY;Q?1Lws%o9&(?_p+6j`_gg2IhTTAd8k z0jzD9n;O@!6S2rr z5|b_mZayg8CntMVZ|nt(8Y$O4Y5K$At}Ti~{g0p^+;HNaH8UP3ul=+J815oyPD(~9 z{Yy&jL+?xXck$T!g9pjq6@nvj2i4KvmdBWD6kyjM(x4pzUxcF^_J8A}_6nc{z0aC} zX}q=LJVIc$TLlXIW}R_)dzrwlv1XdmIA2~yQajW zdA%prF42K+o&v5URo%D0tuc!V^jb1eN1F6oc^s<2`YmIpe`XTMrov`|T$H{j;OOGE z%p|}F9fi6Fx??E+0B`Ufw`^%=4w&G{zw_zQq;+Y#@W&*%W5JigAhGV>!=7fHCCPk==fd78{NIm!r5$+>+{ zBDZ=SaxtH*VD)+2E45rnlaC{E>8F!^<^gO>LNMzEev_f!U>vSJ0APVI`MDhj=j&Cf zKAJT?liR5b^45dv<&~7&sj+)^K3@BJj+D{sXsAuVaCd3UwyyWma-u@n{mXPsNbpGu zOZ9b;!4oO0(s)W{O=1)OQX{ETz|XBE2Y{NMf8B)lV6b}aU*3WqV}IG{Imi=F`Kw<8 zKN*pR$=PX#r97WqX;;D7rr#QhPC2h(1g?3`W_H=zUPQIs>JTL*NZ5+qzZy`CZvCba zyy#V4+fXSf4-)^&`i)(i%ZK6IPvVouBd?D@vlG8h02I%pEbs4q2J01G!ysVpI>o7;EJC5W-qlIBlg!H!`R;q zL7r*KK2l+cjBk!A9E{P_(ysHcTRfwjbypGdlq*;X=pSQc zRzeg1mkRm6TQ?`7|IR5OpdSi`v&c6xx&D1iNi>iUVDCooZ4FSc3=YPL#-gRE{EIJ( zEv=sRzhmWZ7s4{X0P;_Q4WO4GtcX3=JZFEb*3vY~w+?j0W#nR*sY)I6_8dIV3ZBXT z>1Hdy8v+|1<;##{j%(%>eSS~dtStlnhLzB(ZrWh0yPk?du6S}B&y1P9t;oVym2tmO z_dIf$mh+a!DQ)G&fi`@!0oDj(I#_QdKrkTQFZk6-cxEciss8 zqC&?7OOHB89`x;)Jf&eqZ+`4yxi@e)z3&mG_tlhy6a!!aiXQL06VXTZ)brN$>qgiI zW7qomKkCPxRM?Ktm@{6E88p19AW!pe$ZiyHZDMZ0bP>r1+Xg=Zr;%Yh@ki6ABWF&X zECC^QAN=UI_idDi59OqJH_UsK^IN(&CnkE|+}Xu3y`Xc;~JI$I)?2Hq2~uI!CK6)6P2A zLa)Mxc4JE>u21uE1J`+6{H!ka9tL+UwD0axvhThxaS@^il|GRpS=Z zes04uLRd4;%7HE~s^%}&cNGS%eqHG1(UUT&Z8hR@_Y30<{$_RRTL1Cyyg9T=OZ1cc zp>&YB+dcG;BCU^L#ZaW@zf$!3i+xJIvp~tKVj4*KrIQU?p+l{mv_>gm-@)LlZT#G= zl07L=)cZ5g$Xw2x?rz-+>K$RRYMv^N5hn;|`ZD}b&EWt;kzQjQ*SYWhr0~rDYnmBX z><{RTu7Zm%B_EthW%kkM3&mgO2M?vLT%;CTQeo+c?qxN^8YA}VSzCH%iykU;THLD- zGMkXf0OQg?hchf}Qiy@4GOrYXzs7S(&hE^oBv>@f<7XpNi+Ke6rg!*DUBr$Z-31$U zic1aBx0g^Nfz7mX7vp@IF6gtBt}FlP%Jmy4;9@Rx7crXC|MjYWj?qijgq%sr;qh(UZY_zgStwkf+kJcF8iV_B*mgX3YIu>VyE--!&X#9eM^K1*#Nl~*@c*w`0 zM!d!R%W7R&kNo#GiCHEN!D0Unkf|Id6JJqZAE%bQZ-n2&%|mb2MAQn}8+JPVyi(BokBo4pm$bmfpd%-yth z=k0rQ(ecMz6>LdRG?QbMW@YRoWGpo*8SQFmFk*mm(<+jee$TH+uuAZomT*r4PCG`hdZBpj}9CjcVwDS2mhS8mLnXwWzpn|yit-)Sr!gZ|0TcXj> zsd*X64 zUzm7RjCSCJ*lh=uOcmT(C;*!GQ3e{^@_gD(Yqgh#1ro9?4TKdNUMpK$xEb+m0bDU} zE)=6~XU8K?Kup;(tDVz#W$cP75&-eLt)i zxzJR#Hvz`i3A zf*IXFrGBiQ9Zk)m^*uetBTCP2T@&1DVs&SpxAj?s{jY|@-P*kd+z`>=mG2p;%Rn&a zW-HJ|^!gL5CLtihg2bE&E20{(C`hW7=t$SqK@S&$jP+`xo-+qpzv;%^}@-j20I zW(2n(2n<-mbd$w~Bab=f69zHOgdt3R9cy;P?HSOrD=u>jV-1{7u}88H*0TjK^2aDNApg}mE&@iXuIPu z(Eb2yYWor?C%`j&8Cb5_5jlnvvo_J`@hj}#LNJhqjVU-W@C0Xu5vR({T7{Kw`?+Oh zf?opW3rZp)>xAL{e|vx4ojS8Vl_{`LaoMC%0M4%rHhH`8|6T{9W_n|AZnDCHr5{U) zB?Z5D0ygV|ysNT9!b{7*FITdqj(;YntkkJ(e3-n?o#LVlTWtfBE^Az>J7k5VgG!z| zbljzpSt){QA6K9|7@E}11=Wb|C|x_w)yX=UpBq$1J(%>kXCTe zNh$@|{!VteE6p8Ok34t=qQTh1dv+c$rz|;|*m7=M@FJfyK_ zy!qBxKDqjIXcOaFiie$;H_f43T+#k|M^kz!G-QcX1#2-gMKyfrRwoR-EeVheA#KmJ z!-5}LQ;_kky!+ZKg0>R+*$;(!1I*Q=pLSvKL?4R&oeT-DPZW+r4L1QNnN4DhRx|3q zs-wsQgSi5pDDrXaAde_e zo;2+38}k8m5GQ(@vgr=v&mNdG3~A70a0Eah-Er0h`9}AGWqB5htK0#&PHf(BrWJ<~ zcm=!!rqT;nf&c1opa20-dvMRLMk2bkf$&0A8Yy%uZVu;d z=c*hexiZ2zvL#mYd{NGhrtCh~;3LkUpt^fWHn{RXLH>tJPrsss-y&Gk<7QA#$-QQE zRcQ>CiCR#2;S2}Bcn2cBi6@z`@{lu)-OdPMm*uFgwgK5lzPr_H95OnW2VF92ls+rF zlfx>ms==`}yWTveBKh#=K$2H@nsqR#OK8i<>jDGKk2HXJb<3yU6vVrqeXEmPPxHG_ z2#S@Wj0au*qu4UY49XOuyB_5JvmVU6j+V(pt>O}T zON}LQT21nKmzN^*P*EE}W+ zQqXcT(syxV^5EO%x`)#dn;lyMPAl6V2gk6VDmVYw-eKwG)mI^c{r6AJ+?BBwS331! z&=cA4-OJZ-Cn&U}ERaFP)`7{kY~9F@2PnO3Qgh#wjhC3{sSn1a*6i^LoaEPf=Gvsg z8vof28jtlFpJ2_)HjTPfwJ^F455uJEycZAqCG3x?IwT8_GsrMCfYivSE&OrpaUrmL zg!l6f2=ivL*AiK~#20x#1dfIoFy)_G|7Hn2;}dbf zGMe%7#3{p{mz(XAwv7&Cml(5DhXkVBN?g`3a;pSVm7{AbU|bs3BrHFm_JfYWUSDcC zLgvm^hK2VVFO`R2aDv+!Vv<40+ItiJEFDu__l-*9NBJO7OR_V^^}Cw4(;R3iIc!)I+lkm`Q(pLLMBIZpYWUuG#c;t$ z=$Ra1sALJkDbBl|UmeHRRdZ=9Ki3>)C*AN}8jjCUF>#Pto^OFHs!6#ZOh1!`bGN3# zGO+Wa8~LqP*cz9^fwHiX*K%2@9h_YK_s?`*v@$Pda#CpN{^MRq1`B40x7f|R@V!Rm zzp!(uc`)hy39o8iz%t=tW4az zj~6-*K*!E;f@H5VD~4Ym0;3deOvFB_eDfwk2yp{PkHSDrjO+=9v5$+eIG96N`-vHw zVbs)r(D2>UyvX9JC(n^SP0ApVysaXp_>1=z((E|=EzRR(#g4dj1h7D$^=%H*>Zt%$ z(^Q1&W|3J3P@mbqv3;$_X~H;k&>hx&^S47v6B;G{?f@{L=;kL32}r{}F?g+u)d8+U z{U)CBeNc6l0y zp54SjXoySYioo>;wfhjAL?L{!c_el>>_kz^v2&*Xwci|YVfXrM-`s>ehiKx9cQ`6vqc}*eU)Ka;(mHtVAN}w3sVQK($ zjkkuk9UbY(?8UCjNB%D%2J<Ei_lP8=iq=kTNpM&xw$asmmCw;?oQNQ?-em z@ODs^=nIuS9hWmq<0rzi1fKH9MCyB&L?82_!O-G&pE|LHiB$AH>ubt)nMBnBgK5r7 z1+Z~sP?Lk|mQ8fu8HNZgyA;PUG31<0we0 z?wvDG^zXi|W1!*qK}!9@8Y%w~w>uNXLVMAUFSYMmyxm|peyz_lW!MvDyA-6h50${2 zQ$h7M^q8nA?t||9@E`SOi@`nWaKZ@15e)K#;m@9s@kukA#9267dg64Gk|mi*Qp?Hw(?4Cu zEVeKnRk1rd=iUc2K96Pf|0d%HR&JkVMf6mx$Wa*pHUz?@bTMx0GRxtlCMUaI^sL;q z#e~PqUU4gZicRT)IElwB@^7RP!pG;vq2DEhR?ICP6p1kY4wL8Wk@6#A>edd_%qHqFQ zWe@Pf+ep-!_hldIN5Rnw9CsT(oPRjLs_ddPVq}__lES+pfR7eaMQQ4Hb4yb2+AWq5)123-%8}wsJ%9!A;k{L@v_3=+y{QTJ28_5`@p>3q%q_jwQX(p>;Ajax zmf84zZL?-89Y_hJ+9fU<ywen(OEB>MTN5{Y&(WFPkvN zyhxLunDI;DP*FDKbcT)&IaN(*u2%ipM!_i zw-)QahQKv@L^m>`v#{3RD+z|tlESN z<2!6SUpZ1l0cyQn`P=HpAV;uUaS7&YrO0!0g)?BjLnBh!iwzikH_LCBXRZ_OFNrgP z#yEM?uTQ25LCVli*gNNt`6+=-zIQ|z4y=5bk?cjJzrzLYI`Mi;h`ba!GIL-F8;ZqR zlD6%^OJrn`>@tSbB`{{4&EzsbX)XV$?0 zt$Qrp=*-`UbD%Q-(8I6>$@VTQPfy+ylq^+FeSDfq%+ZOMJtCK8y_QL>11w|ud3uqf z`2X6E74>n9QzPzlJpXo{?gktBmA|sL*`Z5MjLYyg5MPd027ya6V*arSnfS$edXFFi zGb3Xfdk)-T${6rQUjFx(P)})tDsxK7ee7`Y&76a8uTkL;ejUk>(e_v=ME1a3BmUS# zjmuWxTO!jWfjIhf%v?+AVC^PHU?3?{)g zmdKr`b$`6`amoZgcAkamJ7~U0B2Hj7WEY_5nzdlj&UOiNg7|@F7Q%bTVfNTU@Fs!7 zKMUx4u3L9?+#iBOgZ)F*y#(;+)X1&}4gOW#qwmu$)y$%f%6BhzUAsOg@*-GxuU;Z; zu0_w%TOF)#&VYEi5)4N1!C+q@x$oOGhyaDy%iA3 z?)jK@%1l&q7FvXrIr9vdvr%YmFXf)_!$7NxEg_qW=ng|XmP zN2Y=Rhrf}!F9PY5db7PI54mk^3~AVJBdQ_&SaT~}GaT#fdBiQ!@Oyps^sH}4O6zh0 zhZN9+=K|zXVS9q^gw&QU-$o9l_|n-crSSmt$pk z4s|x@o~DXayRP(sFV*=seZJN_aX1=AFQtFUTwg$<8XPzE3AGeK<^^BjQkzhS!DSv0 zbA*N%tZik@*!EW_d!4qPr`*D+)gq*7BUiG_j+|s)Od$~-hTPsO+(ukZF$^qXKk-01 z9ZVkEcjH{lb&A63SeR2psZWq;bO}YD+%&iY zl}H$Xc!61>`zj>J=VVN3989 z>|rXjSwjLQbLKH>6EwDLa|cJ{BR*lD!5=*y`ubk2fr-J(&;KA1Dc~gy!cj_*7|-JWh+xm_L##OFFLy;`lXjoQUvrxT0pGXji4@CK*h1^ zbm!@%|K^&;x7&<%)d4FN`g+o>C86j7CMR&z{rbT28M;6V{gW^(9Ad733Ve#*Dw3<~ zUJEHF4kf43GDvmsiJp~(m4&fM$MP3sG^#vEgp^FJp(n(i>r}v&miEuI*~LN%zf=MW z(O+hewHEER~x8C0&8xXYEF6qBp7O+`TrNso; z(dsSIExf6`RBk#M+C{@gx+;ZMHlxL2Oq{{`Ue->ZZU3_ySv6f&c--OzT96&eGZ+%^ z2g0kk=gW;_H_t$UXneyYq3Mi`I(A~U4+_oG(S)3z=DeE4_e6cHSh)|-eX(W3BW4fA zB{3s&x;dcd9E|5^nZ;;`PBSIY{8}&+W6h5H&&V9BSc|u;mO890v5FZV?sTRqX6_rj zWLdbAy3fh6;iPs~QS|0@0^}>DT$WM-C+Dd{ZO*gEr9S3Dsm9CJOeVm(?VcN`=Dy-L z9jw-Xj%F(4KF1#!$EBLxXD`h7st?4rf9_6}*fFPk9RUCpf6PXy3ND>Yv81fV36vfj z%a=u2w!s1ZzxsVvYOW-`R5+F^*?C&Y-I^a*2mQB|e4&P}n_F4GwmT%YTyGE8($Y6AWU{Ye8P!qvT))t{lX`8^nDI{f%@Qu-Nh71x+2@{Ljry|wYIcM$>E z02YWj+8+#w@trgoZ6$vtBO&Q#61(Ffn@dwH@~h52)3XU@wkJSiUPbf$`;r{vNWXHH zTQ3{Ssvd(~0rSUeL8JW+#shyUrALAd&&Dn_C!Qrb2nD7GK^s6a&+WT>v}!Tq)?S9) zR}@3y0z$Y{OzFiBmB{e+uznqp9XqEAv&~wL{?jWp{4BZaB`9jBjp_-eFpKBe^107V zpJ%oLk54#z*z{{OQl3c%xo|z%S7MwjgsC)i7SK{xfcgZxxmnegqPEZ;*e7}1v}Pp@ z1L4KNRmE0fip>PjwoFG1rIzLkg=+LX&lZhd%U{=BoF4YVqg-j3nP{N`RvNrmI2h)= z;gvV61F4ahIC{-O>`VYM2aC_gx7sduqhz_$6yl6~L(N(CjFIF-m(q{Iyhv!X>$!P? z#*M|zj{3%%T~=*@0?`rl>F6m@V*_qF3y7TgMM|tV-xb;kYL2E5Cbb26hf3$R)BBM0 z*=57EQgWbrQi@DrKhFRCt4SV8#pKXRo*DYSy4;9v$4%EQN||IbX4Yxdz4GtwXKV~) zq@iFf$fnE^qs#(yh^|IJnoWEo#hzLjdPOsa^3~ARBH6Df#2v^Doxg}ODat4P4*Vt# zmP?#}l3J+pCdqOR)L1M7p%nkLr<3bC19cwB(slQgXF`pTYe=DE#JYzB_hma(+LSvX z|Bxu*dQ@==@iA7>6KcViL)kjB0b#AeM*MNutE|=@?Ie5Kn2Wfdblvibq%C%gTZ27k zr)SG8FW}-Y;IO>_x`|4(0~%c(gA(3B^X9I+f_VU$KyP8_`cCEiHZDB9i@93g8sXY}Po(gCCBL>BU2I4gG) zc`h%qhS26Xww_rDC*4*@I!J>JcO4eKJ|iUcx#_H?SxccOrntRb=S7OYT|9^~SkuZ@ zYbehP^U_c0eBr&=`H;<_3+~<>Y@|cMLELzip>omr0zvcUMU{~0$kkcry@#sRFPpdc z1)|_L{$Kaaei})ia-}u18{S|1rQiJKx%RLum$Z%5S-(WqzLWa$^QWflg+g}255mQh zLNdNW%?PA<%_wOom;BrL11r8;*72dCz*ZMjOv_9fv3O7l%Gc_*nsBZ|&Ei&2ejN!s+eqbM5#n(+dZ4{Vv zY`U4*UGkDgx%njBE?h&H3_QEWgLexX21e!7&izbW#owQVh&0$9g+r#y$q%xyQZZ2)Hw-qiUd3S%GHjb~ii`3n;3hO_7XAfQ+iX^2y|0ZVo4b?WfnT%mQ(7@vtz)^X@n3lL?O%^ODmGNbB$sPIvyICwM z+zcP$;v47rygV(YA+{{{!&WuKof^gfZvNN{pgDl6xw;+8<7Mm`(v9zUt-%keolaxU z4Y3#d#v1@9RBD5(h#k?U^gZgvtMN+ChImb89X#}P-zlEF;pE>UPOy{qOME(~?bV33 zP+8Nx_l!KRR?UXjNt>uw*)Om`+CG1N3!t@<$JFgW_Zys`7xmqrN^!R@&MLjd+Wv(0 zTzysjBAs&WTstMXA7J89oi|@h01ID<*CieP(=wPf8@gG)yY`EBZTByb_Pi7xKK^mA zWtT47ojF(H-7dby>SZ5i;T7qa&l=hXZ%1LqshKceusUuv?9m?E8BlFh&XP97L(%=3 z!X_22e*rD*xeQ};w}jGVe(4;Rt(pL@z|Y<-g2E}p(1Gnl#dMCL3+>uYfJgIL=bhvR z;tZ>n?|lz~BOa4f8O#Z+p+ha{j(rgeYA?{)INF=@c!HjXZV(} zAMJ-q>bw^&a++K@y+j!RES;2~x{R$l|5n+XlQdR*BQzyn;Ruh_{Yis& zQr&A0eFWM#dc9_t&z66?usD)8IL9pW@d~saVjq5=c8V10N`<=zx@BIWrMut``cuye zXH@LG%ks(Af(V;BQazn}^kyA5e^5A8-#F(*dz$iF#Xon&{fis4t@`T5Wsr(0@buW; z)9Gj^+{e+m!_Qu@W^!Qj9h|jeOzISukMX+D-cT0{;&#L)-{@SA-9d~A^T`h&`iX*K zE4;+hW=(w70*9Uy7Vn9s;9ELJhQlNX;vGvxzz5r}-gR~0Tl=K#p!4CHrMgjUQ*=$n zirEt~KLC-9)G9}_H}eTUAIN%xI1xGX3OjL#6lm0uhJ;D%R=x7s8w8cRD*2Z^+sW{y z3tYRelUAhzn2!eJUu#Nh^E|!E%NQ}0i84{;IVxe8Pj^oBlzt*lfAL~sE%|h|j`W3Z zCg3HGVC-;ZDhxisVP+cq8a^%@D)yc;raJn(ID8wRJM=+U#~_PtYoRp2vN5_8W}fxD zct8EW8>>JwRXd_=fwVIzc3i>u?bb_Z!FRw28mFS;5%5Kq2V*o`9cp^OJPQ*L4yFkl zz|)|&(_S_4M+DyAf4s{gC$0VTKmJTz5}V3EHw4FV&kSy0zy-7LDd+u6ve^t66TvJRGs3nEKqomOO znKox5g2%ak?#MSsrEG0#>>D9k=GNlRQ;=^W?r=g;%CUW3k0RyB1E#Yde`aSyCABK> zDYscy&)9acU0ETlS~$YReXOEOscdyB(6*(A`#BrWpyS{G9q5(ZZ?S^M(lSi-+ualMkh_Z-)?$u zN4dg~j1I0vAeN#B8#)jyWpT}Az#8-XYwec7Ud^9=y=W)-*Lq}qcHfrEAECI;G1i2( z2Mr&wrY~fg==ukDeTc@W`$mt4mH2o}IsngqeTg;zb(?i9N>TQ^jCh6*Bo!pPceBF1 zwoTeXBy$DP65B;Bagzsd1xP#fnDfZc|HIi^2Sxq2?cckkNDBfg-AIav0!v6pNlUDx z(n?4#y+{kvEh*h8-Q5UC_tGG-OZV@y-|N2SzGr^VeLc@S^Pbt^kDZ;_{qU~yJdW1^ z+kr_hV_5fM-3WxhX0Mp&F66+ZWgD2aR=C$0fwb?#JhwJ4fX^+gY7oR_HQEk5p>o5b z|H8Ez!Ew@@EJImE2-UIkcyIR zJq}BxW3=WrT#cuR?-ssPn_Bq3v3=k)LunZ;d{cBA>KZ2cjN;X&+4-^BPstuYzO;5X zE?xTfo9M7GXjN*+DdzeZ?q_veihkC}&DP3bpn*FQ8b0Bi{H=Sl-l10=+J>KsGi9{{&%0Hs(KrGpF07ygzzrc9?TopvoS@b z4WqD}$3I=K79&Exx7!O8pM5`z88W`br~T3jHYG3~BFURdmJkILv=rRCX2UarV_ika zjp0;TS;hRC6y)OE#6S+mmQIpK2K}zn$H}m=Def@CvNsZ7Uc5%cdMWDj49kBg7uoss9H?{)6 zJHB|F2WH(cZEm>Qk5M{oPCPH!d1dHeb+q%cafR^7`>xr~K1OTS&Gz9H#uGfQcCoXzgxXp%_?j=8;A^Mvy_moN-c7MnzT;0-Z zWnVKntzuU|&5N?p_vcRm{%jVe3+F{iPbe%~@ix*&i2sl|^$9)ABJi>#6Q?&55oZB;R}zKyK@N;gUGb>3k;^3ym40B+zCDwvus zpLrde^~<7O2Ry_s*u^(IZ%3x3HtX8dbbr!Bge7eM#Ig=k_5K;!B^%4f$(<@QGt z^Eu7`^a}B&7;gczf_p&R4eR6&;2)LiT>(CcOxpD$^}t)ntS)zohv1Zo-_TsAcYfl! zfS5Yp*9A3F$;XLo^c-pb6qY0cpab881A(e8Pkli>BVZ@+gC?LrO^uaC#HuG{R7CNt zZ&<)R4RqhLst{ZSgL6Xj+gq+DN^6vK8&>peHt)j}|9X5`JX`t1u9eXIh zEV$Q>BK;|TNxh@eZ&JSK9`TEvzLo(+is}PE16%0qX64brJN@$MVQ52qyH3J);G$Gp4H>&rt|o-x*wE5JH+eFNlI zV|e6#hDT-8oue0Jz!y@V_QFb20@4#mRfutp#Vw_shI1SO7ZFd%T&=jZByT5{HtKHKiqyu=&DL?X?GxDT}%RUREMV0(53*O3{$R`o*873x9>?xGtxIdLXE*XysYU)I`UdOiwaem(+_zMo-?01jB29 zBIO0fXDxC*IYH-ci&(V=uXiWeM%@8XqDk=R^`tm=dO0BddKDX54cX)T$o&#koTuV$IfmK3-IhFrh8kI1mfTocT zOi=!c)xx?f;F*bU#ob8s)*lTO8mR3dVISUuf1v|PefA_8mv)%F0bj|Sej7k^rHDvA zd~Dbij;or9Gwf6Ycpc?D)>eG9?b95AgK#tpgfg*R)g(mm7TM6FXn=|i{Bow(2zV9! z+tX0XQhnl{jMWBeUQcX3xFv2v(TLd z{ZLSs9HR7&p=9Y|328rEu`?XlvgvVsqlM^VSdnlZlch){NhIeCqw{`@XE?Sjf16Sh zlj+eVqZZXMx~tBfuoBN=Iw;c@u07LuPxs@` zE%uqCDa3U*TgG?S`JyZ|i<4kitMunR_z9gL@+KhhZQ%pBp@a?EodV!P zO$hh~N$0tcAbJ64lE*MU4YnPBqaz_SM>+|OND zxa&dsn8=v4ThX+lD{x|Elz-}>A6v|2+>bqR2^^lRQukYKuDJ|dUy;C8>#;xheej%H zSf%rt)X&qJCkZFX=tTN1M#2FpG@nZ`tpOdSaXF8+$YcB-XT#7r%K%5TD6?l~(dqkP+5wQP*zNOiY^0mAf=>x{!ZastdTz zT%Z(xY%z#_m%zDZHPhSxikY6EA#<9{Zrxk)h?n#ac1`5GPs9=g-jL_)TxR_>Ac3fB(Q}y?`&tL|;ffdN<+HJA0@JNcWdAQQ*vte;T@_yV7@BY`C z^3b6g>ck&hO1nAqaOg8MUW4+8(>TwS9W>9JWZqmOx1`uCn4OTzbQEcL5o^dn@d$WR z^UFIv73_23a@LePzS+4evc$P0^FM1eW?mZO{0<>9ixYxs+oc=(8*aB#WsIMAOy*5~ zMGzg)mGbNs+yKI^Pu~Sy|L65co0;%@gwOJM$oFr}FVRlxF1MqH`HRIo=r%^EIn6&?#HJqo+YujI4bg+#HgZ*OuA=}EU%kUx5w33tlYSbkU4yea#% zNKN%=T5T@{ZOg0s5v=wi2d}u0h;}C0buqhk#t;ue-#`Lj^|A~a)M6z?Q}Q4% z*MSmadb9`3R(4!@Z0zI8rb~K#e9C2g)Opg>w2R|>^xdWo$>9JUt&1e|ZS7(l<{L^w z)B(-8dCw|>&(L_OFg$G04QAI9ti3h!#0U1r{Mq!^cg`E&Owc}v`j|4Q>Y*Y7aNwc5 zZ?T8wiotvosM8Dm1x--;bgyfHwS*BiOn0KHjCGFbhXo_Um?yQh%Hu|i2HUkFw3gHf zc74jnfUYYiJfl9f=t5_?x`DKu9{12RZ6@EQkkD=Veyh%=^3@6?l5|78~nx`8hh%9&C0Tj!$tGBn$aT{iD}D$;~e& z)`?Xl5Xz@M38`tNmB=2;^n!A~H4jV?!XtUpjS(^<272Z8N9Uf=lS6CN;#-%*+f@61 zuNMM3Tj1{J)s}|joIzkdux1lr%HXvNnRH0>Qsv*j>3s0_jYOkx;%!klgYnxX;ZMQS zx0RgT=`u%pRZ8!EdEIg2cQUCM@|PYK1;S^*-XNd2jK@KON@33kY}s$7o0^NbdZ)Mb z=hJv&diTUnkknrR1FU*jc+EMYz~{A7z3I*3MC;G)I_e*v8(RR?h-Q0eP4})C_a#rk zdgpyCzVV3I$t0J=X6=E*3Bc2LP5eR}bCN&J{!iIiXn5bHJ>WTi3w7yAw$@4^K)U9- zh}6eE@_CH9Bkh`gb)S+Ma-#St;&OYc@R6(tHfy=so_y(f<#FauL|!H`<_RrC0rW zBA;tx{FeCg_77TV4mgvT2+ze1=E8>d(K-^rk4wj}AIdjV)o~W%sYvTF?|t&&H@bJa z){6#HXJu;>^MFhgin&m;6XJ^UM2bXornxp=^ zNCr>fQla4m$#*fqlX8Mq`wt?Ym<~pouxZ6=KB~}j^07~=WoL_3!R}%UGlV=a6MVwL zI_&xQ5nu6eO9OWdBwEX8Y$ZPIT8s``me$Kd&I^_uoZPt@KkR>);fS@;-mdZnrJ_gq zZfxqZGi|2vOJlp9*7Vsf1;5JDmj5)8`z;0gp0KPzo)GO9Ir_o}&Y7jrIzz}0-Ve(E z7`MaUKCWmL4)z{B)VZ9QFbbC$5VsZ9+Eeye43S;B6_1a{?q{Pu+8XtlTCnBXxYN5$ z8BI$*j9+!9g*O`3Aqng8=DeSHu4SfCd9HeUR(39J1x(S2Zm4nPm!zI*(Wm-9?-81m zmByH>yX@?52a**O%LF_X@c}jLOZ@a6SsVaXuPa%olOA5=I!`Tr&*%d{(D~tNa_kBX zc3>{_*J-7rsFHLN^|{g+&f^eC_~?`!ru&DNSZg7GqMkdsVr+HGSB&HUU@1+XZ)vn{ zH=90QzsMB7%p67Y%qo0?V+-K~A4!QV#u*t4T^ZcKf5&R5cf0K;n3J47I0LB(=N4)Y zVY$TY@3bcAxts4UOYbhJjD+$Ve~>nBVK@?YKEcrX6Ven$cxv#*=?MWey)t5t=6fUM z$&J`V1r!ti{MX3KUC&k?F}}54nB{H-5qHECsLTs0TFCX@?W_X!=WZDfb_uY~3dl#N z%|hoitKNF6Bx*0PM$Wllb{>sly&@D!okq@e>(aBX;_%^fYM`ZC13IC$qi#Io#A|c8 zPMApNE~+Yv)R1btl*xk@AXefMe(Tl1?NDl1@wR~!NK>4!Jh3z4If#@uvBA>WO5Bdt zZwHCX(z>qow=KJ#u5EiJXKom?*jntvT}E9Zt1?{Suz};IwU^;@0Cv<9^8=>lWzb+$ zQbA1O*uPl-E^4ipi;r4oEfOpCzX{Dj+_sMHVBNHgEx#76vU2B)~h@y}U}Fa3_Fw+a9x4gh^1PWFG?7XEKmR_pcSt!Ak1T76!F zPAQ!D>oZ9^f9zaxkLXvFR%65s_|5l_fpq)#RLW$>Chh$ih~?u$=GSUvZc!y4Lo`U-!u`rnrRGDZqx7R45ZULXJ(c7XjRCV_cy32S(V#nD(ex$?m0= zaCN_)G=-dxV?=5(vE6nmZ&F(LkdZ0w7a4v%Be9FI0h9r}jmYS1aJ2UhJ$HK`+j8Cf zDzX2R=h}V6p1kpIvMWG?oX5QU@05?cGOnZ!<%OJ81_rq8t?uFFd5^f57=^9=dU@Ht zT#meBJ04pMjRIniE5W&OnE6qq-+__@BqXd9HnE*~bhj5G^PC#rvI^ zt!UchYGx-~6+8(lx_rm0r<+_QH_Uz zK7WnwZ+Ns4!Xq&y(U`GWX`pAehpY2I=*@2`I4J+J;dhmHQQv8sHH+Gr1~0RF{P3sZ z`*{;rX(w@tyiHZq{%>=YKGvJ%<>VAYd3)ydXWzm4ypr4t@aGgMla46kA}QCvP1?ire?&nImCI*no|!Rc%F1>F z5NmfQ;0822)CKSU{GdN{HKQJ|JNmKIm}a$d1=?u}hbj=HH>X~ePv+iDRc$ro#YKv} z!uzXzG-=I$Ow{q?;;nZW6xdmpZ~+r zo^k?psFrz&91>pA=r+Afz2N$ifO4z0?mSvdjNPdlBUx_YHJ_>LVm#QnoTig?y5en@ z+c9RjyLeo-G2z*R*?INJMSoGhO!|vl325Ga3HxDa+?U#) zotUH(US~Ypwd_WsFqTFhyZsKfx3}_!1D(E%+PCdlvMUSDXH1X!=t>3J6l4rg@jL+L zJ8i3@>3F_(O@U5-xtPQCp5i3{dIs3z&Soux@!9W+;$jt^(tAJUEIm95$*l!?Q~R06 z>>LU~kVd?Y5Mmh$Z`cDK9;BXS6fx~tWS`O^5Lb`reX|y^B8C#NT?u|6ekN71bFEI> zc-=>*f(j?F<3j8$aSOJHg^VoR^asnt=*S{R7bVS?FqHUz@qLJI3a{IxpQNLf7YatZ zV+%nCaA<_gC7hf!8!F&oi-AaS?*1WrcN~25t>6;Wur-2wt>QIXX)of|A075ce|NJ~ zsCiT9jERn}30Y*Fo*gKfm^F~4o6OHh z%=!1}^DaxC1CkCVMIU{{D$Jb3k-;jVY3}%QXqS?i(tG%8wiL&)-bjt{JYuiHUCWFV z+E4wFCcjSdguM*B7o59a$rhe)SdZZ%Onn+h#J3mi8p}_~=nau#iaDb(Xr*`>k`N=|k(Mh}8ka(ZC zW7Y!mqLUx*+)}J%q#!hl2aM21Gk<$tMP&?awcsq27j4fJ&e;GP*(@>Zgza+xl=hL} zJ@bgnoS)6^*;0iB#5lIxQvV%hej_fC*!gl|1yCyq%f?m5Ff)@U6gs^G9LOp1ad%?q z+NapZVl=?sfHSi>6rnQN}y zToR3@K>d8P=vItGMc6^ON9JN_2WBl>ZYBnZ(t+B0NmAudK{SKd9Uf>EdjELXAjT}^ zAhPA{(k>lXi8dnttp3zA((UoYkv|}xdvPF;82ltjmkU+mtjBjqGce9@$7#jfIJdB` zRYXy-QTJc0o&WdUZu%c5WdDH^CFre$_4OR+*&LtDf^{1O-qpdvy2X1~CLnH@w|1Eu zYo)1cR}65s;Zp<(UiiMjh|^Uj+1pmnF@&9p^FBJgAzK~>^UvsAa<17kNWPBNM(o(5 z*u*_h;YGD$EK2i-_UI47zkbkopOGzI5}C_br}CjgdsDYZo)R0ep3Ak;{N~du8}66< zbwRp4Q}-iSCm^jTpL_dzkzWAx!{$r zyxvZZC`CifcJCu)Tov=faS{a zdN9;29^xNIz9`h?t(u~*_&$aXy|;yQqo}@W?HVe{T^*;r z=#`DL7u%Lsd0bpw;ll39rOcF}=M`0Ltr-#jrgKl(qD z9dpb1*mh{C;{IN!JN4uZ|K(cH1~smJ{4boXa#{z#o1c^B80fBbWCL_e4@jyLUlwj1 zoFHzwtSc;TFgl<22m@O6kOUC&lf-G=W~zwWjz(HNCa~@NYqHt_lNGfHY>kcoY>hSF z&Vcv=mzIw-;||n{$tI;qI~Q#~B_OiS!aK7GJ90BX09YCM5$_#}S60I9h~yE-gUgTc zPCis~U<@r=N9r7i{?zPne>%jmjRONr-O*cmpgCr=!sMX8-#r zlEQ$1|mB57|sUwZIjNX?Q4k(5kJ$jCvCxJ39oI>QoLP>r3nAxWopmcJe=F0 zAF7_-rEaUJIUwh+{+m2bF<8z1X+SCKS!C|l^Q;j2pMLKd^p6vw4A&ImD~{LY-fglO zYL7+5dR(om+|H}^4?W}|RJeT+6sE__b72>)rH9hqU*k=2N2Lh48ky6qR1NDtxriX# zBDI&!TGh=VEhKTS03fPMY2AVj$;Otnm%jsT?iIKLNH5J+Mp6&ps2U1p!_$pzcnJhw zxDH>*9>C77zV!pe=rlUfTbJ;^aB^j7+8i=vkI^k}?_KeFW4{uJ+hp2bEBUpbrTYAC zi+!c+!3STibi?<(rxyaTxk+c?uqT*E9hf^{A=a((09@#V?_*)8=rp}B-8tKqn>Snm zei(yah$S%PG{}r%GF7xqIl`d_%nEKiI_7Y@X9TY}eF@dAqmp?qlgsvcJel&gsQ zUI|8!>V3%S$a=h?SUoy7sy1Bga_b{QW}1NYSWVCwg0iJnXTk0*&F?kHqzgu8W}rC` z$a%wspZA`wd~4fcR31O|UsG27l@=lufHueLdX7sL%V?Qo+@O8jA>P_|os8iwtmzU; z<)4`U+5rIltrfuD@~R#OK`5HW#bn95R@Ym(0{eLRTMKQI>FJ?(!za3}n}<`wlB&zg zJk?s4lzS?|`q-lD6}W7>w=?NegcLU~Jb#v7Ev2Lyq!k~#$kjaO!AEGNH!vG}t9g9p zI%hI^$pbhY(5-D>d8g1uCt4-W1E4NE^aH31|MUXd*tkJc-ZfDz3h%K=!ZlSUcO!gxbIo8m7W2Q01^HM(p7%~AN*oXLNlW?UscdlX2XzszMp zxUyKB>)+_i*y-y#FA~VP9#Harec7&Yq)3cKnH=@%TAr>^ol<}({B6Z@+$SK$FN(-6 zy2TxNzRu~X2N{#mN)hvdT=)6@IJUdGaN=UQi+TN6+eAjY&oJ?F{opG_rb)fdj&;6z z!n@EPk`5Y?ehyc+hkv%)qxtKJ{nLJe<~xzOT<8S9+Km4+=DKStzE}9J6K|8U$CMP{$*v+Fr8H=LM6yyaq9d&^+!C;QPNzg=*wm+c+iT%MeluCS@Whn8X3>2+U^Ni71-ZQS?!C& zwA6y(_?DfM%#oBk|MsI~b1|pm=#&?~l7_F2FEX{8oONBA?mYL!>N{))%`LOyUi2;f zGsQrrm;^~Cue+bSpmQ&5>_T*7R`W6sW}k*^Hh2rXE3z+s5Y#gUZEcZC&xt8MFdKcy zM<_w4TAcHEc?uWbN{~dQ4ipNHXQLs*54HMGLfl!oWfMtT?zlBw4&{(&+yycjM0CWI z+~Q1hwvC{JlFQ5(W8rU}ew-b#N!&EmQgyF8fCIk+s4K(T4ZFyM|ACh~VvWXL(n=4QMd_0n(Y00OQb4 z!!uI5>cBq@-;WqO-ILB<90MVV5ZDZ-dI=3Nh-T3>T>KVB<*))4WWCKC)t2}Z?-o+f z9P%zTBK#$&xQotQhqh~X-aSf~87NNZ)h&!KuB*Ef}$o z(!9H!XM*-Lu)0d}-w~P(CXiP8IiymGa-wrJDv=62l`2Id)fSif#aBs}sFJmrT^1I4 z1K#2vCT#f3|6#nVfg8>(cEx*5(~X>ChDJy@h&?V-U5?ZN;o@Rb;4!{)qi)9)hX~90 zzG72;w36^H)$tf#dNb2U8+DI^cSbNpU`^EkB9^qRog86LZB)FhDKy4jS}z}tT3LtV z8f>fOp%4syQc~L=MUkt!x{c8q zZnYi%nw>MH)6{4?-m0G?EdujvxYSGX?PR8C%p1m(4yKef`P4Cva52d-i|6(+Dsr^a zz2NX2i@9E}sKOJs&+ki_xYBh=a9Xjg@o?n=@N6K)N-4q<*5zFk+3X6l0^_a-%cIVs_=lisV)75Iaiv80yi*BDcXn1h)kPwwLG10Pa5Rm-o$_jBg z##6#Ts^)Y-;2N+wEGh~zx0y?Icmt4kJp-=xK~a=%)l}`-%nxUP5aq>Oa|7jFZ1`?g z_*@nE;m=48+HmO{-T#)$)}}5t*ku&TeTvr#^dEI@7vGCjA_;x z2Mg=hCD`;-@$3x*^jN3QT!W^y0U{2Pdz*|2-F(ZHyC- zfSBTfy&?y?wO>l00t5F>sha(cr=F??3n5vtqtKHi)o|9uBc?||xV;I@A>0)iR3zVf zM!yTr_FCfax0-mJw>Scs*?#2JG3FxY!j8bchg0^PpUQi$>1+`{2vb_BMa6qya($lj zXTbquEZdrXN82=!t$w4(oLY)|Y09ATHU<}RC9ZYL_4<>q=fPC|u4?EEYF1NV2*XOm z^AGB8Exd zj|tb)2^cJ&b_g|6kF94W`eX%0*pKmEJY~|~iigk*@su35%8JTlIq=*l#Cu2vk%*m- z<~vS|u=!tREcHk86s9=`y|Z0gNhP3Pw4#`Cmxt9DEB3}4v?udeefI6a1{)k+IsgYr zAy&JY0;1n&4!fg*e&PdjVb8ia#cdVUe{||KjO( zCLqchX(FyAQxW2X3zZF271w;>goVRgJDq=#u@yy`+IbJ2mmbu*dPVwuE?Yf4aC%}} zo9cd%9lu~(($uEEQd93AXJ`XGTfe&|9?6^&B~ufLg2MoT3zh4}VB&`mHiVTnUPQ>| zqeBASbQD*)j%yn>rQhDnvae3MF_?ga2t-Bk1KfrDTltG)Q3l8}hSe-M>rV3!&A_ZM zq-*x;ckLfvvQ&S?^n2!h`ghPhr%|X4Q(_Mt%y|fE_q;DhY%ux-gaFTe9DVT7E>aMq zd-Xl&t=suZpp*eYCzBe8yo3S2NKXUgNiwz5{lu1lR&~pGkD`hKsE3B{_6h26eL)ba z7_me0t;*VPUK=bD<7d(V_ki}(4_2GFK_3RVYY22LM{y?nD>M&83#Tw(a<~K?j24mH zSh$#QnUv{*SZhLtYS9haRekIr%qRBdywX~W63y1Y0`8|`6c?3@VK4|7%!nU87m&1wCaZS}-EiwCBq@&>vg zSrcFcL(3n>$T9y~#fUJ+M z-eFjXt@EhS9yN?LPsm*}Z=Yc}=6zp66qcR|q%I`#eUPN$9c3FmE7OM@=r4LgT25~$ zvEr`F4<1~0|C%xo(Z)FNtft@e%^Bcn;KCf3L76VfX!SkR)+4=5i|nStR3)RGfbp)Y zO}O)_Xw_5+OF&Gti_r^1{mf6@+uN&y1DpEooYsJ;H~XfGZ6tT2k9O_!S3b*{cDn-) zU~x4x@Pf(@+0cl1PS@rDV81s5c7Uw6wEK64vlFp)l*Z<>ojM3^TUW)&#oD(E_@nM;B1`O;ls|XwHuJ*pp*^x~;=F}$}?k%s7i}&i!NE0CHmwak`G^$eXC{LV$ zVxD3%p0p7w(yO9BeO$xO0@Waptzf=BjOJ^C}q zZe?yVp7=RzBS+tgSLBE6FkyBSUZzJo2EA(RWg!Zeq$3n|T$L9WrZ-UtpOwyYguPRl zc-Zub&9vBSEPF}T*Q&p1n6A*ZwezAWHCcwk&=`}R(=2p4!ne%VC& zYd1nS4U=78f5Wyb-9H))uXUPAr8a+Ip9+U{!C@d1ohnaMADiz2wAM5-v5S|~Ks!ez ztz?`F>r2O1GOVotY@Sr0U(RJ;xiuj`LafhaqkBl5&R^YchOh7A$J=s^vT7qLdteO% z%)jikJN=W&z}446hq*^%2B7tk?@z3NIy=0$ycRuyld)Bphyfg2vC3t{W zLKjnWQ@E~4Eu#EGkQ+23SD9+pIsPtaVFm$hb=cP~!KA0G9yQH)xC1!OI+)Vs`Z1ix z-2*pwfkLj+ZgGu)qLb?>$a;2Dhv4v2;W^bjYib34ABJr{1c+!M+o!wtWz+L)ffDhI zgqRPMZkVbOs7~x87^bBvEK;&OtZDS~Z^1zLuGPzO#$Pqegp%;i>zUqKq);{=u+Jz5?C5cg`Zs z{KAC>WR6pwBgEJwr71%(HcLkfa9B*+IEC^3-ewUn@69@|H{SL&AJNZnoLEh8J!x1WDJu!^Gf6V93*iNdY>C%baVhqf!J~(x)()5K(iHTvY-GAncc+Z#iRrZsb zn(YXp^f4>Ff#yKA{eLaGC`&j$*(4IT<@{bO+f6+T0D7K8z8%wCl=TJ7 zAT*B<(bSUnL>bSseI3OR zN(j>jS6zL8?+`Id%M=pd@yZG0ntQvw`ARyr;W-w!d0G-lt!xLLO zNH&#H zA%_ht6&9+8#4d1C5z-J*2q&X{+*G67V7as$iWOmIDn5sdn8Sf{GrXW zUmU36x{oPe_GE^O3By`cTf$uADcO-E9;Bl&}hFwp4PO8 z4m=r@E(3; zKknPkriRJ)pE>ebJg$*F9j6}f#bC^$c4O*A+btmJxg05o%EFXx7oj;ZVGzQ3-bOYK zgyvDDV*iTt=*Aw;RUwAgE2DtoxH$K3v7G@OFr3j3R~8=ktb9Rq4@8pb?}`N7+i32P z(n@_<(AG@6Gk>6268u+{bg-`f`5{iO?PGqFkQpsG+%iT0Vj^svGuBosUODFNx_`><(6+O}euXyPgJ$ zrE=F4=PLg&WVPvW8qZN0XdGMbE7P4GTdH&_$m?&AGky3G_Yyoi>`i}@Hh_sx%h_pS z^OTVSEuc**Uz?7^a3YeQ55MY2aofoUA9gy}=6}-1bssd_)q6ptbA!ea*M`*xMEUo; zx)muKvVHkfc(Ks_0J)S}j%n*n+Of$Dm-5=2a~<&;YN`BV=B-pNa5 z7lxwP1G#zyX@5U@!{`?ef$hB(t0%v-Sk4ZWbIVFoy>G7aqn#vf^qvK*~f9xO`}J14Anyk@9=b1^dl*@_eRnDM6)tVZ>o;&XqN8Juq zI*1zW(B0a2et*(3cHbs3JHCK1=UrksK_{mvd&eLnr9q*NUz_hk2|D&>C}-5U3D$wG z&42w=?Y+J*Pj0t#2tgT0^Q5v3kien+<6_n{&??C3x`U@9@a69O zLG^8isKKukr+wdyGWl4sJR8x%ogz1-0Ft`&qB zhm!V#atf<+`=@^v@HCR5#QmRBvJ2+<*B_9ShW>hBTOsiuM(Z-v2o!`% zvLWORSHqab$q9OO&fp%QET+R$rbyz!bx9V*>IGZI4$N|dNh2ufGRFKIBq=PTg1t=I z6qDpGxm$LgLJN3JvD72D{KsS-$!+>k_euvIUswbwrXF_`3ah`dN1e+TzE#(Q!g<*{ zm@r+bKQS{%KlWfmez94Nl6frM%YZq+E~rl_ca2bE?d}n zwDlgux%Wr(*nl74s`1mcsavn70888L{hBiKfKwkfs$oS$J}jV;muUPJuxnS2)wx^l z6Me2`>O&RuQvESH?9qIVwNjKtmQ)zP*Umdl=~L>U3%uB+B{KbltSYo5rFb`Nsj!bA z+KRFP!7SI-LDu6?tVc{MVpMp})B{dMv$zxGGpbuf8cXj4q4fU@BNH8ZAWXa4N#WO9 z3c3GvP`OhaCQwSeBEIk~wro@M(O|?9!7{kVsC3TK>O``67!*#zNW(~O5$=GB&2=1( z4d6MJ)Z*DjR6-C;;f@o&j*-Xk$S5mRkZ*8>J&SHdZ)P&fkK9)motnh%CBh7Wud?j3 z6#ei5iV$it0f$S}6V(I~}(X#%Fg(8r&@OE8!OFQrC@@oZ1kt z`p7%he?OYF_vlBn|4Z?O%K!Rcr>uC=Pr|h@;WBIfts%p=*u^?UXFKM6KN66)C}2 zypoD*c%Nlb`Jnd!)Rv=aHNU)^DY!ZPY5q64oX6QX8NLBq7$i}+;{4Ldg>6wZX}V>} zu-|Mcy^K7@nIR5q5jm<(QaEla49a4g1)ST}sbjoelBA}8aH?};a4kvf!Lx0)y8+6- zq=d8S42V+5)G6o}3uuF0&IS4^SQ!IGblE^_vg~u316bfyudLVu5Rn3AQBRzcRcX-6 zCR@*4-Toaapp8&|!#&pzRe{0Ig$`RW7dnHy+ED~2){&J=Kaz(>6)(2OT$j=KA7w#}i zpK{2q%nm)oGnPqOi(q|J@Z^GIJv-WAY*a~@S)XDgTL3w@$#oGDQ7>((>H0#)-m>gz zL4RhrBW$&QfFz1dN?prR>@h;P#x+Ww7WWM^AtN*4n16)W7_*AU8aQe7qZ;wp1Z`iS z?BzqY809CFbf!lz7DJE2^fW=amNf=o6#yerb~|3@0#)}}pclDYQVZPv?9pl0?Fer@ z1_{?dYJ0ilWcNj)ptDXgm0EP|TNHRs-0ML9pR(p;Qnx1SzcaUG%sP!>h}AbuUb)8do_lKQSqi(a_C*>13rNaodCHo z{uAbBtpC+l3B8XGcxm%$L-R@h(-kdq5aaLRT8divi@lCpm|423Q7o1KnGN1G3GQaZ z_vjo)R4a{-OuKI&pIWakJ8l~jR}3Nw9IhmVV>!k_9b>|=P-&vWb)2bj8OiNMM|h%1 zTOXt-exZ;_a4CJ**|-*2a!P{h@^JS|-e)BY0C~lxHkEKR?9`XXb+@UyT3btRt4w3bS%5d zZ9BnXu<@%^x;rYkH-#RY4N~1jV?{!1tsnu>pILdxO22qmPn$1@{>7w>!PU$ER8P(t z+GZ;}E#4x_voBY6)#I%*+^*1J6=_Edlb{FVP0onCa-kSnW*Iqwu>+%yeLW9_|(NK1# zL2@^iCpesGwL7xZ>dlglV_ItxS%tI+yhobeBxB^G76gom1zf0nfj5!jNC z;Q@}4q^=PJOa_w2yBof^9c{Ss;sMMwUXl~ClrwCm+fnjR#A$?AAHB-rk)uPM*V|$eRfRwxc;_=EOFLL?#PE8fC~KpHdXY&Vb^UfO_M?P;JifVJs+-<<3h6qeXKYz$hi7y>7TueiBw^I?-( zz{XJYB0vQKMh1-hl6xWlzw8fG%@lGHjVtcf>O)c3|NH2!#)gpCs@VFt-(&#W`#rpK z*5v3z=yGr`TMEe_=`;taN0#r)C<2t6FMA+CkbP$)@~b#Ilb9sYd0)-tjinshJ6gMY zUUC)8DknM0okGkS)~b(?ZgIbH#v&CHw6%o$G^i7|9z^0svI-#xfnS}u_LFOWz8Y0X z?Te`5G8Bi@diD>T*ID^?Yf!J@SYEHf9+V=RM@(BnXY79F3L=t-BL*_z13~=hh^x6q z{IY&c1Suf1?G->wdHkEC>l{Mqcqc zAMt9obAANunH;p-c}0(lUFN)O>I0WGtOPunpRdC>Z|-ja%KY_Br?Ufu+3{&uo$e=Y z1i3oE^((h9awqD4Dai8aaYw*m9Vh)+ZY;oBLcoR(`0k(E^s!vfHj9)O0s`XQ;e=QJ z{lmYh!=6^RTWoZdst*(CS4vJo*LwN-xm&$M{3+fC6dry&eulFR7F$Io_HiQ`JU-D+jJ>5un9vXiG1r4)$Uoip^Q({4Uh4Dyi7=H!9I zj)^K-v~-z7=6LkmO*`B1Ts+NnNPBobAvUZ?c0Y-pQ}%m$y8sd6P)>ACz-$D+fZTWg zk^T+6>%$0hLdoWSd$3~%DP<&Yl+_bPLx`ZhUH^l?K&eZ4jrwpi*G{MBop!P13=plB zp-SX3>4^JxkwEZ}Dp^V!Kpx~gJ4(B2G%cKE-R;tx}cSL+F3M8Xf<0<~jJK#La2zg9br`(FmublV5CZPNsNynPaIUDYhK< zR7Ca!TqdFB{>0rgq-Nz^=RD1^w6JBc3t+IX1)7(0Mzy=Y9vhP@nBDX!Z{+JCZi{-&;7s@D@}5xpYX zYCIZt00KYm7^QUbv)q1j9in0G`{Drnoq9J99V)+YI%g|xQ6CucbM%&gAnz)$kLFEjL};FtETSWCq_I-V|zmt;S?bo04ql}wFj zV4!`u7fgZdYf`%NLtOY9%n6HglP}=)USo1rG1SaPERJMMqzAHfLHim zNZae9ku=PEHnqRWR3M}vSD^iz;=aw2SYxn9m1PU`=E3lqzZC7HBM3u) zn@j*J4ZR?G2#;J*W=mYQJW129e<-S237JLi&FU4Kt;_dkk-wDgHTUV zqK1)k6~O$P^@uG4f;4ACfPTF2{pBLnw}XlS9vgt~9GgdCe+NPU4nOa0TCejDl%-2W zji~;8{R6l7IrB8nL&q`o>S4UIML=LCwK)|!52z*OYk=n2BFyOrCFX+Ef(tNp-Ax_O{tt}#Z^_-7-_AJb$ktyMa3(Y~JbRS0M5Jo5+ zE(9UEH79td(pOl^%qJtxCTn^5ISd)Ja<%1h07d1U<;3U%`x};en+Q}X&;kc z5Wa0Tr11aH_1@uB|9{;0Ikv>HGQzPbiAY%o2ML*l>`juLbz~hO+p#Hogd}_KaqJ?p zS7x?zj=kM)pWpAg?)#tb|GF+$&UwBb&&PUZ3a_(4#DkdE%^tBC7d_bHVy$1N&pbHK zQcPBHNoC7grF@nd%lA6TX$x zhJQb^;zgjMaPhX@rxksZ2a0>j^7+6~#~495BA+FN8t#oUVOm~D-0l7xdFz-y@r$6C zm3U$o^)%tpCxgipj?#Pd$BKUeoGlh1 zNjCYg!N>98HBfl*;mx$cM*t}%oxWQ9Uv!v|MF0VsiIZO9No5S-bU^v7JL;;O(|GA6 zmsE<(i#LaV2r$;jTT7=KH@74xK=d=iyTEtc5qOU&P&O(LtF=LRQExjVv-+?9iMEoq z)d}m&ze#nN1)k@mJLSSHmpe|4zn;$U4@7W+4h4XNy)n1-_7?&nj#JIV5JU)YZ?^Gh z+RiW>uP(y#sReL#=VbofeZ3_sO!KkF4Q+d`e6#2~k%kp_xbB;-^RbtTEO+`VbE)7x z*;zMMr`?wGU9ut^8!wyQ=LS$TI*@&IVq$Gj`g~isi)l>_-qfvjw!%nsv*^?7)U7O)O&-cetD9!Gd_ z9ck?A3p_MN{zy*h81iDu6wbkR%KLMQ_@pob$SPXJ$eNU!#wZTt*2}3*f>N>;uN5x# zLuA!4pD9-gi-%;w`q-ix3XPX=%8Y_8{cvnMBy)w5kM*=hef_0$_JK-)M*n6ZY=keC zR+kT^8G7qGM^W8M5g1n=soWq?jOgvu6DHUY=5Vo+L+`N91r^1wC?)kP6R(1MHs0hE z3(#egh-2FYIRvDh8VjR|At9l4ZkiNkEN9BO{2zYvUSgG64^Fv`KlrQq0Ltqd7vVJ0 z-_w8_WDELXJ=+;}x)SdQys(Q|^T3A-A$HO!Zr(vqJN@pvc*|1*;9@|CLnUy+5Mcsb zy6UTJ=xX;&A-Dvc)mME!z zz)Qs9Iik#a*ifYG$3&(_$%0gB5_IQ;jetMW=rg7x5d~@Q!*ANi<;wv%djvdQ1>I@- z69kf`Vu*Bj3+^c&F9(#r;PX{Ldxi*4I?{G{bC{JjdGkM_y)eHdY>VKA6)r0Om_XP3 zoTiJ}x#u~T_++`Amkcd0ImA6=^RfZBr!&VZjSGuxE)@jhge?;y52*9BD)`9CD(5hX zx+aVn^*2Yv^x0&%MJxk=^=SIn=f?$_nX{4Ii`>>?GWc`+IxGM8voe#YddfM6=hL>> ze6hPbgA?^%pwdWTch*9)KYGSYDaO&%9@_)HBH5-QUgIN{v8BsI*RPzsef@loG?ra@ zDP}M%m-X|?{oUM$fU*qT2+0(&l8tlt^EDHQ3zeUum2;yg#U6|i){m(4)>HJmpx31D z=cz!~zLK`PE8i)Q)&AtFM6{UZ1|CRI4`fT!l2?ughiRD*mA%i?-6JgI4C0bMU6+kM z=)?z@gojX^YxHdr=|0}5r%EleTyYwVI6l)2zGZ#9Z)w~3GVTd}gW_x>iy=t|JvTIi zWZKtE*_&mAyr`b+feO5-BmYI@|JwU3C-F!_ML!Apy*tCBTPNx^$b!FMctThBVP~r1 zNDAYnQPz3$?VEfz%3vMzB=25miB@HJZ{2!ML`Txs-YMr!^0}MB=Y^L8{mlm>Dsw>H zD`Ols$@8}?aeXlT`1_IXY5c`_Cygs{DsmhPf^aMMbwEaFkpyPNT=;{Mbu15oFHl(F zM$GICXDJWvrz2FOrG6cFpJ)jeSrO&@GLBvqcYMgrmSO+$={C1gfxWTC6$e{xovMTe z-95X2#f#f+b}F$pdC5Bu&eVYi*-=+`6-7h_xNE#mJZ9HWYnR~eUc8;qKz0rmqd2Ux z^p~!_Kz`InLNv3p@1u)v z(+jUX_RWZ4P_DU=lGjs;%t%EE+AU4#Y^zYkLvC#&;ctxxGZpA>GF)DHVZHKn*G(kA zJC@wpAEz!CTG7u-4j>jw;1pYvv&r_zYyt0PIUz9OdWcHyNrQ2GcLnaK{I8Wr>t-bq zaP$l0q?vd zlC-#UVRaX%`~Z~Lax|WW&Cis@8(Ax6aNG~zKMatHq=22XmD%J@b1q@+)!CLL(oHAq z!wvukqtD+1g(W17ki}-F**X{Sc5N@m-j1e@{Mvg3S(@~(qeD>v2z#kBz*Qt-Pd}$7 zvCM&t@N0f(xw8d)Mt?GJb2bxfBoz1KZ7aZ^lhM8)?Ze}K_$Vziz)|h~UgSZAufpH^ z0Lb2Xk$*9477zgJ5=RbR9$8Wg31V$zR3BOKBnijw4RWe^1tpofWHMXDLZGD1>A+w7 z?$WyE-E0agJ(jcwC{1^2)W~lI=6Xu@I>ATU>mdmR!a*Ee-1yC->6EWRO%iqIw0RSQ zS&idl=k9Vo$%%$r^&*R4d!h0oLHPKZUN~oUiDya@*(<|lBW{bnA}jHOGQ@IYrao~2 z%)alQrOBVUvs=K^Mq=5;^ENtiRVwmWr9(C8NuZ$>aq@T1-bNho(L&bZvPG;4Bd0gx z<<9B%7tw2({(i6hTeag7-#+387Op_^)jbK|&)xLvRoMRm0_8S0KtO-uVkKU~<0fCx zd1Qhc53J#~FF%_3d-ary1vq7)Kfa8TxmgnHoGE^ToYeEcw5J26S4%)ro2vF=Z=kWZ zY4zbQ(CHUy=ukaYQQ<`eXVo?Jtv&}@HWmTExCk-=IahSi84@^C8$QVZ>YsK4h@m7E z(pNZ?jm6$3p7Uycs^fb=ZjRV@O?MnG)_=&B4B*P~%WWGO*Z-iSq4fKf?z?sb@Sng> z-rY>U-y62TviXrrz}X-8D10m^yz^SGy%{*;;L*5KlWOQbrepl_5uJPPuc}Md>yr>m zrWZAdK;IJl5ny$)k3RYr2ii7r>AE9(4M@u=E7ju*R>+ zCet_Z*4yqjhApX1EmP&`+-w!<$B70po;!ZP!X{2(1wI1jRZW<96E+sk8hg&&*+vOW zxB1r0f7q(ODeB3NJXtDx=lvs1V&V#Dd#pe2WWA!S5xnTvZJ|cLcd9Ucc-#Rvv6x22 zja+|if5t^v?*f4-@?+s+esoegwu-X`(0HyLt1F;>ei`63lS`HcB{47n%litBT37yh>N-o~>zf{caGz=4Z)-b&Jz6jeqYz%8*f-lc`{$(klH=&;}u>0YR zHChXJC0VoXexr7Rl%L6J2e@rU+ZL09`t}^xq&iaMs{sqqEFIrcZZ{^hbq^Y<$y?G1mIxAuLd!V(+dLtP2+o18D?z=VpOPBB`u9DI@c{AU?(5u;T%P2XfAC@_`_O$bB*5P`IQX+YaHJ z*IIhCU4eKXjAh2YGD`AfArLrIbKH<*KYji8`tq+iRb22N-=nF5t_+Yz-M_heEgo1` z2MY`H6X14E(oMPQKWu-O)aPUN(|@T>yDh-(zT!BiU(j5nF=sb4p38sBP;)G~<$&80 zV0=`%@Ysijo=h0gwCNxv5GL3UN5O(V=3o`Q>3{Nk~ z$^asR{H4SgquKE2H!b|X^WGR1xc574tz+&9{TUSATY_ggNz;8GA6ZuL`W@^raBgVQ zMJV&?6hITVHygds4-9+MFAml~<-nvr+-7O>s5P<#`ArLmCcQkC=r*kH-YcI1dJW_G zKc6o){=EdwXIqE8B%q{NkUc|HaIrx__gkG=+We3|rYdwXov_ab8jZURcAz9JI=s-C ziDU@cE{CPbzZD=Ih<`hpq$31fWL%s8ui4?=+_P(Uz?wt6pl!mU-1+?A_+qbR%v62zB|-)PmGtAC`{~x>*`VbbLpnunlpQ^jp_=R_iNU^80o#3sN1W`t!_CH zb!D$cATlofMNL-s=4=Q#=J58>kjw+JTm|sg82~dlCX}j@l&ZK8it7@7OWRWpBoS&D zu{KJ~z1`D+?;|oBcS6eE7aI^GXxvc8$I0@Pg^`a_f1Mtvl^qd(mdCEOf&M1A+M6qo zr!2^Bi=_!ixs7N)mnim2j2FNO?hdG71rw*dXc(mhUqT*cDVG9^Regv-+zc0uUE~;n!WaTFrwkU6U*lvMlW5qu}Omkg=^2{YM)L=(2H-rkUm87Abtk!ArYft!4~j`NXg0P)PiE8R2t4mLR=GCj@7L9rs1|o zj*}g#1>FADARG!rlD#E9`<#rHyt`vYMb&X+#7QPGoFhus1aiktDugCe!at)604}iK z^Q?S=qSOI_ktK@Avr@U(<%A%|RTE*a$V0gT2^XmeF$?X1LK(9D=G^oP1!|Dl)l_4SSR4)x1U zMmLA9-8;MA=7}6;0|kKU*DJAalGe&AcimUSy#cc@a~4xTo7cGL^xIrbVo*QbWZn)% zA39$vUzHT9u=evaO@{uN-n{JSXFt{VAItD$=t6s3>i}dH{Hj+@S271;6Jbl@OuEpn z4xEtRF_S|1L69s#Yw$C-&ECeSt&hA9=6@ioutAAyRHYLb9#AZB;-XZJ#fw-=rs?;d z`l=LOTdLTCauX>Yl-3<@W0d7j*7ASJh9Jc>@5p1yW7=hgGg~=f)o_b)JkN#*@&b`jZvyM7O5bX$Hox883=w)W+)PJ(f$}x=VA@J>h;VZwyO}^* zH~tC*T+D!L+e!3VdO5*7xgf9;FR)X49pp|*=Qk`5>zT}pW0H%G;RQCJ7||>t(3eSM zIqy(xXv-aq;#qG5nKl2kRr%b<7+yPsQo1oH;U{iIlvLi+NQO3-%UTTH=w>ARt@ zK31jv0~OZOQDp}$#*u~h~^Z4G%uY#~JOqQWO-k=dXA zC<)Xc+)MVb@erz7BDetkEvtO1lecdWecE1(fMJf?)HaPq*Ly*pn4S0;lpxcQc7s<# zxR;kA1u`Pe{)};hSAb>3weV^knP=)1q;k3(G9e<&wWr9eyGdy{+jMmZ6%x4>R{G(IZOK2Osh?cb@eH{EddzKy zk~RmmmyS_CGT(g@*<#Qg zG#L3&JHAj87WSM+{xmSN@C)H&_{T7Dy4@lKe_?)g{j0~(UW1nl+vBDD1&%dk=eRJ= z+P|#oLwc^de9ABA?%9BOGQm0vPt1$|=rLf(L+pMog@aroC5hwnJj>iFq$m^qy)4pi z+O;S$rpzabv;^dzDni&Kh_BO?e%bhHZCN2S*n!H7!XdlQ;((Mlt*p%-UNc!~GGc*+ z8`0CX;NH;)a^%p6_b&VMAO*Ukld#ksc#?));4(>|#<0>Jwy*g zW7ss?1&3w)VSN0C0LeIXe_na}wMQ=ztmE38ZXZNb;cKRK%?|#msYvI*4kPcLzs3#* z^)Mh&lxz=S`C$ZzrL+$&6ngpmT@w_75#@GtB@bCiE}G=`iLKWQWPe^ro*nV zK7FnnNEFP;OwCB~;A+RopA1g5WIsekBAU;T2lNKc2)04q;t9GOG*&GGxi}LfZ<5{6 zLrRGFjfJ9)&Io`0@lL2;;=>-W6DYqsV+V;)tLkjwx)Qp%I`ZHPJ*2Gr(&(8p&Ox`@B@=VjwQW<}=1 zDlqQ5WZjZSr(IW|s&#(`rr()rK&*l0POIQdl>254w^j-b;|oc8@X|}`5-_p>;nU;M zdB8pS8S+S7Vk0k!?x_&efhxuI)iLz#@$E9dpkz24foQYdzFW%P_n6tz8FYrLw8_+v z7MlX-{0h3sCcYtokKr)Ro#|wqyytnnl7u+CC8{;?)mFI+lVLpy=sbQC5&d``wg;hgy=>9@75WIyw8eq>j>%n?-H&8(o2-9+?gU{ZSc`HRFK>tOC07EZc|N9sSRkGhfTPdu+?|TO76HHENCp#+cdjqw> z<-1aar!lC;C>>KEjpzEASw*Do2FA2kd%koa4b>fe^$WKsoGMf4^RgrJW4XG|%N|zl zUUffmo5n{eHbzkXcvezK?%jH2om2M5 z!}1+d{F9>rAIx`Rm4H$eLd_~nS*@^a~Dd?OTVIP-+?31-5`AA}myfVHFwey{G`h!5zF*eJ8E*;s+&l988T1VO&I8 zT^9;NxQ0Mo+R)(FbVmE@0RFcDxqw^r0p?5iyweV>VZS_3S9EL2F2p7YFu`+P{4K9o z=bb7-wNO|Lk~j$n*_tP8bv5d-CGbqoj8^Ni=!0xpI$r^={-xwG)H2m$=FhZ)?PuMH zTF)v8hol=JP4_?{$Rh25BUst)Qw1zmdxiV;S`QQ@-V1?>Hc}) zjS|ASP`$ZM0iZw-mhZ*gRy@bA*Sf8dAyQ`?-oLox>!I@wAZ@VQh(C~relkn}s%`QH zy&IV)rQs=*c*xG??2Bb-Rq?)bqz^W&GsKFrQyDlKi*v@QDz#dT(#Z9TU)Gvv8vZU325cYjE96AvnZs=3IdT zbL^v}mGlHf1hVt{Q*!;BqNcR`F`Y^1oaDg zud3J>kwi}Ix!#DwTpDQarml~ldY>sNzkYGBG5JgUJ8>m1Xx>wN8%8UyrG295nXHM7 z#Kark=FVl0ujq|2VI`*>_?QgDk{KVV5W)I+jnJ$`s7A`@rgFC- z)#QDuQ&U;v%IN$Dc1yf;!My4@EtB+=l$9+>D$}WrsWwB|*e+22)zxvUQ)3;^R8V;j zBvq6aS1~lHM6`6dgDI_xs`ZsfIh_gN-#wbP9nOB_HROJ@$GALTA$i*M^!;>)GWm`A zGYd$;U;iw`S^y$J@1T~In*q{pu-Zl_SRv7bnx>q8VPPkSrCf<`NMi@_-0nt`#}lfK^`D5o6ja&Cjb(v zxyHG2Z%ZJ5n$Ub#rOj?96yjGq^(M88MN!DRRs#M z)gUL0pPQ`hO?QqLoI#j@`Ecr3v9pq^^{;c93L}kNpggXED^xt#Ku}d>{b{iLvQ^qD zjXwbx0Os56_&1ba!jif$YP~u;z6AJ<6eJ ze#f4Tf=nnpCU2%(MGIJtGNqiBprM%ofCUx<4hnHdu~|qT8Dz(sVcE}SV{LIptpdnLL%TxuW0LP*AxBF#=|lW|sD!Mz=3*!Ir)#6^wA>2Y6u_Si@MDbis++!EC7!i4Y73HPul`?+uqFj~E$^%#8OMqF>pu)>eTw?kfhd;L; zrwDTjlg$U@AFDumZD1iHBp+jAG9&__mm;)yqPr!c?yzMv4I?H({QO)`A2YR-#6*644h;+AWja_(T~j*zvZHG-PqA zk1B$N=9wltzTanq(rmy~IGR@9GV$>wJ}Gaf|HB_cL4OyJ?f?#Gs@ZkI=HrG9>+y%< zk{=9%fHbrEm<~8iPzd@|5g&7QrkB*UkECNyNa`2{PCVU)5K*E^G5ROSaXrhZh0ExN zJtvdMmTN#2A~9Tv)B%3`#^?Qrq49d9S%HRS2RK_yQ$>@j*Rcow(jw_Is0_HREGn_( zr_C-==@Za}zVlx|hX%Ylu$^+YKpR@*eg5A-B6VJeVaC>-UTf#0b8WCcKlwtm&^?o< z0>Dac=F|PvAd)w-RxzrSl5B{7ux9~mn9OHV2C`i+S0!GMq&sDA!Y-0i;2jL5a1N#F zn>~_2juWUy1|atM@gx`0)zNyvXE^EhftNH^&4N?cq+S)LP8>t``E&Z?6F?gLD|jN` zUMQ5ZAT4VWJ0nErNA^N@K!7mvJH}cz@V_bWmw*x_o#{;yUR$sV?UrOW%T_lDkXua4 zEUHK?bNO!&sGLg^!yW@74YOS}kGW^SN?*CKSdTXgQXS55@i(Nd^!rcWJ=W_lb|s|C zD%~j{Zhr7~&whN9*L0Jk3s~pg!0RX>&B=MoQK_S%zi9Wo=s7seI2q^lJ_zE$0SZUH z20d{h4}WzVoy$BAIaT_2g_35*AUK*97WE_SEO!1-gibt@-0n$6=;!~~2|WX2^HHI| z`r{*-_|3Ah!Sg?W;B4v&!M!9s0M5ufj8vYydg4d4w>d#>6-2L${PDX-`lvkG#0sZZ zc+3oV`yA@l&np}a_ofS~va4LF*i341p8-o*H0H})RKL2HIn6QBmk7HT=4mOdZLa=V zoah(k--hmAb?BC36EEP3+vL&6m>mh}vQ9;K#7^xn2K3Yj63xV!hBP#5aTx;IKT`jf zVE6LA$x&{R<*j(aO@p=}mYq#&*a`%Rpgduxh#hRd>wWc7J2O0_5=U;a@||NihH z#mc&A)w|X|C=y@#S~MrzS0E`=iIcS~%yOvWEB-X?x31&q(B9KkZ4H`4 z_ZTbTur^PSA>vI9;6O4{+U4aLnf$miWwSQ)7yv2jjXiq?B6@HboosypTMePSpy6Eu z3mgc-<8|4x%0z}M2cegJ4Xq?6)!{JMB1cGR5*V-iNrCb0DqmK^=_MgP9y$a4-nP`& zrT4wiTh+m-iKhSYzVu*O&_4kG*5M;>vCk{53$nxC@V{~AsCi>0`-liK*|0!LVrIr` z5&NY}4_55rws+5#{@p2(2&77-VQK$Tp!As#C93PnA8S!4^c?8~ek9&nVdhP{$@$rb4Cx>SQN&OA?Zc+<&Zv{E*a#@X3$T>1&Vtl8^T0 zv}>ZPxbxN7(i<%Ax|!2tFz!rpTp~rMWbqcL4Q1C}ipIneR<9*GB@<=Qp-`H`$J|Zs z({iUCA_*P>c<8OCJmrS9GdN@5mGt@2CNZZfN$!b|GueCg#n12D?=@f&=x#r>)YrpYZ(bs*E2P`LMJfL z`)2q@*qOHXb}=Qf7$;Uf{QNDO!_W%}>xD&1$G&_TdiAj1{nQ>26=?A`vGz`|{w12- zts_KwL$RheKc43lTNs_ElDRj0zaHyS7#a0FZHPknp5P_g;c}53CDO-1Ug7>Z^VJf) zf_qr^2!oZ&2N1ud@eJ%AzfiY52mdfQdEAyqofQwWcppx9Peqk(GeR)6L@dx{GhCOXW%d;CA}j!5iKHwh z6fYvBjYe5=>A?qIsTY|&tQ2(pCl*wqmvaZT@iPxE1^rJ|PQsZqKt5yYEI6ZpD_DiU z$E07dgC2i5Nx&TYHoxcL(xL|4k+lnh^x#wr0fyPozFeW_hg(ehN+-GK>;m8x@;e3q zH&GjfM7~<;_n4HZ!}21n56{TU(1MAirRklb2X#0iF>KkRVk>{b*5)>P z`HC>IOZW1^i^#2ue)LFXx~>JOm@;Z57p$yIXPH8<^Z^}l=`z)@W{pI^hI|&)X7omv zG8S4ETV~$oMj6bzW1aoWt$P5Ov+;F&7_ZgxVKCuSyV4@xn1my0F2Lc^o~9fPl#giZ z8+QVe{X3=GlhV{p4CKI*< zE%;^sekA6pu`EYF^Gyuac_8mnBfIheUTHH#kujK{%VoumD!)(m&EBO$?28M>q1`cS z`CzkR`er1}hCf4yaDKX|lgV4bV*=Bd8RnP-(12eDJWd?HaebpZ#zUZ ztp}|Kfo^&L-IG02iG!>9WlEAMf5Fap;3I2u>UX!W+6U7>HPVw|6XQybr(142hs@5I zIDsm3b1*cN&;+Tyqm<#Wv}3!Po-Ff^eAN;+J^y+@>o>{|2$GjOf^Z^Y~QL!4Ja)M$OTXdXX8cMRM@yMyg8Ovp&UYK>H(RGN z=-?d3;#;0cpw;1!jSSAxFdKUDxeO|V{rQ1uzyVL;jHH6Z3RNi|Wohzd;buyQRX_tB z*43lYixDV4F#NM=T|oIW#`#5uXlze=P9V}7aJMZHdlI0^6cei7E3Fwl6KCm7^xIp0 zztT>Yx#uGiuQ=Ut72`LiwH7q0an_gY$V&d6JM;Hm&nlOedp68^)KPBr{#<`xt1x>V z=_~8luP^wZnTD44OP&{*?`(2eZY()R-~OH{vd3+>Hj4kMVJRqK?RPLQxipS1nqMI6 z0EprB%b^#k5bA5#2=qYxN?bluXA(CnHS1YSS9yxe>%)6zuAgHx{vYnul04K#_O>cX zSCB5_6|&-zDxx?E6tMcB{%4^?O99i+pnrUWkmpixbXLnsm z_{MDBXPZB{L-*d(XqX9wFfu&@7xpIi7cnjBftJR+x;LBXi;jkm&PKzocaxImJpQb; z5(6#{OO+0Fj3S-a`U3(4^ubUH;gXP0bPwtLH$-E$|L_r|BCD_4dSIOiU8rsireXr< zXV6vTT^6D{oD$&UfiXMJvA4A#{T}Mn|6OGal%5uNUWQzfS?O;(SznaDm0_)-{`&Idfp#eBSmdgPtfPtdgffT5c9FG> zi4`mR6CaedCL;{Zv1qGGBwnX?deszSfkpmM;YA^uP$ws(&HOnSpiCVM$6J`Xg4nJJ z1xw(;1(wp)S;4RIDpSGruqRAw$ZBs3c6@B`P2uRrsY5W)9hXA^|` z^43Xfq6OH1_wjym;OSs0`>8|LOU$__5~n8%HB46Fs5x)G^P{2q3LhCW*M4 zP9J;Gz?)!`rRzcU2pu_A6woBpb9-W8Xg&_WCfKp}Uj;~g=m8y*r z8D6a6W;`avmesoLag9~U7@qE$ zi-Ld@8rt>A@$ZJS(vO9d3U*U?G(_P~uL7~Lymo|p88bkIC`jI8w}z>=*92INj&d*q z4Gw(|N^jOM!2pC>l%jP(Q`vv04%UMRf8+Cu7)5D^e`fkwmpJvgjDpMnGy0~ELAt^+ zQZ4h7qF(o`Ce4t*`vxga?Br3`kl3mF&ETro!o&Sv-UXcDD>F|JdYmPbaYU@g;jF}r zSGO_COBhMFu@IgB3GM9`U&~@<=PH9DxDkMIY2=faZMynH6~Wf0AY+>lf|k7A)&ce( zLF*VuDIh6n+}c=?AK~Jmqcq$fAPvY<802PgAuc%KEqUM??UcsxM>qD=g zdgUyXm^9bHzNSI&(-l-wItV@lbpF#`DNzwGbP@QH2unoAoQYp%iaP?7qNX6x)t(JB?arGXiX0cx($U7=^h4b zQ1@m1_7c#uI*Kp97l#BEv{fdV+en5OCIWwSfui3(tXFha82U&T@2}>g;NVW-7-CmltK;8dezCSZ8%W|6|ZYr3(dX=I1neEM9qzmj) zVBz*|Y5Cp_JOs8?{3go{JH$0^5U*`uqUoSHhHxoyr|}~)AhYP$geBeMW1Khg;WH3D z=xq(?48~@Xcy0`b?cPWFA}RTQvpUrxxUFXuuZckKzkN;W|EaCO8~lATNodu!AU$cL z+m6Y7^~}zY)p{@5qP;-?7aP*X$-n19%blTrg7Y9-6i>2AE&WrU5vk8kX9J!#D7u-Q z66&KKhP{h-D^J25a94r!cS6thnLToZmz%Sp#P07D(`@K>A>u1B3jq@U7Sq-U8fED; z+dke}hQs*dC^Sh7M@rYIFlqE2$;0(sHZFGnxD~F|KDabib(qdhdmqiuBzDe~SxKY3i|)ZwH(y*H`IH-wh2X zJzr`e3vwn(C;+5&^wfPP6>rI9hrn^{sOm$lFt0OUMy~Zux;GQm-|yJbeRN7tmDh!> zD>VA5=TmrX-Sq3iS~O>9MC>-3eSg?Oao$>e7*Ew}R3 zcf4PKma=u?Q??Xw_#x+w@b7`IhV>^v@}pByylYs@?XEh1cXKRjKPX_KgnYhG#H-`G z{OR-<@~fx92bgvmqyJ6T6q-NRD91L$`S7a?fic(F2v3^po|TvGAuJvwAdad0w{NfU zdv4a}FOKdDtxqi-|1q$Evvf+BdPA>29O!D!Iw?P|Ed%(i)HFwj4Q;=BJF_ZmPzOf~ z*mR$V+AO};5NL}OC>isd40%G-Ju>%ie1Egg@vhikGe10MF;=j=8mzH*<0!H%enNUA zHOmo0yYYK6w@9(+|0T0_ZiR|Y4B(--G?`o|l;G@gBMhSpIxA1EC}r65oUf)XDiW3f z?wgB@5zW3~CG^ZCRZx7LcvdlEGtfT$re*il^NpqIvtF854d~fd6))^JW|s}ls58yi zAGoxvX~T8j)1KwXt7ykO|Lq+7qB464I~6EgGuwfG8dOKd!R7yw2Jii{5xWl}Y*`O> zOF!VX1a9IyP+yw@+`~50 z=5+XbDE2Kve_^l@x-lgAN%vvu_o(a2c}(qtonxB7dO4|u2P@}0H3oZ^7M@B4#hLJT zeamQ#7YE*DQ+OL*r1OT_F{`cHzXk?Jv~}IiWIrUSqcy~=4{>B4A9~rOxjau=qhB`M zYqCM{4{797t&EA|K&`4Jo}GU&QifJbCV&yw57Kn&6w2@$!%JHU5qh|%ozmh1)J;t6?3w3=$8^v^DHOk0oP zHE;=1zgN89Gp{WkB^PMr5GPr$N?}WBwqpJzIuw|S^-r(zrk`E1t`=WGMTRlFgz_z( z;LNWyxOnf&tBB5+wbtib$MJ3tPyIT6m=5J<-gD@)+gz#mZnACa7s%Tww4CC_()IrO zr0a{{G%bx+Rr=bvxAyHR=%ZnbYzzA@|7sR`Tk#$`Xb=NpnEhQ5L}IOA$Yuw2RJF#{ zGW`2G7IL`8_&~+T)V`-(?+2e3n=TLWIYgK5JW>ZR{cq%^md!<6C6@hi)Clo*>Wa$T z_TT%aD-nJeQGE&3qdohSGOTfAGcoQI%UIFV|M&<9Pl($!5=R`L2lqPf^0uFiDLP~1 zKSaaygwpo4YB2q`&XmTyON-PYKR1uz>AxvjAB|!H1ohn+6cJhS!NSyZ<6%EQqLsF5$@FQ%`uK&T|14?yWsx>vb>tMXj0Yo$Jzdu7Ync z3`@oRm%%G}UI}t<-VLk-SWNBztV~k8FkNXa-+ejIBbD#gy$&_Y;N{4>1RD5%B2HT! z!%m6&vRQv}LJ$&J-yYi62taSo$JuD8OC64?(qk4qo@G8T_It1!xpNcDP8#$- z^a!%Qrh<15O#X@^{$b@cccwBA%yRec>(`<#_IXD_Z{8^y`Cl)}Ev&W{5|>*QL$er1 zJZD{c_{*F{fG0*n8JyGgQj5;@W@uSM8+myJTXG;CdE} zHDB)$QhDI@eUsNUC$@%T-u?bn$;Pc@0(Dsq%~A-F<>k*cqocmIf7c?dziU!4R_X6M z`Qc=K{?Rx7S+JS$X19z4NIFysd(3|`)Ni$X{yMtBle7E0h-t!f6z%>j>F+04JSKpf z`Y-j!wI(sd!hR#uAmt+LQl`VdQ#enY8PjDSU~$E{k(KEpblpet4Rx9MO)f##I5EG> zQ4%4#B|Ys>J9oxtSi^ZnXIy(?JiX-^f7OWf+diN;V!b+eEV@}+0arobLao6biirmr*bkIeWTrqUgwA?{OFt`z zunq6jQpF!hz628G+6H6_>@z!ZW;8E^xq~%8c`0Qb)e;bM!sSmg^z2?54SNVy!z?Q( zgu_AHpG1-{`W9^L6@Ew*nJXbr1b!MFyVygDGX1=O!zJdXpoCsHn;cDFiWIvB5 zg4hP7Svt!x8neUD^_mTOL0DH8`eS1Hq?kaFLGe2Fx|g6?7w5{Dd@<2GE^>}y!3|&+ zdUX4*`fwTkd#HV7z<*kM22XQcvb)V}cjjCnGY%CyC@X&KToUpQ-@m0?=IL>dBWaMR z2pd`?zz7#Lylmmc1{-<)z*f_kE|eF`95@8Ssxf*izkUfwkmR^br}LgsfAQ%YllVnd zRWv$B*i3ACn2Qn>MsBsIc(3GvJ4i`Ex~KT9TrVDOotM9tQd7NAX4fO2Y0l#LtY5kz z8?nFUKwLTua1-nPun9nT#rJ;^3B{<_Z3Ivk6Q=%hVy1j51+#iH^ z?bd3FO@0WP4jpxh(Jg>j7;pG`OT`D^jwY|CuAHtG>aUjl4vemIpUnJdxTOh>$>s+H z9h-;^me)tkngys`quitViHoZ)XCS6A1Ffst_o1A>#UwR#ovu}c&p+HPmO;pzK`41D zLzf{W8LN8ThL*;-o!y;dG9b{Ev2Yl@diQInZ>v%J`QE_1H{V|Y`+`4sDN8OC6&J|^ z`lgKdxT1Ls-qI9Gh~T91vWhOYc)m!&R)wa9jxpfVLd`9#w9=VI@>4oras}*b(`Ng1|+Q6+SAw- z_alNZNDsPnA)`R7IIkFl#kQ*XGWvLA(;@q+Z2!o4Axkf0`Z%QtVxV$SvS<~VZK-e~ zXgB0+UH$adY1T_uTA>9cn2sEX6VzVFbgeO6-Rb?Of0}CO!TR-<5(uC(=krT^;{pFf zV*~5y?^nmSTvgq_6$36W)pRdtouJH7IcoK3z}3h4CsL+3*Wv%BV>7|huu@yyrYk~V z`Krx(=+;hffuV6z!7tVE0}|#KJI(m@W*m_e=({AiUYh_JbNrO0AI%DyXpUYlTOO+$ z(q&N>UrpFH`K_qiueILnVZ+LYi*z>mBmu@1=4MD@svnOAyJ9}S1K$BM_-a+lC(9_z zJ2H&5#CO3VP5TLx*3^@%*FyprWy$=Q_B!BHl`1QiuaxG7BOuZwx1`%yCk}6MkuGiB_Tfo7k zK7=Hk!n3MoQ^)KG%>JESj@+4!{pY*nUfwVya0VDp)2Am&1{MB9G-<_rwW$I~&56sm z!$&+VRsrgCSiLM`;zzOzflm*J5$t91TW9$EREq{zAX9=tlK;xEP;DH|whL?&B#>EZ z3Ur$=)vX}KhBEaI8E^|eO;2FE+ouE(-Stv!Y05+!F<84Jqe+pGUV6wyVqp!aG_il- z3ku&WC~t8|RX7Euk!meTeO=5guodiOT z^e25f%7uTN#y%z}^$!00#`ZpAr{hJiJ-$p1^^?Le{=_Iy`N^pECm;7})No`*6Ia_S(_SKr?4ow$M z=$Bl>MH^9_`GAXtqsHddv+ylr17JG#2h9hz8`iuuHYiG&5gP18r$zD(9Z%I3yY1%T zggG1byfb>=Oi9A=U2$nZvf=BGzw}$?4Qx@`Ew5N=xAQWxtZb)LIZ6z}Z(gLD+umaS z{c<8#J}#NxZ74(hasHj1>RE_d+jD6il%|Xdb**xKnt$ap`zEWBzgP3(wajnQ#XzkC zm6PKi1VHR%>mvR9)H9u~WoIPENA@zerb-j!mtNu^4qWA#~l|Mj{u(e?%1pu3Y74|Hrzq-^z^jdBMnorbr%JxNFsr% zR6b2Nk9GCOiX>W)7AVkJ&-|6k8qsCzT*6&c!9DG1PXEprWc|syvQ?>@3S;ahs!8&P zv99G!s-hsZ$?-V?Dm<7LeNTIQozNc~wIP!$VWp&DoJoG&=P%+cOQJ<~h^9@8V#?mu z39*R}XL_SajrQCpd`r((o<}y;Iq9CW?voZ;Flp6_9kzylm)WJxTVSn1J&X#q;YX(> z3xoqAqpx~I(I>GIp=&wmiv7!7J_}4?r&au} zfFwER&Uz#{lcJ2eI$gW;r+|8Z<|Hlm(1h2>9$G6ZSht5ar{>Pp(?a#sc)qYba%he` z>rV{O0ZiW8Gkc?s!GFdvc$wArB{zaZ{n=?ix4!)y7V4`ddUKS(=xaFFkQ8N}HFSf^ z$|HWE?KX$xV4hp0_89_bg9zDg_FP$B2A?Q2{-UdB$~ON?zNB!49|yGvrI8DW$@hSc zRW=DgmnuSQk8j>R<&|k!L-gEVZS%EIb46AuJcIgnW9SSrNwC)5i@x0#Q8qA=QK4?s zI?Zg^ppdO3Xv4KS^=j2#ymvCL6kIHWlJfcGW&0TF_k8cF~MK(!psQ(qY z6HNZ(s^eK^bD;R0Zf-5aQvo}06>FlxlYszXr?w*uHJAF$9h2JDK%*ZkK{ZEc!48_awfy zu%O!=6&b}2xyxj9w72MUYiltJ%biC(Uaj_DrT5KP z^EdTP-Sv8^`hDW+?{p7EJ)NYZzqGj)48UyQY!TfMYYIRPx;{Q|bYn zlR`^XA}~cUU~rXRD0*^F>VgMK`nLb=3S=!SRVk1j<&&MB{>(WyZ_a|O^{DVbY6ePa zor<#bH40e^UMKt_W*yag_4OV`<`bF65i~;_O?U7>Yj*SDECTZL$lhq^ihM;U84$Qs z2OWPPaR~FmL&DfCC-qaB6IVYT6Zr{TLD;+BoSXB=Z`Bqik*!FjW>M|Ug&*|*Ue5R= z&6eaC|B4)Z^ZwUvTChAK1;@7fJY&e`h-^m&UCe4<+uE4;!F^8SxmP;dwgrgNJxYds zrMNz;9&$Y-w(=A==K+8W!+g8Ts-OS1Lm>euL${bc&#gT&Y*yH+7f@0HO@yzedMRxy zb(0NP#B*cWANCw={lfGmWRj4DV-a;v%Lji(oT)4sbaM`9{2>2&{DBT`c@+m0wLyAx zOuNtnB1sbNs1Ie=u!rr#@#^aOZCG{YY@*pQ>)HWXcCd}2B`MmJm7V{O#lUbQ0hWDc z_x#aH$QmcTfyhyaA=?=3ZpMV4N8C$*Y38?dS<6P}LA6y(k%4EJ?7s+!{?lpc0nv14kK=h+IJr zhxL5862L9H8qdR=07yflQ_gb~?uOk1_Lrzt?*@iq^rl<)9L1@1g~ zslh`Vd$QEW7Qp39YX-3RmAY&h8L`9XK6LnH*6Zl~lM7&7&AjrS9JstJ28>lc;Uo*b zlHiX-wWsmFy&Yl0tz8QD*drI6WG6IjvkZdOk|lgP7q6pU5Y2j)Kyd!C@`zuFlF`(byZdu6IxH z%$1WgQV;o}2Yt%sF4oIZX7wf>yE!{H)tGJidt*0eN0;c$s<~UM)i3wC>#1+awtq;u zT71k;@z|o(igvgbc_#2B^O$}CPwbT>R|lf#tGb(x->-guOf6~^?rvZv*3!gOerybC zhE9HlVxKx5Z_znBnY@($rtZET(aNt!OH4(%lgY9rAgh{s{9&tH;x=1v)Y;l~AI{&k zLv6bdW$qCWa6seP^;D?7=Mwh``q#bOdG6W!N5>kNt~Z=xzf5APHw;O7gS69~FoBr^>;4d2x@WH-w^Gxej3 zbcxzz=X#F+*6?Vyo-L5f5eX%64dLR*F@C!O>y3w;aOe$se99mY0Q9-q zTw4gBCQYJzg};+}kDne(hNoUe*eTC-K^M9FmeUUGLr}jvldHpCLmxq+73%ruu-Xcx z?j_4PASny%-e1DWLMCPA*!zCzt&O7}?OTt}Jzt}<*D@lJ)Yz+p%dU6_l6AaC^-6eL zhSw;FyN0c=E05O}(Wm2e5<7!k`VS&e6>L{ZsbfEMi<)}v7N^C?JF5cyHt2=m3HnLj zdduEfw!Wx-F3Y^(cy?b}(Na)$KCumNk)|f=I6l?SSA{{6YmK-wPv-T@IiC%(jm4|# z^9hUQ_^S`eKS0l+>12@9Oz3rudf{3#*0+A&2tq2kb_13)i?i|@! z7?-Ta>l*G@CDVay! zyuHaTM;bwy5cu#{;9zVJUQ@tX)0KvGi{H?!O_u9$)6T5%Tpi?3nQ@K&pK13aEkNb2 zwYK?UlIzKlSG_$n*Gd1UsmB|r$8!cJWtN`i1jCc<%ZSq*&$ya_Gh3?x(v)?=^a~PS z0|I6n3))7QD917HaGc8}P-J0P+UUKwgXb{U>_;-omx9}gms*h#DfeTx`6o zwxGs1B@XdV|NXMXjA~EO-#oy;b_2ruq{bIn@Bvc*@I`SZd%u2$vqNAX%lkTJ> ziwx~aa2=6sfz7uz5MSEiEd7qz}ndJXtSPVthHM7CRs|qdG03#U*SP z1&B4?!*@y#54mFalw=WAr@_`1Weej*t@mlZ$s$Ut_U`rpQg>b@c;~ z76^iY=@QXo?^E#@2o|m7P=Q8`Qd8ChHk}8N(!EZ^n`@ZIW-iYA)vG&MWIh8O(RQrI z5qyLE(6SG!8kRfgrp)m0Kt&B&>rlz`FV93Qm|q2{JVFqUmlhu7%sHx!XuKtve}oxv zp*hZ;XvS?0c4Y0=lsOzX+HATn@fbLgG`$gZ*H+{jFoBr8qs_V9*|=%qN)%h!>uNFO zb1-xJ^T2tF`Ki7u7UEZc8?b4aGQoY}d%}j>w@fcFwf?!p!2Y;**pgJ_y<=!2%~Yx{ zQLCueAZy?sTe0(=ut3<~d6u?(9;lVv{oyI92(e}KABMV%)Y0R_%y0W2A-=CYuinr0 zfBf*fh&dbR==UESHmQNzV>n4fY9kVq~q5Z}x$O?NRKoz#fZmt*287Q{4P^1flahy&cyn0rhYWZ7|6Gr4Ys;A zHmS1XUw?_4d{=jyopn|RmF_L%vt>ZuITqk|bux@AKanYa3x4(OueHP9t6@!9g$G}| zuF%I%w7wm4yZyx5tL_p*0qx)M(4i(m2GUzz-3=*|UV%yn(q2NAoJ*Ol@{yEHaQw^7 zZHHw)PdM`x$t#{E(biE~hmhp@=(vT{8{okNDxru|%&%NUJdl~ZR6kN$o+AAuStaY^ z--?AdvS1ex{Vvzn;FRNKC*sbImQNlh(n}U2Fdev)6_ePm=1tjTqDgsKFv51D$}V6X z*CH!(`bk0Z)UVf-WDOc{1HCf_j@5(}HIL;ZJgTysotK1q&+0vtA`Ty;j21j5rviLfWD(U<7Y-xGBZ;&8 z8Pg=)=Oi$S9_gqVu0E1bovX$>)l&ghW@oB+ z51TIu;?};K2vn{E66c+A(nTGX`W(!O_kH@C0p&~N&S_3Y)(GiN1PH;ym& zPI5xHc**W62Xj-&U}b*>;8_HuArf!BFV)ykZs1&g5Fehu08$Y;OtH@8Jnd7z$X5s$ zecVTt8uvizG>P<5t)cRvHPUyvK*`|XW&&NkgSJ84T0H!;KmCQ>ul#nB+rM~diOug#>F3X&^vMD_w@#=4E-c@<=*-P~{=|Xv&uo3UxSyA?W>KY_=t)+^v zQKN(2$o4xsa%ZEPRoTm%l~&Xz>a-LK6!Wl{8+`!F@px065lF}--0FS0o>I>cFks0# zHUsb$r5Q;xNH>3H66bJRcdOPS~90MyU#Jk)3 zG^cNA(2%!(gVg=qbU#$k&-M;G8VHv9CtjUSl}n%Hu7uib@Ax?R{P~lXJ`4M~<5kPp ztAH<&WIT&1^>{iz#EQST@X?QA;%btTvbMAh?mESNfh-o z7Z#ymb~zDw)RYK$b|f`o#o**{^TevRv9iw`YJSLVna8(a$d1;8fmAblLi!2zPEl>k zs1V1wJI&m*1;7Y*o3>+S?bnP)=QI&w-Kvr)JyJ}RglqkEuL9ciTUPeDLNvDV-{9Ra z`cjwrz4@=v>b57?%P^ZZdxjtVXnlHMKiMhyk;8WX!BBxT1$?Qx=E`I{CDq;0ud$1W7P_-H6lL^Bpq%y9v?k#nd}7ABP{M9%arCp+x$mS0qQ5QJ3z;fTG7hvKzk znChQ4l#Jr>hCEVC>GCVFpUdIxm+HA-Tti+E;0;{Z6piwh|wvg7?r~ zr24&8(KOGYv4Uh&P*vlj4+)wQcEHToS_aK2Ta2IRVEiM#Ci|k*=+)hCwj-Wt&1UYF zGV{GsK1Xh(cTd6lLrI)@GF-;VBSjY}O^??nF8iU6RvPW0NQvVmVBp-}Z`{54+wq9| zVGu{-iPQd2iszvM+T37oj%A;XXEW1Tc#cQbEAn?;V#3K68&y~ec^y`|!G88FZq_d7 z=*sfdI^rmhF`Vx97mC`Og*R0^w{H^P>gECWkviV;HqH1Rg3L(_)}t!objdAJr-n#K z-{^T!>k2f4sIN_x2SS@Uw2+rO=XH?iTq$1=^*hFFiy9f@@1j#adEaF(chdT5s?(gt zh$t>0c!bKpPDwd0_c8gca+gP6o-9A1`nUu!3UguQR0tFH#j0K`A{D}16D0~vtol0G zq%E+yGIS6L@nVRTDg+1Ezna---%WGO%{x*Y=OY}m+R+KqNv!3&?4{Laq`K^A?=2~P zlq2C{S7hI>7uj_C_O7C!h>1D}aWAXU$^02Ga8$E4>96~Yh~3I6eWT5W$IAYK@1p@x zC#NLepCWbIL|Jh5vtTM>o$p#A?DK?~JwXbs;N|fG8joZ%LvBD-B5PfN;=IY;)9R)n{o0B|zhOUf2lU~kS~?1S z{&gkBy!+#Jo37?fslOH=)TC-T#&>3kbpip9MeoD|k%a7<+7H+uWFsX6g78UwQj5*3 z1G7!*iw`pm@E!`dfV_X}2-*+%c03rYX}O44;SBJwFDXf^PJ`8(QoT|`SVhILGA+zf z048-6qd}CtYie{zt4>1wZ)_^E}X`4IxpyoE-(j2YxWgNq8 zD?Y9ArY&y?P#@`!`jlrWSk4{mAF_5n)~hcN`#}KWDJj$=+*9`@7_GNigCf3vQ8x{N zeI1X1J=@=|Nzx61LG5NUxqVnEo#Lhmj*M@voQ<6!`G1fLX|+9G;3u4d$scNYt1PcSag*pSd_dO zdcgnU(VT9vaklZR2BK+P2uXE;kZp_*TP%Ul4SHSHU3m`n$05T}3`I6_tIFc%);Np` zXo!#fr)V+fdQK(9V!>s647#^1#d}`J`aa7WURcHNJdF*cf+H*`ChAq`?pp)5g{}U$ za2ekrc@?28t(9;mx32{K@yJ9v0g*9Etd5Gss1BDGa#=3vvshJ^vK#`tn;d>_!pzYQ z9r~mYLm4A{I&DiAqb?!$NCHzJ61~eK1V7~oH&1)!{k2Y~!-XPdi?#Q=gHKC?z=*U(xp*@BW#rr0qQU18dYs(13dY2u22zi$4HO$5;3Hgfw zJFE_NcNVB9!ml)+ErbMPjA-6LDWF!N1oRA#N4F zKUg(Ub@wm`rgL^CB8w=N_!F>kWjv(?Cxi>3OAws)L`i}5MmvzQm{sp}6+zas-*z_* z`_2ls6vFZROMXD+X!p_7Qt9?}Yeu5gUzeROSDZw_&PO}X{iOceQW}MKygAG`@n`fk zN{APWvjnE#fV8cZiA;v2o{sF zE1_s?^5;F`dCW}ttm`EPa+wd!?qG^P6L*^02X}9Q-<1NQinY~RPM_$`{)`u@q6A3| zt=`6Q{W{Wc@*e9x-v1XC^z9!OWZhR9mrxONS-S( zXcJHU$p>1;T6}($qV--w&TgS6n2v&H9VWK`$`ZC~6OVf!AhOO)T3$_QqH{u3SQeLb z${Wn4px>UTN4#vZ#-4y)dzWVl#%h}*it|L`9(M{kh$!q?;XAa^!^yDBc2-gR{`;9!NNTyA zQzkQaKnT~F$0ig{tl>QCk$t2`#alXYZ8T;+F@I`NfiNz2vrBA>=SoFpCY=d&Sgq7` z!%0k5(~ljlR|iD%_YU8PH5#qvD2c

        @!aR^4|(V`>7A#cAAO;1Zo*0jseJ$ucewX z^f~GjODy*Dd7VRvD5L!gz`|0iZy+AsQRHs56gPVFnoRaXPYi(g!le*y04kBioIAD* zwl$>;^&BFZY9wf+J{gyw+1@9EC)eTxlH)GW=0uun^Ku*#U(FEg!!)Y+0kj$(PZ2A7 ziQ!HWSmzLuo2}XJk)XX4yT4XGV(v9h@qgfhGy|hr!{p~>mM6%ma$Vy*-c-J*7i(JA zAn`&j5QTfndn`UJ%|9194^ZDu2S>96ilg`8$8Km+{6;u7u_#f&fEGl#Grr|f>f})8 zkg0ImpyJBf7)aW@bJkqm=&?-#W=Z3xNRkCxBe%w3hb|`&xC@epX}-zdoco>LaklwM z4QaYT^IrTLz987f8PI_7vg8wBO|XCJT>_o`)>wGi_?N(b+5gojSeIZA4rKd7vz6^q z{Lrx<7P8`2_?){BKfs8|BPOg0&ldQn*RLwh+35CE3rqWF@@%HwjvP=$cpj0KP0wsa z&2>?l$K+5NPIji9SEu;w zbh3tDL7nN-b1C?X8h?t(bsW-5cL0 ze2rgwqqa^!V5;@8tO$DP&B(nSpAr~o8aT_Z^Wm9A+PW{+AGRe>ACQeR=q4Y@=F9PF zDnA3<lx$u50a1B`sOT$=*AF%lVVwffba$d zZ9OkLoGUroYIU2l6-LWA<&w~2k7;h_Rs*ks&bPYFpm2IClBT&FwBsX5M>D};_6ise{B3V*v@SvQnh}x!vGrs zfgk*q_kQU8D*ql7eiFC!68ZUWZ+wx7inZAywo4}l3wFP!#9WY3y|yD#curZ%pCmGB z%b^NKmi%z_8e$Os{5Fs2KFcE)WPZg$j7epCx%yBjOjUZXmjgBGjcw=D6?|-0Y?)r2 z!+Fl5v+|(yJ7f_vx+RNw5iqJPw*K(64>+8=myvrk5fjE1OkWB1YTMR0b+<*?Sp$={ z@)5u9WwRy(g0p7V6vZ|I-A94yT0%OP_#N5sK6z9l@o%n+6#w;<1_4y38bLKa#m&@+ zT7v)4QDQ$wV-e=bSj-8>7c-pfzW zMB1&^FRw!ayglKib_sUcL$%3>7?^1pBudZH*SI8XQf0VSumS|v|0GtH6t#`Br{TN`ugc@TLWQ;@`rgE zKF8Zz#5tMiKd0Wtzz+CFhk(=V?+_=2Fq4avi42BuS!U^UlLY!)=D3qIz3R%=HP(3j zjXmKC3LR!Pb>f7Q5 zQRb3N_J+x+R1@a-eCpZD(?qsN9qZnvx3rW(;HvgfChPj7d4B(O&z~JE4Yx8l;PMMH zwF9me8&clA`Z}XSX9r^G&^b#P%5zV+bJB{m=kVs)a)BQ}xWChi!4pz$shH&wqK9X} zE$B?%Kc6U{%)7C;Ad_)r38a?E^`07AKK*M48OIsK-W$}i(OU{H*&?_dR0GV3BY-s5 zMaQAUzW0h))~;8-u5orNZB_cX-ojME%@p=<{o3UtOdC>=_m0l8`|T z)@Xh!e0_QJ5}59+^}j8;QwGlrJ^`-t9#1)1&a?r_+IB+&@Bf~mdC|d0B7WW{?;ars zkkJDVr4}9Z?;o!Z2Es5fF_PvEpWiQ)+%Fcw0D@Cu%JSdKk{!n;r!imzns3qKJI34^ zC;{r*4Q2|JAX4xmpx`R9i$n7(ch7)xU>x&(Ed2%RkEHOkKn>9AX@y&RAMA4|gpQLu zQiuX;XPx3!e;hYSqW7Zt9<}Qu%~Xg=V&4Y+a|u*mo3PxH=3PI4C)hobS%CG})chau zuQ(|)-eTs2>Z3JV5&x@@bAR^oL?AUaC|(UB(yTVHkp&%M09`7%+MC-%GDs$)q5^5tU?EltzlHOa24( z+1_lrn4i9@#U%%o@DVnD3+2@6w()8=WqC|mafkW%=b>s&i9EJ)&Q&>U{JpXXigB|Q z)jW-_)vW(W7XKo?CeIRgTC%Y*0TbBXs|!QoAi6+y{mlJ)ueG_+fG#3>Ca@C_N`d@^ zJoFC=g_+NHy^Vm~-V>1uQ)M?s^bQaN&n^pkGJJn`u&aCoXgM_F!UImiDSER%Bfjij z_CRUoIm$&!?jJ35eNsvcT)3AdMn<^CHMzL1ZYHkcR4F3cnMmmP+B{ncWti6almVH} z3^Aw`;S2HyR5bq1HrA!Tcse2(nds9-YW6D#U*mPk4R&jS{qeeH_f*8432AuxHmT((#O=(*zEmW8`@~#~1Su7BCAGlEwbbtp< z;69imL@y4;k|5*NzoCz6>$WcQT6Lk%hhc3BgRbUo&W$w2K3TBCiowt2J5MdYoEzX1 zBfU3L&W^S=5kJ?{w*>-W59X7@RgbgZneC^s^xgpxX#H`b1WC%~JP>dNeaaBJ+^kDO z&29D%(lsBHt|T@Y*qa?Omn%TkcDyGV)8;O>=C<*e@NIvsd2ejiz7aIQRixKO=Y#`! zai*9G0?b7q@1)4(^akG+6nZsTIULG!yf$brAvz~;)aZ0ozU5cBE(;U#J=L4O>V0pQ zfG$fo^Xc`=R5BiRg2yigMfD)!DORt(*t`Qv;mq;#2Jc-7U5P^xKA>AbWlLb}xNt+) zMm7{6r_0+9ySJS>v?Tb8S;)HArw4T23Ub@S+KgPXw$cq3A|B-;I;4Q6%T_HSWkuRa zEhVRPneLAYTBKG_x>Fi`24g&$O*&2kGS)T1uf*FvJ(B2(M=Ee{!?lH`t?Tqipp*PT2d1qaAu z3>G8W5r(u|LV^X!UunP6Mi5O`bnBpgssJrs7)Q3aVJ_artC)CNUut_Q^ecGh%h5rr z2uZmGIxf=;b*1;}*!jdIkJe1^#w()IRfKaW(x4EJ6l*SkanvYW0WJKerrf; zOG{*`6+tCF37!HiJW@zX#TtkMNS6z-cJDFCG#bn63DI@tIQo0o*UHujaz8C|ed@0;1uI z)km?~(y#k>Q}KKdee4M(*L07of8Kxko@v&7Um*6gG-i5DvTR)+(u!COp0oAGR9`^l zSo{uX(x86Baf5Z{OScCT*!+zb8)JHjTR6^9ArS(YB7B{ds9U-~-hMD8-rm@r&7jxg&e1A1M1o>mtU1 z-r8mlHiq%6f zHVTACv^(_4X~ztz(BI7MU58nwJ^9oF-KoYOanj2yLXhyd0wN=RmhaSFX=jgid`9f} zC>?AkNv~!~&53W?IuR|Fb|CeX{-==h&w|eXer$bBD@-vtG%?pAa9DgaDKk~aR&qDn z=)D>jl6mMQLrSun*Lx*dJaZ=yb*Qk?8MnA#hr_}xTHd{0_C|Hiyx(lhiBELL6&ywa#(c-+{6~D6(p&gYjq;%3+?Bu-G z1@UAIgxqC@*wASDD1O})Nt?UNp*OQcMmrhQm=)fTskCrbb|ge5V58ub?TIR0I4fkN zzn%PYf|LHU<^I#Y82|MRkQ?1p!KG;ZQURa4HkyA9?(sU`yYn4+g(J``c8B_AG|%4d zWU|TZh#}qG1%eg`$&2&UEL>`sQn6}y7!hn~!HalGHFTm#wWO|<)c z*wh(AtUoY#=NQnBi2rW3s;_#ZwQ-^EtnMIZmDiwIZok!sWfr{ksOO22_v3HX7D1N`hb~%$=Mz1q@ii!x zac>7WZL%7WoR1C5D-j|aA!5s@HDVs>fkcCx~qr>o6 zy*S0k%2tJyn35-XN#w~pCSSmN`E?_Lru6aQufOcxUWcr9uG^&so^Wjh}?lb*0q~gBJ!44wry9Q6p6M{f^IEBW~IJa=EnRMUsiY z`v}8UpC*TZ5kU5AnD{4Rblfl-NTRyS^xpnwORc1}UF`^HNZR{&)H_}+EGMiXhsQCQ zGhd~C{=n2Wm%xKJ1kxZ9#{pryCzKG5{FvaZ;`5MNI)||3Tsy#Lx_~r+J9;;-_Y>kb zG_#W>E>$#N9R^J-?OTn7}J5X|jP)k7yf zs#7jHjej%L&IzfiL!r=u2;7ghTjJJ_felpo1Lk>%@{Q^StkbeUK871L{0%pv#5U`I z>tZrnTL1;X_FGA$g^QlfEYSW4MK$}KNyrwIcALzp{vr57P*Np(5mP#ptfyVm3Y6Cz zWz-5ww;doT!EYP7hU&YEbS*zCn(PYR2F*GK*#M}#K@H62~}qSc-V zqUBj_6G-xHlVA9FiBSrGQ4wn?*=z_!1NAv)_&;64|-ZW+@G~9KFg0H-R$ga8F=%a+wnJR*Y58w#ThWZ@JBY_ zt-oL7z~%G`%40ip3c1U^KVwxoP*d|}n(d{A*sS&F6q4;Fp7tX|&|aO_gs5h1>2d{! z#=tE${%)sY8aTSY7f=W^8vybJgMg^(%1T1kxz(za;#Rp^0pC*~^05otb#zTfF&mSA zt110o4rfx2_5{#p8oL&R9wd=DX-6YF?6T&cn5_owu#riGjUXeIT^{^!q=a zXBd7RDX{35Nqi&vPYXcf0b1~(4(oUy0yjUTP!X5Bcphj|C5J#_v9WA?DL(zsf$KeGAim~fI7%`m6l_tVP}*G+T)j%0*~({OWdnV9OH7T<~)sY9LqJA_Fw)(7qNq1mN)ghEs;f3BuhNOU6VkrsF|N?b7I81X={@H?@ge1KsuQ=dq%e7Y0$Kx z2P*hB(V$PNOUeu|zR4mw{(cx=(FOkecZ->p7EqnfoD*H+BVnX5i5Cv4~S%y z;4on|hw8jUcWvau!=>j~`O)9<#ypQtmleXExT`d_k8wFv%Y$Kjz9)MM(ZV>l6!%EbU2~_@P2`Yav8}1zc-OcsH`_^rxZWg4e!h=Qjdw+U2qQR%##;yl{hWnVR~HuD4`e5;llpx9(sOPd>-(3%tJa9E!9+67_iIq znqq1%UHlzs=R{ZM)4s$M7*kUQ|N02^#YsV2=)Feu7=PR%CK0zdT79R@s6Y^-SpLh4 zVww43U$j^)2E0m2-PW(oTlSoHiMfk?sDQ*U*^OL|CnZcZ62B`c247Wtgb9cL`_@aV z`&q0mxon_z^KnV=f~O{NI~{JcnghGU^|D!HLBoGkr_g%+;qq&?^9}loAr@r`f47>W zpJt?;k|mNQGVlHoIsBQ)O9CPXTOGabf9>4g2ASFeHjC<_YY}bw?~?6*6>k6UpRbgl z*@qFwt+gMr>|-KPgxz0nOn>a4R0&tREnWQCv2!^mp4(1^n?#U@p0_eq%Nv_S=$Hra z=}MjU$-?gS)K>x>ndO%odW9*6*)oAm@pJ(ja+=6_=Z7g0H6zivGOHVbV(W_-#pL%q zs+=iQ+IIy%-!}?<$@sm!K30XU&;*MN<1+u+97P<}{Zn~LYw_eYLZtk=5;l}4#XAJ@ z1!nbD{vgG=>kpd(ygC+KiH8lrhQL?~zOUWAXPqGQ`7#f+6aonPVf6mLUh13gzq6ml zsq5ZOdbz)Y&wq$ZS~Y810g+6ZKjV8PBpbKxVgl)?+CgoaZH$Ne`41q5SZ*|zXCo<^m3Tud`01!_Kkpyn_%=UyQ4V`@oazBOWc~4(rwH4`A!6IvVo*b&mPRJt1 zVjbjS5ueC!2kS&de$Ln^df_B)2(w*8Futxdc&LCg$ISv`_oLe6M09#tjpPM&;pIXk znTrYk{q2ZLlL%>c!F8(_(bXofhI@RcdmI*ml&tyo809<&G*`?5mZ79L+6z?0YBV;c z1Js$|*UE)ixKbyDg72!EKdvLs4rJseU~gRx`fC5m4_#mTD}7xq+iqN`>H2s3czs=R zj)0`LP^zYMz395y-=>I9{E@_y2toT@dsiJx$WEn%O}ta6&a^eUdn4ukpm^$g?UPLI z($9`-23(c#5U1!wy~6LD^+R{i^T4@dHI5l4d(dPa z-qNej^PyDj)S>aLm#?BS`dtOdh*g-SZ)Izy`68@RPLbFVDDv%;*akJj2zQLVNIc!e zh)N3VhxSN}xye*wOjLfI5sQjYkk>*F-9?)%PwaunXP{t$>w9rh`MW%OUsr26UWoh_ zgVg#XM`p=#BBK&NMr#Kk6;dd#k^m#4jqubz1o|Sc2LU9;JJAzmcL16-s+CmwZ=B03 z11J!fc^od6fBsL|-DDfBZC#l{+Y8~8JF27a zk5LT3@X)oh;jE1p6WVnhwHF9ONAZdn1GQg%Rvfa7dSb#!C=xl6k+-`FCgxji(27ls z%P}EiYfg;W3mt(Jp683x8Hg^gx9-S}-f4DATuY&2z;*@Uw1z^JQ`hKXC~&|A`84Fn zc(s?*^>~`PjVP42YyJOlk}>Z_90%6=uhx>Vvu*@WX5_s}{E&J3s8`(NZMJu8 zsJfh=k3~hzD<==q7O+4bkY#fqj$gt~u4TlL%9y_Y@S+$^UmXU~=#}HkkE2e1|Ie z57D;AH=<8~yPh3?1RW#JCsw*k7AO3QgFc@sgLXhSeP*Fln-z4MmUnqCfdzb5`X_)= zdlqi}>2f|@o7D*!8x)33R60=NW?A&}m&i4*UsGoZrMM4a3LVwf{L;|3xmiRF;yvVU zma%D@yJ_-ca(Qwr_K9%Lfv)iybHT{sXy&`0&n#1{U!RNOT*5w$^y(%@tvTee99l2v z37&Eix?0VvGz-g00O$o_>viQR(FW%rOi|N=@@Kr(%C6B!k&&#^7m#UZ_5PMsKxPtL z<*qhGQzo-nb?vQ($0Kcllv3flp4Y$I0FRRE5VOtE#ofGA4@V9N&;Le%m9FbJ&nQ&YwbinMB1q$ zow*-Ib9=<83ge=*un$<5x|DDAy%zR`Wu%BqkCA7_CHZVU}E`LbSd5gMN*}# zL~M&r@3op1w^S~?%VXNBHcG23h)z`TJM~U7inwW*d{5p|_lLb3Z$?=1>Y{S6>D|O` zZlTHoZowG*#E&zg4ROi7UJG$CE^x42oI*2ca5&kj9HO4mp}HT!uv$zfO;^WHXwS{E zz$uvs+sI|Uh`V!fl4qXgyV_IRvj@z%ju<%@+Wo_To-+C7Hvqx4-B+YO@G;*j8_mnJ zooelau69A6ZDRC<*NOs8i_$Hl7ntj``FF2nmvMjw@{GxT+JwFTBDep&K0c7lZV>1R z+r^qvdWreP#vo5oMx_g`>c+UgaKFgYCgWGf#;;6|n>t3?vram>)2=ZpE#wgwY@HM=DW|&R1I9u+}Q-t~li~v8i?Y6i&eLLs@T2T^t z^nEm`ZRw_Cu{s?{Q^gQ@+e6LBnIwvum4x>&GVfK{TBLuaymdo$Z%=}RYD_a`OhpFH z%(DdEO9W1R2BcC8%qRei%`ZRzHD2ogBtgqv0X4>wM^@s<+sk0DN1BW~%zY5}Pv83j zuSCfqtSt4tfp!I#N7Z?2Q6mounJ@9CPkj$wu=@K(NF#vMr?00xgK$B9{bsSxNngYz zW`Ry<>!bNuoEvVGIS@8+Ha*dNgyf8lHL=UQc4qFzK8UhevQD2(=-f0QwO76q<^H## zM|9YGyy^|(wjIRBcz+$@<7lq9&Dq1^X|iuRcW62Y=&_xxBm;`$)~O_~*>Jr|X+R@u zDf_^`eGt&>U5ShFwUViaU#CU|OA-T+yRIYwSfb?AMKS*+u{7Xq)(pCr`^>HY@@{AmsXM+uj|t~T11?tsw$pq{ z-m6$ zP%Xdphafx;@J~Cxn!f?Ua{+VbKuzWOelf)F8xE)>qRvmtue@D>ZvNFTN8R$HYccQi zYYfz&r~j&_C^sDT+O_3uww$SItwO-v8&Jj;U4{EN0^_K@g}9kj=?Rmqw+5TtijE#t z=}!$1ufwcTv@4cKZSIT#Qa3v*_#jwobh*>kndBwapWFJR_9aBpSGZxZYq?HOb0^P) zw`G7bshHT$HuAKc%k3TXxHk(g61ck!#3&BF88m$Z%B|`#th@q~&EB=HHJ@#M1Nz1j zpBd1=hB^+6>3;j4W9!S?Alit3;9fYPW9{@gA;R))JVbN%hw;mA+@NERgPkly@80mq zx93r6*w@-sX`e5MpAb@VJc$n%!-n`}BsLUC1J|Z)i-b=5T@Pc;u*dxhTxcLt-lF9a zS}#C|`bgYC+*Y;jQ++_alhyNZlp4Z0CTt!4up8Ostf^RRo_5|lB<}Zc{Ud3TC#GGk zgAU!<=YpRnfwnAprSAx^LzgDqU?8mf`TEw!$aa%OlwcXbvZ z)^gt80xma9Df$a$pD!ffmA`hwHu%)QH!{G#gGoQ#IcTh z=aB$T*wN(P=ZaTLeSkc(DmcX-*KfWZ7=^BR+)XDXH)rbEh?-5yy252Sl>zX&6eFg+ ztHYK{0|T~O*N+n`9soW>5k1)}&x(z8^j#?wYqImy=t+h?m;(Vld5^^?nu{LbH4S*Y zmn+}Swd~(d->^aaW%I(s4dww(bLASY+3s?=7IXR43qaIO7(OKaeE`&RVHOO)X0_@Y zw{8>BT4NcdpO_QhwdUVC0~#lFm5kvC`yFbEgOmVVisbD?xXsEvMNuV}_FLTccRxlw z8lJuW$iOV#&z`5|SEmz=UB75a-oMt0Z$7$y{@^w0)6w}w%MO0v#_{M%*S12n z-IUdEy=rE~E&P%anz+iuu%yaSWgzvlT>n4Bz4tqtf#3HXdlnt2s;%}Y+A3ldHH%hl z4K0dVwG&&-*4|aSimE+o#@>S1YVSQ_hakC6-|M>W<9^0(&kxT(Acq`h-sfk$->(mO zbFFuXy3vD8@XP4f4?#WcsZZeN+7@3!xwnqugx_*`9z2iMc<-8AaoEej7^@I++~b(T zM6JyPdBRyZmW)}XjRroBh2cmb_jwc1a{9Pmo$V;UeL0b+ioX6E`|@o1d(FlHP~sSr zQ?!?zx1vaDv{W|@QCN5C#5D@VF#lw)@t1M&8o^BWBTP06COcBzaziid@;Bx6xaqa7 zc+AF?mG8RMGnsy$B8IY(o7Y@f8WH8$fBgQ$URdBOEhAVImyTH$Zil}9fuLR{_v%zPlYZ+0~QorxDVq2AYti6i@LFe80X&i?O-(65! z-gN2Nuv6%r^}qe%a7Pr0^rn1zO)Zc%*(y60xEe3L<8Suye^>y%e;M;Zte(T+kTLHi z3e!!lFxX}aQ52(#E=;YWXUM0S^X|~2+Sl_L(q57=bEiNJ5cfAcd0sd3de=$|-{Zde z#VWV#6o~L@9(6r0FPWqY?c|3HgKmQ!%d9XUzw>Tu<1LRj`4taJjVCl^`sUpQ?Gjsv zRq9Y$+&5p{BD*k!1G{0C#XqX!_$vZtulxNj9dX6x&+={^R8rRYHSJmoOQ|U0n)V;k zApX@Vl_XMCw`dYCC!#9?ZDrD&*Hf(AQL4R>5d#?w|EVuBFY7XGn~oAoT^Fx#SU`p3 zH36~r+SbXOj+}ehRJMTnH3vk;_o2;uGfe|qZwN`z{LM%FjH14KlfK0l9=QDl`!wXY z1e9PUw9l2oGILhQAG9n~kRWz?ou8n;@;|+QrQqilj`<70?#XEaX5Or4P9)@Xsyw$c zdK8soT=itL)M`Pt72F4Btm*0b;!h5eFss3< zh#cAaxKQD>jvTEY7#>FH*c4H+c18)ZnV+LP-|`Zhitb5Byj26=>VxqyHX+nZ=O6cV z`a?Sz)Frh(3#FAMFs8iV6gXBVK(6TONl3;z^YW)d+`jt4hVRZlv&qqz7U@W?=hC_l zR6({<(*8c>fotEns|g&f^jIObU!Up#?Zng~$M~Ke>wG45EAyEatWQUh-v@>Ebv(|d z_Oae?G4hAv))%f)*K>gs$6AqBD-rz@YOjCo4;E!ClqQSz?2FEQM^op=4kO>e#ziJG zZ{*-L-T74J^;B1j7Rx=UKL2@Fdz|XQD!T}e_C3iNFkZk+bWPNTd4MxgVLZY%w0DQi@$hoz z%bo5X-xM+PuwIdmV&PP@tdKn*KjMoq#I&HU22oFNXA9VwG=~S+xrOU@;(GVHq=9je zaP{w{Clvqc#f;w*NTqvj7mO1A%>@O_18+jtHN0rQ6J@_DfG(!7= zY6+t8b=g{ErCJwDU11at$>qS1t=Y*gn#U;{P#$zUV3KJ;h00znMcPNfB9G^t!i{Iy z+3RCC0&l{JW}akVA)|+_=9_LMF6ryQZq-yWx(4(Uw}HFLEQ#$yYF_>od4(07H(rWeEo`Z+2>}wB&4F_|>lP}H>gMM;s#d2sc zV>^N+dbEXVc{hd&z_YZAW{+RnD4!%dA8wea2;K3>s-U{mIja%Fv=<6MwwAY7O?(UT zrPE&)3{{O>sslFNvbRqXX^A_Mx>VZrA*nwymWOLGIb zArOmvEe~r}o3T61^M?I&{6O(MD?gD+($T&fIF$A9D0{8lE-Vjp=-u;R2z!z*JLe7H zQMRj_bd?L+9AF4z$bOE4%7)}9!|v%w`^r@GPkxle6SfLf1N+e#XFwc_7d9mL$6OZ~3FHZdvT%V0_@t zFRdFRVcoWF>9iFJqgwZB{-&~h#ucVPejSQCU=ixZamXHVFhY0`5lU`(yJPN}g373| zdQW1;&!P-jemkQc^`q(ay4PG*l-1Kw7Ks)yTXDePCQXF^<^f+}5>D33uvqM4O~YwV>aqP(KeO@2uW`k-Ljf-fTOu<3inIo=xW*(n)rlZ6Pf%aKI+j}k;uVSel4<3{J z+_p0Oe=n=h0qh2M6rNY- zdzEMYFIP4cpT?0n%%KvI1f(Gtx}b3W^QKj@!K?0}e+z(W;3{G3VwqC~4Zx#14+cDq z($*0sd5$J1(wiPp3PMFQ_MQ*shsNTQTJN?S1ava22i&woNLs10#$c)p*S(Q1{f`oj zC!-U^YDAw_{`bV!EP;p$+96eHxqcf(zK2)1s`Bt74{QBu>qDY&&W`ZK$b*EdK7v-F zd`@b=K9bTgF8g1~T!zYjm3g(84g1*MpGYM~XF}HQF25G4=sWtlayy#peINJkj;*2O zbwQwLRL{5KpQh=UQ^)wc*9n^Zjm>ZQ;zP)EY~DYJbA2z%oKax{eWSdQeIRzvKNWm9 z7F?cAp(C>aWjbOP1IMaUwFSmyLeCQbUCGnjc+smqwOXUfq||(M6l1upmEr0Hd%+Bt zgEb@4=Ry)EZgyqHm95HuW+DO4{5yXNF2iExCtuH3WU(vhoq(&~*M0$}+z(Dtj3g2omn4J_>AlCG`!grghcePexI#>|CY7=(-q#^p-7$~OY|H!nc z+#F%Qbnx$!(^JhQdC7bm@s-pYE-?Mfdfp6IzndcibQIEz{1}iL!B`A4W)OInts5de z^+@_vjTkCkS0kWvJCMn%DKUVo9rsbbJ_%I}`Otx(w?3G4QjmxOw?Y$*sl+nK?tu)IP7$Ec~~ENSJCn3$Oc+-4&Zo40BGt|@j9{wxJnI` z8|i9`Y`|kT?EkcM46dLV@@hV0${6%d#;p7}?n8yZff-RH>EY{W&$k<`gO>qLXl&c& z2_7>oZdn-nQ)(}oER;K2BDg3NtS?d<3>$$JBDzX^!#cG*X`I1w*ib3(YRdLgTg zoqioAktkOef(!=3h~}^~L$`vh|EX_R1cqdy_a~iw|47%K2Hz&PE{SwE;DK`1vOWJz zxlR#3Pkp%59k1}fS*S$gvj(qlI@W)4+Pa$&_F|2rK_mHP)X|bn4kKW$<=gQ8+m`A) zlAtvQm#;@ z0U< zV>AOn2$qvY&o-d<)`=|_mKbL3{hKIDiRM01ykTnK$4v%du5qHzzG7|z;bqwk z??5K_%FT^g?Text3((UA>xOyF!pHkh$E&Yzt}xC-HBFW}0&Y`-;G1m;t)5A9gnukF z5&cRs8qV#dcci%M6C8TL2n4+5mfk%eWjg@|Hu-p1WjeEjncCpchsH&0DBbH|rI7$P zDDs8tfwu9T(qVYt(a(Luy~a^5THzjraN)j+dHux0#(jeX?;N}WuZ^cR`|rHPL~rjg zD*nR_8gweUg5FeukL~oDeVd#pD3oK+dr052N+!8r@zxkeqKqho>tY+2D_Ur+A(Vu7 zp{XR&_Q?r^S>nZlD4lDJe2qutUCrm&#&X+IIam9b|!wZL<5-|^jWW*~>e*R=i{J5&Dzc#16?Q`|f!%2Ga z%fa+FetLX+D=E@rp?PQNh?2G{gMCW`Sj?&ynBF!Ge<$gMhAH`F;3|9YHPPJHSq~BE zosL3s01FC(dRf^=nS1N2U02(vMl%waW*raM-{R&Mr-A!pAsqY^9orA)WM zPt&GxmuPYHOPm7QtO2xjw=zxdSIO>r)245I$|#w6s)d*A2(Hh=5arjumP)$C3BWG$|5Lf)zzQX9S9;h5975b>i+%$io-Tk8sc0wNvxqY)@= z8!@&nfda?LVXCF{lyr{pi2RG^D z?!RQsz|#v%lUb(BIDh_3?qin5teht<7|KjT&D!Q46-{aJl&x%xMi9TF(sI!8dcx7| zgB|x9DvVlHdK%u!fSwT5xcRuvT2M&vO3dB(%V~Y*ICzDZevE0_tDiVHHrCLXEZ5b5j>%v zSVF_(+BOy(8G#r8W-vLv8RRkkJ;+4peW-50XZ@jMekpJ0JM0xB|C!Y;aPqp<9hSkk zZ_FiA;RZVq^zuV%TGB8`@7ZWI%(iH`QU-^gNsA`o0f(8MkX>bBNBy=zp9&ahGIlt%ltlx*I1H!@Sr;ZI+t|f-ymbB@GpP>s-5X8Ugg~4(;_};eHHD==YQ-JP`^IPwI z=PBYo!ONrTjfR=a5rHGDjrw0GKK=s{I{#nPukIwrA748bmY7`~LGCX<7>X?XC5oPq>>ijB|K@9T`NPmv z_b<`DD0F>rwnB9U=%0_rX2y1g^)4T}x`}F`s>u4#Z&PFtK4YzhU_OsiJ>4mSfGp-6(A&e`I14FpMI;sUBQR_55140$i}_TeiE`}DQUX!sjwFpPfjn{$ikv5ee-9d{?= zP*JgD1~7qlr0fELsqk*A(P&&`*VFD*+?jNj$RN^dNeWz+3DcClKG78P|ETxVNHryz zpXI_~M>Qp+=KR?Y`joVYK>_`-I zX_iECm3QFv7s` zvM&mcBUo9`XTyNh>cd1()8Q8o4V3RVY9n=_=62Q(^e0p%UDhctihKmU%Rs!mdU;Q! zwXG$B8|tx0Mhy!g@W#VC`qN=+3V$Sfl1-hyWy86`V$RhgrPLXX5^|ScwXh2KV!5>W z5g0QQ4&oC=@Je+Mn6)X0;k%cAACh`^G2nPR#qp0e(CJCR4O8B(UG)Fdpx}DPGEW=p zu|(gvsg&Lgxce)Jgs(BTS#Ke&44ldirHl{=&7+^@%x-yM^D( zYW`^`fV#P&SCcYuB_zx(-cN4oyr#}&W7eE26zs7ql$zVpobySce-W-ER!u=l!lQpD ztN00piqGWqEd}Gq)Wd#4ZJV@zepC4N^GE9B+MRz-WeN1$k!5lQ(y&djGm6y!|2MOD zW2|B>TW`?%RB}A8<`R`a{uhHgch;{~FPXzPUiq)Ne2eH4CGI1jV;}YF@aZ-vz*MG| zb61aAz45qO1B$NXtumh3>jV-R96yEk)+C9EDcTb!MiCJym{g^4-J3$vVO)($I8D2Q zY_yxWzkfePK~&)R-+wfbKFSBCuEGlQUr$_cDaD*PWvPn$GiNNvexvk_%`k}LncxoA zqT!u|Z#&MNIgx@u-Rf3quVJUu0^D-|VO)*dz^*q_|3>U&4>kVtPJ*`BR&Fmbx4N+X z_3pypb2R-4F9E~~PqYqTo(d3AIj!m%S*${bSLE6q;Iwo9VV)0xVuqZ1ffv=YC zatUKx05U~9MltUs!7(QtzWOLV;y@{iX83L!3)4unO?3P;?M3N9Km*h2%BUWZp5_Jg zi2cK(gv2+@gA8_z033yga^gacSDGY}w}A=F@ccLPVRbvE(hWdsKqS~4+J?I6j)13p zjG}ye`hq874Zj0%p}pBYY&J;KBX9*&L(pja2{~eq@z$*UpK>9a^L>xcL`V|_J=J~I zR^27Ozda%(Tv_QSInujBlM?V2`2`ykL~BHBW1^hZs(sOF;>oMh^f+F?huWZ!Ftn&$ z25)(wJ_B5UcXHk`sHc(3q*jL9%Fk@t>UOWTXAA6ZfcCmL(A>H}J(yM0%OZ%nHEaNy z;Byt49vt%+zG;=sdY?&RE@+@{eMYQ29?&4AwPg8wlZ2<3KUMAtb)5yi!H#*wY=p?0 z7K#8i7NjGzZOH0YNe=egrX>m$j_*D)c%z35zkziY?l4l&j$Lc>T9-xauz#P8V7>*i zd6PC0r^$eqFa6w`jq)n)W#&(AB!F@wrPUeliVu}$_S8gDSBy+3wit+7CzCZM036#{ z^8gi%iCUrRkGwUPQM;lhc_liRt^d0h9??T|(C?vi78>)W-GAEy-F%zu&jI1$Mf3e*#j9vFVoz0tQp=%~h3^%_ij>(yt1L!yUxSIZJa z38R^=&z>zAcQ=#-2dJcrLPQ9wjveeqCW1IyLeU5|YE9r<#xQRt44jwuw7gIt1PxxI zD&ES3c4=5sZ!zK%QXaliMQ{qC4E-4^dE~$sT{aO!ygF~-4JxDgaPd%$=LDy~&M(92 zkMoBKuU}5QXCodO&ZxNt@lNH?zbG7{-*IUm;=3;}MYz;N4Yrh)(P&~*#X_XXac=lS&ai~Sn$N`3T4Ct3904!UoFKK{mC&pnDdubY|M zpP2I~aVxfUlSAHCdS49(T{kCdcz()rXkM4jGkHy{58Tk4@WER&*9qr%*F8ah_;b0@K^5a z7g!jOn#z!f$3NxDysqSrg0Y}CVlF697F}6$h>-d015YYp{EkuN0Inibr1rVqcWx_P zl()?c`w}0<59a5x;6fz;=c#M1L*CjmyJzS=EF!#!#WP^g-mBO%cuJ$?gBRB*{42^v z;nvM!v3eeVPx>FlDAC?+@j5OByudyJUmik>kONqjlPA}#tON|^t!u#f#N2Sxu+||O~ zR$NZ+mh=H%2h49YoN##JJSkLovE`;0Na|e~nr~cQtQd3n}_m093DHWOjTp zz5CNy47F29uYJJBn4*X9J`3)7%3nP-Kkn4tGb2;UmR-CzMJCp>Hk;)@%oJxD!nL{e zbdjzNc`aL(MK)l_@^#5ne=~4uThHym^s}+;H!OSB6Chu?$HXT7HPt^r6y6pL0LmUo zBFY-sOU1GcQmeioOC<0ByWzb?_lDL{?_m8W_*&U^%C!8Ul_gdZElcQb(D-+u*Kc+TRADiDe21}!R1!J57&(70|0{oX>xnaay7N!;_|x}) zY$9G%4zwtw$IMexA7(IGPkg9?#Jw{dM_61;wJqxX~2M z9wz2)QTg=VbwY9}@KdXwO$pgrJSz`SQ)0WX%2!#wO*Y}MuL4{Y+~bpc=~y9PMWcs1 z?`EN9nX~HNfdq41I!G`pbE!NgG+3mv>y`fxZ4s-J^KJ|k*CqeTx1@pLdb^$ph zpMwceOz)^3YN4g2>+46s1G3LAQe8*wtG__`k>!};iGqA%-EGjT~o%M3NAw*o#2!Uazw zBdr3sky>!SL8B}oiKktiOg@#X=9bL zxK7=Z^q*w$KkJeUMvHLPyx(tKnoab8*2U)68@n%Q@cC-KzZWp; zml5Hf1mIx9L+qhY2NXf<7D?I5>iu;kmoPe*V>S|B?U>x>@f291&~tx{u`kJEpLk~< zJQrSxeRPYAN#t|Ho4gJDU|BGk`FR3art7^X-zFEBij)cIMqjYL=SgVus!gT15d0*8 zBKpepn`rau-DqF9$^+JUx0&b?gvrC+sSg#j)TMed8sZ!*$1+`NpS7Dc$lBC1qE!Q> zq*645vVqmG)w^7PUnF*ZPp)YE;8D8Qe%)N3vdvo3uR(&2l}6D(;t~2>V2xqHXdu4% z@w5pqIF9ncMQuvWqnEwSx=sWU+?n3a=vW(?5>$EUyz>X|B&%QkX5QLs9I(P|4WU%x zC(teiE7$qkCdLE``<*gh5P07xefex>eq;x@o85)!9ayRpU;XboYTAgErE9uN^BQmS z&aSy=pV=&!{C+=3-S09w+Zp^EPm1dQUOcsRbx>3&k(7PTtoQ`Y$2+7uZJKbL{O7Bk zWPHL*SZ4o*DCOQ%gNI|y_qL=DJs^|nUvAW!S`k7nex~=zMs|(Xp2rtET)C?IR9+$gQm+n{oUZ`W@2@hxE)= zjnb-t+V$bFq$nXBBR{|QT0`s7;%(rFw!(!_c_-&3hdF>y!cdlKfXFI;dpi&)4dT~Q zCYJj6$$ocJTd+ccwD3C!zPmJm*;}`3(1IoAloU^F*+eaOHtJVKv_X2?>RrF76FB@MKNi z>`~6}g z_~7cj9Im48k9#u@nhWI#gQ+-iU$F6);k?c zu8zE=KaN9O8snOtRtuf?F-3$_=L^>4o-XuB?eR^Qe*)GbAMJnt$DAomXPwDdo!6Kp zZTE^ocuk%oh^bFO=|{W7XC~(;ZtoYIOk@PpE<&;}Rga7(6Sve5MPzNen|y_Ps9^Y(u2eC{3C?|lT(8uB0{mMNX6coKeh5I1X|na zUlTx@phx&+Uz?oe2I-^~Ac4!4rOn0maL$-DU*w*Tsv*;^0uzd+c=W#-unb$ftOW)$ zK0L;4$QPdwkjnMh;Q{&Pd$UeC4Y=mnMOT{DPxDIo&i_oH3UEKy@+QWmLW=2Q3`TZc~x_%X!3Z9%t5f?Q^?D(=Z?Cvnq(Ck+Qg})&S4I zNUjIk3k@%}V0bOPKVy{u_;AT3#8{J4V`|_2wO5dzt`GI+7IE^HDpV|G9=c}x>pbt$ z{~;9a-`<7v2>=xACcrebr=9-F#DXzhiSD(=me+pb1w@Y?MXAGW5i%_RjtF)6P_4VH6rC^oD0yo=r5h48{Wv{}c7-};;n5;v@kWlE?9RGde$>Sx2Whq&lqUICc7;SxXm`HQT`;Zu zZQ`m6al8T$j-a55+CoASg_A)q%}ZJ= zGTht~d2#uc?>h8f`#Jv~jZ$SL;^Sl};A=j6SY^#7`i6S&Rz$PW<3*pZcF#7W!-M@G zn_eRyE~x#^+vk>;jpA&3bu8vn``|DqoB~oGLSrTP1SvfSE;_6bC=y&tLJ5x8OTUY= ziY)K&E;LF*!R9{G=NY34llfVtL0#4$OyUp$|#VNauMu=Oo~-d%2m@;%Lrq4XS{% zpKuOjM}QNKdjt`~^i7+gHs1yl^k2f>CVj=iuKM!8GHJ{?< zw8bW|Qs`ChJ+^qFDk7b!x16Hsw*Spo1YB7W(cQ2I52vn=?+DN{V}8azJiMPOw6Ut9 z{=Gg{UYObGVo*na%ThW=_NpyL)F!alW-BJ7hp6iRg|XNals+C}%SPY?_Ya~hql6(^ ztmHy$Kdus0%F?*-1RhiYISqsN8^aF3U7<&{g^TSj*0!$;*^7fJ+MW;$p4Tvj4W;ahBx)`C zxqq=p?61>YM9J)|>NvAp^mc<`Q4?@4%Igl50tRPnK`LjtDE~>62R!E(vgu9Qf$rdz zDQ7ge>2!?o@Aq%tbyOu*^*+b{a%S_oj2cC57uDA~*fcA$0nA7Whw7}QbZ|-tK^=Xw zYuL<7E1D|&L!s3B_g$#@YFtzPK7Cc4;54^^cQ_(^C#tSFnVINgKq^NmCH>Seer~TZWl4#*aUTeax)!6f!*~F8(#?d&aZcPDpJCNZ*9- zbZ??%x`xg>YlO89cbGT(gRHrBKiY^NlBDg=oS6fjL1L9gbYdE)EwN z>6afbUQxD~;SYO6pbO$;u!qqe{(_+OIM97N58K@#@tKbn;Ne=3Svr~HOzGOCEyQr4 zWc!=m)9mMt?4FQ!eQ*%IJ3bB4AXZ7MlIL#UBcA++EGfDUJacFw?SCKNUScijeoUiP zRb&CyGgh`K8&3;rv^>tA@Q!}gDq_@9`8$vx0o`xWhyRrjV9!u`^tg~vIB~{^I&pxm z;@XRTz5s)8RCjrRIS2Q7IKVPZI{n@kF#(HB%OXd}B?fkVSOLrIBY$!&*=yHf2j$<;-`jVHeNS}5`|Vd8_)VXjJpl3_ z$pKmZncky`7HPESZx%KfDw=g#`L?wd1X$314 z7GFD8dK3>#n~AV+6LzKIrN!>ZR1qM-hHKZIdJPILx53*x;yu!R=bD*)=pujt!-1U_HJe?`}~iK{KSC+Kbz*3an$u}rN-4f19U`sbs4TBs_9Ga z4`@oShSEtoRxAYy^PgHI=@*s6s$ZR3KP3$vD{ht)C~TR_to_7d#8$&32M(0x0#p9G zpH^-(n3OM1mWsSyVRa58c*x z=w3>zVS_-Snhz=nGMweyDM4Rr1X+fOD_7EE(%3{v#T=jR0QYSEGa|0C8g@pEC0c1^ z$l0Z4@ z64Y&r5*p!ah-mY&L|(A`5;EUMt$y@kV>YNDa`c*6d03xofXJ%EIL;bbJFNBVwDMeIv}UTLfU*&3a(B@^`VGVQ>9V(D$8JN^N|9~2h;o!`Kv95h8G)Oc3b*wUM8Jfi)hxDrv5ZxpdTiuDfQ;gpVTC&BqbfK z5obnS16#vBfr-eIX*4?ZLrRm@3ydLIM|=jF#XrXxFHZ!AZbCQC;d`@&4}pPc!A8bR zz%y@xP;dQnUt}W*&!e~am3nv(qnEhLd2~~xS6fl%pMsjla;yL8o7xPd1PD4Ra~;>8 zu3ww}jkgj2mt?}ShYYg%fFl}eX5Tlyc?v14J$<+$@pJ*%MY_D@wEOfe(h#`$)p}NC zw^?Vivl0hRz1BipZUO?MED@#S@T%cklTP(}H88ruG9x8cUbf7<<@LNOX!SqQ09~=O zJtiyK)pW#VycMffOUXF$^e$R+#NsIdKS@1tmkW1XfV)724>?X$XD*Ns%5=rPS2Edz^9h-dB&YB-pMq zk@_it-mzY&Q^VCSZs~%;WO*5Wl^4VWjg%2=mc=C%k3%WDi0-WfiW)Nqp(T(oO_D);DiQ6q zb}F-e)->wdCCFQYc!z^O&Q0iPkXc`g#o?=&iH+dwq&c)Y)-Y7nc4#BP}DHY-To z4zmjXg+tD#_#<=^wwkea52n6+DPpV3+9i(=z`OV1b3p6uhb`~L9}waxO?44zE4JV% zewM$jh|g*FMWC%LhrK7yu7aGDO@KY@u>cv57!IR*^vq35(<2k&urTYjfPxJc|0!+C z-ImTr?#W!c)2^(^vzyYCKgcL~-(+9};5(lT7^V1uO4Q`;yruxNr34C3isL&J-D#yi z0CN&ndXA9e6^^Fu^~XEatW543uxTGE;o;YX2q)E|J{KQ>;wFVYutRpxtoBpn1&l8! zXSfb>$-1T`4oo4TUjd^_EEcAsJ;P~+B?;rC-AVQSHf57YrFEw~y7)rLv=2Aqpj9qO-F z=^mY4u?Z?2j{ZbHvkb0tFnD)AAfXLs)`(j|Ff_{Ub^Wzshurq5A)&y#dq_-iF>&l% z0+sD*{Du}JMcH65n04~5=v!4sjQp9E%e1mFYZpdBr=%e7{WTZ?5HvPz^TPAN^S(Ol z&fl~6+DJQMpF9yRyy8PsN-M*-ZcIAKv3%$qx1o6T{4Tqo zEMy7xD3kYyC1ir*V{AM+N~JQ7LH!MB~+ciEXc*!2qk)YvM%ug@L$qnPNqk(xDUa9bEBqSa{SnS1wl4tyzuailui zRlI?!d^o!5h?bx*L*WWhVtJypR8J`E`(&W+0_?GdS#d+4-KKxmFs^WWNV7x4OVXET zjqG0Y2mXrT;`;$|$Sn5uFt1Eu`;vuaK->9@g)XyiAa$Z3fwL-#r8 z!iyrkm8#{Br(dC@kY3uFj}vx29=!!OMe5(zgFEyq;AXz|{-nDa%GEfJ z`mo&bwLo3ADE1vcTJ)m!3I0nnGnz0Qifvh%IeKbFdys3WRq#tCq5c+bpdcJgxIxNf zKRzDyXH|jM?=WGA?Yu?d#ar$qLM98Q3v=~%7fN$+!G@pqW~DV$M$xmAllb&X8#|lCt#Q%GcKKU# zWk^X?=xS9xRlz)0$mBr&p1SY9BSL$-t1Jm!!~^r^F>T}~H2yTwc7@5&)TG|L*lF9+ zM|btsN4~wYV`(L**9#VwV-+j=)@v626&mP6+;<#(j~#-2A3Dk23=+6IuW`)!b@Dw{ z{kQv9s6=_GK&ETVN0%c(OgptKyjnxHgMqp05TVAruWlgnjb!CCDDj0sxys0%@FZ<= z+~wP*bm3nVJzv;uWzfhLtFhcs~& zGm2p5l8X9-ATNGu=~#Bd2w~;ACYo67?O6AXMB2mqwoNZc?e~dh3r~Z2IQ6PI6}~CL z9cCAfcX%H4V&x)kFA3_@xa}QcR{Zkjr4&NeOpdf;ObK?L0&2z~PF==2t$MI=%{v3# z@oh`K#U9+NX<2yuFv3faQ;PYSt&Dg106m2X#UkgD5sSD(+7J8WJ&4zZf_&VuUrPCr z(VC3^=LJiz#^D_0eD@k`l?zkVrEE?7C8Pm8?XWbqeLBDIRq9?YI2ezH7S*@={N(Xw z$fb>IaN0`=(^ver*ZQJG5#IWu=^7sM>U=o^34trG@$^Bw_7e3PjLjpT-f8`gWLILN zLXy{_Y4tnWlUP2KkyG*09$$fs^^OL~+~N9WQidN6uuByPA$3$D>)ru#9_@QD35)k< zd-^EPAo60Fv3>f3qBeKjH9CJI9-cpXdG^sfIHvWJvG>RIZdltBzh^p*O5Z=0Gv3Dk zaq(;iMRc3`1vT%|v?^?GS9LxIk;9ges?>-*^N__a$WeiR{YoF@4zWEC0gz zeIh&gJ}Wa$?q#=?zuL5+nqkmI3Y(Zts&hNjm!6vOwg>rquPw8_LhW=0qZ@9M{<(W1r|Yl6m8K%P!W|X7>OdE`6Nut@-VJ7y+N&B}pS~S% z>^<;w@>fAwv4^Rt>8Onpa@1`k?4d4Y0?sS~_3~Rd%jy|8bp)*l4_)!m61q_~xaRU( zA7pZLgIc5Uq~G|ZaiYlk9F~%U=C?DWpNyA(Z7Tl{3&05L=*-fS%Xr*_<393Bedph2 z(G|h4<;UXFiT+$Xi|G4cY(*F$ho%WzfbBiVk-igcc(|A?PGYM0`rAeaefshpRV}g& z()|QNsS_}#HYH|=ZJGOZcl7rTs5J9=PgER%7v}h?Jmn-|J15F4nkQ*FHdNAl1bk1& zB_`S~$EHGA_+g)SV!X`wS5+Z0A5zKXwQ4})hyaaqEnyczpdl z?g#aUXz-B==0z;^q;9Y-ysuhc0Fx{YwIX7w?tSF=`ut~_Nco>v9K$5OcIO8p)-&*z zPJhl0i9}gqT$b^kN3qDt_^1wThWmtx$IuyUg?j0g29e0IU=Kp?_HuHYP9Ufm;=G=+ zkSm$A&^eP?e5x)GxZ5dl( zR?j%34l2*<>!CQU8jkHIOXtduT8MuNqs5rNv4Q2*TZw#b?(A$;=U75@$G5<5%Qs}Y z>FL7sFdytNZ`h+-+a*5__1VEpA^O-qlXy+Qk>vYQrE^!FYuPKSz44>TiKh^fx!PtI z+!7lXztW38OHT{E-T-g(hRONUNz+Wd=20-r{#fa$g$X2nV2}()!8UxL%}2iv^Hv?W zC_-Dl1Z1(uOAuEGD{ZA8m!$r|Z(*zQE1v7spDIkm)q})66EAPBr5~#}eXQRPFkJcj zbEgmNsXM3tc>JV%_Do3ju*kjDrpf)rY9@_uGQ|+odCleg|6=UT!=e7y|M5bW5{4|< z#x6;;*qIT-SVG8Bma(LgEo2{qkg<-Ptl5%vkWk4w_Oi>G7-W|jOEcE*%llmCe9rfC z-skuI{nK@|T#b1>pZDv&AIp8;rIt=ncE395m?$2QwyiW zjkpVD4^n_XstpQL>O3D%_Vnu$Ci*)3lf#2^RP z;ReKB(~s#=HmZK$;zqqjv`O^i&@&Ssj3UvUPb~Wwp*3PG%0Hc-I6gf7=>hRMZiy6E zQky&Se7)5OgO305kp4aK5QI3;7cKLR`Ed19UnEQkzm=Ii>g)5Ck`U`pa{}%`9rhf! zLc(`qArP*&ay1~D?J=iz-$w&ED4GOPoF$3RfAZ3z$O8K<6#V0-|L-p=ozzN>-6x{n^8pvgiZMou%82*ADZAeD zr`4Z$FXHWdcH4*6fUq%%vFm^MDn!w~O5PIMMcdZu@PPgf&(4FTo81wMBKTzfM_C{a zBvpMl?vGqUcN&P%OXSs+e64ioyg+S75$aHm=sReFBp361 zPWbW*{@I@Yj;s(SUrWkbB>YY9?(*%y23$CuL-qJ#l|wHt*S@>Ta;l`L3Olza-4Szp zpANoPWUMq+($h&U37oZ4^>8h}A}ZG`Ro}`sajE}+==TsLnQ;B>YSdG18bhD9?hLt5 z*0Us0tKYeFkIpsTRX2;FW6lYs2|*T@m@WIJwbK+?)VFL=hm~LT$!Bb#vRMQ{G@pfi znJzN*WFh#4y>Rr^I1j=~-~T1y*f<;duGbMAE{D9+x9YR2d5=^14<#)_95YkOk0sN6 zN{NNAOT=+IOd+c$Y4kFq{4e8=^RbH05Vc5P5L3lb$@>W({u`B(tc>Pl>;9fIWSU*S zx$Wc}{#T-x$*gw&lD)ugWi; z=*%x2;WVvI$=_1ttdTYt^{w#_#Bw%ecv(Q>zVVH0 z-TN?e-YdqvI#1jTM5#)S6t9r89-FiN;n))4&;Gm9_vG6N^`;FaKTvW_n?5+lD8P2o zYbKoN?=;c&HJHO&@t>IS;)jz98;z%M(W@e+rEzca^80{j6%c?9BhmCRwI+h7p9eGS z?-O8DTiS>{OsUo_4Bh%f1RZcl`%04W0a=;-Na_@OoJ~;3 z8SAYzpNESf$zL%OW(IntVM|p+V|U+Qo%NAdqx?3T|H6?3h(df>l%T`ly>3lzlAyifeOzM$Pm2x=F?wqc2 z{yhBRbYNtw_qju+q%r;>T>+~i@?}OL1I^|`4!XI|=TT3;TJV`x#mL}pHeQ&6n=QKw z@Ita0*-8@X75MRPjr{goZ8ddGM;i{iP1RsYx12{|#uZTlcTV3WAP~l_@}hzv?uMB7 zu}!H-cA&ue_m-1(xA~4jF9PEd2VUS0xFFiP@8q4B2a2zaL^AL(AR)h=@c(Ld3_J1P zZ!+2CW_}O+{3kqplC4Kc9`{6$n2slJ@v%%^m{~#9}j6b;@nSN>da8m}gL(iYS;qcLmzgc!NtB7km2u;I}oxvQ} zgWZ)0$~=Y*{dMk=j^{2+ah??%P@o_vnxcI$opz6v9yi5je|eZiGEBl>ZGRS1DMInE z3daWKAuTA>YocjiRI6c?c5+k8cMOc*$Lk5t2b~o7j2os}hchLr&8Nf=S=0`(O1z%1 zy(H2*p~iK)50BwI@n9Kya-usGeNeu z@=}X>**D*iWLU(E-lm@H(WlS4vPv7UaBo_P;V3ayzrCu;efn1j}OOXZNx-=(En8CHN zixZa@I8nD-7%j=}n9*>4pKW1_%OFNXz=ST(T+|P|Nd?oKhdVE{TJd+o_G86If!oH5 zBpXR_=PygjzqN8qFH<6xt8cOh-9hu0^%(Cxs5KJcRkQ7t?2_4!2SZnFDx$-|PgHKt zc0P`NEgyCJwl8sEN7!Db9EE_XrTGBDW|nvA_XiR3fhqi%y_)Bc!F{Wtv{P49O&rwC z=-`iZQK8iFLB7P0uuQ5kF%ZTv!gsmXqDveX+Kk&qNQIBPFJ*bZovYI+*!cjJf+^`m z)&_jvZQrClo%}XhmJHnF1~2*F4OXN%hA~PZ8LNJ!e!IoH+4F?_%jj~=zf$`c6~Bav zU+`07k!$Ch*Ahmn`M~USk4{6884QHt4J^|0-X@%>l@Gl&f3wRn?iGmv{oAG<@qCjA zRxlPWxh;Ud!GL=H?c=<>B<`sR+dPf6Jx*nPt=j<3ldPGrv)vTJL&29tgwoj@sMj() z9@RkM!s0?sQUwNt?GM{dguI;REcgx??PV#q<_`G!6iK={5anI9B)j&TT0r^_0M6s6 zKr3-5AW>mKoCsL)`xwXGcx6litEr!v>kR!|Aw?Kq&~QZ27{hNU2{^Dos?y)J0{c1L zo}U4rW$M0Ym4qEC=CD8U-VT~(lw(h#{i9W3KzA~1mV2rCYU_bm_MP`vx`BZI0efXzC7F+vy=mzDLwzi9(z>BRb{_ThK!rAldB*ilB-{rvh*r9i zQ(bM4sW-Fj=@;Dlt3GXnAd%Q&}OiA;6b)0Xt z(^SFfk|4%1I@jl;GcTMlxF~Ajww%gDsW`!`$i6tBu0}t)qIQWAvA?Kxcfv>@QXj0E zp#X{gFplN6K<>O3GD0BpWpzXA#(D3}=?c5XK1fz;HR0fHa9a#HBczm4Gs<;u<^@sb zd-Z6=L*aSC9eD5b_MKEl&i{yZN`+dvJEVK12t|fPc~8f6q(L(~Um14~`#D-hkDl7r zb(6l_OP#QW+!wVi5y=f|)MQHqNtbyg_N|C|lxIX55okhg&9(WE&eEqsm|i zkso|`5PKev_+bQ7fkj#M#dwiab#}|!0TJJNgw?y7(AW1y9k=J@o!MXM3aSRxR)v_k zlNVF}OtE3D4lNj4&b{PAI4!lF*MAssKA;Gu1P~{JW0uEXIRbzz#X!AL_V%}9;4IoF z?gf9BHYr%S;9K5^Al`=N0TsT;s(+d2&xqwW;S;0=vMMh@p&Qc_>d3*&DNb5JojHrC zQj2`qRe5rJkjhLz4|Y4|UX3UPUP_47>eeS;4n9=|Wqv)0!h2zjBd&f!`;;-YYa4u2 zSs1yl^Rdw&i@XJmN?viFJE1R4UOCCxH*=ZPbh&Fs5zX)p$Py;4`YLF4wFv+_(7VYam?1if!87V>n zG?c7jXp{udw$Ec`&l?QAQWFX&6UmLS4#{yU?oBnkF((|M0&mDfvu9{6=m=usmpZ9) z5ij-ZI!popTEX^>-L>>or@Rsw##IvExD6%?f3GBGnw-{^kJ66OmCrBf7&Qccs)a>N zxo6Mgf~1))TDVCE+nQVFjYTA13l#lhY!g}WO)yBnErMl@nLPe&KN5?um-ug z%-J@%ZoQ3`G18~95CQI%k?igAaq@4WiO-8;v88h*k=1#cI61D}0J&Dixn_>R8ahby zi&iL!j_~$#Y-VpZO=Q%3QCZPh2#sH%PK^z-XYadRh}Uzcw@0uLUJ)m@$7B8{$68ZS zpFfp8&QAo#Ohre-ylRn47rp~{-MwMU*+c2lRlq5~LmbDkQPm90-?cRld^R%1?|? z7xD9m1XUQmcO9=CRQ;`KAf@8L#CZ^-tstzudV?in(EwVY)(0}D^swZkyn_?GE?4c& zX3n;h<{tZiE-pDtX7Z`v-6>|o0VNzaABw);+Y`Ibk0ijP1@Jb#GPxG6fOXX#3S%;% zw_`1HtoSGbGN{~;0bvslNo--i!9K@~5mCm&d{UbAvhJ7#-m~$!S2q4p!V2RZ8m1HF z8NH|7!tWP{zM;0^5OAG%-wp^Kk6}vL_Ns3dtiG1qwYX(n&f2_xu|zfG#P@6Xfu(_5 zAk#ZDv9fjlqC92T;~)Kzj~@3anz!ktN#!o5bon3l!y^Ao=DFpcw8cF&t6EJlchNeb zS?KL?VG{KHQZ1*U?BIQfbA;iH8ojVQC|KVu)S^xDvY=JDZwBtD5&)C_5_ z@TNAI&K=#JYEnb?p8Ro$_Jf{%kOk(upNzDZpNZPyeOI!8Rj$1_)@MsTNC_6eJ4A0Z zEUoSA-`muyI4SufyIAt@SE<(bgE{RRCZgMXY$t88iktP#DP!b-XnzhN+fCt5m{ThG zr?a4xD_^sJKB?_x*8J1Ao%4%6=v!2-kqQ*yXv(>Z;-xKvoo7#IH$gPcWE;%&CDB2X zOtW(G6^QVSM{pj43NTRyQv~nHHMohp1;Q%IDfA4eS_4qd;WIl*x+g_VDQ@1>D`kRqD=x;K>^)(h zTG`3#&%yTZ8SO0a8vzQS8vfQhn`RfQRhqH2D2+&wW%0t!M$O%@>!336&R`Ffyu`td zklNebO?FW;m(i>3eN+mAY^yS@ysEUlX#S)+{bDH{(ayHAy!yyomN*u5)?u>^eEfX% z@vcPe!}a^kTXoJ$OkizSU_~7K__C*{430T`pcQNEQ~%vZ zVt1c>q_VWM+a=xC^Q`Q-u|D*dF3y%luj9lo?t5V6U)r$#FykNtqDVaMj0mu^9GiVF)XN> zTo0Y4TPaEYct2~~deSYcl1HNSHQ^zCvK0Oc{MBvmrnmTS@~40R`kmdM=VMJR+|=dp zXu*UF;t3{}mqFn!U+t_8l?KkEYNaUzF9(yF+*9RFpq(LwCUYE%FvZp9=z%sJW~i8n zqvw9yw1&b;1f?V$uOV+p+VUs{yddLlo4S^q!$B*vEJPYABCKAF=}2DNc8f!Vewk+T zj}bO;wCe=+SI3B%BwlHnj6Q3=Qp{pX7E@%_tQvTU}_Po;T$^9MUwuCq<3=Py;9muO#ZGs|&-g#S!|H zw!ccb;c+M(b@rupN#-5?$i>ai1iqrQeC;V%!__OhGaayo8N1Ese?X-F8!zqrg_p8! zX(%~Q*3?k2l;SJPjTLb(bLBj;&pl%mZ0s62&#UHk-MHg$HiYr51Wi>~O|w^;pe1r6 zd`I~BdD9-vn!?h)tvXaQByMdLluCw#juyvtCyEv&cT+ol?Q^7h#Ys_izE|6U>01*a z#+ClVoPPslbo28s5Yllr>k{9)_o`Cjoe%#4amFAtK!>~y5a50Przl64IfR1>fo48t znii|qsM&_RSk3>sVT@V56on#b#;xJ>BS-JE7il@~Cqw&lr&q_)9)&=#EbO_Vf6j$R z9-{XFA=V&^S&?|tOB*KqaRFQ9aF^H)!JK8VWYNt_48k!zT20+< z^Zvp%T(ws-zfmCg3VD0%o%VL1qksy#p^ zo4$(l{F~FTrrH+-s@XuLSK4cPQ?85vvT^0y{BG`=Rg2kpvHQk1V6&{gt+oK^%cwnFe)8sPqBEBSKWP$tdF?TWcntSNvz`2YDtY6 zqj=q&mka8!grKzT3y zwr42h1#Y1kex|tmrkAh*H)u9;uV%E!SF`AFM{vinVd2ixVQj-f8`zv-k-b>5B%ypg zNe2=crA+?GhJmmU6n;+f;m50e)EiRx*CIk9e3XMHwEm4!_-DLWqk*%T8Bh*>cq8<( z3UhE-`+2?jju@^_iB~U^%j;%1Pg7&fE$S&YfhpIffF>|iYW>9vqs2wpoO*z`SNTn5 zDwL8@>ABh0Vy?uk4=2AcbDx8Y>~`QPQ(&Fmqhtx)k0+Hs#0sn*6&I$Q|9QMu*Y>Qm zT*N39xG1;p1o2eK{6uc=_B#&rB2b zUr$1COK=zTd*TMhw_MF>XNoV;Xqr<#dcFz|zen+Dhr$#^dahzS9Dx~4@5*L2;64jO zE)I1kW84?~Y`fr9U6L=k1D555meFF$o*hx(fKMt(smwfkN!3R5`E z83&MwebpP#FibnFftS+iMplFmYjE}JfAK#5JfvpY=%-Y7aa^B@0)KsdZ3Cz|b1yGk zr+xqUn>Gu1q94U(^1wbhSFt!D9^w7Na}L-);kWw0sj9uz6@~SDVgw zN9-3F&^6f~FNWuoC)ge@IR=st2ND(xl(v3HyJO*}3oGWxOF22>kU!ZU#;g>7qyl5= zyuXgRh5^vHibF02NOv{P&vAur>JnSrB6^6Srvm{JVUXpJ*A+*vt#U&=*^=3m6^>$zn58 zZaJ-LQHI(c^Atg^BD3+is4Gwf$N&=tvKT#j$&}zAxMNp@+{rhx!sn{FEA9{r5pKx{ z!d9X+mh@3?w^sXNg~XD)Uiukbk)Wq<f>7hO;%OF!P1L({xwG{|6Xfs>2H!;#V`cRqj| z3`mMd6g7tQ7ZP{Xed9OwV8cK!-Bb>P^<1#a$49!mWI44N1E zAqP%o4u#1>CJ}0`Y`gHUdzdoS4_|Ngh6<;chZ)Jx!>jdm(T-xI^K5)t|o}utC!A;4VfMaN2 zN(Gv>`7!7vq0OXvc+JPN5spcTRZLNW{&Rf210uG4bXUhGUkg{F~x zB19GUlMsH|Na@Fmov{i6C|1uGoLq#oqF<>8tJKkY$4T7kppy&c6YS1c>*xk9+ECD^ zB&6Lnan@B84TFT%>QO6@4Vd8pq~RnE&9new8wa#^n4)3z@5#X89b18H zz}Dlrk-R7k!qT&@{ml!onRW*b_(hI=>h1rXa{Zss;|TUW8!Z1<0>8;SnQkH^?E}Lz z8AJkuro=>xB5tvcMz{(GIx)HBE?|_a+QVBJteD-ZaxbQ8k=tDpptVGPYQyj0P*v2T z5Y29$vV0O4x;VliCeO5=CMXPi@n=putlNn!TtfZW{q=0NldINIE=OObLAv*Z{Vt{_ z$mD4m!SypDjA+)U;j?g0=o>1|8wBB3#ExePw%42pMyU2?vm2EL&_eW!@n_LVMB#9x z-3PCi%VS6n^Hoh=N*-sSKL)56xbJO76vG62>Ou}%YT@0!5JD$R3BbGapGs4QVGVv= zX0Ctt{bzN78|=?=VeD@o-6=PX<&z3W*BNp5&l7xvdGYiSuoRXVci;{<&9W`xK91k@ ztJl~O=aq?zdD<&!Vw7RF?8(H!lQ+I2*0fqvC7ex+r&M;isH14o> zMl#&NeCbF(U}8kE%b)=v8C6p(4y~1ldRe<}_I$va$jm~G*7JQTn3OKWx8PNBK`FQ( z!R*W{9+{eLj;aT}#b&ETjCUBj83Nl|HB|2g6=D?j6tu>>X}C`L|Ja5C$=^j7nY_c< zH>Bmo{6o&q?uPD_uMdgwwBE6%xG2pXGaywp6-M_;0KP~}u4`H!tl`yG{qSkP{M+65 z>o+QZ;YbNV`?sYJ@YvF1LFg#A4Gy@BATJYviKNEO{9%sMty!G8`>ul1qTmpZf?HKV zNPZ}fb9(~VSqM`sBQw-y!yKps8MjeG?iTm?B&&JGAe^1H%|-^@u6UP;aQT=mW$9>1r6t@Lhhcx^`*kEraQV5e~2me_ITQE9frE-Xh6 z<_j@DKW8tGz;Vm*d)a$i`KNeR0+5huqOd|$5kA6i%>Fib-UJ0j_?%Oj20Vs;=@|d} z!8I$rR1v~20y~CMnY-yLm}ry)NopmX&zPP2BYDA2ayavz-H~>qysvfmR?%{%3q~kg9d~7g_D&5u7#6uIDoU;z>mG3id7aqrG-cca8+Q|!Lpi+dfzwEf~Z+oR_zp^NMK0p zc#WgBt% zM>si%Ustf?_$YaVUhjfmi>>Rh3mXH>c20X}UVxeF2dsFX_Iilv|4(!1sZ~7f>$JWsD5J`4J798XrYrOC8^-HFnNm(ih=k|q2eO6$ioLTCKFeOf3YOnV z1Vmy9dkYtNzcKjA(mF#hOQGkcnQuI-^?87HK6F}#&IpZ&M@w=a8>YjaJpiZ>2j+np1<$2aF~ zc8!0IN@~b*0t6qWdgtFfyWqK4;5FWMMDLIK+vghHd{5oFFVbgtp7a33$P2O%W*D6V z%77w>92_rTU>nt}+$vJn31-gp(cZC<3?wAymAo~*YujSpGd~EwMku(F3^g&bSnrN% z(stT1Dw{@lI=vI8DLgc0+g49ZLfAEjt5t<26K}o6lk!WH4Tkm_p7=XRrE?Tg>lR07 z>OUy!75S4G)1hfD;2$)!haHh-YksRM7Wg4K2hyGtgJ-5`p*Cn*t!_gAAuqztBN_=I zmq1Grx>Al0-`wiQLUu-0@*k-;unK^FPXm>G8d|mi?ZbGu62FybR3y`o&1UgDc#EtI z5}f{0^!7{r=1I zi&N)gCU~Jk0tI*_J1Jx1G(D=)>+fyF&t7Z^Vg4OqxNjT5vp2r15{gsDHY6JVw;;x4)Me1(d^d2}(V;$45sFkN%@c#ovYma*O{g&CQZ z3s`{Q&NuG1{8CjvBaM3@^<7Mi`%sb3(7ZlG`^DGSa;rrJjJXTV8g^fo>di(lgzq&M z)H(bl+dLf~f(QUeZ>-#$bPQ{(vTHTe`6Ae`L+qV1Z6aIx5R03HDt|WOmbVru_ZTin z(2m`RC)LN|szDyEB zq6)aj+l&pZw0Wu?4jY-G_Pen%O5#A>c)utq`xEKjf^d`jy`k^{I9INaNS?*G7ToE> zC`Q7Nn_a<)wJ9yF>x)LQT+Lw1j(LPV41)v}&J}Ueuup9{F(n$XG{P&kX-wm%-;h1fPb!9JRI8|$z0o$A% z_w~eq4Vgam$NOtW5O+a95PHl3MIp@qwxI2B`@$!^TgKbq3RpuEFwVVxu~xD5F_;6a zA;~bdt!pziX{RqIcDOsSl;EDD3}v19FjOylk#mIC_k|y6PRl5vU1Waj!c>55DfRaa z@7L%th}YiVoIr4V2=EpWT(amFbNszf`gNws9+uJ%hq%YrI5B5BOy>DT{X!LLafPulJ!ZP{ zU6?CSc_!Pdm|rk4Wf{(*4sEM%EI*Zi&%}&g;%chH*?s-``c{98li7}PBH;ay0oppn zYygkCr^j^;Q|&3h)_F>bnT);F?i9y1B)BV+W!uOH24d@MLFUb5gge%|?`xbf!_bjsCyO8e|pPC&u}UCFro zpT%c0S_445pn!d4-@nPEKnAep)!=gv@``NB;KjTq1W5{^n5P9mp##Iem}ux?6P-px zXNK0QFbY-o@!?&J70jOQS7M0^3adkQ;mvjeGR~_#`gcPQM*xZiCm`xfGU(Aa_a%Pv zF{%12L%lASlt?z{)F(%jy3w(;x3ht+zc+V2w&(l7q#MaRF!FeSn^~kVGacARNpiaJJH+HH_`y6(k`FK`&lj zV`wyWGXz*^#h>}Sl`c5*+atiVI|nSPcxdL{Eu8V%t1z&DnNUF1`x<;Dk70(jN@VzkT#n@=vJGUb#zboQl7JEkX5 zS{`rboZJ;^0Jh-fr96B8P3FQHwh3kC@^O)3sm!*k4%y(VB?AnF=(tP-*7j2PCK zOuz(kZ#MexU42HXX5BC`cV?XdHuHw1TKS17?F^{Rr8XVf4}5O`V#Zx=Hi%MH(u9_~ z7}k)euP8o!(yX>}|9A=IA7-EG`($`{f9mHCPLvyAv3qmgJU|Hfd^je3zs3;|CO&sf z^#2X4*ElV@V+!7HeEeJdCPkq}2hc(d@cFbS?Ub?1I2l6bEaM`L-~JqDi=`^gF%Kr{ z?^GEUE~G5OJkc9#s6fa>hv@~%*dT7v7v{( zR9cVSGltzf1_W+zp++qBFR37U^Hd}hA2U$!CQ}z_Jquc{N*w4rxNmwbMu$LEsnWfx za0jO$$(2lD1*ulUbXAOF&Bmo5dQ`QfZniJPUPxWUj}I&uD^ztZf?a(kX9}=zJAqy> z5mGR)29J9?s=y(nNZI!!JuLa*H6`IxGdNvP0vNu;Gm*sZJL0>}bw9jpw!g_@$;QRg zfhR|E2R~0x-(LLr;m!El|L1fm_J>Em@>~)0$iZjh!&t(GD3sj2)xwCX{3UxYIbIXz zKdX-k&B;`dzVm4$;WsTpad|s=R(UTpvDHW)+6MVGmqGIz%=REu$J-hQYY1)`HTb`L z8UIM|);@qGYGz9zCp+fv3w$XgQ`&p!jc7T++LBPobNUg?n@mW4sw|RD+#1v5cvmd* z9n8JR8h8e3S4-bq!9AY6dpN#BCvv3U7S4lE_Xjx)!@15#7n_yS`BB9!=6Cm4xkU*3 zBS+riMC$S@z@Hy=70z`E8k``^hCSwZ6Vn=XvTgX#?fK6y zP?nDJdQ~Gia1PL} z6K(s;#K`;kvmY7SU1?OM#!GlmFM zKHbHrZ9Z}x=;4?HhIi^&PPuqS3kmRwb7i|vPRs>El{04#255eQYbR~DweMyBiPCA) ztvlqO(2Esn_#klEl@Abvf?;D-e-{V!d_WvLmrqo4e+0BL$7!$>*OhJP zw~AY0!bCuPw0khR*3i+mNuPgogJCBfgSX2+EHS$J#444i(Y`iPQqifapF0UbK(`!c zGZFe?f#V6HWS|B3wr4$_19xb`l1&~KyIAq|t=IiTeUPx5cTu~Xi}&A6P54c50-kqpA#t*CHxtl4!+l?*4v+Ufvt*V%`}5lJM9}3{ zukg5;RTNdXE4Q0P1GN=n6mHwiY&ym3n7ljmbbZPN8{xAd@C5od$(ut9P{L&s`u1k~ zc7fSsbh1B@9;D%%<4b_@Qn(eNj}%yMIynweeCI2q*bfEj^_j|^tEHj&u?i)`cY4aZ zBhP`Um7!IDD!cRYOF#Aw^7Q>Hd^w6~EAI^f+FX-S<_QbI$CrWOc{1!ai!0qR6OFSFHa{^N z;sbvke+**O-L$cL8+nYtkK$KbT_Iz7vPa z49%(CjW~2S-+yXXbhuR!NzT6-;Y2)Kb^Q31W~_Rfn?@IcDZE2b5M;_D3jj!3DO-MD zsPmatM6*peqrz&CI*-9!r?ZBl=2iCjiGqPni#l4+0AdkB^t>{8FqvGM!%A4l!RWhn zhh!7l4D)pn*-#lH`fp*V*g9N3HdP$Y1GICUN|hJ~wWk`f{-eIOPMH~>`A-$t2BLNl2Q8Vg8eIBY{nc~J1D6-4bd!2h!_C8A zuQFI31=w|let~>8$EE31eVj&4@ytzcOKQDhfm9ld@7sYLHb-*9B7Ar#o_hb?>4Q#B zUqEmBjXseyk6}D*FKluHq*%7OI5mcqBCg_#+1MFCLbWOX@cq1K)(b;n4xeKn{hCvo z;M8IP>yMO8Yv}#ozrZ=4UGi4UG_0TUKL>WdhDri!t{nz`9&LKJQFA#-)rbtV4gRIH zPLLQJ`<4H!+dMA%pMZa*NZ|n(PL%pQ_Ou_or+e`{YW7--@k=H(%LY+^l(`Iq;JP;8 zXJFT-<9W%bBn0!c)fu>RDIQwui;AK1|3^FjjrQH1BZAG{@gAs&qX3HSm?S1c?TcI; zzX@4I?;A6#&6`3M_U%I&o%uEEs0Pl$ZirpJrb_pe9J*4ZTMStp>U=h2q`j<0740O} z&FG(KM%&D~?V(B~SJ)B47=Yf1)S_P{=N^76H|ZBNapB5v;Qn-FrBlDLM*gL zjIar`>iiJbwu69v64|yisd&NFq4w)&h3xnghCUYn&I_=k9iwAcj5_f$}{A zHz_wq652m29L&Age5;q0-W7X6qUN4XDT5d5z;zls_Sbf?@*?U-^Aq0BvJ7IfnfpM~ zVsu{11cTE~XA+3A1*32S5O*Qf`3ue2$4Y@tBFcsP?*vclQXfuPyS%>KwDb_aV8qD@Ivq_^|e8#C%whT($bo+PE5{!GbeUehh{X>)k|5i?}R{>VSj$&LZGh zkvve+cfn?k&jGE@g_zM7!~wypton9uFbeZsM;`tYzdZPXR%e!7rPyD2aspEhjl>w2 zZv8@h53k0^xK#z(8@Sz}z%Iaef{@{K5oEWx^3+x9b-V-w^?9SWcZ;1_Kkt4wr$KE@ zMkh;zBE09q(~T#kz^fBHc}VnIdoC8b1L7Wz*HmkS;H5iyc#K0&8ZdHwU) zlh(Yb`#(4TtTf?hR69@P$e0HNTzNSq9r9WK(x zItPCQ`~aZ(UqB*ak<00;y|;*I{%qPdzcfzZYq zX=6W;?hnBeZ=Yl)h5U%F`W!V|5V?=sv;T^n@B^NnC+ z8G2OJYd4&tEVHv1G$4u43%V}1%DgWenU#u5)vYk)L9C8H2aFmkb|1dOE!owouIDu1 zMEZ07Ebi6_%m644lB}HPFAOEMFt!4fsi{ugkhb_aP4`2J?RItqJtKr<{jfVWgR&a1 zK~UA!0B#imjbnwbIQcx1<5X0O80f?*&1(nEz0Ghr-*mi-4f)kHVyJTtQqX=>ozbz$ zuW;z~&shK?)^aQa7xGcoTxJd;laEu`kD%Fl@WM}Q)CE0KmLWzL=XD>k7!z#Fo;Eg+bQvOADsW{R;0_42tYyqk}6)cEILkr=T zQ9dTv|E~tP;D0v2p)V8?dNs%q{Kuxe`qNh@jPUshq-xA4>f^SI42gByZn&E19haf& ztW;jw8D_>pg_}WP`Ay}{kdExF z4egWX!g%GKF1xwTqD;^WUEOJ?#LD{?Ane_7ASFfi_K)uN2Oi%-&ZB?7GJVo_m+EU9 zqx_pf3FoEr<1brb4Q$QT#eWlw(PpQ?SXI>cgyqTFS75)l&=zv5>ExivKgIisaJnfV zU#v{OM$0Byfq2&%UIIkqXn!d1OI3B@zy7y-Ji$)t4W0R8y&g*KI(Z{!y)|(+R=0AV zwn6i7dd_a|^GZ4#^YjlzYI9k`>0+51cMJqZ+UpDv*jvdH$cmjcH z!iw5cqt5Uuwu9u5D9o_|VL3{?P1k?^VnxIZ9iyYZ!b-u`az5s}ZqIjG|Me=kPp9IH z0l+oFg*ab148IMVa`{|dK~B42cWM{=E;EO9nWg4wOGbOQ{dT#)Zeg)8xBO}i%jE@# zMIN~?4zm7)-s*4UTN!)c|81){t2U$e@taG4vHMbWtmEG}NZRNCf7Gk*6G|tC+ihTA zOKkIX(82GfK+eO{9h=WbjZF)eJl5H&4vD?tr$cM!fQ87KD}9#^>r;~Z;+$(IM9Kgv zV(!yg#f2uoS=P2u_mg*re$(02-@JN`@l&s4lhWZY*(N%D<=y*}xwe4${31X~9JGo; z2oaSyW}OkIVkMwzSb5FA3w$h;T**8GyhkFhcH<&g+8$>(zkPfaj3UiFZ#l;v8qVu? zsC(B#a-Qx{{fv(=NYX&}Bs%@k4vocRQ!6@l1k!C52>_Tty$$a# zYnC>^Q`0qPf6t{YIG5f8_-We!3no)GKyKbn1^&IfrT%ZGVVn482B-IR$#o%iU zz5FbLmB+3t9zBodl)gIm=@j4qUeZrL*9wx|q^lRD-3Qg#3y~H%r-s8}-=%5&G%5at zKXcV`)8f7oRqE2m(-+2HKTXt?p)+^+Xm9oiBx6(}Ny_w|@m<-4Wo5mp->a9be5Yy* z%+BifF2znEy|VCk%Dn9E^W%-bcrSXm|M(XKlA<7ZY{i1Y07*fb7kPy({$j*iY&Ai$Z48|!C^V>`p zAg8{8WXY1&Rsx42V7+m;O|9k==hk*nwt(gw@*aMU3rr$yRegWxm<$ne^v*=eEuN(W zzd{5g`+r-fxv2DL;%R=&P+O9hUERE_MTC#+4?lmo-!Bm+FCQfm*1|R*RihTQMOl}j zxSt+@LxC>D>%iSI$^QQr(xF`*yQ8K>S$uu+OPO2ASfuc@d#^-cVo=)7kKZWo3UDWc zfMWq*nU^LcuFeW5Z@2QnNAD2P;uZCI8nZ#6@0YUu-!7q!qJQ1yi=1TyX|{TN20Zqq z4;})0gmX6F)(UH7?|*T^H|yKk%tO@}$s#D}+{7yn5wSiNRgieA!_tKb1J!p*z|0$#+-R@TrRz;1fxst( z^&@}Xir|J{TL7k|J{tG_8Sq3FkD$#t4e*1B5d}N@;B#!Wh+|?ZOT?8iBbt5yrC$Yo zj|`~cpV$C~Lpjjng3Uf0?MA1{{P~gN4=?-MB1v;{W$mrZ z7TeV<3)6y+D{nJe=fc6frxe0aSsb_T#XCJ~uT%z(fHlWpzUuFZz$}O@#K|rq!osp9 zc)-7vPE?2)QKi3e+S`d-GykdmNNY|Idd|q(ogFx6(e^ZcM-M>nr;P|LBzqyuj0*|ugvkcURp;&IQu!3km!{EDmS$&qgTyZiTnLIu#{Fhn~{tQp#N$#1bJ zN5PGVT3t>Pr0CbS!>f3VwXi-l=4=$+S2^WaY^7>IXH~hBkI*}JY2$N5 zBK6J~b|TI!xFwkq)ZgX9E~yW8RPqZl zPm7sM2VTFNPaOWGGGK?Nm=`X$qb}0l_bBcWkTOrftu3w~;_QvhHW88GpZ)@=z zPW&In&N`~Utg216$q*36|AyNtl zkNDol`91SI&-$5Q>>S~1NW=)rzPY**dT{qXG1mhXY zz+X*w=@AT@{ZXL_LX017;zGVDFkCz^9VCH5P-6X6P`rXWO*@FamBX!z?voHP(h3G*Uk9-Jz-PPpeY*R>3#@^mr;C zC|ME@*P58d>vyTVTRWb=JL=Q_$ezT`U2HF5XXqY!+BXz~NOYD4;ezz6YIBC%q(#*M z)Ru6U1OBQo_?Kx)DacGr5)8;qJczBoE8_d&OY|LPt(Zryp9K;7F`|b%(f4;FXt`aP zqO|%KZt&%HJpYJmik{l>xSCgWXUHL~_iBqW)2n({78X-O;dN7FR@nKC`Zsz(j4wbD zExCi(5MS@;cLUT;ax}k&y^rk#=^MW$DZFHHX=7 z8>^m*$n_PE@nx|!``Kw+_TG(`KtCB~YC=x2i0V6RKH z%r{E+RfPuQg6+n{RLgGNDZDOd#a0spn$O)~_9&TO_-j{%2A;l*F5|DYWj~x??xo!= z)hC>P`Yxq{o6Xkfaw%PWO@*8|H&oh2ZlI_*p42Q(GR;*NdS1amhw@HpMq=i4L<~7R z@0DbUBS37k^$VM4b2!ksW=ZH@{7ZBAFW-%=)1aF0HluUhka40pHs=N=uVBS31;1TInd-C?$!|wI@Hjz$(W^eoOzWa&6T}6t zr<=Q~K?@_v!z_~etq8^#&?|V6xMcx-Seyh6^lMi_BFWe*B=mEMi3}Xu1zxD?SE0jW zXzuZ02JLRvBNgEZFcwUVRzy*BjG?kp&G=X3^a>*`w5kRV!jb-Xi)ay@wZ1eJPHxDy zg2k7xYJ8JtS((z;kl8ld$S@*=+#RThGu`Wzc9Bnw_F^auzX$Jkb9s=+o7l$~yk~*# z%HoF^8?YJF68lN8zC99Wy@soS3!TF>Af;`Wvc)zAcj4jYKdWwwJszRS8lXtA@MKAxsY65md+L(4`F%lfegOG71*95(io= z@py?BVA8f@F6RA^-hD!j^QKv>+b{JNb~kNBKxzH>K5S2%3SLffPmI0F2Q%%SX`b15 z(*PcyB|n*f?1Z&VR`y{MYwwy)&Gn@h3O0J)L-rQKc2{NF!QW~!ib zlb81{v=M8mVjQwJkT3ZauLt5EkTaY|`EP$x$y}_YpXQ|eb(qLFi#gWiT0}b>9wf}; za%TQ1x07MT%v2soXv$&7If+VuqW^J0N?8r{`lJ06xcc#srR`M4dbCt4c}Ts7rck67 zHmSmuXNQQQxH}M{D^`aM1+nx6irVE~8q~R3epMv_rzDdc!U6M~*IZ5`v&AEh_Y^09 z@z+SJx66<{&phfidX6dOeABJ4M)W)}zLld^eSX4_a0kxBFe+T}5sgX_2GG2$z6gf< zPMH4ut(Vd0W2l8eF$}-~|CgVL`PN@u%eb0$LIz{?h8^?hCV2U(u1nx+CfpAIl&2Y0 zW3lpZhBU2g5nf2qdSz1T5+fE9roZZ}7I>uK4W8(%NmL$&-dsuFvl3h9no|r)jjw>^x)xaR8l9hzlVm zCBo$!a8k1NgW9J-TC;K`kQ=isW zJj8&~$}P}6&z!2T2OVBIdV;04{4*NYLg2H}zRHfl6x^6MiPamqgUqG&mWb3raPemw z!fjJk42Sm=!Azodfvcd3WvC+YQFn6_nAO|+e6;}W)s9EV=Pl{8R%f8+u^iK%Q4aV$ zl3z{%n=+|pWkRJx4IaE{LjtMy=n(LP^VKZTJ->p?U9jMv3|IiqQrcw11ZL#@*)s}H ztQ~@(s7--q3fX@?Q^KyutVCAQM#KAOnhxOzqe7wxd@abj@Q_U>zT!5-@2DU}yNZoY z1j$-Zq^aShJ2#caXQ-EJe9n<}(OX)W;#Bp6hS?=D-b#hXrTkE?6rDwLG#CNS7(%`_ zKwVMbDVd(jaZ5vwp};XZrqYq=L8&|;k*0iz?T1gooHwO`2V?encRCIYs#23y(FZ1E z5AZ_U@WCKrl`m=170DcN_|8hc3%gU2#d-l3kPBgpW5%W(Ba7ozFnv6Z{zPRkXy`e_ z%Fx@Jhjxlq$&d7cgvpVBga+2>4Ngr&<&`AO|9wuCtq_0mdu_O`AIU1i>Yo`)1&!dA zUl#)p@2Td7Pi_s9B8xCGBFRJ9Pi}+P*>e&MDT+cUzA|d3UT3-4EVDrn9PhWzY)|oi zsRoisa7>^`;%D+GYPw`M65sT+F)3$&9h^-|gGH?^A}rm??0Tg#!zmj=CF|%(AiuMg z;|0TwJhgcLf7&7i$!PsfZegu5p& z_g9mtQKPYUAceg4^j=6yF6mJyZ+!r;h?E)(m!)4H&u2o)mDue)7_=fe@^KlTK)0F9 zwAT!DrOgt9--@YP;!lk@mwWxPJOG6BvFi_MQdQkLxCSk z*2A^~FV+`ejiVoj0_UDymD|M}XVU9gKAG!^t59%^e%hII6xPh|HG}sr^R=}a05d)P zVt_z6{ypBYvSa$-+j_oMOoyz>hxdYAbkPXB>c|V>6#SX)}lKUFXiF4QA_=?zlLQyQXyuE zUSgv(-i7JomblGR7~<*wl{maBwsW-xjeCPdB=_97I&z;A(hHGA81dzrgD_zYd$=EY zv;dq@g~5mDy10$HcJ2{Ug~3*?^j*q!U1VEKc z$@PA${=m$8%+}zsBcCN&&-K@}e zh#~Fj8?&Q8?=hEPT&~w-as4s>WVYF+cN5dQt>lGOz5U`7Ie?fM`mS0y=scGHIFx>* z!h&JWQysAg{3$q5J_ip?K zx(si1pPK*a_T(z2shaW}tE_3`s*HcdM`8Hd_RZvD?A7PF9y4l>tCwhokU$!#wx_YZ zFxE_&Rb*cMa-`#5x3X`a+CQHk<8Ce_aja(S=uKPv&8+}U7wBGPZ|ceAC|+}YYYJXMf+&0OqX^)CH~Uy`Ei%@TZMQ!aX)e+6a~NMG_G%N zI_X0d`43u3WQ;^)vO*8o;1iV8S)$40gM_&Y^`?!p?DSY^{Tqs1Bl?7BIMahjpk!#5 zqY=d*HF<16?`kz3^h%{}Dy$Hl#q3Xu2pNee(~Mjx0@go;4)1{d)ck-84yx$>hNGU1 zeQn)(>m52^BKc0VXLuL*L~ob^rorFx_`gbUP+}C2XBGBFqEGe1WU)~4xObWvrYVcX z=HaOe#`V=2j9!x8Kj}Ss=-~n5Cy=|7u58DLull_?c*K@`4^}zw?1Abus>xa~V8xNa?n9z}8Pq%~XE5QGm5c8?k?9iJ}oDgEy^(k!`x-Ve8#teSR zZHH-BaIRu&O0_KSjkK%Bu%?^eH3#n7Usk*8Z8k1A2YO1nblejz0gUAhu67;M0)v%b zI_EA@Q)Lnjzug?<{E6do0B4R<&Eh(v9HT0RH4i+daZ#M5U(8nUgRzJew5uX2U2CH1 zhc8vg9gjU5XC3byZYvY^nPU)Q>}Pyv-oO7aKMeeFkka%w! zZs}Cl3FW$U8CDe?#P4pyA4=Inj@a%B8COC^*-M()usAd_a0;rEgW~GTSmG`YOSOwd z0jnz|S$ZEUE#p&U2;EmOW1KlAQ0?v2uBV8X&b_1Rf!KJ(FxVf>|6{jDyK=Yp*=~`d z5W{9!%k9d|moi5}Z2K(hRt^gkNZpMmjkzyhzr}PPX74H=0~`sLZnNM&9ix~($7nwq zZWK21p}7`XS#R^_{UJ18VaMFeHSNX^=Z_8jN>*?Ex&i>y8}sd%LEb9!BfotL-Z4dG zpEb^PbpW3{VN$_Vzr681@Ldx*RMm%<7@J}$6){jFx9ZrDQb1L*&$bu~VR_z|Vi>lz z5M+gUp{qUoWr#>V#>lr-argz16oXOYJxp5l-#3xb{Cw&9BH$S5f4}&E;qI9UG_r1j zu|5f-=o{vf+n^}T-lUctnf9#uerI)w9>~*g4xXDE;oAC|8h%~BKwf4N6u$$qQ?2K6 zK|F<2^jZ6o%6B@?xq{|cQM=BfcxiEuT(DVaN0`5z>rv$y&GA*8({3^ zpygf6q!DmkJ0?+8F)_`Y@-i(n3(7VGPQV(tAIU3C?s=F5kG|>HqA|oDkc_TRB^F3% zkVZp}x!J|asJ;#spwBr=`&2>jx}TPFaxh-kwx~8EKW7d^{HC9rHJuw_nYr&hsfm0V z%r)sSk8}ZpEzi$5Cspva6;>0VY(D4gw6Ut9o-51ORTPH_ zE32cD6guinCFD*WI$C)>SmJ}?M3R1TboLcVX7!sD`7Z-gc4_Y;&g915r$ks%3Fg2C z>688`GYbk_aC&gqzcrx$aKkY=o(!ZFyeF-$+uY*#%ESky|5Am-aVgJR$Bpvy{RECy z^~b&&wy@80H2^QTQOPTphuNAq;hF_blJj3DsdDm$O%@M#t6UTvyxKl{J}>5zGT@@uyv?Nx3LA92h*2_1;xAoP9N6e6vNrQy*&aM;0-55 zsWy+|OU)U)m#(W;N7(k(gNe>+k|EpF$xqPbMF3{~9mh%nNEzJ@pg(;vu0(zW!Xh2v zHDnudSgS6K)^{!T-nHiBu*1PtiS-19ZWU0nJ;Ss70)X^?)o?%oGrPNzSxwOjgePq7 zVCbmD;@qKl$Wm7FTd*yI9CJ1U#9_msj)NxN#GItyvDT6O{&{i36_PW@CeeaW@&7U6JO%ePGUfK|xG2pxm?p z%woKJRG_jbMsSGuY#8N=G$TNO;Z><-WVL&Jmg0}w#Gd%gw8yVIMGf8YePF^fOA%g& z?R9b>M0{MN`4Cm_XhPofs6RO5T5@{E9a;Aw1)73SELco$^&YNVXGuk1-`TG#$nA%Z znrijx%7Ea7s^>X3r3k4FHjn?O`dPJZEos2ot}1a^XZ81%@o$1`;NkVE@H1@8&ZQ*5S_^)qJS>0y%+Cq;y9yYv7p{sth956cUEGRP&Ct61<9e*x!T zxRLQSh)I5i%rI&JjIwmkoY|1|KGcgtP;)Zi2z9BT`ke!$=O6>z#K(&7mZ;=sy6_li z8O51o(5u8fKwQ@ov{&Bls@we@1aQD#DK5|ZWx@>%O;{5zCsGH2a8Fs&x|#Lqs+^wU zJ5W8Fn&oeqeUGD;Y8!c9P{ReTsd~fS*Hg2aJ%cklwA*`8O+Z0^F$WS3*p|V-ozb?6 zCvz^BJ1Jz;=(7y|K8w(V;s{vxo*tx_$i50uji~!bUui!>*1>IK_WAt1j>#7Z>p{BpysyN4$4;PN^%ZHa;$jT^9h8H6Kw81Z$d~jc~70 zsr2+S^I8?&q6g>qST8C&;NJl2>{-5_iX1>qg;VrFQ*fr53}Lm7*398Y<71o}Y*>tCn_;Qu5Ox6hXWK2UbfF zh#07enU=b>^-bx7uM^C35VOLzzF-Cvg#xPHD8T)6%0h_V_VH+zhanHI6egtc|3d{a zEtO$M3PZi*sDn;VBV^D_vc)0WMbjr0NzaaX$xR^k@4wGf5*YgNWg5n01zw_h%)T6_ z1$aVT>yDw7xf|W0;4!rLLH#j|^M;P1;_Icj3vhNI;5@u3ew?jZU1;bbEoz8)xQ|4q z*5rX-;Ew11TvOqSJOOV?p9MOZj4eVCf)O^VtE&bKGXcB884~sB3rMw)9Yrd0D@yKv zYyZ}PL4rNd#ASu6lR^LypcasOT5I(7F)ws_pqi|Lsz_u$oBq(#WXFR5@(j>ni3A^y ze0aSa^rQ5uge`X9mZIOeww~)@m>w1D)HrBZ+(LA#EuJ8IjY1WEpW5hGDSrIZ*9W`5hBB1)exR*=Lp7D^HJ`AQ#gr zxdFJj127G9|MdyA@QgG-)nFOooX{B}_Ju4&d9Le7?$;{}MDW_`(tfv%XTS@lD|qZ>0V&<|2bKglMo27~f)=QXeEq^Or_dd;65h06n92L3^*5`xlBBee zU&ndQsOVZuWM~^WeS=Mty7S+_;PL)eLh0O?Q851*<;U6gdLA`jk-D>j3VRNv)jpOw z(+|dJ^JMgiVQeJ%020%C=jp^NcT15*d!rY?(vFu`IsmSIGK_ol4C*T16oPv%0DWEu z6qCyZURm;UhYKp2%?J z#s3f1AnY%!LCjxR15Z86|G*lIu_D(}j=_T%BZ+|mDV8T{RQy@ZqzgNMLwPXkS&BBCg34v_4~ECPRh z*H?3h6`sMr&;QJpC)1f!V zL);O-BPW@tJNJczl&-iClw)pl5J)R`WQoolgdCNXs0i0$@=&dEJV6szboN4srSV}j z_&e*M(rc_G+;95I9i=rh73nzrrW3d%?e|oK96AI zqvK)zGqnv(TW zj~EN4UV?Qn?R6jmTlxfNdWOYdYhm!0{&%+`vA2tc?`sEeR%5pa8!(1U@F#LlYE3l4 z56?y4thGVuE0M(hhX?jSUhSZU75l;&*Vj(^f1T`B)|RN3B#8FM(Pg{RzF3Mdi!NFT zSO)*~RAanb9xq~LexyALl)-ya?d2J8S-#@CwtQkH*}h@E@!t{wz>I$hyq8w{Xq+_i zIR^^#9l(|?N%vp=?-x-^GeIhJ0w6$LA>Hn!{M2_(>TF5ybFG!rzvJa4#JK0}vOIlP zAx`F!ef>Cm5J?syQO(0>cl!3oqA+@k#6Bj-hX0t@Az7EIofN>rc4Z)^R8#^k#Gm9y z*OPo7jE{3sM6u`jQ~wtgV+T+%R%ioFdy9K5jjghyU0)@4BJFv`^M5vfX7@Ij>^?R& zWg#oB?M=G>!Qv9fhYWF#t2o6gBdDZcZKKmmbdYGt@hUvzbt!+Pb zJp@S-;?^7g*$$_i$gCKH#n=qt_5TZtQ4g>f=;3Yv%U2R=;{ieXTh68b@Os8%lAbAm zSJA?&ef3v4r?}Un9YvYCnDhsRe>;+p(l1^BlaY_Td7!&|1rvR0wsIUT=UEA_Vll>c z7D;F<^fY4RI|x>VJNd2A#PX6v3%G;Kban)DoM@rS_p(2q37tdf0_9$C3j1I!*)0Cj z2kJs=OM}t%{I?9OQ2LYbGQ3+v$62_9`jCX(SdvLC$s>eN4%yLR5cv%`HEa|il4PB= z*N)q&*)OamjUbelD^Jd1^r~xq#gK<EFebcW1Sn%h&!or>(UEN5IP$4$R;sa#xh_ zCQ)GeLI4|&a(;-BBNSg%+8RNdeK+PmG-~U>_lKAF?>H}xw{=M@ii>to3gR1VnqNbPxCRO`2$5pPo-TS1=ff*LY( z`DA0Jemt0dpnLm2KE%9K z_`Zz&lL`*5^-mE%N&0R*AFC<`AwIrtus#OLr@p4fI>V;iBUY|0p~c+>GTqo2#Z)O( z9oxQ`M6Ngbq>DDuyrf-`yb9TB5{i=Oxy^(qA6S=)CAL7Q$3D1-%59QQpGlZ#vo}Xs zKKhDy$><7hO}yrbky=RV5vJ)@q?S1RfKy5UrT1C_c@cXF?1Ic7Nu#r4)F zn$i=JpJ1i- zl)dYhnyC=Co^REP9M`N3(^A&?-Vw|*Eb>90DRhpr;DTdXdEV1E)xa>ZEsZjX!K|;r zt>S$9kqpDkvCgn&TtTu9Ro-u+ny*nZI$>KD!MDQ6ah%dh!8W2RgiDNk}+^ z`QrmYXr5n%G&@D9iA3vowO<8NE{6+q7YcPYjPvD1Ce(P>9MZgWaQKhAkRKPh{DQ*? z?I+20$)6Z0$tnAiKlG3a0ts88SL1)4I93m!4sNhjbC);^gCn81_bnRrivvvW_n)4i zcc*qgFvy5%-!{@huRfHcwaamk8Hnrg>IgUPMr+r$#>a-fNCPGwXonmbYUIOpYp)eMrN{MH-~33^ndRvGUf!aBQlv3!cXVIn{!3aAt7iF{Jo$U zJf=4zJ{dR&9%)Nhax36Tv5X@ZVbmGYgXKAerBtl$c@W{2bpf{%UG>4sLHC=KX=cfpVXtn zD<|OgY4b!JoX+BAkL?m8 zrHZ69!##kAv`SqjtRVDk2z^n}wd4jj-`kK9e9@(k7qE$BSE@wUXCrO2Ezr|8A^A2N zm%FwKmSRsgYMV3ovx?DKIMTFHtW_!bVia2p1{;cM!`|AbAMKj%m}+Jj5+vp|&!uY~ zu+xktx<&3|MRh*Bt8D3p1sk*9sC9#hQR`{UbMU#4z(`^%`6bY)GVz0&{b4p59k=5v zScb;E0`6pN%~JbZ#7yc!oa)chM<(mvxMSP~ZG%thW{wm~>P@ML|!4Ye>z z`o}y9=s710aDlUpTVR#o$cvlaIaDz#`ZFRdI3CvtpFYJ)yXhm9*?wKWG9I{dFV5lp zEP!!(2S5r}g4k$>`J8$_}=bHf)26@tlj@ zAFB!-6`S8@FGjL2>aI|*m4o5PY}3+g*l8RU_viaHZ5s=^2x$#d%MS;|Zf4Xb{zi%q zm`y2@m%Ic%qN}nm)c^j;{})E?6(zX1E3fv|Tm{2ShX)dg|6t#v4&sahjJdDm>;im% zzPG~I^@5Zt+RaN5pO%@Z&y@}#b(Bz-u3GDc>Qd4r+F#}3|_LjU*&CB;t6>>t3(gT4j9evhW#`{^(%7+R0Yx(?b z_iymmJ63UG$h4a{;=x|sp)b0B`~Hf(RuGrr{3OS+5tx~#)Nb0&xli^ue{SMyjE zB8YB+@s`)uTOblSba=5>8$n@YE>HymH*fm$O>u(DEu4E9H1zg_q-yz~ADT%qCiIJU z{=lQEVYcHg@Lmrb)&!=B*l(RYx$Tb7JC8>)4ngFx)G<{A@MT5bgQ0Q>4>o3-b++_op80tTm znA`!??Yi_=<0o6vLs-8fa}b}<6JWOG6IqiH6=s1tBKu7s)dBZAc0o^aryox|(*W5F zxsQ50qxto^g;!Hu^VSjTSlWynY{@Bck*? zCk}gN?)YoxqqOmIWNaGLj;<<-g~NBNNspw@SC&^NJEb89zAFWX>w4M|XUo42O~j`( z1j8xP%tT<#M^t3>HMiCQ^R=_*>x(Zm&)dFgTLVa|8j?!M_#k;WbhPLjHo*w{o5dvj zeW1Y&x&ev;Z+ao>w7_iOr z9cUV@OEMqdz`-NpAvzQPJ!I5DYT>mSmhu~8+p9ggd_aql??9KD1KY;n=~-2kcdlr`%8dis>scQuN1h(0i|fLkWI2Z;`S0zTjs&Hk;h|3Eb)TWcwPymHB`u zsABxp-Q~cI$IoiDNJPQ9T5Q~aj(iX!{v2897%MvqS^4%SNZfKVCgHmQ(r1Bmn;>Ux zaj|2vx-6$RJADu0wA)6XoE;nKm8>wZ_8&UHzdey9bhuEw?MfHn@m^bb$rY-uc=;8| zu3Pd54|#SXQe5Ks30L^r(=Wx+^%IjAq>crt|6fR*i@%UMY+I-HVh9hYjQ>WuO#Q&1 z7@A{a%iR08!^_a6MF0=O)cHR7hpFTJKTI96arMhV#a$BKD9Q=2XP{_sHFx4wjD%B`CZi&8Q^y!fv;TU98Eg-6w`bR_2bjI->vVc8qvnXSGgQ1-> zudkRre4jjmk|`e7cSBa@zT`EP;QoQ%=!kN&w#W}n>Ih%7lWouV7{fe!ir|>2f~a%; z=N@E;&n3TS#{8Crvzpg_WU1+eg7U=$TnZS|c;`O$;UueA0qAr*%iviLu#P}5V-RUN zjJ{mgLqxKvAiDi3q#Gn*W`{cnA%7+bD;vm_u8^LAME_+$mK;(=NmY071J z=iTzs5`1)Nw1Lq>;Soq>mK>Hxdg+~GyJzJ6o>NZsz7$*n zU&~^_+tGix2|+0giYLWBTBdptbK);ezs5dF(?NoGg?=f+5@Z){g|`eZeA1M|d~Tip z(}D24mj$#-$$<1U$&cvt1l>yKO@Svdit|%4{M5MwK{X{=$c5spfgKqUx>VOadN>s3 zC_rR8Hyq~{c`8PPYS~|So+)c!eHW#qr@(HCRo~9DhTtul6Mao8i2x-LrdJ$?hLTc@_JZ)B^i4tYYEaUDS025>H3_XWw zwkuY>6H-@y`&q%tlpU$lbLb6<6ylk*)O zb-a%2x#ZG+xa2k-22zG6t6*4Soe#N0Z^=Yp!X@(PYMfi6sR!PK;nAd%Epxn1EGC;KUctoKKwNqACLk|H+@!q2)sxvj=2%ox~Eup zv?Oy`G3mAWzxILNbS!<6IbKY~76^jq-QXTfR`vNMhbX#Bo;p)D0!1y%c2J65+!udO zeBnSpilmJ60(atz_@OXNI#v`kf;2S%5BkcvAK%Z8r0jx_>*Uv2BGwkOqz+d!KtU)3 zefx%q(=n{3dhJf(U@wD698Txnxzyk{$p9QvQ{WM_aDbH{;NW;+du;s!p6ySC{jd(n zP(*}S9cf9faLB>P#;;#K2zd2`wkFYnJbG3!TI@9F8aF&)VE3+w0p?KBHl=blaE{lHuFUWbY99h2Ag z!d5NK-wKFWcT21;E=!0(QXk}`ij(^+}Si$#DIk0E@V&OMKDe8A+( zq`$TZ2Btn6#Ys#Cvy756ydVR~fW1h;1VU0aP}~3{Sw237U9zV&4WHfdpK#unS5cJY zQg(jGq}A}c4wsaB@m&7HT3ZI3-EQf2P&^T~-ihFLQApvFXJF|$1+FI$c>fISrX|hB z%q}oP#g3z$A7znVpOu$T|KKS7^TeK@2du>Y-@1X)0G3K%c_WXMcZum-9$)+@opF{a z$Cg>b6jw@~`y>5UjDv>H*lT7g??g#HpZN`u23x}Sn?V+ZlFr5C*#Z~Ng~u&X)y6Ta z>G!2eq}NV`M5mg1wD ztbHl@Exn@Kb9gQZ7z-^Y;}jRf$@Re(ui@O)d$Yd;GX3pOR;@q3F?4FlaT!xuEw3Lh zIq4z(!VW;Q^05NqPx4Npl?~oKUXzOP|HzIFRF}sspxf=PY8<=GX!)Hrp-zEqaz=jhw=LrRIB?To*4lplul7{!0q>m%MN zBUK_#k&+Bzn>&2%`wew-HqqayzkMUy>=(8G^MENz1OThqs1K&u_qN`>l9`;817qjZ18|9Y&(;SMc+e)$;_KONwZ%aDjrG6ND0dx`$b?>)}lw_{x z{L9nQ?1dM4gC`1RjJ06VTF{oPAeP`v&`a>=H@?(UHT81^?Ai16dH%o=|1S4p?iMx# zdDPFKz3Aas*L4l`z|p_v`nXo}`+$>C|7)@C|6&2$n>vXbCpHULxZt^A{27o3g5F#T z8p5yQNEeYP%o^LqmYn?r!~7`O zB*)}hXy;W*hI|PAI=z6hC|kSrY3Gc=q0&`z2(07Iy#F>2&%>{;#S(S7@-z1d&$vcM zh}WeKQ}cQ2w73(f6sL4WZl=v=#SJjQa#v0A_;I%Jrxk=Jt#)yewypP=J_{~CUd}&u zdix7(Pp1A7@bfEq^titu)3Q^*N%rY4A+N)g58vv|hy17v-k+V1t-ZZH4()h*u6f16 z@2!hJpcbxvXl$N$g8LnOJ#D>)V51tp$0dFu6_WP^cRA2Jzaw-R0oJN^cHbT5N!~J>ncu&s z;h48^Py;?9kUI>1W-eLwe}Td#0Vs?T0}8u%_6HPZO*kpGjt!XjD7${@t#?gH5BEiE zqKH#}a%frp$VxsY6C5vh+lPsi0qMjyBM&80{u#Cl!9ypZyKL^ZjLC z=#OSIN6HyAI)Wde9D8YSeu6_>TL19Hl8E2tlvJeDZ{KeFqp%9S$ganp9`@ulC!(-uT=Sl82 z(83Nd;wE9D8#miK#4D>B)G;lLPX-*0hl(@~yqL=OiBYgB$XW!kjL!;|8^yq|=7w=B zP7!Pe;oz~6egW3!1&3#t=KdUPl1V$&XR31JeV;@@uJ69aD#q{mV$M3E?rZa6cy;pv zmx=$cJxixkw|fuC_Ukxr;Bq^@y{}Qc>n|IFS=+mF`SO7td9&Fjy`4mN1r)%H56TI> zc3!8KIQq<2P<4+NM9|;HSPuO6@BM+lOsnEJ8LYc_>=jhKd2^q6b z6#a9LAy8iVeJI!+toBB!SuQ+7Ck6a}@a+S97VjXB($7oLzzaZBT0|d!JY~=`+0oGI zz^><*;o}|zLcMtROwQta;r?ZO)U z&p-FgOzT4(S(maU&!WzJJGAmPz;5$1-RV9_B3!0ToS-Hx&PJ`{^wvC|YaYk%AM^{B zO?{J@G1|y_nwtwg|48?r-U+phBToon-T`uR&)C3XBt1-;IQu4R!vP3IOxwnMTQJNo z@T%zoDK93f;=carr{`d`Vn)mF%gbjT)y;t`4qpL;G^_-S)nZDnhX~s zI&V18E%g^)h3hu~V(D4^T*Y%OWG0bGBL}le9AN@pB|gQoa{XxMe3C{EzrX|F>(snH zG8cTyxc>QoJIK?-M>CPO#yzQ62i#N5@zuwB!B645ofNKv-`<-qR}qK9OtSB1<{a08 zyKF`8$1VMh7YQ@F%@UXyH(gF{??2DD?_lRb0ipC=jz30L^Rgb0dDp{Q7$%5&rYe4v zy~1YAJx1oQ=!4#NQ?=9Pmh!i8h4&+*zgW%vb`0!chom9hT|Wb>hmBwh>R_8(dI3IvbooMJ@&~Wg{%G-auw_n* zMQXsiA|X7Fssozxz%hDPSd|+}Z!nD6w{F+Npx^QeNc$kS;R0k4FW!6RBFO8jSXSvH0mHRL}Fd@=q zz6&mSHd2~15{egK^D}a0Mjs1%t0D0;ZJ88 zKJ=JYe5KI;X0=V;XR{*>jz4NRvm{ZGbp84o0BmT?IR_r1$MStq;*q_A{=o0%KtgEg zy^)%N?Mgge)>gbPK5U^a6(aQ8vx5q>=L6HAcuO19M9$0)Hm2pMzRkx&iA(&7(ZNdI z;$gXWU?RajWZ>!7at<;G;D+ zHKqIbDw2zqzF&nusbxtO3D2kvJF#^nCm41%p1ylojAx>qI#&UTck5Y(gVsebdf202 zS0HucoS59)h|BsCN!6)JarKCkTMRgc%(W}N>RdeqkP`LOoJj_d@!V+-3(!#%Dw1b# zTWeL%cNkgze7>(|eFT(?`!#+Ma)cXs8!s4B4NG zMdRH%aPz;Xsy+M!%5IT1TApE0qgHyJ(6}#HHuR0LdfM>?#>*ukDiQrp3Oc4W6qkD$ z*ckKeS~>hoUh-6CZj~$YDccuP;Ite|d>60f)3-v`rQ{<+?;L;G=|w`^Mcj2wD&it4 zNVA6dn)n7nWvhO1V(LkZ=sJ5T;9973xAqMvS)%F_i5P6u*V7m8_KA585r3=9z+m~= z#%t^27X4i5B(z;8kSE4jEV4JezPn6`@svW{!&FmEE=B zZiczLtjAaT+24AiaT&8GU%)QY_W1I4K4;vpOnyEx2~X-I!o6S2*89>c%jPL>j9Xpj zA_-XZ!=ZtdNgwGI|JxCEK96E1TR0iNcZc>@Y@}ix?d9I3^Zgb9!_lG}*s1a1g!JSV zzqTA)_F9hyVR6RS*I)X3-X!1^4LsNkh`>Kg%D5qqzb+0JPsnCeP;H_sx9HZL+y{2o z3Fr7Usyhi|35NV|Ur_`ZSMlLp5>mCs3RWfGQJi1ELzc)jHlS?w)inS_nj*l0bvcDp zQ^+J66|Ou)k%@&JS^p4tO*$4BuN@}kaJf|D%2VNTCfa!&4NbdLIMuUF&Tg2(_t6Kpsjat(_3e_;6EE`vB(- zt90sl3sE=yF&F>o-v+JSXuH=n>B|Q>H zfX!4qM+j&gh(mS)*6R~;VvBowlKJk5JTps(Iq$|*B z#qDM*Wm0wV{tL+Eqi<3hV``S$=e*aY7c4S7j&jHZOadM)NAjO z?vR(CrI2@DQP5q#aqY#`sk>1qr4T`f;DshTor@kg49kg^=%Tr6(*)#vireWIh@C~ z*;}(Yb?KeQ4mB|lGP7#dd>OE^ilO~xmkRi&To@kYMHYj<;@Y#pa+HJlNy5#GkA;ZW zICgP7w`Iwb(*~hUFVpxlT*mB$l`SvkG<{63+rnQa^75iQPONd9d(q}3r*l)!q}v8` zrYE@B1h%&#j=8VdR^*jtEBtWb7*)8(x^_O8?nX44+Tq-Vr^AD?mQayQgHO{a%lkCA zQw8nB!tY^(nqs|iLMLT;I=kQy8>RNHX#N=jcMHQ`t0jv)-ve7-&r&1aDG<#G5}LwR zEo=?l<3501hAb0L9>SmU-8GgfUcXTMpk+;$qQ<%>{52Q93aEj#TpmLUd=R-GO}R-7 zr*|`=pd@{aq-tJAqoUm+v6koER6_dYAaudawzVM^S_3U$d+Q6{?PMl5uq}1cfTis; zso7Yr?y1pcj_*qGDMt`H_S?)t>H)y9D3 zjxC*}N?9<@PE`~+cwl{sc-I&G1Mpzky4exhkiHi7lWKc|tKk(gFv|=haa)Vh99MN) zGX?y3Xs-@y#5lu8!WVEol1GWqL7XJ|>5q)nvA2aQ`nPa>;aIS2_)7*+EzY1j4S+aW z5*4hJgl!jsvEM=%qKlKc&g3YP9#G^k_Q_U-l4H+vu&<`Z-ha*7%zBNxMuNpctwU?T zA10hjFs=sEUlm}e{K(%p#x<)q{)%gvAXhRZ%X;eI%re!X5PWJ?xuoMEez_pntC)xL zge!CuM65;`o$i+!|Mj)4k8eNj6jQW$QrP>%-7MM3TJfqa7r_Y)HuP5KEDI_p3bEO+ ztc2k6{bp|=wo|Dpp04@OQ46tlM#Iu-e%yK}5wR?xH0fl0n#_EPnIA=3#XD9m52(<2 z=(m7m6i#Y#dD`6WnPt1;J8{=dQFk9r@h&{`A?c9gpRH5Na_ev0sW3D5=(mmkkD0sj ztB1JAPL%^%$Ns**D4IuqQ#1wQ@+kjJ(d_#lil(%{muL({bK^takz}AGIP0;KDs?L4 z_m6~}AbY?HS1l*qz#8XeiFlM#Us&r}Xav$r>eLG4{BLtbb&s{L^6lg;!Mm`Go5WO6 zp~CcGGZ<)y{H`Q-Y?8L`APZDJanU!UmNHZh@)w6i-m(*k zWRdyrljFVLq-dA3lc+Z8h*^!`kg;vZXZ?}xtR%Uz)1jdaW+nn)9%Ju?cG6~j)!A}s zYCRR(F+p(p0$TpE+Wz;C^(lMUjB%y|fQd!1)Dhbly!)N*E;uS=yVT&hShvKUzO&(^ z^aQ_ddK%#W^5CNSCaYIv7GKHFy+Ts)Ulr3At39{5H$KA$VLIDMLBC4xf?W@H;)CI_ zC(SWM&?Z&%t*<@$2}K@3^QnTWL)G=5gzFSXb*0@)2}}yN&4QZ+W$-0P-ZFZ~>2lsM z_|EuDPODnM)zwf-*@_pFXjw45iDa85a+?(1Nuf>Z-(HutBCs()*&Co9@cRRhDoXz* z`}nkdrz*mhyA{M5sv*k8Z=lGXOM3$kp1^`UBOyIWQXNi?a!K&ux+G>;EpTv?lF>*7ae$4mNx@jyNXrENMGUzj1=L{_6#nq{xWzx4> z0I>jxn~BXwnpOj^Br$l@0{~oYFPGDSZR|v|5Uq>ZjM?iFM(#G(}FS*IxD$ zTzF;8jK70dqc#H0H}{6thP6?J_CuB5UB1*OydoN0dkWFW=w;dlTL5{5oQ|yJOnE%L zVPlWtZ`z76#tf$uyrPNg2z80H+2TEVl)N|HpDryzI~1>VG3OXFIXn7bf0*5=e(+?= z)?3B^5v>@V_->*eQ&A$}_nw{BcIPvAiDJD&yAFrfetqZfcj(6bBc(FXO`+xckM?9& zklLkd{&oBq3rTl8N2bl1L?0RglTihzH4b0-YaZ+hxZ?K~P*1{~{P)bPwk-UG0 z!G84s`pBH&0C-G<302e_%2OTRT%3~=g{D>HYw~d{;>Uya00#OPQrO4aM?oxXuH)-A z8qduQJnM=~smylO6_rEkdJGH2P}-QX1Gky-bp1b+y>(R7-}?41hysGZ&`1v@EfNC4 zP(z8*B_K!%2&iE{38WNBH7ejIX|Z^;@d>en*X32pF|)N14`nxl6Gjq6RX6ZMONyGJHe_M zGX1ZfAD@-?3J;6l_xP?_v?kLupc>|GSKohJR%?a(@|Q;OSJ~@pkEiYK4?mlDuLW`r zGRg2PwYQLHxM2dAz|?AF-}O_V+U`yBTcVxE1Ib8w#UYA15?miZu7{MyE-`nQ@x0#lvPhpJNSL$e2Hy7{1O5FtFx$Hn3xWD$Y^Z%mEwcF;P% zEXlGs>b-S`4m22HRcc^|8V*n^Bg2B@h)-qfF?0^~>7EuopHwPHLbv#7O4x0vRLCKE zveEy-#>T*)UIyM{q$Wp|GZncp-Nf&nq2o0Q{74FkY=j-~tRG5bHe8|7h!!Yr=!r(r zEMc|aRZ^IUOghDzP7sQI@5shz=A6m^H#RsY=8ghUNB`2D0qUIdhR3?T2b1P)-VkJW zs8fHa!%9~ujJFavm}*ayEn@mLE4c=gF3Npq>bCuG@l4QZg46zjFYOiq;WCk6Z^P`$+QsR6Z1sx$qOQg zdJR5Ts1HE+JxcU<4^XM0Fm{)N22!^jWt8H{Jec}ZwRxsazM#k{<`3MT-99QIMeT7p z0u{=W6QGvK)GV(xSQo0a?te8i~^pv&Uzr=;FOP)zeO(dH_H7z1|jcPq~M zw@JM79&v-m+?kwQ%#_#maLkpAId5ui0h#*S;-AvKJU0v#ZA*sJmgC3{3fXHwbO+TF zuQV;;mjDjGnf;EG12pArr#Gqgc4(~9AZG99;1BYuOaze{iDy|ilnZ%8JUTu#A*ee} zVm&?Be}1fQy}^wG%OuH>S2*oa^L?|6{D|jZu%}@F*2&biRqSs6jBE4nVx#!GKhrb^ z1G#?UOkmO~Ua8FjnZ+WI$8=|dAhv4tX>4bp5!=pw={mv*DJL6Y8aFM{@3VqvYH47U zKk%n=nNqnCu9gE|<>w{sTm}VY+6}mHWfl5)mEhr?Z8}R!wQ8|rQl!Ns5I>O{C}?$(u@~h zBEUlV(J?dipZA)7K_h_nkqG;-e1pUAWvMa@$u_*{f1ee3%jZNbO>RA_Lv<}O>`M@@ zPiOl}PyVA0)7QB{{N~koKB!Wmq_wV4x=2W9QXn0PVgdmp(BvWCn7H;b>O`F%bbNY~ zxrOLTL4+?S-z?ol{9rxFo(SOI*D9&g&{0iMr-x>dtC4Yt#4B2-*74mCL3E-LiD)~z z&8f_98^3thrQz+|K6Xuyu9L03MYXnlKwfN*dQ&ju_VuRaSYiROt_(^I?@p3|jiolD zh^5}I{avDG%{RmNSrkxjI)N%Z9~a7yC)VxM4FogP3R_qx=%))we6c8--r8iDK#+V=TK1$F?obp*I>*myc+kW zt#h@vgP#l8b$ov?%?4e*Oed+>Ejhg_I{4#7Gcfh)<3DQW+uH$M_9Cdt7pJ)NRUt9Q zye*CiO%J>(t@~A=x;}QF`mp&*d)3^&UOL~*Ry(hpD;P8ww0Uw`neILxD};xra7-~4 zQ;ykrHGTU~T2`iK3@J}F2X=5*?Ty#%O5@60>XdBd*KrpUi{%k`tYVe?$Nd+MZ*Wt{ z0vRVti!YWP@{?eR5xxhxjPEzp>9;Yc4s&knii>s**syuA&abPI$9Q->aius;0eIa< z0WP}Xfl39utjrp_M)r!B$vixyGb!8?6O2K8ubXw&P}>cO7JVP)ZaD$k1m97OLp_3p zUDr~aN5GAR;!`LCslGydQ&_OKt5txVwFb}+>#2fZ-`TlG|eo&(}i4kBA z1>@C^-tHQPSy4Fo3q8{LY~&uY4Rl7ziBh>v@2Y$*2RhyO=6RuKKb@{ro`MGA7R6`K z9SG>1^+E$i6P3H|8EQ7a%=aI48Sj+GGiXPtk1#HzKYUO-YK`}I_G_+IBR|A%kCpGU zU|jI${-RsYp1z>9LX$W6vYz~ za-0dgG7{dkSBSirAFOFClM5V%r+e>p9=a<-hafR9UJ+8XV@6l^zIh<|h0vNrKFHgo zUQdbm&i1bG`G-Il49|7ayg;=2mK6-0)}8BM&}p40=t}$ZJN0KxaN|$o5EC$c1Siuo z;>~jByEFW=wKqhdg_LCd8q~)Oday57ZzIgn0q*adxR)dK( zdW2J^ZOqx_bSE+&Sfs?gd*uEHe7l9xhhDOvZ>#>%bZ{Vlcy>uHZrXCZm=K=#-VX^p zIy0cYgZs(I$>ZYiUfZ#%1n*70k7KbFzvsRj+_mtUcJhUxT%RoMXA;cV*F5H@<(^h# z;&`;16OlZpeVX$o#n^v%t%Gfu0U=xZrwSv^zJaaqC5W@p`h_lYM4i^s_iA}416V>M zl}|WRKCS^=xt#p$3}S+Q)p&p39Z}&A#<=W%bTtx+t823%w}FXgvE1*%*1D!fAoE@s zhvWChR@b=LplIE6Am6tv#!kG>ei3&@q0B%cWDJH!2Oe4CPam5S$Z%CL&z5MH{^U39 zTjl*Udv}EebNbx+1y(P-B@m&Pz;*l;s1>IQUynr=W#@%)7D2C4+@7=F9YqsWR-6VfhehE6gPcur zOj#_L#1m?9XY2A^%jO6??W4I-*5cSE^4uRHza>Yv?zK)Bk_uB4yXWRsMOvu*}~b4(i<4zzL{FNRHoD~*4{-5aSeZ5vUKLxkQfzw9`w!eB{Gm=m_9921JAV!Pks zkISc!xnh(kqF}`IHq|AMtR8EGZ6f=zJQW@;32|&3i=s$(AZ7xL$w^A!8kKq8%QpX_ ziXYVI$5`WMlf8+IG5uV>B|s`>RPj@JGfmhh*R$4qJ9!D6X{d={)pebLLU>Ojv4eS8 zJv)qJ-$goW(lYsp=R@?69Pv#MQ)e;)Ru1&JW)c3~C)_z4I*HEnhj_4!pywg8FY)%x zX*(~;``?|#Ja|bGh{>0@SNdIl1?G+n<7mY+=aV$se}Rha0oq;UyK*~AYB$eQWf#8M zYkW66m?y(ub*;U#MF_Dlpd!B?^>v&z@_a26El?fo`vC6zAC|nbU4IDS*4P16a>TfMTuH5p&Xk)z?3Fcq>JmzL;Us9+LMZN;sK zCLgF})`iO(Dpz+ukh!}?$2#_qdiZr}1z+Al_1>s{lX}$XT@&d*6jmKx6X{_knLAn^ zMjSQTtF|9YUwRteb1OmW`2FBHq(hFwG*X{r&zdH;BZ(#EeOfhM(=A2C%T#2gJ8P8D z^`ftsB1;E47jK?<(<=Qe;=qvv9$I=|=o=$9Qkbl^orkcgOl}w+VYwosn}~ zuvy2K{qmq(X&`kF`6ur5 z*@$JZiqJfMzt84FF;ODQ@*RX+rYPuR)`Zz4U;3a3vu{1=5r|JfEm)8|T)LGiXu&%T z%-waN%=wb%yKS7a;0U1sHTtKqKd^s*0?**et)!>3xPM0`17tK-yWB}^CD}z<`cVX& zd;~oJcH}6CD?tO&z-5I^U4t3L%ys|)cGxbUEvWj`b}Zkjgw<{?U8_SF0cj!-og%z| z61yPnTX6Eig6cI`F}93m(3UgsT8CmJ`BRA(xm;jKgfkJhGbs~zoz0u-u|=G-FA&KJ zE9v$ZOE{WHFZ)}3)eVdl{7Tv2g#8TlvBxSo?Wr1{61i92Fz(5!Q9WbKed6t=nPoFhYO4dBu_NM)Q<66WAxagcCYp9 z(2=!_NeMNk;nIrM8)+dx7|Vpg%@@69nV|y!dN`?PQwIktaqY)d4}ZzyE46Qmf)RSp z(m!Nx{aJ>iRVW-!$r)OgCu{>k9g(wg+zUaQC*rlw@3vt9JU)PPgWW{mf}CSVZ{ zu%AK`J^jGHp$28}C@So%t;d@W`<6P$j>BJ^^dNlDdZVNkTwCyf-P0y$@e4-JXP>r~ z&NVNOX}^`ro@z$A&ZHr_E*y5h;)a6VL;MG~+pL3P7LpUbgNbPH`7InV!#Vu$m7M>t_R88ViBxcFK?BMlUszf89u z{zvES-+r@>6L7MVWcTPy7Pw=UaXArJn@D(n4-vWDDARBtOz*UI@;b~F?=Yi-k%E3g zyxG0O9%lMdBC};N(FtmRNub>Tqgj4@>qVch*-)t*0rb#=F+IY)yKV+>UXPXXdK=Zf z4uISJI{TcAH|K%08J_f`4EF;FWh>T|hsGjlxr)}qqg)IG3Izm=Uu=LPLCB!r#5G)o zj*n6{Qx5II93CXP5tc2w?!4IZULT<4WJ?HwZoV!@X0b5ZY8cm4EgA{rv4nV6e=mIS zGn1`WrQM!G5%s1IELFJg>)QgnJ@kH``Hfuqccu+S*7PpyPI^TQh3tO6JU3j#Ey$pl zi{>|FYnbGk%X~-3NGU>HTl;WUSNh5xISzGDF$IQY&2np*$vBG{;~dck+yPqiScT~O zzv?>0;4H?XQ0=MLcxZmmuf~qRYz~wO$Q=u zXDq_p+jDa8m+#+sXBtAI$<~Tt$siEPYfHg=iQ4ez=7fd_QL%w~wJ$zpOQ5l^Z9#-j zcK4Z}X~v&scD_4UVrn=NTVQGUu`;fP?&hR=VL>}F*(LA{>3Q%sjh^|32Q;kv0)Zl4 z`kjI|M!t;OO=rKNimiGIml<`!-19ClSADK5n;WqeO!4cU1Hg~4aZ05e2n6n#WR)b| zB%REK{=BThK67v5B$%dTtOLkjzarKMh#C~UeADnb+qqi8DfA|75*|UCQ|6(Yyu=;? zA>BOX+O^IGrnC*>A(P_1U{~ksRI`K)IQ5slh zS2y0rF|B0$PT2Ov|h3KJhkt?hBL0bzr%p8>^}jq3U5^3N#9k=sSgSokX&PCF0TtINoDB7HxW*IFqTUQSs6I5- zHXE#Wu6%de-l|wBq-spR7gfyQ#L9<)*o9rwd$133X$>%>;yYy+Qn7;pTtL){Aw0e- zk-j!Opwv56&4yWBhxvLaWpFJEM;B&`<0|V75GWQN^H&tF2G*%rU6qm@6ao z)1nD*2e?1?v{RWtshs$V6`iTkJ{xhX*ix?w?7VVC-8b$uhij@=wSGCbZZh7l)}2rQ z!k=^J8k|2UUl=;~#Np>;-x6ijcK6V@9{!BC$0$R7dE=$RNx#dz5CLMzX}Q6khW&5! zBJ;};i-MWPO%o{;D99LIn7{V>`c{)mM-@p9+qIy{2W|f}9IS}}%7#3Bs zab@DiMPnLm+o(6`rOL!&%duvK6~8|JWN&@T_3`lT?d+`0S#XD#*;{@u%J2KQ4V0#& zMWN4~wEJz?Nw6@S1tFXsNEM5_dQViiBZ*yjE5R~QF^fQ`nNiw_@v7pSjZAE++?q*_ z>QQ((Ow0PkkRoIs_(YOYYHT}6XVJ172-nElyc2uC?)FH$p12!JAdqU>?&n)Fm#;Wx zILm|LK{veqG>>m9UVEzxt-9V0v8Q-Dvo~@UDLAk$^ZIJRxSok5CY0j_Xehe9m|NEp zMghdV^3Oz4DC4qncN88gsgkYyV$;eg3n08E&0XNx#n1u8CP?8hp{VT(-0&j{aHG4U}_BKKF`eKApb@|#Z zEB9mOmE|=pO!l{(c>pyEkI&Z+@B`}6V2i7=w7%dV&)`K1*1VUaTW}+qL70HK$i{uv zPb(fxo5dyh^KyXBsQ??xEk8@X;d>sPnx@?YloAPFLu>wVR}>N>lr&}pQi<`<_Wv@1?DNUD-^>jC$X)N2E&d_WP?dZ4CZ!W*z z=}j(&re+Zl5XwLARpvWIKH!u(IzS~hn<+7dzR4O4^Qh`lMTZSGkZd^73kcmiS0VUX z^1$JBn(ga{s!Qu629z9)Es2aUy4XqQMe|S0RR!|oidP^e_0A3}xpegz)O#8{dl5`s z)c<5XXQGi^DKAJ?-phwdmTr;D!FuD?k~1BL&7^E4C_%QjiX&8R?D1!Rj6<)4;IrGD z&%LGuKVIo??_9n=ZuP#pcGGE4*vd0bPmice09#8CJ64lva`(eRhcN#MGjy3Xy~y%X z+ii*M=ew6psd%!}1|OT(6kYzn&vvn2VdjVw(e6`H!Z+qWYG34hrfL6z0q#KV&7^W$ zd;n(ydnttU2}f%UGe@FFVbgU;z^1!T&-!q#7MqkElaGc?SgFgIp>}rs*?BK_x!swE z$q_8;4aG6BI}h+(*{_vc#pUvLc!d5|F$e6W4Qj7@F>-xGw*&!G+yO`G`{+YXg@T{$ z%**DB5$!2e z@9tRU8a3KI#+gwlM(Z){_$8ecv?Pk>ytcoU7C%yL{{qTr%|rdmtGKw$kkd0MsQ}*Q znUjGPzju2-THRdzVC4mHFwQCZ$HvdKU-QxnqnKq-t^HdO&L;?B=b>A;SY{Y5T*5f3 z)qzwj8YYg45-k{%ky;aU82BnR(#Loo$5^wnT(mt_vc7^XdR6lqBvg~fAzKu%Qckqn z<4v~MO&_8-ivB>IQQr3d33VnC{s+{Vjrpn0FgBtMo8(c#HE0?EA+HgYVXgS!_F<=j ze@{}K(e0E}Xz`*VVZZ|hbna-%9$CCY=Mb2^t}x@8)8TpI-2ZXAcQD25jw<6_#vCUD z9LAM`a=J*TW%QB_OLM37T4Yx%im{!)t>u5yQ?{9}6#da;c4GX*qCjdswCi=MJL7CSKxv z4#2ejrKiOHuDdftgMH31r*CK8wSM?ef(gkiPfELn5Pg7D4fARjYk)eWwelLCN1XDsi{|D<_5m+|LqV4juHH3o9{QP=MhQd1+R05pcL zeR;Z<+)M`uR}}_(kf0lHwfh=@Csk`)-Fe3D<0DbPgk4uXHiOPN`w>w4a|VI`3oShN zg1-QF|JhHa8Sx%Mk(I*R5vZZ>)&B$p>;4-c*qi&m0l{mpQWH$h+0o|QjAl&zox6(N z*leJ39P4p9bcncD&SW`F235Bu?!X9n-8)n10^pI@Gx z(@W;@77PNxcQu8F=Gbl*NHwIrym)zW0SjVF(uZPTtu?EKrf;=)Ksu!sp(jVi0LUtN zDc+3L;QiOf)zf15Q&PxIiG$-366GqGO>%pD`~WR55>BY+olO}*8$$I~sf`ArZpq?ahxXYLd|33O@E*K-P#(j!hS&DRszAYts8|I0=-Mm_s zR!z5MT5bIS;g-sclxO`<3|K(XjR4Rl3~?F|sY)y~u{ctXRo6GTsE@&On zG7mTiuYe;Y6cghJ*ac0dcR}W4DDbp#V*-eZ9vGWvg$#g-uoX~|Nhkrjt^x$n245V{ zOA*qER)lnqD&WpndDv37IJb+D-+EX zdiu6`pt9e5Sg|X6w(_0b!V>{MZ%e8#QBB_?iRL9jy@fK(jJ?H4v9&2Wo(ep?V^Yoj zA$WBS+_}HW%T&8Zaf)~z(p01KdWj(@`E@SktzyR9coiN;x;|ZyuN-`!Or_cX>`hQNB z3Td!v_b@k6P0PwSIXi$#^ptI=d4bbxpQgAP!j6EY{?7{#cfDu?NY zxidR^lzr`-fzIIYUj$UCOevAbKLpgwKKLVCzc+=&75bDI0;;U|L`usrQcRJ0g4(AO z;tc&*`6?<-j*7<2AVVsHT|+e>TGMwjVo0}|B?f5<8WAwN)Oe&do!7Z2$ri~EytiMr z!m`hAwPpB5a~yHu`e!&e(~+Pk&nB8LT{gO4A=4v|FfRxD^nm4GU-ibqz;5Y+Npb(< zsr_%Bcp-5B5USZuuPtQ*IxIEw^F_k20#;u#bGqF`_-w?Fv1G{x7CYeAyB8Cf;S_eF zT#Zz*`LM2NG-X3**pbV-mzPqoD#zWVy_N6Xo0%y{d{FN*tR_&Y?&FD+BvL|GKPIP(xEiH~Tly?Z~`+^Et;6$bY_v_Y*61uKT8+l_Nj zQmLbBu6skaDj*)JYm+J#ef7wk(WtnyyV2dz-tEW~Hin2sz;sNmQmp>}2*VtS`@7>? zoeF!`&rE<1;l6|vfHAxZTVQr*v3YHh2N-d5ya&7CLPTM=cbo{^ntPjB&U=}ubPQR5boN^C>J~LWh?fKQNq>q za}Yc3aXI^G8`e`2PMOp-0!?M|;Y~8CDi{=PQ7*XV$TxKDjkLOi-TOAm`|!&3J_XNC zA=QYOy{B#UW+Pl~47B$<5m6+e)M?zlTkNzt`%4Y~%`s#}J~4wD!*lzSd{%x^XiubS>agXo%g`UI$OW2q~=GB0EK|?u#YVBYd{fn_Tj4MSnMJiX> z{F>|C}Pqe_6v#JStNPw|JlUC;@ z<9`A6QpkP&LD*xj&u3?BQ@diO!dNk+g&$3z_^wOmp+S%c;~>_rK1!4G?yv<8lY?bT zK2Rj?b&C|=f*B|Z-tX5j2W&GbpYN&+2%lEd?~^7_Qj|g}f+}vk3e?7yE$IV)y^R*$ z#7yu4M*{x#CE*5s^iSr5C*Bg1Zz%&ff?KF$7kIxi%l-%7Ev!S#^As(5guL7Ff+h4I zT<+bPUZyVY9g7{ zw&aoFZlEfZ?Knr)xJPXe%U;|w65gKQk=4dWH9!$_t;+fwCt6xPGN*Y@Ifl_^WpD}Z zatkorh|owDFLZq7Y_A%3&r((wuEu2=T+t{E zCi|~FQ=JxbQN8~D>fc^eb#d5r+P(O$zlSnNK1T9l7$9_Sc^hy38Z>k;=ndep~sVe?#S0Gr3TpU*CK>IiyEqfG*)( zjbP_&UiBvqHN)p#u~O|oE9!`8j9{LJ5DjmnZhZc@Y+eEHk!Ac@kAl;(5!B0n#u$`DZqs-F_4@-5X_ynnBn-<0(PfD8XJH*N+G6J; z_hxmM+s$hC%1LYjXi`ZL@ge54(Jn;^c62UBvl8g30i-acU&p}VIwG*y&g@g1iI2g# z=z@VMx0LgV?Tg-A2RpHfueu&%y(S{ni0LpZ#thrC4u>fa8rf5v6C7UMDa-m$Rcy=( zIf73&FrLi+IR}QTMs>x@jJx^DS3R)}f~PBbcISX?7VxwyoA!p}TKh6nGkk6GHivmQ zhvemQu6)_9x3(TH`Wg`w=t-pD56M@UA~ zo}j94dfP|MOAMfMVq$q^y~y1v>CD_&LXpI6I)S`CI9i(#-p^jVfoZD0x_8itywZ$2b#| z*(V2wM8$mzLYcvaL`M3YlWII(*U5M-&whT8*Vmodl^e5+ejEzlXP?_b`6JwV{C-FL z|2cDGYekU%Vgda1Q!2#8I+0>Lo9uE$3}?i2&BW)l3crSP1Zd%CDDf`s#tePs06f8@ ztJ#(hVbC&xkgT;>De<_tAya;t%(X$EgsYciVqrz-Y%Sl7j$F-$9kS);Ct<&X8BE|X zwCLq}qKb#LaDJV}IMW7a((0f-=kV(XVrq_Nd;T0G;@Z^!xF-Jd(YEPR?#(w0I2G4{w%sH3!jWVGTLr(vc{PVV{{0sb^4o)#03*~l5Q=Y z^qyF_)2{H@KV6!{k*578Nk@g`5=G&`g)UT3qo39q}D%D+gPmNtO)LNt3Ki`SHpV?HSwcNH=vBpMfq|GM7-?JtyHJCXQXW~$?WOU>~xUu*! zj6dH4uCu3QG=(guMjDv*eI7FJ(uiyWG_EBhs86&U4Dc2W+0}KNE62Fa|;f}eqyODngX?& zhG#i7-Hf#8?7n^TJ~1>~yOr%U8<^#$YiNG{e>urE<-zpP6Xh)Q*JTZWJ(ljlc3&O5BD(8+AT6G$3(#aXe?1xg2OCZ>){?5fuS?0 z`=fs$gouw2W<`noFvNh37(&^2CE~~Rf{3Qoh|*O=4DxAU`QDoC(+}nvS<&=@xL7d{ z;zyyvG6$2&qJv#ydOZCqD4YuEp2N@5?FztKfNcz`l8fms6D`x9yd%YjQ+v`w*|^sS z`xMp|MG#}`TV-l=Pac*5_%gnB5NA-}N5LEV)b&6AOL3Y{gp=X9S@a5^^Kfh1=D;kV zl~8c~%ZtsFOe<5Ie0iMCNE$K*zjM?bAa4l)m(uDLQcU#NE|_J9Bk!>j#}A zGmAPr>&HB+e6#By2x8lK1#WKnYiNLvA$|6?X#BUW-MyS`b`0G3Z@G2gG)}n-tb@*A zocyQqY9g0lGpLi>4JL6$^2?OTiFPTtR^xdF>E=le&`hKpq^T(K?Lj?^4yyX>0kp%j z|7s)LV?l{i#Qb0pzT!Y(SV`T+pX~k6r*p%W0bRcer#nRe7Ng&-+xxg*iytt^MdZs1 zbuOpgS&MWa@;A`l62Xzg?%o?Vvn;P`eZFBSC!$-Y3hS4COXTb_iwjgX26eze+XlcIw-f+IkW?7KKI;S;&pyzh8X>#8 zEqyPHeW_LeaFf{Sn}DK*q)uAQKS7HdA3LnYn4HEYk_!6ElMj)?tEywkqZlO<%d_F}&KEQl}dU5M~B@RPtgK+`Kn5#igCc zScM@SV>#7Kjuj+Nt{8MyaD)Uo@#yU_e9{wlq!5yEwH&55Ppdv+R#)C(N|)EC4jeQ-PcxBki#ejLn5 zQksGr=gk0!(-~`91;fFcxOA_iG1!#WF4$2e+;{S6;7!j-XHRgUJVT%&CxPfC{wixC zus=8ZSQ)Ac;*B{lR-cW0xdGV$ItHcjgDaN+v~t7ydt6Z};y94;oar2}e~3VO#|sI9 z(Y%5jDPw>}z(`hvpE&~*8IG~Lnk~EmTua0NE>kedrFN5$<}Rxdc++g^Hr*!0*3#n5 zWcIAtOwOh!uoZu_S_SRs^?(;GU1>*rC&u-8(>yU~A7erngpzKWQjfe3vaKH1HN57V z%%nY)_xXiiM3_4x)TqmCICMC_F$25}Z~yr=e1}UgPc(l2e+pWZ+Gm)jrKn<%pr<_c zRWc`YKVpF$g@mVZG{WN;${;>OVOuuu3)H-cP$|@b1$pO_%jnAZX736aL||;D?~5)m zTXj{tu>u{Qt@cXU0?~DHIVW?vuO?z*ifS(o5RP$-%+bzO%2(4bWnzn4ErdOI^&R%Z zp6@No#n?OSVauX$Ser&VUTpr9VAOipDS8D$FB?HL9IOuVojC4yGW9!Drr>&(DxxYi zd=G6B1$X+0=AYGu^WV4Y9t1so6helR3*oM15*8|2Y4gOr$e*XG8#;Qb+1OM>9?+yj z__6_|0L7O$o^`T0!ss9Y+>4j1ydBen*vdmol) zXTRXnLAZOsyWP6z-HbF-5y>oCjl|$Qd=HRkF<#CXR3ZKtNS>Ktx~+#M`T~^uZGc>t zxJN<;oqcOtmde!@4MNhTd4TucunjEoIevHphQ_rBSRA$=;+Q}S$*gk6i$?$!^;;(yU)B&!Lr&bwtGxYq|Fn754^M$`bOd#P93|~UQ==LGS z)ptgUgwDO33<+k+jE`;^@$AKGp~HC3CLisOQ`Z9~;L^yV91LGX-mnuuU=9|aQ0yz} zkOGn^tp0%ttiDR7I!hvn9X}RZ-)GM{ElJKFLeSGCX7%-C6gs&W7!7+mtVpgU{U%ec z(lR%K#ZNk!ztnqqP*ec)&Yk+iA0*=c4+ z%Vh-`;#lFAk*7gVk@SGWKB(lA-j#j5^5G?tQy^sFDlxuB<|L^z@?qF~;=eHkw2aDU z85viDO3%T(`vf5voM~nr+f`7G9##}8({12JGOY*a+Kot0N#SWGpa0%U$4z0AAHP(A zJCej5V9|EVV9DI={aon(W=xHZfKZ0y8ssX1RRd09^xB)$BH)R%^qbq^Pnp6ZuygQ~ z<}7uBq_Vop+Ak(Ra^~towc|#gv!mHm%R!HfjN&qJ7uE3@moHu~8jr~Xuait^TUDwR zVD%HFcn&D*C>pN_yz5nF8)L>+_?&k#u`H)(ac^&rI5r_yt@v`mgsH?xgm)pqp}ToJ zSjmbb)Y;r&WFoJfYI`iniO3GR986$OGNpOnnJT=iyDm$3aa>QsZG#P)hl@$I{U_Vz zuRf?c+$;s=<9Py3XhsZ@lw%y+QSJlFBtz}vUb06B`DBni6)OB)-(30vLoeM0Gjmq# zt23|%d+-KO1Y$D%{FDqy&1`|sfQa@*UG^A(76Jl9XD`V#Vi7)n3Iee4w*h@j+iL>S z^^f}b4^v4o$y6jJ;;jIV8-J>pKwsPTPTb|W{XV=9xCCKU2m&NLh-Evsb7u z!-&-NO@k>~L1}1sLTGKqaEIO7(DWRB!9}LhJ_9u6n%Z}2hn5A~)?PdCfil~&|KpxG z1hqLZ_01-j(A@|Ke^S{maDIYBC!Sa3A6w~Wt#hO7G?I2KepyDDg^0P0KDrl-k(dXZ zK{ELfRwqTLd_$a&7+%R#g4t2Dx6^>I#ia}gcon0A8;-iFw3nO`E*Z!0ZGdfi9L!x` zpwO}yt>Pb&uvZ(%5ut55U*V@ZdOslOR=DQ1DE;6@jWF*qJVQzihPFr%bugnAbF?^} zC5cP68qqbhPptjIH}kgkmsO;jBa~^64k_6B1y6(2Z#R%Jh`YSuE)Tf4fGEC*tB467 z4$goadjT9!`B9yI^C?j}AY3+X0w+a**VjDd_z|bD+mW;LseTeyONCH8t;RpjfPi;C zBcsOqS)CP%uk{Pr&NCy9IhF8VrY>{G>l~BFc&~H7VNQo?Ba_{v=O|hRd)1c&CwJ`l zn@-G58w6HwicB&!a?GHpRxo8Y{OM}rY?GSXsp`nhS`R404oYX$YuLTv!!2yp_L7iz zTQTftf0hM2(f|H2WQ&7zd;3K`lep^-y5aRG{DutPuh^5v-dM$snoV~??z73nI8Jw8 zcS&HL98E3+6QG-v+%_zdnnVXhpDvedxHxp^J#c*BwH9g@`D)8z7Fy=&v>OVELf3nP z8{d@D8bA-1%Lo0WjwkVnZnV>+&wD5Q>lCauK4S`t&X`Tpg_ z@?tyU{V#4d&4|6}9J-{4ZI|Iz96eT%pS@KE11vtC+)+OH>#(1%= z*ak2Qccs@FcYIzNNc{e01tW8v4%=R{3I{eL@LB_{BYtu3NR0O~OBkW(gwbaoOP#QX zj^6~j@=9q;_|sDZmE6FdL&Wq!c?XmT_;4KAKQ27`Uz11y{sSA3r&y%F6ok`~vjy%Z z-__`$lozI7Vf^rIv871CH~f^5`+H$(-cY(%Em#-b_Tl;o6TIS5psdsqVl&k1Dws9_ zlG~zYlG_nMKMyz5{5}^JyVB%+(NYy-t9WI|3NOhqA>gTyZhl_2;s&l=Sa87vCP&|G zTa%xPnn6Y<0KYCdrQXh_nqtm)IuzOpgn{oiPp(eI{(P4ER7Tw$0F>GQ+~_iLC_xyJ zii!4413r$hl;?f*gJh3Lv7g0N(6eRM1FKY(iOZ+`E9NA+h!-}Nm|RHA{%Nn#+<IGFBkf++)M}SCM2>42Z*nb7`cG zV5IUD7x(fiT)|gj&~8Ba&GFhc?uioHy*YPt&Z(Nh{-=q;GJn>zuLQ`@B!65=hBVPK zU!!T;ry3y}gx3~b03k5l`frRx(0?n?L^49$W0h#ddxxAGh#n0}t9rS@4r+ld>b-pc zv&Q~atnT&LY^E*>um$;cGKIa43o=8U5Q|^tU$J)o2MA>_oh-;u7N&Nigy&aVg=n1`d`c)*6 zysx?Dvr|2)YK!)^c;Q&OP0SQ>gRyfa!cC-%(dmXJ|Bhb+ZY?Ro>pUfZ@nj{}<{xX; zWzDOk(&LFO4tR5KF_ydF&|xXIKwka#kEgdup7OGm1y%`fC%6N0ghPxzz$gQ8K~V5k z&NVa0<{QoPtAHF)e1wE<7&Wk!g!Ol?E&y@^?SQLW!i#cb!$mmf4_}@wFeG@1+)NqLLEO;aWw`FkY^Hw=EN#GLr6M?*JQ=dsmnfX61 zxB}ff$TxAx-iM!(A4RQG#HWe|({KSl5PfU(!Li)&>4Sb)8>IVQN_Rt+SxHT-%bDlCDf5Y@%~Yg^ZC}(m0D-Q;9R1xlS!t>*6s+ub8R~a)Dy|0IbyPc!DLjPo(N(?$xA`p7Vf(k*J zc-`LDnV;<&V{JsQ;m18>lZQ9Fm{+#=GI{`5(!Je3V;el0n1RxNeXrpb!1kVQIT14% zaJNbX-C_I3!W|G^m1cs=60J>ryBHy5?}L2-2W}I(|7HI1%`)L*t8-{9Z+*<&t~#kF zz`j3qHmANg+UF+Xt1f3@SnhuF(A}k-m{FBs%-$xNmPu{Il zLf|=%#;Au9Pt~{|ROa`MAsrQ4sKh-s5r zaC=g3=RkkS7A`d5+Jy5`9g0;q**Af{1)f4|IMX}X)<7K7;4>0KZ!*&lw@(Ylx8;rD z4X#Z`KiuXqaiSc;K7b2$K%-!x^vmT9CY854pX8P3!Ip-P7H5$0ub&I$rSr^zJ^-e# zYPrzj#L4eT=_1?SH?uzOJ$P2?_#(`mL^F(emT3`;W@5o(-xEIIevy?lXQ{n%<63SwJrPAhMC zWE{ii`c=wzzn1&>-P&>!S-r7SbdJcnEt}mD!1(@EW1ZjL-1}qW61k?$`(e{A;iZ7i zl)kgKZ6gd$R=t}X6OR9Vr2g}q%}U1Gl|1@@aF5S5vCn2RCM_bWlY^GUh5l|AJ7>{6 zaOQiV%hT)rXe@00K=WHf8;)XF?N}Uix#N>&`k@-Fw|XeOCXsiG{Tu%2S5MWBDkJW)E=l6ZFS~&%7(rr!D92;6s_G5&B0pF z$qFpYsO6GV6#1~-aMQp0r@{S7@u>nr$tSO-vW;I$9ppvWb8p7fWH+4h(pGnbPCt!z zI#7m86%Z|^N!YL3HW|ZGyvGI^V}=D({mm4o}$P;fOn#$LKpv z3-%n5MCB)%{%pt<{6{BML7ZP&#BE0M>ZsIEwR46-YzX~mJ@x=bTiHyE{J#l*I3+_bU?QIZV!cu-qvK)SaqFCWn?`_R;6P2 zf+~{N@VtUzQoHqY{^PTO>PIxocPJD4DD6t`B+hg<<#4V-f%k38k9TS(}8=b8G7R zR4`8R3TiBzX4LmrRp*~25@5_iGNIxc4l8IkH;`C>gmqun!yAAAN`^MWM`bvJtfB;4 zZ+8iAkzK0_X#kPea>wKFDc0wGVKt@~xq<5Z*^$2L&+L1pT&iSfe1_}t$Res7Vhe7* zW;k8%Au8HL*`Eb5j>i|j+@p!8f)z(s89=*gZVf(%hmJ#Bj9i8N&+A+AjHqS(jG=T}giK zs?pfX|BCl>UN*Tj)6l=ez_OIQPA2xh7YH0%6MwlHP!jL)ijxU!0ZZN>G)`I3=Fd8* zOnH#U&JC9~)gZ2niy^lRbj)e4@ZluLL1=c{Pd|v>wxO`$=j@PjH9Z2pa+R5?qB5Rw z(R))C@#OSfo0X5==8VyU3Dy6h?7hR9-u5V zn?yq*X%6T-yEHpg2egLC3D5S)8q)BN)@P%9!A}aC{F!XDKqvDu+>uM=YBnO)>1oYo zGjcr0qs=E4R8Vxnm|zi{{qRrnp+hhkfgtI8fCRYD4IL`efiJ1srPX;@l9gCyq#ghm97x6JU%g^kk(C1$-vL51>~@>Cj5I{!Se161Y3FH6G+Z)iSBv$oS zBSmo@prf-}_?86)z0S3U>5%_RLC8);R#!xED_X&3SjBoQsY7vh zw&da8HvMJ>n1|6ax%*slf(uLe43G(B8HjkNJr`nFGwOFDMcPWENgxXe`q6o57df8f z2I}!#XzMe-a94Iq@E8u>w$gWACzj~59_3$^r%6#eGA*PpGFHH^YHeXfou3=&YFOl4 z5hkG4uXXTNn{6)Bg)-QA2WHfq96=r}v2Sz-b(U)kDYgufh7}p(sx#$??tA2~K<(*ly!&ISHyDZ1_h!a7*VJCPWtL%EQMc_dj6|&sqNq!FL&7eH8Fzd}GdTkOW zT4bXM@XPfPN!bW(l;NJKJx3Y@^F3_yTnxt<<5x>sIZExrh=pFOKCwBjGtxs!D@~Y> zxo^Mi^cz4u1H%WMV$FxA+M2wZqqq^h4+qEB6 z<2T~jBdeD3ly}Yz%zCsv74A<-kXg0ej;z?7U6rr?Q`WjXze<}vb}VZx3j3nAy*2zW z+6K0CaCP%uyGHuH{5)}w+K66dVnVFc>T5C@wj-m3^iKn?M+bbD^)uCD`8~Vme3QH1 z<8Sc15Zot+W0pry?ZHw zj%+#{6gNa0G6qlf0`iSY&L%PUHT+UounDa5Z&!pjr+qBH8t-0*A#yoR#7s$SXc9Xt?Pv^=TD9VVin-M9df>9JtybFiVT$ zHVpA*8KMj1%WZW}hte*xWlIHrO_-RDcgFelmqZG|)}XLW+>Qr$gL1@Sn?hFWNhVJ( zTO76h3$`Ga8Gb$gNK}5Lo|2xN zqnqQr3hJqn)?UIP3;z9#27Z=JKG=XB!V-)xRb@P5h&T~Qq+BR{CyvdFY`z}Rd$16( z)QZV|o#*g8&vA+3e|9+(<7+nTL`gVwzeuZ5D`7!TyGiumg7rnr?ZZ#p*YaPkqV6eG zW<6F+7{NHDnZQ{A=mPZf(|0y5+lBPsW;q1YpyVv-l50G(1&E$7Az0C?odh>)qYspa zftxhxp~nR*s^jj}+gfz2satB9i?<>gk)c5WH{6!{`wg>T%C9VAD@?3PyaA6${So_3 zY{h_4;vJQ7xy?qJ__f9`8gfoA7;2M%W6(*UOGt%JJCrohO#x3kh^hS-fc^zmPgkN%y#HN-yZ_Kz740oI%fkr$tzT8w0G{B zE{k$ixlf`Tb zM;%w(CLL zLl=KV0KwG{mdwbl0~0sW-!AO*_V&X9$eL2y!X}d*M}EPh8r813v!B&=G~m73C^_Ys zh>&xkx%>~{jd%zA2#*6yi&kx1^xyJ*OJM= zv|D#Y+~DTx#qQewx%M(Z1*}WVcoC0%m4{K`KU}+YWgG_H451?xbIzYb5oJi31|paP zW`O6BJ|kk9Ten$8YD(>0_t*9ZQgbCJrV%}PKes#wq2(d;$^$lKdK1T-e#Q1#i-$iH z&Y;V4R3-_98MLt!T}z=WcdL6!2B>WFB({xPHEA#2w25o7_4|E7Y3NNjcGv)+suhCYwt0I&5NF z?U{@5k3D*z+nbo-lOMT~747d=pfE}Z^W%W>PE%Z5Tq|WG0_%;0a?I@vzDG#D5~8px z;)bx2#-~h!pqeRn8%p5UFBLWqle@UcZ-%fu)pnDvaIkWt#;l!c^;?-QJ{m zr8iCpjMy3=3e?(W2>F2X0Gm^1>Ghgz(gUvhG_fRMPa*eUR)Ttv6o`q|8lbiCKRbu| zM)Ub#81KCWy~wIyQMbfc9QDBGJIF@C2q@XoMIzQ<6}p)Y67j4xMyT!G*P?L%WQKAt zOj2GBwzO4CwQ=~{CBNcyI^tE19W(r??aJX+3-Z6XO!x?h*hy9mT1}LRkO5W~GV-R? z8#5x+*l#x;gKj@kEW=mVX;N=4hOK({NPIMV#=&myJxov*0K@Rm2Sa&lM!dGh+kl}R`8~@g;kaDSrf9i?5_ER6ak? zr`hxht?>T8Ou7V!K58_w$*nW&X5w0Q{u|qnvk}H6kX$Q$J59euCSMveJH@M<_x_ca zYl*|@$ljK{18Vo9Vkw7zzZDZxLA?KABfY0n&McenR=J_~h>qt+brl)+VyoSrc>m=^ z`YdOYmlV4cOcj@A{;1amr4qBQjnkxxyu7cJTTq@+cd(0%2e2NEZ1# z+8Qd{@^ZA5&KIg2g=m-IO0d$On_UuJ&3iAJ&?d@nvly=)?cCmfTj8UBMZD-z8QC}v z(^%blTQ1B-L|&;r%tQXdh*>%EE% zziO?HsOTbj;kZv<=ilT5^;+9SqAM$>?%7xH`T9ul5$;uP7*!m{>~(mRspI!c7a!=y zChT4_Yd!)i4$-%&EMtOwL-0}>YXOCa z{hZ+20b}ApvH1L|MPWFr<~9lB^Q9TCxNd?%b-3X39RjuTg6Cx!5d2J}`#apacpe*D zlqLRi6$nQ}QU2B6%@re zQ&a->KQfIk!Vi~D$jszSa@HczccA#`8Q%*^nLiRhg9YlNr@y3n4oj5sY)&9!@uhz} zZxO+0N*Q{GhUoV|M)1XXc5$ekdZwoW8@1WKR_50y+M|VsPkoJkM#vceM)AHxv(Y~G za_8Vw4QFxA*G6h1(7E%BtIg)7mM0_Ses+BKLHCu#o@*Y;Dcw!hX+DN_Gi39_ z#|i9%jMZTwukNW9=;-ozt;t)_rE3aX#!1UATE0DZ+ea$|ZT~*X2>LDIxlS12HQZ)$ zpv9dWgAMJ6=Z51!xU^gDE5k|i1-0?5nA~B+|J&Q(`a;Q6byRX$@j4aG!!dYLI*b{e zAr1%>yxmq`b)KLZYd9;=R95dKGLu=P@AS4%R&ANgavJfPEcVdF`h$2lt7ydGs}XDC zJsET!TKg<7_l{o)n(@IdpRviZjq#aHv^({V%|sHvg`nZW6UmGL4Dn>bMfT;qOLr|F zPhQpIk_c>;QSsh!(;6oVFcYEeyfcCux$1Ff>>a2ra9&y@-qmI=w>TA)K>UtUS(^rR zHekCfU7TxZl^zc-kM-Z$dWT{H5Rt!4I3}dO|4=A_V?s5j z7S9tx$aAjn9vd4^!lzLylf*Hb48lR+s^w@w#3j8}3W8t~{#R!RTu*ppf507Qpj`AGPU?H&3pl89i`Sm<6HfNye}TvqY0I<~{mA|J;q zIo1$>3E7J9hy>W~-3?y?HxhvMGU(EbEqr&&C10-$mosI?6tLf41;ghlmURzw6|1Rs zRy{M2PE7$LwdUQjxyLNi(W|*z1X)zy$t3d&X7WD=w+TAk`oS2}?Ff;oya~Fpe?%8&vZ=dn~J# zwW35Dct9*eV;bg>vSH5(_?5H$T_MkGyp3Y;(ZPQ&GD$you{4r*S9}|CWB3!7(d|sxI$6RLL z+3=jHtv@7ahG9zVh{X(zYIw>GE0xLdNTr?McDd=Lp1_J1VdJ~tQtwN)#Wic=;L{2G`-!|?LX=c2YX*Pc_soPbHg6_F#4 z*zW`p{k(7F624Ah_B{|KAw-Af=` zX5*S3q5;;;+orv=uxL!tu*w$;R-kcNx)-3WP*f9&X~%i=?_bG$=V43C=BRS;il7Ax ze9q*+ohC5N);e3mRzdCSKKd>GE>pVYU!+`w>9Z}M{G;evYx>W_X)UN_`mN6$tJGt1 zgaeDoXl#~&XT*QepJsKUEW(&_YCPZ+l^^(F;>FLp5!-0oK<0@&5m|DHYE`TnR{B+P z+VpZKFWx^fzSqci-qdRrwprM!|DpC>i*yOULgJ`%)Z3!HY-Z2ERPNN??!N{K#<_yG z_;jr=xDHa@S-4J8FJ?&@>|%DceKA6BB`<2PU(9jY=GG(q48)GxRGS7B+n~SP&l7UY zNKQJogVn9dGG@8BLs?$M{LC(*cKI=y=`dF-YxBnK5km{LPyV}V*$P;l?!oeorjX`{ zdsp4T76<$Z2#>EhuoJCfu9jPx3=n#oe6gMp+IOLg^jI{?nwDgXX+IVO+;TXmUhaX| zfu-b?YuTY8bocpUJ2HT&rT=A!JcK>z7qW@KyQ7s+$8+oo0a|cA#c7Xk=bnUN*HNDa zoK<9`Dym73&KZVdM*2QN1r27uA_>0o6{1_)5OJ7E$CX?2nHc23%No*qb3lfzVHQ|Sq)a;<9Q;_{*Vh-} zkbn!-ogW8)=k(7xN0)nEwZA}w9E zwCp=6lQpczz{qwje-#|8!Dl9xjv1tQq>O5e``+c+`)@seC?sJy+s^Dj2W=CXZF& zCw%+P@*~>KA~P;krk~*pWIepGRo$jz6Xspd|5mEkf{s&R8KfT%022DSeP zzs7T)gGlBo+`$~HXd-Vi5Y6-@s# zF@jC_1;PuYiw7hd+{=-*D38x26^`c1wefdl(=EsPeJao7C$58;bwzWFJZRIKbeNcI|qU53}IbZb{VHr06qVq0h`)f1fm(Eo-!H> zwnd)j2S~D#v&77MeNz^UE5-K|-6)X62I^lCn(Z=K%JI2rE~Hwl#STn?Y!Sy7xqlU_ znP6L=b@H^0sU*8^i8AqZkRl3rufInHU zFK)#4L)SQwhk>tA5nK`GdIOaXPBk%RgH(HMzJYnt~{bF)!$mt=>~ktaIAWm%te{&tS+jThQE zKASmm(exCNc$$sFp*?e5qNS*DB(`Zzw-w>d1JEJ$m;mow z8P^qia}UyzL~LPe^r4i^0`#6I4}6kx^Xr`zIy^GM=C6TTy6xvtfz>&md22_G`#nX`6qtLwq1C5 z?Fxg0?r{NxL=TsZi#$l;t<>*M>XXa$SPM_k_B2QM()HA?ou+?9fEE#;h&|T~JE;`t zkqs!qR-_nwQXgtg!G1UTIdt6VtF8JM0# zV7E-wAe#bTiz0uOK*R`Fud)9x)maON{OY0>q76rDP|6iD^J zfLVO<^a~~pxY<|tJbj>3nc+6(E8f|w3a-;UVvVCq>`OXh6x%@daZ!xZP06N$D zy|d$WZLYt-Iav1o_|M9oR5u3+i9to%#J0Ppx-!T75Cqb-;VdM0z9b<(A z<8!yD&lRW)amvG}k!<4i@UuQ6FR|1)$w%#v?S1nikK*?=Qlm(S|Ab?2Fd!b2eWJ8~ zyO$={5b%``M_Pm!`C#g~d?7%pl&S1q%5r`@&2Q)LXW}kN$H_KG577AVJ4w3Lj zDRE7Y0IZQlm^G;}jyMB$!ZG(yDhzL%lP0z3h^w^jXam;GCk|oND3dK_$FyHlN+12V zaMH#H@%~s1tc*=*bkq^%>q$Oq<^dWV3Vv5LqfJ@XL3>-;<9k4>%ct+%4joHQ;bu8$ z(yeT;WW0)(#)i6nMg+e9?h>U_gxKomObF|2t~U&&GPB0nfnrq?o=KFhQlV-QjIUw! zv!?Rhfu6k6$h1c9F7`zcD^v9#btZD6DGrTUj%I~37A5?GotOD%0&tb4uP!)?nXLb} z%y*t(J5Vws2(aj7o-O>#gy8zJK8Q+zf&F*M+!9YJHV)s(UBx>#pW)i8W>@Hf_daW& zul*v@K~!HZHHVAI>oc_4Kd@9(Xp$X9uE z=w2H3`K0gm43A-Y`=@Vr%`9&G4$dnZ*5gg=&LpR8PaI;GyfI1_R^Qt+#mqFQXw%<; z@7fH_GxgLPby;lCf0^N$*a84iXOg6&@WpqWTWMWA$(Ur9k(@g;KkzxMv8-psO=1>u zNfBetW}QjuBHvKp_xY`9?At$n4IO$=hz+2+#{QRkBb~#tGBalm*ox?eGxp|^4`Gim zV?&uB$l`}P`BJ~y`3$5}8Qgo%D657Q4F1yx_u2s(a848Cq}-Uw9KA4eF&V;2O_s)U zfI>u%H1=dMo5wD5z((X2n9FItW31&@-gPLauf*qGJ)d>clJ~@Nw9jOUFT)NqJ@=|8 zc3`e{03)^1rij?mHunP`6sdtFS_q?YZgSZ!e z|GLtG?bW@h*cE}j=f6x<1)dX@!(@tO;Hm@p9u(IGwb0RSCvlA=*p)#*YN6p zm+P{%g=RdB70xN)vwx58O=QVg9HbsQyifW_vLT8RfifrV`HB$yc286P!QaQc7kap< z?k3O>FjP-g+j;m^p8OTA|Kw_?A?pJ#*Eeb3)UcS%L>$IG6>1-S%#89{E?mZN4=Q># zN3jtwRA;Z*7{feh(g_%<67YVu1XRoZe?BAd{Qzw=eFI=JCudCv1CVB!X5F{C&6(avecJLcJ6QeSR}X(eU)Nu&5fPt<2$r? zNBtF1CxSTB@--)P-K@G%L@SKUqz}H44LwkS)No59A-52T5hmF#JCpDwW;3jlmW-!K zbnQ2%_Rw~lPy;uRja0z-NMErjb=p+H?tk*Du7{qOR4@KbOE_bnm4S|hrf^HN@SpeQ z2v;S<=W3_vKRa#g^U9(eu$M1Otaulg|9)90AA`Mq)n@VDl<6J=d(a0K&kEI+`58N& zE#B&KPSNv0%E*t3C(e1o4%tO}J7g1E+5)+}3Sxv?TSCXqGGZ+%p+KM>p`7x}_YpkSl{zJ(Qtg8S={ zMi9YHDv5lZjk~e`+b2h60TNNGpQ}YdCAXn8`oR~h8p(lU*3$c(3>gWVodZb}VmZ$d zc#&Tc0+f8VQzt$;v@juvTm*;+XoDZN3fn35h%R6|pv6!49m`w`=U{wJvkp`3b$WjE zQh5@%DairV6SHnb&>Or4jN%3Yw=>Dqx$Rab!(Ynaee!XMm?Ga*dn@3g{A}M&xTosb zId2HU$7gydV4IV$?}pPltX(k}*Mb=~EvHya4{DP2-NRiws>@n(+{?d=y*Cpd=o*Qn z4o_$L*heFW>8$?ys0epzk;HdPV32 zuYRd^`476`z-EGO@}Ul8)jPua*3|ECuB{tr-+yd%h*~VifBLR?)Dumbbpg1joTq@8 zP;?+?8qDw^Eo}Ziy@$)jb=RAtSeV#j9DuJp5F^zJf^z8rBqe?;{p9dFl^;|(#^Q9@ zcuM%$lzs2~EWo5tqS<_1(WH!I7%)5?a0IrBU@*_ksbYElTa2*z zCEmHaB0ra)-{8CdhaLyDzoaq)?4_)f3I~(L)8T@n1)sN)&D`%D)SVyKL7!_~27_IT zVXzjiD!o-LISw?CKY+ZRcKl@i7B7~tC5Q@j1b@>X{x-YKk1D|#)n$O<{Ra@4vy5*> zJJ$2sdYZM9O zFK$3Dr^i#xEq!Sxp!n9YB2THw*Dlk- zLw3fEK%*7%H>7gEQJy3S)HHSpj^$7gL(AhZgsK9wV(vfB zd}f#kxE6A9(Hh6_N0p0N5s##B;z(I*5SPTyy+k1eTPILC;mtNIg)t+blxPrZVUD-E z&qT-@8wN6=(kdU)tZ{9>t$2g0x|rr3;;YT9p5JD=ZOvDjwPxwG} zP-Z!x{IK-^4!(E_$ZM#M7l+|OgXO*r$daNW2-}=hNn~J3vYXYwiuaG7H=lqt|0knY zZM)em9XBMM{d9vOSSit)3Yk`0TZ_~=1C}a7Oqw6DviQo&-evg*!)}AJJ1njJ zI^TlnnW4yWHiX}6aYlb`*+NMD^haFnJN42mc+ zdH$a+rSGbQ9}()%mo)Q~fnVhhfxUw>Ay8`aBM20qlYQS5I&sXMfPmcloQJm|@9u*U+7tDntJ|g9w@Sblgp3@LGICnk?z}CSn z)0IVDyCA=Q8G3cgq|@C0ba(2n#kp5FA7)1}t5MccK zs58uikvYSOrz=I81C*iY_EC1pz>H`aJEVOrD$dN(JT6<9Wq+30cZq0NK@B2AU?)OpGa)9%XO> zq5|d=i3oP4tjN9U4Y66&;Hx}yU^)yq57x#O_$Rd0wKu(w(;Ue%J+tFIqn|5B^*0ap zWjG(kvFQ!8Jrz>-jTdbn@LzrsMru&F`SG?Z>qfuWNOq9G`}fR{x$AkP^)l{xGtk3V zVU4wy4!uUFX#RLkzq{P<^`sFy&o;J$I)&9Q_P%uSiG$DfG>LfbhS3ssdeKy%!0366 zF^q~jQe%8!5gCskRGb4Nkv6H-`N)>7zFh6|cYgQOax|V1-lb=b?xO#yzy7`A_$3EQ zT6@;M@8zv~_l4dFgR)`@Ohx$IazfDjH9%jhF?%C@YzLr>+Oqzx0`kFB05N6pK+a(S z3C^5)a}-r3$aLo#d^{R>p380crN(zZKMx^Tp8#;{0CC`ECEG{1L#Eiy572NCzjf~k za^xdHYKW)h&%rt*^Q>1FV0)tq65G3g%FPi7Z*#vYC-7N^vbaNlr2BEs-XA{0bgy^@O9D7pu2@#%@*Q&WC=~Yg%861)uRqu$j{PNrTC8yLlFWOQI9k4GrP8?kh>#c5L@tIBCC6MCYQ!C$Ab zNx-xzdmCx~PF~qrTc4JcG`gR+B3^j;S2AlpC>`meomcV{OVz%PwqQ$h5s42~y-HQX zC($ozeRLEok050nisbwP_j-aj)V3T#nj%K(A#PLgmVfhcB zc++nKcIqS4lEf2-vYiN=mydRsKg1Wg9yHlv^aDB1bSED{Pg+Jb+(om=u5SL17N*L* z_A9-L>8ptn+k*FKS(qsC4~eMy8~^p!&2e*_8*Led4tSmg7zzqgj^O191&plo^ck@> zV(`0_gZr&Pu38Yr0XjSS)0-zB%^T=nFj!L^s8VAdLA*91AznPJdYyYS#%(X9HHKl` z8eGz&>QDoId)l|@xk!Ef&pM^gQzoj%J*ROjyrD`pUH?p+i3QQdg(6VNHvK|=Q0F7`Fx5d#QFCYHM zk?d67(tOaow6V?2+R(632YzmKEsxI_&GRo;&Ggzj^=D-ye-zf7wMSdXVl${%l{WTF zs~GG7IcN50CF&}|ctySuuJ&&~M&n?v^ae- zS|GJf^MW<|GZ4VvLOIBS;w@f%L@FKWUJY*l_%l#^4T-jo5ikLGT^p0pAC$5}Bg*@L zbwo)(=6nHOO?}4TI>46yZ~~7Iio@U6_JW|MHhk9-eY}D-EwGki!Q*VPP)!j0We=jr;g1l7ZuPFd6 za-dWzp-vqZuZ%hYUth-!a8qp4z_e>ec#?5ARD*jUoM;d1AcS!dJM2d+01cP_r1P~{ z$~Ucr7g$9CbqV}*tua=bZ_$Sp;IM=O(%{XXOJEa!!a=C_@?L6ExrG{jV4>#i!h09~ix6Qk-C0*7jdiWsYHMzNoUgP_a_9vp8V;*F<}R;&c!_GUGC$J}0HGmc!-i@7 zA76X&5Wv*wx%}o$`3ubod(kGduL1c6evZ}AZ+gkvldX;)gspHfsQEq|Q*}SV^mT?1 zoJ_G;bmaBKtd!4XT?iD9Kyt|^$>0H?@L=EYg)gsV>qe$F|ZImsY%axTc^vX#c z6MbL(sS_ElenoHInelzKFiXmWjk!@-%RsfAQSyfnkQgpgpx_i4rEv6kjB5_4_TOtY z_l12%80Ts~(YRv%PXq3odP1!s1oQCQOu0`8S4eQka^U36^l@&GNIzf$!x9E}NGE(+ z{<`emgh##Zi(#G&niCFh9W9V8@kIj&+OreX*jQYrIP#fU!gg}d1>&PIElGM?2Q73} zX&U3S621Bbwe3kq8caK|5xoL@xw5NPd!Xh?yG7@Rnw9*z#e(Sa*mSsW`;!RfAt@-+ z6%VXsv}zD-Yr;F;Sjq({Q4=7tV4}{8Rw7Ce)f)+g>8^Q0*~Pm?(KRRUBXme%&qfZK8n|iyZGijlK*JY z%!Krt+NDo+_b!A$n)V*Oih#Il2v-=`SschYnXxnBM=8JbEB(Aem%zbH2*3=?3u^_+ zQl>MI-ogb3nPh1?j~Pox>FW-f49LDaeySK0=nrBi)#`MJQAN`7@FeG{rlzC2`4h>0bk9EHcAZ%2#pOiPMI+4X%0 zDe{>U41?(Q7Xf9tSggV8F|dD!asUch9r6WVDe>1A_T=|I@PFrRWL!gIgH8dDvbKLm z+yAI<1N;Xh2F7FtgYwiu!FvxYh+45b3_yoDbPl@`6nvEGCxI{yqma zGY?!Xg*7wq8Q4Et0S^bu+ul{ll}E4Ae|vkJZT?1Xkt{tuVpn?eCL(C}-rAl*k<)|F zgAXd(e4g+{-Vd`O$m7qqm7*Q40*+UutedA2RpU!QUz7ra7xm zwvc~X%RxB|JXctNJ~4@X!x2*=?0c5cze+g8i7hGn=(Q#zk2-sFK=;^1@^N{Oq`6Bq z2OqDY-j-#`j8l2us@TW)A(c$pz})HP+qwcy;n5f7>)(yK=a(kHm2MrO!lKBqXf2n% z_@Me}=HrMBzgOMK7CaCm|Ea?tEXH zCz{gczqqVuv{yD{4w8@YPSYH$cODJSZ(3rLTe3yN!KQ@%c zX0;uU)kVt+;+_+ z+V&I}Tr_{OpDEprzYAye4Kh_Bq1n0D%B@b@6IuRxY-!Ib2xyG9s9=rp>5OwfT5l6^7hZO@YFuirK` zmLT5wFK=&yzP5ZKTvUbGXLrDuCX8}Ac;3L!M+inmR8L5je)E9b!iLBy+%xosMbVe( z@FZXmX!*Vn8S)In0nz0;yz>hUpK&t7T}1}-frWa8KsXLv&bAW3G?bDTH_Smz(-Xo# zuX~XrRt4h?c(EBLk|4uFl}at8BR%ypt?st(NxV|1CzdRLNNlMe}AM#-w zx)8_707t?`t>ZPRmE-xekm6hdYz@A&4H?0IG381amEVdSw`oQq9>3{VUhb)C7^>Z? zD4t6)DX>#V4J&0nPU*ac-AJ+Qu*rIV2KsI-U0S>PZ*L&p>5$-|OfZSfzwB#$W)-AB z6Z^_r(zCS$84+A;l`{r>x(u>k_YF9v-GW?bT%2wwcKjJ%_&PuNQ})unNLI3VWeU~r z>aYS*Seh+t8+Uv$8==^BvKJcF*Cew|Eynd*qZuVg2asGdXRS3eGR>!9elE}EM-}Kenc+JY-QHc# zz#Np8B}v8;#1!i!V7Fc&U#li@wR&5#C=M?ZPP%&^?@^QO9=XMVN>!+Yc~-G=I#7eT z_q+V8S3cM9K+46qfcbzZ(Pr6I*!rf&#)B)*L3F*u&F$t?E&Z=w48b#ZfXa@Um}HDK zR%cXUBy-49b?wrq!{)P`WusXZ9N%Qqm!)W)_F0a#Y6w(1?=rJI_Qy87LM8o+ zQNLA$c+Nq0gwI=J6YFez;IK}*0oqzWs5fBayOQfgOui}`6LpuQi^n6{~xtkfmcC4Xrt39#RzwUy@ObNPen;y zCZ7)HB7#NmiDQ-BXJgSkSy#z(h3eID5a)xb&|H1|&7U;F?R3BFHo#kw+vKqY?ZWXH zaV6o%?u9}GfLm`h_ey@qV-KM#y<|svhIc<=5pdQjL2^eFm>-w@6 zvkSSZid$NF-l$b9-&P)Cu9JGgI5y`8bh^1;GH)vXs<%x1dO<|UmGeD1ni4$cdjX$F z@5zOBHfG7X>^G2$GQW+#ns8Erlv`N=s)R7w3x`U&BjInT`NJG2Mjp^MT+b{j1qIYA zVj}w3-Wc8Yx4DIcoI;!(5;a)cXg2F{-IAwPvFRAYLtz|8tWtl_S4x$OP(3*qV7G5*8UCVG3UR$*p~)2YX=xp#Yc=lLHhZ3XLN=0}g-c+Ub2 zW0Hc4n&%*!cU=yjzi34j$`cdXDS;_Q#t6kpbV+lf%xx%@V+KxZ0B^E#TQFK8*d!x# z`C*Soc>9+7YhsWw;&ajN*K2gs{&$mNj0~9C06rQ!fES!6Gg)oRkng<_c30-gdfo=Umjs#9C7F8N8le+AFy4$ z=s1@q`au`yQ8bge+A;%THEN;RGGCDJ{>|>(_Qq!~QiIn_H{ZUJ%X0p5dsc?4moR7@ zb+OcN+enzr6#vU6Ut!GT3SD78;C;3$ZELy}7PXaK8p3*Jr;)Ov!^5=9vdJL5y&n((~H;Y}2W2MVQxp|79fHJ7Db zVUOSY#SMkTD7IT`d-W^7nR(Dd)h@|80`l$?c~SHwo=ZJ=jPYJhDCHSr&`AfY6v)wm zk2n2qB9PDGL{y4r_oa{H=znCc`3s+HpMRq}JI#dpc^na0rAvOP==9rKKktP6eYT%j ztWz^1{H@W{YPQrRL|#!r`>y||5f{0#iEA6Ivj0wGtY?COGyK!fIFU~bOBSXS9LUbW zG5v=yNST$=BN4v}Q)7=TehoH)sT%Ua0yLL{_{4`yT{Mk8-x(o7>>5I#i}&EH*77(` zR8|NU?rjDpvZr*W5j%#>Z~(VKN|usW^tR4G9I-D1{u#6n49DT0WbtRS~7~ z2Q0kw4gLJ+m&QuvV9}l=B|$Q71Z-LL{1Y@V*)(h%>TtaWT3(*!i~Nzo+F`719zdM_ zZf!?{V^ldCwKWTaXWPl@FvGp_u>wUjkSa_Dj z;n^t3%Rh1Yqmg~L)wtq#t$)G;KUM<{3s)(pwK1j$lBw1T{cRF~??aM_3uMn+qBp%k zke8oAFiFMVr6Q2ugs368U>T`LE*&I5B2v z)#(vIr}v&tD^R`L10rVouX9Jh5SH4ygOn`GJ}cdaXsk@%YjsKXOrl>){4EhHx0LC9 zYwSDqYP@aQyzThQaZ$eR361TlLl?+Yj41~s$w9lrHj}RkiKm@nmeusps!F$@v-P`L zUu^~JI&@m-{=|ZNhP`$t_}4#H0Jxui@;OJq>F=_fVti!R*c6)kc{zbd#VS&y9Tl_6c)<6+?SwaB4LQser3RIQdcCehgfV z*$+<(KhN~Lf1YVByZ%^dFbM(Z(dM3S@-q@t1FXnPcGHNVtCz&R%HO?`vy4Ss)0hP` zDu!Z#&ZDPE*V}a<$-tpM!^@2CF!y8Lx8=k9l+m#>UD5M|KL2s4O^x(jHtqP&%_{OO zHJc2puub?CRlo;kBKq~m#)RZ-qAX@GBYIZ$sc2D$c8e&j)LoOxw?iGap}$?uGhjxe zCljYt*U!P$NXwM3#-(D!<<2Ro#4D|XtQgUu1DlZ#sZZ}8g>2kd-g^5yL=<{=rL-ZL z@}#sTUQ`tEJ*nviJ`BFB(j!XjU?H~-xhh3;Qr41$Ikb>ZKAb!IE_yQ3@UlBRg7bzf zdwtC{#-;^_W5MPZlo3ll98W9V>?V382|9-_9B;iXijGjT64p21LAy_`{`ejZFQ26! zMsBpxjI*y44_kc5w2&KQ=%D+RU!)SC)J?sKGySm_j%pZmM|P;*-FbP}2qhHuIa~n& zh!E!5y)I+C=B3-H7zl9)!ez|Ox4XVGa_%^>yO&K z2;uNiw7y)6s={~rDG2MrSTu&&5f2!hcEL76gX`L8`5Ur+jTOnqC~;)w;r33ScJ7Bx zF`PHv_g3ZtPxJ8FxM~ZaI4w{AUNvQ2>2{{s_r#xB%UVO8K{2u^3pVSpq~U?(@y2iD zL}J!Ylrdr|y0USVxBWp1 z?$;gPGl}0(xS`-off?P2!bPbbUX*pyI>Ce9`f6EKp(5CycY3a8(*JX5N*}N5oZ=&icahTiPy5AnQ>|ySoN=f;;Eo{k}8j zO#WlYOeT5my?3v@_P16cEcY@I5e7{1Yo=3qwJ-8?t$Smw71~dpr*4NKzTcCNZ-N89N6WSq|q zhsQRH^!QM~0gavabj~P@Z?f$&o_y;;${+b-487)#d+P<{Ea}#FPhq#?E!J^`=nWrv z2(Xzft;5!5MnC-$k>F1O7~YG&-o&;&Y0vVk$%*@Z7)&n47QQiTD6!FNhmsl0IL}$o zJj9*th&+3|sNj>Van(5O-{B3?UVz|awv49t94Q`mL*Gdd9NAjmj~U*97fWg2*dcvf z>VXD_RtJm=V?3<7ay3DovyCh70D5@kgrqaRXX=iPWDmh06W1`H+*lg<7n@rgnCuER zaE?}IBaGPaP6ke8pxy*?jk2~S?ExL6NRNUYK&KOx7YAskR#R<&x`F_uL z6r1DbxmWfb0@58de{4vK)KmlY`loC(gBZgB>f+5s?Kfl_sPW*>Ncg{FWr{Ed+$jvH z;wANJw8SZgV2X=>%c@rZymcHIH44mEAvLgg@#{lT!)5V8?2kb4T=JUTL6OS3o``p! ziG9ppYot+H7?v*U8a~(@h2iWWpBXaVZqkdSK4q=@p_hoMk3SzLk#^lv1D#|LrQsVg zr4F|}9HyJqUZ|Q>m-RQ&m&Gz1s_-Jm#zm%|pDD*3AAz(%k}HRK!|Hv^t^0{-6s~{i z2O~L+JO9nv{A%Y>DPn5`@dsBq#dayid0>}0LYC(5X_$yHUI#ZE0a?t+T*I4nAMM2j zCzcMW@#bXDu;ny5nfm18!f6k=_vJ zPCPVMsgq29Xs{W-s~mizQ-Mh*#QRzZh zA+zZm2=Fb&o^OZW#=aQJrcifz5Au+u$tf;+s za{jsQ^13uoVJ2Nb*I99?bS94-iJvN*d)p<2eOmNh_@6_*ydD1E>e) z$|MA(=}k>6<@Wno|9s1rKRnM-?`p2NO3)$s8J^O2&lcXFi&Gc6|C<6STN6aNE*fD7 ziw`wNo3(kkfsxs(Gj=LeoYJ)CwTt{S}Q5A9>1M$eu_5+KiP5Cl8rv|c%Pgag1KY#3swO5Xna z-VKzZslJ4X^wFYbUjoMqZ%$hYowH@eNr&u}{yDxeiYWjsiO0~fbt%?vzO|`(^T_7} zNcIELS}jN! zTYnA3tjTz9IcH!;-<{wxN1bRDTdXU&iU!KPoweuXJ|!Be*-wQsg7}JxgA5-NU2UE7)Ha&=(v{+#H(qf;m-4#0vWx9 zxur12mGZT0^l~s48voE5&Hyk;KwO|;*$LtLdQoIMk{6BTijT8DorIB%4$}YJEKy_o z!)I^KY0FZMoD2&n0DwIo)3LKAeLK@Ve|En<*NkkdNi-2Q8zC4l{J-{*2B!Zqb}GK_ z-M{3{1?#3yw#(YZ(}#K0&$yGFrXn66iny#w9PSe_M)fl&wwvD*$M{kW&%iMjS52^; zINCRww@Oo$vc~_r_>E_CsdRn_j1(KREm|OZQ}rSkzT=R1_n@24k3bED$(iCy3k9osOHJ;q zj;mjnIV6Nn`ZY!DE87nF`}JqK&`zcsabZd)auv6+9A+fu7DMxLz_awZ*sl;du^pfm za$xUj)dD*SP^Nf3zckfT1U;M#9W&9mhFDt?G<^JMABJ#K9)Yo~l|v8Ae5I_+-vB|k z=NtXCLa5?HG>6$xO2mZ;sMl*9AT^}^{u;0OHu=9MQ%6zBS;Ok6j6~A|kCg;HRT{|& zwoQ9KHt!GV@Qxy@f$D(MUTTI8u-C2Ixke3>V|ij`@rI`zusT9Z1<3y+s%bjEb_70( zP#;LMKQu`ptObz`dEx{9-FE~g=E)%-z3z)canZHvx$^s+Y3K2PKBnuk+ zO5{c*yIz*kNyUK-%DXt+cYu;-legfQL2bHKoBwVbkPtC}0^P=}b`q969Awx3K`TU- z!zM&Jx9h(x7N|)DiTLN8e0`WPnzT)7pBuLL9hA2Guw*hNG=s{-7Wn}X*BAPq4xgQd zqqkCYGNk|S&CFJ^4itPqVy|}XQAYcl(K(92#O9Y}&~JH!S~fFd1*$8+ zNvD?kO&0JrQjom3&PWho_tpSe_{D)ljU-lrXYk{TZeGeTnl*LymYR!YP5@8MYnC_E z2pJa)$rSqx$t45EDt~e~@-7gc;tzkx>3=8xu7Gu^!+#cy32Q9^(2o}~mN@`&KYCt1 zTJSe`_wB8ctoS7;OeF|9$#`1da(6U?f0A=5DUn~lUArJ31{_D=f&iKCd zqUeExeTxt`dTW^d<2Iphj44A)w?LN4gi`M^A5*n+eWv^e(Ws>I?Gx z=w)%dFC~HnjYX3i`XE0j2`V+w>lwtWhgZu1T2aHZ@O@?eGA z*18{pfY(MVz0QFnTShl`XrHFuRJ56Z55fK|5)?s0DFnKj!-eWbo0xz9MVBwV-I!Xnh`hN3=+-@!bGgw*U-C?|CaXeXn0&m1gcU=xlvmK8M><1CRn zcbDh5{g$bbgzHTP8A9t`=JQb^OO@&$R_$0MDvV}YY<#tIn&LND<9^vVE_y$Rsag@p z5IwqZj|>BK49asOW$w=ndXZHNrBBbAT9)5Pn+{$Le*D^Xgdgv_^l=(&Ditx6G9VM8 z>fVbV1?X^^`>$3LB|bas8;~yoS9;j70Xv7<;5w+oF_`xn*c1J1R9_1IxU^Ge?v$~C zpUDXYCt9{_oshsn!nIbR(V}y@(ib??nv&mLqLNj&s2oE5lGHHCLEM%5D(w@-R{la{})WtT0vsO=1FDlS& zJn7zs4Rz0#S;uLA|6LPlRCU>~S}F?hE@4FkT8k*n>eI>T%ID$(Xqzm+to>r_0a&B6M@ zcQo`0{@C%*CiOr~XS*RQP*Y6Hfv8gPBbP;ZSvUT-uZt?m3~VrYD$u(T01B7e0$eMD zdt9Mc?IPp9&Qu8&n=%S_t~C4BfDa%On|sr3K|Ao8ty9-T@l5WEFwIZ~P@Qs1LMWXm zTgQN{cp+*MJsE)EyX^{p*TK(d1-JZ_&XA>W@(bLlCQo^Vy_GLtL14Xdc!!AtDCb9tnj$yHVfrEa!VXo!N<2!PgK)V6c9;dygxa76XLw z)n%!!MZf3APT<&1*b_`{pfCMDd3Es*1^)1}@v%@jy4qr|0r-WOeaT@9F4XLau+x&C&i~L zFI$lEuiXdEb;e|P5zaQCI0^N*Ou)_nNeO!FzKUSBPmS$-;*0*_C(5C0|#CBy- zJ6v-bDz>FPOA^wYkV#CHd^E*{mG$En+Nd!;|JWUQ_K|?mX{Y8gy%cF{elouuXf8g) z@o$1f2Xq&VfHemm!awkEb8nslPDTNjkwJpptzg?O1c1LUVo1H zyZ*+a5&4^P758f%cT*fSu{&@$ z*Z|wc{mQdU^L^%di@E1$hLzChC-p|FX>E0DV3aV}PyKTIP(9jNQI_&U~Dhjt2FwD!5%E zZ(?XhDmiz`STIMW?7&#(#bYBJDDmYwt17)aGgU>`CgVHS_yV)H6nEC2I+smDno2Ox z>M1a|SN@b>D4egPgT`k>Hx@`^t7EO1Xaq2$8$p9(oC+Rsqn7T;vH214LG}q? zD(zB{G0v)1Gk-IGAuIoh;OTkc)`u2NU%F%e?}m|vL3Jgr7H{;MgzBZ-b1_)`CY)%_ z*PykNKiST1>Py6B4jPhF4tfKE_u_W6>Bt|T)Z!^k#wbhl|Ca@jtGoU|j7Hzr5=Z#q zhB_qO{p>(+Jl@^z0%VR(oG9SfvHhDNlMz-T!SOSKb|W?&;dQC8{Ca))I&SY*_P|rZ z*ev-jgXiDr>4K7qChzrJq_O3bLu3|~nCwDHy>G-H#??YVQa7hJK{q+#{B8VqK{9gK zKI75!cR8gU8KejTTkf7+jPqR!7TK3g-R>-hDyK_al$(!J>j0-vT1z(Z0%| zQUxe{vg^<|=P$dY+~Oljec&-P0OOKif)f*Y9z{Po%=4vjW$T@zgu2}*kxuzQ$LrptYGw?dB}C24OCdLA%JHSb(MW?()C&J-G-$I*;IU^!O^FYZ(jUfc>GxYMOjuER0jR{5k zE1h>em??Hu7Wrj{L%{%+rsE`QMx+#=MGQwNl21sLW{1~~zb`16+a-+TAC`LZ@ONJ^ zb;WWrndD=emul$kPOn4ji^NnYI#b{UVPTMyX&@&Z~RQmkv z;388%fXck=R4qA#F6#j^o+rHu7aykmOwA9;ziL^hAa!+CT6}_2heMoO`6g>@8^6+8 z5x=m@uuSEiE3EI5(~|CH(5mC7*XS|-1#Eh-IQ1!0gG8@&_8a|%y14dK@TS(TX;J%Q zt{>kv1e7`*3E{WEr__HOibiy}Kp4#Ojk{i9&w%9Yqq#cZJM4l`Zqm3Mg;uo~zFw<$ z9YpUXYi*_pdrnLrds0@X+3zY*wBO`*d&QsinYAU@?6r^s`9yPp=~Aa@f@4~Pd8NO5 zxNvy-BMa-lObTJ~PV38>yTzLnb6&2$WGaY_`zNXs(=0LR-LOvNoSynfw;Y-5i3$u) z>^DP%&@z_d%c31kx51E;lnUa>)f!tJ>|hN7qG$36j+J=HtWvE*!682%y+IWNLNy{5 zL(Eo3H8|T%l1y;af#r%yMf*i-5$n(z! zrL6ihUd$7Yv)qxZm0$FN>*$Zrj;C*@=7LkajLwRfp}cI$jW+mm;Y?-!$m}mq2?kFZ zw+M!CmfnhR^lyi(g}&YnKj$RE_S)Rx-#f+l2a_qG$#(}?QfJ9Y-Q1{@-0sn<={|Hf zN+q4{hWS2p^nH%i3jwvd`#SBr`x*^|VzIPt1}*JwHH;|nx30UQ?|0ISUJgl|{!WNs zj2WtvVh^=mhpKeELwm3H>LU}%X0k9!!Ip&mCSn;o1A(LzbdQSu4o3Ol+R};VJ8MGe z9m^_DM7?VB1)3Ko0-HcrN`oGK*!xEDa7Or8@)&bE903!R7&l#|Gr))qC!QdmGX zudcUTNJDNoj{Az?)Tl4tP#OLO)f@XUBFL|%yD1{k4YmKNVD*u5-(>!wlY5lxgOL5Wk z_`m)VRTO9LnAa?eWc_geTtvh8L-~tQ7J81pC?mplr~SEa%!0DuwQDLmRZy<1V=&-0 z`5;+|VOwb5g(*<7tv~jLL_l0n=w8459SL!VP=WQ>PJ;yTjz1`eupyR0JW)_Eqk{3v zN1Lu`8wgy@k)gxZi;kj#h&U+an7;1Y@>s9^Rm11NxQix1+pu1WRVBMAJgqhsZpyGs zIM@_3%0$uIV)#<9D_h^T7H=q&Xq3}rY!DLRcED3xukb8S0iY%_>?`i$?JMD<*0GHC zX-|&%5EzV%xsbLA(aNp;6T|vSyin#bYe=#+L#QAcl-p?>Z5eDHS5cmzIdu5(g+%L# zHq}wCP6LSh{;AWKo~{HG=>zmKNYdOA*4M!SCAta|lO;Q6JkGi>TySlr4&p$U`XNeo zlGs0!UntPjqOyU-W^B#IA_msui|S0V8WuRWPbz6u^@CMS3{Y257M z!2&Nh&~lV1VA}_4cSNA)WJQUyU-v{BQ7|sU_mIUzQzQPeMZ5r0_S($C@BS|`F^>Ie zbNO95K7L)uzSZo8sH!Wve>tS0qx2a?S0s#10Vv{TEANGfeXZ}?^!)BSquf74KLtvX z*c2-u*yPv(G}NcQZFduM$BkE_r122l=Cw2WR=ON` z)d+SAgJ3uq9CuGOJ&dq*OpzzkzemV;QV?Uo6i%ei8PT1c)|UK{jQ}HT0n1d=dtYHX-txlcw2G=H`e{hxMp-Q zdOC7wZ^>c0`S@o>fdK3e0*tRT4ff>_NWE%fy^2rxXnk11Gn>*arbU}PjV3aVUGjZ3 zhmD?B@6mF985qjbW2A1n5nVeFE5Fh^@W))vifj>2$L!L%(9-R0Y?2nTKcw8a5LMrg zcT8|>F?x1T75I$;9>(ZW+kx}`%Q`;8VQ0i%>K5g_syQ0X6O9b*2zK48tB`*+_y@5E zDe{2GpteARj4LV$mdSMIJ^XFQ(Ny{?GbrUwx%q4KhgZNh#TmkQm3%n5*>rgM`;{zU zk|!tQBG^#a^K(yL1dRnYJoBt=32;nJmQ z2>!*hjVs4ht7UjnCHhzGMAPZ2{;V)%m{W*COh3o^cwwXN*F!E&HeZ6c>~I#U3zv)^33T0dkRt zel^(D+sFDO)F$*DdfvNw43$^)F)<$O$L!3 z$*_NqH{S%;EedF0OMPfcXM>R<99u$n2UQPe(bP&`rAf8mJaip(n|!N_b~mXl@mM3C z#0O6LD$*{i_v#W4q!=qi>F!Bz>?Kj`t$3>17FR9&g4O+ilCxD8PL#Gks z|D>nzo(hxNcsw2$tWq$Ci6F|rX@gTZ+A)h_)hDZmZu~XmM@S;P`ozgO_|MjgDo2R@ zKlflt!LPv8!2K)+Ev|Z7UiZ-(OjQcPa5eW8A0xL)cdO+fGUjU`>!RG<`?`p$5CZ-S zDpO4}2t$TQ#sqN{T3@B@VvTU~G8#ghwCAxy*;p4_>ZgiitZUY6Uc?)XQIcJ*^-Oj1 zSadGMBGD%8 zUZ$F9qZ(>v0Vu4Jb$0E0203KKO1rD3`lr?-ikAGoJ3X8&r?NHMmlPS2QF{fVZ0Ai1 zHhCd;Pk<79CE)PaxhcRTmz-L>IWDIP&e-}5D9hZJPg(aI^KnJfQ2iuEh6vKoWbbY* z8n0eMx2kH7;3Vw@s6v;JOsdmjly>)POzEIg&*&I3WK1-c00f3bY5cXY{z7HC68X)7 zkR&mKn+}4zey)=fPk|~X@mVI0iu)|F4~9GeA*mAUwf{cvGdo#RW@fM`I8Fa6trY)z z-)FBpv8HA5lJP1yHJ_}IjsCHZL1$gfiMfG*d=7-HiQMt7FY-m2Q8A&|IP8|dyWfq_ z>5}$_H=TfMPMZ)DE7~~&$-%{$A^wyuDcj+lX)4oH-H{C46%pC(3uG?QuFeiX7~pr{>?)v%2Pna@m6%WhS5UI#ZO6V^5mM zuEu7Hb?${TYGUqREoDdAa1bz{Dj+!9UNFTNF?|M_{O>W!s+uE8E9O7#{N&W$MLlE} zD(C0T@U%3v|leZ->|o3=mL;C^BDE{L}W ziAhoHWrq4W;tE*gPIS#SI`q5o$@a^&4G)mHjzWK*I2{ktx{Z6TG@8LPbF}PusEks& zCNxUfukU0t^p5tc4iS}KUFkbc;4VuoyN)%bOTTOLzwH$8EY!&_^IIRX3J5r$p zic-)VPN&oDo)B#Niw$vIOISGQA(kdWcq@9PZrzcL2%Uz;Qg!Cd)Imtar$Vm%nu7~& z?c$g7Q+;K(0Ir3^!}P&3@0Yu~A8T2k3cSu&eOlpUz%IR{THqMZ?qAE**#G`TEKe%E z8du?h%hCTEy*F0Qjick1>*CI}1pf`;6rqW&JrZslPAA6S6l6__S0|36K*8Q^K*YL# ze7T0v==V@iSbyN_d+@FyeQ9^?_+y^b!*o2>UJ0jpz4bIVo5jS{74Y5hU!ttUhWWwO zQxO@m!CCNr6!?gVy7&^GJcHXZe+kaQ5uu#F-Xtn3HYFZ&rcj2Xee6zY)oS}D`VA!p z^M+WWNX*?>;#w?x&V0p-;{)q?;0Zcq=Jl(Takyf5Gdu=31#uuWi)&TtlB|vFk9vZ7 z4&zWC5L3RWLEJClGQ{3p*P(CfR?&>wi!>tA&7_#Lr&Bvv>|qHHF_xux`b`~FOb9GzqjR%DeoJIK&^cFeYcP1C4} zRLPT=*-gr_tT3sqnpc%5blA6=9vS9?qF=zO1#bPEGUn8ufLI9*!pjV^am_l(_T)VY z5Zi+=(HO@G?4=8Y8Mq4-XtZ+5bZ%!_bJ<;%^}pj`bL19uszibQ^@0nq9$5R8p10=qA~p@D`fKcSU+s2yRM~Pde|S^1O{_0eJYlgqk5kWpY|`iuFWtE`2%>6TZpk>fhv)TKF5R(0CtzfFrF4$5+lW z$1Ele1?2~2W{Mft{W6-ra9tj}Ys6iVJTbaU3`c;0U;zbiR6Yjeh!+%X=Rd~H*ld~@G1CDVsJ$6hZTLS%(b|{ zdb&vyLEl+)#+4PNB(B&*ch7UVg*R1n(VKD6rzqHo59r}f36b7+F*mz3a_-Q21`gdp z(B_m=X9zFHDP8fykOC63tjSFtPXEu>XZgzg-st->?shR%zV30tvzyt08#2FcWBH6s z?qu)~xA^VC_CGj9fXBEu-7@MDXpF|QV&A~}S%vzlZ+7#PJez#SDU=P+_dPlZ^kner zZ}wVcZ*46_o4y4JiDHJul#a11?y_Ng$&Lu>v=iM9=4}viMRVZfg{7 z&5Z>{JLe-q;aT85WNT>@vRY+%9QW5bjgZs;?}67_yhRkEM2v`s0K=+a{dAD zHYmby^^k=aPeen`x0IPVt{_z zOi-Y1>msjV${4GXb1-O6;u{(2y_Fm@1eVdno@Earia0&hUX2hh_Xm;O2W# z!K(p7;}%!2Uf&3@Mk0dStwzCM2-hI5TMEx?)MHI&h+^GI+=;|W zZvp6EKll$-)ADrl^X)3GT4ciLE~0KZX8u0Q2*A^1zba*Z%k>CjXhS@eFQAR3bw1vS11ES=V3x%KCT9mVP zM)*a$0y7O=O)~7bl@MszwmgyHQhbO(*8=b(VRrd%_(`w%HqIC+uYPp2+=7 zbvW3ZIglkbot)*~tA(&?j~)n+*w^5hG^Y%^huQ}=T+YKNZ1JFUoO|8DKXHv!` z=liL7f|aKqN1Hr;FngB@mbMtIWX0Sq|Mok1C%Q#L4ht17gol0mwatTZ=!1VMoNT{P zn)uVF{(_X;G|{!_pw#AS(v8ADdK3p5rhkO4#$-8Daq*9XacKbql}G#Z1Mk zdj^qMTpws39gX8SMTQG(P!1Znp0Bi!8yyjtT#y+kCoVM{9W8GJ-Nbm`ghfMh2OCug zWR>lF-JpnK$^z@a(OiF1LfH|=A_f1xKazC?Hz+HdnjVFkvBAkXo{oRtfg_HtVv`E4 zep5kLnlQB^PRchAkDe8plg#*GEpFB6Dpk z3#5TxYJ6}dBxs7&d+YtOB*Dq<(`6F{_~aq`M3$(j3D&;+Dc_*Fv1eK}<1nep9&*69 zz~e1cNNp2h6SJ_`O);mnqC@8A0Kcl&(zx&|`QX^=>|MiwzRqPG-!$Ve4Q3f~U!>k43Ky+t zy5m|nl|f0dEIF3dG@ykB_mVox&(Sxa5FIXc_Mn_moTv0&G+ox*YCIDW>P7!Sh7yHx zu|>QlMPQT{4_`3P^x{xx`Lm_Pjbop}8gMH5Zo@)lF)F@Zg-|)PokKKv9YT2eeR(WK zu^BxPP!OZcu2yIe$1`V%U6N(uh<}C<6c8}5yGEBeni%SkafWeFGWa&XtDFCzsNYLQ ze^h`LFWmQ0{_-0GC85!!B2n1&F=4{0MK9!3X#*wHoNcPBvnt`9ar%=rH`187E zrV)|usL2kqt1>;1jQYN=ZEzu^eOhgaux1qdtD*gZfn0{2?r0L1ynq|7Tz8ino7JqJ* zc?{xye@C|Db%y=gXyVjLvvFarf3}%E|KD&}H~Ae#o52DBoZ;Qg!KIo;dS~?lWPBO4 z>VEA+p0=%Jh+!=5Yx66k7_+5xoMT{p_bZsUBqvg2Nz6h!eV4|fcYbSWZrTA?mKinL zmnF@ts6bJmAA8qwRsm!3qB=hhD1K9r*vQ*{Wt8n`oi?iYM%I>>I>uXUgwn5tw0h3DZGEj+C*PI_;MaKQ zOAxXa7wkLhYZ92n(zGe@tPBd0o@F`J*Y9 zaV4`$@~I>{_GuT7Rq2Dy#2P)TcSpRNB{lC|r{-^|K#?;%1{*4B2NhZPJ{7oxh#8b9 zc2$R<*M0I|OXA5}-Mb7(AiBJ-I5;_exS8DSD%}xgkvzs`vCTewz!v7O^OYv;NJf2s z*DV?B?rSKVV9gRocXyj3-ehp5g!<#D%P~?}x0b7oMW-jUa$J@P`0W|loz*x3ke@bL zS@trozGvu^iEOuP?vr2ZG?wbm?(REy#isW%chM}LnL*s2;HGaQSN1Rb|Zin&W_p_K%g6p@Y>X2Yu7h-<{jy8)=Gzs&BGUmexssZqpE+K6c%Z zll^YmOpUuUEu|k^7FhLE7oIl~h?PV&dG`2)Vl4dU+}Sc95ymrnk3pTNC?#qU2rKBL zj$|0b#K}Z_KlO0?E20=A$H^O`Y%+{Ka}K-BB(Bdc{!<)&wgstlSj(YVPwUD@4McLC zTDv378Es~ZcUv)5V*@xtxHu7FB6y_Y3+WK|PicM5W}3kse}#EEX(N{3o!O>pZgWg- z)l*N_meMu8Gogogx{brZyic5lzP_|&;O18V=+t%NG@!eCwAQ<}+$bc$BNLs{tsWCy zviEVfo-mbttdR9s$~A+?iR0*Cb`A38B{j3c!!`vPZ5QUTAr8ca?c0^P=~7pMg5m$A zQFO10W2EBg%wD)%*PxW6QBlFI($;ryCt%)}-gc|jOK-bYU}0dAX$*Lkl_MXbGy@84 z<~Vhx%;S&9_eYy!enU}EQTIz0*yMnP_b|fCtMY4`qCwC5NDq?LzPdH#;7Kl0_~^y`O<{)Rvn9c3}fu949LQwNYFK4$`4y8kFCpqFYEc_|Z zIZq)|FC>~mhT^s(j@NrYlCDR{ED}?IQ|JEoe(#Pw!?#kW z;w8?Uf&Fs2dv8Edbr2|ZEz%{*n-CG+%q&uG7Y7wP*^Azo*z_hR8YNvjLgkDqUns8M z#bkhpY7(%up!U}1-?fO>ytmW#u$8s zSNSJ*N5`mn+qbvHn!Easg6dtz31nVfQ*g-++Cg5xkY2Sxu^u9<%ltEM@3i(Ka>P|! za#QZ=r`^j^KcCh{veQ>(L%?pj-cY>_E5WbtSXk}-?icT;TM4lQ4$Gbx>H(Ao-FQhj zz0fuE_2doh{qxgtR;tc-S=2yRis7LMTvPO!rd&46#BXkXN4rA?SQPowUP%3!(9nP4e z@}Izl?ZA~-DK0|Ugocz3NuJ{>2;z4De0Lf#H_+UC>@;^|i2&jbZ`OZb)#&)=r=vn! znLqe%V!P;~*Q6bV#+Y3dr^NvD6K1w2F69dK>e6O6ubQ5clHy8f3e1^RP zKV+qEW5MT4oZ@cG4itZ6FDiI)*DHKg{zSNKx&LpDK|pRMd!Va$K`-~^mUMDa6rEV` zvSH5^6uB3`DYetVT=W)CuQ~u8&gqvjqI9J`>EwT&)?4Nn9>3->3w_IlsJ0LI1pxWl z@e#V{VOs6-KL=q_I~(P#K(o~9YCq1WH`8@f0syPp*Qku$#8_>cd1jH>MQHi*19Okg z3`x9}(nt&8EO6;U^{hSYfVzIpfT;{4bSI^#G=YMWTvS=q%0apv#}N_#yV!RTD9Y@Y z-uFV}Z<)Th=TZr{Gk815Zmv7peiOb6u$T30k`YHCCZHGkEy5qaLnT5s&Z_4^7rnIm zCO<;gNTyd|r3>?NG7NS4Zex{*bHfj5B*g~P>s1^=&$~={XT6-aX$E!H$UEkT{0b2U z-)9LwO3|okbNsG#_aYwXVAQ(+p=|fH0p=@+i+eoCZek*~s#~Bz463%0mP|3t5m+zf znzpOt`@L zEQivyfl7@JCe6-B;u=l{kOGMdz@Qle>?DHK_kV{#ZF&0z0jTvjpU`GGMI+{YR(ws zIO(~K47H4bPnr9(jMQK(Rxx0YhLx6(4BQw|iYnl$6}xZZLW5V!=AlGzc zm&7sn8867~d*k}saY4$Ij1N1{*boa&X^-l2_0D~9h@}k zaZkVB*nOGe->Ju*zuf?!J)>KyfL8X>8j6hCR1|7y1%iUX(aMkgoXLaq#veP`GqVrF z2!l1Eh*0Lm-wOJbqQI+d#UB3Ake*@bK>vE597y$t5{)oK$s8@|y~CH72oV%58`p5Za2&k>PxFkgI*ns0(@ITVi;B8s%d!mZ`4 zh+)JyC!!6D#YHbi&?_Ao3=cb2JG;y~Yb<;CPV_3Y2&HNI=A*A*nIyMEiSE^UnG}=; zJ9-{GE2G);$gS0JPNPQn!v-klTCJNlB`L@{^qgUIMebg&{LTWfCH*FTP;9FczKIg? zD4vW#T@6A7{zR8y{j}RFz$v*qgpP_Hm%7kR9nkT+mmB&gCPMkVn_{C|+Ohu|o432} zEXTl>w7JQ9ebP5rCiFfg>*%rlWzZYg4&AyOvEaBtlaH{KrY;%l2=@aJBS% zxi~$R==#pG#wV593P9h<6{P?Tfo>H0{XZ3LkBX1_*SsgUPYt4i@warB<9uTzWB3qq zVg#6zV4Au~8$NH-I_CX!$xUA6Mq)o{+s`9Yf=tT~qR0;$XI}=?c}^YRG(6l6HAJ+5a{-eUMUzD7Q%Zr%W*a#w{?ah90uX8}wh&uh z1U@N!-Rqggh&iX&4M!U1U6hL>K8?omsKx5HDT2MDnI7Az%i|!5W*i**So@L(L{Fis z^5~;1>s36lL&B2PJ4Tu7fuL7CzwxGk4aKg$tImZinx!O?OLg2%rvSDIX7mMIkqt&}X1-OWF9 z-}v~ULLXO79`#$jDl7is9bJ6NRTo4R&p2w(GEBuE(;qD99!wCBNs>`cZ@u`egwJ+14vL z-G>Vh=%L@QB&4G6-8R8;_u@f7W1OF5r)Cq4-vE>Rf;MP^Rz$pcVn_msNjCNu8^>1y zej-J&18d*hHZhu9AoH_XhlLx%SyI=!gN(um2*_a!vtfAnTAPjR?tKo!-RUGMO+MZe zb&4&g_4TgAh63wo6!X7s;tBS4qa${EDIPnz8iPga#ZsC0|J6lm*!ZJ#>6EvpH~eM7 zpL@dBX=s9zK+bwkL7>x_p zbNm&8$gRbUkz(3ijP59kVBsrps^x!hqkz{E^{k6+avCa9SKu{lptoR4hcmj__`rxt zV(K)YaRnhN^%%Ck`z-{3C64^vTt6K#<>r*U28VO9{~yM_1E}e*+m<3C(nOFVB`69O zAP6W(3yKhsE-KPdKty^?XaS^42L)*XDWcM)*U*bJ>7CF!38526c)$3)JMVsT@AscK zznRP^VQ67#$#=daBr28<@`COq|tH}NEmJOHXyN9t(h@H_L2jNJR|9<6B=r#%gFLb z!Jv?+%}B0A-a+W@J5{sy>8m$7%Ex_;Wd&UmTM^I=}Fwcc-duEF$sbv^V!c|}A+tD890C0W_< z3}KX?nL}l3E=6X(ATMJ5ak!lCPZFGoTxX0csmIkjBRThTJeX`*FWJYh$jkjQ6GLSt zxBJ<&UUQcNrrJ*qavlio*o+0T{B9m^pW_6daj?iVKnX)B!zP&TwROIK{jWSU>{WxL zFHU}eyNzxbs&P*nLf`)MZNC|e!05fIK(M+^o>aV{-GQRVfOAVHLrLY0PLcwAGB(mZoJn1_b;i+Uq76ly1Gs-KTCJYY$^SKW}+ z43eLWjzV@cM=|yX>msiU;Eu9)6^^uc0v2UY&7b(pZ|{yCw4^28pPLUnCZFfl=BG7w z=6yh>I(~TTKJN_AeIFgUMheC=LRj@^orQPw)k`1vR9!V<@CpLIwY{WXx|K)+^4}+& zo7XNeqPPp_#=b&MN+27NfOPi^<0q<=z@Qpe8qal|w28U}ZtU!qfV28HfS7LrQjevr z$h<7l<-t-k7ZD{}>3PQ4?oU6e3Q;$#8=yS{CRs)(wOy9|sAKr(xmO%}tc^=hy`Y8w z?q6j7mrj&47k^i$`Ahd3$*sYG}vHh=iRcPA`kJO?bzReYLuwZpwhH=4$23t{H+b04*SwW^p5RH!;SIurJww8YcH~H|}^K;Rh+YW9HI?(To*7D5tz_mNj zt6C)isOJcbHVF4!NlyjjMtp}}+iZq(Yth%=P$07c{qiN$?)V3mL4>#`wJGYgB%{D^4poPAU`4{U12~>+t=jSJhwg9KmJM zy~j(I0_T{Aqy_ARodcclbu>v+Baj_MP!FPT7H8ot=?7Q=Bsc~b^au!pF^HEjn&f;aV4HQQ{ygAV3gdi(}L#+=%>)8(JvRQ{%sz{5>TVZRDn@hzTc}cb%iMX zL!I`a;T{W7-=t0cCCS!HMSpNVkEtEJ6K8!xi?vfB+=o* zn=kEhVKZ@y)*J=g1-`%J01MS9dCq3Dk8H(4zL!M!wnGkWmG^t?nx~VNi?_6hN~3?d zRx502u-CGeUU~-zks%itDCvs*Q@I7S$+A!V>eaG5htImf%h;G=`Z+#REdtPqc&Y-ojZBym?8nS+*Zh6v^{o?G2 z^Yte#cISHxutLwM$z$X;^!nD(enXUz2ij?&o{Q3mTQU*%zPVs+KY zusD^Uq~-3$2ydWtQ_Vo`o*qrlF~C+ea}oQn+J8UQ8eWfIJ-D)NT8|1Y>n z0yzJ-r^uX^eGt6R>kBuz1A(F%E;n8~ZWJdcU#y0EhQ~WpX0%W;4Fkyj0F^0A5sy2Z z(4r`Z62Tuk3n9}4Ss=g(%UngfyC%||UMLh_T!^S$1wY~=oc1$&R>mVa6AjnQXlw5) z1{Y;T)wT=+EMA?H+a{l$73sgcc-#N6RjXTI=z#_h(VktC2SzQ)<0L9MLoUm zl=#XNR8yPiQV*p6GGeP6qAG(Yo4pE!unu9>2Ac-@xP~`uMpLeg-c5&6ytSHM_~7XZ zR87fK?~#SVDcNmZhD2i=R|-FJocas-(fQe?;*au>!RTs^bR4b4;iF$_>rWwfEA6ft zc_y{ve0;6QoP9q7M9IaVrIf$tP1ZK&#adc>dG7B?(Y>+Mp51ReB;q?NcSUs3?uNgS z^AuGPBiSdj4~M$Hq}iiWJPZgHheP|3rpQqS-+VXjCuHirvThR-fKGsy^Z1{`E{&K5 zR<{TjL4oMknW?6VXe-xH`;rHt_G6diJkxJP*ys*337b;TVZ3dCs`3q=<7 z4LiyzXHiW8JSGLlnVPRQugJzEiaR!QK6DHVIllFAS=C$bj?+%uZ6dqCXs6AQuxj0i z$Uv(v{Fpl&=2T>XU(+`3@dSq{fgYT=mZ__22g*!S3o@ z5P(;zOQw9sp0U3^dhf*Te)0RCfmX?TkIm@@p(ah)3sFRU4I0csM$|?^ z=|BKvZ7oL{U-eZ#(!ok=Zj(E2ZO;S{bOZ||v&P}n~>=KE~-*{7c`C8C+|zFIY*3Y8kz?QICVY(Y#J9B)AssJy7vB5Y0t+3N^#$FR@qF>o{Zp` z1yW47MkC=+ATn-zoP5_xI?z`*Yk!b|*Je z-fUu@*V{utX|#qKaO_?JW1~u@&z_DyEsdd?a4w1o)IY5^1u%q3Hq5gwv%k0}3H$t? zPlMk(KZ=%6@(=md?)#NaM{eS!KpS&PNhE z;)QXBkbpig<0pqvb9_JO_kH9l3!6Jl0#dF(#DZS{XXqHR5iH=I*9G6djPQ38w=Hhs zNe4bOrIP)fWU8e9_{6^(3bp$tJkSrsGT#8A4T1$w%V+7GWx2mzq%#Oz3aC z65LXyWGJfbGN;NuUZo*pEZ&_UQX2yq0we661}(D|-F+>pY{!KR_xFo?1&7{nM?{RZ2q42b0ua{x3V` z|Lvg$Cqc3^=Rc3AQ=es}njqLPu@|k+Jz@KBn}X%zT^^z`yNq^`vLU49N`g3fL8w9# zA=da+gL2b$aKI>jL%g5-?1?~PXIjy!Cfwn942ND*rb+cIDnKmYmegXKZc>Oo3ZX~VNBO`_?h`L5z6q3Nfed*0#vj|-TsU4(bu&uF7uGA z(;eT+NaQ^Cnt*|EY#KYe{f?b^jE#PQLq0I+Z_^^27g23*d!*&DuZ3q*vcaSV`iD&9DEw z{YXEFxAgl!Uac8((7IFe{d6{LHuI8=HreAwDH_`IG;OzK3{kW3!qZCvs;@+JTPMvj zx0`NKZL>b?SFmq7Viu-ryce^Ul(xZ^#|)%%X?y1VYggs&;EkY~Ta3LwpG58W_JO57 zN10Tw3P>D(RKLy!{%GW8+;a@(>q=+&*!8X|-U=1{Skdz0W#hFsBCiK--$y;1rwI!Ghdto$OLIZ0fvVvgp7hd+oIU z+Ue6J*j_f^5w#qJxUmuO(u#DtvdfYS{?oZ4{k;XLF&%H!!=DTES^o25>dtygzV?LG zY6S>SZYqIn6m&m*wiT}NiUlyv+=Bi&pKyblDCIp5_^)5NWJn?efA6LA$ww_`LY%g% z7<`2I=0tQF!)}6Ze%EBHn)@s#`k|~T*RTn9OurP;43ZoD8ZZj@Q8r7I-K7kBX7_Tc zL+w$ACVv%8UxY@AOO>|koL?_{XqYb73|>G^A~m;ZJ*dJ~ zpQS>~Y6c_GcJ2$eEL1#XR0Q%yqDJo%uI&J=_@P!dlUiB79-~y!)^IJiOZum+5pPXe zy#m?f(tlb#VEyz=*)Cys6=zzPs58%vv8FJeY7v-)c}6a{(NK-HTwz7Xz~`bbM+&eI zw;h>*AL}(;k3;<0zDV16KM-uUb5*aiQ2a>Syj5M_N~@p>VLrg=-74MWf)hXija94b z)KR7VCJB$Gx>+8H3FKXF+5Qk)#UjeV5(!?cjtqnRiY@F2^E3M-B_k1HGdCB?*({)b z6p*=1zraTuby~#)&!#QhUS;&@(aC^H7{dnwp{ zNbyMDQ^NKi<53AI9`(hmKl|r+Bq~(2@or)_Obt5Nq}q7f@pbTQV06)Jg6~GOwanbY z^|=tvKS*m_sA}a#K))jR=h8(+lOAR{$EG;Oxv#5!F+lI_R7AUMsv}a+abWm)dn*_T zIsRT4C*X9XJpho?<=!A6O|02K;?<)V8t2a8Ce-Un_O7)ih~k0SVwTElYd+;CFON2? z=Ufzh3iyI;q`PC-kc&dMelHdmg}Vemtkx?7hL1zj5Y>cB5Bt-K7KNnIijXRWhfM{~ z5E4M7`ETU&e?gxlxb=TNf~}-gV-b6B?VnbyheEZYL6~=jEzDGUzLDYh+F0h*T7H?a zpGi>=$(zF4oGDB`hOd>sq>0aK70i9Pes^t^HcfI=M1Ah=OicIe*LCrj5+0u&7J~VR zlygLsjU?Dkef~q)Wj3{!hWKC>?txx)CeaGtSdm0ErR!pWPyJT4qNm6TBu~u)409S{ zWNQl=o#wuRr8?)Mir1XfBa13KIXU*`=h(1P?pKUg#PH31^eS!0_?Gg6+O!{TQm zh??s!B_C?!!HphWAGWT4{|q`Ok%x+z29nE`i4|Rf20RYR{od$@n1Veu!ppA z;yMo={nN?;`=q3SWM+$*^=GWtWI9^fIl%}w7Cj|TqN+FtSzNg~jCf7MMh!a`wnx~Z z<^L#igS&}Y@cC(sUk(GG!Yh~a)K~Oqz=C{&tOOS&$oL$1Mh+F483w_(3aDMhKZXa@ z&IjbkoI2<#5N>`K@QP{H9G!Y@X=i-xwwBP{MDq@INrcDczWuPqj>oRG)>QGxux%B- z@U&teI<-abohZ7&ot$Hl{c-Wh;woUInqxoM#t`2!$pl{8I1PsrEK}q{yD61)psKii z=te`G?l1H~@5AR0x91r#7nW~HW*#{kWhgcL%3{<|;fg)aK+~$}ru+)Hcwoc$IDu0Y z5TP?yQq+I{=b$Q|COobl4!xl+qBEfQAV^=%XQw^tGDxEGu2b~(*gYBVmRg?x!7!Gj zN7uy?Z<>7L$QLexk50AV1Zv?Y4tC01A73|hWkVQ2NZ;wB%(QEP3oHDPz4i{8sP2i` zrqc}6au3GcU9!nw%#$edX+B$3A7Fl7CypszWzka!KK!#Iy$(2Q5)&b(*AA3&Nr_(m zz=XQ)KP{0ciICe>`ZjL(pO;967N}(iVWmEIQC#Y@eCGyRs4jirz9@H>oqulrb);#| zrxdIRZS4MOi4|Zm5kJ`@c_*lDWfIK2x7qd`K+GdTf zr)%n5id5xHou3yFt1Oz|8gvX))PM)}seb}02^KTlsM1fd6gb{ouKLOa8r8X$;nMz-I5W8<1HUlOPkakPs#1-2{^Jo9fU`*{xe9iKNt5-8HKXvQY zXX4A^)Bg3(2?G>ppc`7Fz*q)*3QUE_+WQ^IV2(ZiI04K?I@-;#;!Nq)bbl^&PsFiz z&glnPif8_^kBhV}^eP`kQ+!vItY!L`yw~`6NvbkC2@Jm_)1P*<%BVR-w!W%HJjP{q zJWbiiT8iycho3g;+^j9yTPnP#*K`@2YGNcj8k6QyC9Ey$^LxePZH6hw^DdQZ=C9_W zi=+%+UDU4`xTSS5tT28{>J;8Ge4Z(-)J~p9k{ErYWj-o=Jolq{At4?VWwJ-B3dcpx zAMJ|J5ma<);O_~phFe%zOATN$+c#8Y_y53nQasw6W<5e2Pap{uXza}1foe@5!WMeC zZ;x3;9I#Tu3Xc|YH>WvF1Yl?)CK3~1a?Agg#T0%!P4c_+I-c5<@$|DoHM8AIiQ6Mg ze=`1OvUKn__!)aSAME52cED#&Y0W05ttOioz@ZJZRAoDE%_>}_2o6EOC>WtEux=uhRJmje^l&?Zpx;X6a2dZc6IA_ zK4S*ch%UMsAJ*->7C2!5Dww6RO33uhXGwnV2RZVGtdckkZW7h~5!IG53mnNmb6JTW zb!#&`hjWdGxm|~}r`K}QW{lRJ9%xwslvYc@qVN?*y{$kiq4atm5{B%(X$IOL0uIh~ zKud3-x*cfV5Avf0j!4a0H!!@Bwz`=SQd@Wzu{Dawufez$)@Ux)Svd9SrvsrVBQ}og zgYU+Ng!%KiH%iEn>Q1<)acSbN?1Gms`U-nBWkOT7xA|+&MZhn!>LSEfuQP&uE`Tnw z-Z^H}+>2v6)fECqv~D|R13=$V7%T#VzZ&JDK!CsH{}BHuPSmbkpIqmi*S*ThsatjR z+o7=TT#D;f*C8@TvgSu^92!+Xq=9=L7i6Y|PkrB$YVBvLDoeR6a|gNyde)R-B7<04 zVvAXj`g9r+g|IrRGXJU%Fp0xgLK7|F9gC@9r7VsstK^9R)o8bLNR--PYo~AUmdm7_bVb>KeZc1of>Vqzop5i1+msL4i z@Hvgbkl1rD5+Mmyk=qf5>q2a!5;z0!l<^-MKind#uEp=IEEpmlVB(q8V6qGulW{ z(#I_ZL@`hv^nb2>3OZgK0M-Aie{!_$GRLQ5==*UG`at5~)(kQ$jH{q@hfTss^^eyL zg)UwvbCI1`$6tY&EWVA$xbzm)WD%Jd?Jl0*rXkntg>s%8?gY+t(MNINuHm->6E>4# z)AW^2J7MO^$)Zl3i}NcP9c;mdyK&bFn~zqvw?l#XD%;zECG{2P#yv z$+Zf=u^EJHxk`ZbQSCXii>z~07pGVN5Zw^TmQ^f~Hip}Tq#IyB6;(JC7t|!>CgpztQPuoWazruww<>18K zG&DJYs^Ukn#)s9TTNXEM#uM9t)K?;E_`om;f3m-63Gp=Yg_yP&pz$MeCH%plv!ixc z!+KZ7`KH9aSXL&o3-99copO-JPLt2JB3O$ir$J{p(4pR-JrDH(ppH`i2LNI7so4mJ zz^yXs>yU82xL#nx*LzJ?KfW&ESa1X#Yqd19UjW-Wahof&5M1!w156OpN#u;`^S%l8 z@egb+@M4RjyloDhA&1U1`W@c0l%O$hU>C1hkZhd^!ZEZoDWW)WEbdbV>zmw@LAU7L z+TN!q94D%ukao7~gEu!Qw^?Hw>Aho?cP6p`9gsth}0=F{a!|JyC1;yQO zTs^zQN`@W_J$hBr1?RKdlhN4aHd;E|c-ZHz0XrDCJd{qGIhi@cl-?Wa9IfhgZDVr) z(Nl?1OHunGj=M}|ycamptL>kK(kpj9AJ$iW^B(Fxu_#wfUIki%yIok%r5qg)FK1qK zP^>k329RB8k~7Z52-lvfbVaCDW|6IS2&C8V$A)=?6bttBDK+&_iUQapK0RD1T1lV$rG*NbE4`E zWXic-Ka&gG1x@ES3W@85)uhonF?bo%mI^QO;C*C<$HX9VWExPK8NXGd8j1oEDCwn_ zU_B$BlH}>UnmKy=F@ViI2^^`F>{U{1M`MqazAW4YoNFugog^scx4`>LN=j3@esJIr zaE^a%#g;aRuKNS9_ZjjV@LGXcD{Tn=%M>y`{;hiuc%pf>2HB5m?vfj@*ZkmckY7{& zpdzySBpA405U?E7*$K*obG#sl>RXX7%@h~)*3r0*#yxO_wBFcuS)q4+37@fgSJEqV zoNGh<9**fhA^214+k(L5wJ>RU*3q8G1 z`j*TM3$Ul2CH0Bb8Yyl}W8Yjs9Cp*NdBz^FT+&P=zs#Lk%h5i75$fwk)>bUINYsRv z{O&E<1wEw5# z{ge1C6G4ddyiviaY0&JqqZn(*IjFgWq$6S*S_DND#4(_XuBI(YIemnE;@_z<4~POS zC8Z%mTU$+Pt<7nokgM(Ba6y)FSNLAoia<`}3fs5v3%z&TuSs}R73{|K+QW@L;I})R zWyP3kZ{1wDctfl}n{Hko?rTA#%lpaY_V*(8XcIhpdOUMo3`m~)Kgu40(uHvYEotzz z00DK}!6%nuMudAf(EL}HM7X>==GOLwTkh*_*=Lgw>(5Cwx044b&TIW8`I6(lm5$yS z^JU6&c=XbSxTr~7yfakryuH2eVDE_?OPZS;8z+RtRkM_NxRiYbdBgJ;!&t&hrp37D zmQK;wusAw4LR^i{ED0Nifr9LM+ zdxBF?3m7Uh>1<#5U6_I%HY16+LFkw^nGBz8tF%h*P)EJky+H?pJakZL)QSnLY+{aL ztBla722|VxDCa`CMh8BsBC?@PxZychxz(IFgWY*eV_+x3WDrMjIe`2n-kE#qWm7ia z|A&NI!@KaX%ep7HR(Mmt7IeNUh6%Zt!0BWD+jDQ!>UasHh%Abh{Kd;sIbR7Uyw~gR zR2<+pW+#+$N&WJbF{Wjjd{;)=T*DJJR>{2-CmT<8T(a#AJ%3Z&zl5a+SG|WNOm3yg z*Fxo%GVD$sCb+e8xog2N$$;Kl39t*- zxi(L)9p1QLsdKUP`qx1n&_D6UK|V1%Gh z*PW!W);?H}bCwPEwyFSBX^~67@z5OE9H=m^ew~8N;@&TfT7%t4pFSZw-9*@1*7sy7 zq8BWdY%jD>PCpBtBSd9kJ}OIQEI zjwYZ^mxxd3Z}!8AqgUmxp|91j8FZwyc2hqcH+X1S(om3Tg))3*RC)KNRy2sD8g)y) z{5999_P=RH2_Izvjm1XsC4H~GQK=3!F5Q%(?Hl332qz{sOxL0);g+LHGkq(F!=*!- ztuEs!2)KSt2G8(dXvyiU;>LT;wDa}@LV_?~ZfaC@1o3Wt z!BJuDU}axJC`4BuH{UVKpAz1|6we8gtL=|sbnI*a^WdP7BKS`bkA;PNDo{{+ho{Y`gV4D%>lT&75*OQZdt)=@L!l5eQ# z%q=DSSr$4R$xBX(M1 zSK}vh(1CMzyZcJ&=*nQt!^m0`QV%-_5JmBxbJKf~nLV#)4q-lruxZi}tS>NA#Uf!V zfX;_<+9)UbsI89Z=sJ}nxBr8fdJ3e?lb^XmJx|zqw~_hKT{+K^8D@7l`ebGlq}_{b z#%tBWjevm-t$`LHJ4Sd2V9@~zqEX!S@L z9*<>!RW=W-OH+1{hDUW;7-lyXKxgnnGsuD2v^{azKC;Pu2se|Mw9btK#4@0Ju63~X ziZFEyP`zqQ34OM6O{#8i{2BS>ji&2q-)VPWxHljzU`Kudwcr|kxDNP4ZV-;0pX8mqhacz&S z-C)Iwb(yGL>2JN#Uu7R)xOo!ZK6^#q;vA5e=~cE=dcVW%tWIpB{|=zfjV|8bK^do* z6_GGMp1d7q2#(pCu$H`d@-uR3mGGsaJ|&x5{Px*kIb*yw=)2_x%>(zOq4PWmX!m;B z#k~1(&IB~2P#!SooG*>>_9E5zmL71H^zuzo;Y1vhYtI;e@oqqZ2#hRaC$H6aHk%#4 z4?E(wGRVl0S-S1|T;kl^I};Rek8MpJtV83DCid$U2fg}A3%8KwHjk5`(y9+jO}rGm zYl8M7?7cE6TjU$aCYDGgvouuJ%KDfAm`36wG3z!b?eU*C7suOkXGZP%5Br5r0!@wr z>+L0n?$;u3qVPyyBx=`#Y29K;tUg_n?J3cj8^$WD!mR7lbFY##!hMoPj3A~?e~}e=I;3b`73r(9RI4Kem`Hri*@Qu0(IQuo%Shp? z6EVJi=+3&Q8Y#8@9U;^B*{5A97 zyJjX|9ho;~D0eH& ztvHkEo|Y?Rzx$ir600waT2Y?tJ?hj&;fIOHpO7-e_Wk6bHOo3#jz_^f_JcCnNzYW{aatAsu2ZC9N=A} zN5DLDa^1r@T`LctSq26z-N*ctou9t{ zGS61h#>Z}1;@mig8Biu|hSN~n^L>GC!SV{tJ<58dwEw7+bHekV{JHKAEh7APo> zA5SBUPq)cP47PPHT<>eC13)oi4cZr8{MNZ$uc4w40Lq_+o;V#pjHioKUSSsjrkU=} z-XF_&?M3#aDW-J5A?_ReL`0_XCXKT?e+tWg(j1Gmh<$L(%u2Y;dAxTG*AI=~ZgJK& zuZ)lC_^}kkXm38Nu78}Ed_n(H$F}OV*oPd8nqOm&FAv3SPw`q2wr_YBbUvbKk9)k! z=h)P-7sr48x9im9VV%XwA1?IAMgqc1%CGjqp!0Di9?{mge$})+I3WX)UVnLLHwauE z%kP96wAb5+ANc+rX#9q}&;dFz6Z7h5an>(XaLP(kt%ljvXu5FO{U4e}gYe;wkwisO zsRo%4t=7nWWS8FSTdA=PBJ_iX`(?bN8}X^gCZ;@Z@w6vV*a9xpJ^-Y6ovlZ}uZkZq0Ufx=vF&{&VYLKIV!KwzK(md)R0OsdELQ0 zbVk-NgY^E8&PiuRz;FQ!P1djEJ1o_61LZkal^8^qE(`GRO`4ND-@Hl4BLS4w^Gn(U z2v_AZrS?5`IuLXwAAOvP9^djz;XY~0<_H?sHr0!hzP+N=zO66)sNOp1(7n(i?_!9A zD$p{B924o^;EbE*S@#-6_%HDr568$SW6rJvN^GH5wvt}gbedMLw5BgbztqDD;UnpH z<+jQiF#yP%oEpeSzBgi}ehMKm)dgVd+ea%uz?Qbuin>#Jlhj?`8P#T!KNZsaF|B*x z246WA&f6JRm18uoAl*GR_OYH^m-@^<5sP6jPDT#B2Pi~tBL4XE4EY=F2eR_h((rsl>gPP==*< zpjFQI)@vw0A}_3z+12w}(OO{6u6X-|yjw_<`zUl1`S&`q_0|F2`wC(<8 zkm%Zl4o9m87b&&erxti5q~;wv3c>bFT}2RIO^6ZagoYa6b~5lP^xzh2KsgJ zXf)Y?+V5%s{N?6yCIp!zS`!OZFJmBMv7lP!fVPG2!P_eX=d-Cmh6q)%TPc5P7L*@=Gbf)-$r z>uviIVF5Q$PuEmf?8fs5;SD=SGem<93fgzczNF#8EnU_R92ZmjeMBBX?DAe4CRsJ{ zd#ip^;Y6y4z9sNj1%E#YFIg>tx9dJ?OA6Ov4 zNML-Jh;R)6JI+A5JOvvw`b-L4Qc+|$-?85}d>~4eb7{pG6|~L#6nH_UzIot!Lz<95 z8zo5%7#rrnW@^p#16F2L8W(Q+6Iybscv-@@th@U5ue9Bil|A3LwhXpWN$c45Jlkl! zG!73oA-)sYb?vALTjLKluI$@+ZUN;iJ9Q=Ru0K!E<^IkzI{tTa4gi5sgL9Sp!+SM;}he$hLSY+1^d*|1Kiae@~Tf%d7 z@Rllm0jafl#+P^SxLwucy_lHo%foRFP95KmGofE3j~~+%Hg_n`Z2wO^G@b>1qj0BV zBd?3bI!9HvoZj&6WZspKu*%3}5a6@AuF69Z%`7klz7gIXu-jGWGQX(!YR@TfZY4;w zvM4JwQr~AlQTM3OaDZD+uEjDUnMK$!;z2)&gAv+ho3T>fP};yrNy{HVUg?sqhF_Q0 z`+BZ6%g-Jv!;K}u&Dh;cWWQwTo$=Z1#_DUscRB9&YRceRn7U-7prK(o$jx)ggSW*) z>@4nI@_#Y&@*byrC+}Bsp;Q*%hq+dC{Je4bz~IIpFdRNzIFd`vu4Z~G_r?9Dt(T=1 zUGZ|Mj}rde;6?Uo`a;QA+|nNpQsB0K)jUe}{W8YQp(VnktuuY^nUcRQ|2^{2_wwCu zeUla!^m0rFWOuWr{jS?fFZ{tgkT@K_s#!79TW#p16S1=(N@v^l?F-^pNCA zf#kR^<~ufpFvFJ8eZRwo^pMX#I)n{o*zPXLC~OAMy&H~W3M0c&e7P|y{VrQV*8Gma zJ2B)q8E(^Qmgw1jTqj+>HDe-egap8+P9?@CbnxF#{8Xs@KQ)Q^NicLj#Fj{4Wn<=i zzarKW5I@jcX3s;6kbsW$;7HjMV2I-#rY3{~f_+WRXdB9X z9|Fp&YdKjdzrUs;?_I{Si7v~V*wW4ca_zOAzT}u>&u@eu-0Mc-ZD!qVCG)A&N8G>p zeUx`=p-V93YpfCw$B#e!LeJ_=eDKSR zzGV>R)lh)V^LQyM6I$EMF^LPOBnK3d4NAG{E!SE0#h-zH=q&aN*J8r3(fA?u5Dzs1 z;2*8PEQ6N+^N4NeZKu!v>#+KRTdejwK1yDQUi zmkQi64nO)>9|LCJUd(HHSw=SrZ-++LIl>ah-MKn6q$`b0ZM%n4G}ZU#HN%vj`9%J$ z7DmwE*#~CINUAM{!~RH@iI|y(SsGeV-A`RT5to5^eSjc)PjE}5?;GrCN+6MgFMkF7 zV6d$V&JQ$iMsk)KmcX`IC!Ys=>QCuaZ{_$1<%#ca@fpQe|X-?bl(0t3DV)clxRs8%vOUs%Y@pFa}{h~PP9-z!)hk?F#$qS4dN6rdIzQ%OXfXw%ON3WbN*he?s?VGCkc%M+J+qACd}>SoeFDH zd7+%JMvXZzub-o!_m|q>LazSeOfsxeE!9|2rkcYZ&O&kGR!WXbh8v5iF-Z5kmfNSu zom=%TPu!*e{uHRwBFbX$(5J|(-3Ysz$~{`$N+n(3olEOxxV;6+&wVrE`HUX{`_zc5 zr$hSfcZg}pXUp1i+~O&=L)Uwo`-|d4E=J|hu>!yEepSjU(!KYl_ruTo?uC``>*x$7 zS45X-TcjwiUdf!iW9yb_BypxNl-*EG2c-OrpHu1JHYJ($OoAxoo&|9R0=7&5{)QC{jbM$ABska(uPnPtE+X-aw$e6tw>$I zLY)Ed3UBpGwwlhfgsRZ#ggkk3`Mwfif$XaIosUP~wV#N{?}f2PYfGZ>!?N}zZmF0$ zPuStiiXle7Z?NWP?#uiaWz}vkT!$xLJP0jq@ac{7i60!QE9g5nUG5LUVrh!Cka%=@3!+~LCImuh^a zX)}1zC;9#KLr2A~MW~xcWEHD?6AY6yc*haiTu^GUM}CtDYVt@b`G!ztuBX9;yv0e4 zf)_`5vZt_4&ID}2#@@jXtT9r^Mpw%A+8|VYukTk~Y3ErAn8+E|A?MpsTbgV!3At@+ zRI9%J;=xx4&Ybq`3$;7ueehBfuaC}fDb2%qj zcx$P2fp@KG-}`9-uJO{ApU`iMnla(?a@MM+MtG_KLD;mxvuJwWbWEyUd~2lpC&Y+F z_)p^JGg>o;8I>y|%c((J?2}F&1c@`bo#N&wX<_)%bgp%^;`yxVM0eHKV%N>MX?o|rnkJW?~xPy>21;vzr=Cg zoKvMQ!Vh=nSRLz93%SME?d^VD^J8<_!b9ubuQ+y@^BK77zf45gH$3Kja$)93y=m!? z!i8>{ZG;4U*)fP-yD%tvZp+rU@8_2xs`2QD9kH`740=2R(#{0kbLw*JR3*Gs*zQ=k zY(@QvNWHK5sQx>1xTj?qrb(vocc1g6evMlo0P(N?05v?(`tejXt^bJ(cujJ*TP&dn zczZ_ev-n%W6m)8zcdcsFme|V%%fp^GKJ>6|H(7Sso4&Mm8*B?#QTWu1su5+>867<- zkE>;u^ty4k#4h=ZrXqMZ_2w}#bAvrgJ$21MY1#U|kK#!W{OgUGU3l+LbY)&0d}rzY z?5ljPqm^L+yj)Hf-1+5JS%T{1v)I(x*sX3aF}JtV`8V3o9;~{??iN>M3*?%HzJc}$ zY_?_(8K4YXr6YN-64oE*ssE&N#WHu8bD!g}(Uu6ZlvQ)iA{m~1j?fz)>)IL&o`mjI z8FtfC2T~;o%1_$8O3#^a{a|G3U)jLmcZEW%h3Z?#hOZ)9EfZoc>SZFxaA3XFTGLr~ zJg_F&$TZ2VnAVV)?X~p8%~NJ!`0XNXL(^{#Gz%0utyFCn*=nz_-xY3ZFk?EeL_3Q1 z$6hX=mHAR+baRGQhW)kS|6%Gq+}V8G@9{*;rZuWHTEwQcY0VHVYOfBX_9|LiMQn?_LoC>zlA+0wo%mFvMLm{S%d)Na2aAw_t zrmYo3M@_{d>uU@=Sb82oPWE0|X(3&$J=f)>Ag-pJkQqBiAitttFeLiWBKBFmHa}w84fq;f#vzId zw{}w%lK(@rII4NJ##PZ1PsTE#KdXMw-CUY}s+0MnAJ@(dwngK|LiHPtzlMfE?U~7) z+q0Yu5L1`W=(WCDzj-P@EH=25#r=`ms+Nzxm|@Edj#zkUcomsK_c@{fRHo6Pcegin zJuAcG1xcIFg}Q&mUYqAkvZLz^a_2hZC55y%@pG%#S}JOVV+4~hiXT&QZ_-I4dPJZN zvx7=7x%%)-pEbSck48rVaiB)OYo7F`2ZA--&u}B_?UlxCEM!W`p-DS6l5wx}pxe46 zx6q?#Q|w74ckf5QV!7ix+2Tp~$31SlqtkVIyD%GfZq$nA>o3W4;baCSzZ7t}FTd7^ z`x;M{>2w5CMtlU!KI&wl?+eghP9|>Id@<+8;yd-ca&5~?9nVj=;+nR+C2vMU=sIhL z&+F=x+euL{=yD~_(@-N_!T6N8HCu!h{MUfWh+CPD9BBBu-4|nzBU=0|LQM|7kLfr-BEP{N+*05Z@JjWH$X80Pe8$lYrsy+ul-?%84)*y{VmyC}&HGVObMWode(8%l z<6;vD6A6_&8`p8K&;f?u_hi&c=H0R=;Nx3%87}i6&u<5Rd$_M%7dmvA`By*qN;i5Q zRqtJRzAV2wa=-Q)&TVzBCDHdr&>t^lIM2v%qkZSU`+kL_snKEe_9qBui+zRTK!Y3# zhR~az*#HU`$l$a2+di%d=1(7B{hpX-N@tqf7k*~M%3@`X7s)*cRF@+z=7a@)fp%(f zQ6sDGwN5&z%5{d%!TWxnC8tlS5P1%-1Uyo#yZ7`Xndq746Z{~VyP-#m`%Axk5X)$e zJ?+ZnZ45XN5HE-?5tc?r$z8=Bbk`Pd)NN1|ZX2V3lfDd~Jqz+uf)+7T05YD6O_8D$ zHfKKftThDff6NQ;u-UWVqSnT%15TF3^rf4Rn;z}X4@k1kQZLVY=|BLdpaW<2DT;!( z`U9KxV~)d;^YOc|n&>B(vMaytH6U_XIeYdij{YhPj}1gd8w#{_aMR=6>Ro-sH1a($KI7dbqIBF`FYwEXfu5DUj{)|Oh z*mW^3uYI$W8UBY!+ihUPTkr%Os21A{9p_NYJv zivsaia$_2LNe*F^X2`bH^=Rby>`G|_1A+@_hMCy`E>V0TJJUMjS@=#4;vsqSN!VEU zrFlMa3&@B|IDJpwyeMR_nd)QYWiOpj&`}i+CH)p^&uqTE(f0wokr> zs_K9vzHBeNADyITxEDt$Cj@%a8K}Hp1yxyA_G(G+f6x2d%e~5&&d&y|Rtp&G7dnh3K2A2+d&|Ikdt_m{{q`uoxZMRekat(*tW3l4u# zzCtLDhf;z>i-_0J=67X>qxa2gJuALd2)W-$MQYCH$#>ALKdUI-Euc-hJ`+lr)~v|W zaN#Qjy3T%0x4L#Hc>o!F`m`dqqH`FXR#TU0YbdVMKjk|G;Bodc@$`+3PI@PuJZAgp z_jHNaQf1o-^z2qy46?h)*-U+f!*f4!LMy{cb;94Q9Ybv^q|^y#>2_eMe9rQB4GAx& z$6JGM+@74gnvs}^>x1r|JiPjL>6|)y)+I1Rp_~sc_>m^sKaWRV%u7CE=4g*~6CcbNc7;+-t-9ZN(5|VWj(atG9yE2}iiXvC z&EQEH@dwwxhxe7Wgo;M`2W3tUQiJn-PKHcM%j%tnSy*rS>_I0?XX`i2*yo%>og-~W zX*BEmEPc|0cv5b5co??x@%1@7n(5ot)qmUg^&Y!n_d5FNe0Z8_%ixT|pZ*dlT)>D{ zoR)vZ;_4aMV&|W{cQcz88Ux)T#15OVmccT|sn?+1B|KX@n=3RgT04$;W4iu|X#3$d zpY(ar1f|!g?uN(3$D2NfDRZfpoY7QSCh3aa+-0!rV?{`I7FTk#Yo^m=$cvhtn#}`U z{b_}xQE|qEs|spSw;o-}GDuqisa$WRN4r6|vmFXwaSdkD{p(7jIg(rNlXNJVT%m4y zYd%4;E%@Xq{z1UeM}a`S_KP)x8%B02@5T#{TQ`@K#g9L7c(19ee|OGKTMXwnk}rsU zW*QCeUvA9|v@WwK3#ud41L#lxaCL4?mIjcr!Fu_79G${|Cp4W?h%9 z=nlG_(w~XS>u+2G?wF?$gG83B26%dDFix!JYg*CQP{NvJLvdL+I%))Q{wL$gVN{#i zKGG&B46C^w+)lImhzZn%z|a+n764lg2LsWbhu2oMZjV3BSHYPB+8E-n1Yb*rXj>(- z@I9L~14#ySlqhg_3~i-QcF3elc`MdzX`;`v6Mm<2cRLEDcJC37AWNoKBLlUZ_A!z-lovhi0 z-0lyL?PMUyPwzJ}0xSE5T#a6mr9%K6ufB+q6cy>JO62H4Y}qG1lMTL#u;ge%zTq<; z2g}I8&c+BYmd^Hlvmq$Z{Y6FNR@R@n#=r3Nwr1yC>jFac z3cqo%@)tK)hHFpC$kc8l^vLw0R@;lDdu49BTlCanv`osChbeU_F;6jy;T);AisP<4 zV5EBLq?mr)<-xLl^jN5s#RJPe7x11jSSM4}gEYO~rllh4loe$7!?6Mg)73r-CVkiw z+rxFJC2+9JJWdrJ5I2>p&1CuCi^EmYif8NrgJZR zwRzfXPR4$m{?B1Ikk^}MwB_lZ z93r;B-sU!iQ3}k>^th70Cn?j_?m0^PD8)DAf z`+TsyCqqSLEhsOpo9s;f%cHqZX1ODwD=#k+^w!m`_Ovu_OM5i42Z>@$`1r27{=X~$ z18e#91(xPlY$6|40+4Ixxg$m_OEC-m8mG? za)OjERQVX)A`bWWT&PrGa8_7H$d_jqu{nt9z0!g?r;|l*7NOry4$I{M`z!Bu2gdq{ z90Mi%t0q0CO)$V+nU&ijM&jR4r=-wCCvetYkk^Zg$eN zQbqQoc_#+{DD|xU-WEmixRKjDe?}Xt86T%XU1~1N$I2p9T3X&W)v!6Z?qs|a*27FAFSTMXxTm?^ezvS~VQ`#~$HJ~7XGvfK380J&~1 zgM_#M=Dq#9f0d|joAJvvq?CD zjIOU0^*{ofP61}&U&^n0kv#MpRNjo;+*2c2JkH;pr91>Idh`~^S(<K?Jf8 z)EMJQ13oM}WS2L9Zy8}P30=g-cp5zlh5~HmOhf$kucW5L5uey}p?SHL{Ed#Ouh+lq zOXByFw|h{qqkPaMTS^I2;}ADd2Wv4o>kB^z{r3J^Mu^iH*hqdk%rvANXjMkCSR#3g zwK4+dd%L1C&FJA6H{pA#`Vm4e`+d>fQ5*m<06!IUuMtNxCus_iSpOdjC-pkPs#3LJ zy+AS9kdJvtU$pyHNxL3ko=GGaGKbo`9$cA8I!QpzE1Hs8m|Svn9tyIGZ)rC?n>gzuh1ve(oMW}LkNDkE1#Ufr-wrm9L}S#<=RexAjICff(z!w_22rr zd925*2ynvd@)2f-D8^bteK_r1VRH&r6x8|dn1cL$$6bqDjJ*_A3Fmx zSzIP04|bb1<RO6%VAexg!6%dqbSO%<;LAe9s`Mb+=y%z7@L zmPNv)U+pLxLM(sr+|!3FB#j`Ov6n@zkcoq!;`i1trKgIhx9v}Aa?K(xtu&t1JMOPe_3cWr1OXN%4j*@tJClEoM z$toDTLnr`nw5C7fQL#8nc$O*C9Mbxnfr0C+3dNs;WjPS_ph7k`2~#xWJlbmt_HFId z_Rmr9Up714^EN!Az{WWpzG0#B>4e$0+Rkcj9Ofapnt1<_Ex1?*(2AON z7x&G(|1LSl9_k461YPrau^ z(iuGz*w5L}x4ik9^f%nWI(mg9mEsw-s6{^-qsmLhe+{6t zd;-^#N87{chrg39H$US#Z;dbvOulZoPdB8hUH`!366TpBAl{&VvBFcSYUG^nhtk?$FiR>`xMLP3c0M0Lf4^P@-(xHH$J!#O$lI{WqS>9v zZ;!(>d$nO>rRU&_+0>(}bBLow@Vx7TAIQV_BrbCJYkNlwh&vzAgvIyZUq@P)(q{q} zS+{-`?bZ_Q16~moTI+_>pT|KN;B+2(^3W}X`{L11-WU>CeLagZf1BNtr@q5ub#nd0 zX$nO9n6mP<5kU(s-VasW_r9B%KTl^?PncOa2I1)J2T4xicA+W$?F&tw_+8PTn%k0;R^I zH_<|}1kX%Yrc;|7T1-Un-FLPiL_GWt2NjXr{J54d;D8}TL)~9r5MKyhi%4@zR*9S^ zWXZeN5H8`8Cl1II_~B1C?(b6(h^@x!Gp46hyYQnN{zdOat4DBWqU^?}wlfp4=S%-nKnQfps&3YZ}B$38Lr?|~_XKbTuT-J;?1JC4s*^NTEo6M)aSC%+Q6M~KsA9%<5 zMsa2%yGN~BEIs^1_2MVKgY{d1&o=DF2oQmNfAIHAKa*~@D6fIN?)0n7VtKwo9NYNr z*ZgAFooxId_3>MB#xG4EMkqB>a-}FScwvcBo4@5>7Ad1*?VSJRdEOITy%1w%_n@SW zDXFi?WtOY-9kO{KfC-WZqzpyCR)UvZWnA90Eh?LvVyNZ(e{!tQFh~rK0c)18G#&}D z&gvX%pF6p21|oVoEqDOBfw6}4)FQc`{E8{As>fQB3DEc@IBk;n6U#W951D*lkl=%M zN;&E?8&^JJ4%VpXjLO)$@2#dUSj)kK)MK*p~k-?u%*BI;M|Z+8;V+` z*Er)iFl6Z%8x~UiG~;Maw)i!QD)g_=`5rGaL_K41Fv1`4{=u!&1HLp88^&yuKdwXf zx;F(|rSIL$nt}3Qdx86&C!}j|BbZ+>gMe^aZMqAua76-nC-4yQK ztenyqdXPn%_kIsNpm*?1`CvYb>L~=hr0RBu3btOwddB*Sc-aKk5#!(5gq)kA_3xsh z(SlkS1NPyS*rC2-A!0hZM`U1O-q53F5we7D?EJ!mM9BbVGGPnLqg404&h{>so{;F> zRNiTkH9I}Wlx<`IVC((B6DH*ViCf=>h2Y{q%AK*q1HFw4qUxRQx7^YYfn?4n#1C^(>KH0p_`*-|n?UMnqE#cBddA&G?PV+2mRG z6Gy`lrB%l?O4-1jw-3&XnsdFlRc^;9*;rVlc0xAjY+!iY;i0~z#vL(Ww(5c?J-=G< zfVyd7kHrV3pDE^i!}TZH&YHUywI0j339<^U_K9eO0&Sx%_XeA34UiF@BfbqR1=|P5jf=I_uZw==ck>e7P(tNDx_&J}e zSt=dW!E;y(U&2D~te%i{31ReO#j- zQ&sa?SbS%8`TE-X3yFY$wI;^z>3Xh5E(t~cRWcm)lo{Lh^roY!7f$TzH=(Q8TTcPt z{G*%-7mpzm`lIc4>W1Tl`NJsI&o^*?oP-Q{S5!PO3fwB^2#eb7if)L|0QYnKBt_!0 za{Tq>Dn);duhxA61F99g@p9hgEaFu<id_2d@fWiYwqO5(t8LAH0$I+Ud`&0SyA`@(A;%8#=+kI8Y z&VEm?D|0d34sVavi-$YTn|ww_v2Hu;KaAR)XWJ#3?xhWvQ1pK=mmS*w z?I<(SBzqzvwYAR;C3E2`zgEhHqn_{hcXzw#bkCnLUbK*Af3|5yMN_#hvZ(KPd09n# zC9#d>+)B637v%tQW4IAMPWtF$okvsw9=V4n+}n#4aAdq1>lL5k4{+%?OF%l6Wli%3 zA$piat`$xtEww(h?#64~o6$9O7bJ+I@|4!mmu9ruCc$B%Vw6tm!#HHkSi!fA9}s7h zJhZD@@B*itltJ`TH(Ci$ReETDE;uo!=iy5LM1o$O3;Wq^_JW}n22>mzOwxpCOXQrI z$8x8OG6{FPwlnLK^n=4CUS1W5&d%q97Mr^48G3#fzu>?I&|J0sJDbPFKJ-u?A#S<< zooTphUcm=G_3%IJYXfFrj&vvDJ=|E{z3@BI#&S)E{d>xyZH+%f;UulNPPme3ZU8D2rOk(5cVH> z!_vpd-O*=`%I8)>HG+SIt z%x_NI@}&te!|}T`E2K7~nVPHVo3g;wL)yMc(UORT7pY!+ULgsR4-S6d=Hp=N%F*vr zB)SuPjr+}h#A_^v9%buRyWY)p5u&=b;jxK}dOFSb3w^qf4*BbXTu2cdx?Ndqk|KBk z{JB5YQP&)9Yec?Z;wgS=oRi@*zc_^{PcS((MDM)Yfx|oN=DugRGk8`+YA+@|XkJd= zyoQ%Z$dbjl54vx?9Z%nRZR2lJ(A!XHa*6S1{0{yQ8aWxJKv$&DE88PD&9NojR!BB= zd`IEEkO2qtc&elM{AZHF%;HA1(m(->(1f{T6J5i-KQ^G+9#F=1{ZNO5U~|2Hq4mW0 z5cuSkcfCaM6US1v_ZZjT30gih`J-5nBPzSc+00vL0vv_xx^^Zs8YMt47p*yGx$n6f zr!mLc2vtbc=c7#%>snrU-(;B2dWNe|G25Ta-d16fsECQfI+h?f`{*A3eE%h%bE+xl zlSJk-M%j)lTcJ8Di%Sltj`3W<>MY$i8Mc;YuoX9*afjzN3v5(g9UrzW|CoaTQpWJ& z&iPR3%f~idrY#RIC&cG99i(ur0SI?NEb!fR|Hg>HSYPZ3k^XW!ce!*on?=eAK+dSA zOWHBg-w8#1{PpBRcca!T+$tey|KW7KT4D3D2&+Z3(B`kYoBHcp>Ov*@h5rz;0PlR> zP$a5@xLJidd?$oc(rB1+{kN!MQ$9I%?kn;$tl}hu(Cbdl0w&cLDH1DwbKR=Q_Gg%| zZK8WYo~)v91olwN%lcU)ey-m>B-6wFwUqKw4V}P$))B86GI}taPP3aqah2L-VP1=Q zf26x;zd?Ts@nV0VzbEo+_n~vyC^qjOS~>y?h789c-m^on&6Btat&?JtwbD86g2P(k z1*keGZ`I|prn<*;)n{s5pgY^w!#ci5YL?qe`8(?W=N+gdIWYF0Qu-;*xGmS;4j?Vx zAFe?8wLMXYqWWk@m6tKm0yoMlk07c&0%x1_)vUH}T{K_{ArFUS$8x3*vk6kFt)tOV z5B|wUUJ&pr`3o5Z=&r^|?9go%qV%gRTU)6kS!@U0$A^B)GUeAiq#+DE?Cq08eq8Nx zfG!JM183G|z~@tm&f?InlJjCJU(q5z29dA*fWrih%c`73X7&bht0;o4%ailLJvHRg z!oe1T%G{|j8rHo#v=rpI>gs;Sv`w*bnHl19e46gg)28TBgR*z&5e^8`*1P2O`oHO*_rza z`7uvlp(7J9J6o~YJ8}E|fMpZBwR3lT#C39_F%=v?6n)oNQENl}#tCLhRn)h-{aCrY zxt;i8f2(Zw65eBF^I{Sn*NvZz4;p^Rh%$jEA@A+~G3A*gt!IwFz8S(J@-8YBU1`ka zF{#=hpXipn)FawtzSiY*x5=Fy4qP@*YR!gyxZ9b3i6+dVHgXv~5jHKySFOp8{PQ-& zjw9AtIU;&(`Pr57xCpr@_b4OcqN2e&?2idGPleRUzK5WYO-1hw9W&jjgT5^7qhm6> z&LeA|-(GH)#ay=9hsibi>9=^391A@GmziR7Q#+ZK`O~h)G(Y~qZ9Ow&oa{lvNNA~} zycY8$nYfo+6#mhnZnh2cx9EXh{0$bwcE{GVV8X7HrWL}vuer^}w04BT4CeLb*C;y= zFaNwiV{NKMkYw_SVl9jLcr2XRi9V6dMRES43zacClr(+laAe(PT12wYqF&&jFfC{ zbfxGf8H;o=E;efp=%jk4;a_Z7LuU5TY^ScLpX31(Z2$Up2Evt#-aq`PTT3put4vgh z^e)nj z#~4=)SX>}#k&zZ<@e;3CYs3dp7P17XO54+ z;wO(C##)!qxSIo;cI0Wpf^f{v6RCg+g?LgqXYU2pdg7%C`ma&~^W=da)1hZ}T!4KC z&&s##*{PD>D1VvMR+NGo!wm<<>(37fle%1gOY~^xvU$@73LqVl_40#E*t_qoa8Sz6 z@avq?!gPcM(IWHZCVn-T?DU;$5I%vK#Dp({UNnu)%wZ9 zBmM*zP}Nn_+8naYiNX?^K_m6LLv!4hpFhdOBAxej2&!;F}{#t%m_`i55jfNaSy)*K|rPyAoDUh1aWuxzcZ=w!d=w zhv7PLs_d=x05Kj}9|g5B^Qw*fe6_`GCR_nd1p~XPy8n*r#Qo>(S12iL8#r*RI)#o6{Mm`6(AQ`1g!2nDjxBoYN` zm<^E`KqFPL_0Lhvo3CX5x|#l1%Gufb#^tRgwfrS^O}yVzg~09Q9XUB7B`VYruLQ3v z*{@E|wAUIkC9Bb9c2VN*SXqw!n1DBi18z2k@PrbmqF>$=X~)8{CN|>;cJI6CEw*4$ zd*jGD3|gj(a&LnvOJK9 zt7Gi2)4A4prKW-46Qj`yaaIN-J*JU&x>DY_s8Y@R`EA4O#r2(8;uh@rcT-@8g&>OsA4xb(D4_#2+WC@ zNg$$w-rk+0O|EDC>(bPWt2}IsVMOl?X&)m2zK=RTI(6I(S%H=HE!%{^2!I8k>kte? z5G?@feF9CY$b?MiBdQwdw;R@O1P}{S;D5G)x8fQAb0yUb^3Y-}^Hi76fZNnm{9oqE zZc?YaysR>2F(Y9CZ{1DgH(n?suE(ZF`WWw-%-6ew9^Mv@auM9KFz?!(>0nH>1^|A5oF9)hKXA0K(g) z3TizA4ry0dC5qzF_kYFkkfu?FO*-HD?A3Y*dF$QRFT-_>f%|}kg?1C0@mcuxAH=rp zPCb0TeZV8;yc)2u-X8*?W;rFau4U}x16#nX>CQ2K8!U_(quugIQ#B@lUl!gy5rnxG zDm~&hoBY-u%whK;QKNW!I*{m3M5xe05!r65E`)mikj zyME~unal|w6zWO%>S7abAg9{ma=dh7m^7HEilw>*nOT<|ybM$G%>xpM;y{pvc9)sFtPWMK_6~Js;6`TXC=LfZQ zqXMG8O^Cy9=gyELxUX}PR-uv71h_)F*|UY5$e)iY0DpCJQpm{fS?=clZ=J4rKNEk$ z4EJQ>YlK@u@EJixTazRl&hgc0L|=5$VmRs6*2th9+w{d!X0OEzv3RmT-mR*ghY%du zn z-BC^tW2b5X?d8Jn8I^EEzyG?8A)s1)&;Oa5?t#q7=x$s4Tx+x3nJwFs>Mwb)e9zK% zpi)++R@Pn_dN4&8m-}ky<)P`Atp{>;Teenh?r&>J)&#kRc0~k3k*9vM7V1NNSy;eY zluVfzLupq@^g)nOC4e^#>V6@6hH$>irpm( z?La-fe6KU?Hh;y}M_p^1Tx{5+atKBi>FMRiDkfOh&x36z zNWHk|%jK|{Y}&Q35+e7a3qXxidJaW+SZe)p zrsinXN6*)F${e+vR3HAQ8WON>B)~kOK z!oGBrr|+HdXl314;u)ca=y|!j$GHesZH|TW%8g^Thnt`;CD{bRHY$Zvq7{s0VEYgsJmCs+kto;Fi5 zzxCf!Boj0}qcT8;z=+~oa(bIxs`VyG$hE7u7gAlS%NQ9Mco)8rgQ9r0zBD4HUNfK? z5oe**L^16oT44IruZ>{-WDDYc8UT=FxB9%got zz{2uy=An?9XbO>y5bX7Mpo|0$lZioz#;ACdq4LL%t=@21qtbU{Z z=xEelD87>$_{YF#Ui;t9INx$<)^sh-Zz01WPBiRA+l=R&EF&xDB(V$TT~S?}<}^>& zTiV~9^~4ZW=f>oJk!t3gQ7M`dGmmo1RXfTEi5{HyRgilVeT?gbh=ii%7^IvXVYJaY zt(P!qk`~?jpZ~&{H-6ju%hkzZ+KxM`eE?Y27Ng4FoJ=TgI=2|CGc zPp4{<)%T?0u}^7d)s{rDwrH{S$!5DeqBGjMr!vK{!tncyxcQq>3fB@&P&8Kxb^gvK zR6C%vcik$Zo`bonzir(eLfin8DNW;!2j)B^nR57}iE*mkjswQT2`Db_A$^xP?57+V z`^R2Podk}M605?kHM#5v1ClCfx@t!tVc8yr!_T@Zw@rG|;#IFxsPQG+m2+}~FifNZ z#<6n7ZRS_OAMuhHhas3Q59`vsJ+?_s-)rPLOe|9R9Uu*d+q^!N5_=3gNq~#8TH0Lx zuE0FpE*sYBjNa(<(z~6Kr$IO%7;@Zr@sFNj0zfL9M%g{*nL7iN7Dg9<@=Khv!@&$=1s@cXfRWm=wEBMV5)~7}I-Mx( zBzLFG1&_zL1K&+e|2r@5v?*xFdN9H8`Zv#WVAf|h z%|U-;3o3QJ`A(^E3FKv4{sxHn+B{4wTp1lI*lc=c$}{6oU;{AG1C! z4Nc}+xRI#rW8c{L(NU7(njN$_E+rS))1Xy^D>P)WPqkITSt3JzkQbFmP zE_&q+?T`T9QdJCB4dLM61^16DALV>lVdaZT4${j+)#VS7W;x*_ekCDOc?(j{# z5%xM*ZN!r)B()w3%CKElcQWxYZ@;xt@d|p>@2#B~aHPZh|uytU;DpnK)DU7=;Ee3@PtD~MRw=d}A6HN~H{Piz)Ln_(RZ}wct?=X_7 zEh36y$#%=&IYbtH*&RJGLdT`Pe?A*H*(o1a?tZVFqK)`~#TLTPh0$G++4|f5ey@p4 zNYw(;!zuIQaoC}g$Fys^4eXGq$5X!SFSI)j(VnRtN4aE237!@2N8v+fl^BFr2vMau z$-eyrzmifJ{s_drKA$df_c(i}!3u(UT^Z{5 zjBblK-Wt%))ayGE%yN_|J;r6x17l2-IOT|X%rhBzJuJ7_vwK6C$yM?D)$K_#r_RPg zdx9MN8zb1da8HMSzhNLTta`oFzw*E12jBV)TtA{s>>!os@V7VRBH_o#*oVjxT3ip& ze2!>l_xh!)bWg_(D-$CTMJb%`lNT_H#_VZ)tXZA|#CAq}u*l;6MiKL+px7JzE9DFk zl@w_)MMnEvgIx=!&tBRfbMCf>J*Ni&Z=iOKwXw&f7;9L%z0s`KafDynD`;c=_OXhM zT~*0vk^>)Myi(iuqgzqqjLry4(^#n|7`C>J3O>_OeV=;5OSYcyl6`?+KAyMj`M$sM zXuEXjY#(Z+g1N6fqKfekuLu-*sT#HK)jwdYB=s>YK;=HwE1oUvB$}?90maA5KVS`f z2Tp(Msz2%R$K=sXew<4u)thi71(#=^{x&#$3rH&<4Q-`GKnbN*@~R++Yn7Vzz4N<$ zvi{bNmMD}mQ>hBsLNgybi~muasUS2voHWb^q0v4;$WqMr*s@G?~%MYiYCA`d$1RB#NR?h?ve`Ggo!e2jC(Wzohh zsy`5%^itH&n8js!$a>CPclOYJX84QOtwuWB>pZh&ir!bBIGA9rRhc^Q%FwJ@{XPL! zJ2^UX)>+>zrq@3z0fA(sIe>Tr-@76uot#1BF{JWhq(3xbycSz82+6vdCpjvXB~{Uh z2IhoIVnf9@rH)L;gPmYmp%ZkVaFrlEe&a|qW|gE74*2=q(0bX1sW{c~GS$p9nfnUZ zvVYsrjL9a3Ccaan%l~3HqfbaF@HLK@TMcJzlT+3NGS>h6vH2cb0c^B>kyc(beXvBCsX}x76;B)qq>h)U zh)nrT=K9!v@TkH0`O~WfSj$p+qv;~ad-B8$!+vkQ^odu9xtj6iq|6jNg<~qlHl1Ue z9{js(v#fOlLiOg*E4||PtJfQp9&7*N#z+oynHml0ERk{-b|f~H>J5!c>|WW9r^k1L z%J%;`93r2Lf{emO{sK@^ET-O9_b%|MAReaQG}sK@+)^rXqA&x6QPBL4b=Ev2;eqtCUlASk;(AWgbUu@LYEr=PgQC6waOT(J54 zbu?VNI&lT|j>{ng4rP3|I!>W3rMSz|k#tB~(H zP8d^AI7Vd-u)eDakK-7$&ia^ zeJHoJkR{kA444714tgG%wzi92bbO}>_iO}`EuAhCMiicYD&YV?W02D8*>_&BP&HPN z1z-UPB>&a8C_T?YH?dZ`&%>2ZnAN|^70}G*xH;@KfIROVFZw3Q+Sy}M3a&cA~y=Upt z{l@pfgJ}8}TGvLnIY80=le~^#nss+xK5$=@f=~nQ;AY1Vnd?LjWq26>3J72+@(gHA z)|ddzhd6;-u*@{_OyDM{&`Q_Y+6Wxf?HIUifcoPkbGE$t&23&BxF3%7T34W&O(>!5 zkM~w#&b}6bbjnbAWFV>4S%ut^^ZxJk6UEI6a{MWuTQ-R18>ZVE6!Es-1x6jD0v{dt zV__OQ(3epV5II1$O@GWXjp{xm*Qn0K1SClQ7e@>lMvD8o37xvx6bVWtUIQU*SLN!y&n2~*ec^s{4daAESw<6hhK!HyAq06m8Am(08f+tNSum?o&GhUni+cf$Nn!%Ep&`|FpYhInDL3=0pV3cQC8i)$NIMob-L zXV)SNd&H_M`IWt5dnsXiPE5C+CqUY ztt3E=&$y<-Xg_KUMYf|S`(-&%?~OGKXn(v9i8b|#XKDT0O+tk}YYi?qT5JkkDy*%& zH1!g|wvKlxxtcv^L$Fel(8Nlu$7DqDX|yev`sZ-{x_R0*3<`uy4haRv=t=K)Hx3C+ zX1{<6(i1~a5AQ5YbHszM*k}H7q_wD~H>)D$jGKAI-0mRNnL@frkOyns9paKc6Xsv9 z&U)`Z(gqU~f+NN#P5zVtw#kA=b_wisH1KOgsknS);dyeU7WWD8iOvrY71U*;be{`G zEA+a`T=%Q$w5tp$yu6osJu!2Dvp#@vQOWywV^kr}fE}xvi{rm)=pQ!0q_@>Ne>s_S z&pK-45LeBWwf)0|CO-1xE`Q2HENT&KigAV~Sl<2|8uWwY#K=i={k*6~3fNqWGxGd_ zueCQZyZkyg$9^>yj|p&uvKi54c`Xp@5S@|Fv&N7Axd=Fzv%Vd95?Hirz_}k^r(GGp_VbU}@MgJ=75Ah|k&YTqn zN;#b>7CDo{;yFe*8t;!lxN|n^_fBhSj=*c*9LahpCW2MzHwGR>O3G33jrJ2U;At>| z7?*~`%IAmEkIe|UtMBJG^jq8Om6Scb!II6Bcggz$=qcG{&#}Tlgl}=xbbWUm)*tKJo37K?O4^ou`qpYYTOuUbp;On*Y3M|55&K ze1*!;*R3>zN77;Hl|53mJ-#3PR>qSv4%>WIbdzX{HU_*8L&>5C6JS#!ujPrV5~yNzpZSo zkcY~J09Bf5@4x&S?9-U+0dYAOZ`=(JW7+_)QpzPWDWkKVo8kxeB>h{V2e3!Li#LqA%v>7fEAav0= zbLdHAfeUVp^_KL&?lCo)D$IW|!E^nCwnfKS-J$^RizFeUg#_I50IiW@WyXzU)AcV; zmh$(kUp_nXwuUagLJZMT@_zo{7E6i}&RJkF6rdrPSvynwtlQ1=Q^f~>lK-{e&pe&rXvT3kTern1RZx0 z5i&mgx_p)%^9z3=AqtoH!nMj_dv6{jWl7HpS8WcR@JcqBRNC6Hh1lr;Vhus;nrYHLD?aRa_#M#;+J zwV7;|5J{CN$^F^tK{?idqGhunto0c@*@8z}UX~s14mu(h&R)0E+lRXX{YCMOJ9^0l zq?ye$4O=zjnV=Xo<`Ujt-a15gf&Rr)0Td4Lsp65>1kbGjHR;QKU$9KcS*S%9g>p8wTtYzlmS4k!ly`lHHlG;dI=*S^DuI$0j6-W8!xlt+rySn_Jg|+$AHqig{}; z!gjwIhLqDi-;nX&#F(n%IZ-F+;-Qb3;JIVmU^(U!qGGbZhMjEg{pbSZBEe9vwb8(7 z%OVebZ$hvod*L(!^6@Z_+vd`{0!NY36j=lU7{%rog|7ccE(}EM;z$^f6BEnU*jkJr zvkl1@xl0ETrPakNZBePO z4gQU`;Xs+;v`c2enA*aWZedy>oAx@=#adnsi|yoF7~;CB`V?;r?z+f{bU|=toaL*M zBujr&mtPS{7v)Z}*0Heu0%kWRc?GOergSwX%FvD7anxtjmVV#dUGeBA>$E!3i|?v~ zTd0fbU>?hU>vXLpbnkDZF|LbNkn`#+2f|G4I+P{4@Q{gRIbN8&?jetToqsa{MhwN* z6RRiwO3yW{k_gz<|2NHUGh>>G4l4j=dk%kk#l5~+j{bag-fdpbYb)PRENC<%mM7G( zlbAUk%Jx(o#sw zW?O;Z_h##!+lS+bH0Edgrlb4(jsaa(JPdS$lf6DH?j2ibvY03iipg^{rOL>WaS7RR zVC4HHFQ%A3s(k|snvFz_FD6i{ifL)wMO%tw!hlS6k9zPoddBRG6};XCQAqpX2vp{} z)oG=5;UY#*V_2zRU#Kv zVW5t3*JD;!&7NfzG$8T9_uhZwPWoddu^CWqGWkqvkQaol@7&>5P8gkb1DBka}*B1NxR`N5LerZ^Jg0yi7^3@fY;fpQ=p-8nLQy5{O5yH z-w++AhRr1Y4qTfD0p;o8#H^>qZ);cS0j;LBs(zvV5MKq~5xni!ZywJPzs6sm0!X=g z&N1ISvi33%iHC2kDCBgl;D)QXN{6@J3{@YCUB)cXtM31?plPz~4!wRjJpscaWLJq@ z;RRK|+y`J9G$N5QDBB{H3k6ivNe9D3sD-e;Z9514asbaVmLmv4D7W3NNd_qlFwzx@ zTzp3#)JrvX-J(xfBEYPGX^k3u#J<=gr@jK@FOyt^fodR)GTX1LJ%)GPXv@NQVmjPhYsb*BEDa*F-VeXT)2EoP?>>EW}DLmq$%_H*buGCeS+nbrt;G@%twbNsPU- zsXDGeA-Dk8?jX=j#d7IR9B2^ zF7;2O?54G^iaBkj&F?>ex=%rjP!kV{o1;t)BBw$DOunk>AQnHD^feqL*8ppv%}%)? zic=t3%5(Z1osl>6dj^6-GDDSFXOroIi_NW)@ao7`t_Ag2M$mx9NH=eCn$ZYZqa#Ty zTve|}s&EEj=J_-wxNWKLrmd>bAtIvN9z^SuVfl>vAP#epoEl}r3B<#)Li8d(`2&{+ zf_n9X=AW^saY%ZdM|j=k-4+!hS-QPceuqaAUQ2b@j)(Z(_4Tv}-@O*#~1il|0$ER-WJPhWL} z0Sx(W(KK)HZW6sAIyIVm$6uz3BP7QDSBpC zf}QdCO0T|-tXF~E18g-)paLqo^(#d%wy*#jqK_hyzGgwnu6fMW=0$b18wH|gXF}1w zg!!X^*5qy4w`E?*K2L?_(R(s?dy5N;+${3v z4RPDa+&DW?N!?E@q*1dj0tOur6tuVLpD?9ycTCfC%Mw4${calX=ls4zl&|ENi{2Qm z60+?!j|n*DBKf^394UjDOVH*~U-}uw$BZ_-4K5PS2A{;oI174D=3B;hvyawW=h_Kr~0Jzpxhiz6+N=lqdVK z`!@`~&M-`~T>og7EnS|rj2j(M%dVX&(6|awlTw{Zm;TMI~99BQP zhR${v1@#eMg)RK(RT?Qh=ro_k_}I?T(+wnV?Vc=dn?uiX-sw?}xVgQ@dx7qzjel%6 z_tM0ZikOW)hxuI2W%a3KzW(X_5@2Bt_~2cPoMZ9=n7P*3vtNI+SlT; zzBxq8(X2F3t_^Yk3eOWiv}l&HbBQQ+;v@*tGU<+hIymF2kI0t_Wl39?N627;AGZOI z{2HGSo#}`${QZnYi(i3xg5#XU@|qZ#W4y4=G25H)2dE*goAPBS3`e$x#9ee7ubRA! zg?xZ|x#+G!Pv{TWpFKAn#(Wx<6E`k$IqMSAL?#rck}n4fdyA*Ljzkk#WPblb#*V>=6?6tn9k@A>vtIhbZe_Cz8Ud*kw-rTSJ|9?5BoL@%JCA`}}U6#b}% zRZV#n!|~?9B6rA+1DptgUi^uF0%p)Jn;X%!2jlc z|79i9Xd{KrhjkDr)o?j#87_!hM6t|q zyLs}dAP-GILO9qwbAEcO=^tDGz4m3rRJ1+)Pww8!rx1|$y9Mj#3TGq7Vy5-2h8G_0 z#=jLlXCRm7OcUWeZR9kS@sm)8{Y<7abV$mA+5%KN5x)uyWu(!(Ekj_;u#UtDi6{4O z3nY=fg(t60{-5t`6}fI zvin>C@bPk)_VWEty=>8hU2)Q$+HN+mQs0#)x;<)1Y=RXP6>(ydFF9fhTY#{0>*gV8-0cYtQh{672BUTpu6@>*fO4po z4U>}>_|K=vWbf(%R{*-eQpTO=vr-Wj1`blKy4Bq>jAjQL&SS}S3S4b^myS{eP`7lX zge--&xh&T_UG&l{mllFvJ#431T>4C9n~GA5IB`Wi)!j*WOYo&)*Z22y444ItP>eD( zVF}@53Zlla_Z|viyB0c@xCMit4f)x^Z_?}Eb(Ht%o+f{5-i2Ps4W8}ALV;`c%s7LZ z`Cp^||M>url2h2@LVNrExLg0x+7yheRLL9i99-@-5?sSCqp`SdXvFoD96Gj$(ztD& zkFmCjXT@LbRB70!QfYwFIxEt`P>TuRU7Z9HNDy^ET!n5Q5}FTYLfzCDT-hjSXfz^+?KAHJ-VdIf>o>9~gmReNHnDf*(2~o^1P}A$12AnmT;b(| zu1PT(rvvFr9*~QkAK}A79-X;L?k!B@WqoWH=_aZBG{AUhFC>C#Te%MeTraoJ8+yVJ zK~OdBoANSe)811~_MuTXK9=M5-_k#_?mw+a1kqcZt9x5*r;2lR|6(rxcE7SUN>bHe5{j^d@^|@O zFo#(sky%L#5=rO)0s)hz%ccMa6Jg+xfQGbRo{ z8ydf*CWW9li4NxsuUXZ-ZR-w_7venWRGePmz5!Hh3Y1t|1mD{qF#Alq9cKDG;SO8I zWqJc6lezr=0xkX@E5(M(CfG_DtNzo{;6OJjsXCT6|Y;GB5O*j@5!+gVNZ{txi^gAPJ!2>bg0s%1NMdA9^b24B6# zP8-E%lDp(CMBwvXHOeyd&#k=(maYXpmthCRXDqZTM%)Q#?Pz+Mcx$^yjBqpB90dFx z*?2fD$c;hcEvwn%PM9Vs5}AL;&^Ljp_leXRtL&V_v%ACV*7NV;2*Ky<=fevfTuK4E zuF*jA#2VgMZnp67^=a-4z^3<&btn7ETAW)B#;P01{(qhxz>k;JV7}dvA6PWEqnAdL z-RD$b{@O<6rZ^Whaf4D$XjjDw*3e)mbxgK*%(>0gjd*suw_Ew`@vc%+H!KM7r$}EF zTWTTMVIcJD3FDlK)R4y<$1f~kXdW}Nxf=A5yBE;I{mt_i_;v(&A~jf!^l8G*5=68^ zdnk_LC{VKV1Sz~31d8fKVK?s*qPbfr=9W~;7s+)a$<^MXe}*%yMUsU5SuvGCudpyu z1tjP&*u@1nC929ebQVM3@PDYZeIoUnBnZoMG3}uk(E)OD8s8@Fl;-}^HDrc6A&noU zlm4^w5zfKcVa`3Jr~mC9#uv1bM$6801`d@?Z4%flhI${jQ&Ce2sU36f83dtOhw_Bq zaFCcK2tVx!b0ssBS;MQ(r7@Q?JB`P0=a8IEOp#cE@5f=6Is)Z>K-#ia-dOr7#sZV= z%2G?ch_rmmqeXm+Hw!9dw)2PVv{i5__{5!PD-nt>ZMH_BC-V*JMG}^}T?+}8?}-_1 zEIiDo?FD7OUs(u{y9F!u?29~hU4m=&v0lgt24O*JEY|GkI3iXMT*3_6h!9xoe4|REw6@a#gw`{UWlY+8UD+pth$WmVx_lL>CIdf zO^l3GajD6q$B?X{=4|WP%uXRt(|1)1ij_T_*asx%Jk=UN5*sDe!w2J*JK+f}Nrity zTV{{O#Q8aXx{VAI@DJ2w1Ilb8OK{7qx+&-8{Z4MVN;}>#K>^_wqLjQAGs?^n(?U7r zbMcL>Pd^U2nm#uEveZg6dN5D=3=Hy>V>^g=P}Ge)^5NP{M2o z0>pL3o#843X50Y@KnR_BcZLRXVL>878(Az9tzx~3f|-%hPt!B-?JK?0zik$Oo)Bt* zjV13@E+6K1=}R0&!GwBQUBct9|5RZWu~o2R@jYg{j(UUNgMc=0GoiSc46!`I)_%Lo z1DJ?v)Z60o7#)$gj*hTh4>csqBeE!c2@%dnVOglBTFQP0$^1HgJ7K(mJE;=bF5aRM zJ#Qg$>n%lrp0OYgJlMnIs0m2&24A>6_}_@{V?ozh-xVAf@>0|l#f!#Xt z6M)*8%E~li`9ZlF%x^T0xX(EF-o6b^u^mo|!^x6xlH*+Sa&wGB(8s4hGx17z)s+qS z%xKc@wb%#B^;eL-(HlBQgG;c2*#ghz?dL``gpfhF)dl`W+%+QlzV4 z$auuFn_1CN{HR@}&Uj)&hwtefbJRl7!rSp=+Sh}&X)Z}A)9|;{% zAy7)Z!4Yc6VK#6e6=pb607VNUS0g@JRB}g{VcPi_cliWQ)-*}iHG1Zruq8=~L|MLh zvJ9jg^R^cABC*38ERu1kdBa?cQYZCWO`+i)g(moGy);f0yoQ8q|E@1g*As)#Z0Kam zeT8WnNXse*(5*HM(ak2Zv%sjqhgF5nSN{x`{rWc$fuH=PbgYbSuorHKLE$3Uo< zLQIYe1FX7C<^UCYkJH^q`3!?nljMo^jV$%R{>B7Fma9GatHjphE{Fka8;~ouXGc1P zKyl)(!#H8;j6(p@)Bq4nl`4R4C0SD1-{7OugJm*SixriRP#53tHY|xmh|7a=9S|Vb z*i3HP&U=>PAvxK<^h0u#Bjm|{zZ(5h z05U#k-Ul(icggFwaWo#A@gZ(jAKJ)!iF7!hG#tOVht87Nc6+0U0?CmnFk5$a#5k4@ z6~Qea{S(FKs&DtHBOPsdv`-6Y%#YtBCj=d15)Ib4l;-J@qg_GYY2*WjA@AwPZf$qO zYs%zXo*4n9|D0@z?4qk;~rv$?$c!YQRzbM|vcWM6V-F=Hl{zDaH2p+6Yib;eoV z!B2uf{8t+qX=f>WKzopmeU|SFp>4<|8d4Z|G~?4n$BZ`%u$fI=k6IzeKi&q=BeC&nsBdFbu8)fL!5fP!%PyB##fm(s3dmCpoSaO$LMI<`X@MwA9 z2=&md9BBR3XVY2xo*pgHYe~`PK9?wm{#j7Pd*eI{=6X!Z@nKONxoG@UnUAon=Zsb? zIR@RDPrw>Upb+sTqzQiSmNpxa2#4lTRyI_Xc+cHem-Rjup&X+{fI4JhL0w)X+K}Ps zGPEs{(oBf7kt*OT&#+F0Efowb49@pAixM4%SxQB%Jh}XduZBdso;do#OM6#I+(c>=X&yzgk5z4w6X4+ zm7DS+tZR|%Kc!9&Q9mUybC5>RcVx|14qG za`zo_(IF5P!WKmkXKX1vQ%uF;`c`}UKv?*iZ+r|>SA3R4D4KITtV$a_*Im)m31d2L zI6B=D>z?n61ByevDKhB&HoRYK@EB;%3cO~QACUEUHiVF*q<`YelefrM&PTWwUnD~| zYOiQaqB64WZ22?0pYiAara~0^O<*1hh4}r9!Tt;ZiiYqJ+|?2AeSrgz35{;P8we1z zYFeI6jt>LMGQnJg*X%DjU@{`IbNC>J^xqq0%|aJb$P3dkuZ|ny0Mp>_ySN#LwbeYB zHm?18(w639i{JX!YKzImAI0UZQr7g|H0Qr8FMjRsWnakz9u!+@ZK_6K^E-qnXk(O8gNB8QO&;rdUn%*Ya9Of;PtS9sZ(u)B|b$7P9D_rWC_mg*oEuR z%RU5V7(4;x;TMuP5ly06cNRBhYZeG6y8%^6f8%RTdq5>2Ytvq)W3V?1kP441z)dU3eXb9lbQdvr z{=O@9V?1bUd>9T03Qr@cw2{3GiIvaQ0{bPM{3V|ve-wOZ-9?e_HI&qZB8zlvnJiWA zpn|J4Ec5LFp(mW;xXfki{;^hjWBLXK&Ag{)=%}hzPU= z?Bbxh8YX~;C3LinnoKEzzk-T^6QoV^qA%>eoZ8xas8JGJV0(VW0?KpTCdWq4JbhoS zQ1rMZ2%1dH7>8Y6PzB{$O8pE)E~-TC1ASe|DrQ1a5`9q`sl)R?B3TgRi6Zp9z?R3P zVGRk2G{sP5VV^_X$qWnK8Y7>+Jdg0uX~)<&W0U#WS*n^a5>Cc5Rkqe}pk+3g&x{_!xFfZ^bvJUEa}srmC2 zy-I-m=}*{Th~OIDBh4vN*Jq;zEEIa$>t{f9G}rN|(3Zl?-e-pIgsaSb8L zrDNK-nubKm7j#n+O$C>9l;V35M$_c|(IUAAEptQ=2K=fc!IhdVyFWppB3i}z-V$s1 ziFXMw$H;&=La=T^-wf4dy7}2BT1L z&B+0}H$ySZnC~||3IR~+_gt>?Cn8_~mh*2TlEiN-H%M8DUIG<8jg?HF*`DXz^X1Sk ze!e*%Mcz*LF|~;#Z3_^1tmqZegsTAhj`K|x1Dh4Jh8sQEr0U*g`g1x~j~%oQ@xa3* zk3O^KwV(6{y?u@!n`tsZyWU0!`feqG9f*YpK&y7iDm%!m9`^M39HZUA}Kj5Ni9!^>lw&Hz8AtufloEi+Hn zm^JcNcgP1AoTT6(LgWSAY_o2Z)`2&53&Da941=H9C1&#eF8$CnNU4+6L*6_NUB}8} zylANer9}b(KUy9_l?2cH#RG{sT&kQiUswF&{^UiQEx~Z54ewIOU4T@MHSo(7d{&$!v|7!BPeMyiO?C!vN2z4`p7dL0Jrn!=&@MNVs6^bEL_hn; z?NZL^hr4{D10bd`#X1=@8SsrT#B5F6L3*uY!cD*C3Gnx9HMp3n-HwQym5<^Fd}m;k zb-J7tHuG>TSO)XQCgA=xFTo-bbUf(WyG^O@v9{T#qeVBRGZi60m>3#xVAN@f$K+v^ z3sRxA=+~F3%Pz}vFZp$xH2-4jVc zA+1Tw!E9~Q$bAiD(#3g+%i$Lh3n)R9Ap@uLe@mfDsK_UX1veAiYt8X6th-8P>@(pH z&;*9pF3FxS1Qk%P#tI+L8UEjdvTXFm>Nc|iaN(|ASkPLW<;i#;FL`5xn_9hZwVbQr zVs;HsHC{4IBjYF?&lT;{`2rX9;HJIRWlKd!L+l2T7jnDaF+}7mk70-=uec3gM0Lvw ztvsLaUJ47o-;DQp{^nb7XPD3+p)ENGRd0c4`14K3;MNinb|RU*66Eb<4@j(;Nlz#r z$Ht6nFT1-TW6Ya>*A|-})xQQcds`xQ%iYK2mRBaH$}TpgtS~G`tj&~l8$Y@wn03Ri6J#`#GO9udVq~4Dx>C!;e007((WKiH+S-S`G{T>#|sAB7G z6SGcUXZl?gn(g@*}IP+L{4EGn=|Q7O_Px7@Nv>y)uFQzYAM7ry$4Y zXqUWd&4r!H6P#$f-ITC%^J0QVfG10&BhS@9Ss=BI@4?0>gmCtmnC<(#p!otwpaX5J zec3|OE^;Ia` zA!ndl?Ttyz$s3SG2~{Y8j6B;xWcr>tC+!StH!n#AhAq5Ht6m>`iV4$rq+P)c20p)4wyTeN8d`mGw$G-l%_ek&Ae~5CgFY2#9ZDCp*bO;DTTDRA ztWl&S-;ZeBm0M{mh2rlB*|G>m)_Zqxj-->^WEnK%S{U*x%)NO{5qMkJ8P2T+|pCGORe0r~@3 zj#-D>lq9UtD&_n9KocC;0f8e%rG$tyeE!}%MM<(!<^SkMfM8B$koQco7$1*7#W~$- z6$gv7oa^FO`4`d5DifvG`FyIL7m0iCf0~_oxUVX8jNHrI$^Ua&`UjQnQ@22RkGlI2 zkh6im*I%6vU1j+A=}$}4!v@{lr#er}djUmMl6;?*4Rf1BbHBBMH9LsE@v`;NM|Tw= zcE?K5Kmf+k!to)@8f&P;OtBkPy;;c^qr)#YPj_!i1$!@zxayb^PceUi(ZD@1~zuB@Xlw z1vW)s)5U)2PfsZOCg77PG_uvR)F5W!j2>xz?DR|6#G3A+Pq57julHT%u+tjF{tHcn z)^0VS9rJ-h`2O_9W&eApRT?J(_bw)_siiber|=4|ae(n&8&S`2EKB0Hzl@9U!Lq4H z9m$JWDDos7nU-~gSoyHne-z{5+i!|>&gY=;9;wf8n(WU#dm|>*?|yoQ1hRjv9sfUP z?s53rSb*RoNa@t&)E$2578s9z{58)(2LPF;=}-0%p!N>uX2ez0Sbd$wiO|dhb$N~I zG^Czr0zaL32D?uOlk~jMt!0StLv0~~Mk`(Xl8dv&0}+bsc9!I#@~nKiXz zZ^zHc_L`276_;rn-Fjl+k2sy=`A5XsudONh#)x);UVZlsUbyo|701KzynZvsnJx;W zEZ%%0?bY

      1. mBif^vFSfYgO3w>&ez+`HxzeB`rI5ajF!XvT_ai)xBky14 zt-QGKuVXjuw#vPD)jUBB3ZP=(P!+O9@se3SVxphm+@iFfeN`lVY;+!~GQsh8qR(6v zdiR3tV-aSzT~v|8o&lDW-|fkw{z*Gm@Gy*NP0Zy@FPNO_Ja!==O9PZ8eB8+| zUj+>rE*FWT3j?u)u6Tlws)%U~A?vRUa)Ow+;~$X%LUFmxQ~B6Niq7zVHYYk&;i6z* z%$~$9E)qW2W<*{?!SaBO0@U5*hG3+zA-Ks~I>|=&q;}#UGWa<1-5{$>8!45av90X! zTsSv@?CEMrlF$CJ@}ChMd0DXj1MORhe?r7rLm*5mJk32sC7<&SC9+Z$svqTBSF|pr zm=@xQe0sfmOx*)Yp-TkU(4PfJ=V-crr*KkDu|+Z^%mPq?!Oy^U-H}O>uDWJJf+#gc ze6N~J;dOlwUWoS>|KwahXzEkq)V6zNA-qpPLWo^dK#~LV1fJK(WSz^*hF<4+aQzJ3 z2*3w*bXDyG)~)BV%iKNU`NaCAmq6=i3r|#akiDJwF|lrr9<}0=#CTS{Uc!Mkyo7L` z`{Zw&u_3Dum32QQFrwo0eK_1w<{nzzy4W^EHXQ{w%?1uh?x-CF?rfP3nVdZh%KBME$ z9YfDkj&8eRaVfZ;ax4dgIdYxHVQ94Q<*$3Ix((bh>)yZak+uzHbX=qo-}M1uDWz}4 z7MdSql}Hg6fXYPVRgJer@E&*#6bAL%Wc^VgjeTTZlqpE%G8s_lq*SSCATPo&{$-&0 z`kZS##$A8s&1fKXTCcQs%t3P#bnE1vy{O>;2}`ekzD&9U#OJq<9(kuf5QkfcKQIkC zsc4JejD4XJIW_UC&VF;8WNKl#do7)E3aWS!{!Q!k;dJ{@FxMReISR#?a}s%<8U&Ls zHU?>wE^-+>5xW3%BAF5K77i?VhPS`@c2%FSqU#=7#sqPZi)Fgn3NO-*Y$e_XaHsL3 z4Uq>2__yMIh`J;EE8m)xmz39^;9;GE_R>MfJ!z!A{Bx&~Z$W#kJFh%?pU($qV7q|e z{Z#SmReemEtdn)c!4*QnQ57vwj|P&2m5V>48|GK-x~+ZnyRtBX)HHaJmJQ>!$#~Nk=T|0U6YiD7C^UxXhB*OG#dYDrLs%Ll zM#zhoF1$WLnKgZZzImeSt^48{r<=L(Xw@m3L<~D!l#!cp#Ml-|@qUZ)`U40^cM=EL z<}%4jL#8z6daIhu>vsl97c(B=aU4}L4asniho%c`9Ll1GmmLghz9kzUNRrK=aj<9S zr=lAiz_zXqhB3Z|3rgrP11}2|7|}lIuHoq+#JfRt6cBunso+Gp6Nv8Q0Q7w%sTguydP-J@~T==x)9MpNyIw) z^~mg!P_fRTaKa7k>&eh#!j9Cgib;ugAQ9pwg|JM z7U7iUsPAr!)-e-eU7^nqB*tAfPQIEdebrxPid$n$ShIYqPTVzc2naD=%b3*myqI_G z7US7LJ7wpc*9DP2`h>WQ;w|#LAIT&HZ6_ZCaR>!i7folJInYt<;QF9zLw0Psadel2 z8%4PtPI)p{X-|T|A~V>Odd-UF$O__Z@A~E&xRM0?D;s~+$XEpqaP%X%#t#+5=Sf?s zt+5}tX8G=9T1Jvuj34b|PZxPaFF<<$O(jhaV0X5M3n)3@>S< z%40jfz^dYDvUq94eLJ|Fd7Ex4|9Dj}#QR1^C>gC2epA~naVKNgls3=o77s+;E?Qov zaazK;A29N$slxi}S#U$+rJhH91tn1TUtHJ%Wo>NAXSK8%8Mz>XW zrquh&f-bS+j#2mHdE92t1F@pTr(*I|w8Z!ZFxQcItkshtY}!5&maCalf2MxV3SZ?V z&=U-rHDKT1S{RVKyU*Ocz*CuWZd|FlB{6>3pn6J?^C3Cb;f{mCgW-VaUU$Qne>YHi zhQxw|d%E|%J}x_d0t-wX75=jMDG}2eB7rEjSuDb*#r8|kRo zzwS*F=wcSRg$l;d2j2tQ?uS1A#`~cyce2<7eK|r=d7et-7A$8P($*9Rx(Xqu!$+5% zW?XZfS4|&BULJHB^xvSvm|ATBUu*VN@@FEn(hHa~C`kzT!zC12Cv?|JWF zBMGQne)(6eGmNf3|9zrp>dhE(TZ4Qmw8wPzT;S07?=Bj)^wXh@e2m7a;j*v%Ts`xC z>_(-gbhq6bdPc~&FQkOe!z{LzUV$QJZ&rHwL$%mvSdzU*CeA~rj~!uyUWP&e$NXSh z$*F-5W8&m_mHP?*D$i&bJI&0SRGV0-EVE@V`~KN1CNeZ~>hZ|}%TdF;`HtWCVoDX= ze#VN7{mtzxB|}1d^oeDLSNqnh*Rx_4O80#*?d2l`RK-@f6m8>P)ukoj3N9xrO<6I% zREFYB)xLg%-g+a0jfXJ-6lEY%gN<#u-Fx1u_hXMGBn(cAGD)A1J0BMv?cLz_B>7!? zbx@-9zI)o?StZ1_1u}}={dsc31=_*+Y@GN0X(LF6@bLk%8!88o8gDtd6bD)c*9~r7 zSP2FVWyv1cJbYcCT_kLH049?~Q^Qg-Jasu@E3&olFk)^y<3#AvDW9>Ht;nhK=QD>a zUzh9wC;aPl@awpfi~m#;sAs*_XEFX^2?huGm`y%hiT{*6JGdmO8v^y=~)?mjz=EH{|WhKxVxvwM3*zI0kz6_2d9lr9esbNsWhKKj7*^UEAZxoyE0nH$ey z=QB)8rDxW(A6TBS+r4VN1F%{?xOjh`VR~A{Zp6jKn5hi&H>k8F!L-$V<_rkE+*~BT zK6j}M()ay(w&m>8+|m_r6|r*HPCHd-p4Z^sT`&F^uBnuK`mLNIf`nPID+C46=Z5+a z0nHY~wC!{DCXO#F(AEmsj?YM18M>@H>UUar!R0pnM zg#Ut7Es+oO)eFScl`Nl%{|3=*`Frr!Xni`Po1yK0NU|uD-sQjdo>pNNe~mrm*Vf&$ z+0pA-(Ej^JFgyIIvjg8}CkR(Ap>bp5n0b2)e+V&Q$Asnt%BHlY0b~)3WlR2>%p5CjAxn zxBZf=sg{m!$+~}JJnV8`WdtZRFwxi4|S^rA;?K_x1kzb&rxCZ}!WYG-Knstg#ox$FVx)6%wc4?vBTghKN{a?mCSkwWSAK zuuMAXL&wPUeFB+ulO32W}?+m|beDpitIT5rA<{es=+WAz~ zE4gM01P7PpKYS|v?)}^We7qK)Tvr}woAbacDRa~t?j_;Cy3^pEG>iImD5oiTbq{1G zGG=SuarGI|eZ6g0x6HeID(J>7Jlz)iuG>3(QuiVo0Usc~R=pHn-GYAc6Nm%WTb34n zeMCCWf-9DF<(SfT`M`!+b~b`)nR^+x;{J>Vq`%v|2+;pH%`CSRwWDUqOSf~UZyT_%-6s-!7sF#T-^1XEE{RIYwBuJ zO5V>!ITmC2QG-G3JMERuCdi|!R!HEZtABgOn@A`p_*F-HVRT}a40h{wfe2sR^@3ru zWbG{DOEG5HV$74g2_9bSCHMRJOK-15th{Z^6>@VHLmp3`*AeF1tO^Td_7u=8sjDo! z8)5T$%&ezEJEnKyWicmBe^oi)6@UR73T=}uNmZH|P6Yc}nHlnq55YISo|PBVii18z zZi`Eix~wQdJ!k3TK*M(ms?CiFN$x}yJ+DVzY;9btVrp-2mo1_dFmSz_h^-!y^VdiT z=kkb&V+^%x*X?@uJD)k^ZTcsj05lCv>rzj+pyO1RN_yPL=YRpjetDpeU?w2|m^`fh zCJ*!@Oy7j;CYJ};v3n#c$h6%j*XmkFTijWW8E#)E**l&62*ShSlPv&(o#yn^+@497J5|r(?hz zUiZ2K0r>2?Ob!BOW&xAGvgvOKz9EOo9;sTgjXDn?mCigu)u=<*s|8mw@5mZW%*1-1 z{eCL%HMrNPnpyvPq-Ni1R=F4tGips^GhS1->6szdkT^Q7=lx{Ld~7~H^!?U~0jtIA zUK@0FylXNzFuMhpC1yB}P@9ee4i4a$x(X19#00yrkV4)GsdVV{Apj~fHBYbX%l#sq z;XX1p)8R>lv)mqBG$!V-a5+09UN+2Z*T6&d%Az1;-a5FqDHn5f6tr_xSK%~no4p&s z?WmScw;Ql1i^a`co1}2CZ>!>=8{_v*2k$z2UYf4yM@sz&rrFw(q0A!Q+_Q5$T~(3y z+r7pdmN8YEs#M|Eq8^z>e4TDpd#OpUvCIPKR%ihHC;gS$Qj>e*+&ess+3w?Z@D^_n zloJnO(@#|03EsRJ{#*fCmd#I}LDOcwtJALB{wSIRMY9r?`~15mlNoKsv+23=xvJy& zny{bfZ;)A{oux4RaGHh4Gqes9z1aIZnyJF?Qv)y_^8+UJ*SO~wwVDu(i%M!!^d=bk z5ic^(i_@pKFM`i9PWk0T&@TL!U@qDDV||$$&I?OjV2Jt>yYnKq(7|=^QW8uC1Lg0A z$oj_kB*1yUE$Yz))1TxG*Y!&|U{Jdo9 zX!m=IhwZb<$!D;2D)|op`ZXpQ=1Oy+U<&w2z%t!OpZCoGXYs4bvBY7%kp~mgJ-I@H zuO&9t_o6Kl0ZaWp3}LF=g0}TAj9W8#2k2FL>gJKpHL$n=>_?QrzzA*eg2~ArbC~S? zK`F{!OzNzgv~nYIQR@!G`wZtiy}q%kGzM?lfQxNfD~Il_vvo^I4B`(+f2_m%7Fl%? z_gv|Opp|9je)L3+eKIcet}(A&830XIeS6*=p5`wxyua;(^iN0Jy8^OjU}MwwJAldR zx&jL#8R@iQsB@Vs(T19-!;H6(h(+0+#e~UJV6L)lp&7o^nA;QS0TSjZ#EeAa)KFnl zI%KuD=d8d{*Wl`I@R%=sT3!;!{FN7->_>xTt@q~XqwQZ2`-(d=nV-soFE*Y%wNx?I zS-^3HuU|!D@lkV901hIKW8L*~6fjt>mmRJRNsoLUXb;HjwhA*e!=%zHjjbrTMaYx%??aA*mCM{Pu>N#rBFp@B!K!AfyG~N z9e8a~&C>m9b{FWtN3gth98fund3NU19ZASVae$N!e2J|6^lTLvB);1Hq7(S_aDQt_q{plW-DI&4S zdZr-ir8REkx}0V|hUpC!fqS(d1_!J+^a8)+xZhSb2Rc-;a*b}3>`?9K?9p#Xq)UAC zF4_+Cyyc@G$bCNMMxSOWARYW87-1QI@H{YxuJ+;^Vtz4EXEwph`1kdCnY}UraMoC3 zMAN)O>*yfZFpZ{$_LqIjNU5=DxTts~+#tju{G>_Fw4@v~_M>}m*>?|#LG)ZnI#rVF z2VV|dG2+l41IaD|jO&Nj6>Im?zl-nkgMG)Yu8k=(-?5ZSD)V|G?)7MDrrzO6&D1Oj z-`Htnu_g1{mr{boJMLlMtv;MejW=p%a%(Moh1@A;y0~Z~k#jXkkvgif^a7d;eRzsM zn#&0y<@ZvZLAe-`Oi`J-=l)KeC!{6P0|VY+rvw%F|INmq}Ha0vvBwqNvDPS|S!`SWhlV?AHqfo@SN_TqPC z$ji{t2|McsCTa12qvk)Q>AQ3`)zGh-QX(Aw&wPx9Z%HnxcAb(uz9V2pNO-u3ql&5n<6$QETyi2{yD!z)TU(eSFf!HwLF}XPDWv>(V9qv7{ z??rRY(k=CmBfWAtmn;se;5Ur->x^&EZt|)p&-U{+JAhu%Qx!PU=zcMI zu9(S>`qqQed1Z*79#Llxy-5+cWb%mJ-}ne@gJUt#Q!J^ zfgYDm9zB8EncIYF-3Wf_L}|WZGX6D&G|Pc?^nX$I)zrqU@(PGj66(CLr%)8gwZyDij znB?}JMB8cVSdD#-xv@1-5uXZsC2jvJ!|d_iS8~#2f+Y~B4i#dDJ=#>?`^&{{$QYWi z0#gyHsyvs8=%5Z}&)s5S{Q8z!B&ss4z^ym?Pb2SiD`CSm8(DT62dVOwgimlbB~z}bSz2=K#y9??iKaPe*;^8JpOh?mBJ@x6 zYEBKYh>y!&_N7bh)%-h-6y|!WE_A|Znigf{>U1>W9?uBn*oq0FYDU@pno|P7flH>8 zpnI|Vcj8rDS{dZK$EDJAE)INl&P9l`d^D&HGmF3+&uQI2n5d$p9ho6yfxUkQh&KFb z4X}zcDQR^0YXkAo9)wu;K!o2fsHVmMj?T0jR$9U>a4Q~#kYGr`a{g;e41q10?SWx2Fq)2H$XGP5)1wpzx{qx2i2l|0*G9dT}@+Nk^gW&zB7mtKAa`3QQe7lyVxU3q|NC%$`t!+>nx$Q3>KK4X+v z=@8dyd5!&hK)3JvDN|b2f+>fIZu9WVYY$vrS~BA-qNzHgdau)+4+HkBeR*{gZoy63 zBnuA(xK`(#YwzUU^-QhZ;^(;eFwpEkYAY#!z$`!?*w`Cr?Sp%>J~06dsGO_%J?ltZ zMNFz}bOJ3VQwikDlDb#Hcrkf7SjC`-rS0kd4fTv3KX~*2IMLC4nX}~RgI;g=({QmjYofVAePZw&`Um|X5f#jH9x}XMa%O(u ztb6SXMl5YZ>Y1?u>KTz5W~RJ{5wj$VF+!V_Eao>~G&9JiJ2z!SMyQ8r3S+%u_#ubR zF=-2yK-X!(>%nn$?Z}w#)+_w*%A^k~&+#7jQj45j6Y&MNUcCo%h1=ruTzcw2S>L zx$a^9Yj*Nwqj#HZTyl4n6BW|GHhn|#@)D8uvJep>6=V>yD}n|>Je%TPcfwL#-qOfF2BY!U##Zgi;CCZFZl!?V2#%!25{mSjRz`^^vL@o#-q8_0+ zDt?qZWQMG*=4UoP{OH8{ttU1Z9y-xc^`|wgR<}F2%hdINyiWDK?`wi`PQwPc01K^&!6`f-iqJNGGDO9 zf&&JTVz=YmtR0W=+E|M0wc<_pN-cUqRel!9UR*{&nr-R}4nwmkfAxcBB!7prlBsFb z@DJT-KJuH|b4FXI=8tb!cTmE>#$FHs#l7g)&0flXKdAmG6UOuEqdxLGi#b&dlpCw# zy>)E>KA|P}HM2qmL9^^9MAu*+kW zBvn9Q%Sjud)A)xo3>`gXMz0{FI5K$;O8MTKJY}#}^JR$T#P8J4zQB>{?XC>82?k)T z+dkCAud5e?qK&o zwnbKo(x$eGZieRH@|HbT*5kp$`oVf6E=p+B8$glk%bj$~1)l!{RNJj0l-gCc&|9d$ z9evZP#;3O<4(`=9XZKYIDqlG7>8*GZX5G!M$ReRDj*WzFwCR8r$ zRe)-d4D{=z(3+j-Xu8ze)~T^(q>pgmSFz_^Y_F?)$MPgCj-MXO6fI+%(;dKiyA5@< z3r|hkV}USNLn>eN*c9E$-Awt^>ji^`5w`)&XT^4cdzK3ys&$N}JkE5kA-DJZ(tCd0 z1AgHcw0dFGZ&6J`9E-XmKW(3e7QYaGyE0Mk;1o>rp3r61Fb}nojOwQvmI?!p4>Qs9 zTtaKHE`D5R&oo6e7JJKC`i-?zNdJiRw`?I{v*esU#Hn$WTJ<&;yk^# zk;0d3?=>AFB)*3YUx*pe4y?JcR!xWJh^ftJm3#V-UG@?dXe_^fE@3D^M)y)7XIo^x#tIwC$G&NqGGz zI_L@BtnMP;thHODx#SVg-p3p_vwFV?bh~ibMN8`s@pbzfTl$*ObVj$cGCbC|7~iyQ z){M+dSNh`jzZnjHf@^;}X8|L^ETds5r*_}#zn^?J6`Jq#Ww&kEn%zQk6osLH2~wFl znyzA6vrQvd2D1+$B`asWDuAPSH_hBG+xjdEuPWElCo0GHejN9lFm_<8kapzz@RjcL zHXOKB)l>nm$`*F3jc~QT_zOztcq`E#*9y(&zj_ya-Eo7>$c(5CS*<%b=DA^g>}4*j zo5qPq^-Oll;=|fim7c=zJS~J{RW|o(w?{_tg_YtAzg3|XQxCV z3k)Y@k%JLGlKpbX12oLYLXB8>74oT+AzRU znmAUj?|CMKJz4fJ!G&cYg=8)aNcny$6hzUfxWl%g^3yJKw8!Ao)7yVF_RpWbVkBIxEmT`WaHm>i)S zog+f%Tk>1yj@1BOUJo_})VGqZNcx6cArvtQ3hO|V~jSB0^GFij{ zg%FlQK`d_kl#+(0#0|U#q`L{8??aS?e<&$cq z6?p^ucfZZ1W1z`X$zb{#qsr&ERb#UJ+bw%K32%q5MZQw1gxftT7R(fIyH~nM(rKCE zF8nkSH$=)RsfR3r{Iu|f0}FMTI^LXvdy0u{y^>K23(_x+ZT^x2z5TjbLAy>NwYdix z{KT;rsy^u+NN0|kC7?rJvYsx*l7@#L%>NSaU`s3~9-wOPQfwbutHe znw3tDQiNN&{uYc-zPs9eHB}jWVwK`v2Gmln47H^S&V^gOmX{#HDR|xSb$VmWwh9oX zyI6NcQ3J|KPPvD_j-HN5?M`Els5gTAT5wKGWF}|nnma88{t$OBDjslgEyhl7rEV>5 ziSm=`VV}d5-o|)#Gwt3s=HU=h%h>T=wpq5CSHCnv-?x1l%j|F(Y?Ek5oSEzh7VFAjD)U8yro z4FJm6w<&(KR>aPL!o75~a-o*`V!>xty48os>?Pzy?Mxz(jce#qF0gaSWs*>|+~02> zfZIaQE8JX_v39R!mK-0~`jJqLIiDQ{^anh@Ejn4jtr%Yjzs2IP4knR~73#rU2fG)h z*Il2BZUw=d(XVeoEVCu(u&lXqmisg@F;jN#R{^j9mn*|le+tTPwAYawhx6|)Zil4B zu+5A$So8jHNXRrVsk_2R>3ctGZ>7|+WkIKw+=4sPk=8^FT>*+H{ckO%qz{h?^FXg&{2kk+s^gYIAO2CJ{Q9)yApPvCCY=5zhmpI zdGvdu_pnL3aT@S!|HD$K=6%>v&tX27FeD;_RwW(qAYVm;g=+NVes_j z)~FWhz2Y1|Y_yfPrEHZX1=TpS_eH$Kugd&=Sp6l}<2L#4@~t~XfexEpkr@03-;1g* zLIFN8r9$AQ^53)NSIu}of)FLk`N%O&tzp<=0{(rQa#!Ztt9IMxjj;IDD7$u-M9IN{ zl_cd<V6T50+ci4jPaXn(ucjI%6Z&4VUBc{7cfo)|r_l|Ajv7+H-7n3%-S1o(h zhDLORn&!<$yg&j{(?2cKm$3N()G3IKTBD%FdadZgi%2zD2bemu_263QLhluelB~X0 z{=lN)T z{>ODS$m_zNB1QwIwc}IVui883bMxJ&;9`Hi+FadCB(r(uLeopB&UOfT`UmI|?bf_Y zC1Sal{k__F8hQeS_%_s5a1t^k%zl$ceR5Tx3vJ!tBEwgSH~YZK9qo(*VJBl`FUDGUe=W@&qkVap19tQ>Df93 z>OdYMvJw*Ac1*GFf~XKHF37$fBrr+jqt>$on&Vv+93)(r|k95IpOY#?wingO1KIS^ZA3Izvmw4xmv9%L0*+!cF zi1&pOfFI8z=EG}ci_3?1wIp!b=Ov;fculznwKFSFMKQ;A?zf#>=r{J3&5$WwTlkY_ zpab42h}qQAt53kmuN zG9NDx2Nfw4qCuseTUb=3VhhGuXC`|IFnKAuo$K@}o@9Z;w5wX<*{=ModI?t08bt}D zSn}`Kti2=$iSxnbFAt-eYPl1vBFjnPeK58@58jK#hZRh8)jxYCXF7Hl!H2r#QoBO_ zS>Xci!oqrVeWpXqy)42!{wP*F&`Q%ZFE;mu_`@PwLYvg2wkX@9Mdrin7cw;UZYuR| zS4xYm=GXr^Z6b#vxjl)gzI;D75e|g3Cwr6#>1UR^nFE2{!l&E(spZ6vwTJ2L_;(>- z3$J8O%N7BwDJo})bx1QSsUv;Ep8*c=?YtxWwaHK1@C@(WS&}<(VT6Azh)or#O0m05 z^XFvnwjhW0hnD6Ix0ZB%eZTuX4a4{tTg8N2*?a+eo z$AG!^r;mS=bYIC03?V>~4~^4^-2CH1&L48o&E9pthdb9zo{UEH6NV*tdc7IQ@?Gl2 z-401^IDW>!<<%2vr^aHmG|dN9GcvC#qBC?>*Q8G1o(pAZjMak9F!&dhLyG`b`74gL zhD5ecS{5n<(s0k!Z8@e~GiO9-oJ_-6Sh8TZn^cFY98DHY0(yW<;Hz@V23bs;V>&08 z$U2PXNr^tXFuf(r&-v)c(HBDoAzx(vHEz%|9*#@CgJbzxZOB-f`Bjjmw8O3IUkQ+ z)dWrPuibls75C^$e%;nNRHM^CFjPCy-Lb7wra^7N6pNliuQ4CP+U`8glf&m?RjnJ4 zstS^g3UJSlyQ_uk271Sjodo5X`HOWtKPcKh&Oe&(uJu~_L>708sbk&g<}V$4p0y47 zZl4L=pld$p<;zC7pC}$w-#Zjzvq_sQKy(*MH)cM$1JPtiq|v);@Okd3SImaLl6ZS` zU^19XIJOJk#Q|L3zV}0H7P*JUer1qkOAZ|$bBY5#?7c9v=)6p+c6j?{An&rdDG&eS zlc3b|{rOi)%dr&~)gHIV+y*zm`w5q>Zyd2_)(j}*BUr^d#*2EbIEAQp9$KnTNb@)n z!0L`jw?6#gXQ?|c1+&0{^S=z}_XLRwA2isS-UE?ExJ7#qm9jS%uv?K_;+;rT)*0ySV# z<*SnB%Of6#6|h$|%yMV3a{2Os?FwY_p7}ngWaiu#G_Bhbe_=x6qb>G%&QE1-oEgZg z4PtFG9SyNnmWphR$%zs?t{oFyER%;OYL3;M4H`LQXEF`fw?VNh&4=|1fJ6$6ieV}jpkP6SUD!F z9Vxbs<>|{@UaJ;FKeu_xgi0 zyD=_vvbIF*KmPk4OIs4Bb))8`Elz(YTa~IEJb!Af2+N4{DvnA~#0GY3HxsM1N8BxP z@yC^LtepqUR22==5!0R(9`##TY@`7Gmx}34Mk6fd_%;56{_mWO1}@VhZeoG}|qr2lYPl z=LBnd<#I9h_J#J}or^x*_gUV3Zq z8zy7oz|rs8;3~FXW&Co5_IO;A7YkRm)tQMutv>=K6)!=6#1V#ZdEy*Ti>d`^`nX`N z2)%gdRcLRy#;2(XdaV|Xr1qEjb6j19B@a5Jvk#aC{1RSdu5B+G!Ki_J;$&t6*8agQFJHTbARO6W8=dd1BM zt(`*(0b2+JuS*jF9alY!TJVav#Rj!jw|^_5nOg#%AOQ(^U;@ZRNx;~CQRazK>G8|< zA2mN)S8i`Ev{dqMU*8C9;Mm%>mT+vhY^*0>nlt3QH)()XtoCv5nBJdVO}ETFQ_|a_ zH)*LSS6S-;iI9;WRgLTMS?G;{Fs0bJKV?A&ycG=L9u@$@3xAx3e(ns_?qMp<$;MPfb&Gvn;;OQD$iK;az_2W32Z@j2nU$2m<)nocF zy$XHAH_8;`vCO>Ly>%u|huzQkjfi7;N+pAy`m;#%#`fm~SsGeJ`OktOT-h0D`#=2( zB2Ql-Hr<{NYXH)9m(Bc-(#|3W6_|S~jC{H0f8JXqMObML6jqWHb3qMu79PT)e8$cr zokH0$p-WQH0^*{2-iKvw_^^ztL#`o(!c1=)vCqBOp7^2+sTY9ymU!ffr&zN@bpC#I zb1~F13GBFriM(0f{8At1kb@KRHZi>ZSHQvs&XGu^77Jv$;qB+I>*+{y$ z@A6~7U0wRrjO(wmPzu*vB9KWB%`AE7OTzCYf0OwH@BGF3-m(*86j`Z6h6D)gV!i+@ zq}aIrh12P)f9)W@3mT@VL{pWipQ-qFk{ccIA1yOfa>kesmM?l()INa&ab8-gIP&`& zn%=%I7K)$-a!?7K@@!&@f>B%x!XC8;mgY+_y!pvM$`Ij$D*pjVOFzMRR^^=@VEzBA2NQGrK5dNlg{ zBxMu38yH8C8vL9foA{j7xkF$c6f5wZ#XrGQo9V`tUv6}O%Mpfxf5h#3Mx?}s*tFgp zN=C4ep^%IS)S_?a0(lCedyI$+)vu+gj|?Y_nN}25gYbm*uyfH%X+~_z=_B@s8aKF@ z_u>W%5Y|pe8>bhkgYhhe%g&p*;l~kA6BYI0ngN~mx}I{bo6M~7-iU4Kx0wyc@(^nY zSBE6;aAluPqs;!8EOsuN>w&`k8t7VN*e7k-jpIbzjX zHIK{#44o6%g{mB}FH1*QB{**dS{*E-IFg*SM+QZ$hPh0#L$yCaF{0Ri@HdLOc={E3 z5>Segx<9IZ)<-WKuF`R+K#WN3ZR5$538>--!v}jiyV$6n^%%c>Q}vi9hFb2$YA5O%*>xu_(~s16Z}nw=2v?^T?AR986H&oeU-eQ=rVGA3sF|*$VmcKzv#}A|bPCDM8k2$5SrC*LiA?FJ_b4r%>BqiwO9Rc|ljwtTqT3MepLZb%yYOm`(qkx8CbI$6XxCQVK zPZ3M9IYr+#)gU0#B72i411}Tcf+siO{23v1tx#dVVtfx zFY9DVYNf#HQHW<7jm?aHFIA%4^H?KFd!0ps91Qvz7&KE|OZ(h@_IK4Ga=Nv7(K%+= zdc(lVK?ILaacHr()MaG>fd<6k`Do_L(FVHCf87h9lHz6$Y|7&X>?^JQYq>_(-AWSN+0P&d3B6`ib=~0QxwNn5D zB>eknK%H^E@mFN9$R{C!QP!If`N=!lNr(!hsJEiVTKO3Jpl@h(VTOYo5E%K zED5$_{uf_+%wwkACjGURGyq@A8Po>Q50}{{4Jm9;4!I>GsuuLxJ+Bu`=n}XdTr>&) z&)Dog>kF9gX&oN3(lCkWZnj3dIL#Q8=!=XdVvn z8PaU%Bms%ef!XNft@~!4ZE~^p)nZ&rAUm^lx!-|peO}_oo~*7=TycRP(8yiTizX|B z3$&p|E-;P$B{k{nz($)(MMv+c7B&xw0zRg%XHeNc1v5G3j{5JeB6@Q9i!Ld5d@#*r zW>KW2s?ccdmJgt86&aXJ;s~6TMgLZh4oL53?Td_xw?$(5?p_2Hj*gYgf_%y}DLy&Z z<|nO+!tE=AT+>lCxb6H_J^5e1PsuY91Z?bRJok^lzA!)AmttIj?uPrHU~cebL%fd~2O8a+;DInR#< zI_zbGJkpO=*RW6mIY%E<%Llnhj&B5#->PA5aoYyrO$0+37+KLUX)@HnZQcPu9g}*;++<1ML-Fihc`+wn^-}I?C#wxG z-U)_08Y}Na%W^H>djm8GY*fFjqdR4lZ#0$C#CbN=Kl7l-jG*MNsYCmS#J%8>=-od_ zjwdXRX$%ZrYAiQNG05p+Ph0#oX>m4oC80;C$&ajg>vX{VreUy;RIU%N2f*;yn3(Oq zE&jY9hX;<5UqwTHcQ1)4~ZofcK-ct_ct*+$J>s+*r??7>fTQsH`*z1geM{~Y9vUCO!N8RmaZ88M}5QZ zxETU1JBl;E+TpC8*%Hs2Ima4Y&&;GJ<^?7p0MfaMQ!U3A0$m+W;Yf;+TT_mRrxk%Ob#M1Gn zevWhzo+a>Zo@}P~bTT4Q^vHI6Vhm%=W|DWv?=t;HUJJbDHCvZkC2LsvesJ4rK)aGQ z*_5MC)ujYl@phBGcVY2|rvGued94lDk=A`l537rq1(+Ouj3FJZZ-jO_0$>A{zN68q z$X6EAx?L}5_Ayd){!t#^%c-og>kRWJvyR&PDg1S`Do!{LWIl*n9()O9xjy_X05z%o zoP5y@PNWC!PVxw|b$+g);2Cxq2k+j+^+vklVFDHxa7pDydg`=D)$q`H;7M*L-+y6h=nS%*5Dd5`0%>XS(fBS0d(ej=QgWqY=3-9yc zHf?bt4x0yDsK(`q=m;r5Y$Lzt(}Z_^YxibFyRxa+027XfAynmSiNzq;v+xSc?heCD z%bcxja@>9Rqtu0$0A=|H@r!8+X~B1mNqK|C0I-j;911Ey z9tl7?XWi0aO5 z8CGuaJ+dVwHw$H{crZS}3$(G=XA3_kx9pqO{{9E((8#we$WF1gt7_bXy+WZ9{ATa3 zvB9;ntu0NxEF*m@2V=*}jOaB2?cN6_pg3{#8cA4$;pq>J!uBZB%Y936y{i<{E(`m} zn4!BOkLO+*-EA+^Rxi5o61VpY`b}#1^$pEf&x=u&5|jeJOc2!+Ltm9T zzD&K48pqy|DdTb>deQIrecnxMW*K;7dVXDkp zyz4Id(=;x~62!{s`MOtmYYLOO;l5F{J>wC@@U7naVKY3Da0_&urkC;yrdcv(rKn&& zT2IYEz4WK*`f6VE_-fb^;(Dmsp*UgR(gRyq6-skUhx+XO_8enh;3XwdUU#XyJ0!BS z#a~|}TpYC3cVcB|dSBX9MLpi_mq*GKf8y&e`pJDfo7-m@I%j&!{uHE+@hAAMql4$}E!|o|$tEF-~df{(I}usvmjHay?*dTyGYW*%D&G#@O&_ zSrIxDd;K=ROr{ev#b*Tl-NVWMT^*~FlF*Y}FnQaDoYAn@g8|#%dN6Q46pd@`#{TTec&UUuRwzz5rUm94}r%rDf%LqTi+@oo^h64wu^^mLD5f8 zq?u*Y;$BY~VpiL9{n4zb#=-6$aTH+Kiebo47oFOeQy982uDO@0;SAy>cVuS>#b;%S zO03_Azfs@(VI1OtWQjowr}$1iDl{nT=UN^#5=6lJqhKal;>q8OO8iwC9+%<9N!t1Lq4=4ZIy@z?7zc2_8 zsHAgxe3}BrGREZ4p6Ezn31X2|?gj=P*=btlhMj@4bH7C?X_mGEeE&JtwE1=;eq5cF zj^sq4+3E3rs6R6jD4@oX2rW$`Y5=f=qB!jQ{D#|D`CC|UyNWCz)S2O-q+W2GTIn?r zigQ5r%RtlwX0)LamN4WliGW@1p+CH&F|-G_#Q=Wgh0Fa`yVCgiW4!Su zAUD&vif_$hsO;SEuUvKRrM3jy4Xgv;Q3qV-hr>;Oc)uByzCY<&n7}CXo9+c*)QPMz zeM)LTl)4832%e%OAP|497z_V!(4(Q)-md25v$BO7jQfWCQNag5j{4_J-tTw;05xFI zG{t}3zW^=OQY;QSS9QJ0gh!^zX$87tunX+tJHVuh-zw2VrD+2^zZtn?itVw)H>u-^ zpXGB@TLF1&Yv-ror*FedRnndD1hJg%R)VBg!1I+0cda@Q^dOLvMPSS+;r)e&@@XWV z?Kr=ddu|T_DL%zejQuh)>UD1vX|`mqtm)bm;F5f1zejItD5L2&4?99Nqr$AVzfxR}4Np?% z-Y@rBNO()6V#wM!AfAX~q)!_*1KoYbOgOegtU?}fpyI-=pGNcp`oYQqH|TNXR1ekk zd%{ta^*>t?1?> zTG{6^$np-i@E~%>LH)dwS|f{CsbbsfkUjb;hcAJ%L35H3!x0;}=cWc^wI@lBRs9!8 z^dHVOLA>G7r)5(3IN|kde)VH9P0`zNFw$%ukfBu)A53u=B|^%jdwAIN*a{5G(C|D+ zdz%$3|A}o7SLD&^V{vpmH~N8AYe+t>_A{}( z-lS!-zCf!vLp5mgu^QPB*?H^$r>HY`Q*7(?gLNoJR-8U6BA!b?)Hg4zKc34A?!b0t z?bV&-9Trw)mUln16XB|gl$Y#85B}T}6yx~_+1X~F%d8@GYm)W-f4oIAR?Vi;&Il-e zya^=U%!>?id(_>8M`(tLc)GE55mh!P7)CYV?rV+xSyUD!o+P^vg_aVyE_hiJL}~jt zPzl6eIm$mOP7=;i-eenG7cyOaEipfl9T{{}!6Q{}%l45V+MpM< zAf2E*##5OS#g6vwAT;F0cm+?Y6ek0PvF_Uaj1fp=NwM$*6={Dlq3dNXVv3x=#H@_; z)L=g0QE)q#bF_byTRw*4F!Re4OWO9{cU;oCeCIa2J7(}r0KS=EXBCxu<%gj!fJB4$(&-&&;2ejL>(WZ!om3C2%$~wFR*;`YBKvPx!o|D&?M$N8!gK1J2(RuqGeTjp=_>%#|FYa(_Eo{-+&9I?$D@AT zO!TT9ZfjjLW7^-atsDlf$VkViR^lq>1YeZqYg`G@O9U@B8UYqaX7FNV?25=IV$dov z9%+oR>)o@v;ad74(gpO(wh&hB^XuwCzs2qrfw>PUgr#a>I)0WJK4qK-K2be9mqb8t zx|&fw_F32OS()2hYzr%C4AgDwj=kTAj^DH~c=(D46q9Iml#cQANrLJDu?LxisGFPb ziwb+lhX>oapxfu#$*wi~m=eJRKA?R$Vm`IE1GNr`d?jBuy39A~^e3#9S*DTH9(g4| zH3jsc>B0qOZAi*pqOg!8h{ekT72WZ|n)HpiCB>W*Df(?lk9emCeFzC`n#>oZ} zMk5;$A!?cpn-hb{_)$Z#TxFYV;I^7$(n3yaEkwdkSwnwdgcf3m60(%HzB2nIJbPHHAUIAwaRaB-f5SMg7b(yKPUQKArU{WlVSu2~Mb zDR_O!;vBcOm_jDQR9yJBD z=r&B}2^zxPa@}bONI)t{v8PWc`U)PXAXaV;R+QvZsRi(0LcPQd53n*LUq@F{(S5n5 zZ3uG9Gq<|mt$wa@xLpj&(Zn(}*i}pZway*k171?}*{<`(3z-xj15k7WzY{)YizYdX zEtY&$%GJ2?@&txKiT{!bYXux$D+p*64FA1vKD&YSR^?n8ZI<=}GqFercActB5?uSf z2rwMX)^Bt~0xESi+H~PdPs(-uf$RkTVnVdTmqKF1cS6KbL|5vZ$1fHQG{>fP4>KIN zs2f(q?8K$Les|Gp#(bjF!&zcuG~6X*{R^pRwLT=f1SWu~#`sZK+&jlu6XGab^jeff zQu!75bB=tG>%p{)4c2}Go)$`*hMwDdd(~EdgaYtkBa?P9Mw&RigOlY)YJ(X%oD^_? zypaZz;eN|`N2dF6Ixi*q!G5f~;N}M994tPh3-I!ocVT38{WDlx?3(j^`!%t;WF7ay#=F%-PvxR)V1z!ixf$A#{(mPF!A zKQ~B0#+Rid6WEsJ*eI|2%cEnt_TRuZWh|a2vvUo+viW(t{}WTkmznt!`hTlV+Nof| z#@FVD*z7cK!O(eL98IhOy@d3V4xkMupjk*OWKDMJ^fc|^!s-VOyI3Zb#q-jCG{>{+ zD#x~jw$l8pXQ9@C<&rs>BC7al6W}hv7s^>xInD7Kh9DJ}Gh5APeH3NxRSk3@1+eh1c&yJv>YM83&*RW*1{?T^WV1_o79=uw~Iv|{J!N9lz zc;W;q>4hVvn6Dahje{)dVr&m9Xg2yko`Ld&&VQTM2Yz^KqTMwW`}=SP$RM4Aa`JxFfwA7TaC@o!TnLj@Zp^DC(l8WOGm^uR&ecz- zndLG{V4;sPf0jW*KM;TEvQDDx7K5$>w_WBQlTpTfrj(%9daPxrHN?)-_-;Ngf@y_d zesky(p=2-!mxO4X1rN!Mi-XX8E%m_esl0r415@(0UqwaxOzKO z``XPUyq3(v`6OgCah6xMAs5t#{uj+$>gbBmz2!E*+*cZCE%V4@_p!DN4sQ6i)k1mV z9{v>ygxk0p+Hfpcp~VK95h!fJ*JU2V zet;5{=}q9_?3pzFkHMS*t)8|`o)WwcyIH<#K{08eNQ2lcnwNOp&*@{1A0*Q#YkEqx z`i7^`JR?!#_w9}?*n`lgv2qcy{>vLJHa@hcR8oXBv* zDdt%my8=VpoOX)}XXOMtQLjn7Rm7q%3;hZ5vOyq%c7Rysvv>?p8!B|a-*NB(@E7&D zv*8RU-}~NIFxvi({@%Ky=%~wKH%E|^g+W1dVTP-$Vdld{HBDt4zJKi{Yt-Ab5<5{c z1_4GS&|)Hf%o7{FBDp;#>B6K+HjO9zfJpE73b^aS%tgHONr;H3UJ+CXNQlZz;nCoF zbTcfGAL{~T=2x;L7GD@-)jy~4^ysZ`+~br@=gxFeLlCl*0Zz%pd*ylYY3$~S)_dXQ z+;IY)Kc|)THwtNQHlFOnh9x8OTva{q7Rw-Od;x^O@izhU8B6m{D}&CiMCm-27yVh% z`H1Jg;ye?TeG}pl_tt|Sas@mdiOKuYHI=XMD8Xqd?me3?b|B3*rIPMKY(sx?bY5ZW z2BXPNtb8T{(ezY2yY->Q3A2$|z5;SkxwUKI;v=KsL?@>TP|o@^*$kNe|NDxv!j!Xq z^p58JuTW%_d#W9C^^;%<$M`bu+kiU6yeg>Mq~Mp~pDt~jmMn%|0mq(S7e1{&VEp>` zSBIOQ-wE;PyvH)_LHsQ(S1Fe1FNUH+f+1qWxyk7Fb&6wfb~ig&H`Y&&;*y~ot5!%% zXwZexN)b>cc!r5AnRo(sB;H-#f#%3`DF#X*``^>kVtsW+AgTgM{vml*^ld*0I3CmEy z)-qupOxmj7RwVmF{s?w z4;u_}tfwYUP&SORi;4UVfnH|O-5< z>o%?~SVh0B;TknKyJ!u-^lTjiGSwP-MIY_=ty+k0vl2q7=VkeyjMyj{=_5%a$+C6O zORG_N@Mc}`d&JjZ5jiguss7||1_-z8Kuio28B+Msi;Q#mF)@Xlpfzl@=vclHR{D$s zeIcU(K}cnOteUJ#h;18TF@!h|hB$778Of%qEVL8V-gI+pK7?}SVT3?IC*~}0} zAy!|h@2+~*WAOOxLizQAOQ_GGq%`pP^5|dsY8dkWE z&$1vuRerP$IASEF)Y>r7&~Ggg8M&Kv@tgHypziC28HxLu5Xd~c$jh8Uo3@>Q?pyl- zqteRHa2Rn$MS#IupUIR(og0ARo~_R26ktiQ^CY(xplxEYj`m1JT$f;VY{jK5jq(< zAU;~{L=~*~4ezJjVnxW*UAde)ln+NofDFO zPiaFYcCA?76DYbYac2wr8ceF{8JTY?r@B=B(t`3uMNHD$-(Q*Lvsa;Sn`XnD*XDw$ z=PtLvbgy$8u2UtEVoa%1$IruBrtbe|{F1120#gBvh$tJ{af!oMM#4Q>PcphNQ3}ql z<2@iqIb;8h^U%BdEe@a@x%j-ed|t}F~$vs-N)d_7y=>Nc}ZmU$eqhM9gRP%xzv z=`Ohi3~+#AwVzZ0Z3;{+(p_`L8{POGhk}^yz(il5l}o;P!ZNvZ{RJv!+SyUZfbPXf zu=!rgBI*`k0ULWxr7iQ)`khX6VPtH7%9N7ZeqbVgsh+bB|31O~&tLIXajpP`X2Erz z%cj*r;Ph(vrzbEx@SWg00o_DpMT+uXUZh|(&wK1lw4w>V70Sppru#z)JRJg3pP_8Q z_^C++qEE$n)VH1ed7c_I_AAge#y(f1X@sdor!~pa46&%wPY=cf7!Ag?nKYPHa?DSC zXlmc|aeWna}&~z4qQ~uVwLP#h96jZ965meFkHZI)8BW4F-5( z7NA!2S{%5tM(bAup-BYoWnDDFr5Ozz+aLy1M-(oLgBW1$>YCR_l<@uJ&DyR+<4iMl za33BeSsSyZeJ|Vg7s)-$5ag@K!i&5@p8e`S>eD@6Zzjmuk#F4H>dV3`1JTa`F&y!#usV~p_TH6hIIsGh# zWYQZYXudMjO0v%Z3DMesCUbntOsAOh@(4N>|g&X{pP@rMp$>;!TUJ`Ea~b5Y!REeO=HO1}m7sbjcqmi;?!7j4M%RQL z`brK#dih`tVRT2fMCCsK_P=2E|NCdF7{Ps0gLhob6}_OlHXmg0Ezl&~;H@-f5|i?5 z9R9kpL8(q~fLe@-K%=_y!zvNd1Qyg2#UBpYVcz@m>6NFy`FR&ru1FJVR(^61Jec^Y zf6!`}-%{T5s*%)hl0$hy`z10<%(M>4A^osOVc{DO`#7J_17)eHC*s4#{I|1Fa(5k2 zD1}T6^R^my7Du_n1d(C2HaSvq_-O;r{ycqOJU@SiyR9b@FBiUFS7%RQER2#BYm`Fe zav`H>fxwjCa%e1<_YWs(!vQVv%-U2p9W>1O_Y(j}b)d;`K^8NQ8XWd94Pj!3G&fH@ z@QJjRKhhyb)D$(gKL;HWr50z-I=UWLTJZcdu5ZDdFFz^}qWnlLjco zC8A%*;Oulyb?C`cAeX9_KlRzVDneepqxG4VUA zA&uQ#!lRv`cl|unWl+(HF1$U7EU%DwUFl9t1^cREfM$H&%b;X{43)AsJpRdnQutM$ zRrV+#vGBWUn_Q^Vu)7JPsP*M=bnW|zXCl^S%goq0Rr?C1>SixDpc=~87?Yi6-T2~X zD^klng~|)DE@$!1^k=F4gajeKyjS_$C|z0;waJ#;q5GR zh-ImoF}Kh42MY-;6iA&XDejBG?Pv|TAJO8wexU9_6It8Q^wE?+yU@|`Z2VMgFZnokG06CHPMTNMRa%c4J&Gp=ka3iqwqX7eB6@t$6 zLc?vF_HYO9r3EyB@gE!j5*XK$ORyf#4#`@s|Z4qHlGt+ z<%5Ncxf?G)ClPyc`49eZ7C&)r=L9Z2`P*_nMo!e^x+M^zrWF%Drahs@z>f7Zhk@Ja`G71X0-=_@w%QL>d+G?-Z|GESCxp?@VOv@ zt}|4+OE^R`S;WtJ+Bt#lDW`}IM@BAM&oyA_7~N4MN^F>3*}Q5*b2k-*7dO!hAA3MQ zqi#R?23>&`rl$alRO`Dp|19R%>Wv^~d#)DATLkW7cvrFKq@G`k=w+uKoc7C4!Gv|k zjtu@L04ax zs8=oLzk?J&ClzR?APfeN{LZ*<%uiSOTLitqp(whVt=*Ve^k8}Si1YCQfG`e!pI)L1 zh9l9eX0*KEU(`_A5%^x57AUuK|Mq+^N9OEsQ$`?H#mQM|IkE*en%csm=+8ApKLXvxLkFsQVaX!5~$}^ZhC=%f~M;e z{wIWo)9Jx#d3O=g&GzOD1_0QIm7^=pudNrM<*>OfRFpir^G7rU9iW^&1L$H z^Z$)`l=!L+CMD6`6hiif(9Qp{g!X?kn$h3syudbZ=|qWJCO(!KX?yss_KDOFw%c=z z{kKc*&%?pG!T!{GG|M=HxxU!qN2wnyj;L_&jU}hy7;ftx^0628%eiUz&cC_$vt@iy z+Gh)c_6L!@A6aM?aup~0mGl<%eVII5+uTXxkc;v1o#KQw$Pn>x#deF|Y)E83q%$*~ zTiMf{rHFsI6SBI(lEs@(}sjHVD%v&UzE%bB+-<@k=FOJ3Ito@aN&`W)7A$hU= zJ*O+hI<6D6M_oxZ-Ryr(IqaKp-hgT!tg*cfRcb-|7~$R*0E?7CxgslUvF^#AZjM^6 z$2{#e8J${iTNP({ROR+9#V;lnhQQ6#xZ;u{+RoYk@{^LsNeiyy+YM!Lj#Se|A5?Kc4y!%nuz;(U!OQ=b%D^ zKX;b$h*oltC~KJ6exo(u16E@e(E6oEk$&B{Sr`SX>8_IFg|no|#YJDgqNniz$B{il zQRtyKA%@U3nrXI&*7!fI071|(+B0RD!gA~Bz7WnLh4ZdUuCNyIH0EuE!2T;4(M`2> z?wfsX2f2v&EY9esSZMN9P$B%NKwlj_<|9IjzZW*=Hre_u@%x&(12fuMb7$HBt*JWc zQxbpIDf}$?wezvh81AA661mA4hfU~$;JfJ<+Q-zvgn(mtqH;()M{Bp|^B{CEhxhN{ zNm-wCn*^hZ&!&d0wkJlTMB0fyFj;Lky8LN0T1xwsS?x!;BH({^WGf5CS-bw9#bV0=g)ecDzA9tRV68Oz}x|3%z-OmMDP=N3y-#q~_dIn@e(Q!65UmWi+|$ zjuoM7-UHVS1tU-QKNV?O{=e)+ZtAxU+?30ar^?*R952AX1#a1d-Su|q1Oedf6)erN zpUW9`?PM&?)=smVwC5g2vAJ<^o0Hu8+P%_og-*QnY@^k(ND zNlBFxL#O{8ZE+Bc$8ub-ymz;Z|9i3WfvG%c@q_gTZuwgG$1fE`4Ah4G5qd493W8jB zbcn<~42Rp&ji}Bp@fFs(?*3G17T93jKlwPYKrbHiD#-&@W3U4D$IL@kHhDa84^oyA zZ`Q`sSQgZ9%zzfN(=vom<&7D@{js0;+i-~%_PA%ibSY;yT0JV!hHo+eu+>X?wm=^) z-Ixg&@?qBV?_>UK(Al(F;C-?1-=GWGE^5HZv7t+zli|s%(ZOGL4FON2N1d@uS=3H_*8)U?NU9 zdNIPcT#oOKWXruLe7obq;byx<%T|4}-4oY`?rR`;j6T1e@IyJ!v6%=XtY-`hg`xUB zPUnw_39-bdVqJI4En{u&QCKy(j!Kr{T(9V6m$gLe}ylAJK ziCS&0)tW+^4k-&C<)b^*zj>J_itc*Cbx2=p^2iam6j?7gM)Z!h&EKJieoWN?39PPfgHA#m^a?`K>PzYX>sdXh~|k_CDmD*xJS&r74GrAvnZ-Q-Myg;kXR`RG46by8ZcjDEDYN%y1I(IL5UAH+T?5B zm_T?Ev|_D%rD#p{st4Iy27vj(w7#_XQZ;kqdTrumVg0tiYLh(&kIL($KL%X~=e8}! zwhy|=DE_V|WGf^P_uC%*MN6*#ZmT#+${R`hGCmfi2K)K$66O1*zz^;<68O zoD;F_{H65kpG&;vTc>hpMRn}=BjpQImyXk)YU_h*rOLX4aSC+09ayhZ*!bVmtv2=r zC!pXUuSyN}WHGBy4XUNG29DxtT-s#U8g>8SLG-vV<*^3}k6Ywa&8!Xfb1o-{=&aRe zSe>>JG$}XN*kezZ?N{XP$|b(^HDgk0j$4Wpaoo(bTMo2Db|}s61?z_tzl2okZ8*y> z#42Q;j(iQ&m{=ChJ=FfmN`4#JtD?I&sKLb_F||*i!nIhv@%_Wvik7w@Z?qHJ<1_=; zU~lW_*hVHBb>{8Q3EZwqkN8KCYh!Ls7#A71mWnhQ7*BJjYS$|(9^tJ6?NT@GUBgKi z0<#f)_W90{wByPJz(#3fd}{0;u0r{(GZgK?{oJno%Mo!`)<-H0FZ2wiU-3^O&Bb^Z zb3RrcM%XX353K#f7S6Cq_${TWs9xrIAjE3-9_!6`)a_%d4c8K{nGPqqzi-f)WNLZS z!QUOKvzggIW&bkKY+k&#U^XLpR)TrZz4K{-!8}QFJ*VJxZ#H$&rTyzI-J`V1R>p1L ziC(z&5AIFdr;$t|?;rl5*bqF&3Ut1~6gpDb7D2Nrlkp`msUH0rdx&7U_PZ*%(YlyE zU58tv{j3ZzpK%1_4?Y932EY=lP>#b_aMPJ)qSg=C=jv9JP9Gy=L|!{_CBjTro;>iCC?4`;!2f+ZFgJjGQU zHNkFNPg&G*mBMz*-ryLE_RHH&iuD?14YD`YIeTR1d@Le|gsbzG)ln{#hd==`h?WB8>5dC^9U>PBI@-c&Wl;I{L%4SboR{_Vk0p;y}0ZWBN%qc zUtQ0C6!`qJ?zOj{*wUzd6RhI>+P>obS;@sFp5rt7StHW(L6dKoOLGs`eV;rgEDGU6 z8Lb-ssW{mAUoYRdJwaSkeM6j3iea%2+0)~NEX})cydRvmSg5nIBvus0$RuFZuECTTM@ z5Zfmyq4Ha<@s@W{3Kb~^Q$4xsIF|IS?zK;PVvF&T(Q_Zx_oRoRk)bl~FMTEahOl3y zrGs@W^Vt2vMYlHqZLCD2t`PCyChcQIK2pq9o#&JqcRTbS1l~_| z?9wjO^T6Pecr9UIijgIR^?khd^>@3;p?1y^>8rxoSh5aG4BV7)^+J9b+DXLA?XtF! z_is7JLAtX&Q#rtm>rkgJ^d7OA2zR^sa0H|LcrM&(s31{@8C6!kBmj4LGBtrrUoomq zE%TLrhu)?j8V_@={OaEE!Vn{c(5>C=$+ zt)};S%!%()n9-O$>CR%kgT!w0CZI#~A+YW|%IOO0raOHi@ernZUsCNB6pxpP_s%W6 z%u)<;%x6Sn7h@$cyQL0uVr$16J6;2F7{{R0X!2&_- zesD*f8cZV)xRH3pB+2`4Kfy9Is8bjmqh*Jr=V`u~9$6FND~m8~{(9wwihr$^X~0)@ z+o5MNlTd$AE*k0A$K0^Klz1#Z^exqH;ux7J1s9Y34Y&Sdq$zj(8+Wp_C!sXP?>uhX zkAt1XNw4^*QhPHD=VgI%tPLGIOaE%N>6Dy|kC_qF=lx>8fa~&a@>Yv<&F!j4E=t#O zHtLC=gdYeqJXf-1yv}O)1UCd!NAtgLnyQhU<<7p*)VnFjOc8O-f_3P#lc0*j@)d$0 zZ=vuY%y;iNA-@zH60Tk+jcQ{>zl;`k7nFxRg(Df{=^tA6uqEVv)aeT4gCZa+rhT7z z*fw?l5Cw+d(t1BR`IrL7atlDnR6b8&4(R*Qs}WA>1nKx8!b@RV5m@fH)R~R=Fu_Aq zRg(BQ>pQ}I91@LzMaUgP{{qUfkYn|d4=Ptsw3oZZQ`W%Om! zB-DyoN*n7`Sa+j^HlC_?3B-Pj@tdS(SrZ?Vt&p`muD$mlzQ`)kb*Ib>C{;cvmXm%g zve$||Qtn>B?WH(6ns@lQs{0(rNHpF(hiy z$~M>?CV_kzLDCbDCpc#0=kxSkej`E!f}$&xSe1a)SM=%~cu58Jw-X8%L56tQEUyuW zkvA|AsNTZvw;&q%K-G*667wgIUDLdDr}~cz4U(aY&l`%5yq?}%9HOf|r+x!W3FB6|ptCO&xgSA_?^MIu%?Kq< z4S$f0@hq=Ehr#LRs|#9fG)aMBSqN@(_}3tI-CU6=xaI?*UUP#%IBvQ|N4gy|jYMy= zmaKOfT0OQPD9;-K4o%G9OwvW{J51HRkSJ~v!#-xi35M(@yD2ARsg&17hh2NiepaPv zfbGZPNwt?=M@qh$;1~<7BO}$T5((KdTqb96FE(wf;hrDWg>}}1 z|X_M_v6Rl{e&$5({ zHI=y>+LI4CA9q436wUMUIgCS6am zHl4>qy_?!X)e-BqFcYt{l|)KN%zg&b5Khd)q3(Tn_Xd+OORzhK^vh@536r)={qQGx zP?}pZh=^@@VeTecudTBC_;+YwOq!JsGT@ROCTu3>u;p^0tba~C)RnV-Jp;QQTQ}A@ zdi1pyAQZ4*MKY02d;&~L#c|*gt)WH(i6q}%>WWn9HJfys@TTb@N_B%*>dzEiHTpC> zGyLtiI^mGpcie=x@V26#PeCEVf`JE_E6N4qc%3v`kl{?EKi-FYNogN9KugKlAMv;_ zy~ZI@4({_`gL^1vwT_-mJYUL)0cnDZ%&7Wmu*F!c_XDPfy3pCGF*qfeo)vwPY<>c3 zW%M}?>*rLcm~=-4q(W!FX@9u~TlO6+HPFho$D>n=K|cY3TNh^wKKe!e^{nw*-N(*92D3LTbX<%Tr0cpe;u^Q+>$l`*cex2Xd za=f71ets&o8$OMkWzLdQ1S)xx>H1}mM zypNBt_%bhjls<06;Vk!Fw2yk=ebGZyzS9vmS@!k9+$2M!&P|w9hOcSl^BlTG!<=pr z^?jF9$oxlwMOfoP*QDsZ@b_@fgAcBGdA6R`o$67*e*Pw^Gk6b^J^-QHxD5Lu&HRBC z%YDJ_S>|rkrse?=cAMz)kJ?Q5*VrTe}nUM8S zHOuP5A30&}NzSvdb)mn-4aLu&v#N|Xs`#CcC(nydNy-`2g!OM;Rf;}$+peB!gUC?v zaKM1Eh-WRr-GE!)zDny6>2my9x}R9|Q|Z%b=Rr~I1NWy;S(}G9arBF9!*qOloZPx6 zb-7|S@`Z2^*&*gp-C4SI%P|UVXKU%{A%b1xx@OU;W9Sh74coPEHaixNCc$! zg5uPPZVemKGwoXU!PQS)&rRw<(wbw>_U-ME)5-mf*TG8M12xMF;0?g7#Y68XOr^<{8@B06Y5T>t_K9Xg@yVxhKAh;RN;ogkIc=_t;2g?echfA3P z4Rtn8viCe~w4XQKcpPnbu;$8oUi#)^-{;DcdN+FK3A}-xll>Gmklm(}+4yJz$_lPj zSZlC*Ds0M!;3N8aWN=2RT1=%o4+t)l_j29sqvWvHc~<`j_9UT5>ipsYTP>u#jU)ib zEf_f&bq5l{u;gujok8WanxMZ=#0?PUS!&=)+Bt(bClBTD>AYBgULEP~zp zyAAUhIIk-&hLiD}bJKl2%e#5oKwT_!_rU-Ss#0V{U4b*cn?ZMf?l!r>FGSm`8+;_P9$>OWCFuxyN{<=qE_j8P#~Ebjr_@YEO=oNT2Lt`qXMsqLCM8jhq|L^k`l z-o@n`DfSgH;+XMJ?&i-01*%f&DlBo1y!-9l~; zPi?)5W=BW*UGSUUL}i`KdhK?03Ao+!{_NaE{cd^oL|=69gbz!(V#xD#Av^w|AxK>MG z@K#1BUZS-Z)6Hf>*awD;2ff$TF+zh)+P-#%@wOVU#+5`PF$0$& z=|6Tz()`eF6WBpu3S+)$%Jy{Z=<^mJC)UHJ$7p81I`5XpmgD~4d zg_XiIG!7RM8g=@i_gaLT#4X?7Gqacu1mxn@9p(QCfww{)lK7v#NoFcw?%LkoK<<5{ z!}7;t`F3x#!`l664y8dJKApj8|}#B^2}@5xk=TV zdBvgGV}_j^-|k`;Yi`O#y>GprS!E)_-Lepq8Qh{SOzbt+_DzR(a-9rnB_p7z-zwzI zVQ zZ)fH5ZPIT4%1sj)+TVwns(HDLM)3ZnH9SUf{}59ci3l5d%$)aYWPl#L?E#bRv`;U; zrY6pETy%x%;5F*ol}QJTCaitTZrh5{Yg9BlQ-Q7GC8awHZnGuNd(dzXgE#k|G|x;UBM+$xyeY9t1lglol7KSmkur8!^nNh^Qe9QpT;-+6!4qt*)D=$2-&z9YRI}=d zArje>V0g{IJq>`$80NN)7;2|sSJ@nZU$$sOa7u*-cNM+RYlW;s3z*2JE^p$2=hk>x zIMW!8OWW4Ez}seLuJA|Ck)ys*{cslZt~39iHg#@Y`LgQnRb2{AbQ#M&Co|*-vs1t` z<$cHYdV@@G(!cE+K;3ZPs#;^g{bH+L=qU5%%XaA01eJBHm- z8f$g@Srr?1w2GA=s3$)!tNM6*pH06w{S?=?tB}A5|EIjnxAi4I^DVAhl~?=qxnwdr z1J=mimDShyid?KM<6k|MCfdMpd zX0n@5s50J97-w^mjKZejn>F1$oBG-_S=T71L&mKsp%rt5s~AyC4pqB4LgH$+#0YiF z629R~s%UsMy!zKSKPo&IYZgP~iqW|?i#9)@$chaM^`@)(xM!gZ{CY^5H2_g#<~=^= zJC4gytN8+;iun11&gTrj1{53&Y&R5TO&S@^d-6Tj%;oXfNTv+m&BSMX?&F{H#!jdN ztiJOSi3)WZpreMwx3=*H0vArE{M1eG-*ZKGERC5gXHg2O19uonL-v60E=ug;g_ zVFhl2wbXZTr`t((AZOk?q||-;nqLAeO!v*ZuDWLzb2n+1P6Lk3QpR6fViJvf1r5M`@@I|Zuobi!Wz}LT zw@Py4yQkS#`E&q)0{U=LDAw2xaG3hi*?aww96nB0`KDpJI+$3m%r?L7e5{Xo`Szvd zS^#?&T2=5w2nh+dSWiu!GR z-pXXlJ%^ASApKdWI`wmpX?l_p;~NqT8s4@7_ap7=17ZDvgXdl!YK6 z>e0vJxo}r@OC$5sHtyHk>Rh6Q45FK?uf$msyNRgSCUPP~Qdn(YRhx$jP3o4pA~jUt zSEU!5q;A~|HZn<xk}`2iU)0GFB1FstnKx%8OiHkvg|A{j14rs2^nLT|qw{?H8Z#aA$$;W;|YL z;+tJsZ8+#)!oJ-FWi8kH9j;{PuN{S5HjSKH83w2iB>ulD*E2$MM7U+?Tj^j#3_=kP zD6Iz)r1a>@ADJ~Zk~@vh_+D&lJmZ~|+;1m>sOh+A`Sg%D6cMfH{<+UtH!hAijgTy%iC}ea64vb_Hr;+R89C?o}e;ty0)%=57>;hsS`2gjYs0 zoh~%3TP~mXItg6!kzQk220U1-Wts=`iarFzQOC=cEKbbq;qP!ehMN17{wtV>#O2d=LUrg1!Bws9<%F{L=vu=mc$)f0*gp06SHq9?MN=Tjl>` z#`LVIl^5lz2FOhF=Eh$|@S&wF@FDX1qwi;7}&% zEOpL%fEMqCuCCX16)9vWAyLrsck|YNT(ooeKNl^|mNbLxgaU7kHqdQHe9rUlcg86pD^k*AZ`R(CVm<28XmemZ!40FtqHFVc-V5h0 zZN*YAjMEk*LZ*3z-7a4S)nM}Zz%K3yrh(SvC|jM5RVQGMmSj*A^I;%IUB{16!w17f!x zo3Ua(WpP6Pp;TliOD^`2*|#kc<3?5{&quvB^6nJ(CTyl_9ocMjA5SCPUXJpe_qi{Q-=#3I8p55!X)rJ62SRYZopP=FyMxjy8h9%l<+YWHje=HM=B`Z{h2~N7C8O4 zFqoXos)fSIOfld5NR^Db## zuv;fNzIb7rq^$5{dD;jhHEgr|`tDm{3W0?pP@E&;uX_Es=8^c--|yG)6{hX}F^X=) zbDTE11hP^JN;)Jd&iGijt|ag0y^*g_+)L=?rVMYWYQx~nDcYSq*C%Bcm4d0J@(L)Hw?~>*7R105T(3z3+-2D)4=sSD-4JptI zY9OAL7E~wY#<_9PbgtBZ)IP%9d_Xr;CCOCXe6|pq_Nb-1k!6ORt%d0_=dFkfhgqam zB`j3mH2k^dsBEus@71G+j#BEd0-T-V+8W@oxLOuq$7#H^eCSBz$W^ zu4p{hw~?AJ(yTq1aR9xa%;yDjH$}$w)SYru}!aW0z_j|-vPIIV0ua;q4Ey+b)y20;> zy4HG;Pzh#l@phh2q&RY@-wiI&o%TNKJMuN(N|nQ3vsfWMiL86{+4qM0qr{PBDxRZ~ zUzUuAh>*`|CS+u;<5}WWk`rm{4_wTRJlE&bdAeJ+OafdP=@$)YG!h9JK=DL~y|eR) z0Fx$9@+E^4)y*mC_FX46$S?&2;r=iePeCt)gF7Y-N8%Y7JZ_(a^o2pf7JZY@NFv;m zO`6R_F{(Wz?7Q-fxm_?v+g&p#2H~32pc}e|mn4S9P^%e_BNSi7eZ8kf0%funSPQ`; z%CTyvnjRZV%%CE(eicM0;FwCh5M=(5p314|9+P>eU|jz~fu)#nl2Io=MO_M$xr7stkv{ z{c<$5BWAiZ8x#qlTb4{%^<}11t2Au*e%Rnj^MqUk$V>$PY8aM({2)zAFZ}0UPi!z3 zIO=p<*W^C!mZJ4EaQyiI^YwNZySIB=6T#5Y+55JikacFPrz2HNR7ngwjRymjp10LL zow+CAwY%bH`QB>qHe*VnC`+N}%34~ncD?1!tg`HT9V9sa9=nZi%1&b@Pv44ee#{8_ z&ftHHm;2u1?QQXhjZL$;U45)oN)o$OD-Zn=Tyx705$@Bm%BCUcx)(7IMLlQ`P#c%B z3i`^x6}MmRAHms&L(p3MPC;7Zk$U8dGZ&T|f<)z%Oo=tU` zx=yLIAbQ=KGFE)gaw!_4?4NGMMG%7SNp%)Xb&SW6w7+A^@t@eySEu>lD0->i5}j0i zNmJU*P|ik&8f2at9{Qo?CGkpMy-Lk%vrI1aQX^puegx~#@R}0eTuFC2C)!Z1{(hsA z;)2Q+8}c2fJ^C56NCV-<8nSkT!gC?-{F)*#I_g0Sol81*3JkN_;a=On{~GR0Ttlw% zTUx}AB3H;KJmvNga!sS+yP*uKELgtHW5GF7oAK0D ztn_ZeJn_Dqj++G^2gO*Q05dhWN+AQr#?e;Apz^0v)ui9H7UmvcyoXJDKj8s1u3|W_ zqePs3A^%^wzBMdF;@&V8WcRGr+FBUT41MaCbzC(P&s>q2?zh0)WP4@8J`6K3W z6e*J7nZ0Oeg8R)tK%PY_?kXUUN((Xt}kr-H~si5?2eV77`YA8}>6n5!b)k`=&c1zW&WxmXowfAo7dbN%& zWI`f3oob|{g*Td_U29}+&c|BX;@C8Xc`eBeUDQHKUt~!pT%LoyyUCdW^G0DFHf+T1 zz$o77nV1IcY?9ks<&I=)qVGg~|Ac5gG~wX;+vCQvqz&^*Qk3VlOR}|)`$l%+CtMnL zI?=y2WIko&#hhuqs7AsGfa%(qlkH;mx34__d9DrgSkk_5)=WEX1fb6ozjXVGuCXD2 z{`FB?VX5^4B?E`m?;7tXiR(mXfb+Fy;9fK1cGt8kVmlSnLQA{tf3;vHWE_rkMD=gx=_VA&VeRVOB?_bPRq_$#PN`ka?TSxUNPxC(D{nuiR?67mI(^K3S#c(Vo9b}ACz@K%SX-eElI7IeqSp`eyr0rB-i`S!^Xh20#y2mq z+53)rD8c^0&U(UVJi~n%z_w+cd?cJ_;5Ams-#?nmT%W)UPU>JwH`_BL3Q- z>~)q*2X@*(C@D%Pvd(LZ;8x`&N0W)1dIAN*qcpR0pX2<)l`mU;HXEm?rFJkfcw#(m z{C!0TN7KclD_G7@3}dG`6Fj|HfOK`0&IJdTZhSbfnjcWzn3l zc$bh8izC1r3^tgcljy?3K)mU#J(vYJhcm%-SDipxp>O-I>PN6J;{enPQlduD9-^fK zLVxf5&eCimMalp8Q}xm{)yR-iB9V$bNqqfLuXxMxq^&=~y`mn?`LG`7Z(mplq9sJr zEDB!B{mo9$vx(AUe9XvO&hBaAt8FCW`tL^4r1bm^Ab!1IOd^FifJs$Ea;;3%=sXSm z+X!O!mvNTTfkN@^{4e4PM2}fVn%xz&RlHeUmW__~xv8@c6%qusJUH9tM$lpSph#{lh{@!;A{Im!f$;E8ae)xaeVhw z1EdEhEsW0BRV^{U!R-YxgciCL@)EnNmCCrO^@~O9dotUZZ{qSrEGS)I54TDjK+od_7Pn_TasAV;wk$W&XVE2~)lL$?vQkDyM(+b_K(pmo z+0ycB+Ftx}Bv^5Hg5J?WuSJ;@ey_d*HV)RjoNj^bqLMbSdK`1!iERx%sT06@`WQsm z!6F&ARhqFxur##SN$J4&x{>>VxHGLSZR$TaL5mn%(FcbXjn)5p$o=kXb77N9P}moE zZS^KpJ{6$N1vFZwoxKKKY|832QE)2CiV@)cQP__D_R=@I&f78nQ)V38wwB_otYaRp z^@+-xyKhj+ZTP{z*(CmCc%QSa=R$3uw6jY2dHm^gyn|8Phr@=aQq_Rd4;p}*uJ zozA{RIBgV&kUe+N%!#{h^@|a8=~4J4)$vjNCY#}AoESLLk=DqcXH}|&_-u4-Va&PF zQcs#+WsX!E=Mh@}am2F%&*Y`b`%qRHYPH!c8BvEL3c44R6N!Z9DQ4>{m|eBw%iY)?uk&Tnj}OUz5MGcR1$mz365xHgqW`xRfQPyr z{U7oA%2-+2RCCkuO$C#VdKWT~s9eb$PX2h|HQrobEP#3Toh%NiUUEyW{{*4`gZ!1K1x8KO56teu8?e<*@Va;(4>xh22~;WsFvi(0_c(7 zz3exITI%^f?6`CB`nlvZTl6ean&4*nXN|h>hDoFlvH5%+RN>es%b(nKC4io zsvpc3>#@*s73wxIkI7$Sc1_-hEdF<+8=y~kHHUw5&A%3?z=F;oEJJQa|Lw;Keh5&6 zaz`O)|G=at00Ql3HT=B}QkB3Ku&c6w-j-_*d0hOtT8VFhvG3`iNPv)LAjculW_~*D zz7)Oy3Rr@Y#(nwEyyo&cX3^4ZVDL-Xy!VkiPz8u62W+YDEyt>S!Y5_Us=vOzE(P?* zwM~fD4X6f{Tn`Vxj$Z|!_iNQ1jMO_iXGg6 zcx_;>Jhu%DHoM+}(PbS$BfHRg)2+Pk4+h2k z1WxAzuuWN@*PypSDR9#aB;*2T+@|{7_~UE5;Ck3Vo=LM7)K=|tKzYOk9>BRq(&YpA znKb*@zd&bFPz1Cn7f@ZaMCe}TLqR7qp?CbCp;HQ)VfwE)54>H_A2kd0llezWjTLK! z1GI7FV`SWYt(*S1G_qIzqn~cjBoMpWg-@J5&NQITn}NH=nKgKVT~Y z3hOPhzUVo_ThNovVISb`jF`WOk|LBlv+xs;85G`a)Vu z`JNT)tWLd_*crorquzOkKIL6X&|S_-)l;w&LIbp{t{;azKJwYpt#+!@YFF3eE>6 zO~rS=Y^``f&!=~$Rg#5v)Ouh46g>jJAZC?+hZgk7&s<6d93YRORWSu!jm2IWcC<+q zr&s363-FIVJHpyJCLb$PM4jE!;*uH)`}940_IPECUrN*A{FvZ5_5pb@oKgfTEBQ8j zo+P@QC`fjNCppmP7WJfDV&h~ClDUx)vR*2acAq+UvfRNQRJ?Q(ZkrWVY&WAlIOd1a zOEJnEHemrG_QZ$3WWe}YOU2JFeGg5llU;dgLAj(&ZJrH_P>Kyz?7_$V2o4>Y@At6*7S*?o=_J)`zpFDkg8bu8wku9wrr?_cAB>&6jQ# zUEW`SD+3_}ecG%)Hgy8fO{rEXATJmBYi=%m{~TLw6~Pc8ns+R6wUC<=rMY!C_q-E(S62iw`t_AW?`mCpy=cQ7OzU{ z3W#yO?ibrN2L+_MAqcssqVnPGB}|k3la?DFD3jyPR^3`!@N|yvo0hBNh2*(Qi^=a! zaOA9cq9Nb9PF}?Q4|lpmRRkO&#IH{e%Y{p5NM_I#bteD@B5n?xQOeB#3{-0_UY=d9 ziKn}4Ro%vnG$l-Wu0qEhK`rd2`Ww6=a^KT-+8isF0QOw+x6M+l0aR>)Ks$y+P4i;n ze$3AEF@so6no=UkXI`9ystDo32@>wYl=N{fg$`3fL7)^x0uh{&*&YPN*#g*>mW0ma zhb`Uyk!Tyf6d#|jk;{xl+krcf2pY1@JVZJ({~i$rKlGfm&YdX8@$mAM2t)6zCcmUK z03RNqE>_Su7b z=Fog*5kQ6foTUFfZX>{6r5SmtxAKl-Dze~0E7;w9&GLL^!*=ks*6*4s^MeW7^2FU> zM9pGK-1kmffTH4B^X;ZXe zihN6Mb&9vJGyl2PD(7SafL3?0rg8f~sc*XIo)$_8L3L1k;FqTHm+JV`$^d;t^T?~}+wEG?)Rq!1pL}5NOI7L+=IoXdh)L_O zarhGZmE;(IA}*0)H*(l{*O>_fzn5@@_h~ESe$`whL>x|Z;e1Hj(&&6>M*AXl(>k+p z(^{r(vcry~id1ZUMCQygo!}dlPoPReLI|v}cNk7|vp`Q{w7tjln9>Lb6-i9lmI${K zk)2nNX?9;+cw{7bRIvVo(WnT3%>U^oK4Cx)_$fB5l>RL#63q`x!)G(U!rDvMUo%wJrA^JdeCPkVq>dPz&lqr;Kqw z5HeE1!(KdNRPm#u`k6?}_J!i=TSVU5#xO?cLs%|4C1YZRKX}3rL$w4|AN$N>I*j^f zSs}*{+z<8pkO&5~T)X>4Z~+=m6J&*+tYnH&7R)U`LdrK*iBC?d*a`mny%i5IhHz=S zBQmCInd)LEI175fuiTF(EMsXS`q6dl{xQ)|FCs8VB7%Ya(G~L->Y-lQXpSU~2dkI# z^><+$fmR4AqGEDNrtkx&(L6P|F1S9Ld00;<_)6Qz=P2+2#8jX&rKTHXSOJ9bEsw}< zLA)U|fk8nQdPgTNCBPK?jharudu@=5=Q@v_w6++^t!xgPY3Ik%)eQWh8Fdg;of3&R z6xAAv=NzTVWWW&Oq;YiFVF4yk3FjR+U7wdET;z)%m(F{duh13iuCgsiWObtTGue6~ z4#NIwwF%lY(5Wjw%jB#chxW(9R_^D&vj38OeEGHi!7GF4)w|I2@8w8#Yc7T_^f02p zx=7QcRE>Hbmfw!P_~Z&^{>EL;JIfXgaPQ8N`eU!9Yx|W4zM8PMe8cW#*z+ps|Iqf9 zQBk&S`?n&g0yCrt1I*B^s7THbLzgrtAtjPZN{7?{(lDS>5+dCxB_OFF2$G_tfOI$i zV|=dbx}W#C@B8EXiM0k6EY^7(=U&_P+v|$HADVL_j9(((ooDMT=tcRB{kS<1TEF$@ z9{+MM^lB~4e=^psyn1J>cOSh2jM3^7^shl33R(%q%<|N(m zKjHIR?k`xtOM-v{zx_T(-v0Jg6URVvi!isj!%lxEcf}cwk9I8TFf&)}w@xc9$`qlO z9}siRgL=`B*L$WH+lvx{xLAbxjBDneEeAY5vh1}-ZA7bU7DO~1QB*`WWwnJg9Z^*% z&Y2wVTr^6I?<_uv*QFpWkAr?4eU82fle_&;^i#{Q<8VRh@`|Ljx`edf#mHP)|A=>e z3j>ty2`mOo`5cL)OYfSqdwSV@lKdvH;-~T!(Sjtdqt9dHm0(=;cHgkxafnJC3Cn|Y z76;|dPz$|{*%8}TTB;Mu-Zrk*`Xp%U;&%USa)En8M5;z0eis#C#$-G#ktn#D&-{Gt5E9X1k{WNsu0ysP3M7 zxeI6SB%;wte5W-5d6R!{8>>?_%js-O>~+ohQz{v$M_Lxd|cHDRT$zY4CIvh1wyT$8GrZZ({LyxPDtAqIq*@b9bbVI(+JJDwBDa?GO z4ZeqbGu#-mYhThVxb1wmq*2uS0dM)?%AK(YaLMX=Ce@EYHX32}ab0*H;m!M8(gIWw z_FBe%2eA3H>w`D<@1T9ZYEJ4z*PRv>9H(Iv+zkUy)F@J4liw=bn7*(tg1$I+7yIKr zkL<6t{B7*+l85}mM^emv)RUvzA3MapcH(nkNSh!_06MltWte3Lv&?6yI_l}1v54?I zP>A{6t{y&?&>7mJP-WV7^w7jLdl?8cLj<-)Wfi7P=ss*K+$Z9MG9$*NyTd=CWT+?&>95-RRVx)5~)iO(IP+ zm9fA5O+TTd-|rR6?4@*)6UqJXjs8m}zqXN`Sa>~~>Q@LrYg~YVU_J2f zuH*me1^fw|2~t3}VR`Sj@oOAzHBvzb{m{1B1r9IwBU4*6dVP!y?%RX`l_vbQFg?>dalxsw;WY?Xzv;pm@Da z9QKV?`(KHrkv)(-q25GlgS-ToUZFyeT{34o@+zY$^iaP41c~HwmQw*o?tLFD290UEh z+hP&m-746N4(p*Tw&WA@ZMjHvRiC?laZ-D?K3}xvW-(%0o(Ew(jMPpw={<{@hkX_8 z$*0)t`PBctVQ+ck`{id|s(Z^4(9;sp{Sn9L`&2xcY?Qk+a6A^KnmLkzdAA=v`#U!~ zaipIX@lb7vg*Fd$e7e*hT)s)KPRW51p*ay~ZJ&g5+L8SFb18Hgr;HbfKXnm5U1vIf z27yNBSWiR4O3;jC&=f?MZT6Ta6vHY1Seah4Dr`(UB+6Yep)6Xp3%OWPQl6~pVK*RG ztu270&KvJo@kg4`9us?xQY3{7C3H7;g!r7mhkBW+IrSvC5cFWNs#~Ga(iUpl zzH9m1qYu9_4~dAX7zb+p0-nJhSO3SoAyMPDOk$Xxfq{%}mLZK0RiW|HF`vZF8P;+Z zJVV`dpJ8hT?s>=<=}13G<4UK=VPCM7`aXfTjtrQvG1OKvk^K&L&EI^2jq7LqrF` zV?EZVrNfwzAYVvG$NGVf-_Vu0o62sg$@yo~9O z2V$JNu_NzhWnXuh>zFuENXS5C^yRc-&$o^)7!VF#)eOe$=Lq<4LB<5s`-Ep-P>Do} zW(I~`jUOhkMd)olw*Uqdb&Z|uHo^R8)R}vDYez)4ER6wLhwm#$2wlE3-LMal8s4VJ z1nrE2k3l9p6r866y+&K;P)d^Dpe5rh4793TWH?b#_*$}?&5>4+f_Vua7R5GWkOt9M z#}zm_z+2*rAXr$s!!vt*`u=oXEuu}a23(73m$N%8GkJ{P%eM*aC)j4jocW$`q3o3O z$sk*>?Rn76Wxy;4<2JP7I<%M3#zCKW2Tt0yJX3yuB85a%w5xSd$M6bUx%PF-6%3^@ z8E6_*e^t z&2)MYLb^*zpF=RK!!{wcH!LNZ>)8X*B+PXRC~(6gpmEeWi?%MwWF7T~g6j8}?w>KT$l7W!4i3oP}+Ciq}} zg#xqED{sN)beZZfeu_rNEju@+b4Z(4n%)>F}_&-NOSrOhFJvLdr_ z2-w85LSq*3zGmgk5&7*YuH=1G_KLrXekRW=^)zg z;n{aAdlE`d_a=xIZdm{;hl+&`cGOlbLnWNxoC-cTY8yd5Br@e;#`1mi=G>Ar+RV<4 zMd@msQFQ|7g=vmL!!qcgB~jays8xzhJ67b=pUE{83thA(-Z!B_a0djihg%_jIGx@c z;S!v|#Yw7EReX6YA^UY^jhoL#1NPH4RgDdIt$;;9W#kC>a0aVVxG$f8yeUW!WBIwA zB9iXXwnS#v<2f-2j_Hc1?OqCl5QO1u{4*4;6&fDbeKU^gHcG9xBYtpE*Ay|MGBtkOGgm1@1qO3J1nR{EH&u3Yk z7(9B~@0z8Hzn+)QgIS*3%HLarZ^V^*j0Lo@`mAK|GAbmDO!biF zLSu9c+@giyvd42h`vP6FxGP{(Qhm(72jv9#ig z6v<~<^3i0#)8Pi*bRyb@-1EOR9ctZwN@t6ckZb8R7$*v5@99&y*`@o@20d{ALE7#`b|E1I64{uK+5e zcu@@ua4Kwhe$Rr@rCJbo&o;)r!Jqxr=d5VtD=bH_-7AjotTUh(7JTa#<_`JA+ya+f zkStyYTp)GpJX`EVIgB{k<<``l6rf99Y9yGKhq-Fkf=0h)rF5yKFY64mMITO!mRQNk z&x%&?jtS6bta&%Ooka~L_QF0^(MI*5vR^w>oc(5>p@wToA3chCXe|>JjTPnXk39nBoss3H@+gl21HXnzXtD-0nGyO# zW#v4(mdi#5+unghM8(x=%`ldcmtcI_<3_ub)ps|rZ#zhf;|`P%GaoaDj3?Pw<9kr` zLoB0}r&WgB%X234*_Ar!^Gp(3m;;?TF0CJ>ox*pJ6IiDp!72{R-tYsHMI}^$mOIlW zSK><<71^T}rQ;*aF8AKajE;QBP+3(d%Mu;eV%JPr>ByXuIl2&`I^Kgi{^mES>Y9zG z>9%^U%RE{Xc0<8+)G~`vqj{LdXLvwOWA{srTIS{rxiKA+JA{WL?gQ~Z19PmC!q3Hx z`$ojS#{e<;onV(5<$)+h2~j?df#u(Qf<7OK;Op=?#f=Z2Nlh2T_&_avduFZwzxj=q zaozw|xX6hcRT+soPK=MpsQNt|C$-Z17|UYL^#J?TVys$MI*3blmSwq<|NTnbP(jn2 zg@^)1k(lYY+{JqT~Yq)RAo``=YOXW-S%Jxp$u=c7O2_^fqwcBx&Qa_5jf4DN;bSE(~d@+oNYIn+;?a*zL6I ziu3#Iugk<9W`W3I!?bco#xMU<$?92@^@(flcjg(_?eT)I&!);amG}!Pm{!x2_r&?d z_VpU&3EpSw`v40k8E>w#|8?RYt4c=trWDEAI%@&}ygmj%5YfisN56*5zDUc<1#+NV z{t9ZmIq)Rc)oejM|Im8qIkD5gPloaG=%-8-g#c~<7knj?Lgg^OMqX3m-e z&h7BsOK@_1mEeO8WLFnCzM3Nba6$+VMMHi; zDZ@0rdNk%ovT9saF#qbDiO@YPsf)HcHv(3_%#t@gBV%t~?dbn*#Jz~$qkTN%g-?5R ztlzG@@9n6%OkWejYFE7TF4z0a(_EEeO&;#;muf-9>7)PN2^2CpL=S=*6CvzPUoFHX zVjh6O*bu4ue>bTm!@+Q7>Z)V1CP!GDEAYPMo|uNhXxueMiZNHE#guJEK{Ea|qC!`o zWA1nLgu@jyiwtjU=AyD1LL(B~s49+pBLIr&p{%>?g{gXd+38F&W%>lhk4QtTL1iOz z4woUunUaqJByn>SA}lP3v-Oq{!l{gxeGnXOU#h_=*s zNBHO<7|Yg@FW|^a-0D1AkrUG8Qn zTv|Mvh9QUJM%Jux!c4a}=-&ge4gORl&wVcQ`8G=IGkM^2r;qaBaqTzY`c?by!R!*uDxmequqEX&HQ+&A{}C4 zsJnSo7`Qs zyaFQ;x`-9sTKvuYCRb>&3m_JJM-xOJsKbsiCxL-0TE#+JB~85?ToaRy4+N3z_0Ng! zrc#|9ih^O1R;|kkKj^A0*`gW8si95FGYi22)>c3V)uMTE)c=zn+Sq4z7}%a@v-cLa zgRhe##OhRvC^y3yxJLeK1JoGj6K{0a-a1B8U6xI+n0w*9dZMXJ2%JxtCk+SE`V^N3 zWp2UEXrYQRKx1&Lu&m=cSO1_NFKIZA3{4uR%6-F+T|EtK)^_aFZtd*=T7m?Q=Y#^g zF>i>kqt{uuX$1|@;-;;)dI4~G-yT|{*?IZI1Dvi_FgvGpuiMH~_u)R-2t}zB&Am=_ zfRTIC{?BRG?A-Hi@iS`eodrMuLB7LqRRw(@3A%5(EsMGRxwxp1GPa4cM)|8R=)kHE ztYPpK+m(+s9|&C|>doIW^}NgSPfmhMghzo_iITxPhFr1W9l7gYUbNyR`tr!velY`Br#t^pAu=bBi;s7V%$E*a?*v1&v&V=&_tx$K5ZqEWd zv08Y`NFfa0D0W>~pyLHyymqkH-33fS;n3=kh)Yx6 zI#Rzxy#maqy*HHGwiW-MJF)tnv(B#e_=CsbisAnxC`#wyW*^HJ!dpd$H0MS?_dGQ> z+Dq#)d%SK^ep++R0SFDQW>YQVG)aeU1fHbQHrVkmtBBKDIu zO~iG3Fw#{qfYGsa{g!2A6>>=KwEHMW^}+Lid<6Z~5VCQpg0}1LzH>z1cu00R z^Fx7JHJ4tR=!J~Pl@7ZsmE9r5P*3!6ewIpgX@7te5k2m1U4mBR8QYKQHGi4?IW82l z$|?V)ts3pI8|-$FM0zN1a>kXFc6vA?ggCq8YoH>=eq+(J3Mba@=D-(i>PZEO_Wiv8 zHvHnIqvf4MzQe)|f<@^od{nykt#fuP*C(CZZrSml-1;1iv_J-xTs^R=9=_DJ@NK*V zRG!Dl9#`ZuuHxZ{G_^}_Uk~cd@WO5m8ESRN=Z>EMzqb-p!sAPy%m>iVQLA%9{f8>` zD$a^_>F44htc#<8*boQVz#%%`_BS&R<5=7Z1K%*lHKS$`Ib{Zd7?6L`PBchrTU7Hh z$2?$;l43VID?U6|>we$!QvE=7m$LKzW&*j_DXunn-*8BmiVH}q6UOn77X3Ie^^o^WTVvn`isCY= z96!+O*{}1?kY=3_4}f%v?E%>f541z}_B#GI%e64fLO$_85t72RI7B-PcOPx0dc@d4 z*K%*iFfl^z>IC|JmRVKEG3-Yz_y!JI3 zIgFLAk}(OYE@ZsW3*c7p1DPabchvF#(1ku{%%lu(>dB5KJ=8PeRa)gsTfF5Pr(Kq#c|{)}uFm28Mdd$hOWh{VXW1=k^iNZ5KHo-BPD9oqj-a z?!BE;gw313$bi~gJ(HR2k*^Ttn7Jd<(F+Ukg#I+WO>O`=n`S@ReZhU=Tm@h-xob>- z+a31eZdTOCl{=a7%S4=G)^cj%NpmXF zB@r3VKo+Pn3K{ybBv!V9-f$HQn_9%;2fSU;|ZtNz_5Fi;xt)PwG^#Yo0 z%|x~t4M}t@Pf3H|@TOpLQmaA0jW%bL@k2zLZ2Rmbvm0~wGwhDH1btDsgISRQm~7Rn-*O^aRJ>DlCzc6-yT)31!+rH~@%rf|@l-a+yH@B&>N zRy=MdPZ>g4_W>V3YhjP08tB-_Lmg%z=tXwYMRzBz*VjcSo!fCSdHXj2Enkxmqnb7_uGm6w94&!z6_10iI-&z*S8q~fB z)-#s$MUCEVKK;l}Z260IBvk?Rn5fL;t&$pPI?Shzv-F zrMujG5`&w|%sWFsq0*T58?@a7Bo-+h`?hMr3~rcH+j$b(C8n<1R?MBCp4p|CkgK0}5tYAh<<5y%;+KXd&Uaxv_z zjmVBT_OP^Vt0ra`$g-l)m>B}5fh}V&_%>yknLbZyKCu*@PtfWj)V&1HC+U|Ai;?xi z`Qw3TCWnXVsxdfMmyirWknT8}EVY3}3zqH<4PDWHzv-Gv5olz%|HjkqYV_4xdrdyo7DiEk+Ge5puYW^d5r^ zHO-3BL1{{tb=PH{!WiSy?P=joLyH#O5$sBg5DN(FTfCj!b^USqhF8S3LW3?C5EWk2 zVuX?(^BVOEdn`18c5x_fi;^iw#y_#eW~Orh0?lKs&O?I`Oy{Tp61z`KEPRvP$!II( ztoZ$!(g@$c1mu0CEqC%+s572fF8(J2OAek^>G>i=h!TfD73lU}C2l~wkK<&Z3>})@ z_%{#0qBa`$q~|H%d4OfzATDOA>-2*u;PibZoL&+;&uj7Ir4W#Pa1cDlX)ckVW=u&?ZyS0nf9CwsEPo)2q3BuV&e}2rljMg)99c|1L?pM~l1ASGxPgaHg*|(3ZevT6Ob416Q1- z(juf*o@2~GFS#5ozGK%8t?C_LAfO+}wsS!&NoTi}VEhxdH;WMFrP&-ByXZ`y>HZS> zuKl2tt<2}A2m+rPF(mcL=I)lBn1JR7DpU;F0}^HTK@L7Rml3gc!-3_P4oN?Eu3GB# zDUZ;HgkLw{N)JJoqgBZ>`#X|Rwwr&as>egoEAxZnWZ73GTpgd?^)!W&qECQ09w*eg zbVZ=yDdOGoiFvmE&&*ifglBM-Ln#!yv`8|WUO&&*CB<*X^cW1d1%_ZcXO z-+>PsK5=B`P#Y)nWTx{y!O|WUjty4Y=hgn}5k`6p8aZzVfsjru7ajm&OS`+aO!zyx}g%R#%bD>t2*`FuY&(3mE6CJ>H z@mST_wcqSrs2Iu4%zv~yS~4EZ{fpwPpzl;?U1Q=y_?cSr4LF|&9Zs{9PvRzYkKn`>Rv99u&BmN^H{FxItV(Pu4-9{|h zhNVB`aVxOdBBAFh8`1GQxlr%7tDQ5zk@woA4E|u0Il7A@g>&A%apfnI6O-#Qd36<2 z1(&)KeWLQnQI?vtgzJo-VzlQ@C4hc$W}zw*nZ~r~a|RP(Ic3%&u~|+!DdzbJA z!fYQ`T~DS;M&hfh_{{Zl7bCXDW;+5{s@yE&so+(+G(UCgD|28-=y)FA{6UVumU`-m z!d;p>WpLXeAqVf)Z@JLK1ydB zoc{2PnrHaoI8CORa2@tP=uuX294faj%P=DaL-DLYs#eWXicIHC%_ks!GEpg#z?2EQ zS!Uj}Q8+aSo9C$?7eXf>diu*H)X-onOWrbq=`M;S3^O4YVfl59wHR>(<9vgiC71Nk zW0O6o$P!M&?1?-88?4Mn!`ycWrZ1V_fD2|&-!RR)rEs6u{w0U_1S>aXEk)J6)?1pT z7XpF)SnFfppaWxcrUk8Q{fbB49&e|dwp3vBM&8BJ-W;m{8&2YNtO*>czfx)g88hrx^6 z9oZM*gw*HQVjUsxE!Wi54yV{G)tf)zRc>z+m}5`naZ7s>RTsjRey9H)mLrAylU9rn ze4n%a&G3BkjddxEg@Yv-AIn%>66Y%j9sCV+S7QseM--a)AobUxo2^>Dr>|ugFS^y- z`eCX6Z4UT2tFqV@BT1Y*kQ@GWS7bgjfyj5w52#LF;#4P&-x*xKNG%!tSa|&e$$Z&z zFPY~1It^6)^!K-_&~xsl;d8rJe}c|XwGyf)O?k`6b*;oH`aU6#u2W!)e5LMpEg3SV zn`Y?y3u(kn-r0jH`43emrfWG6(n9+(leSBYu=3m6ca)1MNjJdeFLjxG>Gn3sM2`Zx zx5jJ4pWYF-pIdjdH>pQWRF>4e-ORp5<_*W6qF_Mauf_H#a*ZH8pT<^3^WV){(NdfG zmL9*x)j*ot(==^?^vcj@1dcJDdw0kVIdsH^E7V2Ypj(4U#hT03 z9Or{Me4+{Qx$5P%r|mONnPiE!5=DtsZ!YF#E%W9n*j>MBxoBW&vUiO+@NH@fl(;+Gn8D=~`!1`&1Rmq6hLk??LMOP3*-Ar6U7FuVrN0emQ ziyJ%=+#xopkgulHzB|NY#eQUmro*UD9#Mz&@g-Mfb-7ht}UJ0E;!Dbun%0oP|Ufv27&%B#MRsEYkulO|mT>AZ6xtDKap2=K>Sffwx(|CaJ9NlbxRMAcdkD#g+n6mjyvD?otMYbjR>n|@}@`5F#9vAcxt^Vxt z;_9QF>fAKW`yP##&){5oJ<1C)ML==!wHN&C{92UAgKK)JH5Q#(z)B;>+%(I9m~wVx zK`;uOOmmlU_4hi)E@~6~QZQuIbb;2&FY5b@%RHx44-?%PHulcZAL2|>wcE^S`Tqd~ z|NN&M%ww0Jbc{pCYc&gGdUi_kZe@WPf$xkxmIjQ^id5A^$*5dy3Xb#>&}Vry^oie^ zmpM7qVO&svctLsUb-3sgAYQbNI?t-OkLi+29eBnHXtS1117!-!Dvi>Ux_Ru=`9!9x zq+3b_C4$VK864Z8kph%JPd`x#_5o0D>Bx2CG>h9pZ2=d0uctV6(2>sM?|#s0=H;?) z?pwIx)YLU?`nIvdPONzUtC|=e_2&FrBe#&ypC}+?9Hgx}devENdH5PMn`@S2j&RGn zmXzf)b+>N(kn2lG1;?C2P~aGg>2!j|crOJ~69?mXscUVr(&^h(*@#EuZYNp(5>292 zt-GITD^IjyIZoQz%i(|=_%XxgOyq)CCZ$EN!2F>NE$C;`zGOXA}>YZk`%ajhu7*hMp;r5;AERm%yiRtRidnd1>XfO+J==nZ*XhNA?>3!ZFc zdAf{!k<#-`$ZvE}faZMNLyqd1RO}A&Bn)=vX9k2^Tj z7b_Uy6x15K_etLDQ-6$jYy#O1QBJ|!HSDVY?gmK~b~HQad)5^HYGasVP7AB$|G1Ol zN*9oyy}~$KbDRZm_TB-@Q9lp_Dm+eD2bJ$MuKLl~rm~K6n%ih2SD*gU?d(J88eL*c z?4g<<9yD)5T$0KGpvm29VH{}+&X+uj9gBGovqjBkM_l=At9;OCpC*W97)jUDp!W;P z)O6nWLs8$8gM?oNKG>dxUXG3rBV806GbAMcKHbfIj*4c>b_fsy#3e|A(R>@7^>N{`AG@y9!IlKBs(= zYNpd_0nCu~P?D*bg3GcTF2)_LLwcStZE_l5#dZ$5FaSRzfTTihJUP7=3iLJ0Wno>k zp4@HKdpgnlajUeJi#@*IP`f#@FmC&Yo-(cwuj}G4YRtFjmOmiz`51s7pto0$t<6gF zaT%NAc|?Dqo16=bh4+T#nl=QyZcYf-ZUr))Cfw_5Iw>#&Djv<9FP*tP!_E2$N1=YU z>P>}y9dM22vQE!%$R>Ypgi;QnjutTo#1Mk5J(=2XqNOo%8F>5X2QbfG465UfUHa3N z2P?iZr++7Csae;*U{#8-V(uW0#?g>t7DzAMd4z7Kv+?M;ZdA`D|L_7{$}g|AI;;B* z)D%;o&m51nl?tn$jS}ORye@-D#yQ>Jicc3B^d!D>LgyTVU1YI6yF_O6theo6z{G@B zK&w1oNx6&BbMcM!Iry_?!gDb)*WcvA-`_+{dT)OYYjNvlOPb@i=0PyZVHD(1_U#fU zG8ut(q523$=uRK%{G{?WnJdmZ#*D{gx(5Hm70%?k;|JP|YSqjf6d$8=Oxbv~CV=A) zONEoejWFNVBzKH@=Z~Jj9qVD%oS{`<5)Qji3wSa)X9@v1&dJ*?$v1IblE`^ycGXu2 z3IUb!DHx8Se}M}AdCxfDa%_i;HRRu8^Z)}KqyDpJ=cN3~zgCb8Lw-u^hk{+zu&l&x z$JcvK9@p22DN^y(peOL0r?EeoGzimip+_hvL9`0$7%3X$Bvh4q)r;72QJE89T? zxg+PoxG{8dEIW`pE6a{}{`xz@7NpxdbIQXPlwtEm6}y#f9QDras{aSVog}m}3rd`5 zez)!d^=!-ufFye}4|PX(p!1zvhSYl?CpIaSRcBmD=gF$o)_1KY<`i1Ezky^RE0{=r{+8!Tt-TxBVHLBQn zkBczG_pwEvPewN&*`|N906w9*YMOS7(8vVU9Gr)`4eWQ#ZHb$J`0h%93h_V)|rpUoSKH$bQ2_l=)xeSb@c zl4XGfeu~%gr_boWhHdvq0uH8L(XRG?Ty3oVK>M62xP^~G3gfgl*44%Wq=c~Hu$tR< zzQuN8HOJvLM0#Q3NDFyiJ35cVtk9oKe=yc|hyyU8w~6NSE+@YzbvBm7^t!XU9e{#2 zdJh!xlKfWkOeloxB;5*g)upN$t^%9IFA?F;(gt_Rj11< z@+HijhOYl#0p+i)M3T8U1_BPS^!M{`DGZbJ4y8VL$1r`W=0*@_KuOJ1^>2C0O$~G4 z{Z1?Hj_|-pxdozF11v%^h<;!)tY+XJS1$M_+AUh5+}gJ(NTP&@=P4$Lw!SqFx0S5C zLk-pl4WWd!Dr-(L@AJ;fd5p$;Luz#w1=)KB%(GxznbnKRhKci<9)caWl{sPb4z=(ToDWNsr?6C7 z7_9wyu$)xnf-p9iYcMh**3YC18f#$7GSI!=I)$5#7lY1zh%Gh;H0-d7!Pj!<9|7nm zP;A6<*1%&Q8ax6P$YwAJdi<=5%87}!xe)A(7_0ynyH}Tdyap}a(V|~?0-P$OkR9em zDc|^$eZTW(=KS{z3U&%B`YsogGmGVzltHWX!XwY@aPJf@rjBw0k3SE(}>5 zRI5+uZQdzTD|BFR?-^DT9r~SJx~m)AaFP{qj}ZE#TcQ2^^XJnPT?oib3_`h4?WLe) z%U0Fe5s) z7<_qjZ6W5G5TMh9;AZxcyEuU(Si$xq2(0HoLBBnEZC_n^br(nckYtqRaivg3%)Y|; zuXGY$Q`}j{E$_|{g>K?3^@P}0FeP5lim9>(3Kg`pMc=63`Kf*UlbS#w^Q4Gs1AZ$QwYInIo9FXsvkvDED3Z{jH=$uhFg^V9=Y?zdsV@Zs6kmHk(Q{}M$D<9$tfo67Lu&-C0~Df?;Y&nxhRux9)^GE*klQY<2Y zB^$9?rrx-$-PZ)D@h0u#IfkCP@}5H)#lH9WW0{0C%T-|>!W!R-?RsfkD=W-?C*-Cz z9GUJ9bF9S318V!BI<@85!@_)h`s=s3GDStzL&tKXe4t;<-25?igk3gSAMQgQ2k|XU z`1EYDosTEM>?lpiyaqLXv}bBFWhu3V?hJQ)%lot^?{PBwn)E}|Nr8$FfNJ}#JX*ac zq&_Kk^)7TBEK=6}In66QREUEc%s)64St)J93lh)na;pApSEfDJ9!9Bk$Ko2jb%_Bz zeJr`zAXtGlq*A3>N4d%U;a8-sr2pbmTyju;+q5<4hSOY^lx`i(I+&PIZKV@?>N3ZN z5kCVsu@Kx$4%aai2MiTcz-O@?)qO2I5`>%X@~zi{LNyq?sP%O0a}YDDfaEYu|Kp$| z#=e(g6Q_rG3V?FK?(uO780Sv|ypl^l`H6|JO2S}$7ZHSFpqf=dxt--XXY3C1`FD_o z23|!0ZiFdN*XA`)Lj~SX9)u#Z)5E0L8~+LP|2%1i08LzZL1j19^>3%(pS;mj{-G#z zy>1bMaeo>*3aORHHptc0>VW$Ko_oxXpLDT$N_5h6^f<_De}oO7Y@8@Yi|$R|Rup(d zFLaLbvclt+b!rELQch=rJUebPX z3_k9lo(btN(trfcyaHZM=H!{jC(Wb&7W$@nE8co>NKa{%aLhK74H)ZONOuip##*M6Iu+b8v0d`CED7vNIS0pd9AN8f|9sbW>3OPKTZ38kqix)U(NE-yn^V+Vwo1qQI%G(E!ocBPK(Jw_2F%Kj}>E^%30F63` zFSm^CH=7eUsRV;YcIrMOM$bt1z%s9Dy|AGO%rlT6&|qpU$asU%pFH2HryJ`ZgDTl@ zR7uE~XFoYN&6E3`8N#^1=tfWjK$ZwH(o`2ntX6(~&L4s4>@5WgP@2YS3%4gebzKkf zhd(5~hWEd}Bn0?FH+wGhs*qlkX@T6pzxwZA-m&1NVQOl~_urtHXF&E?c_~RDNVHad zFzg5ZU6KcmY42DDfef?{9xIWvGql+aXQcGmNT6bREsS)#UUGAk`9KPzE>WHJxt@xW zewb_iikM^Jmu_;=!!MJI^4Cg|D+eg)B{KEf2<|7H z$lp3tyv$k-Husi9U9|_iq^#c)HBSavE1LlrthCYozEvZ}9iVKV1`?89KClDo{k0%U zHHFuG4BM$U%|j+|^utsT1%cdg=P+RPtCdsx3sx$z~ zOgsELkcX{}ijK7Z`y&ppfj>ky*ubrQ|HHHY>p;9?#A^uMBPrS2WJGOs78Y?@IVPfS zQ$8U%gAm!X7H7q$A>HMl#&!jtTFEl3fu6Qo*Ootw{ zYkRxAi2b6=RQ8SsDKvPKFr6YY!hR_$GId5qU#Vk1pSe72wxDE1FwJl*(2D%ajJe4x zR>{lm!*p+bmB=oJ2(Yf@l1jdyeL8xR5a!yF8P&y6eIYNN???GS_kg?I9c-NM(d{(f zRL-4t`6MCZQ;YVm2kyRG$_zW7m7Xabl#8ocAR+^qkXITFhp<2%wSGHXB*7N zFOwC_q-W%sh!Zbe);&GmC!b5a?WF#pOYg1f>jj7UC3d1WvaR|Gd^yB(jizlO1X|@9 zv10`^X6T0d88*mXS%2G8u)gtf8yQe?ONyKG=ysXeDJwrx6qJbq`#ku-dJ*SZKTwH$ z2Uw0#m2^2|{KYv`bxv@~dq4^!8sr({m3| zgUJ2i=QjY{)VupGVVU3ZD<)U;DR)@+{W}~xuR`q_@|`{?Rt3pk!g$-1A6O0g(+DK{ zjwdW<@i&$bO5_9~(JfurxP$tG(u=|?kdH(PJEK}QNYQR%oiDu{=6Ri=GrdGUJ!!cS zGJ8!t?IW^^sM*_Cq0j{-quLvUu>z58)fK3tgQ5qa@jm&wcrOI_#4T|SV?>v8yhE|qn+4%gTtfWC84|zEP~>20v*$WF*2B_f=;DH@pzOQ*m&iL zb6#m2D~Uy7^thaaieC{+5(gUY;Wo$Cu8x+Ok0P&2rv$A&I-IoZZV9;bJ(S5;e-R0S z!FT_QmoBeb5X5~4Of$XF^6O^w=~~F&K%wdS!TVrix(KKffZ?-M;sPE_n!TA(!ZYXy zq%9QXQv*N?%a>C9B1iRGbM0sBBo2!)?OVN4-dn%_!;eWTiFM`_EYTolRj@Dk>_h(i zCfLLicmZ<_D$w!}^>0@^BN1`~Va#*!iRph20FN(TRBxwWQJn%rZoAM-Z2T2>Ss&UMIt{ODG5vgTE|YAeFlQ z=@cukc9{Vr4xg*KQ}?tydX{z8yzRramh9rX0~=wFMQGwysJ-~z1!#2iswMrzED`fCL$wUJtxP+0-&xf1u-~108i)gw2P)P$ ze4oUvbg3&UJZS)Wv^8A8$7)pG_;IkpO1%ao7xh3d+#KV>zxKnv<~!b-$U;p917QXT>#OIaUehL_J)XCEdbu>M1$% zwW-e4xcv03b}l;TO4FTYcLul3`p3Pfy`8+(f)CB#2m+EpgVuZ4XlX-8z_#M6zeg}u-tN^5n$827=7M8bWG$Z=py>b-o&aR&V-uAj9$ zh>~n#`Kl+vDt=P&nYI0z1(4M_TbVQ<6*x{^7Ax?uW$vb%p?;vtgG_?bo4xyOvq=gcEv0pGUfIza&55IBdh#^GrVfHqhey3@%wnzUKA(6 zX0APBvez`u>o(cJ&W9ATyb_fUH=qpl@4%~iyn5 zBnObrp_P!7?oI)vnUPRh1w-T;PKlEF~lPHTKuHE$*-ZwD&&cuC=YA22xE6RC=<45JV7Q(?|vQa^cB z3(mr?U=%0+Isu>vZdxItlwaLx!R=_w?tflvjARG@el}xVnKYmU_eKU^fQm81 zG><@RoT?qzLU=eyCqVebZjAVDJ#h?|fkR~fWa5AAJhp#(^^Rq}hq)ii%vk*G7k|t2 zND4#BXkx*4T)|J{5L*HYnd$hFLlCOs2`7La5I3?QlSXu=4AstpQduzQt_vfpSBqr@ zQ&xF{yYasnfW2(O1q- z26xvArC#3+$1o6dKVf7m3AaHU6l1ac#2{_bDsk8V`IG)IM%`|9IY}w9_qr|#3}<5^ zolhlJMa(p!CVF#{maxTlSjX?OPxgoIR4m6mGQjU@C1aKn>x!5wKuvQrBRrC~S7W7o z?Ry}CcAQ|1%b)?}KRB)WF;!}KyPT` z=UQ<25aJk&|JxmIoa!dnOQ~MrS^w=Bg~;IIT!Ju3SD^I!BlGe+Te>HVeJBpc)g43> z`h$o<8rnCs=!in6kx7xA(auYj*@KnhV7>$GaH1I<2CvsB zxmEGW`%+iqNYYb1gdI>Ig|mY*O(`T!i+txmAf4kO~k>}VX~*$qXm z#7rzE>Vn`L(zoMOyf-YQBkuo!j_W`VvV9Rt%E(IDir95-nwcM6*Z~=rxt0V6MA=$b zQ95Qf%L0QAn52lO~`l=tF18Ta#VE#&+cy3zIpvp03JHIvoD^BSCi5W zV94K86WM}y+li#-N`Y<9_S2J5;3&TLAf5DYhlLFm`f$GU(M08Mf8znBn#_0W4w}`$ zh12dY*KaM!NPic$GszM0s$R0dxyLuRD_3?h1zy$4H4V-Zq#+WYbyzLv(9Mpi_Ec`E4EV+RmQ|nNFx=-agYD#WiOV zf*4u3!5|3tJKSvrHSHp&tw@T`zG`cDHgTgjD9lR~Tz4>Ga}>k!S4q?b9z8L-u4h&R z5e%{ULzj>4~_=9PV&D@R@=9Bz)NjR1hu`#IMSEF9QviIeCSZRL6G560OTJM!6 z)z<;8Mf3$YW``gNrRIR>l2GO}0)XuNQfpxU0+bxeF!Q@BnugsV=J#`S?Ay0yp9}KW zp8q)LM?)NKO`un{4y^fL)s`LX`r9!g!;C(-l|=A_vH$){uPHn|nXF+r z%PhA(mAiv@%d3Fvhl5TNvtkfC*6BL=?B%+zDDBPCtn!EDj?k}&SsEQ5L6q4zd7({$alyc%0`JnROLP#q2d@` ziy=D_cssiZv&V7UZkv}}eq^S%*D+15%I0PmTb8%1(J#NV4ev?yL2Ke6R)NK}b8d@1 zyJ+u#xtQDT4v4*~k%`hXU3=g#{Q!+Qss94veu^)kYlD0?`EjP#uBcl(!9%i;H(TSJ z9lImh@*s#ij>|{ylLl@BfQuFYc%&74ZTvVY%mDB4V8LIHm0Rdz<<_&v|HrMv17~0% z{mo11EoQ$8q0)K)4;DtcVR>kpvLe$qDE!036 ziws{S8SJ-aE7~|~#5IuT_j)}cKGJ}B`sX6;RC5XYd0)cb#d>ql z`=Gi)&&l9?;fiLaoSog7VwOTMsk~D&*^%xJi5bfR6vBp2=G-upXfPUi7jNiL%{ib( zNS3X@_caddM|Iv;LNR=_anr96KDCTh1q!RmHw{@arKF$ISbQl7Gr{_<}R;{oP9ZTmC zRf^bIcl@Z=i)A+w|IB;_H;K+%Y1sR&rwl){y9wzmR}GNAhTZOBdYz?`nDMll!$vXo z+cAhWldzyQSRv$PiQFc&mR>x!72fuew|wAumj?ZOX1AP^kkN(bt=8Giel<4wX~-~| z{q_k4wPZjBXkjbRmf9#FOe4~HPhuX0&@;e47X|2-QCPWDpWz`QR^xqlHO2=NQ9T);j<#DKv|U_evpTWaYpbm{xWdMU;WPDBW51AMcFSaEoX)d z4{SQ8EGY48ratF@l!glRm9Kpk;%J_{ugkC!-a1*+^nBo*lK@yT)fqpc%QLVJOip*_ z=fOpBPYMJSJP3Z4V$?+ke7-_yL!i}W9n4r#Z@2Bq!CL#NAJ+zf$=F5AftX&}NlsXG!e>QJ(YVRTabv1PaI8 z04gBee$D$v4*_Od4)P8q4)58Dp2A!`r5d|0V_?Kq5QKMzjO_WW9q^wQveYngKb zPHj$j46juzVaFJqtV#4Xb=16{KrI1v3gb{D4+tbn{ISH}=|de$0Od(?sOWyk>dmsl zfs7<@tk;O(^-b*Rw%qs6JLaQ@Xh#b3A%KNy0v3obbm`cEtj_;&n_nZXUmnAzd_rx-?~$PBRW(NcYk1N-k+aQ;h-n_OUv zzqfHq1l4_W$S+S+E2U-(&u(Ev2TZB+Hj!OR4GjQ6oA(zWm$`hPT3qY#@8?$RbaUF; zfjmN)-Xm{Cavq?LyJaAk!A?ee_}nIFU7mTs{Do+%W2I%3*5!@ITe3y%g@>Sl`6*7P=uc>y0-*UCdYI#_+2qlq&ururc5uN#>lBN})Ao;bFocMcj~>HJRR(P1AUOv$z6 z4(*{tL{>pymRUc?5(9;>^B^0E@>*YQ?JJL2L(Syt_nq7)7R`om0rp889KkyxzHXn)OLG zWNr^vPb!`He1xdH0#DHs_K>{Tm3Y6m{^TT{{rnb`9>Xt8K1bM;nb2JkI;Ij@+77EeUpj=7>}-)3wx_bI00sn(sG&SLH6(PAxz z8xNFxeQH1IN&8e~Gw7K3Y^>t_`9SHgFZ-UvBm)Oda78U|a@ZD=NE7St5K7-lxJWV~ zM9~F-OM&gPQyB<3r(g5~F!Uj_&&)k^@#t6Z35@%k(oxY{_W}jS8u~^&m3>R1b*pzE zO<*46p&)hv^@ah7)p%>QMDyUO%rQptMsJuqE5@_u|0`kozpfu6uh6%KWi8cq?G3OJ zayeYR?tm!QH=V9!$o#xpcYF>yBgpIC`+zYj;E&EBGTU2dqIqs&%x1jP>0Q}8pjfvY zqtx23A~!=}UX(TAKoq^Gw?%F8ujBNC>P6I`950bSJJGev%CwTZlwcd}T8fK7zx}sy zuh&f#egE6zGZP>$I3@;OrzYTqj@f%JOQ!cRcU)vg(MEk1qI_M^O~^!FH=yb}4iG;P;vHf$ob+!y$ZXVBd!}a; z`$-9dthTfmVVHXpVBX#c7%dyCqke6IgNetX`nyC=Sa#haGH5$8eNt5<sqDC7yC)j;?s!hrs&GeD+CnQ{ zJKL-PtSrX&O#i)m*wJS_{!Dpxdb&4NPw3zuWICs)DI=eTM)$bbS@OnnJDw>P;4#yy zOGCvG%aN8$en$sCYZnISM@u#E_$-u^iVW zlSEP#$`#L|>U9s$*q@YZCxpI+N}Dq)DT;!8x+{lrLlAa7PSG9Ponp%F4jXN=fE%-r z=9P7lsGp2)VvB6n$joAxG2&vLwF3~hQhqhE!6C0e`zk3)ht|QSpFQ8AySXx#Xc5PE zU)JQ>M`)VkJ;QH7xRb;nw#imRY&4qcG`BYf#N5oRf`l|hH*KcJ8kHN^PQMlDeWkc$ zbYMc$%INF+0=gCPMP(!$~rJfuG|e#zx0z4G$qUh~BZ6b-fG^+Fwxy9Z}* zqMdA_Y~3%&nU$h&&Od$nRH3;=s|0IZT-Fl(l{8X&w)XxTx*}qHukldp6og}jw#=jJ z0cDj3qLm_-^VR)exCbrpXmeldX_zijFdRizXI%{(?=4DCqp=oqt&%Hr zm0$qRS^FQyDap(IcC;Pk)gMrQiT?9-fYxGt0U@JkwNLrRCGr>qAvOSCl9(w`Bdr-= z2j@Y}7-bAvzwrX(8EAxXdD$CVyqagag-wXxy#7keq;)YEG=I&FAQ)=W7Unr3_t-X{E0Ay_D80E?jd0mpX-v5{H?`tb*5%|Q1^Ano?QK9)5}xX2Vu9V^ z#dK5nuqmHy(6HgxVV23nH`ngZ4;y_!%|jcHo4ug(OfmU-D+{AFQ$^!|-3W+b!`x3AcJF{TTyllC;b8Zz}y4i|9>c%mXBo|P; zN(CcKv2`gt7LeRK)!J7#VQ$dfixtDZSM2JT>eAfTq-Th*v zC9WEDDBRM8JL(PrCrZ*qhiyu|-Qyj_l2ymFkLw1AI?IMIT2>IrHSvnmJ5uMN7R|oRmj>^Sn zOEf04IIcl_WBtN0?BWia1+l1zU&XQ&KSZ`7LSxPz=sT_ISw8O5_kDbxog9wwMEE>Z z2Q}K7S7Hy`XjzVu zrhes+@`+$JDZdvrDmJzwXmG5fhCq!Qi90c#;D!=5FLX;YDhXmhhKE^ujy8X^Q%rof*g+W_>FMcm;2N$?J5wU zKxrnf{LnA335AG6pP2&6S!BfTzvJjya@q2(O=L}W<0*#8HO`@N^xY7AD(InTA6hq% z0SuV3@EyyDa(XhRaQW%=8CR?*LP#I zJ^1=IFO5v^`m(=G#|Egr1&hf+Jny(JvFx^FW9uBjgijma^X7)_(uZ|ld+fRq2LiiYIdRCvZG}nzi_TO|=2bMK z`4+U0F1XBj>Yb~!+ECyP3HyXL@pS2HWbAS?2xK()2IdnVi?zyZyn?^ijdiA!5)^SZ zT9Q9qW0L{O`tVK*ZF)%`xX((-^IGs4!@ z()Vfo4gJ8zmS47xPS#=UkXt1)7ak-El9a;3*;81-gxU`4o%I~z^J4ech>oA9WuAJm zQ?gDO?q2DL=;^P_maTdxd&N$EIP|tI>@pULwKCdU#7;ma{(gtqE$w>=1_@!%LLOa9 z0XhX}Fl@C_Gt)~`0y|SS!4B4PVEgQ+;&*9-+vgM7N7yDmp!<2mC^?))RuKi9Ip$5y z(cO9zl z4G^FP;7Iuv|J9&6zsuU`Ztc{fvnAZSv*~d6;+jaJA?usWCljBEs*8_ZIPYbnc!^5PCuBA;e}{2l1C~U~u}mfyrH!$TY!*_|=&@+zVus z)Kxl8^A)$NZa7E3dSP^nw+&JyBNr3i%e8S96;D9C?AxyHw##evX_a0kTqbk5`O&Vm z5PsQ`a^{8EWlrW{cT=zzbJnvVzV+mi=OqM^B&0t5W|osz9GTcuT)kS#pEa5+}{bT z8L*DB##qO67N@Es9^%gHKnZkR;o^I|fm$^@lNc6Q>ypg4xG}}1z`&of#)LpNvbo$n zb-8??J;Zz}J7lup(nnn%8y8Gw1h|cM&v(-9PJ64(9j+bg=#rlImXfvLr}GHuUTOCLr@!b&X` zk!JBj{LwvSt2QHi5f>H|OdjI*^v(^EZRlRBD#xX2wXcqj=LxKx-YPFOwm%dGr`-`kZF3( z*RUsP95&B#t)s`RY96R*rt9LxXYw1RYD#Dcr!zZ-@7%l-K;ttmMDhKTW)afPvR^jK zyHCj%8Td4?5DsMEFr;Oc>FW<1=YslIu)7M#%~&F_71Wlzc7~LiZu{{;i^AMie+YS9 z=C4SxmbgkuOh00TIu3T5a4oF_=GhAIpZInLWA|6WpEqLPA5ug12EQ!27{J6EId<^4 zmj3)Wh`VLF_bfe;_$=@{Rw`^;DqV0pHrrN9_yT$3v^t|sb(=rqZ*crLE}BBc-MAOb zBo67|Qh^gQy2sPw`Pm10w@rEyi=e$Ea&AJfFa&-T%__$#XcWb@SvMp{$!m26KQK6$9+o}=pIuZ^|sxU#nO>sK#sefEoS*makAT>4POscIeUrHyjRIaB%oP?o{{f!NCaB!&RwCY;y;8|6U9wV*pphj&d+3&xr0Qg($9eVnG*5~UGs+CeSL7wHTNmFl z5hSp3aoay}cwch=$DP%CINrT2c=8>iC(Xn^&=s0XIq{W2l$c+GDViE7*#enZNO7}n zO7S+juhY8xMkh;b5mN2De=W9`WHav#^YYNs)ARoj(VVW(*obnb6OfL7+auLk_OS9* z)2mYX5Lw2sIDZ`y>$@bQT0TiucUCiR*it0i{b|xYGp%-3(siv?y56+d$-5QaE2RBg z1m{+z3>z~Z>pDijI2t}zPU+X3{MUVh%jZL^A>snpv*!gWa&P_vdr#+Fu15!=ItMQq|Bth}eVi@Zr#l`j{YmuKh_Gb+_#w>-k!QGu)7)%U5`_e47% zQhC%WiXE;l^q&?OB7}0a%L-D!|9g0URdl#5!L_zapow}>Jkh@7=$bNXU9J3g<9g)b zqdrNoW`idO8QIkK&&s$}n|v8;Z0Vt`=Gd@HUoz>$k?pVY85f$D-{gdLh0^8up!AjZ zn|!J4EpSkK5A(FwC>F~vZz`+giNXm?IZ!J5AxpBYigFzJ+9}iKvC)LDaU8dzAhD_| zqoi;aF*pGLrh47aVvaZV+udhSc1+D%Nl_~{>qHJhgmf!H4?A_F>u9H+7K_{yf(a*u z^%<2i%%6VRMijBTh zesC6KGtySo?GSM0kMk#AhS{jSOw4w{-LJ!JbPzU%wFa**43hk@i!M9;d6tYkei(N zAlx1-?t{BdJVcq!x_#jmy4xG`3sz?EU~u9(>!!zr+x)pYB~sw2>v;B)JBZ8a z0}W2YOzTx^3DSm=ofUyu(nN6P5AnR)4HWPxNm)5xJ5iVV4 zYmEiCRN6f-OxZ*~gc3ECdL0QX4PIJ3qaoj3p3GRFRflxt>Gl+_>CY-A%OrlLfGa>G zPfV0V2@H+uXhLBy?_LS4Q8IrC+;DzP(AZinvk=sQwMokHAG8^@U-*QND9 zK_3KeJzve#l`2;C%da_H*t5vNW#O;GXRX#wuXy2jtIvn=tKu6@`+)|A&ch{_&Ze}p z4vhFn?xf^a(kkY(`-wS}5`Nd<`YbF?w57g4lqiJ|KBcM3<5RAJ_PN+_289 z@B)h2i(^%g#kWkb%{of-mj_$tI+3$@-fx!8D9SnZn*5gsX>T)q`R5M2*^HFZWjwus zFG$WHp+4m~!#2VrVa}o>3{rGB;H4F=db_qaksaHDXIQXVJRkSxlPy@HsWx}GyGPb? zzC~}kiSD%5!hdA}tfaxB_cD;whjR?YPLAu6@DHK704{D3cx+iZP|I30wRekqP@Y9( z*Ujp7XkjLq?;={c*5+oBNhHC}GEqNeL)aPS?okFGoan2Ie%lgq+XIsgbt?gjmIb9n zi{t37fCFC;*@$!{J{_^_XNre8Mh8abQBJo%$x&cuIACttyVs$t>^+E`nT)uwE7Vg1 zvQrKVV(A!ph8)!RW;c6|;k0V#%i4)p?t~8%Vh+Egsj{vk6iGi%x9<3-GhWxYv)v8OH0^Y%KCMB9QJd=_Anm zj`d5k%7xRNbR@wJ4?jPUMs#13-H#a-V@ZE_Ep~Pbx}fszC)=^&Qy42k^V%xH%Xdfp zMYZPb`ZBY0Kc_U&Loc@>EQ5OO0&nu~Qi!;#xr6=_?i+pwRDRAtQkk{izwadP_lt2w z^;+oc$Ac7m*TD$`CxBt;ndwviw~XNb(E4Ver3e`}%jN4uNR>1KK6l~id|Difd8I)t+=O7eh%wspux^7dsV5`SqRYtZ=6w9mY6y08}gcw%>;LJ}srHtK>pQBKF<>Pp-Ew z<9-wJb6N39+1p|O&!|yv7zJr}HKO25w)^lV^q$dUrenG1!5tL+XmtobW6nxux?+8R z%0OM|QqRdZZ&;iXDk?ZUX`gvJjV!Ch-BC5Qgf2(G=pNIjS1n5JN*v7he@fjyv~iYj ztjnhrw0X3lMlvg|PK!av^@(^FjOs!Z^G zsfJk$d(CGRUul$goesH2CoeE;yE<+^exAX5ZqlHF16DqLFTxz&ufa zlM|;_ud*LI(#lRk5uR`>J5SqE!8Dghb~qckp`aue+JxytD@~tEdFVxBfzUgYFF=h& zDzj!C1jCS2AWFrv3rbCTDnQ?4!AY2ZzB*OhHb;inw5APL%)xr{j~bcCJ^h_GzwG8a z4(tFJ-UNotN~jcJ{BV67`Mz>hmQzPZU6b@{{}Fv!ICn?)Lzhu+%m;N**_s+^L1J~N z{4!A;XoNPOo`L@@p97ts{P&L8D-~I=(^loJs=Qvs4aEQ)xWxC(3Yt#`M6I1Ux8CfXK#k*&_Bc*)b8Y&r`Bub%^=wcBA#kK4qpQ0*jhKE^Fb1YqF&&)ge$pu8-es5gLM*jsm0%^_ z#f5mX(~>`Y&qx9&<`>*m>@wcXCVZtn{r1jgjO1nnt}IW0mBRDRRc{kx=9TJQWuydJ z$~Iu1{M!$-7_FnR$F}2$MZ@V&Ca3A|G{QCYFWtROr-U@SwD~_qyrcU0N*d7|6qjHA zPKI$sss)e?p(QV;h1;yT?1%ED5)p@~DcpP~yg839HNwJwJLC^mi>fms`N-vL!0ZxI zI(N_PEURu@e+`7>!CcjyVdv=-c{2RYY*TtKp)k?mecei{=u+hW{Fv-L(0H{75%+xV zp|5q}FXJ>nuH$nb#+WpH3f!`Mzc-IQwW1bcTN+QPz5kg_$*>mGLq1HI?=Ejoke#8| z?{oO?1DjAI(i5#`%IyBV?I@LtXT77e!@|adbROzCg}*$?LzffIyrCe zAD_xlC!EsiN>JtON&UHRHM>6e*E!v zIKHoMq;F}Y%eUo_>EXq5uV7M&byWhZ@(DHGqZ+IP??-(xz=7e~)r;+@;4&t1mP6z< zqw`rC>3T4-qI?*yeMG%i+?sWs*B!dE8cMxGin=@Ss7`2d=x@c*=CTsyB>%Tu$`T+2`U& zE#2_v|Lwf}m(_afEpT9O-EdBpmr?o(7&JL0XcbBP6;$0AG)DD4pRO=BSL^I?N*6G4 zy9WGgXzBj6@FOS`7E3QV2h_SeuGRd$=0;p8RZsJPK)O?p)OIuf-W#J1(yAkL1IIlz z8=VgptRivT_*H;GYP#D4u|47247j%7U5h;C)5q*vJ*jaB)p*_xaJJBa$GrnjqPW?t zyx#_;uu#gj`J>vYd)CIYKawLvS0Mv_{5!DTc^v9e_*7`R%}Ot6b!Xk zEncNY)ODp+g#h%rJ03}B{%sUMvc*dgQgtrZfZW3qyJtl-XOkO^;p7s0SKnr`KuJAo zLU;Iy#)HzXD;~D=Bso|}UXSU_$uU@|I2@#h#K1=)Y;>CIPH!q7cY7=^Q$a$7)yiR| ziDG8E=O~4ZSWp@;RW)TAbS8?484%9(^O6Z`4bsx1w8vX#%rSKi(OI|+Za?5V9%|BU z)=9&b3H8Fo4==3$xw!R4^;Bb;zc=f7*ctS@>gz(nb`dtDe9YRt$gpa6(*2Xc`!Ive ztIFA_H~C<-8X1#p7+)uDwitB_u`3sfi7)x0&{5oV$VVkmnxPn=K6^0l?*hD+znZ3q z+3g9D)-_|>55E%He=)<9fV}(&zXINtjA#sRrZ8FLO+OWkUi?@x{kT*@@av`Q-+H;`XREF6%W*NO7@njXN}%r_QBlSx?B!a z%HcL#CspnGP%wISQ_XtwF;XQMJL7sg*fpinC`pwBRn<0ylzgJvDM)zf$EX-}EYun5 zkh0R1kI(G@b*wf(HrwX~&@itV#2Vw+-x#^N%X%?0?|&R!jI_WZ7FZqy7y)4b20f^qCTW3h}$5!m*|@(G4f!ksJ7-v z_wF|?1m2AJ^sI9rf$*!iPkncLIEnG6&-qfoRi)yUc5FgV#Im@kO#EHyR!yr?lp@hP2yQ&N@p$nlO9_2#64HYR_f%xmZ%8Xo&VOYZmS<^ zsuaTMz~~o-(|HnqN#F@o;Jb4!!;ZpiGw#Sv3OZh|c<_N7Ac`II@=N^j)B3s;*`)Xf zIu4Gf;Gx?XZ8wc}5_)kN@v0_lQhCe}=G-KV?y`PAG#?7lBu>7i#MvYYAAXsC`VFP% z!-w%CO-)UvThIM8v6CkutJpD>0Yco#0o#>4ll)GIzo2P5DPBNJ2 z;e7%{W5awd_Tk{4Fs<@sVASX9g|@PGTS1WEsuh+f6zVLMi{d=-E?CTSWPb2I?BPQ0 zezf!whpa;&aFky^^8Q!=I+o^G6&l&pURQPBHgQ)Ovt*8M+TqA29ma)ktR|vRZR8o4 zu*99mc4Y_oXZ*Ll6q+B~aaj`Aa*FP&nsy#eU=&0)tVNct^-!L*hEzr{l>0YVDaQ2C zQxXvG7Yd4U>yj$OW(2*ND`@bxg&nZJ#ZoJo!fku#Ia5fsPt7cT6tF#HjrThm9#k$Z7YR@w*Hrm~;w_nVDgy?F$4)0I2Y6UZ(y-|G!qcbmsy zxknp^{8Us_G?QfFi97)>u_(U_V}7IHGrBnJl^unsQX#M+WDY>kLqgcIGG)$~%%S&b zcU^j81($(R6y-8ci}&OZSsXqiFL%r3fqxv;g&MQj2pp|flj@R7V2Z@?yET4NWBPtJ zMR>vZ?u8oGA5#}%sZ8JV&A7_2)aC1EN#fv4o(I$jsp-ReDNZLPx;>1xBDVL(R;^hE zQyfKmp9en%?-T{xXDISn{kUh}*HD?hz^I3BcBW;9^g>3^B>na`(}eW3M|MU-rbtd& zgbP(m;kv*;-N#Oaj_?}p(!;q}ga_F-x2eFeQ!oQVeq(qD$0;I#%HqxMS>!plSyD!{ zLs(o;e=^uUe)+H^dtQHM`<+I-SR9ezXWn18>>a8>GBuv{Bt>kvaXo1r@>AsyfB6zL zbjup)IsYioCK@Kmc8oK?;L>E z2h04^`7uecOncTvDg?6jlD0a<^GZsl#3BLAhnQaIf6a!8df&wDiZ}mIcqho>tPLVy ztLMei4ky`-qZixgfCrd{j&v!#Ny70A(#?~cJu24roE?Ki)~oDLH0@Z>%#4P@4rO?C zXhn1nG#Ok)bSmLzDZJ;D6zX#YVprorvGt{*%b{X9P8(#>uOA=Wvi4v-$yU^ZZdo2^ zyaQ&Cn~x$7CIUVx-!QVQF`Vh=ZMGVwtmUi>|6SNm)O?o8blDq{;B@}HT-5UkQ^<}G z+ioIHX6zPL>l0zk^Ng_YSU1rgEx@ay+6%cpQ{RiZyb2SR84cUXzhnP~+c(pKh zv<}IAbI_e%S(dt&1m>BTADvoZUs{_26j4UsxSqo8p|B`rR(Ctie{B?DZf&^iWK}n+ z=3h;fnf;SkzR?{7NV;`c{pq}4Xpg6d^;`iaLqEaI?I;%4Fp zJazNDQ&lP%6X3?sNg;Ow^JY-#DP#OIRc|8n5tUrtM_70fJ+l{&ZCSc4hdfoM11_X$ajU`@1( zw)XVaG&pY(fLZ3BcH5c#^cbdC&(8OHy|9NrVSL}kQPmh!rL3GykI`-nqsPN@;E{JK z?@gB%DqCC?E17=-d8gTNF~TgPBvCI&2qs?{-vE&Zz z2#co%l|8DRgqJd!x}@>i+-i8x+jyh6AM=R3yj5)MTMsfEZb1WJ!X0`V=Y@C<7NcGC z8ES(B3>}>zVplan21iJVyYQ1Fk}ewp2Tk?ACQJS4PKs|9EE2$Q3=ivOP%dxYeSW(3 zbMJQ2mjy)ki%`ce>9>&9-HjVc^S&=f+_t7i9b0~Afw>6I_Ffff~W?F@Im&_$}DsQ0nYFnN8lb&-g=Cn7_;rjMs@xK z(u!@gE=BZGX5btw&898BF3wssqmEQcdl<1?j0!1^l9i}cq&`k0;Imuai@JRJ34#{qfSM4VBnWB2DPNnc88}3n z5>2kbN7BOuqHsP*IL4;eWj2bHQI%zYAQj9pf@|u#>Q#J54@Ny2lTUKO(YVxnwoY^Aq@ZHGA+modr(Sci&eg{Tt|- zWI=3tu4k&TNk~29#+~Xlvd*|W(1U|(&aTeL>XNYxKeg|)(y;gGI*>|Klk_X$iw^5< zir}U`D;p`$&f53M_3?t)4{#nDrejrKqS^`yS5Vr3pv%pjJ`mh&8 zZe;s){goMG@9_thA<^C4Z+mYdxvEs^WAo=*zGmJgq}@O%-_9e0!i3P!R__NjCd8(c zS*f+BP_tVXn(8r(w*N-`uWdwZ4=f@j$sQ?Cu#SJs|7sP#l(142<_<7otHEsQsh7@l zlP|vEpw@~0aDwPA_opDbOYq^J9g-nppb_bK8Sp-+R786mvPq?!ArJLZ+bmj1l$T&T zU*d$2N>6tnD}T60x880g%JJxab5zOGne_5#V>Pl)M1RA^Uh5$H>uBr)7@uvfb<|q^ z|HteuSL6tXo)%AtIAF$UDm^iKr*F$F<@4BBCf?E`pWz_`8^->Hz_ z&~C0sskSfs`e}*5M1@Y(zfk#v?y}Nn707TA({;MKVEPE{Ta_UruelI<}BJnbd^33dOHs|m0LyO&32?nMqejQr+JwG z^I}7lK&uLi$R1~`gXA#9xTqefL^dn?bV1t$wDz)1C`OanQZ+=as*%ZdwPW5Wtj_g8N*YOjO8upwrJl&QR6JPy;>Q?Pre<5dF11)YCj9 z7{5S+T1G>NyH_`hQ%LFtZ{xmP4=wI(#eTpjzxHqIKDIppNOggx$UU%yLdsZ2Ph&thRhrxcIJW6v3n1JhUwkh1Sz-pBF zVn$b;J6X^L9lc#&z9jA2ECe8~J%OU}Lu?LPP`xCf{G#bt|MRkF*2#`9s9S6Ep~jCd z*}Iu7@Jsoh^&WRnk`!^zMM)SK9sddWv1U7bs=f`@ImWn5@$(>(jf8FgAZ#k4-r0Le zTzOW^$w{EtM0ii2@iABUlRJ>|+2PlSwW|fHa)=)QmH)-o474QuYmOPB=NKw#a^=)N zWi1|kzw1X2H5k}&?95tvYYo5sW_obJfP;#yjlD!pIAAW_3%6lgAh~2BoK-PZW|#EY zk6D5uWkS6$mv8yutPnelxD@g*Om~QRf7H|HD*RoHCFy#;FYgVq3dOoqY>HzI!PY^u zNg1de-ql%mG}@(wT=rpI0S@Px4&;Qv8!GLxoz`k>8)PM~CJ7@};}*W2G;8P$u==0= zxXsvwC$d8s7$f#nM|qXhS=Bqm$|=clu!cxH`FxZ`%tk4WrtU6vVqz)>LlOyr;*0 z_)EGP6xWA{@D}OyuIBxS;h<9^)ZScv%FeRB$uq^N0yk~9-vrgy?(Q}}7{81~^yiE7 zmHw4SB}4P5WDB3gLVMcqc&~}I>sYErk#baHH%-t5;Iq-RqGRYxHKq&l)b zqGL2+jd4;N9|KJRqe|QCp+m47Nih|-8uzY{n5^0_ECto<$%o!|%4-rh+{8hQdvTkgF1n6TdY2K8oEVmM5p|PuZT^PJ3@UU} zQ_%J&x4ngIg0mQkf!R;VTuQS_RDnvJB$sE65lemR?^5gHYGmZD~4w?a^UtbC62*0w4sRs6gy`m@M%Kq2$q{ZfgPyhN*`v zN>$m&nYCt|>@X=+&a5XhDSB)FNG*&gPF?C&eo5g;nMzx|4I<7P?gHsC8$B{g1}KOgO`2&G%nP1}p=Y9u5BhQZmTFBN5~>2iB9{ zCO^{w!rx52Ppz)UAl9a8AIPbNCR<&wEbcFACMYz5i_0R?)MC)8lZM|a3@xC?Fi*#K zw~7bmqQ|J+{5`FFaPyFA?{5XtF#74o7idYRbz_$VxZ;|kuehib=h&f(eaB?k+nbBFs`#6Fd{VfyK81}WIhI(U|QpX_W-)JA79um znv+-BFblie^~g@5xgzmVXlPJj3@@%&7?e8JkrwXK1_M4U5);fUglFdpRr`mE33oVm z7|JNh`h&M6@kK!l_hD{KA)Hl8(C;`m7cRVUpZvpP^&50DtBDD{(4_xIq+Y$1w^rDV zf^qM#a#G$VZ$zM{H;1nSUOZ2;h}GVNIei01c&A8o{$Tc3T?(Ek*;VzGir+i2026!^ zlGwa}M#r(B3vdRy-}IiV;WxOf8sKydEq_?uvJ?E*Qj@3znh*a};#!Ym!BGk^XTO(U z^wLL$HeCG!bo__pQU7zaBj_BF@sK(Q2%|1b73C&bo_zvYWSSV^>Q<>Nkl0k0xKvP8 zDM>(-_H;GY@w`WcmE;jQgqMx02eK;Tcr)}xTM#Z24GnKLi zgs?~Me4&Voja@9a0D9}i7mK35qDq6G$2zF-P36f_|YmwntzqbK<~*To9@;IUyLE3(oLWbV0 zWmoX8%9t8!b1hcD7i&uQ5;-2TFHi?-f!5M_q=QmA+~o|`+b>uoY1M9x(MkNZ?H0kd3oRL^ zzILJ3Me67tFfv?xrq~U=`LON?3xhF4KNoe8=9RF@U_d1s2D$b6;r&cV9MK4x=0jAr&Y?Bs$=m$T z*Qg(70lvV^21@%A$Z;cgB8B_hPGOCizU$eW6h7wKv#*A1yYxi~i}{5>6{*ZzSL6p7 zYW47>4DggfLOuf?cuJDX)TI3u;_Be$B&odwmBUw!a@&lLB8xGRO24Y>&zImzT1#>X z6YZ_Iw=adX3K0}We{ypXW9;Q0lTAxJ4TAN?vjKsQR2yiIXi_MBo?;Ui##@Vj)`{@< zi>P}m;xo;t^@5uI$GscWZMO~TML^#{KtgjjY}EVi6zSk4wU zXX+&frcsLtf>{R<)Szo7zQBAD7(Ns}bZOBQ89?N{X4at`wdil&^EV*E2G6zkf1I<7 zI<{ThRCvPN1ll+? zGbM`z(j$XJS_+yQtWr#uWny{qd7Z$8CBMqoA>OD+G=H|dN07uS$!<_YzecFGS>&_k z^_@+ViGY<6V~o51kak2^@r|iGgH%&sJ45_$hCbN~br#lU6?eY;i8yrivU*0Seb{LD z#$}sP3?nA@zD>JXh`{T?HD3b}dT+}6+@lRVvg#+_(}S6n!SxaQ@wddg2(y^m#^F6t zKI`UYbsaUZKrwG~8H|L9aVhyUW;W+LpneCZW_>n(8{yAHk%ynhQS_*#;h>rO3qeK| zkeoXbuLf`5&-v?COTQ4T>wUx{Mg*k~TX=VGbRvLG_>6#nrFe>`qL~>ms@J+)bJQ32hKI3HTb~2LGWiXB-KQa~#cg zxwC|>?LC2P9eY%-TU2apUeNdxZgNHaDKPq%`*ynAAVPTMI4|d}O$3fb=$Kc8KX@uQGd({IJ`Q>z85d?`S&% zUHx%o$(Lbn+00?PZFd`ArvW*Bo^+IWb41VGq??kyZWc6Q;R#u<0^srnp{&HD<~dlm zZ!2o^sit?c;n$+)CPe4c45$o-%tquYu=?q^M?9~O2qsm4F+A6JdU3^D7uGF9uE`t^ zsaK1bX#adfPn%W1k1oVrvwt9{4Xw?~!J#?WSJhtDjxN3|qTs=Xv? z;2nhyOrK!n?$XUC)JJ{Nb*^d0&qvgO z#?{T__yvb!a7iT`cxBif*`(r)WB#kWl8tj!wHwyWE6(%Jj!W`=Hw?MTHBY2!L}v7D;I>zG46R@GI*dA zW8U~pM19OZxX%N1JQ znO|GDtrMVOaY$cQ-s2zhz)WR4!?EX`7OAF7u7+{*!bCP}?(}6`VdUxj0Q2UDn3f7s z9d|YqTY<2EWB(0F(%&buUxIZ!g0dygQS?^twdE> z83fy$9s~!}gP{ZBT~^ZBJQIffV$vm5`csYARpIxona?>fW=VxD{78(sSIv^PAcC29 z4T{$iLbV3`W`qxZ4-Vcd%HtlEUge1scTFEZFLYm;qEm)mt#Z!^HP$#FdkY+loV`;! z{{up^TGk?SrSbIY%@rTDSWU}c?8vx{GS{jQ z&nl7rmYy^4gP(}KVyHEH_`xs#mM*0WRnS{^mW7cV7NQ5Qa3L>uGXmz~+UY;N&}6zv zA$A@Vg-3Dhk7Po&>6lTRhI`nd2XDtfPZ-hla;4~y=bU=b>;bZb*2;*5 zll%}TK~Aox3$pvI&phhs3BzUGSjVjVQ;&vd=Q536^it*}KsV&LIk!xtNXt&0Fbi z3nFBoxk)wQk@Ri%f<|poEo;3Rw>CTqyxaE8Zz!AiXH)baS^Hz``TvFHgfZ@7lm9I; z6%tr{&a-;xDsyd5;`*>{)mA0q>G)rw2Di0IQE?&u^NR(GFWP|2J{2KEV)@SUk3iT= zI0hpDUnJ=x_&g4w*`v}ZssW9^Zl~zQA_kJB%3Xa6R`}HLmmN?yN6kTxwUtRQK z{KaTnk6jhK^h>8zqGqO6-QK*hdDL?e%A-*&tdnWzi8odZFM@86lY>``5?he2=%;S$ z)l2M62$p$pBehnS{5LjutvVU~<}jsvmqV0_kq)}bgy((_N^#@VX{sn32>5AGAWMFj=2ALR60UEMoBxf9n9A%%hQ_Z zmpQQ77+cxR6Th+dNB-d7cmnW#?&XG{z{Hd42rpH?HDnXqdN=?JsrC2`eRj12K-XTz z%-#W4^)E7F7vm2Lih*L%gS{5#(jL{h#8xm7?N0zfgc!qnl77U-Scxs>I#FP!iD(j& zWh>#K@$%U&X7iZO+=+J_F&f#bcD2yZe+#3ZqJbVEJ>1stdBr*VLij1^_O~ON5U&wKq1fEJh`7RiEHoD1Bt9kx1w9kp{kLDO;3z4 z*??$uBtJ<*_XDve(6)?q^e>Isy8}_oCQzR^{8j0QJLPG$3G!NBYPW)HmHr$Rj*(oA zGRzTo5wZSs7`61-F~h*-9I&@1d~Opp*qVYHSv$ejVr6sv{I3o_Oy>3 z5O8E2l9i=l|0qj8Z_7Vk8(s6g*K}3KpYVcUg1KD09cH(h611Uwv^pK=j+P8t!+Z}f zNi(F(Pl(|mp7I9@CUQmLA*zErfiD|Qy%5jc#E|3&W(6&nf9C`fUM~a)A z{*_KDVIxh-gh>JJ5dTd2eNJCReK)S<0tm-#Ds#7n$cDsHJ76I0Av;!tTiY8w(x2s< zjp6pnMZb)N@;8t0o)O_E>+EcQ&_4g<@7DW{dY9-limG(iGq>eQ(#M+;&Nrcy>OK!z zZ)BM#`^6zQ2yBjqK}=XNJpDIEEhMZcfi$b_YTBW#QXsX}lJxyo)VuYpwev->Cy z7p+^Aq4eQC|0pBaqTiW}raN#}E{ICdGY&e_lRpc&ST+9Vd2b_|tb~t}zP%Ddo zg{kb>7yqXs2r#IXZ%8(Af$*)3g#`Ec(3Ok#t_*sVn)GN61iDI%^0W=}$$I{spZ}|`K zGnRC~2HTaVNCsTK6llWiEIt+Cc=Cwq$pV00hFTM@FTjVhv=y@2{}RHpy?=ls{7iu) zxR-=Xoj34a`-`uA;s*JpR|3y%zP)+Zfi-uddi|O9v=R#pwh|Mf@Pe(wnN={#v`E_v^k` zbNml4$!B`nFYgWLSa!R`#3m+wN!(0);Ph)xGkdiuduwV_*QGYEK@R!^`i+xKG-!1| z1$SN3`22C#YNxn>WjVb9di z^5lQ&6MjOdUWrU&WC|Qo4eXWu>HB!NTNwBUcH6`S`NL;F@nq`Z9$$aN7od!60iQUC zTm5QQ^$PiNBz~L)St|dojjqHq%jQ`Q3hOatd>u1F0Jvnq04_8C0$lQC{_HC@Pk-^n zhSgB4>J$$6Uo@?RQe3T3dn8=`{EEjFOOE>8Nclx-Skn} zkJj&$_={t+fWMf9r|OMmxAYzLzN_YENif!Qb==xx5MBoxRq`^asjyRd9%r8Tv2AX|yPeo!Wi_aWS+ zIkR>#FSc0I);Gr<1+fg<@+S?;EC5fY;k_&0AD;{b=E+ceO8j5q@QUaNxaY>W7$~9a z{!Z9uwCn*bR>9@d!~q5msA@k#R`3$aRr`M`G=vt~Fo$qPEDn-ES7sgu)TNP~ZPV77 ztv=Nmda1KFLiYO^Dbh|eo2s%8Yl?V}>9u=u+(F4ZyQXxmdnw2B!;I+)qF##6`Bd)` zy&%oKZJNCD8P?!c!R$}M5oeR40;RY@kW!r-w_?!x0J`qqQk1O3zH6($O^cjXsJhn>8W-0hT#5*tmaqsoiN&!VRKXi+)j8KDuPfTS#R~WSpUmLY9@~9ZVFVP_2); z-)m>RSQcrt4^}evTCphjn^O?|6|aoRcQ`&s6O(l6wKYe{N$QW@2qEbq`^ip$T>l3w z&}^_**7tMtFn;61Z024C7CaBgn9X@+iW_>)?75|l)_|Kfo ze?~4ogkJOXZ|y6dYfMYQ5c^F2CiZc&qowIKKUl1HLZ=|GS!zh!qDYS_ojYMJTCr%M zC0xb5XeP(4xI&P5G3&VZBL{J1Vd83r{-P)BpeI;K&P_RqEH~~o_sW3VPtEGEa>{S* z5i*gl;Es=8_U7b2H_>fcB=Ss)Yy3=UjI={VY3Q%g_UFjU2*y|l@}JG;z$(f;v-7zK z0;l~#+ic0_IKnyf7oKNe(FZq&w1v9N&&JYgn!AHsLJdCpv9u!0!BXVp%Js+X1I26~ zXmn!x|8lUFi&@bCVG2L`@oPEtAvxPQzu*aM=eD1!#|WMiBOZ9mu}#{+GpO524h)u^Pl=lC zEB5r~0lCRngYN`_1#-7M#`X_+sh&l&V1X2gtOWco3xxIBkicv(j+Dn8Qa6V1v1MD@ zZC?U)yX^qpSd!ZCGh;}Ja!NMYZ27zl-U6ZFZI2-zqBM6C73$SBUiEIj3G@^3W%?#b z4jqu2c5ECZd&Y6B+bFMpk_`x44`ar@cIe$>)mcyov{Z@O*WT64AWK4E|yHwe$8>zfU%7iwTSV4^0BcalbJt5l<< zMWR-sA~m<8``u7&jEVPhSN$xy0^#-nDuMXc9Z@Ygq4>z5ugcY96D~g)hes&=XB63W z(@wgW9WO+b<1>w{`;--8gGj`4qy|iA`v(>e7b08QC2S2Ig~Nqc&??}S^5$u}a&-$> z7kmpT)$=0TA_git?oBx`>tGVv8BBTJ z8rx1Uz{c$pjRWoG)S9an`8^z(j{ES%b!)n*XICa=`2SF~3aeqBiQ1ce2JlSwaj|~? z7Yktef8J}Ks4&k*h=Ga}lq*(Y(*gm3&1BS&Ypwn`8rk0EV69vbu5i7k)MOZ{hvr4B z_OITVd?BxMP^hG%@AMkfRfY1bLdc!uOc}6Hntk8s2lYk}DX^WT(wDUq%>~Z?!lA0| zNYa41_I*aS>vhdif zv-8hBDzL4x>MXzGQL%p}Z-(u%n0o?B$c*PkJB>-P{ig0B#7h$A&!9+#+`nx7$BTHR zV%44=7Xf2w5!h$M{!Tz@RV5qG+y3Aj9a-|(&?3&VmV{(#o8sov!tOY(AESoy&^hrm zE5kp&ubyJwS5Lnt{;}|(^n5~d<DmgR{nxiB-_+E_3Q|X3+B%1?TVtJY< zAW*FHL$97vkiRL4U|;j21k)2j{xinqffM5(lX{PDKp6zL%jT$&eAtntxvZSTyHnRo z6!`E#2~nta$t%Ct+zYtbL8%#`}>im3t*baEx$Wx@78<+dKM!L1jK%phc8goCDkR~+q zuc&eZUc0zGlkbkIRA(wQMp7XI@qWr_?pc*22s-bY2Qx~1;Ef@Kd{zsw>sA}h7n{xaux4|OF^J{aO`iBd(@uhvnKl9qiMvKAx91dP zhb5ADhnVsg8DD%N)e$Ry75womCg2mI_@TP+z-K92Db-IVCbYYZa_^JrL!Q&^@2ETy z<|L8q5MhOz86!`cn6dQ5Y!%~ebQ^Wti;J>qEvQ{~jbI%C+B?Yj7B-H^+B<%W7A@=+;_-8Pr5$Ty9;Fkk@`%{e z_*^iW-y_uV-zzE4FBIS$Tcdgn$^kmbXSKTq}1+Cx2j$kRObZV9>FC>^SSr;_qLgrG>mEq4)>ssqHLZxJ1^U_Dk}O8+HS*LHtS$D^p%)29 zQ(LjBR+BUG;|GD^b>oFZ{2A!nAbxO%llABr`C^jhxfEVIW2D=CB^^yt-*;~7avh=@g>9<{(qIU;v- zeMR5+Fn^Du?6wZr!Ik;t@%9?JYH?(+CL~Q*eFJBQLfvmzjro@}0hP^n=QmkI?wu}0 zm~X@c5SbrVEEWw&goNh6-Ue_Vnxez1)X-t4`{7BbM?cam17?EL+RDWdt03zNv3T`= zc+Eaz1ZSkFw4GrWhRRuk$pjs)MY>ik#+sUi@S*XnoDG03&H+fvDUvd%98kKYAQ>u} z$=Xv5e5p6(eom&--$*~$Lk+&109Ph0A234ncb&(A1zBsZ7b{RtkXhP;;o-FeB)aXk zm(G4)^WO2tMrDXIs zxB9r;2$km8N6nD`)DqqHRuK!7yFgFlSOeA$!)^>T*RH9TDMtNdkcqT5h%r0q#5AuX z?U>LT{!P*tnui3U>%+5~TtgYE`ji5O>}^PGMDlRlaDB+H1m16g~~0q3ZfBCiwE~VC1*i;phSNYoZa>{PX-^GCmfT zQ>typwZTHI#m6q|PF3?CDQ3&}2&vZVkw4g4y@;qd*b$vGnQvqi}J1FD_XYFUea9{^B#-p5q0-Ss^Ax6>~S(KSc_eCBZoMgSG; zi?z`ohU+nN&^F;1EeEw1Ls?20l4w?mDN&ne2V-}>c%Qz|!G6)XR7fZ}VbzEWmH-w1 zGdG|R3LK33>^<_i76L+Jc)kNbr*#CWrj;iKoIP;llkszXSle|&)jm|{umEJ(dXRU0 zwP8GW&ZHdH{%3z_bobhj#6So>C#5Wo&YeWU4d_fZo$jlZzg&-xTO{0zf$Q;gs!$8+ zZDeAh-QYL&h{fj|b%PS_s9sa*Wyb9564DigeSSnyi^>)Y4dR+CS+dCWeXdZu?|k8Y zuy4F}*-+f(GenUhV|ViN0lFei=LcP66#9@}(K26uvs-N+`}C9uu<2sX1~^?zvT9p8 z5Eky&8I#bFLzO-8@nT#$SCKq~gG`{IlukChxz&izBcNs}@8L9g1aoKo* zY#%y2CMEi2KCEU~G9V}Tgz|X<{kr0#YjF3y64~RG46=(|w#!0V(s+tf)6J^7T*uzz z!!z8Gv4I$^d-iM8sGi|f*Z18+Htwh99URY_xh(s>p|X4(S7Rjx*hg)zuer7&gFB8+ z^Oe@mTd50se!Gs;qPLNzup_}8^q2$dQGuLko|a)A2h6F*7tV*OrGWo>;Li2aJ?Tla zdZ`6bUTJC9gSZcrS|&~IJnm-O(1?{y*h#_nx|d6g<_XvF+FR^iqg({yOg(RYvzYba z*r<`n)`mXh&#M)8XktHFJrGFWO()fHa5f#$k0Q(PD9_jubgJ|1tL-IBXxwS&L1ixa zj;hd0kTJBdQ&_&!;+{ZVa8ME@bof9T%>fP+MY>gIdU?8wqfww_sFB+Fq;x%9!@%~% z`4ALvUJm=7A~sItVTJ9Nr?e3?8jq?AO127P?bY?!;(ol9sc>2Qk1FHoZEz08Nm&@& zkFf^Nd=wZU_1GG=E(xLlS*f<@E%fQTpo5hGro`xi5p7qs-?ad6QxzsATTv>yS|z_g z@TRQFwkP)_$Sfzfv7w@+?Z~=Sm!9hPiC3>MBTj&#dO&C zZ%~nPq6mVIy^FyV(q*@?g-kB;Oq8cH3vQIb*`btFx0re||H9NH2wE}Y+?VbptI29M zFPag3Qt^!(P0S{(Xy-+cDP=;}k@ehIWbh4b<<(-;Hj|%EA<6fNin&jZn4qg!4=R>% z%uF~R;PaQnQt)L4;v?6CfS++iP+8}qm{70yR!DlYhdtOh z;6wA^1A?7fzQbt^*k{TCPWVD6skqeqkG|EYY-#T-tBH6V*5wy)FuA=Y*f>dY&~z}{ z2uto6^A5!e*DyQU`cY-CW)eWo4}FH`$yz#wYN_7WOYs^On75)h?Ff9{Y<}GHlw3K- z*ET?`n#0e-sEiub3UgiBAUEb(E=6*TZ?1cc(8ZlQCQWW6V68ql>n2Pb8amn}(vMop zJ>4w5db*jW>up}w>Z?8;m5rT6FqSuJz4qu`&cG=JgXDZ1XUayr^6NG;0{XHI4{h%B zr-xB7>$_~+9d;Dd&Sn#%R{Jda4h=ly4rV>I8$$AkP9wCtr$M8>Ef z4x52Mykj_9*#fsxRPvDwYGwLF%dvoyqxK~t2`^gJRcrh*F>AhIa1r?*&C6$Nh!x#b zkn2{g%_0y>6#$cZ)Pbscw*}wy*?lWu@E8m@hlT1Vc2ao)}2F;Zq1YS$!c$03kdef5sKm0=}F!`2YI7M(SV^6RPvB z#h3NSNFA~|P2DGd{M;&Xnj~OP3>prin2_uNXU1t6^6upNJ@8EUt0JG9f3ihY%TVyN$PuL*kkR zdrgHpLPJ+`6P@`;@DP6AE`r z_mqtQ$=g4jI)_){tkD%o>oIG*G$s$1Eo~;zY6=mWeV=&=Y_{w1IC=i9lcm_TL`<)# ztc%uujgMxt=6`N>$=Cr)*xza0!0}=%2bDimbvg9m)v5C95^pFuvuv)>##ZU z2q8=Iu<*fjCOU28o?L*_(Z$?D*NYR=Rol=~q-9-ew7N%1m*w=uDJstKcX;rgJ<5Fh z{V8?3p-sYnl+<1IU=nM2tJWE255A>LB2Uo(C;JDVZ{L+`vZd2TgccI*kc+l;1vugA z&r|=art7uCJ_GhbGxuVR%x$UiY-|!`O-4v}lZF?(shLdbbUC&4))qEUK zYi!u8XjVQYI+fq%tCH-_*H1Dh(-GE%newtjOl4;Xo?j~5CVeW%^?u0HsC$pO*bkbM z3WpKUDP@auP=P~X#^B-$a+w~aW@md3fB9pYa?osHBvIUIN+&6YfWRy>ECK2;B++w5JIU;*4$n;C zD0#*-8|Rmk0xou5e!jJRDKG^ws;N6AeMRVPn(%=2jYn68CbLi0& zd0zUEnB~DKyit!WRNZQ&h8bD{I_{NAQozPNS#Lq@WH@M9b1Yse(o>@M`;r;Yv$Y2{ zP)oU^i!wHUfnwgw{cLbiy767MY}5LPYlE7J3a`_=(4Kc{KjqtO<S6sX3Q#Y%uW7{k)=T;JJcd@*!?6&+)G>BJeP}zdA z|7@QNe&WAwlGU!>?)`N{aGnUa`2rDPb35=B!NQcaw<~yXv4g9GLKnrcp%ykT-?}U?M7z6W)!Mun*mQQ`ork_CtfiJ-Z(@$- zj9HY{DJSrL7&E*5mbK`x4rE2K)u|9YwzA8*d(8uwm?m{ezw7qYY2x(Odi?ILbWkhu zz3{t~EmrEOq**A$~-OBJ@&%|=4E54;&{+| ze)VBEJwIAclBm7;V9|4iw4ow{h*JKIM;b?85&H1+3{?3uiJ#|!V%3#;Jg`NlaWsnP z+i_f9%6hzV#%6puD7-d4lWO;f)=>$x{MsyZH* zvTV=U1;(~%LtAGwaUQ+Nz=N_X1s_5KOS>d3WOD10H(XC^xYk#`GW$C*Q)hF5$j13bRI ze8B80x#9%c)|4&E8JRbjWC~nY3uIyvMxBR=ssTZLN8g{LYpOswC=%9 z`2c-U3Xr?wAdORpHJ$V0_H#2=a31Sl0Iy2J1KC&u9Jb;xw!$XDokR{0vE)2}1Q~A* zK;9;S(c~IVRyp$6fqxIg*tidYN<<^)b*|Z$x6y@l=Np#8rRL++&Wa0d;q)5-OIQR@ z8f}=!$dMN77K}_3(^QS_#k9;%=|7%D_kt3&8+L)#UmMDa0rBwK#{M;6-5!F^HJYiA za@U4xP0J)JZMLNSL7eK|qMHOV8~m5hj`O^lEBJ#_l5LlM?Uej{Gqv5^3<5S-R@Ypq zQxFI6?>hho@ic_%U2ZiuiI$y$2GBK{fljduWRbckN|MJ^O|{f&_iF|>d!lRzcAV0k z7crS3==kjy92N5s!)Y?WeUaj~;EFG`q_zGuZjp@NF0%$av_qgW9*fa&zrV%UbLO&^ zYuL#FKiI3^s=J(G2lnG9f4^1mdVqr0yE=$2m3dt|b5BC7$vX(W^qgaqF%2PvC zasoQ58$=!ttVQKnWY4ufRe=O;Agncq8Preklyeu_Y7TfbTawlvsX8$vE5QNg$C#snqcNZXq@s=>=-wM3?LUoL>^# z5}#y_pII)7CCTuW+-h#)DR1KX%EVz_t2)$_4&%#W{OS8uiTYR^QF!^#x^Sn-SmFJ1 z_)X@7g7v1y&O`4+u=&~WG*)|59gZ{X6+MQULdoh=IgraOaemYaIc~Anxlg+2gXPZ` z;_^NSqK)MC2L#mvcm2&W4p_K-nt4k)STFg!l54j7u>_-H>OiqLxeY=l!)3qh<{;0z z%MRN!k_?3{tAFxa`w1}Do?c)Hoa>M_&+K+O6lyt+4WA@=sG;9%OK6x!ZI;U9o15*U zb{yJ?dBl?Jht<0sQ1708aMieWZRD02+{MMH%W9cO-j8bMb&;t9szV&lm46iv_;c0s zU!Eei_2xdtnuG%bF12&p#g8R+wRX@RnwYL@9nf|s(K6YLgrCoDI_-mw&p+X8O0rU! z&`n(MJhjICl;(6Z()zG&Tlb)c=#tbN?uUWng$YBH@-#9up7 z9jfV0h-o1;FL;fD?3m*Q>pK`G)TmK<_kmZoeq&zcqaRyV7tN(7+NVuaJ91`q{^umH zu9$*3og-}ljhJBW5{G1Nfu)LnHFbYqXw`RNvx1Fi9lU+F}M>x+1 z1Q=#zfZEv@@gZxJhTYndrg?}FWRL}!W_9AV?*hX|_FK6vPKH9Td6)=u=G*p!%?)~C{OpC?|8{KPUv-zjz1*5)GXNr_ivgBR2m@ES z1h(cwA04B?C|Q_~p*!XIV_g!zuQCVA#l6Lh zzBi2v(PDyEA_RmV~Pm^ zE%$dik2skUiBBnIt9re1gHp_wz8G2v%q%0!fD5AF2!7Uaw0{&bT)jks3Dip1}j(eey-Ktcf&NAFEz#cAx)J9gml03f?BM z?k?sI3pHqEa}e;E_biaPU*%;iA!f%6!S|X3k+x>>-y428g=x^>7P?Ya`L8rZX*Li# z6SPr+n#-oi^T5i(`2y94QS*oN(7F>8W1@5_zbsQD;@1YVB0*Y^M&Vl?=0syV!5-}S zhYorOr{OQG1`n~7z8`%tObp<5n9(h~_%&KZvF|5|5^l6_ z3YEwk;#EM5q@?CK$R^aI+T?Mv?)j<7r6-J*SYtap5KYvxrYQwTh9e?9<{q{Nb`uPF z$9^5fxp|20Mc|Ku*hO;lbuVmPjwr<>H5)3x__Jo>IhlAW`Emj)QE6)2D7+SV+LCZ@ zlq$%OLf24wv3}EdKHLg_w1j9zP1jK2qP!i?52ToeG(Fqo$Y-6BZ*O;{oi}jkV0|TB zVY%RBp-LeD-#wz6!g1=EF8LMWR4rGySGjclo@y^l&)=!JR@`Yrm_dRD-x5S{7ABqI zABoIsKAr@Gi6=4AHKYIzw%7A3Ul9LnLZ3&{L3duwAW?E{ICrCREidQ!qelmZP3WDu zxxM!DS4fA_g_@fbRr4!bud3mel`HA@MeBctO5 z7yV^7wJYL>&zB9e%lv{bMCYNdH^{R8wB;3uw#zk>VmbPvK;2R5xr8iSFr^r#-RCsRC!{uIYukllMT!vCsHtv3ti zaJHjci|u?5NFRUZoiz1kFp@?Lx5n@Wob9NA_=$_?7B^ERscJUdtLI*ODs;1+DF5)3 zjSf@GkZF4jYc85>P86t`xrL<-g40-L6f zcasO?N;5ce#*7O^mQ4I2r|#?Su~&W;LiZ4Dd|_qJg0$dS+Lo#JE@HQazql*$qlh(e z9zF8=sRJNSg4$zzIdhHUW%O?2jYp9pi6qk1HJ1NR-S^-2e8eo!lp32|5C=GU@ z2GCi&$^#vPq_(Kz;uphr^Gq!t2zIu;o3M@_3Xu~ENk~$=ZT}3PxTbJrH#QYEJ5a10 zx2URuBezb_2FU}lohg`9&c3J~eR;lxdvoX)*c@Tc`%@lUd)Zx6z<+Yf;K{aMxvIbL z{wknj3VtNG1YKO=aEJr}baZkR{QGp6(zV?Dk%vu@Ogiy@Xn0$1VHm(TIkxP@Y8nnun;N%axSMuCC~TQ zuLj%O&Oa64ONXtv1UlDz`iLkL6SVT1Xi><;HYlNT$UIh~>tXDnG~nIj5{O)poU;-9 zv9jqvHtW+6^~39_=~3V;l7>+Fu1w7Dt%!2iycEjpbH)=p9-IPv50Y z1%CDe?tSOqRUkUar21E%Y2vI3Vt%gb+(b`ah7f1v zPZT%M+occy^+MAVcu5DvtLEE8EPi2rw^@=N$XV?BlYEWy!lx4`?4L=YG~S$`yb`_^ zw|INeOdGx8%Zl%C`@nypA!Z`W2xg3Tz-75W19b3x2DQ-A$RKf2x(i?aGG|BM`^5B4HG+5Q)OPbm5 znhbZ;!S)3?nUk5qL z{@bk)wUktHLj7j^FyHxm14>1^sIv_9aBpWc0XAoY{+|s-3y@1gxze3O%?#!a|Px{(?&~igH-|@U_J?)A0j-BqF@No8;k$OD1 zYgHY87Z+Qn!g70_A;jV>7IR2{)S!f0?6BzoK}hxb_Nx)j zg!Ro^QutYGQwurWo5}>q1pdMVUc2o;E=SgG_6}hJ1LLen>@2T}gJTENIy;sE z!3=iGex|%by516#LxXo4*8OKHG!$Of1+p)E1}2LjYwPellb<8h+Ocuff8V zxk5H1OosPkOwYqT$c8lIY~gj53!?t11>(ktqA=3~y!AL58yRRAuC-@8> zg62G3V3=66X-+8YNOVfVS$2`gL0Er@H_<-Cn(gncT76{VCpwkle7GxBX-a$8LbxN1 z3|=-Q-pav;q2I94G31+LH&zBo54R@{0%O-Dz~!0V9cof^-2rt^_+x3;P0 z%EqCe4xhVtf$PHx+V?+fjbNUS&XO+AS{D;tf$1@|trP6q-R^e#f0c(Xsc$rFSrM?c z_^oAF{k%^Yj>`^-r*8pHYW&HEK@d0pNDgFkKg-hhWR7c8$IAn=^a_vWo=K=fp$t4B zC(HfuK|8JKl*^w3hZ&Q;cDSt&c~ASn-8&Gh0>=Y<3K9vR2V_c&xtJCd*qgI%?S#$kKZfMQJ!hrGcSp-C z=g4KN;2qC2GA8GfH;H^tf${5QA%uonB@UE1GR-!vO7O><@ZVtEP8Zo?)k*Gm1gsJq zEN)aGtGFG|Kao$SEh`uBT-Oqg=E|M--W`Uf;FU)2$)4XlXz0xQVLb;AK2*A}c0$wW z*FG8+2u4hox??rHFWahPqL%4=QvtMQi+jZdugcDb$8RZ;XQ;*<2+mu%X1h363}z&k zcZb0Fw!(8cjgv2L47m`#3ab4K3610@S-DpTOMJ;V9BlRiYYKc|PX_OWHZiK)jtEh8Ow4s9cPmeF|@Acz2 zG{25BNI$@bcW}dZ26^8(!W>p2KLz?bHV?<4K9lPB8!z2~;uXpoJH?Bi zLDI%0KOjhATpeTCeV`aqhdtDq#ms=~O zICfFcCm?970b~kivIpEtCErFvt~rp<2l$+P+&GpqrhPJn3vsnH!@eJBGPdIq${q;A zjt-sOhDPsB>5P9`-FVXNhA9DP;!ZB>80RKd{EEWj?`VcMGPZ_7cT^B6X~K~<7BwyP z0fU|N#?qR|DJ`Z5?w=pLfve@=wdqTwR_z;oL#OUs?f_U9s)yDGV=}7&fBEEKFtL=? z*=4RqGmY{`YUfAFwzN4hK&jk%__dP|)r+E7s_GlAZOmQy^$ZO*5=4sZGwfYk21!66 zR=gZ!h)%l@JF<1T95`u@j7czR2VW4|??PPNSKb?B5e>?4tX%xn*pZB-YrTkXQ#)#s z*)Lx*RSGIsS13*KIJ75w921-=}0 zZ%0!t31@3yuM#PMONcnq1Ie-ut*G~Ymg~ue>>qD|nLbL_#ghCxLnON!m9|EyS2!gn z6PFI30|~;MjPY6kuP3B0>!lP7S^3!cS`-wR=?60Fdx4prGlQx^D_E=mPT=P&^7^(?q`tkWRu_*6;e2UOv=&iZ?p~O(kLxu5|{ehplXx|x*GM|n}@I+d?^~H2D z(jHE*ctv&BJj`|b00g89-WUD@cblvJh~`QYJKP|o6g!-LrRRjEsUH2QZ(+CV&C^!W zkiVs0LoHhQS%%>Bjm58(&)nO7DkUMbYA!|@{?v^NMjr-5!72O(^ZYRGt1Sbh)FX_< zbw*+N$Do8yjaC9q{a%D>q_NzQ@8^vlnFVU)4jls(A_a;J^Y8^9v$F=bf$pH9&x6Ho z&w|G%@_17qGT7fnbq%b-xEmVFajEwQ?|qwD*)u6$f#n*Pb<}f_2DhhqwUu1x4`lLh zF(A*ZS68DtNMH0^tr?xCE2V*J zSg}n$S^!5P1%uMQx8Qpcg5IqT54!9YPT{ZXdS6LnZCd`n`V+oO{Ykl98V&`a{1h)+ zT2{j|sVf`9nF`PvcWsuecLw{9>17+e8dkIArsg(48h9j|tHo$^JSg0A#%D&33kftF z(!782x+eE2{A`2IVF{-aFS+-hm>T1P{zJyNv48qt%BhO9uA~)}2N^9$WZ+3K@iJ(BFo$W@Q86KglT)*ufkWzzEh^x^` zQ{WNKJiF%bAOp_A=J$e;T{#9MzpUg0mv`Ont}6QBH6r_yRGj0;Wxwddb-R11!H3Nr z3xCZyd*PCpikThy?|JrTL|j7htizE|rYiu%fRW+m%zz3op#g|tzg2}OSXubhaGx60 zihxy&#CRc8n9wUOn74e2&-hG3??4&7DVE3GX0#R7vPM)tJ&RgmP;O71_A)DGA5dD9rg<L8niju4SU7CQa}*Y zgiHGzg_kQG@S1Ro@^c_Y9XIVmJj@NGtjt)yZnT}#efl-wM|~XUl-0TW9|*UFv*&{? zhkBK_cF&GBZ4DE4icC&PzU7~BSB4N5MzSur`@7iu;Mc7Jpxv)GXI!{kXujJ7oU;gSQtl8ShhU+NM?JfWvdox^4*s4`h}@8 zdDbtTl2}R85Jb>?apaHJaB}+>r`M}!WpF-Qzp*u=6&L4oiIA#!NQ>znq~76aQr0n|49 zIf}2)N9`l;$pO&ro7sZVDJEMY>Z~pg~+#buq z3mCiw&E{kvd?e4zAq^lfZ(j|1kCpE(1dKBuZGnMT_4!$$54ZZQtKb#h>YIzR?z?et zRMr4huyrh=6YX=DecjBcNsoIuimF>eM+(oxrxe_VM4q043FETeemcjC(oE5SbA8hO=nSD-boQHR0D3SIXOkfI1squAN0N< zHU-a(){9csL(Qy58DFnzDe7-uzP*-zoQu_nwJ4gw+*ds#HoOC=@757SVMETpW}8|5 z`uW2;%J*LAaP3g_)DZ&&1z5cV{#km7Fzxp$2=>WA97VUNS^6Hw^33OkG3T?zh=a$I zVg|c^ZL6zNm$CzO>1x`-hx=VdTo~!fz2HT)FZ{h#>9G+4XkCdsGp_BuXu8R0ed#oc zk>M={1wH?Ao64kEudGZG?|p{Ky=DtsQZ!`xjtskov2b4BEb!=!=`^n82(yy-TCrj~ zu_wQRWHT`ZUm08JQJ^)UH@MQevf552E*+No;+2f*GFWqlulho}sxE=^YWvS=gf$P&|XX4K7gqPm9+AmtHtSy^)UCSJ-X%bduKG1 zR<^oH^?g?w`Y$ilRkQ1VER?CbZGb^5TzVIJ`gYE9v3dIIyQ)wiIFfBd7!-c1P}LW; z>E=m(^X^HNP03$6k$+oi-;tC4t9eyI=qIlgGk!atAj1U`X2HZTpPgt#0YCC5YvXMY zS>rwmnFdqy_C)oTkS&nV#4~AN*8kNLQ;8#bc5&2lQEXCZeT6)*7U<>Xz5;_@{cJ|6 z;q+7r-aDRa4p>Sd?ooDAcT1teYTB5xb|NP7$QV_(qJr1OgtZ^iU-wWKE9K{)lotpPvjA`GdNA{#GTh?K3 zuXLB^=1cZ2D_V)S=NFgwCp7Qs5}#GL2Jl-P+Q$c|87}(W3{xs8TXr zpl>>q-#j7jvqe9p12@=skt-MH&nq0yGQck370*~a*ceJe6wkJ@IKsdu%>2kWY-Gis z?Y8F}ooU^kMq}rSR92TlSPuNTjDi}MY3)e)p%k^8M{WLCFZv}%@&tX#mYG7Cb@P}M znVGKP76i_nxD_@=sy(dhQ;bAkuRy33!ZUo^k1ler(M~$_xo}7HL1-xK1&j-bh zG9svt@= z0=DNbnN${2{0M7JYK(p^5$klxQi)*5tv{Q(HTWb_+hU>$UN6%8T=_iVd7R&s#b){E zL5T-$pCq;)qLB$R&l$f7ZpS<=3&14W9jh~ut9{&iQCwyLHuP+nub>0Lu`{-iE@_#5=y z2Ac!CirN8nk?{$M?K~R;W6;Sm`!VlJW!s)cW#fC=c_D1oo6+Z7Rg!FLLP_i7H$VZU zliv|PfA!0L&+O-q_q+}U%V~Q?^DeOiHV3ilHF60%n(Zrp8&UjwlX#E%Qy1$(fJ^^M z2r?Kd;wtD(bd!LF3NEsGFaQSUETVe+XpJ=Ljj6h@lsciUirKc|T0)MkZ>*2`L1p~R zY?6iP-fXt47|iqRWc<7>$8kvd?K_-U8r7tok2g@3DJ~OAGPk!#_fKP9fmpU_HLEd` zuYmLV)wNHv+^ETO8es4=er8&JZ_{vb(x1zmO~J=Cd<_Z@O^5plut^Z^QG1=9Wn9wJ zst5dY=JCRP$(O4o}mW zE#8Ye!!95EAAIE{t%8cWBi#wrJiLpmXRJCGGC{uamM3jK;^338``;w*s|s%~GK12N zZCuWkYUzes#gPQ9ND8TyPoO$fWN11?(_(i{k+I98_G0PAqOnDrr$#(28<8UhU&NE) zj(Ic!jP#a%4k%sdJ!^S=Hz*(U#i%O;+YOMwZK}SV%k=Bdfk$7WmKbf zPYRuxYE(~8B!2n}hY?(Zj$3yWZ7}6~+AHc|_u*F?5G57HBL+R-UT#@l?xnPOn)1gepwC!}tAHZ!1jQ&oLZ$N(6YT3j{(^88^{r~|4 zLge3oj;Z*?)G@0r=3Xd4ZWItwNr>i1`y?7ThDfc+V6J@cW`xJFS|3|bEWi+@F9%bn z1;rl*-*&Zl!jMY$k;rFwS#dff)+ZdRhlF#DSJC}o;F~lTUbV#O>x_ttmCt0Oo+vr% zQ@^R_WuijYT^c@lcQf#ZIk%@4v2amlS0%ziAeZiQ7N;h%OgH^Pa9z5dZ#X!k+SxR~y zZbU;~XYdY6=-ZSBqUMKy@yABD{%}ekcF+6du!s0rOF`6n;vXO+zDQpH45A%Eu(Y^BaZ^#KTRx?xq;4o^uhF!k8TLC6CbS8zZZu|YO!4w zmuk@C6`Pk5k!}4)?f(g=5F-XOrT?FT6g3CDM25Pg1yqChQD zO%3K$oeKv0kT%CNpipj(Kbe*647?v~A5aweX8d#{!H`R?+U8$Z!?k_T?U8ll*-fER z?}H3(_jWHBstGLxxMMkptSdK@YSd^mq#6-)oQEs=<~X&`ajeB2o=J!&RfDEa^KtFp zOvJsxk{HwO9r|w@_EHFcMyxKS6`_+2grMo8H1<_#R($G4#*XFSR{h=|>;zQI$FbPP z;{&>k@6EUz(#Z;;A{gxz#!{;wyZ*w{aL6_$pT^a>Kn3coxD{+vJ{7Nvj)x1~I`2)} z8sjb)UkL^6*^z5x6<1`5Uku}zy-N@LtQg&oMPVj;PJvs-$1QlXsevPOw@QMvpq9`~HX z{SIkw7~^(Q@K~^*Yq$5f0&d5k_%J^c0f?Cp^CXtQ(RBIID`%uALp9mkWM;&0BL{5z zUQ}UycF&Gw6{JnSfy|BVPyYC!c3ve7pf5_%5amF1Kj3q{n(UG@p7(j*aB5pw)cSf& zS;IvTr5&02M&9eA=0oAvFjyC9C%x{PviBgP^%=;iEjH_#X(-P2z!aTqWWpoa%C0?B zqW|6@xbQuj>avY_sR8`~(gNUpLZ^G}5h>UQx6FlHA1H$?m!At0^YI`GO0%pE zaI$uGqDdtKw$sf%bys&4t+pGwN?!LMC_lDN*taa+;;rQ{YWkPT^(uARQ`*L!dZzp@ z$GhNA2A{j$&PkNVPje>{J2Mo9SW^?&brBbBy61J!8*rt^_$F5$B_w?0cw)vWEqH^n z?Wy4P6y&QOMoJK!9;!9}DU^SOplpTd37R|?-Oe-f>PFUnj`b&Xs7<{|)K+(2AoXzL z-LMuLgr%;iSGiIp%|u>fQsKm>6FqJpA}f17+vL6C2L0pK7kW4?kM`b4LEqVQVH0xd zRhA7xfAxPAS`P2GO}4GhM~BfZyd4n~bXZB`uAWX6a>&4=65_GLOS`8iG8!5VB=0NC z?vsDDjsANIZ*l+f`Y$ub#UAh}nka6IF-RCv%G?trVPED15miDxV_Lz64%#UC0I8oM z!;(rn)v5=2T=yH`gFa#323neM(IzP)tNutwFXr1yH)7}l;;c)XCPbV!9>l%^6 zojY3XG!>{_wAW&ZP>(A{sbobU=oK8^h&pd-*WO@r?3*f_RdM~Ohx)FD(wZ?wYmeua z$Ody$J=u2V-N3!(g{b3QQ0bV0_FxUKS?5?CF8O;Z5dIeJ4D*Eofy@galtb8nKMZD{ zapTAMZZRSafe6VJM9s>*-ruuXxh*U1`Y4O!DLw_?{TSGa?uO?91l0{#Okgv2Pw-f) z6ch?N{KXkESLu73XD06<()?$Vk+?Y3D=+!gnqTLXUc z4>l*q_PyaABH*dN&$(-T0Sw1B#Z?m(a_zUM8(&L`ti6^w4rrm(K{ml=zMp|f%_f4Ezx!ci`}!{@dAS5HCptt3AL{`#XA z1z>Fu`pIhgD=^_hio2!lqck0pgtVlnkDr8gVM9m(ST0uI>;CEDy=YR}PWunqX+CUl_*&&b9SZV=M;z&=o-%TZbPN|jt7lKf5ZFrJ3yoh`uCypm zb(c}>=)p+xNSc^c`^bhfHZx!Lw{2c`rC{9iufO^DTEs_0jEswnpt2p8SBRGPYU?xM zz33E@{p7XG|8GpWyzlxjUNhpecI+FV2}KO8M7B5abYUV?j`s(0UL+bmX`k8;ySgwI z1DeG&C>drSkHtjHiMd`B3g8PDs2!63QXBkrcf3@)J{r6nUwJl*R;@q5k!lZd@1R!2 zy@mAv=UV=&o_mQ!-q(o+Kp!jZ2Tqp~{d$_OPi3{;oX8Gc^@uY2GZ16I5Q6PUn+3s9 z1M+g?(+XbO^fuI|mucRv&cQ3#!}ue_0aDFlr$G5ho*PbAtXEY5qLQ+2hVXznbP*-5 zsjOIaLP|w+zvL*p?;QVKU z_8$EJ!J*Mi9S@H{)VkaQd~?=w9vu4MNp-et=w}e<($@_a`;1Lx|MoIl7qyEuO9@LQ zjHqiNeEu2;OejQi=YWJ1ti%PeD(}$pE`?$8r5qT zd+MD@$ogk>#M54%CTY1|HK zmHb2^6j|c3$6}M(uETawZ<3=Mdsf2VWhtcZtQcs%*}-uq;Y&m>6`3mH_L!l>oTO0u zFioTZnY_3G<92T_f!DpxP~15oW>QbX71`kXf&$LHQfaux`=DL|@WGJSOZcF~K%f-* zZkV`R$p+ye#=6Av50@pkCI7r;)4N^oq33d8F(jAJnph?MM~?_ows_=URVhj;o{f>Z zUsK|&yYhzwu=@+Q@f7A8RG7&O$pCm!-ClH*7Qwauck+&%LyVOL_=4S&XCp|2HO3`WXO z4F(tosL0%?CKM3uCbP8;4tR?!J;9_3&X>yPX-MNfr*o4F1f|@O4#bw$WIWF$XO(!o zI~^wnKmRQCJ!9XEbjcR`+(<%SGw*wG=J$|@jXuU39Dvi-RUlgsMK(7(SBIg*5}k8^ zYb_m5s)aP-s|l~hg*OJ!$`0(gkt|O=322ci(~wMqdRxscY(%Z6{dqj#X(8P=9uA6q zo^Yt&JTp5I#wieMP&5m1N5q{_fK)WYThsZ3OD>-4DQ**C9`}I6N<|pv4s0E74?RJD z=jEXIf${?JB*^qsjJsMU_Z{$_>skA|PMh@Ip07|d))6XruRiuZ)u9FCrjOA>0$#YUp1)#eKJ7|24$^!_ z)g|}<5~;G7{K^ZHsE*052EzK|M=1X|Abz1MjVSIp7Rad9TBl6#(&s<>R1{+_#sVU% zRZE=zsr)Cua#{Xg5oG;fN{@xdg1oDMxKuS0XHo8e;@snsqUOND;F_-zNL^b!ZIP__ zhZRsXTUlwRFLDKn3#rg3unbhz^GQF5&RHSja zrND_#B{VdJ4sXVaArQ4GA0=yey{b$;?mgC_0-T+#xMKR*Yn;B-S20_XdG- zEQC*|s3XkGk5At-stwcQK~Q_|hO(>HV(O<%A~IEuIYiPf=OAFO=eQ9JlBULdK_{M( z9!`A)-7lrKoHwDPYskN&J=y5tWN@HdK3EikNf!mNLRXX;C&hxA@-*)nOsvq-BQ;Eo!*QIicUOk#qM;(m27-zH@9 zNKtfeS=?oB@x2O;D4V#p2Xx!mRVg2#aF$Sd|17m=sw-V)Jk*6~qN^$>x9dpjiMhjnqJ5|@zA zbY`D1EpJB^O>vRcE(IsqQqKx4Ef3VP=A#*11D-CbOK9BwtMhb9+wgc?>X@(D%A+t} zR_%harzA35CC<_mea!Zi?wo`THizYm8?qK=OBEV2g5;)pdJ=zR=H*B#KM@l#t;P}93um%jzR~~y$@8za}L`mqGB%GQWs9Xh>Uis@E->W6M zcDxNR{$G8LbC?&zR=)YxwQ<+`-^A;6t&L3~P~AFt5o$(A<9(=6*O_2kCI~ntm~@>T zY^l=>FHrA}?@1gE$=CufUVgfD=sN&Ax~4O@`Bz=|mvHOS(HJiYth4cw)7Gcsgl}iB zqi#IF4@mb~snz76mq0wwbNym=bU)I$NX0S4eFpM}FHqInb)ho7t|plo;NFGV5i>u6 z2@8z}R5=!z*9DqM)6YttXQ=VE8T3eb?Y!&@T=B=W>DAHsyt^w(^+dDxolN<`i(sKt z%SgsmzK`|YuU%GO17}?__USW;tWuzKwP?^-I~nI^j-*0U-x{ErexX`=XQssJdS6NNF^<9A`K&2ct$4lD6#HW)TqTQ2ob4=ZS8zxw%@7Qo4(_m`S2eM^(sl{Uev!FZGj}>yJ0Wy$QC|f3GfRI^@twB40W=$nZ*2#-R~JSKtP8EzzIZVa?$IH2q(Mo1E3PT% zpGsoB8<(i1+uGu}j6B}-k7 zB3=_Pj}$=XCvxxkBe7z~5h8AmJykjWAy%VfbCvJ8RQ$rq^_@_pdNPQzpUG7Ao9L z&Q$Baf;qQ+fBg{De-W=kak@rtO%C;{Ee{lH_%V*Q?Y(q?s!5z3+Pv|oUbd)d){OM% z7CfqV22f*M^2z_Bi~Wz+?(k9`n{y<(a^QretN`B0Y_kpW|GuUF`PF+89PM40AlKMA ztHEBhtX1YJdzw$i? zzvIm*Yo_|dXFR=J$rf=-(rfcNiKnaIa_4Z4M|>KvULF&Kd#v&@nUt&PP_tfRs`~6Q zgXwVMFqAu|3E0qn0OkFF^tAA6P-hKxs?Iqu7-=zXA5;Hdn(?0#mrwbZBuXv%?;h0e zHnG9kttxTU_7eGjw>?QSLLAw~`7gd+wSZ;&jwP^_RCC~WXX(<+R5qVf*27rT8d*CFl*Ag@Vg5*2OX>pk!bXhsBNd|nC@F(+ z)doz<`CjT*ZL?LgcN|GV?-&W= z7zK^cSuBywTe%*7A~V|X1eJ0`w=rrgw|Z+-c|>d@L`qxY-f%SOmmJT^mB(u1q?_tO zL&#Av1L`(>m+R8{4t1b?{R7|-ySGX}iXZ@#?cPx3-Y)BcRL9uO)lUQIQmKiY9)P`K zS#bYmJ^u9os=ft}U(ywA^-Y{dFE8)HA`SFV>c5OP|1mG@pPVKuz zR7ygNjAM_`rKLS7kScVqszdv!6qO1Swr3l(DWgAV?VS1-2x$x>GYT{K$T`EG#O91k zXXOt3=wpe9g|Br#W$=AFf+{`aCvCNOROlX|L!0c_tKiY&zv$mx(tHZj^*-tCk?D$P z%XvEO&lc)co=e(U*=)11X_omyp;6!+%uW9lI~R!0tp*!b&aOxo#EiKtu!K=$OW7PM%t?v@4-Fs=1?G4FUcf`t3#{!uErtQH5@L227 zoQMHXCyuVmdO!K^L-*fb@n1fPhJMIcd#Uhuj7%d28}eLtyqMf&_C6urWW+;jItYBd zoYQ5qJZ*;R%27$w}vy!23A1VhElpO5We=l z#9{u^Yf;X~96XoIM&ONi1p`E@SDgCQm0D`T9cv$nBcG3U10Vcrpd+$M@B#?E&pUGs zFPD{F!1=?P)fD+p=TF?_Y$%>mWAGob&5@EGmkT&2ljE@D2gAm`)f`*Ljy5vu_#&r?ce=!u&sAJ9G;nwbB&%rtpqJSv>6E`JM@C6$L+i(M@$_tP z1Uhjzg(2f@>LQNT9HPyNJB>q2g{O7sa#GHu$HTV@uJcRnTcRFm)8)97Ihjl%Llm%C zRRt5tP8eoQUWRigS_RtOjM^F^%01~VB^%FZ-Vd~Mb<$BdKm>hyIbQ(B*YME`AdxuD zXKh*|)pqb1Q$HA17&$4D$?%AMy#r=5l$iCjJa(3`U!c`w+y9=|6+j9N7jI<{EHb@jWcV zoxdbD06Rfh2Z?@vTe60Q^;RT!+bK*2|0Y5D?28*kwThJnIGh3MV&DccoUj=~N#VjOZwCj99IO2l?oVxMsIzs`N?llYa<%aBPIWrk3H)V_?^301dT`=-2uNt64&ulvJulg9 zbc(8EvY3Y>!<;*q=h6h+_wB45#(#XS#k&Q8!OSz<5`gUkHPY(CZD53tEQWGM(7va5{GvBKX% zc&^E}{?8X1H?bZezTX@&9QmKW`mfJuhSog13!9LS7>)eCx5U$l6HepM+X|C;3Z4?V!P*gxZQr zLT!-_OBx{54#*K;9P*ienW=r;iq-YLMZDTU3gL2k;&Pr9Z2=SLz_t8jLo#j~T! zvX>?Ka3v~jpNC;Ada;yZ<4vbE`oqJQMhEA=D(8hCfKGbr#m8cK5@RovJrFAf1Fb}r zLvZWSLE44bqh#hbJIcf?x-KP_lrb)HI5A3yyp&=S7z2gC`&QskJl!SRm_+aNzt;3W z3&;bfd(JQ~=Eyi3^xupApKo}MrHmuXFdvmiLCP(jO4Lk<_;l(g!Sv2NXc2os5&r2e zcZksGf&27O*!n#p1MPcK+&yoer%n!@<&}zI$`gE3WjuwnkYV}oJY|Poc4Hu9FkttZ zCiOh6?e!>I;+B{o+H|6FY&b2TvHYYlJTQ{?aR%pjoGJ6Lez*dXOBw%~W`vxM7a4}P zaN1Uq+zwmRXRc6!6S$7c3>paM(?d2yK12!~v&x@cl4I9CCg>_vlKx4K_3-w3c1ez< zQT^r%lD^xsx5H6|#%ET+mgrZ{)INO!EX`3J{6#ELwTfj~(OUrx{1Z``5TeJ0U+Wew z=|=yY!N`q%xBmB^zlCg&y(3|m-`L=1G_sGQs}5Pm^1a_OWEO0V<#r2F8Ujf0c?F0TzZVJTNnf6EotpqfjjF%z$ z`wB3BV+V3pPf7QMGGetT#WLTMo(K3GO|kE%!yrCcC!mCFb$fa@kX0)uD1UVRR?{1A zzWLJm^v|^Z20CW05B|PK{I%>9(yhQ{vglOyPtUUm-n#?M`*0KE0hNHM65JOdk!)ZjdvI&Y&OQRJwvuyqc!bp`j=!^ zJ>vE2${>j%%ck@8bC2*^fL5(BnM8^84dv&a775#=Lc^^^LRx`RcY@0b&K* zDW0P}ZUyS|jx^3Hoz_()Oi0^CRA>65{xI==oy!c;z1HglOfB+gSMYExwrz-|v3| z^*65)qv~(I)aCvC=i!pYIF-N>j}THr_=_R}Tg7{OtT#G}d(Ym7zh3#o1??~Y{G@c_015z{;Q+vi9T}SWZvf}uo6MY_=}CY;oH!AVkVfe96QSf0 z<)ch2^LSuBOXYny%s*Mb*M{5vc@Ub66adk6_JA{`+wTDU-$5b7EXDX9DFp!61-&>Eu`KL*<7OFU61Kb)9_qdSto+uq7=I~-o;W1Peb1ICy=HIIO%ti znAn!$M-6|}sM{m%x}CEBNedtSCyVk~X0CvzY?UK4(Ru&F^0Q_27(O<>!nG=s)feqn z+5=hy;?1jTHv;x=DVk=7jq**3)UdJ$a7oGr^JK_4Ginp0?Dr5*W(nJocz>GoiKC?* zpZuu7e^7S{D_$u)-ER***_Hyz9V)RTuwzy^Z1Y*(gzPFvoM^a%xq=ov?PM&sjXs!4 zvwR_ptNwmCmGFbGZ{qBMg)RWy7J&`lJRH70?GM>7D*(YQ&ew$RhU;VmWAl5SCp`?c*eN zY-n91)rPi~*!|TQX#E`njx8-MbPwl+km^~lJm*>g+)%_ckL645b{JmM&vvSLojM=w zdtcN&-fI=w^&}Sxh6u#1YsOw-eaoL4xgBnBE!;rS?&UyG$V=Hh#+%emt)`LpbKhn` z6CL{$1Qk$kOPHpiRQT}6H^E}G*-WLS$yAw%$%!+K19clPJ(1&!?MZ$p zr154j8h>2%UC4T3yKKs|adxKnUZNrO`LDJ-bD^K?!9nk?pWIcu@HTO-U8yJ>sb8=v z44`(KVm>`5a0?P-ZXr*IWI?8^5uJBOW8FK{3HwGmeJp%Sn&TzGpesIv>j90;YQc?A%G7VPKNtF77v0wg714IIN zbiMf&J?f)x6JC>vTFXzrSE0>S8od7{2#4(Wfu=F{-zbUUTMB~01-F|ViTcD^w2g(! zHV?&`03}g1zu72mDnyIJnhV`)@NY`ukGrMkpDhOJ*P4#(cd2^R5&B-J4jIr4kOtu6 zFb9w}MSxQM)Q*HpoV(Y8$u(};)$2C{mf;f6D1r|nE>^Xm7H{`GKS*m^hcQOtq+t*& zp)PM?!66#}bSeSmW?eZBha1CJQxIT-AQ~Xw_1zn`UmmE*HvhF#r;j-#N#h`bQ%dm8 zdUhGNzpVMjR@5}nnkDh;G_37=sk#89RI-QoH$^g4uWf^gCjsClnUK zmOl$ajewLdoDj@SDV&`s%ripQvdotOPFQZrezcyZan~tD0)(P{U}kEOA5aYPKH&x! zv%&9OFGe2rc2a$z)!w)w^ZueAb3yMy}Q|DsMB`W&1h+xR-R#=GS;6~H8~Sm_q+9d zw<8DYqMeR~@rZx83Ov4b6~iCKQGo-`p(f>4OD8(QiJ_Qf#NxVhZ4k%%nQUGxO*14z z1BH~f%PKZqt1$QnQWdX=rdeXh$P zD9J6fMzl?|`c+}Sk7d$Yjl;>SR+~2E&_QqN{r8T?sqDdA zra>m`XfCJ!Y#K<+Wv_62PcHWXGYHKjpaZKT-&{MU(#mZjP9;A!5X0O3$@4}4USi1c zQRJ|8DA(=Vo0Qj`vW--DgTGzXeoC+{3BI1ib~E{>1Np(V=}gO9g=8El5P_U%dPg_J z9x^yX39vwJ@^S&$JCP%Zsago^3d4L3yu@7iA4({>3{gt~R~Mn=IRzX@?m2yqp{#4l5pLqI;D z4)dg96&;d(Q(&LRQRBK@tQDkP4!X+1jb6Tv349FtBMFL&Mt`)nW;Q zjY!K6b2U6N3!v%g7O=OPP<}PLBn2`{1Hl`#vaY7t?Fz#Cv#V6SiNDr7fP-Avr9B?I zA%F_glQ>(KC!Z?gWCL>~RKe?rise5KhwYomJblO#WYp(6PN?)cWaHuUiK1ui3vb|) zvXi%3FrX8xjA#T%ec?wR+AQBYnSU>?!S}}|n5Y=&4sll(M{B!-4d$A;fZ7v(o*K|z z3#gjVW0$pfolM3mbPIG3n1G@RA0P@|GRzlOjwn-ivgJHmZUc#9n+c+AO$1^iH!Bzk zsHrB5-HHWHly8INzI4-+|9>0K5Y4q{!Oy;x5n+>}C_h<7hGfi>q9sBla8An7_$A6x zF^a5(zR*?!&6=TTc%6`nLy~Mc$37Lf*%NLPIgcqMu4{YS^uCKUs^mVF)hQ=fL(pNC z;GmJxtM;RjWvlyZ-n{n1f>4?lGP;R*_J&_LrTB{E$7=VjuCG?L%9c{H)7refM>m8k zyS5_xem&9ZVZq-x9HtCU1j96>X-@YNd2~|@N~u5%s?uh_5A%Pj;O&eEoy|SL0n+po(#U{H4_Tki2@|H2L?bWBxk8s@oWC5nKa?)waDk|-QaPj0rT%+hGPu{>bnAS z&ZDMtIMFg?}Re89dj%8w!1{l*@VetN;UVy57kEqYXb7`zujG& zX)mi!+Mgvh|FpUMBy&lZ(Wo z6yS(R(I{>Dheb}Z`&SVu=X%zXlD)AD>{Bm^D*{Q!DtXWt2H@uY_X6$pcxc!wp? z_+%2zUVN&sM|@a0{V+47a?Fi&y7U|qS;`!fImJ!#yDa+68q?&Pq(gL>SGlB%WSvg2 zjO_Y;MWtvsY{~e9C$Y1e4gwOuR%uZI$3(V~6nyT`Dn%R9(?&vVMXA{1>jcy+h z+T6WFlVxl_(YL)D^ar_Sk*L!?aP$ORdP?r|z8d;u4=mB7-%H+egaeS**)DEoJE-L2 z>1Zl@ZZ0i;`Q?gJ6XH(YW|sNe)wGiWHHh82Il13H&tNfmbg}ekR7Ig8YSs=xcMvy> zVUTmeS=L(l7nCB?WKO;VnIfxg__VhiQ!q*nNoz8Q{slkj;QpaDF%KeY6SbmPqi_kP4 zn;Jb8wq+GZV7(d@NfkP5l*#s^PQ*2r<`%5l&n9ECbk|zu_S%a@ryq+xb*KDz|2NJ_Y3uN+C5#I@E zD1Wfl~d_T^IExj7uwXsuOx!v$k1-a!P%EBZORA1!( z$TUUrZSFz1Z&6!2w#BxkRXIE8jj_nrndg>pbr8iKDH=`SG$Up5K^$MH(7qPImlDqv zX>L)*4633{8IS$O{dQg9Jspm-F-|5c?d~txs(Hc`<|V56$9c+rscYG!LZOpMVlW^h z9qotMY;^a?g z3)L_>&2KSpyy?sj;fCH8{0MaECIEk1?ls$eajK5#6l{h7gG)+f$)P{-w#8s7wZJ!< z&)~LMxzH@R=LwvEZJ@c>_EO^4bQuOobvpUvvMRR+2wW_h=r9hz&)$SoUFs$D*VTqN ziewwz=0DJ=37-Yu8a_XJg4gAHwue8=4=I&#|9#(Ui1YFa%30Qs_q#{`D!3Af$X@x{ z&j2cHV`mClZX8~FxNNw;HI}g=qZdQS;XY{>4D<=Zk#xMlX;|s_)UIAVDU*H6I)a0D z=fZsAWYA^N$y6ZQ&Pp?^u2vK9Y@AH*mQsx^Qxa?@}b9@xY5wbXqhI6aZOaC z2CHDV9^S~u?F~YC0hXp#9V%Xfs44JtR}vmSWawpl+g++xUl*zoVW5uRai0_|7u6n= zs^S;-&$g6(W@Y8gVvay4MW{C3}-CbBSehjtA;N z+&fkJ!9vNfNqR8>ipzEV-#haL$>qF=WXf>tpXNnQa&$B>7fELdYHpC~8L%i6Le)i; zf{`!!;IwLRza!n>EzA9s&|PV@ZogG2M#5uHXHJlG_-0f(_dW|*I@o!UXYJio54y-JioYYZNpRh%kg(TyO1 zugr1}h+h>!j;%Rc_Zw&LzyHuH_3>?D8uA7-b1Rm(!MW%IaiP1_;$Yw>g}qT+AWdP# zc3l%WSGAT8ARB*KLNQghf8y|LEHR>7z41vX%a~!Xj4sZ~XOs4z?5>ysn%s#Wpb4o* zvJ6Ua5&*NW=W$_UdEs*(=<#j?z42jisEsS|odk&PHa;Acr9+0i5#276nF1Z1Zy$4x z_Sy-8!Nj8?UP4w3$0LOkmkqL8BY4Iu_7f9pG8!TH2W3%z0J=-kgaZ*r+W{f{``l@k`BU`1dNS|M`rPrp~Na(iQT z$_$BTXFAYqvirdc8-6*+UBN@R6n33|1!Cu=PLK=J4N-F4X`y$td59Yq4lCw^p^S1^ zol`zOH1hW=<(+ER_Jk+>ld_=OsrBB+*dH)b2__PnxueZZiWPP87Zjc$iIL{kkRw|3 zPLh8CD(=n2`ZJFcV^i&o?VkKAmolTsrC9$*E|sVAAGy?>+09AGAyy!ln(@7d{9ke@ zgR$^Nv^2r3fU9g7mdr&HSRX0z77&z~K2wnBpY% z0#IW_=D9~L02y|oOB4EJI;&B#?J_eEtZ|6mjbcH0-S+}u;NAI;rp}G$d*=W3CBEg{ zIto-J7f3Z~gTsJ8e!e?@^4Sf%?-iz%8G&K@&HR!977vF>kHzIcI?tnnL+RZzLV3oJ z+|sA@E$fPbKMqon$}HRf#$tK8#PsLyKZWE$f|j~IGFx5(M@9vf|BaU^6l3s!M^+0C z*GtXML;8s{PCm!b=6LP5h$@~7SbNzV!C+T)qd+_$jzGM979OJ`O@J&E3P`<5I>>*! zi_d@O^I%G~q*PPGE!@h;ajUJOd_YMI7Io0+*g z<<2ut)0(LF^BhjcEAtALPTl-1t9R>1h&Tw!<&Xsn)v~Lq0ftHou?D5RH|q2As!`HPQx zDj=CwJ}5iZ{MZYq;`?^>e3lcg`|fdThG!KEpt<>2KYZeF zX{m-0lp`KmV`+r0DHPxxU?Q6Fr(--V0))+b-NQye&p!dQ6w4(S9()F@5hcZBHy?`W zHtm>IG+e;G$1HSw;NnQfiY=Ra|R^>O$oxcDi z$;VRQcE-S#LZ%@;zo+|P@%I;#r@@s*8KW-5zrZZ*xsgsP}oq!up+}s>aWUJrLlm4TsFrr&XDDe>14ZR)Bmtsh6|8Y|#0MD`9mxtov&` zb@s_U#kP+>99Ddn>1^cSOtNjVAq9D=AK_cYkrCBfkw8D9UQS_mU8p5l@*FLL2e5P{RIk-vWYX8(7qB;9OF)bO z_%2Ba$LohzfJt{gPp?4i^Jx%s9*8u>ngoVa1llgrPobOtSb~zZN^S+JJHxUB8rEs=I)1Q0G$I@UDlVUdj7Mg!P!pf6? zdma`_;hwV>3laYp_q=HGn)82g&zTGqA9bjwQft5#V;Rt5_N|>9oSU!hqSD~ij2-z{ z`s1Qe;m}NU# zO>EF`2$r9^SG4b(?B|vYUDT;2`7BVO0se?x5TW|C@%R^I6!?w64eG+Wia?`Tge+AP z4^rMvs@qp@E1@(o>MZAjc>tqEVP4{+tlx@j1}&HvJSXm^D?eKtu5`TfI|nRZKA&@7 z`OD)<#(;)U?^I9z|J~#NdrB$W7sS5}A-iEMvp87`Rv|H~I!?zE33BC$kIl#$q(_Kr zKkjsd@kHy^PTdr9PFyq5qgG6w^_YHJ%cWTu&>SUh7YtX8+#sokmLz8M59Sq{%|V>` z7*GGl3t<0TllkV)F06}9WC2X0lysXbirmldz3$HcmBvfYL-LJ|H5oEJWipE{Z1IhD$VYQyV+6!PO%@q z%LH<~M>fWB20Fhce9Ysi*=JqfO}@GSOP3|SGwq33X!!C>_7XCF>+No2tFA)P#g>RG zv#L{t5KiX;akM2-rPDlBbjdrd>b-vNP5&;}OcKYh7&dFLjpLJka)vXYy2Myfy7^rg zv+M~Kcq_3$P{FzVwo)f^U&}k6Nb_)hjl*z|_j^0T;N`4}{@KjknAzssgXVWW1s%zN zdQ`l-KxKjTD&m3;$jL{q<8GwO!&6;ag>G+pQ|NJ^0sbUBw&EfQDgF}UY4PV*+#3Th zBifx)X<|SAm%rf3_!tgxywUz6%!}HbhpgiihQG@chQvz~BQteLkD|WHz`(~0JtY{x zB)y;i98-)p_pxse3oVbIZ4huUN`2?m_b7_@5k^UhUal$~F7iBPUze3Cr1B4#PM4eQm{=}O9+)VOc>e#syKA!YhFeH)895TW8_ z2}s3M+5(yuv}s561wAJl8Ct`s4OE>J400g0P5%B>h+}#cokRVf-)DIzL5I0;tb^yz zhYe8JPMm^49P3OU`r+Pz^=Aym);YQACam<^b3(o5x~!gSRGCEm-R=;j`eZn~F{^dG zL7yp13>hKUs*7`(t$D+X^}6{ULLqz9G*r}oklnx+0!p|=_1ZTe3qUt!nLwSB_gVP| zAv=#1H1AI8Kl%8*#CYXbo|c_GB2%xdKlS@RY@|8`0q z)1O!i1V){)2Uee)DWeFr%33IQm-aZ@+ehbCDTG~dZ8;4uT?|<_{C-ri*NtvNT?s(G zHawKotGJCm5ITc)`DUlul*-oLRcdUHf?A~0vfBmA66=1(oiw=NkgMp^cgtU6C|;)E zpR@702Udl;k4p^RdLLt^Zq<(K?z+VC48`7e#xzcoop~pcg$e5^I!qy7M>NrX1^-~0 ztmr~q3aS@-%=oOGtt70S$S>|nvW@I9dcKQUFg)3^Xcrv?heJpb;;R=GGBtnQLSt)l zYJ;n|h-OcAH|7U4rQdIGeW9j6j?|Bn{_^Hcj;0i|&|aE9pBhli&Ygl$J$AZr?Oz@< zR@+=a0}?#WQhLFYM!{8#tQ|?lBwZ`F7W+bCqLK-d!tu?_8R@#aaJtSD)r{i)!(dL` zU7-205XTS@zff+R=7)3$^ZAO^m1^na0ADrn2WNl~@g}$KMX*LP&#!a5dNz7J=1kH# z$-gju?&U;vO^y`AtI1;1rSmvCgC|BbnPZ(fJ8hST|I(e|fH^c3<~fYK^4>&^a!$Qh};P9dxD zNDNnb>4hc9>M}kj>Ed8ZYeiEmxnb?!FY(X^Hb&TMoW%(eafoLT1$;Yf=*Fui{u~Kd zI8L~6qRH&gn|>a+xGwM_4O2<2NnX?3^a`rzxjU{2>-WG<@}9qYcGH!@J?=B=JAR(S zz5JSRuCyv9`9XX-9TP9R^ZQu8^_Z?>+S#)9S92-** z;Lx%JHs&c2NV{@F$m(k^MYj7!6ZECllEkYSH#@Ry_9)n(SNE=F5)3rmN%hN?f4(Hj z%#bU9^LtM&;cxrnWQ;N`#L?{r9I%BW@L|uy@p5(J7w?C91}o08H(HmqK+#$*1QkdU zZRy;UCK9pvy6}a|OI?XMK70W>ihK*o6>r;U^AeZ1h0hyIEzjX9u@NuOl$-&`^GmE0 z5V+?)+3)HT6*l*L#+nxurf9TAYVsUO)NNuCO5 z{||Zh3X|Xke(65(v8Bht1S7QfRH09+u9#Tx2t0@Z+L-kynxXnt;fpQxbkN~-B5)X0 z84Tb;9s8{N#|8G46M7V&?A_NnzCS-DaCziTh$3)FmIO~Ac%b>fSl?`RqL|u}JrzcY zi}(R?ja_{ef#o~O6W(vUdrRJK#+<3IbNyz956Li6_7?t9rHjW@M$=^IB}Me4rh}L9 zf(SD19`nFI>@{zC^5hL}V{FGwDlcjOrm=jJY{c7|uV@ipT8B03RI zZwrAo1Kp&j4@674N1V5aC?N0G<`_cBJINVw1HzPIm=2HJ{@thWbu>@LDxV~qU^nq z(`up3`rf@Pb{130#UqR>8-!ST^o;IzS_-fAqniYHE4oXJi#_^(;Tr!nnbUzHlYAzJ z`7fnd?M2{x8)}GW^$D;X14C*7yg8UNBv$E5^scxZ?n*AU~YEI-3dIL#4&e`7^&+76kMrU6ren_lb=g zg*R_krOogHd1FR8iUoukr(!>Q6sCoJ1&SorbdXG0(k|H+3?PrntGaMcD(d!RDUtmZ z&pKMD-aF zU*vnSVfPwT3D(@dM(X3O}JEUE%tO-(p6+u2oZL zSR6{IcJ0J)^Jn`1L(9Nkh4wv&TI*~&#MZuOuO4y-O<5n z=yc-U4^F;->|YOt_C?BqDYPX{P|$yMw5H)}(8-1ickLk_BhF1^wmY?Jj{T>$j%Wl^ z8Att-n7z~nfzxI^I0;EJX`5E9@j~|(dh^5ldMX{qeh3?yjJAo_$x{dfjnB4!zEvBZ zs-AekUJtY!@f#E=9Y|+JvS&OL3D}>6hEhUX?pO2~(+;2()$XQ5IachDEy2n4)LYp< zTm`<9eJ?(d?*3d6L_`A@E%jg)m}fhPMXE9d~J}LRRXPK%F)W}>wjVMU7!b3=<3(19u~^Nvdo#R z?u6y0{&ux>=Z^F1{>ZX0aR3W$wDPd?$^osnxkTvpwW~c~t8QiFuiJW0X4AKx<@C{SMQMfxNB`D~da8K>05Y{j5?I={o+)>^cm}$?r z$Nik9Yvby($tvi0!3bEa(>o=li57?6X(MPUBJY_iuV)WOupZlx=po!6q`K$FUV@kzp2uecs zS_Ln|KXzxA##&c%StZT+zYWoCW$m&(Q32WbP76|3^ zFdeu3w7)lYgsc%-1vpC@^>Z`N@8kyP;gz+JRY223jrU)4UudED`n>>RmMZEH>JvPO zdWBzLxp#8=+(dRdB~x9}^H`bCxKYiWUW4SN1U@MNIk!`A&_Fv^y#<9u<%v)C5=N0Up=I!kp<1+by3E$V(9fh0^b2@+Ma=Dq&^!Hx3x6p2)oc^AoEEvhE%~6<&h-wjw2%b1g1opYMK~ z(wT{1Jxp|}B4wHO<0^1VYRh0|_By~*=bKteDn zC1rOU^qYvaq!16hPpJl{KulPnQkuEwM;>V3L_{x&??BVpzV7@ zUkQF=X=wt7tzC1+6^1$@^DjCf!^+%5PXILE@q45vGsJQ8urQ}*H4**6aqgmi7u#m{ z;Mzv>Y<+N;D-yB*ATU|?Ip-oSxCm_2MPi2ex%59GA4>cpE#&vNL%Jqbw-wI0xlGpj zE?-cr*%AD*^+NPb9|C{ZXFjJvac`+-MGP*5z{f>nynxq>G3;~H#j66-yFWZ@nLR*i zGz_T3N7-xley_fhg7ef9AFFYx$ayRceoX=^BV(P!$FP$WKETC`0%zMAPuSM;|Ph*p#Q<0_nPT{T0rD zyEn#6JOpR?!fGQ9y;L!Pa<4gKOZV()Q%iv>FCk&QpWWm~&uu&8!ZS?c*!Z{SJF62r z=wxjNJ4!Xqlcv13+VvQAR^FHY&~cz;gNTp$dM>R4=MS9>ksVx%%@4-48THpmN`gNk zysC4(DXim}8ec;6-xk)#P7sg6R-mB(kcEg7qq#@I#2YVtcsXN`;I^Z6*^ke;a;-x= zHflrZzWUENFf~}^D%P8OH0HBR8%8eZ>dQ-qZA?vcqo$wJL$|mOSzP-bMK@=}vPOk> zER%J!1@&`wNrg6i23Ha6{7G!q^v9zr+{mQ{3zjD@*~j!uh5DCz&4(yQlG>;O9V7!1 zp7zwn%Y4q+Z+*_0vJgkb!y*;W!YT2K$_`N@&NW+rO~>J{7HFhiP!&T+FB@!DC`~u& zZyMffW7wY$j3Q&cPjIH)NTBi_l|KbuS6tK`$x_#uJiNRs5_HAB$T2Ny@HdpA;n&V` z{493*ye_^SoM2+cWB>8n=O?w7eW$tv>nmhNUi!hcS6^i@2odD-p~oRa?m>z+?l!+I z7Sl9o0umJmH>&P1NgRP9H6lD)S-V-Z@yd{^L#t-rxx&Q{fI9UbZF=g@u-kLr?$JPc zuqg%j4T8+Idf4VPF&QtRZ%X^Iz4UBK-&WVdvcRfcNS;$7_UYokgWTYWxga1C>PakGA%4b6;>$i zRbs#5lpXBqzVs)0za3cN&a2RPYiInsw3DKH$AR3oiSmpCd-CCS-Ix@6QC2H%A6^>0 zEc<|mvMvi*d*|Es=aJ{DJXX0a%nKywM9@WOp7Nv)cqv9k5IF8XR|}z2WagC?Bdf!@ z8f^$7LZSQKXGQrSvPK1J7KHo;4uvesJ8eHwO{e2B7Od2obNt8z&AQ%P{r%fYNJB*p z1Wt515eh1lru~wdqFJ1YDu<5+-f|!hOl%oHZ(c0O@6d?t}UwXK|=%)?GycmP9bGL9aNXH9%hanu#tTe+zJX*hE?Zn@TV0Uma? zxBL;-X=Pr}-RS!#VaVePz`to@9>AYSYKs45fgc{C8LUPR&(>p+&%A*C4vbKWqH3<5 zPwkcg2Af6%a6$i}0C_$m1eV&hkSjnoAD#pM1{9lT&ayI6*um0@|B^bEhRT_3Vl+Ep zjK5Z@CZn&-QlS;qb|-t4oLa0y&Kpw$^1Sy4;h9v%W-BYS*F;G0#Z#}``|k+agU0F! zra=8>6f=aVcu2&C(l84Io1nb;&q5XDH&(}#oNfu{UUX@l0J?|Nt*%iJWw4yEt%6kM z0Q!>glRVhZQ}KB8(eA(mNKo;g!&IHVv;K_=dIPV&vJ9NAGq_$;3RfsLApRseMUYbR zdK8WYHfQ0)WJMWI@CF-jb+&{VFSk@VPuABRZWgy zMF&+ar`<$@nU@kxEyKb^iPS$S0@PIQOH(Hd67~!(tk4w?L}$nD?SPcC7Zk>N&FG`{ zSFy;kVYeQ=lUUVdEfjE%|GLT}OEOyqzFa<{egx(WY6^c0xq{oa@^Pb!)cE8pE1dTsYESK7am!@~V+fiiSxp9j@v3KSw*Q!5` zis+f*K340`jNG?kRcxpb9B&-+rpc)EIx1_wP9d4Bj?j8q{&^F?8pJ_io(DK9h@pD! zf&jH~4x8ZeQ=u40nwLhI=540Nl6&dJME+3vD?O&Hc*V^bnR&?w2fEv0yEm&M~?|$deo1 z6+xtA)~70+->XVV-x5y-p|~Xl1?z!qF(sA*GxOdW@DuU0raLA5dID#lMMM=6ZsC6P zv>JMY94n6PG4q|e`)~{R2!u!UWGV)bc(z{>7oc@(ToB4;u%v{E=YG#$Q*R49#D9ej4@!$pKV*Usj$W8igp5MV{a*X+P3-CCdI zFzi_8|2ecG^{dGb!`0nnyARq^7n{WZ|HpS+q5>G<+s)0zTFa?8fHadMFCGjGJTy?D_M`bSo9_FGSd>kk5>&bv0O(+!Bn~DR0=0Z<{VuoVDsJXeMnn2A z^z^H(ei%W;%nW2=H-H8sg-gvFn6KrCm-CpYN)jR-G&?6?yf(M~A^vk>3b2yyR#XB} z;5+e$Jfx4B_{oS7%IKx=x$L%+xw7r`$;hj}VzOETD&F&G*8roec_U8$u+*mFDnj@K zm@4&yJIssWtj+{F(wDIVF@=?+CWpk3fjsK8LEA>@!1yc0v6956sry`{S2j+ey*tmL z`^VgQfa9VXd8jkM_`Q^kc*fG^s6Nt+QlFT`HjER+{pWQj?9h8=>Z+VIOtcq2z2tEE zdVE3zy`#f#*ddo@YNR*LpJd)0{w6Wb{|Cr2+t__DR;|p28-GSC%%t{tck{z`4X#ed z6{U&Wo~_@53hEQhF4N*~a+%OWd>w9yyhZNVh85@$|KLuwkf#@ zWzf@>zGi;l3MTE_^}uy0qtL9wU7uUCXZs|B{LfZ;p;y~@ovC=x3M$cTlYB*k?J%ko zXWTEV6-D7j)sHteQLDZ;753~u4hZwi|12_oW>&OH)j|Gp)2>5@{eyc(f=jzz(pYEp z4rx1~Gq4)mW1tVuYZ$XoL=(Tfj@x8ENX^@RZl;(rv-f`csY@BT0qx9Ks zxdM=Sa_JOw`Ww~#Y-t~j`PXqul~*-^A%J%uEphN%u304BSv%L=h`)wZ`r(dNe_o!m zbasj|@_42mtrkUmQ{`uM;>300iKqLmAiI>ofKK@$WT*9mY>-@&9kLe3Rbkqe;Uz}+ z8J7X~(3l>O2%B36gno7ZMw>D_MDcFD^3I(?#Y4~w@;*0?0x^IRrk^hag+yUwz$R|u zb!=y2&zggNHVw5xF1>=-Mp*V|+XqWkz*R8=ooFsI>Qv)27lbYlXjgPqQ3htPN_FH$ z@n4%Sl)ovcku-Zyz@m2k0X+5u7)y(fRTnCBS=E=Q^P-iI>3x)E~{-WT4~tr|b^ zAev%ipK~~NbTAff<2!h5LMB-GgElaR~8TXA24!Eo*}@ zEar|eSOgI$@5$;ehdDCAA{a=jSS4Wf3LJqqiC9{;Yu{}XekPdv!nZ_4Kvc+Z>*k%( zZVs|OKIRBEDcW@Roq>6y<1`7Fg61l`oq8abrrHC66vyt-Na(IY8QplOR1?*ysu}VT zd6OTdP{laT?{#yCv_xmOep|bl}lY5k}4lYFKHU!bMG~W zY8}`$TFecVKdNVYdAxoP!dGPed2;gy?_>2}gqn!$E2jt+0j;py8!8%!YrD_!6i+X~ z^MX%Es7CFORNc9@P=(( zJ+1NmG-WUGaYUzWn3pg<-!CRRY})anD*d5=nr*Byc~ar{QkSdC=+omTyYr1wFA3*w zphWH#S@9No+V-t;8LcX^FIO1b3-1i5-YlFwc+*u!yV+~+mXSax>~el~#Y>0WbOE=; z<3N;wu^a}hab3>$%)qg%VXu=p2?x=EH=Zh+eE}=*p4pR!8sRBiQ%#18VYPUa`3HwQiOGf`t%O*21iZ+mvyDM(}6+<6^=i;72*tX?FNa z24vRg`hKevYl#?0cykWndMzK<4$+Xl(ZDu&?SB+tEwo>+=xh*Fa(zzd11kf>*D&%6 z>~5A=rXnezYu2Oh5uYZCS!weF*EL(m-X=|;bTaWX;NX2XTINpX{GXG$3m^jNZ@xENoLC@mf^)D8S4d>*N*Z2wQbvVh$02_Ok z>-Xwv8U&?(=VdVt7a)`oxaw-Cd#}L+*p}-!z#-VCW#TkPJxdzsm92^DR<{xZoCplL zp<19Zk3p_YwCR4>stt|{tl`altpb~3dojXaT zStJ89pjC`R<^}n!`i|*7keiu0C0;A9**e9zG$M#{jbY~DC4G)lJ|+i3WO@{)OI<-< zTy}#l3ViwjyhIa+;nXDLvl3|fdv@=R?HV`sFs_T&I8SXLw%#_qD-*8`esSq*K0NAP z;h4UQVbXws7$A0{>ODae!wp{SPdk0G<#~=+unz&Hx7p?13#V?DVoinggt6OP=nh^u zkGZNPS;VPcG@4wU5<_O_uA*eqq&?T z*GBQHocOcNx0QBU^ux`6Z~BO{VVF@#G4En2pR)+*uG6}tiR222?-0s_g{Y(kH-A^; zS(_iVo+x_P$FyK}x>3Etd2^%Hf6|>?iuJ!d0_11Y-9`P31nv={44q^lYM>~U@NC<8 z)XI*BK;-hAdmDNo|Le;!s^GCeEwPuB&gnRe+ofAuumbjcJ-u_@Rcoh4T4-_KV0E$P zR<-Te^M&7!uKE`B21w0F<*ZEW&%jmeiz7js^_!+sKLfAs-xtj1Q0FJIuJ zoxP&%>zn(-V~5fQR_FWukmHC+om*|Q2m6W zd{XyEv5Y$s( zMu#KA23r_tqGEqdkG#)`v#>+Sk02~BcIoB?r6(__ZxR#o6iWvo8XG{`%sNrH>jNn@ zM($8ExY+#A>Re*!3g9LXmwk`Ce11~bJ}sea^-e-o-`!oI-d0@GV!wx#cXKig{9W;D zZrE_-V4JGGsPc&a^+1HPW}}xbV70|#l03h$#Q2qV3TZ9VpsQ2_dW7y)Lj^@u9tZJN zg20N|cQ0lcTVyBbTJ#0Gg}j$zr`Qh4;(RLnzO`zjDCR}?@2`!2dxBi|S*{r9p4S*} zp5){amV#Ns(lG)t!zkcKf|whp_0#gQhM{=rcp?b|U01GoQ-M%nK+pVOZ6QjvRQN1oBV&$tO~nxB2!DdWGClZ}N9XEJf}ljrPUF zuzgG1``!{qo!g<}6u0K3*B^7!6OhlHT7`0(jhx>no-$lLn0lawq$6zmlh-C1^HXfk zSmsb`rrI~H1|v=h^fSsNff&2ja{l%p)!rs}Jb@M~8qAp8bIE$~!@!q?tNp6@p7|H@ z0_QW$UZ2{{f*#~?m#7%Eg(Z0F&G_g^ESzd8)6a3IT%3RIAh3j*`FANNvUP&DwUF2; zPg_dHp&X_#Mhm`!t&3O=LpAj=5oPsao9-?Kn~|b{_Zh_X)w&s>_j=gcrMgcgbztBR zlWpHq-KjAqZbrhZixLNXbIdAgDWmAaEwlV1Tem)@UN&!~yzNz0Ua28VGGf^HjHi)M;~FYCHG-&F(%*qnlnJ|b(1H;+)qw&d3{0G0kzNo+pA zP?{Vt!+)VCMJgknuD+b)IS!_*=FHTH({QaRc(WZ)ev}7ut}uMsLLsYHPy_!WP~1@50K=2&qx486xZ!I(x^Yx;!1 zoq2^}F_=4Z2b8kZ7u!p&ouNQx6*4gPisQTfDg7uMFDoDYOC20Z`w>|UM<_-4 zSeL{|MA2KpfTD$_p-)LYy9^LU2m{kG!Rr-*siS#*Sqa8wLQax& zxli2ru!_5ns{sDjEyT*m>Jl`C&#Il-nyZ(8=-?V#o@i#9?^Y1ke87nrePe)&%zz7>l`+N{Z&@`DoENTdgZmBl^ge35jCHWQ6fe zhR+$PvX>;EBOf*Z!T`4f56J$p9A+rc0W)K5lX=Y|ggj~yH#T)57MUw~D?>46-_x}@hNm&hW!+T4p>iLUvezru+47_U zH!9MXzp0Sd@83Tx5`06!w))nX^=~jeSm2~vKiSgQM%6-l*FE2MCGVgLe?Q{tnZua@ zvBOr26^^HC-IrnKMqmRs|N8Y-Ut~^P(omM7n$d0(O~RGO8|5}d8QN@(p`CX7V(VjP z_D{Y7GlI0jt=jHU;rXvG12M20Jid!{+QK_`2R12U-_2KFGXF+OnR#*SNJ&&NgwWRI z=!YXqa-rg6Z#jj6+y%rq+c&|NsKYr%vicmxI$EiogELqW;W6DhNwn_B@lL0$vArVf znflIW4j+4~j{GLek(kq);*y_EnpVh+dn1UoZO-s=DY)PbnI|Sib9g(F`}p}Bjauo- zjGxkeyvYuGt;A4xa;sHhg)_l3!<^yXaIzBWya*8zcLWMCoCKKI697eDpovk07I3`M|Z zf?6M5>mNQ!x`9?8y(!sBKH2Kf=mU%_mOBHztzq}qUNshTIp1TIeS^Ngo$Y)Ip<(LU zA=Lmpb?)3&jn#0Pk+>_rKmuz|ee9B2Q`p^9X`?9RbK|ig3`+Y>K2yTkXC5@3H@SiR zHQDw_<1`aPuCp@v`BGe*w-;Ur`&&I4-~wyY;_Kd1YBr!Tl5ErBjb=)5x1Oolwk!o)yHjC+3EZjlxo!8VqY-OWg3vp$;UccCo80RVkK3J zV&l!9`Ht&A#JBuAZrcp1M|=Fvw%WnkDDC~QL+=Bv&x@NMb|WhoiLyCynw_7veI;#s z^9YdH=^nQA)gr{=08BmtZ?h;QoqBK`t^gm3^YZ7>4o zppTk>Ub0bY?WJ4pk`I);u91OH{cjsVLLbSe^Ox|uJ{*-)Stsze)-A?0^{V1U>H^QR zN5=i{7in|pD%QpgB?@Lyf09g0kD_<4k7oC%l03J@=9lLfla5DBn*&{kE_ZjzS&n{& zXaXEj$!}u>=@>w`3q7{EhDWAC1)f`KpwR!x$OfU1aidQ8(4^IQ^RqRjVj!uf7JVmTv>esRh_*_W-rLq=6=?FT0_6O|*LOy!>5K z7GNAdLSWu^>?XSW2vJz#N-TPc%Z4Z1shjJ9Dom>L7k7@?M^zu*IcbF#rMi* z^%1g_unmR}nbi_bWXG^=VUgJmjfy~XPX13eOw-2OWt$v+B3`d;5l9IJ znX0li-^uI^HYJSp4pkE`zP4nh*8kI$Ft#0y#1ti9n)ditQ>^n5_{m_g!|%MQz6}=)8+x8tLNg zHV)pT*U?7xw{PEFR$PCjF$+4jh2OL7udnvd)b2lL3O0;{cU&y{f*EK0N#1LlZ2>s; zJ3=DDZIK>^lFHCtXcQc~Ecj?0>mhqlie*%gM`PW)Tm<>C!_F6=tw6iNmH6Yq-++OK zJU?AvqvNj}-EiCl9;di*+OX@VWWwMq9IzoEGmA3K>O45F571@=FNXlx1b-=-g9&s~ zK9Sv%y7Z?wrCb902j?|wnryo27MOXzVcDqR2};HKik3zUDYloAcKOof&8>sJ@V8H) zxAJ}To;{>ye{)CU$qk^9f3u)b-ru2|E2}|j){vKzj?N%`w>i!TGGj33OYrfF0GBwf zeK~U%?<$nBpcbxXga*b!LFuuk!4*Cai{#oXptj@B^Bgt&hU#_!PZMx6y*;K1h`Pax z+*$uF9>K53ZuzcYMndg-w0lBAeOOZmJnFLMQBmcg`2NyMw5Da_u=c^Uzb8YA<0qRH zf_EHcc3NA03Do}u6K~oHBhiJ9(#$CXz zaM=!D2kjf!Dg*?QNohxnb932m!lM%6r=AXa0(e8<#B4AP^Gm8+xa#G!;g-N0H&+Xf z^FSDdT7@42ClWL9Q5yN&ZgqPK>?7$kxx63fblS!4jitK@K(NW1Tf4JLNAOhV?-%Dc zRJ9()-1SDlri``Rak(x!yn#nv973yUoZ62-AStL2fg1Em`)eDoMqI>q*>46Ei|+N6 zeMlNH&exDyRf$?Ee_dm|P{(FbajN1W*aYl)zP%_FqEfLJA9(dU*bZ#2#MQxL9Ab4c z?(9$r;Gm@Hs@DjdhEhuZE@fdS{9BD{cn{FT1YVK=G7!Tx906Tb_v`=Eo!7YAaE2rI&eo7fJIll1N+)VvPxmR|)-+(cxK zJb;I;+g6fOTCCW-{j7X%tJb@zvbyP5wyFB(LJCc_VbC3kwZ-e25K|2Ny9pdHBZ^a~Xr8F!h*7fNw#SWBtG>xcJTdnC#( z4q4Bjf0B{a1Di(LPRN#*7avCmw(?{?k$*ON)xhAX_u z5u?{ku#rxAMrx&`HoMHMMB4&IpdoN;O*>a{$gPr<$#G4!{JqUhI}Ndo!HS2`#{^_f z-;YK~TdpN3BIBa=Vej4=>bc=9XHVD@_*)~Q;m%Xv84SeB?rR!lRFFi@T=#J)P;?dB zxzeP$7ujQ(-bAbit@uUA7A$S6L+LK+Nq4sPz;4$^PtUJ=*i0W;t&fcXw0j9 zWo3BQE;ttFl+|1aax}z|hL>ww8!*LQciO`S6kjoS@^^9dW^GIr+`ZJBS3>jTsh_tR zh%cbI`~=0`{-nK>caY~@>{Y5ecGFfyQL>_ldo-rghW?wvPWj)=_r9UAp&d`~)BY2h z917eE>h2ZBsk@h&COSjXS@-jgj)tx?c;$yLVzDs2bEnVKa?6Ws@p(XKKViZYY_EO7 zJ+_SKV*R2)*FOb~l92GQ!tyi4<>f)xOEnrt)e#a}m%?H9b~-)N>!xvg9?&nI+vmAv z{S-YPt+c;(eHh@o3K%f~+h<`%y*v^4qN5nzm0BA@@16XwN*qCns`uKhhd;&JRQ^4M z=D+jP{`kjNKkU~Nw3it_dn^~^*eFFk{R&~K)b``qnvnV?&J-IhCtal>95EE1q=@4s z&2i7Q&_A)(-;8hZY`?H%DBxcqn2-k@d~3eD_P&?iV&S8{&Jm(FOLTcE!+$7hC|(oF zt|OGhWfdFPTB`Q?R-X;}a9Q@TN$I_+3zO#zhL!S2jf|ev9UhkpW~Ukh5b;= zu?6A0JSCKcvV2k?PAU%QL2dOV`ip!jo@+iMM-pd`0b$4r3;g8xHw_vWQ+7YN4E?ON zzh7rJvdgeDuOOqBO1jhjS@wizD2V4VqrY4EzvX@ZU-3MDd?Nq-#jk+OeEzfNDm`R1 ztx6A@;-$A1#vK-R7q6&lyWXAjp-L~in^#}KoNuG0oF_h?E?btE_BeumZ>meB%%jn< z>`9Ku(Z_}hwWXRUcM>$>pTlM=wZoQjZIdnSQtfItt54h{m7rgCK>k`o3VD(6zzJ3K z_+EeF8EvYXbLq(ccmcH7m5^U5dM{kWwO&)+y2zUU>6Pf*eFlpip@$igy002oG8JP7 zSPCSEi~_atdDXKYJ<&Ds=~hP{_8D&tnxs2-Ux*Fd;px+;*=Pm~+#N0am##3cuM^!b zL4H{=f0z64|Bol~KTqpQ9q&)zdHJ*2^$~>l5Frm@)5TBKY4J%Aa|Q(&sAx#+FfOJi zkQ_Q+*DB*V1Hs|ma`91S4{Nj>DMGBicE1g~WfLK47w133eH(rI-66h!kHnCn*Mok=_T+e;3H7%SSAiU`zDTQyE%rBxrd)*It=+c+4;7lH!1vB-E$QCA(CK zl#Qit!GXJ~zeF8Q@fO5VJo-4gOE&+l=d}T2!*fDs@BE z|HIf@hD9BJ?Y`0j2+RP2NDn1Bf=D+*m!vdO(j9`7^bFl02vXABiXc6-l%#ZrbV{5b z&)IvQH_!9m=Pef(Tnyh@Yu)$fZmQM=>aED3$ zB_%eVjYW1Ni3RE-*zGe)K=t1$*B8}oOUO5zWrvloL~obkQHrwg+~8c zIL{2J=Oxp~r8ex}Z`ra6<%yhr{a3#m_$DYkv_3P1&iByqKJEWi+tIqmEwP>W#>d@4 z+J8d!PK%4SjvT4tS=33Gdwx73c6KRea;LCva;2+fT`A&e6I%qkZ1h~CHJSaTO z0;OU260Dt*I98ES2(nugY>?0SE>Y}XU3}~8NQ~tQi+ZX9OqeY-;Mz>kpiYKdG^7P? zS!daqJzFZC#0txXCs%T)dD-~ypEkz_>~+mTO|5z2j^^UlK;%ermVzpt?oF* zP5&3GPWF?hXr=~PXLL77 z(Ed-&{}j*m|3&crpRMx{C;Pv)+yfHBr^~{3UJOYoLJyfV<8w*mU?r>|7Rt9rsA$XK zIVohgPqW0TG^zG?DiKSn*l;NB*T-^Ee#@VhN}3fq%F%*RpIge^)$Sj%v?gD(`|KIq zKP&9v6fL-{ZQXBmuK}P#oB|a(ydZ*S5{&MuVo8OoY~!h&t;e=X6d8oikL$X{8ZOc0 zXTZC(M#$r1m@DPk^>LNm?Erakf8V&y9sNunKkKceoWB_#vPVhK`$~@7V9(BQtRO~& za|1PjwClgy)}@egp)uFe#<#Bp_q(femG4-|b&?p8 zs`a9*+5bh+{+l)9Yg;NJ%Oy06jfo#qC+N6V?=7BMvQZOU;(5(C8)y5IJL7!RG7&bL zlgGEG>9lWfU(I$^PisW~6=n$u*5J^474^DMo! zm|%VD*H^j!b5)JCrheTYb;vpFv!cS|I$=Yf1Rse3x!DiQ+i-x@%1sae=*?9vL_8a& z%_1LWj)SFDUTxHY0Pg|NDDx@?&d;^sY3zkrAMO0x0n2FMpkzB7FY z$arvg<%E*qJ!GFL&b64o+WXl{8$i_)O-Y_&;(t}Ol^gl{muv6KSN=DbRY0UnI1uc^ zFDy`jw$=Q9mh1oJqIdzL|JgDMjB3+1x;Byp2cJTmMi58eT^OJ==vJtNttG;CD-FDG z`Ftw(;=ISh8alCld`I+8W)@+o&2peoue2jO#p9?~5Jw(}D^08ibf zq*lv7j6|>85+F`i80EQ~F{S9{ zu43@UMuDNHfYCD(Gzxq-LEI6eZ=qdTwd^!tr0WFuv*Yyg-VYAFCSb%p?iB-AKM5ws zDjN=2h?UVE;gTwfSXCqUPqw|QnMdVym zQ#;H|T7H=d`MxVZyGbc2-YPg29wBDPpmF)eIa*6CeXrd+p#tPl(izT7&PsBjus&Vu zXJ+F63$m$jS1l=8yf+pma>H?Y*e>R&kenLO59w#Ey{kR%t~WEB*7p1DSjKjm;p?cr z=}LL|EeBi1R#KD|0Cw^0j)bJievM~->ACu=nZ&GHo-*K~ zF8tgIo_TF>HPtRD=rC=O>Z|jskjgK*w?UKo3~`evXL3g6`)7sE8Krjc!*qpo_{TX* z+#%QX%=Pln#n*6*5kFq#&tj!RLe1AdyE~R%rQ#7qr$06JyU63)l`Dw(&QbSP*Q&s{ zcn04|jo{@w*QUl+E$OacU!3K?z+j5V!^0zVSR7CmBSRX2`R+r|P4nx8XX&uE8=fi% zL4P;IdIY4LEhhR9Z^-&>$}EzT>;d2=p{0=;ZaZjzdBJWxRtc0`2*~Ishye9=8X8CUpT# z1qLQNDkbhD?qT$7l!|2Juj~g}fKLd;E|=hZ7TYHe*_ma)^y_5DSwDX50i9J90IDwS*Zlvz#-5-b5~tN#_}9zD z(%8fxmgoU{^g$HPA)NeW48$qFB3pd!7bMA!E^HFG~-DsmhAVunJR6X*y%uO5=n08WcluXW^6uKI^NRNLUe(}7ZrZ_OK zr2V-QPA=LQAtgd0f#7GTZ;zPAmTlyW*4JPR%848~O1PN(3`cy7-%LWlc6Uj>-L2J` zjna>L1>w^}HPMb%Or!Jdmq9VtDvFCtHFmv0guB56QII3YOaYIt?sF=$#EdPf_*~!y z{rBlF>^s+`?!`oB5v@*}JQaS`!t1H;b=geR>60kt5F~jZ^F0K|zftAm#JP8`SO+TtJ=TqK~X};V(jFnp~otEW%2CP~@^L~qNkvr%3ol_zr4vg-ZYUHU< z=9X(!ANIgsLq5k;H$UH-VeJ?>pL5C{I0Kx*ZLdvCvS*3^j1ZH%QrLIOQrmDifXs&s z=NftGI%l>lUD0!F0R9nQ;L`S6 z->%^JH*{I@%LCK!!MaY|3MkC0`q@hJDYsk|>NzSE;KTfjzApiEKTBE5aX&Iji_r0s zX_gk=1x&9BP^Q3sTjzBkp+=4HFL;^jtGWYi%55*xLA~Y6l~0!dRF3He5a{C>efK1I zP`Guf3hyUr57m#*WR^EW>pE`X@(&?nylR$}E*UH)0?JZHd}JzSuD zXSK}0Kfz_^t)7Hp>{)`i~dt6HsR5FR{$?y%!z911~^W*4qtqo2UVVoJ1Mi?wEU+s=ZiVr zm(6UWZ|*k7Hx1@dRen(``;CjLCq`~QjtWjJs+mu{{QGV&B!$_Yw2lMTYf*=3dI5|R z`$6v+!5hW>1{S}KBM^|Z)_mZ9@qPIt2BEyyj2O?z`%VJ>5P&F08~F3dVDgLilUZxK zz^QXYmnnfAB#y~~>kkoOINz5Q#C+-!&B2cpaVUTpX#h|0AbDDYnqr=#%;{9o<70e^ z5Wfb&t~l&_Ho2+e(kceO`gYi@G?CxVXziV4td@EFy>8OYK$h>9($+Cq&&X}f6oWN^ z#=z;<7`@o%(@zm&X`D%OB0{roj2k9k1wuubc@RVm2Ydn8RS_jL& zVZB|Ad~4D$T3~3x_itjL(%oF$R;ih9vY5bgg3NC{xxbANyPtmLEE3+5F-Hkh)bd{J zXGXj?%c!%?kCq=ks;OTwChV!UnkhH!9$ipQR?fCrUCyOvkoPwTZkR0pK@x=g7>>_; zBW~Ya^|}zNQ#0P;Vp=IWb;QVjn`Sx7gh<7qlH$r!VE39F&ojcZLewR(>h24Z#@aV0 z8h0!16$B=@#QBVI6fH=s* zGaig(Wo>uYB^3gGfWESW!YWgp?iIJ>zXvzHFE9nJm?k5*jDMFdww9p8rNGZ_V?}eb zC2yXNv+OisxiI{30^1u&X(P`amqPc!Ra3-fEdR6tyNecKJ)cHIE7qc3*C&hZ_P5HN zX%kyX(Mmy?2nb}m1k6`YNU8DB$<=$o@j<}DzZ9cG9z(dx9=Y9j(z%wMbLB^|5*8`JV*S9~(S$E4?M9@3qQ zl#p7U{Q&&EjJYSpg;}#4+g<0BL1PcA?@{`i@Zy!Kz)n$~y@$*dAj%3m85V{)w^)R( z2FVu*>C~KgU(nx-TE)!O4hyko0%0}F4mo!?B4*ap9-MkR;#1rT#jca&N}Im}P$6+&9{>-9b!h~! zjNnIbr@yy!I#$SZx4Mn2)%GWV;MlYVvo>V0Up-H@peS29oNs=vG$zSTq_^v2MBFJ- zv$djv3!gyx}>iTvX|LHd-lZ2{C*UIVr z1xlZ1d+doPmzBKPP^HSO>(4Me%V0CIsho{VP5RY*TT!h~_exYTMkPjTALX*=P(d!& zs*xbf;~GoJlz<(G`!r_SY!wXMXprn$!KZ(;v+X)pYZaj#%2$#{klR{Q*=qXc-`3l3 z(EA;7OIz6eglUHBRh8$r-sAOfDi<}zl~-jp)E9Gx`avO$vW7b6J0yI#k)Al8uqpVD z65(GB^5>*XC)a(jp;HQ6x4o3hjr?t8f076*O<2l)bgV4*y;)(Lt9L`W`+e}hC+fEL zMhy|Qkf{DRZcdsC2ahI5Lst(*Dasoe8FhS_FY+x`$M*-DCT(TMr6Qem zSk-MiLU55(1gz_6<}tY5xnZvR8$|RSb5TXM-BBl^w4F$%67Z zJ@r(a>eYz9I23rUW}H|F0s&F)(MRNe82s~WAFu=3981{P z8wOoXo5ym3D+GVjSpom9f2KE=N8A2Mi{>cb2r&EilR2lTp8ewg&`y%*m6ZTuS`br* zq9jJqR)KgL>XA-uuMl1@-wn#U{l(;w@Ve{IBp4C)<|@%PQ53x|>lQE=z;@%o+@J@m zHJ6G(C=MdnD?p1tQWUxyjJ(Vd{z%Vzten@+GyVz*nJ&CrQbD1 zI${Fve9gq6D3$1{(P6L2-do0-qPR$1R_`-uT1~Mew{B@(3nAtyYhqO;nx?Apm+6MB z)y`{kTI!ic_Ot!1t&h%BJh$<4&+|d+TUAc~6a@e2-Rf!`su`u&hjaE9jR$_@JQIAU zX?$12;B+zCjty_Q@z`)mEsN&x))O~`IH8J@Eo$zj^J^O3SEa1&8UpAbBX#) zTwsTaHav|xZ;QhGXxb|Z?(u(dYZpC+Bso$vH@7RHUoj2e5{55VOUY{k;+vVTfuLd` zkSv&`>58s@5~$qAUE}!wxNAaP!21Y!m1I0dF=kDm?%8~#m!}U=#}%f5RO<8o5LH@o zF$V==Q_0T_LfGsA%Q51=^5c3e>t zSPp@!2G65Y5NbRNkVn||sc<;ufVb7u>(>f1Nu{Q;-(*eb zef6$@+KNKgm^`Wp8D_}%z@)`sl)P5Nlt5?`BP2NPl@^g+IK?WMkDcG%w9p4n9LK)l zNjnKX0=s6cE={%Fd2B6wHVEyP8Az3?x&}htGgFSryCP=Cu??SKXZqd!a#p5;x_$l3 zCQf&IWaJ3A(zn$L1|bx&CzxYTdaXD^4(@@BN!2!mxH5siJ3BiGHvXMY$<>eP{M|Cw zm`WydEA=QNWHXppC2iLQu*ErN`Y%9^nIlW6tMDpb-hmfWK7*(J(Xv)0rZMx0n&-epUVajE++pkLeTZ(;z)JrChSzgBvX!cEE%4 z8X9!BXC7UL02ahhY5(=~Zh2m|2*hQL$aLiMK zFG6Ei+x$H-b0`0)!9`6Os4?Osd|sp!>uAihQmqJrJ!RV|7tX3q4364Zc z#i8k36}vwk45tC?tjIW&?^8F(zGN%&%09(E9zMsJ0vnm4U>`>GOaZ+;hQrt{H?!;y zE-|Q5)fTpaLMd7!_vv4fUG)h8?x@I%5CZpKZz$^v0T0hjZ7lUwYU_@I19j_RvF8rS z2j|iW{`zY3n91VL_O)u_qdA;XpZlMWaH7)zuiQAvw{mnvZqr%|L4~gIgVU)X&$w3f=Ou-9b5anC68Ed-Lt_KxIeZrWhGbK=aXY zwU(#8bD(o)UvQ@o`VDcaM3&rc|??{>b^KB?kr z;N`qEX5wlbcz=ACPk|d7EB2YhyL+}=yHy`bbNej>Y0n~$kkfb`c6t*+ZlZh#i;%HHkmd>@C_>9ybvQxBUM?XJ522CJY#~pe? z98Z+1qf-@4v`1X5Da9)i@97=+Zd`?5Tbuq#F^(A>BRvEYAFn*qG~EeW??S+2`vuef zlW^nDxRVaqLJanbsm?G0CAiQG5ZI%qlXALFz=p5}+AAEqtDi8rKkX7uF}04{Vy%!V zskZ_hMI@EY{c{Lfq_{cq| z@J2vX$&w(nh+)A5W%J)PSY&f=B&CR54XrlE38EON(qUT{LDBE9OubqI`d=_G4f`3B z-{;!;D8!p61WUlVu1(D2PZ#fT6KEYWzMH6<*v4<{v-DE8oxIiF;V;pFw*cq^Ud{u@ zJTWmqea-rfwU>|4l06FPqw$wjk+ZM75!x*4s_c4Cm!9o!&ihX7KTWWN#L(A8+CEd_ ziTDf%I|=a5&3w4wy}02nHQByvQS35bfbh_qFb__Vl5F636=zyCis0`9;VsfhU!_a}&F=u4ZG@K(0X3L#(Q?xHr(kRt|H8ktR^Ir{ig|iv zM1Ga%h!^8S1609pA;?Z`ma(kO7DHisp3?a7n?JWY3Yr5K+Ys5uiyRzOxVE%@Ji_)~ zTYp?!Yb5>Fyrmy1W=7)qtU__(6vHw*ueFN;Sbnd`wer&=)a7dc3pL_NOX^=^j=^d+ zkoOm#dYRG_uq^}xB4HCS^7#t?W2i#PjN@STy}Y~ey_~bI z=;UOmr&}3)39(Jvg4M$*F^N%Lap!cZx`BI-ii4gD7BIV(i+O{*;0-}up%N{`^jNt_ z=*??23t^}t1c?*K*fHhiLqZ#I_EZLd4V#*K13pfr)!3nX zN=PkK2SGzO@W$#Ow-3lQuac6}E_&4K1< zxpYc~wky;b9Kp(`^<`k=D*%?J%Aa{kf==roNJj5EgFLgJOIZldf0!e`5p6q&%k z&H*`eCu!DWVJBfHU{_2p1-hzC_b~-l#ms(rnV!`&1}LQWQODTl`BUNo&XEjWU#qzJ zOMir`*514og~>3#V_dU(LkBJX^~hL#=7?T9pIA+N0=#8uzTJtt!>XAvqiiH)ntU{5 zHQlZZllWyCm>TbK4LUMfoCT^=;pGkbZ8dqN1QBwyGVinQ{J1&HvXVMe_-(I8 zIcas_teDn#*6xcm@QiB5(@Pb`l{Y%@p4FQgB|khIR2j#GadFZKUHB?u5#vQY{KGLA zMz44Lh>_h_91KO8;g0H!&B8@)j{l+eRqI;+6KPYL=l>|$TbF{`xOs@4*CZVYCKP%u zv%DIJ(e?*~X^WVgzyHO@4i^vof^58ibX00sN% zc$h)hm#_%F{f(IJJBwPZZ^kuWZN$!n5ha6rDt0LbJd{r9LQ|!-Fm6{qb=OD!6KyRl zbIz9L)eTww&6W5#>!j03nT%xd{eKv;Z%u=ePHq}V(btD5i7^A2G`(s1-1^KqY-I)m zNXOfW(6G|xJ_7_vyp*3WO^s1Z0`T+h8w_klA9jjai*V3H6_+jd6Q^$U&ez>bdt3NM;vgHKQ{Ue^br&s{Sc62s zd~4^4$HmoVwwjxDOVyCA{Jvz`eM~O|-s0l&?{rrT`4bzXhj^v+T^Hl<=u`<-N7lK* zG9$fn>huz|`q%U65Ry=on1{V{n%0QezI811q-GcmrC&i-3(yxY4>%^CjjXloRTSMX zGI{RUAleF<(KfyXo-v65=Q9%l_3>HtGDckO^5r3t7_IiUucsR^axzs+IJ_U#n>_Xo zah-+Q%F)DGk9-Y&bbpR7WAZjf?Z=}+>a*EiA|d$(lcb!;*Wqtd`F;m%HdSJv`)&8w zk4;JDcy3u!m1qi|VP!lE-jR=&S>b#8F#2&>N$Sb3&@$+ZO}^%ORw3rUYEex}aqxRQ zJVbH;Mi%pJOMH3ZUbzT)A@dDJnsqte*clXGCC%Fc^zGiH2^xgUx{xcugN!b?KIbl^ zE_W7ZKS`>Ai$Eu$Tdn6TzJIack-J|OUmosVbb1398UMjNGm{-aaW4LE^zd{yF=Jvf z_sc7!mwv-9)uxx&@^3hjnp~hG5 z^s@VsCgHUtTm=n^J7B5FXGO1BTfZPR=wA4m_&~cD5bS{%X zvEaYaFtB-d&@myP1S(i^L<&^_^=2$D5gm&n`I_xI^l*# zM7$ZMm7rJ`81=}V)@a{yQI<@Qt+`bRec~(8(oPF!0dd3E)}CR{MA^Zncu|UAU;1Gq zz)EI$kIOYl;7>%SMQ-p_!{I6U)QbJ7{A6RemQ(Z5Tl65K6lceOpe(T7elyHfv=?k~ ztXMD)R5aq3gnDex#$I)t5khGKBCgyrlK~>k^M_C|r2RLe5l180o68RPyRzmzKucB8Qj{(Y;{TQhqC>WH_$JsgLzu+H17enB0a1_lM zg7elebt`*;Px(oD?4F09=4VfO+;<1$5!;pnd-dUnfw&as0Y(0KQVu^zBB`K`_j@iAOb(9Ft0u@m+TrhB!?-S z{F#`Xe6rgwV$!n%2lJ$dAB+_!$*h_#q)QMD4P9wjRAKjLk{qR9FN{uPxCEa<@4&2G zIPx!*Z6j%))G92g(ywsm;I|=MkCO&u2btqVPp7MpKTVHrYw7 z#jpu>wPt(NI}WzPhO&yARUCD3>u>`5V%i-He^e>gyF?UAgEdT&JSR)&yjrgw<@_qF zs-5}ER(`*IxONOIgWOp!&O)u&9+zt0T+Q;boA4*w2swOVXW$Ko>bLxz#7AGFJVBN< zN;Ekp{p`uKS90MZXJc~V7!pE?lj82>{_`sTCi2*CE4am-QILx+gqIu0s=7?Z!qK87 z3;#Xg8=6LSU5B4$XvA|U78b2PM80>cdz=ZM`OO(ysa3t`8izO_MACo0d*Th8|E2jW z@_xYL;^3Z!Ry8($9h^JZ{-*|V^f%x-*m)E&rQuf`yGV6h{*$Natjn^GX z0PQ>a8rYREg~-QOJ7umg>K^6@!z<;w?}lr8ZC2b**zbc;O>+4|7p=4bMf4vK37 zzeDt61%3&*zYFzDw)hD;e(Yon-o~QMzXT#o5l(NFc%OE~g!;*}1uLIzWH>ReECI7e z73~Peymfy1o+D z5(k%u$fJi-xynN=c+y7*_`B#^#d8ymsI7yfoNebFaZIp zr)CzL{vn3pLs>RK+mkE@aPsc+%~MuM2Cq&e8D(3AeQwsP%lYCa1uBp+IHScH#bJov zqi%1kzQ<9zL8LWoA>7wp23%CMaR|Diq+kZVcIp+F)0H#lM_*HgTB^>>NGkKUCFY|s zw}4~>ucbP4&FI6_Y$-Dl1#*`xKc!3}Hz=vI9>+Bb)e3e*Jd?F}jk25(XSvY}neKZP z_&j?ZG^H}kpFeSgeg}5mIsjOu$+#BmJb10C?Y=8(kNAt6f?WkV`iqj##eLDgu%_d(P3DrxgH{hW-5h7*lDd16rGP*IQKc61> z_nlFS`kc;NN@8_iEVo+hU=An2S zTs3I=5=qSl8_wRdtD!p;4It>Vf)cAv;?i0CHcm=Y!mS}A00_Lnht zWwPHg#;S1om3Y6)QkPnjBC0;gJvQPfxaXvX#Qwx8iwJq~9@T>FCWiMyv&`hgjG|o^ z^sW8nsYu5>#>i}Bc~eTSG3RWT)jFL1DLFr74t5sA5Q=%1fO$+M!YH7iIGX(WxAVtg zg-IHpiR#J*?hN~Qvv60w(Ou9QfEa%zGg!j}T@GtVWqDGBY~kG#6>jK8rh zw@^49C2tfzw;CQ3A8(;x>$Z8WrB1tAYW-+oS*?3%DxMQM9%I@Dh(O{}C5nF?fqt_V z{QaZ5kVZ6V!nWNJT7TZ}b}g!nO!~K8sl9$$(=getyc)Gi$K{;GSIR|yZhi_cPq1gR*U_5;Y!hAq2YlbYk#fX;Yp%V=ek?2%anXP0ocKUC?Oaxr`VB4l6 zC_2q@NHfJUPMo#tCxLPc>lP-ozRKxnDkV+VldgO|l3E?oNzgImHbM9J8RH9iiMUW; z{1AHDgMB+Fi#4wD$buI1!jlT_9yrhKeY|!m8_xW9y>dPY@fN(SyYeK681jX2{t=J= z4!yPHo%EhA-PQ{Q$Ie#^gQp@rp%!`&$wI-7tODKp95mbxe@hRyV5Z#|&Kp$9l`rj49f6 zy*@hOezVe9!G`QB%$vaL$nQGw-P~a~!5FQXg7H{j6&e!hMiXdQx~@|&uFpE9C~tM+ zveE)$K25xH&2)>YoqvwWeV187bj8HZK}moXYe#0WD(wG>aor(^}$ z3k*s!*LklT!8CXX4!tNu??t)zJoxysGyTnFUc?Wxcwx(N;;--+Z6hCrO)O{@D)%k6 zAZ3DB?rNbZKpRvO-z3X7@n;c~J^S+f;DC6Fu|nl$*d+`3l!)0du}SA7BN}MBr8Z{6 zx!yJF`Hy=YS{|^{HA0eO7wu@`w!f9z;cRlRHHvf`&`ePadm49qd`u`vRAa`PV*+oj zRpL`>G->nSzB6?sDiqprigG@j_z!C2w|A0sL=f0W%Q7tBYJl`b&h!pX$-rfKwsX3 z+xD45V=Og~(!2iT8daAs!_zyDB5W06wWzqROb&O2&SZq9UuV}8`{qVg#THRz)RFfp zc_igXi+c3;+9$U3PlRc$ri#0l0kXu<`u=jq8E>j7DNNo5`*6C_>PiApG(vh6iTG5) zv(KwvF#^TL2;&JouM&{#Hi6Qq=VRoQ;|-dk9+z_Pm^?xwK+{&mt&>U+IBAd!}1wWVAg5_wP#Hv&64u9Sv zWYHOQr3RR8ZZ>vLaZ_(v&c^W^bhzrpV!L`Ud@ZA(!p68_$;)!5dkrY`Co4{KmbC%+;iRp95T?gK-1$};Vvfj{1u*VCfE=>zI=CMf5 zxqeFi4?b99;VEkj`l$=X@kANK1#&*9XJs1Rc&W=dv=lv z-wd3~wa`JO3j>B~jw(%);8^F(-#bd0tXE1vC&qM%gS_J za4_J!0?~h)&`8tCZb=ymd4c6plC-6!&NO;n(?FMX{DRKMhz&Tf%X2p+QLA2k42GS8 z#$ad>TXwxAuJTR$5al|rU1Q3>{ZK@28eN^zu<_-Nrzi?CJ$2PEO^S%flHd zUu;g&#`-StmnxqHxm1vVa*3SYdEaWVXC1v|_J`B*fIXBLpmA0GR>N?A*p?3rJlDhd z5IqG#XW<`q;G|tKvk4l7E~qy9=?~j|j`k^P6U)Bkn{^$8)JdXf!Px7d;{6xi@Uv$x zEU(A33LEmDiCpcG(`RfIISew7l9$0qsoCoai0lD3)xQUWOy&nn>QZ*f9UKS9%mleA zg@g8pn8SqeYQCXR4U)i@_}jZBX7T3L1lDY>Um4amHA?g*_AMvvn&e8Sq`=9|UFaQ)$X_A)GGYx(6$$gY-T-LqVEdOzC zEB*9pIj-YxdHU;Q;@ojbAxYgGl@R`gmX8*iF}hG13yFn~D7=Aw$>WmBO11dE_M%P1 zl40vGdRmaMytq6oG%MQCVqelea8IgEp=ZN|>v(E7&RQAynVswwU0_zG6n+aZ?1?-gAXh8$nkz69P8@ZVL} zzV{rT@wl7Psz_hv8$f#{z3RHM%&s}LW$T3Ftrap7mpjABQ;L{_Xq^(06Kux67KndK z1|PW(t&BVy=uG+MNy43Y@X`8HgothlZFhh3Z!kfuwLV9VU1}xJxCvhBrgexxTX?jJ zCPgz^AGrHpYOD!N3mD4Cuopmo2k21k*A$IDBaf&9)WP4QtePD!RYH9G1%SktKdu>1 zPEY9yU%!TSa)0Qdu;RUr0Zs*0nI?8^<6NcUrp!CH=%r`SpvJxRE29d zOw&6TUntO;U*BeF6%+@^Hg}KcpZx(^)Tz!(`g-=r6TqxL&+p7}GWWB(7)KVo*Cgv) z;W|u4;&(sc03;om0w50AF-wLTllBE zWgC=xLEfeG1Cdf-IhVo8W-mJM>ytubEM>_07}g3^3QmIrF(30M~W zOa7k`T!Y;tTar>$I9a&6GbR0-p-DfV4YC|3c+o7&*z0_&mBcunE|#Ip67Tgc>vIYH z9GokP;Cs2k+zQF3Ym&+b4=jP>HNpVLLj&DdG6CB!Ir(ye^#b+`#d5!!4sU1y6*at} zuk`ax5uslQDJ2-xHy~c@ZpN2vXTm3Mqg2w6Ki2vFciWDT_U`$ZoO z(*ur?XhiVycVb~QHr?AvSr0P9RuPbO_g>eEl%O}7t% zTY=VK_PMlmaF(wb%bcp%uWc&+tJoR$s<#-_nAFhc?zH9$d-Ti{7d><&*n(h zvT*Oaj&Ac}Zn6E==tbxSi;EFn4jJUA;{Vk;hB1K>N1?P+SxpMM0l$bjrMmu2z8VSN zJ)oTHvST@Hz7{UN*`8tv{{c`Qk*f7roHAXjU-5!IMT?=QgV4zbeH}{>w&=L|`ZfSA zhTj1g`G3$Kt`!t7KzKC}kPL#cYn())fP^hh?{^*<1NRU5r+kLo+6T=flQt(rjlbZz zbQtTCbvC;};v>aBbu}%l7WvoLg23}0jKqd_Wp3n?LSjMh^%I60SXPMgd4a~kCvYzw zJ4!;K*Yp-hz!Jhvee(7(eHi7n zVu*R#mSLQnok~X@t%E`r1`#Tfqj6AUbbzB)nZdg09hd;}_*eSe(R7i^JVYVbRbB>2 ztI=V2a`(d3-o`+Eike$|ehmTgZ4Y;Jm53z}%v;08noI6=#FDn|>OEefv3#>CWYs5IqaJ~f z6Ls>f_Faz={+ou1wAEB7F?R)k!LX=TbH=^eS>`-;r3L46BoH+sbzU9$#<(fnm`CXK zO!~Qr7lBC78@(0#V%M`m-4YyiL!v#N-5Y;NybUys-?4jZS4K5$N9X=ZHrMcWQs9?d zxa$>SCh3i!N1aT5p=XVnC||s)i@EO@eKNr*q&_j`PhpnpjCq?`yF@+o=hL`HonIw> zeW_hSRn8W}^3l<$&$Yw-PSMbP&_i4SQ%&ql5CNJB+gwd})@*UWm?SM=-aZ{jDW$y( zeO>6^Wq%yYm2n+PU5}h$yqxkXP9@y0t8C2)7hA{gbx0=&@Y?sz_MP-ep2=R#_2^DG z;uFnf{ob_M@wqd(*MU?g)}lpvB!EZca4&%U@6wO98Mf1dTIbBS_@=3vG>>bX_V0$ph6?P79c;e+ptKgF(W)@oXr4r3Au@Sb#A zhUG0NXiKjgx1_$R6@e*w3~&+u6?#9AAMmg9AdG~|hi~2PO5G0F?If`x$MSjBZZmgM zUxOw(RNint?A2dA;0i>32NCb6Dq^p*CW1r!0sdWpw77oD(#q)_EhI09_kN(ugHMro z^c-NyIBSu(V7SWa=sFUbCOiuwi+X=87m}yi%KS#uc=BO=yXC>0x@>14l-Q~ zK@ea4$P|yEZb{Gi$5`}NP-?-OEt*aw8ra48%A^*M}x238fP|3#|r)c z?JXKWXs=^1;zI&h9Zr)N<8 zJbUR&3N+3lb(kT4M*w5$kyfRrVtMN^I{eEV1_3RC5Pf?rrNusu>_m;i>{dx_eL9Ec zKJM>YHc!ZhtHLNh_?>nynzT5hZEvePsuad17t2$%OU&<{s^^rgr21*5{(!mmo#y;E z9_y>D<&srC!Uz3F)nj|^z^M0Yj-_FX^Ea;0-Y4TW6?=6UzX<`ANu1W**(uI)6@C^+ zacjG+Qiz?ZHR2=p#t^IN$T%(QR*G~NgDtJnw!Yr~c1y?rkzm5UsoEXO-^)Jj?Y;DM zzZ|hkEYGMqXz*Chr{(2v(ThOvZ$t}xeYp{(fbF?Z7a*{?QPu`tk6LK}2&#MuE!08J@xhoG6>xCXw z!waC5zfv-uPhZA)AzB-Of2)R}=5iP@E%*l=H?a#F`vj})Y;GhUJa$m2%X~%<70``x znP-%+E_nh`i$@b=rW3G8{lj!j2!Eae8zMfc__kBx{KsR8sfI4`ZeN9t5i%Jq{;C^_ z*${r$@B|XO8tz6e2)O;mc#69ZKhC@C6c>JFiy?|pz)Zk~q=Of-%)GnGoEN~<1T`Vi zVVF6gZW!uo`Su0~9jIP1wEEp#-GtZxQ_Td|Z67hW-ZSk{O!{8d{^!?*7j!h5StbGJ;iXM>{m!W9- z_H2$#97b{kC)|9Gjqac$@J>&ot{mazdqIUkg*#|8Mg!=hxc$KS1=$ zQvR!}R%in)t@f?|h*+(8R-zzi!&6mgJO72db*D({UR(^dFdw8Jb;1z!jd9giScj2kYhaHG9e`#w|>@=^?CcRD&Jt z->2Q8cT9{ws)m&QVeZ)|Eqld|T+8)760qv^SB{#qatSu+!e*6cO(b+qT_T7t$xIS* zPiBjy@g9%~0+gg0vx*kIDSd4_7QjUxLn^*wzy}k(;UeX~%6^&76K+?)Gi%*RcBOeC|-1#;W4GH-61Q^WLifU_Lp|ESdj!Qbie+mk6EQk8Yb{L`cJz{sh19A z;xsB7gix3~LZCBybhU=!LPIl$nU=kNaR<7UKJoogE0YG+PB91Y&UA0eO>U%oxSzeb z(jBWN<#wOAXNs}U=CZi4Gty~~*PM(?UrmRyO1J6yGP-kOySBsM>Q?yXJ>F)(zGYwc zH)iO3$DgN;hEmRJ2FooO#u4I}=cV|jf3!b@EBUvY>gM|dFJLtSbRhTM-B7}0=n7}O zSL5MfC_$o!lS&#*7&U*%uP|j`Y0Wt`84BE2g+-ogzi)do{A0O0DBICUC{%cOR)k}* zP>zjVrYrAwp3(&G&7ZS(Ir}_6zK6Hn+1CCNmPLd6J8x_qPLxI~_+zcJ@zgV~j6RWS zAtr08e|Tr~y+tvDAbA|>I8wMFd?=5H{sBmUqaL5)@iF1(8L1!Js~Fl(T}%Rbk_cdz{z=QZ~dN571p(or^9?N+GEz3R<^&^PDe*GVN3%v z)u)zva`_1bHpq`MYYYewFj9Oe)B#6HwYA>LtKYf|@n*=UHleGZ4ziyIX9{Qb zM#N!L*gqt>_No-4^fHO!^ud&$RrvoVoxD>gGXU{{FD_3yui);l{#nI&ma{?$tQh^kS$hlH+2VRNo=oN;#M3;}EmF?v$nJFyXGD^Kjr4 z>S<2d{bs0;4YVJAreDO`WZ?(`u})~2C!WRVlP;>Rj;=8e=VYt%!q)rWT=l9(3yVym z&sXLH-3JHoiD^=*;DV!E5CGzt*6&B2;1`_4^VgiTW|8>l_&jkJ4{m$i3``xDbLsf5 zvy3*h)rHmbVV*OyQmgNHKD_R&_xkw}O+hn%u00s1a1m)Xg#7hbolO{NS@BdEN4#;3!|D8R9mt9J0Kn1B=Kny*CC7iAK)Tl$O%1b>Nr5Z+lx*&%4e4 zAIjc59?Jgx8*Zn>kRn+ody=M7b~CvM5p$uE$RwmfvSb}Il|9Q4Qdy=fA!LoLBl{AQ zEnAFzXUq&{pSe%h_r8D6AJ6Z1-Ouyibe_|^Ue4n@j?eqp-fvyl=d{I<57w3eIrwA} z-tG+Kkp4a$V4tn*o(U6BAbl!Rd+U;Q_Ry_I&8ia*^lsl-j&MoIGQ6^R^3I9KJr{4k zrav@K)*P$eW|p=~nNr$Ey3d<+rwPm%-L8CG+(dE8@D!Gd&@9u*yyd(r=_|S~bgtB@ zK<#2$uLk1ET#Rn4kE7x(1Krl)uFk7wojCa3&M5pzbOxZzr zwC`HMxrgHGS&7>a$>j24ot?pOFUAYBF_a7!W2|V;Cp~_3hwXr{yA-=u7g!*-;y9-q z*MkG=mFOqYJ%3((dU8&=SyQdU$SDm=E0Yy zEDPMdw=(#K-Pu{ost2y0b9b<2&M{VAhT_9(U!+nq<~`4+q)%-MM_M0+?(!5L5UWC3ArE zvh!A^`Z9m$6Q;E}(-MHk2g6gv6}*`WzsOccTT|p=mICtkfA8 zOpGddF$oM%WOVr6zgkgOOKi{<+IK>;c+gD3Jyp1A!7FR;f?)41-J-#r04|$q)go$E zp$U~*>AxUjp6g&0m|X2K9M2u;k>CmZ_105{#^BTqyl2UIh0rO zC}p8%FCSeSREw)R_oMunZL1F*8g=(+4yHs9ZuZS z%Xo?QQ`vSCjUfju-Zn}p84jABD5CuUe_}8gp;5tnF~k=XVe;M5c^5!E@+5CQD?fP& zk5Jl|we>m&(m;ElwU`&;f3)-9PwApfo`fYk-bK~nCZK||1T3AJ(DcjBDx8BK-J6h? zonzdChcex!?|#e+Z*@yP8*=qPLhNi9Dax(=+kpp)j`JGxw2JndNGzT^-e1uOOxWAXWu*KnOf?pJF{*OnH`fFbS~4*1ehMm)C5I-Z=b5#_v#ET*^bAi z_rvUQ8SsNB{{UvdbeQNNMpr55Z~`TbpuqBUmp%)YL)eG^;uHLXyZXiOj_<3S`%&-g zdg;yE(Gkc$m}kYG)naxvr*2Sv?+R#ZUI4$n(N3!Wm(d8|U$LpVrJjTvpN*9+WseUuX;{k|XkuTh`tc zf=pkk`r&Q45aU1Dna0!f=K{s!SZoyABtto?SoCGU?;sYbJy+908=PCJif&7LmtoOg zsp-Jk+1=XpPOo_B-+|mu(bOpq-W3q>zS$FU5#HAQ`!~wFA>e(6%V*vn#_!Y*S&dPC z3VVU~^7;FA*D2}UJihj7>S9bXDt>pMyZTdwjUnI5?x($|siX(4oT})kZPv2_we3fP-7AoFV z5{95BqTQ?%BrWN=acU!tqR*40mmVS9OZ2P9THU&=4AU79-ES%AvCi8+McRrk8e_G_ zjk|XO=03{QBVRkV$38T0w}9`8N4ldV`bp{gu&2&22Y6Zaq*NN_aA5a!cWA z=}VBodf%=0FK&YKvu>-%qjF1spSK-xWRX4C ztus!->{do`Ic1@nA37J455{NLwK}h#5CNrtYb|KBfzgYMFPq2Fk!zY6Qrmj`xxyWzt!Vt5mvGoxkQLON>ityCbDk{7H1>}^&7fpLjij3yUt zrpKmEp1bTN;b$U5nvzOB#m#=KDofw|Bock&4nF{>5XJ%*I)$E^Tpl$I)p(oi%C7_z zd&A>WRe0@q)usMCYTPu6Y&tl-M=2r_U@f9f+TN**iSkl-`&_@pKu109n8N(~lf$vj zz>cYm(9L7PCY4EJXV6J{g)g#Yr_Df-@iGShcqOD1(TR+7;tkbrYod0i3f*|*J!=W< zltE9Q^Aa{buH(>#-6O-kV5mSVH_#a?)sZ}K-ZGRJ!tr!enl_A8zdQEV_xE9!fApw? zLf-yXHoEi58xVrYmsIb1EAh8EbHV5P-iZ4L96FD*3%7h-8&|s>p|dC$dWd6i=jF-$ zdkg+JrV%4yC*Iy~@{4#@cm1^WET zZ2$C~EP}*vP23ggPU2d{?JiOyR+?da^Nf()*=^YFC~j1|ytTA#vT1J_ik8(W?#6rI zPH#7$$tu!u?wsV|eDh($@yeSSOWA3P$l;!Z#nVjBq8E0++@*=ZN=VFMhmvE{C#OFA zwROb+ZAZ_-e~Vg`1}U1TxY|V(-(4lgzjBrL_+jJFY1X@+x!L$z8IQG5p%<0`I`DF3 zibDIklUHRwMa?D=_*8D)eQGP!^#ay@{4Z?vd7x`^V^=L<*)LNi%74pLNU?KxcvxK~ ze1U!M)g#^nvnK!TppIsRUc}ebw~-O&4ZM3@4iBq-rBvidg3by8i8BlivpJtZZ^EmOg85 z)`Hs7_^g=`ssegeQq?MAd-;+ojNNwm)OX^)@m%>lIyQn%~xgGRhfU%wE#d3i3)kIl^gtIdbTtm`Bu_{lDmC-O7HXY&cTvXD zU7avS(&M9*y7Ob!L98h-bMSFYk}0;V5bYz>|J8H#Pj&lD!P94r{3-DFoNJ<)Ip4Ai z%Pota(IGO2A%;!NA2wOd%*4AHp)T#^*X6p?OQ@$DS{tH656&L!=yEA<;2oY|`hH*9 z8Qw=P{KF~eX@0UlFudLV1HdD_*k?FoFr@92o7^lQzHOF3ssUP3=HClnMjB19aT90X z*op9_wB$U+V@xO26whI5=~}@}T<8a}LtqqKb|_3s<)k_6SygS10FvQVq<`C?quQgjST?p@vp`Q0prdvz- zEqO>7)fHy(`?^9>p6D%dEbi zn4111ELATPSpN;zRrpa&nk(WDbNGyW>Zq67&;Y%L={~P?loS!^byq~>UL)41 zxN&v!ld8{o+YL)g&-z@k$T1P>{|pezKMg;9O7HvqS80!~B1O-I9G*U{94{Q{-xgZS z=7af5>W%RizdI<%;QvH=Cdcu=I*N8W zo#=HmFmv1`PxFKYR74iVnW^sP4>*RzjO7}+H>RWo*Y5#0H!kDtE_eH z$$MMgcjx5o^EVey_G8%lqxnl*@~ywB05!OdvnEr0MqtVB8?mtodeRFodC-@m&Rd&& zH}`a3sGDV;&XF`wY;alIocbgo?IjJ8JKc2luB+yHwtil)ags!N;K?6YM@Fj$KQ6>h zRQjRGFC4&<_LpydzvcWB>vJl(TsuBGJG+?Gt7<-BbYB&ygAc>vtiMLoL`IWMyFfPa7g35E8!@3uwrCuC#cWpmJX4VtJTM2XrE3Zq#fOvTP z(7M>a!8U&MIRmqT9O<=vlEzAx9_n3A^B6vEzA?O3z=!=mzTnSADX<<=4TwK1+O=!P`Qq$Hp?1 z!AX2z%Tl>b?A_CTgxN-v*6ssYRO`f}A^ zQzy$PVUT7K)(|N;g3gzEe0WSu6$VO#We5v>$zj;>3xUXz>Q@XZUVW7B>lyqbBXS*g z#Zn>oL_Ht*wS2+1P_)9pk3)Zf3_|ZF2Al*XcK*4kcj>HQV8PJ$cUy}^`;7%vrXxH{ ze3bWj9{EfEwm)B}_*XAu`*^|Ab$aF%9&t|Yl{*|@cPYX6d`!yhOI~PQa8s&M%=@J< zR@6({ep0CSkxOQP-prG+TMcktAHj{&_)(a0yri_Qh^%X#aQysfcM<0K)Af2jFXEd# z5&6$1ulAq*ASw6J1P7D3>^UhE7JbHj{>Y*bFbXVL;b`;NG*4;R+;p`MHhC8qi&>OG z$92iS_j1#V2i9&hT{79XlqF0JO6J~$(|Df-$ZVJ1&}jLKBUtwHY0&{oaJ%D`Z2dUD zIHge7mzdJu!<4(RqBG*4zsuxQ;yii-z83fB%1zPy0nV>urOBQq8oo6BNf99#P5Y?E zHt|>I_p>MCEJg4%KK|CEcrj=7(sz@NA)h7Q^F){GIP#|7FOfkrjOvKrH*NZvM=0 zi8Oei?AMSGAe$kiT4lRI>8%6y|AL01+jSBv_lcF*aVzhs;k^;Y&km^FHxEq-TU3~5 zJUpLLZM^l~akh1NVWIhl$m8h63U6`MZ6xNW?W5-+9A+nDwtRBwzgAzB=T6~m zN4;5jglW8w*re30cwyZ}|6IKY8hv)mEBDxWE8QRc5aT}SC%eH2gke-g7tJsn^}^pHUa z0b3KVIn2{f0zY$o*dh4klLp_VHfdaLhe7g9)@hlE;+3pdpcc#K>yj4V{q(|Q?t zRZjmcD9q0BT6c()|J2LnSQ*<~9ijNhNb9v&d6@ydrdj@Ula&3*!SGb07cfIX`KWgt zq*6fMDA)1e%)=f3>9hc#b7a|aCeuO>Iqi=1>I~|kX8V5g%^x4LNq3A|3g?mZ`IYuc z;DhWdaNoV++Kn0ogPXn9#!+?OQgqD^@EkDXUDXjRZ3^M}i&$K}@ImR+mm&&sRpxI2 zq2lL3bCdtpXZ`2iBdNWSL4{*`KfQM8xqGjGe%pSPH_7ltwcvum9r-)}q$oX!3!OS& z$oo4ZG(hZCd<%Vm(E36gjR|(Nx!d8oncO0L%)%^NqpQ_L2426@8C`I^JYT^6&02oU z@dT)yoX?2h@_>lsipn%U?%2v`3P0Tit3@g;G(Ttl3cS^qGx^lB>Vn81Ml9gkJHA)=C<09Of_8Z+A0E?z-9Aa3Fr$*#x6CFZS-xmpaR?z5&sq z;2c^a+%maaEx*BOMQ}@Q4p@4U)-L!F~aZ?6-9D z$s?E7x6cI|?0fgriG!1M_vuE)2Ju72LU9)()8`xH z6Hk4c1~qAi9$*X3c19ElBz(V9cGBy70>|#Iz+R41NoeWYKMG~S2DdxX;IU#+DZQEAl~8$gT#)riq>s-v>Y{hKC)C3vZ54Xi zkQ}5qmLa9Cq3^aCaSnENLj-7)hv>_3j=2jCB}C{betqNi+RnhX>sNxxa>s3eS2j#1 z5Fj9~Q(WtO%ebK%;AUksxzajuGfqm&__yKjw-YI7nsu2ncBE|fqola=Z=Qg$M}=kJ zX!7AhUrvmEblhkDqM&(D+81%)a$`xrT4&s$$T-##pIpyAV=;FU{?G_nvOGU-aOcGM zk~Ffk>?MpoDB9Mr)?MjSa$Sr$_YGXG1lOz-TIsO*jCzxT9^qb~7kc?5(*N!u%o)vdw+{D(q$+jj&bGyxCiJLH z_zcj6ZiBtUc&{FJxPC2C?nu}r5$dHOEGj7pt^09T$ zd@KWg3bdd;0ZV?BT@*>dy>HKjUuduH_NqGv>At9UpcM!$%4@)E%1iI6q-SPRV~u5_ ziW&Y7WM+l*gdcz_cZb|d0LstgCmZucFLtFJ_B#1Z|37r<|ION}#=a|hQ@ccENB+FH zX#ZBxpKtF$JBgQfPj3Pw3E`@EopQnWS67e!^emC{2s*Y<9ThHmJ>i*MPnUVg@a1NsGkb=zO{>N&nP)WTsj~LFv?mfem$-Q zP{nfkawLAh0@Ua-tzbskC$%-xIj}C$6)d@I!zC-}uEiVORK$)Xb{xuIvvi^Kt7xA% z>8ySxlb3dMkL}9$!3qfMs4*k{_vNcAovIq-GNbpr9$&Iz__e>JG_U}ngniLo^hPO0 zg{c3MLv)ha&Y1yn$x=a_?-NMS6Vr5-MH@7KyBKAAZ`2?qa0}?W0-_=LX~$*kt4^LM zemViR3z&>4uA!!1Ox&o|*!NBU<0%;_p_Dj{nMi|2=uq{9tBbvYfx0AOg*a?qR? zE9h%eHipSv_~lBk0T^6m6O@@d>*9d`>nvGdBII9i(SHc}HHD@Q5&_~jZCzJjOCotc z#o~P2RTZK8=K}!hxyPu)gs6LW8Mek1wK5h0_y-O5k|IMR|O zEw}e;ll3#y#uTp&3W%Q)ogXZS3)Yrmb-@A$AH!B*x95eQ129IjXwb%F@cR5Wcvm>w z(jZ{WHGWTMo=1Pqjs2pLYgxNIP2{^jMaJS&(DOqALFD2}V0y0!y8bvs0Of?aba+0V zIykvww4S3Z$#T@MIa{R^FqRdKCNB+qb^RkktlEi7-I>_hM4+@B7xtAybH`eR^7wZt z=$G~iZw=ddn;lV+(9i!IUkuE4Sl#`7%nK6@JktvJ0R{84cbQIlH4XuPcDeQ3fcaCU zGG|TQIQ8h|KWN}o(gzrl{sJI7Fv<~E=JQPR2f4%@!w-4>Y2)XN z?ro6kvWzh1-TMX8EBuI)`Rf43+W73>_3;1Jq5qqU6}AT+T&^pgd1B~d2c(doR&(NRbD|3U?P+FEyMzr`)?nRSxL^#*cp*6)*3a!cnN9c4L1O+t}kol z%!QRw*R=zA*X2fF27{e4wRcg?{%xSZqY zIsdBf$+eKu%E17wM?A5R0=RC7_4`8rkF@(fX^|`YQUdpUQpv1b8i%y}R&1p?ur1me zSZ8vMrbe#h5ByNz`hxG#6)_*%!}$#Y#{DEO4E9Ogb0=Sa;+_?~6*+F{`V`%7Kk=5} zgB2@ph%r^)R}?M#x9&bbMehsorR~2-Cj8I$KF*$gHtt?^4{R;TFqPv=f+&yDQ7PIog0`lq7TTov}Gb+P2Y{wDu{b?MB-&5^ucp+ zlZB&^!CU9@&8GeqC>5AGP_nI9TdGCBinxCr{yfR_rqSzPh*hi(RH=$H`*iwhvs9{E zdl(Ed&mrsU*3jBT#1nRw_}EwTjIc>%*B;#H$-$L&SMxwBT277sd`AzU zvG~5+lX$rz2uPParvmndANbzW`*A;< z_oZTJSA`s+C^eOB&p<8DY-6GDqPJDEC z&r@B=yDB|&I;sDZuJXtm-LVUgUVin>-lsTj&nZNcU&tRzUHb&Y{?015F4zI}G23Gq zZVybMj%tT}3;F5IxNjksp8tlekDO^f&mez7l|WL-ve+c*QonNos({EUV1xx0Rc`;Z z!A96%9ot%kIxxWLN_JdS`L|W7{~6c62o+7q;)es!ESSLF@PlC0+{bu;ZO)lPrABfW zX@8AP0lQi{TAL9DnX)OW&%jf z+uEeoS5pyj*TgZYySk0T`8FdYi+L2VuW_15DXG~%`$ zYM}lhiZj1Yb=LA50u}Zea8OM^7p6c$)#LvLPX3!%20+_JYj2tsVt4yRT@qjstO^E_ z39z9PG-|x?yWSz;;Yc0U>Ex&ik?3Qh*SF(eOeuUaeM0f95~A}}<~m_BBhx&Q_r_qJR=pa&*$_|0N6ff2-=SU_pN6 z1>=?JeiMswzL^@AA4KuPV-^sxgdKiKl|rV;c?c%RV#w zh}q-};TYE3b^@1)=Avm4+)Xg2IAV?q&44yhg5y2HbsD&Rw;7*}mzQm`X*{b#RO1Hs zm7uJZ(a)>s;MBM`XpBe925{pbB6y}imL0QDbq`4ffy3Sla3m-!k+Wj8&rTVkR-%1% z-XWjBnz1bX`GZ)ZHk9sXCCPZo13M{ln&V@cpH=?{_!0SEbNm^>A;K5n(8U*|Z}e2? zKy0pLLmq!!*1LdAyvKR>aZC;95kMQ12xYorfrrVUi~|O{yDm^bSbg&7;%GpUl%!WSb3t84@NM7wf_8&drzEu4uY95pbxT$*LFN5G{s~nZz|Z`J}bz_i2+~0LlJIdBF%?_ zh5OpevF7|&>iylpb$#6#=aA10L>knF=gd8$MH9%y4xDAI zR|G1cVzs|>6vlmExclIv>63ng|9>C&?kl`&9Xp}T1WCp`unJEb>GiwfKPE*WNNlxp zx3HW6E*s3wLT}+%A?QsIrwR;hq>v`KK|0VDlJ4IGcHS(#Ef+NTMzT;;SBJnS&B%am zE^EuIH$0Xh*2;02wwy%DwK#=_z=ovhUsmm@NX`r?pWkX?pvruDcA2o%Z8%P~Xv3x< zS`>cL&2FA_qJ3*#w36)c6isYv7MLDjUcZ@(ev{bz4l9-Z1-hR{wn0nmb;>=Rc?smp zR%&L&!Ls{iu!GPT#*a8Dlh3;B_?!X0&J3v|*g9004UVh_JLgMpp6SH*JcB23swTjb==2USRIHn(W2LZfq+f^Jgk<){tr=WpLMF`Fg zk+lKg^dso2=$&W;hYVqpA>3^OqZIio>Da-bzX#GoP#4EQ;=aZK zKI@+f#JG8ji}E*kKaDt(1V{-5M`|d8j&@=?SdX*yHE+eQN2R)8M;lQFO&S8zEN4Dlwstf z$;%ii;W=8?&H^|U?am2U*#6zNKuASlIjLK z2#tQGpdtPN#AJ4JI1ivn>PbdA3LPY)bvD}>jUFW+cBm=6acuTuG@4^eF;1eSP2zcmcI@|>sp_c>Wk`bJ40@sDRhGk>9b68d)nuFnzV4Own41&eSW!iuV zbi^-4Wv9_YsE?J=u`>k9R{c%zj|A!U4xYV@CN_{}v~7_aEsAP5J1V1v zY$PJ`Q)z2LQrKjFx6x2c1X&C!CE4(hKmfm7IZxJ^m2YYYu`P28EM~my_%%pH^;^jVj)vNfzMBdgxKnoP z&3sDiPK!&30!O0RmWCu#q)@^4Sm0vxMJ&;E7Tq(Dj(*tATtyEPHej{f4SM+^ah#3^ zOv`oW1kK+{{eE}N6Ca&Oy*-hl|dDWkP5D~4jM%)z2GnE6|77qr^^B-7Hvb0@A618M$eYVGgp zy+`WB&Me9zef_Z8Lg<~aV%E*32-Wtx2nDD;%ZJ{(lLtjA4t$lmt>b$VjSfBGHng4CTJL0;#ZoPA#Y-*U!A)spsg@+yoKy0y`FEBHHMtTLp1D zmMfO{AdA({BG460YB_~DzpdtX&8ZR86OmW_DY%%(32OcFZXK}bv-#H#tT^8m@zrH5 z+1od(nZylTE!RHiOLG61|7`+g@pZDsCtdUoYgs)>7mdH-;O@pDG1T=gKK3a3!*Zlx zdSG8whc^0lzs#E5{c;aXjXT1cP1~P}P7iuj??5T;!7UK3rwXSRC8wgFa;oWz$yTGf zw&M5|LL$0XRf&*{0QiwFtP^Qtcrwh_n~Ohh=Y>)P7w;tXXwlOdjpqpTrTrC;@wdg7 z5jA5gbol2UICRq@ursxJw9ld)F9I?{K4q$OxK4>U1OKm546bg>8Hc-G2&n<75K8jZB~;aZwU7KR^s&VZJCiJ z6_yKUvT2d>o-+gci$!ys<<8O}7qo#obfd&$Hp~`Y%aJl&7RuTY`N!~3TS$*k`9msU z0zIz$GolA=;D9IW8fxi$C4G1Sn~KKb%5}PPcQ~FI@2NoS<&;t}F00N&@M0ioaT2$~ z`9>}Fmb?QB;vNsHM{lsbiP#{n&SE2g(m3^0Vm+GKJ2x7(XP@U1Qk?n^A* zspAfXYbt36pQh}!nZ?#@P0iZK&SOTWKe;JLWhhSgEV<;y5qR84<>?#-O$FP7^3-)XVj;`mnVI|XRp_6sQLGxk`-WR0+ zJ(^UnmAcm40SZVG7$<&CLso?}mze)fKt2&K{0NtPzW=P?7D-Ti{ZQIOy}OV!E2A$=F?+jj<>n0OuOl+_h41J$eF-9$^mu$4C&D=1CZu#a#U_!;FLb zIGks_VPc@5ITkaQ&7Q9bitd@j6{Xb!=W!5`5X5b0C@oP(Ef7J!$E!AQ!D~YqJ*Wlr z5OEQ~prxbzSZ!Z!7)^{`x7H*%1pV4-eOOtZQxNw>x!DAA^wRcbtn_Gw<_N@}CX7f$ zR60lv@qo}X>bISJ@tdPCN(ux;&nr5|q45&qirv{ivawiA&Kkuiw;?=nLOPJt%u}=K zVufB{dcNz_S)H+(+dlLs~galhsYD8mMpZH^y%5fC*od$z_Gh*w?P3xsWFWv(v@ zY3w4?j4=`&>LqSnH^kFYFDKKi)ZLtk@`P4&99AlGfaanL_IX$joo*h^INopxJ&nKk zP#*#tEo&Yy1YWuzuVU1+5&iGm5rl;k#IFd#se(7>KhV7Emd%lj(eUjnG}dRt9}&c5 zbq?T*!Cu3JY6Vs`6MqHrHE)emyNC~X>zlDbXU?-+fXIov3rR)WyF_|BQ;Jv9CRnRo zm({p63#})TUDqqHYxLShVhRd9x*KJ8qJcQ8>$Cfx)VOuzm>yX14Oa@@)!xpcdZ)KH zu?MEk{llU#YF(LzgQrGWK@_538)Tc@q)@3oC*qb9AjWHhI>5Ym;bl0E$Lliy5@wRIq^vWaZujr-AoCSe^ znk}*w;o)@QV}(Tt_7v>{lSm1gtnqJ7gaJ19MFfhMl6;WkKVU4UkgA(gSR z?6Izu*eJ-L#^|r8t<(4r)d;bOVfur-$UaL-p9n27!zmAjo4mjw8)=Ogw%M$f=u)~Dx@^^1sHA3TD& zxC@lOt3F4$aZ2eC)h`~RavJEv&r@pKbGOTZXpBfj+eliYzR`!pqIdABTGq%N)&why z;<$T~s&TdaIsoev)YSnLWke6DezCwvC#PI|DHqqQGrf<*c|xKjiIOuNFw(pau82=wOE zZ!B_}loA~Lv@l{RY~&{s-Ebyv5r!}Ueem+n2;#09)vPt7?&Cb=Y5w)`pd8jD{hIe_ znr{8k%9Y5%KnO#cruR7mR^t#3xo<4i@G;^g@vsp)!>P~6jrK8mDRc8%s=@T|qR#*b zn-&AtSec%EjQ=jt!y|8Hj;wJ*`V7CiLA|dV$&rLf$lEyn{u+m&={rTjg4>FV*{i`m zo4Q*`EHk7|;C6a3EB;pd;{NF%L3<5Vj{6y(j`A?@AylQXkz{=s_C_ZHy1+`Mu|kW} zXtDFUtmZj~M9_L0w}?h1K{yx!h0XS0`Eh#KF8{&FcMlR!oOJ*!a~ELN4Yj*QTxeY2 zF6un;cvg8_bh`)lRoki5VuMW_-vCl0H%_0_08wpSwaclf6veljTVdJko-Z1mclCle zYxDsq;|dN$z)e4A4i z0ymG!C_)EU6JSe>hHN5asqyd61WA~ibG5R~JELt$f?hS2&aVV>XkKL!#>!T+V@ZnhoFMkW*~AnWfxg zV5z;9D^7Kz)3gYh^T(A#rfBo8%NTR7nuCgUb7M{iYim-F)D!_*uj81fCzJgdaCLis zp4Bk*iv_8tS5!q5;B1+0^mBR3aABx+9nDQQ5*0{i9Yf6)qqn8e({fmv10MC-(Xjxs zZ5p*v+Lo1yYs)$cOWhR=BV zui*wDARvWVXBPxn&rjmM{;}P#o4jXZUr(p*`sDTw5mS`-U!ds^b8!-ue(;|hDB#5o zr<#i2NKX#p{sGSBPq{&U&eYc%gdS1m;nZ5G$rLhN4e8>pL z5oPpNpK5(=Pd=Ry(m4sc*P#0-j<5L6mqas`e^*rJXO?xkM2{A08PmJvM{FO&W4(43 zAECtOm&OZGg}PP8pq>AR3xJ)sS|=cW!9)sNytl2u{VM-kd%%UIGKCGbOyJPwTy^@8 zacIiUR8ab8)#mJC!5fLktF@h0I^>`dd&Z050|hug#9S(wFw;QXi~9;2MhmRb@5N3y7j|q3ehgBsJwb-aF)o> zrlwDzcdfZNCO>An4hrI=c>5|8rG#y}YQPi{|q)bpq|jy#mVIIYx1$5>(H6 zggn+>0h^i_f#!i`2C1!wolvRjG&?`YQrXB-ec5{q|;=W($PI zc-d4OgKrx+1y{#T!+&b3ZTpP=eyTHF0wUKxvbuMjRm<1Q|aP7#o8zz++C5|f~kcc$BM ztLR&)S(uNbq|r~%ye7&o<#R4*%;b23mgG&sK$dV{KL38_2y7arO@q`)an%v#K7yV>&JN=@mlm-PXe+d} zq^*ZB1G2LaoYD5Qwzm6m6g!Pp4%-sM<&h%L7?^DhOYKMWj~{^@9g3VFB6_Ag1QY_l zR7q0W1ut`Es}3+? zSMwUy&;xKLwr-lk45`!=?o0KhjjiX;W4E->Bh8A@D^!VyZ62(>7h`&0y}ohlQDRox z3q0nH+YIGX@ph^?itTZqNOSUIxh1jWhD9CkTcvd@%~SKBd8Bz$ag?Wtxh8j@Sj#rB zQyd+*9FM1>FC$tnvS;8}1PggmaizYk7(3^LpG5nzWNHS`v^iv`2a;g+oK`Ezy5E5j zSSXGYo|Sce`O92gd)>dj!l~SC(_i7n%U=uNFgzGKQ+^oJ4zdK*zBwOo$r(!G3*3HI zj$L1t#YRL&z!*ZQYa_qXlg`~JTUic=jeAVzHp6`{42r{S4BCcc97v1NZabbc3*KYq ztmdtkslhblN2Ky-g0+Xw2MY|C_t&-LmtydGPo<6qeV9s(9hT)R^Sd4cpQ`(%c z_is^dOivrZO?MGZ`Qo)mSgm&)CTLoJ0M~Nu79+m(XPh;8P{AYuPW>Z;o62?LPy->4 zivO^>ACqRw_j~+PvY2>IffvmDF-qDs^C-QPPQ~Ek>(O<+nh(!6(A&jQf5S=dn5(;B z&W+>Ap7^nV@Qvuf?NIUFQoxZw_oFxOmO%;L9rbA7U6`zXSYO@Gu^8`s0MP^9iz#Y7 zJA%k05_@_!T_bEYxf`FMzMO&1^Q=+7vbJA5cH8pW(7$U|+!o%g1gSY~OG~A%j4lW( zutrmyMsGf}wLy=np|-Vy4`Y!tlpM*Y@;JJS>MWdRIn_v8TaB*s1wy_+e=y*Gitpa# z@vXmUNT=xHjl*CF%Pmn^e1ART4vy3itwGDrR()<@w0apglxvqB+nA?b;&UqPjqb|9 z>_mjtBXZ}AH9X_#Ntz#WeY0sS-S7az}I)>R#=+;wtp0s}{XyrXc%P>w*AZF7+(y6c`qyQ+0q(e!WbSDZKO z&u&3l7u}ooNjKBG&O4Z_O({xUvHIGuNX!5{cZ2Q<0jf}S+;2utInUF@d&MetZ|p?< z?pOf3oNL+N^F7IX+8XNxV6)wn+LZzc0xXz{UMCWV#cJr(WOX-=N;Kff|GWCJ8Z*LN z6yu}IexP=5q|t!K#a3VDEZ;-VaTL!ZPQi4v@V$tO^>|#!_SCc}#RmB0sA79giaTvA zuhLHxiXz_9)$u|mrE8%skuNmE6=O`0HCumcxU4c%xemXWcahv0i3h?@<)KI>cm_L} zzG6+An_g6|ZHvJ}0CWbAfV9AAKIG;@&ZY#b!iT!rHFL->1XA;@@T_d{UN`U>4;DvM zh(n(p^4x!R6M1AGm;Y|mjJmNeN$Lo!VgRzosa~*h?%)9&s4FS2VUu7mqg?1lq%BWn zwOz%!v!XBrp67FJD+OvuGE%(~_$!7L$v)()bd(0;ugQ~}%teXvW-Aw4WZX)#0(y+G zEdtfN2cOLaLu*-7{LMF6PK;kP(yF(70P(d%!jMtU$*C)Ga}F(74Z0KeHxp)nIoTH` zL@Ge=qGx8|$g(KxM2j^B@5hN-Nu|YdWq~ZB?w@Xh_VDIc+yr{98^6PyKo`YfG`TxK zrvXjDdh5D#fUIcOO4a(A|GN~TBiwt!lkJ;bk3-unI^$%6SBdcdG#{wdwQii?bw!yn zdi#I8R2u(!ErAJ`F&4<6C=V!jO5Gn8^AETy=O-VU2qTL5?+D`OT*`51iIeAeP zIB`|>Hw=tmG8KPT?I2hSmh2Cd8^OJ}URAX`dIXwig#y2B2Rrm-A#mg?q~@1+^YMs> zq~-_R7%E)7$y71p817=}JVvUiilbmoW4r*lFgVAc+%1dQ#YAirT#ZE3hy{bMs6ho$ z!Tb>5MU23!aY;$ESoBPzLNUQ;+qpON3aQiL`^uWGe>no_nt0`H79+T&)5sD6!SUa= zY3HwtQ-pk9zQJBW1|A87KnnG@E{)EX-oi(C&47D&eq7r|uec=YAms@TN{bpxS)0vQ z9B45e&G3jd``ksLT4;^-7mzKo<5gZBohk{>Aj#TL~svO%^K|1e{USIQ+ zZ(q%-&0>^T$dFl&3aH0ZC(&NczRRHqZfC+V42Vs;aAYc1tI&}@6!zQ))FN@&CP^jW zd5&l=+IQbY*n-vvQ1Hu7V5!u+DN^!!QhDEJp4=L896SXifA2C=9GcEZ<0@D<`k&-( z8ofi_vVNGj(UKe8gckq`a1*puP(7nV1V<{M1ho(Qf%l#5q+IiuDOhB_?~QS|W1{A* zL#2tF$AmX#_C(yZQ_gOQ=@hH59+Oiq4<_wDw+zx^uzAZ~TR}x-hi)f3EBs|sD zEt=ZKy_-d)6aI|S{fcBSKJNWl?L@qk+wug!ROp4y4cu_euJyo+e3wLldgh|O%XOd{ zJ1ExwzTc(}z}L8*_X|;)yRM2@Kd~-)O8>B$?amOEfSIlEG5s;C4@Upo zOnaR1PWGQq_I;Cpkr%+};tMScVBeoTu%BV%*xol|PIURZb_)mgYrD-+~QVD(ewxUDHxW- z5K%S``i7R8ZiNl$r|0R3%)Lse_uc5&J9YZi>sWc~KLQV>-ZY5U!e=+qga53fo|M>1&S{nvg zq06`|Aw*HS&8&5aMZ>y;)U4~E5=z&ZIZKG`G6N-^Yy&EPDkK-u1I9hWK0I;k5*~r0iyV$>UiW{ zY6*mH=^1TX3s{IEiDa`tq0B(bSuD*{9fu-T9Yp6c=k#AmPaS;58kdRx zyj}6ECka_GV^hvA+fszpyYF)g!JVa7=Qb9DVMwhjkP7ZXgSyC<31f|b$;{onEI+aORu3GxxzHZ0G z#fokC-I_ss)0_wxqX@NM zeI2)giz{>ueI8bX*}mC+D~_LPr+FoVhov-V`%kbT$E7Gtc+~K4rz`zm z`fdK6*@@};hp$!Z&|Bij$B~SIgzOC(rQ|A`kZ*=t;|k&9(Ypy5RL34OpnWQV)|RG# zLoll)cFH<=xtHAiW2#o)7RI|G01uAHjBOIl!$Dm`F`vj!uV6nsH!!UHxQ4CK;EOg9 zW^y|r@LWp5LbW@@WmGU1E*bex^*g2_7{2>6gp%VCrZB32WtL$wjB(xiIL{y4+==1S zp9f+Whcd_ZtPz3=Q-a3D!4DIjdLVZ2? z5;RGf88y{6a+)>#rO9OExv2JwhgGlF>BplKD^KEp&V0ucccp30?J1MO_2Q=C-Y1#< zk6%PiFS$YS=tuyks<@{otOxl#l&}mWi3sX>P)NnD6c~wSmz=-lgr)24F}*2AnHlY^ z%acf5>5D%R7%w5ZBlyhCR`~T@p{;NpnQGnSx`ac;^Ag15GP{sy?NfNLUuIe(x1w5H zedL2H^AdK_v1$eH3dP2!*AjO8d1Is!MldI=^+CHXbZAi!`UVR{eS%JC*v3j1jZv5gtw(vp3C>N&}xIV9=V-b9b3ZjLQ3~PR=_6^vD1FEn|gy!laOB!E_0yc z!7|V}WOnXYX|->WvcZ(?<`Xus)ORcny^{vbgVv-X@)stEPi5eox_XOqQM=5q{IHFi zxcl7ClYF9fc#s)kTkKNP^?$-9_hJLb#I1HDZR0cv(5u+oelF=}w{Di@y4eAAQbP7I z2PLb|RJ~A@NvT*s&v9kCSgyOL=+}74D2%3pZMt|ip*K<+N36H>4il3tAVvd0E3Y8W zh3TI_jGr|yft`iTi*ZcVr#CH08EZe%7X>@DuZz%0`CmNO>>=ML~dD-B|=u>KEzhl{405R3!V zxG-TVJz3b>MShhhw)`bUUIJy~EvUI~kSd;P*cE;k=TNadMJkbNszF5OmxL}}sJfNt zKGWKsITEaB(p}lcB9*rG*;wQZc&K~hQ#?tx)wd362ahyoaN=7J+(F*0!RUVEvcTA$ zXSX}8a1!(1(Xzl|achR;Ic|20mp*tW?RZ>hJ-iWlNaMB5wn?g3O1FRF6RTLlQwlI* z9kC97UCp%r9$#UdNnNzwD(L_{qM3r+DQbp{VOc87V&4c|+>9>628v+yEQsk`$AsHjjOVl5I%&QNS_5QenA1O z#yVv`98G2vM^mSK8-x!DS~kiqwu)F9vQmgj@7rmBP)v2`i3L0*SH%j)fOb$nBj|*H z?MFU6)OO5h)#6*f)xrDDR~%8X{9rH|tI=#VzRjRnG>c_ zICny>jOHH4sKFTN@-E$a3H&zC}j2@o*$6nuGAUVnsd>3H zGwh9fo819=!h(?g)0wIbCcU`tr}r`3xI2B+V>|5TqLqgk-HnD_Ka3>refRS_|IGBu zhke+$pXUaYe(ayPT;=^*@gm`AdKy)I9MHfW+c)@5Nm0n;4`%hW`)fBG>3%M;0P1NO z`2|zk3v zh?vH&&Ii|xIQV>;31j=Y`hQrs0b-ID;Uhkm9nkF}BI5EzR_3jX#u7GHUbQ(nzFqik=%I2GL^JnfvD>t`p+#)C=mKI48dOi9jPK=t_cI;fD ziJ>B%5TZ7?Bcvt%h<}DVlR3HoN!Ks8UY%q36RGAfB^8S#9PP43&}n_3kwhk%!QO#4 ztGpmxQjWs5ks#j%?Fv|2LqzSw6qHqtw}Wd?&2z+vPIxGmYN&mM2Qh@SLDpC$Sou>x z1%!lEN_}cgpfePLf_j2taE(*SdFDgo5nOE!+!@1o%he<;dQ2r~4N5Q0y`T~Vb&W={ z3Zu^0HpI3XS&93EQvyIt)?IZ6&?(P+J>{0OaXJO06|c*pHhsDAHf`kfXYYU9{>NHr zt?@*s5UP+}B7lM6tVL^dUy+TmaIc)0)ku>P$wBS~m2w%|Gp9>g&Jh{BBC0I#a&jBt z;MiTpZ}*51ja zLNm+PTfv&mFq()p?U9-`r}ZT6wc%Q^1e51HH}lOUUP%+||4L`zMzClIVZPQujcssIu`qR)bB4 zOKk}3l}FhueOcNo4|k+}bP3i#Kb;xPw%T!Vta0oVsl8^Yt~~lGnQwQEWF0#|cyNO( z8?+$f*QuL;`+%z)iBo)SNR|^>o}|Xz^)3eg#u5o}Ie{t$yah+KTT5Sn#(rVgVT=#d zc~DXe^;c%QL8OI!gIw`?cMr?7A#&YYA87MYz&_xSK$?g8f<*VBA)}|p$OZ{SL=oh2 z(FtEV(|FXz>4OwV8|M!+o=Ki2evgAjUW)K4TKyW?_))}BVe#*EwqW4VAf2jEV}ZZ* zWV@j6fake)8*tEx*h%IWJc7!@ACcsixmXvP?i`W?ZN;huC3d11xlg(?&RE*)wD#QB z4@zR4m$uTJSinH1&h%8g=Wrt8(j6~*4xjb32eJ7tPCsa=;-dw zC`G9sa^$r%cWgJ~dF~=$M22`qw_}C{lTk}9s!UmFrSHGCt-!@#r0doiF1>f^M0y>N z;FCz1!2H3$=!~wx+9+KaF*yAoOS53HLh$5=qEe0npS`oUpj&3@eTSf~fH17$lmx2(CHqwU z-eDxNB)=jZ?R|!w0)$@&%5UHBa)H{|bs6`dq(w###WCyA;A>0AtJSsA*ja&H>ew;l z(%`MMmaUOC%04R1zZ_7&M(0%V*pISD#YGoXTwBsms?n1b!wCL{gL7tj8lkWNunrDK z0mU%wNa)h&U84V?+8fkXLv&udbp~=BVY9gh@z)&=%gekTM`ADQAQ(TDySZlYi$S{r zuD(;Z{bG|=7}3@po`I+9PDwas)^lsl0(qlT(cjATua1oywt_>n{l{Gy>pblv^gs$Y z=y5T2!#hkfM z7ah2YGyx8RKP?L*<2|New5kvm0Nbu_O@=gT@O*KQSe@tl%Y^zboTAN(U34f52b6i{{A1F!|0k?** zhzz1zzzKAl{I8O~PMUF*4O7|EK6n42Df{UoZH8##k!eS#^~H9ixH zxql()>oObWThhW0?3wOmG`SeYM!Y|_(TB9TUiHdo(E;(J*JT_qEw%ff^bt)@83=9? z?`NaZXg6@F&L7g3IwF-bNF@VDF6?su5Lgk2&>6pys8k260)L=^l_Fh%Ox{irwS!Xz zW)6q?{~zUy=-i<+k&({>t&v&)raL)^1cWb}t#aZ7qA2aZQ`XXGyanA2DC64)=ug-N z4cTMPTW+9n`sfo$BhG065%5b4R^R#RAc|?^k+}Y}hC6no*8@l{5%Oszckz;FdFPfA zh}l$q$X12*9$R(6e(jKF{pk)5Y9qk{Q!jfkcvp8qvdx@{mD+3+vVk!QiwV^ZmU2C> zmF{oh4&DvIn_dNasDEMR_o$r=t1b4tRl}sOiy~PrhHk2>a6!Z_w9hPivXf81nC>S4 zXP+_41)g)6=YNu$Gby@T8hWnCff^ryizDcZNCS0H|UdU!|-$FUTSmM%N>E;xgKhp9S0gAG)#^Pc+aGJ zs+mTSry=D@=Yh=JB8fCo|CD&mCAH?chs{Fv6EsiT@A=^%6^X;^fp1}0Uo@7{3B9rc z$kcZBnbc*e@JoxQz*<<4yV%(k%#Jk6^2c+Q(H?}LR^RI`m7l(ye_#kHYI&^70U{0C z$OQ>in$ITSY!$x!cKXg@r-_O;9^)RUaL++hb^xrzyJ){H@|*WT(*=WZMH4;lbZ8f` z$21%=6($QsWLq4lS#@Yk*OPk7pqF|#NPm5Wh)IYHkQVcJXVzIUPROGu|CPDewB0n6d3>`&M~BBFgKGJ{k0bz zT{SPo9#W2^PbHVKH+5;jPjCwPgErV*Nptt@E$2ip7qpn5lNGto-d}0>ZptcOJ0EX% zUJi%5n$RMt_-QG1<#!iZ6K|A0Pa}p5C``|3+r^C=gijNO$~opd?4hDRGx}*fhus)D zr1!Yi_Pi|6zeZvBZul?vb4$QnRC<(83u`RUmkUk~SS}}cN2C=fR2zxPOY>mTtc1$h zp8t+!nnP|O$h#yteu`IqeZ_qxmr8Hq(EV%#j=&!*k0)?KgF%P^6P30m>YoyXj2}r* z3{)8mVmi6b0Kxj47aHwp!?4t{O(m`IdSF$*TkwI*3&uJqMv0{{4Q_P?0iMGA!936k zRi(^qpr%EQL)w$$kaql5tOFi?U?f)+oC^hmJr6e&eLf-=(MZ78FH6fan)?f^K?(hQ z+Uzt&2aCZ_hG7bGRAUnPy*^e%ZKv_x;5Fw(rHLJ#Fuc_6m0TAH+pwkZ#k5ri(GmFa z5Gr|pv=!Z0#ItIS-f^SGxeSEv7*y-s=Ln&4XODofIgRJ~PvjyAIq-s5;&E>3vFwF36E*&8iK9CQYjVdu|A+Yt~-hLT&#G@pTrIevc~Q(6N1LLagB5V+jJ z_rsJS6q4ir$IkTEzc!XhjvC&A(H=zW+Cf$-@Q zl)9aTP((qOj5Y{GcO=RebrnISOjG#q)9{S7Hd5qROl+Bhl%@*pZk%doARJ;fa#a&y=+>CxgRFiAu%g2yq=3U<=1uzB@!8kuWv8Bv- z0R~`dXBhlC?jhqZ2>STHv?L&CzLgYy0Q{k!4d6`52|Vsca$zQ4xDJN3pELw{C$81q z*9rLET3*7|F86fHn4MaoO?sv^^VkSFv6BZUNdzrP{aWl-}v1QFO_hR;#Nh`Hh+XsY2vB!8IP ziYZgM*(DNjuRA4`bk=zN5kMA=lPI?G!}= zun$=dpD$Y(QiO%zr;QGOLtvydjU0)!5&Gn)Cg_R76ZDusq`|RA#V3qT;X|&*qBnzr zk9${~tpq_J$-%b6XUYWaP%%ZN->wtf5y^?VBxaMk5Z$wk8ZdQnWBo9Ak#^LJoUxI% z?nl(6WX7Fq9!{2vq1_?v{<%Ou$Ytv*l~eG)VC`=F6dgT-==Wd**-NE>^g$_u%J0F5 z*I1hB5^El$)mD!r5b~`zk$)z4wD$w{3c6990*=-tC)IxQu(`yOMJgS;=8L# zJN+}M=8rA#yW5;-k1bp~+p=AK3B|vG!1+$BH0iBaDvPK1lC_eu*896d{&;H!XGc?P z7>p;8#O;#f-t;BR^*u`=C2YbDU=C~54ot>1@=#M_s!}jKom^=#EwwUn$H5QXPx%zL zH7Q#4BKljgTN#%t_Omd*udVP2=W{Hs*|U)yz=iBT!2FSk&BpIT7P#NpVUVyG%^vj~ zW4F}2f~8Wfa}@6+4oEk38qa{ILElD&O-AciNBCPEE(7EYP%u9C4&7~;bl=e1$L2!# zOyc?b@Z10lji8K&WQ=quke^N~^=_SrN_{Z<{}CXKmTnbaSK0;RNEh6Bi{yZZ=clFh zvKh7`J47D-0v`TuBRY0Vq(k|mp=YQNzWpBcgaOVGoe^HAod1XVp{nfVlT6P7-U&dq zVWpQlvICNbRGm2q_5Z6=sSA^7 zxRu-<)18o5!l{K&KECVBeB!{U32o|cLDO>b-;**0^IPF1?VUEniA$;eipE|FV{Acc znEI+O$QK{s3~rV>6fN;~RQlPv>$hIZh#%{eHf;;-mZoGWb2r2}q=Fmm)C1vXJ|%6( zLASV#jIqp#GbwYi(G+Ald9Z&z((lmmTx1}Si{|2CjUp@dv_EJqWv1k0d!%b$PFJnv zcAjl@gk9KDVXmImO@0T|3FyP6mP*DdW3_00dvv>HY`b8Vj&5#&$Kh@^9}$X!;&;$_;_GjR%}EoprWtT z4~?P4@lFa@ZCUYYmAnAQiY&cJC%S?&Tqw8QGl9%(47eKU9%{L&75keMgsJd#8mgbN zM8#!fmh5~k(x7%Fs|k0#wAz=E_T>T~?4ECkH$U6klj(8pcBia=uYNk$ojx#j$=Y|; zD@R^*z^n|OMQ6TW3wbKhZ*Qi)`7$e37`2 z>{U7kx?>PBI=!>sj&4t?c1y@0@j~9Vo53zt+7c+@YdnRM-IJ>%Pl+d&78NLGu&;NP zw}K4nvDOEM9SH3|d}0h9woMi|bmxxYM!esl!cjU?#TL|(jbk4Os&qnWoxrcrfdr~V zb-0t!J1K{y2Nex4Zd8xJC1%wB7{gq&5CRD#{522-*BK458t!sDpMW1$5%!OEVe%|` zi0|x0`Dqu_^yNY|dR6}cmTQeMg$G*UQbXlN#(;HQ^b{_$ajJ;K@r=(X2_eEe*@97E zUC?!#%&l#b6d@{arLJ}h^p96kyY?CH6ornSMn-pyfe3L%s0*K6=YZ%FQ7blmEP=Ze zYCPG^(L6d~h3?{%B|og6>^|Y<4&pqw!uFHVQis@wGZpM2yV{a>G^o=kYSjht}T%pkNn{~epm=P&%11Z^#{ryZ^X7)>V z`!lQyNbK2@$*zoKNo$%!AS&O(9&+8nDA!!6m~_uRRiPYppkF|fv>vJ>9<5O$4*aA} zZ|&-wNCN)-Ii#Ve@uViG8-KxvwFWE{gS!GlP&hu?9n?f*j4XiZTO9!!-$mfD5u%|2 zVnITX54{Hku@oae$zXI1>I^Q{#!d)c|7oz1!R+-1);A>5RQi}Nnma#RsUeC+G=%?@ zS{Xe^C2v)>eY4l3zJ_(WL_*G>rgsYbkBVvuPl7-9y+rw>)M@NqvMS24@Mht5VC`oT z&LG;Ya8v)H2(hhFc_+`p)K%xD4enkhHpdkzkN6Syj&n=4xR}9u%SG137fJ))2hz_q z3$LwFD*FzU3SKEympD7gDTDH`_N8QGAw6Hcd7H_tb^D8hGgt}`JflB}VU@ag6ScJO zwZA3Wy_&ZvHSqPUAGZ~K-~FgvIJ)p|SjqIac^v0zk;*1CX`wfI;*)i^r? zB>2EIbwOWsAG_7rFLe_b*3K_mQq$+D`p?QZJ_OkEPr?2yV3qkN?m+Oh>y1FKcP`R- z*h(KP>TVFhi%$=~$^SnI$r1mzzHO{#3}gjgwb3cq8o@(NJ@LE^YglR5T5aO)7NLRh zZBBzVr!$8UgG6!~%T3wDDSoUkpJH=xeFB?oAF-9)zk?3Uz)cw`Jlj!NWR!IhU0iIG|hqf(s^L##HvI7dyRx z^UyD>-|{glU0BFcMTFZ=w}J`98+z?}eAqxbi=QffIF>jz#n3uTW_@(SmXg471SvnU9`3vS-S~D4 z;|&EAfFbsOX^`Y&cd2(Bj5P)6ull^*STT$b8p)925l#t|mVFBP%IsY+gzWXG=`nx^ zP|P<7V#szMl*1l#`b5t8P+CJFlPEF{5A}ebb_B}P#}8abT;JTs?(#5b5=W?!q{pEm z{H1(pAxf?Pk}PBU>MqLJZpbnxTItdBRNP;GfYo`Y_Fyij*7^i7O)2$jPoN3BfXjsy z;V5p58weURW7iLE9~0MM4Jx-X{>BnmA(ULi227D25A{C8hBWu`K?ndi0`makQC-I7 zeZ9#qYL#DLjD41P$ji3ckW&8oaOspLY{P(Rv7hP8`|q2VZ0tGSzVqk?&F{GjqEg`1 zRX}h(@`(*10)ysArNc#Wt2v#LPfu`KP{!wQ0>vP9macn9U*7LHxl!G4(Cq&AC0og* zNfH9gYk&aA7}+kNBwGJWrOFDhUkGl1K5qgYLzFaHG{+I6$?;v0yOclMQH8TDYL2T< zblZRwsQiJk=VR-%M^<5#aN%o}{1D!fns+G#^)Y~K58#o3@CpWLfeNoTr9BVIE6#S? zo*a9YKCbMnj1D}z6j%{k0LcG;WFa>Lny1RK1mHteyj1WRSY+faTb%na%w}dJ-fqnE zX|V9&iCFOd$HpPN$nAo00w)5_MD$ri9F$U1@K2isV-P8=lbp&PEqfjK5bQc3UGC1c z#RsM=siiX8p(P}%x94`FcUvWqy8?JkAY!ErOWPJ)tzC2SgjPp7V3#i!H`+Re(vixW zu}tlNJPu|y5;o!yirw}Xb1Fd!^M)uaV;JPcXWE4vu@&3OwQ+@7z?q@D@N=JTu%o8D zng7lYnYNgZ|1AQi-*_TK}Fz&q1D2SjF28S;a?; zfz#Ab%Kbp>JlD(-(Uoh^29Fx8*a@rLK#M0M`kmIp-b}(>b4&GeK7k!JAa)|rwW~jt z+mv~=h(OcSx2z|$*rLwUT-1x{dNY{$Yczx3S}!l>d+Z^X`15A7ty0pQF?uJT#k$iE z#ZS{0}gmuuC#j^ijRKdfhgsKt6?hH_EWI z=3BXy5#&_aQ#S?xnPlTwFm5(=!kG-;dP8*ELvA(P&r5{*qU+rtrCh^4SBtABb8XNO zk$wkza1|%IZ~buLZ%K^RRekXSlM=-18l`g81JGUAaj1#XY~B7LeXz8bdm(;epgskC zNeyevIR83e1xVPEi^4|dW!hUPez&-I?VD_?Rnv-Oy8&oSY)HsQh zT6vJTT=+=QZ?k8=R22`sX0Bxx``=OfIO|52D2bCwidG$r@wQS5wet1iomkmd?IKZo z&)0b90>#JWTm)_gwdkfMmWeXFkMd-KioD4m$ zVauj;pqkI?q{&XQy1V}urR*s5o(p}8%^Ir&VEo{O-Gx_Fzya#8+(CNZ7;rQuaqK;6 zau0cdM-C-9jf+0kn}!zm@rPmB-o7+fS;d)q;~$NGBglWXT++BE&`7wnx?OMI{(;pA z37&m$4{eEQUSV`!v|65K2l(u(O8M%K9gx{*CDP!D3VPesCLo(^w#sXf2DLV_b zOC2qvICW^~xs#!IvPk#$1}DbQwj=s4)9aGF*d$#;J(Y1h=2PlLmr)u5Z1!Dx{zi3X z#M|6KtE&ff=M)E_ruTvoNMpNxXR+?lowwg>M)G$4^n^7y-HMWr<>f7zM(RYs*lkVv zvr8%LR;3@$9EHQDvg1sM%gQKR?3QY`D=h4`35-2H`mx;0qjHlIu|K5;4sweFi=wVS z*cp-}v6ya z<=VjvqU3M3??{yTGS~NT4uim+Hdq07FTd8cPq{Mw+r9Ye;wSxU-*&ty6b~;61S(z~ zA?Vn*8NBG5FyJeF;Sg-pO>4QpP1Y%K!g*si`l8XJDtVA#R*ccIo$kJ;P{Z{b-(CV* zC}Ws~x>x__HnZj4**IieGt+5T^R#DLB>uK#n=;$ixQNCsatUaxLFx3c*batsVXPWf2J||J#LUY`pC7z_e>z^1zHv`cfMb zQT%m6_$;#bkSj^ZKm-ca%N~x3)=eBV#|Ol;%&FWYKpHWX(x|h_UVfv2%NAQc2A>+8 z7l}?|Pa*xuW#!QjCF$<{)$E_`A7~c7E}i||-gnIt{U#O6Up{f?&6Dmvi(kABrT^7M zNGa}*VkYSnt46jvk$Z&J&54?)L>+r%@N4~=r+X%6YRD3zwW0D+JZm0a&ZpE*nsgsb zNBcdI0sqEFRBv~jS{hxVU6>EVJB?)Bs6P~+r z)P0#ZhWygO!@m}Mog2tIS%hTB_nySI-zyH~Gl%j1o0@65`xosabk9-mEe$#yv8t#+$xmlggAI(@79O;vKMcoqxQ>jmU3t#Q zR+fTdd?z{j>jvS+#jRVK^Ef*U@f5ZvV^5ApcO$xpjv)JQU)|=rqKe})Cs?cIcJwal zY!6NoCwK@ythxRE%GD~jU}c2#B_5@=#|Cqfl`IdKv{XXd{>sy_cOZ`Hjs#bY+!92o z3x7nUkA1hkU$gbs={svoB-*Gf-ZImf-uj-2v9S!|on^ZdZgw#if|wqp-e%EDO}|UAS)+{S%r4LtsH)7aa2rLq*|duY>Q^V4ciDja*f%RgD^=kg7bSv!?%=Uq z6i2j)MblQ?-#HSdo#q(7(t_FM#y4%P+)|73Txj8=?* zx;BOHkIvQ_uR2hVmikxZqKZ7Y9_@LF1`fDos*Iv5=$M0;$`=E66(jfWveF1fA0|`4 zdb|J_n&o=_^Ea4dbXUuem}_I37PpH;V;cT{VI?W^U!CTcXpBTN`gIkd^k?ebT^}v` z>(}9{Zest1j*S$wOfpOz%DZb^0#S&&l!*-3*qGaHr^yn;T@4&@zUCkITt6E5ng|qcFJ)`ICaO9b;7d8! z>@g3{C;2&H?Z>wYlOplpSmQ>vkA6sv4znOLv5dMz#gX1z{dig_)i3DPQ;jhoZsf^O z<$Yi)a@jsOqkD}2um23LLn&}(Az>?rbV0o@T5bY&v^?+Z7@{+NAxM_i-~OMi58xJ7 zdH=%;&rnp3?93}_!+^2I6HjPIhb0`K);XLt(GUF4#?oN1P{^O%EL%mEmcw^@yngO2%QW26Y>%@_IwIS zB9K~9~K|cksUpYuVA2pXF3zuyEM@E~i&!Fz+1YpvH|V0MWck zYN;?D&p}<#s~bj979i*zZ!>xhEKP`u6I}P5 zQxjaJ^Ss7Q6}ghad3VwVY0y0R0%nz;t*%P&1~?6LPepn!ZlK;(sY-+vr#=h0pdSGH z^2%E|*t*};H^@V5v1GGY#Gm7NEY(rS44XVE{WWaj!|%(yEXz~vewVvQrTr39!u-6<8yU!jS8JzwC9_>IfS88jba zCUcSQ-%Z4e(`A#%!uJu6R z`5dqSZB&cNv6!$&#$yLI>bOz8XSG~Wfq^dw>|Ujg+9y*8@fJWq+->dFbqZPNeo=8RLuy{Hi}NGtD%-c%C+$G1i}2s-8Eqo z<1TzZXyE!;>l^0v8}GcavMsb8#Qcot`{wFRmlx*Tn1}U7?-VXfisRr>k z{!1k>)$xCEhF&BjLeFU?6Hbto zVsV+*r(WVZe8i#GjO=qEzaCN#mL`owYd5HegxVuFWr1i}rVmlO6PO^}Hrdg#Tv96e zuXuo?kGv*Gi{+kc*4bi;ycxviviJP$v)OF_va0>tu-x76$QEC|o7qEq-)i&yANzm% zk@vTHB;l#RCNg4B__1O5>5D}Zu(P-0UXDxsK%>-WR%oAPH+baQwF|mMk^k~>V0F^1 z3R(Si#6g({T5JE6jOdf9{99pbxMa#5N6w7TZvS>d zJkYODjf;6*iaTCk5@Hk>+AWNYZG7Sym$ThVEKeKnsdf>Rby=oq2gl>3r5^--5Ab4m z>PjPAq(w^p8@2y$HCge6Up4V1(2Y_y+u&7LU(f@${D>A{m^r&XS5BsbwE+hHdwqk( zBrFJT-cm;fv{PB8yRtvwk@FUWrj3iqVvca)ni@v$677-I%||o}8-A={l_;!YNo+x- zfXIlTd(s26X?olr2?P6Gy(G^m3e{%w)9EzraqS*Xc5VZa2Q&wsDs(SoedaeZq5bO7 zhtKBsNB=eJ-}aKNZ^K4q4vdlDyxk}AC+@SjMFBxPPm2R3z`pv}A;5-YHH(=)s=E(% z^hJ{cw8=xr4(|)dYSw`1`!X9R@z;gL{S)Ng3SFk%>b8+^`Gn;22?bkO11yD15F3iI z1n*)(*?lHl7?a@n!rR*j+ZI;DTO%v5bA}qo@lXRMEgrvASnL(~Q|@W7i8Z zct!>o;JlfE!&YOq0e;UI1s8@-XwXo7o4P;-7D~N>M+$-EvLr+!3i7e!*QSv@rW~^9 zZio=7Lci^#SRsG)88NimX~1G-BYbz>Akd9x?1oWQjZN(uupDl^U`-6{5R#sVu^TbZHH9>C;L;yQ(^1`22ZA~(E1W)F7;(!BAft9&eA9c1h?!Lyh9Tz1LHzUPxYPaJ4$%Z%h*p{O6=muRQ2Yf2&Eu#=2O*dlEHsi zA}E;IYs(DiwZhMukuXbmtekw`Zs^=FSYjB%Jd5b_#*w^nO4fyIa6l8TD=?0_MpQ69 z^OB{gpYaDey)c%6O`1c-}q*3uEAcmCsryAXquExyWp)auINSMs@v z-9sbAk*nt7-eWkH=a^4bp_>^|$|-DQE|XEz@mVR0&QX5akk?%1wO`;!2b;b&-0OOi ztaZSm^`>3rAeF4b3p8hI<76%mhia2?9HtHV6+w%JuxJPWN3;mrU;d{rCCb zE%y!jeqfKu+V8YFgKcuq5h_SD#@3AJYl|mEgfeD_H)lT6LP2L?j9QM_!G zP2%bWmKU116YNjMXOpi@Fj*R{d(L)loliJ+ajB{EK=ia-W64a*gM}Yc`x7U*ocg$o z!1#@%|LRc?^a*}S^zA8?9kOhE5!8u0s#BQ3zKsO;p!V48FQg{<0W=8z(zNEpX-N9z zQVW{yHxNqw(#&D@^)Vk^GIwLSkha6J-J%S86!vGMD!86FLws=s<0N8>&BALT51usZ zE>4J?1u3t02dd?1Hj1kwa_dELQ;CJpK4>p^v((+w{)wJ%E1RUhw$(*iOQF^+vg+>^3$0!y`Uwo2XoeCXC&~c9w6h zOlG#OQ8$>JY7jqgaeI@=44~)Z&L-@L(@(ub*WSK6Y;t`c`Pg?Z`aLFL=h~tAWqh5t zz7rlf%$1qoGtioilUR=X&gw&p{vwD{F#en>Os>HZc?i;vT*R*1{idV|Ix0lz%=dOR z|W7GpoZmsEd=k!TG7N0*-_F*`k(?2b*Q>PJ#!`Y-Cj@}FAy^L ziskWtA2$09EXWiwpf>ql2gd^*?I8fx@0{Atkj-@C|7&PHdn?@c1&qHkm;`DaP?2hL zRx``LRV#Cv-|8SBp10IH;3+PSx6R$FQk2lhqG;mHYSWjSu(*%6Sk8aJR-O_pRFzoJ;Z!J+}aG z_T6J=6{Ux zn!R%5oov3hX4YYL{rfpdep@D~2AmrSf_13EcS6|5iirM9k@DKxFBwzR8wvlu5>hpU zy17eDBlK<`UyXUee#dvPr8~&Tmpr^l{l2E)~faydt?4-$T)T17fa7g6&+5xYw2Zq}u zQ|+qXoF+*sPFqeLNXlyn^>>Xkoi^bN@-lJ_X>IXq-47WnzGg7_Revs7x%N#}_SH&a zVnC-kjYD|0XI{A2Ytqm<^ovh)a7|kVvr&pYn)q@?x{i^$%Kc+Ej|<{kri zBW!=F5pOTZ#hLdUTmStH3oR!GWTzdOqOQ`(ks;-4P_dQx9Vjc{dOA2bc7=OaO9vM9 zdG?9CA=`As*xT+vu`A2(fHHEBvTbdTkPehcT)pLxtJtcUDmP%6Q%`4-r-3|O4Q%`a zY>t>5{gI*!Er`lClih)8$l3`XMO0rLwTQgA-FZ>|sJlacGttAp^TQrATlj_3N2RNU zN)a(~uE)po`OvwKhZ_aq_hGUU3HU0iXG>=sOd}uq4SnU2n#pWk(AmVD(td+OsH$}% z|3cF7gr>>j5Q(zN|-jOlfnW`Cd?Wu#ETg z>+;Xp3kY@;E5sgSdH=N*6b$iRG4HTTp?K0VXGo*bEDPkIRoG61d=z&5AB$DQ$U_+S zq6#Z|Opl%whf5ejN+T`7OTwu)WYX||c9bZI$0e`fY2O}cV>Jjw&7LAI-ao}d)2mZ= zoV)!!t{>Eq8=Z1Ba(pv$zLPklERJ!n+x4R#8@SFarptvb?h{#8bZizV9b`smbC|!? z^zLVS#AZZp8A{2AM_eHJ0C`s5*;0Pluk>r&$3zG45-r>4}1Nn?93>WCa_+cbEQ_jP3 zvFoTt)0}!1eRf~;L1?MY0Zcx|#yrpBV>Krel*Nl~%H9z62K>(qJFv^^qZdf&AjlDI z)o#Hp$aor`I|lBD3I1=7d??9%;9f%dDMapFp=I%vM;l9wo-%rZ$$d2a52GK~Q2+;i z-8QA*9S%7P8OxBt5)O);Wd8so5|MNBQ=1mNn^E5Ov+;J@ zjv(a?hG{5W+ts*`7I_v+=5|+JpVe@IXp^-#TX(R@4GO(Xn@l!6*XbAS2rUdBEiP@g zw}n1E!s)K9%VU}f9(f}0=EYZ10rMOj`m4R5s{QSl``xuU==9>Io38Z!HDRgQTH}Kb z6eT%9`Puzv-MVqw`C0mc)rr%bl&kHxryXs^ZZ^24=F=y&#y8z0-R*V5LoFk7=u^ix znlN^j7LjV?FU@rInbYx3RBwZu7x_m3q~rN_S$Rk!+V%>n0&HGS5$cSbZGFrxUN3zg zFqndN#0Or!kV8L{IUVm>xp2@UeL9}K>p{x=Cq67UymX&DT)_s@%mHTOei8f^6mK&1 zH7rSY#Vle*l9d!}aJIoB4?GQR#IqSEFq;cbGRae|S`|1ub{Gv#zrtrI5abAeX36#i zR{r1~i5_-Qj%=_RCaqnU0yiUFq%Km!WqvWAeBm;TKNR}4+ zbN)x*K=!=$+|ADt^C2b$mTPXAQ9Q;Y=|OMcq15N+BCT-`NtfuKon(VW4fAeG0mlq& zv-iV}i_KU$q?)Hi>b8brzdh#*qA_g0`&@|0a+hjc4XW?7yj~{mZ1wCA5!I4g>Z8=o z{6xt}d}DNzaL9P<9CeDObUyVn(cnU7ZeU~EcIaiQ)GhXqsQYEOxl^p z^{6x2rctp}k|F~ZuRB;JzT`bpk3Yvp@M@n0aC?NBX4ppjFX#<-fs@HC+}n&qPj1@% zX$kfOVB~XRZXhA%pUL^P;7h!B}m*dW@!ILw74KUOJz`3T~s6q=?QQauEjgS8Y>*b}Qu9%AE=o`vEV zKc&wBgFOh|7EkZS6V)f$*mBX1N;I3^V1~8i(%tJM#6m8~6>a^Df93$m?&?CKNun_+ zbU4CQVIRL$TwPI#2go(@>Ep6(-`L#&SKj)mkYeb5CXcD>o@s_Q_vVmymh!WU>Ekh5 zUd#u1zRuAf^F6TUU0zU8LZ+2ppH7EP{dO^nN##55cI9R#02eMY7v=rbKyC~=jR&^i0iWtOiF3-$oHpO z^<(ns6Ky+0B5x(_8e+7UxWg4q%sQ1ssPdC%xv)w>Kqt3WpB1xF`vher06JA=fBLP8 zXB~wi>UJ50^Qm6x&wX?0K1QUItz+_+j+)#7@DCrwj30G5C3+GaKgmY@-_oUptE$Iu#Hqx+`(6%Sx{AUP1o?$V^ z4>f5X$k|5dC5;ZgFV47?;IAm1tI};?59Tv>Rp~@}g2uU!zP*;gYl+1QYUca^vTS_g zNw|@0BN~U;+`O7|UYva2aI>Xo* z-T4@|F+)QLn5jeJgaQ65%=OIfgGzJ`oQlU+?lkfG;<}!EU62Ec&TIRXVK3L zEIT(FSiXLTLU~-91C>o`uq%GRQZA$@Q_(B)b?;06u_v}e+Hs7fzq-KXWqtjzdd2AY*GTe-^lPr^7wQh8i6fE;(~F)|`6HLB zRp&-DiPxyDMx>C1(Hm{^+ZncXXh&6GM7P*(3uLlzU$e9Eu0yqHbY4};nBe-RrOJ@kI?4x1MRctv8s0hIMRAx>VXfzx zqbJl}JIBr^ZXA8s6Rs*jX}L-dkk*f)6B6f;rdFe+cLwD&-2B2XvXtMl<@F_F;obqi zqg|3>7HnYgP|=udm51d2y(qA#mWKszwyc0NkHa1%Hug{$GdwpHr_#*FAV|05>JdaR zKeVrfJ`%U;WI@r}Mt$$eIkJy$@tUyY`eU~4hIL^(T;q2rGggPX4BZ;L=Q{|M^5gWZ zqu5Hg&%U;Fu2{i6loFOru?==Xl)^7+o2)t@6*ZtSw?z{pX>Q}^ZoQ_bb@IE!PkooB zzZ!PS{>|8MJ@)*)-f1v->O1qu(s+5Q{VH`qSmjEWMQ-csI0Sy{|3ZWp)2^)U!oMHn5GWD7}y(6wZ_x@7Z0PFbj=xPCXadBZV<;LMt~SQ(3Fn7;q~VSbbi+eH9xsp)DjU9>oOaIWUTOuAm!r%z^XU>YbHU%(E0S%R1Nr9(a#`T1uM(zi=uPd)OX-_|nO+4S;K4mg%hlNBR((ed6(D|%^a zvR!sRS*KU|>Igats+o|5jvcuJg$j-Lu{S7|Vc)jch9okxNXMs`g7CtPavv1@4kF7e zt##G#EW_XDTk2)`n?moNu!DGN%~9w%sY}G_o3TgT5cpGT+EN3@SMl$@qV+cOnF7=5&aPTWL!Qs`!6fym?}%JQ*|oyrpvE zr%C73rLoi=yxEOg?N9P z7n_}RI^H_%&u0>1E2Ec;T+n7O6*3y+hZFfXg7^+s1>s)U6NYU>9jz{3$9VjYUJMoxRyHQK&t9M)}M-- zL6{}VAPIrJk0-iT`+5`m)7SveEW83^on;mBu`hqmhjyD4h{FLg5)9_bvjMLg!uh(3 zI|x<5vs|e%u!IiRETci)X{uKaz>l#Q6s?x4mSXObs+8DzXocbOMBf=?D;hINhyt6y z-~99}6*&bhV)3of2=o9TsOF!y5$}`UZSXEc)@#nKgCC|YJ2X_m5%)9X_fx%l%Cg82 z(}n7uX;r>2zp>Y+EprsH6vH!WE+m?v_&u9T@~=LsUpuU(_!K^spXC zg{yzrBaU;KyfT%m9D4vaN1cdo5I;R>eV+CCls?De`V8wnfu|iyyel;*!MAwz>VJnX z-W|s~| zJ?uws?@E2^Np%l-h-c#M&Bf12?ZpRtHn}OPcb|_fRZK~N)j|H~P6N8dWqn)iBZ^{+ ziih?GOc<0WSu2AuQc>PW4tCGAL?^pqMTp51p>f@LFPhb|c*C1tAxSpor*OkM z@ouc$>|73gzS#wr*FzBxQ~lDG<+9~5K89CA;E=?cmk#<3{5gU+60oN#h z?}Uy{Vp%@LVDn2HC|F^%`uR3C%FQRKFLY=$S$4o@;i(aCnzBc7%u1P0Ki@Y0f-Y{i zB;(Ob+&*NXLseoM-3fFMbpfKV7Q()U|H3nw3tWL*1#|3Yj{=~hS`(hnSFRk)g$js; zOa)e=_+!3Z#3-Sk)=}e0_RjX8*$M(ntyOA?#@lY^iJ2-Wdw2CP=?ydctOUDY%6{t1 z#pM`Pxpk%Ji2fs8tVJ6$rk!L*)AJzJN?M#Z5bIg0vw7L_kxFB1Z-_u?1?RxcRFI3Y zd+^JwcxnS_f+HgG?_ql)r;I3eIo3^aLHu|p8K0VIYbUTa;cUP`b?0n{C_p6~PAgq5 zo@NRhbkrCZ9}qKLKX1JE14PRt5klsnz~KJNlP%t~q8`1LyLviv?}K&D`R=kbA#1r) zUeuJb0|vDb@_^oFhKF`9wwk&c%kc^u7nb~y5!#A;LZm44-Efk-V_OJ0aGiQGp5qm5^ z$GcU3SOiT`5|Gxn+O?K9MzZNkk6qBYSJ{b$iiI>Cv3&yl-T&NOcI-TFt_xdZNr zza;E6Ef_0|{>_-7Gu9I4MYzwg-lSt|7^~}9+G=klZi&9GW0?M@tkTOTV9HINOqjhz zSmPZDM2hsD-iJ2{gh!Bg>}i4adE(6=K4l`064~Y?-%Pkyf^Pi0O=LOj(tV3(dt2Ma zTpTo*FCU3?M0O)?coh!9{(d8L}e2( zH=2 zqJrp)evx9@6ar3VDH?X8QvlGqtwP7}xj8V@5Va zu#PNi0FK9uaKK_%oif+A@G9#I;_N4LvGTAR2GK<@zm!<(=jkEd;^N--gj7|6+BfPG zbnaTta?pdQ5auaSitL6aH;-h!6EF&MtA3a$D3rem+FGn;ef}U4eHikVtJRc{XZ>?A z?T!Ubw)_;+k_z*~kZJDhqYS-8WC5P3kTZ9`VNX#1|FuQT8IVtUFUjy^7m*mUu%oyLfVol5GUOx2UbYj? zQfN0DQ9B}C>-?x2I-0zff;JsOqBRNEOG|EFjr94Me9c2_RlIdFa*vw1-4Jal4hy>k z`TmNST-kN{2xYYiH2JEjoE`Mot>G+v;n(;Bljc9RE>f;%zxhmG@#RRe^YOU_=7=&V z`UD{)R>z5gE~PpoE%K=Z1x+GYs3% z*c!guWGNI1LVR(|g!Kc8VV{RQ6=u+9#^oRMcKE7y%WlitQ!!9R1%GJ?zhRCB$#`>@ zIBfiN`U>0A^6QTv4l_O|zLt<Eilg^=GH(aD($>g9v32 z5(X#nbT= zcX@NTbLsH?U}q0W1zNo0AuWf#RK==TW@3Y`y|A+_XAWNx5=OoPZUd;AIIK+-tAe;y zh;YVZ%cv3XR5bJeSi%m+EMd9xJWpbF1l$JpT`NU{2Zu4X9t30r##5J7>YTMoWaVtI zSH-5(5GsXYN;l7xJpvhFqThxdD;hRZqumE6wO*={9G*?yP(5D9Lt0s^)5`M)yiAcJ zuu>_HlW19+VMf{!<0un-;ddQsPAl!eJFDfSrC~Oo)cskV747bP9%VhCXZCe>G7g-1 zE3o#CIDvO^(ickwBC_;ly5DW?{O+)kE5uYuHyq;JeBK#Y5$NgFIh6IK(3dBqj1vRT zf9%eC8Me9y+?1DrFuQ|EzM+?3_UqU{=nomc+}j-PO&ihTXp-;Sw-B6A^NlodzUT{- zf7rIlQ_ziuqEq5vkuVYz7HxK%h(RQJ?rC$JzVA!NZ2gA1*Jin%CtA{TVMkDdeWM-m zPo!oJ6s}*~SP{>v4FQCA7yvWu_W`bks}PXQprB;*bv)j*&b3b};9PxlKI^}#`ad#-p41}Y8D zueamA^ct$H>t`-5&6~oDAq;%4q8lZ8_ACXtq*Rv3gNm-mrtzjvy1~193B+NnZgG?5 zUD_GQ5xNk26p}u<$r9A$z-7=<^C9AFYPuQvK5#2paa898>9fFbhi!q!J3|kx7JSfa z)P8d+ckPZw>1vVo&7i)Y9X=eRSg1uzxuH!GD7VS_dFP*W;zBq2?k!Np8fn`v1~gfB zaH?{!0O^GY&e9fQ)ltYCz(aI+Aa`-f$IDuA#-OecMIPbz&@LdSE7XVHGgc4#<5YRp zzR6V7vnPhb=`Kb=&mu1sr*$iU{txpIsT;;Za(P@>x*RgA zAliQNx${%5@`sRRG#l*3|Gwg?9*9H;jwVPyy|D#=7XVyfT(Kwox{&nGKZTS*2nhar zs5ETbt9v6Q9LSP;6F%N!!-YPiL|Z7ZP)EEWY8M8WT7#@qv7WSqi`#{~!wL*uT*QVo zeIwhZQHo-q4=SCr`8VFC-j+G-CaQwxgqpNiKbOfQGz+ilB~{h9wVW=r?wBh6v|OEh ziuF&*tC--L?Pt{9H#@WpJgfkx8ihp#m&RT=v85(<#|bNwoot{QM9j2k3r*0OHBnP) z6CG|t*@~1D-Ac2mRtp7#&x|QLJP@Nd%wDQ?i_FX-tuK0mIV^4QX2Ii^2yMI0vE^;R zLE$na$CA^q8HhGs@DYI^JS2L7W9|Hg+aq=Z1&xYRH1!@oj{JSiyix2By6?=uOY1z) zLsXZTtJhW{XnNtd-#p?+f%v3xo;;EGOQQBf7?<+bBC`~g^@3u{{t@v zwugK2K_SUp}ASgC_ zY`LK9$zQAn5qb!*EhLZQ#badNhK=j%Iiuvo3|z55yr|(Tt{ml_N&w{x=ia*zRq=TT zPI7-Ya2TbHUsnayXd&K3In%{=_V$$^XxhE-A=lt7Dvq$apO%?j4-||Pt!lS#^<2VR_R)lX*pLbBMn85F-!Y|1z2bK z2k}CdxH_FrGpNKDT5{+Z}RAGfFoqs$GP z>$kPLF?7si$+?Lh^5jb_KY8+#6XKx93I6Vr>?M0(QJPYpoW$JFg12S%a1K*b2I^bw zcX`Zt2XP52dZ~Jkdu(mZBT`?*GVX;Ie1leiDXtvc5{~xTYZAW zNyu+&pT|67-MRFg%mQ(vhkVZ$DcsWZSqeC7Of$a74DH@OryYW~Ru8@9co}odmJxoB zZQn68F(b~w+V6C&+Ty}9C*Oyfc%xbZw)UmoaGz-v`I?P|sAb+~FGrvJUT;+rD`swP z&dAIlLcofB9@E}z(Lsh5?h;&qN31cfz)zm42@Z-mQLKn{Liw@F2Oz&V(LH)tJ$w+_ zaZHg)pPSO^bWYgXbI}osc?HUzx>_Hgi`9_2pq^XU*a=yn7%BN%6>kJoA+^G8g)TI~ ze-Aq3b_AY@d?fdiT;X%LB8rN4RV}HS?B5Y}_66hf(f{Ti+}){lf6qnb&z`Jol{&6k zUv5M-G+racNKD=F8Ax`7E2GdsC@an=nr12-2;0R-8SEQL>^q|PmXNOG6Cic8 zhmP->#;&o*bBtp%&wugymaP30VI7-)Klgj2n*MRB8m}eShaLAIWPUX4AG76r3Q^bF zcR0IPSg81|F^?IRt(WNsDAN5GHXI8bKZ^LZC3~hU__lMftV%#$L_I?U53i66itq!_ z&bEJzm7rFDSnbINPk&GzGlz71k@g6mUD=z|44h4w&jlB=Uxg0}L4~cNEo^z%f9x>r zl6afkj}9fn`MDXuU;pg`fXAdwTyT9ufon5(ydPAAV2xQHfrY$FQQF9`dLDum$y?m{ z>*q=9o1+C1W9gSmk{En`>#LA=_+29=r9%{T-`;ThA~fbP?+iXrul9m8nY5E%y{s?} zJ%~y^kPLn5Th`fj1FXJ-2aciO{^B+DgN+ng^$adB-cVBgiC5`fY zM@({3r0nMY$b|>??h~2Qk{hp#4Pu(S3x>kp;pl_jdu~b1>%68$_Fat%a66u;KH0wJ zF~!}Zr(6h6Tmh_kDnBJf2I}s7EDTS&tzPK&Kx+VO&k%CZbV|3YC*=_r&4JvI2!a)nw5XJqplRRAw{e zP+;e)>0VEFJ4GcLxB~1tH{{cg3Yt;|AxX7mq$YlM*C%5_u7m9?){Ayj z@0W8URsF<232O7F8a{6vqKen|asEOIH0=m-(i33d zI3X&O#&gZ^JGgzewR7$iagvK_*XH8#+n5O6Zx5Eti;}*8xqt(_sWl6JDeI@QUV36 zrO0W^do+W+hEnxL{;AbJy4A?f1z#XO4!zk}_BNr_Lq2l*j_#o%sX_G^h>=3;B^SI5 zjU(i&4!c}|U!z9?TpQyX8!a~4c)zwBj~3gf&s5Alv-wI5~!eN z$irUgMX2?Gvbsm#FTHJ#91E822PKD_n1@{_TAep6*prX^c{kpspu|^wEKj;1I+em_ z7&T5AcTij3Nu9v6V&AF~`mYfn3!I;AcBgg^{!;RbGR=~TAHY2j=v!A*Y=-v)x=O2H8S%LlaNZ;-2!R0w}dD)klP->RuuZu<3~dyj;F z$JVg(pJT@ce1b^q9k`}D-@g=mSeIQ8kSD^^);vupR~cE%$?1S+I{U{O^NkIw$Nmv9 zb`V@i56prcC%a?zsyEm_X@09I7sa`3M9Iw>)sr{4b&{k5Kz6ynzEUv?(P0K&!i!!m zE&$?$sq?#MmgexX$O10lnB|}7o*P2zfhT(UgM@5o(+Y%bj%_IX)zfxF>q7#WZDVnf zS!1V@ku8M!z2ewdR*d7D|InSq93!|#&H)f%U@R7immpDLtfl^sig89b}J$sA%TyH zbqK!j4z;&>X>-{_!dZ7n2W1Fxvn5JDQZAhV7jOW7jt8bFgBXslli1MVrC91~?kJ#H zw&Hr=DoXc(NN2xQRUsXL4a)Rt`Nj2ypi$fngiTjiXnXSAb(th6 zFRC}};wmbBVt-oxLLy@P2OF4*PLyy_!7|#Suk4jkv7Y(XDE`?PN2GFi2K1iJljPAN zZqdjcx^D!_1<%1w8~OdxJ$BEN8GY4NtEXO{Tlq?lj!y>q_`NcV}YqnjaHvUwFu~#CxySZ89(aGT;KbnIGTXPOF6(z&yLBSRpeIV6={{C2myeLEtSkT2wwrC0;k zcYMGzZxH2CAIvjq?{`1YYzr%G2o|nLxaiYB}4>{_Yw5x60Q$X?+ zUB?R~hUk>tp8N0o-O!%p;_D|AxAp-g&2y|5OO4a3g|&RAkke+!?w8u9DVG0s8g^WK z!?sbpe<}O-M91-Ui>FAr5>31_`-H4$I-HhvS1;BfHmKRnI0ADF$Nm-G6-Pf)EVUTQ zp={f;d@g7jbcWzT(JDKO3s*ni-YVcBd078i818}>qJBM~1k#SVL!ZdOy?LTq@Fa>Z za_|L+t--r?QC`1$D~3K-FaP{$@*yQq>Ic%menOZPf5RT{(*?n=A{;%GHU%oGq*VdS z!tu#hl`q2ZJw>e%Dlp^(Z))ZnJG@qz@`*tzCbk7}7+N7!gS>!o0)S2tt}x~i9%BOm zPd&Wx3i;yG{VOs*4;AyuNCm-3ne!-Ny{HfzQ^$ybW0#W`88MP`Ua9g)tXFf>plu&+ zlYlhSz=>5yWW1<4&`K2*+MG*oz;yqizkqM3`w=#heoIST{9eAJS5k#fe^)d0R@4&T zz>2z|Wkx15ZVf3-~m|PRE!iB2-SmGNwiGVz~5` z+XQfso?29jp6zG9X%(v_$dqd^qkJXP~5? zGJNRagsNs5pebD>BkREy0IEw@YSZ7(?pVg6N-A=&a$_Rb$Kb4^4?yDB|`*43ey^9#g?%;jl40nk#*-Js=dWRVF5_C$91eJlIb$g}Z9k@JlgiO* zjeNs2(oMnhfmu+M2j;&hQ}6^zyP@%EthQg>W6G#>(MoIgm-o}^*7fljJ;1!KB9)sV z>{|B+%dvm`O+f9{A2!{uDh%1yhtXPtBubq{YTXM^1r`gLUlWrk{D-se#O*wp zFPP-Y-G~oIAAzjb4s?_)^6-#HW$*G94?qjX20Jz6KlnNb`-=8?&TV!`_m;7j9Q~qm zV9&-A9i)D0J#6*DfwGD0mX7@7bAV#KI|~^N+kR#`w%KR(@Oh1p=1-hKq4B~`ZgHqp zlkcF5?|IfFsdRvp)NF>BO$o#;^#eYtBscM(}niv#7e%H+Qpv-N^K>fe9q5ZMfbE0I?h z)CDR^k3$2oAAXd+yA=H2tTnmZGeQ*eL~E&?z&(Kcr$vb($2ujsEXcsNO_EZ(Us(WH z^1kp+Ca!ptGFa;d`N15Caj30au~xYARV^2}4=+g^%&?M*3MI2l?ZaHMqUS`)j%}B* z9C&9Fw=_45Jd@m*;w#9yoM{`8{#ouqTWp9EYmIop$mIOZ{Whgdqn~F?$Hzxz9567K zbQZ_u$D5YAGa7>1hB~G~QbezsSXyE8Z7Xw7LU>Dc35g!2~zlbxz!v z>1c>zDm3z?L*ngBkDc;0Wv^apntxZ9bz_x&sI?{5UEAi~wwX{9IvP0b zP#mx3MgNX4=XU~5ui!fvKbMimg6|(Q-Y#xK9H5>2T-*>X64`)Okm70T!PfcvWBxch zpo1JbJQRgXrov(VFL>bCG~D+C0Acc+EvTowFv%3)x1~;~(4l(ZIZmB{&{|xHv!p$; zXgav*z(Ef5b3U_Hw-D=}jfLhS7#gar;ZAN_h*`pNYetF2{uRanE0;`_;3VcJ5A39X zXoG;Z3y|9!V#cj>mR~GO$bP?h=LT?LosAc9;|}5SW2^uy>(iRNOLu>**?I8}tfROE z_)}#9H)Iw4G9J|OqRs*3pqpCVr-!7}6Lp4+Zc1A=F_shof>0AMCRoQ-O%=-x9C^0S zS|~);Erg!kvMSeT{?(%aKqpPGBPTdpyBgm~NO3Ym2jPX2q301-A<>A2qnXCr{FQw7>g9KC+b)GtWh z#f>(c1;b@GN}CdM0ioFta`bQam?wI$G{%4oYN)7&%=IwU+Cdn-09hB!wxf_eBqLZ* zF+$P_Cr3lgfn3_`+hctd3s5QkiEk-=$T~}kZ{JpKc~|F;AAQm-ZZ0(+ zHI9j`p`vE!CmYU0#7>y0y)<&_EpL57(jOi;4tfd3U+g(!okyb8)ymrmFJN(;;veXg z+IvKCXc;!xW805|&KwoV;{o!>ieZ8x`l<_I!uWshP*e4)6|6{VLw>JRhATN%iyssY zA;_#T4?_Ue_jOv~*fjJ_|wYL>~3VX|9(>_BH`vfbDGRX$|?_wPoLKj17 z7u_4=MBzU0aGScFh!tR*Y5SC&(Mw6SYNTM~RWi3zmR+Ul5o)|PTgx<^kZ+`7#?IAY zQ5j7Z2Ef>y$Ybz9{dHH97$F6_<#xWUuNvse4HfP~ng#?hX$xKs6h>ifKe^FL`S+o7 zyn#GQm09ErzM4^k=;nNZ_Z?(CGxfi}IJPMpFc}+!dWwf$#n6^(=|Eb{eX= zPYTH`i7kVl9qK0Zg^;v9*g8OF6RNDRJhlU_!-*rVp8G`t`;GHU7FdTGk4+6`! zB-ulT#-Z*+k_}#C?9)yWIG?Yv>i3ZKpg%j3>h=W9 zQZ~3xx1B<*d@{S>Htc5XDLm}%Zu1axgLA8X@t<60oJP}kOI;4Lld3iH`=2$wagEe} zh?m%y7n+|l$fu<8|6rF{8IyM!>I9cAe7i9d=zK2gn?TRq&b8xVLCiuR)x#XD1L9)9 zc9>aKfuxq>6G zZ*px{H~?{!7}bWzmXEPS@Z?wCKYmdL@~_w`NZjbTT{G1j;uIQR2en;53%C67179sMRA2|l89Xtjsn0h6^lG? z$@=KcIs(TmbAdIbL&8+)o04t{W;&rHv$L6C;=);e?mt{|xR-B`uT@L1T-p!N zLUP=@h#N$m&z)P0OhRJKyH^+c)t-eXUMZY4R%u_<_SMe#bjI2`@lpG;bz`s9oSgT5 zyQVN{kHPvHV$IUXQ5|oE<-*k}wUD~bVy82}!DD^n{cnt|<2yL%QNF6_3=#66X@_nT zRLB(Pjit(uD{AFs^WoFD5Ks~_48Ml^;4}D)Gz}jl;Z}g(VRJ(Sh>DjOl2`xz>8oK# zq;OpE`wenBdLUw;HonPPw)&Dm9?o?uymJn4iYoHNPkkAz8a=k?m zE>h~@f8iC2q)JEWv`mC^b$_F49ut5;PW$GTIVFpb-w(R#1s-W};Y4=36S@$LFMIq^ zy72y6ZQF50Q*{;=P`Bx&pZ3&u=0uuD#xK0k)spoFFQ%W~%w)w{*U9|k!S24?_hf?$ zQ!Z+pGXMIPONWb1O8Gfq-126cBR;U0N2*jKxYm|)-is{TZ(}{Gz9`yCQXqVqgHS<>&0z2XaeH&_gw@ApbTV`5nL`+^l9`x0-W;* z%N2yWI+xLmJBz^2uJ1eH>TiB9&e`x%DLka?#PVtt)R)mB}Pi_W$cG>tP$ezB{f1)C`Di z_Pi^O4L)Z+g|e4DP%#F2-+C}3Ah2u?dmb42NxjAf-~0S+x^?>vSEt`-#9N;iE4yWDCYn#065 zo|sPO9?}CSlxi@Qa}*HOGy7!1I2!E^CK_7lXT&9Mm_VK{23i zur^fEw3be)qckx|GVBm$GxL|tBC;p~SGeBU5^fAvk$@FS`^gs~5eY+Iitq`pQPJso z6@Rbn1GBBH`+-pzh*FYd<3!?k!pg36c6v1{ziC!43Sw1b<24J4jRH!~Vz-3SjWvnj zw))KLMC_`seXY{zPm9>fiX}7hU?NmNIhpy4AtW7 zF>Czi)up-Lv<**gW!sOX*Oc;^H1S)}y2@s|A8JaQK_pqsrxTNRwmN5&6tk$n?`I?T z6ogNQ7f$m64D_gSkr)cdOJvT#MP(9BKOYqkKYWWf{v&!Q@;kg>_ly$E7!p+fgw3*w zY}SQg;b}lEC;~5sW4sLSW$|rr6$si>#H9q}SQgOe7C%Us;?=5lDl;CN#rho^^e$XJ zc?9bX_#J@$WfTB5q`-8=aSw)kh;OTQnCjc}p{GAfxT@fblwr?z%hxWDpp!;Ftj$&* zGxG~a)4O(Et#%m7+A-s}1sS`(v=B{l5BqlGjb(tbE*Xwj?)CxWIx4P^k8Qm_q8nPj zR{P`@1D)IptEXRE5r(kzTt@bVyHg=|rD6FyEhYTcR>zVsGOZytVkz?4OO^AA)Wy*6 zu53QF`aq54-!F)YgWN06%cP)55PRY zx&5?)>Wjy=2Hzswo$tDD^t(`kJG-5B@*s9$x(RFy|I|HfIua9S&dKsM~g9 z&oB4fx5lm=J639GWAfSc*foadopLGjmbo#Do(HI_inEQ@TJTeJYL(QVWP3>qYCRh0 z>*^v8c~@Ne6Yd`m>C-G1NZ^P|z*JV10&WR&Z?6<~U|RsSp^D8ra7Y0L{(byBAH7CO z_L08>>`|D-)&>)dy#A|3K`q(;|I7(iQbHHAQFN}HGe$=Gvyya`p4#4X*2>8%>90h7 zlOjq1@)G|;M3Pz!N1yfImM--`@Ka9Ft*Bp07(R>|baXOU!#di&GgiMCt=DavUd4a^ z=Cj^D zCcR*;kICYr`8}>&C&1+5wLItQ{cx$_qfhYvdGgoHS0`B6odXsGKh~APVT+C^*CNDp80aqzRgp%OR*y$@h)OdTPM9w4t%|#-;1Fbu~N9=f~Sm^+Zmz{S+=>H7)Eg_4$>W{Mnk=naGG+ z@05V=D2}qfvfggm{38hq_VEE{c8$Xk zM?pJ+)oG`B-qU>`YQUi>q^I4^5+ji2l&=&JS8w{pGuwa1o; zW1z{5bV%qXppxuBw$4D2?*Crb9@17tL&|ZW{QL)Oe*F96copHUZ>S?B2>9y%wjeL~ zCRF%nge8#}FT_wWandOzApW44kwPx_aXoEEruFEbkjg6hGJ0!la2)TL9pO!m`Szq% z^|ni8W$Jdy{TH%MwQ6##&$l_x)wTWOrs4XEB~I9@MoloSYlF0_8Y%)QLd~YMR0G}Y zhAwRU^gdOmW(VsxNTA7bgrY7j!5o!w^J5eG|6<$(lNJDc3i`XNM5RDbP)Ynp57vMG z6W#M2Xl~H7IvDHK|0lkd4lnqkJkdGO`wfhZlzD}bKPje7BmX9R=)?@Nb$IXm=cbu& z^=creo89(tpPo;&NHn)Zzm{g{BZ*h<5NCGiQNtI)L61T0x zdm4^Im#H%+xFiJ@F{{W9J|kyHh)UmAC3HM)TbT6&xabi^Fu6Yh{rJQ37Tw{xdBQib zwmKZmR!Ys~#kuyVL&gvx$Y#6CZrapHO5j2VfulL_o}&*f++39!Gz}@9u7LzU8>2@N z%R0d8vp=~52B?2n>!H4gQt`pYC3rUZV^<0nRD>0vMMC{w1a{mmR}d5c3h{FO|Ju9K zsHU#9%^;$U5|L|=io|M_azz7WmISC1DhkVDWl{pB5EO6#g&;#1sz@24MJ7Q8EuaDd z5^w-X5KI(-098a#MwvkpNJ7SQzI_P2t80C~zx(4`l0PJCC;Oaz_IdYy-)A@^^)H8V zlfPi4AI70~pkUeoN{6BS*qS)*lwtcHI9VUC$RaqNq17{{h2zlE-WXjK;0q+> z1K6g|LirZ+i=fzYFaWXBK=S7;_r8-#Esl>v;^I#XEA~g~tC>=HDHQ66rEZ6S6$ZoB zGMz{mSLrLsyQJn+qlDWbI)OT`g#VY{TzkjDbqeLrOD*16ru<0qt1NJ~zT0tpPP^^< znuNMnd*l6oDW7@E8T46YG^^*TP4aQl8(m>TkCtZEEjo!sUB!pi%o{H1aQX=}q%c@@ z6~Vq9K={e9$w2>^NhAqi2%j~W7zf)UHBynP*>4Lwd%qCFr<-g(0sTw}$S+p#yhqot z5MJzCHxsfEqA-34^=Z6V-gG#?n1qmuEFe3L>Mu37D-qcrVA@-M&uDv{RG{E=*~~%> zS$EGiu$0CEb8XL$8uiDKf-_C4Al}DA{(V(x8DjFd%TE85xdF^eBxJ^*k$h-X$!B|B6av%rPlHyU;yx-6BF{((`E1!JB>fqY(+Vm5Uj1W0fr zg_pI<{U1kzya*WVU^2x+`hAR6@6VJ$04uDXRrTuUe<*oUwjm--ZPj&RA&xMHF;b$e z-?lEpE5?St+!&qQpt1|sD%|*2vy=6pQzyss+zd9`2wmaCo`Q;ZTu)fNf;o5g6Y8*s zII5G;D`itJSL2_c%*=3<%>d343Niu=@{a@{Ag|GDzv^&zmwr7Oxpln^r~xc>D|Goy)Di zLW~Zs>wCIBTzd)<$fOy>_PKHG0Ror%F#om^Z4+E3Dz^c?q&2hFF56~8r}F&o z!>ch&<=8xua;#E=m)>!-fx4Rv|FN{sN}@#aT5UIQa}b|#?!pA)EPT2)>qJAjvaWP~ zO~nj}Wasf0yYKyUIo1wG3zVRHPqC-rXVL9rzz->}-fmhc={r6!OX#2DT-fF-cLr`% zyX%a6yOF8u>T%s3k!@bP9cvbE^CGibdHtSo#r{HWoe_?INJ@8m1v?$v6k(BMZ=lrhH@5V#nNiarJmRd-h51XaWK$mjR!R##yPJTc= zF{s=&&CwHec^rl=ga@v+!03QLIPQ}brV5kTN5Zs4; zM#Y9s3hJMyJoUK*%DlE)9ur)jq1dn8#l7meG6Gzv>X!`HOEcE|>cEElaOXVr)r z6AYjMG;7W9DogpY4GG0KPd$&Z&xHuM_5Y`Z>^U!fVdJkchTQK_>n+!XVlFl)FYmH4 zH_GE#kx|LC%YnFWqFNo!Sqn5pW0cNrM%ROE%q?+1Bg&F(XXQ+kRKfiCi7mqNYOdJM z1S?zZ6*ZD4nPbS#N#g2*MlISt>>gG0%;eA@`P~%l&sm*!;Ed=XRK&eNDgR>!{$Tv_m#wKqfymN|_5?EZn^l1}ReZ2qf6<-^X-hgi8$l-tV z3XY|{MV+deNfa+N&o9prCkNNGi=wkR=5@?0-SbL;fJ$*-GBvIdE9x z$pHFMG){(g4{|tZ$h79e=FtW)&Tk@aVWTvUaa;X8++u0UFZ}cj7auh=xUXK~7kR+a zP7-R(#np5a@nfc`-QUC3GVfdy*)oP3$7cyvz3%Yp@u(+z!vk5OW|VS>0sMu<#MlYg zgIa)rWeY^hQ4Lo2p`Jh^`JKhRPnG1a%c)((v$nq`PtMlEGf_-N4%kxG5-QZ%<-^>B zFW_4(yR>ZYgFO^Wy@;q-89|h--rLWh)n*7cojXn?UD*g+B;Bhd;R^{20aUpcInwZkL0f|*1$+5jz&3MtmmgZx-DwtXxE{V!`!*< z4Es8|Gn%dxti_o7!N2gAZIrO-H(NY=?yI{;KTRNp-K_5Xw^kiqIHHN0d8@jE`LU@S z-|T)mZKbE4bnaS4$Yc!0>+Fz=o=+LQc^Qrt8P?=rEwDowS@5>g9vyf0iOpcw8(ZMmXtLf#mfjiOhRG}G z^^~vzZ8n}_XGO2#=Kl`2! zb-8qzywu&~={f$=7dto>#D@qAUIREzwio+CpR37| zG*3E9(vXpTd}-b`sUjxi&)bospsH!xMk6mB;#AftjWtLYnHi2??9oS{g$r}Ztpd{-Zo(U7_E0p=eN~0?FPrGtf*0>vU`yG*NCP<4YB5C-Y+#9;#q88$P=~%o zqAsrpAcTN?Hr8PB^CCa5#J20Q|3(+8j`2d5`(3~lPBgbNvakQU&Kw7d%*cZYN+kYe zkGn1iGBktFm6<(YXw>?pss?|~rdC6@YVN^kSFhDKVP<;o&^lBLN*%VHpNE}ujDOP1 zfw6p13Z$wL<$j_4R_25>;FGpHg{fMC=QSUp3fcN|j5im=Gj$ZlUDVo0ZrTvX8#P_Y zdOI}hojS+4QJYX%QjYMXM0>@dwEO;bfOHRs!d5{mD(^`AY3sUQs3(E{rtX<^QGS1} z6!;53_+y-oQBS1oTYy_vMNKjFleC7oX~4B~`)ICN5wOIxmFyKST*7zkWTk;xB|74c zgv2rM2Zmq3Wh4iYg2q-=vEEM78n;b_xd$rPu28+qpHOMv49WF(cy;id&ek94_la@y z>W$az=c#7yi+j0@GFEuIzNSqliMhqW-D9K>zO=a+lB##hXwEfx8#w7RO~h+a9jzu7 z(nYxTeT}GAx)*S|Oh{WJBkstm$e5ukVeE7rp7pz*hCk9zi^-2^H3d7MFXjdS6(X1Z z0R3&}d2FTqZJ*~xq^)L|66Q=f^Ek#k>4+ zvdIWV|0R*Xx(Bd^z&`IC*5o*nRLTtm#b%vbD;AtEnHZx%rxS8R?lrX{v}QmT^O_;* zpkKj_wm-i~R+t@OJb6owIMHgk z^@Pg^7BJY~S>PQM+&23hd}8rPKOy8>ll4exyeYYA{!~hX6R>WoiY3sK$@di;(F;R{ zxi_f^x{*{f-&2W8wdC@u2=C;5Irjj+Z>zA~oYkqw1GhNlyiA>R+H5Za7ZCuH6?K5_gi(}dF?k{~zTsn`n*u4hW~%{+}PNF}B~ zE`9jc(Ck^Qz`M6~7F8k2HU&gVI`>;?`vHr8{z??R=jkF}SntBiU~fZSX*-6hVcpvO zAepWcqO$D>a0ySS=>Rf0P^g>Lbir%0);cE3!3|KX<5Ar~*Lrf$S@v>st=vygwTO&_ zH?8Abscfp+4P*k-rlb<{PT%g8nWn(dW?RpGAX-K!F!m>SC)PVynhD`TQLTL<)T#pN zP3SKD2L~=&fMP4Ew9}BdMOtiJWR6KRQ^2xw`03-k()ew!`@Qc4%|no z@EI-ARnW!-BFKusL_4|INTGXDGz$H{Yb1RN_!O%i*?~~+wn=d=U*B9;`#J_+#{db{ g|DAcj-G>oT4+cGI6zk|rD1pC&`yBT^-0c literal 0 HcmV?d00001 diff --git a/latest/ug/images/contribute-web-edit.png b/latest/ug/images/contribute-web-edit.png new file mode 100644 index 0000000000000000000000000000000000000000..09f851c5e61744452497830edded78468053fdef GIT binary patch literal 801738 zcmeFZcT^MI_cscnU_oOA5g{Nbq6h*?hp4EaA}FYUAQ2D&X(C-9qYo;*DN;m;D1u1u zouKqCgpLrULkOXzkTP>8_&ne5v);SzA9vk#*LvTze%VfDn3;3VoIPi^&)zZkhQ7|u z?T5B=adGXuqI=Phi)-6B7Z>m2t-SCVVTp7xE-wCS_S)Jvu4rqE-FV{i(B9F8i%U27 ztudd;z9E4cBSZ1cTQ8owI(vP0^xkt zOYG+E^lejrnFk>@JyYJ6TA;xdWZ0Z&(DCNP@}nS+2dB>kWyYvzzf6o#x&AVDZN0wX zu{dTEmuXU0oDJ89?wvk&YQ%Wve^{2(UOBS=niw@;P)gaWVE1_W?vZmym1FlZy7Zan zr6ye7*$2Gy!!(NBnd-5fwC-5V>TXj!<{nYvR=0I-2BDI zXXkD&s+dX!N8Vm8OFq+uy6hq6EY%S_PitadQvG&yjDK9k2eVLHz3%h)$=9{zBlZ@z z-k;E~(g;N!`W(VX*zuiPa5I;{joMh=V*xT^&ZMv8zl^^oi`DWeL~&oNO~DG4N#y71 zY>LePz{T1Yy|tN-yhc<$E>h{cGtrMunfl0so( z+#1ir=*T_GmiuZCKe=y2g?us3*qx8X_KkHN=e_)(n@=P7c|DiaR{0>iP~l%%WrCu+ zA~AWY6OKQv#Ujbzi}V*t-zC29yrBNOQ_?lXQ8&i=ym~KUKG$G4lJYJ4L)yv3NMCJ_ zFJX$VJine**1D>c$sHa#Q1BBhdwbh*XE$iZi_%EJphEU-`ON=`e$(;QScYZ#Z?!KU zvnY|2n+@-jOk5W4cl}r{N8Lhi?XuL?%)d0qy>QrbZ{@SImXv2NMVb!f2`qfsi|8zq z@>g`eUld>CU69iGLv@wia^j@4*H_nhcgDy0wtd&zjB3Juw)D&?xL$rJ8p>nLzb8~` zk4nUSRdvrHOlRW*2H(AkIz6v8?C| z_hT^coOqkDYuU=VXXssOe$2J!^5&zC_q94}cY1T9c5l6KUNVU1%Kal@TKhWPgyOe9 z{LAOV)|h8g_jexWORT+fV~b}1`-AA2=Wl+=lx@y=Cj3kGy{5>oEwjAjTHDR%b+_)c z6k`N!vkD%R=-ev2e122(V@cjC7Yw8MFaC8rDxujgb+c)3jD%U#qX)<*2UUa3&kaYZ zH*2Tv^9lF6Ab(4w?|k@;lkSqOmsRZ!9tzYyr}#tKj=O^EUPx@p+gaJ7U7Eob7hFD& zW_J|v@x&i$tk;w03k!G6*Od{v*7RV|G3(&Th7`jjd8!Gybo9eVjFXRBbJ?6!p|?CmK@xtu}$N<$^~A_6DdJAt`6#}TvXv9 zeBSk4{YZ4P;68z`E`KuZX4$nAX$%|QJxkh8;wA;~YS-NiNEh#o|8z6u zX1eR`iK9suN>klt_swltGh}cxY@Ws)yM({`CbMPWeYR*kucM2_vOHekrG&#@iZ2N)CvZRcYi^#Hqo3|`@#od?}_4hSutH9uYDO$UGDgg(CV zd?o)%k-zj%$wBHtA>l2;SHk;+k`(3@9v)%}*$U+T#WtQxDu}4%wQsRWp&nGv$eyL2V_o`^PKTvz6E}+)0 zUUS%9UcqNFBzopD#_fqmtLyNzyH^bL%a5BcKONGk_AGG|P%&0PBd-gKoO#+g`>H$F zeBs_jS>b!ml?vuf6|(M5p6vPQ#ba)n9z^%j#|9o~GA1;;F2YLA5=#^Fru()p+pW-N z=cW^8$_cA-a(uatxk(mXO(v0h!iSWm^Gg$y3BI9Tm54T}KHEZr%G?Y<L{z8e5M2 z;ZjLZj5s9~S{S<8Luf%y1I>`;z#H{Y-y>W*w(dH<%Wh}yt}uiQ!f*EjftWqF_VtP^ z9MX`WU)(A#Df8e`^Qq)L2DO>f9)T5so!d1<(nJM>?}$>5|CBWs7*i1t5mxi;8}!{1 zyXSQfLw9#esQCdORIA#ftG&^7R_?dlFRkI@Z^|oLcQzK?2e8m>?Z+E}#NWnfX&NG@k zbyxan>|#=l0^8@6SL4^PPCY_vW}La_zxH3;tN?71HNRJyhvrqkg@)*q1FOZF|-?`)DWcVs*RR96XLO)M%%*8uL{PJ~#oj135B&>L^#t#HLSM+ypg1X?ps*BjHC(yR%`*@ST`*X%SXQ*! zdvx5T;rn>#QT?NzkD_C@#+tKydb?~;G}-Iu;fi*rp~k8Dsn=7=#`K&ocQc9$?oUnJ zwl?m|ewZz5!S?J(Ju7(i-c{x7&pEfVoaA=MIhfeyJFi#BO(jezpJ1J&W+|KFyxGj1 z-**}-Gn}$U9~5Ogz^B9VRa&~)B_p%wtIX)tpYL##xsn%7GZ;(AuzK{qZwob7T~d8G z)9S0faiy^_`OMGqEZ*#!z3z)whdgY&Y8PMK4IDn@8}ECS`d4*GHL!4P)XNPR1gCix zc#8Q>A#zalD!0r7d#~pbbGouzTy!7VsULn?R^FYt{9{j(g!((Z#1j$oqW3(*o;rTZ zADh_Hw6xH@Vyp??o0;$K108%$WW4d_f(Yf|-MRngYdb|ee#LO(!f z;U+yZavF-Ke&puhL?3xLWLGX=%72G6y=^R!cWTOESZMm3`ZYX6tRluaU;JrTDFm!i zvt!Iir7ugdgqHHv`BD}^i;(0S`8bzeGtKVddxbawl(PK|D$SVPf!qi)(FUywrpXe$ zVc+^2IguU7J;||JiavMPKi7SXY;VlGMKwa*%NH2qZpPi%yFd`2JP%0k)j`#tvxi zQ{^v0$0;tVGf(aIdAt!<&`0jwGu%JAKk<#!TI9G8GR_?NDeM@*co&<<3x;PEega1qAvPvg9$vrBbpk%#%C(vM5Z4y?h#TItxP||7e3|<= z7thA|O8Vu<4(>w~c?``RADTF?@~d zypi^mEAZaP`iYH=vzwiZ`=^?5e)z<;$GWC&TwDT2IUDyCL&+t$|3Uj(ChjKJ_0+6g zoMbH@xLDc9dOL0O!=>S^1|K@vxLb;OJ2^VLsd;N2*|~86O%GpigPbdHMbJ51l`icExcY7CSF;2ghRxTdynn#Xs z2KvwE&vV*%+y8eYXSctn1y4|pb45;G_O#r8`i7foaL%gTu=locG`(o=1oI3YLrY%i zjEcraga6y5{|@=DrY8Sws&H2E^uL?_>(c+)^tPML6KxkKcu;q(|Gu!l8~^*_-wie7 zICK9OFa9uk<1EZ+t?e3e|9NX#+m(c4Im_{|{Y8UY@E%@foDYu*{B``#9zNc(y4m!S z)pstgb6i(0p1!;M4}6gSOY%_5zAgI?;9nl6 zAOF1n+Ql0`PGo&QvHh#xZvL2;2$`!_OmBsi9F^X)>AIEJ`KTK)cXV}+MoUVv7xf94 z(VEfHdsu=RmM!c%N^l_)v~02d)bbg{ul>on@=fupm5qnp+KXp~W)@_&Ki|FefByXs z2mXfx|F1cq^Sri=EPd3!VWqubB4yD=Aa=i2^HXN6;)thSTcq(=X1a*Qdfb9fa>W|D zp2trtZyO}CzY>XWERsG{fa@m|?L2i1Dja_4a1_e4F<&bsp#+zAf2LxogmHv%U4!Nw z>{W;5rb~_&v)HBVxaz)QL)P!svND1IU|z2s6N2K9`A$KaiT{c02BcvAp8WC14U+S> zSx!%0wyL_#^4Wv9c>t4ivSps#tumiP7gdRKhvd!BleY?Ewk26Ze( zej^~wobgTiR#IuH8dmn2Rn)@H0)+*MT+&h?Bx>x+EtS8|$WS!DNYsL9YHKP)jUMo% z*8!24WzXIW21`pvn%qU?va<@a_?gWP>a5?mrrYMVR~G7HVsvD(0|zkurgvWXPZo=S zON5CNvcDuft**98#P-)YpolUj>$FyecL8+HbRO?jmp}SH)A|4R?L_VX!!$PxjnpCT zq*Ae8wJD_OJP(HRuCyW|%WG3CvNd_GJyRRgvzBWYv~#W#yRFef}G?E_X&a7SGj&5e%u;EpbGI)bQJ zPDhIW-#ap*A(#KinR+PKE(E!kN_MI^D&8(ti;4!9u+;mQ z;V>U3S*8Qqeg|G@1tmzj;HbBX%gpU-DuRk20boC%2i(Un^i~&DVX3DHE!#oWL7|@3 z!{7**xzlbR2}MFJs?u++4hP!!XHjB~j;!F;3HE}6fi{NzT}2u2Tswlh&5ieE27mUE zPy5Lj85ya+5mta>AKL$>A5C;&9ON`*g=*POPqjglzz9Hfc;Ug_aTX8a!B0Ewgh@CO z&Moq6uD?mL?_zt~0LY}1a8;GZH(wCj?0lG8X|oby6F-QhmPgAp+|!h%th~lfm3NEr zDcp~aR8vN-yjH*?!67se0dW5o6k`WtUi9h^&R0xzLFV<_WWMQYNNZcgLmkjGunIqU zHCi$q=Lijv50G$~*vDkaspmz4J;D2&mIn2O40$Q*1eOcvRVrgql)QrTMa#28$|iw3 zmEE{$_{pc$zNrlZp{O-PX6YcacRY8zYn(jpLglv;HW0EcPj6SKG6P|yiEz3!BIX2H zdXTp1)n>r@mP3MQt~o_YoEt6))5kakIgxS1FHE6Le7k>qL7cfwc_IGn(^E?ycN2Zc z?O|+;hEl-3fH=O7k$$PIVlG1(>=uKM5mId5g?d}7OIoZ#Tt6C=f<|B-RxZA7Kr-V) z4yMo@ig)DgMyxhqea%d7-nDKWCwC%~aMT)n@pD2{vllqe>RZoTHJ-`sL?_|;lk!&w zw9=?m+zQF6^-c8W?tA4gEqiTHDZzOSfj6FoZ9?eZWGrXzcWE0k192378drh!D-Gxd zY@`C1TwD7NJ2={5+=SbH(2-a8leQ(IWyuw=@C0DE-UQP7**AvzuA5gsmc5YVM z>m#rDxudEoRjWvQC91STt@SrT!MExg?uv`_c+Rk)!VimO(S=A^br!KP*h4ipa^hsXkzJWt#rpG$tseS98 zR(1Z}s(XFH%5P1wfzTNAS$y}VNbXIC$5fUsq&bd9N&6rg($+pDHDS_<&d0n>5oMAO z#v=QTN^t&qPK9#zj5;LqSGTiXA?l7E5#jqIaMtzplAUteI`WPl$oGFvCqGX?g%Mw{9F`q^ zuAP{pj}P~VO}9P^$b7~kG*(^5i(Hrn{wfsHSlSKLh~Dqz6lbk#t~!B}H~6B{P^@%K zy%7b@y&5bIX+~&j9Q(R&ypk1Y@|6_*T@mSsCIV{xg_EH zg!ZUk?0CekmXuvbI=}*)Jpy0Sj=VNEqv&LSacVD^>y7&}Xm~s-_K|NY{FEaBjuN@= z|2^ymU%rir4VSXh|4iyb_Td8I|AjXXfgwUspuO32cB>s%) z3)>#ZSpAoj!za3L1CPvyPNZ+*EGxe>P{m%N7;S~&_P2x+nTl2&X zK00#gX!_`C^%yTc>R0n|N^jAcCRtZkQLCk#<9;X+OZ{WEtWMrOMxn~PAc<2+Pk+5k z(`y~kY8_rV;Rc_>W@oLDN!znNEOmi16@xiK13mqB?gEulg-r2>`|I~&ovKZSN{H@c z9imI5P?V#58#oMw0(WfX{adLi6!8<@gsNk=?n;I zR*CYu)zsF@*`FW>|*Hp z|HC8W1es6rxuxbRsJ6Hs7$9;u@(ZofZF$r4=G{Qub@wN!iUUB+YECe zX$Q{ZniBh2UX;q~P7SBuSav?fTzhb{(gjnqp&aR9v5h;5+R_jABm_#q!j-qrX=`Hb z<>L+~%@TWZvP$Jx{ilW&5W5BT>hvU}XHy0k*6gxZdD|Rc6qFR)Gb%dYKO%@B+Qk{D z!ebl2!fz=xyj$sc_>KNMB}$*~nYy6q*=7YpNHH172slVEBj!??7_K`l_YH2fak8mQ zvkTZ5qgxjHMAud{8P*bY`bFZ7n}k!cvK^hSRu+uaESZ%)C`6qz(LH>{Hn{}$gd-^v zhrS=n+tWJS>Uq7JcVmoC_q3*>IyE$4fe%cw`)7v3F`hQn{=Z9|TOI=c@E{vDOvI+M zFRtI0h$((cdiQbX#uz%4ey!q3KHjiGLa2BDGs9wOQtMOZcbC!E9UzybxT|E6&+uI! z8`U4_@Hd-A&R!CJz!@XLb3H~|ZFT7ZFog8{n0fW)-FicfkbBo8g;>bB+l6gHs)_Be>hDtG*_!vp+DPDw%;!)l>#eTVQY zrny(? zQe}$>;+upGs&)4CLfve}8v`M=y~8cc8?kY>G|hba+kB1J)N@oVlx{Zaw0eu5Uhb+> z^TN+HBU(O@Cojnsd{KV^FzQfnj5P(U;7F*pV?HieN9bPu>Dbe!z`>@h`_lF;16104Qh>@LPq!lCN!P#7d5CX6Yp3B5>uOiG(pn0 zJ8qh1wuNw;tg$o526$sCXXg(*W!0ee%$&=yp{Y@;ji@L_Yp4tZj~HHzTe*q&#w?o^ zj2o?m(crCiXG(Kb!>tU|1eHUrN}lg0^_CB26e2xjCFir0-^LXbIr-jV2sL@i1WuFr z(nu^em;VsU{u3df9mPKR>Nnt;{Sa`->t>i~64z`Q#Vi95HY4m(x-})5)vGMpIw9B4 zS_DsU2l6hEth4@? zmW^Q=n8E=kH-M#|O}FazC3oza3PsUO4ggl-4OoAuCW%ZK92SSP+uQE`Oa{KBM`-QV zU?|~D4Mc}aI^r3!vuK^6E;DVefFNfEf|&3=IYiLeS65uhV< z3Oo+pHP&99Iph`4n7*bmgg`6D{KYKh!GM*Fy*zA*t}f@oGXEYk40fQ7m2TN%D+qm>&{ zaX0FDQ&?$BmjW#2JGSn4-lhbm@dxAAaE<9}mBCD9Gxlt?Jv$8bw0SGNN3`Ib)ZMBb zeLS1)=RIS6IsMHtSe^6|7whH+`%OeOH>Y9{Mr~lXjsum_HhbM{Ye4&saP6?(`j`WD z)*sW?1nkvwvf*(5Z(@tK)oh=W2t~kc&JjE^Dw(|xb~ z9Z!3~?nq-VdR`(FM;meaD zn)q;i#Bb3^VslA0)Sc{n0afrZ@CBFL>8IXX^P)^P%f^@gFqf1)Vn}Gp`V_gNrQw{q z2lZyZVX*|0kPDW7=nn9EaGgE*TRX1Ps%5cRO=&N)?waTmztoiz4kOMRFS}`eFc&$X zM|7cFI;rN1eGRoh6~G@@C`+_}?hyVt1V!`xoL?U%SE~b=ZYW^?ZlK~}2rd+tzoo_H zP!fvD)Y+ILZC;#nHuy8g*E)UYbZou09`s|~fpQ=Tr4D$4RR>YCifZt|0;@b{C(WS$ z;taWy&}iT_$K+8`n}8AqFxl2DjWA#l==H%wd1VYoFH6YdrB_Q)Y%%5=(H@-jd{c+G z*pjl8{1vOOdjguxb$gk4rct)vq5_Xs{z_ZT3y<*}{#A@j+yy-iR14Z){lkV4UD%ha zC%B^DyrMm1gj4H=SSw8AbK+iA22n;p}HL7ijpl|=O>NVp+>yB%s@lA7E zP7Es7AI>cRXsyg@$juJYyaYKvW0whSc6U^kAhpD9ik1DCFkpHA=XiEXz(G=!2i1oA zwQ?~o6tCcqSiZ^Ebq7TOH(9kL6H6ng(gy4z3E~O%N=D%Q5Z2+`ir9HGJXzyMFy2}; zD#N-Wd_5hA^rh!|#eR+-X@h(v-?c}>W{%xRvXWB^`Sc1A31aE z8cj>W(QI?qH8WQSLPA|{bK+&r>ge>gVq9a_Ur)mIe)^fXgj)1?FM@0Uy+SZEB+z>O z>v|g>IQd)IVEauuRe<>G_s!glC#4MgNYUNg=yskEpYckA!)LAdW4G`PMRY%+AEGOH zEFV^UOpFfrS^gz%eErBfMtWz0SC(S+74~8JhYYvrbPLzP`9Rwqk7-~ZBi(sr4!!5M z=8CgyA#RCaeQDQ7c@8^wFBMgYI}o~%`}dm2!qkd(BX5#3GmlaMXZST9=+URe)D_rnnE zeZJQHRLI34dZ&uKT(s=wSGI-ow>)p2})RD1GN&h^O(ZUgnu; z7>ga;=pV&u4So?^(C~I^+naVlX{WpOhxoJ(YnI`sFH0kxqMo$WW%^AGIzLipEzvFB zI^eV!_7h!qUwF zLKh2DR}(nsn98B}O3#VzJehQg5KT0&|An&T0gvRXu5aTq+Z8b`Z3 zs2!Pv5}gEhC`7I!Ny`OHIlAj`bbd9U4a~)`krwMgB4SgoQA&`}8Xl#_&3!In5&2wb zFpsO=jki&j-*CPAcrGa>+xont%@1C(xnyf0cCLin<0SY2FE|wOlELglHGQnfKn_K% zbo(YU`W)VYaFFNh!meD@GXr1;9Ze*cj3d|)_ONWcf%V8F;5@@h=Sb5Z>={Ou<20YU zyozG-5O%RKLE-f4H${hkH3TkQdzKJ40LBWIxUF*l_dk?r&<+)-FVF&E_Ms;NIXILP zzbVT{ej4_tu$PJsumh*caqghE{d<&msTYZr;Zo5Kn&gIwsK1!}Ec(%LRGNwOkI_L* z4x$s5E=q}sJ(kLAED-w;&^KFepq)CV#HENDX{n5FS#^CjQoLgKbN=o-*|*x2{@pW2 zK8~>*rGR_vrb)53rt&u5H;iik$|OD;yZ&^*ANT8sz&_;4fIsvbmxDhQ5tCvnH{F|v zB~8`=J0I4L?}s>$#9)i3$jw&|s~sYqt`;Ww!7)^z!8d^wlyMVw17)X;YXy*hJ=ax- zvJRHb{1v($j97=?I!xmTzw;cg@HXLZ@L8@gfvzta#PJzcE!i-86JbE#Vy*Cx)xJl+ z2`e8;eG}G?=x4G#kWc<%22C8yvej5LN=6(<)0jkg)p_yTHC5O8aw5)DY~p@i^%p7F z<=EDSTJznL@()|@>uyKz3CxR+oMAX=Du^*VyyU|Zo+f8tF-EAT>u&G-eq0cpH2IZC zi6APlmsBh$CyivB%}^7RbGl&8tnJ~_=g>Xa7Iw3cAcM#zbWpJDQg9Vm#|4T2Q_w2p zB@a454u4Z6J?Z7yZ>8MHiFB|BB*28j5FVWR`IZbcp#CAjiTC5!aojjz9O^^~vd7sV zSiOp#!BzT!6Bf;^&TbILz;p)giyJY4=-Vm30Dr-2)GATYS28!Rrt z^6jbB{g}CDw^Wb4`$+OZ@yjQ0jaoYe11|ACsATKfC$g5ry8Z&TI5M0#+ zCM9SkYcBa^dbriDIqX!t3 z{_q-Y;W!em`tW+SZa0ComA~)|>}39-PFxap4`fKVF(5D5SrtMG3+^KhPN zOF*Ho5>U%d?R-bhPM4GDf}^D=K&OF!YLpF?MPgMOOCqa&jz$mEz=2;1;^RHh5zn3M zK?$ze?$AA4aoNizGcT2%mdD%UPfvY9`3OFngWbedi-J$NFyPH=z(>rmc6-r0()Cgd zsnDHbf&ctSr&C*Gr3)N19XGmfqN&1RlR=}v2B5znghf+ zh=V?0e=^KyYa5}VZFuI;*|i;ry#Oa&8ggzKfN2I3`A;Y))Ijhh++Y=#hK_f^A&(i$ zX>Ev>3un?`VvCw>_?gv_g>dKqM;E>>f}EIv<_k?$%ph3#{?0@iBFkg3MMDOf5qa;# zB559(xw1aU3LX&~CN+7_sWaagzk(-7)IKz-&Gq49=vF&j6+ix6JnvF}M_-+s8lZo{ ztB`n5D^Z!E^UWiXS{kfO9ABRcFqvX3VuZ3T45#w-MaqayI#c9s%e{lH6TKql5YU3l zJ(nB^4vzQ;tkY}&j(~I7I2g#t+@R3v4|KQUfIoBCNV*YFOt6%3v9m*YnO(d}3$gtJ z{P!2%U{#O**>1AVzpoWFWfkWH|4AkC;h^Qz_o$!@Nx#_?CJJ!~c=9`neCf@P&*Tyi zLs94R$5K&K@amgXzhl@;MmuC+)i-aJQn|CaK48Cum8)gUp@r9)QnIc2H+~gk{bJ_Q z_ZTIAlcOxX9v-+6W)_dfKw%>Lp^ zbk8v?Xp+oo#;L; zV=Z%Nug7Eqf55v}>CY2}2QW()s1lJHZIh+`r$KARlvmacV#KaFnuG{{k$Pa;TAh~& zd;V;an`#=;Lev%Oe{iI(9~feBvh0L8u*t(kZD1vzLSVE(Q_u)B3>l-;{U5?k8i)8W zTq}oFyPWAex`4)eY52JPK(?*J&{O^@ubhou4W95iwti$wUg3q^#~|FP)2~C`q(GwoeWsfCC_|@kwK11InRYQnayr#H979)yXe( z=EF|(5aE%*5CQx-zTV)`IPAdArcVO>l-IB~LuG#=qcIa|MYe;DW8LexRbU3{gpwe2 zs1WHrHqR<=#E<`04c-3)U0k!;BpL^^&A?i3pv7FVB;PXxg?&%QAN)ka)wq#>v_)m* ze5gV>`a(_v^BX|L`goXoL7$La`4j`qR91o^**wb_iN!o_D+#68+OGqtnB+ip-8pr6hZ{&DS23zZz8K7t`mW=`o*wQh*u_f7jR7kxG~-RFpCgF424&FGvC1{Wtm}hVvN~(S zO)vnWAVSl&1=aCxuy6$9DR0c|3TX(a2XadPHj-%ebLLLbG#G0%_B{>*a9qz5LC^^H z_5M&kCejPnFdzUN0PGPkmK?-!k=bN46ZC*^kO%IMy^#g`kq2G!2F4z+GGrz%%vU-= zb*vAGJzezhj%Eq0<~xmxiM}Nj8CZsWshzjE>@;~>re_016#Fu5l*k^@ANT@d!Lb}OBs>!?U$6M zMDPY^%1LtXx&#(bO~Fk5FjgJtL#-PmLE`LIc^kd-c3=hj5ecs0=_HgCRw*Kn5x~C8(!0!gsrh=3N%__(>fn&Llt>~{yA^f6^ z4>T0m8Kh2sOW$8?J|Tn6>whH&wTvZ7x+OPWD8Br{()Hl`Gd?YK#AAyW(%^CyqgRbr ztJ$UNK3tcmlFS=3bXh!k{3Tjb_Lz;SoB+ZI%3oKkF{0G%80}(3&S6c=&qB9-8Fj$D zkpWX+h=5VVIyg_m$tSrp=XwcIf4%92)o%Ws6%^5;{pqvXdXIu|7=>Ra@Pz|jmrGd9 z8=4pns9-(2u%!V>?Bw9irmX6mmz_wWT;w^PjpPB0NK^=zAiz%R=^<1GnMtU)BXGR4 z#s6gp2f*RzqD2_bsN`U^qKz~`YTOm&JpkSRL8G4{aFxXeu^Um!DM-B^2JfFHKsN8K zbjJ#OCJ3MB-hY{J#VFA+r*IF9jzOtWZbuuAi}Amzi}Z*&tK?%>IO=|Apr`7M&WNOU z3Ez$3x933x_MxLJs{H5cL(S1~8k2)lDSBvKp-Gq%Dzz?1ywTbx{7BV6U!eg;HA?f!1C3ByKA)&VGevmcm2YUgvR!vw}^pvkcvpcc*ZvtZ~W2uytcB&EO zq*;R8-2NNMo1X+&=Cu2$lh=D%9L_C8+ZLuJ*T%9OZEqeoDo^dlcdfkEoH;7zL=irR zH()nUSdG}m+LmPMjAcYtm|BGJQHv10E+^LrfMzPJPDOj& z>r}XN4C#|Wk=pwQ8Gz%mS>rTZigT=~%?iobd?q)p0P;W{dFjkx`$ij=sn0ALy!jG$3P3mH0Fn(*t&c&z`r9_QTKKAoc2JM!pmG?dtJ)7^#d00hM-FmMc z+UVZ0$RB*GC;qtg{X+qbDcwTvADv#x46LFoy^)%dXzk5y|IB#*i<0z12eT3(EGjyz zD>CtVbm~erP7mjo+T#f}t###pKq~+tpeiuq_Z1|ukhgGbJOEIoFf=AeLV~|@<;o%; zJf;A5AehKNFLRuoy8!V~GxS~*m`A}fhu&=mnRZ#lCE=#mn<#h~2O0q@b6#>6w?L}oPB^ck#2VVb=4aHMNAH^Z3>Mr23A(yiEc_;{zegsYeosI`C~041&0IbW|z5W|L?)XtOBEDE&V2l&jG|zYU}NIg6NsV*DaTIRS>W^F2muZH3oom^!ju z*Ividuf3hVW)o3!F+4!c#iQ;TX8b(HEcdzi4xSfhcDEh;d@)fWLkdNyR4I8nYaoIE zVs8dWUOL8h=Q5rvC5yA0rgImy8PRSDm_~_vXCZ6G9QojTIQDq*7Bl=gu{W}vlYa7A zhh=om{|-8w@K^062PYcJm5UUC@t{p%{G~#>chg%YbToxv6kbs*wQjMkWNScj4o{80%^a*51 zuVQD8Fbpv*(PGuT#~Q0l4myq>ig|Va>rF+km0rA#jt*+xv5;U`{6>}d)&>i!?rRc8 z{dZ8-Df*)^zmwdagcV(9`yE$T0vL{eV$EIyY&M2*7$3k@W>yat11Gi&rx zx(mhHOBHls&%nBG9q^+_6VSu3+pfP8qi-oQbWwM(ldQ%> z_~#UYQ6!1jI1p1*Xa}hY~HL?J=k^{ z{b=&Nx9g!DuM~)91$H(I>TA9@f9_zaMz8(u-fmu>-{EQ=hAtLE^XX2R*n-PjQ3@$D zaWffH`AJGsAF&#wgBlERO0&+@kt}1J+FOI|P_Mxl^{8(K#zS9=qOR3CpB_=Qazzer zAdGMu>Lkz8nL&4iN=<4}7U-LjrQ zLiu7xz`~}Fu;Kedf%hyap(GsfX|3F|Es=yHLvj)RKx#Oj*)Rq=2@YBp*1AO){l|95 zS>&_h*dJh|p9i?H;fRc`Pq=CUu6NeJP}{oC^NpRT-VcGT`H~ z3PxHR$!R64tzC;T7=nKD475#0wrkVzakld~8SuqGwOxya547F1{r6Grzg7(sc3%#V zSCkXo$;tga-CmvmX&51$3bQcG9)zf_e~c|^crtL7v^K4LkAjtR%=|4I6?|@bAGjT^NzCj$kuu7BcTy zsyC-(u|qZO>47-v2U7e)Ak#^vZBi1(z$!tIlT(9Byo7&{-*JHOtevwlbR5h+9l}i( zjwX^7+KEbn)F2BDvKNR83ao*1!wzKaP?V?TU}%k*VVl}_IO7xAtK)~fW55ArMa zGBvt`&769W-njC!dx=vN!*{%j>!vXW14G?f78}Pq?zGNJ^+oNP(~(u1G+q>EuLX*} z#mJXk#kt9QfT_LbTaN(qtT`SyHW2lA^A*|+E{zp|8R{IjB-`V!K(Y2!c0KVkAQEK8%3nth5$lQ0v zV2kV{-Bwd_6SW%G0b$l8$hTNRZ8nSsg6eyPjl8tiJ2z0INCnW9~L|ge)6aAB&Ob|{;eA_ zX?>imd8dJ30_WrjP`_sC>cA!3&>ucg!oF#J!`M4o-es{T8wvEL#HY|8-h+mP!w|ld zi2}NDVk|8lO1Btmo6gNKnsBkP_>A;f`5I90KzPc@0yCofwzL7uFy$j#U)lG*>B*+H z4>O0)s2MgZp(SmGCqH4XRhigPQzEp?FjKV%(_@zgR&o!d?rXfg8hFD$7DQ1Dt; z{QHN{T2r0nKVCV4F7^}`rqLagLN5?RkUybq(Hb|0U5y)9hR^xHqhrC99`XtH_+~lx z5eA}Trho&Hz0LJs=wsKTmS?TL>GsOB1pS%P(Wo2ykO*8~LZ+TDo{Fc$qzm16Vxf03_Y-#cki;;-Bzh$bkUtqI92>l5ga; z^rQm0!=fv(eV_9U5x9c4x%^t5*V%aPOk_gSno;Dg$qO*BbB{eaSK8+ylEEllHI`Cn zuR}OdK9PU0e%~H=kMoF|6I6d-o`$X=&Z1tR*xfv;SXJ~&A%E9xGSYNyXdDZ&dHvc! zzuf!YL(FuMFkeWHin4mczDEMgAlP=GL_fjsFl5Do9pJ`;4L~MPD;ffX!eCAoG35`= zm4q7F=dW>Xjh#+L`vY^#HWrMA5^A9FeS^Xbu$u9z21jN0#b=OR{DC@TJK1T{wwzP+ zHP6Hs9AC^1twAkxjV&UrRzJ+h`FCf4d|EVxmAJXU$kke#0m~at8`>cO;kbdF!WXqr67lobZq465@$ys zd?w3Biu&?zk?iKrxBxz)i80$WI_v5F+uUUPeTJNv<4#he)8DLNe=r~`JLS6$5cblu zMU8(5JTxYrq&Rq7w{sk0!BO;Qwo=P@9pYST#Mj!_-R; zsu#3qG7vp-Nh*WxG?T0UUmURtbIr76>MbWa6lR4%qFfOCre2j-2V1*JW*r!Bu652*M!T@OMwZ2_muP zKsYIJdH1i!^R&ovObCif{}W|!zO#L=z)_l%1NXb-hA?EacHt-mPosH=1S6IkY&cbX ze^9C)z@K=!z}F&7&iMp*-~URpUldzVbzmJ_VSP7{5fi~j>e)3KkE~lu6yAdiNo|<< zbn6o2FyQEgF@qVrUgSjS@|@u(do1ZR_M%o>OLws~n$veZF^2=29$vDwj^4QIQ49Ww zrmbRO5r~S;;NCa|v?N9AknsP-*?T}WwQf{anAO}z+f=VX=QITd8R8&e- zKrA32y(Cdkf`Wu5h?Gc?a!`>XC@mmJDAGYXL5hJ;0wEzid7E?Yz5hM`dvA<;?=Ztb zMlzKBeczsIuDRw~d)HgJxz~lRGB%sedSF-X!XXUuz@gAPBsAfvJ9La}3FTI?iXCvV zvk6FQ-+9>{?gG3f3%u7o<_mxZXgo8I{0GwqAGn7{H7r2gt+@o96_9M*Rg5*Eft;YM zen1FUJn{k1Rz}&89H7&HO(sdvUgW2JLya?RkZy4fvtZU%Zu}m4<*W5_*M%h?RD3Oo zqwdPYp8U|xcja+&09rm=;rpi~j@O;7&v~|(&E*O~zKvuKT?W|B zWzMJ7<6CA}z$bg%*GK6n@V%NvMy!Eo*vPsN1u;Tw!%Bz+%qRYH765-*X!_}ga#Scy zeyzk}A_2&`Sguuk1GL*Zn4)+Z%9Sb6)c^z|@8K8FMSm~e^v}}M**4g)@pAVLeT3E zf!kS1=knHBY?RlAkfi(b z%vvi8J2~LG-Z`i{YRxu$vK6)P88GDF9#->u*3&zPoS*7|_~hNI!`*aPy#hrPMlc6a z8aziSx3daQ6k?Dj-S|O2xdA9MVdJW}B+}Vx$HrSD5L{)Y(!AThAq1XT98u>B*9&xt zRP1jAMA3bAbLMzz3C2&MpUik^Zmr1lG!CU1@PRB^nQS`*V=F)8watCG$7|bmq|GlK z8+JD@LY}*Z%|#jWEyAiXwZBy0*iQTpc^1ewwBWIS zkaG%@E{U24B2<-M={z9Vz;6MhJfvMJ`SU*&2H?&|n!y&+75Hs*#~70*kUIS#&Z+#Beo`gV50)5WpiM|0HV7QG#L zoDXh-P;f^M4-mWSu69wi8F2ipan@qg2b8--+r=JRP!~LFQ`K}1Rq)+yGx#NvBZDYB zPcOKY^kuImkHR+%9PA79cy;deivPjt#|drp<;q zcP1*XLtdpB-mF z@2YIbe)g87?l0TWmco&S`JTYrb+o`dS&6Hr8y;tT$_sro{S{TiyJi(bngpbygci%*CB$I2MZVO|+%U5X4= z$ApGnqd(}+p`kO~)(IXPmOlnD@x}Z-)1yXvZykx!bN_g!7m8OYdb**gd&mbyB;ATWJG69eVB!&&?*Q1U56oOrpd0&`F? z1E4Ve=N+Q`A@kfL!zZ{>D{!`?;#49T%mI!2ZdMcW)en3KUcr~&PpbqSy!W&C^Us&e@sP3UQV z)&AMBxNFAxi>OHgk#)LZX*lSILBMll=rpvF_vQFQfGiRMX?esEu2k!eF2f=Mvnz-Q z!mVtoz0JCmHJ2C+WxcEjfGR37-8QhSq1{k7@!-&Rg?pbhU$4o7W-;XDr=H%lvk(u! z!>qF~v}B*EySDjtS06+lZcekYRy@~S`Jm(NWW!){tZf^zBCD>|9Z4$eLXv{T0k*KT z5{qOFR1Lx8Bhb_%odGw;kLtDVga(XqhIV7!zI;Hky@{yjNH&n$*kZciG7eCwW7QkJ zCKXc+`tRW!8A*`Q0H{NXV8bZAui)HrYfL@#$7Uelo2|X$`5p&2Kcv9^el83CMfzC& zHM$plXbqrEI8NNbJ_xOZs7H+* zxWd=X7ug7&0FE|JI<_wp8i@W?`mUI-%YpTQd$=Sa)Pfjq(D>I1JD5kwS3I=2L>{Co z@{T+hC6M&5S+d{>cLCAhFwj#YNe7tRbM*auuIINMwV%&(017wr15l8oKz}7)*L(OO zt$>n;+@tUfzEmAK1ABK%w;`1}>#3{I#!wlG<_Ld^cp2X!{=hQzcyYQ!%JNQqh zGj2;I)z#Jo{73wQ>RW=T)w>C1xC@9AA=gc)10zPcnfwKjta9GZS`ts-;V+1B51gZ4 zj^}{aM|Id1#GDNr+0&R`OuR`7c6I_*xQF3ckBDD^4jw_ZyS~D06dbF@f@=K&nVD(FSCes@%4O7;$iMM9n0$^0E0cgQ(Kn- zbNIR!x71)ui}A;pq~Prz+yjdCb0{+=fQCP zANy{?vX?w-KPR5g$OvUr;Fe3tifJhRt@rb&wF68=FM$qz1A|@hIiZU0T$y+m{Hy7o z^8)DRDE=8|&==@D5HDAcZ+zF^7_kB9&(@!w<|)*g@wm@L&Ep zt4%Y7;-}RYiM&7JG}9neojsY?;K_hE+WUjwtv5D_Z@1`hR44~^p-7%_l;q&=Hk)Ty z#TofXd z#!yLH)`s0v9Jft0m(Abns;fJ%JQR|)91l{EORS@w`7!7-X^;4zsNfTQ&vvcLP(!jl zz8zvS^yS@F0T9ua3of_1OBV+PBx4a87SxJTx4_J9c=o905fKHNrsH=ROsG8(N-WO; zQclY>3h2*kUMTR zlr!8+OZTHzdb~$kfV8Fw?MkPEnS^fW$mM^Cxut}TtwhtHkZ_vwG!8H(#Ah8Ohon}< zt(+SBsMjUk2H)g1m5l`(qgbaZOL}lutLHBtn2qWMW84Z93{9N)#>~6HwlG4%v_W#N~PHl;1B0%o%d@32rrV$RAgn=j2xLo=wGk0h+_|hP`Zh= zwheNv8VhxTX6QSFgNYG8j#x~&;KLD#vo`ZPzq+A14o)PQmZAweEfjJw(Z|>W5Ze7i z)SMNdmbDvfvRRgGL^}>48q&Z+wMc52qULE7%M=0TkA-Wll-8sLi#jv}0u@K}!JnytWWirNapTO05j3c{eHf!OKOU?t-j2xyn)5l`jK#{QZ_ zL9h9O=8@*5h~KKM&TE0K>v-!*c9I&pHS9EEZ>k?Atk^FAP30%fsTVy;QqocY*K0dg8m3k4l zwD}9cz;7XM1o*#>hyvV4tHgpk&KtD&(cJS{**#`o#9EstSBERIG^xA`;b_$;@Gxmx zGGHw9Jl~)Mk4JdTp6Qm_1@%y1t*sGoHJ?+L4K+JcqAgg()j-`=Xi-iIG2|n=;vAU= z-FSV1cD)oiuY#^APKymTDTQYbb8>_0X48FGLpWAR!-5U6-LYYPV~TO6G@N!nJ9KCO zhFg4D8b+eQaHOHq@SjhmT-X0_G^N$-O!AP!8nY)u1rh!q+&K}pRA#gyAIfZ3Uh!7*%Mg)*kRTO*vsMK^g^SmoCSwQld-PXvM zEeW=^>rQpyqcZ^JY^7aN;cn~1a;SE88Kd?eG8T@_>!qhPKxy3fWDEke!mc3BHQ?xM zG?HJ=NqR?st~BIPCZANC!l9Pv7%uM<0ZM1nR~0|12k>W_$Z#zl^*ENf>cK$t*RDfhG z_Q+-7SZRM`nT!pRKM$Fs7&596oT1v``W0`VaJCQU1!40joHq|&@A3)T$Y}VL*8^b> zT0&WU6&M6(*0aZyJ~65eWfoTuv3%;NCzL%p2|kWR@s88AzaFj6GmhE@-dydSJlHka z^fvK{nec!3GRYPW**VvT;jPBa^||>uo^5>l!?7-s_*-r4Dh$dcRTN^8L!%{FBx`w} zPe}795iv!~s$cz7ir`5>SbezlStvljxgUb-m%<4f*>qn`vQ#Q@wzJtqQQIj5b9ah= z?T_FSWPSpXC-KDULUaPqjPb;Ftlshvzl;qNSz2{Xq+?DP23~*!@pp3_AfbRkbp_T@ zq4taX4Paq~-&Z2u5jw)=Jk;0PgdVzY+ot(>8+2cyc2&FO;gQN~pwhEX_r~ag`@>kH zXk^t*C7_&IX#q%-ZMk;MxqCq#Y#*9aDYD5tUXHTlwN4Sd9ICLp+7S=$g>p1 z9w+dg;^wP4KL{L~2C5B#xm=;hj>PhrSSULk%MJI0a*sp(H+gi_wy8e{5&<)b{)^YN zfLO?q6XD^e8l3aZ6V7-_HV9{rPgOa851$o6k<^hhC{{O_pp*s)`r|rOOT7|VF|_BIUUn!xM)w3+QWLX3eaayT4ROHHG1G6SbVF&0f5es* zM;WmbyY=SG0ICVJ{ViIe=B{O%IPkwd4304;oRP2vm+PD*Z5z_rK@!Z?b-xD>Ik9K_ z{%?tkBWi5b+R9L$O!p@nkycJWevLJP2b zy({t^SzPZt9LuhnrDGJBh?;ePnbN8VTrz)((4aMkn)l(o=Mz1k3=3$$=2wvb%ztrc z{&~V4>=57?kC(E?N=?}$)N~qZl}irqLGf2m3=lu92g>J!OHJ||KRJJl`c`;rzCSxZmv^3oKSIp8Tn*YKq{uyC%TS`--#^%Q_S)!R zv4i0Pv1z35Bn|v+qb$ktKtwNK;3y_g264b-3n8Oy*KB=lK9LIMnc|30211cPSBPAx z<@eLG>d9O(He%l5pI7;xFU$k+$DUKH9~C~l0w06$mHVz-6vvalh@uDq<48xb*9QR~ zDh2KoR^4WNaYB;9>#HMIUcwTxaxuY~za|Sp`NG*NTvfI=8F~@Zy~0)R7#tAoS}#(} z0hGoRv3Qzf1ki)yeDyb$+HN@e$ym!vzq0o*HP38$o5<+PV3 zUch+4wd+WQ-8K&$a1Xrz58CWmFozVJ2~ehU%(-fojMPd;4u>@l{)zaBVz7C6d`6Ta zqqmgnPhd-RLpEfVP5y^zsUa!Cb(EK-ChU_0N|$F(9qlNet;mW(P1C_B88R_#-6Y({ z)|rw{kC8hZ=z1!zn|;a^xsjb1oc&8)mGPyprCx>X)MN>te-#G52YBSNIa5y8TUKJK z-XqC2-ZZCdO7Ev3&-DGTIaAHoofOt#LW~%+pSda6P2!EsoJ<8+{Dv|Muvi$Mc3o@V zU_897fF#u`Rl9>E%6s1;-OU`Jx(pvr<*^~3P*SyGF{_>-#7|9mi|nB0fl&L%-Z(a$ zH-#dOVvx)5a5|jD)Bbt%(P?0i&wuywbrieGYx^;(k7$MlZN45h;i}_iF`Pv5)mEB+ z=SFe(?5wuf32;vr+p@C97&axJ+s(Fg?X`%{ckY<`Ij`&^>oK=h1Z1I~`GRDiwlHyX z3pc74KuzjEjUK{~0i6a6oYVxIL(7|031+1F)w!b?=Y3_M9%H{>#M`K4t#mvJF7ZhX zU0k#GRCE}t)2wmt*_Tph;(((S#0!l|Ya`ygM+P2A)?cfW<_ud z9Io^;uh-%`r_(ZgMa@dt7AKZ9^;8NxR-+ev{e ztmC{YydDB?W1l_#6cfaM4Q#aK)-@*IhL5GZkn5cLxsgsUy%Y7zAW?^Q@k*&C;5ogl z7^Z};O8uc5iZ>X4dDEDsXsA~Q`hmf?e35`wHfR&Ay1)0rRwOh8Xzw$ud z$puLFc8nZ5u^*#H(;5{ydxtAm&9d|MU+wU zRB#SEN?0Gj;>(Ksi;Zw1XN_qlZHGSLfOe|;s#&@k1f#BJgc?fDg^yL5kF1?OYQcKj zHzap8zK=x6-DvIrg!6M>Vdv{H5i+Y~cM6+usRN#HJ|J#Z=LO-Px^Em`+266+(QAH8)C_+UK zBz)7*QZRV`e+hm72KcIrhm2Aj*QeH^hq2uLQU(P|og~l-`E$B$7%fon%g?~$A(ZS_ z#S+7CZM86)A?D=akUG9QoUEjrY%<4H4XNh~LNO2fREv|#Lm6@db^Lr}NTNO<%y8Q% z+uyM2RZr56Sf=Nb)Ju7zXqJ<@Kttd+*{6?o+}X&@0C(z*slk)L<_hct6&uy^DISS3 zKaPb|-aV23qc2St2#caf(z3Y_mP~CRGE$r-rG!mUpY}icq%x2ER0h&wmoMJc7 zaij|D&glOoz3?-eepwnZKYAP>%Y`Tk9z`9-(E)}v-uVhzWilZ`S={R-wb(h&sgwN|c3XEXd;MsVC`Xv?HBS+ei;WYVN~;FMdgodQ|e zn@Qvz0XOxbJyREn&C;Tixa)rea|eCW0n0%fx`5{m?d%pXOmfTr9-_3QRr;x#Gw^J( ze9S*^yWP`A3B$f^&9gRwmjsfr``1DZ^VclaLM!^y%sY<556x@d*UVlj+$Ynf_BL+f zC~n08hmhKIfjTTD&TrIfTk{JEvqDL&jED9$j?X)6kF#}(PqX*d6;8({b2 zVH}SJB$n}>yb&zF0=0<&&mzebU&okmiwWhKY{@wn74mOgwf0q^Lc5V3y{+dz+{>b565`jZkOm9m z{ra?`jDSdyV-+tT+qE7Ij$+bkb~+&K$EGj-N-`ziM*@Qp`-GUe)!_Ir@In(>RKY{8 z9}M#D%}l1uD?jaRmYaLa8|vKnQOah)xojxsC!A3Qi=ZUi{4eOgwfjI4;J^7xA2k)s zp9V$n6|c5-ovDL?LG-7eRa@j$6;}6!rrinGw}LEHFZKu09aj^6a#cg?(trZxd|wY6 z24r=wP397JBs#`>*z-E327Sf{Ve{4 zeLf3U8^`ucBQoblr;^K;SUUDIN)Xz@Rdv@u8?n}VcXd%xtYoU^+%%FuBw!3CgQkvKPNw+0c-4}p(v;2;*dyT#KTx-^ zv&lmKO_$zMW*T@($_(0uynmOU9L73qX>nWbN4t0W;QDpTbW7DYKv&?b@>5v(JHQ-g zPh_;=ZifOR(2(<`tPdarL#konsnnhS_3GCtX&dkX-gg4yK8mJ)be6X`&upn*_fKnM zTW&N+(o%_Um6z%bBQ!wcUP5w@1WHCjM+n zDHE`Xqu9M@2!-j=vLp4sk9`VYLDvT77ItJ0Y6Hz9^OuBB&AJp|at-V#i2kGwdm1_A zas9b*d3+=t`y-V$l`J(@pv5}ZQCPPElV6!asgSwqW1olfBgoLuv^|JHLkJ#bj8Ga+ zEY_kVFOah|f!NjIct8`B|NT>d2=sD<$RFL84Q{I2gbBMF*{*3AySm1M1ytW;r*&gJ zs87E)H0+8uzxWEtDpI^ARyR;oG_15`CP}p89xM;DddaR)~GJJ__5gx#V1-Pb5%!{M+6<9yTZC;P{M&ZWO6dp}|QlW$JfUq_JNNHX)l~9 zK+lAYpCe%5U^jK^fGViO12d+93O-6ifNgn3N!QP4=Q1-vc*u zAIIy#@wsFa%O7hI@jo!&H3Q|f^0fNp<@D;hc_wbtkx!}Cn&lPGGe>}1z%$0?-V}6( zCl=_upK?ke6xijQE@R8eM0)m1?$5$5N)kdGt6N|3B(oiL4z~i>4Woj{kc&j1Si`Iv z%;T-NXn8n*?OaLIKh1@D-Y4v+-RE(>`6RHOn-}i}4B|q2{un>ICuf${x#5AMEH&^Z$p|vLD0XY7 zZ=f5;37b_FKHO9vBX)rgC%OX6Oaeo~f2DhNyVA#oqt6SQ*b73|pTRQg=?JnhyB0++ z?3v;s2*I26fRfaM%^;Bn_?WuNV` z#88>{z7$pES(sFa{_eB-Jtd6s#*H=n!*X*&>L_lUe;-QSLHM|LT0M=J+-cF+sr4Dv zvQW=ILDn-256yaOlAq+A^4{?mka*bIk1-Xkl|x_JWz`MZwai}x)g>34fG5#ilxI zZ--a}bv+RidL*i74aYin*dX< ziqPj4ZLsjMGj%(k0(f)-y)A=6W@X`Km$S$mVz+AX)Q(JAqa!ZWvIg3%fqA(qw+Z%J~2 zA$O}wP4e4bNiEb}wH#l4sa0GKEaqPKJ}G1f(M6s8yk<6o_3}N?Lx|Xf>TO;FgKLyK zfHbL!kF8(Y_U@0iF?G|&`@_ifss}C%UN(0bui5kbxiDu$Y8mlcQ~Yngg*%BKi76_% zZ!Rw4k}~!7$DLp$sUo#ez+y3;dk}|~ANO9oWDT}p>BhM@vm8Zpgfqz48 zyQl#A(ZAmAL7S~kIj0+Yepnu>uk{tpeEF}B{`{udy2`eoI0XB(cWO+u(bJkSPe#C? zh;|OF_R+pQhx(4MN7^h{>>(8@#wlt+0<6uqpRQ9lNCKNCi1%p0Y%(mLr02cRnYba4 zuKoEug4DE2h;eaR&3puHByP4_)_7OzA}DaoTuR8$aV>T^Y#~bY*IDBfvDQLSs?r^c zW#m|{Vqo0pY>{fTJoc&}o|t*L-hF5C;iFA6%7W+{GpEJ&=e+?*&rVz@@0Pr^BU*>5 zIxau(+r1&G^6#RxPy@*EWu0BtZ1>!KiZShs>s`T3#~Mt}D}MaMUis7n`q5+PCwgb& zE83KG6OXKPqurT_33(nVi8kALc3b+|RLF{&<&C1o;l{plYCUU_F($jK_IrqB=kCBI zUtziJ+uNQ5pBk2&2p>_tF@Nd*TGoHOot_qc6sLdxmzI?c4Eniz;Q!hH4SB)FfX4~@ zB#T%rU#6?NiprMOZnluL8udSM%D2f|G?q=w-FM zqvo%n62iM$FBHbR3_sZM`!DMYyN&P{PEFS;iS^+>YvsVoW-as$Ag#(Vm@j~nUopP+b=N5;h8lklLav%?A;fL+@6(1tn2yv~otPCN@79l89SHtn zf4q)2A};OowvYW1+DYoqVl5-We@Yi>TbIk+MN2-Fe4K5VME(QO6 zz5a1hA4{0sU_PHOM{=Vj)|Q=({th4e_Xv34=EfhSo^O1vT+&JnmEXA-edFA>{U39B zg~o!iW*_q+BUmf}LcoOt?HSpV##QopuSh?BRF({>RTZdt?*8fbai6xhq4k{fMIrBn zn^gvFXZCd8Mk5~k&{g1;y^uguDYoJ{MLm91I=gZdzwZuuNxif9 zPhdFx=0Vn&?tB{d(24!vedp!2TY|QK`SRrwWtXYOpJ!NkJ&UOV&FzPU+6w-EQLBw58WC63qdx1$fuOg>4Dmok)_~ zUY$3V;f&LYPu7bq8vCM;2KY^PE5Y7e>5{f4v5Z3k zG5egX&wy*Nk7n>S%6Ocy~26sO0@IVG~AgGiB-(=*ai5$y4&% zf7|z%!3Z&|vPpYhg6}T1<-nJ{UXHhp@Gmi(Xgg$hMdm&M?PzW8n@7TV3ds^iU z<(TH=ugSNu+o+>A#Kj&7C>t!GwXMa567JPs<+auE z($2-gtSe;)R<1bR6nn+l=+RvxE&ZRBZhdjkYM{XG$XNMgnEc-f#6Q;b&3^H#pYFYU zXJxDPEk--#?+o zX^z$Vi}e$vmnk&-M2{pkp1oe5C=up9E%A^Hmgbd(XzdXaR1z@Q^k3KL!|QApoZh{M z_(De*k<%hgy#bP4c=JLh#o$d;6+$N$Q?{(r9kqV9l+-F^oqe^{67Cx@=C(I7$Txy@ zJ7QsE{U+M*mYmG`>wuLHGV6LieSb&-XZ4MW^4b81U_J1=-QoVE$?HeNwwGKfO+DUi zQn>y7=Sc0#{5z4;I!BH;@C`cpj=I$~^nMhZ3^TS>QBmna>*XyJ%IhDcUx*hsSp7VE zNL#N;uC&o^@=u1Bf)X?eA}JLHk+of51|J5cDgu}Eu6+u7!7&Q_<2$zc&ERb9qkn^$ zOM3;A9PHgUmq&kdD|_(r-##%A?AWv2z0Mcnb^qD8$&`zdygQV3bqsi1UJE$ zg!SHxNHH*o4t(Q{x0L<*<;_0R7Bc|!qeY2rj4_XZXW{^T3msXyxtH?khST!boxjz( z1xiOmmKg|3y)crpT6<%0>}4GMA^LX^!8RIls^q*{F5HNK0t!pM}g9yzmEO3YHF98mz#g({dId6ctwe0$pc7;nwoc7{)$y(kHMmhjD) ziRZW^Ipxy1ZadA;AQ=~%-FKu~|J>|lA%TRoFgO)g`Lq1iw>?ZoGDgk#2zo%{2V+Xhdb6)1 zrrKWhElJ=>o75>^iS7$R#Fz_t@cO%~{_+ zD6rkNAc=gc`PBTY?yP)Ii~^+^mvwlz-@1gn+vA({H1l5`FGicHqOoyIp@#Z?tXo=v~IIidCB<9 z-wq2ps&NjBg2)9HF8w{9yl`6Z6m{2ey+qm*>VeXyQ`6%;5ZUOcf=i%|9|PmoVfT%C z@P@?9BkDm*_YAh-ct&UbxMY_Qzhd0hJy|=)CO4$nfa_aE-e3P>4dE=PR>&sXN#79m zk(kO9Rc|P3%Q)X?zAh!8GL=pWeW?&mHM=Ctv@Zf|Ai~zZF$sa9`fJ5P@?()=+k}06 zGdC-h`Ohwl*4+CwUWRSBIK~09(ED27^nB?{)d5&LRT>L$n))kTBcK~0ZggFw{AcE# z=OFg2-vl+Sly6+sXnBw)+7!8B#2P7pfcM1b$lD^L6eWf)SlW_~HB8>#J62qS6-{&t zim1itZSFp;sQrMQud47QjN0_&W?aJ!d@Lp?4kRBp+bBK8xLy0~c1s4pYyL!z=VqrO z>Lz?=_en@9Jxtko;eht_d`(~cZ|qCYPqmC^WE??p*PeO3K5hqXoO>mufr^ayGQbJW=U2gKwkOP6uw3tGZ*cBkt)%3i+ZU*^6ITDcx6JDPX4{*cnr6^%Yz zYClcN>Y}*#FHFAEgD+MeP48Zs%ken6({<$h?Ku%}N1RN>A=M)`#}^lUB%Fil9)`*o zss#l?WRr27j&Q_LMCs>K*FW9!kho#OoO9@(|Ex{vK{?-9m4AP&;%sXj^z89j&7FnP zGZ~FLC-wDrd}E6#&Co8DJ_}Q-1;hmdFJ6KkBBfDLMQV4Zs_*lU_Xc(DkL8HEFmi9i z=}G4$B=3|R)H(aX{#dSw+ecu2N;8xg?MJmh-|2@E_sR=%eY@j8;c{YeWnI#}6-&Kt z8LUks9oOYZGc~ofuBXRDo0RW3E4A(xCJ8FM5%+!6ti$?gK+|~;)vae8^B#s%X%QR4Xi$9GZL&C5pL zv(KrepSaU|f%N13tWyK?S4KG!(T8A*ezM=MGWD9kQ@@X7kNHc5e44@RW^BLRvCZoo z?Y?V%W!I&qg7@`!=g`^~{X4f|U0e7R+1PigC3ZOO*p6MIC&oWWyh?*3ulWvq$rWzH zwQIKb=U$Wi!v0V@mo!yRIcj?JxYLgZc4>2!wpN{uo(Ma(>~GrZI^z8wZ^yNqo>6tk zj#K2Pn=q*Z<+tYVJ&S$eKWez~MpOSJa47T(JM0F5;ALPfZXhiVg35)gza4g`z5+de z(%2|~m@hz0hVL@RqOEAE*Z=`}Y{)2k|H)*I(ePH%L4S4`jpQ-R~13B4axE4Y~% zaKqX+b&FFEJCE9by7${a2)SOT{Na4Zjt_Yk^P+X{^eW|TbX61D;}!=%MW~{vkgu*2 zC20Yq!M<0vyhZhN&ITBL4|y)^jPguZ7~)kvdE&OKv)JB^Z~pJihqG%|v|O)igtkY~ zy~Z`14s=tz7|-+X(P}aeAMI|)-1Q+qc)#p+%N^pS)-MlRf0b3b{3&0{wfr=M$&l2; zuyie}8_wI8Kj_Gzm_39e zFICFlKJY52e5ZKSv}Q2%!_g8})w5^!=bLUe&y|$o5?^(cNgQa!_%u8(Nx3N~CtkW2 zE2n>Qi_f1@@>Nn%D4%vYxi)r-t$dNoqPc&s^-(xxoUJ-@Ii~Z&gm$^#?AiWeH=zwT zV|V}aR#q=BmkhTpL-`4FlT!z}=7anm%>2pMrp3gBhj757^w2!UwTdzHBAxaN6EszJ z<1YKAqO~xu&C{i1)NoYSgA~BrWIqe@X*~Go!R{E~)K^jX^QA2>w485P4u`7Eob*waNtd}56C$AKQWKCE zz3*Tfos}+GdvY``<7*nI}bdq8IWpB&{gtSA(Pz6ZWc{OC zzq)nH@7ik~BHq28!`@jc!{T*^zU_)ByYSFl8vo2qacmnUD}%w?~;GBPSFd8%*i=Fi=glhpi_n*uE^nMz7myMN+HchaEkwO84ioyY0c zS3^EaQ1(Ahnu_dx4KJxt$vXJdCSzA(e`P^;X$_t{k(8oVQnkSO;n7jo;&rX+B8)2j z3Vz8n(c13op{k4dEranX8pm<op#F9(}prD2oi3n!b<^*Ak~B>H5d*ud>Ic56cvk_O#p@h(8fZWPhRzL|z)raZWF*)t|6N>vDx>qzKkYNzYrSB3;|MY*QJ%hYa&9)MNsJREr%>wmz!9PuC7*BwBh< z7wB)xJL4QbXlnp??^xJr_hSq1_lS=u0(dXY7`CgHlHHBzeH=&ci0!c&uks#wSsHM< zF2eWoSs8OBqu;Nys0~-gK6yJ$$E_LCYM)8YR}%_;GgvkHQ+jCZi!|%W_H4Um+I_6k z%F6ELB~#JEpJSWA@?A&wk*`=fJ9`vgDo)bjQ*iv`;(_Nx%RZsk7}XhhVR`*u|4v!o z2#T#iSo5C4f@mH3Yg*GUV$Ph`r+b3la?=MMM+m)ogVtkS)%w(_Sf~)VC{^?EX|Mil z-U}lyO(2uW>xuUne>G4vt0j(^&}Qt-1`*BVE9p|$CHIKdGqT%_ThBaOza8;jwmJQbPtSC=d$P}DajBNuiqT2i<*Q`S2!nKkYYRe>vFo2+ zlLea;Hp*tpUg%IQdeM5besSIliE~0Oaxvb3^5H90b8UFF5b5*)V503ujn!?gqtR`P z>wOQ;eloawwIublrKMHK>69m@pM)zdrlpU*&W4zpx=2)eCAM3&>xKr`Xmw4M=#v5$ zH$}=LFL+73g3GE+(-x%FJcB-Hy*Sun6PL78HRX`BMD#$ex_t%P-NU_IL2dW%AI8<7 z-F7dnHjcYLlb~3;Arq||OTywF?DTc^uqtx2%cXYy^qs5%YfY%`iJW`&*1gsCo6j)o z(5RmA<)H8F0N~8MT;M!kIlX_XZ|!GuoKDr_Z$Tf0l9LY23>96oh~BHAJ(u#U$x&^k-F8%M^lmsuN|$GpbA6zy z|7W>!sNT~eZx;&M3+VV8P5=D$dtO*2h|$DV{2>b_gCw`k2`*x2ANu z`&1p1Wpu2G|5B8V8M7xi1gn!%MNUdi#r9xQ7*7N%2JgmJcf|OWc-%i5`0RN}VSbAj z_oV&vC&U8l`L%#&d)Il8wh`Ii!yo3V86Ua=Rlk&U0RcKssK02%wtDD;ZGC8;@w%1p zVY2q5Jo7!}?d{fBj6=Vh72>Q$jwEe)0A`KfTnV_Z$ZZnP6_Fl2a;?UtXK?ZO+)up1 zup;>X;p!}-;@Y-to!|s1B*CF@cXyZI1OfyKcX#&yL4vylcXziS!QGwUE`?LrtG&;C zuif*0!Vg+2V2w3q?_clpuW`vx?H~!o{f29Cz%G6jKJrJS>+Q_AIJ#_0f;*lKuffAc zyLDA*;p+xTX=yws{yNm1KZI$a;L+-XEFcxO|HJelNhzXCzkupcd&_?m1c@9{Xr|Y^ z7i9nF?v-<9RSV+@`y< z;(D^Xr@2WR-z~xBCfOk&HhlD7)+H?&oCA>J8_a$7mrLQ$YH{Ba64wnpgzLyJ?K39* zvz3+{vwPt*(hp^RKVF~FD|cIIRee@X9T#Eo!4qG)%Wr?P7}j82{vg%)w1PwHCj#*h z1@feQ{@Zu#82c9Nx0c$6M!#zRjw(Nb*J2fXB+(vDTPA(FbZFpn(}!M*f&FUpnnH}| z#Y@_-)3ScYdF29Cqu^buV!&)PHwh@x>qZQGk4DZGe1Z0X1}wdL3JyL{`IRsLSw&?A z-S!TX^^CpO+?4Nj$Hrus$75p$5+=slg5+zN`xIC34GT*9?LwS4N$ISvgCk(wI)pX2K5UKgxi zK=zwM5z75*|LNkR>-&P!I4$R-5u5G$8B~QWVVzJce=-0pP=`IhZ?ps(%~LF zx!M+K_gkNrTNfy{dXTr>yS6oCE#~T`gfk5vWpX;Oz{hh{OfQHx_x@W^9N z)R&QkpfSi_wd%Sw0X2vD`S*bNP^FBMXC7(7hbL^)7-jFHmzm7m&=eb zM0aMDnnp=YJwoNnoY3ERlGIS#twu{@BG|G2`qb6Vl?2h#%EJ$9qM7AC*D`D5Eh{LSI zSgGBZ*u$g8f-+|}zS1aNoxZ_|@1QPHx|!28mMNfYhv#&S3BBZ$Jge1ZJ?P(6kk<$a z4jT*=fcARzQuaoJ5w~^PxhqYk<4qqS0Mi*Ta_!7@B*)m(>NeG=FZRRpRlPE$Qa4J? z-e(N(gz%FB-;RCp$bKcr^v3&Q6nY#zqa&_~RoLps z7S@VPG(=o;F@6+)=GXD1+D^AruQNoFo`rI0aYUVg%F;W&_QE~MPH|N{+#@~bFdS2^ ze|G6J%zUo#;NPM6%Hc@2v$fJq=gO3^ii(#3o)8__(EuI=OkFCb_vBfbm;kb2U@xZ% z;v!Nock-RhnWfW8O|Gz~nnlnH4Dn4ax)74j6u@_hKg{~+JM$@76S3`93d9YWkmwhR zZR2P*?7%btSdvfa|H1Ylh%}kWq8`9~+4DFRQ>ky`ionDjDi+P^$sC+x;K<85!0-Ca z36%=I?c*_~LFDr5SpvFlm{2sg@se|{espeukPYoz5R($C+$vz3f|^EO?+?i!P5+!(b>Z{4 z8M0eJ%E^1dn?ZG9(0rrH=jvMxUQfd^)N?@&oo0TPFz`!(UR(C&ZuZG?xh&f3U{-;H zH^?g_^%3QLhZX|;cl2ws++`~b#!bo#g*CdJBJ-r7=dw&JX0%s5DXV51TFmr4v+9kO z!RIiFB8i?Kg%@AUdOhk#7EnDiQmT_0H_s9aHtQnX{ZO?LMgqe;n%9eht3;`(mB3IX zD5X@bIEfLnTG|z#y?^wh<^ucnOBp^m@-GBgXKtT=;0J7Nw)Wv{(-FI?uzsWds?>N` zO09sbSr`AuFV|J3Xd3sa=QCFqn(2P`Dr}gv&;yH?mvifzy5>>nv&CD%_%A-SuE$Lt zkG8LP!}Cm*5-v|C2U(tSUias=3qraaTkCJH1jAu=h8saM@vrgS?ii0U%>*+|V!tG1 zLg>C|Bk#UXyd*(j_R-d;V$^E~b)~oJcIoB-{mQs_vgz_>G>7tE(uZWBSK4hrt*qfQ z_l?48OG6E_);fS^pq(yipjq&KhuE3d)pFUXg|p3GScH2^T>5t zL}Ak$yDRZab%z;}C+YJ1B8$Y%&NcfRvtFBy+lAaTYD?|ah4(r5%xo;3N)xSxJA3mx zETn8={qd=)OIW|XfRMC7=L=*b=tEhjF25uBQ$W(qCio97Iu3Dj7pqY1fUu-7OYd4(yNgx##y0_qo+pYck zVgIl02qrgZ`Q+t4xQ1sOj!~ip-5L}*9NzFhKqdGj6qe^=(&=bNQSb6+g$u;-McopI zm{l9a)x00)2#I7AF!S8OG!j`*^*f&qMump8wr6U?mJ7mg!X_0n7;vdS)0f9e((RZLv(ZnAc&(Fv#%( z1eqGb7R~*H2RsYhhBg3OS`RK7`s?0Fh58+?g1^WB55oD4>d?A>;SM;k3cF5)0Eyb( z(mB77Z}6C=hZXaL*Aky;CH3wNgv=Lu*5i2X!xW>J=fKquU(y$0{B^AM{4%Gl5&hg~ z^`oQBEkj`~L053K0%70X?mz|K$&br&xvk1htXyl~BbiU;ZT=&1Y7)(N%i}avnA{Cf z{VtdMNC>}dS7rvN;yU62i$02_jNTQ*Go!zLg3~3}3k#SWlayDdoU{Q#DR?=d;veYL^bf?ie6v*(WxNjg=#8)7#z2`*2{DR;5zMk?gqW zaEiv;$2K{5v78P}Faej1g{py!l+>g7A@o2x1Q2=t+sq&-rO!FzLU=OE)i*{1^tVXv zu#`#Hd7BYmPM%dE&)=csungB(=!{1_{i2^oE>0!0IW?2ykez<~!Xzf=x3@Hc^{I5V zkAZ@Pi9=Ibd4)7vK{08_%9fIYLdz<+B5Bdyip8~TyBV20MR!Bf?{!ZzJbF5^X@7ju zCFKaQqe)ftmyDaBj>L|zmp-y*dyy^hA3tf=)Zmcc~26;d^>{) zmLqn;o%;8A+LicCy=^GJLSmkoZBG=%GT={cyV`X36vqVs_41VHZ(h_hoGjQU!ciS8 zFP~2>?o>G2a;ar=f=_(>w1Q8^{$?@_*8>iC_bf}RMDC~-JK~6Na$QpWO-3vAR5EJo2vN&i|_N|+6J#wB>239 zG(4@pDDV#)31x8zVM4-+{Y}t`&!Ho4wbk|HKi~f!7gU8D3GQ4ZBV)QnEAGOqzDZF( zryuSsu-V0GzKm*7&%IJr_BRzWlJBE5IqCLzhKTZ+c)v-%^|`Gg3OUJKIUVN3zK>)_ z0E@FTVNXNlpI~HclXJlb@V0aMd)w*&2`BYC;-N*gUr{URQeOLW`jcwVJ5YX)bBqOt zYA6y%;vn%!m+V9!S70EX)a2*r&%P%hyy?UFMfK3D=s8fcS~80$e|F`mb%`lD|FG>d z)E&rtdg>{L=u5i=L{t(qHjJcve`lF;f#`bEXD$YwwjW$90&bp%GOhe!P8F3!4%i-+ zBFg%h4EG8Ag(j62nLzF-*q9Md;bt25MHJC3EJj$Mi~Hr5ywNpfdT(>U9pfsa2H$CC#-u?l4Gi?Biz0{BG|&;VPXM1#5QQBi~Vj&v0K--(#uz-Y0`*e_LQ zHOXNOUL;p2N@W8jl9TF4$v3|5Yvh4uleZ#0x>+f*0*!?Q-cjmMV08Kks%9-T0(LBn z@lulg$Bn-UlyNhyEHu<_dVamLS+;-)KEBN?pL86s-+b~a-KfLPJEvI2x2!{1T|Vx= zD-#nBGK0C&8yRS4M8d<3hx0w|;BxHr;pKvUY8xhRx2gnxmyvjX{e7XBBBhKX(41Zs z{#M?NWx`wQQFbc3#`|1!P|!{UIuT@A!PypO^TFV*B>^7Jv^vr06Q2 zq24BQxZYRXTVmFAkzXOcx~^8cGJU`oz7du!QJo*VxD&XTc)M@9BcT&ti~DIEP$CL2 zzY~<0ICTse1J#HMKU*Ng_L3i3aT)hmMQSt8>rA$$}6Apm(-FdQU1^3NjMZvR`& zfQLi%>}ik5joEN#D9S@~K|B|E;+S@;miLmUv7sw(vb3~hKe^w$_0GsFgK-M3rYpx@ z9Ezsw^e;1FhwAo*=M+MiL(mI3l+IR~Zc#C?^X_ULYiCN;%u7p$U8a;~GDG!zdgSd4 zoVdZ%=7`ImNd*(y&reM1|wzvP>CdXYjaRQ1`*QSj*T-0#2+<5OX!sc)=G z%f35KTdo&S*L(A+?0B~IsvWDIfd4Yn=FU+{1T?p6frZ1sjeJNDlZyNBaU*9@>REIE z){<7;f4SG)M^iTQgU)Co9K?mF#bYb?eeOl4>yweS&8uo9Uy1iy=h9WPbU)YmbWf%6I_4>)u{SdIf!LjAaYG^_U5;j2 z6MTdXJ0z{R+tWtfhh8o!lTVkLAg?Xz6PBH7=Pf134}}{M5jb%WnQ5r0$VE6_94Nx< zFmAV8C&k=(qk6PZnE@GNU1Ul1;FG%{e0(H$G_(BVyIDnMNGHDwevK-$9<`#z9{z)S zpDc1Pp>~yK2dIFUYQ>&iba|i0Cn%rW4LLzQzof}*CUwp|e!sJi1X%R<0Agwp1&FMk zw`t<`%5v->H(eaF^1Zm1b*(KA_KUlPj^Gu7^9gCa%YG$qy|a zP#0tr_eVy?zj_SRivHX$k=(x1mZ@#kU2tpdSagh&ruZwct0Pei|!mbBEtLJ}h3x)g? zFKev-b5?SS5tX%3^p3Gp%*e{3wzFPw^7m|k|F5aDg!_JNck2v)VSIcf=T&r;(qbAy z?7mjzuRn-S(qCTPWp<8j*^Ie%&Ndb$dWVPg*uupG9W>wvq&L08*X^JJp51*iEKNS8 zm-D1J3Yl~`B&0yP>sOwYrc;)#O0{3NqSAsk9JQ)3oI(Mlt&)=S3Vf^x=O5vCVpKwz zkD(L5IT61^0+EP15_~#^&J!!^v6Jfd=;h{f!-23L6l6OPD!h~64^IsB`2u&YrBgeV z7T7}g;a;}@wnQcQG2q5y=T3~EmoR0};m2|Zr$5J>eW>5ZGe~JZY>=*9JO%VU-DfcNUqoEA&RDv*+ z7-$=5+=VgcIE91TySM0$P^lUY!+LlUFEbGwN>-Scx~AN!pO24*!h9y-%t zspenQ+RAse`Q}H(pixm$1DYkLAYsAPk>0K9XmVRUR!gP`vY$vbzu7}z8PEFI z@LKXf?=+_Fo*wBsrOgFJ+||T$i1qVn-ALk=JU;ZxNDF3!rIczxpn=6-X4R|b%ZLtl zc_%XsQO=1f)!{B3&o~mhJKtvLsi^(pLuEV)d52f>J@A%!{1VhyVx`x?kChH}pn6QZ zbRKo9ri(JImldL^;k)kr(Yr$Df(^D}xr&Jwl|n%buy(U0lW!s;4i3&kOU}We|E3=U zhxr)qoGFQ}7bJM4(K-~>_wT0DQ)P2{W7LC5xI!u}#dK1+yvK^1XPG|Q(G;&3d;JX> zuCiWdN!%y9HamP_yR~mGRH}++fN2|Y5NgvpG!GE&;emFQr5?AH%kDpJ*Lu)r8&ACc zm0h)YR4Q|JcSCr?mDg$ax{YaRCq6bu%VsP>e)&hsAb#=aW$ry8k+k4rDKyz03Q)e~tO56CIWU;9C4o*5ecQdn~YU#%1A}_gm0YfJ(QY5dQV~s?5*T;pqqNq?|;!Y6fw>{8Ej*d^RyZIQ0BR_GNnd zI6sZksw6E@P0e&XT~aF_Pi1@OdLaTx1V!Ex8&4L14tfnjb9L_35xc=V(Mfc(W<&nn z5J-;M{ib({)&=MdzjAS1A93FO!+$o?4zj=O+eytF`}_aJQRbkM23$yt3FU}dDkJMB zFWuY2v;okG>2nQpA?wodkpx`ylYw1VUNDWF>6q2oelf8k6j}HMX!4_X+Yv0u6X_~2 zR}ez`5osU$PpJ$=rd^|A8L9yQ^rWv)fgS^a0NrtOk~$!9;f9Q`#F8A)-qeL!yV~GrkGW>1g3oZWqf4 ztlryv5+b1OhaC!~8o=>K>+k?7Iyhkuws&wSG*hXt`+?lSq&?`u4)H_rlqFLK&wLXR z5}}cRq9;S2n^_to42zppns5j$X3A?WqQJnu4`1|*9!I$UC9Gk%pMdb9Qa4`yZ{SMJ z_uq&&HC(nF<6-x%T2P%gA(IMsKze9BQ(LyeZq`z-@i+N&C5ccEJCdveV1U$fhngbG zEni`yNjEFK`D>TLaB_{fnQQN}S0)Di{hc+fdYLA;$(u{fn7SiqoTY}TVq#_tr+Vz6 zT3`5LtxI0IBbzpRe1vJ{8A}N@&J8w0E^s@goCgV&2yzU3HtqWU(;;p6K}Zk&dgd{W z?wD|i`Hwxgz1-yBrt?RZzDh9rG-Ftpd!ZffGL#?o_iK62Vc2_6=KV0!LqK{386C zGEO^+);6a7=y`b;)C@VqlDcoj{0bH&tDFM^gsOVb2iE^(KCo#?>aL?Q!u*L0o1l?% zwbQKVJh>nVg%VcliIkxE&$4g9Ms0B#HIk#in>Jo5j-LG0w*6vlgDps~VtyhzEg_BC zzw5r?bXvh<;9KYST}`y$&%Tx71MN01g{)x2$4cXDvW;-Hbz=T5gEa=v1NA3yE?A8~ zv#E%mF|QVlbzECmdMfFllKoxgrYwk9rb5{dcRj-n!;h8G#ke%xO&W zT@NwnXGy69je8H}K*rCNzq{&``cI~EI|B~o*?Ez^l0LpdeLwiBVsaOlps^dFt36!o zF^zJ|v}N|)y~jEWcVl0`Xrf)?;wUz(E1^~=y0bd2vb-Pxd6pf+)9_L)wKd^@BW&kn zp>M%z`1*~s6GGcp@!v;0PMhuWrUUyBh>TW2Lxgf-3W9rL>JV!}*>kVI9%EcO7uJQh zsg^^+TgXXO+$|yZ=kE7G9fWfb{5&WKcQu_l?IqC}VyE~N`+T`W*?N{t=H!_zT=!i4 ziT$AnL`B8*=V>hv{+Pe-Q>qOWdT40KD5CKO7flY#Sy?4ED@_0aDe+1( z&uu8sS7#G+KcuECXw|+{?6*qnp3!9>zBZBBzWZ_9fsm1q$1X8N-*=s6#_%~9J365& zT@nB45m$d?visTW_^wYD3Qr2R5u=zq2P0pt+RrKo@t#|acir9BPu|D|Ny`GEu@efQ zpP&ZR+w8BBU_PNkc8>LvF4fcR?nB0ky&O<}5HGSWYB8{!%E`jQdm>~vxx{mmd$?;4 zXNMY(L7^s>QHykOH9wAk*FB+5g+|x}H#{S!BCnh$kE?X+dmYZN%$VuwOUao6?n4nQ z-TU_P#xb9Ypz`1kvGL`9HA4;> zemmQJqjg4|V@qPg>&aHD+bz@ojSJ)V+91D$Pd_agvPplRn;pZ==SA3vrq<5}jnFhF zx>K10Zj|vIs^O^L;S}zRRSG8gpkwT1&g3_4+@G(k11*eOW6{dGiN6>glr44wM4>t7 z{rA}zbB3^D3QwfPKkue;Mdt8;kQLo`#jRs0XOdS3R*q;YH%jBBHJ4?HW>5=Z z@Zedr-?~Jy!+w+=lZAmp;=G)YCZ)-qV#`YnzuMp%s@>cLgBj(N?c($&i|dfKtjeAfYI{LsiWiAbzw9-r;Tut1ABhHVXXCQVV9xc~!~ zqVTg@r69jv^CVO6Gl4E91=EB&dDJVppM7*_Mo%><(tVnRfzlz5+Vwsz7ET_1@ZHdr z{cC(9u<(UmHtT;npzLjBX2PQ2b5DWlFPNdoP0qBtlYU2o5jQOp|=S;vKVN> z2iJ&WfZZ&m8(V>qH#Og)sM+b4b}^?s2eo5W;% za)&|v3~80~t(sP7dYo_eGdPbg_jD>gjbDy2cm7lK~#Xn>ETPTDz)J^&d{c%SmMqXou#JP?&K}mCs961VP zxP);l+Ru@f0D}yW6v99vx((k}Pn!haf;nJH6e&}tIavhy{sqzvVZU5l)A`h%?Hl;3r5K0Fnp-a>l` zry8yz{!%tyzPs)&gHpFdS{}8W-ZWY0WW)o-d=B!Cz0;`fT%#5u z8N3%qu7e2V${~*FM`md^trgWa(>APeKYZS9&D5`AG<7y)>{=~rTKW73b=^m2Oh*gl z!~=ij^Q2ZkcE4}SvWU+rA?qAxoACv5#)RVqNT!(VSk28ZQ?NmP>=tM@?lYg4U;dv5t)w#(1cjXli2hXuCn z8dracjTP%_Bs=!UGe)8o^~*0}p3$Q>P?!Od{qhTAF3K?;6$TP#>*fB%YkmivX3z}R z*&-=xjoUiEC%91aCDQhfRKLJC9Uo@z*FPzy`DV2OUwhi@Iz4Op2Wg0=b_Zn>_R6c@ z4o<$#js-RwfpEtI-AVDEjy%$ewDxUk!#&*m9f*0kZKg3=#4Os^(I zQe2P@HvhLp3oWFOCUv-=aRAM?;|6<+V?=KG0m`J6fiOg|TYVv75(&5!DLi8RL2x(s zr5Wf{+qY`uPyp)4w}2)w?BFC9>tlj331)Rh+Pg51lN$lV=rqr1^i0I?3w)e6W0ik& zhhh6={U$` zDA(V=9r%OMF~S4$Wg?nOx!K~x14ceK^?~9>UIZID zXZ$w?<|oVGGtb^=ur1*j>~+(ky6mcAV%WW+7S*ny=XXg(Z26*hbp~~Fa-mU4G-8B={%T*?Be-W}!HnUqm4Na<* z>eEtSlTe3wI{HzU@I(a(m6Z+uESBsb>ZI%TTCviC_-q}x*Eq-+twHB4nk)1yqKCat zzlbP!QO0G>a>nwa`5kK0xo5Q6dHk71$6w{w*~dgj;apQbxVjKdRCF#%eYix1F);aM zM^#$)oWWM-xZ$EU$hB&Fxg(bx#bYaMFuDfc#>HgAmJ&jfMW?9To!XcFiAAj_vSWP| zuTYLn-D(JVQDiqJzixN5*>u!sTo31)NSFudF7eN?=~LHso(gWTvDLz~g1yAOwb^Hf z3n5b^pNBmJJ$rtA&y42p3A{6%XJpXj4v1MMF8t6 z|24~*=P}_T+e;OryhqcpySWpmpA8RBpUffwCuXmt<|LuQF2Wt7M5n zdN$>xZzpJmf>7Q9;^o=ougF&=#Z@n~{D#)1jl-lxJuNrIG&)mfisE_ncyLqXT49IV zuGOp#Dh9RAYcLv7YWV-gP@|I$5xOZ+c-|WP&F%TJH`0}ovDheNX-U0`CXD-68+Bg6 zizU))*(9UYY)TY=sylnx3b0yJd;-jAam>u09OQ5Nv&OA>;wRPp8XcyY%!1Ct^KZ~l zr57nSOcO&4eRbxQlP$(Xok)!?>=L*7!oPd+VZ4O}6|?#$*7QZ&4)+@e{^#fJHxf;PDy$hA}bG`e*;rU&{xvTsQ=op8G-M7eoQx`IAR z_DdjuY*4a`R{M=Xvn0jYMcF~OK{X%hwjD=jwyC$bI{o%5mh03-1h_2MzP-8~)A5U3 zT+qkPil%>FoJ2#!wn2_?T`W@{EjgcIbQXEzmx^@-_-5Y9ytiF#U^6DA625v!poS%G zTIrNHvpQU8!LW&XI_Gs@*kq9MS8X;a*B;+n(k#{+{a^HOVi&62j2-=7v)i?QXqtO4j=unbh2ktp0 z^dWL68ZeYq}!R*U7E+x z(70X2G6!rud?3CNs;$G%C4er;UpleRT@oS?i%>R*G;m-^TJ|G!goe>W@PRM?WchO? zHle*Vx+{*1E#nV|<~|c>w%#vOxvavrQ*$%+c)~!h z&i%PK_s>o7nlIMCPrk!2aVHKO+h_BP@Ut$~vo zao*%$kq~nng0A<&j`W~Ozqf3001C)OU|meLe%$fVr6{INhU3IDji;>nnDNX7MIEG} z_^Pu2wVB*Ab>3mJ2neaWS>1IBfp}6MjZm~~Fxy?1i5mN?)9olqB|CQRWcp_xSqR?R zY@Qfc)U-#Pt76+SmBBlC?AN!5RK|mD^}jAZk59OR^xTB$&5BOr@mXG0JH8l<&u1_= zUSY-XhF4mTYjmnCu$f$z&(gi!eOpZ)Pm;pk$PuvId_pMQ$jjdpUK`0eBQ)Izos{3t z`sl11eAFRu->EL!w+v%s7;T4$5H43z_R?(GdU2|2!5xovxy`S37fe)ffK&>*V|vadps$;^8$X;HG&u=^ioWtq^NASaLMCIe&$c@SuS z{PuEe?GIYmrrfU7@7Bu#-u}$C1@s)xms{7ZNFByJl3qmmDeq5$42}`KLX0|AbzQwvR$tbQ0*CeV(`OS1j{hac$fV5b!e<%CxQH6 zJcH#8Unr#Sv8f223|6wUv-P1&q1$FwVfd}L2t@d~}pKd0|+jYd4hR8s%As3aiDvhs))v81~hsifL>oz5H@PKa-(meGlGFUvyWlGU1`?T5`Z(~pNqAx3r3>#pKZhLIHX!S3=|o*~Bu zzw&$y_c%ND{(Z8n+Dy-{?2DQu=0KS41|0I<@AjLHRO|jG8z@D!O`H#fh@UXPyaHpS zpHIo!(YX`=l+u}-dYPLcQst&f@TA-8(3@P_8kJsctgva666w^69_Bf55)T}XA)@WG8PV-ijo8%?kpl<^#1j(#%hh% zU|#UpaL_pmnUQLCY=rNx|FNJ^ah52Gr$C<}d~8P*UPwU0wdxYrgsW@Z9y>4MPZmDg zb)QAZKl8F+&PkCab2>h(kn(BMmoWqPrAnE&!)@!a{sOXvu{v}f6V?n_tfq7v;qic^ z@w)P7QZh}Rg=z>J4v4uRU}M`#9rx(lWJ;SoX-9HUkhreicYOgL{w|_(uh6Ev7V%sL zRWlcoj$PpsiNmhWPCOlYQqi2V6|?85nsz!S=NCv(*&b6;80{2Xe`-F#X=z070r@4> zDfE{YtyZHGv8w2Uu9`Nrb4*I1B@xvi@HT&G>NY00ZIpo}iakxOh;fbH-LFNBLwg}% zsiJ#VjB4A}j)*~P$%+`a_B*{~9_Q20&C#ss=~C?gv#$Mi$WhdypQbKV)Q#r-^6~@i z$04bR6MD|C&<&0$CLj#=2os!jo~W?2xUJL$sv`j6wN2^k62 zIh8~pt+KDB(9mqDoYGRI-(^J2(nxI}A<1xig3v?M!Hho?_?a18lXCg@#Lo>=sMyay zOF^=)1`TwY`g)z<+_go8jSOZ-s^x7msx<=xk)5f;`eEr#H=cl;_-m(2wkr+EC)J%R zF5|B|%ARjQF$$f$;T{xOej41?8tVo}%R4Tuf1j@v?xFXH$J#?HfIZR44>F(JMcUU= znGslZwb;(pIexVy#MGkpe>IzWn4buUPYKqqu}^3d%8RXK@6!S>pz^whLU*p zYSwaWcUHo2`xG_p)d{B@dfs&rz3KQrT-BRFgB^)#O7R=G`ZjG{FX!Hm=TE@Xt-dmm zhu@v5bg{_b8q}b~;-kigKe%sb$F7S1S?9YjE#}L9{PLNRh46SQB5T%p8^Ue2n4fGm zKWq`dnz5i^k?ceJ)qe1S{=c>eOw8Xez%|4VIOV{;j<=rzqJ5zNnV5=2n|u4N+hlhD z-BPG&Oa@VpWXIp9&7Lj89a}|0((TTdriw-2tEYQTV8hurBKndT<3HcDp|vaXl_{wO)C zX>&)hT&twY2XLVkf?!OPK<=HOaTpNMVUWQuKU>|ZKO_gg&K~eWnf*4_pm7%cBz5wv zPOi$sg$5F=wnSgO_qBrJdGjz-tmtNl(F*J7ZkCR=imNKkKT*}L!Vnhv^0zz_kh11q zR}Oisr#M0)oxPJdFGm|1*$D}E~WtBH;k z<^w4Ex3EgRPfKUEPe&W}b?5oC@Y&z;aj87}tds$wy(;jFUy}yXF_oKng@}5RYe25@ zOM%v>3YNt~`vmM3Vjhz2>bcJD_MA<(%he&tTP zq@OPV(cVK(_@VIMcR3CIzAG)Gf?u_P9_JTqkVm?Hel21ktIynU@zeAdn=6Tf{)%;) zi-_|3XL?X7CsSIr06~=d8wpOSLTpZB*besW1w)9dEK-r>DtY)AhRV z>cWlBnqQe3 z)|;D~H!~oUZxD$+?qU0)CjW;1 zqg}@OuUoX?GHIKzqr;!THQTqm5?HR6B^~)0&dJw#xf<2TeLp*?Zr5IESkT4zn&oep zSRtze%Gr3iUuWV<976OoSdxe*SX!8(-bV92#9Xcv!Kv8;LQ76T9y%4%w}!FQjB>80Lu0fB#K6SN@E?4K5g)c3CE{}nDH z`T*1N*q0$nYrBO9seoJ>_C+p0(B%5BIkrn->}{+*-2)9_zOOPo>C!Q2H_S=G9c?T$ zm`MV28nPb_pno&n@fd;okyW{VP`g{Exv4;r5YZWputbuiR=XQh8ni0}W$vC{Xy)d3 zd6$1Xy6y)TLkaH(XxHCPe!pSD zS%W2<^PbP)Xcylf;X{MUOJy8v4Lu8Cd?!q8?oUN$$>ZqDBS?w{ytCZTQ#7 zxg`2k?w~#b=Vj7@T%mQ4#4EnT6KbZJr+32zI@9qTiL+CF19u6bs^DY0$mA5Xh+`+<{ zO4YeUGdQ;4ePdKz8&A#c(@ zVA7dOv{y>9PqBY5dLcJ+|4TZ(Qf8Q^<@mXD$)!VZ(DS;;NG~R>lUw2j)x4-^G<1`C zB!B1rqop5Ob=dT&);N`RbN;9l0+|9PFT2mi+=nVLfLedYGZ6i=pvTG3bwm{jw~wep;RB7US?z z(ys3Sl8$mmg$gu{x?j^&BvsUEnSY+tDHq&-fP?g5N3GgcaBw`7mH}yiFw3WklkZbD zk02YUmYgE%Sgc$3{c44gwYE*hhtgIcx!(58#mfT?BK!84-hIlL=Nq5D(LXRHgeH?p zov<-^>Nk$^wXlbVTNTK18@GY$EbA=8WWrlnwyA4Elsqxft-|a!;%BwlN)MpB`?jXQ zcGYA7NPxpkv-t>xqzdg;?#AUXe3ts;1gsnQrC0QPD)H~YQ#hZ4&X|{ZC`iIQPzH__ z#o@s9_?wnmGCQTw=&^zoV+)rD}6Z@6`~=+NYQ^XP~` zHIyEUjS+d}jr~(uQ_hm@mgd#DsLCk(xJ%(o;l2zpX}!&Cj3-)Aahh!&`b1+g90keB zNKQNHOo7jOCf!!dX44&rA~tWbP@EM>b#g&Dc@K*yS6`&aML{IIu_ybFjib0}Eb{9U zS?(7uD!&VUe7=(0hB6?{Xfktxu%-?fsEI1A5_DZLBF&^B0wC)nZdzqhL{{I{71!zD zwBH!}MQFkn@OO~NdH=9!zOB*L@+Y(vg?fcK`Cs%B3Or(g?@~(7=Tov$vV@d27i%zt zILuy{p@}v#;AqpC_AqX?mq}r-jpEZ%U*Gd-v-{?KfXSKp=q<>Ogi(=zhZ`&(2sQM! z#66!fr=KdSrN;@J-a6egUgJr(EA=|1_3#Rpt57f!zMtnBnwbnn6JK5Cd*UB{P~p)9 z0D#8{EElc*B_>wX>k@IHAwqx6b3|g-xq_e-)puu+qndi&63Hz3hR58P7n>5HvMVG$ z&A({&;=*|J>mk0E(=?tD4*zt`{L|#kn}@_pzJd8;6aK$?dvos5P}<(gd9WRuRo|}l zE^4+m-0@Fbt+lhma8)>1S8m@``99qxK??`vw6)U(`L^k*afO+XqoHkg2XZ{n*LxTg zQ%GJ;Us%g%vU$#^byH}!J4qIWcAP#Hx9L@dnu&vDP5$B{7Qh(_V8lC#tLTGSZ zqp?4(T$$AEZX-t%BXZ9L0Ry6i7YvP0b_((VFuF)CeE--gGtg_rn{tC-!G`vOlEkm6+*;ALOG88+q7uj^rIgy zWE_*cbhT+X;W~LZg>D%OC%QiR*Da72g`OLY#a_dc>o6yY z$J{m-_D5Ew?yCDR_C{6uiHHWK?yitU@VFH0*=6`^3wad|j_v9qZ*q^Sq$Q_0Q;BfT2)1Y8` zDiivwn@y6*xQBF4VX*v^&V{yy^@?(Q8OYy$k&CAe39r6VIEqg(17xXRCuWSDT(CzCGI0XI6FS)=zTX`v%!?pZyR}G~?&u!UvyL zT8eQ$Uw6__DRLZpUZ9fAK51p4n+G@C3d^pPB!ig()3 z_ivRGy_Bl&8RFThfA);rRx$i53eqI*ticx^^q|Qe#lL|nfM?_yFT8!bzD8*8iJo6@ zizc1V=RLOe2nf)MOz?JdT+U0Ed8w|{FoY-iH120JtG)H)3vgMwYg9)$Te36PsIw+* z{Q8T|%N^FshDS|~*Hrs%a_~N@-VWV7ZXmlEYz zfm|kT-eY@^&0O*6U46MJd9)Pici%4Qw=CTy*+_RW7Vt@ud5FM`L&F7DAo@4pui*Lcf%9S4 z!1HE%ce%P;>BfB;=3I2Ezbz_Xse37TY~gg$Cw(pEQb?uNZt0 zKapIpJ5Ov5#5Sr1F%i~_x@xzXz--Uloy0{1R>(Wt5L%>*lh%z%V^>p~5^4P_Z^B-Y zYE=NHe3(2>-;8j{MmYwAos;RNK~)`TYBR@P`rEr_CMzPwf21SKDVbF{A}jQPW{iuS zwbulqSTNnGRx#xR2@!@p<+YpScWC#^YSg%{@ai;!=d@RmFgV6 z8K%<~B8Up1)6mRra#!|q@LTC}Ijeh{iwq4?LuuOHc%gVaN1o?OG(eh`&K5y@c^Vbs z7!IsGtgYh#filspPVbB)%5cQmw<2rxL9PXZhPn_#_ zHMCMq9{YHwN#T7qexIwT1U=BGWksHaL!Rth2bk1%F5-UGGUpjCEiLCc5CZqWlHpFX z5^SUwa+6-YOeeOp16+&S9s>fek1{KJV}40q zt3wQ99r2H?onjM%At}hd=g4_XV9Rm?UH*k)Jsfr-I0nmZkOX-Tj(jiBI|b~c4__lL zhq%97yj+eY{l$RT9j&SUz7~dYYcuS$hu7DRa2jl!`n)Zmz?iJmBFx!2&U!GxA})!p;Q0 zscM|p8tR&KM`S6H)qpU&#UL&!UnH`mk}^m73SwETSG`rFYGKYkqx=2=c(zZ@)6O zHX<(q;^-c&&nEoDz498quhDHRCQK+@6J zVCA;Kg`DYW;;O2J`Pmrrn5e6-wdMr*?kKexu;UNdNwW(?bNrw)%(P5M^C{`aZ$R;e zqy!MXM>;JaFM}pFPG<8Xd~tCbwFqA?GxU3u#s+}YAUIM#ZFT60w*A?ExH6cO2dCR%(?ev3=5v!0?D-C;S6B5lx-1bNBBE z_s>Vl7N!h;c(^DpC=cD0%&P}eUSDL$CuwkMG!Lljc7FoKKTheJFfrTMpK4(-XNKoH zy92YrA*WMo8&TLh^RT{K$VZS(TWB z`O#HdDl;IERGT*aD{@L#Uck(2kO4LkVSi`ER+kgAk*w`K+^;n{YXiT`zB^%$(Lx096OT>QqHgm0-Ui`Ho zR&Pht5-rZDCJQ^BJ36J+Dp(6_Zg3`+J*XZXA}6QnjlVHr_gD2$)Ai;vTc>o0IQoK8 z6d>frF^V8FgeaqS>5qV@t&OPqz({kDv+^ILw|=xNDaZ0l&^&YJjN>0EN2jjkg)LP% zlXd6F$2;$rvA;#+KjWGpPn=uI&jMfj-r7=2TW%24>^8mw&tF*>nrs&LAYb|xDF&^B zDk%npu{EN`0-tb%$cEkz$$=??mg1^Fc-Od9jm(53s)*<31%cT@RCz?Shnc3B?~r+L zw@=Q^y@B%~cn&Sl9rqNm&1}hSI@Y#__Z;88dzk3<`cI<$rlPezu{pYp`vq`tNi+$n z1&kp^L08yN-c$(SNl+iG81hkiXOuidO`2ivo78i9ZY>Y^;c##CvYHAIbJ-A)1w!>> zEpf5jiVoD^!y&Pa;u3PxTX*?=$raTWDP|F~gyY}-2v1bBBxOgrX!KoKu}uG!k2R%x zF4#jiBflMCk1{$ldeQq{Jjf&ILB6{e@ z$lPtW1a!R%XLcazbQSC2Uo!q^uhMg|s0&q?c`dgG>v~w$$DY31OzIfVQ6V&A0GrD9 zT7w(T7U^2#IRZ~DBT!5*QkZdxyjcnOb z#W1IIGw&ZA8*o?@@&*lY!oW1H?JRRIZ!6F%pn2SAikBZ#CiwdJAIMS)pj7Hkm-TUx z*`7eCdAv)8y=g994Ff~o;a?Gk9HL93KdQ9BNQW^qIj@WryJuaI0jPd~%oJl|PJz8Z z5>;~V$OP7RIQfEjo(In&cGUb{RrrZ`=@<^lmfj0~0=uBd`(dpb?zoX-e=_F*_ry1& zQxD&N*%Lvum8-hk$*^jkbxD+e{Dz5v4hbL~eLi|0i{Dz=5nxYNj+WsnaXs7F8{4TT zm7#5Faf0U9gQFx#%+xi?yyqd9>g0Z(Gz<8+IoR9sv=*M=nN^QJYf@^>*_JI%01naRIox zpx)E6Luv&b_ZOrQr6f5d;wQJ@&u7!71k+yJcEm>hk#p-1VvLAp5k9z2ccF&)0%%MyXt__o zDvo57l)^P|J@LRhu$5^0812B7`&&#rvKQStR7D68`R!r^_--wg)AI9uKF!({cQ|IO&?n)d;3k4T+UsGA0hsGzoVnXfB2r ztZpIjzh4o*qjdpZhS}oM^w1haX<>PuN`YThwZ2^Cfu5<;I_`V4RthSHO`Ji5bs3TA zvq>IL3i6CRsxtM~FlBA-5Jh%alP6X^-&&yJ3woaRl&;F+L%DcVc7(*-6(S04%v z7xf9dQT+V!WU<`MzLVBttZHor4d9dD7iDmr-|givmlia8mdGqZ>O787K^#ZMPfb4O zpAT?kJ*iI@L?B*NKBwW-kX^}|Md{R=nsetqCt6Y=`J*9x@OoFXB&u&~<$D1@7~tD{ zFE{`dWE&vONtzRPYnts+c(Bw;KgN!|L59BM_-I!R&!+{Vb2lR(%Tf(^JEK+joTq)p zvy)4x&$@pGNXJdr8Vk99c&M!o_v8Fs#ie#&c-!iQ=>-xHbpB_3M!xUC(2a?```A6v zJDsFhI+&37(O-;@R=H-te%9jwo8MYo4)O}+m)pBg$6*|^-5G$1L3^KDpNSG-VNhLp z`8Myq*0kl{DR(%c!>PRKN6>BuvSSsNT@J6@9d>RTn8n>05BOm0G2P9dvD);IQz)Rz zYihY~psH2G^jrx)970=kvZ{z8Y`_cRZ`!NxNjtod%aXX@>z2oGDs;1ny;H}J!UGfV zJxGrW(~)#Z`Apwc|0Ts`?bPtTq6&g>8)5SPMsiMaKG=9KU#lB}ZzF@ryZ>HH z+gABe-I7*Rb|T0qz-TwLg+qn?qS$lw?w;zEdbG@NmYD23am0TNi3!;g$btZeQ^h1X zjg6%nT?}JsPJb`V0jS1LX8B%_k*+_lz^-^VIr=-lPwxmB%fh}eqJ}i@H94}%TRsc) zoGT>Ky|9IymO@$4)gxeoY=_ozGR#Bl%QXJ&>VK{>&@<5WY4tAIyB349$h(^$=Jf5} z5jxv#S^4U|{A+g^d3RBm@oLi$7Vkfo&k^D$IdE`R@0^EL6E?|sEC()Esl0GdStC^& z8cx+g;K6#R^Ir5|!vx`Sc)K+5t+R1Kr)CwTTySfG7at}OZcO~0Xpl$6X@|dP5h4!@ z^6vlAvk_^2;Sk@~n4|>qGiPIPUF^KNk-pG&Z#YFXr*4>dvLM;Iv~xQcIG`2?v1gS% z?ssw}_p!9D{@_9FTPmVjPe8HC3tm1#F3Ud{Ho5?Wr_Qvhr1Ivz@yP)Ev1<0|0_l3N z^;I2Qk3A9)H5I-5xg;=d7YUnyso-{|1Om2UU=tptn7ibkgr70*2c?D^gmg0fjS1V8 zBipa8Wybrh%6khMm0n!jcT7>kAZKySMFS#TRzjK3;-%8HY%OylzJ9Z22l<2nK@{~; z{tujNr*7e*m^g_{9N{fNw}_N7w<4mj!6TV~Nn!h!^h?4a;Rc@xxsl@8cfYydFRCAX zY;DBf2BHfyijM7O94-ixwK4`pa+6z|QyLkwZG}7-Hy|ek52a;p$QP+lO(^i}Q!)SP z>Q2v#hs?nuAKBuLesq{LTBQZl>OahJcwEIV{~d3nrgHPQZgw30C``j+f<`aNy^Q_9 zmX{7p?IFBbLIoXQuM#VMr(O*|sCKC>d|$$(#6=sg!uA@qJl;|xCZH^7%oa~q=g0MC zNdU0Y!+ak%or{3SBR0h*r)OL2aAq;?FW19x`Cxqej0%z}N zosUgd1JACUS>?puwMzZ=%=FI}<0!gSU(aC=xYo-h7)Wfm5s`@(G@53~CnJej(}o;! z4ErH`#b;h}2fvD%5_;6a6&ZcDXp6!$j;y6z=JD3>&#KsT({fa!baQ!^F_2_lfDN8s ztI^7B3kgFA@&52mRvLo2-yl(*1lV>viOCJ8?L++5)Am**U$LCXU4$t7HCLuu4l{Fi zF=7m0l(d6i854GuD~kx|ln+eiCoGX3kV2OL1B2j$;c-3qN;DUBm=1t5KB-$Z@JKyt zI5bLq7J#jT=W|S=wsP^`sYs@!{O+wgCJx>VOrqFo3ZU92>bfP;c@+B8*E}Ox3&{ zovYECQr%Di%<#~nzZ=Am(L($fxfNd}gD@%kWf^8~h!ln0ePj{odE{swA0u-RuFgB{ zRDH2=#zn85A|(pK9W^|;e-Yw=KiaTg9Wu1<==`MMZo-<|aywD5;$8YY2F}=|&=Oe! zLk8Lp3Q^@cU!(oZL=#%Dv*h)I$DUdFVeT)|IT64F-wUBU%XAGC0$p@ZA7$>Dwsdem zW^fHr+ztL4VFmG1Cn&Y_>ttz!0dP%DVV*v_0`i=2kp=loLOIHS2gTvlZMkvITqZMI zs_r-Wn-uTTibLc%L?6z&5CbyCnly&dWXjz^-Zo+*=XYE>E)Y%_zAmsL6rG(3^4CWT zmXasH{+-VAM*9|IxQ~ASK{w>+z6jrzjC%OQrDEz|ZsYK28{rTzZvqmbQ30BO2~zdX}k7-Ad%u9F7E> z8xH8~y@H-OF1$cth(Wn>s&Jj5?3fdv78vI_J`db!8q^eLLw?fCU-Q z*BRj^zH&k-Ok&o(LsCIV?wz_V;Ud?J_L!kmF@b=!?|TJ?*fwP=U{>tD-QV!#zAKe!(g!(Y&?dHTh1#K_!jEQn z-NtOfHjOThez3z1mPSluf-W^jGBfi4%?ZDl!dwH&@c07-I6XWjtvkuj^PoUjT+h6% zyM%egGT{$gBrqJRn;fTx!}f(O%-o~_qJ{p(wrR_0DNO z;S`x^Q{-fNX&kJiQu)^2&tXnyW5D)Ze)>BR`vsL^{d3vfue%$jDlS>xGrsRP$LIx? zMw825hLkkr3h?$4G^AbxTlayJ1O2uRHw=74Oht&a5MM=BeA+PTPiEa9`P+bkrANh? zFLfpm6KE-rlOf?Xsj)JCY*`+h{qDlr@ceixcRjM1o?$Q5HcKPf%x{B6qKk@SFYu(f z8UVjWu$5!2Y$dnEg5OV4xi?W^ls=@pm=PI3&PC!E{e4Cp7jV~%OfD$*EWlfxRc15% z&Whi1C?Nl?HDI7X-?_0%jZvV)d7ujNbEpOgZr|br?28|jLM`grPG}b0u-kX-H@=@? znXGIaw(AWyM@2YGdL%P6fgFk9eLMEy+1zA|W;Ns1$KmKh1Dv>RU=sJPZ)rl(E9l;} zj*Ik#QwP7<%0v{~o}ZH+en^jL43j0hnyo-%3r;j^wteZ!QmZ%P)f`yllkuYY#uw>7 z-E?&W{Vt|s-}wenIq|Fc3o)s27yJ7IBp z;Pw(WAOdCPJ3C(a7DAAd*-k{fpz6tiP+g61IpkW#ZO+REwozS+yptzQ78d#*uJUnm zQy00YLbZ(U?15Mz+fH(wOm2>NK^naFhHmN^irS#^bv_r`g^0XNM~sjNm7Tk z?HuRE?{vz54l-;JjSBU0D*5`40>?b5Qd{5DlL#Io^9OxBJO z5Z>Rynm)3}Wv&rA=uq+gex6sZEoVumOCJ=AO4V1lIN{l@n)y8dr@*ad=7Jt9_}M|PBzxvf z`E5O;-X$n3AuFnn;w9HUIo)Wl&{UEk@i0Kz{os!tvO$KpCJ!GUCn&V1+P28<=(e1c z-7R6l2)8X$VF!-}R3od>!v%QdSTFwr8}ZNDm0ED0N)P|_|KHh0<*!$%m+4@g$kUYg z`*Ktp2Wy1NEP}dR+VR++Bc9Nq&0tVuL@5#9jM0G#L1O|<>9IH26QgUHuvQbf*+3%A zq{u+cl;^LnLH0xIvS`M$tf)wp-cA8bSHR4&;-heHzOZ{qzrz?nZH(TEP_&g-cPOX) zO2fYIQ|f5Tl6y zgthx=yXP;V(duEAM%=@p%x8bOBG)}eKmyd9^QhpfG^iT>~FjsL)TWRMts^ z439wY^7b~dPfw{tkJ@v_ei&fE?N*dC%t0~g-B%)9u*9>5r5LT|-uqmPFCg+XkIj7l z3U^8$XIW5_0==8|Rvg1knI>!bSi*e32MeATBE1El=Ihl!=T32}AbD}zj*Q@rD8zoo z=1q1@*B`X~Vc`7XNxtD>QeHt;W^z_a4HrnR)<2EBoqpWsu)}_oU|6&^rn=#=#}a4O zcCLT7F2e2E@NA4cw?-75w;+75i1>B)eZ?~j+IFE8h4$Y`^q#Tr8%MYz?ofGn>!*k&Z-Lj7T%ST)n zxQKWNr*91|clWWm+8RHm_Lk^5+uzPaHUqhmrnD!?;qffmQ=p2yV1>9{T!I-b@>s&I zHs|_e`5hRs{q{W>D6(^O$8@(E2QO3kwj|WiV-u*{=RQa=#GF`UC=;M^yD_AeMbT{@ zOv0PxYG$bLa5@`oozZ=>-&O0pd&5Ie|Do0z?4t9Rf#zyYFYGmvU=x-b62gTXmY7|Z zfB12qA859~B^bEd;t@hv5F%G40yYM+4Ky$F>sOI?f#n^74>x{Hh|eD)V0q?d0h#K) z?BWh2^-cggC6ri6TQE)9iIF|DZxCQ7)oq^)I+jP1vIss|Q&X)VO$zYpu&XAIvhHyK zMeG&dx&0xj#PWn7tlAu1%gGV+*?a?b3B@Ph^f0hM`&^`Tdtk|NVZUiAU;BJ7*{}PY z?)u&if3JD?!s(V&>v?0*>#5$XR=<47Zu5jar`g(S8{ zwDLtF$bd1a0Wo^=EsPW&=qCPFKk{EGL#G?mWV|IhclG4o#gukx&j*wk16or|oRy#> z{AT2Q-=0w#^kN9X^DH?JUlKvEn@Q0kOB!w5fLTt2tbF&V5Q+!+ghemCo>=?KzE#Kg zv(cKI;Be+P4bAS7)#7)E8@?irg$v!40nBv6aGrPaxgirL0F3zE5_B*~o>=QM;tm-9BpvAN%z$W)nzTzljfl_S5Y_*p!s4)Rv^CD;ht> zY!qgUGXQ0e?PrcW&xfQp5FU5(`jX3>vin-~i%TzRXBNt_A2Yhl$9OofV_^H~U&F5v zSWZ<~1c_zKSP3k3>($7lZtR)IST-Od+r{6`&2RfR#ImMu$kNh?TbHpu23eh;};V0a>;s)nH( znR0|B3Y(83_WT!8?f3t5G=?G3f&O@7=%Y%B$7nndgS-A^Syof#zH_tlTxqO)x4pkl z{gS=^vJ(x%USrsvrWRqhc);gnfNeyE`k`dS>6eA^io%)dvf{q$I`v$j-Sct}%*W!O z$|{zih4CW6ful$vJajf zo8QCZEU8b<$6B|F?GBR3;LqTvAO?7VVw0d&`#FwwDtF#{w)S~!DLHd_eXls1*wD{o zpV%U}KeqB8VVnC<+T_p@6lIzMQL;n(l zq;XjQ&6uQG{#!tZYR9X5J%u)^R&K5hVX@jfhiguVauF#K!6`+~#=WWKVzg#LsbjC? z)4JGp+IM`a_XWN2p+g4r)Z{8Ki>#u+!eJTwJpj&fd@TFOOU2X4lcrw0O{RB>0YF0# z$O!`(x#y%fmc?VqVqg}9%jFC?tNXE@Y3yu0aJ3d*!keW&ks_AwW4lh9H_q_s)G);k|g4IwupN0&Cd7}dlPqB ziRI)( zsghD+z8XGRY`psVA+DCnT_=Qw+f0Ix$jnh^=CA7jqyapUI^SEI(8240X1Ock#cJKrm8n0jjCGIgqUKqwOPolL$(>|t_1 znRT&^l`FELew4AH+Ak}3Mm9fk?j3vLg8yjN1%C{^4hxC zbPz$&MSV&1SpEDSv800MsHEIRraJ{!my!#56xwGkh-HZLsu*8$xAj5Pq6)kA;VL#D zJZLt)5gIT@@w3gbQkiZQTnL0WJK5=a79H-j)ycG)Ox@ z%%Xzt>MSjH57g_TUvWXj1{mW@OCGSi@!3K1;1;~!vSL3=<_FHk6rSQs80>5*C9VQF zW1klK9i}fN9Hadw$ct&9q%YBFyc1^iUv#Y3`iklbS`QPX7*@p;dTG9!{P3v0lb=nn zw`w9TUbX-ES&01fT`1fNdowA%^oeevUV6vbFm}PRnjiV!Lr}eYLsqA;ZM7Cvm3u^u)eA%9s!Sy};r2JVWd~%GiT8~uA zS<>E)yra+A)8srZC#sn^>$3i9TkPEsXoK8SsdsqNO+C)@zQb0Y19qtsF*CzYYFRVi z$cH?v>iOHRDvG$;_bAv-TLUh7EVhf;%`M`|ll|cG?Mpnd%v$Q*{@4m1oBw1uzQzMz zwV9U&9?wxm`1yNfMnD!xLt-QOgTk#((B7dzI=HIt49Wa7#Tl-0lc`k4J>wO94s+Pi z=*9Q`O1 zYdBc$Tlg4B9TVrYPVbh+)yF+Os!c_4+3_P`AWQ=sHBAqV2;vPAk?=gQ6*5+L^z*!3 z^{fXuM^kCCo`Be9$fN{$=_&f&8ZoNuejx($oW5Zdf%_4*-t&P|HdrIDo4Z(q&5r?{phir@jj9gdi}Nlb zv}v6-Bi}f!S0v*s^+pRYy7Ib)eXdk0o>D;0d7jk$I}6|?(MR-&4*(5Up0`kA((f_D z7|?v2xK5sF{Q&D>;Vn|+xiN_a5%w3Y+p}NxdvZdw95Qb~Z(U6X06j?}OQh#y-u-Rczt7 zWOqL#n>4rP058hhPN@__IiF~%X~|VT0!boNj4Eo3jcViqkNakWIOh#=(ep_K&UhhB zS=x=nn+vuUthG9yq%^j>BjU$=u~XW}==goVlcJ22F!Y!x{UZj1^_+kYS>V#1AK9K3 z4%u$Fc-zAGNr1BvX;LoXx~tSuoB6STvWy$U;NR{wPEq$e3^5 z zSqz>>ZIz+p1D@nr1-&}7O$AqJ?&Kq2#H|uoO#Vqajz{{JYVn@NlrCvm2OUQ)hxct0 zL(~FeA82Kp+!ey^&(W_KfTPD869Pd|6DlaO4ki0@qza%yutAZ2G9}VA*Cn?vj0PY~ zY3}*{%YFznA^;T~c zwaiv5%4rrJXZz83-EsO{R_risH;;+?=zQDxgItrUgKoNosS78lEoxKY>!$}>6<36T z?+04u?xm#K+$8MBWn&Bn^@F1_A)eEzJW-`ZK^n=>yOkTCiltUw1wiRn6yfX7LrkS3 zp2M{Q4TYz|e{rV-u0p0JgKbb#yVeDLMa}m^1_)~Js=Kz zhK1)@!$Ebb8=usY3RF?dxs5c*`OhPhS0qhaF>(7uKQFCW=XqJ2!?N?pgT}wpOH&y6 z&Mc@ObaO3!U;i>H=p8@C>udUoel$5P%ggYFjX{g8Z5;#1j}$)pmgMV1-rX>+qxI4@ z8+Re44L3J0H8fJ|-kL(X%7D=Z+l_0Sj_P1pPGkQwEyRm>fj)CdZj~pira?3O z!iymD1ol|tQSnz7HBPW+#0^#jBDGWGtuS5e9QJg)45 zuJ;b7-mEI_SwR=h7m}~haV7+vZ|%S|VCUxx2j@eqU$FUN@hcA&#k~TT3^nRlQ_IWY zrry8#G9j4jXRitq1@-e0&@(}Mw-#H|#GEvVzWZ;Q#K+AiRGWv%YQ|P^#%E9dD9NQU zWWS8=(0kUc&FFKT0}Sk|R1ROeB1uSH3aPlJ;B;9zI{p@lUs{(6^z5b*@gCCCMt(iq zAYk>gPC$cBF``*rbNDu(xD<8q;|lyGIb&uh066KXQH`A?wD32G1M;WvD6U#Q<9OZ``KE8lc~aqy zh*`#N>j|1%3o%RBy;w^*rOU}HvV~`1V?NhgCdGu3^>`dRF^zwR6$x?5$xq>ZS<)PP z-y=m-C5d>+yTQyr%nodSuzGApmho{G7O|Ukt~W&; z^QiD%7&VAqxTp2aYh@j%ryUF>96>Ua&M_3BYPzA4Q_cb$#EgCU!qeZXL~lOI_HZd?YS z_;LN8ECjM5(c#}Xp9K(f0hvzYmN76xWN8E)w)m5VxUNCYK@sVF*+ep(%<78`gVCCO zL5+I7=~s;%?l}%=aqk$mi;a;CmjxbO1-p%jI>g9(Ohnl`mosZ_L~y9tsXGRnHdY)0xsx%!M5iuRO8f?j`cN3bOsgf-T8&~xxKEB&Hx2JY<*)JF zWC|eAyqNjEnIGdEED5?;`be@cV*l9UGT*eS0^{&qj@$U9Xr3gowIGjM|1E~woDf9v zgw)jAjedXP|1-n0kAw6Ab}?u^Mx>KV(SK+j$LfFV=f-J_ypI0D?5M_%X?^pfx%}^p z!`I+;D)b5Z$>s;*~bn5DiQ0+BSyw0rFJ%0F_4 z|I@C|(EcrFr+q2#nBu>O-o(u%@hS?~w;b_(H0-h@?|Jw4ZAi} z?c55HZ%xXDITZ>_rDrxIr%q(;6iKx4Z?9~Hk#jhC7{y2&sifVoP2hv(N_2FP-U zzs??-J<48`BAt_>iNVtJ49+L47N$&gzncN)b1mdUO}|7T^4oF5bK4l5 zp?m{y{C)Qw;bX)`XgVyD({F!~xt5Mu@;@ggp+T91c#}nHa7E2!`q=!Rg7@#rYBW=j zF!nxO_MtANU*u|{A^-5Qh#vEhUVUh2sONqMRUSEc2Xd~R&@b{=l+!CxZts%M;GSPe zIejhr7s6pMB8BIriJ_2ro!oF1NEU=$j^FqRn~PihnQ9>VqpY7rHhkp!W2DGb-@6|iDmmXQ{3oNAK#a3t+2!UzlJZeph@d@Ky=FGWI5Z_*1!w4JE;{_WTrUKym)&yuLrWYx%Ffm(E$Q)w?8fo` zapU*r*`!$I7?#m~@0}g*JCwcAfb5&H2ep|t&6z&g6UbK>jp4C8wXx5)1rH*8E{)Y1 zCy&=U){nRPTkk|CU5BLqRI@=s9=ajh0wgnOeFgq0c;5`a^tMHjPCECwz*6m$gfII} z1D0uwBS$6uwlsProYRw zbrrB7E}}xPK}6mLXn7|VHI}X6Yh`u@-=&TIdltZxB1SBleS^QRC&zwKG(wHiC%i-{ zthO#1FbCY0i_vf4{nq{heBBMBdS66h!aByx@hmoM&S-15FfhddHv#v{%_3A51^(vo zT~uCF(JaG`=Cy3{sn>$VZM*5T1Kd?BD)ogoCL$+=SZf>aT%C}v_La~S78hnN(^L8L zhwe)U6XyP@Mg7al3JffgE+%P@+%VV5 zHmv^V8|z2Z?QerFha?<+&i`&*9=}?p)e~2-dG}_C`#nwTl@yt>D)V@$hiu>597;EH z=ih}~qgA(7UcgSi_>pc1O1l$F-=M?@(Rd%uRh4K0+^!Ps)0C^k7%svs6i1BY9(c}t z+thP;ts|^+w*b$Oc9l)K;YSI6KRZE9VuCO9LKh(0W)eQhx?&Uku^2igwoTk5*zx&@C9Lw-w{q@pNhkMau^Mehqt2Fr+PnubwR+w9D z;&s{+_8Q`k5dD)`ILFqy!(2b|RMa?csEM4S0rcUi65mFYIE7J~*k9t%+iWQQz;25^ z<~BwTVcst09B8*sF#^$?i~nrB{F<2Zt^)xMz35IH<4g$SaxZM#te7-uD-{4Yi|NanGR`j?l}!h}K`A6n+ykxDIuI?~ z13Ihv0m^4rTw3WIl>!f*hefkYd=UWyaiRiu(%m0T(dtDVf25PX>vdnHuxfp@MiQ?i zr+^uy_T;3jyDKL(e|9p98I6WURe3$O}B0u8bm0}vPZxRKbNr@caO8Eu2<=J@fMo7n}~-wJuhc2MWo=K=xcR{giCUl zUv=v!VuXcj;`o!Lcd8~$3i`iw@q_Q=D2bLvbY0u{Af0TL$}<3muaX7BK=}#9=$o(! zftwvFxVzXc6_cWrNxWrDVLmjRTmL)WhCCkOKs#W?A^`z?@&FduSJiljiutlbQd~aE z<(xo{;?j6|$J{w;w@cxF1S)2Shgy|iw;Yat@OPS8BpO^(H6#>)x6ZC^4SkRw)h<4D@gQJxZp3B4_y|qL@6?o`H-1a()GTTCcK(MR{nyY@Pn&rj z9rst-4Q{yqgI}*z_70U$M!vZcc@1pt zk(Z{Y@3D3&G448MEGt6hLmX`O0=?uw%m8^tJ;(jgtC764K!E_99O^OnY@gNTOYXX5 z^!OcgHQ;t$iukZ0Qg~}>_6<*Q4!ZDD3=KMdQ!x2hh3-s3PX(v9$Gplv1!?K)YY6o6><(-qzcB&4Y4iF1dexv zne8!QDXvE{tbe55S3IpVhGmmQVyNprdqS?CsfV)V$qfwSTVG)1&Yyjz{2xG4>lQm7W9A6E%}> zb}sqo8df>m8LGpw+(X_+lNTN<2SY2mOE75j8BPp)Y_TdanZI|EPa>e$jT;OasAe+$sGOgO4mJP zip1r=%#}dZy~#S5Ck7&Z*heqJTn(!;2E!_kx~T4-qtYr%wdhWBmhv4Rp7SAe8{dU%ZHTbpHVWdE0IOTxWWIioy1ID>#M~L)dc*{{PFfX)_E=lRz=(xu16rJ` zr;n?YS@g`k4Au69K8Z7%2wLeebATecRbo~hibFRYc+EslUsNQ2_ew1wQz0{#n&&~E zs?**bQnSU`d6W+JMl3Qy(!^d)b2+wt{pE;Sp?#|5GGV}R6z*Qk?Eap6T;L{P{?b`V z;BRX~00q}~zkwXDRF%N)K`rsx{5A)xB`ee8aFMe{e4qFb8O;CnH+o=zOv!4gu4Vdb zZjR|Kc*{t0p##GdEuOOr5I>2KH;4N5jL4eoxlEJeX&rZkA?acx&mTGdwxzCP-R?hD z{Rc;oAHAmqDwi11S5D+(-;JcAHYy)o`k%W#ZAbr$$L5TMElEv!?CtvF4owNqFQvvI zm-)@&)KC)+rO9}Q_r$3G0}*Z}Z?ox{mE@lOVPuY!mIG31G6dgrx&7+BsLHS8swa24 zzxKi9mOn*yhnqRB7I$T+1)J5ftO#cMbpX|IRTc6xdPV|5E)~mOm3wU z0Jm^xo=TXA@BaP9H=nP2Z7I>#3j66Lu<`;lM8^u-6T!N_e}u_y0Cy8 z4-%zUB5ztgJXC{geC^kK$o$>NCO}lUG8uPU=U9jX7cS`f1iKl+vR#}bHPIQP*=U{i z+!4RcF;$@*#_rcOUW9s}4-+TzR1~niAF@E4oFb;oXrBMI-oUozR$~i0S^{53ETNzI zxKPeST@qN@sXN~dRCi8~^Q8Fy+ILOqL*FR)_|)3IgK#yI>C)cJ|HNxHF^UQkiviuf znIf-EL+?q^seYe>ksN4G!)Q}f*@kYRkv{l!-}JH)=ywGC%mJ6^b0vC$2^$mP&a{M~ z73Sy!1b6c*^j%$h(ZUnAx1V_PC!>cFfv+b5!KaJu>NOILD(x>K;JmFW;>m~?qS0M) z)5Gc1qX;mOY}WWIM{r9l8JsUI55~ay>&NZs)(6PFdp4S9^e6{zOXIvbdX4)9s}42e zG#2xhCY!FGD!%B-X8uC$I9BL3J%_~nIkog12mOc^D3DNLKaG-hvb zW++Fo#5GCoA5Z;H{QYnEu-Kt~Xj=Cq8Xyk_ozHpL_qYeVtv+Tk{(oUVGfK+t*l$k` z>8VA5-7CI&+0i}8e~Ai5P3Y|F^BgR)t!9KsGkt`L+jt4Ls_QLmPnra*09~%A;*?tI zpEtU>34M-~Z1SrvG5z#lj~)c&qbw&wyJ0M|h`s92B458|sW+`;gtT|2Q9;_b0i41W zjz+%Hm4dVbOWgoMznaLpxRn56^YAjmAylo{`bI7OR7b@p)WoE8)X{X+HYVX*Sw)zP zRTSXn=}N=3_f;w5RhTvG%X<^e$&7=3qge^ae zfczcCS%O$8=uWmY5~}-Jr&`j@upPPP@aikKwMc=m_o}DY?!hkUx8YpYq%) zgGHEs(G0+{y8m6$l6Xl;)-CR!B%LeIR_#m5>NSb@%UH%PMDi#^uv|0HY zRajW!_sGia$-|KX-@~=k5A}<#A%gz{UA_|OKZsvZ7w5$)f%R&$-U=Q@ijq+wxpjeQDUB_;>7z~$`)=&%bJ1a7`XpZ}Z6@J197);6 z=&0P&&oBQ}$8?1rcHR6;w67jaCyFt+&uLECx+%7KO*F|7Gf+~hDFFneg(@9HdP}56MF>3*N`#0=ReBF1C>=zqRO!7JK{|vEQbSWZM4CcqLPWgp z-us+!?lg(w!8c&swL#F_~U4tXD>>0Ph>dKIhE zF`3$W%4k3a9n&4(*{@O;QnE@i8pOtg*H=MY4#IRq_jK4wD~ns4Rj|xVs!hzA ze^QhG_hbE===o>k_CJ2@T_C46Aj*J^YXMTraphE%Md45rZgZMb4w4l7ah%I`$#oTo z(;K>AO>f`p(QM$zRr+ZDyxOK?_Pyc~!luC^7} z>CGaug`WAEdVW(s$2Z-is&_q9F_8*I0HMkIG4?KI8b|6xgQLwaGPNt4pUB^=7THRa zjfaa(kHqNxxWlVMv0X~fW8?OMOh49ERo1xLxJ}S6shXqLYI+wIOx=lO??s&Jg-eqw z$}Q`oASDJD{U;{^&%sh1Ne<(vz_>Uz)S4mNUJ)EeWsq5$JxPqu(MIZc+p~;eBpSpPvBd!e$cHPvo+vEyED0cPUJY#U0-eqVF z(;-ZQe5q|Yi+B~A#Sngn;aU(ehX%6e39z!Tcg6wv-SO}3^;39g6jKVHngjRN+}Xqz zzH%POFA;rR>2$tk(^eJET8d8gyRktkFXhWVq>}*|DP9;0PTreJuW+%+5F3Jw0d!w3 zI?mi>vzl~s1$D&BIe!QN0k8j$ao~?*3!n_U1HehnbjNA^;uWWMvlklN=J5we@%ue| zmdFSDED%~*tU*UqM$Rh2<|ChukQ)}&aT5iUs96l)u!dt4))u^HRjL3uARJ|Xn7v3O zVwB_6e!eD!9-&ZN^4$zL-KWR3$h(t!sQIN*uPXTbGnvB-tEhHQ!_vZmo@$(_au zp_aQi^9sFUv9hmzoaXNy{w5eQ1}Fty&J)YtkrAo8#ZmUsshxp__bMCcl+#mXkY}A+ z1I_sjR2i~e@-}=thyv6X)r1WPzl6%+L{|og$%zC|!lg8CLxq!29n7IVDx4$?0mqI) zE5l&H8NLHQvt!M~rbjuZ<6$i`BeSC1Hlo1tz;S=!<39NKESa~+X+7Upg%NFal$?UuP4#+ zD((}B(<5AdD@+hzhF6{@=Y}*q{)cq)KMn|1ssI7d4tD*tu-;Rm^jIU}S@fb*yBG~Z zAkWx{t149VrFkm<+G~nmZv-!Wxe`!Z!!1IH9RYP3Oa^xbE#_lJmbfg+i2VVPjFSgB z3jLYHu>r){cI7s6<7CxKf$&`}1_F&GH4YIKR!4z~uczR@Ewh?wp`QF`B6aA=$B^FO zhUc_=VO`x#gW=_EAjVv<)Lw72EPJ(~rnB?@2-oxof0V4;=55Y({b(8cD)fr-Dq?cN z^hX=aPYeOB($jMr&=EVPof0qmBSX3Y7B~M*hRn8!jy~e;mV7_0-skcH8q_BKLV+~6 zfX-I~gbD+3q%(@RBE#QvL-&A$N#$Y*Kz;+n+fq^h?2dbgCFOU?)Kj##+Y?0ZCZdds zx39}{wmR!K5pl>fE2!)}jh2FE8kWiX!uthYOpiN5wlB0~neD&26m`1kQqc{QjLXnD z|lFf~qK5 zf;tv3)jw8MVE;`xhzh-polN38bqP?z%MzV#f#057s^)jspJY{L=A2vNi zC!>uA%mH5*XYs0Ts!VrdFl!~SWwl*2oGgnWlLZ|HrZpVhRa8|hfXJ?2!dn>a*ZQ-i;SLuL z!1V!15pYpN){jspU>}(?>Ww;R(#WM<@P#$E4=^hhb)Uf+TT)QnBas@qQF$-UDu=1$dcItLAu(ct6Cn%Z%}9C-E{zYYTy+E_naRbX%-P=KZ2G}XRhf421#b;6 zAp*}SMUGS?cb9nCSeG&Pq((ZS*SIR~KReHMA=x*M0j%ncKbM_Og0ZnSpX3!iG=Lx8 z0I0z=+B{P|w_bh@b#MGC|4LHvWv2;VsJE)y4W8|b&=cw@-m;}^N=nZ88XK|N{}}rI zDj`NdpaL3#R>(XrR+Dd7K@h+h?S$>hBZf))*CGflsxEhb_)ODg-yPK!d>(&N2j(qw#%xW=ab*!vqp z7psLL)7URuVq~UyxJpYloie@>$QNZk5&gW)e6ueQ+D68=y{`78Q-l>#avte@c)ds{ ztdoI*9()QqSbwb>ZRV$o>fwJw6(fq-Oi|cm1*A{rgb23-QGS`VaA&F2s z{DsPvR|kL$@q{|xJSP!+sFp71Fc_+|yQVB5AT7#x$kVu4?0<0Rf+LmRl2ZQ3-vy@%lVBda5 z`@QzEvt1p^LnX*i*RMAj&f=Ww1_-D1bx=E8tUuSykFvC{$JFZv=Mg%cf?ng+CVRy(liEOmOvH&QX31GalE+^t6to$r{ z1I%4cvSWqwjIl9UkPGkcHyC7ip3;^39yS=+MIZM=^JL9`s6_LLN*2C+eG!VgGbI2> z0shj+YW9{Pr%B{eMqXX#)n-ra6U~#Q%9bhvv2s4|?PQTBd@!C6w!76s+I~}B&U<9V zI<$vD=UPk1!QcSK08oP67N9~mlp8%x@or1h2$Jv8(KsAAjIaZG{<6b=P&of0!T!JT z!Bv~2C_2y2r{I(L zvYE$j4shLibqGKivZGs%9;NGvIzd@PZz@W&C|(CgasWz9YhmpgrvP5mwmq8?ul(7eS7oB~eK-BU+GTXC)8Ipe1Fx~0sBei zz#bmc@72odNo4wPti0FJAb3-2BTfQpOhwQ!wxo;!9`Z5RrCZ#Kf?`} zg6!14ijrF$*~-&Oqu2YrMTBDccAL98eT2&V<0&qqmgoyhY+SX8~lt;7; z6qIkAmo%boGhmh>7UM|C>%&a#4B(AX3q8LX#;!zNO<&Mjhe$fT%V~|Z`s9Sgs^=FO6YQm~|5&x~IiYxMts}AJ`^WHr<=RbrX7CQKbl@Ybf1@V2T4M zJDinjKJkKqsuYfkSC;z3RusEJdIJA>7x67HwZuR^&v>^h5BXVt5+Gud5)TQ&X#EV( z0?`QILvCwf8@qu?3ZTRIkEzR30=UloY8XW zwkAaBR33Ac^ksus4|~r)y_X|5Givj(7kM}V<^mQ>X~&V}VY!gXqR4de_B_-6Nb|#_ zY-`Q(W7}Vw<%5}W5h2T~#mMV+~nm?^FB=_5(p+lice9_zC`Vz zN`CUH&NW3o(ZkWHDIhV3m5NDU=k=c>^R0*%TfI}D1TQL=lnULenq-0EH(xePb}0R! zoqe!S|LR1w=}!B<9U1(uXeoE=0$q02E4`*g7>1ttB$qKft78J~djbE<_n;wjqJ;2Td?uR3a7u>SKKAJOu>}Y9nrFaeS)zxO%36VqWJ+r zk%`23-lv|y^3Y6?F#{E4*r;!Tt7 zVrLmE-`u8@Z}E1jPZyqRvkDrhS4sxZ{-Fg{u##Q7mY2vTwb zbdun*nJwzWYc4CnOWLws4m14}DaRe+sh8h1@q2+0aR;XQ?vJJCrYlZE;Tlahj~_e> zGZO!zya>t+Mg(aoaDi4Uq&@gAQv&m$(>Rn@r63!4vZy?H8l>)OIspiFs|&2@SF;i} z`_xPJ3e5|uwCoPKP$%MVsG5C&1R}P^)aneKo`^n0D!i#F&5Dd~sJX{9@wj43;H$m4 zY>m>ScL3i_eM#u@0CRUTGWQ+r`Ldc=xH9EtF&xKG5n&oOT0peum-6N@Y_^0Ih;mS6 zfflORq$aVJdc&I>`n5**pUbn3OUt=aC8mYW1^-_7@W1!kuG}Oa+_r$J;ErK>2xLRMDz!y*TwGEe&P&Mp8QHkN2He~H4m7G(;ZesMYrj^<01l$<@vo|jlXtY*f zPnYjoSPPq9x3eS&ZpB{YcPVUfou#!qY&Ug}Te2oR6EDt-fAkDXq!t9Q-x-`nofvt=?zdMKl1g-5Xo49Pk*U_Ij z_4pp(8iI6cPURcfGREtKQ65apGS-WR_sU1wlM&I~AtYgI}r zXXqWEotf+>W#6+d^Yo2Vaihy7PQNX_OyI2Kr;<9Q?ka}ZZBO)|4sQ$)!>HVZNh<+o zoAv@CQzdP5tH|=i#acS>_;xWQ1el_6(TgCRCAEGpV*;`~kqgZ}Qk$bShTw8Cw$c-=h(w zVS`k~Hw#j^134nw6SaA<(Y8y1+-@U8N1H^JyA%y8YoYqf|hIqQlDAUw2D z-^fYaA@Ayg>XzK>=YQ_>uoF*qPFdUP!YzRRM0Z|sy zjQNO!MC77oNWBkL{IsylA0CdrL3KU(J?>c@7)8DAyQ9eb2h-RiDJtTr{Ce`1lM*tp z7@Jy&VJj*@)3s|tcBATz#5s{Gf*)g-H(@6l<-`M{3|f?Hl~{u0)|cas+M?lmsQ_-5 zqSm;gZEuk>L>7sH)m70}wYFyXxY8~ziW-BOD>2>EA*w0pQrXDjGDk|gA%fb7Q@l_w zje_Gj*-NiC?O5}KigJm^_jpJ8OeTBEAh|G@kk~5CdC@%MIE0%vO*XlrECH?Bn_KH0 z1BC#1)RA@RSgJlGYv)p4WZ+m= zokS0r>fR2MQ3Hlcef(Ow#<0|z_F)LW<&p4DSSHZ>@CG7Uq&M^iX6{_tunH1d$DqPEYg=CwNP^NejoyTaSpTf8Ga7w+# zYk4$&Tiuf6mQ;{ri)m4=>9l@u46$F-ub^t8hfE*WQ>GZY3ww9486c_L z?}t1}6m`exvZ}k%Ok$l5qX4m%M!B)g&EE$FhJZi(*Z%;7KS+3$*VEj)u_NMP#UxPj zfJAQA?7L18zz;xz%g6`SfV)(^;W{-iq$)pMuXM2xJ+as{KDssK-O-(k!DhcPKe++O z3Wu8}1l8T`w?T?>IE2;I&`E3LGg z^;+3ds`8E)9BYY9+HQO4x7xK>+=7Qt^~WDX%;M-{|Kl3s*#GF`#g8AeY*%<^>^0_G z$pW|~lqWsp9#s*-l$m=BC*%m*&@>5cD~ zUykW1GXpngnmwdvD8B6aynQR4KeRvpd9HcK#ri_P9d>Fm5;@un1MXP)X*g%}M(QTTX^rzgOy4W$6QsVTgOL<7JA~3F9 z2`5)GJ(w=w5y7nHm!B?s7gEmfL%m59<+@D|_E*B~)F_v2*%lJfU6#x}n-+t!5SpIw9Mh6!ilThiJ6qrI zLEZ0SSZ2oiq2dR>K%_pnfOHwtFclQ0#`Ks!V>u6#94mTM)rsP4-WxFAFLjKs$3=x+ z?9whlc1?7M;W(edh zC+a^8witXlWHgqg#k53^RR%jHm7_yQ)do_xtpqW&F4H*|PNGiY27_Do(8ET;-fOTP z9=13SmxfWnR!{9B2Kf^{s8}U}jZhM&Qabs@xpZAH-PYjDRk%On>CU&8;WP|v7J%V@ z<}zOb1}Smw-rko-ywnDX$a9w!@YhphH=0wfe3-a-$-MGO!R#4n}VlnL~+ou6L+8Q;GX0PNK3Ib^O*hB{VWH(=vY z`{CI(wSufoJcQJy6sKV9JxfZ9h{)|HpqWui!EZEvL!-gj+~A$ZoIXf=Ma-gxP?rwW z-`suO7~cQ#jj$LtLpgEsZpP>SVWTYBHSM44xt)e+{6@Z=!8O<8XV-;D1P#X+>9RXQ ziW}&z*)!&!vlLW{K6ks4x|aXpdOX~VF}$R^>2w6mC2tunyfK%W4)Nv&vRS7oQ@Cto zJW48APpHdckkVreJA#-;v5Lh zElp3N7*a`M9#d~{&_Io}?^3z%@m_@&YClGfp+S={cZY>W$wo@TFfy7&f`<%K_g3Yl z2P`eQd|V?M^vhj~;wx?S%$R6N(-BNmKFj=2m#|X9tu{mD2P6wG)ReALE=CFHzU0fJ z&%G2A__9K~cF+QT?Fw3$QPHo)qR_U^9-yNm8)m{2?4-0RehO{TinynLthw~MRV(Vu?J5oErzkd(`cX-v_g^Lpe z1~jPl_IikyKvZY1J>i@anb{e8;S~XZlIFTp$iZ&XdNu=TD5j+uZ`0+M1s4HrG8W$? zVznKP*;nr*APv9ySV?i792Y$t7x zLe}f_!@(9MUVB{qaMb>og$Cv{9(7hjRyUXrS%a|YnCWfFFN1D#19|ZGa01AmTo-tF zcnr;v0ArAf!VOHaUtm?>IaYfegw5z6NhA3bXBT9?|14@<96rDpz|Q+I-dQZ)%l<7d zFT;r>97Wg|06xJ}MwPnYHTX|OeXWY?)&fJ(=OG=+4Mt!;)qUH-l#>Zk*8M7i{ z$9OSwRS>E5xQqm&WgoHNTj~;1GPV=6fk`%wL$vUd+RKDieewNcP8$qf4@F$n5e6&~ zq5-w6Dna*C_uC7<%G)k|uy({Q-fvG75jNVF*?2WV%1B~%Ro51-Ff@=py$*7%g1d~7 zKEPW=Q%M6tv()6NB-yTfO|%#cGSeR==9VYx74WVHbyU?(WzuDB&Omsp7fw~F@A2|` zuy9dfBSqkUl}nn)T+8{;uqFa#=(`5s%5v?p8rfM)fimZ?Sa*V9kkroO7mA!T9fGgtWuEL?VZbj;3$HD2X&DV*;(ccE?50 zei+RY^h^OxLD;D`llg^KqDQsY+-C{EJe(SrR#y}wh5Pd9`?Ic!zX~dC<-32Biof|0 zaaAWt_!^R*Z8HOcH*vWaXsDU;*Q;?-ti9h;i)K|W*6?OHMOr*j!MaF9X5M425__~h5x*_cZ;oN^H?__unP zW%kwX3^6~FjML*i;eFZd3Z;x0NPVWA+e4m0s4 z_rc5GJ&HeGXZ>egwbFF<5)%po);A#vT!dh(?2AAW9m*D(CT=9Y9{cnSl~d9b4{Ap2 zu~tJ<$`x zrk|LLC1Dd7XWJh5A@S7PdZ_NOD_=sV0Z=T1_^u{S@-pK`1l4B~!NOT$egNg)#Q=4k zcu?%+yBe)27aeIS&{}+(*MQWm~PQ}&H4mt#RFL)(8WvHXRvdTi_(uL+b zIT=(eavSj(jAUq{=|-yaBJV@1>=d_H<%cX;V$e z9-5cgb?zsVp_!gX@q3QH+N$3=kCA&IqfK7RqXHo)b^yG^AivD~d2JztJOG-* z`el)>QkI=7b6D;v$}C&4TO)yVb_prS%9gST%=k2#`S2Y;+GG*!me5?eYk?9V@K9J zk4wMAv8TaslRc>ib&eVZR2l@1qVs&hoF+p9@OM&3$!?APnDEMN!j}#zMZ$(Sy!d$b zCdiK|P^`8)27^&HmXMR?Fdt}~iCGPDSOPfaXT1=Ym6jjh#XbM22dE9yx|jtlgf@s>^m zGph=_S@6!sTaF0$%SA^`hrz>NGk{ACPKDNDBDZf0m~V9_dUcHyjlC zrf*6l6DH4lSUW#-P_s8~`ayeWoQC1~xOk9W+XMpR%RLx_!b;oggS|kwn8|QR8sb{> zyRp>iLU-IdL%VEu%e%ng?0FdEX>4_B+41c|oTLg0?ds8eG#&pPjHt2$ecp>H)K`Wk z4v`Qg+a;>dRCPf`VV7lYn~w%>wY;~fW9FXZs$_tJD?{#uDG5^2?tkcoXUMK0G}kvY zl7c%gHBgPFp4#wi3SK_x>g-TIj6s~O@BQe{Ob$_Eb+~z7`@tPcvO56}6o_Qu%esWB zd-tr7GNsEKd6f_CLHN-xu`^?*)6bSvN?ZrSVX6v9JomI906}`D_B`ur0}9IF<&)gZ zOT}U*291{e>MdB^3`0?c84z$kUIVI=9yd9+DX;h6wx}CpJb>P@OUe9Ulp6wNkT0pV4Ou(@ zXO?@%!_UH$!YTGcy0O|A*JN0}?6O95luSG(l8iGwoBHp&H4{-3&p*8Y{w@o-I+J`r z#IdexBrPH$QM<|Yixf_UaKSQ=cg&!!55iiCv$T)2`B-BRM5;w2*OjG~q^D&+(UTyn z>SkkJ`8KvyMmM4|zsvmO?NsXI3)V_H(Na*Fs#BcGQGaKWtSu}D?uOMqlW@n6B>w_6 z8TA1=?5jC4L)j`%+|WirZSi1;DfPz+^ipAOI=znXc~#%Fj*J%Hrj&~aZ~U%RiP5U{ z7r8Z9w8T_Dj6`<%83&f5&iUQ=hev^0C!-bvxoP`JT)_a699^F$MtL5#aIxY4D`33= zTA!^gHi&bRAG8C11@`eszJXRHJXQD?!o<8um_=M^>_^+x?*GJUyiqK5t(g`S@x$N9 zck)dt4u)XDcrmeiojzI7PW{L35Xu z>x}pR`oe3I>+`tm(yfQ*L#|qllA-asitM3}ZjLZ=RZTIX>~;O0TYggQ+I6J#oauvJ z0?T(}ANbwK?vY-|_-wl2&E8K?*1P6A#yG9V<-Hc$+C8X|I2ovQHa|4?WadqEB1)ym zZqu=c{rCG8BhUpZ1?k~*Pjo=Dc;@8I;j;JrRb@wgLq5|V!Cx)7-hZ>=G0UtED!E7E z3u{tQ{Pm=jeYu^L=1L@l^9_pvmt)dh=fO;L1e*`?L>!hu9|L8{k!!7p&v4E;gQSHn zuTVvYiiuILQSaP48?+NH5*#W=yToV6ZE#KVL*&+YDZOf1CJ?6rfQ|oJKSR9(LFTs#}+$fy7;9S71$sy`q+t6&;)6l+-w+Pdn$A0(rXs>otT`P2zHRmKc)Ufy(d0ATC+7ZA^ExP z(UqJ3MJ(x&JRY>GUw2MaG`#<#`~c&&QInCKam(>EWK%s=ar#r(=MzQ9c$; z6C9F2P6=}1tO~t@HG7qU&6Qnd|NLknfNO0?7$t zS!(03;iQ-2q}vm)#l{a;v@b*^eQ56w7k&dKHvtB*VigA0>?PpEr_=omCaU{?cqFK{ z4B9y)!_g1Rn+mB291DePYnf{T-|aeIhTFp2HnJ+pj4$fynON7JT{hA)*>PybO-)&= zl?Ui1=a9sYjX4^Ads=n zW2HIR9mHGcl$~!K!r0u=?pWtZV|ztG9^r=FDWw4;7JT~M4F9VIFBu=TGR+!z+j}$ycRo!N>N(8T6dIbDIk?r<8tRS> z5s$X)4E&1hd%aa0eo{zPL`u!}LOz_(*UjKlezXQU7Z()tiiCKj!BRsII+&0t`N?wI z)(U$9ez7oTX<}{`AW$PM`hK-zXS$ddx+c{o1qMT_QEY7g&xZ z@LyHUSBL;1g=wgDRaV4M(>@&SlXkEQ zkKFT-uFh2hR@~HAo;0K%uD~%QjT11J{*=kkr!P?|c3Vu2sHRu$z-7;2H>&ZE?a>&H zVGPHSbj5AnRyVrB;-|fLU(}ujQ?{OKd&M>aT+*~()BX@vD6#qXji?;M1%*e+5W6V< zf*Bs4^*#p6lZc9mD^&lAHki`8`75^-c$XXKhr<$x{uh53)DGY&$cydl=U=>>iBe=e zoH5qe8Ti$$RTCLpI;FcWRUKI0`?IL8m$A0nMf)4VhnDY?{dr+B?2fhqdabtigQ`Nr zLMHN@d3xxX-@fw$ff;=+#6)5Xfu zG7r~pSQXKa@2j7t)-){|9Ed15oBi09YDQS#+{a&U(TkMS0hf&i0XOcf9Chpu&u*1B zCxiA3<9N8HWb}Lrci0mh%`ctz--6qtGo~NQf3oReb!hzRQPJQ3ZE~(Jbgt0@rBhFt zZEdC{0GUp4!YE+_7qEb(lX8ZJ_k0k0?~;i8NrQki45c85B+;UQ9Is?odWb8E#q$RG zy)`G;^p)2~@L;=OE}QwX6T{^&uj}FU>-9B2*5Bs{B70FaZkkNX+S1?0;^#ZUwa&;O zM8aoC7pTnlx{|*1MeT^|1Mv9=KObd9n*&sD%Cg=J3*ee;dN8(Bd|G9}Hp&QHivu^* zi>-&Y8=X{+CV6d+=HIL0xcNb%6-cKig1qQ8b}4r(h<;kE`*OSb(O^t*K8jg?YGQ8l zt8Jp!KErHD!+t5s;OW*}^-8Ppm3Lm`MGljxUX$f;(XF}S;EA*>2AzB>vZd{ zpB0K{(_A;cTgWy$7A3xzj)WPXAUxhe$>In$-r7pOTEy>hJCb1G+B$tYI~< z*?skKr<&ybjX`>5Re(-dr`}knMWONWs6#%=x@FVMY`7yKy(y&_q^O+I{V{I9by-sk zuH}>)GNktT6jC?MaWH;*5ZcKz%0#E(y-Y8J1crm3W7M9U$7+y|B_(JqJ|Q3<%E2PF&05Q=DWwaS zWLV2rZqB{_7U6JUz#!)^_o^A+WOte;JJD+FV#2Vn=HS-v%Uez8!M<+4c&Zs)C71Zj z@i?bY{4~1Qe6l$9lmkm&0*C&LP&_U7|1==lYB`<{ub!#?@(8NBH!6Avmb-ZQS_Oy7 zWG&#KIRg=Qruy_KR&#I2lI3qPiZ19J6$gMy{tNSGx3JLT1KvwKmObQvKuYyF>7GJPzS(wTsTJD)g0#y~)3z)qD9zI9=<}r+5&es)rnnm!X_D{HqLi`O zQtn+VGv?)NbDw}8f1drM(UZtnKgs+V`eUxJdCzxxrK)%tc)B$EPh5?&7pT55KN3uj zPK+y=x8CoXZ1r?nX$4Cao{z12-G-J8OM59_xzn&Sb0E8n5-#^wYYs4&+n(Q-Mvl6U zdP}h;%Rg=T`L(5W*6;fn?(Ad{`lgjDb3};HD%ptK>DS%bK%EwCnm=w9xL;BPgKvFd zp>pp`RrC)KcDikzSjHpe^pTTU(XR|A+|3YRTWxwQ@3v|U+<@(eK{3lZ=NxXXnSxpu z4P7Ocb~gI=bffZEcczqE7pZKN4nW>i13-|=X1WG?ME8n z)Pc;sYACxlhIXwJU2qpxz3#XOu0SjlJqych+1qz~&8pd0Po_si3e)8(r4 zUvG3~1EStJd?jxE?41ogBmY7DOYMEh#g>LDHq5cY@gnr=Qt&UUXvH(t?o-FFa#pQp zM3uDH(qoYC4Sx2;rFC&~vwu6*d}l!RYy!7xQ*Hkm3_|FRb@g4ITUK%|roOiFkJm{? z0=9LR{hzmb5_D7W@};Hn1+6>ZkjH_?ms(PWg?JA^`QlLdfmTu0&=8oz>*AXa(!a@k z-~VBdfN~55Po0eR#^#-fPr6-3!eqN^Is*+=16W4ooUWE9E}!}7U4TVt9r;L4?3h{e z%vR|P1+{T~53?0ikfZgm%-5U$SlY^ywpS%`)H^Kg5NcEGAoF#n7J;hP$#$&s`F0XM zlqSv_e*U~e;g08*$arFz$JW6&$F&x*iRCVe$>OGo4{pYrLEGtdz0u!aO;=Cco6S9Y zdCSCf2kNg;GXL|juzf|Li(ScV1N|8q68cGI{nPvMuZ;_5M{DIQ55XtBu-muUc1E|I=nYN%Y24=ROy2T_&0)tw-A7Pd845)CCzB+9DFt`DFH z5{dYpGMw_Br5d>gTIW_4u=5Jx^dYVrHMt_$(e(GiBk?#IDwFep4lV?%m2u;1r`H4N z!D|FZDZ>XiA$j};*KvqxaFkfXy30~{@2i%{Ou12;=CMNa?my;Pwgf9!(_vbO$JQqI zvS#Y?g4BlbhKa35i8R+ao67R~YTNWxm{Q0U$LlRH= zP8-#;RAG57_n&U0*K72bAH0POcprm2>^hxl_{o499X;p36?ibmWW@U9GOimf)`d_(b`SJ5C&&==++jT3coTqSRecZT1p z5}M^6vy<>1i=UYIM7O~6RA&XaG>UDHYjxHsKkaK# zOH+-iYLl(#4Xx`M!J?`IFGCWsNf1+>5EnAJ?kXO2fw6ICekmu$6%7=F93f@Q3-QH1 zL9fhDDQh#FdK0h5ZE7G`~ctqTKTH~6+-yQ(nv$5@v}fUmG&K1|lr}uF7KOtazpqIg~6u?9sVJ%iSb}l~n#mg;jEcM728w zKionzI6RuOmWe2GyC7zN^!daNS1ryl0^H0w(VcjK_~YlMdE3viSwjz#ufs;xWmdyR z2Kj&88eT=3 zVeL|z&}aVXsERy_aqRXAy^)jZX^C<5HgT)GTIc;|d-MW0ma8R{{fqS|QuJ390t$_) zdvq@_cFPxbA8K0{{glq&tLj+4V{Tpj08O#e9F6s`zKq3?w9R`WkDHe179K?}_#JKA zDD};IOLEAaW+6ycawg`$CX{%4=5pt&PaMH)j;NoT=M4>TQ{|9uP@Nre8dOo$w5?r^ zZbGqWk|O|->;(@piwJXNRN}E(#6~sWN&CGQE-#^`IYg^c{3x1BhjPOTRxG=X%g3o* zTN_oVeGT^a)Um-VzeAi!lpSD|;HE(>+wm&G`^S}9Cw+-x-pkst_;H0Ykq7$P7W0wj zHrIsjzAQ3A#!S~Rx=!bI7!i!v!@J>&WF%d^-w}`vLU#G74GY5Br5`rHgYtbO>c1Cj za$>_{lPYmp>R2V6D}6FBN_Ne_(RV`-demR;Jwo`@v8yKOmYrnEdfTnr-hW@fuDW^! z0UIjrZ$CMdY;oIIJnx6Fnl0O}t*v$c*zn~O;Hf=T=Cv1yAcFb7Wca815y&%!Gs2wy zE{fPkNY1;TF0Dg=FDAr)HG9^u=V;q6CuPPgiVYvzFs0@nU7@peB{i<4-tIT4{bH4e3|KbuUR=uG^o}%l`#4- z%CR*&|LM^2s!;&fT~FZdi<*U>-<%tlKG@lp?Sv)Lisox{mu*Ie>*@NE1vg)<7@4Va%H2Gr(`*T|YsTI;rc>9!96kST?!vJA|*>2I#+tKR;V7BSC-U1BTxlT)E59FxZe+L3zlYs+$1?vl zGJ3fvSV=}mFk)N}oxYh4k~Wq`%K1KmqcDT{etYc4#nBXgBE;iPj%qvLPN9{V<2Di53>=~0O3MlX#TJee&8t<*5lH-TGAs1->uVzMa*BjQ z9)-!%T_%%}8k_O2IkE6c#7~w3NuC9TZ_Ms{eZ1}=U;(?UfxXOsQ*u{0lgww_>S`T9 zuH|dgV0zxg!=h&Xne849aR3xhcizV&bZ2nc_$H@JmGiS-Eq_2vz=%$$=OM+J{nO2B z{&iEtAGx)q-`uyc{AUqvZO9Wj<2j=`DO6>7V(r&?NeHv(=>i<+>aS1VXrN8}X;U>o{WxnsTFym<982llEv1cP%t6~df{MbP8 z{?F;-t~yr&%_sNiho5Y!m+H>sR7&6(^M+$Mk4}@%i!KzCr8R@z-v|mrvsaWWR>sJ$Dxxi&bL}M}D|NJX@XPn2p(js3&bB4Q3Imbt zF$TIiEbJY)ytQD`0~>o&@BPBBd1m=Osm~8XTE%KnQ8?Bc+v?FNkC-X!8XXKws$Wf+ z`^;%6Y|y1hIUwym&vv=5vNe8!`x9w@DUCOqEyG6s86p1;cRoh8`Jj0pbHALXD0f-t zDS-T?k9fy_VLOa;#y8tyOET?Adx-S|u1Qp5dYa7)aJTCFyo|3`GA3*6R>UVKOZ+uw z>3?_wr4AHkZo(F=BFOl4_>|mFip^8VU(%!7e@gH1)TaXfp{mw1k8f8!x_=NI4cxKm zKOOGu#8FoJ&Xs;0T9lc!E3Xt3`DIW?%SIyoRXy?0Poc)6fnsZ_(~FNsYB<_=0UaLc zkUu0{Bf#5r_zgEK0MPkkVYdZ^_f@$3el)##<5)N0&=}`>XrxinZtPCs=2q9{(e1M~ z^#1Ft4_m+c0JB(5hVUNiUf##zTATf};mgdT9E~|SO%T7L?Vz31N2nvT?T_zUiC?3p zW^3!>73F{ZIb~Ui+$ZN`Gvz!x8RI-y0&#fzD3iXwhbGeCxmhj=GP`2wctcy9+YNNJ zkY@8k8ymFY;a^<{uOd8yNeoA`~`y`*M>u^Mg^q zHGQoHPxT>=h^4?f#>%T-zTd|K|)3kdY}^`wU-kV`jJmSoiAiW#(q1aRB@*PMQxN z&DsrpHFyg1r*MlShPAgcE<{zGoyvt7>xs3TxVgqTW!ec$lyjA&plvfe{Q{a5Gbg*X zN~?i}-M&%t!zU4wgBnHXXz|efROzSbKR1T`t583eb(w#hCEawYT`~QYzE+3x_A6YPq#K1X4b`MzrK>+scn$lPs2{lJtl$<%A+$JDKwbxJ?}4lq1yZD;q){4wYZ&` zZ$1$<=PwfFt+VnU82SJ^c5K`CdVbW7h!TR?NAE3iX6CQGK#@SNW{Qf?2s0=Tr249v zqABm8`+`~SGG&N)ujLzP;o~lv(>jF=1d|<%^0yukpDT%72TZj{poG?umGEBPv>tG? zGd~~+q?Xz$uEtJtG#*X ziIEaJ^S_y&|51BZZB7@4;`%j(Za?a3op2cd?+5L^v?sj4-Lo{wboGvBB)}K*L9zr0ypOguw zswQ@Z+_1%r83c{iNY-61EG$g+>_c^;@s3g(&n#cn(bXp&$n-yZN`8GK6=$(m_C#jh zkL2KH1Z(?Ue8nX34Fdezx~v(};{L1Z%Yml*a~tn4!QpXtMXWOdwt9SHplAv*UVuL1 z>+U%f9$*}qBXHbQ{_f`Q!Cr7H53bBuZM^w_vbE)>$6-}h#^nrh?N2Hrjt@yX@cix>{r@v{oFO)EK3NFmvd_ew-po>R0^9p zkKq|dicm=B&17xQxM9u7>-6>#}Q}5gZ*1W;_`_8Aqa*qu9Zrs~$(%l~w4J6gx`QZCZ`r0-5qWAD5V5Jmx z{zcn!vfH_}xrd>OIhr=Hv}?s4B#U!zib|YpS4$TNANaGz)-f%t73V3Fyes_&)T_Y*HS0$$vt~JwO|&%gKU@9QSFum1Ri`focT>S|#Z z5X)NCkvskxSiN|8(iF59Hk{Xik{JS_5byT8n zLjLP;p!e+HW5lo3s1|DRX-dsOAau6~LddqTs|w|pnG^-;dDeR`4%C$mF$2b*|>#@-q)PCZuc+9DO%rbf3w_^>9UUyR{jR~73U4D?g1R4|GkYdd;AVM={AoSVB(m>vwI_Lm66P6x@<`fQ9; zCi}@2lqg)8E^I!!F~D6)51Ejwhe*zs20u&P3RiO(v4PH4uXq;vO4`A9ZDmB|E8|;x zDguG6;AaE5`JKH7{Q>B1%LT^WBwVB@r)Dc{>n}T&qhX!P@u!}}-7tEl;`Om3_B?cFaihSli zx<2f>`_Shq65^YpaL^egzwt6WYTlp1MqWKDD4#WZZ1d`DsGhch{C7dU;M6;+;Vc_^ zy1r}m$&y=!`!#xH@ex+X6#?Vv29EJS9LvY6_CX0=b{9o2GxdaNLKgbFOjWx#?tbgd z1@FZItWS!umaVhamuP+cPtB+<`E$wGYZWo^=0LDDrAP8+@`hF88K)Q5Rf-!Y;+Tf(?7J!bB%W(irG)>Sy5W#p>A;1v`_|(F>+9>D zQ`9r&X4dXUL27C5*$%9$yaLGt9m6w3|ll34F<-E*htoj*L z7zIN`h#F%2Ls`YKM4e@lt*IH=gl4is$?uvnZ)WFe2=%4p_@)Z zbn5vH>tUJ6+4~2vH1x12y|HuW#y_HmkilSM{D<5-oRHJ?ydO;HSLDN$RLe5&_DNM- zCMr4G`3@+@McORh9r(TK6hF}(sj-*OR(B_0_Wm_h-@UuhF<5(9!9e;G!<8YIwEFoh zhv7S-2O;#nxu$0&yoJvV9bEgbKk&U^`X@ZmLGDBnBsrwr`JEgKEmBL@($_xP|B+mB1p z7(|cFXOh1et5xo+J;yVtmu7*mKax^bQ$OYE@r50%-QKHG~PmHJ{6l14cppoVLt%hl}kl~NgEq6?@(i4mUrCu%k3hvws#Aeni> ze&RHtTF4HqwOJ!GsbjPo%{BtLG1FEx(Wr~1xFkiB9nJ1f#<|P>#q5Or>tzRVy4W)1 zbMjxMTLIM&?gCPy&w&wf1!mHz$7b(f<`}hAAnf%82>u@>7`kZ#MG&acSdsYn*l`OA zGlN(WB;jpDJ?;_}|GX?AJ{kvrbPN^$|gO5!G~NVV9?6W2T!y)YB+IbeB}#XS>37==yJFKaJ! zIebhz;D*$kywt+JoNOgm{`EoxKFx%ypsME-Plczdqd~2mx%o&>0B=y?(3ybjdQS1S zeseOxMW^7v=}vvItlpo_@0~f z6RS8rN*dg~_Sq=QW=hym&b|*}-69z@MfZ@Z5c~0lN$Xdg39z)}e8he`A%p|Ma!`v` z(BnVd({Z5Q%M%MC{cyEZ*OoeX#ePat0hXYD(|l?u3Rcz>tdt_XwCA-P6-9lN7qx@x z76;KBg0nPKTEC2K*Sea$G_hfs@L49K-+56!v(_b7@3RE!$9MC2TZS?!Bz#JEr;o9w z0EMVCJ*`$H_A60lWhox*xhc)*iX|N_3F@mu`KtDhI8^r%T?(!GbN#Mk32s-YFO1Gb z=3L>>WR-p`!r(-Eo*yeH*`X_2Nxq(!^o8YstO~?fWhJOh8vqcUQPyJkWk2p!JWjW~ zEtekQe>e9SO4CVc!^&@ONig2-fD^;oaTzbW6G)fb9|*%0MepN+ztJUHinGfas+5)q zZ;wjaDNthNC~<>BJcV^(NSLmwh-uhvk5A3&g~(%gNA;aw4rRw&kbchh^5wKACN=_w zRn*3J73=JUkdPci(@*9Erti6Bveb4Xr{Y*1UP~uzvdSBTIaEZv+7;z1S&-VE{m87? zN(;0yUoCklGIoT(Kt2OGb}e>0Wlq^f1Or^_e3xNyl~$lD*4E z@i1t>w!j`0_KIRk^Z*@p))yVvc(BjiP7OZxS36Vtz>(Yl0fRlBrs>HB2OV9^oogDY z($TFe_pBe!Dca-S{TEt|i2nOZD%!4PBwfPHEl(0#;z7p4fYowY96`eu_|sG%If5+UU|xMR+`6zRx>la#hMHi36s*uL=*T!(J0L$|Dri(y%5iyRHGIK-(_N{)aUID6 zw1-RwfzZiUYWzlpQ@%OV2F|qgFB{eIf1cS>OaiXLy|KI4sl8mtcn7z}wyf}b#ay|c zX5C3&NlQk1LQMMT_*N>-2>@M`L=SRLE)QLvD|Ht~@D%pk(PriTRqy%Wd$_C&=X{3d zIK~yUJVE~NoYGpR9BzjLfc+*w;sxj|fTCt?6j?P(NVtKm5~1~1938%`YN=E~ceRR4 zl>9mJaEs42uX9c3cdfBBw*4p%{$P*WIXn4!>+aAR zUTVm4&A6c&56Ei{Y%qhmKO0=7#nYX{c(rLKqm=E@lDDOG+RjNmtmXz?{50t4e;e$X!TA&~|GxV=Dj_%OKF??f{J=g& zr)Y1Fv~oFadG^{hV9iY+cqg7m_4FIwok3IL#qv{2&G&+=S{hA6W#4}NXrlB~WcM_q zv*V&pb-z^SUHB*Ufez_pS0eNDlfp-ZUq?R(sL4NViQ&;f(^@!Bx9~?(AFNClqTXoc zCUn0!ep&OApjd`TI&AfVDY*NO|Ge{Kj=&-VQYkCH*ezC>*u{-s_7DJp$D)xcSF!Va zA2Zz~=ckv6ufE;Jzil&3aTKztonLq!CeK)H;sNK-!R*1;-r5!!st4>i9@2%#``(I$ z)QCFB)(oqq26!8fWq9I6bSB8t5N2%ac)*J3MCB+Qo~^1he&ggTdeoXH+H-1-_+S=CoSfWx#i=R$UPicx2&TTexQ#fT$PNRfUd=k5T6m_)d!4-? z5||R$T0I_V)g~5{KrES-8Cc`-!~XNSRQ##mc({OMCe7ja207qk^QS~_oRZgsx=AL`^VF6OM_uGnUD5qfM2yf?a9hhXL+$*MX~ zEM~E>Jbaq@%kx*5Mh)r_cJ4Isr5RNl}_ z4W8r7MU^rBr1O}~9P5Y}8a46toQ6wSXBBCc}Mr3(1^d*Y^HJ{{byzTy{Eai3V zotymLp`TwX-5b!=TuWTwasPe)*fF&;y?i9z;~%&J74`+#lAju!d)pZr)%p+9t85^; z6Jti}XJuv=YWVb9z&)~9W4z~S+30SiRukHs?a~V5nRJ=qu6yyYrUPbVsR_{r)=l5gviw>S|nAW-jap1$#lYYM2jqJ21sWYj*1|L%2#Jiv()IFkPoE8UR{Tg#3o zM(gw72H~&$7q~{pxwS6fellMy^2AGr_!rdUqjVXd!zNG2_)8A47nq>+m;&(Wuv-#( z5+VL)E&}E^U1bshLEUN|Uzl@#4Hno}EXmU=tpD_7yRh`LP5(C!$aC#P3p`SF6w-)U z&Bg9a!!8;66V^%lD0oL_7wzKy$Hrpd=(K+Uz;++&;j_SHFy@vEE9imv=lPx2ch3q# zz`Eign&l;!&i(qsfohl35rxIp^}AtZiY@@6mM_e4FhWcDsk<>zbOYS7<=qZmpe>gM zS9N$w>wR;|P$#w@{*-tH$TT+b zqyFJ=ypxvFsAUu$ih1`Hf>uBhz$9)@@^7q`p)h*mb9#Y=$3=*Au??_2@fuL;CQ}4RlpwBGDFnqjoFjN@uS{ITAdfnlq3UB-? zcG9DZwR#z_Q|Y{7RUr4zZOz^%EoA}Hd>@l9jXQ5djaNl!-AMI%%+!@pp7F&4Z%mq* zs296_w^!OoTK-gpJlZ>tUtG!O8RD+y`jB|v>(Psv1N^fMT4{xoZM+q7$BWDwrY+l? zu5kvnuFs=~!`3~$j?Nc=riLMTKK8a9EDCkMyhj%u`;1H6!(k?H(Agx_YaykOu}rvR zjY7n7ZA?x}^l?o(>dS5oPj1piW5|8GikAP_=e(RNd-96+Cw^`hJ|D1((jX^;r_``Z zxxcweuH%Kh{Z6-;$H&LrY8F|s*e^@rU7Z#DWBH-rWNwIVSUS(jeQl|I6>?s8usLJ? zTDt!B``}N%kS9Kyq+DYKi!56h7x&U+f%53nN~ObA0|)&t3+OXFXLRQu@)?yX-Cr2A z2-@T8DY%lmK3cmT&2{kMZYU>rw0fEAvBwXszOuZV^0t5PhP$a4fC9Ii1Fg>ZhP?YG zFHhT_Z#p%*v+Jwh=U`e8_%_Bic2HJYX*D-~NA{F2Y^U*He?GddpiFZw!%-YayRrPF zXzw$pZisyck2Ub>s+XX_`Rz>eyXCWPVH zGbgP+-r^-$eH@waob2m+q3qII_J=|IJ#zn_Kbnu7`o9Ph*hRjpWZw$V5qW*;O$CQo z2{y<%%CzWwYxwh79zq&yeY_itRU}O3U<&nM>ZBn+aarWhvCA_!g@bRvkhPe6t!GRj zY;`A?w#bcMAWv3UPn!Y{Kj@I~E>;z?G40V#*-qn|%S7{`VD)X5TukiVRp{k?QFQ_Q z<6m?6OQ$a!C>K8hIyuW=@Kk5P(|?J913Tkc-luU2P8*o}rLbzr0Qg&ENKR%Wg_POq zq6?x82oZdt5#6*41J}TwpBFvyO#j6d=lHYpDc;R=`v)R_DduL8d?9HFzR#)K^~`Dh zvzO=Gu1w*>;AGi_qo3}h#bCxbUXkh&knWxlXAk>_gK47Z~u`j{uU(;4!p-R86w+xg7r|ANQteFiPy zpX{~rcwD4hy4S9~78;3W$b>b{cN!|rN_L>t6H z|FA!=xOU&|PZA`?BfYcdLo_V<3DiSH@$jZ89PaUZ`}o6y{1%Kxqi7H-BB)8VC_?iI zbI1;zr}L)dv2iC#ef3#9MEQhd(TFVQZL`4-q{g>hs%Ccy%dt~6|6B8)o^$vyC|zR$ zYHO-Z%Myc3Rarfq*&ns_)FM`xg?UUiu6D{IyyKbVug|_*n#Jo(?41u;8+6tPq2r#tSRTzrc7s=gF?k~^`6^~mBCiA>eloig%BE~?t|hKWAA zACeKoisW@3%rUNf+4M!Y?QYe*G5dhM1SQp}ASi3Ydb7ao%><>b!?>0u^q*5AHxsS< ze(o@e8t=&Nb0o&w_@m#*fvoS_+6LWg-errj64?CC*;{tJUPRv| zc1xYM&FbPyJ3BkU){U3(0$Y2^iY2n}acYB~Q>cmh(zyaka4_L#)vn2#8*QB>*WW6H z_c40wwa=_zw`-S-4_T7p?I70tlHTD4UcCLR#$E$zY!f+? z?e>^GoI#nncsQNsKLKSH|MCL^Xi6A zZiwSPp%}#M@e6HZcCR}W%N(lJb{&43YE?VoW(BIM(S0fc>$#Ww!PJlC3Ki@O*qhZr zeZrKo>EP3X$qn!N9>#`N#s>kQk$MjL5vvE&=0ME;;UH4IMV++OE|5%cwRyn@S(G$@ z@#HYt);rqR`gcSA^#{tAXO77%$Hs#z*?onqItIKLHl1w@Scxef&d_!V9j@`bixP*Q zBfhYn=)pEGFne}W*;gJWdR?h^4{*Xg*qAB6_+8twxBFhF>HK~AEd^8riMkG*t?ZZm zbY)5W*S+wrp!f+{R822>;+3p5Zi^px-6Ht^B!6&5@*zrYKjF7L-phA6Xu*}ny!$KW zlsJC|3xhAaJ=EUG28Z)``~dBCDvDHI9-0g0*1A(zJBQy5dW_j4_sGJDwG|Ps)zsir>kMnZZIx(=#KLU!H7C!q zMev1#9E|2GS!n|(YJ)}gludeJ9b&JD2d@4Bk0cfyl8M(p7B{~0<`xYc<0G@ko#Ms; z!pLJpNl_JpdYw4Y^lo<%RkQvIO0HfZAee_pZyaVwcjue&5ywm%cphTX{w>W8am1xX zsogCH%&Xzw>c{Y$x7?UB5RE;u2Y2@yjIRKh)zaDLnd!j*bQH}Ty+U6lOikgL3?2++ z=8&+jHuHDAv8sLZ>%&z8wW=6X&HgXvguj=Y1p~Sf^o3L~W=r)n>FoTBbh3ws0l+Vd zSbyk+?m=rg=BU{qiip1*96 z7vy?})~)3vPv}CooH)d(`#fVP?$3;?bHCSEpxHJ2?M9c9-}+O`>O4ym$W3!A^IfXh zD0YAbk;}mcYj}4b$GvF^eHgx%>8p&FubOI9!0fq@KPtmr6|wXOWKU6PUCfFLp?0^o zUI&a?`A)ZQ&oy~qJgX|DBGso=wNYhMPw8*4uub?@_~d+HrW-l5&{#o7hCmt-ec2_Po1ysG z@wSPy%{5d6h>=0!xyKGAkFO9C97I4o04>0}wL7T`i(N_c1*6^93sCiO zo?-CL4w(s38=~CMQ(pKXQg^zzZZi-YWqNREFU6QLm@nGG+aI>7MdBLwC>+nD>#qO~ zsjAh$_RX5zNFKt)E>by8hXQkE)NKW+L6J@khpJ3zz8M6Qo~u<}&uIHr$#Ra>=^TtL zkQs+tF0W3n$j}ZCLgt!?AyQGjZ$*_^q-z9=+MBepF~k24u`N~Xy}hmhW+zF6$RbvH zz$a<6yDQIeX#jeyy%Y8IkM(S<7kx5c9!xXzedDNr6wCHGOodE_DPmtGd)20kL5I@U zo{pf_2Qkl>UX-2x$^rn5(Qmy|DOBIo${km+urYrmuyRCQiPJfG)Gy4)u8&2eqp}0; zh-!34SxJOOtc1p_`*utpwU4o9<9GqU-@CjDl0W#%8LF6HRS#eYQQ9) z2W>HXdl>S?nBEs!TZMy@1WIcG>hPn^VWZLb37po(A$lg-FG&H-o_TvDtE7c`-l0F^ z5~e?@A3m3DQ5GHjOSgIfJ+4$v5KZ{n?mx^};^reI2%Qq89CG6CqW=Aq%(DYWp5j~# z(Z_lrCjtzND{I8GylRiAx!6wnz0J)#1eAbDv%*{3^3-#XIv|rlVqbB_fv-wmsZugI z;}wpf9RXdFBZxhrW=H8ZLRv72SRt05G-3&P7pr*&RbidSKX;v_`Q`cTr;?Tr%lE3` zEKmB{!GUjm3uC*a0PDqaZjN8sXHZfGooh56d%cOzMrU=M$LskNN2L8dyjjacj+EmA zRoC&R(ctXwAmvtQ6`oNqHS>b0C75J#cvgiP>93gt{^r6jdD=(J^dUyhy?@Yv z`Z132)yji3yfiIW-1=4Ogl)cs_;O#Dd0@+J#Z;^H_slH+v4Qv(!Lwc22Tqv@&91Pq znVV_9pOxjd7|4@i@fc&DTnCS&t|;Sz&$m1!Wv`2#xWqY>QOZBty>^dOd|hkV=;*|Y zlYo|ZE^=*qi95IYNJ}=W=bL9m(b=!wTeD5o@VV-BscpF0?<(-E#gdCSl%6Lf$?Xuj z{?d*{N;fr<`>Q8P9)5n@q5QG2=aIZovq|(_t;)~!YiKhKPeHWKXbVrwH{^Ji#Ax9| ziDm8WD6EQ6f>k2Ox?4|^HZjW6{msVw!Y+%*L=VoFSCPB&SZHjF|zSb%~&y;AV+ud1xaB`4K_cSd_RzEPr=7kSk1u9IFE zV_!4*0pk>PmH@H$cd~BKy>jwY)CNqb-&2h*Vf~Ja-c~z z9&J|_I-V!>VLM8&r|S%!5tr&ef2PN@`1T=27FEU?tAZp7IJOrc5KjC&?NtV>T(_Kp zZSRrVZMt$b?Y6t@N$ehDC(UXttAT`W5D<3Gk83mqw+J8ARXu$uIF}75Dr0(aDZMoVNGq%v*O=oBq;I*!uZPP-4Uq zQjcd3r-s{gxYk9#+V<4n?)A=^i%WhTWvYprx+65WW=;vSwJzXCH>TIU+VFT|*8U+R zKBK<^)Ey+>Oj)u3RpIUYg3Oys4aDuWh$WtbAHH6Eb8{m=$TsONbwG$xstEU@`6A=K z$U7Q;wGBtv_oXf0xf}U(8lGH4Ol}iTGf`R7Z#|se@~%KKev|4VI+6{J`o*C;YXsp| zZ-u&Fp+S-#Z;w9xg?v>z`@PG9{>iYHXVnY1t9X40o7+{KO*B=go0<_B^w$&u!R7ByU1VXl!5+u2!wLzJ5b>q)P2h?fd$Vw#e{3 z^T++uHF18WEsS&CaYzqU==wQpm*!LG&3o1dr(~6jdQFGdr!!ro`g7b9W2tY@VX2=i z%&>i|rp?_fx4X=R&iT@`R&7{3ppxd2L{ndiA+gT?Yb{ciS-GMlYm!0@Uu)aSia!=v z`6DD}B*6+!P+(j-|0V+7RHj6i+8gV?;cPN>#e>CJPY$Crv5svQLCdau2igr5Uaf9$ zSo$;)CFI0^H8>r}8Ttdaz;N`D4(Z&Q_rC%xtI}Lx55@>BSWa6MDa|c_rb^!iI zvYO0JP(3%1wh_3J3h`hn0!lhxg-QAs-tgx;L|%+x+U8xsWKSQ(W6WO-ipRL5 z1)xif`0*d8e|Su)SisZ^*|c(v(mhD9^(FcVuWkOyj4T1bn0sdeHpw;ttUp z(U!IiZQ!-Rxt8DlTW#=%{JBbG<)=dH7> z5hO=2%8BF6158J@|56Vx#yY2LF2ZL62?>SXLl|T*C{bPdj1ivLW8gmk0dMQ zUZ0TE5>b_j(mrsFywjqjOgO9RF?K5P+NVC`Q6Y&(xaWw{2dBmmW-%kv{!M0!_>+gqFc28`Ir_sVAIZA1$%>1 zn*Q+AwN1>Hw+4WbN}SaaHX)B%)r9?Zs^DV?WdQ*4sG0#oi^UlY)9^#0vc1oNc!ZuV zAL@~fZ$}3Ie;H{0V~Q_iXEB``6N}f(h$)kk{#SZ)=Ia&LFVDzVO*=WXMpCeb!NP43Dl%#`ZlMMG+=R49M9If`G{U*j z1iE!lYA=ez9HFfzbtp$oruP0?huY~Ds5CUqIeDxeiJt_zxH241MivKdr!&WV6>B|| zkDA#cSEpg+#-5xq=gy=O$Z7_UlDbAQ~&wCp7ocG`IPorNF zf-g}qkF|M`vYQDL!qhYD+M(=76(;e0FrmK<*|{uxy|Y{leUU{Z@1r(dHqMFv`1ZD- zKxiDv48-c}jKw4pS=ve`dOWb85VXqtYHOVyU_C!-SLuiTea&32*{I)jLUFlXa2^`N z-y#mlxQL^VmC7?+f(F;Efb%*ZDUmNl&Q+G=u_Bkb4NKm@{QytR zV6z6hHwW`P;RsKOd6L!?4$jKm>C#1txq+scoU|^FeQM&0U4^@sE3CIG(w`7+5pp3g zs*P3*lS!p|LKlI|S37EFfH+=;iD5@Ty-O-U$J*Y&6C3JTvnhdLwx|&}wY-*?b~WQQ za021yakitCmq0uhD$39HiFYL;aP5D4mbyybND68o1t!IFt0ecs(cdYj_pIT^|gNV7hbr{>7L8Ef4 z@hRHwELrf?ju?rXti5oQPY%nt>-bUjWpLoAF}5cF~S( zZh?==D{fo8jOKsMO1u!rXcYJ-D3kNyUJWZIle^^P$-wvbkqM`d_MUiI4QHu;y#icn zz$SwNmF5bP@5)MYgU5_kWli%f&W*opx{{6(rRo(*0X1PA`npSP_h_-WXRYI0O{@g7 zdrHs6o~$M-RO)?7STWG9sC-M|SZyh53bP!|A7OjXmNAsSh@#NP4JAcTorTlOTeTae zWF{e%1NO9qzm4O>rOQ(zv;QFVMDxb*hL_8_G5h1qpD!LT1S#&|cWhREtFL1o-53o~1oE7_cy)KV zC&u~gLk&_hzsGeVF$`5JnYn*LFE<$l5h@wnd?a>E6;pcDqaY1SUwgf49ME7Xlj2`S zU#^c1b)KksuIyC_>Ds|@gtJ`8GqJ~VOvxo9xha>r3eAnXhH7_qjFgV0AWWhGK(Fw) z{35;p`LX+V%-4tBP5i)R*OvB6%5(d!Br4tNVHsC6$(J~~M{4#CmENjO+DfXC znyKooRu+MScIF^F9DRQmRlTgqan;Et`+-0rz2juf-JCyGGqheUsJc#?oG`sJEbx6z zy-1tO^Ig5F(0Be2@RsC90mrk)8-tefWIlgyyhry$Yww*F>4a|8^LL%NPv2Z0HxgWp z;0ihS<=Fn$2an(TKOPlSfs;_44OqvI;kf2R0)r+pSvAfm9X*dynK_iJqf^iDFS6Lo z(D!D8T+Iux%{m;s^hUqq(<_7G67C`A@kH-+-bp)cUd2~74yW{G?nwN%-wXbbTSFVJ zc;)bU4nbF_y!UOkiD_|AVTX!~2O(%avM5rd}Q zC9N(gvvbwSUc}`Fdw5=+ZeSBprjB&a`3C?_Z;3Vf3NrEQxrLZ4QY+?=lZt^N89W^~ z*^fzQNO9}@b&6_qb8Gi3TRW|61XST)IyI0T{B*>@TVpu@F<4*Jnd0)e!O5CUbDyS4&+IP{F%k#6@Jzh*m&9}5V}OU3 zbC!Y4noGN=#n4=iHDh)!*~KfJwW)}D=Xxueg5(U?+Dw^6a9I@X}hF^kLSmX&w|PciA#@Ae4`Vcaq^j? z3A^?2c6o@dL&7ul7ZZfPUS)1Zl%*KOe-ODJc|+jE^YoC!pLM1+UwAF19 z2%7>2q|kvC@%ExB%3G`=dMYDwZ*@Y6M?%3e`7w@!!ZLCUU-kX~)HA(wu(bE2=Vs-n ztULNAN4^1^aWO$)yxsL5*NDfwxi(aWpb^iq3r|>;$H@(pRfH|=D(ag3Jq;KrVVIYF z)a6xiT1S=nMRfW+EpTxBQ;5&1`LLVs^~~adn@@y5L77v>&fT&{fP*}&lfFh~*YwUV z(wCEqjS{}#)|Lt$IjM)MaRm5nj6@(6$V#OAr;;%@cLw(*q{PEcD4+D|6l_mmJ7I7~ zRef2#0YH*^|FLvUk_Xo&qok@e5wVsKWaW_{8r0spM~X6DE<{ahqi2%=yHVQO9(vA` zE6IrEHHS82E>D!s?b$*P`7sr2ML6+RloY&Bu1yUZ9`^8}Nvy}5M@Y-xU*sgh=ahMb zkz9H?E+U^@j%P*Hvo};ZzKzD)a?T zw;02eu!hL9CrNysp zCvC9}KC0!FeoSFD1q*XU4_z~U}W8sl{AyOgXrP#c)4-J#Q?0n)n}T;aM_7MS{` zb!}(6DXMcR9we<+(RJLAydG5LTnO!Onp)4irPkgM3LBY0fI#UsFZF&D0YfO`Rn_`q zcwY$WlLXoV1hr)?klXC0-l{bK1lgQA2kU!ZIU`0gxvl2%s%fs(30`9Q>(!7(hAP#6+DF?E~Ium!7*V^|wWlmAo2cb6MdB znJ{wg!{@zURLcuTKCQaXLr2Gdm;(E|Etl-WBy^N4dDCM|H1#%FjEyQKJ}ys}u$^hY zAn9G3zvA3Brj9j%yBq#x+A%kXQ@3Vy;9EJz!6&wFUgjU?GZ1&s7iRQMCiNG;@pu?~ zqp0c2lB1Fqsd-^34da{EzDMcBx5~swt2d-xJG^zppU!$EZHwFt?7qnH!SCZqW~KUK z^cYXXq}SGU{V%mkS?8V3iK(pXSJ&J2n%QxP|Hj5;z^6J|*+>fRgRMuNN*!E$ozL6i zyRzlp?jG^@ATaHv_yW`bE_RCWe*666$7Fti5FtO$#|tY+5Lx@xBJ`}>j3$oE9LDYR zJG3s((LTzr4~53EGv~V$msp?tt1&`-{b=kkS_wn>ZDbd)^i1uc8m}UwT%jM2ME+3} z4-rx+MvwM=IsNIs{XEX{g#?O4oO?}~VgBU&^UPE6NwjG{z~^>A$O-(+vty!rAU2YJ z-)`Jw;O|0iN0LNxu<3#{>@p6!m-J&;B#SZ~lq;LsQhS`V$`+@&-X2#L?<}z(JvC~E z9X$$K6@PwNYrIFzM&4W5AsqZU$u-%@8-ssh8FLScI;kI)jQJtnNV}Pz` zvKA*Cupe1myruAMGlT;Cp{6o9Kq`v-K5};F!I!hUZ0a5nn?=?*-P^;b9~2U+aCT3u z6t!7lm0i`dIrHxf(!OuiGy7ZC#xkR#r@`a>`*U0f?;npC2?^70k75ID`xMewu(vU^ zGpnTUoVbzhz)4qhI4#NW)%WlN^%ck#m(}-#aI;54RNyYXYjY}^Z>8JJ^n1>v_d=Ov z(60Q-fs_knRf;=S*~B*f{S3$aT(Zjc!Tgt3&wAcH$Cw+(3zT3#SX;PxTvGj|XyDo! zBOM{~N~3J;#>;`+oiIj^o|-Kp*0~1XyB{PWey-t*kmai{oF6ofXYFYk| z&V3gdy3pm4yn7PsE;dhf!ZMlT&b8FIbMY(gR}!rbC_Jt!5o-8vZ}_D*xD32Bq@~NO zPZU<-zBNB#_s!h&Tnu(t9G3JJ@|a3yPhr{KG9C?83M@P5qq|(%q)fGQc`kjdydTj{ z?{t6VoBp)d{erEy&1}88FjNt{_u)hnoxDwP8VljEzdfkVE|qd03&m{c zpVy$gJUc*I$sly>nf0rPR3t0&MsetA`VrUacXu%%c!QR^+7-=BMvpKBlbyu}snx$O z?29tD7fgLv#?nrhF?F6FpIIGj%sGDKv0yO_Em9M$&y7p8ybm@2))ZjGt-RViLmDBi}(dp@+&Pz#qj!T_aZmi@Yhwj087Okc@$(B3iG3=}=9E)s*pzo484y*I3G{ycHSF}#K(aD-788B5Z);{v z8m{FS*P{+PqUW@o)p?%5Q;`YMjOS4ZE$X{HQq?n%6i$j(PNvVE40a6cmgE5dE82?( z*pTfsSa}53X<=(lhqsC4`x!ic40=}%HyRXmd$1jsz1{o0Jcwfpw`NANYz>z2t%Z_s z+c6bp#kFsqH?Byfl>z=5lM^rFDu1Es#aR_FSgt`uKPJ}b%5Pk8rGJ5@0o$dAD_uUO(Y@vff* zDu-h%DR=J!k#DDgO~X{9<-*z3Xs76bEZ$o&AGtN#ThBMs0FB~+Vwi1M7gzHVjz#YaoQdWv00qfc7Sj%8h^Hag$2wD08CKZZPZ zej?s3CV)ZH^P%WaY9vudd`-dC^*lo-j%n_Egc!F}va<9FQv3(5Da|yWad1eKGzBim z(O6uSgD)vnh(kvaN{rpL;eOt~mL{5GigD&nKH7M|argOXIG(hg||P=})++nLMLM)T-aG!YvI) z-R>yZi!9{v@82u3q@r?PHqAVqb#ZAkQRCf8os+6)rWN%Hnewt-h(HhzUkvz5*bV(| z-O>oxKY9DV{ZyAv->HjSb~)78&stby4UdOh_+pUeKXSbP_jtQ;+uJ8Eg-P4frtcr& z-O$)OY7e&n+X-=;M;-4w6|j5su_r+iGofwb@-nFjWLy6tFa3(oss?DmhB+UwhK0n5kJbPAl_rK96h6nn_ivN#z1-A1tEywu=@W9si- z-)r6}dMRa7Jtc<5k2onfD!ihDf)+gENj$tgy3i%|pWOab!{bl+K<2$1^KYh;by}Ek z;;?}-@nLd$;$D6Su?jsZ61{Ol#L21Xb;G>}LR*z>UOxLvLKq_LmNpr@;AgQ|?YuWU zYPOW#miDF$GX182ZM9mDs(9yxa_Frg-0xq3@4`Wk8ptQ*tG$}>TH~9)v3fZLHP)VM z4=mXPBXcdwnbG*Ypm#f4T{jO!4FTv$bg8!5>N9q+MaRrZy)CnC@dm%Ds~7ydVa~O` zp1p1jM?U>!-5CZ#JWJN*!3gDNop?NIos6ip zcd31%V(7Wh&+<28cQ4(gTtBjFVmqZRIv4-Lw4!%XMQT~pIPGO~lQ7R-ol&RzJrq5p ztm+5$a}6FI21T`-s`3Fl)4ENr*EoL!`<|LVo^kTw8L^B+S&^3G7<6CoWAMO}rO*B0 ziRHG-cZ1bC1eO`gkJur%VN4H*@#IwEV)CyQs@732ocfZZ<7^MuQ$nkDfYMR_zX*HJ zXt=vJ?0b-qAV@((PlD({bcRHY-a_<<(V~p#y+$W`uOWyYz0VMB^dOnhdyPKIFb2;* z*L6Q1p8HO1!IlhF}?sZ4W=Ueyc3im8707u2uTc z&MzH)K~2PaK(6ha`iW!TXq5=*LUY4#ZG;QKk+tks%2g;%T8cI>5^xo5re+*fI6>2W>j1`HSBj z>go#}&Qz}rF3NX zoko4!Hy$bu$%k##JRIO&)e~Y$?m-_j7IK|w-AmS*(lZ0My6qORsDwRuCLhtQM+7&@ zQ)yva>3n&9P5^3H@Vi(S&ZYu)}Z3NvssxRNQ#^|8&i0JeEn=>TUUOuk3MSX4tz4*0Kne!?|G8g1XH&dEC$S>b- zvYG83O7c!>vy4|t`K%zGR|+y8vWAJ|ZP zD21F-lpnp_d)e31OT_T-Srw_@Z@dxQ7BJD)tZYAhB)ao61uS0S+ZsNvtj&umG3Km* zEyrksTbxs8WcjoxH6kn)jQF)A4^T+O`p-I}-Z&C`86r(bK?Kh{SVc3VL+z{BT| zupANl3t}_g{gJ2E{H1hT=pEW7kI98{sP|z4i^2P*b^-|2XZwi3*)Ubj=}*bFbSTTs zZq7f`S`nsZ8>t=-Zia8bkw8vMdB8{(s;KAp)CBw`=TeRXQ;x;m9^Q90(i4X-J}y6P zRtZdxBkxvbsXPS#5cx0lhe`IG`RBj-k54hIL|eF>tXj5Vj0h&?+5|(GA&_A+)9!6D z9=GhR+WBsVKg&)crGTQ7cprc;%U)|X#`*?xyr_4}0-6sgs#@laS{kiTCm`LO66MBu ze$2i<8j@3M=aR(Ve$?QazRyhv65eYni={o?oA0qut!39B8X~DuEYdab_-?xYcmFWyJ4JDPFM4hFnQSq8d)nQtqeq!X#E@*( zA1-l33WATM3+N5}k!ixUOM@x)^N&W7g30an&Q2EwlFL>zXdQmj(%G&>3Q;3q-Ww9n zZH~U&xjXsm$v-mB{N~5|^lyh_w|(1Nn}<@tRo{FE^0k#_Z#fDuZTzjZXUnzl=g&=a zC>Tz)^=Yx^W1)7bw(F4I!W;IF4JxPZao0W~zy0FPPuItfm6vn8cm8zDMyy9=VgfA{ zeYl5d?vWTeb8HAkR$kKY!E-IW+sn!TOJejH~*aF4Z+&?<37A8 zqk6_DMPs3E`GnHA_GPOm!Qq)|S9@;IvoUu;(<|ZOARj0^?EUW?oai>eddo)TOcbt> z;e<~8H<5|~!z@=rk%u&GE(v%_f+;P#;Tw-V`IJmb<#39Vg+O8D{7U(o+7_Kkt=9rO z!>PHj3pu5V{>lZZ3E1(!OOy)c}w*(t1X+EpsisYpmEu3%0s9Ue7Mo>9=sh9O<*wmlFJd2Tb9+c_0bdG_{BRBoG- z(AQcVoz-`_Bqv+NO!k03aW!-(O<@<){by)T4~h7oSKn_gtlKcxcBZ+e(Jxf?GusNq z2^u5sr$0~PFbnPyGK(?~Jhs^suzXlVzg!Lv80hj97$Inm@q_`(S@Y);T|YZIr|n=btf% zIo|S?f$-Z%tXaZPXk`o5fJR&Twv^qkD$|8zO4VMI7Rc542BXaw`ry?tX4kul&fU(* zf{j=(GAK>W>S~oj9oS&y6>IYHi*?x`r{fvaOof9z2ii!(qH7(8A2_71t`-`B7PqD>B|C5xBkqat9@=$LYglA zFBvp9HdVH`doP5^K`#hQ7?1!wonuxF*3y)DOqtr`qHoshNOePb6$2+s0@$)$@ z60qR+uJlX5?1XjWbj+l5eLn{VIE$)k`U10mvAlOL zr6ov@uHO7y7=U`g6rw%!V83=UP5m$Hz4s4M+rjZsHH=bE81~Ia|6C-f1BTRJL+-%X z3wM#;PiX-NGZ+&&5k13~z><2h}C|=_iBv8`~C%pk}JNc~Lyosw_T_nh$lxs)S^n(tY ziDVI}=>uc(M*F`^jC+>HjhK8alkCakZ$hFbfeVprMs_5@9Mt@xxZb7&* z_uDboBG;gV%bEpsMXK*G&M=cpdSsR8*{yxrn=3s8B=%sqkiOJSyhFsed_zN!lKa#) z$uZ^5tknNTG576K}=Z`{L&DD&R=su8#(v zA3JY^F65G*w2H5f6DHM20s@E$)72}T=JVE?aZWvw=wfU*7I#Q z(F5Dien9+kCNGbxaL;6oA=Zl5TX^Nlb0Y26z!s%f0X#FKo1`& zp6Djb@ADM5+whH#3vGRK7?P=2l7h-?2ZMd*{O8#~Cv2$d==?T{-~^0~Od}y^)u+uo z5GM{A{JApJ?iR=DYO6FnutrIuVf+DA!e0LY%1nbbTVKAk6gN=M`LsYK6tYdgs;|#!(U~8@@3X9j-uyXMBj0I%es__+ zvDfFuz*evTqmKx3iFCQlW33>8zxDmOQ_}KE?;j`0w{3VUZ+SeJZBJ10(a})!sZ0`| zbF|GEpYOrz0LDeWST1Lnl94ZtoA>db3Bhs=B3fn`&TrvG1lRGsJ;P1d_V3)Xx^+$*iq32XY2g!b^U>{ zr)aY)nPWbaDFM;3JIf=I1ojb8siW~kbqUrawUey~AT`48lEINll2dgMH{0yI_Ot7= zi~bg<4TQ{-Ws@e`1e)QAa?eJQMcSz!IliZ!Hs1QQ&4;~i4zRrI_2FDz%=`?SE)`~2 z*c8P(u4+7oUB6&llr}!^>F15wBsj#L_)F(_EVHxUBJ~*SNfl#aDs*j~_scX~4hSSC zrYUY1D>k2}NokZQ-8I`9FU0n|ukbEK!8dJ>kZ3Uf$ML6nH7;8Th06q^Dy;O})Zs+! zxE7;4_0{@tPVodXf7ozm#@&OFJ$F%E`{8ck533iR{5069HJrx-LfuHM452>;c2c>% zr_DxATNc&DDlOKh4M!tuFC$KF|6GVys37=-UlVmbZvE~}ow~@9M>8fTtGI?_#``7B zA=32q6`j;6z@^t4`Mx1jLPbZzBOEx~6MW@0_nL?>e;OqD| zkJ(ynM#zUD0UqFok7!S?R2MdpYT0YMjm{1`z>nnj{x{@(rJ-pWc!RV2ryPZvm*_g(nv{E` zNm?iU0Uio;Ug253^0xjQNJf5_rj#-);tg3|5D21=e*fyGi<;<`h-hUT8s3k;>e!_U z9vDZK>dU+(7cNOCgj_zj(Oui#DE7xuwBqFOwlVqdXwQA?^)|>Ll{5FwaH9eu?PDS& z-I4-bVs`0O2{~YB-Mwc%^XPpvzL+1*b507q>bxCj?{g9q-~l>L!}Rm>{qSzOmegwC zYGfs5V+=C8Zf-`v`0Kg#iFkm0g?I)5UH1M_aSECSCJKLQXmrvsSS)AyXc2v zd8bu}n6J7gAGBlymfz^m$(<8ZerG&HC!SezRAhCA^H?&~8T2 z!dA($hoi>sx0ZgzluWHIWDvc^2{{~J<6o>Nhs+8~i7kHS=DI>fU&8R(2&UQyjy9pW z+<)wr_`P+16ICdJ;vJTA{LY;$M)aiM+nuqLDK~l}GA)tCuF6B%1*1#mUsR|Vnx0H3 zkm093SP&L}m!QHRj(Fc^#~)iBQ@`CC8uH%G`QU6UNOEGL^2z#;AJ5>_%Ml!3EbmO_ z7SsM3OtoUD z2{?BX)npPFCUm0mNEGlT0au*&u^#oB@8nXf9=sgHGoyYrV)AS~SG2ZM!uKM?&fMS@ z{gL{D&+}2U?LH#NmHp=wx?0y%3k!IV^lOb@!gC344LQK$%~j(2JIuk7AVt4z96E~K z2JVrT3q8wK$th3&G)?t%d7ZHRAZw=`V-hkznc6X-F7?EBf153-7YAAPsAx4|vCJs; z85PC&q>G)*oCJ8>st2#VINvJHU5k?;L)t-CjQjPZU;NCMi(2gnHc$k-nHInmB@dK- z;!i%&P97V~@O6kVahY~#-9-+PDm2gDS07;4JfAEe7iZkmFPW4)otz828u&9oEDy38 z0dGhwDc@QpIF$eVh-DWDONmN*Ob!-tl=RQ_6O)@Za%(2gpZmQs^43#DDc#_;LVy;i z$mfxiS&-4ko;PH4BAX#rC$qb|@A)lv-m(GSG%M?ji?*%O{v`R{x;eL*H-zvX)PT`R z((A78bhQ4Dn}pILEUz(Jw%hE!F)w3ig;SRHNn?x^bNI|dvs_P`s}t(C2$$uINo=o` z;XiZSu=@O_FY|v!urX9kF*r*be~w>-2a`FJtff1HR3M*yuv={A>KjL1tzU;Nc(Mgb zvmM&yc$yY{tO}p!>3#&7xhq8~#c-97sy1A{Uv~+87hJ5~5QzbeQIW0WcTJq>*fM z8xD=Dxc_`w#W#Z<{U5R=B-^yHQ;8HO6UynuRMo(R8BCr__+ zmS+?@sS{WYWAt;m^gW$2%<)1WK78x;GmpAZZ$Inkvoyc71X%cVs!^Zx?Nr^?>0Z6u z5HtL#z{)@3^m|T?aOwYgbrjtT)Tt_H$Ccs}_eQ%f<;ilhyzGCZM=_ixYRKSo%+Ab7 z@oPQb+2Y#r;=xxfF6VyyLqF`f-qytR(k!}euKvY1$8Z8_SW-G^vo{s^$Q)eW%tYO< zJSo{QxmQzouCKGlc<{~VdS&$0>lx=!F~Khk8j;(xj6J&kY>gW6o`4lP1AZs6~zJP>~-d*hKhDuE_5qc&Oj^ZFyZv zO$#|hztv_cfU&c3-i)m#nlf8@?u7ro(p$YF3yF>-T9k4woE#Zx}EC0+8VSR_bWG#E8 zLNyna;xk%W4%A#{dJfIIJoUA@pTWx-%)us_?0_1q@K+5M0v$eGI3fz)3no{%SW=o? z@a!uB$eh%^J^PHfYpn9IclRpVwjgH(*v3^yCb~JLF2Cjp-y~gE0N)w~IU?}mY;+1T z>Lh)jC0bv~bt+8cI9K0%#0)D{8F8mm4k#xpiDK#n_y-22qsO&a3!;+-bee|$)F&iY zEVfeWljSwOTEklzHf>UI@H`gO|AxV#mYGu99LT~lkIU0_Bd+a!v}d-m^_WCR*3GToYEy#4w3LZbF)TmS=s{U zn;U0&0{RKiUF?!bw(+~44v0zn*VyVoz%|Q&a{Dz?{&k1 zYj{r9c_fFP6fiCvgoLo)j>Hxj-m_KiQ4qse&jqW)u;t`1~B(nK)7&~nLk=8Y|O^*PC>imwck4A=^d<|0V`~xn+Ut;#=R)3~& zyE4+e3awMih9-I*t-sdhraTAo8bz{2o!6V}tlOY;J_j$I-1klRyw6%-b1^j@hwq!O zT5Q(_IC&e_iV80;ay`e-Kbzc4p?n>+VpL#$aw2moRv>di$5`GmEb2cJFC0p$nKum= zN@kOJXZEh}8O>pSC5s_k2W>zYM|^mBkmWoQPu$#*KS@~UJZZ*F|M32NqPiqEW??}} z=nhj!4|CY9DKzLq0`k$c(o2V`HVMUs$;TVFw|<0wW@ZxqkiUl}c3oC{x;az1PoeN z*su513>|$wyy{sJpvyCn!R?TY+YK{J6!{m7|G3@(7*Mpv>ZxD^#RiLX} zoM^7(5|$_cI$(rBI&^{{n)LaBx-S%WIs={C=gN#CT9%6`n;)p@QE z+kRVvE4S||n6jMZ%_AIEgXZM$t<`$UDQe(!Mu@$p|Cu*GTghg|9oPc=bp1KTYms61 zO{($gGUVuHJsfx1I(VxQNCdlSlazpDqc^l>-3;2{qjpu-JlVOFl44@1%JjaF{EBHP z+GurQ7{P<+6%Jq*hOar9=1EoCoGxAU1~y}*l$snE1FZ1DEzH!-q^FaqC3#Q>PRjbkCb|;5%8P~kh{UGICh>t$@ zc0`tr^REx?uNB5hX%E`IXJYmtK=Qr6qmwFt?hHJLvmZl0-|}>4EYU9rofoJu&)>3j zm89f^Xl1xHFwD;0pnxz5Ix0qYJ{WV7=Ay*i<)&Re*id1lL44O>4VGxIsg9xJK8-UY zP3gx?gh8<|GNC+K=S`V2;oOFG4^N*o|Kp+Jig=_C@F>|Vr887i#58+cpUD!UFAb%v zio&lmJ0F*>-EEASB&-O5Mip6*P8Dr+Sq=4W-M2IC3#!_Y2&~C7yKiilX1XgD*%-p* zwZ34-WG56??P*YXHR)v+Q&$v4KJnXO=LR42;>2Q026o3In%T4uH{&%FyBmDWt(wAP zdiWlf8CaVXdY$i=_SKBN=L3KCh1W}g)8kYA)78d4h|0V#fJY!~jMBObIbx z{`8UfQ<-j@Vl_aJi(f|9zNd*tMEBhrj#+0Dc(Z-3_p{G=mtM}@r`#>@}iEwOjJJOidJZuz|;He z!YKxPsdk={z$&c|d3R$d!76UdKvHk?hwQvCW_;RssC{w7MI%95W z&F5aMHMfF@pj32R6iE9et(lb|5COllG{UxHHv{`X7uDSppKdi!P* zHc!RQ*HRqT1L3sj8T*O1P&*xWVXo^dD;Q45zJ=gXdUU6Prb1nvMV|q|awn(>T}5ewr}P`o6mA6udpDqT>@nllM)q^@L!nvu-G(i{bG+h)!518CF_f?+|K_u3*i0; z%l1YFE!34}C>E?G(3+JXTsuf@>iZ;C;;`Jr2Sw|wXL4^)%ZkjCJHGm}Z3K0;e+uW3 zg>%I8ls}H$RQ+;ZwO-;3gn5_7tB@7po+y9E__oD*e)sidJmcUtw7mdzSNZidSn}A? zAS8_zsifO#GhszV6CM`NK#a`#@@^P=@<*vSbEc=mZOE(@dabZ()xKU2M4KvKY*&4v z5Afh2{`&#r{xkDy$4ISSsa;a`q!#(wPPX#n+BL^@lz+M%DE)+?rw!3dn;&@wsiqoy zB1gj&^bf_Mt#VagsOWK2uFxy5@!#sGX(6FjKObR2CWh^kP7fBmA6-_!kgs%)gcr_Z z-lzVEmR|fLk7wDwdx5CC;3B707b;K|xxRl%P}H!Rc`e$l-t>dXcsOvW^SkqagPX zhh=Vadtgjf9nLneRu!SGV>Sw8-wM#PQSj3iTEPef?vgL>+Kv^d>ML*iF}iw0CFSJ2wlEE`w;unhZuENW$7;iz8?C4JW@fc8=ErK3b567k zaOKrkKbvYyRyPuuhH{(t`6PMp#~9@_w6|~56GuO!9kjgpY&XNUGR1&6x^-*a@DrC) zu3Ao-6{W;s^EDokc(#C=le@%82;B(Ue7McS%|QsT?cp<4SLjG!MwYZN^@> z`SO%!I}r0-`8A?1*F#C*^Kj(WuhKWl0@w798{Kxk@l||!Yw(vD;HmWWTKJ;Qb?u&^h z;cbz2n>8c4?{07A9XpB>(!b`3!hUVrkAqLZeE09qE1x^rb*IiM^E4~+h+MZlycH|T z|I)-`j75!$;n&UDm5OZ0Ugak0_&W z)t|s;@4n7DnyVoruqWGtMEkLhJ{Pg0?Fx+Ev+bu9PoL*<>Y2J0?$k}FRiiW>GcgE7 zKGHj)o&N8Agd$Lt8NbJsK4w92pIvcFa`;xmtJ-#I*<{W)2?FZk{g;54&VfD$ac=|3a=@G#478!p@^0bTUP+2LW`+K4NF^BM{odSsJzoJA}3F48xpo7v}X6-l;K?O4*EcI*Dl93blL`F|p?5!tFy3DC>pjskULSa$>7Y6N&6_ha_FK)C z!A!3uDt4h4zuSCxHuqr_&Am)&?NC`MvIuNR7V29I5XkGaKz?31=z9-VaA3^Bap>nb z>Ps%h1Qr5q;E%_=(!_kK(sA*0Tn!~_Y-JI)(-@UB;63uQAl(hrj~W%y^3sVlLyC zL$R9i+Sf!w+k2VZ^gNxb!76>o`}@?{kM9y{vD9{2zRiQ%7=E|^#W)c*`JC-$&G1atR4CMU z{T4_JP-pmZh6Swnhh&5rL_I7?F0vj%zIUck>5Jc;c0DTUnnZ@sv7u0Sc0`P?$Y$h` zjrDn9{!X;wyZv4n#)HKyYYvd{j6^$+R$D`Ms`h4wKr*A>^t`wCEtvPWGYMolwgi`B$&mml_a_87 zj;|3;V$UMybNfstH_7-*IF^w3PdIOKf;Bw|Z8@5=J0KNj_L-zxj#&w@+~_dZ^16)s zH}-TB52q|7529zk24bx{Qds2RS3;_LFle6RUG!|N8aI36Ikp<5=c)QpCA8y=*XW$1 z$ZQ$@mPA>3;Xb!{GXt8G@E74#T68e3eXo6E&&fK9z@o2c zhQ-7he~+uZSIVH1D-oQ&Tq*uo%kaLwQOUbm`8!7@vC4TlyqwAHYqoW1tmE|!fP~CA z(t`zgTzqyHK{i|EaDbBW*JPQJk1`_n`pj7o%EYj+Klbg(vyQ`S@g47tZ2fmisOdn| zhGBG*Mm!SG%NtLISY%3e*eQ)`9%6QLoyqf@!`yxZQ}6!?7L^GlbC)h9+TTy!ztq`F zH}Th|)(c7^qEHjNdU$zxQ0%guuHC~9ZrcZgrafdTTzKZ}UezzbK>P@JqGFHGbfzm*X^bip) z3UDrLDQT#opT>>E7)xhKEs4OW1IZ*#lYH0U?_C>Z;k9P4Az_~*tE)pBxA>I~2cLyw zmw_qi1wc5kzeG&JhN&bFrpjc+x2_GJN9NV!Jj=8Ym|Q-fhL~s8E>5o72M^5vL9EOk zgqG$jLSf|M{h$e-YcUrHIKI9kg8@xw9hE8rH0H5%pQIrAiBr{{t78IEh?l3Y0?0>K ztIe+L)%4XCV%g9;j6tzn5@Z1$C#gJxUg^aw%0YliQEt?%L_0K(}K{5-E@>w*TbDX$UU?S`O*exs3-Dm*|SLUgMgWqoi z%Cdb=^?R0tCU4!1qc-)F;U!i1HBN(SCD~?v%8bv9pJ{nxMB>QKmt$AFv02_=d?UqB z%(^$Ui0rK-FngnUv03==tt8lXrHCf}d)fcCKQZF?Td>cBdC{2+H|J)bu|LnjJ8b&W z7t{X3`gk$|y}Xze7C-%GxY#mdiRCU0#eUio@$H4AEydVv zp1Jo(Jb)XF^T_h4N}oYUkl`8FwpeM=kmQVg5 zr;?Ed!kH7T&Dz5HP1e(jX=qr5CDO;Zx{x*NK|0872H;yZ3;e+V0sQ<8_AS!|V=sovu)!%VC&wjTTF1J3P zbE&X5ucc)ye(AMu(J~*~jzufKXFBpoAN~lySE_QUZ!Z?F{}`nIC3RUZeed|fjwG<% z&ebX&Gq$12rzq3H4#7Nvv1iGWh53W-O|a&Lk7Q8K?{yNZAk6dLQTWv!%su}1=T9^d z;Y!x@EiUf*vYDIhp;04J+Hhe%R)BVzj)1C2w*k_u8~HfhPajj!jc8;@utk?q@Ld(*&)XJUGe)6CG<#A z3Hr2~_x-}r{R+ICz&#@=hoKEL_+pRkk_f!aKjBbl@liSGt#-&z%|l z1X5-YI|Mf?|9*RF(!dmKGHUnO_Vl~?MNz%z%EhURn3!3U2!bk#+wkkjN*~pOGi0Oc zbnj19St>4Z(dg=>i?F`7sRq6)rWM0nDqk`+Pz!|%mUQ(l$SNI^EUxo|nYg*g?H=pQ-Ejm2GvJ9MBdULjb~3!@#g7-T>}|F8QiE zT|VWS2y=5X9-maW$ zNA}<`#pCZ=^6!3qBQKo0BfNfacYpWrQk`kCZZ53xNrl^G0c^*+I3bukN;frJP7s5%p#%y zd)o^rbYA~XbE9I}(z8QhN3fLq>=628?l^VnZpo~}oCBrU*FXO7XzA3A*n zZ&5HXDZ^^NzWQhLMdCVS)DeKA>MiuVxE}n{fZlb|%P046EbS1DE`wsZP|%jS27^+} zpOdqG{`@`mQigyjzKrsxbF!fy@8v%LJnSS=&Kp`PcE&8*T`_Wr+Z-moxtJAHnE-7DH z0d+>hxRXQjSWg5FC5bOPr8Kf`t5IrcEQoyn^aFpf~I7U9*D<8>D*XWbDwp) z94h*wU{dqi*S0X<83bRL{VnmycXp@s+Yr!iW)hZ~wTs#lCgla(6Z5NKLT5;~ZJu;n zDo&VftuRK*b3%0{KeE%Y1#>coSs2_ZX3KrO7eJ7qyl*0D5yjo`EOd@V=nybfIvowu zTdWVIN8DU)nt?WElhS7-iitXKkjmVMq{AB+mcX6WI-ze@tbQ_&<*4z~xOMl|-N~lM z2UAwLgZ7Q?uKEYddLuFUfbe82=C%{JuUhJn{hSQ=rvHAO?LUs&+qRaQN+<6X2TawU z${$@*#=qQYaA-F!DPJ+9-{PNGYfO=qZo@$)`guv2g#7@^^lV<|IC_y_74Y!Iwk7?* z$qLau_}6e4DT=QtwUYm5t7+YwilTPdZzx{pwEb3ReE~UMlLzF_qU#QMYR-v^YR}#S0Vq zRD(ap(|lluIoHsc`*!hzoIJEmz%Fg}7c84gAK%Z8{ydF}@kZDuDU?@k_FA{ETU@fO zZog88hs8h(x=zRJhCiDv-hd7J48O%}7xz;U{7*!cm3C7#T7~Z^OG?RwB`@biJk5t> zZ_b0-^%c${G5g9uN&{ecK}h=UC0=F-rnY3#UVbXRNgmLuQmuRU>^KGz%)o=|*dJe5U7$ z1b61uS92p*T{z^g=)9<;AzSyk&Loh15d|l^8L9^1$XpD8Q5;vx=Fkx?4hH}vmt8%y9_ zl#*1%Exz+T7%&z${bWSZUaof${_m+&=*z97Zr8f}PutYo=7Oq&Rd`e@Mar)yQm->P za{UjbQhx_KmCoL1X;q+J>echB`vN+wY_3kUY}x)(qxjTddw;?b0k{^pRqJ9-68x;&dv6yj1c z0#r4PQk}}I=n_T#ty#mbH$9d9Rh>v)Z&Crn_z_!|`x&oM zHCE5=-ctMWk<3-Q#7AG$>UyrQhbP8jZQyr8AtnWxvJB%tGWe|9=}{;sGyh@NisKnD zyAT!TDb_#aPf|Ao*9HX{+75J}3IEeF@(ucxq(jz;?qSn^-%P?qL4h5Vf4}j zW+NU$00Bos-K_1&JhvyNzZf^Fb*b_R0tazN5!F-X!FG=%u|;9g z3n;Vbq1-9CSQzl@@>Vapc*C~x&Cx}pUI+G9HZgW{bq8aCLvZr^E}rhJ^8!KR^&zPX z;p7#FN-KsTXr+ zGUQTRP?+e8QHfxVHynf26$bryL<~$9yRESoKi{f<0}(Plg|uhlwjR(3JG4bJNE+zc z(4XW}*q)sgX!a1_;)=Xxq6NCJ|F73~GugbSl?C<>#Z?_BdG9bhW{k~V{Dk+)$oIUb zCOd_cGhFBa)BGg?!|$Ef!(Y$+ys7JElh#?)&tI`xTebszetJT79^F50p>gluG*MYE6EA}@tUakhi({e&(+y2ZmII8=1KT#z&D0&KlLL-$Zq2w>z2B(PkmWJ*2v6> zX_@uBn)05J*K!}Mcq-1RtjpQt@O#?GuImxVlQ@OlP>sKCT8m~lJXNzYD``Tj4mTGk z_nAY5l2bQ9DY>jaD@56%V|#z#Or2G9kwJrwfS|XkhiGBSh`oMlccgVSO}FpE=@j>a z8@b@c*7M_;$hE=vyU-Q}NH>9kER#q%xg|o{MTlq}@m;YF@k%-}?r?34=!TUD%X*x! zuS+@9r#6DyQ5hz={@vn$#o(yQ*owpxmk;IU-%RH=UBDuK3NzLfLG9b5C_i4=-`R9b zKg$Q5-7_R9klYH#%()^l3cTvmv zaGbxLb*dfZ>(qbKYLHB|k<(CwM=U?z_mGsV-d$_R3SAAWi)m^8Gb(vNXA@rMY~E%Vx4X1c$!ZM-N3+^?!Gl ziYpwf)nSN>8|o)1Z)}nFMf>`hJQXJu+p0&J$L<*=7AR+OU zqgV64o(lS$-P&>-tnfr4Xx(zX_fu9riz5$b<{S&6>CVj99=c8nHyZj;(Svnw2%FFD#fmyy8`2TMy-UpVVvBFGuS5v1Q6bRpe%zjb_ zhLooXmKVD$F^_(!d)git-8F^kO3{{YUf|6|5TnA9!>3;o|U zr!#uEo}c?yDsh*If&N`!?%Gj(MGr|vG(Yaxj^)dtr^~8dkG8h-1BU#gEG)4B`1I=& z14KF-LxDvEC*sfVvadSwHtDBRR>YzgD2tYY_ojev)QGTkjZ?R!JYM=e!bgusKzo2= zk>`mF`EY=q5}q%lk5ijfMqufUQ=v^^9h%a!_9W-RR)1P6p@RI?rNF-F`C`{cG~oL| z!>izlES!2G7lhwy?L4Dxe|=-77oTGdWAOT9*K9#wqEn)kBl*?413Z|@=?ufBe<6~V zXds{O|Nb_*^X|)c(IRO_o*>NPlR-0x4{avH+owl?5^q@yJS@9*9-0=vzgk*aKoX1$ z;A~MRHZkf82O4J`@cl4R1a88LAv5m$)riMrL-p_zlAbCOh8jz$d8woLeyRsk(v|t# z6y6PNShnE)#t*nsp1gpco~M=-bTO?TtR*flRR3xuws;NaM(FSRZ6!d^G;<3-7YNS z{tVm)SHVr$%Fs^=LH<7{umATXHW~d`BLOugRPg<(*zj^M zEEfVOn*8=y75#&KID1v0{K=nj06-Tl?+L7#_^hhkKu!8@Vpx*Sze)pViErVumCU?h z3$melN_7qApwVC%T^)H1Taz6VM^ZG*s%g^;T3 zhQyf}W9}J;iMP6zR>0}r_JPX(A@04ynu@cnVL=cSDFLK+6hxY#*U$+?x)^%zMWhOm zB1Jj`q<85x^dd?xp)0*v=#i!pAR3VJ9p}!>o%_z*dGG7}<1_ylBRo&e`JKJjUTf{W zn;wPw@!FrfR1x~Q_uk%cUVp+3rT`o&ZSPM!x;oTq8F>bM#_lzS16q;kHT)UI78)7+ zy!N8f7G(~oYTbq+=>vm%#igbT!9 zDCj^rQl)6?xl@*~`PEu5QLlK-%N;9nMe+bn9FxOXppXZoN6wmv-jr2l1`P2|S`slm zn2>`lSy^zfM22cT<%pPC)49f2Ae&EztN@O_6Pn|LO zGD7)Et|vr~xMxLJM{Wl~UA#?{_pj))fBZKsUi@zDOQlx#W^7qYWqr=yKf_Dtshe@! zb2RJZ7%IB`9egXmljok>@H5T7_@sF9*C$kE{~`zh>)IavNR9ngMuX4-)8rPfFVp%1 zqRNA03)#10#|7OPV}df!camGmdhxkjHN1PH6SaD&%u6eekS1T{1I8}Sq38$aW_nUf zFAI&oX-KC|z?ICdAN>LT)4 zebf-iPG2hg(4x?<+UvgEA_f1`w~9eEX6727SuVO{FdyR%_r`Z(*Nu56vcC&{_2@G6 zTP&=^$GE7MEekl0PDDSgJ)Kh-@sjPKrN2++2Fhe7hS-wzvo+|YG)VUI^a2qgmg!3dF@Msn9gO-i+tCc&`{6?q<+TFoELB?vK{W()kcQQsjsi9>tOqvCZl6 zh9I_qaKvpgo5{N?@+at78Mz$& zoY>Fk*gYVt84JapkA74se4FSinO;;q2fakyxfQqb^7BG-+Tdw-j?b<|B;jX#AfgI?W5S)8e@ZN-G@c9 z)v#mMya4_edjI79{;&Nzzq@ywo6u^V$XzvK{$Esg|DIN@3}SjT2(OIiAGL|pb{i(Q zJv4j%fn)S19cuX*)nUeU|)$nR+;uj0qw>(6)mL7}WlkX79RR|3rNoko!L{1@;Hf6KfkMt}>pu zzWV;_=hlI%Us97V+xHLmA+&Ti1s(Qu(`SU=a>aEm$&*6{y2fcc{H4d)J-p%*;=d2| z7Kpc(n3_JE1{RJQ$A?Uhm$?(%GQEw&Xbqt!o2a%tSSINeid51i?aspkq$Qgv8Zq)> z8=U3{N!2J!`VhTLtfa&ct7S= z0HpurRbL6UntEy9=oXOfW?1f!+;&5)Q?C;#R{6}4CW7=<^iRuAADUh(JBtrKtI=CO zu-txPdnw*I#4K9fB>glS1UG1x%?H*c0Tx;qrVRHqZ+Fku+-DwpktJuDetA?r%U7JW zPyM6GYfEE72>OnPu=g&pM}ouaV#3=)Wv++FA_zI+9==b@xr7jtgXUdUb7(1k* z=SNoC$T2ufRd~;STd&N_m>-%`xaG#HAxgMvKVP#kx{y9M?r&v!Wd#p4rkllN!pocP zQY1}rsuuEe#r=@ON>YS{ZU{u3^7P8Ru&6|C;St9~&&H`}Wn$WYcp za@=^hDE?alc4)KHT9%B^aF~)1L`ap(!>bu3oJ-ZZnx%DSOJeM=ieAZRYsuy}6_on6 z@8a58BWk%VFIKkI!vz^H@H1c8&kC_~PuR}PQ$9T4NRdo*lfT7(u-L;A<^GZ;EGjp7 z*u2MRDRdG?=KIsEm&XGUS>+` zgxq$|vVeNdpWFv}>T~QiE69(=nVy>Q?!bS!>$diOKS|{bMfMB)?bwOM5s#l9c~t6k#y-@q574{* ziQjc$vE*Bx@l7$H4^o5h!5L;jj_iuF>!-;NJ567wWd9^NQNH<`dS+QYAX;*yrA&CGC* zz2_cw!98kO?&$6Cn8UBx?oESCaL9@GykmYBvY+)scD)j-kgPv?MN9dF+_v(iN52>_ z6O<{=u{S=;*6oVOS2X+89FW~i!^EkA{B={V?})XHv9k}0`&KzOy%&Y)O>@q%OALm$ z(fylRLj}V5-7I?>tSd|ue&gL3H}~|DcW1WZpUGrcq}}VyLjCCkub=J}5b9gFTEVLE zuRWQ0^&&1qBYmFx3shg-;L)RWpVwQDPJpq;hp%gm8j6^JiF1t~YTr72!eoC7x9bff z3_B~$uy_e=t?!Me7cQM^7{SAgZW9?U)V2ZIN}fsP(tXx{OK|}*WR|KGy1=_sb?%;i zyZ(y_5q#?pe>-nE`UL4ts=0)5G@9XWOqG}CSB@^zyl&iGOa;ym+wU_J65#RP#$eXZ zpkv5nmhKF8SlMME*5XaOp8PW{Q$t3qW#L+~`W==4&YY(N!;e3AoZLX=a2skMlY~sj z(r@}p(qpKfWaJ1RR(1E4z)Vbr01|NLc`q%^^1*jU)AG$V156utd1Q!_%q!=zeLb>jOKk{Go~gI; zndcQ6AGmDmO^oGcG)26;Sh>2c1zRD&-=`oVkQpYb>lJrP6NIij(P)0Y(nCMhM#DmY zxXO%XW26#kvWMe@CDC-@&O(6O&aH_2M9QI@Ex9 z0t1~Kkw{WToJu6*DBc};a1Lw;Nhudq9Qq;eY!cWLUQaSf77*f&YYxiPIYRJ7B{)wJ zM#C(H*E>txV3~|Y4timN5SW(qY6YUnNJ}1{}w#{Yo_|gchNmJ zIwcRkd_2()sg{Bt4G27oT>Q`B&2E7pqZXHz@$93v**O>8tZWeX4SwS?dB_CKTb@tS zO%iSu@-i$pDhxZT9>yp2PX2f_{k0JoLGU?DYmdcMedvCb+&997Dm^Vr!KrVAZ@quk z<-d)#`c$!}oni3~NN7=m;%WW_`w=SOb{ew*8GeJD&I8uU^ac$fQA1`cNqNs^iaW-5 z8)>72yLhiny8?~*Of8&MR?_s1CR`@sp{5!`rJ}+tXF@l+cuiY#@xN0S1#RSnpmPhc+YCBDm#uBcJ2#;r1&TF=<^wiq5Sl!H2{^2{`H2x5<^y**2Uhwc zk06tyou67{pOhONRyLD*<(}QYbRcIeDZLu~v$6G#YSWi9PQ!b!q^dOWiyHs9biTAf z&2-I9q)Ud;*`c?H|3US1^-tN_ZvnwVzx(__{VVT0q}W52n|HiEVz{|-g&odMv73cN zM8kllXVUU^HMUFVDK2=8SP z9|ZXpekMoby?i*FCyk_ol}@9AzR?KI`SVTtm*9Rb5zMCeab@I0cv-1lWtrd@@lPx-x27?OjT3+@>nmFRWo- z(ZP~!TzAvn#Sn#eOdSnf`oJWgH(H%=Yb?WMaQOk@x2?mugLS@%={BFz8Xf}+1%Ja* zm$@pk+>CL^G`~_VAn%umeC3l(-#ooqZ6`0>&ky1wLnW<5IR*j_s!)~bH{D8%M7xuDlN{vbFt+!X0PzlU-n9YB7^wMfC5bF1a67PEgztW&+m>i}6D# zD3nV$*QFv+p&eLa4)zf7>ASqb^d*eqRfImTg!Hs%x4Z9nh%-{h{YS^ibZDN5-@7t zc>1)a?OVlh#r}b}G!e`>>kWH~h2@YpCYVNVj{Nm8ERUe?WK*!()A5EhtZlZpli;HB zd0^F( zI?J$1&vk$~?PB7#5U~6ilVM`#YW6l{sKs@Ys_@x5f$j!7fddw;J>FNuTdbbKRk~pL zOcd+>OqhR8gj00Td%Y$FBQa9zv6U*LJ)9%9feh4OIn|Fgj!*ffn5EM_R=zr@9#DVi z;N?W8oh1Us?#bORh#oSAU*^e(YPo4vI`{N6Z?5(_PriDwM{&=e>HHV=MYOoU@}?6p zfz*}fO$4wQEg_ok*WZDp&wHf;^`~jr7Ot~fb*Co0 zVqWXjovC}!sJeAqBaqENR#C0jhA!H%1`AfTgXw7f&|o3xoM$g^tN1DR@;J5L`HG%4 zfBG38!{jKbt)sReqwS7uCia-pE&6$~pez=<+E284p!ATHZE8cO4!g|}RaFGjwxQ3^ z!lqr#(SAP@u5@8Nip9Pf(9X5VnrVK7>U%+_+)f=O7(##3Jx|J=di?VVPvEoX;>&Ce zqU&F|{R?~Ba?_1n4itYPsTL>XPN(vAie8(4b@dc+<*BX_y8Y?t_fMrR`5TS}=Z?!k z2*ku%Tko~Ka$u9DD6;d%GjzSN_5X1~{_(g-h0ANYnx4LQy^IqV+?bb~(891gHeYyZ zzLH4mvH9x{T3IVtx#SkjEK7+#u7ikr^7hhWJYLvmXiuC=>J&Rhyq{n*@gx~nJ=?FL zxj{k&`i_*~;VH19<9_M;g`nT$S8lte%RvLK~?CBzx@)$DMt-wAou3p{dGNufk?jd0yQvuisE(F&Gl+~7;+aJ9qsc~ z__5qrjQ>}k>>nQ%`zl{480}GUuPXG7u@ovTs|S6R^)%q>%*xItx^^O<-AAH2HA^2f zv&yzXPDW|b{krsPA6JdsW39KAHG4}=Z$$ZX!s(O+^HXrfSJ-4_yRBBW)qy&BMNP84 zP-#HN<^j{mFvw?+iBk^FaIrXc3Z8(&m*_ZgoU<@8w28Q@%>x7NuL|Hp(u@wG29^q*zEO$U)20aBe1%6BbX~vQYN`K@$HSH-3Vl-j9Yo#!q2S)b zg`p_bn^r&-XOk(&0$1)lTr;gr@J+>(b_Z&P9Ih6Nf>AmFldk6AaRNp7S6IV#G;qRl zJ`cJiVkUX`-EE0;SNcd27S<85_L5~yp^3V|oN5tu=id{W-I5Oc8yf00TwPt??0tJS zoe35%=g!AHv*0Re|NhDISw{NVdYoX{SHDFbxi>hK-=lNNK%76ca@^lIXB;jr{i_J` z*Yo2Oai!$iFey@D+%*QWB38laxR>zPkH(<{INiq>wrFv2EJ>q82_{&96z!i<)?5M$!^uf#^O^YV^fL3eSs#Bi$++h1eZaQTP*pDYaXBIf%w-BL_DBJqQsc-S_|H+n}T$T9qqtdwk6Lolj{T>ensZenvq~F4ru~eJ2-{6WzOPDlT(q>^qrt- zO3j;zVortKwyQm8F6{wER(Bf_PXt@#^_vn=XpNwBQN~ zinWIYom9{k3Mk&&bNm>*=78xwfI=S+PNx)Dz!L_`UqZ|dFN|penjuRu#n#0z3vBF+ zjM=^5_&v%S*of4C=Ib=$XbPWFmOL?&9|QFY?lj#(;@&44;Yb34w>Irp;631UtBku( zmr^Vtr53g}^czYBK|a$%^)|LOL`qmAusuS@xVt%RBap*F^Fy=VN5N+b#2&yL;N`uO z;7?~$eQo9^^Lu?>)v)`{ai){4D9_TsnHX_`c3KI+M4VE!-sY6trR4dKHbe<9om~Lg zj?Ol>_;LPIE(w*uTHyD|{!82Pzz zdAel8d3Q6$8M9+xaAY$x^J=w#pp(;EMn7QJyxxIrS*w7htp*sl-&W(!z1^Fa1%ht3 z5EwWg&h9vmHt*~p+15yzB>87wac}i!G!V!|ZPx&Vw`YYXZrm2Ajneink0oW>L@`Gb>XW&|quL2xjiZmgbU5{uF~1`WgN1t{{Db`wpjs^mQHuukX0mAJLF7i)2+Q zH0OZYvhx@SI#xfGw(bZQeYxGa8Z+=6fkvZ0W``YoR1-Q}OdQcT{pJqj)wGjfI?NMccGl;H=RnmY( z4teAPDh1`{$PG&&wr8UfC&}bF(Xq3z$M7{!Ki>ckxoks?PUm4{6~tOW7TEcF()`4$ z>4`Gqq)IPQa-Px7fnK7}Q(v;@6+ifoA|$^+qY4CGA6jMTlFOaEd`pciA1`c}M=}lQ zD}gud66Iuz&K4=q@iErOIlnmyb;Qx*s21%Y*JIOQ42!POKVZJFoci^@%>wv8!QekV zoPWE?49s}MwG>CoLQ5@q2ct1fx$yG0s$Nj#<@GpVuwRj7ASSqyXSjmm`)ko4&e3ry z%#VZ?1VT)bL52ggv`X14X+svJc1q`9ow&-GPbr0pErn_Ot8+{yBN`+$!Q(|nT=t2L z5D2l~b*cH#+VRTM#nh|Ju2Wr`R8^x8I;!y1D7oNKB|+(yF;P9J9~`MAs$^(f?6$p2 zd8-yEF)2vq6`P-I&0VYdf=|^cP!m{>m;PK{kb*vi%Gyk9u52MY71~Z+&MF_x2qV6QnpfM!iqb|UxFG=8>S>cI=Sqi-9os74=nW~x~FN{ zWVrgx@%UVHvEh5AH0!w^*8Ykw!PYm7m{-3fg2HyAkWrru46$a-@bor7M`gz?p`X<@E9uc@b+%_EQR@Puh5={8v@GdlFXNt&MF z)o%4FZk%bdkPnZ)_L{hXG66&7Uy3w~+CPq+k=lgTHFz}=%?aAlHw7!7Osdx>lPI#t ziopY&?FHsapwVf}%-HrAY!$!z%;Tws9B|vex%vO@dQ4goQ@54nQD_#3c%K}kIvu>& zUL)_#3v+$wuEfn4v{UC<;VrO#kj%CaQ$XD>LsPEqyqo zwW_Pfnydvrrc6i+e^ZmkqNig%=<05gVuLA9_o{DYp>i*hzCOZ!rN#dcthz`{dc~+C zFtZrCJvGD2%BWgS!rJc!B?l!~>}3>qB}K)(xL;P;C7>+It_}CPOD<*Z@4}O@yAd_H zhrbq1Q7yAwF=X)&))|<|8|Aa98~=l$s^b#99i{E;&dAJdVDb+U=6@VjfS+;FC2$ze zWN9mN|16#^$Ij4Jc1!$*1BET7maQ(P`Zk2h4;&3_u8l5)J-FFK#)^443FhXO;W^9F zr0v%TvPsqS+pXeB&-6;zv`<{+g{00$X=86egLl~%4H0JB_T|vjaLGO0e4)Ct14FXF zTVwED8cJW-u)+*ivjoksQO@+bQW~LbT!zK!T?_9+w&{&JEn(IALQd`kI=qth)BE;% zETGk@^Q^J5Ahq(-MbN&9pf3e_(J%u(u%T%Xlzgg~7PM7v602u%Rw;LX`92i}pD^x^ zo)4!d1lPpGzfzfIQn+h~yoPe1dPTzoOIRSu%J7po+W{spPa+gSlQ*GAJ_0&zX~B|YjdlPX*!CBr!eQ?<|Ll@@H?{7Hi&iDZRDK0Ac9>(PY@HZv~})+(Dih`Wd@9NjKE>-SVeHDo2J zi_KfT^aG#cLSt5seGUiy`WiSKV|^#Ac85fQ-meG+=^+FMoqtkf=}vq!W61F1xclge0ga?mZE1W;W(QVC%JvS zfR;yJ6|gOq$*02#q>r_vOG@3BCuYiB<1+vFl2GG&LdSuzAKtFZUy66;n>i|bIVq!} zE$rAO)b2=XIu-=gKSKl0rk~HI*qwQA5;O<2-sqr&nh_Qw# z4Dr?Hm4&ARm1Xm4I!g5oP`FQQ@xpSw;X*kVM9tW8!%vg;64oaWIf1TCa0=g@a-BLJ z2f1g1;b^y9uvG>aUv9Pu@6P0~I-lf2@krw;?={WbU0$MhqoIiXV~**yYSC%lbcWaj z>n(iigtRX77@Cy&xpiw;6#xU=?%L*xQB#rHXwy2>H`PLXEF5;QCEYCS68g zxx{JxW{mP9%Fi0Xw`>DfY0?JTGaY2jIQK`R$n7}Mv2oVmV3SAdO?FWbr!r*1hN+rIs?KN->{xS(^D|Cu9t$BGX@0qTt1jIEEd8nLniWAvF^tC#*+rm2shVg1ow+9AaCceahVFH6-=xA>C z2B$0&7p9FmoE5T}p=CQ?&A{M#p1om;wuw(HTLzCq4r-0$8V=*E?Q3L5%1b z1iT3@QL~!uNjkiF_U-noNk$MVNOSlJmT<#2D~faQO5pQZ9lie-b5z>MyV|h zIofNiUiZs~V6+^OOSN=p6WU<2k3!cPnc)O-UYa8FCeg)RUKNmwDg>GIQSa2FEC73Q z!T&6o+{Y)4y&^uqG}&F*A<7@flRUn9V``PYmvveq(%9$OqvL^9B`S}~Sz#KTn6B|V z-)I`*ouA|$6tdd~p`s;Vvj#z4ni{fFTSHJ+qZft9;b=-s%JyK!OQcj{$6*Sou>C~%PZ71h*c(lOf?D81<1U;Qn6Fku*VaXQEGKy zS&WFezYlH%X6xmNXK4A1ji#5JHTjFkkR^vDdNfX(JYI-KnnP|kIc}cGeK>W#Qv7{p zA@T+4Zxrjlr1Jj>aQ{7`$Sbj5xpbU-enEjjspQa+3V>v8GvspNRI-QedpA$^^S)%J z)RT13=F}$OOvVmJ36ka<3adhcP}#PQ4+NBLcZ>TID}sNyJt8{;1;&728Yd4~S?3&U zr24`oF~_6oIvw>rZPat}<^EeK$QnzOAN&F4Tdde4^fZ?-o2`4g$)RIB^J>Y=wJZ{! z(AyNL*hic-r??`E*L~OpodatgdZ^=3ZDam? zxS;La5EP)qO}j+hf$xwRP3!cJHSPaHfC%T9Z1Y%|?Y6W8VYr6GRykv4QJIlFjEdV+ zz1-{b%?Akp0IKjPXc?k_rU*)=YUbWKGo;c^MU|QdRMdT#a*^FcWk~kXv8%#Qij*?P zbiCcxLq^CMgR_Mn$@8(>N!xn%$nj+@bY8j@OjFSQi?s*H?mX6$Rh&K-M};{moR%a_~3 zaaIPhK#5Ym8+Xjjw2j$eb#DP!?P9~bXqtbLxBmNQ;vYX@pa>0}(8`S#7h~XF@8t}u zR-U1Im!#&?*egj%8^dBrpaFuE%3+dL2MqcmyVnO{Hw;zkayP@;9-{kI1*S5#4do&w z1utgrSja*KcwqE(U`V`SxCI8-tnos#woa5n$w0um^t7fDeqLCm^RT&V`^Q~=RmS3l zqMa7d&QA5vA(Dd(#Yz$@LO* zlbJ6xxu0aZ))@KBol?q}UpX5=p5jLs&DrriH?(YzNy*EPT!qeDy&>!EHC-V%#l$){ zP!>2%r6UXX+0T+`oUv8fcE&j+Y_VkAJiljPvY{+B8>a#g)!vepF?x*Vx*IYt3 zXVAtK@_c(%<<<-67$^~s7HtL{isPfTW1^r|i;WSUn(uauLC_W~-bK&y#Kx%obycyi zjnZV(<2h*5T{&4r;Qq{}TI`V+TCifr0^^e#A-|HGK5a5m^GEvwb=iF?9o%bi{J&>~ ze|!S|FO>;E-F(dUTQS1noKhSfU#SJ%mb#wH;aRcW&@X3mvp~)4Hk?5bq1C`qYppaH zS6xDP$Ud+psGwsYFgH-ka8NKDjsPli@N^usG#4+D1bfvu&v9yKQgq zS$C_Yk_L`sH8n3Hox3F?96fk7pQbFAPgjaYLut~rc=?L=p;d8AAnIz&hqsSD#1wON zX-yqpv96T@4js3+>lB>ee%HYLaxU3EI?F?$`Rr{FkfBaz zH`oV#I;CL_%X@tRU@VbR>^vk$*ZBYP{r|gb=A=yEkRL5BGY=7426&t}<@j*Z+hG)N zw1{WYs>BFX43oaxhsreDjZvZ|5{vln6kijnivV(zoYJA9x16l4^0P;jp&ME@p!J<%+yBnmh0 zF`ltszb#B4hf{q+i1b$f^&;BO#+au2vnVYe z>=7F#8d#iA)-kP{tc`U|Za}Nwg_DMyfHTxA*L9b-7IyLpePBKfv%KYEioyIZE#T%( zK+*Z)o;dl=&7^J2V5G-V{oeW{C+-o|Qppg}+ucIPn%vnWVxPPR(A+cXVk{_1&JUHF z4%2L=9o#6E@UagH%rdZ43*}XH-4NYb{P2zfL`Px8>2+ zG(4u4RZjpLd*|9zZoaDaZk5GN-dq8ciC~urCwMfRyrIhS8=h%~O3WK3BLZUohbFmV zm4rpWDBF%^=NdDUjKk|zq58YNp~DFlkX^zKo6RVeWXl%w_5SqoUjCe&Aa@~u$kBRkUigOzTPyUfBIQ zLeXhI%!0M2kuZ9erivvr2+vE6w$CfGprY3&D}%*mk61_E@Y<8PXR{4*iWf5tlc#9kw0t*Z0Bre#v3Pm+F`aA{x5TJaibiUdMxNa=ST5mRC-9(e50bi3m61UN@$95ms7=*NyUmt7T|#U4l~rDi8U~;9sc2A=TohnM!yLEIlILCWgxWQJ29IcDgV?IcbQW1w$G-;-`yx+sU859 z2IR6`b8)m3qugvUX#$Y}H37~B+HNB9%2AWWNAk#6}$yO9Ob}4+9msRq$D8F(?&i@8Zjc0;6Nf{;!OlP#Cf1t zW-jnDw$K6SVkf#VpP<0S(rvqi6?ITswHI}dBzUwx)5KS^{WUzrN$EcvYW1kuY zp5Yg%erUH$e}H4KnFL?sLq&VtP}`kJHHEy9h$ZqFoaR-+Je80Ens)ggVz_vVc+oWEo zj^~aPU8}~?J&K_7EQ>aH%rtry-vU8J@9z%2Ow3wXP0PIe za-yife%W7p3Nd*SgF@xWRMvcE(F&=Wo;U%JyVKsRbMa@mrsmMxpC(LB_WMWk&A$e- z3lhpqXZk>4fAtlu-v=_r7vgWJ1aij*38_~Zr6MG}*apB{P*V|`O{h*k>oa4yGGiUU zO-2x++@7kl=b#nuJX$GxSG8;H<gh7r(n!+t=xFMe-G~*+C#-n^eM8`~QG2H@8wa|Y8DEO9?(*LTVMohFt!&4oMsd@Y zU0W8vG2FoG@#4 zzk%>+Z-fd&beSkuq_A{>iYzd|!y)ile}@}F4XF}*yE_K$B=()1J*AKPTw>M;hVjXs z?36AT1>W1~zw^C&)2=WjPr{^K5ItHaG0~rT-Xe!Kr@3+b&-NMi|E+yyru^w1SYGx| z^Cby!XcqT6Kw}%&&~p$d)KXc-TA1B=bZ^}lD%&+s0W#QKS&rOXuUgzd1+N+*-yYAp?dBL*-+NMfpjIG-P-Q zq%JeK>rX&i^`4_SXZ7AWFtKQg;sttfK4dGjpLraCFHn|GtxL(sZNz| z&!DaYsKSkOb)ui^L-=z)^05>;uD!X7V{4@1WrmFEp=;k229|ncK~JWV4QR~*>NST$ z3j#;XV_i}uMNpA)MbYL_6BO7yGPMed8RqJ`H=BPsBT&(BiO3d%Jm_bY+bYb+Ti(j9;FRv1FUu~h zs?ihk@r}8$@VnF^bY(Yreduy^&O0>5g7y()@rtJWE86Jzk(m1eIW9A_a=f$~6Ksoe?s)H9_kdsZtBc%_wrMJ|ofSa3g4t&p_%t{0K=nXspChDSEwG&j&vVjKP03Ui@ZMP?1@-h^f&a zN~Q`y9v0I6_++?1Qj+2>J#5wt#W9XkQ<;$x zKve;ifxqR=0oLZ$zQ7ahDG zx9j?j;UFy^9FP{*Wm=@=$Eyx93ya7myojWI1RAB)dmC(@%5o#qr@ z(8KG#C1qC*%bjPJgD0e=$W{c?k7Z&xN29dE63i$Lw;QH5GJ|h4d}#Lv&7AmNcznQx+WQj!IA0^pyU7t0G<=eClwWl;W9dS3~E%td|n$-QC_>= zB8F6Nz!_*t8kr(u#HR8hHYuK)$ehq|xO!e;>)pW-~;-bq7{7XMbuTZ^NjRqL>0 zI+DZvgNk%Bz<%nYYzl5!$yA~|0htzH$2dl5+c)$;A=;3|XVzA*sv7tWX-ZOFcU7N} z8h#G(K2|DkZcRu`;rZio<1W6i!vh4s<9=rxE1&=f-B?CK;phf`Skl6PA!Wh!w{*(! zAh&@@Uam;vD1^WIc4i7yKJ~?TX`FQ_1PsV@zH`)?5871^g`fwwST**P%1>iC<**d{ zRZxNB#u?7h-dx|iI$5w_+&!YMSbJGtl9)HVo3EUyOqfXQYP6g&g`;8lgPMX*sOuyH zD0VOlW%QhjlgTNn@mHqJf-)QLB8Z>NU5wk$KuQdP_KE$F8B)Z6okdf29aCD_r502; z+I48aKX@0QPg&{QGh_Ti!~W1aAc221C+9~D|AT0;I}9H=K^v+`gn?5aFt*p4c>Hyl$VqHzykm6@3jvFliF#9*X^KDlULsy?~;nW zRc>;OBad#~1*9HZ2b@~R^F9Dn_7ufmY1L!@vIH#zHEQ1`zW2BV4n z&K{CWOU>P3l`1(_sx#Ujtv(%v<`RT#3HmZD%(;5{628AVeJ!&QPnpDihS)o_Fri63 zd7Oa3TlpfJq+Upn_J%{57X|m~R=Izu4q*2h5McI34cyCTzyaZtI2it_0wT86^Nvo4 zwMbG{F@9J05$S$&WAFoBtbMVi&~j{w>GI>=-oGGmBWh44&E{KY17P6qOqp+vzqsHT z+bCZbZrvFZJQbGe2>#81&MLm*{(Z#^NR0RXepUV*?Q`%0$_BW+L2m;E7?fp7vIkI1 zAgKCB9#2GOKQHBiy4k%m`Y|0p$l2q6wqwi@ZEx}|n0i&#S9TpA54cQJAy{pd&+ehN zo5cfkDDb-UMEGXGVIZLD3|n({~!a*CkHMFpP-b`WklS{WEuko*V{5=t|F;|m=$w@4Pe0E^ z&e6#$C)GFZ0dsp)*Kl75#AN zZ8A{ju;P;>4XivZ5#~2@Cd?V9uFd@x zd9pZ{MQo49mn3X^1Z)X{D;%$Cyh=_n@~U`zv+3cNz6^;u7+G%GRo0~)m6Cp#YYB`` zl$x=Bl(4V%JiRMES%^pqtwvvbYJ%8xVx3r%bDK_`p9)lS1#TN9J`(A^b5Q`vG}YAH zlWBX$uhO<`)6_g9AYED-_R7)Oji5~H8LyhZyXTGkU>$+XbG|PB75|xb9_^7CgP&o> zP@P9XCvtVSA=_p_i<2U4EBu0IzXp$yu8$u$=D`DX(w_=&PSz7|ekpDBw}>^6dZr}t zqN%bHQ{Z9o>}$7kAjOxxWQFi+Wuj=z$A>x=Lv*1kq3h zRUH44gGfO=^FwrG*R}_KdHgFRxh?Ql`%7bdoET5GgwiQR)$NWn;L*bM@ZXE^2HI~f zoce16aq?m|wXf;Wl7O8y*}!9xM_g=fAycwz(?Hhcm7_MI4v?}qLXbpq%Gg_Rop9tf z0NPxU_BT&fpRR>hblKb*$^|+EKiKO{3lKdbbOPEaNJx~+rN%*UcS;Hkxdg&|d3_y$ zEB)lGX#2#>M=tj=_7^FRllG%w0)e+T35?w0F$*evI$&Hy@XaHsQ5I9@ArzBd&=cL@ z<5<8CWG=ene6jHkdu!yN_@uktL3rV7bU>ZJ6x3Ye&qTExk1#I?CCszWj13vG)U9_nT z2^j{0x)$=(!QNYKzZ-&pFnuATbv@M=yeuqZPiQA?rkEv}K5Y9*rkl#%wmbz2`X zp9}GL-Ir3;;I4r41o7#LobPHOL1!_uc`3Oox41tApV_`GOAs^i(0i5{(5?CkN^!8a z%@R7L4hMzOTEZn|83v?>pI$PE2PbM=y(UuL^0`x$fl~Cnq-8D8EsPV!fEwqm)AfWGq@O%fLIZB&uK8!i$Fs5Ot-NM9R8coNBPH7I|?U z+fG%?{bmUAJ>&mhEkQ=NDg0N>vg!=r)B1l#-OfqzP4gydZp*ybhjMV zCpY(J-0|$p`-kJE9@tQk!0(7(Id5($GuZaT7*O!i(op8>x^fR4dn~44UblR2r!`NH zsa{Swy(%Xx6J*t-C8EW#=IO%1jn0aOg`&b$s6$WAJ7z21i_5(}`s}mNNq#(BY?oD< zq5UOf%Wj3C13KyRQsw&Zhd;H}Z{us4pfSdtcerS-adY*~y|zO0U$U-T+A&)|i{_sLDRV_X@2Clp`TfmSW{90>=q!G zb*L=Bzn07v8w3Y7s~%TzON*w_%4OS(HmvvMdQ;S$#*bk)!b$VI{y*xz{4L40-THZ& ztbB^n%F5Kr%*xb8=ONP^GBq=Y93Y1>=NwT)NUhXNan@9%G&ScO$q6dwIWff%oDoqG z6j4C=?%uuM<2&}dzklHS%|m_w<+{&no$Fj{ou9NjtE=4VRyE($$+)NV#6?@k>HCiC ziB;%3^FvP5acRFw{K)V(_us$ny-l+iLb;q6JhpJ@cm#gG#~|XjsRoas{Ut))?UDEh zLpt{DWW++~$LcQ3nL>Hdo%e=n3}^m+*wO+pihlbbecZ08Mt65l(kp} zJbo_afwzGJhm-X9O5zgg=r%SN*}9V+sPADguxm3V!_inx65~|AqT-g1hK`n&wzaOw zH>9zGRIKtS#OP5<@mz(G;BKIcqd)9D~^#dt;6Y~r%QyToNu zBj;;iObOO%_Ij`;ux{YW=LQNS&0o;ZlZIdf<+mwDW;laZyZ5i}+I4Z7wd;#OPf5P@V)FZXwP0^?1K)c}%JMT(ZLP0a#EC7s z(*eIC-rV4f5zPRj>dpTV{7GVV$=2W5n9lxRBcM=SomWi{_pQ_0{>--kATf3F+~U+f zQTZ1T!V0Io@}j^@As* z@sv-4NEixdAvGE~i$yNOu0^>lB1B$ROuGE)etTKHGg~dTu+_;Q)HdkOORcMpp}%LH zUU!u>C}3W|6VY0>ScUdUZCWL4PT?=7zq0c9P z)kVkp2D)-9d%3QE;9{*OYTzQ9Hs|%-SM(ubC@^-uY4FkJtEc7Qv-wDhDlu08!5pY+ zIU%91C+;1X>!ind7cSuCw&%p`+M^tG@_MttfIM!~M};LLGTZihM^Xc=Q8hPD{RC0Z zT*1+uqsCm2o7y(BARq@q1`+_JpZh|l4L+%3+WPj^QgZ1?z5w<6ZjgQid}?y>arDyo zw{E;4`4WI`&;2CV%F4>t%2xk=)W}rDSxh{lw7Ev<(%(Zi*@o2hO8M>%<*1+t56xp` zdX@$C!-n$s1aZVHC^^xJPp_0D%x8GoLUFZwnJ2|G5pdXa6h2>ZMi4?Pt~9oGD^aSJ z$0=+JZE~-0VOlF1GW(N{OB-KT@Tb0sf4Zf%TM<*4E zmEXlf-+XZg85uZ}ZS;O$>V9z{qdkf}+R6N<+8`~hfSpL0wr-c^YJR9 zig_8jF$TbQMzh(vqT;tu=z`zY&70x|JP=RvGTA`#W-tT<7pai%?z)(|!&{IDzOj8b zLomC^z&SI+gfO)`W+qmpN=_(CVH3}9%<8ROC9LC#qV(! zL|Yrih+CiffC`<)i!xM8J#^;R_)DzXyy&tt#v4px>xveqD#h$tfp0q|<>AhxEZkQoq*jxC@SH!J$ z7G{4!h)EQp%#t!w{tfsO^P%|Qm?}zE@MkgTFm8VB(4K4~g$cEuG!02vU?nIO3*r~5 z44wz_>euKMiUit%^%ve|Y5f4B4HIYNj1GcvW~DVvyGm^8YPVwVkwT3{@}Ze z@SXh>uOEMc7Y;=Zd?IAwYh{@uMiv^C`(6MPc&IX>TJh=>URtY~CBM3rLtw2)9^0MJXNL@yT}j z>Qq_!%j{cn%bnUG#^0LqSaCLMC+DxLUng{l078(A*UAcuMJeu^mt)HpKM8{ib28tV z%0uQ%%TC*^n1A_WGnh4XG=0A}cHX*}*Lf^AM(OWJdB^W}`-tyqU#>p`&wbWgFbqDh zIu4JLicR0|{qCNL-B31X_^}@DQ(^N9iE3Vz#mIsbAZdp^)mjoh+>oPMmFvH_Ks}_} zEMpMp9$4?8k+!k@8~l%3r#y0d%x@r#zVFvf82Wvi=*6}(!Eo5>56Ev@!vfxVzGkwq z@>cWKh6npzawL>8!OoYM@Q1ubG?OGu#@rjtgHA1;))dALe_M64oNYVSoTIJDAE{$L z7N8m}t@Wy_BCkO_*bN$c03)(Z+)EW14{smRTq;s>0>OpKoRdcTIgC1@CS=yE!{tM$ zY3mteHQVcGKf-~dm3q%eAO6OAPMxTZxkv%~J%O!2X6CInY8Yz@YKWB!Ql~)Ye+`nq zDP@3RR84B}8b0MaVwqk1Ay%0wc#z6Kc|Vx$R3s);v+P2^h2R!PlzNs1e=A&O&(LuTt8?vHcB<5x z_$)8jbU4*orvcfzTq^#K7{x!WDu)TEZx#wCyrE>Ka9F<#bU2ORknKWBQJaS_9x)>2 z!Wy(JQ^++lQB^NpMh!S?R3cS4Up5kBC@-z|9B+NLW4o>k6SEVH4?nD;v<;hgt29y= zQJV0ZVO5XUBP(3JUgVs{N(y#v zycpD`N{Yu@DS3`>!d-8QLVSCm`CfKG_pH5Jj;p@WmQ?OprZ_akkTCp0g(JT<9hn|J1-rDnF8%Hpj?W`oNB8ooT_RdBv~MZ~jWfFP0G znjzO1r$aiV1oHidz%qwU-@0Vy-*YI6UHU;Hr1^(363VwZ($}&E>-nBF&pMetw&o1I z?%nX8enKyaJ>M9Bo54uZL2o9<+s%4U*0EiX{h`=BmIp$EFEoC;mp%jNQhnhaEoanc z2(g+PLW6POpoM2m5J%W;fMq2e^Bue(PC9l(yI@)^cv#oZ0UI?a8 z9^$~b*OzwtdK-8s$|WRw@1V$pxcU6A)~biHDc}nV9{a=)xz{W;6x#Em9E+9Uo!$>* zvSFQu|I%(Bc|4ROXH?$Y4q+5Wj24>6_t#PTg~Puf46-HV!;Dx9$D@r{_c+3b*JmTB z<)eUjp#RFTwKw2GgTOKPi>?RESHG?+2Cb&z4IDkUz^@4PP7MRbs*)k>Sb9%Q5*r6y zuG*T<$Q7Ax&L?lLK%;~QFAU~O8jwY|v-O*2_I#E{zl4p)7TzWwoOz#!LeJP>Sq>qr zYQHQ?_0TGc%t)v7RxU{H7shU*+>_-MW>H4_7nP!VNpBQnb|~}^XJ8}Ca}q!;49ApvrZ~{+SYBQ z*bqz*%*tXig1bzZgW#*C&FCL6C##kyK_79pX7X*$iL%XH# zcLwl7phVuO#KtV#O}rz|szhLyONy#+YL6V4TOTkn z3T{gk5s{*H($Fs6g-TdjCNbE4@PZodQZ+rFo$hSw>`in-@4eUTh*o(L0=DuCF!}Fi zH;isM-Q_>iswsgLkPylziix2rN58Cr|8lAq+1Ylm*2qFxN+{ftRZmU4A5=C)1o7p> z*Fpvq@dz#J;+*E{uEF1Ok(BA)hUW|2j$d*ped(grg#WlXL+_pVV=!oPTyxCvJ}-{^ z^us*c3zgh2<4)uh}vWwK7j00{{`KWwh7*-MIe?{8eZ z*%qtmA7zOGd3Tz(y1fTE4t}(3;4H$X5@>FRntvr3S`}!x6@rmp7KM+O$k(agkM3_> zsD1(S(1CFl%i%!$#EY12DW<@s{hq@o-DF?&WP%y#GlorhnM_kK^DH2KaJ#BGZI18m z2#*zfV^m%daV2`uQC_sQ0_VPP$}xwc({S$3j3owl?lTyGpu{n!hJ*#(o@XgfF2;!a zJ6d~Gf3m&{1Iqk>$czzNbDP>NQTD zxk0VU%lSd9-^=e*xEBM|z3K*q%|KQxz$4`ecAM3ny{z?hvH1PTatI7qo-p9kC7The zJfG%AFj$s=qv1>g7xo0S=)*jc&xMRSV?u6rZ2alou;Vbd^!54Ak;|N@z+)!?B{L&t zM>okaY_k(PtT++aw7#{QO?xRA$G`;*vZ!H|CIy@0N}QVYF0xvJSNu9Fy02g%73g6$CGB1bvue;Y$u$xA425(riV4U40*0&4& zS;dt%ucNoV=hzxL`=spH0gK3k3RL)5e27uq#wh(Wkb-)}*kt17#LK1_|D%ldu}gi5 zc3V&DPRsX*TsT^m1Ipi0R-I~2WR?^?p}ZCKjDx5St!eqFqsCwkubnNqr9+E_{PCdy zw5?st@}Hj?KYE};#6o)arnZs=ci$|ZLDQ{1nRTti08j9nvc`?N^}#Z`geYjH0d(5bOxXjN}qr>ged50;I( z)zA%AubGKvV&GNnFb&RX9|dpcwp@!f2>iXY6nxSeVkrT&V_BlDL!5p6*A=aur|UVJ z%MW_3gP&OWOQR8<)81{g&>57*Rg9};FzS(tp024L z>tU$yx#s(6QgZ4b=%Ad?-T&|0GIFy7J0RbWnBmlrXsjZ&4J58~ z=5G4Tn_Jp_(D*iJam9`*4bX|Bp7mmc&j!n0DnOZzr>+TXLt1(#F@5SH62;`Coz)1< zJc`5nf8Lu_Y`zMhfjrO~WTexOIiC$Y6`$Qow~S#6srYw^K0C=hnSc2;AC1VjFDgmd z;CE9hN+r*e1{qU3Urcju9suc)E|EKJ%{!c*KQQ!on_KgHyYu;;`yKkq!iJkd zekt3#P5!l+uP*(kJ%s^7tXVH^7IQAA9v$fE<$&K9MGhRdgx}m|mA4TFOf=Cck!DRp z0B^G1k6KFFAaMt7yZPQ1#a41{G8?pcU+s%>{fC0QRBniaWJ+#vT{Iyo^WWg7heHM6 za(|j>N;|Y8H#HZ+=O|LOB{)wx)A4%U&m$rOCj1pY2h;22F}y!rCZ(<0!p7r6z|Ml+ ze4wQH54$HAhq_THYXikSEO8Y3;K^mQPiM#0iSjYe`Vcu~#q;9QQ{}1lO%{fVq(E)X zLT|labRpUPoH@~%07J-ay;`sNCbcGu z9Y2i^-bqFVkk_)R30i#U)6wS{pnMa0qnEJ>I!0mi8cHH)7D~;I#;0QvOHsGY1+5T_ zFB_CLFI&VD7_t7jrg{~SMY*xH+6J9Km*RKcZlX8t!?x!5v*f)?0tE=U42eFypLs=n zhVODDR0G^kU-!Y^@>s0$Ydw|!Y}aZogJ;_p6*%jbM9JtyT^tYv1OgPk}Txqu0mu#0`Lgo(MFv zmIm}-GMA9$&1HcQFE@xK6Wd!Wi=4V?O-0+kPy_prj9=QdNM=Vqp`P5RI|{GtVTu>A zqwvhoraT}$7^4~}w(|&n>h0LLNBwfdz|jba6J>|ey)i~A+{{}x4|hLM;i_2YlV9#y z0Wz&>?KJDOU0q$%DTjkO{(k;H)HlXu66uFEHb25AaefhyFjlixZR)@)+Ed+Ih zw~6+)YiOOS$xICI{>j~A<5_+$6IW-pli{R5aUhJeDV}5DRt6ojC}un0#>*tg<~E%l zN6K7(&Y6=Jf6ygY|6ooT%d6ew{fKBL7nilr^Y8*L@^i%Zo97$e&fcE6oS&6N8L!z; zkFU2DkH#nWsnM2-ag#jXndmoekL$1gUh8cjg}!F9WXgK5^k+8#dfZ)Q<%{f2Fih-S)Zqy>kl0%jB_iiRr$kt1{L#LW5rTe>bNUB6F=0AbBhQEgPuyRz#d-Vc_ zFNWOkbdi~&4|L5ic81A2S>_Vs4wdU4;)A=!OArVR5$ODFZD$E>&d3#vW*7T_?u4KA z>D#aeu!T>MJp2x;Y|HSCTS@J66=r*rGgmZcPgxd5c$!>V7Ha6Ortm+-1~KpcI)j?e zYdM$nJ{rg$&^-c|_AXCrlDy05b|1bk)~xQnNw`38D^>cYUl^)sD+TlG{G>*RD0n0x z#;O(%v;fi()bdiZ$~PbW{)l)YAezm2U!EvzD$DyUiJh;QiGExrD2D5V*hvIW08JVC z>GO{#^ff%P-W+VMi2dGF+9Qk-e{@fVKAymzLui!zXZ zWJE0eR~^wp>)qxM*j&Ee0;36&PH+QsShO6(2b1bf&XRVvf1=mJs zT_g_QsO09)pi~1CZcEG}<|_q0>q&Uv?H1iz(^m6%A?yjvV0C0*s;$ox2RpF?*cS~; zgff5q!o^FTT8n*+s}<|E4UD?huY-gGZN0|gMPLzZ>t;uv_&b{x^>kAGhBZ}E)m_x< zITp`=EEjDp*sSQQWo=F}I=ftvk>|<1>tc;j+p}gSx!NH0^O(n0GJQ2;o{5^7mrQ;s zQ^wZ_3;l{jpT5^0y5#Ylv+GyBc~o&ascW>V?xZS5=gkbZ5Q|>=(sx8 zBy4hPa|T(o(D|c1zG=WfI_qH}^IH)uLsConc;ZY=)p$*QC37JMweQD^oTXmbg86&R zGuj-0aXnA=nJX+Ry-zE{gGUh&V)eiaW0Oa`L`_L@I%-)1#IdJ2aKo=NC{2ZsjhkFb zmnpr^V9UN2;BmkBxTq2=&lK)MH81yQvTONWqjt~#6$x4~9XfyK#0_?UaWHdx{FsF`ury~6Fgw!RwrGRRi% zVv2W{0KQEe3csi{>(GLPNA1bp`N3!rG=L&-^>w&X4)nF48>OjN9$k$(LpEL$ersu_m5nD>I(-wEx9*cii2diMT_8uC zH+Gt{TxJdt6APb{2g-7~&YP$)*y|l8)yRiP3JNCyx#()F8sbD*dSnzJJ5$HJNf;qt zM-->*XZL>Vj||j9Qiplat%EXGF`oG4l-jIVh+ugzy-{Awcgg!UW=2Vtosyx~w*fO$ zu48Uq%p(ySVHy+jO*WLVuQb8PS>BwyM0az!wWdgh2ksf{Ca%iLaHXDI`hH+Yf+S~@ zsdQb;?^h^wAqS@vK?|Zl;ymkI{4O%K*QMF4;blw8rQe3{f*MH$7pGiK4LUV!-TRq? z(4*Tgc>fy1TLLo}#-@VO*dbYSFjz@QKI?n z-l!MZWL|7FYs?@Yoni8G#;`)w9qT{3v@Mz|ods8!V1Eyfstw6~8a*&{>oJsl&UoTk;4tZ_Y1<(SNaLe4nkPzMqiNy(4daJ5sd$ z{Z^w+Hfd((pIaY3COLf?$eJ-?EVM^_Y=VU0fCP#!Zx<8I{%BbVj@n6PfaXWTdm8yk z`h@8N7isZE*Mh^1?wz8A4GM#I%UF&@hE<>H!kqV&2g;@Wzb(fFkSbSI@88X-Wi;B~ zKW+UTtO`s#hq77wpTeW;jg4Thuj6K)72occEbOyl6@)%D6I+e~!{AlMe*68aO&q#7 z|4Il@^xn=XxdBA}lt={$M7%NBVRJ;OylA|*S36Hp-Yo;<@!>6fo8gK7WNp-{I^V8M z_&R7&5=5*+2x0(%sGB~!r!}dzp*;>*ZKx^V; zs%vVV50HY9SI~&j0w0?N?u^OKeU2C07cpQot?)r$Ns-9fSt#Wa&`_-Kaqsb$+x`Rg z0)5-3Nxu9(0vi!%*&E#P#yMAN-w&@6hzd-Y`y~fuz$WwW?5s|WZ*FK3pZ{Fz%OCS> zRG$bO_+q;{M&7X)b?uT}OKUrj|LUx5r8a1)r!#a*2R$&Ik|E!?{z&7tefL5}1&BYm zrX}cAAui??JSnXiGbSY~?({=@n!)+On`#GzXXXf>H#vOwN95TP`ilV6t{*jdZ__+v zsE{Rc6g6h(BQxeb(+cRDI9BilBpeKeMg^)#1AJ95Dz|j{x7m&t;75CXKzMpL*Y3tu zVhAPu54Skyt*$A(CqU;LO&=3IxLF1d7rU8nymI1o!=QzYY-Ceci)^n&FZOi-g~Ft0 zBCm-dn&Y>$?bssT9|0pr3jsb|56IT>flfQwfwXheA=X+W@EyZH|=4hp$8@xiSe$d zD|qjckyi8>on0_hw5WMZYpQ`EP(F)8S{O|wqnLqX%3{#j_Mio2f8-H-dtJ8jngE2POE;DH~jm zAwW0${cayM;Rcg~$v25(gB$C#7lXN!sx;G_)(gg3+dFJrh7r&QeL&`W*I8{zU25@X zIe!M2!S?00!Xqn<;zDgwsgPtrIOA(Lp^jEOVPD=$O5b2@j%aQ)-}DhTcAiek%Mvn{ z(3p8&>7!!Yp)&cZZ{Dm|*&Gi3NxOlA6NiRU_!nnu;W2{|a}*!k0|tiQAXFw8@tp87 z=!TW01i3f|DA#jqm+1zpxOQDp&$M)o;#?L{yc!|bijt5hb9DZ!u32NbQN-F?oz@I-C0jT(nOe=S!AI0A582F792{WUD*r~!gRzl;Uaj1}n)Kdx zm$8EQG(iE0%o@&Q3Pa_E>rU8iXu>4@=x53E;tII4(535;`x!0d@J#)XZD6DA@L2tqLJ^L@MlJz*aqod*7$D^-WxIDn9t%I9Xh~ zxPEBOnZ?~B!5z+`&M?FW-^rAwiAR}z?ZZ!IKkyU3;iP}XD~g21Bx2Xxp1%B#(56sb zy{Ge0fpA|B_o~bNlY))M4^4p_8ckniDaTw_JFjHSj6Z}E+NgQ)z9Uy$JzMG9{r3f* z)C$cOPa2{m?uPi>1VSBVb-n;~_PB|h>x~GBTu!%n{+UFZNAtfpU%GY{%8UMYWWsAT z*H?Mhqw@@glU!XTnNr5DK1s$Joqx};yn5%lh<>M*yrw%aCv3hf;H%^IDAUKj32^5F zd5Uu4Fy;&O&L}YBdiR!7BH%4D16HJ}2=UB!tFz6mOMpDPOO0C>+TIl46(fzI-4|3! zj$@Nl6g+GD&AiU~)bH`kc;#Nxp-cU^TX(3@-+1?cELY!W5R3cZ6-*p_jU~Zs<}9u> zm{^lYDKx+Dp#pPbBJrtS_567vzFUg)P8hF1avI=GT{-B9Z&92&2RR3K%d+XxFN_Mb zK?aU>F27LTiW2^KAv2qu>loWJ`;RAs6G7(J*n64=w~OF2H6tfhnk2ftG~7(8Ic9xo znvEwVUKwug^&e?*&Y$0TY2hY_ZJevIYk!h2j`_yYg?=8&7`9~_@iC2Sf29^(B5&R~ zd*sM5!Tq1!#Oj;Ioo|eMtQB_}c3kJq*>zGdT_1FAofHqw%{i;?*N;DVF!aKnO(ecH zD77}D@frKX%1^F(U+vAc9?Rz>_27+hb$ajB2CJ}R3Qp~%E^9psC7&nln+&8e36>sD zl=M@J%5c^zj?c6$l$^Mudg6$WgPpQ!4Yka|6v#1pId{c=;O?gDtX3BQ=QC?YVPlz< zoFBIw$3ocZj-qKctu~j7;u+=_?VRTT`0MI_w4|*Ocw}tASwZtpf`W6q9B)T^g}A*t zgX_|1h`iBq4C3i))|ZBN9V-(&>ILwf2JU8ieysPQG;C|h~>O6 zbh0H%ne)Yh?!`MD0x7MXA7y-8sIV>`q!Ve^iuImZj}>e zI6Ulm+2}(5QT1~9%MwjTttS6j*YKi%Q?+=_Z68u8{>S8S)}p*ix=WscB{=8_I9@+3 z=8W=lWeXSqUKzhDZH!6@7TLuo^XDKMMo=*85x_cnm@*l72dtzgX71M1+ z4DG}Z&RNP6@B!90r=#|-f@i0iB3g!geG6syXXjF7O42*TXvJ$8eh=LRV{XBW3iqtc zB=?f^u)qWbR(!gV53c{+ptrKZeet8?%9NpeB^(D{sp#r;DU!vu+qn+}Y)Ux7=uK|T4Y2=m40T9##rViQ zD9JvfrhB^0o&SIw?v&ydnYW0xkOVo*`{Ut?qhIEbbD~}iay>U*Jd`0n ze^KR+zbSq|-s0p;=B%wl_1A>=5v5rDz^B$U)qmFKf_^1piad@oJikq~Zc4a&y%i$v zXb+^jRTck2A7@Y!>{I_R>E{*4B&W+4C;E`MwDBAB#osznNvQLlQ=)G%T5iQYe5Tow zEW7hAR08%o=(0%NqSCs(yy~bB)$mLwV#L4h_eYiGhfQ%mlH}7JT+e@d5tl^h(hJ$7 zzPTd(C)(vwc`j&-`4J+2SSn0bLul?(^V>&TUq6+m%>vmjB@ZGnOS3tQsR;G$-`qA+ z!&@R-j*^;w&k*h|iIBVSVa1yvYOdWdRrhMLH@y3|Rw;fZ{lVKJ#YqkB3Z^v5+#t@}0(@C4*qtWJ z+I({Xv`fmp|K|x2c|7kv;?v|6n$hx11-Gs9WhLIA`lUrbb_mF#&N(`H@5Zoy z#Ql1Uxee8s=w>%-oW9ydtU_Ms!VCa6|o~S zWX2uJ=1gqQm=Li-#y>{wg)(i)mtY``PU!RR-EzH*WQ1@%u(N}8UtOHwgXOAYp08K4 zhnJ5sfZ8rmZZyeZe01}B+K6=5YfKog1Ck^~7M`DNeSFdOae7o_+dF+I3E}o^9n-9B zXrXvU!95ThniRWOk|r92Ig&5?)6ND4cQx4B8*F1kyUoNonJ4cRvA&?SsIl1IB=ec% z^G|VFwHI9X+`3SX6~v8?~B+Yw2ZsW zs_X5-4uh%KwcYhw2sP*;(JQ;Ey$_L)C!r*E?eT0Ql6Mn`b#U~Sqw!nrTY~MjI`a7m z$GOY3hUwmKLz8>;c6d4}?4S0ve~MV%sXQ++tb>(vZb=`@+CEl;Gu+VGndB}1cNF*$ z&EBSwBHR4=4Wi}+j$XpLmTp^y-_doKQa_)VxcYVnbWQhxr*S>z=wPtD2dv*Km>P(nba)QTVFJQk&F4ZkHI8M<3 zQ`TR8o9`QX9AK;U?XbLDdPkf+*a&Wc z^G<@5I%unjjy2LucZ;>9mueolQ(CvU*l_-GbDgXG-g00hpvI6?KEQUd?RrwO(<~fo zC{wyA=npJ3d|0JhJRYP|JQ;NhhERl&i)g@HKrW$Im7Uo++-F|6tE0faa5LWLksoz4uitd#xDzI)BSNk@1;MO(8W-2VBwbzMt zh!nE$<3v41&`gZtKxa`E?M}qPi7C8 z!h$w_LUZ!Vw=G%-fs7yGrdN|Y-+;0eqy(;ae1eOoww0@MWTfmNBZ7=fF86v$X< z<1YV)7b+jTZX<4KC<(F-7{NQv@P@ zR;hLk7z6X5fYDQ8Z*2oco&iN!9CA)=>Q_5=558tU)Pu?>keU-&DmJz*4Li@(C8f?e z5Bn3r=;xRag*Qb>^0@U!?mu`L<12^HgC%D!1T_-1;iJKm{TW2b*0A5fb}(g&E8~6x zJvW19XU{sypCKX*QlkQmd>SuX_7cYPx2JxWpI#Ps&BIQwWqEwnjpcpIE;9dcTVsqp zUc!2JIwUkQ|2U%%J66Q{T0&Y&F;B2++*`YmUPL(K+YJ^>XZXbkF&4!jjT`?|osg4n zSiOtmf5MlzjcD#LP!0a)6htzSo(&j;ZgqtZ$YuoKlSxl3ca%A4XYYew_6LG!qO}*3 zy}3S(mF)gOorb8H2z5NKrNU(nB8TBvZhyw z-!wna+g!LFihV2)Ajq#GA|mq2wXQsunPU;3NcOO2Byx$m4e`jy`%z0wE;+B3;#zCj zIF&axz)~cqur#^UT`omE0#Mac@&YJL^$^*MCVK3DhO3~5`yn*W6NJg?^{QM+g`oHwaYu*Nft z-(28hX}MbEBh#1gey2rYI$KdTVgh2pDZQ%(M;QA_#N7J!Ky|I3yX%q72d{R?Vejs3 z^%4F2t|I&(B&%1EZ?g7ICoStGd^x$hbC6ntTBZgJ+jBq5=P<(W{Ag-(y==KG6BX#3 z6%?Sdm6QU>vf%!91&KFkjXKjCUHw_g6C)IGrg$)u+ECYZKu;_a`(f!toco)8Qb1KM z|C1g%jTE?6(r_1Ke@9jAP!6Dk-|-j~&0D$o9E z60+$}*=6cGmuzuAcFw_27?YIk$+!Fh4^phVvNG zThSzyiHa@haXv<>`aZYSJbg`2gCkvA?-g|^AQ8QYZkq3BRA|6 zmXmvY8tsptZTDf1vme6LHK6eT?!AEa8K0^J8~rTW0ZwhAiNX_WcsZtJQPi-x2|onN z=j=LaQgr`uVuY)@yQ2mx6FV2oE0C5D^)fV`9!vn5>gGacc+4;nz#h%1IsdA_dLI3eep03XrSY zhoy%n*!>q~^)5xr)#yk;S)liwTnnJvAH4n<0JTA=$+3Rt_kHFM7lUe_E<7tgzlgc1 zH8b14H55#06`c0f)6-ReIiW zWbGpyzu)+;(TbEHa&Vs=Rh7II`}4N>ljulj8)n4_yYI4J38X}beI2rMG6&|6iDj#= z>VpsYbqv?k3^hKiHi1?FMK333?PI-$0<^+wwOwa`#lhBLlFuyr;Q~o|p|I?ko`6csE}N2yNUg z!8uY5aE4p)CIRdHZwD^af3a|Q2QueeG7jE2oyZif>@H9UXrBLc?b+q^D7SlBR-L;Jj7*2JR%%A_1*@=>k7){!| z+nk|c(JXr6nVG(2N1*z>pS#s?udI9uo)NfoWL!C~?`O$xHThfR<9)8r zL=U}<%Oot~t#1M*Ket+q|7PWSSWFNowTdv(uP5=r!p1+@0)#qit-e9gyPs-{=e?5| z0B+Dsn$%G`FoHF#UsCz(fL!<_t8o0@V_n3$X*$n_+*uejzhzo{O;K-T!kIP~&LVqZ zpY2q8Ko6x5VL($G^Ahs;cq-&#c^KF-w?w}Dc&bOFc;Ms@ASpoH5SSW0>77L4N9Q*5{2OZC*-O9NIEGUi81gh=Rmu@m?s-uf}@$3T!Mqz0K zDY(Ip?{xJbUmZu=xy&elSQquGc+%@flT~azD0y=pwk5y}tEnuAh-5Dom9;vLm9<4r zv@3Nne*3B~b?*i_u-94oGiB_$$3l!_IVA~eoYB)xyqcv92F#c7RfZ4((s*=k+B|V} zxbt0vA3C1xIQXfbq0DG^G?^6$-#io4j+;5kQV}jnG19}(n3s{i$~#&`bJf}7c6Q4N z$FD7R2MJzAh96SwyzW)U;G|>Pl3(A;l{^o&q0`Unl*`HNy!@x=nm{i&`XL=4OswC%$OKzjbiz3RXFuQ;D zY4XGU576-wP;yDdvU3joDARBK)QoTS%`#o0$8cSo>_73zmbP*w)vcRsl4BbpC18y9 z{nm|MOPsj!RfPU+*6*1_U5Vgns^3PC2*nD}4q01Ywg_DEs9h&aF>(q|RBV-(AJouX z3}SXj59o?|r9}Ar(h~Sw;2PJX5yKBYJI~Je3bFRAP4QOzS6@2T&q_M*8wQz;YQe9P8M`=*uRYoum}>v zuA6WujODK=wLcF-BkIgtJv&wIXuv`V@!5FLK)EzJz9SHhZMMLow;Aq5vxjcgtyw?d z#IBtBN?kZ@MdOV0v-beRVI5P$zF6OxTqHZRC34&tpYZ*$4~Uc0$Y(O`NdMC}ep(?~vP`L8+^dt~{)*JiuR#dqz|T zb<3psKMx*-BOwPmYw@O_ z`lpr6&hD_+ZTEwFF2X+`T5c;gFCK%;%9F5Tt^*CSe$MlZPB%#c)fsX`Mgwt7B2W19 zZDh5N^;~Kfw6)q()Wb;i<>Yt2wq?l9Y5dL5(*P%j{lm#|YFY{XB1@Y9BgeZ`dM^5E zofY^A&?Cl|9dTm1)^2a8GFkgV41g}>YTQXo$b1K*=3tmwLr=}v+)GY(c7MB)Z`^65 zN}YJXe5juPaMm~R%X*E(T$Bdq+BO?sVySIj>{eQP(F?_zu$o%V^zH4Ky;ZV$A!DQS zc>@U`LnrvFKzw`u(D|ttF;#`_<(AZerOF<{;-`rc=s3ExZll#=wfi<@DJtUagcN$q zmI9v)9c=<(d6Byk)G$Q})}XQ9mUcD%Bp-T5z~kbpfjsZF&&d{?XVq@Ir1i6fjeg7b z<{0=QbLezN7|N{bHcofRZR)4C?tF(f$!td8V3#a*De%+Qx$fr~ULRO&GSY-}I!4#> z!0u<+v84vN9*|P#h6X2@2<|I-Ta7*B!BPvJ)<{2d#Q2<8`OoDi&RJlz0u~CK3Mz0T zWzA>$#`^UPT0XY}N?)cb=RKn~{oD#evw?p0&E4L4TeYW{3D?r@!0(^hK12CCV4R}n z{Ob0A({AgsyFLD^lajH9e0CXS8GC@zIZgYfSg z%1$uteufIHU@Tqdk%@0kfNzB`wnV5)m3{h#K%|c>5$MRX$T1{#fS>xaSJfnu(}8*y zjxCkq=0}Ia0{9K;%d(2(v=qoxDz%YKa$8e9*|I{*jS8%WeA@UIKC|=d|K&Gpsz(V< zFLJ0}&|L>|dNFW7Q zj}CeKXM_jr#NR7@(h}DW$Y?c+0kPs0KmMJhe5NYCBGwqjnG|DyPRUGuR}b^mQQM=r zM|Ay6q0Byo+}M)~Nx~A3n8RlippMklE}~-mrcI=(-eB#)Fy@gJw2y z3wtFBuU1@MD=J&5IAc4}J9FmN){T^X2jX^t{l|Zsbe#Jh`6g+*>hJx?zazvn7QXC0 z;jeSOe6N1v@H<)2MkQvO1ukiQKpM$m-Tfr3S@(aKd+(^G_itNN6a^IN(joLJAPNYf zgdTdNqX-BArHUZE1Q9j#NJolvX$k}p5UCQnB2}8S08#`cA(Vsw_v_y0+;jFm=bra_ z`;PI(`-_nQ0~nvOK5NZ2*POSGH-3SR@G?E6jmsKe4jjFPUR8eredgABSdbUBl70^8 zMi6RPcU!nYlEmFyp!OCfT~m zzVl4KaK>$cL(h{B^8oMp{dFlG$<7=`NlYpp$i_-7tq(18F2HRWaW?!Yvgds8;@Q=b zJhF4-h*Y%Ti80&lAk(jJTBj@A(r@1F+tux!ka)mzaqhYxJoMIm#f`MR=%B5xTkhp9 z_}#kzE^qXkQ9gZ*ryAukwv3kYf=a$kSUtETDc!t`C$wv!>N(FkBtC38A{IhCN~-Ux z>|xB;o8z9X?we0F^lCzkZN1bQE&L5zB(xRFfJkRA2J?z6Tst}$)G7T|&_d(cw6WRMutw}&%L|Y9|tuINZb~tWX!^VxSm*z4) znFmq!H9hS;aq&KUceiDZ_5&H{8@14Xr+V<37wjt}$yH(z_XK&Iyl7n#`ZGez7&2Su zmXTW@H<34ASnT(Srd0T+xbP@uqbi%u{yOts@elW#KOVNk_r1U3ystU}^aIkzJ>$YV zh^y%$@_pwMavD5N?#_~Vt6HH#97~gOR%}lGpLE#lgmMFaDh1Ofw6^{D0~M_Ls-;H& z9)f_7^_7g#(-%JFNjGhitsv5lFK5ol9&{ji2bVKG9Q!Ft-vkRJj@^1+I_#0`tDrSy zv_Jg2$#TnOJpEDy3XI>b0|YC^pJb->1Aa0s^1qS97MSlJ=<+x5B%Jem%Uz z5(0gRvc#FNH%QF2H-7*1ZYB|Z>AFLCm^cV?A_`L>dNQbe*Bdof{+z*Mx-|dv+DVXx zlZQ^Rs8#3ENu2Of#M%1tdC#}TBR{nQ2Hsbkxayb@0>2?VI29i>c@|zGWZb;FZlqXs zoEHf)A#Xip!-sb~<9h8tGt*0)T?_YyPMDt?|9bdXtseG7&g`g#GCVm6*Y-2nP%3+C zZzk|pbI3wq>&{lQl-IT6eEl8LD`p%g@wQi7^!~I*b;-N0_M#EcZfTa%mm$7cE<^dW z@+YI@`$(Q^!OUHcFC5F+g$J)dGeZr+Ru}bP&rRwqWHNa`e8x!bYUJUAbmnC(dK0a-4 z(kt@P-X74%nRyyvIe`U&vU*9&!|3Bb>t-Muo>)69PTH4%{}h^#)Cx6H8Z=dwSKi!JR6LL=kb>(@Aq6aWYQmC}M8j+x-u*StI zd|y$0vA38)TUMOovL=n|%9Hg{<8rl)5vcqRabW`gY2EtNWn_!~Wy*z$ot?+|Jul6c zI-oMmgjjvrjgI_XNi)s{ZfOD0gj0pohIp|s_-jOUv{WyA>J z32)B*M1{VXSMM-yla~IKm=UHN1ffZWX2IHjdo=|Y+iLkvtM)YvtyPdxP7>7 zrMFnH66o$3B{<(|b-dqpVtB|Mq|M3mFft7Ng;zPyZ9wUY(ng~>bK8Q>GmN{+LyUy- zEdM*+$(;d&)s5u~`hyvQD8**qDhO#U?^*{Q;K~>&A0v>2nfd!ENFQ}ijW8WgolnTi zm9{=~I5o$aE2R5P>))Gad!p#SSreHEW9BeeX`avBW|$e6Fr+n-oUTO zy>Gb1u#u>?5uJnF9}oHAmD$jHwAWB-gaie+&XHVd4+;rSgHHJkbs)c6>Wk2iblOEU z6=@=X?z3G-!<-jiTAa+i47&j0w{PBU;qcHY%dzqMQi^PjG!d!kB-dG{p*NJRhjn z3-YTy8kcIAPunuMIyVelET!n6*B{aP4BOwc;PvG985cjSqtqq>r(9P1H#}cwlF0MN zti=tY_<9_}9Y!_i&D_cm|6(9L=2Y_b2G}Q!tXsJc(Xl`GaGmF=^!chHyjJ zGKLuilRS2MdfS_DWcTY} z&Uj5gilyo&RVIj|j6TJzjMc*)X2NdF7Fp|Rq~a8q{=Hm(lh%gt?a0t2`@q^PYAtC8 zC*awQ9m)3M)GnJWWOZ9seeCe>o$9$1Lzy;_S^r;Wl=vmne{Ii5^~`*)`RaP$5C=+E zkxNv+y1Mzc#4g}lJru$H_7~!?6o~r@C-d+2Zh3S`OwYV>E6r7)k30Ecv$gev*@PR) zm-PpkDUIJDU}}XJahU}e+{tnqkh=b5SwN4qv*=gjl1Xo6o>jH)-2aZ*-E+TV_K~7< zH^)6aC{M8Vagv_=B7?G5xgJksP^0&AeAdm@bzoEfNRWMazlH5c5vk}&#&cu1q6>3B zPGUh;_?Di0ji?ci>V!2b0sGKZZ^3=#&jD&XMV3~)E4;~RKikT}EN8E#{K6dlJolq2 z4bjxzykxw!dwtG;jke`-b(wWQx=+A2M5Wv>m4_L#7bn_cJ$!&3jM1yVL}KXgd?TUR zy3gfr-4@;aeTGMD%(kQVxj7sXfDZF^lp^0b(~qKASLkqW7nt>7G=DfrC=(9E&V{cr zU>VPJpun=-7{H@eOsS@{4aiAfms)`QAGqbF{ks+bWvDiq1-5k8XiSO4{NZzyXQ$8? zik1guE0sBfauXw8{WYy2#_Bqq`5LhYofIFF*ts9++~^mt(Xpu$SHE$d#_wc@O3&}4heed z)z9c2?s0c6AOdAX$sZsu2||vYEwn1J@|m^#*YC%Qa9wfBXt?Pn7R;7oA4VMa+l(n) zr4FT^5(hBRZljP$@<%1V4IHvTNfc-t`%Hw7lr;uawf4uZTUQ=mjld12E9eCxhF_lP z&I5+LIm7enbQ(PjtI<{&JmDSEzZ=vCR*<1(aC^pHFD!zT(!Xj5R2B5Kvj7&7B&q zX0~O7aRx_BD7S`ead=4G9ugFAephG4$zTi9tjh4LISv7&y7o-3W$-XU0l@Hq=W^DV zgb%Y^)}mV0VT{A;MzcBJ^fwt(kKe00zVo)?hD-hm{Y5li$?;xR9htjF3*UY}JtsMQ z6n=XL1zCA*!?82YopW+jKjpO4%w%pm1-#?*qeOJv<>SQVU$?GtjaJzIg{|AE?(W19P#G0pzt9&~3Df)JJ;3 zxc#>I*J}rE>5WeM&IjxmJNy)QL>DY(b$!d&Lplo9s@e{10^(%k_{$q=Eoo)U?IP3m)vefn2D^dV8(f!r+`4D9uM##`o zsB!T$@9g;j=@(xQKWABd&}sd*i1+$GMLbkA^b-*Ac3Z9c{?16$%@1VE^c*?n((P`* zKDxp%U*oLCcoGz&MY&47XjqaS(d+vb4}Ag_C!lf-h;ebn3b0#X(Q^c-ho2SK9 zk#TX`Rx+v9;_~jW^i~YaHe|f3G+E6EPv&4#l2hAV>MWs#Wf{LyK-o0OuDd|kzPtyRlKq7-sF(=Y0b8N9a zcq!4GJx|%}bF9xxKEw-Oee!DetL=5KroL_$>q^o9pb*$V06MlkqqexGEFbqS?tHoK z?J3;k{CWX>^JSo9sjK=k@XqVEqv7b?H)I<}m%}YY_IH4!(>zV32GFqL5961XJ6lFDtw(+^we*~L>%X-@{vw{5EK-O}hw>ADVJ~w?$}g1tR7y5R=jd)mFdpr8e8$oPCZ&8p^adPd`MdI{BCO z*`9q`9JtMoEP;Z;>ojAdSh~(z1CnI$TN3s8Z&(LE9MLOY(F0gJUasp%mYQE`p=aL{ z(*2HhuO~t=ozE`4m8N471u|cG=-_UiRNW1R;{fW@UtqEx!U^%!mXE+(MNm{06EEuZw>}E(`*T~Q$6KTa7>Z~bRIgJi?mRiif zYwam1dP~u8+#OB$nvkZ)3u`!8f9W|l5gkNZk+dH}9r$_>)6bh+PuQrIRwg}esq-#w3TO$)wV~kcX0Q|oC0q>GhRsa6>Oxwll zlYD3%PBY*;6MqIgB%twxE!c(Q-uE-lT1G{ej;n?qhG2r8SL2(;UQcARF5f!#rSClg z?ML$HOI_vNSN%mkY9UxM;B0U~S#AjSeg3!3SXIdhynUsxG8s|o2mCjsfI{c>t+x5r zODRB<+xgPQHxI8hyLLJ(?CVL$XL-2rr#Bwhsouj6bGUJjc~O zB|@pmWp|E=tEeB7OhDeGP|Z;7EQ9R@dVDXAYjzGWMvP3Aps!2wz4H3O*(IAl_J_Zy z?06nKQU|>Z>DT8uey|4A^ai%xM>Di1#ML9&>b2Jsg-QE*K*pzL{nYbUT9{gm?}o!m z4{4|4nAHav3ju1Bsgh{rF7%_r59=D!u#zE8&w~U zNtphW67^(z*MhU7j!52|hD@o$vTOIPuC@Xg)o*bJb7BF-$v(iVaGZA9`P?nID6ZSG z8YsBm!ea;HFbw^50b$g=&opuNX8M~a{On(wkjtSjU7U7(t*&#)x!wS>^dEAcUr7OD zxe*oe)(+*!?~HBHC{TodM%^xtE_78RFubak>ExD21GyTvt+n5CzVn^6`KsE|R2x~? z_}Z?VTcXlkZz5!Oa%qGJ$kfhzd)|{-UyG<4aPpr8B+Z13*=+C32lsgS4!A&9y<7H` z-#or<8uiBI{kezLYWq2FMXd%`4;wwa8-*hvXBUaRTCHSLj2j?${SvWPO+*}INM25{ zBCecYhx}^Gdl|7<5|)tTm9F8|8XPgUMICl&0=xHf(}4v><4jlm4h5 zMelFm#1HVhaVfpL**BpH$9`+8IGw7JL&k**zO9W2fafxDh`u`19y!|8uMVm3{4zBa zPd3;&+CNFTo9q8IfCf2^I|km~o(fr@u|lQ1^ZeGa%IofZ$Vo6H<-^@f$7fA=2@?m& z7i=>ZRmrZ;uV_xrIThp$=2_VVKeZ9Ac9G1#1xK75(T{AQHwIPrRV|4A(n8H!4O3w% zcw4EHpI_0_6wVFhuSg~&;LprE1`T!w&L4$7AJXknC>Ragc=sf}(<)fylVe<8$P+0E zwM5H%=S;5KiJ$_OXL=97u{SFr%)ZbB6Zn$KTHIArhAVuP>PnU zS!`k`c=b@9H$+O{<#)_#k0?6U{$4c&zUXye&aORuUnKoQ$AORTSaWYX6gw5((k>(G zC}i}p{ZT~l>_8fh#c?=KDzpAu{0TJM94I!G_W3>^??;@(9b(qO;od+q{Lc_GT-hB3 z{pof$dOV6~Y6vqBoG5m^S1_L_Upwd6OH!q zwD@J;f$B_sN#$S7@aelh-ZUMStnUU1V0ZnnH}Ad_-$MVO%T@al5~AYO^{anXVqXc6 z2{xm@`0>I?Ho&PYnWFU`=@Yt&iJV z?ti_e@#<96@wSY=K3_R>%_$GkPX#Z~#Wd>j95Z_zKvO5nrS4mmNi>U)Fy5TZ{yv!t zVvB|#VNJU*$=x&}j-M(VQ?SfO^-W~uBQh!|7IqsyU_#Wg?1S-q7=Z;~ieTD0cu9ql z?PzyaG7FN)p}W+~M{7LuO8!pxg3!yUXSV`zcc|+wPd3 z+#sHSkd8}81P!q!MG9>=9MsQV;qfgtQbuW6%V>JiTp$(((#!^{#lLHEP|_Y*vMtjn zf*fr!wHDX2M|z(>-7xDD*hC^_@0_9j9J~PvgB-b5DdEq=i{rnl4*C_TiBi~ zJ{$yb+V(f6L}`lU1OkV`yJ5O`ykGF$ReVSe^Ng6)dX1K`dLR1r8%OA26T!c6&Tr+?s><=w*^J_zyf6_Y2SX(t8b5qF>h6Yt%^_!` zH|^)KwAo8(T3f&)iPd&KKnM_en3z(rK0JX9q$t14(#| zovP{TEBt6F`x<-Pcj4?CmftmaK$OaxXmf6Z-INd9%)w)@aNWAD;c`wQZ)B9PAST9M9Mj4eAq zLjml(x|Fz@E6V%K*mS1s;uaEwNPS5hcM z4k(V=(5(ORk*R49+Y#zL_-$SSMm_pfq>M_FIy`q8?!-0u;b$=4Y{2U5dJ*bYeZGtH z5qtnsl5TVPP3;Ii*Pf%!8<>DsK5vz%LdskkdHY2z8_46|Prka|r7-%gfyG-lwXs!g zm*5aWK*GZ`6j!<5mH-L+N%e=#)*k!yZZ2CZ2YB4Z`|mk|0q5CM0;`6;vDtbK`;pvA z2?rJL`}d7yZqjULGMfNU9N0-ktd+-kT8nN{5U0gq_=|sGU;mfmmeF5@&+@M`E}T^N zQ5juT^lfFNlElVb6Vl}AjMTzJwhKDRD{d+-fI3vM`BIS0;WV<)bS(3DEDCGRq!lp6 z_^v!9FOyKtJ8p#@l0@O*s6?A+rwl-XCJ*e>kJwlPJommB!1=52W+PuCK~R5Xi<{L! zbw5~72U^NK5W(DW1w8o_{_y0}j3&$d_T&Q}pU#gjYK{dw`GgDEH$>@uQbAmlhrZux zlT^K&_$I~Gz~A!^7&gXGsEv&t`j#-@pdvm}g?5*b>y#J>lY;ZHa1tN(;(!#uVV+l~ zg`=?SkcK7?$!*LqPh21=M zrkB$54zo5nQ`CM>PT4MzgXYfG-VC)J4PfaxddJv1Q4(}z(tPILTOKJ}+QSfYt_Y8W zM~r14ih1Y+>V<0SEz0hAqMRyelGzQzhmDisrfhEgpo6!Lvzq^Oe0=z;v@64= z>1w0=#DOJvE&t32Mx&yRJ<^>LZ_pc|ay=K({Q|walQF-0rze*1qq^Zf=T+wkwKg5^ z-R7*8i;INcjXyT~kdmuu>!sNWZ}zk0A754q)mb(8#rJ!Q7dHRSg=}EFBTv>B`PpE) z94?hO?9(nQ5fd=B$WX8v`TjuP^v&41mI2p#u_zsVQ&+)AXP^OLqX!i+*r#7*R!zpJ z*O+ooAB>dZuqfBtC9T|4#6JC-(@xa@{C73LQ?X_u6W9de_+8pb16XcjKWs{PSm*;w z@dIfM&Cib*jWa2(`CPnxgg19kG9|A=*=6!^QalR+8nUNBL(F!R1#+l8%HIQkCrlh#xl{J!HxF;(3Ed&K@cip zwUXsoOW_tP{z{M8>pstu*OlIJ1}-THY5aLL-;yE(+qC?{_)_nEP71*xIQ4;AQ%}DC9pILC^S7Ve zZT)5 z$TTlZOcEN>Bf{CXEMDq7TYdt`u{1^=hvc=%}wt2|DwCn{E2%MKfx(jhKYN$7EqO*K=i2>Z6#*+70nguto zb{h7~*7{*0q^_HVi9<;G5+FeMPex}vNmP(s)OUp0HkDc7mx^pQM62nDSo6fB#yUpN zF679;ka!z8x*EAdkOZNJD)X33X{Y10eEJ(}JFR4E(qxw0Y^cX9`OhIm3OZ!fH?mUC z0nCy$j%LDX=&?I9RT6KgaTZt;1a|UW5PURd#bI}o1xnfI9y+}-s#0u@ATg5U0ZG=n zb!&V4B0%rO$BnU7cuFd-B%`oSu;V@~yR(3O{vF^Z^=ptG`d{s?WQUzpF|AHNpd@>$i17>map}g4@Y1 z9O2!A)8~GG(vFYvpmfj^4iktW)Ux$ND}>jHcWD&TL1;92z$CPAz>8{v_1smfOzZ9< z_I@Y`9aEsT0!Y}JvRNAt(WQyidnftD3i zdbVerA8bI8H%|YyQ$!p*PPn!6rCf(QhuQ*<2 zy5@EgqY(Q*5c?>a3QC=r((5xe9OJE>4TknTO$LF3p!goT$P5cRYi>pTT2Z?Cep^YX z->MB(bJz;uw_P3$y}c6eo>+NM$4Ek(tC5DqWpG3MB|IU-k?O|&>YxMt8f&syX^2+I zxrygHilWAkM3~j(Zipldv9f0=rm*xG6J4K^U-oHMgcCDfN?wUoTsOR#JV84sm6&ow7B5 zjVOPy>-e8O3^h{&a6uHD@Ovqc7Acdif>^N_W#ONUUO_roaE#$oRsX4S(A-F-;(|m> zwUB^)SuLv3*xg(LQcn=XT*Bca%rublM)ZN@*sz-?2L3Y3VLgslLo~u5 z(Vg++g6)*`j9-)Sqn`{S?RUgu`kcqV3K0s2kV9YNB25sf7*o*kns%)Dw;LY$e*AuD_ZX zI|ilot&!g%6m`e9q`vv`w}e~~vy zQ9D)OLWhP#pBvWbDR}42GU}p$bSfDwT7Ph3vcph7TA^<7s(9OhF+dzs!>GIOE~1`0 zDD`QyOuyvrN9Fmt$ER{rhkr_9$|Z}*E08L7Qkc1lKUIeq!g3=n)tEF`eb0&(DPw9m zXROaPTwGpM`WaJxCSYA~TWj{bSfs8|SWH2)>1Q*Z3%2A`2iYrDw4P%yaRHusPQj9} zKK}VKD|ab+W`x!n`1Cqn13}+Z!iTwDT{qMu9|Idr@=dn^Z z=V#Dv))$?+@{D|!TX2a1(7LWo-nPP5mch?7lnD*$T>G)eIb0nysjg5c)mHXh0X_7C zPXw%uUN=XKyTJ`rRs^X+rc);k*v2o{P6X9xr8=|{tWlSE9`lAKyd&`QlBGQvRx+x| zuI9j)>JQelZ)VW_8d2hgM(ljxm4bvD?#YjCOqWY48WS%kv`ETwDIEsQiQy~?>+%EbKQ!tR1HnBqkH#`6($_K0zFS9fBv=76( z=}taLV$ZVtcOHa)F`WBvKMdtitFv=naXYzK7$iv-9Yjs$r;C|>kf6A5DaKiZrykF^ zPM6zgGm^xlJRK_xnbzYl_woc>=!A~b!)iL89c-BA;v|q8oNd#S>FBber5iuX?s5fL z$AcWEbl#awbxv_-aS(!i`fJrZ_ zLN7oOT{jS$X&|1Xy3%O)GoYs8U@iG)HofeTB07&Q%2FAPw0+BBZB5m?`{1eK0!IhP zOts=>ovLI=Sj{4Xclnq(8!VzLAlqGM-dDzRJ;dpik6jFA%GU1I@pB`~(& z%ky%UdvuXuu9eblH&)mWBq6)LvE{spiR%f-M6C_Y@g6 z8FHyPKWxSnkT*JChQx^OeFAB~AYfoCM^WUUu@YvZ=;?p@!dw%$qHzTWu=-_z_;Cq{ zA5Y;=%AQ;kdYOD+Oz>&9X7Z7#crP6q1f7fyed5hQrRo)Ppr490EU%tMHP)Jg>SLid zKc_h5aMG6?n3;YirnY%rqa&1rzsqxSsw5w{&ZTaow8pc|CR~X8pe1MHR7kE zfbDc_oQbIJx*7MTkz(csp(^(fzw?0n)k{p{MPVt3ZViV2^nXRq<3>GY{KX>xJ2Qk;<7bnC6n# z)}X0vCA%)Pn~a_~Mr#8cPztV;R;hf9QaDbH)sJbbX|HElQ5TKqGIw~g;`c$RdsDr=+526RJ6W3U(${*IQdta#do_ynGC zjBd0R?Q|??+_Pw$>^c!^`F%8~rUYOVi?uloWi-6HC@=?zwVl5B&sM|LjFJQx*onMo z%!>{J^~fy<#*FFao{7Bv4D+>aJHZ(iQ|9UR?qH#Z-_}ViUD0q-QZz?wd;rnK z-&S8V9u%D*<@E&o7)7YnK@O$oP7`8Igq2A(=Gjg70=PAY#9jkA>6B^VBGB zv35mK?Ao0hWAcpe z(jiM~z~1>!PA5p}Kb=n8;egYLmuHL)m+EdUDAeag;jKRY7VM35qGjn=Bm{vq9=0+e zFWPBvvxpk(+&~y~b=i9vUoPmqZ)Jxcaqis5Nx)q- zIm^x&iZf-4MA3aPbCu*}b{;vP;f~B_A3yFFRYi=YwZ$`Ud@Bu0<;HhG_wb^S_i1@% zX5AVn`a-gBOkyK-ct2F1w#x#Mbo}IuutEw(c1N_R`*xxB@ZSW{{-Vp@MW)m?$Wvb&Qt3qL#pLIsIT#qh9Kyz>U}%@hu#ZQWUVVoE&fnE4g6_upci6 z8M>&DqJ>FJC3vWOPuI)lgG$UfNSDNsWzVxF-y8i7F8-}o`iS!9!W3ByZNwq)3f_n^ zPG(`RPanDrqlPhJ@~#HP+9CZLO`ZmjDcATq;aVy&uM-11IECkQD&E?bxNdGVB_{2| z;K{ICDXmOS%WHD-9l>c1i#qHAJ`$emGW6g9@`e^HSIxi*lYP8o3YU%>`KR$RMc{d# zddi*yisOs#pBJ?5;FRn2^z;M$Eppc({KI&)(#kI&$b$A}YuT4}~F;)(W${ zE}@trx}>`IRU}qqxD2#i41WyNci)3PJI>+SiP&y}x?$pgb@6 zOh=-YC`-sRW|^-|+siXGMXf7^Hv(^32p`0lLWIMqg{c%c;YvN?T98iBBDjvq)m#5+ zV)eKD)75}dB)4`2p;WpnJBgi2rSAmd7;q6I%sOP(J zl$4pOwBMuz!XH86V!c?lcxs7TULEU(r?ucq4_;f%cSz|0@f6FoG#=bwTTDbuPx^{k zTS%S~rx!-_S0CVkVKPa33rU$OylW1De~qI7U!=v7$5eo!3-vXq#yyolp~x;O8+tGD zg7xI?V~u&C3^+BOy{9jNKKA@;)#~3@4_Fo_kLim}3*KF_zTYSpI5i4W+QpfWvB`)7 z=-47NV7by4d1FM>fpG$0vc**jfw24sjxriw3T*oI+kD$21n3kvL13bu3~!o~1Z&7j z4~#5BI1s>#AL5|ZxBIoq)w(WP@@D%MOdPCx=*bm4%jr>)4Qd~4XGx(j=urp2#jG+B z^=w6gPjpy!3}&xt{OBNwdFI$>jk4g4is_qWQ3d#L5apHngCP-7VND)etl31S7$fjt zk(bri%y~b@n1y)C0qU{A^02T0@-&H+M-zeoVn}B%OxHo7gR<-&7b}8)!24Iak9B`* zGqmYp6dQE}s0&Iz^V2bLi%ylnnoDGdp}95^IIU$WnHaDV3pCh($A2BIwIIuwt>C}H zHW5P}OLI8J2#9(enD)bLgZrC;tcLA4&IEAx_mRt%O39e<#wRgYr#R}2bgQTc4!yu= z5gi&=_iL_nG%02##@h7%naia%zlFgJ zcE#K5RS1~jAQt8pa#7Y&IV{Af*ThGR5wBNcO-D%Smfb0ng(DHiN?QMgq5hZ1`G5W} z^!m?ocGJ5Hx7euE&i0tyf_ED!^!yXU<^q@7g#qn9ikb6Kr?& zQB|z{<+RxH7zT%^;#7N?I@0#&1xpj&5e`06Cqq#Eibk6~w*lphyFfN!a;Q3Ntz1$> zN$9klGlHY3@XtZS0I3GmprBfC7uz~3M z_zZ{Byc3t_IV{<>X_&oM)x5p7BFaVbH%mP#;qhPTVb!2w^u7a_BNzQ+R3nGlh`}=- zP%XLVG5trPabUKcDz-@1!KOJB(?{Q;d;7U7{BX0CRtcmazR7(UJ$nEZJ%s z4+{GmW8c^i7Of4YO2J2C@`<%?WEqiQ0f=9Jo-!v6-emnTsiWSjKPv^kID{a0B3hM03;#@P6Z`qYSz6?xSPy_o5Y1u}dt9}90|Nll(_f*ZnZ)c2Xb3HZD$6CCN3FC64g zQY|5j#eCuCWe(p?O$B9Ng#_R;=oP4a81UvYTdvorRxrB$23;RbxF!8!qf7u4l*C9* zOHl~%ErO<2Ep$HTu)q=;*f`0EGhwCX;Pl!Vi$1mwbn9h%25mPJ)ay4 zr3EU?=s>sB7J{#Tsi4;&1q zlNHu3FU# z8_VuC{T=e0+RPGgx96wCA6bf`Na9MA?C9sUc?!(kc}yL2Aipt+IB;R+>0~nZpJSR- zenhi==rMsgMQsIYJ>YQkI$HF^H;f<&3F)R^H$e}O3kK_#M>4nbgc3DCC{7+ptmE9y z)xDU|kx9{?KZ)9dL-!anT{~PxwJ%7I-s@S7{HxdTzY=rvIT+U_svWYNv54QqtEDBM zhmX{$8mI@EZj0+_j&&(Nekk-ZX~P|A{nSPz0++g`wH=9kQfA^w1NM1^`6aRAVFaZ2 zM0qPxw0M>EI*K0t(drmbJyOFOEtdYL=_zO0PiczOA&X+!--g#fkNq;PxScXJx|n`I z%Q@6fGYZQ#3m+>%xqme`Skt16_Z07|PNC;|)JbQGc%+R|E$P-mL|$%j!Wy=yq_)+K zZv=ytoIzDeZ6*dJT#AerT|!#ZgAOXw%S6Y+H;Q*TkJcv(^1@#gz^5PLrv|oFa?|1r`K1`LqJT2I##+|N|(+rB}cqGGyoj<1-r zc!bw>ccAr?c`k^Hfd<@(s`3bZ}a< z=ex!~I8rYdGsUbhhr^!NY6a$OeZtt0jnL;~3%vXSG=O}KgOtFSKK(qksd$7>!5FJ| zc^xz8JlBeK8-75ygxY_3?4TSDJl-VNfsEvX)R9VQwKRfb@~VSx?NB)glIUw+cgX<( zoX7eJ0Pv6!TB8$Ra%G~;?BicEPz4*;UB)?TW?c?&@tm&hdDhCrKw25Nkk6dh^aK&( zlmT!7%{MH2GQbJ|ux$dUD3i*5IG0rolwL-Q?_`9#s8&Z`cmD*Oort-ThmXSkNof9k z=~@LSyWd2YzHx)ZI7a_(9wU2s^gXY%No>)XJTodb8pcSIfVDKF8lg5#&EgW*y2VxA z16V9l%AY16y72~Q+rP6IF>jJph1DctWDd*f`|aw{9o1lng8zlcCaq~sMM^o5GJUvc zyH08m>fcz5S2ZX>{|6T1EtfK%yz~M4RiF zQ8>UoPMfXbe07W(E_?Es6}O0@!2!@Vzri+d5blBq>(v1Hh$;0_H0ZzIUgUd;WzHbi znjhb=#G3;@fT$JZ4Hu9|c2G$DC|GfGTdVrae?t{h(d=vAExZ#|269-hF^#_(;7{8n z={2Aji%QJ=lPM>b&F5Ul$DaOU15QQ}csBZuCJY=y)+FbIEVm}5h12>h5 z0OJ&3dKq%J}1P!=5vML^M zeilCm?k)`O6R}7O1{Uf3|93Pd>t(f-9$jLZjD;Is@oub_n~bBI!9PP3fnyN^91F8H z#L>B)wfX3%OE?S%Q$b=(2R~MQff3Eg9l*VfTHy5=N(b$&86cRvx?@g6q;Nu(Jmv`__YyPVqgkAo(PH?-KO?kYz2ux>wGr_so0OY_&8kY z{#5Tv1zCno77)+F8(~r@dJwf*%Qga@Cgn1oS#9!~?n>$B$ow8&q80aOPxgb%m>>@N zzpD@ai*Ji@9Izk?u^nx!J!^^!>}lG{8xNv~It`g1;uUG&a6LD{TmmLCLx}DYn&CIW zh2ED-sn2pFEsvdAAy$jafh1>7W=yCY%UI%TqYf>R+T*<7vmAAi3c+b^@m8#DI-bII zy`0$^E%reu%Q@pQ%b>7c8ON1EnrnAjo{yOK!@^gz$6o>aadq>z#)ra=<;N7ft^$ zbmT5(p5!63fZWnE+`E3+k-m;|kPt<{g3HAD8MRnvSy4=jN z5i2qe8O*~|Ia54~1=;+u0;$h8{(rzCNzqj@XTV8oIR1S$@?UJ><|{F>H^^_D12E<# z0AuzkTHrBd`*j|l)o6gdHY_v9NH&q@)8WaUtZKOiO!G+cZX_xW_)_6+lKw%;Y|x=6h$UYt7olNKrNYvYsSI zzn+?hc!EgCP@(oBrDcR2zy}J*0=rKoX8KLuFBdgVrbN^#o_i6^CT8{RfEqI_QvB<1noYA7FTen_hEKbMdf1uB>F*J;l zLJx$MwBggyADgf8cHK}TMH|xsu#InWTvMZ2KT6dZaz_fn&=)O=XU4Ex(eF=)By zvoMx8vOw=J@}<_}#LN-%d(8*KrOevF;=_(GapkV(DBo1#O6l#?N&4uhH*QEBw|{yX zVi=>}xLuE3L`9zw;N|95G!f`Ag^IQ^dTnqEvl$@P7I^wV%9QqI{&qeKLVdsptAzI( z?%`Z`%mp1=;&4Z)0IyHlwF;#wEYNA}F(Ix&OPeuT$kc$f6~i{HL>qQdw8I`}n7eT? zjq|qF;8KnpMV8U2Vf7bsnznabu|{S>*CKVfl3J!uzm6ZcaQ2$H>^AduZAx2vsRhDm zM25#}rG0coqKgV}INWfw=|tqi8^^i+@~5VLDpT0BaHxs?BAe)M$b=bA;IiY#=y)1Y680HGLcmE_mg^Qu$W4m$ z%mWF?7SOSM2r7AG@y(ZREC!lqe?`w9vyu-Q1}s5a09>siWO77wI4rXW>;5_`3h&V> zu*(<)Fu#<;n`vZp{%-;W6a$3aK{t!ZSm2Igrp z;8w&6I>Es8ph*_j>tG^=V+Lt^YRjFr{VTM83G2V3wReq3(sEf4g)zC8ErhLU<@T zMn*REdd1BOxMN%%Uh-UbY-9pST&K9x3SOKFQ1H3N`!8s>eYc%9gZ8tpxeAt`@E$7t zMZrd#dr@kD#;YM9-MG04`A4UtomvibdMP@HtGjnT9`4MIrH#?HVwy7m_Sln;Ar151 z^{(n|LDD69t^EYS}F&2lYIR$4#eTFw`&~*BUtJf=SQFb!-K@}2g8F53B5-lYMtbdyMW21 zJk3u-L-F|X&!2+=aVd8?X2aP612ej2dDPOo9EWFJe4^p}G(N)HvnM}tOpH;^O`&(M z((He?F0Zh)t{D8`7Ft?a_D)Y-Z)=P-=(N5(`V_6Q=US<3bM}{V8_s*Q8uWd15nUg3 zHI1Yx;dSTz1)diIStxSANOUW7;F|??v#Suy1whp5m_esd?Y7|gW`U$n!2YTU%oZ@S8G;oJCWiq* z(qZUG<_26)m0JYYupGssfSJgg{$#B*_LV%|qmZD(#iR4S<;7I{2dCqM{=sZw{nvQ9 zc{ya5T;9j#0~TRQF>98nt}7jW!&x<~S$l2`8c!krt_2`?IWz9DD~{9Lli+^s+^GYx zs_Q%8gli&P-Hf~P&rHzKUw*Sk2<7PUr`vZGq(P)Cwt(B;#;9s}05Y1B;n>&P+k$OQ zVvxOlRH6^btHm!+U@qJq`H$A*&$Vp#jDN(88!2*IG>maRXB~a|3-$5y>A6qZJ#Pzp zsJLQ-49j2E2N{gHUG{0%E-{W=dUEls{?4c_=Dk23p4m2eV^~~GAxki1WmHkA50wxb zwpJ+xv38N&wnj{^lhKZ}x#VH~_1nH#0>`4J?>{=-q(zIZKN*|IY#+w13&wlID=bli zlcsDMyL$`bXl127|C%*QHP0_f1?>scU7AjU;%a*6_(Aob^nK(KRS_(d%G&glpY8TA zHxLPqFy$`h(66Zcd)z!{1?;awvi6P@v%V%#)BNKFxeKSviS8M$(`sIGy``ud?XIYW z6_1(6u%B&Bjt-ssG+m1fe3H-zJ$U6aG@22er!Cc*+I{{gT2eW|u`+1vsfzgba^j6R znU&9%^YEqN-y_xD$q>wqJkvm+H`%w~0F^te(U1RuU9^bdWn;6gkFDw&)%C39PZw>| zs4v@blQ4QaMey6`aZ!*!%kZjqp0n>n69%Hh&L1tl**pkFU>)rF`ny^(qPpq zW)9tqQ%NYBR95>YVq(yKC=b&=yC8oYhPUFU2Pv-3$6pYbyCVZ{X%~Ks)Q%jbY|{(( zzRN8|*p8K>YY_7qEnR>nME~ZEh{ubodHF4uzENAMi+NgRjPQ#W?9co0IXY4m@RY$C zh`+?ci^z3p(4e87yj!y6I5yVFSB2bb%hf@ghC8LL@9w8G-yZ%rVslG~x%f?2vf*AG z2bJP_ojU2X9Ul#4SEm)&6RpJ(SMOPT?|;$uo?%U`ZM&`_2!c`s0jbhO1VpM-krEXF z5do!3lo~*!w;&?YL3#;Ax^yWCov1*N-XRISw@^Y41Xx4oobUS9vDfjfcfV`z|L`MY zJmb0Bb)VOhxuL_GG*Y|QVhw8t(P%Ms$VZu$FJ*_5U63jm=SiVOENae@IcRxd($*~)-ZLi4~b_b!+10ZXj!-t|qE)>3)g5IPpPT9rm z7lkJA2hnAaYamGk-y>N<49OFB?nuhmtdhX5W$hgfb$0r>;KNJzAvPBnz1%*`{nW{K zx)#flsnw?Y-mapRN$DN;VLOw8XL8uKc%FQPtKKAN?Q4gY^Dr}xa`9&VUKK#;` zlmh(n8jbSdYoUXPTv`rHuy=PB+zLJ^r{Hd!gR;SV8(mt}F!GRr(}e^#3lcuV@h zg5gLgWB0IM|5PHfs8VbpJMR}0C#ExlIIj=2eZ)eppcuTJ&nr929WKZzDaN2nP&=Zh z9zshT42TDNME>6#2N=)q^Hg zZb7surfA!%m6x$0SAqlFa#cIjkkFXi`bQ~(0+b?;Pli#S5bvILnz_DGly2X)qdt84 zM=9cbD-~Jvn4V9#TW%@0-TKu~iUgdITfy~}kyJqjL;`el6>}jj(l589_MDWjEupB4 z7%rFxVMvsrkP1c(C$OIa<6|+;KBr9P*fNw!doCu9i?VDt28cwPOT@bI zl!9A}GsA=bB%Ao_Ucs=P7noh2(O|}r0hJB!q1LQLe-P;7cd@KH39C0YLV`Xvs(S4$ z0E()6--3#A8isC7cC7&y)EpokPmkaB7Pr&Y&^Ge9xgBG6@9T9H=Ip4a^z=F+xEvnD z5lb7RU@DU=W@@J zQ~B%l*s@@|aIWQ6y%-uiE%968m;9Rv@9vheZDj-pL@WkrDGr2za+5*>O$m7VGb)9q zV4ndeV!u%0_EWnjPA2i)nzem)r{VFuhEE^$45lT?Pup08wv*<9vlvJl84Jn!1gOCb z(Y+owoEq$AWT5jch-4;(`^!R6(mRBZZet0~^WnmZyX}u6`cMfqRgwa>ss!M*+@nRs zf$XvpI9R*s*&mpe&`(JqBb(HM?nIh7i%#Tg!uG$M(RqpU{)ZXp@5f|mKYT6kbORPM@b`+SS3c!kTz7Y|FClvTnLbN z9vyWBd0dzCCEE&|mdGVL{Y)Bj{R6uX54*CE=~XB?|CB{VG(GX*+tLowM&7gw>k@vp zfO`5zWD{nvd(H3dChH$CHtQ(XOjUzGgw z<E=xh5$cIIL$+= z+mGC{8m zWJ+J4?EU=LC$JVM&mTuGk#_ah={}(yeF*k63 zMCP&22L3Kae&}X>k|Q;vP!>473fSBz0%kVqeLO?l>-|>7;DN!!NaK06ftuwviP&F} zV!J8iULo7xqn|-g*3BW0=WZb^#6FqbT1mnJF7fgMO^d2**kEFxpr6#!4nI;Mg8^nk z3CS!m{@#x(;_7Ck5{~+`(cR}>DjGs4NwivGe6b*Hkp%-Yr{HdC=a$%rMSjNI#btg1 zTScO_EWe2?C%j$Tf${;{LZX)QV2^u;_V`bkWkb)E4bY(CwCjKV2xuv~P!vxDX0L4X zed7UCBa|cuH~GpknW}HWvxU>IO3q7rs8{J_tMut?y}GQ!$q{SO9_3R34p&U&$9Rf! z>iT>g0y)`MjHbqAB-v=~mGel+i>^LrrXLLzbEH zqbfCH7S;W3=KYq>eWM?))ql%~S$M6YxWLP3@2@Fx)S?U=E}n~?<(b_wzTMY+WwjR) z72u?tCH~nq?f%qUBC2w@!P;ouwWnGOZ3$V5l1;SuKZQtZq(`LcfBq!yu<}f^eVOn* z3TR;9_)8dq75qmSV*N)Lq8a@w-4Kw4<_EX6F#ksK^LPJ)?ZR=!uR12ZiD zM&Cx6Hv2{Qa(9Fisoz3QRQmWb-NIvn@jyGj)yw%aQbB{HV*WBRArYz(RY}k7%r?Z^ zZITCgQr@NkPjS1Vj7UL#FvES-pr_d?E`Kxm#U45v-(K`LUDNRamgDVh7oLn&G*{pH zi^*?w1z19BnYIQvvIpdJz0uaHccHVqFd3WB#C9pCZ3fugH@3OtUOXudPxxq)-cW3* zjugMtwZk+d!y*0S8sc^n6|J{n+Pu{NPMXHTa$f1A1Esy|{dnA9_H1qaw;>K{8B2&#{?v#+~7FIG!Utas{*mN-u(A(%d zFFHVl5N z2R#!IDP`WT&Y*igCL;@7(cc=a^rbV=P;uKTH7Q(BsjiSH*%Rrpt-aJ%vz={q`gwyv zu6uK}E5SI0{*<^UdR1=r9%Y0o|6x$hW>CbIKx^&Eqq;yz_YZV|VJl^}5w8=(BJO{2 z;`+{XIX12Mak7j}3=sQa!b7#X`|D6(hNSK6{9?HD0q25$9_KQyVpR^&# z|J>`!K*nYCG%V|W!|^NhuW-^N`>xrR@BEsJ{?=09ca;?j2ZdZS_b-3EK_QraJZd8A z-bE2!X=|&M@-bK%-T86lx4y+1-~&HazMm;PNteol43fgYDO9;zvVg5iP&#P*0 zq0tv2&IdI}F?0TDdfHJ|dsqF5Q{yu~pCo$3_JO787M&HPQY-34gtpO6c7(ODq_cTR zi*g?o2=n?v?kVVV-BrdbH$n^AuVy^DU|464TG6!&N9;~^?G9Z<(VpiqvfW<$5p?DI ztDu`o_p{p44R^SZ_Y+LT@VRM>3)=Q@?{p5f3ir|5NRGJhIRUdHhVFR8-};s@lm?C8 z)f)1E&o9Hi_wsl%$LexjH-<9fXlMSdhc4ko zT2s9{xTOOP*mAcU$qB(XdQ@6!7T0cC4CR#5GO#Fwiv9RIP#4l3x?&{+5>IS(^GTYPFu?+0yO1<6#N8r`e7zGmrXmr;FOvjY97D36w; zSu#$Hj_x-r`QME$?GiC8#eT4bVESTrYD>toCnd^?6@1kD%YiC-O&#q?*p?Q9pUhbv z1@;a(EoawiR1dl$m>IrjX(>MzD0Y%=XDl2)_mSa492Q*Ugvs}$+yV1UpN~Z>&UWL@ z`*Y}&c%bu~!5jsCwxVN0zv-Y_RRA|+w^+?d6*1_wu*RR9VcQz7uq6GUrJe?O8$std z<4~GO);kD0yY93fe|kv^Tz4>0E~jt0UYreN#&=6Q)^C3ZbpKcC^51+4eZOemr*1X( zHmQ6*TN}!ZaNUBPh&yOYRkWjA{>~dMok^k9I$!~Gu+Cg+)oguZ_f+}h=8wp&(c1o| z^BQfKI2Eyw!H3(rS?&F zWrmdts3Aq-j%I~(-DXu@WfNHppqQ_WnUSd}O7=Lq)&XW;!ZZ2|LoYahDV)@-*vn77 z?ZVO)6;m441W*cnIXiH0#UnMUOREnCWDH5^EuARpo=0g>Y1;X`_{iiY~feNS!f$gA54xH9G@F;MGc@7Zgvxy?G>0Q$F?8YK?aB`FR+p9`1`hu zR7M5Rvq1{02ku*Dg5`o1zvJT&8Hq0OD>efZxh))Xl7wYUZTa_lcwMIyZygKHra3DD zZx7YR!XcAGiz(hBFsltuBI?+9+^07Zc;E&sLVv%aBt44zi$_2Upn>Qx2!&Z9y%qYS zOi!R_ii`o{k)mUgkwQLirQyaWsS>SC$2K*wC)nN**6U8j>u;yx3f4$=UUo8Gspryt zC$X-Ie83&3TuN^iYG}+Sk`-(KY$PmHLs{kY)7%|m zC=tgBFq=9(mFkv`55~MV;BtN8d$0+^!ht1YM$< zdK-t|Vi;{u6R@CcOu%PqYToAUjuM7m#egfnD)~=l`+sF+Ja5|2bbU7f?l>wtR$KI{ z5`?&K-UBi(K6`Ajn}kQah!Vl)HmCa4f&>4LMR6CN;;@7dS-sn+xeYtsakaK$$HFW4 zp||aIMY;a<-@aUThNJRMhC9EC(L)Zuij8Ew6i1TRf1U~`ISy~=f$yZv%bY;m63d~g z!Ux4nCN&xX!h9Gy$8Q4c(hB7skA`j;E6}xBH~VGv!YFNVLrft(dY-2A;8|&>%fe9f z51pThVzwU)91`GQ02yBQU(zqLnDgN2j;6K`qD@-}y9~i?Cs91%aNJyls7D z{NOU~wFd5a98W~16gb#oT7#NE8>_fK6g(^bsV_f*##xxnfI52Du&$f?6y#Ah%2j#p zd=DAtjOa6}o+%r~*HLl)-#IV%bNX@2jGZ7V-Rv#Tq;37eg&2!2|DQ9Tuhi!^gs&Vy zlO&yICw`j95^OZOA?cnj8sB8g`uR2m(x+IGv?_6V3 zMT$7n2F;RBsl9FTWZj3tH-oF|&G1~N{2u-wUT)Z-{_YGd@F_o8=GlsA(R~0iY8nb{ zhtUH1ro^lG23UyCN{-k75q%?Eqfd;+1#KH{2oCj+thF|&aMGJh0Nw){SbLS7eQK9_ zxRN^H1mubLOyV=LQGM~ekBwt?Tm<-wL#$tg7LhURlkt0*yujSK_=1F_@qUg81)J;& zuqgVBt@Yhtm;Sx20JeN``qR1>Lw{kK5ZgI_Fii}X>=(Y%Sg;fNXN2Bm{BE@aTs6D( z+#p8*ud*|`0U8@~(u;m)&TeeNOCSEk)sq`{yl@_VDl)^2rq-uNk7#u+{OfrBH&^<_ z2k*T#vfCo6$z&1Lo^n+YXiHq;#dzf-dz@MRvqjZ5XlT^%HwX{op`T&p0#B;J}-1g>4`p@qg52lMRlbkQeF> ztm)9uG$T`b{Ax-s*%ZIbBupw|AmPN=@_HG-94Y?694QAAtDXXwBdJr88xenDjwG{~ zS^mKsxl96>Bj3L;MM=1=TG^EdX8bpIV zu5(;Donkr(l8vngtE23;=A-Y>9tPYvcWKl6EdIx{Ft@XSVwr^N|4oGaJ14x8&;7lT z?;&lN%R0n<@jcJ+;?Nqy8s+bAz+6k+Je3nJ`~8wLTUgWUG6&bXA<-sw3lrJOxgu*} zR~Bdj=^RwDepVRs{-7xBLRF9`0-4xuI?bG`Du?}Bgw+lsNP!>P{udFJ?Jmn-BCPm- zL|B|=C}}hdj+~iI7ueQ#ihtAWZvEFu;iP_qb@*&WkYX3DCoQ@Tv2=@ z#F_G{Eq}Q6k0(iicC##r8K{B4*~6S?`%^>zx_y7z&+JNtTAir1 zb8ktf0u?`<;06DCZ0DKJE_@anfx-@ zk-z`3FNyYWZ`5Yr^NdUDesWRI<_}A@P=}t(B&(j8r$njlO#>Qx^zpD(%bYbf(-fuc zhx@LZ^_?l}lM<;roUo+jK zijMKY`E&fDtVhdqw!1^2Z6EqqetL_uf@tU>40jUKENFwm0{ilAB1KfWxU{@1Zc@vd z{6h#@BY71tT_m&otIaUZ01jCe`s4y&UPe|6At%BO8#Ag6-Z~#8NcG`r$M5 zAk_V7nor-Q1DYz|cpnf0N@NpQ|DET`1)SQ~$*tZmQa$38>CVXhO6nx;ko1U^pZO}> z>@*xbFkgC3t)?6ZwgeCH!B;${S7nb{ zJ_-aX_^trOa7bX3g-vS1t!-Dmzn8y+)~#0#~2v8GF5qt7c*v)TULI~1X9Vt~w-DLT=vl=o-Z@Pudb@RM;q z#wJbucpJFCE1Bo|FrOF>jHH|9m6yd!8|IsVraFKNS}N?)ckAHe1SUAdl7`z? zRpmji7~4~ixbKEdhgbREhf_$*v%+iz=>Dy{^nNl$aInE>OVHi?Ya4%GzJ7N|SJ(Ee zwHBUA%%9i>$3Sn*Ih=lGTYZzoR0HBh{gC`1n!}Zihay8Pt`Jl-6KUqP#04qqE zsKNLlQ7Di;r|i<*dlA_xU(cI(`3oue-29AonQ2UB!szmZ^1Kf&Gp?%vFhI|>FB5Ju z64X9}FDt11mW&NrHXVxPkq2)-%Wh6LbPMI;TzI(Csa^ZE+;Iiy;BD^6zGl2}C%-AU zi{vKHn;TDgNUji2dBFar`F|5>{?$Z%dXZ#L&F3cg@eIpfN3ric#kVocVMwg~z`UT; zo7J+H{vMLzP8JE0_&HOUw4JSRigcyEaLSnc8@4k;voetLt)Q&TO@rgoTJJ-!#e1e; zkGCJEWkT3MtZ9epyEeMd0Des054jj6H;RUwpNQG-k79sz1HH+@cZY8oHH>c_bwp7s zUc(0$rA~Iu-ct1a=!A=la&qa=kau}#8)VuPE>yZL!~wmEyQVZ;VDhY_J$_z(;t|!C zP7+$pI5nPKvQLaX+-i5}t#|1#MWWvaYK(6tC5QTFyiZIck}1Ns>0_N%mVdvV`S0l; zzJR_BUQi=k*S(CgQCUB`A3t-sR@T;;~f@ zHujBi+}l3IGcAPt_HL_b1h_zSLE7$)th`L z4-NS{Gk@?z=|y)ronS-xKv(!WC^)%Cdf}N^9&tc-uIQeSl3NuWzQ{Uza6Gt87Tz?( zr0_xObSUn@A3PBgcBoGKeH|_1_tym>?H0qM+%7uID$8rX6>E}C5}*Dk)<*SSQe!UM z7Q^d7k8Gfumf#@(Pc$gm$Ik(-Gyl9AtnrGizX4FJp|%D~z0i00`@LQOinUThK(W^N zN3q7HIo5qfu?gybu`p_ukAZDASc#tPXtK(9JWSJeJ|)Ov)Yr=FSxc%D;0{-KuLwA= zhCOWNVooOU$8z<3c7)hUXMg(>mjAaW_zRx<&h9ZMt~JrD(*1NVb7~%DJfv#1a8RPA zDG~nXa!Aso`zkuy450))k^A$ilt@Wvi=fxVd(@-S%&TBs;@XHJlR=o-lo}29RN3H{*d$l$QS74qD9VQ%p7pJ`Y&82`yh{J)gQ9$TyiCfz9MFf* z=am#`kWn3)Rl%Qo_?wtiD?4Y@&dCbYUj(o=1fTgWAW_vAvfTXU859qjk1FvA_J1y! z;61(gTTExog#AlQ*Bzbm;SP$WpuauJ&>38ON9kU<@&M6xNj;Qkc0SCd$hh zZeVDaPB=x%>*#i>6qDQ@Ft8VVYD-UV26?^I{e%+G(s8;Ch0b*QTn2Wqg#l(#3J=_; zJ(CD@k_zFILkUtbsHc$K0zgZr*pcm8_4ZgTPZQ=QI`&yg-*Yd*9XBGkmLXKLqP~Wi z^mVg+%FME@_WI|?5UK4%z^l$K(XgbSlWD~7`;9fUlj+(#A1`fE8lCkoX{kzaEwO`t z-6#K#4?|{kH7T~Yf{w>ekShEo-q-FWJ@wL`KewbOT@5>Y3R^f^C5_DZbfsD+yX|#O z6!rQTh9qrCG^IfYX8h{!-1p7}|LE*C>{qe5v?q5B5Mk_cn0TQ%A1j59%~P7YrfvK7 zVU#a{%jimb=1tolZ&;+~PgVgB97V;2AEqd8y5AtDxUGckB5Uvk|C@Y0p3;NOk`~7J zZ~kSfX3)v5qm~C{51zOLTZrcoZ3o*DJURq=7<^mfd-RfjneOO_EF_A~1v;w*eQ7gw z*7OY~M^dq>5*CD%jtn&{Uv&6U8iqQqX1C`^&OM<`+wKGXf2hj)S?LU@@*qQ?!P9k| zMn&2dqw$x@k}Bd|#f4c??x~L<^d&pQ9n38u5rcLD?DWEVk>in3C!;VfrL)Ir(PQVa z)LyQ2FjF+AAB&~7{7J*fQfzNH%|j~JmwoQ%jN3-c+`DZP_h#D8;Pso{Xq0x+G)-PD zq~BD*{@5Pzjn7L|zoZu@|2;7*1A3Iax6xQ5S+=w`^|{t^$?n;xvm@~ST@?<3rLAsk z{Upy`KPmIbfW<;#-BuHec6koKn7f3wW^G}{tre`4f`q&rC8S{ItPa=o2Y1((x|+wg zy6&(le(IGzRezUWi<>vG1NCKi&d=Vyc$p0+y{G;%jIkS%oSRtOPgsa*L%TQUqZ{m( z%I!ykImw48^sfc9nwtcAXX|wrtl3t*ADwFuR%nNLJKoNW9$T6T{%H;aQ-nWrMk~ApG zp-)KUvC350K0CGh!F6hU7HiyA(9NrRGb}naGrTd$F6a(Wj-1P^#UpaiCAlMD`}yc0 zi>~i~rF60A!U(s5uqntRbY8i2cJ|F`X>owk)df(xJjJI*Qu=3L0HteDH;E}D>*KkF zP>XNO{7E8)^dk=j741KgIqT30n}S0lOzlzU&T+QxS(@fMpw5XL-o>WR5P zBa5E&-n_6jRFJK(vm4ul+J-8BXQ~CUc|N~5fEa^-Pmb2p$csyz7cPLZ)k#^7A~Yjn zLw+dnk}OS~H7Xope-W{pvgL`wQ$??$RC)!XP>`_iC;{JB&7d89QGun+v2KKENkARE zuv%%yj&*Bpz6;@5S&M5dI(sgJtdkm`5%#)0-rXa2(!$bQ=GtW?HF-%k%-!B0Diz@o zfe?Ff-QVI{DQ?0;(s{LxMRaygx{}i`*%p?u{U*V@Q*Uf6@L2CO{FxudIeHHNe2StM zd+69eNLYvWo)R7zzn#P&#!BUuj{5;sga9ea*c_oksI{f>QUG2q$k{>P7Vfpi&#p(%uNpRvlhorblPF7HXd?ci%}K$D-bi2uyM*k zT9$D)F^CeQH}x~alBBp$X*c3W+}E+5G^|zIrXXOb&^(Qj4OIV!$UnQ?SR!F&Mecs|JbMQ?d#8+$9i7}tO|y_%(+Z+~ zJs|4T-uak3FU<{&;y)&AX)DH#DVPHWFx9{9=3;tr#pa_(*O8Y>+VTwxi>&s;dIo}a zk1~8uYxh8fx zG?NPdg1v)GMScm~1?Gd4ia_0O0q4&KM9SauUZ3!Zy#nc-aQo`Cx~JCSy)Xs7`^+ND z(s|5*)uqaFab#?hC4cZnfU9J+MY+T0)?wusjE#w_tMJ-6ggUE*K0V$tzb#f|R&MjO z^CC4{PU*>;V|(AA{(GC`x&*QW3`Lga@HwfGHXU%P0XRh$>@7d4+Tsm(RX`FaoTnnT zZjQeV*u(7`ITjwBzZX^&ai#YqsY<*}K(GPd?aV*T%rE^no|?4;{UoEle$;5ens02%sLx*1nDbT#bd5i4@`K~WLxNa7Sa)vZ(k5O9C z%Bopw0^#2D9v_gfzh`(T)DJEJ#7_-y0rHJsJx>k;aZ05A9b|F zO%6pvX*ddC84%vCJeaPd)l7Jil7kIAVYm&4KNK#myLaioilePKf_H6o=d}9+K|yJd zVSYxYr-YDp<|YdJ|Ghezp{ZbVQEql((=|K(#%w&)<`my6jq?Yk-+>0Y4D&5n)?)zk zM3sHi*ja@Z`x2b0mtd4Ty=3C@#*N`^Z(#kHnYOGftI}ThP9=?~hA8~w<}D9%z6^|s z)1)U8nkP!pw)1vn_{qt>QOTp&-QJSJVLea_&oh&yTTnN@Cs8+M0Rtazu%Rnp^)@)1 zk$V!UMCd}cbg!qr+s!;4yCo!SFvq#w(e*^nGLIdo}CW-Qt%)2LvXmi$7mFEDAtDp%A zM~AV9hrJvqhd9959WqSw>t&8T#G{9sx$p_AYQwEpm)`uTeIhRY&LDEA*d)Ee)1Vu< zzq9dVujajxil+M0R(FlUqvKe!@eMB}-_;#aWDm|;bfi;D;dHBFvpUDQu&_JQH%gI^ z+DO>2YDDpjT6$vkhzoYp-#J2RgiGy6;ts@Lm>qQI@r!bH+cd}!!a zY&V5~!wcJD*Z7~LzRqro>~$Mo!-0lI)Pb(c&0r6>GSZTD>0GiSiVT>xF!gYJ(jcV? zA<4f4jXs*}k}+KNoEeZA&#KbQ_`oU2UBQ9>mU}1fu&O^g1922S$j_K1Md%lcyy;ge z&2w>|0&y5Dl(Vo~YXo10P%;j{m zv;j@C-r|-04$$4A(D=ncpKrM(e}IX17(s)w6qVawKORBp2-|Cp>jOe%2YN@MQKLp< zj0ZG|H1focfL+>1g4w>d+u@I6OYn*xjnaNq<8G9Jr^P;vo*eeIU%+W!wzehzT502_ z^)lot>U9H*AeT0U}?Lz zQN@26X+w;E4kbafY4#J*smgl;k!|19ezfv7-rh~WelPNP-F50R3C5|u1SdKM(aE(p zxfujKQ$c{Iw&-{&-#Yh7R?}}R!ud5}=q)+wfi~9bV^OIG*vD^MqwdW$;LiWav79cX=^gj-hbiL|)AhI)j zOBqNuhNXkD^uvnCvw>to;m<}w-2b|ffWHxd=`pzp^y&(o8&heZ44A7b2zsvG%4CxP!;YV8OR4vJfX>5TTz&-o}Gi#ym&!!&#+8jsu^r zjl?^4>@2MRisrEgOxDWw7(UT(I;>;ioqp)AaPXB+&AxU!Zl|x*In60Gt<+nDs>%wK zDvbl1h!r-w%l&Gvo->2BaKAH+)jMqBuMFKTTU7Ep6M8gGxzKCRa?WUC?ZKzu-rL5TGQayKIz_h0-wqDgS(Y1m6xWa7{U^~R!UOgA|W30r;Eq! zr&Q{drY0#yMT@zw^gI*xvIVW0rjJj42|{;zApV}tQ4zHoGKwz6XX{r^Jwsg~V=Z+q zx6hpLYgJPbZCH;pIpZ4VxrU3`DD6s4_WJ!2=bDwa>ej3H)m4_9s8aD>|!b}O{Op&pMZ*R#RoAMV-N26*;gq;Y#fk|pUkaXy8U$`9NNgEXr*RQ_%||H zcZbgt)Q|bd@SdTb2qJTbMEU|L=5IrE58of;u4 zQy;Uwad+#2)nn4`Hh!s$r(z8k2{V}W3}X_)Wf^jVfDY; zR{MUF@;q6udhPb*Hho_o$ZsWW@=8uR9`(FoN^`aiz#Z`eDOIyW)hSj_6WQb1mf;n7 zvYas}<;=FfTB#e4$FK{Y_|X3jzLaln^exjeA5LgPr%v7125M_IUp#*Ki>6uq^;F3L z&aj^S?%JP-mTTPDp?I1)H40a0cq<`HqD|>9`tiF_%BiMHdPbn>c-BxPEPB=X!lxIz z{exOSM}el zSA8_FS(3^i-95KD0AQnlt(ACG-v+YUDdCIkZUub?@{GT-@boey%3_o!@xUgA zwU8f6+b||+TSs?3EDE=v4Sgr11m}$i;NVmx=w4-aqC>?+r7(vU5V=n-k=sJhN_AEM z)v21*ryerjAg)!#F;V|!{nKF?m#Hc$D#KiQ(ktH=KP-)jK}-1{eUGq|ohJoYKIopN zU;V|Mh>>}=N<_%*6om&TXiLPRG?;EjcZ*4SZ?Bu-CJofli7EoQwtk99 zol=IGY3vQIOX1e~ulnQy(GAn+@q=Ev>ryId5WZLI0viK-Mo5>15tShAa@O?gmZH8g z*eKb)&MM^L5&Q+XK+0_^LvD<+(Q^DyuPK=h-{fjB0X5ilw@5Ud?B1WUfXe+6yMOrE zb;r4OP01SldUJ_8wtCH{8`8WmhK(K*eQ~!|oT(evT-G+mWkAz~Jb&+9JsG4|^VZq6 z%>h+Y`>*$h%Bem_xJkZK6?CzHs<%y%F!fvoGDzc4|Aq2+nwwRtcZrs$1k$2VKeBAPY117J|g?nsRy=&s& z%W+Hq+g9%&yXUYC7~}oPVLc@0%>|a5W}1>9XSTO3AsD+86l*c~WFMW&zXO3-s>+uV zCeE1C704evW0$fm6rP_)^VL^ZU1PL=<14-TdWW~Gwz-tudXE1zfi3|QF;`OiWx5vw4m-b`ngFK1CL**~`jfdOjdY7WQSLY+nBD&Kv z6j>$2Ix#=m>w(VC%ss=gCRndkH*B?};iaH+k%*(<3$u+fgR>Q-9~os!<(<@qH6#ul z&0xZ+0JNjdm*@nqMMhqujA|w~V_oT`kG&kuw6zrS#tTu^Ty64Q)&mE2U`wqnzIWnT z*@w)73a)XRmPgV1TqMfeJCp8q<|?bzYqxQyhW}{Jd!Zo^J>~Jdw<{;kj)0jCaYG{0 z{qcAFO3u2GHKMWXkIGdeU3(PQeIB3*JgoN_Ba{lQ(#6oNWw{G zw6$0ZQ0`#MaooZuaOnBDd$v2eOPS1vnzRQdFir{?lR zN#Hs{88l{ITUe%%~h4J zVr(hH?-hvMxdCa`+o;d(-KB$AV1!-k>HuV}p`OuIP=kS32%j zR=UD!3An9w9t&4I)IRg>R!AhCAYdg%)un{;OY{O*g@Z}QDEXrrKmFwlg|oZpiZ>cY z-X)TdO@)JRKxanCu?$5afZLm}GlMPis=Pj!a4RoCV1Jg@Y_oU+wu`v>&8BK#B!dkV zy6tF{hL<*a*Uner`rBs9ZBDZq{oenA!ssS2iZM82L&T(cZHJtKGdnf~gH2Z1@M?!* z0}}`1jt5FxU#_r8$ka1Z-R{GTm^qrrouaeX!$gr)jr$lSE8Lm0{GvnsM(Sn}{*;^( zYhOL}stk!w&~zE69jPI1cgkw{uJ;-_@(s!sNN$pI_}qj^f7JSwx<+u=7dTu3tiA3X zI_9S(_qzVXx1lXz4l$cWI=BW6Pc}gVvAr_-Hc~ww(`dg|f~ZP! z$7VjLdA3NFxdK@8RvVakH#cn~uScrPHNHG>n5bx*r}o24N=+5twKOnuZd5qwsw5D5 zm5y^JoJJM)2hJKHKwqA7&Tz}U%?f96wn$-!lWf;+Vf8YOJND25k083I_D$TU>>Qi+ zv=FgM(9c6HsDgi306K{#i`ocmVG$beB{K@~F`}oV!PS(;u)CutsTG&cx!Rc|dZj&j zYT%J@EH8g=hr7hVunC{*# z`OEvub1$ZU3Z)sjyVL1AWX(VQ5F?nC*l?kc*4>vVE*!gCFt5MdsV z=ET%-J+=iak-!~y zJ)5kYT+gKjiR;3*(@n8mp@M#QX9S`Z?mLY}l<)o|k@dAL(eYiddLs5F zyJlVu5KERKaKF(9q3r>YRIN!qk{g9jUUzyJGC$d|yR2aU3itsNM2$r9PETi0-%;GE zTgx#%KjS3vb`*Aoe6NyG_}0~;0Ro%*Dh8TuQB%_Jv%;-wCLXy3i;c>=M(y*;V+ilp zSvLl$O}1Y{Ql=#P>~3n~J{fKN>WWlar8UYrun>0^v}LOpFK|uqcZ`VIT!94G4FG080RqkH>;G#FodK_`GbL?95 zjfzcrcBafM8^lJ^XeZ(9+_H4seDo>-r4Whxe0KaqD?7o`pPGA<{Xdm9g#nHV{*NbQ@A zMz~je%3#T6V`r60$#>{Ug-e9qOL@cGtJclAZ?}1ze|eB+6@=N-rs=d`I3>Sya+p?!R--xnd_@mbcWYPU zIJdYcuIELO!dnn1?iQzZiTcktX#%%gzrMmJGTNd=^V5jVKE=P{%eg3IOnY? zOZ8Oy>kj4#l=Wt%o4xJ7uzt2+uz*(O*?t*Op6vX#zb;dy^TtW(&*LzO5yK6?VJ?MR z(RCVWFpH^^?YH&2(S>F^o*N&lit&XU^tcBdc4x>Y=CaT6w!xpg9SsS4g)y)Ev*Oz5 zxk_s{E(ZL%@G@U^Wws+EULd#qdaaZmJfJzBJ9SEq8FTDC4A-^p1+T?~ ziQJ*MTX5Os-OMK#B-&to)X~xVteIvVd3IuEny(J*vQ*xi^juPK>-D91Xp(6-E(CN{X|YJl!-vy%p3ZHaE=d25V9ROvpccHc z=N|GyH{8H1y(Bvcd5;nSQykGjw=~zIc=480~j@{0OeG=-sU$ zB8%*~gdFDIJs-JUKi|Q+Q%}+Ewx_3G#Y4SerQAZ#{nxf~pUiIw&V`~kp!$F)Sq%U2 zaUERW3`4D8zL}*wZMhiYrvOxBHc7%w%iL}#!8Qi=Y<_aZF!p!51*n3jVY|j?Ev0s8 z?=8;$=K^eS*9Y%Q>kf;FrJfZ*G8FetDn*+R$|_AeoD8nzxrr~v6O1eiihns+ z?zI|BP9IdD-qfEz-KdU|BT(1ak0IK}Bk%e6tqnO%`UE>^rGVQM-{~H5*tAcEVFxrs z(tXYJVG}u*-1Y+vj;xRcTE)G-pHh3>MI6OX0Ee=Jbvr6|qnn+c2PaY3M6-kHVf~js z5EHh8Po%}UIh=j=TMck#oIW@?lBg~>DPzkOJ_sf^u}V_ks2vI0lOF%QobYs$feuE-KHo6Vec zIU?q?e_S-eR%9k1Az$f+YbV2-77b;9jqPDx5rZlU5sIG=c%Nw98?u}QJVK6a0gsSO zMKW!sbKVw0$a6mo?%7b8FBm|G5?Y$d-?Ep_2c|2E3C<^e1tzL@^E?LTv=wb#ij!qn z@+~iC=9y>T%d>ku_I~43=+o~GUA!EghdkDQ!>NwtFbIh{GgoD%hRI z3ow$CZfo84uo5ZQ%HAo`z_dDu!}o5b+)i1Wk%5w8sR$q6EM0Z|rfSWgmYl5Mmt=*l z>1L_7)88pq5EE`N2&i5;;3Cjgm`p>ixGr2v#9U-8&cIY$nCz*?rO?qHz6A`3y{(@3 zxfOXFtytMF_hlwe2>lj{9;CWO{`U!={LtJ)(+;%#9H1HKbn7q&eYZR5+>X2bRo*YIE^`X~ zzR1r3vEFldYm7^vHQ6Mt3T#lQ^uxV)3_N%Jb@_vem$pWFFjfqfucXk)h33??9};vE zyU;w_l%OVwgTSIjGE|1Y=q8RAwz_iv{k6r%WdZ9zVtI6lqj^s_<%~Ol~3A{<5 z=gy(c>We2@ZZ}%qr!8vjn=JDNs>-hn*0FI*D0zIb0=_FOc?F)BW>l2@2nhM>?u7Rc0eO;&B1X9&;njJm$U5SZA8P)Q z=I7+I#rh!bM8)j@&D3pggl>Ub|2Sm94cg^GKi3Q%+bL9&m8I>QDz`mJ>+#^4@49kD3!UST_$79+Dq>vu-bNV3YX#VYV~} zMm$WnYy55y%c&6A+Pe^sz+SF(-vgvxqP0D3!6blG4>VCq_R`BKVo8X*5?@jJj6;A| zC@9#V3(iYZpQV+W>Mf6dVOrvD=hu`W)EvP+Pdlk%?CwEh(& zA|##XS*H_05*+qFc>C{vw*UVN9Da4GYKhn3Rs1|)SL4Xa zA+URAU!D|f)Z0F?+;TR+@KOO&BrQ|E1}jp|pV@HBoG1QBez#JUL&n}x4J_(lh_(&e zDQPXW=3BVT;pq_`hHA*x)KpHiR|L!u2{wH$LcU5>^0u&gaC2Wz@VGjk?f&{uJlDlC z<^Uweu}$~%t~v$@38?oSQI&y91SVd5kMlpy!mc`+O}-+jZF`}DmJ)+_&M0c^I#D@6 zH=s9r3^zI9IsH%Aa@_&nlw;|=k|B=|nYIDW3CPG#Y&QtHd4W<%-);+A4BaWf8j-g) z$j@W42PA6a@xxLQm<_3urBMQk3mnbm^UTEx*Lu7&3BS=-xBJrl#^xU2M=? zU7lh({;TU1%~n0??Mb31{fIF_aJO|fR)37w(<%!PrbS zhN?Zl<6kMDzo}&&b!TCFSw+Go6PjHE&{r$ItF|E18gkDTCch=~4E>{Y<_jH=ZuxL! zA|nR1ad}P>xi*Etc`R;Io895V0e{RM?C?)(zU=V`5MF*f0X^%4VQ7$LTQ!E?ZGG$0 zMe{xiD<8E+a}o8(J16esoj)5};kX}YgIt671qfba5gqn?Wrk>0anGYSW!8M!}nU=`@%gJnlcMN~hKlww-zFjRCXgL{KgI)cA+ni1&sWo&C+ zs|(V6+WA3ygMsl!){jT}`&X2E>Vv4ieW&9ijd#Cj3G*D!7=Ikd34Z%A`nKAdc^LUF z8<}M!ha6X?JR@a98*QCf=e@b#u>;zfTrZYnnfCSFHqNqFEFUR;fIk0 z`Fm_2=wS5o@=Gqx{xA4!wa-{aPe}9boIDZK9dli4je1^};u`oI9=#Zsu>ht>JOGiOfOIMA~ECyBOIzU!9Ym>?J$ zs-(0MKfb5>O)H_M0cR2gY^Lfx8gsLAoX^--@&RA`zALyPc>%N^!$$S($kS2QkP zB|kjfY9rxBHIjN0UEW8ah9QT%b5(z?tj_BCo)rc9dpfyse6wf)sAMNqL3QuP77ezz z`A3?hgvzTW+;At}0j)4t4T7!)#={u!8-dRfd zosv|SpxPGpmP&6EN$n$_*2=`iZZ{TT{<#1gUvPA3)w{Qd&RMRCHpktMJXV4GzMc1Q zR|8I%RKkisBgnV9`J^`Sf!4lE|fdNmOUd| zN@+|GqYT2TRzoXy`SqaCsl*#WHTpV>;DNwW#e?j}EOWgrac3&k(8QEg1q&|Ud!11N z%UofTKjU}5&Xw0MuJ5~Q3nd-!`}2^#eO@#SKzCIp$C&TPKHJIO^p!;RBab$%tg7~@ z0UKl)TXXlllEfHPN++ZkZzcz4Ufnsg*-$98>~M785pF)+G%^Q{rDhvfoCC6{?MXdO z>q&XYMnYiT)zxaXf>YB|GENd%`&&i$y-HBNO65DzxQYFf7nBkQz>yl$o-tY$Q+NaRW`K0!&Uz&(;`-SU_g&%0 zB-+G2RqO)3_Lm$oAZ8~{{J}~TE$Wlqo|i{-H!F0GxDU04pb#4+5=4UL$MBPr z`d)DBa4u}&A!4YYp44i&UyE0#J9|W^m=l-|nVPRSNejc-yJV`s{ZD_fT94&B?mm z4utTBR|6-hw3FQ~L`PxRvxTe`;l6{U_LorsR;R%|Bn@Rbcq=s(*IY}-fht=F8m}O4 z_~Nj^*xW2Uuu5nrXrz4nnFrl!Jyl`EXZvuvsd8706ug((n1!c3C$52=m(^mQzmcHaf=a6|SUhEg}!q!+E=Edrr1 z8{^OSa`VH8f}uwQ*P0Z);gcMH%lmI+9@1L6?vAAN6{TH~pE z@aMoF_P&Mtp=tS|ZHxIEN{wb%>frl9K!U|olJ=gD6hf|MIc(^XvX{v50oc>MM3;rSdy|J<%Wdc~ps#7)T z?)3#XGpAuYfTmQZ)G?{&SKr&xO`iYDtW7uGfWLn(+pxh1MHml{Q3?oo`vvSb=Z*+f(fYOd^mTLvE!ykhawy9gTJ7P*?00Ki{n_`cj-2jDJUGCte& zfof{RyMZ87nvt@LN-BTek#s=AJjLb3@&1$*x(S=FGQL4@s2y(Ra8kN0hCFg0?rO*+ z>X%+;!dGka)Y!I#nD+WkJVzZ}kCK<3e_^ERLMPekH6@W5V~(-5M*XuCQ~WQWD7HR? zNS1YN?Ar?r2-4!&9VNweKy4~{V9WO5jDm6}jyf7mD&FK#CSh8PDz>*es(2S?UL)-w z@+BQi8SdmnZAQRwhn9Otj-z_$&RIjZKFoOs%-l>JItESj8O|2P&6Npo&4>AoTy0sM zqx4^CIr=g;^oBFgLRg#ci_H!-=6SkTxrmcQpO9#M?EwAY3HWmhv7`W(f%UPYAGNCq zrE9_T$qePb5+eU8BLw_Rzp&?|;t}KH$koAY9CIDj=!0{*hf=iP;^||`k5r--B4pf+ z{8GCv3y0;mn{9`=ss*s=CtY;T)VQL?s48HTS08k0F|W?Yt@*y?OlrpPejgq%nU;{F&~secyb{Nja8|383#aFGcg$)JVN zX`t`RXbYNNM@yl^sZuFd3!eoXQb-L=JgT{y7qt_ewE_AJ&pZoUx*-Rnu;b;cmhRf; zt1(?kEjC!>l74XnW7LpW-H0ov<7IKUXS_2PWIH#VbfBdWMP5i_tJu9A&7Hd7frU9P zULRpPqT^xaoF1sg^d@K@*2!jOS984jesE^k?)yV!Lm+JRw(x7XeBS3g5w{~apgS++ z@8uzc4f|E1TErSZGh?PolGj{>3v9fW1cT=%&22N74xa(b^ovo)B(*+nm_rW*Pg;b? z@Xx-<9SPy2q5XAvsoFaehHf5Kbng==V^E>K4qXU5&fwfugDP(JcGh_CGI=fpE6of5 zmq4zQ*Md5{S#Q!35&N{!k||pbi6hFCTrTekZ*mx8 z33uR_`9OwDZ?>lryXQz7sce@lKhK2!70pwfX7o^;XJy7Q5l~>21Qv@43!ywSl@Q|K z7QO0gn9@cBd+`2+deF_CTMfin_u0IL#pM>$y?P_VQ__YjVxSTtn*7a}&(>xz)Fp|3 zsAvY*Da@o2tJJRs8flQ$GVRdvi|e*_Xn(Jj1iA7mC0+3PWc%4$+z+Q^-khL#!#tN( zd=_r?tL)Um9iz`UK(s$uDPp(lVp9z;xAAwTP%7ltlKO_8FK*`wTo6CYy4WG^BweT)8?6p+;nfkXH*4~DyH`??p%%XpDWp+m=)3THgyLwFLs0{se+Bv3Ml7(gMr?GHanX>0B{^6AHI8^*B5); zvhwD;R^s;C$8zmwUK?}chP$M28Dzn`DriqrCOS}!`ibe}4t3HDaH@i|zGMD{0KOeg zSNF#!=Foe5?VZT<(jI?wiDW}^0GRu1`Y;3 z))yeyA>6c%<=c(3Jl~yQ;@@vcu5BNc&FPuopRCKh&o0pS8^t>M(ydiAEDV?B2OsM! z2DG^&?aZ&M2F+7`ek0E2;0GV9-e_a17dgLXmbh-{kho`bm|U(HQ5X!JzT}l)yPZSC1RLZn$CorjDdn^RFWVHrKbp;l%ki z>R+usG9{q4!h9>)pRT%Tb2JhhzILzYY2fIujh_|RhE7Buh=g#QK{efWWl55TiU&8FX{6wSIkH%?m@=K3A+;>Wkc}BAc#$ z!R3_V2{N&z92Pl$4!&=5jm;=Pg-=dNqq-%vkU|~8v8x5#5)oMT-;WZ2OLj!Ctrd;!G2?@RIS7 zpsfKEz+AVz-!o`r=-+Ri>jCN^)WPnGOf^Xz7p(xj0&T;smSp_!%=1c?O;xtA9HxPp z>b*SC%;7|a?mvGyE|Uq356?4cVjKhiI*5wRmd>`LAN(C$&zLovlwjHNi3t)(sTH~b zxa^YZeDM_3oB-a9%`>zTox;Np-xK7!R4zIQ@Lqi1GB6O=LWyo^VOIBge>w09J?+kp zhvd#}VJ-Ei>M=Kv$0G|e(+%hr3}(LNiYeKkxuvLNTOl~b(p)*CT^Zs$ ztwYW3dqSTf+51UtmK7eh(B?Y*NNh4sPkK((EFgh6^UZO_x6_AD2Zw!#**uD`sYsN! zEOI`6c$1lMFLZnH=-{u{KrOraR8dBrx88t$rZ`9Lo=xhc@6sg>fe6pzxI8QBqyMa8 zYm0&;npV0OJ7klRben77v{&9UUMib?sVwx4+a4X>cPBS#V(RdK%w{LV-u@tZKfb)C zAjK@X888d@&HChUJ&3F#zI2Z|B`xM5Oy8~6^sQT!WjXy9y7~pGqm&cVu$GY%odXIT zvDiVBJ7V(#?Ms`FzS4DYx8So8C7ixb!W%ZFbDn6nBqSmA)TS9W?@reuv$WjX(SbhZ+_+ z7J|=UUwn%bms0nKKXva^QUG_7T0d+g;W`oRm?=Cm{n_ctszz5_xQ*|&|5ApP2VLNz zzjoyOibGESrZ12#20T313Seaa=2nk5i5nsLAz`zLq7ZzuTG&zhUVFEqKaO#D+use8 zI)&dpdm1F#%s~IHh1BFa@#%`~G^s2hhUT2(53Vc@mbF|F56;cI?Xfw$@M@2sCv#r; zwq|2mx5C?cj7u5Xf^7MIW!+;sxPg<+58+fp@FS_Ow5^EM3>!=OQmXmUvT5FXqEw=C7PQ_B$JS$bj1tA(r zKCx3@2{W%bn-x?Mb+MAaU@}V0v&{JlY1A4TvLiNE+UM6J#*JT3^pg zPA0gp(Iy>E9kS)zT9Ld=O?UF)6&-vw0DbWLN|2Lbf5v7^5d5W3apcP$9v$9tUuwgK zTwW8x#))GlZTW2Q#pX4#P!#%30@}hpnZG4@;?N*^Dl!7c$f2> zvwUZehRXCiLyZHTVw+Ejwe>Eh7G8>Uji(m^2=u_r%^;8m zc4Q;+w$0q@3=yvrWa?7hxR=Sm;)i^vcs3_hc+ZbnUgfj>vOhnJ_>W6E@P^K}xCGAgddzKm)`8B~;5F$e#!gKSfBaLjnr(gcn@< zYA!7WAMjA~GE%Z{5FC71xiiXEWv^Q5jkRN!H>Q3&-BCg#+7r?kHG~{mwqfL z(_RuKiLL4G`sJcGw;W=E2s6>cbtD#kPHgI@xeSBmerKMot2S(^SDOr%o2FQqBzqFT zGfk>Kv{|6QmOt1+ItOf9v3UN3Bj19SX#Ev)9<+bPQu6Md72by2s@E2w8|$?*RTaB; z`44;kjY?M6QpXl+gx!dsREh*rXyzC)J`Q^tZ9=@g>aR8>?Zmf*$!MA8k`=vNlJ>)R z@USazF-dIefQBdRrs~;p+|L~RUQAHYrdW4YF z3D-qHZfMO^%i>!++cE$Jw{OpwXRWrbuBdrgjz!{5B>^z`8 z^F#u6XF>SmUI*rF`_^``@YX^_z6ESS*rywUvO*I3Sud)wg*T^td9k8MZp(f1f-_0< zvZ5`_^spHS9sA_#y>qR`zW{B8{`nPMyvr5#=k&{TmdY3rS7|~FEn8pv|3!xteBL*s z&2(x)ClIzGDwp)!(a(`n;q-SHapE{w%d}BEP}ul!oASf$r$&+rbAHH9(dgGF`(ERw zY(owq8>aF?R_()M_8-16%&V2xPPy6dCfhF!?#qzO@9aO`9LQKioiHUT9pW@0>m{ft z=Zx&bU(-0Lx-!0H8~+pVQrbwnE+R?gv^U)6Is*j1$+K|312vX0^OllNeku|hWWG2m zA4WxI>dXxJfK-&mPcyLJKa3@@Uc#hx^X*@dg-XL(~ig>qH9qe zN=2Br*gc!9%1XR>CKKWEY}of1LJ}7>rr&^eQ>K>w;6UTfyOxMoH1L=kc|EVf#pNrD zP+EMU=;yk^`OL`CK4AhOQd}{18AZ%43wwi%|HYjmnf{?DXWQ+C&!4ngA6zF3C14+t zD%N{%k^7vJDqlVS^PX$w(YYiBs`u-Zk5?3N0yST_rq}4W)cbhfUeYa}rcG@FnOqG@ zNZ|_63_zdMZD?4~2)~zGaf-7gIP+jE0z;O6yXS)bPCsEHp#mmYc&sjR1*$8u11}6T z<;9q@(a+_3K&swT}GB9rEL6mM=ON=DzhdAjcA~>39F^=q8=m%Cc z@N{5bJ%l-e8du-#xgRhNtOw!fv!?ZkoKFys3k- zturSL;gj09mkCBxj{38N;gSlb$mX%G&YV+l0{JyGlSZ4wOW)-I+1(cy-JxC zSO#3DClVCFFsaYS_0`?`^w_}=gVwXW6e^tkX6G}o%EHSA#T9jUakV4r_PY}8)cMNh zTL&Zbd<)D*s$76svd%9=Wkf-oGi3MO8>LE6V;}3rRJB2loWWE312&)*`x}19{@Zo= zn0a&EF41mIG%?_F3Y^j7CxnbXOAR5y;H}3m6%Ka4z3|uXikmLDZSrEta|o__rciw^ z0*Huzw-P#9{%^4Tba^G$=$RU2Za?FB74^HTKJc%z&@~)wZPt6d3qh}$M_GAnxjXrt zfT9pz%WH|*OW!#vb0Yr(2I=m>QJPVtt!tk7J1=u7_24pKb|x)CEP3f*Vmn>C1WG%@NdN4j(Rc4i5CjMD@x)S=#fJR0TxZjH^Z2K8?C<4jk;#2U?_)2Ge? z&|UUoPxtI^C1ba0rav_rH3zAdu4K+|UV+}UQyjXk^7ZIwh!|d3!exUSx?5ZPL3UlU z1Q*Tg+*S4=0u^#l6i}aTenptu_pg{<7%BV=ow*0i*v(%H25<#&Ha+@w}dw7D10 z`V<`JIl!DaLw!aH+vcZoqPH8+eA_uT=|C3@xZxzx{_m)LAI)0rh%&pP-``}3B%VU~ z887A*ru#C3qMEJVD?O13atmUXj+Npeu7ff)Hg=?l8~ zhzbq1YH`h4K_!0MT$@S@zJ;NYczP$sGF`c_*Vx>tyYaJ*ki!5KAnkRD=TIwtuJ65 zHxK~6G0Tw>OPa|r*orLU=CJSj8~?;0Hb{z{zGH?D!Qvz9 zgK?uIND4(5f!#f7(tA40CKN$9jb<-W7t->nF)7{G`?!p(8dzx zR>aNR)w@LfYzSdl+6I+rVX;9iw!1HmHl|B1fekp?+fCBB{9_=OL9PW~t`x{H9N_XN z+|y#radXRCN62wDI#IuzLrB^a>ImYkS|Nz;=qUTh`DmhQpUnQAJK)&*d%pPM^*qju zjj=AI<0M_ENllxl^7qj#TAm!wCh*Y)*3Kc&9%xLvGS9kw`y~RD;_asvZ-x z<=Ob=mLhJt3so~9#`VvLKf#l}`SdXyNz_tUt>Pb-istltq)_YnkX@52EYQxQd$MD- zkG;bwntr>Jf^SXnn+87co4)Z4g}Ech@kfd7Q}NjAqWvnQLpp43=;PA(*dWYyqx;eE zmggAqggCEMfl8MY51;=aTABRgHrfE0uVQGhnI^V1n;(j2%NaJt{zA3j|K@=D^sv8C z`HcCYr`;1f74o+9Hi{$1N}2_tmGts+etK?f%!Chl@`hzCiB%#_ka!KP_*+ce5ULJ_ zcrdxU-LM$VE^`E_`+Cy{va-~KwY$$L>hgMZuC~aH10(pwbRc7Cp(gsE3J!?K|L<nUq?n6A+`7;BwMpgJ|lfWj?)@R;*9EjS;_je4r{SyreL#F#Yg+ z;#)wfS&e=KpbwNwRr){y>k#_rsKAMCa(`GEjdaJJ=17G0Fy0<+IVu(4;I<5}tgFzg zjrBo0y3L+$VBamZ>Q(AS^vk2!}-b`g)hVwqZ#5^({)) z5w`HZU)LY59r1Vci;8gsn!kj9hzaaVCw|^+P@6GpbdTU?K+6{=wSe8{GwonXVlGzq z@)x&0=E|Y_jc*VnkjuxrLxE~9dkALd&O1nCc`V{NZUtATf$cEW8tZ`v)&Z5i0HiGc zdj^wmYgmMP^BC&S4wS@Hz&>z!MJq5iYC8uSrpkrP&IQM9|A;Hr>`PK2Zax0`qJ$^x zFZR_nNX+b>p4Cc>uu^yQc;P2AgC3bE!c%1}XladWd5>dsm(*m><;6L%qWDNv?~1>U z5_>u#?Pdl~r2a|*SBY0Na?jExHCNN*;>O;`{8INjKM~#b6BUJE61rugH1E%!g>^bVgjcIkf8Q-VCYCKPYJ zAXKkC%So*cbKe1V6+(R-wUm*Ac5g&-eZku9Te^V6!XmT$xFbAXzNKhFQ`zHtMLiLg z%0sfUy4;v)8z%7pWO2%G-+syvF(9#(CKhVTyIlPV@KsECc*W~`D9rm~w`u$Ct2Q*u z2ZY{Ic>V0tBJ{c1R=JF?NAOKd=2z}C!urJ<-0r1Yl5$TwnFNsXRue89d791XTP7UT6ImhWQjLQ1-ig@*_{$)zd!jh5|b|q zt4Zdto93FAr3R8&C!2FY=yuhUVB?^JJntoceo|LqtCf+(gYtAo%rCdR>~ogi4Dm`2 zWQXcmR*rOF(T7H-67?nVF`2h51PlHx;YPXcg;Dh6w4^=3_W;yRm@( zXV5DSKVQ;W^_6Uv-gxMArqUU8W+NPJ>S5}v*_t0nPd5Vngm%fk7NbJ?Lo1J5&lsQu z!eP@-qk^meYiH}^eR!}frHJv0>52IGI=|;xzK1FFM2f|ZBK5B1J0NFNsrDcggudNP zb;o!fc(0>A#jtsGrtd*e+-XoozJea~nw_$OAqq;PaA7U%9{nOcrK zE?t@}JB~=?QqoNar8O;{i!R&-tc%5YKE?`rF&Zzd?kOwO9r%bAW4c+@O^*9xoG~1~ z^lO$bpIr}JfR<&yA(yFiw=7)FDcoiOQxb%ELKWWpKVuySAvk}*ZwG$ghaD`P+E1FA z8DdIvgQuFl*qzZ#UXx3X3ghWi%RU7(gDm7w{~M+5de_~rrN9Z^OXg0 zuP&B+I$&oe=t|+k00k=dLy1wIqHNgShU?O=Xl~jORg!v*cn!6Ux-7$jC>e6KMHK|; z25oM*uJKtz*4FHEDjLd@yPW{T{IvooG1%b++ds|hpPYU(`L;<7_GER1A)3Y90?Nv; zf--u#ka-l^UNRry>4N4=`A30#|4$)7ugK574);QV+0Q?^c3)sp?etawBiCrd(Btzl z+j^$(#29T(=Opn5>tVzf2hh;%>_FmY^_3$9?VrGof0}S*LXL?+AHP9*8njX0a3hEf zkN6?jtRR4HmV9oqw|ED$bJ)M-aUHbrffEqRwG^z{Zftc-z9=@N6V8PizP;PDk{{(LivEG~cv-fWg7h^6^P0>E=K^3fN~RwX=+W9p^v(Cuz+sSuDuyG15_a6(zd z$hT%)mygqYdaq6XiRKsTiVa{@T#ST2bdR&c^)&m2ZZ>L<0ndFKNPw2OzkEx4I-;=2 zc?11I*C>y`xh(aY#z==y9lPRKOt>9>{XLK7e&Y6DN1G3^37a4HBJ&i?{=RlM-22k> zJL$fy)SGXv*FrR_W0L-8E20IsWKS4`yRW8AuGYUICkU7JF*B$j&}nRpd%}0vMe|J4 znrFQW!p2bNV*WDf`o$PVEPqK;L;t3ElbF`6JnF8pmz1zvW?1sc+a@4>$XWEPrZeiO zIp}YuTG;Ln1M^?d4;na}6+%B@egfw8@+{95FvUFd$^MFHt6+`e6pGaO{w z8Akh4#4C$|vF_qK`YSrhXd4A_isnMlDdFqB%_qaz7J^oWyZ{fxcTD)Oo@OhcsIW=k z)0$$(D{U}dyT51zE&mfbCA$V4EopZGmaI>Is>gIiqgwFI{3X-fFsj1YFoh=)h}0FG z=dF=&zZ3p_)S*i^K%YTxteKYY2`O_>z>TyK8ON-5}ui|{Oz;a67n?uKT5jUuQ zE;x{)EG=zwf&B~j-=?5cf~2X7X$`HxfaI*e9K@|#+!B5D#@AQ+5--*z=O$&DfXF8- zI>C^lDma+zzw=9`Wuyl3$0)#1t)^TxfGo^Di?D0)Z=QFOV@krAi;7PPaDv$1IsnoO z&(5SuoqHY`#J|O9Stp=pxn90Q=PJFU!RZd)R>2UEUXL z?g?uP=G(1m*3bn}O1AoL?Z8(^dujXs?E{J!20}V~=bvlOWU%>U zM{NHjgYTJb;;^}6&x3DC#V@MMIi<0=0mK1sV8ljG(T z=BaCMOs4e!Hi0qPVKuY+>cCpWkPs1S!A=_(%AaBLjJ7&nERJ~_@?QUAE4P57(BM;# zA97$5Nh~XzKnxo^Y`ATn${$?IBGRu9P6`si;mFD5M@^T18{O}77* zQ{3DF*~LNOxcOI~@sv$va3kT9<#bPAYB;WKLuPB&7``*VTB&^C-q`2n96QK;Im+;m z5fA&heXfAnwhm&E6q97m%|NtZTPM(eQNHws+@7Q+r7W}9H;Z8v7?3ni@yofr{yZ2v zPwGTccs{Ty$H>H0~=`jIQtBc=ZiiC$}Ndg6iXSEM|y4! zKo7SA7mKIjUViVDqcag$%J*G}TmqC6O zLdZ(GpEAo+$Fhnh58WeCStdy~v+n#fW9t!?N4>S)<3kOR1O3n!uX+=SR{f^t)@Jqx zqxPL0tX3YGPV(Ozr)>hRX4-{3cX%Pjltg+j*?z3Zd**zG{QvR{Z{GsaaxC+iewEu? zbqN0=6Tf)vJbHsMULD029p=xmxSxy zqv7(`RX@PE#3gj*w`^Pd+JqHAnJTNvk1W&(76a=I#@*3(?wr|#bzkq(cqxmXYWS$x z%Aj^CW*xYn*SGVc%}_-`?01`0q^y4SfqBsIu&la^8p6--pSm@x@fq0MPBU`X-_uE6 zrQjPp722Wz+eD0cD3)o&Ke+vNVhp5m+u1%EokH$>&}n+(w|=YOkp^d7N@Jp7$Z_NT zb+%ZBQ0Uv75qc_byhhdIkuS|*ub8)X-x*4=e?yqQQ1L(B)d+LAr>fZV^mSR11t7q4 zY}^VritXt}9Q^JvBrHLkQSzpIHL)vY@E&L7rrQh>9G|;U$Ok%aZ|;`L=%0M#Jb%sZ z>6{VA+gp-&?@<{Tl05cZGSPFWD|$*@jpmI@Gdj+zaxlgf2w9#EX(}6Q*uloPmoRu(`CHSK zo`lZd(OkDOY)eBgL2TsQ!edBtz9Z2xp?P_#PdMSx9RF!VT{Ach%F2uhDklK#T?h_# zQujc`Gdr(ea!ZLAN>rr{Tgm4$dD+dqxCF2HDMZq^fxTbx_JR~|_k$nuc1J#c?9Qcj z|5Xdx8h&bXgAikZqu%+!>An5=qZo?nse;S_w_yrFPgvqEA7UE@<9X4>{vVQjSp z*fpa5f}Gu5ziM$ewHmN?D2XQ@M7YNwD!K50cdNu^T2pzs=0p&~p*thAHx}L^P^ch{ zPLain4Y=Jb7>^#=HtLEM^N8%2#CS}J#x~E+d8&R9w;=n0ccH|Bv~*_<*u*c zopX}4PXQjXsI~KO1aTF*cQVL4qc8&8q0z{iSg#o)>K4B0SIJ^g;TrdutAIJbUC()1 z_r(FI6ejE3*kKMNL+9xuka>#+yGR9i>$p$uD_#9+Sx{3hgjD4R&E%OC>`N_K*!(}F zQ**NVPTG-I_HNlI74Kw;Hl^)AkAz!@wZ%tHt1)zPOCX-zG;KY7$8Db7iuJsB!l(( z%(xiy`KE}frfznGGe3+yo3llO;?--$5?cy#hS{TommpYzZ^o54#E8?i3IpJi^5t-M z$JC)n8Bs)urHBbm@Aws1Ov6uRS~{ztP{C=`$sqo=gqW_YRCI8D!Mc)C<7 zEszoykjEVV0pJJ6Tu`Oq@`>o6ksg{4*}wjHHAR~zl<(kguvw(If+HWdWoxG0oBI3C z{S#d@1&5h7KF@X6L-8jJ9erA29I_#PxB1xsnCh+TBx0guKxGre?S9&}!El^o>Q0;_ zt4Hh7%a(UFjVU7Eh0tAwYAb_R;e86sW`F?n$-LTkP)Kfh|14lpma}S6mDpf3y$e)4 zMJ=$|-MD=1mZteVDJIWP;B&1@LRN(l;!ooso^9x-kSzh?Tv+(qU}6)t*kap5vrR9d z%KV2H7iZA!k`A$Jh6dJ9?~ak99*vJ|ge{+biZTBXjP>Q}ChV8M_O}D=G1~*N@dILQ zCP4>FH0o(WS@?84JM%>#!(qF8d3DbwpbG?VSM7TMt@G`Ms4i6~kGuq@ zo0FMyXXg(KK3i4ad&Jz2%OQs6N*+7+j()KRLQDEk(ckwGH4C95DyjQD&4zfiXe()f zW|N+@0MS0a4dhZtXsn$8=JnYrrO`=m3E8mlQQ6|hqwZX+@scHuGEq`Yy7sS;E8`>1 z!E5EvT-fps?`GSYvdS(23%G_FWqP&{s^epkLSw>!cb14eN|A5|n1j%*>vmTZwJ-(-{$ z%Yp7n`)IJ75kl9Qn_nxD9;8Egt8(juc;S)W2>#8!1nk*rz5F6w;2htx|2?vxod(cWO7#tJl{G+ReGI9hC!%oK`I*8Z8qJNg>n}rzW?`KqCMm8W%ZmBw$ z>_N7wE|BO&#ajIKtacj~&u)6O)!Kc!@9kjGd#d`%>Lr3Sq^%2dlDO}!IwiiEnXBQI zK{;nyN~0Zus+?6?_mR=5z6)JDvg*%3vxQXorm*!*IRNUP$y{{P?V?0R-w2!&q*ec# zk#1)F`*i(CnDaHmD?}Vrsb7{(czI2|$gdf=?bsk>w;8P-uZ#S>_AZgfoIJYD_D12! zMAL?L9>?^@I#Y9uN#8Bq1e7^>Xh(k@`pfX5%HbZzhb*Ya$Jfdy-eE(16R~#3ECn~L zE*8wVi4&;5?aPkL3?ikvP~3KVVBqk5_P5#;Fh%YEj9!OBhcx8=(y``#)U~KHysJtW za$?eb6vw8o2G%`%p1DvOn{TYn!}rQbPbX|9=SclO2_@A(bY8kc(Nc<1V*|pfKTy%j zC#Qk_^){Z{m)ZVW2J{y*O>4?#UyZeLz>=jL~$V)u=$|@xAE!bw%38)Gn-p3Mj$=8 znO7&Howv>?JAt27WYvVkY6r)@z}oi)po=H;SM1QtGmJOYg3h?E(}nKT8yyYjuX`@E zS_WaamykO67 z)mVLsP8cZO4C{5-;yeStoeLKmtF%uQ5%PbPevbcpRNk=YSxQ8O4SJbH#0AR8AXm$= zmHcxr9je00FknekiV$a)4EEBr)!?m~b7bFVwPmyo(c1eJRl$OGc%F(+2u8bRuAJsF z_4doWcIp=U&q*Wv;{9J&l&V2h4sl-F&uv}+nw;{rg_vYYX2r0f_0o%;; ziP#ehUI{10n74Ef;5^9M3aztTYp9C&Ys~^zptKSWdeqe?Xf0!{MAp^sx)A5E&f#hF zSm-b)3A!2;d9X3*_e9o3}@j6bqir8Y|@ZrGv`?q_*x66(6pLU@A#l`exOv23Q6f@NYTZ z#9F}vM}$fc6`Bx*REkj6cFi@8oEPL8tDe<&OsUh36T_up^=ad z>5d^rKtf>XmKs1sh7bl+hH^;18~1NN`+N7X-{;xS{=UDELG+kwuKSF2uC>m=dWf~k z)|O2At~*eTur1!-{k@l|ju)<{BolKP!n|y{Ez&+1?@WapscNV|E>1UIv^Q@( z>2$gh*a}2C!Zm7Y&BC1*Yt5P)`wqsU!XxfP>6MJ)`Njcg;q>>8bL$bxd{jl`g^^i# zk)=}Sd%j#mdxjA&WjCnBd4{=j|C2#cNysmbn(OHisQYSb1;P91UOzG$UZ3$2^f&kj}0Y39v0Nw4;QO|vAIT?&#AJ%Juhev{OQ zSbW>p!DyXnw2CZG-_9U`*sCz7_MQ?YL&P3F#+SR zB8jHD_gw>)VFsID^o{zu(z~9oaxryXYg_Pc){BhWwld}x)x*dMu@1IQOmhMuY4!Ae$=RSGsn6y47 zR3{8fcodh&gBtO(fnJDjZRpCbPSjX^`Kl0rH|H3zn31g(UN^_Q9OW3cn0^AR>}~MU z6yOb<8Ob@}$wGA0BUjtlclS*aU@MtzcZASl#$L^V>1V~EDtFK4Rp2X&>=*I$7wC}& zFx@A^(hWrj{@u`2E2a@98MeF<3=ZYqw6Kb7ZO%3)8Ul*+o$ zlF5{vRk9#h4%ourMU#0ggr{>fA}TP)97G8fVf!FAdr0+qnknfSu`edxV}^?NnPuZG z+883j8^sCoaU8Xw!s?XO2wvQgJ6y0KQ+8bSBu@Nv-8v%JKcjR$IF9P}I5sT)>wM7Jh*?YZ0O-ffI zIVQ0S;|z-A+*v<$IFDoKCvpxqb8TQWBFN9qZn%Y$x{?ngU@UDmb;Kb_#;~~Kk6#La z9`8uZ(`9~NMhGqQ8QbxU0z-_1-NRwr71YD#E=rGjhy`yyqr<(X@#D4-=hT$g?on)o zPh}8a^%$i$OB*GSY5y3HY$>+UK&oVm-eIC!duNnuJnTq2lf7WiztMch(`vmxwGqlv zEsGTq2eP(m!&wL;X@$fF9i)yr3zDJtwA{5v+fxB%L)-w2o0&my_2QX*YCaD;tuudm zjjtySLd9rF(g&bR@Ep-S5X-zrBQ0{&@%5l|_hpDb5r8{c^EYewy&*vdXfwDjRxhM| ze`}U@s`x7@@uODsHBTFdX)L9VFJrGZ_4OsAj}e_U{G2FBy zD~{vN(s{XzZ@4}B{3*p9vl7!&G@|R*LC*T2EYPH^`n(v5?}>6_0KMT+ zs$L0ej_Ol?Zy4NG42uoG7Vv$VgE7mvL|1W2l^tCRK*(_2Od+9TRMB}vi%mUO9IC7BzeI`lW5E>2xF zY4GP~vwn7fy0dze_opoETpHjQP8LXE=QC8~lbW}>-anCRys+!D#Ll2tL?q^R`ioN$#u zQ;>DYlPxKhQTr*Ms(s#*5Z9I`J4=4QWcnYE@teM(3mQ*ZgRduRt0x&PWfV6cRxJd8 z4H5hOy0`iURp3(2Ju(`CY`@k3iO6-Ia0?p+$TD2yX@Y+C>-G)7TDc?LNk&KF1{dmU z>Y9o@EZ(ae?B4|=UbXTM2ROVB+J;v2Tl@@3e~Q;2p-5@rx4GF549HxGqSJpTRffJ1 z=)6$Dj0^GqK05s1fWLBf^10_686W*7!$!>g{d~FTRd6&m2H>SdzgsB?Yi&IOcnQL~3`aErtuMZkjnd;073QObH;38ON4~$92eQ2 z-tR56BRyZg`7;$;)^Rjk3Usxw$^2Dwx(D^?&a8{gHI{ba|3M<>yKDc_C(R z^BkMX2}qhLbQd?;JHnYw)nFZ|Fs7! zxVw@O)W;o9?8n%m@**rlr=f3#E{Pmr8yy=L!l`_++|3hZ4ZsJ-mn|{X{@k>w?s)FL z@OSmy1e_+a0>?#^qGzHuOn57{hl<~v+qZGih1b1x`DY?j#Xj%#>#DXdBaS2IzPw+( zSKYw%l!R~x?~u*ZGM@2#mF{n;S{=W-CCmGEGtmy=D?a@P9(^{*}n2;SK^`{Xr{G17Y9lQxfVT#xG{u#XM9CD*fy z?;f2v=ZlHAED_7G9CWl9*3U*7*ZF@#xKrGj88n(+Sp}fW)^a@&SCWT=1Lt$VxQcYL zQR|EQkoYy}IGCTAfj%PPrSEFUWglR^Nr6~MK_4z@moHkskoC24NO9o(ok%SqWcgyg zb#2M1P}eiPs@ZK(xi9p5kAkqNPQ8gOH|9B@T8vyzmg;zA#uXDF&g+|$bMJlye{)6W z(v{#OZ(HBpv8d*tW35mxcB!|lR7Hv15Qb2ZqptP({WK2(T6{TU&-MYwwNkPqeBu-h zK43SgMoe3--rehEqiQ z?IDqkvK3PP!)w;Riei`Fa0Kpvi# z!C0;wKL7n^R(7#MQptx@)b?T%rYYr>o#IaGU|#3C`ni6k#-PtyV-WNn2j&Iwr)Uxw zt8XH0x@++nCagfSv>HdjaPI~OZn%4*MfPhZqS$v6b>sg2JJ~E@o~>5Hq38TJ#hTsd z85T*hXi2EWo+W%v&Q0kQ;A?wyOjJbKF$i5}XLZA6XLcn-}h04XxO<{mm{ zr=-rM{j?I~$h3F~hFr!8;lD@#anG0-BO{=awK*80TqrIbLTU~!4AWKFqcRU5y> zn{k}0G^DMj)hqf}VT2PlV%v?qIOr4v$WQ4cJwdMu>MeIdx`R&R>E3fSL{^d)M3_28j%8Z$zUd|!9jGLlHrDGJ37=(}xbC5gbL$SROR2JFT@|B&l zH9OMV;M=D!nUItc$BA^WBRibvHzwwxI?|i69M{^Oaen3k%0A+a}w=Ot-wP9#Kc_FSry%7p0LXp(dslvpOhZ+D#T$_YPa5|ioMh~CShK^YQbpFukRbimIYTA`im8}&EZ2$?1m42+V1%9 z;#b*On%AmJ1@9@X#YD3M?Jf2`F>XNpL>xR|c~k6zTf$6@pr?ogVUUN#L(XlVBEv

        BL4`74=Ul;(B#w5C8V&3K5d7E(RaNM1MNsXu-Qr zJbXuT-Wm)``h&c}4g}CnLkemK;~>my+-!Bmw_s+x@uUPbB9E0j^tA?v9W*L-gGu8L z*kRUPbf8zIR$|pu{$iHB=O;)3IuH+8@upNir62S_wU<>jDUp_vZig(K-6Vumixf-x zg@@P5aiVijhVbmp`-PJ`AR7=_g*DdWG*2;YqPe8!>CV-sa+ni9;$^bO-QF!nh(Ps$ zDKg{&MLcj7M##iXL3Us!vT<$dCf{_$$BzcRp}U|8-!qyfHy-?5qax0FOIE{J;7Hnq z)eoTYypk4KKj)kguT%RXMD-i6dYld0t+b13!w(0^(o=zv3GdB2q=wyQ^{@0-m}fIl zrCWIHO_L)!JOX`U4>hXdmc~tUBp#`HfI}V!X7MkG;eIXH;mNXpCgv8?hHrI+n$xlz zRAHzcV64otbi^Y`E@VM8OCxqhW>Jc_8C$_QPl+U~m& zAxyv)S=Um=LN}{#cgo?2`YEB&A8MQK$hs@sHmB7Tmaje5%rsc<*CIQoB(MLb&-y>B z8||e8vp%$kA3Cs5+mvFT+6|}JdbZr5kWW$Pnj#StKbHGl+4)+hIub}DbE%g8XOe`k zB#%X?X4Q<&R01JR;WLv2#a;kRMp%{L&2H&ERY4W2t~ng$CA<&5Y6T|>-AN4`ZDUSC zJ%!gJ*>=Y=!il*L%&~%y_M0@-LE15Wl10p|oC#e@|GZ5<;gPjF284gC2Yw@!(JuXI1$}P>mk<;4O}M@CYY1 znyl0ZCsECSYhR;NAB0|I2_6ILk2((7<7Pi{^v5hGYm5-E5;c-7U@QsGaGbxar(Ers z`lYCfgz(S+o70M_ah^*RQ)^4}>HLXNO3f&Gv@UApQnUKa<+YhOPib{Z{Kb5H_pF5{ z|HY-grAho;&*+YP2!_0+o&Q20pNBJLhkx7AGlH>ingXB5tf^In~hK zRa0dPiB|Y~LzLQHwuR}CrDg`4ag`;q6PA_;%z)+?*X!qj5wQ{Rp?xDKK@@mFC)_@? zj-mJVGM<8ZRd zrPCN|(f%xhx7A$xFWp5uAIAgxj$3rE0z+V-yet~12*PvufJUnAsyn4^>t=KS*m%b_ z*nCn~w%=qCF1)g|dtuc0?5`UN>)SXA!~gO=k6!aFP<~&R_soAY^-{WaxZzer+*m+e z@3Yp%eVHkb<9ZvGp9x;oh5T|c>t~LDDdfCoUv&EZ;?r7;DE+J>gF3UWdj{mFYxnfJw_`!P`{DEcN|&zPisy(gCL2DcWZ(u*lW-TC0wM^Op zBT`?WcC}#1fa$j;ZF4N(qJKO?Km!?7EZl3D`_9xA_3IT2Q%h%ZmGhK5BaUT2Ioxi{ zy7=bmtXfTOMp!>_#?xmvMsiunBf@tzIK9TL!PGrTD>LHM2vlI{J7!Gy%HRhjwpUyT z&inCrq|EsHyMR;I|S(89&$-PbS2+bc=tse}L=BS;)a z`(tQqH2AQ7sX@W#2u$OfSCkVQIzeLwto{G7N zbfK*Y+hCIfBoOK4u+{|b;ans=G1=wbm1gf4ov_~@ds){^PfDWkUG;K+kMJ03PQfilG?fMd zgarHU%3`m>>$hfJY2zuhNfK^7B^N(iIs`2Ws2)Iezxyi4X(XRW?sN5Tug!G}sxr(o zn?l;<%Appd?WOZ-iPgfj#dqCZXtDY`+eRpLDlPDBF;=d!TNO5(q`0ksVj-O%}|A9GP;FJB|R1}r_siX{b0V8e(o{(*eeMQ>?xxj0D zB5|D&_^ju?pQ4dO9;>Uy#0;E2qP>palau0+iL*=bL{~l6qprWLW_g*@?x?jYluHAM zO}ua~COkpeGW@ZHy60OwB2mjRhAliWW9*Ze>s^MT&>Hhcn8bD;E1WJ#@~W0T1R)s^ z{Oe`!v<~Y2pBF$ENnHe6Wr6Tif7bFCmnsVE68{38Mj={pODL{n(9+rEk~#j?!a6At z{eBl9(ZFR(ptZ>Zf8R1&E;Z<)1Bw+^I+K_F&dKE|_49+4N2G-4n){z|YOs5{CZV%E z5|i<=hU57Kr=arsg9cz&2+DR4wf2>-lCq;r+y z^)bGrD9kgvTwGf@W}B8HqaJQDf^J>*1sD(qo*nO>=ZO+DJ6U;sKR$6PR`3t$B11T3 zPyiyH>v~~*%t={i4eYig5zrhM( z0c1BZ_gUdkktT182rJb~Rn(xgl@YO5$B6Zb8jd|j%enN_@C6DzYu}YN3Hj(8-Yl4U-EpnGmK$agzWyKs-!E1 zxBGXs@CN)|U+LbP;`xqVyA?xn*q`PEDyhdD`NJhXa!?ob=Pfdq@xf~=MrtfnLt7WIh}>&<00k1`q0`QOAUjtjhTV`}A+^pDuP; z1_=b1IMTNH_f~}Y=YPaM=XS(eGjHg#f04+?Z1oHGvkpj-1-9blR7s387a^$x71#70 zpw;61X|*5~TZRG!m9*Q=vELt5Ffu|NUg>dJr26^l)`Z(iBu(CK zTo$llCsPy9Wss8K+GEpFJ3Z;V`ddypyl^Aoe5gw#aFg1?%=Nu3=eL{0%2NvWngOwRnqSuBq37b8-(q7$kcRSO;Wh)kg(4`@P!*=n{UC z&?s|y`%riNgRHD`HCcXoBaz3tsfAI6eX zjWh@MbT+M=Zn|uzOzSoP8x5Z7bei*RwIf|GP0FtG%c-M;`{r4=nhyztWtdlx0m}zRDdjV4iM7sEdq*h3wrqCCyDP~V)K`pqJ{3ek@AlwDF!5S zak~4CfHw!RlWsJ=&i07P9r2$>LL1ZS(<7OA5bxKqkd~l@BKwlUa65oOtvt!50cm+n z-BgS0E|Ghu2Wrb|ZlJ*z+*5RTGGx6k=_&DRPm6Jn(SU?NXn{u5rJL8k19@&t80JMo zxXW4*tw+_n9oxc}MNfE@ju*uC`zm^90A*Cy)=K2bhTd z-gG`ZXA6v~z1dQ%O=`a}IJBRi*fQ+#0#~W4t~G4@VA^869YSrfl2JF~n|>W3u+CeqmxZg& zHh2}gD=~;NHNu~#8AqQ$0x$i%*u?=#KiR`y8#(fKHpzT^X7zW~>PR+`wsTS$Ied2q zYMI3_55Dr4$lJ$qP}`FU6>1)3S06_23Jp8eRfH|fjvq@ePp1lV&3d|4t_gq`$wQDrsb#tSE8KQUu@)zA(BKGtEJIpds4ZFQJd zhw7tzScAVHU419Gps<%^!(-Iyal{VZmXJs#z4^^zD+t9U6i*f z4Ep-5-NwYe=g?GOg>cY_N^h9S*SQ5H0jt!_*ZOn>Z zCOFTwhD>P4>kUoP-x$9PpDYU73Og_fPo|-*WFD;X90NzLIkk_V_yXQNgrygB@^rHj% z>mlW0gS*xqD3GI({y6>hhi>Snb4|?qljo>BQ;m#47?EtSi7c8-XD%ZiLr6oA7|YdR+nRNJIIh1}5vFR>WOaQyFcf-+cv0 z-$@P?42$u(oFt3g@{W#csO8t&F3CTQ167YvqwJkMQT8*ZT2qacR{y$Y2xqp+d?;Ki zlAgGzz5T)-N%05JhFFWO$Ku0l=2m)N!LmEIX{g;dnRNy&-PMoy^3uMc>b7G4r)Mg= zkBN3~xPIjRd2k0W>Kff;LFRtMB@J*5+l=RD=QpHF4c$?bGGyx3n>L`r zlO4*7e(s@bbOBX3Fj6NuKYIr9dbU=7s!>06!FKwojCz4CvK&es%%Y&CN?+W+u1}$0a(OaxacD*e+Hy7}=;@=JM?3xwzI|t-fJK;(mq~J-= z9E$&5Y3F_oHBfdN^bp9Is*V#UIuH{c{vo*ej#U*-IA%+#6L}t7F@!3-&I)cEv}s_* zs@>|OYMe`d^LSiTO<{Vll{rL?DPxvN7-51(xOb>yL4WYHYX*TqLIhPQf}8H<2;F$| z_kuy&;rPO0$)$Ynp{w#dv*iP2NvuYkG@^;MeNdUp5=ox15-aQNn>H+NB6Bz$Y~pq_H*ufEujjrNSE z#pdjs8tkR8l)T%Wn&yeNw;a>}IqPjLEOX;>$@@vixMo-w%JV`;Ew{du%|J$f9xN5-l~~W=S=Gx*T`siwIZ{=?BPdhEj->}7#FA>E|eF+ zlRQuC`FaO<5rgMAfG8NdsnETGr`%?kDtvnWd~IcYxV6{T7-XYTiz!4D=jIs#B(y_iA0Fo;smceUt8Ax68C=xS>PRrs zRR8(QR`2`Y-_ik|{OYtJ>yCV6Lhi==$kwwy1(DR4pXp$&En13R8F!YxTbb4!9P5Oh zdUdF!`K!V$E$s>O4-Rv|`fAF7GY>D@xaH>Q(7M@Y&yg;jRx`=BWuDzEkCoXkSH7Gb zXxO2Q&#LZtod9i$H~v`JlxU8U>C%RxjjQ!=mqh%k{_(z;iit%5Sb1EO#u!GHJWsz_^u zv!-9@vuH9M{>HuW^=dWS1_RTn&)Yj@vQW6;xm?VEp59;wzYgsQG+i){)!eJ1v#g#7l)!=9y}7>{C`cuRf7Gd=x#44XFe`@d@1(;9pFtbVfN<|BU-tNM^d^R;Ox z%5DF7=!)r2sRRvuF!esKZP^rCAMG2nT za*cD%Zat_1Af6-Ky>frpagz_zyRX3@Dyz*x-(MNoVG4GzI>Z% zn!C1r)f&3q<>v&BKGqiR-*5xB))q^+_KV_I7-y;3FdYj)-Mknzc6n`OGH~`{T1Ng) zmpz|>)OYPycx&|6=WqpoMR`1TFy4Md&^o38j-9WS$Z+$l%1)g{PKQ2}ClfrP=6i!U z!ko}Pz0|6UZHQ9@@lTC}7;f;Wk(1HTaxvGG^o7mb?M}#=;oVWPpu|V5uVic8t(~%0 z;8iB@BV~&0mftv!6e+Hi#HcpA?uS~%@HUF@qt?|`Crg1r)I z&Ray}y}(GmQ^NA_eYspw|LV>_0g8Hx^BTGtmxa4^WPC=(>b0KpTN`x3^yLQS)wS*- zJQwNC?yj(0sIdFw4l$?8mcsZ3OKB`G_cvZ}bV9>-JOe;cL z7Hi=_I3yL^8ZHnQp{9{~pq}y7W`~&)j>3YMV$;$5cn?+w;tiQ5PUSA3=t`)0;;4-t zhv>NI@!sRFfteWU*{w$m*Q$D2J{1k^=Kai6FTHj{nCGOv|6GGV{(V#CGNCS`nB&An zw!M|H68;WKP`=o}MCx-ryI%+z~9pi z80t|zxh$3Oh|J~p&QZNY@m*s%@YHSWAlLSF|AP_QRCxcZ^A;!Xj?h^T>`7skUauEv+v4`INa0>hPdF80wFAVD% zc4lc0ugU#}5t9%Ix(u<^P$Rcnm4^-Xl1{Pl0+Y2SXVU~2R5cB493yj1fBzElKtr4sOgIp!@ zTA&2%Dh(fOIlYbh@)nSTtf3~+FtvO1 zdQ>COcl#!b)rHiDC2vxnTbMZfvlYIG8@0ap+rJt9dg0*6HS4DAk&uE3&*s)=6`P%R zP!!FC?u7}&&1(As0|IZjjV9D7MLOCBUUM8t9-J2fw+iOuS3|mrt`7YZsFMFJey`TV zrlE_c5adAf;Q5Zj)0?*+>>TpBq8dIpYqEP9czlbKrKTTM&d0!)j;Y-7ci0|aVQO;C z;_hIg%my{oMMNnelAR`Dee;!HyI68G~ z{Q^;%!5Kt7Of7@BbXdxZ8C1R71M6-A+h(alHzvWgb1Bpt^0xp53Umtb&~xDI|wG ztrFic=kpCX&2h`=g{Ui2BbEc&WT>$WqKFTPjF>5DgHRkfs;yM2BWqG z<_9Xng47C^{$&w8b3wdj$HG^7rbBj5U%fHbUYm_^yjFHknx)`aEu?XU%0rW00-FmM z|3htW$QMeob4)r{f_;?FHi*-d)&q@GZr8*VKLA79dQ~mSdw4I42#qz|lzN+5#UX@9 zj?P63e6ZGmXAF~cnN1uhj`rFh{|Z_v_jjcSWQZO>BNJH? z4Lnu{tX)Q?cRUx)?b@p12sU=de4Wv=Yfuic+C|ufD1j($L$mvCR3iY4dzs1iS~vh5 z_Gk@9E4t6rx&#LNF7uzRI>-4Btb#eWg~gY}*k8B(UAa{Gsk#3k%PV4*$PF%ZWUO?s zS30Q2y}-_GBWa8huojwn$N8YQJeTGL=29T?%c)QzmyMbZ#(^OWDBOT(d zDu#|EN3)PBhM?W-!`9Jo6gGy{7qUqTj2bTyKeeLy-Y6Jyw@6zjW zlL%3(=WShkfmag|H$$%V6jN!pS&E6{WKdghPTu>1l@Y87f7~W+d3OxlLjE)MLIcxM z{$2|1P?c3-X*a*1-yZ=1KHiW50Jf}_h(qY-^A=O0Hk&vrTHxGN)fOh{!-WREox0Bc z)#t{fGN?c$Iof#Y!;k&kK>jA#1Y^hQ_jXQ5X@aHmOSI=>SroMpQFP3jq1+T<1+zrW zW--WQHHE1kVBjyc>nCwp{$#ruWYI$iVUXZzrOX>#4F0%UcvDWg>!fy{AHLBSM?7z_ zhHnm+=1nLVfrs@ zT9wkwVLyg66Z1YIGk{wNylKm#xA7j)Gyp`05A$l83aD6ZDWin?!7a^-7Hy-zOI3IO z=o;j_WBB0qH2B%3NP|t7t!nbapEf4@!R;O;OsLn{3|1)mZFfJqU2=3Qyl2nCmr1KS z>;R{t>LV(^L z_6R+CM_V}Fm%zl^Hkk9>d|*c`)GmutFw)^z#QDO>PDf!$&>Ro5^f`82(oC%uCgRpA zmNPlI2_QLnIYskdpgaA`@y6>jX^&2}4rqi|dCKG9UCkMcvoeeb-SlX^v%ANYkDT7Y z|MUo2u{Q=@f|j36;Ui+;k`k4GTy^K)7WBowicr4mOy|-0h!p=4qZs(an9{_waPhfN z?gwz(9)mgC`5&tN$4e!4(py_ZxiN6k^7laVsYlsBmMtaiw(yw&_It^`sys|!;FTZ_ zU%SQk(=%pIKI-gZtp57*bVbsaHjQ!L)~e=|zryUiYJ8`}-x=t4^(kM(Xh5Yq*>Dfs zIu?sghL=1`^RT`T;D;`{JB`sL)kqqCmt}m+XEJim_C#3NM5O5^&j!`(?v8)xVep#^bC1K4|Ur3VOIm^$Yrj&>6Q_DM_KF%m^yhrulS zCt~Ple=QCNFdZr?f;?~l@SOPy{(kPPhL&au=jY@N%ZCz!@_=7)2CR^9Sr9 zX!d1`4yjlYE8PkB?i0+Im~A_@sdDn<56*R zoJZB!sz2QN^vSQoyPXr4503M)Whk4&GSZF;T*JG5<~)ryrk457Nn>xP+OwxjS&o+T zrLk2h&HA4fpe)eOQwb5nJ#7VK--qvM1H8@=~e zqSRBMDkAxBg3l`MJ%m8?0!K7q8R*C5pXysnL<8+vK_NF3nd$$1U(roR1)h+x!GF?< zggpjS)A*{~fF|V7+)JvfD55<5k^LyW{7A#?uzUiVW$C;M;9$`I;Gh>nxjbloT{OI0 z;3P+&C_pm3{uc@3ZX;uT7|@*MtPue?5SRD&e&jUlFX>=-8SS3`x#1qjCnWgIf0>3^Bqgh!7(gejRX`! z{HEV&H{Zzz|`0?=bvS(vHVBb)tGSKwFD;ryr`ce)MWozV6uDXggG->*%4Z zsKons1?JJPkYrai1$RxO{fY0i*0*J(y{p51>WDJmEJ`?#kaXSx;j{>#-0e}{=3YO9 zd-){#?&0-VBNcY7eb5KY%M6RM!MVYHmwkB$yUT}4m4&oM7lWko z`R9cmUt+WI4$5b&wO&7I+K1Y;;e}DS+$+QC48O6DS=m#6xphBqZ_3$Zv6TMLe9W)r zjq+H9mIGa?Hm5R&49>MMCqBP?N8YBL_)g(NBJ#2hQm^dmF=LnGG|z8xUzVR;DeBL6+wtVp$O(LDRd}=-QhJ$FTTxW7%V7sEURQRRIjj=+@joPy8K|b*; z(bM7J*|O&*R(BS>Q#{W(#A1g%I5_;;Vk*X}@JK+GW5WCOQPkp%n&Op|9omhqL2<(Q zb|bXT);GK7-rPQ4o5c^G2h|eOv`LrJ71g9aRRCyn3~%W+lk&7`y$5r|IlJ8Sp$7hH zWBRBGtGPP6_ML~X-K`?Wj+YK99Z66%?dQGFvn&*DeF~Trvi7T=8sf{6xDl-MAZ5R` z=I_Hncik#7yC#{oGnamOrMy=FJa*tMe9WGi|Q9jZAZHc2W$R9Z$Ym zs?iMn0GylDeK2+(TDa)qvyicDGm#D@x~*S(dg z%5Xc_9U2M9nq5OE2&c`=Ia$2iuaU6L92~N1eT3op_Ka*+GLMQ5np8g=P|o&ZK+)G| zcGNdk%c;sA=FYY1FY)++YU>wCiojb!%VMeVp9O)j!i?;pW1;hm^?J}u6Y$1ZQ$_ml zcvH?E+yk@&vda_Z{~o}*qh}6$?5{3kAp26G-fccWftfq=bO9c=uK&CL#O(&wR{qM- zaaq*5zEvngP}!FU0fuMfv`>;gUVBPco-0@z#p)IRgKv$Pa#G}>EvJ?_k}sk%6V?vK zA)0GbCf}`M1^FM!vDyEFa$!1i9l!KHKXSaQ<2^k{mTcU(M~%yydk9$e-CMFt_+O-> zjIitc1Q#-0xRDE}eMlJWUY^Xt0<=MiR4To(1L*c%M$_o*aFI5+w|$33-2K;K?SV+k zXgDhq369#^A2CKE_UEQq5R1*RvvTVXw%yk_Nnm9O*uN7>0-9#wr!9eE7gyt6izxE2 z=6Ie+!I(<>p_#~&RtHis!{TXYPKJGJ2i4b$jz2mcd<9*nx=tV0DKhqioG59?vB+lnoz2Klm}&`n;kfBXDH=otE`#(5sx7I8E<2sS z0R}P=qW;j6^w*l6<9jEst@Lm=q^x+{t?`hbRKH7>O-e$f)yodK4rbMq;V-D4*_PThAF)m&SU&#^wKRoJB zRaU^4Go0DodF{Jis_1dPUKLN2+o?)xMv9+5C*LS_-G8Y;8H&B%Cg=}KKnXP0@Yx!JS`vVwt=}htlJgd>1|hQ<=i1#dOJS4 zqN@kI_JIaFUyH{u)3o1v1T`J`E{i%Hh=lI>4rktT^RT+`i23m-2VR0xoe_>_Kic?P z&N!kj(=M()UU++)2?ee29Iw1YG;HO2i($n68|1O*n=c=nq4Xo`jD1j82hK$voda431LdxdyN%4N1N2e!!5cGhRvkkcTf>L47Jy=I4aU zlN-`ZcaIDZZj5Ql)?gPtxXr(8_cMOoq>_jz!lI~%zS&?mJUbh{QfSE_6xA^Eut^7Z zVGUT7!m1|%w^hlFO6ktJAbs>pmmL5}$KG9YPhW59rwG3wcTfG8m3@P9I0ai5i`Z$& z;qT_XOvm0kUCI$>8cwL~{0YGNbqMotQfArlewpxhly`nul;k8$wrL&lpV~q5tI!3frIeST_pDW zsSWJGt-!w`U@J0++*k-wY_7>wmOy34aMHOGO~`Hcfo0ZGgw&PGHo{dM)IRpQFd{(c zCn#tL%F$AbGj*<{)r%f2dEri0QJY|nQ%wImRjNG6*r%|0)P9;t`C6-%RaGk^iAECa89@)b?SaVA2`Jh*5N(~)a zgRqA=i8)bHm)ZpnD!Y7Bc@{P|Fb3ZC#%uGnR9f2*o#${UfuWth)s| zaiWZu09(6ZtY=mKFF#^R!TAn*m+L(y{y(Fh=14Nry9+A~&L3>B!%GPG~iRl1SVPOIcB;z%}m>p3l zhgjcV5=J{aB5?ObJrsL9szR3a3#&(qKW=B$E1=i0)wI2Mywgjx%tKUQn!@#)>O8e4 zxESZfF>^Uuqavxi&#trF@!X?ahO z)@tY72;KMQKd*;rHa0(T>3(o_srN4In$Cpx+`8Z0op(yTRLp@4V_U${@r1Tup?Jfv1^K~ z2(m#2tQ6wwjLp8&mz9XC?YfP1;=tS7n<;?pmsmhefe~2JL=g_rH!vyTV+NN6BS?JA zni*}aF=Pn>y5EKCg*P$?SrJPLxMP_AkF@uWYqHJOMqd>LMJb{bDM3)MP>e_@p-7R4 z2#CH&uThZ_krrx#fC@;7f>Na91yn?&387bsiAa|gLX|-1H3X6n;5<6B&z?PV_W5S~ z{tP9*JS+FT%5`09t!<%D%Z-s~m-K>r;x!ddsv&H?>2PGmzEJRf`DTvt!H+ z|7)jZUZ#yK$V@3=nYMweF_{iLbpx8^ytjkt{3oaOM2efu#SMDDJ#Uvcye6oU4@RDA z*vN0V8UNAUVovc~>kHn%`^@jj4L8xV$%QsNRqX{v+u7zO8newKVfZDG z`7&yIU#kwM#EsEyQ%~%ygZ7)`;IU1W)(D=h_O%5Ut%6b!^&-~kx4jMyN!NzupbN!% zz2AL`1vpNoczFuoCWWUdE4BOg=P?0p{Wc0U48S*=HrT5 z9GmIjQDeVCrjpkNL$@kE`OT}eO4Kado2c#_8JT}g8n-)`L|6At^In*D7L%yDgN`~pUl3Yv8v%+^yb-4ZR%h~dkW4!o^Cn@lqmKw)0zJEfz;B>9^*w4#bm~< zQ(m1{eIZQzz)0hFY}UZZVL`9q+#>#3!B92@+q>CRlZ4%68re(F6?#vF@v46sW}5h) zDMC-Rl20cAZ5+Y$?O9}UrGeZ;%5#d!{MMg!gSN<_#dA~0iaJCdbp1HBRXM|bwAG%K zy-0=DZL}j%3&9Y!!rX5aLD{8FW1Hg4*6MeUV54Dzf>^{V_g@#TkG zYyL&(z-hbPEbEQx?J1sIg5EMJ@$B{w%n`x_UPH_ zfwQ>-?%#Z{+p%knEUnyFHBh8|Bx8a0J_j^VXSzBX)TP6jB<{ZbMG;jMjA5`;%KJNm zRL*;9{!q;|AHzhVWP~GxTAoU5=Ah?)Ou^}OOzarF+`G9t{&wd2WNwm*STK7SyMHJJ zPDYKE5`c)LmERjmc$urUZADjVqs+OaVo~Vrd|A!64;Qr=5M!gTd5r}gSUia}C)5|t88g>jV9+18 zKJFHz6D_6>E@IHDx_eeUI5o)V3{rxc|XyLEK@xt(48t z-S?XU@v3VT-vXzx4#=_XilyY&}Q>Mqg?19@$QZP`6oQbN=-#j+mt#{AR=E z_NRfQ`B&SULq&f&TQirf8Ere?k{jNjUFs+t+2FBl!uZ|K^x6jlpe*F(=gLf0#z<{% ztwq_u@nz|bYFV3>z^N;WXjlKD&5_;p@=pWw!ht8&%fUm6pk!2FFX(ARCB>25>_lnc1{k~e75fiJIVC_3b0_4qs_R#(Qn?-vHO`6q&l9ApPKD={tL^-8Gh zTs_SV#VS9)r>xgl>l?kW!bOd#w@a>C4gFp{?=hgYaimDTqF^`p);Vxl$V4JmVR?Jn z|K&a&M{FLp<&*(twS*O`?VmbH165aN)2YJPAgI8Jq(@bJf6hZXlk z%fknKokUpg%iO*-xVJ^sd%>OP>xdr)%};PQZjEbqM~3RhWuORip>Lo~Nf3B1zV0tU zcCivK9Dn(~k6z#K`VgBj-m2y59{(qkG6Uws-lHD)G)q;Hp+DPw$2zQZV|9)CR2U7R{<72^OONGnLh zm6nP$Tm%k+{r6c0uF?B*(&}dYn5T(^xL!y(E>jTw<3>xo&=~u6q%XKB(!sslX2Epp z@NA<0TZhIKOCgV)iK5I}J5m;HBAFGs<`O!Hm^IcwepZ_}$y--BnzA&}Nk+wqhcJ{C z8r+DHpA|=T8K%3nTT=r_f!8_B3Su70K;?!m2x_A_1VlR|uqw&@$m)?LUqacOP+1IU zBMN3RQOXS(x-yV%R}rIXoZ7j0vR=EUzmyJZtXB-1*p|I9QT)df^Nc&$_D7 z0kd~+!#GeoS^J?4=jvNWmXrfWywE@VCk$mBq{?hkOpB7W!1oT;{84OliWsyT@j%0> zwQdQu8xwd8Z_U+U5WL}oRSA?|<-TLz`4h{WC3SmS6T}4IhntcYM+4>FG(5YP%z-St zANuy1E%Njqu!lD_2I|+}D*B&8KF7ZsF?MPr$C-|7s+WxxT|tMb0%JTjmp0i(&_%<) zsc1$h)M1ytMdi;UoD$n9MC1Ou5wH*Ao$lV&{aY!(xQX53eY(L%sD5oGN$lz%>!*d{ zyI|s-%%31;W>vu^{e>9nZk2OTstD5l{q9pO`(Xu(JdY!a{kC=A{=1Yu*UVIG{RRUiuTbc2@ z@W8)0qg=#W%VcX~5fIv(2r7IYI^*uuA0L3v!+(znUF7kfU6~N7E0CM;dCZ*SJyNY! z))0d9sFqmUQQFXapzea*>6(Xtx6rpmwyM|sKF1p^oEU%58zPgf?Jg7!UOqC>vzbmr zf1Mv;XxYaP_@CCwvo8(G^g(|mZ%OzILa1V+vCBsmb-ZP{>n#d#zhb04wXIITzid22 z=)0tlW5`cHIW3*r70m3c*5?eJKlvzZezdXb z3?6!Qb+COl0;Ha2TxB;j;zhRWo(8z^m7iSrQ`?9VkQA`yW&2b-+KwM9F$jnsZB-Z7w{`6HlAx8fQ45-)#^7k(twUtpd_D&mDYw=Im)knOL-fw!S zYc}H^F zAn>wovzZDCZfN#>_j!gSsq?fC=lems>#f3<6x7K*s1V0v*)C2Oq;XD%k*9Dwq(gk_ z_{x3+distSeAb00L``*a;Hd@!_o!#nvHzYd<8@^DXANryk28l5KI6oLdT3upLT)=I zj@fQuJ`!DRf$Gsj%7>a6jZd9|PRK`IUr$!%m=pD`sOfXf#da^oawcN!`XJVG^L1Ot z!BBEL+1L}u>;pzmhgaJSb`Fg6lEp9IW0pwwn-_Y&^6txDlc)~7^R-qro_#Lf;pK)V znz6ziiqyT6jHOrCXPWz)ZV^;WX3LTh^nG4Vvd>W)qc_n@(*ZWKvg56rXoiM({t+)7yzN@ZX4Ns^mLmtB^^Y(1xW z3Cf`SepU&Y=iv@9sOk8TpwM{Xi^=`SuUn?`6`70R0YnFr&iFVHAF#0G(^_4sHhr=t z%Asb-VEKV|s}p#mt|7? zWM4s?sC^9@FdG#>4k0R*N+lOF<`ZQYww9q>W+Zv$8{Rt4PwoRB1JYYdkq6W6)|?p$ zs&i>q+70Yr)&~;NCN}c*(20@4rC0``T2Jcp(!y}X#IO~w$g=^!;mwzH%%*%ylU4C3 z4<4eSsVBTgMq>xYvj&dEQ|{GPw7bBNBak*l6{0z1m4np06cHPv*uAn$A6?U(&Sk1$0 z6^g-kt9rzjZ`jj5Bp2LK5Apy~M?f2h!fd68>BVndazsrlFIHHw^p;-8xpkbklNM}G z`~fwu!}{H^+sebSD+Sf`ygxqL&%?j}2Pk~kh8uZ|0b9$RnUBuQ?u%ew z3zNGI7J6i~!6K!0X+vLhJtcro8gCg@VpGQy$u&+#rbE>GqZ(_x74XW6$|!F1%UQI! zUl64mB*&3yk*><^d~uzBPZlQAOJ9>)cikszhT}P8XKxn)T(o++w?*~BQ_AGYc&2-) zz`{_VdyXc`S&}3I5_i9#^;n&_TC%8$o}uTpo2(0f7E*JVv$y!xNz%oz&G(9*DgA38 z8@tK7J94bOrEQn8dG_i^a&d%7@^OS;=HvSL;$u`}+Gy=!$q1)dvBM_As%6Y2bZcnp zYotb5aLA@lCVkzTv=3D5oPPK~nB>FR%Z{(3{AW|>Yo+Tij4>XG9{#mi=F!)I;wPk*LLpihPOPSr4DU zOokitReqE#=GRCK(*E)O*;v0d+L~J|C+R*+l!rekz;G?m&FA~Q!>)+lJXxOFQvp{I zhn=(i#k9X7Ch>)RX;@({$jq@25ubX7bVq()1x>Qyab3S)@U*TNsyJ(WI^C^QfHvg9 zL;8?wYzsH*JgwkeC>iI&ebh}Rw$f2%A?#1n0xWz{S3LJ#{UfS^_soj92V6E_(Gto_ z%%l5Akj;i5GVT{b=Z(^s(geNS3kGsrfxWS2a3fcEYT}8e0WaT4m*B#Ab0j^@t&VRH z5FhCZCY}1{FUa;CpCf1O*6?oFRPQa*{F)s5yy2Cuf5?n1*zDXYNch__23lO>aw&B)D3U$ z;XMcZ(B_qj_$Eu)4i>&Yto>=@y!|d=4L~t+j+z>cq=qhk+FGhf28Kv-kC+53AUD|X zOuHr2jHb#^nG$xtbn#$xK-B|9#^bBie>+x{ZIX>0_xx*nM!xxXsO8%9j4UGu);=ZI z&s;36mpjGvsL^2M&N=?&mDj9TYxHNa4~@678-=o;YIFD>D(qetRwur<2_7;Z`Qj|5 zb#zjlX^0!dwPeMUbz>o%DB}B!M9AFND`}Nn%5T(x^z{LYTHcDRnG>%hG|4>fKxbJzkJkKYwU%@+}VgE#4xguV-YZBSUD4j9X-|~`K>JSs5x|#J#{F$)YtbSey}s;G zT{T@@H_KxvbL?*pBl##tfbZ%)9%%MYxcE#(-sZ4`&w5V48|vFT8>#pBW+EH211}n3 z-o1(<=D1D)o4c~*mk+JIwmr?f9@}b_9e3d=FHQ?LI9vQ8`Ek4!_=lmBse>KDWQ_us zBeuAA3t^G*iw}^bZ;{^UnYJR(YF+V#2U^Zq{^=*c2T)X}bVwnRbYhZ7#s+~t({ z8!l)9KOsXgkdGCcmK?%>8-W|%)PI=sz$qnb5x!)yYx+O=M+F>za`kTx@*ljV<9-f> zj~JMqxAepP&oBNmNoD%U=bKMk2lsS(3q5TFHkRHf47egeJ$mq`Z~cdVmE^Kz@mpTv zFY1eXp7E~TTr9>!G;B936MnibWFNwZ?RbCV+UMbSqetNX^njTRsd z^PZ!S+sfEBqA(R6OTs^FV^dEFA*yatiJ6dkmZ%;|e2xQU)Yc;brL}f{)$$p&_gGJuhR~^*U#|t`i3c?$LFwqZo!>jJq5Ag|nNC(66WuIyhq#8KX z2wk_1`QraHO=C_FQ)Ht8^SYf(3o^j#U|5=iwvQRS!AM@?^+u(&qP`$1%<5})!m0oH zjQ`_-|MwTyPyTe;to!7gxl1N_`=um+1-B*%l>0e}p88nG+bP}INS@IbJEW5<3Gapo zVTo@vy^58WKZ^NP#+(*GDuv9r zNNjlBs!hhC87@(Ds&;a6@64w^@X?>{KdyJId?=izpkdb5nF1EhJ(9{>Vj4FNN0X_J>EEeEBZg?=d;k2Y z>Q_;lGKU3E{uEW=s}rPu%N%7~a<64e%cMtN`0?cS?&arAl_}|lO`d7VNC?&k*}t%r zt@@MH)8FA0U?kML*TS$qLBICHT*xG3Fc+d-9xILam>%-Z6IN;natp~QWtQZ`eJ#q4 z>!{+#_*K{U3u%U%0HZC-zV3d$z2%xVirV|}N%0>tM#k3#-N&v3+z{5A3BJ%Z3o{lY zuE1o^c2t`8O?62)Mn@MhXDgWQ6{0zUS1IMd@IeiNhU4?OC?h8^uThrsvM_q-L!>jiQb$+z56E`0<3;KdtBAF~9B7EtEpHH=W@8#~kc` zzbXIp8>?R@MIR5%?wBgGM&FD{KWTVJ{zt)-MK|HVUNfWg{1Fr0fhaGE(>{mjdNgj3 z9{prg_quOXiHK4If<-#o8RGqJM%2R2+%LP122N(u?}h{w&H(u$bf7;nV5O#5r>&?6 zy>4gZqDsZ+5EB>#iK6rprD4%CmF#!uJ*Rd~Jw$g`cr3~-Q75Blu zi>p^z&W)dOf{j_Sx?$v$jS@57NW+~ZEs~R72+>2y!H0z0*(gE4yA5Dqe*_Y;QkbG$ zPwu0>S$y67V~E;CWL}^C;_{r&(H?vt#wmO;JENEzu~o(|*ruanTMH)`c&35>Xe3tR z)VkF=QXsL?8{&E{008A!eDVOw%|nw9HyAgsHx}qbY(k(Uhq7SB(&f%WRpT%;JOva? z%Ymown7a*@0%=1&UH6W(!Ub+C%Y=V@*nh`B2g2gUTmF=?-@0$jxS7y4e#mTGqzUxN zE-ix*aC@EMsQ03xch0r-R`vsU%gE4Lp#g9`k+4a#GAfkmEH7%@WYZA*7446xDc5^f3-7UZAPU z-SjXG`c!jK&~(8{J3Q0N_gGXwa4)P!0t@T8eM;(|_YGf%8(l-l7Yc{R ztfVX@#8~+Iz?V7^}zG5hYL2OcSgi$fBo7vM$rjm9cxG{Dvl z1pdXZFu89XxCJwRJhZ-_`$b%3qud=Q!{56UCpdueHBaoXn<|v>D1U2t?GO7E_%%)) zN|#|=*>EqV+|P=%m{c9kE;q)8gOsJLFae~S!b(~Q-^pAA){BhS^+*JXQ=*s^bhO~U zU=Ev*$!j8=Y*GrgJP;qDwbM&@LvWBQMtl*QSy#z~BX;^L{L?0B&$!*;Raa%M4t+^5 z3MR+yOIH`V>d>{{kS{i}K;5H6FZPO!C_PrqBn}f;oaK4l&8MQI1ju5zyrOi*7`VZ~ z$~4fnRS7wygVTmgB@);KM>)*90!jUU=hXj;k7%?8qK1?Nt>|Y0>i=NzGc2LkAT7L6 zRQG*%lk7xy*-BhluEEC&dO33()}16wNGN?=r}jgC@BuMS4-JCNheXB6qaH)TF+qs# zlk2$B&J?!dqHuGE7J`-q*CKo>{1A<)C!Zjm7&7~Ag8mcOb~$00attBlJl5h?F-bOG z6h`ljl1DV^cA7jCQ=Nkpg7f(2khS{*PTPd6O3Q|0>t|Y8ZGoI3u&e-htNE0>)3)L{ zx5?}>D`=qPMs%|RuFm3avxLq3ldlH0j)I?xPyK5q`S09>BYQ=g67%$HrRR^C6g`3U zNUgl#W9V|#o>tZ88kVMe$1K1(g<7=A@!6P6Bs9Lx_8mEW@`k6_9Har^#=XO6Nz3*$ zVgInx5ql{xrQT+Wuw7WZB_Nb#tW$$5V8PohrVnVh&LhOu z8In{_Ltp$AVI`0t|uH6LZage_#oA385;2za@fPa<5zuaq0;^&p%w>|v~ zp{kcKBNpLvN+|k-4X}C(QlPo>e0=gO_-WnF+N%$4*(x$6+ELV~3u8#QVk4`7WAzNpttZ30WEO>ALpTmdXomvc`+L zK%HKJbKNfUieEpzxaS+O;X6{{kulafbc^cJmO>UzR^@_3QOa@6W9+iH7DHl~^K}Pe z{s#esh$nXh0!{4dxflCde08I8COgLDy$6YG3v5m0Zetal6ZySsvBBlRVfxPdk%X;_ zmw~)?;r{sNZ>q=(l{Z#iNFHj6NZ8abKvxrZf<5GB_*iADFNklngVv0)^V>W619};v zHGMhKJUirG>M7uGu+Ka!DDLAG-|1-Ah=&_B9k8KU&KDg~cCIVfEUov+kQgYmXg@W5 zTHOT{Ja8+-NX_OK6>)DNvO#33 zOFDbwhgB+&%Rq2J48sfU;y{oD~*&`G@K$B&i;nZe+n~E=@_xI=yS= z52JXK=K%_t(TAMVBE1e#6eL1@pMTe=WOOAxB&wo3fMs~?2QO2z2%T(T|C#Niiao-F zr!X*G7S0t!MWB77R`dAX7K&wagQfwLp8a)ZB z=zl3w|Eci&|1?XAfn&Eu>bE`T03BHK4?l_Afwjc9%tqyK{oKa033^xBRoT+ymFP(+ zvs-*_g!NaI1mSS|!UQe6-b%B*jwv`vO+s>YwEb5}MmPBM=FGHmPKC zN@7`EGajT?Qs*q6DY@Q$D=m?Yzo*avdsOlzQcEq5pG-QMT<()?&}KTsp1drqgmKTl zjftb_M?N3$n;4>Qc2~^s5mtxtk~9@-S3V2O#S}vZ9DbG{yT=PcpYnz-Bu?c!K;PPK zkq6F2j&64-31rd$iQqDOIy6J=sdvRlp)F6%ZdPl&%fDm4U)bqCSk@82PvXkFj=HqS z?{_@6-`ie(CFT^NNj_ZZ@n5;7FCsXIhN8qtdAl3L`vR>ewDq+E49i-a#As#eZbc3C{ zQtl`5C4am|$QYYhzErb|DrX!NR%ctD(iIIx?Ri!&DH34~B><6SRp|fmLIr$qnl=dtYex|5;=m9`AtgPQ9D*ZRK{14{&KbW+* z{Fj3QGU1Q;s&z>q`GN!WeChAX8$mZEQ%{nbRMz;*))H2l>*@Z7>ogP%AN~Y;-e&Au zgoL`o&=g0Q!xrRekm{|qFX=FIKQy6FFckh3_c_Tgix_`VJQBQs%PD&A>2;roo3~R6 z3;Yss7ja!kH$>L3V00f4vL)UlSD$zM0R#m?F@l>SA?5~TKgVb{;CcuxkNcvDV$c4n zQ4&X!XDRHJW?(?#LXwJ+ZOjg7CbF;{Bad1;kDu-?3%2v^zC!F5%3}Eys7&lFE#$V2 z9QP1l)$^v?jJ0iN+xV4VwW`87$eFpN+pIh3Th*|(;T+?-|?98XasGSISnUfi+e8KPXpO-i0jvm zoabLQJ~^?ch5DQ~eZ6~)*E7Ut@W&zO%iv*p{1l)AvkIK(iMM(YwQ0J%eOc`XXv{qG z;d*mx!2_?J_LApqQvW&rk__j7MEwLSO@F3IpOeFL^^f=i>m9;Pb^!4Cu@;1ECOyON zW*EFK;(s03s5vR6_?>X2$j&`S96po58T3Wt;hWfYVT7s~!WJ$X17=&h0=1>dP+%Eq zT3?JD1;ChNM`D?J#er|*eq`tI6H_z<-gOG24&KLAWn6{qyMwaz;NEM3|6aeCBb&@z z6pbV;T!3jH($nOwOoHa|H?3b?g)nB1d;d%sJ_m)1a4A!-8U{$xXwQZ^!vM+epv z3C3$_$iQb|T8qLtyt#%o zXB=vM_@eq{Ki>ose2T)i{VyV(1pM({q&ZXg5K72nVHRza)bliidP)${BqM~H_^TB8 z057QsDHF+Ew(YK-0gCNiYGvDCB=#GCmpIYu|I}|VJj-KsP#z$ zOiKQgPhQWxw5i4hj#P`3kBRfNVqKOCOTec?#;(R^ql=c@AIpEusR#86`t(^O3=XR<$3U5Z7S9QqMliBx&i_ zY6q{CR%fgfGHBXBF96Z*+n%jOn-1;W+$rqnR@ho!k*EAXHC6eWQs%nsU0_+@ApU%N z?|+{8KOEEnEU59^Cg{?lD=u*9Xae8NxL}i2`1$?0QRTJLs<5?KkD($x0q0a;uDP(@ zN?7D$l1zEHNykfeA*8|QvwbKHYC(uPJCIK&MyfgGhayZkKx(%bBBBuxEyOfT)N9y! z^tcz_`ow! zz)<^DQLyD>5B&an{PWhGV!-eo#n5)qZ=0bj&EDAH9fPVLVOz%Ue4Os8Yp>=JU-opU zmTLR}W6o4mGmT~7uK#{I^4}@UN6_Ev=*ZsVsGOgW5{%140H-0#wDL~rQsSBBT6!5S z9>g#pI35-c2Z8z6_XQ~7)+^odufsJdh#m6cdT)HUK`|`$uEunG`u$t6vnSTO%U}Dt zUpBR!v#O`wX@h{Lp7huI?D#YX zQTKy>lfFA;C9v2jVH7Ga+O%M_Jmeg`?~P4pYm4r*D*7eTZauCDyRF_kSfj;?c*5a+ z5+Nqk^w>%)ys$6FCkqkB%k5o4!j;UrV~)V(C1dAX_pCh5DY#H5TvHHTWSn0Sr-<-4 zLxttmLuBD)nj-IpSY^r(#18T!0=TZv$&=qBqx^xX=w2t~q04POPb-o;w~0dExE)w? z-t#u2A2pV`d56#!>VC(E`Te?qg53aXR!e?$>_C-C{V|;FTXH&I=c&Jp2S^j}rrf@! zE4rt;Tq8#{VzUNrqs)yxdaaar8K#8hr1Efa-RsY2{RB4t`EDN}(dMnDvQ|HSpdM1u zI(iglzuK`o zYucJ4vFjqvzZ}@f$oGzOsAM6z1BYrxZO*{7X3$eh{#DIL`0Q_8HQv23G84*xqrYvj zPI+tIVw7FpD4tMhAi5)fV!(PygUR|9<^uKt@U^sn!v$h8s@E774dS|zJf|$vKp^i6 z24Zf9)W#vH+@M3Nv8J|b?k+nYUQg!Ak6qISC>_@3;OAmUUrSX4i~zE9RXQlF~{CI$?q~Ux;66DcSsWgI0;Q{1bL^+3e-!; zxjj)OITdw5O!HNqB1t!nk*STm&f?7OALpxnV$EYA=H`We0?r;Nrb_6*M6Hp#0539M z|6bW-r7CncByb>jR69C|YUSduuYPQ6sct|&G{b$@S&dZz`c4P-a}^~`*D=he!nqY@ zt_G-7b%#x5vxb*<*=(WKUAq8aV1(yziI^7&C0qY{@j!7e&>{aP&y7JZqB!PbzWUG9 zH&Kbh^O`rGnAD-Yn5dC);haY8@L>I{BGAT+HTo!u(o4k?8NK+fc!)C=!i;W7StJiD z2nNvr637>?8#^-B-l>Y1D5I2hml$wlzVbO)7??L}vyyXtGyg-6C}zj;9T!$x#*R$yOK2V=%E zVs%93g;z+KpKYC1-y4B#JZCWVKALrmLv!QnEBC>idM*q%e^E317F%sr8hfTFaAY;V z1EAzF+2-YFS{X3?L&By*gSHTK6A|ocOPRA!tk}irecR@#OS_jB@$VpS{~b+#9csZx zjoHxwa(Uj5;y?8Ll5BA#{7=c&sDb+6sDU_=@HqKYbDNKcuz|C0X;y~qq_QD~DpksPRMQUFqhkZ}n3MSogF zeOaouvxe^>I6mSztX){S{3S#X*mhLv4($+T2BK%_b2+YKfBwH%z46P*VV}PKFTWmWz}kF-*?CD!KjWF7wVA7w=B;-ydjPm=GdEn3C%@ z5N?jN#*!C&Nnee0Vc3+FH^sR{g%DZhDmaNUiJOTrg%Xh}P>(4+HEmz&0ERKCC#(W0 z>4KWX2}fwrE|`c~Kt1BZ3hLWj%J}ZvpFHs8imDpGXkAfbewgFXOter`Wev&lWJ?4K z8H+j{76+eYa6L!OtM^8GooX~5>hW*$d#|KT;i7aTYjB|m?M7PclD8=iHvs~*oSbR| zqBxuG*triv^=qH${+?jw76x`1`-cBH^D!U4nUvETByff3vEPIb=py0 z@$clUfn+br>#+dFS(0c&-=Ks!w92f*$VB0h0{7+gGcg7;+)ue(UL>?}#A#*Mq4u~_ zy#I2%cVeG**nmlB6QINai&((0fFLVzU+|%DiKY&LFYH*62ru$;Cf`;smlib_!9zF; zlmr=*{;@$7)`dXVl;>wh{!jcuDOWz8SNknrqjZetg34 z*(%ujkK-+V2}Vye5sPAx6}~$14_{55H^k?E=zu*)M7h!6t*W|h$a?wYXJDYqpD>`7 z27;2K*yqSI>7uKax%2L*Zt0oz+;`Vw*oq!FZ29bnY@;<7x8tW?{GE~wyT_bQz>n)W z_hq1a@m_~ReG?{PZOrX>7WX8jFkWNPX${C4uv^%r2Q>%CczD~s19|b4#|Zq>1&SN- zKc)+VNEhE#O7!2iot`_*jvMitiv%eTA1hBmo<(W5|_+sF)+D%InnRu{YY~ zEWUlI%1^a*(LMUlFIOzK z*+p@e87#lao0SHXhe0g4bckbxR=7jo(4N!x@%Ut6YC*fnJGfH}mKhgT0xtGSx0Vtw z?|5PD;5}oLmbedJIgdcNN+S;YuD|FfvO9-Ul6*LP6;P`_j1yLofULZlnYT!@!&=VB zj7JAk=Yv2+aW-&^;@PY@*ci_D zDSSuRH`a5Wa)js<*x3=eM854F3gs&ttt@WZxelu{LP}8I)MpW>x1g zurEPMi}Qe}b5|~*f1g>}NTt?#h7eM0xS#Wrcn}BF`Fwc>H+oX#DYHaHTb(fL@HR;k zfXjc1F(Clm@chYX!{1^8@ALg6u7FjYz|2g=(=CS!`Sxe>vri7;2BR@9zbC9HA`4HDziG*xk)DX+uTxee? zt>?isP?FEA!y?Ok2H%OSBP*9%$nz`Q74IxW+<>-q%QZpNsJn5(TDHtf#@BUbBI}&;Td(JXpnN(xqoa zV6d>L3K&4XtpcL5E59o$;|e z3e(77I-*ux!=9^FaNlFq)1NEfgM^K&&t>1VmbtJ=y%1s<3sS-3%0GlFl_h#y?x-{N0!%RAX9u+D71Wf5M zfT777K!=MQ9>VMf$ESqaEW3bN=#T0Sfjs0cs(CxM`lTeCU zKh+ZzTw$nHR9Os3in$YBW+zuwmfNn{nCBC=zTfUSM^galL$e?hZ&`*j>rA2aGEz82 zS%fzbe^F5=Au5h9Qg}ViAuS`WhS`lhp5HzlQv4Qy2EgjWgthzRL%*A2DgVr|z`Lyb z*3kje{R$zc3=w5#xoS^7J|P|=C1K1xb`=m!2ibV0@uH6*qMhW_j7Vt$CNCF}!>W^; zUS%DTB+_@-eQCz~0YPzH2k2I8%kKAh@WMh51f))d%gujy&6vqA@cLLHetK~dw%^iQ zD*lOKH}d30#z&-4pI43Alf{#`1D0c+gpk;8L*5elG`ZZcOWatu3s%R z*YMC!CO_7#11`z$H9Zuj__)y~T<>wC=1s+luUg25FBafNa;zEG3JR(9?uT|m9y%fG z0T3t3$1&L2vn(neGu>=po8Ic-bvDj***qTMFPz!)Z}$po?g|NUsuE z#hrfAxXZ`>F$korU8kUd?pyEneafGQaU=HhZK{h&53T5fm-Bb8(V^P(SneF;_g)2k zO}ej5TED62^i_v$iN8YF=MmF;N$Yv^3Qqu+$&2%fj&O`neP9D+x0?>7r2C4UA*}n= zeo*gDS}ngoqWT}!L=fH&@_S-p6sl()e|uWcPEQ6@g&%i6B%J&WmQRw)1M{n0hjXUM zPtc`zjbc5{W%xS3J)V0%=wLRV#+g9V-nm@&g<>KhoF~gv6cl)!l_T45s+zpu5eJKF zD6!F0pBOJP23kCZ-Vrc+2M*b6cl}r%ZlkD{AM+?y#^83yH>CTAg0$zM1G8R>L4DV~ z?Y*)R`YoeAPqsOwMdu5MvC8RJR0=$sXn#1GdeFGJ>Zxz!8>uP~bo{Mbd<$nXZ_LaJ zBA!jH@x<&K&%|m6FAOFj6fLj0yk-_d{F0 zWbDW06+h@PHEeJ@!aD4cs? zX<`+|dA2KVdSVJ2fi0qdSLG7qa+kG-AOv*rIVAMoSvdF zt_Fr*)bYFiGW;+9EQLo}Ucxz7wJ7=%tA#xj#tVU=^ZgSCb;mStYAvQ7)QJ!dVVjVd zM8J*4$$Pm%W!>=XvUXD*z*AJpxY0?froLQ(cCz&dGzb;L<0RIQ;WkM7%&n-ARnO(_ zvwasRLFf)<7dgVF_}>>5tnKiIykD7_hK|kh+$D;mq7|2Y0wvTau}c3Bckdb1RNHlp z-YN=+(v;poLAn&F0aUsm2uN=N0@8a4B@q$nAR--tQl*9>y+k_FB0cm@=m`V}5X!f` zpZ9skcg~;l|NLdZ2-#y_^O|eUxz_5BS`RfwvT9OSM4`<+c_SpVL+)wR|BJpEUHdoF9oJ6f z^Wy(Mfg;|0;U<#5y=wwjmuy!$<$+n-z$6wF6#IPPGR`kq;UrgK`}}e}49Sm|KZJ$a zm{~BtSzEZ&@)HEw;sX9V|7*U#f27H0D6l*edU*;o)17%YjFdMeo6c<|r||CxxkO*Y zU!4b?Ug8m!e+Q=Z56R*rf=(0qanp3cU(qcE0s*bR=>RdIn-iM^KlhU+%q$2=f;PT+ zmN}Vw+3-}q@Rb*Xc^`xeTh#!Yn!YlbK^K5P4(go5Y<|94NH9BmNQSU;Fjgp69ki)o zxmQjR#0Ejn%vYUi|B&hExteE7hJqIe+xELzeQlDBR^WLNFEwKW&V8 z&?uf6pF!#fF}kdQLtB8hLC9L;WXoQ$UX%E8Q^I7A{2>^X|l;zw}r)yKA@sBcJsNr z$Ct4!xj#UOAL2-dlr(sn)155hJkwrJ9M0HQdr|Ae>gfDq5GXHaQdeIQ&1G$3N6Den zLlg=-!^3uU&Bn_nhdn9^-TXk1v?p&WRS1NoHyKZ z4Lz$~d!`D?J72%CXBY<_5;OE_={(6;IEY`<@@p5EK)mh!{QmB$IH|3=J|6kg&4b}Y1^xqW4uj!hFh!tBxz^y!o{)V_`wXOUd+sE_sHsWEt#}mpyjo`_VTE>fklzAU;fsD=l1T>mQ(p%ZG{WX6Yqi4$L}UW_EB!) zj-gs5FRB^)ofXkLBi-Cg@wcJ#br%gy8sGWPo?Kt337n`u0R7xOmJI`TssEOLq)oS; zWxw}0=%k{e!*}LzyCHArV*97q4zW-CCt$}tAGR{E6^tgOGk1@R3KY0pxVog%IztyN zi8Kk<#$oNa1%{NV`gm@svrx;3?6YdmFxY+0f3IG#akPvxYa0(N>SOL3;omtqq?>p^5_+-vRx4+xJZKL>f?iZCi5%V?G zUsUwrlpAC)O=2pypKXU}H>F-!8dD-kFJCeK(IcNE*`wyPxF;erWfLk0dazlU&}-q_ zITDHfDC~WpPB>|&%_8DV+__%@Kghq-Rqf9QM%0L2!-qB1)VsyKkvz+`~`O!@2j!}0BZep^UH-E7|KC70uD za+U`7QFgb5uxrarPxqrV+9s=%x=YKdBP7vpRt7ZPoaIkc|LN4 z+V|5Y^&$4VnXD4JQsR74jDjlN&kzT42pWgdUZ19j1<_il!WrArkKFjX_q3#*)f0wH zJG@7=W_}M2_b}73n{wjkgH2Now7MUP1)o}lf$J77iNnN(KuvZS)tFSSOz4oY)rdO6 zT={r<+m*zU-uOQFBmo*OhLqts6hcjc(575!jnyWyRggA!m*_N5A+ALqY zrxu_Q_nvE!MCy9nQw-N1Ri);;E^pyR^iJ1W?}Hv%*DGSffDPZm&&m~hZMbBuiR7Ng z2%bOq=;;wiCHmi407>fF7BbU0<`0gdEqse&cOEIiA>UGdu$-|kd`(#IP}wqUU5gey zn){+NBAU<3UIxhnACW5LQH?7W9@{)iyK&65{@XRT!G4I@u1i~;@Q_$s;db^y_5 zebvyUmh)we<1rl=ea2Ya&-29$nsqD>ll4}la*=#`@${!1eICI?q22hAlYE!!AJ}Sy zv(5^VFk|wNYRI3Lc2?Yk6AxIIU_xvCub*$<$e|)w;@vM^)`gP^weUgSq&ttOccfO@ zC|YpN=Nnqk3ALW5Kb{lU3%`NCP)uDVEMVH^W1Gs2xM37cUxtr$LdLglkuy`0U-Vzo z?eQ;fQ2B^qavdy>nEdUa@EhB6DcTQrR%$-&I7P#zv;)@W-qBv;S$-1z#_K3L({QD) zXL6mg$ehpwI-ZVL9j$7aPBJvVHzd9Nvp(OW)x`D4{P|O*W(2FRdn&kqq3O;=;5}{T zbuEM164lO8VI1+D)GqlwOUi=Gs^GOJ2I6UMZOZMcY!||p6>mE3LTpV_$tfu058b6M zKPE2oW#fA zI4$`UV@Up=iDT=r*m$L8r}7q|FCZS#5wx4%oOEep-wUgQ-`r%9^WGYZT!%c_L5#Ji zok=UW!tO9Boo#vj!B$0oIbz#T350On-UzB&Zte*-1G6&9qi6U3k-zAKc5mL`eQu@w z#rR}@vOMiUCYEF`TKqsdzNGUOCeL^SS&9 zwj<)|TI~pV$;xi^BwGiNM44(X}!GE4S2>VVASg3aV5=8jqhTIw{j_Rjt=*RMO(bOR?Tqu(#3O&cT&wJm1PL#{el$u(--iv;64|v^c6l>d_?%~) zLFTy$`0j0{>mTAg-?OV|n_S~$lpq?}(9aeRK&cb;MNVBesO3{6HjV}D=dm~#eBruK zB-@z6CkpH9`F55vz(EA@gu<9qkX3rz^q=2TIl?<7fY3g?_?!n2L5ZYTt zsbyR*L7nZ7$rJ?#<`Y<5MF__O!{51J{q0D>0edSCGA5LU(h8(Tg*DLEJ8V&xEriLf zrCQW6I*X6VtwCdLmP{D_v*pBd0MoF*am4TQ6@-6oT8iH;gX%H39GPu#VORCE^>5u_ zG%)sw_1R*agILs8v)Jl>t;;a~E%-a&I1gCT!Z;&eRnPj8EjokC&!9cOkZVu2}%3ZtHEo5oa9a9Fx zCcKi63Rle*NkUROY|IC@dse=OvlY<~S53RlH-dLI`f`D~h)2zcI(H3d8Hk%z(<&zA%OK(H1 zd{LZ;OX<9by30YH&*gn-xCDKTI>>-o>?8QijGg{`&~{n+ONea`BWQ$Ou`l(icGq{U ztZqKJQBRXC8@xW%xJFNgGeH-x2bGCF`HBbe%J`lNGkIBf&Q&Gd-b*ILAm z@kj}tq7RA%E$p`B#bE5ZwE|<~WbwatGTF78sIx4MWs}gcDV7d3QmXan^@Mv`=k`A( zuN#e@1H`c8PNs{IZ8?}W0?9dkT?2H0xl$rzBb(kd)8^X_*v@eO6y082qA>;Dc)lzP zw~JWozzpX`+Zf@7!>aVwKC>oo3z`Pk!dP^}Ro*dpMD^kVC8f2uQtRkZ$X7dORTJY0 z3v^T;29_!u%kE2U%d}SuUBVmB(oObq%ZD@Jrj^e^65d+R@MHx!(rKJ2B2)(Cpedrf zLWt$!chyJ;vD)~$F*XU^@?S5Yt_+mn4A3Owrb~;oqx~)l7TT-a&}OkL)P?S zfW-FVl5EA3EpcdlG_CN(5s4JNUK~V`cl&3!R2i=d-?F@1IMsH z9gATcm6vqJF1G&Jjmm?deLP+rS?g6Wt(+OC-5Z=l(p=or1rtot6 z&_7=OEY|41+Wj3G%!-4K-f)y_^eE*m$|IZ z^$m{a(a6f3zLN62*RSo$vDfW;vi!;hL?(lVdDuKBF4xXHV1JM%N+64Wrnlmgz;yHs z+ixU2DW+cDO z^}a2VKR9TO>*!c^PnSU+4H{p$er+X;?sBGR+|;$D%w(u?rFprvWpbXNzn*qA<8%ur zKx2_E5{^Cx6U@HvQELbq;u?>Bg;I1$)XoMpjVWs)@biI{&S`4~Te=2^05Ts7-Cci; z^&B@)jp}6Yez|D21X^6P;j`WEBJPyxojoatZR=2Z%`R;p|9yIekwn_&m6VH6~w9n3!cKXMXQ*vEjE68P_0@C6ftKOT|YSo zo|H3hoGU1S_e3{H2s2RoVcckF~3xqq< zNEVL{1YWO6kQ5SQi#7}8*mQ4otDcLaf#uSf`R}Ky_AE%EVNk1%@~sOSE>4SiX-nFL z9IyJFpq*X9llPKhXeQQ*&TkuX{BDSPNiT{e3`($eT4;!OZ~TpY$ydXLwgY*I3l3|3 zv`qr;K}e~U=hclX>Yo1io(I5L*B_grMd^0=4QJXnSWt|L4`Br1L_o4JRQ7*o$P7lg*}{9T6Z5x2VoDUx8vQTa87 z7#SJX(+T}Rq0Fjv|JhrRnm+)29BT<$(gw?xktsLb$jWIm1--Eix-8(E{%`Us_0x^6 z?a>E`oV@M4J#w$GtttWjiM)-KLs)B?D4Dxg#kPP?SjyR8gGA#vzf~mC4^NZRzU`rKURfjs4s@ESjG#@f(-~8 zj^l>XN>9fN;StlX2^*UViK@1pjtgHz$|@H#ei1RhW0M-HwB;3?B8<>!xE^2r2&fIi zE1W!by(uyLkvWIbBJg6cf*=odsDHAnoMO%*)U*tz#xMK>S+$E)CT4|*B@SE*Zt z?h58rB%q_iQLCi!339I?Y1R6Js_3dN5qOycI@9L(OnSduGG?A}<1vwL53QrRST4*|*M4fCU*p`f0-nm^!~yN4`Di zu4lI~`eQI&mR<9mmq&wbN}TQSbsi9Iz{_gdp)k^PW=Iq_AWCsu#bYgo8xRZgTL=~w zXhm^W4#>NQiP&_1%$`X`pfiI5-Za^EvZ}UcQ=Dkben@K$_9v&1J5)nCkH)SX%WpVF z1_zPNIM?Y3n7mzmZk23oM~a^X1}bglr>xNWqO-hIQr#?I5Bq+jDzn3MnA{j+j3~JQ zx>_;zMWa&?8uOOYBRA`GJ%h*0`%-%RmWoT2aXlJFXxBG1qpsU7p*6D34#rd1!-8F< zfHg7gjwR)0f_yTDJ0ZNzHM`_X6Q*u;Wr;lG8iF-%7iHRLl@|!}c<1dk$qr`;1-ItQ zEk`Cx@aaEjVtCme)a&>-z4NulNE0pr(SbUni{x5TvWRy;xqHl|x%J z$!eEhJ16ayl~*`XqgmQ((C1{raSnlC`gbY2Jh2~XxM3%ORujg=x7K&4qlIau!V~Zd zPz8FAv7w@?=~EFe(4;h8+E4!KJi1~|!Zb|b{IYI1`3hw*V({&D|Md9@Ic9;b;BjZ4mE+WwIN+O-~sooc)HvkEkp`Mt!VE9niSL-FR<5QR);!^B}h!R*yU}Y97=jU zEUkarb}+fM(!e0g3;XkL+1`FAL(w32d02y`G-Wm)__|u&KR#KRU-E0Z;NAhAYJPZb znFG9OJ?gP{@8T!ONSTA=^t;fC?)2?XhL(YX7K#${?>dBzjs}$4AcQ>{m8prJ&I~h5 z){% zfAz1%La zJ-M_?FDfJ-MG@Rh!H;J>W@5+vj%sQPF}bgQa7zI3#`!b;JG&FLZq9V8s! z_ALvbSE!T*d0k}Jf6WSaq602Kl1hs!bFi$nh}+!QOrh-%JnO!0RzxZ@vdq#Z{an?; zVeO^Sf+z^DAz_Q(78SjnG|{6F+%B;j zZJYZl{J2P4?zHx;CLm|olpN>lvD6e@mYA)m5ndQ)N4IYL5&3XSh4Gp=k(|ShZO>$V zDNNLPZN*J?LtwzsN`mZ$?DBV7icOLZS!-`E?~l@g ztX4~C+BZKc_~xx?ReX?xyHg_uV!?s6_}~>mWR$A9vT$MpV8-~8c zsxdIj!F5B4YtU&5G(suK)=p@2sWIsw00S+5tK9)2sHR|4!)FeT z)PMK0*es1^zmZ8c%URse$l)`jQuo!_wibj#P_v4ExzhH!53Q+nS|3j~#H8!PF5l0- z*T-}dWvTJ!*E1pe{PV9*9zI5F*tX`Gj(kmvXIeMPuNW3lCrp^jV8CG%Wgpt3;+(a) z)a%%Swu%b#_wM5~0){lW>|UQJKc3`_q|*Fa${c{AqOu%PcQJj=0jXJLK<7U|Zb@ng z*X0b@n5}~x>~^vkG2C9mT`30WpvITnE4DN$>vLkYEqa2#qlJBpNhvG~vpfuV3`=#x zAqxs@D0S${OUWL~AMo0BnXEWc{t{~>e0ux0R@1q}^ekXI9BDdkF`4WAc*|Cp>$aX- ztD%xT)Z^VWD%!&WRlXTyy!6Oi{pQ;l{Gq!sQj$Ce~H2ePZ)=BrdN;->= zxk4kl6yg*rb58SU_WKSsykJSvqq|Zyp7-j-+;n+G(W3$2(bD>-O|$U67r8XPSkv{i zZ)s=_7P!jft|-!>y{K1C!{?yW7FlA4&9RK#GY%lPYsLDdeWbZ*JWM0!!3UztwV$yz zF#Jlt^kj=y<7!9;JSBzsA0+0qS;y!Psh5*FE0fEcK^qe}@lH#6hpnic*=2^9O6;8h zFFO7b$)*n_wXpGvX4#k#(X-(NgHC>6(DS;PfY+6}M}MM_m!S+z9;O%mhBLUAGx_sxV+*$wXtG&xJ^Ymhc;D~5ViBw#bkU#Z~8} z_cYYC`>=b@&Uw7u^L{e2GV>m|7ozmP(reK;NEs{}M?!D%Xgq5cJTc~t*KqJaRNT9Y z7H<~a@3^l=UKc~Jl~!;66)>g5MV^74XmpE9+^+gA;1pf1tsJVOX+QE)rqt-h_+qaH z53q4uRg>~no-_&3rq8SUHiTd@W^wOM<~Ln=ylD1&smw%&no-_4kHJP-38eY-BP>7x z*6T-kK%%J$_%IPqzNgLJ5V-U6X?p78dai*9Dz6WBFeF|^nu{Mf0kOWB#fmDr$$n)O z;k#P36HTUB9(QDu3sP#t=PPw%>Q;LMG?%B|#@vc+=ct zU<6jalX8SVnP8PtAw{zH1|S2+LO;Xn`|3;w#<$+(ro0}rihgLp%KUC7J|EgUc`#Y3 zB`nNHwSTx@M_Y8a>i*lu7Ako;bW>Bi)Rn`>+Mmg{)LA)M`>~-kGcRlvE~^FqSxG z=?OI$P__7cH!HZjK8eR6vNqo~y7_hAK#wTf+^9r!9u8)BGS*{Q+ueJ6=BXF+=~E+( zpZPD#1mEffn$8KG{r=)sG39o3!)B^0#mt~gcRe>S4VRZzX(&6xZpH7=wVwr9pE4Kt zD_;A@{-|5?vj_sGky(BHeDS%YOq|KwW?Z`0jTyId^m?tc<@CF@u*sA>4}T+c-{UEu z9hbOjcTUTTWg%=YXjuY>S0H^wyOYjT8U7aU-*#UlmOZ5+NnNcr<)&jvjPM`GH+jZp zw+dKbwaj1Tg17e=h&;vL(w5H^E8cO4A^7?EjJxL2Q=-$XWAI89T3^h6SaQy5>%w21?U*C3 zP)T=d%Pm6Rz%<(VK1}#1HxUpFbqcSXeRBMFZTF5IQVC@WUJJ!Vpwd zMr0i-9%TfdDS~yiSM)X;AVv{O?K!*6#<*+uXt&t+1+*58E=2erota=5YBm~-)-Uzo z+H;%H^K|>;1BB@2$y4WSCiCqI;j=okVVf_zdg*Y#Sv{r^Kn}Ovx*x3l*(Fz}bs$K< z>#kO$ws7m=F2&*on?ls8$uGI$c{z$EmCj62uT~zci+FhSP)}>UWhndsCNm{Cw|*)x z`FwIKCBna?ytQ_KZ<^0sVW%ofW%>MU7vl?`{%I|rEUjJ4GLW!18#Y$p2Rmc>uLF!M4=+qT&n9sRFw{+{bIMTi0JZGBJ2%_=~Mp~M>fh&Gz#I8m(jBdS+kX3pRL zXEZud=?~6(XPG7 z<@vSt!C5t(9!A&r6|Zd4EYi1>_**N$--g8Yp3zh7r@hgk1x7MSHX01ijZIjSf={z$ z^0cU&+zRSv(nE*E#kz~(9+LYcRpiN={0Gu-wXeT zBmQ?DJ2h)!0_l(6B>dvCR=>p(I2Iz`OP1u5h6)VWh1|1_xS3k?afu})(Vm>l%VhEG zhln0hiMpFwGL}@r3pJI<(gVtUU&6{|g1g^km!a=gp-ZI66#g5R_0$u|*^#21CK&JY zPQsC$sc(qJ#|le< z@#OkSDwNr>S{ibZSgdd^%N|g zD9e>CD$dM(GMruh1}d7>Z;A~(HoOlZ_ej+Llx*rTuJ)_&it+{fq6B~Yns7L?LCDXn zyFrv1%1WR(Vd0A!U2guZC)5zswad?Yz<$#2QmWYMafunp;^~U>Fa1LCmkzW*amJpf0?b%UY!&ASYKnp9Qs-SqX8(e=hvt|2D?btjD+w?p<{D~^0~o^yGrsW-X!sPh1)!g_B}U5j$QA>5a1S{x&gAcpFyJM74@sJYKEste zw+ByuNL#Lgep^pILO#hr6dB)5W8+fvUU8%A?yo=Uuz*Mj^9I6RSt^0%ZJtn5?N1mv z&7s)NIw=}(F93v509cQsEaor1w6>sdRjQQ8nR{Y|_Dx5#^yp;{-Ye z3N2a(kDu(zk-(a3jc1ucQWhIZKe-GTTj_n>f0L{(#qyRldpij1rEh)F4h8B&ExC^e z5DxDbSubVtt`*0C9Cog~yg~VRgQ`#M9uc3+ln3P_E*0(48%i+o#+|m+H(u_;Vx$pC z6M4Trk>;r@n%vQ*+Gn4CHgu0ld*>DRBL{B&XZO;6Ytp|7A(j8rz8L3k5FKtrKmA=% zq3LFpc&4V;!)u)LLA12Bi%QMslRfg4&Ptu3&UM4IvW611f(|{9W8)P0dHf<*LWE!E zaMo`L^E(KeC?K=pQae*gCPVq>q@$51!e0upHZhYU9K?4g+Y44;=-2NH!i1v{Y!~sU zc$1PBONn$+hq%GI`C^Ih0Io!6n^;+O#6rw#klX;CofxS!O~o!pKWx0z(F=Nz9?UOen5fS*kCX8=U2H#279tc-=#V0kMxUP85C2!_c^67@f zI*5u2K7guT`H_O2eH%1=TnaN6Y*D)#i*3QT5}06yha7W4sp6*2Rnv5~L?hF+P4Gy6 zFfviJr-gPR*8B5t&6bW=iQ-yx{Y*4 zjJeFVlAc}VKyUyr`D-{>dx4O?3!Q|Tps*Wo^i zGTPpI^=^5(>(lvXEvKM7iGyy=%--vb%4;o#@fqeSrqKvo}Ul)QxJhAzY99TTh|+J zD{K{<*8tC=5x|7Sr%E6g7h`0E|4;ZYir*ux-ss$6U}bL({?^uguok~paNb=yAierO zA=XEqo|XW~sDoIt2Y}bZex1yZ_mg7hvIRD3ks;EQXj1Jw_gV6%6e4?4^FDK3z<{kS z4D%=Mi8KN|>h)VzYm3*Ff4Ca?KAaq=stsRs%usVsCVbLRVQr=Ji6Gse zsZb_%yVII#-N)O1fE)oi+}tUGdmcns_nn3P2%U;6!SNNYywFQdPQ3LfL^&o{;?~p6 zue6Ju%=gK^ejw)t=KcLi&V&d^j<*5|B=v8n6@kM8Jlm!R^Z zh*QZqS*<4G9`{`I$0O~Zx`e0(jqA>?kD9p=RCiUB znt^4??9{**{WV2QNwtUS;+=o?TC_I6uOeM`_0&c-+AK*ZjP2YbUO zDK z8!GmB*`|UxM^@*+g6wQ+#YXyqC?ml`ufAClsl^n1ZSXCE%y0Xq5#pzNnd~F|?X!Yi znT7q|%~%Il&``nOA%0rZm(Wje=2Vp3qc2oy7WIE<^htVI{Pr_76>0u4xgl)?y)kwcQOcH=hvYl| z_DOn>Z@%X3cwEx=o|~K&{6k#=D(4$96s@HadfI)n@QfDW+8UZ{)6WZOWHk}-N8J-@ z$QOzyrG6CQ?~y+Igy!d2mn#42DTjac6o-${vV$DFa*#Ogk`v=2KQs9kA)^1k5rPUn zfBP+e>1=C@PnjPLqvF3H5s$Ik|4+?gFbB`b!pR6JFW1&~<4ZX&9Frp^GjNpyU|k{& zXJyW{IX;N9iGb7on`c}k8B_UhWam2n@}SMNILZegT5S60_4Dsm zw7{+El*fKa74%@F6PtL;i1Hf18#1|pOBI{h=|_DPY4nVl*I(DYU{R;CfRfv5E~MaEycOd-kx-)uDmd~-+sfw4Yd`De4&>mMugs8rST z8(ITxpZrxzNp+(mdLDf6FH8ail519>q9QcCPJt%Y+(P$EtlsAn8`HnDG9XiwJx~;2 zb^cCEMKMQ0mTC4GOOol$w0;`;?RYJxzE)W1aaZ6J!cm-adDv9VKerZDbZ|*v^W8j; zt(#})*ODc)3)wE%DnmJ!E5{k3?Dn?V7vvGbC!>N7swI?h0FvZtTb%pw0Gq>~{wz7F z+|Kfwuc096Xezz+gKo;%FomW}=2~P9Y?WiVQkRD9F}r&u%QL>iXiGj;-;;!*M)&ly zpE^!ABh38>iUL3c<5#3ispwZ4gY566#+>sAE!o@_7gJsyerHuRCO{im|I>i>le;qZ zA-_{yf~@hB-=ZsVPT{*wBV1OcYbSr)Df0U`*P^vdZ~?4*Vb}W(tk77U#DV+1{=$;5 z$JRfhkFV%}S?<`8GEPf8zNjCR>dWLAjLDL~MHt9QuZ@*|)K?q&s&I(qdSbrTl~N|! zMs{F!eBLG^+*?g#Xikg@5T!|Y*Tl8Fc}DuZAwv92?SpWZ-xGA7JTz`a6K-xB7nmS# z(_fsuNai5I&q-#h;B3Epuo@lLGT^Z=GbAZr?{$ZRjh*ruefAy?C|;c3HqyV8l0C#o z0m%K71Si7$Q_P`sM?s4}9!^^`e6ccaSfAduVajl6cu7acIXEb{(4IxoZCh^c3GDsB zG@7qp<^lu*09PVU!2_2_GN6XeP2+@1CWmRz~O%jlB|EWdfi=pRRL&4{8e0iT_YoUwr1oW z_MESrNYzc4LUYrFjykUG=voaONdgSWek=#gxdJ$;>LUFa|Iuib=W%i~SN}zn_0;=v zds7~O1ty`#gZYm_tBkfubE*KMX1G}|T?Z#8=&iM^bf673nSU-KRnKmy-%spBBE19n zwGtpRGX%Dpd?XYAa1OX#q(6{g?a$54z~@2Tu_bn0SbE3o~)^CoV8 z^Cq7#hVCIUQqPu2p0#ImTvq~Je*o(B=Ui=j^1s*$97L2JMd^DI@oCK;sAnG!8StgJtJ7!iOGZR#&=aq3aIUZC5Mr+24sv zt+yLVEX)KsTzA+(+;_GkI2Hz7LlPqrqnI&VIkXL*ZCe#46yg!kwG?Su1x!!mqe$dOkgcax8mXZc@xKxivP7R$9r*UcOVn zep8g$%=rDZd4yQop!o++^PQCr9)6&K_f~E5$&?4$+y-Gp%1+bL`)NSztjo<(B98UK z+7^hIb;}r9dbyb7>&Z}1#orEi)>cbI?S5b9{VrPumCKy;+mndf!c-4~I!7hG08nyC zeEBdgzHI#DoxmxY_bMtN&gO-k4wz9g;CoToU1{!3T5dREU&ZI>hX9p!Y87KIU|yTM z#L+adhy8(nogLjeB`G)z8UK3nsEaJay}iG~EdoarYFXN`ycN~#@6 zDq{~80rtq!aFX&<=WylWzLphoEPh7JX%1<>WKm=k+ut&Y4lE{ zxkXUr_~}{viuMCj8a08;T;nP+#K&7b-bp$`id6lLT+1xMngoNT(#)?9Ul=fzC%j@C zb<&+EeZ){U;DM~2dW1Z>Te_ZZAEJdzp;;A&5Yl^TnjRSdqpFLeS`9yi;fC*ly z33bx*%fVYvW;&{;Nee3sF7gX(4gRn1-dwRQB;@rMgn*}gG!aBZHyGQDR`)ZS;5P*_ zA0;I}wp$_Rq&)gQQ?(h=+J} zB>q0V7)LO%AX7Zc-_E^%YoBkr4o|2k24cy?`>r>=tzrbKpZezl^Ecf{gsAdBCrXNf zzeE^ksX7(X#}A0=)dd)DX{$$vQ&pGnWOCPQx@Rp)KWpa#8s$F)5%WZW%y<(H7GFok zqcm1=b>u+qLu3|CYpYTUIN>`81I@9|A9J zR9_MJGzi~4txwszReT*xz8g&Dr- z6?4fFKKb~s=S$PP%OnV0(dg^DBFZcu>kLu!_~t-{t)?*2`~@i3W6bE9-m{zk{h z>*j)jYX;O_wn2Oh1{Z?*%a#(g;*8OyBVz#^X7Q+DR$2)5#-7Wr=VcgOn8IFz-+(~ni8YXoD@lf{==Z)rlagHfYrQsGS2`}6kAO@qW2X|6+JQ}fNKeI%BBsL0 zdDJg9S9h3kwU)sHz&3=irzpFoEKU`m*U&08_;|^RGdeqHYt!G^;>67~)vXoWu8hvs z^Z6ZQ;u7ogp~WyZ*ywFS!qRTtJh{pVDQ*CV!vgv1@Z5MA&eGbgzHu34bX3b2S#8U+ z3jNUQ7bgDSZ?*%WE@pJ!YrU5=FKSX8snFvRRr&zfhBRC*hKq^^O}# zWckF>?`Ul}o3AE7o-yPB=<1xT5*&9#n{j1gzIh+eFMy0(;Vm+|1DN4)&Xd`|g&RxL zB|>B!pYHCC^+5=1_q7yOO0jiZP02a$r9D~K$jhp$DPK7&7N&ct+VZEX zR*Zd?VtDL;s+wINyPTc4vp++I&jo#sO(%B&3Q36bM zrZmbM@x*^iFn{_Z4n$E51}U`u6oFl{P-H3b{3 zMd0oc_D~GjiIy2E`%gyBlaQGoo8twOQ4R~7cu`VrHQ8PVgtfFBCwr-^s(?mAZP5N( ze?pdDdpzVY*S*_;#}MN)h3=^x&i&g@&j7Sx{@FYg4u%NeG`~q3uAhQ1K1~~5CjW=D z?~Z2sf8TCZOP5hCMeUZhsI68Kwbe*Vtx~bos+zSzt)f=dUeVgK5wopT#NL}wYDZ9l z1hJmCe#h_o{PR4Y&-Zsu4u_NDL~_6G`?{~!bzk>{x9)(s)>7?#KtJbAzl(SC6T8n> z)2%g|!NWRcqq5O(QvX7petoOBX~sF#zDjZLa9dz*=34nxrt2ArkV9;w6 z&68AMic(Z|-_jG0-Tj*A$!gp3Es3St0ZIRZIFZL%KDpP zfq8ODwf&ml~QliN>J# z%;m5n!F$IguZrs0-qh|5N=qQv-b{Fg48zqYsklu~&QVh}9QA0L=CL%u$EwD_2j{2f z@xMtQ!+WVu9u6oBfW3_uC1=8?nLB0j;=h3}MaWY_IMZIwb#%TnTnAdmhyS4{`6Tj3 zQSz$&!f3c2zYk_0)sc^Td@}r|JnKG&%qYvAQ7RrFF}!m$Zor@Rp6g3w@eI%Gr*aFW zH9PN5KRQXbEvXo@^?c~9gPZ3ECS~tw)5kJndQ_}^>ScsBcdAx<~h(%OzJ$dI_ zc3X+U{5*ZGSyFO#n5jz{C+iyH7P^+7>)k|w<;}2*LvHBO=PGm_(hp;U8KnoyU9&0l z)xACh8}N6J#w>*&n_O<@>we{5?NjhR) zwSk<@OIM|=KUk}>KIpt}o8VwW4W46*@2NU+sGKI&{5FtWtyL>*sE;dY+t)>#w@CQ5 z=-35|mC!c|9BU1Ti;~Xkmq^rnOrvGKUz}Do+nTED2ZGk==)t7Fh{lpO!bExH)*K9} z%9?HzO%KpdnhldGF^UW@rfQ1eOOnM;(2wu0*gnU_`abRLyk?TCLzXWOJ_t9^#T5oa zb@ht)G5tt>%Rc1Gjk*nAx4eR+_`>lfXFQCL?w~z^%x@gt_rC6R^#0m=57E|3)R2rf zjku&AyJcO-;=}cP^UMb|o$A2+=Oyt|g|d^Kacd9mNq1_Zv9DxR%!}Y~Uw>fH^T>O} zVRNzEnT_MNOWP8>C5UK1tfsXl?XtFBJ=5Wyr(NIflWjI&K3ISPMD@!z+QQ9$5aSFa zfBgtFXXIT_k#H1kvugnwwsdvrmP09z1C}=h-8Dbj^)qxZYnI-5B~(L~lq^c@t6D}! zswDg-Mw^X^EvxeGm5Mle5cGW%XdM=FI#_*8k4a_u@QL9_@QC8RqU)a_BwiQPPsVX) z`%uXZ$GUZ5MOf0(7(V0{aSTU{?tY`2V{gaI;#N!?NuM$|6#r5`Do{kQiMD%o-}1}7 z@2{-&B%1{$Glw+4KjtK5wxt6(w}e*D$dZ8bv0yzRv}fHvY)S_^IXLKc0z46L!~BzB zFy1WrazryYO;kEUA6BIDt6cY{jbU$Y6Am4^-3f_G7=eibVmktZ5bLah+7l2L? z<7Y91-g5)3^->)lQrC%XFxkbb$1NFE8znmNH{O+Yd|@?M!rVClTB~t}x|94!8I*2z z*O!R2(M7NBz4G0TOrZ5uEs+a{EL|v~!I4baf(Nb4zqhAtXi4VH!421g9ddSRRcDgy zx*LJ1ozJm}Wqr|#85dLFteq}DtxOaVLn+^^-N;ana=Sfst_$=?M!D5}IPS?F39kC- zoA;p3`arS{?q-Dnp z=sxTaA*b@?UjEkpQStB20D?qYQvfe7aQ9s)MtZl=m8$&t;;iyv$&z%^@E6?_>$+!a z%692K)~h!;z+wXN4*;zm@swM>C-RANR}pl12}s-PP{ei}wo=pK`u;zqdRaTkMox6^gqmo^lSTLBdl?|0YoHKS8qqSE%9VFirI+ph-3kiLCS zS8-5r!$6T_iSG7*{*si-oZklUf$|M$tJg>q0xT>_m3Il4P*OPJy;k1CJ8!Ohy(7=O z72Uw$f$XXI^jvE}W?-~u!ux^e^vUow0`I{aA-JJg!J=7)!8d5;yl&CemBD3`5ngA< zPnrYEqPRFfsT@6m_jGLc#({P*4DsRr!8^--8j)c{KqD_#)Caflbvppev*GZyaC!7& zHhI1u0-Wz075D(=IoqG*tnsy5IcMq7<^f&k`yO-RVavCV>56`#m{?`*Nob)TLkB+7 zH9Qt7nvbEUz8pn=mPN?xtKq#wwW$Xl#&NXG%K^+v&uQFhXCZFc_3R;A8}sNGr6 z$(6!dSa)bv6^7SW{K__Hq&S=VX;A$Nndb#|dJYshs95fdtN=6aiJs?R=+1a}qzcpL zE9qyn4{Q(>J_f>7YAio;`8&0|x9$%~WNRNtJ&7x7*pqG7{^GvEOF-Ruc}tz%p4Q$n zuj-kyFDehtjgzgRN^@{h%N9rihMV*uw&<#o%ULiV$-^JIJ;}$`>%3MwS-(B?nAlC& zg8vL?=pF4hQh&|Z`Ql^A%LjLGc^5zO-B4)2m^BC(>v`BMIv-Si~wBfk{|Dote|i zTZz37&GWXF#m^INc!$yJjhR&5*QHtGN3FUW1&8WHNw|9kNg)|^XP(uEwV`U}`TYPj zr_z^;ClbHWrQL&S!Ld*&O^r9q%gNEs{e|Y4#85zuXOljyzFmZ6JKhW#@tk^LNSqV? z@=|j3$JyDFV`%i<7j~j92v@?WG*c9a*TMIQ@X+bJ)Dh`xo}oF|`BjezZ%~=pi#JV$ z7l_U>>L9|fsj%Vx#n~x^t+ZHTNNkBF(Q*$_^1k12J}kXp8&(v308F4T=$WhO!OkOP z^hX%wq6@-r?Xuccut}IHen|x8fDsp`F9%wsiXC?Ax~x%u+{Nf1kwAJ;{0$*sa9802 zzHngXzv?;O+BC(+gW@CfxzMubZ^5}2G8@Yk@t?VqgWlW$@c?6vDW0sI0La}=8+B

        Pj|M0Z2~=_dupHab<6r2J#MVidur7?A2#^j zC1y0zharO8-lOv5Lz0dtvVLnYg~e{&=CAAc_?K@)F)pkCjP5IcGc|Kwa^@Ir}|Tu-1;V{l2bf6CkDFO!ul zb!^rT=q|hq-7O48(f^`DIj4P9+6-2qtM&Zo8fCA&y&4?2$pkDMIt)%kdpndh@Zu1-U-}N0+hwx2TxKZ@+@@n)RdtgFV#;7IxF})L_Bl>fciH zIGO{Eh6$nxeDXM%zggke+QaniDA(|}89YCmM5gIUPHc|UCDh%gJe5D5%0DKYpRroz zc-535#BJ1AB#L@)J-Oca?O*a<5@qjnnSJTlORnK!6a7k3A0`wFxBX*Yf<_ zO%X7>^E2uw)#>uw#0BcYS1Uj5u700)y5^5xJZh1+=o_dRy}EJHmNtXw%D0@BqpPq6 z*zWJyjg4*88|97Z{~^nM&|+bfJLjRT^kU=fPi{J#NFZ3=O~QD{VFvWIJ4P&hQ=-KEa$@ccNe|{@*6H{dvl-T z{9zFeqq^R$PCLS9kp8Sp8}1J+CgN4Uxh|ZBg3USavyrTgnskcm+T3h$vG2M=?m{D; zD6hxrGRM&k68Q}sV3z2^D;w5IXld#|T@{#-$#bCxj?KWkEq4=UY*9`&&18pUHZHs2 z=err$(R{1CkF_;|g%05{r)v1ElSn`~A~un+&|Ra?Qxur*LAG)^Z-F+;v;Y36*u(uo34FO#Eg;FTDeviN1u@@2Qhw?ZWz&uNBvE3g{VdXj_bJ=avb zG#57$>Pye)sruZZ#jD>~4V}!EL1EewoXIn6{O~-|ox}Az=wY3V5wLqUEv^e9MY!r0 zp*F9!nyK7h02bolo%1v0Jt)@rEkorc=lUZQ-(j*+yOR*{=@Sq8+w4GpO+sivp77x( zx_g?w8aF0CfPT!yez(o2l^uTc^ngsucSO&O?D+1`*}!MYFUS@tZ7QMC<3$l(&vp7f zq9Se%c-+i7EJQK|V#Yiaaamx8QnB?2_iKpo%o~Ha%j&$X3l66?Q_^H7QtJ_$`S2-> zWgbh@5C3zR_<8KfM(y^iKck88s+3bY=vF-m*Chy$IHkV=E(iT||0!8YC|2_%ANR6I zCx~Cs)*uX(mYRM)0<7sU#Fj#3 z4HtL_a?<2Cf8WF2yLKWsH7Mq?fGC)1qHO{AFeGVjW=z8tZaFtRWQI-C)dF^6v;ED{ zSL8#kT%2^M(P?O`gUqk)u1=?NAGv{v)1g1h{|E3$kR36cYJjCeJ?u3OQqDVQ@P1^H z;dBZOy-0a0J1*@);yr$CxIK;2XNy2keM?9amGL!S6bE&p>U#K0Hfg+&3jE=@J=^{>Q@tiOze zj7*#+RBJBHG7CYy6xYQDY*T120_^r!Vb~j+VN@}Wo&6mYHe^+M+TL+lJWzGe3Lm2) zu|VL`a6L{7vCb<6EM~&lJr8l8ePbG!4qbM{s_5GBMLGk zP$M~=y~zMCJ^LKTW(eiA#aSlWUpK-mxLK+SxdvIJoKV?;SwSqGfEU%43QpV8K0BoO z_HhEvB;@L`POj*Y4)f!plTPzg5@%%8rz&9f{@05EKU`<;$B~NGh^X&2%!OIU7Lz%e z9F334IoYnfqsk4`4H4@Xg)*7`xOH6taM>s>O8`M^fhg3)L50Rl8-hCaSQ`aJ>ew`JPanN6Tcb`-_dwGA9VGs>LgEOsEeYvE!)h;XVIF+sHbcLMWFa0?sfC5Pf`o< zx*%;uwqd=4?4e_Gc}A%b<&bQ+&Diz5jCUzFE_9h}Dym3l*LIReU4XKFHnPmVr`#Xb z-TFgEiCLL?uyq%koNV9mlyYD3a($o)2i7dg4K0^K8cA_zQO z-&x9&J{Ja>SMJx2iaJBV5(@4T5HAHEQ=}EZ(28P2)08F4dtYVJ+_?i+KW%`ERBcE@j>7F z7DCW-YC!*!M;wwllFh(auXgZM*=9&FJw$b8LyrucJR6;$p;Ew1pw^1L@uyFE&jW{l z5Fr{r<`!>Gtuh3=~h+?XC|m73cIf;F60pM>h1)-;?WKmGLh|!+(_00NEl>;nuU4s%`>v zM~VDC_Gcf^%G@SPg9TZKPZ6T4ITdxQW+hI;VE$sqVUAgb@2!hg3nhKsR*BnU2e@{l|J+K)jl@;X3|8WSooZA$B16qfa3CH}wu`(v^rN>;)> zH{ds!qN`9Vln@+!TZ`F-jLeaeLy00Iw8UnXxdU(X|~F=5yJQe3uQ+4&RAVKbp14kB6s}X(_qw^^ z>F(^riy^A~pm3CFU)9$;gA5Ew z30JzA|NC=tjhqy~W3Ev9bTn9xuT<>+Ud8ayc#3lo6&Ri^Q?G|YC6upWoEI7a3lcpWQ)1>itbI_H^FSP{I>fUT zm$$B8m6k8RXj?t@82(ZgmoKHpcP;foAXUw?_Aa(_7X8C?5@e6SWrPvL&M;RAQ5%vQ zWoa9o^y&L>OdW0r>`(+ZQ^iq$+-NE@K4Le+pX3rl@f;bpux!YzY(&p4|CQIAh|m9< z2w^9KE1=C4|KWHj!};|wdCu&WFoir}3FSFXTJ!K9peF9hJn(G^eB9k;V?v9bu#S#E z#$G^m94YGxY)+N72(G5oFh2Bv0C3o#{l}}kkymXh9~G0{m#-(Q+QZRwupL~8rPAr1Nf(#xkfNT?(^hc z;ovsO0_U2iHSLJ(zxQ|-@E-)-|0K-6lwtb=DR*dT9l4mBx&RQ;_$XlG_5*rP4+Y9w zTx6C7RC5Rqm2tIfJ!8Tz&Vs9Jv-b;Ln4MSCC1j6)7b}o5GQ5?J9ZB2?h>E=@6>0~z zfl0za!dsL=VA{&ybk{vy8~U}9FRMQJIZgK4 z1t{G0!=UTy0{Q1b(w!aVYEKLkipjFwfp&$s2y+{zU+>DeQ$(S+o}U3gwUug&a!5Nw zNG^hfSaGk8WL-E8!9b5~6Aqq#WGYi0fk)G8w9d!WIn@Mx$lmEWn(4WHoh;!Gu z(_S}SEoMXN?^R?$UPrPIsQ$VhCaK68|z$o_T(aDJl_xdOxX*czo1>;Uj$^ClVHU6P+a!nurji0mG_fy`M~H{f4vxUcX&ov7uHZAXo?CbZq>G80RknlRy2yKaV2zy)10g!rl&ZwS-5& z0I(VMjR|#n9scVI2eyL_{Rr4Q$Q&P5y%QWC)0$|8<0zyM2orT^kH)CFW#_a}`F{;^ z+{zxQ|EgI51*|Q=^)F*(4)0b%jn}hR;@IO!PflJY;%T+N5b;I67wPs}=xHCUfBSec z6oa5Syn7~P&^3kK^ogzZxfp%|`AsRDkV=p!vGDSfh4UYMXu6`xfO<0=OT86J%J$k) zWF(ex=_X^w8s($e2+H7rqWU{oka*Q->WL0&Avx)5YaI+;7cAsi&rv$7^60wl>JUu3p_q|$Z_$u2)Xp05+*>m_BPHmV^ojP3ty`c zAfj`9=VJwR_7G898k5Mj*4_msaDdY8;ai5OwOhQlcnxt~AzyXJg&*vU)0X)Hx!Zl= z&S0KI_F`EV%aFg7B83{t$CiChk0&f=%wLz0;QDE>QC{lYZ8Q6O&Ei+%R)5iOjcX}q zx`(1TbiKzvBtS7AC|yg`l|d5)Q6y#1+C82gThB@b^QUn8XVfn+;Hm{1Sb$$uZu;VB zBA(QgTk#hA4J2YDReQShzqyXTlyCm{QUBwaV*j>lcUu;@{5p=kDr}kD@9tIXy%0O{ zHy3Gv)P>uAgA9u!8ECi&@R?sd@3{v~qa39lfO|lqO_xB@u`&xblTywEL_jF(2 z*gNUyHdSkE`#$PuGT0Cp3<)t(TY*>IMtr3%bY2R-b>mCYGn&o(VacmnEDF)-K|arO zD|`xITRd;iKQ0_Q+w{@up|ezt408Qp4dmabIHDuhLTPs>Q7YaG_w*gS{Toqld}C$-v3q=6e;k(*p3X=T=*k zet$iv-<;acYOWa4WYIOWnRvj@7$cnKOAMY}MM_Q)EDH;KuZ-~1mW z=zKuv?#J`G=sP|QV{{{^9w~pKvJBnYOj=MQyo9>P z#e@vq{(t#8(~Z3sb}G9*l2<)->hc#-M>JUBzdcJY@^J!@4r2RJ7lK_aq`Ezt&hQLqZORPjUdkSt?*ym zjr`Y^!$dhjMqGpBVQXPIJdu6@9_n$8+FA$W+3V(cq{6_f0c=4;)janF#y|{O$;NEI zN%I!3>sFv9c=%x_Ev`so3v0s+%B<1?C%Tr|RP*gYG*fO!74_Qv*y?&a^3)AM>^Dzc zuYLOga#r;P!0HTj=2>p3GM=Rw;6P((SSTw)G>?I9BwLb-{zw*yZ-Q-IJKeik(H8(NK=G{T1LK+sDyw%gI`EUsH5Iq4@L? z1uCUPrl+bPf=~EGP20|8!<4=g*C-tjzLRs_DRVRA33a2A(cPTIbE(fls9kNfW$x~O zoK`P1;=|-=R7N{a7zz{hEGrbBuWLVGaeE03&=^e+-eID)@z9$fYTP(4z0aXxm~&^{ z$bg6G2~I7YT;*)B=z4xy68n$M;OxZ(MnOUt?OJ|dl&DFJ(t`FMM@Gx6z%0_+FW=FH zS){o6SmDa(FS_vfa!v#;?464J3|6Ahb|o+>kec>0Yhi?HbM6OM*aX`cIA>Ltqnfv*R3$??20YjXLk|`>OCIE zaSZ#11l^5vyeQ?Ai{1d7Z!=2u-~dUd^$zM(H%J=(3>`15zf&Z~;*^`uGjlWhShdJ6 zn>L=8e&Z5^(rfl^s{RuqByA^7@a35ps2lx>D^vgAS#3>(zGZe!wZ$-<+Fg0_2>UP_ zSS&Sj%ukgf_*;c&5Q-#!KxW{zuYOh;ko*>u==KdQd?-m)_SSgZS&;XA;o_cx%4G%| z`&N$E`0zN$=&!OaS}Q}*M%6TyOcY{u2_>(Q5kX5CbWn-_Y8wLR7e51W4<9Ohi7 z-RQJ?b!8dmoKy1dA+qFMwGGsL=zp&3{z^RlM+tTfJcVNsq17n2m4-jG5r>2ZdQLJd z;|>*_SLf`l#`KRSA*}T=K2P3JeP#vI;9^?a80hnXRS;xEpt&^^$A#%AF*UNr2<&S& ztkBs6_}E@4|NAMzT1l0YW+4d;ADbXG;}ZesfzrXjY8Y_FUGH74c&j51H%og&L@F~%~R5mj^h zLE=!E=sNG5|1(G;U_ti6xuw#-v|VmHWW5@boe@1)v;1G-*dKerr-R9#674mlN6R>a zAAM2V*O|NjR1sb7B~&%6^GUNXFgz$!mPdNWHU!8qB|A3HrCN379nVORf1gfLjEIjo*#;FSrIzZ z7Rr*7wZgJNQdk_uH~%W0QLF+%ifS^I>KKsUg;_RQ^SoLW*WALb zl)H2dVGb`_OarnMUUY`i4$c`C@Hu2iRXk$!4ZT=#wp!KUX~@{a!z|Pz-YgGC+3!px1VpWGPED=0=e$~ z&9rm~@wO)0*nf6%GSn_y^}fvFraW^zWqdwN@uI_h%gD#UgPfLXnS42<99SyM#=Q9R zNWJxp*7F-?FK={eW}SHYS|MP|zRQDC(!0LMnTD~Nwq%!HZ_x7oHy46O_W^!CNS5-? z1L7ZsjV*9QPi7*_l~~@4Jz|TAv?m&(@bK_oG6YWQf z3#SfrzxA-pN8`9Jg_{1 zSa34t+_NR1zbnB>zRC}LI5#0;A^8qMHdM!Go~L$n6d^BN?u3wsSdA?$P>nj88@TwQeX!T< z7cx1b8JR`uBg7NMl4;ECaFM%+TZ^ZY@1p4$MpVRvgXNw05qEf@4$$o8R`L zc(s_?+a;eXL}U+=UhwAk$;a96;`_ z-DgYsZ$}X=`Guc6A_qeiq7hTiC^B*@AHJ{W8YR9MsI@|VJW?NDH!zDd0rcNV-`8CC z#uJ00K$0u5O&N9HzXOYhT8%ITtAYth#EA9DwarSl&h5|T^-c?UtN}m07UYoWj6xLN zy`~6pr0-tJIheU*Uw*K{_WcDDkBii8XAQjXQNw_xmCKvBVDnn$_FHbrh?)k&a!092ZP^3pifpw_LQ*_9j^-7#9L=-r{vfFvoqv2{$Cv z)qDEgZZ^+@fpSaQzjOG2lPaixdj5()vX+C{s;Og!)6d#KZvEaC=C|sUb}mZ}L9_G6 zW>~q1;TmZYmp)u(irAH1-A|A@k3{^pb#-jl6r}jC#8;$a}n=O zNLy~udXwI-iIpW@@*5@D!=eg*bxC3X}>>+WUB}F%RT8sTSNr!X<|h zx<}ih#mxL}*tsGieWvJO2L;8Atc^1sR=`c!Nig#G2<%eF)2L6$@T+vaWy(9OYBnNe z4Sw_OFTUP|0VNsn)VXd$ofjJRd*>3;iaP??4yt^Ax{F&qN=cM(Nu^Guj>whT5-#Oh z_Y7-+F+0`kARkCGi_F2lW_f~&-moKl5FNSog*aOvknRx#W*hvDm}t$}1CP&(Tu|10 z|M$v1fDvvA`9Iq2=msjA$oq$5vw1cST3ONUten6{L#;KLX4MxbK97I27A(x_=R8Rr z%vJ|oXbAz;sgG7Sba?nga!?4TMS290Mzb%h`uf@GXGqw2DOp_zh?Ex25{a59H(fP&>q_~(Z0Ltw99GS&sY~?WfkpVGm4#XaT*mzTvXf}5hagvcfO`ZwK{6a zbM$TVPA_Tc$Hc9@m)2D=RIt8wdp@y9Vv#f@2?e)Slb~P8Yr&x)t(IDEJRR_!qwZc>O0m*U&n4c_lEfel4Q%erL~V$2^Te z@Qv>E%MOe8jyUAyjZxO@Z+?b_)j7FMtgkONwX*X_p{KAV8!4drg>nQ)d#$JF3$SE< zW?R3D)M~Z?0c1*W?@{r0K09w_1NCS0=f}Mhd!0o6l3Ybm4iO()t7U3R486Bx5L5Fl{V*Y+i@cw~1Q_-H?=2iJa5vNB6%Vu`> z_llTVzn(>GvXoCGYK1DjP9KMT+7w;)Ey5gF4*GLG3&F~LP#w`o&9-Id(&Je&i`lMe ztL|xGVrj;>P3-r-Y1t1OK|b)d+lYu7uX-nh$ZL2Y#C7djcTrMc*Xtj|LDuo`D(_KB zhNaK!#>T1N25MR_oH6S*Oa!I7+mlR`r|jgdA8c)#Y;sU|Tlv6g+$JU>O*g)6&d*i} ziB5i2-sGyD!<5q~!(H^*{8qD?dwo$-3CKtfqGbeYkQsetcNF&(%qpL#f7!EnxDhu&&uZtm6X7$)AhBncO#o;-c|WRa7omD zhcvj^uH^147QeZhl)j-5O2i94XMGs+aj_v{&&7`%; z`m=%IlGm8=U^uOG8f8~VGXm(yT*rIX5niEQW8G*GpH1xM(3sdakGG?{RA|nfT|H5rq3r^q0D+^}#{w`djA-j5-9*0>!X~9|* zxuzrCrk+yNDeQ0vVQn%S+JQb2^c=gwJE-aSw8pBBJ&F-!5bd)kT$-FACWR|^k4_i+ zMl&|79KwP+F8(Pmxv9K)r`7o0wgDU4YI#+Z%s5@2y{6TirN1NZsH}DEenll=a{QaI zwvTa3c;&a++Y}b-mIXNwyS2C4%jYL9zfh4AWUI$*wonT(*ujU*hkDf`+%`=eHLdKb zzu}veUIoc4m^dDPU-R)vWjmO4t|Z6+PFW?<(S#m<{*2rb8qU89BRB*{frJ>^w!aD# z26Ro$s}<$4f=ID*pB*Vpm6Rd08M!$#Dt=aI&(T-9SDdcEJ4_#VCu~-8gPwjdtntj> zSbhnj{)V@VE>#MBiWHCvs`LGgnmEZ}6F;0PuVR(zHGi;Nh-+S+3 z9xXV%zB_7+t_vA)bbtAJzyB9Q@D~cg zKMRQbDVnn7n${&yir{_?RZzmUD39bQ;c7cH96PK9)z$4F-yP0xZHY!}1Ld#Q_a?iZ zCDt+FdYY$3-}J1pBP0%T#|>jWNMByws^IDL*3X!z-K(+Y7HCTG$F4?1Nvy7_@qw`h zF5JZNNhvpJDZFe}IO4|0(xx2iaI^3vddaeXcI=Y(w$q~r8fmYCOrnlGRttEdfN+t~ z`8iSC)-9ND^C&V8Tv^grT;bVI7pULhkjW(w(Bsv;AecvRAjO^&0bd?PnK9w-2dn(` z|NEcMjNtIUXp5eY^msVj$c)EwW$J~^rXV;{u@wU@76R8q>M84#_bQIjL*&*O*Tezu zEm%RJmzT@O@cJBaHgV?(o)-I~?`vCg&=+&*c#d8phgv%yeZ#;BkL6>pk({Cp#!%BF zHQmu=^`m8E;Xs(8G6RUWv)Mz)in?b_aad#*NwAsU!AGp!I6Awy3^VYiHz~IkpROaI zlC{~kKTY;n(0Za<@VEN^KTnpwsIHKqzJ3-{iw?nPX%cmi{Zjut~DLqYgqbEUTQj;wS>=BDl+Z6Z}~ zjB0U-ea!!hK$!e)JlhI@f-H(KUmkDN_>gi?zd8EHDDLG{IrT+9#X9eKtYX=PHVNihJ~9emDLgWCz3%a@{*lRComFGJiG+>tD>>=PsGrkI}} zd@YNfS`us;JodK(v!K0DZ6r)}=N9#Z$I)!No zrCDTN!U_p$z2jVN?Ev>q&+h}8=h*O+wUy{Hu=i@kYSp8{p4t8UuA?NBVMZ-NjeDtu zA*QSN=iQS9c5{ver!zfbAy#*dI#Y}lU~}Z}q9h)KmA204%c2-QN+uDSM@OwS(j>>Z z5FHXOrp+*jmBZ-n>}Q_nWg#A~`PH(nJPnZKjtI4g9Lsq>yHBwEs2g?<*J!08{#T*G zoe9kqpL5XZ6UvH`w#o?c{Cs;X!n{@?dq!2?~*{)J4};nE}4G$ELhZ#ox;X7GZ>wS)DgZh5qz7l zcbBxeUlLo5(g)DP3W7^>~>#q)*AD2n^;{jTld5h zBG5?`Y-S}h(`P3`TNJpc?8(TZJDWXKsY6*I!EielhX;L@;Io%=Mh@P#M;fzPH!^3j zc_}pb)_mKX^^u|U2^(UlBM=Kh@7i>`cr`R%YnTI-?8!v!2%+mi3SB1mL^uVqa;A&Q?B8?hO*P{GiIsG z53leXSREr_L$1~>%OdqdSns)*n`=OyrH)N4H7ObKmh_0Zk0P>udUJ1;Dn-a!AN2~R zKvcw$gG-x(-J#-Cef|^X=8or{zo4Q`?Rje-k?6odqwwHp669rTFjME*-ow1qo)>Lh z9zH0dn`nIXDAL9OhuQv`3$A3O^ejg9mhUe~uf|qGsJ{oV>eu^s zaL+Mx%RWdrg_S2fl&Adh=^$P3()`s?KbvGnu%B4ePdvp_^EJ&>^}h~1=l{W7HG~X> zzL96CrH!8ExFEOjbh7r{^mO59bS3<8w`jwFH5$Xn5)k$1iZ~hsS6>p2@*P{BEpF>YZTFlF_RibN%m$sRH52;AVmcJif&j5{+`#jC?oET9 z`-I!>Z$!x9ZeEw2aa~8!j3tVm@&A(iJ1eeIU^JyK!y<(Vg*b~u`t8P22s8MX04*JjB;1@uL>e2n?3iuJXtTx0Adm*#uD)MmCv(Y8k`@7>J)(0ZTOeI;57p zn@7cLWW=)CeFoDV7I{_yAV;Op6s928r6Fo&4Hp@{UjONXB%sBqv8uAF8I2yF_31&f zfrpo=Mjx_C?uqgP9eEBd@}oywrzeAv(U<*og5^q1#xvu(feX~$og}MfXQC%VLdMC~ z!$s1}j6OHiIKNob!Pa2+yj{Ew;&?bD@&GF4bNGR-lWZGOwN^D`Cq?~93^Pf`C(e3sO>4MKNitumdn}$ZQLS)769^joGEmT_ zG(%gbLOuM*@ft`OzzXu4kNRFaQ29J(k?c2!y}9c)F;w2F#ER1%B4I_VYC!r#zO*hqKx-2b^B64yd+@REw};G{2X@k6ubgJsrgDB$+p6+dHql2`USmyKV# zZt=#Vc}=Yo)yX#W2NwvT?I;P%-q13lvz)%X*h*xOxth zd%QtNt*??Hq7I+mGGw%gWVY_Un_BBNv{hR<_8o6G?J~)5aH5=;yEsz@;f=Qob8D10&F$4Sqo@4GS!fLu)`V01Vwt|ueC?~sfi7Y$C3OLOb)%ngg5%9eYPyc>Q8tv|&OCn?d- zG^6h^z&GZBE7Bfm-!Ddou`}^@0((B5Yd*1^c%Bzp?o->PTk+?r1&}jX&*s+d$U&vr zoJ8Y7pCdciirn!|UPGKV6jYMt-fFN&B(>Hqe?fUk9)HbR;(pmKY#GX|~?2*9^ovCu4dLM0_ z_9b8J%0poaaaT&G1=&z@ji`fFb|r|_h2!x_;QXv4SE7_QmAfs$eLczgBHb%25d+oV zUEjz;jhAN4O2T@?Bnxs(XzP91VJ8U(r&2Sy1;RI8%(py)W!6FXnXIVCfD}gcUjSeG+7EriGYd~M0yE`DCkl^ zM0y7S>Ai%IAc7PrQEAc=5$PSIlc3Us&`W?&1p-J2Js}B!?1%NXz2}@gXZil-%rL`0 zQ6RaW`)c3M_i{-0hSL_f+Woq{`Q51%o4^i(%g|uPjHXM=Zl`rb@|Hw>kxRu7x?Oa) zh0?ry0||D!j)n-nx&|5XBOG&9^^YW}`g)J{J0yeI6$=EmvUd`bG3zOWHU9~7BxRN( zLCdnvZ^TGWAlaeuS#rg|?++8>F=(j6)b5NeHgm9d>D-P1vVPk`*gLzD%N_su4AwXo zrF>zbH<MSTM zdXi+a{GiyhCTDC5Pb|5{Dqd@44DU=(Sh;*$H|qwYH_+|e0J3rAmRKCV=i)9;r-*<^=>-2l}dvw3vagu#k zZTCN#21Z(Z`;(3PN>c7EX}ax#zCi0W zK9%{Kmc$=-P+W9)d8YPWQSbzEnCDebz^1jg`}Dj0B~pZqD~yC2X&(!(KR2MH>dfHs zhSXHED{e{^`n#$o(w7G&QQmLIw;aXd`lq7Nv{-LTt&FA}TUDFPFGly%+8=sYiAQ{J zCNDKUSK@Ad)p#B5>PDf@g%%%sIcX&HLe-<_%*yM!@e~IAbKpozMO%b5%x9Tc;b2SR zP-o)b`?cj3Pvh~vQ;{tBnknglZ3={mEr}~@0mLLb{15@#9Zc05BW1C4>5ESJnYtRt z2K3s9LEX8ZeyhR!jb zy$WU5Y&&d$PR0|9-Pcu}mx!ghCHWXsi6oP;*tOX#ReBwJqw=otuEI6{APLN74M8Uu zjoyN-*oq}ekeGfJYl>le6E47YhM?|Xn4ts~Rb}AE&V<(MqKa)WKZ~wlk%{#rmnh_@tv&6RMqEK#~bKCMw~(b7Go2)rR`iPZ6nDX zjqZy`P_)|6haPm5=W27q+VF70R!_q+Q#jxeq{pc+@dyVs077Uhy`p0b$@Ze>tA4AB z$BH+7Y;@cz#vUg&eGVe`N#w8EpXPcZAP#_s$pSBSH@ zh89oG0vc!onP;$;?W|6R{oSoe)02|dt4BZDP5N3I`2{Uf?5c*5;1>T+G6Ca+f?l}W z$h!Om-RXt&O6?nZhDO$rl$Wd$S6N`oQiS9thJI!WLPxh06KF??+Ux90G;CsQAcC(q zkjnjO8#JEnM}^9BKkb?g8yi;`NI{yaH5hjG@8|utnpS9rxuwtSR?vwPHi2CM%I*KefLeBxrgV3Y64Q+{k*#-q-V|jTJ;HU zB!bb8jNQg6rY%4#=qoX!lRFA!&Yx+Wi|p6q#Z@@`CsqE6Qe^zmkkkHi|67c>&yQXsy>uq%z zQ+reRFnFWt*zs=@FdL>rvcIFG+Dh zlP!$S7P;3oP~TxYXRCh3*3`u2aJgqE8eDe(bpGSVdI4b`0f@JAv+ux@7n3avrhsUNt2sPnYEkzi-0szxoCMVV_HtnL zL#!7TT(=wM$sAvuqQnVyjya%Ak>oCY>_dx9V6X-;RiGsd*4sZix8Vn2LZP(Ezb~KT zRXQBH8t*t2>2Hf}&8T#@u{>QFIwj0MVl>EXLGFv%GbYB<^!3r0OD+_-jR&gG_e;7W zXZfYR;o;X@U12tPA+gF`r=0r6pWU$GotILDqzg$0Hv8MtdYe7@N}ON89reH~H1 z5+=WOlN(D*?>5!X;%1jVD{^@Y;^F1((ZWi7ysq|{yO15^{kd+}`?rrk^{Urx4rGtC zFWsT$nL=>-yM{Bpg9{#{x^6XKjxH<)Wu$Oz*{Y9LUJ9?Ij2BzS3r$y~8!%66mjctW zzJpn5zNh#tx!3@XAsu&Z)rA(Xg|S8dSfgGDrGNk;4}NN*k$fjj@l)&gSgf-gq*WfZ z-H+PG>pY*o;AyrvA?m^njJ~A~WNS}lX8epKy1j3?&fZ18&fUgyOFIj!u?bD2> zWi`6Qnzr{g3C%hZi>NYp<9v8Hh0f1>f}7mVBAA=HKBffpIydBW9OIcU9sW*udu}7Z zQ~-57!*j5k@ClS|WME9-^Zp}XUr|E5hCy<-OR-BTi8YpxXn-wcYCKX&?i}BIBh{;z z>%#02bgo?RA|%8&S+3Q2ty!Gy^Mw6;wyT7iDX2CU&Xz=Y3(z1JJy>wAPr zB}`%RVesNU6|?%!mc@3MjH<6n7!F$9ql#?q=)py+io6NE2G`8E$x3JTsi$rhn#bKkgE>8yJT|GQeZg`5X&BOGhGajHKW1WUm? z)b&VJC1p7o<&g>5Szt{j7>MW&dyVGsj$>rDK!nu29SyYWG(AosmF8BUl`aw3aoq0h zy|ei!>YlZ+Uy5Czr19UMhsH?!a~ytaI%sRdAen!8CN_X_YV2|QtDnL)=eM~wWaSyW z+n|1EixEN?FWxu@_(<7<}1I|AWg5l+gI>vg@}SDbT=mlY3H zT(bDhRfw269j<8KB7o0V7b4Du&P*dsL3?BIN51wlmTE(3j(LOHG0voxOt~C!B}r`+ zs<#HQ(&79P%y;CYFF1SuqVlcSfDaI#P9Q#Kz@}ai%J5-3qqK!9Zh#9D7`1O;Ugr|Ofu`EgM-Yr=f`P0c|4 z8tL3JCg=;LS!mvvxMq@5T=taqRZeAMOcnn9Bq12%`DYz<7j^lX{$68bYycuZxRS@j z1D6}R*1*J+NWN**2^`?Y>S_iR7Bz1E*_>4VVD-HyheR)Q%A}e8AqeX?o(w_-t3ie@ z@dLIjqtH!v`~?7B`-^G;E3)4)+q= z`q7gmsFA&$X-go_EKTSjyEN6(JB4FIOQCydojSpOGE9d;=TS3<44woY+{RFDk#ZPB z_7`%%hkxaO7|L(1=DEb>+EVtw7`%oOZksbRSE6J8Q~gSDxo|N;kvtE`_l2%{33n}3 zacg?>%j6F)7X#98&{mn)*|f!rLK|kq7%&Ujb<`QQv2%T1@;K3Cc~KgO zo0s9)QjSVa&%L1K!Fp1LMWgX13q`HKK~~!os!Qrh=Xoxjb%;mUz%v%LZej{$Cv~+! z*!SL>r^PE7HO1O>)3~-W^~&Bxhb!B=bWv~N&2Y~&B8TJR=&VEKclM-7{k}qx2a3fI zGZ%sAE-lfi5-98=<_sxm^DReHjWX%VH8zEAe+={qZIwgkO0Nl-&u+)u@0`u94t@nb z^Oi7BSaKtHpGYE<)=cRl$=d|%H`W`ESMyOwG<`%a=_0D^xv^iqSVFO7lLcfv&C&!; z9#6wIsBV(+k>t|NXlJ*p50&Bln+bGdlX*Np(`?^wJcE#;lQw|PUQGbRk6Ws^rh3sV zK-9q4>a~1Mz4JWA+%ek`IPfS_*|DX>$whULc%hb8vZWW?*sJ3rsHfNkLon?G(kx1u z->IONi8|#J;Ig9jxj~cG1cGf8wy{h-i;YdT@C2Z;HN~d(n)-h`w;|s(wwP{8*`ppJ zg!8+tWVmk5ci6QHPU-r=cjCa49?=J5s=tx+&l zT{tx>emOU3ZHQ(_#O2ZTfXJZ^61V zIEr+p?b>-w(@?ameeWlPqEk7b*LXC|1AaQB`I)b|s8*K6S3yZ?_L2Dm$a?pm1pwiL7uXx91%BimMJWGNO%fYAx( za59W@v^aM%b>Zs>i_Q&iV~}cC$|yy`GwI+t`9L!0A?a*fgH0ywpvXgynI_vslel+{;KyF0i z6=(KECgMz*%Wj8Pb9YTb)5PXZiR0?Ys&e)^0xsCc9hJp}kPC-7_1?g?Ntk9a)?=<= zS6Kx0-5U0KHovGkB(+OmJdCYEXxOG@XEVon)8}7l*xBeCW(H=fQG|%;bM*X?w^pD3 z)4F-r*E4ddju^aCs2MZ4>biCr*isDNJG%0NFxCslm0=J-)g2-2@l)DD#&6nt&8w?? z`U+_8yAYvx9Np?Q$*3$0wy!gq1&#%10DLrrw(1}J_<6WG#(&n+t}5b3Bfa;~ys-jPs%+AngU zhs*J-?l)P|?l_;TfY-`VHXO&Vl{Oaa3ovS(Uo@iOhiTaod!?J?Qn=mypkKMd)UEnp zw<=Y&oDZgb*@*A(i~rR3KXJ}gJ^7XAtH!BHN#C)b>*W$B1)*L8Vy{%8z5oi*aWAIs z^SDl{i;FqCf+(Z|G2@_`u&C|;Tho9q3y&6Sif`jnxV+021r{8)mLp0P)@72mVodH! zm)>CyPhR&BcvF?UxvoEaG7!XBekv%&Uq|RJSj8e$<|Uh;0$n|3fs$wK1_J=HM;~X6iy8Er0Yv(rLz@7)Y z=_5=ah^(mXu1dCR?fVg32{6!9?)CcbA_Oc-X-2i0i{s|baLu$9^am6h&a5(_wK+JT z`&Y~xf~$gdhOk)oU`Aa9^<(_vjDH_blcCD)FeuSGZuhw{IbW}H4bIHn{5Asnyi(hZ z#bQ7cF6_*=SC0=zw)6L6VAO4|nL{9nw5Ff2>Tw;xkq$lSV=^Mzsq>{#5oQb3T<)J_ zFdNsc7i%D~FLU;~FeyFM`CTPiU@p;Q`t31>AH{bA_y>b8fIf&a(5Ch8 z;HA}ZHN$OnizQXskj?ny8>%XcF{`dI#m%bB4yH~Xvp{V8wG z59^gI0{bBds_Z@6TYq1f924{91OEoqf0e$rpEjcR|B5{<9Qqgb5FD11$u8&@)G>*3 zo+}<-C|E^ry>AX2{jSCCimSO)Wi)=x4#qI%c5YM{GSm}W>QIlv0o;S_oLS^QxQ94h z){aGeI>+~^BVO{PB~E+sT#MSalds&4f`ZH`cLA-R@?nvts-W67qpachW?pa4oFZVpRF9XAa;3M)@l1K_ zBqSPM%|+3(rczdG=i(~x=PGN1_q|b9O5ww88Ki?&Hn0N873({)2S)-QtkS*aaZ)f7 zN?Xpfyv|?5tgzSY$fJwuBr#A=tN1XmYeLs8_i zn*Rq>@^zYVwZA+5jfX`m>zfGH^Fj%%A}g)S_jBp{H-KKA%LgJd-5 z>VLQrKy!CahmCOzFdXg${Xw*qV)4UCZwapg2wYJw{@f^^>mHz||0h?H6aOEs#QD0j z*+x7naSi1YC_(5BX6V%cbAWm<3ZN zHLTV*Fjjb)#HDHLvW=4}Wwt5Rv%iNkHG8JzDd`pChcuH!o65Y$tk4e0N~`rX%690T z#1Yq81BLAm{-?0dhLhoC*O~JdvH62LD=WJ}3$=gsLJn%s&4e?_e6sczI{T$(H=_EF zurr<++SA{*`)nDQV(JVj-R}4znKz?b3*$AC9bpHkghZH>2D>oxjsyAE^UCv zX(+E&%r#7#YAg8Srr#zSrWzQSdA54}v`h9yO`zAmMFY2~Qk`s1Mj&22IJZZcxbjUb zO>XLW^R3{$XHpdl-XoXCUC?$l3y3`q##0*JdOB~>xU8tMhqd#yp5bLfGg|y+C2Fs6 z&VS*jSmMPbBcN(ZJ%^sDAKlMTI@9xN{klO3TO`K>^EPe5K~;ZxUydl%Iobml{8n`P zxjPu+ETG++F}bQ}Gw*KqhRThF2ByNi6hS|&%SpRskt3LDJ4PKYy%x;eRsFrlV*TZ! zFL6tvHV;5%GNvnS#|V3Ct-rv3-fTNi`l-9$-t%V`FUypahH5B(YKn>l+aLyx_)b!U z%5zI2EiQz?uT!X%8f$r2amv2pVBxc-cd-GZq(!H#%o-KUkmkB$??aWnGGj}yR5@~t zPA%7nlv7pg)lgY|CE?AF6;g9hmddhRVSY1Y!clco@mAMcSa23G&4sxdyM2?pH(xXx zr$-HH2)W3%rqmQD-X2}w`C56213vUjBk1xdr&{Vr<*mQ?p*Rj3zELh5E|+~DA1T^K zAN^ykS+JXEoH9;tsYDHXKHeBZ|u$FE#O$hFILz3$>b=GTLvwC$UjkG>ZculuQJNK%7 z+FAIja9HyLFHk2Pw01Ys7gd~u>Y)voeAkA>5{uy5DVjS0d&3BL4WjhXrH{R>bsqdj#?+5JVl-@uo zP(L6OFMTZ?(OE>odg=(Tua&G!8ANOt_nK7&Ju98WZlP-YdXrn9JAFR6TIgOn!F-{U z#428&H{sD7v#R$s{t`IH%xAw2UBj~+Z0-7#F$&*Jp59yaulicC&+=)1#0nU7HaJk< zF$2rp(6rxw75hZpMDm^ zug?BVo`2&6x%g+w?q0q%Y_{kpUrO<-Un9J}xY>qT4y)fj8JphnuDRZK>_M=25TM&t z@Q`Iu!KXOFx0I1@$BdkKO_R|qVUxSnn4-6`EQ*x-{I;-OTfw#R$7GZ&Fz)?{IaY|h z85ew@N|m=D=%&$o=$DjJUC$a>g;ab?5ZjrelJmeG?6Mw*84=077!_(M3wBd4C+2~= zHS?l|$r0v(zym8@`DmvSOT+D!k|SWE$g0)Gt)9&Yx@=QoPVwmOd_i@2IxT1|R?6+F zj)h-}uzM~)_MB@;a8J6iJ+5Ya!@m}Dt5$~1c+lu%E&rHhx0TP1iET>?c)UkcT?W;QTt5)L7pvw-j}CwfcDkW z{zA_>UQMZK`$X22XG*a+9|zDgA;0aFlqfwwZoV|V@XZQlTfT!jBluD%xEJ5{IC)<@ zh?B_gEC9t(5hjlm|I$}KQnHWMYMqrjo5Q2_PwP5uvpHgAdA0%f4-1F{v>4Byhj{ zE&|Xt>r28nfgu6{Ik<4)?{|TOZ;FMe$<2Dcq$dLVbEBfJ+B?*|+=!0-8@B7s5e&SUw}o>pg|WKf>RqnUUgl@+ zr?PGC3AZ5^VyEy*S)$d&)-j7eOCNSch8^9yx-fG~pbY()h4PVvl==1wayc@2#NKVY zr2Nne-YuM+POe~@$|%>7xf(fPf*(8E|{-ui)k~s=&kgTqlZs)j+l~BzN zT0gP|9ZJ8(^7o&d6CrgMZ>j;we5#*@AUrimNVFvdDZHDo;{L7egJnk>x_$*mAM_7H zpfy{nA$^sGD>^pSmVcTC3qXMJ0f1%f?tYTbU9_&YED&!9#JTUJAAu34K@QqM#X2!N z_P88Ow_$e{&uPS~03$ER{gFLr<_CY$MKo`Db5vQ7{7OeZPBUV1Vl_V^&%gVTax)8p zT@_{?AI=YU4JO13lmOKm3T+xPG;=yWLZ5OT~F-)Ht5iQw!kgxQM-YaKe$`qn0)+iMLSX4S>KVeh&q2bS*r)WO0^SZNui% zmZoEB+7z2XlxbbmZ!}87KJ>bcvq&nvr`sIu|4fIv~rNRp=s~d3>J`88%+z0ZUVQ3@UOFZwpxER zi<{u703zN%OoCrX!y8F)(!)9JeYUwb98Ku4+YTD(4kY_l&i1}!frSc(lfljd+=Tk7 zvk4#Z8gXqV`AZ-X_yIstPyfDy;;s<#3fgiTwMssDHll3-9Uo zA2gJK@%vv|aTSrkMBWkrPL0y$2WtZG&0KUJG)#x6qpamYxnkWs9k82NP>?GpR<~s8 zv}G-t413abAoc(nUKgkMK(k%LZ4GS^RWk2m{Z~s3&FksN5Z>^*XLhijq2T?3a~VcH zKK+#+m1B5pDScfQcfsCF6O^nrsQ0@?Kj<-hKe5UIkeJ)gO_~DZQL>~2gfobfR6-U7 zP~Ywj4ndCJ)5`IM1>CUmnj^NRmi&RZ(f1J1sRUr1^ZI){n`!c##DN%(;hy;WuU!Se zZE!Q;FHl+NLpSk?Tftn9;u2SdV~Kc!#bx^2=YM?U=){QGllP?H)VaCa5oHcqF|bE% zS-BW39{|lxMWh6H*97{^3tON7qY>a969~1q78I+l+2~Li=NH6BopBa)m?K*sJWWD) zC=T8L_m=Vg4ml&?G+e>>AbNBcPW%nsFvJB>EPtpm3AnMhH_r<4nKoeEO6g|@dA!fB2FgM-jmOg!UO z1XO5&ZK*U?7GUd?p3DXG9-M{7wFJg5pM^f1 zgC2AhOWvbYX~*cmI6mJAnO)`WbNzR7`}Cf1oRRXQBa8-h4%p2j)@}AhvChD+MY+nS zt`a8CIJ14q+nBpSW+_+%5RP(WNG_AIZspeXnWE%(oBFt;c?a=Pn(jAiwXps%dQjnGN#~?7_E3 zO#$;La!0qZGUCO?#c(iSQG}zuORjRT(E!>s^r72j#_dXyh3)O$AJy}S;3!w(?oYt8 z+Hdx3ku5Dn%0Wnvc^XHcVm}0bjbX+<5&qj9tba*-7cLwqc*%pGO>yxPj}M$=EDxMy z?rj5R)nigCY9HGlfLtjzCM{iyItY&hYy@Brit??6h@Ta4%Ny#?%|zs&I9$z06hP9s zE7#?9Aonj5D{HhH-1tA?1(1mP2?SpQxr12u%*G;!tF8+lyQ#x|>+BsNmOeA@=i%S7 zi+3`$TG;bIC~gKC~z}C$or!l zM!X>iKNPPH*pG=0>8{rtr@vY@D)(y^%546h9hHBv%>q)(wYC(<63@rne8FvwE7B># z)PDDQvFD_RBJ50A3;w{}Mwgd`1=@YrNPI>$WK-4UG!|6~y+&bZP|B|9{bF8$cuyn! zv^zVrc%5Lev|+ow_%*xR%y!w zxCbnf{yPoO3l0Gns7K)5!#udz;z1xS;rVm(@2hG5`AXiuoE`uxlm?8@;*{c&?#J?O z6)}1QK14_f@E8&orpQQU4T3;HKh>Wg5FeZ1UCS%pB0P%TPf%vmk9yCa4fKvxree2F z+s?(;rN>@8?%CUQUd*=`0Fsd6I3$l{@BJ9ax-gDT5-f`~dL%vj<X6H8>zvyGDUOwDa#O&Tkxr#mXOrU}2^T(^ zvG-7VM0jPRAHk=FxHm)_ozlf`Y{t%7vB zio3K_4dBge9Y_jzw1WtTbBnwWZtYYSE%e#eRUmKZj(I+}F7O^KOOgFBOyDdZJN3OS zVC?K+wfTXj$*kNY@?=`XM5A?F5IsP);WF6P_vdim^m|-R2^itLtd|z@rk%d53>ei_ zsz7$PKA6_V5deDvM9Kfm=Hb9BP+|^H#D^;ehzgM|f6m zWR;ZSQNd7Nmq;l6eV3g8dAqp{iM+J8T#-Bo&y#IaM$E6J6zTL-=Rg_XwNO0X*G5;W zzS-*}Ns)J3&$YyvJi4`fRHjcokkdQxio{(u@!2C*ZQ-g4e^4w&C-!!$jkQ6`#_?uF zue5GZ=G7Kg#=fhW2N~HqtQq&$EPlr9cl|Co6{0ivfb5R?^(-=m>j3c||0u)^SEK{8OLalCX3_Y*NMQWZjf%x6nU6>dQQWC} z!S>{$j@~lFNq*R$xc1y)1ZtygCiD$UrV0^<0Q;9+QYlI4euV-XEOmwU2q4*%?lj7b zW#!5SwwSo8CM&}1A#v+E@45;-j5yX_bz@(F^CEJE0)uurBu;Fdd}nkp2A!;t^|rD7 zjZ5%b4Eu(f5l04XyIEsUfFs)b!;Z>Adpo@(rFaZTsr=+Ew}=rOPT9tySdSI0^ah$ zmhCz&QsLMGSa=z$Ax$*x-WtEwNz>B#*dnR1>3RZ*i34kh~EY1-E zShI2dN(KFo8&L9qPE(Fk0o>{2aD>Uq(mO{4fslB;|JpqrF6Z62C54LK?^U}_%K#zf z4j4Uz@zURLj?5eMjY-)B8=6i_{cvw2gRjYY;fcd-+|4QLG8l2_ofxoQOUi%PC70nH^2!pW#XK0CP$fOJ!kXx#lZh~B`@@!-J0rrxw>k0Rjr2zPOw%NMPUqO z$H5)AvMtcBlsyxHgo}DxsYh^XvWLmz=4+eSZMJRgXMidTaQHzQ^E)36ZZTWfnn;h5 zX-=Q|$_p!e=+Ck}Zzm*=MmD%5A?r0R zEvIcE;q5!Z+kBa8Jp9W;gYIGS{O%G7(A^{x)!oeXa*Q95IOn1+C`kcH-fZt*W-QWb;O+TksCLdxIBB9dpmn6aykEcZkD{Vs*G zLW~*si4}4?iz(~ThH~ZKf@h4bjh^wYk)n|u$t6*Cu^i3xrJ)hK-Znfae7{PP6r*F> zR8>W6Hs2xLG!DEGLD=72lVAmA4Xc<%9Ts+~~oN9m0C{h~v}4g0%CmxFHKUANx=sLw!GNh#ROWHn&6`qrYVPq> zk>wa#$3xg&k)=MGUbG?FCcpPRqFdwMGO_vpca8tl{IXQ>{>5~Q#gOkn>2zxTiLKfE zkW|l=MP%>;NV{px^}!r*OSk=IRHqvVJYx-n!iK#yyG8RI@rU9YVP4;JDH(Ip$>y{{ zbX$?hzq|mvz9+L^>$P-_t=M9B&uA9<`(pHexGQ}b<^H!MUF-iQNf*|(#I@Z@i^p8x zU;5sTM`qWrv>3^{##O7RobWp)NbavvCY>s zHI*tID(&^jJ$Y=Cc`e_ven$$ngn%Pi4jyO>!AbbIYoi_-f&=o^qVET?w$wHE9cPwdK zUfvv&2&z(c9(G8W^dEC%hyL+vc?{=a+ke&lU2@Ywro(9yk6GMXDjgy*SJFb40D-o2 z?z*fzVA+OP0^5|yu?PFO2A_s*4cSSwF}mja5Hhn!8Ni;i+t-{O7%eH{+ChSKoIqcQ zXzQSb#PysL^uN1Qxp{rQN?Z!c;u*6K)AtSBDhHLn39x7l^%iDt7UDVq-Ih(tU%V6P zY4JzKZ^qmbFJuwE-R|mwQa0?QAz=i0Lk-AVixK-P9U(IgaG!~<49q1iB}uxIq5C7> zpDpsVnO?r)US!CJc98MsxC4vJw~j5u0OhO91EHfpU@pgs{=R3sAmIgqWMS}rb6$9d zI_>^Q0toI8#y-Ip`~Wspt|dw9Zxa#!JcLxBnJy|+lLx+SI`Xq#akVg1D66_ZP6m8; z>F2`=)qKFV(B(ccOB)PXdRP(h+U$f>AgQH)LPN``Dv$_>&D)h%qFNUqQJTtzh3>s- zFn)@OB?HU~iTN6#mhMo1)h=2?O3f4^Wgy+H$~v5r;MO?n>|LQK))riB)s>OA(QmuP@&_Rw%Yhlcw5+pn%p-s}Cr{VqK{ z{X$bpM^_KSP2^~5sF)sFhIDf}Vq>4C4itGbF8i6xUVwI{Ve{ ziW)HO#6Z*^R>Gf7I$5%Oe9tKcR+(qXU{`kSNXECb3*!!bJDyp>_>cu|`{;KD8{Qan zKZ0Yp-w1s*CipB!;%8LAr0&x@skSfkTWV7)Vx{jkUI}LWD5>8!*cn?qa>vj<&DTKA zbN0fH!?&L^6M*1*NgT}F{^nPs=E&qb9R5Ps>ICnvev{@qoVd{O)Lp9~7u0tXG@5EK zaXCQqQ)|P^#!DsdsE-n&E1%wz&!5%TW#J#*=$K*Q-+0&ewp~p5%1Xz>#rRj0d{N7* zx#q`)v$ZGM17wt3S|gq?`|@GK&8j5fghFsorlEqQ2x$Ii1fvCR7f~E!Ran0*Rx^`l z_LW5~^zq`-c}KQCGjRfdG@sBICz5_kNk8w0a{=EGJV=oyj;>VcMj9ECmViU<2SSqj{^ zdLKkw&&24e*32}TU0FR3@qN>iFCcj5)Y1T}*>D#7q0?#XjXG!VQd%MzC(bhpZwQ(V z>++WifeJ(|KTEt6uv#bjt zYah=Kt0+>RQkzTh+Z{88`yHYQwz-tcnz?=(5$sWChXy-y#(|KX7dxRzKqKMkM8=^k(ErB9B$MCHo&;k7yr|FOoBsS%Yk<5IUXN zqB^Pd1v>nr+??Ad{1kPERO~j@6db9)xuD0b}fgWz~?02w1Mmtt==rJKl~t|+oaC}P1MyXT(*9ga(B);X0s6Ebjrzc z?o2)h=<`?H=V)4V8O!TG?`Mm>|1%~(fBgHOE&O1*p+8yc=XG3lQ8`Z0G_NG`|wXVH8r!3+b8QB`~GW3u5!IqTGA)TVNILEclc~C zXygXAEc4s7k_Ioy-k-n>=wIYxCO5|nJH2;4f9`|L_Oi4j}u!xAURPb;-Y%G%-DE)8sv$ ze3uw>>UatN@#^gM-3AydRF3r}Tx6Ph^l@4khst z;>P|EQeJPKV5nI7y9ku5=?cV+?8e&CCC=^9!ctE`#@DrP$8~oL3Ipe5lC0h@sw#Br z$(3aFv`7+sI5Y6V2u|lWFF41q+*m*Q&L-#(uixk!1dQsEsYQFDV0R+$zTZ%?gv$l$ z{O!jY=b(ZYR-Ur(SFOcof;=A?n`!ew?vg@78Ciycz)rA2Et_veD%Y1K?u@76j`Tm7 zuabi{jIX%`yuA|{U}zSg5$mS9$H1T3rC=Fe?0arK`31zG!l)I7|1 z^fJ`zo(k_N!5EfecIOYCNa=4c6fQ>|FTF+6D3!MR?Y1C|-0@PIkkAqCbr+JD885-` zwkrF|0sQ$Gh?X`3_Pk7^f1A|GEZ}NGm}zoxVv;&Of`Zd8Y(ii zr&1Dma0$K*F&6!A!$bJ(u!H!Z%q20EdKQy#-`?ZZiS?Knjw_^iwa?&dfy-9vobFd} z@n?0S*ISk6+P#XNPq#n4eF{2pp|lPc08_{75Qux6+j;&I8XfdtW|yY{v- zSF_jzpG7))?yB(Lb^YBZp&$Z%!nM`!vuN$`tKnwtwz>=;4+0PJq(1-6Qv zipsqJ=e9da{ZnL>_Ut}ZXo^dAR!CQl5{hiR%eY{(k^R)bjH9VSkFR=D)2u80BWjtW zocctC53jfDiG+VZkfMnlV%1J4#dC7you3eUv{}Z>xi(JUvzE)B23jE@FD)F|o*c}5+p?8OFOl;LclL?__idzQ>{Y8;>C*n!dM{7+*mP5@~dOj<#}vA1rotmqsI}% z9PPn?x{o2P80q_p_f0~xZ;Zv~2+VvM{H=r4C*%U>JcsGevR3xD5(5=)k+%}L^)yLV z>J}m;gmdxj0zk~za&E^{MDbc|c{b)lEOZ=U9x8!Gb;(=VZk})qQyjpa1qMfcoqCt{lUFV`YeNQ{I0X0JO0-(&=VjGbB!XH; z7v9xw)d@T`{DwH3AyOQ2xwNOVq~0lV_SW*r+b$1|oDDR1IroLD9Zrbn6^_H&z93d+ zivzo;Gm*<5bIs`=DOdEAD#!(Q1Y@%jGUx@jY#vOgIJRjkaqfmS7pb5>IW+t2c;5S@ zaOwT)Q(fmI|Eo0VAg}tXHk^wJfbNQ)B8L<^as@m&5hQ$c>a>8!(bc!xvuCd$1kElG z%3FCL+n?sVR$A>gJMQogU^zU2;N9~3P%bh+Z+`d^`G>ihz#n3N0*m8XHlxv-E!2DW zxjDzKYG{J1ButlWLXpxi5go`xT<-$6?`2C;fk`2 zaPM-VMVqw`yXwj!c$ z_X%NmnuB;3j|d3AT?o46kvSu(_Qy+>i&Na?+pUs*qqbQu*oAdc6=x;$RRZxmQ9WXz z#SAVzON=d8k@474R>k-^uzGfxYsSR7FmNfa6q7HQX#4QXanq_SBeI=(%;l0!Eo@VV#)jNqO2tH{nBf)WPsvtqjRPtR?g)Dt%1WvB&;0y zsrIAWWui-AcXWhMNAby*fh*(Fqy100DkQEf+b*iEf~4IE$wT~PNujxPi>BJ*$VJ_o z|NUcgjw{4oWR^4+v7P~x7c=L-`k&^BR#p}{8pjno8df2EE>%{(2IN-4TGzpj8=23ODZ|Hs-_35G%O*&~iB;+6dU0cC`MuY> zuh>m#5^ku?iI40AzsKgff-R`yI-199CfEr_J7ofvvqBScLLUkah)n2e3z@#eZ+0BM z?G*7o(8+RNU(>Z8!=OF;F;gH&j=yyjyl1ex#7Pqab^JfXs|G~^3 zQR?>|DKJC_)}w%@>C*X@g#407=LF%UR{bY}4B??>i z+B<%SNq(rO=JY)6Y4L5gQ#VBU+Vp zBW%?@%j2c$*b%P4ePoTrx3eoH7M79y=W~=rk-jgLm7hHtbot7ACV=|#=@oJeXXKV; zbZ@a%=0yK;sNR)bXN(xj)>3BcceQgj%s1kTUf6zmP{w=Z6h3 z@$vtipVEJgw;mo?L@p?%oWLGTzr5@9LG4zEeb`$@thV`JRO%De&86cz8ZtSl+MZU| zFSOhuoL{e}O~f6nFskgOHv+>U-kOZM)xpj;k4(iP3&ulCc=mn2F1BeXpTA}6D$y>_mV}?bA~Ip9_02D$ zTF4}5B0fcbDxS%={JECuWO3ZFmg=U2Sf6u1!4o?JsOu|s%NbDJvXk{kcwM38?tt3q zCP7AhJ@bKk9CM)#qkTW?|AN{0?_bQ-|NLSKGa?iwAdcVIJ(F(MMdB{N#o5**!d)&v zm^msVZ)9&)w{Zz3>`iFf%c$6{cli9~Rwm~|gKeVq&VAAGiyAd08^Vi4788RdOe{BU z_Hc4;>ohqJh_Pfz4{gZQZHR!E8TmF!X#SUz9JrKvEM!Y=&Knf_@a8K=2&yoX>z_N3 z4bjW`XIPS6SDydmu~%bocivcwzPT}ZJ++rxeh+azL~7qY+G?v8RJYUl`8>jE-(I6Z zFRC6`CsKY;tvUF(!+eBuNARAoV0_yDe#DIpeI&=RGm+uAucBbaOF;7PP1>VW|Q_Ncgv1|JI{Z3h=Um{$_W2vOic%dl`>Y%Sx7{k1QEC40y7O+Lt9nWX@&ik6roF zcZQzAJ8|Q}odw+kFF{p0EMHk+#FpI)SDXCqVQWx=n9Cmw+cXxFPLw7fhHCYvFI-S_ zwpQMMA&D)9Qn@IP6*AeQDdkRp?f-kz9QV@42!#$tla5f8Cy(X@JC`5sEt+)t<#!qh zhfx^@B5G}YnUv3g#Wj+`F}JKsw1R5#Vt`qqlVtn0qNA5y0_5TWE2tsmC}#SVph|E% zNjUEFeXnwHPBC5CE$-;4ukP+&5@*Fa#dK-f2D@^^);0 z!uPMt$IJ^T?JTjOh&|6(ZO&Wtza{6v3G#ZOdb?Tu%+M4|Fv3sGbe2i=aP9>ex8vc6x^Gj5MM9M+(w5C1mfG2b+RV}#cq12OR!KWQ0?f;X9LZ|g2{pnr#gdUStBRqEx z&}Gbiz9J#w-J(<*Ksa7&@qzNXL@49}w^J1R;*$mTT)~gA^)H|GGRjx80oFze{a^0h zZc&i%tbUJ_9|g5K(8(e6ojj=_XQcP~ca5N{u2F6h8kIZoVG!e)R?~}ZdNA!_6Zc4! z)bU7$YZODVvxa9RU#Q#>6J@#=EaasW!0;SudqHL6s|f4sd=B!p_*(sVkIA+9@1U=x z($yQ^K`Tf3&$sd`ur|mj+%%Kcd$gdoC^o!0)3Eo>-rk{s@6NtPVXv^#n@!^Y<>=u5x{i(gekTc-s zKRf-hlfl+UDOMo6U;j8pV6LU3Bwz18W0{OW*-7*uNN_jjc4R!4^vL67-Tf*Wid|P! z#~Z+q98Vwm@5oBKwEqtn!d@uS1AFWRPGLPy7RILYe`GEoXX2j!&)nh)tM&Qs<}$=I zL4D23J8rVOiA7n{_WPQ%YK|Y~{x$Eqqd5qD2)Or;eyTp? zsNc=}2{MEGOPKlT4n>HNJ#OWRcdbu0_y2eM(sjCMNe8BsW46n?kIjdFb9@|rayKXO z$Sliqh?De%n~-!tWp6unIrP47#F0*ZakyIW^MerO8WGXAbfDQfz@S>)qb)KavU?l8 zp#T+r5w9Qn7;KM!@%zRgOSmC;RMg?wQexdL`tZ5UJ^gJ!$~$X1q%wm2+*=OJ%}xQ6 z1_kEx#?zOXBp4*>FeWQCh-nFT0N*+AnZ(-T#l(gAT&-)pfI2VinwEuHU8=yIK->EkS*=2Z(Ei+Opgs^{=RZ11czKB^sB6YJ=4`-id~W? zHdC-y(+totp6EE9^>-Og?-Vc=K21uv4AeKp;FInk!uY>Di=u}Lo^k{CT{Nfrhb9p1 z;q+`=`lYoUO}GNJ2x*ZiUp||NP|fPp{4pu$Gs8^yoFmg<_AY%A{2u+WX>nI~Mwmrr z#+6nbhJX5&zK>KvZ1Si#b38?vJB@-j`;hQfORC2@tqGz zswzIy>nY4=e>?@`(Yo9y&|Gd_J*-Sv6>KqNJ!mDU&WIpD1O_;zJoBE-x2E+jmswFh zkE9ZJAKpnIab^-jBw7WpK874?Dm1x4l)iSeVX$s6s{8gM1=l}c-}qOw5=3v~zNBnJ zCdaK|t1!WnQ1jN=XEv>+qvZ7`{|s}O@35NES8K3aZ_0>@RO5c~ao2l?pB(QcFtZh% zQZ&b^KIuTO%88R5EiMLiM=yL`~T>VCF)95kOs%iVVi?F97E#|k1ae` zS`gRaZ?Jh|z^Z+_GN;B@`Ev;LLAlC821KLnC#G_x&JrFu_4N8!3=JAJee#KW7Nr*F zgCUN#3H&r~x^(#V*g5V{vB|yhBju#&v3q1eDun%jT6XUPU8P#bA-?#1w9ef+s+MeoxPpjork3XHwu(=<1TV|6us#UufIVPR{yTrg zw^}fpffqAk^N9DZU$w_>4JNGS#+4r9)bn3C<7z*7M+ReLPaHV$$%WERu1wB=>^+c~ zxJY?ou41{eSImnUm<3mnn zMx@X^e@N)U9D$a@r?_UWfI&M#dSy^C_~uSg_nd&$J5C-wU7GVhxsgnl55t^2Ln23K7>|zg!nqVp5i6ZB{<~uI|m&R*i=#PF%p-W_?}dvYM2p{kHL>a_!*dR`dE+sFe=_ zEnn4D>2_zxKkO+RF|Za-UhH+JM>_h^g8~y=rt4x=b|XqiVxgJuWLroTK{Hwa_~J42 zIeAuu{ox6bx9dc{3yh}S89)8eN@!}cZV14c4@$LAFS#S7F-^Bq-DmIG zA?J7n2;GJ%?)6#b>?M7#3vGC=F#5FxIlOJM8|Wzo}t#Y)&z;avcf_ChSmt%jsH% zg1+L538!4lc-R`6~K_XxCLq8gdA;#oxtUI}%qoGDI8jX6ECi<(A}N^CYE zpo2JyT@ z>R|-m#Ho?O!r{)s?b$bYH-g_BrRq&7i(__pJ;DOsT@3!+%{V!Gs8(W6)>mWmY4Z5j z)(4{S6LM3J8zxUx9d(+#lZPqPG%yuqWX$T4qBiAW-NRLOm(qWPo$gXN2Cdp zT0}2yi|JXnntkb?$BHfDyrlHEfj4}{{^zycIQjp-RvOV)YBd1yhVtj<bC( z95l3P^&_W6>QcWSqd-7l@0q`WHuM28{mPNbEZ_aJa@jlpI2dr)f!COM2TT58u4fHV z#*=%V3y=SnIXw`ez`sn`Mz7 zO!)0|1ukxMD1UkVL2q@E64gp$228o+CF5O))}W|LxS1&Sl*f5H|@(6j-^dbLJOQ z>x#AfginHv=_SQ3&6gAq4>gev?*~JM?)W7A3!`?ynj7!2{ZvaFFNXG17lCM++ZtBi zPF_|V6l-MMu-2xd(vieJf|(A~PoBt28Or~`qs5q!YbR)$ds@?83E%95*HS2j=R`J? zB3G`K(UuA=6tq=sQV;FQ!o zIBDiu<~d}_1_^DNwLoZD*?lz|ly3@0tzFecy%rV>_5X=minAUNK^|-^3APYL$6q~Z zjz0Bya&#tOUqD|eLRU)jjWhbqB~T|V?Y=`z&;qmm(_Kh}6doGXAt%MN~2tZ5|GN-Ter$67& z_$sT`i1ngfBpl%TA>n>17=elX+T)CJWBHZ=L~7Q*QC0H1z|XGRodSr~l_{{ri^-Zr zVmO;0#RJu7?(}ni<~j;wl2X}Kb~)Fn^dZ;&zy!ShK(dm@nUkTZT6u4E7S$W5u|vQdJ5{C2SceT$e$+MZXEQ~> z^{!yiKf|!w_~i!2pB*mM32B{fH2Qn>f1cugBP7Lp=2UOoHs|m=E1-L|`kt^AY2LkD z56zSh#VFC@s=R_uAdLzSq`jqjr$6Z!&Gw6-HyJMTEJ>>bf>FJq`Xc-;issjr@DOf5(=zeS|2;QM9Z1O?n)*`Rdk^b@mfWxk+x!%m`dcDqenm8xg zsYXA#y+cRcvL}LLXwkg*t~*k>_Aw7Eg1PoAO2^G0{DT@9BeT`3w-scZ3;oY0ayGZM z(j%g3W%z6t77`zS54Q?w+|#e71{#BMHDZO%Jv$lk3LXyllop5o`Zn}?R^yP32%ws1 z3)tnJ?t(1?1VG?lE8*VEpsGZvRy(@mh`m5UV>z_3Hdp!R7D824_%umqS;r{6l`FNB z^~>HwWkoWYsfkiAY`D%`C>-ki@oAjW`dtO*y&I?#WtaML1?)th3UP)I+KOzX2>Sn} zfowji)byUXmp@d#{-*1oK5>BAzJ+!;HR@J-GUZMsqMI^__2bY3@|kg)&+>#McT1Lo zl<(^E>*2&pu6xGgQ&k2xZHnP0aq*XFes5n3xbB$rhD&AVi@D>}%K9FV?n-4ua37|+ z755YBtP?qQ`Zwz;gUIROGpvWLH|mCCrrrB}b+=4?Y;E0ApU!^}81uD;oqRb>qa~ew zZ_#whyZ`gQALn=-?b+Ec^c(Neoaw9O(&{!?_Q0lq)tn{+Wm1u~lMB|(6pRht513%6 znC3BUbf7--Z-?`5xHm37M}v=8Y#hE(kf#$;_1oWKhgPjeb?jii1J6E?C2fv}*)`fz zreh*U)zkustdJ}<8B?qBsE9^aJljtbLXQee`%aMSoY0jW_r}weW_R8eLCG)Kz7u*O zo=iL2#9MYx5qsu$YJJL1jyv$yMRP+NDdrxKR13cXmHlPT8Jlpy`?Km}*GRy(&AZe* zf*R%s@R|%T04p81qSob`8YkaTAg==wlesYnO5c{(d^KTWSVr<~Dp+t)>+Fnfybv~c zrGIx|rtC@}!5G3gJ42FwNrc)je!|Y0xJa+Uv*afCw-2*AQ{TvsP)bity93@Us9{<6 zNmkG&%{PdJCrx+Vb=OnW^$g&l0!(V<3olnc(PBcY}JtpxoXLZoR^JL zbzTWduh0}(ENJg8yL?tC{y?B;Q%e5A$sMLgU3_XbQJHQjJQ_!(F}+*7p`QJ0-srwT&3t*n&2f z!(Xq|3LHlIz0xadEq+mXXV1W4E#t-7y=;-OM-fX89PWtaR5xZl=(z9dppovnEopA+ z8kzh~voRf-R-i13i1l5TSaMvuGR~AgIhO422befa^k)MMCW`fqzrJ|jWutTdfY%@m zTg1I*BLv`zJ4Zf^{%s3td2%gfcikcQ{Yv`~sJ5bChPbp6{NB9W1!wpB(r6}C)c%OK*VK)+~lZ89JlZ*T>d@G=5k-WmAbez*ma^(X6DETXgPdW zrF5F4aYx{))c#^TH*+3D1iPpS0v$S!)IG52H zo$%!TMk>d{Juik#x(*RGucpp$N<`D1J=QYQAQ_ESBLvAlL&POWA`*TqM0ghKYqwV# z)_#>|>WFse6?s~3_U!@ljS*A5f(LdOHP|(3CGOHzER|f;0spE4+L~6WH5LD^_dEwE zK|aWoX>V9jTjb*A-aSe>Rg}K*AbwsEt~&o?8ONbE<`PNlP88*GrH0pbaAL2bKbt=u zPm7ezgX`3X+5L^8;isa#^kO#)cgx?gax}gfu906MJTEI%Mh$qy;Xv7@tShP~5I3FF zEC{QmDa^RibIZ2Zq7BLzd}~CemEA@xTg>;Cg;)Z%E9O}%AMoX5g6s)jqr%JTEPOUO zs@hXf#DZ~#csTLR?oTQSY0WBgbc~JVF7R%zj>2gc;7cv~Cw9yu@rU{C5H>|m_F~=o z@Oxa@M#}*vJSXjgjV0Gs^-iPP=1;3s<)zmiRF0WVa_92|g#rA6MQlO@y6=Rgig=@Pl@cbi}nJ%f1^{px|5?;)$vYkj$f^;PqBsz2tGkWpAB zcF_vUDv&|l?X7LNEstD0mA7TXrD+e!j^iyf2B7Df)TltyyHXB0Mb=I3W1#sd+Cgb_ zQ+hLXvpv_9UZTDmq<{sZB#X$?x9UufW0nq>q3d2auwk-*X&~%5N#RWB(7sha@WI}6 zr3>(f{DqYM(4(9;*4bt7)CEaA|4whj!UFM(r75+%rzMG0Q+;cT`nn%lErDdVcQ%NLk^cKA?CUd7JC0?@#ZXBnjG8BkFGNam2{ zo@1AAP)|uNZ--Lj_@v7&UL^9>ui}-hU5v$Z|M>J{+=u44S;qDDP#>t@+2_Uosjzny zT}kyK9!%FO9DxkMLmf_WI%8gg?qlTYnd%}{K-gLTI!s;kt{Y6Xd$j>u&Be)j?5@hjt|q)yvaI#DJS{J)U)axDda{@itUhR z4l1j3a0NZONi-bJbFWwv+cQVq{kcSw%8oZkhe-j#NE7n zMo1=`;Zu$`Yl3$V)0x7@UGmS)Cp{_@3^>R5NEW1cBMSUBLaBbDi!r_SoEQURcH+lJ z^liCpZDH&eoINMA$5~{UzgA9Sa^e@xWX_aCqg%jT<%UReO`8CuRTrbJdgjIrbt@G> zeY~;>+%>dw41=!rmHq=mgTvuMY%a&d-pd# z;7o+|Nb@8<{Wqf$$afHZ3_8$w6S|D@!<)6UB!j0n@;VkPHIOng8RBh z8i9Fnq%e?dT>04Ry8*Qnsh_+J3q!+~60ObfU?#auZg|hya&qdjq4Vb?6dxkCUv># z=8&5C^I}PQAjJS$LDALC5z+DPt#RusP12II2^vZ?$hE=tERt3EZ}!pk)vMZCoi(Qi zF4vB8Pp)As{ieUxzbOpPAsIXYT5V*(_Hw$z1aK02KIkozN}sqt-tG>(Pnee^PClnv zFGyYIAf`Jab;q#pf8>wWxSh+jTVI(HWfbuCzv=R4zY=}I+jFy12XydBnaSJSwI%zN z4i*7oYm^QLORZ^Bx7*pfTPXnkp6?nH&Y4?@E)^}gWBdkr-v%Ng!Vz5wy#q?}{Bo<` z4ZTkV#y{7TfZ00=hN?3+^1K)J~?YEQ*yml!hTvlx-xZTo6s06vX| z($fR_7QKXI%m28oujXy)Js_1D9>j$^t!DJA&=lSXa96=vePT2 z8na(h*f4N^ES%6PYh=9oa&P??YaN})!}T=J80%fa!VH6r|L{wm3J@^oD8DxmgO-{X#; zavW!FC5$2t&fBavB-y2)&-SE;-~9d=H@ty!sj$oO!HYOEbrjxObjTL53fk!|!Od?p z_(zYP$XFc4>U8wpS6gk7FItA&oh%o$W*H(uRM&4xY~4_Z$TcfRJ( zVqNO33&gFPr=Vqj2ts02-Toqe_;XiTH7Pvdt++kAyz0E9HadYSg_TvqS z%|nae9UjYeCHT_HX|eHV$0@gQOXVaDLgZ~cR2ENL-ZDkXSX3GxmQJ2`%JMi1T>2{F zDRalPhCi`v>8pns4%2Km;0;<0(Ca0|$>FQJl?W52&z{nhWtBE+P>BakY6-PdCm~l%W{Eq?tvKhCGso0vN>~kUF6W?s z{+Ew6dn5N;`hms-Z6H8u4Rl(#ddN#HuNkn*jqy_^klzpOC!iAaTQfjhV5P&lk{xUB z@mj|_0wNJkrCX;@y1nd32V(7sTXDqnyG=`>ZH4>&?6;e;$0W&t??>62R>J)$oK|<= zUeHqjQ3H18a3To;`hgN=jmJk{0ZN6d=gyjKx9qm+yVT|`o#5-8ST1)!4FfyAGk3S) z&|iFKmj0>JSlNR_8&28=91J7WHcx%3ly)*e-O7pv$5kqye&VGEtkT`IAqNLGQUH^kvvF4}gt&+wRW78yzX+J;{CRLT?w|MQV`^Rj zH0O*0^Ep9af&W=qrU1{3`TK3)kGKnmI#e;+KM>Dv^BQf*S0&i>u73jh%3?0%TzA;6 zyf*I;iMqI>2b3C;GfwSXRvFrEjaZ1WIWKd$;zr=^vqZ620WaCp%K~Q&GF~4H8LXK?* zu7NduAM1w?g6-e}0vi_IOByx+@&2S5cj~z`w1qO%%TV@NvlS0Ff@W5; zAu_&y5>Qf%*4t~6@`acCbN3wR8!b(=t^de&wTSi zn0cdY-qS|YAP`{*IUAytLts-SY^w7GP>em}@BiDH-?Bg|1UAaaG_||6EP)<6li7J} zrqL{w#0B{|?;>@xv1&EnfmoZSCV=jo|0Qn>9sC=3`7*JD~Ie-LYiD)pg`yyJ8 z3o?TQj~4l(53|G&|55S!+^Q!1+-1=h&9D%xCzR5>x|-%9csQtw&4wRmm;PtD+iDq4yV(;v=I_cLHx(&-;+cZnBxgO zJ_y!n$qJN?qXIFQrC|WHu|;3SztYnlmRC*5@+DDJG z|NGUv!Kb%weV%O>_u8u42juKB6<1oZ!~olgG`E|5F)Kr7Druk%&c^ECrsSDym|lhr zgQ~M4yw%uGFW{8MKI0xlz|%90VTV>k1^g%6f|j6<81fi!NY6CsEw6i1RJD)K^k~_F zQQXR0W&;Bb_c#%s?(>(S7YYfO1+@k`LFFxX>~;bSY0n1JgRHY?AoAb<{zp9{0MxE2pOf)kZF(chI&QQlOv5f_M=E9w*NN^V0ysHxBa|LoQ&V1+K0wAYj#hP zOjQ*+EQPt#tg~+AwK?dWG<#@DZJonq`!Mh z-Kih_XkTU~^g!wN7y${VR%H4R$TOd?n1;CQF*XvW1B+>rbcfEA|M)kSYi&kk4X8L& zqgw^U1X^{|aFYknEmqW}0gbG2IxSx43E#25IllB+KPvZc(m>;F`!TZYzy!~uf=X;6 zVxqH!ygU3b&PO)>#GxYSG}~&S`NkUYu}cNIfo~lr)D>}$eRlr|avS(`uJYVsKL`d- zARO*2QK=`kil}vk6+GJ*!8RwJeMgdZq<2wKvT$R^QV^ za@|7RH+G`TyRqg&J#!Sn`MGskMbkFbXT~Z>FNh%qf4WeKeIY+P1Xb`&GY_uTv@Fsq zt*>N+E*M}aD(KtRd5r;ly5%Z;O{E#IY`O3Iyn^m9xAg68F6e2Y32quyH< zE^7LSqxJCZ!H7OPtZ5zIklBb{RxbM;M7Yy^ob|N4>~IKpSXMUv&H4+5%$^tL_-m3% zx(PQY%}h+6TB@YNMeV6T&bi%RrK2Jc0v$-~63wirp{8|$I90W*1fSaKy?iDHZcalOvHPAW>}JqM0fv!|5_Fa{M7P4 zp`qzB58l1`h5sC>G)-moxVKA-0`f{?D0`B{Z}7iq;d@D35Q z58K!gL^bqMgS=02&^xU;?vrD|(S7s{cnbC(#cctbDzzlIzOTtDhTPxU0zPgU+t0zZ zrtQP-cc2~N8w*Y9aKWZiuG1K~$!zfC)&j8~-uK{#`Ov^)PO;~nE@h~6m7Pr&=RFl& zQM_!oGTU(i{Y#WPD8t$1;A(+H#UK1EuB5+hW|$mC>;3X#Y=dJqKyqj1%l-{pBu=^e z_=O1GYd|gz2!7q{oLDi?K!ow)xU4<>#*4S8{gtnAAih`o<=azB&>9-2Frc6hu#0y>kx)1kOQJ_E{Edbj;YA3 zbkW{_Ie$>;aB1_6(^XI60pCI(T>f|8L&|ePa%P<$>93Mcm0R(tY*@A)Olf}axcniu z`*6o@5+7qayBj^QVpR|8<<)qb#h85>mbr#vo}&v^vsYRA2p}HC9s|dJ7vDkXB5tJl zdnjnTkeg2qTaB1$?-v1XR9o6b%O^OW%&Nb+mWdlP(rDv=(+b#md-I=zf{WU%F%@5sjLstfcxl5?RuczgCN{dbl~Cs-O3EAjt{e z*heGZQ`ON8fbCiEL4LyLb}wMhAWu0ODSM%)S$7IRK#}Qpt&;!!QS)K%kFoR+C?rVq z)~GD!`56h&4X)H&BOck68q=xLk1{=EMdbozV&2VK4FTIvug?O!_?G{_)CS9k#m1f6 zt@AJcfxg`z6-p780@UhaBRM*2OOH1)kMkQRhEswEQCzou709WEqm|rqsE`?z2w2Ja6eG( zel8UJ*VEWZ36tpSJk;pcm#b?2;~VUf3$iKU zM6yTheUo?%_)5U6^IC6Tz8MEGHWkSxDI6ly8?O6$6agZuZRVF;cj+x%yzb!46R0^> zO<}Aa1fjQMQ2tbUt!j6MQcJ3&yN4#daNN0N->TQ|u#CN)1E`r{D(V14 zub^LVF|6idbazPb?xYsw#=5!UkdJ5+W9pY zCKh>ZuQRfI{EhHLRl##3ohg!m=w^6fR zjx~#SO2bE^+?$IJoYSk3{nNy(yVH%(-95SCx?lE9Z3mKmm-f}@R}R{!Yjz0s#!3d0 zY!xx2ci^8Nyu;zpQj>Yb(~r@igmM&CVuZ37eexL9z8jXP}%g^lXF6hNm|$Zn8{hOWAWzeRtslugLXHow8I z9v>_41{el`(it0#x5h@F>i!UGD79)n=8M1qXCS|+iEF=bU$wB{fb(ARXhP<*3|rV; zoX3YU(iO=E7|FmLi{k67G_9UM8<&#nJ2m|r8K_Co7@T#a$-)Z1IK*YDjATdG9X1~9 z%Z22~0L{!_emrL+yQzocMwPf9uCzWmhooqrH55$_Mh#)Xkrv+8f-5K zD!-QEsM*YogjLl`3L#fuvsVYmK)79s&y4QJ*Xrcu&{G!77vl=M1s>#eHZvRLxkmW` z#i6nY)b#4s(kjdPT};bM2?zC~cj@@Kz?I1l+yhR>Dv_&n&84a;0R)G1d~0a&zj&|w zoEZ?(0oGCQm9k9)3--vdO%>!-FOdVDkH^sE8wuR zY1^QJXve*xrq-Ue zv4`a=t(e}x=RG`HIb_+bi61$Lz}3a0cLDHRlH`_(-lSvXkA8aR6g<2w)jHy|0U-pe zYR%Fwo_cgCKJZf>04H3>ddCIXAruY{hnm{2nuyt5uk&wuWuj=eUjrQoEPvadQnMD< zytnn0vVhz9e7*lbrKyLYfZo3&-;{mqohumGE*&VhW;QFuwO2}@_+PE8;Z8->?saJa z`MTQ18mqIwB*w>ZQXb6?to`GvVA>4ruj#{{M$1u^wSk8HcHTe-0(=4gvK5wEl(-+f zhDYTkS8aLhMV7k;D{LKGyf1CNz9Zd)OMKg29XF6H!+_A6A{={)Qx3vQAk;lls7#4T zhux;>(efRUxytT)4aEA zT&TQek4t>$YRnD&aY-OIF=D7ALRqJ*&FST`o$A4d5Ua1^0{F9;z>o(a=RZn0u{{g^ zp!k(vo2`WHfvnisYQ4)n{~rI+(8@>*2X+9zY%5M`b3W;?Gkdy64@fFgwh>y8S~xGZ zV+dMXc3&B$H>c)ca0bwc$=~8`IrMc~xZkK3BY@LnCnP!siPNK~a|~R0kt8o{1$v8# z1t7CLkI5k~54V>FMm%?iBdkBRP8S3Vv}YTU}# zoAqN(4`0-9^SuM~FLt+UiI=v^r7q+^H|Nxi0vpSG6a5g=pFU$IQ^)wSA3Mm z10vsS!!#fFFQjO9*hzl0Wu7J+FZI^(BzX5rk+nJD$7bkrHn#YFm0KRIWWQaly&U8lD3Jj4q=Mst9A>sv{4`(C#?-HDv|a#vzw(?;;e!N;)82`Bg`HUZ_kBj&kw zMa%S2;1y@F9f1!z2bGz0!Jfag6tq*2A){cZQYvphhf}`$Q^41=cZG#|!;&I;uv<=_65BzJK4P?LU*p!o4VUKuBWUj8f6 z9&o(fqR`!ZMeXnix?pDj1kgYAap^KMN7Q?ikPY5*)pm8Nw4$N^^uv394dZ7i?0g5% z?H_Xtnb&&KJ%qeH8UscVDmOvHT+_o9BTjv986We_UgWlX^L_j(E`ZSf_r)yRWb5F- zgUHpJi~nS3U!AD+jXKFr$JVK_tDle373=zZJjCfupqBJ<2D4aO=M#%`igx>h*RYX| z%uAALd;m|S)9CeezA-fC7Y{R5(<;%wvlfD-QX@>;y^@Mu=y-2Na_9Lk_M&=Nz{#N` zgOlr*DDn)|`q$VKM+QcX!VbcxCQTi_^oy(i;i#P}e# zT53OQfTZwF3DYw6xLBhN;aXo2!2S5mH#etrv~9OsT-VLThjjK8RH%c?#y`2SNR>$m zg_y}?9d@eS8D%%DMDLBLUw6~(ZMyiUbYDk&5$O-ptl5S|Q(&?N57_le+7YCBwWDm2{7b}Z0ocBu{HNO2LV<^!zz%*eL(Mgs z4$FKz$Eq<)+R-xLjN|N}9CG#50RdSn zr{RE##IhrLhZ~N|lido7y}=z}82{_m$w0k*L5rZSyh_c6rT@U3Mkwp_aLvlyZ(G_j zRO?a1h;izcj*yk*{Qi;C^N?!{PEs%Ym-0#=JMkSu6LxYND4oxQsIUHBwW{TH1(xr^ z850-KRI94nvasJt_DX00DVx0sCzyCp3lVWP(Na%>W`(S4i`jZlfvQH`0n^W&7YZ$I z!2&A>k!P`bK{=-3wQj_`%F8Jwk2=grzr;8rLaTwa)%f{RA5>0tV52rFABVYd4~lYi z7Z!w{50Jhxom8dBO}+WY|H}3}3wZCWAV+{#^gK7m>myw{gB={WzVV2+KY@!qG=?!X z@^e?jf=c8Et>=P6me0F59WT+%<|b{G!cyvj)rxNxo!XW@A~i1~b!Gj8Cn9m0mjRbm z`R~=g-TvFbEK>NqS$2|(H1J)6M^^pKN2#m$Dh-*Sp3E0fD%v2yn4a~!XJ3wx>tmG9 zv8Xz2MlRj-EI98!#4m2kc8M|iky-E=rK+9BVlvr!Y__gXev5?piiL^E=Bs4;W<@M3 z=_m<-YrJ>W|15RfW)(tk1~~yzO5)6oF}=t2KiS<%&T}(z>zf0nC|_AFofG8d;pXF> z&DrS~9B~p^bkOqOO_J!om}<%W$Jf*n?jmLTmws84zBY%S+S*$_3D03#4~KI-_S2Zp17R3v<>_qz*0S%x2wnc}SSAfKVKMevNQ#Y!lbto9f zTs5F}SotjXpXegr*@tDfj{1JdY;5Q~M%Gz>zQn_cLk`{E>-BIl{vOa_mB}C=^T4)S z#V>eGlU1_d;Vm2EyQc{;K9@gku%_muJQ|6Fb66u0VOBScQb~!aC(RMkT(k{Et5E|P z$g^_Zb{1DlOlND&GO=Z=XCBwjCnIeZYmFY(lO-E>NqvbJr#py7Thz-^yPJcPlYHE} zwKCF@qi?=eo$LLW9rl*!}**+LxuwMe#~%>o|ff@)#89B`w3>_c~fPQ(vF*8a+yB5ouT)$ z-2o{gth+}6>up{$4x)&~XQmtJE3ecZTX6S0jpI$8!7jBe_moz?pa(dAyXPTSS#{w$w46GTIM;F1eU3G9Pq{)+AvWM)(!+}!mAPm;^9>~=&f~9lTvME8#%s0ukZl=*Y5v~V zyD=K$Iub)HpNv9*kGT^r1Imn!0ztsJ+9SgvI{Sr72Y`umu8wDEaAF-eu45A1t3-%Z zoijZ7kIH#vxMJhP%==^u%E{3*rgT)yyIK~;P#k02_j;vlDF-16n;v;o!h1YipRYA= zXLsU<6?d;B5e{H-xY8@HxR<_sRo^~{+(Jxb&Us>55yLMhTZT@Or{-FBvH{AD86#!bOarOnE~x4D+uf1$oC)yL zQT8DgJ>6S9oeHcR2w2@5IrqY%O*L@H#q)-4b0gBEW7s*;OModl2AWtg>~}k=*WA1D zwyIi};?HZsg3w)yuPxBm)8Wa`L0e1Nvz6K7?P9`VE*CKGl>qZ1ZE9}{mBSJ*m`2{X zpTl)kL`pA_iO&aR=60 zURs2>vl`6OhS2OFIjA zVd%mif90JHCWnW>>L=iD-n&s|C5oa;QcJz5hc-%plyW`Pj+Z$gV%n5ZT3nqGpnP1F zz>cR>1p#FrfTtq-C$Fr2J^?GxWUj2A_z)amO@%r?`QQHVNVN-P{nTuy2bAR5ovr#f zs{#cvIiThyTfS17L}7e#cNWIKQ+E|yAFo>jw|7IT@P(4MDw|*KOMdD4E!KDbgVo3* zHc2ifwY~DRh@w=;Mv$dfgDxIJ)6wY2Q>`0za1q^)d{El@#pAND)m-(Dg!7-Smal$2 zc`W)?J3(e<$y?Q&mnru7hZ;G zE9FgWL5cd)xd`wq&^eNx?KdyY#T3Uso)%%+-(b9{<|bIfpC1|8^jxLCV54;g zpZsYwzUp@Eo4OZ6b+jHKQ2^(T=yCbfEV$Y;iij=d^|3lhWN45EF+tz`$ zc#&ekDWzD8YmpW!?p{hM#Wg^HK#Nl(I20|#HE8fq+}*9Xdmu=#_x1NX=iK|oz3;p? z?)x)?Fvget?LF7pbImo^a@f-&s{_?u4o+~y@XWw!aEVO#*W`8vko93`4 znBLEtlM?x^tESoba8frme0lT&o!a&WyjE_c9ZSDt_BTdv5$KDOhKL>iBlmVPXw(gI zgNQ}_opTqSzUeQh$P55VK1e!t`@Wp>$Xh3?p(z+$e^BV4c%<#f=#A~h;Kvj+Ki<)@ z`IV(Dm}nwx$=lhvHL@e%JP8sHn9)bVoVf|{f6`!X8+(yxiOzX6-X*qCz1VT$WCTpR zO`hFcUnHJx11MY`^(=v={-~Cl3O75+^o!yv^|HRLL>}6T(>$auXZ0KpEEothlns)LV-#7T*QtE83ey3URi{aKq)5^4r zV+JbhvU-*om$@t}LdT;}sg;-)1C?8@sp~vrMVtTtZ+1kPgqx>w5}wWE>uBsBDgS=- zCQ-o@W$Hk^N?A*K)GM{6oOi9DZArDI&a}j{uX>aWgJ4q8=OP0abA=s@0}kdp^h=up z#N|uqgMF*0m#Bp&6N2wMDx1;ijZZ7s*$Zq)6;dxg(0mA=CegJVbK=5x?Y1_bSjuSKdQ?N93A$OdZ*7Q+79k zxRF|}Mpp}gA2V9ga8@m?{O4$JRx0$`pFSxJa-Da&tM1QVpxx@Re?*wKbEsc$xJ@(0 z1}HtpItLXZF*F`v`y!)|%$&n<5+|x}Z=~yA*=Avw6rcLzh*VmhcuJL z>QoogF{fvI^h?2)ugy3NM z{51`V8nF83;9Ao3)R_nrMZKeiY?BjmQaZZ2dJ9BsC<*M=`^D~WMP(=nFiig8=D&U> zm?@2Azt<2*lXMdDrTTI|YVFO$rxenMocGS|({l3i8-o}9#yoW-Wb_Y9itcf)Q%DWh zzwSQz8K7BwW*T9`rO#^cj7DVISmt2V_ewJ(9R_Fqe|RW-3vj=$`?wDqTMqtFoxGd9w@5 z{r1q{I01kI_IMKIo`N3o~Y<^;2LtY^Q1jR)W&maG^RuM;0BKb%m7ujdp=CT9N@TsI_G zlR@CY6%ydzrG)Joo$j2w&z|MSx3q4A1iLjD0m`j3cg)nsRn3Wa#noGh3yCDkoDDnO zC5mU3R^y7cR;))NY+*0?4;QmJOj17;!>Zs`c=R-3E_X$DS%w8Fyn#~jjPY`^_QQR`LuHNrxw^s>?}KL>HgDYW(oiLVLn z#kw)8G?o>P$D##sXTf%zQl0W113y!AfOK_ADanb>Xvh#vm!+mfMhG93XQNjduk=x! zz5pwTt{+{7>GnHJl*$r26_r2CM&yu;A0nbq(dJb2OR;*aa(>l7%G!gumb@xr`-7NR zIE9{i6Bku#;z28h4<}l|@yQgOVfyeIH#f3o(L6ef4ZYr1_^Z@1Qc#;-)IT9J*NS`h z2$FhQrwfxyUGATJ)4EJWbv(8n{2NSDvrp>39w$OhG6C7xqihiz=%*0DFJ)(Edwz4W zz42kBcmKWv?FXgQi{MVRN+Gpu`oHiqv7o#cX3>#)>e(w*{lFz9uub119wPg2to%>u z*64F9%kUEA1l`<|zd$r`8zo{#3d`d@S~Xy?IAmY1=3mnZfzBQ6Xn%cOId>@9@(^sD z^^HJ^f{l5p6h(o_nI|Wb)h*l#D7o4&JN1m(aat?r+PV-YbOv9Y_MJ8|;UjsTO&y8D z?-`$6IKL;!D=HRZms6hKJbL5mMWq#}-v=X;OfLz!zzoG}0%fD;R0TIiC0>bYw5YM4Gbq1~yak_rn5zT+F@ z#vO>wL0C_JM}$E@7J$m-k)nK{C1$oPCb zg$uW*AieX~?o(TX(;a?%W87pT55)*vkJEhtbG7Qhag+&MP5J z%Q+w1nTzbWVR?G!bcHX*j)aP26I?zG5%GeIU9j}X;Ykm1%Z@mtT4Ktob9_qVE0Ol9}TVZ2LVa)!yK&3*^Py&s7?fh4)(I{o4xE+mX*DS`|FRP^uBzth?Xb zR+II)ALx!0ifMxg;Xu`qr1NPT5+4v0KLd7d3giUx)!DVzf#seW4Vt!7Vr|2vxr^@l zG9+LxZ6!D&K#-V&MP%Iy zKT#+sB(KxG{+zXj@2(w2xAzM40-|I#Q+!r~6by2^X;=!izf`zVVcc^P+zdzs9nDg9 zpHtHAinPiX8q`Jfg}hm*1SsOw?+mm+`FaVKo*Y5|e#RCb6#qxk^B2WCAHHxq*aEeZ zSVwx`dKVB)E4~0y(Omuhz#*XGR}ISqQbb-*vfGAIn`X3=k_gv=+Pl`}eYS(z({VP- zu^~ZK4nlZV>Jj9+{l$9q#GUHf{#pg@Cqo_&*C`oO0G=1`dVIaQd`pYFNqeSTJ29xE z8qnLglQkcylpZLBLw=0b)i{`XEAo972aHiM)f2v06LJ*)1lT}KkAtv%PGvM8C1Wxv zwt6UcM8i99o{$6ohqT819g51eor9jHpow-K1E$# z4#-XgPowKU=BYtp;QvbZPG&(no=$W{^}qZ>3e3X(gB0k2?7c@jqzd9#W6c6=f>75t zJAlvT?$Fz@+BP-DzL#(0l{BfNvs?6p5XNpj8cGBNjbi*u+*PkhVQADC1rReY5Xc3 zjVmtn)3)RlNj9TfiVd-&pid2oKGbTUIM%K5BxpZxwHhhz1B{B!#($OXd(9N3#^_ON zL)rQNbmJWA=mD^*Jb=LZyS3dq*fCVIx@ZwgC5&*4ZaGums|F(jwdv zLk`W6WUR1g^+MIj%;eS=`?)_f5983aT4FEO?{1EdrH8?0v~p_fr!Q_jg=gR!Xc&A> z0TNQInMA(Sr~0xObQR_v${;>NNeM}*cl5PDgRGJKK(l2351qSioE>@M-f*Hd2y#VD zg<&269`>I%g}j2b>!V0GvD`|D9&s{IC=83-T7jra-5jg!6(?~N4H=4sm(+Vpf#6me z@{z!eemOp-UME!h$?`-q23r$ExDRxWJqDjMsU0dzFYTF8*NL^4ptUdQj<#>7-7h>V zY2|y7#i-CIKc<{<;WGGz%Y{ak&LfsSs#AHqw7_VZjMsq0o%^c2hgW+@1l>6&B@S=c z_*ldKv;danb(sH<{+0xJNH9Et@4WKGIw4z|Y&W!qK^)yi>;(dexj9{xD8l@l)__hC zJm`nmvf4}{>H3OwQ!RQL(_x2#(PYUag2QR}Wbj8h$bQ4=-L9X@-326Cvds~(yK#0i zbTK4=0iVZZ@DIE4=5JlP>l#J3aBgP+Z5~9Fp~b$d8qmq`nLaT$%P?g*C$ zkI!BfPFEQu;mJW6>-rFr%%kvu2j04V_>?C4!rtspyen3abf~wN3I_n#?f?k-xA0=Z zQqiEXP=oG#v%|zc_S<#7v`D+&=5|$Hu$yP^s9^DtdPjvozwk-LXO1o;I>h8{o z!Xaj6q&Fag2L<+FC~Ya$oUtK^9u^@Gnz=CkIeKk6+u$P+YEyrz@Ld}HVx8rhKyxB7 zJvFWRC>1AyLzn4X#f?WZmpri>p2gb$dD@Vk+<1GqUuxD#KP!Ro7b7*?@+ZjTP}LGMr|aUCa)3!$_p4I+#@R$ry^>RT|12-w^=y895ye$pz}^- z&`Eo`(c50{Z_JfkFCZ4O+o~ls_TJ3n61)Did?x$gcst1+wjjdFykrP%3YHj{UoM@$ z*so^Z$W!M4*uUI;_RW7(+YCDxYIIi)i!QTMb35zGs*2wcm$Z@=*FBzg)tFS3d*=u$r)VQ zs_w4TaK<@_cS**nfkxVOVO=-nuB7%_B)cH*o$v`f4WTDo1o!XNwQ)SrCu}R$-f3>$ zYbFhu;Mi%_($KIbl#qC$63MmijV!;Y>jlOdohCcE#*f{ITzpS)U;F-j{`;%b*8Sd? z5!j28^D+77GJ?K@jg$r(!2X z)%d6rkuIM<$j))0XI*gGMN%+q2n-m8G3Zp<%)c_~CGPyzQ|P*oks9=X4*vs<<1Uop z$U+q4FbKE}4bq?Tr%9Y5?U3+H{hvk9)D-cxB+*{Q@eo+;}JYr6xij&U>!1cpQYY z^lop9*jnsit>Tu8%>n{)0zqy|FPcp0fjH^VOh4ZQ^}+J@CHD9If@Lg^hevYx{IF<2 zr>RaYnF~*e^qz=--a%zh%Q}51C}7cNaRIv6a$B7Od1jJHj0gFg8EndY{oVP1aFZ<* z6h{{xp%oWn^J|QQQjjcrvGvA9$-$FqbA?Tb{JcjHoNPY{nPN6HL6s^$odP#`CZf8c z@y>&mx)~G^B{$|-czn$#Kcy&qaAWC;T}+~VVKgSr0+W7($IsYQb!^h9&^-ZLGRElW zw_*+t4j%5+H;$a+(t|utD&aX&+u68k^WvpZa2Z%B&{^3z+m_KMdOC|3CF+&)f7y}j zH2Fn6ynO0Y0lCl~`Sf|bfhj2bvX#{EqltcHOE;fcw}!{QFYLuS;%2YzhGx9MYF(1y zX2A6QcoDiDf$qPU4qi9V=lon9ABQ;Qv(imE0jO2{dabhX)87=Iu=bIWMOB*!m*1MF zq#Kv0BgPr)KC_}Od3Kx5S0Iv=nqAG^ASmM4qM&$cP7ksB-WYlkDX123g`1yjy z@h7$0ip72Kv#4yt=h1ERb{*iIWkS1)pEsi0&u5Smx0(7fck4WKKkZowcpRik*mAs| z<_}!|`rFvEE6e7lMd@VmV4h?hT_tQ+-@5kQRcw3I>@NSc-XySUYco{`KSQQOmA&4F zaJ2KP`&VQ2pDd~4vs&7|k#;g}oeI$3`Rvr!#v5+>1wI7K0GQ*4w@ivT5A^LixrV=J znEh5v6W*nKvh_&n>P&PYNZsZ}O1XQxPV-Bl9UQl?!;c1k!NNs#FFfX2L=R{^65oaUxglA=`JRCt+WoVXT>>Of)zy&pH$WE7L zIj)`oZK2_ci9B6m)Pl`nvH1y#X<{vWzpWK6_Uar?(r#W@8rBus0K-tq8xGs`5wm4I zlL@8s)4z`T5h!|5S4aCvwAc#%spL)2-^a$IP}}y+w+!YnjJ>EdyNn z)`h-pL(0|V5$E_%$gAyPGjh_d(;U`Aps1A@3oeCLuBXI4(NW&q@?YYsf2%-PLV+sVw}ZC4@K5%Vod)NUCQau+iZtDftLn=uThCF`lx1E11N@${iZ z;5pt=5t@RwIGySC>Ul1i{?fVt~ywcYZ}v7ZCBOnybmf})|jehm_=Q`e<$<{->%EJ5QU89@K{xr-CSKC!Ng~0 z!R72F3(b(e3g`f;F1MSe+9Lv2WR+m%VqtmrN5+7LBZ>HKLdUI%ECVd)+1@r{p*cj) z+%>g^gz3_5aNhgMjM5tEo8r`Fcpsd#>mjlDn6RJwKzOr$yJ$V!gQd*AW1+6MNW(Ia zYIY)AbgeVWY<9fD1@rXotN~wA(R67BuSHpX!>da}xUkoyoBpToW;?O*scg?YT2(s| zfq6Sx1`hW<4r_8ee^c5a%^F+q&T-C_0N}V{XbJ)jpbbHHE7O+i-lS3 znJP6%uN9n8m{U&}bQISW90+KrDn$+w9GME9-g0K@5?PTYUki#kxpJMKq`%Q^HXacg z_G`ERn#x?A?o;x+Xv8{YSMS^Qm|q;h=C2_Ac4S0G!oU@}B_N!7k?}NS&zF3e0>wX( zV-{!JrB}KAdAaebefD7wVh5!NHGW{gH_12c$nx$}R0Yr*Jl_^j%j^cUi|^!KRhNlAzbW&X#UDwv74ZsLfLw3py$-KoM@>#je4SFRXqzL-dR2tjZc--uo zXcps?T^jMXbK_%M>~jMpV#uKSJ(qb$FeUn2)_5t1n6t#_A`ZDPH-rB;)xNX%q*qZ(^N(OLEo|x(SUi z#}QG_wUR?o#R`>&c2w9XdO%ZG&u!!WSXzwOojUj!3N4UtFQ-EH)>FUA&vtB{{4$)N zY&7)^sQ>8H+r*ZETB%7toskRF6tP;;J1L!b8}IoxZq=20cfad+Q+@ZF)5Qhekh1iE zG>%<)5Ay!RRHj*EMF*pe_-A!MQJ^qC65jD*!h#Mdm*x;)HXIP$-(+!-df#}u*!(m4 zyjS#(4+uE$BDWd6>85YpWwtYwh{tx1Rj*?Sf#;d*uy$s)f_rl#RXohp4wr+tm#v zNU3B_skoXMw8iaR)Fiip`PTrCs>%&ld&TVu*wX`gpVN{0#%|;V{wQ{ zdhlto$EQ9tvHN0*17cp66SAzp$(PpPxI9kNqE?CPVOPHk#)OC!9Ca(`&18p6nrC<; z7SrBUh+ku7IK&YJ=pEz-WG=(TQ@7vf740>FP_c&7HTL?(m7hmbiw&Q|@HNvb&hVf% zg`(#e9g?c`-_HzBYL;As#+k)Ig2g?nQ8iyNE67&bSq=?qZ19QVn}1Gt<1wc~89t6FD0r#82co zI~p-Q(Y@?k5&YaM-y^S)f@vx;U)vq8bS`&3C3`5fUftbipQ%hcSAupRb1qW(8I{`| zI$h=VQaa;x78Rwb8oXX7LulA`5oz{^1*~l%PbOly0-B$^waD z3XL}GrZc(nBeYHrq#iSNkgUGPVj|=)B_jilF2=+tr<8@zD48{vbk|th`J(dExLiiP z$c`bcW+6O`)(UUr@80B;2MK-QlrfDBr!m=kxDpL}bmW#);7rzAPGxfMphp67988=# zA=v#4L`}6>^6bz=b1A5$w$-?^=Kk|#Ke_e3!JqwvETNolS$gmP)(YO0OW^svLbw)B z5ckZsM!w4DC`q8|rxTkdrY~iFRPd8Q^I6ezL&|md4wcu8d}G6rLxE6Lty4WN!|Ys* zQC8f5D;XV{zT9V1pOZRICc_TjdmjE_!sDjJ^7zJi2IPmj*l%3tXmD4th26y)h@ZKM zFm>W=K)uZ+ZHdL^+S_kH=ljGuZBZmMzPn6}+nOM2^~BMaKim3T#jbT!P4Xhgn{g3`_W88r6;rM}zrRg{x>8sHo6<;n4%5 zjgfva*Y{%Vk4p?~Zitn;&^mS*o`!{~uH#>vt`L>!9E)%yMJ(k>cL9>UBIBYqt19A6 z6&2*<@aEiRK;V<3r_Hvkv)5SchZ&20Ht5%4k`A8z^0A1O9byc|T{k^sjLzcjvck`! z`MCoOqt*|p4#Km{rJ3(*Rdn0u{ad0H@it4J?;f$*P+#rnyvG`53 zIY);jH1NoD9C_CTn$~z35U|UE=Y82Ed~T}rMYDd;1U>b^B*Y1ouYdIbiiiQZO)q-c zntLc6e>YWtihj@D*YzSB^FpZppkCaP>3(!oI3Z=d?Rd=^NLt9(-2J6cx+i`&i&1f2 zAyzqh4O`I5gIDW|SyCD!3Q(4v3xaoxx7Vl~I6CBWqFHVqE)p!;wX_~S=rF3}aCA(%LOGS=jGC6Zwek++d_c5429B|9Cu$XA}T+(bvNeZ0nPaDOMQw z1Y*L_Q7>Gx=GRqM;QsS395(al3xhds4fi~&u?nYqZ08ncFLrE4GW_Q)ie$R& z`TNcGq=(*EAvQB)NAw6-)1 z0)Eyf3doTS(OHLf4K6>#AI#od3z&F@y%{;aD^-Ysj^3VGg9)>Fm6yF75IM79H7XU_ zc7T@-F}*AYIz-#{Orw0ZD{zH4*7iIwD{d~@DF^zsX7MB<544l#8-*$j;+zOgE!NWu zuYPbKcvl6d$LEsP&!9#4Kup#|XH&zT$G0mxK>=aK-$6NEj}V_KTk(RoYB^x{@~nQh z_R;Wb^&*bOCdwjYW>wdffnwB&E1|xHm$Hs(+30@a@N5SGFE6L2(X?q)Hi!ps)=H?{ zw`eyV->x8-WE>EXx~f>rbmDRuITmF@;-Y&+`~C{KT0U!4C1Q-bkSNmmijD>`j81p9 zhjf(i&G@O4jZ2}59(kZh@Wmp#>$)u}krYU^UzDTx~6XM7v>ve2(ewXwsIv;N31b}a?cav&nM5r9XT#mJ5{uOq>hs>^Eb zFwg_n8EU;2S-I49wAwrW!nv<~EW8sui;M56mZcm1c@vE1GDAw%v%*TEf8rxyh_g>z z{d@f>6k3%1PM@*|&CtkD+n(E%Mk4aGk5KRP=c(!``++|XV5l}l@QeF(a%ztBGP|xOhrfXkfe^733 zUn@%%_y|cl%W-Ce>SEx)BNwaZN^V9i#u5TX|4V6$>Udrhcywv@2|3Q5z(_bvtztR~ zwzsrm4u19y$wINkB|?uzO0vU)gRyn|944{1Srp%^!Iu08#{i~p)uDueHRK12p?_)C zT}kq!6;)EYcS2Z{ss?;=(ZwiDrois>e|iDX)Qy7TnDCoAR6z*)$G-sQ?AjiH8gY12 zj|u!v;`g>j6TOz^Ev8@E<;c`nQFx=(Nyk$96 z!wV>&qh`ygj(0~KmnlBfqLsJG;e&>E`Plkr_>(TW7dT*_DPbIZjB%9N!g<5vG%J3J zb(l(pvb!&Kx{l}AiMt|?Ov38A?Iy-)JXUUlIId5ZVZo&_p&y=-!8Pc~W5 z9ksD1C3U?o73u_YkEtAfeZAV5T2DP?)=fUiB*x5KU+kt-d>eHqZuj2S=KfF_Yc}_s zS1z+OMSJy{k8$&rQ0OBqi4S7~HP5w4<@HYHe@v*X+ev*uPZ)b+#`pzNc~g$UiuQFo z>KXDU-A>0Ck3&c#2_uUn>-xx_ zka-(i+xaj`a|Mo?%sz3@fcmhZ_!=$~HcvYw)rv!=zFd5k*FH&8>y*uoc|*P-e-?VQ z>M|wRF@>nxv%A7FFoc77{SFIHZ&k2&iL`_Z?c+)_MfeAyU6GhdQ15MY<=xk@ zN=)x$g=vTr*;RTRp+@g%B^Z0S){N$lGA=sjk=IM6!ZSs`8`JgM8pRm5|A1G3 z(4GYsW?9*F_i~v>|HBZ(<{HAbaXS`1Ig6H|P^jGQKfB_je08m@KVFoNSh)O2Hfppt z|AX769k7-5%R|gYJ(|38EXew>Nzp=A@py>`x}bNR>=4AoH#6$2wtT|GSJ!1Jwk9aL2RGw0@IEGJ;f) zGUWuGEtW!obH7smXYZ~uBVoDhB&FZ^24x1b9-j=wijM6^q0q!yqRqYntA}R9X{hEq zb1E8G7SDm!hezA^Jji z2y6wJ%@tNq+RJ<_>ZP(^c&*gTMr5GPJ>f}Ojth|ay0!L@o5#$ik$?U7;0ED>$;m4izQfA-8|wzeD#g*?;&bCR`^ZzI zVggqaasI^Scwd~}HyABtRV(E8?07WnyMATo_>{eZeya^TDbrsMAmX{-=dveZ=!|MeFey$kg3*4c+z*KTEokeI)oB7)?$ zk!79cf%S&3Z;?|~*bYh`G+_BWE(BZp9);i?5z0yX$~I9tXzq-pQ?_4pU0Xk z$-Jg3sVI-x6hqLW&)_o3uzFXiJoEU+C=jICY7Hwx}6894$bV=@%Gk?iLjtj2H6 zve<-CLw$@U%dej1zVM?Kq{^tJDNb zxKZMx);liT;ZhyBfBZ)2d-Qky)4TrH#|7hWx7ZeTt4v)fg)xsBKe%tlYL{=0@G z@LZLtoE}7O|D>b|27M^2$A)?0lpAM^)-^=ciGh(@8XtKk(D;SS8Ze!A0Ox6JCEkx zr~At7gop0J_u2*cD~WLaw*jNWZR~1PqSdnBGD6swfQrM>5LtZJ{Uh)*LzjaV3`u)@ zhRAAb5`D1{EB^k&r5^&STY+00@rK7F9UUB!`9}Qo5vk<4p0zFMz8SBY&8*NTB53+w#xR z`qy&*ebWB*@rT|$=Iet7ThW7+0J@c3DcLzO6k16ak+$=I{*yRSX2yRZr^j`$GUVu8AK zcqtU-QlXpi7agmo6T-K<-TH}#=&y&n7N_M3334k8;-3Z@-hE~6 zY2)N@@%z#bvEuhfR?D7k(A&cXanP*zI7%W+s6lPWVXT3gm?2;3eLL0)85%@ubhGvq z$HwkY<%XDe7~bkfwij?NAwNwlWOol|@j%`gX6!-t!bb(2Jg;euS+DpQMGXtYFiF-Z zIry=0Si81NOt>*soRW@`kR^jd@bPW=nMNWl{aZ-_$Zob`OjoqxW+#UWfiuA>+Y8a| z0t{=;|maCpVUWf zVWQG>ZYoQni);;(GWbyE6_<6K1SLn2dtbkCPEgI>GjSAT*i&f zXE7~Jm6F=4vKjT$+3qng4m@gSO_*nFJf0YRBR$`%Vg%{B0%xQ$Lk|g9Ba>H%KHVW- z%7mhr=c|-~Ni0*5fapDCtXoj)0LK5IKvhLSiqd&F|qiS8JVke(Pmj4pdg+*H>v*% z&{DZRFGpVKayN~-rv1G7SCsr8EfV(~+`ecBDq6r`Ys%GWmwb74wEN^2ua7j#S9L}_ z60!3G74`9i^B5LGa2}24YFDuW%0}HVv*2pQj0pTpeX(1Thvs0EYbx`r zd`7x}pEFp4nl_voWlx{R9WnX4QXmb8Eqk;57GDUoML81SpqYv{yM(_s)B*&+OALNP zZ5$?*I3U$4KTUBk?MfaE8pn8ZBR3_JZnVHljjzyHe?BT8Lb(Q#tiK2trq*_(_;Kjm z3=a~&yE=U~{_n8wzigxb^5xubzX}(+s*5aKUD==R&N{CzkOh0IDddnWAZwqT znIUo*=j96VD`iS^4C-!DpnpeQmf_ya(=0E8|Fzl=h*g@6)k>qvI_LrsL~gXe<+Cwm z1GL{_1TD$5%0+Jc^sVg6Y`o*0 zP@e7~IX^DU^G7PJ_oJ*A6kzp0)QyS8T?(4cbS!&AgBfnoPTiVlVxShbgjq)wqX0N$ zRo^X%<=t%HwLgzze> z4)XPE4FndFAUS)m2^97ErPQFWT_*eIHie&57!$~9B*&l0ryO06Hls>#{aP?mqFeFQ z$3Y6>73t0b>PsPc)Er&$(T1C9MtrT6lJQ=V;WWjQc#sVRShe&f9i9pDnCOD%hrv)& z6lc;F_Q{y6XV&&>HkhN3ipe@%%55UC+Ld%lAr#pDfY6zhK~?l@W1&FI8M}uWEPJn3 zD?20kSmW((1{G$7_)}%Q+D~Mzh|qHxJst7d);wb$C@}hTbHDM1W=BafYog%K;<)ds z@X-AKEzZ|Jn@5A_@NLanuRUHkQ7hkJ@&dkpxHD>zqRCLQ)vB3A5wr2*5x(5!hHNIM zsApF2x*z-S$7oEcKZgZT(7WMiIHEglTHz^S+D8Rsx7q_$Do~)}mL`-VVcnTf%VS8B zl9fStLq!W62&Lt$>{QwEk+^+ZIf^1jDgSF`1`8d{8tV&v%lI9f_g{&!w{MvwId687 z9Xw|c9VXl)S??hgssIL{a;#=5)NaLlUVWm390%8b?CnjFGGCJstkcbC_b`Y7? zI$@&2FO2_8SN}%{B>lsdAmI(r)Rj%WOa%-+;ViN(S(wQ17~U{bK2~^)b+in*lE!CkgjtA4w?EMu>pL-% zN`}w^#Ywu*Tq=wFdGn9wfu)X273oUL4BZ)rJP87j);F)6n(h!zJ&w?Pn}RFxg8-2U zYM0C57=u^uyiX!oD`BCoRD2;{Ih41u9f9ojgUCOc$>2h(^W!yzZ)qn^XUFbqh`WUB zM({N{u>o+f@8ad#S(xyiBGa@q>i-Xzzx;(TZPm0(VJ_h$hYNU%1l2NhkT7QlU=nci z66>Orm#?|Bj+h0ug+O;i;4?g!96}=;lL>e^3MdXcHPtH~rZ>MVQ;$YYXJSg9j^_!u zPX?^}gC0Vb^dec5;ykxFNyj9ndg&Ry<5v4vW>U~6ZN&&lQ#(sz-AWTVE~TR@#_Mr$ z5Mk_*3&d!!Ag~`+t7kfs5?GQYXI9)?X%hAcISzDMk~RT?woiDq%EO)qLM9Y^ zvg#>I5?yh_De|cyZ>~o3Fs1BJvg2J%8Ze>O)e6ubGs+^7qZ1DtF;MeC@waUtryY!@ zZXS)*ZEiQ?{fP%$|7E{C`Snm824r@39_z~{C@15o(|{ykFEa@ryl4)xeki-u(S>k! zw%4E;)Fd@F(@6ESj>^Hvv1uBe19MSPCKsLBSD7PTvaV&+H4tU&j~7Vld%tPeWj-35Fg7Dmsjs5 zzd{%DHPG)_s11(A(!1b!l5sd+Ivka6Y{P_~wB+u;$|{vKs0ktKePq`9{b#au1~6T> z@PzPf45x8D+YW8!Bbm*!(83!oHEqe9+tPevIy)nuUq2FlC+6U}N~l%)2;=OD0|ADk za)_a=4$>LQC{4!jBQi5!@Dr8B*IKpK0bim6)UVQuwFX8OB8t^dF%&T?>Plw8%O$}C zq#Q949~D*y4F_vt9cyN(pYizhe#6P8!;ozMpD%F#c4_``_4dQ=eV7``u(Z25eURle zok$u^kj(6PnA|!*6c`LdBdVs9s2?&yo(xm8Fdje0$=AE)TMZ7tX(d z3L#P03>yq(Odgi}HuRyzzYq% z;#~DFZv^hKT9=^mVC@CALVgk1{gGr_#M;Q?7I#VLSTK#*t>}_r!$FY9FyVPw4qt>! zf{Wj(6m&BH+Jq-$NxV21j-eN(pUG={zWwdo5oM;0IjVgOB*s4n30?w0I$%S)km0Wj z{Quxk{f*ne<^d@A+htScX(>e(9RmDqf(|g+ye3h}1xdPtP+3k=!mSv*dF)6yYDton zGmN|Vv?O&2J9nGRFZ@lGHMSpMclOY-OPluPo} zVLlw8ZA@;tUD)W)UVizla!bZP=$AP4SAjLkdBV_+%tPwv$)79OmsbPJ^o ze~Hro&t3hH6_+i&@=`=W@x{~KKYYm_h<3cUWGCfVI2bySyLo`QDV!rP&7#{nyYYN% zI?wRmu{m1zC=!EYgaPEsse6{pc+WBA3@BPWk7QZW1&h_jL}t88ctD0j_*Kb0vw#LA z8(%zZsAeQ%fwI8AWSNqRFS#cwZSbtpSSTMvx#aDC(pnTHCT6x`YK-B~QE?@g33O~j zXGH69X^^QIwm=l#V2xQE-xGicsT87^MNw00v3T?`kRnkna=e=fc&aU`RU!o{o7o*A{>nZc3#*P+APD&j7`SEh%N+oIDiJzSYL}Ba| zoj(x=^dXw6#RH~lS!D^pyTrPe>SkY(0-5#tjd~hC`zh&UwvxtD&aSK!!3I_S5d7!O zw1(ve+GeyI^RUBJouEp2KYytN~L*DU$ys}QcuG_kQv#hvIF&s z@{%{DTiy(J!d9!kZZ}RCd6qqF?cvkyO02ZjW@->4LY^Jpy)e0S9d}&TQJ9DX-fV_~!3C znzpnmj?TB%D1QB8R#0Gx{6FW?Ke%cCV0Ll(bM4lPcJ$4J{Nq-I=6GLV0v@@^nR4qQ zXfY$Fx>}cmb-;>V`H~rtP7;U{PGr{AB7+@bmj&E>x>c|slR%{ji<455%*=i=8oHy_ zc&yQ=&^@87@#otQv{Q^5qmU7<{xU8=vuFH=47KgEeXJM=il^0LKIn79u{% zEnt;Fi5O+wtaJv-^xY4XWn^0cE+5l)thc`O;GGj$1EnwPz@I{rln>rr@f_b9p-supk#F}FZ!&UU#l1K#=iJRP z&el1~W}AM#t2g65SNF@P7%?6k%{&9VrOJ74Kz1{0Ed@+G%_Tl>1t3`UpAox|?%l-&ykBZ@=g~Y(KRadpFUzEgrqC z>RyO3_9_FU5(t<$x$S%?rk7OTlhx|CJIPGOzz{<1h)=WD6X3W#UM>#h7#J|YHSV0i z1>oL!FVe<;DtgR-_oWK@;QOH%s-v*;>Udu^wogV5zYqDQ!{TS>4L)denpKI|S{0Q8 zm8P2sK-rjO4l?HyLH|$$o5%(7)=r~O>wkRy4IeO#g0FyRo}JeFFk%Kp`TuBstvZt3 z<+`kJ`@!LDN*+`z#gH7%)aQ#bHs*yTQ{@VXz8#y5JPu?aD4 z0)P8e#?(eT;}#3wl5xl{i7UKvmNfVFI764G`ljfyLc==eu1B;z(PvhZU#T*jetUmOj@Kj%{1L`ykP69rr0_#El7ycGr#V z&V)AbtBeR>M02 z$k}jJWnAuU=d3K_&zkHv@D}PVUmS1S_0+8EWMy*C-OReJP65J2(}#(I^OujRxo5j; zk0)Cb3rBy_aw@D~6qKs~Z}lqqp>#W_dB}@ex7gzZ6<6#~R}h-s7vX z$Mg16-%naj=QXW-VRRQX;I|Uj_j9Oiy|2#$Q|wQ8?{7+{dMt@~T&?DaPKmrYt@0>7 z8f@U7y4btK9A~)N^w+GFxloT+fPu-J<1-(Vp1YJW*Q1(=Pj;4X$_K=0Oh$4P(V#D` zyQO)%lXZ4Y&rz#@4du+=jQhWm{9J{=5sgm2@A&hUK_ubw28l%FOtMH`05H6C`5JNF{U ze(Xbo+33PUqAZjrnYUEM#2{z+BlnN4v}i28OOu#CH_#1wP(Wu{y_0{p&EczDEncB> z=iL{#C2C(YhAR5mZ)or%rx}IIvK;e$Q4z~L3C{|A{W+WP+&2`k3sSiZ`7#6Xlq7Y) zDtI5L0kOaCR=U_247d$KIl4&gZJAt6d8?T}kbMI){o!~E5d4`b@W!WB>&Bk3is#^b zxXa1Zr>aILD#`La!-+Dni#=PXUK%_c*M+%|Lvv&DPp!qXk#1?V_EHa7!pfU=fN$rzU9-8+)l_*NV>hbF%D zBjhVH+!@yUHsfVuLZ>B<;Ej##%)DBX<3RPK>N;>|i{_5Ede)UwZ9ExEibskKa(C}O z#8AI)85Gfg!kKWW?12%tPmOQ$6ls-iyC==G`O@U`HPXEt4nNOaE-j@wb>v#T|C`i` z)6V)n2Afp`BTA zY`bpv=E;SeH<|exZ@x)4rwh#X5Z_Llxy|`%d=iP`v$}p@0-@e|Wu1pGs0N>fV#^D; z6CiW<2Kyexh+WH(ve^5=>d;W~>)JWj4&L#EAh(L`G|w=-e)RI`a{IK)HsaPD{h3H+ zj)qOb|3%k#hqKwgZ@1M}TP=^O(IQ&&sjanVTUwiHLF(5m?47L zvqmXFVvp2_EfIwG?)UeO??3O6zc?HchtGX|uIs$c!9jbzX42!dMIKicfjVdkTS()d zDc)OF;!e3T##0&tF<$mpXg;!!1rf_KO^d)uv2bg?;6XF~)9K z4w-Y3_NV*9;H>YQs2S20pGb~bJF^!dv90aLX)@IM(vIN)9Ra+hCwWtKR7ElU;4H z0d9g;kgP+WpA9Gk1x!wCwNwq`O@7sl4Lff)&>#S z1QsJ6Uv`NUy>zkQbFhA!s*Qy7p6gEBJZK@jl_|Z;TEX8B+7uDx|j(A&r~# zxOR zDU~y$35sq`_y6=MIvhMD)@gB)za&)bC09Js>5A&V&T-(7x6T)vL)E-wX;=}vu)+_p*=`;?{{H_E_f&W*W3h{^9n;tsuc&kPA$yEaCMR}3)2)XA*` zbg%mX8u?V{F*)^&*LT)$wQBA0J7ey}l?Nrak9xt+4}0_C$OlWYGLanL`DMGVW9D4* z|N6<#LLv%x$^fy6GYC6OPAW{!VDm-+jy`H1)SF%oc&xjI6y!}LhJdcr%_mr3HUa}M}EAweftZx2e_WT$jnO zGjD>?{y6M(A)w~_v23Y9aQlJ_`rWySIF?`EYa;Faznmi%uKh91tD@h%_if|Q@VN{o zt}Ga`_R$uCT}|^44p@w-dTm%cRzv%RR^d#31KO&01v=$bLraW7aj2|+4yV4j(#{In zAsUOVhwyP6py*B)4Sy~L<+5%;f8ocw&?aJ_jqfw(lB{K%J(1zp1S-&gV8A;+AhyaM zA8GF`g!TN___Zd*#fhZExtJ9&u7Eg=9HjJ2aK!ocWV8CC{|Y)_<77=|Nd9tv(z=0Z zATw$6Lv%nWfCD)sXu_>HRGJKiINlB*tMmmukjWeOIl}ZK!+Y3}!$b>(yZdPdB3|62 zp#A4tjcbokr?~TJ8%;rQm~^{Es+W|9O3NBd(T?x3Vtdo#MDAaC%bwlnRpW^5{EnGt zR31ZX;e|z0fQ-v&e;ECyCAJuSX46bmXpfb4d!s%U<3{WJlcdD+G&e#Tz#kX`N{q4@_Pl9lR>dk;xP z9={_jfk(9J(>LYx;Ogb#<}a$hD?}BXs1FVJU_YW-rWZex5qUw%R$%w1A|+OC(;q8F zuiF|OE=lp{x{2Sjvc9Muc3oLbV2CeHTa48&F`){G%TLGEp%m?;bhu1uk7+zu&7Q~Cp-J$m(njg^DtZf zLaq);(3~;}kLv`hz;7oM22Z5hGC$w68x@5@9la`5DQ;o3R^5lc)-QBexY{D9c z*B~b|N9NlUx`9KP12l5({3!3q?nIk1WcE;sPFPLpsFwkH9H^@(N19@`S`kLC@^S>8 z%+O!)7kk9;DIg4&>d~2FzHdl)$2)O*eZrQ?YIRSbqU8Bw3xwG%5lq1f4w+FQ%V*K1 zLCE1fPdo8k4v?vLfBJoIYv3?5;Mx}qg;IYP=`aQxL{dK_i(krTL;+Jl`4hhA_^=i( z5AxeZKtq?sdOnl(vb;K8}`w zdWQjFfn{9EKUa9)&w&&$2js0>^QWMtdb14jjnTvxET}JY0VrYhsNW^3*eJILpjfN! z>q`>91wh-K9gn&g?eE5|fJlpyznOC6cf)Xiz)5eZ!3J{N(un+K9L%tD)Bdx#Sk{y?@N!xoQfQne-CHXM z@V;^Oiul|lPG8C2jRBjbEY%AXbARQSxdCed#Z>J`c`nk;;n~{6rEHEIVGw2?pk`kL)y@e`E4I&=kXC*&{liVM(v) z+Ed6U>(O^V(-M@Z)$-*11DPy5lBC=gJ2SEFl2T_U+Y!8p+LGIA+uFQ3>0i{8iuI?- zRg=z%GSY%cD-d0GVRvCSXHnj$0^eAD7!sNzdS(`Q<_5JYu^i_DG-JB5!vnB;N&_xb zN1-0iz!+ugfW)6(xrz&X97wE{qq%Q)LYE0yx`DY~^Xt5YMYbm_Q*`$H?0ZzE*XhNU zA$t%jC*!tl(WD!sBxzAhReo^WW;EbveO)&(n|QqYZANl$lC8=`cN-=2tn^i$J-fM* z?03DVXFWhH&cNDq;yz!gD>yVOOUl8j>oN($3a|Py%mFalU+<~E!R14B;@`^KpnNlr z#Ed(PbECP}{PcC$V;n&G=$hjm_S!t9A@d##FVIMZA-0fS_H*7_%mCsoyD(x2d}!aq zxvnO6yN~-J`=Qn9%X5zm|4@@ooXrULP!>Z?gA^=2Cwd1n{HopSqA_W@%r?f0w+{y$ z7;i2YQKE=OG-6EP6i%dY`D)+B<9g}a+4YZies}Dx-FR<_UP<3i{z5`xibSY%<>Yfx zc)smQ`Ht|sj@-}CWCxhjZ&%b!Y^c(A(I6akCRr)Us zv+?Q17mEVb123Vj2-p{ww+ z7`I7C(9~-M*}@>Tnc(F!FT7#q;}%F;R(E){E=W_e9ve zEM+5?sPZ9u%5Ne(T-B(2*{CC=*JN4P1T$%QsnZ~kQSocbkEO3UR*L$vsC7PXA8WPw z=h5Vj+f5xvxNoq8@!j6|U6$6H&h6R)9YUFNIAqEYz4MZ}0DfAwr*Cu!NlaGcd)3qW zw9~8yIkVw?qj+i>*s^_a)>|5&%;)L4<1KydwibG_OGX<=FCfd;z3r`B{hoqUnjX-} zuUa0x`lpza9)1DDvCxJ2#_HlG@>!twgR_ME`QnEaTF2#N)tF;h(nv?#>e8_MiMewp z^=Bw{$K0TbX7&B38VbPw0xqZtrfP_m9otgGPsR2EI?KEW@4y z#i*Q(E?2XU>m0>XKlVc4B<$`V)Oegb-7M60>o?HaIJmUzIkm8excz$Q&79+Jfp!;Io{|PFdDTI~sK&`!j!qG5Fibuq+q2IV-OunAXX2a{QPL%Xap0)&J@DxtiWD>* z+s>6kY(v3M#6cgpOu8W{yJ?3Fc-Cyu3m1tyPy`@BU|E)5o_ypJvNvl6fA!{=zM5GKMnY}m1>*fv%b)g13iT$oBmqxp_cdS6?7|o+2H5;i4D&py8?J3qOF(y z>P7BTyNrW*IQU}xPI3eIVL`8b{uF)XAkE~O%?cx2kjG6pl*_FF0@{{zy3N0qN!6s5 zJA69C9xzYa!nUu7F0Hrl`Lr$9*i?B0bcyF5kx|Kw zCUZsj(G`<)q|U8(mh-r!6?QMNdUx&Dk(HS%J_-K7B|y*wLf$IeWHN5oV?RoQ029!mF~eS5syY79>ghloNj>4pPvDZ%|w~jBB;3g zswQ!}cW;`!e9(QY6Dn zH{HJ!UHjYmk z)?=-U8yz)DX*fZ{+783k0pNvguc!^I-_mOcY}f0ye{?EaFK$NvteS>8OJ>wQ; z+HyQNl{}4?|E&pFHUX91BWC&~Ny!ARw{dbTCeJIz_Fo7%;hMO(Zm7?vSeoAh0MV;d zhT2Fi$~!{&GCjP`V<&27fpsA&@G^C=NkLF5_ahLF$5*RiC6l3EU7l|@N2PPj#_s4w zNABlvK3Fp3ns4xfnT3wQ_J>-sndR{VSB9gc(7CfGQ=MsFx?l0Z7OYdvvI{Jk+ zC%R!YLO|C}Eh(FZ=}(E^+Se<<@>|l?v@lMTib^$&HeOY=gXdK3TtF=~wqGEYU1e=D zm+cwLgE;Yvg~uJz)>H04(9olg+7`G7r{i0 zN1l%)XRqtuoqC>ge7ABCS1URR2tjIW`UbDA8B@J>-=@S(cf={#WjHrf5b92J$fkkE zWM(r@`qh#f$i?XlLQMT!46uOt2VYaZiNssI7cvvC_ZXHLfO)5}yUw>EjuxY)HsCGG z`!gCok|$0zSdU@ax)3JQ-ibL^gA8$pY65yr(fc=j*px7eV9fzLO33o+E}rlk)R{Q% zG}vq=sZO?>Y&sNWLu_7}HGV@ls@F)An|$#yj{0r2#%OA zUV*v;?4(YXY?r0~v9*WD3V67s#{_Lly?i)!6}L|BJ^d@-#AdAU?1M|w>6gFy`qzj7 z1!C>Mjp+rEL3q1YKA)LCgyc)bof}25Um@l)Rr|<_L$#b=Zxf3!VfBh80oMC z$ZI7cPHzn2#30yE^zL_H&!_<_&EiS}N0_K3e-@taRs3sRa(8Ku2{YFi&o24ik)b=Tj#)9y$)gdRhzsIF?HqJa$a|Y8 zrRk>qL6^9j$gUxoDmc66!B+&St>>iN3IHbsm&69#hCfGesZW-Q$UB1#O=cR)(MUNu z-e~~Nn?L1nnp4)PrHYdmav@Uct?Gijv8`#ES1kjq6tgbihyMba|7Vq_I9&e5y57o4 zj2R;J?#tXe?Xb4-?aT<`O$99-X&1U@PPv3b}r^5Zfp=WTzQY z>x6A1dJvSWe=2W%Dkp3pjL1&Q0Wj8N=M5L@t>?MTlxdHa7T^m9=GV?ful4d!_m4Mp zJxXaN2ZrTs2FgcpjV=wzx*pu3Cx@vyW!rl8lZupM&6!~bXaM+4`E>b*IS2*0J*Ocw z-QaP4*A^?V+*BGi>7U`W)M0|ZW+lA@M71$WyI}J|w7qR@|76VFLyG_*IgtdPKkCj= zX$CZ=t;m+{>5ZvOk3sM@THz-s5E?y*Zhb~o?P~4xY1QrK1^n^a z7)%02!bM%n5CfN3_)@44Ls!lGah8E(hk%7*>U|bksB2{oI>#S>!f#fueqAm${=@!| z9GXK}J00QaajN;(0L3Zy`I#+Ak&+;E%&}!)uQC0|WICDH$h9HyG#%;4d#Uf4$#7RK zRCgl%S$VAo<_}!4E^KC-#r-@BGsOY;&J@wIEyGn;(*ruOFo{tT1HaZD~z4d7z-w&~#*q3K!@=Aj3Y{3H>uBhW;>vSKvRGxLKn~lBilvRIgCw%{B{Br>8MCb zJMruu=7Dm1JIaLc4!T`QjClZihO}Gaq1>M*a$A#mfbr`VfN}4`5cJz6Vn!*fAw-hbM>4-&#oste8zXC18q4#zQs(I}BhaQ&Kz z29JShI$3XDZ(1fTv_N5QEITTU&>YfCS@-yBL&Aa?&uxg)-8^fHSc+Zmg%j;SEaR!5U-_aQCScRtmkZ{d~- zkf84m9q^5dt9(+#0A@D_?nDL1j_|AzQv)Ne1{FdAn^uww`)U??D-tcX*_~^EbfvCyL z?l}zHcjHXDHKzBuHQ8glK%=|;>vE5Npo?hWJ(^R1AWf-O&una#+!-)Y#xplQd}r$l z?UXHpk41g4h5r~AIl2}dMgE-piQ8=K%&hwcWzsH*mN=6J$2FTjHmfr*VqMufQKYyw zs4hioI@f3iY?)rroA%2f#Ky_J=R0S62c)!l4O=5BWpIZev=~ll|8x}UYVC6iivE^e zORs8)fGeK#UR9FBrPo{X=uKP^?f^R)aYyvD=^4_pN(TS{1|%*X<|AK#f1Kn9Vt(9mqZmWXZRG!J z^h~FJ|33RBNpXw)u}V|bkhTx4;;)>c2*=A-;i8HV&WO~ot z@;$#=8a@BC&|BkiXM&9P!bhG2OIzQI_%}zI*8QGCaEE;VlSdtVS)#H>xq0#~H@_5$ zmZ^_@uL5$XUEBe^tn(KXZ1Qy%eR~{bR8>-@*b>8B3 z5_NcA=n~{rc9H+s8An1w>11W=F`radyJO&f1K%4sEyt-w0om}LfOcg`S7?S)cAQJg zxFlJ$^d%11pdgE~VcjlfrO6K`ECQFBbW*)02I`!~TJ8@K4NRU}Metc<#lWwSOA?dS zBaN!$D3ef%QAjL{;Rstx=8B_o%dr=o_r4#-+%r;_Poy^4=*P_+Ms8V&^6;M2FMlfU z1tZJ~d>dA@(#shlu`k&$Mude(vo6_Ac;h_xoUkFa?a7tvr3wz?iU`wE8fz~((Q8JB zB|{a4FR0+#I7C$9KO)mCHv|@}1AD z3=2OJX(1;{e&M#dzFqAw4$gkNbcS-?ITXv`W;9&Rk8ui0d6me9q0oqIGwb+OTZ=d!iJrB!mHwx zcMFbJ^7NO)HcpRPErK9c2rG092i5!o>k#^NyUbCLA#7m-s$xbqhc5IfR#f?rkv%8A z#erpl5n1U#=%B=1PvcyXJEJm1Inc!xVD_!~ay{nvM1>%R-K66B=#Ygq2jDD|9c6Ny zjS%|dc$)te^@^_a#U3l5o)_{+y(x`&lhNxMt1XAI&e@L~C$^7^wyFrcs^m2EN<8>` zca)UYG#=yxp2?7w4RrC&4ZEwjzaA6t1$blO!8%{{FApp`ALf>M$NA=l5{ ztyspTTESMvj@kW#b!|grXOt_a+4lxS&_}gd-dV`>KfMVYC$)fog;(jPpG_~I8w4Ns ztcmp$?7NeaQcXYGE2 z6?s!$b;sJfUcs;$V?yd2EW(fqe^f2|-YaqW-fORXq>(TQ)Y3>aOs&|E9>PznV42o^ zJ_6#KcFkP8!8cLee+_Q(A0&03|NWZv)d73>!4Gk!>t zSJ&@RvIFsV!x6rtjJx-+6goV};s_0fPwm0zdT zm^&S_BJ;A0phxOfNXRYNw4WI|3itR?j)rf_H<=&5OF~CAfj4ZDb8eVCm)t$M)3}Id zpB$g4Eql`sr4snH+mt8kcDW)FKSaxV+~IYNbmnwu!TkL-2*~n#od}qqXL}Vizqo~k z&(%z4)4Y>`ztT;2{B7b!`QiQIzk$Bd|FANbE**LUS@&h%FDhND_=k=2NO>pRkQUPL z!Zq4dhMMF0nO>9zht6$to>NBtjw5Ne^mz#&SQP?{f!8`>ZWwi&{q9=OYb)lwnR6p2 zdB=69tP{lj$X^HxmIpr{nE&<0LR0epcmaH~c_TJ2zQYn8d^at4SK_6_#|QKD z-E@7vLgr0%9_5*iCU>1TPQ8Z~>fxT5FB@oqt&Fn-e!{EbAY*ZKUwNt+U{yRs{fcRA zg&P#D#>(spqJ;?Y)S&XZ=Lz9PjGT!4=0jo|a>$|)Zxy|E9L&>HFa$Xnnf8zkBfBY*~HKX-tJnHv|Z&#uN|ud>G+iMVj{wQW*>$f zwa_6c>6HjNN%nucDd|2w%K^!gM9%R!ifsEFQ zi|E6p(ScXqU2HQFxe*!on8nCxrXSMT5ilfx00Z$83m2*-WWAnu3e1jTlen^=>ok2% zD?j7><6{PO6*JY#u2(V9#}Sfwru)s_S|UvIw(Z&Kb6%Ak9ShyWT9$RD^h{dIM+O_0 z8L$oO^8&3BYShx_jhRTrs5wJ^7OGt_{}!JDbIpMQ*lc9@kxwxQJO?q4AaoT3<#<=n z3^0Wa%bs0O(s68rX&j@BQwjXeMT=aDN1}lWXuDy8J7AL@i4Aq+oqFM~erkIj@VVY= zj`A4(OWNqc5xB|WO77ifY$RqUU6g6jjb}8S3ZqvuJzy>AVz%AKwXbEp`=L_K=86gq zAN{R>Oba%WXk*TT?f1q+?tLyVyRSiG+1n;VU5)n_#}BYi=B6eRWise)PIk-RK}d$N znL*-G?S7`p4Tljl?o|-#9}FD6l<{CERK%rjWvW87THQQLbr@Say!SUMsw;=bpwB-& zvs1wYswQfa$T?hA7`LG^+n46)Vd2D&l97Q-G`I7y-p2Qb8SvP zMDg(~N+3=+j(Ip|SMZ0!w?LliTSQjje)c&RJkFn;>2S$sNg{>6p&qaYG>*2q%{hzq zD!WFb$oX#TMouoj2!Zm`Lds$le7MmZp|uQE1Z-phGKn?(%UGBVx!>Xm#{-v92M4QA zyw7%vgy5^<+p97O*A_~`?B7HFm3g-5oAs$Ns!?z7<@G(2++b#;w&jo$&lE_$Z(AH_6MJ{17o6^;2V0|6pv zoNmGxV#S&6Gn`*nGOxVZa!3B*DDcy+u4OxaGicfqBy&9SpEh;SExDpPH$KzxIva`2 z(I~PwG{h@~!o&i#&3Z2BFgAr<{ zwcbM7s~0W^#)>vB(|6-9JZl_lh1-HmJ@iJOgs6QoF$ zd@<6tGV-~GIk)_2;ZR-K!Si;>3 z6s{X)UGqu`O;VhnZ?hwL(=f?<0-@s5O}OOcw<2p%(1Yi_f74)J$!~8gps;{h?re-HB(YW_UmA!AfVI?2_?7rSp-!h%VrdB{( z#~$Yp7htTKz5|mhTk5$C#a~n`{r5vitBsrqNGDYC9s|9u$jq97{(^whkWf9;r_HZR z=IU-_6Se|%-$h3xTNBzmNTYHPWn`+iAnp;||8_U2MXgJ+G-+gYcMg^Wk7Vx4uhLNe zH{T)oj^Ue?i;4oR2}1*p<7Uh%@|G`>Zx0$QxWo*R1^4qnZ#|q1`8XHFTDaGxO4B&~ z-&hILyG-uK;rsT>?s=?``IaqVL_MX{;w>8`&95Ubz;B~!G3=8QQGjh^@lZO@$o;ga zPVLh57k;-EkV1S5G;wj^zRp+yp5%kEA+Ja6UROlc8@4>nqEC_^*4^#__CL=*ygtoG zN10$>7qs8IZJg_jrlRc!S5Fz9rDu9vwr$oG|_D%p!x$D_qw zhS|#!Sw2|eX(CW&=;M-DyWJRiBaoxymEo88|CBdoi3fVMh`CTfjIu1RL&aEo_e77T zkD}>Vr9jWXStEZ-STM2#4dD?KYq4B_-)tk zxxkDBT}%zF;rRj;O{F|3Kgc8gsfr=JUx{$IZ~RFEU-wg%Tt&9GQ*iVtFs)o#QRGv5 z1ft>hOyDM^tz`45uOAitRPH(&XTliUG>vn|5P%&naHPdpk8wqJ0^g*r0C0X1w@OnW z)_7sb4z>hGEqm&wFzZDm7ew(8DA9)PLbGj`Q07stS{sSs)VX)|tg4nsNMn`Gyj#=P zZ8JbZ?&wqTV&giEOuD;m16K7&879`BIR)#*`VHy9-CCV_eGV0R9f0K*MR(Nk)wF~_ z1&6Y{jr4zw$0dJ3`@+QVdPg3gb6=OS6L|t%I3Z)P~HahioLqX zZQY~BC2SE=0FNCpY3HYj&tJIwf#s?%`!kNr)Qt#Fm&bB-?n zNnxQr&t`)!VLOtN6>vxt!3OuJa;dHo6~4LD9Xn}z^%WQ`7ixV)Cg=7S?jE|zKBRX6 z_I{^9ary#^dT`ME8qM=&?&2*?G1f_cZEo|1O@3K-2sxF;(6>$)u zc)KSSYNO02zj>Zb;B#In=svjWuJw#_Rt}E-Go}Xb3&D;Q5XL?=OYR^{s_w^(WOvtc zg3MwnHKt3?v0@GT77)ernG|`n>qq}LuhA^-E>ouRL>5}Ur!@6&Z z@I}_&|E0OCU;3~royM+|E9F;VHxSg0eKl>yzE*iB6mXNS65)#0ATJ|3P$?szS z9iPZ|P`AqefMq=XN%K&~x^+S!H(vNNTj^yD7u2Dt-|b4oL5iKu3cz{l{626U2xH7Kz9#NmH3P5$T#s*4misCjCE>>Jo(h_FP6l&t=H~ zOrF2b1Yx5dfb(fhE#CmHz+a^^<6!CX|I{#+PnSy=A5q9#6~!!3=4SM8;5}2klQ-YA zcSeacE74`ja>SIp)iOrC=R%sN9=L z(^5r3A2iqMml7cs|;-IiI9{=w*ch7#?u|4N`)u9c zm7E3BFxF~wy5z^0UrpSdMYWhZ(_7bVo;{>@sHq6|Rqx5$5yFF7UIl*8(DbMLDBof^ zY4pBR6(MeUs(DZrbmAP$i2K!6Wy=2D5d}1SyB9&W%+w1Zh-xTT57M~*KeQ4i%-3a5 z4Q`)Xo&Efa-wzh_^rCvWZ_Msl7;H@jB**KT6C!u~k#LH1-|C~3cq$BR+f*g|tw#gK z3$R$BT0fn9nQ&3mwSVA1c(3Q|MC30gl&PS9g?_4vykVX$Kj-3Z)jEK1xC8#C>r_A$f`^Q*7U*J3Vz&`fuHmE5L#Y%aRt_nciFuJ`Ntz2oDm z?-NJ=JwLAh1E6(UJoGM7JwT|6%+b?Q!{eP0SJR)4cFdt>+|Mipm_ws3lYSI?xF+tn z?W8P6^<0KOJWLeeJrVe-Na=F+}z zj+PfX=oqYSp0SvVda4B(ykJqyZm&U#K2v-Ka)``RmDe)B@!*jkM)|-gH)52ZDcu}< zX+C+~D{&}^@8fcwCd+;09QO-!BcnXg+2Otm7Z;zny^;Cmp5NBV&7O0ywKbl>!+={J zaupz4+k8&!{>UY)527;o8>@2DCdKE=Sii53h3R9wsf=m^P>g_aG1*!tlQ{IWd*crq zA0wYBAHGqJxxTR6S<>n9T0Jdj(WqT+HTbcI()pg|BGYqD%hx|9Lp3^4tL4)xl34c) zNE03*x7zWi^7a)ojkV{j4y;a1ewJatZ>ryjkAu&6&EPnkSK7jXPNQ=vq{@mO-bvH1x{VsQH5ik8Rv=m`EClpc{Y5-) ztK3072_lImE9J6A7TCo6nnVV#CuRIR@zeK(n9#mOTDF{vzr3%h#P{4U+xy7qJ{#mS z_Xk^C4k_K>TS;naeWIIq@CnG?5k4`2BBGXX?+z=pG3FB-R-iv&-@}rk%WZxQ^ab9a z*Imw;HVnOS;fKDVG)!*U zSWJIyLBlT}Sd=50Mj7;~gd==QiW;_?>rFfAh0OH|Gs${%)nuUx9YD!fZPU%ObM~wo5&z`BEI?lt63@3SBeTI$kVkc&xr!vG~YgQGK`zu-_Y_UAqAn_ekvr zE^l8i*fcVBZm=9BMZ&XUGT(G}u&M|=W3r+P_Tr;hXkjZVV+9xbk^=WIM`gxU#3b;+rwBFxFrQv2)d5By2IB7LXf&F-sj`uSw$YBHlZ z7emm@zr+66`GE!gj({K8Ef`#(sjvFk_f1yG`CyvE4=3Q4b7TKgbr9krGf9@14-!kj z|Dmv-*#6t^_ZjxcuM&`Dd%4l+o{Xs_Zm13!(aRo9YGY#kueKfD;80ROC{tFES9|g2 z%@UxL3aA4{tfzt+{QuMYL}3&Ee+4HZoEi4A+e;izGh7oHQ3BYoM(t`o`-@;PX48D) z5rFOGUVkfoIp+WQfwzeM zPQ?P;hk|N`0;t@(FZFFuEwA>+SF@Fv0EHACq0J@yBqtw(w?l!>y)5e|{qNLaf4VTQvT%RCEj2Mn`3hPCA|P$JQ*nncIwofh|uB=^4e0E zb;BEJU#lb6RsfQMv8)9vgYG#jrbPtuvO`pkZ!Cq`g>&T(y64h=2$#Ln%?S85F&c*L zGIocyUKY&U{Lb|Ujy>|_Os-*8}bxM5eJb3%h zqDnj0&-u6U&pLzRd*(yJ`Cd2}FsC>!v^T5{)wx$_+p(duJOt!0Eu#-{ZCyq_&ad(J z7kSP-QLYuecQP0mv(SvFY#a>(faNa)Wy2i(`HN2UtPWHaaJM$!^lr!hhKm;jmqwdQ7OFbLZTg z`MXINMjvt3k5!-oSgD2-;U7XC>L0i^%Gy{|Jw%)@S*sVPf*1miW?kCaHDnXl#tQxS z=lT2Y)$Iw0O;I7C^Axex%V+YR88N3^S(cGT_^;dOf{U ztUY?WdUA^zD}P_GF7csCLcHKBGfKhUly|Hw?KC(~e~Qe!-G${eC~>H=Oxk&KcgZV}P;>WH4a06onab)#oDH`MNh-oNtclF}CrzGxEm;In3fdm?D3 zCi!Ij=c7%jLdIR=@tctCM)F?ehT_fKh*SFQCewJIg}bW9kLYGR44%r; z5B*g|md|Gn>@Avvj{T$uB0qHZI2lpXmeqHVnsf=uf^CxAy;X_V--e1=89C({1J~^O zq7?s~g&sp&e?Lu_%)V_R_0%o(PFp#tp*fph(n58~{wa@gDbu}74sf~3^3>h}81P8G z6uZbvz%ddZfQ@a75px?r3BxiS)cmw4;d@B0Yy0n-dCvz>W>^8@-#cOjyquPRN}-mZ zj~>`HfmZNx&L-(95a7E=qDTsqxUsY!8R5&or@gnP3ZevVW>IG{))9M#4RU7e1BfrE zpE^xe8aYj}+Q26R+Ggc$Fm2vq3VU}Gw28>h+4YXZkvjVZ@7B#K$UIOXAZipd)%najBLu{87Rkqn{n}`H= zdfmkn3n;O4Qz7!UEu(%d`4=BPzD1E-Hlcg{2=i-GoNi{n%<v(q9q(!9Ti}oMz^*MsXT8$uC{7F-aFGZPS;NtH5##kjq zSLw4;!rrMclK_T$^ulh5g5jiHs$0AHSX%xZW!XOJO1$IE`?KI6;oW^Mxj^2C;od#D zv9c%f^?6=uKRar#zd0!4Xf_gDoCYbPuIzocPLvLNIQKSrqVM}}zb(17ja%?$alb(} z!&Q<`vd-fZ-T4WxoX3M~nfBW8UNQF&sCyVC2h5M!(!@h9(j_0PyB)el&~aMr7uElJ z#VmbVZS9j5e0k(x`qB4I*yV02C2p;RR^R#PYwaALo{t*InV~#O(=V{l$tSh?bV4W$ zWein2x*xZL!#HojB3W>EjviWI& zxzT%>&te|=Ug@+IecT&?Z5Zhf@s@C~`RIFD=cdj*n=H}HmzP_8KJG~OUGCg?O*`^S zdQ2TGGzhqqIX@r3%b&ClfP(8W7gZTs*vMY1S5@y@f>VL?nc@o{b#lOs=bxx4%GE;_ z=U26$GVX5|+QLA>hA<)$Ps0J(u@*xQ`LiC&ek9(XS=l(B(;Kk z&{p)SeYnNdWAP}+XGcn9a!QbU=J%4pP5;)oChwqm-u^FFfo3o9F~rJGS?W6I#>tS` zmjk-_j9LGJOjhSouk69pUCDR0|Ip2QK8}zQ*~kMy($1T6bi}|jhb9tZj~L|sAin(Kd|QtG zN8iS~1KJBa46ks;6ZY@hGkzZF(Une09Gq;wV73_8^8F~i7I^JwaDU!Jqvj`lNfMvV z{{7caxV`JfGIn#zf!4E&)T|4yi*ka{U)qhlA`#Jjb@Ael*Vyo3nS~2;g_f*>$>Lc7 zFf9+RjQ#MI8dRd1+~;5RYINL*Xmldq1lv$hh`S2Mm8-s65ht1|N53V(4Ld*cG>-h% zzx?a^HFP@JekOq$2TkEDa)CB zZMac%{L$ATkhun-NvYtz8eZS2KePU7cfC}Zk{;M+mm+fd$oiRHtRod6GVAiw}Q!7SHepDi;??0kCy)bk0c2aZh*umxz#!|!nKN69&*b;ahbP`km)Hu4?@**X}j|0B% zg+{$(Z40KK$WOmqlW00lkkqMx-RZsXO-p7JPa8(-H_bc{c4;xWbjkslc_7ysE1)fPxzn*2qjX?~4`|>5L7r$F z#hfrd_?LfpoAdbD=r;4mJt4j9PL)wl(J{sq)&n=9nRgJ z2T%Ur>k8;SZDw@GW$^Z;43FzvwfUM1!5r(0qi-UgLG-9ona_UIY1WrtZ|A?*NLADM z!lrZnYpcZdjePjW&w=_Q6~0b3y!W$3Up;8K@h02VsB^xi^$mTiJ$X zW)`uo_P{pfY!-8trw(27{c2%i4%TDg#ng&17xZ*w1sQT!U|rm{$^74|oZ_z0Cxxl; z?N8pZa_}OG7#Uji{Hw}jpTPT#tCmi8s55pi|H0I&^t9t(C5vyu!I^K9U!>ArbMVxE zVG%A4p_R;U@@!8k>wnGBJW02qf0dr0GEDdqm8-Rs6>f2{WJHbwx$D$n9e9DGZ5}gY=ssb?eI4k(~U=7a|xrQib z7AOn=H-8nHt+EhPlHl8F*mssI*>;m06hE)lRq|I#7BDn{f>|X#)Ux~UeDWUobW%`~ z^x{u?l&+Ld(Db`BH{Og5^t`*{SOne@tSK_Qz5KTEJa&WdbBVb7HQ8{(`aH|$A}g`` zpA&$C@AN6eY|1Vur;^NMuChp+7-8O=pOKXGq3W7S8^+-)HV1~45IHb5M~~sh=$Ny0 z8r1ud4#a7{PGz4DNR1YrYE5>QtAY&%J_YHYtG z<>q6Svq_ti=E(H5rHgXlHym_b(4q{Z?X(a_YBV#EB0rWq^E} zrB`QS{U?errj}c{fo*;Vaod0nM&=TXl>NnF>gps3sD`<99|DkPUFT4kH8BM8MUeu3@Nb;{0sTNB=VeeNMCo8IrKto+ zc*FJp$32JOHoyD)FuH4;DQ7&z1D(K(n$!5RSaUKxh&ia=*z)U>6{;$WIr9$&Bi~VD zU8C3ufYtZzBidGnVMU@+&T01hqNywyQ_tCO^rmb*=$$4R!*Iuo_MkCj7`u$~P4*}5dO zgp+Vvyo@?3YnlD6P;b6w8)NkdNU_V{NNxGHYBhlzQpgmi_OEl9x#vohIp4tO(#G4m zv>ay+%AIpM6ONGVKE&h+k5Y?gkGnjl=eo)W{P%v`ufj!^PEJNRKL_%SdMg z8c?jeEMq7hLo#7rRu0cu&zIte{Q}D1wkxak306=rJ{uYet~pEr9DR>QxPC&@Czvce z=>v$xJ&-8@IBlI}vk!5tP0G?Yh5;ZgP0sAmM7OmqON)tQl(a8zPnA7ge1J=#5nYvJC9_ z?z`HRMmSgrBGpgHZnD=DZ2k`LrfKRbwD%4uD|k?iGHJ3C^*zZdq+OO8l{&Zg z#Y(r&2zZ1h{45dGohE^-du3tOLtcG#^Wnov)pWCdGfWOMZL)G!QSFZUz9yKutt&#d zF=wa@(yG;avHA&<(H8QtriYv{_7Y9q-u}!QGcCePa(X&L3sG8Jkz8ZhF~DK6D7ew1 z#7o(lK+<4?uPb3GB9N`^r`%wNGUvLb7Vl1VDlL-i5OPz;3_8lz7yrIsB;JBgtr?RbFxd&oLuy+Pj*WVXv@d+3JTe&7hSx zdi1xMs0HJ-jdn<7&afjP#~Eig4N{F<|Xs2rJLCGw8NmgP8iV2nKFAPGa? z=a}^2?47majNPgj=~6kn*E$am=`eDr_iMv`_rT_<0o^VsOI8Hggz~9NYX-h$iS?O- ztV|$iu>Xs+w~mVX``5*#L`6yzRJu`0kQ|0kq@|S(m6Fb(Q(8KQZVBn3JEgmsp=*F4 zhwl6Kd+s@(bIw}7yME{1^r9^T0 zLj7h~P0!xX*s1C(#Ydns*-yh-!&MHo^&mmCY&t46rB$|AyJFqERn%8Iyr zoPqZgm-!$mQSNUB7RCI?7Ql3bVNPPOBL&ci=u>jhQ#XF`+kOlo5TZ+a&!Xu}z!0WH ze}lW@ysRmO0ElNs`d$}_Ew&gvp}2T=5dJg?+&x$(u0R~tN*!gy&J>EH(ykSBCRwR# z1J69YVD6Y_+t0O|hDvDH)QE@gn#@mY=x?+Bth3!*cwJ>{(9F7>i0}cVu3X7*mq2w> z7j!gw$^uau?!D_f@CH3LJ1-mlNj}YApSjXM7Qv>vruO?9Vs<{dkS3rwTfA|z=MOut zZZlaPaR~1V*f-p0?h6xEU`2=&=D!_I;8ZJ-0WKIW5pH8@;x1Goi^AuR2%7;pBU>y; zh@RVQb71;5_2WQLEr#1Amm5NE_~ZQ-w)9WG>^(HmH$s(`Ww38hnN31EW;`}VhD1CU zVfR`_BoiEkz%vQd6h!+s>6UQQ4k!HE_&&FfwYFZpg57ZOvxPP4{H!S4W$oRv2wa+> z&Fe@83w-dtv)fY1yFZ{g?E7yZJ+{c%qKd;OLxxY3EC#8Pq4z$%S~o^t_OmN-5^?TQ zC>wA zeKc#S0b-{y-D{H{jd!NhISARaKdfHW3xwW_6(`r+kg8FQo)_6%DRbq*KSyr_F0gIX zZRwK{?FU>1x)L1%N0nuA@l+Szf|-fXLMnfxl{?w9I2pfI;h!$v_J|WQM5GDzVas$V zS-t_(XlKb_*q+cq?dak_e+uLR_itiDg*Tf2D6&`I3@q9L8erp_O)LY~07$S=X{1A# zq9A0*#(TAj@<2ca@S)lEJigW5aBO%}ll@zrw_E3^HZaSr9x7#A4J6!c3Uyy1PiAt| z$3AkUZ#WSz|BcZ-i8GE@l$M(#)0W)}O+``>5X%xkW{V?Lj@q^5?AAtTCBON!4VT)5 z)qapS?_|MKDA_bOai`Jq#0(4rxr8G;+FB6 z&hL(_UA@k28V+-{cm9wCI(t(yz8w_Eu7Ru(2Tozmc-&r)@tGZecLRznyU{*SL^~e4 z;jrjc=i(!B+BhT6$Ads`Tmcm6KJ3aN;=ca{<#oC2DI6rP_j=_LcZ6X23vKOBbfX9L zww{*2VsWZV-3M%&o5{PaOT6TI7Z)sV3Ma)F;?wS^5Og<*w} zqUUrL35&l+xQEiSS;i3%W3QiX>t}7;Q3(%+JDI!P24C&^(CXJiu~D~{tm^8GU@`Ev zah+l$vKCn&-tgNtZKS#q2$2QRE}Lr|PP{dUYHjBIm8o9!tdh~qoz=67yLm_X)XU?s z$C&IVmx0xFiej!Ahn5jdsQvv`lEZe2FIk#%yjy_WlcpVeI>7cpfjO@xU$W|loljJ2 z)>QDj?N_A7HtG~ruZ7i#cFKLP(Q%4uaeAN>j)MPHdbx)nwaKVPPM;Z3y#MvtTf(25)>)rT~0VwXO@yJ(8_o>z)mr%S#1F#6Qr z*&491?3scdDelA)feF^sP9j?k zDp0M6=C%r9GSSH=G7(49kR4Sfp=d}EAk>zfk^=wD{Z09MdgXo6R*{RZOi;Z6-B1Fx zU%BDQ20u)%Uu?BZBtR!s=d{PhEb^F>K%drT_mMR3xsQ3e|ZpWx7w*g+rLkyKHKV9CA|W$8R}|E!D+uiVCj* z`fXX$3xycz8+dVux-a7TY-> zbz)|cb+Ae@jY~hwrTLWy!~A3d3SDGAZ*sQ7e|AOQEcS~}UFbGXze637jz4RVmOth3 zBLJR-HcMfiObD!Av@yMEZ<5xS4#C{E4n1qF%=;|7s zCeb+p@5Q<+N_)YP{f}?uJq3SwzB8S!T0drT*)%laZT&Mxn4%KwX`^ow+rX4M+7#M8 z4Nl4uEwY?5NxV6^&zWJ{QeXaRILVvOP&fPcJp1k?^YA6{!A7j7zEU@R*FS{;_CHvI zJ~6haIZB;7srrl>?pB$1Oa3%Aaxr9oVh)v8@U(Nlc3+}mar68*&<8Ss>pgh=Yta(q zD{_Rk-}Ozu;cTl$kmtUJ%5VENtVou=QJ(SVyz2bT3}_v0`b*2{!G6BVOWTo)ukUGP zmQT*%uUwtEkjC#*ce5*23Iyc@{4VdrEH8L_5Q!Jucs%+JBrhx|r4Siz=rK!@?wVsH zIk7?rc+{Q77eA#C<@)55~=xb@SXk2Ah#9HFE%GA zn8Rx;dc*fF+gLwH6oR?eKI=O(cE3jdBGFxnfA0~SDJSsi+pLpJDVfWT ziarhDEYO|5OTjSgz8qEVu@I^UFQnIH<-#vv)Z2z5 zwizs{x^Y7B%(Hpm$4>)JKi^O1G3sp8t1NTtKv#FUqx!dsVv-Dg6jX4P)3|6?1t{>{#_reXHLN$*H#xqSC77^!O@>}tjT%!R>`_kT}J2BRwt=AqV#aZV9)HcO?J8j{h}k{j~G1I@x0-P9(Zi=ll=OoA;Q5bvfPdeWWn?u?b{rnZF&z zaM|_HXWt{FQ%nN2a}|iV@8EqvM(e3v1{HA5(^6Bp=5xM)vcc7p5?ry%)OvnXfwv1S zVcB+u4|`}>g?@h4=kAPL>8)!yGBbzi*cE(xsrjlP8?$(nm^ds3|Ced4vmJrUug_$9 z(bOQoyU4|%znS8_?kod4Zhy0bs^WSl_5;Bm_n*3>HyOU@=YY9kGKt5*iXJ<}9ofU1 z%7R=*L|hmzstbXfLat#o2&)&w}#%aJ!n{h?7%85Yx;er zEPwIlViI<8NdEgya3DM|UF*N3w6+8}l&4-%%#J0KBgpw54t@-#az2_w-t@N@7BwkfQ*6XK-!n+g#?AUK&&y-6 zw-|?x4)|ANI6z%8vQ_9|hy)b{F?Lswm}U=FEi=UvG~HpGx^S5^%m=K&ILoMJ(@U3L zxuY8HvEHWH+bnm19mI_$;sVjmzE=P{u$I~xW*Rmu(X!siT*V@p zcv)(GB>gm_xtwr$`IGAzfw*sYiB^TK^?sYb3 z`pZ-DcVmxFc>KJ~#?Adec+Iutbai&@o(fX=Z_DjJl`f9O5z|NI^{`y;A8+Fuu#lL3*23_t)2#!wn z;~$(w(c2k>SyX7cb6~T}_ZeYblek7IUo91cpSLT^d-;iT6`Zu_lI1afM_ z#EZDMAZ&|#vp-5tRpUb@GIiq2UynMcjQI05XVC}pAL zcQcEa{gvPvx$PrI7lywTl^Q9f z<-SJaEw{-8eZ~9W6X!OV)jdh6hzjz)8SDZ*E-`=2k*ZmwcqoU#_oCio}e*G z=h8$HZ6!FcBLtTOx@@vBUV(_grP=x9Pn5TUWGGgnndxx4UI9NWn+ zaSc|(Ei(7D2QtF3w48##Miv+KTaT8b9QT%$!Idj__)Wj5P9OYd+DGlhi9<&F5EiII zrn5&Sz~VW}bQ^5|07pqX21U`v3mZzyG4p+}t9Q)JPFwpVwVO=^pjXB6$6*Z$3RnAhG^Wy7PZKG6IiK2qeCwSwNNuw$$B| zeE22VMqw$i{a(6VndBEJ&2m!EvJBM=!#3LBh)`+ZMa_Qzw>KRT-Zc7t#PsH7n5yl!Zz3S89%BSh> zP+6Uj;UyBWqeFj992@)PD3eaXmgnbAN#oD~4gDsl2Vuaaj@E(c)JJA|P&_a!VAec` zab75OJtHFoyHCbEUI&blTv((4e9eCeqf@&Fw6c?8KH?~LsG z4#sCveBpvIq6728=IiMFojnwwknyCRfqG-vK<+dSO65?|L2=2DUHwp^fDaUvh2LAK zpuwaE)XmEyEHVA4X2}#S$A_F?5eqp~&Tkvag06UWivhHew;NkEE?k2C|8{x&^Esb? zyOgeC2JyG!ICf$QeeiCj@?YXTZ&&lT%kfvGyMKLuD5&zAGZ7dQ!r~i?+s&Z+J5ab+ zS(55w%$g1?U)4FkEc|$axs*51`3ckO$;|S(0}G_u42eT`7T_6F2pbbp~JI*$-rEGlSt^XvfSpF2EzQ{#rx7FlZ|UMh5?v zMxuYd>HlODw&r7uxnjAWB--x3mS>8SkLC6O)Jf(ekEzWtKw>KGUM89Ikgk^`MDgVf z_HqIXRvyDukKbvOs>kHJ`|k<;JjOC9TrO#ndsyVzbbB5e;3&E-$ppeB1wVMqG7wTD z4rpf|9qO#e7{d&^?pO+9zZbm(=7Ez^O?=XMr%j4))>-iV<(l;NPh_-6vAYISYAmr0 z9XRMYRSp)d+d+<^T`We@>X%W1^X-UZdipC_l78cacnU~=uWZX&WSfXbq{o&xZh9_G zkdqwtilE|$|D1gOlZO6JM&B8LNFIa)BKdCRIE;Qlo#R?%9KTE!GwERswr7wS)uZu) z&b-HS#2PuGIz&v5Jcv$c4E_97v_O#$T{gX$liT0PK+hF&g8sCN@EK9hM?1+Z>cxEx z0Wu>FDo7dgd!|=%FWgT8d1?!DJi5_-DaVmrYF3ZPq3Xe)r`sy@wmB38VqXxsH|8|{NN-;?MhnwwL06}Ggq2(bhe@Uy9F;6 zQ?{&e0boOE9FKobA$3f!LwCNWXK$8s6)6wmmJW|%<2vO%k0hQ6tK3GjPW`QV+v0YYh8Y4*+ z%@G%+uKVqnB&4+R;M0l_@!}m(436UZ1ijx49p}yOyhc_udYk%Uz|W^ELn#9E&UcFf zn{%y0RjMNaRy^VkGq*yDGn%fb86 zf4Ik9KJKmD_TvJYfy>xFc2gc6eEKhizkf=A|C5pAsaTbdGmq#w&+Z54GnU6TsRt^Z z?XT+$iJh75X>m)&gC0#hbomlRgR#kgtMAC-%c*%tS;#`4_6?44D{~pi$o`(-390OE zeCSTL_<5;PdfDe_=G^da$8rmdau$IuhWXISh>ynal?{}1@o~K+0q>)=H5-g|76T}M zukw(I-WJUV$}Q+)^keR|KEZHLVnZOg^+dxW2q;;0xust4(?CV59VIrp{@Bc+zuSrSH_5+rbPG9}z$oYaQc%Lb3iQvFJa)7ifz$!#eyydD!eA zeEut!teugV)tmB(4Ineij9!Weic;010d>D#Nn#;s4jvwP)PXG-Tpvp;p5tGmqWL`? zG?VdIxD(sL+cKJcn`ngjX7f+;n&D#k&r=yZ>tC+X;?zc%ufGBJeRQClYZjF|&i0td zpD~oiMbLfT`@PCzc>&qUUE-ZQI=DChh%)hv@Ws{x2s1=lpM`uo%F}ss0s~6bC$TA} z0NW&x;d@Uht9oAs7gC-H+GL0Tb1~e+zFU(~4XkGBHxj35N=*4^?(~Gf(e`sboaEzY z(6g|A!?pgtt{t@M1Kpj&!Y(aW%eTb|K@sI`@g=yGA_`ZW0XS6Y2x;k4o`A=G%dw?`m!5hP zc;xtN+Q}&XmSdVAhD+Vg(!q{!Y{i50i5QJxL;$WT(Y8h3M5R@6-xIj35gdv8-pr$0Ga+s3T|v-)7cEFR?tpIc1f!TEFyHLKh0p4 zjf3rUTHg!bk(u^_DGxZNk{VSV~NQ{yVO6rP_qWk&lZ_Qp`qmLqX3yIUGxa-<~qh=h&xg?~_ zWT?)8GSJSIwWMa?kQ@TAC4x4X#!;OG?o(RiQPnlnc*)+87fAv76E%!#DLX#05i)9` zXvtANlw&yn?o0rR8*Nr@$EiiHb6H$2uf{4Orp%5o@i>i(5$t*)gxTzD(%B*toV*ll@^+BBkiBW{_2ATuz;Nx>>iFiH4J#&#P&5 z7$-!XeWtI%CTzT1iTR6N!0qOzEuuFXMJ@8fsD--fIV!RS`L0srzh%FaJt`V594&d( zCaIHG6`IY%JKXk{?`Ra7GxM|SSS*E_+0A~3aB((bwR`4xe0XW|yn(sUyn;}+AptVuO#Py-2 z6I%+J!4K!gJf|;{!bblN1UC|;f6#N)foVux29MGTjzyw#$|Dr|VjX**=pGnJokj%) za!A*UH}9w_ycGT_XzF}Sj0yOEWT-m^_p&NQL=FhWBjx@Ef)!aA{5)}<05C&fWFY64 z#B+xSD#DPbX%x~)mv&MUY%+bcG zHTvvB;e!E#vrFBmmtzBmLS_52d?-M;R9jrX%)_nJfZV#Og3{~sGydmdvkQRCP>zvD zZRJL37ronjR~}|{mCCPQ4Ja;l#Ou3I0RGPQvVSm8h?*1`}tH=@StT2LKuiP%eNU@u=WB>d$1 z5q251xWGQW{e4kj35|(Y18YdXeN*`Jm24V6T5XHRzL?LtY24HCJov`^@aw0m1P1a^ z4Wyfj^+1gUq5IJZwE9odZt-V?f@43uHNUn&-l@y2FQG^!zMIuviSB@!UR}c=|9)e& zVtP}NM?>|X|p}l4;LWEhM2%~;uFsf2kc)s@J?)vC%CxwJS`j^A(GxZvLK2)k~ zb-91;zi+vhR|4yk>XtNAyABC{l)A@>cr6Y0x>&H`QTN5Msdb**d-_e*U1@cO6eN;X zNzoFB6tGgTrI?!g*k&BZ%1`OkB54^VL5C+6FCQ0l@Mz$wxPO~e)tpg|BN^9Ax&Is= z`F`TrtFV+5vUvYpCBgFT0!jdC(*kYz?gT<)0O!}srC=6uGH>v=zMv>Zzk0)%=UF9v zfEb-C87YJ?${GU1RRC`L?NAgI=6<-Y?l^>lwTskeavmJNHh+0l_~t@Kx9aLq^|VzJ z(5b@nVUET|%-h_$aWKu(N}Byb(>QT9Tp&N9${JB0rTt=(QP{?`Wp%fUbx01@zp?Lb zSIb`cJ^4YW`LbAJML1$w|Iyj_l z^@7Z%?ko6rX^+(#ymq*II=NnH@axwPv0N4t{&xm>jx>7lydG00E+iBsuT<72nib5q zeffS3xAE&jn(@JB8i=DM63YmzaMt<|w*!DjQYC!1hBZ}urRBH`A*|JvtVF(7X8TNs zc{l(YfE1*>^ndvWOZDj5`Eb@_cf^7`JpXe|o17 zChIukta-JQeYU*=x^3F`AO5-Svhk(Wt($TJaZipp7@Bvb>k?6Ax+tg_`)b&_74V}o zc3N;YopnvEcLV~V=-0PH$7gZ_>@KN%RfBE!Hr4mh>9B5&UTi-nl@?U=&hItt6^gl7 z1IB;FpWk)|D$h*;VnPG7uE`v(&hhbn>c{)R7$6MJ505<`>^yBHL4SP#jw234%L-Lb zO9(nMv_jgM>v9wg0DTV}2R}YT?RB#l!=*se?)GCSFL?N+Ek^~Kvsn1nH z*(cQz6HJp5A`?E;FT*B+WuIn=E2yrHO1;dY$EL{eWe;o(42oio7ctC%))TECU}O;& z-bBX`tT{ZBNTRs{5yf^$1@;-Kx<*d=Kq+9b2#OCMb=O`6O3M*~cSgNtKeGWXe6&=c zPf{KbHfsQZ=G-79^!@tD_irgrvgIYB>z!2EcZ2S*nn`udQNHc+>OtOVic>gw$4;*H zeziWcLgmdF{7-%9O!4>AM5I2f5O@BY{h(l=Wy3mC_4}G%J1FJFnHxgUucghm@q?m^ z097P(H3ZGYHH&q&Xxp^dmR~LcY0uMX0oWv?P4q42Gy9HJ(kKGQokS?v1p}x-;^O%2 zz;hpGc8VaU_DrE!62dtv=-he2-6!SVcSXzByavju81}hSt7&K8 zf-a(jmk|%ivYO^7u!;6z$?4x!_(e}!Egi=)g{JX3<@hq--8ltAXNE1`nvGmCe%(9N zidX-=n8aGr2pd9xw^h3+|_1t=QK_XK0reS7i*9^u| zA@u31Df5?vIh3r#LDM|9rJqm}1fBg2xx*DArN&Sjq0XYf1^?w6tzI&6;208~SpF zVuWh{DXCpA$O;1o=TSBH``+ZHT7eL#r5KC(u$uBjle9^|gweC%d?)+HYN*LkXof)K zbPl$y4F_48CHrEiG~ZmV4O%#Oa|qpGlW%nOHcO@G!Q@U;?1v3P>X7wOOl}!T|9dwi zp=Q*`nN^QWwJ;9PdDsQ$mgA)HoN%1+EtFw835@4NkOJ`{5XY8F&jToS1Q^sNL#wC< zh8~+bC<9r0xGv5lq$rv%i|mF7)-GP)abT$LAuf7K(`Q7ed+=G|u?(&YoK`qfua}mU zvgbF)uBn_Nh14$TP>8)z)@BT#C;L$KBM7KYZ^mF87x-TG>3jTj?)7y1t@vZS)hp?M{Cr zwC@qbdG&Q*CK^^Cyz1%xh_x!Y*`|xjBWd6nb@N?(O?m$Y>!j)GpnCclcOGSviSkB+ zbu)+ibz52cev3RCdRwlReH?F}(2c#y-J`x8rd`@HQ?r{SH}qguWVd>b;~Ma6!a0-F zC=Wetzd9Ng4FNMU$zRSxmz_p|^^CqGoO2N`f28kmq51V#o&M)Vz!S|Y1#&?SK!aYg z&0{0C$Q3S4{a}y%^ZL7vJT8|LyKiv?$iv0A|=}9pTBxTN}fgCe3g6f$Ap>`(RI;vao6eV#Pf+) z)g@_lZ{a&yBwO@r{;(3GM|VrQ7x&y%tq8eh|44rV-I}1{SZKFl^7Dw4mh(64zXX{~ zA^vvD<*G?8B^RsMI#`?k&t;TN|+zoVkC#urNOy)K%|VQZpQoNw%H;6?KrM%1TtW6y!r zMevdPOb?HFoKl*@)DeSbO92|H>uJ>HK~-xrST&u;-Ntocx7GvjtYh^>Zy237+ z5B9W6pUxp&w=LAu?72Q|=ska3=J}+&WaZjWSeG5TsDraQo##3b+4OP-f|YEQv}+5a7n6?)!-kbpy9tS7)gZ!^!06z;$&#VoC&MfT&-ea0I=pv zj~R^6Marz2*10#jMGi$kgV+jLs>#5j=_|$5%K9id`?>M(3$s;20ewo+??Pm1wixas zV;pQiLuDqT?mejwdNXtf5`L!~54#k2F*V@oA|El(un1lVnKzElOZ*}swu4;yK9dx(^HO!Zi#mb0%l zk(gC6vCJ@9eq}gc`~}wsEkCxW=ty5qm%ik%XnY20N6B@bcyIfO^RiHo9jW_R4@uy= zp=X3rF&kpU_DTX8*nRC-JwEG8s0_T=Jd8}A_j)woZ(>f5S#a(r->1Zi0{g~d{BG-8 z!imlEc}x@GGvDQ}#%qg8s!a_Msvjv}ay>JJ5$d(J6_DHbUX2$MvM*Kx(C z*s7*($=SESDXb(=xX9>#Mde-;e^C?AgnS1vNpVt^nSD0Bu!ahy6l(TU+(?KSLPG+) zG#+IXFbX_-<9S;!AHl}w>4JdR_M14Lr?-l{c`|0Sm&GU1yL zLvpC1i2HPzY_WqX$90;^@xl}R(dy#qEgk3Otw6IXtos?U9cS>YvZ1j%_EYo1DzZ}E z>RMuNMFO}{b~~|~^_G!3aPMBe6)NSdUcsCn?Mal2i$X)dFGn7ycKO-H2Z zCP0qN`FjZd8o!S1ayuYOSf_^Q3cG0&mHsT;yTE(?QwuitJm(rPreXnKoqI^k9|$P6 zlV^WjH=(-H&z!z5cTwL{(sKR7AAyU{#=}gs|MQml8A3eyspqAw&dl*Qko96+!Z&yO zw7#y~!YXzh!KK)&J=rHN!!ebsTo#CVetp3UfqL?VW23MV`=@h5jEqN$EY!KlD>`dg zvLg7acnU&b9$f&6dQYlkxOh{;T2$V-BS9&2sxx#X_j?JpZhTHmc1p(WBW&ns60}$m+TGYKyj5|DHlb`u7u~}e z7AlE(aU)S5i_~S~b zfj0e*`nOBs5lpzeFs#(e&$X;>2+mi#xb3K9X-sATc{8(FswmLM5y$q9M?);!@gHA z1ld27T%v?LflP6w|Dui_+}7VdBpT5VnJh}hsIV385$}n7T^C;{xd^CnI6Ld6V4l`wn)a`z8Qj_v9;{S6>Uv+fl>C8#jHaWRM91D zw|xzs19oX^x_L%*_j}y%In#}T0R`T%*@>2ryBtA*hnUO1s6DA`_c&@C%?gf202ZCj zwY z)W+je0LCTtq!5)X8sIupd_i_ide2+-iG5*OiyvpJzn$rnsl11-S}#S4(O%!t70Kmq zt*uJ2Mz%BMqe_4rTorv{3=lA7yJV+$%{D74hY4O6lT4MermolKQ6Bwm0M^K$)X|vr zH_{m~)}_4{f#1|hLhQ?nX)v*Xb0EDG0iWvp65aZm7^`bs@>`C-Ddsfx14VD}fnrXZ z)I&1HdsOGIS{?5lwW<>jtC6&7K8%rgDdO@*do8%vcUtA%A`Z0$^oNc9mk#L;X3~Yw z=kAGbjQj5T4{6p56kpQG3tqelk}6t?jwAm0`d1m3*CdNCuB>V*ouX#X-T1m~sB<3x zsM0D5et78-Ex{Rn*@3fV)4M_%8m;QFHmX?UDAVE$6hhQb%6-5XKL}~1601Ro%2kS7Sqbo&*I>boctI1^&WY%h6pg9=`M zY~{FlcrzgUpgLskbhH%T1#acFq6@HM`aDiX4{88?5%scgIX3g@#UmBX?iSu-97N3- zXsW!Qd&BA)0g#3()GUSIteoKGnz7umSuE=sURMh>mBrm0lfb>Y0-5h}>MlmX=0kR0h@Rpi zoB|=cA&LP)vyQh%^(0K!7Q=$V#~yhiQgBZzgeB1DWKs3Ur0Run(yVc!5#QbH#@T}F zA8Hgps9dSp@Z8^3->uPS)&S72^3PN79*&l!59AKBf_#5@n#1gzCImrWNIY*xHyjPD zlT34~>gGrnERgA7+*<(nv_PEH!}Fuk1%-+&3#{gMj}%4A2p2s%YSv?K`86Wa5Endm zbN>D(TUGH@0CD_k%mbZh*+#YscDa3cWqSRb)9Lh=)67ehrB+dgfS_|t*k6EG8+Dpm zoQ(*-ZLpTQur~yJS8BKx!>Y$QDRj);pFLZX&Jo<(dlw;mG}9!p8!;y|linTCbXz=l zNiTc{44>>b@s?g`x=ML)S$4Wsl3gepK%A8-ld%`u2`;nhSD};G2j?>i8ccN z7Ia#0s7v+gYvUWN9EY2sjvWllMBI>r(19i#Gk_Nyd3U`1-blnW zes0rB(4zi|f(GiMuvo9kkyl0&KS8_o#LWD|WKuxPDFzn)%T(mk0X%85NU%~Dy zRXm3HowA3GQ*4bztI4b;hr$+-*T|>F$sP&~H-~2y;evI>wjr~kOtXLWPsUpm&i|y6 zM_ky~AY{#*({3qk$NU-XHK**AU7sQ^a^5EyL_^X_r!LYU;0?h&v?ctU_l(?TX$XaQ zA5vWLVsWYnHy1xU+z(@-=FS_)bmtVCVc2%xhZlN zRcU*L5AYvgyCnPz`W}Z55l0y$1M_}dXE5)(urFcUf6H?vd7^CLtADiu++EjtJgTc{ zhrx#9!*8ZCH=034z0gB2og~teTSUitDeo2!Fat+lcJ7 zth(OvZ~P?!#sk5*AOTYRKD7w>5b|4IXs5Ce-(~BW&}wB&@!6@@T}j~Xxu_Gxv~9ZQ zjoq4hbx%8AWA$`|gfCU~ zy1JgWF`Hs4cok59Jt`8~R3aspz%`VvoDdWcC;OSDS-PH|U{w4AkX=mxX}%iP7|k=i z(3$K8Or=;$>Pv2xrcC$iQJ;e#aLAskXOd}c7+)ef)MZkh+~kDQmAckEGIi9+`c9}8 zz_#H#_5^Ar#KudZv^_^o&l+uEEo!N2fDWj;okmua}GZ&Y0^Z@~K>LvT_ullH2A=5ZKem>_nKG#mT|;85e$Kx)-P^eA;)t! zD696TZeRRNbBe2go`{$UQsN)NN|cXE_yNnT4N6vk)1K)y1{Qj-E`uzHnTQ$yWCBdP zuY;i?oAQv|k=Ld$8MMx7z1xd>hv%8e8V1-FPxu8My-Q=Lr9W?1P*$L!?!)8s2b=cF zP>W{7=n$Pg6yfU?Z?~6812bH;E3~QV&PoNYvBY>B2A7xe#Xu=cgDx+l0`sbA11TMz z1VVbn4?d+QL^3S5M8>(RWr87Dhi6SAI)-?&$N)WRX%s^A2PJ3 zy@da&x;WQjn!TP((&I!T+kvG&+Wu0H|NmOE~HIs_bW4ad(O7w7o*Y6 z#Qi%!Ie~o{+4~(S~!rJGa(p=!9R{-#<t1~WOI|%Sy|+{ z4v{-1GB~KFY=-i&h^@3c`ngCtrvdKU(ZT7*EZZxCDP1|>Ze1bJL>0YWT60Al$fNrV zL~tCVh-Xir+BNhzOu}?HhHW*f`p_|R@o>CK(0w&!)dfx5aN#L%pxHFvWB+mcvqo+t zrSPGthtP^C7FHBL%_(!iZ4=$XwM5^T-GOLDAvIuawoETKdE2CRIX`-ZN+3k#%Kts~P01Q4{e?y= z0!H^J_I%_=8#jE4rtKy-g~A>?bpjdJ3}yofw@K=P(|+{D<5}=gwqs|9Laq5jbI1j2 zqnA%=k;m}SRX8O}f0CzNSnnOsf6{RY0hHDPVV82%6-CrXDacn%q)u{FKtX{>4wd2 z?>+*ABD24&jlC+aVQ05phLpPx4m zC`}{1D^7hmZ8MU24fSLz6bic_iSTqIf)c|$*{iE;$IovSD(Lm5uJXf1Zvz0Ck?CX? zKoKuAuE=~Mr{%aIY5n4J8c3$0*PXGushLY3kQh0`q$CZh$!^1j*nfRN7H{)ahV1=g zVhuVQ32Yn5FOhztW~i}Z^Y`RrzPgyD3}BKif88(qU`!2W$75Ww9a&s(8qRJZ`k!F4FF?-Cm+6cFGWF%#-i1wHrY%k|3n=;urvE#oV{mM zQ*F03jG&-5U6fu$z=9N&o&*sUl_sLn2@nyHCN;DqBGRNpL7Fs?F1<-7B29XgP(vp` zfDj-AQs9gCeV+53^Nx4Cy^HRoDu&z00cP`|{8y}a_pNLoSEPegBF zDJZP-jqQg^D{)n97n!+(A1X3MUuRDH{_v~w?6p61PcUxWEHxlE%D~6;p_m&7Ey|e5t27HjwEQ4rkC76QkuJ$f~r(F zq)KZq^TM5jqYP^$J~X~r8i7yW(S3Vue*!K7mhn^6)gT_eW5K7hjh^R1ZXVoqmC*)g z7;4@Md={si>anyGw&3sE>JTsCGSm#E&qYs1FhKI-sOKIViQnHIWHMtoC$aYPZ5Tu% zpF<$%i?4#@0^mi_*Pcz&i{Ftl^x;*uM7d*vz42Ktd6(I>Y`L?s3?|+Ctp`_Ft^2)i_z@Z#UG!pcL>gl8RPL)Pm1+aHB`eHOakrOqz$AH^2HqLE5+r7$TQHN12}_r|kni|M=W)Sr`Y zXNQ*DoX0#B2ehS>?x=V=>YTlFDY=nw4Q;(j=?gBuNEqbFxESQ?x1tl&CJ)MU8)8En z1|}rYPFQ7Z$qMUTPA<zedS)(tN&a+4HmzUuAf! z5lk1uOmWGjz5;pEz}})=NiyBOci_P=Ys|Ff+2yr>v03QEh5o;**_@kW@%{Cp-HY-Q z{T1+{J%HoOv;?f6IF80jY$#vwz-rVN5*za2dTX9#x5Vpf+Ju*UhKqJ58*}=#)kWI? z=W@k#_9w1CM?Z9EiYZ}kbnli!UnDO%#rN;mQBrW|F9V*l5Q~gtpUYBd)KJK0l}9p%tyvDf;s#x77)) z$LWFT>dSlY8Xv|4z#z?&ssdY%>av6TazzV_2VZht*=^rG>9X>BBBzD-%m*|kCq(nr z@~};8_?fwcbF7^wOD>{4(Zz+*`}eJ94M?b`!U>&mmy z!9P{?MjqY%d%S_MG|T0C2~`Zf?+d~f-K(BIFqY%8rn|L15;oBsyE8K54Kkq}^#aRaLi^ zf#2-`pK5{XP<>t5H`b{T9$n+SLSV~HZ^Sn`yB9;8GteYmpabIE!c|=39Ou-|N*U=d zjZN>@wuzuHUJ!Yyvg}fB8q4&veJNJBkNX*D=1W-_`x6Ty6%^^}-oJdSiRx*(-6w4z zBsRJI)*mUKExC$@yknj~a_+cakQB#kS(H59L#xRMfA~PwNFiR(qRp{KcvL|KmK&{> z?tF{O!N1~DX|H%ZDHQggNxyu1L?1|wOW3Tg*YUyr*)?_V;*^s_(U<6Xw6GBE`8y;hMHebEY0 zN%nwYb0wGmfi*&k=#@Idq4-|T-t!FC)+p>IseJXdU%lu@sG2-M>{@$IQEJ0~5 zi;gp#bchP|d_D9*clCvwcvy$@CUeTP2*1Y0v~EM}twuTxI^OieUhs@rr4RNdlGQrc zjkHw;@-w{u&`8Jp=x8(e;dztu{`gwm6N46099Dnnh{E))5Fs5g*QNt|Ttap!U{h7% z-VN3*o+{D3?>ny$!4#vme&}l2O~=Rcjk^@SdbuXc`5+dtoeG96*E*t427Eg+On1Ze zd%JSF;S7i(`l$9OH03Wb7{JeD?rh8TWchnh+jE)>zJ;ZAuC_J6eYvt-FyzD7M5B%8 z9(?Lxrer1$((|p~U#@~l3ahn~BYN2Z{snMyfnJM-0$!{&OzNfj%mg`G3ytdQUi0HH zm||JF$r(R&XsPk$S^cxF8!QfM+K-k0;2(ab#`?jxON=>wiu#|Ry@l{eRlNBJp-uW= zX+gmcpiV57rBKu%@3w+VOV(Cw9 zfzBT9PJAB5+63K73aAaWf<#Qv0Bx=Y%lULHw6!2UN}?taE@%`My z!w2?eSRLBYQk{cJ&H&P^Ga)cls{e*t7&+x^I6Ages3NL(5bQW&9=Y>YQvRtl6Dm!@ zJ}tPlej~g0b0Xi>g9`~`9~nxnWG1k+^=P1T(t-&VQl2K0vl$O#3^DbNZ+y-0St~BO zrlpxmuQ0?HO7yYOzv}O?Q!s;-!H=G;0lc5ol+@DO8D^8*{S z{6>n=;$%m@w!YxT$88-KtIrJ55e!_0wNkJ3mQJ-v8k&Pooubfv6m9`t8!>E;*Xo^M zqnC!~i+`8~H9Stgc|wnu0ia+$SN$s(dqH0~x8*JO4;Xjw2_B^BfxHz-8ttc z>u+X8vu;|gn#RdkPlxo&$r|x|+FIY)2(9_V%0T#D>J;nv7o7ewm;Mm))!I_$`q!Qk zqIlz?ff^cCvPNRoN9?Teh0N>&8_O0&SJ|)M){zZ*W{j5gg(crDH`h`8v|6JRrSeTqWibm zRQQ38>26YfFmlyBr6Aw&g^`{>>n0_wSti*bbP0}9kw3)eneGcT)*2vxktU9eGJx{|HdN*SQko8@u#9A3zs&uJg z1gmQCz%V8Nr&RsT0m!!tcoJ(g(+ecEF}1&{GIe{rQwDgzc$$vZepsE~0rV7p(`8yr zS*5G?=wRQCKT7dA&`|Id#P}0}?%Qq~{~NtOR|CbsN)31rwTUtNGsiZ^e&%mnPlBGZ zen5Ji4QF}8dBh?He=_ce2C`~wG+Jn7I7PioV3V_IGNE{+C%C`d?hp*Ac;EninJ#R`dZjyC6-Z{|uzW7QoYZENP@ej?-+J@|!Nk z9wlx4Tg+_yeg}Wqv|eQ4W$WelU|jkrpXlR^1ZIKG*^Oj7cyuituLgyGeEJ4mbk0Y7 zLUlRfW7d$Dfg<&}KtIo{RAfI}nrvQ{F3Y{;`4c=`$lwQD3`qVTA}lEoB!qQfLP{FEORkc%z2Np*sMqE`!kCpBdo1zIkjM6;)*KyA)`t-lR4doSgN$-r^C;0(RN2y z@dwY`wL3530N~q6ueEN9MjqArhxRRy|nf^75&4 zSZv>wuF@JULwS|J0~RT2N3TKxLz}zHFr@Aj)ps%H(}#-mNIa*|I`LhDS}3_n*Y%IG z%%e{l%*ER_jFf2nR5x>Z=RJ~bu`ZmNyBSMw-^lZSKT`B`r@y7*qmqHfvx>L3uFywR zQGx;mkB^R~+I~tGekWjoIES%!MQ6k}y{s>Dm41ftad9dv>9o%7qpJaI^KqUJy45uw zgKsr%SGEpQmb9V%nmYmyjnbPPXt2a<3$jk+GV64rpDC)@D}ne(6w&ql2Lm0u9Q%1D z9{opVZfoYI6kWOi_B-5lF2r%B^RX?xiEk8S2Rz5& zw>tBc!O0_Nl&=G6h@s+r>Zjs_wZ&5nm+GhxR~nhLx@~JJBVk+VM((v4P>Q!lhcY z%1R2|Fz7GLgQG~?{4dwS*D z;O!4G%zXDAnJd;_AGXyqAHQk09%Lwa>r)&@Pn%5Wtlj-+b|HDu=!?aTb_bb_sS+{? zkp-+`*hQ~l)r8>N)_`uc53!5l>vPg0OKJyfXE|;%y<-qZp2$uLy8F4M{nj}yL%PI$ zv%{atX2Zyo6x1XB?B(+CUv!|QQ!Gn{K%GWk{nZUS15rj9V>BJWFdlNRhlzj5B;*?W z0s4?q_oJBPh5>>8fGkWWcv{P#<%eSbGbHnAl|}n z>XTGNN|a^P>&hz+$i2>L;-cQM8t|8e`&%L}_B71ygXu*CR!(Ktx~&TZmpi5}Wd@Gp zwBI)>WTxGwS3}c3%-Gb^Q*Djq4>b>_*RvnwG(hMLy%w`bU5W^JSUJe2dj_C^UkYvl zZEii%7fZZt#3eJ7q96$jGOUj^cQ?Ag!LLSr7J`!x&xsY@IjZ={`R-26R#Y(mQY z$kkV4W^~y|;QF29hb!ef{G!*T&PqHHy%=&DX#Z>cu-_(IxtGSUmT@X?$0Q{;o0rzZCRdf*GX)2Z~(f~0!o z^banEU$lLd##+?IyIl?PPSh8z*+RBmbw|EV_W;6;?^b&qCLkwn^hk27WDM0*$EE>z z0TW~B{|dXChKIXNUxyPSD>Y!pA_U)e*Ouy<_Az-li531Y0G@w&0Z0H`6B-t^elE&E zi>ED7QKD5a2>9&lH2kssi40xe zC)c3cu6Wbyt4<%m_k8)bXODJz-E}h%Lw+-Uy>-)P384`JD}lmZ_{{|wN;Bk&(xiW! zfP4XZuB*r@Lrb%VTV*vM-nO)*#C;H6f$jcsr_r|mPzxP%{N;eG`t)eL08G`+E;viL zR}CGT*n8OoJttQap9i1;uC+82RX@VK37UfUDmkJV#VK1cOrW> zqgm=e2FtWT6q)Eg=!x4`KwX_#gqXX>0sTS9)<3u=h+fp`^4&F3@$E{L0 z5qJw3%d^l-Y$g7VVRVv$4Wra-n4b(K;z;4$tlG9(dZ!s?48J113vxM^(KC&CUfObC zxIC#ek)c@<34bzcp&uHqvP#O|1ci#s4h4+b&bo0>Jl*N5sDL-3DAs4qitJHth)KWr z3Mh8H(n;IzKQ!8Xez4fsed=vEX?s$9R;y$2h1KiOIqnv*uc%qmIHxM3v>wgLvKX{b zN~^9No5Vm$M2r2~*^?O&iYmgvxQoXRK<82m5~5fVABvtAzAD(JQA?j1xCB-V%?iPU z>Wd~?%GFx0uFb={jy>3PdKIY(*zF$vDfy?JH}3!;8!jV;VE^3(B$p;`SZ?rc!zJGQ zv~nSz-q11}mifeOp!yq^fQwc-my z+HEP+8yr(t2R|$tfo(!9SBk=DbE6qv@9Jm3w2r%c;OhjiVO3<~5&2Z)K5!0b)!V5F zb9UJ(9T`%)4{R20S~14_4d85|2n)c@QWcZ zs6}aW6c5WXN%kbVl+F}ugdSH9Aollo*aQ2vb2jxN=u@@R^ZUQh=ds?<^_aLkdpKG9 z$qlnuH-q5}APIG@rQNF9iH2~`G-||zsfn=wx8mBj zzf&>W747eQ!yPRb$pa#b%&=?LyQIQ~z$Iry%&zIn)4rZ!$t5OLMd^g-Oss(pyW(1H0PRl7-HIvgET7 zz8R|P-|^u!xLxo#_d00rWa%wT=>l~U3 zSxuH~AmZA9PqSe_hvzyaEye%)?9o0natt*<<8|>u_37&92oyYo5p z#~6H{LbxnL1X1+k!&TllMRHT-INi=2efXu*PAP(;#q|Z2<#gB z?!@zoSumS9M7@OjnjG|I`UcVc3O?-UcPX+p)dKo100m3J`J_N{BYa2A&uXgZ?N7fd z7kmy7p%0Lp8B-c3dIINny{>+^LF34#%{;>0m{3Gyw@_T*4$Jr_;meJSH&nhyq)Xc# zbu}6awPUZNZ~UV46<9V%Q+D&L5e5Gj+cR17H)wYLS%`jZ9oyDkW3IPOaZ&hox#l2%Wbd8)`RS|L8j(E8psVs_H z7HiS9Ys8oazdMo7^udo{G3Goy48NyP^QLLK0MH-nJszD_15{RXTFsLkiOnu~3s4?U zj^c|U_OEf%cn5foXD7p%xEA?m9}D^4YV<2YyUwoI7p031S|Z_l_i;VKh*uZd1R~SP zMIo5Ry`{k#jsV3iCJR&sv3lsL3#_9k&DTKIeQwFJ#@aHbfOelg00TV!dm?a=c<(VD zT>dMB&+75M<~A+o=#gxXY^9zV5woq_Ngr5_O@MCJ7@EB*XwUm$dklM`M(eHA$WwX- zuI^1+oIiG$UWAU9IHP91A3vd{AlLoC-)DU5c9tAawT;U&I{l{wiG<6`A%=dh>+m$O zCm`Cgn4#$+UtWf}bsdhwzM)gIx)HlQfZRQ#%$CR+j{8SncblPnk`Kh1EIJeUUMyG3 zPZo>-ZE!lDDAR7c9!Ge@)AdE`o@*+zPcVlqSv`=9y$yH8V1xBUujOF8KWqY4%G8b6 zA|zP*O35e4i;>DbP<=I5G7f%Tw%@XpbI2*1zTP8e@*O_Dzg%iUEqD@Z zQFolcdD$Vu{gq!Q3&=#YX4g~wn9RDjQ-O6h8M6!s-bvI1n~$Z|SerQnNB4waX(g5( zE%=_)I?o;noxpMcRWXt@aq9Om^NdDkJ=_)yH^a?%=LCFm`99M;iUJjyraj}uchaibMmK#rx;1QNaUu1Ye zp2KTmJmQ)L=y~zhwA%a>cHcSP+4M?RJ{8hJv?o@NT@!MtxLZdZj_eVG2N;+^iizF! zyYiRt>KjQFtp)?@?QH7&E48G~(FVo@TnQ~;0^aG6&@dfB3SAta^TvL)WVt~=HQ zBT6Ue0~L0f4vUPsovdq()o4}tgn>X}p8cZ!VL&+IVUvcv8X-xt(@LzIOt$c;TgEw& z6lZX>=}NdI+_PU`#(g;u)!7~BQ&+vQyW@~xYy0QlMvsEd`&<- zvI$z?NLm0Y-?|VHur<&#iF315b}0dF(!;QHur*eP;LlR7HPC4rLmAH$_@;4aA(K$E z)rDOrM-W9xSB@!*k=?_(yJLt(wq5gSC=#21&)AEX#6 z@A1KhJZmPsnhA*T$5wev*YKira>t&OAgLRHv@OHUgh2dLv@Do5@5f`ULm4>KsPAtm z`J;%)>TA5#$BPcc#qZ|DQ1*bI#y$n;P(!Emv7=Q;%vFlWc1%U*Rj@T?o7^PbYbB;{ zfjI)>znRKC6)kJ$wZ}A8cMl8z3U`~RJ3T$?g{9VTukNlzJ20hQeteIY+U$^3B;*DNo z0lp(Sn*1i!%Os+}wBznb90i~Fn>1hiM?qG0IDx6zkB={99_g7EZ-35*ewDLi*{bed zC(;H(mbHm6F+4Kf){Yq{7B|0AFa@l79i4f4`8*ea%bFM9!3lv>cm5PnerO zDFD+z*)T!48~2kZE)#cuPtIU7YMQYSd#poqnMFrg#`3*#DDSUJC-L&C0d*sNUl>tz^y!X+@pj57R0|5;@hn2MlPat@>YB%VrZTxY6wF>%M7^6rBW4 z7#Y!H)d3oS2zlX+59Qwa$N3p*_EJ1OIIqURH18Z~5d>Fgi(g9PY%zK4WC5F`f$d;X zq!t*zBt{%)r|Y@xAu$9(jryVH(|*7W6)`WH ztKXRq#!MF@@gCfoiHh)UPwQ#eY^SNfis#0cQo5ovTrm%uRZwDXy7$PzG?~t1l1SRn z1l*zmc1)oYGKllB$cmMz$4?**Qk-O{pd6wIoyx&n`B$a|U(6D7xo7Yt2Qe5tY6=ke z47gK^-+vNp9qd+55L-Uqu<__%B6wS5lbJM8MO{gB@WDq9(Hk)v;+Zg%2cg=m8Ce;q zUFBtYB8ji3xXg|w=Y^}F{sp~;qWw-@KDKf-xO3T5S;YB<|D_T=k=($E8xhJ&Q}f@s z5Jg0zMK#>V(21sjgEwC2uejiz5H}(sy*-QGg{arC-09f&9zUFSYVB}Ked#Qy6(%AA z^laA3OXPM$aze)AZgw8DHoj|=#>JL9>v=&7qi0<)kfN69JDsVDQCB+ls4vFS71@0* zMQhB{Es;J$TrlH-O_Qa@Q_R(hxr)sLrc<^1q+*wm^6y>aftBTlywxa#i^W)n+xwbg z7c`m4>-lvdz1fd0uAl!(b6=U5N!#=Z=t{4dnzcL@G$pwD*6{5f@^sD`b&ey@>8RWz zsso1@lqG(x!|pn?t)Z#2^AP=sN^HI3L3W(AsOpKa@PYQu$!ph2vO%*8#HcbJVx}rX zB82-MG$LBge`P<#3o+liXls7hk%+W@f>OXc7ex>QDTo-0JwhvHXl*^LAw58f-KSm! zwXQZ(oa@(?O__6#Xq!o3t0$399eoWZ1$g62GxA%(_uX|aAK9(#zq5$mJx~^Nc<6kb zc23i4FvUM$YySsf)d}i_EumXpITeBd#H}AT>|2&QyBX9k-ni(xxNeL6Y5O4_vBqbd z;G@4blMDmDU|Z+*x57;{8GM?j?ZZD~f_|X>B9vH6`<>80)*ClA*i!f$s6>6*?aHvr z2>o7>(Ast-RZU8HiU5YVS$Dnvk<4^^>}Q^t=!gbQD)xpbhT>!|D&euw%4T!8Q;%2Ab8DH=)Q!XO5wTs*Z)85ML zZ@mtiWz8Ue*eY*2m`-?&&eG=a)hE@jZe1~5tj)R~5O&9o1$K?2l4OhgBUO{(O_4-# z?4m;FjC$+dG|e-NrDQnGQ22N%jviA1&3oSRuvdvGyW2w+)1KT2rS6$fwHh)W&?$0Z z3azcN($wR1CSV22hIGkeh6XGv-8f#@Z8*FGJuSLVHbvdCsv6NoZ|&@?PEEzy4jkHI z{=_u*J^&^pgVPY+#vJL3Qa9eoqW3b+JlK-p3>f|TFx6tOG9#^d^;==bG24RrUb;30 zJrf_J)4!86E~B}b9NDjV{MLZ9Dw6)Xa2d8^oUyj^?6&oQ&kPX_Ef;dG>iX(b+VnjS zx?Ko9_8&@_t(g6)<65K5r(3MAJmoQ@G3)(^G;U7Y7@&X6-MpjKs=IiNz2LNCNzv-y zT*u88RBS^-=R=D6{CME@512o+%!!qQY<@9efcZ#v-gQvkZ%k4n4QjgFWRGIwxv_ev zx{8@nGT4W8K6zC|l)hmdThbC|hQ9*}4or}QCy}nS(iN{c{<#+&fqY@xas6p%|Yh(6L- z$kaXnbXp%w3=A0958|@$Bekt^vk$g0p^c-XwO%!jXsTc9sASGw6JIVm7%%Op+E zi7xX-hb6h<5h;N8vVN(*4?f`4`hi-C#?_kZ8-IhoXId~lSy1Q0zPsD0G=yBIYu{;Z zB$15_yrLNV>%Ra!J(mDOs;^>Nypxi&V#1n(g-KoMyOk|*1(xDR-?$98s9#vdn8ByF zxKbr*@9dEZ+2Py(Nnf4UF-u}CcPC#LDO%Sk`|3HNnG+*KU3nmT9%)OO#gDyTe|@=W zMc6XKZhx!QO{ZS*efqj|b>4c&T#k45{HtKpDZ|3ed5_FsTsyx|v|6gd=S4M$r@xmA zCttMR)Ld#Z6Y#CraQ|{{W@`y2T)XQN&*(Qye#$7)0>V~$j@B_Hd) zYAP}Crx5v>&UyMTra{nQqC=gHMeN+KH&^*_I*r7sRAIfOxbdjp)=$$u2&ElvD1Ike z03ptMsZqP@@|p(Q{ja=1S%1)7VCGRQOOO=9iKE*~75;gpzj0QXwN6vcx=p!WPy>ta znDfX66ZQ)xVB>#@8Y*D0~Z3&Q=c{^YLraW`NSu=gycue9YC~VyBgIF>mXR?ozKa zwd+fh6hOpaLugpd(`Ocy)0JPmJ-4^=Wd*63GNLOwhyguYAxKP!Rin8W=r zy1&I<5nWw>c^z5S?|(+c3%Qy;+Oon^ckt446KT7|X|N~8f8;&xjw#2Ey1-uG5)r-( zE?wPvr(y-&O?k!tl|Dw2N+QSoyy}GsHZc$oj)Wj=OiGgQm zmF{NwH_1m}B@qRry-j5~YT&j(F3s2Arr1)oDI(eO%H@Wl%A@6!1@(VQG&_kL+wakn_{j#^AelBNb8no>Ul3GMJ|np?T#e)GgS^r_n;gyBdtW)>f|mH{lR@HKC*R)UI?bqMlfX6C zv+U2;xKmszY%Hc&rwtojQhDJhby?_ShvaKdSQN<&rP^TW-hQ6QDd;N8IqNf3vHp!J zu@rkv^Qg;^71?36j4Av?ajvp8gDD*)?Sc*0(@xcQu53WJWx5Rp4v?-)fwtuKETpVh zAR5>6E&lb+Z{s6XS4eAHl>wftnj&&zlF&DUQ{tM zjod$PW`^QuP;Bz=*vZV-g*gpEw96EAR=XlhSv9?vd`d*X*$AuEZ6yQ(wxJ!#DyZIK z`i1pkMv6n`+wrj$gVwE;2pyKoeZjhHkTcNn2;*i8jp3W+vHRJQT75J$)E(@N5R2&|25POf47ON3^8xAe%NZxW-WV|sF z@bKtApTysfMZw~9;7WL~F0A(+$)xs=eo>=(&dQ~@miIYdlkpC|#bx@I>)@xuaRXg? zqJO)cOSpn7LAjg3ioJW>`hi&uJecVm{NsHD-e{Sip$VOS9~L2yI5+DY>$HuUI5FTu z{|5R~|JN4y!F77cvz682u06|9zF@OnQFUHW>#OnHxvtEw zogByEih&pE?(f}vCz?`z7F{N>x_m`I8}v?T2 zZ%oGEh|k}S8)B|OSS_{}@poA%{^sg3b{kJFXP0t)nLk%9&dcd5*PAN)NQ5;U{vFde%T#iLiY5BVD|=*f^|-y!7H)iOw5>RH&NL8h6J*Y+||7SDm7P zaq{S`GP6$LP+@1M_gC$F94NvCmsJB7@u`bgJpAQ^c6ghi@J**Nn#|bxLh?Uv|L?V! z>wo{lAqJ2gh@S$>;apzN?o9J-nki2N7HZ(0RhH79Pw1_=Dmp@OcX=Mcfcsn?kQ|3mg?xi4S%Fu-nnQepn@ zU)MOn_=iG3+oq~-LycTmUj@rwROE2wPQ7pv=qU*Cz4JPCZ%Ep0t>YC$PcC4AYjN(1 zVs5Bk(a1V~VJBxMs4n@&caR$Q`i<|+gr%?2o(D!_4z6iFdagNr^W^-Vqt$YYjK&gO zz1~Rq3v!VT+D8MobG3g#m~M8;e$Fks>{QPUi{Mf4YAb*6PVuON@tmjDb(SXh_#`<43l#A=tSXQRgRf-jA^z*;`p=yvB@&e4O4X_BxlRRQmh9<3NX@qFn(ZL)m=K~<< z{SkSnFb;c1&TAzbRJVOM@7D9-0ZjGh9^zR^LYL)!$Jt=jyu6Qb^<#ytqIr?!xOTMC zS%_$0cs0C%#hEEGf|Wl2vUqwJ+(3=`eTojlIks7TJ# z*~8VOu!@a!2K`7>g$-GNkH_*p2e8mH-een6_RGy;F$iuk@=I`d%`>S55wQ!RAMX4U zZT{c4`rq#R&xap-;tINV0HXTzT>$vZ+k6fnnr+hYedVW)p0$qtcZ4DxT6)VB6W=@wTf9>tATG4{!h-Acg~X#xVPJI;ej2c} z!r{3z(pla0)hqgUj)^t`VxCg(1B@v!bP>EQiYxSV!5sFJmo^82T|*|vN|3q0=6%VJ z6SY60oRgf%@{cfY!w zO0m4^>`}2%Fe^VM?(Ot+Bi2#-s>Gi7xY>@_n3v30XJ z%cxT+=Dl6P{g~>H!Sx3U9sSeQU)|7-FxuLAyJ;q5ZVt2hyGE|fZ8!8ieUhy{Zc*3M zz)<#1qaQKGw{s=N_k6_t|NZ^b*DOi;6~}Xz9*$3n)jf*o3oKGzWmbNrmE9m7HpfRBe=C8$1Pq1saiusB7u ztpWLuajx}GyU@OE1r{uS4hMh#PW04ie1H4jTnWiPD^b2zt}|k78HPr>oMIH2zM!i6 zI%n>jVgmFe_I~jhr&yP3R59m=RYD#VILh~&xZ-?5N2d~w!_Djh)b@(E z(oix|J_}Ly29h#AO)bN<=*P1eTI@1&H zo?O5nMwL=cQjobJk|*;btkdJDvTAy(<*jOOHFD;{M4LaVm1Sy&OS0S+hImYy3MrC@ zMz%XKW2GYohNaPpZ#C`YcI#Zn+LB%vkZhuwf9Fgw`R@!Ho^#T7j_JBAU&PU%>hHBO z#77&vJyh^Mg;BQS+WpP9)yBwnixhT=)oJ1HV;OZmv?=vsloCObSwWz%v~_DPQ)i-NWXk8@W=%^hWDfW3Tu}Jyk3hM!A20ad z>Dm7@D}C$4y|^v(}eC64;&yLceQ3tE7;=Wa`EM-7r9->DO~qqzbWmv5^j z){K(7!hUv=CyPswP4CoS)x$duBv*zzrcM2KMhc;_84qFJYx}bv6@!j4F=Jbib%)WO z*7|8E3ItU4$VNT8Z&BJ*Aw_$z+TY8yYBR!C+m#oktl~){w2U#noiXKjBO?qs)nK>v zT?Pdz#weCY5i-rh(#Yx?6Z`?!_mI(!0fCd`;$jhOjIa3lGmQVvEssR~$dB-qMbXK| zTlM&J%ykCM=b9{Y)Hk>XE`A}B4$eX(bAPwoy?t?TEexYRK8P!9{^k!_-!NmL%Iwbf zn6_|!WL>T&mV?xm5Y>lE&(;hLqkxCR(pLBCDK$_V5#8xvBQfOl%jKFdqo9!2$ibP~ zJ8I6;%leudfR%Xm3vEeYF{)bEcFJkh{kxTPs(qMjks&O434c8-T5!c>_ldWg*cdo> zy$C6SSTK{nExPg^*WwDZ;~$A*b)?6J)UTQ#p_QSkpRu4n;^Tk4`Sm#efPoUdc2K)D zH(74=OZRI{i%6_$2mcX|=Yh`Nfm-4nlczvy9_2%QK5tD0Nb$I5-0qRmtGkmP{n>DOsr#NZ^8909N%44vYKOw)>AY9u`GJ!aeQu8g8 zhxew)g-0u%^Gh!Xr-7`bFLS{!WuA$ER$h9NunJ(@)QX~}x`+RdzF;c}7C1S!;k;9o znlMDWS4&nYN6ym{Jd8YlU2$HdAv6$rn*)h_U&5@Cw(EdTg5bY2c7bK8l=}>=0RP?ioRh4 zt22cj$^xEjn{u)GNXSh$x_&{(C9ML>$Tm!}LAT_?qq-s#TvMvotm6E7?NgP)!-TP2 zcZygdttB|&2UnwtN7nl?#XvVh%9X-{O?6;iZ4b99L7=f3>!~vUo=nu&S*VhL_ zb7C#PuZk)h2(N3J5p{m+Wqc60zsG7Pzk7cYd8uusmZNj|wwnlU5gB6{UT4unEWaUb z=;RO;1H7V{Mo0ul$Z5dvEBB zIAr0}mp+Kqu5NyoPH$$K`cgRvboywso;Z}Drp86>MaBS=W~VON$=m~Pu16QhrSZ#v z4l3{AZsbX<5_GoAry9u@0Lph7IgnJolm8Bj%smxk#6vLkT4n&Ee6Z+!45FnrAHrGGj&SSRDZdQWWmWWy=ev3{afGi zR17Q{j5ha*_y!vzh1KoOcOIOvc5*^zreRdknPN>4&k7b?O?i}=rX9%ZFJ%v{Us;{^ zkn+WS_WJ(sOgC5aQF<=8QJoP{F#Vu7TiV>KC_ne_p(gtu-7OGsbCX&hh3iOQG>l*d zhl?I@O<%6PM^pBiT(v-SKAl?EVHJ%1$ ztE)a4)u|HDE>%@#@ix-{+8J6cTBSH$=S93q4zAWusf{SOcrlEj-gigw-uP*D2Gd4R z?~vr)>RMlC=#bwWuBGBmV9pJv5RRAn0MO#EI%DwdI?@dJAWT{1jZ|4{Oklv0{FV0auM+hb!AHMhKM#9bE zB+730Zv-mWxeTLjU#YJwHw9eCEK78Ix|5sYCMN?Uee&3^L&=#?mrIw^NwonJHZ<=Z z`j+@!RK2oZvxB_wZ{V@b3KzeU;fsx-s)kXKzS3x&k?!cX&^A-d`6Z>ghdaq-J!W=M zHj<&3B=wE|kG1!3YdZb%E0l$}_`S5*>qX1ep%(EIP@-I>L3C=3iVn zN7pa@Zv58TZ=LN445lZ-3v6!PNiFS9E^!yg(!YT98w???D2)FE`(!Bu5aQyVcTYOy zqp|#Q;Nk|3C|4<~)0_Zxt1g+7v9+$K+B=sbw|DSgJa8S_|CRSEIdyF;c2UU{A5>e< z9h;dH(K}a+fqeQxhW_a*^&F4z0 zJXbDEj4#pQM!ZrP7hTNF7G%gNLW0?O3P$0-F!Q5C3nI7EU(TAua}QqjeI|QHOY?Zg*aZCNGr+SJQKHi5cSDHzj>Dl?pP2 zfmlz%yScawtZuP2{-NFwY)dEs1AdfiOA*8|%IW0@F4Qt;z_i`1J1Af%u=I92+j#Fj zj?P3RDs^dQ<<+#;6VrK?CpNnO#~bjsp3;Yo0)W7BE2w>XgH|B_<;ZDqQAzbXF*Cv$ zv52N*#eB-ulNi47==E*MwHQ_l^;zsEUH`T66$6!=YT`?Y;xJ}!L)K{tRXE8mk<9K8 zSlYJa*V3fL@QZzCrK_E&_0LD>O#jL5oLCg)AE>QLf8O$Z^cNG=r&T>C9yYkoxcn9K z?t`LHSj&XQ%!yylU} z28JO6UI^2aDng43(nP|T#jp%$c7@7Cfz|C{tbrpSEyqOOhDGbzY|haM96nhYS$v=d zdp}P?t?aU-ETyysU7YMizc4oA>>J!$P@jX)nf!3Gu6D`n0Jt>}RlmMGHpUqDokTk@ z2h0|lAN}Lp4EXYwkh~G^rImb)>c$qMety^Q5PMiuD>6pw>{ggY-RWvWxmS_J=;0~3 zF$+-OnVp-*)^l=Z?Au&D?;wH#i=}2=$i_OHB1i`lV7AT7!07YQ@r$gB5d;;Jj&qDfR`etuAD~U@O$j7a3$6D$9iGE|= z8qSZbxi8#u>!B#8;$AAlcj!Cmt@6KS?_y8MOO&Mk&=;N*$&rfSV)hI?dD62HXu&5p?2 zMz=fi3{}sM`W=x+QZ$77*3PCei!z+slkmKPlr5N~QC& z80fipjMzH$n~`Le^gb9He0}?52$o4JvN9Th!IuZ$N|AVYHZs%*tb(!kj4}$`Di_DQ z@p$<6rWko(>BlvHTCkY4n`KpzC_5^M26Hs8ABZVV*^E_cS0P(lq3^AxZY51{(rfj{ zbD`XiC7mJS?lODl|4m-$c<4u7IoSM{v0S<%SUD+H?0N)d4GFffKXmNaEz^z$M~jEG&O%FuBO0(5N04`qsugyQ&WpkJ|6<=^ zg#oAdxUe1?CByZd_a2k17 zJhRu%30(=OwFY%C_>oOm`uJYfalANL*k_p0E&+l9YfyjnO_%An= zRiIOR>~HHCIg4_S4YN33U^?t|{Vx~=_+_jQ`&EYIwqz=AflaWd1r)@Mu+m<4+T#sa zntyzBojL$y=7~mqW@i%aRxePKh>{ZOA8TvJ%&gpOH-~3F7bQwt%lS5GZR8=_Bh|+4 zqnSw)iKSg!hid9DZ7~C|`QKe)zV_@!jRt+II{)80lz&eo&lGxQd3t*N@v!lejovc% zh@&WVeR|xinq7w8_2?>d%$P;6pV4+J_;f{QNNV+I-B-4_xC*X1eKG3@bfb4`}e6k`LXRU%2xaLiS#k~EGaO$h3Pn@mu1sZ%eT`XuEOtmVIZ>{;LK(ejCPix_-m zP^7Ki(bh{c!iAjG|v{Vl>OGHXJ5se6Nwe%TsIA`N(ca~be zsxKio$EK@MJh1+c{HNTyQ@vb7|IOzLHTu!#^*hIOv_85nU$Fds81Pxr|JdOC96DRa zrxkS~!0+1d)QNH!Re5?|peIcIqare-Y1ISJ!Y z_jY?z{o!!Tski)4@9k;K+wfwY#bW0yX@chVB{k{#@{!SPJ1MoR;+~h(g2jAv#yhb) z2Gzp>1w2p!silQQ{h9zAxuXe>c9x2vveGGmH-9FH+}#yZvlj!OY%w2M{*>J!Ycg?jNK zU4Z^K@)NZFAi#QnFLii|LD=;T-hA-|ZfV(#R zb_y5q>tV3(^O>)`mHwSKusxNVCniTW&L*h;XS}H`l+Dc(aQb@v^=AmA6~rNc6zi@l|fpXl30F6LssYRQo^I?+!d$xb{%h?{a)trPWyT z+47yo5B#q3j!M4J5IuchB|4z`TGx6=_^c>Y-Mph$$!&R?=#bNBdxS|%N6@q~D+M6Q zbr-0lGvedNoAfm9tu(S2)aD5du)hF7*#L_2YO;hv?br3X->N7AN_TeORMWvDLiOr7 zol~LKU&22pHc=gWrpUh|H;VOCZzoUkKG$H)G_#KkS2Ak+VqM;XEf-Dgc(?nKt}24sa_4ptJMs*tsnBd=>?krkR;n#HNqUJSL}B zQkM(dC-#q<$X7EU4s&7>R;e6D3UM^RS9=x#l;@(XDQx_PeASnw&C#qxF^R3WBb|b< ze{(4R(*j5RGZBrv}=E=O2gZ4NWXIB`VfsJ@brN{W)B z9EVnzGu8C55m>k3spu9leyy)ofXU#%f`-+Dtfi3Gf}cK{42>*?|LR3$5VTr=sFBQi zo2bpJ6Xw&x5v*{TAws^6$n-o&hatKQA@;mUU;v37F=GxEx(;zzLDS;YodjCvB~ z9GZ`tpHD&r;OXQ&Uk8mm6_a-6 z6(DwacNo`IkCcCq!fKzVhB3wZYJIBA1|#($b@0+CALLXBqV_~!q|vJ8V$nv1d65)L z9hxV$2JFLoIH>NccF{R9^1NHj{|g=#Ggg!Vyx0GY56kWhm_KQP6;IDZlIKL$(#xg) z#LeoN<+v`73KTZlzuH-yb4oGMao?6+aR;aE4Dz6Sag95b_&wOp?A)F6i8emhz+c1p z*GuACD=8P6#P`Juki@bX`ZS`|6m1mCvcv>Sy zn^bIAYmWSAV$IK$AsrG}wTM(2>jn;N=2qD!3Lf3?+_SeiF`<^EHIom>X%1b3uqTOS z-j3jZ-s7oKlKPK`-5@yh***XuVFnICc)3TqfyS93$j2oc0m4OOh3REfqYst9Mm++3_ClBwT9`6Pc3S)Qi|Wj@orRzwzK zxWmd6{6`1n2aqM}p7U)Qd_}e+IcmZ3{1Lkq!?9nG^oJQYbY={u*9$m4(_db#UM~Mt zU6V@6Zgi8IZ|$sk+;MPFnA-ozNO;EBme4dvwlfc5g)y_Al`+L&uu<&oz0~ZG?dw*H zyYp6yGEH(;Bg0IOOzDW%c`A#CBa&`Q{3}7*@YPqBwMRhm=$ntK`%-bRya5(NG?<`A zy(QXQ?S6acM~e3+C$hXj<-42h^yE23Ok$I8N_m*K3)Tj#+4R2SWMAK`=DjpUCgmp3 zr{0+~vP`S?9tOI_X9AY!|(V!Oc+n8$=CY+RCTzm z_OXx$1pONXRmfF@sQ)nY(uxqBNrumqoealc4O&hP)Xw#)Zx01O!2Cb4fPb@~?ZN)| z5*Gy!l{HbuPiiw&HH_V3htC!AY6Z%07K@}xdu5uY5ZYW`#kJH~{~OO6L(7nXkxni_ z?2Z;;+jx)v;8NqPS)`cvVDme3=ya!^Xuu2abf-JC?vNwFoVPNIBdnjWl>C$LzY3}c z6fJcw81i~VGZu$VDGrChqRNsm5r?ibw(T1$T?fJH3|<_^K$W@uuu?pLK>ZYYdY`>VTdNm#{!L>0 z{EF^ReP3$Y<}TS&-_<>Q)}TSieq7bha8Qyj9kFBRJv_u{5sFFHK0p0H@%fZjX!C zeh@PtX-tycRKyPy@d8Jc)A3R)JG261fQb106*xnuGtrY_khu99<{n7}U+^H|1V8_&3$$^RLR1|5sXST4W#M z_m!igrw^n?C!cWiYH~_O?!jvfvVk}u%tLTFxVYt)y;zr=@6?Ba@)32z7TN*S?MpmY)J!p8 zJ?t+fiq!szy4mk(!gGx6GIT_zzT3(rBb}i6SFzV#b+R}-weJG}UKWcZDJfJx=B>8c zC!s^gaEjos7Pe{(igwx=CT0Ks%u9V6=H3Ib&sAOJ1tSmI3N)#zUjwL|SY(q0T@1E! zon>y?4IPhJ2SUN0v`YUk5HKeqTIyOvb*Ddy>#B_oTVMV`OO<-scn|)jT5UFHaaa?z zao-e@_iUoaJ|6w4WjAiotD2JE-G7q+MJ-R-5yutOk?wNEx8{@AbzD=Uh#25T9`zbLEx49pU80=*D zxStm(OPXKRJ0csQ4fDSP%n^RC^ypZZBC$xNI`!2>ZF`ra0_gY$E=5vJR zw?(K}UX`$I4-b+YD-MPgNp6?&k(@*|mpT^8%L54W0)*lDXaEL4^nSc%T#Mb}1 zdx3Bxs;0OXP$GdWDj+b@A?j|6B9hQA>135uRiT62dQte|Y9J%OQM~(gUH>aF?tyAf6p}dq+s!v>>>ap~maMlM3f~~UfIy%bs zzr=dbx*PPd50Uwdu3|-_Ve6)1)%UpkG!%g#d|3>()i}s%ipJt18+n{jOWTWh7cu=N zt&0EeM5$qCY_{l!%T8UQ09xzeN>(*~=5z+bEC1&{{u}h<zy;!+MEf%;qR?gz)Re93%gK|NqNY%n0 zxYQVmd6NI^pYQpcH>!R+(Lp`xl`k%K>Px9~=#iQs&85Kk<1=fL1qTmEz%+hIwT=+5 z7gIve?kJmM(q@Y75?h$|mE}xu6|jL~OWt?3LCAU6Cz9%d;#5nG*D$a7{qg$V4`e1| z(BxmDbLjsQnQ3V*AG@1WC&lYa|2$8*sZo$~hrHPYXgjqp5hJb7zTUWcW_|&<$Uciw z5#^w{2OUlk%mG2{?RyaM_ox9LF`Xqnt`Ll-WXJ&2tMNfn6#iqXw%`C6@gdcqPtq;U zT0TzkfHHM)4VKa0eCY1rsjLM|N=se9>7y`o(AwOo88rd-6=K~$J`o|lG?)hwe_`E! zNkP+o6hQII6--)4MiATSh5UOMu%yt(PVj>X&O0Gpn(s5%-c&bB?GJ&%muF}GU6}Mf zV0gO;R4bKgP)A$jn-ypfd!F_v1afAM7bJSoW$oR3aqpzijgPsFQH78AIR1a+i(aJN zP4rv5WC%gXB9|kkpzk2MG~gZ0c z``u%ED6H8HF`grG$D+q8?8>|Dm$6CBQViMA&guV7QNhInM=U(2vE$l+-%n(ERynRi zV0ZJBqEG&I6?*X$p=XQSlvOThOxqf08BJ9tnoclj;g_(P`B(mB;^g&H)T0&nHlb{R zCWh;;8yDANCPjygEi#OxyRV~6z3u-HBrJWD-FfWjv>Ndhl_E{Fpr?YSBm0kq?Le$d`nDyPzAGxU-pE!deLtW8|0fJ z-;s|nx?lY&%y5a=pUYoyf|v2U^=&fmOoe4qs%RLDI(*V9#P8VvrkW>NI52r8q|D!@ z(VnOq)H`E@Q|+oo#SLch`^+pBnM>#fwboyCrO8`YtqrnH=QY0jiB7Q#{*wF`Ajc`* zh#%_kPn2@5YplFr`X_e24|6^0IC9%i`M|d~zR4jbvtz48us*D)av(+gozZszA6U^n zK`5=#WB#a@Cr;QTP1IF>4tQa|g|b@3tM7Pw^U!vkBD|yhSPEyyWD_O%KjmmN@|&4&70@B{^;8Z zofhx;m*)e}*8tHsw?Op6*b`s0t9Hrp)Hk!2tF9g$o4o`OmTS?#y4`Qdq505`8{!0d z>RK$^LClNPQaCU}e4qEsW-&xo7^ka;J#p)-VZ3(#(p8*++7_uLbu1RrovTgVcPUv|pDN zrg-nbooSFx0k$TL_Lv-wE4NBZ6?MJMwyuR2`67<(^!FuA0BDTYGHVUVPwZC|&NGp? zjk>yQbQ+k~IoU?|>)&D6%Df$iexg1bw95sBN5+pH!Nr5wl5Nh6#f9P<7aOT>#}(0G zkJJLZ=SQ?V1ndQnJw&^26NW*AL2Ce!La2B@7vnoVtJ7pbXqx!}P%$ZXQ!}gxIGGfc z{jBPoXHk^1;Ne?mB{eLR4ujd=#dH;A2we)AZwps=F1B_mz1O5xR}JYs zoPwlZZ;Cx?Zklp8B)Q*9j?`ifP_4xPZ3VQLh1bh*(gHxWB_%%Vd8_;VkisklOoz8DQfb{A%(aeK>6&Op7~hWS#HbKZJLxVt>ds9fKLp zY36n*P!KlLwc5fx@=UkCQw_S-`XYl@TZ+JF`gY?qKYCtr|0Tou;u#?M(YV!Q*=

        Nr`V+F6!E2H;|#8?P08YSeH7xSPnYElAJdE^E4n`-ICb{<+hs> z#}R(W#El~UxaDzSjYh~sU>sFI{(gdQBCqKaYFwkT_o8QlVTwuK{n8t z$s=zbT?a@g51UXRmj&Pv-U?;d*`J-|I0;S}du3}bK6ej&d+1@kce`Vfi**I6Nx!x> zV$6058O$7^_w{vO1R=`M{{4*-0jPq#iV9zGAA3uxym6vh{o)0&LlfKv4NB64R&L!C zMJv%CK1wsIO7`g5q09>gTi7y^jS}V5Y$|1~fnEc0vX_De6`1-=c<);6@aJrEB)Aqh zujxc$^&GdvI--h17_Q^u6rySRL-78F0)*Po=6 zhQ`2I<6FUZ$Afw#DeS}YzzppqGEFB(ds<*bGo_cCjO>zY5%s-liCXrj3={@5zbG%j zu@ICGArn?+H6vr~RulBhuDNYN+}$o#^Uw_2+}h(M{VPDwjkuJWS_YL55Qc`^+9r1O zb|w&krEIDiUXE-N95mz}!X)}&10MNv-D=s!qc_$L0{i}Urm}S}Le;0QdHJ;aC5dtw%qSV|KJzi?Caa ze;X#M8eV(|yd$uYUTT+dDET~LwwXUYYl^11=$?%CUsJ-3N$vC`?br1pOc}=phvJUY z`ec?Z#;ybfM?ZVsl05c{NrT?ppPN;oB3aR)>Gh#~PjI@^;9JYj3A5gp2i+mTygNu?T z%JyoBY4U&vX(Qa$wqn%2G*vF7nOC-Iicr$f2sQBuWF$~xSE08m0)~=wY;ghKPg1a1 z;$|xq)1H;j7r*icSBv`es}cEe?pKB$Wt6u|$XC^Avln&~&Fd%EDa$Bbni)6bJlegT zpD2#P6vbt<}oKVZ_HK0J1@*R_FpxLv**aIu5us~DBc=|VlO`42W$<{qf}Otf@jSB)|Y zeCtie6oQ$-?c;^PCjK3;3Yj$ac617-ybz_olUB%C%@4fSk5@gv8oY{X?@MLPdidDp zB7$3E?@*W3{!SSljef3(@_{}{m#59&YZd3*uHHQuSIwjEzTB1(>E~JEu|x&R*(&G$zc5v&R z2=4n>J!^?n^9ch`H0G zwZ}f(&WD`rPxq4CzZQ9{xP%?7(L?FEhX9x?$zi=? zNFCOont8S)JHz+Z9YUBlKuzp-mGiWcKmp7k`3ZPwK80*oX}D4DLz~I?pp;PWap@f` zyi3%3Z~#Gb4heL+4Ga_YRV|ZQ@w{HLzAhp!e_+P1!MA;ntUTKKAKYuF9aJ_AyctgU z6bo4pht%$dpSpwPuEpQ8Lo(EjSTY zF_y<(eorG3umLvyEWyf!FmJ&IFTByJjjDyy06nr>{@k_Yt?}+etoTMsR8{3vP44YK zFJBPDDg_ZrQ_WY;L5yW)?(;{W4FKO_|9CSL!wPZ9vCt1$|?^f?y=`Q7d{6s ziWk=qL~?z7{o%_I2;2_U6IL&1i+7iwNGKATeG9`X?BY2olmS%T$GVkrR1^|X2pM%= z&3u3fD&0fx7&TK8-Xn*eU?x=~0+$5SWO?f6>M7Zfq3Xc3o~r>Nw^F?-0~ zLbd}1HC|e3+@!U%e^mzJPmd)uuL+M}gV?c@1qkY<1|x`P%Vk8@t;Mt9pin~P(k`K7 z*VuNnPigXAc_F%UoZ{wN3)h&->uVVbO|kZ;#E-$S8tB~on#C8+=QJz5X6r278;{I% zX}NF=>JA=uJ1=DIr&rw_3fk;~AO}&Ri2z!^a&M#~cw=ND-gHp|M-YL}`y_G7$+lJ! zc7b-)s|1ku+`2(js@0t7>G7GgD&$t!lgMrT!C4_Y->#}iyDo*vPN3hT=wFs0 z&7--|S6NIgShNKrdrHMUg&UKFTa~D0Mp%mp3;HRBvL|yjKS$FlX+Lz+H3&AJ4H0Y7 zB!~dMd|dtT8<;znPR!d6iwhn$a1x{P)+aFz^mYsLr)nGw*ElsJeZ4Cm2DPafCS6hk zpHYL)1Gn$%F{iPLLokE26cD7t0A}BBlIFKj0kDo;<+K*jrH3tfrqCDC{pd44IOglB zDxKHWC8kf2T5r@7=YJ8RsnnwR5CT@X-22Gg5s%nSGc$A|h zoEcA4#wD7^2aZ@g?nOAqxGf8O4XI&%@-}Y6-(Pq(s8~LUe~Lq6@nLBXnCbRfMc$$ zS?X4@m9D&yXD^zkE@Rwdxt7u{Q@F^MbO7&Kc2^zW>3kWu`)M_9|3$qhqYA)YrS{Iy zo-5+Q2-&E#g3jd^HPi9jj?T{kr3FzT#G5kfXO`BdZPo~I1bBBe3wsgk*Hn=*C5O=Z zAnMDWBg#N=DE}E96c)+-xlh9lHnfL$M7p7TzE98j8z`puQ`jMWscRRav(MiQJ$hDB z`RKpvmp!NkelGE(uI6Xi^4V6Ad;akYIl1-q9h~Pvak;_%LvKQHQ0o9ovR}pb z*Tlq`D2<%N;J+gMg0mwZYDc>^9Hc5FS~L2(=F+yt%oFkpr&H=xFT`ZvEu-sY%Nd?y zChPLGvw+obqAm*gpzy5@wM%PN7CPumzPkJ!Zp+CD;O5=a;bhBUluhYp2>fnE_blsm z23FS^aT)$vDlr9wV`PxGhdbyF(&$NX4N`btKQ>C1t{5v#=ARDl4)k z1q%LX9WX?pJl{ZD1BTmHl#k)^@>uYuUsh%XA_%!x5Dh`i5#{k816?OL#8tE}%=KgKZGRHE0jJ=mVBRLCp|Z7Iml!bjz- z44gwmb};U~(}yk(C%3jb+}W535xwfTbm!9Ny`vAGvDJ7|fmuj}!=6FiBVKlwEOwgbu|+72U8TpW^jO)Q|5oflciA28dbtgEdL z@^cw=azF*rT3$WF?!1%S{MZqsi*G-XcSJ(^;iVJGVEIe1;=^Jyq8^2K4F6PomoAMvgSq- znf7b_I9L=Ix3vD*hG?WF5_pmFNo3tGX7XY#F29cPS>b}Yt&fKgO|87avwkZds_r(& zneDJ;C;W;vlJNf|ThE}SF_Ry2SUZ66e9e?$&;x7F91u5;f3$ z&%{VIZh9Vzsy5*G9Rl9kfD3EBGZt^5a8Thw+Q1&PeU9P(Ajd2?U)QPl9& zIBWj_1tNO`UzZ%v{#(5?r`M}y*@@?Uv_t`w+RH%sm=C0>WxLCF)sDE23kp5sZ8&VY^(5KFScp;SqkUoV67wRP(7S}sNi!9^h+AuQC$` zUw}^8TD^fg9s>2)zR7tU#-}x{H`w>q@Yd2mwW@fj#>Ek-hGP~pzv0S%m)Dpam8~lb!)OXMNX$$cu;hGQYhd1+^B=JTxUq~AZYXRvL&Ae^||MQGb-*H4gPp9fChG;Y%Q6oPPj8m`m#uJN(1Iv z-I}=)r56oe3|Qsd4WI&9hau81T& zMo%wzxAaQ~Fx8AXOW(rVGt)*(WH0TpDWk})yxrveTR)4X%7S7u*W`WOo(A05QBb4}M$GfB5b<1#T7HS= z)D6#!YicCNZ@#3=Z~jz&yK2VtVVdB!pOpUvb12ev$UYb1d&I>l+2^JLr(bzG612tk z?80`>gX^(}n##w^?`+-I711Z7x3p0Hfb)*N$o%6^AqDuUN{1BYq4yEp`A1&Y1(-dk zZAW|w5HVBZwuZhYI#o`jC!-0LV@^}XwaedQiR{m*A==SzGJ7Rb1M8;k<~l3c_civO zr+Lqvn)~=dv;$YyvO-B&wJ`CZ{)0~8*E0fd#e*)F3v`?J>HHO*VH7ql*@~7VF;se? zkEFyj0fX=MizDm9eZB{~W7#h|ykfG}{f7bKn;H5W;c{bIG z)}Zk1Qc{E9`klOuw>`jRifAJkYP2;nvn^^@y{}Z~>Tq1@eG4te@#D4UTB~S@TQb4* z6a=Nz3h^MpCLsGxa8s{zTsYd}+7N7RnMOM!l=^iJe{U@p#C<>-eY{$->oj3rG4A&v z-7$V^#TJU(@v3Gsz?he_`e`h)Dbq4F8&-aS-fF}~p?uQv+L-4cSyg7$629i_+^7i& zT`O)8mqD#=Fg?GwWyJwk^y6GZEKO&xy4wd*kqeCj`;UZ?_nzDqp_y3)K9F&3vh9pr{dY0u6|84tSSGwzI$gv^5SE?NHr4frAb zs4z|EBw(HzBrLQiu$iDKo)cnwI^gBJ^v4?!D%$%O=gP?^pctLJ-oDnSVD0@^Gr_k# zHnpb0kHGz0PEl3mxe+9DtL2=U@M~_<0_G_@xnC0bQ-!G*r^oO>NBh&{iW2Z;o_(A# ztR|a+iZc23Ch$pHWO?!EnSh?=}ft#{0h&n=cQUd*yd{fPd;YS;BJypoE-2 zi7bmkxVsY$6Z`ousBxzt4nwS(q3(Xe+KLO|Y&>qIl0uu%%#*E~WK(3A&VGx1VQN#o z8mzc*;@p;IL2|&L59KxyU!(n3+MCMx_7Sfm-k3n|zTd=h9=)mzDv&MdF>bds;?s6s zBTi`N2ky2aiSbV8&$16FeXqs+CZSAcYu#mAd_eED#JF7vzYmA&35y812{2>QRs^(e zyZhcev9z0Y4B^Awu0&LT_my?9%XxGrsUiS1M3+$Y`kmoBxob4MFrRN1XiMYsI>fIX==`5 zE1O}`W(5W1cIwO0uDOXF=x?#K+R%b&oj$!*c4}Jv{O{wDRTUP?!*%(5x}fhx2SuL} zLJ6vOL_wn+A-6%5@mq7`iW)DSju>JQqA(P+evVUsd!n5GIKcX0rs;B@6kkd^kC@N>>cvH9{Q6-z3m?w6 z3g+=IrMK?3ub`HpZY-J{Majzb!FW-}*S@t&H>Ji;-Pc+P3f!R-A};#wak%uYU>%DD zzk%ltQA3Uwuq5+t+r3>YVx2;AZr##Z1zAwNZ+uA`D>ojr=Y<+#g-@)emTivcj+;^6 zp$h1)Sq~n}XIibw?^Ug)(`%ZAKE&1~qn7SCQ0LYalYAJf!%zKZdt2fPSLzW$j6sP& zJp7Qooym9i&cEh$i-!^@-_oG>LEodYBb^af?yGLE84*qK?1`wfLEUAzokIQ6YkG8~ z+JbGP|5_zpQ8DpGyHTzH_7kmcjzeM5f~~r=IT(kwv$p1ea?9f=z{S*JZ+~na+%q0J zu?HH9-3wG%9j4(5;TFIRnIoV3dJyxXSO9CD-=#uMPI2qf?0Z!4jZREdnZU7*?*1sR zT^PN$+i81F+4Kw(h{(qz(&1D><*qpNg09Z4wEp}3&TFIoEn@B4>xZ}gx^r7xPuLxGsKvx}+r$|G=%9Lb81gw2|vws+%26IPEjGUoZXr0)cIQ z>Jpgs=!w)gMy86*1F^kr%r6jh^=Q!bH{e_QbAJUb2@jTOb8fJDV-30m;j?S`wzU^m zSn1Z4N{V?rTCbAdRFLeuV>$P>?L(5;`LJ*vE9!yFbV$)6gHxi}gxo^tf;3HvZPmQATLyX}@E1u%1h53&H3XrDUE80Q} zJS}@g$-z@+9dLX6C?a@Er$?o;zDSj%x5eFnj=`Osn`U0w?XIw= z=v|faHfVMqoEQbwN+0#z)2Flr?`3s>-J&iNWt9@M(gJeevq`R`ceM4l84+oF*C;JU z!FEj+I;?pZrA<0*-d5};7fp9|Ts9eWX-XOtTqgyPYbgA|!YqS2tZRv7^>&PLEw%1! zqV-4J+m)Hm+RmLzyHq*-J3_Wa0>voW>^>*jX;_yL?C!GjJrxz-sk`%Pg;`dYu!-AU zk=X;fGY+Fw9^Gccj}{95lQ54%6Ks4I=*tN4yJim@%IWXT@j2|-mMq95LTX%%pB-T7 zwEP=XY;1L{a>PvrfhLMj&MKfisuy1yvj)cA8-5M$&+2il?IZyomrwZ_A6)(2Rom5o z<#K$%T!TV8KZJ9y8qkc0Pjd4g;DWc)>v>hD>z(7{iTqKTAEhzXoK3BEprCjC2x-z{ zXicPkm|BybOSY=uGMtD&YxSlEtF;leo>?Y+rb(f-T<3Ik~SEAPAN#Ga2U={L~PWjXNugUUGUtJjmJkq=b-XTH=ho?b13y<=i$ zH}4G@v_y!D)nAKh-+Z+FxNtAl)G_#24LW${yqa$HBk0sC&5_QLFmXPmaE~8{1 z{v|(6Wpf*(FRqmuR{7Ng0``7gcsZYT@ACoxD-9fpv|lSld+KQ{l$ExRDhQkVOgPul zr-eF|Tq(Cd+x-3o@JpH9Jf((du8vzI)3FVx19ah}iUb4jZ} zNn2?(M3;icfh*Ej(uF~ewcUXG4BKO<1gKCjtS5tL)+nD=ya`0Bz6=sjD!@Mi>@+Qu zt?Ri8R(p>buOVnH#MYkQ40R7ydwW>{dZLDyy&eODJ3vhZQmx=eQ)CF;oX{Oo@+V3O%>dtxZ z#GA<}B&~jS*ehH$(Wz=Mq=>=uEpf=6*3@w|z4dP1$J(_UU0TG7H12(kwWJC8ksxXx zr7vyx$-a#Xu1&kX&8SzO6BbhM`m&3S;*XnKps#lXb7)Y9cNDXWrT0e*cbR*eB4;qd zw+YW@+WU?>7rB7Id)zJ5;m&Yv?~TNA0rzqLx#f?XO<%PH-@=XYm25P=25=!7wiAJ7 z)y{vMA$E7^8hNY_l+g+{R_KxYH)(BlI^~^C#35acN*6OIr4||Vxls9Yq~F#+W`o0c zk-a~Vr8@_=G!g*Ok_D%;jvmz`GGwA{4!b5w*2w;oR7g<&hlJZN{(+wq;Fdcxr8zHH;+$V%gE$rmYh5t0FAKEsx$NZK z!I0Bf3$bVvjJ1{af6wo77g_MJYh0z`50`hZ4r)|ty2L3FVF=NUt=;Huv<$l+l-0Sa zGgj%J(nhAbk%t+y;&(2m*ZX6V-1}TCKB^;IO{y;Q^TGXtq7}8%C)dyF6s!Nz@yC}= zZ2lPpdMVD|J#2)kCRFO_7uX4L3a@^b%>&xFUm>*>E;`O0JQiNQ`~8HNb_hoh^kl08 zmT{s(a9z_n)nw1wbI6oZYb0(?{Zgnu>s@wOevK|L;5)w+bs^Dq9q)imsZ+MQ-?Ikm{L6#MzWRDZHLp#nhkooB( z(Rq$t;!@lvKeo zh$!e5jf#i}f)I)rAOg}M5mAbiz{UbnBBCNvLNOF60YN%M1QQ4))X-~4NYB66-#PdD z#(&4X_nb2ZV-3by5C-dg-#MT8%xBIycQ7t!G!o-KvabHZuEDj;Ur+;u+}OJP1BR@P zw7)B0cNOGkU3I#SE#G5$6OLZ9Pzc0@nof@+U*JiOd9xN4;LFxn!N5!WPM^#xSJHlL z(;|R+xU#jX&$}fr{W7%1mObp+w8GatKg(0 zm?`6-;c8Yz=OixT+wRF?eE`aj>Qk7QEmRcHM4=R zM~i6P(cK;Ds;56SjHQ!{Hhvwkxnfj8{@5xlOMj)jF|MPPxctjX3Zq_U(rg?th^_?2tzj%gljJ6F)l`kp}CEm z*Hd^SL!q^onzC6A>=fD;|4m&g@F5e{dki}kR9nuPY&M|urPNI?Qork)=0r@Exz`wI z6fUM@1Y~*;fWYhS;{dNNn2$rR=@zei{wVlF?Go>)D$4%fk>MSU+4d*&pPxZLzs%{o zey?@IO4VCRBKDZppD&qEoz`4G^@n$gLP9n3>=5WY?!c2?Ioge60y`zOf?+{AP-*rQ z6q-p`ep-(CRberzN@9kUMm*R}yj@iKG)3oj;+j4HC>!$1)ztSL41KZ_w(qd=QyrU+ znfK_oPKOy_p#F{SdEyc2qYvC`ffE-n5t{^r;Z^IyJlmf$_anPqP;kk9krL-ju>2Ei zFlo9O!}oF?N-i39Bt84#*i!CszhBG{!s@mM@-ynBQ0wi0q16rEf3gE0%8HjN$%0Xv zPLB-tmm7b{?l&p;bXljL?s43Ch(W(Yw>_~s3k1f$rK-UiK1NIww!NAHaUR-7zBtkq z4T9cuD(kFtuh*wumEcl5ERwMH^+EXMuE*Ngs;uCV-fXumKI~YmVu1NJKh$-im1s~z ze7+}imnQd1We3(HYa?A zbDQG4d9WuYP%i4b9e$D`JX{SKxo~iOg&>S7kzXmPUD2u_e;5|p-|x_EQw(^nuyDd} z6&Pi^FZ}IZBoMBUKfFGa6EK&Jz}aon26*}4)bg{DKTq=Bzq->`|GLtr{M6b@2c%7} zDRTVuq#laL+UOGUsbLZt*R%+{&b<%T;zMvB_lH!CqQZS1hFi$~irwba>ilX9p2L#` zPLX&$qy_j*>Z!>)Ve>OHYGCd;*}F9}FEw$fpM{-ZAuGRRZ<_jKBsY`$DwwdC{XtH5 z_;Y+pK(8_FQL1^SP@k$y>(Qpz-zTIk{7r=86{- zNR*@cy!Loa*a!NKvZGoe%Eq2_yKCBnMtDC>{b)Ylr?(sjNb`X>>vkT=s^06O%H$kLJpV1KpaIrm}K2Ne# z#?S4p^I$weMic_w?+WVeyj?pHF5854xq$=jaxL6UNKqzHS^l& z<@vwqtviHj8+#XaE^PPb_yW(<;`FhtA_pcF`PJ?iHsr@K_xw9S3LBgCE+esV_go{I zH%^fAt4(j1l~2TW=7cXn&OtS0>MDbuzOd6g1>X3rGQR#dJ=+(HTmEUPiS(be?xY0+GpCXbnNR$O++V#Sj0S~! z8gacVUVzZ|_`Xm+&SmCjv++`O0GoaOmG~g(Xp`+iO(oSVoJ^i6xhiwVE!Dp%)N|`P zB`%l(f@x4qdExjd`j4+RYpqG)D278pL~(;ejd0{gERD!Kma?0_9jt9fZC==R&+_f8 zYrl|9M3=xG6*&(uvYg#g*GJjhm$uZRq22T;4AhCqSumR^KT+~W)qsbm(@@u9Ca!vO za;#s~Z!!ce{0JVXcXliRJa|c}B>Mm^+=o4>W&Co6TCLc1_1|H5%O$td8H}Vbg@H-m zg6(Xfw(FVhO+}sYdFS%rz49i}9=~~b1McmE@R^euqg{^GM}MbTx1Q0_^r*C~@4Vr9 zX@4v}w6tutgV%C~=N0U@{*bW$9D<$Kg5{L`vkV!8q6dNKDRJ2Zi zBxey0y8)A!W}QsjM}-ZlwTOqo1n?k<&<%f+_6jy1cARoKn6x)gL z!6qrASQDJj6~>(r+L2zNP5W|8+bX_g%7o?oQPuegd14@lHV@7Eq~3NpA?(9ZQQRKE z6jtDPPwU-0qLT85!NG?PJ}pxrL<8!jE^EE@KwZDEx!l-JC5Bggf|f4oS%`5C7}w zDnaev*(wGh8ujt5pvp+ODB4Li&gosycj)1vcG~L?dLJ1x(36W8(5%%Dg~xw)RJ-f{ z_emh0n&iJHZG|Xpf&lspEfr~5G#phINpTp?+>OC8DY`(e&h$r4&SCiR3SvBdeSF#P z?P|P!vspoB5c>sum}w_v6&~4sDRR&Sqg)Fitf!AA09lVNq)EVCL@`S)_;k3N+EHoD z=`(>3r&?5$qmxeCRjMOHy&bz0y1rzY7VQ4T&>~cJPF~)BM}UlV#CyT%!85Eg6eAn3 z*kgQI+4+?wkEF3W%FS!D2_v~zz>{+c^>r0&Q~8wsxT-TgEyjjPA!lTM-6b@TWFe6) z#;la)&Z>sU2a#bTY3@u8Wk5RF^b?OL)L@{e#^3*YO{!Qp^Seg+lk4{>4vQg05(oQL zIC*nQZ;5-}26s5AKa@mxKX0}unTYpXJ%F0KRh1M>Q8R#)bz>YeJDJ|M!>5ar%vuoP zx!stN4@MDX2Fev|#y8RHo{C$Ejv0E)m8jFjnkKs5@@hv9z%=nXf3$v$E9_0GzP5CG zN7;)Mi^m|C^##fCq^G?mG%Jv*=bm)4BA+*fOOoj6!O)aGhcxb)nEmg1@%Zve$bx?o z$S>q;cA#oMl{XicG@|H}HB=ap%X!_IwrFznZ!J%G+2Osr;Bk%F!DIH!q18tlpT5az zJNT9j$$6lB-*I|#shYD{;V66WzVn?&!PII%KX!na^!57rf5W_PSKf<8&G)I>fLqV2 zjr9bsoiho0HTV1Dbo)!2zvE#k{St;IrkA=QRNKl$^RvhiQd`3jx53gF&-N)YB?BD( zG06%ijfg0EDnE=0U;13Il#*4{gS=A`e;NCGz@-*Fg4tY;i-43rYIg#AXiUXsdce~= z^|6<=!OvZkT|i%L7npcFUcpjA`w!Xz(z^N8V5@=X-6=!_=n-DND#fu!`CcPVnQ zB?r$=Kf?RTFc_BFC(q2;)AA#~ygvGh_`^Y6N4v@dbG5O@jQ9|BAUSg8z`vtL`R{LV(RBr`o97_9k@U5`jOr12hZ1~vD3Ut7PDQUFFVOrc<<>BV( z46s57HzzJ?Ka(?ubo5D?B2sF~>mwF2iuVJ_K6`1Su)?CtU{{+%F01GyF12ku{Sg+lW7i~ zol+|X?>_~!T1b>XBr9mK%}_7=0JM%RP%SG`S3Y4EQZ z%t85Aw^|>zCXXGX5BIw%M~th&4}#=P_|874#pW?i{J#0c#G>N!#y-Ufc((`yoZ8Yz zilBVC89N#mf7j-c@5dzfR7hr-`OZtY0H&22n?4VION?(&!8_uux;b}CI^a`Bqm6W&oOsmR3+_HmogF_n zc9B7Ut!E`2Ib9N;pIFzj^H!*YWCQ|Pa(u-*qxj;Z)CnxppZ>o*d1HRJi0gJAbTz}T zRX*}i4(`MIL!88=%Wu&a--afe9S$!{_dzwcnjH<{B&+b_V-xW@$A`bUR@M|R2b>+F zAfgqGFJvI@KQ5B0ufI0!dCy_U3AJ%Iwq(X394=M+tu3UR7DxhzyOo?6o^dsG)m@Jh zF_{`{^^^WhTr!0dG}Sr!(Fii_QI<-PYcJIiGh+14nN+VGFoDp{mtZzX4L=J!Kd4F= zgM!>^Pjf!?-*i4G@}49kkMO&j1QVV~9?c5W;H{#C+&K>F-s=s^>}~16g2JDV|Fg3q zz6(C8PR9cARL898YN!I~x^FQM1_SVfD!D(HX{b}x1BWCth)lhq+Nab9(X5o9wLx>{ zgA8iJ(M^thSBpnL(9T6@>&+|Hu0vB#v)42F^3rfiyX$l(=N1L_AS)m&trs*8!CqQl zJ=zs=z;aho{L`=fMXi7|u(3bo=+!mKo7opd%6IR#fPTbOD^A-l+>2_KK`)m@--a^g z+Cf8#u@Vj&%@!@X%7{%;Nj7)$(LJOiPi2~=mluF(iRvacjE~lG8%4h=54mE1Oqf(f zuhAlXG4EI^=6Dk07mphTY2*Kw?eKp-QFjmRNeskxH-n(OamRoj{6)=Kl96&jGfJJ4 zIH%_S{jeKR%7}yg-gl`bG1&!e<8J(wD96-ZKX^MleE{wq5dsK_p@_}FDt0_P!eeSO zUvneKc@ynrr4cwdAyT6qNQzd@PI}zZ)T%f)63b3%DjFNAw$;}yA5RShg-ONkN>V?0 zOC>ga`0<1)!&grJ(PrC&W!m~8RI;_Dwfe4P= zeCw37kdhR)=On%*M&rq2&DYf%#mdUy9Z|BkLM~*VQJos^djxS*-0YnArEbQ-w9arm zzAH)}E0!?C>A_vL4P>&6Q_NX+V-<5w^HH?MnEc@kLV0#Qs;JBl)_UG7TnU&gx;09T z=u2?=d?wQBRQa{{+q}tw#{rXny}s*z96syaQDsYMp`7{rOUpaIEW2xm4^`r`2tNUJ z+>-oTWJjw?Se%?>SXi>kCZrP2ztYEHmTt06g9debUmY3JjRU5~S3i~ySIo8&zYxB|$SUj$QFQk|yQ*qx}7*!XePQ|ZO> z2E40OYjVzJD7k$V)rW}2A`s0I;nM*FI@BHmYTfGBecE*)GgjHH8-TgVy!aoQ8>!u` z<**pbI^&hNnK9-oatNHyC?JCn;;3y_YYB;25nRr$- zmC7%(?483U4D!o9-E(u>NDYO}9l6l@J|u4F>rl1ARU9?|p{=d*cr54M^dpm@&);On z@|968FuX2(UsY?JP_1X?$^Y6DxW=3q<;DO(rTi)2U zX9!dQWUt_Qvp2CfN5dm@X?)n}FsCH0DG}$Ebu&gA5!iZvW+A-;?!&JOntmVK$s5pW zLd1%Xxvc(%uVR-4p!tSn(cP+7Tu;Br78Sm}d;hFd^Zsi4$tDZ_nY)<8o|6{coVT(X zZptD29kC)!iB8TiUGrAavqVV~_?AHnzU=l`HBDV6DTIde#s$IE)XdCM^rgG%2G3GT zgS2T@A22~Q_1;TFGwxCk`8J|Bkba-?%<_-_>;Q@EZv7&)+WjX`T(c5Cb4Kg|NNj%RUIs&Um~-T*l}yqYohJ8y?bm?**p=KwuKytt5k+vCct(h!rQ8z1_7uS=k{L?Ca+gJZNd|~i^n2UdX zx178PycZZP?$1o0%As}qNABVqgJ({M!=B&!)wNx(-_s3z0Ks{djxX@eM+Q=cr_Kc^ z>xQSdn>*1nu!HTlj5EP^hUGk$j<2}ZdO)BRsKKVf3e<*5KecY~U}1TEWUbh8-vm-? zI>oO{U3P#*_C2HbRCplbegWYON#=szLeJCQ=n-EzQxULek_W}MvR`MaA1s~m=&hRA zJHneo(iac|c2Iw{yovqF;d|;26T82UMR3NE%I@8rCx)efBYfTj`z2q|f_`84xVVyX z|7SGFEClvE518~GCBMu+jQY>qki<5L4^%k#1o4?wgh;RA8EoM9=yO;}Q_E9d`cAw{ zY&i6=U6sVt2z=~GYM(Q{&;JgGIkwBoN1L=hwZcK`>Mv95)f(0$B1#RQ%)tvj8Z+I4 zY1q@8&+Jt5xffGyXUH@I=)D7N3=sb3VmyrE7fwg>SlX%DX?z}i~GbC_Wzq*QT`Dtlv&=@ z;JW2RY;>s0IE74HUah0|LdlV4w_@wBGY<{bwj3Kxl<1wL$j#8<)gI!}GFYD-&R z^7`a08!azyHh2$-A}!3rAFD&c!gB`}F;}3A`34K|o)M+7BhfkxgB<^jTVP$+tyy)9 zV5R<9*g1h9!gS`j?r%DpaY@&T8q0OazGqYV%zayWemxMd@3$SQ&B}*z0u?TWdw&P^ zCCvc#dteJCI_eD6ecWfP#&qi=j4xM}nSZwa-YDw7WqEnUKXw!1w zcbMC%w2A52P1PZbmc%jTLkH)9rd*vFg2RCh+dyH%jolJd(A8AX!hn86U^{C3SN;Z6`=-&^?oUNR>{SF8LE*CwaO>rKZtdlTc9N0l_rz!4VFCy z;0o1TRrO>lX+DuBEn|z#TGa`D>pD4{p-$3tvKq(Zwf z4N7vGZEuzLKqoCopL`tj)<>X~q>tJh2(--7T2#sJk*8w3h0Ai{pBet711jNbcnfvv zF3nZ(9fP57?ii;Lv${KzdX~&B#az^zfQb_>ittkAn@VSG`&_oXrMCLjKLa3*o}rXZBcpXoWF?L5Y2 zR=o_RWz;%GE(gvGO2bZIOgQ(3!YY!wo^@#tpNLhTjofOV>ZGjR%Byq9cpv7Uk>T;W zAkq2W&Q}@#N$*}u`KYqFwA{U`saDE0NFHn5VKjWTzG^_z^oE$Jg*YdcBKY`aX+A}7 zPPH7p7kojeU-F_U`2F`Djcl~&B`dVF znkb*~m^`kot{X8S|Hx;hGsuWmdD9gx1_Zw5j_~k9rI3a)yy{V1(i#w2ueZnV&yBY7 z$X=t_ktd&y$rTedY|U16+7v6AVibH?er9jhdR);Z+jRv4wnj5*=-)H9pj@BgE~^QBMK$UBXyrN!`# ze?tQM-yXeR?C*C>oc)-WY~-JI8DdzrvH=b>xhcjsm*oG+)aXO(2IW>6{OO=DRyq|Q z*1l}~$=eeLh0HD69Fo!9qrlA^?;AStbbsEROt8bWBzr=h=6V#&Z2caKcS9|;FCSD` zrtoM3$*0#+i~IY;}zc@I+ zT@#eU-CAP1F;@)rl0qu#*Pd!SPGiu#sRqV;2%XIM`27|zDDwT9j(Aw}s^BWhQDM<( z>-D!T%Bmy$f`_v?mtsdKU*grkwjQ=+Z|3>;{sPsmMY#-be6rIbrN#ay<0aG0_9ULi zT1Wmmrj(%Fz+!HV22*_kUkN`&H>k7=RKlWFX4d{LouVrtmge-!XA8=+l?@vhFFq$m~(GjJpnDvy4?OtR3gkmeS4_+0j^VxQ+cZ~(VgbG<&&%`I!R8j61+De$Q z#zzrVOX4p+-J|>fUhD^-Z^Ytz>R9HKKMmHajYKbIc3DAr0w+JJA#cu~ZA*S0$sDN} z3F2nYd?1Ydn7=m|&M0)c=8^fLS>ZpS)a6d>wycHG3i5Np!WN6G#^?ZZQ2%aazQO38 zL`7(K{?8%slaaAQoTvB1T|Lfpj^n?*+L`;x3Ikmq|0xePp5FY!eC`e+LD87h^4Qbk zGoI{jHF&Y*knDO7rkA(YzKqcYG1tT|jPY2_3SfncVA9&46y{4&agXyin=8AsZ~N={ zXe8t}2K7(hU+$|2b@y%8udtB(^ikx@gFcZx4Ji$SRbuac2FEb45U?(Z=4WYXeZkad z!-9q+xA%ZRE^R8JhpD8omAzT(3ad?dP!Z8 zSDx0=OTs&~!k26W^Z^_Egm1ns^^)_CLgXqRbevGXj&VAv}9(jGt zv-6UZ$*N?i%>N$B{lC$DUTot%M#q}bZROHH0GffT062ra5&QtAgdv%WC`6uNiuT#; z#&yT&xTOTmtv_9|cnjX=UrG3wh4QcDUG>3yt89G z<`$d`!S9vvKe)K#&qu=%t;GvkV$8?yfw{SV8F|Eo0aW<(xiK29Yb@TvBt~bv$9X76 zDabF&2t3J`AOYa_C^meXixy}GZd)l5q z?M4LaMD#IjR9~GtZZznRfNmYGB;nr@oc?o#EXAVw7Sak}Ur*RMh0d@Gfgof8X0qOr zjptY`gp>m%B74oZzr@U$C-)bL&dja5yv)b8pI$rFH38E;P!|^VvKuZufa=T`4!jfe zWaLZt;=%CAiq>Ahf+Arz6bPS;9rz!+OeiiQWxgFF?HsyI!eFXwLotz$*ZI`({2JQa zhGu$qw6#=j-|xS97)&G@1Zhfjg|JG!%*h!02ONG6nHDRi0aPl)Y8ufqhSO>JP5XtF zdx_~Sx}NUFhps3zM@%E9?k1M>V89~seq{!+fu)cSq22Kjy?#@znh%&mo@mz>wm0qT zOY-HDNWXZz{+*>LzBx@0-eH=qrT9;Q1vg$s^8W&ga*&ij{i^rM{w+E)4P5Xaiw%p* zGl4k!y8Oxc(At$6=Nd-ka95>69A!+l`_J`mp?NMv`Rn%da24a%~Xd&`TAZ7-TZB- zJOlf-=CaB8&!2?jQ?j>98(f2ib%CxZ*4Kt) zogzZn0v+|2!F7@N@(D4j-uVWdf2Y{spAbV%epmk|Sd1Xmb8bHEiqU*a5`;200Fe1m zG_E{$G32ep>!v0B$N3#r8J7{Z1B^oj>VMQ<9Mr9fxFg{OBsmV1MkC2B@7fBI`e{gR zc1l0hO%YzjF20z}zxvbXf-i}77^;t7@8}X_Bt4A;(x9ySdX9omEA5e6xZ%?aA3~09 z3#=s{LNsbFl6;?hU3b}&V^Z<%PWagxFaMAorRtUJo;*cxyNHWpK)J`QeU)=^?WS*D zEN5>{m+q7_L@YGLnsDqY+u+ezM#WKCCB-0xkHuZ}I?`>tL31AzY2a(PwR81183&E6 z7q|%bv`|25iTcfk{)OTd7?qnW6y^LAyJf5%(blS6-ptTlVH3eY!x)o|d)o<~F7JvS zqbR{^XJGE9$=q5wPvNB&c5HG=dQR;hA@cv*TL06207oF5xyL%eOrG;ljxirxwOZb# zMKzvIu_!5cG3Fe5Ib>6;Pp{>TFjimB^nAB?cu2eb}_B{_4V-9)^1|8DDzS@``J@vKIOT?r1%) zWrc`AwYZt9NvtL2?U2G8$~ZO`Y!TomFeN11?uFdeWcNf`H#IOvJM%UKpn( zNO$mPYt#N9(v8ctoLkbwrh~4abvADO9pKo3UrMTgKi#*TNRgIq8`8NK_S4=J_EJB61 zd>-IUtwE_~-OQ8odCq7Qk8;$E?jXVu2u`}S=wR3k9XtJb#>3nI?SYop^7d%n@dZ~n zT+7EHgPqjVowBC$3c^ZE-vhx9_{P0WJci6Ic099lUyiw=$C8(8bB>5tfMVD~Nh65^ zh#YG%my%Wn{I=r^eh^D zUsjuiVvG()42hf*FrVl{jUw80tdveo_tcIC4Qp;EvowSYc7(8b&To|&p$8NO%#N)V zf@%N zQ$TZ*g+#sH>V-!l64lHMQIprJ$_3G5Dx9b#Zj_ZJ2D2Zz@adyxthdUuduqA$n+lbJ$L=uswA`5j%BZ!)XaX&JHY3d|=Ju40h}d$d-U}sY?eFfvo3YT* z8wy*=+5nU}mr=v1W7^_AR=(#|LT353tw0s@&10+f;hH_zelC)5i-S>6U&fgYiXUGQm-JTAD&^ZD}|m)E*PkIM_vWiBN7 zAqlp0J7fFdhM^bqgro5?_W=`?K%c95AdH-H7LXW*bwOoM|G3N{Zf9MuMlOun0EWE1 z8E8c{Xu-f&fJOp{ro!s^51A|M9waKDYd#-~>bes=`fbtEt6}Q*&zq1wH_JQ)lNQ-O z42GDOhIYqFxN7$8dtzDMZ`YFbe%AaYMT0Bijd*sqBA-c-l2!_0HD(fk_8XeIbcHT?=RFFpDb)M{JbOJh zMXFz3zJZkvmUpwJt2M{m@>y=r74TSIR8m4VJGFWH*X9incdo5^2i~1hi3$HIqpJmx z^y^vlcJknlszcT!D>g_nNrP zs@UsM6yCD((U;itmW&%H#AU%=sPOKXGHx6il0)N7Ev0YHLa_u#v_HRR3)X;EM+wuo zm=WQOAb73e_?D2(PotvQ{7fpa18^JM@NuN%n^Xc+90jATf<&;O5^12gV26z0<%3?T z^TyUI9{&g$-Ld_xY=iV0Ch9MQ1@}%9-xh_Q-7=UxheF#*9>-%}@dWLwAnxv*MFN4v zGaKeZXXzDpgnaRn;e!6(NGn*Alro-^4iu~U@Brdt56ol=z7OQJ59#!9tiKu-F|IT? zo&YjBxXclQJ+?ragdl=IwgXZ+6yC~S=LleC!J`o)N=PxzY*|qD4Tmiv8f`8Ushy(= zx}r5b$jjZN`x=21yEI=R1<%?N3P`dJAwKagCJ48f(lUv_c6_WA)D}?ezn_3uxU^I@ zR^Hnv3(DgMwWpeMwnt9A5c%|OM2^;mgMQFIghZ&m^vmjiVz4f5dxndx_bi!yl$D5--tm&arZjiMa7;xgF^d6$MvKyb>^o{ponVl*P^`K|g zJ~J|QJ=@|F8tD*DhbJhXMG9_um~66gEm~6s%3gYUq&q7G2-*3)^vC*c;u{CayrLt4 zMO=33beq_rm+M(+=<&hm*uxOu);RQ0{NPFGFdIt;J>OtYRZP!z7?QD$Xx7S1M2d;Q ztu1g13eAWQ{z4O$$P@6TAP&{4#4G3G^$dpr47D^P!- z&I5^Q0b=}hBVKjOxkh+jn0adU3AMPlM%c~wT!D(M7F36EhUAjL9ehu2www2?Czp54 zVv&l)G9GN9S$Hy<-<^jvHMN@BU1qk8M5FZ*;P#|c&i$?kdO`R1_wfruq8FIsr!v(M|G=etO;ZxJ2khh zWV8_FDC~)~Hq`T<{LEe~ukecGghr@(ZUPKrtfIW39H6XC0+hAh@M^Dw>$8@(93Jj_ z!|qd!-GRM4IpyKd_^Dc~9N?HG?$4~1#4ih7`jDRR43#MhRC{Ej8gdbk1r{j*IXAUr zHoo9(a*A4>W$7bXX?m5}LW+6GL`STn<7ZU~SapTgjP1bBZ(jiPK!JNYBF>4{w7n#Q zlp<=;OK$`r%}VG9Zb46Mui{#Z+vjSjJR!^On$=tjk@rWpdDhEPyI7!O@HyXmuI$(Z zgEC%=Vy_w7IIb4`SomZX+BnTqsFQh+%wmIA=+BAHTh|s&Zcx5vEy79&&5=$fR;Lkw z4FKlm{W5E@fei4b^vsqW3cWu!w3V+&rhnvc z2!tRnJ^Fx2ic^9VWia3*TsiSI6|hu;t*5kfROwA>h=59ypcKE4u_m3vAluPD)*Gv9s;g#~01gMCo{Yd5N_adgCXcQSpoA`P3S*>5`1~z-ov@(!;FwX}cKB zX-c(^^~1q3H0+?~ba8P_hN)Joj4((zXg*jid}$yG(L`Qu?;w6TLf2Cu0-l)B)O(sU z32^Jv>%jz(A5C9UF16l$sZNm9cIPumG^dQRr+~vo;eF_E9Ioc5I@Av@TQx1#GmfPr z*NifV)JD(8=m5UFiMHsq4u%00Dnfma!qT`~L#t?izzS_2VZYn?-@bBnwc7~MS^bwAF=%h zQ`*c!NQp3tVe%#ZwzQHV2UYI07j3k>j4o3-vI3vSg%qN(qf>k6R(Nq27_o# zVq>>ho2zYH?TFD>W=Y1(sC1diRy+uDAP|nwm|iO>d+I4{J!$oO;53CoiA3lP1vrej z88hU+upuwcmrFqg2!4$24d1x6&U97SuO53GAXg&1Pmcpp96Lbe7ddd0FCwN5?BHrh zd2RYfF_gXT#b5M~gC;$s$?ltUNT@68_KEDin&}K)sGyVU)2Gxu&VSYth8LsIhp9wK#m~umY~vu zAHRRX6UC41!YEmwL*iqR*cm)cG6sVM zOv4Od8k{4HL|1YCLj6Zi$;6!xMb|sFkSjo*p`CBHLI7?*c-qaM9j6)u2(zi+G3W!W zGt0BhtC(#l2VCTM5z_=HNYL|jv2BMDo8QFfC!pyWF4n#L-~_N)%Q`0kEu00(Lo@}0 zFby;T8kAT$RHPLym|Js6r?Pym@cS;#EobaZK%w1I*ud_vBi=@PFj~m@J;?o}d_s7E zuM$u}@B~_RYY~@I-%RI|u>gS9VY?h1jv$rLecHd*5v*biE;Bt;zdH~`IEP2;8hmu} z`YWXZxG#X(K$nA2D){2J$)&4Aq_W4ul?=Rze_V*9QC!GC;>hjDFfgQDeo#jm*Mku^ zMyS8^``)3ZF8U;Er>Y(-fgt;v_xHt1r~nmmRgVbhvIfD(V^TiPR7l~q=scS^&HA0q{FbloRQ2#F^KVx%p20-lszyPnHMOT9Z01vL+8#N*X zWr;Z{uzaOtStIEEf|%bFXgon?IhFdirzgt^eWwCr?6a{tLYWi*7C_lt1?;n(lNGyW zxaw4>la>1HDwQoz;w4K}0Z4EQh7!(fIRp3&mo(xKa_0$=AG|^c5ca6MJo-T9SGC=} zJ*^%Cccr37Y|b`E3JTr}x5O$pUk#$8_8X?-w+tF;GU|iRdjhr|{puUYuto*`)y81U zPtq{{X>na8=RQn=52&wQEJ?IjB)$34+N7nE|JiBuTM1V$7%F7_Pze|3t)0(pyXiPS zN?2dhQ4UH8j7DdIBWuwC)#%M7k?Uee)J*GDPt;U(e!LQzH$rHOQlxnveTgrHcqX|2 z9&Fa#swY}raA?$v08o6Or(XIwmkzufasG#ao#^1z^br@jcje((P6=Uq0{|y@`{-Wo;jiuh%0_#)k805|YUdZnwUi=4e`y0K{w$!P={0-f*#I9~X$R`+Q)46&CXpPxv-stku>aS>Yc*6tJ zrhKZzP{k;ElI}f=r8*E_5~w9HD>JcnuwEv|DqC`0l{{$PyYeb5{@c9{mX9~0^-4Is zDm}Lic9u+0v%-wIGD&vL`{QQ?N$y%xE};FM1>7Sm1)l3R$df$!0A$r z*)-R4$1A3B{>-;e*>rx|D!5mQ;3)>R7s>MXK8@V?`;JHlV(+X~2|?uJXY$BP*}|Y+ zAi8tzmBLk^O0r(Sn?r#QEFolx{Y5^|i*ZDYUG>7%XlmbF&iebdnv*Br(eOlD4E-pX z>WDT39mXBW0t0d5n;%XA4o*cB!@qA^)%9{}{BI`jpS@f{s1f)pUvRo~8tTtiI`h7s zR#|roA5cON8sG>{vZgQ7!UX|!43`zCpjGK~nkcSoP?xf(UDJ)mBg{WaaVIx4E1wEMNpfXtYTo5k z9Y~1NJcR>ZW=lz!T=qojR9oVmgtDNyIM0#JpfX_IYX;S5nCD|UXx{R4guv#mx5+w8 zhCNO&|2@!X(?@VoNeF?Wrq#uC`X&;x_2+Om7 zY+?Tqng<9oxJ2fv_DI020N{Qs@1|10Y<}OE!OT|MI75{H-HscebZ*)r{J$6;bAVWX z6h$bkj@=}nE4QTB+)Dz%Uj)MRs+KGEH3+ zf7<}kI-_68XZJB?$*~!y7Yd%5j;mdnE7kLLH}*%jx?V>4UB{HI4_B|TT=U2Hi2VH= zCW|~Hsfd?FFU2Q}$Sp~4R3ERpvN;!HEZ|7Veys$?%WSrsgmM*h?ANvncrGaZdMf8> zo~4A&zTF5P2E4dC`a?rjGV}Ch6SA*P=MN>Yb7VTtj{KRGyNuM0hBAe=FO)dL`IjVvY|5I;6`q?kl<*>$$4Td@MQp?yE+(K`J*JSA zIdnp(Z4G^uF;=#?nsuTFGm0*uH{bSx{eDD;!Ve~b>35039yCN4UN8IE&Q~z=nZ+H7 zs$!FA&h(Wp?0j3l6}8SDsDW^aH^}3zdbW>2on{sFWU0KV#LJ8MA>I5yI;IB-5mpO= zO4+YQUFbNzAhb8ShhQMoLJ#u7>8s%qHCvc^bhk0N$iR*Qy>D#4bY!k#3xuK$qgf4T zG}1T5*?6RrU6sihWW&^J*F32m2Q8rEpR|Y8qkhb2dVR;U(&*5_^zA=r}>#D>FN zA9RO1IbD_Oh1B`&f0y_wsQLwuhV4m&D!oH0FE0&F(?2$}H%}*Ap7PRo*yr7EF+oq& zZ1|!cQMXocxx`z1a{8*BXG_25tDN7Iu%KpHd`xA1ZL+n!y zvMwGcL2zb#z=yp!vN`LC1`4TabVAivZgf=))S8wiYry@A7m{)4{!RgUpi^C&t< zI7*-GmZzv0wHcGu33}8o1!gk~{~uHD0vA*M#*goQE$s@i?FwCnwS=q?MVC428{4{M zw5(V(QVc4gdviIvLfX`zY*NiZ2+`0*beXfdjZ%%IrimKURMT{udvj*y%sKxv`Tl;t z|Lf(&bf!}C%=0|&_xpK2pF_vS4V5wl2c9_B0<@Z_^!`Dr@TDYoljVsp=y+N4Q^Vo4!e7d& zE0robcbKSx`J?Yu8CR3%vpj?M^tInhuGx4%2pepYdTA;%k+3aUzht|K752B=zJoUvr|Nehg?X$m7mi$by2N!MV!pK_W!M_`|B+YIG?5O?BA=Y0 z6*WKz@kDyAKeOW^g`;SQed>f7H*e(KeIlw3wJIASK<@w+@!a|!8i zJrAf<&SX)Y;8b5BU*-k+>HN_K+!0A5_4Y-gaadkhypTW$69Y68J`V5Y>vKUmHfn$k zf|ne3f+I|Z>*J!fK~fGFfhBOhk^TLG=XgS)XOC2kdc6yTfe5VHpdS>=#)}R5GU(E4 z%V&mT&kV`lF2#Q1dV$-5956^$KM2VZUK;c-fz0jMcGx(em>)keThLD{5d-P}I%wfV z_&bVX#H$k^L1ye5%@ea7{BjRG=)D`#a5a}_p2Q?#Q>Hk%Pes|M9TIXG{^;pXCG8Ww zB}nkI0lulgUUJWtk|Ms*rS`Lt8~|;d8O(o^-I(Bc0l<8Z82V{_8UCo(PAT6nEzRaU zm0J6Tco#}aT0rk5EGe|%Y2%1KfSK(U?9Vv+U6CiJS;l4P zY5#fT#cE~yqDrAWp{|J36ZuGzx`6Ze*{jI^T+KfbD1Jvof}!%$)_h9F>VTUz zLDFm_*x##)(d-GJb8!I=j785==TrBC*N@m@kK5f^Q%IDQ1%9eeR{mh5gpx;#VUcTu z;PX`1KWHmg(97*{SOK@>94XZ(KHBmsuvBRg%vaM#w^U-WIAm%Zhb!^!zz=qrV>xsT zEkR2*j2kpJg6LRoaF>ZsrC(;!1dtCnfhJS~v8P5YDNcC(E9RGopa^ zkI>(J4!0^1JTCr-hG^K?QO(BBZj_j{`kwWrqg z=7^a6=51Xd#5|I!ju_7br3t%YPY?A=()n{UDBi(5*_O_56uCj+c;W!3U@B8zT1m2K8L&pHxv)9bn-gqos=7b;dP>s+K ziDOYvOETkGM3p?$OJ!(TTAf0%yFi5%h-9G9-RExeL?I&j8zj%g8F2mc_(+tyJ`uuO z^725T=eHSy&AHnrRz+=l9BUrKXq-`u{v^i|y)(RpQNaRn6gm2z?`)oJ%3GATJg?r8 z-XC&LaBeKNxn6k0h z@@VY)F-ObSwY?198IA?>KcckrX?c2Tkrr+d~|M%Oseg5`P3-GvoB0|w$ zA_IDeJ+gJc7`| zk|7qkHc;&qBk@PWYn=&aP^nKhs@b38^e#PeN5^%MLq`^-uD`g7WZ3u!{>6dmtn%Y=fw>l;hX1r(jOX41A(z3kKa}H!CqFu_0mv;!e zuN!EE0<>+Wt521&VH)YEhpG|zVY@3B-(kP~IrSA+Oq~z&&U4ACk*JWz?9)RD#XgU? zy)bL>*~IV#M5KCDsyj3!zMa*_=bMgW^4$nyFL;ski>Ktcv)3b6bA?o(5}UZyh&?{o z*$TMGe;m2v<9qP$wjwx+@;w2xS`&gB*15*wOeRL?i~}S(7Bq6#9IauGgwM%1Zb@bj z{KeVJ6READ7NDrB%kA$smMm>n*jVcN(a6*PgkuR~8F|h*;3-UWaMv$6V5Ft6Uk`cy zOOsof-Xvz>VS@0WQFDlbM8`Ljd>t07pwjVflklZ8mSK{Wm`0j`#~Z>TIDnG#1fX>` z(;m6V7eAkPwt6X68p!TC7D#m&MO&P+xOW1#M}_!a9@%`8Zf0*#k^%Vq(` z+h>thLH(-C`hf@JWupv#Fcjeo1wqEp@V87fULs2xtAqIf7w6`SUds5 zf&Xe3sy+kfg};e4`tHC{=OaImx-Dha0)wC0EIg|Jk$&DP((-ZhU*+TCHG`G*l6++WfGQg` zY~k)8|G>PU4U+aH8ejLjj#$ze)YmSuuiaN3C>+mb)hhT2x}-dw)J5`9RVM#{w|hOZ zaagi(dU+y(&V^2kJ}nyP*VN9v+NN8_TI(60+eRqB9y#6Uh1-_}ty9XASM?Ij(KVCz z?eCl?RMZZk%!WO?K9$KnsjPQ07edDB8LamKtm{j+;SX!&zCQT5lu~EbroGo*Eu;Xs z-PO6#*Zudz*xd0@$&b^oId)`a6bsTj4NL_DF#a9#PzMsl-RI zN}1p~IBGEcN(6U9&EZwe8sE^;H!Zn~2cR7AAg#%gvC-_D5gGxBR+SrMWq~({D?~BY zlQdt(G_;zhP`yMP*m5bRD7gjTx*gRBEQBih4^G$}m=sQAbotAt1a^B&w0TRUU+M+b zAZMeLu2;0C2|mJ_e1;4DF99B`Mm7asDXbK4ZafBFlP)O$#w0P=)wV62IPO5%xVRUU zEXbi1Bj#U=o^`f@iA_%P8g)Hr2zx=T$TQ-Tv|U1KiIvL0bSOw=eITU=l?ro054 zeZQ|%W!TY>-eP&*yiaZBlD|(@HjX3m)9?4y6o|c^0J;G2(g80PIa49=U~PyBmt4TZ zQQa2c6KscvqUx;>GlcxehEZ$`TiG2w%>FGWygMxUs^BTI{g?xTw;rF>wwn>VnjN6Gk zAIKgTlX7oPR$q_%EwCUmd}5oSy+jd7$Gc3)G4C8UKBD8_o==)&NaHzl+*{w+_soL4 zb3jNx^NjLVH8@$Eg%zhy{c~X4Ed9g2HQF2EIdN!ra#JA+nAK2s9^NY_ zTvcA<)h=_gNeQCGl0{NyiWMb~azi_`m=VD$UR221Lmhu1?_azhSZfXWJnq)MS1m}r zM%vH-MUK&sw5txk7gtKfe48v5lIDSSM|c;ec=l(7WVo#?(O-hlkQ!1{v;QT4S8;*iF_7dd)w*p^9oj_4LS@`fu_VT;ub zKL>e%qGk2el;L(qnB~tfDkKz=LSk22FGdt-WoL=*ZDNm3uQyW|vBbUN-Y{{oSvX^( zv_vKtK|?q=9pgmR9TaI~-IPDPCb}%R>sj(CEb{k*XSz^nx2roI&%}Gtk%KO0(=3(v zrkMDv>THWewRrCIwihU3{MWngsHLlRn`FI!9!u!)s!UdxHJ+}P1f`68xu1BBb-wSa z@0i)7?|})3aue)LM<l#A$j#hZ{{a}KGvJ|^2)=EwrV36*Y>JoA_R)eB#_ z?DD_zu%Nd;AhLMRvE2&|eO|eht`Xny-mxFoEZkn;IUh!G$tuzM<*yfTF=gJ9vq$!_!An$Q2V(fI?xoQoOv=S2Vm@gnuSU2RdjG>4 zVQBy)<+@6elh`Lqe6P#H3I*izV0p{Z9nU+icZ-G=KXOd}cEE*&G_jS2!K|@9=vfyL z%o3+RA}g`C)FLNE(qCC5iC}=J zmI>uurmV}Vn>IaenGdSgVnp0tOy*n9vp<}pT7E2v{XcY>sJFf7hlHn=+&p`+8hm}D zNcYyqH>IhtPhpn+{iYYdn$5Ki+A2FRQl5`eSDmKfqc=6f1J*5I#CI6#dMEGN?)$AC zUKCcb0u2@joBhl3wVF+x(l}R10e{uXV&%woqGf(m*>omRH=6Ens=vjwIfC$Ed#Y}^ zso@QWHP(=z|J{r3E}?u#GM}sWn13XT^W2jZy$e$;ajZhRe?5V%Z_r+Ai)`+2CRax; zSqN;M`uL0H=bkHGcj%U9dwy6tBQNOIT6n58*K@z;u;F(~>>d)Y`n&%6r{BO>>()(0 zEf-1OE#-Lf&I|;4q4~z?;IPV`%(S_gaikA=XYKYO1u%8J=z6FTczEeHV&zKF(WpJ7 zOvr>7wnU-20^Sa4{l@HTECx^ccSdX`>8!4MwDvvJ9lV43(~jZ>63_i6VyL&_?t4GW z^+Puv%P_D12Uw3yrsM}*xk-@FYaZ9o^x_^c4(~C?SswIUB^b{S7|%p{{QtYEM@1T8 z$_tr7VZ>H;T3X{I-TC|=+4hVDI<;zUiNDP)=`-P&KtbuJva&wyz=!l!_%sGH-UWXP z7QcR>tlLp7rmpKv(tRsvfE2w)Vf;AvO_s*>T$>^k`2~HDOo3yISC3HU8GcaUv;NuP z#qdc`LKOK+uCS zXO^*vp-Cbjv%LDg@I`6i2;}*jUzwpv@2lL6uX_P01#wfp;r~3f;Ai*K>d@i-UuRFh z|LJbl_{v7_sm$jc0ay)GF>ISeCeB!{9kv3(HM_U6FZ%?=mt8+T?6IoCX>FntHoMmm zS_y0eSnUPjD)mOwnWxlI8O|eL!6nd$~2d)~uYRv+CG;2W`W@28TgsjK+r%p{W}I#i-a2H||=A z33NxHXF#{T%qdmOdO4zq3HOX!0iVT2jYK>NW=Xa1QYrc~9Xo{uuOa|U5B|h@jmjLN z5eTF5t4hvl1W~=(YW~Mf#Bb6NCJ_68Emox#>2a`z1Jki?>)e9Zxm^S{=C%M-McP2X zbxSinA=d7535Zy7Q*%_KXn|X-LRk+Yv6umB=hYjGIBZb^)nH1BF^-~AT9K?1VVc{w zc6xCTEgj!xlOTl+HVvCbzEg*EiJW6mXAFx7zwa}-K$f;b=2-*3C(JEp1IWLCj0r?ZDduj zM4(E&O|tn#XVqE<#Z06@V4dro|62!=yfp>1=wAcS@Ptzd@ZJelh>&eNEFg zuX>@H{`C15E9m#x^FR6y+*7|M15*0>{Ff{qC4Ak%3?ymq%R3Vx2=6Hukv7d4yFIa_ft@F@V?uj zyGb>_CDs6sT-}2|#*`XPz)x@sq}}KBVEtX5Nihx!)HYF}7Ga?| ziPJiJz>HwZdw=L+1+q!vGWAW!*vSF9~Sl3%32 ztfSkHg-0upvRaDs2YKO{Yi;e&X_v<0hdav89M8BNFA8{9j3q&sOZ(O$e?pAq z7Xrh_habpt!i~R0=0;zJpB-Q9DO%PD=WW22Cx(5Yavpbx-n1&-e-;BE=fKFy)rPw{ zj%K>)uur^pv5toHhgLgaXjZSWV<>>BJNItDB}W-nkgr{Ml-apg;TJnvJQLpXt4H=) zF=D8L%v=5Bo8+C?*I)xapB3_OhA&?GHv8hz;c; z`ep)rIu0q&vnO#Y_m-t|uD4oBXh>T^KBr$bFXR-_Glhc?4eJs^gV?94Wd*;HO&A+C z2ooCS7M8?dl?MLzX%|JC&fCp) zfZm;1<<*vUxD4+j{-ol#7iYP^9k#`HF*``bl}20gumtOn0%UH47QZF&@k=t^ZH;{fUT^_tb z)KT6L|1@Y>&g#t5G>~wE82{y3T@{L>YeNI`R`n%u&h{0I_?ssKE&ATGk@Y+ZRNqeEwQmc+y zlpv0>5km7dHY0X8trxc_K}B#FzzidR4NVV08~z`}A#Ux6Ca`eP=hE22(___QQjzAj zm4hAyT;e)GDG9#M)s}v4fv!TfG*p^{E z3@gkdP!HUld|kW|_Z+GA((c9dPP{mK9cBn{4tvsU$|6Nw&A5Fc?(EJFEbV&pQwbHS zX$;Dyx^to>GFQghOtZ)nAAsYD0TntNx-9&txhZI)o-$^PC0ZhFdk|P+Q?lmX0emEh zT&#ak;)<1JINq`9h$PP;ZmH983}Pz@Fgxsrj%G^il9kw6=69ntw2bs`m-e!E-2(d1 z(~mUzTl4lzDdg;2Qc2MMq|$ut^wrrF3j-&<)m)&OAMoDS1`K-mV4Q%&@T$Y>%mP-w zi$le5bmk>sb2(O!1ff9%ZYoUzpXOmcS^KwI{Nmd3jGmY>gLVpFehr`9nMi)^)4?7t zOnh-&?$4NbfSvy)%*Z7vs&SE>jf??oLZ^c!zNFCWEOOlqSzRxj zUazv-@0?MpCnlzZhNCc7Rv(6eQGJ#fD-}Z%rgpGX?`$$r2Ed6_Lf9GdA8uYFd?e5m zkgg7V&_AWcv7Yysj-^0Y0JFbh+vY(@3F?e9j&f*Yq$Zi2gvkaApBeU6GgcM2UlX!yIN zcH?lif$t}S&7qd*%9w$k=SIi?VQ+$nLb%>_)Q%XWt?AOx1SHzDZcQA4dkD(^5v5x= zz9)R4l0I(Mm=%h%$<-ia(DuSydS@@J$9fXG6gI+&r_^zMvfDJ1IT!}eau9rKcMC$W zcVtZ)=E7%MQ%}X=<}C?lm;%t`WAMhGXrdd3vv8NLUchN(Y!6U6@*#lvI`cuU+sX;U zO>b1Ga;_(|@`mmD`7AO=qLCP8kcn186{qEiy|8NL1Mk(DL)8f7rRQVgM!pScqOM>h zTS2uS@T=bU9av?+Mo8r8pxPdPs7k~CV_Lp8!1{;W`3^UxmLb%s(`q0tg$%Fuho z>CAd+9+p?Uh;9STV8)`+n*9s~qRT#r564MeS2Z;Vj-^8a<2wF1JDy&QsM<;&g3-HJ zOIgo?lOZ^Toz>z9IT`$jmUn?lwYlU$&<=Y%50rVH`pE?jA-oG8%#nJqK)?Y8H_^tL zfj&`GEWR=7MGt{1MTDa6_9U4~IJ`b{LVn-I;{tID&{Rf%Q_W)@Wy}mJa0>zvT4Wh{ z>r=hLl4+(2w^1{FGTAiYqdC_qGjC+N9nTPX7|mNMtilvxu>NNTR{jyFKA_M!Pr$Wf zZxoArE5RC;HGJ@1!u@s5GBhOha;=+;ritropXq9^DAZBNA@3^dd>Mv0IlNnpP&d^` zocWWrKO=^MWp<;#6IjkOjpUlZJglEXwl^ra7de?gYipHEw1%YeK#nbv`j`>B=c5Z%v)Tt-!wifoc6PD}Uv} z(4e_$>ah{4K*Os*8vs<%ZwH^$FJ2wX_`!N>Uan0h)mw+ty(Od$t79*!H{Wx8;W)4!HJen>>q#hT;$C1_YR+Z4^`RZe6hl&u{tuENH81bRVFvnP9wemeu z-~j!!qvFVVRpadax+C8L3{)BXh{7Q5BVvlhbvl z`@(AkskSmZ3_n=?|>twWvH?U1}eQ8$dp=k87-n`;Le0K+%yY4DCv6ROF5+M}Ya; zC|l>kYc6v0(mhvT4L7LXiE@VyMZTw=>Eue8c1z0nI_SpCWkC@Y@^#36RvWa9Q(Z_+ z=L(!y%v%sUUZl=?ycYG<#(ybq@MuW!<3J4p_m#28GR{P)bBT{DrYoqys^vgSq2E-XL5HsmiuqExY^etnFdY_pDWdI`vcfCkRY->Jh1Y5y| z+5|#jTkk>4J3k|sysW%DVzOb94wASEyfu~6+SYnykYf6V+)a4CYJE<lRtuDiZ=ru_Z=b@_0^u4v6y5?T^8e zxQg5|!d64eVKJayV}39aWh(fM*S%od{k)z4=C0>?a1=W5tlk&i#WDsgaOydoiEa^{ zC}|-^2LjfxJ>LyYGWYqJD^5wt;i=)iPZTGh1``m z+q?`756hr^FhS&EytB9!ENquN{@3Hm{Ml3NZp2SLpRj3>)c3S0VDDPv)PKBvyw@h0 zi`ULLN^Z2)1~9w&T`xbhXYt07eq9nkM*nbY+PO8Z&tpOhNlYZY?2)Y zTruvak`@6WTQ_h8%7VPa3O7vT*vF5rz1@ynTb{bVN{gg8AG3v7=P4e!G(@+a5h4Ar zE&Re_VW{0Tm;t2#=Bxfaihl*-KB^{C3bwQm#q%clpWZiE`yV2m9!1yF-qI%E9xzBD zuf!FGav4!eC$>xqFL?zyI81i&u)NxbdV@|x+eU*hj)o&(V0d*QD4NOmgM&$yPkYcQl8KffGlD}g3GU*cqHI3S6cN44OQ?hU) z8-MctXI_V#+PdJ+L5I+YB<5adQxWK2T1g>K-^J_tRPY8ej{174hOMiW?BUv-qSRJe ztpD@yKH=U(?bR9nj$@UAhZ*B_0+0PtTG9fVCt;O*yP@PI8}iOBj$e>$91XPok+T++ zdl(k6y4p7(?X>5+VLgcz>xQZB!(IgZX?>h*$69+7sV)qy&f547Bk-CoNV%(+ri1Fh zKZ$8Eeq+j$G}FP4hPWa@=Y4f$CqNx?(im2`WA=E$&Ks_Tea}q`ao{5<7E1`A|F~cL zStR8$e~Yky%iL-@#v^;ci8v70VIl3+9KyPh>rz|Q_1W`Pq$AEEBv{1%IQdA`35}v0 z#}1|c1g(wq+@0s#$m#IFD~|l$Y{_O~pox|Nx1d}cB{sXle&WSpWszm&%XKCme$Q_3 zwt6}Vj-gycvJu0wRo$wZC%FvW*E@^pK6%@Kx-c84!u+$1>-0c-ajpCG-Qs-t?mV`3 zsOkdVhB&jxhTU*TUw#VxY>)sp_H2+T;2~M%HTZ}h2Sk=t4>yLnq<#ZPq@caLjxtAV zh+Nn`?T^#b8%BLIENWG*kWL$(uuSV@Sx~n#^=D)A)BmDB2moAvFyNA4KGfD%zI7$+8NSFlY;Xc@bhtz(#7OCl_^{%zkpw~QJ;Ybh<0Yd zCl);U%$7r|qm1E|_&AYOxXFMH0zeixj+K}M<3J_uT`4$)l^eu^a1I`6kw|($LCL2| z7(eydaAz@SFvq#(N)YTKu!vc6aHi#wxj-FhQYvnOPw(g_K-xfwrg+{nU1p(dcVm&5 z`apo1(jmA35~M(B#p3t}l%9OU6-h^Ah2(?mePdgxaGW36E^{+`@nU(%riQgTWEGCC zAcLYIifa09ds2tpSPBQ-+izT%_W~urx!!Qhz@X*}VhR^2#3Pi-)5( z*uLL*oA$*uxo?uQaPC*{-#j|>bK-tP)inq`sc3Xpb(p^VSSO%P#8q``hn9`d*3=PW z2C9-qB4!Xi5fcR7@XH~1a&|-v`HHcQZ_73wd+eWBL9KUvuG?+jAtrvtweAvHfol}n z9fcZl;)hF^{0D4=^R(;V-|pLzIjoD6B9bkBoIE;|xQjJ7uY_(*`XyE&0lr8F6XUu^ zSbg!d^-VgsHCi*&fB)5ImHn`kv63-cC^5L;rz>*&3tD(-XO4(I)je zODh|RpY+CABoB*5l2vj>BhV=3wr*j=^A|o->DgS=9Q+w`u<{~LVP;RK&%T;++X)cF z2CVi^n9g1V&JYGYn(|FVZ#OvFE?4fy+`zX>?bgOMW_C9yHl>kB@+?p0W>>}%GN(8; zB-k0B4(;?_g7%SE*y{iu&AzqnS6W{n6jGNIxD)vvZLkW=i%Jsl1x$*2_lOLM^u`}2O1KZ27sxsikKu6;hmeq9!wMw4QcS; zahvs&(aHQFLh*7|w-;e?nz(S}PPpPYFo^{w$E|VA6R8uIEG~%LsM~IJ-Xc`vNqdrU zT*G!*RliyE@dP>IGyJy@?K1=O#`-n>aZsGQmG&2$v=$tt9kQ073kMXuPKMprhDuM%d9*B{N359DA zsN5ReZwT|yB@FURN$Qwsk;KPCa;QKlv)-On?RoR;1V36YQfy z)NT!d5$gs<m+zW@Dv=wG+(z!p}rE6B8J6?#@1(jb^5b)&C-+vVFZVs6u1Nqh3KQ) zU;^92dhAS5np$SYO2qI4mM}mej1eJi*jsbc{%*s=^vp)RNijcl67-{{XFj8P@!}bp z$n-IY7G0!}T9nEUhL;v&k7M@Gv|LqFKptB)!AfV{W9rc_>%|c zp*76=L@yr5srqI>GUpbdA$^-om*9Z&8~`a3Y*(Db}(*U~~)TO$5_bXhn@BGd~$ zCBGzk*ZP;QLJjz6ec^mv2&0rO9jHq6qRw^nsscygXwCG{BW10Pgrea#=XIVDOs1}{jnT%TH(53csH9wR=ux{WFX4mTg0jd_c6g)LUm8hI6V$DMmal)GZUzUeKS&Mi9q`^l)X|rGZ_2oA(z+IosS<&_k$c`u%Z&Cj zDVXHrEM`!vDY@&GpkEvvjb%v$|= zFkN6(jRsz%G_1-s>SsV{W-FEL`n_YuXxRYwZ2HtlV~+U=HNO4+nWqse{d7}-%6RR9 z!nO9Q=_Ftqc;rzzz7sD|)B{eCZ5CC)e&_I-{U66x`-4+lPwRjCd3r4Krg`PEXr=XO zPh0*QU;kg8OQZz{wz{h{TkY-@kf}=TL#K4!?G&mb0Jcvf=QZpntq|Q-%AI%bm1)w! zrInuOA9oYc=7916+txtk2)_?fJl|j^Y(n}fKbJ}!_QE8Hxj2T=$8Tzyb994ED=k76 z-$9-`_VLMO`2YAO zp`eH8#cnI21bMn6>)%XX_3Ne`2)wS6-|!&tDHi6md2Gobe;lUm8RU44)Svuk@@jgi z;CaysY5ST;Vmrtz^uE-+y_xVL3m!E4#C4{2tOWI#wZa9_ww352BVP-NU++?tN_^%+ z-~w=iO)VVWAsOjr^xR-8gYec9hPrgc-CDMe9SbLcjm2OCB{Vc z*sEWVOOb5%%f?tX$Xr&GJe+!ptd1f9_jzd37(I4VlJ2gba} zA|@(OYM%5LXlQ+;Q9GP)C=|}*-f+jfSSnf4Db)bK-Nc0?4tI#Bv|QWug%r}@U&*`7kmEgm>M>%eBp|z{#TCq99r_|2?y8G*F-12($)m-M59;G z4e0MSS+j=gIZrfHvfL%Woi-9q6X-LAoExK`nt8`;SxNIg2#y5`>QZwmE*l;mV;xSh^kfY}$uA=8gq{?D#1nQwVw}?{ufic+ttEHe z;s$H#AL({~;8n`l%SH_)1kZ@0g?&{F{QFUa)(%f%q9`YesW(nW__%XGanu6~(&22>f8Kr+phq+cnW6l}Ede0~d{6+! zxjxbsVR)8U>vcUFzqUlt^9(Y9p8eInykmKngUBao^h-|6RXES&>_;qs^0|)3fWt0x zo1zbQwmx4=J`{7;sRNX5&$>*xyY8a0u-#wwfLvD12Of`}Ea8HoKK1!=={DuOld_PB z0@XdL*CEDTM@2fm3uy%ZgKfRcs9mvd>TGUSc5e8zbIeUUoPqA+>h^j8B~j$h00!4S zQ{M(eZGPQ|{L@1LZCFkDhZJ#^U6Fiwr|ovfCA9@?@sF(nLQpLWcy2pIkxq=Mh7uW@{zuqdX0$-eSI2*!)q3#S zu>OVRIw79PSnu>u=W7lu$Gk9bv`SDJa;7aj3xy1T}3)-g3nNb>e&STW|2bV}eQGD9&x3l}^l%??b*?!s~f0 zEPuFr_kBWspcL?yix#Wo*c>v8<DB;8tUv^ZPE_JhgGq_pitJKYC{)2KdZ^lSB1L6WZID>N>^_3o#6KYn{@ z>43%TzgL_&HRUI!`ai!k@JN}<12V4kGJhCgJAt~b_5;+sRit?TOZmogl!>`yu|&vi z*efEGlz9KIbY5g2d_-Tz1;ZbK)4+7R1VP=W?Zcw3)f)&K{%uU|dNMq`jaadeuVXDS zH*8K88`H!lSh@~t6p#RgBtw{-!o}wB$Zdv|Sa7Gxb*e8w@M8OoZ(IGMmH+r!EnWdSZyjdZ|}vst}41TL`Fw2*X7iejM!=j8l;w z(fc+xG`w*{sD0R)?z&m5prE&&h_g3nukxuH!B0tIx9hj46Q}3TmiXSRL zw3^*J{%)&nQwfM!S5TrY6?m;0mje4-*H{;_G$}!cNAW<> zu!5{nzov}{>C1ULr~Y^LS3xNYe#}nvEZNCrtq{%CF5m6iB_~dHZlWRnoD?YNIU})Z z9kT5^Dl^?T=cfd6P2in=(S@yhsgIJUl#{CK^YdG$)!SIPf=04)NUSbxbiWTt&_HoF zzh@J}nw$RWc-KXj0d`a-nS0& z*7f+@U%~&aE?HI}bj0z~6WvWOWv#}KV4g%_#?Gxe2@1-~OrvNyw_r-Uo8X+faRN^P zAMkd$%QZ>&;pjdW>2h5FmGDdwzi@m*1ZFrR&g**1eot2yC|2(>=OFRAa^4jo`^W|< z=@@GP*wqwz-D>0>SLe0gXbX{v8w+AjUyDjwAkQY~j1L_b^{7$>wT%?a%}SNAf#LD` z-1|?B$8NoD|9yJZw{4pEIp@|f?*%Hqa%fXbU6&G;u_gE-2xP4qlg=|~&MRdl21VJa3DjWuL}FCedd;$iHrcmY zV0NAS*4YPUERMB%Y}Ioyz|Fm#a3p=wQf*l>w9vjl)1U>cEQfy?{IC8=HJGQl6Mt#u zNt*~tgrh~Y@e8|8d`UPFLPJ)W-erWs)ATA_A0MiV8|kSGj}Rzq`c;Gl!mvjHvnDWS za*pULDuBYfO?r|G%;{}+IMt!<(iJY_ucpht6Av1iKq*Ip{s@mE(jM&t^dZp z`*?0i{4$>Z+c%r4cN7Pm_dH@1GOf&R6E=h7>QE8!LaVWMW2lWip#mPJ*>6tg`tV8E zE0z}QlhM+N18=rCS2KircQRh+_TwB8P%9W;ouEB*qPZTZLf7-Wcj^>t^~l zo%NQiBoZ~spYZz8$4Tm^Tn?x*6y?p0rfPS}L?X|@w`Mvzz=*C%tuw|NGP z^=msINl6NqVitbU;f$4n7uj|fKvKwtw3zNt)7X-?;;qW*KTo;H?G5>KZsE^C4rVX^ z1H}(1|M*WZ8g`$Q<^M_Z8&oB^P8iP+mgzzPR`bc@;8E5%l04K_?#07RA}`jyre#j} z>Cz4fji}I{?Cd*|y?@N2tsK z9;lWLdl}t;e{N<(1MA;I=wL8R*c22*iu2UTUeblsrykKeZ!G4RvFNWPx40~Dj@MnrKcG(f!i3hkCPT!LA*aMZ zG2buRr`;W6aEBSCn2Wr4%-sGB*u;^v`*4Tdnt`Zxq-t#zHMaRFN2(+&Aex zOd*`I5Db>G1!hwNLQr_^>%CjC56eD@r)~K2E5m-JZtI`dzMuV< z>)~oNRIX{{IMLmsOX&}XFFmfm6sR<)e=H;sEb1E~B+9ap5G3^190g$`8MX>SRG$_{ zR4mJml}4bUhEr%bCyj&?Ka+aqIVisffogSyi~^- z73dDe7%?F7l(;{qAw(-{NP)QAPx^E_{3h5}u7W$^ge6P8@E`@?_iK>F+bnY;)=Ff0 zya(h)wN;6TlM})$(n>)!u|aRKwssTRGoe=Xw7+io#b24co9V|F__X0!E^VB&)R%^~K>E z_JJnzm%SgsvH%S`0zs4~DGX!i@$@-_3t0L?A%vb-9J7u&kURs}5!2;^Hm;GDyzvNn z_Koz3O5;Z`AX}y}p$KCq8X@)7YxfPV`nOqMdp0q@HRkU8`cT>1kc zCd(%BCb}oUuqC}8y+#AOJ9n8*4SakvZc=EUjYJ9wkL)3EAgU5SNFO5_QN@PzEFUm^ zUa5OszK-C@pMB{2dk+yNgEA_y4XLw4WaB1*;o1K%e3SE=HP?w|Bt61?N}K!tarGup zOd5&$*+Znhs+)e*Ed$jcL(}uh|@To7ZTOJyB zaB7{onFwAa3G!MLV)>@7*3yR_c7O6}`l16%({Hs(lfF`g(q1@ zQ>8souXL0S!pJEuz#0|yBMXy(tX?=S>*^Uw0b2M=sk5Kt+3*SzO8RA6wHAew51U@H zmC#$t_)^eqvi>$;e)Jp=n|GHSYOP78CdaYCbqB6YiPu_uL1pOvGn@eSFWkGQkLIYF zKHDvtZCvbxr%8a*rw;fV(XLY#>z;4?j4X>QHt(A?yQAnXYkWrPrG&8cDeamKFaBh0 zzs62xkEfsPJk*KJpKURiNFTV?niyJCQ*Q}@T&QQB3tu8l?R7w-hnr8OU2=K7-I_dl z=sg%sbCXh{eo(Ty(WtX%7LOm`o%Lkr-a6uO$rkMdjHl%6D#mxjq0r&A%)N7wi2g)N za)*_@b%`$XSLT-pekOL^N}N()a;bKysUC6FsZ1#jV%Qi#!~Lbz#U)b0G#R4ld=CKK z?!qsoMuD(G!*zCAK);(Fg~TOXZV&WV%EK%ZJ|`Jx0JSQR(QTjshq9EZUnT}z#FRaG znfN#lc(Q8271H@TV|9a;n;Zq6;G8eJ21@k9#JQKCgm8dr6oEol=rOg+j)2uY8W zUC{4|8g;LBO7imEg)|f}slm%@JRjbcaKxb#O=dU{Vm$29n{zP{VZDM`m}OYajM;Po zG-9mOdf=oQ5TzbT6zOWD%b2UaK)SD5d>f!U@RR%bF!`^Aw%&y8+dh0o*}Apk|JXT= z1RUKp{xI~jG?HP|Z6;8K7g67|uyyaMFJBOPL&4_kOgkg9!^9F{X}b4Rwm-Rep+$gh z^4fcEjo$Wji%yk;&BNa^EQsUEaV78>{N)yN|IC%;$@Apa$b4uaalOFYJB=9!?D1UE z{8)O}CQrt}KFN2)&kddvS}=?R9|_0!1kl4tYP|kZRqCjIFSE35Xv-f92@0EVC3?j$ zfZql#0-P3tD4JHh3|?h#B6az_zefF~`cwgI;Zwc~JYwuFs0)qaUO2&+p$l|9j|-r0e?`4BkRX}Sxr$uA|CU{q5RY) zgy4>mddEElL|bZgN&K#OF>L&77eFOkRtxBRF0H#e@lOr7Pb1qMVy?TnqQ@187cb-6 z>C8F4h4envDJj~NVs&$Ew_z35tyIw-A-eeBL`S}E9=Upy3h6{hU4CxfrjFf(thaV# zGN_b7L8vjeMNg|8(Z|FnR+FvjdMqGL^ew!@jGM9k*QHI*G?C^@7$-viTh>nR>*<4CU4;nim@cvlw! z#jsSe1Ab#gytL2GdY71h;h$~S(I02K%HsNCy`A=2+_Ma7i7V2#Qh)r4<0}=yA~2rE3CaF>s^U_EPHRa=;=C!>0$lfP&)98 zA{QEmO&T1RtyzNZp+Bj1dd`qoKcx;fJ-#F11=%075-^#8goKH$4zrfWu6A8Z7>X50 z?GB&-SX0{g_=B`Zw8iO_O@9ZbP2Nb$9yWa=OMeoKtmF{*3LC-SA@~2TUgHJ6qqr1& z3YDCHj;PT!-Uy9Q@B`$wzXFWP68P%cT2O4WOtGH`!-{S6N3oxG>eP0PuAo61J|Nxb ztRMNwHAnsi-%$z8?skZI)s|V zOczaby}kj_yyPoTA@WUYB7K{4+FG9k5A_31$4~E{zrt6bq5n06%U?f^En`@+Z}<30 z;AKRRCAq3D=eGQDwoNPlwGPR9+YD{vT8tD|U;gLOZ;KPkx6KZE9_Z~(#zw0)U8`En zHj|yz-C?zt{PdP}cT7)t>&U+8O`Vjtq625#O@IK}diaNiRJt{?OHK)z2d{ zCOyYH>~Zxi_cRNe+MKw%jON2_d2i$${jZGU%fvNOR#@5lAr=gMJ_|IShEq6s$ZMmPLnqH7 z4AeT(9+%gKuUfn)_4gLQF&6CCqsuJXHa^_ck(nn(Iot7tkM{R$oyHnF^`z&}n>}p% zZEsW^TN%Nr+k?mo-Mger?Y!*A<+BWFn*vm$( z1A6F2zu;tXCJN*!l=_}|Q>WH#`E4>?vYNTTW{M{ND% zn?XksU651@NnFMM^Y`&PFzLm!ouG6{E0GGX^z(K9lG& zW&7)E5FAIeLRo&XR^b4e^SmKo;xl=^h81k-$^^lcj|gs5Yet)42uJY&;!91ABsKP) zcEYo;R3IK5GjdAYjxmXy*^mkjyG|NxBy3(t*yF`gob9jM^46H$rA>4t`+WPb#AU!1 zmaph+NwLY4+Q13)v*Pw4orUuBm=0C1{CRvg45YpcwBslJEXrn)Y8C_~>h5OE@^q&& z@t@X=L!B3<`yKx>_*9!?)uEBEeI}yY*VsI;47|4uh=s>r)omIXOnknS?iS-_$n0#P z>b9U;PUug~v&CioRdLjTduBfC#P7bq0gG4u+U zlg1-5h&`b8hYEl!<)c#igX9d7TIv2zp8LPi0j6>$YQKsl)?)D=3YU-5mP~w(DdRxM zRoEDI+F6x@z`7K4uEtx5ou8$l=@NB=+67uMtYds0KnvD|PHZ01T4Ogir6>1T0~&XN zNorASG+2LOMFyiDqwC!!LBXF&L|e2q?5&qYl|`Y^dbR|S)T~^pUSQE{O(L~YnRev( zD*DfMOrGAOGtm`WxN)>N!6K z1h$U-&fP6Uu6A4eciFOo)iQi_&{O;tOMO3l)-~b@5R_c$PxPTo#Gkh@FDDIDCsJ-t zG{naI*k!nvG0N2$_CkeuVjvc)U0fY^O<1D528RDz!V7)Ce`P4U7Rud-uC9xVLg!L2 zTl5|Mu6Eom#Skk|mFmI~;u5mJ5T%;(Bu_QuWa!km6%(#n;n|LAGi!ZU6+o({%0Tl{hB{c~UsBzB{9zhV=oh~-3D z!pJ2E=js+l1^$8`^z*ykvC!QAdXLpIa!*`8ACa_RS#KNkSs8Jk27E#tr#?+^{oyvN8V|08cJx@}O7S%tCmHygdBnR-}B2r)kRgUr&w$#>}2; zjM`Mq&5A_8xH%B>Rs&Q2K39h0N-!-D5S$nuld+galnGKk2x_PJ8VUehjhN(0v<*S0 z;{F1SwQhnpwq1p?_5Ixhwl~*mHEL+7-g=~Jba;{c=|k(ZwQ2ertbv%PHq0WfSHceL z?QB~Tw*6f1q$Bp$E=ZES(8ibUBpf1=J<7Idv`SL02hvXkg9NGK`TY~xS#SzOCx30E zKP5yvG7P2B^+_B4`QiMdJHpMUV2h&(O8s!^jq1x=cnMeHI=*F%ztW9I-sn7Ze&t`A z1k`KSMu9vpVBT)sr3;~&es?-!ofqi0U0BLnTbZff=u-7Q=~&gMht*Eq^-*Z1^o^ zMLLn&cV3feQ~jIpjJxHT5SRE1^9R-smuz4`6}5~ZY$0TF8pLMW(Qx{0LKtVt^FZMv z(wa$Mnd%vn57<)fyJe6GJDbF=1!72JNZE}uBM$hbL~&g-U=KEWl}2nssaPI6Jdb#<%2JAB z7Mgb-a=_z`->AKB5~34YpvjM&TR4hd?7mI+JpY+x+@@hK*=gjxGwVT@Ak;PdZY_>2tgpYB!V%aBpu? zM;&n+kS>Dap6^ZaWTN(69>yuY-rF4&%rFTI{#|y%BxID0PPM1w_l$xE5Uv$YTx^0e z#gOaPq!vF9F3;42X}SRhXMRW;pqU9YR^=~D1wQcG7!)2R8Ya=bFuspG*u6Zp*C_ff zomv3ArE9$Zb(k8F+Kb?gSOar1N5<-*YT$(W1VjNV`i-YR&wN12#K*e=Hsq66HN1ZX zUc`ST>=Vk4JHL`&WG`I0PqAYJa5n1w5ok5o*1a3%zxnBR1+fqH>&=)LFt}LO}Qvm4qBeq~c5> zov0EZtn1_J+v+^uvHu_8#{Vfe!tgafz;c60#_%l~PXyEtCJ{LJ=>PvWA_W8{+{Q{v z+?ZFZyL%Qr$=fvgCRR%5Efkxag>7TM#LY$4rk83+7+qm>t=tU8hI_g8I5X9*Ov4u4 z7MI#RuLN_OmG@73lKHH}@!A(z_}BQ|2_0vA(3MTGhTIspb(iu$`gjcgh>s@lM@D5i zCkkDe2|D7-Ct1Wr0owY7{k>1Vc#>eBW7*a4%d>Z0(!=CV{m9@OR`zcNx*u3YV7g4l zvz_-YaJJpFFI?)Yi<)+s@foNIR17`ao)V(4$3+RxqnL2>t5 z=)koa0^--$k+jN|SK^(FzUB<9ghf6x z%)9vwixoFgr(ir4p0oH(`PRMv7pcM`WvC$>{_nZDExl0K=V$}EB-r9g3BSgp^QUUy z_!lPrhYYe^u<-Yu*iU6E<~^^Goqdzz9yGH&qM0w7`E=toI8p#hq+J_EAZUR-n5xUe zC$4P2b}}|$r&IAViPV)IR298YM$_rjB|-~V`Yu>jxzYkl=v#J|4P;t zb%(v29-OY=^hq5^=sd!3F7ZEiaDPAtFOhx1L&`I*F?SHH`x<$0z?NfZLF z@%`7<)GKk7ZlIlypHg~$sO3aPvDn3{%eBk%BNwl-@XWi=wnhHY(&P>-wI(0TltCPv|zM72`-LF1BNJ-Ii5W6~&5#DqyOfvCAs zu?#hdQ{Z<2{}+6Eel#&iGzDSAve2h!JOcb-_pky5%K=`pF^)l6&YTMCSe!|5YEJZA_DYiWkj%&r_fYjCJvCt#zfo+2 zQkCIgx%BMDs_5Gr7wlV~J@{ae%-lP*tssxqtUYU7(!WvA$ar`Bza!yqY=EaH-K}rwGa=~bL z4btI3^(WF8L%-iF2+<6NFUgiALZbffd9U#_LYWL7#X7_VV;D(kPlOQP!Av2{z5-uF zYAKq1`fOC9&q96i6~s+gq>5GZRYIbbGPT&PV$-5AV2ZQ&B~=Fu zkN)r9a>(!;G4BcfV;#AI8I8)%6)do!eL>!oyEZXGIRBjj8m1&6$&Zt&*50bwYHV+Q zsA>M4?_4t05bjdMTCTYpgN?s!B^Ofl(yxt;4O|yt1vB%Dd;anqX_?G2{Z+OFo0@u? zmQU&4iwOTgi-b|*RZ%Ms@xCg58m?L=Ss%Cd`Td!j_I)yQucCD9@og8EWP6Kv>yu>3 zWw*()Mf*aVSEq~?amLm-M;~8WCsnzK>X<=n{pAeR;+krgPHnlBsN=eqnb`wKE_v!^ z`R@CNy+w#1hauf~;HTZJLp6mLOOojmi)txw*;1dvY|*@eRCN;t<%Ma2Ry} z)DMm5C+LKb=!9$8144Iwsm>Q=oWOSDKNHvC*U%ul#>`FISqRlv4~i$k!F3&C_z7fM zDcw;rV+eQ*Uf`o{Duw;j*GthZJuyB_h?QgzMqKHI5PcG13eonh7R9Igz%PSlMT$EN zbddmR+c@SmbXTG9wG!P_z1bk}1j?Dg@Zh(B3H+3yEd_(`!=u$6mFNMN7J$kABz=V)pSkyv}q{=)}R;{)AEv%C*OV{`l z`FbNVvdSVMhoP%~ldtJtc1(m2BESr**1#%OpQnlrVzPmo-0|cRR9rH_89a|K4 zxx(1vXb_p9f3POIvc{87jwIb3cZ-dOx-xDH^XB?Ba9Ay{$oXrr~?-8tb zmD}2reYHW1$t$Pdw(_F3qgMj+9gG5n8>`(rQFD_~Ck`atrjy%ht%~Ld^>*?=2V*}Q z*zKp@`Eb2-{FG2Yyu1xw?^3j3`%fUCu-c7w0*cO0X*v!;cHaWCajjSYC0az|&Lh(g z)}VMYdxz_By+16&HJG(?v{VZt#1aa&6RhXkAK{O1r$|pJA|#BqwEU?f@^tQNh@AoJ zdg@VZ`Ym`j`h4Z&BgQ)nGiT&;4J01*71zLyIDeuC9?6&53+6PIcUp?VhFkSD@q3Kz zfi`~{yV=!nujNE?lgc6?KxW7wIt|w1hj9g-a3^&v25TWl*=}qwEI56uOVwH=bh!nq zp+onNz!Tsuw-rg~*t@MI-_bK^yuBw+xbvJ2(We!?uF1A=PRTd8Tnenu(=1T=+};YZ z!xd4-+XFUXIUFo(c*E<%EzS=ab+@C6g;m43n*J;^{jA9wG0A&;PS28J_C-LVFrm zr>TxTv9A~}e{(kau)6OEiJHY>$lVW8Tm`H!c8rW!!5B>_KOu6HSFSyDS<3WBLXLBv z)VS5Z@UDw5OI*rc6`}MQa>9Hy3%pq6cRWUOk}|PT(llpOg=oZToj2+{5UfmH{x=BP zy%b_^RG*{96mrf#@cWoNDI$TmmF>}+i{HQa2+swpN^8to<7lj7s$)$HWK&88G+-lJKITw`ph=x{0%Sf!m_UGVQc3{B zo_Ijv{gyOndLcg~#_MnZOuR=KIF=X=iFicc#yQFv=#XO?S1|?gJ^;NBzrOvB0TY;l z^3vnHpAWVh^TB|N1aS_D#usgg#z#;+S12A;>nlGGIVbET+UcJ7VELFHe_r9&(4o!t z)i}21C>1vu5u1YBDC0sVak_C08h>KA6W?fYZ}7!KfQHM9nTMKbKM)6|-*e}3dH{a$ zH`6R)H#x_SIbxz(W(%LD-s`qZGy}Ww>_pAhTlUSVzf!F1lbsg@wPpo{zV7k}FuGK` z?W>Qc?}=V49q%}DCBn~Lo)t*(j|=ahhSl4eIYSI7EgBp7Z?$5UOH?DCrOD0|{uItL zkE3e*b6kW^g;wMwjMW~SqQ}!L$Y=6?j%xE5tCq13Pk)u=5@Jc(P z5!;0_{NWq$Ys9om4u52-Kc+~iO<~bW*;JR&n00W2)!AUTJn*i*bN%){JnUGcO79xA zrGV@=4`x9L<#vY`Yj-MR`8B$~@eW27fcT`p8X%4~F#5RrEy9cN=;A-=y{{2%duiQ+-M#w3o+rfo%9}(+xIdyQoL3*Sh~HkM=%y23YwO;4 z_2P9Exgq$lr_G9J4x{Z$J-xHA^zb~=lSgjH@?5*JofJaWPBFoP_2 zNObvpN#e>=w|FXBNFH8lX)GFXvaIN&&bk*gTl$tPFG6~F?bH+pW8?F)?&o=$+YQE~ zXZ8!iR%c@%Y*!cKG`X!=^HEg*xMtRZaMwI)gN`^TwOz)k>H`zx6jEVd!w#T4->^iZb!ErfQ}%IK5A_QQc{mzQ}!#9q7>}+ zJ$d+V=T6{V$m95Vj{#cA$8q=6J@6htvzb2HDjsSQkP!Y~1TGb)9nL}Q2V=#sp2L7J&b8j_tgO z(y#4rrA}8)#I4G$v6M7iQJ9zXY_fmpt{T2oU*pBrTXj{~)8j&CzZ(wmNK7*{O07yq z9n3WO9n|g8R`9?Zw>7k-)ZJ<2xv@nti?SJEi)g`Y>PE%CjIb=Yi5xXPO4alS zTK-2~5v30;9nG@aW+Yoym5x*7S;n14RazlDx=fsh$7=8z6UJaH$G?M5%(w_f(E@yz znsB<}o*_`Utd&w}zYE5h_>-yE5&&tl`qY=xS04N^ReTLSR#>p|OjUuzQZ`}z0PK@# zU2ETg`D5EMhe7ptdhZ*3jw&_ghrE~#rs6UKa)G~|>jIy^ad1fhGg;HDGAn=It028x zd0x||wUF&UB%EOL;4rLnJ)0akakxCcBUTWi7j-sL`^C_Al3u*U z!C!cd(>)pT8ul411R?&7gnt)X>b%`XCoWfQ3Yd2YW)w`^=zkEo-l`DUS2B^>;idUB22Ims-ifOa9UM9ol%uD=p9N*>W_D&#XJ7k>q`&T;`$t z4)M8wajo-_X8t)L986kps8$z>rBnxrrLDd08pjq-uFy}#2qNTK60R3>H899@Ua0#- z7&!K-J)rJ3@fqwW5JEq!VPj3ER}N%athhK0#x+zj{!a06ubn2sz~)oc(gM;G zNQt%!%mJB-C2C@5mIHczUspZ;$?$VHZC`WFFmQPRjpp^ z8&G6_bDmFq>UMGJs1@%|MZDgtPXD&{T%iCUt8EuEBZpU!w4MHJJ%k)88M=`b$yzxv zygKnjn5eugaXx?TeMV3iqa+5)Sve7fH9lson3KFY>VVKj8NG=m{r>A1|7yE|Oj0hIn_eK6epdo^F)9-s05hvU(LNx3Gv_s{i z?GWr6$}{AELM{fn0jKQ!KpAQ2zJS_0JHi>UpYtna4{VCJvG{m*P?ug-pPB(_xi0b3 ziCb%CXfqHNy;ILsWm7K+#75qtW9MHbTfdt>c46_5br%47{Js0YL;J>J(Lhb|;$B*2 zEA=q644<%?v-T!H;G4;g?u^H+WLv(R1Ay>ap`NU67?7N4H2 zjl#$dft}(Cd*N^LtZat7GqZzgGn5haENV8ph9=z+JYwj69mxrMNBr{5Wn|>8r%hYx zD&LoJtH$36Eo-;dy$3US!g^B4_WmARj_sq<Zydv`e0)nYIrSG4^fc2zAr4#r$q zYDDh3xc#C#8w~?h*{#!J_VRDlrG~QSIoFr>d^n-9WM^ZIuN%!Uq zKpqzwi&*)ZG~)_mGIwb{D7jAinPU#d*XL_j7;|gXNRW8VQBt*oF$!~QSYez?05a6e z*obAD2nas0ZxI@UVbK=wcl1>O>#E$+Gbf*^ezm%9kOu5NSvEic7B^OTUWz8z$zlv z&RKgfe7-~SvhhofAJAI6#gMP&a~hu(l}x*!6cEG-e2|#^9rDHz--MkKR%?y6M!$q* zxJ0YfK_NUUCWvX^tsZ(D&-qHj#%LOnP?{MNkl9}?^YAndysuVJ$S3A|Q9Id;cla*{ z??PwyCfN(t#4B9lPldWzzp`vBvri>Uu5Mp1yQOMhBAhRZ{ye%Y(PCSC=4smb2>x&g z$p$(Wm~w;3TM)O&t`2T{Q7F#VMuLyNOg2i%HsE?$Ny;sgiyqj9H9bxHFIX&BC(! z(yQ8{H!pK^T*mBl+t#ODCm^IMLYb-Cr*i*H?80GmA5f` zdcWlbvlYK7f5AuNPMYh!1(Y->`78?Vpj&r!2Od=O6)@q*>Kw4wedVp@fA+%u8;gC1 z2XbHCuS6=RjX>|l3c_c_H4se>_3kZX;TK0>ghnUsdTe`{5FGXn z>lW7I#WQw5XZ@1wFT^x!d+`yg`sb4W7W8i(ULV!HD8=nQ_l?MTIIE$$c80c-jlDlq zzx_Y58{5;EvdtK}Qo0{?kUKca0PYkvaE~{sa~wsi(H}&ghx1-$N-2u}6Bi!YveL^e6%tql( zc!Suv2OcBuZ~Dqc11L+=`bb-{60QZPwWmDPT0HNf`=|4?I9Bk1kk5dI(n2(@a1R+y zI}N!Kjf6|4k7rl6xG;RBlM#F6gL>e-s#4+c2J&h@$`RNBeqR6mRjD$KK^7(F&R}iz z(H9MGp1k6#;z;1IhI`C!%55k%(~h}(67qX+ill7fGJD~n%Iak2F|@v{{IZYrpXslU z3%f5zH7CXb3?9&UckC!EKrU40#&>#Helyo78m)Xt8(r3Ln`|qL4i+l`4^h?5JjW1? zIdtXgglZ~;0uF_uluDF{jz+=l2`lw(z!-kWCk+V69c;obczF8DYXX86@ZQM(+V`=e ziMz#kUH@xCWI!oaN93DAi_YBxW!3*>A&tcd-M{b~hptxBL%bp+OYgxU z7+KO`Sg_Hu68dL`!DIQ5Xi41q+^rt}eL+9MYcCI`xVTXY6I{%-^mhJx>=`6?;v|Sh zjr6YH?9Zf}>Ag)!AJ^OW=yQ5nXKT`EgF<7NZt!>@8!)LN7Dj}MRv6uCiX0Wii?^o_ zn>&9N=uZ@ZzjGj=iLBbd4id+6i2_X93jmJmn2Gid*iUNS4!0jmf{|Z8G5;d@{(w+s zko2OyD8@jhBA?inG&k_l+&bUR0mZ35K-_Z>5`$ta-P}0PrWcp3mV|*lam7ykl*6|A zx)k6}_o};7`)(6IwP{HF?x_Th5DNAv=@A&Ax8Ea>C^e|oWf{0&sc?g;)1s~2L#V@R ztQ2{0dn=0$uhU$?glK+C)oOW@n)}(G<=8PoyBv2>&_>|k-7wh#EgiLGZBrKstC6$+ z@KNa8CxdoZ?f*-4rrfi?7Q>OTx4%frH1Oz$Mne+I7rk4oZ@jzw_vPu+jDn{2`>ptO zZ<6)Oy2HigF%*M<)KBJl(#bUs6H*zOk_DOqvz|iY zC!CcFmomHX1vngubwHZiI0=W30cfLVJ9DsD-3vAtMTksSp^9fq2yTLFdD(#I(N{)vOwE#( zfXkoSzHpDkTh=CM+daL1;XAZa7C0o)NeQfN;-HgcBp`%G(?K`w6 z?C-uVz~xzlr?g0~dcwtue?jYTz%o+MN=9iQmZdS+VV&YU8zO*<()wadJC#kFM0ZbD$ zbYVmh7KJX+y!v6x6*e(;9r~8N>#ERW((r?Abh5#Zlt=89(j=q=R;LH`YDh&1fx`Jk zB|c#Q?BPErCZDO^JW%h`MQxs!Ag~qE)SyZWp#{T?6#ZXt7<(oW9eIhjE+F3x-u>F0 zq2Ip&9+d5Gd@$X`UOQ*D-KwG60KG&a@}+m@?nJ%J>~O7{Cqb>&^h zVsFh?pJ+S5%%gS>vwJ~uKX8Mvb{;OH^*%)Q&mg|X!PjJ?6fH3h(+Mf;F=|@^+Ro!# z$Qte>77j1`j<{&506mpjrJ?Kln>U?a?*?Izrg?%t#&htVe+K?|`Nym9+1(!!f+;EN zfeqV+dKIQ_>>s9XY>tX5Rq&um?193Q0go74`lmDCj*yo^1O5+(@jIp$Q%?Bw(B!I7 zg&sfC8Z9SSIDWVeZqwW(RLkegCr9G{3J0xHFEIauKApJMR+N8sO{D&t zu%2D@Er~3L{$0nuk4t%6S`fgzKQsLG;l!Ke?VG5Y<^z6qEuRV8<+8rcewz;G?5HLx zk54YyW0V;<9bm%3$}v(gB=UswYe0og5fPy8P9YN)o5e6F3KXhpKJG`XF}lqS^lNwWMFP9VldP&rdjW0e&t6-I z1iE3Kp)Vk!#d4~MSIDaV;w?_}@x2a{1K^VnR%N46`*%)Jvq^}`&lH4A0cSTnCjQiv zEg=KORq-Q+hS8Y)rWeLr$^i`rr2b2q-zYdyT<``71?&vy)l7Cg9y}(@MRfib5hPwA zX6shGq6yf!@@fQW-z7$kwz7$G0h4%PH6G6#(9=YU1sBxo8oyY@SvBxN_n6pgg}+tj z$qrWMcciWq(xUtNty=VDseQJrYr|&*St=*9gb~5XJJpXpNPoxTx>@mjaUsj9q$n&Y zGpf6gGv-HRX^OMLI%)E(oGP$0oRupkZ)p5kW!*0b2hi*4g>jgIh7j%$08aqmvj;rY z!hobbpmOcA@XO5VGbumX%!~X;?u0W%nP^=i+1xetYMEk-`|SC1n=Apa3|D&q?oawP zNuM&^Mug)*+m4JD$&JEO2c+<7d5Xt}(*Ns)?G`Wp8hB8^MWgz>aDD8AJyU3-n~fvx zb!W*VaDL*e+#6$;;JTUPaYgtB8`>Phn=Ei5GCfAKrXNYdkBVu7es*PO+{6P^cXp-u z?Ua}1iF@p>aB?^AO!OJNG1qGnvu|i-i@NJOeWYFiKJfL}U=sEBl$+9%mp3NHXEd}q zU%^6+=@-0=?bRZ(EI|Rzlo@+e{1KnaX@kuGl{>SDTCu4{L}{L&#bIj6?ZnpSKEm(a zqhr&^tp&_vRUHPR9`Q4e zV7DLnBMxIZBZ`kJ{NA7}4%`dZ;;w1bxk{W>JUb#w!ga5}sqJ>eufjCqxov98RsJH; z5sF*6w!r^Oj_%vHkQ|G0VMP9YX45KV^OOld;m`EFmjX zcKol@Gi^X(w+T5WJbZ*>sLJ$&|KA0uG_bS*b5G!aaMUWW@JIli!^F;70yD+XsT1G| z2**)WuT)7JTevBpC}R>E{^IQ>3MmVy0Yj3Ww1(2LhISv&9=1wQ;2sKF4I@~@&4hhO zZlUYyE01*niAr7|Rp%Uik*hG|0R%FsZrE%ZgAdqukXSs6~_Mr<> z$p_iaZ?n%H%Okj>u-d>yjO!H;5l&EE^pP%^Y70+&tT-0@)8cdVmBCcDnI8E1J1Ez< zUKy*MiJoeIrUlfg8^{5fpOs8S*3_OIAZUy+cYysXv;=kWRJrlLlzXk>_&4SKnPTM5 z>E)KvuvfHw!=7)&ozHq5Mk_OY5#ss0`_luML zj6uOrAV#GR84G?}j}|1+0}t%KqmnG@mVNFrlYV}c;WKmVS-sagj#1uq?|5A{?eKz1 zK2Fa(!sZFzq4_hdul5vqif5E{#@ciqVc}J5O@9u^$gADvN=kv^$uf=Fg~VcTCr@!s zZ4f*gruYyeF#J6+3cKOmTmq5dGE9pro2L2zTQyke2xkBW1qTIRMx+uA#2_)k9zl4B z8n9O!4x&|EVwq34lBsr&6tI!03?~(}eY0QU$c&IwMaUKQU2h<@mL(8pARijGjCaW+ z!Vw`SA9}noxY`5mm1GeIF>080RDHU1jl=`kAzzgbbJTWjy&3X6RF-h%fkl6MX&Yx& zUS#`IJR>Tz6|Tpx&3H<x-Lop@N<>tB*6!5u=J=PqC>JwTbr30S^GHRBu!Q&v6?5@XVJXo` zJmYF%0v8gRTfwuQb9*mBa?rZov`+jpFQpFMG!{BBp@5~7Nme821P~4sww-#Q`ugd&l{^=?;zsgCOUCOdCIIXV8kvJpUL!X_qaNeFnj@o7v zTu3(fYBw~Rvo`Ew#7*9HhA^MdJjsXyX!M~=538Hc(jQVgqzl^A#AaiztC8|CgccLL zUkE@qOr;WK;t2jo(J@zr9$#Q35k4VI8kH&Pqtat9!ui$|HN_HRkeV;k?ZDJk0EB@C zYAcB&*$NVhY4NE9R;qv)#AC1*3E|kFB9J^`Ow}4l!bWwoSp1i9*8#!%(nUk5?|NwX zT=ruj+BiMfuhGKds%OK4<$;&oG8g!>)!*ZSq%mmoC-dZ=pFg{OM(i=0u^Y_=W&8_^ zZ)g6qX~910aF^9|`{?&sGPmw7(G|zGv-3|sWQ48e!=(*hJ*4<;0B{pyVU1<8-$n>cB+WHM3w0ia^#CtDl*hF2k}6$@qJrJq~~u)TAw&uua+W=Td1tw{K;Z(Cx<#N>}dr>&4+Qugnf z6~@=AEEr$*>6drOgK7?o=J|xRR2=h_G8%9{)lqi*;)cZ$FL(Y$30w z-Z?p*1J2fbK@UOHFO@~|LUXb%w=yuoKOfzkQO~qJqc{M zLwK^GhDtpqg9a9C>i$>xm$9z0bc8f`>oj>nb7XOtJQkx(`)NMYV;$AVI3%7w9`kF) zKA((R5p|2KkGt?@^GaM4CShIuMs2(F*;k9rw;8*Qx!hLXiOcCf0O*)TB{vi`RCU7- zv2vz7FHED2ow1S%zM>%Y^b#o}BeA_wSWlw8WR#4p*UJ%iO80A|bb@UR3j-pdseN$* z+j8k70MoCb+oIPuy!Ou43;h|t2|oOC z+AF^e^q+{aM~y&#bZ|`<2pE>&LlvCRLEF<}6Vlh6I<)*bbP;j=#bHQb`Z*vDfwm`i zY?-gVzR%Hw(wU1EY#nC}C{kW0mz(5y8A?(0(vqSHatKktPV;qbzx@N?)79S%rO7nR ze7LiiIL~PNbX&TcA;RT z>&g3Aky2vCm^k(;^(30hk%gpa$ZU?3gZKl`8E9X(f<#7UPjER57Q~?wKteKinX5RX zF~@TTyHG$l?^+Ag7DYISt>iChSfp?}xZ(}rL=uc3{am~RAtLqz-)Lf?><9=>OL(0K z!r=n=k79Q`QlI#XED0=BKgXd?YDGbUwgn^jE|+^0725@n(cwpOtVSW*+t z^?aN3^gyn(lanRxwV(x?8C4XsUWO1G+~ISZPHIwj`4J=7#rzCmhtPx3OlSW|?rje| zpN;yU>W6qsEQD7C&WZ4qtvSUmL?!w42+cF`{ctEjw+J z1;-*50z&ABr0X)!e96F4CX3JpGB+ED&axO6JOQ8g)@G)(1)qlJA6D^{q+{_3-k%!{JDRHd#doDF8qp~)zi7{C~ z8R7beXM_W=bi!FHWp%#KU*yzH$H3|xISNA(9%UhWz?ah7v{#L6} z$BY5<5Aj`E@H0zp{U4{6Y;1yeP!{jLHbK*Vh-zg<-UJfvA=vvR!1}_o$?CTj@4`R8 zcEm--v@{L^s{=?4fN1*jYGO~=Q0*P3(9VT_XE7k#wLJuSzihEZHl}tk9I>pa!(#mj zD=(R8#>}(G#^ea3$H?h)pfDuo;%q$U!nXIk<_%by4y}(OT0kIXTZ7t0qBUFtu7z;q zRTE7hVg)T;4k@KD1R+o3!1duB9~kM{LO0z~%SxA&X;WqXT6(2gl#- z*fpFiuz%;8ILLfXFC+Bq!qg<8 z6y;W;bsu+0C>^5xk~OIP^Fe1y9VBJ#0+DInui&tv>yI1?&IM64gKL@`=B60%gxid~ z?S2&jLt4`V49F!Pn7^Qx2G=`SeF@BtFbkbc88H32s@E$Mvc+__WJj6=w%L~&oQvYT zXKpVCa)Zu((_eTtS~WYwJY%TpNJ@VO9`CR;WK#KJ!y4iK1!mIsAbCoOh#~(B#;%D1 zfTl_ZM`bN%^n|p;s~453z%7#(Pshi9`0+!(@o(IUU|l})FM0XMlU9ps6l#**e3wY_ zY`nh@@9V9VabbM)#YCB))rQ|rPJ8pZF5`gp4VM%8BU$OpaxDfEk$@?(_F8+13*7jz zkiSGN<$Kl{!reEzlyv5mBby!aQ_p_XAYSCdVb5o{LT4n-eHgeW!;$rn>Nda=;e)dS zZ}oT}WTJHIJuDm}1|m&pC<8OcT@Zx82Qbc#Zu}{jp%a3hO~WKEo)U154B5RH#s0Rp z&@_UP4k57CLTQ@S`6;2%2lWh7eQ}m$;^tn6BfcFno4{s40?QqEYY6BSucC{iL zGN@3O^EokZu29pO=uchoy52s$^WZ__T0c_7(>u=2 zX))j8_qYh^nsCvK(i1iEl=g``;Dp;QpY<=HGT>$ePAoWQsz~)~7_L-B2@|MHyobr# z??6wkfDnUA@Bk8#Wi8X^-x%8t7^9sA5&cCB@b3Tg0{h0^CgeYUM;8i>#v@N63kk<1 z(7ce4*PqYjo_-w?L%~juy~!+nzq z&7CA^G$WiUbmmiSM8K@jc%1SH0$whTfDj2$7H9q&@ykJxA3tFl%gBaIa*SRb%I8AS z@4p(VcSX1}@NMS_0_66n*Bht-P;~}D9v+QV%5z0($9_hyL~GX{tdqLXXQY9D7M|Of z9nG{)U+bL1SVy=snDVYM$g$a)XTO+SyP9n|><%|tnQmW1;RDX_^W=zym(zRM<|DPL z!aTM$&{B%Hr3O(`UkE9fLZa?Ea9J36l8HkwCVUje z(HZm7F{?vDX+A%I40W^D3M8$U1}w;#YPWL%2oYWhi) zs1Zytn3ha`EJjlDu^okvN^>b+X4H=KSo-0YXsAuuzfT#!)T3FYMx# zKQuC|IdH>4LvB}ey8MB2HsW*ZEGdP(MIPBIWUiK=C6Twf=&**!uY<}iJs6&*uI-Q; zdNzl=3jq6r&trH4z2!NoBn7-@V~ESgN#Jf?@(qNUQ#}V{V0;+c5TJzoJcDHvB{e^V;p=-JkSGdHlCiO@4}Xwi8^24iFt(%zy4 zfP3r}pncrXcgxY14iBJsOC;QM%C9`@w+)lm<{>@1nrP%5q|@LMpaf^zLN9nvylOOk z8E>VEY@LyanO>djmOQBEW%HlHGi@g&T8o(}e(_leD@?bFEtJZR7dPyC@ZAYP{}5dn zK37qmJoNOn{ZLQQ6~6Zz@6^R?GS%6(xOFEyBWgVFFHJH}i8=8rVaJb)xV(BD?@8FF zEDiw6SS?sWLBkiMm9wu3WI#!TPJ1V=UAqmxCt)RSLdCPOY!gE~So2sCF{CLyA$Ae@ zaor~~F?>Day(kQA{|WgR?7zUwa$8WGNEoN+Y6zZ{0nQ8j9ELnd6>c-&%%o*X5gU&% zfWftiZd|Mp>;og3wE@T0D!y5AN5aA@nq(59dPO9$WRixkJ1ih*P*Oy`M;2}q?4@2_ zVQL~SQY!Pj5Ha1N3LhewFkjB3rz2Pv{QrXN#?c%d@<;4$Cn?^X&5V=o4g;PyK)s zgGGf2Ad|}WC!7EZ6I&>{(Y0NhN=D8{`D;xHO!};+?eqEH>oQx1%ln zyx*2rH0hS!f+ug1uPPq(SL<^o*;J-86J74#?WqcGIT+_4I9gK?*tXCsv>Rr`l2&8tjRWx9m#dv#s=)#y0id+@S6`T|29qw&UMApl%ZX}#EwdE;kuIN!YblvI29=u0v zYI?)5n2fknaPRwPZnk3qg>27&e7uWh+|eB2gxF|9%NMH^j)lCOzOv;AojS=c%Mwv9 ztn>koSL_7Ny#s)#4&DTW4xgC-V9=tbXSgilP%H5&sY;K8xgle(%0l%8eEf4-XszfTi6xs+s&F-<8v*KQV(iI|1i1tEJD?L`{8qbg8CM{aYA=v^|cMJH@c zlrpQBs?D+@E-*pq_$~n-7f)JNqyCgJ_>zp66EUm|fy38s+=+`o@foeMO~5hMdto zlu`c&<%$vjc2)BB6@^wZiVc@0B#IGN-qVzKT`J z6ZFCQJ=s%GpP&BZK>DWC`8&c}@zF49Uy!woDm+o+3k3`u}E zmL4=>nbf&ya8-a$_tX{ENQ~mUk>&PYvi1kLhkWpY-q5Z$=p17V_uhGu=)Yj^2|CGl zOnMiV^_wY3=&}he_yQ<@FIzb+ygxu~Fc&FK0s4ve`1!jQjKG!+TBa8SUFS^y*oCvZ zh9!WYJ+}~R?=Q}p6Q>GGKizApgD>it%YV1Y!ZZ>Wlt34_{Fj^Be$l6~MH!0KBrfDs z%SPZnEkl$@Ds8+_o6ZT1cu*AHw-;I~PoH6oCP#c&CD;1^eJQ6Rf*cRv>HH20P3n;Ev6$K(z}Iu1Wc1DBi@nEe`)x5sI^v11yay+V6>u@4zF@c#u8 zN&|!|k&_^p?3i7l{6xU)SI;DW{>8w5wwZ^`3 z1r;*+9@1*K&dnYg6_gmL$#WItRLxL6r>NC(sWqkV`=m#PL=Wbj$C<%FjB&Fp^3CwX zyQ!}cQ+X}rVTnO^u_wNQ<8n=x+1`DP+xrmcXM6nQd7 z_k=;i7N{-o`Qdi!{#+7KSJdok+qgU7Ao6U`J2x-*pAP;rg8$6He-_FAt(mbdO z`w{BjH0<4~{B%_A)Abm_H;EUjImA%T(`b1S*Uk6SD;nRBysfd1J^@@ej_@vS=8MS7 z5#*B#Tctl>?{-&+@cL)IN-8d59|e5p|MLz|V7%2n;1dZ-FwY50%U%;i;8eM0=NoKUX3wiLq@;OTKP-Bx~ zj^q&+qXX;yC9So`IF|u+f4T?XozbrceS?lvxu?z4$hBAT4OED?` zWjj1>YB$!unJc5HY!!ir(kes|3)?*(i6?6Ix~Q^}1CTbc zzwb{d{<~vq?w~cdyav8h7>S8RsUi`&m1Xa^HVehiFC`%>ab(Z%#y?ZXA^>9S@kgK2 zMC4qiCEQPO8-h}%=DMQ-si2Z6a^~&;J7(2|JoA#Jh+{t^)C6ZhHtIkvJK$HwGY2dNiUJugm3(T0N3hI%( z<-uYD>6&`PUz1#Do!pIVC}?)O*hJw}%vt>2NG9&shBX`1XLQ{|#a%Y1%r3FLo4ag? zi$tS`Gh9N=2sBwp=9axYV}x#+KX7ikyfXj;bSg{hxgU+Nf39UbHmE*KwJ%aLZLuv) zXyiUt)nabR9;WKz3m$Aorc*IS*5b&r!U1&H^x5S{tU{mEf?FG1JpGHdx`XuaF|A|V z4SPZsM_Nrm&i{rHacZ;ApI&FRk{JhdcO<>F$4c!6OvS4KY9Nfqhz2cVP-MeE?up-T z99suA08!W?zeUoNi_D_Xs8r10jR4O+u4&l>lSI*qr6u`EQBv8}EHKPbm1 z9tBlW93bA)G-3_>HXBCCY;c)wCcs(N0*zo5t1 zwuxGRC49rEODvN5Ce^xu1h!gU&v(%08(F8FGpueH4HGvxbBT#*$38>KA@@x43a+Vx zZ5r|va0TY~Fc=r`MS%m`vVMWqSwADl+KQwTZUdg{<*^WRquh-kCi=@1?-nqrd0f-|1tviWpsG7+o;C$=BfsV z9nEj6AGh3zwLIAc=@$+<8?%-*#Mg|cl}YgtS4x+H`@SXRYQ}3>IUdShsw8dNCH9bM z|Lg~@!>^9MdR{=3*q{Hi;BdkgSJ0JNjXj}~(+fp1`Y@vIOW~D*y6W9tpPJOEWZd6+ zNb=Eqt+q5zCMVMitS2AecAV3JrVQ})wu>zl9M;NNwj2FH0pu9X4&Cs$ zPg`jXV=#Q5_RrWJ8%wdggVI+pCUwPxevu=h_nL>av8QP;^IB~t+HrPtGi8r2HB^_^ z8wmG2;@NNiONSiZ+&CCDR|xfO0O)@OVZ^6kS*%R4dqt0KCfKS0)@#0S$lmY0aL-f`l00Bli2zEme&wVO7gNg|dG0;y)@G^N~qG6l@jVXh(Nh3Wk{ ze$qW#JCf)hoc)_j_IUJl}on(tiM}nWK^b literal 0 HcmV?d00001 diff --git a/vale/styles/EksDocs/ExternalDomains.yml b/vale/styles/EksDocs/ExternalDomains.yml index a4431cc33..69d6008b2 100644 --- a/vale/styles/EksDocs/ExternalDomains.yml +++ b/vale/styles/EksDocs/ExternalDomains.yml @@ -116,3 +116,7 @@ exceptions: - xilinx.github.io - https://cert-manager.io - https://www.cncf.io/ + - https://github.dev/awsdocs/ + - https://vale.sh/ + + From d3c1299c24f5d8360bc6882d3647b62ec0c0f8c7 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Wed, 22 Jan 2025 11:47:38 -0600 Subject: [PATCH 034/940] disable style check --- .github/workflows/vale.yml | 21 +++------------------ 1 file changed, 3 insertions(+), 18 deletions(-) diff --git a/.github/workflows/vale.yml b/.github/workflows/vale.yml index ec3c4da5d..08ddd6b0e 100644 --- a/.github/workflows/vale.yml +++ b/.github/workflows/vale.yml @@ -1,4 +1,4 @@ -name: Style check +name: AWS Brand Checks on: pull_request: @@ -11,22 +11,7 @@ jobs: - name: Check out uses: actions/checkout@v3 - # For AsciiDoc users: - - name: Install Asciidoctor - run: sudo apt-get install -y asciidoctor - - - name: Vale Style Check - uses: errata-ai/vale-action@reviewdog - env: - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} - with: - fail_on_error: false - reporter: github-pr-check - filter_mode: added - files: latest/ug - continue-on-error: true - - - name: Enforce AWS Brand + - name: Enforce AWS Brand Attribute uses: errata-ai/vale-action@reviewdog env: GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} @@ -36,4 +21,4 @@ jobs: filter_mode: added files: latest/ug vale_flags: "--config brand.vale.ini" - continue-on-error: true \ No newline at end of file + continue-on-error: true From 11b64684cc46cdcea598a382315ea733d318b439 Mon Sep 17 00:00:00 2001 From: Steven <143614555+nisi0495@users.noreply.github.com> Date: Wed, 22 Jan 2025 09:24:59 +1100 Subject: [PATCH 035/940] Update efs-csi.adoc There was a typo on the documentation where Step 3 provided a Note stating that Fargate does not require the creation of the EFS CSI Driver where it should listed under Step 2 --- latest/ug/storage/efs-csi.adoc | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/latest/ug/storage/efs-csi.adoc b/latest/ug/storage/efs-csi.adoc index 50dcbd07d..63078bb66 100644 --- a/latest/ug/storage/efs-csi.adoc +++ b/latest/ug/storage/efs-csi.adoc @@ -179,13 +179,6 @@ aws iam attach-role-policy \ [[efs-install-driver,efs-install-driver.title]] == Step 2: Get the Amazon EFS CSI driver -We recommend that you install the Amazon EFS CSI driver through the Amazon EKS add-on. To add an Amazon EKS add-on to your cluster, see <>. For more information about add-ons, see <>. If you're unable to use the Amazon EKS add-on, we encourage you to submit an issue about why you can't to the https://github.com/aws/containers-roadmap/issues[Containers roadmap GitHub repository]. - -Alternatively, if you want a self-managed installation of the Amazon EFS CSI driver, see https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/README.md#installation[Installation] on [.noloc]`GitHub`. - -[[efs-create-filesystem,efs-create-filesystem.title]] -== Step 3: Create an Amazon EFS file system - [NOTE] ==== @@ -193,6 +186,13 @@ This step isn't needed for {aws} Fargate. A [.noloc]`Pod` running on Fargate aut ==== +We recommend that you install the Amazon EFS CSI driver through the Amazon EKS add-on. To add an Amazon EKS add-on to your cluster, see <>. For more information about add-ons, see <>. If you're unable to use the Amazon EKS add-on, we encourage you to submit an issue about why you can't to the https://github.com/aws/containers-roadmap/issues[Containers roadmap GitHub repository]. + +Alternatively, if you want a self-managed installation of the Amazon EFS CSI driver, see https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/README.md#installation[Installation] on [.noloc]`GitHub`. + +[[efs-create-filesystem,efs-create-filesystem.title]] +== Step 3: Create an Amazon EFS file system + To create an Amazon EFS file system, see https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/efs-create-filesystem.md[Create an Amazon EFS file system for Amazon EKS] on [.noloc]`GitHub`. [[efs-sample-app,efs-sample-app.title]] From d0a069598fd2953c35dcf1aaf8e843b54346a63f Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Wed, 22 Jan 2025 23:22:29 +0000 Subject: [PATCH 036/940] Fixed asciidoctor issue. --- latest/ug/contribute/create-page.adoc | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/latest/ug/contribute/create-page.adoc b/latest/ug/contribute/create-page.adoc index 02eaf81cf..30dd83186 100644 --- a/latest/ug/contribute/create-page.adoc +++ b/latest/ug/contribute/create-page.adoc @@ -21,15 +21,8 @@ image::images/contribute-new-page.png["New page metadata"] . Navigate to the parent page. The parent page of top level sections is `book.adoc`. . At the bottom of the parent page, include the child page. + -[source] -==== -+++include::${filename}[leveloffset=+1]+++ -==== +`include::${filename}[leveloffset=+1]` + _For example:_ + -[source] -==== -+++include::create-page.adoc[leveloffset=+1]+++ -==== - +`include::create-page.adoc[leveloffset=+1]` \ No newline at end of file From 94cd0d262ee8b2a053d864144053bb9b346e4c17 Mon Sep 17 00:00:00 2001 From: Sainikhilreddy Date: Wed, 22 Jan 2025 15:59:03 -0800 Subject: [PATCH 037/940] Add January 2025 Amazon EKs optimized windows AMI versions cr: https://code.amazon.com/reviews/CR-173601828 --- latest/ug/nodes/eks-ami-versions-windows.adoc | 192 ++++++++++++++++++ 1 file changed, 192 insertions(+) diff --git a/latest/ug/nodes/eks-ami-versions-windows.adoc b/latest/ug/nodes/eks-ami-versions-windows.adoc index 68392ce8d..5a7d1b1ca 100644 --- a/latest/ug/nodes/eks-ami-versions-windows.adoc +++ b/latest/ug/nodes/eks-ami-versions-windows.adoc @@ -52,6 +52,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.31-2025-01-15` +|`1.31.4` +|`1.7.20` +|`1.1.3` +| + |`1.31-2025-01-01` |`1.31.4` |`1.7.20` @@ -99,6 +105,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.30-2025-01-15` +|`1.30.8` +|`1.7.14` +|`1.1.3` +| + |`1.30-2025-01-01` |`1.30.8` |`1.7.14` @@ -164,6 +176,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.29-2025-01-15` +|`1.29.12` +|`1.7.14` +|`1.1.3` +| + |`1.29-2025.01.01` |`1.29.12` |`1.7.14` @@ -259,6 +277,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.28-2025.01.15` +|`1.28.15` +|`1.7.14` +|`1.1.3` +| + |`1.28-2025-01-01` |`1.28.15` |`1.7.14` @@ -378,6 +402,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.27-2025-01-15` +|`1.27.16` +|`1.7.14` +|`1.1.3` +| + |`1.27-2025-01-01` |`1.27.16` |`1.7.14` @@ -539,6 +569,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.26-2025-01-15` +|`1.26.15` +|`1.7.14` +|`1.1.3` +| + |`1.26-2024.12.11` |`1.26.15` |`1.7.14` @@ -700,6 +736,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.25-2025.01.15` +|`1.25.16` +|`1.7.14` +|`1.1.3` +| + |`1.25-2024.12.13` |`1.25.16` |`1.7.14` @@ -867,6 +909,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.24-2025-01-15` +|`1.24.17` +|`1.7.14` +|`1.1.3` +| + |`1.24-2024.12.11` |`1.24.17` |`1.7.14` @@ -1066,6 +1114,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.31-2025-01-15` +|`1.31.4` +|`1.7.20` +|`1.1.3` +| + |`1.31-2025-01-01` |`1.31.4` |`1.7.20` @@ -1114,6 +1168,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.30-2025-01-15` +|`1.30.8` +|`1.7.14` +|`1.1.3` +| + |`1.30-2025-01-01` |`1.30.8` |`1.7.14` @@ -1180,6 +1240,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.29-2025-01-15` +|`1.29.12` +|`1.7.14` +|`1.1.3` +| + |`1.29-2025.01.01` |`1.29.12` |`1.7.14` @@ -1276,6 +1342,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.28-2025-01-15` +|`1.28.15` +|`1.7.14` +|`1.1.3` +| + |`1.28-2025-01-01` |`1.28.15` |`1.7.14` @@ -1396,6 +1468,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.27-2025-01-15` +|`1.27.16` +|`1.7.14` +|`1.1.3` +| + |`1.27-2025-01-01` |`1.27.16` |`1.7.14` @@ -1558,6 +1636,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.26-2025-01-15` +|`1.26.15` +|`1.7.14` +|`1.1.3` +| + |`1.26-2024.12.11` |`1.26.15` |`1.7.14` @@ -1720,6 +1804,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.25-2025-01-15` +|`1.25.16` +|`1.7.14` +|`1.1.3` +| + |`1.25-2024.12.13` |`1.25.16` |`1.7.14` @@ -1888,6 +1978,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.24-2025-01-15` +|`1.24.17` +|`1.7.14` +|`1.1.3` +| + |`1.24-2024.12.11` |`1.24.17` |`1.7.14` @@ -2087,6 +2183,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.31-2025-01-15` +|`1.31.4` +|`1.7.20` +|`1.1.3` +| + |`1.31-2025-01-01` |`1.31.4` |`1.7.20` @@ -2135,6 +2237,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.30-2025-01-15` +|`1.30.8` +|`1.7.14` +|`1.1.3` +| + |`1.30-2025-01-01` |`1.30.8` |`1.7.14` @@ -2201,6 +2309,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.29-2025-01-15` +|`1.29.12` +|`1.7.14` +|`1.1.3` +| + |`1.29-2025.01.01` |`1.29.12` |`1.7.14` @@ -2297,6 +2411,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.28-2025-01-15` +|`1.28.15` +|`1.7.14` +|`1.1.3` +| + |`1.28-2025-01-01` |`1.28.15` |`1.7.14` @@ -2417,6 +2537,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.27-2025-01-15` +|`1.27.16` +|`1.7.14` +|`1.1.3` +| + |`1.27-2025-01-01` |`1.27.16` |`1.7.14` @@ -2579,6 +2705,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.26-2025-01-15` +|`1.26.15` +|`1.7.14` +|`1.1.3` +| + |`1.26-2024.12.11` |`1.26.15` |`1.7.14` @@ -2741,6 +2873,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.25-2025-01-15` +|`1.25.16` +|`1.7.14` +|`1.1.3` +| + |`1.25-2024.12.13` |`1.25.16` |`1.7.14` @@ -2909,6 +3047,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.24-2025-01-15` +|`1.24.17` +|`1.7.14` +|`1.1.3` +| + |`1.24-2024.12.11` |`1.24.17` |`1.7.14` @@ -3108,6 +3252,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.31-2025-01-15` +|`1.31.4` +|`1.7.20` +|`1.1.3` +| + |`1.31-2025-01-01` |`1.31.4` |`1.7.20` @@ -3156,6 +3306,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.30-2025-01-15` +|`1.30.8` +|`1.7.14` +|`1.1.3` +| + |`1.30-2025-01-01` |`1.30.8` |`1.7.14` @@ -3222,6 +3378,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.29-2025-01-15` +|`1.29.12` +|`1.7.14` +|`1.1.3` +| + |`1.29-2025.01.01` |`1.29.12` |`1.7.14` @@ -3318,6 +3480,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.28-2025-01-15` +|`1.28.15` +|`1.7.14` +|`1.1.3` +| + |`1.28-2025-01-01` |`1.28.15` |`1.7.14` @@ -3438,6 +3606,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.27-2025-01-15` +|`1.27.16` +|`1.7.14` +|`1.1.3` +| + |`1.27-2025-01-01` |`1.27.16` |`1.7.14` @@ -3600,6 +3774,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.26-2025-01-15` +|`1.26.15` +|`1.7.14` +|`1.1.3` +| + |`1.26-2024.12.11` |`1.26.15` |`1.7.14` @@ -3762,6 +3942,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.25-2025-01-15` +|`1.25.16` +|`1.7.14` +|`1.1.3` +| + |`1.25-2024.12.13` |`1.25.16` |`1.7.14` @@ -3930,6 +4116,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.24-2025-01-15` +|`1.24.17` +|`1.7.14` +|`1.1.3` +| + |`1.24-2024.12.11` |`1.24.17` |`1.7.14` From 62d94ff24f0546197647aaa886238dc68749b33b Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Thu, 23 Jan 2025 18:21:48 +0000 Subject: [PATCH 038/940] Moved Fargate note to be more global. Other clean up. --- latest/ug/storage/efs-csi.adoc | 26 ++++++++++---------------- 1 file changed, 10 insertions(+), 16 deletions(-) diff --git a/latest/ug/storage/efs-csi.adoc b/latest/ug/storage/efs-csi.adoc index 63078bb66..f4c150c45 100644 --- a/latest/ug/storage/efs-csi.adoc +++ b/latest/ug/storage/efs-csi.adoc @@ -1,16 +1,11 @@ //!!NODE_ROOT
        -include::../attributes.txt[] - [.topic] [[efs-csi,efs-csi.title]] = Store an elastic file system with Amazon EFS -:info_doctype: section -:info_title: Store an elastic file system with Amazon EFS :info_titleabbrev: Amazon EFS :keywords: Amazon EFS CSI driver, storage -:info_abstract: The Amazon EFS Container Storage Interface (CSI) driver provides a CSI interface that \ - allows Kubernetes clusters running on {aws} to manage the lifecycle of Amazon EFS file \ - systems. + +include::../attributes.txt[] [abstract] -- @@ -39,6 +34,12 @@ link:efs/latest/ug/whatisefs.html[Amazon Elastic File System,type="documentation * Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. * The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. +[NOTE] +==== + +A [.noloc]`Pod` running on Fargate automatically mounts an Amazon EFS file system, without needing manual driver installation steps. + +==== [[efs-create-iam-resources,efs-create-iam-resources.title]] == Step 1: Create an IAM role @@ -135,7 +136,7 @@ https://oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE ---- . Create the IAM role that grants the `AssumeRoleWithWebIdentity` action. + -.. Copy the following contents to a file named [.replaceable]`aws-efs-csi-driver-trust-policy`.json``. Replace [.replaceable]`111122223333` with your account ID. Replace [.replaceable]`EXAMPLED539D4633E53DE1B71EXAMPLE` and [.replaceable]`region-code` with the values returned in the previous step. If your cluster is in the {aws} GovCloud (US-East) or {aws} GovCloud (US-West) {aws} Regions, then replace `{arn-aws}` with `arn:aws-us-gov:`. +.. Copy the following contents to a file named [.replaceable]`aws-efs-csi-driver-trust-policy`.json``. Replace [.replaceable]`111122223333` with your account ID. Replace [.replaceable]`EXAMPLED539D4633E53DE1B71EXAMPLE` and [.replaceable]`region-code` with the values returned in the previous step. + [source,json,subs="verbatim,attributes"] ---- @@ -166,7 +167,7 @@ aws iam create-role \ --role-name AmazonEKS_EFS_CSI_DriverRole \ --assume-role-policy-document file://"aws-efs-csi-driver-trust-policy.json" ---- -. Attach the required {aws} managed policy to the role with the following command. If your cluster is in the {aws} GovCloud (US-East) or {aws} GovCloud (US-West) {aws} Regions, then replace `{arn-aws}` with `arn:aws-us-gov:`. +. Attach the required {aws} managed policy to the role with the following command. + [source,bash,subs="verbatim,attributes"] ---- @@ -179,13 +180,6 @@ aws iam attach-role-policy \ [[efs-install-driver,efs-install-driver.title]] == Step 2: Get the Amazon EFS CSI driver -[NOTE] -==== - -This step isn't needed for {aws} Fargate. A [.noloc]`Pod` running on Fargate automatically mounts an Amazon EFS file system, without needing manual driver installation steps. - -==== - We recommend that you install the Amazon EFS CSI driver through the Amazon EKS add-on. To add an Amazon EKS add-on to your cluster, see <>. For more information about add-ons, see <>. If you're unable to use the Amazon EKS add-on, we encourage you to submit an issue about why you can't to the https://github.com/aws/containers-roadmap/issues[Containers roadmap GitHub repository]. Alternatively, if you want a self-managed installation of the Amazon EFS CSI driver, see https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/README.md#installation[Installation] on [.noloc]`GitHub`. From c1d2e0ec9235432fbeaeb4214040bd7c3b73c844 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Thu, 23 Jan 2025 18:28:32 +0000 Subject: [PATCH 039/940] Removed certain GovCloud specific info that is covered by GovCloud guide and to be more consistent with how we handle other regions. --- latest/ug/networking/lbc-helm.adoc | 2 +- latest/ug/networking/lbc-manifest.adoc | 6 +++--- latest/ug/networking/lbc-remove.adoc | 4 ++-- latest/ug/nodes/eks-compute.adoc | 7 ------- latest/ug/nodes/fargate-getting-started.adoc | 7 ------- latest/ug/nodes/fargate-logging.adoc | 7 ------- latest/ug/nodes/fargate-pod-configuration.adoc | 10 ++-------- latest/ug/nodes/fargate-pod-patching.adoc | 7 ------- latest/ug/nodes/fargate-profile.adoc | 7 ------- latest/ug/nodes/fargate.adoc | 7 ------- latest/ug/nodes/migrate-stack.adoc | 4 ++-- latest/ug/nodes/monitoring-fargate-usage.adoc | 7 ------- latest/ug/storage/ebs-csi.adoc | 10 +++++----- latest/ug/storage/fsx-csi.adoc | 4 ++-- 14 files changed, 17 insertions(+), 72 deletions(-) diff --git a/latest/ug/networking/lbc-helm.adoc b/latest/ug/networking/lbc-helm.adoc index 5caf27b59..c62d333aa 100644 --- a/latest/ug/networking/lbc-helm.adoc +++ b/latest/ug/networking/lbc-helm.adoc @@ -91,7 +91,7 @@ aws iam create-policy \ ---- + NOTE: If you view the policy in the {aws-management-console}, the console shows warnings for the *ELB* service, but not for the *ELB v2* service. This happens because some of the actions in the policy exist for *ELB v2*, but not for *ELB*. You can ignore the warnings for *ELB*. -. Replace [.replaceable]`my-cluster` with the name of your cluster, [.replaceable]`111122223333` with your account ID, and then run the command. If your cluster is in the {aws} GovCloud (US-East) or {aws} GovCloud (US-West) {aws} Regions, then replace `{arn-aws}` with `arn:aws-us-gov:`. +. Replace [.replaceable]`my-cluster` with the name of your cluster, [.replaceable]`111122223333` with your account ID, and then run the command. + [source,shell,subs="verbatim,attributes"] ---- diff --git a/latest/ug/networking/lbc-manifest.adoc b/latest/ug/networking/lbc-manifest.adoc index aa421bc94..32a07d249 100644 --- a/latest/ug/networking/lbc-manifest.adoc +++ b/latest/ug/networking/lbc-manifest.adoc @@ -91,7 +91,7 @@ NOTE: If you view the policy in the {aws-management-console}, the console shows ==== [role="tablist"] eksctl::: -.. Replace [.replaceable]`my-cluster` with the name of your cluster, [.replaceable]`111122223333` with your account ID, and then run the command. If your cluster is in the {aws} GovCloud (US-East) or {aws} GovCloud (US-West) {aws} Regions, then replace `{arn-aws}` with `arn:aws-us-gov:`. +.. Replace [.replaceable]`my-cluster` with the name of your cluster, [.replaceable]`111122223333` with your account ID, and then run the command. + [source,shell,subs="verbatim,attributes"] ---- @@ -120,7 +120,7 @@ aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4 ---- + If output is returned, then you already have an IAM [.noloc]`OIDC` provider for your cluster. If no output is returned, then you must create an IAM [.noloc]`OIDC` provider for your cluster. For more information, see <>. -.. Copy the following contents to your device. Replace [.replaceable]`111122223333` with your account ID. Replace [.replaceable]`region-code` with the {aws} Region that your cluster is in. Replace [.replaceable]`EXAMPLED539D4633E53DE1B71EXAMPLE` with the output returned in the previous step. If your cluster is in the {aws} GovCloud (US-East) or {aws} GovCloud (US-West) {aws} Regions, then replace `{arn-aws}` with `arn:aws-us-gov:`. After replacing the text, run the modified command to create the `load-balancer-role-trust-policy.json` file. +.. Copy the following contents to your device. Replace [.replaceable]`111122223333` with your account ID. Replace [.replaceable]`region-code` with the {aws} Region that your cluster is in. Replace [.replaceable]`EXAMPLED539D4633E53DE1B71EXAMPLE` with the output returned in the previous step. + [source,json,subs="verbatim,attributes"] ---- @@ -161,7 +161,7 @@ aws iam attach-role-policy \ --policy-arn {arn-aws}iam::111122223333:policy/AWSLoadBalancerControllerIAMPolicy \ --role-name AmazonEKSLoadBalancerControllerRole ---- -.. Copy the following contents to your device. Replace [.replaceable]`111122223333` with your account ID. If your cluster is in the {aws} GovCloud (US-East) or {aws} GovCloud (US-West) {aws} Regions, then replace `{arn-aws}` with `arn:aws-us-gov:`. After replacing the text, run the modified command to create the `aws-load-balancer-controller-service-account.yaml` file. +.. Copy the following contents to your device. Replace [.replaceable]`111122223333` with your account ID. After replacing the text, run the modified command to create the `aws-load-balancer-controller-service-account.yaml` file. + [source,yaml,subs="verbatim,attributes"] ---- diff --git a/latest/ug/networking/lbc-remove.adoc b/latest/ug/networking/lbc-remove.adoc index 8e0503381..44b19bba5 100644 --- a/latest/ug/networking/lbc-remove.adoc +++ b/latest/ug/networking/lbc-remove.adoc @@ -85,7 +85,7 @@ To migrate from the ALB Ingress Controller for [.noloc]`Kubernetes` to the [.nol ---- curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.11.0/docs/install/iam_policy_v1_to_v2_additional.json ---- -. If your cluster is in the {aws} GovCloud (US-East) or {aws} GovCloud (US-West) {aws} Regions, then replace `{arn-aws}` with `arn:aws-us-gov:`.. +. If your cluster is in the {aws} GovCloud (US-East) or {aws} GovCloud (US-West) {aws} Regions, then replace `{arn-aws}` with `arn:aws-us-gov:`. + [source,shell,subs="verbatim,attributes"] ---- @@ -101,7 +101,7 @@ aws iam create-policy \ ---- . Attach the IAM policy to the IAM role used by the [.noloc]`{aws} Load Balancer Controller`. Replace [.replaceable]`your-role-name` with the name of the role, such as `AmazonEKSLoadBalancerControllerRole`. + -If you created the role using `eksctl`, then to find the role name that was created, open the link:cloudformation[{aws} CloudFormation console,type="console"] and select the *eksctl-[.replaceable]`my-cluster`-addon-iamserviceaccount-kube-system-aws-load-balancer-controller* stack. Select the *Resources* tab. The role name is in the *Physical ID* column. If your cluster is in the {aws} GovCloud (US-East) or {aws} GovCloud (US-West) {aws} Regions, then replace `{arn-aws}` with `arn:aws-us-gov:`. +If you created the role using `eksctl`, then to find the role name that was created, open the link:cloudformation[{aws} CloudFormation console,type="console"] and select the *eksctl-[.replaceable]`my-cluster`-addon-iamserviceaccount-kube-system-aws-load-balancer-controller* stack. Select the *Resources* tab. The role name is in the *Physical ID* column. + [source,shell,subs="verbatim,attributes"] ---- diff --git a/latest/ug/nodes/eks-compute.adoc b/latest/ug/nodes/eks-compute.adoc index b730be14e..de8b52a55 100644 --- a/latest/ug/nodes/eks-compute.adoc +++ b/latest/ug/nodes/eks-compute.adoc @@ -32,13 +32,6 @@ For more information, see https://kubernetes.io/docs/concepts/architecture/nodes Your Amazon EKS cluster can schedule [.noloc]`Pods` on any combination of <>, <>, <>, <>, and <>. To learn more about nodes deployed in your cluster, see <>. -[IMPORTANT] -==== - -{aws} Fargate with Amazon EKS isn't available in {aws} GovCloud (US-East) and {aws} GovCloud (US-West). -Amazon EKS Hybrid Nodes isn't available in {aws} GovCloud Regions and China Regions. - -==== [NOTE] ==== diff --git a/latest/ug/nodes/fargate-getting-started.adoc b/latest/ug/nodes/fargate-getting-started.adoc index 6f1f3c81b..f5e373f1f 100644 --- a/latest/ug/nodes/fargate-getting-started.adoc +++ b/latest/ug/nodes/fargate-getting-started.adoc @@ -10,13 +10,6 @@ include::../attributes.txt[] This topic describes how to get started running [.noloc]`Pods` on {aws} Fargate with your Amazon EKS cluster. -- -[IMPORTANT] -==== - -{aws} Fargate with Amazon EKS isn't available in {aws} GovCloud (US-East) and {aws} GovCloud (US-West). - -==== - This topic describes how to get started running [.noloc]`Pods` on {aws} Fargate with your Amazon EKS cluster. If you restrict access to the public endpoint of your cluster using CIDR blocks, we recommend that you also enable private endpoint access. This way, Fargate [.noloc]`Pods` can communicate with the cluster. Without the private endpoint enabled, the CIDR blocks that you specify for public access must include the outbound sources from your VPC. For more information, see <>. diff --git a/latest/ug/nodes/fargate-logging.adoc b/latest/ug/nodes/fargate-logging.adoc index aedd924b0..f2fd84586 100644 --- a/latest/ug/nodes/fargate-logging.adoc +++ b/latest/ug/nodes/fargate-logging.adoc @@ -10,13 +10,6 @@ include::../attributes.txt[] Amazon EKS on Fargate offers a built-in log router based on [.noloc]`Fluent Bit`. -- -[IMPORTANT] -==== - -{aws} Fargate with Amazon EKS isn't available in {aws} GovCloud (US-East) and {aws} GovCloud (US-West). - -==== - Amazon EKS on Fargate offers a built-in log router based on [.noloc]`Fluent Bit`. This means that you don't explicitly run a [.noloc]`Fluent Bit` container as a sidecar, but Amazon runs it for you. All that you have to do is configure the log router. The configuration happens through a dedicated `ConfigMap` that must meet the following criteria: * Named `aws-logging` diff --git a/latest/ug/nodes/fargate-pod-configuration.adoc b/latest/ug/nodes/fargate-pod-configuration.adoc index cbbbfac8c..e7e3d3b50 100644 --- a/latest/ug/nodes/fargate-pod-configuration.adoc +++ b/latest/ug/nodes/fargate-pod-configuration.adoc @@ -1,23 +1,17 @@ //!!NODE_ROOT
        -include::../attributes.txt[] [.topic] [[fargate-pod-configuration,fargate-pod-configuration.title]] = Understand Fargate [.noloc]`Pod` configuration details :info_titleabbrev: Pod configuration details +include::../attributes.txt[] + [abstract] -- This section describes some of the unique [.noloc]`Pod` configuration details for running [.noloc]`Kubernetes` [.noloc]`Pods` on {aws} Fargate. -- -[IMPORTANT] -==== - -{aws} Fargate with Amazon EKS isn't available in {aws} GovCloud (US-East) and {aws} GovCloud (US-West). - -==== - This section describes some of the unique [.noloc]`Pod` configuration details for running [.noloc]`Kubernetes` [.noloc]`Pods` on {aws} Fargate. [[fargate-cpu-and-memory,fargate-cpu-and-memory.title]] diff --git a/latest/ug/nodes/fargate-pod-patching.adoc b/latest/ug/nodes/fargate-pod-patching.adoc index 4d854ce45..4e96b3c13 100644 --- a/latest/ug/nodes/fargate-pod-patching.adoc +++ b/latest/ug/nodes/fargate-pod-patching.adoc @@ -10,13 +10,6 @@ include::../attributes.txt[] Amazon EKS periodically patches the OS for {aws} Fargate nodes to keep them secure. -- -[IMPORTANT] -==== - -{aws} Fargate with Amazon EKS isn't available in {aws} GovCloud (US-East) and {aws} GovCloud (US-West). - -==== - Amazon EKS periodically patches the OS for {aws} Fargate nodes to keep them secure. As part of the patching process, we recycle the nodes to install OS patches. Updates are attempted in a way that creates the least impact on your services. However, if [.noloc]`Pods` aren't successfully evicted, there are times when they must be deleted. The following are actions that you can take to minimize potential disruptions: * Set appropriate [.noloc]`Pod` disruption budgets (PDBs) to control the number of [.noloc]`Pods` that are down simultaneously. diff --git a/latest/ug/nodes/fargate-profile.adoc b/latest/ug/nodes/fargate-profile.adoc index cae05666c..ac0314fe9 100644 --- a/latest/ug/nodes/fargate-profile.adoc +++ b/latest/ug/nodes/fargate-profile.adoc @@ -10,13 +10,6 @@ include::../attributes.txt[] Before you schedule [.noloc]`Pods` on Fargate in your cluster, you must define at least one Fargate profile that specifies which [.noloc]`Pods` use Fargate when launched. -- -[IMPORTANT] -==== - -{aws} Fargate with Amazon EKS isn't available in {aws} GovCloud (US-East) and {aws} GovCloud (US-West). - -==== - Before you schedule [.noloc]`Pods` on Fargate in your cluster, you must define at least one Fargate profile that specifies which [.noloc]`Pods` use Fargate when launched. As an administrator, you can use a Fargate profile to declare which [.noloc]`Pods` run on Fargate. You can do this through the profile's selectors. You can add up to five selectors to each profile. Each selector must contain a namespace. The selector can also include labels. The label field consists of multiple optional key-value pairs. Pods that match a selector are scheduled on Fargate. Pods are matched using a namespace and the labels that are specified in the selector. If a namespace selector is defined without labels, Amazon EKS attempts to schedule all the [.noloc]`Pods` that run in that namespace onto Fargate using the profile. If a to-be-scheduled [.noloc]`Pod` matches any of the selectors in the Fargate profile, then that [.noloc]`Pod` is scheduled on Fargate. diff --git a/latest/ug/nodes/fargate.adoc b/latest/ug/nodes/fargate.adoc index 0a39b29a9..50203bf51 100644 --- a/latest/ug/nodes/fargate.adoc +++ b/latest/ug/nodes/fargate.adoc @@ -15,13 +15,6 @@ include::../attributes.txt[] This topic discusses using Amazon EKS to run [.noloc]`Kubernetes` [.noloc]`Pods` on {aws} Fargate. -- -[IMPORTANT] -==== - -{aws} Fargate with Amazon EKS isn't available in {aws} GovCloud (US-East) and {aws} GovCloud (US-West). - -==== - This topic discusses using Amazon EKS to run [.noloc]`Kubernetes` [.noloc]`Pods` on {aws} Fargate. Fargate is a technology that provides on-demand, right-sized compute capacity for link:what-are-containers[containers,type="marketing"]. With Fargate, you don't have to provision, configure, or scale groups of virtual machines on your own to run containers. You also don't need to choose server types, decide when to scale your node groups, or optimize cluster packing. You can control which [.noloc]`Pods` start on Fargate and how they run with <>. Fargate profiles are defined as part of your Amazon EKS cluster. Amazon EKS integrates [.noloc]`Kubernetes` with Fargate by using controllers that are built by {aws} using the upstream, extensible model provided by [.noloc]`Kubernetes`. These controllers run as part of the Amazon EKS managed [.noloc]`Kubernetes` control plane and are responsible for scheduling native [.noloc]`Kubernetes` [.noloc]`Pods` onto Fargate. The Fargate controllers include a new scheduler that runs alongside the default [.noloc]`Kubernetes` scheduler in addition to several mutating and validating admission controllers. When you start a [.noloc]`Pod` that meets the criteria for running on Fargate, the Fargate controllers that are running in the cluster recognize, update, and schedule the [.noloc]`Pod` onto Fargate. diff --git a/latest/ug/nodes/migrate-stack.adoc b/latest/ug/nodes/migrate-stack.adoc index ac74e543d..67f5a5af5 100644 --- a/latest/ug/nodes/migrate-stack.adoc +++ b/latest/ug/nodes/migrate-stack.adoc @@ -138,7 +138,7 @@ aws ec2 authorize-security-group-ingress --group-id $newSecGroup \ kubectl edit configmap -n kube-system aws-auth ---- + -Add a new `mapRoles` entry for the new node group. If your cluster is in the {aws} GovCloud (US-East) or {aws} GovCloud (US-West) {aws} Regions, then replace `{arn-aws}` with `arn:aws-us-gov:`. +Add a new `mapRoles` entry for the new node group. + [source,yaml,subs="verbatim,attributes"] ---- @@ -261,7 +261,7 @@ aws ec2 revoke-security-group-ingress --group-id $newSecGroup \ kubectl edit configmap -n kube-system aws-auth ---- + -Delete the `mapRoles` entry for the old node group. If your cluster is in the {aws} GovCloud (US-East) or {aws} GovCloud (US-West) {aws} Regions, then replace `{arn-aws}` with `arn:aws-us-gov:`. +Delete the `mapRoles` entry for the old node group. + [source,yaml,subs="verbatim,attributes"] ---- diff --git a/latest/ug/nodes/monitoring-fargate-usage.adoc b/latest/ug/nodes/monitoring-fargate-usage.adoc index b57717404..3d6efa708 100644 --- a/latest/ug/nodes/monitoring-fargate-usage.adoc +++ b/latest/ug/nodes/monitoring-fargate-usage.adoc @@ -10,13 +10,6 @@ include::../attributes.txt[] You can collect system metrics and CloudWatch usage metrics for {aws} Fargate. -- -[IMPORTANT] -==== - -{aws} Fargate with Amazon EKS isn't available in {aws} GovCloud (US-East) and {aws} GovCloud (US-West). - -==== - You can collect system metrics and CloudWatch usage metrics for {aws} Fargate. [[fargate-application-metrics,fargate-application-metrics.title]] diff --git a/latest/ug/storage/ebs-csi.adoc b/latest/ug/storage/ebs-csi.adoc index f7506a783..726a2352f 100644 --- a/latest/ug/storage/ebs-csi.adoc +++ b/latest/ug/storage/ebs-csi.adoc @@ -81,7 +81,7 @@ The specific steps in this procedure are written for using the driver as an Amaz ==== === `eksctl` [[eksctl_store_app_data]] -. Create an IAM role and attach a policy. {aws} maintains an {aws} managed policy or you can create your own custom policy. You can create an IAM role and attach the {aws} managed policy with the following command. Replace [.replaceable]`my-cluster` with the name of your cluster. The command deploys an {aws} CloudFormation stack that creates an IAM role and attaches the IAM policy to it. If your cluster is in the {aws} GovCloud (US-East) or {aws} GovCloud (US-West) {aws} Regions, then replace `arn:aws:` with `arn:aws-us-gov:`. +. Create an IAM role and attach a policy. {aws} maintains an {aws} managed policy or you can create your own custom policy. You can create an IAM role and attach the {aws} managed policy with the following command. Replace [.replaceable]`my-cluster` with the name of your cluster. The command deploys an {aws} CloudFormation stack that creates an IAM role and attaches the IAM policy to it. + [source,bash,subs="verbatim,attributes"] ---- @@ -139,7 +139,7 @@ aws iam create-policy \ --policy-name KMS_Key_For_Encryption_On_EBS_Policy \ --policy-document file://kms-key-for-encryption-on-ebs.json ---- -.. Attach the IAM policy to the role with the following command. Replace [.replaceable]`111122223333` with your account ID. If your cluster is in the {aws} GovCloud (US-East) or {aws} GovCloud (US-West) {aws} Regions, then replace `arn:aws:` with `arn:aws-us-gov:`. +.. Attach the IAM policy to the role with the following command. Replace [.replaceable]`111122223333` with your account ID. + [source,bash,subs="verbatim,attributes"] ---- @@ -251,7 +251,7 @@ https://oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE ---- . Create the IAM role, granting the `AssumeRoleWithWebIdentity` action. + -.. Copy the following contents to a file that's named `aws-ebs-csi-driver-trust-policy.json`. Replace [.replaceable]`111122223333` with your account ID. Replace [.replaceable]`EXAMPLED539D4633E53DE1B71EXAMPLE` and [.replaceable]`region-code` with the values returned in the previous step. If your cluster is in the {aws} GovCloud (US-East) or {aws} GovCloud (US-West) {aws} Regions, then replace `arn:aws:` with `arn:aws-us-gov:`. +.. Copy the following contents to a file that's named `aws-ebs-csi-driver-trust-policy.json`. Replace [.replaceable]`111122223333` with your account ID. Replace [.replaceable]`EXAMPLED539D4633E53DE1B71EXAMPLE` and [.replaceable]`region-code` with the values returned in the previous step. + [source,json,subs="verbatim,attributes"] ---- @@ -282,7 +282,7 @@ aws iam create-role \ --role-name AmazonEKS_EBS_CSI_DriverRole \ --assume-role-policy-document file://"aws-ebs-csi-driver-trust-policy.json" ---- -. Attach a policy. {aws} maintains an {aws} managed policy or you can create your own custom policy. Attach the {aws} managed policy to the role with the following command. If your cluster is in the {aws} GovCloud (US-East) or {aws} GovCloud (US-West) {aws} Regions, then replace `arn:aws:` with `arn:aws-us-gov:`. +. Attach a policy. {aws} maintains an {aws} managed policy or you can create your own custom policy. Attach the {aws} managed policy to the role with the following command. + [source,bash,subs="verbatim,attributes"] ---- @@ -335,7 +335,7 @@ aws iam create-policy \ --policy-name KMS_Key_For_Encryption_On_EBS_Policy \ --policy-document file://kms-key-for-encryption-on-ebs.json ---- -.. Attach the IAM policy to the role with the following command. Replace [.replaceable]`111122223333` with your account ID. If your cluster is in the {aws} GovCloud (US-East) or {aws} GovCloud (US-West) {aws} Regions, then replace `arn:aws:` with `arn:aws-us-gov:`. +.. Attach the IAM policy to the role with the following command. Replace [.replaceable]`111122223333` with your account ID. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/storage/fsx-csi.adoc b/latest/ug/storage/fsx-csi.adoc index 85f70213b..11f55821a 100644 --- a/latest/ug/storage/fsx-csi.adoc +++ b/latest/ug/storage/fsx-csi.adoc @@ -66,7 +66,7 @@ Cluster provisioning takes several minutes. During cluster creation, you'll see ---- [✓] EKS cluster "my-csi-fsx-cluster" in "region-code" region is ready ---- -. Create a [.noloc]`Kubernetes` service account for the driver and attach the `AmazonFSxFullAccess` {aws}-managed policy to the service account with the following command. If your cluster is in the {aws} GovCloud (US-East) or {aws} GovCloud (US-West) {aws} Regions, then replace `{arn-aws}` with `arn:aws-us-gov:`. +. Create a [.noloc]`Kubernetes` service account for the driver and attach the `AmazonFSxFullAccess` {aws}-managed policy to the service account with the following command. + [source,bash,subs="verbatim,attributes"] ---- @@ -126,7 +126,7 @@ csidriver.storage.k8s.io/fsx.csi.aws.com created .. Ensure that the console is set to the {aws} Region that you created your IAM role in and then select *Stacks*. .. Select the stack named `eksctl-my-csi-fsx-cluster-addon-iamserviceaccount-kube-system-fsx-csi-controller-sa`. .. Select the *Outputs* tab. The *Role1* ARN is listed on the *Outputs (1)* page. -. Patch the driver deployment to add the service account that you created earlier with the following command. Replace the ARN with the ARN that you noted. Replace [.replaceable]`111122223333` with your account ID. If your cluster is in the {aws} GovCloud (US-East) or {aws} GovCloud (US-West) {aws} Regions, then replace `{arn-aws}` with `arn:aws-us-gov:`. +. Patch the driver deployment to add the service account that you created earlier with the following command. Replace the ARN with the ARN that you noted. Replace [.replaceable]`111122223333` with your account ID. + [source,bash,subs="verbatim,attributes"] ---- From 62164d9ebf7cd2c3a2cec6baa8a271358db1c248 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Thu, 23 Jan 2025 19:07:58 +0000 Subject: [PATCH 040/940] Removed abstract metadata in favor of the abstract block syntax which seems to be prioritized by build system. --- latest/ug/automode/associate-workload.adoc | 1 - latest/ug/automode/auto-elb-example.adoc | 1 - latest/ug/automode/auto-enable-existing.adoc | 1 - latest/ug/automode/auto-glossary.adoc | 1 - latest/ug/automode/auto-migrate-karpenter.adoc | 1 - latest/ug/automode/auto-migrate-mng.adoc | 1 - latest/ug/automode/auto-mng.adoc | 1 - latest/ug/automode/auto-networking.adoc | 1 - latest/ug/automode/auto-reference.adoc | 1 - latest/ug/automode/auto-troubleshoot.adoc | 1 - latest/ug/automode/auto-workloads.adoc | 1 - latest/ug/automode/automode-get-started-cli.adoc | 1 - latest/ug/automode/automode-get-started-console.adoc | 1 - latest/ug/automode/automode-get-started-eksctl.adoc | 1 - latest/ug/automode/automode-learn-instances.adoc | 1 - latest/ug/automode/automode-workload.adoc | 1 - latest/ug/automode/automode.adoc | 1 - latest/ug/automode/create-auto.adoc | 1 - latest/ug/automode/migrate-auto.adoc | 1 - latest/ug/automode/sample-storage-workload.adoc | 1 - latest/ug/automode/settings-auto.adoc | 1 - latest/ug/book.adoc | 1 - latest/ug/clusters/autoscaling.adoc | 1 - latest/ug/clusters/cluster-endpoint.adoc | 1 - latest/ug/clusters/create-cluster-auto.adoc | 1 - latest/ug/clusters/create-cluster.adoc | 1 - latest/ug/clusters/delete-cluster.adoc | 1 - latest/ug/clusters/kubernetes-versions.adoc | 1 - latest/ug/clusters/management/cost-monitoring.adoc | 1 - latest/ug/clusters/management/eks-using-tags.adoc | 1 - latest/ug/clusters/management/helm.adoc | 1 - latest/ug/clusters/management/metrics-server.adoc | 1 - latest/ug/clusters/management/service-quotas.adoc | 1 - latest/ug/clusters/private-clusters.adoc | 1 - latest/ug/clusters/update-cluster.adoc | 1 - latest/ug/clusters/windows-support.adoc | 1 - latest/ug/connector/connecting-cluster.adoc | 1 - latest/ug/connector/connector-grant-access.adoc | 1 - latest/ug/connector/deregister-connected-cluster.adoc | 1 - latest/ug/connector/eks-connector.adoc | 1 - latest/ug/connector/security-connector.adoc | 1 - latest/ug/connector/troubleshooting-connector.adoc | 1 - latest/ug/connector/tsc-faq.adoc | 1 - latest/ug/doc-history.adoc | 1 - latest/ug/getting-started/getting-started-automode.adoc | 1 - latest/ug/getting-started/getting-started-console.adoc | 1 - latest/ug/getting-started/getting-started-eksctl.adoc | 1 - latest/ug/getting-started/getting-started.adoc | 1 - latest/ug/getting-started/install-awscli.adoc | 1 - latest/ug/getting-started/install-kubectl.adoc | 1 - latest/ug/getting-started/learn-eks.adoc | 1 - latest/ug/getting-started/setting-up.adoc | 1 - .../integrations/creating-resources-with-cloudformation.adoc | 1 - latest/ug/integrations/integration-detective.adoc | 1 - latest/ug/integrations/integration-securitylake.adoc | 1 - latest/ug/manage-access/cluster-auth.adoc | 1 - latest/ug/manage-access/create-kubeconfig.adoc | 1 - latest/ug/manage-access/k8s-access/grant-k8s-access.adoc | 1 - latest/ug/manage-access/view-kubernetes-resources.adoc | 1 - latest/ug/ml/inferentia-support.adoc | 1 - latest/ug/ml/machine-learning-on-eks.adoc | 1 - latest/ug/ml/ml-get-started.adoc | 1 - latest/ug/ml/ml-prepare-for-cluster.adoc | 1 - latest/ug/ml/ml-tutorials.adoc | 1 - latest/ug/ml/node-efa.adoc | 1 - latest/ug/networking/creating-a-vpc.adoc | 1 - latest/ug/networking/network-reqs.adoc | 1 - latest/ug/networking/sec-group-reqs.adoc | 1 - latest/ug/nodes/choosing-instance-type.adoc | 1 - latest/ug/nodes/eks-compute.adoc | 1 - latest/ug/nodes/eks-optimized-amis.adoc | 1 - latest/ug/nodes/fargate.adoc | 1 - latest/ug/nodes/hybrid-nodes-add-ons.adoc | 1 - latest/ug/nodes/hybrid-nodes-cluster-create.adoc | 1 - latest/ug/nodes/hybrid-nodes-cluster-prep.adoc | 1 - latest/ug/nodes/hybrid-nodes-cni.adoc | 1 - latest/ug/nodes/hybrid-nodes-join.adoc | 1 - latest/ug/nodes/hybrid-nodes-networking.adoc | 1 - latest/ug/nodes/hybrid-nodes-nodeadm.adoc | 1 - latest/ug/nodes/hybrid-nodes-os.adoc | 1 - latest/ug/nodes/hybrid-nodes-prereqs.adoc | 1 - latest/ug/nodes/hybrid-nodes-proxy.adoc | 1 - latest/ug/nodes/hybrid-nodes-remove.adoc | 1 - latest/ug/nodes/hybrid-nodes-troubleshooting.adoc | 1 - latest/ug/nodes/hybrid-nodes-tutorial.adoc | 1 - latest/ug/nodes/hybrid-nodes-upgrade.adoc | 1 - latest/ug/nodes/hybrid-nodes.adoc | 1 - latest/ug/nodes/managed-node-groups.adoc | 1 - latest/ug/nodes/worker.adoc | 1 - latest/ug/observability/control-plane-logs.adoc | 1 - latest/ug/observability/eks-observe.adoc | 1 - latest/ug/observability/logging-using-cloudtrail.adoc | 1 - latest/ug/observability/observability-dashboard.adoc | 1 - latest/ug/observability/opentelemetry.adoc | 1 - latest/ug/observability/prometheus.adoc | 1 - latest/ug/outposts/eks-outposts-self-managed-nodes.adoc | 1 - latest/ug/outposts/eks-outposts.adoc | 1 - latest/ug/quickstart.adoc | 1 - latest/ug/related-projects.adoc | 1 - latest/ug/roadmap.adoc | 1 - latest/ug/storage/csi-snapshot-controller.adoc | 1 - latest/ug/storage/ebs-csi-migration-faq.adoc | 1 - latest/ug/storage/ebs-csi.adoc | 1 - latest/ug/storage/file-cache-csi.adoc | 1 - latest/ug/storage/fsx-csi.adoc | 1 - latest/ug/storage/fsx-ontap.adoc | 1 - latest/ug/storage/fsx-openzfs-csi.adoc | 1 - latest/ug/storage/s3-csi.adoc | 1 - latest/ug/storage/storage.adoc | 1 - latest/ug/troubleshooting/troubleshooting.adoc | 1 - latest/ug/what-is/common-use-cases.adoc | 1 - latest/ug/what-is/eks-architecture.adoc | 1 - latest/ug/what-is/eks-deployment-options.adoc | 1 - latest/ug/what-is/kubernetes-concepts.adoc | 1 - latest/ug/what-is/what-is-eks.adoc | 3 +-- latest/ug/workloads/alb-ingress.adoc | 1 - latest/ug/workloads/eks-add-ons.adoc | 1 - latest/ug/workloads/horizontal-pod-autoscaler.adoc | 1 - latest/ug/workloads/image-verification.adoc | 1 - latest/ug/workloads/network-load-balancing.adoc | 1 - latest/ug/workloads/vertical-pod-autoscaler.adoc | 1 - 121 files changed, 1 insertion(+), 122 deletions(-) diff --git a/latest/ug/automode/associate-workload.adoc b/latest/ug/automode/associate-workload.adoc index 232512ed5..25c79c488 100644 --- a/latest/ug/automode/associate-workload.adoc +++ b/latest/ug/automode/associate-workload.adoc @@ -8,7 +8,6 @@ include::../attributes.txt[] :info_doctype: section :info_title: Control if a workload is deployed on EKS Auto Mode nodes :info_titleabbrev: Control workload deployment -:info_abstract: Control if a workload is deployed on EKS Auto Mode nodes When running workloads in an EKS cluster with {eam}, you might need to control whether specific workloads run on {eam} nodes or other compute types. This topic describes how to use node selectors and affinity rules to ensure your workloads are scheduled on the intended compute infrastructure. diff --git a/latest/ug/automode/auto-elb-example.adoc b/latest/ug/automode/auto-elb-example.adoc index 10edb9ed6..b799d0e37 100644 --- a/latest/ug/automode/auto-elb-example.adoc +++ b/latest/ug/automode/auto-elb-example.adoc @@ -6,7 +6,6 @@ :info_doctype: section :info_title: Deploy a sample load balancer workload to EKS Auto Mode :info_titleabbrev: Deploy load balancer workload -:info_abstract: Deploy a sample load balancer workload to EKS Auto Mode include::../attributes.txt[] diff --git a/latest/ug/automode/auto-enable-existing.adoc b/latest/ug/automode/auto-enable-existing.adoc index 1e0dab076..05df23913 100644 --- a/latest/ug/automode/auto-enable-existing.adoc +++ b/latest/ug/automode/auto-enable-existing.adoc @@ -6,7 +6,6 @@ :info_doctype: section :info_title: Enable EKS Auto Mode on an existing cluster :info_titleabbrev: Enable on cluster -:info_abstract: Enable EKS Auto Mode on an existing cluster include::../attributes.txt[] diff --git a/latest/ug/automode/auto-glossary.adoc b/latest/ug/automode/auto-glossary.adoc index d2bfcb7fb..b66b36069 100644 --- a/latest/ug/automode/auto-glossary.adoc +++ b/latest/ug/automode/auto-glossary.adoc @@ -5,7 +5,6 @@ :info_doctype: section :info_title: Glossary of terms for EKS Auto Mode :info_titleabbrev: Glossary -:info_abstract: Glossary of terms for EKS Auto Mode include::../attributes.txt[] diff --git a/latest/ug/automode/auto-migrate-karpenter.adoc b/latest/ug/automode/auto-migrate-karpenter.adoc index 976ef7ee9..5f4ac69fe 100644 --- a/latest/ug/automode/auto-migrate-karpenter.adoc +++ b/latest/ug/automode/auto-migrate-karpenter.adoc @@ -5,7 +5,6 @@ :info_doctype: section :info_title: Migrate from Karpenter to EKS Auto Mode using kubectl :info_titleabbrev: Migrate from Karpenter -:info_abstract: Migrate from Karpenter to EKS Auto Mode using kubectl include::../attributes.txt[] diff --git a/latest/ug/automode/auto-migrate-mng.adoc b/latest/ug/automode/auto-migrate-mng.adoc index 10fe6d8be..caaa27c23 100644 --- a/latest/ug/automode/auto-migrate-mng.adoc +++ b/latest/ug/automode/auto-migrate-mng.adoc @@ -6,7 +6,6 @@ :info_doctype: section :info_title: Migrate from EKS Managed Node Groups to EKS Auto Mode :info_titleabbrev: Migrate from Managed Node Groups -:info_abstract: Migrate from EKS Managed Node Groups include::../attributes.txt[] diff --git a/latest/ug/automode/auto-mng.adoc b/latest/ug/automode/auto-mng.adoc index 34af935c3..7c0407049 100644 --- a/latest/ug/automode/auto-mng.adoc +++ b/latest/ug/automode/auto-mng.adoc @@ -6,7 +6,6 @@ :info_doctype: section :info_title: Compare EKS Auto Mode with EKS managed node groups :info_titleabbrev: Compare with Managed Node Groups -:info_abstract: Compare EKS Auto Mode with EKS managed node groups include::../attributes.txt[] diff --git a/latest/ug/automode/auto-networking.adoc b/latest/ug/automode/auto-networking.adoc index a3279d9c6..2d585acc5 100644 --- a/latest/ug/automode/auto-networking.adoc +++ b/latest/ug/automode/auto-networking.adoc @@ -5,7 +5,6 @@ :info_doctype: section :info_title: Learn about VPC networking and load balancing in EKS Auto Mode :info_titleabbrev: Networking -:info_abstract: Learn about VPC networking and load balancing in EKS Auto Mode. include::../attributes.txt[] diff --git a/latest/ug/automode/auto-reference.adoc b/latest/ug/automode/auto-reference.adoc index 25be16060..277c091a1 100644 --- a/latest/ug/automode/auto-reference.adoc +++ b/latest/ug/automode/auto-reference.adoc @@ -11,7 +11,6 @@ include::../attributes.txt[] :sourcedir: . :info_title: Learn how EKS Auto Mode works :info_titleabbrev: How it works -:info_abstract: Learn how EKS Auto Mode works [abstract] -- diff --git a/latest/ug/automode/auto-troubleshoot.adoc b/latest/ug/automode/auto-troubleshoot.adoc index aa301da42..7bf491dc3 100644 --- a/latest/ug/automode/auto-troubleshoot.adoc +++ b/latest/ug/automode/auto-troubleshoot.adoc @@ -6,7 +6,6 @@ :info_doctype: section :info_title: Troubleshoot EKS Auto Mode :info_titleabbrev: Troubleshoot -:info_abstract: Troubleshoot EKS Auto Mode include::../attributes.txt[] diff --git a/latest/ug/automode/auto-workloads.adoc b/latest/ug/automode/auto-workloads.adoc index 7a99b60cc..a7c1e068a 100644 --- a/latest/ug/automode/auto-workloads.adoc +++ b/latest/ug/automode/auto-workloads.adoc @@ -6,7 +6,6 @@ include::../attributes.txt[] :info_doctype: section :info_title: Run workloads in EKS Auto Mode clusters :info_titleabbrev: Run workloads -:info_abstract: Run workloads in EKS Auto Mode clusters [abstract] -- diff --git a/latest/ug/automode/automode-get-started-cli.adoc b/latest/ug/automode/automode-get-started-cli.adoc index 99eec8c18..94b29d96e 100644 --- a/latest/ug/automode/automode-get-started-cli.adoc +++ b/latest/ug/automode/automode-get-started-cli.adoc @@ -9,7 +9,6 @@ include::../attributes.txt[] :config: configuration :info_title: Create an EKS Auto Mode Cluster with the {aws} CLI :info_titleabbrev: {aws} CLI -:info_abstract: Create an EKS Auto Mode cluster with the {aws} CLI EKS Auto Mode Clusters automate routine cluster management tasks for compute, storage, and networking. For example, EKS Auto Mode Clusters automatically detect when additional nodes are required and provision new EC2 instances to meet workload demands. diff --git a/latest/ug/automode/automode-get-started-console.adoc b/latest/ug/automode/automode-get-started-console.adoc index 714f2b2ae..789b9c96b 100644 --- a/latest/ug/automode/automode-get-started-console.adoc +++ b/latest/ug/automode/automode-get-started-console.adoc @@ -8,7 +8,6 @@ include::../attributes.txt[] :info_doctype: section :info_title: Create an EKS Auto Mode Cluster with the {aws} Management Console :info_titleabbrev: Management console -:info_abstract: Create an EKS Auto Mode cluster with the {aws} Management Console Creating an {eam} cluster in the {aws} Management Console requires less {config} than other options. EKS integrates with {aws} IAM and VPC Networking to help you create the resources associated with an EKS cluster. diff --git a/latest/ug/automode/automode-get-started-eksctl.adoc b/latest/ug/automode/automode-get-started-eksctl.adoc index 8677b35bf..cd6ab8e8a 100644 --- a/latest/ug/automode/automode-get-started-eksctl.adoc +++ b/latest/ug/automode/automode-get-started-eksctl.adoc @@ -7,7 +7,6 @@ :config: configuration :info_title: Create an EKS Auto Mode Cluster with the eksctl CLI :info_titleabbrev: eksctl CLI -:info_abstract: Create an EKS Auto Mode cluster with the eksctl CLI include::../attributes.txt[] diff --git a/latest/ug/automode/automode-learn-instances.adoc b/latest/ug/automode/automode-learn-instances.adoc index 57220f30f..accf312cc 100644 --- a/latest/ug/automode/automode-learn-instances.adoc +++ b/latest/ug/automode/automode-learn-instances.adoc @@ -13,7 +13,6 @@ :emng: EKS Managed Node Group :info_title: Learn about Amazon EKS Auto Mode managed instances :info_titleabbrev: Managed instances -:info_abstract: Learn about Amazon EKS Auto Mode managed instances include::../attributes.txt[] diff --git a/latest/ug/automode/automode-workload.adoc b/latest/ug/automode/automode-workload.adoc index 015a1856e..374aedb84 100644 --- a/latest/ug/automode/automode-workload.adoc +++ b/latest/ug/automode/automode-workload.adoc @@ -6,7 +6,6 @@ :info_doctype: section :info_title: Deploy a sample inflate workload to an Amazon EKS Auto Mode cluster :info_titleabbrev: Deploy inflate workload -:info_abstract: Deploy a sample inflate workload to an Amazon EKS Auto Mode cluster include::../attributes.txt[] diff --git a/latest/ug/automode/automode.adoc b/latest/ug/automode/automode.adoc index a9a6353a3..718354e45 100644 --- a/latest/ug/automode/automode.adoc +++ b/latest/ug/automode/automode.adoc @@ -7,7 +7,6 @@ :toc: :info_title: Automate cluster infrastructure with EKS Auto Mode :info_titleabbrev: EKS Auto Mode -:info_abstract: Automate cluster infrastructure with EKS Auto Mode [abstract] -- diff --git a/latest/ug/automode/create-auto.adoc b/latest/ug/automode/create-auto.adoc index 4237fb19f..bc13bd7f7 100644 --- a/latest/ug/automode/create-auto.adoc +++ b/latest/ug/automode/create-auto.adoc @@ -11,7 +11,6 @@ include::../attributes.txt[] :sourcedir: . :info_title: Create cluster with EKS Auto Mode :info_titleabbrev: Create cluster -:info_abstract: Learn about the tools needed for creating and working with an Amazon EKS cluster in EKS Auto Mode. :keywords: getting, started, tutorials, quick, start [abstract] diff --git a/latest/ug/automode/migrate-auto.adoc b/latest/ug/automode/migrate-auto.adoc index 8be336791..401c58a0d 100644 --- a/latest/ug/automode/migrate-auto.adoc +++ b/latest/ug/automode/migrate-auto.adoc @@ -11,7 +11,6 @@ include::../attributes.txt[] :sourcedir: . :info_title: Enable EKS Auto Mode on existing EKS clusters :info_titleabbrev: Enable existing clusters -:info_abstract: Learn about the tools needed to migrate an Amazon EKS cluster to EKS Auto Mode. [abstract] -- diff --git a/latest/ug/automode/sample-storage-workload.adoc b/latest/ug/automode/sample-storage-workload.adoc index 4230d0e1c..488ccc928 100644 --- a/latest/ug/automode/sample-storage-workload.adoc +++ b/latest/ug/automode/sample-storage-workload.adoc @@ -6,7 +6,6 @@ :info_doctype: section :info_title: Deploy a sample stateful workload to EKS Auto Mode :info_titleabbrev: Deploy stateful workload -:info_abstract: Deploy a sample stateful workload to EKS Auto Mode include::../attributes.txt[] diff --git a/latest/ug/automode/settings-auto.adoc b/latest/ug/automode/settings-auto.adoc index 23f7f2bf4..18b86ec22 100644 --- a/latest/ug/automode/settings-auto.adoc +++ b/latest/ug/automode/settings-auto.adoc @@ -11,7 +11,6 @@ include::../attributes.txt[] :sourcedir: . :info_title: Change EKS Auto cluster settings :info_titleabbrev: Configure -:info_abstract: Change EKS Auto cluster settings [abstract] -- diff --git a/latest/ug/book.adoc b/latest/ug/book.adoc index 8d87ae743..5bef37add 100644 --- a/latest/ug/book.adoc +++ b/latest/ug/book.adoc @@ -11,7 +11,6 @@ include::attributes.txt[] :info_doctype: book :info_title: Amazon EKS :info_subtitle: User Guide -:info_abstract: This is official Amazon Web Services ({aws}) documentation for Amazon Elastic Kubernetes Service (Amazon EKS). Amazon EKS is a managed \ service that makes it easy for you to run Kubernetes on {aws} without needing to install and operate \ your own Kubernetes clusters. Kubernetes is an open-source system for automating the deployment, scaling, \ and management of containerized applications. diff --git a/latest/ug/clusters/autoscaling.adoc b/latest/ug/clusters/autoscaling.adoc index 38abb8a6b..86dc07a30 100644 --- a/latest/ug/clusters/autoscaling.adoc +++ b/latest/ug/clusters/autoscaling.adoc @@ -7,7 +7,6 @@ include::../attributes.txt[] :info_doctype: section :info_title: Scale cluster compute with Karpenter and Cluster Autoscaler :info_titleabbrev: Autoscaling -:info_abstract: Discover how Amazon EKS integrates Kubernetes autoscaling with {aws}, empowering rapid and efficient scaling of compute resources to meet application demands using Karpenter and Cluster Autoscaler. [abstract] -- diff --git a/latest/ug/clusters/cluster-endpoint.adoc b/latest/ug/clusters/cluster-endpoint.adoc index dc1096ace..b3401bf7a 100644 --- a/latest/ug/clusters/cluster-endpoint.adoc +++ b/latest/ug/clusters/cluster-endpoint.adoc @@ -5,7 +5,6 @@ :info_doctype: section :info_title: Control network access to cluster API server endpoint :info_titleabbrev: Configure endpoint access -:info_abstract: Learn how to enable private access and limit public access to the Amazon EKS cluster Kubernetes API server endpoint for enhanced security with your Amazon EKS cluster. include::../attributes.txt[] diff --git a/latest/ug/clusters/create-cluster-auto.adoc b/latest/ug/clusters/create-cluster-auto.adoc index 32a496cf3..03ddcd797 100644 --- a/latest/ug/clusters/create-cluster-auto.adoc +++ b/latest/ug/clusters/create-cluster-auto.adoc @@ -6,7 +6,6 @@ :info_doctype: section :info_title: Create an Amazon EKS Auto Mode cluster :info_titleabbrev: Create auto cluster -:info_abstract: Learn how to create an Amazon EKS Auto Mode cluster to run Kubernetes applications, including prerequisites, networking options, and add-on configurations. :idprefix: id_ include::../attributes.txt[] diff --git a/latest/ug/clusters/create-cluster.adoc b/latest/ug/clusters/create-cluster.adoc index dbbd39f77..648eaae6c 100644 --- a/latest/ug/clusters/create-cluster.adoc +++ b/latest/ug/clusters/create-cluster.adoc @@ -6,7 +6,6 @@ :info_doctype: section :info_title: Create an Amazon EKS cluster :info_titleabbrev: Create a cluster -:info_abstract: Learn how to create an Amazon EKS cluster to run Kubernetes applications, including prerequisites, networking options, and add-on configurations. include::../attributes.txt[] diff --git a/latest/ug/clusters/delete-cluster.adoc b/latest/ug/clusters/delete-cluster.adoc index d9da28153..10bff9c57 100644 --- a/latest/ug/clusters/delete-cluster.adoc +++ b/latest/ug/clusters/delete-cluster.adoc @@ -7,7 +7,6 @@ include::../attributes.txt[] :info_doctype: section :info_title: Delete a cluster :info_titleabbrev: Delete a cluster -:info_abstract: Learn how to delete Amazon EKS clusters, including managed and self-managed node groups, Fargate profiles, related services, and {aws} CloudFormation stacks using eksctl, {aws-management-console}, or {aws} CLI for cost optimization and resource cleanup. [abstract] -- diff --git a/latest/ug/clusters/kubernetes-versions.adoc b/latest/ug/clusters/kubernetes-versions.adoc index fdf3e63ea..9d8e3015d 100644 --- a/latest/ug/clusters/kubernetes-versions.adoc +++ b/latest/ug/clusters/kubernetes-versions.adoc @@ -7,7 +7,6 @@ :info_title: Understand the Kubernetes version lifecycle on EKS :info_titleabbrev: Kubernetes versions :keywords: Amazon EKS, available, Kubernetes, version, release notes -:info_abstract: Learn how Amazon EKS supports Kubernetes versions with standard and extended \ support periods, allowing you to proactively update clusters with the latest \ versions, features, and security patches.. diff --git a/latest/ug/clusters/management/cost-monitoring.adoc b/latest/ug/clusters/management/cost-monitoring.adoc index 6f92be955..e6e3bc43d 100644 --- a/latest/ug/clusters/management/cost-monitoring.adoc +++ b/latest/ug/clusters/management/cost-monitoring.adoc @@ -8,7 +8,6 @@ :info_title: Monitor and optimize Amazon EKS cluster costs :info_titleabbrev: Cost monitoring :keywords: cost, monitoring, watch -:info_abstract: Learn how to monitor and optimize costs for your Amazon EKS clusters using {aws} Billing split cost allocation data or Kubecost, a Kubernetes-native cost monitoring tool integrated with {aws}. include::../../attributes.txt[] diff --git a/latest/ug/clusters/management/eks-using-tags.adoc b/latest/ug/clusters/management/eks-using-tags.adoc index 447b87998..59abfac9f 100644 --- a/latest/ug/clusters/management/eks-using-tags.adoc +++ b/latest/ug/clusters/management/eks-using-tags.adoc @@ -8,7 +8,6 @@ include::../../attributes.txt[] :info_title: Organize Amazon EKS resources with tags :info_titleabbrev: Tagging your resources :keywords: metadata, tag, resources -:info_abstract: Learn how to use tags to categorize and manage your Amazon EKS resources like clusters, managed node groups, and Fargate profiles for billing, cost allocation, and resource identification. [abstract] -- diff --git a/latest/ug/clusters/management/helm.adoc b/latest/ug/clusters/management/helm.adoc index 56c8385ed..ee354e2bd 100644 --- a/latest/ug/clusters/management/helm.adoc +++ b/latest/ug/clusters/management/helm.adoc @@ -7,7 +7,6 @@ include::../../attributes.txt[] :info_doctype: section :info_title: Deploy applications with Helm on Amazon EKS :info_titleabbrev: Deploy apps with Helm -:info_abstract: Learn how to install and use Helm, a package manager for Kubernetes, with your Amazon EKS cluster to manage and deploy applications seamlessly. [abstract] -- diff --git a/latest/ug/clusters/management/metrics-server.adoc b/latest/ug/clusters/management/metrics-server.adoc index c53b83554..c09d86dc7 100644 --- a/latest/ug/clusters/management/metrics-server.adoc +++ b/latest/ug/clusters/management/metrics-server.adoc @@ -7,7 +7,6 @@ include::../../attributes.txt[] :info_doctype: section :info_title: View resource usage with the KubernetesMetrics Server :info_titleabbrev: Metrics server -:info_abstract: Use the Kubernetes Metrics Server to view resource usage data on your Amazon EKS cluster for autoscaling and monitoring. [abstract] -- diff --git a/latest/ug/clusters/management/service-quotas.adoc b/latest/ug/clusters/management/service-quotas.adoc index 132c39421..c2628ee1f 100644 --- a/latest/ug/clusters/management/service-quotas.adoc +++ b/latest/ug/clusters/management/service-quotas.adoc @@ -7,7 +7,6 @@ include::../../attributes.txt[] :info_doctype: section :info_title: View and manage Amazon EKS and Fargate service quotas :info_titleabbrev: Service quotas -:info_abstract: Use Service Quotas to view and manage Amazon EKS and {aws} Fargate quotas from the {aws-management-console} or {aws} CLI. [abstract] -- diff --git a/latest/ug/clusters/private-clusters.adoc b/latest/ug/clusters/private-clusters.adoc index 22477bb60..3def600f4 100644 --- a/latest/ug/clusters/private-clusters.adoc +++ b/latest/ug/clusters/private-clusters.adoc @@ -7,7 +7,6 @@ include::../attributes.txt[] :info_doctype: section :info_title: Deploy private clusters with limited internet access :info_titleabbrev: Private clusters -:info_abstract: Learn how to deploy and operate an Amazon EKS cluster without outbound internet access, including requirements for private container registries, endpoint access control, and VPC interface endpoints for {aws} services. [abstract] -- diff --git a/latest/ug/clusters/update-cluster.adoc b/latest/ug/clusters/update-cluster.adoc index 2a29b8ae8..66d019e4e 100644 --- a/latest/ug/clusters/update-cluster.adoc +++ b/latest/ug/clusters/update-cluster.adoc @@ -6,7 +6,6 @@ :info_doctype: section :info_title: Update existing cluster to new Kubernetes version :info_titleabbrev: Update Kubernetes version -:info_abstract: Learn how to update your Amazon EKS cluster to the latest Kubernetes version, ensuring compatibility with nodes and add-ons, and maintaining high availability during the process. include::../attributes.txt[] diff --git a/latest/ug/clusters/windows-support.adoc b/latest/ug/clusters/windows-support.adoc index 6826baeff..245b794a7 100644 --- a/latest/ug/clusters/windows-support.adoc +++ b/latest/ug/clusters/windows-support.adoc @@ -8,7 +8,6 @@ include::../attributes.txt[] :info_title: Deploy Windows nodes on EKS \ clusters :info_titleabbrev: Enable Windows support -:info_abstract: Learn how to enable and manage Windows support for your Amazon EKS cluster to run \ Windows containers alongside Linux containers. [abstract] diff --git a/latest/ug/connector/connecting-cluster.adoc b/latest/ug/connector/connecting-cluster.adoc index 5f3cb087e..f62ec6246 100644 --- a/latest/ug/connector/connecting-cluster.adoc +++ b/latest/ug/connector/connecting-cluster.adoc @@ -7,7 +7,6 @@ include::../attributes.txt[] :info_doctype: section :info_title: Connect an external Kubernetes cluster to the Amazon EKS Management Console :info_titleabbrev: Connect a cluster -:info_abstract: Learn to connect an external Kubernetes cluster to an Amazon EKS Management Console and install the eks-connector agent via Helm or YAML manifests to enable visibility and management of the external cluster. [abstract] -- diff --git a/latest/ug/connector/connector-grant-access.adoc b/latest/ug/connector/connector-grant-access.adoc index aaa58c363..e3956c285 100644 --- a/latest/ug/connector/connector-grant-access.adoc +++ b/latest/ug/connector/connector-grant-access.adoc @@ -8,7 +8,6 @@ include::../attributes.txt[] :info_title: Grant access to view Kubernetes cluster resources on an \ Amazon EKS console :info_titleabbrev: Grant access to Kubernetes clusters from {aws} console -:info_abstract: Learn to grant IAM principals access to view Kubernetes cluster resources on an Amazon EKS Management Console. [abstract] -- diff --git a/latest/ug/connector/deregister-connected-cluster.adoc b/latest/ug/connector/deregister-connected-cluster.adoc index 090a4358a..f25f0a6cb 100644 --- a/latest/ug/connector/deregister-connected-cluster.adoc +++ b/latest/ug/connector/deregister-connected-cluster.adoc @@ -7,7 +7,6 @@ include::../attributes.txt[] :info_doctype: section :info_title: Deregister a Kubernetes cluster from the Amazon EKS console :info_titleabbrev: Deregister a cluster -:info_abstract: Learn to deregister a Kubernetes cluster from Amazon EKS and uninstall the eks-connector agent to stop managing the cluster from the Amazon EKS Management Console. [abstract] -- diff --git a/latest/ug/connector/eks-connector.adoc b/latest/ug/connector/eks-connector.adoc index c0d61be84..b7f97aa91 100644 --- a/latest/ug/connector/eks-connector.adoc +++ b/latest/ug/connector/eks-connector.adoc @@ -13,7 +13,6 @@ include::../attributes.txt[] :info_doctype: chapter :info_title: Connect a Kubernetes cluster to an Amazon EKS Management Console with Amazon EKS Connector :info_titleabbrev: Amazon EKS Connector -:info_abstract: Discover how to connect conformant Kubernetes clusters to {aws} and visualize them in the Amazon EKS console using the Amazon EKS Connector agent and required IAM roles. [abstract] -- diff --git a/latest/ug/connector/security-connector.adoc b/latest/ug/connector/security-connector.adoc index e7dfa1cf5..c58304952 100644 --- a/latest/ug/connector/security-connector.adoc +++ b/latest/ug/connector/security-connector.adoc @@ -7,7 +7,6 @@ include::../attributes.txt[] :info_doctype: section :info_title: Understand security in Amazon EKS Connector :info_titleabbrev: Security considerations -:info_abstract: Learn how the open-source EKS Connector affects security, and understand {aws} and \ customer security responsibilities for connectivity, cluster management, and IAM \ access control. diff --git a/latest/ug/connector/troubleshooting-connector.adoc b/latest/ug/connector/troubleshooting-connector.adoc index 3440d66ea..f64970779 100644 --- a/latest/ug/connector/troubleshooting-connector.adoc +++ b/latest/ug/connector/troubleshooting-connector.adoc @@ -5,7 +5,6 @@ :info_doctype: section :info_title: Troubleshoot Amazon EKS Connector issues :info_titleabbrev: Troubleshoot Amazon EKS Connector -:info_abstract: Troubleshoot and resolve common issues when using Amazon EKS Connector to connect your Kubernetes clusters to Amazon EKS. include::../attributes.txt[] diff --git a/latest/ug/connector/tsc-faq.adoc b/latest/ug/connector/tsc-faq.adoc index 82c65f309..bf9cf55d7 100644 --- a/latest/ug/connector/tsc-faq.adoc +++ b/latest/ug/connector/tsc-faq.adoc @@ -7,7 +7,6 @@ include::../attributes.txt[] :info_doctype: section :info_title: {aws} Connector frequently asked questions :info_titleabbrev: Frequently asked questions -:info_abstract: Learn to connect and manage Kubernetes clusters outside {aws} with Amazon EKS Connector, enabling unified cluster visibility and management across environments using a secure, outbound-only connection. [abstract] -- diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index 4ba153e50..a0b6de634 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -15,7 +15,6 @@ :info_doctype: chapter :info_title: Document history :keywords: document, publish, release, history, log -:info_abstract: Important updates to the Amazon EKS documentation, sorted by date, with brief \ descriptions of each update and when they occurred. diff --git a/latest/ug/getting-started/getting-started-automode.adoc b/latest/ug/getting-started/getting-started-automode.adoc index 734e148be..b3374ebcc 100644 --- a/latest/ug/getting-started/getting-started-automode.adoc +++ b/latest/ug/getting-started/getting-started-automode.adoc @@ -9,7 +9,6 @@ include::../attributes.txt[] EKS Auto Mode :info_titleabbrev: Create your first cluster – EKS Auto Mode :keywords: using, Auto, getting, started, tutorial -:info_abstract: Learn how to create your first Amazon EKS cluster with nodes using EKS Auto Mode Like other EKS getting started experiences, creating your first cluster with EKS Auto Mode delegates the management of the cluster itself to {aws}. However, EKS Auto Mode extends EKS automation by handing responsibility of many essential services needed to set up workload infrastructure (nodes, networks, and various services), making it easier to manage nodes and scale up to meet workload demands. diff --git a/latest/ug/getting-started/getting-started-console.adoc b/latest/ug/getting-started/getting-started-console.adoc index e388fea82..9ed820357 100644 --- a/latest/ug/getting-started/getting-started-console.adoc +++ b/latest/ug/getting-started/getting-started-console.adoc @@ -9,7 +9,6 @@ include::../attributes.txt[] {aws} CLI :info_titleabbrev: Create your first cluster – {aws-management-console} :keywords: using, {aws-management-console}, {aws} CLI, getting, started, tutorial -:info_abstract: Learn how to create your first Amazon EKS cluster with nodes using the {aws-management-console} and \ {aws} CLI. [abstract] diff --git a/latest/ug/getting-started/getting-started-eksctl.adoc b/latest/ug/getting-started/getting-started-eksctl.adoc index 4b05e9744..b69618b20 100644 --- a/latest/ug/getting-started/getting-started-eksctl.adoc +++ b/latest/ug/getting-started/getting-started-eksctl.adoc @@ -9,7 +9,6 @@ include::../attributes.txt[] eksctl :info_titleabbrev: Create your first cluster – eksctl :keywords: using, eksctl, getting, started, tutorial -:info_abstract: Learn how to create your first Amazon EKS cluster with nodes using the eksctl command \ line tool. [abstract] diff --git a/latest/ug/getting-started/getting-started.adoc b/latest/ug/getting-started/getting-started.adoc index ae1fc70f3..a11bd7c24 100644 --- a/latest/ug/getting-started/getting-started.adoc +++ b/latest/ug/getting-started/getting-started.adoc @@ -13,7 +13,6 @@ include::../attributes.txt[] :info_doctype: chapter :info_title: Get started with Amazon EKS :info_titleabbrev: Get started -:info_abstract: Learn about the tools needed for creating and working with an Amazon EKS cluster. :keywords: getting, started, tutorials, quick, start [abstract] diff --git a/latest/ug/getting-started/install-awscli.adoc b/latest/ug/getting-started/install-awscli.adoc index 08e3a9cf8..b909c911c 100644 --- a/latest/ug/getting-started/install-awscli.adoc +++ b/latest/ug/getting-started/install-awscli.adoc @@ -8,7 +8,6 @@ include::../attributes.txt[] :info_title: Set up {aws} CLI :info_titleabbrev: Set up {aws} CLI :keywords: setting up, setup -:info_abstract: Set up the {aws} CLI for managing {aws} resources needed to use Amazon EKS. Follow these \ instructions to set up the credentials with {aws} CLI. [abstract] diff --git a/latest/ug/getting-started/install-kubectl.adoc b/latest/ug/getting-started/install-kubectl.adoc index 4dc27d89c..dac69e02a 100644 --- a/latest/ug/getting-started/install-kubectl.adoc +++ b/latest/ug/getting-started/install-kubectl.adoc @@ -8,7 +8,6 @@ :info_title: Set up kubectl and eksctl :info_titleabbrev: Set up kubectl and eksctl :keywords: install, update, kubectl -:info_abstract: Learn how to install or update the kubectl and eksctl command line tools \ to work with Kubernetes and Amazon EKS features. diff --git a/latest/ug/getting-started/learn-eks.adoc b/latest/ug/getting-started/learn-eks.adoc index 1631c12e8..a7cb044bc 100644 --- a/latest/ug/getting-started/learn-eks.adoc +++ b/latest/ug/getting-started/learn-eks.adoc @@ -8,7 +8,6 @@ include::../attributes.txt[] :info_title: Learn Amazon EKS by example :info_titleabbrev: Learn Amazon EKS :keywords: tutorial, workshop, developer, learn -:info_abstract: Find learning paths to extend your knowledge of Amazon EKS. :sectnums: :toc: left :icons: font diff --git a/latest/ug/getting-started/setting-up.adoc b/latest/ug/getting-started/setting-up.adoc index 036f89865..253f8f5d3 100644 --- a/latest/ug/getting-started/setting-up.adoc +++ b/latest/ug/getting-started/setting-up.adoc @@ -14,7 +14,6 @@ include::../attributes.txt[] :info_title: Set up to use Amazon EKS :info_titleabbrev: Set up :keywords: setting up, setup -:info_abstract: Set up the tools needed for creating and working with an Amazon EKS cluster. [abstract] -- diff --git a/latest/ug/integrations/creating-resources-with-cloudformation.adoc b/latest/ug/integrations/creating-resources-with-cloudformation.adoc index e936c6bfb..8efc5fc6b 100644 --- a/latest/ug/integrations/creating-resources-with-cloudformation.adoc +++ b/latest/ug/integrations/creating-resources-with-cloudformation.adoc @@ -7,7 +7,6 @@ include::../attributes.txt[] :info_doctype: section :info_title: Create Amazon EKS resources with \ {aws} CloudFormation -:info_abstract: Learn about how to create resources for Amazon EKS using an {aws} CloudFormation \ template. [abstract] diff --git a/latest/ug/integrations/integration-detective.adoc b/latest/ug/integrations/integration-detective.adoc index 038992f36..9fa6df1c3 100644 --- a/latest/ug/integrations/integration-detective.adoc +++ b/latest/ug/integrations/integration-detective.adoc @@ -6,7 +6,6 @@ include::../attributes.txt[] = Analyze security events on EKS with Amazon Detective :info_doctype: section :info_title: Analyze security events on EKS with Amazon Detective -:info_abstract: Amazon Detective helps you analyze, investigate, and quickly identify the root cause \ of security findings or suspicious activities. :keywords: Amazon Detective diff --git a/latest/ug/integrations/integration-securitylake.adoc b/latest/ug/integrations/integration-securitylake.adoc index 40588b762..d206504a7 100644 --- a/latest/ug/integrations/integration-securitylake.adoc +++ b/latest/ug/integrations/integration-securitylake.adoc @@ -6,7 +6,6 @@ include::../attributes.txt[] = Centralize and analyze EKS security data with Security Lake :info_doctype: section :info_title: Centralize and analyze EKS security data with Security Lake -:info_abstract: Amazon Security Lake integrates with Amazon EKS to provide a centralized and standardized \ solution for collecting, storing, and analyzing security data from clusters. By \ enabling EKS control plane logging and adding EKS logs as a source in Security Lake, \ users can gain valuable insights, detect potential threats, and enhance the \ diff --git a/latest/ug/manage-access/cluster-auth.adoc b/latest/ug/manage-access/cluster-auth.adoc index af75691bb..d6984b2a1 100644 --- a/latest/ug/manage-access/cluster-auth.adoc +++ b/latest/ug/manage-access/cluster-auth.adoc @@ -14,7 +14,6 @@ include::../attributes.txt[] :info_doctype: chapter :info_title: Learn how access control works in Amazon EKS :info_titleabbrev: Manage access -:info_abstract: Learn how to manage access to your EKS cluster. First, this includes granting \ developers or external services access to Kubernetes. Second, this includes granting \ Kubernetes workloads access to {aws} services. diff --git a/latest/ug/manage-access/create-kubeconfig.adoc b/latest/ug/manage-access/create-kubeconfig.adoc index 7c480d368..c32106d49 100644 --- a/latest/ug/manage-access/create-kubeconfig.adoc +++ b/latest/ug/manage-access/create-kubeconfig.adoc @@ -7,7 +7,6 @@ include::../attributes.txt[] :info_doctype: section :info_title: Connect kubectl to an EKS cluster by creating a kubeconfig file :info_titleabbrev: Access cluster with kubectl -:info_abstract: Learn how to create or update a kubeconfig file for authenticating with your Amazon EKS cluster using kubectl. Follow prerequisites for required tools and permissions. [abstract] -- diff --git a/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc b/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc index 427812745..da4018941 100644 --- a/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc +++ b/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc @@ -7,7 +7,6 @@ :info_doctype: section :info_title: Grant IAM users and roles access to Kubernetes APIs :info_titleabbrev: Grant access to Kubernetes APIs -:info_abstract: Learn how to grant access to Kubernetes APIs on Amazon EKS clusters using IAM roles, users, or OpenID Connect providers, and manage permissions with access entries or the aws-auth ConfigMap. include::../../attributes.txt[] diff --git a/latest/ug/manage-access/view-kubernetes-resources.adoc b/latest/ug/manage-access/view-kubernetes-resources.adoc index 7a66764b4..b4ef2a26a 100644 --- a/latest/ug/manage-access/view-kubernetes-resources.adoc +++ b/latest/ug/manage-access/view-kubernetes-resources.adoc @@ -7,7 +7,6 @@ include::../attributes.txt[] :info_doctype: section :info_title: View Kubernetes resources in the {aws-management-console} :info_titleabbrev: Access cluster resources with console -:info_abstract: Learn how to view Kubernetes resources in the {aws-management-console}. [abstract] -- diff --git a/latest/ug/ml/inferentia-support.adoc b/latest/ug/ml/inferentia-support.adoc index be85ead18..cc0ac8b39 100644 --- a/latest/ug/ml/inferentia-support.adoc +++ b/latest/ug/ml/inferentia-support.adoc @@ -7,7 +7,6 @@ include::../attributes.txt[] :info_doctype: section :info_title: Use {aws} Inferentia instances with your EKS cluster for Machine Learning :info_titleabbrev: Prepare Inferentia clusters -:info_abstract: Learn how to create an Amazon EKS cluster with nodes running Amazon EC2 Inf1 instances for machine learning inference using {aws} Inferentia chips and deploy a TensorFlow Serving application. [abstract] -- diff --git a/latest/ug/ml/machine-learning-on-eks.adoc b/latest/ug/ml/machine-learning-on-eks.adoc index 3a1aaf863..147a1300a 100644 --- a/latest/ug/ml/machine-learning-on-eks.adoc +++ b/latest/ug/ml/machine-learning-on-eks.adoc @@ -15,7 +15,6 @@ include::../attributes.txt[] :info_title: Machine Learning on Amazon EKS Overview :info_titleabbrev: Machine Learning on EKS :keywords: Machine Learning, Amazon EKS, Artificial Intelligence -:info_abstract: Learn to manage containerized applications with Amazon EKS [abstract] -- diff --git a/latest/ug/ml/ml-get-started.adoc b/latest/ug/ml/ml-get-started.adoc index 6b11e983a..9c20f6db0 100644 --- a/latest/ug/ml/ml-get-started.adoc +++ b/latest/ug/ml/ml-get-started.adoc @@ -6,7 +6,6 @@ :info_doctype: section :info_title: Get started deploying Machine Learning tools on EKS :info_titleabbrev: Get started with ML -:info_abstract: Choose the Machine Learning on EKS tools and platforms that best suit your needs, then use quick start procedures to deploy them to the {aws} cloud. include::../attributes.txt[] diff --git a/latest/ug/ml/ml-prepare-for-cluster.adoc b/latest/ug/ml/ml-prepare-for-cluster.adoc index e813b68b5..94863c285 100644 --- a/latest/ug/ml/ml-prepare-for-cluster.adoc +++ b/latest/ug/ml/ml-prepare-for-cluster.adoc @@ -6,7 +6,6 @@ :info_doctype: section :info_title: Prepare to create an EKS cluster for Machine Learning :info_titleabbrev: Prepare for ML -:info_abstract: Learn how to make decisions about CPU, AMIs, and tooling before creating an EKS cluster for ML. include::../attributes.txt[] diff --git a/latest/ug/ml/ml-tutorials.adoc b/latest/ug/ml/ml-tutorials.adoc index e040f88e8..e02bfde4d 100644 --- a/latest/ug/ml/ml-tutorials.adoc +++ b/latest/ug/ml/ml-tutorials.adoc @@ -6,7 +6,6 @@ :info_doctype: section :info_title: Try tutorials for deploying Machine Learning workloads and platforms on EKS :info_titleabbrev: Try tutorials for ML on EKS -:info_abstract: Learn how to deploy Machine Learning workloads on EKS include::../attributes.txt[] diff --git a/latest/ug/ml/node-efa.adoc b/latest/ug/ml/node-efa.adoc index 934678c52..64151b8d5 100644 --- a/latest/ug/ml/node-efa.adoc +++ b/latest/ug/ml/node-efa.adoc @@ -8,7 +8,6 @@ :info_title: Add Elastic Fabric \ Adapter to EKS clusters for ML training :info_titleabbrev: Prepare training clusters with EFA -:info_abstract: Learn how to integrate Elastic Fabric Adapter (EFA) with Amazon EKS to run machine \ learning training workloads requiring high inter-node communications at scale using \ p4d instances with GPUDirect RDMA and NVIDIA Collective Communications Library \ (NCCL). diff --git a/latest/ug/networking/creating-a-vpc.adoc b/latest/ug/networking/creating-a-vpc.adoc index a776cd768..47369edd6 100644 --- a/latest/ug/networking/creating-a-vpc.adoc +++ b/latest/ug/networking/creating-a-vpc.adoc @@ -5,7 +5,6 @@ :info_doctype: section :info_title: Create an Amazon VPC for your Amazon EKS cluster :info_titleabbrev: Create a VPC -:info_abstract: Learn how to create an Amazon VPC for your cluster using an Amazon EKS provided {aws} CloudFormation \ template. include::../attributes.txt[] diff --git a/latest/ug/networking/network-reqs.adoc b/latest/ug/networking/network-reqs.adoc index fdebdfaec..68c363b7a 100644 --- a/latest/ug/networking/network-reqs.adoc +++ b/latest/ug/networking/network-reqs.adoc @@ -5,7 +5,6 @@ :info_doctype: section :info_title: View Amazon EKS networking requirements for VPC and subnets :info_titleabbrev: VPC and subnet requirements -:info_abstract: Learn how to configure the VPC and subnets to meet networking \ requirements for creating Amazon EKS clusters with sufficient IP addresses, subnet \ types, and availability zones. Understand IP family usage by component and shared \ subnet considerations. diff --git a/latest/ug/networking/sec-group-reqs.adoc b/latest/ug/networking/sec-group-reqs.adoc index 7eeed60a2..4269dfe33 100644 --- a/latest/ug/networking/sec-group-reqs.adoc +++ b/latest/ug/networking/sec-group-reqs.adoc @@ -5,7 +5,6 @@ :info_doctype: section :info_title: View Amazon EKS security group requirements for clusters :info_titleabbrev: Security group requirements -:info_abstract: Learn how to manage security groups for Amazon EKS clusters, including default \ rules, restricting traffic, and required outbound access for nodes to function \ properly with your cluster. Understand key security group considerations for secure \ operation of your Kubernetes cluster on {aws}. diff --git a/latest/ug/nodes/choosing-instance-type.adoc b/latest/ug/nodes/choosing-instance-type.adoc index 9b1fa8463..b98a0c42e 100644 --- a/latest/ug/nodes/choosing-instance-type.adoc +++ b/latest/ug/nodes/choosing-instance-type.adoc @@ -8,7 +8,6 @@ include::../attributes.txt[] :info_title: Choose an optimal Amazon EC2 node instance type :info_titleabbrev: Amazon EC2 instance types :keywords: choose, select, instance, type, family, group, max-pods, max pods, maximum pods -:info_abstract: Each Amazon EC2 instance type offers different compute, memory, storage, and network \ capabilities. [abstract] diff --git a/latest/ug/nodes/eks-compute.adoc b/latest/ug/nodes/eks-compute.adoc index de8b52a55..b1681385f 100644 --- a/latest/ug/nodes/eks-compute.adoc +++ b/latest/ug/nodes/eks-compute.adoc @@ -13,7 +13,6 @@ :info_title: Manage compute resources by using nodes :info_titleabbrev: Manage compute :keywords: nodes, node groups -:info_abstract: Your Amazon EKS cluster can schedule Pods on any combination of self-managed nodes, Amazon EKS managed node groups, and Fargate in the {aws} Cloud and hybrid nodes on-premises. include::../attributes.txt[] diff --git a/latest/ug/nodes/eks-optimized-amis.adoc b/latest/ug/nodes/eks-optimized-amis.adoc index f7dccea02..068124bf2 100644 --- a/latest/ug/nodes/eks-optimized-amis.adoc +++ b/latest/ug/nodes/eks-optimized-amis.adoc @@ -6,7 +6,6 @@ :info_title: Create nodes with pre-built optimized images :info_titleabbrev: Pre-built optimized AMIs :keywords: optimized, custom, AMI -:info_abstract: You can deploy nodes with pre-built Amazon EKS optimized Amazon Machine Images (AMIs) or your own custom \ AMIs include::../attributes.txt[] diff --git a/latest/ug/nodes/fargate.adoc b/latest/ug/nodes/fargate.adoc index 50203bf51..a77c7395d 100644 --- a/latest/ug/nodes/fargate.adoc +++ b/latest/ug/nodes/fargate.adoc @@ -8,7 +8,6 @@ include::../attributes.txt[] :info_title: Simplify compute management with {aws} Fargate :info_titleabbrev: {aws} Fargate :keywords: Fargate, nodes -:info_abstract: This topic discusses using Amazon EKS to run Kubernetes Pods on {aws} Fargate. [abstract] -- diff --git a/latest/ug/nodes/hybrid-nodes-add-ons.adoc b/latest/ug/nodes/hybrid-nodes-add-ons.adoc index 317b2d471..a10cbbe5e 100644 --- a/latest/ug/nodes/hybrid-nodes-add-ons.adoc +++ b/latest/ug/nodes/hybrid-nodes-add-ons.adoc @@ -6,7 +6,6 @@ :info_title: Configure common add-ons for hybrid nodes :info_titleabbrev: Configure add-ons :keywords: add-ons for on-premises nodes, add-ons for hybrid nodes -:info_abstract: Configure common add-ons for hybrid nodes include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc index ac7c0337d..d61b31b93 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc @@ -6,7 +6,6 @@ :info_title: Create an Amazon EKS cluster with hybrid nodes :info_titleabbrev: Create cluster :keywords: on-premises, hybrid -:info_abstract: Create an Amazon EKS cluster with hybrid nodes include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc b/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc index 793c196c0..80461bafa 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc @@ -4,7 +4,6 @@ = Prepare cluster access for hybrid nodes :info_title: Prepare cluster access for hybrid nodes :info_titleabbrev: Prepare cluster access -:info_abstract: Prepare cluster access for hybrid nodes [abstract] -- diff --git a/latest/ug/nodes/hybrid-nodes-cni.adoc b/latest/ug/nodes/hybrid-nodes-cni.adoc index 465a94f16..8522c7c8f 100644 --- a/latest/ug/nodes/hybrid-nodes-cni.adoc +++ b/latest/ug/nodes/hybrid-nodes-cni.adoc @@ -6,7 +6,6 @@ :info_title: Configure a CNI for hybrid nodes :info_titleabbrev: Configure CNI :keywords: on-premises CNI, hybrid CNI -:info_abstract: Configure a CNI for Amazon EKS hybrid nodes include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-join.adoc b/latest/ug/nodes/hybrid-nodes-join.adoc index 37db4d870..4e6ac853f 100644 --- a/latest/ug/nodes/hybrid-nodes-join.adoc +++ b/latest/ug/nodes/hybrid-nodes-join.adoc @@ -6,7 +6,6 @@ :info_title: Connect hybrid nodes to Amazon EKS cluster :info_titleabbrev: Connect hybrid nodes :keywords: on-premises, hybrid -:info_abstract: Connect hybrid nodes to Amazon EKS cluster include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-networking.adoc b/latest/ug/nodes/hybrid-nodes-networking.adoc index 69cd37d74..b2a241c81 100644 --- a/latest/ug/nodes/hybrid-nodes-networking.adoc +++ b/latest/ug/nodes/hybrid-nodes-networking.adoc @@ -6,7 +6,6 @@ :info_title: Prepare networking for hybrid nodes :info_titleabbrev: Prepare networking :keywords: on-premises, hybrid -:info_abstract: Prepare networking include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc index 1e07b179a..87f1f0dbb 100644 --- a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc +++ b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc @@ -6,7 +6,6 @@ :info_title: Hybrid nodes nodeadm reference :info_titleabbrev: Hybrid nodes nodeadm reference :keywords: on-premises, hybrid -:info_abstract: Hybrid nodes nodeadm reference include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-os.adoc b/latest/ug/nodes/hybrid-nodes-os.adoc index 60be83bd0..6db6305ec 100644 --- a/latest/ug/nodes/hybrid-nodes-os.adoc +++ b/latest/ug/nodes/hybrid-nodes-os.adoc @@ -6,7 +6,6 @@ :info_title: Prepare operating system for hybrid nodes :info_titleabbrev: Prepare operating system :keywords: on-premises, hybrid -:info_abstract: Prepare operating system for hybrid nodes include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-prereqs.adoc b/latest/ug/nodes/hybrid-nodes-prereqs.adoc index 4f8711190..1bd3677c3 100644 --- a/latest/ug/nodes/hybrid-nodes-prereqs.adoc +++ b/latest/ug/nodes/hybrid-nodes-prereqs.adoc @@ -6,7 +6,6 @@ :info_title: Prerequisite setup for hybrid nodes :info_titleabbrev: Prerequisites :keywords: on-premises prerequisites, hybrid prerequisites -:info_abstract: Prerequisites and requirements for Amazon EKS hybrid nodes include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-proxy.adoc b/latest/ug/nodes/hybrid-nodes-proxy.adoc index e9053a4ae..fa4e74605 100644 --- a/latest/ug/nodes/hybrid-nodes-proxy.adoc +++ b/latest/ug/nodes/hybrid-nodes-proxy.adoc @@ -6,7 +6,6 @@ :info_title: Configure proxy for hybrid nodes :info_titleabbrev: Configure proxy :keywords: on-premises proxy, hybrid proxy -:info_abstract: Configure HTTP/S proxies for Amazon EKS hybrid nodes include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-remove.adoc b/latest/ug/nodes/hybrid-nodes-remove.adoc index bed35c5cd..0ada802c5 100644 --- a/latest/ug/nodes/hybrid-nodes-remove.adoc +++ b/latest/ug/nodes/hybrid-nodes-remove.adoc @@ -6,7 +6,6 @@ :info_title: Delete hybrid nodes from your EKS cluster :info_titleabbrev: Delete hybrid nodes :keywords: Delete hybrid nodes from your EKS cluster -:info_abstract: Delete hybrid nodes from your EKS cluster include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc index 30293b86a..6ed4babe0 100644 --- a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc +++ b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc @@ -6,7 +6,6 @@ :info_title: Troubleshooting hybrid nodes :info_titleabbrev: Troubleshooting :keywords: on-premises, hybrid -:info_abstract: Amazon EKS hybrid nodes include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-tutorial.adoc b/latest/ug/nodes/hybrid-nodes-tutorial.adoc index dfb1817ad..a7c4b942a 100644 --- a/latest/ug/nodes/hybrid-nodes-tutorial.adoc +++ b/latest/ug/nodes/hybrid-nodes-tutorial.adoc @@ -6,7 +6,6 @@ :info_title: Run and manage hybrid nodes :info_titleabbrev: Run hybrid nodes :keywords: on-premises, hybrid -:info_abstract: Amazon EKS hybrid nodes include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-upgrade.adoc b/latest/ug/nodes/hybrid-nodes-upgrade.adoc index e856544a4..c1c884192 100644 --- a/latest/ug/nodes/hybrid-nodes-upgrade.adoc +++ b/latest/ug/nodes/hybrid-nodes-upgrade.adoc @@ -6,7 +6,6 @@ :info_title: Upgrade hybrid nodes for your cluster :info_titleabbrev: Upgrade hybrid nodes :keywords: upgrade on-premises nodes, upgrade hybrid nodes -:info_abstract: Upgrade Kubernetes versions on hybrid nodes include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes.adoc b/latest/ug/nodes/hybrid-nodes.adoc index dc678f56d..a596610e1 100644 --- a/latest/ug/nodes/hybrid-nodes.adoc +++ b/latest/ug/nodes/hybrid-nodes.adoc @@ -6,7 +6,6 @@ :info_title: Amazon EKS Hybrid Nodes overview :info_titleabbrev: Hybrid nodes :keywords: on-premises, hybrid -:info_abstract: Amazon EKS Hybrid Nodes overview include::../attributes.txt[] diff --git a/latest/ug/nodes/managed-node-groups.adoc b/latest/ug/nodes/managed-node-groups.adoc index b48631f88..33767b5e3 100644 --- a/latest/ug/nodes/managed-node-groups.adoc +++ b/latest/ug/nodes/managed-node-groups.adoc @@ -6,7 +6,6 @@ :info_title: Simplify node lifecycle with managed node groups :info_titleabbrev: Managed node groups :keywords: managed node group, MNG -:info_abstract: Amazon EKS managed node groups automate the provisioning and lifecycle management of \ nodes (Amazon EC2 instances) for Amazon EKS Kubernetes clusters. include::../attributes.txt[] diff --git a/latest/ug/nodes/worker.adoc b/latest/ug/nodes/worker.adoc index 747613458..8d258c791 100644 --- a/latest/ug/nodes/worker.adoc +++ b/latest/ug/nodes/worker.adoc @@ -6,7 +6,6 @@ :info_title: Maintain nodes yourself with self-managed nodes :info_titleabbrev: Self-managed nodes :keywords: self-managed, node -:info_abstract: A cluster contains one or more Amazon EC2 nodes that Pods are scheduled on. include::../attributes.txt[] diff --git a/latest/ug/observability/control-plane-logs.adoc b/latest/ug/observability/control-plane-logs.adoc index 45651d68d..3b3d23029 100644 --- a/latest/ug/observability/control-plane-logs.adoc +++ b/latest/ug/observability/control-plane-logs.adoc @@ -8,7 +8,6 @@ include::../attributes.txt[] :info_title: Send control plane logs to CloudWatch Logs :info_titleabbrev: Control plane logs :keywords: control plane, logging, API, logs -:info_abstract: Learn how to configure logging for your Amazon EKS cluster. [abstract] -- diff --git a/latest/ug/observability/eks-observe.adoc b/latest/ug/observability/eks-observe.adoc index 463c58f04..19d615d40 100644 --- a/latest/ug/observability/eks-observe.adoc +++ b/latest/ug/observability/eks-observe.adoc @@ -14,7 +14,6 @@ include::../attributes.txt[] :info_title: Monitor your cluster performance and view logs :info_titleabbrev: Monitor clusters :keywords: observability, monitoring, logging, logs, data -:info_abstract: You can observe your data in Amazon EKS using many available monitoring or logging \ tools. [abstract] diff --git a/latest/ug/observability/logging-using-cloudtrail.adoc b/latest/ug/observability/logging-using-cloudtrail.adoc index 4136d6e62..1e25386f9 100644 --- a/latest/ug/observability/logging-using-cloudtrail.adoc +++ b/latest/ug/observability/logging-using-cloudtrail.adoc @@ -8,7 +8,6 @@ include::../attributes.txt[] :info_title: Log API calls as {aws} CloudTrail events :info_titleabbrev: {aws} CloudTrail :keywords: logging, API calls, {aws} CloudTrail -:info_abstract: Learn about logging Amazon EKS with {aws} CloudTrail. [abstract] -- diff --git a/latest/ug/observability/observability-dashboard.adoc b/latest/ug/observability/observability-dashboard.adoc index cb949d4cc..2a9375324 100644 --- a/latest/ug/observability/observability-dashboard.adoc +++ b/latest/ug/observability/observability-dashboard.adoc @@ -6,7 +6,6 @@ :info_doctype: section :info_titleabbrev: Observability dashboard :keywords: observability, dashboard -:info_abstract: Learn how to configure logging for your Amazon EKS cluster. include::../attributes.txt[] diff --git a/latest/ug/observability/opentelemetry.adoc b/latest/ug/observability/opentelemetry.adoc index 7345cd7fa..c76514a11 100644 --- a/latest/ug/observability/opentelemetry.adoc +++ b/latest/ug/observability/opentelemetry.adoc @@ -8,7 +8,6 @@ include::../attributes.txt[] :info_title: Send metric and trace data with ADOT Operator :info_titleabbrev: ADOT Operator :keywords: ADOT -:info_abstract: The {aws} Distro for OpenTelemetry (ADOT) Operator makes it easier to enable your \ applications running on Amazon EKS to send metric and trace data to multiple monitoring service \ options. diff --git a/latest/ug/observability/prometheus.adoc b/latest/ug/observability/prometheus.adoc index de795dc4c..9ac6a2f91 100644 --- a/latest/ug/observability/prometheus.adoc +++ b/latest/ug/observability/prometheus.adoc @@ -8,7 +8,6 @@ include::../attributes.txt[] :info_title: Monitor your cluster metrics with Prometheus :info_titleabbrev: Prometheus metrics :keywords: Prometheus, metrics, control plane -:info_abstract: This topic explains how to deploy Prometheus and some of the ways \ that you can use it to view and analyze what your cluster is doing. [abstract] diff --git a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc index d16c40965..f9b424aa0 100644 --- a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc +++ b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc @@ -8,7 +8,6 @@ include::../attributes.txt[] :info_title: Create Amazon Linux nodes on {aws} Outposts :info_titleabbrev: Nodes :keywords: launch, start, self-managed, Linux, node -:info_abstract: Learn how to launch Auto Scaling groups of Amazon Linux nodes on an Outpost that register with \ your Amazon EKS cluster. The cluster can be on the {aws} Cloud or on an Outpost. [abstract] diff --git a/latest/ug/outposts/eks-outposts.adoc b/latest/ug/outposts/eks-outposts.adoc index 13a940afc..3ff1e013d 100644 --- a/latest/ug/outposts/eks-outposts.adoc +++ b/latest/ug/outposts/eks-outposts.adoc @@ -14,7 +14,6 @@ include::../attributes.txt[] :info_title: Deploy Amazon EKS on-premises with {aws} Outposts :info_titleabbrev: Amazon EKS on {aws} Outposts :keywords: Amazon EKS, {aws} Outposts, extended clusters, local clusters -:info_abstract: Learn to deploy Amazon EKS on {aws} Outposts for local or extended clusters to run on-premises Kubernetes applications with a fully managed control plane. [abstract] -- diff --git a/latest/ug/quickstart.adoc b/latest/ug/quickstart.adoc index 475439e67..841d034f0 100644 --- a/latest/ug/quickstart.adoc +++ b/latest/ug/quickstart.adoc @@ -6,7 +6,6 @@ :info_title: Quickstart: Deploy a web app and store data :info_titleabbrev: Quickstart :keywords: quickstart, web, cluster -:info_abstract: Deploy a game application and persist its data on Amazon EKS include::attributes.txt[] diff --git a/latest/ug/related-projects.adoc b/latest/ug/related-projects.adoc index 7f68f7e77..8b559cd16 100644 --- a/latest/ug/related-projects.adoc +++ b/latest/ug/related-projects.adoc @@ -13,7 +13,6 @@ include::attributes.txt[] :info_doctype: chapter :info_title: Extend Amazon EKS capabilities with open source projects :info_titleabbrev: Projects related to Amazon EKS -:info_abstract: Learn how to use open source projects to add features to Amazon EKS for management, networking, machine learning, auto-scaling, monitoring, and CI/CD. [abstract] -- diff --git a/latest/ug/roadmap.adoc b/latest/ug/roadmap.adoc index 227222e7b..a6f21585b 100644 --- a/latest/ug/roadmap.adoc +++ b/latest/ug/roadmap.adoc @@ -14,7 +14,6 @@ include::attributes.txt[] :info_doctype: chapter :info_title: Learn about Amazon EKS new features and roadmap :info_titleabbrev: New features and roadmap -:info_abstract: Follow the What's New feed and public roadmap to help plan for new and future Amazon EKS developments. [abstract] -- diff --git a/latest/ug/storage/csi-snapshot-controller.adoc b/latest/ug/storage/csi-snapshot-controller.adoc index 535880c62..6b8ea7a68 100644 --- a/latest/ug/storage/csi-snapshot-controller.adoc +++ b/latest/ug/storage/csi-snapshot-controller.adoc @@ -8,7 +8,6 @@ include::../attributes.txt[] :info_title: Enable snapshot functionality for CSI volumes :info_titleabbrev: CSI snapshot controller :keywords: CSI, snapshot, controller -:info_abstract: The Container Storage Interface (CSI) snapshot controller enables the use of \ snapshot functionality in compatible CSI drivers, such as the Amazon EBS CSI \ driver. diff --git a/latest/ug/storage/ebs-csi-migration-faq.adoc b/latest/ug/storage/ebs-csi-migration-faq.adoc index 892450906..052944ee4 100644 --- a/latest/ug/storage/ebs-csi-migration-faq.adoc +++ b/latest/ug/storage/ebs-csi-migration-faq.adoc @@ -9,7 +9,6 @@ include::../attributes.txt[] questions :info_titleabbrev: EBS CSI migration FAQ :keywords: Amazon EBS CSI driver, storage, CSI migration -:info_abstract: The Amazon EBS container storage interface migration feature is enabled by default on \ Amazon EKS 1.23 and later clusters. Learn answers to frequently asked \ questions about the feature and how it works with 1.23 and later \ clusters. diff --git a/latest/ug/storage/ebs-csi.adoc b/latest/ug/storage/ebs-csi.adoc index 726a2352f..c2ff4e42c 100644 --- a/latest/ug/storage/ebs-csi.adoc +++ b/latest/ug/storage/ebs-csi.adoc @@ -8,7 +8,6 @@ include::../attributes.txt[] :info_title: Store Kubernetes volumes with Amazon EBS :info_titleabbrev: Amazon EBS :keywords: Amazon EBS CSI driver, storage -:info_abstract: The Amazon Elastic Block Store (Amazon EBS) Container Storage Interface (CSI) driver manages the \ lifecycle of Amazon EBS volumes as storage for Kubernetes Volumes. [abstract] diff --git a/latest/ug/storage/file-cache-csi.adoc b/latest/ug/storage/file-cache-csi.adoc index fcffabe03..4d75500ac 100644 --- a/latest/ug/storage/file-cache-csi.adoc +++ b/latest/ug/storage/file-cache-csi.adoc @@ -8,7 +8,6 @@ include::../attributes.txt[] :info_title: Minimize latency with Amazon File Cache :info_titleabbrev: Amazon File Cache :keywords: Amazon File Cache CSI driver, storage -:info_abstract: The Amazon File Cache Container Storage Interface (CSI) driver provides a CSI \ interface that allows Amazon EKS clusters to manage the life cycle of Amazon file \ caches. diff --git a/latest/ug/storage/fsx-csi.adoc b/latest/ug/storage/fsx-csi.adoc index 11f55821a..846bfd72d 100644 --- a/latest/ug/storage/fsx-csi.adoc +++ b/latest/ug/storage/fsx-csi.adoc @@ -8,7 +8,6 @@ include::../attributes.txt[] :info_title: Store high-performance apps with FSx for Lustre :info_titleabbrev: Amazon FSx for Lustre :keywords: Amazon FSx for Lustre CSI driver, storage -:info_abstract: The FSx for Lustre Container Storage Interface (CSI) driver provides a CSI interface \ that allows Amazon EKS clusters to manage the lifecycle of FSx for Lustre file \ systems. diff --git a/latest/ug/storage/fsx-ontap.adoc b/latest/ug/storage/fsx-ontap.adoc index eacbd3bac..27b9aef0d 100644 --- a/latest/ug/storage/fsx-ontap.adoc +++ b/latest/ug/storage/fsx-ontap.adoc @@ -8,7 +8,6 @@ include::../attributes.txt[] :info_title: Store high-performance apps with FSx for NetApp ONTAP :info_titleabbrev: Amazon FSx for NetApp ONTAP :keywords: Amazon FSx for NetApp ONTAP CSI driver, storage -:info_abstract: NetApp's \ NetApp Trident allows Amazon EKS clusters to manage the lifecycle of \ persistent volumes (PVs) backed by Amazon FSx for NetApp ONTAP file systems. diff --git a/latest/ug/storage/fsx-openzfs-csi.adoc b/latest/ug/storage/fsx-openzfs-csi.adoc index 53963c5ef..3b7cad7dd 100644 --- a/latest/ug/storage/fsx-openzfs-csi.adoc +++ b/latest/ug/storage/fsx-openzfs-csi.adoc @@ -8,7 +8,6 @@ include::../attributes.txt[] :info_title: Store data using Amazon FSx for OpenZFS :info_titleabbrev: Amazon FSx for OpenZFS :keywords: Amazon FSx for OpenZFS CSI driver, storage -:info_abstract: The Amazon FSx for OpenZFS Container Storage Interface (CSI) driver provides a CSI \ interface that allows Amazon EKS clusters to manage the life cycle of Amazon FSx for OpenZFS \ volumes. diff --git a/latest/ug/storage/s3-csi.adoc b/latest/ug/storage/s3-csi.adoc index f7b080538..3abf5e8a5 100644 --- a/latest/ug/storage/s3-csi.adoc +++ b/latest/ug/storage/s3-csi.adoc @@ -8,7 +8,6 @@ include::../attributes.txt[] :info_title: Access Amazon S3 objects with Mountpoint for Amazon S3 CSI driver :info_titleabbrev: Mountpoint for Amazon S3 :keywords: Mountpoint for Amazon S3 CSI driver, storage -:info_abstract: Learn about the Amazon S3 Container Storage Interface (CSI) driver, which provides a \ CSI interface for managing Amazon S3 files and buckets. [abstract] diff --git a/latest/ug/storage/storage.adoc b/latest/ug/storage/storage.adoc index 0c4b037c0..a1c45264e 100644 --- a/latest/ug/storage/storage.adoc +++ b/latest/ug/storage/storage.adoc @@ -14,7 +14,6 @@ include::../attributes.txt[] :info_title: Store application data for your cluster :info_titleabbrev: Store app data :keywords: persistent, data, app, storage -:info_abstract: This chapter covers storage options for Amazon EKS clusters. [abstract] -- diff --git a/latest/ug/troubleshooting/troubleshooting.adoc b/latest/ug/troubleshooting/troubleshooting.adoc index e2a1ff955..50c83df78 100644 --- a/latest/ug/troubleshooting/troubleshooting.adoc +++ b/latest/ug/troubleshooting/troubleshooting.adoc @@ -13,7 +13,6 @@ :info_title: Troubleshoot problems with Amazon EKS clusters and nodes :info_titleabbrev: Troubleshooting :keywords: troubleshooting, help, FAQ -:info_abstract: This chapter covers some common errors that you may see while using Amazon EKS and how \ to work around them. include::../attributes.txt[] diff --git a/latest/ug/what-is/common-use-cases.adoc b/latest/ug/what-is/common-use-cases.adoc index cb382dbf1..ad6497389 100644 --- a/latest/ug/what-is/common-use-cases.adoc +++ b/latest/ug/what-is/common-use-cases.adoc @@ -8,7 +8,6 @@ include::../attributes.txt[] :info_title: Common use cases in Amazon EKS :info_titleabbrev: Common use cases :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, use cases, summary, description -:info_abstract: Discover how Amazon EKS helps deploy highly available containerized applications, build microservices architectures, automate software release processes, run serverless applications, execute machine learning workloads, deploy consistently on-premises and in the cloud, process big data cost-effectively, and ensure security and compliance. [abstract] -- diff --git a/latest/ug/what-is/eks-architecture.adoc b/latest/ug/what-is/eks-architecture.adoc index 6fb916dcf..e2f0c090c 100644 --- a/latest/ug/what-is/eks-architecture.adoc +++ b/latest/ug/what-is/eks-architecture.adoc @@ -8,7 +8,6 @@ include::../attributes.txt[] :info_title: Amazon EKS architecture :info_titleabbrev: Architecture :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, architecture, control plane, nodes, data plane -:info_abstract: Learn how Amazon EKS aligns with Kubernetes cluster architecture, offering a highly available and resilient control plane, and flexible compute options like {aws} Fargate, Karpenter, managed node groups, and self-managed nodes to meet diverse workload requirements. [abstract] -- diff --git a/latest/ug/what-is/eks-deployment-options.adoc b/latest/ug/what-is/eks-deployment-options.adoc index ba61dcac4..7419467ec 100644 --- a/latest/ug/what-is/eks-deployment-options.adoc +++ b/latest/ug/what-is/eks-deployment-options.adoc @@ -6,7 +6,6 @@ :info_title: Deploy Amazon EKS clusters across cloud and on-premises environments :info_titleabbrev: Deployment options :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, deployment, options, comparison -:info_abstract: Learn to deploy Kubernetes clusters with Amazon EKS across cloud and on-premises environments to meet your operational needs, while leveraging {aws} services and support. include::../attributes.txt[] diff --git a/latest/ug/what-is/kubernetes-concepts.adoc b/latest/ug/what-is/kubernetes-concepts.adoc index c583f8d3e..a79f04349 100644 --- a/latest/ug/what-is/kubernetes-concepts.adoc +++ b/latest/ug/what-is/kubernetes-concepts.adoc @@ -8,7 +8,6 @@ include::../attributes.txt[] :info_title: Kubernetes concepts :info_titleabbrev: Kubernetes concepts :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, architecture, control plane, nodes, data plane -:info_abstract: Learn core Kubernetes concepts and how they relate to deploying workloads, managing clusters, and working with control planes, nodes, Pods, containers, and networking on Amazon EKS. [abstract] -- diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index ad3c14ea1..4815ab966 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -15,11 +15,10 @@ include::../attributes.txt[] :info_title: What is Amazon EKS? :info_titleabbrev: What is Amazon EKS? :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, about, summary, description -:info_abstract: Learn to manage containerized applications with Amazon EKS [abstract] -- -Learn to manage containerized applications with Amazon EKS +Learn to manage containerized applications with Amazon EKS. -- Amazon Elastic Kubernetes Service (Amazon EKS) is a managed Kubernetes service that eliminates the need to operate and maintain the availability and scalability of Kubernetes clusters in Amazon Web Services ({aws}) and in your own data centers. https://kubernetes.io/docs/concepts/overview/[Kubernetes] is an open source system that automates the management, scaling, and deployment of containerized applications. To get started, see the <> page in the Amazon EKS User Guide. diff --git a/latest/ug/workloads/alb-ingress.adoc b/latest/ug/workloads/alb-ingress.adoc index d097b58ef..b95e0a718 100644 --- a/latest/ug/workloads/alb-ingress.adoc +++ b/latest/ug/workloads/alb-ingress.adoc @@ -5,7 +5,6 @@ :info_doctype: section :info_title: Route application and HTTP traffic with Application Load Balancers :info_titleabbrev: Application load balancing -:info_abstract: Learn how to use Application Load Balancing on Amazon EKS to load balance application traffic at L7 with {aws} Load Balancer Controller. include::../attributes.txt[] diff --git a/latest/ug/workloads/eks-add-ons.adoc b/latest/ug/workloads/eks-add-ons.adoc index 0ad07fb1d..8de8312a3 100644 --- a/latest/ug/workloads/eks-add-ons.adoc +++ b/latest/ug/workloads/eks-add-ons.adoc @@ -7,7 +7,6 @@ :info_title: Amazon EKS add-ons :info_titleabbrev: Amazon EKS add-ons :keywords: managed, add-ons, plugins -:info_abstract: Learn how to manage operational software add-ons on Amazon EKS clusters with Amazon EKS add-ons for observability, networking, storage, and security from {aws} and third-party vendors. include::../attributes.txt[] diff --git a/latest/ug/workloads/horizontal-pod-autoscaler.adoc b/latest/ug/workloads/horizontal-pod-autoscaler.adoc index ce25b2c06..3b36a46d8 100644 --- a/latest/ug/workloads/horizontal-pod-autoscaler.adoc +++ b/latest/ug/workloads/horizontal-pod-autoscaler.adoc @@ -7,7 +7,6 @@ include::../attributes.txt[] :info_doctype: section :info_title: Scale pod deployments with Horizontal Pod Autoscaler :info_titleabbrev: Horizontal Pod Autoscaler -:info_abstract: Learn how to use the Kubernetes Horizontal Pod Autoscaler to automatically scale your Amazon EKS deployments based on CPU utilization for efficient resource management. [abstract] -- diff --git a/latest/ug/workloads/image-verification.adoc b/latest/ug/workloads/image-verification.adoc index 8557afaf6..54868bf88 100644 --- a/latest/ug/workloads/image-verification.adoc +++ b/latest/ug/workloads/image-verification.adoc @@ -7,7 +7,6 @@ include::../attributes.txt[] :info_doctype: section :info_title: Validate container image signatures during deployment :info_titleabbrev: Verify container images -:info_abstract: Learn how to verify signed container images during deployment on Amazon EKS using admission controllers like Gatekeeper with Ratify or Kyverno configured with {aws} Signer plugins for validating image signatures. [abstract] -- diff --git a/latest/ug/workloads/network-load-balancing.adoc b/latest/ug/workloads/network-load-balancing.adoc index 3b71b4f1b..34f203875 100644 --- a/latest/ug/workloads/network-load-balancing.adoc +++ b/latest/ug/workloads/network-load-balancing.adoc @@ -5,7 +5,6 @@ :info_doctype: section :info_title: Route TCP and UDP traffic with Network Load Balancers :info_titleabbrev: Network load balancing -:info_abstract: Use the {aws} Load Balancer Controller to create network load balancers for Amazon EKS workloads, supporting IP and instance targets with {aws} Network Load Balancers. include::../attributes.txt[] diff --git a/latest/ug/workloads/vertical-pod-autoscaler.adoc b/latest/ug/workloads/vertical-pod-autoscaler.adoc index 77a0ce920..bf07a97a8 100644 --- a/latest/ug/workloads/vertical-pod-autoscaler.adoc +++ b/latest/ug/workloads/vertical-pod-autoscaler.adoc @@ -7,7 +7,6 @@ include::../attributes.txt[] :info_doctype: section :info_title: Adjust pod resources with Vertical Pod Autoscaler :info_titleabbrev: Vertical Pod Autoscaler -:info_abstract: Discover how the Kubernetes Vertical Pod Autoscaler automatically adjusts CPU and memory reservations for your Pods to optimize resource utilization and right-size applications on Amazon EKS. [abstract] -- From e6fbc9408ceca00ac0560633df4f506ebd70400a Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Thu, 23 Jan 2025 19:24:57 +0000 Subject: [PATCH 041/940] Globally removed info_title metadata which does not seem to be needed. --- latest/ug/automode/associate-workload.adoc | 1 - latest/ug/automode/auto-elb-example.adoc | 1 - latest/ug/automode/auto-enable-existing.adoc | 1 - latest/ug/automode/auto-glossary.adoc | 1 - latest/ug/automode/auto-migrate-karpenter.adoc | 1 - latest/ug/automode/auto-migrate-mng.adoc | 1 - latest/ug/automode/auto-mng.adoc | 1 - latest/ug/automode/auto-networking.adoc | 1 - latest/ug/automode/auto-reference.adoc | 1 - latest/ug/automode/auto-troubleshoot.adoc | 1 - latest/ug/automode/auto-workloads.adoc | 1 - latest/ug/automode/automode-get-started-cli.adoc | 1 - latest/ug/automode/automode-get-started-console.adoc | 1 - latest/ug/automode/automode-get-started-eksctl.adoc | 1 - latest/ug/automode/automode-learn-instances.adoc | 1 - latest/ug/automode/automode-workload.adoc | 1 - latest/ug/automode/automode.adoc | 1 - latest/ug/automode/create-auto.adoc | 1 - latest/ug/automode/migrate-auto.adoc | 1 - latest/ug/automode/sample-storage-workload.adoc | 1 - latest/ug/automode/settings-auto.adoc | 1 - latest/ug/book.adoc | 1 - latest/ug/clusters/autoscaling.adoc | 1 - latest/ug/clusters/cluster-endpoint.adoc | 1 - latest/ug/clusters/clusters.adoc | 1 - latest/ug/clusters/create-cluster-auto.adoc | 1 - latest/ug/clusters/create-cluster.adoc | 1 - latest/ug/clusters/delete-cluster.adoc | 1 - latest/ug/clusters/disable-windows-support.adoc | 1 - latest/ug/clusters/kubernetes-versions.adoc | 1 - latest/ug/clusters/management/cost-monitoring.adoc | 1 - latest/ug/clusters/management/eks-managing.adoc | 1 - latest/ug/clusters/management/eks-using-tags.adoc | 1 - latest/ug/clusters/management/helm.adoc | 1 - latest/ug/clusters/management/metrics-server.adoc | 1 - latest/ug/clusters/management/service-quotas.adoc | 1 - latest/ug/clusters/platform-versions.adoc | 1 - latest/ug/clusters/private-clusters.adoc | 1 - latest/ug/clusters/update-cluster.adoc | 1 - latest/ug/clusters/windows-support.adoc | 1 - latest/ug/connector/connecting-cluster.adoc | 1 - latest/ug/connector/connector-grant-access.adoc | 1 - latest/ug/connector/deregister-connected-cluster.adoc | 1 - latest/ug/connector/eks-connector.adoc | 1 - latest/ug/connector/security-connector.adoc | 1 - latest/ug/connector/troubleshooting-connector.adoc | 1 - latest/ug/connector/tsc-faq.adoc | 1 - latest/ug/doc-history.adoc | 1 - latest/ug/getting-started/getting-started-automode.adoc | 1 - latest/ug/getting-started/getting-started-console.adoc | 1 - latest/ug/getting-started/getting-started-eksctl.adoc | 1 - latest/ug/getting-started/getting-started.adoc | 1 - latest/ug/getting-started/install-awscli.adoc | 1 - latest/ug/getting-started/install-kubectl.adoc | 1 - latest/ug/getting-started/learn-eks.adoc | 1 - latest/ug/getting-started/setting-up.adoc | 1 - .../ug/integrations/creating-resources-with-cloudformation.adoc | 1 - latest/ug/integrations/eks-integrations.adoc | 1 - latest/ug/integrations/integration-detective.adoc | 1 - latest/ug/integrations/integration-guardduty.adoc | 1 - latest/ug/integrations/integration-resilience-hub.adoc | 1 - latest/ug/integrations/integration-securitylake.adoc | 1 - latest/ug/integrations/integration-vpc-lattice.adoc | 1 - latest/ug/integrations/local-zones.adoc | 1 - latest/ug/manage-access/aws-access/service-accounts.adoc | 1 - latest/ug/manage-access/cluster-auth.adoc | 1 - latest/ug/manage-access/create-kubeconfig.adoc | 1 - latest/ug/manage-access/k8s-access/grant-k8s-access.adoc | 1 - latest/ug/manage-access/view-kubernetes-resources.adoc | 1 - latest/ug/ml/inferentia-support.adoc | 1 - latest/ug/ml/machine-learning-on-eks.adoc | 1 - latest/ug/ml/ml-get-started.adoc | 1 - latest/ug/ml/ml-prepare-for-cluster.adoc | 1 - latest/ug/ml/ml-tutorials.adoc | 1 - latest/ug/ml/node-efa.adoc | 1 - latest/ug/networking/creating-a-vpc.adoc | 1 - latest/ug/networking/network-reqs.adoc | 1 - latest/ug/networking/sec-group-reqs.adoc | 1 - latest/ug/nodes/choosing-instance-type.adoc | 1 - latest/ug/nodes/eks-compute.adoc | 1 - latest/ug/nodes/eks-optimized-amis.adoc | 1 - latest/ug/nodes/fargate.adoc | 1 - latest/ug/nodes/hybrid-nodes-add-ons.adoc | 1 - latest/ug/nodes/hybrid-nodes-cluster-create.adoc | 1 - latest/ug/nodes/hybrid-nodes-cluster-prep.adoc | 1 - latest/ug/nodes/hybrid-nodes-cni.adoc | 1 - latest/ug/nodes/hybrid-nodes-join.adoc | 1 - latest/ug/nodes/hybrid-nodes-networking.adoc | 1 - latest/ug/nodes/hybrid-nodes-nodeadm.adoc | 1 - latest/ug/nodes/hybrid-nodes-os.adoc | 1 - latest/ug/nodes/hybrid-nodes-prereqs.adoc | 1 - latest/ug/nodes/hybrid-nodes-proxy.adoc | 1 - latest/ug/nodes/hybrid-nodes-remove.adoc | 1 - latest/ug/nodes/hybrid-nodes-troubleshooting.adoc | 1 - latest/ug/nodes/hybrid-nodes-tutorial.adoc | 1 - latest/ug/nodes/hybrid-nodes-upgrade.adoc | 1 - latest/ug/nodes/hybrid-nodes.adoc | 1 - latest/ug/nodes/managed-node-groups.adoc | 1 - latest/ug/nodes/worker.adoc | 1 - latest/ug/observability/control-plane-logs.adoc | 1 - latest/ug/observability/eks-observe.adoc | 1 - latest/ug/observability/logging-using-cloudtrail.adoc | 1 - latest/ug/observability/opentelemetry.adoc | 1 - latest/ug/observability/prometheus.adoc | 1 - latest/ug/outposts/eks-outposts-self-managed-nodes.adoc | 1 - latest/ug/outposts/eks-outposts.adoc | 1 - latest/ug/quickstart.adoc | 1 - latest/ug/related-projects.adoc | 1 - latest/ug/roadmap.adoc | 1 - latest/ug/security/compliance.adoc | 1 - latest/ug/storage/csi-snapshot-controller.adoc | 1 - latest/ug/storage/ebs-csi-migration-faq.adoc | 1 - latest/ug/storage/ebs-csi.adoc | 1 - latest/ug/storage/file-cache-csi.adoc | 1 - latest/ug/storage/fsx-csi.adoc | 1 - latest/ug/storage/fsx-ontap.adoc | 1 - latest/ug/storage/fsx-openzfs-csi.adoc | 1 - latest/ug/storage/s3-csi.adoc | 1 - latest/ug/storage/storage.adoc | 1 - latest/ug/troubleshooting/troubleshooting.adoc | 1 - latest/ug/what-is/common-use-cases.adoc | 1 - latest/ug/what-is/eks-architecture.adoc | 1 - latest/ug/what-is/eks-deployment-options.adoc | 1 - latest/ug/what-is/kubernetes-concepts.adoc | 1 - latest/ug/what-is/what-is-eks.adoc | 1 - latest/ug/workloads/alb-ingress.adoc | 1 - latest/ug/workloads/copy-image-to-repository.adoc | 1 - latest/ug/workloads/eks-add-ons.adoc | 1 - latest/ug/workloads/eks-workloads.adoc | 1 - latest/ug/workloads/horizontal-pod-autoscaler.adoc | 1 - latest/ug/workloads/image-verification.adoc | 1 - latest/ug/workloads/network-load-balancing.adoc | 1 - latest/ug/workloads/sample-deployment-windows.adoc | 1 - latest/ug/workloads/sample-deployment.adoc | 1 - latest/ug/workloads/vertical-pod-autoscaler.adoc | 1 - 135 files changed, 135 deletions(-) diff --git a/latest/ug/automode/associate-workload.adoc b/latest/ug/automode/associate-workload.adoc index 25c79c488..5ea0c38d1 100644 --- a/latest/ug/automode/associate-workload.adoc +++ b/latest/ug/automode/associate-workload.adoc @@ -6,7 +6,6 @@ include::../attributes.txt[] [[associate-workload,associate-workload.title]] = Control if a workload is deployed on EKS Auto Mode nodes :info_doctype: section -:info_title: Control if a workload is deployed on EKS Auto Mode nodes :info_titleabbrev: Control workload deployment When running workloads in an EKS cluster with {eam}, you might need to control whether specific workloads run on {eam} nodes or other compute types. This topic describes how to use node selectors and affinity rules to ensure your workloads are scheduled on the intended compute infrastructure. diff --git a/latest/ug/automode/auto-elb-example.adoc b/latest/ug/automode/auto-elb-example.adoc index b799d0e37..15776ac9a 100644 --- a/latest/ug/automode/auto-elb-example.adoc +++ b/latest/ug/automode/auto-elb-example.adoc @@ -4,7 +4,6 @@ [[auto-elb-example,auto-elb-example.title]] = Deploy a Sample Load Balancer Workload to EKS Auto Mode :info_doctype: section -:info_title: Deploy a sample load balancer workload to EKS Auto Mode :info_titleabbrev: Deploy load balancer workload diff --git a/latest/ug/automode/auto-enable-existing.adoc b/latest/ug/automode/auto-enable-existing.adoc index 05df23913..9de38fb3e 100644 --- a/latest/ug/automode/auto-enable-existing.adoc +++ b/latest/ug/automode/auto-enable-existing.adoc @@ -4,7 +4,6 @@ [[auto-enable-existing,auto-enable-existing.title]] = Enable EKS Auto Mode on an existing cluster :info_doctype: section -:info_title: Enable EKS Auto Mode on an existing cluster :info_titleabbrev: Enable on cluster include::../attributes.txt[] diff --git a/latest/ug/automode/auto-glossary.adoc b/latest/ug/automode/auto-glossary.adoc index b66b36069..80709a7f4 100644 --- a/latest/ug/automode/auto-glossary.adoc +++ b/latest/ug/automode/auto-glossary.adoc @@ -3,7 +3,6 @@ [[auto-glossary,auto-glossary.title]] = Glossary :info_doctype: section -:info_title: Glossary of terms for EKS Auto Mode :info_titleabbrev: Glossary diff --git a/latest/ug/automode/auto-migrate-karpenter.adoc b/latest/ug/automode/auto-migrate-karpenter.adoc index 5f4ac69fe..b616a9400 100644 --- a/latest/ug/automode/auto-migrate-karpenter.adoc +++ b/latest/ug/automode/auto-migrate-karpenter.adoc @@ -3,7 +3,6 @@ [[auto-migrate-karpenter,auto-migrate-karpenter.title]] = Migrate from Karpenter to EKS Auto Mode using kubectl :info_doctype: section -:info_title: Migrate from Karpenter to EKS Auto Mode using kubectl :info_titleabbrev: Migrate from Karpenter include::../attributes.txt[] diff --git a/latest/ug/automode/auto-migrate-mng.adoc b/latest/ug/automode/auto-migrate-mng.adoc index caaa27c23..96a0b5b95 100644 --- a/latest/ug/automode/auto-migrate-mng.adoc +++ b/latest/ug/automode/auto-migrate-mng.adoc @@ -4,7 +4,6 @@ [[auto-migrate-mng,auto-migrate-mng.title]] = Migrate from EKS Managed Node Groups to EKS Auto Mode :info_doctype: section -:info_title: Migrate from EKS Managed Node Groups to EKS Auto Mode :info_titleabbrev: Migrate from Managed Node Groups include::../attributes.txt[] diff --git a/latest/ug/automode/auto-mng.adoc b/latest/ug/automode/auto-mng.adoc index 7c0407049..39c37d292 100644 --- a/latest/ug/automode/auto-mng.adoc +++ b/latest/ug/automode/auto-mng.adoc @@ -4,7 +4,6 @@ [[auto-mng,auto-mng.title]] = Compare EKS Auto Mode with EKS managed node groups :info_doctype: section -:info_title: Compare EKS Auto Mode with EKS managed node groups :info_titleabbrev: Compare with Managed Node Groups diff --git a/latest/ug/automode/auto-networking.adoc b/latest/ug/automode/auto-networking.adoc index 2d585acc5..370117a39 100644 --- a/latest/ug/automode/auto-networking.adoc +++ b/latest/ug/automode/auto-networking.adoc @@ -3,7 +3,6 @@ [[auto-networking,auto-networking.title]] = Learn about VPC Networking and Load Balancing in EKS Auto Mode :info_doctype: section -:info_title: Learn about VPC networking and load balancing in EKS Auto Mode :info_titleabbrev: Networking diff --git a/latest/ug/automode/auto-reference.adoc b/latest/ug/automode/auto-reference.adoc index 277c091a1..2f5e88977 100644 --- a/latest/ug/automode/auto-reference.adoc +++ b/latest/ug/automode/auto-reference.adoc @@ -9,7 +9,6 @@ include::../attributes.txt[] :idprefix: :idseparator: - :sourcedir: . -:info_title: Learn how EKS Auto Mode works :info_titleabbrev: How it works [abstract] diff --git a/latest/ug/automode/auto-troubleshoot.adoc b/latest/ug/automode/auto-troubleshoot.adoc index 7bf491dc3..7ce38a9a0 100644 --- a/latest/ug/automode/auto-troubleshoot.adoc +++ b/latest/ug/automode/auto-troubleshoot.adoc @@ -4,7 +4,6 @@ [[auto-troubleshoot,auto-troubleshoot.title]] = Troubleshoot EKS Auto Mode :info_doctype: section -:info_title: Troubleshoot EKS Auto Mode :info_titleabbrev: Troubleshoot include::../attributes.txt[] diff --git a/latest/ug/automode/auto-workloads.adoc b/latest/ug/automode/auto-workloads.adoc index a7c1e068a..9dd4516fe 100644 --- a/latest/ug/automode/auto-workloads.adoc +++ b/latest/ug/automode/auto-workloads.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [[auto-workloads,auto-workloads.title]] = Run sample workloads in EKS Auto Mode clusters :info_doctype: section -:info_title: Run workloads in EKS Auto Mode clusters :info_titleabbrev: Run workloads [abstract] diff --git a/latest/ug/automode/automode-get-started-cli.adoc b/latest/ug/automode/automode-get-started-cli.adoc index 94b29d96e..b2d304106 100644 --- a/latest/ug/automode/automode-get-started-cli.adoc +++ b/latest/ug/automode/automode-get-started-cli.adoc @@ -7,7 +7,6 @@ include::../attributes.txt[] = Create an EKS Auto Mode Cluster with the {aws} CLI :info_doctype: section :config: configuration -:info_title: Create an EKS Auto Mode Cluster with the {aws} CLI :info_titleabbrev: {aws} CLI EKS Auto Mode Clusters automate routine cluster management tasks for compute, storage, and networking. For example, EKS Auto Mode Clusters automatically detect when additional nodes are required and provision new EC2 instances to meet workload demands. diff --git a/latest/ug/automode/automode-get-started-console.adoc b/latest/ug/automode/automode-get-started-console.adoc index 789b9c96b..57fa8709d 100644 --- a/latest/ug/automode/automode-get-started-console.adoc +++ b/latest/ug/automode/automode-get-started-console.adoc @@ -6,7 +6,6 @@ include::../attributes.txt[] [[automode-get-started-console,automode-get-started-console.title]] = Create an EKS Auto Mode Cluster with the {aws} Management Console :info_doctype: section -:info_title: Create an EKS Auto Mode Cluster with the {aws} Management Console :info_titleabbrev: Management console Creating an {eam} cluster in the {aws} Management Console requires less {config} than other options. EKS integrates with {aws} IAM and VPC Networking to help you create the resources associated with an EKS cluster. diff --git a/latest/ug/automode/automode-get-started-eksctl.adoc b/latest/ug/automode/automode-get-started-eksctl.adoc index cd6ab8e8a..d0ba2f5df 100644 --- a/latest/ug/automode/automode-get-started-eksctl.adoc +++ b/latest/ug/automode/automode-get-started-eksctl.adoc @@ -5,7 +5,6 @@ = Create an EKS Auto Mode Cluster with the eksctl CLI :info_doctype: section :config: configuration -:info_title: Create an EKS Auto Mode Cluster with the eksctl CLI :info_titleabbrev: eksctl CLI diff --git a/latest/ug/automode/automode-learn-instances.adoc b/latest/ug/automode/automode-learn-instances.adoc index accf312cc..36d7cb7ed 100644 --- a/latest/ug/automode/automode-learn-instances.adoc +++ b/latest/ug/automode/automode-learn-instances.adoc @@ -11,7 +11,6 @@ :emi: EC2 managed instance :emi: EC2 {mi} :emng: EKS Managed Node Group -:info_title: Learn about Amazon EKS Auto Mode managed instances :info_titleabbrev: Managed instances include::../attributes.txt[] diff --git a/latest/ug/automode/automode-workload.adoc b/latest/ug/automode/automode-workload.adoc index 374aedb84..abd5a84f3 100644 --- a/latest/ug/automode/automode-workload.adoc +++ b/latest/ug/automode/automode-workload.adoc @@ -4,7 +4,6 @@ [[automode-workload,automode-workload.title]] = Deploy a sample inflate workload to an Amazon EKS Auto Mode cluster :info_doctype: section -:info_title: Deploy a sample inflate workload to an Amazon EKS Auto Mode cluster :info_titleabbrev: Deploy inflate workload include::../attributes.txt[] diff --git a/latest/ug/automode/automode.adoc b/latest/ug/automode/automode.adoc index 718354e45..029389ac1 100644 --- a/latest/ug/automode/automode.adoc +++ b/latest/ug/automode/automode.adoc @@ -5,7 +5,6 @@ :info_doctype: chapter :toclevels: 2 :toc: -:info_title: Automate cluster infrastructure with EKS Auto Mode :info_titleabbrev: EKS Auto Mode [abstract] diff --git a/latest/ug/automode/create-auto.adoc b/latest/ug/automode/create-auto.adoc index bc13bd7f7..2a87e3c59 100644 --- a/latest/ug/automode/create-auto.adoc +++ b/latest/ug/automode/create-auto.adoc @@ -9,7 +9,6 @@ include::../attributes.txt[] :idprefix: :idseparator: - :sourcedir: . -:info_title: Create cluster with EKS Auto Mode :info_titleabbrev: Create cluster :keywords: getting, started, tutorials, quick, start diff --git a/latest/ug/automode/migrate-auto.adoc b/latest/ug/automode/migrate-auto.adoc index 401c58a0d..37f43042c 100644 --- a/latest/ug/automode/migrate-auto.adoc +++ b/latest/ug/automode/migrate-auto.adoc @@ -9,7 +9,6 @@ include::../attributes.txt[] :idprefix: :idseparator: - :sourcedir: . -:info_title: Enable EKS Auto Mode on existing EKS clusters :info_titleabbrev: Enable existing clusters [abstract] diff --git a/latest/ug/automode/sample-storage-workload.adoc b/latest/ug/automode/sample-storage-workload.adoc index 488ccc928..2adf12a43 100644 --- a/latest/ug/automode/sample-storage-workload.adoc +++ b/latest/ug/automode/sample-storage-workload.adoc @@ -4,7 +4,6 @@ [[sample-storage-workload,sample-storage-workload.title]] = Deploy a sample stateful workload to EKS Auto Mode :info_doctype: section -:info_title: Deploy a sample stateful workload to EKS Auto Mode :info_titleabbrev: Deploy stateful workload include::../attributes.txt[] diff --git a/latest/ug/automode/settings-auto.adoc b/latest/ug/automode/settings-auto.adoc index 18b86ec22..3fb47b69a 100644 --- a/latest/ug/automode/settings-auto.adoc +++ b/latest/ug/automode/settings-auto.adoc @@ -9,7 +9,6 @@ include::../attributes.txt[] :idprefix: :idseparator: - :sourcedir: . -:info_title: Change EKS Auto cluster settings :info_titleabbrev: Configure [abstract] diff --git a/latest/ug/book.adoc b/latest/ug/book.adoc index 5bef37add..8199bfe8d 100644 --- a/latest/ug/book.adoc +++ b/latest/ug/book.adoc @@ -9,7 +9,6 @@ include::attributes.txt[] :idprefix: :idseparator: - :info_doctype: book -:info_title: Amazon EKS :info_subtitle: User Guide service that makes it easy for you to run Kubernetes on {aws} without needing to install and operate \ your own Kubernetes clusters. Kubernetes is an open-source system for automating the deployment, scaling, \ diff --git a/latest/ug/clusters/autoscaling.adoc b/latest/ug/clusters/autoscaling.adoc index 86dc07a30..814ff17a1 100644 --- a/latest/ug/clusters/autoscaling.adoc +++ b/latest/ug/clusters/autoscaling.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[autoscaling,autoscaling.title]] = Scale cluster compute with [.noloc]`Karpenter` and [.noloc]`Cluster Autoscaler` :info_doctype: section -:info_title: Scale cluster compute with Karpenter and Cluster Autoscaler :info_titleabbrev: Autoscaling [abstract] diff --git a/latest/ug/clusters/cluster-endpoint.adoc b/latest/ug/clusters/cluster-endpoint.adoc index b3401bf7a..09617e57b 100644 --- a/latest/ug/clusters/cluster-endpoint.adoc +++ b/latest/ug/clusters/cluster-endpoint.adoc @@ -3,7 +3,6 @@ [[cluster-endpoint,cluster-endpoint.title]] = Control network access to cluster API server endpoint :info_doctype: section -:info_title: Control network access to cluster API server endpoint :info_titleabbrev: Configure endpoint access include::../attributes.txt[] diff --git a/latest/ug/clusters/clusters.adoc b/latest/ug/clusters/clusters.adoc index 0235a5660..aee8ed1d3 100644 --- a/latest/ug/clusters/clusters.adoc +++ b/latest/ug/clusters/clusters.adoc @@ -11,7 +11,6 @@ include::../attributes.txt[] :idseparator: - :sourcedir: . :info_doctype: chapter -:info_title: Organize workloads with Amazon EKS clusters :info_titleabbrev: Clusters An Amazon EKS cluster consists of two primary components: diff --git a/latest/ug/clusters/create-cluster-auto.adoc b/latest/ug/clusters/create-cluster-auto.adoc index 03ddcd797..a8ffab697 100644 --- a/latest/ug/clusters/create-cluster-auto.adoc +++ b/latest/ug/clusters/create-cluster-auto.adoc @@ -4,7 +4,6 @@ [[create-cluster-auto,create-cluster-auto.title]] = Create an Amazon EKS Auto Mode cluster :info_doctype: section -:info_title: Create an Amazon EKS Auto Mode cluster :info_titleabbrev: Create auto cluster :idprefix: id_ diff --git a/latest/ug/clusters/create-cluster.adoc b/latest/ug/clusters/create-cluster.adoc index 648eaae6c..55ac5c74b 100644 --- a/latest/ug/clusters/create-cluster.adoc +++ b/latest/ug/clusters/create-cluster.adoc @@ -4,7 +4,6 @@ [[create-cluster,create-cluster.title]] = Create an Amazon EKS cluster :info_doctype: section -:info_title: Create an Amazon EKS cluster :info_titleabbrev: Create a cluster include::../attributes.txt[] diff --git a/latest/ug/clusters/delete-cluster.adoc b/latest/ug/clusters/delete-cluster.adoc index 10bff9c57..72154af48 100644 --- a/latest/ug/clusters/delete-cluster.adoc +++ b/latest/ug/clusters/delete-cluster.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[delete-cluster,delete-cluster.title]] = Delete a cluster :info_doctype: section -:info_title: Delete a cluster :info_titleabbrev: Delete a cluster [abstract] diff --git a/latest/ug/clusters/disable-windows-support.adoc b/latest/ug/clusters/disable-windows-support.adoc index e884af946..410283586 100644 --- a/latest/ug/clusters/disable-windows-support.adoc +++ b/latest/ug/clusters/disable-windows-support.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[disable-windows-support,disable-windows-support.title]] = Disable [.noloc]`Windows` support :info_doctype: section -:info_title: Disable Windows support . If your cluster contains Amazon Linux nodes and you use xref:security-groups-for-pods[security groups for Pods,linkend=security-groups-for-pods] with them, then skip this step. + diff --git a/latest/ug/clusters/kubernetes-versions.adoc b/latest/ug/clusters/kubernetes-versions.adoc index 9d8e3015d..f908975e4 100644 --- a/latest/ug/clusters/kubernetes-versions.adoc +++ b/latest/ug/clusters/kubernetes-versions.adoc @@ -4,7 +4,6 @@ [[kubernetes-versions,kubernetes-versions.title]] = Understand the [.noloc]`Kubernetes` version lifecycle on EKS :info_doctype: section -:info_title: Understand the Kubernetes version lifecycle on EKS :info_titleabbrev: Kubernetes versions :keywords: Amazon EKS, available, Kubernetes, version, release notes support periods, allowing you to proactively update clusters with the latest \ diff --git a/latest/ug/clusters/management/cost-monitoring.adoc b/latest/ug/clusters/management/cost-monitoring.adoc index e6e3bc43d..3c4e3c412 100644 --- a/latest/ug/clusters/management/cost-monitoring.adoc +++ b/latest/ug/clusters/management/cost-monitoring.adoc @@ -5,7 +5,6 @@ [[cost-monitoring,cost-monitoring.title]] = Monitor and optimize Amazon EKS cluster costs :info_doctype: section -:info_title: Monitor and optimize Amazon EKS cluster costs :info_titleabbrev: Cost monitoring :keywords: cost, monitoring, watch diff --git a/latest/ug/clusters/management/eks-managing.adoc b/latest/ug/clusters/management/eks-managing.adoc index 42e6db90f..68ca5efa8 100644 --- a/latest/ug/clusters/management/eks-managing.adoc +++ b/latest/ug/clusters/management/eks-managing.adoc @@ -11,7 +11,6 @@ include::../../attributes.txt[] :idseparator: - :sourcedir: . :info_doctype: chapter -:info_title: Organize and monitor cluster resources :info_titleabbrev: Cluster management This chapter includes the following topics to help you manage your cluster. You can also view information about your <> with the {aws-management-console}. diff --git a/latest/ug/clusters/management/eks-using-tags.adoc b/latest/ug/clusters/management/eks-using-tags.adoc index 59abfac9f..32ef69cd4 100644 --- a/latest/ug/clusters/management/eks-using-tags.adoc +++ b/latest/ug/clusters/management/eks-using-tags.adoc @@ -5,7 +5,6 @@ include::../../attributes.txt[] [[eks-using-tags,eks-using-tags.title]] = Organize Amazon EKS resources with tags :info_doctype: section -:info_title: Organize Amazon EKS resources with tags :info_titleabbrev: Tagging your resources :keywords: metadata, tag, resources diff --git a/latest/ug/clusters/management/helm.adoc b/latest/ug/clusters/management/helm.adoc index ee354e2bd..467bdedd9 100644 --- a/latest/ug/clusters/management/helm.adoc +++ b/latest/ug/clusters/management/helm.adoc @@ -5,7 +5,6 @@ include::../../attributes.txt[] [[helm,helm.title]] = Deploy applications with [.noloc]`Helm` on Amazon EKS :info_doctype: section -:info_title: Deploy applications with Helm on Amazon EKS :info_titleabbrev: Deploy apps with Helm [abstract] diff --git a/latest/ug/clusters/management/metrics-server.adoc b/latest/ug/clusters/management/metrics-server.adoc index c09d86dc7..7662ed856 100644 --- a/latest/ug/clusters/management/metrics-server.adoc +++ b/latest/ug/clusters/management/metrics-server.adoc @@ -5,7 +5,6 @@ include::../../attributes.txt[] [[metrics-server,metrics-server.title]] = View resource usage with the [.noloc]`Kubernetes` [.noloc]`Metrics Server` :info_doctype: section -:info_title: View resource usage with the KubernetesMetrics Server :info_titleabbrev: Metrics server [abstract] diff --git a/latest/ug/clusters/management/service-quotas.adoc b/latest/ug/clusters/management/service-quotas.adoc index c2628ee1f..7cedb4762 100644 --- a/latest/ug/clusters/management/service-quotas.adoc +++ b/latest/ug/clusters/management/service-quotas.adoc @@ -5,7 +5,6 @@ include::../../attributes.txt[] [[service-quotas,service-quotas.title]] = View and manage Amazon EKS and [.noloc]`Fargate` service quotas :info_doctype: section -:info_title: View and manage Amazon EKS and Fargate service quotas :info_titleabbrev: Service quotas [abstract] diff --git a/latest/ug/clusters/platform-versions.adoc b/latest/ug/clusters/platform-versions.adoc index 6a35ac91b..273d627e4 100644 --- a/latest/ug/clusters/platform-versions.adoc +++ b/latest/ug/clusters/platform-versions.adoc @@ -4,7 +4,6 @@ [[platform-versions,platform-versions.title]] = View Amazon EKS platform versions for each [.noloc]`Kubernetes` version :info_doctype: section -:info_title: View Amazon EKS platform versions for each Kubernetes version :info_titleabbrev: Platform versions include::../attributes.txt[] diff --git a/latest/ug/clusters/private-clusters.adoc b/latest/ug/clusters/private-clusters.adoc index 3def600f4..d065b79da 100644 --- a/latest/ug/clusters/private-clusters.adoc +++ b/latest/ug/clusters/private-clusters.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[private-clusters,private-clusters.title]] = Deploy private clusters with limited internet access :info_doctype: section -:info_title: Deploy private clusters with limited internet access :info_titleabbrev: Private clusters [abstract] diff --git a/latest/ug/clusters/update-cluster.adoc b/latest/ug/clusters/update-cluster.adoc index 66d019e4e..ae9ff6d48 100644 --- a/latest/ug/clusters/update-cluster.adoc +++ b/latest/ug/clusters/update-cluster.adoc @@ -4,7 +4,6 @@ [[update-cluster,update-cluster.title]] = Update existing cluster to new Kubernetes version :info_doctype: section -:info_title: Update existing cluster to new Kubernetes version :info_titleabbrev: Update Kubernetes version include::../attributes.txt[] diff --git a/latest/ug/clusters/windows-support.adoc b/latest/ug/clusters/windows-support.adoc index 245b794a7..13531522a 100644 --- a/latest/ug/clusters/windows-support.adoc +++ b/latest/ug/clusters/windows-support.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[windows-support,windows-support.title]] = Deploy [.noloc]`Windows` nodes on EKS clusters :info_doctype: section -:info_title: Deploy Windows nodes on EKS \ clusters :info_titleabbrev: Enable Windows support Windows containers alongside Linux containers. diff --git a/latest/ug/connector/connecting-cluster.adoc b/latest/ug/connector/connecting-cluster.adoc index f62ec6246..9eba24570 100644 --- a/latest/ug/connector/connecting-cluster.adoc +++ b/latest/ug/connector/connecting-cluster.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[connecting-cluster,connecting-cluster.title]] = Connect an external [.noloc]`Kubernetes` cluster to the Amazon EKS Management Console :info_doctype: section -:info_title: Connect an external Kubernetes cluster to the Amazon EKS Management Console :info_titleabbrev: Connect a cluster [abstract] diff --git a/latest/ug/connector/connector-grant-access.adoc b/latest/ug/connector/connector-grant-access.adoc index e3956c285..99a387793 100644 --- a/latest/ug/connector/connector-grant-access.adoc +++ b/latest/ug/connector/connector-grant-access.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[connector-grant-access,connector-grant-access.title]] = Grant access to view [.noloc]`Kubernetes` cluster resources on an Amazon EKS console :info_doctype: section -:info_title: Grant access to view Kubernetes cluster resources on an \ Amazon EKS console :info_titleabbrev: Grant access to Kubernetes clusters from {aws} console diff --git a/latest/ug/connector/deregister-connected-cluster.adoc b/latest/ug/connector/deregister-connected-cluster.adoc index f25f0a6cb..6fe44ebbd 100644 --- a/latest/ug/connector/deregister-connected-cluster.adoc +++ b/latest/ug/connector/deregister-connected-cluster.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[deregister-connected-cluster,deregister-connected-cluster.title]] = Deregister a Kubernetes cluster from the Amazon EKS console :info_doctype: section -:info_title: Deregister a Kubernetes cluster from the Amazon EKS console :info_titleabbrev: Deregister a cluster [abstract] diff --git a/latest/ug/connector/eks-connector.adoc b/latest/ug/connector/eks-connector.adoc index b7f97aa91..24b6b0806 100644 --- a/latest/ug/connector/eks-connector.adoc +++ b/latest/ug/connector/eks-connector.adoc @@ -11,7 +11,6 @@ include::../attributes.txt[] :idseparator: - :sourcedir: . :info_doctype: chapter -:info_title: Connect a Kubernetes cluster to an Amazon EKS Management Console with Amazon EKS Connector :info_titleabbrev: Amazon EKS Connector [abstract] diff --git a/latest/ug/connector/security-connector.adoc b/latest/ug/connector/security-connector.adoc index c58304952..6eee06bd5 100644 --- a/latest/ug/connector/security-connector.adoc +++ b/latest/ug/connector/security-connector.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[security-connector,security-connector.title]] = Understand security in Amazon EKS Connector :info_doctype: section -:info_title: Understand security in Amazon EKS Connector :info_titleabbrev: Security considerations customer security responsibilities for connectivity, cluster management, and IAM \ access control. diff --git a/latest/ug/connector/troubleshooting-connector.adoc b/latest/ug/connector/troubleshooting-connector.adoc index f64970779..e37c9d8d4 100644 --- a/latest/ug/connector/troubleshooting-connector.adoc +++ b/latest/ug/connector/troubleshooting-connector.adoc @@ -3,7 +3,6 @@ [[troubleshooting-connector,troubleshooting-connector.title]] = Troubleshoot Amazon EKS Connector issues :info_doctype: section -:info_title: Troubleshoot Amazon EKS Connector issues :info_titleabbrev: Troubleshoot Amazon EKS Connector include::../attributes.txt[] diff --git a/latest/ug/connector/tsc-faq.adoc b/latest/ug/connector/tsc-faq.adoc index bf9cf55d7..5c2c16e11 100644 --- a/latest/ug/connector/tsc-faq.adoc +++ b/latest/ug/connector/tsc-faq.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[tsc-faq,tsc-faq.title]] = {aws} Connector frequently asked questions :info_doctype: section -:info_title: {aws} Connector frequently asked questions :info_titleabbrev: Frequently asked questions [abstract] diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index a0b6de634..6ef799696 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -13,7 +13,6 @@ :idseparator: - :sourcedir: . :info_doctype: chapter -:info_title: Document history :keywords: document, publish, release, history, log descriptions of each update and when they occurred. diff --git a/latest/ug/getting-started/getting-started-automode.adoc b/latest/ug/getting-started/getting-started-automode.adoc index b3374ebcc..1f5894ebd 100644 --- a/latest/ug/getting-started/getting-started-automode.adoc +++ b/latest/ug/getting-started/getting-started-automode.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[getting-started-automode,getting-started-automode.title]] = Get started with Amazon EKS – EKS Auto Mode :info_doctype: section -:info_title: Get started with Amazon EKS – \ EKS Auto Mode :info_titleabbrev: Create your first cluster – EKS Auto Mode :keywords: using, Auto, getting, started, tutorial diff --git a/latest/ug/getting-started/getting-started-console.adoc b/latest/ug/getting-started/getting-started-console.adoc index 9ed820357..371d57a9a 100644 --- a/latest/ug/getting-started/getting-started-console.adoc +++ b/latest/ug/getting-started/getting-started-console.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[getting-started-console,getting-started-console.title]] = Get started with Amazon EKS – {aws-management-console} and {aws} CLI :info_doctype: section -:info_title: Get started with Amazon EKS – {aws-management-console} and \ {aws} CLI :info_titleabbrev: Create your first cluster – {aws-management-console} :keywords: using, {aws-management-console}, {aws} CLI, getting, started, tutorial diff --git a/latest/ug/getting-started/getting-started-eksctl.adoc b/latest/ug/getting-started/getting-started-eksctl.adoc index b69618b20..69d58129c 100644 --- a/latest/ug/getting-started/getting-started-eksctl.adoc +++ b/latest/ug/getting-started/getting-started-eksctl.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[getting-started-eksctl,getting-started-eksctl.title]] = Get started with Amazon EKS – `eksctl` :info_doctype: section -:info_title: Get started with Amazon EKS – \ eksctl :info_titleabbrev: Create your first cluster – eksctl :keywords: using, eksctl, getting, started, tutorial diff --git a/latest/ug/getting-started/getting-started.adoc b/latest/ug/getting-started/getting-started.adoc index a11bd7c24..83884f968 100644 --- a/latest/ug/getting-started/getting-started.adoc +++ b/latest/ug/getting-started/getting-started.adoc @@ -11,7 +11,6 @@ include::../attributes.txt[] :idseparator: - :sourcedir: . :info_doctype: chapter -:info_title: Get started with Amazon EKS :info_titleabbrev: Get started :keywords: getting, started, tutorials, quick, start diff --git a/latest/ug/getting-started/install-awscli.adoc b/latest/ug/getting-started/install-awscli.adoc index b909c911c..e01c828b1 100644 --- a/latest/ug/getting-started/install-awscli.adoc +++ b/latest/ug/getting-started/install-awscli.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[install-awscli,install-awscli.title]] = Set up {aws} CLI :info_doctype: section -:info_title: Set up {aws} CLI :info_titleabbrev: Set up {aws} CLI :keywords: setting up, setup instructions to set up the credentials with {aws} CLI. diff --git a/latest/ug/getting-started/install-kubectl.adoc b/latest/ug/getting-started/install-kubectl.adoc index dac69e02a..f92885d60 100644 --- a/latest/ug/getting-started/install-kubectl.adoc +++ b/latest/ug/getting-started/install-kubectl.adoc @@ -5,7 +5,6 @@ [[install-kubectl,install-kubectl.title]] = Set up `kubectl` and `eksctl` :info_doctype: section -:info_title: Set up kubectl and eksctl :info_titleabbrev: Set up kubectl and eksctl :keywords: install, update, kubectl to work with Kubernetes and Amazon EKS features. diff --git a/latest/ug/getting-started/learn-eks.adoc b/latest/ug/getting-started/learn-eks.adoc index a7cb044bc..fb6e41ccc 100644 --- a/latest/ug/getting-started/learn-eks.adoc +++ b/latest/ug/getting-started/learn-eks.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[learn-eks,learn-eks.title]] = Learn Amazon EKS by example :info_doctype: chapter -:info_title: Learn Amazon EKS by example :info_titleabbrev: Learn Amazon EKS :keywords: tutorial, workshop, developer, learn :sectnums: diff --git a/latest/ug/getting-started/setting-up.adoc b/latest/ug/getting-started/setting-up.adoc index 253f8f5d3..833da771b 100644 --- a/latest/ug/getting-started/setting-up.adoc +++ b/latest/ug/getting-started/setting-up.adoc @@ -11,7 +11,6 @@ include::../attributes.txt[] :idseparator: - :sourcedir: . :info_doctype: chapter -:info_title: Set up to use Amazon EKS :info_titleabbrev: Set up :keywords: setting up, setup diff --git a/latest/ug/integrations/creating-resources-with-cloudformation.adoc b/latest/ug/integrations/creating-resources-with-cloudformation.adoc index 8efc5fc6b..aa8dc69f3 100644 --- a/latest/ug/integrations/creating-resources-with-cloudformation.adoc +++ b/latest/ug/integrations/creating-resources-with-cloudformation.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[creating-resources-with-cloudformation,creating-resources-with-cloudformation.title]] = Create Amazon EKS resources with {aws} CloudFormation :info_doctype: section -:info_title: Create Amazon EKS resources with \ {aws} CloudFormation template. diff --git a/latest/ug/integrations/eks-integrations.adoc b/latest/ug/integrations/eks-integrations.adoc index 50107196f..963aa1817 100644 --- a/latest/ug/integrations/eks-integrations.adoc +++ b/latest/ug/integrations/eks-integrations.adoc @@ -11,7 +11,6 @@ include::../attributes.txt[] :idseparator: - :sourcedir: . :info_doctype: chapter -:info_title: Enhance EKS with integrated {aws} services :info_titleabbrev: Working with other services In addition to the services covered in other sections, Amazon EKS works with more {aws} services to provide additional solutions. This topic identifies some of the other services that either use Amazon EKS to add functionality, or services that Amazon EKS uses to perform tasks. diff --git a/latest/ug/integrations/integration-detective.adoc b/latest/ug/integrations/integration-detective.adoc index 9fa6df1c3..537c5fd06 100644 --- a/latest/ug/integrations/integration-detective.adoc +++ b/latest/ug/integrations/integration-detective.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[integration-detective,integration-detective.title]] = Analyze security events on EKS with Amazon Detective :info_doctype: section -:info_title: Analyze security events on EKS with Amazon Detective of security findings or suspicious activities. :keywords: Amazon Detective diff --git a/latest/ug/integrations/integration-guardduty.adoc b/latest/ug/integrations/integration-guardduty.adoc index e38d5df66..bc8a894ef 100644 --- a/latest/ug/integrations/integration-guardduty.adoc +++ b/latest/ug/integrations/integration-guardduty.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[integration-guardduty,integration-guardduty.title]] = Detect threats with Amazon GuardDuty :info_doctype: section -:info_title: Detect threats with Amazon GuardDuty Amazon GuardDuty is a threat detection service that helps protect you accounts, containers, workloads, and the data with your {aws} environment. Using machine learning (ML) models, and anomaly and threat detection capabilities, GuardDuty continuously monitors different log sources and runtime activity to identify and prioritize potential security risks and malicious activities in your environment. diff --git a/latest/ug/integrations/integration-resilience-hub.adoc b/latest/ug/integrations/integration-resilience-hub.adoc index 0d31c02bc..da2fcb324 100644 --- a/latest/ug/integrations/integration-resilience-hub.adoc +++ b/latest/ug/integrations/integration-resilience-hub.adoc @@ -5,6 +5,5 @@ include::../attributes.txt[] [[integration-resilience-hub,integration-resilience-hub.title]] = Assess EKS cluster resiliency with {aws} Resilience Hub :info_doctype: section -:info_title: Assess EKS cluster resiliency with {aws} Resilience Hub {aws} Resilience Hub assesses the resiliency of an Amazon EKS cluster by analyzing its infrastructure. {aws} Resilience Hub uses the [.noloc]`Kubernetes` role-based access control (RBAC) configuration to assess the [.noloc]`Kubernetes` workloads deployed to your cluster. For more information, see link:resilience-hub/latest/userguide/enabling-eks-in-arh.html[Enabling {aws} Resilience Hub access to your Amazon EKS cluster,type="documentation"] in the {aws} Resilience Hub User Guide. diff --git a/latest/ug/integrations/integration-securitylake.adoc b/latest/ug/integrations/integration-securitylake.adoc index d206504a7..4734aa513 100644 --- a/latest/ug/integrations/integration-securitylake.adoc +++ b/latest/ug/integrations/integration-securitylake.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[integration-securitylake,integration-securitylake.title]] = Centralize and analyze EKS security data with Security Lake :info_doctype: section -:info_title: Centralize and analyze EKS security data with Security Lake solution for collecting, storing, and analyzing security data from clusters. By \ enabling EKS control plane logging and adding EKS logs as a source in Security Lake, \ users can gain valuable insights, detect potential threats, and enhance the \ diff --git a/latest/ug/integrations/integration-vpc-lattice.adoc b/latest/ug/integrations/integration-vpc-lattice.adoc index 84bc58b1f..76e3d2cb3 100644 --- a/latest/ug/integrations/integration-vpc-lattice.adoc +++ b/latest/ug/integrations/integration-vpc-lattice.adoc @@ -5,6 +5,5 @@ include::../attributes.txt[] [[integration-vpc-lattice,integration-vpc-lattice.title]] = Enable secure cross-cluster connectivity with Amazon VPC Lattice :info_doctype: section -:info_title: Enable secure cross-cluster connectivity with Amazon VPC Lattice Amazon VPC Lattice is a fully managed application networking service built directly into the {aws} networking infrastructure that you can use to connect, secure, and monitor your services across multiple accounts and Virtual Private Clouds (VPCs). With Amazon EKS, you can leverage Amazon VPC Lattice through the use of the {aws} Gateway API Controller, an implementation of the Kubernetes https://gateway-api.sigs.k8s.io/[Gateway API]. Using Amazon VPC Lattice, you can set up cross-cluster connectivity with standard [.noloc]`Kubernetes` semantics in a simple and consistent manner. To get started using Amazon VPC Lattice with Amazon EKS see the https://www.gateway-api-controller.eks.aws.dev/[{aws} Gateway API Controller User Guide]. diff --git a/latest/ug/integrations/local-zones.adoc b/latest/ug/integrations/local-zones.adoc index 4df1cf272..c3294950c 100644 --- a/latest/ug/integrations/local-zones.adoc +++ b/latest/ug/integrations/local-zones.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[local-zones,local-zones.title]] = Launch low-latency EKS clusters with {aws} Local Zones :info_doctype: section -:info_title: Launch low-latency EKS clusters with {aws} Local Zones An link:about-aws/global-infrastructure/localzones/[{aws} Local Zone,type="marketing"] is an extension of an {aws} Region in geographic proximity to your users. Local Zones have their own connections to the internet and support link:directconnect/[{aws} Direct Connect,type="marketing"]. Resources created in a Local Zone can serve local users with low-latency communications. For more information, see the link:local-zones/latest/ug/what-is-aws-local-zones.html[{aws} Local Zones User Guide,type="documentation"] and link:AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-local-zones[Local Zones,type="documentation"] in the _Amazon EC2 User Guide_. diff --git a/latest/ug/manage-access/aws-access/service-accounts.adoc b/latest/ug/manage-access/aws-access/service-accounts.adoc index 25b1d1160..fed482c8a 100644 --- a/latest/ug/manage-access/aws-access/service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/service-accounts.adoc @@ -5,7 +5,6 @@ include::../../attributes.txt[] [[service-accounts,service-accounts.title]] = Grant Kubernetes workloads access to {aws} using [.noloc]`Kubernetes` Service Accounts :info_doctype: section -:info_title: Grant Kubernetes workloads access to {aws} using Kubernetes Service Accounts :info_titleabbrev: Grant workloads access to {aws} A [.noloc]`Kubernetes` service account provides an identity for processes that run in a [.noloc]`Pod`. For more information see https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin[Managing Service Accounts] in the [.noloc]`Kubernetes` documentation. If your [.noloc]`Pod` needs access to {aws} services, you can map the service account to an {aws} Identity and Access Management identity to grant that access. For more information, see <>. diff --git a/latest/ug/manage-access/cluster-auth.adoc b/latest/ug/manage-access/cluster-auth.adoc index d6984b2a1..63bbde1b6 100644 --- a/latest/ug/manage-access/cluster-auth.adoc +++ b/latest/ug/manage-access/cluster-auth.adoc @@ -12,7 +12,6 @@ include::../attributes.txt[] :idseparator: - :sourcedir: . :info_doctype: chapter -:info_title: Learn how access control works in Amazon EKS :info_titleabbrev: Manage access developers or external services access to Kubernetes. Second, this includes granting \ Kubernetes workloads access to {aws} services. diff --git a/latest/ug/manage-access/create-kubeconfig.adoc b/latest/ug/manage-access/create-kubeconfig.adoc index c32106d49..bf2d918af 100644 --- a/latest/ug/manage-access/create-kubeconfig.adoc +++ b/latest/ug/manage-access/create-kubeconfig.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[create-kubeconfig,create-kubeconfig.title]] = Connect [.noloc]`kubectl` to an EKS cluster by creating a [.noloc]`kubeconfig` file :info_doctype: section -:info_title: Connect kubectl to an EKS cluster by creating a kubeconfig file :info_titleabbrev: Access cluster with kubectl [abstract] diff --git a/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc b/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc index da4018941..2b699cbf2 100644 --- a/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc +++ b/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc @@ -5,7 +5,6 @@ [[grant-k8s-access,grant-k8s-access.title]] = Grant [.noloc]`IAM` users and roles access to Kubernetes [.noloc]`APIs` :info_doctype: section -:info_title: Grant IAM users and roles access to Kubernetes APIs :info_titleabbrev: Grant access to Kubernetes APIs include::../../attributes.txt[] diff --git a/latest/ug/manage-access/view-kubernetes-resources.adoc b/latest/ug/manage-access/view-kubernetes-resources.adoc index b4ef2a26a..cc551cc15 100644 --- a/latest/ug/manage-access/view-kubernetes-resources.adoc +++ b/latest/ug/manage-access/view-kubernetes-resources.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[view-kubernetes-resources,view-kubernetes-resources.title]] = View [.noloc]`Kubernetes` resources in the {aws-management-console} :info_doctype: section -:info_title: View Kubernetes resources in the {aws-management-console} :info_titleabbrev: Access cluster resources with console [abstract] diff --git a/latest/ug/ml/inferentia-support.adoc b/latest/ug/ml/inferentia-support.adoc index cc0ac8b39..5134844f7 100644 --- a/latest/ug/ml/inferentia-support.adoc +++ b/latest/ug/ml/inferentia-support.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[inferentia-support,inferentia-support.title]] = Use {aws} [.noloc]`Inferentia` instances with Amazon EKS for Machine Learning :info_doctype: section -:info_title: Use {aws} Inferentia instances with your EKS cluster for Machine Learning :info_titleabbrev: Prepare Inferentia clusters [abstract] diff --git a/latest/ug/ml/machine-learning-on-eks.adoc b/latest/ug/ml/machine-learning-on-eks.adoc index 147a1300a..0f74e8900 100644 --- a/latest/ug/ml/machine-learning-on-eks.adoc +++ b/latest/ug/ml/machine-learning-on-eks.adoc @@ -12,7 +12,6 @@ include::../attributes.txt[] :idseparator: - :sourcedir: . :info_doctype: chapter -:info_title: Machine Learning on Amazon EKS Overview :info_titleabbrev: Machine Learning on EKS :keywords: Machine Learning, Amazon EKS, Artificial Intelligence diff --git a/latest/ug/ml/ml-get-started.adoc b/latest/ug/ml/ml-get-started.adoc index 9c20f6db0..49d20cdf1 100644 --- a/latest/ug/ml/ml-get-started.adoc +++ b/latest/ug/ml/ml-get-started.adoc @@ -4,7 +4,6 @@ [[ml-get-started,ml-get-started.title]] = Get started with ML :info_doctype: section -:info_title: Get started deploying Machine Learning tools on EKS :info_titleabbrev: Get started with ML include::../attributes.txt[] diff --git a/latest/ug/ml/ml-prepare-for-cluster.adoc b/latest/ug/ml/ml-prepare-for-cluster.adoc index 94863c285..6b93b68a4 100644 --- a/latest/ug/ml/ml-prepare-for-cluster.adoc +++ b/latest/ug/ml/ml-prepare-for-cluster.adoc @@ -4,7 +4,6 @@ [[ml-prepare-for-cluster,ml-prepare-for-cluster.title]] = Prepare for ML clusters :info_doctype: section -:info_title: Prepare to create an EKS cluster for Machine Learning :info_titleabbrev: Prepare for ML include::../attributes.txt[] diff --git a/latest/ug/ml/ml-tutorials.adoc b/latest/ug/ml/ml-tutorials.adoc index e02bfde4d..ae86bacd3 100644 --- a/latest/ug/ml/ml-tutorials.adoc +++ b/latest/ug/ml/ml-tutorials.adoc @@ -4,7 +4,6 @@ [[ml-tutorials,ml-tutorials.title]] = Try tutorials for deploying Machine Learning workloads on EKS :info_doctype: section -:info_title: Try tutorials for deploying Machine Learning workloads and platforms on EKS :info_titleabbrev: Try tutorials for ML on EKS include::../attributes.txt[] diff --git a/latest/ug/ml/node-efa.adoc b/latest/ug/ml/node-efa.adoc index 64151b8d5..5138b8dc4 100644 --- a/latest/ug/ml/node-efa.adoc +++ b/latest/ug/ml/node-efa.adoc @@ -5,7 +5,6 @@ [[node-efa,node-efa.title]] = Run machine learning training on Amazon EKS with [.noloc]`Elastic Fabric Adapter` :info_doctype: section -:info_title: Add Elastic Fabric \ Adapter to EKS clusters for ML training :info_titleabbrev: Prepare training clusters with EFA learning training workloads requiring high inter-node communications at scale using \ diff --git a/latest/ug/networking/creating-a-vpc.adoc b/latest/ug/networking/creating-a-vpc.adoc index 47369edd6..82ba088d3 100644 --- a/latest/ug/networking/creating-a-vpc.adoc +++ b/latest/ug/networking/creating-a-vpc.adoc @@ -3,7 +3,6 @@ [[creating-a-vpc,creating-a-vpc.title]] = Create an Amazon VPC for your Amazon EKS cluster :info_doctype: section -:info_title: Create an Amazon VPC for your Amazon EKS cluster :info_titleabbrev: Create a VPC template. diff --git a/latest/ug/networking/network-reqs.adoc b/latest/ug/networking/network-reqs.adoc index 68c363b7a..7f26e15ef 100644 --- a/latest/ug/networking/network-reqs.adoc +++ b/latest/ug/networking/network-reqs.adoc @@ -3,7 +3,6 @@ [[network-reqs,network-reqs.title]] = View Amazon EKS networking requirements for VPC and subnets :info_doctype: section -:info_title: View Amazon EKS networking requirements for VPC and subnets :info_titleabbrev: VPC and subnet requirements requirements for creating Amazon EKS clusters with sufficient IP addresses, subnet \ types, and availability zones. Understand IP family usage by component and shared \ diff --git a/latest/ug/networking/sec-group-reqs.adoc b/latest/ug/networking/sec-group-reqs.adoc index 4269dfe33..78a9fc2c2 100644 --- a/latest/ug/networking/sec-group-reqs.adoc +++ b/latest/ug/networking/sec-group-reqs.adoc @@ -3,7 +3,6 @@ [[sec-group-reqs,sec-group-reqs.title]] = View Amazon EKS security group requirements for clusters :info_doctype: section -:info_title: View Amazon EKS security group requirements for clusters :info_titleabbrev: Security group requirements rules, restricting traffic, and required outbound access for nodes to function \ properly with your cluster. Understand key security group considerations for secure \ diff --git a/latest/ug/nodes/choosing-instance-type.adoc b/latest/ug/nodes/choosing-instance-type.adoc index b98a0c42e..5bb480d4d 100644 --- a/latest/ug/nodes/choosing-instance-type.adoc +++ b/latest/ug/nodes/choosing-instance-type.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[choosing-instance-type,choosing-instance-type.title]] = Choose an optimal Amazon EC2 node instance type :info_doctype: section -:info_title: Choose an optimal Amazon EC2 node instance type :info_titleabbrev: Amazon EC2 instance types :keywords: choose, select, instance, type, family, group, max-pods, max pods, maximum pods capabilities. diff --git a/latest/ug/nodes/eks-compute.adoc b/latest/ug/nodes/eks-compute.adoc index b1681385f..21588e48d 100644 --- a/latest/ug/nodes/eks-compute.adoc +++ b/latest/ug/nodes/eks-compute.adoc @@ -10,7 +10,6 @@ :idseparator: - :sourcedir: . :info_doctype: chapter -:info_title: Manage compute resources by using nodes :info_titleabbrev: Manage compute :keywords: nodes, node groups diff --git a/latest/ug/nodes/eks-optimized-amis.adoc b/latest/ug/nodes/eks-optimized-amis.adoc index 068124bf2..987c5daf8 100644 --- a/latest/ug/nodes/eks-optimized-amis.adoc +++ b/latest/ug/nodes/eks-optimized-amis.adoc @@ -3,7 +3,6 @@ [[eks-optimized-amis,eks-optimized-amis.title]] = Create nodes with pre-built optimized images :info_doctype: section -:info_title: Create nodes with pre-built optimized images :info_titleabbrev: Pre-built optimized AMIs :keywords: optimized, custom, AMI AMIs diff --git a/latest/ug/nodes/fargate.adoc b/latest/ug/nodes/fargate.adoc index a77c7395d..dd933ba8b 100644 --- a/latest/ug/nodes/fargate.adoc +++ b/latest/ug/nodes/fargate.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[fargate,fargate.title]] = Simplify compute management with {aws} Fargate :info_doctype: section -:info_title: Simplify compute management with {aws} Fargate :info_titleabbrev: {aws} Fargate :keywords: Fargate, nodes diff --git a/latest/ug/nodes/hybrid-nodes-add-ons.adoc b/latest/ug/nodes/hybrid-nodes-add-ons.adoc index a10cbbe5e..5804a0214 100644 --- a/latest/ug/nodes/hybrid-nodes-add-ons.adoc +++ b/latest/ug/nodes/hybrid-nodes-add-ons.adoc @@ -3,7 +3,6 @@ [[hybrid-nodes-add-ons,hybrid-nodes-add-ons.title]] = Configure add-ons for hybrid nodes :info_doctype: section -:info_title: Configure common add-ons for hybrid nodes :info_titleabbrev: Configure add-ons :keywords: add-ons for on-premises nodes, add-ons for hybrid nodes diff --git a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc index d61b31b93..7fbc19368 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc @@ -3,7 +3,6 @@ [[hybrid-nodes-cluster-create,hybrid-nodes-cluster-create.title]] = Create an Amazon EKS cluster with hybrid nodes :info_doctype: section -:info_title: Create an Amazon EKS cluster with hybrid nodes :info_titleabbrev: Create cluster :keywords: on-premises, hybrid diff --git a/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc b/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc index 80461bafa..d87b571af 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc @@ -2,7 +2,6 @@ [.topic] [[hybrid-nodes-cluster-prep,hybrid-nodes-cluster-prep.title]] = Prepare cluster access for hybrid nodes -:info_title: Prepare cluster access for hybrid nodes :info_titleabbrev: Prepare cluster access [abstract] diff --git a/latest/ug/nodes/hybrid-nodes-cni.adoc b/latest/ug/nodes/hybrid-nodes-cni.adoc index 8522c7c8f..cbe68ea0c 100644 --- a/latest/ug/nodes/hybrid-nodes-cni.adoc +++ b/latest/ug/nodes/hybrid-nodes-cni.adoc @@ -3,7 +3,6 @@ [[hybrid-nodes-cni,hybrid-nodes-cni.title]] = Configure a CNI for hybrid nodes :info_doctype: section -:info_title: Configure a CNI for hybrid nodes :info_titleabbrev: Configure CNI :keywords: on-premises CNI, hybrid CNI diff --git a/latest/ug/nodes/hybrid-nodes-join.adoc b/latest/ug/nodes/hybrid-nodes-join.adoc index 4e6ac853f..5e29ff0fd 100644 --- a/latest/ug/nodes/hybrid-nodes-join.adoc +++ b/latest/ug/nodes/hybrid-nodes-join.adoc @@ -3,7 +3,6 @@ [[hybrid-nodes-join,hybrid-nodes-join.title]] = Connect hybrid nodes :info_doctype: section -:info_title: Connect hybrid nodes to Amazon EKS cluster :info_titleabbrev: Connect hybrid nodes :keywords: on-premises, hybrid diff --git a/latest/ug/nodes/hybrid-nodes-networking.adoc b/latest/ug/nodes/hybrid-nodes-networking.adoc index b2a241c81..83b03839f 100644 --- a/latest/ug/nodes/hybrid-nodes-networking.adoc +++ b/latest/ug/nodes/hybrid-nodes-networking.adoc @@ -3,7 +3,6 @@ [[hybrid-nodes-networking,hybrid-nodes-networking.title]] = Prepare networking for hybrid nodes :info_doctype: section -:info_title: Prepare networking for hybrid nodes :info_titleabbrev: Prepare networking :keywords: on-premises, hybrid diff --git a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc index 87f1f0dbb..85d6c137c 100644 --- a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc +++ b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc @@ -3,7 +3,6 @@ [[hybrid-nodes-nodeadm,hybrid-nodes-nodeadm.title]] = Hybrid nodes `nodeadm` reference :info_doctype: section -:info_title: Hybrid nodes nodeadm reference :info_titleabbrev: Hybrid nodes nodeadm reference :keywords: on-premises, hybrid diff --git a/latest/ug/nodes/hybrid-nodes-os.adoc b/latest/ug/nodes/hybrid-nodes-os.adoc index 6db6305ec..9abbb2048 100644 --- a/latest/ug/nodes/hybrid-nodes-os.adoc +++ b/latest/ug/nodes/hybrid-nodes-os.adoc @@ -3,7 +3,6 @@ [[hybrid-nodes-os,hybrid-nodes-os.title]] = Prepare operating system for hybrid nodes :info_doctype: section -:info_title: Prepare operating system for hybrid nodes :info_titleabbrev: Prepare operating system :keywords: on-premises, hybrid diff --git a/latest/ug/nodes/hybrid-nodes-prereqs.adoc b/latest/ug/nodes/hybrid-nodes-prereqs.adoc index 1bd3677c3..5338f45b2 100644 --- a/latest/ug/nodes/hybrid-nodes-prereqs.adoc +++ b/latest/ug/nodes/hybrid-nodes-prereqs.adoc @@ -3,7 +3,6 @@ [[hybrid-nodes-prereqs,hybrid-nodes-prereqs.title]] = Prerequisite setup for hybrid nodes :info_doctype: section -:info_title: Prerequisite setup for hybrid nodes :info_titleabbrev: Prerequisites :keywords: on-premises prerequisites, hybrid prerequisites diff --git a/latest/ug/nodes/hybrid-nodes-proxy.adoc b/latest/ug/nodes/hybrid-nodes-proxy.adoc index fa4e74605..cd30ec072 100644 --- a/latest/ug/nodes/hybrid-nodes-proxy.adoc +++ b/latest/ug/nodes/hybrid-nodes-proxy.adoc @@ -3,7 +3,6 @@ [[hybrid-nodes-proxy,hybrid-nodes-proxy.title]] = Configure proxy for hybrid nodes :info_doctype: section -:info_title: Configure proxy for hybrid nodes :info_titleabbrev: Configure proxy :keywords: on-premises proxy, hybrid proxy diff --git a/latest/ug/nodes/hybrid-nodes-remove.adoc b/latest/ug/nodes/hybrid-nodes-remove.adoc index 0ada802c5..c70208dcd 100644 --- a/latest/ug/nodes/hybrid-nodes-remove.adoc +++ b/latest/ug/nodes/hybrid-nodes-remove.adoc @@ -3,7 +3,6 @@ [[hybrid-nodes-remove,hybrid-nodes-remove.title]] = Remove hybrid nodes :info_doctype: section -:info_title: Delete hybrid nodes from your EKS cluster :info_titleabbrev: Delete hybrid nodes :keywords: Delete hybrid nodes from your EKS cluster diff --git a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc index 6ed4babe0..4932914ae 100644 --- a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc +++ b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc @@ -3,7 +3,6 @@ [[hybrid-nodes-troubleshooting,hybrid-nodes-troubleshooting.title]] = Troubleshooting hybrid nodes :info_doctype: section -:info_title: Troubleshooting hybrid nodes :info_titleabbrev: Troubleshooting :keywords: on-premises, hybrid diff --git a/latest/ug/nodes/hybrid-nodes-tutorial.adoc b/latest/ug/nodes/hybrid-nodes-tutorial.adoc index a7c4b942a..7e0d3da31 100644 --- a/latest/ug/nodes/hybrid-nodes-tutorial.adoc +++ b/latest/ug/nodes/hybrid-nodes-tutorial.adoc @@ -3,7 +3,6 @@ [[hybrid-nodes-tutorial,hybrid-nodes-tutorial.title]] = Run on-premises workloads on hybrid nodes :info_doctype: section -:info_title: Run and manage hybrid nodes :info_titleabbrev: Run hybrid nodes :keywords: on-premises, hybrid diff --git a/latest/ug/nodes/hybrid-nodes-upgrade.adoc b/latest/ug/nodes/hybrid-nodes-upgrade.adoc index c1c884192..e43d06108 100644 --- a/latest/ug/nodes/hybrid-nodes-upgrade.adoc +++ b/latest/ug/nodes/hybrid-nodes-upgrade.adoc @@ -3,7 +3,6 @@ [[hybrid-nodes-upgrade,hybrid-nodes-upgrade.title]] = Upgrade hybrid nodes for your cluster :info_doctype: section -:info_title: Upgrade hybrid nodes for your cluster :info_titleabbrev: Upgrade hybrid nodes :keywords: upgrade on-premises nodes, upgrade hybrid nodes diff --git a/latest/ug/nodes/hybrid-nodes.adoc b/latest/ug/nodes/hybrid-nodes.adoc index a596610e1..8438d1d9a 100644 --- a/latest/ug/nodes/hybrid-nodes.adoc +++ b/latest/ug/nodes/hybrid-nodes.adoc @@ -3,7 +3,6 @@ [[hybrid-nodes-overview,hybrid-nodes-overview.title]] = Amazon EKS Hybrid Nodes overview :info_doctype: section -:info_title: Amazon EKS Hybrid Nodes overview :info_titleabbrev: Hybrid nodes :keywords: on-premises, hybrid diff --git a/latest/ug/nodes/managed-node-groups.adoc b/latest/ug/nodes/managed-node-groups.adoc index 33767b5e3..c19ec157f 100644 --- a/latest/ug/nodes/managed-node-groups.adoc +++ b/latest/ug/nodes/managed-node-groups.adoc @@ -3,7 +3,6 @@ [[managed-node-groups,managed-node-groups.title]] = Simplify node lifecycle with managed node groups :info_doctype: section -:info_title: Simplify node lifecycle with managed node groups :info_titleabbrev: Managed node groups :keywords: managed node group, MNG nodes (Amazon EC2 instances) for Amazon EKS Kubernetes clusters. diff --git a/latest/ug/nodes/worker.adoc b/latest/ug/nodes/worker.adoc index 8d258c791..db5e0f46f 100644 --- a/latest/ug/nodes/worker.adoc +++ b/latest/ug/nodes/worker.adoc @@ -3,7 +3,6 @@ [[worker,worker.title]] = Maintain nodes yourself with self-managed nodes :info_doctype: section -:info_title: Maintain nodes yourself with self-managed nodes :info_titleabbrev: Self-managed nodes :keywords: self-managed, node diff --git a/latest/ug/observability/control-plane-logs.adoc b/latest/ug/observability/control-plane-logs.adoc index 3b3d23029..8b7893597 100644 --- a/latest/ug/observability/control-plane-logs.adoc +++ b/latest/ug/observability/control-plane-logs.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[control-plane-logs,control-plane-logs.title]] = Send control plane logs to CloudWatch Logs :info_doctype: section -:info_title: Send control plane logs to CloudWatch Logs :info_titleabbrev: Control plane logs :keywords: control plane, logging, API, logs diff --git a/latest/ug/observability/eks-observe.adoc b/latest/ug/observability/eks-observe.adoc index 19d615d40..b54e5119b 100644 --- a/latest/ug/observability/eks-observe.adoc +++ b/latest/ug/observability/eks-observe.adoc @@ -11,7 +11,6 @@ include::../attributes.txt[] :idseparator: - :sourcedir: . :info_doctype: chapter -:info_title: Monitor your cluster performance and view logs :info_titleabbrev: Monitor clusters :keywords: observability, monitoring, logging, logs, data tools. diff --git a/latest/ug/observability/logging-using-cloudtrail.adoc b/latest/ug/observability/logging-using-cloudtrail.adoc index 1e25386f9..c73062a70 100644 --- a/latest/ug/observability/logging-using-cloudtrail.adoc +++ b/latest/ug/observability/logging-using-cloudtrail.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[logging-using-cloudtrail,logging-using-cloudtrail.title]] = Log API calls as {aws} CloudTrail events :info_doctype: section -:info_title: Log API calls as {aws} CloudTrail events :info_titleabbrev: {aws} CloudTrail :keywords: logging, API calls, {aws} CloudTrail diff --git a/latest/ug/observability/opentelemetry.adoc b/latest/ug/observability/opentelemetry.adoc index c76514a11..c335eba92 100644 --- a/latest/ug/observability/opentelemetry.adoc +++ b/latest/ug/observability/opentelemetry.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[opentelemetry,opentelemetry.title]] = Send metric and trace data with ADOT Operator :info_doctype: section -:info_title: Send metric and trace data with ADOT Operator :info_titleabbrev: ADOT Operator :keywords: ADOT applications running on Amazon EKS to send metric and trace data to multiple monitoring service \ diff --git a/latest/ug/observability/prometheus.adoc b/latest/ug/observability/prometheus.adoc index 9ac6a2f91..c735c764c 100644 --- a/latest/ug/observability/prometheus.adoc +++ b/latest/ug/observability/prometheus.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[prometheus,prometheus.title]] = Monitor your cluster metrics with [.noloc]`Prometheus` :info_doctype: section -:info_title: Monitor your cluster metrics with Prometheus :info_titleabbrev: Prometheus metrics :keywords: Prometheus, metrics, control plane that you can use it to view and analyze what your cluster is doing. diff --git a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc index f9b424aa0..faf31c14c 100644 --- a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc +++ b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[eks-outposts-self-managed-nodes,eks-outposts-self-managed-nodes.title]] = Create Amazon Linux nodes on {aws} Outposts :info_doctype: section -:info_title: Create Amazon Linux nodes on {aws} Outposts :info_titleabbrev: Nodes :keywords: launch, start, self-managed, Linux, node your Amazon EKS cluster. The cluster can be on the {aws} Cloud or on an Outpost. diff --git a/latest/ug/outposts/eks-outposts.adoc b/latest/ug/outposts/eks-outposts.adoc index 3ff1e013d..c770bccd1 100644 --- a/latest/ug/outposts/eks-outposts.adoc +++ b/latest/ug/outposts/eks-outposts.adoc @@ -11,7 +11,6 @@ include::../attributes.txt[] :idseparator: - :sourcedir: . :info_doctype: chapter -:info_title: Deploy Amazon EKS on-premises with {aws} Outposts :info_titleabbrev: Amazon EKS on {aws} Outposts :keywords: Amazon EKS, {aws} Outposts, extended clusters, local clusters diff --git a/latest/ug/quickstart.adoc b/latest/ug/quickstart.adoc index 841d034f0..a5887f015 100644 --- a/latest/ug/quickstart.adoc +++ b/latest/ug/quickstart.adoc @@ -3,7 +3,6 @@ [[quickstart,quickstart.title]] = Quickstart: Deploy a web app and store data :info_doctype: chapter -:info_title: Quickstart: Deploy a web app and store data :info_titleabbrev: Quickstart :keywords: quickstart, web, cluster diff --git a/latest/ug/related-projects.adoc b/latest/ug/related-projects.adoc index 8b559cd16..b3c749112 100644 --- a/latest/ug/related-projects.adoc +++ b/latest/ug/related-projects.adoc @@ -11,7 +11,6 @@ include::attributes.txt[] :idseparator: - :sourcedir: . :info_doctype: chapter -:info_title: Extend Amazon EKS capabilities with open source projects :info_titleabbrev: Projects related to Amazon EKS [abstract] diff --git a/latest/ug/roadmap.adoc b/latest/ug/roadmap.adoc index a6f21585b..1dddd04b0 100644 --- a/latest/ug/roadmap.adoc +++ b/latest/ug/roadmap.adoc @@ -12,7 +12,6 @@ include::attributes.txt[] :idseparator: - :sourcedir: . :info_doctype: chapter -:info_title: Learn about Amazon EKS new features and roadmap :info_titleabbrev: New features and roadmap [abstract] diff --git a/latest/ug/security/compliance.adoc b/latest/ug/security/compliance.adoc index 41afe5093..0d0bd72d3 100644 --- a/latest/ug/security/compliance.adoc +++ b/latest/ug/security/compliance.adoc @@ -3,7 +3,6 @@ [[compliance,compliance.title]] = Compliance validation for Amazon EKS clusters :info_doctype: section -:info_title: Compliance validation for Amazon EKS clusters :info_titleabbrev: Validate compliance include::../attributes.txt[] diff --git a/latest/ug/storage/csi-snapshot-controller.adoc b/latest/ug/storage/csi-snapshot-controller.adoc index 6b8ea7a68..f9b2d544e 100644 --- a/latest/ug/storage/csi-snapshot-controller.adoc +++ b/latest/ug/storage/csi-snapshot-controller.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[csi-snapshot-controller,csi-snapshot-controller.title]] = Enable snapshot functionality for CSI volumes :info_doctype: section -:info_title: Enable snapshot functionality for CSI volumes :info_titleabbrev: CSI snapshot controller :keywords: CSI, snapshot, controller snapshot functionality in compatible CSI drivers, such as the Amazon EBS CSI \ diff --git a/latest/ug/storage/ebs-csi-migration-faq.adoc b/latest/ug/storage/ebs-csi-migration-faq.adoc index 052944ee4..091f36f57 100644 --- a/latest/ug/storage/ebs-csi-migration-faq.adoc +++ b/latest/ug/storage/ebs-csi-migration-faq.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[ebs-csi-migration-faq,ebs-csi-migration-faq.title]] = Amazon EBS CSI migration frequently asked questions :info_doctype: section -:info_title: Amazon EBS CSI migration frequently asked \ questions :info_titleabbrev: EBS CSI migration FAQ :keywords: Amazon EBS CSI driver, storage, CSI migration diff --git a/latest/ug/storage/ebs-csi.adoc b/latest/ug/storage/ebs-csi.adoc index c2ff4e42c..bb4e54651 100644 --- a/latest/ug/storage/ebs-csi.adoc +++ b/latest/ug/storage/ebs-csi.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[ebs-csi,ebs-csi.title]] = Store [.noloc]`Kubernetes` volumes with Amazon EBS :info_doctype: section -:info_title: Store Kubernetes volumes with Amazon EBS :info_titleabbrev: Amazon EBS :keywords: Amazon EBS CSI driver, storage lifecycle of Amazon EBS volumes as storage for Kubernetes Volumes. diff --git a/latest/ug/storage/file-cache-csi.adoc b/latest/ug/storage/file-cache-csi.adoc index 4d75500ac..cba8d35ab 100644 --- a/latest/ug/storage/file-cache-csi.adoc +++ b/latest/ug/storage/file-cache-csi.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[file-cache-csi,file-cache-csi.title]] = Minimize latency with Amazon File Cache :info_doctype: section -:info_title: Minimize latency with Amazon File Cache :info_titleabbrev: Amazon File Cache :keywords: Amazon File Cache CSI driver, storage interface that allows Amazon EKS clusters to manage the life cycle of Amazon file \ diff --git a/latest/ug/storage/fsx-csi.adoc b/latest/ug/storage/fsx-csi.adoc index 846bfd72d..7393b82eb 100644 --- a/latest/ug/storage/fsx-csi.adoc +++ b/latest/ug/storage/fsx-csi.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[fsx-csi,fsx-csi.title]] = Store high-performance apps with FSx for Lustre :info_doctype: section -:info_title: Store high-performance apps with FSx for Lustre :info_titleabbrev: Amazon FSx for Lustre :keywords: Amazon FSx for Lustre CSI driver, storage that allows Amazon EKS clusters to manage the lifecycle of FSx for Lustre file \ diff --git a/latest/ug/storage/fsx-ontap.adoc b/latest/ug/storage/fsx-ontap.adoc index 27b9aef0d..b7746216f 100644 --- a/latest/ug/storage/fsx-ontap.adoc +++ b/latest/ug/storage/fsx-ontap.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[fsx-ontap,fsx-ontap.title]] = Store high-performance apps with FSx for NetApp ONTAP :info_doctype: section -:info_title: Store high-performance apps with FSx for NetApp ONTAP :info_titleabbrev: Amazon FSx for NetApp ONTAP :keywords: Amazon FSx for NetApp ONTAP CSI driver, storage NetApp Trident allows Amazon EKS clusters to manage the lifecycle of \ diff --git a/latest/ug/storage/fsx-openzfs-csi.adoc b/latest/ug/storage/fsx-openzfs-csi.adoc index 3b7cad7dd..e8e456a47 100644 --- a/latest/ug/storage/fsx-openzfs-csi.adoc +++ b/latest/ug/storage/fsx-openzfs-csi.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[fsx-openzfs-csi,fsx-openzfs-csi.title]] = Store data using Amazon FSx for OpenZFS :info_doctype: section -:info_title: Store data using Amazon FSx for OpenZFS :info_titleabbrev: Amazon FSx for OpenZFS :keywords: Amazon FSx for OpenZFS CSI driver, storage interface that allows Amazon EKS clusters to manage the life cycle of Amazon FSx for OpenZFS \ diff --git a/latest/ug/storage/s3-csi.adoc b/latest/ug/storage/s3-csi.adoc index 3abf5e8a5..b2bbf284c 100644 --- a/latest/ug/storage/s3-csi.adoc +++ b/latest/ug/storage/s3-csi.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[s3-csi,s3-csi.title]] = Access Amazon S3 objects with Mountpoint for Amazon S3 CSI driver :info_doctype: section -:info_title: Access Amazon S3 objects with Mountpoint for Amazon S3 CSI driver :info_titleabbrev: Mountpoint for Amazon S3 :keywords: Mountpoint for Amazon S3 CSI driver, storage CSI interface for managing Amazon S3 files and buckets. diff --git a/latest/ug/storage/storage.adoc b/latest/ug/storage/storage.adoc index a1c45264e..d66ee04af 100644 --- a/latest/ug/storage/storage.adoc +++ b/latest/ug/storage/storage.adoc @@ -11,7 +11,6 @@ include::../attributes.txt[] :idseparator: - :sourcedir: . :info_doctype: chapter -:info_title: Store application data for your cluster :info_titleabbrev: Store app data :keywords: persistent, data, app, storage diff --git a/latest/ug/troubleshooting/troubleshooting.adoc b/latest/ug/troubleshooting/troubleshooting.adoc index 50c83df78..959e8f530 100644 --- a/latest/ug/troubleshooting/troubleshooting.adoc +++ b/latest/ug/troubleshooting/troubleshooting.adoc @@ -10,7 +10,6 @@ :idseparator: - :sourcedir: . :info_doctype: chapter -:info_title: Troubleshoot problems with Amazon EKS clusters and nodes :info_titleabbrev: Troubleshooting :keywords: troubleshooting, help, FAQ to work around them. diff --git a/latest/ug/what-is/common-use-cases.adoc b/latest/ug/what-is/common-use-cases.adoc index ad6497389..7e10d6fe1 100644 --- a/latest/ug/what-is/common-use-cases.adoc +++ b/latest/ug/what-is/common-use-cases.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[common-use-cases,common-use-cases.title]] = Common use cases in Amazon EKS :info_doctype: section -:info_title: Common use cases in Amazon EKS :info_titleabbrev: Common use cases :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, use cases, summary, description diff --git a/latest/ug/what-is/eks-architecture.adoc b/latest/ug/what-is/eks-architecture.adoc index e2f0c090c..58bc7ee23 100644 --- a/latest/ug/what-is/eks-architecture.adoc +++ b/latest/ug/what-is/eks-architecture.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[eks-architecture,eks-architecture.title]] = Amazon EKS architecture :info_doctype: section -:info_title: Amazon EKS architecture :info_titleabbrev: Architecture :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, architecture, control plane, nodes, data plane diff --git a/latest/ug/what-is/eks-deployment-options.adoc b/latest/ug/what-is/eks-deployment-options.adoc index 7419467ec..2d1912462 100644 --- a/latest/ug/what-is/eks-deployment-options.adoc +++ b/latest/ug/what-is/eks-deployment-options.adoc @@ -3,7 +3,6 @@ [[eks-deployment-options,eks-deployment-options.title]] = Deploy Amazon EKS clusters across cloud and on-premises environments :info_doctype: section -:info_title: Deploy Amazon EKS clusters across cloud and on-premises environments :info_titleabbrev: Deployment options :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, deployment, options, comparison diff --git a/latest/ug/what-is/kubernetes-concepts.adoc b/latest/ug/what-is/kubernetes-concepts.adoc index a79f04349..ce43605c0 100644 --- a/latest/ug/what-is/kubernetes-concepts.adoc +++ b/latest/ug/what-is/kubernetes-concepts.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[kubernetes-concepts,kubernetes-concepts.title]] = [.noloc]`Kubernetes` concepts :info_doctype: section -:info_title: Kubernetes concepts :info_titleabbrev: Kubernetes concepts :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, architecture, control plane, nodes, data plane diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index 4815ab966..e28366c30 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -12,7 +12,6 @@ include::../attributes.txt[] :idseparator: - :sourcedir: . :info_doctype: chapter -:info_title: What is Amazon EKS? :info_titleabbrev: What is Amazon EKS? :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, about, summary, description diff --git a/latest/ug/workloads/alb-ingress.adoc b/latest/ug/workloads/alb-ingress.adoc index b95e0a718..650abeb07 100644 --- a/latest/ug/workloads/alb-ingress.adoc +++ b/latest/ug/workloads/alb-ingress.adoc @@ -3,7 +3,6 @@ [[alb-ingress,alb-ingress.title]] = Route application and [.noloc]`HTTP` traffic with [.noloc]`Application Load Balancers` :info_doctype: section -:info_title: Route application and HTTP traffic with Application Load Balancers :info_titleabbrev: Application load balancing include::../attributes.txt[] diff --git a/latest/ug/workloads/copy-image-to-repository.adoc b/latest/ug/workloads/copy-image-to-repository.adoc index 2e05fd705..d3668e9b7 100644 --- a/latest/ug/workloads/copy-image-to-repository.adoc +++ b/latest/ug/workloads/copy-image-to-repository.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[copy-image-to-repository,copy-image-to-repository.title]] = Copy a container image from one repository to another repository :info_doctype: section -:info_title: Copy a container image from one repository to \ another repository :info_titleabbrev: Copy an image to a repository diff --git a/latest/ug/workloads/eks-add-ons.adoc b/latest/ug/workloads/eks-add-ons.adoc index 8de8312a3..f511c3eb1 100644 --- a/latest/ug/workloads/eks-add-ons.adoc +++ b/latest/ug/workloads/eks-add-ons.adoc @@ -4,7 +4,6 @@ [[eks-add-ons,eks-add-ons.title]] = Amazon EKS add-ons :info_doctype: section -:info_title: Amazon EKS add-ons :info_titleabbrev: Amazon EKS add-ons :keywords: managed, add-ons, plugins diff --git a/latest/ug/workloads/eks-workloads.adoc b/latest/ug/workloads/eks-workloads.adoc index 4a7e965a2..f2a6ec351 100644 --- a/latest/ug/workloads/eks-workloads.adoc +++ b/latest/ug/workloads/eks-workloads.adoc @@ -11,7 +11,6 @@ include::../attributes.txt[] :idseparator: - :sourcedir: . :info_doctype: chapter -:info_title: Learn how to deploy workloads and add-ons to Amazon EKS :info_titleabbrev: Workloads Your workloads are deployed in containers, which are deployed in [.noloc]`Pods` in [.noloc]`Kubernetes`. A [.noloc]`Pod` includes one or more containers. Typically, one or more [.noloc]`Pods` that provide the same service are deployed in a [.noloc]`Kubernetes` service. Once you've deployed multiple [.noloc]`Pods` that provide the same service, you can: diff --git a/latest/ug/workloads/horizontal-pod-autoscaler.adoc b/latest/ug/workloads/horizontal-pod-autoscaler.adoc index 3b36a46d8..2ad34b2cf 100644 --- a/latest/ug/workloads/horizontal-pod-autoscaler.adoc +++ b/latest/ug/workloads/horizontal-pod-autoscaler.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[horizontal-pod-autoscaler,horizontal-pod-autoscaler.title]] = Scale pod deployments with [.noloc]`Horizontal Pod Autoscaler` :info_doctype: section -:info_title: Scale pod deployments with Horizontal Pod Autoscaler :info_titleabbrev: Horizontal Pod Autoscaler [abstract] diff --git a/latest/ug/workloads/image-verification.adoc b/latest/ug/workloads/image-verification.adoc index 54868bf88..d6803ae5f 100644 --- a/latest/ug/workloads/image-verification.adoc +++ b/latest/ug/workloads/image-verification.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[image-verification,image-verification.title]] = Validate container image signatures during deployment :info_doctype: section -:info_title: Validate container image signatures during deployment :info_titleabbrev: Verify container images [abstract] diff --git a/latest/ug/workloads/network-load-balancing.adoc b/latest/ug/workloads/network-load-balancing.adoc index 34f203875..3c89449a6 100644 --- a/latest/ug/workloads/network-load-balancing.adoc +++ b/latest/ug/workloads/network-load-balancing.adoc @@ -3,7 +3,6 @@ [[network-load-balancing,network-load-balancing.title]] = Route [.noloc]`TCP` and [.noloc]`UDP` traffic with [.noloc]`Network Load Balancers` :info_doctype: section -:info_title: Route TCP and UDP traffic with Network Load Balancers :info_titleabbrev: Network load balancing include::../attributes.txt[] diff --git a/latest/ug/workloads/sample-deployment-windows.adoc b/latest/ug/workloads/sample-deployment-windows.adoc index 9d595b197..e9e3af831 100644 --- a/latest/ug/workloads/sample-deployment-windows.adoc +++ b/latest/ug/workloads/sample-deployment-windows.adoc @@ -4,7 +4,6 @@ [[sample-deployment-win,sample-deployment-win.title]] = Deploy a sample application on Windows :info_doctype: section -:info_title: Deploy a sample application on Windows :info_titleabbrev: Sample application deployment (Windows) include::../attributes.txt[] diff --git a/latest/ug/workloads/sample-deployment.adoc b/latest/ug/workloads/sample-deployment.adoc index d1c011335..ec9d3e7b1 100644 --- a/latest/ug/workloads/sample-deployment.adoc +++ b/latest/ug/workloads/sample-deployment.adoc @@ -5,7 +5,6 @@ [[sample-deployment,sample-deployment.title]] = Deploy a sample application on Linux :info_doctype: section -:info_title: Deploy a sample application on Linux :info_titleabbrev: Sample application deployment (Linux) include::../attributes.txt[] diff --git a/latest/ug/workloads/vertical-pod-autoscaler.adoc b/latest/ug/workloads/vertical-pod-autoscaler.adoc index bf07a97a8..af21c6b2a 100644 --- a/latest/ug/workloads/vertical-pod-autoscaler.adoc +++ b/latest/ug/workloads/vertical-pod-autoscaler.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [[vertical-pod-autoscaler,vertical-pod-autoscaler.title]] = Adjust pod resources with [.noloc]`Vertical Pod Autoscaler` :info_doctype: section -:info_title: Adjust pod resources with Vertical Pod Autoscaler :info_titleabbrev: Vertical Pod Autoscaler [abstract] From cbaf4d6d2c375f9891f9b4d6e1c8e79933ac5012 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Thu, 23 Jan 2025 20:10:49 +0000 Subject: [PATCH 042/940] Revert "Globally removed info_title metadata which does not seem to be needed." This reverts commit e6fbc9408ceca00ac0560633df4f506ebd70400a. --- latest/ug/automode/associate-workload.adoc | 1 + latest/ug/automode/auto-elb-example.adoc | 1 + latest/ug/automode/auto-enable-existing.adoc | 1 + latest/ug/automode/auto-glossary.adoc | 1 + latest/ug/automode/auto-migrate-karpenter.adoc | 1 + latest/ug/automode/auto-migrate-mng.adoc | 1 + latest/ug/automode/auto-mng.adoc | 1 + latest/ug/automode/auto-networking.adoc | 1 + latest/ug/automode/auto-reference.adoc | 1 + latest/ug/automode/auto-troubleshoot.adoc | 1 + latest/ug/automode/auto-workloads.adoc | 1 + latest/ug/automode/automode-get-started-cli.adoc | 1 + latest/ug/automode/automode-get-started-console.adoc | 1 + latest/ug/automode/automode-get-started-eksctl.adoc | 1 + latest/ug/automode/automode-learn-instances.adoc | 1 + latest/ug/automode/automode-workload.adoc | 1 + latest/ug/automode/automode.adoc | 1 + latest/ug/automode/create-auto.adoc | 1 + latest/ug/automode/migrate-auto.adoc | 1 + latest/ug/automode/sample-storage-workload.adoc | 1 + latest/ug/automode/settings-auto.adoc | 1 + latest/ug/book.adoc | 1 + latest/ug/clusters/autoscaling.adoc | 1 + latest/ug/clusters/cluster-endpoint.adoc | 1 + latest/ug/clusters/clusters.adoc | 1 + latest/ug/clusters/create-cluster-auto.adoc | 1 + latest/ug/clusters/create-cluster.adoc | 1 + latest/ug/clusters/delete-cluster.adoc | 1 + latest/ug/clusters/disable-windows-support.adoc | 1 + latest/ug/clusters/kubernetes-versions.adoc | 1 + latest/ug/clusters/management/cost-monitoring.adoc | 1 + latest/ug/clusters/management/eks-managing.adoc | 1 + latest/ug/clusters/management/eks-using-tags.adoc | 1 + latest/ug/clusters/management/helm.adoc | 1 + latest/ug/clusters/management/metrics-server.adoc | 1 + latest/ug/clusters/management/service-quotas.adoc | 1 + latest/ug/clusters/platform-versions.adoc | 1 + latest/ug/clusters/private-clusters.adoc | 1 + latest/ug/clusters/update-cluster.adoc | 1 + latest/ug/clusters/windows-support.adoc | 1 + latest/ug/connector/connecting-cluster.adoc | 1 + latest/ug/connector/connector-grant-access.adoc | 1 + latest/ug/connector/deregister-connected-cluster.adoc | 1 + latest/ug/connector/eks-connector.adoc | 1 + latest/ug/connector/security-connector.adoc | 1 + latest/ug/connector/troubleshooting-connector.adoc | 1 + latest/ug/connector/tsc-faq.adoc | 1 + latest/ug/doc-history.adoc | 1 + latest/ug/getting-started/getting-started-automode.adoc | 1 + latest/ug/getting-started/getting-started-console.adoc | 1 + latest/ug/getting-started/getting-started-eksctl.adoc | 1 + latest/ug/getting-started/getting-started.adoc | 1 + latest/ug/getting-started/install-awscli.adoc | 1 + latest/ug/getting-started/install-kubectl.adoc | 1 + latest/ug/getting-started/learn-eks.adoc | 1 + latest/ug/getting-started/setting-up.adoc | 1 + .../ug/integrations/creating-resources-with-cloudformation.adoc | 1 + latest/ug/integrations/eks-integrations.adoc | 1 + latest/ug/integrations/integration-detective.adoc | 1 + latest/ug/integrations/integration-guardduty.adoc | 1 + latest/ug/integrations/integration-resilience-hub.adoc | 1 + latest/ug/integrations/integration-securitylake.adoc | 1 + latest/ug/integrations/integration-vpc-lattice.adoc | 1 + latest/ug/integrations/local-zones.adoc | 1 + latest/ug/manage-access/aws-access/service-accounts.adoc | 1 + latest/ug/manage-access/cluster-auth.adoc | 1 + latest/ug/manage-access/create-kubeconfig.adoc | 1 + latest/ug/manage-access/k8s-access/grant-k8s-access.adoc | 1 + latest/ug/manage-access/view-kubernetes-resources.adoc | 1 + latest/ug/ml/inferentia-support.adoc | 1 + latest/ug/ml/machine-learning-on-eks.adoc | 1 + latest/ug/ml/ml-get-started.adoc | 1 + latest/ug/ml/ml-prepare-for-cluster.adoc | 1 + latest/ug/ml/ml-tutorials.adoc | 1 + latest/ug/ml/node-efa.adoc | 1 + latest/ug/networking/creating-a-vpc.adoc | 1 + latest/ug/networking/network-reqs.adoc | 1 + latest/ug/networking/sec-group-reqs.adoc | 1 + latest/ug/nodes/choosing-instance-type.adoc | 1 + latest/ug/nodes/eks-compute.adoc | 1 + latest/ug/nodes/eks-optimized-amis.adoc | 1 + latest/ug/nodes/fargate.adoc | 1 + latest/ug/nodes/hybrid-nodes-add-ons.adoc | 1 + latest/ug/nodes/hybrid-nodes-cluster-create.adoc | 1 + latest/ug/nodes/hybrid-nodes-cluster-prep.adoc | 1 + latest/ug/nodes/hybrid-nodes-cni.adoc | 1 + latest/ug/nodes/hybrid-nodes-join.adoc | 1 + latest/ug/nodes/hybrid-nodes-networking.adoc | 1 + latest/ug/nodes/hybrid-nodes-nodeadm.adoc | 1 + latest/ug/nodes/hybrid-nodes-os.adoc | 1 + latest/ug/nodes/hybrid-nodes-prereqs.adoc | 1 + latest/ug/nodes/hybrid-nodes-proxy.adoc | 1 + latest/ug/nodes/hybrid-nodes-remove.adoc | 1 + latest/ug/nodes/hybrid-nodes-troubleshooting.adoc | 1 + latest/ug/nodes/hybrid-nodes-tutorial.adoc | 1 + latest/ug/nodes/hybrid-nodes-upgrade.adoc | 1 + latest/ug/nodes/hybrid-nodes.adoc | 1 + latest/ug/nodes/managed-node-groups.adoc | 1 + latest/ug/nodes/worker.adoc | 1 + latest/ug/observability/control-plane-logs.adoc | 1 + latest/ug/observability/eks-observe.adoc | 1 + latest/ug/observability/logging-using-cloudtrail.adoc | 1 + latest/ug/observability/opentelemetry.adoc | 1 + latest/ug/observability/prometheus.adoc | 1 + latest/ug/outposts/eks-outposts-self-managed-nodes.adoc | 1 + latest/ug/outposts/eks-outposts.adoc | 1 + latest/ug/quickstart.adoc | 1 + latest/ug/related-projects.adoc | 1 + latest/ug/roadmap.adoc | 1 + latest/ug/security/compliance.adoc | 1 + latest/ug/storage/csi-snapshot-controller.adoc | 1 + latest/ug/storage/ebs-csi-migration-faq.adoc | 1 + latest/ug/storage/ebs-csi.adoc | 1 + latest/ug/storage/file-cache-csi.adoc | 1 + latest/ug/storage/fsx-csi.adoc | 1 + latest/ug/storage/fsx-ontap.adoc | 1 + latest/ug/storage/fsx-openzfs-csi.adoc | 1 + latest/ug/storage/s3-csi.adoc | 1 + latest/ug/storage/storage.adoc | 1 + latest/ug/troubleshooting/troubleshooting.adoc | 1 + latest/ug/what-is/common-use-cases.adoc | 1 + latest/ug/what-is/eks-architecture.adoc | 1 + latest/ug/what-is/eks-deployment-options.adoc | 1 + latest/ug/what-is/kubernetes-concepts.adoc | 1 + latest/ug/what-is/what-is-eks.adoc | 1 + latest/ug/workloads/alb-ingress.adoc | 1 + latest/ug/workloads/copy-image-to-repository.adoc | 1 + latest/ug/workloads/eks-add-ons.adoc | 1 + latest/ug/workloads/eks-workloads.adoc | 1 + latest/ug/workloads/horizontal-pod-autoscaler.adoc | 1 + latest/ug/workloads/image-verification.adoc | 1 + latest/ug/workloads/network-load-balancing.adoc | 1 + latest/ug/workloads/sample-deployment-windows.adoc | 1 + latest/ug/workloads/sample-deployment.adoc | 1 + latest/ug/workloads/vertical-pod-autoscaler.adoc | 1 + 135 files changed, 135 insertions(+) diff --git a/latest/ug/automode/associate-workload.adoc b/latest/ug/automode/associate-workload.adoc index 5ea0c38d1..25c79c488 100644 --- a/latest/ug/automode/associate-workload.adoc +++ b/latest/ug/automode/associate-workload.adoc @@ -6,6 +6,7 @@ include::../attributes.txt[] [[associate-workload,associate-workload.title]] = Control if a workload is deployed on EKS Auto Mode nodes :info_doctype: section +:info_title: Control if a workload is deployed on EKS Auto Mode nodes :info_titleabbrev: Control workload deployment When running workloads in an EKS cluster with {eam}, you might need to control whether specific workloads run on {eam} nodes or other compute types. This topic describes how to use node selectors and affinity rules to ensure your workloads are scheduled on the intended compute infrastructure. diff --git a/latest/ug/automode/auto-elb-example.adoc b/latest/ug/automode/auto-elb-example.adoc index 15776ac9a..b799d0e37 100644 --- a/latest/ug/automode/auto-elb-example.adoc +++ b/latest/ug/automode/auto-elb-example.adoc @@ -4,6 +4,7 @@ [[auto-elb-example,auto-elb-example.title]] = Deploy a Sample Load Balancer Workload to EKS Auto Mode :info_doctype: section +:info_title: Deploy a sample load balancer workload to EKS Auto Mode :info_titleabbrev: Deploy load balancer workload diff --git a/latest/ug/automode/auto-enable-existing.adoc b/latest/ug/automode/auto-enable-existing.adoc index 9de38fb3e..05df23913 100644 --- a/latest/ug/automode/auto-enable-existing.adoc +++ b/latest/ug/automode/auto-enable-existing.adoc @@ -4,6 +4,7 @@ [[auto-enable-existing,auto-enable-existing.title]] = Enable EKS Auto Mode on an existing cluster :info_doctype: section +:info_title: Enable EKS Auto Mode on an existing cluster :info_titleabbrev: Enable on cluster include::../attributes.txt[] diff --git a/latest/ug/automode/auto-glossary.adoc b/latest/ug/automode/auto-glossary.adoc index 80709a7f4..b66b36069 100644 --- a/latest/ug/automode/auto-glossary.adoc +++ b/latest/ug/automode/auto-glossary.adoc @@ -3,6 +3,7 @@ [[auto-glossary,auto-glossary.title]] = Glossary :info_doctype: section +:info_title: Glossary of terms for EKS Auto Mode :info_titleabbrev: Glossary diff --git a/latest/ug/automode/auto-migrate-karpenter.adoc b/latest/ug/automode/auto-migrate-karpenter.adoc index b616a9400..5f4ac69fe 100644 --- a/latest/ug/automode/auto-migrate-karpenter.adoc +++ b/latest/ug/automode/auto-migrate-karpenter.adoc @@ -3,6 +3,7 @@ [[auto-migrate-karpenter,auto-migrate-karpenter.title]] = Migrate from Karpenter to EKS Auto Mode using kubectl :info_doctype: section +:info_title: Migrate from Karpenter to EKS Auto Mode using kubectl :info_titleabbrev: Migrate from Karpenter include::../attributes.txt[] diff --git a/latest/ug/automode/auto-migrate-mng.adoc b/latest/ug/automode/auto-migrate-mng.adoc index 96a0b5b95..caaa27c23 100644 --- a/latest/ug/automode/auto-migrate-mng.adoc +++ b/latest/ug/automode/auto-migrate-mng.adoc @@ -4,6 +4,7 @@ [[auto-migrate-mng,auto-migrate-mng.title]] = Migrate from EKS Managed Node Groups to EKS Auto Mode :info_doctype: section +:info_title: Migrate from EKS Managed Node Groups to EKS Auto Mode :info_titleabbrev: Migrate from Managed Node Groups include::../attributes.txt[] diff --git a/latest/ug/automode/auto-mng.adoc b/latest/ug/automode/auto-mng.adoc index 39c37d292..7c0407049 100644 --- a/latest/ug/automode/auto-mng.adoc +++ b/latest/ug/automode/auto-mng.adoc @@ -4,6 +4,7 @@ [[auto-mng,auto-mng.title]] = Compare EKS Auto Mode with EKS managed node groups :info_doctype: section +:info_title: Compare EKS Auto Mode with EKS managed node groups :info_titleabbrev: Compare with Managed Node Groups diff --git a/latest/ug/automode/auto-networking.adoc b/latest/ug/automode/auto-networking.adoc index 370117a39..2d585acc5 100644 --- a/latest/ug/automode/auto-networking.adoc +++ b/latest/ug/automode/auto-networking.adoc @@ -3,6 +3,7 @@ [[auto-networking,auto-networking.title]] = Learn about VPC Networking and Load Balancing in EKS Auto Mode :info_doctype: section +:info_title: Learn about VPC networking and load balancing in EKS Auto Mode :info_titleabbrev: Networking diff --git a/latest/ug/automode/auto-reference.adoc b/latest/ug/automode/auto-reference.adoc index 2f5e88977..277c091a1 100644 --- a/latest/ug/automode/auto-reference.adoc +++ b/latest/ug/automode/auto-reference.adoc @@ -9,6 +9,7 @@ include::../attributes.txt[] :idprefix: :idseparator: - :sourcedir: . +:info_title: Learn how EKS Auto Mode works :info_titleabbrev: How it works [abstract] diff --git a/latest/ug/automode/auto-troubleshoot.adoc b/latest/ug/automode/auto-troubleshoot.adoc index 7ce38a9a0..7bf491dc3 100644 --- a/latest/ug/automode/auto-troubleshoot.adoc +++ b/latest/ug/automode/auto-troubleshoot.adoc @@ -4,6 +4,7 @@ [[auto-troubleshoot,auto-troubleshoot.title]] = Troubleshoot EKS Auto Mode :info_doctype: section +:info_title: Troubleshoot EKS Auto Mode :info_titleabbrev: Troubleshoot include::../attributes.txt[] diff --git a/latest/ug/automode/auto-workloads.adoc b/latest/ug/automode/auto-workloads.adoc index 9dd4516fe..a7c1e068a 100644 --- a/latest/ug/automode/auto-workloads.adoc +++ b/latest/ug/automode/auto-workloads.adoc @@ -4,6 +4,7 @@ include::../attributes.txt[] [[auto-workloads,auto-workloads.title]] = Run sample workloads in EKS Auto Mode clusters :info_doctype: section +:info_title: Run workloads in EKS Auto Mode clusters :info_titleabbrev: Run workloads [abstract] diff --git a/latest/ug/automode/automode-get-started-cli.adoc b/latest/ug/automode/automode-get-started-cli.adoc index b2d304106..94b29d96e 100644 --- a/latest/ug/automode/automode-get-started-cli.adoc +++ b/latest/ug/automode/automode-get-started-cli.adoc @@ -7,6 +7,7 @@ include::../attributes.txt[] = Create an EKS Auto Mode Cluster with the {aws} CLI :info_doctype: section :config: configuration +:info_title: Create an EKS Auto Mode Cluster with the {aws} CLI :info_titleabbrev: {aws} CLI EKS Auto Mode Clusters automate routine cluster management tasks for compute, storage, and networking. For example, EKS Auto Mode Clusters automatically detect when additional nodes are required and provision new EC2 instances to meet workload demands. diff --git a/latest/ug/automode/automode-get-started-console.adoc b/latest/ug/automode/automode-get-started-console.adoc index 57fa8709d..789b9c96b 100644 --- a/latest/ug/automode/automode-get-started-console.adoc +++ b/latest/ug/automode/automode-get-started-console.adoc @@ -6,6 +6,7 @@ include::../attributes.txt[] [[automode-get-started-console,automode-get-started-console.title]] = Create an EKS Auto Mode Cluster with the {aws} Management Console :info_doctype: section +:info_title: Create an EKS Auto Mode Cluster with the {aws} Management Console :info_titleabbrev: Management console Creating an {eam} cluster in the {aws} Management Console requires less {config} than other options. EKS integrates with {aws} IAM and VPC Networking to help you create the resources associated with an EKS cluster. diff --git a/latest/ug/automode/automode-get-started-eksctl.adoc b/latest/ug/automode/automode-get-started-eksctl.adoc index d0ba2f5df..cd6ab8e8a 100644 --- a/latest/ug/automode/automode-get-started-eksctl.adoc +++ b/latest/ug/automode/automode-get-started-eksctl.adoc @@ -5,6 +5,7 @@ = Create an EKS Auto Mode Cluster with the eksctl CLI :info_doctype: section :config: configuration +:info_title: Create an EKS Auto Mode Cluster with the eksctl CLI :info_titleabbrev: eksctl CLI diff --git a/latest/ug/automode/automode-learn-instances.adoc b/latest/ug/automode/automode-learn-instances.adoc index 36d7cb7ed..accf312cc 100644 --- a/latest/ug/automode/automode-learn-instances.adoc +++ b/latest/ug/automode/automode-learn-instances.adoc @@ -11,6 +11,7 @@ :emi: EC2 managed instance :emi: EC2 {mi} :emng: EKS Managed Node Group +:info_title: Learn about Amazon EKS Auto Mode managed instances :info_titleabbrev: Managed instances include::../attributes.txt[] diff --git a/latest/ug/automode/automode-workload.adoc b/latest/ug/automode/automode-workload.adoc index abd5a84f3..374aedb84 100644 --- a/latest/ug/automode/automode-workload.adoc +++ b/latest/ug/automode/automode-workload.adoc @@ -4,6 +4,7 @@ [[automode-workload,automode-workload.title]] = Deploy a sample inflate workload to an Amazon EKS Auto Mode cluster :info_doctype: section +:info_title: Deploy a sample inflate workload to an Amazon EKS Auto Mode cluster :info_titleabbrev: Deploy inflate workload include::../attributes.txt[] diff --git a/latest/ug/automode/automode.adoc b/latest/ug/automode/automode.adoc index 029389ac1..718354e45 100644 --- a/latest/ug/automode/automode.adoc +++ b/latest/ug/automode/automode.adoc @@ -5,6 +5,7 @@ :info_doctype: chapter :toclevels: 2 :toc: +:info_title: Automate cluster infrastructure with EKS Auto Mode :info_titleabbrev: EKS Auto Mode [abstract] diff --git a/latest/ug/automode/create-auto.adoc b/latest/ug/automode/create-auto.adoc index 2a87e3c59..bc13bd7f7 100644 --- a/latest/ug/automode/create-auto.adoc +++ b/latest/ug/automode/create-auto.adoc @@ -9,6 +9,7 @@ include::../attributes.txt[] :idprefix: :idseparator: - :sourcedir: . +:info_title: Create cluster with EKS Auto Mode :info_titleabbrev: Create cluster :keywords: getting, started, tutorials, quick, start diff --git a/latest/ug/automode/migrate-auto.adoc b/latest/ug/automode/migrate-auto.adoc index 37f43042c..401c58a0d 100644 --- a/latest/ug/automode/migrate-auto.adoc +++ b/latest/ug/automode/migrate-auto.adoc @@ -9,6 +9,7 @@ include::../attributes.txt[] :idprefix: :idseparator: - :sourcedir: . +:info_title: Enable EKS Auto Mode on existing EKS clusters :info_titleabbrev: Enable existing clusters [abstract] diff --git a/latest/ug/automode/sample-storage-workload.adoc b/latest/ug/automode/sample-storage-workload.adoc index 2adf12a43..488ccc928 100644 --- a/latest/ug/automode/sample-storage-workload.adoc +++ b/latest/ug/automode/sample-storage-workload.adoc @@ -4,6 +4,7 @@ [[sample-storage-workload,sample-storage-workload.title]] = Deploy a sample stateful workload to EKS Auto Mode :info_doctype: section +:info_title: Deploy a sample stateful workload to EKS Auto Mode :info_titleabbrev: Deploy stateful workload include::../attributes.txt[] diff --git a/latest/ug/automode/settings-auto.adoc b/latest/ug/automode/settings-auto.adoc index 3fb47b69a..18b86ec22 100644 --- a/latest/ug/automode/settings-auto.adoc +++ b/latest/ug/automode/settings-auto.adoc @@ -9,6 +9,7 @@ include::../attributes.txt[] :idprefix: :idseparator: - :sourcedir: . +:info_title: Change EKS Auto cluster settings :info_titleabbrev: Configure [abstract] diff --git a/latest/ug/book.adoc b/latest/ug/book.adoc index 8199bfe8d..5bef37add 100644 --- a/latest/ug/book.adoc +++ b/latest/ug/book.adoc @@ -9,6 +9,7 @@ include::attributes.txt[] :idprefix: :idseparator: - :info_doctype: book +:info_title: Amazon EKS :info_subtitle: User Guide service that makes it easy for you to run Kubernetes on {aws} without needing to install and operate \ your own Kubernetes clusters. Kubernetes is an open-source system for automating the deployment, scaling, \ diff --git a/latest/ug/clusters/autoscaling.adoc b/latest/ug/clusters/autoscaling.adoc index 814ff17a1..86dc07a30 100644 --- a/latest/ug/clusters/autoscaling.adoc +++ b/latest/ug/clusters/autoscaling.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[autoscaling,autoscaling.title]] = Scale cluster compute with [.noloc]`Karpenter` and [.noloc]`Cluster Autoscaler` :info_doctype: section +:info_title: Scale cluster compute with Karpenter and Cluster Autoscaler :info_titleabbrev: Autoscaling [abstract] diff --git a/latest/ug/clusters/cluster-endpoint.adoc b/latest/ug/clusters/cluster-endpoint.adoc index 09617e57b..b3401bf7a 100644 --- a/latest/ug/clusters/cluster-endpoint.adoc +++ b/latest/ug/clusters/cluster-endpoint.adoc @@ -3,6 +3,7 @@ [[cluster-endpoint,cluster-endpoint.title]] = Control network access to cluster API server endpoint :info_doctype: section +:info_title: Control network access to cluster API server endpoint :info_titleabbrev: Configure endpoint access include::../attributes.txt[] diff --git a/latest/ug/clusters/clusters.adoc b/latest/ug/clusters/clusters.adoc index aee8ed1d3..0235a5660 100644 --- a/latest/ug/clusters/clusters.adoc +++ b/latest/ug/clusters/clusters.adoc @@ -11,6 +11,7 @@ include::../attributes.txt[] :idseparator: - :sourcedir: . :info_doctype: chapter +:info_title: Organize workloads with Amazon EKS clusters :info_titleabbrev: Clusters An Amazon EKS cluster consists of two primary components: diff --git a/latest/ug/clusters/create-cluster-auto.adoc b/latest/ug/clusters/create-cluster-auto.adoc index a8ffab697..03ddcd797 100644 --- a/latest/ug/clusters/create-cluster-auto.adoc +++ b/latest/ug/clusters/create-cluster-auto.adoc @@ -4,6 +4,7 @@ [[create-cluster-auto,create-cluster-auto.title]] = Create an Amazon EKS Auto Mode cluster :info_doctype: section +:info_title: Create an Amazon EKS Auto Mode cluster :info_titleabbrev: Create auto cluster :idprefix: id_ diff --git a/latest/ug/clusters/create-cluster.adoc b/latest/ug/clusters/create-cluster.adoc index 55ac5c74b..648eaae6c 100644 --- a/latest/ug/clusters/create-cluster.adoc +++ b/latest/ug/clusters/create-cluster.adoc @@ -4,6 +4,7 @@ [[create-cluster,create-cluster.title]] = Create an Amazon EKS cluster :info_doctype: section +:info_title: Create an Amazon EKS cluster :info_titleabbrev: Create a cluster include::../attributes.txt[] diff --git a/latest/ug/clusters/delete-cluster.adoc b/latest/ug/clusters/delete-cluster.adoc index 72154af48..10bff9c57 100644 --- a/latest/ug/clusters/delete-cluster.adoc +++ b/latest/ug/clusters/delete-cluster.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[delete-cluster,delete-cluster.title]] = Delete a cluster :info_doctype: section +:info_title: Delete a cluster :info_titleabbrev: Delete a cluster [abstract] diff --git a/latest/ug/clusters/disable-windows-support.adoc b/latest/ug/clusters/disable-windows-support.adoc index 410283586..e884af946 100644 --- a/latest/ug/clusters/disable-windows-support.adoc +++ b/latest/ug/clusters/disable-windows-support.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[disable-windows-support,disable-windows-support.title]] = Disable [.noloc]`Windows` support :info_doctype: section +:info_title: Disable Windows support . If your cluster contains Amazon Linux nodes and you use xref:security-groups-for-pods[security groups for Pods,linkend=security-groups-for-pods] with them, then skip this step. + diff --git a/latest/ug/clusters/kubernetes-versions.adoc b/latest/ug/clusters/kubernetes-versions.adoc index f908975e4..9d8e3015d 100644 --- a/latest/ug/clusters/kubernetes-versions.adoc +++ b/latest/ug/clusters/kubernetes-versions.adoc @@ -4,6 +4,7 @@ [[kubernetes-versions,kubernetes-versions.title]] = Understand the [.noloc]`Kubernetes` version lifecycle on EKS :info_doctype: section +:info_title: Understand the Kubernetes version lifecycle on EKS :info_titleabbrev: Kubernetes versions :keywords: Amazon EKS, available, Kubernetes, version, release notes support periods, allowing you to proactively update clusters with the latest \ diff --git a/latest/ug/clusters/management/cost-monitoring.adoc b/latest/ug/clusters/management/cost-monitoring.adoc index 3c4e3c412..e6e3bc43d 100644 --- a/latest/ug/clusters/management/cost-monitoring.adoc +++ b/latest/ug/clusters/management/cost-monitoring.adoc @@ -5,6 +5,7 @@ [[cost-monitoring,cost-monitoring.title]] = Monitor and optimize Amazon EKS cluster costs :info_doctype: section +:info_title: Monitor and optimize Amazon EKS cluster costs :info_titleabbrev: Cost monitoring :keywords: cost, monitoring, watch diff --git a/latest/ug/clusters/management/eks-managing.adoc b/latest/ug/clusters/management/eks-managing.adoc index 68ca5efa8..42e6db90f 100644 --- a/latest/ug/clusters/management/eks-managing.adoc +++ b/latest/ug/clusters/management/eks-managing.adoc @@ -11,6 +11,7 @@ include::../../attributes.txt[] :idseparator: - :sourcedir: . :info_doctype: chapter +:info_title: Organize and monitor cluster resources :info_titleabbrev: Cluster management This chapter includes the following topics to help you manage your cluster. You can also view information about your <> with the {aws-management-console}. diff --git a/latest/ug/clusters/management/eks-using-tags.adoc b/latest/ug/clusters/management/eks-using-tags.adoc index 32ef69cd4..59abfac9f 100644 --- a/latest/ug/clusters/management/eks-using-tags.adoc +++ b/latest/ug/clusters/management/eks-using-tags.adoc @@ -5,6 +5,7 @@ include::../../attributes.txt[] [[eks-using-tags,eks-using-tags.title]] = Organize Amazon EKS resources with tags :info_doctype: section +:info_title: Organize Amazon EKS resources with tags :info_titleabbrev: Tagging your resources :keywords: metadata, tag, resources diff --git a/latest/ug/clusters/management/helm.adoc b/latest/ug/clusters/management/helm.adoc index 467bdedd9..ee354e2bd 100644 --- a/latest/ug/clusters/management/helm.adoc +++ b/latest/ug/clusters/management/helm.adoc @@ -5,6 +5,7 @@ include::../../attributes.txt[] [[helm,helm.title]] = Deploy applications with [.noloc]`Helm` on Amazon EKS :info_doctype: section +:info_title: Deploy applications with Helm on Amazon EKS :info_titleabbrev: Deploy apps with Helm [abstract] diff --git a/latest/ug/clusters/management/metrics-server.adoc b/latest/ug/clusters/management/metrics-server.adoc index 7662ed856..c09d86dc7 100644 --- a/latest/ug/clusters/management/metrics-server.adoc +++ b/latest/ug/clusters/management/metrics-server.adoc @@ -5,6 +5,7 @@ include::../../attributes.txt[] [[metrics-server,metrics-server.title]] = View resource usage with the [.noloc]`Kubernetes` [.noloc]`Metrics Server` :info_doctype: section +:info_title: View resource usage with the KubernetesMetrics Server :info_titleabbrev: Metrics server [abstract] diff --git a/latest/ug/clusters/management/service-quotas.adoc b/latest/ug/clusters/management/service-quotas.adoc index 7cedb4762..c2628ee1f 100644 --- a/latest/ug/clusters/management/service-quotas.adoc +++ b/latest/ug/clusters/management/service-quotas.adoc @@ -5,6 +5,7 @@ include::../../attributes.txt[] [[service-quotas,service-quotas.title]] = View and manage Amazon EKS and [.noloc]`Fargate` service quotas :info_doctype: section +:info_title: View and manage Amazon EKS and Fargate service quotas :info_titleabbrev: Service quotas [abstract] diff --git a/latest/ug/clusters/platform-versions.adoc b/latest/ug/clusters/platform-versions.adoc index 273d627e4..6a35ac91b 100644 --- a/latest/ug/clusters/platform-versions.adoc +++ b/latest/ug/clusters/platform-versions.adoc @@ -4,6 +4,7 @@ [[platform-versions,platform-versions.title]] = View Amazon EKS platform versions for each [.noloc]`Kubernetes` version :info_doctype: section +:info_title: View Amazon EKS platform versions for each Kubernetes version :info_titleabbrev: Platform versions include::../attributes.txt[] diff --git a/latest/ug/clusters/private-clusters.adoc b/latest/ug/clusters/private-clusters.adoc index d065b79da..3def600f4 100644 --- a/latest/ug/clusters/private-clusters.adoc +++ b/latest/ug/clusters/private-clusters.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[private-clusters,private-clusters.title]] = Deploy private clusters with limited internet access :info_doctype: section +:info_title: Deploy private clusters with limited internet access :info_titleabbrev: Private clusters [abstract] diff --git a/latest/ug/clusters/update-cluster.adoc b/latest/ug/clusters/update-cluster.adoc index ae9ff6d48..66d019e4e 100644 --- a/latest/ug/clusters/update-cluster.adoc +++ b/latest/ug/clusters/update-cluster.adoc @@ -4,6 +4,7 @@ [[update-cluster,update-cluster.title]] = Update existing cluster to new Kubernetes version :info_doctype: section +:info_title: Update existing cluster to new Kubernetes version :info_titleabbrev: Update Kubernetes version include::../attributes.txt[] diff --git a/latest/ug/clusters/windows-support.adoc b/latest/ug/clusters/windows-support.adoc index 13531522a..245b794a7 100644 --- a/latest/ug/clusters/windows-support.adoc +++ b/latest/ug/clusters/windows-support.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[windows-support,windows-support.title]] = Deploy [.noloc]`Windows` nodes on EKS clusters :info_doctype: section +:info_title: Deploy Windows nodes on EKS \ clusters :info_titleabbrev: Enable Windows support Windows containers alongside Linux containers. diff --git a/latest/ug/connector/connecting-cluster.adoc b/latest/ug/connector/connecting-cluster.adoc index 9eba24570..f62ec6246 100644 --- a/latest/ug/connector/connecting-cluster.adoc +++ b/latest/ug/connector/connecting-cluster.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[connecting-cluster,connecting-cluster.title]] = Connect an external [.noloc]`Kubernetes` cluster to the Amazon EKS Management Console :info_doctype: section +:info_title: Connect an external Kubernetes cluster to the Amazon EKS Management Console :info_titleabbrev: Connect a cluster [abstract] diff --git a/latest/ug/connector/connector-grant-access.adoc b/latest/ug/connector/connector-grant-access.adoc index 99a387793..e3956c285 100644 --- a/latest/ug/connector/connector-grant-access.adoc +++ b/latest/ug/connector/connector-grant-access.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[connector-grant-access,connector-grant-access.title]] = Grant access to view [.noloc]`Kubernetes` cluster resources on an Amazon EKS console :info_doctype: section +:info_title: Grant access to view Kubernetes cluster resources on an \ Amazon EKS console :info_titleabbrev: Grant access to Kubernetes clusters from {aws} console diff --git a/latest/ug/connector/deregister-connected-cluster.adoc b/latest/ug/connector/deregister-connected-cluster.adoc index 6fe44ebbd..f25f0a6cb 100644 --- a/latest/ug/connector/deregister-connected-cluster.adoc +++ b/latest/ug/connector/deregister-connected-cluster.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[deregister-connected-cluster,deregister-connected-cluster.title]] = Deregister a Kubernetes cluster from the Amazon EKS console :info_doctype: section +:info_title: Deregister a Kubernetes cluster from the Amazon EKS console :info_titleabbrev: Deregister a cluster [abstract] diff --git a/latest/ug/connector/eks-connector.adoc b/latest/ug/connector/eks-connector.adoc index 24b6b0806..b7f97aa91 100644 --- a/latest/ug/connector/eks-connector.adoc +++ b/latest/ug/connector/eks-connector.adoc @@ -11,6 +11,7 @@ include::../attributes.txt[] :idseparator: - :sourcedir: . :info_doctype: chapter +:info_title: Connect a Kubernetes cluster to an Amazon EKS Management Console with Amazon EKS Connector :info_titleabbrev: Amazon EKS Connector [abstract] diff --git a/latest/ug/connector/security-connector.adoc b/latest/ug/connector/security-connector.adoc index 6eee06bd5..c58304952 100644 --- a/latest/ug/connector/security-connector.adoc +++ b/latest/ug/connector/security-connector.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[security-connector,security-connector.title]] = Understand security in Amazon EKS Connector :info_doctype: section +:info_title: Understand security in Amazon EKS Connector :info_titleabbrev: Security considerations customer security responsibilities for connectivity, cluster management, and IAM \ access control. diff --git a/latest/ug/connector/troubleshooting-connector.adoc b/latest/ug/connector/troubleshooting-connector.adoc index e37c9d8d4..f64970779 100644 --- a/latest/ug/connector/troubleshooting-connector.adoc +++ b/latest/ug/connector/troubleshooting-connector.adoc @@ -3,6 +3,7 @@ [[troubleshooting-connector,troubleshooting-connector.title]] = Troubleshoot Amazon EKS Connector issues :info_doctype: section +:info_title: Troubleshoot Amazon EKS Connector issues :info_titleabbrev: Troubleshoot Amazon EKS Connector include::../attributes.txt[] diff --git a/latest/ug/connector/tsc-faq.adoc b/latest/ug/connector/tsc-faq.adoc index 5c2c16e11..bf9cf55d7 100644 --- a/latest/ug/connector/tsc-faq.adoc +++ b/latest/ug/connector/tsc-faq.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[tsc-faq,tsc-faq.title]] = {aws} Connector frequently asked questions :info_doctype: section +:info_title: {aws} Connector frequently asked questions :info_titleabbrev: Frequently asked questions [abstract] diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index 6ef799696..a0b6de634 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -13,6 +13,7 @@ :idseparator: - :sourcedir: . :info_doctype: chapter +:info_title: Document history :keywords: document, publish, release, history, log descriptions of each update and when they occurred. diff --git a/latest/ug/getting-started/getting-started-automode.adoc b/latest/ug/getting-started/getting-started-automode.adoc index 1f5894ebd..b3374ebcc 100644 --- a/latest/ug/getting-started/getting-started-automode.adoc +++ b/latest/ug/getting-started/getting-started-automode.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[getting-started-automode,getting-started-automode.title]] = Get started with Amazon EKS – EKS Auto Mode :info_doctype: section +:info_title: Get started with Amazon EKS – \ EKS Auto Mode :info_titleabbrev: Create your first cluster – EKS Auto Mode :keywords: using, Auto, getting, started, tutorial diff --git a/latest/ug/getting-started/getting-started-console.adoc b/latest/ug/getting-started/getting-started-console.adoc index 371d57a9a..9ed820357 100644 --- a/latest/ug/getting-started/getting-started-console.adoc +++ b/latest/ug/getting-started/getting-started-console.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[getting-started-console,getting-started-console.title]] = Get started with Amazon EKS – {aws-management-console} and {aws} CLI :info_doctype: section +:info_title: Get started with Amazon EKS – {aws-management-console} and \ {aws} CLI :info_titleabbrev: Create your first cluster – {aws-management-console} :keywords: using, {aws-management-console}, {aws} CLI, getting, started, tutorial diff --git a/latest/ug/getting-started/getting-started-eksctl.adoc b/latest/ug/getting-started/getting-started-eksctl.adoc index 69d58129c..b69618b20 100644 --- a/latest/ug/getting-started/getting-started-eksctl.adoc +++ b/latest/ug/getting-started/getting-started-eksctl.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[getting-started-eksctl,getting-started-eksctl.title]] = Get started with Amazon EKS – `eksctl` :info_doctype: section +:info_title: Get started with Amazon EKS – \ eksctl :info_titleabbrev: Create your first cluster – eksctl :keywords: using, eksctl, getting, started, tutorial diff --git a/latest/ug/getting-started/getting-started.adoc b/latest/ug/getting-started/getting-started.adoc index 83884f968..a11bd7c24 100644 --- a/latest/ug/getting-started/getting-started.adoc +++ b/latest/ug/getting-started/getting-started.adoc @@ -11,6 +11,7 @@ include::../attributes.txt[] :idseparator: - :sourcedir: . :info_doctype: chapter +:info_title: Get started with Amazon EKS :info_titleabbrev: Get started :keywords: getting, started, tutorials, quick, start diff --git a/latest/ug/getting-started/install-awscli.adoc b/latest/ug/getting-started/install-awscli.adoc index e01c828b1..b909c911c 100644 --- a/latest/ug/getting-started/install-awscli.adoc +++ b/latest/ug/getting-started/install-awscli.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[install-awscli,install-awscli.title]] = Set up {aws} CLI :info_doctype: section +:info_title: Set up {aws} CLI :info_titleabbrev: Set up {aws} CLI :keywords: setting up, setup instructions to set up the credentials with {aws} CLI. diff --git a/latest/ug/getting-started/install-kubectl.adoc b/latest/ug/getting-started/install-kubectl.adoc index f92885d60..dac69e02a 100644 --- a/latest/ug/getting-started/install-kubectl.adoc +++ b/latest/ug/getting-started/install-kubectl.adoc @@ -5,6 +5,7 @@ [[install-kubectl,install-kubectl.title]] = Set up `kubectl` and `eksctl` :info_doctype: section +:info_title: Set up kubectl and eksctl :info_titleabbrev: Set up kubectl and eksctl :keywords: install, update, kubectl to work with Kubernetes and Amazon EKS features. diff --git a/latest/ug/getting-started/learn-eks.adoc b/latest/ug/getting-started/learn-eks.adoc index fb6e41ccc..a7cb044bc 100644 --- a/latest/ug/getting-started/learn-eks.adoc +++ b/latest/ug/getting-started/learn-eks.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[learn-eks,learn-eks.title]] = Learn Amazon EKS by example :info_doctype: chapter +:info_title: Learn Amazon EKS by example :info_titleabbrev: Learn Amazon EKS :keywords: tutorial, workshop, developer, learn :sectnums: diff --git a/latest/ug/getting-started/setting-up.adoc b/latest/ug/getting-started/setting-up.adoc index 833da771b..253f8f5d3 100644 --- a/latest/ug/getting-started/setting-up.adoc +++ b/latest/ug/getting-started/setting-up.adoc @@ -11,6 +11,7 @@ include::../attributes.txt[] :idseparator: - :sourcedir: . :info_doctype: chapter +:info_title: Set up to use Amazon EKS :info_titleabbrev: Set up :keywords: setting up, setup diff --git a/latest/ug/integrations/creating-resources-with-cloudformation.adoc b/latest/ug/integrations/creating-resources-with-cloudformation.adoc index aa8dc69f3..8efc5fc6b 100644 --- a/latest/ug/integrations/creating-resources-with-cloudformation.adoc +++ b/latest/ug/integrations/creating-resources-with-cloudformation.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[creating-resources-with-cloudformation,creating-resources-with-cloudformation.title]] = Create Amazon EKS resources with {aws} CloudFormation :info_doctype: section +:info_title: Create Amazon EKS resources with \ {aws} CloudFormation template. diff --git a/latest/ug/integrations/eks-integrations.adoc b/latest/ug/integrations/eks-integrations.adoc index 963aa1817..50107196f 100644 --- a/latest/ug/integrations/eks-integrations.adoc +++ b/latest/ug/integrations/eks-integrations.adoc @@ -11,6 +11,7 @@ include::../attributes.txt[] :idseparator: - :sourcedir: . :info_doctype: chapter +:info_title: Enhance EKS with integrated {aws} services :info_titleabbrev: Working with other services In addition to the services covered in other sections, Amazon EKS works with more {aws} services to provide additional solutions. This topic identifies some of the other services that either use Amazon EKS to add functionality, or services that Amazon EKS uses to perform tasks. diff --git a/latest/ug/integrations/integration-detective.adoc b/latest/ug/integrations/integration-detective.adoc index 537c5fd06..9fa6df1c3 100644 --- a/latest/ug/integrations/integration-detective.adoc +++ b/latest/ug/integrations/integration-detective.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[integration-detective,integration-detective.title]] = Analyze security events on EKS with Amazon Detective :info_doctype: section +:info_title: Analyze security events on EKS with Amazon Detective of security findings or suspicious activities. :keywords: Amazon Detective diff --git a/latest/ug/integrations/integration-guardduty.adoc b/latest/ug/integrations/integration-guardduty.adoc index bc8a894ef..e38d5df66 100644 --- a/latest/ug/integrations/integration-guardduty.adoc +++ b/latest/ug/integrations/integration-guardduty.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[integration-guardduty,integration-guardduty.title]] = Detect threats with Amazon GuardDuty :info_doctype: section +:info_title: Detect threats with Amazon GuardDuty Amazon GuardDuty is a threat detection service that helps protect you accounts, containers, workloads, and the data with your {aws} environment. Using machine learning (ML) models, and anomaly and threat detection capabilities, GuardDuty continuously monitors different log sources and runtime activity to identify and prioritize potential security risks and malicious activities in your environment. diff --git a/latest/ug/integrations/integration-resilience-hub.adoc b/latest/ug/integrations/integration-resilience-hub.adoc index da2fcb324..0d31c02bc 100644 --- a/latest/ug/integrations/integration-resilience-hub.adoc +++ b/latest/ug/integrations/integration-resilience-hub.adoc @@ -5,5 +5,6 @@ include::../attributes.txt[] [[integration-resilience-hub,integration-resilience-hub.title]] = Assess EKS cluster resiliency with {aws} Resilience Hub :info_doctype: section +:info_title: Assess EKS cluster resiliency with {aws} Resilience Hub {aws} Resilience Hub assesses the resiliency of an Amazon EKS cluster by analyzing its infrastructure. {aws} Resilience Hub uses the [.noloc]`Kubernetes` role-based access control (RBAC) configuration to assess the [.noloc]`Kubernetes` workloads deployed to your cluster. For more information, see link:resilience-hub/latest/userguide/enabling-eks-in-arh.html[Enabling {aws} Resilience Hub access to your Amazon EKS cluster,type="documentation"] in the {aws} Resilience Hub User Guide. diff --git a/latest/ug/integrations/integration-securitylake.adoc b/latest/ug/integrations/integration-securitylake.adoc index 4734aa513..d206504a7 100644 --- a/latest/ug/integrations/integration-securitylake.adoc +++ b/latest/ug/integrations/integration-securitylake.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[integration-securitylake,integration-securitylake.title]] = Centralize and analyze EKS security data with Security Lake :info_doctype: section +:info_title: Centralize and analyze EKS security data with Security Lake solution for collecting, storing, and analyzing security data from clusters. By \ enabling EKS control plane logging and adding EKS logs as a source in Security Lake, \ users can gain valuable insights, detect potential threats, and enhance the \ diff --git a/latest/ug/integrations/integration-vpc-lattice.adoc b/latest/ug/integrations/integration-vpc-lattice.adoc index 76e3d2cb3..84bc58b1f 100644 --- a/latest/ug/integrations/integration-vpc-lattice.adoc +++ b/latest/ug/integrations/integration-vpc-lattice.adoc @@ -5,5 +5,6 @@ include::../attributes.txt[] [[integration-vpc-lattice,integration-vpc-lattice.title]] = Enable secure cross-cluster connectivity with Amazon VPC Lattice :info_doctype: section +:info_title: Enable secure cross-cluster connectivity with Amazon VPC Lattice Amazon VPC Lattice is a fully managed application networking service built directly into the {aws} networking infrastructure that you can use to connect, secure, and monitor your services across multiple accounts and Virtual Private Clouds (VPCs). With Amazon EKS, you can leverage Amazon VPC Lattice through the use of the {aws} Gateway API Controller, an implementation of the Kubernetes https://gateway-api.sigs.k8s.io/[Gateway API]. Using Amazon VPC Lattice, you can set up cross-cluster connectivity with standard [.noloc]`Kubernetes` semantics in a simple and consistent manner. To get started using Amazon VPC Lattice with Amazon EKS see the https://www.gateway-api-controller.eks.aws.dev/[{aws} Gateway API Controller User Guide]. diff --git a/latest/ug/integrations/local-zones.adoc b/latest/ug/integrations/local-zones.adoc index c3294950c..4df1cf272 100644 --- a/latest/ug/integrations/local-zones.adoc +++ b/latest/ug/integrations/local-zones.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[local-zones,local-zones.title]] = Launch low-latency EKS clusters with {aws} Local Zones :info_doctype: section +:info_title: Launch low-latency EKS clusters with {aws} Local Zones An link:about-aws/global-infrastructure/localzones/[{aws} Local Zone,type="marketing"] is an extension of an {aws} Region in geographic proximity to your users. Local Zones have their own connections to the internet and support link:directconnect/[{aws} Direct Connect,type="marketing"]. Resources created in a Local Zone can serve local users with low-latency communications. For more information, see the link:local-zones/latest/ug/what-is-aws-local-zones.html[{aws} Local Zones User Guide,type="documentation"] and link:AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-local-zones[Local Zones,type="documentation"] in the _Amazon EC2 User Guide_. diff --git a/latest/ug/manage-access/aws-access/service-accounts.adoc b/latest/ug/manage-access/aws-access/service-accounts.adoc index fed482c8a..25b1d1160 100644 --- a/latest/ug/manage-access/aws-access/service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/service-accounts.adoc @@ -5,6 +5,7 @@ include::../../attributes.txt[] [[service-accounts,service-accounts.title]] = Grant Kubernetes workloads access to {aws} using [.noloc]`Kubernetes` Service Accounts :info_doctype: section +:info_title: Grant Kubernetes workloads access to {aws} using Kubernetes Service Accounts :info_titleabbrev: Grant workloads access to {aws} A [.noloc]`Kubernetes` service account provides an identity for processes that run in a [.noloc]`Pod`. For more information see https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin[Managing Service Accounts] in the [.noloc]`Kubernetes` documentation. If your [.noloc]`Pod` needs access to {aws} services, you can map the service account to an {aws} Identity and Access Management identity to grant that access. For more information, see <>. diff --git a/latest/ug/manage-access/cluster-auth.adoc b/latest/ug/manage-access/cluster-auth.adoc index 63bbde1b6..d6984b2a1 100644 --- a/latest/ug/manage-access/cluster-auth.adoc +++ b/latest/ug/manage-access/cluster-auth.adoc @@ -12,6 +12,7 @@ include::../attributes.txt[] :idseparator: - :sourcedir: . :info_doctype: chapter +:info_title: Learn how access control works in Amazon EKS :info_titleabbrev: Manage access developers or external services access to Kubernetes. Second, this includes granting \ Kubernetes workloads access to {aws} services. diff --git a/latest/ug/manage-access/create-kubeconfig.adoc b/latest/ug/manage-access/create-kubeconfig.adoc index bf2d918af..c32106d49 100644 --- a/latest/ug/manage-access/create-kubeconfig.adoc +++ b/latest/ug/manage-access/create-kubeconfig.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[create-kubeconfig,create-kubeconfig.title]] = Connect [.noloc]`kubectl` to an EKS cluster by creating a [.noloc]`kubeconfig` file :info_doctype: section +:info_title: Connect kubectl to an EKS cluster by creating a kubeconfig file :info_titleabbrev: Access cluster with kubectl [abstract] diff --git a/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc b/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc index 2b699cbf2..da4018941 100644 --- a/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc +++ b/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc @@ -5,6 +5,7 @@ [[grant-k8s-access,grant-k8s-access.title]] = Grant [.noloc]`IAM` users and roles access to Kubernetes [.noloc]`APIs` :info_doctype: section +:info_title: Grant IAM users and roles access to Kubernetes APIs :info_titleabbrev: Grant access to Kubernetes APIs include::../../attributes.txt[] diff --git a/latest/ug/manage-access/view-kubernetes-resources.adoc b/latest/ug/manage-access/view-kubernetes-resources.adoc index cc551cc15..b4ef2a26a 100644 --- a/latest/ug/manage-access/view-kubernetes-resources.adoc +++ b/latest/ug/manage-access/view-kubernetes-resources.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[view-kubernetes-resources,view-kubernetes-resources.title]] = View [.noloc]`Kubernetes` resources in the {aws-management-console} :info_doctype: section +:info_title: View Kubernetes resources in the {aws-management-console} :info_titleabbrev: Access cluster resources with console [abstract] diff --git a/latest/ug/ml/inferentia-support.adoc b/latest/ug/ml/inferentia-support.adoc index 5134844f7..cc0ac8b39 100644 --- a/latest/ug/ml/inferentia-support.adoc +++ b/latest/ug/ml/inferentia-support.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[inferentia-support,inferentia-support.title]] = Use {aws} [.noloc]`Inferentia` instances with Amazon EKS for Machine Learning :info_doctype: section +:info_title: Use {aws} Inferentia instances with your EKS cluster for Machine Learning :info_titleabbrev: Prepare Inferentia clusters [abstract] diff --git a/latest/ug/ml/machine-learning-on-eks.adoc b/latest/ug/ml/machine-learning-on-eks.adoc index 0f74e8900..147a1300a 100644 --- a/latest/ug/ml/machine-learning-on-eks.adoc +++ b/latest/ug/ml/machine-learning-on-eks.adoc @@ -12,6 +12,7 @@ include::../attributes.txt[] :idseparator: - :sourcedir: . :info_doctype: chapter +:info_title: Machine Learning on Amazon EKS Overview :info_titleabbrev: Machine Learning on EKS :keywords: Machine Learning, Amazon EKS, Artificial Intelligence diff --git a/latest/ug/ml/ml-get-started.adoc b/latest/ug/ml/ml-get-started.adoc index 49d20cdf1..9c20f6db0 100644 --- a/latest/ug/ml/ml-get-started.adoc +++ b/latest/ug/ml/ml-get-started.adoc @@ -4,6 +4,7 @@ [[ml-get-started,ml-get-started.title]] = Get started with ML :info_doctype: section +:info_title: Get started deploying Machine Learning tools on EKS :info_titleabbrev: Get started with ML include::../attributes.txt[] diff --git a/latest/ug/ml/ml-prepare-for-cluster.adoc b/latest/ug/ml/ml-prepare-for-cluster.adoc index 6b93b68a4..94863c285 100644 --- a/latest/ug/ml/ml-prepare-for-cluster.adoc +++ b/latest/ug/ml/ml-prepare-for-cluster.adoc @@ -4,6 +4,7 @@ [[ml-prepare-for-cluster,ml-prepare-for-cluster.title]] = Prepare for ML clusters :info_doctype: section +:info_title: Prepare to create an EKS cluster for Machine Learning :info_titleabbrev: Prepare for ML include::../attributes.txt[] diff --git a/latest/ug/ml/ml-tutorials.adoc b/latest/ug/ml/ml-tutorials.adoc index ae86bacd3..e02bfde4d 100644 --- a/latest/ug/ml/ml-tutorials.adoc +++ b/latest/ug/ml/ml-tutorials.adoc @@ -4,6 +4,7 @@ [[ml-tutorials,ml-tutorials.title]] = Try tutorials for deploying Machine Learning workloads on EKS :info_doctype: section +:info_title: Try tutorials for deploying Machine Learning workloads and platforms on EKS :info_titleabbrev: Try tutorials for ML on EKS include::../attributes.txt[] diff --git a/latest/ug/ml/node-efa.adoc b/latest/ug/ml/node-efa.adoc index 5138b8dc4..64151b8d5 100644 --- a/latest/ug/ml/node-efa.adoc +++ b/latest/ug/ml/node-efa.adoc @@ -5,6 +5,7 @@ [[node-efa,node-efa.title]] = Run machine learning training on Amazon EKS with [.noloc]`Elastic Fabric Adapter` :info_doctype: section +:info_title: Add Elastic Fabric \ Adapter to EKS clusters for ML training :info_titleabbrev: Prepare training clusters with EFA learning training workloads requiring high inter-node communications at scale using \ diff --git a/latest/ug/networking/creating-a-vpc.adoc b/latest/ug/networking/creating-a-vpc.adoc index 82ba088d3..47369edd6 100644 --- a/latest/ug/networking/creating-a-vpc.adoc +++ b/latest/ug/networking/creating-a-vpc.adoc @@ -3,6 +3,7 @@ [[creating-a-vpc,creating-a-vpc.title]] = Create an Amazon VPC for your Amazon EKS cluster :info_doctype: section +:info_title: Create an Amazon VPC for your Amazon EKS cluster :info_titleabbrev: Create a VPC template. diff --git a/latest/ug/networking/network-reqs.adoc b/latest/ug/networking/network-reqs.adoc index 7f26e15ef..68c363b7a 100644 --- a/latest/ug/networking/network-reqs.adoc +++ b/latest/ug/networking/network-reqs.adoc @@ -3,6 +3,7 @@ [[network-reqs,network-reqs.title]] = View Amazon EKS networking requirements for VPC and subnets :info_doctype: section +:info_title: View Amazon EKS networking requirements for VPC and subnets :info_titleabbrev: VPC and subnet requirements requirements for creating Amazon EKS clusters with sufficient IP addresses, subnet \ types, and availability zones. Understand IP family usage by component and shared \ diff --git a/latest/ug/networking/sec-group-reqs.adoc b/latest/ug/networking/sec-group-reqs.adoc index 78a9fc2c2..4269dfe33 100644 --- a/latest/ug/networking/sec-group-reqs.adoc +++ b/latest/ug/networking/sec-group-reqs.adoc @@ -3,6 +3,7 @@ [[sec-group-reqs,sec-group-reqs.title]] = View Amazon EKS security group requirements for clusters :info_doctype: section +:info_title: View Amazon EKS security group requirements for clusters :info_titleabbrev: Security group requirements rules, restricting traffic, and required outbound access for nodes to function \ properly with your cluster. Understand key security group considerations for secure \ diff --git a/latest/ug/nodes/choosing-instance-type.adoc b/latest/ug/nodes/choosing-instance-type.adoc index 5bb480d4d..b98a0c42e 100644 --- a/latest/ug/nodes/choosing-instance-type.adoc +++ b/latest/ug/nodes/choosing-instance-type.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[choosing-instance-type,choosing-instance-type.title]] = Choose an optimal Amazon EC2 node instance type :info_doctype: section +:info_title: Choose an optimal Amazon EC2 node instance type :info_titleabbrev: Amazon EC2 instance types :keywords: choose, select, instance, type, family, group, max-pods, max pods, maximum pods capabilities. diff --git a/latest/ug/nodes/eks-compute.adoc b/latest/ug/nodes/eks-compute.adoc index 21588e48d..b1681385f 100644 --- a/latest/ug/nodes/eks-compute.adoc +++ b/latest/ug/nodes/eks-compute.adoc @@ -10,6 +10,7 @@ :idseparator: - :sourcedir: . :info_doctype: chapter +:info_title: Manage compute resources by using nodes :info_titleabbrev: Manage compute :keywords: nodes, node groups diff --git a/latest/ug/nodes/eks-optimized-amis.adoc b/latest/ug/nodes/eks-optimized-amis.adoc index 987c5daf8..068124bf2 100644 --- a/latest/ug/nodes/eks-optimized-amis.adoc +++ b/latest/ug/nodes/eks-optimized-amis.adoc @@ -3,6 +3,7 @@ [[eks-optimized-amis,eks-optimized-amis.title]] = Create nodes with pre-built optimized images :info_doctype: section +:info_title: Create nodes with pre-built optimized images :info_titleabbrev: Pre-built optimized AMIs :keywords: optimized, custom, AMI AMIs diff --git a/latest/ug/nodes/fargate.adoc b/latest/ug/nodes/fargate.adoc index dd933ba8b..a77c7395d 100644 --- a/latest/ug/nodes/fargate.adoc +++ b/latest/ug/nodes/fargate.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[fargate,fargate.title]] = Simplify compute management with {aws} Fargate :info_doctype: section +:info_title: Simplify compute management with {aws} Fargate :info_titleabbrev: {aws} Fargate :keywords: Fargate, nodes diff --git a/latest/ug/nodes/hybrid-nodes-add-ons.adoc b/latest/ug/nodes/hybrid-nodes-add-ons.adoc index 5804a0214..a10cbbe5e 100644 --- a/latest/ug/nodes/hybrid-nodes-add-ons.adoc +++ b/latest/ug/nodes/hybrid-nodes-add-ons.adoc @@ -3,6 +3,7 @@ [[hybrid-nodes-add-ons,hybrid-nodes-add-ons.title]] = Configure add-ons for hybrid nodes :info_doctype: section +:info_title: Configure common add-ons for hybrid nodes :info_titleabbrev: Configure add-ons :keywords: add-ons for on-premises nodes, add-ons for hybrid nodes diff --git a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc index 7fbc19368..d61b31b93 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc @@ -3,6 +3,7 @@ [[hybrid-nodes-cluster-create,hybrid-nodes-cluster-create.title]] = Create an Amazon EKS cluster with hybrid nodes :info_doctype: section +:info_title: Create an Amazon EKS cluster with hybrid nodes :info_titleabbrev: Create cluster :keywords: on-premises, hybrid diff --git a/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc b/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc index d87b571af..80461bafa 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc @@ -2,6 +2,7 @@ [.topic] [[hybrid-nodes-cluster-prep,hybrid-nodes-cluster-prep.title]] = Prepare cluster access for hybrid nodes +:info_title: Prepare cluster access for hybrid nodes :info_titleabbrev: Prepare cluster access [abstract] diff --git a/latest/ug/nodes/hybrid-nodes-cni.adoc b/latest/ug/nodes/hybrid-nodes-cni.adoc index cbe68ea0c..8522c7c8f 100644 --- a/latest/ug/nodes/hybrid-nodes-cni.adoc +++ b/latest/ug/nodes/hybrid-nodes-cni.adoc @@ -3,6 +3,7 @@ [[hybrid-nodes-cni,hybrid-nodes-cni.title]] = Configure a CNI for hybrid nodes :info_doctype: section +:info_title: Configure a CNI for hybrid nodes :info_titleabbrev: Configure CNI :keywords: on-premises CNI, hybrid CNI diff --git a/latest/ug/nodes/hybrid-nodes-join.adoc b/latest/ug/nodes/hybrid-nodes-join.adoc index 5e29ff0fd..4e6ac853f 100644 --- a/latest/ug/nodes/hybrid-nodes-join.adoc +++ b/latest/ug/nodes/hybrid-nodes-join.adoc @@ -3,6 +3,7 @@ [[hybrid-nodes-join,hybrid-nodes-join.title]] = Connect hybrid nodes :info_doctype: section +:info_title: Connect hybrid nodes to Amazon EKS cluster :info_titleabbrev: Connect hybrid nodes :keywords: on-premises, hybrid diff --git a/latest/ug/nodes/hybrid-nodes-networking.adoc b/latest/ug/nodes/hybrid-nodes-networking.adoc index 83b03839f..b2a241c81 100644 --- a/latest/ug/nodes/hybrid-nodes-networking.adoc +++ b/latest/ug/nodes/hybrid-nodes-networking.adoc @@ -3,6 +3,7 @@ [[hybrid-nodes-networking,hybrid-nodes-networking.title]] = Prepare networking for hybrid nodes :info_doctype: section +:info_title: Prepare networking for hybrid nodes :info_titleabbrev: Prepare networking :keywords: on-premises, hybrid diff --git a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc index 85d6c137c..87f1f0dbb 100644 --- a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc +++ b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc @@ -3,6 +3,7 @@ [[hybrid-nodes-nodeadm,hybrid-nodes-nodeadm.title]] = Hybrid nodes `nodeadm` reference :info_doctype: section +:info_title: Hybrid nodes nodeadm reference :info_titleabbrev: Hybrid nodes nodeadm reference :keywords: on-premises, hybrid diff --git a/latest/ug/nodes/hybrid-nodes-os.adoc b/latest/ug/nodes/hybrid-nodes-os.adoc index 9abbb2048..6db6305ec 100644 --- a/latest/ug/nodes/hybrid-nodes-os.adoc +++ b/latest/ug/nodes/hybrid-nodes-os.adoc @@ -3,6 +3,7 @@ [[hybrid-nodes-os,hybrid-nodes-os.title]] = Prepare operating system for hybrid nodes :info_doctype: section +:info_title: Prepare operating system for hybrid nodes :info_titleabbrev: Prepare operating system :keywords: on-premises, hybrid diff --git a/latest/ug/nodes/hybrid-nodes-prereqs.adoc b/latest/ug/nodes/hybrid-nodes-prereqs.adoc index 5338f45b2..1bd3677c3 100644 --- a/latest/ug/nodes/hybrid-nodes-prereqs.adoc +++ b/latest/ug/nodes/hybrid-nodes-prereqs.adoc @@ -3,6 +3,7 @@ [[hybrid-nodes-prereqs,hybrid-nodes-prereqs.title]] = Prerequisite setup for hybrid nodes :info_doctype: section +:info_title: Prerequisite setup for hybrid nodes :info_titleabbrev: Prerequisites :keywords: on-premises prerequisites, hybrid prerequisites diff --git a/latest/ug/nodes/hybrid-nodes-proxy.adoc b/latest/ug/nodes/hybrid-nodes-proxy.adoc index cd30ec072..fa4e74605 100644 --- a/latest/ug/nodes/hybrid-nodes-proxy.adoc +++ b/latest/ug/nodes/hybrid-nodes-proxy.adoc @@ -3,6 +3,7 @@ [[hybrid-nodes-proxy,hybrid-nodes-proxy.title]] = Configure proxy for hybrid nodes :info_doctype: section +:info_title: Configure proxy for hybrid nodes :info_titleabbrev: Configure proxy :keywords: on-premises proxy, hybrid proxy diff --git a/latest/ug/nodes/hybrid-nodes-remove.adoc b/latest/ug/nodes/hybrid-nodes-remove.adoc index c70208dcd..0ada802c5 100644 --- a/latest/ug/nodes/hybrid-nodes-remove.adoc +++ b/latest/ug/nodes/hybrid-nodes-remove.adoc @@ -3,6 +3,7 @@ [[hybrid-nodes-remove,hybrid-nodes-remove.title]] = Remove hybrid nodes :info_doctype: section +:info_title: Delete hybrid nodes from your EKS cluster :info_titleabbrev: Delete hybrid nodes :keywords: Delete hybrid nodes from your EKS cluster diff --git a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc index 4932914ae..6ed4babe0 100644 --- a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc +++ b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc @@ -3,6 +3,7 @@ [[hybrid-nodes-troubleshooting,hybrid-nodes-troubleshooting.title]] = Troubleshooting hybrid nodes :info_doctype: section +:info_title: Troubleshooting hybrid nodes :info_titleabbrev: Troubleshooting :keywords: on-premises, hybrid diff --git a/latest/ug/nodes/hybrid-nodes-tutorial.adoc b/latest/ug/nodes/hybrid-nodes-tutorial.adoc index 7e0d3da31..a7c4b942a 100644 --- a/latest/ug/nodes/hybrid-nodes-tutorial.adoc +++ b/latest/ug/nodes/hybrid-nodes-tutorial.adoc @@ -3,6 +3,7 @@ [[hybrid-nodes-tutorial,hybrid-nodes-tutorial.title]] = Run on-premises workloads on hybrid nodes :info_doctype: section +:info_title: Run and manage hybrid nodes :info_titleabbrev: Run hybrid nodes :keywords: on-premises, hybrid diff --git a/latest/ug/nodes/hybrid-nodes-upgrade.adoc b/latest/ug/nodes/hybrid-nodes-upgrade.adoc index e43d06108..c1c884192 100644 --- a/latest/ug/nodes/hybrid-nodes-upgrade.adoc +++ b/latest/ug/nodes/hybrid-nodes-upgrade.adoc @@ -3,6 +3,7 @@ [[hybrid-nodes-upgrade,hybrid-nodes-upgrade.title]] = Upgrade hybrid nodes for your cluster :info_doctype: section +:info_title: Upgrade hybrid nodes for your cluster :info_titleabbrev: Upgrade hybrid nodes :keywords: upgrade on-premises nodes, upgrade hybrid nodes diff --git a/latest/ug/nodes/hybrid-nodes.adoc b/latest/ug/nodes/hybrid-nodes.adoc index 8438d1d9a..a596610e1 100644 --- a/latest/ug/nodes/hybrid-nodes.adoc +++ b/latest/ug/nodes/hybrid-nodes.adoc @@ -3,6 +3,7 @@ [[hybrid-nodes-overview,hybrid-nodes-overview.title]] = Amazon EKS Hybrid Nodes overview :info_doctype: section +:info_title: Amazon EKS Hybrid Nodes overview :info_titleabbrev: Hybrid nodes :keywords: on-premises, hybrid diff --git a/latest/ug/nodes/managed-node-groups.adoc b/latest/ug/nodes/managed-node-groups.adoc index c19ec157f..33767b5e3 100644 --- a/latest/ug/nodes/managed-node-groups.adoc +++ b/latest/ug/nodes/managed-node-groups.adoc @@ -3,6 +3,7 @@ [[managed-node-groups,managed-node-groups.title]] = Simplify node lifecycle with managed node groups :info_doctype: section +:info_title: Simplify node lifecycle with managed node groups :info_titleabbrev: Managed node groups :keywords: managed node group, MNG nodes (Amazon EC2 instances) for Amazon EKS Kubernetes clusters. diff --git a/latest/ug/nodes/worker.adoc b/latest/ug/nodes/worker.adoc index db5e0f46f..8d258c791 100644 --- a/latest/ug/nodes/worker.adoc +++ b/latest/ug/nodes/worker.adoc @@ -3,6 +3,7 @@ [[worker,worker.title]] = Maintain nodes yourself with self-managed nodes :info_doctype: section +:info_title: Maintain nodes yourself with self-managed nodes :info_titleabbrev: Self-managed nodes :keywords: self-managed, node diff --git a/latest/ug/observability/control-plane-logs.adoc b/latest/ug/observability/control-plane-logs.adoc index 8b7893597..3b3d23029 100644 --- a/latest/ug/observability/control-plane-logs.adoc +++ b/latest/ug/observability/control-plane-logs.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[control-plane-logs,control-plane-logs.title]] = Send control plane logs to CloudWatch Logs :info_doctype: section +:info_title: Send control plane logs to CloudWatch Logs :info_titleabbrev: Control plane logs :keywords: control plane, logging, API, logs diff --git a/latest/ug/observability/eks-observe.adoc b/latest/ug/observability/eks-observe.adoc index b54e5119b..19d615d40 100644 --- a/latest/ug/observability/eks-observe.adoc +++ b/latest/ug/observability/eks-observe.adoc @@ -11,6 +11,7 @@ include::../attributes.txt[] :idseparator: - :sourcedir: . :info_doctype: chapter +:info_title: Monitor your cluster performance and view logs :info_titleabbrev: Monitor clusters :keywords: observability, monitoring, logging, logs, data tools. diff --git a/latest/ug/observability/logging-using-cloudtrail.adoc b/latest/ug/observability/logging-using-cloudtrail.adoc index c73062a70..1e25386f9 100644 --- a/latest/ug/observability/logging-using-cloudtrail.adoc +++ b/latest/ug/observability/logging-using-cloudtrail.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[logging-using-cloudtrail,logging-using-cloudtrail.title]] = Log API calls as {aws} CloudTrail events :info_doctype: section +:info_title: Log API calls as {aws} CloudTrail events :info_titleabbrev: {aws} CloudTrail :keywords: logging, API calls, {aws} CloudTrail diff --git a/latest/ug/observability/opentelemetry.adoc b/latest/ug/observability/opentelemetry.adoc index c335eba92..c76514a11 100644 --- a/latest/ug/observability/opentelemetry.adoc +++ b/latest/ug/observability/opentelemetry.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[opentelemetry,opentelemetry.title]] = Send metric and trace data with ADOT Operator :info_doctype: section +:info_title: Send metric and trace data with ADOT Operator :info_titleabbrev: ADOT Operator :keywords: ADOT applications running on Amazon EKS to send metric and trace data to multiple monitoring service \ diff --git a/latest/ug/observability/prometheus.adoc b/latest/ug/observability/prometheus.adoc index c735c764c..9ac6a2f91 100644 --- a/latest/ug/observability/prometheus.adoc +++ b/latest/ug/observability/prometheus.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[prometheus,prometheus.title]] = Monitor your cluster metrics with [.noloc]`Prometheus` :info_doctype: section +:info_title: Monitor your cluster metrics with Prometheus :info_titleabbrev: Prometheus metrics :keywords: Prometheus, metrics, control plane that you can use it to view and analyze what your cluster is doing. diff --git a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc index faf31c14c..f9b424aa0 100644 --- a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc +++ b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[eks-outposts-self-managed-nodes,eks-outposts-self-managed-nodes.title]] = Create Amazon Linux nodes on {aws} Outposts :info_doctype: section +:info_title: Create Amazon Linux nodes on {aws} Outposts :info_titleabbrev: Nodes :keywords: launch, start, self-managed, Linux, node your Amazon EKS cluster. The cluster can be on the {aws} Cloud or on an Outpost. diff --git a/latest/ug/outposts/eks-outposts.adoc b/latest/ug/outposts/eks-outposts.adoc index c770bccd1..3ff1e013d 100644 --- a/latest/ug/outposts/eks-outposts.adoc +++ b/latest/ug/outposts/eks-outposts.adoc @@ -11,6 +11,7 @@ include::../attributes.txt[] :idseparator: - :sourcedir: . :info_doctype: chapter +:info_title: Deploy Amazon EKS on-premises with {aws} Outposts :info_titleabbrev: Amazon EKS on {aws} Outposts :keywords: Amazon EKS, {aws} Outposts, extended clusters, local clusters diff --git a/latest/ug/quickstart.adoc b/latest/ug/quickstart.adoc index a5887f015..841d034f0 100644 --- a/latest/ug/quickstart.adoc +++ b/latest/ug/quickstart.adoc @@ -3,6 +3,7 @@ [[quickstart,quickstart.title]] = Quickstart: Deploy a web app and store data :info_doctype: chapter +:info_title: Quickstart: Deploy a web app and store data :info_titleabbrev: Quickstart :keywords: quickstart, web, cluster diff --git a/latest/ug/related-projects.adoc b/latest/ug/related-projects.adoc index b3c749112..8b559cd16 100644 --- a/latest/ug/related-projects.adoc +++ b/latest/ug/related-projects.adoc @@ -11,6 +11,7 @@ include::attributes.txt[] :idseparator: - :sourcedir: . :info_doctype: chapter +:info_title: Extend Amazon EKS capabilities with open source projects :info_titleabbrev: Projects related to Amazon EKS [abstract] diff --git a/latest/ug/roadmap.adoc b/latest/ug/roadmap.adoc index 1dddd04b0..a6f21585b 100644 --- a/latest/ug/roadmap.adoc +++ b/latest/ug/roadmap.adoc @@ -12,6 +12,7 @@ include::attributes.txt[] :idseparator: - :sourcedir: . :info_doctype: chapter +:info_title: Learn about Amazon EKS new features and roadmap :info_titleabbrev: New features and roadmap [abstract] diff --git a/latest/ug/security/compliance.adoc b/latest/ug/security/compliance.adoc index 0d0bd72d3..41afe5093 100644 --- a/latest/ug/security/compliance.adoc +++ b/latest/ug/security/compliance.adoc @@ -3,6 +3,7 @@ [[compliance,compliance.title]] = Compliance validation for Amazon EKS clusters :info_doctype: section +:info_title: Compliance validation for Amazon EKS clusters :info_titleabbrev: Validate compliance include::../attributes.txt[] diff --git a/latest/ug/storage/csi-snapshot-controller.adoc b/latest/ug/storage/csi-snapshot-controller.adoc index f9b2d544e..6b8ea7a68 100644 --- a/latest/ug/storage/csi-snapshot-controller.adoc +++ b/latest/ug/storage/csi-snapshot-controller.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[csi-snapshot-controller,csi-snapshot-controller.title]] = Enable snapshot functionality for CSI volumes :info_doctype: section +:info_title: Enable snapshot functionality for CSI volumes :info_titleabbrev: CSI snapshot controller :keywords: CSI, snapshot, controller snapshot functionality in compatible CSI drivers, such as the Amazon EBS CSI \ diff --git a/latest/ug/storage/ebs-csi-migration-faq.adoc b/latest/ug/storage/ebs-csi-migration-faq.adoc index 091f36f57..052944ee4 100644 --- a/latest/ug/storage/ebs-csi-migration-faq.adoc +++ b/latest/ug/storage/ebs-csi-migration-faq.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[ebs-csi-migration-faq,ebs-csi-migration-faq.title]] = Amazon EBS CSI migration frequently asked questions :info_doctype: section +:info_title: Amazon EBS CSI migration frequently asked \ questions :info_titleabbrev: EBS CSI migration FAQ :keywords: Amazon EBS CSI driver, storage, CSI migration diff --git a/latest/ug/storage/ebs-csi.adoc b/latest/ug/storage/ebs-csi.adoc index bb4e54651..c2ff4e42c 100644 --- a/latest/ug/storage/ebs-csi.adoc +++ b/latest/ug/storage/ebs-csi.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[ebs-csi,ebs-csi.title]] = Store [.noloc]`Kubernetes` volumes with Amazon EBS :info_doctype: section +:info_title: Store Kubernetes volumes with Amazon EBS :info_titleabbrev: Amazon EBS :keywords: Amazon EBS CSI driver, storage lifecycle of Amazon EBS volumes as storage for Kubernetes Volumes. diff --git a/latest/ug/storage/file-cache-csi.adoc b/latest/ug/storage/file-cache-csi.adoc index cba8d35ab..4d75500ac 100644 --- a/latest/ug/storage/file-cache-csi.adoc +++ b/latest/ug/storage/file-cache-csi.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[file-cache-csi,file-cache-csi.title]] = Minimize latency with Amazon File Cache :info_doctype: section +:info_title: Minimize latency with Amazon File Cache :info_titleabbrev: Amazon File Cache :keywords: Amazon File Cache CSI driver, storage interface that allows Amazon EKS clusters to manage the life cycle of Amazon file \ diff --git a/latest/ug/storage/fsx-csi.adoc b/latest/ug/storage/fsx-csi.adoc index 7393b82eb..846bfd72d 100644 --- a/latest/ug/storage/fsx-csi.adoc +++ b/latest/ug/storage/fsx-csi.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[fsx-csi,fsx-csi.title]] = Store high-performance apps with FSx for Lustre :info_doctype: section +:info_title: Store high-performance apps with FSx for Lustre :info_titleabbrev: Amazon FSx for Lustre :keywords: Amazon FSx for Lustre CSI driver, storage that allows Amazon EKS clusters to manage the lifecycle of FSx for Lustre file \ diff --git a/latest/ug/storage/fsx-ontap.adoc b/latest/ug/storage/fsx-ontap.adoc index b7746216f..27b9aef0d 100644 --- a/latest/ug/storage/fsx-ontap.adoc +++ b/latest/ug/storage/fsx-ontap.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[fsx-ontap,fsx-ontap.title]] = Store high-performance apps with FSx for NetApp ONTAP :info_doctype: section +:info_title: Store high-performance apps with FSx for NetApp ONTAP :info_titleabbrev: Amazon FSx for NetApp ONTAP :keywords: Amazon FSx for NetApp ONTAP CSI driver, storage NetApp Trident allows Amazon EKS clusters to manage the lifecycle of \ diff --git a/latest/ug/storage/fsx-openzfs-csi.adoc b/latest/ug/storage/fsx-openzfs-csi.adoc index e8e456a47..3b7cad7dd 100644 --- a/latest/ug/storage/fsx-openzfs-csi.adoc +++ b/latest/ug/storage/fsx-openzfs-csi.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[fsx-openzfs-csi,fsx-openzfs-csi.title]] = Store data using Amazon FSx for OpenZFS :info_doctype: section +:info_title: Store data using Amazon FSx for OpenZFS :info_titleabbrev: Amazon FSx for OpenZFS :keywords: Amazon FSx for OpenZFS CSI driver, storage interface that allows Amazon EKS clusters to manage the life cycle of Amazon FSx for OpenZFS \ diff --git a/latest/ug/storage/s3-csi.adoc b/latest/ug/storage/s3-csi.adoc index b2bbf284c..3abf5e8a5 100644 --- a/latest/ug/storage/s3-csi.adoc +++ b/latest/ug/storage/s3-csi.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[s3-csi,s3-csi.title]] = Access Amazon S3 objects with Mountpoint for Amazon S3 CSI driver :info_doctype: section +:info_title: Access Amazon S3 objects with Mountpoint for Amazon S3 CSI driver :info_titleabbrev: Mountpoint for Amazon S3 :keywords: Mountpoint for Amazon S3 CSI driver, storage CSI interface for managing Amazon S3 files and buckets. diff --git a/latest/ug/storage/storage.adoc b/latest/ug/storage/storage.adoc index d66ee04af..a1c45264e 100644 --- a/latest/ug/storage/storage.adoc +++ b/latest/ug/storage/storage.adoc @@ -11,6 +11,7 @@ include::../attributes.txt[] :idseparator: - :sourcedir: . :info_doctype: chapter +:info_title: Store application data for your cluster :info_titleabbrev: Store app data :keywords: persistent, data, app, storage diff --git a/latest/ug/troubleshooting/troubleshooting.adoc b/latest/ug/troubleshooting/troubleshooting.adoc index 959e8f530..50c83df78 100644 --- a/latest/ug/troubleshooting/troubleshooting.adoc +++ b/latest/ug/troubleshooting/troubleshooting.adoc @@ -10,6 +10,7 @@ :idseparator: - :sourcedir: . :info_doctype: chapter +:info_title: Troubleshoot problems with Amazon EKS clusters and nodes :info_titleabbrev: Troubleshooting :keywords: troubleshooting, help, FAQ to work around them. diff --git a/latest/ug/what-is/common-use-cases.adoc b/latest/ug/what-is/common-use-cases.adoc index 7e10d6fe1..ad6497389 100644 --- a/latest/ug/what-is/common-use-cases.adoc +++ b/latest/ug/what-is/common-use-cases.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[common-use-cases,common-use-cases.title]] = Common use cases in Amazon EKS :info_doctype: section +:info_title: Common use cases in Amazon EKS :info_titleabbrev: Common use cases :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, use cases, summary, description diff --git a/latest/ug/what-is/eks-architecture.adoc b/latest/ug/what-is/eks-architecture.adoc index 58bc7ee23..e2f0c090c 100644 --- a/latest/ug/what-is/eks-architecture.adoc +++ b/latest/ug/what-is/eks-architecture.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[eks-architecture,eks-architecture.title]] = Amazon EKS architecture :info_doctype: section +:info_title: Amazon EKS architecture :info_titleabbrev: Architecture :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, architecture, control plane, nodes, data plane diff --git a/latest/ug/what-is/eks-deployment-options.adoc b/latest/ug/what-is/eks-deployment-options.adoc index 2d1912462..7419467ec 100644 --- a/latest/ug/what-is/eks-deployment-options.adoc +++ b/latest/ug/what-is/eks-deployment-options.adoc @@ -3,6 +3,7 @@ [[eks-deployment-options,eks-deployment-options.title]] = Deploy Amazon EKS clusters across cloud and on-premises environments :info_doctype: section +:info_title: Deploy Amazon EKS clusters across cloud and on-premises environments :info_titleabbrev: Deployment options :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, deployment, options, comparison diff --git a/latest/ug/what-is/kubernetes-concepts.adoc b/latest/ug/what-is/kubernetes-concepts.adoc index ce43605c0..a79f04349 100644 --- a/latest/ug/what-is/kubernetes-concepts.adoc +++ b/latest/ug/what-is/kubernetes-concepts.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[kubernetes-concepts,kubernetes-concepts.title]] = [.noloc]`Kubernetes` concepts :info_doctype: section +:info_title: Kubernetes concepts :info_titleabbrev: Kubernetes concepts :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, architecture, control plane, nodes, data plane diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index e28366c30..4815ab966 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -12,6 +12,7 @@ include::../attributes.txt[] :idseparator: - :sourcedir: . :info_doctype: chapter +:info_title: What is Amazon EKS? :info_titleabbrev: What is Amazon EKS? :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, about, summary, description diff --git a/latest/ug/workloads/alb-ingress.adoc b/latest/ug/workloads/alb-ingress.adoc index 650abeb07..b95e0a718 100644 --- a/latest/ug/workloads/alb-ingress.adoc +++ b/latest/ug/workloads/alb-ingress.adoc @@ -3,6 +3,7 @@ [[alb-ingress,alb-ingress.title]] = Route application and [.noloc]`HTTP` traffic with [.noloc]`Application Load Balancers` :info_doctype: section +:info_title: Route application and HTTP traffic with Application Load Balancers :info_titleabbrev: Application load balancing include::../attributes.txt[] diff --git a/latest/ug/workloads/copy-image-to-repository.adoc b/latest/ug/workloads/copy-image-to-repository.adoc index d3668e9b7..2e05fd705 100644 --- a/latest/ug/workloads/copy-image-to-repository.adoc +++ b/latest/ug/workloads/copy-image-to-repository.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[copy-image-to-repository,copy-image-to-repository.title]] = Copy a container image from one repository to another repository :info_doctype: section +:info_title: Copy a container image from one repository to \ another repository :info_titleabbrev: Copy an image to a repository diff --git a/latest/ug/workloads/eks-add-ons.adoc b/latest/ug/workloads/eks-add-ons.adoc index f511c3eb1..8de8312a3 100644 --- a/latest/ug/workloads/eks-add-ons.adoc +++ b/latest/ug/workloads/eks-add-ons.adoc @@ -4,6 +4,7 @@ [[eks-add-ons,eks-add-ons.title]] = Amazon EKS add-ons :info_doctype: section +:info_title: Amazon EKS add-ons :info_titleabbrev: Amazon EKS add-ons :keywords: managed, add-ons, plugins diff --git a/latest/ug/workloads/eks-workloads.adoc b/latest/ug/workloads/eks-workloads.adoc index f2a6ec351..4a7e965a2 100644 --- a/latest/ug/workloads/eks-workloads.adoc +++ b/latest/ug/workloads/eks-workloads.adoc @@ -11,6 +11,7 @@ include::../attributes.txt[] :idseparator: - :sourcedir: . :info_doctype: chapter +:info_title: Learn how to deploy workloads and add-ons to Amazon EKS :info_titleabbrev: Workloads Your workloads are deployed in containers, which are deployed in [.noloc]`Pods` in [.noloc]`Kubernetes`. A [.noloc]`Pod` includes one or more containers. Typically, one or more [.noloc]`Pods` that provide the same service are deployed in a [.noloc]`Kubernetes` service. Once you've deployed multiple [.noloc]`Pods` that provide the same service, you can: diff --git a/latest/ug/workloads/horizontal-pod-autoscaler.adoc b/latest/ug/workloads/horizontal-pod-autoscaler.adoc index 2ad34b2cf..3b36a46d8 100644 --- a/latest/ug/workloads/horizontal-pod-autoscaler.adoc +++ b/latest/ug/workloads/horizontal-pod-autoscaler.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[horizontal-pod-autoscaler,horizontal-pod-autoscaler.title]] = Scale pod deployments with [.noloc]`Horizontal Pod Autoscaler` :info_doctype: section +:info_title: Scale pod deployments with Horizontal Pod Autoscaler :info_titleabbrev: Horizontal Pod Autoscaler [abstract] diff --git a/latest/ug/workloads/image-verification.adoc b/latest/ug/workloads/image-verification.adoc index d6803ae5f..54868bf88 100644 --- a/latest/ug/workloads/image-verification.adoc +++ b/latest/ug/workloads/image-verification.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[image-verification,image-verification.title]] = Validate container image signatures during deployment :info_doctype: section +:info_title: Validate container image signatures during deployment :info_titleabbrev: Verify container images [abstract] diff --git a/latest/ug/workloads/network-load-balancing.adoc b/latest/ug/workloads/network-load-balancing.adoc index 3c89449a6..34f203875 100644 --- a/latest/ug/workloads/network-load-balancing.adoc +++ b/latest/ug/workloads/network-load-balancing.adoc @@ -3,6 +3,7 @@ [[network-load-balancing,network-load-balancing.title]] = Route [.noloc]`TCP` and [.noloc]`UDP` traffic with [.noloc]`Network Load Balancers` :info_doctype: section +:info_title: Route TCP and UDP traffic with Network Load Balancers :info_titleabbrev: Network load balancing include::../attributes.txt[] diff --git a/latest/ug/workloads/sample-deployment-windows.adoc b/latest/ug/workloads/sample-deployment-windows.adoc index e9e3af831..9d595b197 100644 --- a/latest/ug/workloads/sample-deployment-windows.adoc +++ b/latest/ug/workloads/sample-deployment-windows.adoc @@ -4,6 +4,7 @@ [[sample-deployment-win,sample-deployment-win.title]] = Deploy a sample application on Windows :info_doctype: section +:info_title: Deploy a sample application on Windows :info_titleabbrev: Sample application deployment (Windows) include::../attributes.txt[] diff --git a/latest/ug/workloads/sample-deployment.adoc b/latest/ug/workloads/sample-deployment.adoc index ec9d3e7b1..d1c011335 100644 --- a/latest/ug/workloads/sample-deployment.adoc +++ b/latest/ug/workloads/sample-deployment.adoc @@ -5,6 +5,7 @@ [[sample-deployment,sample-deployment.title]] = Deploy a sample application on Linux :info_doctype: section +:info_title: Deploy a sample application on Linux :info_titleabbrev: Sample application deployment (Linux) include::../attributes.txt[] diff --git a/latest/ug/workloads/vertical-pod-autoscaler.adoc b/latest/ug/workloads/vertical-pod-autoscaler.adoc index af21c6b2a..bf07a97a8 100644 --- a/latest/ug/workloads/vertical-pod-autoscaler.adoc +++ b/latest/ug/workloads/vertical-pod-autoscaler.adoc @@ -5,6 +5,7 @@ include::../attributes.txt[] [[vertical-pod-autoscaler,vertical-pod-autoscaler.title]] = Adjust pod resources with [.noloc]`Vertical Pod Autoscaler` :info_doctype: section +:info_title: Adjust pod resources with Vertical Pod Autoscaler :info_titleabbrev: Vertical Pod Autoscaler [abstract] From e3d7a562ab6cecc474f57c4220ca097c2af550a1 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Thu, 23 Jan 2025 20:14:00 +0000 Subject: [PATCH 043/940] Revert "Removed abstract metadata in favor of the abstract block syntax which seems to be prioritized by build system." This reverts commit 62164d9ebf7cd2c3a2cec6baa8a271358db1c248. --- latest/ug/automode/associate-workload.adoc | 1 + latest/ug/automode/auto-elb-example.adoc | 1 + latest/ug/automode/auto-enable-existing.adoc | 1 + latest/ug/automode/auto-glossary.adoc | 1 + latest/ug/automode/auto-migrate-karpenter.adoc | 1 + latest/ug/automode/auto-migrate-mng.adoc | 1 + latest/ug/automode/auto-mng.adoc | 1 + latest/ug/automode/auto-networking.adoc | 1 + latest/ug/automode/auto-reference.adoc | 1 + latest/ug/automode/auto-troubleshoot.adoc | 1 + latest/ug/automode/auto-workloads.adoc | 1 + latest/ug/automode/automode-get-started-cli.adoc | 1 + latest/ug/automode/automode-get-started-console.adoc | 1 + latest/ug/automode/automode-get-started-eksctl.adoc | 1 + latest/ug/automode/automode-learn-instances.adoc | 1 + latest/ug/automode/automode-workload.adoc | 1 + latest/ug/automode/automode.adoc | 1 + latest/ug/automode/create-auto.adoc | 1 + latest/ug/automode/migrate-auto.adoc | 1 + latest/ug/automode/sample-storage-workload.adoc | 1 + latest/ug/automode/settings-auto.adoc | 1 + latest/ug/book.adoc | 1 + latest/ug/clusters/autoscaling.adoc | 1 + latest/ug/clusters/cluster-endpoint.adoc | 1 + latest/ug/clusters/create-cluster-auto.adoc | 1 + latest/ug/clusters/create-cluster.adoc | 1 + latest/ug/clusters/delete-cluster.adoc | 1 + latest/ug/clusters/kubernetes-versions.adoc | 1 + latest/ug/clusters/management/cost-monitoring.adoc | 1 + latest/ug/clusters/management/eks-using-tags.adoc | 1 + latest/ug/clusters/management/helm.adoc | 1 + latest/ug/clusters/management/metrics-server.adoc | 1 + latest/ug/clusters/management/service-quotas.adoc | 1 + latest/ug/clusters/private-clusters.adoc | 1 + latest/ug/clusters/update-cluster.adoc | 1 + latest/ug/clusters/windows-support.adoc | 1 + latest/ug/connector/connecting-cluster.adoc | 1 + latest/ug/connector/connector-grant-access.adoc | 1 + latest/ug/connector/deregister-connected-cluster.adoc | 1 + latest/ug/connector/eks-connector.adoc | 1 + latest/ug/connector/security-connector.adoc | 1 + latest/ug/connector/troubleshooting-connector.adoc | 1 + latest/ug/connector/tsc-faq.adoc | 1 + latest/ug/doc-history.adoc | 1 + latest/ug/getting-started/getting-started-automode.adoc | 1 + latest/ug/getting-started/getting-started-console.adoc | 1 + latest/ug/getting-started/getting-started-eksctl.adoc | 1 + latest/ug/getting-started/getting-started.adoc | 1 + latest/ug/getting-started/install-awscli.adoc | 1 + latest/ug/getting-started/install-kubectl.adoc | 1 + latest/ug/getting-started/learn-eks.adoc | 1 + latest/ug/getting-started/setting-up.adoc | 1 + .../integrations/creating-resources-with-cloudformation.adoc | 1 + latest/ug/integrations/integration-detective.adoc | 1 + latest/ug/integrations/integration-securitylake.adoc | 1 + latest/ug/manage-access/cluster-auth.adoc | 1 + latest/ug/manage-access/create-kubeconfig.adoc | 1 + latest/ug/manage-access/k8s-access/grant-k8s-access.adoc | 1 + latest/ug/manage-access/view-kubernetes-resources.adoc | 1 + latest/ug/ml/inferentia-support.adoc | 1 + latest/ug/ml/machine-learning-on-eks.adoc | 1 + latest/ug/ml/ml-get-started.adoc | 1 + latest/ug/ml/ml-prepare-for-cluster.adoc | 1 + latest/ug/ml/ml-tutorials.adoc | 1 + latest/ug/ml/node-efa.adoc | 1 + latest/ug/networking/creating-a-vpc.adoc | 1 + latest/ug/networking/network-reqs.adoc | 1 + latest/ug/networking/sec-group-reqs.adoc | 1 + latest/ug/nodes/choosing-instance-type.adoc | 1 + latest/ug/nodes/eks-compute.adoc | 1 + latest/ug/nodes/eks-optimized-amis.adoc | 1 + latest/ug/nodes/fargate.adoc | 1 + latest/ug/nodes/hybrid-nodes-add-ons.adoc | 1 + latest/ug/nodes/hybrid-nodes-cluster-create.adoc | 1 + latest/ug/nodes/hybrid-nodes-cluster-prep.adoc | 1 + latest/ug/nodes/hybrid-nodes-cni.adoc | 1 + latest/ug/nodes/hybrid-nodes-join.adoc | 1 + latest/ug/nodes/hybrid-nodes-networking.adoc | 1 + latest/ug/nodes/hybrid-nodes-nodeadm.adoc | 1 + latest/ug/nodes/hybrid-nodes-os.adoc | 1 + latest/ug/nodes/hybrid-nodes-prereqs.adoc | 1 + latest/ug/nodes/hybrid-nodes-proxy.adoc | 1 + latest/ug/nodes/hybrid-nodes-remove.adoc | 1 + latest/ug/nodes/hybrid-nodes-troubleshooting.adoc | 1 + latest/ug/nodes/hybrid-nodes-tutorial.adoc | 1 + latest/ug/nodes/hybrid-nodes-upgrade.adoc | 1 + latest/ug/nodes/hybrid-nodes.adoc | 1 + latest/ug/nodes/managed-node-groups.adoc | 1 + latest/ug/nodes/worker.adoc | 1 + latest/ug/observability/control-plane-logs.adoc | 1 + latest/ug/observability/eks-observe.adoc | 1 + latest/ug/observability/logging-using-cloudtrail.adoc | 1 + latest/ug/observability/observability-dashboard.adoc | 1 + latest/ug/observability/opentelemetry.adoc | 1 + latest/ug/observability/prometheus.adoc | 1 + latest/ug/outposts/eks-outposts-self-managed-nodes.adoc | 1 + latest/ug/outposts/eks-outposts.adoc | 1 + latest/ug/quickstart.adoc | 1 + latest/ug/related-projects.adoc | 1 + latest/ug/roadmap.adoc | 1 + latest/ug/storage/csi-snapshot-controller.adoc | 1 + latest/ug/storage/ebs-csi-migration-faq.adoc | 1 + latest/ug/storage/ebs-csi.adoc | 1 + latest/ug/storage/file-cache-csi.adoc | 1 + latest/ug/storage/fsx-csi.adoc | 1 + latest/ug/storage/fsx-ontap.adoc | 1 + latest/ug/storage/fsx-openzfs-csi.adoc | 1 + latest/ug/storage/s3-csi.adoc | 1 + latest/ug/storage/storage.adoc | 1 + latest/ug/troubleshooting/troubleshooting.adoc | 1 + latest/ug/what-is/common-use-cases.adoc | 1 + latest/ug/what-is/eks-architecture.adoc | 1 + latest/ug/what-is/eks-deployment-options.adoc | 1 + latest/ug/what-is/kubernetes-concepts.adoc | 1 + latest/ug/what-is/what-is-eks.adoc | 3 ++- latest/ug/workloads/alb-ingress.adoc | 1 + latest/ug/workloads/eks-add-ons.adoc | 1 + latest/ug/workloads/horizontal-pod-autoscaler.adoc | 1 + latest/ug/workloads/image-verification.adoc | 1 + latest/ug/workloads/network-load-balancing.adoc | 1 + latest/ug/workloads/vertical-pod-autoscaler.adoc | 1 + 121 files changed, 122 insertions(+), 1 deletion(-) diff --git a/latest/ug/automode/associate-workload.adoc b/latest/ug/automode/associate-workload.adoc index 25c79c488..232512ed5 100644 --- a/latest/ug/automode/associate-workload.adoc +++ b/latest/ug/automode/associate-workload.adoc @@ -8,6 +8,7 @@ include::../attributes.txt[] :info_doctype: section :info_title: Control if a workload is deployed on EKS Auto Mode nodes :info_titleabbrev: Control workload deployment +:info_abstract: Control if a workload is deployed on EKS Auto Mode nodes When running workloads in an EKS cluster with {eam}, you might need to control whether specific workloads run on {eam} nodes or other compute types. This topic describes how to use node selectors and affinity rules to ensure your workloads are scheduled on the intended compute infrastructure. diff --git a/latest/ug/automode/auto-elb-example.adoc b/latest/ug/automode/auto-elb-example.adoc index b799d0e37..10edb9ed6 100644 --- a/latest/ug/automode/auto-elb-example.adoc +++ b/latest/ug/automode/auto-elb-example.adoc @@ -6,6 +6,7 @@ :info_doctype: section :info_title: Deploy a sample load balancer workload to EKS Auto Mode :info_titleabbrev: Deploy load balancer workload +:info_abstract: Deploy a sample load balancer workload to EKS Auto Mode include::../attributes.txt[] diff --git a/latest/ug/automode/auto-enable-existing.adoc b/latest/ug/automode/auto-enable-existing.adoc index 05df23913..1e0dab076 100644 --- a/latest/ug/automode/auto-enable-existing.adoc +++ b/latest/ug/automode/auto-enable-existing.adoc @@ -6,6 +6,7 @@ :info_doctype: section :info_title: Enable EKS Auto Mode on an existing cluster :info_titleabbrev: Enable on cluster +:info_abstract: Enable EKS Auto Mode on an existing cluster include::../attributes.txt[] diff --git a/latest/ug/automode/auto-glossary.adoc b/latest/ug/automode/auto-glossary.adoc index b66b36069..d2bfcb7fb 100644 --- a/latest/ug/automode/auto-glossary.adoc +++ b/latest/ug/automode/auto-glossary.adoc @@ -5,6 +5,7 @@ :info_doctype: section :info_title: Glossary of terms for EKS Auto Mode :info_titleabbrev: Glossary +:info_abstract: Glossary of terms for EKS Auto Mode include::../attributes.txt[] diff --git a/latest/ug/automode/auto-migrate-karpenter.adoc b/latest/ug/automode/auto-migrate-karpenter.adoc index 5f4ac69fe..976ef7ee9 100644 --- a/latest/ug/automode/auto-migrate-karpenter.adoc +++ b/latest/ug/automode/auto-migrate-karpenter.adoc @@ -5,6 +5,7 @@ :info_doctype: section :info_title: Migrate from Karpenter to EKS Auto Mode using kubectl :info_titleabbrev: Migrate from Karpenter +:info_abstract: Migrate from Karpenter to EKS Auto Mode using kubectl include::../attributes.txt[] diff --git a/latest/ug/automode/auto-migrate-mng.adoc b/latest/ug/automode/auto-migrate-mng.adoc index caaa27c23..10fe6d8be 100644 --- a/latest/ug/automode/auto-migrate-mng.adoc +++ b/latest/ug/automode/auto-migrate-mng.adoc @@ -6,6 +6,7 @@ :info_doctype: section :info_title: Migrate from EKS Managed Node Groups to EKS Auto Mode :info_titleabbrev: Migrate from Managed Node Groups +:info_abstract: Migrate from EKS Managed Node Groups include::../attributes.txt[] diff --git a/latest/ug/automode/auto-mng.adoc b/latest/ug/automode/auto-mng.adoc index 7c0407049..34af935c3 100644 --- a/latest/ug/automode/auto-mng.adoc +++ b/latest/ug/automode/auto-mng.adoc @@ -6,6 +6,7 @@ :info_doctype: section :info_title: Compare EKS Auto Mode with EKS managed node groups :info_titleabbrev: Compare with Managed Node Groups +:info_abstract: Compare EKS Auto Mode with EKS managed node groups include::../attributes.txt[] diff --git a/latest/ug/automode/auto-networking.adoc b/latest/ug/automode/auto-networking.adoc index 2d585acc5..a3279d9c6 100644 --- a/latest/ug/automode/auto-networking.adoc +++ b/latest/ug/automode/auto-networking.adoc @@ -5,6 +5,7 @@ :info_doctype: section :info_title: Learn about VPC networking and load balancing in EKS Auto Mode :info_titleabbrev: Networking +:info_abstract: Learn about VPC networking and load balancing in EKS Auto Mode. include::../attributes.txt[] diff --git a/latest/ug/automode/auto-reference.adoc b/latest/ug/automode/auto-reference.adoc index 277c091a1..25be16060 100644 --- a/latest/ug/automode/auto-reference.adoc +++ b/latest/ug/automode/auto-reference.adoc @@ -11,6 +11,7 @@ include::../attributes.txt[] :sourcedir: . :info_title: Learn how EKS Auto Mode works :info_titleabbrev: How it works +:info_abstract: Learn how EKS Auto Mode works [abstract] -- diff --git a/latest/ug/automode/auto-troubleshoot.adoc b/latest/ug/automode/auto-troubleshoot.adoc index 7bf491dc3..aa301da42 100644 --- a/latest/ug/automode/auto-troubleshoot.adoc +++ b/latest/ug/automode/auto-troubleshoot.adoc @@ -6,6 +6,7 @@ :info_doctype: section :info_title: Troubleshoot EKS Auto Mode :info_titleabbrev: Troubleshoot +:info_abstract: Troubleshoot EKS Auto Mode include::../attributes.txt[] diff --git a/latest/ug/automode/auto-workloads.adoc b/latest/ug/automode/auto-workloads.adoc index a7c1e068a..7a99b60cc 100644 --- a/latest/ug/automode/auto-workloads.adoc +++ b/latest/ug/automode/auto-workloads.adoc @@ -6,6 +6,7 @@ include::../attributes.txt[] :info_doctype: section :info_title: Run workloads in EKS Auto Mode clusters :info_titleabbrev: Run workloads +:info_abstract: Run workloads in EKS Auto Mode clusters [abstract] -- diff --git a/latest/ug/automode/automode-get-started-cli.adoc b/latest/ug/automode/automode-get-started-cli.adoc index 94b29d96e..99eec8c18 100644 --- a/latest/ug/automode/automode-get-started-cli.adoc +++ b/latest/ug/automode/automode-get-started-cli.adoc @@ -9,6 +9,7 @@ include::../attributes.txt[] :config: configuration :info_title: Create an EKS Auto Mode Cluster with the {aws} CLI :info_titleabbrev: {aws} CLI +:info_abstract: Create an EKS Auto Mode cluster with the {aws} CLI EKS Auto Mode Clusters automate routine cluster management tasks for compute, storage, and networking. For example, EKS Auto Mode Clusters automatically detect when additional nodes are required and provision new EC2 instances to meet workload demands. diff --git a/latest/ug/automode/automode-get-started-console.adoc b/latest/ug/automode/automode-get-started-console.adoc index 789b9c96b..714f2b2ae 100644 --- a/latest/ug/automode/automode-get-started-console.adoc +++ b/latest/ug/automode/automode-get-started-console.adoc @@ -8,6 +8,7 @@ include::../attributes.txt[] :info_doctype: section :info_title: Create an EKS Auto Mode Cluster with the {aws} Management Console :info_titleabbrev: Management console +:info_abstract: Create an EKS Auto Mode cluster with the {aws} Management Console Creating an {eam} cluster in the {aws} Management Console requires less {config} than other options. EKS integrates with {aws} IAM and VPC Networking to help you create the resources associated with an EKS cluster. diff --git a/latest/ug/automode/automode-get-started-eksctl.adoc b/latest/ug/automode/automode-get-started-eksctl.adoc index cd6ab8e8a..8677b35bf 100644 --- a/latest/ug/automode/automode-get-started-eksctl.adoc +++ b/latest/ug/automode/automode-get-started-eksctl.adoc @@ -7,6 +7,7 @@ :config: configuration :info_title: Create an EKS Auto Mode Cluster with the eksctl CLI :info_titleabbrev: eksctl CLI +:info_abstract: Create an EKS Auto Mode cluster with the eksctl CLI include::../attributes.txt[] diff --git a/latest/ug/automode/automode-learn-instances.adoc b/latest/ug/automode/automode-learn-instances.adoc index accf312cc..57220f30f 100644 --- a/latest/ug/automode/automode-learn-instances.adoc +++ b/latest/ug/automode/automode-learn-instances.adoc @@ -13,6 +13,7 @@ :emng: EKS Managed Node Group :info_title: Learn about Amazon EKS Auto Mode managed instances :info_titleabbrev: Managed instances +:info_abstract: Learn about Amazon EKS Auto Mode managed instances include::../attributes.txt[] diff --git a/latest/ug/automode/automode-workload.adoc b/latest/ug/automode/automode-workload.adoc index 374aedb84..015a1856e 100644 --- a/latest/ug/automode/automode-workload.adoc +++ b/latest/ug/automode/automode-workload.adoc @@ -6,6 +6,7 @@ :info_doctype: section :info_title: Deploy a sample inflate workload to an Amazon EKS Auto Mode cluster :info_titleabbrev: Deploy inflate workload +:info_abstract: Deploy a sample inflate workload to an Amazon EKS Auto Mode cluster include::../attributes.txt[] diff --git a/latest/ug/automode/automode.adoc b/latest/ug/automode/automode.adoc index 718354e45..a9a6353a3 100644 --- a/latest/ug/automode/automode.adoc +++ b/latest/ug/automode/automode.adoc @@ -7,6 +7,7 @@ :toc: :info_title: Automate cluster infrastructure with EKS Auto Mode :info_titleabbrev: EKS Auto Mode +:info_abstract: Automate cluster infrastructure with EKS Auto Mode [abstract] -- diff --git a/latest/ug/automode/create-auto.adoc b/latest/ug/automode/create-auto.adoc index bc13bd7f7..4237fb19f 100644 --- a/latest/ug/automode/create-auto.adoc +++ b/latest/ug/automode/create-auto.adoc @@ -11,6 +11,7 @@ include::../attributes.txt[] :sourcedir: . :info_title: Create cluster with EKS Auto Mode :info_titleabbrev: Create cluster +:info_abstract: Learn about the tools needed for creating and working with an Amazon EKS cluster in EKS Auto Mode. :keywords: getting, started, tutorials, quick, start [abstract] diff --git a/latest/ug/automode/migrate-auto.adoc b/latest/ug/automode/migrate-auto.adoc index 401c58a0d..8be336791 100644 --- a/latest/ug/automode/migrate-auto.adoc +++ b/latest/ug/automode/migrate-auto.adoc @@ -11,6 +11,7 @@ include::../attributes.txt[] :sourcedir: . :info_title: Enable EKS Auto Mode on existing EKS clusters :info_titleabbrev: Enable existing clusters +:info_abstract: Learn about the tools needed to migrate an Amazon EKS cluster to EKS Auto Mode. [abstract] -- diff --git a/latest/ug/automode/sample-storage-workload.adoc b/latest/ug/automode/sample-storage-workload.adoc index 488ccc928..4230d0e1c 100644 --- a/latest/ug/automode/sample-storage-workload.adoc +++ b/latest/ug/automode/sample-storage-workload.adoc @@ -6,6 +6,7 @@ :info_doctype: section :info_title: Deploy a sample stateful workload to EKS Auto Mode :info_titleabbrev: Deploy stateful workload +:info_abstract: Deploy a sample stateful workload to EKS Auto Mode include::../attributes.txt[] diff --git a/latest/ug/automode/settings-auto.adoc b/latest/ug/automode/settings-auto.adoc index 18b86ec22..23f7f2bf4 100644 --- a/latest/ug/automode/settings-auto.adoc +++ b/latest/ug/automode/settings-auto.adoc @@ -11,6 +11,7 @@ include::../attributes.txt[] :sourcedir: . :info_title: Change EKS Auto cluster settings :info_titleabbrev: Configure +:info_abstract: Change EKS Auto cluster settings [abstract] -- diff --git a/latest/ug/book.adoc b/latest/ug/book.adoc index 5bef37add..8d87ae743 100644 --- a/latest/ug/book.adoc +++ b/latest/ug/book.adoc @@ -11,6 +11,7 @@ include::attributes.txt[] :info_doctype: book :info_title: Amazon EKS :info_subtitle: User Guide +:info_abstract: This is official Amazon Web Services ({aws}) documentation for Amazon Elastic Kubernetes Service (Amazon EKS). Amazon EKS is a managed \ service that makes it easy for you to run Kubernetes on {aws} without needing to install and operate \ your own Kubernetes clusters. Kubernetes is an open-source system for automating the deployment, scaling, \ and management of containerized applications. diff --git a/latest/ug/clusters/autoscaling.adoc b/latest/ug/clusters/autoscaling.adoc index 86dc07a30..38abb8a6b 100644 --- a/latest/ug/clusters/autoscaling.adoc +++ b/latest/ug/clusters/autoscaling.adoc @@ -7,6 +7,7 @@ include::../attributes.txt[] :info_doctype: section :info_title: Scale cluster compute with Karpenter and Cluster Autoscaler :info_titleabbrev: Autoscaling +:info_abstract: Discover how Amazon EKS integrates Kubernetes autoscaling with {aws}, empowering rapid and efficient scaling of compute resources to meet application demands using Karpenter and Cluster Autoscaler. [abstract] -- diff --git a/latest/ug/clusters/cluster-endpoint.adoc b/latest/ug/clusters/cluster-endpoint.adoc index b3401bf7a..dc1096ace 100644 --- a/latest/ug/clusters/cluster-endpoint.adoc +++ b/latest/ug/clusters/cluster-endpoint.adoc @@ -5,6 +5,7 @@ :info_doctype: section :info_title: Control network access to cluster API server endpoint :info_titleabbrev: Configure endpoint access +:info_abstract: Learn how to enable private access and limit public access to the Amazon EKS cluster Kubernetes API server endpoint for enhanced security with your Amazon EKS cluster. include::../attributes.txt[] diff --git a/latest/ug/clusters/create-cluster-auto.adoc b/latest/ug/clusters/create-cluster-auto.adoc index 03ddcd797..32a496cf3 100644 --- a/latest/ug/clusters/create-cluster-auto.adoc +++ b/latest/ug/clusters/create-cluster-auto.adoc @@ -6,6 +6,7 @@ :info_doctype: section :info_title: Create an Amazon EKS Auto Mode cluster :info_titleabbrev: Create auto cluster +:info_abstract: Learn how to create an Amazon EKS Auto Mode cluster to run Kubernetes applications, including prerequisites, networking options, and add-on configurations. :idprefix: id_ include::../attributes.txt[] diff --git a/latest/ug/clusters/create-cluster.adoc b/latest/ug/clusters/create-cluster.adoc index 648eaae6c..dbbd39f77 100644 --- a/latest/ug/clusters/create-cluster.adoc +++ b/latest/ug/clusters/create-cluster.adoc @@ -6,6 +6,7 @@ :info_doctype: section :info_title: Create an Amazon EKS cluster :info_titleabbrev: Create a cluster +:info_abstract: Learn how to create an Amazon EKS cluster to run Kubernetes applications, including prerequisites, networking options, and add-on configurations. include::../attributes.txt[] diff --git a/latest/ug/clusters/delete-cluster.adoc b/latest/ug/clusters/delete-cluster.adoc index 10bff9c57..d9da28153 100644 --- a/latest/ug/clusters/delete-cluster.adoc +++ b/latest/ug/clusters/delete-cluster.adoc @@ -7,6 +7,7 @@ include::../attributes.txt[] :info_doctype: section :info_title: Delete a cluster :info_titleabbrev: Delete a cluster +:info_abstract: Learn how to delete Amazon EKS clusters, including managed and self-managed node groups, Fargate profiles, related services, and {aws} CloudFormation stacks using eksctl, {aws-management-console}, or {aws} CLI for cost optimization and resource cleanup. [abstract] -- diff --git a/latest/ug/clusters/kubernetes-versions.adoc b/latest/ug/clusters/kubernetes-versions.adoc index 9d8e3015d..fdf3e63ea 100644 --- a/latest/ug/clusters/kubernetes-versions.adoc +++ b/latest/ug/clusters/kubernetes-versions.adoc @@ -7,6 +7,7 @@ :info_title: Understand the Kubernetes version lifecycle on EKS :info_titleabbrev: Kubernetes versions :keywords: Amazon EKS, available, Kubernetes, version, release notes +:info_abstract: Learn how Amazon EKS supports Kubernetes versions with standard and extended \ support periods, allowing you to proactively update clusters with the latest \ versions, features, and security patches.. diff --git a/latest/ug/clusters/management/cost-monitoring.adoc b/latest/ug/clusters/management/cost-monitoring.adoc index e6e3bc43d..6f92be955 100644 --- a/latest/ug/clusters/management/cost-monitoring.adoc +++ b/latest/ug/clusters/management/cost-monitoring.adoc @@ -8,6 +8,7 @@ :info_title: Monitor and optimize Amazon EKS cluster costs :info_titleabbrev: Cost monitoring :keywords: cost, monitoring, watch +:info_abstract: Learn how to monitor and optimize costs for your Amazon EKS clusters using {aws} Billing split cost allocation data or Kubecost, a Kubernetes-native cost monitoring tool integrated with {aws}. include::../../attributes.txt[] diff --git a/latest/ug/clusters/management/eks-using-tags.adoc b/latest/ug/clusters/management/eks-using-tags.adoc index 59abfac9f..447b87998 100644 --- a/latest/ug/clusters/management/eks-using-tags.adoc +++ b/latest/ug/clusters/management/eks-using-tags.adoc @@ -8,6 +8,7 @@ include::../../attributes.txt[] :info_title: Organize Amazon EKS resources with tags :info_titleabbrev: Tagging your resources :keywords: metadata, tag, resources +:info_abstract: Learn how to use tags to categorize and manage your Amazon EKS resources like clusters, managed node groups, and Fargate profiles for billing, cost allocation, and resource identification. [abstract] -- diff --git a/latest/ug/clusters/management/helm.adoc b/latest/ug/clusters/management/helm.adoc index ee354e2bd..56c8385ed 100644 --- a/latest/ug/clusters/management/helm.adoc +++ b/latest/ug/clusters/management/helm.adoc @@ -7,6 +7,7 @@ include::../../attributes.txt[] :info_doctype: section :info_title: Deploy applications with Helm on Amazon EKS :info_titleabbrev: Deploy apps with Helm +:info_abstract: Learn how to install and use Helm, a package manager for Kubernetes, with your Amazon EKS cluster to manage and deploy applications seamlessly. [abstract] -- diff --git a/latest/ug/clusters/management/metrics-server.adoc b/latest/ug/clusters/management/metrics-server.adoc index c09d86dc7..c53b83554 100644 --- a/latest/ug/clusters/management/metrics-server.adoc +++ b/latest/ug/clusters/management/metrics-server.adoc @@ -7,6 +7,7 @@ include::../../attributes.txt[] :info_doctype: section :info_title: View resource usage with the KubernetesMetrics Server :info_titleabbrev: Metrics server +:info_abstract: Use the Kubernetes Metrics Server to view resource usage data on your Amazon EKS cluster for autoscaling and monitoring. [abstract] -- diff --git a/latest/ug/clusters/management/service-quotas.adoc b/latest/ug/clusters/management/service-quotas.adoc index c2628ee1f..132c39421 100644 --- a/latest/ug/clusters/management/service-quotas.adoc +++ b/latest/ug/clusters/management/service-quotas.adoc @@ -7,6 +7,7 @@ include::../../attributes.txt[] :info_doctype: section :info_title: View and manage Amazon EKS and Fargate service quotas :info_titleabbrev: Service quotas +:info_abstract: Use Service Quotas to view and manage Amazon EKS and {aws} Fargate quotas from the {aws-management-console} or {aws} CLI. [abstract] -- diff --git a/latest/ug/clusters/private-clusters.adoc b/latest/ug/clusters/private-clusters.adoc index 3def600f4..22477bb60 100644 --- a/latest/ug/clusters/private-clusters.adoc +++ b/latest/ug/clusters/private-clusters.adoc @@ -7,6 +7,7 @@ include::../attributes.txt[] :info_doctype: section :info_title: Deploy private clusters with limited internet access :info_titleabbrev: Private clusters +:info_abstract: Learn how to deploy and operate an Amazon EKS cluster without outbound internet access, including requirements for private container registries, endpoint access control, and VPC interface endpoints for {aws} services. [abstract] -- diff --git a/latest/ug/clusters/update-cluster.adoc b/latest/ug/clusters/update-cluster.adoc index 66d019e4e..2a29b8ae8 100644 --- a/latest/ug/clusters/update-cluster.adoc +++ b/latest/ug/clusters/update-cluster.adoc @@ -6,6 +6,7 @@ :info_doctype: section :info_title: Update existing cluster to new Kubernetes version :info_titleabbrev: Update Kubernetes version +:info_abstract: Learn how to update your Amazon EKS cluster to the latest Kubernetes version, ensuring compatibility with nodes and add-ons, and maintaining high availability during the process. include::../attributes.txt[] diff --git a/latest/ug/clusters/windows-support.adoc b/latest/ug/clusters/windows-support.adoc index 245b794a7..6826baeff 100644 --- a/latest/ug/clusters/windows-support.adoc +++ b/latest/ug/clusters/windows-support.adoc @@ -8,6 +8,7 @@ include::../attributes.txt[] :info_title: Deploy Windows nodes on EKS \ clusters :info_titleabbrev: Enable Windows support +:info_abstract: Learn how to enable and manage Windows support for your Amazon EKS cluster to run \ Windows containers alongside Linux containers. [abstract] diff --git a/latest/ug/connector/connecting-cluster.adoc b/latest/ug/connector/connecting-cluster.adoc index f62ec6246..5f3cb087e 100644 --- a/latest/ug/connector/connecting-cluster.adoc +++ b/latest/ug/connector/connecting-cluster.adoc @@ -7,6 +7,7 @@ include::../attributes.txt[] :info_doctype: section :info_title: Connect an external Kubernetes cluster to the Amazon EKS Management Console :info_titleabbrev: Connect a cluster +:info_abstract: Learn to connect an external Kubernetes cluster to an Amazon EKS Management Console and install the eks-connector agent via Helm or YAML manifests to enable visibility and management of the external cluster. [abstract] -- diff --git a/latest/ug/connector/connector-grant-access.adoc b/latest/ug/connector/connector-grant-access.adoc index e3956c285..aaa58c363 100644 --- a/latest/ug/connector/connector-grant-access.adoc +++ b/latest/ug/connector/connector-grant-access.adoc @@ -8,6 +8,7 @@ include::../attributes.txt[] :info_title: Grant access to view Kubernetes cluster resources on an \ Amazon EKS console :info_titleabbrev: Grant access to Kubernetes clusters from {aws} console +:info_abstract: Learn to grant IAM principals access to view Kubernetes cluster resources on an Amazon EKS Management Console. [abstract] -- diff --git a/latest/ug/connector/deregister-connected-cluster.adoc b/latest/ug/connector/deregister-connected-cluster.adoc index f25f0a6cb..090a4358a 100644 --- a/latest/ug/connector/deregister-connected-cluster.adoc +++ b/latest/ug/connector/deregister-connected-cluster.adoc @@ -7,6 +7,7 @@ include::../attributes.txt[] :info_doctype: section :info_title: Deregister a Kubernetes cluster from the Amazon EKS console :info_titleabbrev: Deregister a cluster +:info_abstract: Learn to deregister a Kubernetes cluster from Amazon EKS and uninstall the eks-connector agent to stop managing the cluster from the Amazon EKS Management Console. [abstract] -- diff --git a/latest/ug/connector/eks-connector.adoc b/latest/ug/connector/eks-connector.adoc index b7f97aa91..c0d61be84 100644 --- a/latest/ug/connector/eks-connector.adoc +++ b/latest/ug/connector/eks-connector.adoc @@ -13,6 +13,7 @@ include::../attributes.txt[] :info_doctype: chapter :info_title: Connect a Kubernetes cluster to an Amazon EKS Management Console with Amazon EKS Connector :info_titleabbrev: Amazon EKS Connector +:info_abstract: Discover how to connect conformant Kubernetes clusters to {aws} and visualize them in the Amazon EKS console using the Amazon EKS Connector agent and required IAM roles. [abstract] -- diff --git a/latest/ug/connector/security-connector.adoc b/latest/ug/connector/security-connector.adoc index c58304952..e7dfa1cf5 100644 --- a/latest/ug/connector/security-connector.adoc +++ b/latest/ug/connector/security-connector.adoc @@ -7,6 +7,7 @@ include::../attributes.txt[] :info_doctype: section :info_title: Understand security in Amazon EKS Connector :info_titleabbrev: Security considerations +:info_abstract: Learn how the open-source EKS Connector affects security, and understand {aws} and \ customer security responsibilities for connectivity, cluster management, and IAM \ access control. diff --git a/latest/ug/connector/troubleshooting-connector.adoc b/latest/ug/connector/troubleshooting-connector.adoc index f64970779..3440d66ea 100644 --- a/latest/ug/connector/troubleshooting-connector.adoc +++ b/latest/ug/connector/troubleshooting-connector.adoc @@ -5,6 +5,7 @@ :info_doctype: section :info_title: Troubleshoot Amazon EKS Connector issues :info_titleabbrev: Troubleshoot Amazon EKS Connector +:info_abstract: Troubleshoot and resolve common issues when using Amazon EKS Connector to connect your Kubernetes clusters to Amazon EKS. include::../attributes.txt[] diff --git a/latest/ug/connector/tsc-faq.adoc b/latest/ug/connector/tsc-faq.adoc index bf9cf55d7..82c65f309 100644 --- a/latest/ug/connector/tsc-faq.adoc +++ b/latest/ug/connector/tsc-faq.adoc @@ -7,6 +7,7 @@ include::../attributes.txt[] :info_doctype: section :info_title: {aws} Connector frequently asked questions :info_titleabbrev: Frequently asked questions +:info_abstract: Learn to connect and manage Kubernetes clusters outside {aws} with Amazon EKS Connector, enabling unified cluster visibility and management across environments using a secure, outbound-only connection. [abstract] -- diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index a0b6de634..4ba153e50 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -15,6 +15,7 @@ :info_doctype: chapter :info_title: Document history :keywords: document, publish, release, history, log +:info_abstract: Important updates to the Amazon EKS documentation, sorted by date, with brief \ descriptions of each update and when they occurred. diff --git a/latest/ug/getting-started/getting-started-automode.adoc b/latest/ug/getting-started/getting-started-automode.adoc index b3374ebcc..734e148be 100644 --- a/latest/ug/getting-started/getting-started-automode.adoc +++ b/latest/ug/getting-started/getting-started-automode.adoc @@ -9,6 +9,7 @@ include::../attributes.txt[] EKS Auto Mode :info_titleabbrev: Create your first cluster – EKS Auto Mode :keywords: using, Auto, getting, started, tutorial +:info_abstract: Learn how to create your first Amazon EKS cluster with nodes using EKS Auto Mode Like other EKS getting started experiences, creating your first cluster with EKS Auto Mode delegates the management of the cluster itself to {aws}. However, EKS Auto Mode extends EKS automation by handing responsibility of many essential services needed to set up workload infrastructure (nodes, networks, and various services), making it easier to manage nodes and scale up to meet workload demands. diff --git a/latest/ug/getting-started/getting-started-console.adoc b/latest/ug/getting-started/getting-started-console.adoc index 9ed820357..e388fea82 100644 --- a/latest/ug/getting-started/getting-started-console.adoc +++ b/latest/ug/getting-started/getting-started-console.adoc @@ -9,6 +9,7 @@ include::../attributes.txt[] {aws} CLI :info_titleabbrev: Create your first cluster – {aws-management-console} :keywords: using, {aws-management-console}, {aws} CLI, getting, started, tutorial +:info_abstract: Learn how to create your first Amazon EKS cluster with nodes using the {aws-management-console} and \ {aws} CLI. [abstract] diff --git a/latest/ug/getting-started/getting-started-eksctl.adoc b/latest/ug/getting-started/getting-started-eksctl.adoc index b69618b20..4b05e9744 100644 --- a/latest/ug/getting-started/getting-started-eksctl.adoc +++ b/latest/ug/getting-started/getting-started-eksctl.adoc @@ -9,6 +9,7 @@ include::../attributes.txt[] eksctl :info_titleabbrev: Create your first cluster – eksctl :keywords: using, eksctl, getting, started, tutorial +:info_abstract: Learn how to create your first Amazon EKS cluster with nodes using the eksctl command \ line tool. [abstract] diff --git a/latest/ug/getting-started/getting-started.adoc b/latest/ug/getting-started/getting-started.adoc index a11bd7c24..ae1fc70f3 100644 --- a/latest/ug/getting-started/getting-started.adoc +++ b/latest/ug/getting-started/getting-started.adoc @@ -13,6 +13,7 @@ include::../attributes.txt[] :info_doctype: chapter :info_title: Get started with Amazon EKS :info_titleabbrev: Get started +:info_abstract: Learn about the tools needed for creating and working with an Amazon EKS cluster. :keywords: getting, started, tutorials, quick, start [abstract] diff --git a/latest/ug/getting-started/install-awscli.adoc b/latest/ug/getting-started/install-awscli.adoc index b909c911c..08e3a9cf8 100644 --- a/latest/ug/getting-started/install-awscli.adoc +++ b/latest/ug/getting-started/install-awscli.adoc @@ -8,6 +8,7 @@ include::../attributes.txt[] :info_title: Set up {aws} CLI :info_titleabbrev: Set up {aws} CLI :keywords: setting up, setup +:info_abstract: Set up the {aws} CLI for managing {aws} resources needed to use Amazon EKS. Follow these \ instructions to set up the credentials with {aws} CLI. [abstract] diff --git a/latest/ug/getting-started/install-kubectl.adoc b/latest/ug/getting-started/install-kubectl.adoc index dac69e02a..4dc27d89c 100644 --- a/latest/ug/getting-started/install-kubectl.adoc +++ b/latest/ug/getting-started/install-kubectl.adoc @@ -8,6 +8,7 @@ :info_title: Set up kubectl and eksctl :info_titleabbrev: Set up kubectl and eksctl :keywords: install, update, kubectl +:info_abstract: Learn how to install or update the kubectl and eksctl command line tools \ to work with Kubernetes and Amazon EKS features. diff --git a/latest/ug/getting-started/learn-eks.adoc b/latest/ug/getting-started/learn-eks.adoc index a7cb044bc..1631c12e8 100644 --- a/latest/ug/getting-started/learn-eks.adoc +++ b/latest/ug/getting-started/learn-eks.adoc @@ -8,6 +8,7 @@ include::../attributes.txt[] :info_title: Learn Amazon EKS by example :info_titleabbrev: Learn Amazon EKS :keywords: tutorial, workshop, developer, learn +:info_abstract: Find learning paths to extend your knowledge of Amazon EKS. :sectnums: :toc: left :icons: font diff --git a/latest/ug/getting-started/setting-up.adoc b/latest/ug/getting-started/setting-up.adoc index 253f8f5d3..036f89865 100644 --- a/latest/ug/getting-started/setting-up.adoc +++ b/latest/ug/getting-started/setting-up.adoc @@ -14,6 +14,7 @@ include::../attributes.txt[] :info_title: Set up to use Amazon EKS :info_titleabbrev: Set up :keywords: setting up, setup +:info_abstract: Set up the tools needed for creating and working with an Amazon EKS cluster. [abstract] -- diff --git a/latest/ug/integrations/creating-resources-with-cloudformation.adoc b/latest/ug/integrations/creating-resources-with-cloudformation.adoc index 8efc5fc6b..e936c6bfb 100644 --- a/latest/ug/integrations/creating-resources-with-cloudformation.adoc +++ b/latest/ug/integrations/creating-resources-with-cloudformation.adoc @@ -7,6 +7,7 @@ include::../attributes.txt[] :info_doctype: section :info_title: Create Amazon EKS resources with \ {aws} CloudFormation +:info_abstract: Learn about how to create resources for Amazon EKS using an {aws} CloudFormation \ template. [abstract] diff --git a/latest/ug/integrations/integration-detective.adoc b/latest/ug/integrations/integration-detective.adoc index 9fa6df1c3..038992f36 100644 --- a/latest/ug/integrations/integration-detective.adoc +++ b/latest/ug/integrations/integration-detective.adoc @@ -6,6 +6,7 @@ include::../attributes.txt[] = Analyze security events on EKS with Amazon Detective :info_doctype: section :info_title: Analyze security events on EKS with Amazon Detective +:info_abstract: Amazon Detective helps you analyze, investigate, and quickly identify the root cause \ of security findings or suspicious activities. :keywords: Amazon Detective diff --git a/latest/ug/integrations/integration-securitylake.adoc b/latest/ug/integrations/integration-securitylake.adoc index d206504a7..40588b762 100644 --- a/latest/ug/integrations/integration-securitylake.adoc +++ b/latest/ug/integrations/integration-securitylake.adoc @@ -6,6 +6,7 @@ include::../attributes.txt[] = Centralize and analyze EKS security data with Security Lake :info_doctype: section :info_title: Centralize and analyze EKS security data with Security Lake +:info_abstract: Amazon Security Lake integrates with Amazon EKS to provide a centralized and standardized \ solution for collecting, storing, and analyzing security data from clusters. By \ enabling EKS control plane logging and adding EKS logs as a source in Security Lake, \ users can gain valuable insights, detect potential threats, and enhance the \ diff --git a/latest/ug/manage-access/cluster-auth.adoc b/latest/ug/manage-access/cluster-auth.adoc index d6984b2a1..af75691bb 100644 --- a/latest/ug/manage-access/cluster-auth.adoc +++ b/latest/ug/manage-access/cluster-auth.adoc @@ -14,6 +14,7 @@ include::../attributes.txt[] :info_doctype: chapter :info_title: Learn how access control works in Amazon EKS :info_titleabbrev: Manage access +:info_abstract: Learn how to manage access to your EKS cluster. First, this includes granting \ developers or external services access to Kubernetes. Second, this includes granting \ Kubernetes workloads access to {aws} services. diff --git a/latest/ug/manage-access/create-kubeconfig.adoc b/latest/ug/manage-access/create-kubeconfig.adoc index c32106d49..7c480d368 100644 --- a/latest/ug/manage-access/create-kubeconfig.adoc +++ b/latest/ug/manage-access/create-kubeconfig.adoc @@ -7,6 +7,7 @@ include::../attributes.txt[] :info_doctype: section :info_title: Connect kubectl to an EKS cluster by creating a kubeconfig file :info_titleabbrev: Access cluster with kubectl +:info_abstract: Learn how to create or update a kubeconfig file for authenticating with your Amazon EKS cluster using kubectl. Follow prerequisites for required tools and permissions. [abstract] -- diff --git a/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc b/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc index da4018941..427812745 100644 --- a/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc +++ b/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc @@ -7,6 +7,7 @@ :info_doctype: section :info_title: Grant IAM users and roles access to Kubernetes APIs :info_titleabbrev: Grant access to Kubernetes APIs +:info_abstract: Learn how to grant access to Kubernetes APIs on Amazon EKS clusters using IAM roles, users, or OpenID Connect providers, and manage permissions with access entries or the aws-auth ConfigMap. include::../../attributes.txt[] diff --git a/latest/ug/manage-access/view-kubernetes-resources.adoc b/latest/ug/manage-access/view-kubernetes-resources.adoc index b4ef2a26a..7a66764b4 100644 --- a/latest/ug/manage-access/view-kubernetes-resources.adoc +++ b/latest/ug/manage-access/view-kubernetes-resources.adoc @@ -7,6 +7,7 @@ include::../attributes.txt[] :info_doctype: section :info_title: View Kubernetes resources in the {aws-management-console} :info_titleabbrev: Access cluster resources with console +:info_abstract: Learn how to view Kubernetes resources in the {aws-management-console}. [abstract] -- diff --git a/latest/ug/ml/inferentia-support.adoc b/latest/ug/ml/inferentia-support.adoc index cc0ac8b39..be85ead18 100644 --- a/latest/ug/ml/inferentia-support.adoc +++ b/latest/ug/ml/inferentia-support.adoc @@ -7,6 +7,7 @@ include::../attributes.txt[] :info_doctype: section :info_title: Use {aws} Inferentia instances with your EKS cluster for Machine Learning :info_titleabbrev: Prepare Inferentia clusters +:info_abstract: Learn how to create an Amazon EKS cluster with nodes running Amazon EC2 Inf1 instances for machine learning inference using {aws} Inferentia chips and deploy a TensorFlow Serving application. [abstract] -- diff --git a/latest/ug/ml/machine-learning-on-eks.adoc b/latest/ug/ml/machine-learning-on-eks.adoc index 147a1300a..3a1aaf863 100644 --- a/latest/ug/ml/machine-learning-on-eks.adoc +++ b/latest/ug/ml/machine-learning-on-eks.adoc @@ -15,6 +15,7 @@ include::../attributes.txt[] :info_title: Machine Learning on Amazon EKS Overview :info_titleabbrev: Machine Learning on EKS :keywords: Machine Learning, Amazon EKS, Artificial Intelligence +:info_abstract: Learn to manage containerized applications with Amazon EKS [abstract] -- diff --git a/latest/ug/ml/ml-get-started.adoc b/latest/ug/ml/ml-get-started.adoc index 9c20f6db0..6b11e983a 100644 --- a/latest/ug/ml/ml-get-started.adoc +++ b/latest/ug/ml/ml-get-started.adoc @@ -6,6 +6,7 @@ :info_doctype: section :info_title: Get started deploying Machine Learning tools on EKS :info_titleabbrev: Get started with ML +:info_abstract: Choose the Machine Learning on EKS tools and platforms that best suit your needs, then use quick start procedures to deploy them to the {aws} cloud. include::../attributes.txt[] diff --git a/latest/ug/ml/ml-prepare-for-cluster.adoc b/latest/ug/ml/ml-prepare-for-cluster.adoc index 94863c285..e813b68b5 100644 --- a/latest/ug/ml/ml-prepare-for-cluster.adoc +++ b/latest/ug/ml/ml-prepare-for-cluster.adoc @@ -6,6 +6,7 @@ :info_doctype: section :info_title: Prepare to create an EKS cluster for Machine Learning :info_titleabbrev: Prepare for ML +:info_abstract: Learn how to make decisions about CPU, AMIs, and tooling before creating an EKS cluster for ML. include::../attributes.txt[] diff --git a/latest/ug/ml/ml-tutorials.adoc b/latest/ug/ml/ml-tutorials.adoc index e02bfde4d..e040f88e8 100644 --- a/latest/ug/ml/ml-tutorials.adoc +++ b/latest/ug/ml/ml-tutorials.adoc @@ -6,6 +6,7 @@ :info_doctype: section :info_title: Try tutorials for deploying Machine Learning workloads and platforms on EKS :info_titleabbrev: Try tutorials for ML on EKS +:info_abstract: Learn how to deploy Machine Learning workloads on EKS include::../attributes.txt[] diff --git a/latest/ug/ml/node-efa.adoc b/latest/ug/ml/node-efa.adoc index 64151b8d5..934678c52 100644 --- a/latest/ug/ml/node-efa.adoc +++ b/latest/ug/ml/node-efa.adoc @@ -8,6 +8,7 @@ :info_title: Add Elastic Fabric \ Adapter to EKS clusters for ML training :info_titleabbrev: Prepare training clusters with EFA +:info_abstract: Learn how to integrate Elastic Fabric Adapter (EFA) with Amazon EKS to run machine \ learning training workloads requiring high inter-node communications at scale using \ p4d instances with GPUDirect RDMA and NVIDIA Collective Communications Library \ (NCCL). diff --git a/latest/ug/networking/creating-a-vpc.adoc b/latest/ug/networking/creating-a-vpc.adoc index 47369edd6..a776cd768 100644 --- a/latest/ug/networking/creating-a-vpc.adoc +++ b/latest/ug/networking/creating-a-vpc.adoc @@ -5,6 +5,7 @@ :info_doctype: section :info_title: Create an Amazon VPC for your Amazon EKS cluster :info_titleabbrev: Create a VPC +:info_abstract: Learn how to create an Amazon VPC for your cluster using an Amazon EKS provided {aws} CloudFormation \ template. include::../attributes.txt[] diff --git a/latest/ug/networking/network-reqs.adoc b/latest/ug/networking/network-reqs.adoc index 68c363b7a..fdebdfaec 100644 --- a/latest/ug/networking/network-reqs.adoc +++ b/latest/ug/networking/network-reqs.adoc @@ -5,6 +5,7 @@ :info_doctype: section :info_title: View Amazon EKS networking requirements for VPC and subnets :info_titleabbrev: VPC and subnet requirements +:info_abstract: Learn how to configure the VPC and subnets to meet networking \ requirements for creating Amazon EKS clusters with sufficient IP addresses, subnet \ types, and availability zones. Understand IP family usage by component and shared \ subnet considerations. diff --git a/latest/ug/networking/sec-group-reqs.adoc b/latest/ug/networking/sec-group-reqs.adoc index 4269dfe33..7eeed60a2 100644 --- a/latest/ug/networking/sec-group-reqs.adoc +++ b/latest/ug/networking/sec-group-reqs.adoc @@ -5,6 +5,7 @@ :info_doctype: section :info_title: View Amazon EKS security group requirements for clusters :info_titleabbrev: Security group requirements +:info_abstract: Learn how to manage security groups for Amazon EKS clusters, including default \ rules, restricting traffic, and required outbound access for nodes to function \ properly with your cluster. Understand key security group considerations for secure \ operation of your Kubernetes cluster on {aws}. diff --git a/latest/ug/nodes/choosing-instance-type.adoc b/latest/ug/nodes/choosing-instance-type.adoc index b98a0c42e..9b1fa8463 100644 --- a/latest/ug/nodes/choosing-instance-type.adoc +++ b/latest/ug/nodes/choosing-instance-type.adoc @@ -8,6 +8,7 @@ include::../attributes.txt[] :info_title: Choose an optimal Amazon EC2 node instance type :info_titleabbrev: Amazon EC2 instance types :keywords: choose, select, instance, type, family, group, max-pods, max pods, maximum pods +:info_abstract: Each Amazon EC2 instance type offers different compute, memory, storage, and network \ capabilities. [abstract] diff --git a/latest/ug/nodes/eks-compute.adoc b/latest/ug/nodes/eks-compute.adoc index b1681385f..de8b52a55 100644 --- a/latest/ug/nodes/eks-compute.adoc +++ b/latest/ug/nodes/eks-compute.adoc @@ -13,6 +13,7 @@ :info_title: Manage compute resources by using nodes :info_titleabbrev: Manage compute :keywords: nodes, node groups +:info_abstract: Your Amazon EKS cluster can schedule Pods on any combination of self-managed nodes, Amazon EKS managed node groups, and Fargate in the {aws} Cloud and hybrid nodes on-premises. include::../attributes.txt[] diff --git a/latest/ug/nodes/eks-optimized-amis.adoc b/latest/ug/nodes/eks-optimized-amis.adoc index 068124bf2..f7dccea02 100644 --- a/latest/ug/nodes/eks-optimized-amis.adoc +++ b/latest/ug/nodes/eks-optimized-amis.adoc @@ -6,6 +6,7 @@ :info_title: Create nodes with pre-built optimized images :info_titleabbrev: Pre-built optimized AMIs :keywords: optimized, custom, AMI +:info_abstract: You can deploy nodes with pre-built Amazon EKS optimized Amazon Machine Images (AMIs) or your own custom \ AMIs include::../attributes.txt[] diff --git a/latest/ug/nodes/fargate.adoc b/latest/ug/nodes/fargate.adoc index a77c7395d..50203bf51 100644 --- a/latest/ug/nodes/fargate.adoc +++ b/latest/ug/nodes/fargate.adoc @@ -8,6 +8,7 @@ include::../attributes.txt[] :info_title: Simplify compute management with {aws} Fargate :info_titleabbrev: {aws} Fargate :keywords: Fargate, nodes +:info_abstract: This topic discusses using Amazon EKS to run Kubernetes Pods on {aws} Fargate. [abstract] -- diff --git a/latest/ug/nodes/hybrid-nodes-add-ons.adoc b/latest/ug/nodes/hybrid-nodes-add-ons.adoc index a10cbbe5e..317b2d471 100644 --- a/latest/ug/nodes/hybrid-nodes-add-ons.adoc +++ b/latest/ug/nodes/hybrid-nodes-add-ons.adoc @@ -6,6 +6,7 @@ :info_title: Configure common add-ons for hybrid nodes :info_titleabbrev: Configure add-ons :keywords: add-ons for on-premises nodes, add-ons for hybrid nodes +:info_abstract: Configure common add-ons for hybrid nodes include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc index d61b31b93..ac7c0337d 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc @@ -6,6 +6,7 @@ :info_title: Create an Amazon EKS cluster with hybrid nodes :info_titleabbrev: Create cluster :keywords: on-premises, hybrid +:info_abstract: Create an Amazon EKS cluster with hybrid nodes include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc b/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc index 80461bafa..793c196c0 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc @@ -4,6 +4,7 @@ = Prepare cluster access for hybrid nodes :info_title: Prepare cluster access for hybrid nodes :info_titleabbrev: Prepare cluster access +:info_abstract: Prepare cluster access for hybrid nodes [abstract] -- diff --git a/latest/ug/nodes/hybrid-nodes-cni.adoc b/latest/ug/nodes/hybrid-nodes-cni.adoc index 8522c7c8f..465a94f16 100644 --- a/latest/ug/nodes/hybrid-nodes-cni.adoc +++ b/latest/ug/nodes/hybrid-nodes-cni.adoc @@ -6,6 +6,7 @@ :info_title: Configure a CNI for hybrid nodes :info_titleabbrev: Configure CNI :keywords: on-premises CNI, hybrid CNI +:info_abstract: Configure a CNI for Amazon EKS hybrid nodes include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-join.adoc b/latest/ug/nodes/hybrid-nodes-join.adoc index 4e6ac853f..37db4d870 100644 --- a/latest/ug/nodes/hybrid-nodes-join.adoc +++ b/latest/ug/nodes/hybrid-nodes-join.adoc @@ -6,6 +6,7 @@ :info_title: Connect hybrid nodes to Amazon EKS cluster :info_titleabbrev: Connect hybrid nodes :keywords: on-premises, hybrid +:info_abstract: Connect hybrid nodes to Amazon EKS cluster include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-networking.adoc b/latest/ug/nodes/hybrid-nodes-networking.adoc index b2a241c81..69cd37d74 100644 --- a/latest/ug/nodes/hybrid-nodes-networking.adoc +++ b/latest/ug/nodes/hybrid-nodes-networking.adoc @@ -6,6 +6,7 @@ :info_title: Prepare networking for hybrid nodes :info_titleabbrev: Prepare networking :keywords: on-premises, hybrid +:info_abstract: Prepare networking include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc index 87f1f0dbb..1e07b179a 100644 --- a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc +++ b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc @@ -6,6 +6,7 @@ :info_title: Hybrid nodes nodeadm reference :info_titleabbrev: Hybrid nodes nodeadm reference :keywords: on-premises, hybrid +:info_abstract: Hybrid nodes nodeadm reference include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-os.adoc b/latest/ug/nodes/hybrid-nodes-os.adoc index 6db6305ec..60be83bd0 100644 --- a/latest/ug/nodes/hybrid-nodes-os.adoc +++ b/latest/ug/nodes/hybrid-nodes-os.adoc @@ -6,6 +6,7 @@ :info_title: Prepare operating system for hybrid nodes :info_titleabbrev: Prepare operating system :keywords: on-premises, hybrid +:info_abstract: Prepare operating system for hybrid nodes include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-prereqs.adoc b/latest/ug/nodes/hybrid-nodes-prereqs.adoc index 1bd3677c3..4f8711190 100644 --- a/latest/ug/nodes/hybrid-nodes-prereqs.adoc +++ b/latest/ug/nodes/hybrid-nodes-prereqs.adoc @@ -6,6 +6,7 @@ :info_title: Prerequisite setup for hybrid nodes :info_titleabbrev: Prerequisites :keywords: on-premises prerequisites, hybrid prerequisites +:info_abstract: Prerequisites and requirements for Amazon EKS hybrid nodes include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-proxy.adoc b/latest/ug/nodes/hybrid-nodes-proxy.adoc index fa4e74605..e9053a4ae 100644 --- a/latest/ug/nodes/hybrid-nodes-proxy.adoc +++ b/latest/ug/nodes/hybrid-nodes-proxy.adoc @@ -6,6 +6,7 @@ :info_title: Configure proxy for hybrid nodes :info_titleabbrev: Configure proxy :keywords: on-premises proxy, hybrid proxy +:info_abstract: Configure HTTP/S proxies for Amazon EKS hybrid nodes include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-remove.adoc b/latest/ug/nodes/hybrid-nodes-remove.adoc index 0ada802c5..bed35c5cd 100644 --- a/latest/ug/nodes/hybrid-nodes-remove.adoc +++ b/latest/ug/nodes/hybrid-nodes-remove.adoc @@ -6,6 +6,7 @@ :info_title: Delete hybrid nodes from your EKS cluster :info_titleabbrev: Delete hybrid nodes :keywords: Delete hybrid nodes from your EKS cluster +:info_abstract: Delete hybrid nodes from your EKS cluster include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc index 6ed4babe0..30293b86a 100644 --- a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc +++ b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc @@ -6,6 +6,7 @@ :info_title: Troubleshooting hybrid nodes :info_titleabbrev: Troubleshooting :keywords: on-premises, hybrid +:info_abstract: Amazon EKS hybrid nodes include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-tutorial.adoc b/latest/ug/nodes/hybrid-nodes-tutorial.adoc index a7c4b942a..dfb1817ad 100644 --- a/latest/ug/nodes/hybrid-nodes-tutorial.adoc +++ b/latest/ug/nodes/hybrid-nodes-tutorial.adoc @@ -6,6 +6,7 @@ :info_title: Run and manage hybrid nodes :info_titleabbrev: Run hybrid nodes :keywords: on-premises, hybrid +:info_abstract: Amazon EKS hybrid nodes include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-upgrade.adoc b/latest/ug/nodes/hybrid-nodes-upgrade.adoc index c1c884192..e856544a4 100644 --- a/latest/ug/nodes/hybrid-nodes-upgrade.adoc +++ b/latest/ug/nodes/hybrid-nodes-upgrade.adoc @@ -6,6 +6,7 @@ :info_title: Upgrade hybrid nodes for your cluster :info_titleabbrev: Upgrade hybrid nodes :keywords: upgrade on-premises nodes, upgrade hybrid nodes +:info_abstract: Upgrade Kubernetes versions on hybrid nodes include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes.adoc b/latest/ug/nodes/hybrid-nodes.adoc index a596610e1..dc678f56d 100644 --- a/latest/ug/nodes/hybrid-nodes.adoc +++ b/latest/ug/nodes/hybrid-nodes.adoc @@ -6,6 +6,7 @@ :info_title: Amazon EKS Hybrid Nodes overview :info_titleabbrev: Hybrid nodes :keywords: on-premises, hybrid +:info_abstract: Amazon EKS Hybrid Nodes overview include::../attributes.txt[] diff --git a/latest/ug/nodes/managed-node-groups.adoc b/latest/ug/nodes/managed-node-groups.adoc index 33767b5e3..b48631f88 100644 --- a/latest/ug/nodes/managed-node-groups.adoc +++ b/latest/ug/nodes/managed-node-groups.adoc @@ -6,6 +6,7 @@ :info_title: Simplify node lifecycle with managed node groups :info_titleabbrev: Managed node groups :keywords: managed node group, MNG +:info_abstract: Amazon EKS managed node groups automate the provisioning and lifecycle management of \ nodes (Amazon EC2 instances) for Amazon EKS Kubernetes clusters. include::../attributes.txt[] diff --git a/latest/ug/nodes/worker.adoc b/latest/ug/nodes/worker.adoc index 8d258c791..747613458 100644 --- a/latest/ug/nodes/worker.adoc +++ b/latest/ug/nodes/worker.adoc @@ -6,6 +6,7 @@ :info_title: Maintain nodes yourself with self-managed nodes :info_titleabbrev: Self-managed nodes :keywords: self-managed, node +:info_abstract: A cluster contains one or more Amazon EC2 nodes that Pods are scheduled on. include::../attributes.txt[] diff --git a/latest/ug/observability/control-plane-logs.adoc b/latest/ug/observability/control-plane-logs.adoc index 3b3d23029..45651d68d 100644 --- a/latest/ug/observability/control-plane-logs.adoc +++ b/latest/ug/observability/control-plane-logs.adoc @@ -8,6 +8,7 @@ include::../attributes.txt[] :info_title: Send control plane logs to CloudWatch Logs :info_titleabbrev: Control plane logs :keywords: control plane, logging, API, logs +:info_abstract: Learn how to configure logging for your Amazon EKS cluster. [abstract] -- diff --git a/latest/ug/observability/eks-observe.adoc b/latest/ug/observability/eks-observe.adoc index 19d615d40..463c58f04 100644 --- a/latest/ug/observability/eks-observe.adoc +++ b/latest/ug/observability/eks-observe.adoc @@ -14,6 +14,7 @@ include::../attributes.txt[] :info_title: Monitor your cluster performance and view logs :info_titleabbrev: Monitor clusters :keywords: observability, monitoring, logging, logs, data +:info_abstract: You can observe your data in Amazon EKS using many available monitoring or logging \ tools. [abstract] diff --git a/latest/ug/observability/logging-using-cloudtrail.adoc b/latest/ug/observability/logging-using-cloudtrail.adoc index 1e25386f9..4136d6e62 100644 --- a/latest/ug/observability/logging-using-cloudtrail.adoc +++ b/latest/ug/observability/logging-using-cloudtrail.adoc @@ -8,6 +8,7 @@ include::../attributes.txt[] :info_title: Log API calls as {aws} CloudTrail events :info_titleabbrev: {aws} CloudTrail :keywords: logging, API calls, {aws} CloudTrail +:info_abstract: Learn about logging Amazon EKS with {aws} CloudTrail. [abstract] -- diff --git a/latest/ug/observability/observability-dashboard.adoc b/latest/ug/observability/observability-dashboard.adoc index 2a9375324..cb949d4cc 100644 --- a/latest/ug/observability/observability-dashboard.adoc +++ b/latest/ug/observability/observability-dashboard.adoc @@ -6,6 +6,7 @@ :info_doctype: section :info_titleabbrev: Observability dashboard :keywords: observability, dashboard +:info_abstract: Learn how to configure logging for your Amazon EKS cluster. include::../attributes.txt[] diff --git a/latest/ug/observability/opentelemetry.adoc b/latest/ug/observability/opentelemetry.adoc index c76514a11..7345cd7fa 100644 --- a/latest/ug/observability/opentelemetry.adoc +++ b/latest/ug/observability/opentelemetry.adoc @@ -8,6 +8,7 @@ include::../attributes.txt[] :info_title: Send metric and trace data with ADOT Operator :info_titleabbrev: ADOT Operator :keywords: ADOT +:info_abstract: The {aws} Distro for OpenTelemetry (ADOT) Operator makes it easier to enable your \ applications running on Amazon EKS to send metric and trace data to multiple monitoring service \ options. diff --git a/latest/ug/observability/prometheus.adoc b/latest/ug/observability/prometheus.adoc index 9ac6a2f91..de795dc4c 100644 --- a/latest/ug/observability/prometheus.adoc +++ b/latest/ug/observability/prometheus.adoc @@ -8,6 +8,7 @@ include::../attributes.txt[] :info_title: Monitor your cluster metrics with Prometheus :info_titleabbrev: Prometheus metrics :keywords: Prometheus, metrics, control plane +:info_abstract: This topic explains how to deploy Prometheus and some of the ways \ that you can use it to view and analyze what your cluster is doing. [abstract] diff --git a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc index f9b424aa0..d16c40965 100644 --- a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc +++ b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc @@ -8,6 +8,7 @@ include::../attributes.txt[] :info_title: Create Amazon Linux nodes on {aws} Outposts :info_titleabbrev: Nodes :keywords: launch, start, self-managed, Linux, node +:info_abstract: Learn how to launch Auto Scaling groups of Amazon Linux nodes on an Outpost that register with \ your Amazon EKS cluster. The cluster can be on the {aws} Cloud or on an Outpost. [abstract] diff --git a/latest/ug/outposts/eks-outposts.adoc b/latest/ug/outposts/eks-outposts.adoc index 3ff1e013d..13a940afc 100644 --- a/latest/ug/outposts/eks-outposts.adoc +++ b/latest/ug/outposts/eks-outposts.adoc @@ -14,6 +14,7 @@ include::../attributes.txt[] :info_title: Deploy Amazon EKS on-premises with {aws} Outposts :info_titleabbrev: Amazon EKS on {aws} Outposts :keywords: Amazon EKS, {aws} Outposts, extended clusters, local clusters +:info_abstract: Learn to deploy Amazon EKS on {aws} Outposts for local or extended clusters to run on-premises Kubernetes applications with a fully managed control plane. [abstract] -- diff --git a/latest/ug/quickstart.adoc b/latest/ug/quickstart.adoc index 841d034f0..475439e67 100644 --- a/latest/ug/quickstart.adoc +++ b/latest/ug/quickstart.adoc @@ -6,6 +6,7 @@ :info_title: Quickstart: Deploy a web app and store data :info_titleabbrev: Quickstart :keywords: quickstart, web, cluster +:info_abstract: Deploy a game application and persist its data on Amazon EKS include::attributes.txt[] diff --git a/latest/ug/related-projects.adoc b/latest/ug/related-projects.adoc index 8b559cd16..7f68f7e77 100644 --- a/latest/ug/related-projects.adoc +++ b/latest/ug/related-projects.adoc @@ -13,6 +13,7 @@ include::attributes.txt[] :info_doctype: chapter :info_title: Extend Amazon EKS capabilities with open source projects :info_titleabbrev: Projects related to Amazon EKS +:info_abstract: Learn how to use open source projects to add features to Amazon EKS for management, networking, machine learning, auto-scaling, monitoring, and CI/CD. [abstract] -- diff --git a/latest/ug/roadmap.adoc b/latest/ug/roadmap.adoc index a6f21585b..227222e7b 100644 --- a/latest/ug/roadmap.adoc +++ b/latest/ug/roadmap.adoc @@ -14,6 +14,7 @@ include::attributes.txt[] :info_doctype: chapter :info_title: Learn about Amazon EKS new features and roadmap :info_titleabbrev: New features and roadmap +:info_abstract: Follow the What's New feed and public roadmap to help plan for new and future Amazon EKS developments. [abstract] -- diff --git a/latest/ug/storage/csi-snapshot-controller.adoc b/latest/ug/storage/csi-snapshot-controller.adoc index 6b8ea7a68..535880c62 100644 --- a/latest/ug/storage/csi-snapshot-controller.adoc +++ b/latest/ug/storage/csi-snapshot-controller.adoc @@ -8,6 +8,7 @@ include::../attributes.txt[] :info_title: Enable snapshot functionality for CSI volumes :info_titleabbrev: CSI snapshot controller :keywords: CSI, snapshot, controller +:info_abstract: The Container Storage Interface (CSI) snapshot controller enables the use of \ snapshot functionality in compatible CSI drivers, such as the Amazon EBS CSI \ driver. diff --git a/latest/ug/storage/ebs-csi-migration-faq.adoc b/latest/ug/storage/ebs-csi-migration-faq.adoc index 052944ee4..892450906 100644 --- a/latest/ug/storage/ebs-csi-migration-faq.adoc +++ b/latest/ug/storage/ebs-csi-migration-faq.adoc @@ -9,6 +9,7 @@ include::../attributes.txt[] questions :info_titleabbrev: EBS CSI migration FAQ :keywords: Amazon EBS CSI driver, storage, CSI migration +:info_abstract: The Amazon EBS container storage interface migration feature is enabled by default on \ Amazon EKS 1.23 and later clusters. Learn answers to frequently asked \ questions about the feature and how it works with 1.23 and later \ clusters. diff --git a/latest/ug/storage/ebs-csi.adoc b/latest/ug/storage/ebs-csi.adoc index c2ff4e42c..726a2352f 100644 --- a/latest/ug/storage/ebs-csi.adoc +++ b/latest/ug/storage/ebs-csi.adoc @@ -8,6 +8,7 @@ include::../attributes.txt[] :info_title: Store Kubernetes volumes with Amazon EBS :info_titleabbrev: Amazon EBS :keywords: Amazon EBS CSI driver, storage +:info_abstract: The Amazon Elastic Block Store (Amazon EBS) Container Storage Interface (CSI) driver manages the \ lifecycle of Amazon EBS volumes as storage for Kubernetes Volumes. [abstract] diff --git a/latest/ug/storage/file-cache-csi.adoc b/latest/ug/storage/file-cache-csi.adoc index 4d75500ac..fcffabe03 100644 --- a/latest/ug/storage/file-cache-csi.adoc +++ b/latest/ug/storage/file-cache-csi.adoc @@ -8,6 +8,7 @@ include::../attributes.txt[] :info_title: Minimize latency with Amazon File Cache :info_titleabbrev: Amazon File Cache :keywords: Amazon File Cache CSI driver, storage +:info_abstract: The Amazon File Cache Container Storage Interface (CSI) driver provides a CSI \ interface that allows Amazon EKS clusters to manage the life cycle of Amazon file \ caches. diff --git a/latest/ug/storage/fsx-csi.adoc b/latest/ug/storage/fsx-csi.adoc index 846bfd72d..11f55821a 100644 --- a/latest/ug/storage/fsx-csi.adoc +++ b/latest/ug/storage/fsx-csi.adoc @@ -8,6 +8,7 @@ include::../attributes.txt[] :info_title: Store high-performance apps with FSx for Lustre :info_titleabbrev: Amazon FSx for Lustre :keywords: Amazon FSx for Lustre CSI driver, storage +:info_abstract: The FSx for Lustre Container Storage Interface (CSI) driver provides a CSI interface \ that allows Amazon EKS clusters to manage the lifecycle of FSx for Lustre file \ systems. diff --git a/latest/ug/storage/fsx-ontap.adoc b/latest/ug/storage/fsx-ontap.adoc index 27b9aef0d..eacbd3bac 100644 --- a/latest/ug/storage/fsx-ontap.adoc +++ b/latest/ug/storage/fsx-ontap.adoc @@ -8,6 +8,7 @@ include::../attributes.txt[] :info_title: Store high-performance apps with FSx for NetApp ONTAP :info_titleabbrev: Amazon FSx for NetApp ONTAP :keywords: Amazon FSx for NetApp ONTAP CSI driver, storage +:info_abstract: NetApp's \ NetApp Trident allows Amazon EKS clusters to manage the lifecycle of \ persistent volumes (PVs) backed by Amazon FSx for NetApp ONTAP file systems. diff --git a/latest/ug/storage/fsx-openzfs-csi.adoc b/latest/ug/storage/fsx-openzfs-csi.adoc index 3b7cad7dd..53963c5ef 100644 --- a/latest/ug/storage/fsx-openzfs-csi.adoc +++ b/latest/ug/storage/fsx-openzfs-csi.adoc @@ -8,6 +8,7 @@ include::../attributes.txt[] :info_title: Store data using Amazon FSx for OpenZFS :info_titleabbrev: Amazon FSx for OpenZFS :keywords: Amazon FSx for OpenZFS CSI driver, storage +:info_abstract: The Amazon FSx for OpenZFS Container Storage Interface (CSI) driver provides a CSI \ interface that allows Amazon EKS clusters to manage the life cycle of Amazon FSx for OpenZFS \ volumes. diff --git a/latest/ug/storage/s3-csi.adoc b/latest/ug/storage/s3-csi.adoc index 3abf5e8a5..f7b080538 100644 --- a/latest/ug/storage/s3-csi.adoc +++ b/latest/ug/storage/s3-csi.adoc @@ -8,6 +8,7 @@ include::../attributes.txt[] :info_title: Access Amazon S3 objects with Mountpoint for Amazon S3 CSI driver :info_titleabbrev: Mountpoint for Amazon S3 :keywords: Mountpoint for Amazon S3 CSI driver, storage +:info_abstract: Learn about the Amazon S3 Container Storage Interface (CSI) driver, which provides a \ CSI interface for managing Amazon S3 files and buckets. [abstract] diff --git a/latest/ug/storage/storage.adoc b/latest/ug/storage/storage.adoc index a1c45264e..0c4b037c0 100644 --- a/latest/ug/storage/storage.adoc +++ b/latest/ug/storage/storage.adoc @@ -14,6 +14,7 @@ include::../attributes.txt[] :info_title: Store application data for your cluster :info_titleabbrev: Store app data :keywords: persistent, data, app, storage +:info_abstract: This chapter covers storage options for Amazon EKS clusters. [abstract] -- diff --git a/latest/ug/troubleshooting/troubleshooting.adoc b/latest/ug/troubleshooting/troubleshooting.adoc index 50c83df78..e2a1ff955 100644 --- a/latest/ug/troubleshooting/troubleshooting.adoc +++ b/latest/ug/troubleshooting/troubleshooting.adoc @@ -13,6 +13,7 @@ :info_title: Troubleshoot problems with Amazon EKS clusters and nodes :info_titleabbrev: Troubleshooting :keywords: troubleshooting, help, FAQ +:info_abstract: This chapter covers some common errors that you may see while using Amazon EKS and how \ to work around them. include::../attributes.txt[] diff --git a/latest/ug/what-is/common-use-cases.adoc b/latest/ug/what-is/common-use-cases.adoc index ad6497389..cb382dbf1 100644 --- a/latest/ug/what-is/common-use-cases.adoc +++ b/latest/ug/what-is/common-use-cases.adoc @@ -8,6 +8,7 @@ include::../attributes.txt[] :info_title: Common use cases in Amazon EKS :info_titleabbrev: Common use cases :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, use cases, summary, description +:info_abstract: Discover how Amazon EKS helps deploy highly available containerized applications, build microservices architectures, automate software release processes, run serverless applications, execute machine learning workloads, deploy consistently on-premises and in the cloud, process big data cost-effectively, and ensure security and compliance. [abstract] -- diff --git a/latest/ug/what-is/eks-architecture.adoc b/latest/ug/what-is/eks-architecture.adoc index e2f0c090c..6fb916dcf 100644 --- a/latest/ug/what-is/eks-architecture.adoc +++ b/latest/ug/what-is/eks-architecture.adoc @@ -8,6 +8,7 @@ include::../attributes.txt[] :info_title: Amazon EKS architecture :info_titleabbrev: Architecture :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, architecture, control plane, nodes, data plane +:info_abstract: Learn how Amazon EKS aligns with Kubernetes cluster architecture, offering a highly available and resilient control plane, and flexible compute options like {aws} Fargate, Karpenter, managed node groups, and self-managed nodes to meet diverse workload requirements. [abstract] -- diff --git a/latest/ug/what-is/eks-deployment-options.adoc b/latest/ug/what-is/eks-deployment-options.adoc index 7419467ec..ba61dcac4 100644 --- a/latest/ug/what-is/eks-deployment-options.adoc +++ b/latest/ug/what-is/eks-deployment-options.adoc @@ -6,6 +6,7 @@ :info_title: Deploy Amazon EKS clusters across cloud and on-premises environments :info_titleabbrev: Deployment options :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, deployment, options, comparison +:info_abstract: Learn to deploy Kubernetes clusters with Amazon EKS across cloud and on-premises environments to meet your operational needs, while leveraging {aws} services and support. include::../attributes.txt[] diff --git a/latest/ug/what-is/kubernetes-concepts.adoc b/latest/ug/what-is/kubernetes-concepts.adoc index a79f04349..c583f8d3e 100644 --- a/latest/ug/what-is/kubernetes-concepts.adoc +++ b/latest/ug/what-is/kubernetes-concepts.adoc @@ -8,6 +8,7 @@ include::../attributes.txt[] :info_title: Kubernetes concepts :info_titleabbrev: Kubernetes concepts :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, architecture, control plane, nodes, data plane +:info_abstract: Learn core Kubernetes concepts and how they relate to deploying workloads, managing clusters, and working with control planes, nodes, Pods, containers, and networking on Amazon EKS. [abstract] -- diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index 4815ab966..ad3c14ea1 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -15,10 +15,11 @@ include::../attributes.txt[] :info_title: What is Amazon EKS? :info_titleabbrev: What is Amazon EKS? :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, about, summary, description +:info_abstract: Learn to manage containerized applications with Amazon EKS [abstract] -- -Learn to manage containerized applications with Amazon EKS. +Learn to manage containerized applications with Amazon EKS -- Amazon Elastic Kubernetes Service (Amazon EKS) is a managed Kubernetes service that eliminates the need to operate and maintain the availability and scalability of Kubernetes clusters in Amazon Web Services ({aws}) and in your own data centers. https://kubernetes.io/docs/concepts/overview/[Kubernetes] is an open source system that automates the management, scaling, and deployment of containerized applications. To get started, see the <> page in the Amazon EKS User Guide. diff --git a/latest/ug/workloads/alb-ingress.adoc b/latest/ug/workloads/alb-ingress.adoc index b95e0a718..d097b58ef 100644 --- a/latest/ug/workloads/alb-ingress.adoc +++ b/latest/ug/workloads/alb-ingress.adoc @@ -5,6 +5,7 @@ :info_doctype: section :info_title: Route application and HTTP traffic with Application Load Balancers :info_titleabbrev: Application load balancing +:info_abstract: Learn how to use Application Load Balancing on Amazon EKS to load balance application traffic at L7 with {aws} Load Balancer Controller. include::../attributes.txt[] diff --git a/latest/ug/workloads/eks-add-ons.adoc b/latest/ug/workloads/eks-add-ons.adoc index 8de8312a3..0ad07fb1d 100644 --- a/latest/ug/workloads/eks-add-ons.adoc +++ b/latest/ug/workloads/eks-add-ons.adoc @@ -7,6 +7,7 @@ :info_title: Amazon EKS add-ons :info_titleabbrev: Amazon EKS add-ons :keywords: managed, add-ons, plugins +:info_abstract: Learn how to manage operational software add-ons on Amazon EKS clusters with Amazon EKS add-ons for observability, networking, storage, and security from {aws} and third-party vendors. include::../attributes.txt[] diff --git a/latest/ug/workloads/horizontal-pod-autoscaler.adoc b/latest/ug/workloads/horizontal-pod-autoscaler.adoc index 3b36a46d8..ce25b2c06 100644 --- a/latest/ug/workloads/horizontal-pod-autoscaler.adoc +++ b/latest/ug/workloads/horizontal-pod-autoscaler.adoc @@ -7,6 +7,7 @@ include::../attributes.txt[] :info_doctype: section :info_title: Scale pod deployments with Horizontal Pod Autoscaler :info_titleabbrev: Horizontal Pod Autoscaler +:info_abstract: Learn how to use the Kubernetes Horizontal Pod Autoscaler to automatically scale your Amazon EKS deployments based on CPU utilization for efficient resource management. [abstract] -- diff --git a/latest/ug/workloads/image-verification.adoc b/latest/ug/workloads/image-verification.adoc index 54868bf88..8557afaf6 100644 --- a/latest/ug/workloads/image-verification.adoc +++ b/latest/ug/workloads/image-verification.adoc @@ -7,6 +7,7 @@ include::../attributes.txt[] :info_doctype: section :info_title: Validate container image signatures during deployment :info_titleabbrev: Verify container images +:info_abstract: Learn how to verify signed container images during deployment on Amazon EKS using admission controllers like Gatekeeper with Ratify or Kyverno configured with {aws} Signer plugins for validating image signatures. [abstract] -- diff --git a/latest/ug/workloads/network-load-balancing.adoc b/latest/ug/workloads/network-load-balancing.adoc index 34f203875..3b71b4f1b 100644 --- a/latest/ug/workloads/network-load-balancing.adoc +++ b/latest/ug/workloads/network-load-balancing.adoc @@ -5,6 +5,7 @@ :info_doctype: section :info_title: Route TCP and UDP traffic with Network Load Balancers :info_titleabbrev: Network load balancing +:info_abstract: Use the {aws} Load Balancer Controller to create network load balancers for Amazon EKS workloads, supporting IP and instance targets with {aws} Network Load Balancers. include::../attributes.txt[] diff --git a/latest/ug/workloads/vertical-pod-autoscaler.adoc b/latest/ug/workloads/vertical-pod-autoscaler.adoc index bf07a97a8..77a0ce920 100644 --- a/latest/ug/workloads/vertical-pod-autoscaler.adoc +++ b/latest/ug/workloads/vertical-pod-autoscaler.adoc @@ -7,6 +7,7 @@ include::../attributes.txt[] :info_doctype: section :info_title: Adjust pod resources with Vertical Pod Autoscaler :info_titleabbrev: Vertical Pod Autoscaler +:info_abstract: Discover how the Kubernetes Vertical Pod Autoscaler automatically adjusts CPU and memory reservations for your Pods to optimize resource utilization and right-size applications on Amazon EKS. [abstract] -- From 98659d7352e620580b9ef686dbef27319d550ce2 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Thu, 23 Jan 2025 21:44:29 +0000 Subject: [PATCH 044/940] Globally removed multi-line abstract metadata in favor of block syntax. --- latest/ug/automode/associate-workload.adoc | 1 - latest/ug/automode/auto-elb-example.adoc | 1 - latest/ug/automode/auto-enable-existing.adoc | 1 - latest/ug/automode/auto-glossary.adoc | 1 - latest/ug/automode/auto-migrate-karpenter.adoc | 1 - latest/ug/automode/auto-migrate-mng.adoc | 1 - latest/ug/automode/auto-mng.adoc | 1 - latest/ug/automode/auto-networking.adoc | 1 - latest/ug/automode/auto-reference.adoc | 1 - latest/ug/automode/auto-troubleshoot.adoc | 1 - latest/ug/automode/auto-workloads.adoc | 1 - latest/ug/automode/automode-get-started-cli.adoc | 1 - latest/ug/automode/automode-get-started-console.adoc | 1 - latest/ug/automode/automode-get-started-eksctl.adoc | 1 - latest/ug/automode/automode-learn-instances.adoc | 1 - latest/ug/automode/automode-workload.adoc | 1 - latest/ug/automode/automode.adoc | 1 - latest/ug/automode/create-auto.adoc | 1 - latest/ug/automode/migrate-auto.adoc | 1 - latest/ug/automode/sample-storage-workload.adoc | 1 - latest/ug/automode/settings-auto.adoc | 1 - latest/ug/book.adoc | 4 ---- latest/ug/clusters/autoscaling.adoc | 1 - latest/ug/clusters/cluster-endpoint.adoc | 1 - latest/ug/clusters/create-cluster-auto.adoc | 1 - latest/ug/clusters/create-cluster.adoc | 1 - latest/ug/clusters/delete-cluster.adoc | 1 - latest/ug/clusters/kubernetes-versions.adoc | 3 --- latest/ug/clusters/management/cost-monitoring.adoc | 1 - latest/ug/clusters/management/eks-using-tags.adoc | 1 - latest/ug/clusters/management/helm.adoc | 1 - latest/ug/clusters/management/metrics-server.adoc | 1 - latest/ug/clusters/management/service-quotas.adoc | 1 - latest/ug/clusters/private-clusters.adoc | 1 - latest/ug/clusters/update-cluster.adoc | 1 - latest/ug/clusters/windows-support.adoc | 2 -- latest/ug/connector/connecting-cluster.adoc | 1 - latest/ug/connector/connector-grant-access.adoc | 1 - latest/ug/connector/deregister-connected-cluster.adoc | 1 - latest/ug/connector/eks-connector.adoc | 1 - latest/ug/connector/security-connector.adoc | 3 --- latest/ug/connector/troubleshooting-connector.adoc | 1 - latest/ug/connector/tsc-faq.adoc | 1 - latest/ug/doc-history.adoc | 2 -- latest/ug/getting-started/getting-started-automode.adoc | 1 - latest/ug/getting-started/getting-started-console.adoc | 2 -- latest/ug/getting-started/getting-started-eksctl.adoc | 2 -- latest/ug/getting-started/getting-started.adoc | 1 - latest/ug/getting-started/install-awscli.adoc | 2 -- latest/ug/getting-started/install-kubectl.adoc | 2 -- latest/ug/getting-started/learn-eks.adoc | 1 - latest/ug/getting-started/setting-up.adoc | 1 - .../integrations/creating-resources-with-cloudformation.adoc | 2 -- latest/ug/integrations/integration-detective.adoc | 2 -- latest/ug/integrations/integration-securitylake.adoc | 5 ----- latest/ug/manage-access/cluster-auth.adoc | 3 --- latest/ug/manage-access/create-kubeconfig.adoc | 1 - latest/ug/manage-access/k8s-access/grant-k8s-access.adoc | 1 - latest/ug/manage-access/view-kubernetes-resources.adoc | 1 - latest/ug/ml/inferentia-support.adoc | 1 - latest/ug/ml/machine-learning-on-eks.adoc | 1 - latest/ug/ml/ml-get-started.adoc | 1 - latest/ug/ml/ml-prepare-for-cluster.adoc | 1 - latest/ug/ml/ml-tutorials.adoc | 1 - latest/ug/ml/node-efa.adoc | 4 ---- latest/ug/networking/creating-a-vpc.adoc | 2 -- latest/ug/networking/network-reqs.adoc | 4 ---- latest/ug/networking/sec-group-reqs.adoc | 4 ---- latest/ug/nodes/choosing-instance-type.adoc | 2 -- latest/ug/nodes/eks-compute.adoc | 1 - latest/ug/nodes/eks-optimized-amis.adoc | 2 -- latest/ug/nodes/fargate.adoc | 1 - latest/ug/nodes/hybrid-nodes-add-ons.adoc | 1 - latest/ug/nodes/hybrid-nodes-cluster-create.adoc | 1 - latest/ug/nodes/hybrid-nodes-cluster-prep.adoc | 1 - latest/ug/nodes/hybrid-nodes-cni.adoc | 1 - latest/ug/nodes/hybrid-nodes-join.adoc | 1 - latest/ug/nodes/hybrid-nodes-networking.adoc | 1 - latest/ug/nodes/hybrid-nodes-nodeadm.adoc | 1 - latest/ug/nodes/hybrid-nodes-os.adoc | 1 - latest/ug/nodes/hybrid-nodes-prereqs.adoc | 1 - latest/ug/nodes/hybrid-nodes-proxy.adoc | 1 - latest/ug/nodes/hybrid-nodes-remove.adoc | 1 - latest/ug/nodes/hybrid-nodes-troubleshooting.adoc | 1 - latest/ug/nodes/hybrid-nodes-tutorial.adoc | 1 - latest/ug/nodes/hybrid-nodes-upgrade.adoc | 1 - latest/ug/nodes/hybrid-nodes.adoc | 1 - latest/ug/nodes/managed-node-groups.adoc | 2 -- latest/ug/nodes/worker.adoc | 1 - latest/ug/observability/control-plane-logs.adoc | 1 - latest/ug/observability/eks-observe.adoc | 2 -- latest/ug/observability/logging-using-cloudtrail.adoc | 1 - latest/ug/observability/observability-dashboard.adoc | 1 - latest/ug/observability/opentelemetry.adoc | 3 --- latest/ug/observability/prometheus.adoc | 2 -- latest/ug/outposts/eks-outposts-self-managed-nodes.adoc | 2 -- latest/ug/outposts/eks-outposts.adoc | 1 - latest/ug/quickstart.adoc | 1 - latest/ug/related-projects.adoc | 1 - latest/ug/roadmap.adoc | 1 - latest/ug/storage/csi-snapshot-controller.adoc | 3 --- latest/ug/storage/ebs-csi-migration-faq.adoc | 4 ---- latest/ug/storage/ebs-csi.adoc | 2 -- latest/ug/storage/file-cache-csi.adoc | 3 --- latest/ug/storage/fsx-csi.adoc | 3 --- latest/ug/storage/fsx-ontap.adoc | 3 --- latest/ug/storage/fsx-openzfs-csi.adoc | 3 --- latest/ug/storage/s3-csi.adoc | 2 -- latest/ug/storage/storage.adoc | 1 - latest/ug/troubleshooting/troubleshooting.adoc | 2 -- latest/ug/what-is/common-use-cases.adoc | 1 - latest/ug/what-is/eks-architecture.adoc | 1 - latest/ug/what-is/eks-deployment-options.adoc | 1 - latest/ug/what-is/kubernetes-concepts.adoc | 1 - latest/ug/what-is/what-is-eks.adoc | 1 - latest/ug/workloads/alb-ingress.adoc | 1 - latest/ug/workloads/eks-add-ons.adoc | 1 - latest/ug/workloads/horizontal-pod-autoscaler.adoc | 1 - latest/ug/workloads/image-verification.adoc | 1 - latest/ug/workloads/network-load-balancing.adoc | 1 - latest/ug/workloads/vertical-pod-autoscaler.adoc | 1 - 121 files changed, 176 deletions(-) diff --git a/latest/ug/automode/associate-workload.adoc b/latest/ug/automode/associate-workload.adoc index 232512ed5..25c79c488 100644 --- a/latest/ug/automode/associate-workload.adoc +++ b/latest/ug/automode/associate-workload.adoc @@ -8,7 +8,6 @@ include::../attributes.txt[] :info_doctype: section :info_title: Control if a workload is deployed on EKS Auto Mode nodes :info_titleabbrev: Control workload deployment -:info_abstract: Control if a workload is deployed on EKS Auto Mode nodes When running workloads in an EKS cluster with {eam}, you might need to control whether specific workloads run on {eam} nodes or other compute types. This topic describes how to use node selectors and affinity rules to ensure your workloads are scheduled on the intended compute infrastructure. diff --git a/latest/ug/automode/auto-elb-example.adoc b/latest/ug/automode/auto-elb-example.adoc index 10edb9ed6..b799d0e37 100644 --- a/latest/ug/automode/auto-elb-example.adoc +++ b/latest/ug/automode/auto-elb-example.adoc @@ -6,7 +6,6 @@ :info_doctype: section :info_title: Deploy a sample load balancer workload to EKS Auto Mode :info_titleabbrev: Deploy load balancer workload -:info_abstract: Deploy a sample load balancer workload to EKS Auto Mode include::../attributes.txt[] diff --git a/latest/ug/automode/auto-enable-existing.adoc b/latest/ug/automode/auto-enable-existing.adoc index 1e0dab076..05df23913 100644 --- a/latest/ug/automode/auto-enable-existing.adoc +++ b/latest/ug/automode/auto-enable-existing.adoc @@ -6,7 +6,6 @@ :info_doctype: section :info_title: Enable EKS Auto Mode on an existing cluster :info_titleabbrev: Enable on cluster -:info_abstract: Enable EKS Auto Mode on an existing cluster include::../attributes.txt[] diff --git a/latest/ug/automode/auto-glossary.adoc b/latest/ug/automode/auto-glossary.adoc index d2bfcb7fb..b66b36069 100644 --- a/latest/ug/automode/auto-glossary.adoc +++ b/latest/ug/automode/auto-glossary.adoc @@ -5,7 +5,6 @@ :info_doctype: section :info_title: Glossary of terms for EKS Auto Mode :info_titleabbrev: Glossary -:info_abstract: Glossary of terms for EKS Auto Mode include::../attributes.txt[] diff --git a/latest/ug/automode/auto-migrate-karpenter.adoc b/latest/ug/automode/auto-migrate-karpenter.adoc index 976ef7ee9..5f4ac69fe 100644 --- a/latest/ug/automode/auto-migrate-karpenter.adoc +++ b/latest/ug/automode/auto-migrate-karpenter.adoc @@ -5,7 +5,6 @@ :info_doctype: section :info_title: Migrate from Karpenter to EKS Auto Mode using kubectl :info_titleabbrev: Migrate from Karpenter -:info_abstract: Migrate from Karpenter to EKS Auto Mode using kubectl include::../attributes.txt[] diff --git a/latest/ug/automode/auto-migrate-mng.adoc b/latest/ug/automode/auto-migrate-mng.adoc index 10fe6d8be..caaa27c23 100644 --- a/latest/ug/automode/auto-migrate-mng.adoc +++ b/latest/ug/automode/auto-migrate-mng.adoc @@ -6,7 +6,6 @@ :info_doctype: section :info_title: Migrate from EKS Managed Node Groups to EKS Auto Mode :info_titleabbrev: Migrate from Managed Node Groups -:info_abstract: Migrate from EKS Managed Node Groups include::../attributes.txt[] diff --git a/latest/ug/automode/auto-mng.adoc b/latest/ug/automode/auto-mng.adoc index 34af935c3..7c0407049 100644 --- a/latest/ug/automode/auto-mng.adoc +++ b/latest/ug/automode/auto-mng.adoc @@ -6,7 +6,6 @@ :info_doctype: section :info_title: Compare EKS Auto Mode with EKS managed node groups :info_titleabbrev: Compare with Managed Node Groups -:info_abstract: Compare EKS Auto Mode with EKS managed node groups include::../attributes.txt[] diff --git a/latest/ug/automode/auto-networking.adoc b/latest/ug/automode/auto-networking.adoc index a3279d9c6..2d585acc5 100644 --- a/latest/ug/automode/auto-networking.adoc +++ b/latest/ug/automode/auto-networking.adoc @@ -5,7 +5,6 @@ :info_doctype: section :info_title: Learn about VPC networking and load balancing in EKS Auto Mode :info_titleabbrev: Networking -:info_abstract: Learn about VPC networking and load balancing in EKS Auto Mode. include::../attributes.txt[] diff --git a/latest/ug/automode/auto-reference.adoc b/latest/ug/automode/auto-reference.adoc index 25be16060..277c091a1 100644 --- a/latest/ug/automode/auto-reference.adoc +++ b/latest/ug/automode/auto-reference.adoc @@ -11,7 +11,6 @@ include::../attributes.txt[] :sourcedir: . :info_title: Learn how EKS Auto Mode works :info_titleabbrev: How it works -:info_abstract: Learn how EKS Auto Mode works [abstract] -- diff --git a/latest/ug/automode/auto-troubleshoot.adoc b/latest/ug/automode/auto-troubleshoot.adoc index aa301da42..7bf491dc3 100644 --- a/latest/ug/automode/auto-troubleshoot.adoc +++ b/latest/ug/automode/auto-troubleshoot.adoc @@ -6,7 +6,6 @@ :info_doctype: section :info_title: Troubleshoot EKS Auto Mode :info_titleabbrev: Troubleshoot -:info_abstract: Troubleshoot EKS Auto Mode include::../attributes.txt[] diff --git a/latest/ug/automode/auto-workloads.adoc b/latest/ug/automode/auto-workloads.adoc index 7a99b60cc..a7c1e068a 100644 --- a/latest/ug/automode/auto-workloads.adoc +++ b/latest/ug/automode/auto-workloads.adoc @@ -6,7 +6,6 @@ include::../attributes.txt[] :info_doctype: section :info_title: Run workloads in EKS Auto Mode clusters :info_titleabbrev: Run workloads -:info_abstract: Run workloads in EKS Auto Mode clusters [abstract] -- diff --git a/latest/ug/automode/automode-get-started-cli.adoc b/latest/ug/automode/automode-get-started-cli.adoc index 99eec8c18..94b29d96e 100644 --- a/latest/ug/automode/automode-get-started-cli.adoc +++ b/latest/ug/automode/automode-get-started-cli.adoc @@ -9,7 +9,6 @@ include::../attributes.txt[] :config: configuration :info_title: Create an EKS Auto Mode Cluster with the {aws} CLI :info_titleabbrev: {aws} CLI -:info_abstract: Create an EKS Auto Mode cluster with the {aws} CLI EKS Auto Mode Clusters automate routine cluster management tasks for compute, storage, and networking. For example, EKS Auto Mode Clusters automatically detect when additional nodes are required and provision new EC2 instances to meet workload demands. diff --git a/latest/ug/automode/automode-get-started-console.adoc b/latest/ug/automode/automode-get-started-console.adoc index 714f2b2ae..789b9c96b 100644 --- a/latest/ug/automode/automode-get-started-console.adoc +++ b/latest/ug/automode/automode-get-started-console.adoc @@ -8,7 +8,6 @@ include::../attributes.txt[] :info_doctype: section :info_title: Create an EKS Auto Mode Cluster with the {aws} Management Console :info_titleabbrev: Management console -:info_abstract: Create an EKS Auto Mode cluster with the {aws} Management Console Creating an {eam} cluster in the {aws} Management Console requires less {config} than other options. EKS integrates with {aws} IAM and VPC Networking to help you create the resources associated with an EKS cluster. diff --git a/latest/ug/automode/automode-get-started-eksctl.adoc b/latest/ug/automode/automode-get-started-eksctl.adoc index 8677b35bf..cd6ab8e8a 100644 --- a/latest/ug/automode/automode-get-started-eksctl.adoc +++ b/latest/ug/automode/automode-get-started-eksctl.adoc @@ -7,7 +7,6 @@ :config: configuration :info_title: Create an EKS Auto Mode Cluster with the eksctl CLI :info_titleabbrev: eksctl CLI -:info_abstract: Create an EKS Auto Mode cluster with the eksctl CLI include::../attributes.txt[] diff --git a/latest/ug/automode/automode-learn-instances.adoc b/latest/ug/automode/automode-learn-instances.adoc index 57220f30f..accf312cc 100644 --- a/latest/ug/automode/automode-learn-instances.adoc +++ b/latest/ug/automode/automode-learn-instances.adoc @@ -13,7 +13,6 @@ :emng: EKS Managed Node Group :info_title: Learn about Amazon EKS Auto Mode managed instances :info_titleabbrev: Managed instances -:info_abstract: Learn about Amazon EKS Auto Mode managed instances include::../attributes.txt[] diff --git a/latest/ug/automode/automode-workload.adoc b/latest/ug/automode/automode-workload.adoc index 015a1856e..374aedb84 100644 --- a/latest/ug/automode/automode-workload.adoc +++ b/latest/ug/automode/automode-workload.adoc @@ -6,7 +6,6 @@ :info_doctype: section :info_title: Deploy a sample inflate workload to an Amazon EKS Auto Mode cluster :info_titleabbrev: Deploy inflate workload -:info_abstract: Deploy a sample inflate workload to an Amazon EKS Auto Mode cluster include::../attributes.txt[] diff --git a/latest/ug/automode/automode.adoc b/latest/ug/automode/automode.adoc index a9a6353a3..718354e45 100644 --- a/latest/ug/automode/automode.adoc +++ b/latest/ug/automode/automode.adoc @@ -7,7 +7,6 @@ :toc: :info_title: Automate cluster infrastructure with EKS Auto Mode :info_titleabbrev: EKS Auto Mode -:info_abstract: Automate cluster infrastructure with EKS Auto Mode [abstract] -- diff --git a/latest/ug/automode/create-auto.adoc b/latest/ug/automode/create-auto.adoc index 4237fb19f..bc13bd7f7 100644 --- a/latest/ug/automode/create-auto.adoc +++ b/latest/ug/automode/create-auto.adoc @@ -11,7 +11,6 @@ include::../attributes.txt[] :sourcedir: . :info_title: Create cluster with EKS Auto Mode :info_titleabbrev: Create cluster -:info_abstract: Learn about the tools needed for creating and working with an Amazon EKS cluster in EKS Auto Mode. :keywords: getting, started, tutorials, quick, start [abstract] diff --git a/latest/ug/automode/migrate-auto.adoc b/latest/ug/automode/migrate-auto.adoc index 8be336791..401c58a0d 100644 --- a/latest/ug/automode/migrate-auto.adoc +++ b/latest/ug/automode/migrate-auto.adoc @@ -11,7 +11,6 @@ include::../attributes.txt[] :sourcedir: . :info_title: Enable EKS Auto Mode on existing EKS clusters :info_titleabbrev: Enable existing clusters -:info_abstract: Learn about the tools needed to migrate an Amazon EKS cluster to EKS Auto Mode. [abstract] -- diff --git a/latest/ug/automode/sample-storage-workload.adoc b/latest/ug/automode/sample-storage-workload.adoc index 4230d0e1c..488ccc928 100644 --- a/latest/ug/automode/sample-storage-workload.adoc +++ b/latest/ug/automode/sample-storage-workload.adoc @@ -6,7 +6,6 @@ :info_doctype: section :info_title: Deploy a sample stateful workload to EKS Auto Mode :info_titleabbrev: Deploy stateful workload -:info_abstract: Deploy a sample stateful workload to EKS Auto Mode include::../attributes.txt[] diff --git a/latest/ug/automode/settings-auto.adoc b/latest/ug/automode/settings-auto.adoc index 23f7f2bf4..18b86ec22 100644 --- a/latest/ug/automode/settings-auto.adoc +++ b/latest/ug/automode/settings-auto.adoc @@ -11,7 +11,6 @@ include::../attributes.txt[] :sourcedir: . :info_title: Change EKS Auto cluster settings :info_titleabbrev: Configure -:info_abstract: Change EKS Auto cluster settings [abstract] -- diff --git a/latest/ug/book.adoc b/latest/ug/book.adoc index 8d87ae743..663ab035d 100644 --- a/latest/ug/book.adoc +++ b/latest/ug/book.adoc @@ -11,10 +11,6 @@ include::attributes.txt[] :info_doctype: book :info_title: Amazon EKS :info_subtitle: User Guide -:info_abstract: This is official Amazon Web Services ({aws}) documentation for Amazon Elastic Kubernetes Service (Amazon EKS). Amazon EKS is a managed \ - service that makes it easy for you to run Kubernetes on {aws} without needing to install and operate \ - your own Kubernetes clusters. Kubernetes is an open-source system for automating the deployment, scaling, \ - and management of containerized applications. :info_corpauthor: Amazon Web Services :info_publisher: Amazon Web Services :info_copyright: 2024 \ diff --git a/latest/ug/clusters/autoscaling.adoc b/latest/ug/clusters/autoscaling.adoc index 38abb8a6b..86dc07a30 100644 --- a/latest/ug/clusters/autoscaling.adoc +++ b/latest/ug/clusters/autoscaling.adoc @@ -7,7 +7,6 @@ include::../attributes.txt[] :info_doctype: section :info_title: Scale cluster compute with Karpenter and Cluster Autoscaler :info_titleabbrev: Autoscaling -:info_abstract: Discover how Amazon EKS integrates Kubernetes autoscaling with {aws}, empowering rapid and efficient scaling of compute resources to meet application demands using Karpenter and Cluster Autoscaler. [abstract] -- diff --git a/latest/ug/clusters/cluster-endpoint.adoc b/latest/ug/clusters/cluster-endpoint.adoc index dc1096ace..b3401bf7a 100644 --- a/latest/ug/clusters/cluster-endpoint.adoc +++ b/latest/ug/clusters/cluster-endpoint.adoc @@ -5,7 +5,6 @@ :info_doctype: section :info_title: Control network access to cluster API server endpoint :info_titleabbrev: Configure endpoint access -:info_abstract: Learn how to enable private access and limit public access to the Amazon EKS cluster Kubernetes API server endpoint for enhanced security with your Amazon EKS cluster. include::../attributes.txt[] diff --git a/latest/ug/clusters/create-cluster-auto.adoc b/latest/ug/clusters/create-cluster-auto.adoc index 32a496cf3..03ddcd797 100644 --- a/latest/ug/clusters/create-cluster-auto.adoc +++ b/latest/ug/clusters/create-cluster-auto.adoc @@ -6,7 +6,6 @@ :info_doctype: section :info_title: Create an Amazon EKS Auto Mode cluster :info_titleabbrev: Create auto cluster -:info_abstract: Learn how to create an Amazon EKS Auto Mode cluster to run Kubernetes applications, including prerequisites, networking options, and add-on configurations. :idprefix: id_ include::../attributes.txt[] diff --git a/latest/ug/clusters/create-cluster.adoc b/latest/ug/clusters/create-cluster.adoc index dbbd39f77..648eaae6c 100644 --- a/latest/ug/clusters/create-cluster.adoc +++ b/latest/ug/clusters/create-cluster.adoc @@ -6,7 +6,6 @@ :info_doctype: section :info_title: Create an Amazon EKS cluster :info_titleabbrev: Create a cluster -:info_abstract: Learn how to create an Amazon EKS cluster to run Kubernetes applications, including prerequisites, networking options, and add-on configurations. include::../attributes.txt[] diff --git a/latest/ug/clusters/delete-cluster.adoc b/latest/ug/clusters/delete-cluster.adoc index d9da28153..10bff9c57 100644 --- a/latest/ug/clusters/delete-cluster.adoc +++ b/latest/ug/clusters/delete-cluster.adoc @@ -7,7 +7,6 @@ include::../attributes.txt[] :info_doctype: section :info_title: Delete a cluster :info_titleabbrev: Delete a cluster -:info_abstract: Learn how to delete Amazon EKS clusters, including managed and self-managed node groups, Fargate profiles, related services, and {aws} CloudFormation stacks using eksctl, {aws-management-console}, or {aws} CLI for cost optimization and resource cleanup. [abstract] -- diff --git a/latest/ug/clusters/kubernetes-versions.adoc b/latest/ug/clusters/kubernetes-versions.adoc index fdf3e63ea..8492b4980 100644 --- a/latest/ug/clusters/kubernetes-versions.adoc +++ b/latest/ug/clusters/kubernetes-versions.adoc @@ -7,9 +7,6 @@ :info_title: Understand the Kubernetes version lifecycle on EKS :info_titleabbrev: Kubernetes versions :keywords: Amazon EKS, available, Kubernetes, version, release notes -:info_abstract: Learn how Amazon EKS supports Kubernetes versions with standard and extended \ - support periods, allowing you to proactively update clusters with the latest \ - versions, features, and security patches.. include::../attributes.txt[] diff --git a/latest/ug/clusters/management/cost-monitoring.adoc b/latest/ug/clusters/management/cost-monitoring.adoc index 6f92be955..e6e3bc43d 100644 --- a/latest/ug/clusters/management/cost-monitoring.adoc +++ b/latest/ug/clusters/management/cost-monitoring.adoc @@ -8,7 +8,6 @@ :info_title: Monitor and optimize Amazon EKS cluster costs :info_titleabbrev: Cost monitoring :keywords: cost, monitoring, watch -:info_abstract: Learn how to monitor and optimize costs for your Amazon EKS clusters using {aws} Billing split cost allocation data or Kubecost, a Kubernetes-native cost monitoring tool integrated with {aws}. include::../../attributes.txt[] diff --git a/latest/ug/clusters/management/eks-using-tags.adoc b/latest/ug/clusters/management/eks-using-tags.adoc index 447b87998..59abfac9f 100644 --- a/latest/ug/clusters/management/eks-using-tags.adoc +++ b/latest/ug/clusters/management/eks-using-tags.adoc @@ -8,7 +8,6 @@ include::../../attributes.txt[] :info_title: Organize Amazon EKS resources with tags :info_titleabbrev: Tagging your resources :keywords: metadata, tag, resources -:info_abstract: Learn how to use tags to categorize and manage your Amazon EKS resources like clusters, managed node groups, and Fargate profiles for billing, cost allocation, and resource identification. [abstract] -- diff --git a/latest/ug/clusters/management/helm.adoc b/latest/ug/clusters/management/helm.adoc index 56c8385ed..ee354e2bd 100644 --- a/latest/ug/clusters/management/helm.adoc +++ b/latest/ug/clusters/management/helm.adoc @@ -7,7 +7,6 @@ include::../../attributes.txt[] :info_doctype: section :info_title: Deploy applications with Helm on Amazon EKS :info_titleabbrev: Deploy apps with Helm -:info_abstract: Learn how to install and use Helm, a package manager for Kubernetes, with your Amazon EKS cluster to manage and deploy applications seamlessly. [abstract] -- diff --git a/latest/ug/clusters/management/metrics-server.adoc b/latest/ug/clusters/management/metrics-server.adoc index c53b83554..c09d86dc7 100644 --- a/latest/ug/clusters/management/metrics-server.adoc +++ b/latest/ug/clusters/management/metrics-server.adoc @@ -7,7 +7,6 @@ include::../../attributes.txt[] :info_doctype: section :info_title: View resource usage with the KubernetesMetrics Server :info_titleabbrev: Metrics server -:info_abstract: Use the Kubernetes Metrics Server to view resource usage data on your Amazon EKS cluster for autoscaling and monitoring. [abstract] -- diff --git a/latest/ug/clusters/management/service-quotas.adoc b/latest/ug/clusters/management/service-quotas.adoc index 132c39421..c2628ee1f 100644 --- a/latest/ug/clusters/management/service-quotas.adoc +++ b/latest/ug/clusters/management/service-quotas.adoc @@ -7,7 +7,6 @@ include::../../attributes.txt[] :info_doctype: section :info_title: View and manage Amazon EKS and Fargate service quotas :info_titleabbrev: Service quotas -:info_abstract: Use Service Quotas to view and manage Amazon EKS and {aws} Fargate quotas from the {aws-management-console} or {aws} CLI. [abstract] -- diff --git a/latest/ug/clusters/private-clusters.adoc b/latest/ug/clusters/private-clusters.adoc index 22477bb60..3def600f4 100644 --- a/latest/ug/clusters/private-clusters.adoc +++ b/latest/ug/clusters/private-clusters.adoc @@ -7,7 +7,6 @@ include::../attributes.txt[] :info_doctype: section :info_title: Deploy private clusters with limited internet access :info_titleabbrev: Private clusters -:info_abstract: Learn how to deploy and operate an Amazon EKS cluster without outbound internet access, including requirements for private container registries, endpoint access control, and VPC interface endpoints for {aws} services. [abstract] -- diff --git a/latest/ug/clusters/update-cluster.adoc b/latest/ug/clusters/update-cluster.adoc index 2a29b8ae8..66d019e4e 100644 --- a/latest/ug/clusters/update-cluster.adoc +++ b/latest/ug/clusters/update-cluster.adoc @@ -6,7 +6,6 @@ :info_doctype: section :info_title: Update existing cluster to new Kubernetes version :info_titleabbrev: Update Kubernetes version -:info_abstract: Learn how to update your Amazon EKS cluster to the latest Kubernetes version, ensuring compatibility with nodes and add-ons, and maintaining high availability during the process. include::../attributes.txt[] diff --git a/latest/ug/clusters/windows-support.adoc b/latest/ug/clusters/windows-support.adoc index 6826baeff..54dda27cc 100644 --- a/latest/ug/clusters/windows-support.adoc +++ b/latest/ug/clusters/windows-support.adoc @@ -8,8 +8,6 @@ include::../attributes.txt[] :info_title: Deploy Windows nodes on EKS \ clusters :info_titleabbrev: Enable Windows support -:info_abstract: Learn how to enable and manage Windows support for your Amazon EKS cluster to run \ - Windows containers alongside Linux containers. [abstract] -- diff --git a/latest/ug/connector/connecting-cluster.adoc b/latest/ug/connector/connecting-cluster.adoc index 5f3cb087e..f62ec6246 100644 --- a/latest/ug/connector/connecting-cluster.adoc +++ b/latest/ug/connector/connecting-cluster.adoc @@ -7,7 +7,6 @@ include::../attributes.txt[] :info_doctype: section :info_title: Connect an external Kubernetes cluster to the Amazon EKS Management Console :info_titleabbrev: Connect a cluster -:info_abstract: Learn to connect an external Kubernetes cluster to an Amazon EKS Management Console and install the eks-connector agent via Helm or YAML manifests to enable visibility and management of the external cluster. [abstract] -- diff --git a/latest/ug/connector/connector-grant-access.adoc b/latest/ug/connector/connector-grant-access.adoc index aaa58c363..e3956c285 100644 --- a/latest/ug/connector/connector-grant-access.adoc +++ b/latest/ug/connector/connector-grant-access.adoc @@ -8,7 +8,6 @@ include::../attributes.txt[] :info_title: Grant access to view Kubernetes cluster resources on an \ Amazon EKS console :info_titleabbrev: Grant access to Kubernetes clusters from {aws} console -:info_abstract: Learn to grant IAM principals access to view Kubernetes cluster resources on an Amazon EKS Management Console. [abstract] -- diff --git a/latest/ug/connector/deregister-connected-cluster.adoc b/latest/ug/connector/deregister-connected-cluster.adoc index 090a4358a..f25f0a6cb 100644 --- a/latest/ug/connector/deregister-connected-cluster.adoc +++ b/latest/ug/connector/deregister-connected-cluster.adoc @@ -7,7 +7,6 @@ include::../attributes.txt[] :info_doctype: section :info_title: Deregister a Kubernetes cluster from the Amazon EKS console :info_titleabbrev: Deregister a cluster -:info_abstract: Learn to deregister a Kubernetes cluster from Amazon EKS and uninstall the eks-connector agent to stop managing the cluster from the Amazon EKS Management Console. [abstract] -- diff --git a/latest/ug/connector/eks-connector.adoc b/latest/ug/connector/eks-connector.adoc index c0d61be84..b7f97aa91 100644 --- a/latest/ug/connector/eks-connector.adoc +++ b/latest/ug/connector/eks-connector.adoc @@ -13,7 +13,6 @@ include::../attributes.txt[] :info_doctype: chapter :info_title: Connect a Kubernetes cluster to an Amazon EKS Management Console with Amazon EKS Connector :info_titleabbrev: Amazon EKS Connector -:info_abstract: Discover how to connect conformant Kubernetes clusters to {aws} and visualize them in the Amazon EKS console using the Amazon EKS Connector agent and required IAM roles. [abstract] -- diff --git a/latest/ug/connector/security-connector.adoc b/latest/ug/connector/security-connector.adoc index e7dfa1cf5..7cf763659 100644 --- a/latest/ug/connector/security-connector.adoc +++ b/latest/ug/connector/security-connector.adoc @@ -7,9 +7,6 @@ include::../attributes.txt[] :info_doctype: section :info_title: Understand security in Amazon EKS Connector :info_titleabbrev: Security considerations -:info_abstract: Learn how the open-source EKS Connector affects security, and understand {aws} and \ - customer security responsibilities for connectivity, cluster management, and IAM \ - access control. [abstract] -- diff --git a/latest/ug/connector/troubleshooting-connector.adoc b/latest/ug/connector/troubleshooting-connector.adoc index 3440d66ea..f64970779 100644 --- a/latest/ug/connector/troubleshooting-connector.adoc +++ b/latest/ug/connector/troubleshooting-connector.adoc @@ -5,7 +5,6 @@ :info_doctype: section :info_title: Troubleshoot Amazon EKS Connector issues :info_titleabbrev: Troubleshoot Amazon EKS Connector -:info_abstract: Troubleshoot and resolve common issues when using Amazon EKS Connector to connect your Kubernetes clusters to Amazon EKS. include::../attributes.txt[] diff --git a/latest/ug/connector/tsc-faq.adoc b/latest/ug/connector/tsc-faq.adoc index 82c65f309..bf9cf55d7 100644 --- a/latest/ug/connector/tsc-faq.adoc +++ b/latest/ug/connector/tsc-faq.adoc @@ -7,7 +7,6 @@ include::../attributes.txt[] :info_doctype: section :info_title: {aws} Connector frequently asked questions :info_titleabbrev: Frequently asked questions -:info_abstract: Learn to connect and manage Kubernetes clusters outside {aws} with Amazon EKS Connector, enabling unified cluster visibility and management across environments using a secure, outbound-only connection. [abstract] -- diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index 4ba153e50..8e20b7aa5 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -15,8 +15,6 @@ :info_doctype: chapter :info_title: Document history :keywords: document, publish, release, history, log -:info_abstract: Important updates to the Amazon EKS documentation, sorted by date, with brief \ - descriptions of each update and when they occurred. include::attributes.txt[] diff --git a/latest/ug/getting-started/getting-started-automode.adoc b/latest/ug/getting-started/getting-started-automode.adoc index 734e148be..b3374ebcc 100644 --- a/latest/ug/getting-started/getting-started-automode.adoc +++ b/latest/ug/getting-started/getting-started-automode.adoc @@ -9,7 +9,6 @@ include::../attributes.txt[] EKS Auto Mode :info_titleabbrev: Create your first cluster – EKS Auto Mode :keywords: using, Auto, getting, started, tutorial -:info_abstract: Learn how to create your first Amazon EKS cluster with nodes using EKS Auto Mode Like other EKS getting started experiences, creating your first cluster with EKS Auto Mode delegates the management of the cluster itself to {aws}. However, EKS Auto Mode extends EKS automation by handing responsibility of many essential services needed to set up workload infrastructure (nodes, networks, and various services), making it easier to manage nodes and scale up to meet workload demands. diff --git a/latest/ug/getting-started/getting-started-console.adoc b/latest/ug/getting-started/getting-started-console.adoc index e388fea82..b0d44d78b 100644 --- a/latest/ug/getting-started/getting-started-console.adoc +++ b/latest/ug/getting-started/getting-started-console.adoc @@ -9,8 +9,6 @@ include::../attributes.txt[] {aws} CLI :info_titleabbrev: Create your first cluster – {aws-management-console} :keywords: using, {aws-management-console}, {aws} CLI, getting, started, tutorial -:info_abstract: Learn how to create your first Amazon EKS cluster with nodes using the {aws-management-console} and \ - {aws} CLI. [abstract] -- diff --git a/latest/ug/getting-started/getting-started-eksctl.adoc b/latest/ug/getting-started/getting-started-eksctl.adoc index 4b05e9744..b421729dc 100644 --- a/latest/ug/getting-started/getting-started-eksctl.adoc +++ b/latest/ug/getting-started/getting-started-eksctl.adoc @@ -9,8 +9,6 @@ include::../attributes.txt[] eksctl :info_titleabbrev: Create your first cluster – eksctl :keywords: using, eksctl, getting, started, tutorial -:info_abstract: Learn how to create your first Amazon EKS cluster with nodes using the eksctl command \ - line tool. [abstract] -- diff --git a/latest/ug/getting-started/getting-started.adoc b/latest/ug/getting-started/getting-started.adoc index ae1fc70f3..a11bd7c24 100644 --- a/latest/ug/getting-started/getting-started.adoc +++ b/latest/ug/getting-started/getting-started.adoc @@ -13,7 +13,6 @@ include::../attributes.txt[] :info_doctype: chapter :info_title: Get started with Amazon EKS :info_titleabbrev: Get started -:info_abstract: Learn about the tools needed for creating and working with an Amazon EKS cluster. :keywords: getting, started, tutorials, quick, start [abstract] diff --git a/latest/ug/getting-started/install-awscli.adoc b/latest/ug/getting-started/install-awscli.adoc index 08e3a9cf8..ec2bcb58d 100644 --- a/latest/ug/getting-started/install-awscli.adoc +++ b/latest/ug/getting-started/install-awscli.adoc @@ -8,8 +8,6 @@ include::../attributes.txt[] :info_title: Set up {aws} CLI :info_titleabbrev: Set up {aws} CLI :keywords: setting up, setup -:info_abstract: Set up the {aws} CLI for managing {aws} resources needed to use Amazon EKS. Follow these \ - instructions to set up the credentials with {aws} CLI. [abstract] -- diff --git a/latest/ug/getting-started/install-kubectl.adoc b/latest/ug/getting-started/install-kubectl.adoc index 4dc27d89c..18bb2d0c8 100644 --- a/latest/ug/getting-started/install-kubectl.adoc +++ b/latest/ug/getting-started/install-kubectl.adoc @@ -8,8 +8,6 @@ :info_title: Set up kubectl and eksctl :info_titleabbrev: Set up kubectl and eksctl :keywords: install, update, kubectl -:info_abstract: Learn how to install or update the kubectl and eksctl command line tools \ - to work with Kubernetes and Amazon EKS features. include::../attributes.txt[] diff --git a/latest/ug/getting-started/learn-eks.adoc b/latest/ug/getting-started/learn-eks.adoc index 1631c12e8..a7cb044bc 100644 --- a/latest/ug/getting-started/learn-eks.adoc +++ b/latest/ug/getting-started/learn-eks.adoc @@ -8,7 +8,6 @@ include::../attributes.txt[] :info_title: Learn Amazon EKS by example :info_titleabbrev: Learn Amazon EKS :keywords: tutorial, workshop, developer, learn -:info_abstract: Find learning paths to extend your knowledge of Amazon EKS. :sectnums: :toc: left :icons: font diff --git a/latest/ug/getting-started/setting-up.adoc b/latest/ug/getting-started/setting-up.adoc index 036f89865..253f8f5d3 100644 --- a/latest/ug/getting-started/setting-up.adoc +++ b/latest/ug/getting-started/setting-up.adoc @@ -14,7 +14,6 @@ include::../attributes.txt[] :info_title: Set up to use Amazon EKS :info_titleabbrev: Set up :keywords: setting up, setup -:info_abstract: Set up the tools needed for creating and working with an Amazon EKS cluster. [abstract] -- diff --git a/latest/ug/integrations/creating-resources-with-cloudformation.adoc b/latest/ug/integrations/creating-resources-with-cloudformation.adoc index e936c6bfb..d2dbb7bd1 100644 --- a/latest/ug/integrations/creating-resources-with-cloudformation.adoc +++ b/latest/ug/integrations/creating-resources-with-cloudformation.adoc @@ -7,8 +7,6 @@ include::../attributes.txt[] :info_doctype: section :info_title: Create Amazon EKS resources with \ {aws} CloudFormation -:info_abstract: Learn about how to create resources for Amazon EKS using an {aws} CloudFormation \ - template. [abstract] -- diff --git a/latest/ug/integrations/integration-detective.adoc b/latest/ug/integrations/integration-detective.adoc index 038992f36..555d8820b 100644 --- a/latest/ug/integrations/integration-detective.adoc +++ b/latest/ug/integrations/integration-detective.adoc @@ -6,8 +6,6 @@ include::../attributes.txt[] = Analyze security events on EKS with Amazon Detective :info_doctype: section :info_title: Analyze security events on EKS with Amazon Detective -:info_abstract: Amazon Detective helps you analyze, investigate, and quickly identify the root cause \ - of security findings or suspicious activities. :keywords: Amazon Detective [abstract] diff --git a/latest/ug/integrations/integration-securitylake.adoc b/latest/ug/integrations/integration-securitylake.adoc index 40588b762..48772302e 100644 --- a/latest/ug/integrations/integration-securitylake.adoc +++ b/latest/ug/integrations/integration-securitylake.adoc @@ -6,11 +6,6 @@ include::../attributes.txt[] = Centralize and analyze EKS security data with Security Lake :info_doctype: section :info_title: Centralize and analyze EKS security data with Security Lake -:info_abstract: Amazon Security Lake integrates with Amazon EKS to provide a centralized and standardized \ - solution for collecting, storing, and analyzing security data from clusters. By \ - enabling EKS control plane logging and adding EKS logs as a source in Security Lake, \ - users can gain valuable insights, detect potential threats, and enhance the \ - security posture of their Kubernetes environments. :keywords: Amazon EKS, Amazon Security Lake, Kubernetes security, centralized security data, threat detection [abstract] diff --git a/latest/ug/manage-access/cluster-auth.adoc b/latest/ug/manage-access/cluster-auth.adoc index af75691bb..1d29acbb2 100644 --- a/latest/ug/manage-access/cluster-auth.adoc +++ b/latest/ug/manage-access/cluster-auth.adoc @@ -14,9 +14,6 @@ include::../attributes.txt[] :info_doctype: chapter :info_title: Learn how access control works in Amazon EKS :info_titleabbrev: Manage access -:info_abstract: Learn how to manage access to your EKS cluster. First, this includes granting \ - developers or external services access to Kubernetes. Second, this includes granting \ - Kubernetes workloads access to {aws} services. [abstract] -- diff --git a/latest/ug/manage-access/create-kubeconfig.adoc b/latest/ug/manage-access/create-kubeconfig.adoc index 7c480d368..c32106d49 100644 --- a/latest/ug/manage-access/create-kubeconfig.adoc +++ b/latest/ug/manage-access/create-kubeconfig.adoc @@ -7,7 +7,6 @@ include::../attributes.txt[] :info_doctype: section :info_title: Connect kubectl to an EKS cluster by creating a kubeconfig file :info_titleabbrev: Access cluster with kubectl -:info_abstract: Learn how to create or update a kubeconfig file for authenticating with your Amazon EKS cluster using kubectl. Follow prerequisites for required tools and permissions. [abstract] -- diff --git a/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc b/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc index 427812745..da4018941 100644 --- a/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc +++ b/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc @@ -7,7 +7,6 @@ :info_doctype: section :info_title: Grant IAM users and roles access to Kubernetes APIs :info_titleabbrev: Grant access to Kubernetes APIs -:info_abstract: Learn how to grant access to Kubernetes APIs on Amazon EKS clusters using IAM roles, users, or OpenID Connect providers, and manage permissions with access entries or the aws-auth ConfigMap. include::../../attributes.txt[] diff --git a/latest/ug/manage-access/view-kubernetes-resources.adoc b/latest/ug/manage-access/view-kubernetes-resources.adoc index 7a66764b4..b4ef2a26a 100644 --- a/latest/ug/manage-access/view-kubernetes-resources.adoc +++ b/latest/ug/manage-access/view-kubernetes-resources.adoc @@ -7,7 +7,6 @@ include::../attributes.txt[] :info_doctype: section :info_title: View Kubernetes resources in the {aws-management-console} :info_titleabbrev: Access cluster resources with console -:info_abstract: Learn how to view Kubernetes resources in the {aws-management-console}. [abstract] -- diff --git a/latest/ug/ml/inferentia-support.adoc b/latest/ug/ml/inferentia-support.adoc index be85ead18..cc0ac8b39 100644 --- a/latest/ug/ml/inferentia-support.adoc +++ b/latest/ug/ml/inferentia-support.adoc @@ -7,7 +7,6 @@ include::../attributes.txt[] :info_doctype: section :info_title: Use {aws} Inferentia instances with your EKS cluster for Machine Learning :info_titleabbrev: Prepare Inferentia clusters -:info_abstract: Learn how to create an Amazon EKS cluster with nodes running Amazon EC2 Inf1 instances for machine learning inference using {aws} Inferentia chips and deploy a TensorFlow Serving application. [abstract] -- diff --git a/latest/ug/ml/machine-learning-on-eks.adoc b/latest/ug/ml/machine-learning-on-eks.adoc index 3a1aaf863..147a1300a 100644 --- a/latest/ug/ml/machine-learning-on-eks.adoc +++ b/latest/ug/ml/machine-learning-on-eks.adoc @@ -15,7 +15,6 @@ include::../attributes.txt[] :info_title: Machine Learning on Amazon EKS Overview :info_titleabbrev: Machine Learning on EKS :keywords: Machine Learning, Amazon EKS, Artificial Intelligence -:info_abstract: Learn to manage containerized applications with Amazon EKS [abstract] -- diff --git a/latest/ug/ml/ml-get-started.adoc b/latest/ug/ml/ml-get-started.adoc index 6b11e983a..9c20f6db0 100644 --- a/latest/ug/ml/ml-get-started.adoc +++ b/latest/ug/ml/ml-get-started.adoc @@ -6,7 +6,6 @@ :info_doctype: section :info_title: Get started deploying Machine Learning tools on EKS :info_titleabbrev: Get started with ML -:info_abstract: Choose the Machine Learning on EKS tools and platforms that best suit your needs, then use quick start procedures to deploy them to the {aws} cloud. include::../attributes.txt[] diff --git a/latest/ug/ml/ml-prepare-for-cluster.adoc b/latest/ug/ml/ml-prepare-for-cluster.adoc index e813b68b5..94863c285 100644 --- a/latest/ug/ml/ml-prepare-for-cluster.adoc +++ b/latest/ug/ml/ml-prepare-for-cluster.adoc @@ -6,7 +6,6 @@ :info_doctype: section :info_title: Prepare to create an EKS cluster for Machine Learning :info_titleabbrev: Prepare for ML -:info_abstract: Learn how to make decisions about CPU, AMIs, and tooling before creating an EKS cluster for ML. include::../attributes.txt[] diff --git a/latest/ug/ml/ml-tutorials.adoc b/latest/ug/ml/ml-tutorials.adoc index e040f88e8..e02bfde4d 100644 --- a/latest/ug/ml/ml-tutorials.adoc +++ b/latest/ug/ml/ml-tutorials.adoc @@ -6,7 +6,6 @@ :info_doctype: section :info_title: Try tutorials for deploying Machine Learning workloads and platforms on EKS :info_titleabbrev: Try tutorials for ML on EKS -:info_abstract: Learn how to deploy Machine Learning workloads on EKS include::../attributes.txt[] diff --git a/latest/ug/ml/node-efa.adoc b/latest/ug/ml/node-efa.adoc index 934678c52..c53dd484e 100644 --- a/latest/ug/ml/node-efa.adoc +++ b/latest/ug/ml/node-efa.adoc @@ -8,10 +8,6 @@ :info_title: Add Elastic Fabric \ Adapter to EKS clusters for ML training :info_titleabbrev: Prepare training clusters with EFA -:info_abstract: Learn how to integrate Elastic Fabric Adapter (EFA) with Amazon EKS to run machine \ - learning training workloads requiring high inter-node communications at scale using \ - p4d instances with GPUDirect RDMA and NVIDIA Collective Communications Library \ - (NCCL). include::../attributes.txt[] diff --git a/latest/ug/networking/creating-a-vpc.adoc b/latest/ug/networking/creating-a-vpc.adoc index a776cd768..3227d1bf4 100644 --- a/latest/ug/networking/creating-a-vpc.adoc +++ b/latest/ug/networking/creating-a-vpc.adoc @@ -5,8 +5,6 @@ :info_doctype: section :info_title: Create an Amazon VPC for your Amazon EKS cluster :info_titleabbrev: Create a VPC -:info_abstract: Learn how to create an Amazon VPC for your cluster using an Amazon EKS provided {aws} CloudFormation \ - template. include::../attributes.txt[] diff --git a/latest/ug/networking/network-reqs.adoc b/latest/ug/networking/network-reqs.adoc index fdebdfaec..758c90d25 100644 --- a/latest/ug/networking/network-reqs.adoc +++ b/latest/ug/networking/network-reqs.adoc @@ -5,10 +5,6 @@ :info_doctype: section :info_title: View Amazon EKS networking requirements for VPC and subnets :info_titleabbrev: VPC and subnet requirements -:info_abstract: Learn how to configure the VPC and subnets to meet networking \ - requirements for creating Amazon EKS clusters with sufficient IP addresses, subnet \ - types, and availability zones. Understand IP family usage by component and shared \ - subnet considerations. include::../attributes.txt[] diff --git a/latest/ug/networking/sec-group-reqs.adoc b/latest/ug/networking/sec-group-reqs.adoc index 7eeed60a2..a910efa70 100644 --- a/latest/ug/networking/sec-group-reqs.adoc +++ b/latest/ug/networking/sec-group-reqs.adoc @@ -5,10 +5,6 @@ :info_doctype: section :info_title: View Amazon EKS security group requirements for clusters :info_titleabbrev: Security group requirements -:info_abstract: Learn how to manage security groups for Amazon EKS clusters, including default \ - rules, restricting traffic, and required outbound access for nodes to function \ - properly with your cluster. Understand key security group considerations for secure \ - operation of your Kubernetes cluster on {aws}. include::../attributes.txt[] diff --git a/latest/ug/nodes/choosing-instance-type.adoc b/latest/ug/nodes/choosing-instance-type.adoc index 9b1fa8463..52da26e99 100644 --- a/latest/ug/nodes/choosing-instance-type.adoc +++ b/latest/ug/nodes/choosing-instance-type.adoc @@ -8,8 +8,6 @@ include::../attributes.txt[] :info_title: Choose an optimal Amazon EC2 node instance type :info_titleabbrev: Amazon EC2 instance types :keywords: choose, select, instance, type, family, group, max-pods, max pods, maximum pods -:info_abstract: Each Amazon EC2 instance type offers different compute, memory, storage, and network \ - capabilities. [abstract] -- diff --git a/latest/ug/nodes/eks-compute.adoc b/latest/ug/nodes/eks-compute.adoc index de8b52a55..b1681385f 100644 --- a/latest/ug/nodes/eks-compute.adoc +++ b/latest/ug/nodes/eks-compute.adoc @@ -13,7 +13,6 @@ :info_title: Manage compute resources by using nodes :info_titleabbrev: Manage compute :keywords: nodes, node groups -:info_abstract: Your Amazon EKS cluster can schedule Pods on any combination of self-managed nodes, Amazon EKS managed node groups, and Fargate in the {aws} Cloud and hybrid nodes on-premises. include::../attributes.txt[] diff --git a/latest/ug/nodes/eks-optimized-amis.adoc b/latest/ug/nodes/eks-optimized-amis.adoc index f7dccea02..7fc17b261 100644 --- a/latest/ug/nodes/eks-optimized-amis.adoc +++ b/latest/ug/nodes/eks-optimized-amis.adoc @@ -6,8 +6,6 @@ :info_title: Create nodes with pre-built optimized images :info_titleabbrev: Pre-built optimized AMIs :keywords: optimized, custom, AMI -:info_abstract: You can deploy nodes with pre-built Amazon EKS optimized Amazon Machine Images (AMIs) or your own custom \ - AMIs include::../attributes.txt[] diff --git a/latest/ug/nodes/fargate.adoc b/latest/ug/nodes/fargate.adoc index 50203bf51..a77c7395d 100644 --- a/latest/ug/nodes/fargate.adoc +++ b/latest/ug/nodes/fargate.adoc @@ -8,7 +8,6 @@ include::../attributes.txt[] :info_title: Simplify compute management with {aws} Fargate :info_titleabbrev: {aws} Fargate :keywords: Fargate, nodes -:info_abstract: This topic discusses using Amazon EKS to run Kubernetes Pods on {aws} Fargate. [abstract] -- diff --git a/latest/ug/nodes/hybrid-nodes-add-ons.adoc b/latest/ug/nodes/hybrid-nodes-add-ons.adoc index 317b2d471..a10cbbe5e 100644 --- a/latest/ug/nodes/hybrid-nodes-add-ons.adoc +++ b/latest/ug/nodes/hybrid-nodes-add-ons.adoc @@ -6,7 +6,6 @@ :info_title: Configure common add-ons for hybrid nodes :info_titleabbrev: Configure add-ons :keywords: add-ons for on-premises nodes, add-ons for hybrid nodes -:info_abstract: Configure common add-ons for hybrid nodes include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc index ac7c0337d..d61b31b93 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc @@ -6,7 +6,6 @@ :info_title: Create an Amazon EKS cluster with hybrid nodes :info_titleabbrev: Create cluster :keywords: on-premises, hybrid -:info_abstract: Create an Amazon EKS cluster with hybrid nodes include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc b/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc index 793c196c0..80461bafa 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc @@ -4,7 +4,6 @@ = Prepare cluster access for hybrid nodes :info_title: Prepare cluster access for hybrid nodes :info_titleabbrev: Prepare cluster access -:info_abstract: Prepare cluster access for hybrid nodes [abstract] -- diff --git a/latest/ug/nodes/hybrid-nodes-cni.adoc b/latest/ug/nodes/hybrid-nodes-cni.adoc index 465a94f16..8522c7c8f 100644 --- a/latest/ug/nodes/hybrid-nodes-cni.adoc +++ b/latest/ug/nodes/hybrid-nodes-cni.adoc @@ -6,7 +6,6 @@ :info_title: Configure a CNI for hybrid nodes :info_titleabbrev: Configure CNI :keywords: on-premises CNI, hybrid CNI -:info_abstract: Configure a CNI for Amazon EKS hybrid nodes include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-join.adoc b/latest/ug/nodes/hybrid-nodes-join.adoc index 37db4d870..4e6ac853f 100644 --- a/latest/ug/nodes/hybrid-nodes-join.adoc +++ b/latest/ug/nodes/hybrid-nodes-join.adoc @@ -6,7 +6,6 @@ :info_title: Connect hybrid nodes to Amazon EKS cluster :info_titleabbrev: Connect hybrid nodes :keywords: on-premises, hybrid -:info_abstract: Connect hybrid nodes to Amazon EKS cluster include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-networking.adoc b/latest/ug/nodes/hybrid-nodes-networking.adoc index 69cd37d74..b2a241c81 100644 --- a/latest/ug/nodes/hybrid-nodes-networking.adoc +++ b/latest/ug/nodes/hybrid-nodes-networking.adoc @@ -6,7 +6,6 @@ :info_title: Prepare networking for hybrid nodes :info_titleabbrev: Prepare networking :keywords: on-premises, hybrid -:info_abstract: Prepare networking include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc index 1e07b179a..87f1f0dbb 100644 --- a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc +++ b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc @@ -6,7 +6,6 @@ :info_title: Hybrid nodes nodeadm reference :info_titleabbrev: Hybrid nodes nodeadm reference :keywords: on-premises, hybrid -:info_abstract: Hybrid nodes nodeadm reference include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-os.adoc b/latest/ug/nodes/hybrid-nodes-os.adoc index 60be83bd0..6db6305ec 100644 --- a/latest/ug/nodes/hybrid-nodes-os.adoc +++ b/latest/ug/nodes/hybrid-nodes-os.adoc @@ -6,7 +6,6 @@ :info_title: Prepare operating system for hybrid nodes :info_titleabbrev: Prepare operating system :keywords: on-premises, hybrid -:info_abstract: Prepare operating system for hybrid nodes include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-prereqs.adoc b/latest/ug/nodes/hybrid-nodes-prereqs.adoc index 4f8711190..1bd3677c3 100644 --- a/latest/ug/nodes/hybrid-nodes-prereqs.adoc +++ b/latest/ug/nodes/hybrid-nodes-prereqs.adoc @@ -6,7 +6,6 @@ :info_title: Prerequisite setup for hybrid nodes :info_titleabbrev: Prerequisites :keywords: on-premises prerequisites, hybrid prerequisites -:info_abstract: Prerequisites and requirements for Amazon EKS hybrid nodes include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-proxy.adoc b/latest/ug/nodes/hybrid-nodes-proxy.adoc index e9053a4ae..fa4e74605 100644 --- a/latest/ug/nodes/hybrid-nodes-proxy.adoc +++ b/latest/ug/nodes/hybrid-nodes-proxy.adoc @@ -6,7 +6,6 @@ :info_title: Configure proxy for hybrid nodes :info_titleabbrev: Configure proxy :keywords: on-premises proxy, hybrid proxy -:info_abstract: Configure HTTP/S proxies for Amazon EKS hybrid nodes include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-remove.adoc b/latest/ug/nodes/hybrid-nodes-remove.adoc index bed35c5cd..0ada802c5 100644 --- a/latest/ug/nodes/hybrid-nodes-remove.adoc +++ b/latest/ug/nodes/hybrid-nodes-remove.adoc @@ -6,7 +6,6 @@ :info_title: Delete hybrid nodes from your EKS cluster :info_titleabbrev: Delete hybrid nodes :keywords: Delete hybrid nodes from your EKS cluster -:info_abstract: Delete hybrid nodes from your EKS cluster include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc index 30293b86a..6ed4babe0 100644 --- a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc +++ b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc @@ -6,7 +6,6 @@ :info_title: Troubleshooting hybrid nodes :info_titleabbrev: Troubleshooting :keywords: on-premises, hybrid -:info_abstract: Amazon EKS hybrid nodes include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-tutorial.adoc b/latest/ug/nodes/hybrid-nodes-tutorial.adoc index dfb1817ad..a7c4b942a 100644 --- a/latest/ug/nodes/hybrid-nodes-tutorial.adoc +++ b/latest/ug/nodes/hybrid-nodes-tutorial.adoc @@ -6,7 +6,6 @@ :info_title: Run and manage hybrid nodes :info_titleabbrev: Run hybrid nodes :keywords: on-premises, hybrid -:info_abstract: Amazon EKS hybrid nodes include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-upgrade.adoc b/latest/ug/nodes/hybrid-nodes-upgrade.adoc index e856544a4..c1c884192 100644 --- a/latest/ug/nodes/hybrid-nodes-upgrade.adoc +++ b/latest/ug/nodes/hybrid-nodes-upgrade.adoc @@ -6,7 +6,6 @@ :info_title: Upgrade hybrid nodes for your cluster :info_titleabbrev: Upgrade hybrid nodes :keywords: upgrade on-premises nodes, upgrade hybrid nodes -:info_abstract: Upgrade Kubernetes versions on hybrid nodes include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes.adoc b/latest/ug/nodes/hybrid-nodes.adoc index dc678f56d..a596610e1 100644 --- a/latest/ug/nodes/hybrid-nodes.adoc +++ b/latest/ug/nodes/hybrid-nodes.adoc @@ -6,7 +6,6 @@ :info_title: Amazon EKS Hybrid Nodes overview :info_titleabbrev: Hybrid nodes :keywords: on-premises, hybrid -:info_abstract: Amazon EKS Hybrid Nodes overview include::../attributes.txt[] diff --git a/latest/ug/nodes/managed-node-groups.adoc b/latest/ug/nodes/managed-node-groups.adoc index b48631f88..5d5aa4509 100644 --- a/latest/ug/nodes/managed-node-groups.adoc +++ b/latest/ug/nodes/managed-node-groups.adoc @@ -6,8 +6,6 @@ :info_title: Simplify node lifecycle with managed node groups :info_titleabbrev: Managed node groups :keywords: managed node group, MNG -:info_abstract: Amazon EKS managed node groups automate the provisioning and lifecycle management of \ - nodes (Amazon EC2 instances) for Amazon EKS Kubernetes clusters. include::../attributes.txt[] diff --git a/latest/ug/nodes/worker.adoc b/latest/ug/nodes/worker.adoc index 747613458..8d258c791 100644 --- a/latest/ug/nodes/worker.adoc +++ b/latest/ug/nodes/worker.adoc @@ -6,7 +6,6 @@ :info_title: Maintain nodes yourself with self-managed nodes :info_titleabbrev: Self-managed nodes :keywords: self-managed, node -:info_abstract: A cluster contains one or more Amazon EC2 nodes that Pods are scheduled on. include::../attributes.txt[] diff --git a/latest/ug/observability/control-plane-logs.adoc b/latest/ug/observability/control-plane-logs.adoc index 45651d68d..3b3d23029 100644 --- a/latest/ug/observability/control-plane-logs.adoc +++ b/latest/ug/observability/control-plane-logs.adoc @@ -8,7 +8,6 @@ include::../attributes.txt[] :info_title: Send control plane logs to CloudWatch Logs :info_titleabbrev: Control plane logs :keywords: control plane, logging, API, logs -:info_abstract: Learn how to configure logging for your Amazon EKS cluster. [abstract] -- diff --git a/latest/ug/observability/eks-observe.adoc b/latest/ug/observability/eks-observe.adoc index 463c58f04..404d8033e 100644 --- a/latest/ug/observability/eks-observe.adoc +++ b/latest/ug/observability/eks-observe.adoc @@ -14,8 +14,6 @@ include::../attributes.txt[] :info_title: Monitor your cluster performance and view logs :info_titleabbrev: Monitor clusters :keywords: observability, monitoring, logging, logs, data -:info_abstract: You can observe your data in Amazon EKS using many available monitoring or logging \ - tools. [abstract] -- diff --git a/latest/ug/observability/logging-using-cloudtrail.adoc b/latest/ug/observability/logging-using-cloudtrail.adoc index 4136d6e62..1e25386f9 100644 --- a/latest/ug/observability/logging-using-cloudtrail.adoc +++ b/latest/ug/observability/logging-using-cloudtrail.adoc @@ -8,7 +8,6 @@ include::../attributes.txt[] :info_title: Log API calls as {aws} CloudTrail events :info_titleabbrev: {aws} CloudTrail :keywords: logging, API calls, {aws} CloudTrail -:info_abstract: Learn about logging Amazon EKS with {aws} CloudTrail. [abstract] -- diff --git a/latest/ug/observability/observability-dashboard.adoc b/latest/ug/observability/observability-dashboard.adoc index cb949d4cc..2a9375324 100644 --- a/latest/ug/observability/observability-dashboard.adoc +++ b/latest/ug/observability/observability-dashboard.adoc @@ -6,7 +6,6 @@ :info_doctype: section :info_titleabbrev: Observability dashboard :keywords: observability, dashboard -:info_abstract: Learn how to configure logging for your Amazon EKS cluster. include::../attributes.txt[] diff --git a/latest/ug/observability/opentelemetry.adoc b/latest/ug/observability/opentelemetry.adoc index 7345cd7fa..5f2b0a272 100644 --- a/latest/ug/observability/opentelemetry.adoc +++ b/latest/ug/observability/opentelemetry.adoc @@ -8,9 +8,6 @@ include::../attributes.txt[] :info_title: Send metric and trace data with ADOT Operator :info_titleabbrev: ADOT Operator :keywords: ADOT -:info_abstract: The {aws} Distro for OpenTelemetry (ADOT) Operator makes it easier to enable your \ - applications running on Amazon EKS to send metric and trace data to multiple monitoring service \ - options. [abstract] -- diff --git a/latest/ug/observability/prometheus.adoc b/latest/ug/observability/prometheus.adoc index de795dc4c..86da1041b 100644 --- a/latest/ug/observability/prometheus.adoc +++ b/latest/ug/observability/prometheus.adoc @@ -8,8 +8,6 @@ include::../attributes.txt[] :info_title: Monitor your cluster metrics with Prometheus :info_titleabbrev: Prometheus metrics :keywords: Prometheus, metrics, control plane -:info_abstract: This topic explains how to deploy Prometheus and some of the ways \ - that you can use it to view and analyze what your cluster is doing. [abstract] -- diff --git a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc index d16c40965..d1f244369 100644 --- a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc +++ b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc @@ -8,8 +8,6 @@ include::../attributes.txt[] :info_title: Create Amazon Linux nodes on {aws} Outposts :info_titleabbrev: Nodes :keywords: launch, start, self-managed, Linux, node -:info_abstract: Learn how to launch Auto Scaling groups of Amazon Linux nodes on an Outpost that register with \ - your Amazon EKS cluster. The cluster can be on the {aws} Cloud or on an Outpost. [abstract] -- diff --git a/latest/ug/outposts/eks-outposts.adoc b/latest/ug/outposts/eks-outposts.adoc index 13a940afc..3ff1e013d 100644 --- a/latest/ug/outposts/eks-outposts.adoc +++ b/latest/ug/outposts/eks-outposts.adoc @@ -14,7 +14,6 @@ include::../attributes.txt[] :info_title: Deploy Amazon EKS on-premises with {aws} Outposts :info_titleabbrev: Amazon EKS on {aws} Outposts :keywords: Amazon EKS, {aws} Outposts, extended clusters, local clusters -:info_abstract: Learn to deploy Amazon EKS on {aws} Outposts for local or extended clusters to run on-premises Kubernetes applications with a fully managed control plane. [abstract] -- diff --git a/latest/ug/quickstart.adoc b/latest/ug/quickstart.adoc index 475439e67..841d034f0 100644 --- a/latest/ug/quickstart.adoc +++ b/latest/ug/quickstart.adoc @@ -6,7 +6,6 @@ :info_title: Quickstart: Deploy a web app and store data :info_titleabbrev: Quickstart :keywords: quickstart, web, cluster -:info_abstract: Deploy a game application and persist its data on Amazon EKS include::attributes.txt[] diff --git a/latest/ug/related-projects.adoc b/latest/ug/related-projects.adoc index 7f68f7e77..8b559cd16 100644 --- a/latest/ug/related-projects.adoc +++ b/latest/ug/related-projects.adoc @@ -13,7 +13,6 @@ include::attributes.txt[] :info_doctype: chapter :info_title: Extend Amazon EKS capabilities with open source projects :info_titleabbrev: Projects related to Amazon EKS -:info_abstract: Learn how to use open source projects to add features to Amazon EKS for management, networking, machine learning, auto-scaling, monitoring, and CI/CD. [abstract] -- diff --git a/latest/ug/roadmap.adoc b/latest/ug/roadmap.adoc index 227222e7b..a6f21585b 100644 --- a/latest/ug/roadmap.adoc +++ b/latest/ug/roadmap.adoc @@ -14,7 +14,6 @@ include::attributes.txt[] :info_doctype: chapter :info_title: Learn about Amazon EKS new features and roadmap :info_titleabbrev: New features and roadmap -:info_abstract: Follow the What's New feed and public roadmap to help plan for new and future Amazon EKS developments. [abstract] -- diff --git a/latest/ug/storage/csi-snapshot-controller.adoc b/latest/ug/storage/csi-snapshot-controller.adoc index 535880c62..9eae9a683 100644 --- a/latest/ug/storage/csi-snapshot-controller.adoc +++ b/latest/ug/storage/csi-snapshot-controller.adoc @@ -8,9 +8,6 @@ include::../attributes.txt[] :info_title: Enable snapshot functionality for CSI volumes :info_titleabbrev: CSI snapshot controller :keywords: CSI, snapshot, controller -:info_abstract: The Container Storage Interface (CSI) snapshot controller enables the use of \ - snapshot functionality in compatible CSI drivers, such as the Amazon EBS CSI \ - driver. [abstract] -- diff --git a/latest/ug/storage/ebs-csi-migration-faq.adoc b/latest/ug/storage/ebs-csi-migration-faq.adoc index 892450906..626605e43 100644 --- a/latest/ug/storage/ebs-csi-migration-faq.adoc +++ b/latest/ug/storage/ebs-csi-migration-faq.adoc @@ -9,10 +9,6 @@ include::../attributes.txt[] questions :info_titleabbrev: EBS CSI migration FAQ :keywords: Amazon EBS CSI driver, storage, CSI migration -:info_abstract: The Amazon EBS container storage interface migration feature is enabled by default on \ - Amazon EKS 1.23 and later clusters. Learn answers to frequently asked \ - questions about the feature and how it works with 1.23 and later \ - clusters. [abstract] -- diff --git a/latest/ug/storage/ebs-csi.adoc b/latest/ug/storage/ebs-csi.adoc index 726a2352f..be4310bbb 100644 --- a/latest/ug/storage/ebs-csi.adoc +++ b/latest/ug/storage/ebs-csi.adoc @@ -8,8 +8,6 @@ include::../attributes.txt[] :info_title: Store Kubernetes volumes with Amazon EBS :info_titleabbrev: Amazon EBS :keywords: Amazon EBS CSI driver, storage -:info_abstract: The Amazon Elastic Block Store (Amazon EBS) Container Storage Interface (CSI) driver manages the \ - lifecycle of Amazon EBS volumes as storage for Kubernetes Volumes. [abstract] -- diff --git a/latest/ug/storage/file-cache-csi.adoc b/latest/ug/storage/file-cache-csi.adoc index fcffabe03..9105079a8 100644 --- a/latest/ug/storage/file-cache-csi.adoc +++ b/latest/ug/storage/file-cache-csi.adoc @@ -8,9 +8,6 @@ include::../attributes.txt[] :info_title: Minimize latency with Amazon File Cache :info_titleabbrev: Amazon File Cache :keywords: Amazon File Cache CSI driver, storage -:info_abstract: The Amazon File Cache Container Storage Interface (CSI) driver provides a CSI \ - interface that allows Amazon EKS clusters to manage the life cycle of Amazon file \ - caches. [abstract] -- diff --git a/latest/ug/storage/fsx-csi.adoc b/latest/ug/storage/fsx-csi.adoc index 11f55821a..6fc9b2a86 100644 --- a/latest/ug/storage/fsx-csi.adoc +++ b/latest/ug/storage/fsx-csi.adoc @@ -8,9 +8,6 @@ include::../attributes.txt[] :info_title: Store high-performance apps with FSx for Lustre :info_titleabbrev: Amazon FSx for Lustre :keywords: Amazon FSx for Lustre CSI driver, storage -:info_abstract: The FSx for Lustre Container Storage Interface (CSI) driver provides a CSI interface \ - that allows Amazon EKS clusters to manage the lifecycle of FSx for Lustre file \ - systems. [abstract] -- diff --git a/latest/ug/storage/fsx-ontap.adoc b/latest/ug/storage/fsx-ontap.adoc index eacbd3bac..9115d2fc7 100644 --- a/latest/ug/storage/fsx-ontap.adoc +++ b/latest/ug/storage/fsx-ontap.adoc @@ -8,9 +8,6 @@ include::../attributes.txt[] :info_title: Store high-performance apps with FSx for NetApp ONTAP :info_titleabbrev: Amazon FSx for NetApp ONTAP :keywords: Amazon FSx for NetApp ONTAP CSI driver, storage -:info_abstract: NetApp's \ - NetApp Trident allows Amazon EKS clusters to manage the lifecycle of \ - persistent volumes (PVs) backed by Amazon FSx for NetApp ONTAP file systems. [abstract] -- diff --git a/latest/ug/storage/fsx-openzfs-csi.adoc b/latest/ug/storage/fsx-openzfs-csi.adoc index 53963c5ef..de0448a68 100644 --- a/latest/ug/storage/fsx-openzfs-csi.adoc +++ b/latest/ug/storage/fsx-openzfs-csi.adoc @@ -8,9 +8,6 @@ include::../attributes.txt[] :info_title: Store data using Amazon FSx for OpenZFS :info_titleabbrev: Amazon FSx for OpenZFS :keywords: Amazon FSx for OpenZFS CSI driver, storage -:info_abstract: The Amazon FSx for OpenZFS Container Storage Interface (CSI) driver provides a CSI \ - interface that allows Amazon EKS clusters to manage the life cycle of Amazon FSx for OpenZFS \ - volumes. [abstract] -- diff --git a/latest/ug/storage/s3-csi.adoc b/latest/ug/storage/s3-csi.adoc index f7b080538..7a0f8bc48 100644 --- a/latest/ug/storage/s3-csi.adoc +++ b/latest/ug/storage/s3-csi.adoc @@ -8,8 +8,6 @@ include::../attributes.txt[] :info_title: Access Amazon S3 objects with Mountpoint for Amazon S3 CSI driver :info_titleabbrev: Mountpoint for Amazon S3 :keywords: Mountpoint for Amazon S3 CSI driver, storage -:info_abstract: Learn about the Amazon S3 Container Storage Interface (CSI) driver, which provides a \ - CSI interface for managing Amazon S3 files and buckets. [abstract] -- diff --git a/latest/ug/storage/storage.adoc b/latest/ug/storage/storage.adoc index 0c4b037c0..a1c45264e 100644 --- a/latest/ug/storage/storage.adoc +++ b/latest/ug/storage/storage.adoc @@ -14,7 +14,6 @@ include::../attributes.txt[] :info_title: Store application data for your cluster :info_titleabbrev: Store app data :keywords: persistent, data, app, storage -:info_abstract: This chapter covers storage options for Amazon EKS clusters. [abstract] -- diff --git a/latest/ug/troubleshooting/troubleshooting.adoc b/latest/ug/troubleshooting/troubleshooting.adoc index e2a1ff955..054a6a8dc 100644 --- a/latest/ug/troubleshooting/troubleshooting.adoc +++ b/latest/ug/troubleshooting/troubleshooting.adoc @@ -13,8 +13,6 @@ :info_title: Troubleshoot problems with Amazon EKS clusters and nodes :info_titleabbrev: Troubleshooting :keywords: troubleshooting, help, FAQ -:info_abstract: This chapter covers some common errors that you may see while using Amazon EKS and how \ - to work around them. include::../attributes.txt[] diff --git a/latest/ug/what-is/common-use-cases.adoc b/latest/ug/what-is/common-use-cases.adoc index cb382dbf1..ad6497389 100644 --- a/latest/ug/what-is/common-use-cases.adoc +++ b/latest/ug/what-is/common-use-cases.adoc @@ -8,7 +8,6 @@ include::../attributes.txt[] :info_title: Common use cases in Amazon EKS :info_titleabbrev: Common use cases :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, use cases, summary, description -:info_abstract: Discover how Amazon EKS helps deploy highly available containerized applications, build microservices architectures, automate software release processes, run serverless applications, execute machine learning workloads, deploy consistently on-premises and in the cloud, process big data cost-effectively, and ensure security and compliance. [abstract] -- diff --git a/latest/ug/what-is/eks-architecture.adoc b/latest/ug/what-is/eks-architecture.adoc index 6fb916dcf..e2f0c090c 100644 --- a/latest/ug/what-is/eks-architecture.adoc +++ b/latest/ug/what-is/eks-architecture.adoc @@ -8,7 +8,6 @@ include::../attributes.txt[] :info_title: Amazon EKS architecture :info_titleabbrev: Architecture :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, architecture, control plane, nodes, data plane -:info_abstract: Learn how Amazon EKS aligns with Kubernetes cluster architecture, offering a highly available and resilient control plane, and flexible compute options like {aws} Fargate, Karpenter, managed node groups, and self-managed nodes to meet diverse workload requirements. [abstract] -- diff --git a/latest/ug/what-is/eks-deployment-options.adoc b/latest/ug/what-is/eks-deployment-options.adoc index ba61dcac4..7419467ec 100644 --- a/latest/ug/what-is/eks-deployment-options.adoc +++ b/latest/ug/what-is/eks-deployment-options.adoc @@ -6,7 +6,6 @@ :info_title: Deploy Amazon EKS clusters across cloud and on-premises environments :info_titleabbrev: Deployment options :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, deployment, options, comparison -:info_abstract: Learn to deploy Kubernetes clusters with Amazon EKS across cloud and on-premises environments to meet your operational needs, while leveraging {aws} services and support. include::../attributes.txt[] diff --git a/latest/ug/what-is/kubernetes-concepts.adoc b/latest/ug/what-is/kubernetes-concepts.adoc index c583f8d3e..a79f04349 100644 --- a/latest/ug/what-is/kubernetes-concepts.adoc +++ b/latest/ug/what-is/kubernetes-concepts.adoc @@ -8,7 +8,6 @@ include::../attributes.txt[] :info_title: Kubernetes concepts :info_titleabbrev: Kubernetes concepts :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, architecture, control plane, nodes, data plane -:info_abstract: Learn core Kubernetes concepts and how they relate to deploying workloads, managing clusters, and working with control planes, nodes, Pods, containers, and networking on Amazon EKS. [abstract] -- diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index ad3c14ea1..14ded8db4 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -15,7 +15,6 @@ include::../attributes.txt[] :info_title: What is Amazon EKS? :info_titleabbrev: What is Amazon EKS? :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, about, summary, description -:info_abstract: Learn to manage containerized applications with Amazon EKS [abstract] -- diff --git a/latest/ug/workloads/alb-ingress.adoc b/latest/ug/workloads/alb-ingress.adoc index d097b58ef..b95e0a718 100644 --- a/latest/ug/workloads/alb-ingress.adoc +++ b/latest/ug/workloads/alb-ingress.adoc @@ -5,7 +5,6 @@ :info_doctype: section :info_title: Route application and HTTP traffic with Application Load Balancers :info_titleabbrev: Application load balancing -:info_abstract: Learn how to use Application Load Balancing on Amazon EKS to load balance application traffic at L7 with {aws} Load Balancer Controller. include::../attributes.txt[] diff --git a/latest/ug/workloads/eks-add-ons.adoc b/latest/ug/workloads/eks-add-ons.adoc index 0ad07fb1d..8de8312a3 100644 --- a/latest/ug/workloads/eks-add-ons.adoc +++ b/latest/ug/workloads/eks-add-ons.adoc @@ -7,7 +7,6 @@ :info_title: Amazon EKS add-ons :info_titleabbrev: Amazon EKS add-ons :keywords: managed, add-ons, plugins -:info_abstract: Learn how to manage operational software add-ons on Amazon EKS clusters with Amazon EKS add-ons for observability, networking, storage, and security from {aws} and third-party vendors. include::../attributes.txt[] diff --git a/latest/ug/workloads/horizontal-pod-autoscaler.adoc b/latest/ug/workloads/horizontal-pod-autoscaler.adoc index ce25b2c06..3b36a46d8 100644 --- a/latest/ug/workloads/horizontal-pod-autoscaler.adoc +++ b/latest/ug/workloads/horizontal-pod-autoscaler.adoc @@ -7,7 +7,6 @@ include::../attributes.txt[] :info_doctype: section :info_title: Scale pod deployments with Horizontal Pod Autoscaler :info_titleabbrev: Horizontal Pod Autoscaler -:info_abstract: Learn how to use the Kubernetes Horizontal Pod Autoscaler to automatically scale your Amazon EKS deployments based on CPU utilization for efficient resource management. [abstract] -- diff --git a/latest/ug/workloads/image-verification.adoc b/latest/ug/workloads/image-verification.adoc index 8557afaf6..54868bf88 100644 --- a/latest/ug/workloads/image-verification.adoc +++ b/latest/ug/workloads/image-verification.adoc @@ -7,7 +7,6 @@ include::../attributes.txt[] :info_doctype: section :info_title: Validate container image signatures during deployment :info_titleabbrev: Verify container images -:info_abstract: Learn how to verify signed container images during deployment on Amazon EKS using admission controllers like Gatekeeper with Ratify or Kyverno configured with {aws} Signer plugins for validating image signatures. [abstract] -- diff --git a/latest/ug/workloads/network-load-balancing.adoc b/latest/ug/workloads/network-load-balancing.adoc index 3b71b4f1b..34f203875 100644 --- a/latest/ug/workloads/network-load-balancing.adoc +++ b/latest/ug/workloads/network-load-balancing.adoc @@ -5,7 +5,6 @@ :info_doctype: section :info_title: Route TCP and UDP traffic with Network Load Balancers :info_titleabbrev: Network load balancing -:info_abstract: Use the {aws} Load Balancer Controller to create network load balancers for Amazon EKS workloads, supporting IP and instance targets with {aws} Network Load Balancers. include::../attributes.txt[] diff --git a/latest/ug/workloads/vertical-pod-autoscaler.adoc b/latest/ug/workloads/vertical-pod-autoscaler.adoc index 77a0ce920..bf07a97a8 100644 --- a/latest/ug/workloads/vertical-pod-autoscaler.adoc +++ b/latest/ug/workloads/vertical-pod-autoscaler.adoc @@ -7,7 +7,6 @@ include::../attributes.txt[] :info_doctype: section :info_title: Adjust pod resources with Vertical Pod Autoscaler :info_titleabbrev: Vertical Pod Autoscaler -:info_abstract: Discover how the Kubernetes Vertical Pod Autoscaler automatically adjusts CPU and memory reservations for your Pods to optimize resource utilization and right-size applications on Amazon EKS. [abstract] -- From 27e602c541f49a672fb8bfe8013a4b6fe6fba63f Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Thu, 23 Jan 2025 22:43:22 +0000 Subject: [PATCH 045/940] Globally removed metadata that does not seem to be needed to simplify creating new pages. --- .vscode/asciidoc.code-snippets | 4 +--- latest/ug/automode/api-reference.adoc | 1 - latest/ug/automode/associate-workload.adoc | 4 +--- latest/ug/automode/auto-configure-alb.adoc | 3 +-- latest/ug/automode/auto-configure-nlb.adoc | 3 +-- latest/ug/automode/auto-disable.adoc | 3 +-- latest/ug/automode/auto-elb-example.adoc | 4 +--- latest/ug/automode/auto-enable-existing.adoc | 4 +--- latest/ug/automode/auto-glossary.adoc | 4 +--- latest/ug/automode/auto-learn-iam.adoc | 3 +-- latest/ug/automode/auto-migrate-karpenter.adoc | 4 +--- latest/ug/automode/auto-migrate-mng.adoc | 4 +--- latest/ug/automode/auto-mng.adoc | 4 +--- latest/ug/automode/auto-net-pol.adoc | 3 +-- latest/ug/automode/auto-networking.adoc | 4 +--- latest/ug/automode/auto-reference.adoc | 4 +--- latest/ug/automode/auto-troubleshoot.adoc | 4 +--- latest/ug/automode/auto-upgrade.adoc | 3 +-- latest/ug/automode/auto-workloads.adoc | 4 +--- latest/ug/automode/automode-get-started-cli.adoc | 4 +--- latest/ug/automode/automode-get-started-console.adoc | 4 +--- latest/ug/automode/automode-get-started-eksctl.adoc | 4 +--- latest/ug/automode/automode-learn-instances.adoc | 4 +--- latest/ug/automode/automode-workload.adoc | 4 +--- latest/ug/automode/automode.adoc | 4 +--- latest/ug/automode/create-auto.adoc | 4 +--- latest/ug/automode/create-node-class.adoc | 3 +-- latest/ug/automode/create-node-pool.adoc | 3 +-- latest/ug/automode/create-storage-class.adoc | 3 +-- latest/ug/automode/critical-workload.adoc | 3 +-- latest/ug/automode/migrate-auto.adoc | 4 +--- latest/ug/automode/old/hpa_scaling.adoc | 3 +-- latest/ug/automode/sample-storage-workload.adoc | 4 +--- latest/ug/automode/set-builtin-node-pools.adoc | 3 +-- latest/ug/automode/settings-auto.adoc | 4 +--- latest/ug/automode/troubleshoot-lbc.adoc | 3 +-- latest/ug/automode/wip.adoc | 3 +-- latest/ug/automode/wip/create-vpc-console.adoc | 3 +-- latest/ug/automode/wip/eksctl-docs.adoc | 3 +-- latest/ug/automode/wip/tag-subnets.adoc | 3 +-- latest/ug/book.adoc | 4 +--- latest/ug/clusters/autoscaling.adoc | 4 +--- latest/ug/clusters/cluster-endpoint.adoc | 4 +--- latest/ug/clusters/cluster-insights.adoc | 2 +- latest/ug/clusters/clusters.adoc | 4 +--- latest/ug/clusters/create-cluster-auto.adoc | 4 +--- latest/ug/clusters/create-cluster.adoc | 4 +--- latest/ug/clusters/delete-cluster.adoc | 4 +--- latest/ug/clusters/disable-windows-support.adoc | 4 +--- latest/ug/clusters/kubernetes-versions-extended.adoc | 2 +- latest/ug/clusters/kubernetes-versions-standard.adoc | 2 +- latest/ug/clusters/kubernetes-versions.adoc | 4 +--- latest/ug/clusters/management/cost-monitoring-aws.adoc | 1 - .../management/cost-monitoring-kubecost-bundles.adoc | 3 +-- latest/ug/clusters/management/cost-monitoring-kubecost.adoc | 1 - latest/ug/clusters/management/cost-monitoring.adoc | 4 +--- latest/ug/clusters/management/eks-managing.adoc | 4 +--- latest/ug/clusters/management/eks-using-tags.adoc | 4 +--- latest/ug/clusters/management/helm.adoc | 4 +--- latest/ug/clusters/management/metrics-server.adoc | 4 +--- latest/ug/clusters/management/service-quotas.adoc | 4 +--- latest/ug/clusters/platform-versions.adoc | 4 +--- latest/ug/clusters/private-clusters.adoc | 4 +--- latest/ug/clusters/update-cluster.adoc | 4 +--- latest/ug/clusters/windows-support.adoc | 5 +---- latest/ug/clusters/zone-shift-enable.adoc | 3 +-- latest/ug/clusters/zone-shift.adoc | 3 +-- latest/ug/connector/connecting-cluster.adoc | 4 +--- latest/ug/connector/connector-grant-access.adoc | 5 +---- latest/ug/connector/deregister-connected-cluster.adoc | 4 +--- latest/ug/connector/eks-connector.adoc | 4 +--- latest/ug/connector/security-connector.adoc | 4 +--- latest/ug/connector/troubleshooting-connector.adoc | 4 +--- latest/ug/connector/tsc-faq.adoc | 4 +--- latest/ug/doc-history.adoc | 4 +--- latest/ug/getting-started/getting-started-automode.adoc | 5 +---- latest/ug/getting-started/getting-started-console.adoc | 5 +---- latest/ug/getting-started/getting-started-eksctl.adoc | 5 +---- latest/ug/getting-started/getting-started.adoc | 4 +--- latest/ug/getting-started/install-awscli.adoc | 4 +--- latest/ug/getting-started/install-kubectl.adoc | 4 +--- latest/ug/getting-started/learn-eks.adoc | 4 +--- latest/ug/getting-started/setting-up.adoc | 4 +--- .../integrations/creating-resources-with-cloudformation.adoc | 5 +---- latest/ug/integrations/eks-integrations.adoc | 4 +--- latest/ug/integrations/integration-detective.adoc | 4 +--- latest/ug/integrations/integration-guardduty.adoc | 4 +--- latest/ug/integrations/integration-resilience-hub.adoc | 4 +--- latest/ug/integrations/integration-securitylake.adoc | 4 +--- latest/ug/integrations/integration-vpc-lattice.adoc | 4 +--- latest/ug/integrations/local-zones.adoc | 4 +--- latest/ug/manage-access/aws-access/service-accounts.adoc | 4 +--- latest/ug/manage-access/cluster-auth.adoc | 4 +--- latest/ug/manage-access/create-kubeconfig.adoc | 4 +--- latest/ug/manage-access/k8s-access/access-entries.adoc | 3 +-- latest/ug/manage-access/k8s-access/access-policies.adoc | 3 +-- .../ug/manage-access/k8s-access/access-policy-reference.adoc | 3 +-- latest/ug/manage-access/k8s-access/auth-configmap.adoc | 3 +-- .../k8s-access/authenticate-oidc-identity-provider.adoc | 3 +-- .../k8s-access/disassociate-oidc-identity-provider.adoc | 3 +-- latest/ug/manage-access/k8s-access/grant-k8s-access.adoc | 4 +--- .../manage-access/k8s-access/migrating-access-entries.adoc | 3 +-- latest/ug/manage-access/view-kubernetes-resources.adoc | 4 +--- latest/ug/ml/capacity-blocks-mng.adoc | 2 +- latest/ug/ml/capacity-blocks.adoc | 2 +- latest/ug/ml/inferentia-support.adoc | 4 +--- latest/ug/ml/machine-learning-on-eks.adoc | 4 +--- latest/ug/ml/ml-eks-optimized-ami.adoc | 2 +- latest/ug/ml/ml-eks-windows-optimized-ami.adoc | 2 +- latest/ug/ml/ml-get-started.adoc | 4 +--- latest/ug/ml/ml-prepare-for-cluster.adoc | 4 +--- latest/ug/ml/ml-tutorials.adoc | 4 +--- latest/ug/ml/node-efa.adoc | 5 +---- latest/ug/ml/node-taints-managed-node-groups.adoc | 2 +- latest/ug/networking/alternate-cni-plugins.adoc | 2 +- latest/ug/networking/aws-load-balancer-controller.adoc | 2 +- latest/ug/networking/cni-custom-network-tutorial.adoc | 2 +- latest/ug/networking/cni-custom-network.adoc | 2 +- latest/ug/networking/cni-iam-role.adoc | 2 +- .../ug/networking/cni-increase-ip-addresses-procedure.adoc | 2 +- latest/ug/networking/cni-increase-ip-addresses.adoc | 2 +- latest/ug/networking/cni-ipv6.adoc | 2 +- latest/ug/networking/cni-network-policy-configure.adoc | 2 +- latest/ug/networking/cni-network-policy.adoc | 2 +- latest/ug/networking/coredns-add-on-create.adoc | 2 +- latest/ug/networking/coredns-add-on-self-managed-update.adoc | 2 +- latest/ug/networking/coredns-add-on-update.adoc | 2 +- latest/ug/networking/coredns-autoscaling.adoc | 2 +- latest/ug/networking/coredns-metrics.adoc | 2 +- latest/ug/networking/creating-a-vpc.adoc | 4 +--- latest/ug/networking/deploy-ipv6-cluster.adoc | 2 +- latest/ug/networking/eks-networking-add-ons.adoc | 2 +- latest/ug/networking/eks-networking.adoc | 3 +-- latest/ug/networking/external-snat.adoc | 2 +- .../ug/networking/kube-proxy-add-on-self-managed-update.adoc | 2 +- latest/ug/networking/lbc-helm.adoc | 2 +- latest/ug/networking/lbc-manifest.adoc | 2 +- latest/ug/networking/lbc-remove.adoc | 2 +- latest/ug/networking/managing-coredns.adoc | 2 +- latest/ug/networking/managing-kube-proxy.adoc | 2 +- latest/ug/networking/managing-vpc-cni.adoc | 2 +- latest/ug/networking/network-policies-troubleshooting.adoc | 2 +- latest/ug/networking/network-policy-disable.adoc | 2 +- latest/ug/networking/network-policy-stars-demo.adoc | 2 +- latest/ug/networking/network-reqs.adoc | 4 +--- latest/ug/networking/pod-multiple-network-interfaces.adoc | 2 +- latest/ug/networking/pod-networking-use-cases.adoc | 2 +- latest/ug/networking/sec-group-reqs.adoc | 4 +--- latest/ug/networking/security-groups-for-pods.adoc | 2 +- latest/ug/networking/security-groups-pods-deployment.adoc | 2 +- latest/ug/networking/sg-pods-example-deployment.adoc | 2 +- latest/ug/networking/vpc-add-on-create.adoc | 2 +- latest/ug/networking/vpc-add-on-self-managed-update.adoc | 2 +- latest/ug/networking/vpc-add-on-update.adoc | 2 +- latest/ug/nodes/al2023.adoc | 2 +- latest/ug/nodes/auto-get-logs.adoc | 2 +- latest/ug/nodes/bottlerocket-compliance-support.adoc | 2 +- latest/ug/nodes/choosing-instance-type.adoc | 4 +--- latest/ug/nodes/create-managed-node-group.adoc | 2 +- latest/ug/nodes/delete-fargate-profile.adoc | 2 +- latest/ug/nodes/delete-managed-node-group.adoc | 2 +- latest/ug/nodes/dockershim-deprecation.adoc | 2 +- latest/ug/nodes/eks-ami-build-scripts.adoc | 2 +- latest/ug/nodes/eks-ami-versions-bottlerocket.adoc | 2 +- latest/ug/nodes/eks-ami-versions-windows.adoc | 2 +- latest/ug/nodes/eks-compute.adoc | 4 +--- latest/ug/nodes/eks-custom-ami-windows.adoc | 2 +- latest/ug/nodes/eks-linux-ami-versions.adoc | 2 +- latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc | 2 +- latest/ug/nodes/eks-optimized-ami.adoc | 2 +- latest/ug/nodes/eks-optimized-amis.adoc | 4 +--- latest/ug/nodes/eks-optimized-windows-ami.adoc | 2 +- latest/ug/nodes/eks-partner-amis.adoc | 2 +- latest/ug/nodes/fargate-getting-started.adoc | 2 +- latest/ug/nodes/fargate-logging.adoc | 2 +- latest/ug/nodes/fargate-pod-configuration.adoc | 2 +- latest/ug/nodes/fargate-pod-patching.adoc | 2 +- latest/ug/nodes/fargate-profile.adoc | 2 +- latest/ug/nodes/fargate.adoc | 4 +--- latest/ug/nodes/hybrid-nodes-add-ons.adoc | 4 +--- latest/ug/nodes/hybrid-nodes-cluster-create.adoc | 4 +--- latest/ug/nodes/hybrid-nodes-cluster-prep.adoc | 3 +-- latest/ug/nodes/hybrid-nodes-cni.adoc | 4 +--- latest/ug/nodes/hybrid-nodes-creds.adoc | 2 +- latest/ug/nodes/hybrid-nodes-join.adoc | 4 +--- latest/ug/nodes/hybrid-nodes-networking.adoc | 4 +--- latest/ug/nodes/hybrid-nodes-nodeadm.adoc | 4 +--- latest/ug/nodes/hybrid-nodes-os.adoc | 4 +--- latest/ug/nodes/hybrid-nodes-prereqs.adoc | 4 +--- latest/ug/nodes/hybrid-nodes-proxy.adoc | 4 +--- latest/ug/nodes/hybrid-nodes-remove.adoc | 4 +--- latest/ug/nodes/hybrid-nodes-troubleshooting.adoc | 4 +--- latest/ug/nodes/hybrid-nodes-tutorial.adoc | 4 +--- latest/ug/nodes/hybrid-nodes-upgrade.adoc | 4 +--- latest/ug/nodes/hybrid-nodes.adoc | 4 +--- latest/ug/nodes/launch-node-bottlerocket.adoc | 2 +- latest/ug/nodes/launch-node-ubuntu.adoc | 2 +- latest/ug/nodes/launch-templates.adoc | 2 +- latest/ug/nodes/launch-windows-workers.adoc | 2 +- latest/ug/nodes/launch-workers.adoc | 2 +- latest/ug/nodes/learn-status-conditions.adoc | 2 +- latest/ug/nodes/managed-node-groups.adoc | 4 +--- latest/ug/nodes/managed-node-update-behavior.adoc | 2 +- latest/ug/nodes/migrate-stack.adoc | 2 +- latest/ug/nodes/monitoring-fargate-usage.adoc | 2 +- latest/ug/nodes/node-health.adoc | 2 +- latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc | 2 +- latest/ug/nodes/retrieve-ami-id.adoc | 2 +- latest/ug/nodes/retrieve-windows-ami-id.adoc | 2 +- latest/ug/nodes/self-managed-windows-server-2022.adoc | 2 +- latest/ug/nodes/update-managed-node-group.adoc | 2 +- latest/ug/nodes/update-stack.adoc | 2 +- latest/ug/nodes/update-workers.adoc | 2 +- latest/ug/nodes/worker.adoc | 4 +--- latest/ug/observability/cloudwatch.adoc | 2 +- latest/ug/observability/control-plane-logs.adoc | 4 +--- latest/ug/observability/deploy-prometheus.adoc | 2 +- latest/ug/observability/eks-observe.adoc | 4 +--- latest/ug/observability/enable-asg-metrics.adoc | 2 +- latest/ug/observability/logging-using-cloudtrail.adoc | 4 +--- latest/ug/observability/observability-dashboard.adoc | 3 +-- latest/ug/observability/opentelemetry.adoc | 4 +--- latest/ug/observability/prometheus.adoc | 4 +--- latest/ug/observability/service-name-info-in-cloudtrail.adoc | 2 +- .../ug/observability/understanding-service-name-entries.adoc | 2 +- latest/ug/observability/view-raw-metrics.adoc | 2 +- latest/ug/outposts/eks-outposts-capacity-considerations.adoc | 2 +- latest/ug/outposts/eks-outposts-local-cluster-create.adoc | 2 +- latest/ug/outposts/eks-outposts-local-cluster-overview.adoc | 2 +- latest/ug/outposts/eks-outposts-network-disconnects.adoc | 2 +- latest/ug/outposts/eks-outposts-platform-versions.adoc | 2 +- latest/ug/outposts/eks-outposts-self-managed-nodes.adoc | 4 +--- latest/ug/outposts/eks-outposts-troubleshooting.adoc | 2 +- latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc | 2 +- latest/ug/outposts/eks-outposts.adoc | 4 +--- latest/ug/quickstart.adoc | 4 +--- latest/ug/related-projects.adoc | 4 +--- latest/ug/roadmap.adoc | 4 +--- latest/ug/security/auto-security.adoc | 3 +-- latest/ug/security/cert-signing.adoc | 2 +- latest/ug/security/compliance.adoc | 4 +--- latest/ug/security/configuration-vulnerability-analysis.adoc | 2 +- latest/ug/security/default-roles-users.adoc | 2 +- latest/ug/security/disaster-recovery-resiliency.adoc | 2 +- latest/ug/security/enable-kms.adoc | 2 +- latest/ug/security/iam-reference/auto-cluster-iam-role.adoc | 2 +- latest/ug/security/iam-reference/auto-create-node-role.adoc | 2 +- latest/ug/security/iam-reference/cluster-iam-role.adoc | 2 +- latest/ug/security/iam-reference/connector-iam-role.adoc | 2 +- latest/ug/security/iam-reference/create-node-role.adoc | 2 +- latest/ug/security/iam-reference/pod-execution-role.adoc | 2 +- latest/ug/security/iam-reference/security-iam-awsmanpol.adoc | 2 +- .../iam-reference/security-iam-id-based-policy-examples.adoc | 2 +- .../iam-reference/security-iam-service-with-iam.adoc | 2 +- .../ug/security/iam-reference/security-iam-troubleshoot.adoc | 2 +- latest/ug/security/iam-reference/security-iam.adoc | 2 +- .../using-service-linked-roles-eks-connector.adoc | 2 +- .../using-service-linked-roles-eks-fargate.adoc | 2 +- .../using-service-linked-roles-eks-nodegroups.adoc | 2 +- .../using-service-linked-roles-eks-outpost.adoc | 2 +- .../iam-reference/using-service-linked-roles-eks.adoc | 2 +- .../security/iam-reference/using-service-linked-roles.adoc | 2 +- latest/ug/security/infrastructure-security.adoc | 2 +- latest/ug/security/manage-secrets.adoc | 2 +- latest/ug/security/pod-security-policy-removal-faq.adoc | 2 +- latest/ug/security/pod-security-policy.adoc | 2 +- latest/ug/security/security-best-practices.adoc | 2 +- latest/ug/security/security-eks.adoc | 2 +- latest/ug/security/security-k8s.adoc | 2 +- latest/ug/security/security.adoc | 3 +-- latest/ug/security/vpc-interface-endpoints.adoc | 2 +- latest/ug/storage/csi-snapshot-controller.adoc | 4 +--- latest/ug/storage/ebs-csi-migration-faq.adoc | 5 +---- latest/ug/storage/ebs-csi.adoc | 4 +--- latest/ug/storage/efs-csi.adoc | 2 +- latest/ug/storage/file-cache-csi.adoc | 4 +--- latest/ug/storage/fsx-csi.adoc | 4 +--- latest/ug/storage/fsx-ontap.adoc | 4 +--- latest/ug/storage/fsx-openzfs-csi.adoc | 4 +--- latest/ug/storage/s3-csi.adoc | 4 +--- latest/ug/storage/storage.adoc | 4 +--- latest/ug/troubleshooting/troubleshooting.adoc | 4 +--- latest/ug/what-is/common-use-cases.adoc | 4 +--- latest/ug/what-is/eks-architecture.adoc | 4 +--- latest/ug/what-is/eks-deployment-options.adoc | 4 +--- latest/ug/what-is/kubernetes-concepts.adoc | 4 +--- latest/ug/what-is/what-is-eks.adoc | 4 +--- latest/ug/workloads/add-ons-iam.adoc | 2 +- latest/ug/workloads/add-ons-images.adoc | 2 +- latest/ug/workloads/addon-compat.adoc | 2 +- latest/ug/workloads/addon-id-troubleshoot.adoc | 2 +- latest/ug/workloads/alb-ingress.adoc | 4 +--- latest/ug/workloads/community-addons.adoc | 3 +-- latest/ug/workloads/copy-image-to-repository.adoc | 5 +---- latest/ug/workloads/creating-an-add-on.adoc | 2 +- latest/ug/workloads/eks-add-ons.adoc | 4 +--- latest/ug/workloads/eks-workloads.adoc | 4 +--- latest/ug/workloads/horizontal-pod-autoscaler.adoc | 4 +--- latest/ug/workloads/image-verification.adoc | 4 +--- latest/ug/workloads/kubernetes-field-management.adoc | 2 +- latest/ug/workloads/network-load-balancing.adoc | 4 +--- latest/ug/workloads/remove-addon-role.adoc | 2 +- latest/ug/workloads/removing-an-addon.adoc | 2 +- latest/ug/workloads/restrict-service-external-ip.adoc | 2 +- latest/ug/workloads/retreive-iam-info.adoc | 2 +- latest/ug/workloads/sample-deployment-windows.adoc | 4 +--- latest/ug/workloads/sample-deployment.adoc | 4 +--- latest/ug/workloads/update-addon-role.adoc | 2 +- latest/ug/workloads/updating-an-add-on.adoc | 2 +- latest/ug/workloads/vertical-pod-autoscaler.adoc | 4 +--- latest/ug/workloads/workloads-add-ons-available-eks.adoc | 2 +- latest/ug/workloads/workloads-add-ons-available-vendors.adoc | 2 +- 312 files changed, 309 insertions(+), 624 deletions(-) diff --git a/.vscode/asciidoc.code-snippets b/.vscode/asciidoc.code-snippets index cdceb00ea..7e0093784 100644 --- a/.vscode/asciidoc.code-snippets +++ b/.vscode/asciidoc.code-snippets @@ -152,16 +152,14 @@ "NODE_ROOT Section": { "prefix": "adoc-topic", "body": [ - "//!!NODE_ROOT
        ", "[.topic]", "[[${1:page-id},${1:page-id}.title]]", "= ${2:page title goes here}", - ":info_doctype: section", "", "include::../attributes.txt[]", "", ], - "description": "Creates a NODE_ROOT section template with topic class and ID" + "description": "Creates a section template with topic class and ID" }, "Include with Leveloffset": { "prefix": "adoc-inc", diff --git a/latest/ug/automode/api-reference.adoc b/latest/ug/automode/api-reference.adoc index e0e73f46c..814ce1025 100644 --- a/latest/ug/automode/api-reference.adoc +++ b/latest/ug/automode/api-reference.adoc @@ -1,7 +1,6 @@ [.topic] = EKA Auto Mode API Reference WIP -:info_doctype: section :ind: indicate :Ind: Indicate diff --git a/latest/ug/automode/associate-workload.adoc b/latest/ug/automode/associate-workload.adoc index 25c79c488..c1c525057 100644 --- a/latest/ug/automode/associate-workload.adoc +++ b/latest/ug/automode/associate-workload.adoc @@ -1,12 +1,10 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[associate-workload,associate-workload.title]] = Control if a workload is deployed on EKS Auto Mode nodes -:info_doctype: section -:info_title: Control if a workload is deployed on EKS Auto Mode nodes :info_titleabbrev: Control workload deployment When running workloads in an EKS cluster with {eam}, you might need to control whether specific workloads run on {eam} nodes or other compute types. This topic describes how to use node selectors and affinity rules to ensure your workloads are scheduled on the intended compute infrastructure. diff --git a/latest/ug/automode/auto-configure-alb.adoc b/latest/ug/automode/auto-configure-alb.adoc index c5fbc1fe0..29d46980f 100644 --- a/latest/ug/automode/auto-configure-alb.adoc +++ b/latest/ug/automode/auto-configure-alb.adoc @@ -1,8 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[auto-configure-alb,auto-configure-alb.title]] = Create an IngressClass to configure an Application Load Balancer -:info_doctype: section :info_titleabbrev: Create ingress class include::../attributes.txt[] diff --git a/latest/ug/automode/auto-configure-nlb.adoc b/latest/ug/automode/auto-configure-nlb.adoc index 916fc6934..ac3a287fa 100644 --- a/latest/ug/automode/auto-configure-nlb.adoc +++ b/latest/ug/automode/auto-configure-nlb.adoc @@ -1,8 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[auto-configure-nlb,auto-configure-nlb.title]] = Use Service Annotations to configure Network Load Balancers -:info_doctype: section :info_titleabbrev: Create service include::../attributes.txt[] diff --git a/latest/ug/automode/auto-disable.adoc b/latest/ug/automode/auto-disable.adoc index ce6df4116..382f28b67 100644 --- a/latest/ug/automode/auto-disable.adoc +++ b/latest/ug/automode/auto-disable.adoc @@ -1,8 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[auto-disable,auto-disable.title]] = Disable EKS Auto Mode -:info_doctype: section include::../attributes.txt[] diff --git a/latest/ug/automode/auto-elb-example.adoc b/latest/ug/automode/auto-elb-example.adoc index b799d0e37..0dd5fce38 100644 --- a/latest/ug/automode/auto-elb-example.adoc +++ b/latest/ug/automode/auto-elb-example.adoc @@ -1,10 +1,8 @@ -//!!NODE_ROOT
        + [.topic] [[auto-elb-example,auto-elb-example.title]] = Deploy a Sample Load Balancer Workload to EKS Auto Mode -:info_doctype: section -:info_title: Deploy a sample load balancer workload to EKS Auto Mode :info_titleabbrev: Deploy load balancer workload diff --git a/latest/ug/automode/auto-enable-existing.adoc b/latest/ug/automode/auto-enable-existing.adoc index 05df23913..a04171cf1 100644 --- a/latest/ug/automode/auto-enable-existing.adoc +++ b/latest/ug/automode/auto-enable-existing.adoc @@ -1,10 +1,8 @@ -//!!NODE_ROOT
        + [.topic] [[auto-enable-existing,auto-enable-existing.title]] = Enable EKS Auto Mode on an existing cluster -:info_doctype: section -:info_title: Enable EKS Auto Mode on an existing cluster :info_titleabbrev: Enable on cluster include::../attributes.txt[] diff --git a/latest/ug/automode/auto-glossary.adoc b/latest/ug/automode/auto-glossary.adoc index b66b36069..ac250f9e0 100644 --- a/latest/ug/automode/auto-glossary.adoc +++ b/latest/ug/automode/auto-glossary.adoc @@ -1,9 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[auto-glossary,auto-glossary.title]] = Glossary -:info_doctype: section -:info_title: Glossary of terms for EKS Auto Mode :info_titleabbrev: Glossary diff --git a/latest/ug/automode/auto-learn-iam.adoc b/latest/ug/automode/auto-learn-iam.adoc index 020547d0d..d33ac3a0c 100644 --- a/latest/ug/automode/auto-learn-iam.adoc +++ b/latest/ug/automode/auto-learn-iam.adoc @@ -1,10 +1,9 @@ -//!!NODE_ROOT
        + [.topic] [[auto-learn-iam,auto-learn-iam.title]] = Learn about identity and access in EKS Auto Mode :info_titleabbrev: Identity & access -:info_doctype: section include::../attributes.txt[] diff --git a/latest/ug/automode/auto-migrate-karpenter.adoc b/latest/ug/automode/auto-migrate-karpenter.adoc index 5f4ac69fe..34c31b0d7 100644 --- a/latest/ug/automode/auto-migrate-karpenter.adoc +++ b/latest/ug/automode/auto-migrate-karpenter.adoc @@ -1,9 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[auto-migrate-karpenter,auto-migrate-karpenter.title]] = Migrate from Karpenter to EKS Auto Mode using kubectl -:info_doctype: section -:info_title: Migrate from Karpenter to EKS Auto Mode using kubectl :info_titleabbrev: Migrate from Karpenter include::../attributes.txt[] diff --git a/latest/ug/automode/auto-migrate-mng.adoc b/latest/ug/automode/auto-migrate-mng.adoc index caaa27c23..ad7afd1fb 100644 --- a/latest/ug/automode/auto-migrate-mng.adoc +++ b/latest/ug/automode/auto-migrate-mng.adoc @@ -1,10 +1,8 @@ -//!!NODE_ROOT
        + [.topic] [[auto-migrate-mng,auto-migrate-mng.title]] = Migrate from EKS Managed Node Groups to EKS Auto Mode -:info_doctype: section -:info_title: Migrate from EKS Managed Node Groups to EKS Auto Mode :info_titleabbrev: Migrate from Managed Node Groups include::../attributes.txt[] diff --git a/latest/ug/automode/auto-mng.adoc b/latest/ug/automode/auto-mng.adoc index 7c0407049..317aa2c8d 100644 --- a/latest/ug/automode/auto-mng.adoc +++ b/latest/ug/automode/auto-mng.adoc @@ -1,10 +1,8 @@ -//!!NODE_ROOT
        + [.topic] [[auto-mng,auto-mng.title]] = Compare EKS Auto Mode with EKS managed node groups -:info_doctype: section -:info_title: Compare EKS Auto Mode with EKS managed node groups :info_titleabbrev: Compare with Managed Node Groups diff --git a/latest/ug/automode/auto-net-pol.adoc b/latest/ug/automode/auto-net-pol.adoc index 4194fc26e..0f495d0f2 100644 --- a/latest/ug/automode/auto-net-pol.adoc +++ b/latest/ug/automode/auto-net-pol.adoc @@ -1,8 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[auto-net-pol,auto-net-pol.title]] = Use Network Policies with EKS Auto Mode -:info_doctype: section :info_titleabbrev: Use network policies include::../attributes.txt[] diff --git a/latest/ug/automode/auto-networking.adoc b/latest/ug/automode/auto-networking.adoc index 2d585acc5..d9365c9af 100644 --- a/latest/ug/automode/auto-networking.adoc +++ b/latest/ug/automode/auto-networking.adoc @@ -1,9 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[auto-networking,auto-networking.title]] = Learn about VPC Networking and Load Balancing in EKS Auto Mode -:info_doctype: section -:info_title: Learn about VPC networking and load balancing in EKS Auto Mode :info_titleabbrev: Networking diff --git a/latest/ug/automode/auto-reference.adoc b/latest/ug/automode/auto-reference.adoc index 277c091a1..8e4d9d638 100644 --- a/latest/ug/automode/auto-reference.adoc +++ b/latest/ug/automode/auto-reference.adoc @@ -1,15 +1,13 @@ -//!!NODE_ROOT + [.topic] include::../attributes.txt[] [[auto-reference,auto-reference.title]] = Learn how EKS Auto Mode works -:info_doctype: section :icons: font :experimental: :idprefix: :idseparator: - :sourcedir: . -:info_title: Learn how EKS Auto Mode works :info_titleabbrev: How it works [abstract] diff --git a/latest/ug/automode/auto-troubleshoot.adoc b/latest/ug/automode/auto-troubleshoot.adoc index 7bf491dc3..3cd9986a5 100644 --- a/latest/ug/automode/auto-troubleshoot.adoc +++ b/latest/ug/automode/auto-troubleshoot.adoc @@ -1,10 +1,8 @@ -//!!NODE_ROOT
        + [.topic] [[auto-troubleshoot,auto-troubleshoot.title]] = Troubleshoot EKS Auto Mode -:info_doctype: section -:info_title: Troubleshoot EKS Auto Mode :info_titleabbrev: Troubleshoot include::../attributes.txt[] diff --git a/latest/ug/automode/auto-upgrade.adoc b/latest/ug/automode/auto-upgrade.adoc index 8e3d503e1..4ef6336ce 100644 --- a/latest/ug/automode/auto-upgrade.adoc +++ b/latest/ug/automode/auto-upgrade.adoc @@ -1,8 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[auto-upgrade,auto-upgrade.title]] = Update the Kubernetes Version of an EKS Auto Mode cluster -:info_doctype: section :info_titleabbrev: Update Kubernetes Version include::../attributes.txt[] diff --git a/latest/ug/automode/auto-workloads.adoc b/latest/ug/automode/auto-workloads.adoc index a7c1e068a..31bfce233 100644 --- a/latest/ug/automode/auto-workloads.adoc +++ b/latest/ug/automode/auto-workloads.adoc @@ -1,10 +1,8 @@ -//!!NODE_ROOT + [.topic] include::../attributes.txt[] [[auto-workloads,auto-workloads.title]] = Run sample workloads in EKS Auto Mode clusters -:info_doctype: section -:info_title: Run workloads in EKS Auto Mode clusters :info_titleabbrev: Run workloads [abstract] diff --git a/latest/ug/automode/automode-get-started-cli.adoc b/latest/ug/automode/automode-get-started-cli.adoc index 94b29d96e..662590033 100644 --- a/latest/ug/automode/automode-get-started-cli.adoc +++ b/latest/ug/automode/automode-get-started-cli.adoc @@ -1,13 +1,11 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[automode-get-started-cli,automode-get-started-cli.title]] = Create an EKS Auto Mode Cluster with the {aws} CLI -:info_doctype: section :config: configuration -:info_title: Create an EKS Auto Mode Cluster with the {aws} CLI :info_titleabbrev: {aws} CLI EKS Auto Mode Clusters automate routine cluster management tasks for compute, storage, and networking. For example, EKS Auto Mode Clusters automatically detect when additional nodes are required and provision new EC2 instances to meet workload demands. diff --git a/latest/ug/automode/automode-get-started-console.adoc b/latest/ug/automode/automode-get-started-console.adoc index 789b9c96b..55b18dfc1 100644 --- a/latest/ug/automode/automode-get-started-console.adoc +++ b/latest/ug/automode/automode-get-started-console.adoc @@ -1,12 +1,10 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[automode-get-started-console,automode-get-started-console.title]] = Create an EKS Auto Mode Cluster with the {aws} Management Console -:info_doctype: section -:info_title: Create an EKS Auto Mode Cluster with the {aws} Management Console :info_titleabbrev: Management console Creating an {eam} cluster in the {aws} Management Console requires less {config} than other options. EKS integrates with {aws} IAM and VPC Networking to help you create the resources associated with an EKS cluster. diff --git a/latest/ug/automode/automode-get-started-eksctl.adoc b/latest/ug/automode/automode-get-started-eksctl.adoc index cd6ab8e8a..7a58aac4b 100644 --- a/latest/ug/automode/automode-get-started-eksctl.adoc +++ b/latest/ug/automode/automode-get-started-eksctl.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + [.topic] [[automode-get-started-eksctl,automode-get-started-eksctl.title]] = Create an EKS Auto Mode Cluster with the eksctl CLI -:info_doctype: section :config: configuration -:info_title: Create an EKS Auto Mode Cluster with the eksctl CLI :info_titleabbrev: eksctl CLI diff --git a/latest/ug/automode/automode-learn-instances.adoc b/latest/ug/automode/automode-learn-instances.adoc index accf312cc..467b1c419 100644 --- a/latest/ug/automode/automode-learn-instances.adoc +++ b/latest/ug/automode/automode-learn-instances.adoc @@ -1,9 +1,8 @@ -//!!NODE_ROOT
        + [.topic] [[automode-learn-instances,automode-learn-instances.title]] = Learn about Amazon EKS Auto Mode Managed instances -:info_doctype: section :am: EKS Auto Mode :aam: Amazon {am} :ec2i: EC2 Instance @@ -11,7 +10,6 @@ :emi: EC2 managed instance :emi: EC2 {mi} :emng: EKS Managed Node Group -:info_title: Learn about Amazon EKS Auto Mode managed instances :info_titleabbrev: Managed instances include::../attributes.txt[] diff --git a/latest/ug/automode/automode-workload.adoc b/latest/ug/automode/automode-workload.adoc index 374aedb84..4406dcf67 100644 --- a/latest/ug/automode/automode-workload.adoc +++ b/latest/ug/automode/automode-workload.adoc @@ -1,10 +1,8 @@ -//!!NODE_ROOT
        + [.topic] [[automode-workload,automode-workload.title]] = Deploy a sample inflate workload to an Amazon EKS Auto Mode cluster -:info_doctype: section -:info_title: Deploy a sample inflate workload to an Amazon EKS Auto Mode cluster :info_titleabbrev: Deploy inflate workload include::../attributes.txt[] diff --git a/latest/ug/automode/automode.adoc b/latest/ug/automode/automode.adoc index 718354e45..449691757 100644 --- a/latest/ug/automode/automode.adoc +++ b/latest/ug/automode/automode.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT + [[automode,automode.title]] = Automate cluster infrastructure with EKS Auto Mode -:info_doctype: chapter :toclevels: 2 :toc: -:info_title: Automate cluster infrastructure with EKS Auto Mode :info_titleabbrev: EKS Auto Mode [abstract] diff --git a/latest/ug/automode/create-auto.adoc b/latest/ug/automode/create-auto.adoc index bc13bd7f7..e61b4751a 100644 --- a/latest/ug/automode/create-auto.adoc +++ b/latest/ug/automode/create-auto.adoc @@ -1,15 +1,13 @@ -//!!NODE_ROOT + [.topic] include::../attributes.txt[] [[create-auto,create-auto.title]] = Create a cluster with Amazon EKS Auto Mode -:info_doctype: section :icons: font :experimental: :idprefix: :idseparator: - :sourcedir: . -:info_title: Create cluster with EKS Auto Mode :info_titleabbrev: Create cluster :keywords: getting, started, tutorials, quick, start diff --git a/latest/ug/automode/create-node-class.adoc b/latest/ug/automode/create-node-class.adoc index cf1bb913d..f6e98a317 100644 --- a/latest/ug/automode/create-node-class.adoc +++ b/latest/ug/automode/create-node-class.adoc @@ -1,9 +1,8 @@ -//!!NODE_ROOT
        + [.topic] [[create-node-class,create-node-class.title]] = Create a Node Class for Amazon EKS -:info_doctype: section :info_titleabbrev: Create node class include::../attributes.txt[] diff --git a/latest/ug/automode/create-node-pool.adoc b/latest/ug/automode/create-node-pool.adoc index 74ec9097d..06afd012f 100644 --- a/latest/ug/automode/create-node-pool.adoc +++ b/latest/ug/automode/create-node-pool.adoc @@ -1,8 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[create-node-pool,create-node-pool.title]] = Create a Node Pool for EKS Auto Mode -:info_doctype: section :info_titleabbrev: Create node pool include::../attributes.txt[] diff --git a/latest/ug/automode/create-storage-class.adoc b/latest/ug/automode/create-storage-class.adoc index 8e28c3a80..739d8fbc9 100644 --- a/latest/ug/automode/create-storage-class.adoc +++ b/latest/ug/automode/create-storage-class.adoc @@ -1,8 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[create-storage-class,create-storage-class.title]] = Create a Storage Class -:info_doctype: section :info_titleabbrev: Create storage class diff --git a/latest/ug/automode/critical-workload.adoc b/latest/ug/automode/critical-workload.adoc index 75c3668ea..31d235708 100644 --- a/latest/ug/automode/critical-workload.adoc +++ b/latest/ug/automode/critical-workload.adoc @@ -1,8 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[critical-workload,critical-workload.title]] = Run critical add-ons on dedicated instances -:info_doctype: section :info_titleabbrev: Run critical add-ons include::../attributes.txt[] diff --git a/latest/ug/automode/migrate-auto.adoc b/latest/ug/automode/migrate-auto.adoc index 401c58a0d..c4e952f2e 100644 --- a/latest/ug/automode/migrate-auto.adoc +++ b/latest/ug/automode/migrate-auto.adoc @@ -1,15 +1,13 @@ -//!!NODE_ROOT
        + [.topic] include::../attributes.txt[] [[migrate-auto,migrate-auto.title]] = Enable EKS Auto Mode on existing EKS clusters -:info_doctype: section :icons: font :experimental: :idprefix: :idseparator: - :sourcedir: . -:info_title: Enable EKS Auto Mode on existing EKS clusters :info_titleabbrev: Enable existing clusters [abstract] diff --git a/latest/ug/automode/old/hpa_scaling.adoc b/latest/ug/automode/old/hpa_scaling.adoc index 5e0fe70c0..7bcf3b296 100644 --- a/latest/ug/automode/old/hpa_scaling.adoc +++ b/latest/ug/automode/old/hpa_scaling.adoc @@ -1,9 +1,8 @@ -//!!NODE_ROOT
        + [.topic] [[auto-hpa-scaling,auto-hpa-scaling.title]] = End-to-end Compute Autoscaling with HPA -:info_doctype: section include::../attributes.txt[] diff --git a/latest/ug/automode/sample-storage-workload.adoc b/latest/ug/automode/sample-storage-workload.adoc index 488ccc928..4c4a419b7 100644 --- a/latest/ug/automode/sample-storage-workload.adoc +++ b/latest/ug/automode/sample-storage-workload.adoc @@ -1,10 +1,8 @@ -//!!NODE_ROOT
        + [.topic] [[sample-storage-workload,sample-storage-workload.title]] = Deploy a sample stateful workload to EKS Auto Mode -:info_doctype: section -:info_title: Deploy a sample stateful workload to EKS Auto Mode :info_titleabbrev: Deploy stateful workload include::../attributes.txt[] diff --git a/latest/ug/automode/set-builtin-node-pools.adoc b/latest/ug/automode/set-builtin-node-pools.adoc index 0082f30ab..701627c9d 100644 --- a/latest/ug/automode/set-builtin-node-pools.adoc +++ b/latest/ug/automode/set-builtin-node-pools.adoc @@ -1,8 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[set-builtin-node-pools,set-builtin-node-pools.title]] = Enable or Disable Built-in NodePools -:info_doctype: section :info_titleabbrev: Review built-in node pools include::../attributes.txt[] diff --git a/latest/ug/automode/settings-auto.adoc b/latest/ug/automode/settings-auto.adoc index 18b86ec22..07920c453 100644 --- a/latest/ug/automode/settings-auto.adoc +++ b/latest/ug/automode/settings-auto.adoc @@ -1,15 +1,13 @@ -//!!NODE_ROOT + [.topic] include::../attributes.txt[] [[settings-auto,settings-auto.title]] = Configure EKS Auto Mode settings -:info_doctype: section :icons: font :experimental: :idprefix: :idseparator: - :sourcedir: . -:info_title: Change EKS Auto cluster settings :info_titleabbrev: Configure [abstract] diff --git a/latest/ug/automode/troubleshoot-lbc.adoc b/latest/ug/automode/troubleshoot-lbc.adoc index c9918fde8..50afbfc93 100644 --- a/latest/ug/automode/troubleshoot-lbc.adoc +++ b/latest/ug/automode/troubleshoot-lbc.adoc @@ -1,8 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[troubleshoot-lbc,troubleshoot-lbc.title]] # Troubleshooting Amazon EKS Auto Mode Load Balancer Controller -:info_doctype: section [NOTE] ==== diff --git a/latest/ug/automode/wip.adoc b/latest/ug/automode/wip.adoc index 3ae07b146..81b1184af 100644 --- a/latest/ug/automode/wip.adoc +++ b/latest/ug/automode/wip.adoc @@ -1,8 +1,7 @@ -//!!NODE_ROOT + [.topic] [[auto-wip,auto-wip.title]] = EKS Auto Mode: Revisions to existing pages WIP -:info_doctype: section :toc: left diff --git a/latest/ug/automode/wip/create-vpc-console.adoc b/latest/ug/automode/wip/create-vpc-console.adoc index f96c7cff8..961262b41 100644 --- a/latest/ug/automode/wip/create-vpc-console.adoc +++ b/latest/ug/automode/wip/create-vpc-console.adoc @@ -1,8 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[create-vpc-console,create-vpc-console.title]] = Create a VPC for Amazon EKS with the web console -:info_doctype: section include::../../attributes.txt[] diff --git a/latest/ug/automode/wip/eksctl-docs.adoc b/latest/ug/automode/wip/eksctl-docs.adoc index f7f7c4789..fa1d87ca7 100644 --- a/latest/ug/automode/wip/eksctl-docs.adoc +++ b/latest/ug/automode/wip/eksctl-docs.adoc @@ -1,8 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[eksctl-docs,eksctl-docs.title]] = EKS Auto Mode -:info_doctype: section include::../../attributes.txt[] diff --git a/latest/ug/automode/wip/tag-subnets.adoc b/latest/ug/automode/wip/tag-subnets.adoc index 073651955..0f6509b68 100644 --- a/latest/ug/automode/wip/tag-subnets.adoc +++ b/latest/ug/automode/wip/tag-subnets.adoc @@ -1,8 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[tag-subnets,tag-subnets.title]] = Tag VPC Subnets for Load Balancer Deployment -:info_doctype: section include::../../attributes.txt[] diff --git a/latest/ug/book.adoc b/latest/ug/book.adoc index 663ab035d..b842cfb54 100644 --- a/latest/ug/book.adoc +++ b/latest/ug/book.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT + include::attributes.txt[] [[top]] = Amazon EKS @@ -8,8 +8,6 @@ include::attributes.txt[] :experimental: :idprefix: :idseparator: - -:info_doctype: book -:info_title: Amazon EKS :info_subtitle: User Guide :info_corpauthor: Amazon Web Services :info_publisher: Amazon Web Services diff --git a/latest/ug/clusters/autoscaling.adoc b/latest/ug/clusters/autoscaling.adoc index 86dc07a30..4899304fc 100644 --- a/latest/ug/clusters/autoscaling.adoc +++ b/latest/ug/clusters/autoscaling.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[autoscaling,autoscaling.title]] = Scale cluster compute with [.noloc]`Karpenter` and [.noloc]`Cluster Autoscaler` -:info_doctype: section -:info_title: Scale cluster compute with Karpenter and Cluster Autoscaler :info_titleabbrev: Autoscaling [abstract] diff --git a/latest/ug/clusters/cluster-endpoint.adoc b/latest/ug/clusters/cluster-endpoint.adoc index b3401bf7a..cb6b68486 100644 --- a/latest/ug/clusters/cluster-endpoint.adoc +++ b/latest/ug/clusters/cluster-endpoint.adoc @@ -1,9 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[cluster-endpoint,cluster-endpoint.title]] = Control network access to cluster API server endpoint -:info_doctype: section -:info_title: Control network access to cluster API server endpoint :info_titleabbrev: Configure endpoint access include::../attributes.txt[] diff --git a/latest/ug/clusters/cluster-insights.adoc b/latest/ug/clusters/cluster-insights.adoc index fa079624d..b2aa6a1b5 100644 --- a/latest/ug/clusters/cluster-insights.adoc +++ b/latest/ug/clusters/cluster-insights.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[cluster-insights,cluster-insights.title]] = Prepare for [.noloc]`Kubernetes` version upgrades with cluster insights diff --git a/latest/ug/clusters/clusters.adoc b/latest/ug/clusters/clusters.adoc index 0235a5660..5c9161eba 100644 --- a/latest/ug/clusters/clusters.adoc +++ b/latest/ug/clusters/clusters.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT + include::../attributes.txt[] [[clusters,clusters.title]] = Organize workloads with Amazon EKS clusters @@ -10,8 +10,6 @@ include::../attributes.txt[] :idprefix: :idseparator: - :sourcedir: . -:info_doctype: chapter -:info_title: Organize workloads with Amazon EKS clusters :info_titleabbrev: Clusters An Amazon EKS cluster consists of two primary components: diff --git a/latest/ug/clusters/create-cluster-auto.adoc b/latest/ug/clusters/create-cluster-auto.adoc index 03ddcd797..97c96650a 100644 --- a/latest/ug/clusters/create-cluster-auto.adoc +++ b/latest/ug/clusters/create-cluster-auto.adoc @@ -1,10 +1,8 @@ -//!!NODE_ROOT
        + [.topic] [[create-cluster-auto,create-cluster-auto.title]] = Create an Amazon EKS Auto Mode cluster -:info_doctype: section -:info_title: Create an Amazon EKS Auto Mode cluster :info_titleabbrev: Create auto cluster :idprefix: id_ diff --git a/latest/ug/clusters/create-cluster.adoc b/latest/ug/clusters/create-cluster.adoc index 648eaae6c..b4ab81173 100644 --- a/latest/ug/clusters/create-cluster.adoc +++ b/latest/ug/clusters/create-cluster.adoc @@ -1,10 +1,8 @@ -//!!NODE_ROOT
        + [.topic] [[create-cluster,create-cluster.title]] = Create an Amazon EKS cluster -:info_doctype: section -:info_title: Create an Amazon EKS cluster :info_titleabbrev: Create a cluster include::../attributes.txt[] diff --git a/latest/ug/clusters/delete-cluster.adoc b/latest/ug/clusters/delete-cluster.adoc index 10bff9c57..d90ee5dfa 100644 --- a/latest/ug/clusters/delete-cluster.adoc +++ b/latest/ug/clusters/delete-cluster.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[delete-cluster,delete-cluster.title]] = Delete a cluster -:info_doctype: section -:info_title: Delete a cluster :info_titleabbrev: Delete a cluster [abstract] diff --git a/latest/ug/clusters/disable-windows-support.adoc b/latest/ug/clusters/disable-windows-support.adoc index e884af946..1b1324a92 100644 --- a/latest/ug/clusters/disable-windows-support.adoc +++ b/latest/ug/clusters/disable-windows-support.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[disable-windows-support,disable-windows-support.title]] = Disable [.noloc]`Windows` support -:info_doctype: section -:info_title: Disable Windows support . If your cluster contains Amazon Linux nodes and you use xref:security-groups-for-pods[security groups for Pods,linkend=security-groups-for-pods] with them, then skip this step. + diff --git a/latest/ug/clusters/kubernetes-versions-extended.adoc b/latest/ug/clusters/kubernetes-versions-extended.adoc index 7974fd6af..7e85661c8 100644 --- a/latest/ug/clusters/kubernetes-versions-extended.adoc +++ b/latest/ug/clusters/kubernetes-versions-extended.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[kubernetes-versions-extended,kubernetes-versions-extended.title]] diff --git a/latest/ug/clusters/kubernetes-versions-standard.adoc b/latest/ug/clusters/kubernetes-versions-standard.adoc index ad1034fce..ff068c9a9 100644 --- a/latest/ug/clusters/kubernetes-versions-standard.adoc +++ b/latest/ug/clusters/kubernetes-versions-standard.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[kubernetes-versions-standard,kubernetes-versions-standard.title]] diff --git a/latest/ug/clusters/kubernetes-versions.adoc b/latest/ug/clusters/kubernetes-versions.adoc index 8492b4980..821497361 100644 --- a/latest/ug/clusters/kubernetes-versions.adoc +++ b/latest/ug/clusters/kubernetes-versions.adoc @@ -1,10 +1,8 @@ -//!!NODE_ROOT
        + [.topic] [[kubernetes-versions,kubernetes-versions.title]] = Understand the [.noloc]`Kubernetes` version lifecycle on EKS -:info_doctype: section -:info_title: Understand the Kubernetes version lifecycle on EKS :info_titleabbrev: Kubernetes versions :keywords: Amazon EKS, available, Kubernetes, version, release notes diff --git a/latest/ug/clusters/management/cost-monitoring-aws.adoc b/latest/ug/clusters/management/cost-monitoring-aws.adoc index 8c773eae2..656586ac3 100644 --- a/latest/ug/clusters/management/cost-monitoring-aws.adoc +++ b/latest/ug/clusters/management/cost-monitoring-aws.adoc @@ -3,7 +3,6 @@ include::../../attributes.txt[] [.topic] [[cost-monitoring-aws,cost-monitoring-aws.title]] = View costs by pod in {aws} billing with split cost allocation -:info_doctype: section .Cost monitoring using {aws} split cost allocation data for Amazon EKS You can use {aws} split cost allocation data for Amazon EKS to get granular cost visibility for your Amazon EKS clusters. This enables you to analyze, optimize, and chargeback cost and usage for your [.noloc]`Kubernetes` applications. You allocate application costs to individual business units and teams based on Amazon EC2 CPU and memory resources consumed by your [.noloc]`Kubernetes` application. Split cost allocation data for Amazon EKS gives visibility into cost per Pod, and enables you to aggregate the cost data per Pod using namespace, cluster, and other [.noloc]`Kubernetes` primitives. The following are examples of [.noloc]`Kubernetes` primitives that you can use to analyze Amazon EKS cost allocation data. diff --git a/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc b/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc index c3297daa1..0145f0a85 100644 --- a/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc +++ b/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc @@ -1,8 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[cost-monitoring-kubecost-bundles,cost-monitoring-kubecost-bundles.title]] = Learn more about Kubecost -:info_doctype: section include::../../attributes.txt[] diff --git a/latest/ug/clusters/management/cost-monitoring-kubecost.adoc b/latest/ug/clusters/management/cost-monitoring-kubecost.adoc index 5f8311846..97fdf5bcd 100644 --- a/latest/ug/clusters/management/cost-monitoring-kubecost.adoc +++ b/latest/ug/clusters/management/cost-monitoring-kubecost.adoc @@ -2,7 +2,6 @@ [.topic] [[cost-monitoring-kubecost,cost-monitoring-kubecost.title]] = Install Kubecost and access dashboard -:info_doctype: section include::../../attributes.txt[] diff --git a/latest/ug/clusters/management/cost-monitoring.adoc b/latest/ug/clusters/management/cost-monitoring.adoc index e6e3bc43d..8ffceb2bc 100644 --- a/latest/ug/clusters/management/cost-monitoring.adoc +++ b/latest/ug/clusters/management/cost-monitoring.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + [.topic] [[cost-monitoring,cost-monitoring.title]] = Monitor and optimize Amazon EKS cluster costs -:info_doctype: section -:info_title: Monitor and optimize Amazon EKS cluster costs :info_titleabbrev: Cost monitoring :keywords: cost, monitoring, watch diff --git a/latest/ug/clusters/management/eks-managing.adoc b/latest/ug/clusters/management/eks-managing.adoc index 42e6db90f..640128ea5 100644 --- a/latest/ug/clusters/management/eks-managing.adoc +++ b/latest/ug/clusters/management/eks-managing.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT + include::../../attributes.txt[] [[eks-managing,eks-managing.title]] = Organize and monitor cluster resources @@ -10,8 +10,6 @@ include::../../attributes.txt[] :idprefix: :idseparator: - :sourcedir: . -:info_doctype: chapter -:info_title: Organize and monitor cluster resources :info_titleabbrev: Cluster management This chapter includes the following topics to help you manage your cluster. You can also view information about your <> with the {aws-management-console}. diff --git a/latest/ug/clusters/management/eks-using-tags.adoc b/latest/ug/clusters/management/eks-using-tags.adoc index 59abfac9f..5b1d9eb41 100644 --- a/latest/ug/clusters/management/eks-using-tags.adoc +++ b/latest/ug/clusters/management/eks-using-tags.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../../attributes.txt[] [.topic] [[eks-using-tags,eks-using-tags.title]] = Organize Amazon EKS resources with tags -:info_doctype: section -:info_title: Organize Amazon EKS resources with tags :info_titleabbrev: Tagging your resources :keywords: metadata, tag, resources diff --git a/latest/ug/clusters/management/helm.adoc b/latest/ug/clusters/management/helm.adoc index ee354e2bd..2aa775274 100644 --- a/latest/ug/clusters/management/helm.adoc +++ b/latest/ug/clusters/management/helm.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../../attributes.txt[] [.topic] [[helm,helm.title]] = Deploy applications with [.noloc]`Helm` on Amazon EKS -:info_doctype: section -:info_title: Deploy applications with Helm on Amazon EKS :info_titleabbrev: Deploy apps with Helm [abstract] diff --git a/latest/ug/clusters/management/metrics-server.adoc b/latest/ug/clusters/management/metrics-server.adoc index c09d86dc7..9e031a998 100644 --- a/latest/ug/clusters/management/metrics-server.adoc +++ b/latest/ug/clusters/management/metrics-server.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../../attributes.txt[] [.topic] [[metrics-server,metrics-server.title]] = View resource usage with the [.noloc]`Kubernetes` [.noloc]`Metrics Server` -:info_doctype: section -:info_title: View resource usage with the KubernetesMetrics Server :info_titleabbrev: Metrics server [abstract] diff --git a/latest/ug/clusters/management/service-quotas.adoc b/latest/ug/clusters/management/service-quotas.adoc index c2628ee1f..d879e7d26 100644 --- a/latest/ug/clusters/management/service-quotas.adoc +++ b/latest/ug/clusters/management/service-quotas.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../../attributes.txt[] [.topic] [[service-quotas,service-quotas.title]] = View and manage Amazon EKS and [.noloc]`Fargate` service quotas -:info_doctype: section -:info_title: View and manage Amazon EKS and Fargate service quotas :info_titleabbrev: Service quotas [abstract] diff --git a/latest/ug/clusters/platform-versions.adoc b/latest/ug/clusters/platform-versions.adoc index 6a35ac91b..1f9a12245 100644 --- a/latest/ug/clusters/platform-versions.adoc +++ b/latest/ug/clusters/platform-versions.adoc @@ -1,10 +1,8 @@ -//!!NODE_ROOT
        + [.topic] [[platform-versions,platform-versions.title]] = View Amazon EKS platform versions for each [.noloc]`Kubernetes` version -:info_doctype: section -:info_title: View Amazon EKS platform versions for each Kubernetes version :info_titleabbrev: Platform versions include::../attributes.txt[] diff --git a/latest/ug/clusters/private-clusters.adoc b/latest/ug/clusters/private-clusters.adoc index 3def600f4..12138cbdc 100644 --- a/latest/ug/clusters/private-clusters.adoc +++ b/latest/ug/clusters/private-clusters.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[private-clusters,private-clusters.title]] = Deploy private clusters with limited internet access -:info_doctype: section -:info_title: Deploy private clusters with limited internet access :info_titleabbrev: Private clusters [abstract] diff --git a/latest/ug/clusters/update-cluster.adoc b/latest/ug/clusters/update-cluster.adoc index 66d019e4e..f02e4df77 100644 --- a/latest/ug/clusters/update-cluster.adoc +++ b/latest/ug/clusters/update-cluster.adoc @@ -1,10 +1,8 @@ -//!!NODE_ROOT
        + [.topic] [[update-cluster,update-cluster.title]] = Update existing cluster to new Kubernetes version -:info_doctype: section -:info_title: Update existing cluster to new Kubernetes version :info_titleabbrev: Update Kubernetes version include::../attributes.txt[] diff --git a/latest/ug/clusters/windows-support.adoc b/latest/ug/clusters/windows-support.adoc index 54dda27cc..0b6233d82 100644 --- a/latest/ug/clusters/windows-support.adoc +++ b/latest/ug/clusters/windows-support.adoc @@ -1,12 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[windows-support,windows-support.title]] = Deploy [.noloc]`Windows` nodes on EKS clusters -:info_doctype: section -:info_title: Deploy Windows nodes on EKS \ - clusters :info_titleabbrev: Enable Windows support [abstract] diff --git a/latest/ug/clusters/zone-shift-enable.adoc b/latest/ug/clusters/zone-shift-enable.adoc index 78107e9b6..2fba18e7e 100644 --- a/latest/ug/clusters/zone-shift-enable.adoc +++ b/latest/ug/clusters/zone-shift-enable.adoc @@ -1,8 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[zone-shift-enable,zone-shift-enable.title]] = Enable EKS Zonal Shift to avoid impaired Availability Zones -:info_doctype: section :info_titleabbrev: Enable Zonal Shift :aws: pass:q[[.shared]``AWS``] diff --git a/latest/ug/clusters/zone-shift.adoc b/latest/ug/clusters/zone-shift.adoc index 835602e64..b7149eb6c 100644 --- a/latest/ug/clusters/zone-shift.adoc +++ b/latest/ug/clusters/zone-shift.adoc @@ -1,8 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[zone-shift,zone-shift.title]] = Learn about Amazon Application Recovery Controller's (ARC) Zonal Shift in Amazon EKS -:info_doctype: section :info_titleabbrev: Learn about Zonal Shift :aws: pass:q[[.shared]``AWS``] diff --git a/latest/ug/connector/connecting-cluster.adoc b/latest/ug/connector/connecting-cluster.adoc index f62ec6246..85a16b735 100644 --- a/latest/ug/connector/connecting-cluster.adoc +++ b/latest/ug/connector/connecting-cluster.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[connecting-cluster,connecting-cluster.title]] = Connect an external [.noloc]`Kubernetes` cluster to the Amazon EKS Management Console -:info_doctype: section -:info_title: Connect an external Kubernetes cluster to the Amazon EKS Management Console :info_titleabbrev: Connect a cluster [abstract] diff --git a/latest/ug/connector/connector-grant-access.adoc b/latest/ug/connector/connector-grant-access.adoc index e3956c285..9e1a9fe42 100644 --- a/latest/ug/connector/connector-grant-access.adoc +++ b/latest/ug/connector/connector-grant-access.adoc @@ -1,12 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[connector-grant-access,connector-grant-access.title]] = Grant access to view [.noloc]`Kubernetes` cluster resources on an Amazon EKS console -:info_doctype: section -:info_title: Grant access to view Kubernetes cluster resources on an \ - Amazon EKS console :info_titleabbrev: Grant access to Kubernetes clusters from {aws} console [abstract] diff --git a/latest/ug/connector/deregister-connected-cluster.adoc b/latest/ug/connector/deregister-connected-cluster.adoc index f25f0a6cb..c534fdb34 100644 --- a/latest/ug/connector/deregister-connected-cluster.adoc +++ b/latest/ug/connector/deregister-connected-cluster.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[deregister-connected-cluster,deregister-connected-cluster.title]] = Deregister a Kubernetes cluster from the Amazon EKS console -:info_doctype: section -:info_title: Deregister a Kubernetes cluster from the Amazon EKS console :info_titleabbrev: Deregister a cluster [abstract] diff --git a/latest/ug/connector/eks-connector.adoc b/latest/ug/connector/eks-connector.adoc index b7f97aa91..79c7e1b85 100644 --- a/latest/ug/connector/eks-connector.adoc +++ b/latest/ug/connector/eks-connector.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT + include::../attributes.txt[] [[eks-connector,eks-connector.title]] = Connect a [.noloc]`Kubernetes` cluster to an Amazon EKS Management Console with Amazon EKS Connector @@ -10,8 +10,6 @@ include::../attributes.txt[] :idprefix: :idseparator: - :sourcedir: . -:info_doctype: chapter -:info_title: Connect a Kubernetes cluster to an Amazon EKS Management Console with Amazon EKS Connector :info_titleabbrev: Amazon EKS Connector [abstract] diff --git a/latest/ug/connector/security-connector.adoc b/latest/ug/connector/security-connector.adoc index 7cf763659..0bfce05b6 100644 --- a/latest/ug/connector/security-connector.adoc +++ b/latest/ug/connector/security-connector.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[security-connector,security-connector.title]] = Understand security in Amazon EKS Connector -:info_doctype: section -:info_title: Understand security in Amazon EKS Connector :info_titleabbrev: Security considerations [abstract] diff --git a/latest/ug/connector/troubleshooting-connector.adoc b/latest/ug/connector/troubleshooting-connector.adoc index f64970779..40b88b935 100644 --- a/latest/ug/connector/troubleshooting-connector.adoc +++ b/latest/ug/connector/troubleshooting-connector.adoc @@ -1,9 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[troubleshooting-connector,troubleshooting-connector.title]] = Troubleshoot Amazon EKS Connector issues -:info_doctype: section -:info_title: Troubleshoot Amazon EKS Connector issues :info_titleabbrev: Troubleshoot Amazon EKS Connector include::../attributes.txt[] diff --git a/latest/ug/connector/tsc-faq.adoc b/latest/ug/connector/tsc-faq.adoc index bf9cf55d7..cd048f113 100644 --- a/latest/ug/connector/tsc-faq.adoc +++ b/latest/ug/connector/tsc-faq.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[tsc-faq,tsc-faq.title]] = {aws} Connector frequently asked questions -:info_doctype: section -:info_title: {aws} Connector frequently asked questions :info_titleabbrev: Frequently asked questions [abstract] diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index 8e20b7aa5..fe7a8af0e 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT + [.topic] [[doc-history,doc-history.title]] @@ -12,8 +12,6 @@ :idprefix: :idseparator: - :sourcedir: . -:info_doctype: chapter -:info_title: Document history :keywords: document, publish, release, history, log diff --git a/latest/ug/getting-started/getting-started-automode.adoc b/latest/ug/getting-started/getting-started-automode.adoc index b3374ebcc..24da21b93 100644 --- a/latest/ug/getting-started/getting-started-automode.adoc +++ b/latest/ug/getting-started/getting-started-automode.adoc @@ -1,12 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[getting-started-automode,getting-started-automode.title]] = Get started with Amazon EKS – EKS Auto Mode -:info_doctype: section -:info_title: Get started with Amazon EKS – \ - EKS Auto Mode :info_titleabbrev: Create your first cluster – EKS Auto Mode :keywords: using, Auto, getting, started, tutorial diff --git a/latest/ug/getting-started/getting-started-console.adoc b/latest/ug/getting-started/getting-started-console.adoc index b0d44d78b..bf97e6032 100644 --- a/latest/ug/getting-started/getting-started-console.adoc +++ b/latest/ug/getting-started/getting-started-console.adoc @@ -1,12 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[getting-started-console,getting-started-console.title]] = Get started with Amazon EKS – {aws-management-console} and {aws} CLI -:info_doctype: section -:info_title: Get started with Amazon EKS – {aws-management-console} and \ - {aws} CLI :info_titleabbrev: Create your first cluster – {aws-management-console} :keywords: using, {aws-management-console}, {aws} CLI, getting, started, tutorial diff --git a/latest/ug/getting-started/getting-started-eksctl.adoc b/latest/ug/getting-started/getting-started-eksctl.adoc index b421729dc..563b6a45e 100644 --- a/latest/ug/getting-started/getting-started-eksctl.adoc +++ b/latest/ug/getting-started/getting-started-eksctl.adoc @@ -1,12 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[getting-started-eksctl,getting-started-eksctl.title]] = Get started with Amazon EKS – `eksctl` -:info_doctype: section -:info_title: Get started with Amazon EKS – \ - eksctl :info_titleabbrev: Create your first cluster – eksctl :keywords: using, eksctl, getting, started, tutorial diff --git a/latest/ug/getting-started/getting-started.adoc b/latest/ug/getting-started/getting-started.adoc index a11bd7c24..d5ac9a086 100644 --- a/latest/ug/getting-started/getting-started.adoc +++ b/latest/ug/getting-started/getting-started.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT + include::../attributes.txt[] [[getting-started,getting-started.title]] = Get started with Amazon EKS @@ -10,8 +10,6 @@ include::../attributes.txt[] :idprefix: :idseparator: - :sourcedir: . -:info_doctype: chapter -:info_title: Get started with Amazon EKS :info_titleabbrev: Get started :keywords: getting, started, tutorials, quick, start diff --git a/latest/ug/getting-started/install-awscli.adoc b/latest/ug/getting-started/install-awscli.adoc index ec2bcb58d..667d61263 100644 --- a/latest/ug/getting-started/install-awscli.adoc +++ b/latest/ug/getting-started/install-awscli.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[install-awscli,install-awscli.title]] = Set up {aws} CLI -:info_doctype: section -:info_title: Set up {aws} CLI :info_titleabbrev: Set up {aws} CLI :keywords: setting up, setup diff --git a/latest/ug/getting-started/install-kubectl.adoc b/latest/ug/getting-started/install-kubectl.adoc index 18bb2d0c8..a8218b47f 100644 --- a/latest/ug/getting-started/install-kubectl.adoc +++ b/latest/ug/getting-started/install-kubectl.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + [.topic] [[install-kubectl,install-kubectl.title]] = Set up `kubectl` and `eksctl` -:info_doctype: section -:info_title: Set up kubectl and eksctl :info_titleabbrev: Set up kubectl and eksctl :keywords: install, update, kubectl diff --git a/latest/ug/getting-started/learn-eks.adoc b/latest/ug/getting-started/learn-eks.adoc index a7cb044bc..0fe688eca 100644 --- a/latest/ug/getting-started/learn-eks.adoc +++ b/latest/ug/getting-started/learn-eks.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[learn-eks,learn-eks.title]] = Learn Amazon EKS by example -:info_doctype: chapter -:info_title: Learn Amazon EKS by example :info_titleabbrev: Learn Amazon EKS :keywords: tutorial, workshop, developer, learn :sectnums: diff --git a/latest/ug/getting-started/setting-up.adoc b/latest/ug/getting-started/setting-up.adoc index 253f8f5d3..76596608f 100644 --- a/latest/ug/getting-started/setting-up.adoc +++ b/latest/ug/getting-started/setting-up.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT + include::../attributes.txt[] [[setting-up,setting-up.title]] = Set up to use Amazon EKS @@ -10,8 +10,6 @@ include::../attributes.txt[] :idprefix: :idseparator: - :sourcedir: . -:info_doctype: chapter -:info_title: Set up to use Amazon EKS :info_titleabbrev: Set up :keywords: setting up, setup diff --git a/latest/ug/integrations/creating-resources-with-cloudformation.adoc b/latest/ug/integrations/creating-resources-with-cloudformation.adoc index d2dbb7bd1..20af6e396 100644 --- a/latest/ug/integrations/creating-resources-with-cloudformation.adoc +++ b/latest/ug/integrations/creating-resources-with-cloudformation.adoc @@ -1,12 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[creating-resources-with-cloudformation,creating-resources-with-cloudformation.title]] = Create Amazon EKS resources with {aws} CloudFormation -:info_doctype: section -:info_title: Create Amazon EKS resources with \ - {aws} CloudFormation [abstract] -- diff --git a/latest/ug/integrations/eks-integrations.adoc b/latest/ug/integrations/eks-integrations.adoc index 50107196f..24d617911 100644 --- a/latest/ug/integrations/eks-integrations.adoc +++ b/latest/ug/integrations/eks-integrations.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT + include::../attributes.txt[] [[eks-integrations,eks-integrations.title]] = Enhance EKS with integrated {aws} services @@ -10,8 +10,6 @@ include::../attributes.txt[] :idprefix: :idseparator: - :sourcedir: . -:info_doctype: chapter -:info_title: Enhance EKS with integrated {aws} services :info_titleabbrev: Working with other services In addition to the services covered in other sections, Amazon EKS works with more {aws} services to provide additional solutions. This topic identifies some of the other services that either use Amazon EKS to add functionality, or services that Amazon EKS uses to perform tasks. diff --git a/latest/ug/integrations/integration-detective.adoc b/latest/ug/integrations/integration-detective.adoc index 555d8820b..90824f669 100644 --- a/latest/ug/integrations/integration-detective.adoc +++ b/latest/ug/integrations/integration-detective.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[integration-detective,integration-detective.title]] = Analyze security events on EKS with Amazon Detective -:info_doctype: section -:info_title: Analyze security events on EKS with Amazon Detective :keywords: Amazon Detective [abstract] diff --git a/latest/ug/integrations/integration-guardduty.adoc b/latest/ug/integrations/integration-guardduty.adoc index e38d5df66..0cdc5a764 100644 --- a/latest/ug/integrations/integration-guardduty.adoc +++ b/latest/ug/integrations/integration-guardduty.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[integration-guardduty,integration-guardduty.title]] = Detect threats with Amazon GuardDuty -:info_doctype: section -:info_title: Detect threats with Amazon GuardDuty Amazon GuardDuty is a threat detection service that helps protect you accounts, containers, workloads, and the data with your {aws} environment. Using machine learning (ML) models, and anomaly and threat detection capabilities, GuardDuty continuously monitors different log sources and runtime activity to identify and prioritize potential security risks and malicious activities in your environment. diff --git a/latest/ug/integrations/integration-resilience-hub.adoc b/latest/ug/integrations/integration-resilience-hub.adoc index 0d31c02bc..6a0d9b4b2 100644 --- a/latest/ug/integrations/integration-resilience-hub.adoc +++ b/latest/ug/integrations/integration-resilience-hub.adoc @@ -1,10 +1,8 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[integration-resilience-hub,integration-resilience-hub.title]] = Assess EKS cluster resiliency with {aws} Resilience Hub -:info_doctype: section -:info_title: Assess EKS cluster resiliency with {aws} Resilience Hub {aws} Resilience Hub assesses the resiliency of an Amazon EKS cluster by analyzing its infrastructure. {aws} Resilience Hub uses the [.noloc]`Kubernetes` role-based access control (RBAC) configuration to assess the [.noloc]`Kubernetes` workloads deployed to your cluster. For more information, see link:resilience-hub/latest/userguide/enabling-eks-in-arh.html[Enabling {aws} Resilience Hub access to your Amazon EKS cluster,type="documentation"] in the {aws} Resilience Hub User Guide. diff --git a/latest/ug/integrations/integration-securitylake.adoc b/latest/ug/integrations/integration-securitylake.adoc index 48772302e..5f734872a 100644 --- a/latest/ug/integrations/integration-securitylake.adoc +++ b/latest/ug/integrations/integration-securitylake.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[integration-securitylake,integration-securitylake.title]] = Centralize and analyze EKS security data with Security Lake -:info_doctype: section -:info_title: Centralize and analyze EKS security data with Security Lake :keywords: Amazon EKS, Amazon Security Lake, Kubernetes security, centralized security data, threat detection [abstract] diff --git a/latest/ug/integrations/integration-vpc-lattice.adoc b/latest/ug/integrations/integration-vpc-lattice.adoc index 84bc58b1f..3a3462d7c 100644 --- a/latest/ug/integrations/integration-vpc-lattice.adoc +++ b/latest/ug/integrations/integration-vpc-lattice.adoc @@ -1,10 +1,8 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[integration-vpc-lattice,integration-vpc-lattice.title]] = Enable secure cross-cluster connectivity with Amazon VPC Lattice -:info_doctype: section -:info_title: Enable secure cross-cluster connectivity with Amazon VPC Lattice Amazon VPC Lattice is a fully managed application networking service built directly into the {aws} networking infrastructure that you can use to connect, secure, and monitor your services across multiple accounts and Virtual Private Clouds (VPCs). With Amazon EKS, you can leverage Amazon VPC Lattice through the use of the {aws} Gateway API Controller, an implementation of the Kubernetes https://gateway-api.sigs.k8s.io/[Gateway API]. Using Amazon VPC Lattice, you can set up cross-cluster connectivity with standard [.noloc]`Kubernetes` semantics in a simple and consistent manner. To get started using Amazon VPC Lattice with Amazon EKS see the https://www.gateway-api-controller.eks.aws.dev/[{aws} Gateway API Controller User Guide]. diff --git a/latest/ug/integrations/local-zones.adoc b/latest/ug/integrations/local-zones.adoc index 4df1cf272..5f449ed89 100644 --- a/latest/ug/integrations/local-zones.adoc +++ b/latest/ug/integrations/local-zones.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[local-zones,local-zones.title]] = Launch low-latency EKS clusters with {aws} Local Zones -:info_doctype: section -:info_title: Launch low-latency EKS clusters with {aws} Local Zones An link:about-aws/global-infrastructure/localzones/[{aws} Local Zone,type="marketing"] is an extension of an {aws} Region in geographic proximity to your users. Local Zones have their own connections to the internet and support link:directconnect/[{aws} Direct Connect,type="marketing"]. Resources created in a Local Zone can serve local users with low-latency communications. For more information, see the link:local-zones/latest/ug/what-is-aws-local-zones.html[{aws} Local Zones User Guide,type="documentation"] and link:AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-local-zones[Local Zones,type="documentation"] in the _Amazon EC2 User Guide_. diff --git a/latest/ug/manage-access/aws-access/service-accounts.adoc b/latest/ug/manage-access/aws-access/service-accounts.adoc index 25b1d1160..becdbbc5d 100644 --- a/latest/ug/manage-access/aws-access/service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/service-accounts.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../../attributes.txt[] [.topic] [[service-accounts,service-accounts.title]] = Grant Kubernetes workloads access to {aws} using [.noloc]`Kubernetes` Service Accounts -:info_doctype: section -:info_title: Grant Kubernetes workloads access to {aws} using Kubernetes Service Accounts :info_titleabbrev: Grant workloads access to {aws} A [.noloc]`Kubernetes` service account provides an identity for processes that run in a [.noloc]`Pod`. For more information see https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin[Managing Service Accounts] in the [.noloc]`Kubernetes` documentation. If your [.noloc]`Pod` needs access to {aws} services, you can map the service account to an {aws} Identity and Access Management identity to grant that access. For more information, see <>. diff --git a/latest/ug/manage-access/cluster-auth.adoc b/latest/ug/manage-access/cluster-auth.adoc index 1d29acbb2..f69b287b8 100644 --- a/latest/ug/manage-access/cluster-auth.adoc +++ b/latest/ug/manage-access/cluster-auth.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT + include::../attributes.txt[] [.topic] [[cluster-auth,cluster-auth.title]] @@ -11,8 +11,6 @@ include::../attributes.txt[] :idprefix: :idseparator: - :sourcedir: . -:info_doctype: chapter -:info_title: Learn how access control works in Amazon EKS :info_titleabbrev: Manage access [abstract] diff --git a/latest/ug/manage-access/create-kubeconfig.adoc b/latest/ug/manage-access/create-kubeconfig.adoc index c32106d49..990a55741 100644 --- a/latest/ug/manage-access/create-kubeconfig.adoc +++ b/latest/ug/manage-access/create-kubeconfig.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[create-kubeconfig,create-kubeconfig.title]] = Connect [.noloc]`kubectl` to an EKS cluster by creating a [.noloc]`kubeconfig` file -:info_doctype: section -:info_title: Connect kubectl to an EKS cluster by creating a kubeconfig file :info_titleabbrev: Access cluster with kubectl [abstract] diff --git a/latest/ug/manage-access/k8s-access/access-entries.adoc b/latest/ug/manage-access/k8s-access/access-entries.adoc index 7cf97db0a..836c58ee2 100644 --- a/latest/ug/manage-access/k8s-access/access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/access-entries.adoc @@ -1,9 +1,8 @@ -//!!NODE_ROOT
        + [.topic] [[access-entries,access-entries.title]] = Grant [.noloc]`IAM` users access to [.noloc]`Kubernetes` with EKS access entries -:info_doctype: section include::../../attributes.txt[] diff --git a/latest/ug/manage-access/k8s-access/access-policies.adoc b/latest/ug/manage-access/k8s-access/access-policies.adoc index 3fad2dfd6..6a02a9691 100644 --- a/latest/ug/manage-access/k8s-access/access-policies.adoc +++ b/latest/ug/manage-access/k8s-access/access-policies.adoc @@ -1,9 +1,8 @@ -//!!NODE_ROOT
        + [.topic] [[access-policies,access-policies.title]] = Associate access policies with access entries -:info_doctype: section include::../../attributes.txt[] diff --git a/latest/ug/manage-access/k8s-access/access-policy-reference.adoc b/latest/ug/manage-access/k8s-access/access-policy-reference.adoc index 833184b69..e42aa260f 100644 --- a/latest/ug/manage-access/k8s-access/access-policy-reference.adoc +++ b/latest/ug/manage-access/k8s-access/access-policy-reference.adoc @@ -1,9 +1,8 @@ -//!!NODE_ROOT
        + [.topic] [[access-policy-permissions,access-policy-permissions.title]] = Review access policy permissions -:info_doctype: section include::../../attributes.txt[] diff --git a/latest/ug/manage-access/k8s-access/auth-configmap.adoc b/latest/ug/manage-access/k8s-access/auth-configmap.adoc index 4ceeb3b3d..a97b9ee80 100644 --- a/latest/ug/manage-access/k8s-access/auth-configmap.adoc +++ b/latest/ug/manage-access/k8s-access/auth-configmap.adoc @@ -1,9 +1,8 @@ -//!!NODE_ROOT
        + [.topic] [[auth-configmap,auth-configmap.title]] = Grant [.noloc]`IAM` users access to [.noloc]`Kubernetes` with a [.noloc]`ConfigMap` -:info_doctype: section include::../../attributes.txt[] diff --git a/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc b/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc index 6e9d3db71..a6022423e 100644 --- a/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc +++ b/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc @@ -1,9 +1,8 @@ -//!!NODE_ROOT
        + [.topic] [[authenticate-oidc-identity-provider,authenticate-oidc-identity-provider.title]] = Grant users access to [.noloc]`Kubernetes` with an external [.noloc]`OIDC` provider -:info_doctype: section include::../../attributes.txt[] diff --git a/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc b/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc index c5ccae3ad..b068d3c93 100644 --- a/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc +++ b/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc @@ -1,9 +1,8 @@ -//!!NODE_ROOT
        + [.topic] [[disassociate-oidc-identity-provider,disassociate-oidc-identity-provider.title]] = Disassociate an [.noloc]`OIDC` identity provider from your cluster -:info_doctype: section include::../../attributes.txt[] diff --git a/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc b/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc index da4018941..a8611977e 100644 --- a/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc +++ b/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + [.topic] [[grant-k8s-access,grant-k8s-access.title]] = Grant [.noloc]`IAM` users and roles access to Kubernetes [.noloc]`APIs` -:info_doctype: section -:info_title: Grant IAM users and roles access to Kubernetes APIs :info_titleabbrev: Grant access to Kubernetes APIs include::../../attributes.txt[] diff --git a/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc b/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc index 4c91b06f9..091097bef 100644 --- a/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc @@ -1,10 +1,9 @@ -//!!NODE_ROOT
        + [.topic] [[migrating-access-entries,migrating-access-entries.title]] = Migrating existing `aws-auth ConfigMap` entries to access entries -:info_doctype: section include::../../attributes.txt[] diff --git a/latest/ug/manage-access/view-kubernetes-resources.adoc b/latest/ug/manage-access/view-kubernetes-resources.adoc index b4ef2a26a..514526300 100644 --- a/latest/ug/manage-access/view-kubernetes-resources.adoc +++ b/latest/ug/manage-access/view-kubernetes-resources.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[view-kubernetes-resources,view-kubernetes-resources.title]] = View [.noloc]`Kubernetes` resources in the {aws-management-console} -:info_doctype: section -:info_title: View Kubernetes resources in the {aws-management-console} :info_titleabbrev: Access cluster resources with console [abstract] diff --git a/latest/ug/ml/capacity-blocks-mng.adoc b/latest/ug/ml/capacity-blocks-mng.adoc index c8d664dcb..38a843e42 100644 --- a/latest/ug/ml/capacity-blocks-mng.adoc +++ b/latest/ug/ml/capacity-blocks-mng.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[capacity-blocks-mng,capacity-blocks-mng.title]] diff --git a/latest/ug/ml/capacity-blocks.adoc b/latest/ug/ml/capacity-blocks.adoc index 8f9ab3eb7..847290dbb 100644 --- a/latest/ug/ml/capacity-blocks.adoc +++ b/latest/ug/ml/capacity-blocks.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[capacity-blocks,capacity-blocks.title]] diff --git a/latest/ug/ml/inferentia-support.adoc b/latest/ug/ml/inferentia-support.adoc index cc0ac8b39..cd27f295a 100644 --- a/latest/ug/ml/inferentia-support.adoc +++ b/latest/ug/ml/inferentia-support.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[inferentia-support,inferentia-support.title]] = Use {aws} [.noloc]`Inferentia` instances with Amazon EKS for Machine Learning -:info_doctype: section -:info_title: Use {aws} Inferentia instances with your EKS cluster for Machine Learning :info_titleabbrev: Prepare Inferentia clusters [abstract] diff --git a/latest/ug/ml/machine-learning-on-eks.adoc b/latest/ug/ml/machine-learning-on-eks.adoc index 147a1300a..f120dc089 100644 --- a/latest/ug/ml/machine-learning-on-eks.adoc +++ b/latest/ug/ml/machine-learning-on-eks.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT + include::../attributes.txt[] [.topic] [[machine-learning-on-eks,machine-learning-on-eks.title]] @@ -11,8 +11,6 @@ include::../attributes.txt[] :idprefix: :idseparator: - :sourcedir: . -:info_doctype: chapter -:info_title: Machine Learning on Amazon EKS Overview :info_titleabbrev: Machine Learning on EKS :keywords: Machine Learning, Amazon EKS, Artificial Intelligence diff --git a/latest/ug/ml/ml-eks-optimized-ami.adoc b/latest/ug/ml/ml-eks-optimized-ami.adoc index 7e08f399c..ee065dacc 100644 --- a/latest/ug/ml/ml-eks-optimized-ami.adoc +++ b/latest/ug/ml/ml-eks-optimized-ami.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[ml-eks-optimized-ami,ml-eks-optimized-ami.title]] = Run GPU-accelerated containers (Linux on EC2) diff --git a/latest/ug/ml/ml-eks-windows-optimized-ami.adoc b/latest/ug/ml/ml-eks-windows-optimized-ami.adoc index 9dcf0425b..58bb9b88e 100644 --- a/latest/ug/ml/ml-eks-windows-optimized-ami.adoc +++ b/latest/ug/ml/ml-eks-windows-optimized-ami.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[ml-eks-windows-optimized-ami,ml-eks-windows-optimized-ami.title]] = Run GPU-accelerated containers (Windows on EC2 G-Series) diff --git a/latest/ug/ml/ml-get-started.adoc b/latest/ug/ml/ml-get-started.adoc index 9c20f6db0..5f3f8dc5a 100644 --- a/latest/ug/ml/ml-get-started.adoc +++ b/latest/ug/ml/ml-get-started.adoc @@ -1,10 +1,8 @@ -//!!NODE_ROOT
        + [.topic] [[ml-get-started,ml-get-started.title]] = Get started with ML -:info_doctype: section -:info_title: Get started deploying Machine Learning tools on EKS :info_titleabbrev: Get started with ML include::../attributes.txt[] diff --git a/latest/ug/ml/ml-prepare-for-cluster.adoc b/latest/ug/ml/ml-prepare-for-cluster.adoc index 94863c285..992a110b2 100644 --- a/latest/ug/ml/ml-prepare-for-cluster.adoc +++ b/latest/ug/ml/ml-prepare-for-cluster.adoc @@ -1,10 +1,8 @@ -//!!NODE_ROOT
        + [.topic] [[ml-prepare-for-cluster,ml-prepare-for-cluster.title]] = Prepare for ML clusters -:info_doctype: section -:info_title: Prepare to create an EKS cluster for Machine Learning :info_titleabbrev: Prepare for ML include::../attributes.txt[] diff --git a/latest/ug/ml/ml-tutorials.adoc b/latest/ug/ml/ml-tutorials.adoc index e02bfde4d..c609fb828 100644 --- a/latest/ug/ml/ml-tutorials.adoc +++ b/latest/ug/ml/ml-tutorials.adoc @@ -1,10 +1,8 @@ -//!!NODE_ROOT
        + [.topic] [[ml-tutorials,ml-tutorials.title]] = Try tutorials for deploying Machine Learning workloads on EKS -:info_doctype: section -:info_title: Try tutorials for deploying Machine Learning workloads and platforms on EKS :info_titleabbrev: Try tutorials for ML on EKS include::../attributes.txt[] diff --git a/latest/ug/ml/node-efa.adoc b/latest/ug/ml/node-efa.adoc index c53dd484e..e836938ad 100644 --- a/latest/ug/ml/node-efa.adoc +++ b/latest/ug/ml/node-efa.adoc @@ -1,12 +1,9 @@ -//!!NODE_ROOT
        + :AWSEC2-latest-UserGuide-using-eni-html-network-cards: AWSEC2/latest/UserGuide/using-eni.html#network-cards [.topic] [[node-efa,node-efa.title]] = Run machine learning training on Amazon EKS with [.noloc]`Elastic Fabric Adapter` -:info_doctype: section -:info_title: Add Elastic Fabric \ - Adapter to EKS clusters for ML training :info_titleabbrev: Prepare training clusters with EFA include::../attributes.txt[] diff --git a/latest/ug/ml/node-taints-managed-node-groups.adoc b/latest/ug/ml/node-taints-managed-node-groups.adoc index 4e3d3cf86..1d0b20502 100644 --- a/latest/ug/ml/node-taints-managed-node-groups.adoc +++ b/latest/ug/ml/node-taints-managed-node-groups.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[node-taints-managed-node-groups,node-taints-managed-node-groups.title]] diff --git a/latest/ug/networking/alternate-cni-plugins.adoc b/latest/ug/networking/alternate-cni-plugins.adoc index 0e4952c95..66f94d091 100644 --- a/latest/ug/networking/alternate-cni-plugins.adoc +++ b/latest/ug/networking/alternate-cni-plugins.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[alternate-cni-plugins,alternate-cni-plugins.title]] = Alternate CNI plugins for Amazon EKS clusters diff --git a/latest/ug/networking/aws-load-balancer-controller.adoc b/latest/ug/networking/aws-load-balancer-controller.adoc index b9238c1b1..0668c2f13 100644 --- a/latest/ug/networking/aws-load-balancer-controller.adoc +++ b/latest/ug/networking/aws-load-balancer-controller.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/cni-custom-network-tutorial.adoc b/latest/ug/networking/cni-custom-network-tutorial.adoc index b87d10f4e..10ef92d78 100644 --- a/latest/ug/networking/cni-custom-network-tutorial.adoc +++ b/latest/ug/networking/cni-custom-network-tutorial.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[cni-custom-network-tutorial,cni-custom-network-tutorial.title]] = Customize the secondary network interface in Amazon EKS nodes diff --git a/latest/ug/networking/cni-custom-network.adoc b/latest/ug/networking/cni-custom-network.adoc index 0192d4cfa..088121ceb 100644 --- a/latest/ug/networking/cni-custom-network.adoc +++ b/latest/ug/networking/cni-custom-network.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[cni-custom-network,cni-custom-network.title]] = Deploy [.noloc]`Pods` in alternate subnets with custom networking diff --git a/latest/ug/networking/cni-iam-role.adoc b/latest/ug/networking/cni-iam-role.adoc index eb50a667b..1157c57b8 100644 --- a/latest/ug/networking/cni-iam-role.adoc +++ b/latest/ug/networking/cni-iam-role.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[cni-iam-role,cni-iam-role.title]] = Configure Amazon VPC CNI plugin to use IRSA diff --git a/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc b/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc index 499b26af5..296a80b42 100644 --- a/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc +++ b/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[cni-increase-ip-addresses-procedure,cni-increase-ip-addresses-procedure.title]] = Increase the available IP addresses for your Amazon EKS node diff --git a/latest/ug/networking/cni-increase-ip-addresses.adoc b/latest/ug/networking/cni-increase-ip-addresses.adoc index d13bcf44b..07e002eac 100644 --- a/latest/ug/networking/cni-increase-ip-addresses.adoc +++ b/latest/ug/networking/cni-increase-ip-addresses.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[cni-increase-ip-addresses,cni-increase-ip-addresses.title]] = Assign more IP addresses to Amazon EKS nodes with prefixes diff --git a/latest/ug/networking/cni-ipv6.adoc b/latest/ug/networking/cni-ipv6.adoc index c753d9b9c..8fe2d537d 100644 --- a/latest/ug/networking/cni-ipv6.adoc +++ b/latest/ug/networking/cni-ipv6.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[cni-ipv6,cni-ipv6.title]] = Learn about IPv6 addresses to clusters, [.noloc]`Pods`, and services diff --git a/latest/ug/networking/cni-network-policy-configure.adoc b/latest/ug/networking/cni-network-policy-configure.adoc index bbcec8ee1..f04b4f39e 100644 --- a/latest/ug/networking/cni-network-policy-configure.adoc +++ b/latest/ug/networking/cni-network-policy-configure.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[cni-network-policy-configure,cni-network-policy-configure.title]] = Restrict Pod network traffic with [.noloc]`Kubernetes` network policies diff --git a/latest/ug/networking/cni-network-policy.adoc b/latest/ug/networking/cni-network-policy.adoc index cbf1d1bc1..bb57d8c55 100644 --- a/latest/ug/networking/cni-network-policy.adoc +++ b/latest/ug/networking/cni-network-policy.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[cni-network-policy,cni-network-policy.title]] = Limit [.noloc]`Pod` traffic with [.noloc]`Kubernetes` network policies diff --git a/latest/ug/networking/coredns-add-on-create.adoc b/latest/ug/networking/coredns-add-on-create.adoc index 7d9667bf7..5f3853879 100644 --- a/latest/ug/networking/coredns-add-on-create.adoc +++ b/latest/ug/networking/coredns-add-on-create.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[coredns-add-on-create,coredns-add-on-create.title]] = Create the [.noloc]`CoreDNS` Amazon EKS add-on diff --git a/latest/ug/networking/coredns-add-on-self-managed-update.adoc b/latest/ug/networking/coredns-add-on-self-managed-update.adoc index 8abf9dd8c..c2b12f896 100644 --- a/latest/ug/networking/coredns-add-on-self-managed-update.adoc +++ b/latest/ug/networking/coredns-add-on-self-managed-update.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[coredns-add-on-self-managed-update,coredns-add-on-self-managed-update.title]] = Update the [.noloc]`CoreDNS` Amazon EKS self-managed add-on diff --git a/latest/ug/networking/coredns-add-on-update.adoc b/latest/ug/networking/coredns-add-on-update.adoc index bb3d5c6ca..f85bb0eb5 100644 --- a/latest/ug/networking/coredns-add-on-update.adoc +++ b/latest/ug/networking/coredns-add-on-update.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[coredns-add-on-update,coredns-add-on-update.title]] = Update the [.noloc]`CoreDNS` Amazon EKS add-on diff --git a/latest/ug/networking/coredns-autoscaling.adoc b/latest/ug/networking/coredns-autoscaling.adoc index 7e466ac32..90ab36ba1 100644 --- a/latest/ug/networking/coredns-autoscaling.adoc +++ b/latest/ug/networking/coredns-autoscaling.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[coredns-autoscaling,coredns-autoscaling.title]] = Scale [.noloc]`CoreDNS Pods` for high DNS traffic diff --git a/latest/ug/networking/coredns-metrics.adoc b/latest/ug/networking/coredns-metrics.adoc index a405075f9..356e6a083 100644 --- a/latest/ug/networking/coredns-metrics.adoc +++ b/latest/ug/networking/coredns-metrics.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[coredns-metrics,coredns-metrics.title]] = Monitor [.noloc]`Kubernetes` DNS resolution with [.noloc]`CoreDNS` metrics diff --git a/latest/ug/networking/creating-a-vpc.adoc b/latest/ug/networking/creating-a-vpc.adoc index 3227d1bf4..cb8e25cd6 100644 --- a/latest/ug/networking/creating-a-vpc.adoc +++ b/latest/ug/networking/creating-a-vpc.adoc @@ -1,9 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[creating-a-vpc,creating-a-vpc.title]] = Create an Amazon VPC for your Amazon EKS cluster -:info_doctype: section -:info_title: Create an Amazon VPC for your Amazon EKS cluster :info_titleabbrev: Create a VPC include::../attributes.txt[] diff --git a/latest/ug/networking/deploy-ipv6-cluster.adoc b/latest/ug/networking/deploy-ipv6-cluster.adoc index 132da8e0b..cc5ae665d 100644 --- a/latest/ug/networking/deploy-ipv6-cluster.adoc +++ b/latest/ug/networking/deploy-ipv6-cluster.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[deploy-ipv6-cluster,deploy-ipv6-cluster.title]] = Deploying an Amazon EKS `IPv6` cluster and managed Amazon Linux nodes diff --git a/latest/ug/networking/eks-networking-add-ons.adoc b/latest/ug/networking/eks-networking-add-ons.adoc index b2c274cd1..caed5bc65 100644 --- a/latest/ug/networking/eks-networking-add-ons.adoc +++ b/latest/ug/networking/eks-networking-add-ons.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[eks-networking-add-ons,eks-networking-add-ons.title]] = Manage networking add-ons for Amazon EKS clusters diff --git a/latest/ug/networking/eks-networking.adoc b/latest/ug/networking/eks-networking.adoc index 607962e94..2632a52bc 100644 --- a/latest/ug/networking/eks-networking.adoc +++ b/latest/ug/networking/eks-networking.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT + [[eks-networking,eks-networking.title]] = Configure networking for Amazon EKS clusters :doctype: book @@ -9,7 +9,6 @@ :idprefix: :idseparator: - :sourcedir: . -:info_doctype: chapter :info_titleabbrev: Configure networking include::../attributes.txt[] diff --git a/latest/ug/networking/external-snat.adoc b/latest/ug/networking/external-snat.adoc index e3bf0dbed..5892ca021 100644 --- a/latest/ug/networking/external-snat.adoc +++ b/latest/ug/networking/external-snat.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[external-snat,external-snat.title]] = Enable outbound internet access for [.noloc]`Pods` diff --git a/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc b/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc index 00d0a717c..7b8ea5218 100644 --- a/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc +++ b/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[kube-proxy-add-on-self-managed-update,kube-proxy-add-on-self-managed-update.title]] = Update the Kubernetes `kube-proxy` self-managed add-on diff --git a/latest/ug/networking/lbc-helm.adoc b/latest/ug/networking/lbc-helm.adoc index c62d333aa..a845480a6 100644 --- a/latest/ug/networking/lbc-helm.adoc +++ b/latest/ug/networking/lbc-helm.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] include::../attributes.txt[] diff --git a/latest/ug/networking/lbc-manifest.adoc b/latest/ug/networking/lbc-manifest.adoc index 32a07d249..a80163cf2 100644 --- a/latest/ug/networking/lbc-manifest.adoc +++ b/latest/ug/networking/lbc-manifest.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[lbc-manifest,lbc-manifest.title]] include::../attributes.txt[] diff --git a/latest/ug/networking/lbc-remove.adoc b/latest/ug/networking/lbc-remove.adoc index 44b19bba5..786a3b471 100644 --- a/latest/ug/networking/lbc-remove.adoc +++ b/latest/ug/networking/lbc-remove.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[lbc-remove,lbc-remove.title]] = Migrate apps from deprecated ALB [.noloc]`Ingress Controller` diff --git a/latest/ug/networking/managing-coredns.adoc b/latest/ug/networking/managing-coredns.adoc index dbb2c5b65..754be5b8f 100644 --- a/latest/ug/networking/managing-coredns.adoc +++ b/latest/ug/networking/managing-coredns.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[managing-coredns,managing-coredns.title]] = Manage CoreDNS for DNS in Amazon EKS clusters diff --git a/latest/ug/networking/managing-kube-proxy.adoc b/latest/ug/networking/managing-kube-proxy.adoc index b3591ce2e..a607d7e15 100644 --- a/latest/ug/networking/managing-kube-proxy.adoc +++ b/latest/ug/networking/managing-kube-proxy.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[managing-kube-proxy,managing-kube-proxy.title]] = Manage `kube-proxy` in Amazon EKS clusters diff --git a/latest/ug/networking/managing-vpc-cni.adoc b/latest/ug/networking/managing-vpc-cni.adoc index f38bf2c89..0ce7b1178 100644 --- a/latest/ug/networking/managing-vpc-cni.adoc +++ b/latest/ug/networking/managing-vpc-cni.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[managing-vpc-cni,managing-vpc-cni.title]] = Assign IPs to [.noloc]`Pods` with the Amazon VPC CNI diff --git a/latest/ug/networking/network-policies-troubleshooting.adoc b/latest/ug/networking/network-policies-troubleshooting.adoc index 13d789267..ae20b0633 100644 --- a/latest/ug/networking/network-policies-troubleshooting.adoc +++ b/latest/ug/networking/network-policies-troubleshooting.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[network-policies-troubleshooting,network-policies-troubleshooting.title]] = Troubleshooting [.noloc]`Kubernetes` network policies For Amazon EKS diff --git a/latest/ug/networking/network-policy-disable.adoc b/latest/ug/networking/network-policy-disable.adoc index 08ef0040e..9015ef737 100644 --- a/latest/ug/networking/network-policy-disable.adoc +++ b/latest/ug/networking/network-policy-disable.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[network-policy-disable,network-policy-disable.title]] = Disable [.noloc]`Kubernetes` network policies for Amazon EKS Pod network traffic diff --git a/latest/ug/networking/network-policy-stars-demo.adoc b/latest/ug/networking/network-policy-stars-demo.adoc index 95778b625..576d7103a 100644 --- a/latest/ug/networking/network-policy-stars-demo.adoc +++ b/latest/ug/networking/network-policy-stars-demo.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[network-policy-stars-demo,network-policy-stars-demo.title]] = Stars demo of network policy for Amazon EKS diff --git a/latest/ug/networking/network-reqs.adoc b/latest/ug/networking/network-reqs.adoc index 758c90d25..06550aa41 100644 --- a/latest/ug/networking/network-reqs.adoc +++ b/latest/ug/networking/network-reqs.adoc @@ -1,9 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[network-reqs,network-reqs.title]] = View Amazon EKS networking requirements for VPC and subnets -:info_doctype: section -:info_title: View Amazon EKS networking requirements for VPC and subnets :info_titleabbrev: VPC and subnet requirements include::../attributes.txt[] diff --git a/latest/ug/networking/pod-multiple-network-interfaces.adoc b/latest/ug/networking/pod-multiple-network-interfaces.adoc index 95372eb81..0c565e666 100644 --- a/latest/ug/networking/pod-multiple-network-interfaces.adoc +++ b/latest/ug/networking/pod-multiple-network-interfaces.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[pod-multiple-network-interfaces,pod-multiple-network-interfaces.title]] = Attach multiple network interfaces to [.noloc]`Pods` with [.noloc]`Multus` diff --git a/latest/ug/networking/pod-networking-use-cases.adoc b/latest/ug/networking/pod-networking-use-cases.adoc index 34c422d7c..5038b17b3 100644 --- a/latest/ug/networking/pod-networking-use-cases.adoc +++ b/latest/ug/networking/pod-networking-use-cases.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[pod-networking-use-cases,pod-networking-use-cases.title]] = Learn about VPC CNI modes and configuration diff --git a/latest/ug/networking/sec-group-reqs.adoc b/latest/ug/networking/sec-group-reqs.adoc index a910efa70..b779368f8 100644 --- a/latest/ug/networking/sec-group-reqs.adoc +++ b/latest/ug/networking/sec-group-reqs.adoc @@ -1,9 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[sec-group-reqs,sec-group-reqs.title]] = View Amazon EKS security group requirements for clusters -:info_doctype: section -:info_title: View Amazon EKS security group requirements for clusters :info_titleabbrev: Security group requirements include::../attributes.txt[] diff --git a/latest/ug/networking/security-groups-for-pods.adoc b/latest/ug/networking/security-groups-for-pods.adoc index 88ad2c793..a9315a233 100644 --- a/latest/ug/networking/security-groups-for-pods.adoc +++ b/latest/ug/networking/security-groups-for-pods.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[security-groups-for-pods,security-groups-for-pods.title]] = Assign security groups to individual [.noloc]`Pods` diff --git a/latest/ug/networking/security-groups-pods-deployment.adoc b/latest/ug/networking/security-groups-pods-deployment.adoc index e283bb265..dd7729b85 100644 --- a/latest/ug/networking/security-groups-pods-deployment.adoc +++ b/latest/ug/networking/security-groups-pods-deployment.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[security-groups-pods-deployment,security-groups-pods-deployment.title]] = Configure the [.noloc]`Amazon VPC CNI plugin for Kubernetes` for security groups for Amazon EKS [.noloc]`Pods` diff --git a/latest/ug/networking/sg-pods-example-deployment.adoc b/latest/ug/networking/sg-pods-example-deployment.adoc index 0338a0cf2..454b17b17 100644 --- a/latest/ug/networking/sg-pods-example-deployment.adoc +++ b/latest/ug/networking/sg-pods-example-deployment.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[sg-pods-example-deployment,sg-pods-example-deployment.title]] = Use a security group policy for an Amazon EKS [.noloc]`Pod` diff --git a/latest/ug/networking/vpc-add-on-create.adoc b/latest/ug/networking/vpc-add-on-create.adoc index 1e9e2e6e0..855856979 100644 --- a/latest/ug/networking/vpc-add-on-create.adoc +++ b/latest/ug/networking/vpc-add-on-create.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[vpc-add-on-create,vpc-add-on-create.title]] = Create the Amazon VPC CNI (Amazon EKS add-on) diff --git a/latest/ug/networking/vpc-add-on-self-managed-update.adoc b/latest/ug/networking/vpc-add-on-self-managed-update.adoc index a80f4da33..468063ffe 100644 --- a/latest/ug/networking/vpc-add-on-self-managed-update.adoc +++ b/latest/ug/networking/vpc-add-on-self-managed-update.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[vpc-add-on-self-managed-update,vpc-add-on-self-managed-update.title]] = Update the Amazon VPC CNI (self-managed add-on) diff --git a/latest/ug/networking/vpc-add-on-update.adoc b/latest/ug/networking/vpc-add-on-update.adoc index 399173da2..c8da60223 100644 --- a/latest/ug/networking/vpc-add-on-update.adoc +++ b/latest/ug/networking/vpc-add-on-update.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[vpc-add-on-update,vpc-add-on-update.title]] = Update the Amazon VPC CNI (Amazon EKS add-on) diff --git a/latest/ug/nodes/al2023.adoc b/latest/ug/nodes/al2023.adoc index 0f44be2ff..86b98b2df 100644 --- a/latest/ug/nodes/al2023.adoc +++ b/latest/ug/nodes/al2023.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[al2023,al2023.title]] = Upgrade from Amazon Linux 2 to Amazon Linux 2023 diff --git a/latest/ug/nodes/auto-get-logs.adoc b/latest/ug/nodes/auto-get-logs.adoc index be4fac095..d3f1a9a52 100644 --- a/latest/ug/nodes/auto-get-logs.adoc +++ b/latest/ug/nodes/auto-get-logs.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[auto-get-logs,auto-get-logs.title]] = Retrieve node logs for a managed node using kubectl and S3 diff --git a/latest/ug/nodes/bottlerocket-compliance-support.adoc b/latest/ug/nodes/bottlerocket-compliance-support.adoc index 2977db31c..e8b225d2a 100644 --- a/latest/ug/nodes/bottlerocket-compliance-support.adoc +++ b/latest/ug/nodes/bottlerocket-compliance-support.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[bottlerocket-compliance-support,bottlerocket-compliance-support.title]] diff --git a/latest/ug/nodes/choosing-instance-type.adoc b/latest/ug/nodes/choosing-instance-type.adoc index 52da26e99..1b95361d6 100644 --- a/latest/ug/nodes/choosing-instance-type.adoc +++ b/latest/ug/nodes/choosing-instance-type.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[choosing-instance-type,choosing-instance-type.title]] = Choose an optimal Amazon EC2 node instance type -:info_doctype: section -:info_title: Choose an optimal Amazon EC2 node instance type :info_titleabbrev: Amazon EC2 instance types :keywords: choose, select, instance, type, family, group, max-pods, max pods, maximum pods diff --git a/latest/ug/nodes/create-managed-node-group.adoc b/latest/ug/nodes/create-managed-node-group.adoc index a508021a2..7f268fe06 100644 --- a/latest/ug/nodes/create-managed-node-group.adoc +++ b/latest/ug/nodes/create-managed-node-group.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[create-managed-node-group,create-managed-node-group.title]] = Create a managed node group for your cluster diff --git a/latest/ug/nodes/delete-fargate-profile.adoc b/latest/ug/nodes/delete-fargate-profile.adoc index cac678fe7..b5c199d85 100644 --- a/latest/ug/nodes/delete-fargate-profile.adoc +++ b/latest/ug/nodes/delete-fargate-profile.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[delete-fargate-profile,delete-fargate-profile.title]] diff --git a/latest/ug/nodes/delete-managed-node-group.adoc b/latest/ug/nodes/delete-managed-node-group.adoc index b957db2c4..ca093a255 100644 --- a/latest/ug/nodes/delete-managed-node-group.adoc +++ b/latest/ug/nodes/delete-managed-node-group.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[delete-managed-node-group,delete-managed-node-group.title]] diff --git a/latest/ug/nodes/dockershim-deprecation.adoc b/latest/ug/nodes/dockershim-deprecation.adoc index fe88a0687..741f2b9c1 100644 --- a/latest/ug/nodes/dockershim-deprecation.adoc +++ b/latest/ug/nodes/dockershim-deprecation.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[dockershim-deprecation,dockershim-deprecation.title]] diff --git a/latest/ug/nodes/eks-ami-build-scripts.adoc b/latest/ug/nodes/eks-ami-build-scripts.adoc index ee6387c01..de1fed1dc 100644 --- a/latest/ug/nodes/eks-ami-build-scripts.adoc +++ b/latest/ug/nodes/eks-ami-build-scripts.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[eks-ami-build-scripts,eks-ami-build-scripts.title]] diff --git a/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc b/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc index a05207d61..26f6bbde0 100644 --- a/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc +++ b/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[eks-ami-versions-bottlerocket,eks-ami-versions-bottlerocket.title]] diff --git a/latest/ug/nodes/eks-ami-versions-windows.adoc b/latest/ug/nodes/eks-ami-versions-windows.adoc index 5a7d1b1ca..6e9af85db 100644 --- a/latest/ug/nodes/eks-ami-versions-windows.adoc +++ b/latest/ug/nodes/eks-ami-versions-windows.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[eks-ami-versions-windows,eks-ami-versions-windows.title]] diff --git a/latest/ug/nodes/eks-compute.adoc b/latest/ug/nodes/eks-compute.adoc index b1681385f..54ffabc41 100644 --- a/latest/ug/nodes/eks-compute.adoc +++ b/latest/ug/nodes/eks-compute.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT + [[eks-compute,eks-compute.title]] = Manage compute resources by using nodes :doctype: book @@ -9,8 +9,6 @@ :idprefix: :idseparator: - :sourcedir: . -:info_doctype: chapter -:info_title: Manage compute resources by using nodes :info_titleabbrev: Manage compute :keywords: nodes, node groups diff --git a/latest/ug/nodes/eks-custom-ami-windows.adoc b/latest/ug/nodes/eks-custom-ami-windows.adoc index 273d87e76..ac0b8684b 100644 --- a/latest/ug/nodes/eks-custom-ami-windows.adoc +++ b/latest/ug/nodes/eks-custom-ami-windows.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[eks-custom-ami-windows,eks-custom-ami-windows.title]] diff --git a/latest/ug/nodes/eks-linux-ami-versions.adoc b/latest/ug/nodes/eks-linux-ami-versions.adoc index 4c91a40ea..104484e17 100644 --- a/latest/ug/nodes/eks-linux-ami-versions.adoc +++ b/latest/ug/nodes/eks-linux-ami-versions.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[eks-linux-ami-versions,eks-linux-ami-versions.title]] diff --git a/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc b/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc index 91ce64da0..ca75dff3e 100644 --- a/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc +++ b/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[eks-optimized-ami-bottlerocket,eks-optimized-ami-bottlerocket.title]] diff --git a/latest/ug/nodes/eks-optimized-ami.adoc b/latest/ug/nodes/eks-optimized-ami.adoc index 3b1549e15..4bd24b620 100644 --- a/latest/ug/nodes/eks-optimized-ami.adoc +++ b/latest/ug/nodes/eks-optimized-ami.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[eks-optimized-ami,eks-optimized-ami.title]] = Create nodes with optimized Amazon Linux AMIs diff --git a/latest/ug/nodes/eks-optimized-amis.adoc b/latest/ug/nodes/eks-optimized-amis.adoc index 7fc17b261..12d69206a 100644 --- a/latest/ug/nodes/eks-optimized-amis.adoc +++ b/latest/ug/nodes/eks-optimized-amis.adoc @@ -1,9 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[eks-optimized-amis,eks-optimized-amis.title]] = Create nodes with pre-built optimized images -:info_doctype: section -:info_title: Create nodes with pre-built optimized images :info_titleabbrev: Pre-built optimized AMIs :keywords: optimized, custom, AMI diff --git a/latest/ug/nodes/eks-optimized-windows-ami.adoc b/latest/ug/nodes/eks-optimized-windows-ami.adoc index 1ed169a8f..4d5d3c625 100644 --- a/latest/ug/nodes/eks-optimized-windows-ami.adoc +++ b/latest/ug/nodes/eks-optimized-windows-ami.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[eks-optimized-windows-ami,eks-optimized-windows-ami.title]] = Create nodes with optimized [.noloc]`Windows` AMIs diff --git a/latest/ug/nodes/eks-partner-amis.adoc b/latest/ug/nodes/eks-partner-amis.adoc index b52ddc992..84ebea64b 100644 --- a/latest/ug/nodes/eks-partner-amis.adoc +++ b/latest/ug/nodes/eks-partner-amis.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[eks-partner-amis,eks-partner-amis.title]] diff --git a/latest/ug/nodes/fargate-getting-started.adoc b/latest/ug/nodes/fargate-getting-started.adoc index f5e373f1f..1c6454a23 100644 --- a/latest/ug/nodes/fargate-getting-started.adoc +++ b/latest/ug/nodes/fargate-getting-started.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[fargate-getting-started,fargate-getting-started.title]] diff --git a/latest/ug/nodes/fargate-logging.adoc b/latest/ug/nodes/fargate-logging.adoc index f2fd84586..c0162083e 100644 --- a/latest/ug/nodes/fargate-logging.adoc +++ b/latest/ug/nodes/fargate-logging.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[fargate-logging,fargate-logging.title]] diff --git a/latest/ug/nodes/fargate-pod-configuration.adoc b/latest/ug/nodes/fargate-pod-configuration.adoc index e7e3d3b50..02d151a93 100644 --- a/latest/ug/nodes/fargate-pod-configuration.adoc +++ b/latest/ug/nodes/fargate-pod-configuration.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[fargate-pod-configuration,fargate-pod-configuration.title]] diff --git a/latest/ug/nodes/fargate-pod-patching.adoc b/latest/ug/nodes/fargate-pod-patching.adoc index 4e96b3c13..8d96afe68 100644 --- a/latest/ug/nodes/fargate-pod-patching.adoc +++ b/latest/ug/nodes/fargate-pod-patching.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[fargate-pod-patching,fargate-pod-patching.title]] diff --git a/latest/ug/nodes/fargate-profile.adoc b/latest/ug/nodes/fargate-profile.adoc index ac0314fe9..b162b6219 100644 --- a/latest/ug/nodes/fargate-profile.adoc +++ b/latest/ug/nodes/fargate-profile.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[fargate-profile,fargate-profile.title]] diff --git a/latest/ug/nodes/fargate.adoc b/latest/ug/nodes/fargate.adoc index a77c7395d..5491eb545 100644 --- a/latest/ug/nodes/fargate.adoc +++ b/latest/ug/nodes/fargate.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[fargate,fargate.title]] = Simplify compute management with {aws} Fargate -:info_doctype: section -:info_title: Simplify compute management with {aws} Fargate :info_titleabbrev: {aws} Fargate :keywords: Fargate, nodes diff --git a/latest/ug/nodes/hybrid-nodes-add-ons.adoc b/latest/ug/nodes/hybrid-nodes-add-ons.adoc index a10cbbe5e..9c99d1140 100644 --- a/latest/ug/nodes/hybrid-nodes-add-ons.adoc +++ b/latest/ug/nodes/hybrid-nodes-add-ons.adoc @@ -1,9 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[hybrid-nodes-add-ons,hybrid-nodes-add-ons.title]] = Configure add-ons for hybrid nodes -:info_doctype: section -:info_title: Configure common add-ons for hybrid nodes :info_titleabbrev: Configure add-ons :keywords: add-ons for on-premises nodes, add-ons for hybrid nodes diff --git a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc index d61b31b93..194366c33 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc @@ -1,9 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[hybrid-nodes-cluster-create,hybrid-nodes-cluster-create.title]] = Create an Amazon EKS cluster with hybrid nodes -:info_doctype: section -:info_title: Create an Amazon EKS cluster with hybrid nodes :info_titleabbrev: Create cluster :keywords: on-premises, hybrid diff --git a/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc b/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc index 80461bafa..ac86e3ae6 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc @@ -1,8 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[hybrid-nodes-cluster-prep,hybrid-nodes-cluster-prep.title]] = Prepare cluster access for hybrid nodes -:info_title: Prepare cluster access for hybrid nodes :info_titleabbrev: Prepare cluster access [abstract] diff --git a/latest/ug/nodes/hybrid-nodes-cni.adoc b/latest/ug/nodes/hybrid-nodes-cni.adoc index 8522c7c8f..3d0210189 100644 --- a/latest/ug/nodes/hybrid-nodes-cni.adoc +++ b/latest/ug/nodes/hybrid-nodes-cni.adoc @@ -1,9 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[hybrid-nodes-cni,hybrid-nodes-cni.title]] = Configure a CNI for hybrid nodes -:info_doctype: section -:info_title: Configure a CNI for hybrid nodes :info_titleabbrev: Configure CNI :keywords: on-premises CNI, hybrid CNI diff --git a/latest/ug/nodes/hybrid-nodes-creds.adoc b/latest/ug/nodes/hybrid-nodes-creds.adoc index 6777dd5a2..1f468c8bb 100644 --- a/latest/ug/nodes/hybrid-nodes-creds.adoc +++ b/latest/ug/nodes/hybrid-nodes-creds.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[hybrid-nodes-creds,hybrid-nodes-creds.title]] = Prepare credentials for hybrid nodes diff --git a/latest/ug/nodes/hybrid-nodes-join.adoc b/latest/ug/nodes/hybrid-nodes-join.adoc index 4e6ac853f..2eb59f60c 100644 --- a/latest/ug/nodes/hybrid-nodes-join.adoc +++ b/latest/ug/nodes/hybrid-nodes-join.adoc @@ -1,9 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[hybrid-nodes-join,hybrid-nodes-join.title]] = Connect hybrid nodes -:info_doctype: section -:info_title: Connect hybrid nodes to Amazon EKS cluster :info_titleabbrev: Connect hybrid nodes :keywords: on-premises, hybrid diff --git a/latest/ug/nodes/hybrid-nodes-networking.adoc b/latest/ug/nodes/hybrid-nodes-networking.adoc index b2a241c81..e7313cffe 100644 --- a/latest/ug/nodes/hybrid-nodes-networking.adoc +++ b/latest/ug/nodes/hybrid-nodes-networking.adoc @@ -1,9 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[hybrid-nodes-networking,hybrid-nodes-networking.title]] = Prepare networking for hybrid nodes -:info_doctype: section -:info_title: Prepare networking for hybrid nodes :info_titleabbrev: Prepare networking :keywords: on-premises, hybrid diff --git a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc index 87f1f0dbb..663d508c8 100644 --- a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc +++ b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc @@ -1,9 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[hybrid-nodes-nodeadm,hybrid-nodes-nodeadm.title]] = Hybrid nodes `nodeadm` reference -:info_doctype: section -:info_title: Hybrid nodes nodeadm reference :info_titleabbrev: Hybrid nodes nodeadm reference :keywords: on-premises, hybrid diff --git a/latest/ug/nodes/hybrid-nodes-os.adoc b/latest/ug/nodes/hybrid-nodes-os.adoc index 6db6305ec..5a25aa83f 100644 --- a/latest/ug/nodes/hybrid-nodes-os.adoc +++ b/latest/ug/nodes/hybrid-nodes-os.adoc @@ -1,9 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[hybrid-nodes-os,hybrid-nodes-os.title]] = Prepare operating system for hybrid nodes -:info_doctype: section -:info_title: Prepare operating system for hybrid nodes :info_titleabbrev: Prepare operating system :keywords: on-premises, hybrid diff --git a/latest/ug/nodes/hybrid-nodes-prereqs.adoc b/latest/ug/nodes/hybrid-nodes-prereqs.adoc index 1bd3677c3..f9728cc94 100644 --- a/latest/ug/nodes/hybrid-nodes-prereqs.adoc +++ b/latest/ug/nodes/hybrid-nodes-prereqs.adoc @@ -1,9 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[hybrid-nodes-prereqs,hybrid-nodes-prereqs.title]] = Prerequisite setup for hybrid nodes -:info_doctype: section -:info_title: Prerequisite setup for hybrid nodes :info_titleabbrev: Prerequisites :keywords: on-premises prerequisites, hybrid prerequisites diff --git a/latest/ug/nodes/hybrid-nodes-proxy.adoc b/latest/ug/nodes/hybrid-nodes-proxy.adoc index fa4e74605..9fb812354 100644 --- a/latest/ug/nodes/hybrid-nodes-proxy.adoc +++ b/latest/ug/nodes/hybrid-nodes-proxy.adoc @@ -1,9 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[hybrid-nodes-proxy,hybrid-nodes-proxy.title]] = Configure proxy for hybrid nodes -:info_doctype: section -:info_title: Configure proxy for hybrid nodes :info_titleabbrev: Configure proxy :keywords: on-premises proxy, hybrid proxy diff --git a/latest/ug/nodes/hybrid-nodes-remove.adoc b/latest/ug/nodes/hybrid-nodes-remove.adoc index 0ada802c5..d2f69a483 100644 --- a/latest/ug/nodes/hybrid-nodes-remove.adoc +++ b/latest/ug/nodes/hybrid-nodes-remove.adoc @@ -1,9 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[hybrid-nodes-remove,hybrid-nodes-remove.title]] = Remove hybrid nodes -:info_doctype: section -:info_title: Delete hybrid nodes from your EKS cluster :info_titleabbrev: Delete hybrid nodes :keywords: Delete hybrid nodes from your EKS cluster diff --git a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc index 6ed4babe0..43a87a0d7 100644 --- a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc +++ b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc @@ -1,9 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[hybrid-nodes-troubleshooting,hybrid-nodes-troubleshooting.title]] = Troubleshooting hybrid nodes -:info_doctype: section -:info_title: Troubleshooting hybrid nodes :info_titleabbrev: Troubleshooting :keywords: on-premises, hybrid diff --git a/latest/ug/nodes/hybrid-nodes-tutorial.adoc b/latest/ug/nodes/hybrid-nodes-tutorial.adoc index a7c4b942a..33bd922fb 100644 --- a/latest/ug/nodes/hybrid-nodes-tutorial.adoc +++ b/latest/ug/nodes/hybrid-nodes-tutorial.adoc @@ -1,9 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[hybrid-nodes-tutorial,hybrid-nodes-tutorial.title]] = Run on-premises workloads on hybrid nodes -:info_doctype: section -:info_title: Run and manage hybrid nodes :info_titleabbrev: Run hybrid nodes :keywords: on-premises, hybrid diff --git a/latest/ug/nodes/hybrid-nodes-upgrade.adoc b/latest/ug/nodes/hybrid-nodes-upgrade.adoc index c1c884192..12ce65277 100644 --- a/latest/ug/nodes/hybrid-nodes-upgrade.adoc +++ b/latest/ug/nodes/hybrid-nodes-upgrade.adoc @@ -1,9 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[hybrid-nodes-upgrade,hybrid-nodes-upgrade.title]] = Upgrade hybrid nodes for your cluster -:info_doctype: section -:info_title: Upgrade hybrid nodes for your cluster :info_titleabbrev: Upgrade hybrid nodes :keywords: upgrade on-premises nodes, upgrade hybrid nodes diff --git a/latest/ug/nodes/hybrid-nodes.adoc b/latest/ug/nodes/hybrid-nodes.adoc index a596610e1..874f77edd 100644 --- a/latest/ug/nodes/hybrid-nodes.adoc +++ b/latest/ug/nodes/hybrid-nodes.adoc @@ -1,9 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[hybrid-nodes-overview,hybrid-nodes-overview.title]] = Amazon EKS Hybrid Nodes overview -:info_doctype: section -:info_title: Amazon EKS Hybrid Nodes overview :info_titleabbrev: Hybrid nodes :keywords: on-premises, hybrid diff --git a/latest/ug/nodes/launch-node-bottlerocket.adoc b/latest/ug/nodes/launch-node-bottlerocket.adoc index 732dca9b2..cafaad24d 100644 --- a/latest/ug/nodes/launch-node-bottlerocket.adoc +++ b/latest/ug/nodes/launch-node-bottlerocket.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[launch-node-bottlerocket,launch-node-bottlerocket.title]] diff --git a/latest/ug/nodes/launch-node-ubuntu.adoc b/latest/ug/nodes/launch-node-ubuntu.adoc index 4ad3cf064..7f103ceb6 100644 --- a/latest/ug/nodes/launch-node-ubuntu.adoc +++ b/latest/ug/nodes/launch-node-ubuntu.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[launch-node-ubuntu,launch-node-ubuntu.title]] diff --git a/latest/ug/nodes/launch-templates.adoc b/latest/ug/nodes/launch-templates.adoc index 1919066da..131718b3b 100644 --- a/latest/ug/nodes/launch-templates.adoc +++ b/latest/ug/nodes/launch-templates.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[launch-templates,launch-templates.title]] diff --git a/latest/ug/nodes/launch-windows-workers.adoc b/latest/ug/nodes/launch-windows-workers.adoc index 24b334685..12d3f5086 100644 --- a/latest/ug/nodes/launch-windows-workers.adoc +++ b/latest/ug/nodes/launch-windows-workers.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[launch-windows-workers,launch-windows-workers.title]] = Create self-managed [.noloc]`Microsoft Windows` nodes diff --git a/latest/ug/nodes/launch-workers.adoc b/latest/ug/nodes/launch-workers.adoc index 2156be5c7..ee5804df9 100644 --- a/latest/ug/nodes/launch-workers.adoc +++ b/latest/ug/nodes/launch-workers.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[launch-workers,launch-workers.title]] diff --git a/latest/ug/nodes/learn-status-conditions.adoc b/latest/ug/nodes/learn-status-conditions.adoc index 0cc8fa08f..070ab979f 100644 --- a/latest/ug/nodes/learn-status-conditions.adoc +++ b/latest/ug/nodes/learn-status-conditions.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[learn-status-conditions,learn-status-conditions.title]] = View the health status of your nodes diff --git a/latest/ug/nodes/managed-node-groups.adoc b/latest/ug/nodes/managed-node-groups.adoc index 5d5aa4509..98d71ec2b 100644 --- a/latest/ug/nodes/managed-node-groups.adoc +++ b/latest/ug/nodes/managed-node-groups.adoc @@ -1,9 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[managed-node-groups,managed-node-groups.title]] = Simplify node lifecycle with managed node groups -:info_doctype: section -:info_title: Simplify node lifecycle with managed node groups :info_titleabbrev: Managed node groups :keywords: managed node group, MNG diff --git a/latest/ug/nodes/managed-node-update-behavior.adoc b/latest/ug/nodes/managed-node-update-behavior.adoc index 8a9cff1cf..8b805bad1 100644 --- a/latest/ug/nodes/managed-node-update-behavior.adoc +++ b/latest/ug/nodes/managed-node-update-behavior.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[managed-node-update-behavior,managed-node-update-behavior.title]] diff --git a/latest/ug/nodes/migrate-stack.adoc b/latest/ug/nodes/migrate-stack.adoc index 67f5a5af5..02e3cb53e 100644 --- a/latest/ug/nodes/migrate-stack.adoc +++ b/latest/ug/nodes/migrate-stack.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[migrate-stack,migrate-stack.title]] diff --git a/latest/ug/nodes/monitoring-fargate-usage.adoc b/latest/ug/nodes/monitoring-fargate-usage.adoc index 3d6efa708..8660cc045 100644 --- a/latest/ug/nodes/monitoring-fargate-usage.adoc +++ b/latest/ug/nodes/monitoring-fargate-usage.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[monitoring-fargate-usage,monitoring-fargate-usage.title]] diff --git a/latest/ug/nodes/node-health.adoc b/latest/ug/nodes/node-health.adoc index d11d41ad9..6bade151c 100644 --- a/latest/ug/nodes/node-health.adoc +++ b/latest/ug/nodes/node-health.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[node-health,node-health.title]] = Enable node auto repair and investigate node health issues diff --git a/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc b/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc index d908e9041..b2586b9d5 100644 --- a/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc +++ b/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[retrieve-ami-id-bottlerocket,retrieve-ami-id-bottlerocket.title]] = Retrieve recommended [.noloc]`Bottlerocket` AMI IDs diff --git a/latest/ug/nodes/retrieve-ami-id.adoc b/latest/ug/nodes/retrieve-ami-id.adoc index 197fa8989..ebc394f67 100644 --- a/latest/ug/nodes/retrieve-ami-id.adoc +++ b/latest/ug/nodes/retrieve-ami-id.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[retrieve-ami-id,retrieve-ami-id.title]] = Retrieve recommended Amazon Linux AMI IDs diff --git a/latest/ug/nodes/retrieve-windows-ami-id.adoc b/latest/ug/nodes/retrieve-windows-ami-id.adoc index 861ca2632..797e78623 100644 --- a/latest/ug/nodes/retrieve-windows-ami-id.adoc +++ b/latest/ug/nodes/retrieve-windows-ami-id.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[retrieve-windows-ami-id,retrieve-windows-ami-id.title]] = Retrieve recommended [.noloc]`Microsoft Windows` AMI IDs diff --git a/latest/ug/nodes/self-managed-windows-server-2022.adoc b/latest/ug/nodes/self-managed-windows-server-2022.adoc index 4b339d382..e7e91970b 100644 --- a/latest/ug/nodes/self-managed-windows-server-2022.adoc +++ b/latest/ug/nodes/self-managed-windows-server-2022.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[self-managed-windows-server-2022,self-managed-windows-server-2022.title]] diff --git a/latest/ug/nodes/update-managed-node-group.adoc b/latest/ug/nodes/update-managed-node-group.adoc index caf056281..e794042f1 100644 --- a/latest/ug/nodes/update-managed-node-group.adoc +++ b/latest/ug/nodes/update-managed-node-group.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[update-managed-node-group,update-managed-node-group.title]] = Update a managed node group for your cluster diff --git a/latest/ug/nodes/update-stack.adoc b/latest/ug/nodes/update-stack.adoc index 122b92c79..9f0eb251a 100644 --- a/latest/ug/nodes/update-stack.adoc +++ b/latest/ug/nodes/update-stack.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[update-stack,update-stack.title]] diff --git a/latest/ug/nodes/update-workers.adoc b/latest/ug/nodes/update-workers.adoc index 2c7bff146..1ae0396ee 100644 --- a/latest/ug/nodes/update-workers.adoc +++ b/latest/ug/nodes/update-workers.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[update-workers,update-workers.title]] = Update self-managed nodes for your cluster diff --git a/latest/ug/nodes/worker.adoc b/latest/ug/nodes/worker.adoc index 8d258c791..cbebc4441 100644 --- a/latest/ug/nodes/worker.adoc +++ b/latest/ug/nodes/worker.adoc @@ -1,9 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[worker,worker.title]] = Maintain nodes yourself with self-managed nodes -:info_doctype: section -:info_title: Maintain nodes yourself with self-managed nodes :info_titleabbrev: Self-managed nodes :keywords: self-managed, node diff --git a/latest/ug/observability/cloudwatch.adoc b/latest/ug/observability/cloudwatch.adoc index f378cbaa9..0e86caad3 100644 --- a/latest/ug/observability/cloudwatch.adoc +++ b/latest/ug/observability/cloudwatch.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[cloudwatch,cloudwatch.title]] diff --git a/latest/ug/observability/control-plane-logs.adoc b/latest/ug/observability/control-plane-logs.adoc index 3b3d23029..705d3c6a8 100644 --- a/latest/ug/observability/control-plane-logs.adoc +++ b/latest/ug/observability/control-plane-logs.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[control-plane-logs,control-plane-logs.title]] = Send control plane logs to CloudWatch Logs -:info_doctype: section -:info_title: Send control plane logs to CloudWatch Logs :info_titleabbrev: Control plane logs :keywords: control plane, logging, API, logs diff --git a/latest/ug/observability/deploy-prometheus.adoc b/latest/ug/observability/deploy-prometheus.adoc index b7da384d2..e8e6f774d 100644 --- a/latest/ug/observability/deploy-prometheus.adoc +++ b/latest/ug/observability/deploy-prometheus.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[deploy-prometheus,deploy-prometheus.title]] diff --git a/latest/ug/observability/eks-observe.adoc b/latest/ug/observability/eks-observe.adoc index 404d8033e..b32e0f2bd 100644 --- a/latest/ug/observability/eks-observe.adoc +++ b/latest/ug/observability/eks-observe.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT + include::../attributes.txt[] [[eks-observe,eks-observe.title]] = Monitor your cluster performance and view logs @@ -10,8 +10,6 @@ include::../attributes.txt[] :idprefix: :idseparator: - :sourcedir: . -:info_doctype: chapter -:info_title: Monitor your cluster performance and view logs :info_titleabbrev: Monitor clusters :keywords: observability, monitoring, logging, logs, data diff --git a/latest/ug/observability/enable-asg-metrics.adoc b/latest/ug/observability/enable-asg-metrics.adoc index e8ec7789d..bddbc9e71 100644 --- a/latest/ug/observability/enable-asg-metrics.adoc +++ b/latest/ug/observability/enable-asg-metrics.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[enable-asg-metrics,enable-asg-metrics.title]] diff --git a/latest/ug/observability/logging-using-cloudtrail.adoc b/latest/ug/observability/logging-using-cloudtrail.adoc index 1e25386f9..412dce193 100644 --- a/latest/ug/observability/logging-using-cloudtrail.adoc +++ b/latest/ug/observability/logging-using-cloudtrail.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[logging-using-cloudtrail,logging-using-cloudtrail.title]] = Log API calls as {aws} CloudTrail events -:info_doctype: section -:info_title: Log API calls as {aws} CloudTrail events :info_titleabbrev: {aws} CloudTrail :keywords: logging, API calls, {aws} CloudTrail diff --git a/latest/ug/observability/observability-dashboard.adoc b/latest/ug/observability/observability-dashboard.adoc index 2a9375324..8c1ea5256 100644 --- a/latest/ug/observability/observability-dashboard.adoc +++ b/latest/ug/observability/observability-dashboard.adoc @@ -1,9 +1,8 @@ -//!!NODE_ROOT
        + [.topic] [[observability-dashboard,observability-dashboard.title]] = Monitor your cluster with the observability dashboard -:info_doctype: section :info_titleabbrev: Observability dashboard :keywords: observability, dashboard diff --git a/latest/ug/observability/opentelemetry.adoc b/latest/ug/observability/opentelemetry.adoc index 5f2b0a272..0d1a2c452 100644 --- a/latest/ug/observability/opentelemetry.adoc +++ b/latest/ug/observability/opentelemetry.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[opentelemetry,opentelemetry.title]] = Send metric and trace data with ADOT Operator -:info_doctype: section -:info_title: Send metric and trace data with ADOT Operator :info_titleabbrev: ADOT Operator :keywords: ADOT diff --git a/latest/ug/observability/prometheus.adoc b/latest/ug/observability/prometheus.adoc index 86da1041b..de2c02642 100644 --- a/latest/ug/observability/prometheus.adoc +++ b/latest/ug/observability/prometheus.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[prometheus,prometheus.title]] = Monitor your cluster metrics with [.noloc]`Prometheus` -:info_doctype: section -:info_title: Monitor your cluster metrics with Prometheus :info_titleabbrev: Prometheus metrics :keywords: Prometheus, metrics, control plane diff --git a/latest/ug/observability/service-name-info-in-cloudtrail.adoc b/latest/ug/observability/service-name-info-in-cloudtrail.adoc index a096de03b..a786aa15b 100644 --- a/latest/ug/observability/service-name-info-in-cloudtrail.adoc +++ b/latest/ug/observability/service-name-info-in-cloudtrail.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[service-name-info-in-cloudtrail,service-name-info-in-cloudtrail.title]] diff --git a/latest/ug/observability/understanding-service-name-entries.adoc b/latest/ug/observability/understanding-service-name-entries.adoc index f8b044d3b..ac6823ea1 100644 --- a/latest/ug/observability/understanding-service-name-entries.adoc +++ b/latest/ug/observability/understanding-service-name-entries.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[understanding-service-name-entries,understanding-service-name-entries.title]] diff --git a/latest/ug/observability/view-raw-metrics.adoc b/latest/ug/observability/view-raw-metrics.adoc index e373899bf..a55c765da 100644 --- a/latest/ug/observability/view-raw-metrics.adoc +++ b/latest/ug/observability/view-raw-metrics.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[view-raw-metrics,view-raw-metrics.title]] diff --git a/latest/ug/outposts/eks-outposts-capacity-considerations.adoc b/latest/ug/outposts/eks-outposts-capacity-considerations.adoc index a79039d99..178deca3e 100644 --- a/latest/ug/outposts/eks-outposts-capacity-considerations.adoc +++ b/latest/ug/outposts/eks-outposts-capacity-considerations.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts-local-cluster-create.adoc b/latest/ug/outposts/eks-outposts-local-cluster-create.adoc index fe3aeef13..af3ae128a 100644 --- a/latest/ug/outposts/eks-outposts-local-cluster-create.adoc +++ b/latest/ug/outposts/eks-outposts-local-cluster-create.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc b/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc index 5ebe6411e..82d436b40 100644 --- a/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc +++ b/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts-network-disconnects.adoc b/latest/ug/outposts/eks-outposts-network-disconnects.adoc index 330c3cf1b..da3a3af7b 100644 --- a/latest/ug/outposts/eks-outposts-network-disconnects.adoc +++ b/latest/ug/outposts/eks-outposts-network-disconnects.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts-platform-versions.adoc b/latest/ug/outposts/eks-outposts-platform-versions.adoc index 2f0828e2b..9dec767f5 100644 --- a/latest/ug/outposts/eks-outposts-platform-versions.adoc +++ b/latest/ug/outposts/eks-outposts-platform-versions.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc index d1f244369..1fd317aca 100644 --- a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc +++ b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[eks-outposts-self-managed-nodes,eks-outposts-self-managed-nodes.title]] = Create Amazon Linux nodes on {aws} Outposts -:info_doctype: section -:info_title: Create Amazon Linux nodes on {aws} Outposts :info_titleabbrev: Nodes :keywords: launch, start, self-managed, Linux, node diff --git a/latest/ug/outposts/eks-outposts-troubleshooting.adoc b/latest/ug/outposts/eks-outposts-troubleshooting.adoc index 5df0da231..592e11959 100644 --- a/latest/ug/outposts/eks-outposts-troubleshooting.adoc +++ b/latest/ug/outposts/eks-outposts-troubleshooting.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc b/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc index 801a99dc6..f7fa52a08 100644 --- a/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc +++ b/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts.adoc b/latest/ug/outposts/eks-outposts.adoc index 3ff1e013d..fdc4acfc7 100644 --- a/latest/ug/outposts/eks-outposts.adoc +++ b/latest/ug/outposts/eks-outposts.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT + include::../attributes.txt[] [[eks-outposts,eks-outposts.title]] = Deploy Amazon EKS on-premises with {aws} Outposts @@ -10,8 +10,6 @@ include::../attributes.txt[] :idprefix: :idseparator: - :sourcedir: . -:info_doctype: chapter -:info_title: Deploy Amazon EKS on-premises with {aws} Outposts :info_titleabbrev: Amazon EKS on {aws} Outposts :keywords: Amazon EKS, {aws} Outposts, extended clusters, local clusters diff --git a/latest/ug/quickstart.adoc b/latest/ug/quickstart.adoc index 841d034f0..864f22f6e 100644 --- a/latest/ug/quickstart.adoc +++ b/latest/ug/quickstart.adoc @@ -1,9 +1,7 @@ -//!!NODE_ROOT + [.topic] [[quickstart,quickstart.title]] = Quickstart: Deploy a web app and store data -:info_doctype: chapter -:info_title: Quickstart: Deploy a web app and store data :info_titleabbrev: Quickstart :keywords: quickstart, web, cluster diff --git a/latest/ug/related-projects.adoc b/latest/ug/related-projects.adoc index 8b559cd16..8e7c61156 100644 --- a/latest/ug/related-projects.adoc +++ b/latest/ug/related-projects.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT + include::attributes.txt[] [[related-projects,related-projects.title]] = Extend Amazon EKS capabilities with open source projects @@ -10,8 +10,6 @@ include::attributes.txt[] :idprefix: :idseparator: - :sourcedir: . -:info_doctype: chapter -:info_title: Extend Amazon EKS capabilities with open source projects :info_titleabbrev: Projects related to Amazon EKS [abstract] diff --git a/latest/ug/roadmap.adoc b/latest/ug/roadmap.adoc index a6f21585b..7a3eeaaa4 100644 --- a/latest/ug/roadmap.adoc +++ b/latest/ug/roadmap.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT + include::attributes.txt[] [.topic] [[roadmap,roadmap.title]] @@ -11,8 +11,6 @@ include::attributes.txt[] :idprefix: :idseparator: - :sourcedir: . -:info_doctype: chapter -:info_title: Learn about Amazon EKS new features and roadmap :info_titleabbrev: New features and roadmap [abstract] diff --git a/latest/ug/security/auto-security.adoc b/latest/ug/security/auto-security.adoc index ec163d415..a6cfae129 100644 --- a/latest/ug/security/auto-security.adoc +++ b/latest/ug/security/auto-security.adoc @@ -1,8 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[auto-security,auto-security.title]] = Security considerations for Amazon EKS Auto Mode -:info_doctype: section :info_titleabbrev: Considerations for EKS Auto include::../attributes.txt[] diff --git a/latest/ug/security/cert-signing.adoc b/latest/ug/security/cert-signing.adoc index e04c90f68..d18d81ee5 100644 --- a/latest/ug/security/cert-signing.adoc +++ b/latest/ug/security/cert-signing.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[cert-signing,cert-signing.title]] = Secure workloads with [.noloc]`Kubernetes` certificates diff --git a/latest/ug/security/compliance.adoc b/latest/ug/security/compliance.adoc index 41afe5093..cbc7d280a 100644 --- a/latest/ug/security/compliance.adoc +++ b/latest/ug/security/compliance.adoc @@ -1,9 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[compliance,compliance.title]] = Compliance validation for Amazon EKS clusters -:info_doctype: section -:info_title: Compliance validation for Amazon EKS clusters :info_titleabbrev: Validate compliance include::../attributes.txt[] diff --git a/latest/ug/security/configuration-vulnerability-analysis.adoc b/latest/ug/security/configuration-vulnerability-analysis.adoc index bc9880105..f188e0be9 100644 --- a/latest/ug/security/configuration-vulnerability-analysis.adoc +++ b/latest/ug/security/configuration-vulnerability-analysis.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[configuration-vulnerability-analysis,configuration-vulnerability-analysis.title]] = Analyze vulnerabilities in Amazon EKS diff --git a/latest/ug/security/default-roles-users.adoc b/latest/ug/security/default-roles-users.adoc index 0cb5878ca..0de9bdfd5 100644 --- a/latest/ug/security/default-roles-users.adoc +++ b/latest/ug/security/default-roles-users.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[default-roles-users,default-roles-users.title]] = Understand Amazon EKS created RBAC roles and users diff --git a/latest/ug/security/disaster-recovery-resiliency.adoc b/latest/ug/security/disaster-recovery-resiliency.adoc index de33547f8..631d56b80 100644 --- a/latest/ug/security/disaster-recovery-resiliency.adoc +++ b/latest/ug/security/disaster-recovery-resiliency.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[disaster-recovery-resiliency,disaster-recovery-resiliency.title]] = Understand resilience in Amazon EKS clusters diff --git a/latest/ug/security/enable-kms.adoc b/latest/ug/security/enable-kms.adoc index 314619f36..12872a3dc 100644 --- a/latest/ug/security/enable-kms.adoc +++ b/latest/ug/security/enable-kms.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[enable-kms,enable-kms.title]] = Encrypt Kubernetes secrets with {aws} KMS on existing clusters diff --git a/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc b/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc index be9ec9417..6df36a229 100644 --- a/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc +++ b/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[auto-cluster-iam-role,auto-cluster-iam-role.title]] = Amazon EKS Auto Mode cluster IAM role diff --git a/latest/ug/security/iam-reference/auto-create-node-role.adoc b/latest/ug/security/iam-reference/auto-create-node-role.adoc index 69cc82bb8..fc63ba242 100644 --- a/latest/ug/security/iam-reference/auto-create-node-role.adoc +++ b/latest/ug/security/iam-reference/auto-create-node-role.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[auto-create-node-role,auto-create-node-role.title]] = Amazon EKS Auto Mode node IAM role diff --git a/latest/ug/security/iam-reference/cluster-iam-role.adoc b/latest/ug/security/iam-reference/cluster-iam-role.adoc index 24951b62b..7963969f0 100644 --- a/latest/ug/security/iam-reference/cluster-iam-role.adoc +++ b/latest/ug/security/iam-reference/cluster-iam-role.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[cluster-iam-role,cluster-iam-role.title]] = Amazon EKS cluster IAM role diff --git a/latest/ug/security/iam-reference/connector-iam-role.adoc b/latest/ug/security/iam-reference/connector-iam-role.adoc index 7fb902c99..f09545c40 100644 --- a/latest/ug/security/iam-reference/connector-iam-role.adoc +++ b/latest/ug/security/iam-reference/connector-iam-role.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[connector-iam-role,connector-iam-role.title]] = Amazon EKS connector IAM role diff --git a/latest/ug/security/iam-reference/create-node-role.adoc b/latest/ug/security/iam-reference/create-node-role.adoc index cf39d636c..0cc47cf9d 100644 --- a/latest/ug/security/iam-reference/create-node-role.adoc +++ b/latest/ug/security/iam-reference/create-node-role.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[create-node-role,create-node-role.title]] = Amazon EKS node IAM role diff --git a/latest/ug/security/iam-reference/pod-execution-role.adoc b/latest/ug/security/iam-reference/pod-execution-role.adoc index 38f5efb33..a1400e478 100644 --- a/latest/ug/security/iam-reference/pod-execution-role.adoc +++ b/latest/ug/security/iam-reference/pod-execution-role.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[pod-execution-role,pod-execution-role.title]] = Amazon EKS [.noloc]`Pod` execution IAM role diff --git a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc index b853d34d6..b8a45d280 100644 --- a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc +++ b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../../attributes.txt[] [.topic] [[security-iam-awsmanpol,security-iam-awsmanpol.title]] diff --git a/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc b/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc index d5b151735..668d1a43b 100644 --- a/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc +++ b/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[security-iam-id-based-policy-examples,security-iam-id-based-policy-examples.title]] = Amazon EKS identity-based policy examples diff --git a/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc b/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc index 30837bf64..edd89caec 100644 --- a/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc +++ b/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[security-iam-service-with-iam,security-iam-service-with-iam.title]] = How Amazon EKS works with IAM diff --git a/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc b/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc index 6087b2c7f..5422a51c3 100644 --- a/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc +++ b/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[security-iam-troubleshoot,security-iam-troubleshoot.title]] = Troubleshooting IAM diff --git a/latest/ug/security/iam-reference/security-iam.adoc b/latest/ug/security/iam-reference/security-iam.adoc index 63f8b3b3a..ddde0a048 100644 --- a/latest/ug/security/iam-reference/security-iam.adoc +++ b/latest/ug/security/iam-reference/security-iam.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[security-iam,security-iam.title]] = Identity and access management for Amazon EKS diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc index e7f4387b8..76761b6ab 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[using-service-linked-roles-eks-connector,using-service-linked-roles-eks-connector.title]] = Using roles to connect a [.noloc]`Kubernetes` cluster to Amazon EKS diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc index c302b5205..1b1b3e2c7 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[using-service-linked-roles-eks-fargate,using-service-linked-roles-eks-fargate.title]] = Using roles for Amazon EKS Fargate profiles diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc index 5f82452fd..6027b48a8 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[using-service-linked-roles-eks-nodegroups,using-service-linked-roles-eks-nodegroups.title]] = Using roles for Amazon EKS node groups diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc index cd2c268be..904cba19c 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[using-service-linked-roles-eks-outpost,using-service-linked-roles-eks-outpost.title]] = Using roles for Amazon EKS local clusters on Outpost diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc index cc9838a47..d525f510d 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[using-service-linked-roles-eks,using-service-linked-roles-eks.title]] = Using roles for Amazon EKS clusters diff --git a/latest/ug/security/iam-reference/using-service-linked-roles.adoc b/latest/ug/security/iam-reference/using-service-linked-roles.adoc index ffb7f4a59..b89a30bd8 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[using-service-linked-roles,using-service-linked-roles.title]] = Using service-linked roles for Amazon EKS diff --git a/latest/ug/security/infrastructure-security.adoc b/latest/ug/security/infrastructure-security.adoc index e618b6200..3f033a558 100644 --- a/latest/ug/security/infrastructure-security.adoc +++ b/latest/ug/security/infrastructure-security.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[infrastructure-security,infrastructure-security.title]] = Infrastructure security in Amazon EKS diff --git a/latest/ug/security/manage-secrets.adoc b/latest/ug/security/manage-secrets.adoc index e3b2a246d..df1dd5822 100644 --- a/latest/ug/security/manage-secrets.adoc +++ b/latest/ug/security/manage-secrets.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] diff --git a/latest/ug/security/pod-security-policy-removal-faq.adoc b/latest/ug/security/pod-security-policy-removal-faq.adoc index 8cac9d46d..ad979e673 100644 --- a/latest/ug/security/pod-security-policy-removal-faq.adoc +++ b/latest/ug/security/pod-security-policy-removal-faq.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[pod-security-policy-removal-faq,pod-security-policy-removal-faq.title]] = Migrate from legacy [.noloc]`Pod` security policies (PSP) diff --git a/latest/ug/security/pod-security-policy.adoc b/latest/ug/security/pod-security-policy.adoc index 58c3d790a..d22314850 100644 --- a/latest/ug/security/pod-security-policy.adoc +++ b/latest/ug/security/pod-security-policy.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[pod-security-policy,pod-security-policy.title]] = Understand Amazon EKS created [.noloc]`Pod` security policies [.noloc]`(PSP)` diff --git a/latest/ug/security/security-best-practices.adoc b/latest/ug/security/security-best-practices.adoc index 94ce58b1a..bde84244f 100644 --- a/latest/ug/security/security-best-practices.adoc +++ b/latest/ug/security/security-best-practices.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[security-best-practices,security-best-practices.title]] = Secure Amazon EKS clusters with best practices diff --git a/latest/ug/security/security-eks.adoc b/latest/ug/security/security-eks.adoc index 79b200a9d..e37f338b4 100644 --- a/latest/ug/security/security-eks.adoc +++ b/latest/ug/security/security-eks.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[security-eks,security-eks.title]] = Security considerations for Amazon Elastic Kubernetes Service diff --git a/latest/ug/security/security-k8s.adoc b/latest/ug/security/security-k8s.adoc index 59bcabb53..45cf53569 100644 --- a/latest/ug/security/security-k8s.adoc +++ b/latest/ug/security/security-k8s.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[security-k8s,security-k8s.title]] = Security considerations for [.noloc]`Kubernetes` diff --git a/latest/ug/security/security.adoc b/latest/ug/security/security.adoc index 7aaa03700..71ca45cfd 100644 --- a/latest/ug/security/security.adoc +++ b/latest/ug/security/security.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT + [.topic] [[security,security.title]] = Security in Amazon EKS @@ -10,7 +10,6 @@ :idprefix: :idseparator: - :sourcedir: . -:info_doctype: chapter :info_titleabbrev: Security include::../attributes.txt[] diff --git a/latest/ug/security/vpc-interface-endpoints.adoc b/latest/ug/security/vpc-interface-endpoints.adoc index 8752cccfd..61e1c3af6 100644 --- a/latest/ug/security/vpc-interface-endpoints.adoc +++ b/latest/ug/security/vpc-interface-endpoints.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] diff --git a/latest/ug/storage/csi-snapshot-controller.adoc b/latest/ug/storage/csi-snapshot-controller.adoc index 9eae9a683..2a0472902 100644 --- a/latest/ug/storage/csi-snapshot-controller.adoc +++ b/latest/ug/storage/csi-snapshot-controller.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[csi-snapshot-controller,csi-snapshot-controller.title]] = Enable snapshot functionality for CSI volumes -:info_doctype: section -:info_title: Enable snapshot functionality for CSI volumes :info_titleabbrev: CSI snapshot controller :keywords: CSI, snapshot, controller diff --git a/latest/ug/storage/ebs-csi-migration-faq.adoc b/latest/ug/storage/ebs-csi-migration-faq.adoc index 626605e43..2140cca47 100644 --- a/latest/ug/storage/ebs-csi-migration-faq.adoc +++ b/latest/ug/storage/ebs-csi-migration-faq.adoc @@ -1,12 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[ebs-csi-migration-faq,ebs-csi-migration-faq.title]] = Amazon EBS CSI migration frequently asked questions -:info_doctype: section -:info_title: Amazon EBS CSI migration frequently asked \ - questions :info_titleabbrev: EBS CSI migration FAQ :keywords: Amazon EBS CSI driver, storage, CSI migration diff --git a/latest/ug/storage/ebs-csi.adoc b/latest/ug/storage/ebs-csi.adoc index be4310bbb..df702c5bf 100644 --- a/latest/ug/storage/ebs-csi.adoc +++ b/latest/ug/storage/ebs-csi.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[ebs-csi,ebs-csi.title]] = Store [.noloc]`Kubernetes` volumes with Amazon EBS -:info_doctype: section -:info_title: Store Kubernetes volumes with Amazon EBS :info_titleabbrev: Amazon EBS :keywords: Amazon EBS CSI driver, storage diff --git a/latest/ug/storage/efs-csi.adoc b/latest/ug/storage/efs-csi.adoc index f4c150c45..765c48d6a 100644 --- a/latest/ug/storage/efs-csi.adoc +++ b/latest/ug/storage/efs-csi.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[efs-csi,efs-csi.title]] = Store an elastic file system with Amazon EFS diff --git a/latest/ug/storage/file-cache-csi.adoc b/latest/ug/storage/file-cache-csi.adoc index 9105079a8..b86f1330b 100644 --- a/latest/ug/storage/file-cache-csi.adoc +++ b/latest/ug/storage/file-cache-csi.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[file-cache-csi,file-cache-csi.title]] = Minimize latency with Amazon File Cache -:info_doctype: section -:info_title: Minimize latency with Amazon File Cache :info_titleabbrev: Amazon File Cache :keywords: Amazon File Cache CSI driver, storage diff --git a/latest/ug/storage/fsx-csi.adoc b/latest/ug/storage/fsx-csi.adoc index 6fc9b2a86..af9fbca8a 100644 --- a/latest/ug/storage/fsx-csi.adoc +++ b/latest/ug/storage/fsx-csi.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[fsx-csi,fsx-csi.title]] = Store high-performance apps with FSx for Lustre -:info_doctype: section -:info_title: Store high-performance apps with FSx for Lustre :info_titleabbrev: Amazon FSx for Lustre :keywords: Amazon FSx for Lustre CSI driver, storage diff --git a/latest/ug/storage/fsx-ontap.adoc b/latest/ug/storage/fsx-ontap.adoc index 9115d2fc7..1a8aaa4cf 100644 --- a/latest/ug/storage/fsx-ontap.adoc +++ b/latest/ug/storage/fsx-ontap.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[fsx-ontap,fsx-ontap.title]] = Store high-performance apps with FSx for NetApp ONTAP -:info_doctype: section -:info_title: Store high-performance apps with FSx for NetApp ONTAP :info_titleabbrev: Amazon FSx for NetApp ONTAP :keywords: Amazon FSx for NetApp ONTAP CSI driver, storage diff --git a/latest/ug/storage/fsx-openzfs-csi.adoc b/latest/ug/storage/fsx-openzfs-csi.adoc index de0448a68..b4e90e266 100644 --- a/latest/ug/storage/fsx-openzfs-csi.adoc +++ b/latest/ug/storage/fsx-openzfs-csi.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[fsx-openzfs-csi,fsx-openzfs-csi.title]] = Store data using Amazon FSx for OpenZFS -:info_doctype: section -:info_title: Store data using Amazon FSx for OpenZFS :info_titleabbrev: Amazon FSx for OpenZFS :keywords: Amazon FSx for OpenZFS CSI driver, storage diff --git a/latest/ug/storage/s3-csi.adoc b/latest/ug/storage/s3-csi.adoc index 7a0f8bc48..ee2707c63 100644 --- a/latest/ug/storage/s3-csi.adoc +++ b/latest/ug/storage/s3-csi.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[s3-csi,s3-csi.title]] = Access Amazon S3 objects with Mountpoint for Amazon S3 CSI driver -:info_doctype: section -:info_title: Access Amazon S3 objects with Mountpoint for Amazon S3 CSI driver :info_titleabbrev: Mountpoint for Amazon S3 :keywords: Mountpoint for Amazon S3 CSI driver, storage diff --git a/latest/ug/storage/storage.adoc b/latest/ug/storage/storage.adoc index a1c45264e..4838b188a 100644 --- a/latest/ug/storage/storage.adoc +++ b/latest/ug/storage/storage.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT + include::../attributes.txt[] [[storage,storage.title]] = Store application data for your cluster @@ -10,8 +10,6 @@ include::../attributes.txt[] :idprefix: :idseparator: - :sourcedir: . -:info_doctype: chapter -:info_title: Store application data for your cluster :info_titleabbrev: Store app data :keywords: persistent, data, app, storage diff --git a/latest/ug/troubleshooting/troubleshooting.adoc b/latest/ug/troubleshooting/troubleshooting.adoc index 054a6a8dc..a105aa872 100644 --- a/latest/ug/troubleshooting/troubleshooting.adoc +++ b/latest/ug/troubleshooting/troubleshooting.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT + [[troubleshooting,troubleshooting.title]] = Troubleshoot problems with Amazon EKS clusters and nodes :doctype: book @@ -9,8 +9,6 @@ :idprefix: :idseparator: - :sourcedir: . -:info_doctype: chapter -:info_title: Troubleshoot problems with Amazon EKS clusters and nodes :info_titleabbrev: Troubleshooting :keywords: troubleshooting, help, FAQ diff --git a/latest/ug/what-is/common-use-cases.adoc b/latest/ug/what-is/common-use-cases.adoc index ad6497389..01e3d2fa7 100644 --- a/latest/ug/what-is/common-use-cases.adoc +++ b/latest/ug/what-is/common-use-cases.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[common-use-cases,common-use-cases.title]] = Common use cases in Amazon EKS -:info_doctype: section -:info_title: Common use cases in Amazon EKS :info_titleabbrev: Common use cases :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, use cases, summary, description diff --git a/latest/ug/what-is/eks-architecture.adoc b/latest/ug/what-is/eks-architecture.adoc index e2f0c090c..7351641b0 100644 --- a/latest/ug/what-is/eks-architecture.adoc +++ b/latest/ug/what-is/eks-architecture.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[eks-architecture,eks-architecture.title]] = Amazon EKS architecture -:info_doctype: section -:info_title: Amazon EKS architecture :info_titleabbrev: Architecture :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, architecture, control plane, nodes, data plane diff --git a/latest/ug/what-is/eks-deployment-options.adoc b/latest/ug/what-is/eks-deployment-options.adoc index 7419467ec..0705a23b1 100644 --- a/latest/ug/what-is/eks-deployment-options.adoc +++ b/latest/ug/what-is/eks-deployment-options.adoc @@ -1,9 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[eks-deployment-options,eks-deployment-options.title]] = Deploy Amazon EKS clusters across cloud and on-premises environments -:info_doctype: section -:info_title: Deploy Amazon EKS clusters across cloud and on-premises environments :info_titleabbrev: Deployment options :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, deployment, options, comparison diff --git a/latest/ug/what-is/kubernetes-concepts.adoc b/latest/ug/what-is/kubernetes-concepts.adoc index a79f04349..b428e8744 100644 --- a/latest/ug/what-is/kubernetes-concepts.adoc +++ b/latest/ug/what-is/kubernetes-concepts.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[kubernetes-concepts,kubernetes-concepts.title]] = [.noloc]`Kubernetes` concepts -:info_doctype: section -:info_title: Kubernetes concepts :info_titleabbrev: Kubernetes concepts :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, architecture, control plane, nodes, data plane diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index 14ded8db4..1cc587416 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT + include::../attributes.txt[] [.topic] [[what-is-eks,what-is-eks.title]] @@ -11,8 +11,6 @@ include::../attributes.txt[] :idprefix: :idseparator: - :sourcedir: . -:info_doctype: chapter -:info_title: What is Amazon EKS? :info_titleabbrev: What is Amazon EKS? :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, about, summary, description diff --git a/latest/ug/workloads/add-ons-iam.adoc b/latest/ug/workloads/add-ons-iam.adoc index 79e807814..d06c5bef7 100644 --- a/latest/ug/workloads/add-ons-iam.adoc +++ b/latest/ug/workloads/add-ons-iam.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[add-ons-iam,add-ons-iam.title]] = IAM roles for Amazon EKS add-ons diff --git a/latest/ug/workloads/add-ons-images.adoc b/latest/ug/workloads/add-ons-images.adoc index 9266005ea..3afa72152 100644 --- a/latest/ug/workloads/add-ons-images.adoc +++ b/latest/ug/workloads/add-ons-images.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[add-ons-images,add-ons-images.title]] = View Amazon container image registries for Amazon EKS add-ons diff --git a/latest/ug/workloads/addon-compat.adoc b/latest/ug/workloads/addon-compat.adoc index 0c874a011..d77415923 100644 --- a/latest/ug/workloads/addon-compat.adoc +++ b/latest/ug/workloads/addon-compat.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[addon-compat,addon-compat.title]] diff --git a/latest/ug/workloads/addon-id-troubleshoot.adoc b/latest/ug/workloads/addon-id-troubleshoot.adoc index 24686340f..beac36b9b 100644 --- a/latest/ug/workloads/addon-id-troubleshoot.adoc +++ b/latest/ug/workloads/addon-id-troubleshoot.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[addon-id-troubleshoot,addon-id-troubleshoot.title]] = Troubleshoot Pod Identities for EKS add-ons diff --git a/latest/ug/workloads/alb-ingress.adoc b/latest/ug/workloads/alb-ingress.adoc index b95e0a718..23d40635f 100644 --- a/latest/ug/workloads/alb-ingress.adoc +++ b/latest/ug/workloads/alb-ingress.adoc @@ -1,9 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[alb-ingress,alb-ingress.title]] = Route application and [.noloc]`HTTP` traffic with [.noloc]`Application Load Balancers` -:info_doctype: section -:info_title: Route application and HTTP traffic with Application Load Balancers :info_titleabbrev: Application load balancing include::../attributes.txt[] diff --git a/latest/ug/workloads/community-addons.adoc b/latest/ug/workloads/community-addons.adoc index 6172eae11..ea79b399e 100644 --- a/latest/ug/workloads/community-addons.adoc +++ b/latest/ug/workloads/community-addons.adoc @@ -1,8 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[community-addons,community-addons.title]] = Community add-ons -:info_doctype: section include::../attributes.txt[] diff --git a/latest/ug/workloads/copy-image-to-repository.adoc b/latest/ug/workloads/copy-image-to-repository.adoc index 2e05fd705..02e8f2fc4 100644 --- a/latest/ug/workloads/copy-image-to-repository.adoc +++ b/latest/ug/workloads/copy-image-to-repository.adoc @@ -1,12 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[copy-image-to-repository,copy-image-to-repository.title]] = Copy a container image from one repository to another repository -:info_doctype: section -:info_title: Copy a container image from one repository to \ - another repository :info_titleabbrev: Copy an image to a repository This topic describes how to pull a container image from a repository that your nodes don't have access to and push the image to a repository that your nodes have access to. You can push the image to Amazon ECR or an alternative repository that your nodes have access to. diff --git a/latest/ug/workloads/creating-an-add-on.adoc b/latest/ug/workloads/creating-an-add-on.adoc index 67171b934..dad22cc4c 100644 --- a/latest/ug/workloads/creating-an-add-on.adoc +++ b/latest/ug/workloads/creating-an-add-on.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[creating-an-add-on,creating-an-add-on.title]] diff --git a/latest/ug/workloads/eks-add-ons.adoc b/latest/ug/workloads/eks-add-ons.adoc index 8de8312a3..bfad5782c 100644 --- a/latest/ug/workloads/eks-add-ons.adoc +++ b/latest/ug/workloads/eks-add-ons.adoc @@ -1,10 +1,8 @@ -//!!NODE_ROOT
        + [.topic] [[eks-add-ons,eks-add-ons.title]] = Amazon EKS add-ons -:info_doctype: section -:info_title: Amazon EKS add-ons :info_titleabbrev: Amazon EKS add-ons :keywords: managed, add-ons, plugins diff --git a/latest/ug/workloads/eks-workloads.adoc b/latest/ug/workloads/eks-workloads.adoc index 4a7e965a2..3d2c83b8d 100644 --- a/latest/ug/workloads/eks-workloads.adoc +++ b/latest/ug/workloads/eks-workloads.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT + include::../attributes.txt[] [[eks-workloads,eks-workloads.title]] = Learn how to deploy workloads and add-ons to Amazon EKS @@ -10,8 +10,6 @@ include::../attributes.txt[] :idprefix: :idseparator: - :sourcedir: . -:info_doctype: chapter -:info_title: Learn how to deploy workloads and add-ons to Amazon EKS :info_titleabbrev: Workloads Your workloads are deployed in containers, which are deployed in [.noloc]`Pods` in [.noloc]`Kubernetes`. A [.noloc]`Pod` includes one or more containers. Typically, one or more [.noloc]`Pods` that provide the same service are deployed in a [.noloc]`Kubernetes` service. Once you've deployed multiple [.noloc]`Pods` that provide the same service, you can: diff --git a/latest/ug/workloads/horizontal-pod-autoscaler.adoc b/latest/ug/workloads/horizontal-pod-autoscaler.adoc index 3b36a46d8..02901bb02 100644 --- a/latest/ug/workloads/horizontal-pod-autoscaler.adoc +++ b/latest/ug/workloads/horizontal-pod-autoscaler.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[horizontal-pod-autoscaler,horizontal-pod-autoscaler.title]] = Scale pod deployments with [.noloc]`Horizontal Pod Autoscaler` -:info_doctype: section -:info_title: Scale pod deployments with Horizontal Pod Autoscaler :info_titleabbrev: Horizontal Pod Autoscaler [abstract] diff --git a/latest/ug/workloads/image-verification.adoc b/latest/ug/workloads/image-verification.adoc index 54868bf88..976ac0714 100644 --- a/latest/ug/workloads/image-verification.adoc +++ b/latest/ug/workloads/image-verification.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[image-verification,image-verification.title]] = Validate container image signatures during deployment -:info_doctype: section -:info_title: Validate container image signatures during deployment :info_titleabbrev: Verify container images [abstract] diff --git a/latest/ug/workloads/kubernetes-field-management.adoc b/latest/ug/workloads/kubernetes-field-management.adoc index d59cee57d..33cdcaa3c 100644 --- a/latest/ug/workloads/kubernetes-field-management.adoc +++ b/latest/ug/workloads/kubernetes-field-management.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[kubernetes-field-management,kubernetes-field-management.title]] = Determine fields you can customize for Amazon EKS add-ons diff --git a/latest/ug/workloads/network-load-balancing.adoc b/latest/ug/workloads/network-load-balancing.adoc index 34f203875..00954bf34 100644 --- a/latest/ug/workloads/network-load-balancing.adoc +++ b/latest/ug/workloads/network-load-balancing.adoc @@ -1,9 +1,7 @@ -//!!NODE_ROOT
        + [.topic] [[network-load-balancing,network-load-balancing.title]] = Route [.noloc]`TCP` and [.noloc]`UDP` traffic with [.noloc]`Network Load Balancers` -:info_doctype: section -:info_title: Route TCP and UDP traffic with Network Load Balancers :info_titleabbrev: Network load balancing include::../attributes.txt[] diff --git a/latest/ug/workloads/remove-addon-role.adoc b/latest/ug/workloads/remove-addon-role.adoc index c2ec0d41b..a7a641e0b 100644 --- a/latest/ug/workloads/remove-addon-role.adoc +++ b/latest/ug/workloads/remove-addon-role.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[remove-addon-role,remove-addon-role.title]] = Remove Pod Identity associations from an Amazon EKS add-on diff --git a/latest/ug/workloads/removing-an-addon.adoc b/latest/ug/workloads/removing-an-addon.adoc index e8026954d..8d1b58c12 100644 --- a/latest/ug/workloads/removing-an-addon.adoc +++ b/latest/ug/workloads/removing-an-addon.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[removing-an-add-on,removing-an-add-on.title]] diff --git a/latest/ug/workloads/restrict-service-external-ip.adoc b/latest/ug/workloads/restrict-service-external-ip.adoc index 6e4e860d5..067ab824a 100644 --- a/latest/ug/workloads/restrict-service-external-ip.adoc +++ b/latest/ug/workloads/restrict-service-external-ip.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[restrict-service-external-ip,restrict-service-external-ip.title]] = Restrict external IP addresses that can be assigned to services diff --git a/latest/ug/workloads/retreive-iam-info.adoc b/latest/ug/workloads/retreive-iam-info.adoc index 44d154d2e..c8e34f0c7 100644 --- a/latest/ug/workloads/retreive-iam-info.adoc +++ b/latest/ug/workloads/retreive-iam-info.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[retreive-iam-info,retreive-iam-info.title]] = Retrieve IAM information about an Amazon EKS add-on diff --git a/latest/ug/workloads/sample-deployment-windows.adoc b/latest/ug/workloads/sample-deployment-windows.adoc index 9d595b197..116e8dd6a 100644 --- a/latest/ug/workloads/sample-deployment-windows.adoc +++ b/latest/ug/workloads/sample-deployment-windows.adoc @@ -1,10 +1,8 @@ -//!!NODE_ROOT
        + [.topic] [[sample-deployment-win,sample-deployment-win.title]] = Deploy a sample application on Windows -:info_doctype: section -:info_title: Deploy a sample application on Windows :info_titleabbrev: Sample application deployment (Windows) include::../attributes.txt[] diff --git a/latest/ug/workloads/sample-deployment.adoc b/latest/ug/workloads/sample-deployment.adoc index d1c011335..c402cb0a5 100644 --- a/latest/ug/workloads/sample-deployment.adoc +++ b/latest/ug/workloads/sample-deployment.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + [.topic] [[sample-deployment,sample-deployment.title]] = Deploy a sample application on Linux -:info_doctype: section -:info_title: Deploy a sample application on Linux :info_titleabbrev: Sample application deployment (Linux) include::../attributes.txt[] diff --git a/latest/ug/workloads/update-addon-role.adoc b/latest/ug/workloads/update-addon-role.adoc index 2210c3f46..5a106d037 100644 --- a/latest/ug/workloads/update-addon-role.adoc +++ b/latest/ug/workloads/update-addon-role.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[update-addon-role,update-addon-role.title]] = Use Pod Identities to assign an IAM role to an Amazon EKS add-on diff --git a/latest/ug/workloads/updating-an-add-on.adoc b/latest/ug/workloads/updating-an-add-on.adoc index 56f8714e1..f61d5b517 100644 --- a/latest/ug/workloads/updating-an-add-on.adoc +++ b/latest/ug/workloads/updating-an-add-on.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + [.topic] [[updating-an-add-on,updating-an-add-on.title]] diff --git a/latest/ug/workloads/vertical-pod-autoscaler.adoc b/latest/ug/workloads/vertical-pod-autoscaler.adoc index bf07a97a8..a93ba71f2 100644 --- a/latest/ug/workloads/vertical-pod-autoscaler.adoc +++ b/latest/ug/workloads/vertical-pod-autoscaler.adoc @@ -1,11 +1,9 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] [.topic] [[vertical-pod-autoscaler,vertical-pod-autoscaler.title]] = Adjust pod resources with [.noloc]`Vertical Pod Autoscaler` -:info_doctype: section -:info_title: Adjust pod resources with Vertical Pod Autoscaler :info_titleabbrev: Vertical Pod Autoscaler [abstract] diff --git a/latest/ug/workloads/workloads-add-ons-available-eks.adoc b/latest/ug/workloads/workloads-add-ons-available-eks.adoc index 4ff6f0c89..8476aa54b 100644 --- a/latest/ug/workloads/workloads-add-ons-available-eks.adoc +++ b/latest/ug/workloads/workloads-add-ons-available-eks.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] diff --git a/latest/ug/workloads/workloads-add-ons-available-vendors.adoc b/latest/ug/workloads/workloads-add-ons-available-vendors.adoc index cb0604fd0..b1bce2593 100644 --- a/latest/ug/workloads/workloads-add-ons-available-vendors.adoc +++ b/latest/ug/workloads/workloads-add-ons-available-vendors.adoc @@ -1,4 +1,4 @@ -//!!NODE_ROOT
        + include::../attributes.txt[] From f9480b3481f2e61b44c825eb221c623d706cd877 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Thu, 23 Jan 2025 14:21:41 -0600 Subject: [PATCH 046/940] publish kubernetes 1.32 cr: https://code.amazon.com/reviews/CR-173776189 --- .../kubernetes-versions-standard.adoc | 49 ++++++++++++ latest/ug/clusters/kubernetes-versions.adoc | 7 +- latest/ug/clusters/platform-versions.adoc | 20 ++++- latest/ug/clusters/windows-support.adoc | 33 +-------- latest/ug/doc-history.adoc | 7 ++ .../aws-access/service-accounts.adoc | 46 +----------- latest/ug/networking/managing-coredns.adoc | 1 + latest/ug/networking/managing-kube-proxy.adoc | 2 + latest/ug/networking/managing-vpc-cni.adoc | 1 + latest/ug/nodes/eks-ami-versions-windows.adoc | 74 +++++++++++++++++++ latest/ug/observability/cloudwatch.adoc | 23 +----- .../observability-dashboard.adoc | 22 +----- latest/ug/observability/opentelemetry.adoc | 5 +- latest/ug/observability/prometheus.adoc | 5 +- latest/ug/observability/view-raw-metrics.adoc | 24 +----- 15 files changed, 170 insertions(+), 149 deletions(-) diff --git a/latest/ug/clusters/kubernetes-versions-standard.adoc b/latest/ug/clusters/kubernetes-versions-standard.adoc index ff068c9a9..38eff8932 100644 --- a/latest/ug/clusters/kubernetes-versions-standard.adoc +++ b/latest/ug/clusters/kubernetes-versions-standard.adoc @@ -18,8 +18,57 @@ This topic gives important changes to be aware of for each [.noloc]`Kubernetes` ==== For `1.24` and later clusters, officially published Amazon EKS AMIs include `containerd` as the only runtime. [.noloc]`Kubernetes` versions earlier than `1.24` use [.noloc]`Docker` as the default runtime. These versions have a bootstrap flag option that you can use to test out your workloads on any supported cluster with `containerd`. For more information, see <>. +==== + +[[kubernetes-1.32,kubernetes-1.32.title]] +== [.noloc]`Kubernetes` 1.32 +[.noloc]`Kubernetes` `1.32` is now available in Amazon EKS. For more information about [.noloc]`Kubernetes` `1.32`, see the https://kubernetes.io/blog/2024/12/13/kubernetes-v1-32-release/[official release announcement]. + +[IMPORTANT] ==== +* The `flowcontrol.apiserver.k8s.io/v1beta3` API version of FlowSchema and PriorityLevelConfiguration has been removed in `v1.32`. If you are using these APIs, you must update your configurations to use the latest supported version before upgrading. + +* ServiceAccount `metadata.annotations[kubernetes.io/enforce-mountable-secrets]` has been deprecated in `v1.32` and will be removed in a future Kubernetes minor version release. It is recommended to use separate namespaces to isolate access to mounted secrets. + +* Kubernetes version 1.32 is the last version for which Amazon EKS will release Amazon Linux 2 (AL2) AMIs. From v1.33 onwards, Amazon EKS will continue to release Amazon Linux 2023 (AL2023) and Bottlerocket based AMIs. + +==== + +* The Memory Manager feature has graduated to Generally Available (GA) status in Kubernetes `v1.32`. This enhancement provides more efficient and predictable memory allocation for containerized applications, particularly beneficial for workloads with specific memory requirements. + +* PersistentVolumeClaims (PVCs) created by StatefulSets now include automatic cleanup functionality. When PVCs are no longer needed, they will be automatically deleted while maintaining data persistence during StatefulSet updates and node maintenance operations. This feature simplifies storage management and helps prevent orphaned PVCs in your cluster. + +* Custom Resource Field Selector functionality has been introduced, allowing developers to add field selectors to custom resources. This feature provides the same filtering capabilities available for built-in Kubernetes objects to custom resources, enabling more precise and efficient resource filtering and promoting better API design practices. + +For the complete [.noloc]`Kubernetes` `1.32` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.32.md + +=== Anonymous authentication changes + +Starting with Amazon EKS `1.32`, anonymous authentication is restricted to the following API server health check endpoints: + +* `/healthz` +* `/livez` +* `/readyz` + +Requests to any other endpoint using the `system:unauthenticated` user will receive a `401 Unauthorized` HTTP response. This security enhancement helps prevent unintended cluster access that could occur due to misconfigured RBAC policies. + +[NOTE] +==== +The `public-info-viewer` RBAC role continues to apply for the health check endpoints listed above. +==== + +=== Amazon Linux 2 AMI deprecation + +For Kubernetes versions 1.33 and later, EKS will not provide pre-built optimized Amazon Linux 2 (AL2) Amazon Machine Images (AMIs). + +{aws} suggests adopting EKS Auto Mode, or migrating to a more recent operating system, such as Amazon Linux 2023 (AL2023) or Bottlerocket. + +- <> +- <> +- <> + +NOTE: This update applies to EKS-optimized AL2 AMIs. For more information about the operating system itself, see link:https://aws.amazon.com/amazon-linux-2/faqs/["Amazon Linux 2 FAQs", type="marketing"] [[kubernetes-1.31,kubernetes-1.31.title]] diff --git a/latest/ug/clusters/kubernetes-versions.adoc b/latest/ug/clusters/kubernetes-versions.adoc index 821497361..e0fc98e24 100644 --- a/latest/ug/clusters/kubernetes-versions.adoc +++ b/latest/ug/clusters/kubernetes-versions.adoc @@ -32,7 +32,7 @@ video::_dJdAZ_J_jw[youtube,align = center,height = 405,fileref = https://www.you The following [.noloc]`Kubernetes` versions are currently available in Amazon EKS standard support: - +* `1.32` * `1.31` * `1.30` * `1.29` @@ -73,6 +73,11 @@ Dates with only a month and a year are approximate and are updated with an exact |End of standard support |End of extended support +|`1.32` +|December 11, 2024 +|January 23, 2025 +|March 23, 2026 +|March 23, 2027 |`1.31` |August 13, 2024 diff --git a/latest/ug/clusters/platform-versions.adoc b/latest/ug/clusters/platform-versions.adoc index 1f9a12245..98da5740c 100644 --- a/latest/ug/clusters/platform-versions.adoc +++ b/latest/ug/clusters/platform-versions.adoc @@ -34,11 +34,29 @@ The current and recent Amazon EKS platform versions are described in the followi ==== +[[platform-versions-1.32,platform-versions-1.32.title]] +== [.noloc]`Kubernetes` version `1.32` + +The following admission controllers are enabled for all `1.32` platform versions: `NodeRestriction`, `ExtendedResourceToleration`, `NamespaceLifecycle`, `LimitRanger`, `ServiceAccount`, `TaintNodesByCondition`, `PodSecurity`, `Priority`, `DefaultTolerationSeconds`, `DefaultStorageClass`, `StorageObjectInUseProtection`, `PersistentVolumeClaimResize`, `RuntimeClass`, `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `MutatingAdmissionWebhook`, `ValidatingAdmissionWebhook`, `ResourceQuota`. + +[cols="1,1,1,1", options="header"] +|=== +| Kubernetes version +| EKS platform version +| Release notes +| Release date + +| `1.31.0` +| `eks.2` +| Initial release of Kubernetes version `1.32` for EKS. For more information, see <>. +| January 2025 + +|=== [[platform-versions-1.31,platform-versions-1.31.title]] == [.noloc]`Kubernetes` version `1.31` -The following admission controllers are enabled for all `1.31` platform versions: `NodeRestriction`, `ExtendedResourceToleration`, `NamespaceLifecycle`, `LimitRanger`, `ServiceAccount`, `TaintNodesByCondition`, `PodSecurity`, `Priority`, `DefaultTolerationSeconds`, `DefaultStorageClass`, `StorageObjectInUseProtection`, `PersistentVolumeClaimResize`, `RuntimeClass`, `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `MutatingAdmissionWebhook`, `ValidatingAdmissionWebhook`, `ResourceQuota`. +The following admission controllers are enabled for all `1.31` platform versions: `NodeRestriction`, `ExtendedResourceToleration`, `NamespaceLifecycle`, `LimitRanger`, `ServiceAccount`, `TaintNodesByCondition`, `PodSecurity`, `Priority`, `DefaultTolerationSeconds`, `DefaultStorageClass`, `StorageObjectInUseProtection`, `PersistentVolumeClaimResize`, `RuntimeClass`, `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `MutatingAdmissionWebhook`, `ValidatingAdmissionWebhook`, `ResourceQuota`, `ObjectCount`. [cols="1,1,1,1", options="header"] |=== diff --git a/latest/ug/clusters/windows-support.adoc b/latest/ug/clusters/windows-support.adoc index 0b6233d82..774f797b9 100644 --- a/latest/ug/clusters/windows-support.adoc +++ b/latest/ug/clusters/windows-support.adoc @@ -32,38 +32,7 @@ Before deploying [.noloc]`Windows` nodes, be aware of the following consideratio * If preserving your available IPv4 addresses is crucial for your subnet, refer to https://aws.github.io/aws-eks-best-practices/windows/docs/networking/#ip-address-management[EKS Best Practices Guide - Windows Networking IP Address Management] for guidance. -* An existing cluster. The cluster must be running one of the [.noloc]`Kubernetes` versions and platform versions listed in the following table. Any [.noloc]`Kubernetes` and platform versions later than those listed are also supported. -+ -[[windows-support-platform-versions]] -[cols="1,1", options="header"] -|=== -|Kubernetes version -|Platform version - -|1.31 -|eks.4 - -|1.30 -|eks.2 - -|1.29 -|eks.1 - -|1.28 -|eks.1 - -|1.27 -|eks.1 - -|1.26 -|eks.1 - -|1.25 -|eks.1 - -|1.24 -|eks.2 -|=== +* An existing cluster. * Your cluster must have at least one (we recommend at least two) [.noloc]`Linux` node or Fargate [.noloc]`Pod` to run [.noloc]`CoreDNS`. If you enable legacy [.noloc]`Windows` support, you must use a [.noloc]`Linux` node (you can't use a Fargate [.noloc]`Pod`) to run [.noloc]`CoreDNS`. * An existing <>. diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index fe7a8af0e..b8b112a0d 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -27,6 +27,13 @@ The following table describes the major updates and new features for the Amazon [.updates] == Updates +[.update,date="2025-01-23"] +=== [.noloc]`Kubernetes` version `1.32` +[.update-ulink] +https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1.32 + +Added [.noloc]`Kubernetes` version `1.32` support for new clusters and version upgrades. + [.update,date="2025-01-14"] === Amazon EKS {aws} Region expansion Amazon EKS is now available in the Asia Pacific (Thailand) Region (`ap-southeast-7`) and Mexico (Central) (`mx-central-1`) {aws} Regions. EKS Auto Mode and VPC Endpoints for the EKS API aren't available in either Region. diff --git a/latest/ug/manage-access/aws-access/service-accounts.adoc b/latest/ug/manage-access/aws-access/service-accounts.adoc index becdbbc5d..adb2fa28f 100644 --- a/latest/ug/manage-access/aws-access/service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/service-accounts.adoc @@ -1608,51 +1608,7 @@ Service Account: my-service-account [[configure-sts-endpoint,configure-sts-endpoint.title]] === Configure the {aws} Security Token Service endpoint for a service account -If you're using a [.noloc]`Kubernetes` service account with <>, then you can configure the type of {aws} Security Token Service endpoint that's used by the service account if your cluster and platform version are the same or later than those listed in the following table. If your [.noloc]`Kubernetes` or platform version are earlier than those listed in the table, then your service accounts can only use the global endpoint. - -[cols="1,1,1", options="header"] -|=== -|Kubernetes version -|Platform version -|Default endpoint type - - -|`1.31` -|`eks.4` -|Regional - -|`1.30` -|`eks.2` -|Regional - -|`1.29` -|`eks.1` -|Regional - -|`1.28` -|`eks.1` -|Regional - -|`1.27` -|`eks.1` -|Regional - -|`1.26` -|`eks.1` -|Regional - -|`1.25` -|`eks.1` -|Regional - -|`1.24` -|`eks.2` -|Regional - -|`1.23` -|`eks.1` -|Regional -|=== +If you're using a [.noloc]`Kubernetes` service account with <>, then you can configure the type of {aws} Security Token Service endpoint that's used by the service account if your cluster and platform version are the same or later than those listed in the following table. {aws} recommends using the regional {aws} STS endpoints instead of the global endpoint. This reduces latency, provides built-in redundancy, and increases session token validity. The {aws} Security Token Service must be active in the {aws} Region where the [.noloc]`Pod` is running. Moreover, your application must have built-in redundancy for a different {aws} Region in the event of a failure of the service in the {aws} Region. For more information, see link:IAM/latest/UserGuide/id_credentials_temp_enable-regions.html[Managing {aws} STS in an {aws} Region,type="documentation"] in the IAM User Guide. diff --git a/latest/ug/networking/managing-coredns.adoc b/latest/ug/networking/managing-coredns.adoc index 754be5b8f..747ddf57b 100644 --- a/latest/ug/networking/managing-coredns.adoc +++ b/latest/ug/networking/managing-coredns.adoc @@ -38,6 +38,7 @@ The following table lists the latest version of the Amazon EKS add-on type for e [options="header"] |=== | Kubernetes version | [.noloc]`CoreDNS` version +| 1.32 | v1.11.4-eksbuild.2 | 1.31 | v1.11.4-eksbuild.2 | 1.30 | v1.11.4-eksbuild.2 | 1.29 | v1.11.4-eksbuild.2 diff --git a/latest/ug/networking/managing-kube-proxy.adoc b/latest/ug/networking/managing-kube-proxy.adoc index a607d7e15..b255cb1fd 100644 --- a/latest/ug/networking/managing-kube-proxy.adoc +++ b/latest/ug/networking/managing-kube-proxy.adoc @@ -38,6 +38,8 @@ The following table lists the latest version of the Amazon EKS add-on type for e [options="header"] |=== | Kubernetes version | `kube-proxy` version +| 1.32 | v1.32.0-minimal-eksbuild.2 +| 1.31 | v1.31.3-eksbuild.2 | 1.31 | v1.31.3-eksbuild.2 | 1.30 | v1.30.7-eksbuild.2 | 1.29 | v1.29.11-eksbuild.2 diff --git a/latest/ug/networking/managing-vpc-cni.adoc b/latest/ug/networking/managing-vpc-cni.adoc index 0ce7b1178..067ba4177 100644 --- a/latest/ug/networking/managing-vpc-cni.adoc +++ b/latest/ug/networking/managing-vpc-cni.adoc @@ -48,6 +48,7 @@ The following table lists the latest available version of the Amazon EKS add-on [options="header"] |=== | Kubernetes version | Amazon EKS type of VPC CNI version +| 1.32 | v1.19.2-eksbuild.1 | 1.31 | v1.19.0-eksbuild.1 | 1.30 | v1.19.0-eksbuild.1 | 1.29 | v1.19.0-eksbuild.1 diff --git a/latest/ug/nodes/eks-ami-versions-windows.adoc b/latest/ug/nodes/eks-ami-versions-windows.adoc index 6e9af85db..7b2a5a88b 100644 --- a/latest/ug/nodes/eks-ami-versions-windows.adoc +++ b/latest/ug/nodes/eks-ami-versions-windows.adoc @@ -42,6 +42,23 @@ The following tables list the current and previous versions of the Amazon EKS op ==== [role="tablist"] +*[.noloc]`Kubernetes` version [.noloc]`1.32`*:: ++ +[cols="1,1,1,1,1", options="header"] +|=== +|AMI version +|kubelet version +|containerd version +|csi-proxy version +|Release notes + +|`1.32-2025-01-15` +|`1.32.0` +|`1.7.20` +|`1.1.3` +| +|=== + *[.noloc]`Kubernetes` version [.noloc]`1.31`*:: + [cols="1,1,1,1,1", options="header"] @@ -1104,6 +1121,25 @@ The following tables list the current and previous versions of the Amazon EKS op ==== [role="tablist"] +*[.noloc]`Kubernetes` version [.noloc]`1.32`*:: ++ +[cols="1,1,1,1,1", options="header"] +|=== +|AMI version +|kubelet version +|containerd version +|csi-proxy version +|Release notes + +|`1.32-2025-01-01` +|`1.32.0` +|`1.7.20` +|`1.1.3` +| + +|=== + + *[.noloc]`Kubernetes` version [.noloc]`1.31`*:: + [cols="1,1,1,1,1", options="header"] @@ -2173,6 +2209,25 @@ The following tables list the current and previous versions of the Amazon EKS op ==== [role="tablist"] +*[.noloc]`Kubernetes` version [.noloc]`1.32`*:: ++ +[cols="1,1,1,1,1", options="header"] +|=== +|AMI version +|kubelet version +|containerd version +|csi-proxy version +|Release notes + +|`1.32-2025-01-15` +|`1.32.4` +|`1.7.20` +|`1.1.3` +| + + +|=== + *[.noloc]`Kubernetes` version [.noloc]`1.31`*:: + [cols="1,1,1,1,1", options="header"] @@ -3242,6 +3297,25 @@ The following tables list the current and previous versions of the Amazon EKS op ==== [role="tablist"] +*[.noloc]`Kubernetes` version [.noloc]`1.32`*:: ++ +[cols="1,1,1,1,1", options="header"] +|=== +|AMI version +|kubelet version +|containerd version +|csi-proxy version +|Release notes + +|`1.32-2025-01-15` +|`1.32.0` +|`1.7.20` +|`1.1.3` +| + +|=== + + *[.noloc]`Kubernetes` version [.noloc]`1.31`*:: + [cols="1,1,1,1,1", options="header"] diff --git a/latest/ug/observability/cloudwatch.adoc b/latest/ug/observability/cloudwatch.adoc index 0e86caad3..8f28a0c37 100644 --- a/latest/ug/observability/cloudwatch.adoc +++ b/latest/ug/observability/cloudwatch.adoc @@ -18,28 +18,7 @@ Amazon CloudWatch is a monitoring service that collects metrics and logs from yo [[cloudwatch-basic-metrics,cloudwatch-basic-metrics.title]] == Basic metrics in Amazon CloudWatch -For new clusters that are [.noloc]`Kubernetes` version `1.28` and above, you get CloudWatch vended metrics for free in the `AWS/EKS` namespace. Basic metrics are also available for existing clusters that have a platform version that is the same or later compared to the following table. - -[cols="1,1", options="header"] -|=== -|Kubernetes version -|Platform version - -|`1.31` -|`eks.12` - -|`1.30` -|`eks.20` - -|`1.29` -|`eks.23` - -|`1.28` -|`eks.29` - -|=== - -The following table gives a list of the basic metrics that are available for the supported versions. Every metric listed has a frequency of one minute. +For clusters that are [.noloc]`Kubernetes` version `1.28` and above, you get CloudWatch vended metrics for free in the `AWS/EKS` namespace. The following table gives a list of the basic metrics that are available for the supported versions. Every metric listed has a frequency of one minute. [cols="1,1,1,1,1,1", options="header"] |=== diff --git a/latest/ug/observability/observability-dashboard.adoc b/latest/ug/observability/observability-dashboard.adoc index 8c1ea5256..b4d1ce582 100644 --- a/latest/ug/observability/observability-dashboard.adoc +++ b/latest/ug/observability/observability-dashboard.adoc @@ -1,5 +1,3 @@ - - [.topic] [[observability-dashboard,observability-dashboard.title]] = Monitor your cluster with the observability dashboard @@ -36,26 +34,8 @@ The *Control plane monitoring* tab is divided into three sections, each of which [[observability-metrics,observability-metrics.title]] === Metrics -The *Metrics* section shows graphs of several metrics gathered for various control plane components. This specific feature is only available for new clusters and previous clusters with a platform version that is the same or later compared to the following table. - -[cols="1,1", options="header"] -|=== -|Kubernetes version -|Platform version -|`1.31` -|`eks.12` - -|`1.30` -|`eks.20` - -|`1.29` -|`eks.23` - -|`1.28` -|`eks.29` - -|=== +For clusters that are [.noloc]`Kubernetes` version `1.28` and above, the *Metrics* section shows graphs of several metrics gathered for various control plane components. You can set the time period used by the X-axis of every graph by making selections at the top of the section. You can refresh data with the refresh button ( ↻ ). For each separate graph, the vertical ellipses button ( ⋮ ) opens a menu with options from CloudWatch. diff --git a/latest/ug/observability/opentelemetry.adoc b/latest/ug/observability/opentelemetry.adoc index 0d1a2c452..e584004c8 100644 --- a/latest/ug/observability/opentelemetry.adoc +++ b/latest/ug/observability/opentelemetry.adoc @@ -1,12 +1,11 @@ - -include::../attributes.txt[] - [.topic] [[opentelemetry,opentelemetry.title]] = Send metric and trace data with ADOT Operator :info_titleabbrev: ADOT Operator :keywords: ADOT +include::../attributes.txt[] + [abstract] -- The {aws} Distro for OpenTelemetry (ADOT) Operator makes it easier to enable your applications running on Amazon EKS to send metric and trace data to multiple monitoring service options. diff --git a/latest/ug/observability/prometheus.adoc b/latest/ug/observability/prometheus.adoc index de2c02642..29cc247a4 100644 --- a/latest/ug/observability/prometheus.adoc +++ b/latest/ug/observability/prometheus.adoc @@ -1,12 +1,11 @@ - -include::../attributes.txt[] - [.topic] [[prometheus,prometheus.title]] = Monitor your cluster metrics with [.noloc]`Prometheus` :info_titleabbrev: Prometheus metrics :keywords: Prometheus, metrics, control plane +include::../attributes.txt[] + [abstract] -- This topic explains how to deploy [.noloc]`Prometheus` and some of the ways that you can use it to view and analyze what your cluster is doing. diff --git a/latest/ug/observability/view-raw-metrics.adoc b/latest/ug/observability/view-raw-metrics.adoc index a55c765da..bf68ccf00 100644 --- a/latest/ug/observability/view-raw-metrics.adoc +++ b/latest/ug/observability/view-raw-metrics.adoc @@ -1,10 +1,11 @@ - include::../attributes.txt[] [.topic] [[view-raw-metrics,view-raw-metrics.title]] = Fetch control plane raw metrics in [.noloc]`Prometheus` format :info_titleabbrev: Control plane +include::../attributes.txt[] + [abstract] -- The [.noloc]`Kubernetes` control plane exposes a number of metrics that are represented in a [.noloc]`Prometheus` format. @@ -62,26 +63,7 @@ This raw output returns verbatim what the API server exposes. [[fetch-metrics-prometheus,fetch-metrics-prometheus.title]] == Fetch control plane metrics with `metrics.eks.amazonaws.com` -For new clusters that are [.noloc]`Kubernetes` version `1.28` and above, Amazon EKS also exposes metrics under the API group `metrics.eks.amazonaws.com`. These metrics include control plane components such as `kube-scheduler` and `kube-controller-manager`. These metrics are also available for existing clusters that have a platform version that is the same or later compared to the following table. - -[cols="1,1", options="header"] -|=== -|Kubernetes version -|Platform version - -|`1.31` -|`eks.10` - -|`1.30` -|`eks.18` - -|`1.29` -|`eks.21` - -|`1.28` -|`eks.27` - -|=== +For clusters that are [.noloc]`Kubernetes` version `1.28` and above, Amazon EKS also exposes metrics under the API group `metrics.eks.amazonaws.com`. These metrics include control plane components such as `kube-scheduler` and `kube-controller-manager`. [NOTE] ==== From ce1de4601392d5057011806edc96aab91d2941a8 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Thu, 23 Jan 2025 23:15:16 +0000 Subject: [PATCH 047/940] 1.32 --- latest/ug/clusters/kubernetes-versions-standard.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/clusters/kubernetes-versions-standard.adoc b/latest/ug/clusters/kubernetes-versions-standard.adoc index 38eff8932..af4a28927 100644 --- a/latest/ug/clusters/kubernetes-versions-standard.adoc +++ b/latest/ug/clusters/kubernetes-versions-standard.adoc @@ -68,7 +68,7 @@ For Kubernetes versions 1.33 and later, EKS will not provide pre-built optimized - <> - <> -NOTE: This update applies to EKS-optimized AL2 AMIs. For more information about the operating system itself, see link:https://aws.amazon.com/amazon-linux-2/faqs/["Amazon Linux 2 FAQs", type="marketing"] +NOTE: This update applies to EKS-optimized AL2 AMIs. For more information about the operating system itself, see link:amazon-linux-2/faqs/[Amazon Linux 2 FAQs,type="marketing"]. [[kubernetes-1.31,kubernetes-1.31.title]] From ceed203ee2fb58d90ec9a376699df36ede01a01c Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Thu, 23 Jan 2025 23:34:44 +0000 Subject: [PATCH 048/940] Removed empty lines at start of files. --- latest/ug/automode/api-reference.adoc | 1 - latest/ug/automode/associate-workload.adoc | 2 -- latest/ug/automode/auto-configure-alb.adoc | 1 - latest/ug/automode/auto-configure-nlb.adoc | 1 - latest/ug/automode/auto-disable.adoc | 1 - latest/ug/automode/auto-elb-example.adoc | 2 -- latest/ug/automode/auto-enable-existing.adoc | 2 -- latest/ug/automode/auto-glossary.adoc | 1 - latest/ug/automode/auto-learn-iam.adoc | 2 -- latest/ug/automode/auto-migrate-karpenter.adoc | 1 - latest/ug/automode/auto-migrate-mng.adoc | 2 -- latest/ug/automode/auto-mng.adoc | 2 -- latest/ug/automode/auto-net-pol.adoc | 1 - latest/ug/automode/auto-networking.adoc | 1 - latest/ug/automode/auto-reference.adoc | 1 - latest/ug/automode/auto-troubleshoot.adoc | 2 -- latest/ug/automode/auto-upgrade.adoc | 1 - latest/ug/automode/auto-workloads.adoc | 1 - latest/ug/automode/automode-get-started-cli.adoc | 2 -- latest/ug/automode/automode-get-started-console.adoc | 2 -- latest/ug/automode/automode-get-started-eksctl.adoc | 2 -- latest/ug/automode/automode-learn-instances.adoc | 2 -- latest/ug/automode/automode-workload.adoc | 2 -- latest/ug/automode/automode.adoc | 2 -- latest/ug/automode/create-auto.adoc | 1 - latest/ug/automode/create-node-class.adoc | 2 -- latest/ug/automode/create-node-pool.adoc | 1 - latest/ug/automode/create-storage-class.adoc | 1 - latest/ug/automode/critical-workload.adoc | 1 - latest/ug/automode/migrate-auto.adoc | 1 - latest/ug/automode/old/hpa_scaling.adoc | 2 -- latest/ug/automode/sample-storage-workload.adoc | 2 -- latest/ug/automode/set-builtin-node-pools.adoc | 1 - latest/ug/automode/settings-auto.adoc | 1 - latest/ug/automode/troubleshoot-lbc.adoc | 1 - latest/ug/automode/wip.adoc | 1 - latest/ug/automode/wip/create-vpc-console.adoc | 1 - latest/ug/automode/wip/eksctl-docs.adoc | 1 - latest/ug/automode/wip/tag-subnets.adoc | 1 - latest/ug/book.adoc | 1 - latest/ug/clusters/autoscaling.adoc | 1 - latest/ug/clusters/cluster-endpoint.adoc | 1 - latest/ug/clusters/cluster-insights.adoc | 1 - latest/ug/clusters/clusters.adoc | 1 - latest/ug/clusters/create-cluster-auto.adoc | 2 -- latest/ug/clusters/create-cluster.adoc | 2 -- latest/ug/clusters/delete-cluster.adoc | 1 - latest/ug/clusters/disable-windows-support.adoc | 1 - latest/ug/clusters/kubernetes-versions-extended.adoc | 1 - latest/ug/clusters/kubernetes-versions-standard.adoc | 2 -- latest/ug/clusters/kubernetes-versions.adoc | 2 -- .../clusters/management/cost-monitoring-kubecost-bundles.adoc | 1 - latest/ug/clusters/management/cost-monitoring-kubecost.adoc | 1 - latest/ug/clusters/management/cost-monitoring.adoc | 3 --- latest/ug/clusters/management/eks-managing.adoc | 1 - latest/ug/clusters/management/eks-using-tags.adoc | 1 - latest/ug/clusters/management/helm.adoc | 1 - latest/ug/clusters/management/metrics-server.adoc | 1 - latest/ug/clusters/management/service-quotas.adoc | 1 - latest/ug/clusters/platform-versions.adoc | 2 -- latest/ug/clusters/private-clusters.adoc | 1 - latest/ug/clusters/update-cluster.adoc | 2 -- latest/ug/clusters/windows-support.adoc | 1 - latest/ug/clusters/zone-shift-enable.adoc | 1 - latest/ug/clusters/zone-shift.adoc | 1 - latest/ug/connector/connecting-cluster.adoc | 1 - latest/ug/connector/connector-grant-access.adoc | 1 - latest/ug/connector/deregister-connected-cluster.adoc | 1 - latest/ug/connector/eks-connector.adoc | 1 - latest/ug/connector/security-connector.adoc | 1 - latest/ug/connector/troubleshooting-connector.adoc | 1 - latest/ug/connector/tsc-faq.adoc | 1 - latest/ug/doc-history.adoc | 2 -- latest/ug/getting-started/getting-started-automode.adoc | 1 - latest/ug/getting-started/getting-started-eksctl.adoc | 1 - latest/ug/getting-started/getting-started.adoc | 1 - latest/ug/getting-started/install-awscli.adoc | 1 - latest/ug/getting-started/install-kubectl.adoc | 3 --- latest/ug/getting-started/learn-eks.adoc | 1 - latest/ug/getting-started/setting-up.adoc | 1 - .../integrations/creating-resources-with-cloudformation.adoc | 1 - latest/ug/integrations/eks-integrations.adoc | 1 - latest/ug/integrations/integration-detective.adoc | 1 - latest/ug/integrations/integration-guardduty.adoc | 1 - latest/ug/integrations/integration-resilience-hub.adoc | 1 - latest/ug/integrations/integration-securitylake.adoc | 1 - latest/ug/integrations/integration-vpc-lattice.adoc | 1 - latest/ug/integrations/local-zones.adoc | 1 - latest/ug/manage-access/aws-access/service-accounts.adoc | 1 - latest/ug/manage-access/cluster-auth.adoc | 1 - latest/ug/manage-access/create-kubeconfig.adoc | 1 - latest/ug/manage-access/k8s-access/access-entries.adoc | 2 -- latest/ug/manage-access/k8s-access/access-policies.adoc | 2 -- .../ug/manage-access/k8s-access/access-policy-reference.adoc | 2 -- latest/ug/manage-access/k8s-access/auth-configmap.adoc | 2 -- .../k8s-access/authenticate-oidc-identity-provider.adoc | 2 -- .../k8s-access/disassociate-oidc-identity-provider.adoc | 2 -- latest/ug/manage-access/k8s-access/grant-k8s-access.adoc | 3 --- .../ug/manage-access/k8s-access/migrating-access-entries.adoc | 3 --- latest/ug/manage-access/view-kubernetes-resources.adoc | 1 - latest/ug/ml/capacity-blocks-mng.adoc | 1 - latest/ug/ml/capacity-blocks.adoc | 1 - latest/ug/ml/inferentia-support.adoc | 1 - latest/ug/ml/machine-learning-on-eks.adoc | 1 - latest/ug/ml/ml-eks-optimized-ami.adoc | 1 - latest/ug/ml/ml-eks-windows-optimized-ami.adoc | 1 - latest/ug/ml/ml-get-started.adoc | 2 -- latest/ug/ml/ml-prepare-for-cluster.adoc | 2 -- latest/ug/ml/ml-tutorials.adoc | 2 -- latest/ug/ml/node-efa.adoc | 1 - latest/ug/ml/node-taints-managed-node-groups.adoc | 1 - latest/ug/networking/alternate-cni-plugins.adoc | 1 - latest/ug/networking/aws-load-balancer-controller.adoc | 1 - latest/ug/networking/cni-custom-network-tutorial.adoc | 1 - latest/ug/networking/cni-custom-network.adoc | 1 - latest/ug/networking/cni-iam-role.adoc | 1 - latest/ug/networking/cni-increase-ip-addresses-procedure.adoc | 1 - latest/ug/networking/cni-increase-ip-addresses.adoc | 1 - latest/ug/networking/cni-ipv6.adoc | 1 - latest/ug/networking/cni-network-policy-configure.adoc | 1 - latest/ug/networking/cni-network-policy.adoc | 1 - latest/ug/networking/coredns-add-on-create.adoc | 1 - latest/ug/networking/coredns-add-on-self-managed-update.adoc | 1 - latest/ug/networking/coredns-add-on-update.adoc | 1 - latest/ug/networking/coredns-autoscaling.adoc | 1 - latest/ug/networking/coredns-metrics.adoc | 1 - latest/ug/networking/creating-a-vpc.adoc | 1 - latest/ug/networking/deploy-ipv6-cluster.adoc | 1 - latest/ug/networking/eks-networking-add-ons.adoc | 1 - latest/ug/networking/eks-networking.adoc | 1 - latest/ug/networking/external-snat.adoc | 1 - .../ug/networking/kube-proxy-add-on-self-managed-update.adoc | 1 - latest/ug/networking/lbc-helm.adoc | 1 - latest/ug/networking/lbc-manifest.adoc | 1 - latest/ug/networking/lbc-remove.adoc | 1 - latest/ug/networking/managing-coredns.adoc | 1 - latest/ug/networking/managing-kube-proxy.adoc | 1 - latest/ug/networking/managing-vpc-cni.adoc | 1 - latest/ug/networking/network-policies-troubleshooting.adoc | 1 - latest/ug/networking/network-policy-disable.adoc | 1 - latest/ug/networking/network-policy-stars-demo.adoc | 1 - latest/ug/networking/network-reqs.adoc | 1 - latest/ug/networking/pod-multiple-network-interfaces.adoc | 1 - latest/ug/networking/pod-networking-use-cases.adoc | 1 - latest/ug/networking/sec-group-reqs.adoc | 1 - latest/ug/networking/security-groups-for-pods.adoc | 1 - latest/ug/networking/security-groups-pods-deployment.adoc | 1 - latest/ug/networking/sg-pods-example-deployment.adoc | 1 - latest/ug/networking/vpc-add-on-create.adoc | 1 - latest/ug/networking/vpc-add-on-self-managed-update.adoc | 1 - latest/ug/networking/vpc-add-on-update.adoc | 1 - latest/ug/nodes/al2023.adoc | 1 - latest/ug/nodes/auto-get-logs.adoc | 1 - latest/ug/nodes/bottlerocket-compliance-support.adoc | 1 - latest/ug/nodes/choosing-instance-type.adoc | 1 - latest/ug/nodes/create-managed-node-group.adoc | 1 - latest/ug/nodes/delete-fargate-profile.adoc | 1 - latest/ug/nodes/delete-managed-node-group.adoc | 1 - latest/ug/nodes/dockershim-deprecation.adoc | 1 - latest/ug/nodes/eks-ami-build-scripts.adoc | 1 - latest/ug/nodes/eks-ami-versions-bottlerocket.adoc | 1 - latest/ug/nodes/eks-ami-versions-windows.adoc | 1 - latest/ug/nodes/eks-compute.adoc | 1 - latest/ug/nodes/eks-custom-ami-windows.adoc | 1 - latest/ug/nodes/eks-linux-ami-versions.adoc | 1 - latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc | 1 - latest/ug/nodes/eks-optimized-ami.adoc | 1 - latest/ug/nodes/eks-optimized-amis.adoc | 1 - latest/ug/nodes/eks-optimized-windows-ami.adoc | 1 - latest/ug/nodes/eks-partner-amis.adoc | 1 - latest/ug/nodes/fargate-getting-started.adoc | 1 - latest/ug/nodes/fargate-logging.adoc | 1 - latest/ug/nodes/fargate-pod-configuration.adoc | 2 -- latest/ug/nodes/fargate-pod-patching.adoc | 1 - latest/ug/nodes/fargate-profile.adoc | 1 - latest/ug/nodes/fargate.adoc | 1 - latest/ug/nodes/hybrid-nodes-add-ons.adoc | 1 - latest/ug/nodes/hybrid-nodes-cluster-create.adoc | 1 - latest/ug/nodes/hybrid-nodes-cluster-prep.adoc | 1 - latest/ug/nodes/hybrid-nodes-cni.adoc | 1 - latest/ug/nodes/hybrid-nodes-creds.adoc | 1 - latest/ug/nodes/hybrid-nodes-join.adoc | 1 - latest/ug/nodes/hybrid-nodes-networking.adoc | 1 - latest/ug/nodes/hybrid-nodes-nodeadm.adoc | 1 - latest/ug/nodes/hybrid-nodes-os.adoc | 1 - latest/ug/nodes/hybrid-nodes-prereqs.adoc | 1 - latest/ug/nodes/hybrid-nodes-proxy.adoc | 1 - latest/ug/nodes/hybrid-nodes-remove.adoc | 1 - latest/ug/nodes/hybrid-nodes-troubleshooting.adoc | 1 - latest/ug/nodes/hybrid-nodes-tutorial.adoc | 1 - latest/ug/nodes/hybrid-nodes-upgrade.adoc | 1 - latest/ug/nodes/hybrid-nodes.adoc | 1 - latest/ug/nodes/launch-node-bottlerocket.adoc | 1 - latest/ug/nodes/launch-node-ubuntu.adoc | 1 - latest/ug/nodes/launch-templates.adoc | 1 - latest/ug/nodes/launch-windows-workers.adoc | 1 - latest/ug/nodes/launch-workers.adoc | 1 - latest/ug/nodes/learn-status-conditions.adoc | 1 - latest/ug/nodes/managed-node-groups.adoc | 1 - latest/ug/nodes/managed-node-update-behavior.adoc | 1 - latest/ug/nodes/migrate-stack.adoc | 1 - latest/ug/nodes/monitoring-fargate-usage.adoc | 1 - latest/ug/nodes/node-health.adoc | 1 - latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc | 1 - latest/ug/nodes/retrieve-ami-id.adoc | 1 - latest/ug/nodes/retrieve-windows-ami-id.adoc | 1 - latest/ug/nodes/self-managed-windows-server-2022.adoc | 1 - latest/ug/nodes/update-managed-node-group.adoc | 1 - latest/ug/nodes/update-stack.adoc | 1 - latest/ug/nodes/update-workers.adoc | 1 - latest/ug/nodes/worker.adoc | 1 - latest/ug/observability/cloudwatch.adoc | 2 -- latest/ug/observability/control-plane-logs.adoc | 1 - latest/ug/observability/deploy-prometheus.adoc | 1 - latest/ug/observability/eks-observe.adoc | 1 - latest/ug/observability/enable-asg-metrics.adoc | 1 - latest/ug/observability/logging-using-cloudtrail.adoc | 1 - latest/ug/observability/service-name-info-in-cloudtrail.adoc | 1 - .../ug/observability/understanding-service-name-entries.adoc | 1 - latest/ug/outposts/eks-outposts-capacity-considerations.adoc | 1 - latest/ug/outposts/eks-outposts-local-cluster-create.adoc | 1 - latest/ug/outposts/eks-outposts-local-cluster-overview.adoc | 1 - latest/ug/outposts/eks-outposts-network-disconnects.adoc | 1 - latest/ug/outposts/eks-outposts-platform-versions.adoc | 1 - latest/ug/outposts/eks-outposts-self-managed-nodes.adoc | 1 - latest/ug/outposts/eks-outposts-troubleshooting.adoc | 1 - latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc | 1 - latest/ug/outposts/eks-outposts.adoc | 1 - latest/ug/quickstart.adoc | 1 - latest/ug/related-projects.adoc | 1 - latest/ug/roadmap.adoc | 1 - latest/ug/security/auto-security.adoc | 1 - latest/ug/security/cert-signing.adoc | 1 - latest/ug/security/compliance.adoc | 1 - latest/ug/security/configuration-vulnerability-analysis.adoc | 1 - latest/ug/security/default-roles-users.adoc | 1 - latest/ug/security/disaster-recovery-resiliency.adoc | 1 - latest/ug/security/enable-kms.adoc | 1 - latest/ug/security/iam-reference/auto-cluster-iam-role.adoc | 1 - latest/ug/security/iam-reference/auto-create-node-role.adoc | 1 - latest/ug/security/iam-reference/cluster-iam-role.adoc | 1 - latest/ug/security/iam-reference/connector-iam-role.adoc | 1 - latest/ug/security/iam-reference/create-node-role.adoc | 1 - latest/ug/security/iam-reference/pod-execution-role.adoc | 1 - latest/ug/security/iam-reference/security-iam-awsmanpol.adoc | 1 - .../iam-reference/security-iam-id-based-policy-examples.adoc | 1 - .../security/iam-reference/security-iam-service-with-iam.adoc | 1 - .../ug/security/iam-reference/security-iam-troubleshoot.adoc | 1 - latest/ug/security/iam-reference/security-iam.adoc | 1 - .../using-service-linked-roles-eks-connector.adoc | 1 - .../iam-reference/using-service-linked-roles-eks-fargate.adoc | 1 - .../using-service-linked-roles-eks-nodegroups.adoc | 1 - .../iam-reference/using-service-linked-roles-eks-outpost.adoc | 1 - .../security/iam-reference/using-service-linked-roles-eks.adoc | 1 - .../ug/security/iam-reference/using-service-linked-roles.adoc | 1 - latest/ug/security/infrastructure-security.adoc | 1 - latest/ug/security/manage-secrets.adoc | 1 - latest/ug/security/pod-security-policy-removal-faq.adoc | 1 - latest/ug/security/pod-security-policy.adoc | 1 - latest/ug/security/security-best-practices.adoc | 1 - latest/ug/security/security-eks.adoc | 1 - latest/ug/security/security-k8s.adoc | 1 - latest/ug/security/security.adoc | 1 - latest/ug/security/vpc-interface-endpoints.adoc | 1 - latest/ug/storage/csi-snapshot-controller.adoc | 1 - latest/ug/storage/ebs-csi-migration-faq.adoc | 1 - latest/ug/storage/ebs-csi.adoc | 1 - latest/ug/storage/efs-csi.adoc | 1 - latest/ug/storage/file-cache-csi.adoc | 1 - latest/ug/storage/fsx-csi.adoc | 1 - latest/ug/storage/fsx-ontap.adoc | 1 - latest/ug/storage/fsx-openzfs-csi.adoc | 1 - latest/ug/storage/s3-csi.adoc | 1 - latest/ug/storage/storage.adoc | 1 - latest/ug/troubleshooting/troubleshooting.adoc | 1 - latest/ug/what-is/common-use-cases.adoc | 1 - latest/ug/what-is/eks-architecture.adoc | 1 - latest/ug/what-is/eks-deployment-options.adoc | 1 - latest/ug/what-is/kubernetes-concepts.adoc | 1 - latest/ug/what-is/what-is-eks.adoc | 1 - latest/ug/workloads/add-ons-iam.adoc | 1 - latest/ug/workloads/add-ons-images.adoc | 1 - latest/ug/workloads/addon-compat.adoc | 2 -- latest/ug/workloads/addon-id-troubleshoot.adoc | 1 - latest/ug/workloads/alb-ingress.adoc | 1 - latest/ug/workloads/community-addons.adoc | 1 - latest/ug/workloads/copy-image-to-repository.adoc | 1 - latest/ug/workloads/creating-an-add-on.adoc | 2 -- latest/ug/workloads/eks-add-ons.adoc | 2 -- latest/ug/workloads/eks-workloads.adoc | 1 - latest/ug/workloads/horizontal-pod-autoscaler.adoc | 1 - latest/ug/workloads/image-verification.adoc | 1 - latest/ug/workloads/kubernetes-field-management.adoc | 1 - latest/ug/workloads/network-load-balancing.adoc | 1 - latest/ug/workloads/remove-addon-role.adoc | 1 - latest/ug/workloads/removing-an-addon.adoc | 2 -- latest/ug/workloads/restrict-service-external-ip.adoc | 1 - latest/ug/workloads/retreive-iam-info.adoc | 1 - latest/ug/workloads/sample-deployment-windows.adoc | 2 -- latest/ug/workloads/sample-deployment.adoc | 3 --- latest/ug/workloads/update-addon-role.adoc | 1 - latest/ug/workloads/updating-an-add-on.adoc | 2 -- latest/ug/workloads/vertical-pod-autoscaler.adoc | 1 - latest/ug/workloads/workloads-add-ons-available-eks.adoc | 2 -- latest/ug/workloads/workloads-add-ons-available-vendors.adoc | 2 -- 305 files changed, 357 deletions(-) diff --git a/latest/ug/automode/api-reference.adoc b/latest/ug/automode/api-reference.adoc index 814ce1025..e2988259c 100644 --- a/latest/ug/automode/api-reference.adoc +++ b/latest/ug/automode/api-reference.adoc @@ -1,4 +1,3 @@ - [.topic] = EKA Auto Mode API Reference WIP diff --git a/latest/ug/automode/associate-workload.adoc b/latest/ug/automode/associate-workload.adoc index c1c525057..9f777524e 100644 --- a/latest/ug/automode/associate-workload.adoc +++ b/latest/ug/automode/associate-workload.adoc @@ -1,5 +1,3 @@ - - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/auto-configure-alb.adoc b/latest/ug/automode/auto-configure-alb.adoc index 29d46980f..329f1073b 100644 --- a/latest/ug/automode/auto-configure-alb.adoc +++ b/latest/ug/automode/auto-configure-alb.adoc @@ -1,4 +1,3 @@ - [.topic] [[auto-configure-alb,auto-configure-alb.title]] = Create an IngressClass to configure an Application Load Balancer diff --git a/latest/ug/automode/auto-configure-nlb.adoc b/latest/ug/automode/auto-configure-nlb.adoc index ac3a287fa..7870a9326 100644 --- a/latest/ug/automode/auto-configure-nlb.adoc +++ b/latest/ug/automode/auto-configure-nlb.adoc @@ -1,4 +1,3 @@ - [.topic] [[auto-configure-nlb,auto-configure-nlb.title]] = Use Service Annotations to configure Network Load Balancers diff --git a/latest/ug/automode/auto-disable.adoc b/latest/ug/automode/auto-disable.adoc index 382f28b67..727105422 100644 --- a/latest/ug/automode/auto-disable.adoc +++ b/latest/ug/automode/auto-disable.adoc @@ -1,4 +1,3 @@ - [.topic] [[auto-disable,auto-disable.title]] = Disable EKS Auto Mode diff --git a/latest/ug/automode/auto-elb-example.adoc b/latest/ug/automode/auto-elb-example.adoc index 0dd5fce38..47eb417f7 100644 --- a/latest/ug/automode/auto-elb-example.adoc +++ b/latest/ug/automode/auto-elb-example.adoc @@ -1,5 +1,3 @@ - - [.topic] [[auto-elb-example,auto-elb-example.title]] = Deploy a Sample Load Balancer Workload to EKS Auto Mode diff --git a/latest/ug/automode/auto-enable-existing.adoc b/latest/ug/automode/auto-enable-existing.adoc index a04171cf1..9ee5a98be 100644 --- a/latest/ug/automode/auto-enable-existing.adoc +++ b/latest/ug/automode/auto-enable-existing.adoc @@ -1,5 +1,3 @@ - - [.topic] [[auto-enable-existing,auto-enable-existing.title]] = Enable EKS Auto Mode on an existing cluster diff --git a/latest/ug/automode/auto-glossary.adoc b/latest/ug/automode/auto-glossary.adoc index ac250f9e0..218cc827d 100644 --- a/latest/ug/automode/auto-glossary.adoc +++ b/latest/ug/automode/auto-glossary.adoc @@ -1,4 +1,3 @@ - [.topic] [[auto-glossary,auto-glossary.title]] = Glossary diff --git a/latest/ug/automode/auto-learn-iam.adoc b/latest/ug/automode/auto-learn-iam.adoc index d33ac3a0c..2c982b8b7 100644 --- a/latest/ug/automode/auto-learn-iam.adoc +++ b/latest/ug/automode/auto-learn-iam.adoc @@ -1,5 +1,3 @@ - - [.topic] [[auto-learn-iam,auto-learn-iam.title]] = Learn about identity and access in EKS Auto Mode diff --git a/latest/ug/automode/auto-migrate-karpenter.adoc b/latest/ug/automode/auto-migrate-karpenter.adoc index 34c31b0d7..c56e82bae 100644 --- a/latest/ug/automode/auto-migrate-karpenter.adoc +++ b/latest/ug/automode/auto-migrate-karpenter.adoc @@ -1,4 +1,3 @@ - [.topic] [[auto-migrate-karpenter,auto-migrate-karpenter.title]] = Migrate from Karpenter to EKS Auto Mode using kubectl diff --git a/latest/ug/automode/auto-migrate-mng.adoc b/latest/ug/automode/auto-migrate-mng.adoc index ad7afd1fb..5be715d0e 100644 --- a/latest/ug/automode/auto-migrate-mng.adoc +++ b/latest/ug/automode/auto-migrate-mng.adoc @@ -1,5 +1,3 @@ - - [.topic] [[auto-migrate-mng,auto-migrate-mng.title]] = Migrate from EKS Managed Node Groups to EKS Auto Mode diff --git a/latest/ug/automode/auto-mng.adoc b/latest/ug/automode/auto-mng.adoc index 317aa2c8d..8f63a2a91 100644 --- a/latest/ug/automode/auto-mng.adoc +++ b/latest/ug/automode/auto-mng.adoc @@ -1,5 +1,3 @@ - - [.topic] [[auto-mng,auto-mng.title]] = Compare EKS Auto Mode with EKS managed node groups diff --git a/latest/ug/automode/auto-net-pol.adoc b/latest/ug/automode/auto-net-pol.adoc index 0f495d0f2..cce84df4d 100644 --- a/latest/ug/automode/auto-net-pol.adoc +++ b/latest/ug/automode/auto-net-pol.adoc @@ -1,4 +1,3 @@ - [.topic] [[auto-net-pol,auto-net-pol.title]] = Use Network Policies with EKS Auto Mode diff --git a/latest/ug/automode/auto-networking.adoc b/latest/ug/automode/auto-networking.adoc index d9365c9af..e0f57b870 100644 --- a/latest/ug/automode/auto-networking.adoc +++ b/latest/ug/automode/auto-networking.adoc @@ -1,4 +1,3 @@ - [.topic] [[auto-networking,auto-networking.title]] = Learn about VPC Networking and Load Balancing in EKS Auto Mode diff --git a/latest/ug/automode/auto-reference.adoc b/latest/ug/automode/auto-reference.adoc index 8e4d9d638..0735a0d1e 100644 --- a/latest/ug/automode/auto-reference.adoc +++ b/latest/ug/automode/auto-reference.adoc @@ -1,4 +1,3 @@ - [.topic] include::../attributes.txt[] [[auto-reference,auto-reference.title]] diff --git a/latest/ug/automode/auto-troubleshoot.adoc b/latest/ug/automode/auto-troubleshoot.adoc index 3cd9986a5..76c6d3075 100644 --- a/latest/ug/automode/auto-troubleshoot.adoc +++ b/latest/ug/automode/auto-troubleshoot.adoc @@ -1,5 +1,3 @@ - - [.topic] [[auto-troubleshoot,auto-troubleshoot.title]] = Troubleshoot EKS Auto Mode diff --git a/latest/ug/automode/auto-upgrade.adoc b/latest/ug/automode/auto-upgrade.adoc index 4ef6336ce..2afe7f3a7 100644 --- a/latest/ug/automode/auto-upgrade.adoc +++ b/latest/ug/automode/auto-upgrade.adoc @@ -1,4 +1,3 @@ - [.topic] [[auto-upgrade,auto-upgrade.title]] = Update the Kubernetes Version of an EKS Auto Mode cluster diff --git a/latest/ug/automode/auto-workloads.adoc b/latest/ug/automode/auto-workloads.adoc index 31bfce233..6f769e09b 100644 --- a/latest/ug/automode/auto-workloads.adoc +++ b/latest/ug/automode/auto-workloads.adoc @@ -1,4 +1,3 @@ - [.topic] include::../attributes.txt[] [[auto-workloads,auto-workloads.title]] diff --git a/latest/ug/automode/automode-get-started-cli.adoc b/latest/ug/automode/automode-get-started-cli.adoc index 662590033..f90361f31 100644 --- a/latest/ug/automode/automode-get-started-cli.adoc +++ b/latest/ug/automode/automode-get-started-cli.adoc @@ -1,5 +1,3 @@ - - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/automode-get-started-console.adoc b/latest/ug/automode/automode-get-started-console.adoc index 55b18dfc1..9021aaaf3 100644 --- a/latest/ug/automode/automode-get-started-console.adoc +++ b/latest/ug/automode/automode-get-started-console.adoc @@ -1,5 +1,3 @@ - - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/automode-get-started-eksctl.adoc b/latest/ug/automode/automode-get-started-eksctl.adoc index 7a58aac4b..229349927 100644 --- a/latest/ug/automode/automode-get-started-eksctl.adoc +++ b/latest/ug/automode/automode-get-started-eksctl.adoc @@ -1,5 +1,3 @@ - - [.topic] [[automode-get-started-eksctl,automode-get-started-eksctl.title]] = Create an EKS Auto Mode Cluster with the eksctl CLI diff --git a/latest/ug/automode/automode-learn-instances.adoc b/latest/ug/automode/automode-learn-instances.adoc index 467b1c419..21ed0a71a 100644 --- a/latest/ug/automode/automode-learn-instances.adoc +++ b/latest/ug/automode/automode-learn-instances.adoc @@ -1,5 +1,3 @@ - - [.topic] [[automode-learn-instances,automode-learn-instances.title]] = Learn about Amazon EKS Auto Mode Managed instances diff --git a/latest/ug/automode/automode-workload.adoc b/latest/ug/automode/automode-workload.adoc index 4406dcf67..72bdea10c 100644 --- a/latest/ug/automode/automode-workload.adoc +++ b/latest/ug/automode/automode-workload.adoc @@ -1,5 +1,3 @@ - - [.topic] [[automode-workload,automode-workload.title]] = Deploy a sample inflate workload to an Amazon EKS Auto Mode cluster diff --git a/latest/ug/automode/automode.adoc b/latest/ug/automode/automode.adoc index 449691757..804aee2a6 100644 --- a/latest/ug/automode/automode.adoc +++ b/latest/ug/automode/automode.adoc @@ -1,5 +1,3 @@ - - [[automode,automode.title]] = Automate cluster infrastructure with EKS Auto Mode :toclevels: 2 diff --git a/latest/ug/automode/create-auto.adoc b/latest/ug/automode/create-auto.adoc index e61b4751a..3403407b2 100644 --- a/latest/ug/automode/create-auto.adoc +++ b/latest/ug/automode/create-auto.adoc @@ -1,4 +1,3 @@ - [.topic] include::../attributes.txt[] [[create-auto,create-auto.title]] diff --git a/latest/ug/automode/create-node-class.adoc b/latest/ug/automode/create-node-class.adoc index f6e98a317..d1804849a 100644 --- a/latest/ug/automode/create-node-class.adoc +++ b/latest/ug/automode/create-node-class.adoc @@ -1,5 +1,3 @@ - - [.topic] [[create-node-class,create-node-class.title]] = Create a Node Class for Amazon EKS diff --git a/latest/ug/automode/create-node-pool.adoc b/latest/ug/automode/create-node-pool.adoc index 06afd012f..92a44feb8 100644 --- a/latest/ug/automode/create-node-pool.adoc +++ b/latest/ug/automode/create-node-pool.adoc @@ -1,4 +1,3 @@ - [.topic] [[create-node-pool,create-node-pool.title]] = Create a Node Pool for EKS Auto Mode diff --git a/latest/ug/automode/create-storage-class.adoc b/latest/ug/automode/create-storage-class.adoc index 739d8fbc9..6801d6066 100644 --- a/latest/ug/automode/create-storage-class.adoc +++ b/latest/ug/automode/create-storage-class.adoc @@ -1,4 +1,3 @@ - [.topic] [[create-storage-class,create-storage-class.title]] = Create a Storage Class diff --git a/latest/ug/automode/critical-workload.adoc b/latest/ug/automode/critical-workload.adoc index 31d235708..bd07b15fc 100644 --- a/latest/ug/automode/critical-workload.adoc +++ b/latest/ug/automode/critical-workload.adoc @@ -1,4 +1,3 @@ - [.topic] [[critical-workload,critical-workload.title]] = Run critical add-ons on dedicated instances diff --git a/latest/ug/automode/migrate-auto.adoc b/latest/ug/automode/migrate-auto.adoc index c4e952f2e..41365300a 100644 --- a/latest/ug/automode/migrate-auto.adoc +++ b/latest/ug/automode/migrate-auto.adoc @@ -1,4 +1,3 @@ - [.topic] include::../attributes.txt[] [[migrate-auto,migrate-auto.title]] diff --git a/latest/ug/automode/old/hpa_scaling.adoc b/latest/ug/automode/old/hpa_scaling.adoc index 7bcf3b296..dc23e3215 100644 --- a/latest/ug/automode/old/hpa_scaling.adoc +++ b/latest/ug/automode/old/hpa_scaling.adoc @@ -1,5 +1,3 @@ - - [.topic] [[auto-hpa-scaling,auto-hpa-scaling.title]] = End-to-end Compute Autoscaling with HPA diff --git a/latest/ug/automode/sample-storage-workload.adoc b/latest/ug/automode/sample-storage-workload.adoc index 4c4a419b7..2b942bd95 100644 --- a/latest/ug/automode/sample-storage-workload.adoc +++ b/latest/ug/automode/sample-storage-workload.adoc @@ -1,5 +1,3 @@ - - [.topic] [[sample-storage-workload,sample-storage-workload.title]] = Deploy a sample stateful workload to EKS Auto Mode diff --git a/latest/ug/automode/set-builtin-node-pools.adoc b/latest/ug/automode/set-builtin-node-pools.adoc index 701627c9d..1effcd571 100644 --- a/latest/ug/automode/set-builtin-node-pools.adoc +++ b/latest/ug/automode/set-builtin-node-pools.adoc @@ -1,4 +1,3 @@ - [.topic] [[set-builtin-node-pools,set-builtin-node-pools.title]] = Enable or Disable Built-in NodePools diff --git a/latest/ug/automode/settings-auto.adoc b/latest/ug/automode/settings-auto.adoc index 07920c453..9cb028e22 100644 --- a/latest/ug/automode/settings-auto.adoc +++ b/latest/ug/automode/settings-auto.adoc @@ -1,4 +1,3 @@ - [.topic] include::../attributes.txt[] [[settings-auto,settings-auto.title]] diff --git a/latest/ug/automode/troubleshoot-lbc.adoc b/latest/ug/automode/troubleshoot-lbc.adoc index 50afbfc93..6b1c92539 100644 --- a/latest/ug/automode/troubleshoot-lbc.adoc +++ b/latest/ug/automode/troubleshoot-lbc.adoc @@ -1,4 +1,3 @@ - [.topic] [[troubleshoot-lbc,troubleshoot-lbc.title]] # Troubleshooting Amazon EKS Auto Mode Load Balancer Controller diff --git a/latest/ug/automode/wip.adoc b/latest/ug/automode/wip.adoc index 81b1184af..cc673c99d 100644 --- a/latest/ug/automode/wip.adoc +++ b/latest/ug/automode/wip.adoc @@ -1,4 +1,3 @@ - [.topic] [[auto-wip,auto-wip.title]] = EKS Auto Mode: Revisions to existing pages WIP diff --git a/latest/ug/automode/wip/create-vpc-console.adoc b/latest/ug/automode/wip/create-vpc-console.adoc index 961262b41..b1168de1c 100644 --- a/latest/ug/automode/wip/create-vpc-console.adoc +++ b/latest/ug/automode/wip/create-vpc-console.adoc @@ -1,4 +1,3 @@ - [.topic] [[create-vpc-console,create-vpc-console.title]] = Create a VPC for Amazon EKS with the web console diff --git a/latest/ug/automode/wip/eksctl-docs.adoc b/latest/ug/automode/wip/eksctl-docs.adoc index fa1d87ca7..5ed8bfd4f 100644 --- a/latest/ug/automode/wip/eksctl-docs.adoc +++ b/latest/ug/automode/wip/eksctl-docs.adoc @@ -1,4 +1,3 @@ - [.topic] [[eksctl-docs,eksctl-docs.title]] = EKS Auto Mode diff --git a/latest/ug/automode/wip/tag-subnets.adoc b/latest/ug/automode/wip/tag-subnets.adoc index 0f6509b68..79fb44a10 100644 --- a/latest/ug/automode/wip/tag-subnets.adoc +++ b/latest/ug/automode/wip/tag-subnets.adoc @@ -1,4 +1,3 @@ - [.topic] [[tag-subnets,tag-subnets.title]] = Tag VPC Subnets for Load Balancer Deployment diff --git a/latest/ug/book.adoc b/latest/ug/book.adoc index b842cfb54..75554a62a 100644 --- a/latest/ug/book.adoc +++ b/latest/ug/book.adoc @@ -1,4 +1,3 @@ - include::attributes.txt[] [[top]] = Amazon EKS diff --git a/latest/ug/clusters/autoscaling.adoc b/latest/ug/clusters/autoscaling.adoc index 4899304fc..862365cbd 100644 --- a/latest/ug/clusters/autoscaling.adoc +++ b/latest/ug/clusters/autoscaling.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/cluster-endpoint.adoc b/latest/ug/clusters/cluster-endpoint.adoc index cb6b68486..101e43fa4 100644 --- a/latest/ug/clusters/cluster-endpoint.adoc +++ b/latest/ug/clusters/cluster-endpoint.adoc @@ -1,4 +1,3 @@ - [.topic] [[cluster-endpoint,cluster-endpoint.title]] = Control network access to cluster API server endpoint diff --git a/latest/ug/clusters/cluster-insights.adoc b/latest/ug/clusters/cluster-insights.adoc index b2aa6a1b5..68147f723 100644 --- a/latest/ug/clusters/cluster-insights.adoc +++ b/latest/ug/clusters/cluster-insights.adoc @@ -1,4 +1,3 @@ - [.topic] [[cluster-insights,cluster-insights.title]] = Prepare for [.noloc]`Kubernetes` version upgrades with cluster insights diff --git a/latest/ug/clusters/clusters.adoc b/latest/ug/clusters/clusters.adoc index 5c9161eba..ed9c48785 100644 --- a/latest/ug/clusters/clusters.adoc +++ b/latest/ug/clusters/clusters.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [[clusters,clusters.title]] = Organize workloads with Amazon EKS clusters diff --git a/latest/ug/clusters/create-cluster-auto.adoc b/latest/ug/clusters/create-cluster-auto.adoc index 97c96650a..939c508ef 100644 --- a/latest/ug/clusters/create-cluster-auto.adoc +++ b/latest/ug/clusters/create-cluster-auto.adoc @@ -1,5 +1,3 @@ - - [.topic] [[create-cluster-auto,create-cluster-auto.title]] = Create an Amazon EKS Auto Mode cluster diff --git a/latest/ug/clusters/create-cluster.adoc b/latest/ug/clusters/create-cluster.adoc index b4ab81173..54c7c38ab 100644 --- a/latest/ug/clusters/create-cluster.adoc +++ b/latest/ug/clusters/create-cluster.adoc @@ -1,5 +1,3 @@ - - [.topic] [[create-cluster,create-cluster.title]] = Create an Amazon EKS cluster diff --git a/latest/ug/clusters/delete-cluster.adoc b/latest/ug/clusters/delete-cluster.adoc index d90ee5dfa..e8bc07362 100644 --- a/latest/ug/clusters/delete-cluster.adoc +++ b/latest/ug/clusters/delete-cluster.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/disable-windows-support.adoc b/latest/ug/clusters/disable-windows-support.adoc index 1b1324a92..5587786cd 100644 --- a/latest/ug/clusters/disable-windows-support.adoc +++ b/latest/ug/clusters/disable-windows-support.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/kubernetes-versions-extended.adoc b/latest/ug/clusters/kubernetes-versions-extended.adoc index 7e85661c8..3a38df6a4 100644 --- a/latest/ug/clusters/kubernetes-versions-extended.adoc +++ b/latest/ug/clusters/kubernetes-versions-extended.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] [[kubernetes-versions-extended,kubernetes-versions-extended.title]] diff --git a/latest/ug/clusters/kubernetes-versions-standard.adoc b/latest/ug/clusters/kubernetes-versions-standard.adoc index af4a28927..1eabb4d7b 100644 --- a/latest/ug/clusters/kubernetes-versions-standard.adoc +++ b/latest/ug/clusters/kubernetes-versions-standard.adoc @@ -1,5 +1,3 @@ - - [.topic] [[kubernetes-versions-standard,kubernetes-versions-standard.title]] = Review release notes for [.noloc]`Kubernetes` versions on standard support diff --git a/latest/ug/clusters/kubernetes-versions.adoc b/latest/ug/clusters/kubernetes-versions.adoc index e0fc98e24..3427c8dd2 100644 --- a/latest/ug/clusters/kubernetes-versions.adoc +++ b/latest/ug/clusters/kubernetes-versions.adoc @@ -1,5 +1,3 @@ - - [.topic] [[kubernetes-versions,kubernetes-versions.title]] = Understand the [.noloc]`Kubernetes` version lifecycle on EKS diff --git a/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc b/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc index 0145f0a85..eb0adab99 100644 --- a/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc +++ b/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc @@ -1,4 +1,3 @@ - [.topic] [[cost-monitoring-kubecost-bundles,cost-monitoring-kubecost-bundles.title]] = Learn more about Kubecost diff --git a/latest/ug/clusters/management/cost-monitoring-kubecost.adoc b/latest/ug/clusters/management/cost-monitoring-kubecost.adoc index 97fdf5bcd..330f1b2bb 100644 --- a/latest/ug/clusters/management/cost-monitoring-kubecost.adoc +++ b/latest/ug/clusters/management/cost-monitoring-kubecost.adoc @@ -1,4 +1,3 @@ - [.topic] [[cost-monitoring-kubecost,cost-monitoring-kubecost.title]] = Install Kubecost and access dashboard diff --git a/latest/ug/clusters/management/cost-monitoring.adoc b/latest/ug/clusters/management/cost-monitoring.adoc index 8ffceb2bc..d377f8859 100644 --- a/latest/ug/clusters/management/cost-monitoring.adoc +++ b/latest/ug/clusters/management/cost-monitoring.adoc @@ -1,6 +1,3 @@ - - - [.topic] [[cost-monitoring,cost-monitoring.title]] = Monitor and optimize Amazon EKS cluster costs diff --git a/latest/ug/clusters/management/eks-managing.adoc b/latest/ug/clusters/management/eks-managing.adoc index 640128ea5..71e12d756 100644 --- a/latest/ug/clusters/management/eks-managing.adoc +++ b/latest/ug/clusters/management/eks-managing.adoc @@ -1,4 +1,3 @@ - include::../../attributes.txt[] [[eks-managing,eks-managing.title]] = Organize and monitor cluster resources diff --git a/latest/ug/clusters/management/eks-using-tags.adoc b/latest/ug/clusters/management/eks-using-tags.adoc index 5b1d9eb41..1190cff65 100644 --- a/latest/ug/clusters/management/eks-using-tags.adoc +++ b/latest/ug/clusters/management/eks-using-tags.adoc @@ -1,4 +1,3 @@ - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/management/helm.adoc b/latest/ug/clusters/management/helm.adoc index 2aa775274..87c95ff7a 100644 --- a/latest/ug/clusters/management/helm.adoc +++ b/latest/ug/clusters/management/helm.adoc @@ -1,4 +1,3 @@ - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/management/metrics-server.adoc b/latest/ug/clusters/management/metrics-server.adoc index 9e031a998..e6f9db464 100644 --- a/latest/ug/clusters/management/metrics-server.adoc +++ b/latest/ug/clusters/management/metrics-server.adoc @@ -1,4 +1,3 @@ - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/management/service-quotas.adoc b/latest/ug/clusters/management/service-quotas.adoc index d879e7d26..523d10424 100644 --- a/latest/ug/clusters/management/service-quotas.adoc +++ b/latest/ug/clusters/management/service-quotas.adoc @@ -1,4 +1,3 @@ - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/platform-versions.adoc b/latest/ug/clusters/platform-versions.adoc index 98da5740c..3828100b4 100644 --- a/latest/ug/clusters/platform-versions.adoc +++ b/latest/ug/clusters/platform-versions.adoc @@ -1,5 +1,3 @@ - - [.topic] [[platform-versions,platform-versions.title]] = View Amazon EKS platform versions for each [.noloc]`Kubernetes` version diff --git a/latest/ug/clusters/private-clusters.adoc b/latest/ug/clusters/private-clusters.adoc index 12138cbdc..7d87dd5fc 100644 --- a/latest/ug/clusters/private-clusters.adoc +++ b/latest/ug/clusters/private-clusters.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/update-cluster.adoc b/latest/ug/clusters/update-cluster.adoc index f02e4df77..5be4c0255 100644 --- a/latest/ug/clusters/update-cluster.adoc +++ b/latest/ug/clusters/update-cluster.adoc @@ -1,5 +1,3 @@ - - [.topic] [[update-cluster,update-cluster.title]] = Update existing cluster to new Kubernetes version diff --git a/latest/ug/clusters/windows-support.adoc b/latest/ug/clusters/windows-support.adoc index 774f797b9..6089f6644 100644 --- a/latest/ug/clusters/windows-support.adoc +++ b/latest/ug/clusters/windows-support.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/zone-shift-enable.adoc b/latest/ug/clusters/zone-shift-enable.adoc index 2fba18e7e..04864b8c3 100644 --- a/latest/ug/clusters/zone-shift-enable.adoc +++ b/latest/ug/clusters/zone-shift-enable.adoc @@ -1,4 +1,3 @@ - [.topic] [[zone-shift-enable,zone-shift-enable.title]] = Enable EKS Zonal Shift to avoid impaired Availability Zones diff --git a/latest/ug/clusters/zone-shift.adoc b/latest/ug/clusters/zone-shift.adoc index b7149eb6c..094b42358 100644 --- a/latest/ug/clusters/zone-shift.adoc +++ b/latest/ug/clusters/zone-shift.adoc @@ -1,4 +1,3 @@ - [.topic] [[zone-shift,zone-shift.title]] = Learn about Amazon Application Recovery Controller's (ARC) Zonal Shift in Amazon EKS diff --git a/latest/ug/connector/connecting-cluster.adoc b/latest/ug/connector/connecting-cluster.adoc index 85a16b735..e98f8aa7d 100644 --- a/latest/ug/connector/connecting-cluster.adoc +++ b/latest/ug/connector/connecting-cluster.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/connector/connector-grant-access.adoc b/latest/ug/connector/connector-grant-access.adoc index 9e1a9fe42..e5dde0782 100644 --- a/latest/ug/connector/connector-grant-access.adoc +++ b/latest/ug/connector/connector-grant-access.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/connector/deregister-connected-cluster.adoc b/latest/ug/connector/deregister-connected-cluster.adoc index c534fdb34..762f875c9 100644 --- a/latest/ug/connector/deregister-connected-cluster.adoc +++ b/latest/ug/connector/deregister-connected-cluster.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/connector/eks-connector.adoc b/latest/ug/connector/eks-connector.adoc index 79c7e1b85..c0c7c58f6 100644 --- a/latest/ug/connector/eks-connector.adoc +++ b/latest/ug/connector/eks-connector.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [[eks-connector,eks-connector.title]] = Connect a [.noloc]`Kubernetes` cluster to an Amazon EKS Management Console with Amazon EKS Connector diff --git a/latest/ug/connector/security-connector.adoc b/latest/ug/connector/security-connector.adoc index 0bfce05b6..371e6bcac 100644 --- a/latest/ug/connector/security-connector.adoc +++ b/latest/ug/connector/security-connector.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/connector/troubleshooting-connector.adoc b/latest/ug/connector/troubleshooting-connector.adoc index 40b88b935..6b1029116 100644 --- a/latest/ug/connector/troubleshooting-connector.adoc +++ b/latest/ug/connector/troubleshooting-connector.adoc @@ -1,4 +1,3 @@ - [.topic] [[troubleshooting-connector,troubleshooting-connector.title]] = Troubleshoot Amazon EKS Connector issues diff --git a/latest/ug/connector/tsc-faq.adoc b/latest/ug/connector/tsc-faq.adoc index cd048f113..359530e1e 100644 --- a/latest/ug/connector/tsc-faq.adoc +++ b/latest/ug/connector/tsc-faq.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index b8b112a0d..cfa6cafd4 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -1,5 +1,3 @@ - - [.topic] [[doc-history,doc-history.title]] // H1 title is necessary, and must occur before the [abstract], but is unused in the web page (:info_title: is used instead, and :info_titleabbrev: is used in the ToC) diff --git a/latest/ug/getting-started/getting-started-automode.adoc b/latest/ug/getting-started/getting-started-automode.adoc index 24da21b93..a91ab2715 100644 --- a/latest/ug/getting-started/getting-started-automode.adoc +++ b/latest/ug/getting-started/getting-started-automode.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/getting-started/getting-started-eksctl.adoc b/latest/ug/getting-started/getting-started-eksctl.adoc index 563b6a45e..266ac2717 100644 --- a/latest/ug/getting-started/getting-started-eksctl.adoc +++ b/latest/ug/getting-started/getting-started-eksctl.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/getting-started/getting-started.adoc b/latest/ug/getting-started/getting-started.adoc index d5ac9a086..a1b81e15e 100644 --- a/latest/ug/getting-started/getting-started.adoc +++ b/latest/ug/getting-started/getting-started.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [[getting-started,getting-started.title]] = Get started with Amazon EKS diff --git a/latest/ug/getting-started/install-awscli.adoc b/latest/ug/getting-started/install-awscli.adoc index 667d61263..8d1798eae 100644 --- a/latest/ug/getting-started/install-awscli.adoc +++ b/latest/ug/getting-started/install-awscli.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/getting-started/install-kubectl.adoc b/latest/ug/getting-started/install-kubectl.adoc index a8218b47f..2ced97f88 100644 --- a/latest/ug/getting-started/install-kubectl.adoc +++ b/latest/ug/getting-started/install-kubectl.adoc @@ -1,6 +1,3 @@ - - - [.topic] [[install-kubectl,install-kubectl.title]] = Set up `kubectl` and `eksctl` diff --git a/latest/ug/getting-started/learn-eks.adoc b/latest/ug/getting-started/learn-eks.adoc index 0fe688eca..ce1c70597 100644 --- a/latest/ug/getting-started/learn-eks.adoc +++ b/latest/ug/getting-started/learn-eks.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/getting-started/setting-up.adoc b/latest/ug/getting-started/setting-up.adoc index 76596608f..df2619246 100644 --- a/latest/ug/getting-started/setting-up.adoc +++ b/latest/ug/getting-started/setting-up.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [[setting-up,setting-up.title]] = Set up to use Amazon EKS diff --git a/latest/ug/integrations/creating-resources-with-cloudformation.adoc b/latest/ug/integrations/creating-resources-with-cloudformation.adoc index 20af6e396..d501eab8b 100644 --- a/latest/ug/integrations/creating-resources-with-cloudformation.adoc +++ b/latest/ug/integrations/creating-resources-with-cloudformation.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/integrations/eks-integrations.adoc b/latest/ug/integrations/eks-integrations.adoc index 24d617911..9755ee626 100644 --- a/latest/ug/integrations/eks-integrations.adoc +++ b/latest/ug/integrations/eks-integrations.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [[eks-integrations,eks-integrations.title]] = Enhance EKS with integrated {aws} services diff --git a/latest/ug/integrations/integration-detective.adoc b/latest/ug/integrations/integration-detective.adoc index 90824f669..f26f3603f 100644 --- a/latest/ug/integrations/integration-detective.adoc +++ b/latest/ug/integrations/integration-detective.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/integrations/integration-guardduty.adoc b/latest/ug/integrations/integration-guardduty.adoc index 0cdc5a764..274665ebc 100644 --- a/latest/ug/integrations/integration-guardduty.adoc +++ b/latest/ug/integrations/integration-guardduty.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/integrations/integration-resilience-hub.adoc b/latest/ug/integrations/integration-resilience-hub.adoc index 6a0d9b4b2..97f50174a 100644 --- a/latest/ug/integrations/integration-resilience-hub.adoc +++ b/latest/ug/integrations/integration-resilience-hub.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/integrations/integration-securitylake.adoc b/latest/ug/integrations/integration-securitylake.adoc index 5f734872a..7e77740ec 100644 --- a/latest/ug/integrations/integration-securitylake.adoc +++ b/latest/ug/integrations/integration-securitylake.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/integrations/integration-vpc-lattice.adoc b/latest/ug/integrations/integration-vpc-lattice.adoc index 3a3462d7c..6fffebe9a 100644 --- a/latest/ug/integrations/integration-vpc-lattice.adoc +++ b/latest/ug/integrations/integration-vpc-lattice.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/integrations/local-zones.adoc b/latest/ug/integrations/local-zones.adoc index 5f449ed89..ac11a2418 100644 --- a/latest/ug/integrations/local-zones.adoc +++ b/latest/ug/integrations/local-zones.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/aws-access/service-accounts.adoc b/latest/ug/manage-access/aws-access/service-accounts.adoc index adb2fa28f..d2f1cc697 100644 --- a/latest/ug/manage-access/aws-access/service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/service-accounts.adoc @@ -1,4 +1,3 @@ - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/cluster-auth.adoc b/latest/ug/manage-access/cluster-auth.adoc index f69b287b8..6ed6aa831 100644 --- a/latest/ug/manage-access/cluster-auth.adoc +++ b/latest/ug/manage-access/cluster-auth.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] [[cluster-auth,cluster-auth.title]] diff --git a/latest/ug/manage-access/create-kubeconfig.adoc b/latest/ug/manage-access/create-kubeconfig.adoc index 990a55741..596a0ee9d 100644 --- a/latest/ug/manage-access/create-kubeconfig.adoc +++ b/latest/ug/manage-access/create-kubeconfig.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/k8s-access/access-entries.adoc b/latest/ug/manage-access/k8s-access/access-entries.adoc index 836c58ee2..f15ee46c2 100644 --- a/latest/ug/manage-access/k8s-access/access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/access-entries.adoc @@ -1,5 +1,3 @@ - - [.topic] [[access-entries,access-entries.title]] = Grant [.noloc]`IAM` users access to [.noloc]`Kubernetes` with EKS access entries diff --git a/latest/ug/manage-access/k8s-access/access-policies.adoc b/latest/ug/manage-access/k8s-access/access-policies.adoc index 6a02a9691..c0bfa175f 100644 --- a/latest/ug/manage-access/k8s-access/access-policies.adoc +++ b/latest/ug/manage-access/k8s-access/access-policies.adoc @@ -1,5 +1,3 @@ - - [.topic] [[access-policies,access-policies.title]] = Associate access policies with access entries diff --git a/latest/ug/manage-access/k8s-access/access-policy-reference.adoc b/latest/ug/manage-access/k8s-access/access-policy-reference.adoc index e42aa260f..c55384a0b 100644 --- a/latest/ug/manage-access/k8s-access/access-policy-reference.adoc +++ b/latest/ug/manage-access/k8s-access/access-policy-reference.adoc @@ -1,5 +1,3 @@ - - [.topic] [[access-policy-permissions,access-policy-permissions.title]] = Review access policy permissions diff --git a/latest/ug/manage-access/k8s-access/auth-configmap.adoc b/latest/ug/manage-access/k8s-access/auth-configmap.adoc index a97b9ee80..162e95474 100644 --- a/latest/ug/manage-access/k8s-access/auth-configmap.adoc +++ b/latest/ug/manage-access/k8s-access/auth-configmap.adoc @@ -1,5 +1,3 @@ - - [.topic] [[auth-configmap,auth-configmap.title]] = Grant [.noloc]`IAM` users access to [.noloc]`Kubernetes` with a [.noloc]`ConfigMap` diff --git a/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc b/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc index a6022423e..08317d460 100644 --- a/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc +++ b/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc @@ -1,5 +1,3 @@ - - [.topic] [[authenticate-oidc-identity-provider,authenticate-oidc-identity-provider.title]] = Grant users access to [.noloc]`Kubernetes` with an external [.noloc]`OIDC` provider diff --git a/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc b/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc index b068d3c93..57166c99b 100644 --- a/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc +++ b/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc @@ -1,5 +1,3 @@ - - [.topic] [[disassociate-oidc-identity-provider,disassociate-oidc-identity-provider.title]] = Disassociate an [.noloc]`OIDC` identity provider from your cluster diff --git a/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc b/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc index a8611977e..373363009 100644 --- a/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc +++ b/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc @@ -1,6 +1,3 @@ - - - [.topic] [[grant-k8s-access,grant-k8s-access.title]] = Grant [.noloc]`IAM` users and roles access to Kubernetes [.noloc]`APIs` diff --git a/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc b/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc index 091097bef..2de93b6e3 100644 --- a/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc @@ -1,6 +1,3 @@ - - - [.topic] [[migrating-access-entries,migrating-access-entries.title]] = Migrating existing `aws-auth ConfigMap` entries to access entries diff --git a/latest/ug/manage-access/view-kubernetes-resources.adoc b/latest/ug/manage-access/view-kubernetes-resources.adoc index 514526300..8aa51eaa7 100644 --- a/latest/ug/manage-access/view-kubernetes-resources.adoc +++ b/latest/ug/manage-access/view-kubernetes-resources.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/ml/capacity-blocks-mng.adoc b/latest/ug/ml/capacity-blocks-mng.adoc index 38a843e42..624c3ce50 100644 --- a/latest/ug/ml/capacity-blocks-mng.adoc +++ b/latest/ug/ml/capacity-blocks-mng.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] [[capacity-blocks-mng,capacity-blocks-mng.title]] diff --git a/latest/ug/ml/capacity-blocks.adoc b/latest/ug/ml/capacity-blocks.adoc index 847290dbb..5e2587bdf 100644 --- a/latest/ug/ml/capacity-blocks.adoc +++ b/latest/ug/ml/capacity-blocks.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] [[capacity-blocks,capacity-blocks.title]] diff --git a/latest/ug/ml/inferentia-support.adoc b/latest/ug/ml/inferentia-support.adoc index cd27f295a..b59bdfabf 100644 --- a/latest/ug/ml/inferentia-support.adoc +++ b/latest/ug/ml/inferentia-support.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/ml/machine-learning-on-eks.adoc b/latest/ug/ml/machine-learning-on-eks.adoc index f120dc089..cfeef17c7 100644 --- a/latest/ug/ml/machine-learning-on-eks.adoc +++ b/latest/ug/ml/machine-learning-on-eks.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] [[machine-learning-on-eks,machine-learning-on-eks.title]] diff --git a/latest/ug/ml/ml-eks-optimized-ami.adoc b/latest/ug/ml/ml-eks-optimized-ami.adoc index ee065dacc..26986e44a 100644 --- a/latest/ug/ml/ml-eks-optimized-ami.adoc +++ b/latest/ug/ml/ml-eks-optimized-ami.adoc @@ -1,4 +1,3 @@ - [.topic] [[ml-eks-optimized-ami,ml-eks-optimized-ami.title]] = Run GPU-accelerated containers (Linux on EC2) diff --git a/latest/ug/ml/ml-eks-windows-optimized-ami.adoc b/latest/ug/ml/ml-eks-windows-optimized-ami.adoc index 58bb9b88e..77ee28c7e 100644 --- a/latest/ug/ml/ml-eks-windows-optimized-ami.adoc +++ b/latest/ug/ml/ml-eks-windows-optimized-ami.adoc @@ -1,4 +1,3 @@ - [.topic] [[ml-eks-windows-optimized-ami,ml-eks-windows-optimized-ami.title]] = Run GPU-accelerated containers (Windows on EC2 G-Series) diff --git a/latest/ug/ml/ml-get-started.adoc b/latest/ug/ml/ml-get-started.adoc index 5f3f8dc5a..9c624e21d 100644 --- a/latest/ug/ml/ml-get-started.adoc +++ b/latest/ug/ml/ml-get-started.adoc @@ -1,5 +1,3 @@ - - [.topic] [[ml-get-started,ml-get-started.title]] = Get started with ML diff --git a/latest/ug/ml/ml-prepare-for-cluster.adoc b/latest/ug/ml/ml-prepare-for-cluster.adoc index 992a110b2..c7d934ef0 100644 --- a/latest/ug/ml/ml-prepare-for-cluster.adoc +++ b/latest/ug/ml/ml-prepare-for-cluster.adoc @@ -1,5 +1,3 @@ - - [.topic] [[ml-prepare-for-cluster,ml-prepare-for-cluster.title]] = Prepare for ML clusters diff --git a/latest/ug/ml/ml-tutorials.adoc b/latest/ug/ml/ml-tutorials.adoc index c609fb828..bebf0dfd2 100644 --- a/latest/ug/ml/ml-tutorials.adoc +++ b/latest/ug/ml/ml-tutorials.adoc @@ -1,5 +1,3 @@ - - [.topic] [[ml-tutorials,ml-tutorials.title]] = Try tutorials for deploying Machine Learning workloads on EKS diff --git a/latest/ug/ml/node-efa.adoc b/latest/ug/ml/node-efa.adoc index e836938ad..5deb39a12 100644 --- a/latest/ug/ml/node-efa.adoc +++ b/latest/ug/ml/node-efa.adoc @@ -1,4 +1,3 @@ - :AWSEC2-latest-UserGuide-using-eni-html-network-cards: AWSEC2/latest/UserGuide/using-eni.html#network-cards [.topic] diff --git a/latest/ug/ml/node-taints-managed-node-groups.adoc b/latest/ug/ml/node-taints-managed-node-groups.adoc index 1d0b20502..3d29876e9 100644 --- a/latest/ug/ml/node-taints-managed-node-groups.adoc +++ b/latest/ug/ml/node-taints-managed-node-groups.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] [[node-taints-managed-node-groups,node-taints-managed-node-groups.title]] diff --git a/latest/ug/networking/alternate-cni-plugins.adoc b/latest/ug/networking/alternate-cni-plugins.adoc index 66f94d091..6831002d2 100644 --- a/latest/ug/networking/alternate-cni-plugins.adoc +++ b/latest/ug/networking/alternate-cni-plugins.adoc @@ -1,4 +1,3 @@ - [.topic] [[alternate-cni-plugins,alternate-cni-plugins.title]] = Alternate CNI plugins for Amazon EKS clusters diff --git a/latest/ug/networking/aws-load-balancer-controller.adoc b/latest/ug/networking/aws-load-balancer-controller.adoc index 0668c2f13..0355caad1 100644 --- a/latest/ug/networking/aws-load-balancer-controller.adoc +++ b/latest/ug/networking/aws-load-balancer-controller.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/cni-custom-network-tutorial.adoc b/latest/ug/networking/cni-custom-network-tutorial.adoc index 10ef92d78..4e763ee2f 100644 --- a/latest/ug/networking/cni-custom-network-tutorial.adoc +++ b/latest/ug/networking/cni-custom-network-tutorial.adoc @@ -1,4 +1,3 @@ - [.topic] [[cni-custom-network-tutorial,cni-custom-network-tutorial.title]] = Customize the secondary network interface in Amazon EKS nodes diff --git a/latest/ug/networking/cni-custom-network.adoc b/latest/ug/networking/cni-custom-network.adoc index 088121ceb..402010a2e 100644 --- a/latest/ug/networking/cni-custom-network.adoc +++ b/latest/ug/networking/cni-custom-network.adoc @@ -1,4 +1,3 @@ - [.topic] [[cni-custom-network,cni-custom-network.title]] = Deploy [.noloc]`Pods` in alternate subnets with custom networking diff --git a/latest/ug/networking/cni-iam-role.adoc b/latest/ug/networking/cni-iam-role.adoc index 1157c57b8..13616c593 100644 --- a/latest/ug/networking/cni-iam-role.adoc +++ b/latest/ug/networking/cni-iam-role.adoc @@ -1,4 +1,3 @@ - [.topic] [[cni-iam-role,cni-iam-role.title]] = Configure Amazon VPC CNI plugin to use IRSA diff --git a/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc b/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc index 296a80b42..4b8d48fab 100644 --- a/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc +++ b/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc @@ -1,4 +1,3 @@ - [.topic] [[cni-increase-ip-addresses-procedure,cni-increase-ip-addresses-procedure.title]] = Increase the available IP addresses for your Amazon EKS node diff --git a/latest/ug/networking/cni-increase-ip-addresses.adoc b/latest/ug/networking/cni-increase-ip-addresses.adoc index 07e002eac..4810a36bf 100644 --- a/latest/ug/networking/cni-increase-ip-addresses.adoc +++ b/latest/ug/networking/cni-increase-ip-addresses.adoc @@ -1,4 +1,3 @@ - [.topic] [[cni-increase-ip-addresses,cni-increase-ip-addresses.title]] = Assign more IP addresses to Amazon EKS nodes with prefixes diff --git a/latest/ug/networking/cni-ipv6.adoc b/latest/ug/networking/cni-ipv6.adoc index 8fe2d537d..b2f6b4eeb 100644 --- a/latest/ug/networking/cni-ipv6.adoc +++ b/latest/ug/networking/cni-ipv6.adoc @@ -1,4 +1,3 @@ - [.topic] [[cni-ipv6,cni-ipv6.title]] = Learn about IPv6 addresses to clusters, [.noloc]`Pods`, and services diff --git a/latest/ug/networking/cni-network-policy-configure.adoc b/latest/ug/networking/cni-network-policy-configure.adoc index f04b4f39e..626907545 100644 --- a/latest/ug/networking/cni-network-policy-configure.adoc +++ b/latest/ug/networking/cni-network-policy-configure.adoc @@ -1,4 +1,3 @@ - [.topic] [[cni-network-policy-configure,cni-network-policy-configure.title]] = Restrict Pod network traffic with [.noloc]`Kubernetes` network policies diff --git a/latest/ug/networking/cni-network-policy.adoc b/latest/ug/networking/cni-network-policy.adoc index bb57d8c55..7dc6e97df 100644 --- a/latest/ug/networking/cni-network-policy.adoc +++ b/latest/ug/networking/cni-network-policy.adoc @@ -1,4 +1,3 @@ - [.topic] [[cni-network-policy,cni-network-policy.title]] = Limit [.noloc]`Pod` traffic with [.noloc]`Kubernetes` network policies diff --git a/latest/ug/networking/coredns-add-on-create.adoc b/latest/ug/networking/coredns-add-on-create.adoc index 5f3853879..c26b54c9e 100644 --- a/latest/ug/networking/coredns-add-on-create.adoc +++ b/latest/ug/networking/coredns-add-on-create.adoc @@ -1,4 +1,3 @@ - [.topic] [[coredns-add-on-create,coredns-add-on-create.title]] = Create the [.noloc]`CoreDNS` Amazon EKS add-on diff --git a/latest/ug/networking/coredns-add-on-self-managed-update.adoc b/latest/ug/networking/coredns-add-on-self-managed-update.adoc index c2b12f896..5f28b44dc 100644 --- a/latest/ug/networking/coredns-add-on-self-managed-update.adoc +++ b/latest/ug/networking/coredns-add-on-self-managed-update.adoc @@ -1,4 +1,3 @@ - [.topic] [[coredns-add-on-self-managed-update,coredns-add-on-self-managed-update.title]] = Update the [.noloc]`CoreDNS` Amazon EKS self-managed add-on diff --git a/latest/ug/networking/coredns-add-on-update.adoc b/latest/ug/networking/coredns-add-on-update.adoc index f85bb0eb5..042178b42 100644 --- a/latest/ug/networking/coredns-add-on-update.adoc +++ b/latest/ug/networking/coredns-add-on-update.adoc @@ -1,4 +1,3 @@ - [.topic] [[coredns-add-on-update,coredns-add-on-update.title]] = Update the [.noloc]`CoreDNS` Amazon EKS add-on diff --git a/latest/ug/networking/coredns-autoscaling.adoc b/latest/ug/networking/coredns-autoscaling.adoc index 90ab36ba1..a4a1f234d 100644 --- a/latest/ug/networking/coredns-autoscaling.adoc +++ b/latest/ug/networking/coredns-autoscaling.adoc @@ -1,4 +1,3 @@ - [.topic] [[coredns-autoscaling,coredns-autoscaling.title]] = Scale [.noloc]`CoreDNS Pods` for high DNS traffic diff --git a/latest/ug/networking/coredns-metrics.adoc b/latest/ug/networking/coredns-metrics.adoc index 356e6a083..55b734716 100644 --- a/latest/ug/networking/coredns-metrics.adoc +++ b/latest/ug/networking/coredns-metrics.adoc @@ -1,4 +1,3 @@ - [.topic] [[coredns-metrics,coredns-metrics.title]] = Monitor [.noloc]`Kubernetes` DNS resolution with [.noloc]`CoreDNS` metrics diff --git a/latest/ug/networking/creating-a-vpc.adoc b/latest/ug/networking/creating-a-vpc.adoc index cb8e25cd6..6826ccae6 100644 --- a/latest/ug/networking/creating-a-vpc.adoc +++ b/latest/ug/networking/creating-a-vpc.adoc @@ -1,4 +1,3 @@ - [.topic] [[creating-a-vpc,creating-a-vpc.title]] = Create an Amazon VPC for your Amazon EKS cluster diff --git a/latest/ug/networking/deploy-ipv6-cluster.adoc b/latest/ug/networking/deploy-ipv6-cluster.adoc index cc5ae665d..2fc549e7c 100644 --- a/latest/ug/networking/deploy-ipv6-cluster.adoc +++ b/latest/ug/networking/deploy-ipv6-cluster.adoc @@ -1,4 +1,3 @@ - [.topic] [[deploy-ipv6-cluster,deploy-ipv6-cluster.title]] = Deploying an Amazon EKS `IPv6` cluster and managed Amazon Linux nodes diff --git a/latest/ug/networking/eks-networking-add-ons.adoc b/latest/ug/networking/eks-networking-add-ons.adoc index caed5bc65..a0aa9b838 100644 --- a/latest/ug/networking/eks-networking-add-ons.adoc +++ b/latest/ug/networking/eks-networking-add-ons.adoc @@ -1,4 +1,3 @@ - [.topic] [[eks-networking-add-ons,eks-networking-add-ons.title]] = Manage networking add-ons for Amazon EKS clusters diff --git a/latest/ug/networking/eks-networking.adoc b/latest/ug/networking/eks-networking.adoc index 2632a52bc..ff5a5ed7f 100644 --- a/latest/ug/networking/eks-networking.adoc +++ b/latest/ug/networking/eks-networking.adoc @@ -1,4 +1,3 @@ - [[eks-networking,eks-networking.title]] = Configure networking for Amazon EKS clusters :doctype: book diff --git a/latest/ug/networking/external-snat.adoc b/latest/ug/networking/external-snat.adoc index 5892ca021..7fe59a7ea 100644 --- a/latest/ug/networking/external-snat.adoc +++ b/latest/ug/networking/external-snat.adoc @@ -1,4 +1,3 @@ - [.topic] [[external-snat,external-snat.title]] = Enable outbound internet access for [.noloc]`Pods` diff --git a/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc b/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc index 7b8ea5218..cc72d464d 100644 --- a/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc +++ b/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc @@ -1,4 +1,3 @@ - [.topic] [[kube-proxy-add-on-self-managed-update,kube-proxy-add-on-self-managed-update.title]] = Update the Kubernetes `kube-proxy` self-managed add-on diff --git a/latest/ug/networking/lbc-helm.adoc b/latest/ug/networking/lbc-helm.adoc index a845480a6..09d58b4a9 100644 --- a/latest/ug/networking/lbc-helm.adoc +++ b/latest/ug/networking/lbc-helm.adoc @@ -1,4 +1,3 @@ - [.topic] include::../attributes.txt[] diff --git a/latest/ug/networking/lbc-manifest.adoc b/latest/ug/networking/lbc-manifest.adoc index a80163cf2..efddec994 100644 --- a/latest/ug/networking/lbc-manifest.adoc +++ b/latest/ug/networking/lbc-manifest.adoc @@ -1,4 +1,3 @@ - [.topic] [[lbc-manifest,lbc-manifest.title]] include::../attributes.txt[] diff --git a/latest/ug/networking/lbc-remove.adoc b/latest/ug/networking/lbc-remove.adoc index 786a3b471..e801e3a50 100644 --- a/latest/ug/networking/lbc-remove.adoc +++ b/latest/ug/networking/lbc-remove.adoc @@ -1,4 +1,3 @@ - [.topic] [[lbc-remove,lbc-remove.title]] = Migrate apps from deprecated ALB [.noloc]`Ingress Controller` diff --git a/latest/ug/networking/managing-coredns.adoc b/latest/ug/networking/managing-coredns.adoc index 747ddf57b..307f311ac 100644 --- a/latest/ug/networking/managing-coredns.adoc +++ b/latest/ug/networking/managing-coredns.adoc @@ -1,4 +1,3 @@ - [.topic] [[managing-coredns,managing-coredns.title]] = Manage CoreDNS for DNS in Amazon EKS clusters diff --git a/latest/ug/networking/managing-kube-proxy.adoc b/latest/ug/networking/managing-kube-proxy.adoc index b255cb1fd..59b23d60b 100644 --- a/latest/ug/networking/managing-kube-proxy.adoc +++ b/latest/ug/networking/managing-kube-proxy.adoc @@ -1,4 +1,3 @@ - [.topic] [[managing-kube-proxy,managing-kube-proxy.title]] = Manage `kube-proxy` in Amazon EKS clusters diff --git a/latest/ug/networking/managing-vpc-cni.adoc b/latest/ug/networking/managing-vpc-cni.adoc index 067ba4177..46a929bdd 100644 --- a/latest/ug/networking/managing-vpc-cni.adoc +++ b/latest/ug/networking/managing-vpc-cni.adoc @@ -1,4 +1,3 @@ - [.topic] [[managing-vpc-cni,managing-vpc-cni.title]] = Assign IPs to [.noloc]`Pods` with the Amazon VPC CNI diff --git a/latest/ug/networking/network-policies-troubleshooting.adoc b/latest/ug/networking/network-policies-troubleshooting.adoc index ae20b0633..475d9199b 100644 --- a/latest/ug/networking/network-policies-troubleshooting.adoc +++ b/latest/ug/networking/network-policies-troubleshooting.adoc @@ -1,4 +1,3 @@ - [.topic] [[network-policies-troubleshooting,network-policies-troubleshooting.title]] = Troubleshooting [.noloc]`Kubernetes` network policies For Amazon EKS diff --git a/latest/ug/networking/network-policy-disable.adoc b/latest/ug/networking/network-policy-disable.adoc index 9015ef737..1e2e32435 100644 --- a/latest/ug/networking/network-policy-disable.adoc +++ b/latest/ug/networking/network-policy-disable.adoc @@ -1,4 +1,3 @@ - [.topic] [[network-policy-disable,network-policy-disable.title]] = Disable [.noloc]`Kubernetes` network policies for Amazon EKS Pod network traffic diff --git a/latest/ug/networking/network-policy-stars-demo.adoc b/latest/ug/networking/network-policy-stars-demo.adoc index 576d7103a..3432fcef9 100644 --- a/latest/ug/networking/network-policy-stars-demo.adoc +++ b/latest/ug/networking/network-policy-stars-demo.adoc @@ -1,4 +1,3 @@ - [.topic] [[network-policy-stars-demo,network-policy-stars-demo.title]] = Stars demo of network policy for Amazon EKS diff --git a/latest/ug/networking/network-reqs.adoc b/latest/ug/networking/network-reqs.adoc index 06550aa41..85e70ab81 100644 --- a/latest/ug/networking/network-reqs.adoc +++ b/latest/ug/networking/network-reqs.adoc @@ -1,4 +1,3 @@ - [.topic] [[network-reqs,network-reqs.title]] = View Amazon EKS networking requirements for VPC and subnets diff --git a/latest/ug/networking/pod-multiple-network-interfaces.adoc b/latest/ug/networking/pod-multiple-network-interfaces.adoc index 0c565e666..1f5007f0f 100644 --- a/latest/ug/networking/pod-multiple-network-interfaces.adoc +++ b/latest/ug/networking/pod-multiple-network-interfaces.adoc @@ -1,4 +1,3 @@ - [.topic] [[pod-multiple-network-interfaces,pod-multiple-network-interfaces.title]] = Attach multiple network interfaces to [.noloc]`Pods` with [.noloc]`Multus` diff --git a/latest/ug/networking/pod-networking-use-cases.adoc b/latest/ug/networking/pod-networking-use-cases.adoc index 5038b17b3..33e836ce3 100644 --- a/latest/ug/networking/pod-networking-use-cases.adoc +++ b/latest/ug/networking/pod-networking-use-cases.adoc @@ -1,4 +1,3 @@ - [.topic] [[pod-networking-use-cases,pod-networking-use-cases.title]] = Learn about VPC CNI modes and configuration diff --git a/latest/ug/networking/sec-group-reqs.adoc b/latest/ug/networking/sec-group-reqs.adoc index b779368f8..48a387a7d 100644 --- a/latest/ug/networking/sec-group-reqs.adoc +++ b/latest/ug/networking/sec-group-reqs.adoc @@ -1,4 +1,3 @@ - [.topic] [[sec-group-reqs,sec-group-reqs.title]] = View Amazon EKS security group requirements for clusters diff --git a/latest/ug/networking/security-groups-for-pods.adoc b/latest/ug/networking/security-groups-for-pods.adoc index a9315a233..0eaeefaa9 100644 --- a/latest/ug/networking/security-groups-for-pods.adoc +++ b/latest/ug/networking/security-groups-for-pods.adoc @@ -1,4 +1,3 @@ - [.topic] [[security-groups-for-pods,security-groups-for-pods.title]] = Assign security groups to individual [.noloc]`Pods` diff --git a/latest/ug/networking/security-groups-pods-deployment.adoc b/latest/ug/networking/security-groups-pods-deployment.adoc index dd7729b85..7c2e16a01 100644 --- a/latest/ug/networking/security-groups-pods-deployment.adoc +++ b/latest/ug/networking/security-groups-pods-deployment.adoc @@ -1,4 +1,3 @@ - [.topic] [[security-groups-pods-deployment,security-groups-pods-deployment.title]] = Configure the [.noloc]`Amazon VPC CNI plugin for Kubernetes` for security groups for Amazon EKS [.noloc]`Pods` diff --git a/latest/ug/networking/sg-pods-example-deployment.adoc b/latest/ug/networking/sg-pods-example-deployment.adoc index 454b17b17..be6ae3b9e 100644 --- a/latest/ug/networking/sg-pods-example-deployment.adoc +++ b/latest/ug/networking/sg-pods-example-deployment.adoc @@ -1,4 +1,3 @@ - [.topic] [[sg-pods-example-deployment,sg-pods-example-deployment.title]] = Use a security group policy for an Amazon EKS [.noloc]`Pod` diff --git a/latest/ug/networking/vpc-add-on-create.adoc b/latest/ug/networking/vpc-add-on-create.adoc index 855856979..331570cb3 100644 --- a/latest/ug/networking/vpc-add-on-create.adoc +++ b/latest/ug/networking/vpc-add-on-create.adoc @@ -1,4 +1,3 @@ - [.topic] [[vpc-add-on-create,vpc-add-on-create.title]] = Create the Amazon VPC CNI (Amazon EKS add-on) diff --git a/latest/ug/networking/vpc-add-on-self-managed-update.adoc b/latest/ug/networking/vpc-add-on-self-managed-update.adoc index 468063ffe..fb0675187 100644 --- a/latest/ug/networking/vpc-add-on-self-managed-update.adoc +++ b/latest/ug/networking/vpc-add-on-self-managed-update.adoc @@ -1,4 +1,3 @@ - [.topic] [[vpc-add-on-self-managed-update,vpc-add-on-self-managed-update.title]] = Update the Amazon VPC CNI (self-managed add-on) diff --git a/latest/ug/networking/vpc-add-on-update.adoc b/latest/ug/networking/vpc-add-on-update.adoc index c8da60223..83a5d0762 100644 --- a/latest/ug/networking/vpc-add-on-update.adoc +++ b/latest/ug/networking/vpc-add-on-update.adoc @@ -1,4 +1,3 @@ - [.topic] [[vpc-add-on-update,vpc-add-on-update.title]] = Update the Amazon VPC CNI (Amazon EKS add-on) diff --git a/latest/ug/nodes/al2023.adoc b/latest/ug/nodes/al2023.adoc index 86b98b2df..a068dc914 100644 --- a/latest/ug/nodes/al2023.adoc +++ b/latest/ug/nodes/al2023.adoc @@ -1,4 +1,3 @@ - [.topic] [[al2023,al2023.title]] = Upgrade from Amazon Linux 2 to Amazon Linux 2023 diff --git a/latest/ug/nodes/auto-get-logs.adoc b/latest/ug/nodes/auto-get-logs.adoc index d3f1a9a52..bb40d8620 100644 --- a/latest/ug/nodes/auto-get-logs.adoc +++ b/latest/ug/nodes/auto-get-logs.adoc @@ -1,4 +1,3 @@ - [.topic] [[auto-get-logs,auto-get-logs.title]] = Retrieve node logs for a managed node using kubectl and S3 diff --git a/latest/ug/nodes/bottlerocket-compliance-support.adoc b/latest/ug/nodes/bottlerocket-compliance-support.adoc index e8b225d2a..2c3c1be07 100644 --- a/latest/ug/nodes/bottlerocket-compliance-support.adoc +++ b/latest/ug/nodes/bottlerocket-compliance-support.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] [[bottlerocket-compliance-support,bottlerocket-compliance-support.title]] diff --git a/latest/ug/nodes/choosing-instance-type.adoc b/latest/ug/nodes/choosing-instance-type.adoc index 1b95361d6..a0474efa0 100644 --- a/latest/ug/nodes/choosing-instance-type.adoc +++ b/latest/ug/nodes/choosing-instance-type.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/create-managed-node-group.adoc b/latest/ug/nodes/create-managed-node-group.adoc index 7f268fe06..f0145489d 100644 --- a/latest/ug/nodes/create-managed-node-group.adoc +++ b/latest/ug/nodes/create-managed-node-group.adoc @@ -1,4 +1,3 @@ - [.topic] [[create-managed-node-group,create-managed-node-group.title]] = Create a managed node group for your cluster diff --git a/latest/ug/nodes/delete-fargate-profile.adoc b/latest/ug/nodes/delete-fargate-profile.adoc index b5c199d85..b1d0f551d 100644 --- a/latest/ug/nodes/delete-fargate-profile.adoc +++ b/latest/ug/nodes/delete-fargate-profile.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] [[delete-fargate-profile,delete-fargate-profile.title]] diff --git a/latest/ug/nodes/delete-managed-node-group.adoc b/latest/ug/nodes/delete-managed-node-group.adoc index ca093a255..f2a77a725 100644 --- a/latest/ug/nodes/delete-managed-node-group.adoc +++ b/latest/ug/nodes/delete-managed-node-group.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] [[delete-managed-node-group,delete-managed-node-group.title]] diff --git a/latest/ug/nodes/dockershim-deprecation.adoc b/latest/ug/nodes/dockershim-deprecation.adoc index 741f2b9c1..4339d1c1f 100644 --- a/latest/ug/nodes/dockershim-deprecation.adoc +++ b/latest/ug/nodes/dockershim-deprecation.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] [[dockershim-deprecation,dockershim-deprecation.title]] diff --git a/latest/ug/nodes/eks-ami-build-scripts.adoc b/latest/ug/nodes/eks-ami-build-scripts.adoc index de1fed1dc..7f7c81057 100644 --- a/latest/ug/nodes/eks-ami-build-scripts.adoc +++ b/latest/ug/nodes/eks-ami-build-scripts.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] [[eks-ami-build-scripts,eks-ami-build-scripts.title]] diff --git a/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc b/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc index 26f6bbde0..8a0fd880f 100644 --- a/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc +++ b/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] [[eks-ami-versions-bottlerocket,eks-ami-versions-bottlerocket.title]] diff --git a/latest/ug/nodes/eks-ami-versions-windows.adoc b/latest/ug/nodes/eks-ami-versions-windows.adoc index 7b2a5a88b..cab460614 100644 --- a/latest/ug/nodes/eks-ami-versions-windows.adoc +++ b/latest/ug/nodes/eks-ami-versions-windows.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] [[eks-ami-versions-windows,eks-ami-versions-windows.title]] diff --git a/latest/ug/nodes/eks-compute.adoc b/latest/ug/nodes/eks-compute.adoc index 54ffabc41..3fe68d4b2 100644 --- a/latest/ug/nodes/eks-compute.adoc +++ b/latest/ug/nodes/eks-compute.adoc @@ -1,4 +1,3 @@ - [[eks-compute,eks-compute.title]] = Manage compute resources by using nodes :doctype: book diff --git a/latest/ug/nodes/eks-custom-ami-windows.adoc b/latest/ug/nodes/eks-custom-ami-windows.adoc index ac0b8684b..bf67b5520 100644 --- a/latest/ug/nodes/eks-custom-ami-windows.adoc +++ b/latest/ug/nodes/eks-custom-ami-windows.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] [[eks-custom-ami-windows,eks-custom-ami-windows.title]] diff --git a/latest/ug/nodes/eks-linux-ami-versions.adoc b/latest/ug/nodes/eks-linux-ami-versions.adoc index 104484e17..5e5e6e5e4 100644 --- a/latest/ug/nodes/eks-linux-ami-versions.adoc +++ b/latest/ug/nodes/eks-linux-ami-versions.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] [[eks-linux-ami-versions,eks-linux-ami-versions.title]] diff --git a/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc b/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc index ca75dff3e..64be92719 100644 --- a/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc +++ b/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] [[eks-optimized-ami-bottlerocket,eks-optimized-ami-bottlerocket.title]] diff --git a/latest/ug/nodes/eks-optimized-ami.adoc b/latest/ug/nodes/eks-optimized-ami.adoc index 4bd24b620..8f89e96c8 100644 --- a/latest/ug/nodes/eks-optimized-ami.adoc +++ b/latest/ug/nodes/eks-optimized-ami.adoc @@ -1,4 +1,3 @@ - [.topic] [[eks-optimized-ami,eks-optimized-ami.title]] = Create nodes with optimized Amazon Linux AMIs diff --git a/latest/ug/nodes/eks-optimized-amis.adoc b/latest/ug/nodes/eks-optimized-amis.adoc index 12d69206a..b2cba2371 100644 --- a/latest/ug/nodes/eks-optimized-amis.adoc +++ b/latest/ug/nodes/eks-optimized-amis.adoc @@ -1,4 +1,3 @@ - [.topic] [[eks-optimized-amis,eks-optimized-amis.title]] = Create nodes with pre-built optimized images diff --git a/latest/ug/nodes/eks-optimized-windows-ami.adoc b/latest/ug/nodes/eks-optimized-windows-ami.adoc index 4d5d3c625..1c4145815 100644 --- a/latest/ug/nodes/eks-optimized-windows-ami.adoc +++ b/latest/ug/nodes/eks-optimized-windows-ami.adoc @@ -1,4 +1,3 @@ - [.topic] [[eks-optimized-windows-ami,eks-optimized-windows-ami.title]] = Create nodes with optimized [.noloc]`Windows` AMIs diff --git a/latest/ug/nodes/eks-partner-amis.adoc b/latest/ug/nodes/eks-partner-amis.adoc index 84ebea64b..e0d16c876 100644 --- a/latest/ug/nodes/eks-partner-amis.adoc +++ b/latest/ug/nodes/eks-partner-amis.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] [[eks-partner-amis,eks-partner-amis.title]] diff --git a/latest/ug/nodes/fargate-getting-started.adoc b/latest/ug/nodes/fargate-getting-started.adoc index 1c6454a23..16e2dfd23 100644 --- a/latest/ug/nodes/fargate-getting-started.adoc +++ b/latest/ug/nodes/fargate-getting-started.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] [[fargate-getting-started,fargate-getting-started.title]] diff --git a/latest/ug/nodes/fargate-logging.adoc b/latest/ug/nodes/fargate-logging.adoc index c0162083e..e93e9a9c4 100644 --- a/latest/ug/nodes/fargate-logging.adoc +++ b/latest/ug/nodes/fargate-logging.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] [[fargate-logging,fargate-logging.title]] diff --git a/latest/ug/nodes/fargate-pod-configuration.adoc b/latest/ug/nodes/fargate-pod-configuration.adoc index 02d151a93..a4840a6a1 100644 --- a/latest/ug/nodes/fargate-pod-configuration.adoc +++ b/latest/ug/nodes/fargate-pod-configuration.adoc @@ -1,5 +1,3 @@ - - [.topic] [[fargate-pod-configuration,fargate-pod-configuration.title]] = Understand Fargate [.noloc]`Pod` configuration details diff --git a/latest/ug/nodes/fargate-pod-patching.adoc b/latest/ug/nodes/fargate-pod-patching.adoc index 8d96afe68..492b37523 100644 --- a/latest/ug/nodes/fargate-pod-patching.adoc +++ b/latest/ug/nodes/fargate-pod-patching.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] [[fargate-pod-patching,fargate-pod-patching.title]] diff --git a/latest/ug/nodes/fargate-profile.adoc b/latest/ug/nodes/fargate-profile.adoc index b162b6219..464dfde0a 100644 --- a/latest/ug/nodes/fargate-profile.adoc +++ b/latest/ug/nodes/fargate-profile.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] [[fargate-profile,fargate-profile.title]] diff --git a/latest/ug/nodes/fargate.adoc b/latest/ug/nodes/fargate.adoc index 5491eb545..2f6180b65 100644 --- a/latest/ug/nodes/fargate.adoc +++ b/latest/ug/nodes/fargate.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/hybrid-nodes-add-ons.adoc b/latest/ug/nodes/hybrid-nodes-add-ons.adoc index 9c99d1140..cf999d578 100644 --- a/latest/ug/nodes/hybrid-nodes-add-ons.adoc +++ b/latest/ug/nodes/hybrid-nodes-add-ons.adoc @@ -1,4 +1,3 @@ - [.topic] [[hybrid-nodes-add-ons,hybrid-nodes-add-ons.title]] = Configure add-ons for hybrid nodes diff --git a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc index 194366c33..4c9612977 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc @@ -1,4 +1,3 @@ - [.topic] [[hybrid-nodes-cluster-create,hybrid-nodes-cluster-create.title]] = Create an Amazon EKS cluster with hybrid nodes diff --git a/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc b/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc index ac86e3ae6..c18fa4a51 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc @@ -1,4 +1,3 @@ - [.topic] [[hybrid-nodes-cluster-prep,hybrid-nodes-cluster-prep.title]] = Prepare cluster access for hybrid nodes diff --git a/latest/ug/nodes/hybrid-nodes-cni.adoc b/latest/ug/nodes/hybrid-nodes-cni.adoc index 3d0210189..14150029d 100644 --- a/latest/ug/nodes/hybrid-nodes-cni.adoc +++ b/latest/ug/nodes/hybrid-nodes-cni.adoc @@ -1,4 +1,3 @@ - [.topic] [[hybrid-nodes-cni,hybrid-nodes-cni.title]] = Configure a CNI for hybrid nodes diff --git a/latest/ug/nodes/hybrid-nodes-creds.adoc b/latest/ug/nodes/hybrid-nodes-creds.adoc index 1f468c8bb..f93b74d9b 100644 --- a/latest/ug/nodes/hybrid-nodes-creds.adoc +++ b/latest/ug/nodes/hybrid-nodes-creds.adoc @@ -1,4 +1,3 @@ - [.topic] [[hybrid-nodes-creds,hybrid-nodes-creds.title]] = Prepare credentials for hybrid nodes diff --git a/latest/ug/nodes/hybrid-nodes-join.adoc b/latest/ug/nodes/hybrid-nodes-join.adoc index 2eb59f60c..05d86d802 100644 --- a/latest/ug/nodes/hybrid-nodes-join.adoc +++ b/latest/ug/nodes/hybrid-nodes-join.adoc @@ -1,4 +1,3 @@ - [.topic] [[hybrid-nodes-join,hybrid-nodes-join.title]] = Connect hybrid nodes diff --git a/latest/ug/nodes/hybrid-nodes-networking.adoc b/latest/ug/nodes/hybrid-nodes-networking.adoc index e7313cffe..b46f3f6d4 100644 --- a/latest/ug/nodes/hybrid-nodes-networking.adoc +++ b/latest/ug/nodes/hybrid-nodes-networking.adoc @@ -1,4 +1,3 @@ - [.topic] [[hybrid-nodes-networking,hybrid-nodes-networking.title]] = Prepare networking for hybrid nodes diff --git a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc index 663d508c8..73814bca2 100644 --- a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc +++ b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc @@ -1,4 +1,3 @@ - [.topic] [[hybrid-nodes-nodeadm,hybrid-nodes-nodeadm.title]] = Hybrid nodes `nodeadm` reference diff --git a/latest/ug/nodes/hybrid-nodes-os.adoc b/latest/ug/nodes/hybrid-nodes-os.adoc index 5a25aa83f..09e96ad47 100644 --- a/latest/ug/nodes/hybrid-nodes-os.adoc +++ b/latest/ug/nodes/hybrid-nodes-os.adoc @@ -1,4 +1,3 @@ - [.topic] [[hybrid-nodes-os,hybrid-nodes-os.title]] = Prepare operating system for hybrid nodes diff --git a/latest/ug/nodes/hybrid-nodes-prereqs.adoc b/latest/ug/nodes/hybrid-nodes-prereqs.adoc index f9728cc94..9126a4b72 100644 --- a/latest/ug/nodes/hybrid-nodes-prereqs.adoc +++ b/latest/ug/nodes/hybrid-nodes-prereqs.adoc @@ -1,4 +1,3 @@ - [.topic] [[hybrid-nodes-prereqs,hybrid-nodes-prereqs.title]] = Prerequisite setup for hybrid nodes diff --git a/latest/ug/nodes/hybrid-nodes-proxy.adoc b/latest/ug/nodes/hybrid-nodes-proxy.adoc index 9fb812354..4a04ea491 100644 --- a/latest/ug/nodes/hybrid-nodes-proxy.adoc +++ b/latest/ug/nodes/hybrid-nodes-proxy.adoc @@ -1,4 +1,3 @@ - [.topic] [[hybrid-nodes-proxy,hybrid-nodes-proxy.title]] = Configure proxy for hybrid nodes diff --git a/latest/ug/nodes/hybrid-nodes-remove.adoc b/latest/ug/nodes/hybrid-nodes-remove.adoc index d2f69a483..62afc5d4f 100644 --- a/latest/ug/nodes/hybrid-nodes-remove.adoc +++ b/latest/ug/nodes/hybrid-nodes-remove.adoc @@ -1,4 +1,3 @@ - [.topic] [[hybrid-nodes-remove,hybrid-nodes-remove.title]] = Remove hybrid nodes diff --git a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc index 43a87a0d7..5bb896ef2 100644 --- a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc +++ b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc @@ -1,4 +1,3 @@ - [.topic] [[hybrid-nodes-troubleshooting,hybrid-nodes-troubleshooting.title]] = Troubleshooting hybrid nodes diff --git a/latest/ug/nodes/hybrid-nodes-tutorial.adoc b/latest/ug/nodes/hybrid-nodes-tutorial.adoc index 33bd922fb..4a85248a0 100644 --- a/latest/ug/nodes/hybrid-nodes-tutorial.adoc +++ b/latest/ug/nodes/hybrid-nodes-tutorial.adoc @@ -1,4 +1,3 @@ - [.topic] [[hybrid-nodes-tutorial,hybrid-nodes-tutorial.title]] = Run on-premises workloads on hybrid nodes diff --git a/latest/ug/nodes/hybrid-nodes-upgrade.adoc b/latest/ug/nodes/hybrid-nodes-upgrade.adoc index 12ce65277..d2e496652 100644 --- a/latest/ug/nodes/hybrid-nodes-upgrade.adoc +++ b/latest/ug/nodes/hybrid-nodes-upgrade.adoc @@ -1,4 +1,3 @@ - [.topic] [[hybrid-nodes-upgrade,hybrid-nodes-upgrade.title]] = Upgrade hybrid nodes for your cluster diff --git a/latest/ug/nodes/hybrid-nodes.adoc b/latest/ug/nodes/hybrid-nodes.adoc index 874f77edd..34ee318cf 100644 --- a/latest/ug/nodes/hybrid-nodes.adoc +++ b/latest/ug/nodes/hybrid-nodes.adoc @@ -1,4 +1,3 @@ - [.topic] [[hybrid-nodes-overview,hybrid-nodes-overview.title]] = Amazon EKS Hybrid Nodes overview diff --git a/latest/ug/nodes/launch-node-bottlerocket.adoc b/latest/ug/nodes/launch-node-bottlerocket.adoc index cafaad24d..6189ca609 100644 --- a/latest/ug/nodes/launch-node-bottlerocket.adoc +++ b/latest/ug/nodes/launch-node-bottlerocket.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] [[launch-node-bottlerocket,launch-node-bottlerocket.title]] diff --git a/latest/ug/nodes/launch-node-ubuntu.adoc b/latest/ug/nodes/launch-node-ubuntu.adoc index 7f103ceb6..75891fb89 100644 --- a/latest/ug/nodes/launch-node-ubuntu.adoc +++ b/latest/ug/nodes/launch-node-ubuntu.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] [[launch-node-ubuntu,launch-node-ubuntu.title]] diff --git a/latest/ug/nodes/launch-templates.adoc b/latest/ug/nodes/launch-templates.adoc index 131718b3b..8179a9d7e 100644 --- a/latest/ug/nodes/launch-templates.adoc +++ b/latest/ug/nodes/launch-templates.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] [[launch-templates,launch-templates.title]] diff --git a/latest/ug/nodes/launch-windows-workers.adoc b/latest/ug/nodes/launch-windows-workers.adoc index 12d3f5086..c17be3b8d 100644 --- a/latest/ug/nodes/launch-windows-workers.adoc +++ b/latest/ug/nodes/launch-windows-workers.adoc @@ -1,4 +1,3 @@ - [.topic] [[launch-windows-workers,launch-windows-workers.title]] = Create self-managed [.noloc]`Microsoft Windows` nodes diff --git a/latest/ug/nodes/launch-workers.adoc b/latest/ug/nodes/launch-workers.adoc index ee5804df9..49ba3b9f0 100644 --- a/latest/ug/nodes/launch-workers.adoc +++ b/latest/ug/nodes/launch-workers.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] [[launch-workers,launch-workers.title]] diff --git a/latest/ug/nodes/learn-status-conditions.adoc b/latest/ug/nodes/learn-status-conditions.adoc index 070ab979f..53a7caadc 100644 --- a/latest/ug/nodes/learn-status-conditions.adoc +++ b/latest/ug/nodes/learn-status-conditions.adoc @@ -1,4 +1,3 @@ - [.topic] [[learn-status-conditions,learn-status-conditions.title]] = View the health status of your nodes diff --git a/latest/ug/nodes/managed-node-groups.adoc b/latest/ug/nodes/managed-node-groups.adoc index 98d71ec2b..175fb93b1 100644 --- a/latest/ug/nodes/managed-node-groups.adoc +++ b/latest/ug/nodes/managed-node-groups.adoc @@ -1,4 +1,3 @@ - [.topic] [[managed-node-groups,managed-node-groups.title]] = Simplify node lifecycle with managed node groups diff --git a/latest/ug/nodes/managed-node-update-behavior.adoc b/latest/ug/nodes/managed-node-update-behavior.adoc index 8b805bad1..1b241e698 100644 --- a/latest/ug/nodes/managed-node-update-behavior.adoc +++ b/latest/ug/nodes/managed-node-update-behavior.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] [[managed-node-update-behavior,managed-node-update-behavior.title]] diff --git a/latest/ug/nodes/migrate-stack.adoc b/latest/ug/nodes/migrate-stack.adoc index 02e3cb53e..8b12f5237 100644 --- a/latest/ug/nodes/migrate-stack.adoc +++ b/latest/ug/nodes/migrate-stack.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] [[migrate-stack,migrate-stack.title]] diff --git a/latest/ug/nodes/monitoring-fargate-usage.adoc b/latest/ug/nodes/monitoring-fargate-usage.adoc index 8660cc045..ecbef1c7e 100644 --- a/latest/ug/nodes/monitoring-fargate-usage.adoc +++ b/latest/ug/nodes/monitoring-fargate-usage.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] [[monitoring-fargate-usage,monitoring-fargate-usage.title]] diff --git a/latest/ug/nodes/node-health.adoc b/latest/ug/nodes/node-health.adoc index 6bade151c..1d732cbd2 100644 --- a/latest/ug/nodes/node-health.adoc +++ b/latest/ug/nodes/node-health.adoc @@ -1,4 +1,3 @@ - [.topic] [[node-health,node-health.title]] = Enable node auto repair and investigate node health issues diff --git a/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc b/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc index b2586b9d5..90126ad75 100644 --- a/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc +++ b/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc @@ -1,4 +1,3 @@ - [.topic] [[retrieve-ami-id-bottlerocket,retrieve-ami-id-bottlerocket.title]] = Retrieve recommended [.noloc]`Bottlerocket` AMI IDs diff --git a/latest/ug/nodes/retrieve-ami-id.adoc b/latest/ug/nodes/retrieve-ami-id.adoc index ebc394f67..e7bfd8558 100644 --- a/latest/ug/nodes/retrieve-ami-id.adoc +++ b/latest/ug/nodes/retrieve-ami-id.adoc @@ -1,4 +1,3 @@ - [.topic] [[retrieve-ami-id,retrieve-ami-id.title]] = Retrieve recommended Amazon Linux AMI IDs diff --git a/latest/ug/nodes/retrieve-windows-ami-id.adoc b/latest/ug/nodes/retrieve-windows-ami-id.adoc index 797e78623..78c6779f1 100644 --- a/latest/ug/nodes/retrieve-windows-ami-id.adoc +++ b/latest/ug/nodes/retrieve-windows-ami-id.adoc @@ -1,4 +1,3 @@ - [.topic] [[retrieve-windows-ami-id,retrieve-windows-ami-id.title]] = Retrieve recommended [.noloc]`Microsoft Windows` AMI IDs diff --git a/latest/ug/nodes/self-managed-windows-server-2022.adoc b/latest/ug/nodes/self-managed-windows-server-2022.adoc index e7e91970b..a5caafc22 100644 --- a/latest/ug/nodes/self-managed-windows-server-2022.adoc +++ b/latest/ug/nodes/self-managed-windows-server-2022.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] [[self-managed-windows-server-2022,self-managed-windows-server-2022.title]] diff --git a/latest/ug/nodes/update-managed-node-group.adoc b/latest/ug/nodes/update-managed-node-group.adoc index e794042f1..50e73e608 100644 --- a/latest/ug/nodes/update-managed-node-group.adoc +++ b/latest/ug/nodes/update-managed-node-group.adoc @@ -1,4 +1,3 @@ - [.topic] [[update-managed-node-group,update-managed-node-group.title]] = Update a managed node group for your cluster diff --git a/latest/ug/nodes/update-stack.adoc b/latest/ug/nodes/update-stack.adoc index 9f0eb251a..b304f3b5e 100644 --- a/latest/ug/nodes/update-stack.adoc +++ b/latest/ug/nodes/update-stack.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] [[update-stack,update-stack.title]] diff --git a/latest/ug/nodes/update-workers.adoc b/latest/ug/nodes/update-workers.adoc index 1ae0396ee..d82bc998f 100644 --- a/latest/ug/nodes/update-workers.adoc +++ b/latest/ug/nodes/update-workers.adoc @@ -1,4 +1,3 @@ - [.topic] [[update-workers,update-workers.title]] = Update self-managed nodes for your cluster diff --git a/latest/ug/nodes/worker.adoc b/latest/ug/nodes/worker.adoc index cbebc4441..bc7bb4260 100644 --- a/latest/ug/nodes/worker.adoc +++ b/latest/ug/nodes/worker.adoc @@ -1,4 +1,3 @@ - [.topic] [[worker,worker.title]] = Maintain nodes yourself with self-managed nodes diff --git a/latest/ug/observability/cloudwatch.adoc b/latest/ug/observability/cloudwatch.adoc index 8f28a0c37..ef815caed 100644 --- a/latest/ug/observability/cloudwatch.adoc +++ b/latest/ug/observability/cloudwatch.adoc @@ -1,5 +1,3 @@ - - [.topic] [[cloudwatch,cloudwatch.title]] = Monitor cluster data with Amazon CloudWatch diff --git a/latest/ug/observability/control-plane-logs.adoc b/latest/ug/observability/control-plane-logs.adoc index 705d3c6a8..7923ad57a 100644 --- a/latest/ug/observability/control-plane-logs.adoc +++ b/latest/ug/observability/control-plane-logs.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/observability/deploy-prometheus.adoc b/latest/ug/observability/deploy-prometheus.adoc index e8e6f774d..a7008c0d1 100644 --- a/latest/ug/observability/deploy-prometheus.adoc +++ b/latest/ug/observability/deploy-prometheus.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] [[deploy-prometheus,deploy-prometheus.title]] diff --git a/latest/ug/observability/eks-observe.adoc b/latest/ug/observability/eks-observe.adoc index b32e0f2bd..d861160cf 100644 --- a/latest/ug/observability/eks-observe.adoc +++ b/latest/ug/observability/eks-observe.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [[eks-observe,eks-observe.title]] = Monitor your cluster performance and view logs diff --git a/latest/ug/observability/enable-asg-metrics.adoc b/latest/ug/observability/enable-asg-metrics.adoc index bddbc9e71..ead9cecfc 100644 --- a/latest/ug/observability/enable-asg-metrics.adoc +++ b/latest/ug/observability/enable-asg-metrics.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] [[enable-asg-metrics,enable-asg-metrics.title]] diff --git a/latest/ug/observability/logging-using-cloudtrail.adoc b/latest/ug/observability/logging-using-cloudtrail.adoc index 412dce193..981e4f99f 100644 --- a/latest/ug/observability/logging-using-cloudtrail.adoc +++ b/latest/ug/observability/logging-using-cloudtrail.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/observability/service-name-info-in-cloudtrail.adoc b/latest/ug/observability/service-name-info-in-cloudtrail.adoc index a786aa15b..e0428654c 100644 --- a/latest/ug/observability/service-name-info-in-cloudtrail.adoc +++ b/latest/ug/observability/service-name-info-in-cloudtrail.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] [[service-name-info-in-cloudtrail,service-name-info-in-cloudtrail.title]] diff --git a/latest/ug/observability/understanding-service-name-entries.adoc b/latest/ug/observability/understanding-service-name-entries.adoc index ac6823ea1..1dd581cc6 100644 --- a/latest/ug/observability/understanding-service-name-entries.adoc +++ b/latest/ug/observability/understanding-service-name-entries.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] [[understanding-service-name-entries,understanding-service-name-entries.title]] diff --git a/latest/ug/outposts/eks-outposts-capacity-considerations.adoc b/latest/ug/outposts/eks-outposts-capacity-considerations.adoc index 178deca3e..75ba95c6c 100644 --- a/latest/ug/outposts/eks-outposts-capacity-considerations.adoc +++ b/latest/ug/outposts/eks-outposts-capacity-considerations.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts-local-cluster-create.adoc b/latest/ug/outposts/eks-outposts-local-cluster-create.adoc index af3ae128a..413d1dfa7 100644 --- a/latest/ug/outposts/eks-outposts-local-cluster-create.adoc +++ b/latest/ug/outposts/eks-outposts-local-cluster-create.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc b/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc index 82d436b40..5d7c6a1f5 100644 --- a/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc +++ b/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts-network-disconnects.adoc b/latest/ug/outposts/eks-outposts-network-disconnects.adoc index da3a3af7b..baf9c765f 100644 --- a/latest/ug/outposts/eks-outposts-network-disconnects.adoc +++ b/latest/ug/outposts/eks-outposts-network-disconnects.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts-platform-versions.adoc b/latest/ug/outposts/eks-outposts-platform-versions.adoc index 9dec767f5..e3a4bb9db 100644 --- a/latest/ug/outposts/eks-outposts-platform-versions.adoc +++ b/latest/ug/outposts/eks-outposts-platform-versions.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc index 1fd317aca..0aa2814e3 100644 --- a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc +++ b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts-troubleshooting.adoc b/latest/ug/outposts/eks-outposts-troubleshooting.adoc index 592e11959..b3c37f3e8 100644 --- a/latest/ug/outposts/eks-outposts-troubleshooting.adoc +++ b/latest/ug/outposts/eks-outposts-troubleshooting.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc b/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc index f7fa52a08..07e181cc5 100644 --- a/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc +++ b/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts.adoc b/latest/ug/outposts/eks-outposts.adoc index fdc4acfc7..8058910d1 100644 --- a/latest/ug/outposts/eks-outposts.adoc +++ b/latest/ug/outposts/eks-outposts.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [[eks-outposts,eks-outposts.title]] = Deploy Amazon EKS on-premises with {aws} Outposts diff --git a/latest/ug/quickstart.adoc b/latest/ug/quickstart.adoc index 864f22f6e..236a31599 100644 --- a/latest/ug/quickstart.adoc +++ b/latest/ug/quickstart.adoc @@ -1,4 +1,3 @@ - [.topic] [[quickstart,quickstart.title]] = Quickstart: Deploy a web app and store data diff --git a/latest/ug/related-projects.adoc b/latest/ug/related-projects.adoc index 8e7c61156..ad08dc451 100644 --- a/latest/ug/related-projects.adoc +++ b/latest/ug/related-projects.adoc @@ -1,4 +1,3 @@ - include::attributes.txt[] [[related-projects,related-projects.title]] = Extend Amazon EKS capabilities with open source projects diff --git a/latest/ug/roadmap.adoc b/latest/ug/roadmap.adoc index 7a3eeaaa4..0d782eb65 100644 --- a/latest/ug/roadmap.adoc +++ b/latest/ug/roadmap.adoc @@ -1,4 +1,3 @@ - include::attributes.txt[] [.topic] [[roadmap,roadmap.title]] diff --git a/latest/ug/security/auto-security.adoc b/latest/ug/security/auto-security.adoc index a6cfae129..6e817f183 100644 --- a/latest/ug/security/auto-security.adoc +++ b/latest/ug/security/auto-security.adoc @@ -1,4 +1,3 @@ - [.topic] [[auto-security,auto-security.title]] = Security considerations for Amazon EKS Auto Mode diff --git a/latest/ug/security/cert-signing.adoc b/latest/ug/security/cert-signing.adoc index d18d81ee5..93b8ba658 100644 --- a/latest/ug/security/cert-signing.adoc +++ b/latest/ug/security/cert-signing.adoc @@ -1,4 +1,3 @@ - [.topic] [[cert-signing,cert-signing.title]] = Secure workloads with [.noloc]`Kubernetes` certificates diff --git a/latest/ug/security/compliance.adoc b/latest/ug/security/compliance.adoc index cbc7d280a..9b2f26638 100644 --- a/latest/ug/security/compliance.adoc +++ b/latest/ug/security/compliance.adoc @@ -1,4 +1,3 @@ - [.topic] [[compliance,compliance.title]] = Compliance validation for Amazon EKS clusters diff --git a/latest/ug/security/configuration-vulnerability-analysis.adoc b/latest/ug/security/configuration-vulnerability-analysis.adoc index f188e0be9..fb9d1612a 100644 --- a/latest/ug/security/configuration-vulnerability-analysis.adoc +++ b/latest/ug/security/configuration-vulnerability-analysis.adoc @@ -1,4 +1,3 @@ - [.topic] [[configuration-vulnerability-analysis,configuration-vulnerability-analysis.title]] = Analyze vulnerabilities in Amazon EKS diff --git a/latest/ug/security/default-roles-users.adoc b/latest/ug/security/default-roles-users.adoc index 0de9bdfd5..744b24cae 100644 --- a/latest/ug/security/default-roles-users.adoc +++ b/latest/ug/security/default-roles-users.adoc @@ -1,4 +1,3 @@ - [.topic] [[default-roles-users,default-roles-users.title]] = Understand Amazon EKS created RBAC roles and users diff --git a/latest/ug/security/disaster-recovery-resiliency.adoc b/latest/ug/security/disaster-recovery-resiliency.adoc index 631d56b80..e41df74fe 100644 --- a/latest/ug/security/disaster-recovery-resiliency.adoc +++ b/latest/ug/security/disaster-recovery-resiliency.adoc @@ -1,4 +1,3 @@ - [.topic] [[disaster-recovery-resiliency,disaster-recovery-resiliency.title]] = Understand resilience in Amazon EKS clusters diff --git a/latest/ug/security/enable-kms.adoc b/latest/ug/security/enable-kms.adoc index 12872a3dc..7b223b2e1 100644 --- a/latest/ug/security/enable-kms.adoc +++ b/latest/ug/security/enable-kms.adoc @@ -1,4 +1,3 @@ - [.topic] [[enable-kms,enable-kms.title]] = Encrypt Kubernetes secrets with {aws} KMS on existing clusters diff --git a/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc b/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc index 6df36a229..c4eb21165 100644 --- a/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc +++ b/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc @@ -1,4 +1,3 @@ - [.topic] [[auto-cluster-iam-role,auto-cluster-iam-role.title]] = Amazon EKS Auto Mode cluster IAM role diff --git a/latest/ug/security/iam-reference/auto-create-node-role.adoc b/latest/ug/security/iam-reference/auto-create-node-role.adoc index fc63ba242..bfb221e52 100644 --- a/latest/ug/security/iam-reference/auto-create-node-role.adoc +++ b/latest/ug/security/iam-reference/auto-create-node-role.adoc @@ -1,4 +1,3 @@ - [.topic] [[auto-create-node-role,auto-create-node-role.title]] = Amazon EKS Auto Mode node IAM role diff --git a/latest/ug/security/iam-reference/cluster-iam-role.adoc b/latest/ug/security/iam-reference/cluster-iam-role.adoc index 7963969f0..b4d234ec5 100644 --- a/latest/ug/security/iam-reference/cluster-iam-role.adoc +++ b/latest/ug/security/iam-reference/cluster-iam-role.adoc @@ -1,4 +1,3 @@ - [.topic] [[cluster-iam-role,cluster-iam-role.title]] = Amazon EKS cluster IAM role diff --git a/latest/ug/security/iam-reference/connector-iam-role.adoc b/latest/ug/security/iam-reference/connector-iam-role.adoc index f09545c40..2b3c733e1 100644 --- a/latest/ug/security/iam-reference/connector-iam-role.adoc +++ b/latest/ug/security/iam-reference/connector-iam-role.adoc @@ -1,4 +1,3 @@ - [.topic] [[connector-iam-role,connector-iam-role.title]] = Amazon EKS connector IAM role diff --git a/latest/ug/security/iam-reference/create-node-role.adoc b/latest/ug/security/iam-reference/create-node-role.adoc index 0cc47cf9d..71bc33965 100644 --- a/latest/ug/security/iam-reference/create-node-role.adoc +++ b/latest/ug/security/iam-reference/create-node-role.adoc @@ -1,4 +1,3 @@ - [.topic] [[create-node-role,create-node-role.title]] = Amazon EKS node IAM role diff --git a/latest/ug/security/iam-reference/pod-execution-role.adoc b/latest/ug/security/iam-reference/pod-execution-role.adoc index a1400e478..108750046 100644 --- a/latest/ug/security/iam-reference/pod-execution-role.adoc +++ b/latest/ug/security/iam-reference/pod-execution-role.adoc @@ -1,4 +1,3 @@ - [.topic] [[pod-execution-role,pod-execution-role.title]] = Amazon EKS [.noloc]`Pod` execution IAM role diff --git a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc index b8a45d280..294e9ebf9 100644 --- a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc +++ b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc @@ -1,4 +1,3 @@ - include::../../attributes.txt[] [.topic] [[security-iam-awsmanpol,security-iam-awsmanpol.title]] diff --git a/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc b/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc index 668d1a43b..8059b4d98 100644 --- a/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc +++ b/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc @@ -1,4 +1,3 @@ - [.topic] [[security-iam-id-based-policy-examples,security-iam-id-based-policy-examples.title]] = Amazon EKS identity-based policy examples diff --git a/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc b/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc index edd89caec..1048072c1 100644 --- a/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc +++ b/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc @@ -1,4 +1,3 @@ - [.topic] [[security-iam-service-with-iam,security-iam-service-with-iam.title]] = How Amazon EKS works with IAM diff --git a/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc b/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc index 5422a51c3..9e20eae63 100644 --- a/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc +++ b/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc @@ -1,4 +1,3 @@ - [.topic] [[security-iam-troubleshoot,security-iam-troubleshoot.title]] = Troubleshooting IAM diff --git a/latest/ug/security/iam-reference/security-iam.adoc b/latest/ug/security/iam-reference/security-iam.adoc index ddde0a048..0619d63a6 100644 --- a/latest/ug/security/iam-reference/security-iam.adoc +++ b/latest/ug/security/iam-reference/security-iam.adoc @@ -1,4 +1,3 @@ - [.topic] [[security-iam,security-iam.title]] = Identity and access management for Amazon EKS diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc index 76761b6ab..10916e35e 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc @@ -1,4 +1,3 @@ - [.topic] [[using-service-linked-roles-eks-connector,using-service-linked-roles-eks-connector.title]] = Using roles to connect a [.noloc]`Kubernetes` cluster to Amazon EKS diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc index 1b1b3e2c7..5820ece18 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc @@ -1,4 +1,3 @@ - [.topic] [[using-service-linked-roles-eks-fargate,using-service-linked-roles-eks-fargate.title]] = Using roles for Amazon EKS Fargate profiles diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc index 6027b48a8..1b62b4c84 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc @@ -1,4 +1,3 @@ - [.topic] [[using-service-linked-roles-eks-nodegroups,using-service-linked-roles-eks-nodegroups.title]] = Using roles for Amazon EKS node groups diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc index 904cba19c..d22daa5f7 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc @@ -1,4 +1,3 @@ - [.topic] [[using-service-linked-roles-eks-outpost,using-service-linked-roles-eks-outpost.title]] = Using roles for Amazon EKS local clusters on Outpost diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc index d525f510d..36e33c778 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc @@ -1,4 +1,3 @@ - [.topic] [[using-service-linked-roles-eks,using-service-linked-roles-eks.title]] = Using roles for Amazon EKS clusters diff --git a/latest/ug/security/iam-reference/using-service-linked-roles.adoc b/latest/ug/security/iam-reference/using-service-linked-roles.adoc index b89a30bd8..12c5558aa 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles.adoc @@ -1,4 +1,3 @@ - [.topic] [[using-service-linked-roles,using-service-linked-roles.title]] = Using service-linked roles for Amazon EKS diff --git a/latest/ug/security/infrastructure-security.adoc b/latest/ug/security/infrastructure-security.adoc index 3f033a558..9d59895a1 100644 --- a/latest/ug/security/infrastructure-security.adoc +++ b/latest/ug/security/infrastructure-security.adoc @@ -1,4 +1,3 @@ - [.topic] [[infrastructure-security,infrastructure-security.title]] = Infrastructure security in Amazon EKS diff --git a/latest/ug/security/manage-secrets.adoc b/latest/ug/security/manage-secrets.adoc index df1dd5822..163fc203e 100644 --- a/latest/ug/security/manage-secrets.adoc +++ b/latest/ug/security/manage-secrets.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/security/pod-security-policy-removal-faq.adoc b/latest/ug/security/pod-security-policy-removal-faq.adoc index ad979e673..14dbb1d30 100644 --- a/latest/ug/security/pod-security-policy-removal-faq.adoc +++ b/latest/ug/security/pod-security-policy-removal-faq.adoc @@ -1,4 +1,3 @@ - [.topic] [[pod-security-policy-removal-faq,pod-security-policy-removal-faq.title]] = Migrate from legacy [.noloc]`Pod` security policies (PSP) diff --git a/latest/ug/security/pod-security-policy.adoc b/latest/ug/security/pod-security-policy.adoc index d22314850..aee5127ae 100644 --- a/latest/ug/security/pod-security-policy.adoc +++ b/latest/ug/security/pod-security-policy.adoc @@ -1,4 +1,3 @@ - [.topic] [[pod-security-policy,pod-security-policy.title]] = Understand Amazon EKS created [.noloc]`Pod` security policies [.noloc]`(PSP)` diff --git a/latest/ug/security/security-best-practices.adoc b/latest/ug/security/security-best-practices.adoc index bde84244f..73fd74d62 100644 --- a/latest/ug/security/security-best-practices.adoc +++ b/latest/ug/security/security-best-practices.adoc @@ -1,4 +1,3 @@ - [.topic] [[security-best-practices,security-best-practices.title]] = Secure Amazon EKS clusters with best practices diff --git a/latest/ug/security/security-eks.adoc b/latest/ug/security/security-eks.adoc index e37f338b4..d0edcef13 100644 --- a/latest/ug/security/security-eks.adoc +++ b/latest/ug/security/security-eks.adoc @@ -1,4 +1,3 @@ - [.topic] [[security-eks,security-eks.title]] = Security considerations for Amazon Elastic Kubernetes Service diff --git a/latest/ug/security/security-k8s.adoc b/latest/ug/security/security-k8s.adoc index 45cf53569..98b11aaa9 100644 --- a/latest/ug/security/security-k8s.adoc +++ b/latest/ug/security/security-k8s.adoc @@ -1,4 +1,3 @@ - [.topic] [[security-k8s,security-k8s.title]] = Security considerations for [.noloc]`Kubernetes` diff --git a/latest/ug/security/security.adoc b/latest/ug/security/security.adoc index 71ca45cfd..59930a3fb 100644 --- a/latest/ug/security/security.adoc +++ b/latest/ug/security/security.adoc @@ -1,4 +1,3 @@ - [.topic] [[security,security.title]] = Security in Amazon EKS diff --git a/latest/ug/security/vpc-interface-endpoints.adoc b/latest/ug/security/vpc-interface-endpoints.adoc index 61e1c3af6..ec2ccdb4d 100644 --- a/latest/ug/security/vpc-interface-endpoints.adoc +++ b/latest/ug/security/vpc-interface-endpoints.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/storage/csi-snapshot-controller.adoc b/latest/ug/storage/csi-snapshot-controller.adoc index 2a0472902..a6654dc8f 100644 --- a/latest/ug/storage/csi-snapshot-controller.adoc +++ b/latest/ug/storage/csi-snapshot-controller.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/storage/ebs-csi-migration-faq.adoc b/latest/ug/storage/ebs-csi-migration-faq.adoc index 2140cca47..e220db5e4 100644 --- a/latest/ug/storage/ebs-csi-migration-faq.adoc +++ b/latest/ug/storage/ebs-csi-migration-faq.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/storage/ebs-csi.adoc b/latest/ug/storage/ebs-csi.adoc index df702c5bf..d10f1a15f 100644 --- a/latest/ug/storage/ebs-csi.adoc +++ b/latest/ug/storage/ebs-csi.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/storage/efs-csi.adoc b/latest/ug/storage/efs-csi.adoc index 765c48d6a..194193a47 100644 --- a/latest/ug/storage/efs-csi.adoc +++ b/latest/ug/storage/efs-csi.adoc @@ -1,4 +1,3 @@ - [.topic] [[efs-csi,efs-csi.title]] = Store an elastic file system with Amazon EFS diff --git a/latest/ug/storage/file-cache-csi.adoc b/latest/ug/storage/file-cache-csi.adoc index b86f1330b..b33bcad7e 100644 --- a/latest/ug/storage/file-cache-csi.adoc +++ b/latest/ug/storage/file-cache-csi.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/storage/fsx-csi.adoc b/latest/ug/storage/fsx-csi.adoc index af9fbca8a..c46b7003e 100644 --- a/latest/ug/storage/fsx-csi.adoc +++ b/latest/ug/storage/fsx-csi.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/storage/fsx-ontap.adoc b/latest/ug/storage/fsx-ontap.adoc index 1a8aaa4cf..922f29f97 100644 --- a/latest/ug/storage/fsx-ontap.adoc +++ b/latest/ug/storage/fsx-ontap.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/storage/fsx-openzfs-csi.adoc b/latest/ug/storage/fsx-openzfs-csi.adoc index b4e90e266..8fa015bb7 100644 --- a/latest/ug/storage/fsx-openzfs-csi.adoc +++ b/latest/ug/storage/fsx-openzfs-csi.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/storage/s3-csi.adoc b/latest/ug/storage/s3-csi.adoc index ee2707c63..043bb42e3 100644 --- a/latest/ug/storage/s3-csi.adoc +++ b/latest/ug/storage/s3-csi.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/storage/storage.adoc b/latest/ug/storage/storage.adoc index 4838b188a..7cecf833f 100644 --- a/latest/ug/storage/storage.adoc +++ b/latest/ug/storage/storage.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [[storage,storage.title]] = Store application data for your cluster diff --git a/latest/ug/troubleshooting/troubleshooting.adoc b/latest/ug/troubleshooting/troubleshooting.adoc index a105aa872..fcd5f26fc 100644 --- a/latest/ug/troubleshooting/troubleshooting.adoc +++ b/latest/ug/troubleshooting/troubleshooting.adoc @@ -1,4 +1,3 @@ - [[troubleshooting,troubleshooting.title]] = Troubleshoot problems with Amazon EKS clusters and nodes :doctype: book diff --git a/latest/ug/what-is/common-use-cases.adoc b/latest/ug/what-is/common-use-cases.adoc index 01e3d2fa7..7c9d1490c 100644 --- a/latest/ug/what-is/common-use-cases.adoc +++ b/latest/ug/what-is/common-use-cases.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/what-is/eks-architecture.adoc b/latest/ug/what-is/eks-architecture.adoc index 7351641b0..683b77fbf 100644 --- a/latest/ug/what-is/eks-architecture.adoc +++ b/latest/ug/what-is/eks-architecture.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/what-is/eks-deployment-options.adoc b/latest/ug/what-is/eks-deployment-options.adoc index 0705a23b1..1a3ec54c4 100644 --- a/latest/ug/what-is/eks-deployment-options.adoc +++ b/latest/ug/what-is/eks-deployment-options.adoc @@ -1,4 +1,3 @@ - [.topic] [[eks-deployment-options,eks-deployment-options.title]] = Deploy Amazon EKS clusters across cloud and on-premises environments diff --git a/latest/ug/what-is/kubernetes-concepts.adoc b/latest/ug/what-is/kubernetes-concepts.adoc index b428e8744..a7b194eb6 100644 --- a/latest/ug/what-is/kubernetes-concepts.adoc +++ b/latest/ug/what-is/kubernetes-concepts.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index 1cc587416..b3df7017d 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] [[what-is-eks,what-is-eks.title]] diff --git a/latest/ug/workloads/add-ons-iam.adoc b/latest/ug/workloads/add-ons-iam.adoc index d06c5bef7..08fc1ee14 100644 --- a/latest/ug/workloads/add-ons-iam.adoc +++ b/latest/ug/workloads/add-ons-iam.adoc @@ -1,4 +1,3 @@ - [.topic] [[add-ons-iam,add-ons-iam.title]] = IAM roles for Amazon EKS add-ons diff --git a/latest/ug/workloads/add-ons-images.adoc b/latest/ug/workloads/add-ons-images.adoc index 3afa72152..8a630959c 100644 --- a/latest/ug/workloads/add-ons-images.adoc +++ b/latest/ug/workloads/add-ons-images.adoc @@ -1,4 +1,3 @@ - [.topic] [[add-ons-images,add-ons-images.title]] = View Amazon container image registries for Amazon EKS add-ons diff --git a/latest/ug/workloads/addon-compat.adoc b/latest/ug/workloads/addon-compat.adoc index d77415923..a25d3c56d 100644 --- a/latest/ug/workloads/addon-compat.adoc +++ b/latest/ug/workloads/addon-compat.adoc @@ -1,5 +1,3 @@ - - [.topic] [[addon-compat,addon-compat.title]] = Verify Amazon EKS add-on version compatibility with a cluster diff --git a/latest/ug/workloads/addon-id-troubleshoot.adoc b/latest/ug/workloads/addon-id-troubleshoot.adoc index beac36b9b..f48be9303 100644 --- a/latest/ug/workloads/addon-id-troubleshoot.adoc +++ b/latest/ug/workloads/addon-id-troubleshoot.adoc @@ -1,4 +1,3 @@ - [.topic] [[addon-id-troubleshoot,addon-id-troubleshoot.title]] = Troubleshoot Pod Identities for EKS add-ons diff --git a/latest/ug/workloads/alb-ingress.adoc b/latest/ug/workloads/alb-ingress.adoc index 23d40635f..813463a84 100644 --- a/latest/ug/workloads/alb-ingress.adoc +++ b/latest/ug/workloads/alb-ingress.adoc @@ -1,4 +1,3 @@ - [.topic] [[alb-ingress,alb-ingress.title]] = Route application and [.noloc]`HTTP` traffic with [.noloc]`Application Load Balancers` diff --git a/latest/ug/workloads/community-addons.adoc b/latest/ug/workloads/community-addons.adoc index ea79b399e..8c2ca41d3 100644 --- a/latest/ug/workloads/community-addons.adoc +++ b/latest/ug/workloads/community-addons.adoc @@ -1,4 +1,3 @@ - [.topic] [[community-addons,community-addons.title]] = Community add-ons diff --git a/latest/ug/workloads/copy-image-to-repository.adoc b/latest/ug/workloads/copy-image-to-repository.adoc index 02e8f2fc4..74585ccae 100644 --- a/latest/ug/workloads/copy-image-to-repository.adoc +++ b/latest/ug/workloads/copy-image-to-repository.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/workloads/creating-an-add-on.adoc b/latest/ug/workloads/creating-an-add-on.adoc index dad22cc4c..8b1b3cae7 100644 --- a/latest/ug/workloads/creating-an-add-on.adoc +++ b/latest/ug/workloads/creating-an-add-on.adoc @@ -1,5 +1,3 @@ - - [.topic] [[creating-an-add-on,creating-an-add-on.title]] = Create an Amazon EKS add-on diff --git a/latest/ug/workloads/eks-add-ons.adoc b/latest/ug/workloads/eks-add-ons.adoc index bfad5782c..f5318b423 100644 --- a/latest/ug/workloads/eks-add-ons.adoc +++ b/latest/ug/workloads/eks-add-ons.adoc @@ -1,5 +1,3 @@ - - [.topic] [[eks-add-ons,eks-add-ons.title]] = Amazon EKS add-ons diff --git a/latest/ug/workloads/eks-workloads.adoc b/latest/ug/workloads/eks-workloads.adoc index 3d2c83b8d..cc0ab4a8e 100644 --- a/latest/ug/workloads/eks-workloads.adoc +++ b/latest/ug/workloads/eks-workloads.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [[eks-workloads,eks-workloads.title]] = Learn how to deploy workloads and add-ons to Amazon EKS diff --git a/latest/ug/workloads/horizontal-pod-autoscaler.adoc b/latest/ug/workloads/horizontal-pod-autoscaler.adoc index 02901bb02..5a0c185c1 100644 --- a/latest/ug/workloads/horizontal-pod-autoscaler.adoc +++ b/latest/ug/workloads/horizontal-pod-autoscaler.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/workloads/image-verification.adoc b/latest/ug/workloads/image-verification.adoc index 976ac0714..26be480c0 100644 --- a/latest/ug/workloads/image-verification.adoc +++ b/latest/ug/workloads/image-verification.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/workloads/kubernetes-field-management.adoc b/latest/ug/workloads/kubernetes-field-management.adoc index 33cdcaa3c..76097d1ec 100644 --- a/latest/ug/workloads/kubernetes-field-management.adoc +++ b/latest/ug/workloads/kubernetes-field-management.adoc @@ -1,4 +1,3 @@ - [.topic] [[kubernetes-field-management,kubernetes-field-management.title]] = Determine fields you can customize for Amazon EKS add-ons diff --git a/latest/ug/workloads/network-load-balancing.adoc b/latest/ug/workloads/network-load-balancing.adoc index 00954bf34..17d7eda8a 100644 --- a/latest/ug/workloads/network-load-balancing.adoc +++ b/latest/ug/workloads/network-load-balancing.adoc @@ -1,4 +1,3 @@ - [.topic] [[network-load-balancing,network-load-balancing.title]] = Route [.noloc]`TCP` and [.noloc]`UDP` traffic with [.noloc]`Network Load Balancers` diff --git a/latest/ug/workloads/remove-addon-role.adoc b/latest/ug/workloads/remove-addon-role.adoc index a7a641e0b..436451ed5 100644 --- a/latest/ug/workloads/remove-addon-role.adoc +++ b/latest/ug/workloads/remove-addon-role.adoc @@ -1,4 +1,3 @@ - [.topic] [[remove-addon-role,remove-addon-role.title]] = Remove Pod Identity associations from an Amazon EKS add-on diff --git a/latest/ug/workloads/removing-an-addon.adoc b/latest/ug/workloads/removing-an-addon.adoc index 8d1b58c12..47edba46a 100644 --- a/latest/ug/workloads/removing-an-addon.adoc +++ b/latest/ug/workloads/removing-an-addon.adoc @@ -1,5 +1,3 @@ - - [.topic] [[removing-an-add-on,removing-an-add-on.title]] = Remove an Amazon EKS add-on from a cluster diff --git a/latest/ug/workloads/restrict-service-external-ip.adoc b/latest/ug/workloads/restrict-service-external-ip.adoc index 067ab824a..17cec3e38 100644 --- a/latest/ug/workloads/restrict-service-external-ip.adoc +++ b/latest/ug/workloads/restrict-service-external-ip.adoc @@ -1,4 +1,3 @@ - [.topic] [[restrict-service-external-ip,restrict-service-external-ip.title]] = Restrict external IP addresses that can be assigned to services diff --git a/latest/ug/workloads/retreive-iam-info.adoc b/latest/ug/workloads/retreive-iam-info.adoc index c8e34f0c7..cd5c66b29 100644 --- a/latest/ug/workloads/retreive-iam-info.adoc +++ b/latest/ug/workloads/retreive-iam-info.adoc @@ -1,4 +1,3 @@ - [.topic] [[retreive-iam-info,retreive-iam-info.title]] = Retrieve IAM information about an Amazon EKS add-on diff --git a/latest/ug/workloads/sample-deployment-windows.adoc b/latest/ug/workloads/sample-deployment-windows.adoc index 116e8dd6a..880760d6c 100644 --- a/latest/ug/workloads/sample-deployment-windows.adoc +++ b/latest/ug/workloads/sample-deployment-windows.adoc @@ -1,5 +1,3 @@ - - [.topic] [[sample-deployment-win,sample-deployment-win.title]] = Deploy a sample application on Windows diff --git a/latest/ug/workloads/sample-deployment.adoc b/latest/ug/workloads/sample-deployment.adoc index c402cb0a5..87e1bea6e 100644 --- a/latest/ug/workloads/sample-deployment.adoc +++ b/latest/ug/workloads/sample-deployment.adoc @@ -1,6 +1,3 @@ - - - [.topic] [[sample-deployment,sample-deployment.title]] = Deploy a sample application on Linux diff --git a/latest/ug/workloads/update-addon-role.adoc b/latest/ug/workloads/update-addon-role.adoc index 5a106d037..db88103bd 100644 --- a/latest/ug/workloads/update-addon-role.adoc +++ b/latest/ug/workloads/update-addon-role.adoc @@ -1,4 +1,3 @@ - [.topic] [[update-addon-role,update-addon-role.title]] = Use Pod Identities to assign an IAM role to an Amazon EKS add-on diff --git a/latest/ug/workloads/updating-an-add-on.adoc b/latest/ug/workloads/updating-an-add-on.adoc index f61d5b517..5bdcd8c48 100644 --- a/latest/ug/workloads/updating-an-add-on.adoc +++ b/latest/ug/workloads/updating-an-add-on.adoc @@ -1,5 +1,3 @@ - - [.topic] [[updating-an-add-on,updating-an-add-on.title]] = Update an Amazon EKS add-on diff --git a/latest/ug/workloads/vertical-pod-autoscaler.adoc b/latest/ug/workloads/vertical-pod-autoscaler.adoc index a93ba71f2..db748e876 100644 --- a/latest/ug/workloads/vertical-pod-autoscaler.adoc +++ b/latest/ug/workloads/vertical-pod-autoscaler.adoc @@ -1,4 +1,3 @@ - include::../attributes.txt[] [.topic] diff --git a/latest/ug/workloads/workloads-add-ons-available-eks.adoc b/latest/ug/workloads/workloads-add-ons-available-eks.adoc index 8476aa54b..8bb2c43a0 100644 --- a/latest/ug/workloads/workloads-add-ons-available-eks.adoc +++ b/latest/ug/workloads/workloads-add-ons-available-eks.adoc @@ -1,5 +1,3 @@ - - include::../attributes.txt[] [.topic] diff --git a/latest/ug/workloads/workloads-add-ons-available-vendors.adoc b/latest/ug/workloads/workloads-add-ons-available-vendors.adoc index b1bce2593..fd43858b8 100644 --- a/latest/ug/workloads/workloads-add-ons-available-vendors.adoc +++ b/latest/ug/workloads/workloads-add-ons-available-vendors.adoc @@ -1,5 +1,3 @@ - - include::../attributes.txt[] [.topic] From 33ba0ab0955e38e9f45b34b058a5f7421e546a1f Mon Sep 17 00:00:00 2001 From: amedirr <126819406+amedirr@users.noreply.github.com> Date: Fri, 24 Jan 2025 11:05:10 -0800 Subject: [PATCH 049/940] Update platform-versions.adoc Kubernetes version under the 1.32 section was incorrect. Fixed to reflect the correct version --- latest/ug/clusters/platform-versions.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/clusters/platform-versions.adoc b/latest/ug/clusters/platform-versions.adoc index 3828100b4..d54b2559f 100644 --- a/latest/ug/clusters/platform-versions.adoc +++ b/latest/ug/clusters/platform-versions.adoc @@ -44,7 +44,7 @@ The following admission controllers are enabled for all `1.32` platform versions | Release notes | Release date -| `1.31.0` +| `1.32.0` | `eks.2` | Initial release of Kubernetes version `1.32` for EKS. For more information, see <>. | January 2025 From f89acbf9a37499ed11b923348a0aed076eead126 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Fri, 24 Jan 2025 13:41:26 -0600 Subject: [PATCH 050/940] Update managing-kube-proxy.adoc --- latest/ug/networking/managing-kube-proxy.adoc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/latest/ug/networking/managing-kube-proxy.adoc b/latest/ug/networking/managing-kube-proxy.adoc index 59b23d60b..72b83e1e3 100644 --- a/latest/ug/networking/managing-kube-proxy.adoc +++ b/latest/ug/networking/managing-kube-proxy.adoc @@ -37,7 +37,7 @@ The following table lists the latest version of the Amazon EKS add-on type for e [options="header"] |=== | Kubernetes version | `kube-proxy` version -| 1.32 | v1.32.0-minimal-eksbuild.2 +| 1.32 | v1.32.0-eksbuild.2 | 1.31 | v1.31.3-eksbuild.2 | 1.31 | v1.31.3-eksbuild.2 | 1.30 | v1.30.7-eksbuild.2 @@ -76,6 +76,7 @@ The following table lists the latest available self-managed `kube-proxy` contain [options="header"] |=== | Version | kube-proxy (default type) | kube-proxy (minimal type) +| 1.32 | Only minimal type is available | v1.32.0-minimal-eksbuild.2 | 1.31 | Only minimal type is available | v1.31.2-minimal-eksbuild.3 | 1.30 | Only minimal type is available | v1.30.6-minimal-eksbuild.3 | 1.29 | Only minimal type is available | v1.29.10-minimal-eksbuild.3 From 1b1cffb8d7acd44aefbcaeea44ac2c79112d5451 Mon Sep 17 00:00:00 2001 From: Robin Rodriguez Date: Mon, 27 Jan 2025 10:47:28 -0500 Subject: [PATCH 051/940] update latest/ug/nodes/al2023.adoc to include documentation and example to apply kubelet parameters with nodeadm using NodeConfigSpec, this configuration is a change from AL2 and does not appear in elsewhere in EKS documentation. --- latest/ug/nodes/al2023.adoc | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/latest/ug/nodes/al2023.adoc b/latest/ug/nodes/al2023.adoc index a068dc914..8baecaad5 100644 --- a/latest/ug/nodes/al2023.adoc +++ b/latest/ug/nodes/al2023.adoc @@ -32,6 +32,26 @@ spec: ---- + In AL2, the metadata from these parameters was discovered from the Amazon EKS `DescribeCluster` API call. With AL2023, this behavior has changed since the additional API call risks throttling during large node scale ups. This change doesn't affect you if you're using managed node groups without a launch template or if you're using [.noloc]`Karpenter`. For more information on `certificateAuthority` and service `cidr`, see ` link:eks/latest/APIReference/API_DescribeCluster.html[DescribeCluster,type="documentation"]` in the _Amazon EKS API Reference_. +* For AL2023, `nodeadm` also changes the format to apply parameters to the `kubelet` for each node using https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/#nodeconfigspec[`NodeConfigSpec`], in AL2 this was done with the `--kubelet-extra-args` parameter. This is commonly used to add labels and taints to nodes. An example below shows applying `maxPods` and `--node-labels` to the node. ++ +[source,yaml,subs="verbatim,attributes"] +---- +--- +apiVersion: node.eks.aws/v1alpha1 +kind: NodeConfig +spec: + cluster: + name: test-cluster + apiServerEndpoint: https://example.com + certificateAuthority: Y2VydGlmaWNhdGVBdXRob3JpdHk= + cidr: 10.100.0.0/16 + kubelet: + config: + maxPods: 110 + flags: + - --node-labels=karpenter.sh/capacity-type=on-demand,karpenter.sh/nodepool=test +---- ++ * [.noloc]`Docker` isn't supported in AL2023 for all supported Amazon EKS versions. Support for [.noloc]`Docker` has ended and been removed with Amazon EKS version `1.24` or greater in AL2. For more information on deprecation, see <>. * Amazon VPC CNI version `1.16.2` or greater is required for AL2023. * AL2023 requires `IMDSv2` by default. `IMDSv2` has several benefits that help improve security posture. It uses a session-oriented authentication method that requires the creation of a secret token in a simple HTTP PUT request to start the session. A session's token can be valid for anywhere between 1 second and 6 hours. For more information on how to transition from `IMDSv1` to `IMDSv2`, see link:AWSEC2/latest/UserGuide/instance-metadata-transition-to-version-2.html[Transition to using Instance Metadata Service Version 2,type="documentation"] and link:security/get-the-full-benefits-of-imdsv2-and-disable-imdsv1-across-your-aws-infrastructure[Get the full benefits of IMDSv2 and disable IMDSv1 across your {aws} infrastructure,type="blog"]. If you would like to use `IMDSv1`, you can still do so by manually overriding the settings using instance metadata option launch properties. From 3659a6076d046cef32868217a89992e5b1f853f4 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Mon, 27 Jan 2025 16:27:05 +0000 Subject: [PATCH 052/940] ticket fixes and version attribute --- latest/ug/attributes.txt | 7 +++++++ latest/ug/automode/automode.adoc | 2 +- latest/ug/automode/create-node-pool.adoc | 4 +++- latest/ug/clusters/create-cluster.adoc | 10 +++++----- .../clusters/kubernetes-versions-standard.adoc | 2 +- latest/ug/clusters/kubernetes-versions.adoc | 4 ++-- latest/ug/clusters/platform-versions.adoc | 2 +- latest/ug/clusters/update-cluster.adoc | 7 +------ latest/ug/clusters/zone-shift.adoc | 2 +- latest/ug/getting-started/install-kubectl.adoc | 2 +- .../aws-access/service-accounts.adoc | 11 ++--------- .../k8s-access/access-entries.adoc | 2 +- .../cni-custom-network-tutorial.adoc | 4 ++-- latest/ug/networking/external-snat.adoc | 2 +- latest/ug/nodes/launch-node-bottlerocket.adoc | 2 +- latest/ug/nodes/launch-node-ubuntu.adoc | 2 +- latest/ug/nodes/migrate-stack.adoc | 10 +++++----- latest/ug/nodes/retrieve-windows-ami-id.adoc | 2 +- .../self-managed-windows-server-2022.adoc | 2 +- latest/ug/nodes/update-managed-node-group.adoc | 4 ++-- latest/ug/nodes/update-stack.adoc | 6 +++--- latest/ug/storage/ebs-csi.adoc | 4 +++- latest/ug/workloads/creating-an-add-on.adoc | 18 +++++++++--------- latest/ug/workloads/updating-an-add-on.adoc | 4 ++-- 24 files changed, 57 insertions(+), 58 deletions(-) diff --git a/latest/ug/attributes.txt b/latest/ug/attributes.txt index 784e706d0..ccf4a7b7a 100644 --- a/latest/ug/attributes.txt +++ b/latest/ug/attributes.txt @@ -6,6 +6,13 @@ :auto-cli-v2-version: 2.12.3 :auto-cli-v1-version: 1.27.160 +// Kubernetes Versions + +:k8s-n: 1.32 +:k8s-n-1: 1.31 +:k8s-n-2: 1.30 +:k8s-n-3: 1.29 + // Words Geoffrey often spells wrong or doesn't like to type :ret: retrieve diff --git a/latest/ug/automode/automode.adoc b/latest/ug/automode/automode.adoc index 804aee2a6..c363f4382 100644 --- a/latest/ug/automode/automode.adoc +++ b/latest/ug/automode/automode.adoc @@ -29,7 +29,7 @@ EKS Auto Mode provides the following high-level features: **Application Availability**: EKS Auto Mode dynamically adds or removes nodes in your EKS cluster based on the demands of your Kubernetes applications. This minimizes the need for manual capacity planning and ensures application availability. //what? -**Efficiency**: EKS Auto Mode is designed to compute costs while adhering to the flexibility defined by your NodePool and workload requirements. It also terminates unused instances and consolidates workloads onto other nodes to improve cost efficiency. +**Efficiency**: EKS Auto Mode is designed to optimize compute costs while adhering to the flexibility defined by your NodePool and workload requirements. It also terminates unused instances and consolidates workloads onto other nodes to improve cost efficiency. **Security**: EKS Auto Mode uses AMIs that are treated as immutable for your nodes. These AMIs enforce locked-down software, enable SELinux mandatory access controls, and provide read-only root file systems. Additionally, nodes launched by EKS Auto Mode have a maximum lifetime of 21 days (which you can reduce), after which they are automatically replaced with new nodes. This approach enhances your security posture by regularly cycling nodes, aligning with best practices already adopted by many customers. diff --git a/latest/ug/automode/create-node-pool.adoc b/latest/ug/automode/create-node-pool.adoc index 92a44feb8..3a800d23d 100644 --- a/latest/ug/automode/create-node-pool.adoc +++ b/latest/ug/automode/create-node-pool.adoc @@ -7,6 +7,8 @@ include::../attributes.txt[] Amazon EKS node pools provide a flexible way to manage compute resources in your Kubernetes cluster. This topic demonstrates how to create and configure node pools using Karpenter, a node provisioning tool that helps optimize cluster scaling and resource utilization. With Karpenter's NodePool resource, you can define specific requirements for your compute resources, including instance types, availability zones, architectures, and capacity types. +You cannot modify the built in `system` and `general-purpose` node pools. You can only enable or disable them. For more information, see <>. + The NodePool specification allows for fine-grained control over your EKS cluster's compute resources through various supported labels and requirements. These include options for specifying EC2 instance categories, CPU configurations, availability zones, architectures (ARM64/AMD64), and capacity types (spot/on-demand). You can also set resource limits for CPU and memory usage, ensuring your cluster stays within desired operational boundaries. EKS Auto Mode leverages well-known Kubernetes labels to provide consistent and standardized ways of identifying node characteristics. These labels, such as `topology.kubernetes.io/zone` for availability zones and `kubernetes.io/arch` for CPU architecture, follow established Kubernetes conventions. Additionally, EKS-specific labels (prefixed with `eks.amazonaws.com/`) extend this functionality with {aws}-specific attributes like instance types, CPU manufacturers, GPU capabilities, and networking specifications. This standardized labeling system enables seamless integration with existing Kubernetes tooling while providing deep {aws} infrastructure integration. @@ -41,7 +43,7 @@ Ensure that your NodePool references a valid NodeClass that exists in your clust apiVersion: karpenter.sh/v1 kind: NodePool metadata: - name: default + name: my-node-pool spec: template: metadata: diff --git a/latest/ug/clusters/create-cluster.adoc b/latest/ug/clusters/create-cluster.adoc index 54c7c38ab..ec41e44f6 100644 --- a/latest/ug/clusters/create-cluster.adoc +++ b/latest/ug/clusters/create-cluster.adoc @@ -26,7 +26,7 @@ This topic provides an overview of the available options and describes what to c == Prerequisites * An existing VPC and subnets that meet <>. Before you deploy a cluster for production use, we recommend that you have a thorough understanding of the VPC and subnet requirements. If you don't have a VPC and subnets, you can create them using an <>. -* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. +* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. To install or upgrade `kubectl`, see <>. * Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. * An link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] with permissions to `create` and `describe` an Amazon EKS cluster. For more information, see <> and <>. @@ -93,7 +93,7 @@ You can create a cluster by using: . Create an Amazon EKS `IPv4` cluster with the Amazon EKS default [.noloc]`Kubernetes` version in your default {aws} Region. Before running command, make the following replacements: . Replace [.replaceable]`region-code` with the {aws} Region that you want to create your cluster in. . Replace [.replaceable]`my-cluster` with a name for your cluster. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. -. Replace [.replaceable]`1.29` with any xref:kubernetes-versions[Amazon EKS supported version,linkend=kubernetes-versions]. +. Replace [.replaceable]`{k8s-n}` with any xref:kubernetes-versions[Amazon EKS supported version,linkend=kubernetes-versions]. . Change the values for `vpc-private-subnets` to meet your requirements. You can also add additional IDs. You must specify at least two subnet IDs. If you'd rather specify public subnets, you can change `--vpc-private-subnets` to `--vpc-public-subnets`. Public subnets have an associated route table with a route to an internet gateway, but private subnets don't have an associated route table. We recommend using private subnets whenever possible. + The subnets that you choose must meet the <>. Before selecting subnets, we recommend that you're familiar with all of the <>. @@ -102,7 +102,7 @@ The subnets that you choose must meet the <>. ** For more information about Amazon Linux, see link:linux/al2023/ug/compare-with-al2.html[Comparing AL2 and AL2023,type="documentation"] in the Amazon Linux User Guide. ** For more information about specifiying the operating system for a managed node group, see <>. diff --git a/latest/ug/clusters/kubernetes-versions.adoc b/latest/ug/clusters/kubernetes-versions.adoc index 3427c8dd2..9fcb33151 100644 --- a/latest/ug/clusters/kubernetes-versions.adoc +++ b/latest/ug/clusters/kubernetes-versions.adoc @@ -12,7 +12,7 @@ include::../attributes.txt[] Learn how Amazon EKS supports Kubernetes versions with standard and extended support periods, allowing you to proactively update clusters with the latest versions, features, and security patches.. -- -[.noloc]`Kubernetes` rapidly evolves with new features, design updates, and bug fixes. The community releases new [.noloc]`Kubernetes` minor versions (such as `1.30`) on average once every four months. Amazon EKS follows the upstream release and deprecation cycle for minor versions. As new [.noloc]`Kubernetes` versions become available in Amazon EKS, we recommend that you proactively update your clusters to use the latest available version. +[.noloc]`Kubernetes` rapidly evolves with new features, design updates, and bug fixes. The community releases new [.noloc]`Kubernetes` minor versions (such as `{k8s-n}`) on average once every four months. Amazon EKS follows the upstream release and deprecation cycle for minor versions. As new [.noloc]`Kubernetes` versions become available in Amazon EKS, we recommend that you proactively update your clusters to use the latest available version. A minor version is under standard support in Amazon EKS for the first 14 months after it's released. Once a version is past the end of standard support date, it enters extended support for the next 12 months. Extended support allows you to stay at a specific [.noloc]`Kubernetes` version for longer at an additional cost per cluster hour. If you haven't updated your cluster before the extended support period ends, your cluster is auto-upgraded to the oldest currently supported extended version. @@ -198,7 +198,7 @@ No. A managed node group creates Amazon EC2 instances in your account. These ins *Are self-managed node groups automatically updated along with the cluster control plane version?*:: No. A self-managed node group includes Amazon EC2 instances in your account. These instances aren't automatically upgraded when you or Amazon EKS update the control plane version on your behalf. A self-managed node group doesn't have any indication in the console that it needs updating. You can view the `kubelet` version installed on a node by selecting the node in the *Nodes* list on the *Overview* tab of your cluster to determine which nodes need updating. You must manually update the nodes. For more information, see <>. + -The [.noloc]`Kubernetes` project tests compatibility between the control plane and nodes for up to three minor versions. For example, `1.27` nodes continue to operate when orchestrated by a `1.30` control plane. However, running a cluster with nodes that are persistently three minor versions behind the control plane isn't recommended. For more information, see https://kubernetes.io/docs/setup/version-skew-policy/[Kubernetes version and version skew support policy] in the [.noloc]`Kubernetes` documentation. We recommend maintaining the same [.noloc]`Kubernetes` version on your control plane and nodes. +The [.noloc]`Kubernetes` project tests compatibility between the control plane and nodes for up to three minor versions. For example, `{k8s-n-3}` nodes continue to operate when orchestrated by a `{k8s-n}` control plane. However, running a cluster with nodes that are persistently three minor versions behind the control plane isn't recommended. For more information, see https://kubernetes.io/docs/setup/version-skew-policy/[Kubernetes version and version skew support policy] in the [.noloc]`Kubernetes` documentation. We recommend maintaining the same [.noloc]`Kubernetes` version on your control plane and nodes. *Are [.noloc]`Pods` running on Fargate automatically upgraded with an automatic cluster control plane version upgrade?*:: diff --git a/latest/ug/clusters/platform-versions.adoc b/latest/ug/clusters/platform-versions.adoc index d54b2559f..1dcc7d97a 100644 --- a/latest/ug/clusters/platform-versions.adoc +++ b/latest/ug/clusters/platform-versions.adoc @@ -7,7 +7,7 @@ include::../attributes.txt[] Amazon EKS platform versions represent the capabilities of the Amazon EKS cluster control plane, such as which [.noloc]`Kubernetes` API server flags are enabled, as well as the current [.noloc]`Kubernetes` patch version. Each [.noloc]`Kubernetes` minor version has one or more associated Amazon EKS platform versions. The platform versions for different [.noloc]`Kubernetes` minor versions are independent. You can <> using the {aws} CLI or {aws-management-console}. If you have a local cluster on {aws} Outposts, see <> instead of this topic. -When a new [.noloc]`Kubernetes` minor version is available in Amazon EKS, such as 1.30, the initial Amazon EKS platform version for that [.noloc]`Kubernetes` minor version starts at `eks.1`. However, Amazon EKS releases new platform versions periodically to enable new [.noloc]`Kubernetes` control plane settings and to provide security fixes. +When a new [.noloc]`Kubernetes` minor version is available in Amazon EKS, such as {k8s-n}, the initial Amazon EKS platform version for that [.noloc]`Kubernetes` minor version starts at `eks.1`. However, Amazon EKS releases new platform versions periodically to enable new [.noloc]`Kubernetes` control plane settings and to provide security fixes. When new Amazon EKS platform versions become available for a minor version: diff --git a/latest/ug/clusters/update-cluster.adoc b/latest/ug/clusters/update-cluster.adoc index 5be4c0255..bc387b6de 100644 --- a/latest/ug/clusters/update-cluster.adoc +++ b/latest/ug/clusters/update-cluster.adoc @@ -237,12 +237,7 @@ kubectl apply -f https://raw.githubusercontent.com/NVIDIA/k8s-device-plugin/vX.X + ** If you are using Amazon EKS add-ons, select *Clusters* in the Amazon EKS console, then select the name of the cluster that you updated in the left navigation pane. Notifications appear in the console. They inform you that a new version is available for each add-on that has an available update. To update an add-on, select the *Add-ons* tab. In one of the boxes for an add-on that has an update available, select *Update now*, select an available version, and then select *Update*. ** Alternately, you can use the {aws} CLI or `eksctl` to update add-ons. For more information, see <>. -. If necessary, update your version of `kubectl`. You must use a `kubectl` version that is within one minor version difference of your Amazon EKS cluster control plane. For example, a `1.29` `kubectl` client works with [.noloc]`Kubernetes` `1.28`, `1.29`, and `1.30` clusters. You can check your currently installed version with the following command. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl version --client ----- +. If necessary, update your version of `kubectl`. You must use a `kubectl` version that is within one minor version difference of your Amazon EKS cluster control plane. [[downgrade-cluster,downgrade-cluster.title]] diff --git a/latest/ug/clusters/zone-shift.adoc b/latest/ug/clusters/zone-shift.adoc index 094b42358..a956cd398 100644 --- a/latest/ug/clusters/zone-shift.adoc +++ b/latest/ug/clusters/zone-shift.adoc @@ -53,7 +53,7 @@ For zonal shift to work successfully in EKS, you need to setup your cluster envi * Pre-scale your Pods (including CoreDNS) in every AZ * Spread multiple Pod replicas across all AZs to ensure that shifting away from a single AZ will leave you with sufficient capacity * Co-locate interdependent or related Pods in the same AZ -* Test that your cluster environment would work as expected with on less AZ by manually starting a zonal shift. Alternatively, you can enable zonal autoshift and reply on the autoshift practice runs. This is not required for zonal shift to work in EKS but it's strongly recommended. +* Test that your cluster environment would work as expected with one less AZ by manually starting a zonal shift. Alternatively, you can enable zonal autoshift and reply on the autoshift practice runs. This is not required for zonal shift to work in EKS but it's strongly recommended. === Provision Your EKS Worker Nodes Across Multiple AZs diff --git a/latest/ug/getting-started/install-kubectl.adoc b/latest/ug/getting-started/install-kubectl.adoc index 2ced97f88..63cf437cc 100644 --- a/latest/ug/getting-started/install-kubectl.adoc +++ b/latest/ug/getting-started/install-kubectl.adoc @@ -30,7 +30,7 @@ This topic helps you to download and install, or update, the `kubectl` binary on [NOTE] ==== -You must use a `kubectl` version that is within one minor version difference of your Amazon EKS cluster control plane. For example, a `1.30` `kubectl` client works with [.noloc]`Kubernetes` `1.29`, `1.30`, and `1.31` clusters. +You must use a `kubectl` version that is within one minor version difference of your Amazon EKS cluster control plane. For example, a `{k8s-n-1}` `kubectl` client works with [.noloc]`Kubernetes` `{k8s-n-2}`, `{k8s-n-1}`, and `{k8s-n}` clusters. ==== diff --git a/latest/ug/manage-access/aws-access/service-accounts.adoc b/latest/ug/manage-access/aws-access/service-accounts.adoc index d2f1cc697..636cadba3 100644 --- a/latest/ug/manage-access/aws-access/service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/service-accounts.adoc @@ -205,15 +205,8 @@ To use EKS Pod Identities, the cluster must have a platform version that is the |Kubernetes version |Platform version - -|`1.31` -|`eks.4` - -|`1.30` -|`eks.2` - -|`1.29` -|`eks.1` +|Kubernetes versions not listed +|All platform versions support |`1.28` |`eks.4` diff --git a/latest/ug/manage-access/k8s-access/access-entries.adoc b/latest/ug/manage-access/k8s-access/access-entries.adoc index f15ee46c2..68392f452 100644 --- a/latest/ug/manage-access/k8s-access/access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/access-entries.adoc @@ -20,7 +20,7 @@ Learn how to manage access entries for IAM principals to your Amazon EKS cluster EKS access entries it the best way to grant users access to the Kubernetes API. For example, you can use access entries to grant developers access to use kubectl. -Fundamentally, an EKS access entry associates a set of Kubernetes permissions with an IAM identity, such as an IAM role. For example, a develoer may assume an IAM role and use that to authenticate to an EKS Cluster. +Fundamentally, an EKS access entry associates a set of Kubernetes permissions with an IAM identity, such as an IAM role. For example, a developer may assume an IAM role and use that to authenticate to an EKS Cluster. You can attach Kubernetes permissions to access entries in two ways: diff --git a/latest/ug/networking/cni-custom-network-tutorial.adoc b/latest/ug/networking/cni-custom-network-tutorial.adoc index 4e763ee2f..9d4845b2a 100644 --- a/latest/ug/networking/cni-custom-network-tutorial.adoc +++ b/latest/ug/networking/cni-custom-network-tutorial.adoc @@ -15,7 +15,7 @@ Complete the following before you start the tutorial: * Review the considerations * Familiarity with how the [.noloc]`Amazon VPC CNI plugin for Kubernetes` creates secondary network interfaces and assigns IP addresses to [.noloc]`Pods`. For more information, see https://github.com/aws/amazon-vpc-cni-k8s#eni-allocation[ENI Allocation] on [.noloc]`GitHub`. * Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. -* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. +* The `kubectl` command line tool is installed on your device or {aws} CloudShell. To install or upgrade `kubectl`, see <>. * We recommend that you complete the steps in this topic in a Bash shell. If you aren't using a Bash shell, some script commands such as line continuation characters and the way variables are set and used require adjustment for your shell. Additionally, the quoting and escaping rules for your shell might be different. For more information, see link:cli/latest/userguide/cli-usage-parameters-quoting-strings.html[Using quotation marks with strings in the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. For this tutorial, we recommend using the [.replaceable]`example values`, except where it's noted to replace them. You can replace any [.replaceable]`example value` when completing the steps for a production cluster. We recommend completing all steps in the same terminal. This is because variables are set and used throughout the steps and won't exist in different terminals. @@ -532,7 +532,7 @@ kube-system kube-proxy-wx9vk 1/1 Running 0 7m15s 19 + You can see that the coredns [.noloc]`Pods` are assigned IP addresses from the `192.168.1.0` CIDR block that you added to your VPC. Without custom networking, they would have been assigned addresses from the `192.168.0.0` CIDR block, because it was the only CIDR block originally associated with the VPC. + -If a [.noloc]`Pod's` `spec` contains `hostNetwork=true`, it's assigned the primary IP address of the node. It isn't assigned an address from the subnets that you added. By default, this value is set to `false`. This value is set to `true` for the `kube-proxy` and [.noloc]`Amazon VPC CNI plugin for Kubernetes` (`aws-node`) [.noloc]`Pods` that run on your cluster. This is why the `kube-proxy` and the plugin's `aws-node` [.noloc]`Pods` aren't assigned `192.168.1.[.replaceable]``x``` addresses in the previous output. For more information about a [.noloc]`Pod's` `hostNetwork` setting, see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#podspec-v1-core[PodSpec v1 core] in the [.noloc]`Kubernetes` API reference. +If a [.noloc]`Pod's` `spec` contains `hostNetwork=true`, it's assigned the primary IP address of the node. It isn't assigned an address from the subnets that you added. By default, this value is set to `false`. This value is set to `true` for the `kube-proxy` and [.noloc]`Amazon VPC CNI plugin for Kubernetes` (`aws-node`) [.noloc]`Pods` that run on your cluster. This is why the `kube-proxy` and the plugin's `aws-node` [.noloc]`Pods` aren't assigned `192.168.1.[.replaceable]``x``` addresses in the previous output. For more information about a [.noloc]`Pod's` `hostNetwork` setting, see https://kubernetes.io/docs/reference/generated/kubernetes-api/v{k8s-n}/#podspec-v1-core[PodSpec v1 core] in the [.noloc]`Kubernetes` API reference. [[custom-network-delete-resources,custom-network-delete-resources.title]] diff --git a/latest/ug/networking/external-snat.adoc b/latest/ug/networking/external-snat.adoc index 7fe59a7ea..76541838a 100644 --- a/latest/ug/networking/external-snat.adoc +++ b/latest/ug/networking/external-snat.adoc @@ -49,5 +49,5 @@ The `AWS_VPC_K8S_CNI_EXTERNALSNAT` and `AWS_VPC_K8S_CNI_EXCLUDE_SNAT_CIDRS` CNI [[snat-exception,snat-exception.title]] == Host networking -^^*^^If a [.noloc]`Pod's` spec contains `hostNetwork=true` (default is `false`), then its IP address isn't translated to a different address. This is the case for the `kube-proxy` and [.noloc]`Amazon VPC CNI plugin for Kubernetes` [.noloc]`Pods` that run on your cluster, by default. For these [.noloc]`Pods`, the IP address is the same as the node's primary IP address, so the [.noloc]`Pod's` IP address isn't translated. For more information about a [.noloc]`Pod's` `hostNetwork` setting, see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#podspec-v1-core[PodSpec v1 core] in the [.noloc]`Kubernetes` API reference. +^^*^^If a [.noloc]`Pod's` spec contains `hostNetwork=true` (default is `false`), then its IP address isn't translated to a different address. This is the case for the `kube-proxy` and [.noloc]`Amazon VPC CNI plugin for Kubernetes` [.noloc]`Pods` that run on your cluster, by default. For these [.noloc]`Pods`, the IP address is the same as the node's primary IP address, so the [.noloc]`Pod's` IP address isn't translated. For more information about a [.noloc]`Pod's` `hostNetwork` setting, see https://kubernetes.io/docs/reference/generated/kubernetes-api/v{k8s-n}/#podspec-v1-core[PodSpec v1 core] in the [.noloc]`Kubernetes` API reference. diff --git a/latest/ug/nodes/launch-node-bottlerocket.adoc b/latest/ug/nodes/launch-node-bottlerocket.adoc index 6189ca609..3e460cec5 100644 --- a/latest/ug/nodes/launch-node-bottlerocket.adoc +++ b/latest/ug/nodes/launch-node-bottlerocket.adoc @@ -61,7 +61,7 @@ kind: ClusterConfig metadata: name: my-cluster region: region-code - version: '1.30' + version: '{k8s-n}' iam: withOIDC: true diff --git a/latest/ug/nodes/launch-node-ubuntu.adoc b/latest/ug/nodes/launch-node-ubuntu.adoc index 75891fb89..2462ae15f 100644 --- a/latest/ug/nodes/launch-node-ubuntu.adoc +++ b/latest/ug/nodes/launch-node-ubuntu.adoc @@ -53,7 +53,7 @@ kind: ClusterConfig metadata: name: my-cluster region: region-code - version: '1.30' + version: '{k8s-n}' iam: withOIDC: true diff --git a/latest/ug/nodes/migrate-stack.adoc b/latest/ug/nodes/migrate-stack.adoc index 8b12f5237..d187578b3 100644 --- a/latest/ug/nodes/migrate-stack.adoc +++ b/latest/ug/nodes/migrate-stack.adoc @@ -71,7 +71,7 @@ For more available flags and their descriptions, see https://eksctl.io/. ---- eksctl create nodegroup \ --cluster my-cluster \ - --version 1.30 \ + --version {k8s-n} \ --name standard-nodes-new \ --node-type t3.medium \ --nodes 3 \ @@ -176,11 +176,11 @@ kubectl scale deployments/cluster-autoscaler --replicas=0 -n kube-system kubectl taint nodes node_name key=value:NoSchedule ---- + -If you're upgrading your nodes to a new [.noloc]`Kubernetes` version, you can identify and taint all of the nodes of a particular [.noloc]`Kubernetes` version (in this case, `1.28`) with the following code snippet. The version number can't be later than the [.noloc]`Kubernetes` version of your control plane. It also can't be more than two minor versions earlier than the [.noloc]`Kubernetes` version of your control plane. We recommend that you use the same version as your control plane. +If you're upgrading your nodes to a new [.noloc]`Kubernetes` version, you can identify and taint all of the nodes of a particular [.noloc]`Kubernetes` version (in this case, `{k8s-n-2}`) with the following code snippet. The version number can't be later than the [.noloc]`Kubernetes` version of your control plane. It also can't be more than two minor versions earlier than the [.noloc]`Kubernetes` version of your control plane. We recommend that you use the same version as your control plane. + [source,bash,subs="verbatim,attributes"] ---- -K8S_VERSION=1.28 +K8S_VERSION={k8s-n-2} nodes=$(kubectl get nodes -o jsonpath="{.items[?(@.status.nodeInfo.kubeletVersion==\"v$K8S_VERSION\")].metadata.name}") for node in ${nodes[@]} do @@ -215,11 +215,11 @@ kubectl scale deployments/coredns --replicas=2 -n kube-system kubectl drain node_name --ignore-daemonsets --delete-local-data ---- + -If you're upgrading your nodes to a new [.noloc]`Kubernetes` version, identify and drain all of the nodes of a particular [.noloc]`Kubernetes` version (in this case, [.replaceable]`1.28`) with the following code snippet. +If you're upgrading your nodes to a new [.noloc]`Kubernetes` version, identify and drain all of the nodes of a particular [.noloc]`Kubernetes` version (in this case, [.replaceable]`{k8s-n-2}`) with the following code snippet. + [source,bash,subs="verbatim,attributes"] ---- -K8S_VERSION=1.28 +K8S_VERSION={k8s-n-2} nodes=$(kubectl get nodes -o jsonpath="{.items[?(@.status.nodeInfo.kubeletVersion==\"v$K8S_VERSION\")].metadata.name}") for node in ${nodes[@]} do diff --git a/latest/ug/nodes/retrieve-windows-ami-id.adoc b/latest/ug/nodes/retrieve-windows-ami-id.adoc index 78c6779f1..8278553e4 100644 --- a/latest/ug/nodes/retrieve-windows-ami-id.adoc +++ b/latest/ug/nodes/retrieve-windows-ami-id.adoc @@ -35,7 +35,7 @@ Here's an example command after placeholder replacements have been made. [source,bash,subs="verbatim,attributes,quotes"] ---- -aws ssm get-parameter --name /aws/service/ami-windows-latest/Windows_Server-[.replaceable]`2022`-English-[.replaceable]`Core`-EKS_Optimized-[.replaceable]`1.31`/image_id \ +aws ssm get-parameter --name /aws/service/ami-windows-latest/Windows_Server-[.replaceable]`2022`-English-[.replaceable]`Core`-EKS_Optimized-[.replaceable]`k8s-n-2`/image_id \ --region [.replaceable]`us-west-2` --query "Parameter.Value" --output text ---- diff --git a/latest/ug/nodes/self-managed-windows-server-2022.adoc b/latest/ug/nodes/self-managed-windows-server-2022.adoc index a5caafc22..36e6debf7 100644 --- a/latest/ug/nodes/self-managed-windows-server-2022.adoc +++ b/latest/ug/nodes/self-managed-windows-server-2022.adoc @@ -26,7 +26,7 @@ kind: ClusterConfig metadata: name: windows-2022-cluster region: region-code - version: '1.31' + version: '{k8s-n}' nodeGroups: - name: windows-ng diff --git a/latest/ug/nodes/update-managed-node-group.adoc b/latest/ug/nodes/update-managed-node-group.adoc index 50e73e608..8007b9425 100644 --- a/latest/ug/nodes/update-managed-node-group.adoc +++ b/latest/ug/nodes/update-managed-node-group.adoc @@ -61,7 +61,7 @@ NOTE: If you're upgrading a node group that's deployed with a launch template to You can't directly upgrade a node group that's deployed without a launch template to a new launch template version. Instead, you must deploy a new node group using the launch template to update the node group to a new launch template version. -You can upgrade a node group to the same version as the control plane's [.noloc]`Kubernetes` version. For example, if you have a cluster running [.noloc]`Kubernetes` `1.29`, you can upgrade nodes currently running [.noloc]`Kubernetes` `1.28` to version `1.29` with the following command. +You can upgrade a node group to the same version as the control plane's [.noloc]`Kubernetes` version. For example, if you have a cluster running [.noloc]`Kubernetes` `{k8s-n}`, you can upgrade nodes currently running [.noloc]`Kubernetes` `{k8s-n-1}` to version `{k8s-n}` with the following command. [source,bash,subs="verbatim,attributes"] ---- @@ -69,7 +69,7 @@ eksctl upgrade nodegroup \ --name=node-group-name \ --cluster=my-cluster \ --region=region-code \ - --kubernetes-version=1.29 + --kubernetes-version={k8s-n} ---- == {aws-management-console} [[console_update_managed_nodegroup]] diff --git a/latest/ug/nodes/update-stack.adoc b/latest/ug/nodes/update-stack.adoc index b304f3b5e..efdc44a4b 100644 --- a/latest/ug/nodes/update-stack.adoc +++ b/latest/ug/nodes/update-stack.adoc @@ -75,14 +75,14 @@ https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2022-12-23/amazon-e NOTE: The supported instance types for the latest version of the https://github.com/aws/amazon-vpc-cni-k8s[Amazon VPC CNI plugin for Kubernetes] are shown in https://github.com/aws/amazon-vpc-cni-k8s/blob/master/pkg/vpc/vpc_ip_resource_limit.go[vpc_ip_resource_limit.go] on [.noloc]`GitHub`. You might need to update your [.noloc]`Amazon VPC CNI plugin for Kubernetes` version to use the latest supported instance types. For more information, see <>. + IMPORTANT: Some instance types might not be available in all {aws} Regions. -** *NodeImageIdSSMParam* – The Amazon EC2 Systems Manager parameter of the AMI ID that you want to update to. The following value uses the latest Amazon EKS optimized AMI for [.noloc]`Kubernetes` version `1.30`. +** *NodeImageIdSSMParam* – The Amazon EC2 Systems Manager parameter of the AMI ID that you want to update to. The following value uses the latest Amazon EKS optimized AMI for [.noloc]`Kubernetes` version `{k8s-n}`. + [source,none,subs="verbatim,attributes"] ---- -/aws/service/eks/optimized-ami/1.30/amazon-linux-2/recommended/image_id +/aws/service/eks/optimized-ami/{k8s-n}/amazon-linux-2/recommended/image_id ---- + -You can replace [.replaceable]`1.30` with a <> that's the same. Or, it should be up to one version earlier than the [.noloc]`Kubernetes` version running on your control plane. We recommend that you keep your nodes at the same version as your control plane. You can also replace [.replaceable]`amazon-linux-2` with a different AMI type. For more information, see <>. +You can replace [.replaceable]`{k8s-n}` with a <> that's the same. Or, it should be up to one version earlier than the [.noloc]`Kubernetes` version running on your control plane. We recommend that you keep your nodes at the same version as your control plane. You can also replace [.replaceable]`amazon-linux-2` with a different AMI type. For more information, see <>. + NOTE: Using the Amazon EC2 Systems Manager parameter enables you to update your nodes in the future without having to look up and specify an AMI ID. If your {aws} CloudFormation stack is using this value, any stack update always launches the latest recommended Amazon EKS optimized AMI for your specified [.noloc]`Kubernetes` version. This is even the case even if you don't change any values in the template. ** *NodeImageId* – To use your own custom AMI, enter the ID for the AMI to use. diff --git a/latest/ug/storage/ebs-csi.adoc b/latest/ug/storage/ebs-csi.adoc index d10f1a15f..e7713ac05 100644 --- a/latest/ug/storage/ebs-csi.adoc +++ b/latest/ug/storage/ebs-csi.adoc @@ -45,7 +45,9 @@ To use the snapshot functionality of the Amazon EBS CSI driver, you must first i ---- aws eks describe-addon-versions --addon-name aws-ebs-csi-driver ---- -* An existing {aws} Identity and Access Management (IAM) [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you already have one, or to create one, see <>. +* The EBS CSI driver needs {aws} IAM Permissions. +** {aws} suggests using EKS Pod Identities. For more information, see <>. +** For information about IAM Roles for Service Accounts, see <>. * If you're using a cluster wide restricted <>, make sure that the add-on is granted sufficient permissions to be deployed. For the permissions required by each add-on [.noloc]`Pod`, see the https://github.com/kubernetes-sigs/aws-ebs-csi-driver/tree/master/deploy/kubernetes/base[relevant add-on manifest definition] on GitHub. diff --git a/latest/ug/workloads/creating-an-add-on.adoc b/latest/ug/workloads/creating-an-add-on.adoc index 8b1b3cae7..6d3967cc3 100644 --- a/latest/ug/workloads/creating-an-add-on.adoc +++ b/latest/ug/workloads/creating-an-add-on.adoc @@ -43,11 +43,11 @@ You can create an Amazon EKS add-on using `eksctl`, the {aws-management-console} == Create add-on (eksctl) -. View the names of add-ons available for a cluster version. Replace [.replaceable]`1.30` with the version of your cluster. +. View the names of add-ons available for a cluster version. Replace [.replaceable]`{k8s-n}` with the version of your cluster. + [source,bash,subs="verbatim,attributes"] ---- -eksctl utils describe-addon-versions --kubernetes-version 1.30 | grep AddonName +eksctl utils describe-addon-versions --kubernetes-version {k8s-n} | grep AddonName ---- + An example output is as follows. @@ -65,11 +65,11 @@ An example output is as follows. "AddonName": "factorhouse_kpow", [...] ---- -. View the versions available for the add-on that you would like to create. Replace [.replaceable]`1.30` with the version of your cluster. Replace [.replaceable]`name-of-addon` with the name of the add-on you want to view the versions for. The name must be one of the names returned in the previous step. +. View the versions available for the add-on that you would like to create. Replace [.replaceable]`{k8s-n}` with the version of your cluster. Replace [.replaceable]`name-of-addon` with the name of the add-on you want to view the versions for. The name must be one of the names returned in the previous step. + [source,bash,subs="verbatim,attributes"] ---- -eksctl utils describe-addon-versions --kubernetes-version 1.30 --name name-of-addon | grep AddonVersion +eksctl utils describe-addon-versions --kubernetes-version {k8s-n} --name name-of-addon | grep AddonVersion ---- + The following output is an example of what is returned for the add-on named `vpc-cni`. You can see that the add-on has several available versions. @@ -86,7 +86,7 @@ The following output is an example of what is returned for the add-on named `vpc + [source,bash,subs="verbatim,attributes"] ---- -eksctl utils describe-addon-versions --kubernetes-version 1.30 --name name-of-addon | grep ProductUrl +eksctl utils describe-addon-versions --kubernetes-version {k8s-n} --name name-of-addon | grep ProductUrl ---- + If no output is returned, then the add-on is an Amazon EKS. If output is returned, then the add-on is an {aws} Marketplace add-on. The following output is for an add-on named `teleport_teleport`. @@ -167,11 +167,11 @@ Retaining the default role name enables EKS to pre-select the role for add-ons i == Create add-on ({aws} CLI) . You need version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. + -. Determine which add-ons are available. You can see all available add-ons, their type, and their publisher. You can also see the URL for add-ons that are available through the {aws} Marketplace. Replace [.replaceable]`1.30` with the version of your cluster. +. Determine which add-ons are available. You can see all available add-ons, their type, and their publisher. You can also see the URL for add-ons that are available through the {aws} Marketplace. Replace [.replaceable]`{k8s-n}` with the version of your cluster. + [source,bash,subs="verbatim,attributes"] ---- -aws eks describe-addon-versions --kubernetes-version 1.30 \ +aws eks describe-addon-versions --kubernetes-version {k8s-n} \ --query 'addons[].{MarketplaceProductUrl: marketplaceInformation.productUrl, Name: addonName, Owner: owner Publisher: publisher, Type: type}' --output table ---- + @@ -198,11 +198,11 @@ An example output is as follows. ---- + Your output might be different. In this example output, there are three different add-ons available of type `networking` and five add-ons with a publisher of type `eks`. The add-ons with `aws-marketplace` in the `Owner` column may require a subscription before you can install them. You can visit the URL to learn more about the add-on and to subscribe to it. -. You can see which versions are available for each add-on. Replace [.replaceable]`1.30` with the version of your cluster and replace [.replaceable]`vpc-cni` with the name of an add-on returned in the previous step. +. You can see which versions are available for each add-on. Replace [.replaceable]`{k8s-n}` with the version of your cluster and replace [.replaceable]`vpc-cni` with the name of an add-on returned in the previous step. + [source,bash,subs="verbatim,attributes"] ---- -aws eks describe-addon-versions --kubernetes-version 1.30 --addon-name vpc-cni \ +aws eks describe-addon-versions --kubernetes-version {k8s-n} --addon-name vpc-cni \ --query 'addons[].addonVersions[].{Version: addonVersion, Defaultversion: compatibilities[0].defaultVersion}' --output table ---- + diff --git a/latest/ug/workloads/updating-an-add-on.adoc b/latest/ug/workloads/updating-an-add-on.adoc index 5bdcd8c48..ad0b4541b 100644 --- a/latest/ug/workloads/updating-an-add-on.adoc +++ b/latest/ug/workloads/updating-an-add-on.adoc @@ -150,11 +150,11 @@ An example output is as follows. ---- v1.10.4-eksbuild.1 ---- -. Determine which versions of the add-on are available for your cluster's version. Replace [.replaceable]`1.30` with your cluster's version and [.replaceable]`vpc-cni` with the name of the add-on that you want to update. +. Determine which versions of the add-on are available for your cluster's version. Replace [.replaceable]`{k8s-n}` with your cluster's version and [.replaceable]`vpc-cni` with the name of the add-on that you want to update. + [source,bash,subs="verbatim,attributes"] ---- -aws eks describe-addon-versions --kubernetes-version 1.30 --addon-name vpc-cni \ +aws eks describe-addon-versions --kubernetes-version {k8s-n} --addon-name vpc-cni \ --query 'addons[].addonVersions[].{Version: addonVersion, Defaultversion: compatibilities[0].defaultVersion}' --output table ---- + From 808370bcbc42243373bba2341e17f86d073ef843 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Mon, 27 Jan 2025 10:55:46 -0600 Subject: [PATCH 053/940] draft of tag subnets for auto mode --- latest/ug/automode/auto-configure-alb.adoc | 12 +++- latest/ug/automode/auto-configure-nlb.adoc | 9 +++ latest/ug/automode/auto-tag-subnets.adoc | 76 ++++++++++++++++++++++ 3 files changed, 95 insertions(+), 2 deletions(-) create mode 100644 latest/ug/automode/auto-tag-subnets.adoc diff --git a/latest/ug/automode/auto-configure-alb.adoc b/latest/ug/automode/auto-configure-alb.adoc index 329f1073b..29d235253 100644 --- a/latest/ug/automode/auto-configure-alb.adoc +++ b/latest/ug/automode/auto-configure-alb.adoc @@ -24,6 +24,16 @@ EKS Auto Mode creates and configures Application Load Balancers (ALBs). For exam * Kubectl configured to connect to your cluster ** You can use `kubectl apply -f ` to apply the sample configuration YAML files below to your cluster. +[NOTE] +==== +EKS Auto Mode requires subnet tags to identify public and private subnets. + +If you created your cluster with `eksctl`, you already have these tags. + +Learn how to <>. +==== + + ## Step 1: Create IngressClassParams Create an `IngressClassParams` object to specify {aws} specific configuration options for the Application Load Balancer. Use the reference below to update the sample YAML file. @@ -39,8 +49,6 @@ spec: scheme: internet-facing ``` - - ## Step 2: Create IngressClass Create an `IngressClass` that references the {aws} specific configuration values set in the `IngressClassParams` resource. Note the name of the `IngressClass` . In this example, both the `IngressClass` and `IngressClassParams` are named `alb`. diff --git a/latest/ug/automode/auto-configure-nlb.adoc b/latest/ug/automode/auto-configure-nlb.adoc index 7870a9326..d02bebed5 100644 --- a/latest/ug/automode/auto-configure-nlb.adoc +++ b/latest/ug/automode/auto-configure-nlb.adoc @@ -11,6 +11,15 @@ When you create a Kubernetes service of type `LoadBalancer` in EKS Auto Mode, EK EKS Auto Mode handles Network Load Balancer provisioning by default for all services of type LoadBalancer - no additional controller installation or configuration is required. The `loadBalancerClass: eks.amazonaws.com/nlb `specification is automatically set as the cluster default, streamlining the deployment process while maintaining compatibility with existing Kubernetes workloads. +[NOTE] +==== +EKS Auto Mode requires subnet tags to identify public and private subnets. + +If you created your cluster with `eksctl`, you already have these tags. + +Learn how to <>. +==== + == Sample Service diff --git a/latest/ug/automode/auto-tag-subnets.adoc b/latest/ug/automode/auto-tag-subnets.adoc new file mode 100644 index 000000000..f12ef1c47 --- /dev/null +++ b/latest/ug/automode/auto-tag-subnets.adoc @@ -0,0 +1,76 @@ +[#tag-subnets-auto] += Tag subnets for EKS Auto Mode +:info_titleabbrev: Tag subnets + +include::../attributes.txt[] + +If you use the load balancing capability of EKS Auto Mode, you need to add {aws} tags to your VPC subnets. + +== Background + +These tags identify subnets as associated with the cluster, and more importantly if the subnet is public or private. + +Public subnets have direct internet access via an internet gateway. They are used for resources that need to be publicly accessible such as load balancers. + +Private subnets do not have direct internet access and use NAT gateways for outbound traffic. They are used for internal resources such as EKS nodes that don't need public IPs. + +To learn more about NAT gateways and Internet gateways, see link:vpc/latest/userguide/extend-intro.html["Connect your VPC to other networks",type="documentation"] in the Amazon Virtual Private Cloud (VPC) User Guide. + +== Requirement + +At this time, subnets used for load balancing by EKS Auto Mode are required to have one of the following tags. + +=== Public subnets +Public subnets are used for internet-facing load balancers. These subnets must have the following tags: + +|=== +|Key |Value + +|`kubernetes.io/role/elb` +|`1` or `` +|=== + +=== Private subnets +Private subnets are used for internal load balancers. These subnets must have the following tags: + +|=== +|Key |Value + +|`kubernetes.io/role/internal-elb` +|`1` or `` +|=== + +== Procedure + +Before you begin, identify which subnets are public (with Internet Gateway access) and which are private (using NAT Gateway). You'll need permissions to modify VPC resources. + +=== {aws} Management Console + +. Open the Amazon VPC console and navigate to Subnets +. Select the subnet to tag +. Choose the Tags tab and select Add tag +. Add the appropriate tag: +* For public subnets: Key=`kubernetes.io/role/elb` +* For private subnets: Key=`kubernetes.io/role/internal-elb` +. Set Value to `1` or leave empty +. Save and repeat for remaining subnets + +=== {aws} CLI + +For public subnets: +[source,bash] +---- +aws ec2 create-tags \ + --resources subnet-ID \ + --tags Key=kubernetes.io/role/elb,Value=1 +---- + +For private subnets: +[source,bash] +---- +aws ec2 create-tags \ + --resources subnet-ID \ + --tags Key=kubernetes.io/role/internal-elb,Value=1 +---- + +Replace `subnet-ID` with your actual subnet ID. From 7cfa451952465f43f63a4d56f9ab1fb85e4ce9ef Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Mon, 27 Jan 2025 11:06:08 -0600 Subject: [PATCH 054/940] fixup --- latest/ug/automode/auto-elb-example.adoc | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/latest/ug/automode/auto-elb-example.adoc b/latest/ug/automode/auto-elb-example.adoc index 47eb417f7..dd76764a5 100644 --- a/latest/ug/automode/auto-elb-example.adoc +++ b/latest/ug/automode/auto-elb-example.adoc @@ -139,6 +139,15 @@ spec: controller: eks.amazonaws.com/alb ---- +[NOTE] +==== +EKS Auto Mode requires subnet tags to identify public and private subnets. + +If you created your cluster with `eksctl`, you already have these tags. + +Learn how to <>. +==== + Then create the Ingress resource. Create a file named `05-ingress.yaml`: [source,yaml] From 0bb85e70ff1afc68c96a9170ec2a37465ea3cd16 Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Mon, 6 Jan 2025 19:11:43 -0800 Subject: [PATCH 055/940] Release update strategies for managed node groups --- latest/ug/doc-history.adoc | 7 +++++++ .../ug/nodes/managed-node-update-behavior.adoc | 18 +++++++++++++++++- 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index cfa6cafd4..d57dce6a3 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -25,6 +25,13 @@ The following table describes the major updates and new features for the Amazon [.updates] == Updates +[.update,date="2025-01-27"] +=== Update strategies for managed node groups +[.update-ulink] +https://docs.aws.amazon.com/eks/latest/userguide/managed-node-update-behavior.html#managed-node-update-upgrade + +You can now use update strategies to configure the version update process for managed node groups. This introduces the __minimal__ update strategy to terminate nodes before making new ones, which is useful in capacity constrained environments. The __default__ update strategy continues the existing behavior. + [.update,date="2025-01-23"] === [.noloc]`Kubernetes` version `1.32` [.update-ulink] diff --git a/latest/ug/nodes/managed-node-update-behavior.adoc b/latest/ug/nodes/managed-node-update-behavior.adoc index 1b241e698..5b9ba4cbf 100644 --- a/latest/ug/nodes/managed-node-update-behavior.adoc +++ b/latest/ug/nodes/managed-node-update-behavior.adoc @@ -77,14 +77,30 @@ Node disk pressure, memory pressure, and similar conditions can lead to a node n [[managed-node-update-upgrade,managed-node-update-upgrade.title]] == Upgrade phase -The upgrade phase has these steps: +The upgrade phase behaves in two different ways, depending on the _update strategy_. There are two update strategies: *default* and *minimal*. +We recommend the default strategy in most scenarios. It creates new nodes before terminating the old ones, so that the available capacity is maintained during the upgrade phase. +The minimal strategy is useful in scenarios where you are constrained to resources or costs, for example with hardware accelerators such as GPUs. It terminating the old nodes before creating the new ones, so that total capacity never increases beyond your configured quantity. + +The _default_ update strategy has these steps: + +. It increases the quantity of nodes (desired count) in the Auto Scaling Group, causing the node group to create additional nodes. . It randomly selects a node that needs to be upgraded, up to the maximum unavailable configured for the node group. . It drains the [.noloc]`Pods` from the node. If the [.noloc]`Pods` don't leave the node within 15 minutes and there's no force flag, the upgrade phase fails with a `PodEvictionFailure` error. For this scenario, you can apply the force flag with the `update-nodegroup-version` request to delete the [.noloc]`Pods`. . It cordons the node after every [.noloc]`Pod` is evicted and waits for 60 seconds. This is done so that the service controller doesn't send any new requests to this node and removes this node from its list of active nodes. . It sends a termination request to the Auto Scaling Group for the cordoned node. . It repeats the previous upgrade steps until there are no nodes in the node group that are deployed with the earlier version of the launch template. +The _minimal_ update strategy has these steps: + +. It randomly selects a node that needs to be upgraded, up to the maximum unavailable configured for the node group. +. It drains the [.noloc]`Pods` from the node. If the [.noloc]`Pods` don't leave the node within 15 minutes and there's no force flag, the upgrade phase fails with a `PodEvictionFailure` error. For this scenario, you can apply the force flag with the `update-nodegroup-version` request to delete the [.noloc]`Pods`. +. It cordons the node after every [.noloc]`Pod` is evicted and waits for 60 seconds. This is done so that the service controller doesn't send any new requests to this node and removes this node from its list of active nodes. +. It sends a termination request to the Auto Scaling Group for the cordoned node. The Auto Scaling Group creates a new node to replace the missing capacity. +. It repeats the previous upgrade steps until there are no nodes in the node group that are deployed with the earlier version of the launch template. + +=== `PodEvictionFailure` errors during the upgrade phase + The following are known reasons which lead to a `PodEvictionFailure` error in this phase: From 856ea83ddbd9e9f436954ceb3c3acc12bc7077c3 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Mon, 27 Jan 2025 22:55:21 +0000 Subject: [PATCH 056/940] Typo fix: 45278 --- latest/ug/ml/ml-get-started.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/ml/ml-get-started.adoc b/latest/ug/ml/ml-get-started.adoc index 9c624e21d..931989ea3 100644 --- a/latest/ug/ml/ml-get-started.adoc +++ b/latest/ug/ml/ml-get-started.adoc @@ -14,7 +14,7 @@ Choose the Machine Learning on EKS tools and platforms that best suit your needs To jump into Machine Learning on EKS, start by choosing from these prescriptive patterns to quickly get an EKS cluster and ML software and hardware ready to begin running ML workloads. Most of these patterns are based on Terraform blueprints that are available from the https://awslabs.github.io/data-on-eks/docs/introduction/intro[Data on Amazon EKS] site. Before you begin, here are few things to keep in mind: * GPUs or Neuron instances are required to run these procedures. Lack of availability of these resources can cause these procedures to fail during cluster creation or node autoscaling. -* Neuron SDK (Tranium and Inferentia-based instances) can save money and are more available than NVIDIA GPUs. So, when your workloads permit it, we recommend that you consider using Neutron for your Machine Learning workloads (see https://awsdocs-neuron.readthedocs-hosted.com/en/latest/[Welcome to {aws} Neuron]). +* Neuron SDK (Tranium and Inferentia-based instances) can save money and are more available than NVIDIA GPUs. So, when your workloads permit it, we recommend that you consider using Neuron for your Machine Learning workloads (see https://awsdocs-neuron.readthedocs-hosted.com/en/latest/[Welcome to {aws} Neuron]). * Some of the getting started experiences here require that you get data via your own https://huggingface.co/[Hugging Face] account. To get started, choose from the following selection of patterns that are designed to get you started setting up infrastructure to run your Machine Learning workloads: From 1f004605fdfe47dfb7059d88f16ebbe499b3dabd Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Mon, 27 Jan 2025 15:42:55 -0800 Subject: [PATCH 057/940] Add v1.32 to CNI compatibility for EKS Hybrid Nodes --- latest/ug/nodes/hybrid-nodes-cni.adoc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/latest/ug/nodes/hybrid-nodes-cni.adoc b/latest/ug/nodes/hybrid-nodes-cni.adoc index 14150029d..99fd6d55a 100644 --- a/latest/ug/nodes/hybrid-nodes-cni.adoc +++ b/latest/ug/nodes/hybrid-nodes-cni.adoc @@ -23,6 +23,10 @@ The table below represents the Cilium and Calico versions that are compatible an |Cilium version |Calico version +|1.32 +|1.16.x +|3.29.x + |1.31 |1.16.x |3.29.x From 548276fb90f1db86208f947b6a09d96d9b943798 Mon Sep 17 00:00:00 2001 From: Wayne Galen Date: Wed, 15 Jan 2025 22:24:20 +0000 Subject: [PATCH 058/940] Added information and examples for creating the systemd configurations for `kubelet` and `containerd` from the userdata of a node --- latest/ug/nodes/hybrid-nodes-proxy.adoc | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/latest/ug/nodes/hybrid-nodes-proxy.adoc b/latest/ug/nodes/hybrid-nodes-proxy.adoc index 4a04ea491..cf14a8dd9 100644 --- a/latest/ug/nodes/hybrid-nodes-proxy.adoc +++ b/latest/ug/nodes/hybrid-nodes-proxy.adoc @@ -30,7 +30,18 @@ Environment="HTTP_PROXY=http://proxy-domain:port" Environment="HTTPS_PROXY=http://proxy-domain:port" Environment="NO_PROXY=localhost" ---- - +==== From userdata +The `containerd.service.d` directory will need to be created for this file. You will need to reload systemd to pick up the configuration file without a reboot. In AL2023, the service will likely already be running when your script executes, so you will also need to restart it. +[source,yaml,subs="vabatim,attributes,quotes"] +---- +mkdir -p /etc/systemd/system/containerd.service.d +echo '[Service]' > /etc/systemd/system/containerd.service.d +echo 'Environment="HTTP_PROXY=http://proxy-domain:port"' >> /etc/systemd/system/containerd.service.d +echo 'Environment="HTTPS_PROXY=http://proxy-domain:port"' >> /etc/systemd/system/containerd.service.d +echo 'Environment="NO_PROXY=localhost"' >> /etc/systemd/system/containerd.service.d +systemctl daemon-reload +systemctl restart containerd +---- === Kubelet proxy configuration `kubelet` is the Kubernetes node agent that runs on each Kubernetes node and is responsible for managing the node and pods running on it. If you are using a proxy in your on-premises environment, you must configure the `kubelet` so it can communicate with your Amazon EKS cluster's public or private endpoints. @@ -44,6 +55,18 @@ Environment="HTTP_PROXY=http://proxy-domain:port" Environment="HTTPS_PROXY=http://proxy-domain:port" Environment="NO_PROXY=localhost" ---- +==== From userdata +The `kubelet.service.d` directory will need to be created for this file. You will need to reload systemd to pick up the configuration file without a reboot. In AL2023, the service will likely already be running when your script executes, so you will also need to restart it. +[source,yaml,subs="vabatim,attributes,quotes"] +---- +mkdir -p /etc/systemd/system/kubelet.service.d +echo '[Service]' > /etc/systemd/system/kubelet.service.d +echo 'Environment="HTTP_PROXY=http://proxy-domain:port"' >> /etc/systemd/system/kubelet.service.d +echo 'Environment="HTTPS_PROXY=http://proxy-domain:port"' >> /etc/systemd/system/kubelet.service.d +echo 'Environment="NO_PROXY=localhost"' >> /etc/systemd/system/kubelet.service.d +systemctl daemon-reload +systemctl restart containerd +---- === Operating system proxy configuration From c95e32792c1c3cd827ba3b7f22e799dd3581d7f3 Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Mon, 27 Jan 2025 14:31:25 -0800 Subject: [PATCH 059/940] better formatting for hybrid proxy config --- latest/ug/nodes/hybrid-nodes-proxy.adoc | 51 ++++++++++++++----------- 1 file changed, 29 insertions(+), 22 deletions(-) diff --git a/latest/ug/nodes/hybrid-nodes-proxy.adoc b/latest/ug/nodes/hybrid-nodes-proxy.adoc index cf14a8dd9..606bf0d5a 100644 --- a/latest/ug/nodes/hybrid-nodes-proxy.adoc +++ b/latest/ug/nodes/hybrid-nodes-proxy.adoc @@ -26,23 +26,27 @@ Create a file on each hybrid node called `http-proxy.conf` in the `/etc/systemd/ [source,yaml,subs="verbatim,attributes,quotes"] ---- [Service] -Environment="HTTP_PROXY=http://proxy-domain:port" -Environment="HTTPS_PROXY=http://proxy-domain:port" +Environment="HTTP_PROXY=http://[.replaceable]#proxy-domain:port#" +Environment="HTTPS_PROXY=http://[.replaceable]#proxy-domain:port#" Environment="NO_PROXY=localhost" ---- -==== From userdata -The `containerd.service.d` directory will need to be created for this file. You will need to reload systemd to pick up the configuration file without a reboot. In AL2023, the service will likely already be running when your script executes, so you will also need to restart it. -[source,yaml,subs="vabatim,attributes,quotes"] + +==== `containerd` configuration from user data + +The `containerd.service.d` directory will need to be created for this file. You will need to reload systemd to pick up the configuration file without a reboot. In AL2023, the service will likely already be running when your script executes, so you will also need to restart it. + +[source,yaml,subs="verbatim,attributes,quotes"] ---- mkdir -p /etc/systemd/system/containerd.service.d echo '[Service]' > /etc/systemd/system/containerd.service.d -echo 'Environment="HTTP_PROXY=http://proxy-domain:port"' >> /etc/systemd/system/containerd.service.d -echo 'Environment="HTTPS_PROXY=http://proxy-domain:port"' >> /etc/systemd/system/containerd.service.d +echo 'Environment="HTTP_PROXY=http://[.replaceable]#proxy-domain:port#"' >> /etc/systemd/system/containerd.service.d +echo 'Environment="HTTPS_PROXY=http://[.replaceable]#proxy-domain:port#"' >> /etc/systemd/system/containerd.service.d echo 'Environment="NO_PROXY=localhost"' >> /etc/systemd/system/containerd.service.d systemctl daemon-reload systemctl restart containerd ---- -=== Kubelet proxy configuration + +=== `kubelet` proxy configuration `kubelet` is the Kubernetes node agent that runs on each Kubernetes node and is responsible for managing the node and pods running on it. If you are using a proxy in your on-premises environment, you must configure the `kubelet` so it can communicate with your Amazon EKS cluster's public or private endpoints. @@ -51,18 +55,21 @@ Create a file on each hybrid node called `http-proxy.conf` in the `/etc/systemd/ [source,yaml,subs="verbatim,attributes,quotes"] ---- [Service] -Environment="HTTP_PROXY=http://proxy-domain:port" -Environment="HTTPS_PROXY=http://proxy-domain:port" +Environment="HTTP_PROXY=http://[.replaceable]#proxy-domain:port#" +Environment="HTTPS_PROXY=http://[.replaceable]#proxy-domain:port#" Environment="NO_PROXY=localhost" ---- -==== From userdata -The `kubelet.service.d` directory will need to be created for this file. You will need to reload systemd to pick up the configuration file without a reboot. In AL2023, the service will likely already be running when your script executes, so you will also need to restart it. -[source,yaml,subs="vabatim,attributes,quotes"] + +==== `kubelet` configuration from user data + +The `kubelet.service.d` directory must be created for this file. You will need to reload systemd to pick up the configuration file without a reboot. In AL2023, the service will likely already be running when your script executes, so you will also need to restart it. + +[source,yaml,subs="verbatim,attributes,quotes"] ---- mkdir -p /etc/systemd/system/kubelet.service.d echo '[Service]' > /etc/systemd/system/kubelet.service.d -echo 'Environment="HTTP_PROXY=http://proxy-domain:port"' >> /etc/systemd/system/kubelet.service.d -echo 'Environment="HTTPS_PROXY=http://proxy-domain:port"' >> /etc/systemd/system/kubelet.service.d +echo 'Environment="HTTP_PROXY=http://[.replaceable]#proxy-domain:port#"' >> /etc/systemd/system/kubelet.service.d +echo 'Environment="HTTPS_PROXY=http://[.replaceable]#proxy-domain:port#"' >> /etc/systemd/system/kubelet.service.d echo 'Environment="NO_PROXY=localhost"' >> /etc/systemd/system/kubelet.service.d systemctl daemon-reload systemctl restart containerd @@ -78,16 +85,16 @@ If you are using a proxy for internet access, you must configure your operating + [source,yaml,subs="verbatim,attributes,quotes"] ---- -sudo snap set system proxy.https=http://proxy-domain:port -sudo snap set system proxy.http=http://proxy-domain:port +sudo snap set system proxy.https=http://[.replaceable]#proxy-domain:port# +sudo snap set system proxy.http=http://[.replaceable]#proxy-domain:port# ---- . To enable proxy for `apt`, create a file called `apt.conf` in the `/etc/apt/` directory. Replace proxy-domain and port with the values for your environment. + [source,yaml,subs="verbatim,attributes,quotes"] ---- -Acquire::http::Proxy "http://proxy-domain:port"; -Acquire::https::Proxy "http://proxy-domain:port"; +Acquire::http::Proxy "http://[.replaceable]#proxy-domain:port#"; +Acquire::https::Proxy "http://[.replaceable]#proxy-domain:port#"; ---- *Amazon Linux 2023 and Red Hat Enterprise Linux* @@ -96,7 +103,7 @@ Acquire::https::Proxy "http://proxy-domain:port"; + [source,yaml,subs="verbatim,attributes,quotes"] ---- -proxy=http://proxy-domain:port +proxy=http://[.replaceable]#proxy-domain:port# ---- == Cluster wide configuration @@ -127,9 +134,9 @@ containers: - --config=/var/lib/kube-proxy-config/config - --hostname-override=$(NODE_NAME) env: - name: HTTP_PROXY - value: http://proxy-domain:port + value: http://[.replaceable]#proxy-domain:port# - name: HTTPS_PROXY - value: http://proxy-domain:port + value: http://[.replaceable]#proxy-domain:port# - name: NODE_NAME valueFrom: fieldRef: From 8b8ee0bbae2a5a4b898c1ef57d67c667f3378602 Mon Sep 17 00:00:00 2001 From: pgasca <87044997+pgasca@users.noreply.github.com> Date: Tue, 28 Jan 2025 16:10:46 -0600 Subject: [PATCH 060/940] Update al2023.adoc --- latest/ug/nodes/al2023.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/nodes/al2023.adoc b/latest/ug/nodes/al2023.adoc index 8baecaad5..76e011bcf 100644 --- a/latest/ug/nodes/al2023.adoc +++ b/latest/ug/nodes/al2023.adoc @@ -31,8 +31,8 @@ spec: cidr: 10.100.0.0/16 ---- + -In AL2, the metadata from these parameters was discovered from the Amazon EKS `DescribeCluster` API call. With AL2023, this behavior has changed since the additional API call risks throttling during large node scale ups. This change doesn't affect you if you're using managed node groups without a launch template or if you're using [.noloc]`Karpenter`. For more information on `certificateAuthority` and service `cidr`, see ` link:eks/latest/APIReference/API_DescribeCluster.html[DescribeCluster,type="documentation"]` in the _Amazon EKS API Reference_. -* For AL2023, `nodeadm` also changes the format to apply parameters to the `kubelet` for each node using https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/#nodeconfigspec[`NodeConfigSpec`], in AL2 this was done with the `--kubelet-extra-args` parameter. This is commonly used to add labels and taints to nodes. An example below shows applying `maxPods` and `--node-labels` to the node. +In AL2, the metadata from these parameters was discovered from the Amazon EKS `DescribeCluster` API call. With AL2023, this behavior has changed since the additional API call risks throttling during large node scale ups. This change doesn't affect you if you're using managed node groups without a launch template or if you're using [.noloc]`Karpenter`. For more information on `certificateAuthority` and service `cidr`, see link:eks/latest/APIReference/API_DescribeCluster.html[`DescribeCluster`,type="documentation"] in the _Amazon EKS API Reference_. +* For AL2023, `nodeadm` also changes the format to apply parameters to the `kubelet` for each node using https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/#nodeconfigspec[`NodeConfigSpec`]. In AL2, this was done with the `--kubelet-extra-args` parameter. This is commonly used to add labels and taints to nodes. An example below shows applying `maxPods` and `--node-labels` to the node. + [source,yaml,subs="verbatim,attributes"] ---- From f264c8a7335e767d3a0d2ee44798252ea2fa50e3 Mon Sep 17 00:00:00 2001 From: Donovan Date: Wed, 29 Jan 2025 11:40:43 -0800 Subject: [PATCH 061/940] Add `kubectl debug node` and more troubleshooting for Auto Mode (#850) * Add `kubectl debug node` and more troubleshooting for Auto Mode * Fix spelling, formatting in Auto Mode troubleshooting. Add 'reachability' to custom dictionary. * Add pricing note to VPC Reachability Analyzer * Add manual ToCs and titles to Auto Mode troubleshooting * fix unnecessary pluses in auto-troubleshoot --- latest/ug/automode/auto-troubleshoot.adoc | 189 ++++++++++++++++-- .../vocabularies/EksDocsVocab/accept.txt | 4 +- 2 files changed, 175 insertions(+), 18 deletions(-) diff --git a/latest/ug/automode/auto-troubleshoot.adoc b/latest/ug/automode/auto-troubleshoot.adoc index 76c6d3075..fcc74f25a 100644 --- a/latest/ug/automode/auto-troubleshoot.adoc +++ b/latest/ug/automode/auto-troubleshoot.adoc @@ -10,24 +10,35 @@ With {eam}, {aws} assumes more {resp} for {e2i}s in {yaa}. EKS assumes {resp} fo You must use {aws} and {k8s} APIs to troubleshoot nodes. You can: -* Use a Kubernetes `NodeDiagnostic` resource to {ret} node logs. -* Use the {aws} EC2 CLI command `get-console-output` to {ret} console output from nodes. +* Use a Kubernetes `NodeDiagnostic` resource to {ret} node logs by using the <>. For more steps, see <>. +* Use the {aws} EC2 CLI command `get-console-output` to {ret} console output from nodes. For more steps, see <>. +* Use Kubernetes _debugging containers_ to {ret} node logs. For more steps, see <>. [NOTE] ==== {eam} uses {emi}s. You cannot directly access {emi}s, including by SSH. ==== -If you have a problem with a controller, you should research: +You might have the following problems that have solutions specific to EKS Auto Mode components: -* If the resources associated with that controller are properly formatted and valid. -* If the {aws} IAM and Kubernetes RBAC resources are properly configured for your cluster. For more information, see <>. +* Pods stuck in the `Pending` state, that aren't being scheduled onto Auto Mode nodes. For solutions see <>. +* EC2 managed instances that don't join the cluster as Kubernetes nodes. For solutions see <>. +* Errors and issues with the `NodePools`, `PersistentVolumes`, and `Services` that use the controllers that are included in EKS Auto Mode. For solutions see <>. + +You can use the following methods to troubleshoot EKS Auto Mode components: + +* <> +* <> +* <> +* <> +* <> [[auto-node-monitoring-agent,auto-node-monitoring-agent.title]] == Node monitoring agent {eam} includes the Amazon EKS node monitoring agent. You can use this agent to view troubleshooting and debugging information about nodes. The node monitoring agent publishes Kubernetes `events` and node `conditions`. For more information, see <>. +[[auto-node-console,auto-node-console.title]] == Get console output from an {emi} by using the {aws} EC2 CLI This procedure helps with troubleshooting boot-time or kernel-level issues. @@ -54,10 +65,61 @@ kubectl get pod -o wide aws ec2 get-console-output --instance-id --latest --output text ---- -== Get node logs by using the kubectl CLI +[[auto-node-debug-logs,auto-node-debug-logs.title]] +== Get node logs by using __debug containers__ and the `kubectl` CLI + +The recommended way of retrieving logs from an EKS Auto Mode node is to use `NodeDiagnostic` resource. For these steps, see <>. + +However, you can stream logs live from an instance by using the `kubectl debug node` command. This command launches a new Pod on the node that you want to debug which you can then interactively use. + +. Launch a debug container. The following command uses `i-01234567890123456` for the instance ID of the node, `-it` allocates a `tty` and attach `stdin` for interactive usage, and uses the `sysadmin` profile from the kubeconfig file. ++ +[source,cli] +---- +kubectl debug node/i-01234567890123456 -it --profile=sysadmin --image=public.ecr.aws/amazonlinux/amazonlinux:2023 +---- ++ +An example output is as follows. ++ +[source,none] +---- +Creating debugging pod node-debugger-i-01234567890123456-nxb9c with container debugger on node i-01234567890123456. +If you don't see a command prompt, try pressing enter. +bash-5.2# +---- -For information about getting node logs, see <>. +. From the shell, you can now install `util-linux-core` which provides the `nsenter` command. Use `nsenter` to enter the mount namespace of PID 1 (`init`) on the host, and run the `journalctl` command to stream logs from the `kubelet`: ++ +[source,bash] +---- +yum install -y util-linux-core +nsenter -t 1 -m journalctl -f -u kubelet +---- +For security, the Amazon Linux container image doesn't install many binaries by default. You can use the `yum whatprovides` command to identify the package that must be installed to provide a given binary. + +[source,cli] +---- +yum whatprovides ps +---- + +[source,none] +---- +Last metadata expiration check: 0:03:36 ago on Thu Jan 16 14:49:17 2025. +procps-ng-3.3.17-1.amzn2023.0.2.x86_64 : System and process monitoring utilities +Repo : @System +Matched from: +Filename : /usr/bin/ps +Provide : /bin/ps + +procps-ng-3.3.17-1.amzn2023.0.2.x86_64 : System and process monitoring utilities +Repo : amazonlinux +Matched from: +Filename : /usr/bin/ps +Provide : /bin/ps +---- + +[[auto-node-ec2-web,auto-node-ec2-web.title]] == View resources associated with {eam} in the {aws} Console You can use the {aws} console to view the status of resources associated with {yec}. @@ -69,6 +131,7 @@ You can use the {aws} console to view the status of resources associated with {y * link:ec2/home#Instances["EC2 Instances",type="console"] ** View EKS Auto Mode instances by searching for the tag key `eks:eks-cluster-name` +[[auto-node-iam,auto-node-iam.title]] == View IAM Errors in {yaa} . Navigate to CloudTrail console @@ -78,23 +141,115 @@ You can use the {aws} console to view the status of resources associated with {y ** UnauthorizedOperation ** InvalidClientTokenId -Look for errors related to your EKS cluster. Use the error messages to update your EKS access entries, Cluster IAM Role, or Node IAM Role. You may need to attach a new policy to these roles with permissions for {eam}. +Look for errors related to your EKS cluster. Use the error messages to update your EKS access entries, cluster IAM role, or node IAM role. You might need to attach a new policy to these roles with permissions for {eam}. //Ensure you are running the latest version of the {aws} CLI, eksctl, etc. -== Pod failing to schedule onto Auto Mode node +[[auto-troubleshoot-schedule,auto-troubleshoot-schedule.title]] +== Troubleshoot Pod failing to schedule onto Auto Mode node -If pods are not being scheduled onto an auto mode node, verify if your pod/deployment manifest has a **nodeSelector**. If a nodeSelector is present, please ensure it is using `eks.amazonaws.com/compute-type: auto` to allow it to be scheduled. See <>. +If pods staying in the `Pending` state and aren't being scheduled onto an auto mode node, verify if your pod or deployment manifest has a `nodeSelector`. If a `nodeSelector` is present, ensure that it is using `eks.amazonaws.com/compute-type: auto` to be scheduled on nodes that are made by EKS Auto Mode. For more information about the node labels that are used by EKS Auto Mode, see <>. -== Node not joining cluster +[[auto-troubleshoot-join,auto-troubleshoot-join.title]] +== Troubleshoot node not joining the cluster -Run `kubectl get nodeclaim` to check for nodeclaims that are `Ready = False`. +EKS Auto Mode automatically configures new EC2 instances with the correct information to join the cluster, including the cluster endpoint and cluster certificate authority (CA). However, these instances can still fail to join the EKS cluster as a node. Run the following commands to identify instances that didn't join the cluster: -Proceed to run `kubectl describe nodeclaim ` and look under *Status* to find any issues preventing the node from joining the cluster. +. Run `kubectl get nodeclaim` to check for `NodeClaims` that are `Ready = False`. ++ +[source,cli] +---- +kubectl get nodeclaim +---- + +. Run `kubectl describe nodeclaim ` and look under *Status* to find any issues preventing the node from joining the cluster. ++ +[source,cli] +---- +kubectl describe nodeclaim +---- *Common error messages:* -* "Error getting launch template configs" -** You may receive this error if you are setting custom tags in the NodeClass with the default cluster IAM role permissions. See <>. -* "Error creating fleet" -** There may be some authorization issue with calling the RunInstances API call. Check CloudTrail for errors and see <> for the required IAM permissions. +`Error getting launch template configs`:: +You might receive this error if you are setting custom tags in the `NodeClass` with the default cluster IAM role permissions. See <>. + +`Error creating fleet`:: +There might be some authorization issue with calling the `RunInstances` call from the EC2 API. Check {aws-cloudtrail} for errors and see <> for the required IAM permissions. + + +[[auto-node-reachability,auto-node-reachability.title]] +=== Detect node connectivity issues with the `VPC Reachability Analyzer` + +[NOTE] +==== +You are charged for each analysis that is run the VPC Reachability Analyzer. For pricing details, see link:vpc/pricing/[{amazon-vpc} Pricing,type="marketing"]. +==== + +One reason that an instance didn't join the cluster is a network connectivity issue that prevents them from reaching the API server. To diagnose this issue, you can use the link:vpc/latest/reachability/what-is-reachability-analyzer.html[VPC Reachability Analyzer,type="documentation"] to perform an analysis of the connectivity between a node that is failing to join the cluster and the API server. You will need two pieces of information: + +* *instance ID* of a node that can't join the cluster +* IP address of the *Kubernetes API server endpoint* + +To get the *instance ID*, you will need to create a workload on the cluster to cause EKS Auto Mode to launch an EC2 instance. This also creates a `NodeClaim` object in your cluster that will have the instance ID. Run `kubectl get nodeclaim -o yaml` to print all of the `NodeClaims` in your cluster. Each `NodeClaim` contains the instance ID as a field and again in the providerID: + +[source,cli] +---- +kubectl get nodeclaim -o yaml +---- + +An example output is as follows. + +[source,bash,subs="verbatim,attributes"] +---- + nodeName: i-01234567890123456 + providerID: aws:///us-west-2a/i-01234567890123456 +---- + +You can determine your *Kubernetes API server endpoint* by running `kubectl get endpoint kubernetes -o yaml`. The addresses are in the addresses field: + +[source,cli] +---- +kubectl get endpoints kubernetes -o yaml +---- + +An example output is as follows. + +[source,bash,subs="verbatim,attributes"] +---- +apiVersion: v1 +kind: Endpoints +metadata: + name: kubernetes + namespace: default +subsets: +- addresses: + - ip: 10.0.143.233 + - ip: 10.0.152.17 + ports: + - name: https + port: 443 + protocol: TCP +---- + +With these two pieces of information, you can perform the s analysis. First navigate to the VPC Reachability Analyzer in the{aws-management-console}. + +. Click "Create and Analyze Path" +. Provide a name for the analysis (e.g. "Node Join Failure") +. For the "Source Type" select "Instances" +. Enter the instance ID of the failing Node as the "Source" +. For the "Path Destination" select "IP Address" +. Enter one of the IP addresses for the API server as the "Destination Address" +. Expand the "Additional Packet Header Configuration Section" +. Enter a "Destination Port" of 443 +. Select "Protocol" as TCP if it is not already selected +. Click "Create and Analyze Path" +. The analysis might take a few minutes to complete. If the analysis results indicates failed reachability, it will indicate where the failure was in the network path so you can resolve the issue. + +[[auto-troubleshoot-controllers,auto-troubleshoot-controllers.title]] +== Troubleshoot included controllers in Auto Mode + +If you have a problem with a controller, you should research: + +* If the resources associated with that controller are properly formatted and valid. +* If the {aws} IAM and Kubernetes RBAC resources are properly configured for your cluster. For more information, see <>. \ No newline at end of file diff --git a/vale/styles/config/vocabularies/EksDocsVocab/accept.txt b/vale/styles/config/vocabularies/EksDocsVocab/accept.txt index 3fef970f0..d8cd47dcc 100644 --- a/vale/styles/config/vocabularies/EksDocsVocab/accept.txt +++ b/vale/styles/config/vocabularies/EksDocsVocab/accept.txt @@ -7,4 +7,6 @@ StorageClass PersistentVolume CSI Karpenter -VPC \ No newline at end of file +VPC +VPC Reachability Analyzer +reachability \ No newline at end of file From 424020030d30dacce3e198f404ab337417522e0f Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Wed, 29 Jan 2025 13:43:14 -0600 Subject: [PATCH 062/940] Describe disruption for EKS Auto Mode (#857) * add desc of auto disrupt * todd suggestions --- latest/ug/automode/create-node-pool.adoc | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/latest/ug/automode/create-node-pool.adoc b/latest/ug/automode/create-node-pool.adoc index 3a800d23d..b6da84a9f 100644 --- a/latest/ug/automode/create-node-pool.adoc +++ b/latest/ug/automode/create-node-pool.adoc @@ -177,3 +177,18 @@ spec: * {eam} only supports Linux ** `node.kubernetes.io/windows-build` ** `kubernetes.io/os` + +== Disruption + +You can configure EKS Auto Mode to disrupt Nodes through your NodePool in multiple ways. You can use `spec.disruption.consolidationPolicy`, `spec.disruption.consolidateAfter`, or `spec.template.spec.expireAfter`. You can also rate limit EKS Auto Mode's disruption through the NodePool’s `spec.disruption.budgets`. You can also control the time windows and number of simultaneous Nodes disrupted. For instructions on configuring this behavior, see https://karpenter.sh/docs/concepts/disruption/[Disruption] in the Karpenter Documentation. + +You can configure disruption for node pools to: + +- Identify when instances are underutilized, and consolidate workloads. +- Create a node pool disruption budget to rate limit node terminations due to drift, emptiness, and consolidation. + +By default, EKS Auto Mode: + +- Consolidates underutilized instances. +- Terminates instances after 720 hours. +- Sets a single disruption budget of 10% of nodes. From b2bdfab1d7e3fc9850f856253d3792469f4b15df Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Wed, 29 Jan 2025 13:46:00 -0600 Subject: [PATCH 063/940] Update automode-learn-instances.adoc (#856) * Update automode-learn-instances.adoc Add description of how AMIs are rolled out and issues detected for EKS Auto Mode * todd fixes --- latest/ug/automode/automode-learn-instances.adoc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/latest/ug/automode/automode-learn-instances.adoc b/latest/ug/automode/automode-learn-instances.adoc index 21ed0a71a..90ade730e 100644 --- a/latest/ug/automode/automode-learn-instances.adoc +++ b/latest/ug/automode/automode-learn-instances.adoc @@ -64,6 +64,10 @@ The following functionality works for both Managed instances and Standard EC2 in * You can view the instance in the {aws} console. * You can use instance storage as ephemeral storage for workloads. +=== AMI Support + +With EKS Auto Mode, {aws} determines the image (AMI) used for your compute nodes. {aws} monitors the rollout of new EKS Auto Mode AMI versions. If you experience workload issues related to an AMI version, create a support case. For more information, see link:awssupport/latest/user/case-management.html["Creating support cases and case management",type="documentation"] in the AWS Support User Guide. + == Supported instance reference // Source: https://code.amazon.com/packages/EKSKarpenterController/blobs/a56aeb0ddc3e8a54406421e8f3a091e8e13abea1/--/pkg/providers/instancetype/instancetype.go#L43-L49 From f116a370b8545e27b5f72455400506c7e917ad20 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Wed, 29 Jan 2025 20:32:53 +0000 Subject: [PATCH 064/940] fixup auto mode tag subnets --- latest/ug/automode/auto-tag-subnets.adoc | 1 + latest/ug/automode/automode-learn-instances.adoc | 2 +- latest/ug/automode/settings-auto.adoc | 2 ++ 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/latest/ug/automode/auto-tag-subnets.adoc b/latest/ug/automode/auto-tag-subnets.adoc index f12ef1c47..259511013 100644 --- a/latest/ug/automode/auto-tag-subnets.adoc +++ b/latest/ug/automode/auto-tag-subnets.adoc @@ -1,3 +1,4 @@ +[.topic] [#tag-subnets-auto] = Tag subnets for EKS Auto Mode :info_titleabbrev: Tag subnets diff --git a/latest/ug/automode/automode-learn-instances.adoc b/latest/ug/automode/automode-learn-instances.adoc index 90ade730e..fb1b64d6f 100644 --- a/latest/ug/automode/automode-learn-instances.adoc +++ b/latest/ug/automode/automode-learn-instances.adoc @@ -66,7 +66,7 @@ The following functionality works for both Managed instances and Standard EC2 in === AMI Support -With EKS Auto Mode, {aws} determines the image (AMI) used for your compute nodes. {aws} monitors the rollout of new EKS Auto Mode AMI versions. If you experience workload issues related to an AMI version, create a support case. For more information, see link:awssupport/latest/user/case-management.html["Creating support cases and case management",type="documentation"] in the AWS Support User Guide. +With EKS Auto Mode, {aws} determines the image (AMI) used for your compute nodes. {aws} monitors the rollout of new EKS Auto Mode AMI versions. If you experience workload issues related to an AMI version, create a support case. For more information, see link:awssupport/latest/user/case-management.html["Creating support cases and case management",type="documentation"] in the {aws} Support User Guide. == Supported instance reference diff --git a/latest/ug/automode/settings-auto.adoc b/latest/ug/automode/settings-auto.adoc index 9cb028e22..d619ecf22 100644 --- a/latest/ug/automode/settings-auto.adoc +++ b/latest/ug/automode/settings-auto.adoc @@ -107,3 +107,5 @@ include::associate-workload.adoc[leveloffset=+1] include::critical-workload.adoc[leveloffset=+1] include::auto-net-pol.adoc[leveloffset=+1] + +include::auto-tag-subnets.adoc[leveloffset=+1] From c920c442ed1c7ae1b7bab29a3cf3400b35bfd4b8 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Wed, 29 Jan 2025 18:52:44 -0600 Subject: [PATCH 065/940] Describe how to create a cluster without node pools (#849) * draft of create cluster without built in node pools * add role example --- latest/ug/automode/create-node-class.adoc | 59 +++++++++++++++++++ latest/ug/automode/create-node-pool.adoc | 28 +++++++++ .../ug/automode/set-builtin-node-pools.adoc | 9 ++- .../k8s-access/access-entries.adoc | 12 +++- 4 files changed, 102 insertions(+), 6 deletions(-) diff --git a/latest/ug/automode/create-node-class.adoc b/latest/ug/automode/create-node-class.adoc index d1804849a..ba5c13dfd 100644 --- a/latest/ug/automode/create-node-class.adoc +++ b/latest/ug/automode/create-node-class.adoc @@ -45,6 +45,60 @@ kubectl apply -f nodeclass.yaml Next, reference the Node Class in your Node Pool configuration. For more information, see <>. +[#auto-node-access-entry] +== Create node class access entry + +If you create a custom node class, you need to create an EKS Access Entry to permit the nodes to join the cluster. EKS automatically creates access entries when you use the built-in node class and node pools. + +For information about how Access Entries work, see <>. + +When creating access entries for EKS Auto Mode node classes, you need to use the `EC2` access entry type. + +=== Create access entry with CLI + +*To create an access entry for EC2 nodes and associate the EKS Auto Node Policy:* + +Update the following CLI commands with your cluster name, and node role ARN. The node role ARN is specified in the node class YAML. + +[source,bash] +---- +# Create the access entry for EC2 nodes +aws eks create-access-entry \ + --cluster-name \ + --principal-arn \ + --type EC2 + +# Associate the auto node policy +aws eks associate-access-policy \ + --cluster-name \ + --principal-arn \ + --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSAutoNodePolicy \ + --access-scope cluster +---- + +=== Create access entry with CloudFormation + +*To create an access entry for EC2 nodes and associate the EKS Auto Node Policy:* + +Update the following CloudFormation with your cluster name, and node role ARN. The node role ARN is specified in the node class YAML. + +[source,yaml] +---- +EKSAutoNodeRoleAccessEntry: + Type: AWS::EKS::AccessEntry + Properties: + ClusterName: + PrincipalArn: + Type: "EC2" + AccessPolicies: + - AccessScope: + Type: cluster + PolicyArn: arn:aws:eks::aws:cluster-access-policy/AmazonEKSAutoNodePolicy + DependsOn: [ ] # previously defined in CloudFormation +---- + +For information about deploying CloudFormation stacks, see link:AWSCloudFormation/latest/UserGuide/GettingStarted.html["Getting started with CloudFormation", type="documentation"] + == Node Class Specification [source,yaml] @@ -88,6 +142,11 @@ spec: size: "80Gi" # Range: 1-59000Gi or 1-64000G or 1-58Ti or 1-64T iops: 3000 # Range: 3000-16000 throughput: 125 # Range: 125-1000 + + # IAM role to use for EC2 instance role + # If unspecified, EKS will create a role + # If specified, role requires access entry described above + role: arn:aws:iam::123456789012:role/MyNodeRole # Optional: Additional EC2 tags tags: diff --git a/latest/ug/automode/create-node-pool.adoc b/latest/ug/automode/create-node-pool.adoc index b6da84a9f..b3adde228 100644 --- a/latest/ug/automode/create-node-pool.adoc +++ b/latest/ug/automode/create-node-pool.adoc @@ -178,6 +178,34 @@ spec: ** `node.kubernetes.io/windows-build` ** `kubernetes.io/os` +== Disable built-in node pools + +If you create custom node pools, you can disable the built-in node pools. For more information, see <>. + +== Cluster without built-in node pools + +You can create a cluster without the built-in node pools. This is helpful when your organization has created customized node pools. + +*Overview:* + +. Create an EKS cluster with the both `nodePools` and `nodeRoleArn` values empty. +** Sample eksctl `autoModeConfig`: ++ +[source,yaml] +---- +autoModeConfig: + enabled: true + nodePools: [] + # Do not set a nodeRoleARN +---- ++ +For more information, see <> +. Create a custom node class with a node role ARN +** For more information, see <> +. Create an access entry for the custom node class +** For more information, see <> +. Create a custom node pool, as described above. + == Disruption You can configure EKS Auto Mode to disrupt Nodes through your NodePool in multiple ways. You can use `spec.disruption.consolidationPolicy`, `spec.disruption.consolidateAfter`, or `spec.template.spec.expireAfter`. You can also rate limit EKS Auto Mode's disruption through the NodePool’s `spec.disruption.budgets`. You can also control the time windows and number of simultaneous Nodes disrupted. For instructions on configuring this behavior, see https://karpenter.sh/docs/concepts/disruption/[Disruption] in the Karpenter Documentation. diff --git a/latest/ug/automode/set-builtin-node-pools.adoc b/latest/ug/automode/set-builtin-node-pools.adoc index 1effcd571..c5c621223 100644 --- a/latest/ug/automode/set-builtin-node-pools.adoc +++ b/latest/ug/automode/set-builtin-node-pools.adoc @@ -23,12 +23,14 @@ Both built-in NodePools: * Use the C, M, and R EC2 instance families * Require generation 5 or newer EC2 instances -## Prerequisites +== Procedure + +=== Prerequisites * The latest version of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device. To check your current version, use `aws --version`. To install the latest version, see link:cli/latest/userguide/getting-started-install.html["Installing",type="documentation"] and link:cli/latest/userguide/cli-chap-configure.html#cli-configure-quickstart-config["Quick configuration",type="documentation"] with aws configure in the {aws} Command Line Interface User Guide. ** Login to the CLI with sufficent IAM permissions to create {aws} resources including IAM Policies, IAM Roles, and EKS Clusters. -== Enable with {aws} CLI +=== Enable with {aws} CLI Use the following command to enable both built-in NodePools: @@ -45,7 +47,7 @@ aws eks update-cluster-config \ You can modify the command to selectively enable the NodePools. -== Disable with {aws} CLI +=== Disable with {aws} CLI Use the following command to disable both built-in NodePools: @@ -55,3 +57,4 @@ aws eks update-cluster-config \ --name \ --compute-config '{"nodePools": []}' ---- + diff --git a/latest/ug/manage-access/k8s-access/access-entries.adoc b/latest/ug/manage-access/k8s-access/access-entries.adoc index 68392f452..f84dd25c8 100644 --- a/latest/ug/manage-access/k8s-access/access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/access-entries.adoc @@ -142,9 +142,15 @@ Before creating access entries, consider the following: ** If the type of the access entry is anything other than `STANDARD` (see next consideration about types), the ARN must be in the same {aws} account that your cluster is in. If the type is `STANDARD`, the ARN can be in the same, or different, {aws} account than the account that your cluster is in. ** You can't change the IAM principal after the access entry is created. ** If you ever delete the IAM principal with this ARN, the access entry isn't automatically deleted. We recommend that you delete the access entry with an ARN for an IAM principal that you delete. If you don't delete the access entry and ever recreate the IAM principal, even if it has the same ARN, the access entry won't work. This is because even though the ARN is the same for the recreated IAM principal, the `roleID` or `userID` (you can see this with the `aws sts get-caller-identity` {aws} CLI command) is different for the recreated IAM principal than it was for the original IAM principal. Even though you don't see the IAM principal's `roleID` or `userID` for an access entry, Amazon EKS stores it with the access entry. -* Each access entry has a _type_. You can specify `EC2_LINUX` (for an IAM role used with Linux or Bottlerocket self-managed nodes), `EC2_Windows` (for an IAM role used with Windows self-managed nodes), `FARGATE_LINUX` (for an IAM role used with {aws} Fargate (Fargate)), `HYBRID_LINUX` (for an IAM role used with hybrid nodes) or `STANDARD` as a type. If you don't specify a type, Amazon EKS automatically sets the type to `STANDARD`. It's unnecessary to create an access entry for an IAM role that's used for a managed node group or a Fargate profile. EKS will create access entries (if enabled), or update the auth config map (if access entries are unavailable). -+ -You can't change the type after the access entry is created. +* Each access entry has a _type_. If you don't specify a type, Amazon EKS automatically sets the type to `STANDARD` +** `EC2_LINUX` - For an IAM role used with Linux or Bottlerocket self-managed nodes +** `EC2_WINDOWS` - For an IAM role used with Windows self-managed nodes +** `FARGATE_LINUX` - For an IAM role used with {aws} Fargate (Fargate) +** `HYBRID_LINUX` - For an IAM role used with hybrid nodes +** `STANDARD` - Default type if none specified +** `EC2` - For EKS Auto Mode custom node classes. For more information, see <>. +** You can't change the type after the access entry is created. +* It's unnecessary to create an access entry for an IAM role that's used for a managed node group or a Fargate profile. EKS will create access entries (if enabled), or update the auth config map (if access entries are unavailable) * If the type of the access entry is `STANDARD`, you can specify a _username_ for the access entry. If you don't specify a value for username, Amazon EKS sets one of the following values for you, depending on the type of the access entry and whether the IAM principal that you specified is an IAM role or IAM user. Unless you have a specific reason for specifying your own username, we recommend that don't specify one and let Amazon EKS auto-generate it for you. If you specify your own username: + ** It can't start with `system:`, `eks:`, `aws:`, `amazon:`, or `iam:`. From b4fd8fcf770d1006a6d76f10344b773d2d62236c Mon Sep 17 00:00:00 2001 From: Daniel Morales <54182283+Daniel-Designs@users.noreply.github.com> Date: Wed, 29 Jan 2025 20:47:16 -0600 Subject: [PATCH 066/940] Update eks-outposts-troubleshooting.adoc Adding new troubleshooting section for KMS key accessibility issues when creating EKS clusters on AWS Outposts. --- latest/ug/outposts/eks-outposts-troubleshooting.adoc | 1 + 1 file changed, 1 insertion(+) diff --git a/latest/ug/outposts/eks-outposts-troubleshooting.adoc b/latest/ug/outposts/eks-outposts-troubleshooting.adoc index b3c37f3e8..63ddd3680 100644 --- a/latest/ug/outposts/eks-outposts-troubleshooting.adoc +++ b/latest/ug/outposts/eks-outposts-troubleshooting.adoc @@ -216,6 +216,7 @@ The most common issues are the following: * Your cluster can't connect to the control plane instance from the {aws} Region that Systems Manager is in. You can verify this by calling `aws ssm start-session --target [.replaceable]``instance-id``` from an in-Region bastion host. If that command doesn't work, check if Systems Manager is running on the control plane instance. Or, another work around is to delete the cluster and then recreate it. +* The control plane instances fail to create due to KMS key permissions for EBS volumes. When using customer managed KMS keys for encrypted EBS volumes, the control plane instances will terminate if the key is not accessible. If the instances are terminated, either switch to an AWS managed KMS key or ensure your customer managed key policy grants the necessary permissions to the cluster role. * Systems Manager control plane instances might not have internet access. Check if the subnet that you provided when you created the cluster has a NAT gateway and a VPC with an internet gateway. Use VPC reachability analyzer to verify that the control plane instance can reach the internet gateway. For more information, see link:vpc/latest/reachability/getting-started.html[Getting started with VPC Reachability Analyzer,type="documentation"]. * The role ARN that you provided is missing policies. Check if the <> was removed from the role. This can also occur if an {aws} CloudFormation stack is misconfigured. From 0e48565de033eae3df16934f442f5782473779bb Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Thu, 30 Jan 2025 19:34:26 +0000 Subject: [PATCH 067/940] Fixed formatting issues, other tweaks: 45316 --- .../cni-custom-network-tutorial.adoc | 119 +++++++++--------- 1 file changed, 57 insertions(+), 62 deletions(-) diff --git a/latest/ug/networking/cni-custom-network-tutorial.adoc b/latest/ug/networking/cni-custom-network-tutorial.adoc index 9d4845b2a..dd189cfed 100644 --- a/latest/ug/networking/cni-custom-network-tutorial.adoc +++ b/latest/ug/networking/cni-custom-network-tutorial.adoc @@ -14,26 +14,25 @@ Complete the following before you start the tutorial: * Review the considerations * Familiarity with how the [.noloc]`Amazon VPC CNI plugin for Kubernetes` creates secondary network interfaces and assigns IP addresses to [.noloc]`Pods`. For more information, see https://github.com/aws/amazon-vpc-cni-k8s#eni-allocation[ENI Allocation] on [.noloc]`GitHub`. -* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. +* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. * The `kubectl` command line tool is installed on your device or {aws} CloudShell. To install or upgrade `kubectl`, see <>. * We recommend that you complete the steps in this topic in a Bash shell. If you aren't using a Bash shell, some script commands such as line continuation characters and the way variables are set and used require adjustment for your shell. Additionally, the quoting and escaping rules for your shell might be different. For more information, see link:cli/latest/userguide/cli-usage-parameters-quoting-strings.html[Using quotation marks with strings in the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. -For this tutorial, we recommend using the [.replaceable]`example values`, except where it's noted to replace them. You can replace any [.replaceable]`example value` when completing the steps for a production cluster. We recommend completing all steps in the same terminal. This is because variables are set and used throughout the steps and won't exist in different terminals. +For this tutorial, we recommend using the example values, except where it's noted to replace them. You can replace any example value when completing the steps for a production cluster. We recommend completing all steps in the same terminal. This is because variables are set and used throughout the steps and won't exist in different terminals. -The commands in this topic are formatted using the conventions listed in link:cli/latest/userguide/welcome-examples.html[Using the {aws} CLI examples,type="documentation"]. If you're running commands from the command line against resources that are in a different {aws} Region than the default {aws} Region defined in the {aws} CLI link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-profiles[profile,type="documentation"] that you're using, then you need to add `--region [.replaceable]``region-code``` to the commands. +The commands in this topic are formatted using the conventions listed in link:cli/latest/userguide/welcome-examples.html[Using the {aws} CLI examples,type="documentation"]. If you're running commands from the command line against resources that are in a different {aws} Region than the default {aws} Region defined in the {aws} CLI link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-profiles[profile,type="documentation"] that you're using, then you need to add `--region us-west-2` to the commands, replacing `us-west-2` with your {aws} region. -When you want to deploy custom networking to your production cluster, skip to <>. +When you want to deploy custom networking to your production cluster, skip to <>. [[custom-networking-create-cluster,custom-networking-create-cluster.title]] == Step 1: Create a test VPC and cluster The following procedures help you create a test VPC and cluster and configure custom networking for that cluster. We don't recommend using the test cluster for production workloads because several unrelated features that you might use on your production cluster aren't covered in this topic. For more information, see <>. -. Define the `cluster_name` and `account_id` variables.. +. Run the following command to define the `account_id` variable. + [source,bash,subs="verbatim,attributes"] ---- -export cluster_name=my-custom-networking-cluster account_id=$(aws sts get-caller-identity --query Account --output text) ---- . Create a VPC. @@ -51,7 +50,7 @@ aws cloudformation create-stack --stack-name my-eks-custom-networking-vpc \ ParameterKey=PublicSubnet02Block,ParameterValue=192.168.0.32/27 ---- + -The {aws} CloudFormation stack takes a few minutes to create. To check on the stack's deployment status, run the following command. +.. The {aws} CloudFormation stack takes a few minutes to create. To check on the stack's deployment status, run the following command. + [source,bash,subs="verbatim,attributes"] ---- @@ -96,13 +95,13 @@ cat >eks-cluster-role-trust-policy.json <>. For a production cluster, adjust the steps accordingly for your VPC by replacing all of the [.replaceable]`example values` with your own. +This tutorial requires the VPC created in <>. For a production cluster, adjust the steps accordingly for your VPC by replacing all of the example values with your own. . Confirm that your currently-installed [.noloc]`Amazon VPC CNI plugin for Kubernetes` is the latest version. To determine the latest version for the Amazon EKS add-on type and update your version to it, see <>. To determine the latest version for the self-managed add-on type and update your version to it, see <>. -. Retrieve the ID of your cluster VPC and store it in a variable for use in later steps. For a production cluster, replace [.replaceable]`my-custom-networking-cluster` with the name of your cluster. +. Retrieve the ID of your cluster VPC and store it in a variable for use in later steps. + [source,bash,subs="verbatim,attributes"] ---- @@ -170,7 +169,7 @@ An example output is as follows. | 192.168.0.0/24 | associated | +-----------------+--------------+ ---- -.. Associate an additional CIDR block to your VPC. For more information, see link:vpc/latest/userguide/modify-vpcs.html#add-ipv4-cidr[Associate additional IPv4 CIDR blocks with your VPC,type="documentation"] in the Amazon VPC User Guide. +.. Associate an additional CIDR block to your VPC. Replace the CIDR block value in the following command. For more information, see link:vpc/latest/userguide/modify-vpcs.html#add-ipv4-cidr[Associate additional IPv4 CIDR blocks with your VPC,type="documentation"] in the Amazon VPC User Guide. + [source,bash,subs="verbatim,attributes"] ---- @@ -201,7 +200,7 @@ An example output is as follows. Don't proceed to the next step until your new CIDR block's `State` is `associated`. . Create as many subnets as you want to use in each Availability Zone that your existing subnets are in. Specify a CIDR block that's within the CIDR block that you associated with your VPC in a previous step. + -.. Create new subnets. The subnets must be created in a different VPC CIDR block than your existing subnets are in, but in the same Availability Zones as your existing subnets. In this example, one subnet is created in the new CIDR block in each Availability Zone that the current private subnets exist in. The IDs of the subnets created are stored in variables for use in later steps. The `Name` values match the values assigned to the subnets created using the Amazon EKS VPC template in a previous step. Names aren't required. You can use different names. +.. Create new subnets. Replace the CIDR block values in the following command. The subnets must be created in a different VPC CIDR block than your existing subnets are in, but in the same Availability Zones as your existing subnets. In this example, one subnet is created in the new CIDR block in each Availability Zone that the current private subnets exist in. The IDs of the subnets created are stored in variables for use in later steps. The `Name` values match the values assigned to the subnets created using the Amazon EKS VPC template in a previous step. Names aren't required. You can use different names. + [source,bash,subs="verbatim,attributes"] ---- @@ -213,7 +212,7 @@ new_subnet_id_2=$(aws ec2 create-subnet --vpc-id $vpc_id --availability-zone $az --query Subnet.SubnetId --output text) ---- + -IMPORTANT: By default, your new subnets are implicitly associated with your VPC's link:vpc/latest/userguide/VPC_Route_Tables.html#RouteTables[main route table,type="documentation"]. This route table allows communication between all the resources that are deployed in the VPC. However, it doesn't allow communication with resources that have IP addresses that are outside the CIDR blocks that are associated with your VPC. You can associate your own route table to your subnets to change this behavior. For more information, see link:vpc/latest/userguide/VPC_Route_Tables.html#subnet-route-tables[Subnet route tables,type="documentation"] in the Amazon VPC User Guide. +IMPORTANT: By default, your new subnets are implicitly associated with your VPC's link:vpc/latest/userguide/VPC_Route_Tables.html#RouteTables[main route table,type="documentation"]. This route table allows communication between all the resources that are deployed in the VPC. However, it doesn't allow communication with resources that have IP addresses that are outside the CIDR blocks that are associated with your VPC. You can associate your own route table to your subnets to change this behavior. For more information, see link:vpc/latest/userguide/VPC_Route_Tables.html#subnet-route-tables[Subnet route tables,type="documentation"] in the Amazon VPC User Guide. .. View the current subnets in your VPC. + [source,bash,subs="verbatim,attributes"] @@ -256,13 +255,12 @@ kubectl set env daemonset aws-node -n kube-system AWS_VPC_K8S_CNI_CUSTOM_NETWORK + [source,bash,subs="verbatim,attributes"] ---- -cluster_security_group_id=$(aws eks describe-cluster --name $cluster_name --query cluster.resourcesVpcConfig.clusterSecurityGroupId --output text) +cluster_security_group_id=$(aws eks describe-cluster --name my-custom-networking-cluster --query cluster.resourcesVpcConfig.clusterSecurityGroupId --output text) ---- . [[custom-networking-create-eniconfig]]Create an `ENIConfig` custom resource for each subnet that you want to deploy [.noloc]`Pods` in. + .. Create a unique file for each network interface configuration. + -+ The following commands create separate `ENIConfig` files for the two subnets that were created in a previous step. The value for `name` must be unique. The name is the same as the Availability Zone that the subnet is in. The cluster security group is assigned to the `ENIConfig`. + [source,yaml,subs="verbatim,attributes"] @@ -278,6 +276,7 @@ spec: subnet: $new_subnet_id_1 EOF ---- ++ [source,yaml,subs="verbatim,attributes"] ---- cat >$az_2.yaml <> later in this tutorial. +If your `ENIConfig` names aren't all the same as Availability Zone names, then replace $az_1 and $az_2 with your own names in the previous commands and <> later in this tutorial. + NOTE: If you don't specify a valid security group for use with a production cluster and you're using: @@ -305,10 +304,13 @@ NOTE: If you don't specify a valid security group for use with a production clus *** a version of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` that's earlier than `1.8.0`, then the default security group for the VPC is assigned to secondary network interfaces. + -IMPORTANT: -*** `AWS_VPC_K8S_CNI_EXTERNALSNAT=false` is a default setting in the configuration for the Amazon VPC CNI plugin for [.noloc]`Kubernetes`. If you're using the default setting, then traffic that is destined for IP addresses that aren't within one of the CIDR blocks associated with your VPC use the security groups and subnets of your node's primary network interface. The subnets and security groups defined in your `ENIConfigs` that are used to create secondary network interfaces aren't used for this traffic. For more information about this setting, see <>. -*** If you also use security groups for [.noloc]`Pods`, the security group that's specified in a `SecurityGroupPolicy` is used instead of the security group that's specified in the `ENIConfigs`. For more information, see <>. +[IMPORTANT] +==== +* `AWS_VPC_K8S_CNI_EXTERNALSNAT=false` is a default setting in the configuration for the Amazon VPC CNI plugin for [.noloc]`Kubernetes`. If you're using the default setting, then traffic that is destined for IP addresses that aren't within one of the CIDR blocks associated with your VPC use the security groups and subnets of your node's primary network interface. The subnets and security groups defined in your `ENIConfigs` that are used to create secondary network interfaces aren't used for this traffic. For more information about this setting, see <>. +* If you also use security groups for [.noloc]`Pods`, the security group that's specified in a `SecurityGroupPolicy` is used instead of the security group that's specified in the `ENIConfigs`. For more information, see <>. +==== ++ .. Apply each custom resource file that you created to your cluster with the following commands. + [source,bash,subs="verbatim,attributes"] @@ -376,17 +378,11 @@ cat >node-role-trust-relationship.json <>. +IMPORTANT: For simplicity in this tutorial, the link:aws-managed-policy/latest/reference/AmazonEKS_CNI_Policy.html[AmazonEKS_CNI_Policy,type="documentation"] policy is attached to the node IAM role. In a production cluster however, we recommend attaching the policy to a separate IAM role that is used only with the [.noloc]`Amazon VPC CNI plugin for Kubernetes`. For more information, see <>. . Create one of the following types of node groups. To determine the instance type that you want to deploy, see <>. For this tutorial, complete the *Managed*, *Without a launch template or with a launch template without an AMI ID specified* option. If you're going to use the node group for production workloads, then we recommend that you familiarize yourself with all of the managed node group <> and self-managed node group <> options before deploying the node group. + ** *Managed* – Deploy your node group using one of the following options: + -*** *Without a launch template or with a launch template without an AMI ID specified* – Run the following command. For this tutorial, use the [.replaceable]`example values`. For a production node group, replace all [.replaceable]`example values` with your own. The node group name can't be longer than 63 characters. It must start with letter or digit, but can also include hyphens and underscores for the remaining characters. +*** *Without a launch template or with a launch template without an AMI ID specified* – Run the following command. For this tutorial, use the example values. For a production node group, replace all example values with your own. The node group name can't be longer than 63 characters. It must start with letter or digit, but can also include hyphens and underscores for the remaining characters. + [source,bash,subs="verbatim,attributes"] ---- -aws eks create-nodegroup --cluster-name $cluster_name --nodegroup-name my-nodegroup \ +aws eks create-nodegroup --cluster-name my-custom-networking-cluster --nodegroup-name my-nodegroup \ --subnets $subnet_id_1 $subnet_id_2 --instance-types t3.medium --node-role $node_role_arn ---- -*** *With a launch template with a specified AMI ID*:: +*** *With a launch template with a specified AMI ID* + -.... Determine the Amazon EKS recommended number of maximum [.noloc]`Pods `for your nodes. Follow the instructions in <>, adding `--cni-custom-networking-enabled` to step 3 in that topic. Note the output for use in the next step. -.... In your launch template, specify an Amazon EKS optimized AMI ID, or a custom AMI built off the Amazon EKS optimized AMI, then <> and provide the following user data in the launch template. This user data passes arguments into the `bootstrap.sh` file. For more information about the bootstrap file, see https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap.sh] on [.noloc]`GitHub`. You can replace [.replaceable]`20` with either the value from the previous step (recommended) or your own value. +.... Determine the Amazon EKS recommended number of maximum [.noloc]`Pods `for your nodes. Follow the instructions in <>, adding `--cni-custom-networking-enabled` to step 3 in that topic. Note the output for use in the next step. +.... In your launch template, specify an Amazon EKS optimized AMI ID, or a custom AMI built off the Amazon EKS optimized AMI, then <> and provide the following user data in the launch template. This user data passes arguments into the `bootstrap.sh` file. For more information about the bootstrap file, see https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap.sh] on [.noloc]`GitHub`. You can replace `20` with either the value from the previous step (recommended) or your own value. + [source,bash,subs="verbatim,attributes"] ---- -/etc/eks/bootstrap.sh my-cluster --use-max-pods false --kubelet-extra-args '--max-pods=20' +/etc/eks/bootstrap.sh my-custom-networking-cluster --use-max-pods false --kubelet-extra-args '--max-pods=20' ---- + If you've created a custom AMI that is not built off the Amazon EKS optimized AMI, then you need to custom create the configuration yourself. -** *Self-managed*:: +** *Self-managed* + -... Determine the Amazon EKS recommended number of maximum [.noloc]`Pods` for your nodes. Follow the instructions in <>, adding `--cni-custom-networking-enabled` to step 3 in that topic. Note the output for use in the next step. -... Deploy the node group using the instructions in <>. Specify the following text for the *BootstrapArguments* parameter. You can replace [.replaceable]`20` with either the value from the previous step (recommended) or your own value. +... Determine the Amazon EKS recommended number of maximum [.noloc]`Pods` for your nodes. Follow the instructions in <>, adding `--cni-custom-networking-enabled` to step 3 in that topic. Note the output for use in the next step. +... Deploy the node group using the instructions in <>. Specify the following text for the *BootstrapArguments* parameter. You can replace `20` with either the value from the previous step (recommended) or your own value. + [source,bash,subs="verbatim,attributes"] ---- --use-max-pods false --kubelet-extra-args '--max-pods=20' ---- + + + -NOTE: If you want nodes in a production cluster to support a significantly higher number of [.noloc]`Pods`, run the script in <> again. Also, add the `--cni-prefix-delegation-enabled` option to the command. For example, [.replaceable]`110` is returned for an `m5.large` instance type. For instructions on how to enable this capability, see <>. You can use this capability with custom networking. +[NOTE] +==== +If you want nodes in a production cluster to support a significantly higher number of [.noloc]`Pods`, run the script in <> again. Also, add the `--cni-prefix-delegation-enabled` option to the command. For example, `110` is returned for an `m5.large` instance type. For instructions on how to enable this capability, see <>. You can use this capability with custom networking. +==== + -Node group creation takes several minutes. You can check the status of the creation of a managed node group with the following command. +. Node group creation takes several minutes. You can check the status of the creation of a managed node group with the following command. + [source,bash,subs="verbatim,attributes"] ---- -aws eks describe-nodegroup --cluster-name $cluster_name --nodegroup-name my-nodegroup --query nodegroup.status --output text +aws eks describe-nodegroup --cluster-name my-custom-networking-cluster --nodegroup-name my-nodegroup --query nodegroup.status --output text ---- + Don't continue to the next step until the output returned is `ACTIVE`. @@ -468,7 +469,7 @@ NAME STATUS ROLES AGE VERSION ip-192-168-0-126.us-west-2.compute.internal Ready 8m49s v1.22.9-eks-810597c ip-192-168-0-92.us-west-2.compute.internal Ready 8m34s v1.22.9-eks-810597c ---- -.. Determine which Availability Zone each node is in. Run the following command for each node that was returned in the previous step. +.. Determine which Availability Zone each node is in. Run the following command for each node that was returned in the previous step, replacing the IP addresses based on the previous output. + [source,bash,subs="verbatim,attributes"] ---- @@ -487,7 +488,7 @@ An example output is as follows. } ] ---- -.. Annotate each node with the `ENIConfig` that you created for the subnet ID and Availability Zone. You can only annotate a node with one `ENIConfig`, though multiple nodes can be annotated with the same `ENIConfig`. Replace the [.replaceable]`example values` with your own. +.. Annotate each node with the `ENIConfig` that you created for the subnet ID and Availability Zone. You can only annotate a node with one `ENIConfig`, though multiple nodes can be annotated with the same `ENIConfig`. Replace the example values with your own. + [source,bash,subs="verbatim,attributes"] ---- @@ -498,14 +499,11 @@ kubectl annotate node ip-192-168-0-92.us-west-2.compute.internal k8s.amazonaws.c + .. Make sure that you have available nodes that are using the custom networking feature. .. Cordon and drain the nodes to gracefully shut down the [.noloc]`Pods`. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/[Safely Drain a Node] in the [.noloc]`Kubernetes` documentation. -.. Terminate the nodes. If the nodes are in an existing managed node group, you can delete the node group. Copy the command that follows to your device. Make the following modifications to the command as needed and then run the modified command: -+ -*** Replace [.replaceable]`my-cluster` with the name for your cluster. -*** Replace [.replaceable]`my-nodegroup` with the name for your node group. +.. Terminate the nodes. If the nodes are in an existing managed node group, you can delete the node group. Run the following command. + [source,bash,subs="verbatim,attributes"] ---- -aws eks delete-nodegroup --cluster-name my-cluster --nodegroup-name my-nodegroup +aws eks delete-nodegroup --cluster-name my-custom-networking-cluster --nodegroup-name my-nodegroup ---- + @@ -532,7 +530,7 @@ kube-system kube-proxy-wx9vk 1/1 Running 0 7m15s 19 + You can see that the coredns [.noloc]`Pods` are assigned IP addresses from the `192.168.1.0` CIDR block that you added to your VPC. Without custom networking, they would have been assigned addresses from the `192.168.0.0` CIDR block, because it was the only CIDR block originally associated with the VPC. + -If a [.noloc]`Pod's` `spec` contains `hostNetwork=true`, it's assigned the primary IP address of the node. It isn't assigned an address from the subnets that you added. By default, this value is set to `false`. This value is set to `true` for the `kube-proxy` and [.noloc]`Amazon VPC CNI plugin for Kubernetes` (`aws-node`) [.noloc]`Pods` that run on your cluster. This is why the `kube-proxy` and the plugin's `aws-node` [.noloc]`Pods` aren't assigned `192.168.1.[.replaceable]``x``` addresses in the previous output. For more information about a [.noloc]`Pod's` `hostNetwork` setting, see https://kubernetes.io/docs/reference/generated/kubernetes-api/v{k8s-n}/#podspec-v1-core[PodSpec v1 core] in the [.noloc]`Kubernetes` API reference. +If a [.noloc]`Pod's` `spec` contains `hostNetwork=true`, it's assigned the primary IP address of the node. It isn't assigned an address from the subnets that you added. By default, this value is set to `false`. This value is set to `true` for the `kube-proxy` and [.noloc]`Amazon VPC CNI plugin for Kubernetes` (`aws-node`) [.noloc]`Pods` that run on your cluster. This is why the `kube-proxy` and the plugin's `aws-node` [.noloc]`Pods` aren't assigned 192.168.1.x addresses in the previous output. For more information about a [.noloc]`Pod's` `hostNetwork` setting, see https://kubernetes.io/docs/reference/generated/kubernetes-api/v{k8s-n}/#podspec-v1-core[PodSpec v1 core] in the [.noloc]`Kubernetes` API reference. [[custom-network-delete-resources,custom-network-delete-resources.title]] @@ -544,14 +542,13 @@ After you complete the tutorial, we recommend that you delete the resources that + [source,bash,subs="verbatim,attributes"] ---- -aws eks delete-nodegroup --cluster-name $cluster_name --nodegroup-name my-nodegroup +aws eks delete-nodegroup --cluster-name my-custom-networking-cluster --nodegroup-name my-nodegroup ---- -+ -Even after the {aws} CLI output says that the cluster is deleted, the delete process might not actually be complete. The delete process takes a few minutes. Confirm that it's complete by running the following command. +. Even after the {aws} CLI output says that the cluster is deleted, the delete process might not actually be complete. The delete process takes a few minutes. Confirm that it's complete by running the following command. + [source,bash,subs="verbatim,attributes"] ---- -aws eks describe-nodegroup --cluster-name $cluster_name --nodegroup-name my-nodegroup --query nodegroup.status --output text +aws eks describe-nodegroup --cluster-name my-custom-networking-cluster --nodegroup-name my-nodegroup --query nodegroup.status --output text ---- + Don't continue until the returned output is similar to the following output. @@ -580,21 +577,21 @@ aws iam delete-role --role-name myCustomNetworkingNodeRole + [source,bash,subs="verbatim,attributes"] ---- -aws eks delete-cluster --name $cluster_name +aws eks delete-cluster --name my-custom-networking-cluster ---- + Confirm the cluster is deleted with the following command. + [source,bash,subs="verbatim,attributes"] ---- -aws eks describe-cluster --name $cluster_name --query cluster.status --output text +aws eks describe-cluster --name my-custom-networking-cluster --query cluster.status --output text ---- + When output similar to the following is returned, the cluster is successfully deleted. + [source,bash,subs="verbatim,attributes"] ---- -An error occurred (ResourceNotFoundException) when calling the DescribeCluster operation: No cluster found for name: my-cluster. +An error occurred (ResourceNotFoundException) when calling the DescribeCluster operation: No cluster found for name: my-custom-networking-cluster. ---- . Delete the cluster IAM role. + @@ -623,5 +620,3 @@ aws ec2 delete-subnet --subnet-id $new_subnet_id_2 ---- aws cloudformation delete-stack --stack-name my-eks-custom-networking-vpc ---- - - From 0e91cddc4b7130d47b4e96a07103045a074dc89f Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Thu, 30 Jan 2025 15:29:38 -0600 Subject: [PATCH 068/940] Update enable-extended-support.adoc (#860) Update what clusters have what support policies by default --- latest/ug/clusters/enable-extended-support.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/clusters/enable-extended-support.adoc b/latest/ug/clusters/enable-extended-support.adoc index 2e6dd4b78..43297559c 100644 --- a/latest/ug/clusters/enable-extended-support.adoc +++ b/latest/ug/clusters/enable-extended-support.adoc @@ -8,7 +8,7 @@ This topic describes how to set the _upgrade policy_ of an EKS cluster to enabl Clusters actually in the _extended support period_ incur higher costs. If a cluster merely has the upgrade policy set to enable extended support, and is otherwise in the _standard support period_, it incurs standard costs. -EKS Clusters have the upgrade policy set to enable extended support by default. +If you create a cluster in the {aws} console, it will have the upgrade policy set to disable extended support. If you create a cluster in another way, it will have the upgrade policy set to enable extended support. For example, clusters created with the {aws} API have extended support enabled. For more information about upgrade policies, see <>. From f5d124d457d8f8e20c6bb22b205df07a4928c643 Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Thu, 30 Jan 2025 13:52:43 -0800 Subject: [PATCH 069/940] Improve Hybrid CNI compatibility description, clean up ~50% of Vale issues on the page --- latest/ug/nodes/hybrid-nodes-cni.adoc | 67 ++++++--------------------- 1 file changed, 15 insertions(+), 52 deletions(-) diff --git a/latest/ug/nodes/hybrid-nodes-cni.adoc b/latest/ug/nodes/hybrid-nodes-cni.adoc index 99fd6d55a..2bf59c873 100644 --- a/latest/ug/nodes/hybrid-nodes-cni.adoc +++ b/latest/ug/nodes/hybrid-nodes-cni.adoc @@ -11,50 +11,13 @@ include::../attributes.txt[] Configure a CNI for Amazon EKS hybrid nodes -- -Cilium and Calico are supported as the Container Networking Interfaces (CNIs) for Amazon EKS Hybrid Nodes. You must install a CNI for hybrid nodes to become ready to serve workloads. Hybrid nodes appear with status `Not Ready` until a CNI is running. You can manage these CNIs with your choice of tooling such as Helm. The Amazon VPC CNI is not compatible with hybrid nodes and the VPC CNI is configured with anti-affinity for the `eks.amazonaws.com/compute-type: hybrid` label. +Cilium and Calico are supported as the Container Networking Interfaces (CNIs) for Amazon EKS Hybrid Nodes. You must install a CNI for hybrid nodes to become ready to serve workloads. Hybrid nodes appear with status `Not Ready` until a CNI is running. You can manage these CNIs with your choice of tools such as Helm. The Amazon VPC CNI is not compatible with hybrid nodes and the VPC CNI is configured with anti-affinity for the `eks.amazonaws.com/compute-type: hybrid` label. -== Version compatibility +== CNI version compatibility -The table below represents the Cilium and Calico versions that are compatible and validated for each Kubernetes version supported in Amazon EKS. +Calico version `3.29.x` is supported and recommended for EKS Hybrid Nodes for every Kubernetes version supported in Amazon EKS. -[cols="1,1,1", options="header"] -|=== -|Kubernetes version -|Cilium version -|Calico version - -|1.32 -|1.16.x -|3.29.x - -|1.31 -|1.16.x -|3.29.x - -|1.30 -|1.16.x -|3.29.x - -|1.29 -|1.16.x -|3.29.x - -|1.28 -|1.16.x -|3.29.x - -|1.27 -|1.16.x -|3.29.x - -|1.26 -|1.16.x -|3.29.x - -|1.25 -|1.16.x -|3.29.x -|=== +Cilium version `1.16.x` is supported and recommended for EKS Hybrid Nodes for every Kubernetes version supported in Amazon EKS. == Supported capabilities @@ -110,7 +73,7 @@ The table below represents the Cilium and Calico versions that are compatible an helm repo add cilium https://helm.cilium.io/ ---- -. Create a yaml file called `cilium-values.yaml`. If you configured at least one _remote pod network_, configure the same pod CIDRs for your `clusterPoolIPv4PodCIDRList`. You shouldn't change your `clusterPoolIPv4PodCIDRList` after deploying Cilium on your cluster. You can configure `clusterPoolIPv4MaskSize` based on your required pods per node, see https://docs.cilium.io/en/stable/network/concepts/ipam/cluster-pool/#expanding-the-cluster-pool[Expanding the cluster pool] in the Cilium documentation. For a full list of Helm values for Cilium, see the the https://docs.cilium.io/en/stable/helm-reference/[Helm reference] in the Cilium documentation. The following example configures all of the Cilium components to run on only the hybrid nodes, since they have the the `eks.amazonaws.com/compute-type: hybrid` label. +. Create a YAML file called `cilium-values.yaml`. If you configured at least one _remote pod network_, configure the same pod CIDRs for your `clusterPoolIPv4PodCIDRList`. You shouldn't change your `clusterPoolIPv4PodCIDRList` after deploying Cilium on your cluster. You can configure `clusterPoolIPv4MaskSize` based on your required pods per node, see https://docs.cilium.io/en/stable/network/concepts/ipam/cluster-pool/#expanding-the-cluster-pool[Expanding the cluster pool] in the Cilium documentation. For a full list of Helm values for Cilium, see the https://docs.cilium.io/en/stable/helm-reference/[Helm reference] in the Cilium documentation. The following example configures all of the Cilium components to run on only the hybrid nodes, since they have the `eks.amazonaws.com/compute-type: hybrid` label. + By default, Cilium masquerades the source IP address of all pod traffic leaving the cluster to the IP address of the node. This makes it possible for Cilium to run with Amazon EKS clusters that have remote pod networks configured and with clusters that don't have remote pod networks configured. If you disable masquerading for your Cilium deployment, then you must configure your Amazon EKS cluster with your remote pod networks and you must advertise your pod addresses with your on-premises network. If you are running webhooks on your hybrid nodes, you must configure your cluster with your remote pod networks and you must advertise your pod addresses with your on-premises network. + @@ -173,7 +136,7 @@ NAME STATUS ROLES AGE VERSION mi-04a2cf999b7112233 Ready 19m v1.31.0-eks-a737599 ---- -. To use BGP with Cilium to advertise your pod addresses with your on-premises network, you must have installed Cilium with `bgpControlPlane.enabled: true`. To configure BGP in Cilium, first create a file called `cilium-bgp-cluster.yaml` with a `CiliumBGPClusterConfig` with the peerAddress set to your on-premises router IP that you are peering with. Configure the `localASN` and `peerASN` based on your on-premises router configuration. +. To use BGP with Cilium to advertise your pod addresses with your on-premises network, you must have installed Cilium with `bgpControlPlane.enabled: true`. To configure BGP in Cilium, first create a file called `cilium-bgp-cluster.yaml` with a `CiliumBGPClusterConfig` with the `peerAddress` set to your on-premises router IP that you are peering with. Configure the `localASN` and `peerASN` based on your on-premises router configuration. + [source,yaml,subs="verbatim,attributes,quotes"] ---- @@ -206,7 +169,7 @@ spec: kubectl apply -f cilium-bgp-cluster.yaml ---- -. The `CiliumBGPPeerConfig` resource is used to define a BGP peer configuration. Multiple peers can share the same configuration and provide reference to the common `CiliumBGPPeerConfig` resource. Create a file named `cilium-bgp-peer.yaml` to configure the peer configuration for your on-premises network. See the https://docs.cilium.io/en/latest/network/bgp-control-plane/bgp-control-plane-v2/#bgp-peer-configuration[BGP Peer Configuration] in the Cilium documentation for a full list of configuration options. +. The `CiliumBGPPeerConfig` resource defines a BGP peer configuration. Multiple peers can share the same configuration and provide reference to the common `CiliumBGPPeerConfig` resource. Create a file named `cilium-bgp-peer.yaml` to configure the peer configuration for your on-premises network. See the https://docs.cilium.io/en/latest/network/bgp-control-plane/bgp-control-plane-v2/#bgp-peer-configuration[BGP Peer Configuration] in the Cilium documentation for a full list of configuration options. + [source,yaml,subs="verbatim,attributes,quotes"] ---- @@ -279,7 +242,7 @@ Before upgrading your Cilium deployment, carefully review the https://docs.ciliu helm repo add cilium https://helm.cilium.io/ ---- -. Run the Cilium upgrade pre-flight check. Replace `CILIUM_VERSION` with your target Cilium version. It is recommended to run the latest patch version for your Cilium minor version. You can find the latest patch release for a given minor Cilium release in the https://github.com/cilium/cilium#stable-releases[Stable Releases section] of the Cilium documentation. +. Run the Cilium upgrade pre-flight check. Replace `CILIUM_VERSION` with your target Cilium version. We recommend that you run the latest patch version for your Cilium minor version. You can find the latest patch release for a given minor Cilium release in the https://github.com/cilium/cilium#stable-releases[Stable Releases section] of the Cilium documentation. + [source,bash,subs="verbatim,attributes,quotes"] ---- @@ -290,7 +253,7 @@ helm install cilium-preflight cilium/cilium --version CILIUM_VERSION \ --set operator.enabled=false ---- -. After applying the `cilium-preflight.yaml`, ensure that the number of READY pods is the same number of Cilium pods running. +. After applying the `cilium-preflight.yaml`, ensure that the number of `READY` pods is the same number of Cilium pods running. + [source,bash,subs="verbatim,attributes,quotes"] ---- @@ -324,7 +287,7 @@ cilium-pre-flight-check 1/1 1 0 12s helm uninstall cilium-preflight --namespace kube-system ---- -. During normal cluster operations, all Cilium components should run the same version. The following steps describe how to upgrade all of the components from one stable release to a later stable release. When upgrading from one minor release to another minor release, it is recommended to upgrade to the latest patch release for the existing Cilium minor version first. To minimize disruption, the upgradeCompatibility option should be set to the initial Cilium version which was installed in this cluster. +. During normal cluster operations, all Cilium components should run the same version. The following steps describe how to upgrade all of the components from one stable release to a later stable release. When upgrading from one minor release to another minor release, it is recommended to upgrade to the latest patch release for the existing Cilium minor version first. To minimize disruption, set the `upgradeCompatibility` option to the initial Cilium version that you installed in this cluster. + Before running the helm upgrade command, preserve the values for your deployment in a `cilium-values.yaml` or use `--set` command line options for your settings. The upgrade operation overwrites the Cilium ConfigMap, so it is critical that your configuration values are passed when you upgrade. If you are using BGP, it is recommended to use the `--set bgpControlPlane=true` command line option instead of supplying this information in your values file. + @@ -374,9 +337,9 @@ kubectl get crds -oname | grep "cilium" | xargs kubectl delete helm repo add projectcalico https://docs.tigera.io/calico/charts ---- -. Create a yaml file called `calico-values.yaml` that configures Calico with affinity to run on hybrid nodes. For more information on the different Calico networking modes, see https://docs.tigera.io/calico/latest/networking/determine-best-networking[Determining the best networking option] in the Calico documentation. +. Create a YAML file called `calico-values.yaml` that configures Calico with affinity to run on hybrid nodes. For more information on the different Calico networking modes, see https://docs.tigera.io/calico/latest/networking/determine-best-networking[Determining the best networking option] in the Calico documentation. .. Replace `POD_CIDR` with the CIDR ranges for your pods. If you configured your Amazon EKS cluster with remote pod networks, the `POD_CIDR` that you specify for Calico should be the same as the remote pod networks. For example, `10.100.0.0/24`. -.. Replace `CIDR_SIZE` with the size of the CIDR segment you wish to allocate to each node. For example, `25` for a /25 segment size. For more information on CIDR `blockSize` and changing the `blockSize`, see https://docs.tigera.io/calico/latest/networking/ipam/change-block-size[Change IP pool block size] in the Calico documentation. +.. Replace `CIDR_SIZE` with the size of the CIDR segment you want to allocate to each node. For example, `25` for a /25 segment size. For more information on CIDR `blockSize` and changing the `blockSize`, see https://docs.tigera.io/calico/latest/networking/ipam/change-block-size[Change IP pool block size] in the Calico documentation. .. In the example below, `natOutgoing` is enabled and `bgp` is disabled. In this configuration, Calico can run on Amazon EKS clusters that have Remote Pod Network configured and can run on clusters that do not have Remote Pod Network configured. If you have `natOutgoing` set to disabled, you must configure your cluster with your remote pod networks and your on-premises network must be able to properly route traffic destined for your pod CIDRs. A common way to advertise pod addresses with your on-premises network is by using BGP. To use BGP with Calico, you must enable `bgp`. The example below configures all of the Calico components to run on only the hybrid nodes, since they have the `eks.amazonaws.com/compute-type: hybrid` label. If you are running webhooks on your hybrid nodes, you must configure your cluster with your Remote Pod Networks and you must advertise your pod addresses with your on-premises network. The example below configures `controlPlaneReplicas: 1`, increase the value if you have multiple hybrid nodes and want to run the Calico control plane components in a highly available fashion. + [source,yaml,subs="verbatim,attributes,quotes"] @@ -434,7 +397,7 @@ helm install calico projectcalico/tigera-operator \ -f calico-values.yaml ---- -. You can confirm your Calico installation was successful with the following commands. You should see the `tigera-operator` deployment, the `calico-node` agent running on each of your hybrid nodes, as well as the `calico-apiserver`, `csi-node-driver`, and `calico-kube-controllers` deployed. Additionally, your hybrid nodes should now have status `Ready`. If you are using `natOutgoing: Disabled`, then all of the Calico components will not be able to start successfully until you advertise your pod addresses with your on-premises network. For information on how to configure BGP for Calico, proceed to the next step. +. You can confirm your Calico installation was successful with the following commands. You should see the `tigera-operator` deployment, the `calico-node` agent running on each of your hybrid nodes, the `calico-apiserver`, `csi-node-driver`, and `calico-kube-controllers` deployed. Additionally, your hybrid nodes should now have status `Ready`. If you are using `natOutgoing: Disabled`, then all of the Calico components will not be able to start successfully until you advertise your pod addresses with your on-premises network. For information on how to configure BGP for Calico, proceed to the next step. + [source,bash,subs="verbatim,attributes"] ---- @@ -541,14 +504,14 @@ helm upgrade calico projectcalico/tigera-operator \ == Delete Calico from hybrid nodes -. Run the following command to uninstall Calico components from your cluster. Note that uninstalling the CNI may impact the health of nodes and pods and should not be performed on production clusters. If you installed Calico in a namespace other than `kube-system` change the namespace in the command below. +. Run the following command to uninstall Calico components from your cluster. Note that uninstalling the CNI might impact the health of nodes and pods and shouldn't be performed on production clusters. If you installed Calico in a namespace other than `kube-system` change the namespace in the command below. + [source,bash,subs="verbatim,attributes,quotes"] ---- helm uninstall calico --namespace kube-system ---- + -Note that the interfaces and routes configured by Calico are not removed by default when the CNI is removed from the cluster. +Note that the interfaces and routes configured by Calico are not removed by default when you remove the CNI from the cluster. . To clean up the on-disk configuration files and resources, remove the Calico files from the `/opt/cni` and `/etc/cni` directories. . To remove the Calico CRDs from your cluster, run the following commands. + From 688164b8800f950cbde50da08cd267b35983a30a Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Thu, 30 Jan 2025 13:53:20 -0800 Subject: [PATCH 070/940] bump eksctl release --- latest/ug/attributes.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/attributes.txt b/latest/ug/attributes.txt index ccf4a7b7a..6e973ec78 100644 --- a/latest/ug/attributes.txt +++ b/latest/ug/attributes.txt @@ -1,6 +1,6 @@ // EKS-specific attributes -:eksctl-min-version: 0.199.0 +:eksctl-min-version: 0.202.0 // EKS Auto Mode :auto-cli-v2-version: 2.12.3 From de2a54a739a2e322783c919ec46e0bcb94d6c178 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Thu, 30 Jan 2025 23:12:08 +0000 Subject: [PATCH 071/940] Removed some ,quotes for code blocks that did not need them for easier maintenance. --- .../ug/ml/ml-eks-windows-optimized-ami.adoc | 18 ++--- latest/ug/nodes/fargate-logging.adoc | 32 ++++----- latest/ug/nodes/hybrid-nodes-add-ons.adoc | 20 +++--- .../ug/nodes/hybrid-nodes-cluster-create.adoc | 30 ++++----- .../ug/nodes/hybrid-nodes-cluster-prep.adoc | 10 +-- latest/ug/nodes/hybrid-nodes-cni.adoc | 66 +++++++++---------- latest/ug/nodes/hybrid-nodes-creds.adoc | 30 ++++----- latest/ug/nodes/hybrid-nodes-nodeadm.adoc | 44 ++++++------- latest/ug/nodes/hybrid-nodes-remove.adoc | 8 +-- latest/ug/nodes/hybrid-nodes-upgrade.adoc | 8 +-- latest/ug/nodes/retrieve-ami-id.adoc | 8 +-- latest/ug/observability/view-raw-metrics.adoc | 6 +- latest/ug/quickstart.adoc | 8 +-- 13 files changed, 144 insertions(+), 144 deletions(-) diff --git a/latest/ug/ml/ml-eks-windows-optimized-ami.adoc b/latest/ug/ml/ml-eks-windows-optimized-ami.adoc index 77ee28c7e..d671ebd5a 100644 --- a/latest/ug/ml/ml-eks-windows-optimized-ami.adoc +++ b/latest/ug/ml/ml-eks-windows-optimized-ami.adoc @@ -50,7 +50,7 @@ Navigate to link:AWSEC2/latest/UserGuide/install-nvidia-driver#nvidia-GRID-drive For Windows Server Core, which doesn’t have a desktop experience, install NVIDIA GRID drivers silently by using the following commands: -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- $nvidiaInstallerFilePath = nvidia-driver-installer.exe # Replace with path to installer $installerArguments = "-s -clean -noreboot -noeula" @@ -61,7 +61,7 @@ Start-Process -FilePath $nvidiaInstallerFilePath -ArgumentList $installerArgumen Run the following PowerShell command to show diagnostic information about the GPUs on the instance: -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- nvidia-smi ---- @@ -87,21 +87,21 @@ When running GPU-accelerated containers, the device plugin supports two modes: * **Single-tenancy mode**: This mode dedicates all GPU resources to a single container on the instance. Install the device plugins with single-tenancy support using the following command. See README.md for more information. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- kubectl apply -f "https://raw.githubusercontent.com/TensorWorks/directx-device-plugins/main/deployments/default-daemonsets.yml" ---- * **Multi-tenancy mode**: This mode allows sharing GPU resources among multiple containers on the instance. Install the device plugins with multi-tenancy support using the following command. See README.md for more information. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- kubectl apply -f "https://raw.githubusercontent.com/TensorWorks/directx-device-plugins/main/deployments/multitenancy-inline.yml" ---- + Alternatively, use a ConfigMap to specify the multi-tenancy. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- kubectl apply -f "https://raw.githubusercontent.com/TensorWorks/directx-device-plugins/main/deployments/multitenancy-configmap.yml" ---- @@ -110,8 +110,8 @@ kubectl apply -f "https://raw.githubusercontent.com/TensorWorks/directx-device-p [[ml-eks-windows-ami-verify-device-plugin,ml-eks-windows-ami-verify-device-plugin.title]] === Verifying the device plugin deployment -After you have deployed the device plugin, run the following command to verify the DirectX Device Plugin is running correctly on your all your Windows nodes. -[source,bash,subs="verbatim,attributes,quotes"] +After you have deployed the device plugin, replace `` and run the following command to verify the DirectX Device Plugin is running correctly on your all your Windows nodes. +[source,bash,subs="verbatim,attributes"] ---- kubectl get ds device-plugin-wddm -n [.replaceable]`` ---- @@ -121,7 +121,7 @@ kubectl get ds device-plugin-wddm -n [.replaceable]`` === Verifying containers are ready for deployment Once the device plugin DaemonSet is running on the GPU-powered Windows worker nodes, use the following command to verify that each node has allocatable GPUs. The corresponding number should match the number of DirectX devices on each node. -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- kubectl get nodes "-o=custom-columns=NAME:.metadata.name,DirectX:.status.allocatable.directx\.microsoft\.com/display" ---- @@ -136,7 +136,7 @@ This will indicate that your containers require GPU-enabled capabilities, and th As an example, see the sample command below which launches a `Job` to run Monte Carlo simulation to estimate the value of pi. This example is from the https://github.com/TensorWorks/DirectX-Device-Plugins[Kubernetes Device Plugins for DirectX] GitHub repository, which has https://github.com/TensorWorks/DirectX-Device-Plugins/tree/main/examples[multiple examples] to choose from that you can run to test your Windows node GPU capabilities. -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- cat <>). + @@ -358,7 +358,7 @@ Shipping [.noloc]`Fluent Bit` process logs to CloudWatch requires additional log == Test application . Deploy a sample [.noloc]`Pod`. + -.. Save the following contents to a file named `[.replaceable]``sample-app``.yaml` on your computer. +.. Save the following contents to a file named `sample-app.yaml` on your computer. + [source,yaml,subs="verbatim,attributes,quotes"] ---- @@ -386,9 +386,9 @@ spec: ---- .. Apply the manifest to the cluster. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- -kubectl apply -f [.replaceable]`sample-app`.yaml +kubectl apply -f sample-app.yaml ---- . View the NGINX logs using the destination(s) that you configured in the `ConfigMap`. diff --git a/latest/ug/nodes/hybrid-nodes-add-ons.adoc b/latest/ug/nodes/hybrid-nodes-add-ons.adoc index cf999d578..213678b28 100644 --- a/latest/ug/nodes/hybrid-nodes-add-ons.adoc +++ b/latest/ug/nodes/hybrid-nodes-add-ons.adoc @@ -56,11 +56,11 @@ Kube-proxy and CoreDNS are installed as unmanaged add-ons by default when an EKS Node-level metrics are not available for hybrid nodes because link:AmazonCloudWatch/latest/monitoring/ContainerInsights.html[CloudWatch Container Insights,type="documentation"] depends on the availability of link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html[Instance Metadata Service,type="documentation"] (IMDS) for node-level metrics. Cluster, workload, pod, and container-level metrics are available for hybrid nodes. After installing the add-on by following the steps described in link:AmazonCloudWatch/latest/monitoring/install-CloudWatch-Observability-EKS-addon.html[Install the CloudWatch agent with the Amazon CloudWatch Observability,type="documentation"], the add-on manifest must be updated before the agent can run successfully on hybrid nodes. Edit the `amazoncloudwatchagents` resource on the cluster to add the `RUN_WITH_IRSA` environment variable as shown below. -[source,yaml,subs="verbatim,attributes,quotes"] +[source,yaml,subs="verbatim,attributes"] ---- kubectl edit amazoncloudwatchagents -n amazon-cloudwatch cloudwatch-agent ---- -[source,yaml,subs="verbatim,attributes,quotes"] +[source,yaml,subs="verbatim,attributes"] ---- apiVersion: v1 items: @@ -107,14 +107,14 @@ You can use the <> To install the {aws} Load Balancer Controller, follow the steps at <> or <>. For ingress with ALB, you must specify the annotations below. See <> for instructions. -[source,yaml,subs="verbatim,attributes,quotes"] +[source,yaml,subs="verbatim,attributes"] ---- alb.ingress.kubernetes.io/scheme: internal alb.ingress.kubernetes.io/target-type: ip ---- For load balancing with NLB, you must specify the annotations below. See <> for instructions. -[source,yaml,subs="verbatim,attributes,quotes"] +[source,yaml,subs="verbatim,attributes"] ---- service.beta.kubernetes.io/aws-load-balancer-type: "external" service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip" @@ -127,7 +127,7 @@ The original Amazon EKS Pod Identity Agent [.noloc]`DaemonSet` relies on the ava . To use the Pod Identity agent on hybrid nodes, set `enableCredentialsFile: true` in the hybrid section of `nodeadm` config as shown below: + -[source,yaml,subs="verbatim,attributes,quotes"] +[source,yaml,subs="verbatim,attributes"] ---- apiVersion: node.eks.aws/v1alpha1 kind: NodeConfig @@ -140,26 +140,26 @@ This will configure `nodeadm` to create a credentials file to be configured on t + . After you update the `nodeadm` config on _each_ node, run the following `nodeadm init` command with your `nodeConfig.yaml` to join your hybrid nodes to your Amazon EKS cluster. If your nodes have joined the cluster previous, still run the `init` command again. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- nodeadm init -c file://nodeConfig.yaml ---- + . Install `eks-pod-identity-agent` with support for hybrid nodes enabled, by either using the {cli} or {aws-management-console}. + -.. {cli}: From the machine that you're using to administer the cluster, run the following command to install `eks-pod-identity-agent` with support for hybrid nodes enabled. +.. {cli}: From the machine that you're using to administer the cluster, run the following command to install `eks-pod-identity-agent` with support for hybrid nodes enabled. Replace `my-cluster` with the name of your cluster. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- aws eks create-addon \ - --cluster-name [.replaceable]`cluster-name` \ + --cluster-name my-cluster \ --addon-name eks-pod-identity-agent \ --configuration-values '{"daemonsets":{"hybrid":{"create": true}}}' ---- + .. {aws-management-console}: If you are installing the Pod Identity Agent add-on through the {aws} console, add the following to the optional configuration to deploy the daemonset that targets hybrid nodes. + -[source,yaml,subs="verbatim,attributes,quotes"] +[source,yaml,subs="verbatim,attributes"] ---- {"daemonsets":{"hybrid":{"create": true}}} ---- diff --git a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc index 4c9612977..17b4eac04 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc @@ -38,7 +38,7 @@ If you already have a cluster IAM role, or you're going to create your cluster w . Run the following command to create an IAM trust policy JSON file. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- cat >eks-cluster-role-trust-policy.json <>. Attach the Amazon EKS managed policy named `AmazonEKSClusterPolicy` to the role. To attach an IAM policy to an link:IAM/latest/UserGuide/id_roles#iam-term-principal[IAM principal,type="documentation"], the principal that is attaching the policy must be assigned one of the following IAM actions (permissions): `iam:AttachUserPolicy` or `iam:AttachRolePolicy`. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEKSClusterPolicy \ @@ -104,7 +104,7 @@ You need to install the latest version of the `eksctl` command line tool. To ins ... Be within one of the IPv4 RFC-1918 ranges: `10.0.0.0/8`, `172.16.0.0/12`, or `192.168.0.0/16`. ... Not overlap with each other, the `VPC CIDR` for your cluster, or your Kubernetes service IPv4 CIDR + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- apiVersion: eksctl.io/v1alpha5 kind: ClusterConfig @@ -127,14 +127,14 @@ remoteNetworkConfig: . Run the following command: + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- eksctl create cluster -f cluster-config.yaml ---- + Cluster provisioning takes several minutes. While the cluster is being created, several lines of output appear. The last line of output is similar to the following example line. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- [✓] EKS cluster "CLUSTER_NAME" in "REGION" region is ready ---- @@ -149,7 +149,7 @@ The CloudFormation stack creates the EKS cluster IAM role and an EKS cluster wit . Download the CloudFormation template. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- curl -OL 'https://raw.githubusercontent.com/aws/eks-hybrid/refs/heads/main/example/hybrid-eks-cfn.yaml' ---- @@ -189,7 +189,7 @@ curl -OL 'https://raw.githubusercontent.com/aws/eks-hybrid/refs/heads/main/examp . Deploy the CloudFormation stack. Replace `STACK_NAME` with your name for the CloudFormation stack and AWS_REGION with your desired {aws} Region where the cluster will be created. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- aws cloudformation deploy \ --stack-name STACK_NAME \ @@ -201,7 +201,7 @@ aws cloudformation deploy \ + Cluster provisioning takes several minutes. You can check the status of your stack with the following command. Replace `STACK_NAME` with your name for the CloudFormation stack and `AWS_REGION` with your desired {aws} Region where the cluster will be created. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- aws cloudformation describe-stacks \ --stack-name STACK_NAME \ @@ -231,7 +231,7 @@ aws cloudformation describe-stacks \ ... Be within one of the IPv4 RFC-1918 ranges: `10.0.0.0/8`, `172.16.0.0/12`, or `192.168.0.0/16`. ... Not overlap with each other, the `VPC CIDR` for your Amazon EKS cluster, or your Kubernetes service IPv4 CIDR. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- aws eks create-cluster \ --name CLUSTER_NAME \ @@ -245,7 +245,7 @@ aws eks create-cluster \ . It takes several minutes to provision the cluster. You can query the status of your cluster with the following command. Replace `CLUSTER_NAME` with the name of the cluster you are creating and `AWS_REGION` with the {aws} Region where the cluster is creating. Don't proceed to the next step until the output returned is `ACTIVE`. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- aws eks describe-cluster \ --name CLUSTER_NAME \ @@ -306,28 +306,28 @@ aws eks describe-cluster \ If you created your cluster using `eksctl`, then you can skip this step. This is because `eksctl` already completed this step for you. Enable `kubectl` to communicate with your cluster by adding a new context to the `kubectl` config file. For more information about how to create and update the file, see <>. -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- aws eks update-kubeconfig --name CLUSTER_NAME --region AWS_REGION ---- An example output is as follows. -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- Added new context arn:aws:eks:AWS_REGION:111122223333:cluster/CLUSTER_NAME to /home/username/.kube/config ---- Confirm communication with your cluster by running the following command. -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- kubectl get svc ---- An example output is as follows. -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes ClusterIP 10.100.0.1 443/TCP 28h diff --git a/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc b/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc index c18fa4a51..f25cd0f80 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc @@ -24,7 +24,7 @@ There is an Amazon EKS access entry type for hybrid nodes named HYBRID_LINUX tha . Create your access entry with the following command. Replace CLUSTER_NAME with the name of your cluster and HYBRID_NODES_ROLE_ARN with the ARN of the role you created in the steps for <>. + -[source,shell,subs="verbatim,attributes,quotes"] +[source,shell,subs="verbatim,attributes"] ---- aws eks create-access-entry --cluster-name CLUSTER_NAME \ --principal-arn HYBRID_NODES_ROLE_ARN \ @@ -58,7 +58,7 @@ In the following steps, you will create or update the `aws-auth` ConfigMap with . Check to see if you have an existing `aws-auth` ConfigMap for your cluster. Note that if you are using a specific `kubeconfig` file, use the `--kubeconfig` flag. + -[source,shell,subs="verbatim,attributes,quotes"] +[source,shell,subs="verbatim,attributes"] ---- kubectl describe configmap -n kube-system aws-auth ---- @@ -67,14 +67,14 @@ kubectl describe configmap -n kube-system aws-auth + .. Open the ConfigMap for editing. + -[source,shell,subs="verbatim,attributes,quotes"] +[source,shell,subs="verbatim,attributes"] ---- kubectl edit -n kube-system configmap/aws-auth ---- .. Add a new `mapRoles` entry as needed. Replace `HYBRID_NODES_ROLE_ARN` with the ARN of your Hybrid Nodes IAM role. Note, `{{SessionName}}` is the correct template format to save in the ConfigMap. Do not replace it with other values. + -[source,yaml,subs="verbatim,attributes,quotes"] +[source,yaml,subs="verbatim,attributes"] ---- data: mapRoles: | @@ -89,7 +89,7 @@ data: . If there is not an existing `aws-auth` ConfigMap for your cluster, create it with the following command. Replace `HYBRID_NODES_ROLE_ARN` with the ARN of your Hybrid Nodes IAM role. Note that `{{SessionName}}` is the correct template format to save in the ConfigMap. Do not replace it with other values. + -[source,shell,subs="verbatim,attributes,quotes"] +[source,shell,subs="verbatim,attributes"] ---- kubectl apply -f=/dev/stdin <<-EOF apiVersion: v1 diff --git a/latest/ug/nodes/hybrid-nodes-cni.adoc b/latest/ug/nodes/hybrid-nodes-cni.adoc index 2bf59c873..ce4054531 100644 --- a/latest/ug/nodes/hybrid-nodes-cni.adoc +++ b/latest/ug/nodes/hybrid-nodes-cni.adoc @@ -68,7 +68,7 @@ Cilium version `1.16.x` is supported and recommended for EKS Hybrid Nodes for ev . Ensure that you have installed the helm CLI on your command-line environment. See the https://helm.sh/docs/intro/quickstart/[Helm documentation] for installation instructions. . Install the Cilium Helm repo. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- helm repo add cilium https://helm.cilium.io/ ---- @@ -79,7 +79,7 @@ By default, Cilium masquerades the source IP address of all pod traffic leaving + A common way to advertise pod addresses with your on-premises network is by using BGP. To use BGP with Cilium, you must set `bgpControlPlane.enabled: true`. For more information on Cilium's BGP support, see https://docs.cilium.io/en/stable/network/bgp-control-plane/bgp-control-plane/[Cilium BGP Control Plane] in the Cilium documentation. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- affinity: nodeAffinity: @@ -113,24 +113,24 @@ helm install cilium cilium/cilium \ . You can confirm your Cilium installation was successful with the following commands. You should see the `cilium-operator` deployment and the `cilium-agent` running on each of your hybrid nodes. Additionally, your hybrid nodes should now have status `Ready`. For information on how to configure BGP for Cilium, proceed to the next step. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- kubectl get pods -n kube-system ---- + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- NAME READY STATUS RESTARTS AGE cilium-jjjn8 1/1 Running 0 11m cilium-operator-d4f4d7fcb-sc5xn 1/1 Running 0 11m ---- + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- kubectl get nodes ---- + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- NAME STATUS ROLES AGE VERSION mi-04a2cf999b7112233 Ready 19m v1.31.0-eks-a737599 @@ -138,7 +138,7 @@ mi-04a2cf999b7112233 Ready 19m v1.31.0-eks-a737599 . To use BGP with Cilium to advertise your pod addresses with your on-premises network, you must have installed Cilium with `bgpControlPlane.enabled: true`. To configure BGP in Cilium, first create a file called `cilium-bgp-cluster.yaml` with a `CiliumBGPClusterConfig` with the `peerAddress` set to your on-premises router IP that you are peering with. Configure the `localASN` and `peerASN` based on your on-premises router configuration. + -[source,yaml,subs="verbatim,attributes,quotes"] +[source,yaml,subs="verbatim,attributes"] ---- apiVersion: cilium.io/v2alpha1 kind: CiliumBGPClusterConfig @@ -164,14 +164,14 @@ spec: . Apply the Cilium BGP Cluster configuration to your cluster. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- kubectl apply -f cilium-bgp-cluster.yaml ---- . The `CiliumBGPPeerConfig` resource defines a BGP peer configuration. Multiple peers can share the same configuration and provide reference to the common `CiliumBGPPeerConfig` resource. Create a file named `cilium-bgp-peer.yaml` to configure the peer configuration for your on-premises network. See the https://docs.cilium.io/en/latest/network/bgp-control-plane/bgp-control-plane-v2/#bgp-peer-configuration[BGP Peer Configuration] in the Cilium documentation for a full list of configuration options. + -[source,yaml,subs="verbatim,attributes,quotes"] +[source,yaml,subs="verbatim,attributes"] ---- apiVersion: cilium.io/v2alpha1 kind: CiliumBGPPeerConfig @@ -194,14 +194,14 @@ spec: . Apply the Cilium BGP Peer configuration to your cluster. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- kubectl apply -f cilium-bgp-peer.yaml ---- . The `CiliumBGPAdvertisement` resource is used to define various advertisement types and attributes associated with them. Create a file named `cilium-bgp-advertisement.yaml` and configure the `CiliumBGPAdvertisement` resource with your desired settings. + -[source,yaml,subs="verbatim,attributes,quotes"] +[source,yaml,subs="verbatim,attributes"] ---- apiVersion: cilium.io/v2alpha1 kind: CiliumBGPAdvertisement @@ -222,7 +222,7 @@ spec: . Apply the Cilium BGP Advertisement configuration to your cluster. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- kubectl apply -f cilium-bgp-advertisement.yaml ---- @@ -237,14 +237,14 @@ Before upgrading your Cilium deployment, carefully review the https://docs.ciliu . Install the Cilium Helm repo. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- helm repo add cilium https://helm.cilium.io/ ---- . Run the Cilium upgrade pre-flight check. Replace `CILIUM_VERSION` with your target Cilium version. We recommend that you run the latest patch version for your Cilium minor version. You can find the latest patch release for a given minor Cilium release in the https://github.com/cilium/cilium#stable-releases[Stable Releases section] of the Cilium documentation. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- helm install cilium-preflight cilium/cilium --version CILIUM_VERSION \ --namespace=kube-system \ @@ -255,12 +255,12 @@ helm install cilium-preflight cilium/cilium --version CILIUM_VERSION \ . After applying the `cilium-preflight.yaml`, ensure that the number of `READY` pods is the same number of Cilium pods running. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- kubectl get ds -n kube-system | sed -n '1p;/cilium/p' ---- + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE cilium 2 2 2 2 2 1h20m @@ -269,12 +269,12 @@ cilium-pre-flight-check 2 2 2 2 2 < . Once the number of READY pods are equal, make sure the Cilium pre-flight deployment is also marked as READY 1/1. If it shows READY 0/1, consult the https://docs.cilium.io/en/v1.16/operations/upgrade/#cnp-validation[CNP Validation] section and resolve issues with the deployment before continuing with the upgrade. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- kubectl get deployment -n kube-system cilium-pre-flight-check -w ---- + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- NAME READY UP-TO-DATE AVAILABLE AGE cilium-pre-flight-check 1/1 1 0 12s @@ -282,7 +282,7 @@ cilium-pre-flight-check 1/1 1 0 12s . Delete the preflight + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- helm uninstall cilium-preflight --namespace kube-system ---- @@ -291,7 +291,7 @@ helm uninstall cilium-preflight --namespace kube-system + Before running the helm upgrade command, preserve the values for your deployment in a `cilium-values.yaml` or use `--set` command line options for your settings. The upgrade operation overwrites the Cilium ConfigMap, so it is critical that your configuration values are passed when you upgrade. If you are using BGP, it is recommended to use the `--set bgpControlPlane=true` command line option instead of supplying this information in your values file. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- helm upgrade cilium cilium/cilium --version CILIUM_VERSION \ --namespace kube-system \ @@ -301,7 +301,7 @@ helm upgrade cilium cilium/cilium --version CILIUM_VERSION \ . (Optional) If you need to rollback your upgrade due to issues, run the following commands. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- helm history cilium --namespace kube-system helm rollback cilium [REVISION] --namespace kube-system @@ -311,7 +311,7 @@ helm rollback cilium [REVISION] --namespace kube-system . Run the following command to uninstall all Cilium components from your cluster. Note, uninstalling the CNI may impact the health of nodes and pods and shouldn't be performed on production clusters. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- helm uninstall cilium --namespace kube-system ---- @@ -322,7 +322,7 @@ The interfaces and routes configured by Cilium are not removed by default when t . To remove the Cilium Custom Resource Definitions (CRDs) from your cluster, you can run the following commands. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- kubectl get crds -oname | grep "cilium" | xargs kubectl delete ---- @@ -332,7 +332,7 @@ kubectl get crds -oname | grep "cilium" | xargs kubectl delete . Ensure that you have installed the helm CLI on your command-line environment. See the https://helm.sh/docs/intro/quickstart/[Helm documentation] for installation instructions. . Install the Cilium Helm repo. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- helm repo add projectcalico https://docs.tigera.io/calico/charts ---- @@ -342,7 +342,7 @@ helm repo add projectcalico https://docs.tigera.io/calico/charts .. Replace `CIDR_SIZE` with the size of the CIDR segment you want to allocate to each node. For example, `25` for a /25 segment size. For more information on CIDR `blockSize` and changing the `blockSize`, see https://docs.tigera.io/calico/latest/networking/ipam/change-block-size[Change IP pool block size] in the Calico documentation. .. In the example below, `natOutgoing` is enabled and `bgp` is disabled. In this configuration, Calico can run on Amazon EKS clusters that have Remote Pod Network configured and can run on clusters that do not have Remote Pod Network configured. If you have `natOutgoing` set to disabled, you must configure your cluster with your remote pod networks and your on-premises network must be able to properly route traffic destined for your pod CIDRs. A common way to advertise pod addresses with your on-premises network is by using BGP. To use BGP with Calico, you must enable `bgp`. The example below configures all of the Calico components to run on only the hybrid nodes, since they have the `eks.amazonaws.com/compute-type: hybrid` label. If you are running webhooks on your hybrid nodes, you must configure your cluster with your Remote Pod Networks and you must advertise your pod addresses with your on-premises network. The example below configures `controlPlaneReplicas: 1`, increase the value if you have multiple hybrid nodes and want to run the Calico control plane components in a highly available fashion. + -[source,yaml,subs="verbatim,attributes,quotes"] +[source,yaml,subs="verbatim,attributes"] ---- installation: enabled: true @@ -418,12 +418,12 @@ kube-system kube-proxy-lxzxh 1/1 Running kube-system tigera-operator-f8bc97d4c-28b4d 1/1 Running 0 90s ---- + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- kubectl get nodes ---- + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- NAME STATUS ROLES AGE VERSION mi-0c6ec2f6f79176565 Ready 5h13m v1.31.0-eks-a737599 @@ -452,19 +452,19 @@ spec: . Apply the file to your cluster. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- kubectl apply -f calico-bgp.yaml ---- . Confirm the Calico pods are running with the following command. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- kubectl get pods -n calico-system -w ---- + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- NAMESPACE NAME READY STATUS RESTARTS AGE calico-apiserver calico-apiserver-598bf99b6c-2vltk 1/1 Running 0 3h24m @@ -506,7 +506,7 @@ helm upgrade calico projectcalico/tigera-operator \ . Run the following command to uninstall Calico components from your cluster. Note that uninstalling the CNI might impact the health of nodes and pods and shouldn't be performed on production clusters. If you installed Calico in a namespace other than `kube-system` change the namespace in the command below. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- helm uninstall calico --namespace kube-system ---- @@ -515,12 +515,12 @@ Note that the interfaces and routes configured by Calico are not removed by defa . To clean up the on-disk configuration files and resources, remove the Calico files from the `/opt/cni` and `/etc/cni` directories. . To remove the Calico CRDs from your cluster, run the following commands. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- kubectl get crds -oname | grep "calico" | xargs kubectl delete ---- + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- kubectl get crds -oname | grep "tigera" | xargs kubectl delete ---- diff --git a/latest/ug/nodes/hybrid-nodes-creds.adoc b/latest/ug/nodes/hybrid-nodes-creds.adoc index f93b74d9b..021306fcb 100644 --- a/latest/ug/nodes/hybrid-nodes-creds.adoc +++ b/latest/ug/nodes/hybrid-nodes-creds.adoc @@ -45,7 +45,7 @@ See the example below for how to create an {aws} SSM hybrid activation with your It is recommended to use one {aws} SSM hybrid activation per EKS cluster to scope the {aws} SSM `ssm:DeregisterManagedInstance` permission of the Hybrid Nodes IAM role to only be able to deregister instances that are associated with your {aws} SSM hybrid activation. In the example on this page, a tag with the EKS cluster ARN is used, which can be used to map your {aws} SSM hybrid activation to the EKS cluster. You can alternatively use your preferred tag and method of scoping the {aws} SSM permissions based on your permission boundaries and requirements. The `REGISTRATION_LIMIT` option in the command below is an integer used to limit the number of machines that can use the {aws} SSM hybrid activation (for example `10`) -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- aws ssm create-activation \ --region AWS_REGION \ @@ -90,7 +90,7 @@ The CloudFormation stack creates the Hybrid Nodes IAM Role with the permissions . Download the {aws} SSM CloudFormation template for hybrid nodes: + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- curl -OL 'https://raw.githubusercontent.com/aws/eks-hybrid/refs/heads/main/example/hybrid-ssm-cfn.yaml' ---- @@ -112,7 +112,7 @@ curl -OL 'https://raw.githubusercontent.com/aws/eks-hybrid/refs/heads/main/examp ---- . Deploy the CloudFormation stack. Replace `STACK_NAME` with your name for the CloudFormation stack. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- aws cloudformation deploy \ --stack-name STACK_NAME \ @@ -131,7 +131,7 @@ The CloudFormation stack creates the {aws} IAM Roles Anywhere trust anchor with .. Certificates issued from public CAs cannot be used as trust anchors. . Download the {aws} IAM Roles Anywhere CloudFormation template for hybrid nodes + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- curl -OL 'https://raw.githubusercontent.com/aws/eks-hybrid/refs/heads/main/example/hybrid-ira-cfn.yaml' ---- @@ -152,7 +152,7 @@ curl -OL 'https://raw.githubusercontent.com/aws/eks-hybrid/refs/heads/main/examp ---- . Deploy the CloudFormation template. Replace `STACK_NAME` with your name for the CloudFormation stack. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- aws cloudformation deploy \ --stack-name STACK_NAME \ @@ -187,7 +187,7 @@ Install and configure the {aws} CLI, if you haven't already. See link:cli/latest . Create the policy with the following command: + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- aws iam create-policy \ --policy-name EKSDescribeClusterPolicy \ @@ -227,7 +227,7 @@ aws iam create-policy \ ---- . Create the policy with the following command + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- aws iam create-policy \ --policy-name EKSHybridSSMPolicy \ @@ -261,7 +261,7 @@ aws iam create-policy \ ---- . Create the role with the following command. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- aws iam create-role \ --role-name AmazonEKSHybridNodesRole \ @@ -271,7 +271,7 @@ aws iam create-role \ . Attach the `EKSDescribeClusterPolicy` and the `EKSHybridSSMPolicy` you created in the previous steps. Replace `AWS_ACCOUNT_ID` with your {aws} account ID. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- aws iam attach-role-policy \ --role-name AmazonEKSHybridNodesRole \ @@ -279,7 +279,7 @@ aws iam attach-role-policy \ ---- + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- aws iam attach-role-policy \ --role-name AmazonEKSHybridNodesRole \ @@ -289,7 +289,7 @@ aws iam attach-role-policy \ . Attach the `AmazonEC2ContainerRegistryPullOnly` and `AmazonSSMManagedInstanceCore` {aws} managed policies. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- aws iam attach-role-policy \ --role-name AmazonEKSHybridNodesRole \ @@ -297,7 +297,7 @@ aws iam attach-role-policy \ ---- + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- aws iam attach-role-policy \ --role-name AmazonEKSHybridNodesRole \ @@ -351,7 +351,7 @@ To use {aws} IAM Roles Anywhere, you must set up your {aws} IAM Roles Anywhere t . Create the role with the following command. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- aws iam create-role \ --role-name AmazonEKSHybridNodesRole \ @@ -361,7 +361,7 @@ aws iam create-role \ . Attach the `EKSDescribeClusterPolicy` you created in the previous steps. Replace `AWS_ACCOUNT_ID` with your {aws} account ID. + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- aws iam attach-role-policy \ --role-name AmazonEKSHybridNodesRole \ @@ -371,7 +371,7 @@ aws iam attach-role-policy \ . Attach the `AmazonEC2ContainerRegistryPullOnly` {aws} managed policy + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- aws iam attach-role-policy \ --role-name AmazonEKSHybridNodesRole \ diff --git a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc index 73814bca2..99e6ee18b 100644 --- a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc +++ b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc @@ -18,20 +18,20 @@ The Amazon EKS Hybrid Nodes CLI (`nodeadm`) used for hybrid nodes lifecycle mana The hybrid nodes version of `nodeadm` is hosted in Amazon S3 fronted by Amazon CloudFront. To install `nodeadm` on each on-premises host, you can run the following command from your on-premises hosts. *For x86_64 hosts:* -[source,yaml,subs="verbatim,attributes,quotes"] +[source,yaml,subs="verbatim,attributes"] ---- curl -OL 'https://hybrid-assets.eks.amazonaws.com/releases/latest/bin/linux/amd64/nodeadm' ---- *For ARM hosts* -[source,yaml,subs="verbatim,attributes,quotes"] +[source,yaml,subs="verbatim,attributes"] ---- curl -OL 'https://hybrid-assets.eks.amazonaws.com/releases/latest/bin/linux/arm64/nodeadm' ---- Add executable file permission to the downloaded binary on each host. -[source,yaml,subs="verbatim,attributes,quotes"] +[source,yaml,subs="verbatim,attributes"] ---- chmod +x nodeadm ---- @@ -97,21 +97,21 @@ The `install` command is used to install the artifacts and dependencies required Install Kubernetes version `1.31` with {aws} Systems Manager (SSM) as the credential provider -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- nodeadm install 1.31 --credential-provider ssm ---- Install Kubernetes version `1.31` with {aws} Systems Manager (SSM) as the credential provider, Docker as the containerd source, with a download timeout of 20 minutes. -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- nodeadm install 1.31 --credential-provider ssm --containerd-source docker --timeout 20m ---- Install Kubernetes version `1.31` with {aws} IAM Roles Anywhere as the credential provider -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- nodeadm install 1.31 --credential-provider iam-ra ---- @@ -199,7 +199,7 @@ nodeadm config check [flags] ==== Examples -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- nodeadm config check --config-source file:///root/nodeConfig.yaml ---- @@ -210,7 +210,7 @@ The `init` command starts and connects the hybrid node with the configured Amazo ==== Usage -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- nodeadm init [flags] ---- @@ -248,7 +248,7 @@ nodeadm init [flags] ==== Examples -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- nodeadm init --config-source file://root/nodeConfig.yaml ---- @@ -316,7 +316,7 @@ The `nodeadm upgrade` command upgrades all the installed artifacts to the latest ==== Usage -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- nodeadm upgrade [KUBERNETES_VERSION] [flags] ---- @@ -367,12 +367,12 @@ nodeadm upgrade [KUBERNETES_VERSION] [flags] ==== Examples -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- nodeadm upgrade 1.31 --config-source file:///root/nodeConfig.yaml ---- -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- nodeadm upgrade 1.31 --config-source file:///root/nodeConfig.yaml --timeout 20m ---- @@ -383,7 +383,7 @@ The `nodeadm uninstall` command stops and removes the artifacts `nodeadm` instal ==== Usage -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- nodeadm uninstall [flags] ---- @@ -420,12 +420,12 @@ nodeadm uninstall [flags] ==== Examples -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- nodeadm uninstall ---- -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- nodeadm uninstall --skip node-validation,pod-validation ---- @@ -442,7 +442,7 @@ The `nodeadm debug` command can be used to troubleshoot unhealthy or misconfigur If errors are found, the command's output suggests troubleshooting steps. Certain validation steps show child processes. If these fail, the output is showed in a stderr section under the validation error. ==== Usage -[source,yaml,subs="verbatim,attributes,quotes"] +[source,yaml,subs="verbatim,attributes"] ---- nodeadm debug [flags] ---- @@ -466,7 +466,7 @@ nodeadm debug [flags] |=== ==== Examples -[source,yaml,subs="verbatim,attributes,quotes"] +[source,yaml,subs="verbatim,attributes"] ---- nodeadm debug --config-source file://nodeConfig.yaml ---- @@ -477,7 +477,7 @@ nodeadm debug --config-source file://nodeConfig.yaml The following is a sample `nodeConfig.yaml` when using {aws} SSM hybrid activations for hybrid nodes credentials. -[source,yaml,subs="verbatim,attributes,quotes"] +[source,yaml,subs="verbatim,attributes"] ---- apiVersion: node.eks.aws/v1alpha1 kind: NodeConfig @@ -497,7 +497,7 @@ The following is a sample `nodeConfig.yaml` for {aws} IAM Roles Anywhere for hyb When using {aws} IAM Roles Anywhere as your on-premises credentials provider, the `nodeName` you use in your `nodeadm` configuration must align with the permissions you scoped for your Hybrid Nodes IAM role. For example, if your permissions for the Hybrid Nodes IAM role only allow {aws} IAM Roles Anywhere to assume the role when the role session name is equal to the CN of the host certificate, then the `nodeName` in your `nodeadm` configuration must be the same as the CN of your certificates. The `nodeName` that you use can't be longer than 64 characters. For more information, see <>. -[source,yaml,subs="verbatim,attributes,quotes"] +[source,yaml,subs="verbatim,attributes"] ---- apiVersion: node.eks.aws/v1alpha1 kind: NodeConfig @@ -519,7 +519,7 @@ spec: You can pass kubelet configuration and flags in your `nodeadm` configuration. See the example below for how to add an additional node label `abc.amazonaws.com/test-label` and config for setting `shutdownGracePeriod` to 30 seconds. -[source,yaml,subs="verbatim,attributes,quotes"] +[source,yaml,subs="verbatim,attributes"] ---- apiVersion: node.eks.aws/v1alpha1 kind: NodeConfig @@ -542,7 +542,7 @@ spec: You can pass custom containerd configuration in your `nodeadm` configuration. The containerd configuration for `nodeadm` accepts in-line TOML. See the example below for how to configure containerd to disable deletion of unpacked image layers in the containerd content store. -[source,yaml,subs="verbatim,attributes,quotes"] +[source,yaml,subs="verbatim,attributes"] ---- apiVersion: node.eks.aws/v1alpha1 kind: NodeConfig @@ -568,7 +568,7 @@ You can also use the containerd configuration to enable SELinux support. With SE Red Hat Enterprise Linux (RHEL) 8 and RHEL 9 have SELinux enabled by default and set to strict on the host. Amazon Linux 2023 has SELinux enabled by default and set to permissive mode. When SELinux is set to permissive mode on the host, enabling it on containerd will not block requests but will log it according to the SELinux configuration on the host. ==== -[source,yaml,subs="verbatim,attributes,quotes"] +[source,yaml,subs="verbatim,attributes"] ---- apiVersion: node.eks.aws/v1alpha1 kind: NodeConfig diff --git a/latest/ug/nodes/hybrid-nodes-remove.adoc b/latest/ug/nodes/hybrid-nodes-remove.adoc index 62afc5d4f..13d57db79 100644 --- a/latest/ug/nodes/hybrid-nodes-remove.adoc +++ b/latest/ug/nodes/hybrid-nodes-remove.adoc @@ -22,7 +22,7 @@ Run the kubectl steps below from your local machine or instance that you use to == Step 1: List your nodes -[source,yaml,subs="verbatim,attributes,quotes"] +[source,yaml,subs="verbatim,attributes"] ---- kubectl get nodes ---- @@ -31,7 +31,7 @@ kubectl get nodes See https://kubernetes.io/docs/reference/kubectl/generated/kubectl_drain/[kubectl drain] in the Kubernetes documentation for more information on the `kubectl drain` command. -[source,yaml,subs="verbatim,attributes,quotes"] +[source,yaml,subs="verbatim,attributes"] ---- kubectl drain --ignore-daemonsets ---- @@ -40,7 +40,7 @@ kubectl drain --ignore-daemonsets You can use the Amazon EKS Hybrid Nodes CLI (`nodeadm`) to stop and remove the hybrid nodes artifacts from the host. You must run `nodeadm` with a user that has root/sudo privileges. By default, `nodeadm uninstall` will not proceed if there are pods remaining on the node. If you are using {aws} Systems Manager (SSM) as your credentials provider, the `nodeadm uninstall` command deregisters the host as an {aws} SSM managed instance. For more information, see <>. -[source,yaml,subs="verbatim,attributes,quotes"] +[source,yaml,subs="verbatim,attributes"] ---- nodeadm uninstall ---- @@ -49,7 +49,7 @@ nodeadm uninstall With the hybrid nodes artifacts stopped and uninstalled, remove the node resource from your cluster. -[source,yaml,subs="verbatim,attributes,quotes"] +[source,yaml,subs="verbatim,attributes"] ---- kubectl delete node ---- diff --git a/latest/ug/nodes/hybrid-nodes-upgrade.adoc b/latest/ug/nodes/hybrid-nodes-upgrade.adoc index d2e496652..84520238b 100644 --- a/latest/ug/nodes/hybrid-nodes-upgrade.adoc +++ b/latest/ug/nodes/hybrid-nodes-upgrade.adoc @@ -119,28 +119,28 @@ The in-place upgrade process refers to using `nodeadm upgrade` to upgrade the Ku . Use the following command to taint the node you are upgrading with `NoSchedule`. This is so that new pods aren't scheduled or rescheduled on the node that you are upgrading. For more information, see https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/[Taints and Tolerations] in the Kubernetes documentation. Replace `NODE_NAME` with the name of the hybrid node you are upgrading + -[source,yaml,subs="verbatim,attributes,quotes"] +[source,yaml,subs="verbatim,attributes"] ---- kubectl taint nodes NODE_NAME key=value:NoSchedule ---- . Drain the node you are upgrading with the following command. For more information on draining nodes, see https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/[Safely Drain a Node] in the Kubernetes documentation. Replace `NODE_NAME` with the name of the hybrid node you are upgrading. + -[source,yaml,subs="verbatim,attributes,quotes"] +[source,yaml,subs="verbatim,attributes"] ---- kubectl drain NODE_NAME --ignore-daemonsets --delete-emptydir-data ---- . Run `nodeadm upgrade` on the hybrid node you are upgrading. You must run `nodeadm` with a user that has root/sudo privileges. The name of the node is preserved through upgrade for both {aws} SSM and {aws} IAM Roles Anywhere credential providers. You cannot change credentials providers during the upgrade process. See <> for configuration values for `nodeConfig.yaml`. Replace `K8S_VERSION` with the target Kubernetes version you upgrading to. + -[source,yaml,subs="verbatim,attributes,quotes"] +[source,yaml,subs="verbatim,attributes"] ---- nodeadm upgrade K8S_VERSION -c file://nodeConfig.yaml ---- . Watch the status of your hybrid nodes and wait for your nodes to shutdown and restart on the new Kubernetes version with the Ready status. + -[source,yaml,subs="verbatim,attributes,quotes"] +[source,yaml,subs="verbatim,attributes"] ---- kubectl get nodes -o -w ---- diff --git a/latest/ug/nodes/retrieve-ami-id.adoc b/latest/ug/nodes/retrieve-ami-id.adoc index e7bfd8558..39cfdbf4f 100644 --- a/latest/ug/nodes/retrieve-ami-id.adoc +++ b/latest/ug/nodes/retrieve-ami-id.adoc @@ -23,13 +23,13 @@ You can retrieve the image ID of the latest recommended Amazon EKS optimized Ama ** Use [.replaceable]`amazon-linux-2023/x86_64/neuron` for the latest AL2023 link:machine-learning/neuron/[{aws} Neuron,type="marketing"] instances. ** Use [.replaceable]`amazon-linux-2` for Amazon Linux 2 (AL2) `x86` based instances. ** Use [.replaceable]`amazon-linux-2-arm64` for AL2 ARM instances, such as link:ec2/graviton/[{aws} Graviton,type="marketing"] based instances. -** Use [.replaceable]`amazon-linux-2-gpu` for AL2 link:AWSEC2/latest/UserGuide/accelerated-computing-instances.html[hardware accelerated,type="documentation"] `x86` based instances for [.noloc]`NVIDIA` GPU, link:machine-learning/inferentia/[Inferentia,type="marketing"], and link:machine-learning/trainium/[Trainium,type="marketing"] based workloads. -* Replace [.replaceable]`region-code` with an link:general/latest/gr/eks.html[Amazon EKS supported {aws} Region,type="documentation"] for which you want the AMI ID. +** Use [.replaceable]`amazon-linux-2-gpu` for AL2 link:AWSEC2/latest/UserGuide/accelerated-computing-instances.html[hardware accelerated,type="documentation"] `x86` based instances for NVIDIA GPU, link:machine-learning/inferentia/[Inferentia,type="marketing"], and link:machine-learning/trainium/[Trainium,type="marketing"] based workloads. +* Replace [.replaceable]`` with an link:general/latest/gr/eks.html[Amazon EKS supported {aws} Region,type="documentation"] for which you want the AMI ID. -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- aws ssm get-parameter --name /aws/service/eks/optimized-ami/[.replaceable]`kubernetes-version`/[.replaceable]`ami-type`/recommended/image_id \ - --region [.replaceable]`region-code` --query "Parameter.Value" --output text + --region --query "Parameter.Value" --output text ---- Here's an example command after placeholder replacements have been made. diff --git a/latest/ug/observability/view-raw-metrics.adoc b/latest/ug/observability/view-raw-metrics.adoc index bf68ccf00..782bebaf8 100644 --- a/latest/ug/observability/view-raw-metrics.adoc +++ b/latest/ug/observability/view-raw-metrics.adoc @@ -13,10 +13,10 @@ The [.noloc]`Kubernetes` control plane exposes a number of metrics that are repr The [.noloc]`Kubernetes` control plane exposes a number of metrics that are represented in a https://github.com/prometheus/docs/blob/master/content/docs/instrumenting/exposition_formats.md[Prometheus format]. These metrics are useful for monitoring and analysis. They are exposed internally through metrics endpoints, and can be accessed without fully deploying [.noloc]`Prometheus`. However, deploying [.noloc]`Prometheus` more easily allows analyzing metrics over time. -To view the raw metrics output, run the following command. -[source,bash,subs="verbatim,attributes,quotes"] +To view the raw metrics output, replace `endpoint` and run the following command. +[source,bash,subs="verbatim,attributes"] ---- -kubectl get --raw [.replaceable]`endpoint` +kubectl get --raw endpoint ---- This command allows you to pass any endpoint path and returns the raw response. The output lists different metrics line-by-line, with each line including a metric name, tags, and a value. diff --git a/latest/ug/quickstart.adoc b/latest/ug/quickstart.adoc index 236a31599..ff270ff1a 100644 --- a/latest/ug/quickstart.adoc +++ b/latest/ug/quickstart.adoc @@ -143,18 +143,18 @@ kubectl get ingress -n game-2048 + You should see the following response output: + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- NAME CLASS HOSTS ADDRESS PORTS AGE -ingress-2048 alb * k8s-game2048-ingress2-eb379a0f83-378466616.[.replaceable]`region-code`.elb.amazonaws.com 80 31s +ingress-2048 alb * k8s-game2048-ingress2-eb379a0f83-378466616.region-code.elb.amazonaws.com 80 31s ---- + You'll need to wait several minutes for the Application Load Balancer (ALB) to provision before you begin the following steps. . Open a web browser and enter the `ADDRESS` from the previous step to access the web application. For example: + -[source,bash,subs="verbatim,attributes,quotes"] +[source,bash,subs="verbatim,attributes"] ---- -k8s-game2048-ingress2-eb379a0f83-378466616.[.replaceable]`region-code`.elb.amazonaws.com +k8s-game2048-ingress2-eb379a0f83-378466616.region-code.elb.amazonaws.com ---- + You should see the 2048 game in your browser. Play! From 0ff350285ab73c2477500e4f849192be0ec285b8 Mon Sep 17 00:00:00 2001 From: Ramneek Kalra Date: Fri, 31 Jan 2025 09:32:50 +0530 Subject: [PATCH 072/940] Added aws-sample for automating CIS Benchmark update on existing Nodegroup Added aws-sample for automating CIS Benchmark update on existing Nodegroup. You can modify accordingly as per public-understanding of customers (mentioning about having this sample used for lower-environment and use then for production). --- latest/ug/security/configuration-vulnerability-analysis.adoc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/latest/ug/security/configuration-vulnerability-analysis.adoc b/latest/ug/security/configuration-vulnerability-analysis.adoc index fb9d1612a..f51bf327c 100644 --- a/latest/ug/security/configuration-vulnerability-analysis.adoc +++ b/latest/ug/security/configuration-vulnerability-analysis.adoc @@ -26,6 +26,8 @@ The https://www.cisecurity.org/benchmark/kubernetes/[Center for Internet Securit To learn more, see link:containers/introducing-cis-amazon-eks-benchmark[Introducing The CIS Amazon EKS Benchmark,type="blog"]. +To explore an automated aws-sample pipeline for updating your node-group with CIS Benchmarked AMI, explore at: https://github.com/aws-samples/pipeline-for-hardening-eks-nodes-and-automating-updates[EKS-Optimized AMI Hardening Pipeline, type="solution"] + [[configuration-vulnerability-analysis-pv,configuration-vulnerability-analysis-pv.title]] == Amazon EKS platform versions From e4f344139cd8b068671984198d384009829daa12 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Fri, 31 Jan 2025 16:10:13 +0000 Subject: [PATCH 073/940] Some manual adjustments, mostly with include attributes location. --- latest/ug/automode/associate-workload.adoc | 4 ++-- latest/ug/automode/auto-elb-example.adoc | 2 -- latest/ug/automode/auto-glossary.adoc | 1 - latest/ug/automode/auto-learn-iam.adoc | 1 - latest/ug/automode/auto-mng.adoc | 1 - latest/ug/automode/auto-networking.adoc | 2 -- latest/ug/automode/auto-reference.adoc | 3 ++- latest/ug/automode/auto-troubleshoot.adoc | 1 - latest/ug/automode/auto-workloads.adoc | 3 ++- latest/ug/automode/automode-get-started-eksctl.adoc | 1 - latest/ug/automode/automode-learn-instances.adoc | 1 - latest/ug/automode/create-auto.adoc | 5 ++--- latest/ug/automode/create-storage-class.adoc | 1 - latest/ug/automode/migrate-auto.adoc | 3 ++- latest/ug/automode/settings-auto.adoc | 3 ++- latest/ug/automode/troubleshoot-lbc.adoc | 1 - latest/ug/automode/wip.adoc | 1 - latest/ug/clusters/autoscaling.adoc | 3 ++- latest/ug/clusters/management/eks-managing.adoc | 5 ++--- latest/ug/clusters/management/eks-using-tags.adoc | 3 ++- latest/ug/clusters/management/helm.adoc | 3 ++- latest/ug/clusters/management/metrics-server.adoc | 3 ++- latest/ug/clusters/management/service-quotas.adoc | 3 ++- latest/ug/ml/capacity-blocks-mng.adoc | 3 ++- latest/ug/ml/capacity-blocks.adoc | 3 ++- latest/ug/ml/machine-learning-on-eks.adoc | 3 ++- latest/ug/ml/ml-get-started.adoc | 1 - latest/ug/ml/ml-prepare-for-cluster.adoc | 1 - latest/ug/ml/node-taints-managed-node-groups.adoc | 3 ++- latest/ug/nodes/retrieve-ami-id.adoc | 8 ++++---- 30 files changed, 36 insertions(+), 40 deletions(-) diff --git a/latest/ug/automode/associate-workload.adoc b/latest/ug/automode/associate-workload.adoc index 9f777524e..324542296 100644 --- a/latest/ug/automode/associate-workload.adoc +++ b/latest/ug/automode/associate-workload.adoc @@ -1,10 +1,10 @@ -include::../attributes.txt[] - [.topic] [[associate-workload,associate-workload.title]] = Control if a workload is deployed on EKS Auto Mode nodes :info_titleabbrev: Control workload deployment +include::../attributes.txt[] + When running workloads in an EKS cluster with {eam}, you might need to control whether specific workloads run on {eam} nodes or other compute types. This topic describes how to use node selectors and affinity rules to ensure your workloads are scheduled on the intended compute infrastructure. The examples in this topic demonstrate how to use the `eks.amazonaws.com/compute-type` label to either require or prevent workload deployment on {eam} nodes. This is particularly useful in mixed-mode clusters where you're running both {eam} and other compute types, such as self-managed Karpenter provisioners or EKS Managed Node Groups. diff --git a/latest/ug/automode/auto-elb-example.adoc b/latest/ug/automode/auto-elb-example.adoc index dd76764a5..219555764 100644 --- a/latest/ug/automode/auto-elb-example.adoc +++ b/latest/ug/automode/auto-elb-example.adoc @@ -3,10 +3,8 @@ = Deploy a Sample Load Balancer Workload to EKS Auto Mode :info_titleabbrev: Deploy load balancer workload - include::../attributes.txt[] - This guide walks you through deploying a containerized version of the 2048 game on Amazon EKS, complete with load balancing and internet accessibility. == Prerequisites diff --git a/latest/ug/automode/auto-glossary.adoc b/latest/ug/automode/auto-glossary.adoc index 218cc827d..fe9d30bfc 100644 --- a/latest/ug/automode/auto-glossary.adoc +++ b/latest/ug/automode/auto-glossary.adoc @@ -3,7 +3,6 @@ = Glossary :info_titleabbrev: Glossary - include::../attributes.txt[] IAM Role:: diff --git a/latest/ug/automode/auto-learn-iam.adoc b/latest/ug/automode/auto-learn-iam.adoc index 2c982b8b7..75491cbad 100644 --- a/latest/ug/automode/auto-learn-iam.adoc +++ b/latest/ug/automode/auto-learn-iam.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] - This topic describes the Identity and Access Management (IAM) roles and permissions required to use EKS Auto Mode. EKS Auto Mode uses two primary IAM roles: a Cluster IAM Role and a Node IAM Role. These roles work in conjunction with EKS Pod Identity and EKS access entries to provide comprehensive access management for your EKS clusters. When you configure EKS Auto Mode, you will need to set up these IAM roles with specific permissions that allow {aws} services to interact with your cluster resources. This includes permissions for managing compute resources, storage volumes, load balancers, and networking components. Understanding these role configurations is essential for proper cluster operation and security. diff --git a/latest/ug/automode/auto-mng.adoc b/latest/ug/automode/auto-mng.adoc index 8f63a2a91..bacf3f782 100644 --- a/latest/ug/automode/auto-mng.adoc +++ b/latest/ug/automode/auto-mng.adoc @@ -3,7 +3,6 @@ = Compare EKS Auto Mode with EKS managed node groups :info_titleabbrev: Compare with Managed Node Groups - include::../attributes.txt[] [IMPORTANT] diff --git a/latest/ug/automode/auto-networking.adoc b/latest/ug/automode/auto-networking.adoc index e0f57b870..bb7894431 100644 --- a/latest/ug/automode/auto-networking.adoc +++ b/latest/ug/automode/auto-networking.adoc @@ -3,10 +3,8 @@ = Learn about VPC Networking and Load Balancing in EKS Auto Mode :info_titleabbrev: Networking - include::../attributes.txt[] - This topic explains how to configure Virtual Private Cloud (VPC) networking and load balancing features in EKS Auto Mode. While EKS Auto Mode manages most networking components automatically, you can still customize certain aspects of your cluster's networking configuration through NodeClass resources and load balancer annotations. When you use EKS Auto Mode, {aws} manages the VPC Container Network Interface (CNI) configuration and load balancer provisioning for your cluster. You can influence networking behaviors by defining NodeClass objects and applying specific annotations to your Service and Ingress resources, while maintaining the automated operational model that EKS Auto Mode provides. diff --git a/latest/ug/automode/auto-reference.adoc b/latest/ug/automode/auto-reference.adoc index 0735a0d1e..857923748 100644 --- a/latest/ug/automode/auto-reference.adoc +++ b/latest/ug/automode/auto-reference.adoc @@ -1,5 +1,4 @@ [.topic] -include::../attributes.txt[] [[auto-reference,auto-reference.title]] = Learn how EKS Auto Mode works :icons: font @@ -9,6 +8,8 @@ include::../attributes.txt[] :sourcedir: . :info_titleabbrev: How it works +include::../attributes.txt[] + [abstract] -- Reference information for EKS Auto Mode diff --git a/latest/ug/automode/auto-troubleshoot.adoc b/latest/ug/automode/auto-troubleshoot.adoc index fcc74f25a..446e55d34 100644 --- a/latest/ug/automode/auto-troubleshoot.adoc +++ b/latest/ug/automode/auto-troubleshoot.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] - With {eam}, {aws} assumes more {resp} for {e2i}s in {yaa}. EKS assumes {resp} for the container runtime on nodes, the operating system on the nodes, and certain controllers. This includes a block storage controller, a load balancing controller, and a compute controller. You must use {aws} and {k8s} APIs to troubleshoot nodes. You can: diff --git a/latest/ug/automode/auto-workloads.adoc b/latest/ug/automode/auto-workloads.adoc index 6f769e09b..94adaec1f 100644 --- a/latest/ug/automode/auto-workloads.adoc +++ b/latest/ug/automode/auto-workloads.adoc @@ -1,9 +1,10 @@ [.topic] -include::../attributes.txt[] [[auto-workloads,auto-workloads.title]] = Run sample workloads in EKS Auto Mode clusters :info_titleabbrev: Run workloads +include::../attributes.txt[] + [abstract] -- Run workloads in EKS Auto Mode clusters diff --git a/latest/ug/automode/automode-get-started-eksctl.adoc b/latest/ug/automode/automode-get-started-eksctl.adoc index 229349927..fed52fba8 100644 --- a/latest/ug/automode/automode-get-started-eksctl.adoc +++ b/latest/ug/automode/automode-get-started-eksctl.adoc @@ -4,7 +4,6 @@ :config: configuration :info_titleabbrev: eksctl CLI - include::../attributes.txt[] This topic shows you how to create an Amazon EKS Auto Mode cluster using the eksctl command line interface (CLI). You can create an Auto Mode cluster either by running a single CLI command or by applying a YAML configuration file. Both methods provide the same functionality, with the YAML approach offering more granular control over cluster settings. diff --git a/latest/ug/automode/automode-learn-instances.adoc b/latest/ug/automode/automode-learn-instances.adoc index fb1b64d6f..10aa74e39 100644 --- a/latest/ug/automode/automode-learn-instances.adoc +++ b/latest/ug/automode/automode-learn-instances.adoc @@ -12,7 +12,6 @@ include::../attributes.txt[] - This topic explains how {aam} manages Amazon EC2 instances in your EKS cluster. When you enable {am}, your cluster's compute resources are automatically provisioned and managed by EKS, changing how you interact with the EC2 instances that serve as nodes in your cluster. Understanding how {aam} manages instances is essential for planning your workload deployment strategy and operational procedures. Unlike traditional EC2 instances or managed node groups, these instances follow a different lifecycle model where EKS assumes responsibility for many operational aspects, while restricting certain types of access and customization. diff --git a/latest/ug/automode/create-auto.adoc b/latest/ug/automode/create-auto.adoc index 3403407b2..640f0628a 100644 --- a/latest/ug/automode/create-auto.adoc +++ b/latest/ug/automode/create-auto.adoc @@ -1,5 +1,4 @@ [.topic] -include::../attributes.txt[] [[create-auto,create-auto.title]] = Create a cluster with Amazon EKS Auto Mode :icons: font @@ -10,13 +9,13 @@ include::../attributes.txt[] :info_titleabbrev: Create cluster :keywords: getting, started, tutorials, quick, start +include::../attributes.txt[] + [abstract] -- Learn about the tools needed for creating and working with an Amazon EKS cluster in EKS Auto Mode. -- - - This chapter explains how to create an Amazon EKS cluster with Auto Mode enabled using various tools and interfaces. Auto Mode simplifies cluster creation by automatically configuring and managing the cluster's compute, networking, and storage infrastructure. You'll learn how to create an Auto Mode cluster using the {aws} CLI, {aws} Management Console, or the eksctl command line tool. [NOTE] diff --git a/latest/ug/automode/create-storage-class.adoc b/latest/ug/automode/create-storage-class.adoc index 6801d6066..d5d1b2844 100644 --- a/latest/ug/automode/create-storage-class.adoc +++ b/latest/ug/automode/create-storage-class.adoc @@ -3,7 +3,6 @@ = Create a Storage Class :info_titleabbrev: Create storage class - include::../attributes.txt[] A StorageClass in Amazon EKS Auto Mode defines how Amazon EBS volumes are automatically provisioned when applications request persistent storage. This page explains how to create and configure a StorageClass that works with the Amazon EKS Auto Mode to provision EBS volumes. diff --git a/latest/ug/automode/migrate-auto.adoc b/latest/ug/automode/migrate-auto.adoc index 41365300a..c1c854962 100644 --- a/latest/ug/automode/migrate-auto.adoc +++ b/latest/ug/automode/migrate-auto.adoc @@ -1,5 +1,4 @@ [.topic] -include::../attributes.txt[] [[migrate-auto,migrate-auto.title]] = Enable EKS Auto Mode on existing EKS clusters :icons: font @@ -9,6 +8,8 @@ include::../attributes.txt[] :sourcedir: . :info_titleabbrev: Enable existing clusters +include::../attributes.txt[] + [abstract] -- Learn about the tools needed for creating and working with an Amazon EKS cluster in EKS Auto Mode. diff --git a/latest/ug/automode/settings-auto.adoc b/latest/ug/automode/settings-auto.adoc index d619ecf22..4b5aa72a1 100644 --- a/latest/ug/automode/settings-auto.adoc +++ b/latest/ug/automode/settings-auto.adoc @@ -1,5 +1,4 @@ [.topic] -include::../attributes.txt[] [[settings-auto,settings-auto.title]] = Configure EKS Auto Mode settings :icons: font @@ -9,6 +8,8 @@ include::../attributes.txt[] :sourcedir: . :info_titleabbrev: Configure +include::../attributes.txt[] + [abstract] -- Change EKS Auto cluster settings diff --git a/latest/ug/automode/troubleshoot-lbc.adoc b/latest/ug/automode/troubleshoot-lbc.adoc index 6b1c92539..8ded4d18a 100644 --- a/latest/ug/automode/troubleshoot-lbc.adoc +++ b/latest/ug/automode/troubleshoot-lbc.adoc @@ -7,7 +7,6 @@ This resource is not ready for publication. ==== - include::../attributes.txt[] This guide helps you troubleshoot issues with the {aws} Load Balancer Controller when using Amazon EKS Auto Mode. diff --git a/latest/ug/automode/wip.adoc b/latest/ug/automode/wip.adoc index cc673c99d..f2ad32251 100644 --- a/latest/ug/automode/wip.adoc +++ b/latest/ug/automode/wip.adoc @@ -3,7 +3,6 @@ = EKS Auto Mode: Revisions to existing pages WIP :toc: left - include::../attributes.txt[] This section contains in-progress revisions for existing pages in other chapters. diff --git a/latest/ug/clusters/autoscaling.adoc b/latest/ug/clusters/autoscaling.adoc index 862365cbd..75eb6fa7b 100644 --- a/latest/ug/clusters/autoscaling.adoc +++ b/latest/ug/clusters/autoscaling.adoc @@ -1,10 +1,11 @@ -include::../attributes.txt[] [.topic] [[autoscaling,autoscaling.title]] = Scale cluster compute with [.noloc]`Karpenter` and [.noloc]`Cluster Autoscaler` :info_titleabbrev: Autoscaling +include::../attributes.txt[] + [abstract] -- Discover how Amazon EKS integrates Kubernetes autoscaling with {aws}, empowering rapid and efficient scaling of compute resources to meet application demands using Karpenter and Cluster Autoscaler. diff --git a/latest/ug/clusters/management/eks-managing.adoc b/latest/ug/clusters/management/eks-managing.adoc index 71e12d756..ca17693b9 100644 --- a/latest/ug/clusters/management/eks-managing.adoc +++ b/latest/ug/clusters/management/eks-managing.adoc @@ -1,4 +1,3 @@ -include::../../attributes.txt[] [[eks-managing,eks-managing.title]] = Organize and monitor cluster resources :doctype: book @@ -11,9 +10,9 @@ include::../../attributes.txt[] :sourcedir: . :info_titleabbrev: Cluster management -This chapter includes the following topics to help you manage your cluster. You can also view information about your <> with the {aws-management-console}. - +include::../../attributes.txt[] +This chapter includes the following topics to help you manage your cluster. You can also view information about your <> with the {aws-management-console}. * The [.noloc]`Kubernetes` Dashboard is a general purpose, web-based UI for [.noloc]`Kubernetes` clusters. It allows users to manage applications running in the cluster and troubleshoot them, as well as manage the cluster itself. For more information, see The https://github.com/kubernetes/dashboard[Kubernetes Dashboard] GitHub repository. * <> – The [.noloc]`Kubernetes` Metrics Server is an aggregator of resource usage data in your cluster. It isn't deployed by default in your cluster, but is used by [.noloc]`Kubernetes` add-ons, such as the [.noloc]`Kubernetes` Dashboard and <>. In this topic you learn how to install the Metrics Server. diff --git a/latest/ug/clusters/management/eks-using-tags.adoc b/latest/ug/clusters/management/eks-using-tags.adoc index 1190cff65..0353002f9 100644 --- a/latest/ug/clusters/management/eks-using-tags.adoc +++ b/latest/ug/clusters/management/eks-using-tags.adoc @@ -1,4 +1,3 @@ -include::../../attributes.txt[] [.topic] [[eks-using-tags,eks-using-tags.title]] @@ -6,6 +5,8 @@ include::../../attributes.txt[] :info_titleabbrev: Tagging your resources :keywords: metadata, tag, resources +include::../../attributes.txt[] + [abstract] -- Learn how to use tags to categorize and manage your Amazon EKS resources like clusters, managed node groups, and Fargate profiles for billing, cost allocation, and resource identification. diff --git a/latest/ug/clusters/management/helm.adoc b/latest/ug/clusters/management/helm.adoc index 87c95ff7a..362a54078 100644 --- a/latest/ug/clusters/management/helm.adoc +++ b/latest/ug/clusters/management/helm.adoc @@ -1,10 +1,11 @@ -include::../../attributes.txt[] [.topic] [[helm,helm.title]] = Deploy applications with [.noloc]`Helm` on Amazon EKS :info_titleabbrev: Deploy apps with Helm +include::../../attributes.txt[] + [abstract] -- Learn how to install and use Helm, a package manager for Kubernetes, with your Amazon EKS cluster to manage and deploy applications seamlessly. diff --git a/latest/ug/clusters/management/metrics-server.adoc b/latest/ug/clusters/management/metrics-server.adoc index e6f9db464..ccec9d2e3 100644 --- a/latest/ug/clusters/management/metrics-server.adoc +++ b/latest/ug/clusters/management/metrics-server.adoc @@ -1,10 +1,11 @@ -include::../../attributes.txt[] [.topic] [[metrics-server,metrics-server.title]] = View resource usage with the [.noloc]`Kubernetes` [.noloc]`Metrics Server` :info_titleabbrev: Metrics server +include::../../attributes.txt[] + [abstract] -- Use the Kubernetes Metrics Server to view resource usage data on your Amazon EKS cluster for autoscaling and monitoring. diff --git a/latest/ug/clusters/management/service-quotas.adoc b/latest/ug/clusters/management/service-quotas.adoc index 523d10424..c9a6a6e0c 100644 --- a/latest/ug/clusters/management/service-quotas.adoc +++ b/latest/ug/clusters/management/service-quotas.adoc @@ -1,10 +1,11 @@ -include::../../attributes.txt[] [.topic] [[service-quotas,service-quotas.title]] = View and manage Amazon EKS and [.noloc]`Fargate` service quotas :info_titleabbrev: Service quotas +include::../../attributes.txt[] + [abstract] -- Use Service Quotas to view and manage Amazon EKS and {aws} Fargate quotas from the {aws-management-console} or {aws} CLI. diff --git a/latest/ug/ml/capacity-blocks-mng.adoc b/latest/ug/ml/capacity-blocks-mng.adoc index 624c3ce50..f0b5f43e5 100644 --- a/latest/ug/ml/capacity-blocks-mng.adoc +++ b/latest/ug/ml/capacity-blocks-mng.adoc @@ -1,9 +1,10 @@ -include::../attributes.txt[] [.topic] [[capacity-blocks-mng,capacity-blocks-mng.title]] = Create a managed node group with Capacity Blocks for ML :info_titleabbrev: Reserve GPUs for MNG +include::../attributes.txt[] + [abstract] -- Capacity Blocks for machine learning (ML) allow you to reserve highly sought-after GPU instances on a future date to support your short duration ML workloads. diff --git a/latest/ug/ml/capacity-blocks.adoc b/latest/ug/ml/capacity-blocks.adoc index 5e2587bdf..0cd52c60c 100644 --- a/latest/ug/ml/capacity-blocks.adoc +++ b/latest/ug/ml/capacity-blocks.adoc @@ -1,9 +1,10 @@ -include::../attributes.txt[] [.topic] [[capacity-blocks,capacity-blocks.title]] = Create self-managed nodes with Capacity Blocks for ML :info_titleabbrev: Reserve GPUs for SMN +include::../attributes.txt[] + [abstract] -- Capacity Blocks for machine learning (ML) allow you to reserve highly sought-after GPU instances on a future date to support your short duration ML workloads. diff --git a/latest/ug/ml/machine-learning-on-eks.adoc b/latest/ug/ml/machine-learning-on-eks.adoc index cfeef17c7..7e9939db9 100644 --- a/latest/ug/ml/machine-learning-on-eks.adoc +++ b/latest/ug/ml/machine-learning-on-eks.adoc @@ -1,4 +1,3 @@ -include::../attributes.txt[] [.topic] [[machine-learning-on-eks,machine-learning-on-eks.title]] = Overview of Machine Learning on Amazon EKS @@ -13,6 +12,8 @@ include::../attributes.txt[] :info_titleabbrev: Machine Learning on EKS :keywords: Machine Learning, Amazon EKS, Artificial Intelligence +include::../attributes.txt[] + [abstract] -- Complete guide for running Machine Learning applications on Amazon EKS. This includes everything from provisioning infrastructure to choosing and deploying Machine Learning workloads on Amazon EKS. diff --git a/latest/ug/ml/ml-get-started.adoc b/latest/ug/ml/ml-get-started.adoc index 931989ea3..3bf119c39 100644 --- a/latest/ug/ml/ml-get-started.adoc +++ b/latest/ug/ml/ml-get-started.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] - [abstract] -- Choose the Machine Learning on EKS tools and platforms that best suit your needs, then use quick start procedures to deploy ML workloads and EKS clusters to the {aws} cloud. diff --git a/latest/ug/ml/ml-prepare-for-cluster.adoc b/latest/ug/ml/ml-prepare-for-cluster.adoc index c7d934ef0..27bfb28a8 100644 --- a/latest/ug/ml/ml-prepare-for-cluster.adoc +++ b/latest/ug/ml/ml-prepare-for-cluster.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] - [abstract] -- Learn how to make decisions about CPU, AMIs, and tooling before creating an EKS cluster for ML. diff --git a/latest/ug/ml/node-taints-managed-node-groups.adoc b/latest/ug/ml/node-taints-managed-node-groups.adoc index 3d29876e9..59a3d5044 100644 --- a/latest/ug/ml/node-taints-managed-node-groups.adoc +++ b/latest/ug/ml/node-taints-managed-node-groups.adoc @@ -1,9 +1,10 @@ -include::../attributes.txt[] [.topic] [[node-taints-managed-node-groups,node-taints-managed-node-groups.title]] = Prevent [.noloc]`Pods` from being scheduled on specific nodes :info_titleabbrev: Taint GPU nodes +include::../attributes.txt[] + [abstract] -- Taints and tolerations work together to ensure that [.noloc]`Pods` aren't scheduled onto inappropriate nodes. This can be particularly useful for nodes running on GPU hardware. diff --git a/latest/ug/nodes/retrieve-ami-id.adoc b/latest/ug/nodes/retrieve-ami-id.adoc index 39cfdbf4f..20b91422c 100644 --- a/latest/ug/nodes/retrieve-ami-id.adoc +++ b/latest/ug/nodes/retrieve-ami-id.adoc @@ -14,7 +14,7 @@ When deploying nodes, you can specify an ID for a pre-built Amazon EKS optimized You can retrieve the image ID of the latest recommended Amazon EKS optimized Amazon Linux AMI with the following command, which uses the sub-parameter `image_id`. Make the following modifications to the command as needed and then run the modified command: -* Replace [.replaceable]`kubernetes-version` with a supported <>. +* Replace `` with a supported <>. * Replace [.replaceable]`ami-type` with one of the following options. For information about the types of Amazon EC2 instances, see link:AWSEC2/latest/UserGuide/instance-types.html[Amazon EC2 instance types,type="documentation"]. + ** Use [.replaceable]`amazon-linux-2023/x86_64/standard` for Amazon Linux 2023 (AL2023) `x86` based instances. @@ -23,12 +23,12 @@ You can retrieve the image ID of the latest recommended Amazon EKS optimized Ama ** Use [.replaceable]`amazon-linux-2023/x86_64/neuron` for the latest AL2023 link:machine-learning/neuron/[{aws} Neuron,type="marketing"] instances. ** Use [.replaceable]`amazon-linux-2` for Amazon Linux 2 (AL2) `x86` based instances. ** Use [.replaceable]`amazon-linux-2-arm64` for AL2 ARM instances, such as link:ec2/graviton/[{aws} Graviton,type="marketing"] based instances. -** Use [.replaceable]`amazon-linux-2-gpu` for AL2 link:AWSEC2/latest/UserGuide/accelerated-computing-instances.html[hardware accelerated,type="documentation"] `x86` based instances for NVIDIA GPU, link:machine-learning/inferentia/[Inferentia,type="marketing"], and link:machine-learning/trainium/[Trainium,type="marketing"] based workloads. -* Replace [.replaceable]`` with an link:general/latest/gr/eks.html[Amazon EKS supported {aws} Region,type="documentation"] for which you want the AMI ID. +** Use `amazon-linux-2-gpu` for AL2 link:AWSEC2/latest/UserGuide/accelerated-computing-instances.html[hardware accelerated,type="documentation"] `x86` based instances for NVIDIA GPU, link:machine-learning/inferentia/[Inferentia,type="marketing"], and link:machine-learning/trainium/[Trainium,type="marketing"] based workloads. +* Replace `` with an link:general/latest/gr/eks.html[Amazon EKS supported {aws} Region,type="documentation"] for which you want the AMI ID. [source,bash,subs="verbatim,attributes"] ---- -aws ssm get-parameter --name /aws/service/eks/optimized-ami/[.replaceable]`kubernetes-version`/[.replaceable]`ami-type`/recommended/image_id \ +aws ssm get-parameter --name /aws/service/eks/optimized-ami//`/recommended/image_id \ --region --query "Parameter.Value" --output text ---- From 7663c5e1cdbc546504c17fad29019a129f8b02c8 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Fri, 31 Jan 2025 16:37:37 +0000 Subject: [PATCH 074/940] Globally moved include attributes where possible. --- latest/ug/clusters/clusters.adoc | 3 ++- latest/ug/clusters/delete-cluster.adoc | 3 ++- latest/ug/clusters/disable-extended-support.adoc | 3 ++- latest/ug/clusters/disable-windows-support.adoc | 3 ++- latest/ug/clusters/enable-extended-support.adoc | 3 ++- latest/ug/clusters/kubernetes-versions-extended.adoc | 3 ++- latest/ug/clusters/private-clusters.adoc | 3 ++- latest/ug/clusters/view-support-status.adoc | 3 ++- latest/ug/clusters/view-upgrade-policy.adoc | 3 ++- latest/ug/clusters/windows-support.adoc | 3 ++- latest/ug/connector/connecting-cluster.adoc | 3 ++- latest/ug/connector/connector-grant-access.adoc | 3 ++- latest/ug/connector/deregister-connected-cluster.adoc | 3 ++- latest/ug/connector/eks-connector.adoc | 3 ++- latest/ug/connector/security-connector.adoc | 3 ++- latest/ug/getting-started/getting-started-automode.adoc | 3 ++- latest/ug/getting-started/getting-started-eksctl.adoc | 3 ++- latest/ug/getting-started/getting-started.adoc | 3 ++- latest/ug/getting-started/learn-eks.adoc | 3 ++- latest/ug/getting-started/setting-up.adoc | 3 ++- latest/ug/integrations/integration-detective.adoc | 3 ++- latest/ug/integrations/integration-guardduty.adoc | 3 ++- latest/ug/integrations/integration-securitylake.adoc | 3 ++- latest/ug/integrations/integration-vpc-lattice.adoc | 3 ++- latest/ug/manage-access/cluster-auth.adoc | 3 ++- latest/ug/manage-access/create-kubeconfig.adoc | 3 ++- latest/ug/nodes/bottlerocket-compliance-support.adoc | 3 ++- latest/ug/nodes/choosing-instance-type.adoc | 3 ++- latest/ug/nodes/delete-fargate-profile.adoc | 3 ++- latest/ug/nodes/delete-managed-node-group.adoc | 3 ++- latest/ug/nodes/dockershim-deprecation.adoc | 3 ++- latest/ug/nodes/eks-ami-build-scripts.adoc | 3 ++- latest/ug/nodes/eks-ami-versions-bottlerocket.adoc | 3 ++- latest/ug/nodes/eks-ami-versions-windows.adoc | 3 ++- latest/ug/nodes/eks-custom-ami-windows.adoc | 3 ++- latest/ug/nodes/eks-linux-ami-versions.adoc | 3 ++- latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc | 3 ++- latest/ug/nodes/eks-partner-amis.adoc | 3 ++- latest/ug/nodes/launch-node-bottlerocket.adoc | 3 ++- latest/ug/nodes/launch-node-ubuntu.adoc | 3 ++- latest/ug/nodes/launch-templates.adoc | 3 ++- latest/ug/nodes/launch-workers.adoc | 3 ++- latest/ug/nodes/managed-node-update-behavior.adoc | 3 ++- latest/ug/nodes/migrate-stack.adoc | 3 ++- latest/ug/nodes/self-managed-windows-server-2022.adoc | 3 ++- latest/ug/observability/control-plane-logs.adoc | 3 ++- latest/ug/observability/deploy-prometheus.adoc | 3 ++- latest/ug/observability/eks-observe.adoc | 3 ++- latest/ug/observability/enable-asg-metrics.adoc | 3 ++- latest/ug/observability/view-raw-metrics.adoc | 3 ++- latest/ug/storage/csi-snapshot-controller.adoc | 3 ++- latest/ug/storage/ebs-csi-migration-faq.adoc | 3 ++- latest/ug/storage/ebs-csi.adoc | 3 ++- latest/ug/storage/file-cache-csi.adoc | 3 ++- latest/ug/storage/fsx-csi.adoc | 3 ++- latest/ug/storage/fsx-ontap.adoc | 3 ++- latest/ug/storage/fsx-openzfs-csi.adoc | 3 ++- latest/ug/storage/s3-csi.adoc | 3 ++- latest/ug/storage/storage.adoc | 3 ++- latest/ug/what-is/common-use-cases.adoc | 3 ++- latest/ug/what-is/eks-architecture.adoc | 3 ++- latest/ug/what-is/kubernetes-concepts.adoc | 3 ++- latest/ug/what-is/what-is-eks.adoc | 3 ++- latest/ug/workloads/copy-image-to-repository.adoc | 3 ++- latest/ug/workloads/eks-workloads.adoc | 3 ++- latest/ug/workloads/horizontal-pod-autoscaler.adoc | 3 ++- latest/ug/workloads/image-verification.adoc | 3 ++- latest/ug/workloads/vertical-pod-autoscaler.adoc | 3 ++- latest/ug/workloads/workloads-add-ons-available-vendors.adoc | 3 --- 69 files changed, 136 insertions(+), 71 deletions(-) diff --git a/latest/ug/clusters/clusters.adoc b/latest/ug/clusters/clusters.adoc index ed9c48785..52b9ab701 100644 --- a/latest/ug/clusters/clusters.adoc +++ b/latest/ug/clusters/clusters.adoc @@ -1,4 +1,3 @@ -include::../attributes.txt[] [[clusters,clusters.title]] = Organize workloads with Amazon EKS clusters :doctype: book @@ -11,6 +10,8 @@ include::../attributes.txt[] :sourcedir: . :info_titleabbrev: Clusters +include::../attributes.txt[] + An Amazon EKS cluster consists of two primary components: * The Amazon EKS control plane diff --git a/latest/ug/clusters/delete-cluster.adoc b/latest/ug/clusters/delete-cluster.adoc index e8bc07362..47e1dafd0 100644 --- a/latest/ug/clusters/delete-cluster.adoc +++ b/latest/ug/clusters/delete-cluster.adoc @@ -1,10 +1,11 @@ -include::../attributes.txt[] [.topic] [[delete-cluster,delete-cluster.title]] = Delete a cluster :info_titleabbrev: Delete a cluster +include::../attributes.txt[] + [abstract] -- Learn how to delete Amazon EKS clusters, including managed and self-managed node groups, Fargate profiles, related services, and {aws} CloudFormation stacks using eksctl, {aws-management-console}, or {aws} CLI for cost optimization and resource cleanup. diff --git a/latest/ug/clusters/disable-extended-support.adoc b/latest/ug/clusters/disable-extended-support.adoc index eb45b0932..7dfa2985a 100644 --- a/latest/ug/clusters/disable-extended-support.adoc +++ b/latest/ug/clusters/disable-extended-support.adoc @@ -1,9 +1,10 @@ -include::../attributes.txt[] [.topic] [[disable-extended-support,disable-extended-support.title]] = Prevent increased cluster costs by disabling EKS extended support :info_titleabbrev: Disable extended support +include::../attributes.txt[] + This topic describes how to set the _upgrade policy_ of an EKS cluster to disable extended support. The upgrade policy of an EKS cluster determines what happens when a cluster reaches the end of the standard _support period_. If a cluster upgrade policy has extended support disabled, it will be automatically upgraded to the next [.noloc]`Kubernetes` version. For more information about upgrade policies, see <>. diff --git a/latest/ug/clusters/disable-windows-support.adoc b/latest/ug/clusters/disable-windows-support.adoc index 5587786cd..35269ed46 100644 --- a/latest/ug/clusters/disable-windows-support.adoc +++ b/latest/ug/clusters/disable-windows-support.adoc @@ -1,9 +1,10 @@ -include::../attributes.txt[] [.topic] [[disable-windows-support,disable-windows-support.title]] = Disable [.noloc]`Windows` support +include::../attributes.txt[] + . If your cluster contains Amazon Linux nodes and you use xref:security-groups-for-pods[security groups for Pods,linkend=security-groups-for-pods] with them, then skip this step. + Remove the `AmazonVPCResourceController` managed IAM policy from your <>. Replace [.replaceable]`eksClusterRole` with the name of your cluster role and [.replaceable]`111122223333` with your account ID. diff --git a/latest/ug/clusters/enable-extended-support.adoc b/latest/ug/clusters/enable-extended-support.adoc index 43297559c..6667544ae 100644 --- a/latest/ug/clusters/enable-extended-support.adoc +++ b/latest/ug/clusters/enable-extended-support.adoc @@ -1,9 +1,10 @@ -include::../attributes.txt[] [.topic] [[enable-extended-support,enable-extended-support.title]] = Add flexibility to plan Kubernetes version upgrades by enabling EKS extended support :info_titleabbrev: Enable extended support +include::../attributes.txt[] + This topic describes how to set the _upgrade policy_ of an EKS cluster to enable extended support. The upgrade policy of an EKS cluster determines what happens when a cluster reaches the end of the standard _support period_. If a cluster upgrade policy has extended support enabled, it will enter the extended support period at the end of the standard support period. The cluster will not be automatically upgraded at the end of the standard support period. Clusters actually in the _extended support period_ incur higher costs. If a cluster merely has the upgrade policy set to enable extended support, and is otherwise in the _standard support period_, it incurs standard costs. diff --git a/latest/ug/clusters/kubernetes-versions-extended.adoc b/latest/ug/clusters/kubernetes-versions-extended.adoc index 3a38df6a4..a23a1a0c7 100644 --- a/latest/ug/clusters/kubernetes-versions-extended.adoc +++ b/latest/ug/clusters/kubernetes-versions-extended.adoc @@ -1,9 +1,10 @@ -include::../attributes.txt[] [.topic] [[kubernetes-versions-extended,kubernetes-versions-extended.title]] = Review release notes for [.noloc]`Kubernetes` versions on extended support :info_titleabbrev: Extended support versions +include::../attributes.txt[] + [abstract] -- This topic gives important changes to be aware of for each [.noloc]`Kubernetes` version in extended support. diff --git a/latest/ug/clusters/private-clusters.adoc b/latest/ug/clusters/private-clusters.adoc index 7d87dd5fc..80aa25dd4 100644 --- a/latest/ug/clusters/private-clusters.adoc +++ b/latest/ug/clusters/private-clusters.adoc @@ -1,10 +1,11 @@ -include::../attributes.txt[] [.topic] [[private-clusters,private-clusters.title]] = Deploy private clusters with limited internet access :info_titleabbrev: Private clusters +include::../attributes.txt[] + [abstract] -- Learn how to deploy and operate an Amazon EKS cluster without outbound internet access, including requirements for private container registries, endpoint access control, and VPC interface endpoints for {aws} services. diff --git a/latest/ug/clusters/view-support-status.adoc b/latest/ug/clusters/view-support-status.adoc index d6e089802..17d152a59 100644 --- a/latest/ug/clusters/view-support-status.adoc +++ b/latest/ug/clusters/view-support-status.adoc @@ -1,9 +1,10 @@ -include::../attributes.txt[] [.topic] [[view-support-status,view-support-status.title]] = View current cluster support period :info_titleabbrev: View support period +include::../attributes.txt[] + The *cluster support period* section of the {aws} console indicates if your cluster is _currently_ on standard or extended support. If your cluster support period is *Extended support*, you are being charged for EKS extended support. For more information about standard and extended support, see <>. diff --git a/latest/ug/clusters/view-upgrade-policy.adoc b/latest/ug/clusters/view-upgrade-policy.adoc index 5c8d515c2..af1fb94d3 100644 --- a/latest/ug/clusters/view-upgrade-policy.adoc +++ b/latest/ug/clusters/view-upgrade-policy.adoc @@ -1,9 +1,10 @@ -include::../attributes.txt[] [.topic] [[view-upgrade-policy,view-upgrade-policy.title]] = View current cluster upgrade policy :info_titleabbrev: View upgrade policy +include::../attributes.txt[] + The *cluster upgrade policy* determines what happens to your cluster when it leaves the standard support period. If your upgrade policy is `EXTENDED`, the cluster will not be automatically upgraded, and will enter extended support. If your upgrade policy is `STANDARD`, it will be automatically upgraded. Amazon EKS controls for [.noloc]`Kubernetes` version policy allows you to choose the end of standard support behavior for your EKS clusters. With these controls you can decide which clusters should enter extended support and which clusters should be automatically upgraded at the end of standard support for a [.noloc]`Kubernetes` version. diff --git a/latest/ug/clusters/windows-support.adoc b/latest/ug/clusters/windows-support.adoc index 6089f6644..d3dc1694d 100644 --- a/latest/ug/clusters/windows-support.adoc +++ b/latest/ug/clusters/windows-support.adoc @@ -1,10 +1,11 @@ -include::../attributes.txt[] [.topic] [[windows-support,windows-support.title]] = Deploy [.noloc]`Windows` nodes on EKS clusters :info_titleabbrev: Enable Windows support +include::../attributes.txt[] + [abstract] -- Learn how to enable and manage Windows support for your Amazon EKS cluster to run Windows containers alongside Linux containers. diff --git a/latest/ug/connector/connecting-cluster.adoc b/latest/ug/connector/connecting-cluster.adoc index e98f8aa7d..d428575b4 100644 --- a/latest/ug/connector/connecting-cluster.adoc +++ b/latest/ug/connector/connecting-cluster.adoc @@ -1,10 +1,11 @@ -include::../attributes.txt[] [.topic] [[connecting-cluster,connecting-cluster.title]] = Connect an external [.noloc]`Kubernetes` cluster to the Amazon EKS Management Console :info_titleabbrev: Connect a cluster +include::../attributes.txt[] + [abstract] -- Learn to connect an external [.noloc]`Kubernetes` cluster to an Amazon EKS Management Console and install the eks-connector agent via Helm or YAML manifests to enable visibility and management of the external cluster. diff --git a/latest/ug/connector/connector-grant-access.adoc b/latest/ug/connector/connector-grant-access.adoc index e5dde0782..f08f7ea32 100644 --- a/latest/ug/connector/connector-grant-access.adoc +++ b/latest/ug/connector/connector-grant-access.adoc @@ -1,10 +1,11 @@ -include::../attributes.txt[] [.topic] [[connector-grant-access,connector-grant-access.title]] = Grant access to view [.noloc]`Kubernetes` cluster resources on an Amazon EKS console :info_titleabbrev: Grant access to Kubernetes clusters from {aws} console +include::../attributes.txt[] + [abstract] -- Learn to grant IAM principals access to view Kubernetes cluster resources on an Amazon EKS Management Console. diff --git a/latest/ug/connector/deregister-connected-cluster.adoc b/latest/ug/connector/deregister-connected-cluster.adoc index 762f875c9..1ac8b160d 100644 --- a/latest/ug/connector/deregister-connected-cluster.adoc +++ b/latest/ug/connector/deregister-connected-cluster.adoc @@ -1,10 +1,11 @@ -include::../attributes.txt[] [.topic] [[deregister-connected-cluster,deregister-connected-cluster.title]] = Deregister a Kubernetes cluster from the Amazon EKS console :info_titleabbrev: Deregister a cluster +include::../attributes.txt[] + [abstract] -- Learn to deregister a [.noloc]`Kubernetes` cluster from Amazon EKS and uninstall the eks-connector agent to stop managing the cluster from the Amazon EKS Management Console. diff --git a/latest/ug/connector/eks-connector.adoc b/latest/ug/connector/eks-connector.adoc index c0c7c58f6..b7a9155d7 100644 --- a/latest/ug/connector/eks-connector.adoc +++ b/latest/ug/connector/eks-connector.adoc @@ -1,4 +1,3 @@ -include::../attributes.txt[] [[eks-connector,eks-connector.title]] = Connect a [.noloc]`Kubernetes` cluster to an Amazon EKS Management Console with Amazon EKS Connector :doctype: book @@ -11,6 +10,8 @@ include::../attributes.txt[] :sourcedir: . :info_titleabbrev: Amazon EKS Connector +include::../attributes.txt[] + [abstract] -- Discover how to connect conformant [.noloc]`Kubernetes` clusters to {aws} and visualize them in the Amazon EKS console using the Amazon EKS Connector agent and required IAM roles. diff --git a/latest/ug/connector/security-connector.adoc b/latest/ug/connector/security-connector.adoc index 371e6bcac..043efe1fc 100644 --- a/latest/ug/connector/security-connector.adoc +++ b/latest/ug/connector/security-connector.adoc @@ -1,10 +1,11 @@ -include::../attributes.txt[] [.topic] [[security-connector,security-connector.title]] = Understand security in Amazon EKS Connector :info_titleabbrev: Security considerations +include::../attributes.txt[] + [abstract] -- Learn how the open-source EKS Connector affects security, and understand {aws} and customer security responsibilities for connectivity, cluster management, and IAM access control. diff --git a/latest/ug/getting-started/getting-started-automode.adoc b/latest/ug/getting-started/getting-started-automode.adoc index a91ab2715..cf8482c76 100644 --- a/latest/ug/getting-started/getting-started-automode.adoc +++ b/latest/ug/getting-started/getting-started-automode.adoc @@ -1,4 +1,3 @@ -include::../attributes.txt[] [.topic] [[getting-started-automode,getting-started-automode.title]] @@ -6,6 +5,8 @@ include::../attributes.txt[] :info_titleabbrev: Create your first cluster – EKS Auto Mode :keywords: using, Auto, getting, started, tutorial +include::../attributes.txt[] + Like other EKS getting started experiences, creating your first cluster with EKS Auto Mode delegates the management of the cluster itself to {aws}. However, EKS Auto Mode extends EKS automation by handing responsibility of many essential services needed to set up workload infrastructure (nodes, networks, and various services), making it easier to manage nodes and scale up to meet workload demands. diff --git a/latest/ug/getting-started/getting-started-eksctl.adoc b/latest/ug/getting-started/getting-started-eksctl.adoc index 266ac2717..2e92b47f6 100644 --- a/latest/ug/getting-started/getting-started-eksctl.adoc +++ b/latest/ug/getting-started/getting-started-eksctl.adoc @@ -1,4 +1,3 @@ -include::../attributes.txt[] [.topic] [[getting-started-eksctl,getting-started-eksctl.title]] @@ -6,6 +5,8 @@ include::../attributes.txt[] :info_titleabbrev: Create your first cluster – eksctl :keywords: using, eksctl, getting, started, tutorial +include::../attributes.txt[] + [abstract] -- Learn how to create your first Amazon EKS cluster with nodes using the `eksctl` command line tool. diff --git a/latest/ug/getting-started/getting-started.adoc b/latest/ug/getting-started/getting-started.adoc index a1b81e15e..b0c416492 100644 --- a/latest/ug/getting-started/getting-started.adoc +++ b/latest/ug/getting-started/getting-started.adoc @@ -1,4 +1,3 @@ -include::../attributes.txt[] [[getting-started,getting-started.title]] = Get started with Amazon EKS :doctype: book @@ -12,6 +11,8 @@ include::../attributes.txt[] :info_titleabbrev: Get started :keywords: getting, started, tutorials, quick, start +include::../attributes.txt[] + [abstract] -- Learn about the tools needed for creating and working with an Amazon EKS cluster. diff --git a/latest/ug/getting-started/learn-eks.adoc b/latest/ug/getting-started/learn-eks.adoc index ce1c70597..28a44df42 100644 --- a/latest/ug/getting-started/learn-eks.adoc +++ b/latest/ug/getting-started/learn-eks.adoc @@ -1,4 +1,3 @@ -include::../attributes.txt[] [.topic] [[learn-eks,learn-eks.title]] @@ -13,6 +12,8 @@ include::../attributes.txt[] :idseparator: - :sourcedir: . +include::../attributes.txt[] + [abstract] -- Find learning paths to extend your knowledge of Amazon EKS. diff --git a/latest/ug/getting-started/setting-up.adoc b/latest/ug/getting-started/setting-up.adoc index df2619246..371c239b5 100644 --- a/latest/ug/getting-started/setting-up.adoc +++ b/latest/ug/getting-started/setting-up.adoc @@ -1,4 +1,3 @@ -include::../attributes.txt[] [[setting-up,setting-up.title]] = Set up to use Amazon EKS :doctype: book @@ -12,6 +11,8 @@ include::../attributes.txt[] :info_titleabbrev: Set up :keywords: setting up, setup +include::../attributes.txt[] + [abstract] -- Set up the tools needed for creating and working with an Amazon EKS cluster. diff --git a/latest/ug/integrations/integration-detective.adoc b/latest/ug/integrations/integration-detective.adoc index f26f3603f..af0df007c 100644 --- a/latest/ug/integrations/integration-detective.adoc +++ b/latest/ug/integrations/integration-detective.adoc @@ -1,10 +1,11 @@ -include::../attributes.txt[] [.topic] [[integration-detective,integration-detective.title]] = Analyze security events on EKS with Amazon Detective :keywords: Amazon Detective +include::../attributes.txt[] + [abstract] -- Amazon Detective helps you analyze, investigate, and quickly identify the root cause of security findings or suspicious activities. diff --git a/latest/ug/integrations/integration-guardduty.adoc b/latest/ug/integrations/integration-guardduty.adoc index 274665ebc..cbc22cc6e 100644 --- a/latest/ug/integrations/integration-guardduty.adoc +++ b/latest/ug/integrations/integration-guardduty.adoc @@ -1,9 +1,10 @@ -include::../attributes.txt[] [.topic] [[integration-guardduty,integration-guardduty.title]] = Detect threats with Amazon GuardDuty +include::../attributes.txt[] + Amazon GuardDuty is a threat detection service that helps protect you accounts, containers, workloads, and the data with your {aws} environment. Using machine learning (ML) models, and anomaly and threat detection capabilities, GuardDuty continuously monitors different log sources and runtime activity to identify and prioritize potential security risks and malicious activities in your environment. Among other features, GuardDuty offers the following two features that detect potential threats to your EKS clusters: _EKS Protection_ and _Runtime Monitoring_. diff --git a/latest/ug/integrations/integration-securitylake.adoc b/latest/ug/integrations/integration-securitylake.adoc index 7e77740ec..079d99c80 100644 --- a/latest/ug/integrations/integration-securitylake.adoc +++ b/latest/ug/integrations/integration-securitylake.adoc @@ -1,10 +1,11 @@ -include::../attributes.txt[] [.topic] [[integration-securitylake,integration-securitylake.title]] = Centralize and analyze EKS security data with Security Lake :keywords: Amazon EKS, Amazon Security Lake, Kubernetes security, centralized security data, threat detection +include::../attributes.txt[] + [abstract] -- Amazon Security Lake integrates with Amazon EKS to provide a centralized and standardized solution for collecting, storing, and analyzing security data from clusters. By enabling EKS control plane logging and adding EKS logs as a source in Security Lake, users can gain valuable insights, detect potential threats, and enhance the security posture of their [.noloc]`Kubernetes` environments. diff --git a/latest/ug/integrations/integration-vpc-lattice.adoc b/latest/ug/integrations/integration-vpc-lattice.adoc index 6fffebe9a..cedeef391 100644 --- a/latest/ug/integrations/integration-vpc-lattice.adoc +++ b/latest/ug/integrations/integration-vpc-lattice.adoc @@ -1,7 +1,8 @@ -include::../attributes.txt[] [.topic] [[integration-vpc-lattice,integration-vpc-lattice.title]] = Enable secure cross-cluster connectivity with Amazon VPC Lattice +include::../attributes.txt[] + Amazon VPC Lattice is a fully managed application networking service built directly into the {aws} networking infrastructure that you can use to connect, secure, and monitor your services across multiple accounts and Virtual Private Clouds (VPCs). With Amazon EKS, you can leverage Amazon VPC Lattice through the use of the {aws} Gateway API Controller, an implementation of the Kubernetes https://gateway-api.sigs.k8s.io/[Gateway API]. Using Amazon VPC Lattice, you can set up cross-cluster connectivity with standard [.noloc]`Kubernetes` semantics in a simple and consistent manner. To get started using Amazon VPC Lattice with Amazon EKS see the https://www.gateway-api-controller.eks.aws.dev/[{aws} Gateway API Controller User Guide]. diff --git a/latest/ug/manage-access/cluster-auth.adoc b/latest/ug/manage-access/cluster-auth.adoc index 6ed6aa831..2abc65074 100644 --- a/latest/ug/manage-access/cluster-auth.adoc +++ b/latest/ug/manage-access/cluster-auth.adoc @@ -1,4 +1,3 @@ -include::../attributes.txt[] [.topic] [[cluster-auth,cluster-auth.title]] = Learn how access control works in Amazon EKS @@ -12,6 +11,8 @@ include::../attributes.txt[] :sourcedir: . :info_titleabbrev: Manage access +include::../attributes.txt[] + [abstract] -- Learn how to manage access to your EKS cluster. First, this includes granting developers or external services access to Kubernetes. Second, this includes granting Kubernetes workloads access to {aws} services. diff --git a/latest/ug/manage-access/create-kubeconfig.adoc b/latest/ug/manage-access/create-kubeconfig.adoc index 596a0ee9d..1b7a27f2b 100644 --- a/latest/ug/manage-access/create-kubeconfig.adoc +++ b/latest/ug/manage-access/create-kubeconfig.adoc @@ -1,10 +1,11 @@ -include::../attributes.txt[] [.topic] [[create-kubeconfig,create-kubeconfig.title]] = Connect [.noloc]`kubectl` to an EKS cluster by creating a [.noloc]`kubeconfig` file :info_titleabbrev: Access cluster with kubectl +include::../attributes.txt[] + [abstract] -- Learn how to create or update a kubeconfig file for authenticating with your Amazon EKS cluster using kubectl. Follow prerequisites for required tools and permissions. diff --git a/latest/ug/nodes/bottlerocket-compliance-support.adoc b/latest/ug/nodes/bottlerocket-compliance-support.adoc index 2c3c1be07..c3057cfb7 100644 --- a/latest/ug/nodes/bottlerocket-compliance-support.adoc +++ b/latest/ug/nodes/bottlerocket-compliance-support.adoc @@ -1,9 +1,10 @@ -include::../attributes.txt[] [.topic] [[bottlerocket-compliance-support,bottlerocket-compliance-support.title]] = Meet compliance requirements with [.noloc]`Bottlerocket` :info_titleabbrev: Compliance support +include::../attributes.txt[] + [abstract] -- [.noloc]`Bottlerocket` complies with recommendations defined by various organizations. diff --git a/latest/ug/nodes/choosing-instance-type.adoc b/latest/ug/nodes/choosing-instance-type.adoc index a0474efa0..21018679d 100644 --- a/latest/ug/nodes/choosing-instance-type.adoc +++ b/latest/ug/nodes/choosing-instance-type.adoc @@ -1,4 +1,3 @@ -include::../attributes.txt[] [.topic] [[choosing-instance-type,choosing-instance-type.title]] @@ -6,6 +5,8 @@ include::../attributes.txt[] :info_titleabbrev: Amazon EC2 instance types :keywords: choose, select, instance, type, family, group, max-pods, max pods, maximum pods +include::../attributes.txt[] + [abstract] -- Each Amazon EC2 instance type offers different compute, memory, storage, and network capabilities. diff --git a/latest/ug/nodes/delete-fargate-profile.adoc b/latest/ug/nodes/delete-fargate-profile.adoc index b1d0f551d..2ea50acc6 100644 --- a/latest/ug/nodes/delete-fargate-profile.adoc +++ b/latest/ug/nodes/delete-fargate-profile.adoc @@ -1,9 +1,10 @@ -include::../attributes.txt[] [.topic] [[delete-fargate-profile,delete-fargate-profile.title]] = Delete a Fargate profile :info_titleabbrev: Delete profiles +include::../attributes.txt[] + [abstract] -- When you delete a Fargate profile, any [.noloc]`Pods` that were scheduled onto Fargate with the profile are deleted. diff --git a/latest/ug/nodes/delete-managed-node-group.adoc b/latest/ug/nodes/delete-managed-node-group.adoc index f2a77a725..f4e989b63 100644 --- a/latest/ug/nodes/delete-managed-node-group.adoc +++ b/latest/ug/nodes/delete-managed-node-group.adoc @@ -1,9 +1,10 @@ -include::../attributes.txt[] [.topic] [[delete-managed-node-group,delete-managed-node-group.title]] = Delete a managed node group from your cluster :info_titleabbrev: Delete +include::../attributes.txt[] + [abstract] -- This topic describes how you can delete an Amazon EKS managed node group. diff --git a/latest/ug/nodes/dockershim-deprecation.adoc b/latest/ug/nodes/dockershim-deprecation.adoc index 4339d1c1f..ab1d51851 100644 --- a/latest/ug/nodes/dockershim-deprecation.adoc +++ b/latest/ug/nodes/dockershim-deprecation.adoc @@ -1,9 +1,10 @@ -include::../attributes.txt[] [.topic] [[dockershim-deprecation,dockershim-deprecation.title]] = Migrate from `dockershim` to `containerd` :info_titleabbrev: Dockershim deprecation +include::../attributes.txt[] + [abstract] -- Starting with [.noloc]`Kubernetes` version `1.24`, Amazon EKS AMIs that are officially published only include the `containerd` runtime. diff --git a/latest/ug/nodes/eks-ami-build-scripts.adoc b/latest/ug/nodes/eks-ami-build-scripts.adoc index 7f7c81057..52e758841 100644 --- a/latest/ug/nodes/eks-ami-build-scripts.adoc +++ b/latest/ug/nodes/eks-ami-build-scripts.adoc @@ -1,9 +1,10 @@ -include::../attributes.txt[] [.topic] [[eks-ami-build-scripts,eks-ami-build-scripts.title]] = Build a custom Amazon Linux AMI with a script :info_titleabbrev: Custom builds +include::../attributes.txt[] + [abstract] -- Amazon Elastic Kubernetes Service (Amazon EKS) has open-source scripts that are used to build the Amazon EKS optimized AMI. diff --git a/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc b/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc index 8a0fd880f..981972c78 100644 --- a/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc +++ b/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc @@ -1,9 +1,10 @@ -include::../attributes.txt[] [.topic] [[eks-ami-versions-bottlerocket,eks-ami-versions-bottlerocket.title]] = Retrieve [.noloc]`Bottlerocket` AMI version information :info_titleabbrev: Get version information +include::../attributes.txt[] + [abstract] -- This topic gives resources for Amazon EKS optimized [.noloc]`Bottlerocket` AMIs version information. diff --git a/latest/ug/nodes/eks-ami-versions-windows.adoc b/latest/ug/nodes/eks-ami-versions-windows.adoc index cab460614..acc36aafa 100644 --- a/latest/ug/nodes/eks-ami-versions-windows.adoc +++ b/latest/ug/nodes/eks-ami-versions-windows.adoc @@ -1,9 +1,10 @@ -include::../attributes.txt[] [.topic] [[eks-ami-versions-windows,eks-ami-versions-windows.title]] = Retrieve [.noloc]`Windows` AMI version information :info_titleabbrev: Get version information +include::../attributes.txt[] + [abstract] -- This topic lists versions of the Amazon EKS optimized [.noloc]`Windows` AMIs and their corresponding versions of `kubelet`, `containerd`, and `csi-proxy`. diff --git a/latest/ug/nodes/eks-custom-ami-windows.adoc b/latest/ug/nodes/eks-custom-ami-windows.adoc index bf67b5520..bf92493eb 100644 --- a/latest/ug/nodes/eks-custom-ami-windows.adoc +++ b/latest/ug/nodes/eks-custom-ami-windows.adoc @@ -1,9 +1,10 @@ -include::../attributes.txt[] [.topic] [[eks-custom-ami-windows,eks-custom-ami-windows.title]] = Build a custom [.noloc]`Windows` AMI with Image Builder :info_titleabbrev: Custom builds +include::../attributes.txt[] + [abstract] -- You can use EC2 Image Builder to create custom Amazon EKS optimized [.noloc]`Windows` AMIs. diff --git a/latest/ug/nodes/eks-linux-ami-versions.adoc b/latest/ug/nodes/eks-linux-ami-versions.adoc index 5e5e6e5e4..747103ee6 100644 --- a/latest/ug/nodes/eks-linux-ami-versions.adoc +++ b/latest/ug/nodes/eks-linux-ami-versions.adoc @@ -1,9 +1,10 @@ -include::../attributes.txt[] [.topic] [[eks-linux-ami-versions,eks-linux-ami-versions.title]] = Retrieve Amazon Linux AMI version information :info_titleabbrev: Get version information +include::../attributes.txt[] + [abstract] -- This topic gives the location of Amazon EKS optimized Amazon Linux AMIs version information. diff --git a/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc b/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc index 64be92719..e8e94fe51 100644 --- a/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc +++ b/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc @@ -1,9 +1,10 @@ -include::../attributes.txt[] [.topic] [[eks-optimized-ami-bottlerocket,eks-optimized-ami-bottlerocket.title]] = Create nodes with optimized [.noloc]`Bottlerocket` AMIs :info_titleabbrev: Bottlerocket +include::../attributes.txt[] + [abstract] -- [.noloc]`Bottlerocket` is an open source [.noloc]`Linux` distribution that's sponsored and supported by {aws}. [.noloc]`Bottlerocket` includes only the essential software to run containers, which improves resource usage, reduces security threats, and lowers management overhead. diff --git a/latest/ug/nodes/eks-partner-amis.adoc b/latest/ug/nodes/eks-partner-amis.adoc index e0d16c876..062300cd3 100644 --- a/latest/ug/nodes/eks-partner-amis.adoc +++ b/latest/ug/nodes/eks-partner-amis.adoc @@ -1,9 +1,10 @@ -include::../attributes.txt[] [.topic] [[eks-partner-amis,eks-partner-amis.title]] = Create nodes with optimized [.noloc]`Ubuntu Linux` AMIs :info_titleabbrev: Ubuntu Linux +include::../attributes.txt[] + [abstract] -- Canonical has partnered with Amazon EKS to create node AMIs that you can use in your clusters. diff --git a/latest/ug/nodes/launch-node-bottlerocket.adoc b/latest/ug/nodes/launch-node-bottlerocket.adoc index 3e460cec5..735f11c07 100644 --- a/latest/ug/nodes/launch-node-bottlerocket.adoc +++ b/latest/ug/nodes/launch-node-bottlerocket.adoc @@ -1,9 +1,10 @@ -include::../attributes.txt[] [.topic] [[launch-node-bottlerocket,launch-node-bottlerocket.title]] = Create self-managed [.noloc]`Bottlerocket` nodes :info_titleabbrev: Bottlerocket +include::../attributes.txt[] + [abstract] -- This topic describes how to launch Auto Scaling groups of [.noloc]`Bottlerocket` nodes that register with your Amazon EKS cluster diff --git a/latest/ug/nodes/launch-node-ubuntu.adoc b/latest/ug/nodes/launch-node-ubuntu.adoc index 2462ae15f..4ee13a25f 100644 --- a/latest/ug/nodes/launch-node-ubuntu.adoc +++ b/latest/ug/nodes/launch-node-ubuntu.adoc @@ -1,9 +1,10 @@ -include::../attributes.txt[] [.topic] [[launch-node-ubuntu,launch-node-ubuntu.title]] = Create self-managed [.noloc]`Ubuntu Linux` nodes :info_titleabbrev: Ubuntu Linux +include::../attributes.txt[] + [abstract] -- This topic describes how to launch Auto Scaling groups of [.noloc]`Ubuntu` nodes that register with your Amazon EKS cluster diff --git a/latest/ug/nodes/launch-templates.adoc b/latest/ug/nodes/launch-templates.adoc index 8179a9d7e..a56623ead 100644 --- a/latest/ug/nodes/launch-templates.adoc +++ b/latest/ug/nodes/launch-templates.adoc @@ -1,9 +1,10 @@ -include::../attributes.txt[] [.topic] [[launch-templates,launch-templates.title]] = Customize managed nodes with launch templates :info_titleabbrev: Launch templates +include::../attributes.txt[] + [abstract] -- For the highest level of customization, you can deploy managed nodes using your own launch template and a custom AMI. diff --git a/latest/ug/nodes/launch-workers.adoc b/latest/ug/nodes/launch-workers.adoc index 49ba3b9f0..04b90d330 100644 --- a/latest/ug/nodes/launch-workers.adoc +++ b/latest/ug/nodes/launch-workers.adoc @@ -1,9 +1,10 @@ -include::../attributes.txt[] [.topic] [[launch-workers,launch-workers.title]] = Create self-managed Amazon Linux nodes :info_titleabbrev: Amazon Linux +include::../attributes.txt[] + [abstract] -- This topic describes how you can launch Auto Scaling groups of [.noloc]`Linux` nodes that register with your Amazon EKS cluster. diff --git a/latest/ug/nodes/managed-node-update-behavior.adoc b/latest/ug/nodes/managed-node-update-behavior.adoc index 5b9ba4cbf..a94eb7dc0 100644 --- a/latest/ug/nodes/managed-node-update-behavior.adoc +++ b/latest/ug/nodes/managed-node-update-behavior.adoc @@ -1,9 +1,10 @@ -include::../attributes.txt[] [.topic] [[managed-node-update-behavior,managed-node-update-behavior.title]] = Understand each phase of node updates :info_titleabbrev: Update behavior details +include::../attributes.txt[] + [abstract] -- The Amazon EKS managed worker node upgrade strategy has four different phases. diff --git a/latest/ug/nodes/migrate-stack.adoc b/latest/ug/nodes/migrate-stack.adoc index d187578b3..63f8dff83 100644 --- a/latest/ug/nodes/migrate-stack.adoc +++ b/latest/ug/nodes/migrate-stack.adoc @@ -1,9 +1,10 @@ -include::../attributes.txt[] [.topic] [[migrate-stack,migrate-stack.title]] = Migrate applications to a new node group :info_titleabbrev: Migration +include::../attributes.txt[] + [abstract] -- This topic describes how you can create a new node group, gracefully migrate your existing applications to the new group, and remove the old node group from your cluster. diff --git a/latest/ug/nodes/self-managed-windows-server-2022.adoc b/latest/ug/nodes/self-managed-windows-server-2022.adoc index 36e6debf7..a919b5003 100644 --- a/latest/ug/nodes/self-managed-windows-server-2022.adoc +++ b/latest/ug/nodes/self-managed-windows-server-2022.adoc @@ -1,9 +1,10 @@ -include::../attributes.txt[] [.topic] [[self-managed-windows-server-2022,self-managed-windows-server-2022.title]] = Create self-managed [.noloc]`Windows` Server 2022 nodes with `eksctl` :info_titleabbrev: Create Windows Server 2022 nodes +include::../attributes.txt[] + [abstract] -- This topic includes a YAML file as reference for creating self-managed [.noloc]`Windows` Server 2022 nodes. diff --git a/latest/ug/observability/control-plane-logs.adoc b/latest/ug/observability/control-plane-logs.adoc index 7923ad57a..4ff975b69 100644 --- a/latest/ug/observability/control-plane-logs.adoc +++ b/latest/ug/observability/control-plane-logs.adoc @@ -1,4 +1,3 @@ -include::../attributes.txt[] [.topic] [[control-plane-logs,control-plane-logs.title]] @@ -6,6 +5,8 @@ include::../attributes.txt[] :info_titleabbrev: Control plane logs :keywords: control plane, logging, API, logs +include::../attributes.txt[] + [abstract] -- Learn how to configure logging for your Amazon EKS cluster. diff --git a/latest/ug/observability/deploy-prometheus.adoc b/latest/ug/observability/deploy-prometheus.adoc index a7008c0d1..bf5f70d7e 100644 --- a/latest/ug/observability/deploy-prometheus.adoc +++ b/latest/ug/observability/deploy-prometheus.adoc @@ -1,9 +1,10 @@ -include::../attributes.txt[] [.topic] [[deploy-prometheus,deploy-prometheus.title]] = Deploy [.noloc]`Prometheus` using [.noloc]`Helm` :info_titleabbrev: Deploy using Helm +include::../attributes.txt[] + [abstract] -- As an alternative to using Amazon Managed Service for Prometheus, you can deploy [.noloc]`Prometheus` into your cluster with [.noloc]`Helm` V3. diff --git a/latest/ug/observability/eks-observe.adoc b/latest/ug/observability/eks-observe.adoc index d861160cf..99c5fdaae 100644 --- a/latest/ug/observability/eks-observe.adoc +++ b/latest/ug/observability/eks-observe.adoc @@ -1,4 +1,3 @@ -include::../attributes.txt[] [[eks-observe,eks-observe.title]] = Monitor your cluster performance and view logs :doctype: book @@ -12,6 +11,8 @@ include::../attributes.txt[] :info_titleabbrev: Monitor clusters :keywords: observability, monitoring, logging, logs, data +include::../attributes.txt[] + [abstract] -- You can observe your data in Amazon EKS using many available monitoring or logging tools. diff --git a/latest/ug/observability/enable-asg-metrics.adoc b/latest/ug/observability/enable-asg-metrics.adoc index ead9cecfc..b544161bd 100644 --- a/latest/ug/observability/enable-asg-metrics.adoc +++ b/latest/ug/observability/enable-asg-metrics.adoc @@ -1,9 +1,10 @@ -include::../attributes.txt[] [.topic] [[enable-asg-metrics,enable-asg-metrics.title]] = View metrics for Amazon EC2 Auto Scaling groups :info_titleabbrev: Auto Scaling group metrics +include::../attributes.txt[] + [abstract] -- You can use Amazon EC2 Auto Scaling group metrics to track changes in an Auto Scaling group and to set alarms on threshold values. diff --git a/latest/ug/observability/view-raw-metrics.adoc b/latest/ug/observability/view-raw-metrics.adoc index 782bebaf8..81ff84804 100644 --- a/latest/ug/observability/view-raw-metrics.adoc +++ b/latest/ug/observability/view-raw-metrics.adoc @@ -1,4 +1,3 @@ -include::../attributes.txt[] [.topic] [[view-raw-metrics,view-raw-metrics.title]] = Fetch control plane raw metrics in [.noloc]`Prometheus` format @@ -6,6 +5,8 @@ include::../attributes.txt[] include::../attributes.txt[] +include::../attributes.txt[] + [abstract] -- The [.noloc]`Kubernetes` control plane exposes a number of metrics that are represented in a [.noloc]`Prometheus` format. diff --git a/latest/ug/storage/csi-snapshot-controller.adoc b/latest/ug/storage/csi-snapshot-controller.adoc index a6654dc8f..dd3dc44b2 100644 --- a/latest/ug/storage/csi-snapshot-controller.adoc +++ b/latest/ug/storage/csi-snapshot-controller.adoc @@ -1,4 +1,3 @@ -include::../attributes.txt[] [.topic] [[csi-snapshot-controller,csi-snapshot-controller.title]] @@ -6,6 +5,8 @@ include::../attributes.txt[] :info_titleabbrev: CSI snapshot controller :keywords: CSI, snapshot, controller +include::../attributes.txt[] + [abstract] -- The Container Storage Interface (CSI) snapshot controller enables the use of snapshot functionality in compatible CSI drivers, such as the Amazon EBS CSI driver. diff --git a/latest/ug/storage/ebs-csi-migration-faq.adoc b/latest/ug/storage/ebs-csi-migration-faq.adoc index e220db5e4..97a9efa78 100644 --- a/latest/ug/storage/ebs-csi-migration-faq.adoc +++ b/latest/ug/storage/ebs-csi-migration-faq.adoc @@ -1,4 +1,3 @@ -include::../attributes.txt[] [.topic] [[ebs-csi-migration-faq,ebs-csi-migration-faq.title]] @@ -6,6 +5,8 @@ include::../attributes.txt[] :info_titleabbrev: EBS CSI migration FAQ :keywords: Amazon EBS CSI driver, storage, CSI migration +include::../attributes.txt[] + [abstract] -- The Amazon EBS container storage interface migration feature is enabled by default on Amazon EKS `1.23` and later clusters. Learn answers to frequently asked questions about the feature and how it works with `1.23` and later clusters. diff --git a/latest/ug/storage/ebs-csi.adoc b/latest/ug/storage/ebs-csi.adoc index e7713ac05..07751b735 100644 --- a/latest/ug/storage/ebs-csi.adoc +++ b/latest/ug/storage/ebs-csi.adoc @@ -1,4 +1,3 @@ -include::../attributes.txt[] [.topic] [[ebs-csi,ebs-csi.title]] @@ -6,6 +5,8 @@ include::../attributes.txt[] :info_titleabbrev: Amazon EBS :keywords: Amazon EBS CSI driver, storage +include::../attributes.txt[] + [abstract] -- The Amazon Elastic Block Store (Amazon EBS) Container Storage Interface (CSI) driver manages the lifecycle of Amazon EBS volumes as storage for Kubernetes Volumes. diff --git a/latest/ug/storage/file-cache-csi.adoc b/latest/ug/storage/file-cache-csi.adoc index b33bcad7e..8d1d54c08 100644 --- a/latest/ug/storage/file-cache-csi.adoc +++ b/latest/ug/storage/file-cache-csi.adoc @@ -1,4 +1,3 @@ -include::../attributes.txt[] [.topic] [[file-cache-csi,file-cache-csi.title]] @@ -6,6 +5,8 @@ include::../attributes.txt[] :info_titleabbrev: Amazon File Cache :keywords: Amazon File Cache CSI driver, storage +include::../attributes.txt[] + [abstract] -- The Amazon File Cache Container Storage Interface (CSI) driver provides a CSI interface that allows Amazon EKS clusters to manage the life cycle of Amazon file caches. diff --git a/latest/ug/storage/fsx-csi.adoc b/latest/ug/storage/fsx-csi.adoc index c46b7003e..338b0e14d 100644 --- a/latest/ug/storage/fsx-csi.adoc +++ b/latest/ug/storage/fsx-csi.adoc @@ -1,4 +1,3 @@ -include::../attributes.txt[] [.topic] [[fsx-csi,fsx-csi.title]] @@ -6,6 +5,8 @@ include::../attributes.txt[] :info_titleabbrev: Amazon FSx for Lustre :keywords: Amazon FSx for Lustre CSI driver, storage +include::../attributes.txt[] + [abstract] -- The FSx for Lustre Container Storage Interface (CSI) driver provides a CSI interface that allows Amazon EKS clusters to manage the lifecycle of FSx for Lustre file systems. diff --git a/latest/ug/storage/fsx-ontap.adoc b/latest/ug/storage/fsx-ontap.adoc index 922f29f97..11cad30eb 100644 --- a/latest/ug/storage/fsx-ontap.adoc +++ b/latest/ug/storage/fsx-ontap.adoc @@ -1,4 +1,3 @@ -include::../attributes.txt[] [.topic] [[fsx-ontap,fsx-ontap.title]] @@ -6,6 +5,8 @@ include::../attributes.txt[] :info_titleabbrev: Amazon FSx for NetApp ONTAP :keywords: Amazon FSx for NetApp ONTAP CSI driver, storage +include::../attributes.txt[] + [abstract] -- The [.noloc]`NetApp Trident` allows Amazon EKS clusters to manage the lifecycle of persistent volumes (PVs) backed by Amazon FSx for NetApp ONTAP file systems. diff --git a/latest/ug/storage/fsx-openzfs-csi.adoc b/latest/ug/storage/fsx-openzfs-csi.adoc index 8fa015bb7..7d32e182f 100644 --- a/latest/ug/storage/fsx-openzfs-csi.adoc +++ b/latest/ug/storage/fsx-openzfs-csi.adoc @@ -1,4 +1,3 @@ -include::../attributes.txt[] [.topic] [[fsx-openzfs-csi,fsx-openzfs-csi.title]] @@ -6,6 +5,8 @@ include::../attributes.txt[] :info_titleabbrev: Amazon FSx for OpenZFS :keywords: Amazon FSx for OpenZFS CSI driver, storage +include::../attributes.txt[] + [abstract] -- The Amazon FSx for OpenZFS Container Storage Interface (CSI) driver provides a CSI interface that allows Amazon EKS clusters to manage the life cycle of Amazon FSx for OpenZFS volumes. diff --git a/latest/ug/storage/s3-csi.adoc b/latest/ug/storage/s3-csi.adoc index 043bb42e3..d3e714463 100644 --- a/latest/ug/storage/s3-csi.adoc +++ b/latest/ug/storage/s3-csi.adoc @@ -1,4 +1,3 @@ -include::../attributes.txt[] [.topic] [[s3-csi,s3-csi.title]] @@ -6,6 +5,8 @@ include::../attributes.txt[] :info_titleabbrev: Mountpoint for Amazon S3 :keywords: Mountpoint for Amazon S3 CSI driver, storage +include::../attributes.txt[] + [abstract] -- Learn about the Amazon S3 Container Storage Interface (CSI) driver, which provides a CSI interface for managing Amazon S3 files and buckets. diff --git a/latest/ug/storage/storage.adoc b/latest/ug/storage/storage.adoc index 7cecf833f..808bdc63e 100644 --- a/latest/ug/storage/storage.adoc +++ b/latest/ug/storage/storage.adoc @@ -1,4 +1,3 @@ -include::../attributes.txt[] [[storage,storage.title]] = Store application data for your cluster :doctype: book @@ -12,6 +11,8 @@ include::../attributes.txt[] :info_titleabbrev: Store app data :keywords: persistent, data, app, storage +include::../attributes.txt[] + [abstract] -- This chapter covers storage options for Amazon EKS clusters. diff --git a/latest/ug/what-is/common-use-cases.adoc b/latest/ug/what-is/common-use-cases.adoc index 7c9d1490c..fa6e6ff59 100644 --- a/latest/ug/what-is/common-use-cases.adoc +++ b/latest/ug/what-is/common-use-cases.adoc @@ -1,4 +1,3 @@ -include::../attributes.txt[] [.topic] [[common-use-cases,common-use-cases.title]] @@ -6,6 +5,8 @@ include::../attributes.txt[] :info_titleabbrev: Common use cases :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, use cases, summary, description +include::../attributes.txt[] + [abstract] -- Discover how Amazon EKS helps deploy highly available containerized applications, build microservices architectures, automate software release processes, run serverless applications, execute machine learning workloads, deploy consistently on-premises and in the cloud, process big data cost-effectively, and ensure security and compliance. diff --git a/latest/ug/what-is/eks-architecture.adoc b/latest/ug/what-is/eks-architecture.adoc index 683b77fbf..283b194ef 100644 --- a/latest/ug/what-is/eks-architecture.adoc +++ b/latest/ug/what-is/eks-architecture.adoc @@ -1,4 +1,3 @@ -include::../attributes.txt[] [.topic] [[eks-architecture,eks-architecture.title]] @@ -6,6 +5,8 @@ include::../attributes.txt[] :info_titleabbrev: Architecture :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, architecture, control plane, nodes, data plane +include::../attributes.txt[] + [abstract] -- Learn how Amazon EKS aligns with [.noloc]`Kubernetes` cluster architecture, offering a highly available and resilient control plane, and flexible compute options like {aws} Fargate, [.noloc]`Karpenter`, managed node groups, and self-managed nodes to meet diverse workload requirements. diff --git a/latest/ug/what-is/kubernetes-concepts.adoc b/latest/ug/what-is/kubernetes-concepts.adoc index a7b194eb6..999e8cdb9 100644 --- a/latest/ug/what-is/kubernetes-concepts.adoc +++ b/latest/ug/what-is/kubernetes-concepts.adoc @@ -1,4 +1,3 @@ -include::../attributes.txt[] [.topic] [[kubernetes-concepts,kubernetes-concepts.title]] @@ -6,6 +5,8 @@ include::../attributes.txt[] :info_titleabbrev: Kubernetes concepts :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, architecture, control plane, nodes, data plane +include::../attributes.txt[] + [abstract] -- Learn core [.noloc]`Kubernetes` concepts and how they relate to deploying workloads, managing clusters, and working with control planes, nodes, Pods, containers, and networking on Amazon EKS. diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index b3df7017d..d86a0929e 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -1,4 +1,3 @@ -include::../attributes.txt[] [.topic] [[what-is-eks,what-is-eks.title]] = What is Amazon EKS? @@ -13,6 +12,8 @@ include::../attributes.txt[] :info_titleabbrev: What is Amazon EKS? :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, about, summary, description +include::../attributes.txt[] + [abstract] -- Learn to manage containerized applications with Amazon EKS diff --git a/latest/ug/workloads/copy-image-to-repository.adoc b/latest/ug/workloads/copy-image-to-repository.adoc index 74585ccae..143466ca7 100644 --- a/latest/ug/workloads/copy-image-to-repository.adoc +++ b/latest/ug/workloads/copy-image-to-repository.adoc @@ -1,10 +1,11 @@ -include::../attributes.txt[] [.topic] [[copy-image-to-repository,copy-image-to-repository.title]] = Copy a container image from one repository to another repository :info_titleabbrev: Copy an image to a repository +include::../attributes.txt[] + This topic describes how to pull a container image from a repository that your nodes don't have access to and push the image to a repository that your nodes have access to. You can push the image to Amazon ECR or an alternative repository that your nodes have access to. diff --git a/latest/ug/workloads/eks-workloads.adoc b/latest/ug/workloads/eks-workloads.adoc index cc0ab4a8e..3aa8ccc42 100644 --- a/latest/ug/workloads/eks-workloads.adoc +++ b/latest/ug/workloads/eks-workloads.adoc @@ -1,4 +1,3 @@ -include::../attributes.txt[] [[eks-workloads,eks-workloads.title]] = Learn how to deploy workloads and add-ons to Amazon EKS :doctype: book @@ -11,6 +10,8 @@ include::../attributes.txt[] :sourcedir: . :info_titleabbrev: Workloads +include::../attributes.txt[] + Your workloads are deployed in containers, which are deployed in [.noloc]`Pods` in [.noloc]`Kubernetes`. A [.noloc]`Pod` includes one or more containers. Typically, one or more [.noloc]`Pods` that provide the same service are deployed in a [.noloc]`Kubernetes` service. Once you've deployed multiple [.noloc]`Pods` that provide the same service, you can: diff --git a/latest/ug/workloads/horizontal-pod-autoscaler.adoc b/latest/ug/workloads/horizontal-pod-autoscaler.adoc index 5a0c185c1..0962a7159 100644 --- a/latest/ug/workloads/horizontal-pod-autoscaler.adoc +++ b/latest/ug/workloads/horizontal-pod-autoscaler.adoc @@ -1,10 +1,11 @@ -include::../attributes.txt[] [.topic] [[horizontal-pod-autoscaler,horizontal-pod-autoscaler.title]] = Scale pod deployments with [.noloc]`Horizontal Pod Autoscaler` :info_titleabbrev: Horizontal Pod Autoscaler +include::../attributes.txt[] + [abstract] -- Learn how to use the Kubernetes Horizontal Pod Autoscaler to automatically scale your Amazon EKS deployments based on CPU utilization for efficient resource management. diff --git a/latest/ug/workloads/image-verification.adoc b/latest/ug/workloads/image-verification.adoc index 26be480c0..ba3ab9c01 100644 --- a/latest/ug/workloads/image-verification.adoc +++ b/latest/ug/workloads/image-verification.adoc @@ -1,10 +1,11 @@ -include::../attributes.txt[] [.topic] [[image-verification,image-verification.title]] = Validate container image signatures during deployment :info_titleabbrev: Verify container images +include::../attributes.txt[] + [abstract] -- Learn how to verify signed container images during deployment on Amazon EKS using admission controllers like Gatekeeper with Ratify or Kyverno configured with {aws} Signer plugins for validating image signatures. diff --git a/latest/ug/workloads/vertical-pod-autoscaler.adoc b/latest/ug/workloads/vertical-pod-autoscaler.adoc index db748e876..d5f9560a5 100644 --- a/latest/ug/workloads/vertical-pod-autoscaler.adoc +++ b/latest/ug/workloads/vertical-pod-autoscaler.adoc @@ -1,10 +1,11 @@ -include::../attributes.txt[] [.topic] [[vertical-pod-autoscaler,vertical-pod-autoscaler.title]] = Adjust pod resources with [.noloc]`Vertical Pod Autoscaler` :info_titleabbrev: Vertical Pod Autoscaler +include::../attributes.txt[] + [abstract] -- Discover how the Kubernetes Vertical Pod Autoscaler automatically adjusts CPU and memory reservations for your Pods to optimize resource utilization and right-size applications on Amazon EKS. diff --git a/latest/ug/workloads/workloads-add-ons-available-vendors.adoc b/latest/ug/workloads/workloads-add-ons-available-vendors.adoc index fd43858b8..cd889272b 100644 --- a/latest/ug/workloads/workloads-add-ons-available-vendors.adoc +++ b/latest/ug/workloads/workloads-add-ons-available-vendors.adoc @@ -5,9 +5,6 @@ include::../attributes.txt[] = {aws} Marketplace add-ons :info_titleabbrev: Marketplace add-ons - - - [abstract] -- Learn about the Amazon EKS add-ons from independent software vendors. From 84c4ce285ffb993974bf83a9a02cfd131a02a65e Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Fri, 31 Jan 2025 17:28:10 +0000 Subject: [PATCH 075/940] V1661361829 --- latest/ug/automode/create-node-class.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/automode/create-node-class.adoc b/latest/ug/automode/create-node-class.adoc index ba5c13dfd..51187a863 100644 --- a/latest/ug/automode/create-node-class.adoc +++ b/latest/ug/automode/create-node-class.adoc @@ -73,7 +73,7 @@ aws eks associate-access-policy \ --cluster-name \ --principal-arn \ --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSAutoNodePolicy \ - --access-scope cluster + --access-scope type=cluster ---- === Create access entry with CloudFormation From 2afdd13fa4e0baedec277deaebb044d0209b803c Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Fri, 31 Jan 2025 17:58:45 +0000 Subject: [PATCH 076/940] Removed redundant older k8s-n attribute that was causing glitch. Alphabetized entities. --- latest/ug/attributes.txt | 30 ++++++++----------- .../ug/getting-started/install-kubectl.adoc | 1 - 2 files changed, 13 insertions(+), 18 deletions(-) diff --git a/latest/ug/attributes.txt b/latest/ug/attributes.txt index 6e973ec78..69a685857 100644 --- a/latest/ug/attributes.txt +++ b/latest/ug/attributes.txt @@ -15,16 +15,23 @@ // Words Geoffrey often spells wrong or doesn't like to type -:ret: retrieve -:resp: responsibility -:det: determine :cap: capability :caps: capabilites -:recd: recommended +:det: determine :config: configuration -:ind: indicate -:ena: enable :dis: disable +:e2i: EC2 Instance +:eam: EKS Auto Mode +:emi: EC2 managed instance +:ena: enable +:ind: indicate +:k8s: Kubernetes +:mng: managed node group +:recd: recommended +:resp: responsibility +:ret: retrieve +:yaa: your {aws} account +:yec: your EKS Auto Mode cluster // AWS shared content @@ -224,14 +231,3 @@ :us-gov-west-1-name: {aws} GovCloud (US-West) Region :us-gov-east-1-region: {aws} GovCloud (US-West) :us-gov-east-1-code: us-gov-west-1 - -// EKS Auto Mode attributes - -:yec: your EKS Auto Mode cluster -:yaa: your {aws} account -:emi: EC2 managed instance -:eam: EKS Auto Mode -:mng: managed node group -:e2i: EC2 Instance -:k8s: Kubernetes -:k8s-n: 1.31 \ No newline at end of file diff --git a/latest/ug/getting-started/install-kubectl.adoc b/latest/ug/getting-started/install-kubectl.adoc index 63cf437cc..54012ad22 100644 --- a/latest/ug/getting-started/install-kubectl.adoc +++ b/latest/ug/getting-started/install-kubectl.adoc @@ -4,7 +4,6 @@ :info_titleabbrev: Set up kubectl and eksctl :keywords: install, update, kubectl - include::../attributes.txt[] [abstract] From 3598b97f43e4caf1a5e720dda54f0a80a342c656 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Fri, 31 Jan 2025 18:55:02 +0000 Subject: [PATCH 077/940] Simplified attributes usage for easier contributions. --- latest/ug/attributes.txt | 22 ------ latest/ug/automode/api-reference.adoc | 73 ++++++++----------- latest/ug/automode/associate-workload.adoc | 16 ++-- latest/ug/automode/auto-disable.adoc | 2 +- latest/ug/automode/auto-enable-existing.adoc | 12 +-- latest/ug/automode/auto-learn-iam.adoc | 10 +-- latest/ug/automode/auto-migrate-mng.adoc | 4 +- latest/ug/automode/auto-networking.adoc | 16 ++-- latest/ug/automode/auto-troubleshoot.adoc | 28 +++---- latest/ug/automode/auto-upgrade.adoc | 4 +- .../automode-get-started-console.adoc | 36 ++++----- .../automode/automode-get-started-eksctl.adoc | 12 +-- .../ug/automode/automode-learn-instances.adoc | 4 +- latest/ug/automode/create-node-class.adoc | 4 +- latest/ug/automode/create-node-pool.adoc | 10 +-- latest/ug/automode/create-storage-class.adoc | 4 +- .../ug/automode/sample-storage-workload.adoc | 8 +- .../ug/automode/set-builtin-node-pools.adoc | 2 +- 18 files changed, 116 insertions(+), 151 deletions(-) diff --git a/latest/ug/attributes.txt b/latest/ug/attributes.txt index 69a685857..ca8ca90b5 100644 --- a/latest/ug/attributes.txt +++ b/latest/ug/attributes.txt @@ -1,5 +1,4 @@ // EKS-specific attributes - :eksctl-min-version: 0.202.0 // EKS Auto Mode @@ -7,32 +6,11 @@ :auto-cli-v1-version: 1.27.160 // Kubernetes Versions - :k8s-n: 1.32 :k8s-n-1: 1.31 :k8s-n-2: 1.30 :k8s-n-3: 1.29 -// Words Geoffrey often spells wrong or doesn't like to type - -:cap: capability -:caps: capabilites -:det: determine -:config: configuration -:dis: disable -:e2i: EC2 Instance -:eam: EKS Auto Mode -:emi: EC2 managed instance -:ena: enable -:ind: indicate -:k8s: Kubernetes -:mng: managed node group -:recd: recommended -:resp: responsibility -:ret: retrieve -:yaa: your {aws} account -:yec: your EKS Auto Mode cluster - // AWS shared content // Region specific diff --git a/latest/ug/automode/api-reference.adoc b/latest/ug/automode/api-reference.adoc index e2988259c..f1bc94240 100644 --- a/latest/ug/automode/api-reference.adoc +++ b/latest/ug/automode/api-reference.adoc @@ -1,39 +1,26 @@ [.topic] = EKA Auto Mode API Reference WIP -:ind: indicate -:Ind: Indicate -:ena: enable -:dis: disable -:cap: capability -:caps: capabilities -:yec: your EKS Auto Mode cluster -:yaa: your {aws} account -:emi: EC2 Managed Instance -:eam: EKS Auto Mode -:lbi: load balancing -:bs: block storage - :fmis: For more information, see :in-guide: in the EKS User Guide :generic-update-request: For example, enable the capability. -:generic-status-request: For example, if the {cap} is {ena}d or {dis}d. -:generic-describe-cap: {Ind}s the current configuration of the {cap} on {yec}. {generic-status-request} +:generic-status-request: For example, if the capability is enabled or disabled. +:generic-describe-cap: Indicates the current configuration of the capability on your EKS Auto Mode cluster. {generic-status-request} :generic-config-request: Request to update the configuration of the -:comp-cap-desc: If the compute {cap} is enabled, {eam} will create and delete {emi}s in {yaa}. -:comp-cap-link: {fmis} {eam} compute {cap} {in-guide}. +:comp-cap-desc: If the compute capability is enabled, EKS Auto Mode will create and delete EC2 managed instances in your {aws} account. +:comp-cap-link: {fmis} EKS Auto Mode compute capability {in-guide}. -:lb-cap-desc: If the load balancing {cap} is enabled, {eam} will create and delete {emi}s in {yaa}. -:lb-cap-link: {fmis} {eam} load balancing {cap} {in-guide}. +:lb-cap-desc: If the load balancing capability is enabled, EKS Auto Mode will create and delete EC2 managed instances in your {aws} account. +:lb-cap-link: {fmis} EKS Auto Mode load balancing capability {in-guide}. -:ebs-cap-desc: If the {bs} {cap} is enabled, {eam} will create and delete EBS volumes in {yaa}. -:ebs-cap-link: {fmis} {eam} {bs} {cap} {in-guide}. +:ebs-cap-desc: If the block storage capability is enabled, EKS Auto Mode will create and delete EBS volumes in your {aws} account. +:ebs-cap-link: {fmis} EKS Auto Mode block storage capability {in-guide}. :iam-link: {fmis} the IAM Reference {in-guide}. -:launch-limitation: Currently, you cannot selectively enable or disable {eam} {caps}. The compute {cap}, {bs} {cap}, and {lbi} {cap} must all be enabled or disabled. You must enable or disable all three capabilities in the same API request. +:launch-limitation: Currently, you cannot selectively enable or disable EKS Auto Mode capabilities. The compute capability, block storage capability, and load balancing capability must all be enabled or disabled. You must enable or disable all three capabilities in the same API request. == Capabilities @@ -50,7 +37,7 @@ // Storage * BlockStorage$controllerRole -** The IAM role used by {eam} to manage EBS volumes. {iam-link} +** The IAM role used by EKS Auto Mode to manage EBS volumes. {iam-link} // missing compute cap? @@ -61,12 +48,12 @@ // Load Balancing * ElasticLoadBalancing$enabled -** {ind}s if the {lbi} {cap} is enabled on {yec}. {lb-cap-desc} +** indicates if the load balancing capability is enabled on your EKS Auto Mode cluster. {lb-cap-desc} // Storage * BlockStorage$enabled -** {ind}s if the {bs} {cap} is enabled on {yec}. {ebs-cap-desc} +** indicates if the block storage capability is enabled on your EKS Auto Mode cluster. {ebs-cap-desc} //missing compute cap? @@ -76,12 +63,12 @@ // Compute * CreateClusterRequest$computeConfig -** Enable or disable the compute {cap} of {eam} when creating {yec}. {comp-cap-desc} +** Enable or disable the compute capability of EKS Auto Mode when creating your EKS Auto Mode cluster. {comp-cap-desc} // Storage * CreateClusterRequest$storageConfig -** Enable or disable the {bs} {cap} of {eam} when creating {yec}. {ebs-cap-desc} +** Enable or disable the block storage capability of EKS Auto Mode when creating your EKS Auto Mode cluster. {ebs-cap-desc} == Cluster$ Config @@ -100,36 +87,36 @@ == ConfigRequest * ComputeConfigRequest -** {generic-config-request} the compute {cap} of your {eam}. {generic-update-request} {comp-cap-link} +** {generic-config-request} the compute capability of your EKS Auto Mode. {generic-update-request} {comp-cap-link} * StorageConfigRequest -** {generic-config-request} the storage {cap} of your {eam}. {generic-update-request} {ebs-cap-link} +** {generic-config-request} the storage capability of your EKS Auto Mode. {generic-update-request} {ebs-cap-link} === Load Balancing * KubernetesNetworkConfigRequest$elasticLoadBalancing -** Request to {ena} or {dis} the {lbi} {cap} on {yec}. {lb-cap-link} +** Request to enable or disable the load balancing capability on your EKS Auto Mode cluster. {lb-cap-link} === Compute * ComputeConfigRequest$enabled -** Request to {ena} or {dis} the compute {cap} on {yec}. {comp-cap-desc} +** Request to enable or disable the compute capability on your EKS Auto Mode cluster. {comp-cap-desc} * ComputeConfigRequest$nodePools -** Configuration for node pools that defines the compute resources for {yec}. {fmis} {eam} Node Pools {in-guide}. +** Configuration for node pools that defines the compute resources for your EKS Auto Mode cluster. {fmis} EKS Auto Mode Node Pools {in-guide}. * ComputeConfigRequest$nodeRoleArn -** The ARN of the IAM Role EKS will assign to {emi}s in {yec}. This value cannot be changed after the compute {cap} of {eam} is enabled. {iam-link} +** The ARN of the IAM Role EKS will assign to EC2 managed instances in your EKS Auto Mode cluster. This value cannot be changed after the compute capability of EKS Auto Mode is enabled. {iam-link} === Storage * StorageConfigRequest$blockStorage -** Request to configure EBS Block Storage settings for {yec}. +** Request to configure EBS Block Storage settings for your EKS Auto Mode cluster. == ConfigResponse @@ -137,23 +124,23 @@ // Compute * ComputeConfigResponse -** {ind}s {status-of-request} the compute {cap} of {yec}. +** indicates {status-of-request} the compute capability of your EKS Auto Mode cluster. // Storage * StorageConfigResponse -** {ind}s {status-of-request} the {bs} {cap} of {yec}. +** indicates {status-of-request} the block storage capability of your EKS Auto Mode cluster. === Response pointers to objects // Storage * StorageConfigResponse$blockStorage -** {ind}s the current configuration of the {bs} {cap} on {yec}. {generic-status-request} +** indicates the current configuration of the block storage capability on your EKS Auto Mode cluster. {generic-status-request} // Load Balancing * $elasticLoadBalancing -** {ind}s the current configuration of the {lbi} {cap} on {yec}. {generic-status-request} +** indicates the current configuration of the load balancing capability on your EKS Auto Mode cluster. {generic-status-request} === Compute Details @@ -161,16 +148,16 @@ // Compute * ComputeConfigResponse$enabled -** {ind}s if the compute {cap} is enabled on {yec}. {comp-cap-desc} +** indicates if the compute capability is enabled on your EKS Auto Mode cluster. {comp-cap-desc} // Compute * ComputeConfigResponse$nodePools -** {ind}s the current configuration of node pools in {yec}. {fmis} {eam} Node Pools {in-guide}. +** indicates the current configuration of node pools in your EKS Auto Mode cluster. {fmis} EKS Auto Mode Node Pools {in-guide}. // Compute * ComputeConfigResponse$nodeRoleArn -** The ARN of the IAM Role EKS will assign to {emi}s in {yec}. +** The ARN of the IAM Role EKS will assign to EC2 managed instances in your EKS Auto Mode cluster. == UpdateClusterConfigRequest @@ -178,11 +165,11 @@ // Storage * UpdateClusterConfigRequest$storageConfig -** {update-config} the {bs} {cap} of {yec}. {generic-update-request} +** {update-config} the block storage capability of your EKS Auto Mode cluster. {generic-update-request} // Compute * UpdateClusterConfigRequest$computeConfig -** {update-config} the compute {cap} of {yec}. {generic-update-request} +** {update-config} the compute capability of your EKS Auto Mode cluster. {generic-update-request} //where is LB? diff --git a/latest/ug/automode/associate-workload.adoc b/latest/ug/automode/associate-workload.adoc index 324542296..f6ab510fb 100644 --- a/latest/ug/automode/associate-workload.adoc +++ b/latest/ug/automode/associate-workload.adoc @@ -5,20 +5,20 @@ include::../attributes.txt[] -When running workloads in an EKS cluster with {eam}, you might need to control whether specific workloads run on {eam} nodes or other compute types. This topic describes how to use node selectors and affinity rules to ensure your workloads are scheduled on the intended compute infrastructure. +When running workloads in an EKS cluster with EKS Auto Mode, you might need to control whether specific workloads run on EKS Auto Mode nodes or other compute types. This topic describes how to use node selectors and affinity rules to ensure your workloads are scheduled on the intended compute infrastructure. -The examples in this topic demonstrate how to use the `eks.amazonaws.com/compute-type` label to either require or prevent workload deployment on {eam} nodes. This is particularly useful in mixed-mode clusters where you're running both {eam} and other compute types, such as self-managed Karpenter provisioners or EKS Managed Node Groups. +The examples in this topic demonstrate how to use the `eks.amazonaws.com/compute-type` label to either require or prevent workload deployment on EKS Auto Mode nodes. This is particularly useful in mixed-mode clusters where you're running both EKS Auto Mode and other compute types, such as self-managed Karpenter provisioners or EKS Managed Node Groups. -{eam} nodes have set the value of the label `eks.amazonaws.com/compute-type` to `auto`. You can use this label to control if a workload is deployed to nodes managed by {eam}. +EKS Auto Mode nodes have set the value of the label `eks.amazonaws.com/compute-type` to `auto`. You can use this label to control if a workload is deployed to nodes managed by EKS Auto Mode. -== Require a workload is deployed to {eam} nodes +== Require a workload is deployed to EKS Auto Mode nodes [NOTE] ==== -This `nodeSelector` value is not required for {eam}. This `nodeSelector` value is only relevant if you are running a cluster in a mixed mode, node types not managed by {eam}. For example, you may have static compute capacity deployed to your cluster with EKS Managed Node Groups, and have dynamic compute capacity managed by {eam}. +This `nodeSelector` value is not required for EKS Auto Mode. This `nodeSelector` value is only relevant if you are running a cluster in a mixed mode, node types not managed by EKS Auto Mode. For example, you may have static compute capacity deployed to your cluster with EKS Managed Node Groups, and have dynamic compute capacity managed by EKS Auto Mode. ==== -You can add this `nodeSelector` to Deployments or other workloads to require Kubernetes schedule them onto {eam} nodes. +You can add this `nodeSelector` to Deployments or other workloads to require Kubernetes schedule them onto EKS Auto Mode nodes. [source,yaml] ---- @@ -29,9 +29,9 @@ spec: eks.amazonaws.com/compute-type: auto ---- -== Require a workload is not deployed to {eam} nodes +== Require a workload is not deployed to EKS Auto Mode nodes -You can add this `nodeAffinity` to Deployments or other workloads to require Kubernetes *not* schedule them onto {eam} nodes. +You can add this `nodeAffinity` to Deployments or other workloads to require Kubernetes *not* schedule them onto EKS Auto Mode nodes. [source,yaml] ---- diff --git a/latest/ug/automode/auto-disable.adoc b/latest/ug/automode/auto-disable.adoc index 727105422..61c36bb93 100644 --- a/latest/ug/automode/auto-disable.adoc +++ b/latest/ug/automode/auto-disable.adoc @@ -27,7 +27,7 @@ If any managed Security Group is not deleted at the end of this process, you can == Disable EKS Auto Mode ({aws} CLI) -Use the following command to disable {eam} on an existing cluster. +Use the following command to disable EKS Auto Mode on an existing cluster. You need to have the `aws` CLI installed, and be logged in with sufficent permissions to manage EKS clusters. For more information, see <>. diff --git a/latest/ug/automode/auto-enable-existing.adoc b/latest/ug/automode/auto-enable-existing.adoc index 9ee5a98be..531f8e023 100644 --- a/latest/ug/automode/auto-enable-existing.adoc +++ b/latest/ug/automode/auto-enable-existing.adoc @@ -21,7 +21,7 @@ You must be logged into the {aws} console with permission to manage IAM, EKS, an [NOTE] ==== -The Cluster IAM role of an EKS Cluster cannot be changed after the cluster is created. {eam} requires additional permissions on this role. You must attach additional policies to the current role. +The Cluster IAM role of an EKS Cluster cannot be changed after the cluster is created. EKS Auto Mode requires additional permissions on this role. You must attach additional policies to the current role. ==== === Update Cluster IAM Role @@ -59,20 +59,20 @@ The Cluster IAM role of an EKS Cluster cannot be changed after the cluster is cr ---- -=== Enable {eam} +=== Enable EKS Auto Mode . Open your cluster overview page in the {aws} Management Console. . Under *EKS Auto Mode* select *Manage* . Toggle *EKS Auto Mode* to on. . From the *EKS Node Pool* dropdown, select the default node pools you want to create. -** Learn more about Node Pools in {eam}. For more information, see <>. -. If you have previously created an {eam} Node IAM role this {aws} account, select it in the *Node IAM Role* dropdown. If you have not created this role before, select *Create {recd} Role* and follow the steps. +** Learn more about Node Pools in EKS Auto Mode. For more information, see <>. +. If you have previously created an EKS Auto Mode Node IAM role this {aws} account, select it in the *Node IAM Role* dropdown. If you have not created this role before, select *Create recommended Role* and follow the steps. == {aws} CLI === Prerequisites -* The Cluster IAM Role of the existing EKS Cluster must include sufficent permissiosn for {eam}, such as the following policies: +* The Cluster IAM Role of the existing EKS Cluster must include sufficent permissiosn for EKS Auto Mode, such as the following policies: ** `AmazonEKSComputePolicy` ** `AmazonEKSBlockStoragePolicy` ** `AmazonEKSLoadBalancingPolicy` @@ -83,7 +83,7 @@ The Cluster IAM role of an EKS Cluster cannot be changed after the cluster is cr === Procedure -Use the following commands to enable {eam} on an existing cluster. +Use the following commands to enable EKS Auto Mode on an existing cluster. [NOTE] ==== diff --git a/latest/ug/automode/auto-learn-iam.adoc b/latest/ug/automode/auto-learn-iam.adoc index 75491cbad..b676d8af7 100644 --- a/latest/ug/automode/auto-learn-iam.adoc +++ b/latest/ug/automode/auto-learn-iam.adoc @@ -17,11 +17,11 @@ In EKS Auto Mode, {aws} IAM roles are automatically mapped to Kubernetes permiss The Cluster IAM role is an {aws} Identity and Access Management (IAM) role used by Amazon EKS to manage permissions for Kubernetes clusters. This role grants Amazon EKS the necessary permissions to interact with other {aws} services on behalf of your cluster, and is automatically configured with Kubernetes permissions using EKS access entries. * You must attach {aws} IAM policies to this role. -* {eam} attaches Kubernetes permissions to this role automatically using EKS access entries. -* With {eam}, {aws} suggests creating a single Cluster IAM Role per {aws} account. +* EKS Auto Mode attaches Kubernetes permissions to this role automatically using EKS access entries. +* With EKS Auto Mode, {aws} suggests creating a single Cluster IAM Role per {aws} account. * {aws} suggests naming this role `AmazonEKSAutoClusterRole`. * This role requires permissions for multiple {aws} services to manage resources including EBS volumes, Elastic Load Balancers, and EC2 instances. -* The suggested configuration for this role includes multiple {aws} managed IAM policies, related to the different {caps} of {eam}. +* The suggested configuration for this role includes multiple {aws} managed IAM policies, related to the different capabilities of EKS Auto Mode. ** `AmazonEKSComputePolicy` ** `AmazonEKSBlockStoragePolicy` ** `AmazonEKSLoadBalancingPolicy` @@ -43,9 +43,9 @@ For more information about Kubernetes access, see: The Node IAM role is an {aws} Identity and Access Management (IAM) role used by Amazon EKS to manage permissions for worker nodes in Kubernetes clusters. This role grants EC2 instances running as Kubernetes nodes the necessary permissions to interact with {aws} services and resources, and is automatically configured with Kubernetes RBAC permissions using EKS access entries. * You must attach {aws} IAM policies to this role. -* {eam} attaches Kubernetes RBAC permissions to this role automatically using EKS access entries. +* EKS Auto Mode attaches Kubernetes RBAC permissions to this role automatically using EKS access entries. * {aws} suggests naming this role `AmazonEKSAutoNodeRole`. -* With {eam}, {aws} suggests creating a single Node IAM Role per {aws} account. +* With EKS Auto Mode, {aws} suggests creating a single Node IAM Role per {aws} account. * This role has limited permissions. The key permissions include assuming a Pod Identity Role, and pulling images from ECR. * {aws} suggests the following {aws} managed IAM policies: ** `AmazonEKSWorkerNodeMinimalPolicy` diff --git a/latest/ug/automode/auto-migrate-mng.adoc b/latest/ug/automode/auto-migrate-mng.adoc index 5be715d0e..689bbfebc 100644 --- a/latest/ug/automode/auto-migrate-mng.adoc +++ b/latest/ug/automode/auto-migrate-mng.adoc @@ -11,13 +11,13 @@ This topic walks you through the steps to safely drain pods from your existing m == Prerequisites -* Cluster with {eam} enabled +* Cluster with EKS Auto Mode enabled * `eksctl` CLI installed and connected to your cluster. For more information, see <>. * Karpenter is not installed on the cluster. == Procedure -Use the following `eksctl` CLI command to initiate draining pods from the existing {mng} instances. {eam} will create new nodes to back the displaced pods. +Use the following `eksctl` CLI command to initiate draining pods from the existing managed node group instances. EKS Auto Mode will create new nodes to back the displaced pods. [source,cli] ---- diff --git a/latest/ug/automode/auto-networking.adoc b/latest/ug/automode/auto-networking.adoc index bb7894431..91497c8a1 100644 --- a/latest/ug/automode/auto-networking.adoc +++ b/latest/ug/automode/auto-networking.adoc @@ -11,9 +11,9 @@ When you use EKS Auto Mode, {aws} manages the VPC Container Network Interface (C == Networking capability -{eam} has a new networking capability that handles node and pod networking. You can configure it by creating a `NodeClass` Kubernetes object. +EKS Auto Mode has a new networking capability that handles node and pod networking. You can configure it by creating a `NodeClass` Kubernetes object. -Configuration options for the previous {aws} VPC CNI will not apply to {eam}. +Configuration options for the previous {aws} VPC CNI will not apply to EKS Auto Mode. === Configure networking with NodeClass @@ -31,13 +31,13 @@ Learn how to xref:create-node-class[Create an Amazon EKS NodeClass]. === Considerations -{eam} supports: +EKS Auto Mode supports: * EKS Network Policies. * The `HostPort` and `HostNetwork` options for Kubernetes Pods. * Pods in public or private subnets. -{eam} does *not* support: +EKS Auto Mode does *not* support: * Security Groups per Pod (SGPP). * Custom Networking. The IP Addresses of Pods and Nodes must be from the same CIDR Block. @@ -52,15 +52,15 @@ Learn how to xref:create-node-class[Create an Amazon EKS NodeClass]. [[auto-lb-consider,auto-lb-consider.title]] == Load balancing -You configure {aws} Elastic Load Balancers provisioned by {eam} using annotations on Service and Ingress resources. +You configure {aws} Elastic Load Balancers provisioned by EKS Auto Mode using annotations on Service and Ingress resources. For more information, see <> or <>. -=== Considerations for load balancing with {eam} +=== Considerations for load balancing with EKS Auto Mode * The default targeting mode is IP Mode, not Instance Mode. -* {eam} only supports Security Group Mode for Network Load Balancers. -* {aws} does not support migrating load balancers from the self managed {aws} load balancer controller to management by {eam}. +* EKS Auto Mode only supports Security Group Mode for Network Load Balancers. +* {aws} does not support migrating load balancers from the self managed {aws} load balancer controller to management by EKS Auto Mode. * The `networking.ingress.ipBlock` field in `TargetGroupBinding` spec is not supported. * If your worker nodes use custom security groups (not `+eks-cluster-sg-*+` naming pattern), your cluster role needs additional IAM permissions. The default EKS-managed policy only allows EKS to modify security groups named `+eks-cluster-sg-*+`. Without permission to modify your custom security groups, EKS cannot add the required ingress rules that allow ALB/NLB traffic to reach your pods. * You cannot bring your own target groups. diff --git a/latest/ug/automode/auto-troubleshoot.adoc b/latest/ug/automode/auto-troubleshoot.adoc index 446e55d34..1236c6381 100644 --- a/latest/ug/automode/auto-troubleshoot.adoc +++ b/latest/ug/automode/auto-troubleshoot.adoc @@ -5,17 +5,17 @@ include::../attributes.txt[] -With {eam}, {aws} assumes more {resp} for {e2i}s in {yaa}. EKS assumes {resp} for the container runtime on nodes, the operating system on the nodes, and certain controllers. This includes a block storage controller, a load balancing controller, and a compute controller. +With EKS Auto Mode, {aws} assumes more responsibility for EC2 Instances in your {aws} account. EKS assumes responsibility for the container runtime on nodes, the operating system on the nodes, and certain controllers. This includes a block storage controller, a load balancing controller, and a compute controller. -You must use {aws} and {k8s} APIs to troubleshoot nodes. You can: +You must use {aws} and Kubernetes APIs to troubleshoot nodes. You can: -* Use a Kubernetes `NodeDiagnostic` resource to {ret} node logs by using the <>. For more steps, see <>. -* Use the {aws} EC2 CLI command `get-console-output` to {ret} console output from nodes. For more steps, see <>. -* Use Kubernetes _debugging containers_ to {ret} node logs. For more steps, see <>. +* Use a Kubernetes `NodeDiagnostic` resource to retrieve node logs by using the <>. For more steps, see <>. +* Use the {aws} EC2 CLI command `get-console-output` to retrieve console output from nodes. For more steps, see <>. +* Use Kubernetes _debugging containers_ to retrieve node logs. For more steps, see <>. [NOTE] ==== -{eam} uses {emi}s. You cannot directly access {emi}s, including by SSH. +EKS Auto Mode uses EC2 managed instances. You cannot directly access EC2 managed instances, including by SSH. ==== You might have the following problems that have solutions specific to EKS Auto Mode components: @@ -35,14 +35,14 @@ You can use the following methods to troubleshoot EKS Auto Mode components: [[auto-node-monitoring-agent,auto-node-monitoring-agent.title]] == Node monitoring agent -{eam} includes the Amazon EKS node monitoring agent. You can use this agent to view troubleshooting and debugging information about nodes. The node monitoring agent publishes Kubernetes `events` and node `conditions`. For more information, see <>. +EKS Auto Mode includes the Amazon EKS node monitoring agent. You can use this agent to view troubleshooting and debugging information about nodes. The node monitoring agent publishes Kubernetes `events` and node `conditions`. For more information, see <>. [[auto-node-console,auto-node-console.title]] -== Get console output from an {emi} by using the {aws} EC2 CLI +== Get console output from an EC2 managed instance by using the {aws} EC2 CLI This procedure helps with troubleshooting boot-time or kernel-level issues. -First, you need to {det} the EC2 Instance ID of the instance associated with your workload. Second, use the {aws} CLI to {ret} the console output. +First, you need to determine the EC2 Instance ID of the instance associated with your workload. Second, use the {aws} CLI to retrieve the console output. . Confirm you have `kubectl` installed and connected to your cluster . (Optional) Use the name of a Kubernetes Deployment to list the associated pods. @@ -57,7 +57,7 @@ kubectl get pods -l app= ---- kubectl get pod -o wide ---- -. Use the EC2 instance ID to {ret} the console output. +. Use the EC2 instance ID to retrieve the console output. + [source,cli] ---- @@ -119,9 +119,9 @@ Provide : /bin/ps ---- [[auto-node-ec2-web,auto-node-ec2-web.title]] -== View resources associated with {eam} in the {aws} Console +== View resources associated with EKS Auto Mode in the {aws} Console -You can use the {aws} console to view the status of resources associated with {yec}. +You can use the {aws} console to view the status of resources associated with your EKS Auto Mode cluster. * link:ec2/home#Volumes["EBS Volumes",type="console"] ** View EKS Auto Mode volumes by searching for the tag key `eks:eks-cluster-name` @@ -131,7 +131,7 @@ You can use the {aws} console to view the status of resources associated with {y ** View EKS Auto Mode instances by searching for the tag key `eks:eks-cluster-name` [[auto-node-iam,auto-node-iam.title]] -== View IAM Errors in {yaa} +== View IAM Errors in your {aws} account . Navigate to CloudTrail console . Select "Event History" from the left navigation pane @@ -140,7 +140,7 @@ You can use the {aws} console to view the status of resources associated with {y ** UnauthorizedOperation ** InvalidClientTokenId -Look for errors related to your EKS cluster. Use the error messages to update your EKS access entries, cluster IAM role, or node IAM role. You might need to attach a new policy to these roles with permissions for {eam}. +Look for errors related to your EKS cluster. Use the error messages to update your EKS access entries, cluster IAM role, or node IAM role. You might need to attach a new policy to these roles with permissions for EKS Auto Mode. //Ensure you are running the latest version of the {aws} CLI, eksctl, etc. diff --git a/latest/ug/automode/auto-upgrade.adoc b/latest/ug/automode/auto-upgrade.adoc index 2afe7f3a7..6a1006dbe 100644 --- a/latest/ug/automode/auto-upgrade.adoc +++ b/latest/ug/automode/auto-upgrade.adoc @@ -11,7 +11,7 @@ When upgrading an Auto Mode cluster, many components that traditionally required == Learn about updates with EKS Auto Mode -After you initiate a control plane upgrade, {eam} begins replacing nodes in your cluster. The new nodes have the corresponding new Kubernetes version. {eam} observes pod disruption budgets when upgrading nodes. +After you initiate a control plane upgrade, EKS Auto Mode begins replacing nodes in your cluster. The new nodes have the corresponding new Kubernetes version. EKS Auto Mode observes pod disruption budgets when upgrading nodes. Additionally, you no longer need to update components like: @@ -21,7 +21,7 @@ Additionally, you no longer need to update components like: * Karpenter * {aws} EBS CSI Driver -{eam} replaces these components with service functionality. +EKS Auto Mode replaces these components with service functionality. You are still responsible for updating: diff --git a/latest/ug/automode/automode-get-started-console.adoc b/latest/ug/automode/automode-get-started-console.adoc index 9021aaaf3..fa78856f3 100644 --- a/latest/ug/automode/automode-get-started-console.adoc +++ b/latest/ug/automode/automode-get-started-console.adoc @@ -5,45 +5,45 @@ include::../attributes.txt[] = Create an EKS Auto Mode Cluster with the {aws} Management Console :info_titleabbrev: Management console -Creating an {eam} cluster in the {aws} Management Console requires less {config} than other options. EKS integrates with {aws} IAM and VPC Networking to help you create the resources associated with an EKS cluster. +Creating an EKS Auto Mode cluster in the {aws} Management Console requires less configuration than other options. EKS integrates with {aws} IAM and VPC Networking to help you create the resources associated with an EKS cluster. You have two options to create a cluster in the console: -* Quick {config} (with EKS Auto Mode) -* Custom {config} +* Quick configuration (with EKS Auto Mode) +* Custom configuration -In this topic, you will learn how to create an {eam} cluster using the Quick {config} option. +In this topic, you will learn how to create an EKS Auto Mode cluster using the Quick configuration option. -== Create an EKS Auto Mode using the quick {config} option +== Create an EKS Auto Mode using the quick configuration option You must be logged into the {aws} management console with sufficent permissions to manage {aws} resources including: EC2 instances, EC2 networking, EKS clusters, and IAM roles. . Navigate to the EKS Console . Click *Create cluster* -. Confirm the *Quick {config}* option is selected +. Confirm the *Quick configuration* option is selected . Determine the following values, or use the defaults for a test cluster. ** Cluster *Name* ** Kubernetes Version -. Select the Cluster IAM Role. If this is your first time creating an {eam} cluster, use the *Create {recd} role* option. -** Optionally, you can reuse a single Cluster IAM Role in {yaa} for all {eam} clusters. -** The Cluster IAM Role includes required permissions for {eam} to manage resources including EC2 instances, EBS volumes, and EC2 load balancers. -** The *Create {recd} role* option pre-fills all fields with {recd} values. Select *Next* and then *Create*. The role will use the suggested `AmazonEKSAutoClusterRole` name. +. Select the Cluster IAM Role. If this is your first time creating an EKS Auto Mode cluster, use the *Create recommended role* option. +** Optionally, you can reuse a single Cluster IAM Role in your {aws} account for all EKS Auto Mode clusters. +** The Cluster IAM Role includes required permissions for EKS Auto Mode to manage resources including EC2 instances, EBS volumes, and EC2 load balancers. +** The *Create recommended role* option pre-fills all fields with recommended values. Select *Next* and then *Create*. The role will use the suggested `AmazonEKSAutoClusterRole` name. ** If you recently created a new role, use the *Refresh* icon to reload the role selection dropdown. -. Select the Node IAM Role. If this is your first time creating an {eam} cluster, use the *Create {recd} role* option. -** Optionally, you can reuse a single Node IAM Role in {yaa} for all {eam} clusters. -** The Node IAM Role includes required permissions for Auto Mode nodes to connect to the cluster. The Node IAM Role must include permissions to {ret} ECR images for your containers. -** The *Create {recd} role* option pre-fills all fields with {recd} values. Select *Next* and then *Create*. The role will use the suggested `AmazonEKSAutoNodeRole` name. +. Select the Node IAM Role. If this is your first time creating an EKS Auto Mode cluster, use the *Create recommended role* option. +** Optionally, you can reuse a single Node IAM Role in your {aws} account for all EKS Auto Mode clusters. +** The Node IAM Role includes required permissions for Auto Mode nodes to connect to the cluster. The Node IAM Role must include permissions to retrieve ECR images for your containers. +** The *Create recommended role* option pre-fills all fields with recommended values. Select *Next* and then *Create*. The role will use the suggested `AmazonEKSAutoNodeRole` name. ** If you recently created a new role, use the *Refresh* icon to reload the role selection dropdown. -. Select the VPC for {yec}. Choose the *Create VPC* to create a new VPC for EKS, or choose a VPC you previously created for EKS. +. Select the VPC for your EKS Auto Mode cluster. Choose the *Create VPC* to create a new VPC for EKS, or choose a VPC you previously created for EKS. ** If you use the VPC Console to create a new VPC, {aws} suggests you create at least one NAT Gateway per Availability Zone. Otherwise, you can use all other defaults. ** For more information and details of IPv6 cluster requirements, see <>. -. (optional) {eam} automatically populates the private subnets for your selected VPC. You can remove unwanted subnets. +. (optional) EKS Auto Mode automatically populates the private subnets for your selected VPC. You can remove unwanted subnets. ** EKS automatically selects private subnets from the VPC following best practices. You can optionally select additional subnets from the VPC, such as public subnets. -. (optional) Select *View quick configuration defaults* to review all {config} values for the new cluster. The table indicates some values are not editable after the cluster is created. +. (optional) Select *View quick configuration defaults* to review all configuration values for the new cluster. The table indicates some values are not editable after the cluster is created. . Select *Create cluster* . Note it may take fifteen minutes for cluster creation to complete. == Next Steps -* Learn how to xref:sample-storage-workload[Deploy a Sample Workload to {yec}] +* Learn how to xref:sample-storage-workload[Deploy a Sample Workload to your EKS Auto Mode cluster] //call out refactored IAM diff --git a/latest/ug/automode/automode-get-started-eksctl.adoc b/latest/ug/automode/automode-get-started-eksctl.adoc index fed52fba8..b813d03e4 100644 --- a/latest/ug/automode/automode-get-started-eksctl.adoc +++ b/latest/ug/automode/automode-get-started-eksctl.adoc @@ -16,11 +16,11 @@ You must install version `0.195.0` or greater of eksctl. For more information, s ==== -== Create an {eam} cluster with a CLI command +== Create an EKS Auto Mode cluster with a CLI command You must have the `aws` and `eksctl` tools installed. You must be logged into the {aws} CLI with sufficent permissions to manage {aws} resources including: EC2 instances, EC2 networking, EKS clusters, and IAM roles. For more information, see <>. -Run the following command to create a new {eam} cluster with +Run the following command to create a new EKS Auto Mode cluster with [source,cli] ---- @@ -30,16 +30,16 @@ eksctl create cluster --name= --enable-auto-mode //Cluster IAM Role? //Update kubeconfig? -== Create an {eam} cluster with a YAML file +== Create an EKS Auto Mode cluster with a YAML file :enai: enabling You must have the `aws` and `eksctl` tools installed. You must be logged into the {aws} CLI with sufficent permissions to manage {aws} resources including: EC2 instances, EC2 networking, EKS clusters, and IAM roles. For more information, see <>. -Review the {eam} configuration options in the sample ClusterConfig resource below. For the full ClusterConfig specification, see the https://eksctl.io/usage/creating-and-managing-clusters/[eksctl documentation]. +Review the EKS Auto Mode configuration options in the sample ClusterConfig resource below. For the full ClusterConfig specification, see the https://eksctl.io/usage/creating-and-managing-clusters/[eksctl documentation]. -{aws} suggests {enai} {eam}. If this is your first time creating an {eam} cluster, leave the `nodeRoleARN` unspecified to create a Node IAM Role for {eam}. If you already have a Node IAM Role in {yaa}, {aws} suggests reusing it. +{aws} suggests {enai} EKS Auto Mode. If this is your first time creating an EKS Auto Mode cluster, leave the `nodeRoleARN` unspecified to create a Node IAM Role for EKS Auto Mode. If you already have a Node IAM Role in your {aws} account, {aws} suggests reusing it. -{aws} suggests not specifying any value for `nodePools`. {eam} will create default node pools. You can use the Kubernetes API to create additional node pools. +{aws} suggests not specifying any value for `nodePools`. EKS Auto Mode will create default node pools. You can use the Kubernetes API to create additional node pools. [source,yaml] ---- diff --git a/latest/ug/automode/automode-learn-instances.adoc b/latest/ug/automode/automode-learn-instances.adoc index 10aa74e39..fec284f8c 100644 --- a/latest/ug/automode/automode-learn-instances.adoc +++ b/latest/ug/automode/automode-learn-instances.adoc @@ -22,7 +22,7 @@ Understanding how {aam} manages instances is essential for planning your workloa {ec2i}s created by {am} are different from other {ec2i}s, they are {mi}s. These {mi}s are owned by EKS and are more restricted. You can't directly access or install software on instances managed by {am}. -{aws} suggests running either {eam} or self-managed Karpenter. You can install both during a migration or in an advanced configuration. If you have both installed, configure your node pools so that workloads are associated with either Karpenter or {eam}. +{aws} suggests running either EKS Auto Mode or self-managed Karpenter. You can install both during a migration or in an advanced configuration. If you have both installed, configure your node pools so that workloads are associated with either Karpenter or EKS Auto Mode. For more information, see link:AWSEC2/latest/UserGuide/amazon-ec2-managed-instances.html["Amazon EC2 managed instances",type="documentation"] in the Amazon EC2 user guide. @@ -53,7 +53,7 @@ For more information, see link:AWSEC2/latest/UserGuide/amazon-ec2-managed-instan | You can deploy containers based on Linux, but without specific OS dependencies. | You determine what instance type and family to launch. -| {aws} determines what instance type and family to launch. You can use a Node Pool to limit the instance types {eam} selects from. +| {aws} determines what instance type and family to launch. You can use a Node Pool to limit the instance types EKS Auto Mode selects from. |=== diff --git a/latest/ug/automode/create-node-class.adoc b/latest/ug/automode/create-node-class.adoc index 51187a863..d701bf096 100644 --- a/latest/ug/automode/create-node-class.adoc +++ b/latest/ug/automode/create-node-class.adoc @@ -5,9 +5,9 @@ include::../attributes.txt[] -Amazon EKS Node Classes provide granular control over the configuration of your {eam} managed nodes. A Node Class defines infrastructure-level settings that apply to groups of nodes in your EKS cluster, including network configuration, storage settings, and resource tagging. This topic explains how to create and configure a Node Class to meet your specific operational requirements. +Amazon EKS Node Classes provide granular control over the configuration of your EKS Auto Mode managed nodes. A Node Class defines infrastructure-level settings that apply to groups of nodes in your EKS cluster, including network configuration, storage settings, and resource tagging. This topic explains how to create and configure a Node Class to meet your specific operational requirements. -When you need to customize how {eam} provisions and configures EC2 instances beyond the default settings, creating a Node Class gives you precise control over critical infrastructure parameters. For example, you can specify private subnet placement for enhanced security, configure instance ephemeral storage for performance-sensitive workloads, or apply custom tagging for cost allocation. +When you need to customize how EKS Auto Mode provisions and configures EC2 instances beyond the default settings, creating a Node Class gives you precise control over critical infrastructure parameters. For example, you can specify private subnet placement for enhanced security, configure instance ephemeral storage for performance-sensitive workloads, or apply custom tagging for cost allocation. ## Create a Node Class diff --git a/latest/ug/automode/create-node-pool.adoc b/latest/ug/automode/create-node-pool.adoc index b3adde228..9c5039854 100644 --- a/latest/ug/automode/create-node-pool.adoc +++ b/latest/ug/automode/create-node-pool.adoc @@ -75,9 +75,9 @@ spec: ---- -== {eam} Supported +== EKS Auto Mode Supported -{eam} supports the following well known labels. +EKS Auto Mode supports the following well known labels. [role="no-scroll"] [cols="3,1,4",options="header"] @@ -170,11 +170,11 @@ spec: |Number of gibibytes of local nvme storage on the instance |=== -== {eam} Not Supported +== EKS Auto Mode Not Supported -{eam} does not support the following labels. +EKS Auto Mode does not support the following labels. -* {eam} only supports Linux +* EKS Auto Mode only supports Linux ** `node.kubernetes.io/windows-build` ** `kubernetes.io/os` diff --git a/latest/ug/automode/create-storage-class.adoc b/latest/ug/automode/create-storage-class.adoc index d5d1b2844..68a3be308 100644 --- a/latest/ug/automode/create-storage-class.adoc +++ b/latest/ug/automode/create-storage-class.adoc @@ -9,7 +9,7 @@ A StorageClass in Amazon EKS Auto Mode defines how Amazon EBS volumes are automa By configuring a StorageClass, you can specify default settings for your EBS volumes including volume type, encryption, IOPS, and other storage parameters. You can also configure the StorageClass to use {aws} KMS keys for encryption management. -{eam} does not create a StorageClass for you. You must create a StorageClass referencing `ebs.csi.eks.amazonaws.com` to use the storage capability of {eam}. +EKS Auto Mode does not create a StorageClass for you. You must create a StorageClass referencing `ebs.csi.eks.amazonaws.com` to use the storage capability of EKS Auto Mode. First, create a file named `storage-class.yaml`: @@ -37,7 +37,7 @@ kubectl apply -f storage-class.yaml *Key components:* -- `provisioner: ebs.csi.eks.amazonaws.com` - Uses {eam} +- `provisioner: ebs.csi.eks.amazonaws.com` - Uses EKS Auto Mode - `volumeBindingMode: WaitForFirstConsumer` - Delays volume creation until a pod needs it - `type: gp3` - Specifies the EBS volume type - `encrypted: "true"` - EBS will encrypt any volumes created using the StorageClass. EBS will use the default `aws/ebs` key alias. For more information, see link:ebs/latest/userguide/how-ebs-encryption-works.html["How Amazon EBS encryption works",type="documentation"] in the Amazon EBS User Guide. This value is optional but suggested. diff --git a/latest/ug/automode/sample-storage-workload.adoc b/latest/ug/automode/sample-storage-workload.adoc index 2b942bd95..b464570f7 100644 --- a/latest/ug/automode/sample-storage-workload.adoc +++ b/latest/ug/automode/sample-storage-workload.adoc @@ -34,7 +34,7 @@ aws eks update-kubeconfig --name "${CLUSTER_NAME}" The StorageClass defines how EKS Auto Mode will provision EBS volumes. -{eam} does not create a StorageClass for you. You must create a StorageClass referencing `ebs.csi.eks.amazonaws.com` to use the storage capability of {eam}. +EKS Auto Mode does not create a StorageClass for you. You must create a StorageClass referencing `ebs.csi.eks.amazonaws.com` to use the storage capability of EKS Auto Mode. . Create a file named `storage-class.yaml`: + @@ -61,7 +61,7 @@ kubectl apply -f storage-class.yaml *Key components:* -- `provisioner: ebs.csi.eks.amazonaws.com` - Uses {eam} +- `provisioner: ebs.csi.eks.amazonaws.com` - Uses EKS Auto Mode - `volumeBindingMode: WaitForFirstConsumer` - Delays volume creation until a pod needs it - `type: gp3` - Specifies the EBS volume type - `encrypted: "true"` - EBS will use the default `aws/ebs` key to encrypt volumes created with this class. This is optional, but reccomended. @@ -209,9 +209,9 @@ kubectl delete deployment/inflate-stateful pvc/auto-ebs-claim storageclass/auto- == Snapshot Controller -{eam} is compatible with the Kubernetes CSI Snapshotter, also known as the snapshot controller. However, {eam} does not include the snapshot controller. You are responsible for installing and configuring the snapshot controller. For more information, see <>. +EKS Auto Mode is compatible with the Kubernetes CSI Snapshotter, also known as the snapshot controller. However, EKS Auto Mode does not include the snapshot controller. You are responsible for installing and configuring the snapshot controller. For more information, see <>. -Review the following `VolumeSnapshotClass` that references the storage capability of {eam}. +Review the following `VolumeSnapshotClass` that references the storage capability of EKS Auto Mode. [source,yaml] ---- diff --git a/latest/ug/automode/set-builtin-node-pools.adoc b/latest/ug/automode/set-builtin-node-pools.adoc index c5c621223..7234d75e0 100644 --- a/latest/ug/automode/set-builtin-node-pools.adoc +++ b/latest/ug/automode/set-builtin-node-pools.adoc @@ -5,7 +5,7 @@ include::../attributes.txt[] -{eam} has two built-in NodePools. You can enable or disable these NodePools using the {aws} console, CLI, or API. +EKS Auto Mode has two built-in NodePools. You can enable or disable these NodePools using the {aws} console, CLI, or API. == Built-in NodePool Reference From 7f483080b2528fb7d39dcba3fa13862b4cacad2b Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Fri, 31 Jan 2025 20:03:09 +0000 Subject: [PATCH 078/940] Removed attributes that will be easy to globally update as needed. --- latest/ug/attributes.txt | 202 +----------------- latest/ug/automode/auto-disable.adoc | 2 +- latest/ug/automode/auto-enable-existing.adoc | 9 +- latest/ug/automode/auto-tag-subnets.adoc | 3 +- latest/ug/automode/auto-troubleshoot.adoc | 4 +- .../automode-get-started-console.adoc | 6 +- latest/ug/automode/automode.adoc | 2 +- latest/ug/automode/create-auto.adoc | 6 +- .../ug/automode/sample-storage-workload.adoc | 2 +- latest/ug/automode/troubleshoot-lbc.adoc | 2 +- .../ug/automode/wip/create-vpc-console.adoc | 6 +- latest/ug/automode/wip/tag-subnets.adoc | 4 +- latest/ug/clusters/cluster-endpoint.adoc | 4 +- latest/ug/clusters/create-cluster-auto.adoc | 2 +- .../clusters/management/service-quotas.adoc | 6 +- .../getting-started-console.adoc | 2 +- latest/ug/networking/lbc-helm.adoc | 2 +- latest/ug/nodes/eks-compute.adoc | 2 +- latest/ug/nodes/hybrid-nodes-add-ons.adoc | 4 +- .../ug/nodes/hybrid-nodes-cluster-create.adoc | 4 +- .../ug/nodes/hybrid-nodes-cluster-prep.adoc | 3 +- latest/ug/nodes/hybrid-nodes-creds.adoc | 3 +- latest/ug/nodes/hybrid-nodes-networking.adoc | 14 +- ...-nodes.adoc => hybrid-nodes-overview.adoc} | 14 +- .../nodes/hybrid-nodes-troubleshooting.adoc | 6 +- latest/ug/what-is/kubernetes-concepts.adoc | 2 +- 26 files changed, 63 insertions(+), 253 deletions(-) rename latest/ug/nodes/{hybrid-nodes.adoc => hybrid-nodes-overview.adoc} (92%) diff --git a/latest/ug/attributes.txt b/latest/ug/attributes.txt index ca8ca90b5..be01e098c 100644 --- a/latest/ug/attributes.txt +++ b/latest/ug/attributes.txt @@ -1,211 +1,17 @@ -// EKS-specific attributes +// eksctl version :eksctl-min-version: 0.202.0 -// EKS Auto Mode +// EKS Auto Mode versions :auto-cli-v2-version: 2.12.3 :auto-cli-v1-version: 1.27.160 -// Kubernetes Versions +// Kubernetes versions :k8s-n: 1.32 :k8s-n-1: 1.31 :k8s-n-2: 1.30 :k8s-n-3: 1.29 -// AWS shared content - -// Region specific -// Entities that differ depending on the Region build such as China +// Entities that differ depending on the AWS Region build such as China :arn-aws: pass:q[[.shared]``region.arn``] - -// Service names -:amazon-cloudwatch: pass:q[[.shared]``CWlong``] -:amazon-rds: pass:q[[.shared]``RDS``] -:amazon-route-53: pass:q[[.shared]``R53long``] -:amazon-route-53-resolver: pass:q[[.shared]``R53Rlong``] -:amazon-s3: pass:q[[.shared]``S3``] -:amazon-virtual-private-cloud: pass:q[[.shared]``VPClong``] -:amazon-vpc: pass:q[[.shared]``VPC``] -:amazon-elastic-block-store: pass:q[[.shared]``EBSlong``] -:amazon-elastic-file-system: pass:q[[.shared]``EFSlong``] -:amazon-efs: pass:q[[.shared]``EFS``] -:amazon-web-services: pass:q[[.shared]``AWSlong``] :aws: pass:q[[.shared]``AWS``] -:application-load-balancer: pass:q[[.shared]``ALB``] -:application-load-balancers: pass:q[[.shared]``ALBs``] -:aws-account: pass:q[[.shared]``AWS-account``] -:aws-accounts: pass:q[[.shared]``AWS-accounts``] -:aws-always: pass:q[[.shared]``AWS-always``] -:aws-artifact: pass:q[[.shared]``ART``] -:aws-billing: pass:q[[.shared]``Billinglong``] -:aws-billing-cost-management: pass:q[[.shared]``ABlong``] -:aws-cloud: pass:q[[.shared]``AWS-Cloud``] -:aws-cloudtrail: pass:q[[.shared]``CTlong``] -:aws-command-line-interface: pass:q[[.shared]``CLIlong``] -:aws-config: pass:q[[.shared]``CC``] -:aws-cost-explorer: pass:q[[.shared]``AWSCostExplorerServicelong``] -:aws-direct-connect: pass:q[[.shared]``AWS-DC``] -:aws-identity-and-access-management: pass:q[[.shared]``IAMlong``] -:aws-kms: pass:q[[.shared]``KMS``] -:aws-key-management-service: pass:q[[.shared]``KMSlong``] -:aws-kms-key: pass:q[[.shared]``kms-key-long``] -:aws-kms-keys: pass:q[[.shared]``kms-keys-long``] -:aws-license-manager: pass:q[[.shared]``LIClong``] :aws-management-console: pass:q[[.shared]``consolelong``] -:aws-organizations: pass:q[[.shared]``AOlong``] -:aws-marketplace: pass:q[[.shared]``MKT``] -:aws-region: pass:q[[.shared]``AWS-Region``] -:aws-regions: pass:q[[.shared]``AWS-Regions``] -:aws-security-token-service: pass:q[[.shared]``STSlong``] -:aws-service: pass:q[[.shared]``AWS-service``] -:aws-services: pass:q[[.shared]``AWS-services``] -:aws-service-quotas: pass:q[[.shared]``SQ``] -:aws-support: pass:q[[.shared]``SUP``] -:aws-sts: pass:q[[.shared]``STS``] -:aws-transit-gateway: pass:q[[.shared]``AWSTGlong``] -:aws-vpn: pass:q[[.shared]``VPN``] -:classic-load-balancer: pass:q[[.shared]``CLB``] -:classic-load-balancers: pass:q[[.shared]``CLBs``] -:cli: pass:q[[.shared]``CLI``] -:cloudtrail: pass:q[[.shared]``CT``] -:cloudwatch: pass:q[[.shared]``CW``] -:cluster: pass:q[[.shared]``cluster``] -:cluster-cap: pass:q[[.shared]``Cluster``] -:ebs: pass:q[[.shared]``EBS``] -:ec2: pass:q[[.shared]``EC2``] -:ec2-auto-scaling: pass:q[[.shared]``ASlong``] -:elastic-load-balancing: pass:q[[.shared]``ELB``] -:iam: pass:q[[.shared]``IAM``] -:kms-key: pass:q[[.shared]``kms-key``] -:kms-keys: pass:q[[.shared]``kms-keys``] -:license-manager: pass:q[[.shared]``LIC``] -:organizations: pass:q[[.shared]``AO``] -:privatelink: pass:q[[.shared]``privatelink``] -:rosa-service-name-long: pass:q[[.shared]``ROSAlong``] -:rosa-service-name-short: pass:q[[.shared]``ROSA``] -:route-53: pass:q[[.shared]``R53``] -:route-53-resolver: pass:q[[.shared]``R53R``] -:sts: pass:q[[.shared]``STSshort``] -:transit-gateway: pass:q[[.shared]``AWSSTG``] -:cloudformation: pass:q[[.shared]``CFN``] -:outposts: pass:q[[.shared]``OUTlong``] -:eks-a: pass:q[[.shared]``EKS-A``] - -//AWS Regions - -:us-east-1-name: US East (N. Virginia) Region -:us-east-1-region: US East (N. Virginia) -:us-east-1-code: us-east-1 - -:us-east-2-name: US East (Ohio) Region -:us-east-2-region: US East (Ohio) -:us-east-2-code: us-east-2 - -:us-west-1-name: US West (N. California) Region -:us-west-1-region: US West (N. California) -:us-west-1-code: us-west-1 - -:us-west-2-name: US West (Oregon) Region -:us-west-2-region: US West (Oregon) -:us-west-2-code: us-west-2 - -:af-capetown-name: Africa (Cape Town) Region -:af-capetown-region: Africa (Cape Town) -:af-capetown-code: af-south-1 - -:ap-hongkong-name: Asia Pacific (Hong Kong) Region -:ap-hongkong-region: Asia Pacific (Hong Kong) -:ap-hongkong-code: ap-east-1 - -:ap-hyderabad-name: Asia Pacific (Hyderabad) Region -:ap-hyderabad-region: Asia Pacific (Hyderabad) -:ap-hyderabad-code: ap-south-2 - -:ap-jakarta-name: Asia Pacific (Jakarta) Region -:ap-jakarta-region: Asia Pacific (Jakarta) -:ap-jakarta-code: ap-southeast-3 - -:ap-melbourne-name: Asia Pacific (Melbourne) Region -:ap-melbourne-region: Asia Pacific (Melbourne) -:ap-melbourne-code: ap-southeast-4 - -:ap-mumbai-name: Asia Pacific (Mumbai) Region -:ap-mumbai-region: Asia Pacific (Mumbai) -:ap-mumbai-code: ap-south-1 - -:ap-osaka-name: Asia Pacific (Osaka) Region -:ap-osaka-region: Asia Pacific (Osaka) -:ap-osaka-code: ap-northeast-3 - -:ap-seoul-name: Asia Pacific (Seoul) Region -:ap-seoul-region: Asia Pacific (Seoul) -:ap-seoul-code: ap-northeast-2 - -:ap-singapore-name: Asia Pacific (Singapore) Region -:ap-singapore-region: Asia Pacific (Singapore) -:ap-singapore-code: ap-southeast-1 - -:ap-sydney-name: Asia Pacific (Sydney) Region -:ap-sydney-region: Asia Pacific (Sydney) -:ap-sydney-code: ap-southeast-2 - -:ap-tokyo-name: Asia Pacific (Tokyo) Region -:ap-tokyo-region: Asia Pacific (Tokyo) -:ap-tokyo-code: ap-northeast-1 - -:ca-central-name: Canada (Central) Region -:ca-central-region: Canada (Central) -:ca-central-code: ca-central-1 - -:eu-frankfort-name: Europe (Frankfort) Region -:eu-frankfort-region: Europe (Frankfort) -:eu-frankfort-code: eu-central-1 - -:eu-ireland-name: Europe (Ireland) Region -:eu-ireland-region: Europe (Ireland) -:eu-ireland-code: eu-west-1 - -:eu-london-name: Europe (London) Region -:eu-london-region: Europe (London) -:eu-london-code: eu-west-2 - -:eu-milan-name: Europe (Milan) Region -:eu-milan-region: Europe (Milan) -:eu-milan-code: eu-south-1 - -:eu-paris-name: Europe (Paris) Region -:eu-paris-region: Europe (Paris) -:eu-paris-code: eu-west-3 - -:eu-spain-name: Europe (Spain) Region -:eu-spain-region: Europe (Spain) -:eu-spain-code: eu-south-2 - -:eu-stockholm-name: Europe (Stockholm) Region -:eu-stockholm-region: Europe (Stockholm) -:eu-stockholm-code: eu-north-1 - -:eu-zurich-name: Europe (Zurich) Region -:eu-zurich-region: Europe (Zurich) -:eu-zurich-code: eu-central-2 - -:me-bahrain-name: Middle East (Bahrain) Region -:me-bahrain-region: Middle East (Bahrain) -:me-bahrain-code: me-south-1 - -:me-uae-name: Middle East (UAE) Region -:me-uae-region: Middle East (UAE) -:me-uae-code: me-central-1 - -:sa-saopaulo-name: South America (São Paulo) Region -:sa-saopaulo-region: South America (São Paulo) -:sa-saopaulo-code: sa-east-1 - -:govcloud-us: {aws} GovCloud (US) - -:us-gov-east-1-name: {aws} GovCloud (US-East) Region -:us-gov-east-1-region: {aws} GovCloud (US-East) -:us-gov-east-1-code: us-gov-east-1 - -:us-gov-west-1-name: {aws} GovCloud (US-West) Region -:us-gov-east-1-region: {aws} GovCloud (US-West) -:us-gov-east-1-code: us-gov-west-1 diff --git a/latest/ug/automode/auto-disable.adoc b/latest/ug/automode/auto-disable.adoc index 61c36bb93..d0bbbe3b8 100644 --- a/latest/ug/automode/auto-disable.adoc +++ b/latest/ug/automode/auto-disable.adoc @@ -19,7 +19,7 @@ Steps below describe how to remove a leaked Security Group if that should happen == Disable EKS Auto Mode ({aws} Console) -. Open your cluster overview page in the {aws} Management Console. +. Open your cluster overview page in the {aws-management-console}. . Under *EKS Auto Mode* select *Manage* . Toggle *EKS Auto Mode* to `off`. diff --git a/latest/ug/automode/auto-enable-existing.adoc b/latest/ug/automode/auto-enable-existing.adoc index 531f8e023..b4e9108d0 100644 --- a/latest/ug/automode/auto-enable-existing.adoc +++ b/latest/ug/automode/auto-enable-existing.adoc @@ -13,9 +13,10 @@ Verify you have the minimum required version of certain Amazon EKS Add-ons insta ==== -Before you begin, ensure you have administrator access to your Amazon EKS cluster and permissions to modify IAM roles. The steps in this topic guide you through enabling Auto Mode using either the {aws} Management Console or {aws} CLI. +Before you begin, ensure you have administrator access to your Amazon EKS cluster and permissions to modify IAM roles. The steps in this topic guide you through enabling Auto Mode using either the {aws-management-console} or {aws} CLI. -== {aws} Management Console +[[auto-enable-existing-console,auto-enable-existing-console.title]] +== {aws-management-console} You must be logged into the {aws} console with permission to manage IAM, EKS, and EC2 resources. @@ -26,7 +27,7 @@ The Cluster IAM role of an EKS Cluster cannot be changed after the cluster is cr === Update Cluster IAM Role -. Open your cluster overview page in the {aws} Management Console. +. Open your cluster overview page in the {aws-management-console}. . Under *Cluster IAM role ARN*, select *View in IAM*. . From the *Add Permissions* dropdown, select *Attach Policies*. . Use the *Search* box to find and select the following policies: @@ -61,7 +62,7 @@ The Cluster IAM role of an EKS Cluster cannot be changed after the cluster is cr === Enable EKS Auto Mode -. Open your cluster overview page in the {aws} Management Console. +. Open your cluster overview page in the {aws-management-console}. . Under *EKS Auto Mode* select *Manage* . Toggle *EKS Auto Mode* to on. . From the *EKS Node Pool* dropdown, select the default node pools you want to create. diff --git a/latest/ug/automode/auto-tag-subnets.adoc b/latest/ug/automode/auto-tag-subnets.adoc index 259511013..511383171 100644 --- a/latest/ug/automode/auto-tag-subnets.adoc +++ b/latest/ug/automode/auto-tag-subnets.adoc @@ -45,7 +45,8 @@ Private subnets are used for internal load balancers. These subnets must have th Before you begin, identify which subnets are public (with Internet Gateway access) and which are private (using NAT Gateway). You'll need permissions to modify VPC resources. -=== {aws} Management Console +[[auto-tag-subnets-console,auto-tag-subnets-console.title]] +=== {aws-management-console} . Open the Amazon VPC console and navigate to Subnets . Select the subnet to tag diff --git a/latest/ug/automode/auto-troubleshoot.adoc b/latest/ug/automode/auto-troubleshoot.adoc index 1236c6381..b20599f57 100644 --- a/latest/ug/automode/auto-troubleshoot.adoc +++ b/latest/ug/automode/auto-troubleshoot.adoc @@ -174,7 +174,7 @@ kubectl describe nodeclaim You might receive this error if you are setting custom tags in the `NodeClass` with the default cluster IAM role permissions. See <>. `Error creating fleet`:: -There might be some authorization issue with calling the `RunInstances` call from the EC2 API. Check {aws-cloudtrail} for errors and see <> for the required IAM permissions. +There might be some authorization issue with calling the `RunInstances` call from the EC2 API. Check {aws} CloudTrail for errors and see <> for the required IAM permissions. [[auto-node-reachability,auto-node-reachability.title]] @@ -182,7 +182,7 @@ There might be some authorization issue with calling the `RunInstances` call fro [NOTE] ==== -You are charged for each analysis that is run the VPC Reachability Analyzer. For pricing details, see link:vpc/pricing/[{amazon-vpc} Pricing,type="marketing"]. +You are charged for each analysis that is run the VPC Reachability Analyzer. For pricing details, see link:vpc/pricing/[Amazon VPC Pricing,type="marketing"]. ==== One reason that an instance didn't join the cluster is a network connectivity issue that prevents them from reaching the API server. To diagnose this issue, you can use the link:vpc/latest/reachability/what-is-reachability-analyzer.html[VPC Reachability Analyzer,type="documentation"] to perform an analysis of the connectivity between a node that is failing to join the cluster and the API server. You will need two pieces of information: diff --git a/latest/ug/automode/automode-get-started-console.adoc b/latest/ug/automode/automode-get-started-console.adoc index fa78856f3..ab7d57a74 100644 --- a/latest/ug/automode/automode-get-started-console.adoc +++ b/latest/ug/automode/automode-get-started-console.adoc @@ -2,10 +2,10 @@ include::../attributes.txt[] [.topic] [[automode-get-started-console,automode-get-started-console.title]] -= Create an EKS Auto Mode Cluster with the {aws} Management Console += Create an EKS Auto Mode Cluster with the {aws-management-console} :info_titleabbrev: Management console -Creating an EKS Auto Mode cluster in the {aws} Management Console requires less configuration than other options. EKS integrates with {aws} IAM and VPC Networking to help you create the resources associated with an EKS cluster. +Creating an EKS Auto Mode cluster in the {aws-management-console} requires less configuration than other options. EKS integrates with {aws} IAM and VPC Networking to help you create the resources associated with an EKS cluster. You have two options to create a cluster in the console: @@ -16,7 +16,7 @@ In this topic, you will learn how to create an EKS Auto Mode cluster using the Q == Create an EKS Auto Mode using the quick configuration option -You must be logged into the {aws} management console with sufficent permissions to manage {aws} resources including: EC2 instances, EC2 networking, EKS clusters, and IAM roles. +You must be logged into the {aws-management-console} with sufficent permissions to manage {aws} resources including: EC2 instances, EC2 networking, EKS clusters, and IAM roles. . Navigate to the EKS Console . Click *Create cluster* diff --git a/latest/ug/automode/automode.adoc b/latest/ug/automode/automode.adoc index c363f4382..cfca93a55 100644 --- a/latest/ug/automode/automode.adoc +++ b/latest/ug/automode/automode.adoc @@ -16,7 +16,7 @@ You can delegate key infrastructure decisions and leverage the expertise of {aws Cluster infrastructure managed by {aws} includes many Kubernetes capabilities as core components, as opposed to add-ons, such as compute autoscaling, pod and service networking, application load balancing, cluster DNS, block storage, and GPU support. To get started, you can deploy a new EKS Auto Mode cluster or enable EKS Auto Mode on an existing cluster. -You can deploy, upgrade, or modify your EKS Auto Mode clusters using eksctl, the {aws} CLI, the {aws} Management Console, EKS APIs, or your preferred infrastructure-as-code tools. +You can deploy, upgrade, or modify your EKS Auto Mode clusters using eksctl, the {aws} CLI, the {aws-management-console}, EKS APIs, or your preferred infrastructure-as-code tools. With EKS Auto Mode, you can continue using your preferred Kubernetes-compatible tools. EKS Auto Mode integrates with {aws} services like Amazon EC2, Amazon EBS, and ELB, leveraging {aws} cloud resources that follow best practices. These resources are automatically scaled, cost-optimized, and regularly updated to help minimize operational costs and overhead. diff --git a/latest/ug/automode/create-auto.adoc b/latest/ug/automode/create-auto.adoc index 640f0628a..f2ceb951d 100644 --- a/latest/ug/automode/create-auto.adoc +++ b/latest/ug/automode/create-auto.adoc @@ -16,7 +16,7 @@ include::../attributes.txt[] Learn about the tools needed for creating and working with an Amazon EKS cluster in EKS Auto Mode. -- -This chapter explains how to create an Amazon EKS cluster with Auto Mode enabled using various tools and interfaces. Auto Mode simplifies cluster creation by automatically configuring and managing the cluster's compute, networking, and storage infrastructure. You'll learn how to create an Auto Mode cluster using the {aws} CLI, {aws} Management Console, or the eksctl command line tool. +This chapter explains how to create an Amazon EKS cluster with Auto Mode enabled using various tools and interfaces. Auto Mode simplifies cluster creation by automatically configuring and managing the cluster's compute, networking, and storage infrastructure. You'll learn how to create an Auto Mode cluster using the {aws} CLI, {aws-management-console}, or the eksctl command line tool. [NOTE] ==== @@ -24,11 +24,11 @@ EKS Auto Mode requires Kubernetes version 1.29 or greater. EKS Auto Mode isn't a ==== -Choose your preferred tool based on your needs: The {aws} Management Console provides a visual interface ideal for learning about EKS Auto Mode features and creating individual clusters. The {aws} CLI is best suited for scripting and automation tasks, particularly when integrating cluster creation into existing workflows or CI/CD pipelines. The eksctl CLI offers a Kubernetes-native experience and is recommended for users familiar with Kubernetes tooling who want simplified command line operations with sensible defaults. +Choose your preferred tool based on your needs: The {aws-management-console} provides a visual interface ideal for learning about EKS Auto Mode features and creating individual clusters. The {aws} CLI is best suited for scripting and automation tasks, particularly when integrating cluster creation into existing workflows or CI/CD pipelines. The eksctl CLI offers a Kubernetes-native experience and is recommended for users familiar with Kubernetes tooling who want simplified command line operations with sensible defaults. Before you begin, ensure you have the necessary prerequisites installed and configured, including appropriate IAM permissions to create EKS clusters. To learn how to install CLI tools such as `kubectl`, `aws`, and `eksctl`, see <>. -You can use the {aws} CLI, {aws} Management Console, or eksctl CLI to create a cluster with Amazon EKS Auto Mode. +You can use the {aws} CLI, {aws-management-console}, or eksctl CLI to create a cluster with Amazon EKS Auto Mode. [.topiclist] [[Topic List]] diff --git a/latest/ug/automode/sample-storage-workload.adoc b/latest/ug/automode/sample-storage-workload.adoc index b464570f7..41a543386 100644 --- a/latest/ug/automode/sample-storage-workload.adoc +++ b/latest/ug/automode/sample-storage-workload.adoc @@ -64,7 +64,7 @@ kubectl apply -f storage-class.yaml - `provisioner: ebs.csi.eks.amazonaws.com` - Uses EKS Auto Mode - `volumeBindingMode: WaitForFirstConsumer` - Delays volume creation until a pod needs it - `type: gp3` - Specifies the EBS volume type -- `encrypted: "true"` - EBS will use the default `aws/ebs` key to encrypt volumes created with this class. This is optional, but reccomended. +- `encrypted: "true"` - EBS will use the default `aws/ebs` key to encrypt volumes created with this class. This is optional, but recomended. - `storageclass.kubernetes.io/is-default-class: "true"` - Kubernetes will use this storage class by default, unless you specify a different volume class on a persistent volume claim. Use caution when setting this value if you are migrating from another storage controller. (optional) ## Step 3: Create the persistent volume claim diff --git a/latest/ug/automode/troubleshoot-lbc.adoc b/latest/ug/automode/troubleshoot-lbc.adoc index 8ded4d18a..0b4d5fb5b 100644 --- a/latest/ug/automode/troubleshoot-lbc.adoc +++ b/latest/ug/automode/troubleshoot-lbc.adoc @@ -28,7 +28,7 @@ Look for: ## Check {aws} Resources -Verify these resources in the {aws} Management Console or using {aws} CLI: +Verify these resources in the {aws-management-console} or using {aws} CLI: - Application Load Balancers - Target Groups diff --git a/latest/ug/automode/wip/create-vpc-console.adoc b/latest/ug/automode/wip/create-vpc-console.adoc index b1168de1c..32f2161e9 100644 --- a/latest/ug/automode/wip/create-vpc-console.adoc +++ b/latest/ug/automode/wip/create-vpc-console.adoc @@ -4,7 +4,7 @@ include::../../attributes.txt[] -This guide walks you through creating a Virtual Private Cloud (VPC) that's optimized for Amazon Elastic Kubernetes Service (EKS) clusters using the {aws} Management Console. +This guide walks you through creating a Virtual Private Cloud (VPC) that's optimized for Amazon Elastic Kubernetes Service (EKS) clusters using the {aws-management-console}. == Overview @@ -17,14 +17,14 @@ When creating a VPC for EKS, you'll need to configure specific networking requir == Prerequisites - An {aws} account -- Access to the {aws} Management Console +- Access to the {aws-management-console} - IAM permissions for VPC and EKS resource creation - Planned CIDR ranges for your VPC, pods, and services == Creation Steps === Step 1: Access the VPC Creation Page -1. Sign in to the {aws} Management Console +1. Sign in to the {aws-management-console} 2. Navigate to the VPC Dashboard 3. Click "Create VPC" diff --git a/latest/ug/automode/wip/tag-subnets.adoc b/latest/ug/automode/wip/tag-subnets.adoc index 79fb44a10..9686b770f 100644 --- a/latest/ug/automode/wip/tag-subnets.adoc +++ b/latest/ug/automode/wip/tag-subnets.adoc @@ -4,7 +4,7 @@ include::../../attributes.txt[] -This topic explains how to tag your VPC subnets to enable load balancer deployment using the {aws} Management Console. +This topic explains how to tag your VPC subnets to enable load balancer deployment using the {aws-management-console}. == Required Tags @@ -19,7 +19,7 @@ Your subnets require specific tags based on their intended use: == Adding Tags in the Console -1. Sign in to the {aws} Management Console +1. Sign in to the {aws-management-console} 2. Navigate to **VPC** +>+ **Subnets** 3. Select the subnet you want to tag 4. Select the **Tags** tab in the lower panel diff --git a/latest/ug/clusters/cluster-endpoint.adoc b/latest/ug/clusters/cluster-endpoint.adoc index 101e43fa4..342359e13 100644 --- a/latest/ug/clusters/cluster-endpoint.adoc +++ b/latest/ug/clusters/cluster-endpoint.adoc @@ -29,7 +29,7 @@ EKS cluster public/private endpoint: EKS cluster public/private endpoint: `eks-cluster.[.replaceable]``region``.api.aws` -{amazon-web-services} in China:: +Amazon Web Services in China:: EKS cluster public/private endpoint: `eks-cluster.[.replaceable]``region``.api.amazonwebservices.com.cn` @@ -55,7 +55,7 @@ EKS cluster public/private endpoint EKS cluster public/private endpoint `eks-cluster.[.replaceable]``region``.eks.amazonaws.com` -{amazon-web-services} in China:: +Amazon Web Services in China:: EKS cluster public/private endpoint `eks-cluster.[.replaceable]``region``.api.amazonwebservices.com.cn` diff --git a/latest/ug/clusters/create-cluster-auto.adoc b/latest/ug/clusters/create-cluster-auto.adoc index 939c508ef..26bedd4c8 100644 --- a/latest/ug/clusters/create-cluster-auto.adoc +++ b/latest/ug/clusters/create-cluster-auto.adoc @@ -12,7 +12,7 @@ include::../attributes.txt[] Learn how to create an Amazon EKS Auto Mode cluster to run Kubernetes applications, including prerequisites, networking options, and add-on configurations. -- -This topic provides detailed instructions for creating an Amazon EKS Auto Mode cluster using advanced configuration options. It covers prerequisites, networking options, and add-on configurations. The process includes setting up IAM roles, configuring cluster settings, specifying networking parameters, and selecting add-ons. Users can create clusters using either the {aws} Management Console or the {aws} CLI, with step-by-step guidance provided for both methods. +This topic provides detailed instructions for creating an Amazon EKS Auto Mode cluster using advanced configuration options. It covers prerequisites, networking options, and add-on configurations. The process includes setting up IAM roles, configuring cluster settings, specifying networking parameters, and selecting add-ons. Users can create clusters using either the {aws-management-console} or the {aws} CLI, with step-by-step guidance provided for both methods. For users seeking a less complex setup process, refer to the following for simplified cluster creation steps: diff --git a/latest/ug/clusters/management/service-quotas.adoc b/latest/ug/clusters/management/service-quotas.adoc index c9a6a6e0c..ddac157f2 100644 --- a/latest/ug/clusters/management/service-quotas.adoc +++ b/latest/ug/clusters/management/service-quotas.adoc @@ -15,7 +15,7 @@ Amazon EKS has integrated with Service Quotas, an {aws} service that you can use [[service-quotas-console,service-quotas-console.title]] -== View EKS service quotas in the {aws} Management Console +== View EKS service quotas in the {aws-management-console} . Open the link:servicequotas/home/services/eks/quotas["Service Quotas console",type="console"]. . In the left navigation pane, choose *{aws} services*. @@ -59,7 +59,7 @@ To work more with service quotas using the {aws} CLI, see link:cli/latest/refere [[sq-text,sq-text.title]] == Amazon EKS service quotas -{aws} recommends using the {aws} management console to view your current quotas. For more information, see <>. +{aws} recommends using the {aws-management-console} to view your current quotas. For more information, see <>. To view the default EKS service quotas, see link:general/latest/gr/eks.html#limits_eks["Amazon Elastic Kubernetes Service endpoints and quotas",type="documentation"] in the _{aws} General Reference_. @@ -80,7 +80,7 @@ The *{aws} Fargate* service in the Service Quotas console lists several service New {aws} accounts might have lower initial quotas that can increase over time. Fargate constantly monitors the account usage within each {aws} Region, and then automatically increases the quotas based on the usage. You can also request a quota increase for values that are shown as adjustable. For more information, see link:servicequotas/latest/userguide/request-quota-increase.html[Requesting a quota increase,type="documentation"] in the _Service Quotas User Guide_. -{aws} reccomends using the {aws} management console to view your current quotas. For more information, see <>. +{aws} reccomends using the {aws-management-console} to view your current quotas. For more information, see <>. To view default {aws} Fargate on EKS service quotas, see link:general/latest/gr/eks.html#service-quotas-eks-fargate["Fargate service quotas",type="documentation"] in the _{aws} General Reference_. diff --git a/latest/ug/getting-started/getting-started-console.adoc b/latest/ug/getting-started/getting-started-console.adoc index bf97e6032..6c10a4834 100644 --- a/latest/ug/getting-started/getting-started-console.adoc +++ b/latest/ug/getting-started/getting-started-console.adoc @@ -175,7 +175,7 @@ It lets you run Amazon Linux applications on Amazon EC2 instances. To learn more about different ways to configure nodes in EKS, see <>. After your cluster is deployed, you can add other node types. Though not covered in this guide, you can also add <> and <> nodes to your cluster. -*To create your {ec2} [.noloc]`Linux` managed node group* +*To create your EC2 [.noloc]`Linux` managed node group* . Create a node IAM role and attach the required Amazon EKS IAM managed policy to it. The Amazon EKS node `kubelet` daemon makes calls to {aws} APIs on your behalf. Nodes receive permissions for these API calls through an IAM instance profile and associated policies. diff --git a/latest/ug/networking/lbc-helm.adoc b/latest/ug/networking/lbc-helm.adoc index 09d58b4a9..e3f264a7f 100644 --- a/latest/ug/networking/lbc-helm.adoc +++ b/latest/ug/networking/lbc-helm.adoc @@ -44,7 +44,7 @@ Before starting this tutorial, you must install and configure the following tool [NOTE] ==== -You only need to create an IAM Role for the [.noloc]`{aws} Load Balancer Controller` once per {aws-account}. Check if `AmazonEKSLoadBalancerControllerRole` exists in the link:iam[IAM Console,type="console"]. If this role exists, skip to <>. +You only need to create an IAM Role for the [.noloc]`{aws} Load Balancer Controller` once per {aws} account. Check if `AmazonEKSLoadBalancerControllerRole` exists in the link:iam[IAM Console,type="console"]. If this role exists, skip to <>. ==== diff --git a/latest/ug/nodes/eks-compute.adoc b/latest/ug/nodes/eks-compute.adoc index 3fe68d4b2..e4c32d7db 100644 --- a/latest/ug/nodes/eks-compute.adoc +++ b/latest/ug/nodes/eks-compute.adoc @@ -219,4 +219,4 @@ include::eks-optimized-amis.adoc[leveloffset=+1] include::node-health.adoc[leveloffset=+1] -include::hybrid-nodes.adoc[leveloffset=+1] +include::hybrid-nodes-overview.adoc[leveloffset=+1] diff --git a/latest/ug/nodes/hybrid-nodes-add-ons.adoc b/latest/ug/nodes/hybrid-nodes-add-ons.adoc index 213678b28..aedc43a8a 100644 --- a/latest/ug/nodes/hybrid-nodes-add-ons.adoc +++ b/latest/ug/nodes/hybrid-nodes-add-ons.adoc @@ -145,9 +145,9 @@ This will configure `nodeadm` to create a credentials file to be configured on t nodeadm init -c file://nodeConfig.yaml ---- + -. Install `eks-pod-identity-agent` with support for hybrid nodes enabled, by either using the {cli} or {aws-management-console}. +. Install `eks-pod-identity-agent` with support for hybrid nodes enabled, by either using the {aws} CLI or {aws-management-console}. + -.. {cli}: From the machine that you're using to administer the cluster, run the following command to install `eks-pod-identity-agent` with support for hybrid nodes enabled. Replace `my-cluster` with the name of your cluster. +.. {aws} CLI: From the machine that you're using to administer the cluster, run the following command to install `eks-pod-identity-agent` with support for hybrid nodes enabled. Replace `my-cluster` with the name of your cluster. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc index 17b4eac04..7514cdd18 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc @@ -82,7 +82,7 @@ You can create a cluster by using: * <> * <> -* <> +* <> * <> @@ -256,7 +256,7 @@ aws eks describe-cluster \ . Continue with <>. [[hybrid-nodes-cluster-create-console,hybrid-nodes-cluster-create-console.title]] -=== Create hybrid nodes-enabled cluster - {aws} Management Console +=== Create hybrid nodes-enabled cluster - {aws-management-console} . Open the Amazon EKS console at link:eks/home#/clusters[Amazon EKS console,type="console"]. . Choose Add cluster and then choose Create. diff --git a/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc b/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc index f25cd0f80..944955feb 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc @@ -31,7 +31,8 @@ aws eks create-access-entry --cluster-name CLUSTER_NAME \ --type HYBRID_LINUX ---- -=== {aws} Management Console +[[hybrid-nodes-cluster-prep-console,hybrid-nodes-cluster-prep-console.title]] +=== {aws-management-console} . Open the Amazon EKS console at link:eks/home#/clusters[Amazon EKS console,type="console"]. diff --git a/latest/ug/nodes/hybrid-nodes-creds.adoc b/latest/ug/nodes/hybrid-nodes-creds.adoc index 021306fcb..6dfae06b0 100644 --- a/latest/ug/nodes/hybrid-nodes-creds.adoc +++ b/latest/ug/nodes/hybrid-nodes-creds.adoc @@ -378,7 +378,8 @@ aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly ---- -=== {aws} Management Console +[[hybrid-nodes-creds-console,hybrid-nodes-creds-console.title]] +=== {aws-management-console} *Create EKS Describe Cluster Policy* diff --git a/latest/ug/nodes/hybrid-nodes-networking.adoc b/latest/ug/nodes/hybrid-nodes-networking.adoc index b46f3f6d4..bd6116579 100644 --- a/latest/ug/nodes/hybrid-nodes-networking.adoc +++ b/latest/ug/nodes/hybrid-nodes-networking.adoc @@ -21,7 +21,7 @@ image::images/hybrid-prereq-diagram.png[Hybrid node network connectivity.,scaled *Minimum network requirements* -For an optimal experience, {aws} recommends reliable network connectivity of at least 100 Mbps and a maximum of 200ms round trip latency for the hybrid nodes connection to the {aws-region}. The bandwidth and latency requirements can vary depending on the number of hybrid nodes and your workload characteristics such as application image size, application elasticity, monitoring and logging configurations, and application dependencies on accessing data stored in other {aws-services}. +For an optimal experience, {aws} recommends reliable network connectivity of at least 100 Mbps and a maximum of 200ms round trip latency for the hybrid nodes connection to the {aws} Region. The bandwidth and latency requirements can vary depending on the number of hybrid nodes and your workload characteristics such as application image size, application elasticity, monitoring and logging configurations, and application dependencies on accessing data stored in other {aws} services. *On-premises node and pod CIDRs* @@ -195,9 +195,9 @@ Depending on your choice of CNI, you need to configure additional network access *Amazon EKS network interfaces* -Amazon EKS attaches network interfaces to the subnets in the VPC you pass during cluster creation to enable the communication between the Amazon EKS control plane and your VPC. The network interfaces that Amazon EKS creates can be found after cluster creation in the Amazon EC2 console or with the {cli}. The original network interfaces are deleted and new network interfaces are created when changes are applied on your Amazon EKS cluster, such as Kubernetes version upgrades. You can restrict the IP range for the Amazon EKS network interfaces by using constrained subnet sizes for the subnets you pass during cluster creation, which makes it easier to configure your on-premises firewall to allow inbound/outbound connectivity to this known, constrained set of IPs. To control which subnets network interfaces are created in, you can limit the number of subnets you specify when you create a cluster or you can update the subnets after creating the cluster. +Amazon EKS attaches network interfaces to the subnets in the VPC you pass during cluster creation to enable the communication between the Amazon EKS control plane and your VPC. The network interfaces that Amazon EKS creates can be found after cluster creation in the Amazon EC2 console or with the {aws} CLI. The original network interfaces are deleted and new network interfaces are created when changes are applied on your Amazon EKS cluster, such as Kubernetes version upgrades. You can restrict the IP range for the Amazon EKS network interfaces by using constrained subnet sizes for the subnets you pass during cluster creation, which makes it easier to configure your on-premises firewall to allow inbound/outbound connectivity to this known, constrained set of IPs. To control which subnets network interfaces are created in, you can limit the number of subnets you specify when you create a cluster or you can update the subnets after creating the cluster. -The network interfaces provisioned by Amazon EKS have a description of the format `Amazon EKS [.replaceable]``your-cluster-name```. See the example below for an {cli} command you can use to find the IP addresses of the network interfaces that Amazon EKS provisions. Replace `VPC_ID` with the ID of the VPC you pass during cluster creation. +The network interfaces provisioned by Amazon EKS have a description of the format `Amazon EKS [.replaceable]``your-cluster-name```. See the example below for an {aws} CLI command you can use to find the IP addresses of the network interfaces that Amazon EKS provisions. Replace `VPC_ID` with the ID of the VPC you pass during cluster creation. [source,cli,subs="verbatim,attributes,quotes"] ---- @@ -211,7 +211,7 @@ aws ec2 describe-network-interfaces \ The existing <> for Amazon EKS apply to clusters with hybrid nodes. Additionally, your VPC CIDR can't overlap with your on-premises node and pod CIDRs. You must configure routes in your VPC routing table for your on-premises node and optionally pod CIDRs. These routes must be setup to route traffic to the gateway you are using for your hybrid network connectivity, which is commonly a virtual private gateway (VGW) or transit gateway (TGW). If you are using TGW or VGW to connect your VPC with your on-premises environment, you must create a TGW or VGW attachment for your VPC. Your VPC must have DNS hostname and DNS resolution support. -The following steps use the {cli}. You can also create these resources in the {aws-management-console} or with other interfaces such as {aws} CloudFormation, {aws} CDK, or Terraform. +The following steps use the {aws} CLI. You can also create these resources in the {aws-management-console} or with other interfaces such as {aws} CloudFormation, {aws} CDK, or Terraform. === Step 1: Create VPC @@ -233,7 +233,7 @@ aws ec2 modify-vpc-attribute --vpc-id [.replaceable]`VPC_ID` --enable-dns-hostna Create at least 2 subnets. Amazon EKS uses these subnets for the cluster network interfaces. For more information, see the <>. -. You can find the availability zones for an {aws-region} with the following command. Replace `us-west-2` with your region. +. You can find the availability zones for an {aws} Region with the following command. Replace `us-west-2` with your region. + [source,cli,subs="verbatim,attributes,quotes"] ---- @@ -250,9 +250,9 @@ aws ec2 create-subnet \ --availability-zone [.replaceable]`AZ` ---- -=== (Optional) Step 3: Attach VPC with {amazon-vpc} Transit Gateway (TGW) or {aws-direct-connect} virtual private gateway (VGW) +=== (Optional) Step 3: Attach VPC with Amazon VPC Transit Gateway (TGW) or {aws} Direct Connect virtual private gateway (VGW) -If you are using a TGW or VGW, attach your VPC to the TGW or VGW. For more information, see link:vpc/latest/tgw/tgw-vpc-attachments.html[{amazon-vpc} attachments in {amazon-vpc} Transit Gateways,type="documentation"] or link:vpn/latest/s2svpn/how_it_works.html#VPNGateway[{aws} Direct Connect virtual private gateway associations,type="documentation"]. +If you are using a TGW or VGW, attach your VPC to the TGW or VGW. For more information, see link:vpc/latest/tgw/tgw-vpc-attachments.html[Amazon VPC attachments in Amazon VPC Transit Gateways,type="documentation"] or link:vpn/latest/s2svpn/how_it_works.html#VPNGateway[{aws} Direct Connect virtual private gateway associations,type="documentation"]. *Transit Gateway* diff --git a/latest/ug/nodes/hybrid-nodes.adoc b/latest/ug/nodes/hybrid-nodes-overview.adoc similarity index 92% rename from latest/ug/nodes/hybrid-nodes.adoc rename to latest/ug/nodes/hybrid-nodes-overview.adoc index 34ee318cf..b6b1ba030 100644 --- a/latest/ug/nodes/hybrid-nodes.adoc +++ b/latest/ug/nodes/hybrid-nodes-overview.adoc @@ -13,7 +13,7 @@ Join nodes from your data centers to Amazon EKS [.noloc]`Kubernetes` clusters wi With _Amazon EKS Hybrid Nodes_, you can use your on-premises and edge infrastructure as nodes in Amazon EKS clusters. {aws} manages the {aws}-hosted Kubernetes control plane of the Amazon EKS cluster, and you manage the hybrid nodes that run in your on-premises or edge environments. This unifies Kubernetes management across your environments and offloads Kubernetes control plane management to {aws} for your on-premises and edge applications. -Amazon EKS Hybrid Nodes works with any on-premises hardware or virtual machines, bringing the efficiency, scalability, and availability of Amazon EKS to wherever your applications need to run. You can use a wide range of Amazon EKS features with Amazon EKS Hybrid Nodes including Amazon EKS add-ons, Amazon EKS [.noloc]`Pod` Identity, cluster access entries, cluster insights, and extended Kubernetes version support. Amazon EKS Hybrid Nodes natively integrates with {aws-services} including {aws} Systems Manager, {aws} IAM Roles Anywhere, Amazon Managed Service for Prometheus, Amazon CloudWatch, and Amazon GuardDuty for centralized monitoring, logging, and identity management. +Amazon EKS Hybrid Nodes works with any on-premises hardware or virtual machines, bringing the efficiency, scalability, and availability of Amazon EKS to wherever your applications need to run. You can use a wide range of Amazon EKS features with Amazon EKS Hybrid Nodes including Amazon EKS add-ons, Amazon EKS [.noloc]`Pod` Identity, cluster access entries, cluster insights, and extended Kubernetes version support. Amazon EKS Hybrid Nodes natively integrates with {aws} services including {aws} Systems Manager, {aws} IAM Roles Anywhere, Amazon Managed Service for Prometheus, Amazon CloudWatch, and Amazon GuardDuty for centralized monitoring, logging, and identity management. With Amazon EKS Hybrid Nodes, there are no upfront commitments or minimum fees, and you are charged per hour for the vCPU resources of your hybrid nodes when they are attached to your Amazon EKS clusters. For more pricing information, see link:eks/pricing/[Amazon EKS Pricing,type="marketing"]. @@ -24,9 +24,9 @@ For an overview of the other Amazon EKS options for on-premises and edge deploym == General concepts of Amazon EKS Hybrid Nodes * Amazon EKS Hybrid Nodes must have a reliable connection between your on-premises environment and {aws}. Amazon EKS Hybrid Nodes aren't a fit for disconnected, disrupted, intermittent or limited (DDIL) environments. If you are running in a DDIL environment, consider link:eks/eks-anywhere/[Amazon EKS Anywhere,type="marketing"]. -* Running Amazon EKS Hybrid Nodes on cloud infrastructure, including {aws-regions}, {aws} Local Zones, {outposts}, or in other clouds, is not supported. Use Amazon EKS Auto Mode, Karpenter, Amazon EC2 managed node groups, self-managed nodes, or {aws} Fargate when running in {aws-regions}. Use Amazon EC2 managed node groups or Amazon EC2 self-managed nodes when running on {aws} Local Zones. Only Amazon EC2 self-managed nodes can be used on {outposts} or {aws} Wavelength Zones. -* A single Amazon EKS cluster can be used to run hybrid nodes and nodes in {aws-regions}, {aws} Local Zones, or {outposts}. -* Amazon EKS Hybrid Nodes is available in all {aws-regions}, except the {aws} GovCloud (US) Regions and the {aws} China Regions. +* Running Amazon EKS Hybrid Nodes on cloud infrastructure, including {aws} Regions, {aws} Local Zones, {aws} Outposts, or in other clouds, is not supported. Use Amazon EKS Auto Mode, Karpenter, Amazon EC2 managed node groups, self-managed nodes, or {aws} Fargate when running in {aws} Regions. Use Amazon EC2 managed node groups or Amazon EC2 self-managed nodes when running on {aws} Local Zones. Only Amazon EC2 self-managed nodes can be used on {aws} Outposts or {aws} Wavelength Zones. +* A single Amazon EKS cluster can be used to run hybrid nodes and nodes in {aws} Regions, {aws} Local Zones, or {aws} Outposts. +* Amazon EKS Hybrid Nodes is available in all {aws} Regions, except the {aws} GovCloud (US) Regions and the {aws} China Regions. * You will be charged the hybrid nodes fee if you run hybrid nodes on Amazon EC2 instances. * Billing for hybrid nodes starts when the nodes join the Amazon EKS cluster and stops when the nodes are removed from the cluster. Be sure to remove your hybrid nodes from your Amazon EKS cluster if you are not using them. @@ -54,7 +54,7 @@ For an overview of the other Amazon EKS options for on-premises and edge deploym * *IP address family*: Hybrid nodes can be used with Amazon EKS clusters configured with the `IPv4` IP address family only. You can't use Amazon EKS clusters configured with the `IPv6` IP address family. Similarly, your on-premises node and [.noloc]`Pod` CIDRs must be `IPv4` RFC1918 CIDR blocks. * You must enable the required domains, protocols, and ports for Amazon EKS Hybrid Nodes in your on-premises environments and firewalls. For more information, including minimum networking requirements, see <>. * *Cluster endpoint access*: You can use “Public” or “Private” cluster endpoint access. You should not use “Public and Private” cluster endpoint access, as the endpoint DNS resolution will always resolve to the public addresses for queries originating from your on-premises environment. -* For information and best practices during scenarios where there are network disconnections between hybrid nodes and the {aws-region}, see the link:eks/latest/best-practices/hybrid-nodes.html[hybrid nodes,type="documentation"] section of the _Amazon EKS Best Practices Guide_. +* For information and best practices during scenarios where there are network disconnections between hybrid nodes and the {aws} Region, see the link:eks/latest/best-practices/hybrid-nodes.html[hybrid nodes,type="documentation"] section of the _Amazon EKS Best Practices Guide_. * *Application load balancing*: Kubernetes has a https://kubernetes.io/docs/concepts/services-networking/service/[Service] object to define the names and domain names for your applications and resolve and load balance to them. By default, the `type:LoadBalancer` type of Service additionally creates an {aws} Classic Load Balancer for traffic from outside the cluster. You can change this behavior with add-ons. Specifically, we recommend the {aws} Application Load Balancer and {aws} Network Load Balancer which are created by the {aws} Load Balancer Controller, instead of the {aws} Classic Load Balancer. For steps to install the {aws} Load Balancer Controller in a hybrid environment, see <>. *Security for hybrid nodes* @@ -62,7 +62,7 @@ For an overview of the other Amazon EKS options for on-premises and edge deploym * Amazon EKS Hybrid Nodes use temporary IAM credentials to authenticate with your Amazon EKS cluster. You can use either {aws} IAM Roles Anywhere or {aws} Systems Manager (SSM) hybrid activations for provisioning the on-premises IAM credentials for hybrid nodes. It is recommended to use {aws} SSM hybrid activations if you do not have existing Public Key Infrastructure (PKI) with a Certificate Authority (CA) and certificates for your on-premises environments. If you do have existing PKI and certificates on-premises, use {aws} IAM Roles Anywhere. * You can use `API` or `API_AND_CONFIG_MAP` cluster authentication modes for your hybrid nodes-enabled Amazon EKS clusters. Use the cluster access entry type called `HYBRID_LINUX` with your hybrid nodes IAM role to enable hybrid nodes to join the Amazon EKS cluster. * OIDC authentication is supported for hybrid nodes-enabled Amazon EKS clusters. -* You can use Amazon EKS [.noloc]`Pod` Identities and IAM Roles for Service Accounts (IRSA) with applications running on hybrid nodes to enable granular access for your [.noloc]`Pods` running on hybrid nodes with other {aws-services}. +* You can use Amazon EKS [.noloc]`Pod` Identities and IAM Roles for Service Accounts (IRSA) with applications running on hybrid nodes to enable granular access for your [.noloc]`Pods` running on hybrid nodes with other {aws} services. * You can use Amazon GuardDuty EKS Protection with hybrid nodes-enabled Amazon EKS clusters to analyze activities of users and applications accessing your cluster. *Add-ons for hybrid nodes* @@ -78,7 +78,7 @@ For detailed information, see <>. *User interfaces* * *Node management*: The Amazon EKS Hybrid Nodes CLI is called `nodeadm` and is run on each on-premises host to simplify the installation, configuration, registration, and uninstall of the hybrid nodes components. The hybrid nodes `nodeadm` version is different than the `nodeadm` version used in the AL2023 Amazon EKS-optimized AMIs. You should not use the hybrid nodes `nodeadm` version for nodes running in Amazon EC2. -* *Cluster management*: The Amazon EKS user interfaces for cluster management are the same with hybrid nodes-enabled Amazon EKS clusters. This includes the {aws-management-console}, {aws} API, {aws} SDKs, {cli}, [.noloc]`eksctl` CLI, {cloudformation}, and Terraform. +* *Cluster management*: The Amazon EKS user interfaces for cluster management are the same with hybrid nodes-enabled Amazon EKS clusters. This includes the {aws-management-console}, {aws} API, {aws} SDKs, {aws} CLI, [.noloc]`eksctl` CLI, {aws} CloudFormation, and Terraform. include::hybrid-nodes-prereqs.adoc[leveloffset=+1] diff --git a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc index 5bb896ef2..5d2fe9827 100644 --- a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc +++ b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc @@ -494,7 +494,7 @@ systemctl restart snap.amazon-ssm-agent.amazon-ssm-agent *Check connectivity to SSM endpoints* -Confirm you can connect to the SSM endpoints from your hybrid nodes. For a list of the SSM endpoints, see link:general/latest/gr/ssm.html[{aws} Systems Manager endpoints and quotas,type="documentation"]. Replace `us-west-2` in the command below with the {aws-region} for your {aws} SSM hybrid activation. +Confirm you can connect to the SSM endpoints from your hybrid nodes. For a list of the SSM endpoints, see link:general/latest/gr/ssm.html[{aws} Systems Manager endpoints and quotas,type="documentation"]. Replace `us-west-2` in the command below with the {aws} Region for your {aws} SSM hybrid activation. [source,bash,subs="verbatim,attributes"] ---- @@ -503,7 +503,7 @@ ping ssm.us-west-2.amazonaws.com *View connection status of registered SSM instances* -You can check the connection status of the instances that are registered with SSM hybrid activations with the following {cli} command. Replace the machine ID with the machine ID of your instance. +You can check the connection status of the instances that are registered with SSM hybrid activations with the following {aws} CLI command. Replace the machine ID with the machine ID of your instance. [source,bash,subs="verbatim,attributes,quotes"] ---- @@ -522,7 +522,7 @@ Failed to perform agent-installation/on-prem registration: error while verifying *SSM `InvalidActivation`* -If you see an error registering your instance with {aws} SSM, confirm the `region`, `activationCode`, and `activationId` in your `nodeConfig.yaml` are correct. The {aws-region} for your EKS cluster must match the region of your SSM hybrid activation. If these values are misconfigured, you may see an error similar to the following. +If you see an error registering your instance with {aws} SSM, confirm the `region`, `activationCode`, and `activationId` in your `nodeConfig.yaml` are correct. The {aws} Region for your EKS cluster must match the region of your SSM hybrid activation. If these values are misconfigured, you may see an error similar to the following. [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/what-is/kubernetes-concepts.adoc b/latest/ug/what-is/kubernetes-concepts.adoc index 999e8cdb9..327c4fd78 100644 --- a/latest/ug/what-is/kubernetes-concepts.adoc +++ b/latest/ug/what-is/kubernetes-concepts.adoc @@ -104,7 +104,7 @@ In {aws} Cloud, you can create link:eks/[Amazon EKS,type="documentation"] cluste * *Managed control plane* -- {aws} makes sure that the Amazon EKS cluster is available and scalable because it manages the control plane for you and makes it available across {aws} Availability Zones. * *Node management* -- Instead of manually adding nodes, you can have Amazon EKS create nodes automatically as needed, using Managed Node Groups (see <>) or https://karpenter.sh/[Karpenter]. Managed Node Groups have integrations with [.noloc]`Kubernetes` https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaling]. Using node management tools, you can take advantage of cost savings, with things like link:AWSEC2/latest/UserGuide/using-spot-instances.html[Spot Instances,type="documentation"] and node consolidation, and availability, using https://karpenter.sh/docs/concepts/scheduling/[Scheduling]features to set how workloads are deployed and nodes are selected. * *Cluster networking* -- Using CloudFormation templates, `eksctl` sets up networking between control plane and data plane (node) components in the [.noloc]`Kubernetes` cluster. It also sets up endpoints through which internal and external communications can take place. See link:containers/de-mystifying-cluster-networking-for-amazon-eks-worker-nodes[De-mystifying cluster networking for Amazon EKS worker nodes,type="blog"] for details. Communications between Pods in Amazon EKS is done using Amazon EKS Pod Identities (see <>), which provides a means of letting Pods tap into {aws} cloud methods of managing credentials and permissions. -* *Add-Ons* -- Amazon EKS saves you from having to build and add software components that are commonly used to support [.noloc]`Kubernetes` clusters. For example, when you create an Amazon EKS cluster from the {aws} Management console, it automatically adds the Amazon EKS kube-proxy (<>), Amazon VPC CNI plugin for [.noloc]`Kubernetes` (<>), and CoreDNS (<>) add-ons. See <> for more on these add-ons, including a list of which are available. +* *Add-Ons* -- Amazon EKS saves you from having to build and add software components that are commonly used to support [.noloc]`Kubernetes` clusters. For example, when you create an Amazon EKS cluster from the {aws-management-console}, it automatically adds the Amazon EKS kube-proxy (<>), Amazon VPC CNI plugin for [.noloc]`Kubernetes` (<>), and CoreDNS (<>) add-ons. See <> for more on these add-ons, including a list of which are available. To run your clusters on your own on-premises computers and networks, Amazon offers https://anywhere.eks.amazonaws.com/[Amazon EKS Anywhere]. Instead of the {aws} Cloud being the provider, you have the choice of running Amazon EKS Anywhere on https://anywhere.eks.amazonaws.com/docs/getting-started/vsphere/[VMWare vSphere], https://anywhere.eks.amazonaws.com/docs/getting-started/baremetal/[bare metal] (https://tinkerbell.org[Tinkerbell provider]), https://anywhere.eks.amazonaws.com/docs/getting-started/snow/[Snow], https://anywhere.eks.amazonaws.com/docs/getting-started/cloudstack/[CloudStack], or https://anywhere.eks.amazonaws.com/docs/getting-started/nutanix/[Nutanix] platforms using your own equipment. From 9a96e0c1a0636cc5bccfa61bdf7678b71199f2f4 Mon Sep 17 00:00:00 2001 From: pgasca <87044997+pgasca@users.noreply.github.com> Date: Fri, 31 Jan 2025 17:20:53 -0600 Subject: [PATCH 079/940] Update eks-outposts-troubleshooting.adoc Added mandatory {aws} attribute and minor rewrites. --- latest/ug/outposts/eks-outposts-troubleshooting.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/outposts/eks-outposts-troubleshooting.adoc b/latest/ug/outposts/eks-outposts-troubleshooting.adoc index 63ddd3680..f73ffd1a0 100644 --- a/latest/ug/outposts/eks-outposts-troubleshooting.adoc +++ b/latest/ug/outposts/eks-outposts-troubleshooting.adoc @@ -216,7 +216,7 @@ The most common issues are the following: * Your cluster can't connect to the control plane instance from the {aws} Region that Systems Manager is in. You can verify this by calling `aws ssm start-session --target [.replaceable]``instance-id``` from an in-Region bastion host. If that command doesn't work, check if Systems Manager is running on the control plane instance. Or, another work around is to delete the cluster and then recreate it. -* The control plane instances fail to create due to KMS key permissions for EBS volumes. When using customer managed KMS keys for encrypted EBS volumes, the control plane instances will terminate if the key is not accessible. If the instances are terminated, either switch to an AWS managed KMS key or ensure your customer managed key policy grants the necessary permissions to the cluster role. +* The control plane instances fail to create due to KMS key permissions for EBS volumes. With user managed KMS keys for encrypted EBS volumes, the control plane instances will terminate if the key is not accessible. If the instances are terminated, either switch to an {aws} managed KMS key or ensure that your user managed key policy grants the necessary permissions to the cluster role. * Systems Manager control plane instances might not have internet access. Check if the subnet that you provided when you created the cluster has a NAT gateway and a VPC with an internet gateway. Use VPC reachability analyzer to verify that the control plane instance can reach the internet gateway. For more information, see link:vpc/latest/reachability/getting-started.html[Getting started with VPC Reachability Analyzer,type="documentation"]. * The role ARN that you provided is missing policies. Check if the <> was removed from the role. This can also occur if an {aws} CloudFormation stack is misconfigured. From c8fe4946abbd0ee174f3427731c756828ad6d8c2 Mon Sep 17 00:00:00 2001 From: pgasca <87044997+pgasca@users.noreply.github.com> Date: Fri, 31 Jan 2025 17:31:19 -0600 Subject: [PATCH 080/940] Style rewrites --- latest/ug/security/configuration-vulnerability-analysis.adoc | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/latest/ug/security/configuration-vulnerability-analysis.adoc b/latest/ug/security/configuration-vulnerability-analysis.adoc index f51bf327c..01336d8bc 100644 --- a/latest/ug/security/configuration-vulnerability-analysis.adoc +++ b/latest/ug/security/configuration-vulnerability-analysis.adoc @@ -17,8 +17,6 @@ Security is a critical consideration for configuring and maintaining [.noloc]`Ku The https://www.cisecurity.org/benchmark/kubernetes/[Center for Internet Security (CIS) Kubernetes Benchmark] provides guidance for Amazon EKS security configurations. The benchmark: - - * Is applicable to Amazon EC2 nodes (both managed and self-managed) where you are responsible for security configurations of [.noloc]`Kubernetes` components. * Provides a standard, community-approved way to ensure that you have configured your [.noloc]`Kubernetes` cluster and nodes securely when using Amazon EKS. * Consists of four sections; control plane logging configuration, node security configurations, policies, and managed services. @@ -26,7 +24,7 @@ The https://www.cisecurity.org/benchmark/kubernetes/[Center for Internet Securit To learn more, see link:containers/introducing-cis-amazon-eks-benchmark[Introducing The CIS Amazon EKS Benchmark,type="blog"]. -To explore an automated aws-sample pipeline for updating your node-group with CIS Benchmarked AMI, explore at: https://github.com/aws-samples/pipeline-for-hardening-eks-nodes-and-automating-updates[EKS-Optimized AMI Hardening Pipeline, type="solution"] +For an automated `aws-sample` pipeline for updating your node group with a CIS benchmarked AMI, see https://github.com/aws-samples/pipeline-for-hardening-eks-nodes-and-automating-updates[EKS-Optimized AMI Hardening Pipeline]. [[configuration-vulnerability-analysis-pv,configuration-vulnerability-analysis-pv.title]] == Amazon EKS platform versions From 2bab17e1bc103c2874bcdab66fd642df0d4e4c42 Mon Sep 17 00:00:00 2001 From: Daniel Morales <54182283+Daniel-Designs@users.noreply.github.com> Date: Wed, 29 Jan 2025 20:47:16 -0600 Subject: [PATCH 081/940] Update eks-outposts-troubleshooting.adoc Adding new troubleshooting section for KMS key accessibility issues when creating EKS clusters on AWS Outposts. --- latest/ug/outposts/eks-outposts-troubleshooting.adoc | 1 + 1 file changed, 1 insertion(+) diff --git a/latest/ug/outposts/eks-outposts-troubleshooting.adoc b/latest/ug/outposts/eks-outposts-troubleshooting.adoc index b3c37f3e8..63ddd3680 100644 --- a/latest/ug/outposts/eks-outposts-troubleshooting.adoc +++ b/latest/ug/outposts/eks-outposts-troubleshooting.adoc @@ -216,6 +216,7 @@ The most common issues are the following: * Your cluster can't connect to the control plane instance from the {aws} Region that Systems Manager is in. You can verify this by calling `aws ssm start-session --target [.replaceable]``instance-id``` from an in-Region bastion host. If that command doesn't work, check if Systems Manager is running on the control plane instance. Or, another work around is to delete the cluster and then recreate it. +* The control plane instances fail to create due to KMS key permissions for EBS volumes. When using customer managed KMS keys for encrypted EBS volumes, the control plane instances will terminate if the key is not accessible. If the instances are terminated, either switch to an AWS managed KMS key or ensure your customer managed key policy grants the necessary permissions to the cluster role. * Systems Manager control plane instances might not have internet access. Check if the subnet that you provided when you created the cluster has a NAT gateway and a VPC with an internet gateway. Use VPC reachability analyzer to verify that the control plane instance can reach the internet gateway. For more information, see link:vpc/latest/reachability/getting-started.html[Getting started with VPC Reachability Analyzer,type="documentation"]. * The role ARN that you provided is missing policies. Check if the <> was removed from the role. This can also occur if an {aws} CloudFormation stack is misconfigured. From 5992f465d3835197ca580d5ebb6425272b812d3b Mon Sep 17 00:00:00 2001 From: pgasca <87044997+pgasca@users.noreply.github.com> Date: Fri, 31 Jan 2025 17:20:53 -0600 Subject: [PATCH 082/940] Update eks-outposts-troubleshooting.adoc Added mandatory {aws} attribute and minor rewrites. --- latest/ug/outposts/eks-outposts-troubleshooting.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/outposts/eks-outposts-troubleshooting.adoc b/latest/ug/outposts/eks-outposts-troubleshooting.adoc index 63ddd3680..f73ffd1a0 100644 --- a/latest/ug/outposts/eks-outposts-troubleshooting.adoc +++ b/latest/ug/outposts/eks-outposts-troubleshooting.adoc @@ -216,7 +216,7 @@ The most common issues are the following: * Your cluster can't connect to the control plane instance from the {aws} Region that Systems Manager is in. You can verify this by calling `aws ssm start-session --target [.replaceable]``instance-id``` from an in-Region bastion host. If that command doesn't work, check if Systems Manager is running on the control plane instance. Or, another work around is to delete the cluster and then recreate it. -* The control plane instances fail to create due to KMS key permissions for EBS volumes. When using customer managed KMS keys for encrypted EBS volumes, the control plane instances will terminate if the key is not accessible. If the instances are terminated, either switch to an AWS managed KMS key or ensure your customer managed key policy grants the necessary permissions to the cluster role. +* The control plane instances fail to create due to KMS key permissions for EBS volumes. With user managed KMS keys for encrypted EBS volumes, the control plane instances will terminate if the key is not accessible. If the instances are terminated, either switch to an {aws} managed KMS key or ensure that your user managed key policy grants the necessary permissions to the cluster role. * Systems Manager control plane instances might not have internet access. Check if the subnet that you provided when you created the cluster has a NAT gateway and a VPC with an internet gateway. Use VPC reachability analyzer to verify that the control plane instance can reach the internet gateway. For more information, see link:vpc/latest/reachability/getting-started.html[Getting started with VPC Reachability Analyzer,type="documentation"]. * The role ARN that you provided is missing policies. Check if the <> was removed from the role. This can also occur if an {aws} CloudFormation stack is misconfigured. From d8ab476f58d88c8961e0d83384c33e19b0782241 Mon Sep 17 00:00:00 2001 From: Ramneek Kalra Date: Fri, 31 Jan 2025 09:32:50 +0530 Subject: [PATCH 083/940] Added aws-sample for automating CIS Benchmark update on existing Nodegroup Added aws-sample for automating CIS Benchmark update on existing Nodegroup. You can modify accordingly as per public-understanding of customers (mentioning about having this sample used for lower-environment and use then for production). --- latest/ug/security/configuration-vulnerability-analysis.adoc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/latest/ug/security/configuration-vulnerability-analysis.adoc b/latest/ug/security/configuration-vulnerability-analysis.adoc index fb9d1612a..f51bf327c 100644 --- a/latest/ug/security/configuration-vulnerability-analysis.adoc +++ b/latest/ug/security/configuration-vulnerability-analysis.adoc @@ -26,6 +26,8 @@ The https://www.cisecurity.org/benchmark/kubernetes/[Center for Internet Securit To learn more, see link:containers/introducing-cis-amazon-eks-benchmark[Introducing The CIS Amazon EKS Benchmark,type="blog"]. +To explore an automated aws-sample pipeline for updating your node-group with CIS Benchmarked AMI, explore at: https://github.com/aws-samples/pipeline-for-hardening-eks-nodes-and-automating-updates[EKS-Optimized AMI Hardening Pipeline, type="solution"] + [[configuration-vulnerability-analysis-pv,configuration-vulnerability-analysis-pv.title]] == Amazon EKS platform versions From 09aa910a90e4f596a00c95a3fbd7fa0b5523d0d7 Mon Sep 17 00:00:00 2001 From: pgasca <87044997+pgasca@users.noreply.github.com> Date: Fri, 31 Jan 2025 17:31:19 -0600 Subject: [PATCH 084/940] Style rewrites --- latest/ug/security/configuration-vulnerability-analysis.adoc | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/latest/ug/security/configuration-vulnerability-analysis.adoc b/latest/ug/security/configuration-vulnerability-analysis.adoc index f51bf327c..01336d8bc 100644 --- a/latest/ug/security/configuration-vulnerability-analysis.adoc +++ b/latest/ug/security/configuration-vulnerability-analysis.adoc @@ -17,8 +17,6 @@ Security is a critical consideration for configuring and maintaining [.noloc]`Ku The https://www.cisecurity.org/benchmark/kubernetes/[Center for Internet Security (CIS) Kubernetes Benchmark] provides guidance for Amazon EKS security configurations. The benchmark: - - * Is applicable to Amazon EC2 nodes (both managed and self-managed) where you are responsible for security configurations of [.noloc]`Kubernetes` components. * Provides a standard, community-approved way to ensure that you have configured your [.noloc]`Kubernetes` cluster and nodes securely when using Amazon EKS. * Consists of four sections; control plane logging configuration, node security configurations, policies, and managed services. @@ -26,7 +24,7 @@ The https://www.cisecurity.org/benchmark/kubernetes/[Center for Internet Securit To learn more, see link:containers/introducing-cis-amazon-eks-benchmark[Introducing The CIS Amazon EKS Benchmark,type="blog"]. -To explore an automated aws-sample pipeline for updating your node-group with CIS Benchmarked AMI, explore at: https://github.com/aws-samples/pipeline-for-hardening-eks-nodes-and-automating-updates[EKS-Optimized AMI Hardening Pipeline, type="solution"] +For an automated `aws-sample` pipeline for updating your node group with a CIS benchmarked AMI, see https://github.com/aws-samples/pipeline-for-hardening-eks-nodes-and-automating-updates[EKS-Optimized AMI Hardening Pipeline]. [[configuration-vulnerability-analysis-pv,configuration-vulnerability-analysis-pv.title]] == Amazon EKS platform versions From b33f75d6e0b887094684da40d8564449de5707b1 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Fri, 31 Jan 2025 23:59:39 +0000 Subject: [PATCH 085/940] Tweak. --- latest/ug/security/configuration-vulnerability-analysis.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/security/configuration-vulnerability-analysis.adoc b/latest/ug/security/configuration-vulnerability-analysis.adoc index 01336d8bc..9ec6edbec 100644 --- a/latest/ug/security/configuration-vulnerability-analysis.adoc +++ b/latest/ug/security/configuration-vulnerability-analysis.adoc @@ -24,7 +24,7 @@ The https://www.cisecurity.org/benchmark/kubernetes/[Center for Internet Securit To learn more, see link:containers/introducing-cis-amazon-eks-benchmark[Introducing The CIS Amazon EKS Benchmark,type="blog"]. -For an automated `aws-sample` pipeline for updating your node group with a CIS benchmarked AMI, see https://github.com/aws-samples/pipeline-for-hardening-eks-nodes-and-automating-updates[EKS-Optimized AMI Hardening Pipeline]. +For an automated `aws-sample` pipeline to update your node group with a CIS benchmarked AMI, see https://github.com/aws-samples/pipeline-for-hardening-eks-nodes-and-automating-updates[EKS-Optimized AMI Hardening Pipeline]. [[configuration-vulnerability-analysis-pv,configuration-vulnerability-analysis-pv.title]] == Amazon EKS platform versions From 0a22cddf974e09a34d5dae9bf7c28b82cd1728b0 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Sat, 1 Feb 2025 00:23:13 +0000 Subject: [PATCH 086/940] Typo fix. --- latest/ug/clusters/management/service-quotas.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/clusters/management/service-quotas.adoc b/latest/ug/clusters/management/service-quotas.adoc index ddac157f2..044721f9d 100644 --- a/latest/ug/clusters/management/service-quotas.adoc +++ b/latest/ug/clusters/management/service-quotas.adoc @@ -80,7 +80,7 @@ The *{aws} Fargate* service in the Service Quotas console lists several service New {aws} accounts might have lower initial quotas that can increase over time. Fargate constantly monitors the account usage within each {aws} Region, and then automatically increases the quotas based on the usage. You can also request a quota increase for values that are shown as adjustable. For more information, see link:servicequotas/latest/userguide/request-quota-increase.html[Requesting a quota increase,type="documentation"] in the _Service Quotas User Guide_. -{aws} reccomends using the {aws-management-console} to view your current quotas. For more information, see <>. +{aws} recomends using the {aws-management-console} to view your current quotas. For more information, see <>. To view default {aws} Fargate on EKS service quotas, see link:general/latest/gr/eks.html#service-quotas-eks-fargate["Fargate service quotas",type="documentation"] in the _{aws} General Reference_. From 5bf57a3d5535fb693ff9bf2f5ce91ffca5f2356b Mon Sep 17 00:00:00 2001 From: theincognitogeek Date: Mon, 3 Feb 2025 15:29:49 +0530 Subject: [PATCH 087/940] Update cluster-endpoint.adoc This changes is to correct the steps for configuring the endpoint configuration in AWS console. --- latest/ug/clusters/cluster-endpoint.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/clusters/cluster-endpoint.adoc b/latest/ug/clusters/cluster-endpoint.adoc index 342359e13..48de9ae67 100644 --- a/latest/ug/clusters/cluster-endpoint.adoc +++ b/latest/ug/clusters/cluster-endpoint.adoc @@ -135,7 +135,7 @@ You can modify your cluster API server endpoint access using the {aws-management . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. . Choose the name of the cluster to display your cluster information. -. Choose the *Networking* tab and choose *Update*. +. Choose the *Networking* tab and choose *Manage endpoint access*. . For *Private access*, choose whether to enable or disable private access for your cluster's [.noloc]`Kubernetes` API server endpoint. If you enable private access, [.noloc]`Kubernetes` API requests that originate from within your cluster's VPC use the private VPC endpoint. You must enable private access to disable public access. . For *Public access*, choose whether to enable or disable public access for your cluster's [.noloc]`Kubernetes` API server endpoint. If you disable public access, your cluster's [.noloc]`Kubernetes` API server can only receive requests from within the cluster VPC. . (Optional) If you've enabled *Public access*, you can specify which addresses from the internet can communicate to the public endpoint. Select *Advanced Settings*. Enter a CIDR block, such as [.replaceable]`203.0.113.5/32`. The block cannot include https://en.wikipedia.org/wiki/Reserved_IP_addresses[reserved addresses]. You can enter additional blocks by selecting *Add Source*. There is a maximum number of CIDR blocks that you can specify. For more information, see <>. If you specify no blocks, then the public API server endpoint receives requests from all (`0.0.0.0/0`) IP addresses. If you restrict access to your public endpoint using CIDR blocks, it is recommended that you also enable private endpoint access so that nodes and Fargate [.noloc]`Pods` (if you use them) can communicate with the cluster. Without the private endpoint enabled, your public access endpoint CIDR sources must include the egress sources from your VPC. For example, if you have a node in a private subnet that communicates to the internet through a NAT Gateway, you will need to add the outbound IP address of the NAT gateway as part of an allowed CIDR block on your public endpoint. From 3112838bc10ef66041ce09a3343de3bd62d8c88a Mon Sep 17 00:00:00 2001 From: Eric Chapman Date: Wed, 29 Jan 2025 23:06:41 +0000 Subject: [PATCH 088/940] Remove the requirement for ALB to use scheme, "internal". cr: https://code.amazon.com/reviews/CR-174992655 --- latest/ug/nodes/hybrid-nodes-add-ons.adoc | 1 - 1 file changed, 1 deletion(-) diff --git a/latest/ug/nodes/hybrid-nodes-add-ons.adoc b/latest/ug/nodes/hybrid-nodes-add-ons.adoc index aedc43a8a..c38c16b7c 100644 --- a/latest/ug/nodes/hybrid-nodes-add-ons.adoc +++ b/latest/ug/nodes/hybrid-nodes-add-ons.adoc @@ -109,7 +109,6 @@ To install the {aws} Load Balancer Controller, follow the steps at <> For ingress with ALB, you must specify the annotations below. See <> for instructions. [source,yaml,subs="verbatim,attributes"] ---- -alb.ingress.kubernetes.io/scheme: internal alb.ingress.kubernetes.io/target-type: ip ---- From ae87cf6678336273eda0a3f48d9f109d3a7bd2cf Mon Sep 17 00:00:00 2001 From: theincognitogeek Date: Mon, 3 Feb 2025 15:29:49 +0530 Subject: [PATCH 089/940] Update cluster-endpoint.adoc This changes is to correct the steps for configuring the endpoint configuration in AWS console. --- latest/ug/clusters/cluster-endpoint.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/clusters/cluster-endpoint.adoc b/latest/ug/clusters/cluster-endpoint.adoc index 342359e13..48de9ae67 100644 --- a/latest/ug/clusters/cluster-endpoint.adoc +++ b/latest/ug/clusters/cluster-endpoint.adoc @@ -135,7 +135,7 @@ You can modify your cluster API server endpoint access using the {aws-management . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. . Choose the name of the cluster to display your cluster information. -. Choose the *Networking* tab and choose *Update*. +. Choose the *Networking* tab and choose *Manage endpoint access*. . For *Private access*, choose whether to enable or disable private access for your cluster's [.noloc]`Kubernetes` API server endpoint. If you enable private access, [.noloc]`Kubernetes` API requests that originate from within your cluster's VPC use the private VPC endpoint. You must enable private access to disable public access. . For *Public access*, choose whether to enable or disable public access for your cluster's [.noloc]`Kubernetes` API server endpoint. If you disable public access, your cluster's [.noloc]`Kubernetes` API server can only receive requests from within the cluster VPC. . (Optional) If you've enabled *Public access*, you can specify which addresses from the internet can communicate to the public endpoint. Select *Advanced Settings*. Enter a CIDR block, such as [.replaceable]`203.0.113.5/32`. The block cannot include https://en.wikipedia.org/wiki/Reserved_IP_addresses[reserved addresses]. You can enter additional blocks by selecting *Add Source*. There is a maximum number of CIDR blocks that you can specify. For more information, see <>. If you specify no blocks, then the public API server endpoint receives requests from all (`0.0.0.0/0`) IP addresses. If you restrict access to your public endpoint using CIDR blocks, it is recommended that you also enable private endpoint access so that nodes and Fargate [.noloc]`Pods` (if you use them) can communicate with the cluster. Without the private endpoint enabled, your public access endpoint CIDR sources must include the egress sources from your VPC. For example, if you have a node in a private subnet that communicates to the internet through a NAT Gateway, you will need to add the outbound IP address of the NAT gateway as part of an allowed CIDR block on your public endpoint. From 824324a23c772eb3e28889d39076b15914fac6e9 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Mon, 3 Feb 2025 18:17:49 +0000 Subject: [PATCH 090/940] Updated the link of GOARCH values: 45391 --- latest/ug/automode/create-node-pool.adoc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/latest/ug/automode/create-node-pool.adoc b/latest/ug/automode/create-node-pool.adoc index 9c5039854..ff96ad406 100644 --- a/latest/ug/automode/create-node-pool.adoc +++ b/latest/ug/automode/create-node-pool.adoc @@ -92,10 +92,9 @@ EKS Auto Mode supports the following well known labels. |g4dn.8xlarge |{aws} instance type - |kubernetes.io/arch |amd64 -|Architectures are defined by link:https://github.com/golang/go/blob/master/src/go/build/syslist.go#L50[GOARCH values] on the instance +|Architectures are defined by link:https://github.com/golang/go/blob/master/src/internal/syslist/syslist.go#L58[GOARCH values] on the instance |karpenter.sh/capacity-type |spot From 1c40e772f7d1818445e57e19c460268e6721bd3f Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Tue, 4 Feb 2025 00:04:35 +0000 Subject: [PATCH 091/940] Merged from gdc/refactor-irsa into mainline. --- latest/ug/automode/associate-workload.adoc | 2 +- latest/ug/automode/auto-elb-example.adoc | 2 +- latest/ug/automode/auto-learn-iam.adoc | 2 +- latest/ug/automode/auto-migrate-mng.adoc | 4 +- latest/ug/automode/auto-upgrade.adoc | 2 +- latest/ug/clusters/autoscaling.adoc | 1 - latest/ug/clusters/create-cluster-auto.adoc | 1 - latest/ug/clusters/delete-cluster.adoc | 1 - .../ug/clusters/disable-windows-support.adoc | 1 - .../management/cost-monitoring-aws.adoc | 5 +- .../management/cost-monitoring-kubecost.adoc | 1 + .../clusters/management/eks-using-tags.adoc | 1 - latest/ug/clusters/management/helm.adoc | 1 - .../clusters/management/metrics-server.adoc | 1 - .../clusters/management/service-quotas.adoc | 1 - latest/ug/clusters/private-clusters.adoc | 1 - latest/ug/clusters/windows-support.adoc | 1 - latest/ug/connector/connecting-cluster.adoc | 1 - .../ug/connector/connector-grant-access.adoc | 3 +- .../deregister-connected-cluster.adoc | 1 - latest/ug/connector/security-connector.adoc | 1 - .../connector/troubleshooting-connector.adoc | 2 +- .../getting-started-automode.adoc | 3 +- .../getting-started-console.adoc | 3 +- .../getting-started-eksctl.adoc | 3 +- latest/ug/getting-started/learn-eks.adoc | 1 - ...reating-resources-with-cloudformation.adoc | 2 +- latest/ug/integrations/eks-integrations.adoc | 6 - .../integrations/integration-detective.adoc | 2 +- .../integrations/integration-guardduty.adoc | 2 +- .../integration-resilience-hub.adoc | 1 + .../integration-securitylake.adoc | 3 +- .../integrations/integration-vpc-lattice.adoc | 2 +- latest/ug/integrations/local-zones.adoc | 1 + .../associate-service-account-role.adoc | 279 +++ .../aws-access/configure-sts-endpoint.adoc | 152 ++ .../aws-access/cross-account-access.adoc | 110 + ...enable-iam-roles-for-service-accounts.adoc | 85 + ...oles-for-service-accounts-minimum-sdk.adoc | 32 + .../iam-roles-for-service-accounts.adoc | 70 + .../aws-access/irsa-fetch-keys.adoc | 41 + .../aws-access/pod-configuration.adoc | 127 ++ .../manage-access/aws-access/pod-id-abac.adoc | 84 + .../aws-access/pod-id-agent-config-ipv6.adoc | 85 + .../aws-access/pod-id-agent-setup.adoc | 115 ++ .../aws-access/pod-id-association.adoc | 288 +++ .../aws-access/pod-id-configure-pods.adoc | 96 + .../aws-access/pod-id-how-it-works.adoc | 59 + .../aws-access/pod-id-minimum-sdk.adoc | 41 + .../manage-access/aws-access/pod-id-role.adoc | 44 + .../aws-access/pod-identities.adoc | 147 ++ .../manage-access/aws-access/process_all.sh | 22 + .../manage-access/aws-access/process_doc.py | 49 + .../aws-access/service-accounts.adoc | 1768 +---------------- .../ug/manage-access/create-kubeconfig.adoc | 1 - .../k8s-access/access-entries.adoc | 265 +-- .../k8s-access/access-policies.adoc | 1 + .../k8s-access/access-policy-reference.adoc | 1 + .../k8s-access/auth-configmap.adoc | 2 +- .../authenticate-oidc-identity-provider.adoc | 1 + .../k8s-access/creating-access-entries.adoc | 130 ++ .../k8s-access/deleting-access-entries.adoc | 31 + .../disassociate-oidc-identity-provider.adoc | 1 + .../k8s-access/grant-k8s-access.adoc | 2 +- .../k8s-access/migrating-access-entries.adoc | 1 + .../k8s-access/setting-up-access-entries.adoc | 74 + .../k8s-access/updating-access-entries.adoc | 36 + .../view-kubernetes-resources.adoc | 2 +- latest/ug/ml/node-efa.adoc | 2 +- .../cni-custom-network-tutorial.adoc | 2 +- .../cni-network-policy-configure.adoc | 2 +- latest/ug/networking/cni-network-policy.adoc | 2 +- .../ug/networking/coredns-add-on-update.adoc | 2 +- latest/ug/networking/lbc-remove.adoc | 2 +- .../pod-multiple-network-interfaces.adoc | 2 +- latest/ug/networking/vpc-add-on-update.adoc | 2 +- latest/ug/nodes/al2023.adoc | 2 +- latest/ug/nodes/choosing-instance-type.adoc | 1 - latest/ug/nodes/hybrid-nodes-nodeadm.adoc | 2 +- .../self-managed-windows-server-2022.adoc | 2 +- latest/ug/nodes/update-stack.adoc | 2 +- .../ug/observability/control-plane-logs.adoc | 1 - .../eks-outposts-network-disconnects.adoc | 2 +- .../eks-outposts-platform-versions.adoc | 2 +- .../ug/storage/csi-snapshot-controller.adoc | 1 - latest/ug/storage/ebs-csi-migration-faq.adoc | 1 - latest/ug/storage/ebs-csi.adoc | 1 - latest/ug/storage/file-cache-csi.adoc | 1 - latest/ug/storage/fsx-csi.adoc | 1 - latest/ug/storage/fsx-ontap.adoc | 1 - latest/ug/storage/fsx-openzfs-csi.adoc | 1 - latest/ug/storage/s3-csi.adoc | 1 - latest/ug/what-is/common-use-cases.adoc | 1 - latest/ug/what-is/eks-architecture.adoc | 1 - latest/ug/what-is/kubernetes-concepts.adoc | 1 - latest/ug/workloads/add-ons-images.adoc | 10 +- .../ug/workloads/addon-id-troubleshoot.adoc | 2 +- .../workloads/copy-image-to-repository.adoc | 1 - .../workloads/horizontal-pod-autoscaler.adoc | 1 - latest/ug/workloads/image-verification.adoc | 1 - .../kubernetes-field-management.adoc | 2 +- latest/ug/workloads/remove-addon-role.adoc | 2 +- .../restrict-service-external-ip.adoc | 2 +- .../workloads/sample-deployment-windows.adoc | 2 +- latest/ug/workloads/sample-deployment.adoc | 2 +- latest/ug/workloads/update-addon-role.adoc | 2 +- .../ug/workloads/vertical-pod-autoscaler.adoc | 1 - 107 files changed, 2264 insertions(+), 2112 deletions(-) create mode 100644 latest/ug/manage-access/aws-access/associate-service-account-role.adoc create mode 100644 latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc create mode 100644 latest/ug/manage-access/aws-access/cross-account-access.adoc create mode 100644 latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc create mode 100644 latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc create mode 100644 latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc create mode 100644 latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc create mode 100644 latest/ug/manage-access/aws-access/pod-configuration.adoc create mode 100644 latest/ug/manage-access/aws-access/pod-id-abac.adoc create mode 100644 latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc create mode 100644 latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc create mode 100644 latest/ug/manage-access/aws-access/pod-id-association.adoc create mode 100644 latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc create mode 100644 latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc create mode 100644 latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc create mode 100644 latest/ug/manage-access/aws-access/pod-id-role.adoc create mode 100644 latest/ug/manage-access/aws-access/pod-identities.adoc create mode 100755 latest/ug/manage-access/aws-access/process_all.sh create mode 100644 latest/ug/manage-access/aws-access/process_doc.py create mode 100644 latest/ug/manage-access/k8s-access/creating-access-entries.adoc create mode 100644 latest/ug/manage-access/k8s-access/deleting-access-entries.adoc create mode 100644 latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc create mode 100644 latest/ug/manage-access/k8s-access/updating-access-entries.adoc diff --git a/latest/ug/automode/associate-workload.adoc b/latest/ug/automode/associate-workload.adoc index f6ab510fb..338282ac1 100644 --- a/latest/ug/automode/associate-workload.adoc +++ b/latest/ug/automode/associate-workload.adoc @@ -1,7 +1,7 @@ [.topic] [[associate-workload,associate-workload.title]] = Control if a workload is deployed on EKS Auto Mode nodes -:info_titleabbrev: Control workload deployment +:info_titleabbrev: Control deployment include::../attributes.txt[] diff --git a/latest/ug/automode/auto-elb-example.adoc b/latest/ug/automode/auto-elb-example.adoc index 219555764..77b473a1d 100644 --- a/latest/ug/automode/auto-elb-example.adoc +++ b/latest/ug/automode/auto-elb-example.adoc @@ -1,7 +1,7 @@ [.topic] [[auto-elb-example,auto-elb-example.title]] = Deploy a Sample Load Balancer Workload to EKS Auto Mode -:info_titleabbrev: Deploy load balancer workload +:info_titleabbrev: Deploy load balancer include::../attributes.txt[] diff --git a/latest/ug/automode/auto-learn-iam.adoc b/latest/ug/automode/auto-learn-iam.adoc index b676d8af7..8b817e46e 100644 --- a/latest/ug/automode/auto-learn-iam.adoc +++ b/latest/ug/automode/auto-learn-iam.adoc @@ -1,7 +1,7 @@ [.topic] [[auto-learn-iam,auto-learn-iam.title]] = Learn about identity and access in EKS Auto Mode -:info_titleabbrev: Identity & access +:info_titleabbrev: Identity and access include::../attributes.txt[] diff --git a/latest/ug/automode/auto-migrate-mng.adoc b/latest/ug/automode/auto-migrate-mng.adoc index 689bbfebc..d0d2cab9b 100644 --- a/latest/ug/automode/auto-migrate-mng.adoc +++ b/latest/ug/automode/auto-migrate-mng.adoc @@ -1,11 +1,11 @@ [.topic] [[auto-migrate-mng,auto-migrate-mng.title]] = Migrate from EKS Managed Node Groups to EKS Auto Mode -:info_titleabbrev: Migrate from Managed Node Groups +:info_titleabbrev: Migrate from MNGs include::../attributes.txt[] -When transitioning your Amazon EKS cluster to use EKS auto mode, you can smoothly migrate your existing workloads from managed node groups using the eksctl CLI tool. This process ensures continuous application availability while EKS auto mode optimizes your compute resources. The migration can be performed with minimal disruption to your running applications. +When transitioning your Amazon EKS cluster to use EKS auto mode, you can smoothly migrate your existing workloads from managed node groups (MNGs) using the eksctl CLI tool. This process ensures continuous application availability while EKS auto mode optimizes your compute resources. The migration can be performed with minimal disruption to your running applications. This topic walks you through the steps to safely drain pods from your existing managed node groups and allow EKS auto mode to reschedule them on newly provisioned instances. By following this procedure, you can take advantage of EKS auto mode's intelligent workload consolidation while maintaining your application's availability throughout the migration. diff --git a/latest/ug/automode/auto-upgrade.adoc b/latest/ug/automode/auto-upgrade.adoc index 6a1006dbe..f46e6f007 100644 --- a/latest/ug/automode/auto-upgrade.adoc +++ b/latest/ug/automode/auto-upgrade.adoc @@ -1,7 +1,7 @@ [.topic] [[auto-upgrade,auto-upgrade.title]] = Update the Kubernetes Version of an EKS Auto Mode cluster -:info_titleabbrev: Update Kubernetes Version +:info_titleabbrev: Update Kubernetes version include::../attributes.txt[] diff --git a/latest/ug/clusters/autoscaling.adoc b/latest/ug/clusters/autoscaling.adoc index 75eb6fa7b..a650b459a 100644 --- a/latest/ug/clusters/autoscaling.adoc +++ b/latest/ug/clusters/autoscaling.adoc @@ -1,4 +1,3 @@ - [.topic] [[autoscaling,autoscaling.title]] = Scale cluster compute with [.noloc]`Karpenter` and [.noloc]`Cluster Autoscaler` diff --git a/latest/ug/clusters/create-cluster-auto.adoc b/latest/ug/clusters/create-cluster-auto.adoc index 26bedd4c8..b1da7aa1f 100644 --- a/latest/ug/clusters/create-cluster-auto.adoc +++ b/latest/ug/clusters/create-cluster-auto.adoc @@ -6,7 +6,6 @@ include::../attributes.txt[] - [abstract] -- Learn how to create an Amazon EKS Auto Mode cluster to run Kubernetes applications, including prerequisites, networking options, and add-on configurations. diff --git a/latest/ug/clusters/delete-cluster.adoc b/latest/ug/clusters/delete-cluster.adoc index 47e1dafd0..706cf38f8 100644 --- a/latest/ug/clusters/delete-cluster.adoc +++ b/latest/ug/clusters/delete-cluster.adoc @@ -1,4 +1,3 @@ - [.topic] [[delete-cluster,delete-cluster.title]] = Delete a cluster diff --git a/latest/ug/clusters/disable-windows-support.adoc b/latest/ug/clusters/disable-windows-support.adoc index 35269ed46..a1852e14e 100644 --- a/latest/ug/clusters/disable-windows-support.adoc +++ b/latest/ug/clusters/disable-windows-support.adoc @@ -1,4 +1,3 @@ - [.topic] [[disable-windows-support,disable-windows-support.title]] = Disable [.noloc]`Windows` support diff --git a/latest/ug/clusters/management/cost-monitoring-aws.adoc b/latest/ug/clusters/management/cost-monitoring-aws.adoc index 656586ac3..ca791c21d 100644 --- a/latest/ug/clusters/management/cost-monitoring-aws.adoc +++ b/latest/ug/clusters/management/cost-monitoring-aws.adoc @@ -2,9 +2,10 @@ include::../../attributes.txt[] [.topic] [[cost-monitoring-aws,cost-monitoring-aws.title]] -= View costs by pod in {aws} billing with split cost allocation += View costs by Pod in {aws} billing with split cost allocation +:info_titleabbrev: View costs by Pod -.Cost monitoring using {aws} split cost allocation data for Amazon EKS +== Cost monitoring using {aws} split cost allocation data for Amazon EKS You can use {aws} split cost allocation data for Amazon EKS to get granular cost visibility for your Amazon EKS clusters. This enables you to analyze, optimize, and chargeback cost and usage for your [.noloc]`Kubernetes` applications. You allocate application costs to individual business units and teams based on Amazon EC2 CPU and memory resources consumed by your [.noloc]`Kubernetes` application. Split cost allocation data for Amazon EKS gives visibility into cost per Pod, and enables you to aggregate the cost data per Pod using namespace, cluster, and other [.noloc]`Kubernetes` primitives. The following are examples of [.noloc]`Kubernetes` primitives that you can use to analyze Amazon EKS cost allocation data. * Cluster name diff --git a/latest/ug/clusters/management/cost-monitoring-kubecost.adoc b/latest/ug/clusters/management/cost-monitoring-kubecost.adoc index 330f1b2bb..63062536d 100644 --- a/latest/ug/clusters/management/cost-monitoring-kubecost.adoc +++ b/latest/ug/clusters/management/cost-monitoring-kubecost.adoc @@ -1,6 +1,7 @@ [.topic] [[cost-monitoring-kubecost,cost-monitoring-kubecost.title]] = Install Kubecost and access dashboard +:info_titleabbrev: Install Kubecost include::../../attributes.txt[] diff --git a/latest/ug/clusters/management/eks-using-tags.adoc b/latest/ug/clusters/management/eks-using-tags.adoc index 0353002f9..2e573c2dc 100644 --- a/latest/ug/clusters/management/eks-using-tags.adoc +++ b/latest/ug/clusters/management/eks-using-tags.adoc @@ -1,4 +1,3 @@ - [.topic] [[eks-using-tags,eks-using-tags.title]] = Organize Amazon EKS resources with tags diff --git a/latest/ug/clusters/management/helm.adoc b/latest/ug/clusters/management/helm.adoc index 362a54078..4a546ea93 100644 --- a/latest/ug/clusters/management/helm.adoc +++ b/latest/ug/clusters/management/helm.adoc @@ -1,4 +1,3 @@ - [.topic] [[helm,helm.title]] = Deploy applications with [.noloc]`Helm` on Amazon EKS diff --git a/latest/ug/clusters/management/metrics-server.adoc b/latest/ug/clusters/management/metrics-server.adoc index ccec9d2e3..677221587 100644 --- a/latest/ug/clusters/management/metrics-server.adoc +++ b/latest/ug/clusters/management/metrics-server.adoc @@ -1,4 +1,3 @@ - [.topic] [[metrics-server,metrics-server.title]] = View resource usage with the [.noloc]`Kubernetes` [.noloc]`Metrics Server` diff --git a/latest/ug/clusters/management/service-quotas.adoc b/latest/ug/clusters/management/service-quotas.adoc index 044721f9d..863630e93 100644 --- a/latest/ug/clusters/management/service-quotas.adoc +++ b/latest/ug/clusters/management/service-quotas.adoc @@ -1,4 +1,3 @@ - [.topic] [[service-quotas,service-quotas.title]] = View and manage Amazon EKS and [.noloc]`Fargate` service quotas diff --git a/latest/ug/clusters/private-clusters.adoc b/latest/ug/clusters/private-clusters.adoc index 80aa25dd4..2213c6cdd 100644 --- a/latest/ug/clusters/private-clusters.adoc +++ b/latest/ug/clusters/private-clusters.adoc @@ -1,4 +1,3 @@ - [.topic] [[private-clusters,private-clusters.title]] = Deploy private clusters with limited internet access diff --git a/latest/ug/clusters/windows-support.adoc b/latest/ug/clusters/windows-support.adoc index d3dc1694d..6018fe55e 100644 --- a/latest/ug/clusters/windows-support.adoc +++ b/latest/ug/clusters/windows-support.adoc @@ -1,4 +1,3 @@ - [.topic] [[windows-support,windows-support.title]] = Deploy [.noloc]`Windows` nodes on EKS clusters diff --git a/latest/ug/connector/connecting-cluster.adoc b/latest/ug/connector/connecting-cluster.adoc index d428575b4..5b0f72bb9 100644 --- a/latest/ug/connector/connecting-cluster.adoc +++ b/latest/ug/connector/connecting-cluster.adoc @@ -1,4 +1,3 @@ - [.topic] [[connecting-cluster,connecting-cluster.title]] = Connect an external [.noloc]`Kubernetes` cluster to the Amazon EKS Management Console diff --git a/latest/ug/connector/connector-grant-access.adoc b/latest/ug/connector/connector-grant-access.adoc index f08f7ea32..626c8af55 100644 --- a/latest/ug/connector/connector-grant-access.adoc +++ b/latest/ug/connector/connector-grant-access.adoc @@ -1,8 +1,7 @@ - [.topic] [[connector-grant-access,connector-grant-access.title]] = Grant access to view [.noloc]`Kubernetes` cluster resources on an Amazon EKS console -:info_titleabbrev: Grant access to Kubernetes clusters from {aws} console +:info_titleabbrev: Grant access to clusters include::../attributes.txt[] diff --git a/latest/ug/connector/deregister-connected-cluster.adoc b/latest/ug/connector/deregister-connected-cluster.adoc index 1ac8b160d..f3d8ba68f 100644 --- a/latest/ug/connector/deregister-connected-cluster.adoc +++ b/latest/ug/connector/deregister-connected-cluster.adoc @@ -1,4 +1,3 @@ - [.topic] [[deregister-connected-cluster,deregister-connected-cluster.title]] = Deregister a Kubernetes cluster from the Amazon EKS console diff --git a/latest/ug/connector/security-connector.adoc b/latest/ug/connector/security-connector.adoc index 043efe1fc..8329a7264 100644 --- a/latest/ug/connector/security-connector.adoc +++ b/latest/ug/connector/security-connector.adoc @@ -1,4 +1,3 @@ - [.topic] [[security-connector,security-connector.title]] = Understand security in Amazon EKS Connector diff --git a/latest/ug/connector/troubleshooting-connector.adoc b/latest/ug/connector/troubleshooting-connector.adoc index 6b1029116..dcfe7f921 100644 --- a/latest/ug/connector/troubleshooting-connector.adoc +++ b/latest/ug/connector/troubleshooting-connector.adoc @@ -1,7 +1,7 @@ [.topic] [[troubleshooting-connector,troubleshooting-connector.title]] = Troubleshoot Amazon EKS Connector issues -:info_titleabbrev: Troubleshoot Amazon EKS Connector +:info_titleabbrev: Troubleshoot EKS Connector include::../attributes.txt[] diff --git a/latest/ug/getting-started/getting-started-automode.adoc b/latest/ug/getting-started/getting-started-automode.adoc index cf8482c76..5b2709cbb 100644 --- a/latest/ug/getting-started/getting-started-automode.adoc +++ b/latest/ug/getting-started/getting-started-automode.adoc @@ -1,8 +1,7 @@ - [.topic] [[getting-started-automode,getting-started-automode.title]] = Get started with Amazon EKS – EKS Auto Mode -:info_titleabbrev: Create your first cluster – EKS Auto Mode +:info_titleabbrev: Create cluster (EKS Auto Mode) :keywords: using, Auto, getting, started, tutorial include::../attributes.txt[] diff --git a/latest/ug/getting-started/getting-started-console.adoc b/latest/ug/getting-started/getting-started-console.adoc index 6c10a4834..a0810064e 100644 --- a/latest/ug/getting-started/getting-started-console.adoc +++ b/latest/ug/getting-started/getting-started-console.adoc @@ -1,10 +1,9 @@ include::../attributes.txt[] - [.topic] [[getting-started-console,getting-started-console.title]] = Get started with Amazon EKS – {aws-management-console} and {aws} CLI -:info_titleabbrev: Create your first cluster – {aws-management-console} +:info_titleabbrev: Create cluster (Console and CLI) :keywords: using, {aws-management-console}, {aws} CLI, getting, started, tutorial [abstract] diff --git a/latest/ug/getting-started/getting-started-eksctl.adoc b/latest/ug/getting-started/getting-started-eksctl.adoc index 2e92b47f6..5da9ce6e5 100644 --- a/latest/ug/getting-started/getting-started-eksctl.adoc +++ b/latest/ug/getting-started/getting-started-eksctl.adoc @@ -1,8 +1,7 @@ - [.topic] [[getting-started-eksctl,getting-started-eksctl.title]] = Get started with Amazon EKS – `eksctl` -:info_titleabbrev: Create your first cluster – eksctl +:info_titleabbrev: Create cluster (eksctl) :keywords: using, eksctl, getting, started, tutorial include::../attributes.txt[] diff --git a/latest/ug/getting-started/learn-eks.adoc b/latest/ug/getting-started/learn-eks.adoc index 28a44df42..66e58c097 100644 --- a/latest/ug/getting-started/learn-eks.adoc +++ b/latest/ug/getting-started/learn-eks.adoc @@ -1,4 +1,3 @@ - [.topic] [[learn-eks,learn-eks.title]] = Learn Amazon EKS by example diff --git a/latest/ug/integrations/creating-resources-with-cloudformation.adoc b/latest/ug/integrations/creating-resources-with-cloudformation.adoc index d501eab8b..8e5935bc1 100644 --- a/latest/ug/integrations/creating-resources-with-cloudformation.adoc +++ b/latest/ug/integrations/creating-resources-with-cloudformation.adoc @@ -1,8 +1,8 @@ include::../attributes.txt[] - [.topic] [[creating-resources-with-cloudformation,creating-resources-with-cloudformation.title]] = Create Amazon EKS resources with {aws} CloudFormation +:info_titleabbrev: {aws} CloudFormation [abstract] -- diff --git a/latest/ug/integrations/eks-integrations.adoc b/latest/ug/integrations/eks-integrations.adoc index 9755ee626..b27eabfff 100644 --- a/latest/ug/integrations/eks-integrations.adoc +++ b/latest/ug/integrations/eks-integrations.adoc @@ -18,20 +18,14 @@ In addition to the services covered in other sections, Amazon EKS works with mor include::creating-resources-with-cloudformation.adoc[leveloffset=+1] - include::integration-detective.adoc[leveloffset=+1] - include::integration-guardduty.adoc[leveloffset=+1] - include::integration-resilience-hub.adoc[leveloffset=+1] - include::integration-securitylake.adoc[leveloffset=+1] - include::integration-vpc-lattice.adoc[leveloffset=+1] - include::local-zones.adoc[leveloffset=+1] diff --git a/latest/ug/integrations/integration-detective.adoc b/latest/ug/integrations/integration-detective.adoc index af0df007c..08cb2b86d 100644 --- a/latest/ug/integrations/integration-detective.adoc +++ b/latest/ug/integrations/integration-detective.adoc @@ -1,7 +1,7 @@ - [.topic] [[integration-detective,integration-detective.title]] = Analyze security events on EKS with Amazon Detective +:info_titleabbrev: Amazon Detective :keywords: Amazon Detective include::../attributes.txt[] diff --git a/latest/ug/integrations/integration-guardduty.adoc b/latest/ug/integrations/integration-guardduty.adoc index cbc22cc6e..285f3230a 100644 --- a/latest/ug/integrations/integration-guardduty.adoc +++ b/latest/ug/integrations/integration-guardduty.adoc @@ -1,7 +1,7 @@ - [.topic] [[integration-guardduty,integration-guardduty.title]] = Detect threats with Amazon GuardDuty +:info_titleabbrev: Amazon GuardDuty include::../attributes.txt[] diff --git a/latest/ug/integrations/integration-resilience-hub.adoc b/latest/ug/integrations/integration-resilience-hub.adoc index 97f50174a..0a72cceea 100644 --- a/latest/ug/integrations/integration-resilience-hub.adoc +++ b/latest/ug/integrations/integration-resilience-hub.adoc @@ -3,5 +3,6 @@ include::../attributes.txt[] [.topic] [[integration-resilience-hub,integration-resilience-hub.title]] = Assess EKS cluster resiliency with {aws} Resilience Hub +:info_titleabbrev: {aws} Resilience Hub {aws} Resilience Hub assesses the resiliency of an Amazon EKS cluster by analyzing its infrastructure. {aws} Resilience Hub uses the [.noloc]`Kubernetes` role-based access control (RBAC) configuration to assess the [.noloc]`Kubernetes` workloads deployed to your cluster. For more information, see link:resilience-hub/latest/userguide/enabling-eks-in-arh.html[Enabling {aws} Resilience Hub access to your Amazon EKS cluster,type="documentation"] in the {aws} Resilience Hub User Guide. diff --git a/latest/ug/integrations/integration-securitylake.adoc b/latest/ug/integrations/integration-securitylake.adoc index 079d99c80..6a9e565dc 100644 --- a/latest/ug/integrations/integration-securitylake.adoc +++ b/latest/ug/integrations/integration-securitylake.adoc @@ -1,7 +1,8 @@ - [.topic] [[integration-securitylake,integration-securitylake.title]] = Centralize and analyze EKS security data with Security Lake +:info_titleabbrev: Amazon Security Lake + :keywords: Amazon EKS, Amazon Security Lake, Kubernetes security, centralized security data, threat detection include::../attributes.txt[] diff --git a/latest/ug/integrations/integration-vpc-lattice.adoc b/latest/ug/integrations/integration-vpc-lattice.adoc index cedeef391..f8afb6d82 100644 --- a/latest/ug/integrations/integration-vpc-lattice.adoc +++ b/latest/ug/integrations/integration-vpc-lattice.adoc @@ -1,7 +1,7 @@ - [.topic] [[integration-vpc-lattice,integration-vpc-lattice.title]] = Enable secure cross-cluster connectivity with Amazon VPC Lattice +:info_titleabbrev: Amazon VPC Lattice include::../attributes.txt[] diff --git a/latest/ug/integrations/local-zones.adoc b/latest/ug/integrations/local-zones.adoc index ac11a2418..3162b46d6 100644 --- a/latest/ug/integrations/local-zones.adoc +++ b/latest/ug/integrations/local-zones.adoc @@ -3,6 +3,7 @@ include::../attributes.txt[] [.topic] [[local-zones,local-zones.title]] = Launch low-latency EKS clusters with {aws} Local Zones +:info_titleabbrev: {aws} Local Zones An link:about-aws/global-infrastructure/localzones/[{aws} Local Zone,type="marketing"] is an extension of an {aws} Region in geographic proximity to your users. Local Zones have their own connections to the internet and support link:directconnect/[{aws} Direct Connect,type="marketing"]. Resources created in a Local Zone can serve local users with low-latency communications. For more information, see the link:local-zones/latest/ug/what-is-aws-local-zones.html[{aws} Local Zones User Guide,type="documentation"] and link:AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-local-zones[Local Zones,type="documentation"] in the _Amazon EC2 User Guide_. diff --git a/latest/ug/manage-access/aws-access/associate-service-account-role.adoc b/latest/ug/manage-access/aws-access/associate-service-account-role.adoc new file mode 100644 index 000000000..844c693a7 --- /dev/null +++ b/latest/ug/manage-access/aws-access/associate-service-account-role.adoc @@ -0,0 +1,279 @@ +[.topic] +[[associate-service-account-role,associate-service-account-role.title]] += Assign [.noloc]`IAM` roles to [.noloc]`Kubernetes` service accounts +:info_titleabbrev: Assign IAM role + +include::../../attributes.txt[] + +[abstract] +-- +Discover how to configure a Kubernetes service account to assume an IAM role, enabling Pods to securely access {aws} services with granular permissions. +-- + +This topic covers how to configure a [.noloc]`Kubernetes` service account to assume an {aws} Identity and Access Management (IAM) role. Any [.noloc]`Pods` that are configured to use the service account can then access any {aws} service that the role has permissions to access. + +== Prerequisites + +* An existing cluster. If you don't have one, you can create one by following one of the guides in <>. +* An existing IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To learn if you already have one or how to create one, see <>. +* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. +* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. +* An existing `kubectl` `config` file that contains your cluster configuration. To create a `kubectl` `config` file, see <>. + + +[[irsa-associate-role-procedure,irsa-associate-role-procedure.title]] +== Step 1: Create IAM Policy + +If you want to associate an existing IAM policy to your IAM role, skip to the next step. + + +. Create an IAM policy. You can create your own policy, or copy an {aws} managed policy that already grants some of the permissions that you need and customize it to your specific requirements. For more information, see link:IAM/latest/UserGuide/access_policies_create.html[Creating IAM policies,type="documentation"] in the _IAM User Guide_. ++ +. Create a file that includes the permissions for the {aws} services that you want your [.noloc]`Pods` to access. For a list of all actions for all {aws} services, see the link:service-authorization/latest/reference/[Service Authorization Reference,type="documentation"]. ++ +You can run the following command to create an example policy file that allows read-only access to an Amazon S3 bucket. You can optionally store configuration information or a bootstrap script in this bucket, and the containers in your [.noloc]`Pod` can read the file from the bucket and load it into your application. If you want to create this example policy, copy the following contents to your device. Replace [.replaceable]`my-pod-secrets-bucket` with your bucket name and run the command. ++ +[source,json,subs="verbatim,attributes"] +---- +cat >my-policy.json <my-service-account.yaml <> for more information. ++ +[source,json,subs="verbatim,attributes"] +---- +cat >trust-relationship.json <>. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl annotate serviceaccount -n $namespace $service_account eks.amazonaws.com/role-arn={arn-aws}iam::$account_id:role/my-role +---- +. (Optional) <>. {aws} recommends using a regional {aws} STS endpoint instead of the global endpoint. This reduces latency, provides built-in redundancy, and increases session token validity. + + +[[irsa-confirm-role-configuration,irsa-confirm-role-configuration.title]] +== Step 3: Confirm configuration +. Confirm that the IAM role's trust policy is configured correctly. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws iam get-role --role-name my-role --query Role.AssumeRolePolicyDocument +---- ++ +An example output is as follows. ++ +[source,json,subs="verbatim,attributes"] +---- +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Federated": "{arn-aws}iam::111122223333:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE" + }, + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringEquals": { + "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:default:my-service-account", + "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:aud": "sts.amazonaws.com" + } + } + } + ] +} +---- +. Confirm that the policy that you attached to your role in a previous step is attached to the role. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws iam list-attached-role-policies --role-name my-role --query AttachedPolicies[].PolicyArn --output text +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +{arn-aws}iam::111122223333:policy/my-policy +---- +. Set a variable to store the Amazon Resource Name (ARN) of the policy that you want to use. Replace [.replaceable]`my-policy` with the name of the policy that you want to confirm permissions for. ++ +[source,bash,subs="verbatim,attributes"] +---- +export policy_arn={arn-aws}iam::111122223333:policy/my-policy +---- +. View the default version of the policy. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws iam get-policy --policy-arn $policy_arn +---- ++ +An example output is as follows. ++ +[source,json,subs="verbatim,attributes"] +---- +{ + "Policy": { + "PolicyName": "my-policy", + "PolicyId": "EXAMPLEBIOWGLDEXAMPLE", + "Arn": "{arn-aws}iam::111122223333:policy/my-policy", + "Path": "/", + "DefaultVersionId": "v1", + [...] + } +} +---- +. View the policy contents to make sure that the policy includes all the permissions that your [.noloc]`Pod` needs. If necessary, replace [.replaceable]`1` in the following command with the version that's returned in the previous output. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws iam get-policy-version --policy-arn $policy_arn --version-id v1 +---- ++ +An example output is as follows. ++ +[source,json,subs="verbatim,attributes"] +---- +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "s3:GetObject", + "Resource": "{arn-aws}s3:::my-pod-secrets-bucket" + } + ] +} +---- ++ +If you created the example policy in a previous step, then your output is the same. If you created a different policy, then the [.replaceable]`example` content is different. +. Confirm that the [.noloc]`Kubernetes` service account is annotated with the role. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl describe serviceaccount my-service-account -n default +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +Name: my-service-account +Namespace: default +Annotations: eks.amazonaws.com/role-arn: {arn-aws}iam::111122223333:role/my-role +Image pull secrets: +Mountable secrets: my-service-account-token-qqjfl +Tokens: my-service-account-token-qqjfl +[...] +---- + + +== Next steps + +* <> \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc b/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc new file mode 100644 index 000000000..4fdc874a2 --- /dev/null +++ b/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc @@ -0,0 +1,152 @@ +include::../../attributes.txt[] +[.topic] +[[configure-sts-endpoint,configure-sts-endpoint.title]] += Configure the {aws} Security Token Service endpoint for a service account +:info_titleabbrev: STS endpoints + +If you're using a [.noloc]`Kubernetes` service account with <>, then you can configure the type of {aws} Security Token Service endpoint that's used by the service account if your cluster and platform version are the same or later than those listed in the following table. If your [.noloc]`Kubernetes` or platform version are earlier than those listed in the table, then your service accounts can only use the global endpoint. + +[cols="1,1,1", options="header"] +|=== +|Kubernetes version +|Platform version +|Default endpoint type + + +|`1.31` +|`eks.4` +|Regional + +|`1.30` +|`eks.2` +|Regional + +|`1.29` +|`eks.1` +|Regional + +|`1.28` +|`eks.1` +|Regional + +|`1.27` +|`eks.1` +|Regional + +|`1.26` +|`eks.1` +|Regional + +|`1.25` +|`eks.1` +|Regional + +|`1.24` +|`eks.2` +|Regional + +|`1.23` +|`eks.1` +|Regional +|=== + +{aws} recommends using the regional {aws} STS endpoints instead of the global endpoint. This reduces latency, provides built-in redundancy, and increases session token validity. The {aws} Security Token Service must be active in the {aws} Region where the [.noloc]`Pod` is running. Moreover, your application must have built-in redundancy for a different {aws} Region in the event of a failure of the service in the {aws} Region. For more information, see link:IAM/latest/UserGuide/id_credentials_temp_enable-regions.html[Managing {aws} STS in an {aws} Region,type="documentation"] in the IAM User Guide. + + + +* An existing cluster. If you don't have one, you can create one using one of the guides in <>. +* An existing IAM OIDC provider for your cluster. For more information, see <>. +* An existing [.noloc]`Kubernetes` service account configured for use with the <> feature. + +The following examples all use the aws-node [.noloc]`Kubernetes` service account used by the <>. You can replace the [.replaceable]`example values` with your own service accounts, [.noloc]`Pods`, namespaces, and other resources. + +. Select a [.noloc]`Pod` that uses a service account that you want to change the endpoint for. Determine which {aws} Region that the [.noloc]`Pod` runs in. Replace [.replaceable]`aws-node-6mfgv` with your [.noloc]`Pod` name and [.replaceable]`kube-system` with your [.noloc]`Pod's` namespace. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl describe pod aws-node-6mfgv -n kube-system |grep Node: +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +ip-192-168-79-166.us-west-2/192.168.79.166 +---- ++ +In the previous output, the [.noloc]`Pod` is running on a node in the us-west-2 {aws} Region. +. Determine the endpoint type that the [.noloc]`Pod's` service account is using. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl describe pod aws-node-6mfgv -n kube-system |grep AWS_STS_REGIONAL_ENDPOINTS +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +AWS_STS_REGIONAL_ENDPOINTS: regional +---- ++ +If the current endpoint is global, then `global` is returned in the output. If no output is returned, then the default endpoint type is in use and has not been overridden. +. If your cluster or platform version are the same or later than those listed in the table, then you can change the endpoint type used by your service account from the default type to a different type with one of the following commands. Replace [.replaceable]`aws-node` with the name of your service account and [.replaceable]`kube-system` with the namespace for your service account. ++ +** If your default or current endpoint type is global and you want to change it to regional: ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl annotate serviceaccount -n kube-system aws-node eks.amazonaws.com/sts-regional-endpoints=true +---- +// Not using [.noloc]`Pods'` because the ' character seems to mess up the processing. ++ +If you're using <> to generate pre-signed S3 URLs in your application running in Pods' containers, the format of the URL for regional endpoints is similar to the following example: ++ +[source,none,subs="verbatim,attributes"] +---- +https://bucket.s3.us-west-2.amazonaws.com/path?...&X-Amz-Credential=your-access-key-id/date/us-west-2/s3/aws4_request&... +---- +** If your default or current endpoint type is regional and you want to change it to global: ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl annotate serviceaccount -n kube-system aws-node eks.amazonaws.com/sts-regional-endpoints=false +---- ++ +If your application is explicitly making requests to {aws} STS global endpoints and you don't override the default behavior of using regional endpoints in Amazon EKS clusters, then requests will fail with an error. For more information, see <>. +// Not using [.noloc]`Pods'` because the ' character seems to mess up the processing. ++ +If you're using <> to generate pre-signed S3 URLs in your application running in Pods' containers, the format of the URL for global endpoints is similar to the following example: ++ +[source,none,subs="verbatim,attributes"] +---- +https://bucket.s3.amazonaws.com/path?...&X-Amz-Credential=your-access-key-id/date/us-west-2/s3/aws4_request&... +---- + ++ +If you have automation that expects the pre-signed URL in a certain format or if your application or downstream dependencies that use pre-signed URLs have expectations for the {aws} Region targeted, then make the necessary changes to use the appropriate {aws} STS endpoint. +. Delete and re-create any existing [.noloc]`Pods` that are associated with the service account to apply the credential environment variables. The mutating web hook doesn't apply them to [.noloc]`Pods` that are already running. You can replace [.replaceable]`Pods`, [.replaceable]`kube-system`, and [.replaceable]`-l k8s-app=aws-node` with the information for the [.noloc]`Pods` that you set your annotation for. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl delete Pods -n kube-system -l k8s-app=aws-node +---- +. Confirm that the all [.noloc]`Pods` restarted. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl get Pods -n kube-system -l k8s-app=aws-node +---- +. View the environment variables for one of the [.noloc]`Pods`. Verify that the `AWS_STS_REGIONAL_ENDPOINTS` value is what you set it to in a previous step. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl describe pod aws-node-kzbtr -n kube-system |grep AWS_STS_REGIONAL_ENDPOINTS +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +AWS_STS_REGIONAL_ENDPOINTS=regional +---- diff --git a/latest/ug/manage-access/aws-access/cross-account-access.adoc b/latest/ug/manage-access/aws-access/cross-account-access.adoc new file mode 100644 index 000000000..93c730e2d --- /dev/null +++ b/latest/ug/manage-access/aws-access/cross-account-access.adoc @@ -0,0 +1,110 @@ +[.topic] +[[cross-account-access,cross-account-access.title]] += Authenticate to another account with IRSA +:info_titleabbrev: Cross-account IAM + +include::../../attributes.txt[] + +[abstract] +-- +Learn how to configure cross-account IAM permissions for Amazon EKS clusters by creating an identity provider from another account's cluster or using chained AssumeRole operations, enabling secure access to {aws} resources across multiple accounts. +-- + +You can configure cross-account IAM permissions either by creating an identity provider from another account's cluster or by using chained `AssumeRole` operations. In the following examples, _Account A_ owns an Amazon EKS cluster that supports IAM roles for service accounts. [.noloc]`Pods` that are running on that cluster must assume IAM permissions from _Account B_. + +.Create an identity provider from another account's cluster +==== + +==== + +==== + +In this example, Account A provides Account B with the OpenID Connect (OIDC) issuer URL from their cluster. Account B follows the instructions in <> and <> using the OIDC issuer URL from Account A's cluster. Then, a cluster administrator annotates the service account in Account A's cluster to use the role from Account B ([.replaceable]`444455556666`). + +[source,yaml,subs="verbatim,attributes"] +---- +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + eks.amazonaws.com/role-arn: {arn-aws}iam::444455556666:role/account-b-role +---- + +==== + +.Use chained `AssumeRole` operations +==== + +==== + +==== + +In this example, Account B creates an IAM policy with the permissions to give to [.noloc]`Pods` in Account A's cluster. Account B ([.replaceable]`444455556666`) attaches that policy to an IAM role with a trust relationship that allows `AssumeRole` permissions to Account A ([.replaceable]`111122223333`). + +[source,json,subs="verbatim,attributes"] +---- +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "{aws}": "{arn-aws}iam::111122223333:root" + }, + "Action": "sts:AssumeRole", + "Condition": {} + } + ] +} +---- + +Account A creates a role with a trust policy that gets credentials from the identity provider created with the cluster's OIDC issuer address. + +[source,json,subs="verbatim,attributes"] +---- +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Federated": "{arn-aws}iam::111122223333:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE" + }, + "Action": "sts:AssumeRoleWithWebIdentity" + } + ] +} +---- + +Account A attaches a policy to that role with the following permissions to assume the role that Account B created. + +[source,json,subs="verbatim,attributes"] +---- +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Resource": "{arn-aws}iam::444455556666:role/account-b-role" + } + ] +} +---- + +The application code for [.noloc]`Pods` to assume Account B's role uses two profiles: `account_b_role` and `account_a_role`. The `account_b_role` profile uses the `account_a_role` profile as its source. For the {aws} CLI, the `~/.aws/config` file is similar to the following. + +[source,none,subs="verbatim,attributes"] +---- +[profile account_b_role] +source_profile = account_a_role +role_arn={arn-aws}iam::444455556666:role/account-b-role + +[profile account_a_role] +web_identity_token_file = /var/run/secrets/eks.amazonaws.com/serviceaccount/token +role_arn={arn-aws}iam::111122223333:role/account-a-role +---- + +To specify chained profiles for other {aws} SDKs, consult the documentation for the SDK that you're using. For more information, see link:developer/tools/[Tools to Build on {aws},type="marketing"]. + +==== \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc b/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc new file mode 100644 index 000000000..5bc9a4b03 --- /dev/null +++ b/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc @@ -0,0 +1,85 @@ +[.topic] +[[enable-iam-roles-for-service-accounts,enable-iam-roles-for-service-accounts.title]] += Create an IAM [.noloc]`OIDC` provider for your cluster +:info_titleabbrev: IAM OIDC provider + +include::../../attributes.txt[] + +[abstract] +-- +Learn how to create an {aws} Identity and Access Management [.noloc]`OpenID Connect` provider for your cluster. +-- + +Your cluster has an https://openid.net/connect/[OpenID Connect] ([.noloc]`OIDC`) issuer URL associated with it. To use {aws} Identity and Access Management (IAM) roles for service accounts, an IAM [.noloc]`OIDC` provider must exist for your cluster's [.noloc]`OIDC` issuer URL. + + + +* An existing Amazon EKS cluster. To deploy one, see <>. +* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. +* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. +* An existing `kubectl` `config` file that contains your cluster configuration. To create a `kubectl` `config` file, see <>. + +You can create an IAM [.noloc]`OIDC` provider for your cluster using `eksctl` or the {aws-management-console}. + +== Create OIDC provider (eksctl) + +. Version `{eksctl-min-version}` or later of the `eksctl` command line tool installed on your device or {aws} CloudShell. To install or update `eksctl`, see https://eksctl.io/installation[Installation] in the `eksctl` documentation. ++ +. Determine the [.noloc]`OIDC` issuer ID for your cluster. ++ +Retrieve your cluster's [.noloc]`OIDC` issuer ID and store it in a variable. Replace [.replaceable]`my-cluster` with your own value. ++ +[source,bash,subs="verbatim,attributes"] +---- +cluster_name=my-cluster +---- +[source,bash,subs="verbatim,attributes"] +---- +oidc_id=$(aws eks describe-cluster --name $cluster_name --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5) +---- +[source,bash,subs="verbatim,attributes"] +---- +echo $oidc_id +---- +. Determine whether an IAM [.noloc]`OIDC` provider with your cluster's issuer ID is already in your account. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4 +---- ++ +If output is returned, then you already have an IAM [.noloc]`OIDC` provider for your cluster and you can skip the next step. If no output is returned, then you must create an IAM [.noloc]`OIDC` provider for your cluster. +. Create an IAM [.noloc]`OIDC` identity provider for your cluster with the following command. ++ +[source,bash,subs="verbatim,attributes"] +---- +eksctl utils associate-iam-oidc-provider --cluster $cluster_name --approve +---- ++ +NOTE: If you enabled the EKS VPC endpoint, the EKS OIDC service endpoint couldn't be accessed from inside that VPC. Consequently, your operations such as creating an OIDC provider with `eksctl` in the VPC will not work and will result in a timeout when attempting to request `https://oidc.eks.[.replaceable]``region``.amazonaws.com`. An example error message follows: + +[source,bash,subs="verbatim,attributes"] +---- +** server cant find oidc.eks.region.amazonaws.com: NXDOMAIN +---- + +To complete this step, you can run the command outside the VPC, for example in {aws} CloudShell or on a computer connected to the internet. Alternatively, you can create a split-horizon conditional resolver in the VPC, such as Route 53 Resolver to use a different resolver for the OIDC Issuer URL and not use the VPC DNS for it. For an example of conditional forwarding in [.noloc]`CoreDNS`, see the https://github.com/aws/containers-roadmap/issues/2038[Amazon EKS feature request] on [.noloc]`GitHub`. + + +== Create OIDC provider ({aws} Console) + +. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. +. In the left pane, select *Clusters*, and then select the name of your cluster on the *Clusters* page. +. In the *Details* section on the *Overview* tab, note the value of the *OpenID Connect provider URL*. +. Open the IAM console at https://console.aws.amazon.com/iam/. +. In the left navigation pane, choose *Identity Providers* under *Access management*. If a *Provider* is listed that matches the URL for your cluster, then you already have a provider for your cluster. If a provider isn't listed that matches the URL for your cluster, then you must create one. +. To create a provider, choose *Add provider*. +. For *Provider type*, select *[.noloc]`OpenID Connect`*. +. For *Provider URL*, enter the [.noloc]`OIDC` provider URL for your cluster. +. For *Audience*, enter `sts.amazonaws.com`. +. (Optional) Add any tags, for example a tag to identify which cluster is for this provider. +. Choose *Add provider*. + + +Next step: +<> \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc new file mode 100644 index 000000000..16de6aa3a --- /dev/null +++ b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc @@ -0,0 +1,32 @@ +include::../../attributes.txt[] +[.topic] +[[iam-roles-for-service-accounts-minimum-sdk,iam-roles-for-service-accounts-minimum-sdk.title]] += Use IRSA with the {aws} SDK +:info_titleabbrev: Supported SDKs + +.Using the credentials +To use the credentials from IAM roles for service accounts (IRSA), your code can use any {aws} SDK to create a client for an {aws} service with an SDK, and by default the SDK searches in a chain of locations for {aws} Identity and Access Management credentials to use. The IAM roles for service accounts credentials will be used if you don't specify a credential provider when you create the client or otherwise initialized the SDK. + +This works because IAM roles for service accounts have been added as a step in the default credential chain. If your workloads currently use credentials that are earlier in the chain of credentials, those credentials will continue to be used even if you configure an IAM roles for service accounts for the same workload. + +The SDK automatically exchanges the service account [.noloc]`OIDC` token for temporary credentials from {aws} Security Token Service by using the `AssumeRoleWithWebIdentity` action. Amazon EKS and this SDK action continue to rotate the temporary credentials by renewing them before they expire. + +When using <>, the containers in your [.noloc]`Pods` must use an {aws} SDK version that supports assuming an IAM role through an [.noloc]`OpenID Connect` web identity token file. Make sure that you're using the following versions, or later, for your {aws} SDK: + + + +* Java (Version 2) – https://github.com/aws/aws-sdk-java-v2/releases/tag/2.10.11[2.10.11] +* Java – https://github.com/aws/aws-sdk-java/releases/tag/1.11.704[1.11.704] +* Go – https://github.com/aws/aws-sdk-go/releases/tag/v1.23.13[1.23.13] +* Python (Boto3) – https://github.com/boto/boto3/releases/tag/1.9.220[1.9.220] +* Python (botocore) – https://github.com/boto/botocore/releases/tag/1.12.200[1.12.200] +* {aws} CLI – https://github.com/aws/aws-cli/releases/tag/1.16.232[1.16.232] +* Node – https://github.com/aws/aws-sdk-js/releases/tag/v2.525.0[2.525.0] and https://github.com/aws/aws-sdk-js-v3/releases/tag/v3.27.0[3.27.0] +* Ruby – https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-core/CHANGELOG.md#3580-2019-07-01[3.58.0] +* {cpp} – https://github.com/aws/aws-sdk-cpp/releases/tag/1.7.174[1.7.174] +* .NET – https://github.com/aws/aws-sdk-net/releases/tag/3.3.659.1[3.3.659.1] – You must also include `AWSSDK.SecurityToken`. +* PHP – https://github.com/aws/aws-sdk-php/releases/tag/3.110.7[3.110.7] + +Many popular [.noloc]`Kubernetes` add-ons, such as the https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler[Cluster Autoscaler], the <>, and the <> support IAM roles for service accounts. + +To ensure that you're using a supported SDK, follow the installation instructions for your preferred SDK at link:tools/[Tools to Build on {aws},type="marketing"] when you build your containers. diff --git a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc new file mode 100644 index 000000000..0b2118710 --- /dev/null +++ b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc @@ -0,0 +1,70 @@ +[.topic] +[[iam-roles-for-service-accounts,iam-roles-for-service-accounts.title]] += IAM roles for service accounts +:info_titleabbrev: Credentials with IRSA + +include::../../attributes.txt[] + +[abstract] +-- +Learn how applications in your [.noloc]`Pods` can access {aws} services. +-- + +Applications in a [.noloc]`Pod's` containers can use an {aws} SDK or the {aws} CLI to make API requests to {aws} services using {aws} Identity and Access Management (IAM) permissions. Applications must sign their {aws} API requests with {aws} credentials. IAM roles for service accounts (IRSA) provide the ability to manage credentials for your applications, similar to the way that Amazon EC2 instance profiles provide credentials to Amazon EC2 instances. Instead of creating and distributing your {aws} credentials to the containers or using the Amazon EC2 instance's role, you associate an IAM role with a [.noloc]`Kubernetes` service account and configure your [.noloc]`Pods` to use the service account. You can't use IAM roles for service accounts with <>. + +IAM roles for service accounts provide the following benefits: + +* *Least privilege* + – You can scope IAM permissions to a service account, and only [.noloc]`Pods` that use that service account have access to those permissions. This feature also eliminates the need for third-party solutions such as `kiam` or `kube2iam`. +* *Credential isolation* + – A [.noloc]`Pod's` containers can only retrieve credentials for the IAM role that's associated with the service account that the container uses. A container never has access to credentials that are used by other containers in other [.noloc]`Pods`. When using IAM roles for service accounts, the [.noloc]`Pod's` containers also have the permissions assigned to the <>, unless you block [.noloc]`Pod` access to the link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html[Amazon EC2 Instance Metadata Service (IMDS),type="documentation"]. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. +* *Auditability* + – Access and event logging is available through {aws} CloudTrail to help ensure retrospective auditing. + +Enable IAM roles for service accounts by completing the following procedures: + +. <> – You only complete this procedure once for each cluster. ++ +[NOTE] +==== +If you enabled the EKS VPC endpoint, the EKS OIDC service endpoint couldn't be accessed from inside that VPC. Consequently, your operations such as creating an OIDC provider with `eksctl` in the VPC will not work and will result in a timeout when attempting to request `https://oidc.eks.[.replaceable]``region``.amazonaws.com`. An example error message follows: + +[source,bash,subs="verbatim,attributes"] +---- +server cant find oidc.eks.region.amazonaws.com: NXDOMAIN +---- + +To complete this step, you can run the command outside the VPC, for example in {aws} CloudShell or on a computer connected to the internet. Alternatively, you can create a split-horizon conditional resolver in the VPC, such as Route 53 Resolver to use a different resolver for the OIDC Issuer URL and not use the VPC DNS for it. For an example of conditional forwarding in [.noloc]`CoreDNS`, see the https://github.com/aws/containers-roadmap/issues/2038[Amazon EKS feature request] on [.noloc]`GitHub`. +==== + +. <> – Complete this procedure for each unique set of permissions that you want an application to have. + +. <> – Complete this procedure for each [.noloc]`Pod` that needs access to {aws} services. + +. <> – Confirm that the workload uses an {aws} SDK of a supported version and that the workload uses the default credential chain. + + +[[irsa-oidc-background,irsa-oidc-background.title]] +== IAM, [.noloc]`Kubernetes`, and [.noloc]`OpenID Connect` ([.noloc]`OIDC`) background information + +In 2014, {aws} Identity and Access Management added support for federated identities using [.noloc]`OpenID Connect` ([.noloc]`OIDC`). This feature allows you to authenticate {aws} API calls with supported identity providers and receive a valid [.noloc]`OIDC` [.noloc]`JSON` web token ([.noloc]`JWT`). You can pass this token to the {aws} STS `AssumeRoleWithWebIdentity` API operation and receive IAM temporary role credentials. You can use these credentials to interact with any {aws} service, including Amazon S3 and DynamoDB. + +Each JWT token is signed by a signing key pair. The keys are served on the OIDC provider managed by Amazon EKS and the private key rotates every 7 days. Amazon EKS keeps the public keys until they expire. If you connect external OIDC clients, be aware that you need to refresh the signing keys before the public key expires. Learn how to <>. + +[.noloc]`Kubernetes` has long used service accounts as its own internal identity system. [.noloc]`Pods` can authenticate with the [.noloc]`Kubernetes` API server using an auto-mounted token (which was a non-[.noloc]`OIDC` [.noloc]`JWT`) that only the [.noloc]`Kubernetes` API server could validate. These legacy service account tokens don't expire, and rotating the signing key is a difficult process. In [.noloc]`Kubernetes` version `1.12`, support was added for a new `ProjectedServiceAccountToken` feature. This feature is an [.noloc]`OIDC` [.noloc]`JSON` web token that also contains the service account identity and supports a configurable audience. + +Amazon EKS hosts a public [.noloc]`OIDC` discovery endpoint for each cluster that contains the signing keys for the `ProjectedServiceAccountToken` [.noloc]`JSON` web tokens so external systems, such as IAM, can validate and accept the [.noloc]`OIDC` tokens that are issued by [.noloc]`Kubernetes`. + +include::enable-iam-roles-for-service-accounts.adoc[leveloffset=+1] + +include::associate-service-account-role.adoc[leveloffset=+1] + +include::pod-configuration.adoc[leveloffset=+1] + +include::configure-sts-endpoint.adoc[leveloffset=+1] + +include::cross-account-access.adoc[leveloffset=+1] + +include::iam-roles-for-service-accounts-minimum-sdk.adoc[leveloffset=+1] + +include::irsa-fetch-keys.adoc[leveloffset=+1] diff --git a/latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc b/latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc new file mode 100644 index 000000000..a0f5229c8 --- /dev/null +++ b/latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc @@ -0,0 +1,41 @@ +[.topic] +[[irsa-fetch-keys,irsa-fetch-keys.title]] += Fetch signing keys to validate [.noloc]`OIDC` tokens +:info_titleabbrev: Fetch signing keys + +include::../../attributes.txt[] + +[abstract] +-- +Discover how to fetch the OIDC public signing keys (JSON Web Key Set) required to validate the ProjectedServiceAccountToken for Amazon EKS clusters, enabling external systems to authenticate with IAM roles for Kubernetes service accounts. +-- + +[.noloc]`Kubernetes` issues a `ProjectedServiceAccountToken` to each [.noloc]`Kubernetes` [.noloc]`Service Account`. This token is an [.noloc]`OIDC` token, which is further a type of [.noloc]`JSON web token (JWT)`. Amazon EKS hosts a public [.noloc]`OIDC` endpoint for each cluster that contains the signing keys for the token so external systems can validate it. + +To validate a `ProjectedServiceAccountToken`, you need to fetch the [.noloc]`OIDC` public signing keys, also called the [.noloc]`JSON Web Key Set (JWKS)`. Use these keys in your application to validate the token. For example, you can use the https://pyjwt.readthedocs.io/en/latest/[PyJWT Python library] to validate tokens using these keys. For more information on the `ProjectedServiceAccountToken`, see <>. + +== Prerequisites + +* An existing {aws} Identity and Access Management (IAM) [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you already have one, or to create one, see <>. +* *{aws} CLI* -- A command line tool for working with {aws} services, including Amazon EKS. For more information, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. After installing the {aws} CLI, we recommend that you also configure it. For more information, see link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the {aws} Command Line Interface User Guide. + +== Procedure + +. Retrieve the [.noloc]`OIDC` URL for your Amazon EKS cluster using the {aws} CLI. ++ +[source,bash,subs="verbatim,attributes"] +---- +$ aws eks describe-cluster --name my-cluster --query 'cluster.identity.oidc.issuer' +"https://oidc.eks.us-west-2.amazonaws.com/id/8EBDXXXX00BAE" +---- +. Retrieve the public signing key using [.noloc]`curl`, or a similar tool. The result is a https://www.rfc-editor.org/rfc/rfc7517#section-5[JSON Web Key Set (JWKS)]. ++ +IMPORTANT: Amazon EKS throttles calls to the [.noloc]`OIDC` endpoint. You should cache the public signing key. Respect the `cache-control` header included in the response. ++ +IMPORTANT: Amazon EKS rotates the [.noloc]`OIDC` signing key every seven days. ++ +[source,bash,subs="verbatim,attributes"] +---- +$ curl https://oidc.eks.us-west-2.amazonaws.com/id/8EBDXXXX00BAE/keys +{"keys":[{"kty":"RSA","kid":"2284XXXX4a40","use":"sig","alg":"RS256","n":"wklbXXXXMVfQ","e":"AQAB"}]} +---- diff --git a/latest/ug/manage-access/aws-access/pod-configuration.adoc b/latest/ug/manage-access/aws-access/pod-configuration.adoc new file mode 100644 index 000000000..a49aa9e17 --- /dev/null +++ b/latest/ug/manage-access/aws-access/pod-configuration.adoc @@ -0,0 +1,127 @@ +[.topic] +[[pod-configuration,pod-configuration.title]] += Configure [.noloc]`Pods` to use a [.noloc]`Kubernetes` service account +:info_titleabbrev: Assign to Pod + +include::../../attributes.txt[] + +[abstract] +-- +Learn how to configure your [.noloc]`Pods` to use a [.noloc]`Kubernetes` service account that you allowed to assume an {aws} Identity and Access Management role. +-- + +If a [.noloc]`Pod` needs to access {aws} services, then you must configure it to use a [.noloc]`Kubernetes` service account. The service account must be associated to an {aws} Identity and Access Management (IAM) role that has permissions to access the {aws} services. + + + +* An existing cluster. If you don't have one, you can create one using one of the guides in <>. +* An existing IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To learn if you already have one or how to create one, see <>. +* An existing [.noloc]`Kubernetes` service account that's associated with an IAM role. The service account must be annotated with the Amazon Resource Name (ARN) of the IAM role. The role must have an associated IAM policy that contains the permissions that you want your [.noloc]`Pods` to have to use {aws} services. For more information about how to create the service account and role, and configure them, see <>. +* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. +* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. +* An existing `kubectl` `config` file that contains your cluster configuration. To create a `kubectl` `config` file, see <>. +. Use the following command to create a deployment manifest that you can deploy a [.noloc]`Pod` to confirm configuration with. Replace the [.replaceable]`example values` with your own values. ++ +[source,yaml,subs="verbatim,attributes"] +---- +cat >my-deployment.yaml <>. +.. Confirm that the [.noloc]`Pod` has a web identity token file mount. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl describe pod my-app-6f4dfff6cb-76cv9 | grep AWS_WEB_IDENTITY_TOKEN_FILE: +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token +---- ++ +The `kubelet` requests and stores the token on behalf of the [.noloc]`Pod`. By default, the `kubelet` refreshes the token if the token is older than 80 percent of its total time to live or older than 24 hours. You can modify the expiration duration for any account other than the default service account by using the settings in your [.noloc]`Pod` spec. For more information, see https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection[Service Account Token Volume Projection] in the [.noloc]`Kubernetes` documentation. ++ +The https://github.com/aws/amazon-eks-pod-identity-webhook#amazon-eks-pod-identity-webhook[Amazon EKS Pod Identity Webhook] on the cluster watches for [.noloc]`Pods` that use a service account with the following annotation: ++ +[source,bash,subs="verbatim,attributes"] +---- +eks.amazonaws.com/role-arn: {arn-aws}iam::111122223333:role/my-role +---- ++ +The webhook applies the previous environment variables to those [.noloc]`Pods`. Your cluster doesn't need to use the webhook to configure the environment variables and token file mounts. You can manually configure [.noloc]`Pods` to have these environment variables. The <> look for these environment variables first in the credential chain provider. The role credentials are used for [.noloc]`Pods` that meet this criteria. +. Confirm that your [.noloc]`Pods` can interact with the {aws} services using the permissions that you assigned in the IAM policy attached to your role. ++ +NOTE: When a [.noloc]`Pod` uses {aws} credentials from an IAM role that's associated with a service account, the {aws} CLI or other SDKs in the containers for that [.noloc]`Pod` use the credentials that are provided by that role. If you don't restrict access to the credentials that are provided to the <>, the [.noloc]`Pod` still has access to these credentials. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. ++ +If your [.noloc]`Pods` can't interact with the services as you expected, complete the following steps to confirm that everything is properly configured. ++ +.. Confirm that your [.noloc]`Pods` use an {aws} SDK version that supports assuming an IAM role through an [.noloc]`OpenID Connect` web identity token file. For more information, see <>. +.. Confirm that the deployment is using the service account. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl describe deployment my-app | grep "Service Account" +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +Service Account: my-service-account +---- +.. If your [.noloc]`Pods` still can't access services, review the <> that are described in <> to confirm that your role and service account are configured properly. \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-id-abac.adoc b/latest/ug/manage-access/aws-access/pod-id-abac.adoc new file mode 100644 index 000000000..9938fa445 --- /dev/null +++ b/latest/ug/manage-access/aws-access/pod-id-abac.adoc @@ -0,0 +1,84 @@ +[.topic] +[[pod-id-abac,pod-id-abac.title]] += Grant Pods access to {aws} resources based on tags +:info_titleabbrev: Grant Pods access + +include::../../attributes.txt[] + +[abstract] +-- +Learn how to use Amazon EKS Pod Identity to attach tags for cluster, namespace, and service account to temporary credentials, enabling attribute-based access control (ABAC) for EKS Pods to {aws} resources based on matching tags. +-- + +Attribute-based access control (ABAC) grants rights to users through policies which combine attributes together. EKS Pod Identity attaches tags to the temporary credentials to each Pod with attributes such as cluster name, namespace, and service account name. These role session tags enable administrators to author a single role that can work across service accounts by allowing access to {aws} resources based on matching tags. By adding support for role session tags, customers can enforce tighter security boundaries between clusters, and workloads within clusters, while reusing the same IAM roles and IAM policies. + +For example, the following policy allows the `s3:GetObject` action if the object is tagged with the name of the EKS cluster. + +[source,json,subs="verbatim,attributes"] +---- +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:ListBucket" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:GetObjectTagging" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "s3:ExistingObjectTag/eks-cluster-name": "${aws:PrincipalTag/eks-cluster-name}" + } + } + } + ] +} +---- + + +[[pod-id-abac-tags,pod-id-abac-tags.title]] +== List of session tags added by EKS Pod Identity + +The following list contains all of the keys for tags that are added to the `AssumeRole` request made by Amazon EKS. To use these tags in policies, use `${aws:PrincipalTag/` followed by the key, for example `${aws:PrincipalTag/kubernetes-namespace}`. + + + +* `eks-cluster-arn` +* `eks-cluster-name` +* `kubernetes-namespace` +* `kubernetes-service-account` +* `kubernetes-pod-name` +* `kubernetes-pod-uid` + + +[[pod-id-abac-chaining,pod-id-abac-chaining.title]] +== Cross-account tags + +All of the session tags that are added by EKS Pod Identity are _transitive_; the tag keys and values are passed to any `AssumeRole` actions that your workloads use to switch roles into another account. You can use these tags in policies in other accounts to limit access in cross-account scenarios. For more infromation, see link:IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining[Chaining roles with session tags,type="documentation"] in the _IAM User Guide_. + +[[pod-id-abac-custom-tags,pod-id-abac-custom-tags.title]] +== Custom tags + +EKS Pod Identity can't add additional custom tags to the `AssumeRole` action that it performs. However, tags that you apply to the IAM role are always available though the same format: `${aws:PrincipalTag/` followed by the key, for example `${aws:PrincipalTag/MyCustomTag}`. + +[NOTE] +==== + +Tags added to the session through the `sts:AssumeRole` request take precedence in the case of conflict. For example, say that: + + + +* Amazon EKS adds a key `eks-cluster-name` and value `my-cluster` to the session when EKS assumes the customer role and +* You add an `eks-cluster-name` tag to the IAM role with the value `my-own-cluster`. + +In this case, the former takes precedence and the value for the `eks-cluster-name` tag will be `my-cluster`. + +==== \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc b/latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc new file mode 100644 index 000000000..c1382cee7 --- /dev/null +++ b/latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc @@ -0,0 +1,85 @@ +[.topic] +[[pod-id-agent-config-ipv6,pod-id-agent-config-ipv6.title]] += Disable `IPv6` in the EKS Pod Identity Agent +:info_titleabbrev: Disable IPv6 + +include::../../attributes.txt[] + +[[pod-id-console,pod-id-console.title]] +== {aws-management-console} +. To disable `IPv6` in the EKS Pod Identity Agent, add the following configuration to the *Optional configuration settings* of the EKS Add-on. ++ +.. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. +.. In the left navigation pane, select *Clusters*, and then select the name of the cluster that you want to configure the add-on for. +.. Choose the *Add-ons* tab. +.. Select the box in the top right of the EKS Pod Identity Agent add-on box and then choose *Edit*. +.. On the *Configure EKS Pod Identity Agent* page: ++ +... Select the *Version* that you'd like to use. We recommend that you keep the same version as the previous step, and update the version and configuration in separate actions. +... Expand the *Optional configuration settings*. +... Enter the JSON key `"agent":` and value of a nested JSON object with a key `"additionalArgs":` in *Configuration values*. The resulting text must be a valid JSON object. If this key and value are the only data in the text box, surround the key and value with curly braces `{ }`. The following example shows network policy is enabled: ++ +[source,json,subs="verbatim,attributes"] +---- +{ + "agent": { + "additionalArgs": { + "-b": "169.254.170.23" + } + } +} +---- ++ +This configuration sets the `IPv4` address to be the only address used by the agent. +.. To apply the new configuration by replacing the EKS Pod Identity Agent pods, choose *Save changes*. ++ +Amazon EKS applies changes to the EKS Add-ons by using a _rollout_ of the [.noloc]`Kubernetes` `DaemonSet` for EKS Pod Identity Agent. You can track the status of the rollout in the *Update history* of the add-on in the {aws-management-console} and with `kubectl rollout status daemonset/eks-pod-identity-agent --namespace kube-system`. ++ +`kubectl rollout` has the following commands: ++ +[source,shell,subs="verbatim,attributes"] +---- +$ kubectl rollout + +history -- View rollout history +pause -- Mark the provided resource as paused +restart -- Restart a resource +resume -- Resume a paused resource +status -- Show the status of the rollout +undo -- Undo a previous rollout +---- ++ +If the rollout takes too long, Amazon EKS will undo the rollout, and a message with the type of *Addon Update* and a status of *Failed* will be added to the *Update history* of the add-on. To investigate any issues, start from the history of the rollout, and run `kubectl logs` on a EKS Pod Identity Agent pod to see the logs of EKS Pod Identity Agent. +. If the new entry in the *Update history* has a status of *Successful*, then the rollout has completed and the add-on is using the new configuration in all of the EKS Pod Identity Agent pods. + +[[pod-id-cli,pod-id-cli.title]] +== {aws} CLI +. To disable `IPv6` in the EKS Pod Identity Agent, add the following configuration to the *configuration values* of the EKS Add-on. ++ +Run the following {aws} CLI command. Replace `my-cluster` with the name of your cluster and the IAM role ARN with the role that you are using. ++ +[source,shell,subs="verbatim,attributes"] +---- +aws eks update-addon --cluster-name my-cluster --addon-name eks-pod-identity-agent \ + --resolve-conflicts PRESERVE --configuration-values '{"agent":{"additionalArgs": { "-b": "169.254.170.23"}}}' +---- ++ +This configuration sets the `IPv4` address to be the only address used by the agent. ++ +Amazon EKS applies changes to the EKS Add-ons by using a _rollout_ of the [.noloc]`Kubernetes` DaemonSet for EKS Pod Identity Agent. You can track the status of the rollout in the *Update history* of the add-on in the {aws-management-console} and with `kubectl rollout status daemonset/eks-pod-identity-agent --namespace kube-system`. ++ +`kubectl rollout` has the following commands: ++ +[source,shell,subs="verbatim,attributes"] +---- +kubectl rollout + +history -- View rollout history +pause -- Mark the provided resource as paused +restart -- Restart a resource +resume -- Resume a paused resource +status -- Show the status of the rollout +undo -- Undo a previous rollout +---- ++ +If the rollout takes too long, Amazon EKS will undo the rollout, and a message with the type of *Addon Update* and a status of *Failed* will be added to the *Update history* of the add-on. To investigate any issues, start from the history of the rollout, and run `kubectl logs` on a EKS Pod Identity Agent pod to see the logs of EKS Pod Identity Agent. \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc b/latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc new file mode 100644 index 000000000..3115e2024 --- /dev/null +++ b/latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc @@ -0,0 +1,115 @@ +[.topic] +[[pod-id-agent-setup,pod-id-agent-setup.title]] += Set up the Amazon EKS Pod Identity Agent +:info_titleabbrev: Set up the Agent + +include::../../attributes.txt[] + +[abstract] +-- +Learn how to set up the EKS Pod Identity Agent for your cluster. +-- + +Amazon EKS Pod Identity associations provide the ability to manage credentials for your applications, similar to the way that Amazon EC2 instance profiles provide credentials to Amazon EC2 instances. + +Amazon EKS Pod Identity provides credentials to your workloads with an additional _EKS Auth_ API and an agent pod that runs on each node. + +[TIP] +==== +You do not need to install the EKS Pod Identity Agent on EKS Auto Mode Clusters. This capability is built into EKS Auto Mode. +==== + + +[[pod-id-agent-considerations,pod-id-agent-considerations.title]] +== Considerations + +* By default, the EKS Pod Identity Agent listens on an `IPv4` and `IPv6` address for pods to request credentials. The agent uses the loopback (localhost) IP address `169.254.170.23` for `IPv4` and the localhost IP address `[fd00:ec2::23]` for `IPv6`. +* If you disable `IPv6` addresses, or otherwise prevent localhost `IPv6` IP addresses, the agent can't start. To start the agent on nodes that can't use `IPv6`, follow the steps in <> to disable the `IPv6` configuration. + + +[[pod-id-agent-add-on-create,pod-id-agent-add-on-create.title]] +== Creating the Amazon EKS Pod Identity Agent + +[[pod-id-agent-prereqs,pod-id-agent-prereqs.title]] +=== Agent prerequisites + +* An existing Amazon EKS cluster. To deploy one, see <>. The cluster version and platform version must be the same or later than the versions listed in <>. +* The node role has permissions for the agent to do the `AssumeRoleForPodIdentity` action in the EKS Auth API. You can use the <> or add a custom policy similar to the following: ++ +[source,json,subs="verbatim,attributes"] +---- +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "eks-auth:AssumeRoleForPodIdentity" + ], + "Resource": "*" + } + ] +} +---- ++ +This action can be limited by tags to restrict which roles can be assumed by pods that use the agent. +* The nodes can reach and download images from Amazon ECR. The container image for the add-on is in the registries listed in <>. ++ +Note that you can change the image location and provide `imagePullSecrets` for EKS add-ons in the *Optional configuration settings* in the {aws-management-console}, and in the `--configuration-values` in the {aws} CLI. +* The nodes can reach the Amazon EKS Auth API. For private clusters, the `eks-auth` endpoint in {aws} PrivateLink is required. + + +=== Setup agent with {aws} console +. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. +. In the left navigation pane, select *Clusters*, and then select the name of the cluster that you want to configure the EKS Pod Identity Agent add-on for. +. Choose the *Add-ons* tab. +. Choose *Get more add-ons*. +. Select the box in the top right of the add-on box for EKS Pod Identity Agent and then choose *Next*. +. On the *Configure selected add-ons settings* page, select any version in the *Version* dropdown list. +. (Optional) Expand *Optional configuration settings* to enter additional configuration. For example, you can provide an alternative container image location and `ImagePullSecrets`. The [.noloc]`JSON Schema` with accepted keys is shown in *Add-on configuration schema*. ++ +Enter the configuration keys and values in *Configuration values*. +. Choose *Next*. +. Confirm that the EKS Pod Identity Agent pods are running on your cluster. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl get pods -n kube-system | grep 'eks-pod-identity-agent' +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +eks-pod-identity-agent-gmqp7 1/1 Running 1 (24h ago) 24h +eks-pod-identity-agent-prnsh 1/1 Running 1 (24h ago) 24h +---- ++ +You can now use EKS Pod Identity associations in your cluster. For more information, see <>. + + +=== Setup agent with {aws} CLI +. Run the following {aws} CLI command. Replace `my-cluster` with the name of your cluster. ++ +[source,shell,subs="verbatim,attributes"] +---- +aws eks create-addon --cluster-name my-cluster --addon-name eks-pod-identity-agent --addon-version v1.0.0-eksbuild.1 +---- ++ +NOTE: The EKS Pod Identity Agent doesn't use the `service-account-role-arn` for _IAM roles for service accounts_. You must provide the EKS Pod Identity Agent with permissions in the node role. +. Confirm that the EKS Pod Identity Agent pods are running on your cluster. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl get pods -n kube-system | grep 'eks-pod-identity-agent' +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +eks-pod-identity-agent-gmqp7 1/1 Running 1 (24h ago) 24h +eks-pod-identity-agent-prnsh 1/1 Running 1 (24h ago) 24h +---- ++ +You can now use EKS Pod Identity associations in your cluster. For more information, see <>. diff --git a/latest/ug/manage-access/aws-access/pod-id-association.adoc b/latest/ug/manage-access/aws-access/pod-id-association.adoc new file mode 100644 index 000000000..0a0dc4274 --- /dev/null +++ b/latest/ug/manage-access/aws-access/pod-id-association.adoc @@ -0,0 +1,288 @@ +[.topic] +[[pod-id-association,pod-id-association.title]] += Assign an [.noloc]`IAM` role to a [.noloc]`Kubernetes` service account +:info_titleabbrev: Assign IAM role + +include::../../attributes.txt[] + +[abstract] +-- +Learn how to configure a Kubernetes service account to assume an {aws} IAM role with Amazon EKS Pod Identity for securely accessing {aws} services from your pods. +-- + +This topic covers how to configure a [.noloc]`Kubernetes` service account to assume an {aws} Identity and Access Management (IAM) role with EKS Pod Identity. Any [.noloc]`Pods` that are configured to use the service account can then access any {aws} service that the role has permissions to access. + +To create an EKS Pod Identity association, there is only a single step; you create the association in EKS through the {aws-management-console}, {aws} CLI, {aws} SDKs, {aws} CloudFormation and other tools. There isn't any data or metadata about the associations inside the cluster in any [.noloc]`Kubernetes` objects and you don't add any annotations to the service accounts. + +* An existing cluster. If you don't have one, you can create one by following one of the guides in <>. +* The IAM principal that is creating the association must have `iam:PassRole`. +* The latest version of the {aws} CLI installed and configured on your device or {aws} CloudShell. You can check your current version with `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the {aws} Command Line Interface User Guide. The {aws} CLI version installed in the {aws} CloudShell may also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the {aws} CloudShell User Guide. +* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. +* An existing `kubectl` `config` file that contains your cluster configuration. To create a `kubectl` `config` file, see <>. + + +[[pod-id-association-create,pod-id-association-create.title]] +== Create a Pod Identity association ({aws} Console) + +. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. +. In the left navigation pane, select *Clusters*, and then select the name of the cluster that you want to configure the EKS Pod Identity Agent add-on for. +. Choose the *Access* tab. +. In the *Pod Identity associations*, choose *Create*. +. For the *IAM role*, select the IAM role with the permissions that you want the workload to have. ++ +NOTE: The list only contains roles that have the following trust policy which allows EKS Pod Identity to use them. ++ +[source,json,subs="verbatim,attributes"] +---- +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowEksAuthToAssumeRoleForPodIdentity", + "Effect": "Allow", + "Principal": { + "Service": "pods.eks.amazonaws.com" + }, + "Action": [ + "sts:AssumeRole", + "sts:TagSession" + ] + } + ] +} +---- ++ +`sts:AssumeRole` -- EKS Pod Identity uses `AssumeRole` to assume the IAM role before passing the temporary credentials to your pods. ++ +`sts:TagSession` -- EKS Pod Identity uses `TagSession` to include _session tags_ in the requests to {aws} STS. ++ +You can use these tags in the _condition keys_ in the trust policy to restrict which service accounts, namespaces, and clusters can use this role. ++ +For a list of Amazon EKS condition keys, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-policy-keys[Conditions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the _Service Authorization Reference_. To learn which actions and resources you can use a condition key with, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"]. +. For the *[.noloc]`Kubernetes` namespace*, select the [.noloc]`Kubernetes` namespace that contains the service account and workload. Optionally, you can specify a namespace by name that doesn't exist in the cluster. +. For the *[.noloc]`Kubernetes` service account*, select the [.noloc]`Kubernetes` service account to use. The manifest for your [.noloc]`Kubernetes` workload must specify this service account. Optionally, you can specify a service account by name that doesn't exist in the cluster. +. (Optional) For the *Tags*, choose *Add tag* to add metadata in a key and value pair. These tags are applied to the association and can be used in IAM policies. ++ +You can repeat this step to add multiple tags. +. Choose *Create*. + + +== Create a Pod Identity association ({aws} CLI) +. If you want to associate an existing IAM policy to your IAM role, skip to the next step. ++ +Create an IAM policy. You can create your own policy, or copy an {aws} managed policy that already grants some of the permissions that you need and customize it to your specific requirements. For more information, see link:IAM/latest/UserGuide/access_policies_create.html[Creating IAM policies,type="documentation"] in the _IAM User Guide_. ++ +.. Create a file that includes the permissions for the {aws} services that you want your [.noloc]`Pods` to access. For a list of all actions for all {aws} services, see the link:service-authorization/latest/reference/[Service Authorization Reference,type="documentation"]. ++ +You can run the following command to create an example policy file that allows read-only access to an Amazon S3 bucket. You can optionally store configuration information or a bootstrap script in this bucket, and the containers in your [.noloc]`Pod` can read the file from the bucket and load it into your application. If you want to create this example policy, copy the following contents to your device. Replace [.replaceable]`my-pod-secrets-bucket` with your bucket name and run the command. ++ +[source,json,subs="verbatim,attributes"] +---- +cat >my-policy.json <my-service-account.yaml <trust-relationship.json <> diff --git a/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc b/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc new file mode 100644 index 000000000..69c132390 --- /dev/null +++ b/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc @@ -0,0 +1,96 @@ +include::../../attributes.txt[] +[.topic] +[[pod-id-configure-pods,pod-id-configure-pods.title]] += Configure [.noloc]`Pods` to access {aws} services with service accounts +:info_titleabbrev: Pod service account + +[abstract] +-- +Learn how to configure Pods to use a Kubernetes service account with an associated IAM role for accessing {aws} services on Amazon EKS. +-- + +If a [.noloc]`Pod` needs to access {aws} services, then you must configure it to use a [.noloc]`Kubernetes` service account. The service account must be associated to an {aws} Identity and Access Management (IAM) role that has permissions to access the {aws} services. + +* An existing cluster. If you don't have one, you can create one using one of the guides in <>. +* An existing [.noloc]`Kubernetes` service account and an EKS Pod Identity association that associates the service account with an IAM role. The role must have an associated IAM policy that contains the permissions that you want your [.noloc]`Pods` to have to use {aws} services. For more information about how to create the service account and role, and configure them, see <>. +* The latest version of the {aws} CLI installed and configured on your device or {aws} CloudShell. You can check your current version with `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the {aws} Command Line Interface User Guide. The {aws} CLI version installed in the {aws} CloudShell may also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the {aws} CloudShell User Guide. +* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. +* An existing `kubectl` `config` file that contains your cluster configuration. To create a `kubectl` `config` file, see <>. +. Use the following command to create a deployment manifest that you can deploy a [.noloc]`Pod` to confirm configuration with. Replace the [.replaceable]`example values` with your own values. ++ +[source,yaml,subs="verbatim,attributes"] +---- +cat >my-deployment.yaml <>, the [.noloc]`Pod` still has access to these credentials. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. ++ +If your [.noloc]`Pods` can't interact with the services as you expected, complete the following steps to confirm that everything is properly configured. ++ +.. Confirm that your [.noloc]`Pods` use an {aws} SDK version that supports assuming an IAM role through an EKS Pod Identity association. For more information, see <>. +.. Confirm that the deployment is using the service account. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl describe deployment my-app | grep "Service Account" +---- ++ +An example output is as follows. ++ +[source,bash,subs="verbatim,attributes"] +---- +Service Account: my-service-account +---- \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc b/latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc new file mode 100644 index 000000000..805ebea06 --- /dev/null +++ b/latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc @@ -0,0 +1,59 @@ +[.topic] +[[pod-id-how-it-works,pod-id-how-it-works.title]] += Understand how [.noloc]`EKS Pod Identity` works +:info_titleabbrev: How it works + +include::../../attributes.txt[] + +[abstract] +-- +Learn how Amazon EKS Pod Identity works to provide temporary credentials to your Kubernetes workloads, using an agent running on each node and the {aws} SDKs. +-- + +Amazon EKS Pod Identity associations provide the ability to manage credentials for your applications, similar to the way that Amazon EC2 instance profiles provide credentials to Amazon EC2 instances. + +Amazon EKS Pod Identity provides credentials to your workloads with an additional _EKS Auth_ API and an agent pod that runs on each node. + +In your add-ons, such as _Amazon EKS add-ons_ and self-managed controller, operators, and other add-ons, the author needs to update their software to use the latest {aws} SDKs. For the list of compatibility between EKS Pod Identity and the add-ons produced by Amazon EKS, see the previous section <>. + +[[pod-id-credentials,pod-id-credentials.title]] +== Using EKS Pod Identities in your code + +In your code, you can use the {aws} SDKs to access {aws} services. You write code to create a client for an {aws} service with an SDK, and by default the SDK searches in a chain of locations for {aws} Identity and Access Management credentials to use. After valid credentials are found, the search is stopped. For more information about the default locations used, see the link:sdkref/latest/guide/standardized-credentials.html#credentialProviderChain[Credential provider chain,type="documentation"] in the {aws} SDKs and Tools Reference Guide. + +EKS Pod Identities have been added to the _Container credential provider_ which is searched in a step in the default credential chain. If your workloads currently use credentials that are earlier in the chain of credentials, those credentials will continue to be used even if you configure an EKS Pod Identity association for the same workload. This way you can safely migrate from other types of credentials by creating the association first, before removing the old credentials. + +The container credentials provider provides temporary credentials from an agent that runs on each node. In Amazon EKS, the agent is the Amazon EKS Pod Identity Agent and on Amazon Elastic Container Service the agent is the `amazon-ecs-agent`. The SDKs use environment variables to locate the agent to connect to. + +In contrast, _IAM roles for service accounts_ provides a _web identity_ token that the {aws} SDK must exchange with {aws} Security Token Service by using `AssumeRoleWithWebIdentity`. + +[[pod-id-agent-pod,pod-id-agent-pod.title]] +== How EKS Pod Identity Agent works with a [.noloc]`Pod` +. When Amazon EKS starts a new pod that uses a service account with an EKS Pod Identity association, the cluster adds the following content to the [.noloc]`Pod` manifest: ++ +[source,yaml,subs="verbatim,attributes"] +---- + env: + - name: AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE + value: "/var/run/secrets/pods.eks.amazonaws.com/serviceaccount/eks-pod-identity-token" + - name: AWS_CONTAINER_CREDENTIALS_FULL_URI + value: "http://169.254.170.23/v1/credentials" + volumeMounts: + - mountPath: "/var/run/secrets/pods.eks.amazonaws.com/serviceaccount/" + name: eks-pod-identity-token + volumes: + - name: eks-pod-identity-token + projected: + defaultMode: 420 + sources: + - serviceAccountToken: + audience: pods.eks.amazonaws.com + expirationSeconds: 86400 # 24 hours + path: eks-pod-identity-token +---- +. [.noloc]`Kubernetes` selects which node to run the pod on. Then, the Amazon EKS Pod Identity Agent on the node uses the link:eks/latest/APIReference/API_auth_AssumeRoleForPodIdentity.html[AssumeRoleForPodIdentity,type="documentation"] action to retrieve temporary credentials from the EKS Auth API. +. The EKS Pod Identity Agent makes these credentials available for the {aws} SDKs that you run inside your containers. +. You use the SDK in your application without specifying a credential provider to use the default credential chain. Or, you specify the container credential provider. For more information about the default locations used, see the link:sdkref/latest/guide/standardized-credentials.html#credentialProviderChain[Credential provider chain,type="documentation"] in the {aws} SDKs and Tools Reference Guide. +. The SDK uses the environment variables to connect to the EKS Pod Identity Agent and retrieve the credentials. ++ +NOTE: If your workloads currently use credentials that are earlier in the chain of credentials, those credentials will continue to be used even if you configure an EKS Pod Identity association for the same workload. \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc b/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc new file mode 100644 index 000000000..8200a51bd --- /dev/null +++ b/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc @@ -0,0 +1,41 @@ +include::../../attributes.txt[] +[.topic] +[[pod-id-minimum-sdk,pod-id-minimum-sdk.title]] += Use pod identity with the {aws} SDK +:info_titleabbrev: Supported SDKs + +[[pod-id-using-creds,pod-id-using-creds.title]] +== Using EKS Pod Identity credentials + +To use the credentials from a EKS Pod Identity association, your code can use any {aws} SDK to create a client for an {aws} service with an SDK, and by default the SDK searches in a chain of locations for {aws} Identity and Access Management credentials to use. The EKS Pod Identity credentials will be used if you don't specify a credential provider when you create the client or otherwise initialized the SDK. + +This works because EKS Pod Identities have been added to the _Container credential provider_ which is searched in a step in the default credential chain. If your workloads currently use credentials that are earlier in the chain of credentials, those credentials will continue to be used even if you configure an EKS Pod Identity association for the same workload. + +For more information about how EKS Pod Identities work, see <>. + +When using <>, the containers in your [.noloc]`Pods` must use an {aws} SDK version that supports assuming an IAM role from the EKS Pod Identity Agent. Make sure that you're using the following versions, or later, for your {aws} SDK: + + + +* Java (Version 2) – https://github.com/aws/aws-sdk-java-v2/releases/tag/2.21.30[2.21.30] +* Java – https://github.com/aws/aws-sdk-java/releases/tag/1.12.746[1.12.746] +* Go v1 – https://github.com/aws/aws-sdk-go/releases/tag/v1.47.11[v1.47.11] +* Go v2 – https://github.com/aws/aws-sdk-go-v2/releases/tag/release-2023-11-14[release-2023-11-14] +* Python (Boto3) – https://github.com/boto/boto3/releases/tag/1.34.41[1.34.41] +* Python (botocore) – https://github.com/boto/botocore/releases/tag/1.34.41[1.34.41] +* {aws} CLI – https://github.com/aws/aws-cli/releases/tag/1.30.0[1.30.0] ++ +{aws} CLI – https://github.com/aws/aws-cli/releases/tag/2.15.0[2.15.0] +* JavaScript v2 – https://github.com/aws/aws-sdk-js/releases/tag/v2.1550.0[2.1550.0] +* JavaScript v3 – https://github.com/aws/aws-sdk-js-v3/releases/tag/v3.458.0[v3.458.0] +* Kotlin – https://github.com/awslabs/aws-sdk-kotlin/releases/tag/v1.0.1[v1.0.1] +* Ruby – https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-core/CHANGELOG.md#31880-2023-11-22[3.188.0] +* Rust – https://github.com/awslabs/aws-sdk-rust/releases/tag/release-2024-03-13[release-2024-03-13] +* {cpp} – https://github.com/aws/aws-sdk-cpp/releases/tag/1.11.263[1.11.263] +* .NET – https://github.com/aws/aws-sdk-net/releases/tag/3.7.734.0[3.7.734.0] +* PowerShell – https://www.powershellgallery.com/packages/{aws}.Tools.Common/4.1.502[4.1.502] +* PHP – https://github.com/aws/aws-sdk-php/releases/tag/3.287.1[3.287.1] + +To ensure that you're using a supported SDK, follow the installation instructions for your preferred SDK at link:tools/[Tools to Build on {aws},type="marketing"] when you build your containers. + +For a list of add-ons that support EKS Pod Identity, see <>. diff --git a/latest/ug/manage-access/aws-access/pod-id-role.adoc b/latest/ug/manage-access/aws-access/pod-id-role.adoc new file mode 100644 index 000000000..1939440a1 --- /dev/null +++ b/latest/ug/manage-access/aws-access/pod-id-role.adoc @@ -0,0 +1,44 @@ +[.topic] +[[pod-id-role,pod-id-role.title]] += Create [.noloc]`IAM` role with trust policy required by [.noloc]`EKS Pod Identity` +:info_titleabbrev: EKS Pod Identity role + +include::../../attributes.txt[] + +[abstract] +-- +Learn how to configure the IAM trust policy for Amazon EKS Pod Identity to allow Kubernetes pods to assume IAM roles and access {aws} resources securely using Amazon EKS condition keys. +-- + +[source,json,subs="verbatim,attributes"] +---- +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowEksAuthToAssumeRoleForPodIdentity", + "Effect": "Allow", + "Principal": { + "Service": "pods.eks.amazonaws.com" + }, + "Action": [ + "sts:AssumeRole", + "sts:TagSession" + ] + } + ] +} +---- + +*`sts:AssumeRole`*:: +EKS Pod Identity uses `AssumeRole` to assume the IAM role before passing the temporary credentials to your pods. + + +*`sts:TagSession`*:: +EKS Pod Identity uses `TagSession` to include _session tags_ in the requests to {aws} STS. ++ +You can use these tags in the _condition keys_ in the trust policy to restrict which service accounts, namespaces, and clusters can use this role. ++ +For a list of Amazon EKS condition keys, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-policy-keys[Conditions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the _Service Authorization Reference_. To learn which actions and resources you can use a condition key with, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"]. + + diff --git a/latest/ug/manage-access/aws-access/pod-identities.adoc b/latest/ug/manage-access/aws-access/pod-identities.adoc new file mode 100644 index 000000000..8aa2dc94c --- /dev/null +++ b/latest/ug/manage-access/aws-access/pod-identities.adoc @@ -0,0 +1,147 @@ +include::../../attributes.txt[] +[.topic] +[[pod-identities,pod-identities.title]] += Learn how [.noloc]`EKS Pod Identity` grants pods access to {aws} services +:info_titleabbrev: Pod Identity + +include::pod-id-how-it-works.adoc[leveloffset=+1] + +include::pod-id-agent-setup.adoc[leveloffset=+1] + +include::pod-id-association.adoc[leveloffset=+1] + +include::pod-id-configure-pods.adoc[leveloffset=+1] + +include::pod-id-abac.adoc[leveloffset=+1] + +include::pod-id-minimum-sdk.adoc[leveloffset=+1] + +include::pod-id-agent-config-ipv6.adoc[leveloffset=+1] + +include::pod-id-role.adoc[leveloffset=+1] + +[abstract] +-- +Learn how to provide {aws} service access to your Kubernetes workloads with Amazon EKS Pod Identities, offering least privilege access, credential isolation, and auditability for enhanced security. Discover the benefits and considerations of this identity management solution for your Amazon EKS clusters. +-- + +Applications in a Pod's containers can use an {aws} SDK or the {aws} CLI to make API requests to {aws} services using {aws} Identity and Access Management (IAM) permissions. Applications must sign their {aws} API requests with {aws} credentials. + +_EKS Pod Identities_ provide the ability to manage credentials for your applications, similar to the way that Amazon EC2 instance profiles provide credentials to Amazon EC2 instances. Instead of creating and distributing your {aws} credentials to the containers or using the Amazon EC2 instance's role, you associate an IAM role with a [.noloc]`Kubernetes` service account and configure your [.noloc]`Pods` to use the service account. + +video::aUjJSorBE70[youtube,align = center,height = 405,fileref = https://www.youtube.com/embed/aUjJSorBE70,width = 720] + +Each EKS Pod Identity association maps a role to a service account in a namespace in the specified cluster. If you have the same application in multiple clusters, you can make identical associations in each cluster without modifying the trust policy of the role. + +If a pod uses a service account that has an association, Amazon EKS sets environment variables in the containers of the pod. The environment variables configure the {aws} SDKs, including the {aws} CLI, to use the EKS Pod Identity credentials. + +[[pod-id-benefits,pod-id-benefits.title]] +== Benefits of EKS Pod Identities + +EKS Pod Identities provide the following benefits: + + + +* *Least privilege* + – You can scope IAM permissions to a service account, and only [.noloc]`Pods` that use that service account have access to those permissions. This feature also eliminates the need for third-party solutions such as `kiam` or `kube2iam`. +* *Credential isolation* + – A [.noloc]`Pod's` containers can only retrieve credentials for the IAM role that's associated with the service account that the container uses. A container never has access to credentials that are used by other containers in other [.noloc]`Pods`. When using Pod Identities, the [.noloc]`Pod's` containers also have the permissions assigned to the <>, unless you block [.noloc]`Pod` access to the link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html["Amazon EC2 Instance Metadata Service (IMDS)", type="documentation"]. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. +* *Auditability* + – Access and event logging is available through {aws} CloudTrail to help facilitate retrospective auditing. + +EKS Pod Identity is a simpler method than <>, as this method doesn't use [.noloc]`OIDC` identity providers. EKS Pod Identity has the following enhancements: + + + +* *Independent operations* + – In many organizations, creating [.noloc]`OIDC` identity providers is a responsibility of different teams than administering the [.noloc]`Kubernetes` clusters. EKS Pod Identity has clean separation of duties, where all configuration of EKS Pod Identity associations is done in Amazon EKS and all configuration of the IAM permissions is done in IAM. +* *Reusability* + – EKS Pod Identity uses a single IAM principal instead of the separate principals for each cluster that IAM roles for service accounts use. Your IAM administrator adds the following principal to the trust policy of any role to make it usable by EKS Pod Identities. ++ +[source,json,subs="verbatim,attributes"] +---- + "Principal": { + "Service": "pods.eks.amazonaws.com" + } +---- +* *Scalability* + -- Each set of temporary credentials are assumed by the [.noloc]`EKS Auth` service in EKS Pod Identity, instead of each {aws} SDK that you run in each pod. Then, the Amazon EKS Pod Identity Agent that runs on each node issues the credentials to the SDKs. Thus the load is reduced to once for each node and isn't duplicated in each pod. For more details of the process, see <>. + +For more information to compare the two alternatives, see <>. + +[[pod-id-setup-overview,pod-id-setup-overview.title]] +== Overview of setting up EKS Pod Identities + +Turn on EKS Pod Identities by completing the following procedures: + +. <> -- You only complete this procedure once for each cluster. You do not need to complete this step if EKS Auto Mode is enabled on your cluster. +. <> -- Complete this procedure for each unique set of permissions that you want an application to have. ++ +. <> -- Complete this procedure for each [.noloc]`Pod` that needs access to {aws} services. +. <> -- Confirm that the workload uses an {aws} SDK of a supported version and that the workload uses the default credential chain. + + +[[pod-id-considerations,pod-id-considerations.title]] +== EKS Pod Identity considerations + +* You can associate one IAM role to each [.noloc]`Kubernetes` service account in each cluster. You can change which role is mapped to the service account by editing the EKS Pod Identity association. +* You can only associate roles that are in the same {aws} account as the cluster. You can delegate access from another account to the role in this account that you configure for EKS Pod Identities to use. For a tutorial about delegating access and `AssumeRole`, see link:IAM/latest/UserGuide/tutorial_cross-account-with-roles.html[Delegate access across {aws} accounts using IAM roles,type="documentation"] in the _IAM User Guide_. +* The EKS Pod Identity Agent is required. It runs as a [.noloc]`Kubernetes` `DaemonSet` on your nodes and only provides credentials to pods on the node that it runs on. For more information about EKS Pod Identity Agent compatibility, see the following section <>. +* If you are using Security Group for Pods along with Pod Identity Agent, you may need to set the `POD_SECURITY_GROUP_ENFORCING_MODE` Flag for the {aws} VPC CNI. For more information on security group for pods considerations, see <>. +* The EKS Pod Identity Agent uses the `hostNetwork` of the node and it uses port `80` and port `2703` on a link-local address on the node. This address is `169.254.170.23` for [.noloc]`IPv4` and `[fd00:ec2::23]` for [.noloc]`IPv6` clusters. ++ +If you disable `IPv6` addresses, or otherwise prevent localhost `IPv6` IP addresses, the agent can't start. To start the agent on nodes that can't use `IPv6`, follow the steps in <> to disable the `IPv6` configuration. + + +[[pod-id-cluster-versions,pod-id-cluster-versions.title]] +=== EKS Pod Identity cluster versions + +To use EKS Pod Identities, the cluster must have a platform version that is the same or later than the version listed in the following table, or a [.noloc]`Kubernetes` version that is later than the versions listed in the table. + +[cols="1,1", options="header"] +|=== +|Kubernetes version +|Platform version + +|Kubernetes versions not listed +|All platform versions support + +|`1.28` +|`eks.4` + +|`1.27` +|`eks.8` + +|`1.26` +|`eks.9` + +|`1.25` +|`eks.10` + +|`1.24` +|`eks.13` +|=== + +[[pod-id-restrictions,pod-id-restrictions.title]] +=== EKS Pod Identity restrictions + +EKS Pod Identities are available on the following: + + + +* Amazon EKS cluster versions listed in the previous topic <>. +* Worker nodes in the cluster that are Linux Amazon EC2 instances. + +EKS Pod Identities aren't available on the following: + + + +* {aws} Outposts. +* Amazon EKS Anywhere. +* [.noloc]`Kubernetes` clusters that you create and run on Amazon EC2. The EKS Pod Identity components are only available on Amazon EKS. + +You can't use EKS Pod Identities with: + + +* Pods that run anywhere except Linux Amazon EC2 instances. Linux and Windows pods that run on {aws} Fargate (Fargate) aren't supported. Pods that run on Windows Amazon EC2 instances aren't supported. + diff --git a/latest/ug/manage-access/aws-access/process_all.sh b/latest/ug/manage-access/aws-access/process_all.sh new file mode 100755 index 000000000..4239c9c34 --- /dev/null +++ b/latest/ug/manage-access/aws-access/process_all.sh @@ -0,0 +1,22 @@ +#!/bin/bash + +FILES=( + "pod-id-how-it-works.adoc" + "pod-id-agent-setup.adoc" + "pod-id-association.adoc" + "pod-id-configure-pods.adoc" + "pod-id-abac.adoc" + "pod-id-minimum-sdk.adoc" + "pod-id-agent-config-ipv6.adoc" + "pod-id-role.adoc" +) + + +for file in "${FILES[@]}"; do + if [ -f "$file" ]; then + echo "Processing $file..." + python3 process_doc.py "$file" + else + echo "Warning: $file not found" + fi +done diff --git a/latest/ug/manage-access/aws-access/process_doc.py b/latest/ug/manage-access/aws-access/process_doc.py new file mode 100644 index 000000000..7aa55e909 --- /dev/null +++ b/latest/ug/manage-access/aws-access/process_doc.py @@ -0,0 +1,49 @@ +import sys +import re + +def process_file(filename): + # Read the file + with open(filename, 'r') as f: + lines = f.readlines() + + # Remove first = from lines starting with == but not ==== + processed_lines = [] + for line in lines: + if re.match(r'^==(?!==$).*$', line): + line = re.sub(r'^=', '', line) + processed_lines.append(line) + + # Find the index of the line starting with "= " + section_index = -1 + for i, line in enumerate(processed_lines): + if line.lstrip().startswith('= '): + section_index = i + break + + if section_index == -1: + print(f"Error: No line starting with '= ' found in {filename}") + return + + # Insert all new content at once to avoid index shifting issues + new_lines = processed_lines[:section_index + 1] # Everything up to and including the heading + new_lines.insert(0, "//!!NODE_ROOT
        \n") # Add ROOT at start + + # Add the new lines after the heading + new_lines.extend([ + "\n:info_doctype: section\n", + "\ninclude::../../attributes.txt[]\n" + ]) + + # Add the rest of the original content + new_lines.extend(processed_lines[section_index + 1:]) + + # Write back to file + with open(filename, 'w') as f: + f.writelines(new_lines) + +if __name__ == "__main__": + if len(sys.argv) != 2: + print("Usage: python script.py filename") + sys.exit(1) + + process_file(sys.argv[1]) diff --git a/latest/ug/manage-access/aws-access/service-accounts.adoc b/latest/ug/manage-access/aws-access/service-accounts.adoc index 636cadba3..b7b3098ff 100644 --- a/latest/ug/manage-access/aws-access/service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/service-accounts.adoc @@ -3,7 +3,11 @@ include::../../attributes.txt[] [.topic] [[service-accounts,service-accounts.title]] = Grant Kubernetes workloads access to {aws} using [.noloc]`Kubernetes` Service Accounts -:info_titleabbrev: Grant workloads access to {aws} +:info_titleabbrev: Workload access to {aws} + +include::iam-roles-for-service-accounts.adoc[leveloffset=+1] + +include::pod-identities.adoc[leveloffset=+1] A [.noloc]`Kubernetes` service account provides an identity for processes that run in a [.noloc]`Pod`. For more information see https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin[Managing Service Accounts] in the [.noloc]`Kubernetes` documentation. If your [.noloc]`Pod` needs access to {aws} services, you can map the service account to an {aws} Identity and Access Management identity to grant that access. For more information, see <>. @@ -118,1766 +122,4 @@ At a high level, both EKS Pod Identity and IRSA enables you to grant IAM permiss |All of the supported EKS cluster versions. |=== -[.topic] -[[pod-identities,pod-identities.title]] -== Learn how [.noloc]`EKS Pod Identity` grants pods access to {aws} services - -[abstract] --- -Learn how to provide {aws} service access to your Kubernetes workloads with Amazon EKS Pod Identities, offering least privilege access, credential isolation, and auditability for enhanced security. Discover the benefits and considerations of this identity management solution for your Amazon EKS clusters. --- - -Applications in a Pod's containers can use an {aws} SDK or the {aws} CLI to make API requests to {aws} services using {aws} Identity and Access Management (IAM) permissions. Applications must sign their {aws} API requests with {aws} credentials. - -_EKS Pod Identities_ provide the ability to manage credentials for your applications, similar to the way that Amazon EC2 instance profiles provide credentials to Amazon EC2 instances. Instead of creating and distributing your {aws} credentials to the containers or using the Amazon EC2 instance's role, you associate an IAM role with a [.noloc]`Kubernetes` service account and configure your [.noloc]`Pods` to use the service account. - -video::aUjJSorBE70[youtube,align = center,height = 405,fileref = https://www.youtube.com/embed/aUjJSorBE70,width = 720] - -Each EKS Pod Identity association maps a role to a service account in a namespace in the specified cluster. If you have the same application in multiple clusters, you can make identical associations in each cluster without modifying the trust policy of the role. - -If a pod uses a service account that has an association, Amazon EKS sets environment variables in the containers of the pod. The environment variables configure the {aws} SDKs, including the {aws} CLI, to use the EKS Pod Identity credentials. - -[[pod-id-benefits,pod-id-benefits.title]] -=== Benefits of EKS Pod Identities - -EKS Pod Identities provide the following benefits: - - - -* *Least privilege* - – You can scope IAM permissions to a service account, and only [.noloc]`Pods` that use that service account have access to those permissions. This feature also eliminates the need for third-party solutions such as `kiam` or `kube2iam`. -* *Credential isolation* - – A [.noloc]`Pod's` containers can only retrieve credentials for the IAM role that's associated with the service account that the container uses. A container never has access to credentials that are used by other containers in other [.noloc]`Pods`. When using Pod Identities, the [.noloc]`Pod's` containers also have the permissions assigned to the <>, unless you block [.noloc]`Pod` access to the link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html["Amazon EC2 Instance Metadata Service (IMDS)", type="documentation"]. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. -* *Auditability* - – Access and event logging is available through {aws} CloudTrail to help facilitate retrospective auditing. - -EKS Pod Identity is a simpler method than <>, as this method doesn't use [.noloc]`OIDC` identity providers. EKS Pod Identity has the following enhancements: - - - -* *Independent operations* - – In many organizations, creating [.noloc]`OIDC` identity providers is a responsibility of different teams than administering the [.noloc]`Kubernetes` clusters. EKS Pod Identity has clean separation of duties, where all configuration of EKS Pod Identity associations is done in Amazon EKS and all configuration of the IAM permissions is done in IAM. -* *Reusability* - – EKS Pod Identity uses a single IAM principal instead of the separate principals for each cluster that IAM roles for service accounts use. Your IAM administrator adds the following principal to the trust policy of any role to make it usable by EKS Pod Identities. -+ -[source,json,subs="verbatim,attributes"] ----- - "Principal": { - "Service": "pods.eks.amazonaws.com" - } ----- -* *Scalability* - -- Each set of temporary credentials are assumed by the [.noloc]`EKS Auth` service in EKS Pod Identity, instead of each {aws} SDK that you run in each pod. Then, the Amazon EKS Pod Identity Agent that runs on each node issues the credentials to the SDKs. Thus the load is reduced to once for each node and isn't duplicated in each pod. For more details of the process, see <>. - -For more information to compare the two alternatives, see <>. - -[[pod-id-setup-overview,pod-id-setup-overview.title]] -=== Overview of setting up EKS Pod Identities - -Turn on EKS Pod Identities by completing the following procedures: - -. <> -- You only complete this procedure once for each cluster. You do not need to complete this step if EKS Auto Mode is enabled on your cluster. -. <> -- Complete this procedure for each unique set of permissions that you want an application to have. -+ -. <> -- Complete this procedure for each [.noloc]`Pod` that needs access to {aws} services. -. <> -- Confirm that the workload uses an {aws} SDK of a supported version and that the workload uses the default credential chain. - - -[[pod-id-considerations,pod-id-considerations.title]] -=== EKS Pod Identity considerations - -* You can associate one IAM role to each [.noloc]`Kubernetes` service account in each cluster. You can change which role is mapped to the service account by editing the EKS Pod Identity association. -* You can only associate roles that are in the same {aws} account as the cluster. You can delegate access from another account to the role in this account that you configure for EKS Pod Identities to use. For a tutorial about delegating access and `AssumeRole`, see link:IAM/latest/UserGuide/tutorial_cross-account-with-roles.html[Delegate access across {aws} accounts using IAM roles,type="documentation"] in the _IAM User Guide_. -* The EKS Pod Identity Agent is required. It runs as a [.noloc]`Kubernetes` `DaemonSet` on your nodes and only provides credentials to pods on the node that it runs on. For more information about EKS Pod Identity Agent compatibility, see the following section <>. -* If you are using Security Group for Pods along with Pod Identity Agent, you may need to set the `POD_SECURITY_GROUP_ENFORCING_MODE` Flag for the {aws} VPC CNI. For more information on security group for pods considerations, see <>. -* The EKS Pod Identity Agent uses the `hostNetwork` of the node and it uses port `80` and port `2703` on a link-local address on the node. This address is `169.254.170.23` for [.noloc]`IPv4` and `[fd00:ec2::23]` for [.noloc]`IPv6` clusters. -+ -If you disable `IPv6` addresses, or otherwise prevent localhost `IPv6` IP addresses, the agent can't start. To start the agent on nodes that can't use `IPv6`, follow the steps in <> to disable the `IPv6` configuration. - - -[[pod-id-cluster-versions,pod-id-cluster-versions.title]] -==== EKS Pod Identity cluster versions - -To use EKS Pod Identities, the cluster must have a platform version that is the same or later than the version listed in the following table, or a [.noloc]`Kubernetes` version that is later than the versions listed in the table. - -[cols="1,1", options="header"] -|=== -|Kubernetes version -|Platform version - -|Kubernetes versions not listed -|All platform versions support - -|`1.28` -|`eks.4` - -|`1.27` -|`eks.8` - -|`1.26` -|`eks.9` - -|`1.25` -|`eks.10` - -|`1.24` -|`eks.13` -|=== - -[[pod-id-restrictions,pod-id-restrictions.title]] -==== EKS Pod Identity restrictions - -EKS Pod Identities are available on the following: - - - -* Amazon EKS cluster versions listed in the previous topic <>. -* Worker nodes in the cluster that are Linux Amazon EC2 instances. - -EKS Pod Identities aren't available on the following: - - - -* {aws} Outposts. -* Amazon EKS Anywhere. -* [.noloc]`Kubernetes` clusters that you create and run on Amazon EC2. The EKS Pod Identity components are only available on Amazon EKS. - -You can't use EKS Pod Identities with: - - - -* Pods that run anywhere except Linux Amazon EC2 instances. Linux and Windows pods that run on {aws} Fargate (Fargate) aren't supported. Pods that run on Windows Amazon EC2 instances aren't supported. - - - - -[.topic] -[[pod-id-how-it-works,pod-id-how-it-works.title]] -=== Understand how [.noloc]`EKS Pod Identity` works - -[abstract] --- -Learn how Amazon EKS Pod Identity works to provide temporary credentials to your Kubernetes workloads, using an agent running on each node and the {aws} SDKs. --- - -Amazon EKS Pod Identity associations provide the ability to manage credentials for your applications, similar to the way that Amazon EC2 instance profiles provide credentials to Amazon EC2 instances. - -Amazon EKS Pod Identity provides credentials to your workloads with an additional _EKS Auth_ API and an agent pod that runs on each node. - -In your add-ons, such as _Amazon EKS add-ons_ and self-managed controller, operators, and other add-ons, the author needs to update their software to use the latest {aws} SDKs. For the list of compatibility between EKS Pod Identity and the add-ons produced by Amazon EKS, see the previous section <>. - -[[pod-id-credentials,pod-id-credentials.title]] -==== Using EKS Pod Identities in your code - -In your code, you can use the {aws} SDKs to access {aws} services. You write code to create a client for an {aws} service with an SDK, and by default the SDK searches in a chain of locations for {aws} Identity and Access Management credentials to use. After valid credentials are found, the search is stopped. For more information about the default locations used, see the link:sdkref/latest/guide/standardized-credentials.html#credentialProviderChain[Credential provider chain,type="documentation"] in the {aws} SDKs and Tools Reference Guide. - -EKS Pod Identities have been added to the _Container credential provider_ which is searched in a step in the default credential chain. If your workloads currently use credentials that are earlier in the chain of credentials, those credentials will continue to be used even if you configure an EKS Pod Identity association for the same workload. This way you can safely migrate from other types of credentials by creating the association first, before removing the old credentials. - -The container credentials provider provides temporary credentials from an agent that runs on each node. In Amazon EKS, the agent is the Amazon EKS Pod Identity Agent and on Amazon Elastic Container Service the agent is the `amazon-ecs-agent`. The SDKs use environment variables to locate the agent to connect to. - -In contrast, _IAM roles for service accounts_ provides a _web identity_ token that the {aws} SDK must exchange with {aws} Security Token Service by using `AssumeRoleWithWebIdentity`. - -[[pod-id-agent-pod,pod-id-agent-pod.title]] -==== How EKS Pod Identity Agent works with a [.noloc]`Pod` -. When Amazon EKS starts a new pod that uses a service account with an EKS Pod Identity association, the cluster adds the following content to the [.noloc]`Pod` manifest: -+ -[source,yaml,subs="verbatim,attributes"] ----- - env: - - name: AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE - value: "/var/run/secrets/pods.eks.amazonaws.com/serviceaccount/eks-pod-identity-token" - - name: AWS_CONTAINER_CREDENTIALS_FULL_URI - value: "http://169.254.170.23/v1/credentials" - volumeMounts: - - mountPath: "/var/run/secrets/pods.eks.amazonaws.com/serviceaccount/" - name: eks-pod-identity-token - volumes: - - name: eks-pod-identity-token - projected: - defaultMode: 420 - sources: - - serviceAccountToken: - audience: pods.eks.amazonaws.com - expirationSeconds: 86400 # 24 hours - path: eks-pod-identity-token ----- -. [.noloc]`Kubernetes` selects which node to run the pod on. Then, the Amazon EKS Pod Identity Agent on the node uses the link:eks/latest/APIReference/API_auth_AssumeRoleForPodIdentity.html[AssumeRoleForPodIdentity,type="documentation"] action to retrieve temporary credentials from the EKS Auth API. -. The EKS Pod Identity Agent makes these credentials available for the {aws} SDKs that you run inside your containers. -. You use the SDK in your application without specifying a credential provider to use the default credential chain. Or, you specify the container credential provider. For more information about the default locations used, see the link:sdkref/latest/guide/standardized-credentials.html#credentialProviderChain[Credential provider chain,type="documentation"] in the {aws} SDKs and Tools Reference Guide. -. The SDK uses the environment variables to connect to the EKS Pod Identity Agent and retrieve the credentials. -+ -NOTE: If your workloads currently use credentials that are earlier in the chain of credentials, those credentials will continue to be used even if you configure an EKS Pod Identity association for the same workload. - - -[.topic] -[[pod-id-agent-setup,pod-id-agent-setup.title]] -=== Set up the Amazon EKS Pod Identity Agent - -[abstract] --- -Learn how to set up the EKS Pod Identity Agent for your cluster. --- - -Amazon EKS Pod Identity associations provide the ability to manage credentials for your applications, similar to the way that Amazon EC2 instance profiles provide credentials to Amazon EC2 instances. - -Amazon EKS Pod Identity provides credentials to your workloads with an additional _EKS Auth_ API and an agent pod that runs on each node. - -[TIP] -==== -You do not need to install the EKS Pod Identity Agent on EKS Auto Mode Clusters. This capability is built into EKS Auto Mode. -==== - - -[[pod-id-agent-considerations,pod-id-agent-considerations.title]] -==== Considerations - -* By default, the EKS Pod Identity Agent listens on an `IPv4` and `IPv6` address for pods to request credentials. The agent uses the loopback (localhost) IP address `169.254.170.23` for `IPv4` and the localhost IP address `[fd00:ec2::23]` for `IPv6`. -* If you disable `IPv6` addresses, or otherwise prevent localhost `IPv6` IP addresses, the agent can't start. To start the agent on nodes that can't use `IPv6`, follow the steps in <> to disable the `IPv6` configuration. - - -[[pod-id-agent-add-on-create,pod-id-agent-add-on-create.title]] -==== Creating the Amazon EKS Pod Identity Agent - -[[pod-id-agent-prereqs,pod-id-agent-prereqs.title]] -===== Agent prerequisites - -* An existing Amazon EKS cluster. To deploy one, see <>. The cluster version and platform version must be the same or later than the versions listed in <>. -* The node role has permissions for the agent to do the `AssumeRoleForPodIdentity` action in the EKS Auth API. You can use the <> or add a custom policy similar to the following: -+ -[source,json,subs="verbatim,attributes"] ----- -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "eks-auth:AssumeRoleForPodIdentity" - ], - "Resource": "*" - } - ] -} ----- -+ -This action can be limited by tags to restrict which roles can be assumed by pods that use the agent. -* The nodes can reach and download images from Amazon ECR. The container image for the add-on is in the registries listed in <>. -+ -Note that you can change the image location and provide `imagePullSecrets` for EKS add-ons in the *Optional configuration settings* in the {aws-management-console}, and in the `--configuration-values` in the {aws} CLI. -* The nodes can reach the Amazon EKS Auth API. For private clusters, the `eks-auth` endpoint in {aws} PrivateLink is required. - - -===== Setup agent with {aws} console -. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. -. In the left navigation pane, select *Clusters*, and then select the name of the cluster that you want to configure the EKS Pod Identity Agent add-on for. -. Choose the *Add-ons* tab. -. Choose *Get more add-ons*. -. Select the box in the top right of the add-on box for EKS Pod Identity Agent and then choose *Next*. -. On the *Configure selected add-ons settings* page, select any version in the *Version* dropdown list. -. (Optional) Expand *Optional configuration settings* to enter additional configuration. For example, you can provide an alternative container image location and `ImagePullSecrets`. The [.noloc]`JSON Schema` with accepted keys is shown in *Add-on configuration schema*. -+ -Enter the configuration keys and values in *Configuration values*. -. Choose *Next*. -. Confirm that the EKS Pod Identity Agent pods are running on your cluster. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl get pods -n kube-system | grep 'eks-pod-identity-agent' ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -eks-pod-identity-agent-gmqp7 1/1 Running 1 (24h ago) 24h -eks-pod-identity-agent-prnsh 1/1 Running 1 (24h ago) 24h ----- -+ -You can now use EKS Pod Identity associations in your cluster. For more information, see <>. - - -===== Setup agent with {aws} CLI -. Run the following {aws} CLI command. Replace `my-cluster` with the name of your cluster. -+ -[source,shell,subs="verbatim,attributes"] ----- -aws eks create-addon --cluster-name my-cluster --addon-name eks-pod-identity-agent --addon-version v1.0.0-eksbuild.1 ----- -+ -NOTE: The EKS Pod Identity Agent doesn't use the `service-account-role-arn` for _IAM roles for service accounts_. You must provide the EKS Pod Identity Agent with permissions in the node role. -. Confirm that the EKS Pod Identity Agent pods are running on your cluster. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl get pods -n kube-system | grep 'eks-pod-identity-agent' ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -eks-pod-identity-agent-gmqp7 1/1 Running 1 (24h ago) 24h -eks-pod-identity-agent-prnsh 1/1 Running 1 (24h ago) 24h ----- -+ -You can now use EKS Pod Identity associations in your cluster. For more information, see <>. - - -[.topic] -[[pod-id-association,pod-id-association.title]] -=== Assign an [.noloc]`IAM` role to a [.noloc]`Kubernetes` service account - -[abstract] --- -Learn how to configure a Kubernetes service account to assume an {aws} IAM role with Amazon EKS Pod Identity for securely accessing {aws} services from your pods. --- - -This topic covers how to configure a [.noloc]`Kubernetes` service account to assume an {aws} Identity and Access Management (IAM) role with EKS Pod Identity. Any [.noloc]`Pods` that are configured to use the service account can then access any {aws} service that the role has permissions to access. - -To create an EKS Pod Identity association, there is only a single step; you create the association in EKS through the {aws-management-console}, {aws} CLI, {aws} SDKs, {aws} CloudFormation and other tools. There isn't any data or metadata about the associations inside the cluster in any [.noloc]`Kubernetes` objects and you don't add any annotations to the service accounts. - - - -* An existing cluster. If you don't have one, you can create one by following one of the guides in <>. -* The IAM principal that is creating the association must have `iam:PassRole`. -* The latest version of the {aws} CLI installed and configured on your device or {aws} CloudShell. You can check your current version with `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the {aws} Command Line Interface User Guide. The {aws} CLI version installed in the {aws} CloudShell may also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the {aws} CloudShell User Guide. -* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. -* An existing `kubectl` `config` file that contains your cluster configuration. To create a `kubectl` `config` file, see <>. - - -[[pod-id-association-create,pod-id-association-create.title]] -==== Create a Pod Identity association ({aws} Console) - -. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. -. In the left navigation pane, select *Clusters*, and then select the name of the cluster that you want to configure the EKS Pod Identity Agent add-on for. -. Choose the *Access* tab. -. In the *Pod Identity associations*, choose *Create*. -. For the *IAM role*, select the IAM role with the permissions that you want the workload to have. -+ -NOTE: The list only contains roles that have the following trust policy which allows EKS Pod Identity to use them. -+ -[source,json,subs="verbatim,attributes"] ----- -{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AllowEksAuthToAssumeRoleForPodIdentity", - "Effect": "Allow", - "Principal": { - "Service": "pods.eks.amazonaws.com" - }, - "Action": [ - "sts:AssumeRole", - "sts:TagSession" - ] - } - ] -} ----- -+ -`sts:AssumeRole` -- EKS Pod Identity uses `AssumeRole` to assume the IAM role before passing the temporary credentials to your pods. -+ -`sts:TagSession` -- EKS Pod Identity uses `TagSession` to include _session tags_ in the requests to {aws} STS. -+ -You can use these tags in the _condition keys_ in the trust policy to restrict which service accounts, namespaces, and clusters can use this role. -+ -For a list of Amazon EKS condition keys, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-policy-keys[Conditions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the _Service Authorization Reference_. To learn which actions and resources you can use a condition key with, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"]. -. For the *[.noloc]`Kubernetes` namespace*, select the [.noloc]`Kubernetes` namespace that contains the service account and workload. Optionally, you can specify a namespace by name that doesn't exist in the cluster. -. For the *[.noloc]`Kubernetes` service account*, select the [.noloc]`Kubernetes` service account to use. The manifest for your [.noloc]`Kubernetes` workload must specify this service account. Optionally, you can specify a service account by name that doesn't exist in the cluster. -. (Optional) For the *Tags*, choose *Add tag* to add metadata in a key and value pair. These tags are applied to the association and can be used in IAM policies. -+ -You can repeat this step to add multiple tags. -. Choose *Create*. - - -==== Create a Pod Identity association ({aws} CLI) -. If you want to associate an existing IAM policy to your IAM role, skip to the next step. -+ -Create an IAM policy. You can create your own policy, or copy an {aws} managed policy that already grants some of the permissions that you need and customize it to your specific requirements. For more information, see link:IAM/latest/UserGuide/access_policies_create.html[Creating IAM policies,type="documentation"] in the _IAM User Guide_. -+ -.. Create a file that includes the permissions for the {aws} services that you want your [.noloc]`Pods` to access. For a list of all actions for all {aws} services, see the link:service-authorization/latest/reference/[Service Authorization Reference,type="documentation"]. -+ -You can run the following command to create an example policy file that allows read-only access to an Amazon S3 bucket. You can optionally store configuration information or a bootstrap script in this bucket, and the containers in your [.noloc]`Pod` can read the file from the bucket and load it into your application. If you want to create this example policy, copy the following contents to your device. Replace [.replaceable]`my-pod-secrets-bucket` with your bucket name and run the command. -+ -[source,json,subs="verbatim,attributes"] ----- -cat >my-policy.json <my-service-account.yaml <trust-relationship.json <> - -[.topic] -[[pod-id-configure-pods,pod-id-configure-pods.title]] -=== Configure [.noloc]`pods` to access {aws} services with service accounts - -[abstract] --- -Learn how to configure Pods to use a Kubernetes service account with an associated IAM role for accessing {aws} services on Amazon EKS. --- - -If a [.noloc]`Pod` needs to access {aws} services, then you must configure it to use a [.noloc]`Kubernetes` service account. The service account must be associated to an {aws} Identity and Access Management (IAM) role that has permissions to access the {aws} services. - - - -* An existing cluster. If you don't have one, you can create one using one of the guides in <>. -* An existing [.noloc]`Kubernetes` service account and an EKS Pod Identity association that associates the service account with an IAM role. The role must have an associated IAM policy that contains the permissions that you want your [.noloc]`Pods` to have to use {aws} services. For more information about how to create the service account and role, and configure them, see <>. -* The latest version of the {aws} CLI installed and configured on your device or {aws} CloudShell. You can check your current version with `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the {aws} Command Line Interface User Guide. The {aws} CLI version installed in the {aws} CloudShell may also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the {aws} CloudShell User Guide. -* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. -* An existing `kubectl` `config` file that contains your cluster configuration. To create a `kubectl` `config` file, see <>. -. Use the following command to create a deployment manifest that you can deploy a [.noloc]`Pod` to confirm configuration with. Replace the [.replaceable]`example values` with your own values. -+ -[source,yaml,subs="verbatim,attributes"] ----- -cat >my-deployment.yaml <>, the [.noloc]`Pod` still has access to these credentials. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. -+ -If your [.noloc]`Pods` can't interact with the services as you expected, complete the following steps to confirm that everything is properly configured. -+ -.. Confirm that your [.noloc]`Pods` use an {aws} SDK version that supports assuming an IAM role through an EKS Pod Identity association. For more information, see <>. -.. Confirm that the deployment is using the service account. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl describe deployment my-app | grep "Service Account" ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -Service Account: my-service-account ----- - - -[.topic] -[[pod-id-abac,pod-id-abac.title]] -=== Grant [.noloc]`pods` access to {aws} resources based on tags - -[abstract] --- -Learn how to use Amazon EKS Pod Identity to attach tags for cluster, namespace, and service account to temporary credentials, enabling attribute-based access control (ABAC) for EKS pods to {aws} resources based on matching tags. --- - -EKS Pod Identity attaches tags to the temporary credentials to each pod with attributes such as cluster name, namespace, service account name. These role session tags enable administrators to author a single role that can work across service accounts by allowing access to {aws} resources based on matching tags. By adding support for role session tags, customers can enforce tighter security boundaries between clusters, and workloads within clusters, while reusing the same IAM roles and IAM policies. - -For example, the following policy allows the `s3:GetObject` action if the object is tagged with the name of the EKS cluster. - -[source,json,subs="verbatim,attributes"] ----- -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "s3:ListBucket" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "s3:GetObject", - "s3:GetObjectTagging" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "s3:ExistingObjectTag/eks-cluster-name": "${aws:PrincipalTag/eks-cluster-name}" - } - } - } - ] -} ----- - - -[[pod-id-abac-tags,pod-id-abac-tags.title]] -==== List of session tags added by EKS Pod Identity - -The following list contains all of the keys for tags that are added to the `AssumeRole` request made by Amazon EKS. To use these tags in policies, use `${aws:PrincipalTag/` followed by the key, for example `${aws:PrincipalTag/kubernetes-namespace}`. - - - -* `eks-cluster-arn` -* `eks-cluster-name` -* `kubernetes-namespace` -* `kubernetes-service-account` -* `kubernetes-pod-name` -* `kubernetes-pod-uid` - - -[[pod-id-abac-chaining,pod-id-abac-chaining.title]] -==== Cross-account tags - -All of the session tags that are added by EKS Pod Identity are _transitive_; the tag keys and values are passed to any `AssumeRole` actions that your workloads use to switch roles into another account. You can use these tags in policies in other accounts to limit access in cross-account scenarios. For more infromation, see link:IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining[Chaining roles with session tags,type="documentation"] in the _IAM User Guide_. - -[[pod-id-abac-custom-tags,pod-id-abac-custom-tags.title]] -==== Custom tags - -EKS Pod Identity can't add additional custom tags to the `AssumeRole` action that it performs. However, tags that you apply to the IAM role are always available though the same format: `${aws:PrincipalTag/` followed by the key, for example `${aws:PrincipalTag/MyCustomTag}`. - -[NOTE] -==== - -Tags added to the session through the `sts:AssumeRole` request take precedence in the case of conflict. For example, say that: - - - -* Amazon EKS adds a key `eks-cluster-name` and value `my-cluster` to the session when EKS assumes the customer role and -* You add an `eks-cluster-name` tag to the IAM role with the value `my-own-cluster`. - -In this case, the former takes precedence and the value for the `eks-cluster-name` tag will be `my-cluster`. - -==== - -[.topic] -[[pod-id-minimum-sdk,pod-id-minimum-sdk.title]] -=== Use pod identity with the {aws} SDK - -[[pod-id-using-creds,pod-id-using-creds.title]] -==== Using EKS Pod Identity credentials - -To use the credentials from a EKS Pod Identity association, your code can use any {aws} SDK to create a client for an {aws} service with an SDK, and by default the SDK searches in a chain of locations for {aws} Identity and Access Management credentials to use. The EKS Pod Identity credentials will be used if you don't specify a credential provider when you create the client or otherwise initialized the SDK. - -This works because EKS Pod Identities have been added to the _Container credential provider_ which is searched in a step in the default credential chain. If your workloads currently use credentials that are earlier in the chain of credentials, those credentials will continue to be used even if you configure an EKS Pod Identity association for the same workload. - -For more information about how EKS Pod Identities work, see <>. - -When using <>, the containers in your [.noloc]`Pods` must use an {aws} SDK version that supports assuming an IAM role from the EKS Pod Identity Agent. Make sure that you're using the following versions, or later, for your {aws} SDK: - - - -* Java (Version 2) – https://github.com/aws/aws-sdk-java-v2/releases/tag/2.21.30[2.21.30] -* Java – https://github.com/aws/aws-sdk-java/releases/tag/1.12.746[1.12.746] -* Go v1 – https://github.com/aws/aws-sdk-go/releases/tag/v1.47.11[v1.47.11] -* Go v2 – https://github.com/aws/aws-sdk-go-v2/releases/tag/release-2023-11-14[release-2023-11-14] -* Python (Boto3) – https://github.com/boto/boto3/releases/tag/1.34.41[1.34.41] -* Python (botocore) – https://github.com/boto/botocore/releases/tag/1.34.41[1.34.41] -* {aws} CLI – https://github.com/aws/aws-cli/releases/tag/1.30.0[1.30.0] -+ -{aws} CLI – https://github.com/aws/aws-cli/releases/tag/2.15.0[2.15.0] -* JavaScript v2 – https://github.com/aws/aws-sdk-js/releases/tag/v2.1550.0[2.1550.0] -* JavaScript v3 – https://github.com/aws/aws-sdk-js-v3/releases/tag/v3.458.0[v3.458.0] -* Kotlin – https://github.com/awslabs/aws-sdk-kotlin/releases/tag/v1.0.1[v1.0.1] -* Ruby – https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-core/CHANGELOG.md#31880-2023-11-22[3.188.0] -* Rust – https://github.com/awslabs/aws-sdk-rust/releases/tag/release-2024-03-13[release-2024-03-13] -* {cpp} – https://github.com/aws/aws-sdk-cpp/releases/tag/1.11.263[1.11.263] -* .NET – https://github.com/aws/aws-sdk-net/releases/tag/3.7.734.0[3.7.734.0] -* PowerShell – https://www.powershellgallery.com/packages/{aws}.Tools.Common/4.1.502[4.1.502] -* PHP – https://github.com/aws/aws-sdk-php/releases/tag/3.287.1[3.287.1] - -To ensure that you're using a supported SDK, follow the installation instructions for your preferred SDK at link:tools/[Tools to Build on {aws},type="marketing"] when you build your containers. - -For a list of add-ons that support EKS Pod Identity, see <>. - -[.topic] -[[pod-id-agent-config-ipv6,pod-id-agent-config-ipv6.title]] -=== Disable `IPv6` in the EKS Pod Identity Agent - -[[pod-id-console,pod-id-console.title]] -==== {aws-management-console} -. To disable `IPv6` in the EKS Pod Identity Agent, add the following configuration to the *Optional configuration settings* of the EKS Add-on. -+ -.. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. -.. In the left navigation pane, select *Clusters*, and then select the name of the cluster that you want to configure the add-on for. -.. Choose the *Add-ons* tab. -.. Select the box in the top right of the EKS Pod Identity Agent add-on box and then choose *Edit*. -.. On the *Configure EKS Pod Identity Agent* page: -+ -... Select the *Version* that you'd like to use. We recommend that you keep the same version as the previous step, and update the version and configuration in separate actions. -... Expand the *Optional configuration settings*. -... Enter the JSON key `"agent":` and value of a nested JSON object with a key `"additionalArgs":` in *Configuration values*. The resulting text must be a valid JSON object. If this key and value are the only data in the text box, surround the key and value with curly braces `{ }`. The following example shows network policy is enabled: -+ -[source,json,subs="verbatim,attributes"] ----- -{ - "agent": { - "additionalArgs": { - "-b": "169.254.170.23" - } - } -} ----- -+ -This configuration sets the `IPv4` address to be the only address used by the agent. -.. To apply the new configuration by replacing the EKS Pod Identity Agent pods, choose *Save changes*. -+ -Amazon EKS applies changes to the EKS Add-ons by using a _rollout_ of the [.noloc]`Kubernetes` `DaemonSet` for EKS Pod Identity Agent. You can track the status of the rollout in the *Update history* of the add-on in the {aws-management-console} and with `kubectl rollout status daemonset/eks-pod-identity-agent --namespace kube-system`. -+ -`kubectl rollout` has the following commands: -+ -[source,shell,subs="verbatim,attributes"] ----- -$ kubectl rollout - -history -- View rollout history -pause -- Mark the provided resource as paused -restart -- Restart a resource -resume -- Resume a paused resource -status -- Show the status of the rollout -undo -- Undo a previous rollout ----- -+ -If the rollout takes too long, Amazon EKS will undo the rollout, and a message with the type of *Addon Update* and a status of *Failed* will be added to the *Update history* of the add-on. To investigate any issues, start from the history of the rollout, and run `kubectl logs` on a EKS Pod Identity Agent pod to see the logs of EKS Pod Identity Agent. -. If the new entry in the *Update history* has a status of *Successful*, then the rollout has completed and the add-on is using the new configuration in all of the EKS Pod Identity Agent pods. - -[[pod-id-cli,pod-id-cli.title]] -==== {aws} CLI -. To disable `IPv6` in the EKS Pod Identity Agent, add the following configuration to the *configuration values* of the EKS Add-on. -+ -Run the following {aws} CLI command. Replace `my-cluster` with the name of your cluster and the IAM role ARN with the role that you are using. -+ -[source,shell,subs="verbatim,attributes"] ----- -aws eks update-addon --cluster-name my-cluster --addon-name eks-pod-identity-agent \ - --resolve-conflicts PRESERVE --configuration-values '{"agent":{"additionalArgs": { "-b": "169.254.170.23"}}}' ----- -+ -This configuration sets the `IPv4` address to be the only address used by the agent. -+ -Amazon EKS applies changes to the EKS Add-ons by using a _rollout_ of the [.noloc]`Kubernetes` DaemonSet for EKS Pod Identity Agent. You can track the status of the rollout in the *Update history* of the add-on in the {aws-management-console} and with `kubectl rollout status daemonset/eks-pod-identity-agent --namespace kube-system`. -+ -`kubectl rollout` has the following commands: -+ -[source,shell,subs="verbatim,attributes"] ----- -kubectl rollout - -history -- View rollout history -pause -- Mark the provided resource as paused -restart -- Restart a resource -resume -- Resume a paused resource -status -- Show the status of the rollout -undo -- Undo a previous rollout ----- -+ -If the rollout takes too long, Amazon EKS will undo the rollout, and a message with the type of *Addon Update* and a status of *Failed* will be added to the *Update history* of the add-on. To investigate any issues, start from the history of the rollout, and run `kubectl logs` on a EKS Pod Identity Agent pod to see the logs of EKS Pod Identity Agent. - - -[.topic] -[[pod-id-role,pod-id-role.title]] -=== Create [.noloc]`IAM` role with trust policy required by [.noloc]`EKS Pod Identity` - -[abstract] --- -Learn how to configure the IAM trust policy for Amazon EKS Pod Identity to allow Kubernetes pods to assume IAM roles and access {aws} resources securely using Amazon EKS condition keys. --- - -[source,json,subs="verbatim,attributes"] ----- -{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AllowEksAuthToAssumeRoleForPodIdentity", - "Effect": "Allow", - "Principal": { - "Service": "pods.eks.amazonaws.com" - }, - "Action": [ - "sts:AssumeRole", - "sts:TagSession" - ] - } - ] -} ----- -*`sts:AssumeRole`*:: -EKS Pod Identity uses `AssumeRole` to assume the IAM role before passing the temporary credentials to your pods. - - -*`sts:TagSession`*:: -EKS Pod Identity uses `TagSession` to include _session tags_ in the requests to {aws} STS. -+ -You can use these tags in the _condition keys_ in the trust policy to restrict which service accounts, namespaces, and clusters can use this role. -+ -For a list of Amazon EKS condition keys, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-policy-keys[Conditions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the _Service Authorization Reference_. To learn which actions and resources you can use a condition key with, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"]. - - -[.topic] -[[iam-roles-for-service-accounts,iam-roles-for-service-accounts.title]] -== IAM roles for service accounts - -[abstract] --- -Learn how applications in your [.noloc]`Pods` can access {aws} services. --- - -Applications in a [.noloc]`Pod's` containers can use an {aws} SDK or the {aws} CLI to make API requests to {aws} services using {aws} Identity and Access Management (IAM) permissions. Applications must sign their {aws} API requests with {aws} credentials. IAM roles for service accounts provide the ability to manage credentials for your applications, similar to the way that Amazon EC2 instance profiles provide credentials to Amazon EC2 instances. Instead of creating and distributing your {aws} credentials to the containers or using the Amazon EC2 instance's role, you associate an IAM role with a [.noloc]`Kubernetes` service account and configure your [.noloc]`Pods` to use the service account. You can't use IAM roles for service accounts with <>. - -IAM roles for service accounts provide the following benefits: - -* *Least privilege* - – You can scope IAM permissions to a service account, and only [.noloc]`Pods` that use that service account have access to those permissions. This feature also eliminates the need for third-party solutions such as `kiam` or `kube2iam`. -* *Credential isolation* - – A [.noloc]`Pod's` containers can only retrieve credentials for the IAM role that's associated with the service account that the container uses. A container never has access to credentials that are used by other containers in other [.noloc]`Pods`. When using IAM roles for service accounts, the [.noloc]`Pod's` containers also have the permissions assigned to the <>, unless you block [.noloc]`Pod` access to the link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html[Amazon EC2 Instance Metadata Service (IMDS),type="documentation"]. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. -* *Auditability* - – Access and event logging is available through {aws} CloudTrail to help ensure retrospective auditing. - -Enable IAM roles for service accounts by completing the following procedures: - -. <> – You only complete this procedure once for each cluster. -+ -[NOTE] -==== -If you enabled the EKS VPC endpoint, the EKS OIDC service endpoint couldn't be accessed from inside that VPC. Consequently, your operations such as creating an OIDC provider with `eksctl` in the VPC will not work and will result in a timeout when attempting to request `https://oidc.eks.[.replaceable]``region``.amazonaws.com`. An example error message follows: - -[source,bash,subs="verbatim,attributes"] ----- -server cant find oidc.eks.region.amazonaws.com: NXDOMAIN ----- - -To complete this step, you can run the command outside the VPC, for example in {aws} CloudShell or on a computer connected to the internet. Alternatively, you can create a split-horizon conditional resolver in the VPC, such as Route 53 Resolver to use a different resolver for the OIDC Issuer URL and not use the VPC DNS for it. For an example of conditional forwarding in [.noloc]`CoreDNS`, see the https://github.com/aws/containers-roadmap/issues/2038[Amazon EKS feature request] on [.noloc]`GitHub`. -==== - -. <> – Complete this procedure for each unique set of permissions that you want an application to have. - -. <> – Complete this procedure for each [.noloc]`Pod` that needs access to {aws} services. - -. <> – Confirm that the workload uses an {aws} SDK of a supported version and that the workload uses the default credential chain. - - -[[irsa-oidc-background,irsa-oidc-background.title]] -=== IAM, [.noloc]`Kubernetes`, and [.noloc]`OpenID Connect` ([.noloc]`OIDC`) background information - -In 2014, {aws} Identity and Access Management added support for federated identities using [.noloc]`OpenID Connect` ([.noloc]`OIDC`). This feature allows you to authenticate {aws} API calls with supported identity providers and receive a valid [.noloc]`OIDC` [.noloc]`JSON` web token ([.noloc]`JWT`). You can pass this token to the {aws} STS `AssumeRoleWithWebIdentity` API operation and receive IAM temporary role credentials. You can use these credentials to interact with any {aws} service, including Amazon S3 and DynamoDB. - -Each JWT token is signed by a signing key pair. The keys are served on the OIDC provider managed by Amazon EKS and the private key rotates every 7 days. Amazon EKS keeps the public keys until they expire. If you connect external OIDC clients, be aware that you need to refresh the signing keys before the public key expires. Learn how to <>. - -[.noloc]`Kubernetes` has long used service accounts as its own internal identity system. [.noloc]`Pods` can authenticate with the [.noloc]`Kubernetes` API server using an auto-mounted token (which was a non-[.noloc]`OIDC` [.noloc]`JWT`) that only the [.noloc]`Kubernetes` API server could validate. These legacy service account tokens don't expire, and rotating the signing key is a difficult process. In [.noloc]`Kubernetes` version `1.12`, support was added for a new `ProjectedServiceAccountToken` feature. This feature is an [.noloc]`OIDC` [.noloc]`JSON` web token that also contains the service account identity and supports a configurable audience. - -Amazon EKS hosts a public [.noloc]`OIDC` discovery endpoint for each cluster that contains the signing keys for the `ProjectedServiceAccountToken` [.noloc]`JSON` web tokens so external systems, such as IAM, can validate and accept the [.noloc]`OIDC` tokens that are issued by [.noloc]`Kubernetes`. - -[.topic] -[[enable-iam-roles-for-service-accounts,enable-iam-roles-for-service-accounts.title]] -=== Create an IAM [.noloc]`OIDC` provider for your cluster - -[abstract] --- -Learn how to create an {aws} Identity and Access Management [.noloc]`OpenID Connect` provider for your cluster. --- - -Your cluster has an https://openid.net/connect/[OpenID Connect] ([.noloc]`OIDC`) issuer URL associated with it. To use {aws} Identity and Access Management (IAM) roles for service accounts, an IAM [.noloc]`OIDC` provider must exist for your cluster's [.noloc]`OIDC` issuer URL. - - - -* An existing Amazon EKS cluster. To deploy one, see <>. -* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. -* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. -* An existing `kubectl` `config` file that contains your cluster configuration. To create a `kubectl` `config` file, see <>. - -You can create an IAM [.noloc]`OIDC` provider for your cluster using `eksctl` or the {aws-management-console}. - -==== Create OIDC provider (eksctl) - -. Version `{eksctl-min-version}` or later of the `eksctl` command line tool installed on your device or {aws} CloudShell. To install or update `eksctl`, see https://eksctl.io/installation[Installation] in the `eksctl` documentation. -+ -. Determine the [.noloc]`OIDC` issuer ID for your cluster. -+ -Retrieve your cluster's [.noloc]`OIDC` issuer ID and store it in a variable. Replace [.replaceable]`my-cluster` with your own value. -+ -[source,bash,subs="verbatim,attributes"] ----- -cluster_name=my-cluster ----- -[source,bash,subs="verbatim,attributes"] ----- -oidc_id=$(aws eks describe-cluster --name $cluster_name --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5) ----- -[source,bash,subs="verbatim,attributes"] ----- -echo $oidc_id ----- -. Determine whether an IAM [.noloc]`OIDC` provider with your cluster's issuer ID is already in your account. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4 ----- -+ -If output is returned, then you already have an IAM [.noloc]`OIDC` provider for your cluster and you can skip the next step. If no output is returned, then you must create an IAM [.noloc]`OIDC` provider for your cluster. -. Create an IAM [.noloc]`OIDC` identity provider for your cluster with the following command. -+ -[source,bash,subs="verbatim,attributes"] ----- -eksctl utils associate-iam-oidc-provider --cluster $cluster_name --approve ----- -+ -NOTE: If you enabled the EKS VPC endpoint, the EKS OIDC service endpoint couldn't be accessed from inside that VPC. Consequently, your operations such as creating an OIDC provider with `eksctl` in the VPC will not work and will result in a timeout when attempting to request `https://oidc.eks.[.replaceable]``region``.amazonaws.com`. An example error message follows: - -[source,bash,subs="verbatim,attributes"] ----- -** server cant find oidc.eks.region.amazonaws.com: NXDOMAIN ----- - -To complete this step, you can run the command outside the VPC, for example in {aws} CloudShell or on a computer connected to the internet. Alternatively, you can create a split-horizon conditional resolver in the VPC, such as Route 53 Resolver to use a different resolver for the OIDC Issuer URL and not use the VPC DNS for it. For an example of conditional forwarding in [.noloc]`CoreDNS`, see the https://github.com/aws/containers-roadmap/issues/2038[Amazon EKS feature request] on [.noloc]`GitHub`. - - -==== Create OIDC provider ({aws} Console) - -. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. -. In the left pane, select *Clusters*, and then select the name of your cluster on the *Clusters* page. -. In the *Details* section on the *Overview* tab, note the value of the *OpenID Connect provider URL*. -. Open the IAM console at https://console.aws.amazon.com/iam/. -. In the left navigation pane, choose *Identity Providers* under *Access management*. If a *Provider* is listed that matches the URL for your cluster, then you already have a provider for your cluster. If a provider isn't listed that matches the URL for your cluster, then you must create one. -. To create a provider, choose *Add provider*. -. For *Provider type*, select *[.noloc]`OpenID Connect`*. -. For *Provider URL*, enter the [.noloc]`OIDC` provider URL for your cluster. -. For *Audience*, enter `sts.amazonaws.com`. -. (Optional) Add any tags, for example a tag to identify which cluster is for this provider. -. Choose *Add provider*. - - -Next step: -<> - -[.topic] -[[associate-service-account-role,associate-service-account-role.title]] -=== Assign [.noloc]`IAM` roles to [.noloc]`Kubernetes` service accounts - -[abstract] --- -Discover how to configure a Kubernetes service account to assume an IAM role, enabling Pods to securely access {aws} services with granular permissions. --- - -This topic covers how to configure a [.noloc]`Kubernetes` service account to assume an {aws} Identity and Access Management (IAM) role. Any [.noloc]`Pods` that are configured to use the service account can then access any {aws} service that the role has permissions to access. - -==== Prerequisites - -* An existing cluster. If you don't have one, you can create one by following one of the guides in <>. -* An existing IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To learn if you already have one or how to create one, see <>. -* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. -* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. -* An existing `kubectl` `config` file that contains your cluster configuration. To create a `kubectl` `config` file, see <>. - - -[[irsa-associate-role-procedure,irsa-associate-role-procedure.title]] -==== Step 1: Create IAM Policy - -If you want to associate an existing IAM policy to your IAM role, skip to the next step. - - -. Create an IAM policy. You can create your own policy, or copy an {aws} managed policy that already grants some of the permissions that you need and customize it to your specific requirements. For more information, see link:IAM/latest/UserGuide/access_policies_create.html[Creating IAM policies,type="documentation"] in the _IAM User Guide_. -+ -. Create a file that includes the permissions for the {aws} services that you want your [.noloc]`Pods` to access. For a list of all actions for all {aws} services, see the link:service-authorization/latest/reference/[Service Authorization Reference,type="documentation"]. -+ -You can run the following command to create an example policy file that allows read-only access to an Amazon S3 bucket. You can optionally store configuration information or a bootstrap script in this bucket, and the containers in your [.noloc]`Pod` can read the file from the bucket and load it into your application. If you want to create this example policy, copy the following contents to your device. Replace [.replaceable]`my-pod-secrets-bucket` with your bucket name and run the command. -+ -[source,json,subs="verbatim,attributes"] ----- -cat >my-policy.json <my-service-account.yaml <> for more information. -+ -[source,json,subs="verbatim,attributes"] ----- -cat >trust-relationship.json <>. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl annotate serviceaccount -n $namespace $service_account eks.amazonaws.com/role-arn={arn-aws}iam::$account_id:role/my-role ----- -. (Optional) <>. {aws} recommends using a regional {aws} STS endpoint instead of the global endpoint. This reduces latency, provides built-in redundancy, and increases session token validity. - - -[[irsa-confirm-role-configuration,irsa-confirm-role-configuration.title]] -==== Step 3: Confirm configuration -. Confirm that the IAM role's trust policy is configured correctly. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws iam get-role --role-name my-role --query Role.AssumeRolePolicyDocument ----- -+ -An example output is as follows. -+ -[source,json,subs="verbatim,attributes"] ----- -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Federated": "{arn-aws}iam::111122223333:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE" - }, - "Action": "sts:AssumeRoleWithWebIdentity", - "Condition": { - "StringEquals": { - "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:default:my-service-account", - "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:aud": "sts.amazonaws.com" - } - } - } - ] -} ----- -. Confirm that the policy that you attached to your role in a previous step is attached to the role. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws iam list-attached-role-policies --role-name my-role --query AttachedPolicies[].PolicyArn --output text ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -{arn-aws}iam::111122223333:policy/my-policy ----- -. Set a variable to store the Amazon Resource Name (ARN) of the policy that you want to use. Replace [.replaceable]`my-policy` with the name of the policy that you want to confirm permissions for. -+ -[source,bash,subs="verbatim,attributes"] ----- -export policy_arn={arn-aws}iam::111122223333:policy/my-policy ----- -. View the default version of the policy. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws iam get-policy --policy-arn $policy_arn ----- -+ -An example output is as follows. -+ -[source,json,subs="verbatim,attributes"] ----- -{ - "Policy": { - "PolicyName": "my-policy", - "PolicyId": "EXAMPLEBIOWGLDEXAMPLE", - "Arn": "{arn-aws}iam::111122223333:policy/my-policy", - "Path": "/", - "DefaultVersionId": "v1", - [...] - } -} ----- -. View the policy contents to make sure that the policy includes all the permissions that your [.noloc]`Pod` needs. If necessary, replace [.replaceable]`1` in the following command with the version that's returned in the previous output. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws iam get-policy-version --policy-arn $policy_arn --version-id v1 ----- -+ -An example output is as follows. -+ -[source,json,subs="verbatim,attributes"] ----- -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "s3:GetObject", - "Resource": "{arn-aws}s3:::my-pod-secrets-bucket" - } - ] -} ----- -+ -If you created the example policy in a previous step, then your output is the same. If you created a different policy, then the [.replaceable]`example` content is different. -. Confirm that the [.noloc]`Kubernetes` service account is annotated with the role. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl describe serviceaccount my-service-account -n default ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -Name: my-service-account -Namespace: default -Annotations: eks.amazonaws.com/role-arn: {arn-aws}iam::111122223333:role/my-role -Image pull secrets: -Mountable secrets: my-service-account-token-qqjfl -Tokens: my-service-account-token-qqjfl -[...] ----- - - -==== Next steps - -* <> - -[.topic] -[[pod-configuration,pod-configuration.title]] -=== Configure [.noloc]`Pods` to use a [.noloc]`Kubernetes` service account - -[abstract] --- -Learn how to configure your [.noloc]`Pods` to use a [.noloc]`Kubernetes` service account that you allowed to assume an {aws} Identity and Access Management role. --- - -If a [.noloc]`Pod` needs to access {aws} services, then you must configure it to use a [.noloc]`Kubernetes` service account. The service account must be associated to an {aws} Identity and Access Management (IAM) role that has permissions to access the {aws} services. - - - -* An existing cluster. If you don't have one, you can create one using one of the guides in <>. -* An existing IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To learn if you already have one or how to create one, see <>. -* An existing [.noloc]`Kubernetes` service account that's associated with an IAM role. The service account must be annotated with the Amazon Resource Name (ARN) of the IAM role. The role must have an associated IAM policy that contains the permissions that you want your [.noloc]`Pods` to have to use {aws} services. For more information about how to create the service account and role, and configure them, see <>. -* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. -* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. -* An existing `kubectl` `config` file that contains your cluster configuration. To create a `kubectl` `config` file, see <>. -. Use the following command to create a deployment manifest that you can deploy a [.noloc]`Pod` to confirm configuration with. Replace the [.replaceable]`example values` with your own values. -+ -[source,yaml,subs="verbatim,attributes"] ----- -cat >my-deployment.yaml <>. -.. Confirm that the [.noloc]`Pod` has a web identity token file mount. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl describe pod my-app-6f4dfff6cb-76cv9 | grep AWS_WEB_IDENTITY_TOKEN_FILE: ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token ----- -+ -The `kubelet` requests and stores the token on behalf of the [.noloc]`Pod`. By default, the `kubelet` refreshes the token if the token is older than 80 percent of its total time to live or older than 24 hours. You can modify the expiration duration for any account other than the default service account by using the settings in your [.noloc]`Pod` spec. For more information, see https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection[Service Account Token Volume Projection] in the [.noloc]`Kubernetes` documentation. -+ -The https://github.com/aws/amazon-eks-pod-identity-webhook#amazon-eks-pod-identity-webhook[Amazon EKS Pod Identity Webhook] on the cluster watches for [.noloc]`Pods` that use a service account with the following annotation: -+ -[source,bash,subs="verbatim,attributes"] ----- -eks.amazonaws.com/role-arn: {arn-aws}iam::111122223333:role/my-role ----- -+ -The webhook applies the previous environment variables to those [.noloc]`Pods`. Your cluster doesn't need to use the webhook to configure the environment variables and token file mounts. You can manually configure [.noloc]`Pods` to have these environment variables. The <> look for these environment variables first in the credential chain provider. The role credentials are used for [.noloc]`Pods` that meet this criteria. -. Confirm that your [.noloc]`Pods` can interact with the {aws} services using the permissions that you assigned in the IAM policy attached to your role. -+ -NOTE: When a [.noloc]`Pod` uses {aws} credentials from an IAM role that's associated with a service account, the {aws} CLI or other SDKs in the containers for that [.noloc]`Pod` use the credentials that are provided by that role. If you don't restrict access to the credentials that are provided to the <>, the [.noloc]`Pod` still has access to these credentials. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. -+ -If your [.noloc]`Pods` can't interact with the services as you expected, complete the following steps to confirm that everything is properly configured. -+ -.. Confirm that your [.noloc]`Pods` use an {aws} SDK version that supports assuming an IAM role through an [.noloc]`OpenID Connect` web identity token file. For more information, see <>. -.. Confirm that the deployment is using the service account. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl describe deployment my-app | grep "Service Account" ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -Service Account: my-service-account ----- -.. If your [.noloc]`Pods` still can't access services, review the <> that are described in <> to confirm that your role and service account are configured properly. - - -[.topic] -[[configure-sts-endpoint,configure-sts-endpoint.title]] -=== Configure the {aws} Security Token Service endpoint for a service account - -If you're using a [.noloc]`Kubernetes` service account with <>, then you can configure the type of {aws} Security Token Service endpoint that's used by the service account if your cluster and platform version are the same or later than those listed in the following table. - -{aws} recommends using the regional {aws} STS endpoints instead of the global endpoint. This reduces latency, provides built-in redundancy, and increases session token validity. The {aws} Security Token Service must be active in the {aws} Region where the [.noloc]`Pod` is running. Moreover, your application must have built-in redundancy for a different {aws} Region in the event of a failure of the service in the {aws} Region. For more information, see link:IAM/latest/UserGuide/id_credentials_temp_enable-regions.html[Managing {aws} STS in an {aws} Region,type="documentation"] in the IAM User Guide. - - - -* An existing cluster. If you don't have one, you can create one using one of the guides in <>. -* An existing IAM OIDC provider for your cluster. For more information, see <>. -* An existing [.noloc]`Kubernetes` service account configured for use with the <> feature. - -The following examples all use the aws-node [.noloc]`Kubernetes` service account used by the <>. You can replace the [.replaceable]`example values` with your own service accounts, [.noloc]`Pods`, namespaces, and other resources. - -. Select a [.noloc]`Pod` that uses a service account that you want to change the endpoint for. Determine which {aws} Region that the [.noloc]`Pod` runs in. Replace [.replaceable]`aws-node-6mfgv` with your [.noloc]`Pod` name and [.replaceable]`kube-system` with your [.noloc]`Pod's` namespace. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl describe pod aws-node-6mfgv -n kube-system |grep Node: ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -ip-192-168-79-166.us-west-2/192.168.79.166 ----- -+ -In the previous output, the [.noloc]`Pod` is running on a node in the us-west-2 {aws} Region. -. Determine the endpoint type that the [.noloc]`Pod's` service account is using. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl describe pod aws-node-6mfgv -n kube-system |grep AWS_STS_REGIONAL_ENDPOINTS ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -AWS_STS_REGIONAL_ENDPOINTS: regional ----- -+ -If the current endpoint is global, then `global` is returned in the output. If no output is returned, then the default endpoint type is in use and has not been overridden. -. If your cluster or platform version are the same or later than those listed in the table, then you can change the endpoint type used by your service account from the default type to a different type with one of the following commands. Replace [.replaceable]`aws-node` with the name of your service account and [.replaceable]`kube-system` with the namespace for your service account. -+ -** If your default or current endpoint type is global and you want to change it to regional: -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl annotate serviceaccount -n kube-system aws-node eks.amazonaws.com/sts-regional-endpoints=true ----- -// Not using [.noloc]`Pods'` because the ' character seems to mess up the processing. -+ -If you're using <> to generate pre-signed S3 URLs in your application running in Pods' containers, the format of the URL for regional endpoints is similar to the following example: -+ -[source,none,subs="verbatim,attributes"] ----- -https://bucket.s3.us-west-2.amazonaws.com/path?...&X-Amz-Credential=your-access-key-id/date/us-west-2/s3/aws4_request&... ----- -** If your default or current endpoint type is regional and you want to change it to global: -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl annotate serviceaccount -n kube-system aws-node eks.amazonaws.com/sts-regional-endpoints=false ----- -+ -If your application is explicitly making requests to {aws} STS global endpoints and you don't override the default behavior of using regional endpoints in Amazon EKS clusters, then requests will fail with an error. For more information, see <>. -// Not using [.noloc]`Pods'` because the ' character seems to mess up the processing. -+ -If you're using <> to generate pre-signed S3 URLs in your application running in Pods' containers, the format of the URL for global endpoints is similar to the following example: -+ -[source,none,subs="verbatim,attributes"] ----- -https://bucket.s3.amazonaws.com/path?...&X-Amz-Credential=your-access-key-id/date/us-west-2/s3/aws4_request&... ----- - -+ -If you have automation that expects the pre-signed URL in a certain format or if your application or downstream dependencies that use pre-signed URLs have expectations for the {aws} Region targeted, then make the necessary changes to use the appropriate {aws} STS endpoint. -. Delete and re-create any existing [.noloc]`Pods` that are associated with the service account to apply the credential environment variables. The mutating web hook doesn't apply them to [.noloc]`Pods` that are already running. You can replace [.replaceable]`Pods`, [.replaceable]`kube-system`, and [.replaceable]`-l k8s-app=aws-node` with the information for the [.noloc]`Pods` that you set your annotation for. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl delete Pods -n kube-system -l k8s-app=aws-node ----- -. Confirm that the all [.noloc]`Pods` restarted. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl get Pods -n kube-system -l k8s-app=aws-node ----- -. View the environment variables for one of the [.noloc]`Pods`. Verify that the `AWS_STS_REGIONAL_ENDPOINTS` value is what you set it to in a previous step. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl describe pod aws-node-kzbtr -n kube-system |grep AWS_STS_REGIONAL_ENDPOINTS ----- -+ -An example output is as follows. -+ -[source,bash,subs="verbatim,attributes"] ----- -AWS_STS_REGIONAL_ENDPOINTS=regional ----- - - -[.topic] -[[cross-account-access,cross-account-access.title]] -=== Authenticate to another account with IRSA - -[abstract] --- -Learn how to configure cross-account IAM permissions for Amazon EKS clusters by creating an identity provider from another account's cluster or using chained AssumeRole operations, enabling secure access to {aws} resources across multiple accounts. --- - -You can configure cross-account IAM permissions either by creating an identity provider from another account's cluster or by using chained `AssumeRole` operations. In the following examples, _Account A_ owns an Amazon EKS cluster that supports IAM roles for service accounts. [.noloc]`Pods` that are running on that cluster must assume IAM permissions from _Account B_. - -.Create an identity provider from another account's cluster -==== - -==== - -==== - -In this example, Account A provides Account B with the OpenID Connect (OIDC) issuer URL from their cluster. Account B follows the instructions in <> and <> using the OIDC issuer URL from Account A's cluster. Then, a cluster administrator annotates the service account in Account A's cluster to use the role from Account B ([.replaceable]`444455556666`). - -[source,yaml,subs="verbatim,attributes"] ----- -apiVersion: v1 -kind: ServiceAccount -metadata: - annotations: - eks.amazonaws.com/role-arn: {arn-aws}iam::444455556666:role/account-b-role ----- - -==== - -.Use chained `AssumeRole` operations -==== - -==== - -==== - -In this example, Account B creates an IAM policy with the permissions to give to [.noloc]`Pods` in Account A's cluster. Account B ([.replaceable]`444455556666`) attaches that policy to an IAM role with a trust relationship that allows `AssumeRole` permissions to Account A ([.replaceable]`111122223333`). - -[source,json,subs="verbatim,attributes"] ----- -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "{aws}": "{arn-aws}iam::111122223333:root" - }, - "Action": "sts:AssumeRole", - "Condition": {} - } - ] -} ----- - -Account A creates a role with a trust policy that gets credentials from the identity provider created with the cluster's OIDC issuer address. - -[source,json,subs="verbatim,attributes"] ----- -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Federated": "{arn-aws}iam::111122223333:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE" - }, - "Action": "sts:AssumeRoleWithWebIdentity" - } - ] -} ----- - -Account A attaches a policy to that role with the following permissions to assume the role that Account B created. - -[source,json,subs="verbatim,attributes"] ----- -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Resource": "{arn-aws}iam::444455556666:role/account-b-role" - } - ] -} ----- - -The application code for [.noloc]`Pods` to assume Account B's role uses two profiles: `account_b_role` and `account_a_role`. The `account_b_role` profile uses the `account_a_role` profile as its source. For the {aws} CLI, the `~/.aws/config` file is similar to the following. - -[source,none,subs="verbatim,attributes"] ----- -[profile account_b_role] -source_profile = account_a_role -role_arn={arn-aws}iam::444455556666:role/account-b-role - -[profile account_a_role] -web_identity_token_file = /var/run/secrets/eks.amazonaws.com/serviceaccount/token -role_arn={arn-aws}iam::111122223333:role/account-a-role ----- - -To specify chained profiles for other {aws} SDKs, consult the documentation for the SDK that you're using. For more information, see link:developer/tools/[Tools to Build on {aws},type="marketing"]. - -==== - -[.topic] -[[iam-roles-for-service-accounts-minimum-sdk,iam-roles-for-service-accounts-minimum-sdk.title]] -=== Use IRSA with the {aws} SDK - -.Using the credentials -To use the credentials from IAM roles for service accounts, your code can use any {aws} SDK to create a client for an {aws} service with an SDK, and by default the SDK searches in a chain of locations for {aws} Identity and Access Management credentials to use. The IAM roles for service accounts credentials will be used if you don't specify a credential provider when you create the client or otherwise initialized the SDK. - -This works because IAM roles for service accounts have been added as a step in the default credential chain. If your workloads currently use credentials that are earlier in the chain of credentials, those credentials will continue to be used even if you configure an IAM roles for service accounts for the same workload. - -The SDK automatically exchanges the service account [.noloc]`OIDC` token for temporary credentials from {aws} Security Token Service by using the `AssumeRoleWithWebIdentity` action. Amazon EKS and this SDK action continue to rotate the temporary credentials by renewing them before they expire. - -When using <>, the containers in your [.noloc]`Pods` must use an {aws} SDK version that supports assuming an IAM role through an [.noloc]`OpenID Connect` web identity token file. Make sure that you're using the following versions, or later, for your {aws} SDK: - - - -* Java (Version 2) – https://github.com/aws/aws-sdk-java-v2/releases/tag/2.10.11[2.10.11] -* Java – https://github.com/aws/aws-sdk-java/releases/tag/1.11.704[1.11.704] -* Go – https://github.com/aws/aws-sdk-go/releases/tag/v1.23.13[1.23.13] -* Python (Boto3) – https://github.com/boto/boto3/releases/tag/1.9.220[1.9.220] -* Python (botocore) – https://github.com/boto/botocore/releases/tag/1.12.200[1.12.200] -* {aws} CLI – https://github.com/aws/aws-cli/releases/tag/1.16.232[1.16.232] -* Node – https://github.com/aws/aws-sdk-js/releases/tag/v2.525.0[2.525.0] and https://github.com/aws/aws-sdk-js-v3/releases/tag/v3.27.0[3.27.0] -* Ruby – https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-core/CHANGELOG.md#3580-2019-07-01[3.58.0] -* {cpp} – https://github.com/aws/aws-sdk-cpp/releases/tag/1.7.174[1.7.174] -* .NET – https://github.com/aws/aws-sdk-net/releases/tag/3.3.659.1[3.3.659.1] – You must also include `AWSSDK.SecurityToken`. -* PHP – https://github.com/aws/aws-sdk-php/releases/tag/3.110.7[3.110.7] - -Many popular [.noloc]`Kubernetes` add-ons, such as the https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler[Cluster Autoscaler], the <>, and the <> support IAM roles for service accounts. - -To ensure that you're using a supported SDK, follow the installation instructions for your preferred SDK at link:tools/[Tools to Build on {aws},type="marketing"] when you build your containers. - -[.topic] -[[irsa-fetch-keys,irsa-fetch-keys.title]] -=== Fetch signing keys to validate [.noloc]`OIDC` tokens - -[abstract] --- -Discover how to fetch the OIDC public signing keys (JSON Web Key Set) required to validate the ProjectedServiceAccountToken for Amazon EKS clusters, enabling external systems to authenticate with IAM roles for Kubernetes service accounts. --- - -[.noloc]`Kubernetes` issues a `ProjectedServiceAccountToken` to each [.noloc]`Kubernetes` [.noloc]`Service Account`. This token is an [.noloc]`OIDC` token, which is further a type of [.noloc]`JSON web token (JWT)`. Amazon EKS hosts a public [.noloc]`OIDC` endpoint for each cluster that contains the signing keys for the token so external systems can validate it. - -To validate a `ProjectedServiceAccountToken`, you need to fetch the [.noloc]`OIDC` public signing keys, also called the [.noloc]`JSON Web Key Set (JWKS)`. Use these keys in your application to validate the token. For example, you can use the https://pyjwt.readthedocs.io/en/latest/[PyJWT Python library] to validate tokens using these keys. For more information on the `ProjectedServiceAccountToken`, see <>. - -==== Prerequisites - -* An existing {aws} Identity and Access Management (IAM) [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you already have one, or to create one, see <>. -* *{aws} CLI* -- A command line tool for working with {aws} services, including Amazon EKS. For more information, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. After installing the {aws} CLI, we recommend that you also configure it. For more information, see link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the {aws} Command Line Interface User Guide. - -==== Procedure - -. Retrieve the [.noloc]`OIDC` URL for your Amazon EKS cluster using the {aws} CLI. -+ -[source,bash,subs="verbatim,attributes"] ----- -$ aws eks describe-cluster --name my-cluster --query 'cluster.identity.oidc.issuer' -"https://oidc.eks.us-west-2.amazonaws.com/id/8EBDXXXX00BAE" ----- -. Retrieve the public signing key using [.noloc]`curl`, or a similar tool. The result is a https://www.rfc-editor.org/rfc/rfc7517#section-5[JSON Web Key Set (JWKS)]. -+ -IMPORTANT: Amazon EKS throttles calls to the [.noloc]`OIDC` endpoint. You should cache the public signing key. Respect the `cache-control` header included in the response. -+ -IMPORTANT: Amazon EKS rotates the [.noloc]`OIDC` signing key every seven days. -+ -[source,bash,subs="verbatim,attributes"] ----- -$ curl https://oidc.eks.us-west-2.amazonaws.com/id/8EBDXXXX00BAE/keys -{"keys":[{"kty":"RSA","kid":"2284XXXX4a40","use":"sig","alg":"RS256","n":"wklbXXXXMVfQ","e":"AQAB"}]} ----- diff --git a/latest/ug/manage-access/create-kubeconfig.adoc b/latest/ug/manage-access/create-kubeconfig.adoc index 1b7a27f2b..90195c259 100644 --- a/latest/ug/manage-access/create-kubeconfig.adoc +++ b/latest/ug/manage-access/create-kubeconfig.adoc @@ -1,4 +1,3 @@ - [.topic] [[create-kubeconfig,create-kubeconfig.title]] = Connect [.noloc]`kubectl` to an EKS cluster by creating a [.noloc]`kubeconfig` file diff --git a/latest/ug/manage-access/k8s-access/access-entries.adoc b/latest/ug/manage-access/k8s-access/access-entries.adoc index f84dd25c8..f60de6451 100644 --- a/latest/ug/manage-access/k8s-access/access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/access-entries.adoc @@ -1,10 +1,10 @@ [.topic] [[access-entries,access-entries.title]] = Grant [.noloc]`IAM` users access to [.noloc]`Kubernetes` with EKS access entries +:info_titleabbrev: Grant permissions include::../../attributes.txt[] - include::access-policies.adoc[leveloffset=+1] include::migrating-access-entries.adoc[leveloffset=+1] @@ -57,266 +57,11 @@ NOTE: Previously, this administrative access was granted automatically and could [.topic] -[[setting-up-access-entries,setting-up-access-entries.title]] -== Change authentication mode to use access entries - -To begin using access entries, you must change the authentication mode of the cluster to either the `API_AND_CONFIG_MAP` or `API` modes. This adds the API for access entries. - -[[access-entries-setup-console,access-entries-setup-console.title]] -=== {aws} Console - -. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. -. Choose the name of the cluster that you want to create an access entry in. -. Choose the *Access* tab. -. The *Authentication mode* shows the current authentication mode of the cluster. If the mode says [.noloc]`EKS API`, you can already add access entries and you can skip the remaining steps. -. Choose *Manage access*. -. For *Cluster authentication mode*, select a mode with the [.noloc]`EKS API`. Note that you can't change the authentication mode back to a mode that removes the [.noloc]`EKS API` and access entries. -. Choose *Save changes*. Amazon EKS begins to update the cluster, the status of the cluster changes to [.noloc]`Updating`, and the change is recorded in the *Update history* tab. -. Wait for the status of the cluster to return to [.noloc]`Active`. When the cluster is [.noloc]`Active`, you can follow the steps in <> to add access to the cluster for IAM principals. - -[[access-setup-cli,access-setup-cli.title]] -=== {aws} CLI - -. Install the {aws} CLI, as described in link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] in the _{aws} Command Line Interface User Guide_. -. Run the following command. Replace [.replaceable]`my-cluster` with the name of your cluster. If you want to disable the `ConfigMap` method permanently, replace `API_AND_CONFIG_MAP` with `API`. -+ -Amazon EKS begins to update the cluster, the status of the cluster changes to [.noloc]`UPDATING`, and the change is recorded in the [command]*aws eks list-updates*. -+ -[source,bash] ----- -aws eks update-cluster-config --name my-cluster --access-config authenticationMode=API_AND_CONFIG_MAP ----- -. Wait for the status of the cluster to return to [.noloc]`Active`. When the cluster is [.noloc]`Active`, you can follow the steps in <> to add access to the cluster for IAM principals. - - -=== Required platform version - -To use _access entries_, the cluster must have a platform version that is the same or later than the version listed in the following table, or a [.noloc]`Kubernetes` version that is later than the versions listed in the table. If your Kubernetes version is not listed, all platform versions support access entries. - -[cols="1,1", options="header"] -|=== -|Kubernetes version -|Platform version - - -|`1.30` -|`eks.2` - -|`1.29` -|`eks.1` - -|`1.28` -|`eks.6` - -|`1.27` -|`eks.10` - -|`1.26` -|`eks.11` - -|`1.25` -|`eks.12` - -|`1.24` -|`eks.15` - -|`1.23` -|`eks.17` -|=== - -For more information, see <>. - - -[.topic] -[[creating-access-entries,creating-access-entries.title]] -== Create access entries - - -Before creating access entries, consider the following: - -* A properly set authentication mode. See <>. -* An _access entry_ includes the Amazon Resource Name (ARN) of one, and only one, existing IAM principal. An IAM principal can't be included in more than one access entry. Additional considerations for the ARN that you specify: -+ -** IAM best practices recommend accessing your cluster using IAM _roles_ that have short-term credentials, rather than IAM _users_ that have long-term credentials. For more information, see link:IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp[Require human users to use federation with an identity provider to access {aws} using temporary credentials,type="documentation"] in the _IAM User Guide_. -** If the ARN is for an IAM role, it _can_ include a path. ARNs in `aws-auth` `ConfigMap` entries, _can't_ include a path. For example, your ARN can be `{arn-aws}iam::<111122223333>:role/` or `{arn-aws}iam::<111122223333>:role/`. -** If the type of the access entry is anything other than `STANDARD` (see next consideration about types), the ARN must be in the same {aws} account that your cluster is in. If the type is `STANDARD`, the ARN can be in the same, or different, {aws} account than the account that your cluster is in. -** You can't change the IAM principal after the access entry is created. -** If you ever delete the IAM principal with this ARN, the access entry isn't automatically deleted. We recommend that you delete the access entry with an ARN for an IAM principal that you delete. If you don't delete the access entry and ever recreate the IAM principal, even if it has the same ARN, the access entry won't work. This is because even though the ARN is the same for the recreated IAM principal, the `roleID` or `userID` (you can see this with the `aws sts get-caller-identity` {aws} CLI command) is different for the recreated IAM principal than it was for the original IAM principal. Even though you don't see the IAM principal's `roleID` or `userID` for an access entry, Amazon EKS stores it with the access entry. -* Each access entry has a _type_. If you don't specify a type, Amazon EKS automatically sets the type to `STANDARD` -** `EC2_LINUX` - For an IAM role used with Linux or Bottlerocket self-managed nodes -** `EC2_WINDOWS` - For an IAM role used with Windows self-managed nodes -** `FARGATE_LINUX` - For an IAM role used with {aws} Fargate (Fargate) -** `HYBRID_LINUX` - For an IAM role used with hybrid nodes -** `STANDARD` - Default type if none specified -** `EC2` - For EKS Auto Mode custom node classes. For more information, see <>. -** You can't change the type after the access entry is created. -* It's unnecessary to create an access entry for an IAM role that's used for a managed node group or a Fargate profile. EKS will create access entries (if enabled), or update the auth config map (if access entries are unavailable) -* If the type of the access entry is `STANDARD`, you can specify a _username_ for the access entry. If you don't specify a value for username, Amazon EKS sets one of the following values for you, depending on the type of the access entry and whether the IAM principal that you specified is an IAM role or IAM user. Unless you have a specific reason for specifying your own username, we recommend that don't specify one and let Amazon EKS auto-generate it for you. If you specify your own username: -+ -** It can't start with `system:`, `eks:`, `aws:`, `amazon:`, or `iam:`. -** If the username is for an IAM role, we recommend that you add `{{SessionName}}` to the end of your username. If you add `{{SessionName}}` to your username, the username must include a colon _before_ {{SessionName}}. When this role is assumed, the name of the session specified when assuming the role is automatically passed to the cluster and will appear in CloudTrail logs. For example, you can't have a username of `john{{SessionName}}`. The username would have to be `:john{{SessionName}}` or `jo:hn{{SessionName}}`. The colon only has to be before `{{SessionName}}`. The username generated by Amazon EKS in the following table includes an ARN. Since an ARN includes colons, it meets this requirement. The colon isn't required if you don't include `{{SessionName}}` in your username. Note that the special character "@" is replaced with "-" in the session name. -+ -[cols="1,1,1", options="header"] -|=== -|IAM principal type -|Type -|Username value that Amazon EKS automatically sets - - -|User -|`STANDARD` -|The ARN of the user. Example: `{arn-aws}iam::<111122223333>:user/` - -|Role -|`STANDARD` -|The STS ARN of the role when it's assumed. Amazon EKS appends `{{SessionName}}` to the role. - -Example: `{arn-aws}sts::<111122223333>:assumed-role//{{SessionName}}` - -If the ARN of the role that you specified contained a path, Amazon EKS removes it in the generated username. - -|Role -|`EC2_LINUX` or `EC2_Windows` -|`system:node:{{EC2PrivateDNSName}}` - -|Role -|`FARGATE_LINUX` -|`system:node:{{SessionName}}` - -|Role -|`HYBRID_LINUX` -|`system:node:{{SessionName}}` -|=== -+ -You can change the username after the access entry is created. -* If an access entry's type is `STANDARD`, and you want to use [.noloc]`Kubernetes` RBAC authorization, you can add one or more _group names_ to the access entry. After you create an access entry you can add and remove group names. For the IAM principal to have access to [.noloc]`Kubernetes` objects on your cluster, you must create and manage [.noloc]`Kubernetes` role-based authorization (RBAC) objects. Create [.noloc]`Kubernetes` `RoleBinding` or `ClusterRoleBinding` objects on your cluster that specify the group name as a `subject` for `kind: Group`. [.noloc]`Kubernetes` authorizes the IAM principal access to any cluster objects that you've specified in a [.noloc]`Kubernetes` `Role` or `ClusterRole` object that you've also specified in your binding's `roleRef`. If you specify group names, we recommend that you're familiar with the [.noloc]`Kubernetes` role-based authorization (RBAC) objects. For more information, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Using RBAC Authorization] in the [.noloc]`Kubernetes` documentation. -+ -IMPORTANT: Amazon EKS doesn't confirm that any [.noloc]`Kubernetes` RBAC objects that exist on your cluster include any of the group names that you specify. For example, if you create an access entry for group that currently doesn't exist, EKS will create the group instead of returning an error. -+ -Instead of, or in addition to, [.noloc]`Kubernetes` authorizing the IAM principal access to [.noloc]`Kubernetes` objects on your cluster, you can associate Amazon EKS _access policies_ to an access entry. Amazon EKS authorizes IAM principals to access [.noloc]`Kubernetes` objects on your cluster with the permissions in the access policy. You can scope an access policy's permissions to [.noloc]`Kubernetes` namespaces that you specify. Use of access policies don't require you to manage [.noloc]`Kubernetes` RBAC objects. For more information, see <>. -* If you create an access entry with type `EC2_LINUX` or `EC2_Windows`, the IAM principal creating the access entry must have the `iam:PassRole` permission. For more information, see link:IAM/latest/UserGuide/id_roles_use_passrole.html[Granting a user permissions to pass a role to an {aws} service,type="documentation"] in the _IAM User Guide_. -* Similar to standard link:IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency[IAM behavior,type="documentation"], access entry creation and updates are eventually consistent, and may take several seconds to be effective after the initial API call returns successfully. You must design your applications to account for these potential delays. We recommend that you don't include access entry creates or updates in the critical, high- availability code paths of your application. Instead, make changes in a separate initialization or setup routine that you run less frequently. Also, be sure to verify that the changes have been propagated before production workflows depend on them. -* Access entries do not support link:IAM/latest/UserGuide/using-service-linked-roles.html[service linked roles,type="documentation"]. You cannot create access entries where the principal ARN is a service linked role. You can identify service linked roles by their ARN, which is in the format `{arn-aws}iam::*:role/aws-service-role/*`. - -You can create an access entry using the {aws-management-console} or the {aws} CLI. - - -[[access-create-console,access-create-console.title]] -=== {aws-management-console} -. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. -. Choose the name of the cluster that you want to create an access entry in. -. Choose the *Access* tab. -. Choose *Create access entry*. -. For *IAM principal*, select an existing IAM role or user. IAM best practices recommend accessing your cluster using IAM _roles_ that have short-term credentials, rather than IAM _users_ that have long-term credentials. For more information, see link:IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp[Require human users to use federation with an identity provider to access {aws} using temporary credentials,type="documentation"] in the _IAM User Guide_. -. For *Type*, if the access entry is for the node role used for self-managed Amazon EC2 nodes, select *EC2 Linux* or *EC2 Windows*. Otherwise, accept the default (*Standard*). -. If the *Type* you chose is *Standard* and you want to specify a *Username*, enter the username. -. If the *Type* you chose is *Standard* and you want to use [.noloc]`Kubernetes` RBAC authorization for the IAM principal, specify one or more names for *Groups*. If you don't specify any group names and want to use Amazon EKS authorization, you can associate an access policy in a later step, or after the access entry is created. -. (Optional) For *Tags*, assign labels to the access entry. For example, to make it easier to find all resources with the same tag. -. Choose *Next*. -. On the *Add access policy* page, if the type you chose was *Standard* and you want Amazon EKS to authorize the IAM principal to have permissions to the [.noloc]`Kubernetes` objects on your cluster, complete the following steps. Otherwise, choose *Next*. -+ -.. For *Policy name*, choose an access policy. You can't view the permissions of the access policies, but they include similar permissions to those in the [.noloc]`Kubernetes` user-facing `ClusterRole` objects. For more information, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles[User-facing roles] in the [.noloc]`Kubernetes` documentation. -.. Choose one of the following options: -+ -*** *Cluster* – Choose this option if you want Amazon EKS to authorize the IAM principal to have the permissions in the access policy for all [.noloc]`Kubernetes` objects on your cluster. -*** *[.noloc]`Kubernetes` namespace* – Choose this option if you want Amazon EKS to authorize the IAM principal to have the permissions in the access policy for all [.noloc]`Kubernetes` objects in a specific [.noloc]`Kubernetes` namespace on your cluster. For *Namespace*, enter the name of the [.noloc]`Kubernetes` namespace on your cluster. If you want to add additional namespaces, choose *Add new namespace* and enter the namespace name. -.. If you want to add additional policies, choose *Add policy*. You can scope each policy differently, but you can add each policy only once. -.. Choose *Next*. -. Review the configuration for your access entry. If anything looks incorrect, choose *Previous* to go back through the steps and correct the error. If the configuration is correct, choose *Create*. - -[[access-create-cli,access-create-cli.title]] -=== {aws} CLI - -. Install the {aws} CLI, as described in link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. -. To create an access entry -You can use any of the following examples to create access entries: -+ -** Create an access entry for a self-managed Amazon EC2 Linux node group. Replace [.replaceable]`my-cluster` with the name of your cluster, [.replaceable]`111122223333` with your {aws} account ID, and [.replaceable]`EKS-my-cluster-self-managed-ng-1` with the name of your link:eks/latest/userguide/create-node-role.html[node IAM role,type="documentation"]. If your node group is a Windows node group, then replace [.replaceable]`EC2_LINUX` with `EC2_Windows`. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks create-access-entry --cluster-name my-cluster --principal-arn {arn-aws}iam::111122223333:role/EKS-my-cluster-self-managed-ng-1 --type EC2_LINUX ----- -+ -You can't use the `--kubernetes-groups` option when you specify a type other than `STANDARD`. You can't associate an access policy to this access entry, because its type is a value other than `STANDARD`. -** Create an access entry that allows an IAM role that's not used for an Amazon EC2 self-managed node group, that you want [.noloc]`Kubernetes` to authorize access to your cluster with. Replace [.replaceable]`my-cluster` with the name of your cluster, [.replaceable]`111122223333` with your {aws} account ID, and [.replaceable]`my-role` with the name of your IAM role. Replace [.replaceable]`Viewers` with the name of a group that you've specified in a [.noloc]`Kubernetes` `RoleBinding` or `ClusterRoleBinding` object on your cluster. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks create-access-entry --cluster-name my-cluster --principal-arn {arn-aws}iam::111122223333:role/my-role --type STANDARD --user Viewers --kubernetes-groups Viewers ----- -** Create an access entry that allows an IAM user to authenticate to your cluster. This example is provided because this is possible, though IAM best practices recommend accessing your cluster using IAM _roles_ that have short-term credentials, rather than IAM _users_ that have long-term credentials. For more information, see link:IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp[Require human users to use federation with an identity provider to access {aws} using temporary credentials,type="documentation"] in the _IAM User Guide_. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks create-access-entry --cluster-name my-cluster --principal-arn {arn-aws}iam::111122223333:user/my-user --type STANDARD --username my-user ----- -+ -If you want this user to have more access to your cluster than the permissions in the [.noloc]`Kubernetes` API discovery roles, then you need to associate an access policy to the access entry, since the `--kubernetes-groups` option isn't used. For more information, see <> and https://kubernetes.io/docs/reference/access-authn-authz/rbac/#discovery-roles[API discovery roles] in the [.noloc]`Kubernetes` documentation. - - -[.topic] -[[updating-access-entries,updating-access-entries.title]] -== Update access entries - -You can update an access entry using the {aws-management-console} or the {aws} CLI. - - -[[access-update-console,access-update-console.title]] -=== {aws-management-console} -. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. -. Choose the name of the cluster that you want to create an access entry in. -. Choose the *Access* tab. -. Choose the access entry that you want to update. -. Choose *Edit*. -. For *Username*, you can change the existing value. -. For *Groups*, you can remove existing group names or add new group names. If the following groups names exist, don't remove them: *system:nodes* or *system:bootstrappers*. Removing these groups can cause your cluster to function improperly. If you don't specify any group names and want to use Amazon EKS authorization, associate an xref:access-policies[access policy,linkend=access-policies] in a later step. -. For *Tags*, you can assign labels to the access entry. For example, to make it easier to find all resources with the same tag. You can also remove existing tags. -. Choose *Save changes*. -. If you want to associate an access policy to the entry, see <>. - -[[access-update-cli,access-update-cli.title]] -=== {aws} CLI -. Install the {aws} CLI, as described in link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. -. To update an access entry -Replace [.replaceable]`my-cluster` with the name of your cluster, [.replaceable]`111122223333` with your {aws} account ID, and [.replaceable]`EKS-my-cluster-my-namespace-Viewers` with the name of an IAM role. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks update-access-entry --cluster-name my-cluster --principal-arn {arn-aws}iam::111122223333:role/EKS-my-cluster-my-namespace-Viewers --kubernetes-groups Viewers ----- -+ -You can't use the `--kubernetes-groups` option if the type of the access entry is a value other than `STANDARD`. You also can't associate an access policy to an access entry with a type other than `STANDARD`. - - -[.topic] -[[deleting-access-entries,deleting-access-entries.title]] -== Delete access entries - -If you discover that you deleted an access entry in error, you can always recreate it. If the access entry that you're deleting is associated to any access policies, the associations are automatically deleted. You don't have to disassociate access policies from an access entry before deleting the access entry. - -You can delete an access entry using the {aws-management-console} or the {aws} CLI. - - -[[access-delete-console,access-delete-console.title]] -=== {aws-management-console} -. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. -. Choose the name of the cluster that you want to delete an access entry from. -. Choose the *Access* tab. -. In the *Access entries* list, choose the access entry that you want to delete. -. Choose Delete. -. In the confirmation dialog box, choose *Delete*. +include::setting-up-access-entries.adoc[leveloffset=+1] -[[access-delete-cli,access-delete-cli.title]] -=== {aws} CLI -. Install the {aws} CLI, as described in link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. -. To delete an access entry -Replace [.replaceable]`my-cluster` with the name of your cluster, [.replaceable]`111122223333` with your {aws} account ID, and [.replaceable]`my-role` with the name of the IAM role that you no longer want to have access to your cluster. -+ -[source,bash,subs="verbatim,attributes"] ----- -aws eks delete-access-entry --cluster-name my-cluster --principal-arn {arn-aws}iam::111122223333:role/my-role ----- +include::creating-access-entries.adoc[leveloffset=+1] +include::updating-access-entries.adoc[leveloffset=+1] +include::deleting-access-entries.adoc[leveloffset=+1] diff --git a/latest/ug/manage-access/k8s-access/access-policies.adoc b/latest/ug/manage-access/k8s-access/access-policies.adoc index c0bfa175f..6be46b093 100644 --- a/latest/ug/manage-access/k8s-access/access-policies.adoc +++ b/latest/ug/manage-access/k8s-access/access-policies.adoc @@ -1,6 +1,7 @@ [.topic] [[access-policies,access-policies.title]] = Associate access policies with access entries +:info_titleabbrev: Associate access policies include::../../attributes.txt[] diff --git a/latest/ug/manage-access/k8s-access/access-policy-reference.adoc b/latest/ug/manage-access/k8s-access/access-policy-reference.adoc index c55384a0b..b7011f458 100644 --- a/latest/ug/manage-access/k8s-access/access-policy-reference.adoc +++ b/latest/ug/manage-access/k8s-access/access-policy-reference.adoc @@ -1,6 +1,7 @@ [.topic] [[access-policy-permissions,access-policy-permissions.title]] = Review access policy permissions +:info_titleabbrev: Review access policies include::../../attributes.txt[] diff --git a/latest/ug/manage-access/k8s-access/auth-configmap.adoc b/latest/ug/manage-access/k8s-access/auth-configmap.adoc index 162e95474..c79464cbe 100644 --- a/latest/ug/manage-access/k8s-access/auth-configmap.adoc +++ b/latest/ug/manage-access/k8s-access/auth-configmap.adoc @@ -1,10 +1,10 @@ [.topic] [[auth-configmap,auth-configmap.title]] = Grant [.noloc]`IAM` users access to [.noloc]`Kubernetes` with a [.noloc]`ConfigMap` +:info_titleabbrev: aws-auth ConfigMap include::../../attributes.txt[] - [abstract] -- Learn how to manage IAM principal access to your Amazon EKS cluster using the aws-auth ConfigMap and Kubernetes RBAC, allowing authorized users and roles to interact with the cluster securely. diff --git a/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc b/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc index 08317d460..8ed885575 100644 --- a/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc +++ b/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc @@ -1,6 +1,7 @@ [.topic] [[authenticate-oidc-identity-provider,authenticate-oidc-identity-provider.title]] = Grant users access to [.noloc]`Kubernetes` with an external [.noloc]`OIDC` provider +:info_titleabbrev: Link OIDC provider include::../../attributes.txt[] diff --git a/latest/ug/manage-access/k8s-access/creating-access-entries.adoc b/latest/ug/manage-access/k8s-access/creating-access-entries.adoc new file mode 100644 index 000000000..5bdd8b810 --- /dev/null +++ b/latest/ug/manage-access/k8s-access/creating-access-entries.adoc @@ -0,0 +1,130 @@ +[.topic] +[[creating-access-entries,creating-access-entries.title]] += Create access entries +:info_titleabbrev: Create access entries + +include::../../attributes.txt[] + +Before creating access entries, consider the following: + +* A properly set authentication mode. See <>. +* An _access entry_ includes the Amazon Resource Name (ARN) of one, and only one, existing IAM principal. An IAM principal can't be included in more than one access entry. Additional considerations for the ARN that you specify: ++ +** IAM best practices recommend accessing your cluster using IAM _roles_ that have short-term credentials, rather than IAM _users_ that have long-term credentials. For more information, see link:IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp[Require human users to use federation with an identity provider to access {aws} using temporary credentials,type="documentation"] in the _IAM User Guide_. +** If the ARN is for an IAM role, it _can_ include a path. ARNs in `aws-auth` `ConfigMap` entries, _can't_ include a path. For example, your ARN can be `{arn-aws}iam::<111122223333>:role/` or `{arn-aws}iam::<111122223333>:role/`. +** If the type of the access entry is anything other than `STANDARD` (see next consideration about types), the ARN must be in the same {aws} account that your cluster is in. If the type is `STANDARD`, the ARN can be in the same, or different, {aws} account than the account that your cluster is in. +** You can't change the IAM principal after the access entry is created. +** If you ever delete the IAM principal with this ARN, the access entry isn't automatically deleted. We recommend that you delete the access entry with an ARN for an IAM principal that you delete. If you don't delete the access entry and ever recreate the IAM principal, even if it has the same ARN, the access entry won't work. This is because even though the ARN is the same for the recreated IAM principal, the `roleID` or `userID` (you can see this with the `aws sts get-caller-identity` {aws} CLI command) is different for the recreated IAM principal than it was for the original IAM principal. Even though you don't see the IAM principal's `roleID` or `userID` for an access entry, Amazon EKS stores it with the access entry. +* Each access entry has a _type_. If you don't specify a type, Amazon EKS automatically sets the type to `STANDARD` +** `EC2_LINUX` - For an IAM role used with Linux or Bottlerocket self-managed nodes +** `EC2_WINDOWS` - For an IAM role used with Windows self-managed nodes +** `FARGATE_LINUX` - For an IAM role used with {aws} Fargate (Fargate) +** `HYBRID_LINUX` - For an IAM role used with hybrid nodes +** `STANDARD` - Default type if none specified +** `EC2` - For EKS Auto Mode custom node classes. For more information, see <>. +** You can't change the type after the access entry is created. +* It's unnecessary to create an access entry for an IAM role that's used for a managed node group or a Fargate profile. EKS will create access entries (if enabled), or update the auth config map (if access entries are unavailable) +* If the type of the access entry is `STANDARD`, you can specify a _username_ for the access entry. If you don't specify a value for username, Amazon EKS sets one of the following values for you, depending on the type of the access entry and whether the IAM principal that you specified is an IAM role or IAM user. Unless you have a specific reason for specifying your own username, we recommend that don't specify one and let Amazon EKS auto-generate it for you. If you specify your own username: ++ +** It can't start with `system:`, `eks:`, `aws:`, `amazon:`, or `iam:`. +** If the username is for an IAM role, we recommend that you add `{{SessionName}}` to the end of your username. If you add `{{SessionName}}` to your username, the username must include a colon _before_ {{SessionName}}. When this role is assumed, the name of the session specified when assuming the role is automatically passed to the cluster and will appear in CloudTrail logs. For example, you can't have a username of `john{{SessionName}}`. The username would have to be `:john{{SessionName}}` or `jo:hn{{SessionName}}`. The colon only has to be before `{{SessionName}}`. The username generated by Amazon EKS in the following table includes an ARN. Since an ARN includes colons, it meets this requirement. The colon isn't required if you don't include `{{SessionName}}` in your username. Note that the special character "@" is replaced with "-" in the session name. ++ +[cols="1,1,1", options="header"] +|=== +|IAM principal type +|Type +|Username value that Amazon EKS automatically sets + + +|User +|`STANDARD` +|The ARN of the user. Example: `{arn-aws}iam::<111122223333>:user/` + +|Role +|`STANDARD` +|The STS ARN of the role when it's assumed. Amazon EKS appends `{{SessionName}}` to the role. + +Example: `{arn-aws}sts::<111122223333>:assumed-role//{{SessionName}}` + +If the ARN of the role that you specified contained a path, Amazon EKS removes it in the generated username. + +|Role +|`EC2_LINUX` or `EC2_Windows` +|`system:node:{{EC2PrivateDNSName}}` + +|Role +|`FARGATE_LINUX` +|`system:node:{{SessionName}}` + +|Role +|`HYBRID_LINUX` +|`system:node:{{SessionName}}` +|=== ++ +You can change the username after the access entry is created. +* If an access entry's type is `STANDARD`, and you want to use [.noloc]`Kubernetes` RBAC authorization, you can add one or more _group names_ to the access entry. After you create an access entry you can add and remove group names. For the IAM principal to have access to [.noloc]`Kubernetes` objects on your cluster, you must create and manage [.noloc]`Kubernetes` role-based authorization (RBAC) objects. Create [.noloc]`Kubernetes` `RoleBinding` or `ClusterRoleBinding` objects on your cluster that specify the group name as a `subject` for `kind: Group`. [.noloc]`Kubernetes` authorizes the IAM principal access to any cluster objects that you've specified in a [.noloc]`Kubernetes` `Role` or `ClusterRole` object that you've also specified in your binding's `roleRef`. If you specify group names, we recommend that you're familiar with the [.noloc]`Kubernetes` role-based authorization (RBAC) objects. For more information, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Using RBAC Authorization] in the [.noloc]`Kubernetes` documentation. ++ +IMPORTANT: Amazon EKS doesn't confirm that any [.noloc]`Kubernetes` RBAC objects that exist on your cluster include any of the group names that you specify. For example, if you create an access entry for group that currently doesn't exist, EKS will create the group instead of returning an error. ++ +Instead of, or in addition to, [.noloc]`Kubernetes` authorizing the IAM principal access to [.noloc]`Kubernetes` objects on your cluster, you can associate Amazon EKS _access policies_ to an access entry. Amazon EKS authorizes IAM principals to access [.noloc]`Kubernetes` objects on your cluster with the permissions in the access policy. You can scope an access policy's permissions to [.noloc]`Kubernetes` namespaces that you specify. Use of access policies don't require you to manage [.noloc]`Kubernetes` RBAC objects. For more information, see <>. +* If you create an access entry with type `EC2_LINUX` or `EC2_Windows`, the IAM principal creating the access entry must have the `iam:PassRole` permission. For more information, see link:IAM/latest/UserGuide/id_roles_use_passrole.html[Granting a user permissions to pass a role to an {aws} service,type="documentation"] in the _IAM User Guide_. +* Similar to standard link:IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency[IAM behavior,type="documentation"], access entry creation and updates are eventually consistent, and may take several seconds to be effective after the initial API call returns successfully. You must design your applications to account for these potential delays. We recommend that you don't include access entry creates or updates in the critical, high- availability code paths of your application. Instead, make changes in a separate initialization or setup routine that you run less frequently. Also, be sure to verify that the changes have been propagated before production workflows depend on them. +* Access entries do not support link:IAM/latest/UserGuide/using-service-linked-roles.html[service linked roles,type="documentation"]. You cannot create access entries where the principal ARN is a service linked role. You can identify service linked roles by their ARN, which is in the format `{arn-aws}iam::*:role/aws-service-role/*`. + +You can create an access entry using the {aws-management-console} or the {aws} CLI. + + +[[access-create-console,access-create-console.title]] +== {aws-management-console} +. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. +. Choose the name of the cluster that you want to create an access entry in. +. Choose the *Access* tab. +. Choose *Create access entry*. +. For *IAM principal*, select an existing IAM role or user. IAM best practices recommend accessing your cluster using IAM _roles_ that have short-term credentials, rather than IAM _users_ that have long-term credentials. For more information, see link:IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp[Require human users to use federation with an identity provider to access {aws} using temporary credentials,type="documentation"] in the _IAM User Guide_. +. For *Type*, if the access entry is for the node role used for self-managed Amazon EC2 nodes, select *EC2 Linux* or *EC2 Windows*. Otherwise, accept the default (*Standard*). +. If the *Type* you chose is *Standard* and you want to specify a *Username*, enter the username. +. If the *Type* you chose is *Standard* and you want to use [.noloc]`Kubernetes` RBAC authorization for the IAM principal, specify one or more names for *Groups*. If you don't specify any group names and want to use Amazon EKS authorization, you can associate an access policy in a later step, or after the access entry is created. +. (Optional) For *Tags*, assign labels to the access entry. For example, to make it easier to find all resources with the same tag. +. Choose *Next*. +. On the *Add access policy* page, if the type you chose was *Standard* and you want Amazon EKS to authorize the IAM principal to have permissions to the [.noloc]`Kubernetes` objects on your cluster, complete the following steps. Otherwise, choose *Next*. ++ +.. For *Policy name*, choose an access policy. You can't view the permissions of the access policies, but they include similar permissions to those in the [.noloc]`Kubernetes` user-facing `ClusterRole` objects. For more information, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles[User-facing roles] in the [.noloc]`Kubernetes` documentation. +.. Choose one of the following options: ++ +*** *Cluster* – Choose this option if you want Amazon EKS to authorize the IAM principal to have the permissions in the access policy for all [.noloc]`Kubernetes` objects on your cluster. +*** *[.noloc]`Kubernetes` namespace* – Choose this option if you want Amazon EKS to authorize the IAM principal to have the permissions in the access policy for all [.noloc]`Kubernetes` objects in a specific [.noloc]`Kubernetes` namespace on your cluster. For *Namespace*, enter the name of the [.noloc]`Kubernetes` namespace on your cluster. If you want to add additional namespaces, choose *Add new namespace* and enter the namespace name. +.. If you want to add additional policies, choose *Add policy*. You can scope each policy differently, but you can add each policy only once. +.. Choose *Next*. +. Review the configuration for your access entry. If anything looks incorrect, choose *Previous* to go back through the steps and correct the error. If the configuration is correct, choose *Create*. + +[[access-create-cli,access-create-cli.title]] +== {aws} CLI + +. Install the {aws} CLI, as described in link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. +. To create an access entry +You can use any of the following examples to create access entries: ++ +** Create an access entry for a self-managed Amazon EC2 Linux node group. Replace [.replaceable]`my-cluster` with the name of your cluster, [.replaceable]`111122223333` with your {aws} account ID, and [.replaceable]`EKS-my-cluster-self-managed-ng-1` with the name of your link:eks/latest/userguide/create-node-role.html[node IAM role,type="documentation"]. If your node group is a Windows node group, then replace [.replaceable]`EC2_LINUX` with `EC2_Windows`. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks create-access-entry --cluster-name my-cluster --principal-arn {arn-aws}iam::111122223333:role/EKS-my-cluster-self-managed-ng-1 --type EC2_LINUX +---- ++ +You can't use the `--kubernetes-groups` option when you specify a type other than `STANDARD`. You can't associate an access policy to this access entry, because its type is a value other than `STANDARD`. +** Create an access entry that allows an IAM role that's not used for an Amazon EC2 self-managed node group, that you want [.noloc]`Kubernetes` to authorize access to your cluster with. Replace [.replaceable]`my-cluster` with the name of your cluster, [.replaceable]`111122223333` with your {aws} account ID, and [.replaceable]`my-role` with the name of your IAM role. Replace [.replaceable]`Viewers` with the name of a group that you've specified in a [.noloc]`Kubernetes` `RoleBinding` or `ClusterRoleBinding` object on your cluster. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks create-access-entry --cluster-name my-cluster --principal-arn {arn-aws}iam::111122223333:role/my-role --type STANDARD --user Viewers --kubernetes-groups Viewers +---- +** Create an access entry that allows an IAM user to authenticate to your cluster. This example is provided because this is possible, though IAM best practices recommend accessing your cluster using IAM _roles_ that have short-term credentials, rather than IAM _users_ that have long-term credentials. For more information, see link:IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp[Require human users to use federation with an identity provider to access {aws} using temporary credentials,type="documentation"] in the _IAM User Guide_. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks create-access-entry --cluster-name my-cluster --principal-arn {arn-aws}iam::111122223333:user/my-user --type STANDARD --username my-user +---- ++ +If you want this user to have more access to your cluster than the permissions in the [.noloc]`Kubernetes` API discovery roles, then you need to associate an access policy to the access entry, since the `--kubernetes-groups` option isn't used. For more information, see <> and https://kubernetes.io/docs/reference/access-authn-authz/rbac/#discovery-roles[API discovery roles] in the [.noloc]`Kubernetes` documentation. + + diff --git a/latest/ug/manage-access/k8s-access/deleting-access-entries.adoc b/latest/ug/manage-access/k8s-access/deleting-access-entries.adoc new file mode 100644 index 000000000..1f7f83338 --- /dev/null +++ b/latest/ug/manage-access/k8s-access/deleting-access-entries.adoc @@ -0,0 +1,31 @@ +[.topic] +[[deleting-access-entries,deleting-access-entries.title]] += Delete access entries + +include::../../attributes.txt[] + +If you discover that you deleted an access entry in error, you can always recreate it. If the access entry that you're deleting is associated to any access policies, the associations are automatically deleted. You don't have to disassociate access policies from an access entry before deleting the access entry. + +You can delete an access entry using the {aws-management-console} or the {aws} CLI. + + +[[access-delete-console,access-delete-console.title]] +== {aws-management-console} +. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. +. Choose the name of the cluster that you want to delete an access entry from. +. Choose the *Access* tab. +. In the *Access entries* list, choose the access entry that you want to delete. +. Choose Delete. +. In the confirmation dialog box, choose *Delete*. + +[[access-delete-cli,access-delete-cli.title]] +== {aws} CLI +. Install the {aws} CLI, as described in link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. +. To delete an access entry +Replace [.replaceable]`my-cluster` with the name of your cluster, [.replaceable]`111122223333` with your {aws} account ID, and [.replaceable]`my-role` with the name of the IAM role that you no longer want to have access to your cluster. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks delete-access-entry --cluster-name my-cluster --principal-arn {arn-aws}iam::111122223333:role/my-role +---- + diff --git a/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc b/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc index 57166c99b..6ff308d23 100644 --- a/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc +++ b/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc @@ -1,6 +1,7 @@ [.topic] [[disassociate-oidc-identity-provider,disassociate-oidc-identity-provider.title]] = Disassociate an [.noloc]`OIDC` identity provider from your cluster +:info_titleabbrev: Unlink OIDC provider include::../../attributes.txt[] diff --git a/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc b/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc index 373363009..0ee2f8c84 100644 --- a/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc +++ b/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc @@ -1,7 +1,7 @@ [.topic] [[grant-k8s-access,grant-k8s-access.title]] = Grant [.noloc]`IAM` users and roles access to Kubernetes [.noloc]`APIs` -:info_titleabbrev: Grant access to Kubernetes APIs +:info_titleabbrev: Kubernetes API access include::../../attributes.txt[] diff --git a/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc b/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc index 2de93b6e3..26c5f0d13 100644 --- a/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc @@ -1,6 +1,7 @@ [.topic] [[migrating-access-entries,migrating-access-entries.title]] = Migrating existing `aws-auth ConfigMap` entries to access entries +:info_titleabbrev: Migrate to access entries include::../../attributes.txt[] diff --git a/latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc b/latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc new file mode 100644 index 000000000..efc80a0c1 --- /dev/null +++ b/latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc @@ -0,0 +1,74 @@ +[.topic] +[[setting-up-access-entries,setting-up-access-entries.title]] += Change authentication mode to use access entries +:info_titleabbrev: Authentication mode + +include::../../attributes.txt[] + +To begin using access entries, you must change the authentication mode of the cluster to either the `API_AND_CONFIG_MAP` or `API` modes. This adds the API for access entries. + +[[access-entries-setup-console,access-entries-setup-console.title]] +== {aws} Console + +. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. +. Choose the name of the cluster that you want to create an access entry in. +. Choose the *Access* tab. +. The *Authentication mode* shows the current authentication mode of the cluster. If the mode says [.noloc]`EKS API`, you can already add access entries and you can skip the remaining steps. +. Choose *Manage access*. +. For *Cluster authentication mode*, select a mode with the [.noloc]`EKS API`. Note that you can't change the authentication mode back to a mode that removes the [.noloc]`EKS API` and access entries. +. Choose *Save changes*. Amazon EKS begins to update the cluster, the status of the cluster changes to [.noloc]`Updating`, and the change is recorded in the *Update history* tab. +. Wait for the status of the cluster to return to [.noloc]`Active`. When the cluster is [.noloc]`Active`, you can follow the steps in <> to add access to the cluster for IAM principals. + +[[access-setup-cli,access-setup-cli.title]] +== {aws} CLI + +. Install the {aws} CLI, as described in link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] in the _{aws} Command Line Interface User Guide_. +. Run the following command. Replace [.replaceable]`my-cluster` with the name of your cluster. If you want to disable the `ConfigMap` method permanently, replace `API_AND_CONFIG_MAP` with `API`. ++ +Amazon EKS begins to update the cluster, the status of the cluster changes to [.noloc]`UPDATING`, and the change is recorded in the [command]*aws eks list-updates*. ++ +[source,bash] +---- +aws eks update-cluster-config --name my-cluster --access-config authenticationMode=API_AND_CONFIG_MAP +---- +. Wait for the status of the cluster to return to [.noloc]`Active`. When the cluster is [.noloc]`Active`, you can follow the steps in <> to add access to the cluster for IAM principals. + + +== Required platform version + +To use _access entries_, the cluster must have a platform version that is the same or later than the version listed in the following table, or a [.noloc]`Kubernetes` version that is later than the versions listed in the table. If your Kubernetes version is not listed, all platform versions support access entries. + +[cols="1,1", options="header"] +|=== +|Kubernetes version +|Platform version + + +|`1.30` +|`eks.2` + +|`1.29` +|`eks.1` + +|`1.28` +|`eks.6` + +|`1.27` +|`eks.10` + +|`1.26` +|`eks.11` + +|`1.25` +|`eks.12` + +|`1.24` +|`eks.15` + +|`1.23` +|`eks.17` +|=== + +For more information, see <>. + + diff --git a/latest/ug/manage-access/k8s-access/updating-access-entries.adoc b/latest/ug/manage-access/k8s-access/updating-access-entries.adoc new file mode 100644 index 000000000..1cf451fe8 --- /dev/null +++ b/latest/ug/manage-access/k8s-access/updating-access-entries.adoc @@ -0,0 +1,36 @@ +[.topic] +[[updating-access-entries,updating-access-entries.title]] += Update access entries + +include::../../attributes.txt[] + +You can update an access entry using the {aws-management-console} or the {aws} CLI. + + +[[access-update-console,access-update-console.title]] +== {aws-management-console} +. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. +. Choose the name of the cluster that you want to create an access entry in. +. Choose the *Access* tab. +. Choose the access entry that you want to update. +. Choose *Edit*. +. For *Username*, you can change the existing value. +. For *Groups*, you can remove existing group names or add new group names. If the following groups names exist, don't remove them: *system:nodes* or *system:bootstrappers*. Removing these groups can cause your cluster to function improperly. If you don't specify any group names and want to use Amazon EKS authorization, associate an xref:access-policies[access policy,linkend=access-policies] in a later step. +. For *Tags*, you can assign labels to the access entry. For example, to make it easier to find all resources with the same tag. You can also remove existing tags. +. Choose *Save changes*. +. If you want to associate an access policy to the entry, see <>. + +[[access-update-cli,access-update-cli.title]] +== {aws} CLI +. Install the {aws} CLI, as described in link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. +. To update an access entry +Replace [.replaceable]`my-cluster` with the name of your cluster, [.replaceable]`111122223333` with your {aws} account ID, and [.replaceable]`EKS-my-cluster-my-namespace-Viewers` with the name of an IAM role. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks update-access-entry --cluster-name my-cluster --principal-arn {arn-aws}iam::111122223333:role/EKS-my-cluster-my-namespace-Viewers --kubernetes-groups Viewers +---- ++ +You can't use the `--kubernetes-groups` option if the type of the access entry is a value other than `STANDARD`. You also can't associate an access policy to an access entry with a type other than `STANDARD`. + + diff --git a/latest/ug/manage-access/view-kubernetes-resources.adoc b/latest/ug/manage-access/view-kubernetes-resources.adoc index 8aa51eaa7..b89c7d525 100644 --- a/latest/ug/manage-access/view-kubernetes-resources.adoc +++ b/latest/ug/manage-access/view-kubernetes-resources.adoc @@ -3,7 +3,7 @@ include::../attributes.txt[] [.topic] [[view-kubernetes-resources,view-kubernetes-resources.title]] = View [.noloc]`Kubernetes` resources in the {aws-management-console} -:info_titleabbrev: Access cluster resources with console +:info_titleabbrev: Access cluster resources [abstract] -- diff --git a/latest/ug/ml/node-efa.adoc b/latest/ug/ml/node-efa.adoc index 5deb39a12..b07aa637c 100644 --- a/latest/ug/ml/node-efa.adoc +++ b/latest/ug/ml/node-efa.adoc @@ -3,7 +3,7 @@ [.topic] [[node-efa,node-efa.title]] = Run machine learning training on Amazon EKS with [.noloc]`Elastic Fabric Adapter` -:info_titleabbrev: Prepare training clusters with EFA +:info_titleabbrev: Training clusters with EFA include::../attributes.txt[] diff --git a/latest/ug/networking/cni-custom-network-tutorial.adoc b/latest/ug/networking/cni-custom-network-tutorial.adoc index dd189cfed..d5b450a86 100644 --- a/latest/ug/networking/cni-custom-network-tutorial.adoc +++ b/latest/ug/networking/cni-custom-network-tutorial.adoc @@ -1,7 +1,7 @@ [.topic] [[cni-custom-network-tutorial,cni-custom-network-tutorial.title]] = Customize the secondary network interface in Amazon EKS nodes -:info_titleabbrev: Secondary network interface +:info_titleabbrev: Secondary interface include::../attributes.txt[] diff --git a/latest/ug/networking/cni-network-policy-configure.adoc b/latest/ug/networking/cni-network-policy-configure.adoc index 626907545..c4854a699 100644 --- a/latest/ug/networking/cni-network-policy-configure.adoc +++ b/latest/ug/networking/cni-network-policy-configure.adoc @@ -1,7 +1,7 @@ [.topic] [[cni-network-policy-configure,cni-network-policy-configure.title]] = Restrict Pod network traffic with [.noloc]`Kubernetes` network policies -:info_titleabbrev: Restrict network traffic +:info_titleabbrev: Restrict traffic include::../attributes.txt[] diff --git a/latest/ug/networking/cni-network-policy.adoc b/latest/ug/networking/cni-network-policy.adoc index 7dc6e97df..e2c119228 100644 --- a/latest/ug/networking/cni-network-policy.adoc +++ b/latest/ug/networking/cni-network-policy.adoc @@ -1,7 +1,7 @@ [.topic] [[cni-network-policy,cni-network-policy.title]] = Limit [.noloc]`Pod` traffic with [.noloc]`Kubernetes` network policies -:info_titleabbrev: Kubernetes network policies +:info_titleabbrev: Kubernetes policies include::../attributes.txt[] diff --git a/latest/ug/networking/coredns-add-on-update.adoc b/latest/ug/networking/coredns-add-on-update.adoc index 042178b42..d5db97ba4 100644 --- a/latest/ug/networking/coredns-add-on-update.adoc +++ b/latest/ug/networking/coredns-add-on-update.adoc @@ -1,7 +1,7 @@ [.topic] [[coredns-add-on-update,coredns-add-on-update.title]] = Update the [.noloc]`CoreDNS` Amazon EKS add-on -:info_titleabbrev: Update (Amazon EKS add-on) +:info_titleabbrev: Update (EKS add-on) include::../attributes.txt[] diff --git a/latest/ug/networking/lbc-remove.adoc b/latest/ug/networking/lbc-remove.adoc index e801e3a50..eac568c8a 100644 --- a/latest/ug/networking/lbc-remove.adoc +++ b/latest/ug/networking/lbc-remove.adoc @@ -1,7 +1,7 @@ [.topic] [[lbc-remove,lbc-remove.title]] = Migrate apps from deprecated ALB [.noloc]`Ingress Controller` -:info_titleabbrev: Migrate from deprecated controller +:info_titleabbrev: Migrate from deprecated include::../attributes.txt[] diff --git a/latest/ug/networking/pod-multiple-network-interfaces.adoc b/latest/ug/networking/pod-multiple-network-interfaces.adoc index 1f5007f0f..fee6ff2af 100644 --- a/latest/ug/networking/pod-multiple-network-interfaces.adoc +++ b/latest/ug/networking/pod-multiple-network-interfaces.adoc @@ -1,7 +1,7 @@ [.topic] [[pod-multiple-network-interfaces,pod-multiple-network-interfaces.title]] = Attach multiple network interfaces to [.noloc]`Pods` with [.noloc]`Multus` -:info_titleabbrev: Multiple network interfaces +:info_titleabbrev: Multiple interfaces include::../attributes.txt[] diff --git a/latest/ug/networking/vpc-add-on-update.adoc b/latest/ug/networking/vpc-add-on-update.adoc index 83a5d0762..7bdff484d 100644 --- a/latest/ug/networking/vpc-add-on-update.adoc +++ b/latest/ug/networking/vpc-add-on-update.adoc @@ -1,7 +1,7 @@ [.topic] [[vpc-add-on-update,vpc-add-on-update.title]] = Update the Amazon VPC CNI (Amazon EKS add-on) -:info_titleabbrev: Update (Amazon EKS add-on) +:info_titleabbrev: Update (EKS add-on) include::../attributes.txt[] diff --git a/latest/ug/nodes/al2023.adoc b/latest/ug/nodes/al2023.adoc index 76e011bcf..b7b4d13f3 100644 --- a/latest/ug/nodes/al2023.adoc +++ b/latest/ug/nodes/al2023.adoc @@ -1,7 +1,7 @@ [.topic] [[al2023,al2023.title]] = Upgrade from Amazon Linux 2 to Amazon Linux 2023 -:info_titleabbrev: Upgrade from AL2 to AL2023 +:info_titleabbrev: Upgrade to AL2023 include::../attributes.txt[] diff --git a/latest/ug/nodes/choosing-instance-type.adoc b/latest/ug/nodes/choosing-instance-type.adoc index 21018679d..475471dbb 100644 --- a/latest/ug/nodes/choosing-instance-type.adoc +++ b/latest/ug/nodes/choosing-instance-type.adoc @@ -1,4 +1,3 @@ - [.topic] [[choosing-instance-type,choosing-instance-type.title]] = Choose an optimal Amazon EC2 node instance type diff --git a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc index 99e6ee18b..74a51c77c 100644 --- a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc +++ b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc @@ -1,7 +1,7 @@ [.topic] [[hybrid-nodes-nodeadm,hybrid-nodes-nodeadm.title]] = Hybrid nodes `nodeadm` reference -:info_titleabbrev: Hybrid nodes nodeadm reference +:info_titleabbrev: Hybrid nodes nodeadm :keywords: on-premises, hybrid include::../attributes.txt[] diff --git a/latest/ug/nodes/self-managed-windows-server-2022.adoc b/latest/ug/nodes/self-managed-windows-server-2022.adoc index a919b5003..2b5d682bf 100644 --- a/latest/ug/nodes/self-managed-windows-server-2022.adoc +++ b/latest/ug/nodes/self-managed-windows-server-2022.adoc @@ -1,7 +1,7 @@ [.topic] [[self-managed-windows-server-2022,self-managed-windows-server-2022.title]] = Create self-managed [.noloc]`Windows` Server 2022 nodes with `eksctl` -:info_titleabbrev: Create Windows Server 2022 nodes +:info_titleabbrev: Windows Server 2022 include::../attributes.txt[] diff --git a/latest/ug/nodes/update-stack.adoc b/latest/ug/nodes/update-stack.adoc index efdc44a4b..d533a3583 100644 --- a/latest/ug/nodes/update-stack.adoc +++ b/latest/ug/nodes/update-stack.adoc @@ -2,7 +2,7 @@ include::../attributes.txt[] [.topic] [[update-stack,update-stack.title]] = Update an {aws} CloudFormation node stack -:info_titleabbrev: {aws} CloudFormation stack +:info_titleabbrev: CloudFormation stack [abstract] -- diff --git a/latest/ug/observability/control-plane-logs.adoc b/latest/ug/observability/control-plane-logs.adoc index 4ff975b69..f5f87e7ed 100644 --- a/latest/ug/observability/control-plane-logs.adoc +++ b/latest/ug/observability/control-plane-logs.adoc @@ -1,4 +1,3 @@ - [.topic] [[control-plane-logs,control-plane-logs.title]] = Send control plane logs to CloudWatch Logs diff --git a/latest/ug/outposts/eks-outposts-network-disconnects.adoc b/latest/ug/outposts/eks-outposts-network-disconnects.adoc index baf9c765f..1513d1915 100644 --- a/latest/ug/outposts/eks-outposts-network-disconnects.adoc +++ b/latest/ug/outposts/eks-outposts-network-disconnects.adoc @@ -3,7 +3,7 @@ include::../attributes.txt[] [.topic] [[eks-outposts-network-disconnects,eks-outposts-network-disconnects.title]] = Prepare local Amazon EKS clusters on {aws} Outposts for network disconnects -:info_titleabbrev: Prepare for network disconnects +:info_titleabbrev: Prepare for disconnects [abstract] -- diff --git a/latest/ug/outposts/eks-outposts-platform-versions.adoc b/latest/ug/outposts/eks-outposts-platform-versions.adoc index e3a4bb9db..7352337dd 100644 --- a/latest/ug/outposts/eks-outposts-platform-versions.adoc +++ b/latest/ug/outposts/eks-outposts-platform-versions.adoc @@ -3,7 +3,7 @@ include::../attributes.txt[] [.topic] [[eks-outposts-platform-versions,eks-outposts-platform-versions.title]] = Learn [.noloc]`Kubernetes` and Amazon EKS platform versions for {aws} Outposts -:info_titleabbrev: Learn Kubernetes platform versions +:info_titleabbrev: EKS platform versions [abstract] -- diff --git a/latest/ug/storage/csi-snapshot-controller.adoc b/latest/ug/storage/csi-snapshot-controller.adoc index dd3dc44b2..0ee0691ea 100644 --- a/latest/ug/storage/csi-snapshot-controller.adoc +++ b/latest/ug/storage/csi-snapshot-controller.adoc @@ -1,4 +1,3 @@ - [.topic] [[csi-snapshot-controller,csi-snapshot-controller.title]] = Enable snapshot functionality for CSI volumes diff --git a/latest/ug/storage/ebs-csi-migration-faq.adoc b/latest/ug/storage/ebs-csi-migration-faq.adoc index 97a9efa78..0790b61b1 100644 --- a/latest/ug/storage/ebs-csi-migration-faq.adoc +++ b/latest/ug/storage/ebs-csi-migration-faq.adoc @@ -1,4 +1,3 @@ - [.topic] [[ebs-csi-migration-faq,ebs-csi-migration-faq.title]] = Amazon EBS CSI migration frequently asked questions diff --git a/latest/ug/storage/ebs-csi.adoc b/latest/ug/storage/ebs-csi.adoc index 07751b735..18e60cb78 100644 --- a/latest/ug/storage/ebs-csi.adoc +++ b/latest/ug/storage/ebs-csi.adoc @@ -1,4 +1,3 @@ - [.topic] [[ebs-csi,ebs-csi.title]] = Store [.noloc]`Kubernetes` volumes with Amazon EBS diff --git a/latest/ug/storage/file-cache-csi.adoc b/latest/ug/storage/file-cache-csi.adoc index 8d1d54c08..b2332e5eb 100644 --- a/latest/ug/storage/file-cache-csi.adoc +++ b/latest/ug/storage/file-cache-csi.adoc @@ -1,4 +1,3 @@ - [.topic] [[file-cache-csi,file-cache-csi.title]] = Minimize latency with Amazon File Cache diff --git a/latest/ug/storage/fsx-csi.adoc b/latest/ug/storage/fsx-csi.adoc index 338b0e14d..73d3f8701 100644 --- a/latest/ug/storage/fsx-csi.adoc +++ b/latest/ug/storage/fsx-csi.adoc @@ -1,4 +1,3 @@ - [.topic] [[fsx-csi,fsx-csi.title]] = Store high-performance apps with FSx for Lustre diff --git a/latest/ug/storage/fsx-ontap.adoc b/latest/ug/storage/fsx-ontap.adoc index 11cad30eb..a088bdd4a 100644 --- a/latest/ug/storage/fsx-ontap.adoc +++ b/latest/ug/storage/fsx-ontap.adoc @@ -1,4 +1,3 @@ - [.topic] [[fsx-ontap,fsx-ontap.title]] = Store high-performance apps with FSx for NetApp ONTAP diff --git a/latest/ug/storage/fsx-openzfs-csi.adoc b/latest/ug/storage/fsx-openzfs-csi.adoc index 7d32e182f..63468505c 100644 --- a/latest/ug/storage/fsx-openzfs-csi.adoc +++ b/latest/ug/storage/fsx-openzfs-csi.adoc @@ -1,4 +1,3 @@ - [.topic] [[fsx-openzfs-csi,fsx-openzfs-csi.title]] = Store data using Amazon FSx for OpenZFS diff --git a/latest/ug/storage/s3-csi.adoc b/latest/ug/storage/s3-csi.adoc index d3e714463..a1f521c0b 100644 --- a/latest/ug/storage/s3-csi.adoc +++ b/latest/ug/storage/s3-csi.adoc @@ -1,4 +1,3 @@ - [.topic] [[s3-csi,s3-csi.title]] = Access Amazon S3 objects with Mountpoint for Amazon S3 CSI driver diff --git a/latest/ug/what-is/common-use-cases.adoc b/latest/ug/what-is/common-use-cases.adoc index fa6e6ff59..1019ea1d7 100644 --- a/latest/ug/what-is/common-use-cases.adoc +++ b/latest/ug/what-is/common-use-cases.adoc @@ -1,4 +1,3 @@ - [.topic] [[common-use-cases,common-use-cases.title]] = Common use cases in Amazon EKS diff --git a/latest/ug/what-is/eks-architecture.adoc b/latest/ug/what-is/eks-architecture.adoc index 283b194ef..745330e2c 100644 --- a/latest/ug/what-is/eks-architecture.adoc +++ b/latest/ug/what-is/eks-architecture.adoc @@ -1,4 +1,3 @@ - [.topic] [[eks-architecture,eks-architecture.title]] = Amazon EKS architecture diff --git a/latest/ug/what-is/kubernetes-concepts.adoc b/latest/ug/what-is/kubernetes-concepts.adoc index 327c4fd78..cfba58970 100644 --- a/latest/ug/what-is/kubernetes-concepts.adoc +++ b/latest/ug/what-is/kubernetes-concepts.adoc @@ -1,4 +1,3 @@ - [.topic] [[kubernetes-concepts,kubernetes-concepts.title]] = [.noloc]`Kubernetes` concepts diff --git a/latest/ug/workloads/add-ons-images.adoc b/latest/ug/workloads/add-ons-images.adoc index 8a630959c..8883f15c2 100644 --- a/latest/ug/workloads/add-ons-images.adoc +++ b/latest/ug/workloads/add-ons-images.adoc @@ -1,19 +1,19 @@ [.topic] [[add-ons-images,add-ons-images.title]] = View Amazon container image registries for Amazon EKS add-ons -:info_titleabbrev: View Amazon container image registries +:info_titleabbrev: View Amazon image registries include::../attributes.txt[] -When you deploy <> to your cluster, your nodes pull the required container images from the registry specified in the installation mechanism for the add-on, such as an installation manifest or a Helm `values.yaml` file. The images are pulled from an Amazon EKS Amazon ECR private repository. Amazon EKS replicates the images to a repository in each Amazon EKS supported {aws} Region. Your nodes can pull the container image over the internet from any of the following registries. Alternatively, your nodes can pull the image over Amazon's network if you created an link:AmazonECR/latest/userguide/vpc-endpoints.html[interface VPC endpoint for Amazon ECR ({aws} PrivateLink),type="documentation"] in your VPC. The registries require authentication with an {aws} IAM account. Your nodes authenticate using the <>, which has the permissions in the link:aws-managed-policy/latest/reference/AmazonEC2ContainerRegistryReadOnly.html[AmazonEC2ContainerRegistryReadOnly,type="documentation"] managed IAM policy associated to it. +When you deploy <> to your cluster, your nodes pull the required container images from the registry specified in the installation mechanism for the add-on, such as an installation manifest or a Helm `values.yaml` file. The images are pulled from an Amazon EKS Amazon ECR private repository. Amazon EKS replicates the images to a repository in each Amazon EKS supported {aws} Region. Your nodes can pull the container image over the internet from any of the following registries. Alternatively, your nodes can pull the image over Amazon's network if you created an link:AmazonECR/latest/userguide/vpc-endpoints.html[interface VPC endpoint for Amazon ECR ({aws} PrivateLink),type="documentation"] in your VPC. The registries require authentication with an {aws} IAM account. Your nodes authenticate using the <>, which has the permissions in the link:aws-managed-policy/latest/reference/AmazonEC2ContainerRegistryReadOnly.html[AmazonEC2ContainerRegistryReadOnly,type="documentation"] managed IAM policy associated to it. [role="no-scroll"] [cols="1,1", options="header"] |=== + |{aws} Region |Registry - |af-south-1 |877085696533.dkr.ecr.af-south-1.amazonaws.com @@ -44,8 +44,8 @@ When you deploy <> to |ap-southeast-2 |602401143452.dkr.ecr.ap-southeast-2.amazonaws.com -| ap-southeast-7 -| 121268973566.dkr.ecr.ap-southeast-7.amazonaws.com +|ap-southeast-7 +|121268973566.dkr.ecr.ap-southeast-7.amazonaws.com |ap-northeast-1 |602401143452.dkr.ecr.ap-northeast-1.amazonaws.com diff --git a/latest/ug/workloads/addon-id-troubleshoot.adoc b/latest/ug/workloads/addon-id-troubleshoot.adoc index f48be9303..023301518 100644 --- a/latest/ug/workloads/addon-id-troubleshoot.adoc +++ b/latest/ug/workloads/addon-id-troubleshoot.adoc @@ -1,7 +1,7 @@ [.topic] [[addon-id-troubleshoot,addon-id-troubleshoot.title]] = Troubleshoot Pod Identities for EKS add-ons -:info_titleabbrev: Troubleshoot Pod Identities +:info_titleabbrev: Troubleshoot Identities include::../attributes.txt[] diff --git a/latest/ug/workloads/copy-image-to-repository.adoc b/latest/ug/workloads/copy-image-to-repository.adoc index 143466ca7..600753767 100644 --- a/latest/ug/workloads/copy-image-to-repository.adoc +++ b/latest/ug/workloads/copy-image-to-repository.adoc @@ -1,4 +1,3 @@ - [.topic] [[copy-image-to-repository,copy-image-to-repository.title]] = Copy a container image from one repository to another repository diff --git a/latest/ug/workloads/horizontal-pod-autoscaler.adoc b/latest/ug/workloads/horizontal-pod-autoscaler.adoc index 0962a7159..9253cd518 100644 --- a/latest/ug/workloads/horizontal-pod-autoscaler.adoc +++ b/latest/ug/workloads/horizontal-pod-autoscaler.adoc @@ -1,4 +1,3 @@ - [.topic] [[horizontal-pod-autoscaler,horizontal-pod-autoscaler.title]] = Scale pod deployments with [.noloc]`Horizontal Pod Autoscaler` diff --git a/latest/ug/workloads/image-verification.adoc b/latest/ug/workloads/image-verification.adoc index ba3ab9c01..5b6ede70e 100644 --- a/latest/ug/workloads/image-verification.adoc +++ b/latest/ug/workloads/image-verification.adoc @@ -1,4 +1,3 @@ - [.topic] [[image-verification,image-verification.title]] = Validate container image signatures during deployment diff --git a/latest/ug/workloads/kubernetes-field-management.adoc b/latest/ug/workloads/kubernetes-field-management.adoc index 76097d1ec..b394a2355 100644 --- a/latest/ug/workloads/kubernetes-field-management.adoc +++ b/latest/ug/workloads/kubernetes-field-management.adoc @@ -1,7 +1,7 @@ [.topic] [[kubernetes-field-management,kubernetes-field-management.title]] = Determine fields you can customize for Amazon EKS add-ons -:info_titleabbrev: Determine fields you can customize +:info_titleabbrev: Fields you can customize include::../attributes.txt[] diff --git a/latest/ug/workloads/remove-addon-role.adoc b/latest/ug/workloads/remove-addon-role.adoc index 436451ed5..d0e009bcd 100644 --- a/latest/ug/workloads/remove-addon-role.adoc +++ b/latest/ug/workloads/remove-addon-role.adoc @@ -1,7 +1,7 @@ [.topic] [[remove-addon-role,remove-addon-role.title]] = Remove Pod Identity associations from an Amazon EKS add-on -:info_titleabbrev: Remove Pod Identity associations +:info_titleabbrev: Remove Pod Identity include::../attributes.txt[] diff --git a/latest/ug/workloads/restrict-service-external-ip.adoc b/latest/ug/workloads/restrict-service-external-ip.adoc index 17cec3e38..302efaa2c 100644 --- a/latest/ug/workloads/restrict-service-external-ip.adoc +++ b/latest/ug/workloads/restrict-service-external-ip.adoc @@ -1,7 +1,7 @@ [.topic] [[restrict-service-external-ip,restrict-service-external-ip.title]] = Restrict external IP addresses that can be assigned to services -:info_titleabbrev: Restrict service external IP address assignment +:info_titleabbrev: Restrict service external IPs include::../attributes.txt[] diff --git a/latest/ug/workloads/sample-deployment-windows.adoc b/latest/ug/workloads/sample-deployment-windows.adoc index 880760d6c..303bb12a2 100644 --- a/latest/ug/workloads/sample-deployment-windows.adoc +++ b/latest/ug/workloads/sample-deployment-windows.adoc @@ -1,7 +1,7 @@ [.topic] [[sample-deployment-win,sample-deployment-win.title]] = Deploy a sample application on Windows -:info_titleabbrev: Sample application deployment (Windows) +:info_titleabbrev: Sample deployment (Windows) include::../attributes.txt[] diff --git a/latest/ug/workloads/sample-deployment.adoc b/latest/ug/workloads/sample-deployment.adoc index 87e1bea6e..9ab1c42c2 100644 --- a/latest/ug/workloads/sample-deployment.adoc +++ b/latest/ug/workloads/sample-deployment.adoc @@ -1,7 +1,7 @@ [.topic] [[sample-deployment,sample-deployment.title]] = Deploy a sample application on Linux -:info_titleabbrev: Sample application deployment (Linux) +:info_titleabbrev: Sample deployment (Linux) include::../attributes.txt[] diff --git a/latest/ug/workloads/update-addon-role.adoc b/latest/ug/workloads/update-addon-role.adoc index db88103bd..342ff9dfa 100644 --- a/latest/ug/workloads/update-addon-role.adoc +++ b/latest/ug/workloads/update-addon-role.adoc @@ -1,7 +1,7 @@ [.topic] [[update-addon-role,update-addon-role.title]] = Use Pod Identities to assign an IAM role to an Amazon EKS add-on -:info_titleabbrev: Use Pod Identities to assign an IAM role +:info_titleabbrev: Use Pod Identities include::../attributes.txt[] diff --git a/latest/ug/workloads/vertical-pod-autoscaler.adoc b/latest/ug/workloads/vertical-pod-autoscaler.adoc index d5f9560a5..2287c7bd9 100644 --- a/latest/ug/workloads/vertical-pod-autoscaler.adoc +++ b/latest/ug/workloads/vertical-pod-autoscaler.adoc @@ -1,4 +1,3 @@ - [.topic] [[vertical-pod-autoscaler,vertical-pod-autoscaler.title]] = Adjust pod resources with [.noloc]`Vertical Pod Autoscaler` From e57f2ff40ec038b9003f9915e299278e83b38ed4 Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Mon, 27 Jan 2025 10:07:07 -0800 Subject: [PATCH 092/940] fix rendering issues in the contributor guide --- latest/ug/book.adoc | 2 +- latest/ug/contribute/asciidoc-syntax.adoc | 3 +++ latest/ug/contribute/contribute.adoc | 1 + latest/ug/contribute/create-content-q.adoc | 3 +++ latest/ug/contribute/create-page.adoc | 2 ++ latest/ug/contribute/edit-single-web.adoc | 3 +++ latest/ug/contribute/edit-web.adoc | 3 +++ latest/ug/contribute/insert-link.adoc | 5 ++++- latest/ug/contribute/pr-preview.adoc | 3 +++ latest/ug/contribute/pr-status.adoc | 3 +++ latest/ug/contribute/vale-github.adoc | 3 +++ latest/ug/contribute/vale-local.adoc | 3 +++ 12 files changed, 32 insertions(+), 2 deletions(-) diff --git a/latest/ug/book.adoc b/latest/ug/book.adoc index 75554a62a..a29eacfe2 100644 --- a/latest/ug/book.adoc +++ b/latest/ug/book.adoc @@ -23,7 +23,7 @@ sponsored by Amazon. [abstract] -- -This is official Amazon Web Services ({aws}) documentation for Amazon Elastic Kubernetes Service (Amazon EKS). Amazon EKS is a managed service that makes it easy for you to run [.noloc]`Kubernetes` on {aws} without needing to install and operate your own [.noloc]`Kubernetes` clusters. [.noloc]`Kubernetes` is an open-source system for automating the deployment, scaling, and management of containerized applications. +This is official Amazon Web Services ({aws}) documentation for Amazon Elastic Kubernetes Service (Amazon EKS). Amazon EKS is a managed service that makes it easy for you to run [.noloc]`Kubernetes` on {aws} without needing to install and operate your own [.noloc]`Kubernetes` clusters. [.noloc]`Kubernetes` is an open source system for automating the deployment, scaling, and management of containerized applications. -- :sectnums: diff --git a/latest/ug/contribute/asciidoc-syntax.adoc b/latest/ug/contribute/asciidoc-syntax.adoc index 734045db4..7dab4d7b4 100644 --- a/latest/ug/contribute/asciidoc-syntax.adoc +++ b/latest/ug/contribute/asciidoc-syntax.adoc @@ -3,6 +3,9 @@ = AsciiDoc Syntax Reference :info_titleabbrev: AsciiDoc Syntax + +include::../attributes.txt[] + This page is a quick overview of AsciiDoc syntax. We suggest using AsciiDoc syntax. The AsciiDoc tooling has partial support for Markdown syntax, including headings and lists. diff --git a/latest/ug/contribute/contribute.adoc b/latest/ug/contribute/contribute.adoc index 732625f41..846e726c0 100644 --- a/latest/ug/contribute/contribute.adoc +++ b/latest/ug/contribute/contribute.adoc @@ -2,6 +2,7 @@ # Contribute to the EKS User Guide :info_titleabbrev: Contribute + include::../attributes.txt[] diff --git a/latest/ug/contribute/create-content-q.adoc b/latest/ug/contribute/create-content-q.adoc index 511d5aea2..c47512981 100644 --- a/latest/ug/contribute/create-content-q.adoc +++ b/latest/ug/contribute/create-content-q.adoc @@ -3,6 +3,9 @@ = Create docs content with Amazon Q :info_titleabbrev: Create with Amazon Q + +include::../attributes.txt[] + You can use Amazon Q to create and revise docs content. This is an easy way to get started on a new page. Amazon Q is available as an extension to Visual Studio (VS) Code. In the following image, Amazon Q generated the lines marked with green. diff --git a/latest/ug/contribute/create-page.adoc b/latest/ug/contribute/create-page.adoc index 30dd83186..73e178ecc 100644 --- a/latest/ug/contribute/create-page.adoc +++ b/latest/ug/contribute/create-page.adoc @@ -4,6 +4,8 @@ :info_titleabbrev: Create page +include::../attributes.txt[] + Learn how to create a new docs page. This topic includes instructions for creating the initial page metadata, and adding the page to the guide table of contents. == Create page diff --git a/latest/ug/contribute/edit-single-web.adoc b/latest/ug/contribute/edit-single-web.adoc index 4b9c7dfb9..d70a16e95 100644 --- a/latest/ug/contribute/edit-single-web.adoc +++ b/latest/ug/contribute/edit-single-web.adoc @@ -3,6 +3,9 @@ = Edit a single page from a web browser :info_titleabbrev: Edit single page + +include::../attributes.txt[] + You can easily edit a single page in the EKS User Guide directly through your web browser. image::images/contribute-web-edit.png["View of GitHub web edit interface"] diff --git a/latest/ug/contribute/edit-web.adoc b/latest/ug/contribute/edit-web.adoc index a2b541df1..070233a66 100644 --- a/latest/ug/contribute/edit-web.adoc +++ b/latest/ug/contribute/edit-web.adoc @@ -3,6 +3,9 @@ = Edit multiple files from a web browser with the GitHub Web Editor :info_titleabbrev: Edit files with GitHub + +include::../attributes.txt[] + If you want to propose change to multiple pages, or create a new docs page, use the GitHub.dev web editor. This web editor is based on the popular Visual Studio Code text editor. image::images/contribute-web-dev.png["GitHub.dev web editor user interface] diff --git a/latest/ug/contribute/insert-link.adoc b/latest/ug/contribute/insert-link.adoc index 34330d6c0..7baec84fb 100644 --- a/latest/ug/contribute/insert-link.adoc +++ b/latest/ug/contribute/insert-link.adoc @@ -3,11 +3,14 @@ = Insert a link :info_titleabbrev: Insert link + +include::../attributes.txt[] + AsciiDoc supports multiple types of links. Using the right link type is important so the link works properly in different environments. == Link to a page or section in the EKS User Guide -Use cross references (xref) to link between pages/sections within the same documentation site, such as the EKS User Guide. They automatically update if the target section moves or is renamed. +Use cross references (xref) to link between pages or sections within the same documentation site, such as the EKS User Guide. They automatically update if the target section moves or is renamed. === Define custom link text diff --git a/latest/ug/contribute/pr-preview.adoc b/latest/ug/contribute/pr-preview.adoc index e4fcf6b68..7164258c6 100644 --- a/latest/ug/contribute/pr-preview.adoc +++ b/latest/ug/contribute/pr-preview.adoc @@ -3,6 +3,9 @@ = View a preview of pull request content :info_titleabbrev: View PR Preview + +include::../attributes.txt[] + The EKS User Guide GitHub is configured to build and generate a preview of the docs site. This preview doesn't have the full {aws} theme, but it does check the content builds properly and links work. image::images/contribute-preview.png["GitHub comment with preview URL"] diff --git a/latest/ug/contribute/pr-status.adoc b/latest/ug/contribute/pr-status.adoc index fc0740c1e..843725055 100644 --- a/latest/ug/contribute/pr-status.adoc +++ b/latest/ug/contribute/pr-status.adoc @@ -3,6 +3,9 @@ = View the status of your GitHub Pull Request (PR) :info_titleabbrev: View PR Status + +include::../attributes.txt[] + After you create a pull request, you can track it's status. Pull requests have three important statuses: merged, closed, and changes requested. If a pull request is merged, the changes were accepted. It may take a few hours for the website to update. If the PR was closed, please understand we appreciate the contribution but could not approve the changes. For example, we may have been unable to replicate the problem. If a pull request has changes requested, review the feedback and update the pull request. diff --git a/latest/ug/contribute/vale-github.adoc b/latest/ug/contribute/vale-github.adoc index 041f71fe8..4b7fe4261 100644 --- a/latest/ug/contribute/vale-github.adoc +++ b/latest/ug/contribute/vale-github.adoc @@ -3,6 +3,9 @@ = View style feedback online for a pull request :info_titleabbrev: View PR feedback + +include::../attributes.txt[] + When you create a pull request to propose docs changes, multiple GitHub actions run. This includes a style check using Vale. image::images/contribute-style-web.png["View style feedback on GitHub"] diff --git a/latest/ug/contribute/vale-local.adoc b/latest/ug/contribute/vale-local.adoc index e7f7a39f8..6f914ba45 100644 --- a/latest/ug/contribute/vale-local.adoc +++ b/latest/ug/contribute/vale-local.adoc @@ -3,6 +3,9 @@ = View style feedback as you type by installing Vale locally :info_titleabbrev: View style feedback + +include::../attributes.txt[] + You can see style feedback as you type. This helps identify awkward writing and typos. image::images/contribute-style-local.png["View style feedback in VS Code] From de6cc06ce937c28500a77e155d46ba3feb80cbb4 Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Fri, 17 Jan 2025 15:41:38 -0800 Subject: [PATCH 093/940] vale: add all domains currently in the docs to domain list --- .vale.ini | 1 + .../ug/automode/automode-learn-instances.adoc | 2 - vale/styles/EksDocs/ExternalDomains.yml | 208 +++++++++++++----- .../vocabularies/EksDocsVocab/accept.txt | 10 +- 4 files changed, 156 insertions(+), 65 deletions(-) diff --git a/.vale.ini b/.vale.ini index 5f93659a1..858da4d52 100644 --- a/.vale.ini +++ b/.vale.ini @@ -12,5 +12,6 @@ BasedOnStyles = RedHat, AsciiDoc, EksDocs RedHat.GitLinks = OFF AsciiDoc.UnsetAttributes = OFF RedHat.CaseSensitiveTerms = suggestion +RedHat.Contractions = OFF RedHat.TermsErrors = warning RedHat.Spacing = warning diff --git a/latest/ug/automode/automode-learn-instances.adoc b/latest/ug/automode/automode-learn-instances.adoc index fec284f8c..6ffab05b3 100644 --- a/latest/ug/automode/automode-learn-instances.adoc +++ b/latest/ug/automode/automode-learn-instances.adoc @@ -69,8 +69,6 @@ With EKS Auto Mode, {aws} determines the image (AMI) used for your compute nodes == Supported instance reference -// Source: https://code.amazon.com/packages/EKSKarpenterController/blobs/a56aeb0ddc3e8a54406421e8f3a091e8e13abea1/--/pkg/providers/instancetype/instancetype.go#L43-L49 - EKS Auto Mode supports the following instance types: [cols="1,4",options="header"] diff --git a/vale/styles/EksDocs/ExternalDomains.yml b/vale/styles/EksDocs/ExternalDomains.yml index 69d6008b2..2f82ac779 100644 --- a/vale/styles/EksDocs/ExternalDomains.yml +++ b/vale/styles/EksDocs/ExternalDomains.yml @@ -4,119 +4,207 @@ level: error scope: raw #ignorecase: true tokens: - - '(?:^|\s)(http(s)?://[^\s]+)(?:$|\s)' + - '(?:^|\b)(http(s)?:\/\/[^\s\[]+)(?=$|\s|\[)' + # note: this version no longer detects the valid URL that uses replacement syntax https://raw.githubusercontent.com/projectcalico/calico/\[\.replaceable\]\`CALICO_VERSION\`/manifests/operator-crds.yaml exceptions: - - https://aws.github.io/ - - https://kubernetes-sigs.github.io/ - - https://aws-observability.github.io/ - - https://github.com/aws/ - - https://github.com/aws-samples/ - - https://github.com/kubernetes/ - - https://repost.aws/ - - https://github.com/bottlerocket-os/ - - https://kubernetes.io - - https://karpenter.sh - - https://anywhere.eks.amazonaws.com - - https://aws-ia.github.io - - https://eksctl.io - - https://catalog.workshops.aws - - https://github.com/awslabs/ - - https://github.com/aws-controllers-k8s/ - - https://raw.githubusercontent.com/aws-observability/ - - https://github.com/kubernetes-sigs/ - - https://d1.awsstatic.com/ - - https://docs.github.com/ - - https://code.visualstudio.com/ - - https://cli.github.com/ - - https://marketplace.visualstudio.com/ - - https://docs.asciidoctor.org/ - - https://brew.sh/ - - https://github.dev/aws/ - - https://catalog.us-east-1.prod.workshops.aws/ - - http://developers.eksworkshop.com - - https://s3.us-west-2.amazonaws.com/amazon-eks/ - - https://www.eksworkshop.com - - https://community.aws/ - - https://www.youtube.com/ - - https://kind.sigs.k8s.io - - https://minikube.sigs.k8s.io - - https://www.terraform.io - - https://developers.eksworkshop.com - - https://docs.aws.amazon.com/ - - https://groups.google.com/forum/#!topic/kubernetes-security-announce - - https://raw.githubusercontent.com/kubernetes-sigs - - https://helm.sh - - https://public.ecr.aws - - https://gallery.ecr.aws - - https://amazon-eks.s3.us-west-2.amazonaws.com/eks-connector/ - - https://www.intel.com/ - - https://www.tensorflow.org/ - - https://docs.upbound.io/ - - https://docs.upwind.io/ - - https://tetratelabs.io/ - - https://goteleport.com/ - - https://docs.splunk.com/ - - https://docs.stormforge.io/ - - https://docs.snyk.io/ - - https://docs.solo.io/ - alas.aws.amazon.com - amazon.awsapps.com + - anywhere.eks.amazonaws.com - apparmor.net - appdynamics.com + - aws-ia.github.io + - aws-observability.github.io - aws-otel.github.io + - aws.amazon.com + - aws.github.io - awsdocs-neuron.readthedocs-hosted.com - awslabs.github.io + - boto3.amazonaws.com + - bottlerocket.dev - brew.sh - catalog.redhat.com + - catalog.us-east-1.prod.workshops.aws + - catalog.workshops.aws - chocolatey.org - cloud-images.ubuntu.com - cloudinit.readthedocs.io + - community.aws + - console.aws.amazon.com - containerd.io + - cve.mitre.org + - d1.awsstatic.com/ + - developer.hashicorp.com + - developer.nvidia.com + - developers.eksworkshop.com - distro.eks.amazonaws.com + - docs.aws.amazon.com + - docs.cilium.io - docs.docker.com + - docs.fluentbit.io + - docs.helm.sh + - docs.kubecost.com - docs.netapp.com - docs.newrelic.com - docs.pingidentity.com - docs.podman.io + - docs.rad.security + - docs.ray.io + - docs.tigera.io + - docs.vllm.ai - documentation.solarwinds.com - documentation.ubuntu.com - ebpf.io - eks.amazonaws.com + - eksctl.io - eksworkshop.com - etcd.io - explore.skillbuilder.aws - gateway-api.sigs.k8s.io - github.com - grafana.com + - guide.kubecost.com + - http://developers.eksworkshop.com + - http://localhost:8080/utility/stress/1000000 + - http://localhost:9090 + - http://retail-store-sample-ui.default.svc/utility/stress/1000000 + - https://amazon-eks.s3.us-west-2.amazonaws.com/eks-connector/ + - https://antrea.io/docs/main/docs/eks-installation + - https://anywhere.eks.amazonaws.com + - https://aws-ia.github.io + - https://aws-observability.github.io/ + - https://aws.github.io/ + - https://brew.sh/ + - 'https://bugs.launchpad.net/ubuntu/\+source/containerd-app/\+bug/2065423' + - https://catalog.us-east-1.prod.workshops.aws/ + - https://catalog.workshops.aws + - https://cert-manager.io + - https://cilium.io + - https://cli.github.com/ + - https://code.visualstudio.com/ + - https://community.aws/ + - https://d1.awsstatic.com/ + - https://developers.eksworkshop.com + - https://distribution.github.io/distribution/ + - https://docs.akuity.io/tutorials/eks-addon-agent-install/ + - https://docs.asciidoctor.org/ + - https://docs.aws.amazon.com/ + - https://docs.cloudsoft.io/operations/configuration/aws-eks-addon.html + - https://docs.cribl.io/edge/usecase-edge-aws-eks/ + - https://docs.datadoghq.com/containers/guide/operator-eks-addon/ + - https://docs.datadoghq.com/containers/guide/operator-eks-addon/\?tab=console + - https://docs.github.com/ + - https://docs.groundcover.com/docs/~/changes/VhDDAl1gy1VIO3RIcgxD/configuration/customization-guide/customize-deployment/eks-add-on + - https://docs.guance.com/en/datakit/datakit-eks-deploy/ + - https://docs.guance.com/en/datakit/datakit-eks-deploy/#add-on-install + - https://docs.kasten.io/latest/install/aws-eks-addon/aws-eks-addon.html + - https://docs.kpow.io/installation/aws-marketplace-lm/ + - https://docs.kubearmor.io/kubearmor/quick-links/deployment_guide + - https://docs.nvidia.com/cuda/cuda-runtime-api/group_%5FCUDART%5F_DEVICE.html + - https://docs.nvidia.com/deploy/gpu-debug-guidelines/index.html#understanding-xid-messages + - https://docs.nvidia.com/deploy/xid-errors/index.html#topic_5_1 + - https://docs.projectcalico.org/getting-started/kubernetes/managed-public-cloud/eks + - https://docs.rafay.co/clusters/import/eksaddon/ + - https://docs.snyk.io/ + - https://docs.solo.io/ + - https://docs.splunk.com/ + - https://docs.stormforge.io/ + - https://docs.upbound.io/ + - https://docs.upwind.io/ + - https://eksctl.io + - https://en.wikipedia.org/wiki/Reserved_IP_addresses + - https://example.com + - https://gallery.ecr.aws + - https://github.com/aws-controllers-k8s/ + - https://github.com/aws-samples/ + - https://github.com/aws/ + - https://github.com/awslabs/ + - https://github.com/bottlerocket-os/ + - https://github.com/kubernetes-sigs/ + - https://github.com/kubernetes/ + - https://github.dev/aws/ + - https://github.dev/awsdocs/ + - https://goteleport.com/ + - https://groups.google.com/forum/#!msg/kubernetes-security-announce/jk8polzSUxs/dfq6a-MnCQAJ + - https://groups.google.com/forum/#!topic/kubernetes-security-announce + - https://helm.sh + - https://hub.datree.io/integrations/eks-integration + - https://karpenter.sh + - https://kind.sigs.k8s.io + - https://kong.github.io/aws-marketplace-addon-kong-gateway/ + - https://kubernetes-sigs.github.io/ + - https://kubernetes.io + - https://marketplace.visualstudio.com/ + - https://minikube.sigs.k8s.io + - https://play2048.co/ + - https://prometheus-community.github.io/helm-charts + - https://public.ecr.aws + - https://pyjwt.readthedocs.io/en/latest/ + - https://ratify.dev/docs/1.0/quickstarts/ratify-on-aws + - https://raw.githubusercontent.com/aws-observability/ + - https://raw.githubusercontent.com/aws-samples/ + - https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.12.6/config/master/cni-metrics-helper.yaml + - https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.19.0/config/master/aws-k8s-cni.yaml + - https://raw.githubusercontent.com/aws/eks-charts/master/stable/aws-load-balancer-controller/crds/crds.yaml + - https://raw.githubusercontent.com/awslabs/amazon-eks-ami/ + - https://raw.githubusercontent.com/awslabs/amazoneks-ami/ + - https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 + - https://raw.githubusercontent.com/kubecost/cost-analyzer-helm-chart/develop/cost-analyzer/values-eks-cost-monitoring.yaml + - https://raw.githubusercontent.com/kubernetes-sigs + - https://raw.githubusercontent.com/NVIDIA/k8s-device-plugin/ + - https://raw.githubusercontent.com/projectcalico/calico/ + - https://repost.aws/ + - https://s3.amazonaws.com/EULA/ + - https://s3.us-west-2.amazonaws.com/amazon-eks/ + - https://tetratelabs.io/ + - https://tinkerbell.org + - https://vale.sh/ + - https://www.cncf.io/ + - https://www.dynatrace.com/technologies/kubernetes-monitoring/ + - https://www.eksworkshop.com + - https://www.intel.com/ + - https://www.leaksignal.com/docs/LeakAgent/Deployment/ + - https://www.powershellgallery.com/packages/{aws}.Tools.Common/4.1.502 + - https://www.powershellgallery.com/packages/Watch-Command/0.1.3 + - https://www.qemu.org/docs/ + - https://www.tensorflow.org/ + - https://www.terraform.io + - https://www.tigera.io/project-calico + - https://www.youtube.com/ - hub.docker.com + - huggingface.co - k8s.io + - karpenter.sh - kubernetes-csi.github.io + - kubernetes.io - learn.microsoft.com + - man7.org - oidc.eks.amazonaws.com - oidc.eks.region-code.amazonaws.com + - oidc.eks.us-west-2.amazonaws.com - opencontainers.org - openid.net + - opensearch.org - operatorhub.io - packer.io - portal.msrc.microsoft.com - prometheus.io + - public.ecr.aws - pytorch.org - registry.terraform.io + - repost.aws - requests.readthedocs.io + - rolesanywhere.amazonaws.com - rubygems.org - support.microsoft.com - tensorflow.org + - tetratelabs.io - ubuntu.com - www.canonical.com - www.cisecurity.org + - www.eksworkshop.com + - www.gateway-api-controller.eks.aws.dev - www.itu.int - www.juniper.net - www.python.org - www.rfc-editor.org - xilinx.github.io - - https://cert-manager.io - - https://www.cncf.io/ - - https://github.dev/awsdocs/ - - https://vale.sh/ - - diff --git a/vale/styles/config/vocabularies/EksDocsVocab/accept.txt b/vale/styles/config/vocabularies/EksDocsVocab/accept.txt index d8cd47dcc..ab7ed47ad 100644 --- a/vale/styles/config/vocabularies/EksDocsVocab/accept.txt +++ b/vale/styles/config/vocabularies/EksDocsVocab/accept.txt @@ -1,3 +1,4 @@ +# Each line is a Ruby regex EKS eksctl Fargate @@ -5,8 +6,11 @@ Bottlerocket EBS StorageClass PersistentVolume -CSI +CSIs? Karpenter -VPC +VPCs? VPC Reachability Analyzer -reachability \ No newline at end of file +reachability +CNIs? +repo +CIDRs? \ No newline at end of file From 795d1c2e4b9ec2ddf3ce2cbfd261a71ee08a8301 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Tue, 4 Feb 2025 20:28:44 +0000 Subject: [PATCH 094/940] Cleaned up some rendering issues. --- latest/ug/connector/connecting-cluster.adoc | 2 +- .../ug/ml/ml-eks-windows-optimized-ami.adoc | 2 +- .../cni-network-policy-configure.adoc | 109 ++++++++++-------- latest/ug/nodes/launch-node-bottlerocket.adoc | 2 +- latest/ug/nodes/launch-node-ubuntu.adoc | 2 +- latest/ug/nodes/launch-templates.adoc | 7 +- .../nodes/managed-node-update-behavior.adoc | 23 ++-- 7 files changed, 75 insertions(+), 72 deletions(-) diff --git a/latest/ug/connector/connecting-cluster.adoc b/latest/ug/connector/connecting-cluster.adoc index 5b0f72bb9..e3f43ee8c 100644 --- a/latest/ug/connector/connecting-cluster.adoc +++ b/latest/ug/connector/connecting-cluster.adoc @@ -141,7 +141,7 @@ To install the `eks-connector` agent, use one of the following tools: * <> * <> -=== helm [[helm_agent_cluster_connect]] +=== Helm [[helm_agent_cluster_connect]] [NOTE] ==== diff --git a/latest/ug/ml/ml-eks-windows-optimized-ami.adoc b/latest/ug/ml/ml-eks-windows-optimized-ami.adoc index d671ebd5a..b8150c8b8 100644 --- a/latest/ug/ml/ml-eks-windows-optimized-ami.adoc +++ b/latest/ug/ml/ml-eks-windows-optimized-ami.adoc @@ -113,7 +113,7 @@ kubectl apply -f "https://raw.githubusercontent.com/TensorWorks/directx-device-p After you have deployed the device plugin, replace `` and run the following command to verify the DirectX Device Plugin is running correctly on your all your Windows nodes. [source,bash,subs="verbatim,attributes"] ---- -kubectl get ds device-plugin-wddm -n [.replaceable]`` +kubectl get ds device-plugin-wddm -n ---- diff --git a/latest/ug/networking/cni-network-policy-configure.adoc b/latest/ug/networking/cni-network-policy-configure.adoc index c4854a699..997904c71 100644 --- a/latest/ug/networking/cni-network-policy-configure.adoc +++ b/latest/ug/networking/cni-network-policy-configure.adoc @@ -25,25 +25,23 @@ Before you begin, review the considerations. For more information, see <>. The cluster must be [.noloc]`Kubernetes` version `1.25` or later. The cluster must be running one of the [.noloc]`Kubernetes` versions and platform versions listed in the following table. Note that any [.noloc]`Kubernetes` and platform versions later than those listed are also supported. You can check your current [.noloc]`Kubernetes` version by replacing [.replaceable]`my-cluster` in the following command with the name of your cluster and then running the modified command: -+ + [source,bash,subs="verbatim,attributes"] ---- aws eks describe-cluster --name my-cluster --query cluster.version --output text ---- -+ + [cols="1,1", options="header"] |=== + |Kubernetes version |Platform version - |`1.27.4` |`eks.5` @@ -52,28 +50,30 @@ aws eks describe-cluster |`1.25.12` |`eks.7` + |=== -* -.Minimum VPC CNI version + +[[cni-network-policy-minimum-vpc,cni-network-policy-minimum-vpc.title]] +=== Minimum VPC CNI version + Version `1.14` or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` on your cluster. You can see which version that you currently have with the following command. -+ + [source,shell,subs="verbatim,attributes"] ---- kubectl describe daemonset aws-node --namespace kube-system | grep amazon-k8s-cni: | cut -d : -f 3 ---- -+ + If your version is earlier than `1.14`, see <> to upgrade to version `1.14` or later. -* -.Minimum Linux kernel version + +[[cni-network-policy-minimum-linux,cni-network-policy-minimum-linux.title]] +=== Minimum Linux kernel version Your nodes must have Linux kernel version `5.10` or later. You can check your kernel version with `uname -r`. If you're using the latest versions of the Amazon EKS optimized Amazon Linux, Amazon EKS optimized accelerated Amazon Linux AMIs, and Bottlerocket AMIs, they already have the required kernel version. -+ -The Amazon EKS optimized accelerated Amazon Linux AMI version `v20231116` or later have kernel version `5.10`. +The Amazon EKS optimized accelerated Amazon Linux AMI version `v20231116` or later have kernel version `5.10`. [[cni-network-policy-configure-policy,cni-network-policy-configure-policy.title]] == Step 1: Set up policy enforcement at [.noloc]`Pod` startup - The [.noloc]`Amazon VPC CNI plugin for Kubernetes` configures network policies for pods in parallel with the pod provisioning. Until all of the policies are configured for the new pod, containers in the new pod will start with a _default allow policy_. This is called _standard mode_. A default allow policy means that all ingress and egress traffic is allowed to and from the new pods. For example, the pods will not have any firewall rules enforced (all traffic is allowed) until the new pod is updated with the active policies. With the `NETWORK_POLICY_ENFORCING_MODE` variable set to `strict`, pods that use the VPC CNI start with a _default deny policy_, then policies are configured. This is called _strict mode_. In strict mode, you must have a network policy for every endpoint that your pods need to access in your cluster. Note that this requirement applies to the [.noloc]`CoreDNS` pods. The default deny policy isn't configured for pods with Host networking. @@ -95,18 +95,18 @@ The network policy feature uses port `8162` on the node for metrics by default. Use the following procedure to enable the network policy parameter for the add-on. +[[cni-network-policy-console,cni-network-policy-console.title]] +=== {aws-management-console} - -{aws-management-console}:: -.. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. -.. In the left navigation pane, select *Clusters*, and then select the name of the cluster that you want to configure the Amazon VPC CNI add-on for. -.. Choose the *Add-ons* tab. -.. Select the box in the top right of the add-on box and then choose *Edit*. -.. On the *Configure [.replaceable]`name of add-on`* page: +. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. +. In the left navigation pane, select *Clusters*, and then select the name of the cluster that you want to configure the Amazon VPC CNI add-on for. +. Choose the *Add-ons* tab. +. Select the box in the top right of the add-on box and then choose *Edit*. +. On the *Configure [.replaceable]`name of add-on`* page: + -... Select a `v1.14.0-eksbuild.3` or later version in the *Version* list. -... Expand the *Optional configuration settings*. -... Enter the JSON key `"enableNetworkPolicy":` and value `"true"` in *Configuration values*. The resulting text must be a valid JSON object. If this key and value are the only data in the text box, surround the key and value with curly braces `{ }`. +.. Select a `v1.14.0-eksbuild.3` or later version in the *Version* list. +.. Expand the *Optional configuration settings*. +.. Enter the JSON key `"enableNetworkPolicy":` and value `"true"` in *Configuration values*. The resulting text must be a valid JSON object. If this key and value are the only data in the text box, surround the key and value with curly braces `{ }`. + The following example has network policy feature enabled and metrics and health probes are set to the default port numbers: + @@ -121,27 +121,27 @@ The following example has network policy feature enabled and metrics and health } ---- - -Helm:: +[[cni-network-helm,cni-network-helm.title]] +=== Helm If you have installed the [.noloc]`Amazon VPC CNI plugin for Kubernetes` through `helm`, you can update the configuration to change the ports. -.. Run the following command to change the ports. Set the port number in the value for either key `nodeAgent.metricsBindAddr` or key `nodeAgent.healthProbeBindAddr`, respectively. +. Run the following command to change the ports. Set the port number in the value for either key `nodeAgent.metricsBindAddr` or key `nodeAgent.healthProbeBindAddr`, respectively. + [source,shell,subs="verbatim,attributes"] ---- helm upgrade --set nodeAgent.metricsBindAddr=8162 --set nodeAgent.healthProbeBindAddr=8163 aws-vpc-cni --namespace kube-system eks/aws-vpc-cni ---- - -[.noloc]`kubectl`:: -.. Open the `aws-node` `DaemonSet` in your editor. +[[cni-network-policy-kubectl,cni-network-policy-kubectl.title]] +=== [.noloc]`kubectl` +. Open the `aws-node` `DaemonSet` in your editor. + [source,bash,subs="verbatim,attributes"] ---- kubectl edit daemonset -n kube-system aws-node ---- -.. Replace the port numbers in the following command arguments in the `args:` in the `aws-network-policy-agent` container in the VPC CNI `aws-node` daemonset manifest. +. Replace the port numbers in the following command arguments in the `args:` in the `aws-network-policy-agent` container in the VPC CNI `aws-node` daemonset manifest. + [source,yaml,subs="verbatim,attributes"] ---- @@ -184,16 +184,19 @@ Configure the cluster to use [.noloc]`Kubernetes` network policies. You can set [%collapsible] ==== -{aws-management-console}:: -.. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. -.. In the left navigation pane, select *Clusters*, and then select the name of the cluster that you want to configure the Amazon VPC CNI add-on for. -.. Choose the *Add-ons* tab. -.. Select the box in the top right of the add-on box and then choose *Edit*. -.. On the *Configure [.replaceable]`name of addon`* page: +[[cni-network-policy-setup-console,cni-network-policy-setup-console.title]] +[discrete] +=== {aws-management-console} + +. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. +. In the left navigation pane, select *Clusters*, and then select the name of the cluster that you want to configure the Amazon VPC CNI add-on for. +. Choose the *Add-ons* tab. +. Select the box in the top right of the add-on box and then choose *Edit*. +. On the *Configure [.replaceable]`name of addon`* page: + -... Select a `v1.14.0-eksbuild.3` or later version in the *Version* list. -... Expand the *Optional configuration settings*. -... Enter the JSON key `"enableNetworkPolicy":` and value `"true"` in *Configuration values*. The resulting text must be a valid JSON object. If this key and value are the only data in the text box, surround the key and value with curly braces `{ }`. The following example shows network policy is enabled: +.. Select a `v1.14.0-eksbuild.3` or later version in the *Version* list. +.. Expand the *Optional configuration settings*. +.. Enter the JSON key `"enableNetworkPolicy":` and value `"true"` in *Configuration values*. The resulting text must be a valid JSON object. If this key and value are the only data in the text box, surround the key and value with curly braces `{ }`. The following example shows network policy is enabled: + [source,json,subs="verbatim,attributes"] ---- @@ -204,9 +207,11 @@ The following screenshot shows an example of this scenario. + image::images/console-cni-config-network-policy.png[{aws-management-console} showing the VPC CNI add-on with network policy in the optional configuration.,scaledwidth=80%] +[[cni-network-policy-setup-cli,cni-network-policy-setup-cli.title]] +[discrete] +=== {aws} CLI -{aws} CLI:: -.. Run the following {aws} CLI command. Replace `my-cluster` with the name of your cluster and the IAM role ARN with the role that you are using. +. Run the following {aws} CLI command. Replace `my-cluster` with the name of your cluster and the IAM role ARN with the role that you are using. + [source,shell,subs="verbatim,attributes"] ---- @@ -222,26 +227,30 @@ aws eks update-addon --cluster-name my-cluster --addon-name vpc-cni --addon-vers [%collapsible] ==== -Helm:: +[[cni-network-policy-helm,cni-network-policy-helm.title]] +[discrete] +=== Helm If you have installed the [.noloc]`Amazon VPC CNI plugin for Kubernetes` through `helm`, you can update the configuration to enable network policy. -.. Run the following command to enable network policy. +. Run the following command to enable network policy. + [source,shell,subs="verbatim,attributes"] ---- helm upgrade --set enableNetworkPolicy=true aws-vpc-cni --namespace kube-system eks/aws-vpc-cni ---- +[[cni-network-policy-setup-kubectl,cni-network-policy-setup-kubectl.title]] +[discrete] +=== [.noloc]`kubectl` -[.noloc]`kubectl`:: -.. Open the `amazon-vpc-cni` `ConfigMap` in your editor. +. Open the `amazon-vpc-cni` `ConfigMap` in your editor. + [source,bash,subs="verbatim,attributes"] ---- kubectl edit configmap -n kube-system amazon-vpc-cni -o yaml ---- -.. Add the following line to the `data` in the `ConfigMap`. +. Add the following line to the `data` in the `ConfigMap`. + [source,bash,subs="verbatim,attributes"] ---- @@ -260,7 +269,7 @@ apiVersion: v1 data: enable-network-policy-controller: "true" ---- -.. Open the `aws-node` `DaemonSet` in your editor. +. Open the `aws-node` `DaemonSet` in your editor. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/nodes/launch-node-bottlerocket.adoc b/latest/ug/nodes/launch-node-bottlerocket.adoc index 735f11c07..d3fca843c 100644 --- a/latest/ug/nodes/launch-node-bottlerocket.adoc +++ b/latest/ug/nodes/launch-node-bottlerocket.adoc @@ -45,7 +45,7 @@ eksctl version ---- For instructions on how to install or upgrade `eksctl`, see https://eksctl.io/installation[Installation] in the `eksctl` documentation.NOTE: This procedure only works for clusters that were created with `eksctl`. -+ + . Copy the following contents to your device. Replace [.replaceable]`my-cluster` with the name of your cluster. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. Replace [.replaceable]`ng-bottlerocket` with a name for your node group. The node group name can't be longer than 63 characters. It must start with letter or digit, but can also include hyphens and underscores for the remaining characters. To deploy on Arm instances, replace [.replaceable]`m5.large` with an Arm instance type. Replace [.replaceable]`my-ec2-keypair-name` with the name of an Amazon EC2 SSH key pair that you can use to connect using SSH into your nodes with after they launch. If you don't already have an Amazon EC2 key pair, you can create one in the {aws-management-console}. For more information, see link:AWSEC2/latest/UserGuide/ec2-key-pairs.html[Amazon EC2 key pairs,type="documentation"] in the _Amazon EC2 User Guide_. Replace all remaining [.replaceable]`example values` with your own values. Once you've made the replacements, run the modified command to create the `bottlerocket.yaml` file. + If specifying an Arm Amazon EC2 instance type, then review the considerations in <> before deploying. For instructions on how to deploy using a custom AMI, see https://github.com/bottlerocket-os/bottlerocket/blob/develop/BUILDING.md[Building Bottlerocket] on [.noloc]`GitHub` and https://eksctl.io/usage/custom-ami-support/[Custom AMI support] in the `eksctl` documentation. To deploy a managed node group, deploy a custom AMI using a launch template. For more information, see <>. diff --git a/latest/ug/nodes/launch-node-ubuntu.adoc b/latest/ug/nodes/launch-node-ubuntu.adoc index 4ee13a25f..024205970 100644 --- a/latest/ug/nodes/launch-node-ubuntu.adoc +++ b/latest/ug/nodes/launch-node-ubuntu.adoc @@ -39,7 +39,7 @@ eksctl version ---- For instructions on how to install or upgrade `eksctl`, see https://eksctl.io/installation[Installation] in the `eksctl` documentation.NOTE: This procedure only works for clusters that were created with `eksctl`. -+ + . Copy the following contents to your device. Replace `my-cluster` with the name of your cluster. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphabetic character and can't be longer than 100 characters. Replace `ng-ubuntu` with a name for your node group. The node group name can't be longer than 63 characters. It must start with letter or digit, but can also include hyphens and underscores for the remaining characters. To deploy on [.noloc]`Arm` instances, replace `m5.large` with an [.noloc]`Arm` instance type. Replace `my-ec2-keypair-name` with the name of an Amazon EC2 SSH key pair that you can use to connect using SSH into your nodes with after they launch. If you don't already have an Amazon EC2 key pair, you can create one in the {aws-management-console}. For more information, see link:AWSEC2/latest/UserGuide/ec2-key-pairs.html[Amazon EC2 key pairs,type="documentation"] in the Amazon EC2 User Guide. Replace all remaining [.replaceable]`example values` with your own values. Once you've made the replacements, run the modified command to create the `ubuntu.yaml` file. + IMPORTANT: To deploy a node group to {aws} Outposts, {aws} Wavelength, or {aws} Local Zone subnets, don't pass {aws} Outposts, {aws} Wavelength, or {aws} Local Zone subnets when you create the cluster. You must specify the subnets in the following example. For more information see https://eksctl.io/usage/nodegroups/#creating-a-nodegroup-from-a-config-file[Create a nodegroup from a config file] and https://eksctl.io/usage/schema/[Config file schema] in the `eksctl` documentation. Replace [.replaceable]`region-code` with the {aws} Region that your cluster is in. diff --git a/latest/ug/nodes/launch-templates.adoc b/latest/ug/nodes/launch-templates.adoc index a56623ead..ba827d3ad 100644 --- a/latest/ug/nodes/launch-templates.adoc +++ b/latest/ug/nodes/launch-templates.adoc @@ -57,12 +57,12 @@ The following table lists the prohibited settings in a managed node group config |(Only if you specified a custom AMI in a launch template) *AMI type* under *Node group compute configuration* on *Set compute and scaling configuration* page – Console displays *Specified in launch template* and the AMI ID that was specified. If *Application and OS Images (Amazon Machine Image)* wasn't specified in the launch template, you can select an AMI in the node group configuration. -|*Application and OS Images (Amazon Machine Image)* under *Launch template contents* – You must specify an ID if you have either of the following requirements: - - +a|*Application and OS Images (Amazon Machine Image)* under *Launch template contents* – You must specify an ID if you have either of the following requirements: * Using a custom AMI. If you specify an AMI that doesn't meet the requirements listed in <>, the node group deployment will fail. + * Want to provide user data to provide arguments to the `bootstrap.sh` file included with an Amazon EKS optimized AMI. You can enable your instances to assign a significantly higher number of IP addresses to [.noloc]`Pods`, assign IP addresses to [.noloc]`Pods` from a different CIDR block than the instance's, or deploy a private cluster without outbound internet access. For more information, see the following topics: + + ** <> ** <> @@ -145,6 +145,7 @@ You can combine multiple user data blocks together into a single MIME multi-part + The following is an example of a MIME multi-part file that you can use to create your own. + + [source,none,subs="verbatim,attributes"] ---- diff --git a/latest/ug/nodes/managed-node-update-behavior.adoc b/latest/ug/nodes/managed-node-update-behavior.adoc index a94eb7dc0..6ffba17e5 100644 --- a/latest/ug/nodes/managed-node-update-behavior.adoc +++ b/latest/ug/nodes/managed-node-update-behavior.adoc @@ -42,35 +42,31 @@ For example, if your node group has five Availability Zones and `maxUnavailable` ** New nodes should have Amazon EKS applied labels. + These are the Amazon EKS applied labels on the worker nodes in a regular node group: -+ -*** `eks.amazonaws.com/nodegroup-image=[.replaceable]``$amiName``` -*** `eks.amazonaws.com/nodegroup=[.replaceable]``$nodeGroupName``` + +*** `eks.amazonaws.com/nodegroup-image=$amiName` +*** `eks.amazonaws.com/nodegroup=$nodeGroupName` + These are the Amazon EKS applied labels on the worker nodes in a custom launch template or AMI node group: + + -*** `eks.amazonaws.com/nodegroup-image=[.replaceable]``$amiName``` -*** `eks.amazonaws.com/nodegroup=[.replaceable]``$nodeGroupName``` -*** `eks.amazonaws.com/sourceLaunchTemplateId=[.replaceable]``$launchTemplateId``` -*** `eks.amazonaws.com/sourceLaunchTemplateVersion=[.replaceable]``$launchTemplateVersion``` +*** `eks.amazonaws.com/nodegroup-image=$amiName` +*** `eks.amazonaws.com/nodegroup=$nodeGroupName` +*** `eks.amazonaws.com/sourceLaunchTemplateId=$launchTemplateId` +*** `eks.amazonaws.com/sourceLaunchTemplateVersion=$launchTemplateVersion` . It marks nodes as unschedulable to avoid scheduling new [.noloc]`Pods`. It also labels nodes with `node.kubernetes.io/exclude-from-external-load-balancers=true` to remove the nodes from load balancers before terminating the nodes. The following are known reasons which lead to a `NodeCreationFailure` error in this phase: - - *Insufficient capacity in the Availability Zone*:: There is a possibility that the Availability Zone might not have capacity of requested instance types. It's recommended to configure multiple instance types while creating a managed node group. - *EC2 instance limits in your account*:: You may need to increase the number of Amazon EC2 instances your account can run simultaneously using Service Quotas. For more information, see link:AWSEC2/latest/UserGuide/ec2-resource-limits.html[EC2 Service Quotas,type="documentation"] in the _Amazon Elastic Compute Cloud User Guide for [.noloc]`Linux` Instances_. - *Custom user data*:: Custom user data can sometimes break the bootstrap process. This scenario can lead to the `kubelet` not starting on the node or nodes not getting expected Amazon EKS labels on them. For more information, see <>. - *Any changes which make a node unhealthy or not ready*:: Node disk pressure, memory pressure, and similar conditions can lead to a node not going to `Ready` state. @@ -104,12 +100,9 @@ The _minimal_ update strategy has these steps: The following are known reasons which lead to a `PodEvictionFailure` error in this phase: - - *Aggressive PDB*:: Aggressive PDB is defined on the [.noloc]`Pod` or there are multiple PDBs pointing to the same [.noloc]`Pod`. - *Deployment tolerating all the taints*:: Once every [.noloc]`Pod` is evicted, it's expected for the node to be empty because the node is https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/[tainted] in the earlier steps. However, if the deployment tolerates every taint, then the node is more likely to be non-empty, leading to [.noloc]`Pod` eviction failure. From fe4901803ccc2d987b7b46c2611f3cb8990e23b5 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Tue, 4 Feb 2025 20:36:08 +0000 Subject: [PATCH 095/940] eksctl v0.203.0: https://github.com/eksctl-io/eksctl/releases/tag/v0.203.0 --- latest/ug/attributes.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/attributes.txt b/latest/ug/attributes.txt index be01e098c..66a281a0f 100644 --- a/latest/ug/attributes.txt +++ b/latest/ug/attributes.txt @@ -1,5 +1,5 @@ // eksctl version -:eksctl-min-version: 0.202.0 +:eksctl-min-version: 0.203.0 // EKS Auto Mode versions :auto-cli-v2-version: 2.12.3 From 1cba78a5023c9756152ede2b5a0468016ffbee96 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Tue, 4 Feb 2025 21:31:23 +0000 Subject: [PATCH 096/940] Cleaned up remaining extraneous pluses found in PDF version. --- .../cni-increase-ip-addresses-procedure.adoc | 39 +++--- latest/ug/networking/lbc-remove.adoc | 7 +- .../network-policies-troubleshooting.adoc | 2 +- latest/ug/nodes/choosing-instance-type.adoc | 3 +- latest/ug/nodes/dockershim-deprecation.adoc | 4 +- latest/ug/security/default-roles-users.adoc | 117 +++++++++--------- 6 files changed, 93 insertions(+), 79 deletions(-) diff --git a/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc b/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc index 4b8d48fab..8ce155873 100644 --- a/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc +++ b/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc @@ -9,12 +9,9 @@ You can increase the number of IP addresses that nodes can assign to [.noloc]`Po Complete the following before you start the procedure: - - * Review the considerations. * You need an existing cluster. To deploy one, see <>. * The subnets that your Amazon EKS nodes are in must have sufficient contiguous `/28` (for `IPv4` clusters) or `/80` (for `IPv6` clusters) Classless Inter-Domain Routing (CIDR) blocks. You can only have Linux nodes in an `IPv6` cluster. Using IP prefixes can fail if IP addresses are scattered throughout the subnet CIDR. We recommend that following: -+ ** Using a subnet CIDR reservation so that even if any IP addresses within the reserved range are still in use, upon their release, the IP addresses aren't reassigned. This ensures that prefixes are available for allocation without segmentation. ** Use new subnets that are specifically used for running the workloads that IP prefixes are assigned to. Both [.noloc]`Windows` and [.noloc]`Linux` workloads can run in the same subnet when assigning IP prefixes. * To assign IP prefixes to your nodes, your nodes must be {aws} Nitro-based. Instances that aren't Nitro-based continue to allocate individual secondary IP addresses, but have a significantly lower number of IP addresses to assign to [.noloc]`Pods` than [.noloc]`Nitro-based` instances do. @@ -52,14 +49,16 @@ You can check your current [.noloc]`Kubernetes` and platform version by replacin . Configure your cluster to assign IP address prefixes to nodes. Complete the procedure on the tab that matches your node's operating system. + [.noloc]`Linux`::: -... Enable the parameter to assign prefixes to network interfaces for the Amazon VPC CNI [.noloc]`DaemonSet`. When you deploy a `1.21` or later cluster, version `1.10.1` or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on is deployed with it. If you created the cluster with the `IPv6` family, this setting was set to `true` by default. If you created the cluster with the `IPv4` family, this setting was set to `false` by default. +.. Enable the parameter to assign prefixes to network interfaces for the Amazon VPC CNI [.noloc]`DaemonSet`. When you deploy a `1.21` or later cluster, version `1.10.1` or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on is deployed with it. If you created the cluster with the `IPv6` family, this setting was set to `true` by default. If you created the cluster with the `IPv4` family, this setting was set to `false` by default. + [source,bash,subs="verbatim,attributes"] ---- kubectl set env daemonset aws-node -n kube-system ENABLE_PREFIX_DELEGATION=true ---- + -IMPORTANT: Even if your subnet has available IP addresses, if the subnet does not have any contiguous `/28` blocks available, you will see the following error in the [.noloc]`Amazon VPC CNI plugin for Kubernetes` logs. +[IMPORTANT] +==== +Even if your subnet has available IP addresses, if the subnet does not have any contiguous `/28` blocks available, you will see the following error in the [.noloc]`Amazon VPC CNI plugin for Kubernetes` logs. [source,bash,subs="verbatim,attributes"] ---- @@ -67,12 +66,14 @@ InsufficientCidrBlocks: The specified subnet does not have enough free cidr bloc ---- This can happen due to fragmentation of existing secondary IP addresses spread out across a subnet. To resolve this error, either create a new subnet and launch [.noloc]`Pods` there, or use an Amazon EC2 subnet CIDR reservation to reserve space within a subnet for use with prefix assignment. For more information, see link:vpc/latest/userguide/subnet-cidr-reservation.html[Subnet CIDR reservations,type="documentation"] in the Amazon VPC User Guide. -... If you plan to deploy a managed node group without a launch template, or with a launch template that you haven't specified an AMI ID in, and you're using a version of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` at or later than the versions listed in the prerequisites, then skip to the next step. Managed node groups automatically calculates the maximum number of [.noloc]`Pods` for you. +==== ++ +.. If you plan to deploy a managed node group without a launch template, or with a launch template that you haven't specified an AMI ID in, and you're using a version of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` at or later than the versions listed in the prerequisites, then skip to the next step. Managed node groups automatically calculates the maximum number of [.noloc]`Pods` for you. + If you're deploying a self-managed node group or a managed node group with a launch template that you have specified an AMI ID in, then you must determine the Amazon EKS recommend number of maximum [.noloc]`Pods` for your nodes. Follow the instructions in <>, adding `--cni-prefix-delegation-enabled` to step 3. Note the output for use in a later step. + IMPORTANT: Managed node groups enforces a maximum number on the value of `maxPods`. For instances with less than 30 vCPUs the maximum number is 110 and for all other instances the maximum number is 250. This maximum number is applied whether prefix delegation is enabled or not. -... If you're using a `1.21` or later cluster configured for `IPv6`, skip to the next step. +.. If you're using a `1.21` or later cluster configured for `IPv6`, skip to the next step. + Specify the parameters in one of the following options. To determine which option is right for you and what value to provide for it, see https://github.com/aws/amazon-vpc-cni-k8s/blob/master/docs/prefix-and-ip-target.md[WARM_PREFIX_TARGET, WARM_IP_TARGET, and MINIMUM_IP_TARGET] on [.noloc]`GitHub`. + @@ -90,6 +91,7 @@ kubectl set env ds aws-node -n kube-system WARM_PREFIX_TARGET=1 ---- kubectl set env ds aws-node -n kube-system WARM_IP_TARGET=5 ---- ++ [source,bash,subs="verbatim,attributes"] ---- kubectl set env ds aws-node -n kube-system MINIMUM_IP_TARGET=2 @@ -134,7 +136,7 @@ NOTE: If you also want to assign IP addresses to [.noloc]`Pods` from a different [.noloc]`Windows`::: -... Enable assignment of IP prefixes. +.. Enable assignment of IP prefixes. + .... Open the `amazon-vpc-cni` `ConfigMap` for editing. + @@ -142,14 +144,14 @@ NOTE: If you also want to assign IP addresses to [.noloc]`Pods` from a different ---- kubectl edit configmap -n kube-system amazon-vpc-cni -o yaml ---- -.... Add the following line to the `data` section. +... Add the following line to the `data` section. + [source,yaml,subs="verbatim,attributes"] ---- enable-windows-prefix-delegation: "true" ---- -.... Save the file and close the editor. -.... Confirm that the line was added to the `ConfigMap`. +... Save the file and close the editor. +... Confirm that the line was added to the `ConfigMap`. + [source,bash,subs="verbatim,attributes"] ---- @@ -158,23 +160,26 @@ kubectl get configmap -n kube-system amazon-vpc-cni -o "jsonpath={.data.enable-w + If the returned output isn't `true`, then there might have been an error. Try completing the step again. + -IMPORTANT: Even if your subnet has available IP addresses, if the subnet does not have any contiguous `/28` blocks available, you will see the following error in the node events. +[IMPORTANT] +==== +Even if your subnet has available IP addresses, if the subnet does not have any contiguous `/28` blocks available, you will see the following error in the [.noloc]`Amazon VPC CNI plugin for Kubernetes` logs. [source,bash,subs="verbatim,attributes"] ---- -"failed to allocate a private IP/Prefix address: InsufficientCidrBlocks: The specified subnet does not have enough free cidr blocks to satisfy the request" +InsufficientCidrBlocks: The specified subnet does not have enough free cidr blocks to satisfy the request ---- This can happen due to fragmentation of existing secondary IP addresses spread out across a subnet. To resolve this error, either create a new subnet and launch [.noloc]`Pods` there, or use an Amazon EC2 subnet CIDR reservation to reserve space within a subnet for use with prefix assignment. For more information, see link:vpc/latest/userguide/subnet-cidr-reservation.html[Subnet CIDR reservations,type="documentation"] in the Amazon VPC User Guide. +==== ... (Optional) Specify additional configuration for controlling the pre-scaling and dynamic scaling behavior for your cluster. For more information, see https://github.com/aws/amazon-vpc-resource-controller-k8s/blob/master/docs/windows/prefix_delegation_config_options.md[Configuration options with Prefix Delegation mode on Windows] on GitHub. + -.... Open the `amazon-vpc-cni` `ConfigMap` for editing. +... Open the `amazon-vpc-cni` `ConfigMap` for editing. + [source,bash,subs="verbatim,attributes"] ---- kubectl edit configmap -n kube-system amazon-vpc-cni -o yaml ---- -.... Replace the [.replaceable]`example values` with a value greater than zero and add the entries that you require to the `data` section of the `ConfigMap`. If you set a value for either `warm-ip-target` or `minimum-ip-target`, the value overrides any value set for `warm-prefix-target`. +... Replace the [.replaceable]`example values` with a value greater than zero and add the entries that you require to the `data` section of the `ConfigMap`. If you set a value for either `warm-ip-target` or `minimum-ip-target`, the value overrides any value set for `warm-prefix-target`. + [source,yaml,subs="verbatim,attributes"] ---- @@ -182,8 +187,8 @@ kubectl edit configmap -n kube-system amazon-vpc-cni -o yaml warm-ip-target: "5" minimum-ip-target: "2" ---- -.... Save the file and close the editor. -... Create [.noloc]`Windows` node groups with at least one Amazon EC2 [.noloc]`Nitro` instance type. For a list of [.noloc]`Nitro` instance types, see link:AWSEC2/latest/WindowsGuide/instance-types.html#ec2-nitro-instances[Instances built on the Nitro System,type="documentation"] in the Amazon EC2 User Guide. By default, the maximum number of [.noloc]`Pods` that you can deploy to a node is 110. If you want to increase or decrease that number, specify the following in the user data for the bootstrap configuration. Replace [.replaceable]`max-pods-quantity` with your max pods value. +... Save the file and close the editor. +.. Create [.noloc]`Windows` node groups with at least one Amazon EC2 [.noloc]`Nitro` instance type. For a list of [.noloc]`Nitro` instance types, see link:AWSEC2/latest/WindowsGuide/instance-types.html#ec2-nitro-instances[Instances built on the Nitro System,type="documentation"] in the Amazon EC2 User Guide. By default, the maximum number of [.noloc]`Pods` that you can deploy to a node is 110. If you want to increase or decrease that number, specify the following in the user data for the bootstrap configuration. Replace [.replaceable]`max-pods-quantity` with your max pods value. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/networking/lbc-remove.adoc b/latest/ug/networking/lbc-remove.adoc index eac568c8a..c0d095553 100644 --- a/latest/ug/networking/lbc-remove.adoc +++ b/latest/ug/networking/lbc-remove.adoc @@ -50,9 +50,14 @@ helm delete aws-load-balancer-controller -n kube-system ---- kubectl get deployment -n kube-system alb-ingress-controller ---- + + -This is the output if the controller isn't installed. +This is the output if the controller isn't installed. + +[source,bash,subs="verbatim,attributes"] +---- +Error from server (NotFound): deployments.apps "alb-ingress-controller" not found +---- + This is the output if the controller is installed. + diff --git a/latest/ug/networking/network-policies-troubleshooting.adoc b/latest/ug/networking/network-policies-troubleshooting.adoc index 475d9199b..c49f44785 100644 --- a/latest/ug/networking/network-policies-troubleshooting.adoc +++ b/latest/ug/networking/network-policies-troubleshooting.adoc @@ -181,7 +181,7 @@ Only the network policy logs are sent by the node agent. Other logs made by the + The following screenshot shows an example of this scenario. -+ + image::images/console-cni-config-network-policy-logs-cwl.png[{aws-management-console} showing the VPC CNI add-on with network policy and CloudWatch Logs in the optional configuration.,scaledwidth=80%] diff --git a/latest/ug/nodes/choosing-instance-type.adoc b/latest/ug/nodes/choosing-instance-type.adoc index 475471dbb..47f89a1d0 100644 --- a/latest/ug/nodes/choosing-instance-type.adoc +++ b/latest/ug/nodes/choosing-instance-type.adoc @@ -38,7 +38,8 @@ Do you need [.noloc]`x86` or [.noloc]`Arm`? Before deploying [.noloc]`Arm` insta *Maximum number of [.noloc]`Pods`*:: Since each [.noloc]`Pod` is assigned its own IP address, the number of IP addresses supported by an instance type is a factor in determining the number of [.noloc]`Pods` that can run on the instance. To manually determine how many [.noloc]`Pods` an instance type supports, see <>. -+`NOTE: If you're using an Amazon EKS optimized Amazon Linux 2 AMI that's `v20220406` or newer, you can use a new instance type without upgrading to the latest AMI. For these AMIs, the AMI auto-calculates the necessary `max-pods` value if it isn't listed in the https://github.com/awslabs/amazon-eks-ami/blob/main/templates/shared/runtime/eni-max-pods.txt[eni-max-pods.txt] file. Instance types that are currently in preview may not be supported by Amazon EKS by default. Values for max-pods` for such types still need to be added to `eni-max-pods.txt` in our AMI. ++ +NOTE: If you're using an Amazon EKS optimized Amazon Linux 2 AMI that's `v20220406` or newer, you can use a new instance type without upgrading to the latest AMI. For these AMIs, the AMI auto-calculates the necessary `max-pods` value if it isn't listed in the https://github.com/awslabs/amazon-eks-ami/blob/main/templates/shared/runtime/eni-max-pods.txt[eni-max-pods.txt] file. Instance types that are currently in preview may not be supported by Amazon EKS by default. Values for max-pods` for such types still need to be added to `eni-max-pods.txt` in our AMI. + link:ec2/nitro/[{aws} Nitro System,type="marketing"] instance types optionally support significantly more IP addresses than non-Nitro System instance types. However, not all IP addresses assigned for an instance are available to [.noloc]`Pods`. To assign a significantly larger number of IP addresses to your instances, you must have version `1.9.0` or later of the Amazon VPC CNI add-on installed in your cluster and configured appropriately. For more information, see <>. To assign the largest number of IP addresses to your instances, you must have version `1.10.1` or later of the Amazon VPC CNI add-on installed in your cluster and deploy the cluster with the `IPv6` family. diff --git a/latest/ug/nodes/dockershim-deprecation.adoc b/latest/ug/nodes/dockershim-deprecation.adoc index ab1d51851..cf025a233 100644 --- a/latest/ug/nodes/dockershim-deprecation.adoc +++ b/latest/ug/nodes/dockershim-deprecation.adoc @@ -34,13 +34,13 @@ The `containerd` runtime provides more reliable performance and security. `conta * If you use a custom AMI and you are upgrading to Amazon EKS `1.24`, then you must make sure that IP forwarding is enabled for your worker nodes. This setting wasn't needed with [.noloc]`Docker` but is required for `containerd`. It is needed to troubleshoot [.noloc]`Pod`-to-[.noloc]`Pod`, [.noloc]`Pod`-to-external, or [.noloc]`Pod`-to-[.noloc]`apiserver` network connectivity. + To verify this setting on a worker node, run either of the following commands: -+ + ** `sysctl net.ipv4.ip_forward` ** `cat /proc/sys/net/ipv4/ip_forward` + If the output is `0`, then run either of the following commands to activate the `net.ipv4.ip_forward` kernel variable: -+ + ** `sysctl -w net.ipv4.ip_forward=1` ** `echo 1 > /proc/sys/net/ipv4/ip_forward` diff --git a/latest/ug/security/default-roles-users.adoc b/latest/ug/security/default-roles-users.adoc index 744b24cae..4a2c036c8 100644 --- a/latest/ug/security/default-roles-users.adoc +++ b/latest/ug/security/default-roles-users.adoc @@ -16,64 +16,68 @@ When you install optional <> to your cluster, additional [. You can view the list of Amazon EKS created [.noloc]`Kubernetes` identities on your cluster using the {aws-management-console} or `kubectl` command line tool. All of the user identities appear in the `kube` audit logs available to you through Amazon CloudWatch. +[[default-role-users-console,default-role-users-console.title]] +== {aws-management-console} +=== Prerequisite -*{aws-management-console}*:: +The link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that you use must have the permissions described in <>. -.Prerequisite -The link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that you use must have the permissions described in <>. -+ -.. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. -.. In the *Clusters* list, choose the cluster that contains the identities that you want to view. -.. Choose the *Resources* tab. -.. Under *Resource types*, choose *Authorization*. -.. Choose, *ClusterRoles*, *ClusterRoleBindings*, *Roles*, or *RoleBindings*. All resources prefaced with *eks* are created by Amazon EKS. Additional Amazon EKS created identity resources are: +=== To view Amazon EKS created identities using the {aws-management-console} + +. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. +. In the *Clusters* list, choose the cluster that contains the identities that you want to view. +. Choose the *Resources* tab. +. Under *Resource types*, choose *Authorization*. +. Choose, *ClusterRoles*, *ClusterRoleBindings*, *Roles*, or *RoleBindings*. All resources prefaced with *eks* are created by Amazon EKS. Additional Amazon EKS created identity resources are: + -*** The *ClusterRole* and *ClusterRoleBinding* named *aws-node*. The *aws-node* resources support the <>, which Amazon EKS installs on all clusters. -*** A *ClusterRole* named *vpc-resource-controller-role* and a *ClusterRoleBinding* named *vpc-resource-controller-rolebinding*. These resources support the https://github.com/aws/amazon-vpc-resource-controller-k8s[Amazon VPC resource controller], which Amazon EKS installs on all clusters. +* The *ClusterRole* and *ClusterRoleBinding* named *aws-node*. The *aws-node* resources support the <>, which Amazon EKS installs on all clusters. +* A *ClusterRole* named *vpc-resource-controller-role* and a *ClusterRoleBinding* named *vpc-resource-controller-rolebinding*. These resources support the https://github.com/aws/amazon-vpc-resource-controller-k8s[Amazon VPC resource controller], which Amazon EKS installs on all clusters. + In addition to the resources that you see in the console, the following special user identities exist on your cluster, though they're not visible in the cluster's configuration: -+ -*** *`eks:cluster-bootstrap`* – Used for `kubectl` operations during cluster bootstrap. -*** *`eks:support-engineer`* – Used for cluster management operations. -.. Choose a specific resource to view details about it. By default, you're shown information in *Structured view*. In the top-right corner of the details page you can choose *Raw view* to see all information for the resource. +* *`eks:cluster-bootstrap`* – Used for `kubectl` operations during cluster bootstrap. +* *`eks:support-engineer`* – Used for cluster management operations. + +. Choose a specific resource to view details about it. By default, you're shown information in *Structured view*. In the top-right corner of the details page you can choose *Raw view* to see all information for the resource. + +[[default-role-users-kubectl,default-role-users-kubectl.title]] +== Kubectl -*Kubectl*:: +=== Prerequisite -.Prerequisite The entity that you use ({aws} Identity and Access Management (IAM) or [.noloc]`OpenID Connect` ([.noloc]`OIDC`)) to list the [.noloc]`Kubernetes` resources on the cluster must be authenticated by IAM or your [.noloc]`OIDC` identity provider. The entity must be granted permissions to use the [.noloc]`Kubernetes` `get` and `list` verbs for the `Role`, `ClusterRole`, `RoleBinding`, and `ClusterRoleBinding` resources on your cluster that you want the entity to work with. For more information about granting IAM entities access to your cluster, see <>. For more information about granting entities authenticated by your own [.noloc]`OIDC` provider access to your cluster, see <>. -.To view Amazon EKS created identities using `kubectl` + +=== To view Amazon EKS created identities using `kubectl` Run the command for the type of resource that you want to see. All returned resources that are prefaced with *eks* are created by Amazon EKS. In addition to the resources returned in the output from the commands, the following special user identities exist on your cluster, though they're not visible in the cluster's configuration: -+ -** *`eks:cluster-bootstrap`* – Used for `kubectl` operations during cluster bootstrap. -** *`eks:support-engineer`* – Used for cluster management operations. -+ + +* *`eks:cluster-bootstrap`* – Used for `kubectl` operations during cluster bootstrap. +* *`eks:support-engineer`* – Used for cluster management operations. + *ClusterRoles* – `ClusterRoles` are scoped to your cluster, so any permission granted to a role applies to resources in any [.noloc]`Kubernetes` namespace on the cluster. -+ + The following command returns all of the Amazon EKS created [.noloc]`Kubernetes` `ClusterRoles` on your cluster. -+ + [source,bash,subs="verbatim,attributes"] ---- kubectl get clusterroles | grep eks ---- -+ + In addition to the `ClusterRoles` returned in the output that are prefaced with, the following `ClusterRoles` exist. -+ -** *`aws-node`* – This `ClusterRole` supports the <>, which Amazon EKS installs on all clusters. -** *`vpc-resource-controller-role`* – This `ClusterRole` supports the https://github.com/aws/amazon-vpc-resource-controller-k8s[Amazon VPC resource controller], which Amazon EKS installs on all clusters. -+ +* *`aws-node`* – This `ClusterRole` supports the <>, which Amazon EKS installs on all clusters. +* *`vpc-resource-controller-role`* – This `ClusterRole` supports the https://github.com/aws/amazon-vpc-resource-controller-k8s[Amazon VPC resource controller], which Amazon EKS installs on all clusters. + To see the specification for a `ClusterRole`, replace [.replaceable]`eks:k8s-metrics` in the following command with a `ClusterRole` returned in the output of the previous command. The following example returns the specification for the [.replaceable]`eks:k8s-metrics` `ClusterRole`. -+ + [source,bash,subs="verbatim,attributes"] ---- kubectl describe clusterrole eks:k8s-metrics ---- -+ + An example output is as follows. -+ + [source,bash,subs="verbatim,attributes"] ---- Name: eks:k8s-metrics @@ -88,31 +92,30 @@ PolicyRule: pods [] [] [list] deployments.apps [] [] [list] ---- -+ + *ClusterRoleBindings* – `ClusterRoleBindings` are scoped to your cluster. -+ + The following command returns all of the Amazon EKS created [.noloc]`Kubernetes` `ClusterRoleBindings` on your cluster. -+ + [source,bash,subs="verbatim,attributes"] ---- kubectl get clusterrolebindings | grep eks ---- -+ + In addition to the `ClusterRoleBindings` returned in the output, the following `ClusterRoleBindings` exist. -+ -** *`aws-node`* – This `ClusterRoleBinding` supports the <>, which Amazon EKS installs on all clusters. -** *`vpc-resource-controller-rolebinding`* – This `ClusterRoleBinding` supports the https://github.com/aws/amazon-vpc-resource-controller-k8s[Amazon VPC resource controller], which Amazon EKS installs on all clusters. -+ +* *`aws-node`* – This `ClusterRoleBinding` supports the <>, which Amazon EKS installs on all clusters. +* *`vpc-resource-controller-rolebinding`* – This `ClusterRoleBinding` supports the https://github.com/aws/amazon-vpc-resource-controller-k8s[Amazon VPC resource controller], which Amazon EKS installs on all clusters. + To see the specification for a `ClusterRoleBinding`, replace [.replaceable]`eks:k8s-metrics` in the following command with a `ClusterRoleBinding` returned in the output of the previous command. The following example returns the specification for the [.replaceable]`eks:k8s-metrics` `ClusterRoleBinding`. -+ + [source,bash,subs="verbatim,attributes"] ---- kubectl describe clusterrolebinding eks:k8s-metrics ---- -+ + An example output is as follows. -+ + [source,bash,subs="verbatim,attributes"] ---- Name: eks:k8s-metrics @@ -126,25 +129,25 @@ Subjects: ---- ---- --------- User eks:k8s-metrics ---- -+ + *Roles* – `Roles` are scoped to a [.noloc]`Kubernetes` namespace. All Amazon EKS created `Roles` are scoped to the `kube-system` namespace. -+ + The following command returns all of the Amazon EKS created [.noloc]`Kubernetes` `Roles` on your cluster. -+ + [source,bash,subs="verbatim,attributes"] ---- kubectl get roles -n kube-system | grep eks ---- -+ + To see the specification for a `Role`, replace [.replaceable]`eks:k8s-metrics` in the following command with the name of a `Role` returned in the output of the previous command. The following example returns the specification for the [.replaceable]`eks:k8s-metrics` `Role`. -+ + [source,bash,subs="verbatim,attributes"] ---- kubectl describe role eks:k8s-metrics -n kube-system ---- -+ + An example output is as follows. -+ + [source,bash,subs="verbatim,attributes"] ---- Name: eks:k8s-metrics @@ -156,25 +159,25 @@ PolicyRule: daemonsets.apps [] [aws-node] [get] deployments.apps [] [vpc-resource-controller] [get] ---- -+ + *RoleBindings* – `RoleBindings` are scoped to a [.noloc]`Kubernetes` namespace. All Amazon EKS created `RoleBindings` are scoped to the `kube-system` namespace. -+ + The following command returns all of the Amazon EKS created [.noloc]`Kubernetes` `RoleBindings` on your cluster. -+ + [source,bash,subs="verbatim,attributes"] ---- kubectl get rolebindings -n kube-system | grep eks ---- -+ + To see the specification for a `RoleBinding`, replace [.replaceable]`eks:k8s-metrics` in the following command with a `RoleBinding` returned in the output of the previous command. The following example returns the specification for the [.replaceable]`eks:k8s-metrics` `RoleBinding`. -+ + [source,bash,subs="verbatim,attributes"] ---- kubectl describe rolebinding eks:k8s-metrics -n kube-system ---- -+ + An example output is as follows. -+ + [source,bash,subs="verbatim,attributes"] ---- Name: eks:k8s-metrics From 99f94e8834c01f47bf2f62fc9f5088925d6a6475 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Tue, 4 Feb 2025 21:57:42 +0000 Subject: [PATCH 097/940] Fix rendering: 44634 --- latest/ug/networking/external-snat.adoc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/latest/ug/networking/external-snat.adoc b/latest/ug/networking/external-snat.adoc index 76541838a..6520151fb 100644 --- a/latest/ug/networking/external-snat.adoc +++ b/latest/ug/networking/external-snat.adoc @@ -14,7 +14,7 @@ Learn how Amazon EKS manages external communication for [.noloc]`Pods` using Sou If you deployed your cluster using the `IPv6` family, then the information in this topic isn't applicable to your cluster, because `IPv6` addresses are not network translated. For more information about using `IPv6` with your cluster, see <>. -By default, each [.noloc]`Pod` in your cluster is assigned a link:AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-private-addresses[private,type="documentation"]``IPv4`` address from a classless inter-domain routing (CIDR) block that is associated with the VPC that the [.noloc]`Pod` is deployed in. [.noloc]`Pods` in the same VPC communicate with each other using these private IP addresses as end points. When a [.noloc]`Pod` communicates to any `IPv4` address that isn't within a CIDR block that's associated to your VPC, the Amazon VPC CNI plugin (for both https://github.com/aws/amazon-vpc-cni-k8s#amazon-vpc-cni-k8s[Linux] or https://github.com/aws/amazon-vpc-cni-plugins/tree/master/plugins/vpc-bridge[Windows]) translates the [.noloc]`Pod's` `IPv4` address to the primary private `IPv4` address of the primary link:AWSEC2/latest/UserGuide/using-eni.html#eni-basics[elastic network interface,type="documentation"] of the node that the [.noloc]`Pod` is running on, by default ^^<>^^. +By default, each [.noloc]`Pod` in your cluster is assigned a link:AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-private-addresses[private,type="documentation"] `IPv4` address from a classless inter-domain routing (CIDR) block that is associated with the VPC that the [.noloc]`Pod` is deployed in. [.noloc]`Pods` in the same VPC communicate with each other using these private IP addresses as end points. When a [.noloc]`Pod` communicates to any `IPv4` address that isn't within a CIDR block that's associated to your VPC, the Amazon VPC CNI plugin (for both https://github.com/aws/amazon-vpc-cni-k8s#amazon-vpc-cni-k8s[Linux] or https://github.com/aws/amazon-vpc-cni-plugins/tree/master/plugins/vpc-bridge[Windows]) translates the [.noloc]`Pod's` `IPv4` address to the primary private `IPv4` address of the primary link:AWSEC2/latest/UserGuide/using-eni.html#eni-basics[elastic network interface,type="documentation"] of the node that the [.noloc]`Pod` is running on, by default <>. [NOTE] ==== @@ -25,13 +25,13 @@ For [.noloc]`Windows` nodes, there are additional details to consider. By defaul Due to this behavior: -* Your [.noloc]`Pods` can communicate with internet resources only if the node that they're running on has a link:AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses[public,type="documentation"] or link:vpc/latest/userguide/vpc-eips.html[elastic,type="documentation"] IP address assigned to it and is in a link:vpc/latest/userguide/configure-subnets.html#subnet-basics[public subnet,type="documentation"]. A public subnet's associated link:vpc/latest/userguide/VPC_Route_Tables.html[route table,type="documentation"] has a route to an internet gateway. We recommend deploying nodes to private subnets, whenever possible. +* Your [.noloc]`Pods` can communicate with internet resources only if the node that they're running on has a link:AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses[public,type="documentation"] or link:vpc/latest/userguide/vpc-eips.html[elastic,type="documentation"] IP address assigned to it and is in a link:vpc/latest/userguide/configure-subnets.html#subnet-basics[public subnet,type="documentation"]. A public subnet's associated link:vpc/latest/userguide/VPC_Route_Tables.html[route table,type="documentation"] has a route to an internet gateway. We recommend deploying nodes to private subnets, whenever possible. * For versions of the plugin earlier than `1.8.0`, resources that are in networks or VPCs that are connected to your cluster VPC using link:vpc/latest/peering/what-is-vpc-peering.html[VPC peering,type="documentation"], a link:whitepapers/latest/aws-vpc-connectivity-options/transit-vpc-option.html[transit VPC,type="documentation"], or link:directconnect/latest/UserGuide/Welcome.html[{aws} Direct Connect,type="documentation"] can't initiate communication to your [.noloc]`Pods` behind secondary elastic network interfaces. Your [.noloc]`Pods` can initiate communication to those resources and receive responses from them, though. If either of the following statements are true in your environment, then change the default configuration with the command that follows. * You have resources in networks or VPCs that are connected to your cluster VPC using link:vpc/latest/peering/what-is-vpc-peering.html[VPC peering,type="documentation"], a link:whitepapers/latest/aws-vpc-connectivity-options/transit-vpc-option.html[transit VPC,type="documentation"], or link:directconnect/latest/UserGuide/Welcome.html[{aws} Direct Connect,type="documentation"] that need to initiate communication with your [.noloc]`Pods` using an `IPv4` address and your plugin version is earlier than `1.8.0`. -* Your [.noloc]`Pods` are in a link:vpc/latest/userguide/configure-subnets.html#subnet-basics[private subnet,type="documentation"] and need to communicate outbound to the internet. The subnet has a route to a link:vpc/latest/userguide/vpc-nat-gateway.html[NAT gateway,type="documentation"]. +* Your [.noloc]`Pods` are in a link:vpc/latest/userguide/configure-subnets.html#subnet-basics[private subnet,type="documentation"] and need to communicate outbound to the internet. The subnet has a route to a link:vpc/latest/userguide/vpc-nat-gateway.html[NAT gateway,type="documentation"]. [source,bash,subs="verbatim,attributes"] @@ -49,5 +49,5 @@ The `AWS_VPC_K8S_CNI_EXTERNALSNAT` and `AWS_VPC_K8S_CNI_EXCLUDE_SNAT_CIDRS` CNI [[snat-exception,snat-exception.title]] == Host networking -^^*^^If a [.noloc]`Pod's` spec contains `hostNetwork=true` (default is `false`), then its IP address isn't translated to a different address. This is the case for the `kube-proxy` and [.noloc]`Amazon VPC CNI plugin for Kubernetes` [.noloc]`Pods` that run on your cluster, by default. For these [.noloc]`Pods`, the IP address is the same as the node's primary IP address, so the [.noloc]`Pod's` IP address isn't translated. For more information about a [.noloc]`Pod's` `hostNetwork` setting, see https://kubernetes.io/docs/reference/generated/kubernetes-api/v{k8s-n}/#podspec-v1-core[PodSpec v1 core] in the [.noloc]`Kubernetes` API reference. +{asterisk} If a [.noloc]`Pod's` spec contains `hostNetwork=true` (default is `false`), then its IP address isn't translated to a different address. This is the case for the `kube-proxy` and [.noloc]`Amazon VPC CNI plugin for Kubernetes` [.noloc]`Pods` that run on your cluster, by default. For these [.noloc]`Pods`, the IP address is the same as the node's primary IP address, so the [.noloc]`Pod's` IP address isn't translated. For more information about a [.noloc]`Pod's` `hostNetwork` setting, see https://kubernetes.io/docs/reference/generated/kubernetes-api/v{k8s-n}/#podspec-v1-core[PodSpec v1 core] in the [.noloc]`Kubernetes` API reference. From 26a3410f751263780c50a4d2fc974ad65a845aed Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Wed, 5 Feb 2025 00:06:19 +0000 Subject: [PATCH 098/940] Merged from pg-cloudwatch-recipe into mainline. --- latest/ug/observability/cloudwatch.adoc | 328 +++++++++++++++++------- 1 file changed, 234 insertions(+), 94 deletions(-) diff --git a/latest/ug/observability/cloudwatch.adoc b/latest/ug/observability/cloudwatch.adoc index ef815caed..ada31dd4b 100644 --- a/latest/ug/observability/cloudwatch.adoc +++ b/latest/ug/observability/cloudwatch.adoc @@ -16,113 +16,253 @@ Amazon CloudWatch is a monitoring service that collects metrics and logs from yo [[cloudwatch-basic-metrics,cloudwatch-basic-metrics.title]] == Basic metrics in Amazon CloudWatch -For clusters that are [.noloc]`Kubernetes` version `1.28` and above, you get CloudWatch vended metrics for free in the `AWS/EKS` namespace. The following table gives a list of the basic metrics that are available for the supported versions. Every metric listed has a frequency of one minute. +For clusters that are Kubernetes version `1.28` and above, you get CloudWatch vended metrics for free in the `AWS/EKS` namespace. The following table gives a list of the basic metrics that are available for the supported versions. Every metric listed has a frequency of one minute. -[cols="1,1,1,1,1,1", options="header"] +// Match format of SQS and SNS documentation: +// * https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-available-cloudwatch-metrics.html +// * https://docs.aws.amazon.com/sns/latest/dg/sns-monitoring-using-cloudwatch.html + +[cols="1,1", options="header"] |=== |Metric name |Description -|Unit -|Metric dimension -|Metric type -|Source [.noloc]`Kubernetes` metric - -|`APIServerRequests` -|The number of times requests were made to the API server. -|Count -|Cluster Name -|Traffic -|`kube-apiserver :: apiserver_request_total` - -|`APIServerRequestsHTTP4XX` -|The number of API Server requests that had an HTTP 4XX error response (client-side error). -|Count -|Cluster Name -|Error -|`kube-apiserver :: apiserver_request_total` - -|`APIServerRequestsHTTP429` -|The number of API Server requests that had an HTTP 429 error response (too many requests). -|Count -|Cluster Name -|Error -|`kube-apiserver :: apiserver_request_total` - -|`APIServerRequestsHTTP5XX` -|The number of API Server requests that had an HTTP 5XX error response (server-side error). -|Count -|Cluster Name -|Error -|`kube-apiserver :: apiserver_request_total` - -|`APIServerRequestLatency` -|The average amount of seconds taken by `APIServer` to respond to requests. -|Seconds -|Cluster Name, Verb -|Latency -|`kube-apiserver :: apiserver_request_duration_seconds` - -|`APIServerCurrentInflightRequests` -|The number of requests that are being actively served. -|Count -|Cluster Name, Request Kind {mutating, readOnly} -|Saturation -|`kube-apiserver :: apiserver_current_inflight_requests` - -|`APIServerStorageSize` -|The size of the storage database. -|Bytes -|Cluster Name -|Saturation -|`kube-apiserver :: apiserver_storage_size_bytes` - -|`SchedulerAttempts` -|The number of attempts to schedule Pods. -|Count -|Cluster Name, Result {unschedulable, error, scheduled} -|Latency -|`kube-scheduler :: scheduler_schedule_attempts_total` - -|`PendingPods` -|The number of Pods that are pending to be scheduled. -|Count -|Cluster Name, Queue {activeQ unschedulable, backoff, gated} -|Latency -|`kube-scheduler :: scheduler_pending_pods` - -|`APIServerWebhookRequests` -|The number of admission webhook requests made. -|Count -|Cluster Name, Admission Type (validating, admit) -|Traffic -|`kube-apiserver :: apiserver_admission_webhook_request_total` - -|`APIServerWebhookRejections` -|The number of admission webhook rejections. -|Count -|Cluster Name, Admission Type (validating, admit) -|Error -|`kube-apiserver :: apiserver_admission_webhook_rejection_count` - -|`APIServerWebhookLatencyP99` -|The 99th percentile latency of external, third-party admission webhooks. -|Seconds -|Cluster Name, Admission Type (validating, admit) -|Latency -|`kube-apiserver :: apiserver_admission_webhook_admission_duration_seconds` + +|`scheduler_schedule_attempts_total` +|The number of total attempts by the scheduler to schedule Pods in the cluster for a given period. This metric helps monitor the scheduler's workload and can indicate scheduling pressure or potential issues with Pod placement. + +*Units:* Count + +*Valid statistics:* Sum + +|`scheduler_schedule_attempts_SCHEDULED` +|The number of successful attempts by the scheduler to schedule Pods to nodes in the cluster for a given period. + +*Units:* Count + +*Valid statistics:* Sum + +|`scheduler_schedule_attempts_UNSCHEDULABLE` +|The number of attempts to schedule Pods that were unschedulable for a given period due to valid constraints, such as insufficient CPU or memory on a node. + +*Units:* Count + +*Valid statistics:* Sum + +|`scheduler_schedule_attempts_ERROR` +|The number of attempts to schedule Pods that failed for a given period due to an internal problem with the scheduler itself, such as API Server connectivity issues. + +*Units:* Count + +*Valid statistics:* Sum + +|`scheduler_pending_pods` +|The number of total pending Pods to be scheduled by the scheduler in the cluster for a given period. + +*Units:* Count + +*Valid statistics:* Sum + +|`scheduler_pending_pods_ACTIVEQ` +|The number of pending Pods in activeQ, that are waiting to be scheduled in the cluster for a given period. + +*Units:* Count + +*Valid statistics:* Sum + +|`scheduler_pending_pods_UNSCHEDULABLE` +|The number of pending Pods that the scheduler attempted to schedule and failed, and are kept in an unschedulable state for retry. + +*Units:* Count + +*Valid statistics:* Sum + +|`scheduler_pending_pods_BACKOFF` +|The number of pending Pods in `backoffQ` in a backoff state that are waiting for their backoff period to expire. + +*Units:* Count + +*Valid statistics:* Sum + +|`scheduler_pending_pods_GATED` +|The number of pending Pods that are currently waiting in a gated state as they cannot be scheduled until they meet required conditions. + +*Units:* Count + +*Valid statistics:* Sum + +|`apiserver_request_total` +|The number of HTTP requests made across all the API servers in the cluster. + +*Units:* Count + +*Valid statistics:* Sum + +|`apiserver_request_total_4XX` +|The number of HTTP requests made to all the API servers in the cluster that resulted in `4XX` (client error) status codes. + +*Units:* Count + +*Valid statistics:* Sum + +|`apiserver_request_total_429` +|The number of HTTP requests made to all the API servers in the cluster that resulted in `429` status code, which occurs when clients exceed the rate limiting thresholds. + +*Units:* Count + +*Valid statistics:* Sum + +|`apiserver_request_total_5XX` +|The number of HTTP requests made to all the API servers in the cluster that resulted in `5XX` (server error) status codes. + +*Units:* Count + +*Valid statistics:* Sum + +|`apiserver_request_total_LIST_PODS` +|The number of `LIST` Pods requests made to all the API servers in the cluster. + +*Units:* Count + +*Valid statistics:* Sum + +|`apiserver_request_duration_seconds_PUT_P99` +|The 99th percentile of latency for `PUT` requests calculated from all requests across all API servers in the cluster. Represents the response time below which 99% of all `PUT` requests are completed. + +*Units:* Seconds + +*Valid statistics:* Average + +|`apiserver_request_duration_seconds_PATCH_P99` +|The 99th percentile of latency for `PATCH` requests calculated from all requests across all API servers in the cluster. Represents the response time below which 99% of all `PATCH` requests are completed. + +*Units:* Seconds + +*Valid statistics:* Average + +|`apiserver_request_duration_seconds_POST_P99` +|The 99th percentile of latency for `POST` requests calculated from all requests across all API servers in the cluster. Represents the response time below which 99% of all `POST` requests are completed. + +*Units:* Seconds + +*Valid statistics:* Average + +|`apiserver_request_duration_seconds_GET_P99` +|The 99th percentile of latency for `GET` requests calculated from all requests across all API servers in the cluster. Represents the response time below which 99% of all `GET` requests are completed. + +*Units:* Seconds + +*Valid statistics:* Average + +|`apiserver_request_duration_seconds_LIST_P99` +|The 99th percentile of latency for `LIST` requests calculated from all requests across all API servers in the cluster. Represents the response time below which 99% of all `LIST` requests are completed. + +*Units:* Seconds + +*Valid statistics:* Average + +|`apiserver_request_duration_seconds_DELETE_P99` +|The 99th percentile of latency for `DELETE` requests calculated from all requests across all API servers in the cluster. Represents the response time below which 99% of all `DELETE` requests are completed. + +*Units:* Seconds + +*Valid statistics:* Average + +|`apiserver_current_inflight_requests_MUTATING` +|The number of mutating requests (`POST`, `PUT`, `DELETE`, `PATCH`) currently being processed across all API servers in the cluster. This metric represents requests that are in-flight and haven't completed processing yet. + +*Units:* Count + +*Valid statistics:* Sum + +|`apiserver_current_inflight_requests_READONLY` +|The number of read-only requests (`GET`, `LIST`) currently being processed across all API servers in the cluster. This metric represents requests that are in-flight and haven't completed processing yet. + +*Units:* Count + +*Valid statistics:* Sum + +|`apiserver_admission_webhook_request_total` +|The number of admission webhook requests made across all API servers in the cluster. + +*Units:* Count + +*Valid statistics:* Sum + +|`apiserver_admission_webhook_request_total_ADMIT` +|The number of mutating admission webhook requests made across all API servers in the cluster. + +*Units:* Count + +*Valid statistics:* Sum + +|`apiserver_admission_webhook_request_total_VALIDATING` +|The number of validating admission webhook requests made across all API servers in the cluster. + +*Units:* Count + +*Valid statistics:* Sum + +|`apiserver_admission_webhook_rejection_count` +|The number of admission webhook requests made across all API servers in the cluster that were rejected. + +*Units:* Count + +*Valid statistics:* Sum + +|`apiserver_admission_webhook_rejection_count_ADMIT` +|The number of mutating admission webhook requests made across all API servers in the cluster that were rejected. + +*Units:* Count + +*Valid statistics:* Sum + +|`apiserver_admission_webhook_rejection_count_VALIDATING` +|The number of validating admission webhook requests made across all API servers in the cluster that were rejected. + +*Units:* Count + +*Valid statistics:* Sum + +|`apiserver_admission_webhook_admission_duration_seconds` +|The 99th percentile of latency for third-party admission webhook requests calculated from all requests across all API servers in the cluster. Represents the response time below which 99% of all third-party admission webhook requests are completed. + +*Units:* Seconds + +*Valid statistics:* Average + +|`apiserver_admission_webhook_admission_duration_seconds_ADMIT_P99` +|The 99th percentile of latency for third-party mutating admission webhook requests calculated from all requests across all API servers in the cluster. Represents the response time below which 99% of all third-party mutating admission webhook requests are completed. + +*Units:* Seconds + +*Valid statistics:* Average + +|`apiserver_admission_webhook_admission_duration_seconds_VALIDATING_P99` +|The 99th percentile of latency for third-party validating admission webhook requests calculated from all requests across all API servers in the cluster. Represents the response time below which 99% of all third-party validating admission webhook requests are completed. + +*Units:* Seconds + +*Valid statistics:* Average + +|`apiserver_storage_size_bytes` +|The physical size in bytes of the etcd storage database file used by the API servers in the cluster. This metric represents the actual disk space allocated for the storage. + +*Units:* Bytes + +*Valid statistics:* Maximum |=== [[cloudwatch-operator,cloudwatch-operator.title]] -== [.noloc]`Amazon CloudWatch Observability Operator` +== Amazon CloudWatch Observability Operator -[.noloc]`Amazon CloudWatch Observability` collects real-time logs, metrics, and trace data. It sends them to link:AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html[Amazon CloudWatch,type="documentation"] and link:xray/latest/devguide/aws-xray.html[{aws} X-Ray,type="documentation"]. You can install this add-on to enable both CloudWatch Application Signals and CloudWatch [.noloc]`Container Insights` with enhanced observability for Amazon EKS. This helps you monitor the health and performance of your infrastructure and containerized applications. The Amazon CloudWatch Observability Operator is designed to install and configure the necessary components. +Amazon CloudWatch Observability collects real-time logs, metrics, and trace data. It sends them to link:AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html[Amazon CloudWatch,type="documentation"] and link:xray/latest/devguide/aws-xray.html[{aws} X-Ray,type="documentation"]. You can install this add-on to enable both CloudWatch Application Signals and CloudWatch Container Insights with enhanced observability for Amazon EKS. This helps you monitor the health and performance of your infrastructure and containerized applications. The Amazon CloudWatch Observability Operator is designed to install and configure the necessary components. -Amazon EKS supports the CloudWatch Observability Operator as an <>. The add-on allows [.noloc]`Container Insights` on both [.noloc]`Linux` and [.noloc]`Windows` worker nodes in the cluster. To enable [.noloc]`Container Insights` on [.noloc]`Windows`, the Amazon EKS add-on version must be `1.5.0` or higher. Currently, CloudWatch Application Signals isn't supported on Amazon EKS [.noloc]`Windows`. +Amazon EKS supports the CloudWatch Observability Operator as an <>. The add-on allows Container Insights on both Linux and Windows worker nodes in the cluster. To enable Container Insights on Windows, the Amazon EKS add-on version must be `1.5.0` or higher. Currently, CloudWatch Application Signals isn't supported on Amazon EKS Windows. The topics below describe how to get started using CloudWatch Observability Operator for your Amazon EKS cluster. * For instructions on installing this add-on, see link:AmazonCloudWatch/latest/monitoring/install-CloudWatch-Observability-EKS-addon.html[Install the CloudWatch agent with the Amazon CloudWatch Observability EKS add-on or the Helm chart,type="documentation"] in the _Amazon CloudWatch User Guide_. * For more information about CloudWatch Application Signals, see link:AmazonCloudWatch/latest/monitoring/CloudWatch-Application-Monitoring-Sections.html[Application Signals,type="documentation"] in the _Amazon CloudWatch User Guide_. -* For more information about [.noloc]`Container Insights`, see link:AmazonCloudWatch/latest/monitoring/ContainerInsights.html[Using Container Insights,type="documentation"] in the _Amazon CloudWatch User Guide_. +* For more information about Container Insights, see link:AmazonCloudWatch/latest/monitoring/ContainerInsights.html[Using Container Insights,type="documentation"] in the _Amazon CloudWatch User Guide_. From 4bb548013d4113055718b75c5633e4f596ff3ab1 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Tue, 4 Feb 2025 18:19:30 -0600 Subject: [PATCH 099/940] Update platform-versions.adoc fix blog link --- latest/ug/clusters/platform-versions.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/clusters/platform-versions.adoc b/latest/ug/clusters/platform-versions.adoc index 1dcc7d97a..7660b77e9 100644 --- a/latest/ug/clusters/platform-versions.adoc +++ b/latest/ug/clusters/platform-versions.adoc @@ -70,7 +70,7 @@ The following admission controllers are enabled for all `1.31` platform versions | `1.31.2` | `eks.12` -| New platform version with Amazon EKS Hybrid Nodes support and enhancements to control plane observability. See <> and see link:blogs/containers/amazon-eks-enhances-kubernetes-control-plane-observability/[Amazon EKS enhances performance observability,type="blog"], respectively. +| New platform version with Amazon EKS Hybrid Nodes support and enhancements to control plane observability. See <> and see link:containers/amazon-eks-enhances-kubernetes-control-plane-observability/[Amazon EKS enhances performance observability,type="blog"], respectively. | November 15, 2024 | `1.31.1` From c0f4d7c6925edeef7f611635449e82341b6429f1 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Tue, 4 Feb 2025 18:31:29 -0600 Subject: [PATCH 100/940] Update update-cluster.adoc add link to update cluster --- latest/ug/clusters/update-cluster.adoc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/latest/ug/clusters/update-cluster.adoc b/latest/ug/clusters/update-cluster.adoc index bc387b6de..b2b577c6f 100644 --- a/latest/ug/clusters/update-cluster.adoc +++ b/latest/ug/clusters/update-cluster.adoc @@ -92,6 +92,8 @@ kubectl edit configmap coredns -n kube-system -o yaml == Step 2: Review upgrade considerations +Review the https://kubernetes.io/docs/reference/using-api/deprecation-guide/[Deprecated API Migration Guide] in the Kubernetes docs. + * If you're updating to version `1.23` and use Amazon EBS volumes in your cluster, then you must install the Amazon EBS CSI driver in your cluster before updating your cluster to version `1.23` to avoid workload disruptions. For more information, see <> and <>. * Kubernetes `1.24` and later use `containerd` as the default container runtime. If you're switching to the `containerd` runtime and already have [.noloc]`Fluentd` configured for [.noloc]`Container Insights`, then you must migrate [.noloc]`Fluentd` to [.noloc]`Fluent Bit` before updating your cluster. The [.noloc]`Fluentd` parsers are configured to only parse log messages in JSON format. Unlike `dockerd`, the `containerd` container runtime has log messages that aren't in JSON format. If you don't migrate to [.noloc]`Fluent Bit`, some of the configured [.noloc]`Fluentd's` parsers will generate a massive amount of errors inside the [.noloc]`Fluentd` container. For more information on migrating, see link:AmazonCloudWatch/latest/monitoring/Container-Insights-setup-logs-FluentBit.html[Set up Fluent Bit as a DaemonSet to send logs to CloudWatch Logs,type="documentation"]. ** Because Amazon EKS runs a highly available control plane, you can update only one minor version at a time. For more information about this requirement, see https://kubernetes.io/docs/setup/version-skew-policy/#kube-apiserver[Kubernetes Version and Version Skew Support Policy]. Assume that your current cluster version is version `1.28` and you want to update it to version `1.30`. You must first update your version `1.28` cluster to version `1.29` and then update your version `1.29` cluster to version `1.30`. From 4a439554f0dd8e0f5dfaf8fa2e2d3003df9787ea Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Wed, 5 Feb 2025 19:51:57 +0000 Subject: [PATCH 101/940] Clarified previewing GitHub builds. --- latest/ug/contribute/pr-preview.adoc | 17 ++++++----------- latest/ug/images/contribute-preview.png | Bin 800938 -> 576012 bytes 2 files changed, 6 insertions(+), 11 deletions(-) diff --git a/latest/ug/contribute/pr-preview.adoc b/latest/ug/contribute/pr-preview.adoc index 7164258c6..6620e1812 100644 --- a/latest/ug/contribute/pr-preview.adoc +++ b/latest/ug/contribute/pr-preview.adoc @@ -1,22 +1,21 @@ [.topic] [#pr-preview] = View a preview of pull request content -:info_titleabbrev: View PR Preview - +:info_titleabbrev: View PR preview include::../attributes.txt[] -The EKS User Guide GitHub is configured to build and generate a preview of the docs site. This preview doesn't have the full {aws} theme, but it does check the content builds properly and links work. +The Amazon EKS User Guide GitHub is configured to build and generate a preview of the docs site. This preview doesn't have the full {aws} theme, but it does check the content builds properly and links work. image::images/contribute-preview.png["GitHub comment with preview URL"] This preview is hosted at a temporary URL by {aws} Amplify. -== View Preview +== View preview When you submit a pull request, {aws} Amplify attempts to build and deploy a preview of the content. -If the build succeeds, *aws-amplify-us-east-1* comments the preview link on the pull request. +If the build succeeds, *aws-amplify-us-east-1* adds a comment to the pull request that has a link to the preview. Choose the link to the right of "Access this pull request here" (as called out in the screenshot with a red outline). If the build fails, the repo admins can see the logs and provide feedback. @@ -35,9 +34,5 @@ The preview is built as a single large HTML file. It will be displayed as multip *What doesn't work:* -* Links to other {aws} content, links with `type="documentation"`. -** This content doesn't exist in the preview environment. -* The variable `aws` will not display properly. The value of this changes based on the environment. - - - +* Links to other {aws} content, using `type="documentation"`. This is because this content doesn't exist in the preview environment. +* The attribute `{aws}` will not display properly. The value of this changes based on the environment. diff --git a/latest/ug/images/contribute-preview.png b/latest/ug/images/contribute-preview.png index 495e9a2232c9122f328f1acef386689f767393fb..16e971f169761f92f651925266ef63f9505a6a9d 100644 GIT binary patch literal 576012 zcmdSBcUV(d+b)heBX-7$f*2J95rsiOIFh7V|xWz(L`fXBovcj9LZYfpX)8* zF_64^dL-Fg-)o&@o`1VOfOo9ce)`+spKpmre_H&%4DXOyXY|kE`y0+m$^3J8OzM{p z8~!=0C-wj4t>cqT*4?kVVy+5{GgDEW&T70%yV{gu2vfv*t%nEX>(OC&l%{R5J zVXrPt;!zN2jPT#QkY>}fs-(uwDlI_t;s+u7P5@zjz+pb*aM2!uYQ8c!R>bfwcFzN4 za+(T^{_UOq>q|iQMKXR}mh#JWGKr7&huN9?62t8`ek+(KGNilq|0)l2B}N-)=O1}J zk}Asfxms&*`+@Mp#_0*)&Rk>+b#yw*@!!n$fB(t)5wr%0XcfZh)+MH7X~`Utj(H2I zqp*kHLYkDeSE-%p=N65-~y*CjFy(E&eG+3e~&xc4J1tq3gx#%Bm~l z+4CND#`lL>21Yd)AGiK{4gI%VtH$Ub73oI7yXrcQ&$+A7htWLE`?mq2s9{Jm>~1c zZ@*aCkdehXF&uF6#}@3E3vIgR(KGM*6H!hz|4e>gp7vu_Am)7+qwvFgM?&^BKTuCw zwnI>ma)41?$&R-1I`ERR|K8$%wo}QJaTy}j75$vWt>q^JP58)r;Vz>WrcG1(iXqy! z#x8pRc4=j!x;CCOgJFKmmj#sA|6uw5E!Pce;aMYQih6c=IhWh4l4=;_Oybb4YSsLd zAe;#jwm4Jiz7sivC=MkKr8IaThD{l}8~*Em|C3Olb+nrN5ytPmWG3+W`fjf77?mzi>)Onbi7pAaha zWXxj}UU)&SpvI>|5Mo(h$Cr!Dz6C!xM=hD8H2jd?O4eeH!r*74w)GzV)NW^6lD(Gc znGc#Kg%o($4egsw5j1uszjLx{$P(oFz#pXqEtngGdK3+*uh@A^&}OaeMG1Mw(=4LP zm?Sr|rCQZ|pOrHVXb?{$kVvSM`2iCb=Lxe5TsHGjT65N_`HS=zQ)9iKwIgMJ&n*~^ zO6agG4&B9>G__iyY8bT8C1wLR&S*}=KTNi}%P4za`R1yXq4gANZYoXZiV zy$a;IC6VT)RHi<~k=QQXa)}u3wB2opSo`#2A1%{S3kW+VeQ4eL8Xun~7hqHls)StFrVAgwqj^V8b8#Ewy1fbF z;OB-wt+ul#U>AC7KzOtRTUVOP(QA=7i-Y;C{z9%#VExuU z+E2Eyid1%dpEWk!{6tOs`ssQLRUL#&q~VG0f#|$b9x}a{H^d|tztS9aYx2%C?NW`F z(?E%4f2MhJeTt1a!a}Z4>l89iui(Ar#^EXT9}>ap2*e{E+7Vjgzet~Kr+q&zjM;YZ zl*@O;g5iS+BWGI^c9TMO2T$HKW=JR559O4|`(0Nvq&LOMUzu*p$Z7KsB%@IuvP+5R z4k^b`YvFWvN{~f&0sA1b4yTF_&R@6#q@cL}qZRzcQh@pxbfCUvkY?ptQg#V@s9pSF zXA=9Dn1`)-!J~EhmA?K#hmwjUD{WHOy;w<3@bxy2cGU|c4q@!KxD?Q&F$G4AfIWk4 z5Yp#Coh(4D>yU1y;C?WM?-7vBgI=-ldrI0W(d!+L<_D?qde6?JtQ}bFSn$a<2-i0Z zS#>Gps5CAm_seEdY)x3bm|+{n)5)r}k19ffo>|am%Y)$l_tz4;rlYfhQu|VBE(#ny z8hv03-{9dbRVwC`+pxpT*;})80~9)78LLRy(Tx* zrH0t6YiAEXO;ZLR2?%o^Z93@MP>8f7N?JlP($&?o@x~?*1)vwS;W4 zSnm5n{sQh^30*L9=cm0DRI;IF>CldcOX^$Khe?0-d$Wi7<^fp&x}$rrC^N8kyY8*} z%}M<)=J(^m=Q90>aN4S&P_DO8^Oq1g|F(PN7|1p4pvgApBWwt?>*-#Cq45K zen{Hy$EKpiBx_E?2Wo%~fIDcH3@vVres|!f#U1xUuQQu$3;=&b_i_3*SsY^+Hm#f> z-!S}Z0@<0bL)T#0qcb^zu?bK;|NU2ejS|t^#*V=SdQ~C3_akyKjky&@xGQ!8qpN=i zXvJtIN#CEPC9c#E$8dCazM>L8-e}lIYqNb3Zgv<~N&l!(q(+?)ZslOLM}@xieE9_38tvxv#=DWj zPYi_~)E&6Bb7zDW2@l{UF^jHrlEWEp*^ilYD9}#Vb{HjjO+XWc3C-lqGbr<=gLKO3 zv#58vo%d_kWnSUj$*$&Pei=0zs-I-g+m@4Mz6#68{({ z6mSLG$>?>hbEuCeHfBfjO9H*Az!s4WI4I1YfBGYW1HSMbC7|QMMvk8Y+bTh7n^m!|ipW3tX?C)xK`Jjky(zwdD z%;qYCi5ad=nKZ8LoEDmFD0EPkAnpd1DOf2w3|=<&pFpi!&J(JP{3lxTCy@rL7%bvd zK{9u|)`_)IY{G$x;#&z2R|jzO41%j3h}_kyI+KG&o?t~;!oouax+w@9V~;hwy}n67 z_%j1%#LH1l>h?FbA@&_-GDf2k*5vDY!+QI{x}}C;>$3ECmBh_B-XnB>auAU^LrsHE zp6xAy^hGTO1C<624C#jbQmI- z(&G=zPZZ3T?v_EO{!#JFr?BOMB!G9QpFEa1lDp*TSIo?AJ9orc6tF=f4ro;J4PDK@ z>HGcE%7*?JVFgwdNm}cdsq+?1ubdN({)nh!gpO~a^r+bYO=b?g2{pxZ6Dv*Kz}(F zxhiO{rzSk_Sjy113Mr)pXESM^X@eC*4Ec?JC~{SPEJ?zR;wUIuDq;kMtC*D05-TD$ zjUGdofyamVR*d5UY4P+7=2fhe+Yy7b&>PnG2R`br$Q!E3Qlng_6m-uYwBr`_^{0@t z=L=3{N4yR={DeJz!>PWFsG9V-RsYVx>k}J^$msFfO0|`uF(+VX=7FuxR`KxJu$N%J ziO}Gt7*_iu5l37n>N;>2=zJJ@4fG@8&VgR{oYmV!^<0P}`1G)w%sQj?WK8$Y<_E`C z6hi9O4LtmAtC~DxP=e;jt2$!6f#K`b(A2ltE8YfAm@`-PG_VWIOXh@{eFIPWric%urj2~VCVz$Q{Iq*r(<}4mriF+#OGCpr^b2GN z>$#ibi7$-6m?&pA8N|RM!7rsl*QbZL?wp+e*G2rZ2xR0$7@}!*vW+@U)~g#}g|4JE zj9}(hDYzO@?04Sek2t{+#uW(N21@KFvsqXaf%6jhnl{3sTju8jrZAgE6HZF}ciPqx z{Zh$t7e=3MuS)k;v~b6Bs}rlVLrk~!Tq;c5L3xX7|CF1OB#`H55J0_}Q><2K7_;6^ zT;G_uyd%aCyZ_0=O65FewOQ2fPSi-)fFaup?DRwKh>!4tio9$_vEJeU zL93lWw1z#iEbWFjcRwBkCI5hefe?|6zdNX=4~&C@CZQtEO}>R^Sw&@R516Fi!JvKK z_5K0Wv$MoAPoCn>&yCu~FWiHC3^j68be!H6mNS~Nc4!whH`hrzPTpN_*dT?b-K`os z<)venotEtqY#rCO{o45;W)^(%)vt5p%2kLFj;P z2k-KS6!>bHH(AB6^=EhMSxsC}heW9>*vlF6I(lF3Yx6dzKfPEOnm3U6RFvH&@6ext z4|p)0(&I1@d0gIWu}Vctxt4(h{`b2z|9$KM;dBIDG5yFacXk z9H@c2)Aw#jk|{9R-!}JJlr~GV{vkwI!jwY2J5w&sm}SgZ?`XwV(we0aK$drkf>3@2 zs8kBSBMBZi!OOAFfer_HIbY4y!$rs9o5L*Ob&%7RzTV2#s$(XZEvql3T4-c%XjkVJbHFXqEuGqoY!@KP`N}@0U)rtOS&^~@)0f@ zUm?8|Dc~`lH&%;}i!xn+A4DcU8Cj8KOfk+f1?D>cV3JKmoQb-q6M>9G5lzpa5 z60XDXoL-s4q=)ciEeFW+xsF)*Y}KCBcCz6>Sk)zCUv%d|?hx1B9C35*fEgVkJOS%j zOyk+8d(*oPZ5watfaqRz0NmB%yvk@bcoUo^c}-`BQ9BoZzYc<{g?bxYzLlRu6J@}qf(1rw6H)u2ISP)5dpa@J|&rxfq_73M(^44#4AOm)vq97xKxyi$KX-!Rs_Eb)3` zO(yIQ^T~vh3A*{@ow}DwmXy6qDgzYf7t;c5Ogj3&+a7db#uAo0i;@={2J5;04Bi}a zR}2pP5o3_l+Hz1-2#SCJOkUxtPG_!FacQ7l$RvqYbu|^Z5h;>U1M<~UJXuG*l2?Bt zNDt=c44AB5N*VEP9`8|AR(R{X>J|6UuP3b4@*RhrS$PWo z-Xk*V@dLQ1OI1Q6+?Z(!hKR~Gc@2ATv5bSC(<`rzII}{gM!$N>HS5qF#oxCT$VUSD zpd}R!{}IapOGYr-UC(_o#C0w}pOb*s3$`Wta>uP_P!Ze)aOhB`n|QI)O?>y*H!Itz zoLeCVBV@k3`gloHAcAtAwHB}tdM5?JrKUUpk*XP`kS9#DU z_}ze;?iXB7*zRp$z1_g_#w}upAz1`D>|*-M#L8a1UyySC!n&oq;yh7)=dgY~)X#wz zxh3@Vl4%0Rg$z>QyjH!Ltbz@fnY1#IV2R`=E*9B%c?;+ij1Ktmn?3&X;RQEHU#Rzw zWMUGSlUMKqkJ=+)nbYtPZ?Pl-FfklbHBFRR17*j(UB%Kzs;0%)ot=yzlKXMRwihx?{v0Kdt0%4_4NA~MKj}-E}g!zfU}Fl zfomQ!Zf1CR5o9WAJA(qr4%Wr7{B;*&z4K$v4tC+31+rS8C4~i!P*~J6zT%r}x+38Z z#eUY*ap8!^dzx|PYOe{ERo+a2ApI$zQi9Xl#k6Byvd4mJ)x~>m!^|>p4YqeABtjXc zMQvbzEIhm`V_&iNvFVo%6@AIKv(@tZE}ph?mviU|o*f$ejkI)``(1m~rDy+>__a(5 zyrv(#!zzw|;E@?SPAm;}X{gbWM1Je^Q|fKJ2S@US`hcFIZ}YchElQq5E38$a?wub| z02J&JB0)tXm?1|+ddbWf3EocTvd9op{B|mYpJrJO9K<06_6*Dl>jl6#feX6MFR5=J zopih+g$;hTdbKLAAnJNWuuoK2QSigpQ9k5BSY_VzOue+*Ge_x7#RFJ2baCJ<~WCsI&T>IYe#a5!Hc zx1*8o?7P5H`Z6CX;X^p;VeuY;j3LmUDnyeyLucx5rM^l)#`Xihx$^J18{dN6?a+?v zUUwTJTpY(syGDQQMoj8|Wf&rZCl>Kb-QD?1GfxbJ%8Qx)HXZ%houU{HYmvH?xi;xJ z$6X{pV7r0k^AcM&8>f+0Xarn0{eQr+zlJz*rHF80*(=h-2k7x+^4N`hcd;88M>P}h zCjIj?#ka=|U}8d_WmLzU1qG`dn4AVF>KJy;8Jjt3o_|u+4!Jif2Pu@KqA#4 z_LGeQM1kPnP`BCWsT?bR$@C7PrOrmU`Y6vgK^OI&vvGNCfIs&!FdH5cMQNoCE=5Y- zeUknI$)pijcu6Mg9_lT&S<|imp-}Ag5mPD*;3E$(aqnfsfvt0x>U7-5E754qNI6i8 z5S&t}Mu4zs5j&9MXw~_d-qO(N^hN@Pv&tq{w>EF5&MA3B)zw__4UTh(%d5CU)3h~r zPNLXaE2M z(1jsS!7h1nxcH@_6q!&aDnz{_*Ca+4c=wJxM}g8&>;;rORl2r@GV?F6!D7XE;xdGI z_=j`^99wO5O|wiQB06!O>(7K-@sj99<|r@$HdEk&P;bBo{BZj@6{A!=T#YR$T`I^h&nvIft7c} zayHulUAZ(q(B2sa5A7hLs^7tD0&M{A>B*UwtArRt(`(VoI@pBhv;TDTFDV7O*O;hE zH?!fd)g&63$y?`DE?V&C-oXjxxRICruv{#Mg%rv3fVpg};D^GTbt7~(OjIeM0x{4K z4Kd?6h2=3&4JG>4a=n-$K3?BHP?Tv*p}|@ixn&AzO1>F5IiZO~PT4(!RZ`%7|BBET zc9u2yH{C7AuUmv|`aUGR2eR-^V|_%;p^8ukR#;MBid7}sz&!mnKFn*`ic%z#c8N}s z^Z%x2(h*JxTl8+KkkkW9ci;kKGe+|Qg4(&^>jy)=VC%hwMmcf7-^wKou2ai4e;^Y`F@-H0 z%TM8wy>b&hd)+ik#2`Ab8_|%(Ii2W88)tlT9{$?;EMlCzoMBp+n0b5AxxT!Qg&6WR zG!X{OfA(LwNYCMTCFss(0p2p=RK94nA?I574R64>u9`~`X&xpsF^ym`Bb|e%%Tebh zC)R4^q!;VwpaQ-lGi?9>k%GDZR`Y*Q?ON3g2l9e;{f-xS(E|fzP5bL$#GAwoToRvL zjU!?@B}^nB3l8{;hgW!Khlf}EOHR)T8>2yay8lUSvOO!5Lz=+`5?#Yf&0SUV`%*U( zH;VoE*s8Yl%yp#o$d;cc;+-IcFf;Xcy1oU33ZTEWcgjL;`e5PxrTun zT*p*E;Z_clk}>V6A8S&>$q+s^?vnPw>O< z*IO3u^}Np=$i5KAR9CT$(iuSt-|6*koWy zayJurQO?lQLUuGs`vOb}K4z}Xaanj=xk!2?GSli4(8K(<+WY?(3JwA(uK&Y0li!S=NtvH!dl^nrWR7B)~x>sGJ$1yyn7tPgZ0l3z6HJl z*~f_2q)6(Z-?@4s&H2XZ4*d(#MY}R#`N=8F_$*G(r_jccw-qCV_Kx;Z!51EJ>5?yl<}V=kN4|{l7vEfc^dnUp^jcc%JXU`j z(AP}FQF28AI|NH+{CY0w=eaWoT&!TmM9kD-(ole}pyb}j80suM{a4>fA=xQ?Gxkr& z{7|6Q$#r8u8|~}ImTrbD`Mj=I9@syy`cb7MW+#gv_jzZFx5cXZ`J3GcNufKDp&P3m zau=};Up8O&I-Fq`9$b*$Ka|RAYyIEo*UY@+MB`kl28IY z@U1ARkNE;%e;aAT;55!T2VSoNMN_z=o5C{mSJpM{YVpp?p4&=|EE2!UuT(rA*)N@1 z>eB>AP{xzi<|^MOe!ELgfXJ|XD#;7xa{gNoO^D>?oK+pyz%vG6tF7bUVkcjo^9V}x z%BIye0^XJaL&KPIk)Q#Tv%~dxl5tfAJ0!WOn6N^|{7@J{PoO4u5HP3@&?(fwYSj!C z^S&2?opiC6)DuTQzXT}bt;h!N2Obtuy(z4ZjmB8qslAQZIsdBB?I58Y$ab)bmLgT? z072-mD34bau53f)YFtZtM-EG zpjVq?F&t%ZP~Fh;CjR0}|B~Wf|58igDDle`!3gcH!SRJUkfQ(XivUTcNpKm*#g@(& zfFma22Wvb@W%92C`~T*eVDCICVn;7_!+U5AYlhb_BkZ~&n2VSY-o|4)6l>~f8@%1T zdOX3mLFJZxHi?LikWDJrz&gXosqPMP7s5>@-I%z63sGMs>Ftl?vevl(avK=@feWX6gH(NH&V=%M+~7&eE<@ZEwp%_( zj|1%a?!X9mCr!|(Lxy`(Xb8~?>pi$es;&lwlR_0TfD+m#7w&%TG5Z@I+uO8(0qb>3Qubj}S9;ud~{$u0v$0m1|ZimWB!1A#MB5%9VtAV5<}$E0+|q(VWS= zB~PvuJ)0^DTIo|TA>Ooz{=Oi$a-?yqFLgA8Hxf$YOvutiY$~g1@>1WmA`h@?ctsWU&Tt698*{$slkzsszk2{ zUv#w87?=!&kf6s5Ylu(}m_EJzbj7%1N*9M;(uP89==GSw2}OvBYm#cmvBR8~Q3p+y zD}k4f-}!K4qS!~)q~F$+6lA}xVwSC0Reu}Y*&G!-dYpV+!Fi$9EO?&6!bc2U&TqhV zzweFAl%z=dHH-_Py6=4je?+pHdB5wn%v#Dct@ZPU1@l29-)LqDyjRN_S|(YSLz=p4 zPY{)Qqs)QP;1{-0?<7};lGRhO`LA81R!>s6>bozY7PZG1xd^#a`^s$Z_SKY?4^et_ z$S%2a*hVX|s~%R~zsZIS5AqWvqfFM80Dc7uq~M|8l1#Zn3G^D|b7b+gNkVUgo2tXu zve4#sY98WA`HpW1MV}F1J7Iud*w94BG$m3XC{y_hBf#NVggGNk3F`0;yW#aH306S6COji_@HeXb^Y|FfAkGl1$_%lHyHk}uml z_HzSAJ_oBLT9S@gaij@eprXFZI+XO&`(qc?5iTtblzMHZk~l9Q{W=NqGZH+W$P?N$ zVF=KE@Hne#wrd)5+hdqz!XtQAHx3KaZc!1F*ETNtn13=&jd8J4wneQ-9~Hd1b>kD! z^P?RyDo;83O#Rzlfe)gtRJXO(lvkfb!M2qxMVMYf0-CBVTr z=~2;QD*)5SjrHPqf;A>etmfJf4Ew7JCGYOlWf_KA(Lz|Y414UVsgC6u51<2rMnF`B z5jDe;m-oU*ceag(n_kX%{5@}l@M$eB-RjEmefY4{w?ybAe!VbRdVOw|#@0rPnq(6= z3@mEw6q4sF-xofzll{Q?oO?l0(nWuuyOjCHxA6a>_!DmO&nHmP(jzAZ-7~8q7LxReZa^ z3Tp&ctq%#Nf#n>YP&Wz8&cl|FHu`#Jq1Ba_;)FIQ^_{Kt9O$T{UzIIY1Z<&A=R@5z zfPH_&4Kx6%-ye2uh6+0JUkE5>pqlel4M`?c&I{<3q@1f?^|4Xeqk#cI=0&RKnl5Wc z#8p(gN1YnG8S#nn#_ZLp!jzhcI(AcEaE&qM3o-4ruXe~qc&}aoV!7ymB&qJ>!L=rN znI1%3{_GyqPHv-V&nZa=U_t}NC%R-rcArB3u_P5@V0|C9NxY%qUh5ZD%%TEom2_-G zb=DxkDK}!pQl|6gmOl#UC?X=u=ZYN1x+UUH=Pg-$IH<}tLxPBGDAE56fDUqta3EB= zSUT-R_6o_L;T|1F--Vsf(^=Ql*W0Nims_Qjxg8tNPIA~ujDKLBer-S@vHF1>F+4xO zpfzIq^milVo8Deb%bCEGgu`x*3d!2a=iE~puj8ETT>}=n>+R8-0dKrE7nFnP4oCAw zWSS=Ic|sKke}(ofX;I)Q!%Ltm4QJW2ozWWfLOgT|P_pzY zC?<4^e10g*6gucLo+}J}0jwRmgdjQvE@-j#>#jQI&LL zZyPKczxLB2W9xC}T)p+-9wALHZQoV==9a=4nz*JO92|H3(;0(XN@|lxW6R0mlfgEa z!gJB5rr#RcPe7R#q4?dPlT zBKb$e*OV`Eg!Z>92d1$`2V`S8%yGUDZjriZayvm4q` zmMbPieF_U>!}RadfJH7P_($|Mnk==O!B>ZaNPh!ViJGh+aDeM%%>JIM5!NbCTUCeY z-gPk-T}a2w2z!W~Xn`WIH(i4Se*`4qC~9Jft?{o! zRQQy2<&keV%zxJ3yRIqevQNhs@2CMov`pbc*2INFNvMD$7L}T*_Y_P%r{^QwnG@IC z@N%tNsk$)NyOe;Y>@5xIt`5ZXND0bQ1`o|3sH zVEsRg3-OxZBmvO6g_v0aaHrz>@N3Qcbbf9Gk_g+Iv5|JvdM`g0T|oF|3c}=6#1iLM zNX_I#Iu!M4i{GmQ)348ypiHz_5{-QXzJJu%Nh+kl=Ig`kivy&m-?VA}(O#pI6MWL6 z^5>N#1^IQ&tH13lcxh=*;TA-kN>He-uH5;Ov+^>!-kIlbe~1@xR>K8(BG`sex7gv> z%=l;>!|0~FHoTWq1OImEHM>aQ5f#Pg&V(;n(w29?Wc$4CAKgReE6U99mEbv-w#
        N& zQdpOl2KEOUZ>$h{Oz-_(nuoWC#e*^$6pK>5xISJ+kKC}L2#FEukKiZL5m zTbnN0@i!evjh%ewqQ26nMH->jFqsUkb1fMK(&JIbx(vLpS)Wi=WAO{$YIWebZ-M;T zj-2tQMk(AyLCuj;$4|%?;=2TaGQH{K5ccM-GtMCcS{|*X5gxWRHS^Xn!!QlA$Xn~0 zUdml{|D^dTXy|7<(OGF z%ZZjARLGDb2^#*5hzXs-YO8xV(=m*EuWYMcp*<5dIm32Df+bJ;t)dS&VN!hCG+?gn zzkhjCasl)yn6C&((i+ogF~N37PxNju?a@qqnJ~mEP4t=0JZ(4HK`Xg(?(M8JhFPt0 zZtj&!Q{q*Z&KUZ-MxT{S=d}%N`s9CaZcB8fqt=9Ni%zReyZy6q<85ia8fk*2<$umU z$wwotAx!dtVvI=rw5ev1oRg;Y*ggl?&t&$-5Om#Z@0 zzSO`ftMU#TKP0!Yt81PyhYdczxZzzAy)}W*9C1&*z~*3T<0eAQ@?|UT zE%y=BCB~1+KHBL<}XDu$zb@NPr@;i@&lEq&&wi)`=l2!_^x0T-DP-8K3Bc57@gVvBaim!;M{PaUv= zXv^uk0}dfsk(2tA6s2tEQyk_==+?i>`(DlUGJ{iTBiWStZKbi~8tv?pohrMW(||aU z4NcNRc(g=24aXMRttzS%5s^MdDvmGeW*yzTT$&wEOiigsRwIldm~+ z06Z?MK;Sicdr;q0#X`$}$6z#kYA)i!TqEXaNzR86G7z20z>aptP|r(k7W*JLf)to}gmd@C;bLCv>L@WD!yzQ?BU(7ws&nNV1Zmei~ z7y1fa(B9b|{79}4`s{Fa=kCo`_IOk262lN%Iej7rB&`VTpa=`#Yo(%qt7I3%-&=n|XX;@@>9a841FF=w9jWuH1;^ml%AIFj7V_ z+mP*eZ0kM?rYUG4=>+^~{@NeNh1$)-N9%OkF|!Z#LIO@|$S2g$H?_k&QtQ)i-zr^_ zucC(Ev6O?pyR2*K^~AS(Hc#^`nNrctSWNLcxEm6cXGrGfBN}=|0bRKdBF(r57Nb&) zhcw6GFmqpO4zymV{Es;wOsVlDd1pAY4@?<7lTFVysBu43Ti$NU%s%Yp{$Vbkw;?{k1W>BhRCD*@hf57i~ z<9}Q!*nU#OuJfUz=ZE+y_o&NdXx{Se8eaQodsV_ChCP0%_cmj6pZZp$E>sTGYX#0lb%cW)G3u(Zw#sDD)WTM`4uP8iv39+9AZM-4WfcPvZAHx+7lW?!VNesEG7GAeq@haJnF(< zIsv=V_?zoNFLj!1yCv(V3XK74Zk}iG=kJ|WF_wlohW5<(YLqviWbZ8=c!tZ_uAyTY zwD42fuYVpI{>ycL!}FlROTBI-nub&B&J4|c-F@kM7e>)>5AyR*?l1h=Pum{*q_*`N z&rN$r?=wa;yf00|qB2)4luxo96AI{OmK^ySgdxk+!i0Q;;)QB2aK28jM#{}x6^)QG zzFl}(F`~HQ7ljkH&)QQ{&}}lBC0Dfe6R2$ga)!S(p(c%fl2!PWjA?NQDE)o-vVmj& z?iD<{^2OzqbWT%_q+6wlTT7Ys*RfL74`$T(VvpRHmLhUkO?IrX#dRa%np#N;xzM9f zODo{eNu<;+eZu;QY5fF$JLsPNxd4>&9J;KhklD*?S^~ff2fZJ+teDd&Sc~6HD~ml(8*4*@r@)cq8E~_7BOEPLiLKave z6;>}?AP?9H^*2iSQW*oz{{0rL7H4NV(H=LT3RR{%)X%0=rljwEv=hLK6PX}e-A zi+&noUp=~=b^vc|uVB-E1{zxcr?uJ79+;oNL+Sn$2dMA@t0xw^s1~vKd+lbaa<}qk?v3UJ zB(_%#&fnr2%~!Me?_PjxYEp^-6BP7p|B`*98nvpj;jVBtFC{PQ@sX2l7*O_%Q<18; z;S@fMybQhLonKM;?5_q-dLkYk&~Ik%#rAo_c{f}E(aN9s(0#kM#bdd&fcdH)K<{ub4?C;|qC}#%xm?^{#nIX%H!4R=1I1JBo|A zUXgYFu3!iC^b+;+UD%CGv7E`!uG08zL!Tv`{PWlKh*ECJK?@yyF{7$^E#phcX!CS* z{%%LaD&2NPA-B{-XK1JeZEUvdm~Co_KCW$c_hjAMs{Y`v+v39>(}q;p7|df$&w38m zOaUfZPPAe55UV7XzCr3c9uiXvreVbOLmr+%Nw(W$>wTX0`FFL>u(!7+&c`a!Tx1Mj zjq{&TzyyBcx#kmVLR|X=k(IhO+M;HsV1=J^U1)9lcn08 zg;6v5h}Ab`kJ^l0(lPrOoXZLQP2L)>~C5z0)*b?BQ(iZyoQJd~DteJ#|&{1~*r z$Tc+t$FFi9*V_=5t#qm3*Mhb9;9Cpi8KzG`q~Jx@w54?+46ov?wc3#H@gb}A4>gFYj6{w_h>M-@&`>3LMfDe>sXBc>obl z^D!}Nh-M~J<|&jcRUSpD>7R3x_;KC6*1CYzdZjPGl41bACrbyMOJ2Ph?)eTjsR_0s z`M#*Y8yx@Zf0JW654zHqy!Kh;Q1{(xiqoM#MVa_Jo9VNr?RX16H{xx{&DLZEc6P6# zGX7WSz1jo09APd(d{KNdmL1!1l#`;pz1JgBfnQiU%Xs|)7xyklW3N0i%y^uAU_R;+ zY0V-mi(HdkMaS-&*@3IoBEAM}*853I$mo8(nml+qs8IlUHg&7hk8FM+PLukxt<$Ga z`;GzcEoS$LX_%D*GZPO`GT*$?Img@;vt$KE!qooIjVzyW3IVe4wvmh1Z-D2!DA|kZ z20E6@hcIsI#_o>c)`~D$k6C%3Mt0IX{11oEiAu+4b3YUEa(mr5iz%LJZ74BYL?>a$ z*5W?v@}h%MSO?c4V~?cx3PdsR7`8=5X{kC7 zs=f@3Qu5HTH8*U7{B=hTm|oS$!kr5>5nKIug(cAaL zCm;MN-%Rb0vofE)?1>MED%C$oZN5+|mzHNKM>g}*$u`!=5oLXXFyl^3YGupFmmc(n zZ|@aRV6*84sk)=#V0I`Ymd1ZzSc4}g2K-jM@oB(o!Rz@&vzxBLGp>mmr@UM4jNyTL zFtnK?jihIXc5am#i+hET8;Rywpb6JrPKTEUhozn*9V)kxwuvMrY_gM4t{zk=#3vBxdzjQQiZ zttZ8Gw+1s*rhAuPwOmn0=C6^{!=n;`rhpVMS9!a*cAvFpxrJPnb<6tiZv0%Il?bq? zs3T%Pl~K-dd=XvDv4$CnYz9n@S9|pL-k~)J9how6=;=GTL`#kr{$s`0TXDEbW!Cdw zPqLyJAIdvp$ZY`?XRsZYtWx z*(YohM~}%%Y^XrEm9Tmm9ES6zH$p+eO092CsLASw#Eh{HMS5xZTwj^PjZ?a2hG&l+c)Q4sEdC{H(rmIEk{-1xCoMaDEmeI>g5YoAVlN$9i?ov9quUY;$_q<*zxot z{HC^Q?$?k~ZCAGe!p{WuLGK;-mZxxcvtp53AvWDbkiP9>Oh}Q302yT@xqm6)?(J4w0c_`fhO&8YLdYjmPCaTu3GO8Vfq@ zBG#T_8M7+56Q?k}UAkFhOI?@3OusrSI(De1-XUVG9m^rWIu7 zes>i6M$_g17_df-fr-1-#0_rCO|ijNx<$?k)GIyr&Z@gLy-lf1$~ZlxG(A37E~-5C z<@jkZ3q7GS!?q@NSbMepa{7u9rVa8YIjJE_c~a)D?IXBKk*t5izsgPbp5?8E=z_qi z+i@Tykgs7mYR2DVh92>c;bg8D(?r>n22Ts#Xe4%&Umm(b(?KVG0rH-y914G(hXC)W zH!3BB7yEb^eXcE*($RV$S|D=pHqaoqNPT|Q$>(bwro}zA0tFpOE0A=3mFUpp zxza<3tjFDkj^4;p4qlO{-yxX$zCY(yf`LdFHDL6ovn;uW!Wg)1pJ^BJwM}GN{mN~{ z?HdQR55Z4J9xO4{x+vs5eFzc1;O7FZ=u1DbTEJzyhS`aPh#}pUD>6ol_uW>yus!i^ zt4Buy38$ttW(1HYIpK^0qEVJO$7JcL*>VLc`U*xcOke(#Nh=~ZO_5;c9UZOESGcfN z!b-zd+S@|bYD_en16ZJpMbx{Q4!t`z6+UwItH0z*KAw;6@OSFVv&yctwel!^a_;6q z$s;4~qWg+$tV&LUO4EHS(PoJKK;VK!s)A@RZ&)Kz>CZ?fwr2rMZ@1jqVV-jH_zJCH za;5@*h)f5WxPGjdgJL9Ognjnm|Ld%u84EWZPU@945r_W^V7hw&I3cM|EZDq)6=3fy zk&dyihp^w!(k8@91k9{oGt<|<*Ljq^Z+iH6kzGem365`n7g&v5wg#7=1C>|4-Ma=V zdKtBUJu2Bvy(Lq*9vAKrromf)2s`bOlhwJlNO8V z?O70PaxDf>R+i56@m{D7;H2FB`fU18k3S?EZBT&sE30wXK2BktXSb*oK_9aY;!)#> zt#sf;>6L4{J$F(hWTTJA{kZ40?=)4b0Ttxp)#bTFtKRgiAyn^xV2;9`sB;4Ub%l|Y?3Ui(z6X#=&FL1c?)cZ?rc9#k$>pvYU~${ zI2Qk_`7`DVNN7Se0r#;dSV9FL^gv25?alt15(Ewh9~H)S2!HTvl%auUIW4bz>fNv3 zt(QAza!E#+ssX3ni>7|rJM$%ZIhAJggQwh+8VSQYTA=dN6U$z6heep!O;TxTp{z9q zca8l!x2HtMFqq*?oeX>zv<+*TB>**fJbTAG@5!qhj&)6(YI(5%)bW?3HjXi8eu?>_ zi+p)>fi>o`KkferMn_NuJde-HR~y*+DVM%D*6+hpbUo$^e~&#rLQ<+gD*c@oo{dS4 zFXiyN0D?(Ab1wSsmilh}2t`#Tx4K_4JntRM(?DzkaRW#~)r_?&jeaN9wOh9PO5m75 z1wH_{Ae*=N3Mv<|ETj43c#6Nq7DOI1F>VtsIKX( z1kOe8)(0jSGX(fb7y!e7kxK+cY@lYD|hXdABT=w612JelH z0Gs{GW!dET8}H(c#n&BOz_Z*@r=xjQvQ$>}l~s>{OlO%?kmMzFh=h733W4v2k7!9) zOc3g^*9ge9>GkRrAlnPK4E>c1Uu8PufS#+IQQ3p#j1O- zdM)Mtl`JQk0`n{w4gmKjRWL@t)S`5fUaHt6PCP?R6eAoZy4&qmj16cteH7#Y@!F|= zFLHa?Y8?^n_~19k?d8PygZ@X&eV%rHNVRMFDw|KKEw;~V-<>^X82sW^DV%Q|=~T&5 zS!^R_Q0^5(J~lc3Tkz~tRTlf1Htktg=$249U{=J!BO{q<9x5Xt)t0(UDBUlQS@DQ} zq$CSfv_-)5+>wxr?TvJoDL>@Z(yMYPIY4b(&mPpL@BH|ZV7s7b9Q0?o|0;~ni|cX9 zB;M{#92OWI9SI#sG?<$5U_b@cvt0R>AU)<9w08bHv!C%r_E;sc$W7wj9f!sJG0Ex zd_=?fiUo3hjDICqy_~5ycC_O42qeqc8)SQ95Y3}sV2*2lJ099?FiV*BE&BRLn(Itd zP}KtHvjdeH-#EGbuW|<-ew{8PeRT*&D_;-6u6!Uz9B?_(gO7y#G~RdBL1$+ie|dpw zy|~W7Ij8}SZXiow*i(G4B|3;m4o z$RrAfah<(y_A)$|MV_|!Uhf_za$cXiT-V8=+o^U`pnp{oCv^gjn`7jP@mFbh4dg`& zvLLzTZ=UZ(%ykNG34p$O>nu#w4JF|`EAf>p5P3yc{f9tO6afbQ-0$uLg`3%D$PeCd z$%2Nv%u?4llt#}a?KK!;;#=-P$58wsfLYuu*0}GRN1VQT(U6p|#&TKw#LUMc{`Gh% z&jFYZ_pYjB6;W0`gXkkk(3ZDMGIH41lnEoJNGKU(dbH z1TcG{!V`7<1!$9I5LZ_VR+}~1sB2};)xMbS(>?q;8q3l6=uBAS`uGtMvdr( zx?9-NbJ4)_^sj>-!>%i z9uw68T`v`68985;>#D_l!Z!cJL0E?e>^ytq2-IPE>nr?*z+oc!a;Ekt47R`KKx_D| z77lBlSQGatyzllUH77_+3o{62{bR@vOpiaKC_+x-`SM?@sb@B!8>#=b$y(zrWiWr^ zFPQ)r^(Zeq4lvVvbm!0yDZB$Yyi&ey422p(S9oyPGSSsV&-v2xyC?s*A_>DNu=%;M z()y)e-BVIpP?#~^V&tg)+avw~{bAFAb$x;}fc{zsCr4La|5FONn*UuHfI)QzC-*+t zZ1d6xRM~X{I#l(Cn=l*cXP48^^q<-=@4wX7060n`?q|LeAu+GJZKsAu9%2P7z|I=T zGYe#CvnAFVGA;l&g{5;kU-wp@upSlEm)zaz!b${E<{Go!Er2kJEX77LJYp2{Q#CfLsE=&GM?BwyDDF8TGq_6&xzKmtr+7cM9qx{iGsB zU{h*{f3N)1NPDKHuf|)ZuU=I|vbK890G9}YS!u^LrO+evqf2|D?=u(RmSu+?GHb*Q zHv(<4hiC#w5}&3OYL}JisQ4`_tP4IZk%jSM+LKk)E^!mwxJB z8>0#av0UZg(4$DhujM~~X5;~UP!b+EW#PqS=q1Q0jgBy_al1rRH5o}z+ivK2<92>J z>Zp@ymmumab&yK}sCLrnWl=ytiPeRnvx}Dw(ChMTEhKIq5AfS$22JZNT_1v-=Pfx) zFN@1L2c9RHyB?C=X=gMrSKuV3{m9Gb5_h2`C%h8;Rh}~N`&Vo7nXm7dm<;aJRhrwH z)h$f=nU&VW)zzB~r(VRQN`Vd*1x%fc1^fe8OAq+K8xreM;P)HYVbK+-ym!W|{+Gr_ zdqSraQ8Y9(9zitn7CoN#f*0p+$)kwW5C+<{{`7W&11P+-UD?x*td-3Ts>nU?T>D zJi>-{9!$M)#xI9{aFWHv#1llj*#{lli(a{Cg_yW_yVRV-U~~j=rlRRS;}1d4Ja*{D zwqIOBAdZWzUyMpDa|+5Y2w|59bddG57t78fVUG7423$CHX|P#EnmphU8e#3(-o4>A z_P&FjQcg$i`YHVKtXym9^-H{nbypZQ$LmN&k=Inkd*$2b%AvV;tBZ034BcC+OX7K8 z{^4xAN9dFF6*q<1&%QeC)rd0A^Z`-GrJ=aXlD8r{6jVBROdF#gXkLW-Lpdw6=}(;5 z`Dz>HsN3S(JuzOI`=)pG z?PxtHH@CJ<)X42F>a)+FMWUB1y9=7+_azVT=Is`YJ;&Z4JPD7pG1vAZQ~4TH$zmP7 zW9Ll6;MP5>29evb)-_?sZ{z%O8kog(8w=d0rE}L+_r`7tgC<;+F%2$3;XWxkSSEs| z;wO9G_Vx?#I3IVOjBZ8!a)@ z4GV8Yd3BuNE&X4MnJanB6jS>e840MOB4XTQR%kxEgx;uxWxK|QF>+aHGjt|Z2&d^ zMra+UNG6GByMZJCtl3lWfCmjKv;Rh*zM;s6lbnQ@bg&-_Tar~1K)>lrAM9vry?k&A+fdHjOpKV#D8w#B=CHs zdMshAa`EyV=PG zt*NVXySfGFl7OGYXxh5&Z(a1WL<<7ZiAi{u#7q=;Qo535lT4=^?} z(uU@#uhN8{85e8HeN{C!Du!1bqoWIjCQ`qtc98G=8W;D7ysTz>TY27P(?#lCwlmUn z0)EaIHK4vgJU8IP*ejdu5lQnvM$f7-5hTz@-!+R~SU2ACwu4CZzi6VQd?N4X&^ww^J6Z2-tUNM&)yQ!L+`~tgb@AXxmlTkjn z^bum@f0n{*+j{_!!G7d`Tkcoq3ySe?+xP~)vkyG4zQL`XE?-p~*JPNs-A9)dlmP=h zOD=FJgdHsIYx+J3{{8s=o_h3$%N`P%_o)if)b7t$@}G#%46x4iaWBS&2&x)3Q!2*T zoHyWrWMs{Dt@r3}o*!=1mgC9#!YNC^dO;_HwhZC^I`ye{I2;4%D6!_MUO%yAWc*|n zOqMy2$z0U_3^~c&(_z~KKLEA%&)Gk@-`dv(pnPzPva$X@U1c5$gV0YH9g7!YV#k40 z{@EWIYmI@BL>LZL5SeYfCPIu9zW=w{|3DPBaWYU&lCy)|?WIRr(i@e15N)R|)aVQz zQnYvttA-QNa&uE;eo8B!UL^ib+3ln5b(21f=keaG%m&N{k4}Vxj&sIUxeUB1g!g9G zPo%N}&ZXq=!NRLoO}G80#<;MAQ7_saiD-`4BQ{;$Ky&flmJ2`|G~lY4=xGYF0{~qg z_&IJ*^X;q94eFpap7f!UNht0S72sq(KGE)mon^K+FZQUFfnJP{h+VE*naU0hOsv-vpnKaChf!~E zBKVn29d1$ozf^!fDEslF8!#i`*1;aFbjHVwwhL&tj22spYS7T%Ocy^U`t3V0*z-zc z5%xcSHG`;~&l( zL8i2{L$aCj%p6GSyh1OHtGY^{INT}s=MhXeD&hFcz#})HqUL>j7c*=bD)6V;T%`z5 zef*Lmi8h9sc6oO2k;LbNxn_zy!*+@Ukr0eIlrurIUW90Q02+aPn<);CP&)z$cSI-rKws|ewu_> zbb*~G0|>FV(uwH{zxi=myf>sA+nMwGC3rp0Adt2qfhkx8E_Ke=#-j zthDmmb#>FjwCd#k0+Na1ST&@{Ya1I5EiJ8;*261DWUDOQi;Sv~nD2%3BQaSO)zn%6 z!H7K9F|7_}zakQ{*{mD3el%exXU4y*{I!3-5y>Ue(am}+2A_BT)`l~R8LPMXlA5hC zQoC*E>*bW=`C3Dd1B7|?WLabbo&W?|;lwivFr4aJ;NF8Z3d0^&zvH;{=H@4qlSQyOG`^u1H;&C#im`m*OSMl zmWD4{@i$&JHN~XBb8>>H76NV;DFvM|i63vB^s40HM2!-kHt#>6`9{hl;k;TOBM4C5 zciB4yg3svxx%|L(1>9*fvcSVjp#NN|-qCIyT+(n-rO|L8IDL{-Qf}ROskJvZekmP~ z|Ca%^2}p*Tzv5u;5Jkv&EnrEHP+)}HO7Q0Rj4t3KCg$Jvknq2DqhV9O*!(3x(<;an!ptW5ko^$sY*?e*W8VeH0jvZiLg z*%pUem>{TXzz}`6Jr$J>rm%e{$-k!T59P+MgFjh1IbxdOe^Qg1?>rr@8wwc;CxqUE zt?63Ha6{<&iP_zFS?BWFjJ(Sd_JHaIM}qG28HFVk39fn#v&P`|zS%p^sNSm<*x9f4pb(fi#gfrnM?aq&cqP;n%qqJK<^cKOMitG8`*xt zDG65$S*<3l;#-;~tyih7(pWP5XIp#yMv4@aB~>$|?bfkE5D}75k%S7M`ps+d0n=fHPGoOw&o{a;;@ia#`qH`G ze=E_Cq=vCnq5PDgqELoYm<-NGsk0F+gkLU#Ls>#(VYX|*S_S-tZbo=_`tqz|oJ$?=mP(NOF# zF`@se;KTCsx%rI7m+Jc2ih}@+fOIhTRmgoKnOr(D*J`lHYO2%S}Ll;g!jks6O2ycA$jt$0eJujik z%47^cR~DiR9E$j@nc2Vz;1V6LnJ%6vA!s>hWNg`=3BZmXD&Yw3`5zOlfssWJDgp6y z*(cap$9u#yeSZu80{$ua{N#eOuogaszb)oqg5Iqjwzl>_cEL%bC#{rvCsoHP3ax8MD zEMK{;%u-hMD;a;^c+fy!pkS-2=yT|$SmRvD)Jj*kY(Z8qaQG-f;GlX5)iqnsE}fpF zAHc-2IlW##Pq8`8R4R>4u}acv`JvyCTbbq~c*>SKmQ$BwX21Y5B6NuBQ{3uaS zQlrCXxX0bOkA6)|hG})b<_SCREV*;96AXo?B~16h?;z&lmDg^t~%#S~<2)$)TXkq%tU!H2}?-{}FYc zS6N*8Poi;aJfVzalW8qs!dY=$#@ZKqxX~_L$^Dqxq0_oPoE;B$U^U3s?$(CGpr*12 zxv{>U+AqEp+`c51v#UAR&~^8giEz*8sc={p^gl6)%Lg2J zGeJ~vQ~|1d4+K+KossCW-Nua_fvtmWzUHsLq6?xfo6^`1J;w{QSsxtuA>rwE^+@rj zS)+r{)@9Kbl1fG%^psosy8^5DqeJ1`B72fq$LMnG0Q}yj@OE+Z`|ISS*&=(WO*-^o zq4B3aUsF@FkH^qk$vgNpow8-E2nJD?B^mub&R|7c0^;AKhv6|A$A_{mV>-#@j zuZX&CKH|frd)W3!Y7w2?tD+nYZtaZ0()z{M&r>HrUDyH{l)6TbOI6f(7hAtT0N@+N z4&N(*l`9aJZfw!={&Y(ep$-u!|GmmRs})@>D3m@M7pKb+lw(7t<9!Smjz>!uQbk#^RS-H@9Ii<Yi!HZp{MIff9(atikYIl4>VoUD*tr zBV*UEW#7Wn-Y>Cq%chl?Aj7YLVYt74$afV7+zq27;no%uY2J?Q&AaHib(7LfNr!h+ zANG8H%%~;|tQ|G=mcAQ)Q)YHN_3mD`OSjK~XWP-$^rvL7#|MlXx>RJ&Jq9E8;zph% zM^QsjU3iiYSg)vt1%2~UxlxGJ?&ds85DC{tiMXgF1M};=_?p4YfvXdy*|%FDt^1Gb zLFw{*+OW9I4e-^6RKTso!LOEw?mMVQ9R1$yv?CodI>d7P_m4;^==f7}>~N2rUsfcS z?z1?|)ADdaG=-meSL&PwNfjEVeJ$rDRn)H`&esj2)Qw{c3~J*zBB4Rs4$*QkqY2+P zo`Nb*F+zZF+>230zYPS4HO zJfj??1YYw6_C-P2?xYN_L!vkI4< z&Xm%!VnbjxL&N74AO?u^R4nUGu64(YM;pTJ1BM}3$h^eJbln$4AdgY}d;M{lWcOFJ zoxUHeuIQdM)F=M<;`iskg+pF%_C-{&+IU}N`kgFeL)`4}wJlW*{bZDWikd=w3O%Rj z#E_+Gp{x5yy@TkrpV#-pU3pH0rn1;MdqG1@XCX?E6n2m3x>-CY!MUI~eKYot;dA$j zsI2|nKCj1YvaR3J_^OLCUJ5*gjyp(c;udZ0bc)QfKBmSOeVwfafp<&mzpLkU+6*KM zgD@xSJi>apk!<823QJcAIq=Pn_aWsnxxro(HShf2$}afPPQ1_XQ~0_*z`Ch}LxFue z7QMT!)8QDVfJ5fFFVW=KQQ+V*5?&LbwR@9X*{dl&8_1H9irFsM-(V14RKZks&nR-o zuLw?C4*6_myn@)=m~~9L-v7t1jNJg7KDBq8$TAmh+)~sAx~DyuBqk+}=g}F{YCc^^ z9hJ%4UAla;fq1Ez+aT9x-3r zhr2YadOfd#PO%aHL|1?fXy>Ukdb%7M|EaLFL}01BRIu6oS2xPu;GRzz9sY6%x_Jmc zs$ao<*o1#aobDf9Gk^pw6hR;c1pFw-fNEqxCNm_&x9jJC9&5IG;*Ch>YX(|YGaTXE z<0v;=kpcIO3Y%W-1byYs6n&gU^V?$xO!MVXgWKJjdREEx(|^KXg4h9*SnZb79|NGH zD#^LA|C@}37d972WRzKw`spqcYBp~B-yBr;?i^!_H@Eh7Na@v(x-89RUdkfhvN?&a ze%u^EA_r~&nt^Zudivqb3BzgEjW{mNlxM_B4SOd8KI@aliUGzmJmj(R72Zw)4?S&3 zv#Zz2M(oA3-{2Dpygjrc#(p;S?zcw0`eDaicF^}yr23La`KJ+o!V%Bo00CP_352L$0l`5XW}bnVb3h;dDBJ1t>Z&p6ex>A&bq8hMgKDc_gvT^jlAwE4)LY} zgs`Fz2NH z`rBwydsbB={bqN{;2|eYPoLh*Rz@D$Iq_WX?8tZgGHV&+cTGD45*Q%F5&Fu4aTdfK z;e{Oz3Fq?bQixHG_4@etU#`4FM_Q%-!UBe_KKQLFRNb)1&IX^UKYE*V$4`y?ZFb!@ z53sX%ZliTKx2DuTEKqiSWRcZEyeRGFM$47WPbTh){XqOr(ER0xv0+WDRtw5E-yD0d z-h`O( zQHa*S^ma#(bowF2IOP0r(kMIQgeu$f{cSMvRE>t7Uil1A;m5>;-(-5SxxfTazbZzK zHG?~!;f_I;e}2`svTB0r3O{H5oqOMCj$w_tR*ugXm-oRLkezM}tr2vCJvCCMR2F;G z`OBnom0(xge`hqYrPm?;&V-gL#(ue%QIuyFigj`H0lMa#+f6(~y}OXMAM1 z%9xG(%gha7JXWV+E9mwgL))1~FasI9ZDF>$sHo^>4!bI+d$Q|0*YCr_+Fhp=NJ|ed zuXxQo69<`^r!V(k$l)dM=@e_dqAy-_EkX8QyqFMiTUF}t^ZJ$W4FnA5lqZ{s4J0Dn zTK}r#HPjV(k#IsCt2+$ZPmLsFMdhIqL46-$DR&k!R23oty+GjV9Xy4gRmql!xu_Db>CMr@3gC zKKXyF%6(o7%LjRz!X42CqN&zipy4!PUPB_UfJ5n;LnLdD!PBsa)u*(~v*t<3KwmpX z069YT;xP<8!BbRPWM^)};Zf^>I!DbEx`F~1{FSi%uh%`5R4CU`I%U-&B38e2wbaY1 z=QvBe;^KDQhRvuvlLiF7sqj7^ncKCvPMmz(sIlTpS1?Ua(}bOJfaOTKh~pVEQ`yJj z>5t7^Jl9bm?q7`UnHG>lgUK6~d?dLtD91*V*i4J0BN5r~nR3+5J9nFKP@HPoa*F?wb-7!baomKd$9m55zqO$9v7u48 zU%^XE$mL^;O2sU*9dFoul{qhY!8NCRFX&k9WAu%4uHSAPiA6C%U6lg}5P=@jb z9)i0FC!3Rq@OQ{#KkCQ34aYr9sj_~a4To2906YdU``hO<>?FFO;R%ZOfd@snl2+ZM z?mPH-%@f6knW?c=1H62r+rx&F1`<~M&Gf+Z9ureNXX9Lc9cl_y@mEFYdkke}T~ zSQkPht}M}lyjycveg$W8VFLv|N6k97CEPCSDitctZ^B}mCyqli=s{S9i5LrC*I!xVEHfazh9`g5xoWU3-1{h&h|X-=$wKgHjK9y&?H(K z<=G$me-&aE$p?;MBqj~6PYxl6ey`l<)Q?L-S*!`U2#2;UIdWYsb2d~xApAX*LOMtI-2<$W-h5Oz+K#W(G%iBebNIuc>h&nJ9 z_*zolm^QiF8m(_+qvH4`C_=dDyMQqKF=;FM0=R-PD$%9nj%4ixK+gsuStaE50`J|m zBNhxnU${VS8BP326SvQ1rCzxJxJnO=7gWCA_iaV3mye9j2D1G=n=8Rg@W?sK2}$-{ zr1%Jho#?9n;0%*t;mre*tG#Ou=#g147JOuN#S>H|9HR~caP7N%R{U?1dKvqG(4t^m zf95ntw}jmQ4`fL{%4l^ZCgejuYHLfkymeft{`rB#+d!n-2AtiXeRcf7^8lR^YVfX`PDo;jQ-Sq zSWzUZdSxo^GXLOszGmwO-C1qzV7hcDp8@yy>}dNGv-C`}3xL~StHNAgbcWKe%6&Gwf}gW$(;EMSrLe9 zZ?D1{HG_2}A3N=b}-Ql@npLZOytiHB;p_DCoNWk6nY-U_IYjQjqclA?q@76aLq) zkp^2zwYj&mi&#$J$1NnT;m>FC64tIT=lzF>}qDp7a4NO$B3IKQ14{#3N|XOc&ua%9LC0S2?v zMWAHZLv8!N0eOcZ%hP5(2XWp z_j31*+bRongtX7A@QM z_G?7_*zIfj#;{MM445GEP#&tk^*w=harcpKa*A7qPwD)`Xdk@3w1v zIL@RNbztM{fwEXpOMwdkfs=NPjB@ z1+jj(q2JG_7{obus`Ggad`CUmbZIchn}kfXa^>4H-%%VzaY1x1!3X6C`V4MM8|j*w z7A2pE9zkG+{2nO++SIDs`3V4Ft|yx1O7m3@dQHmXgGNS9xZf`xQPcF;*wujm=>ce+ zJ0ANIic;gxg57r*(Y2+XzkKc`WXmW!o%-u1ioJL$ncgBS6GDy-e$32dEV2?AA!y_c zc{ldtef|*Z7FTT1Pv;GL(%`3yX4521i+?C6vxCoP|jvLp4mKu(B4a< zNT9EpYPHvTCux8sa-O_altEY8Ne&a}+*J2ly{!KBXMf-=Stj6*?L7gaLI+Fo&A${Q z9THs2WcS%njuu1jdM&#WphGAht1RpSTl(Q8sA}<+-uq9YM&qj2zsD&~e46TihX5o$ zlcQ>!?M_?pJ-^cdrErpv3g+7DL9D#6CA+f6sm$}*D0de#mDciC(^BE*^l4rGT23c~GA8S9LX_OE?A<|8gi<}{BLUBCkWO|DsQE&u zZn5P^o&D7_h?AZwTiwOxSGoeO(dj4`_2;ccHL}wy4}@g2LYX?PhfPJ_fA9Ngzc}8r zrX$n0yv#<_Xr83lt`dWGFRS05X(!u+_2wuS5M=D~@=_D1{3I)M(`N&dWP8468b*#N zecL_dG*3R*OL^1aN|cq5;S3VspHzOoTl{ z2E+#90^~52(jj@L9IUu6u2%-IYtc?t1-joCJxmR#)!Pwh`ig?mevk%Ii>=|yC z+Y14^T0{#MZC{>3v3*t;pznsYvoErlxM6eY%E!8U+>Uk880bSb-Lk%8wKg9Zs1Sh8 z#ao@FO{zFS4GOeYUJb~#eWh3nJ*KB5J7~NpkZC!=Se;8iE??k|z8r$EXg4cd=kAG5 z!10KSH>$EX^ca5F!;~W7B1DA5uPpw?Po;-KI2(3?lN)wb02@^rLK}o+E7-6}5}ui9 zfgPBJtEqrCDH`#P42JFu7k>@_Ukp}o|H4QJq|Cp&3{ji0;6L|4qOP<=cF? zIFzj=Z`;N!Asy(!CO1!zdQ%7 zPe12yePEtV1&K%czb@+BLUgR#?@Q&qK3HD~6H;(U41JH}zdOW#_s7n&r;fBsP3rET z1=3v27gu%izf`0I%&XlR2Ws9nkVuD3iFwkeJNuUr&z?GWC$D)W!|(EnAH6!}(LnDv z^@aRlE4zfZt)Axgukp9=5)#Cm; z5n~iVfeRwd#CHfkAFnpFd*t2~ova4wy(hfHrU@(SC!*5xeOC?`AHNGRQchDg@S_M? zZWv33ts7XF1{Z|GXG&fOLKN^{|Cl+5Y$PyHi3D>~lF0byrRbU}9BL{bO;i>f8n#<_ zEqdsCt5hs{saFLlWEWq@_R>Z<*k8%Y&3E zKYo-J+sNM}M+f38()-Tbzha|qBW`B$WVl(X$@D(?w;Fq6%T1WN#U@$^g{zt(V59BpTW1yvy0zS*h%7;?1 z4$PXk#(hIq8p0yF)cW)=2dZ^G%*7Sb_^04*z zbyxUd&}Y~Z6j0uJxud2%+ZU)G9&+jX;Hk;yQvA|W$2lJK#_Q4na)uZ4w|OC3;B!-u zs87G)d2Q{s0`+GTfQ#MU7`DkNg2@Mb`l6VhU!_1$?)9C!cYl1oynMM)KWNk0qct%- zeOgy0wD zGvsEd_s(phGFB*QF+d>i{&Gfj@^gD@+M%KG&~^HE<~BEA*clacM{=uX`$fzZ4jjxX zKDcrKXU`zH_)iM~KYFtHNop*W?(EFtv83x!1BPjL=RO_AKVag7^$IR-&a&Z6Dv^T#Esp=_vk$R&_`kLyem5l%6GR?!fwwc{0Hd%0RzA zVW)0qfn=628xpP=4JIx=eo|By1kVG$Bp6svM_h&DSxW1Fi$mr2MV>wPBV&Th+;>v5gsIlkzti=7wIp;e| zswYom<*H!qH zfO(J4?rT4{UaIeX8<7b=DgWFkfur6HIHIDvY-&SPVt9a{c0t&WkC*21Tl1}ff)@d_ zL2OU)Qis^iRcpmn@zofqLy=>Iwjq9T`N=#g_fLGt5 z?8%2vJ5F z146cK(RGNtn~V@1Tb$G)q+QT!V`zJsMRTf*4^1LHJwfX9OpU%VtNt==j%HmrLlV5u zkh$+@a0Ylv|K`n`y6SpHrr*3-fLGHl6?VICl7yjgvxHvi!7S)F28g5iGW%3CU#Iut zHXSyoZgDKRJNMo=E~0E(p7ZgYT|{D=%KcN3uh}qz(bHb1*c?wz-Q{oDhVNFzpLF8# z*$o5!L*&5&F@oyJA!IFBM<=KKinZP^_T%|?XqRgb=9rvWHE>K!k1$89PdTi*ya)xM z&uU-6Osj(gZ92Cru5t4jG(ba5o$jqS+mrHZ!M~?iBmzpU#*GZ8I`9?=cX_`jK1xrN5t2?mU*tz}V~y$vu|6 zcbIscO32l{9S_ug z*|a5L*KqJG2-NwPcM90JX>pw-5DmtZu8HmvBTkw%mYcK(zp93=3&lul;_ckuQxNs0 zrVqh4!*<=H9_%7yHhsnPbEFwKxZA3~Nu(N`n|$lgmCBKkU3xA=#2jqh|5d=Ee&$VN zX~kG`_JlyD?1s?#P8I`CfU+$kUyiy^FOa_wtn!sCJh{Y!K3zOx-D^>3^@t}Ez2{@> z_x$~j1Z(}VS6t&^VbqYV5DNJpx0XGHpZ+HLwP#{=b0EKqOjP=N|1+s=H<>J_1bxk7 zgyQorg8Izqpz|8EP_gdfo9%YU{V1dn(bS;PyR@u3@sDol6|XdmNlci?$Ju|{`n}1; z_CrRWBv3tDDOUe8=?{KU-S0}V47|KN>*@eik~~!&eN@bVL1|A-$m!R2gibtxlo4FG zfWVT00jW3~j(Xi=Vw$7Z&F~33MaJ`Z7i;dSJyeo${zF>Q1h(^xu!F&rdHs8SR7smu z{;=q?5=C5bQMKx{_zY844;iQupU5-xH7y5xcB(0JnD)#`pDuS;XENbo_h8YBzVJsU zUs}Rwin+yAq(o0$=%Z*+Cn@4fZB9ELZSOvOZe>nqTtKQ@Rm8AKe}(N9z&$h)nwNFO zelV5oQ~4+Vh=#0mS)JC_>q&Ve-Ls;3G0_N=o}yEJZlK)#_k97@qhT)fG@>7XtVOO= z#Zb3os7y|zcJ>3tB}JYJ%QkO^V%c7A8J6Mr?%n#y#8Y*Ygs566gR)H{BVdTC<6fZ6 ziW7|E=(c0i<}PWl47u&cUQv7;9*Uw4u~U*FZb!N8P6@wXfo~(8Dl1- z-oyOPx;sL;>K~?L8vvTbL^W={!9JV$*!Unk=~yG-l>1=#6wWLqYnA);-1{d#}j>m(U^3|jfrKsW+m70`NW zLFvQFRpH>pMB5Xy`72LDR~~$N$FuH0YUApV`LH4SbXbZ<(||vfGg0Qmew>hnE}#y) zMi(cC@&(O$_WmdKjFH8W4lF?hz?*|BHms>%GPRUYuLRYJ&p%#uO>EPkdUro(GLVzN z)^*Al6S2MjnOm~%Vzda$l&idz;RR}fzQ6QQzo2pw9)(aD%J|Wq33b}pk?C5h>d)b2 zWS~Sj>Szy6{>VcQw911wGaKQHU;oUf(>J9?`^1JyDOa-eaa&6D>T_L{5oVdN>c-r` z*4K%d-0GsGKC27 z{^?xp`;yz8ra%c-%J#c1o530u50f4=h~4xnC16Dk-xJK&q~T?&VWz`%Pqp)`a%JPDw?>FL)gP=syl1iSV?&31jh3Tzy!3NuA=}5gwug&mIzGKXsfUqI_$^rY zGASwhMfKlVjf5S^jLVSa%+dyu=-fVOd-U4@=W@rKa1b4#hNF^hweAj&|DHx0^Px#| z;l@n*ApP%|D};Ej9*^R@Gj#U>FS^inOxuF^*-TxgV!+5(!@{-~7CGeV%6=+s$a*_5 zoG#Qm6jkqRGoaJ@|1tHJVNr$K`|uEwQUcN;pn#M}=g=Vn5`t1Ag3?mb%nV3_l+qm% z(n#kJA}Sp+bV_#&Iq`1K`JL^XAGv4u?`=5RD2HC7nT}@(;vF_fHY*Y(l{yT@?ZD}E!B9#)p`wq)XHE?dd=CVPiAyvn2za1%eUyHf;)9%#g5F{Umm}`Dhom@ z>1$(%^EF#+-(>$n7-7FArB5amTvPc~ScYmwUoD(41V5di+gP}kkz7K(ISC=SoPkNs zWAyp((RFt?yWWMxie*^IxHx-Pnm`V<=_;L^6tbpT3S zVp6f3Y-&}MpC24}Pv6H>3PXUYux!f7RXpN^#=U4qAaWx(u7m_~VBxc~W`N(X^KfDb zIkG%TO+YXUtYd<3EZtOdc;H50dg|)ofKtvsAmG>AI`o2RXS88fAfA=9h8G1ljW=WR zHx38BBp&JsHq+nEnU7X)X>oGG>}{WrnwhatOnaTK*4zG166cE@Q`d(qtq}0Z?4U;; zvyXw;FRw(lx3;E`>1YPBTb&oZZC41~rU)B*2|DI-D1JpmxM&6KJ9eeg*+mPymL^z{ z_OmB^U73T~x3$ZUEQEHq86I#w!@zh`*9>XBC8kr~NttDvH9;s{I_;Kat|2${7txIHud4JO(8ZXr%ke!zIDbGtT zJ>fY)_JYd6P4YdbrT#U2#UbE##!9<}p8h{WwehRAAn%u^7t)NnS`Hirps_>2=hRTi zvKyb@?E~Tr+rx#5)u4XsPw8f|f?#XoJNt9Jztvt>1t?%?!i7kd5=tWLbtUl(H;{k8 zFDpNB{jMq3{wC72-zd;5@CQ6m;<>Yd!1z*-DYs3GmXPD@ZjT%7BPnXa+! z)qXk_rEXAy*F#!tO$#g(B?DvX7l(}bYzL^$znzY8Oa$&%PQNVYOnuYe3+6g`U&7n^ zz0{_tK3yIk8z&(UaqRQX|K-v}fvXG^p8kc+_4xs(PmR!>;wY7m2~YXG?6F5qFQXQp ztLJv_cux+^bZsE52io0E0Dvym~Q@`>cJ)bq%{Dyv{JN0o53~QvP%IJ;W z`C6CmzQ2F})`xdDcS!fY87i&U^*($F`Vhp)7rHJ&YRc!pGSHg@whybyhSJYP37+WO z-SA?BJFo|rMNQbZT-7-@-;`g@;GL*;v|4H=mX+CHU2^YFNPnHi3L-Lby~pv&tn$7I zhp>w_ph$iEp|L;Xdc4}l^I02q@;P_;#+5ZuEU446FL8}bZ0GFsr>1FuPux+(CoZvX z26<{dIhb`*t6_SeEq*b(u#iAf@U}9aYn7oW^%Khgh9}5bQd2S@fqh~(^4^;9lQASx6T(!h3dezf<|M;W=$+uDVvEJW-|318><$M<()lz?2sx9NiM_X#r8sIq&}(ut8TqR4*6kFg+y+R5ksr$Mw5Y z?^wMnsv3u9$m3*jVyxZM=lgAE$DhzX@4d$U{LxhnIaM}!ffc69;acsdaEm;Vnr^V8 z>Z}ewzK|Yq+*cn;fs=Z*T!ZNlo`G&|2^}}H15>zjHaY6vY570?A>ek*(EHH$nN6-D z=2&9N_ebRsFx^ShR5yngK`wIMDGdlL76!1!U7^LK;*yfjEG^X`xS(IUNo(0{-Wm3V z*Bp$jWNWTYb5es?xq#N}0@==+>RDf7L2~oFN9~k4&n%xuNrfN&pWg;+v$E9e&dnm_ z(xWo6&Z9JAXUq?-?yY8-82k1Ac<9E09@fzxFnMKx4nEbJ`PnVGT*v*;Z83TwZLsBX z!_Wzr$A_^@p3$npc>gAz#NYXjZdH*rh1=rxVjKlX`GFGR^7)Yk{7qBk^axNcPK?5r z)^#3baqvOJWopz9_>r%J4V5gJZ!E$Raim!x2KlhqmX}V;Y~zq4xt}Q+fwWhE{r4if*zEi^S}XDf-o!BNIP|wFdX* z57O%vKGHBGH-sM{y|R$m6@8R99b33-IkN6Ev1jn*k};F|c>2?jr-85z*JqXdTRyGs ze|q1uQ7eVvGp*NuTK%1@{&b%dCfT225&Y9&RkYX@o)HuNjmJph710UT6Y|}UK7xXp z(*^z-@+5fLq4;D}q`Y|Y=zMu|$}d1INxs217S`u_uAE24$zD*;+lJ5Xr{nNj7tpm$LOj`~S1ud>j)QEib+k`e@!bBuelEGNi8d+U=cqyd1QMHv$X z#e&g~733sognSGJbNA;5rgEXYdtZvm9Mf(Nz$%8n62Ozc?|muXWg0v$#J4UjWJ|*M zBNtZ^_8m3p3!;XMy`a9sbyuSLD*Q&+9DLC)0Hb#DzIXQexjH(Lv;}j&H0|-{D=Ca9 z%K?@*5KNB814t!&=Ilz-9-+MU4oA^8fWyXe-fuJeUkN#0YcP!qBWLh99g;d-ey<(ylX`fTZ%!RJDW(3x+n#w4JY8hu2gRjw{-T^sBrhZp^(oN z?y`TAKKiBOwSJ~-ax9Bfh#GqmeZt845OKHxCiV7O_#D{qJ@y$|(*wsw`~63l5qLJ| z$IkzTB%H?D|8K_=HREGu<(58twjaN}tbR`&$KM8xWE^UbjXdBW3O>*wddSBd&yfQu zxENXKPrlAr6@cWzL-Qlgl)Uly1l|Ghr0cA8)|Hpsht6$_>u#{Hm1|xpSh>DOc0|kO z!Zw}hz?ZCgl0LJCeJfWB=(g)>!+8Ix8FNM}{`IzNG0>QsDLcgo-s@_aMD}C7wCiFu ze*1Voy$?dEdE~08;dhtryOHVgKd(X3R=VzGd~-6cGHo80Z=qk4>3>qKV`$;v$6K-P zvjPBAe_GLo;gHCONQu`2t`x$D7P+r3Wq%qdYG8@LZ+&z6XR}6>-hu8H@M^?7C@<8| z4?YeoJe2DugFX#cm-^|=sUST)l93g^$<{_109?JmMC3tG+;A}}!rgv!Kt)T;Y33V2 z80j#mu2iv<>-P4AXxjc;7pI-(iPY)DJg3s!c9I)gp2R53O0l3G#$RXnFgP;ONS5Sy3JO?d(h_K{`QMN zl_rJ(Vk*a$2?OIz z0p_Ie`jyS_>A(@Gqq>j`i2U27BN{`mHJ!`CJ!8FhMD@#hSAMcn6+He~JM~_j*Uko4 zrn(vIeML`iN}aJG-`1zqbw`83&KGwv2(<;50OII4S66cu5yX*-X#5ofPrzICf?C6wvP9Q-@-4}g)Vp~t zQ++8L-O;N6q-Fm);OA|2kNslEJ5PhUH#R-p#j$XFPw`?~-+fK4dh?Tx@Lw0#7QhNT z*?)B-0<)eRr|EHkyF`fGVcj~Hs&Q#id+jW`4P%iH%DlcA zSoc`*+BUvUI8SxIR%i)S{Cknb%x8-8R%|bwx47w-sg~}%IdqerbdW%|cTFR3|7Y1- z(n9~wNDl$q!%MTVV7!-eSUduTr?o9tnKY186f^M+ov7u2>i7` zTSml!oC=mEq}bC-O~ntBSkR8uW~_o6-bR93uDO4IC+@rEb#DZ`J%%0~1J%;?*fLhQ zgZw*x$^pnKdWbeL)bQaWxZtJhXYga7mh>tfide6Csz?19!3NII9aE_~* z?-U#7fmfWCh`RBpcQ%A&3dLt9FrIx}kEG|5#2;yydLG=m-RS;Owf?vbJ(cjCbge?n zFzKC7_y}`khxNSYxor7euTw|{LX`Me-s<9h%$-=~R$#1E-xv5lEdZT=!1U>4NIl|AIuiSkldeUbUzQ67@HXGUYeG%W zX2chwxTCGn=(?@xOME`-QYSDVZ8B7V>ZRed&Kxs;zlOCveK*M?chwa50JjQU9sT6& zWP(g>tPV=>d`JjHcy+IF;evxu`5s-3db}*A4P&=-FW^<~O2l?*$LH3WlH?WQ-8b*% z3#2A$z3-dYwx8y6B!11+@;YTT&fA)=iB{0Zjr%rDt}iuj?eTGu_Pi&-|IK28on3(# z<9@IB;Ags!?k<^`88@!)SHIODw+mc7j6U(vx)JyVe~C3BghHW#K#tcM0mr3M^E?V5 z`CBmOb1l17Z5j&`Gupvhb{DN)yD>ZH)|Q&ig+TVgW%yLjt%<_!k9m8}@|+vD8V|^& zeS{wT7~LSe{AGp-Yj=IR{%QMwQ|oxAy!uWfkp4S@xa5ML<%9oLA}xk6RM;$}N%h-T zuM(UkZ*Vhmr_wT2JBv8I=NE(a;$mj)KT~X9F5aJ8hU(s)b`GY#Gsu13`$N$0$eNsx zWX9Leuf0MZ?9R)g02Yg+4u6kVC{j2H#wX93M)}M_wQ{cUoQ6R$6xvVR8rPk?=WTXD`K0%Wx^55HXS2I~Lgv zH>wh`cXDy@#mcpvXd!0=wGtNKpe_T=A!XKnt%-U)+*aX+?YgA1FOv-ue0Qp{pXPze zLfpZDXe`2O7r6!`b%lV^q%Qd6acE(2X1FHD{^l=-jMr-eBHUmyzg(^kAF<7)cgS8V zcHE3)cPI?U{Myy%M{qO2#RZV1R-%Zal7Xs_+zX|CtbN%6DAHn7C2<3TZo_bwp7axb zR`C$iw8eDu<7cWXV)WgBy}j0X=HzK(sl>-l5XlJq)GlkdN#hXL{{=zyi|Tg5O+I0Z z-LDL}vlZXU8lMBWVV(KnOna7pv01`R>U)k|Cqu+%)dT%+sIJMPeIsb*l@VkB>hKr$ z1h0Ad-T)f%L#()U2V9>1wDNUb?GsTp+s0h}a)*FS4Wrw>k{OmS;?&d@!tONAE&IL{ zw)D(11W6uN0YS`=E;(+O=obp^N(al67qMI;_u6-~k+fOcspn(CuTTQTor!0ClQUXN zJITaPT83IJQ4Ki+*OcR$T?DZCh4{|_tz(ZpADjpzNtLg2coX2KGMS)t>&#xOJe+nj zCi2u$yVsC>H?C&9|CttUWjduEXgCAv6<<{)l}-^2G@XVyL3GL-9IxQjFii(sal?3Mv&iMQVf%_ za&?i)GGviutILpB!H)FWPyUA3r;D;cGpFt`vHrZy)gMCN41wDi<5?0S4yyagYj2;C?jrVQLbpj#mRtE8{5H)2U>#!CrdKC7M}^H8=-RS zRwrV{W@dFzN;;D&i!dAtj>XTtoYp*Q0bdJR`8xoMB_hB*v^u%phqD(L85z4qN1quD z`MR^(xVeFLrP@DUoo=j}3U`u#(Z>rfYCZ0QfTcZXtBLv_V-HCT;WoR3dOfNP#NcXD zB%}k&{Uy&+7{7pS_-fab`A1?`H&|LfA!FC|SoT)e{h1KP9V6iV1t+1Br8-v((d$dz zl227{OyL+Gpyy*yJRXambYUS!TH=JzeM@MBbrWJ6RXxC9$mD}VR?H>rV|QKsXiciD z!ct8te_b#A`4fdZ?sR%mMzh!7ehd2dI%RvJ*!toi_ycSK;;_lgiW_I;VZ~uPvCg=e z2)2z)k)l)hd~JW)U4l_8cdkNzGGj@0E6G5LLd3}x`1DWp?{i3-HNiaNkEI>2UAOZY zJABZv%*|7I%$}!LKkhrNUQgzd8&eht3_Y?Igmkh3NK)5JyBs{?<>w{2;hU!IK_{2y z&9B&H<)F4G-AqZFS8k6cL|8T4y*3dwZ1#_^r!J$ah$aL)mTw*+DLn4h_VW@&mAFgw zuWWxUflo2ntzL$aCx&L+qFhx8FkVX7-7NMwtR}yS;`E>tu(F7HqYqXf#qfqw1Lg0t z>Z9^7yJT$N$jXUG=tl1ENI%pFxUeGSSxEX^@=pE5%1l2&;T8)+HpVQM{5t)mt1;#Q zYuO5)9>j%cghUpB&=$vfEj)Nr;xy;b~q<-@sGuT7S&tG^iMa$Y=t2^Gpr z`n}^F@w#mGL+5dV49NY_#Gk9`4^4u1Xm-Iyv^mX3T|>U3;x$?18y!C{7ajz9XVT+| zs4R}|83~A9d8lUAxmRS9WsgPr?WjzCP6{P3QWmwVp?o0Gx*hcprqFo&_$h!biS5?w z?dy;owpZjcjt%FRQqd8Aa*0=U;ADiFKhUUUBaJ2y7fzPT<6g#7viQ2%Pau)i;Von( z1(h8&yOl-Wy+-J^I7zg*tk#|?DE1dG!R?rqID%wcD(Jq`)W560CwIid?B*^COK7v| zYKW^lnrRIy@wJ(UJ6kI|?u}@65M+J1@|Wg3S+}6W3&C8@jI&*iom3S!=%*C>u74l0 zZ}XL%H8Z2Rj}7sGOFW_BCNhl3P>VFmdw^Z#xQSN{B%9?6`^-o{0NuJ-*LVssQ=bey zPsGF^YC;`?I({dSU7eM!5Qs=~-ih?IenGD1yV?I}Khm$$?YuiF9UIzeC#*0jq6zk{|}`LfeqFxC(FOAhP-YL6iNb|T|G<9MB7Rt-t9+fQ_1i1 zsI(uf?xuOJu(+S8y9#CDex5%m>d0Lh!zEgX81wQov?lnG-MmCgFr!F$)dun-l2LwJDVEkzRsY zS8@q{|NHfj!>dixSE#b*rH%FM2^@_VDAWoLy8vE3hA0Nd2X4WaCvwr2XYVgw{ThMC z^}~({O)7lx6ciK~8ClgTO;kVeXidC-THMYTO|4GzFqy0@nGE;?-6pdNkIGE5!yz48 zDgejB2*|~{FL0;C(m1r|*pgHbF-M^99e>O3EVX!mVZeZF@36DkEsTbk;dVffVx)Ue zQZ?9`?BK-l?3&x3I2(g0{BNgb0Un*1iIQqR@M`8(>%RG}3I3=aqu&j|4lTXz4UfJ2 zZHlA!LHA!AVJ|FVjqc`tARhtLHOG5(BWs)S3UPA?AKo13+rFChMZk|Za{Fce#M%K) zOdlK~WZt;^lRI9Gwf}O97#vxW>vwm~XHV&-UNXyj=WCj1p+GeQ-yn`$3wHFK)Um;= zar-;1{`c{sfhX7ZzhEyJnr>R&?XXTEvRH^m6xW^uiP%_Bn>WgK*9tnj4G4h^-0ddd z=BIyf7&0^>7V<-2uJO(FW_Ez2a5HDTa5D_!uO*H9lXACxeW<$s!>#^h282blCOcG| z1@45b8akJ`$f`T;`TgA2_Sf3X@u7Wg+=Z3b{nj2)%kv~$$`!B=4_1BkC#Ke8UFUNB zvrgSHa!iH|aoXvWR~Wd^it0OtbiKKN_+tm87=;533Rf_i(nPdZ7?zZ==;rGt;=MyK zP*R~g@kY3&MXcmgCnxpu?KsXGEq;32T%d@*HWjN+$HamU%anoCI&A2aHK#( zsq&L2QCHN`Jq$4;vWk966Lb+NtrSAJZXPW+%~WCXGVM=XS*|{NA5%bfXw<{`G}Hx? z73X8HY`4i3NlX4POtxUoBL4wmhzR#&blQi9kBCe)mtogw*2m=6H}%o3@Yj;W;|iAsVr! zob%CkhyohhN8K?ZRo{o&{A(*7lp6EGNDBCRCRoawuWBg=<@RK<>g`3TP4gez^HRNe zTfAZ&hGoyl=M0*>(_XWBfBtNG#n<1a!C_wqY5M3!IRX{Y5fm1quff{H^@O%wR++07 z=f*__CnM}`e^uqb${G2{n59Qxq*|k2RkWt_Ln-M#_YH$6t}yU9#idAacun`xjvCd zlIDBK0AV2ANBF#Nvj#$2j9LIt$I$}#}3aM zg-3zZ45r|TjQt&Js`k+3w&~6@n%fk6r1#l4Kco!LNUvt;xKD<;N;2mkjKVwKY8Y6Q zaHzX0b0qtIU(0o2*`PbzzZ{5zH($no0sr~ei^WPUMgl=AcYvje@}O74Su*LQuE?tE zt;fXV26Q%d7nJjW%CLFwn@$~KAL1`|RLl~50CQEeL{hY`y^WBoqJG~HF1F9Qc)sh} z3oO^jzEN3u zyg3F+!X*k4AOXmIxs9F$hUWa zR)2M`Za4@8DB=X%kHa=?b{k#nzZ$#ktg3Hq?FA8xPSlb6U@mir)*w``=?*wfPM5Z{ zkg@OuuA&=`j~5r!FP0Vy8rVw_xc_|oU@MI4;*k)mn5*y^c?t8cVYsL;(v*v#$0U^M zt2k{q`CQf|q7O*2p~#-@|6d0iBCuc*F#_?xS^8=)-F96y4cnXwe{?LcRJ>~^=-n|8 zeIu(miQJrBB~UJfU6IEZZtLS;CnliOXY9S{|6+^2C)Je(>r*ABa17&kiUZFRle({S z9~P~DgOlZV4&uV*4=1%Cb9}{t+_==V`ug-v=AGZyZ?mt5zva2*vy*zwR#ef(eUP#y z$l2)s6P`x7v-4f!hu8}G8|KOSx1_q2KgD^vAsR!B=VzhCZ)Y@W1vVcxZd(NhQai{f z2!AMG5u4C_H(KZ4I&@EJ08f3hc&akv!z$+#R9rk=nBkg=<=UNWUiC*ZS?8QoDCKq^ zF~pahH{0!wg_FcQTLgJ-q?HFbgEhnOm)o~j!jc7!8V;-in?~{tU98R;n+?0Ob=YKQ zHZ`eOu4R-C{xtUkgn%0;sk%bz-- z2ksHv#YHdpMV3Q9>#JF~D6bN_?>quUM1u_M%kM;SMj3v&lkZ~>+RcH}L|{ts{o13O zqxR*fWvIE>)yJ?>(mU!8>Z-Rk9o@+-Tu8V+#QF8FYaodt$#cJiQT^nJ9(6x+pT_p+ z;ogit0mgLw=9AC8_P49yyb?(`?mFq{Z zo1)i7CKb!D##9?W@uYsmXwsl{LjnzuL1 zFLV&<)ln~oR+jVsFebZ zlM#*@DK(huBfc0g^t}1t+SU4BJ6bq`VLE7Ele;Vtfs&dc4haC2jE%{;0auhuwBs>T-o(&85$$Z-r6$TP-$|HsSg&+-96ax*bY{ z&M{4JxW*`a_3InyD_d~9lao^~KpBUe4$Bc!DYo;Z5$)VO_d(wZJMUWW$8DIq_7gAO zuqy>sRSCE6S0e7trXH^C#YHYBycJ*z0#-@AzCPPdn^L5(%k|Q*43Ko4iQYw^*g)Fe zSiARL^y0E|a0{h?s?8dh1t4Y=wbwsU2IHwG9AYlJupRKfwv!}1 zF#P6Y@5lnWd@*Ks-Viqe#yx6?v~)GG&7Gig-C^0*k@P{Gj$AMBxQ>!se^#1#W{1)L zFpvBqWQhBW6392!8@e}3yP!ER>zr5S3Srq!#h9Kakb8X2{?o*y9PE#K{t_{Yd-X|R ztGwhXDg<|1@>XTWvAApwDPsv%jD^BgMVuQyCu7|(^oOHe{YS}Wx_kO;v0+<&Bzl@d zO)S5sx7?ErHwU1j-(*2&JYNTB`6xeq-%H)*2D_J4qh2UP%nPP2h;eb;HbEG)&U>iI zDZ4M55#&)aOAv1eNq5oE7?(YtpOy<<4p)pR2%LzXDPgzQ{!a|XOnghKT`rKyK@ z@OSH17m|W6XG1bMe?E03;-)dsFD<)NFge zGRQ@zfr-6vtj(Q*l`s?LE#>X{;uh%Mn^0Sh9K05XhhaEx0gLEt5usBQ>8ST*miz9_ z4D~mvfoJS-!|N=Mk*}-(#5}5X|G^h9*_c z%jK6{*YB2D^e++nq^witB*JLsqpAtEMX!uy(>S~x*E&}Am%PpEOv@?jLDI_QAcq~| z5#kXd7>?@?v46mg8^#N1jTvAW6SYZU3ni8ZrnFu!&VPKD&NC1ybla7>rfSdT| zGa~k3IVnYahJTKRS_hMKfufXq9Z?30(ueK!{(@VHs!teJHozaW4ZZv)SI_@$RD{Lj4`q@ zt2CGmokcjRx;cskg%qmm1tAN6Af%}VRfsI@G?%vO4E}b=y3J#e&M6+KL zw*w1-?t|g1n>oUwwpW7fq*lyy4zGq(!SWMZflbN^!paO#b7C zd41zJK4Q9|clfVJu8e0jss-#;1#j{zOtq28g&Q-kY+})-jj^r5r|{(K5)JwC-1Ivk z`BjOy^1N!81S%`N)F&NQDj;^GD}K%PVN`85$eof5q|20vtLkc!Oo|nUSBZ{qE9;Q@bAFk?jwgIWFPj6*;YB@@@m#rQZPmwK7|A`CJWR03ScK~|k#^QXF+D1@?6^Euq8M=e&}=wkw;}4Xw5>_CqFX|>8e6>>7Itcv=Q1l^ zUvCU`G*feHP`*uZUWkB$oRFwx%>mh?wRNEvowc(3`@Lx9aWPtFMXBxzzlg#HD08u? zIcM_2*B}h=Ghq=&3cHYQYs5!tumRqb>AAxVC7~jEg=(#|Fb*Fy565AAmxGBl#8-q~ z)POiHyNE#`F!1eK+h3oG>kA7D3I6FjMSTwDi;mSnvm%Uz^VA@Jy_m!8r1g0VQ9-aKq_1!M|10-xxG&(P|BHBa+tNn)V^IOT>}I;TMi-|%%Ozat9h;4h zOp%3*$&R<=8V{9Ram#oT*oX<-90Gl6eJ!n+qS$bI2~b`Tod1t@mB0|Q`{s3H|HD6g z+1_H{B!sn^KtNno!{QfLIE;m3#mHUx|l%$Jv$_e^2C>m+dOmEF_RocbALR) zyp^`x9Q5CP;{n7Z?a&w@{vc)9qOpRayUzX=<%iF1hrhkCjSceWHmCy6RT0T%8cuDM zP!ufFKlS$J_?*+YN65x76d7bUb)pp?yF4A~^Fcn| zmA{<5Su;z-LM>_!rh{fUF_?4K@A&4#@2Zsbbl2R)wBQlO0S4aD|$$k z--LqF`s&q(A_58d&mi}r=qFxF#b=Y}3U&8?eBgjwsI?nzKPv(-`7LV@@+CXljlV&HqBnDX{Rxa(lBD8IOr{mCYkpzQ5MhEw2Ath zNrZ31^3ijlgj8;|$SQmQ(kcH>qz*&QDYE zvt7DU*^l3p$bb{0?oG>pyyFnK9bber?+cVsfF(ZGCps?P>kvV{gaBVg&qh zHI*~@?)T$K{kns!-T@Y=)%92wfN2<#aN{76W(Z?(f%gh+$Wnh8<@Q#3czw|yp?w$N zXw)1+)jsW2CwXFjb0?BZ4fwYl8v*MfS+C6T{>xxaqF6-Xi({9Y)q!{%R}1?8rX$}Q zx$5uhsW>7%1wWd9V}=t_xcwrdocTbG`Cl1;V}CQSWE@h@$}eI|w43Zs@EM5rryR*EVg5OY3ct)la(_Y25v{1>UEHGHIusVBp&X9_at0enHAei?ii)| z=_hRe|E3h4Grx8*so!A%Z?om!=F){WU>2I)Nn-&xx@yzm_RPIGQYFc?=?_meIi;TDO z`AMTuYVzqE_wX%7pQV0bw`K9Fl3#W{Yo1JMpgDUC z_4UlAblfej=ePDc+Pe0bl>1})IolfrfR|}FXM59kjozMzo6dX z@Lz`z67=~tCGMzZIi&`bnTAV7h!p#%T@Crn=?bUMun4~g+Kxe zM!(`E0&jmp&i#?5zru^3gB+{hoK%|YhJJrp364eZQzGwO5-akHcO-<6H&M@^?zbtu zVPKH{RoJZZA8;Y}y0_MMjBEaK$f-`t*Ju71Iv;!pu(LmcqzwPIeeBr64P;8Lq}%26 zeJv3t0--nN7NeH}=ge#OllLQEcLUM&d73tE_9Qy&0ef9C*hw%aD%THoYgoo6O=KO& z);F3xpFb4<9=m@WkP%!O6AwRAO_PEPqiwYC1~FRgj4@*3ruf1?ybP}0_e?h%e&GavIzH0!iRFe6lsSWwq z>0eb5rT?_8ym;`%nTvwtWjc|Qz%H*+cYHD3_+Yq_NBS>4H7<&WC9tNb;(V8AvHpz# z3btr9o+%bE=JXtpZWM#DMkA1Ek@)?T?&oU6a6epA6@z&-vI zHj^&%sgs$&hOQ7fLtBZGG15S8=S{Sh*=*sGc%r$!1N^3tkiCP8s?(f!eWR|bjuQ*; zg-8Ku=9p&&0e`=ImVSJCGcm-CxugzygPB)bYwriatM^L zbJ?-2OX#X6d~INajRK_AeIIkY#Q+^=u)VfBDt6blZ63Gb+_m|87At#=2L zp;7&B^q+$+`}tO;2H(8lPTc#JZ^}lKiiqI!GHk{^`zI>H=2w94oNltk=FUU^Nl~cc zU%V6iSHJ&}2uw493}&rT7~J_#)5_O%eFjHa^wCWE6(z`fZ|?^~=ZQWrlA-WC(O==O zcHoCMxUiBGq5iHs3^i=;{l(cbu@8n?AAGZywD(_LlBxv!Y+}T;s3rpLK2xsRY38K; ziB4Gi!u5Y7T^pX8=wzQDoVNx4hAsTQXU!2OaRQz(uAhS2ig~7B z^xr@MT^qFgE9ymV%6|Ng#0flB9ZW=>Y5a`>1L-cjo4MsP`pxl&5hCNO>cmJKx_g^3 zA!^F{WR>iLQ!VS&@Lf&VsIv@9gWkZ`TKz&~QIYJ~_Z?YLFZ-FF&UH6WLM|HFEgRpq zp1|B4I9QVPQEP_Tjj@vNUr*)<|3P*;49J4AL3gu!#_lgI1SS;Ma);g?$zXt*nRnz# zM+`1NNU*lm6%>5V!*?}izIJ0LOJH@Vcm?;dv{@xei*X)h*TZ*$X<&xjs}B8@6CbO% z^Yio9`EH9o6d))6pm(_vl&5yGgB4`0vrldjKs%t#`{#2-m1DnAqB zWx`*H)OI3D{6yo!&U^S@+(zGT`MnQg-6RxcHB@uEcPr5oUyC{C<}cOj<@aTkRH5II zOlSWEN1sh0j+b!sHrAN`lJulL^V@~X9Y=%XGy}PwWA{NpNQghb;&E;K$8KL@=Y?xB zMN|Y_J|CM4+j$L0Emc?*>?q6r+*PBgfnkU$0tAgy84<03h=+FtqUMtX3dHLX=|k6@R+S-GL2-x z`*gmEadCP;hA1g6jG`Mj1dg&@;c^pA6sIvC1pQAVI~)}~N&izA1S@qbj(_f{%fwk z$=RuQ1Kik{a}&Nf2r08KK60{~PI&`X6}5fsm%u+2WQXzsS4us;`C2%E_1G#e{wh?` z=*36*R%i+D)rud3nhGZ@|V!hJjZDkZw3;nOMm}9VmR4@`s8uq|D}#<7fo*=2cs@q`zo!7V5Fbdgnd>9` z<2R7+GrBMl0?6fJU%Uezi?p#n!NbGDqDahXKYPC^_R1+@^7wyuHuw5-32uVezKi=m z*stJwy_D*o4+4I^^||h%h7I2}eF(sQ;2^)#jk^NWN*3EO%(A?P0w$Whe_7S~Td<@;2Yn4pI1*)R& z^K-I3D0+N0cRZg6wi|LA&r@9JKPb6oR7S{?NNCpTTAC}54Sl^fEYs)4zQjyB*X@f? zs;d0F*PElz0h|R2nJ>gU@BU3?AdTsTJU%OYC~E3hM;S!>3wIJe(pIXEf#xGhntY}| z**emw)0oW_-_tH@-cB(;?oy>%p-8n17pQK==gswaOeweb2r?=YnWPcPWZu!y@#32; z=|SsmL^G-p$fvI(-_N#;Tzi6n{SE4GAG@)XOHy*Y0J< zTOru>C^wAVjf4&UpP}L3y$8!&hcw*#?+dNXHTVY&w@&taI~L{@ROLlI=_rA|K|o?+ zL^?@g7;?jVsWM}q=)_P3I;#e?9C7;;N3W`e5!9yyylGg{_`U5@}LKNj!m+r5o!oy}YGFm&5cHH52JW0lc&*-oWt8u{X2zV6Ucx@ zG5g$IsL<}TvMX`ojuYGKov#J<%=P^`65{xa`yYcef9Ch=A6(tLD{PSl(bDXKD4h&M z!V;b@&Qv+p_=Pe9+{wmHH6T?LhOSk|=6gR*24+WqJ7;9xQZ=j3}O;{o2(5C6IG zPbu-i>H|wjQq%N7t&2O7QuF=q?vzH2+|3lkK*OSfnkc&tM)4zFKQx(p+{RAv+bNx~ zPwV~E)&o9`Mx(;a*etuH|BtWlfM&bz7q3#Zs2VLbtJEm9x1#p0U3>4nx1jc@O|7E# z7PYt5-YY^;)GA_x5-LRgzxKWNzR!K{^Zd`r`JL~PoaF1X_h)(0w@q~0+YV&^y@7@! z6Znlgr>p+`j^`FC^?-J6ujkJbu@CNi)c8zaZRgKCq*$>*R3!+p>eBh4j zHiZ)BQsNH;r`;Uw@Z8&B;3!%iPieEa*)G<78nAyL3?Og>d9i}lObR0<0uTrk_%z!c z?(SyCoF_acR}2xwl=|9MMJVEfFdM2hmM?jDNX^69<-iCO(oPkv&IAfEfIAG?QB$dACu^} zrT)9tXBy_?0|}A)(*x4h8VSBXyyG8nhf7@dwt(?en3G!$=X zr>e1Q&>J7O$dm{Jfd=wp;(cPQkC7tkn7MZsGAI^4-jbJ+I}7P&w5qYqsxwLwA=lhu zl8LuH57`Zw{!&Wx!+!XbEUrRH^?jaU+UUFD{6evNdGB3{U4kDQ?v<(MSsJXu9P|Ly zH!OPbEs9};!zRKmBI{M_@p^g>bB+SGqlAvGr!{=Nlt|<2D-cXTRa`;ydN(g1Qk@Zp zcN-3Gj; zKF3bp8|5~sn)NI|ezSf*I{y`(G!Vdu(BYPyL`Blh7QqXKE8Sd0KDF5Ac|wwHxpa zYb`&7@y~Ted2^(^hrA z*919yjhp`ZS?8$dewyrWiDd5ht?_Qlw;-H)U@y`$G~UL6je3M#D2kQjb~Q}SDCmka zdGsgYpl2#jjGI#%ykFyE3Mrj<5>C}wY!~abKYu$K1@AGIqPmB1Uqx_nHwbBqk-+kDnQZ=N(Rco&_!n7!j^s^V z)iV#jUQ^1XRlIqF_nAE>hW=W5_MzgVwL=4x!WTM$wse#tCwLxREM0!_He#~3U^STU z4LTLs)8Cl@4Yt~+P7LzanJ!1uJu#G6lWueeQ9BEO3Mq7T5ROLrSEhMAj9@>PQj>NpM(tre;OM z`TXtx-g7v@2fi5AgPzTxY>s%~?)u3N!g#Q{vZ>N@yOpyB;iGz!{oRzEX``N3^7R>V zvxo|ps@~x4iUho-U;Jy#_j>dF{}+gs$gU0_GsvLIzhv$e(ai4PaJPIi_~cX^ zwWfOQ$!;5zH1+6Il;}sW#`6Xj1QU@{v48aF4b#WW_u4(V+%)LaOn>67Xun)Xbh@+7 zV2R0jzMXhzR82v5bbrZQ13}cRZ)V+FB}&St%L9zmT-@h<8 zj!_MMWS1Qom+(nlA!u)eoqVynK-n#JT^zR|C-%w`+PcvVz)kuL!aD#5Asc{dNQW@) z@T9PK28Cl_-ux4{8yDRJjdE6B1?6h!Sa14G$>TZHyaoCAZ6&1 z7BsgzZa?C4>Tu7hk$aH|nHufgbRaIN3s44%kY9iKL)LAIMU@LwQgWZ zjSI+~_LvX&Hz>Rtls|RSjCYXE|3Zi7Jo0^L}i!qgdl^!ZBks2 z=&i@io3B}v+Xrz@>m%{;cRS>lCv8BOd=-CFL(6 z?Xpc5>zQWO)(HPd%KG3FlR?*Y(61>BBHssOBj4jRLgWnNTt@VD%jV;Qzzj(rG)?~!-RD)o-+F>?( zotL^Qo~kVDg(TO~2WoNxgwnp(=K~HD?yE6QWGumuJg$&*+c}c*_)B6SRlxbd39F(9 z1`{%Wk=fdQ!w^L!Q|y{-uf_3zT{oo*kd{L=JvJB4fyeZ;Lrn`SY8w+)|$k%5zT3-FS5@ovk{mh>csf8_H;)`k!SpT0u$A8l- zilwZ_K~*5=a*PQW5`g(Ho%1AV0)IdGT6;XUaQ#J~UQt~f58k$u8Q9Uw1Hly0$;IL> zWw01r%qSF9u^qfbi{u0o*Vo6Me0q4MBHh_l`k2L*B-Q&(?%NQzhmp9xZeMGQ-r&g1 zC)BAB%7&V+8ow}+;<9lK4Gh7Mkt@x-Xb;i_Z87<|oIMnIpfy%d&cO^DvIgnVGDq4p zBGorpvFWzdHuD1DeI+h|c-wC$`5Dm5P2aN%9+=ataplyoYD%2dtu=EA zXDun;ho_rr@0iJQe)2UKxqklz&MqMQjFXI4+CdtEhq0w`E7^mcYnkcY)?+g!HHFnz z4xb_4+LB8@@+JSg#+}4b5SshgPIhRjkzrE=LO|&VU+gC3ck1i9sA8#!w?5Sb!{REc z>_^{UK)KUr#U7I4#HfJw$C2e{ViKUt!AFoNpx#0RsJCzic1I~~l1SkSF$lrRi;jN? z7)Fk2R$_b z0(xLffhzS@_)Y$Ixr=XcKtmoOSOWOcm_l4?YU)fO3r1^Ne#%^G>ZIW{W89>YC$syH zK7>VwUkulJEF$E-Yd(Hh8@x{U+V`VoFbYpIuuFyeV&^Z=|JMwo1BWG9?< zkB$b9RyvYPRs7z_{}HHomWdUri+*J~nJl;Q zNscy}W6YHfF(-10J*LQUwj`Xs0Kw!|3tYV7-J!srDLkXu!U?L1K%M;x3rmKRJ0OGGe@5 z-PYy#Q#)JVAME(s8n@JR3V$rh1aUg{w<==~?0Wfg*02%}<7j9+FIy&VsEz!_T*kx_ zA<&`+5)nM>7np6q>}zLex({90G(*%}sumsWA(O9yLt5SbGza}b=wBb3{T*Sv9tf{?z27#wFq*ov0P)a$0 z*2cZIMt&U*ey>}U%e8G6(l$p9H!Qd4Eods5iF+5zKUhFI!|o~D!t_ONS8|B;_yM{)^K@IIm7&*2x=^J7@iv zK_7QR>h~-U-!>&5a0_j*tCmoGs{P%b{NOQ34G~Z=6g&&v#$$->uNnOr5=8|k)>k< zo|KJew=qh3#Wm#OII34x+D?OqEUD+`sE4-Dkqs4st(x-I&zfpK!31DE6K>U*wFjZk z{_~Q50Id9?+D8#3*KQ2xb|dF4@%o!8cT(Zsi5Ou3t}^8LH@YYtuE9MtF%iqv6mMA7 zd!6qM?bgVW5D${l$3(~6c$s!}?RZ6M{gKD1YW&UM@1Yn z^|s-ypuHZ73AB~w?4z@=oA1IsBthXf89J4k?4OKOH;%p7ogtZ>ZF*-Se5-ec zOs&}=h8?)n&AE3GwjBrGW0G=K3pE~lIo|e5Fav>|lE{hS|9wplSjix|=03 zNE&LByQ%Rxx3z%mu<{?p{-2NGAQ_Z&-(`MC;fOQa4Sh`&ReG)U=)0|+dU({Si5^cL zUjxBT&-1JN!5Z+Q{yP2Y!)qJ+X1vv=ak8=s+jRoJyN!k4rugZe7m+=F3`uHi#CPb& z8x%hDwAYw}HM6mqaUL#q_VCwJC3R4ag-t~2N!uAn^fcCJ%*rS2P$zKJcZ)8*fiw^N z5Ni&bc5XOS`tAYvmG^b4XszIX<@tX@R+A9kNHG#@329jR2-GXey>jl?G)d(vs<Y5r_sIJorf_glVj{p0$Ipyn69Am#=^ zE_QFQUXoFTXN}E-!yya2q{_;|`unouPX{6}%`YhL!K-8;G=Y?>YB-rHcd8J&EoEME zkIvM28Tn@yNa_WU-bstLfmSGY^qp6Dv9&YSx#Ir`<3In$u;u1G_#B}Ye{tJvy~>LI zxwzd~hwKf#sUsv<6%pFaek|PwP>=Vz?6P4`2%K zVqCy>*>9Dk8Hzus^cC9v5}N=!L_2MDnzlCh`8S+$KV{ROn{y8^GfLE$dZJVP^MQNKC1qry z=4h=^a`R)n#^`hkEV-X1&%Ory4%}o%^50h55!aN;JE^lmGNx8hoZP!;37i{Tn^3F4I9ss%37v_s6foj+w7=#J`>cz400*kr1%yHFDlbIHjA% zYmZ|@7peNUn9qv!U6|EH$?1Eu-4wVV|bY~b$;F7e`p1oIVkkJRa(=Ub^?hRVHAhZxBVu;LDitYD~^_A=Ji zlS~WVp@;lpqxv|Kvp-%1`PO;d=8Lc_-~9App*7MRS1Q1qS0lHboKL6jsEVohV`AZ+ z6C2XoNN-K{gi^(1jj+t+LcOLFt@0TA-<KRLs&GVnb5!f0Am(4_vP*u(@5T2eUSNT2BOJWMA!2; z&4VxlamW$#0*D{UPBr*fn$RjG{yqKi9p5i|9y_yVzGYnOj$HW4mZ9R5tVc+y;!G4v zv{&s0K8UK%V>AK>vF#Vx7rU5@-EhPYmj$s_xlDNW?HQmm4ttPO44tya$w$PSW{_P! z_FwaJjRIyD+B{FcTTOnc8~t%>{zE(Q?9|d(6~C3kW%0bS=%kQ9`1Qwh59IqkLV&$r z&hQ;X0NYSt%hRzy0)67Z0l`|*E(eio9{(pXuhK~(kCGeJ1=9Q$c?j{vxf+=G?d(6o z)BN2OnwJjsUAyWuI07+g>4b>Lg?KhDa&agBWb6-T#r@IFrkw9lTe|;F){>%%UGi?^ zOAIwUxW%pH#RZIL6-9k7HhaC5o@9>(0QE$*=CE1YfUNFC9qN+4y^KEb1Q}ZTU7e&3 zt)aqv&fEWB43duA&{m=4MK$Oz69+eg6_qbPA@j4>duHVW=h1xDAVew<`OZ$~JMFjY z??~#>?iJHx=uC?BmIOMZao}I#pu9FlZy8~^Ki1;s)XCploEjU&#zbp1Ig@%|Ruut@ zC1Z6dBd5<<-ukG%?_*;$6XJ*SpwxPxEzUEt$ayb21SF+9dtVmf@>uR)1sDH^%QcDM zzV#JWZ`V<({C5uIZ;D7|(5dm9WnPURSJ7JY3!t3!9{a7}dOOFc!{Fh(CABr=)NQ-y zAhM`K;=(n%NF9}3iVTgpBR&-_*Tq3B9aGEPurHn&ZFeZ8`yjL>kBs?t!0#8rv?mb` zrw{i(*CB*S`*@cOKVK=D6fLH!_;BhM?Nu2xCU?tz|C1vAPkTCCS;qZJClt6I#fNcZ zA|M=}TL&zni&u*QaU=@?gwYETGqlce20<10hKFwjV|D70aRaWeH|Xn>wf&02ZzcI~ zB7*hS>@+7O^z}PUwY6o;@<~~vGIqIVFJ4qN%to@#Q4R9*7R;AEW2e<9(ysv5W#xEEr0MA7;E5{4jk~50n!*FWU||v^WV~L>+X;BRS~q)F2^_CVU?a z-^elN+{x&}vVDWq*&Bl&uNn1mEbj6{hZ#tJNu1||PW95>h{fqrSO$+~r(@WXsgR!;%{pScoxvmdBB1|GY8@-VBYbO zb`<(06*pCPDUaV_PG?zh9_;)xa5>!E>>Oar3ftyLrb$?}(oor(W z-%(2TF;p+2c%bn)a@dz24(?w1)^FugOs&?e{4VfwNy#ArBJA83!F3-66NA`Lz5H90 zm2zK=qKhkxa@K>F7H+C4f#pXWPw8O>=q&6sk4Zbm1@Z!7sDQ){<3YZI;ywMjs8dZj zi)IQsz8A{1CImY+RMAMyNg_wW_I4Hw+S$5~wC6L^5mp(NmZSEzQcrxe`3-<>G;Abt zRagYDVZExv{ttowhKprovdFu^eQ^z!G}#PFFuLMEy#Dd)q0L~5IP~bznii0y;fZ(N zQNGp2cEOf(xy;b1$|;d;_BqapV#&0gb&G+28DUvPrI9gMGU$!T zS_Z<)RnL)psJxL1Gn(et2#C`n^52y6mlJn{t&77WoMP_k~3F&BZP*D7ul4R%% z4f=ZjRx+Y30%Tbz+i5MM=24PB$IHeCA1E%J(3q(#dN7b6a%xZ5$k*4VAtXAY@tp8f zpXD$SdyIZBVXB9t7zZAPgz^<*$ZsThbFjIK1K0V;#fn{MiE zScxhiw1dH=f;rConQ-3Q#+uhUDoSRs4@y#%-=w9@Nf5Ok-t)`4()3D);!$htl!yxP zXSm?QH?$7;`Gza#wN#@gP!3Y0fD-i#vNt#{>ptv>e_(rhACDZB@E4f<4+kW%D6pJb znFHCS20Or9Dn6(|kCaBN&>~e%@?+!;V|{H97qNHCJ`!My5RBO5#&}I~l1!?`N9g%V zG&rtAw;KVTfYp_S6zThg3=g7ZwTSKGNd9=IHc=~3rcMn#{}o`UW0)hfmm@vG^_qWl z{Cwg?EaPgYIZO2SAYvpUn0)lesjik(CNaf7+q3IEC3|l5dnIM+hg&R;fLD~>vUpx0 z#@UWmyl4qxEGiFDJf;3y z9@R|wj#3xb_|YRdQ^orRtyyI2JRhueF0MWOH5iC0Oq`q8fj%GK0F|m&ia+sdvplAX zYjYn=$V;#?PE>c3{d(DE->He2<=sd{2Tt}-moAPqXK1Z|tU{g4a(#E^VqV?u;&Fyp z2&VBG*PR#ta0A7X+f*AjW!A8$C+_pXkNN_Z=7!!(3lN?BOEzY9SF2MH5e{mT3!7?I z-5&4+Coh&V0b|o#!0*8YnLN6EjIg(w)cdfPx`-mdW<8g`5B6wAJit)xl8GurS5zRs zn3h?0vK8h<+j6!I3uOqZYHB3%)8D2EF{S0Lu%RSXfGXGq9Y|pP#Iz%PpZ8$d+Dkn^%=A2{LzW=4QbH2eE^U zu-D3;^X;3TU)Y(}0(tfEYMb=1=!0%fN*-cKJox)pK@^b-{}K&a!3B~%DL#v;EWKu( zr2;oxS3SBk$!1=t4lccPQ2gdWHROihcU*qf!Mn3&z4YSy0MmQja9_iGsRPTi?hY1^ zFZEDNCCUiwr*ODgRW`6^F*CSN_C>1l#Li)8dWR%FcpSJEzy2~0|^PDlYu~5^tL+U>{+)_SMANkw68i8 z-Q3(GQAt(ie^Z$=rZoHc;57mfG!Rwga;wzLx;n1zA1(%5I5*m9$gutwQ4TERi`v)$j$LEnCYnY*@x!Voq6^p(5+|R2AEuSm#K$78KyQ8^c@eXF44_P zY9m%6=DtcnGZy3=>C%(!95$b{nX(`@Hw%je_@SS)d)9!#AWGb+27O2s*%{w{fQ6u)J zOI^3eQ&I>0XBJg79oE-;Ry4%u-2^5r3#jCN?*|I-1t265^1Y1vsk|IB2@6`FoCGk~ z`8JBAKnB6%N&Ami37uZ-_iUI)%E8*)bKAqvbLt3!L*JU8Q>6Xv?ToOF+dE4tjKs&p z*qQuhR%DF+`-9^8{bVw^A>L2zlRtjiE}zmFz>-x+pP%D$bm|~po@nHgp-;|UzRP4U7Lj~j@FEwDRdbr3mR1VUL{-Tm3^wvh6xw(Q z`Z%?H7I;q`__AOo_T?mQR7}Z1W&S&Z`K(3L7=WGOk^3%|GJNojrB+Uh*x-{Um%0kk zc_(?PfZ8>DSgTV7*x11Z<+%e+n6U(%!2h170A4GIBK8Q*KF$Alc%$xdlPYZNfMR+! z)6^2AG$~#a3{4Aubn%t=Cf!~}NqM+o!y;{L-kBR3`e*~MM3s#OYBQ)RnJ7MIFjv{! zl=q9vamelI()G*YbC$@hLYR6Kaw76vSFeBtVRYq(K)y2A-{(rqs)p116_w1jyzpB3 z|Gjf+Rhn+>+N|xs;@JwLW|b*53j|NryD3 zX~m5S+WaPX_2{N3>%lP~f7xEl5?WykClnn>YLCrt+<1D7M-N>+K0y^SsK^t3`ueJA zxP81-&4T){4VkHtZ~4tk5oFHd1Ivu60>d#Y=B)uHa&xN5cfWZoFG2dxq>JZj&Zy>q zD(bsbRb;e}58i%VBVH@6O5-o~YmJD_AuX~`LvsQ=9{)dS zGSWYh&(VZVt3a}&$ECOlR4G(7OX7irg<@hx~%3)B)^>f@=s zxv}m}^Xx|jZ|8Xupi|;>9rXAfC!W_AL?_0id}tMxxaei3)DU<`&p@UE-*cE14B{*i z8^N<5N~|(TODKmQjw5Lj8$bS|;tkJ>c3PfpyGf1ufhwy#2WQu;eF**`_*(0(-)nqm z!W-I6+ganB5$W4`1uX^fs;krCFRdtGEPlr3?+auO`ioA6Xg<%KYm*tt5I^V9h}XWV ziU^l~#VU|;74~;Toknxi}^e~%Oz5hRSb6VW>HGr9J((6AMX+$U(OKXn-J^U;P(T%mc|HOupQw(__Hb1u!`Pnsa!Plt>!p(f3 zDAE_13p=i)X!oZY`lPjM7;wxlUhH=^BA8$?R3kCHfsD@0jKxuwzB|}bL82a4{uI~A zJg(*`rq`zW0AcpYiT(PEl*keqopK~jQM@*A(kzDsG$CyfD_xP=ATP(RAoG~UL;E#P zU<;(rg3gfZ0@*+DLwKVyu(t8B!@gb@(|GA9u1ruWUgFsHhZ!M5UUnStqBC0F7Uu-( zrMwDAQ^7g%yhmkLJG5A&_?li`SVPfY(;_XZIAv!}wKa^vGk4zX!$iKvMELGM>Uz{hpS zXJ{dRs!Im>Mg~!C$gihaK_EVro>SNvLumIs<~Hw(GPqz{nZn2xr<*$l1dVDTL%RZ{ zOSMxvWVf|JLtgI!P35IHuS>(f|070(aU9t4E*rCL$mXU^OK3e7^di1_yKxQpW!V-k zianiSUU$uO6_n(q_!27{Bl`jvF2drLSsG)P?b}83(wM^-OxUv)wFV#BnUKG)S7t$; zl)8-;t0TcBCYgEigNeoDZVH_xtjRMG0@57IY}W6nfrCx5Rtn}je`b5h&fF|b2{+pu=R@;Qd83hsvY$7bpj zreclbxu?5VtR(7s@yP450iQMIBzvFA2-TL)L@Bam2D_)FLT}oU_Ts3}HWzQvnMt~) z?x`lDL$Jo_nZ+JrrRhT&&%Pvuq!}=&?~7WvnxG;B@!q4EK*sNM}MZK zZo^@Ace`~3dH=f>;IE|JOC$l}lxC))BfUq0FBcw~fIWjy)OGY~p%B zv~7!e)cTNS>f2wQ5PW%1pq5r{Mf53~le(RyZ7~QIw$5I0c0Yt-u`x3hBRM`XKDOS;09mzBPr?fW{sxC3 z@88?8zJ%eFgTYKx_tsB*Sy)~aw3cULVB&Du4nL56NB-sRQ2uAPA=*T7*0_TM$NGkb zk)Idx;?frtp6KC2mAw&n=U~OVPW~C{qNrLHb=5=odHxgaIwc(w)iTJ%42p@b><6p^ z#nB|HE}rLDHp!A3T-x52%>X%}f|j0hB9@gqNREkd6q`SKHPW=*RZ=5?Ypt1xUaItv zC-L4#%nA7z7K*K|%xk}>Us6rv)prp|je0usOQ4R3 zBGgP7QtV?#w-{t{DuVY{{Dw|PN2+B?J=7-8+_D@BX3E^|Ta!w~282gAeX1+3A~Pu+ zX+oFWmMNsHu~n*<0tO44o4XS&+W`--eqptl(DjZ&_#JuFP+wf7rC!8CZmQYiBJeqF*M8%<0vT5M z9A*c7o z=GnIbTcluDH;rUz*~(sRhOiD)_>E8f+)^uwr;EO_WcCohkCQh_WkOQ{beIALjNdmI z3u)@*j5RGj(2`axyTY4J1{Vs^8&&F|T<)@k1%n~j<`abEo?BS+zOV5iIWiC-1OxBU zB9KW-iFz5hZcYMCo4@3n+q_z8wD+@c@EvevjN$h%!0r66WW1-mb5qL zrS!h6zXqynpZzu`Z0{Dhrj2IblDXrT_GsJYp!FfNX$~94!hWC!&*GEOx$El;qX2Q(kOOao*5fY`zEJwxn7JHP{fth{0sF>3ue=VugyGsd= zW%%&%LM{LFtE_6d&;DAU=IjIo9Z}#)Y zGr8j1JgkXuv3M&c!xr!oFiXw8yWuNC=*D*X+zNkP2RSa6Hq%M>-*(jq@4UXgJt^qH zy^|LpMrIVq<#%~!YkNC+As((b8g%_TBy<6t;71chKoB!i)aQ6#+UKB5DuGZuhUWzl|?kDbVd~{;4Ic@Y>M5q2X)5 zN2)$f=7UmTZ%}xz*&`19aT|zDo%z7?`_#g(tgIgHZ7JnXslr#g$T>fX+vNFS|85~H zN)Rf=vwrbcd{ZfC&CjWm;m)?`5S0>L;eir|NUm(Nf65gA@<6hs*Nuv8IRVtjR)1}b zJbzx;S^uc-2|ckaKxzf9;TWKR)d1_2-0KgH^;Z{G@VDH`kl|M8xhyRxc6o(^sVjQb zSJXY<6Dz_`Xv^|yG2r8E;L?+750tc>LYCUGu`l3Z3l{u6QUV1}IHITyMcwog$H8){ zZj9D0&b!kmHP5JG)QmL8qBK`6Mz7!}drY(r;&K$^kzsb^q}!RKzdF;lkj&%!EF%+T zIzji7ZPQ|xgdK-^IYkdD&p)+QM<$g7(ZpYpczHDiawF))t~{SZN4J+?<(44@o6vpK&V?-0?_+<}!e20pf005p=URGg~<*tUrqAk_jx{BUyPABOoPucEct{KzbI!K6-u&|bASy# zsc0^aeXey?F`yoo&`ij%&G)d#_Ce~5r-7ybZMsSYyv!gK#@CcD#-VM{glKBBo(BFZqUH=@C-bBCtR7;-SJ0_9TypzN%<=3K^MrO@)ueQcgkzqi}M^R4J2o*>7+x{2$Tr(rp!k1o&N+B2*d=AsS8m`Q~6?S!T1gmJwHo78I zPs?AhXm_W+J2wZ_G$J!SRtGJ4efa%`R+5~V@l>}r-&_Am2iP*|vcbXRu}nl;J`lH1B>8Yu?e4BHJkWE3YH#$7qT|R!N@e8`Gra>EgeVnfNoK&eBY+>Dg zL4h=>FysTFMIpgtZ1*l2HvCG-`ve8Jev3ia>02{kX2Sd-B`02KBPq<}aupfQ(Qeoi z1d&Kdccs@-G0(3_pPnh5Nzsgr!l$wK@H(JV&45t~=w~=(b=e$?`ZyiS#9l%=@%OVN z9#j$g6iWr62CCYV4{BjR362YiY&I!6=0619Xj|Tf1!Z--s2yseuBoYZum5(FwJZYZ z;^*OinH5rITt;oFIONqx0&$W+eUfuf$q}4kL>|D%zJTcWQmB_cedCHe%K6OjSf!k! zanC=&;ax{J`{Lf_w+g=_OL4*x#QcI{1|H&6RmVgx$62aTvz#!p&Z$E#kk0O|%%z{! z!ki{8esWGO6bivG{Zc4%y@p05^Eu3W>&EZ#SaUm^J9eMMgFTjOTBgA+%R#OG%SG;{ zn&ZR5knSb{EIWT7G?w&GRlSO!zk6_d$Fc<}=!K9dRKJQ&g}1Zb@e=|R1+gt|%0lEm zR2wUlj*2oFE}YeSZ3w6*EDFi3?Z!jV@2{kAhur)-9kJCiGnBMdjII_i4d%o0c9h>y z@4BRi_-uS0XN+HJR`HX$!_oEYwoB*DbCG5jrR$e_g0Gbmc<}Glcaqu!e4;0ET>j#c zy>+DmqsOKh!Yq}konlzdQE473?iTBhY^SIP8P_+|b1IVz)w3M?MQ`~7o(7{)60|Vl zbP?E!i*ujmJFKd9u-*}{a5zOi?OSTvircWFLwmx`uv~Ej7t9w{iv1IBEz&sUXI@@!*;@Y*;F_zB2IXc3>1gVxnn_Hd3oA8slay49KpA+xU(}*; zX#F!U*79dr5Nu;VT!OEFMG(hygyPq%wXN6nuPa#ps?N_|+V8_grY64ZBVq%8httn| z@#*IkMa2b}&iQHyBz2^iJ^Qh10 z1w@-diOuuH>uF-otL0QZ7$=43GJiNTar5{+D@@WoAS_-wVA{CG-{^q&DH|sE_YYwLm z1@Q>mtKFOQj&2xEZf*BZFx6pj3(z|CHn?#KUKn; zwII+Tgnuf60Mh?yIX(2Nd1wJ{iOii`jjD#>iOIrB#_1A|-xhewni~_)QgL*)L_i=B zbl#BP;0Lh=#vV7bqYIz@6`!8sz&FU;Y4a7$`+@UY6-yF+-akpo-7acx?pC>q>LrTB z`^oc?b=`IAho!o<=JNGtXK7AS;f+;;Lzc#iAfee>qXWRKB9sZ3FDerv(fROUEcWou zwcTr#1`8MAt|aj5;ddcBg7>3FNBw@rh@S$(JJo3Ag&%VXFk62|jGU;a>^~!I{`}M9 z=SQ&*eg_XCsrZr#3ngEc5{|`g=&E;$iAR)leF<-0(ueI!Ij(kP_~kTndK~iG_da@W zwSJLxHaTWy!Vq%Euwy|kD>+zIS-BOl1FSO&a-C=*$4+~n=DA1vp~AKKm!{~Uicjj< zWM2EX(z4+_BN?x~*DeD4&lcI|3qE0%FpV^o03(fHQkC$zG<14xYDGu))Ait{&*C0h z0ZXl$Kh#-#Rj4{t8UX~>*leaY(y?q4iO;n9+6+!ec+J8>CAq2D?=;a?kjcbro-;B` zsLDHC+E0HCa;yw$U!$owRDmu;h-*th7YxQ=djbAbMb7d3+Gy7um!({WH4N#ZM`A96 zk|Z5>#K0N0bM`@|IG^kh6wVze_WLw1r>#70{T=}TG?no5T&=i_h~F*@yYm~YvB2Kc?dnb4EbS+M0nNXDai{;Y7Hi^Yg|O z-Yz?hl+4DFKws$_YGy!0KGtJYW){V?;`ftSsaNx=RLR(WGI(}CSiA2~k`ES?ZO!g~ zwa`4b-~ii!q@hbD(RDXjlKbDYIWHRLn+{W=xKB933S!(9vw3duI6ugil{8anQ#hMC zXsmFLG%H_&?T)xA+Ve!e_&9}VXRoR7uJIo?i`ySctZ}w&dIR8ZlN72_^dtS~8nJ}@ z;3=gg9_#~(Zu)sBjkmBazt5TcoXCeAkBoiehk-K_={;`+kO0JHd@I`lyb0AYF8z)h z`{2=E!=p=41ir-{zr!M~;pdtsEH5A7pQ2syBIn%pyCL@le;#~*&33SM5iTQQ26|Upj#EZU9jl?hbSeH~?&8AH9 zQVg)mqxQxIc~$WHKA-t=fy6!!S_t`q#5!--UW;2%fdVepFMUeY9#$5(n6a1IsTmu{ zF+8GpUtS|7oFL`p_0XmBgrW=h&J_ePxj zqh9+|>3A7#i|^5-v*%VER(89WoFUuspfu>wxn|aa*U$x#449Ej(UM^{qG#iaTYGS6 z@3vM5m91p{`{)I0?wQbe4HB6gUVV<0Uw6y9Kihvow2H52%#kU*$kVqJ#a8cmJhwr) zWYI!Yk?3ZkWmKt&KnyrJfwVQjaOhxCso0W5S9j2jSc*V80Xa=#)TH8<{m$yH$r9E{ z2Vi#HH?Jwxj`+Yb-JT%K3)DeSUf}iAY{Hwr768akr`P!YMri@P?bHH)M_ey;_rY1? z#q)rrz(n4qh8ww!rc{J{NzKk&>cU2Bsz=+#R>EN<*}W*eCVxJc9t0y`oZ#T&OOYH? z;V6e;M6~@nF(bzwI)jhJNMWbsI&GZ(2?vXjK(HX21Dhvizfiu)B#=!E$Y(Bm{N+en ztU9-si}=()ZIPkxBNvq`@;-+oc-Y&ndyB^Jmz=*+yEl0Zd9Matao|&Og#tm-pq_lT zo*t4+BNL9hn{zFiG zWqK8RhlKrGdgvvylk8oWNV5ccK*$*r*#Z8j(lLo7>|W^0Pnwu)hL z67UJbujBY(?@;n$rmn5bW-3oD;fYaKr)Ns4XLc0}pTkPq%h&bT|D|;Gj|Mz(U$oI+ym-v%q);Ld`TlwO zle_KZ1TmzP;!>`?XzS=+IxDsry zfMTu)HPpOGKa$@o{7^y7QS-aPrqZK|NVQL?csM#RwFM_8bT8^GW~itO5F0-v02Qa0l(7^F#P((p%@_wX2$qhFzYQQPIFcB z|0(Z%$*q9LZt<4h21F0Uo!&@XC53l8=U6%{pBLr0=)#?4fT zLw#Ei)$P$S_Ttv^Iy~!dZd8I=vQAFa^pS+32N%}?=Z8BLJ0_dSCaViE4f_;8I>(^- z@Cnubqw252n*87JVcbGQ5F`{NmF|#c#9NV)l5P-?F6m|{2-4CG(%mqcNsgX$GhlSr z$gw@Q-{1H1JD%r0;IEB??T+(xz0UKzt}|LdN+cR4@JiDD$+dUtEoJr5C!D+61c)~n z=3HD}x`rf@`rYyo=U(r^D5Y%eK^efEnt=$_U~d+V3MzB5iZ@In?#%XG1zF z<#QUvvOU2>j|ZoCA-NJMY0%FXeKj<|%VDx7*KLzilh2Fse*v^88Gd(hPV;7Gi0LN{ zqmd#yaL@XH73q^l{X-)MliA86DVInlt@j!S`b+oC2BGSQzZRs_9g}F!3x?c%tWy@i zF1UHkcV!pTo}o!Jqu6oMgYisoJVtNP;OxQ2!H5?zMw$jchD&brVKYMU|Hu9$7k{WE ze?Ho<#`5|8ZZk{A$QZ!~`2)fIXiZI_0ubIP*E$=qN|csx(1utCh!6g?y^>Bf`M$sM zq-Xt!tVNQmbfK@|F=wrayFz~!?k5#rrsh#?XKpFLA2DFx#!C$|U2eNBM^wjhbohwg-JlM3+5V?yu9z)_a4BUACJXKflRPcxz|;Gc z4R7Mh145arc&ousZXhNN0BAQ_{>@>llei80rH-KDM0=^Nv+JhQ+K8rYbe&#{Jr4MK z!FO_cipf}*AgD9wF>k;yo}tHyH(PDi>nBS=T6QyMYj)s*Lgu;gapVcFU;k%dRv249 zyr`q&TllUm2cM)GQ^T0a@Q?z!UJ?PEMUPGV zB?@8EDgivF;jYg1xD&(l)X&B~8OazKJ&U!b=sseijQ*7wA7$$GO5`^WzOWPQ*lN|8 z!0&NzdMY$+p&l-|y6-xQTvOzJBP^W!9gX%V|F~CukfOMGV{%#KCaU5sOROH$cK%3w zNlM++^rmJig|~#w*T*lXwc|!sW-2Cb*F+GQq)_6P`j=EH)D4(+CwHykGo!ABpnpj= z)Bn$H6LzM`Fe?fe){v)J#Fq>6OsfsIpqeJZV!7Lb*>7orPxvA}Wd?@M;*~@=G)3q1 z2+|GwaEFoXni+ibSGN$aces&J_&{unnhIclI##42sO&HQ;^wynii>il2nUrImR9VP zR(SJae|k8r^(PI;(*oVp?wja>X^tN_z2y(sS2|m)gKKDLEUoWJW@lsWCct{2t^K;x zbBqljZzHx8LCiD_?(XYb8-g~LL{wtu)wfV=XQ-j)oqMDtrs?GjSsF7Lq3aS#_}=j! zFy=d{D#cPS|8CZBW@Czk@1?UnrH$ruLfF<&lJlj+<%3V^>Rqi^v@bbae*3B9^*R4x z%Wcs;^uZB$E01W|>BNM!Lbo}5;i!r99~Up_g{FZ#b&>-VapvSj0j4z?@Johpr5 z!$1eNh!c_8_!Vy}%l$FpW>d!ib<3M$0Za;xO|2uZc7SoSlj6N_D9Ue2S(V0hJ)A4z zziCo?l>$5rU9qbEy#0z*m_!Q>?E-%ZlCa}TPpQv0<;|Mff&t(GXKIhb`R-98U)=^D z8exPNSG%I3n9uxs;V&C$?)wX#zkt#;{~C{uf*=3 zISdqj=VM=9Y$D-$Xy0ncNal3EwU#FFOA%xU{FKViXS&3P~ zVdgz#RWILqUMP)1SKjaLQ4#DAasJN>Ag1*vq7k8mi9IBKXA9CXSeQ=0K8m{IkoR~r z6*HCqPOR(*Jx3*yPsiOHGPWg6>x^oCG|NJY#1^9KyaF@wuI<=OKV8B#R}5RRV*?-X z^({zB@qB;6P&OXFmj|c9E~gsmgThPZB6BQK=y_2N}ag`z(~{kPprWO z%#3)G!qt8#{b*4i3jf>l-QArh5|Q#ET{+Sg_Z~fv!$G(WP& zG~|8K0Cl-YjR&wDpPyIbpGu#8DRss829cOV#t)!+BsE{;ceEcnJID2x8|sVwrQ}~n z0O{R?j>F%cX%q&mE)@$NwJsxKz)NsQW~^>2d&?D&o$SmKZMhhhr&r^{#nXNv1YpT< zTH`Nyfx(!{J4Y*JAUzsU&-4ZnC9&$Ik}i^UDR~nKESe`XP$*mh3Hx<$S=8_O+&BBi z6YTSJf_EEH#e?jNv>e8hQ?VX~Wsm-;!uB9 ztEMi&U&iS>u?y{z0DnoR;rtwbHYlkE7`V1eoq_G(M%^%*}nEeNx9YecBd6uJ9 zJS9cpMNpq{Lg~>uIwd%{LI~I4t1|!v3#Vv62Uh7@e%Ui27!y^3&cDS;;m&5fl z7mByBfyuo0wW=1cARlfrDf3XXTDe(opTF_`_Q!(Cw#gU0TVeV}OIO3AAS=9RU9f&; z5rsMzb+6k-O*wx(D4UV&8P==HNgrR%`j+P59d5NOAPOO`=l`AoBJ2%OB&BEuQZ{OM_T&dd!+?Ax%*wbA;^25Q22~JC zdhJHK`v3(jgwF$s<%p1#24JPiy=NHA-R;R9)}QkPZI^7)qr;q?_j=MdX zT=@@s#>Bs3Gtt*2cZ6&I z$cV*uao)*I`}v{K;1&>i7feqPN^G(u5-siTFQG`zV}`zpfATmelX>M8-$B2^T*7(w zZ)Xm@jTa>|iPstFXbgSE!0Jgp$>zaP_wMNjcv?J?R5qv4$vaPk_2{x#eUM{&rpif2RqlUV_LW{8Y}_v(jR!T;ys|hDN@JpL*wgO0*fZqR*4_3) zakk!_iq8KnLtcq(=hqa2BaBSh1t0Gf0viw*x0V|@l2?~{dIIP`^93|XtSQOy-NIFE z32bz#cCmp)jQyP1P&ssEE6e!b=U*nK9q!@1lYSmtX$1@h4PL`OHue~6j#>u=j>l=5 zLIk4zvrA((x!vs@HmD~H1S*gSppn8zo|kO1cLo#gu;A6cEHvO5zFfex=)V^wekv8C zu4UAXK-~UvHkX@#hTbjvPVzC3#7JFvQ5Izjee=dozPECA&C2=H-K`aa=oq2HpgF(Y z-1J=KNIy2$d+B>|*zHVhIbzV?Puwkntk0rZ=X1UI{=shT3@%!y3={D^1%gu1ug0ts zZ1}f4N&?A?iH>{8he&EO5BZw2siN@;zu8dCLc&b{bJTvRSNQI=?m*?k#Fdep#S^u( zZ1~kGY~}0+;6of39bx8?iuneM{$1=uXFn0DMN&}wJK;T;j6q#7zcQ{o*X#zh6NETl zLtWto+gWojDvhZ58)ACjaxT!55m*Lvre!?(MfUfcOmyjoi@b842AqMhopmZsn+8|C zKvYY)A$qD81egj?OJOcMyBu4kB>*g&;9Zua-n3lJSa&F2S;_jPFWU;KnG|eVyl>N} zH$>S#kSK+tfUW^84tR;rY{o?~rNWJ5yB%NqR;lT!8+&pnY+KK$u>JMZ@&!edH>bNiDep_V-)#zQTn5HpfFP6$E#H?T6qf^P0)xvKPttVr^ znAm;&`cq%~>|rY(KvsO-4}*DHN7b;8|yjG~yE3P7hUMFE1* zOnrd=Z9a{;OdcCNZ|vM8$R{z0QQfR;?Z6i2-8Q9Us!&AQ)nz$QhlC3ad4|WW(K}+s z1Sx=9Y(#4Lj+Jy`UlX`bMvhIT?*SNVrc-F|3AM`fvY)+D3Vr7-nqv7jqO_Vd*|Zy%|DuUF zL)?tjgvytIoLcx7MlKOh=ILDgm{EAJ*B+{km+ zx02V`@{|>Ac^ksMb8@p1D3B4FXkmwvgkGulPc&d#Gz9uw%=4+>!Mw5*b9_; z?&HJic#|_{=M(VSFFWc&PRo%FAi$Bs+7~GryWrUVqwD*Fd)ifcL()(mif&#nRAO@f z6edpCR?pD&02SPA>Ugz^G7Ok2U=z&pxzUqM7m5M`Q;+}h(8=3lkMm*x)__dA%1BX0 zhN(N0$oza8*?e}fK*9U@zr1F#=`0@o*icg-J^ARx=miM zR(N+N@iO%<|9pEWe!7RK{%Tsvxd6qg8TzgMK%X!Bs_RQ*&z3H)HhAbBtn`qot`I@7 zbcd~2Dcu?~CT(=`@xOdufU11w;_B+Xf5PH*&@dDB!3@gD#&ysuIOCU{?$lDVb-F$Y&Go(;X-pAyeL0lO!}9#+fL3?NvyB8i(x%OMI}yt-yTW&e zuHf?+@X8kSN);G4sv<)D;5YE}i=PkSiX64M8VFQ%*EmmD24KP9&xec6#ZKNnsNIo# z4Hg$vW0mE23D9e#3qaJrt7RXB?fv%^y)I3#^61Zv9!ox$+Zm|o!Myt;BzR=)#EU}G zj{->R;sCzRyL33Rq$qnMj3xWQ%6I(HEmiQ9|KMIkGUrAJUGHJ&eujM#xBjnFAA_yw zd6cUOB9zuIFciB-tX-iW<*=~m4RcsT$EO1=p}0geYuDt)Uk(>>>=z({d@-P-ro>L^ z$7e`7EMrGSf*yY%(*+g38P*ZI zkHOwsNiml_g+rn7wTPVBx5i!=8OxE>Az){De;cUbfKN}=9s11f!tbrO$^UK0>Pr5W z>S`v11bVPK?nXHD8>$dn8w)x{omj~m0l=?#ji2l?Cv$-HCVf40guH}$^PbeTt??YS z4b{FV6Y*FdLvP<43C~yM7xOZpTEoAJWSoNPrjP$JK&`Ny(rBm&CbGldM^Kbom?iWp z2O>YbiIMc*_K)Tcp-{zgx6rWQd8p#wVJ-|*j&BZhV`iioDIHKy==azE2hb*M`0sCn zHK7SfV+X4##NDDB>&^i8oB?noHNHmykDrOKGr$fx51S8|jRWo+Bu!}J>j?-(MI0U= zI@nQL51Cf)R^f1U#NS`D0h$QONGWH5h-5A+c$R;r*rigP^$z)DuR#Mu@J_`UBWm>) zJf;q?nm6U%epmw&cn_I@jI{Kxk#r%Fr$5vmK?>E6sR``yWl@7H)TOwnG}BMxMdWur zm)%>yu$Igqo|y>Psk(ul%&bR$AHF2GJbFgDD!`wW?cj%L5bOx{mYTDho~)wq^@1Yw z`}z++FrOFO~@>z3uwWu^zqKrBepDoo1s@^F$)AeqOc^K^qlxBBxN zxYVrxKpUI?{rwFn1889$x|m*w(Ax+)*ui zAuAG`(}kT(&o%*qSuz4fduz@xwpL=5wNV4hlAnXvPT3w_@A#vSTkO)s;s5zd2rs+w z+fA1%&q?~<5EQCrcN&220HWpOX|GHPm&z^`Wz$Jvx?a1F^5BJxVp6U3fcn2T#m8V% z-$;ir8XGj4K5Sfc0o`66soIy7mzx3d45xm5ik|D{X^(kKpq-c&g z_Nl>E#0E#x35zgkF}{G01ES-u4ZUkuj%bPntVrT-Z08`ER~vqMdaoLnoXPj5D^%w$ z|93m;d*Roj3&FWQ{|b%Vvbj!a=!FE4KwU2$#rt@4)kPzKn<8xodzc%>ZCd=7wUN z+QOtm2h}0T$;l_3a&%{N=c#SSUHnQSJNcF|F9?1BvZ|vwFai8OC5X>qY7xoa6_6X) zgx$iv6Umql>8<4i7QwDe&*g3|Yyf{F!b35AwAUkU@8uJLj*e&~qj94lxOaZKxxwP@ ze6JOZefRH5*dvx}d%hPw33!zU+XAlRf3Hz2*HG`wj%BGk{@8sjM zlM`|{*g1A4TIMd6Kf?@-IV4v%-(r-`G!V za^YPcf)Lj)8_~BT>zkXWy|p}78`9Wb;6r(zkHJ#T`|QGyqbYpxKx@~4r#UQo6&Hb} zWy$b*FqB-if|^0B6zCW$`$hwg2Y|ZifRh#|PMS{o=$xn52Y}wc%@Kn?6L4`D#KGVi zc$$#~fXiN9T5V|U(D%>+wJS(b*clUWB|R!}Nlgv2+#H^3!}O)w&($WHh#$YMg5J2~ zE(2-BLjVW0v(QKfy*|R4b@kxwFV}^7Vr~el+AhTSEr-7>f5%ahL`Gg1cf72#SRf>% zWk)X7jsDp}2|%Soymoi2NV*KNCEJ_#;}lsrxy=BfkkjA-=N{m0GTVtOh#E(}W=8HW zwI(aXt00Rz{8I(32on>v{!_|&#LCTWcDg5riuz7jK+oG5!}AnUGll z^58SO`h+=`u8#4$?*dfpj$Cq&gq~YCbLyflDFV;r!tEBg{k@lS&CX|#Lw|*NO zWPkef^p*c2pP}=d4E2<-KQ7?74^)**?~SwIV67_7FRl(8gGH?cBjucTgHLEWnE9<> z0iIrmdZ`L7*At|0!1$AFU3Aq6n@AD#B)->pw|+x*T_g1T^T7BE``P**C@NudkPs}I zy0a!v)@3l**+yotTTMd;=1b={IDG(`t+S$=o0}t`oXyryp&b&nD!}^d8ca)3JmuTS zvjI{regM}UDMA?Z_}R*KPEhmOX+*y(6Y=4KXP}iy*q!8Q2gu2CP%gX1^6oLP62bu) zIQ|F>O0}+aKGW8&G=|MTOP_79aH@o`PsU&vrr7u$QuzE|%?vOqypyoT5L1TPk zV(-5b+Lw=)A#l;7U6J?t$$@#(bdt*;Yy#MHkry!a0_>xV#S1#6%)Ziw8Ywi8enwA0 z0N5HbShBoRj||-brvs{2K=}dc85-ICMR71Ml*mR?@pGhy)e+Ud|x}P%kO5)=8 z{kxroB4J#j#FO5^DMM$Qh1Lr=J%i>Ps@VtZwX}h8ae&)XK z;FZu#Qhu$gD*al?6i}^^-NzfNHT1gfs7dYV=e5rU2g{siCxS9L?|&!|J1i@||rLYd^OfZFwHd|2UWhSl2lSPKl|J&l**}n5M10 z1}1iySTiar?mQy_n~$5=OuDz|G{1-EZcEKo?qrM7IyF?>ZT07A{FDOe_}CKxvJVU7 zZ;;^LWV%qxHTGTjYx(|<>-l=?)nh?Xz>5=u6d4>;%J{WM!M?1@C97FS($2{6d?|#H z5&8Iy_q)lF+E-WF6a?P_C*PHJMUv zPJPy`WJl~N40PqS6hf}QRWJ(k2s4;31kj#`!}81#&*3Seq=7&iAg$ku6e+mCWm+%(dV&rNM_@3X_iXnb zgh7`BfVIJy`d_o0sub!GQ*Vt4Su}-YMjdnZfR+w8y|(sLcB{#Hm435t2D|Kgq(EE> z$iC8u0Dte5Z@9oe#hEBnR?WZUGOYeJSGRTVE9{`Lpk5&J>*>Jx!Avq>F>3U~T)&-m zTI_eulQmrsa^39t(z922+ZdcLVs`cQ5Q>$ob*W|J;VH^(%VkPtG3V5!wqx+VvB{hX zfOO>C@8(Srzg8mXUg_`!r&%}q42?*wo^o^~S?jcX9?PwNK>G(M8#`42?%}y&%PT~sM zF8b2LwqnrGP*T9py!s=VG=@bGfX_LG$FS)qm17$o%mcs*9y-;#V7q|7O&f%N zh&nEfXuVd*?*Vx1*owO7X>W5}3aP)X4~{7ch_imC4>$nqs@nR0zYDt8gt^%R=mlWN zfX_2Q!KpSZhU~BfdBGfmGKoP81E&!8H9+`UWqXSiG#qwHhpNZ1V7D5fD*fKchJM5` z=*y~-(&9&-_of{p>4YI8TT}Y;VvR}_h^rH%*X{s}ipdF*0Mv+*SI6BwXLzJ4o51P} zBgf)riJombpN%x`#?I4xoUHY_bpk7j(}}t~0(OY+Chth)%)|kC#80FdH`W5^8+VCfSW&Vdb47|=I{6@2YXrZPpn#A79kz5 zr9dL#HQiGoClQHdSSjBv8uH#u?5dR|RrNXZ>!&~Ii)VeM1p63m&Eg`$cADK>ZITt6 z8I#vtn$hY<t$nay!oj71T?0yY zon<%kjQN`HmOEAB@gUVv&Xeq38aB2Kc?C8*Vf)PtJ$@isp%jk9y6=1pFzQejf%phn zIGGPkQ&&Q7)I*+)+Ml9rtgYRs*Q|U&9tWF8mv>ZoV?TqDRvNwbglm-xj$b!%}#U^qo=0q+6-FRgIU#4Ex$v zRYOAqHMuc3Z2Mg7eNYg{!jF=0a=MsJ!q+S8B1>~-`gEvD5AbcJMxG0(WDBKk7yo2# z+{w<8RoGD@Bp0H?{SdA#;ODLSR`@sG4L{e7V@pNMC@J`WTvL=#!q=O7jw z>4apl2^4a&A4%*WM=X3@!{_{#pW>h~H>LXT*GT_->2h@VV_6}Wba4JNs-O_^*yNiw zm$UsxMa5719{XJTveU*H(&`IUrGz8`%-tol3A?Iu)^71V596!}F5l~#Brf-?i)!hg zZJ1n_^4u8girh`Z z{0~i|p{fhKhY;Z@2P^^O`(mA)Z_ZVe9X#4cza0PGG#Jv>(E&UINRk&V;h>|o?j!S} zY{|@xp*lk|l0R3@$bZl`3+zqZU*g|qCWQ?~*O|iz&CGJI&$8iLz2xM-8q9tu{?V{# zcQ)^9V$A=#HBz;^`!T@y9G^cJ5*&p4>^$x(CknOi-nX~xa%N(5n)%UQi9mQsARCts zojl`g?^-C$#DqFewe(odaJ||NBAQF83px-L<-YHR@X-6ZfE+C; z=`gRU^U?6#yKiuJg2xg%Pbz-I$HxN_W_H=qNxlNWnK9(kG>HQr;D-oV*l{p}c@WcHBaai!1 zj%94RPLl2H|03`fRd2(6zpA#jOZk>$peOE>D(H2Jg4x{wGywf?`PM?-7$BERSa`b?7e5tqQ=f+q%MjV5cT|)8KYH-Nv8*mi0j3UywS3d{~djF zcz~Y7p+5KY2`%w4w>{4h(JC)W-`5P2`0&RfDK6l}B&%yDF=z=SRMdWit*R z-kaUj4-nAI(&;75wfK`Gux%-%8yjs`y9?;MX)0b3kT7d_*Patp)fn^cT#Tj;E|z)! zZoIgprrPJgN4s+A507Hq&!{NN-TYC7R^1v~38C~TJaf5Lv5)o1;AMX*51G|(a#=mL z4KAa@uOcagDD>hCxg0BmsCe3L2(NKMe_5pR7pXGUfla>XS;9t_{BDsvWOQt+bIHpq z(dkv)v){w!5qC`~wMdpHMEJPVY>l3ajtWuj#kX3Woz753kF0+q2ql36Fb)rGBNwDao1~`Hn)l zO$JtmF-oc8(T+8I>l<|IcQMfXw%qT+h`XOTL2p6j?NuQmvJ>To?aOw0?XQ>bf4NZH zio=I9iLuAEVuiBd9aqsC95cDUKR4*t=(l4bm3ob-fJE1XiFRXBOsWDbZ&1gR8*^Dg zVqew8;fpBFO(fgchJL~whiifM#?{@U2YQAW=}}%2R-~ec)zR!dVoXnb7yu^ z#7zlI0&W@PK7O3*U`QUuD6`OeGCtGhC@5f(Tp0HG=(ToABNxrbA(6G7^2wf+H4Y%l z3JPmU4BBxFq-kdNS>wL_+!paM&u=RY36haZ5%cDJ^CpM&@xyl#Ev~%6$;BaJ!!=9Q zlw_Pj93Gz+Fn$+FUX8zBDD#+@YqCkWJZjBtQf~!OS-DT)sr%DUfz{PE>Ne3V>BsH6 z+JYMuNcEn5~K&> zdu3}GElNuS|;^jGCM6=i7dakE@rm zvzHW?y5YUg&5`7Fy=Q8glaQ=a%>+sxW00%0onj}$>5HL*190bk(u-5BTQkm-?l8L| zZ$ibwm=Q$>3is5K#Y*JnP?k;7aa@OCChR!!+6~^s=OI%n@*HFpAf+;aEaeed9 z(PN>fCo3iLu z(+Vi$l`;fkOEikS24EGUS&;GR8uy;-h=>S=H=Vam-J4u7T>}` zMpMG4>v?dfB~W2P92ZtU(l5lehDI4s(@h#VpBVN<+LkA0C52B}njeIW_@NF|GwD~@ z!n**)EtV-Y3@Pg|8=y6y;y*)1Vs>E*ZRPhQ0%hRcg0uMJcQlw=X!jBqYh9?C z`k#UVo1%`uk~7|KCw(XG_U$%qim4J+H8q9M2B~2Vky-RdnjShn;+opQ6H5Ag9EG4g zVSA5TN#9#STdtQ6l$oIm!Hn|SuL!Um43f&qu z4@SK{GrQlN>e5D0FJ!d;=CE+{MH}0+;}OI>Qiu^{Bx_xg%`8aMPk&%)O7?=5kx%?d z-aurouG;?7IUJc;hqv+=9I+a$N*18c=QpcS5;uqF1C4Wm7Ue8VJU#mCym%4K5p(eF z$@S^1%6Z`jJtBQ=lk*z%wNA%w*^alEsTANQ%EI%`#THa<%}9}|9~r`q2$Eg#f)5;| z@M+=$S^7{V6`E6Q>p*>ijA;oDjjq{7r;!0EZ{!ElX3 zgXj_vWB=ZndMD-wrRg1u+r$yiJ6T^Ac%&}?BKuvRzlYP-etY3ORMFU4uqgP0b10Gq z6haqp6^7aq=Ji>ZuhkaOuT)7B`8JHX3yX|213E9Mxj4Fi&&0R-3dcPH0M7k@<;|OK zK>O;CQ0(24xj6%%KbVDwC%X}0^mC57Czapw>y{CiW%hdQ;?K9fldv!=`hkGarRDbM zbO#Ban`Oe+Ld??+MuB&?mkh{|5?aSq>@+{6az@SjoHm znPImRD>g~V7{tgok;gV4!Bc$&4G)T%ml0pGx z?Dx~~aLa}K0L(SHq4*K~47|Kw1M44d;MATuRYrx_Cwuu)O;@+aQwlBr-+%Wmmwbt~ zGC@U&auWgiAV{h7i-(6-2xLog8Mum^owHRehZf{~I{?v;+WK5z}H8 zW$yULV}E`6B;vJQ&Aeh`?eu)BYL5PsjJdn)WhU)vJQ^<8{~#K>YIJrT zY@}vgTy+_D(9;7t!S>BGJsmp3e>E#XQVgra|Ig~J8G#TnHHpGp&0CMHeVN+5Cq%rY zri5K?`5AxyJ}=#u5t!YdoYc{%nlvXACPg$7-G9?LYw;>wIX7py?{vhVddP#Z*WYkg z_ltXEK=g>ZlXE}FXfk%3&AQYqO#74XfCUE zj74pAWm;Sj?9FS>e;CO?BvpzwO1*5%uO)W*O>R3V0A55^?L5!2$g!FUfSN> z>*sdGahZG1#djlee_K0-=Vs`eEM;5yqeLdB>$1ojuBgLM?tv8#8Hc%ZfMv*$-yOr6 zK7>C$&>DVvniQ2&j{}>C1#Z@_t1{#oMn=-W^Tr?-{dqWLtf#N%Ipxd2(idf3 zX9u2b5I`HEmO>wsQq4I1r$(k-X&9tZWIjC0Cm+|-b7Fpdy62?Z;PRsL%^OyaALr*C zJs(=(wFd~EAR>fG|F?(UoI`_VcQ?;~Qt>-brb%A!ySiNNuXbOO(<{Uo)K0{%nfcuO z+6j+{xe_1k={Y1Lqh6N}JA&P3&w#649!3eL`JQjTd)N66=&eYXjHT_b9X@DW>WUIJ zh66mcUSoiSo*oB)j^O1B1MW$Zmn2;aM;&lL$5c(NX}ev%^*c#Kj+7fatw2?!WZV)iMU@p4Jp7Fe z4fkD5dSzrPt9&oESD6qEKU^*0X4{{z!m%x&0x5;K?K%E2rl$Zil^7;j*_&3%{{4Fp zA0>gYf?o$Kt4Mzkk$6wMs^lR`*ZM23Q`^PUTSDrU+avI2z!74<)G{Rqs;aDvzC8p7 z(n|R7y7U}t)5Nf3IWXR%EXP>!Ks@X--7%UZt)5$PiksK|ZK~Oll~uQRCD}MQIF*nU zdXTHDf#%GXx7|iLoc6n+&i2;jW@mQ?3%=XM|GNxqr&k~e!aZlOLy28%Y}C148owR) zX|$z-avO#9n%)1rUY#_6mpSt5T`IsSOzLquI#>%^IdwZWlD?#Tk0n6typU+Q&3gXm zFMkb)sX%T(YBHrdGx;b*NmEyI_?8a5(-3vFY7o$wLr8uM0Oh04r@?$QEr_IFIx8YX z9Un*&dwL!b0+;tcd{Tc|LaHt}l$*ixC;;OD2j+8*C7;(XpAT(IUtWnE@zo>I9N|d+ z&1L^ zIRD=5?+;_-1lYkxC7Z+zgZC$}ih1_s>5%qRVs6bzdpgYV-SCJ@>h}l6X_= zb0<3r+Tw)TlxNDgl4LO>8fb%z5&6Hp(I1)>|0wRo51zBJ6fOK>DN;`T6Dy@lZ}vgA zIFH{DU(!>;fBs8!HY*EIda1|9U)5zp&goe)ZWAq1pC4e(*h15O&5|8~(M)Uu5(?)h zuQasWpYcFzsuivYsdEjqwA_LEJ?@cM=CUAn4GI`OF2VgqHLhP&e_#-;u8yRC!rMRl zg34nq`VH^TLy4fUu-(3sTy@5X7aD=7D=S|gFwoabO^^MaBqe<=C$Gean#`HlD|V_L z|76u`TUTSfr&8;&`NsQ7AlGEVkcFXrIcK;3%A|@>h^kZI| zWv@hr5-R5dR$(c$rLu*nMjMzYW^GTzai~%8W|~~%pnP;AS9oLZN(QUAq~nT7)i-%@ zvPg3Dl@U4DId-k3mf&$o>DU;!MG?VRrr>4fWN2Ew8}>;xf23KL#eOSX&@J3+7w$~V?IWAA=U>iDDHuOGjN<61T{})FwSlK1CFj2 zLXa=O&TgLqaH=v)rq&CXu085N-%tToS%n0RPiedXZ3yT5e8%{=xZxMcMuTIuZ)w43 zypHQl5X5mw_ApB#zo-D1=xM?@;B4-2nbj_dBVKctBM->fdJVSEeABE!H4CYJ!k_;` z?&l8=-v?aEr3&8)N?RyfbDvX_t!I9=e9PysOIE0y`Q0VCYjCQp83lo=8EK7>oA`|Z zCbJObIo%5Fs#iTm@3g0%CLh0~q3Pv`2ykibtE+4DNDZ7>uKCxh45Rh!Lfsj8E_MEW z6XahB;&lz&+XJBV^bEgEovJsxVt9C1nJ;#NoSne3?;S4@NxgMBXXO?_TvA<6CXivou(E%~MlVC@z-yhjbS_JNql5aZB**%$ z;=A~6ff*Upy)gBd7a&a`9W+4%QlqYCK# z=!67-dc-WicTql+l+;xNz}I+d=4I{^yyWQg_S-1A|Bs})sVPA~$XF;tT^1^*qa6{c zTUx-D{Qq|#FNb$DSZd5he8^;0GcTn!mO)M)1<``A&TbjMvu^r7vA-qEX8%}1wkefl zA9jZln)U9w11L4)K}KFykt7n`v7>Tbiro z3gudGxhMZ|e{?@};#J0+7q+5e3tGJWgs1I-P$qzRT}aLxmM3OQQr4Z2)B)W?imM(8$MO575yyIwj73pEo(6lCSW2Gd@k z#2$kGA|ayDb-MhH&hW7nlir`v;VXrEmDZ4ha`{7J*xgRbHmjSm zyfh`$fjRQkz$@B;72MOOUZ@J9VkhgBf|=zFz(4Tj&*T+<4(n5=j$2~bAa(W*Jj0n1 zU_eVId`^d>|(AOsINNued?rlYw0h zr1D$EZFrkL%m*{+HRx$pn#8E^Az1FUB8iyMOq;d`^GX1|hqu2Bc zHo9_UpjV5P2KJmbHvWK8OvJzbSNyQ&Z=M zOAE>$BBCSL=j|#1daC2$?{j&)9UGhAN9jgkZdL7=$D}MOU+oSItZI&L_MEP$tJtSD z0AtqPxP|fB!o2(5T)j=5`4T2d_#Q6d*NphPTcYEUMg*VTrk>-1MTOyj`^-{c?w>AC zgxT!hob|)y?%Iu^`zgMi*?9Qwi}?wRVJGG=podW;0C4g|Q=cFngc`*32XRS*6 z51C~SbV^4l=l~j!BV6a*yZb-|;qx(aqd%76pI@>vm8s4$vzO@%4XbBiWPDCcyh`Fk z=e6<-O?p7bTh#4AHVPQUEhC~tc&9U@65etpS|}J+oepzUUc^DM9KLm$?E$v&xiXM zUe6iE7vO_2XVI!lQ`7Y%^$l#`&2U?1tMEd8{5bB*mkuG<6`9LF){a-a$a4>O+iWP< zFC{g}rPsT1^zhGa2%?Gh*Rrz(k5@&|SW{40Q<9x7t%ZRx3AgPzi%D&ua8Xq31BgJS zy0zcXa7ZSO!cHBR-M4iz7iwLsNgd$){>eM$uuC~go>_-OJ@+lHXmXLx!dOZ=dZsPF zFw6ZO_UWLgsA&K9*0abYX05)wB;EZcv@`fE`44q6wcTlk$GPLHarj3~P%`1WRUx&K z!nf^=f1nlZ7tQx}TP>F6|Bf`vo_<%O!Jfa&aR0c8T*2Ee=%U*aUSJ4!`tMlKlo@4m z>;CG^bJe0jdjU_OHIl|O0_>NVO!yhDtDfQck}nQkrx zxKg3_Zt8Rdqv;z?&A})PC;=JQ4YoFXxb2L3RVZ&2lLftH;|HFl|BZqmhtsiOY5Pcf zBqd$Xc%u+UH6m~;YnslNejos;@*EYe+uqM9{GM~kI(;NlJz>u0^Fy-7FNLUd;m6~M-ma0wC5)G274tTlZ&tpN ziiovwkgBIKW;yIV$HkT8i9w?QB|SZ_`cH+3B&E;a15@FUij{-gyaI=jU%R>$qY@JS z0wyiP*^|3rs4<`!(^Ilk8cMekW|Z{tr;ww65s?hghi3D9qTDsc#oZ&ePJVLQMS4-^!H5ajW4s_?s4y6UcOQCjdacUhIrUtJ4W$ir zcX!896-n?1)gos{(-jp(e<7U9dvBKGlQ-zVA7e9pU*sM8?UNY++10jQSVlb6{;Zmp z+6VQRiz!&~12yESjhvVLwaI#0>e=Yjra%dY$_UUA(S_?APpmx8{Ko}Y|2Lf727yI2Y*Tp`CJ?k%y>>D;H%t?Ji8 zWLKp}C75MqUME(gn?fh#-g^w3dU{@qE}sq0jG|V^)?%4(W~#w1ZMhjLPbN2cp(Soi z@YGErgwOWV8%Pi!jYQw@EWML-;|;+kI6d+a>AF1N^R6cq@g`|@J$lVB#KxieRR^I< zT!Ki@?O7_fO+HAsOr5@{F$|7$0y<>3!3Et_#41&KI3Fj_tGDt#Uh51XLmf~P+v zB1t(=(&hV`YN6NtUfB9I^MBjtfO}bfAQeTn6{iKi>5zCOBb&jA)~egzhe_PHO@5V2 zH&(CkvO5^dh0GImRPc-h(wq)DamPL}@DRFfmnO&oKTx?Kbz}zer@tK-H`<@i?62%Z zVteu!;vu9U6-_t-wQE5W)zu|C+kW`!fYYa}t@6t((?{Ojz1Pm0F%jlr+jR43a4;G% zdNu^WN`g02KCLtNlbJM)8zSv&m^cOTRBKr~!D{A%YLN8IKOmJiz6 zB$Eo6%WM4$;GEhAf_?8=cTmDt(v7&G^36z&e2||0{nP=~iGX>{{->%McVh)Yd{_be z7TE`W7Bn?8V^}riuyEkBF{vO-!TQQK^1O`^C;H}{1$~X#FcmjVFhJqwez*f?U?6Uo z$=?`wrdjn!+w(pOgP1!3B!P*HT2dB8M}huz(PfmQdYRjOrYC3XCR03|b=~Jli!Rmgpy}^bjHy6K`MI1Z;U$3t?qbFg&No?Nez%67M@AuO z^tLix#+jQLLUSq2A%&r+!B~6A39v-{+WDWFwOFn4{S8&L+ifQAm9QcEzYq9X+ITl* z2R`i1=c?XvzdXkv<@C)CK*>sT<>qU4blR!a-XX;@-_8JeIm9FIJ?NPs>jSa; zU(OGxiIjpo^$IA^E8H(*krWnY6&7Q~FH4%}kmBQtGuF|QX8(3 zsWhYtj=s%K%RhWLk5OTf!TTeb`7_hUgrE)ONK(i_A|B{VCD(cC{QUoP8GBaSk2nI@EoXEc$dJ)t{aRK?a_)D;Zd zYnwU=YlYy&Jah_~Dhi&gzs*|>)l!My+9z9xxcBLW6|3%=%B&v_g}=xoY%GjcEM=jA zg4fCSQsvbe`Qc8_N_PU9mFpqSnhqa-0=(Xd%=~-Y`OOG?W)A` z!wzLvcb7Ir|7vHzTs8H=b{$TC%ytyd@}n%Rdfp1|fWK*1-eA;AF7$xq``I;h86*l>{`D@@@B*0<-PDz6g7JdkD$= zF6a>i4|`lQU-UUDTC07ZZtI8x%;&Fahd&)lBT@T+pu0=lee3IEW(}-YbgW;J2wHx= zJ!8%;EKCOcnguHXr^*!1!^X*4IS@g%(_NYWu2qIlrN(!GGR{!^Cmper(Zq>D9#rhx zY4dVIT%^G8Cwj9ye%u>h|2lN-d;X>2im>#=dYs9SMzwV#^rX#eLc7SKeY$FMo1h`A zFns+T%GulcIl?4g*I~W#oYK<#8uM(?B=nFdRpXtp*Ne`|lV$iF<82phxA4x^t7U9nCCZ13V@g5T&u%Ij8prX+ z1jq0Ya>PoHiaanh=CRb_mjaq)!&c28 zQ00O^^-gww#A#Hh8-zih{l!L{6B8(~TiphAul>PATfhA-_1X2!cBYO6%GMU%XLuvW zb5_B~v9XWsrx_x^GD#lt=TDROgPKah*%?cOPK-i^U|8M(91rg+=#-m%KA-0~Km01IBFPI_B@?+O`$I!&T1O2hr^HVi4~st#ayLM! ze&m0ll15+V5n(j!&M#9>t6oi3>`q-Q2M~hQjGbd`nd;yAQX+)J@Y5(+)FVA5g^Hl9@=EiQNyf^~Kf69Ejq z+Eb0q>KEMiQj+Fd?L>&YZteSrXKRb10iR?$F7bE7(#UNGJk+6%>Iffat4`Zy;2{zee*o z94nqBQ%0NSwSk(xlkV%KCk6T?Rr)m_rc|{GEh@9a#ik)%C@YCvOwexb-Qiyu;7mmVj1)gx&v(>Eq5 zuq!WqUL^T2Fq!%y{y^}al1)s$HvGH`vL~#$0hoVBTR!gAEKTw`K3f{~jj%mO^YhVC zOHU04&rT8L=EgzJ{0(|TVoj01Gma{7I}uc-j;3)1FGK_Deq?axV7!uvGeghth*b}| zP?=OL+nP80#ECy0Uus)W=X@bM5g&B_u8Vseg6iTz1}!mC6uivVOkRI%eXOWZx>eC; z9=InsLjbv2FtwO@bNUpEr`?btEIfSk2R)8=4a-ON;&^wB*3~7RBJv=WLqR!TO-@_k9ijtPr(08$D>cy-{hlJr0$gA1+F+3(WZr?bR9m@jqTY(Ajt;3*ZWz$K1eR2^g^zzoY?vsOT;JGmKbTf? zyG?ghZ-xkkV3Bs223%kBO2v>2v_x#jep|oyZvw@5MH`GA#BM4L4UIWqF2*g*uV-pX zbG71AF$;O{ILpx5?=werP?(6;qVsm6vS`TbUs9-GTxW-_-6I(RQE z5+RsdK&_pVmDO=^_pVw}X_TtG<s?kKcfSESL+#DE& zLuqQh|sMlu+w}wFd$Q^InBGFSl}db z8F}uU;d4nu=6?P#S8taICG@zG-&*q#>ZutOIs#2a7>DH;)cuc-Le1)yntGdHM8Ff$ z*n7Y*`qjSXF~Pxphwe63cUGMJ-(&3+-7DV(+ooW00;a8yOrKsQJq2KtBLKO{xWl*R z<^a`kvMf+h8@=XEJ>a2Ti*i7BORcwkBARFnvi6BzpN=nYGhfNPKzd^QYJgn;^5^tV zGkI>-Got66zVIlSy?YMW3vyx!MH%|hwsRCU9sZ>AwpP$MpyPE;4kG_N0y5J_j~?-Q z{oce9sH4`1zOss^joz*Ff>8)EMuMu{dSH3vxHIMa{o!tt^lz3{Y(V{>dn4RsW#`rL zHEASI&*Nn^V~y37FyOVk2I(rGZK9aeW%X+5zta1Bj|Ax*ITX5W*gJiy`n7D=E+JwC#TdEi5nTH4S?Ifz)GryZ9mmeO!jUS~sM0 z*6+JS#jLWThD_yrpns(5r=LRFUD?&>^=@2TA7mBxZ3kSj=oK7^wKjOZq%A(xNMt2! zdZVHFXayd>M;=D@bq@Bshr+ zxQa#V;T;9amjQr6L^)v7xPu1bi1&NEn2TSsCGK}hRzY2gYNmNV-rBRnDX|jn9J=I2 zJk?o(%iR8Z85|oq#VMS2d`gUII&lY~z$4IEBuO&&4sVU@y)ZElsqPmxA-}~jdiFN# z<6md-p3e9qUfH_c23mGFo(-;=Zs?5JxyoZ%{_M3q_4+P%BOJ6(j52|L~bMrB7gFL z=MsRGJI?G&AhD~~g|50)eNCnzg!=vPzo51Dmag53rg6 zXYl&^8sAP?RY%UjfsH1&s&~5(c(rziJPiv)rKM?tnsy&7W%lPP2#qF$Z8W$YrZJa5 zu`gigsI22ya)6CB@E6nUU$BE7cYr9@xPRYk!9-gwpb}S5I1M z>_PdyBs~#zR8k6wPytul(jv%+iAhCE{haXG*sc+D@Ql{5sA4-_LBz>R#C;w41iVJxtx9o({B-f-xxp`1@AM%Xi8jn=U@D3x@?t*G6rvue9LN;gnnvMIRI{~-* zAlg*zg34>uE0H_ouoDMC=M~c7!Wbzz zt{A&$e_=v(Wi3oJMV@}ssNuO=T9s~jiwD@N>vhd!$gAs5M@$C4SEXwnspJT4w+k)6 zo2>DUyzclAmT=Y^Y~WlraXmm%&~gV8udY8r&|jZZ)b>8fT;QbPb>B7ugloZ*_9TRc zt0SIChDKUIJ`WsigJHGmjy_coS-)~pd8^p4Yj*`!2kY&x-88QmXDmGYlMYG+MEjvA z9|L{j0O2Os)q~z20bR9BVHb9SG=ZAw1)lyrFb(3sMmnkV$zfx9MpzlKkycDeU3v7| z2=BE$2A1r$Wr4;~;*%P}Uh2&#=+_QD2@eBSqOo0P^-}a&ms&dR=Cj&%iJltD?8$*S z#Q1@C#_GKM`_Xi~=^1*}S7#S}qzw!*BY^^D7OsdNEpbEA80fIv1g z2Ly-nz3EFU4rb=^=>_D};d5Jqy_|6Hi2o2~@{w3kEIcrijuGTLFcacSnN6Yv+Ch}o zjL7rzKWc(9fkDA9@L&F>u9cO_RU6uimQ38@ey}x%&NZFhg(XKywZTsr>b7`ou^6?l z$y}FjT-jmyiXZL2gdTdZOnRXe#Q265Vei<-_vo{Sp|Umi}vVVL}(gP6loy#`u9bzwYGO4RZ& zpoYt<+=#fo(d4k^UegNv?2-%L0ZJGbqi(f7X`?6Kr%%DXhGOCrWeO~Reti?m#Ik-{ z$2j!5P;PJYT)@|9ln*CU=Ff3%+6ZUwH6fitrvb1d`nZGNEA7(8$nN zluTdg7qOPKtmlx8D7vtlx zk>o=DfLqtSLc-z0bhg>ht9VHlt<>##_a?O1@Og)S56<>|7ry zJy_mVwpKkMMOPOpCK?dPCIa0Exc0vCMd0m`^5G=*Mg2V%X~FE)r(OKPxdJ-4{NMKU6Db|JJCTB}ZS5aAA{5 z%E>%eiz6=`w<&(gTg}*X8M9Xp)8qXQ1YYX>xCNyIFJ1Qu{#-^)gn)(Xwmck`^$I$!dxOO<)iKFu zBZk)B;YAc2KIPV1d=mOD&N!>8y~12GTs#A2ENaA`;qkgiK{ueX{I}7Z+K(J{J;X@P z-(NEbz60$-;JKP!>&Gb=Me%glaf7B_%f}usSaC)ESrI{jb^ZL8CRVgkCPGY)!-ktC zkQ~PMg|2mLQLWR-41l`mq=YI|bVFM1G%Kf1Yj{44W8Efb1KIF<>tOUu2vlm9sLV`JB4V{x7a zZB#7+U`t$XjT3NY1nt!rtMcU8^^219B2zy^L<}O%thWp2GIDEv&31X!P2Yg`1r9#` zdpGk!Jqz?K=_};&hRsJE^Oluu8HGRJMFvNIGdk)}TIndRC1y>LjU<}Cxk4HS9C7i<8v%y}cL{5{_m_vta3u&O~_ox|pInB>9v6DLHng`E8LO0!O~wI-tR|Aa3@maJw*G(9- zV}{e%hM~2Yq2v0ifO)$OSXp*QQ``kB=@@;HBz+U5s->FEeyUbH&YJ1E z^fJy7yG`Y0tEiue1dR#*uAWo7L|8JFdwmHP@dYwb)Eu5boN+fvR>5!EetpiIc+z3| zgYZY-(O%0Fj`ls3s0(P!@Gi6>WsoH zl`?*R{lWL}L5SS&MW*Ho`Z7Evhi=a?{mf_FB9}7$NQHlWsd3l>E!;F~o%5;5%iF!; zzHBY1nu9=#&4-iCqKBz?2B~M^LNVDVVM=nc7ZtJQcEz{&CPJg_nua|&6|kH<`WeM` z{G^D>d`sW((@YA%Kkj#i3|jTDYWdk5-QO>1VVwN^a$Ka06GV`q}Dwn#*uqC=cJ&d zL`B2O$%s+=c@mNmR`V{TealP7hO=5RUX1%n-W$Bj(VKT*zEoBoL`O0V;2 zcL^8=)=YBMPK=$P+~$DF1SIg?<<^rJ&%Xm`WzSS zt&(VkbRyLkmz}hMFhoQtfB#>B!GXM8B~)Jo&-uA5Dopxux+>SY$BEC8owI$n1<7-K zzGJDojj@2UU=y|+hhBY*CuK7 zD8oG2@-BEcGq&@~>i{t8En>k@BatmNps=*mQLD}4Len(Ui>&_cLTW^K+xnN77%6um zB{g-+#btBL?V$`uS2urRQf7H9hW_A3t<$$`zHhB7lH^6YMhPcei{Pd4HHXvUSei!%p4Io*!;@! zyT86GA)iZV#qR3oWQ_+Fm%_gwRKVb``*g7#N7BySi^ zAN&MSOfG3lQ;-euS{a?Xr;`+cM(VPTB+lb9%gj)mHl|@iCKTHDAmog_;0TF5!hJ3f zw^N7;8hcY~X!A^+B)C1vRU3o?wt^xL=K-TGEt+kQ-m%j?Bhi1wO@$gS7PI)upq^pw z0CN6w2NT5_^AlAoS!#|xI;yB0I|cNdFbc(aV{7+mkc zkJZ~7VYcujDj5(;Lwx?IuGB1*N+**XeI1-NJAfxKc{?{h3m+x6guI&ite7CEJR@Vw+3 zNn;BbH|l3Kyk-R*ZY@YctQ=;;*3;ZCU&_6f zQHn4l{QGza18H$Wf-w+aD(vz8dkDeVn;aw)*$S3}G9~R!vt%>YbI79a>{-t$T3h5~ zAhZEf2~>5qD+4>vCA@@}K~>rs=UG?M2h4_Ks)S>2KBE<lMHH9t zPho|qJc%i^ilqwkLt-c7U7fN>Ur_RwkVs**U~gxH$=KwfyG6L}vCAax%yMKzHkki% z>E9)=lA0lkeQC+|GLn;5!2dnuacilB9V-R#`ObxhGYw^*?<->s@q$Ss)*V!I^gey` z&A5~Tr|)FdGo^j`z7jE7E;DU2N6>s03+q+()iv`jAeWEOtKQ`wLQmB}rYFu99d zm5_JV+m-}v1Ocs|Zxk*#J(S~)-K3`o7G}fYUw3?_kt`Ehz=r6P2R}O>eW|&c8P?H9>5EFLhqA=pb@t!(6AzJkRofQ2}3_rM;a1T5Jjy}{H1T;RIw!_ zBs3-7L)RYk(OKC5R~deG6e9Ef{kqSC=ZsA=u%!})Z7To$LZG1Na=)B^VEbHnL~Kj} zSba1sZ9jZ}|Nae$x^Llg;^z!f_{WU>?|DPTbU%6R`{jEIP?+@`o-nQmA6*`{QFVyu4|?>|ch3{P(EpyYr1gQRVC|4~LoDHEv*r@HiUBD^Un zDJm_cpriZp<;yc?O}C&vdRaGf)Ecw&?g>4Dn(L%YuX0Kmc0_(sFXb16nn-_k&%kSrIHC5Fzz8C z4AhMa!<;xfbW*6??m%32d%$Uf8$6$`b(y33_;K+?og|xrj<5-Uy5v*kL-~?dnKO*@ zf@}ENRY_@FQV0=fXvWv>bT86z7w>6RKPlT^MX5N907hu3UBNDF?<(T}crb3{wy``6 zs?jQr!rqi`*nwfRye0wzyA8WjxPl_Lwm5(9{7lV=*zat`!EW~~`4f4_w*W&1RaNMx z$+g9g_1*U}inEhz-ko6tNjh$eliufQD{33gE{*N5oa2I-kI)FOh~9G{w&<#X4T8km zGP~K$X5~k@ogFJj*Tg>UXSTD|xzZmR;jkOQlj{eEnG`eoB`!5!6VaXXHsb!!tS5Ah zDekBvwyFNO_3AhE>RTx(`=yK7I(N^1lC}SyqgIH4{mGY!8tIa{u&A)T@8dtB0Tl#n zPH|7*_f(W2mKfG|*1sG4Hu{Ga$*|d9@|q1IGpBK-kBuQ%b2IE1!%VP5%LSu#D_r3m zIdtgZz2S%h2Jr*z9_eJQVlnasR@(WqxwAvb0mFo{QeRw;=RMXD9isj_iMpowpZylS}kO;%BKJj+87 z;tD*rqLXJ^B+M{fUC%kYr7064?p2lFlwRON4b!_WJQ`|$q#d2QbW=;kcxD~6V9B5J zxQr^)v6zzw$%Q@c(t;MxPVa> zfbo*|3(zJB9(Rb$R~gX)G8}BNza@g%(xEl017RecBP0pGW$_Q&!#zOs$na(u}dU5!PmkhR>PcwD{D&u$}YHk20cw6y8qbi^>x;?^%Kajg3`P5C-| zGNrJh!u5w`BGo=Oaoukae2JQoQ8Z%2Dkxch%8H79ktm#`M-J+LwHvkb1r>cPer&j7 ziy&i|+R4nRp)fErsdV*zwB2yj?=x5SfEd_y5er$nSfSk$s&x5~ zM1R-4I+7t&GQ9AADw_YTZNT>JC9gZn`}MB_k&j%$->$(ic}&j#uDEf_ zE=tOV<1Y98mHH%qA%O;ajPG2(!x!}1dK6Fn`DVDG%So9XDCXg=Gd;w z&$!4={SI?>gZg<;%5%=yMECH&>M*8Y{TVra{;{ShoUU}e1$R(RI=5mmGlDbr#B^@8YGs-5LGR*a5I3dM4$ z;Z7DJFEqjEBo!y7e`r##A1OvC$V9{&n=Yuz^B`&?S_HB8Z4lj?H-}%0wzs^E;i&JB z*Oj(1m9{E2)qLQC&!AH-6z{MG@`_i~;cryE($6f*y>Y8BR3)cIr0(6|vI;hjSHtPc zSuwiL*{zHE#!RV*NskeF4E+%j%!jvEMAeQ0Td)V7=;hO!jLDUMC?Gbm$9_lRycCAD z?ta<*?85=t@Dl;^{wliP2LpMhakEW&x( zC-BF%Hzt`Np_-06H5?v89Czpgu=?YJdInbKooDAqE95b9-nd{$PiNQLh%9Xai4d$_ zKyKI9Dx#t0DffBswy-g?upqK+IzfS`QBnNoP)`iApAs9hU3!oM!Oq2Wtq`f?Yi9Gu ze#?^4^I#i}O1YT@RS~UWycCj$a<@Y_!MMC;1)URhg!zSvmXFW6rK3Bz)U^Fx3q7KP z#)iD3;wIuG#OSQHZYY1+@A4djD3l+|zf%nLP$yIl*l}ys%s57*-qX#+PEw+dbaIfmNrpHv z0UuwvcuG5$Bt8wjKkW%eH*m#@qP^QQJ&&d8HeH`$nB#h(xS@E-ny0p{g7QtxcNoR@ zf>k;9wj78#L~f@~A(; zO8-28b`1|XVzZb?_wv1+O$6Zl#8M(o&ycX`b{?01bc_CBj4XBY7&F(O6e02+!|RN2Wui*NQi z1c}5@>!i#iaC0B!R-$%}H&eDiNV&`Iu;gtp5s>mtx;UBUf-yV%@hS~8xWNw@ykx~d z`t%B02*o-=)Iv|a(m=iH(6yX6%8Z3^$lu>z!%kF#CPAqZ6KA9UAn5t+VF*71w$KNU zoQ6U=tN!d-!>S^b8_E>LQ-#MDA=}zi>~CS-L^<(ML(W%xjbudC@i(;d-+$@p{rP4L zFQUH4eP^39qYi&>`W<8ZTrT)Z>CdR7x1544SBtIN$)T%M4ufi6XGx?UWh-U`IdX+g zrvGdocGyRa33JUn6%~<{t7I}&27%VyccGw-lwDEnO{plCQG(v_48@V5m_qa;bP8Y_OW23I`Ze zt?d*OSW^FUxajo0eGG=K?(Ph~qM#To9xQ%|TR_BIUsisVqG3khkW+cE_`YSXt`qt_ zKr%N)ho#OYOGqTd&MF0dckD*R$}!H~>UrU>Gl7kV+VvxVb$AZOG<53khX2U#mA2Yz z+(C&~70)19&mITVcV-D)zO5*Oh-MX{Lc|asxg#d$V=mMg;vg|0`ROC%lS+E8h|w*$ z;OHQnw!M@fHHt?VRn zlRKP#308D!rn@>KWld666yUzB=B3xNk)re-f+G8Yn}2mTN-@}AXTFiY3jre(0(3ZaVi^B~DuVbhbRto{5X6Sbx2@PrqRIRfBfszA1tE_qG>9 z(2Y0J1A{ZskZ>4{(ric}HiB5Fyl?QlH{V&yM+7dH3sjV9?#71hY2)JsxfE78oCo;m zusz&^dfD64^bW43=Y@IHb}Nh}>?SCMwSw3B{sS08^M>0-9B{8jgl|hfO)HlDT$!&6 z0wNbIX;KHb5=)@>`JY2^_ESP;$Z7a{6`P{B4hG)Rc397!EA|!FO^J8DRrJ=?9K{aW zXa0NB)ReWrDl5$8$yGfSf2~VPN;L`1D@hk1i!n|i!8WDQ>|@19`1;k5(ic;ecx2_h5j6zQ39$`URkbpD%cWz|R-KFDQIt$JOW$W3NXSe44fMd&9Tk?_qs zRig`&jQ5c4nij8jUmxO(%>6ct@|xNL)N>n9Za7#Xfr%L|qJRlua9Kk5OE%N|*DaBH zcr8=<0gde*-H|JQ9&uf5-5i^t+U5b zGg4md@pSM#{~wN4XFLLY{f+$ci+RiPzn7v>abA(M-u1}3bZ*gPL}!1S_Wn>;kPPjY z?2j}X4d6?RK`e{3mCBQa`&?buyR*8~E%7xA3-+2lVXy@VZBKH>=`5|RJ`%X-hnyPV zC8M5muJJO*Zj`Xu~F-#`SN;qU&0`ffUump4>Y-QkR}`aJGAm5#O}joPYEny&xS)HV`S z3)WLieSX`BEVauo<@ax24rRJyZYKP!*v0Z>_sJ(7F-hzA)rb1qEpF`T#x7|*bVjXq zSIBh7y=hs^$5XtublJd*-MF8ZZ&q!EMe7B(CV3dnld86~(v=BcRc_qPApLJN+-i0f z_1|nPoG$Re>ZD0>S(?d&CTf#w*>IsM2(zWE3H(by zELC(_L*vMT)LY9*6brn(Unhr#(kch<>Sm;VX9y!=?3 zhmRtQn?GMwnTz`;L_b-Sx*{H;s-c6_9ZCA&j0avKM0r!c32!V}RNA-)@e?71{O^M7 z=af6AXOPgf@JXP=RvlOG8(_tltHYe+G*G8`l>H2ZQWDykq2dNJdXK~lvBFA1Nad@U z3ucx;eQ&bU)3ey5q!@pH@j!nuy4fIT6RRAT4jdKep$B^DoL> zO_WGK4@W;c-q^b+{H?Swo+=?JIrTM~5Y zV16q@ODMoVbo}SfU~`kk-~EbdAhRfVsYF%?GBZ?dvUty^6;Oo9V!iEAc4K@jACo;z zQ1M9LqsG;RfJger*;!2d*P?fPBI=VC(o2?#BM392)3oBuN1IG#+wY^rkd-E50uuGG5StX|09jIYdw`d@x`SoFh; z?eq+ouIl=Q4>J86efkO)g8~=*mAPxigB2wO1-f)@VMR=qFo~Fr4k0=->}ogY?&Bm* zm}YU|tCgoLDmkTUqiJ`)N^2sTm;wJc*`dEH8W$a9ti&w#YTlCm5q?E{-3tf9OvJ0b zc}j-a54sbL3;{MSam*S_-vzuc_cVGo{PxMf0-8`(Q4iH;4ITdaR$Z+Tv9~-T?#syY z-f~(};z5R=A>sWI7<75-J|M?4NCp{7HM?3~g1^DemeG|>xoah#;j5fSbbA_s>+6Qd zNa@E%xOT2zeq!!2+p|B->#+%4cuwW0=s{Jci{0aNf5VXC5(k}3q2Ysk65#>GSEFUA zx6w_7+a(yu$L=<(?@2t6Nwnf9Tu z$ulkQIRx#=wbnqTnuu!h(r*!tQ;7a7I|6g@irLkScGE^#+I&m}y`446I)T-xOXa!A z9>ugN%+C5r_;}&?Itu77O2mK*&pV#{hDpanFEyIu4_OIzwka2b@QvyT;^ru=P(rty6ue^IT5`zM;$zoRS{>;u^!;Sp+3FmZ@G7eA?Wt&K0SCMkvnB_d7kJ?{|x63U*FmeC5IN6y->g97} zs_#9~H>D8j6h-hFe6OhdC8l`rjmoUGRMlf#4fKzSEZSxrs)NLssXwJs^69%EVZNka zP}g<|9FCoJ7u;_U9wXG1m0^pdtkKJA>G1kvZhZx{ z&y9Q4iX-OZfb`-LZ7-^Dm^~qw(6nO9E{D_lq2^2r`(W$L{p@(RpvHdZ^^*dwH@{uf9n80G;?|1Gt_ir#AjsI;PnPJsE3GjG!wr4Q|TK?VyL)>lo>`vG|f z*=3CtD6Q5Sm|+QtKVr`xIvFt zzTmc-kFl8$(Qjq?8G2}er9Vx8 zv*;;AR8Sgn6Hr(&`?`61Am57r3{TID@`i&R-t5m`lRryK+Z>MNZZV*VpkP5kCnsA#{VjSzpGO5YKtxi%n6#Bna*t!4lmqzwQjs9o40_fo=EU6!i9+u zHRwxgwte~sIi0zu-GPb((bW<53^xMW!Tw^no3*269iT`ld@B7>k6g-&md_RD7U<6n zvd=(&KgiSa)4v5>Y|7s&a&ajvDUtY5j#3v+p^y0bDe6lUu)VQkCMP21`My&Tqkn3! zMX~{IW9<&*X)tU&5`9f!_BAspiTBm>KQ|va>@B<3w8SQ+|~lV`mEqjsAx0< zj|=0K2<{!GFFB(1$>B_{rimHv1E(T*5SeHN26w9}__uK{gvybuznv}}Rpid@Vs8v= z4}|44<=cATi#cYz4?enkEt+!R*u%~arEcH5OQFs%L$Kd$(0JY!@#KOXbIoL9P`T|3 zX-{9H;ivMj9;}o$7ed`@d0Nce<<7AudYN~9FXG@g?J(oLv2Xk3+t{tUE(7K6iYKi> zlGhbQuv6qAm7;dxFN?LKdgMT`^Lau|XMMl;b=6wjj^*XOhXX}IXDr*;Y8>mz>A8i;gmG#h z@o`_?)2BmJC?aVEmJ!2{$`%OrZtu|E4S7ZjUc--5MZ$>U5& z0tm&aR!I9)#79@VjFHkEH#NLdNH}voh`Ecql2U$Qh9V|@Q5j;i(cmFWJ2>WE`p(?=j4R*{?C>VP+vTe z8^KDn!Bn1+KHd3E7pL%kWVXIEQsMP~x8Hx?xFF2B_}OOoyf5%}y5Ru5p(m#*k(4y8 zdnO5}2YF1OyNglfaLm2@%ug_#GePInx<@J495q7oH9_ zc8KN(83e%Ay|qe*jx%s7STYuNp=PfGW&Z#71^!0b5$Vzaow+G+-s4FUne11Cw47C2 z1uG3sUwP`Bvd2YTS_Id#4K}}a?U*J#l@tn^^9#5Vyl<7K2l+Jec~h()u{!Nbq<6nA zzt;HQ-)_E2%#hU}4~s9fYFs`@D;m8c{rCR?nLpp|>rE zt{z<_WILAhc_d5D%s3h;dT)68K0N-$&R4i_omW_b(Ovof*!u3Mrn>dbASxAm*^X%PZMq!W4-0)zmeB!tZ2-nqY-x! zR^T7bI(zT;*>8OwI_cnQFN+c42G^q{Ce_S`k{EpDc)s?XB(Mz>dpwuY9x*uWyE#XBO}eiaZ?AK=r@8M$ zPYS`q^#QCHIqR+IY#}AAecj{VlHF}QB;VdPX5ZP51DV~{ zzI$HJ>e0Qmy=K@NLNRc5>D2IN-=R#?k{UiiRpG%LDd9CfAu!RSB&bJ|?jK827~(Z| zqRYP#uw_+@@%vrTMuET*C|ecuz)d>)`u?^@!t`ZY)w}Fo848nMw7~i| zszNGqa*Z$aDgAi1`#v>NtBIrYP)4y-C>$g5Ugf{fS8~SHubq1UPd?1$gome&XEg0t z1pMXbm!S~C_ICX_BykCQ>2rMyrLS_#J(u(sd>5mgIO|bjsZ`bS8gB-s_>bmIPJt9=mIpEPSeXH)mU^lWd`n5vR%Ru|L8^utPRh zfx`GMH58ukkH;iiJ4t8rWB#7#XpL#7$nT|h^9?Bo$^|e+tf8-B1E^T~ltCyUlhwxl zNyKmEvynpos_0ejuS__Yazdc+O7HJEv}z`sEJlBDWwe3he3^BGimo3|C{MzPD*WSN z?CqG~aRBbVj2y0^l3(et_famIVm*0fbbY!hE&5g-C&YrXbH%mh79bTW!yB<;fw{KV zx~9mzA$ds=pOCkQ#9oFI_XEu#T+3>pL}Shk{4Le~8>yJVbwa+)`~QII|9rd0Gc|1h zfG{?q|3b7-XwNRp(!lJEfY}_fdR-=iX0}OLqk!dUNmtL`gFu2p_u59(P_5L!rL6lS z4R}JAew!IpFO}JG>ag0A&IXw-{h9QaW0))dU&~B-`5v&$6(vZg@U0QBAe09&;J;+& zMb%om3~W++$g4iQ@`}`Bwfj>C>p#AQD((JO;EF8NjdMq6+(qry(W&da+kGS}WPk#V z@hT0TrU+a~+K5Is>6zOEUi-iOsef6a4%N%v$(-#k&=)m9Qh?7P{BZ8Cp`pBhcRv5l zIq$Hv8_B(07kh<;o?hxgU^?EXsorR?xur8(-?e*stGS-$M*a(tbCF6vG}JcMSX668 zlJWRzZ|V(XlAv~BsnB>4rq?@4?AA6k7k_Q|qkGNcI3SPoUq4d`E`zHx$(E0xJ`xak zzx;Y@(lhr{wXo5*v#Q~9C&#={2$Sacc!QVhv56rk-$p^7c`vTEsM?Tk&s^YF&bqC8 zSejc+@~b#-7W*89ws&)gPw?{>zjwUb@vyXo$1JDnUv4vC5_q43Yp#|9#ZhW1)oj*> zcIO%jVHLIorP#-T|1{5})=lk(LHRm2(!`7F3?@sxvX7d@xF?yPIz~LIAp}rXNj6FO z7U+ihtB}}tUwNm9T;&c{di<(@$0l4R>z60J^c_OLq>h$cfgYa1lR${#w*LptxF-59QV8G*_3TnN?xB#W&@>Os^;D6Gc>S$`(qE8(s$b>)XsPKK$Mw~Tt! zj!Nbqu9C@ev)Z+ZW{1XCG#Jmd&A%$rJBG8(wH1iF`IUZPKRb|F+CY z=>FQ#t;K-QiGH)JpqTNS(6{KPe#Y5_7x4+xv%+f|0pY3tbvPm-++)O@YK_-&j9!_a zUr8Uxi9AWC+2+ejetfm_4>dN%vMBEk6`9ZX=;%r5-dm!ujtuV^~=`uRjZ^did=OPb+-Lt`< z$mLwQV0Xa^ISVy>+sbzsWCYOif!tj^U408lqWI_jP2WJiKl3@H@EO33>QLU?l4Z$U zZ^@iWpNmm^l8RInQ~rG`!a05^6bBR%G|G)p6QXSh&t1Czorlh*EY%K^d(=F7yUW8X zQKx`|wJcs~_qr8C(okM~oZ>(C{QrE{H5g2n0-O1#XfE;OOW4HgabJjeXH$$#E~S|a z1&^3P0rgUiS6c;5D^eL7JV6in6dcB<($vlX6_H7_T>l$G=g#ZKINy|cOJf7YC z9}C$hs{BxJ1h^O0$G~c*51*$=10`ZzZ6D1lNLgyxabDOgectOTDKw6mi4>t>fQLlQENv5Fnjr{2VC{2 zXWz@d=F=8CiT;gRQwXeBJKz~TltrcDDV8-L<8Dv?ao;ul0{y$xH?WNQt{`J?#}bzC zdJYp~m;d+E_`AuC;DXlJ$bzfgJ?j${EV>!I%{OSeEliigf zgq$a@%>M*BELbHm{^HkWU?@zKo$p*a=;5R!3T-J_pkL2^{`%Gh?!}-^V@4|$rbvcw zN%8J}5cs{Zt*EtCGg6Gm=YPE32)z?JRlLRSly86#yMk&JHhTqOuif+N5$W=ssi6}6ERZ%0^JhWV2+<MY-f(DhD*qIz zclq-|-JwY9+Vcd}XGRfq*G8xe<+ZV`8k!pjHk@dY-1RM*qz&$|gO?Q|b{lrzsJZ^< zwEyQ9FVIc(b7y8&zd_u!qXDUeZ@0SDTx^}s3OZMPducya{__3A5BU>EzS0WxzjPN% zcAxnOg6`3TX~}GCC3^(gP%HXb?W+y*Da-O3$cx)Rz*&U5s~Qjy>HnXJiTvMDpsHtQ z(s8}7wWN+bHw)EHYpiHn>}xBrayWOk+}G+0U-`yz;p1v5S+A4PMYQFyU6D22&HMf~ zkjb9PA;KatvzXIsnfdKMjqGNa!?_t5a&j5r^yEwC-{Q2rbflrw=Yp068!jLuW9w2z zZp2n~b%w19Fg&;F#M2OHW3&|eepsE44B@dOq}xvf2?I;VJAxnM|5xnyFz)L=F0j7m z<(PjxMT@lhulR&!xrkXd?u}rsl09$;{|4LrdQ>~x!^-ukAStX`Jv-K*@Ap$DMDFY% zBS=?9|4xGMlTWJ38#eeo{CnU)0`4T!A&~aCcwHpi3)7KVloLwF^PfHXpKmXa$QVV% zzcI?>RD;ue5;uq}XL-S=KZo_|MMh+;Uzs21(|aLlR?~7sF~a)SxmE6xU@PU?*2kc1 zExrex!sk@kUQ1&2D-;J0Mls%9hlF{ISXjMp|4md1ug*ACaPX{n1*~+~0HPmQ(Mzb- zw9>`vG2rnzzK~UHM1&Qbp3aL+A`WQO`DVi85+?L1-?Cj;(;)vc^0B3HYS5CR(#XSc zy{hqhQZM*U!hQ(6kYbYAcxFy@nB5s?>U{lwbr<~63d=>8@&f;H%1lx~Owc}{c-!{4& z6_T4qbzR^RzWb~3#lEgwnajIYuAeSV_j-qxPnfrrY8enHeRaTw$80Q_Ni|_!kTx() zBBkdGnFb(XL!~lC8)4)1Liae8mun-HD=x(TZj}9#bhr6Il-?CrV2vo1tlrC@>n*9A z&OaAQ|nu2$}QY58$4Yw!jemBRUahmLvyAf+Q_4*tI(q4~+sCFQUY zPi0lH%|G8nzQF%1NFWbQ+T^l?suM2lt|M5H=DnFocg8Y`VKit%*or44i(K99Z>-B1 zv4UJ~&OqigDFjB96iLr?Z@()4)x?LzX#uVQsza1c{aU(|Xd(Jwy+T!v?=kMaqSvXQ zdwC{0bMBjs+QDm^=BJOMPg#y)#1l1cZVb~$l@#hkoT({ilE=^pzK)Dmt z6dG}#za!xi<1XaMN(7)?(NEmv4}3&+JlPq3u)k#*1rYIBHw<+SHTW2+fH~-O()9J( zE>yte7&r&gLjcjk^OO`ZEVAbiY<~9%hg-u#8UMaENACF^3w@DK%r*2XS6z#|g*0zk z4ESoPBHP5FNi}^h|yM==G5*}-(J|L$&fadSLtB%g5R`7vQwmzzD zW;M%a--*!(q4wtvWEE&xV1c2fCYgB?!w9$g#y;!_VFNTSZoG}q%zjP!to53p=p*&8 zz;T_SKuBrDm_t>riNN(c9;p=8Dj-eh#s8|R+3l$6f}FaV(Fgym!!Hy_grzoTG!ukp zeTlMwMp_Gy1_pckA*(CNa@M%$+@P?;Y}qMG>LP*X-)TA$gum+)9EYMmIU8TP_~Fuo zX@T_U6rS~^o?h%$nA7mv3A>dI(a%RaOO3c@B-#xVAyomStl8o&c%q-R*VA9U=ni8A zbRsm5+*USfvyBZ5g10jKoVmWQ;()b}ie1Ur={~8z9k*UMvOSJc?%V>D3%gu$RV@1d zE=;@w^vq^oeE-<&%FHU}wCts7`iC-JE^;ylGBkhsl#*(mz%Mj-3@!L~xaV~-jAA+b zL&3Qt4h8n>@1<@x<+6YJYhg!79lrAvPr|66jzjbm_x^2y+?(88!nYKzwgtPgx@C!;PlKg)8Q#rpvX57%`lqT zUgy06Rns|0b6hz%8gYff$<&zBuehyQp5E&sHKSlpZoGVSUtjSNB-O_9*L<0dki57s+rUFod|`!lU?uaFi*6lmi1~RpqIXxmE+YU0Bje!>tr)_%GyzZ+yj6tyPM9>p2twBs8T#Nj<1BprCz8DBVIGC7Y6f)FkG3k{gTzr>71 zYBjeu!pPH+Sm@E^wJbdAW*x$Xy-iXHpiAEJH-U6QL7>ih)(_4NEHT$uk+|cN3!vaV zl;pL5IF^}&4Ap;mR3rD8!``2~oF7*`zvF2z_>4<+jmz&xiHkdrh_;l%59~Pd7j5-h zRqePBqmlyTO9m{+V@i=`B^@DK#=R3pRa=YT(jjdH)&a;=7C;^SuyBo|4lrQ zzh=-}-KPT7`o3J;d8~ES_h*Z*?*Q5WLA(VX<;~{mbo5^>#~8=U%s*yc;~d|htym|X z@S1EFz=Mk4M7W<;!EL^6*79PI#O13is~bq5(G%(KPJX|v6`*7~%L<0aubHPal6Qg> z$Uzc>osdWFU4r-fQQ*oziR<0p@2TSmXsmVbADcqjaNM$o(0oBki7Ox~yeIDIp>cP^ zvv`LcBvBqsAP9rFc@-ZiI61Ah(P{v+)Vy-br4uHR>lN@&3KG#Gr>X^k9bafEE`AsE zRqdm}TFU{@5fZ#K`Z&g7kVL`{2IR~~3&Hz*WlP4(5V|PM?!WXc?&l?R_yM!@vd!Qx z5njjHRaq=7UW~`z7wmAEZJf;Vo~EEcet2~S2`6%x_Y<$=3>XLFS;fwQ#>$Q3S-^u` zG2(VsnD>;f+lB?ztSogIz!vusn-eKyHeSKZs-K*aF2iLmqMci=y~AK0k#|E~*{G5nnSiqS!(D&9?)4P-MdJ{isbf-+aT+uFR`Lzxd0+cLD zVb3~GlHf3?hKug8kg2)tpY(onAfGE$!;{~93$(vf-Vk%$uP#Pz2l)n>eRTPTwXIF{ z(A=aJwsh&j{zF`&nHe_oYUX#}-R7BY z+Gqgxs|e2k1TC9^es@`jZJ0yU2(?}XRXVd4oNTNyH<0BtgFu{DCzwS8nPP6ir~!MS zOX7gi0IUtZ*j#P;NM*Od^@7^*RoyTX;3k@G>hMWla?Y>`bAL=%eU!0++nM=g>eFKu z5YvMcne71B$Z?zGwhuGP@d{?bpKrh@t$wzVrzPq0EiDw_FlJFJrkDw@g1G6M-@Wsa zpFt%42rftqFm^<@_lbBsI8Qu9DjQJ5j@98j~Dc9K8u_l@rC zFYw?A2=vn6W$>MlhKr!(@Mp|YZ&?FtHjVp9fpXrH4gs5zwokstg{<(y5UT?jkKUr4 ze;1V2a{K%{mvp~iA~MpkXjgkz?u!H9xv-Qbu@vO*YAbNnoCiA2-1i;TH!vDW^5nZA zZbcjXIJPV%$KoKMcz@gL^r74@J+V)FUL77w)O;y8s-VeB^M*hHpg~7U^mFnjy2z)u zADv?adPa51cIP*2f|WXSa$F~GYGt=xdR1`8#!<12#?+kR5?2#3tMxVs?{%)aia>Za zguj=y`q9^9JdG*J#IBeiG0;4~ zW#6-7+Jd4&o!t(5LYkDI8%#GBI`&W<-iq}Oqf*M(<}QqzxzTTDA6< z)z*9&AP^V}3~pWkjx8`u{LBpdSmw!bk?)a~@kVT^X{#s8?D4#H3>pm14BEJCI0JLN z`$6^Yhp8!`$qr~Ae1BwJ@63JQ#cmiNdX7^UBvFID>Q|V3CM=S>If+Z5OqM@COf+U8 z1>4ReP8ZjltFMhTjfQhaDCZ6ceYOGmP4Jc?1!my=M&x@+f;ED@Ufq#hHadD~4ty|n z2&i#e5HQ%UfG5c8(>^<4-EV)Ma`Kq;UG+(n>W>9%^XL4@#l!c2g6z*wCbO8A_ankN zK1Toy9=0}UclLO7VqePPP|-+u=UK&Dm{}=^>U^PZS$%v;$#_qv4>4wjJv?rX6YWnC zpL$Ei{x-moA7LFYcNG|rZ|AL%>#QB0Rgz%qNuy@8!pb6QyYsEpHLo!W7{#n0Q@?@9 zLCi2rInaaYlQFXK@W^AxZOnNhLWL8`NFwg{d@0CE#u4@d*v~Fi?|xz*E4Y~jn2o(Y zD7ofj;(Ce|F*85T*E|{yW%}u5I_-uQXq7Xz#Qgz3TKK7kBac@r>qPQPYn5~=SNh~t}W3{dhaDi!7p zto!3>e42(T(469w+|7F4PUs7n)j6o?oP5E=lQtZGlP#&oecFFb$?4(T$2=swTMbUQ zaE1C-oZPu!TKTLH;0#Lh%6yC#lwgu}k*^(S(B=!}&Gx+>uN4GrV5ypae?29$Tp-g4 z2|R9%u#~PnuD1s!bWTr%C_u)=B^idzn8Fg;r6EKP&{$dNEL}!>t!_52&9#>k8qNxC zqQ05IkAn)qqjb1^eg+3YYO2dxuvJW;`2)1ePaPGGgcPqtnua>q!Wz&8`QZz;l^P_m z`Zrhj-AEx%nt6i@JBR;K!qJvFN5DgGm*>Al*&^HP%Q9Je#WX%z=ED!f4kjIa0{7S1 zKnl0%6yg`TK<&VZ`6#^|L;0A$%8OQii=ee?m znKw6sh1P|M!^O9+DVBjjMR;5i04I-cPafXy|WFffaY zU0E@xUz9F2YGdSO^YMH$MrseCwe0v9$;Sz_J}Z+?A#Uvy#HEks9P!^2b>ZS!xDCfM zfCE{q_WQU_Ilz1S>Q|&V(hic;vAMdE2aV>7fSwl!6xe2Amf?BJWrNB7%p&oNX-{b; ze4J_)TA~J0fd2p7Aq4SoE4GtXmTuTAVAvRXFjqp_AJ#rXnpboI7OBwGOXd`Dod=!l zaY7L=V*Ms|-(+|M_1x}~rt(CdR^CHr2juA3=t5CJ&U^Qp`5Jy){1mMMqoYTQ(SB9f4+gShcsB0ADLmlX3kJ!{cvc1$YP0xd7p4LyxXER_AA&gqC!fR z591X|kbEA71)aqfqPJj_!MfTqj2Ev0;f32cgx0#Z8jSWN0&%k-{N&2?KGt|~p{2Td zmih79`wx-Np4|G`>bHl(=xTQY?EjPbK==o^yG+ z7p`N3Wpbkb?t-fX2D3THm0(};p$F*1X_yP55^P$2+`7BV@4K?1zsNZ&wlYUP)ebz? zHw(Hj_t1Q-cb{d7iu0@k=oxsE&T0Imd>n zky9RRzpG0$Qs>V;OeeSwnwiuwm|&S9u$TCIqd9r%a0eX09gpWh2YLL#O+a(1n4eV2 zgXTlDZMmmuOfQ#|lvFxRx@)9Axqx5`klAhne?J|ly&KMcAhN%OrV6=ut*ggVSO~H7FRB)uHS`N3^cF%MNqJ=%C#yk#nKC1l(?|O{(au zw;U^-lvwzoD-1nNds+TWn7QKs4GssS@Xmn%VTM=_C{&I|Gkw|;J&~GDX!lw;45?~5daSw1P8 z1M-k@88?CU27{@XJ^jfqLm!oX(Nx9x;(*EsE5~&;6>5c%7V~kR?$1+4F=lsZV6!?i zF2eUyhdj@{s#hDKQsb5OLOvt)nzX{ez^EO^ThesT2IgaaY#39xd`d9}2}!-I(L|0N zM*$;Yr#mx8ln31v+7k7>Yix~kv#usg+H!kVG9SlNvvzo<#p#FbS}%eo+z^(Hr_GL! zY#W9^!OaB!{>)>Vvk6EYJ-x_ip{A?4Jn~Uh0k#!rhI=2m>Ce(BpkN>Zvz$JiJRTTj z2O?QnL`=sfYHeZfn0jZpSahO~xRWi#H10+3@cgsYWVKD>HUVzg-N0|8X9v_Ob^zV6 z_Id${xD0Q*A;7))#A=^JBjCLLM?NdOS6e0=wc6e6bW6ArYu2*#!~7l@QAM*b<8~OL z24|nEFz1ZnfKl5*5qh$HYP6)qhU&!Ifuzwe2a!1P$% zy4XtuCSs@}9n)M^4(}zl*Z%myt0jZ$N=9z3wvF2t*+01=PGt_Rc4)bSwg5i!Ns~DX z3w+vVnFD}7IsB)w4LDO55O~A&>&7F%6{c_wkF}t%CJ*_}Qo|ZRSTOoB1JC#Gfehts z2OB@uXy&|_TBY{{K=bzg?-6;B+I@(pjh zpT?~?X}5k<{CcuAoybsP4)y6XqdhKQkn>3f#2FWkrIB-$&pat9XP|4rg+b@T;N&vh zwj2NmupRfR#z&klf(sgOhLJ3|^=o`_wLGDRW9@&C9lPg{#rJ1e-iz`HyVdaV{j58Q zOD3jn#ut&m%x{P4a{g7Euh<3>SN9ltZ_nHk^qyw}d6IIvgvxnt^hrL6SkdVZw5aHX zkse>MusM-uGrLY_rZ0yC29-3Z{O`!B2*q`sm=2@)CSB+j-GC?X>Kvc`g;af#VlQg4 zVh8$xF7>RuhU78;G!P!ILa{*}yEp-Yb~uh|GkPx5Jut(k!?LoaH)tlW%r_*qlP$2g1#s41zIhXs;X=?q zIn6h-d+^|a>$s^81!z!W>FSLej6d4iUhpYpmBvJX^)DRzHO~7KAmoGRJo@ivLI`}9 zCa!r9q&|+9{J6V*+S+PR&{{a`{j;#j`mn1jl0n#Q@w^O>SMkNfvNU36Tj;O)*X7c; zN_f4?7)6QY-FQ=aL?chCeY~=iGCFEd`}T5bg}v$5Cv1`PXfXV_DL+Ec=E2NXS!rcd={k;Mce@W7;0cwalzt6fo>;T&E?j zVh(nXwK4oVUSWQM`nAyMcJRe+9ylXC*19~ozlqXIy#+adZXjf2{uqEfqFF=R9B=&_ z$A*e~$cE)c&=xtUv7|NpqS2`wVVlVDll@TcqbSDc^w#tkHW$-r+5Z`L5j6ibq=y1D z>x(J-u>O4;&WZkf`K`0$vC-EffC8#%~?_fPTA58xuU9773U&UrjT^`IvZg3QSa1;plsdI(!PUJx#*diS_6=1DwljBxvjY}xP9OfhVd6If z7v8FC(B+5*@JsV%1_kIvQ(*;i7Op9cbaaz4+9Q0~hSUEUN-4KHbA7&>K4=skU2VN4V|0(tiW9z0F=Z6Kb6$W%7CBGYg5oQlY9R zoF!&j@iiB$sGfNPYRF5c`_|TYuVS4)hvIL{z5fo2dO{={47}%tk)kc+#ZzU>TA%zU zk;`)qOSBVAps8AhS>$m3om;W(!okMmJ@8d#;oB?jXR~5<*~i9!IPUq@;{%OS(-uY& z0k3XkJGLq5izOXC3OHbUXx4fjI5zAD9MX(LES&RT4hm1k=)G8ITFXWZqvXPG^25R% zZcSK*Z=Erlbjb(4>(7t6a^@BQU&=Ex3iq7ovvc*e1Dbes@w>qQD;MT#%LE+1N+ez;)J?8z4u6(#I6AYycMQJ(E zgeh;)(Wzol40DPWLCH{}WQa}}@z<_w;t9j3NB-%p4x%Lgs;x2Og)!C&hj`6*V@Eiu zh0PiiKrSJF>9(KJOc#-}>m!lp9Ee7CpKjU@;jD(rlC={ASj&7s!L27U{aJXm4Cgfz zjr^4oeMB?mtPghP$n(HSBTMQUFuG)E$Ot3sMjutH!wtjGE^tafE#C4ZWEJp7CjvG( z0OyFI@^E5=J=hGoC(ye8=XHO&C~I9^ov;QaRV-_`V|nxSGXWa8qj^P8JLl<6zzL3a z4Ur>mHM0G(FVyn$(cB)&0*DsxmL2xjpt`4%I(GcKnzdL7B0j}Izn_T}^ek9PKlYph~j2X49-g1i=cL3Cv4Rjl|412tn{=n%KcVl(CyS$Z)Y zQ;t~dRu{JIcWGQL=GPTW!Y~S%hPCj>MY&4Eq)!=5yRVUsFx_jpK86l|+}T-Rj;Qfs z=*$WDOt4I1vodGl5H2mg{wVK8KFaqRCuHZ2+{uykYdz@d`aHksQ}Z7)5&|^ zjbo-N?-~DT|8Zb!p<4cX;cZ-WS-{&4`!^<*4}t_-wq-jrQF7oR(UA$_6_SVRv`|o-Y|nONZ&HE9_B5&z(1>$t z!;dio%6Eb%!<-2@<2%f@yB;0?+xO3kPa_SHZx1zbg)V+gQ{Zojct~@FSo_H+uqj2tT_>9#D{(V&=tQ`BIy75`l7T5g(MURVC9`5Wy zzP#F3e^)AI%a2~_I?#ju_p% z6bjvHGj-UKzs^~dUrgJjeC$n_lNnS#(sIPm%}URH&bLIl>s>8zkKqX`*6X0;SW*} zVQ7~*`?nq#=~-w6PO>=!?{xyJa~z+~OUqvbK0r3=Sn`;2!asTC(@*1EVR?A3O~c68 zV%Zl?i@|B3$~~=4*Q0M#-+T-!cyekmTAh`^eNbvr$K#03>;tMsu0Jm@Sq-EsWoc$S z5Oy4MIs-c_aB_I2J@o&ex?;s=Vu0+Fl!GiXRRB?KgM8$%8qm0wP38$TVti;2oWief zY3;W$_thLf{NfCd6vKJQr9S}l_a^=so%)0`7a~)8qXiiIikzROC7*fsF)S57g@a4V zo3FfASXE0kxvcDSFZcOcB_OwQ<~99A7torlbl{{uI!{*T{oG4_g+pZ7qrIn~*a%yt7*fkS}wf-i(Dx*;yKbx!rVyT5A z>-cUDGEu%iTb7Eo4>{EGf5FbL+mXWy zvNIEJe4MIuvkrtb%z0B~2NJ#_t)QBmBEb*${IPR?@k_(VEm(~?)=yl9C5#zaNv#ZK8<5} zVo#S1Iq-XETz{3x-2G8hbfV(YN`}}1AQ&5lX_mMb9-^U{upsSh?dKOlXQtxwFVqC? ze0tzn9lsK;kq4VdaniV7xk-uJ#yj|DCjOHv5{H>JOK5|ZJf4*x8Pf8w8rsa*IJ#jr zJrY>WZh)-8_$1BU$enayhTaX66MgVz^i2V4fd z{FD=)!yb6MXZz7DplsRg2!@3NSyA7mtwUjN)J)~Tn-CBP3pu(BJCX9f+Q8C!Q|rXW z8^P0X=;-EwWij%zGg>wxUJWTX<4HQKA7pm71G zjOuG@QrLZ(LZzQCftRtEIlU_ilRJ59rDHQn!AAB|r7Gd`i(1&l-+f>H&c2d+q=LIZ-7QFq#(>xyrF!&{GJ5 zS=Pa0mlnJ{FoP@$0+CzSZCj7W&}x_fAbahGZL0zbp$XhOIncR}fYC1Yu!7sQ02(4S zT@Ljo_HxW(AAflVK(G?4(BAW$$uxp2OMb{BPY{liKVSj{1DWtE+A?_0zBM1)3^Dz4 zpcm@u>4w*R9apJ*k4MET{b&691IgSnd+=4n%hc4KbN)clNsq5Xa?%|zZ2&z*|Dqc> zIsE=o^b@TF0j>2Yk=8g(Z0nw&9O3SeA11>FxkRS--tFaGZ1b7x$(+oY|4GCu!h=XU zrlz4S+s(X7TQ3f$94fXbK?Nxbi8F!Ue&j20(NDW0%Rs?Pangb-P(nd&9a`fH`n3){ zSq>o1QB&KiU}0Aa#}f9}V;t^47Y8+HAJTqiFk-ObI_wtPk1+*9ZLgr zAP{!J#(9*QwHcJ)aPM?CjX$ZwM|!hT_Ka{QDmuUdK-ACjWMnB;r5R1c@#b`O`uwy2 zF_|5y$n3W(nFQi;bY5Mjeo$)Gb`fyeWk42PJEm@{>+tTsLy_AT0k+?tUkb>KcG;)s zBOGOLIH%te4j8NGySv*k47?FPM!pM?I0CGUmA!1_`ua%>cz2dcz^IW9eu^*pEaP{@ z4B~Zh8(6bU@2T}hK)`Xz+4w%uo1GrRv(PLEGpw$iTrnoXZf{65F8_hg1E(X*^46K1 z;+7fW7a|e7OVb{M%D|jyst}n`-#h^F=AfVsJwCO<$^cZ+anIA{F%?W5)ekeFr+&V> zk%*m55$#13)9K}(7MJ+n1V+o7>=Y=gILROHi%4uYTH_{?)qqUExa*QU`Th6rR`)NQ zrL7ZFol%D(?B7JOxp}+0nvK|Rd;@WL&LxLK0B$d_8^=o$?t|JBR5&k#K8ps3jg_0C z=Oux6ZQX&}?M#&n(_QTeI{ufVK5mv3CT^AySJp7w-0Qqtmu~uAVKHs8BSDoxz1~FP zdMq?2*1U44o>l4wu(A}OX`eY#<4IJ>&idx0z?H57BDmtJRPJ$ke-gq(^&N*&2xgYW3&0=e)M+T6+6i!8}QuPVQ@d*-*wD4bmm? z8CS&#n{YF!^MK}U`!(^;dWj|a6>$Jhy~RN(i|?jR&D8L{kc&@;MVD7rtbcyE@D%-- zxFmBFCpIjS{V-CxfZ9caXzH=(&+1TIdqh*6P!FQ*bPk#HZ zl{NUYq@p#(Pz2T;EhH1}y)|XEn+#=g*lzR3cO|Pa>@3mN;Ce6>-`|v_?;HpE?ho;9 zy~%nm8T5W43!ALcT)s5Ms{Gw1+7=WniaD{YmT$l+y{TuJZLUNeH@=+@Ei`UnBxKI9 zbC(O}v;>9$eg34icE_;NUa~vnkesQ8#8ouccU+k% z!ij1Qm(6)~3b%&w@qine?=B|nwIs*$XPXY=ga({UbwqULomr5|~9QxCE(ljZc6N@fw|!b{;T zq_NYe=4)<|gyXcE-baFEel>-iJ}>`heFg0Kz8N`n95Mw$TmT zDI83|V=PYsuwR>R-gX%Kad{9k#NH`LraC2HUjFu#C!bKS8d$>YvN>3HE~5ssr0>Yf zbBfqP!p}-I`tfY^xUC1&Ul8$>pv02be4dl$P~)3BM6BcZl9G$y1D;T@V!BE9+$(O8 zJ&8p2GPKptwY^C&mzmGZ=-;t{z=Sr#Bp%d367h>&_WLeo*pSh66G5hIi0#8LBcUDs8hB0!yRTM?eHy)~iQhM@{``Ds6*GbortwmH`sEq1gBwUy2ZERj-86U-XQQ@3l~ zoAs4$OiN7s03=_8E## z6U7SkE;IhMPG7>J1)J%bn*0nZE$GFZry@}Do6lddnkCsP5w7lOREF+qt*Ag^rnxW zy9aa}udJC@zWs9CgQujO4#!lq^}x1c4z_e!w47xQCKwFb2tFrAOEM-ht_r^a5_z^@ zrtE;8Q^2`o`}^{>@f0s-6B8aYcDWh$V=xz< zAxUjk!PMKU=QisH_yIF5-p^xi6)f#6C>{~e>rb7paQnp^DSEGx%yN~lJ$ZLy`n%u_ zj*_Z-#v3+vOeQ~@wYJhJ<~n=n(M1N2PRJqMc@DRDw3y>rU0N>#B;@BsZ2P-nSVR&s zO>VMF)vBxwW(glHzV}ww=ler$d$9)&eqx~j1qzJnmd1-O^pcWvL?u~9OEP|%q^Z;T z%ZwK3vYMi{KG-0GdN#3Z7CT>~Da&(Yi2f`NobZd_33SwG_AGy z0k;b7pBn}`@F2+D#u;W&|EqDFsII}RmfwwTxm@hi99A1aX3!a|H@9JB)sc{3}WB z+rr5_{Jlljdf&MZf-<?+req-)>B zVO9dK^yOTL5mNN8Jm(kjtn{33SguLVMTPMv15_S^gRrIzWrETLSwo(e4Dgc5jLpfC zZ6(9{mjVEHWiS*`j6c`Ige*ahKINx<8G+L?UwFAhc}i)JFBL5UGg6ril7tBgik!?q zkOd-B4L$pl^0&psX)_v5BQK~2Ril3?TX*I=8?-t}g7!kwJO<--G(8s@3&WCL!Go00 zzYcvX-ExnMP>+1(ZvJ+^BwX^^P^9TUy#TASzGO%vX|SczV~vK`9W&i3(?Xd2+@gYB zkk0ciGit-cUI6@>JhSZ^7D6!umJK1}i3r-vDXTW+2KVXjKNB`Uj3wa(~SSICQ- z{EG&*w%@>AAO*}DfhzOY>-J-fI`0>xLB9qM8jMO`pA))rZZ-NdaQs~t0cx!rI4I3j zYD7-(iDqY;^)`)>iXOJFudgeUb9M3iDQOckxaq3A{Ea?bH9qT4y1Cj5ZB#oT;LHhX z|2vecllQ`XQY#{Axnb_j{P^4(kZ`AAi}zLs0&u+n(ZES$COYq=L5)Sm_vOnY8e#PF z2i#%i4&jrav(w|!wqiRiyE^;TMjU*g&-&Nv)X)2f29$W60oUVL@f90Nvd$ij@`Q~R z6VTrTOq*|!fit#Q9S-h{yO;`lekTk<^(slr|7lPe>r0~u(0JHv! zxQKdIYDBypAR9>EM%?ev)t0k__qvVhak~K?_x!jyv=jIkpMcCV?Wb?wl=jB{+z`cB zFv~TXxOlF6^4$7yJ{z1@z}cRd0}UC+T%HOeC{Tf(y!&*^6Jq#ox-o&|v07z)L6EiA z?>!+PD>3o<4ViPnB`R^kWM$&j*XnWGSVOlprrxc~cCn)uOLcO?DBknfOynuzCV6wL z2Ac5(EiR_NUJmD_(OhfZJmHYtX~pkt%LZ(IZSQrJ)BUuVsS^HbZ~qo^(DA)HojwY^ zSt?M{mM4G%Ob1V2S#g2(BwGG{5Be;HX9(OIi1~_m>L8~K0)XmGNj^M1&|mrIozdFc?5@DifdEYt zl{mYM`csz2fmELliK3lCl=HL;d@FYVP#EwSO~_TL3OM8dwafa%*DF5na~LhQ?4QYX zne3H1#l?)22O zWS0%#gn|v1?>|UW*LX}0vdj7vhFXh0_PG3#fa=csrkNq;eWX?NDfy#TmXy_Mzv0=H z0P%bB|F~5H%2{VbtFH`s(yUoh_;-Ki@V!by(q%m~Sq+E27lq;eiMf zX#(g!Cnqm)_aE)HyQcC!96XAQ!(}y?^K1uZ2h!GF_r1gY=GDe%_h)HvPoobnH-JH$ zP^oL6?^hO_Cu*;O<8rLv!G1HpkU-&Ys3A^+@qO^j;`7+WiDobU-Q9ksoIh+r>G#Ww zzNE2U1e&w_J=do%8`nG4QBsx})m>>a!;F0s0-DCML=VJd_NJ+yjw8jZ#>>n(^(k66 zMvDPp;i2J_HTqjk68akok7w%!+^k%~CFRD&>ZhUQ9$i!A$5!upFH{P02!pWDojXB9 z=L`M^8zI{>ElbmbSwnTk`nC2PC#yQ~E~Ywl??l<8y>A@O9)fyAT|Q>7WrfGBc`C(o z%up69DRKX?E~s6l0v(hrJrZ-7mRMe1UW^f$vThHKwrasW4oX^nySjJmy5+TiHpg$z zP>atppAvQ#Gvn;STLTBu>kd#@m^cTZBE(x*n}1e39~MsAX*Z9B$Is6aITWm{u20oDhQzU>dV(pKF0|oZ-bmrs zdp0hZwNrKRLp|7Q_CkQq}XF)+Y{sK7LB$<>6T@E-CM* zfS-oJPo)e_#QheRkMqZmO>sH#@+v*=Lq3b3t^ze^gptf%m*TG|J$P}w@uAO5cDPp@ZHQ}U$LutDzYRNlygu4DHBqth3L*)q@oZ`b9Cr zfV+2Q&3F|11;LEu&kfSp=MvuPf6?_8P*Ja4 z`|uEgk^&+Pf`JSO2uOz#qDV*#9TGz+-Hjk1ARyhX)X?1^DcudyAkBdEFnl-X{Gaun z=RNN?%jNp5HH*1t?%4O<*S@a3k7sY>=r%wF%isH2%s4H1jTle%RDAd~imq{q>`<@L zCmZG_G8n#4w&@|f|K`CbwS;T?V)5DVF2r0TtVS3iE_{3LpMK2vmAoak|De$kuf}uP z)uK@v)qYfXw{e%a9+x(Au)n~eLVt^CKMGd9EEF6=9(5H#ek4AJE~C_Hy{4wcj0dP^Mxt^soxqGd;RkYs1^@{I1XOZBg!3uu7bM%O zzchX;HQ7>sevSaSkBj{g1+ke}FqaG$$2*<9d&ZgKet6E?L(-hvrEh{ObXX$Rzc-=J z@gZ-)pbz*lpEyW4{*%3RP~2 z)H;gqrOdrC8E!AOY!G{=j4=LTLGp1al>&9Po(l2y*YCe!SWtb)x_hwrVa_}ymdBK` z5w5nQS%DSfkf;8%npCTr&;8AzdluWBbzx0`OpEsfO$IkNN1-Twc3>~88UZ?RhGgz+ zSv{C{^1mtSb#YXMfl)u~`DI@{q`}c*xOgRdb+X!pH55)SJ+?CVtgCiJD`92IQ)6h&`u~_X|pwkPN3cC=r}z2~!1M zwaBCw=Us}O-qT(^szTR_JWAnWhAg=&q5vX>ju|qvVO27$UjTtMU2d*__3Nr7MZMAX z*>SeXyR+`G9Odl0{zRL428SFW>r2C5?;OVwikfD+Bqiak|IIr@cCT}n8HIAhr$#LD zM{{>ezhmUkz!;eF8DF2Q)O;x zZ*FVmb)2-Y-JysQD{FB+-XSI_=H`*J(^?ei>#mX_ZwWrvF=u^7IeMZdC;JTtgIg-c z(i?w`FyhjGl~=|33C71uKoSzC`hY*?q^|m1Ikrovon7j2huT)I(&tSbrS*?#9X6Fo zPr6TavBSccz7$2|9G}(}B5)0A?gro1eGMqOhf)JTEMu_TAvan6uoR*jbW@b}=g;SW zS?UubfI69XjIPHSKRDVPD=Qj!r6ApU+iLAwwh6XQ*7#hF9fkQspN!NAYhXaa(^GeH zOXQ6H&dJ_(*KwAj3-{V?-F7OgO8#dM1WMOAT7;`VkEXx3Ke8m#$Sl?t0hbuz;rS33 zBzDDvMR>{nJNQtd{$r#EiXRHg^=bQrtx^Fc`kn=H_&aNfWo{=s_%)XzZb5e&@oQ2K zd{2~l4sUq>pdfDZqxjPf(uXC^T}t`7mqNhW>FYI_kD1Tf?OmQOT(U?dR4G-+kfYoV zB!M4HR|aB07(#V9OblJ@t0N#F;Jl4w9!h(GWxs1LUs72hc~Eb^8r>QW?$x?oYCiya zLltG^IL(C;P{k+3{n&FntcyyqoUl%)YEf!E%r~H$@t| z{m9|&CJ*Z~LW{VRF~|=IT7MG9ik0F0q+)8yf)aG2;-UN$M`ABZOkW@(KAE?$tFN9* z3cjtheU{%?tEXAUq8fqP_S!DgI?!A@a1?)b$Q-BQ%Nkn^!^Cbu zPERw5hq4@4%Pr@+iKHy2N}m})6g;O(L&k{iJ$cf%Yg*;fGyWB$UM`UjR|f~OGhNvZ zFh(EXuP?UXpWod&j&a(VsqpVv^_kdeKM`YxDnW{J)_S$Dk8X>UNp#`tN8!DGU7cpd zpbgZ*Ujhi(E;pF3&&^N46hDyE^K(zHd>z?g3NW$4rekW9!zrh(=b0YBSs$TK4GDQI zrVOeYZM9%cp|k>|w%Z^9hO2Wo*f2ZiFgU8`dt&?v<;DD!D8AcVbZbCsw96jJak`EsL%fq_wcYtH+=P!t z)mJnuO7C*$lG;ExfENNF7sHM(@uv&ES4>Zy5GLoBs1>2?nQSF*BfXze9+ z#TKVCdSc!W(>{0m5^?IyPUeX5_uD79F=H&E$1$J1SK&Ad#1D>TZ!fpX!h-aRRJ|$5 zYkO-;3U*2)l>MSc=;3iPXRp}x!eraoYy9>pn^DEb4rc%9fd)?a(p53SV zti(~uR78zdE+K0B+KgIjt@??Nk@%JDl+VLnxN1!-6?B0v`&p~T>JvfGL}!~Yr? ziB&WaTwWeynyl*lIeAGU@=>^$+B4HZ2mtEB<6Q{!ybk4lz8i|w^MolWbEuTB3$2E` zn$_5};+RrqP*)XhRWA*{_&vM9mao-Bb#a`Xxwi3au+(M5yW2^rBCm_T%!6iIVc@x^ zr>89ISZuqUjSCr~6EwDGUU#{1U6w_0mP=WRi{b&IziT1+QKL#sH>f1BqYrlwV!*`r z&pq;9(2k;>r$R+82lR-!kR*92&A?)N@Z8c5^!ky>XGKiw1CrJ96?kIXre1RY;3jo$U~S@4DLsA&?4GsO45Wy!p;4Z zb)^016nXrbhrH#DjLatttZR7Vkb;BNI+-xBDn2cpV}l3`?96cXU@;H#5N|8 z%g%TI z;H5)Adx;%stn?b_8R!%_5%KmpIPYuo)GW4Uw3Q;S2NB_qd9N$Fk+WZR^H|k}qo%V@ z&3QcIE;2n_g4g;me?1>^AQVmYS}L8}>Uj*>ZmJaN(#6Mja=QMRyViZ-5Yq<%1~it2#uWeMA8O}?kGMe< zaw77nR@#Ot8j_?O>~?yK^kg8_`uZz2+oDkoUCf*be3sEnh!U2&!=?dgW{Q zJ~iC+?TjRr!?LV7%MzamT&aIvF^xJL*ohN0G#=!o;Lr)`*Qw2T6KknnF@1F+9AW3X z)XxzyLl%k$wU{nv`Av%j@zg-GsuuFF#+ARP@yN;L88GPaLGIVBmU+BdW()rwd(tB0Wi0+s#;~g_;`>~#j(7DhhX9I$}`B!#)hekASnb!$oZYb!C?Wek%c)}eAEgH=^j z1{ViCW^p{L^ZenFSdgE>DSi{bCb1i@lxHE!W6JyWU#yx-wpD#i?F_@$nW3{V%-H9bD#zF%D% zUx?SEp;1{%yr9A3AR#G!dt7p-Elq|5a}Z8BU}KoHqYZ~DeUG>A}A2>mLB%GD6P8=pFWFhZbqQYbz0)RX9Uj5Oy76by)3rm$kFAcl6 zyq@n%$`f597>p9^Wiw23)~!bvGn6)C)(~S@qBMgWtyZNa7UaWxBbH&R3(=c=$j@hL zAve{nPWM?c;>H5#J+^Osm@_V{vN<#sMh#x+k7Ny!@7Fr)`GW(}y4=;7oVnX_eN#kR zG{!gRFTb4i?0hU6$9apvLzw*8`-xEJ`KahOIJ%!7utJW|URME4c>JnCOne-~%gi1( z!^lHv9XHw)2TJaZ!Z<`n(^-y@%gLAqyaP3*M*MA8yk9aRt=vfQiNPGKAjunpz5gm>lJ*!iHaIAF;kB zX^){VOFC1Uzqb}P$GPoE59oRnyB_V`2xXl~DO4{Z6>&TIkr^iTG101lZlGabsdrr~ zSNsN>dhu=iyKHT(S0@VfLY|m0Y+C*s+{Q~lsap}dHC@3PfjC9X{N(j?aRIcDpWmIq zJIE1*wL{Y_RWtQ!Qxd>){anZ^ZB}zbl6k2O|g` zcC0jL$Afs!T^ui0*evhdP7!=j=;BH^>vdw`yc-yB?FPgROe`Y}W{!7`Cpdb%+Uu5? z7r@2VUNJHEiA?qOAHX}1h-E^}1+Ubn_0;HmjWNctNOiVl%Nj`X>s{6Wr`s1qMoZz+ z^a1)1vnQGv%Twr0itr?wJ5HYAvnkfKDKq3C?eb9{LM(<-=#3Ym=q&49i{hX>O;$t)h<}Jpxq9j(Jsw&Q}cgA#dv( zpFopq>GPT`dYLIczp0K7y;IuQk^{Le_ccHkY!?R-jkw@AN zM-`4o3%eqVMsH=9 zxgKi$lGyssWXadC+;mmMl*{27P$#FRZ3*I#A53N+aKsG26ok*J>7rbBD)Uj1 zOdfCAy~~$8=NEwWv;I|wZ7CxDQsDccLUl{&+cN+y6w&VUN_aSUL}t;1cJ{vPJPlWh19@}5t9sq_Ml^$atNpGX>>KRg9dZF zZn5@#38+2L8~1bso%c2!(>7m$^B5?f#nAj5rj0O!%8zfi_JAbjz4h-wz3Rilx<%WX zuTfE-KWq`=>r5bfC$ryH$VA8OB8IIsEApz{f8TRQH5GkzLGk}`x5C?{bHE4eu7b&# z?!KPZPb>`j*|6^$C`+BMs+d;eZydJ9+l%#M7Xibi84&b`mg`e;lsgGBjEv$6yr{wb z|6SrT^|a|Y0l^7GTt+`5)t~=|3t&v&n(Q%jb+o~`?^e(*0f9YPrtVa26Bmw)wHM=N@`)TF5C#^STqfONBE|5vYGHOJ2PwxR!E zy|B=F2=H%{)Edv!l)0xXOP;@-Ro#ToW)Z;5xSdG-Q4fg*F}eQlhrY<8s*#-@0I385 zIu9lgQD%yuPw)Ssxdl&G?MsN`GGltF>p@4vAo}Uc7kkvY7z54|r{gJ;#lpJXaxVor zxpu^rD@oOyKsTBO7_UbkW=$)h2;EDbQ4sGY@>$&y*nOrJ)|Mn-x6L^^l-apIre;ju zFd~oe&x0WhCJGmVio^R)&S?reTR@SU(|yJyej7}yh9mhwK@hGFz+)nGJO;j+qMn~AxU%TBB1u3AH&)cNdqNP_BtcT`SCWr;~Asx`TgbQ z7y0T99Y7h)x8`_po(IcIlhgb?u2%9jJUsM;um7h8-3bR_>v@qE3_ou&M;!WqkkX*# z)aj|g%GhL+7#*?5A1~_~?Lmh=q9ItJ5>=S+!P{o_|FO1!>DI9lxct<8Wen_*dmUeD zIDR{-B2>xAm_s`^o|-<>o?hpMGwSwduJ^|K&T1cerTp-_v5!LlN+Q(X0^B@q6ORBu zRQP=Q6ceITmlCW~=V%DfJIbdA=BCv9bG=liMjmPR0O{%BIzuat;Ys7=WIddQ*J>s- zR@V!+YR>r?$U+m=^$!`wJ6|=W>Vsmk5bqHX$n5ax=rA!J0c?I5=_Tqzq3a4_(Vfnm zA;Yu{>dnzY-}};`lUH?E&HIa2&zn5a-TC3@J@PJOa@<#M@ZE^WnB_Y*$C@&oQt{t5 zoNw^ku2=!IuiR{edP_p3BY1quB-yX6?ExT#E;S&@I6Ygi326Cm7uBN-nr*MuQSl~@ z#bOVJ8{GIt^E9|eAF+hC9n|C*fXvGJ4&T$`4U-c0Gg~7#+^{n=8PYq^LGQJl`g=_1 zfOzzi(jbzi=P>yo$FXn3W=za~sWn%x#pG1a#BoEgUX&q}R>a?l*~2@rh~{Hqve5Lz z-fROdN8@oQU9VaXmNDENQeAxF!VhvKZAu!#6j*+#+;@%yI8~VdgeUVKqdUwODjz(pB0|yy+!xpp9cTb z(BP#DMa4Tbyt#3ZL4r_wK#0&zP3F3@dNJxmUU>Mt{JWo6NY1Xx9Nv7_k&2l76iw$; zu=C@YQJRiygynxO+8NMNNNH zazE`s$|`0-zNMX8LCg>Mo>-95GKF_nXnRUgEP(j#%vApH5_4zx3-36NJDC-s4iiS* z26zsBLrVoTrCCeg#K=fruzs_)hjPy78k4k* z^u7Jj(L1s!!t}8^ymwewjuwwx!;?KQ6L0_phe#B)Fi&Z%cs045#x;G&DIbIaR^d-DoiH>b|FH9G{93^vh-Hv=EC+C+H&oO9h z^lkai$or+z9{;5t4pC_xMY=qfGUGUOU+nL>ItnN(?{j|s2awyt1qtT@&F}iCy1fNQ zgipY>JN5+|?Px#_1rc8D|>Uw552Z#zc3pRj04@wg}f!0yvzT_4ukuR|jP zU%;)v{vsOMbqoiS%r|RIx7*voen%DG5fj-P~uAeZ^R;$6)0kFA6 z;<#K427?#ZlP9piAs}`A^EtnVMQ4&0$^#On3%*a}h0T#h%!*C%fg(!cTY zO=96z4p2K!S6KyIXL#(42k>YbBgwT_FJZHXn2;RhI$n@d1vMGPh!c!eZ}$$IqycZ? z_waXa(F=QMt^F-wwa`DaX@93TkMZB(WHT!yeAaJe2NpliLuhLZ5qym-bVWYO(1=`u z1&=z2tO(efr4B?zJM)L3Esswi-l_$|z|sDZ-U#+)l8Z4er1?a3OXgl_=S{$&-xH}u zpTAdZI5z`MrT=0P*MMQgpBf$ZS-W*PM|H#N-Fdl06L)qgyyAvA@S3o-d7!DVjclON zAYgBE0ug*w=XEFVQS2=4z{@X`p<(C?49yA|-@+|Ucbwsok)38~AoSiJRaRK&>SVyr zTcO*y+6kwfKMAd&;hVR=4{~Q%t(*vQ8cra&{_ecCQ9?40_MxW$M+Z4xJu&!wL||?C z)rfebE+#|*hxp*iy=&p~x-z|sFuhSKzoNLFfS*Fzr*>c!)AEJ^3er($)fAW-^W;YW zLw(q-y$0VJJLBaYzWL|2rB_};_j|W80`)8DEPGo*=U?^DFLk-h)h=A^GWh+#VsC@T z60~I!{|a%Mcg6sce-&hga_wvHqA!{H3KdciA1TMiBC+&$v!oeo=UbpWTQU-mz zJYU$Iv1;4zY4!U0kQ$EE)*ckVdVBg*W$=*s_NiCFovqHUTzlQWYO~+5k|f_z=DWJH zc1Z*dX5|O{DqCm}plWVUSI__+ zz}>SEUxAvM$touf`#HZ+oZNQLND&bcIt^y|d*3}TBiG1+>5C{B+))BCmj^VEGF;c} zGNFYf43BWlCf&&+B0w9qTYJ)ilIq!3Sgrgpj_vfzQ6z#@ji^rdbys(P2hi#F2B}D$ zMm6bEPF7io*&f&q-FsH?>SGvy?XSPXHCml)P)WzWTS5jfb5QNYnu(c$-fHy6A?c!H z&D#=jCGARIY;V3_@gJIOSad|~Z{uiBBAOk%w5#tZUs23p$r=ogIU0M-G0&to8b}maboFBa{dl|x15F42oOef^T^xZRPuH^_I zA^Jm1W#9LKOfqyRbC;lIcgV04@LJ_Z3t{*Uo1?cbvdq}l-4+&Je9O+x1mxCs*AXb- zZU3&NKdylStYXG#8v+4iK3?-8CTxA~C|`J4^}W1$&Qc}st4jXGn$ZFPwvh7-H!7Mo zr*rRHHhM}@^+8?RML2-QNkik6f`T+)5-2Gt1^uaF9{ztIo$}W|f9yfUR@bAJ)U9@L zvt)48BUgoMbC>|n+g+4)px?jHEQj=m#c~O?7FecKPc-2g$FW*jq35(2$`LLi0aA>*iawIq@)mz$(?Rdct^Q90Q`Gt7neaAh?)eQgvo&K<`CakRGu0fY}@~K z^64G?66d5O=zkoPmQ`CumLJbZo7o{#oZM2-xHSpun{x0R`?z#o!jEGc-pw*j=5$97 zs|qT=b1C08tZf@OaIK)DGrlda+8Q~Agm~TUz8#BzuR0&}aXjN7PXmqi1c)8#lFzvN zHXAp4lc%IsRVoSh*XJ@wf*~o;A!etj%eu{U)|klcA5t?KRNl&6l6<{FvODTjX?CGS zjjc}^Ox)DhOZz#Kg+G%naP-{7#=%+L0loI7vQ+KZSR)f`<=JhLHP!rfRWx2!6yQOq z;p;2%gue_0LKtqREy>alR`@1&(=cGfGu6+cYZg3Y`0(Vbni zNsHo3{Q=j5>g6)q!CbcaWhqO`!nxsZ_0}7L5fKqf=W)}iHW0G;E6O^@M2l5>olXEp zEFUKp-8wI?j_h1-{pRKM3FejWJAwBqD{Hj1Zz4p}H!8w|EFq{c2SXT24*=MtS>cOG z4l{7SlShy)SDx#X3+r+`x-x-!>X=pLBLJsmw_)op&->w=FD5VVFgVl8A=geSwvb4Z z5$oUk^T%+@SQ`2wF_dnJ!3_csaJVK<>_p*bcOrbfF8wgDa2WxXUp425zgy#Guc5&5 zh~9I_1?BMDIxuY6wq}1CUm-(gbr?S}rV{YCpUPgWX#p+OyMu3mzwJY(j(O&ne*{Id zK6TtK0~9MWnnsk4 z->;Qq=2jQzMsABYdr2d^Cy{9lzL%-Ig@lDdNKqpeIxRV&Oq(JUxr!RAW`~et@Cb(| ziao=5A)8TMDz*%1JYN&aM|sFC;%g-UnyP-R?w9hl8&wq<2T$ggUszh|*4$c*U#x2r zmoP^f3^dxKYCLcS%dLXVVUhTHFZg3zXq$>O0$vi*r0JVqk|r=p1!2@jMD8J(_=;8} zoWWjr9T-T^2st&}!Py?*{|wkmzJe9<=)C)qC2fbML3}l5XK_{USd0gf!1$z_Fb|IZlZT% zn-vewoAPk(6~MX6O;zjfP9TkY#w{ov&&Yoc@XZ_Mzz~msH}~aeYvMlGMUc1Y;y3Eg zH=72t)dotFHd#O;l6us6-6U;>pGQR=47nXioUTNx5+^pbZzFzPP0ijmPleIufp;<| z>q2gGyc%lTM@%@oF!F^Um67rkb4@+I@u}Qul+mhSMJT~eSGNw<*BS!&4+DqT&*n~PO;_gGdZYs!*7s@bu z;$k9NZ>Z$kJ-Cg(nVB~35S+T&AEPfYRjKO#XN4}SvBw5%0jlyyJL}+72W9 z+>R}q>*Zz-Rb`~q;EF5sUiPn~2z}vajRaj?NEOb(spwIS0(lGN)h45~xBfWKI*6#az$$mT1qz)r&$g{aWN%~>9Ij8Pw?dHZ0l|k zCtn!^0~E8@l{tQfx|@}`zH$|ru;pvRZYobt3BB`J!i8%gdo7DS)-FmUgsfl{ifQ`Q zf$4;-QiG8TZVYDx(!J{dZDqx%`gD@t?95$sWzFqtYHHYUA!eQ#H7P0S*Qf>mLW(E~ zW~f-D#e8V5VLV6`jouj*zWl?LGSt<{NdN?M_r>P1Qb`htrGF=cf=~|VOeR&sKFi!0 z$PCQ+R-jQw1ejLOf$u$73a5^sO8dt26HqKFExeeP7ha4OX;GLJT%&>JaFGJ#@${y! zdqP4qfww?QxWwq39{m5zH&Jb2rg+AMIi&6#&c4da*EnlQPt-j^dk#n_tCdGrg9v`* zJ~dMBW3FUuea{v9P{M|5{b5~P-cvyIGs@j`;lf|-b@9u~V@9lZSp;;aP95?Pv}T^o zn~vzKc5q9ER|6I1^KI4zGl;gqfo*5ryA<=+2*;oghk1@kW#-9vB?1?x-EH5_+27Cu zO%#R~i#XNKNDLwJ1UsBd6-s&4!^i?teVuI0HFL&7TomkJ^tALczs#YqVQYbSKNrr5 zX_^!ndsQ;fdAD5B-n{$7b+PNDc^TQP*78DFXJo;#Zc*O){zq8O=f?!#LURwpr4OTM zyotE8RZCPgH^u^0dw2-TBS+*@W>1e`euS+O zoF1y!CYCPI-k#J~sq~6~{UPWS?B^{hrB3PnBoO?KD%3*YP=~&xexM|@H(TJ)M3g^o zvFmGcZ+TZ}(Py8!eJQ-PoAWQ`_-*3ZK~pDAz=CX*z2jOSnck@>`eWK(&7waclVCbm zhyw#{8^E>lh%B1x?6GoWse3x!cJ3u(=Ub;x4>H>29;Gjvj)HD?dRE{$$g!Qbi!at+ zJlVT1(1`C{Rn96#LK4k<3&i)@?5FOx_MIE{T|M^C-8tPGbFf@$vtEoiRNK?B#}ZZb zv|gIQb((E7C(?}oUe10v3tD+nv{r~S(;EEGG{K8nqi$UXC?)uWg> zRFCbMRmqvz+h#KlfZ+d3yN-@J9`c%n zVMs~UZ`WRKMBBW@|8>@l9hHm>vl@*!R=kmPJ?&ek z|NNqVJ>M~rWUegjXNaCbO5LafgcbrI+nFbfHZ1cz2|D^?3Xa|f8C%M6>}PSgFLdNo zj(W)(>~`pDZ^{aHf66QiN>b1!!alwkBjP@GoMa~3S5ipZBQGIX=oHG3M_6Fz4z8Yq z6qI-zlJJgbW9_d-kJ7WJ*Dlk4z1oQpKXQ5*adn`=$x zf4zdFvn|oNl*=^!B)0DHVq_Y;FggWpg4Xw^e$-+H;8vEz9K78$!}4N_Ys_vU{$&&# zGuguv!>h@lA{0vgm@FIz)2Uq6zI(?s^oXaVfuBD0*1y~2oqofBr-(tXmJuyh8OraQ zPr1B|pBPppRoH%@?j@|w=P;3K{wzh;JR-}EL|9V#Pe2ER2RT_Se#8YgTs@>f_jh=s{{E4HvW(AnVh8D*mh4ezTB3IG9YQT z>*6gRC;Ten0#DR@{%38B=gEsF1|BE(tWCOwBrdo8ulf}mJmGq}M|EXv`h%ws(q#|# zRK86^?|;~lzaP83VHkT+{bEwwjoeX9w2avkWUolnyaqxh__KY%C99TP+by)=m!}x0^KxO_lskT z@Qs6%!Y6V)f8^m7*Gd@e>1kwuwL`kOhgeB^5d6DsD-|bZnOL?lnxzGKzbh38`fSTn zqL-!H=yq`Oy_1a}-hgvGeN1Ki@FqrG1ABcjY2cC**!)d(Z3q2NM<=0gDWQEgPszf$ z9_EgZEO3}S?o{ik4d!gDA6cb?cE--AEO*%kSz^zlincv@rODk-E$qK%BRyWM>>QK6%)LV00`44dYl zc}8FUxrXl)v)YY4mAtoeZ%zE_zrt2|KK)Tu*b#oMjPT&>Z!B=b|Ho^LN--|1x7;51T&q3 zjHQfCp<(?JJ4Vq4Q66q%2lUv-1df#t1QQ})O8-m99jQ97pe z{Nd~Ft!yGUOHznGI!(Xk5oKNY_Yn6}Inp3AED2svcXyJkU|09PZ(8%2g`Rg2kd*XC z@HurX??O_)P@qu9$&INftxwxtMg*o3f@+Dd^C5aQ_pVak11A^h8zEuM2mUsEpm5vY ztx5iI@E`Z9_q|luKq)JBP`s!SzZRxu`MCK5#$}cnJM6Omsiz9?12o9WoP1z~1Kuu% zM)PytqV@jz&ZFm{TeCO8i08X`Tt20^#hSXmZn0xOVwVU7$)Zn&iC{oxJq!PT4EFcq zQefd$GfRqBkUi?{bw^|OgskhU*~b>zoE_Y=9pqeMDnS#B=WNaewO=PAa|&!rqcA4c zVdzaup+RG3)H3Ex6oFw2)j++`J(Z(XvaR>~^8&}G`|~xHr(|(9LXBCS`N5q3n$BpZ z)PdfJ#XG>h33`HfguJ7ylaHX4xsiai&e&u+KS@hvcF6KM&hElIiKF0PZNEI5dBPem zL95}Mdh0p6+hLwX&an5b{XOleDz#{qD52S}hK$9jMYXcgT%&DAw(b=vf^SJjWTcsg%nl}O6ivOn# z2{&k*0FDlqH1;Xh``YUIG!)tGq$bQ>RQNPG%$L@&wg zFzi2E0F~$M!mXSKt>C_JEc5?alzTh1H}!|6yhIdO%G?NdgTJ}^fueHmd_0GDT?^p# z2FyQKVQF$Yg^sngWN;2Wjp?^BoPUCLUa%o{`76Hkln{dOu1%olfnZgxxC1aeNN}{? zhombd++)g6R%@v*^1c-6cBPiQ!~7>XFiy0jnN z+MgdPP0FC1uc4a~oDgW#Vl(_yEk8%^5D)zC+x*bDpU!|@r=>&c(Gne6Fv8mxt+d^E60Dw#`a%P(dQIsOi=g+@;EytV-`b9lw#Uw zJditDImin}7?b-c3-A`1O9wx0gL>n#s$}OaYyg8VG=eXYc3 ze~gIBSZHs+)jcdsr`lyZF=LCC79SIfb-O%#0X zl~krZW7}tDO@5;OOr89&tx^TfA8n-K^ySS5>EmPAJm}!l;w4QX*jO!E*ukfc4*loO zxPE?|l6+lbDx~PZBoCTG{YHl!y4E!hFXm(_xw$|Eu89JkG<}`4?mxNq>C`H%?NQP)jADA)qVK_Z_3Yt-s`fM-M?xL4jctQpI+`Zr&heVvv)BlWg&@& z^kc%w9-qeG{V6}7w{m4@x@|u(c2-s9?zTBor~dCB^?6B6V?9hh2uXLwO@SKQH)`x- zXA7WQExNu6BViskgmNQ1?|u4%oXrEeNxf?)L(erH(!rDz`;~XJ`A|+tS|8q6sD*O$ zQ2Nv9p=i~XFWeQY7$5z^)cp0BQF`qN834QI^+>2TZ#93(mYuv;d2AnKIPjcx;|kzo zM%qi}awRdyW-%KFtYo2=-x=XbPZ`k3kKE2TZ?cO~UIz|21Ji}|%1fT^I$=^2|L$B4 zwNPEzymsojJoT@yTVd!|lQ&}sNO1Jh z?3Q>sVhpy|;-CVh3DHL1G*t_V93L!jC{Xe=R?j}E{QhI!PCc6aOE&V~J_V6RI08h& z?Q^Gos{^CxX!5=M?F0}{DCk(ix`Jicy0gv3jR>|VT(I2p#8W5-yvb?H#+AhoQ5k9@ z<=7P#*vB}kfgRYVZWrCUKl*1@{Nhsx1Vk|mE^sR78;-Ak)! zGj1dBoHzX;s`nHgU=v;$_-_wv+2vaWoaS#OH~0{Cx*quBej)b49Jba@VK8^c{?&!# z7yake{?~JR(e;A2pQ;K?V*)3#Co69`m$zI-_E7D=VtfWn)d_$Kyap6_BHy6$X#5u| zx({;~l4+%*&$04JKdbg=7FEl7IQ^J^G!Y-FayUWTQ@zmC>Jhpn5o#4eSF}v_zkiY< z?ZKJ*^QrYPFl0g&IX@UL7taYmWAcUU>NJYW!5Man>qQ3S3wV#$nMwVQ+xN3+c63`e zJ2ZQ?mfk#JeM6i_Q{c${E{2DIa$d7Dgy{?MRWkkF|1nU~kb_VoZ2T;e%k{ zIVa7>o@JPE^bY0*_sNCfZoEKMuMsr?*501W!2`SXUv8H1fpPT$(#DsYHT4IRQ!#@u zhUdDK6U5j`o`nB&SpS+l#kKA6vuu@3p+l1_v+*~NiElbJM9MphZUo^rXHUG562x@I z5a8DU)rm9BR?`SOb2PBhkG;+fUXzlz(n(I^$W$w=U37;G@?jKLiAG&gf9}0Ae$l^q z?%Blfui!SyBmd`^WwMvdw??ys!gIlExMIFL&u>dhgSV^f^*+1lr){45rg9FP!zl{v zD$a$4)N-t5FJEQ6rSCzHnoL&;~hs_KdKkN+QINsSIF-a9;;{}Q)@89r<#><2<4PpoN-YGiym@QP~ zO0w+ap@Lw3*5ON1PrJ3Sq$A(YI(qbPL>dYTiNnry&zMD0##w1rtj({ViVb{*DEsTeXqwFTmNk->^^RpW+yets6hszd`soWu@@pG(+w>PlfHh*AKSTcM5`y^ zVZp>xrZyb5Si31vMK>CD6kS!{Y^3z4Snd&V8D7rBsP zmXKve>91EiFR+>YU=@<$@NO~qUBwnRi6E7T(*$n-sF&wD^$V#@v~A}O-z_XB8Rhnd zdw7tcikaC(w(i?=FHV|_k2!sN_wS$cMjfMmPVg$~gGUi6-YnroE2k|4yTIR;bm1@; zz8LDfK`D_KO5|+INm`4ahjoHzdk0CUs(tav$MyeX?91b!{M&Fxiptt%-=b0p+4n(; zWKWTGNRsT!*at8IRfGyCxxi( zy-~!m8|Gdd{>^YrWv&TZ;H5A}@zNXdpXZCa?VcWax%y&waj~!Lz6jDT3izn)z2^>RGKNBYyEB=e%AKJr7JJ}Mt01Omv4E=-N(ad;)Z z@#uNCdAV)w|LrmIIQdVOSDJ=zGe7vK%_V4-&tp&?oo;iQ-^}DD!b~q0nhd}AxZNLd zKmSvHj6tnppD3<>bN_-h-_0Fc7~%(V@tQ>2)5#wuVFh$t3E2NG6n5KOk8bkeBtFaM zQZ^~d0HR$vQO`;?StYnOFg^EUyfwSJq-7SZCX_P&3NEFkmpf89`s1=oVp09os+^3D zwHTJjSJA9&Ptb~T1^Q^5=*vpzii9ldKm4Xxo&Ca-*H++5zAw@+p?PM@Ijzz@E!cnrrabwq1g<0N@-R%28r-Uf)Tz`t^!SDvgMxjJ_gjgXiJ z-SF?PT|GQoMic$<&S+~Zu0KtdQ9IcVf5F=QRc^TUsM4_2V82$g&3_L$gsm#N{^X6UE!blZoV7U%m@R`>$E5B_ zE%cu$@`7d8N&TabusTxLa*e^~Ejat0TTqp#eUg?+ZVE~1DR#c=i!Z&J2ghEJa+FeB zd>0{_rg?kts&mhdI*fB{l@h$IsuV?=24cnw1R`0GT{rN*KF}+b5^nt(_|dJeM4EZD zdS70gLJ~9g>?^!<#`)Fj{Os%-)N(S#4K%u~1Yh(2?;ERnWVqNgFhdW%c?;9Ux`mTq?i-R{vT$&iUxJ37LSAjC{;ZYC+{|<4j3ncX(~` z*L69I3+&}?^71n>o-GqC9jGX8Rb&I#b9vbG9}dwcG-H^9rLbt;)(xasL;6}M$MxSe5^6ezC!rU&xJ1ZRZ_w@ee`?` zs;fM(fC$+tuJh&ky!C$#myajE%7dE2^q!|eB@XG@w5_Ty3xU>|-tN8dlj=`n>nWTK zvj!ifouqOn%h|HyK1Q|3_uV+IUUBUvgz%)kePI1L|2lli3P#~YM$v@39)>_V{Fi|9 z|6Uq=U$J;laFP(X!Bun}z?`5}2YPz^#*^S^Bx$^LSLAt-$*gFT6A-cM=byex&r$dhl6U{RS6<(H;tyE)J~(FHduaJVZuDuTtM1Va5`R z?KRo(cnyri6AXqF?NyC@PCK?Zsr?^!>pSxC152@-92@PYCLeR+S^5Xg*osh;gwQG2 z7jW)}vRrL&;@D!9xM!|7Te|9JWGPnu6!R@7gJEC*o|T{5K4SA=bDQi>d*_4Mma0Dv z(ZM%DSyNP5VEUylQ46+%O6&|SZoyIW(#O|4c`xlAMA7Ch*G2?RChqfC9dbR##GxK* zIppG+Q$d7N4bQ~4DSIw7%=}4K6_ILgtK8SA^dV?rP5qK1ZcA zxc2vET<=E|AOm7$L(d)u!CBQ^ZAZD&fA*K>yv`ffKGiT8e9#iAGn59gGn^BqD`L&2 zJFUZc_FHuZ1x`HfYNgQoFgv5~s?Y$BnrgGVXYX$*R0kx!NUYt`f^T$jdLsH>-8@bU zfLGUd-IKzpy%$8{;TpqTUmJS&1wH!1iJVMgjbe#oC9%u&=8r*jKz8?uw&pz-(B2k- zs-#bX!qMGfd*!wjlX3yR%=H5~_qhk;DO6u@9;U&A*b7xUTihWv^<@s@gLm~1Uj_4E zqRz&u$c8cpDL*R&B+CjC{(oiwH*uVJjJb{Fl@A}zYxk#d^#w=iK^y2o522!6?GLt_ zZVVOYU;Lf$sHc>RbJa*f%fk;R5ts7Z=*oxl3E#4~IL#=`DxzlzS9uSrU$c0b*xgh# z?>kj$6SIf=P#lb2BwzW;)5@eOnMb?3953ycCZ$r?Cfq8&%oan7Y;`t)RsT^%Am2T@ z?l-U7eqEavkDq%iH&ANIt`@K_nCp}X;-!m}H5X-;LNfM!Txqn${Ket`_`Qq2l;&QT zcXr13C%PQuLTRfSov-4@Obr@1c7LV2*yhpBEZ?8|ryhLuvUqfKYH>A1zLEIoe3QHB zhxp6i;O#H7@(LP>kz0Y~n=89$dNlV&A z6fV1>x1@;$kYWi33BWyHu3CTHLV|V_a!-XCXLh0LyO9OdEYkwCHX?qhI?p8RaHW%Q-q(Nr1L6M%7cv*YBd^%*>AKg(|9!H#2`Y z55#ZG9?N=iZaKSH*j^Yfp63&qN5M9>1xt#uOGOu|J;6efm6;zkXR*XCyZG57_PyY{ z*V8R47gPMcWn>KE$Fh0ZLNA3$-C0IZo+496?owqO9`G%6kZAC4hWzFR(k;BHIi=4A zb5sf%mf1$Qn*0^!N8on3IW4jIG2oS-4UIe)HW7avodARr;-9-LGl+INT*eG_|0#PN z)Z$r#F8jVG*7mWsApX~WHOLL2->!7^6h_KNCSEY3OJCM>-cs@%*XUw4yHwp6e|iQu zM;!~ZkIJajc?|%a{}+?h^(&LP^+}SixrI{(9Ayi`dG(Gu^kBg|fY=7gmoppcDm74Y zf8c+>bq}?Yn83%&{DghSH9l3UOWiB(Ulw@pREFoZ_aWH+anfv3Q;^tn-a`giVCc)4x1<3M&nK}hj#0S^=P zPwK7w`}buieYHlaHhgXUfS?(wysd3xR@~0;x3N4u_4C$V%dA|gLkC45bQF1h(r&z( zrm*1Z&{@!%sS&6R*(G_>OyPp`EI@N^ z>5X!cdOvo$>aKIiPPH};m%!C1emI>I{_u-nE>7lg(ZBE&1B>5n4|!|A9&(BaZiuXQ zW(GgK!47dXHlCykD=X;VM_Mk%VLT`?k?k_WoE1@9IHQP*6G&;^ zoUG}o08a4<(yL>Kolt9~yH}3bkeoE0$ zp_G+k>H~~8yunK>F)uKslsOvZD|I18;q(eWJ-#zCN_=YV^r9{N=CZPZ{stA*{w8+(>ym|{KJc%1A#R# z!pP;TEruChHS3;y;b(~ycOynnx0llU05e} zb(Mq^ou{l7Uz0;Gvdqt$gIM%xv|KD+-1=>NJWF(Jj78VMyPN!c?)eRlt&e5#4RMa! zutNXIb;1zOUybjoW?Q+flA>>_I;V2Wl{txf2EWBc1#K_Fk;Ugt`5vju7V@=erX0O2 zKZuwMxh9{U8T63Z9Mte`3z&Ato?}*>KE>hv}RHcvyR6rzZV>!HwEYvpV(47iI4I| zs&)QA0QU63S>)#=i9Ev9#xmofMOIvSp!Cp!nESH|zGzEgMxfD!9AYst?QS|Icl#X| zJdww0Hk;GG20D`^sM_s_pxAithLArLCjZDN_=6u;qmoR`PILVuA>#cX`~BPAH>-@; z##i(z%R}UWH@0qo%JHT=dShIXMAvN1%Mk#S%RTIk44%Go$kc2ey##&m6kfJkg_%t9 z*JK|xPkwVa3yt-VJH|fKuY1COgkT1%m|bPEf)b33NN;J{5kDqpxfWu4M#ux;;LtHd zD02OMd(@?5LEvX#c*Dd{|l<#1+kHACkICfe80aUUa#^Mx?kc{vY6D6(&o zg*vnPn&{|79Yl0pAlr2+P%OJ+`2UY$zUHz5D5mQWz~HSVq_^__xJd{N)uo`wll0~${H<1O;d7CG1rsd^V{pI&=MSTUksJp`Yd0a zbiC5unpKdkx;*q(G`&eWbBav#!wLeEGKWO9Uz7{EGkO= z(ph*D6(%moMX!tB5&%%@xpdt0w6kaOEiX1jiKbX1-<#*-Fv%CH9{Sg`CqhlFFFm94 zM#&5Z+b1m9S~3-c|DoyF{WpqYfEw;B@MdG*aK+S~L_MHk>@<*5Scp! z$68M=B}X-Bp;DUuls|g0`TAn=n>UA~kywY^yk8Z%nVGIWe;twN!?zI0U;M5#Eb*31 z)q1thE;o3X>PI8<*3X=D`j&?tTUOGeH}IA#c`=r1QhqU@_kR8-Hc^)tG150L%Y1kIvGe(Be~r_YtpVSScaWCGkNf9?XktKq2JErQKi#$ydGFA z(Y*JXxhOm<=0} zLJg*+RmUIekJpIG9=ZO` zDJw^fSGREf94*c6FUxbu40Cc=pWEK={t+NoS?<)gkVfEr^r-#rLO#K^-B8pa=p$N2 zZXQ7y0F-j<8iEdqyPDR?cB3OIkhs{G%u@Nk@-jE~_wk4}zmqQm$Fu%P-p9M${>->` z-aP)L!n?glhMLa%r>L9nrkNxU?9&2#@o5e8Yn=_3Yb2SCt}54~M>-3~*srzDirBnD zOHatIL6aiB?1CjMD2E(Z0?TK8g8S1M%>qAbQWAt+{3XfQ{G*_xzV@?EQF22+`Y9>O z=3!}bXOak`QH8Q{6?4#=L&7MgybHK<3ThD6<)S-rS;b^VTgzO?z4(FCPlZ%2fBlBuU~DPfvl}C#=ze zBW*LtFiYa}E#+@Vqfy@wyJ0vFzT6xjk`z@0ly342>nL*d@|EpOfD@TRuqG%6)G{?C zcRmO7RJj~X2f3;(id_MwIzQJNMpaHT%q?0ZOBN;!mD{nt>`a<9tUvZ81);94y(gW8 zyiuT^)cpGP9TlTFuvd9j=EmRl=uyx2r)sXtLl=*)WFK(m8}2d ziCGhgbEe|mMv`=?$-s&^<}Te&exF;E?3 zk=*1aTf}?A4nH6~oVKA}JQdH-s|E#)3dUzF`|w<}b9Y(nM73rj zt&L*i;yymuwjzgscepV|B{)5K>`5^&Fko79R%Xio(D9_v{YHNLWoOfeFizN8cR|mR z*8N=NBwPkpHZc49`;|Zl&1wI=+UJA>oS}qHqZxf+gAfC{VdJ7+fob0qk?^USGk}t= z$xdPtsJH|vo2(aNCIe??;6em^t5x!B6dGE=kLyX5xq;ZsUL-zm4hr>v@7Q?Eb~@eU z7yMXNFfHP^qN6fXtS0cmvv#?(t|0r1=)TdI8)>}Uvd){(6qk&M?sgI|sz0@8;*o8$ zKXay}xiEj#lauUQTH0v~R4B^E;nVMtvfnfXli9i|#*S-JlB5-p?&1d@DKO!9Xdy_> zmyY*%TWWVH%I$JX^F>?+ZEFcf!4QAoOFGM`CHtX{;6^FyyXVBR#^K2sD|sqnL&m9V5|#DqCyONSHO%S5K0riOSS;;YYW&Hu4=K#u#p| ztO&h?+iiO7tPRVh#FwvPhEXG40}p@At^58ebXgpYW#2*}gqG;M(@SCeNYW|)=cu7^ zJ^m=a@xPMf1s&{Qp25cp`o{a92ucg9?s_#HhJs*Hq!fX9iY`sEX~ea(`YwPRvtoUxUwngqcGmSd zTecm=7zlN2e!b4y+T;}|kZ8Q)H3VjbhtJ!pw-Pm7MzB0vZ%Y9?qQqpd-)b*RSke8L zGw>i14}%`PkUg5yr2*yR6gZ5(-o+V*jjq>HzEOCdGGli4ea%`GBcri!lgP8_Cr_Wg zQ%T;F36tHu-|=PN=3ZH1EWc4$l$Jb|`=qy@@zslvyBbq*u$MD=+XBCk?vo#@tE+<~ z9;FI45LqZWeMOJ9J6vceTp&NGc`E{8)`K)+)xl{89fpS4d%myxR^= zOa1VOlFhB($>X3klZAQ`d{y`!rs4SGB~2(ziCne!4V&Su0qaqH?rK-tb?g$RDoTcp z@H=fivOvgXSJqbGM|j!l*bkFl5+6T5>WkAQkkTt&y`e%&@h>Cn9jF+O!)RC~h5_)^ z!>^>G^jA?bSMIZa9z=mB9Z4dX@&mjCYUT%T(yxrp>&(){t4hJ(Yb3gKePXF6_cyYy zIu~UAJtyZp=3w6IK-i)sOuB!Sd*tv&8~4c|(*)1HUjkW~uJKoQius9*$e4QC#=eo} zf@J%`CfcNH-3(fYOG#;>cH@(I_=B_X-l*AL_C^1P)jv2Q>>a&a^YeK4&swVIy2$3| zLb)Xj3O-&_vlxi8?27$Rj3_0(*MT)K)nV0yV_IcKmVu%=P$%;g6X)FwACQ>zV!eL- z`W{ACtA)+r)@vIZr&aLkt&%m=D+htJzR*lt?&ct3lC$LdA|OJTSWMRjvpoXhzVUTSHx$m?r=AAbHuYjqc~YbR|*tczHAwO3>pOzA-04 zoyXRXVAec$!XMJic|D-X_pTPQ?z6u{92`sg7 zkSV|=rEom;2C`Obbr~3s)Ca=Md?gS6;Ui6`b3sjMf_B+&tjNWBo=qeEG}{IYPSCm+!Q4U?c@?Poaz5Gg<)nn4=gnHjEwN%t}#RE0l_HgKdnWzoJVWIWkObV9b zf=Z@!&Ao4p_#?ON&{xrMm?y|5C z#Di_no~|a*H(wjNiurM)?sNz9*jx~F=u2%z8Ai+Pn%5fyf8!kL-?{VpyeE3O7fmDG zd8bxHjsmBfgO&5~edq==@U*hY+oVHDd~}rKwCCbC_jOZX$#QPcVaOl!OD%oJ-VDGt znzm5JYT_Uey^WV>dA`4OB?*1F8BUtrQWI?XNk-nC^HlALKE@3A?CkB7gm^6MGs>xK zL4j>$ftJuk1|QaWja`cBAZGOO2JdT_f9eXBU_0QuAhI*^Q0V zB-H5l2QGDW8_<7J(JbkL^dOk`wi*Td&3 z#(nA!7ZIoZXJ(#%@|wDeUZhTbV-W^DA7|_V-5o0tjF+$pD&BIwV_3bh2wI1 zjInpBok23RZqrZSB#ehvo(%|XH#WWd2nIbO8xtf>uP{h{UfwU6bLo!FWpB>{zpSb2(A2zwz2QvHK z#o|J`@G74+?~`9J-S4x=WH!+>FkW*SRV!anZK zn8=ptmy9>xzh_9!eO7Y(Nk+0zGhl`$?45bpmG};L3|(ZEux|p|pvilx7r}b>L7dA$ zPEz?Yb=`7-gLL46J}Cl$RgV=_>T8rhHoQ#*>ptl?(r1rDX;gh89?m0DNYo~Mh>?$? zb)UBP(EFo#4~z{mTl#KDyzYnuV@7EoN-*?bZ})j^vK$!~pv|S#(luy=TQnq{{j)}| z>e2R5#oj|;C7&LDV8;HZuOtBe`Z4ABTu|$h{^9rDW4s%H))bLr{fbiAf+Uy0xb4q9 zC0&eV^(xi%w8RUmuJ#S{H;g@hpB;c{W z@Zje8uRF`bm+HL5WQ85(vPeHH)!x|v>2;-zvEw9V0Al|87gBY}GcG2%hy!VD`IcIt z!Ln7LgZ(iCbY|s3F)}mpFYigO^FYR&M@_P_hOmYc;JVfx9Ec2Aagvsr7dqq3_cl_P zpguPjx)Q?Gl#N5c6&W2IE>1sHG49J~ir9Zw8K&sH)TkqgB612tUJVyt4})UQvLX5} zEH&uMkNGaj3DwxrEKSk@1=E~-izf}f-roUI;nb3>iFy|o_7g3ScC^E2LmX6Knd*L8 zGu~qYeFPre^}bPiLcwU7Dp``>g1n^J@u6)yaF2Nhw4%+2ic%_`n8VBFwxZ zEg6tg6x8n2emc1FN<)Jmi(Q%i)0Xo(IwsBnKLY=9)P4tu$p5)=c{~@mWchVkCLP=V zO{;%2_+Cv=k#w5%>}5tq3nR-bKzZuJ7?XTq8*tZYkL3rP2`<#S3c!;E!OT_A2le#kF#f;i6*kZ#A7+^!D)t}z9WnZVqeqt;wsGAh+jNaB? z-s2B3zfMN3{BZAWZa@sxRYqYm{@vWwCOevZt|VgxE53W2AbrYx7l#mN=(wDl;Z!aD z7V^S^&wLZEtp?XBPb=pZ!W{2mFz0%o;pczPKZQY?02@jjEC22OXdi-Sz3BmCi+%f8 zu9em&PLi~yJkA*Ntm(R%FDlL9#%vZ(xTBrK{^+f8+6UiF62v{cS8SF>($)IogUqLn zk9@8J(oahkB@2fO?uoJSC!o}4((X{V97NG<%05zol27uuY?b8l2FHjgS?n4WF#qAX z%{T?}t|R}X`;d06I59m7ISBc=PMAI-DK`a%U?x1;cgJ$XY&PcgVY6wM!nO99N><}v zwyg}i+_l6K3g&@$FiOUu?oE=Mw}Y`8x~1u0`O)|g&~Bnl`RJcEgtjltemjPT`iH5aU)4am*AUcNj9()bje9}`o_+LR(`s_IxS)J3pzXyEJG zync&q9Ax7Bl?)LxQKk$LjZ5HKos+i*s>bmd8_gl)L3GMB;`w*i>cWMrj_!@RwCfc# z39BsiwI_M+G%@pX1|NCvsuCsZ4}GOyN-Co{;CqUf|sR(r_%YhS!pvmXzK5iMTb8W)hn;b#6%I=OcY7In$?a-HXbj z)||Z_SqY52kr+00R>Qw;sAm46fAk1L_tO-%WzuyJC31Y7w3&S zC=toJ`?Fm-R%DNN!Cf$Iye;+3nlq z({Cs_8+VrFs{jq}k|OGK^2-PBmWF=F0XJ=V-0hoxR8V27J!LkSRlifJ#JyClrs
      2. 2=Rs!OzdkWH%mlI8H@%%?@Umwtq!N(iv_d+08RKYK#ZSAB!&M&PU&Y0p z@Q00H@S=}0elNlH4}LhBE#ZW%y`9cd-$xmFzE4_#lm5}U_zY&y$p;Qx)k>#F@{?bW zxXH^KqIn^(j+DUBeA`;ZTKDYz-Y=13(Q~r`2Fc^=udHSWBqt!KextNgm6szNA$#f+ z%t!3p8-FicPj#4-Gj0cN_W+Lmg_}h~-T7rm9U{i5Iu_QzV@#lGh&}57RO>qVP4um8u> zKzY!tHAa^3#v6|swmP_#fSelGQm%^2(KQmac{PaGmh3C-$u)g4)jh^ z$A8(!OkLJ4{R&%bYHmqFEv5gxZUkXaRIbY`u#zVF=mmMCmm>S@uW4F&3UgQ zAY3~x?Wy6=+Y3Z0hQL!Ea@FoCnxB$$-Iuz_5MG30cqyx#7c~%_r-tmci}|(8In)CQ zJfASDBa*}10`Ui!Zh`J%VuRQ^wjMuXXzV?X&&tkL1kM3M%Q(Ti)8m_a#9YDdOf5lx z6wGEM)E(c2nu1gwCSz}NH&6of&IcrzR=V8||7s*4PWSC*Iam(Z;-ALJ$_0tfZ#L$A>FwVo14%Bal@yUpSUxz@kW%S^wBgK5b{2MazDTn21s1BC#HF|*I8JYL zOOCXw@k*YiXMEk?gWMy`?(vepg!hDl2ev^lr8=W!dmlhKr4D^84<5Wb@sfP-ThCU2 z-{mmoIwTLwF2avync2L5U9H?m?3<~_OdjrCdf8DtIcX6tc^W~wHmM`X4#Yu2IKl{{ z73cH(`;ZalUU*o~E5K~XfPm5dN^j!>Q zce@Fhs+eR5I{tFdNK#3eOiD?%as!7jTz>bgru6=kCr>?(@7x{5uMJQgdlGLMZ^z+u zzB^1E=z*N@}$1w(QG}FK+jz)eUGP_X+0jyU1G&Dv094Hu z_sNir74UH8c77YlRXP~=f}6UzJLLXy2IKv-vTvHwkN6E>evpW}NMD@+p5C@@0~jy2 zC2Jk~6O#rDgcJinS;%_yq+7 z%Fk>JGBA2O_$@W64#*L+crMXSrMC^6yz(~q(Zt>X;_kU18Vy>6jQcepqDBNRblo)}6wm}O$I3`g z!9y)r1?AC+p?-4PANbT4K)xAzLo#nLCw*JzsGBBubmkj1kjZx@h6>gbX%il;vQI)u zuZ7E>>P=%Wtl39uTFx77U|DxL>q{Ll3|7ateh7q)Hs3;VhUkXL0}xkKygu(otOfAliB)emaA(K{6Wc4vLZJ(b+`i^AN*keG{&NC=!aq-eoT0qmm z(X7(0?{QV;O2Jdivf(*7EO)?AtIiv*j`c+&CFBqAYJzpoy$cHJp$GVb{cYXzQ)E3# z9@LXMrvNQKQodK}b}Q|Jc3`I?EvsKR7;_LqoAkR4rix&%-OgDb)05DOB1#`$?`&sj z^LvMey>-{);MY4+XKCGs{JE^p6lDHK((tJgtRfBU!BUtg-*k+RjhBMm2Ve&w65=Y zwy4`0H;@^X+baGZ%m;k=@hp{i^@jq;brV2{nIPpZUmSNRZ zG;;@;f9UAGu^T7@Zn4VV(?0pxC05~SyBN?^idsMRw;R1}*Is8T0!ojgX!7u?Dr@U{ zTx19?8W1Ub!fPydeP1jfuum(#eS>)89V!znGxDCzQ%{MFk!ewGfDTi+=Jea2&s|h+ z9T8@51smh02+~wB75ZNA?hn7B-g*>X2+Ix%s7eWAm58#xi4+wvj%gsY6R%)t>X# z6E^tL8)jL|DmZ29uFc#oz$wKKJFaN0D;2BuZgk|<&n15! z!1O7=$wf?Hi>0+#+(BGF=4hmsUkDF6+(r7h9_7Lmc`tG=w{}LjxU;~IoHDBaA3_FE;L`0 zy*C|fEn{-lc2=2Cc4~^n`pX9z4g${=8IoA%)(!s(k@jEz8U)s(#)UoQ zh4D~)PQt^uHuY!OO|G3EK6K}0-CZEg8{O8{tG|9w33UHe;m^FCb|jw|q@MdVRYy4$ zbX-I2+aTYjXCKNkKfThYb-$)OfAfIP!aT=ss{v|%DriLn0$Avt_9TG+&c+$I*tTm* z618`hV~n*$bWdE^O0?w3kTPY>en}PKWS$mdq#-K>`O@K5Sn%H^AizD!sQkM*zhVXl zs*ZpmTD+KP!m9J*bJOV;>&dy<&w;5ZAUd6QU7zT5sjEOW1mIc4zo`(`B&YXg!9$$o zHxgG-RsFhH8aMFTAe>{I?3#N+P0p<6dR@h|3pEQh1^LGQ!7G3#1}w4&o}0$wCh5Rv z=1#NwWyXQizxj^S;+EB;0%u)|G_4Y!&nNpoe0lEdeE7A#%MOTEQ7PcvmHoYom@%U4 zt9mKdH}8OX3Mn6D>Xc#6#j9&NP~81!x2IH9RRw}}DBBaEmv&q{^X3utsfgY8cd2<8 zBlhc^oh;e8A|3lh5b1o0^`7tzpcib!iY4CgmmR8^lv1h35+nUT>A_5IK88h!^7d~( zhBavKK*4Bw1+>tsJn4HNHyjG(hFO_VSOz)88wDpsiLwC zXB05NRyjbH#&cPZDhs`-x2r=F?zaC(7GNKp1=X+yak2+2mT-#Oj(s}EsYNZATaev2 zm)$3as*H8W{<$QviW<*G$Rv7VXo+i|DKlxNkpSD=Sm2^+MfYwq1O;j&BO|^9L=k%%G&1Fitk45 zrTNNDbtQkzxYd3*Xoa+nS^y~Ncr;L<_5u<-eAlz0-eknw*|{pLFCiO0IMSu?3hK~( zp{uW9p`TF;IyZwg`0ceIL|>&7`73%dZ+RzU#V8n`*zhLmP_0H0Y;g4U!{=-Y^}?!0 zlW32>Vx<=Mah{#!MC!>^qO;GMckQiCMdm(HoyRjr*Xt*fhq7A1Y1{F5wD_=68$qgC z^eDZ!J0f8EMuBU3W1Iw7Kw#*1=H=bPtAAV{Wyok}yl6j(I2eQpq7D_mnM)XgTFHb4 zjqCj9bjn4pC3Y~~v1@r}A2ZofHnB&LR~@Zqm4LRn?Duo}mcw(%{rj|}y0+`D&-}8W zL;X_K1r&-arsDII>yQaGix%@-?5iaapS^9%MbC+5TjvRb%qh}x!#88NkXsn@-+FD2 zS^y1G8@K7wTbr1;@oEIL0}uK#&J0zTU33qxWz>@0WTIFvp*tbZ5I)s1iiwGx8?XgK zNr>4<>GHEGFR^O3wM1gbib4VX1W))hpgMk%ZX*mDt*hVip@e|!@(Z+|@AXZY1I|z} z%#@F=|J+|h1}lWB8X*ZelFf(aBb_M9%&okET!CzB$>`tD2z5Jw=%Sp=msQHOff&mFn|y9_U+EKO*J(&9V1-QtFdak z(ZJmj>+P4W@3-hGgQ7iM1%NK1&3I0_4SV5~S?xs{;jRNXgMH=x;FqhByLO`~`pHSJ zMytiZ=tSq)llL#*y}Nnm&V3!7s}sKNr|S1_)N9|nZCJ6(f%KUCQxiD?1>lO-C4Nr6mUy-YZZyMJFJ-<~a zMMY>3-Gt1%*O~qOAqQX*d$>xNw)~9~|2dpO1S?z{eI3K)b^$NxL3zGv$Ps>C#k~y_ z)k+!~Wj1wDVRFK&er3yZg#GRkZ+$>X5UjNwh=2Yik~C&x>4=A{ORergT^I)GH>&>vHfQazT}$H z%c8EpcPrUP^eTI1N%O(w}i`-+NW=kv5v{s&!O9TsKxwF{zxf~1s`(w$O6DoBUY z-67pQgh~nw(jeU;F?4r#cQ*_@9?Prbhsak#=) zH-wFC@?9XJN1MC_Q~-W((z)a~fYyQ9-C`Ve&3A`-)BFT{sb}A49^#vfUr}8#%XdF2 z*^YEhV2ivysVpzmD7-Ec;hVDi1&FRGQ6SU9CNL0SSD@* zRgcfJEj!KOB)kVdN)puRv&9nr8?E?7%GUV>XgDOlr=0hr@Ul5GR>c&?%%y`S58+Cx}Wl#*N` z=Mz;`?q5)-Ji^`eDKL7lt0N?>)tu<_!mm#g=X&n6 z8bpy*R|g`^JiYPWS#G8{Y`Rf6I~eb-T)ewn4CN`(Hr~BlHinJm{3^sqx0#w_|>mjB^(%K5Lx(&7l^h<3QJ&^#nn8g9sNeHmyhUH;^I&7_oFpZLn zlzWIdbi_4^2FI8LpYctndlr&-d2FUx;`GWB?_N1iOs`wH+{KRUU7Nf(_-)bFn@C7TwWRTGaU#Rqfx3c^(adAT2ur?o)H8pC+wC2E!s+LxpoRO zBsfvr)yBDaFxIp-z4J7fbRUYu& zE1n$Ff{#DFugppW$jKPQg7mA`TxLV!E|oX&<3%ZC$D|R+>2-Baf%iH}GQ@C;1uPtI zGl~Fj*ZrxeR>fz?}X?h^t0FT^X)^jX*!Qe6F@i z#mMf(3Vv8YetsvwHEH<+;x#m<`6jN;!a4U)+=>5_iTkgsXJxg=ewUY43e*D7>hPwJ z6MKYO&Dvy_atIn_}SlAnps?Uqj(|`aPYtBuE*-{1D|9f>r33>N zU%!ffzpr<-0U}5RzI(ofJkT#>Q9WDRiB~{yu?i$Uo+7EJs#EduPCGSPf5h%SdhU38 z4>(DgfZ92%Tj$a7UDPjihH=JNFNLWA;uIlto&HHrZ{onw$<5arc~|1`XiWY7{{?eQaNH2=qsu3kSz%f?2diFu5cK}52!le=!vLWIIYbV;en>KI9*>EdSA zB;q=BI6JFrQCWYYHFb0ABT>(FxdgPIOzey!PdOcxbTT5R09CwQy93xC>lca=#qO7l zmw2}Ip65Rkx{t2gA842(kwjTX47K2X=z z(UWZjReAZ2n|7=v5z7Vfo!N4zp| zgU;Q`jLTTXT7(cb*^BM}HqZT;wswaPY*D4X|}Mt77n5}a`p zrx>@~rOle<$HgsRKX}gHn3%7q#f+J%eGtX#W{7*(khFfFj}xEx`HUpsygcF;ub+tH(oo?n6{Eopo?(xP!)yh(_*4+Z6dtna`+ZA* zFf6>x|8VnIHjY`g#=AkuAE+$&*k(L2HPsc%I5v1}2xN_CJ_3|#&>A8vv3!nsTO%$& zlEN3)_4VyT5-_fPZA_L`h9UGL?No)j^ggql)pVTUu#hC(TZz}$Ey=ZMw4_|BPce2P zo~?JU?gfNWLWUFg(VH6%Upd3ZXjV%BCIY)tR{_umebx({#HDv=X<`KM=n^~31%JvN zO6I1He?dVtSg2_%`8-;U)15b*5TLK;#!^?kN`eJ^=gvFd2gwOI6{gTj0LYhWTkps+ zx(f`}r=^z{&DPeg5?;Ie@eU>W`ywzR7X0l%>W){O2p-9qO|_(izw1*vlfv< zq4sp~r{#pb@p{4`k-dr-BMZH>JD-l_#jXf4G8dN44~tmdt!n?_0*v%W<2!a7XW%?q zTFdDlotOw)SeWohT%YfhrCK652PD zi5to51cc&T*4S7g=`@@sG`VA%RfX|BHXjoDkq+*%siZskHhpXC_roSFWc)snIzIZb zqaW_IibO-UwB$1_S=#5^7QeLW4xdQr8rWFKXxlLCc1CqZe;}|L72Ozo9cuUbL}EfB z+jf0Xg=JD2+*o51&c@+#%RKp%V~t7y?0q-O*z}@B%KRBi*`8x-#84>iG15w+d0IR2 z%~6mvT}r}4O}U;o89-K6+E3U{i=RmN!&x?K=3rVK06&0lrL7AWUb@`+uSbN>-Xqo_ zt$2#U_zu?NxiW(H9nJQ4Y*1NxGe8Osd~298s@^xe90z8-Ng=8^?%_Sg0D;&}dBOcH zPnF)>L3Xr4OM8TP+@Y7%Mg1R4&Hn6@BrWOQvZBzp=EVnt4vu!DKbdS`Vs;gC$WOUK zi^8%Lq~kSNWruCDX2s88d8r;eGRM+!;uknb3PPqzF*Cr>Z34mLmG+v0sU$qeCGbCu z#R{G{lO7pJ*8CnpnEOfJT)8?7abiQ zf_EwJ9u}vetcL>^j+ApXO%=}h7F|z)iW$tRetc3`eeBEd-2KS+mZ3`3CW4PA-PgG= zwethtLAJ5d_nfPp=wZso4WFn2>E7P=;E2J2+S0%!ULGF9Es~>^1ujJePu68NU5F_Y z)rXaL3}D;;s;$4|Cxz&M0@?5lYuv-j{^l|L#{1Zet{6TaaT&+bweC}>Q77SWK_vqD zF&Sg?_Y?@?&4b+Usz)WN_Qm=2VW#ZrunI-mMZbtdOMh%{u+1;2?5uIi)CCf17#tomEMo*rhqd z!v|54!MEZUB0UJef|UT>Z22`dTE*N2fN*siM?45@)k@QmQk){B9Uvmt2t4&XfPHOtpZs|qnLMG*FXF1o;58V=N+fuESK1kpS^YCm=BCkWzO^=q*?X{zZ# zP$@jK`C>x;2!{B1b=7dC9oAws^@j{r*8T2j%?{(>4y4Oi5huw z-n7Vx-d)w!v)?0xQ@<&0`F#KRb1uP#6CP&n2!OQ7se&+SBC|97#J^EpAlr#3Vsq>!KpZ}^4ZG!2W+Tcy!F!tG0X+5fK<+P*|?&PQ)M$+?$k41 zLrdp}bzggpG2<%U^=^nnd|S_eGqe%tQlei+nGgS6V0GLv&L%-7vYODr^#<=h=Ibvx zc&xWfHGV(JO0s-DG={s3W>lxId;uM!S>fkoxHKX|Qu3S%{=}tW%}qget~d5X z=7QgQ8debin#}Zp@-i|C8zse)F$lvR14Efb7EikqL}sdONPO!b-X*)O(zx#(xc#X; z2*d6;x?C@+UT*au)ce{jbo^1yVtD&>b*cVH&Z5b#;he|Eagy7iA4@APU^~?pN91mn zZRL_zGDYNmhQi>evAcV}e%Qa!VV^@%lFZKbV*R(34}_3T@r!9^91f6m_hW+AVnUnl z%}9!Ar2xB|u=lXtEHsii@rJWoSy9rQKqltRH`EVg+9fMYKt86j(J z{LI(>fXydB^!4@W>dyk7uT9?9)b>w+GUtEGi&qz2^IQBNQir#!cW~93<0y*twR(Ke$i>+a7jacN&x;Q z^04mk*6V(V`0Ph@D1?U%nr7`O5+S6UQ?CsnT~VhIMy zYg0Z@OhN7JNNbk;W42}f?I8WJPpq_=;!z4AHuFV&L^@1kYPhvfsqT)+-<$^&2Pg1Y z`sv@kxwqUnm)UQNh8;-zLvG($_T9(g9HEv!!&*@oh~0M{)Dg>ri}8hLd^!Hm`*o*t z=)Lox{_8Sup>SMISFCVU+{gIRNmJX+%yW543-oeT-w?bbCc)FmO>-9y&Dv+@4!?v! zszwmHri`Jzb4Dcgp0Ywh&A_VDa{C5n zDjcY`z$XkG6e9!i#0g$m$ zqtuaxRx$Pa$@lLG-awTN{C!e#8aMBJdEX%Cb1%ZT(}I!-c{uyIcYGmm)Vc4}VHmWw;55{>()#VssMNkb znSqoW;@rXHfEOe@RYZ2Th(>m+xrv%>imUB)ME^2*FsNx6n4jRryX+5Nzxb}b>)_?W z4H1C9v|ehU*}4LJX@?JokZ@B`xw z+GEq0KUI|g$vDEJDLb2PNaTogpWl+&Gxn@)%4WXAde*VwcfIZcCCnws)$A(S(zOUZ>i4GxnpKmACfa1g{BcBj3h!n>rvW;XX;V=(Vv ziO^Mw7;v)bbRfOmAmj}a zZvl9i?rW`HTKnamHvG1C#)u=qo5MyzpSx40=u|N=V=CL`nbD4Z!aJ>l-KBZbYbnYd1(_y9xFe8YBh*#a}Bs39MB_=0(z6T`Iez8oH%wR_HV=f zV==OmX*$FA$Y^7$;~~||JUxFl;yiYq-OT+~Ut&uuvMQ>_`vZtI&`{^G0k_{%|9~n# z&!QBD$ngdmjm>0tNn~+PCD*WNEpYV3nuDgLoE^sNeJzXbe#eNA&vbW>9jY51rB;KB zsvC-2^RiRO`bC@?xeuZ(Dtrk9fBY5QXZSOCqtify_UOfe>*h8}*e53%(@Nwb_C=sSm*F8P0xP3YZ zTts%46Q`Z=dbd7f74uP;d z0MzCx_+T1$?-QSbCGn5_QtB1n(+WrXr(A_8CJE#5E;u_4IF0M4hItF#MCA_;0)8az zp$HPfu~i)~1^uHlGck?}LKj4k{OB~XPZ8t{5l@hks;xWO>@dxz$?CVI7ChH0SuU;& zhVtA`M54uxh6Ojplbs~?%lboz*=A#~8xOVoOqXhF<{{3s=1XeEaEl^FHtXax?z=VNz`*|A7YRZ#U9t zWtf{6_35|O-pI^C*w{VXH@C{n8~CV3joP7VdMYD7_U5~@9BKC#i=Tv)%m7v7M62bF zF*TaPu({7+dGA6?Z@euv`4aiFL^d1EqtvrYkFIezO7L0I8TiGdf;h-q2RE@dxzau_ zIst}TrbYYm85@8IrV;;cHfaxSVGm>Oc6g+;$gP%C^~3R+a{ATVSQSFhVJ#n0$s#(M zP2s#Ek1T=A^y#34MnY(8rvi^4Wz)O@k2(cj`=>SM9Yo9#h{E?_KFy)~$Tw(VA-N(v zF)8UAAb2cqu8L_6>rP$6D4NxkykDTytY0?EN&z*{{cQD*tCwBTqr4wq%vmwt+uzvO z>~c9Ydpq>Y^U@Mxw+uGd;z*Laeond}b8orlgLfcAG~7tjOG}^0#zTWW?q`gB{2m0) zAJ@4ajBU;Q1ZWg10p@86NnlhHGkJh@r+?Il`e88|PxgD=WeWguEN}VbA5tNOk(JZs zDthC5d)hIq5QFyZDMrg#J{v9dxwANDsX`(`4%c;yYbk1ja4#Ojd0v~?d)G7JR0r4& zgWZko(P}qKnw%gE;;`*BZ$_IFGNeL=&;d_@>;Md__nICiW=(It-Q)>IWRfq!>-F_R z-=P>s-~&GSd37kfYafgKDpoTAer-MA?#;6W2C)@`d`+^LpK2>E;eNwm0XM zJE~(`TUUKW^T$iwP8=>>d+yh@`R=xT&J7nAUI-u9Ny3S)f-8>?7+xE5^tWe$hLkQ@ z{eB{El`ud6bRI6hGx}X)I*V!gdqsHQ<3pyg4A{iIGACU7WO$*_6(YkJ52P4|(J0~L zQFoY9-~6_J`a!fQrsL30g58W{e;)GZH=K8pa`&hj#}s? z0l`Y^&BJ%#4{GG$tj+tlg6iDdgLJV+(v)6L#B1B6_HwR$K_B$Dt$VA^K_d&J9bY0uaPcbbKP8nP!@>xHVh!n|Cy0Igl2`+%E(%UrIt zBjl!vKi3e6P~Tp7DS?}%D3cqhkj1Xvui91DByH>+OgeA5Ae-*+syWFX?qS}=!ka`N zL|Vdj?>b!sD1;D;#QC9Y#UnjLe+ut;(~hF5&thx}u$9KBBg`}fqI`jMFOxp!HZgd#W(a-!^b zdh|_nt2%wzR495qk5%vp>PN(9Xq^|(ITosf@92Rp^iw(3 zjrq^LQ=w$s!m#Wx(o$5tl&j}v@=0HTTT4XaP?pe<3HUIq&1aMYKY5-&hrmy$E{IaA zJn#weSDQo@0}`QfK&#Kg@yuX#9UXrXI|R*^&n+^Lgxkno`@`V|vaUghL8xzlUZaeb zb^WxSF^9{^DWc!|GQH*(8q!ClF~>9w9jEhHcbhJiKlELe`(t4`I+A!DXJldU5sQv{ z>y^WN?3uMUCNR>zJ?N+@0QhEnFp3x~3LcE|<%EC-;Zru!({EXZ2`t)CK>W%FF#6WM zxh;1zUf$vW{g~t#Z7EHR9Q1EE?!`Cu1 z)u!19U^9|PfO_vbeeie=2s`n1vWr;(F^7|5nZp#;a7!Uf8QxZ|m{r5a{fr$ScQ(m6 zGQ_2?!#t{lD-{lOby=&@_CZM-CdA!+{`~pz^v%8h*RP07ZQ4|a*X4h(+X}^_C3laL z(}epI6ToaU6n&4-t#@s$HGjY!&sFH6IBFmZ2!K5Vd8KS8Nq)n_KHlAJUrq*kB8fqx z&b)1}E-zj@Pue&E^T$k zITe7r2_SGUZ?CX;*UzN8GxV1`I{I&K1xX!xkP!#x>g!d2`f4f?)c)ICWjh%Xi9RfK z{+j(1lxyajn^!(=VR?~dCP{XE$!g1ODD7UfE3l~*+41MyTvy5Wm-w)R8j-x73g3x0 z>vU^rojs1`uL2EaT&9Umt+*sWoUqzVU8yGJwUn$Ols-A<{_*PxtNbH$@u`d0CZ*jd@p1Z>KQsmz;=l%=q`FY6@|Ef4COs1q&}CT6)|M4WCx?8ZlB@_-`KYfS@yCsl zPhut`IjV5&le&5kz*{o7`W`!@p&4@9AgJ*LDG-DBE1n`B z>#9SQs%nO{4Kd>sRI>B>Mb8j0n?#Ku5R>e?p_nWXPA!MU)DCt01VO$5)%F=+-6vCa zXvG0Q8@%IH09Hn@pB+SNNq1{xTTvhzbVJBA8qHW38K<%`Gauzzw3XRlkg_A8JU#0k z8GExcMpJo`U5_H*mBI;6%(fUd2QSt=w=VeIRs{qp(=(+uQ7v5XFqFjQ2sxp=%F0TO z@+xM^Vjwe7cWU_1OZF)?A(xyuQ7Q0aAMs8#CIEzcj1R9X=NTsDAY z;3oDU+_)YGUDVZRHpJ_jDw1@Oe^I4=tQNK5jvcxSR4jVcgJOpPGg;ct-U zM_m4bS~%HxIQ`)gel7oOk=x9R&z2X)+Ab{5(N9M5_~80Wv6YOwOHVv*eOTZlGy9UN zE-ZB~H!|Ev04oS*$5;m=;Um4mCK%6F`HlEE7mj<2Ch!5-Ux>~kD`FBi7R0kC%W?pkvwL|qalpTq|VbCX_E5-wxbJbz(4qguG z%AH&*ti6{(oDhPohJ1obw1iCj6 zP1IbfRBa%xna~7k%3nkY9ZwLyF5-^LEF;9p^cTF{dO8*H< zLx2t|p`8fJI*i(?j=2b-w5I-K!V6xL-RQ0Z*=__+9yH!LV=&0>(T}n^D?sXfek#TS ze2&7YBx?UG+M;Eza2Y-bp1swvjF<9kFfDdpLf%a;r72ZIsptB})86+RW(dJ`B*OyE zICpbOrSx&`U~ja3yN}(}O;S!v@)7v@cEtooXKC*6C*F5|E2aOu>R}ZFcKVB{r~P_x zzBH=|`O3osXb%4lGK|U!I@P?9|aI8D$&NU4rB67@AV^jqWzQuXeGp^`xYe=)2D| z_Xa$#CC(r;UsIY|oz(uN&7a|qOwVgR-{ zYP=6-%yGEo5=-XxzKg;hk|#IsyHeQ{crElu?{mgNh{WWei~inqa~&)6OHY^w2t6gh z{z@%!F&nBt_SwDbCFRyP;B6fEBnR=ZmslkM#b^E|auGG~Yge$YEpPw$v@>b<&FgOjPZ{S#S9^yii1?fcv5|{nZC+s>t3kF=S&jsr+57jHv~2D z$&Fz?>*7@f_X@^KfuTp6_|J{I;=|mF+X-asw-^LScBwK`v&OJ##Xu)@AjrB#@#pOt zRBHLOnE>2=*S)P>&qmP^DGbv%CsI1UmA2kY+2`Uc1+dPTsye|!aCmUU@e5)cipazR zkQ}(r?LV^pxBCaYa{dgee26JVkUtE(&jy=IFuHe8fj^zFc=Nw3g8#rQIDPK1O2uY)OOcEwpzjri@&+ndcW?z49 zI}!BB&JSxT3vawnEZ$)}SlDnB z#yM4D5h-9}wpeiXuKF2PjAD&un}pPc7mt3%8aDG|PUVcM%obWqye}_8ghR3VqH@vU zJl7e4$W4SWw*5bQ_}8yLQo;*#T!3{F5k*(#koCvnJx*Vx__Y?hK8@*(ndE@{lHjZ{ zxx*<9!nrJBx<*s3fHQ*hc;RC9kSGo#sAQEsl;+&K9A}B1AJu;xua84lKtnqkBA^yG zFF7UFZI9iU0cx5cnzF#n(JQT@b7?fP1J`2ae`Ds2ZMxThd+&0;5s3YiC9$R-A%g2L zAa{2f{5MSX-&fhnt01L07hDf{e=c~Mvxl0)_eW^gVo%#P^}Q`IUXS@kaby>TWf)h| zGzHjuXb9zYjKJl&Q>DOjN#9-W<{qL-wN8hrn__;(I##UNNSg@~1+F?p59jztS`r9N zKYF_m%CVx?pfJ3R1J5@5y$VD1=atp3h}#3BEz>)m?!*Kvy_jxG8jxSJ;u`ztOARq7 zsN!VP)z*l}8h^E$M2Q|rnXZm8aYTbT!RM%8i%sFD^A`;DrUCrVhYs;KBqDr7kNRu;!(qWBE*<#&NzBK_e{1D!$wO<4Hjzu;+?YPW*@asm4TF!6PwIE znqzb@KEr{F8DFh*c4Nj|f~8#KmQmMb#ojOYKT6*lvUs^0$$D#WY%8nb!+=Aw-_0aW z#GtobzK_}O6S5zHxD}klHJU36A)2D}rzshn>j9h_(q89U=APq5=|iHZ{x*`*^7Kjc z>#(sxPys16vA%Zd(&-YSv~R?7eQ%l|lj{iP(eeE#{T$&a?Cd?@^S=!EpGzSX1Z1h# zXf%Th_w$A5p}wXCz!aJsMfWb8M`-Fd6Zfi|@bf(le9^{xLhR*-F?gjSLI1<|&9o5c z7E6-VF0+TNnvj!vpI_eiOVHs)2exzDAZd#2$i>-oj!t8aF^h}bH4Hr>IHCj@<__6& z4z0@bm4qn%Uy9{FQV6RtnG@N?hLd%N5bNKV_nAiTy9ciG#o^Hw-K+LJO65c%I~O*2 zR@ZGUZq|mSH(L?VNsxr z)%T%)?NMt?AP#&{SX1h?a9h&S==$G2>VJ;%&yxiaOdF%++;dGjQ4Drn^M7C> z4@dR(B41X<S>g0zOD11~iUt_wI28xwq}(%W`b*yQ0qj&(&b3=1;m&>o;23w|CUJQCt(?4?at)D9rVy zid=5EkK}C%k6Z8e3dy_KMFiuB#64v9k9Rp{8C~l?LzqX&4cU|NrU4h$d|<%5Wjyh4 zg|(#Y@r%nx)|ZuW{S~))Kz+R>X(I!tIZJUb(RCLx<=)f1pDoWiFFO`!*1ecD{6mh^Y${qHd5FD=;J@mBuNBCxO{+DL$kgY_;?Ua%?{!APYy zmd(6UYjOQPIx5WlqgsX+vQp}#_Py$`7=b3Ugl@I^94fXZ*Nirg+FFl?N27L^8^!y7 z-bi;gAg{mz&s`}2UA{{k_@;M5uG@i`PAXLM6qm;4BFOW+QNxL0Lflxo{ZU|3=rc8-Uly++g!)&D0$-150+HI}Opp1_P=}-8TBcxle zPN0>CI*~*bn90MGBcwthdmhOl=g&)oW}92ZkRxHw(`NDF#iV{7M;N|-QuNZ9zfDNm zddN|ukB!M3K=?QPEY1A$RvuwHuEacBgTYi)_-^*%oW5Ww_;=SUYnugRq>>%`DyGKM zx=eZ~$y2wZ&{m;qYBkZBVe?;51@7uY=%7K z(fi06P0iiptn2T-CRB62&wsg!R`|wRf)7MGzeDfXQbt*)&b!Ztb?jKs{WfVs(Vt?m zRveI{Uzx+`#gfYWf{sl{X%?mBb;n~*O+IZj4hwD79BmrqOhJQPwbJpJl3vIzNWT3{N=V%qY4;8;t5cM#r~DBpM3X8}%-9 zU0;mWAr1_x{@6>5X**fzHZDr8T^jyiMwUG-|BMg@tB=REgs(&Qb#-Q6<4l*~=xNy5 z7}}WaGCP8lQ-`$jjDz_ZjdxxK3cE1(kL#PKN4q+TAse!A`@%(vs zE(`V^$48=fA>H=Ceq?YFg#{lPi#Wb6u)&gmr|B3tJJ35w$S-@6(Q$5+}qwu zh1Knl1?hliMa<1cQ~mFAkP37lMa{KH#Y%r9it=^nM~_9+!JxLsxTuEAcu4z3@)@B6 zn{4^-q)caRVIhUjv~aMYjl7 zr@WKwc-vqw;cA*iHOu;=)Heaai(eMd%NI*+Viz&d(48~nJZwo=k}bZx*wy$2^;)v3 z>al_qn1XaK)w_O_e)#I7QqL@o?lz`A)GZ@q?tZ;%4aQX*)=ohG5z(Gc6a==o}_Gi(d46)>X@Qw*qBke!sp!b zrFY>^kkm*Y?g1mNZ{Mn*?G@lor5sTKS6?-wq+$qfc3dQ?0?9lwkaP~!T zgXY_%SIu>AnN=tniRXM`2An=_H^5DmH@hY?Q;Hoh#6z8y`1cT;cD+0CpKsl#DS{nR zohbpm;SMVxc3&+>MA)AG{NZli;H|VrkBSOgIKy)LPV)TD-pAd(V?>)-Ldc8#2^kPhEq8>~nj^Yby>0_TV1g52o<8=K!NuK9&>$z$xA7|Gc}OJM3l{eirHz}r&tFD3l> z${4$Yf!mc$4Ac-|x>Dy?;w*JA5~=P>i1BM5fbiO-jmayk8$lY4pd|HN@9z5{2|^C# zW$lbk6OK?PXvPvSc+x-klQxVQC6F!j>HzSKhaZD!G5Y=SN(^pL+#T=VS{E!sn6R3# zjjthnXD|ODWE*R$*b;%2mCo6nTuX}bm8Vdnj^9U5H%A$VAk;&;rcLcTd!v4*AuHaB z1J=O<%Kb3#sLj+&H-1ptMRn+gw0qPl>LsktZ~NDP+jV1)nW#oFdd=qNoW?2~8s$_N zjE*EO{P?}s-c4UFY~Mq8m`~J1$k^Kn);X2`B1f+bYxSg5)a0qa?1nXW6%R)v+!Tzn zzoGSSTrxYl#ChCN@Va+Ap=raH{gwcOkG)JTp^3RA+jBaS!<*KCsH6zVx;cO$bUA3* zwrd!x{!!L-SkKwn9|N$qhBSkN^ophB2uc3%NC(bq?8+K=lcs~$!{aANF+ziWYZ}92 zARwB8-w>Z<^Lhn|z|Q3T9NE=vAI}#ZA0M2*tq2kX?|Q2+ZmWYB*PJo+fqJ`AYWp0L zoyI3S8yvGi&5;0MJC)`U#&-Rcokq=SWp(R*kFNzEcJ|8OwXBg|?JzC}rjDovHe^f1 z`=P4;MvqPA#t`G2C5~EBoO`1o%Nuhr*yx@D8vW?&cl=&vPMp7(P`3+-(oXzHgK`E& zGLS^3*zaDaP)cFg3(Y|o*>#0N=RMcGOht*c*USsxN<8d9$_YFV61;*r6@v+HNx90( z49sq{4rD=Sxya)KfiKXHwf`Jp&*|n`yrfRZyG|4?Apu~6+2hKDNS1&#cpyl1AiWd` zCm2CX=fQqSRd0$MU~!{jSALG0*=^yj>w z`Zwwlz|Fxnm)CEm_IHZz4v-niWn4yv^`;XamInx8-gEEoZDTp~vlaX;cL~45fW%SZ+jZr?_3Y*xrAh5-5*R-wX;qIz%8t59ZTEYRAR z*?~(^8-L}cZ;+4W2zdo`09;+as--!wH58+Y{Vc*pm`z(t-gN%M(pa;Tgz_ z`R6NFP%{IlPZo#aN{yW2pYI4$nRw!7Y4&{2UIo>UG(>DR}a^&ZS||` z7YTQVq_;<>SD!5{EtQw`XoMUFB7@cvsIUO&-A7>X$KM-Ord0TW5ML8{rW94h{m`p) z)LCTN+x$H?gLM+ICeV4(Oj>d13q#B`pL7vw4)3KUqFtM>Wf1RL?OZQ*IL=+k{EXpR zsg347H(A7RUkY=NqWqYL^mdZ(L@U$@0($CCs7|2IBRh>B*IA{Sq_$o#O~%+{lcy7y zu)j8-aYoQoq=Vk>h&1jGTUW#pz>|o>3N&7s@2gBG-6@h&4Ek%cGngNZIZkyY{k;f7 z4v;DdxR!Coa6TUmv&~n*w^7Nvy(oOg%&stzc~a4~_MpDG zOm#8>ytT=S8v@dx_~)=5KXd8d0_ttiF<*d5%fi~M0F!Ae^9-JgJ&~JD5gCf%PxvV* z=@VQPWA>$u?JmMmPU)3dKA(?&`7R70j89?7EZcb5b@?-C3{|>=SDuSZ)xWp6FNjIF z6+Lvx&qkBo;BkM{PdT5NM0N~334%X{#c-5_&$8nUpJjv?mk`SzHKIIXfc#>BXv)w6 z4e5ojSu4udOGhE#VS+GTAg2$ZI@<&dL!Y2Gw*y2kBtI%FA#B~}=<^f4oxiy?>WuLJ zGg;nK0HrF z=sn1E^NwC1e1?Flre;=~7>k-`AMzaVKX=ja#FW6x`)~RLn`XXqUU{?wp$vCI>9= zJa>M$IYVdGEq(qXJbXr@_DRmSr`cZL{|*IGFsCEOilc$#5p|(!r1*QhZRw3lB+BUM z5UiX#I%2W8J|d8s_L??Ye9)w^33(^Xs#)@tx#-;2 zbuJt<1bp|BVl}x@u~QhO+tgErc(or&xVnfX{0``Mp<)A-aCIdhzv@rf8Ote=x0&m^ z!+JnxQiDE0y4~3yw@0+zpdf9rAf95~pIRWb1X1_~HZOTIi9|n}?d5}f+cFbDdQC@{ zG;Hwvb~`}*c$6+}eF86{H8C&sM;u3gAJcKQ$InKe2V36Ui7;hF| z${8!^&POikoF@*d^=&X#o8A4R@9j0AdgalED`i9cGno5vEzN(Q8_ap$(#rrPnOYvP{tq`t!CaI-)syD6gyDq$@r9 z-5GiD#~)n4Fk;(v{^p5yHuzfeph5Gf!Z5!`Dg^qZ!Eavea&#@Zn41~CIY(VUCg?O` zYHHj$jRk?E70r2a9m3~J>p7g%2gO{Jb?Z%<`#I$VU8fd_#@(EEG@z_Bh~8F0!^tX6 z!H0wSjCIOoeEgShI){^LUTzYsEO2xiJEukNOgHkLl%IU8HD;Ppw`-a27w%d(51ps6 zm25jp?5P6(vi;q@pn3|*@#A${dL($#QErdjgmrh1WbL9)J4Q=v={8~L6$z_WUgKxFThp5>m=tYgjo1H;p!|?kxdKvp)f-;mUsabhn#v` z_qneTN>_ojQzEwYErxqPu6KQ>V0^Y`K?m=A7@K@Q58SnDQ_uaWTdrO(p?!2;0Otyj z31S*%Vc9hQ0a?Pq{Eghn#+tF$it-<(%Bqz~_7TQR) zkE?e-pZ$^gcS2@q!0Q@ot;21^6UwQ&Wjm$j%e2KK_crY3h@=EXx^|E)_ zu2VxPLihIUhb()IJGL$8TC1Vzj7sH(gla?Jb;5=7+>-~tgBgwTN>Yl#+s9DoEptxo z?QRRY{p6eY^w)GETUY&SjF`e7vIiy@|yBud{WM;*X`fkFW56?ft%rVc4=m$NlJ z4{`a!_F6?fhn8?8rFJ5^ zy{nI0;Zl~jN99+4_@SRaTMwM6xS~5cI@(WUpc)RD>#xjYWy+@LyWFuH-=H91n}jPp zVpwwS3n+Al;rwYsVpYRIK(T19>0eL3P*={!eKXqf7CtG1)It@1){V0sHGKGcR?FD% zfYx^c4sUmgG_AU=9@#>&zY;Um&^I?+_Nhe-zo?IUoYX^ZJEK7ybp+wtKuUJskKEDJ znHb`luidx2bo_0-Y?x6z`p%VSgd3PspB#6j-2B9PiQLbEsHY#fj_~?NpGZ!#?s%}- zFx7a0B*D{j%R6o6gLBg84$ayo;z<{tuDGo?y!Gc7iAHW-wtt6&QU#wMq#CGkwki}~ z4mX!gTD=BkrIJfxuMY0%)8OehPvHwcfj&IxxNLR?A4CIAmC=>?T7gIZmdutw3yT=j z?6GSshI^HO#cSq`UWb-OQB@~(R-h$YD7|s-t#grX_bGm`T=_3Ty=4{5uP_3d^5g>; zbnjsoVWcXd5rt-#KziEe;t2sY4ejKun-@%%76Yt zRu1pPpbs3|4B#qOrcmQ2R{ZTI;7u;UaSTTjb_&{>{)5V9l^2 z5!!L(x%@&+WpYpN>uh5VSWQ;6WwZh?hUQz)Js8!}(l!0pFR%Kp-2ueimqie{1qont z0pW>>V;}?&tm)lFSAkB_i` zt{81j!=lqK`=+8VjBhZ}u?82uV#OV{Yy}?Q`R?~Ty1nZ|=C}bP1~CPByqMx_EhI#R zIN9_B(7a-|Xt*PGK_nuc*@C+W)gb)!?Yv9tN?$LbZfb|apJmTZnO?!C?1GF$dxv^G zZ{e9BaBTy**V%AuJ}P|q#eZ$m8*0|MyfFYQNE%B#0P-k9uj!hU;&$nbD>|FMYUl()l6QRX-ur&{ z`;!0Q5Khisd+nK7GjjMJD;Ki6)&jA%ROLb^w=&os!eSW&o5d9%uv04u>&;w-k2^~n zp+m=yu=&sdV$ zHu~DWn6#S#V+yrrJlH}DTA1;%PWt-CO{_BQp|Qu0yB?DPpQLy}T}k!MDUu&$W9QIj zR08Z|Bu}3HjRnCEWil@NHQu?tvbEc!0_=9+_HE_PeDhTgO0Fyb?XS?S%7Htn&a+cG z)okPAV$6R~9EXSQvty{-Tp$rg*YZybVZZu8+MZoLO%uCtmFTAUy}pWfCgr5_4c=-7 zKY(~A=dA|6K5R{MIk_xIv)A*fjT)@R>(M@o>Iei7hOf26O{SI6x@Je2?|Zap(Buj~ErU z@t0L}zFR2=L!W|mL|Uc7&w}hpp#Sp!(j!Oup zldi^`6Krc}Y$`=fX(=hmJEO5|wZly3S$;xRe<}8S_M6{oHGj&X*R7kCRIE~b9E$!M z56q;P|A?F}<~^;szJIh4e77o`$=VXddH$qZWcZI&w!isdPW+L(>fEye-M{!Y?Gs;! zvT+-Jc3Wy;UQcH@)Df27@_R&f&c}~9A+ysadj1J#^C7GFaZtFxg4CqNtT-dzCAH&3 z=~a@|wY8*Z~uu8ju+rzMllea{UFUmpJ>; zs%q?oV=>m`g@$VYxP-5wugs$F-kS*fKGBhcLe2782e#(fGBQhCOy@8F^aF32%=GGg zekWII!fp43PV3s092SK;FtnuP!E_M`iDeWy`gWBZ<0@T`1WTun{sQ;acUh{aje?XVwzO2X$xv^bSAf zxO(;a)9s?N034X!W^HMS)ckS@ofx-@C3v;Vjzs_ zp2$sGn0tUx9gv2s=6jS$Q*Jfg`);mr&M2DMB$5K%x%3Mid(#x*j2!rDst3?Cb9B;slGG;tIJtnMUCm;>>gzz;_j8+7%tBHCwZ!MCu}`iA zhnADX$)1~%v@DV0KMw7pC^B*513nfVeMU>w1N*^_r~)HN6v{S>rMBt+1(%LHp)!RqbiaugF>4a^@ZZyi{t_Gl-xPZ}rCHMl@ zlq;rO5_hcJ-9s_Bn=rHi80Uk2d!H>70>WNK2I(} zIo23hzGh~|$c5c%byMPqg`CA2j~u1DqPkdI1B0|3fyuS8P}+7CVV8b8R#CSr7bm-H z<0hElrBC>Si3SeKg9-*aJGKou4X9fL>M`N7T^jfY4DR$B?eHGr-+G~>Y!(`X_60_^3b_l4t`ufMm=culI z&41B%BoE+7L)Uu7QPa$r&r!){^YynR3FP7E5z4`vG3WS^HLSz3k6xqIwTVPsv!x&? zvy1~-Cq_(q-8K@+c*?93Ik`w6S>)Fb3$ixH{^6|sn=vYEwg21+SgT{3u4cnNDrL_8 zVi#wa5ILp2Pn3i5{42!W1`#;o1|h2h0@@0H*o72$3*D_*%ySih)wz9~Asl3+-!l5> z8TSXr2OoY+ifDqN=VQVivwS~c+)9^*Cbdk;BVOyPk@%ktbkI`FH56zzL$4ApThLSW z{Ld;k3&+>69plN>{{K^PHactEt#M04Bx$As z!a=#8w?1rMTIBGKJL{3sW_njone;wDhE@R`y@{Foa^9w*XUtju-xVr6hKO`Z``8A13 zkC|Nze3F%!v|qm-CL$VuETQtyfkvX0IAY|$-)neI589~}kd6C#8Ucq+p#j`uhEO93 z{8+GIDM8F7;6&iVm}{J5p5+2z!t`U8GU|ni&MJ-kM)4&* z3X0d5ntGSHRQM>&p1I7Kyr`&G^IqOGrfZQMe1~`PWvrI5Runf;FU3LXPGmf&XSD>Kdina-FT&$br(U=t|&HI?3O& zbrGXfY)o zJgWKdIj~l*A)7iXnXi3?t8afGi>r3Ip4VXDPNH37XYS)U+*zQ-_)K?&#}UdT^xRai z&7WhigAHlKp_L!~%1h1p$spk1vCoh5*mH|735dgyh(BRco3)7*!MI=Enqlr1b;L|tAWOXJypRnNL|cM;$g zT4KvMe_8^0OtIL2Sxs#Q@cO0BHj(;30;hOX^#S*3qXS;?x z%fVTm7XwRKsl`2lBVavhFItQcceGgAP;o{Kw!$j&yx0u4&5Bn>A)8!bB+3Py4 zPOnW$BS_`w()%XvQ5rg2naVa52ynYIB1NrmHodjAB>0A1H23xex=V-zud6PFwD&K= z(^}qK*88?7B^*#5m|oJ{^FrTRgz74@UVKPf~S>~eR zQ3Ur=cmVe!o&B`TTvog!CQZGBUsP+vbzCpAPv`hPd-d=9LrO?g1)cj53!YlX)$TQ7 zPd?F81A{<`kp~e2m=gmKlDWQlmyByWJ{vE4e5UpFr#!~?GjC`956=_&DCD9J%tut_ z7*$W`b~7j*jnz^CWC`9$K|cZ?scU5&bl3yH=R#rD0ycK*;o`0%4^)M4_x3C(!N@IE z{XVz0$#}V0cK1k?^0!zF-^Cn#;Pqg-Gl3h4!Z$)kAGQfaJB0#7^~zh8`%aQuY0dEr z>aH-3a_2X$4vK7xq+dh2cYGG&5z@`fUk_ILVjdibS$HU9CSxyN4_kId3f2_NW#n4x z?|0z#L^jKuisz}?DO~*gDSQpny_X_4QC+%|125goX&Nh!6^(Ega>BEbp=W1jt#k+HZy=dvlU#)wG0j(Nomd&sx4!-_L_Y#vu3lg zLJ-NStRijMkJpq1ugghp*TH{^-%ffP=}x(is3bPuR$uu4HjVI9vU#2?Jp6{ zCU?cKM#ucTQ0!mbb;Aup1Jy$VB;490quJ}opNc#E=7tX_0oCN(l>fKL5GtC(G{7a_ zSZz1<#<>7DH#yzu3|-S(u*EVm>iwQgIT-MR0Rrl7=c!3E=9-%U9x)AWpw}(<%~?{M z+H++$TGdh2{1~C#apc3*hSsYW|GWUE$_nm8F$#WK$Z6_GcF$1Mu zfu4TVat@aLuDVJ3Q4?t^N2#EG&7Ewe>w))mbamtWIk2{Gnt6GiwzZP)gJn}LDTk61 z`F$NS+7BOG+GwvR->0a1(_Pmff&$rq8sM4pp>wRwaEM+-rN|Kh5Q=iA?}#9Lu5bia zB*hzBdtw9T{E4R69%CeX6~8kOH-qkqwlP%ZNsmG*-SCB%EZ(^Qx38Cwsfvu(lX+imEfZcO#y1=z)Yp_{z#Ia4yILT=pBWTeGxR z#!url3D|u8K-DzKSP@3SN3K|*n!TwWt)V7`cEW4uNkcex`phMYhXYdK@{oe!z{s7T zugVI#j+j(*aJX6G?0k7a0F45@MHhOx%|qR`b4(c+Ed}mLDpPWE&moO`q@NRnEg|7r z*TCkbauF`V82CyKy25we0PmBb%{py(M>_PI0cUKLye6ln*5PE#4CW59O@V~3y4B0d6p)X2EtPv^Wj&->CcEM6^Ioj=57Q#)Kz)Ng zj)f9*5x3R;@2%@;c*fE2j-ydt_qqeYwGXT}zQR}5V=3MBL?2cRtWt7_9_|}fbN=kM zZn>L~P`7(&zDgYv;7a_%TP<70cLjSM#_G51qe zvBOFEQCuGP8XZ<nXofm z#PTLnQoQh^Ob+OV4ao}H0)>JEp4_vcSF<5BPDghSaLVyB1f8Tuo{wh7S(*!*JCWvP zRs^|S%bu=l$Ur8QSa}?X6Hc+CRLU9~Q`5ut<^LY!Iddtav$ejvQnJZjEXe(-grSk; zBe$WZK$4|+%0ZjK9edBJ>Z4;y#KCl!niJnbXAPT7s?k)F)m&-*0%iloU5GW)<#mQq z#!)gxE3amu!#?(*PTjYDKib0?ta3c5sxrLXDtMaY?3`OOP7wCpxlO~wnm(AE{9D}* zw_$i9i(7`)OiTxAByEXFdV4kjl}}5>h^^65a+2h*eZe;*D{^8QK;G`ce*9~4&{&`i4 zaLE^Q{wQ;`0fgB6dUULzev*(!(Bjs`XcwQ!hV6gWe4KkRQ0(Gb2-&WHjaq5pblpM* zFY0p&Cf}QOMY@lTo_d}SjlewEQH6*up?Z?!ZXYFX26Bh;U<%(PbMrq)nt*zRd6g@f zkG}B87ti%Jf}lV9yz2YD9G3}IRfBOaX4_p#V=r5{KoH-=puBw70^5$*aWcMy2r0Be zkN4;HPLCmbShV9#ScW?;{zQXqT>K59yIUL+r(`|N-?3m>v-V2fyFlTaX%6-`K#&0`7jQt(8=ieHHnV?`F3lRY;$*!}gEv zD$Aj6mrJt}VO9&(ED|0VSB|zSi=hZxQ?T6eiN1>ZdZD1vZLn-f{?|ofk9r;0|D4>& zYx*;1-EzAa{CyMRI?2_LS(nS3B9Ttz+mR}R=nWJ!D5m4I8oF7Hl)@Bi2~&j>2~?jE zPY=Iy*0~(Cp&!1i*ekxe4rq%-!Supn0FN;>nppLJ0>!u?!Z>_L1*`&kKWmx zI_lSN-JgN#wkO`D52zW|xD6qQx53SxKKgH33{MX7c1nt`-xm}6%rWOCA~l^#l2L6% z3&M@#cb?1x`e1-nhp-N_SBvCoWU}7b_XL89Snn-!jPQ76faK-m|qS2;k3UzchxBK>Qa{{ctSp; zEw$>oA4V9tDPyaT=Uq*PypRikF90`}SZad{>Qf?pgSEbkH>20B7}=A#zQnz!l_*oP zjRO!ofEqqDlz%C^hh3jk{(?ljU-)9w8GWxOF3=0~U3Yno&2fB3GT1XpOtnA3zqF$))7 zBf)nD07OvIWsq+VJ1kgGP=c;TCWVtV5>ozaqq@meQ=mOEqIt2qaAO`N=;_0E6>l(Z zzgxD5lD&k=X;q-7OeS0F3%#2!TU;91nI3A%C5oM&V|v4GY_1&m+{1S8;y&K}*#Ctr ze#I!Dtl_h+xR_Q`AWdMM^&@s&Y}%@=f1R0wFK$De^{=~8u6^7#dPE1NKiNISX~Gzz zVr6a5%SMV_oODPLdIm#3KH(?bFYYmT=Ke}%cB_GULkC@tJ80UO!E9iIUq0QsbSgSK zaC^l9!uc=+*85q#lpZ_0H4w0UAm>T8wCbk3`pZwxbfME<#&G)Rqg32n;?SS51)^+X zM#f8^!zyT<4DVxr5PhBzr>5sT=f~e8((_=D)aUn~d+R**2{_v3{ORlKLS1P~?{+3f zR61XHOThO>314dr#rp2m?}95TcQEI5?G@9DzCpkWWT1>9`VjPudAgmM3#p{fh6k9|VBI$=pz(puq;UYUh0W%{Z2@44IoTeq%k20mVUE>Oon zTWSFo&xml6ZXq_kS81GN7%pU3`lh>$-8DSLO?|ecQ&#_2{}?5`!$yu z&kU2;h1L?{)|^U?ghdxR+|YLl9B!1^Xt2aVrdkM$AmUNZvYdRLbjX49-oVLU9_QAA z{g6Q2kty?vANOfd6h+?13QrG_n81=HpUE|)Ums47VLl3)z8xGo`~kYhQpBOh~&N}S9= z28=`U2e%s7x-^8I2(%GL@FFE1j``4iKa%9Vx=nt^&8zs64Mgu9s*W4dq5n(+klsOW zB}IF}fHr({cSv(#HJ?Xfegl*q;(7 zx7sLt>&>6CT8o|=2nXv*1Pn=nyH%<41nG5MF&1j+)v;dg@s@cKRTne0>k+fq;!bs@ zD33b7!^6dA{=e{?8$EQ4&)>E5DXXGG%a0Uh39I9#M{y@AA#o|X z#B0^}AJwJ}1OgAeXRe-}A?xbs&WDoO+innC=l%qoemI5)*)j`I^}!xC0nH#=!AdRy zBK$zvlu0ENvy-TnTgfoack`0wIowy69O<#jCEX0|OuSiZ+uyxn8X`-=h{qhO(QU<@7y} zmxUWi!ioeNzRpPFz+w^-SMd*1GdwTnz6OwcQx0%$+W$;!NSpbXZi$!8tg(9m*q41d z0t4IAXf38yDR_HtO9y{fi~Hc1Qf0c_gNaR^!_7o6MvZ)`t|$ZeWj+(%D;lV>#GwgS z3gB!V=|dvq-23Z~UmEa7dp@HrCzuU|B8&Tfj*U%}=T%7O21$5(LO(c~A}0G1+YTC0 z;9KLkdcmZ6BLTpg(H`^HY+&Yu&p=4$21|twNl|axmH# zKYuo@U!R_tV=b2iR?px_-D2e6PrB9A&~?a_j- z?KS_?*EJV=al*IAK0OaIUSl8$SZ=FSJj{H+$qB>EL$5OU7kwGkEW5B|Kklk#kA_e) z;{8m6J_VL^t{h5j24F^5VW!jFG_aDa@zCUE!=Ntbk1KICm0%y1U8uq?BN5*`&$w^P zM2&7dwrV&Wd$IwZ=uS+IsX-=rL$pQ$MyU+pn`E$r>f`gngU zJSO0*;Hmu7eD8um;LC=7oXM1u5=k=z%xHQu7gCK|P6BQA(sY*=|~+MDUQ z_eQ)w%!F#xtp-J4`Q&ioN83)eSt0&fOnu`GbCr#$hzM4h;pV(cbd2;Kq$#P=ChuTeL|P-z ze-D4XX5zeC+5ITa@b%~QCGvE`+P&eMCQ~1Sw$ILSiC@H-5onl6T=SnT5kI4JZpWG$ z_W|H!fU1g#L)Ls$c<*Z@SGSSFRaZ*{<1R}0?bixHNh0>X3U>N@(w85JMW>DRF0Joe zL#5;@GoW#vr3(-^w!lN2$FnkFrDgczY8<0cB8~qJtmbH?_04G1OB}zURN& z6(E|uuSa=lo9@zdU62<6CHHO^?OLGJWo7=wpm$}gkkrLn)Cv5LYD>`L8U3fX;`T}F zNdrID6}mb&J1EM5Dd5k&6h6$EWz@tf!1dUjW$-Kc-3nrU3MXvan5|KGbJVN zZ0VA^=1sUu@bCz4DY^uSs2h*Do_M}qi~C|AZr>)U1G(gR{-l~_$0OHwy+ilh>?G~W zZlUO1Yo*P-kX+qQnHP!i8NWZRGuB|9Soi*-D4wmoMi~W^OcBQmdKlE42MC^^j&L-r znOWIBE*Rc5OgA)`GHT4Mh3$y`Er#yKSp;?gX z*inq}h|+oZWp!mn0-V{QRnpS;3deWk@C@U9`6unNeoCazL&-#>yZRz5@967{^ui1R zLxUy_-4o{Ld`-k*OB(cwnsXV?#6HLM&gSRuPW$a@l*;)%u?(LD4b}#Y#ww$ehjg_T z&EM;9Q}$?7$B@>H|7&_n9}9H&FZJu&7tf9NuFE-x$P`6Iu`!O<@`vflaQ{R zYs>P~)&F2I-_5*;T#;R7F8`^RozNE_e}SoPEbo_3=GJ&it*lLwpwv-m7jVbb#W`Ze z22#*8u)@Q`IZe5QJcg2U8<_9wU;k-zE@Y+`#6RMN&Go$l&hA1n!bBB!o&(^H`w!P_Yvr~89Tfl zmebYjZ7RbhvI6zI5VpTu`3w=QO5Z6t`Uc z4`D8D-rA;;y>Ct)k2qDC>6z)TzfTUH{8JC7-K-;_r;5S1HVk4pA1WMX&d4)5@=7T2 z^Sb2!D6fvFdMPuXZ#VT4C?&#bbo+;4(Pr&Pleifj+nIf3;QZjFJ)4!Z>sWe=!dC}$ zcDI6$uCHw4jjO%AGYup&h1t-?Gq>W&Q&#sFf!PiPE++k?SFfxk?{f2sc;kxtf8OOJ zb=9ywi}$QovDQ|5nc4bCV34J{e>;Z2=%lZck1x(D@+e-FupNn|YZpopx4y#>a7>Yo z+$+1*c*{GgGj%ji$i`FNzMvp+PaqF)cSUv$lpe}4GxtBaiPGWgTS;XyMFVfIW{Mp~ zaD0kKK+|%s%3v4zbbq~qp{lB?!e$pdQEW^zr8)j;1KuMnl6&f~sNQ?JbM3xF-qEid zPQ@J>2ygKADVZ*4j<=WhG_+Y~*H6aMReQ&8e7ailk3|%dvhf$ga@h92E@o|}shE5B z1MWZi6^JSG-$@6)k%W-I`?qaTrY!NS(8VPBhxSi}2V0ne&L$)(bBbfu#S@aK6Dp() zb*lRbeo-JEiCD=lWZI_X?xcM>N`q$$k|hMvtU9PSpZNQ7VPQg{0Ti%f$h&jKn|qCD z%$~ZhGjA59#PW3Ju9HR6!iOlAzn8FQqLw#I5ajS74gFWvi9wSbfyR?e-a6Awub4Dc zBEWlz_V&Q{SMq|?T}fMprs+*q@cn`D zV-P!q-V|wiAK_&g-sLvQ&);QZw)!w$`p*p9;X| zBC*(pc9Vt2ZE%xAYCGN2*i>#pYsX@o`!!yVpjE66L{3HiIq+!*RR&jN(t6I#J-voV zfSg6jQ~DO3IDP#3I5bB#nEW0+#^{B|JJ*~-f|X%T`>P){4-d2QPv%~#OG4aJXO7fy z<&_uZgkwE^OmVZoWx>6|<^`ml#^NZNxj`1{?3Z`akPz^Q)o(S&O0yb8%}3e(EVjP5 zeP+G>&m^5kCz~feE2BFpS$m*-c37L^OH*TRo%o}rg461{&0+p8^$#9$%B>$V270~? zpGHnB8C&RG4>SLoJc9Ffyk_98qOGl#&s8wES0OhzK*GF-eRsY+X~bR~yP#9@qeZ=5 zgeru#-Tld;W8m|7{i3S+`u)S@I{YX>Y=WSm>>PeK%v^|%n>X=+xX&q-jT-z;HB7q8 zB`$AvQ(`pg=J`^##?*(#%qYGn0Eb?3uS*fnxeY8lVXtR>AnaE!z~MP1<%_jG{p!Xy z7`r+f_%vtI@8Vj6w#Qx>tBrcPLTkP(aL!Oxe!G%K^bZ7OeBQHUz7F_@Q!~MRq#Y%k zY_tvl@^Svc>eellE2d2s znwnZ!pq&%)%i4JtBe}~m&;I;?)18v6s^Y9suMb7jt@pG{y9X%p94E#ml&Ze$MLslV z4_J`8Q##yN#Bx5*E4JfIkq57*G87FV;3$FSH{#Kt$KS;don6ej0nu*fSC>T&a6T4+ zi!OFFzm4Rls7BW{)gX%fWQ)012Yx0t?(DQ<2tR&b%>5h=6#XhAdWyIu9o)7GATfTf zwvPQ?2D56;5ZvO}@4p;P^DfRlTl#Hc1maTPmc+bolG25auDD{RN_v$YJZ0sANTioqBz_l|H-85sJ?2QJK*QoqfKx8 zQuBDI&PHM71vn!sP1M1tNgCSrKB{~xWWHCItTFrR+?W%eWs%%ZKFZ1WHcJe;n5Ext zN2JW@Vquqws=dR^&tG(Qe_^aL%S&9%2{#1qx|DTPjMP_r zIoS(1faT+3RQqxcpNm09tsvS5FJc`&3h`6+m36D_Hf4zGIC9z>JRWMsg7bHuJcqPH z7mQA!{mxx6ciApx&DD*!ZJk5Js)2L;sCK7g^+kx=wdERQ zNr^LX>W{bx3Rv3`8xs??&?k+}6w6lX(ZhEDT$$pP1pwz{6p$=6J(YoMS&`Hv?^yXO z^TepB0UVw{qJg*v_+88FJ5{iO!^iYD=dJ^J-t}|8-7K*O#>m&QOgG5hy!nz>;=Dil zrO`yt!$!?^uy|8%;#%?IhkgtJt7|YjP6BWyU0m5q&1ww*g_*Wc-dJO)8X+2zUs@afn)6W-r35z~Vn_q)cJUTH6<7AE(~%XDh8OKQl^6QU-d%lq)cK?k=z4LEO8a z3xf>F$nY5+UT+=m-%}6xp5iyt8uOj$>z5L5Uv7E_svKj40!Z^+CEV^VolwEP-ulX% zh_BJ95|&5UJ{Vbk3G{Stv!ePKJJf&eQTsbURM{DL8nww1$WHnsn9pRn_FY(iyzF1d zDB^FJoi?&Wxe%}h{4^-qq%VDEvm2YdG)dpSt*-B>xTnf-o}S!$@;Z*SwW{ZH@uHDx zJ7H?`aDKU8i>Vir{h!O`BEsz5=RH=Qt~WjA@(&suw+P>2_c%8D5{bY3Kh%5XCT*W+ zM`jcv8s0$;5JofZTw?_n;0?{Dq5@Nvz883e*~g4Mc)>?0hWq4cfAY9iPSOZ=FIe7P zeZ?YbAUMB7n%~?4us9Rr{IBp<1qpfT6%~xP9&m?9pI`q*_g><`iB|@bcJkH-2!8dn zs=2UW^2~1gcD8)x*ks&d(YOSurO>EFXse}a=M$sOw|vDvf_yv=91i>gya?JPk9=3K z?bkqSBV8!v^vyVfv-q}GMzTk9f6xqEMRtc>gpbzHR#w<-jjY9Vgx~0wvoH{=fuS=p zdcMp@#cmpg|1Mj1uGVi-HOA_s+Sg{y9NqJ`N%SiW)(Je}-sB0zu)sAhYF5dXRb@Ir zUb?!w##`X}1^+_Td*Yp@mX@7^bkHJZqsP`{HBv?3h8*UM96Op#%&Hkw52*dyDDrP3 zDZ2)<#vrbnt%busj!+ya4CyCzv&>Jn=u7VrC&po;);=KT#`x}#qA6=Q@ z<^q6#&(F95?Eaxr?2qCAnxSSpq!CQ2UjLk3-q;o?YTWqOH$EXgc$QgJFzt7AL4rO& z17!}b!6sO=%=+#$^q!X4?1nula0Lk78W%y*ojT}~FL7}X1$~&;{CWM*y9}!EXFOYq z!vHR3Ik|T;>{nj-Y9d`j69zcT9s!wBBg4b3O(-JeV)JHEG_wnLL=vz=5}`yPXyCD2 zz`r#N)QD`QShI~icNpZ{%Vy|Fq}^wSw8v+c7o?HM-5+*`FPn)aET0})vQyEwqN;yx z-7o1P4=L?*uQkm+lVJamJ78s?&N`XNkQ%JhIN2P|PQbjr9^S||J2BHdq@)>4iCD*_ zKZjV7#NqaDg8;&aS?WRZJcGZl{iY#+=y9#k&;vd7`O?{5aWvIPa29U)cjz41f}k_H zNsYYL_l4Erk>Pflg^S3uKFS8eX~PY4Xjb=W$$&GXGn-B5BYkEkxdy0@r?jD)J`0r2 zX04NsgRNBjM|A&TMSWw8b_aikm<0byUAReswMJ81R2)DE3WxA2pCtYRi}v^GA2SX` zs#Zf}BsDr$LjzB@`s6g4OzomMowoA*Unz&gjXdSJ*4{>!U)z|;oiv`1y0W%@L@wwz zQnix^3W^7tj(L#WVtWj{ywv2)_BSRnk&7+1EaH`bx_f5U|CC*xmp4I+anN@4qcV!_ zKkC9?TTkMRHU%R-B2Q9a4srV!LFEiDjE#GvETDrQye!f?`M%**b^&z?e~UllO9~uM zzW_4cyqvG8mPGM}nb!sb8E@iMkSq|8-DgNg#>byFB=ua2EwnkhI{`79SpPQ{qcR;+ zUrWB6P#XXDPtB-CV<93vd&{D>+Utt&DS*6p7EKH%?0fcUsy&I?m(o3v3*~-ae38k9 z62MU?-9=a46ry5ceC%@c7sq^>U1%|}JN^5Z*1LY9zp>!bqGvaN7=yE;2nGF+G=E78 zlG`5q;taT*s|UqzNnET<$diCg5XSRKZ>6efdGP8xo>y zW!6>51;ZXgObL}7h>ts}a4Rik7S^;%Prx5jk~ALA$N;<4PrF{S%VrWx6G}SKor#I5 zE9Lz|#o2*OxsYU2Ncz@{H1NbVle3#o96zY2e5Q{y*LvyLSE+6|mWSSs7SS-IcR*H^ z`?C1pk49b~0jv~3AN4tTgo+4Blw6e=3DlYcz>+PZ62bK?O z;IihdjuI~GA#w87%M>1WWo$&DD0m#ma7Zx_k`<@KuGV?mkW7?6A=%VFxiX3G5g=7+ z7kcyd?J8)fIodweX`w!orL-v$&~b(=0km?3O9KD&;MR)^W8ITnH6E+q`{p~-h8-a^ zpw3BDz_rml)wZ=~Q?=GCfrM?klw4(<^>;RBiYq3r`W4uh?D!3>fC}%cH27VLK{-od z!0$XeJ3B;T(YOaqgs_i_)&Yk8{#A>#?cr{C-O|-h;e;2~+G2}@<)I$t_*i>`9apE{ zEjKdZ|2k+XkDdqY0a$qAcg*r9lx%0mMrJEe`JWb@mLCsT)4R@+w%A88hSo@FuD3q_ zD*Py>aO_x)9#`s^vGPAj1L@C~$7d9wuGsJvP{ z$Iy_u89f{!d!qa>uGzS+QCWG_c6LQeI|S~yCz##XGt@pAYqjvm&`$84v&w5%SI6b= zG%Si0hV7q7Q2yqocJPpa!MzWE+}ao9B*RU+Y4Z7Rp(uOZW60{{!FmUW15!h)=Gj z88Lmc((_7mBt&Eo-v%o8hE zXJrhVItu|}aIE;u{kBu{#6OyWoY@t<%c7;KV(LqbsG{=42NH z&%eHOy>eGsF+~RK{abvf#ITp8VZyUs<7&vF$+1ZDdutWC?6BBJ!z=`nzneoQRFL^U z!@VNgChIGAH-On=VI~pCOIo8gouEw zEd_9q!wZ?3Uv&+|4-(1pnd4!d_rmp+ywYI3`E<=7wNNKL+2^h3Ar-4lZPSlc`P-#FX_*j_p6Tl%BoAqu0N1}g%dH+TX zdSfuRF6Xnvf`R(^LhrkJGXsaGy2fC6|5Kf#xjqEVR?0B7w~bcl{_tYsjX`5FtA+nQ#UJ`OYw-iI&2WfuCJ!Y^TybcxRfY zRJf|U1@C)||0VY zWmUH@!n{sy-esHi(RXu8~N0xv9%^iP?)IZcnMyOoWvF=-6`9d9NN?x2jzt0{#6 zqS8!;B6*9BLcn!7D%-drFT?vVBEzGTC;Ve#rbln_2S#Wk+?uPzh={!TI>*oM$nXP_ zjQJiWt5go`0uvF8$&WcCwL7$U&wyrWeY8Tn(C`Yq4fuS-9>Cm(Kmsv&AUiW-Z5iD;RJwgTx?m2IS2YZq zOzu~=d})K#@g@^Y2ZCQT<&s|TKk1oz#y*uM^Oy@#Feitg?~8z-rf6} zSFguo^Sn3wlU&krwW>Koo48>vnfbsG#omk)FNE?Lyk2Wj!|IEHE#dp#o4W>o(*-ac z$3volYF;j4!S=pCk7XWah!5Km3x}@2?xk$Sv9KcSnZqIvv{3J3{$6#`PXbNp>fVh2 zD`Zq|AOuRJ2HsZ7zceAs`;#kBYmoaG=AxQ5- z34Q>xPkTHPcKX-y;tNkk3Mj_M8yZYoR;EhVK98C_N7_P@Df8eA;0#zwFC4Y+2(3Rh zAvBxYC(oLQuYK5)+E#CL!CeKAx!Utzh-dPSRDc9;)Meb%P^*`J2nzQf!qfH~oQ8`| z^XMD>h*92%S@Ah%S$N28It9 z`n+ozQlE}G0^gOW2}&J(48XQgma&uQudU#Q!Q|4~l;~*A;`y>vHW`(J^Bo$sgoOAf zfY#d)g}wGH>=%cXpty?$CgjbDKhk3k&@P=X>`Lq-@?f^@xh1s0R)8ehR#57*h`L;a zr0Wp43XqfuJi6K+{mon0amET3(8;Ksr;$m2atXAE?l?8mwemoa%1QIRG(!WD2D#1T z(#ychbsw7HG8C;3_gT?ka+iGEw7z293CrXmFjQNaIE9#T3scB~}zhOaPK?jw9V4CQsQ6{+P z{ho--O!#2!&Wgty6}9C`FP3S8ii8PqoZ}n|D#-v12*7Bn0n%}4X=x#$?!iGT zKxSCGv@@Eexp3W`{n+yo-!xRZ_Y(kU1r81l8j7Jwe*(9RvfpNdaaR0lX(kD8%4BnfEz$TW+s337}L#=4fRE| zQgZBVB*;0ZFs?qTlWKVKc~+qNG2m2e3g{L742PgV9}o>8KV#88f;;H%UTVdF9#Sa> ze5+I*dc#y+P8u&TafxsidziF+6ewiU)l|pcw5F>|wQ;VE)7KwSaBO)X(%KR6xo6Jp zpzMqHa8upJ=G<8|?d75e&KFgi+IdQX**!+PeHya8gQ4IUh@UQyUGj2URKZOdFg262 z0g7kCp}yF+X-BMWraxIJP|fGtmc*ZciXV4|*_bI3lpAZO{f{#(*68-7Y_H<4(A+%a zCaFa)N|WP(4F2Jo&E^Z!dZWDXFeyB@tx(!1YReH~Yp1VENQUJzZDVClhJqK;$lqzg zjAc_`c?#2G`~u`Zi6Xv;*eNk_P{H)in)=P4x{CfTMavFioAbn{NM83$Pv7Qy)n9UdcjZZ#us^DMJ_-aq9iD@G;ke z{MFsPvc;d0l3pntUgv1OTVnN>A86q#km9_8I3U<|HH`Gm z&t_}^X_v5O%&T0IILJXi4_1XX8J$C*bxH|`mp;o}-T|s5F0xht_3Ry_N>lXMybGO7 z-8oBO?aI8ODbw`C9OWp#&vtdOrhZX^*2u)^vdipfk+fqdg4GEW(emT)Lar_~{bhMb z+TKuzQ--?@8x(xTj>1={vKnd7LE~VII+54VkWo;;LPAP9Ffj6C0-dcK>?H{VrZ*zU zmvZ;7@j8}OuQC*3Vo3%@2E{J1f_(s-XlV%pBE&#iHZMP)21bu+w<5)dc!(Sr8lq#f zU%?Ck(AtoXyr+z3z-X?dv4)16r2_BnF36V8xyl`--U;EuiJ+>u^ppU+#^{8U@xs%0 z%T<|1U3L8fqB3Hh7WXtu z@`Z9Nu##a=SU><+G1mV@0@yIuh?9ssYiM`w4br@KsP5=O()@iZQ9<)?PRUZ=k&qRf?Oyp(U)5e24c;kwSJzgJNXILUMSOYtiC-UM57r^m24CrAv zII2fN^t7f2O=qG$Z8gb?+yEqDtbD@`YHY2QKoSQ<39l`qqS3*rzKA`-4;}yd!qcGHU!{7CaRhPFA?Iz zTt%w((O=`e#<#TVsg$UGI=)O(5Dv}|70NLF1YNl{&?HgR@AQM-=lMLyq_Hu{xj8XGk)-Mm= zAa1Af#BSG8=1`le4Q61sK?qP$ER4CPqnbvs2*|)M8{?$Lw2Wm_CJ?I!=!5FhQ*dAt zB-^s1tVv7X8blH3vNMI0h$%cqP2-K$+{E?15$4MXP)EcY*-UKMZWlsm&^~-IWDp*Bb=HjSr0*O9AOTjL3%bHV}E3L@>IX>AEOO? z;bD^)2AslYzLl+?KIO$mkG0n|`*yA$tMOQF(3dV#1A(NsG)_1}zW(21VyMPGx@HOM zis;LDiZPxB5$cNz@diAvoKXblPTARhxw!gW`B%jeCR|(K0Ga6s=riqzC@U}B-oMbU zHiJ8(6#RUvN)_?~!3t!Ah52)JX3pLMi8q*aFF(Vmus@anM z&X}|hJkG9lHy%7Opo_VeZS~w?rtJHzwwDBv6OLI ztZ&vk&mET?r*|yjqo444oWld-WXafq`}UavAefA`*N23e1do5)FZz*JiN%2;p!RLI z)~iO5;!v)4q#j!@DHoPir$+F%0tS*(4#_f+kub6wRMjlMjV_fqq;vMC9u*6F&T9`3Xs z&8bzxLF~mNug(Gwq1V12BD$jfAi;{)V=S~k*a#Fm-&NH0B4zv_BZ=#J-M)U4GhuOD zZ@<>GjeBq3GywjJdb{Bs{&ZY|W+l3yfkFba9fq4x4^c0-2F^s}zV@ z@u^IYDs8-QZEcCvhKaCWOZcF6;v~5ma*d?7eFs)UxOtPMIX&$F9jSA0oNFJh3wGQq z4k3CUhkv|Vm<3g^;{1qK20APHpyEKsnfFj%X2m*0aOrnA&Qk)I4zk)1064b1PU8Wu zgx*Q-7_S+QE^Uw6ud0!-YBSm$HG9szC>E=(@dc=MRFGFHEapGem!D?U%-%&`Pln15 zW%9bNwbS9WcX*qbo7GenBmn8cvdfiR8f!`(<)@U^y8>_?WgN0UVFjT->F5;I~P6jU#y{B)d38kfw#|>=Emx!&5 zt@WMiPmPnOa}Fcd?$>E49PXfcTB>;%Vk|=kG1U}5HoN#c`YqXe`a``p=11U-%Q_`L z_8bp-L%<9zo2%`?bwIqR8H4)yfN)NQ&rU!|ZYwt+aaM z{`NhaVdHp&@?UkOi3lVsI?fe<9Q?@;p5ie!TJ|GlAEC-b4KmIZpew1{DeoLk8bHp} zoXvK=%!DI{BYz@*C3I;>lLFgXrIb54pZh$$_vJHUL>nLPNrdvJ>0eA>N0{2eH!jHw z4i1ISH%CIe6OlJ@os7N#@4;J7xW#AB zdyz?(#y%E%(5@Q9W=@yID>}j!he66ge^9?Yt%FR0sxU1xIR|_t8fCU@x9R z`H#6Ym!l(RwlT!IYpxIMEZ$@lQ}`u3UTB^+)iL7dKUD*jUn6C#=HE3kJ59cxR0S`Y zk~4Uazz5tdMW+&Vse>IDimG?fG9^^%%VYL6A7so$Nqh#CS&DkwQ6>stX&H-a$I92| zDWkp7OF#(yP#=y;T!Juu&FDKpc5VLHNBEQ;wtp!wkK9^1_3F=~5-ooA0ZUiCCIz0^ znwsEK39()`w7GL!iqaJ_L8VC)Z*SB}wCjUh9LXahC8Ek%t=bTe->vQQM`98h%Fg=E zNta8G>L!HF5_j4)H=QS)UL7Yd@6Oz&7RUoZp~oK2i%Tk)#l_?OZp4DNw^kBV^)RJF zq=TV-OYK^kn%e8U_$Q}9d}4xfJ))~cJ#|?n==!gJh%(5ZbyhWbxxqbqO!d_kQ8^dW zAh628jS()K;2`iq2jD@v!J2h+!6&bP48D8YEl{H|BIZP|s3Kgw{qrwd_1=`c*Gvj? zR6!_7F(1lCJIGdmdI?a9mN1uRzzVo^Xkx&&;*&~*Sa?KicdJE}ULN^r&lO8^@7?u` zE6%emcl)wg*NPvBi(e{{VZJhUSIG29kwRtRzEMTMcIU+Wycq#8R-JbJC}m-#f9WO35LQpSx6IT0va zuiD;GU2h8#0!D-m&TRBb0Mau7A@op?2kHrL_)T<@hydwscqfw7xm!g}?R zx@P&|f=VT^kD88-(?a(4$@S92R?!rtZ zrh$7wZuEsPL5WTla5|Tk?CT`;6PtF{CmT6JEQ4(jmxm8*NOC#Gi z)ClE&*T_jEPP#~eW>C9+n7j!h<6R>_JR^|&#D(``HEN;bPq#Xegtu-&AY`)z?bkzo z;$*Qxh>Z#bG?}H)yZmlK{5kV3n-05_t_oj0XvZrKtlADS5@4xgu7<93TN~PQ~?Ah!ybSw&H`rW*nX~4T?MK7bDOmo+SAFb0OGi-+2 zND|OZ*zAq_Cs6I_W$(x&GP4QA@>?22|_(LUQlnGXnrLng=bM6bC*~Lmln#X2 z+TtPS<4V=DzRCqo@fhx=PR*dK>E|y`U%3brPR{L>fwMU$JZMDWxl?~=(E`k$Hzi)Oii=)J=s$>M z?na|Mt?#tzFz4KyA%A>$kU>jInmErG%^`Z4Z%D4tL1u)TkLmkgsY3}3nb+1mM4%8&A$*eY#*K!yDIuOF(l^BE9o zmP<~Ye%U7hsB()PZCoLV$izP%V4^pw5fitJ@kE6;%YqBfq{45##h#<97Q00>My$+SC zt$V7EB#Kw8&u-rlc|!;*Rdf<6DTKDOhGXHqAepLgVC8T}%nuV%0>tRQPUk3(k7m?u zCLPs46Miz}&sqRH2NMtCzLSVP$$X?BA)0jmXq4u8W6AS-c5N9WWBBuBwuJlqFz56u zV<7w2@oid1+DheqC~!ZMjc|DM?jg0e+7AbXfc6|{hb1Aw6Cls$=dYEJr7y?4O6*4O zB+V6DSEN<1`) z@8V58Lh!G~8z1Ma?dcBR|Vo#eDtap9cSnDFK+ob5nPTpU3Sgi zrHW*>frHMpvTF}2i7&CtF7a^9M#s4;HO5#}2&nQbP^tMtYO?&56N!@pUx`FCnf@W; zURh;A@mo2gvQuKW)v0ffZHoxTM-!a1mo02y`{o|{%giT>+p#y{Vh2K-Z{C=19A6ef zYweBMK6n1W$DsSL=HfrUiPb3W*k`_~W~#@6!GTr~NR0F0DHc~$Sk4|=MUs<5;z)~+ ztL;rTO~Ida{!h>7N~8DhKBk=bo!O+S>?*5*CYbpf8))lQ7YE*%d}+BXK{9#(Nc4t2N2 zr?uGJXsqZ}>(dd~GZ$DF#A>aKR<0!jxm-<&{m*2XyVxAwHF6>33k_1;qdq!GoIO>j z!K3!e1#>-sZ54100^|hVBiAq?O}O56-gIU3dtJU6fIcR;%& zJGB=rAQc?lBvi?SWt=6EMIcX@X!3y~;jNp0h)J?;g0F>MQUc~@6eS)GJbd)-b%v$& z%|CX{?d~S|lKCvRvT17mB$PiN4S(6u=y4-fX2>q5i4&Q;YB>-QoVk$=ie;l!xX7H8 zm~646buZ7DBqXvSEIrhi8im7)o$pq@Edu1XH!b)1=T1ELN>e%v?`7Ahoq01T#4cg>yc9q8Pno`q8BqGQUFXkbMUw3oRW!ypCK~Fh856k}>12jvOOwCO`d@)^ zitaV3Uzg>HX)SO5isIW+J1i~>^HF)B=3NHBwA-TXv!(vy&My=Ev@`Fp0--M|ZQT+D z|42MOncmzx{L+n+^x<57^zn5#m-*KwLtPuPU3=U#@ncz)=Z5_;@?lsWc7OiPe|o0E z0%+Ko)v)+6$=Cq0Tvb(r@l64LyOuPrfo7_CxXH(sy23EImhjKQ4Nguq8DQGQ#Bajq z*$MEa_}bH=B`5xkNWBCzEM}4ViVTdMGw7KJ%NR|n{=v9t$2j)&>rOnHJcUk;X*wbI zO&GS+We$K~xE70J_nAFkOkTtMN-$bcqSsPM4kp28nI8BgD;Z}x|1o)~?(1vg{{-Vq<2oe9PE zCrR9{q{XD3eqD^4RIQ?sF0w6b%$T|;uPlW)^|+2WirG5WNNOoAkL>??qm0t7THRMI z*&bh^IN#ww-433&FS8`cN4rWe6OW|p$y%Hl=`H!#plM^~q0H7wd0yq=&5W>)m~5a% zp`#;N@`;K4uJA_YY3{fK#mi3^K-pDNoM?28Nnnr1I^q9#e+uFA;IBW}!)ODBbSRMR zrgeR0w^!kuAl*7UdV#1Ufz!R~oCp*(`h@od4zq~|j_~dozX+)9fmYw zQFY9PofsKJGVJY-3BOH-o7$CcWRU@FOQYNXwJ%m^8~GRPEJ}K31(N-x3x(Kr+bd3$T_a8z`ai9hZFJupn@*Cb0SqKm{>!i z+R6@;c%G>*C{?#wq{8I`)st+BC=^BD8lN$?ga3ys_xDzibLqTY7WoaS^&}I#3+AAf zsNWLMWV})>B`L=S8wAgSeYU6PN3jT{4rk$ev2X$jbAaSms}$oNLF&ef2+Iba6M==e zeuxK7d7aU8yK|Umg6Iz3R?^~}xe@%2lJ&FOxdfP#{qFoQ+VX*o7Szn*Z(? zB@z7Ic!v;`I}5Au2}Xx@xy4l0L%C8tbkRFiNxeZ?S>s?ktE?ELrnj*Z{aF}F^jNTE z2i9uFk85z$&b3V=<)1E(zlk_f%x`dNd(Ims52U zLm}1&XWlEB@->0^7fYfc3{R|zcJw;^9#$5)oRf+pi-X+@U0~2t_$+c)uj*n+O-fB# z%H3Gk{g9)I*=*}VZYx=gPriXkFQF>)0{-)>#^RN}gXISLCX zE9+o#Y3Z8@g%skLXK~0HafDU_r7yC_AY+p$^s{S1@HKlmu2VaDwgmCtKV}pjBMCzXFx_ko)4IV^i<-a-iSF)3Mzpvv) zrYla!AFd60Na`cULeXEWy7?Fnktj;Y27<)hqfC{@B9qQ%ucJZJT`y;YyjD>Tn!DUt z?BZb_mIsLlaW>t*%YtE$q`(5rN$g&;8<9&Hs%+;J<6-G&t@Ryb3v4MIVJKv+j1fB)0~qpZ~6Vs0}F?4vya(1?n>oLG@&HVB0`V@mW+>o7R&ll%)< zb9;>^`9X5mQg!t^xs1el>`x%1^4q@)Rd%*mWjm8sZ<*kiJUMi?$ecWgKlW5F;c;~i z`(BEU7KNg%oAcn?st`7L8H8M>ES)n0Vju=D=R$8h(hJelh@hKvXIUWImn!>*4eOzi zeh$P4>z1c=Oj_#Tl=hYUwp3yJ$^Z9jW?Fu z9^>T*E0Jv3&jMF+YZ`)@<|#j${(~mUIG2?)oXP=$dmLBF?_F^6m1Loo15yJp?kQe~ zs@~S+QFqq53<={pw@ToR`Hwlc7&*8C*D&NdV;jv5dK}-}I{rotijuI2czx8J-lU{U zI~Ilu6{xKMvtla#m!$N55Ufn?-e{B{NH>8SiuYkR4hqkH&^MBm)8f9gNY`ZYSE-={ zt~GolEqqgvNUe`NemnR^q+?m{QK~U=s6vLWryM*t-LBTIv1kT23POahA8TSA3%3+mnqP5KV6m(bla`b9-q9`e?g0QrHJX zqQoj9qh2HO98ZIYt2mxp(UzHcPu04aQI0?5!LE)i-9A@Hl>z1q*LCY8 zlS_a7g(R)+cK!CjeV)YTbQUUqLUgWU>mj43O`yvaWJqrD5~seR?d?VYb9vOSK>xY- z4b!ZDKYTfRTJyk-S85!8lPu*}QmSG6bYxbzu`ZvwQ-kqyw(~C;j(~Cu!L|R?0^EAU}w7sd=a&ejvBk1FLYC+C%&7@sGNO-Y_>pYi4#^ zvH^8$P=-+kt=7tozaiN(t_N1ErT9kY{8b_oG_QHVto{Y{XqP8r`$OBhp%XiA*|`C? zX{Wg0uR%F~t<{mr{pV!H>I(#t@_($oX9(NWT zy}#i4zZ5yH9XOP6@rdUGnSrRRU$zDDyS0`N!nYMi=_}`Wr(O@&xb(_Xl%&U27PNmL zx8&gbXdx?{ECEG@E3QYd@7IEaB7}uvu z4z^s!Z$NL{#UJmTC`ssN1b!)m?ur6&O`rWsa>Tro@(4|}-cHfMvf!7W=C z4ATWwq{&Q=w?TW^g_%wxIus?tOix?3 z{>+~Vof8t{m_5m>)hd}z#kY6v71aKoyqYPGcC5koTa1~wuxols+%^NO6etJXCon<~ zTYEg4A4<8VaD7PhUsu3>@x)c3($vKUlmUf-q@}iR_-U2DOAQ(?-9Ac&AZ}5NpG5ts zim24%{@O_$2*D!2=HbN4bo>liynP9K5_J8e|8?x6+@S{vPNdU~jcjBuQemY3wa9tN z{>>Pw`f{w~DdY4*)$RGT-f#VCckI9t?X?mfteh_?XXc4jRf=p-cQods=VKh>@^Y3` zg_}`(xD2JN6&p(7aDgCscJ)-wMD%`2tu;NhfLbBu52&dSlk-NBbn!;C>QpQ_=}jJN%@~dA6b>5X9#-mZ5ALbvdOx}Qf`Im znTspl7q654t^y(FFGas;6`raVPgVjKkDj(Jnwxf9c(}1*NSa?fxk_SzUZ4=%ep^=bKkHy|4d8$< zmm5ppanME0E*^gRQHt+~Fi3bDUEr|W-+%M2ozIzlv@q6xyq8Z1)Q6w&X6B!1dfFBGBMFU8@a^b$z7!?F*M+6)Oh9Z(O+_k`_ZwVZ1^ z;|;5SfHVKToYj|UgUoDS$B=T_ax-Je=fvb34BdV84FjI8@!{; zFuMscvYR;d{BiBPZ&m&e@T{L-IqUpi_^F$Ry{z)oe0+7Jh9h|c7Tiu;T$wVGpWZR3 z=>wS>QDuIR9!#t#C{i1=`C)$(1dHM*H6R?6h74fla6U9b>^q?q$$)ye+#6>8!3M0K z3LlsM+jasv)T)=3|FmDY)*O{}`SY(v#@NbBn{yIZ3UjFzmogc zT3WZ7C%?asc&_=xh%x5)q7QWy-(Fsp3QKQ3`aTBzO8Crc3}*)Q#Tg4(&~jzM#q{?% zl4nYBpD{j$zD;5U*#*G-qb!8SDK6yy6{C8wQtl ze_T4SJ82q`lwTU~6TQ#twiK~tS{1at>o-`I{fXEFPfoyL*KgG%)$in^3YFs`6q4>s zWbTww1}L0+hi&z=duoU04t)wm7rP|7*qOil!u~MV=+vYXeD7E?n%$7g{l{J{LB)W; z86LJB^x-t0Z>i?8hC@f$p?udrKyMyp(xUaN!lxCqi*K#`N@Eu^a=%W*IAe>U1f@hg zH#)$V?KT1W06ot^xI3uFi}NJT@qGAF)9A&by0 z>JM32+{+K0JU%yV0Hwobj#s-Fzl|D7Cb#Lt?q5Mr5y`oEornVy1>-IjnV&~X!3eFz z(pc$9(nh9Zq=HLDY@ZWomw^@G^n^YACSFyX%NOWjU`>P-7nsy@$8UA)ski_RW-YDY zJ{4sa8mNTv{UG4U3NVO1sGm?PmO-KbPSe%Y{+*+OdM1ak+qW3>kb3D!ZY<#|tOah_ z#cMV0_4XnWO;!YApxg#jTnxvaUiC^$UCwO?GjB7BMO@WF4kr&;;q7;lKEJ}Aso#F;tL*l2M47L%W>rvt zj5Vo)_`gnOHMj(a5D;Mje1K|d+=Q5jlhHQ&S9=TXWUbDJ(mao3AO*^u;evkwWa`5; za-$EZMJBEo2PjYv)KU(ZShIPl>rSzL1<+iv8*Mp)((h};;Hj3NcF7j7;63yFG{OuS z3WJB{KKV$h{}6iW?#(`!*$gZFo`LBx_W)uY zXc2gFDtV5X6Wmyf4Qh@0lNU~EoD~uztlYK564adn*7LZKn$ZF?jiAGjqBj&lz6B9a zv$RfGsyOfrocGH1jsAKqimc35mjGA&{sls7qEX@0oV^39+1jQ16hJ1`l*7B%7V@G# z=7&iRBzw-FCwl^3A?Z9bU-SW7Q3KuZW14`i@ z@2VV8X4TuUne#WlOlF}VPQHEha0w}j1gbY*tz%(6V|(5gxz=9aF8UWek;Ud0_0jna z2&Yx!Bx^-CF^Q<<;ITpW=Q?gf$!{&O&&Ff^=CXf*Nc>-y-NqLOY47&_Zl}8P+q=!E z;%PymRv{I@(p7~2F$}vtPyJ57Lp;&*TT{o2P#>I}TK?;$iW4(~Ssubo`zjVgcy^Tk z@=BVfdtbEDM_{&_}?0@J`V}Mk<7p1w^+K66yr$d_@6_dJ8xg#88!#AQOx| z{{|vzBe>ii)9!3LuYn+T^+s-*6#4-vJlLawdvEhchG|?+9zZb9{T0sVnu_Qm3BEGXY)RNIW`ZE8aJv|I3z%jQ$R3up^!iW)AS{?An-Gdc@3# z?5B`?W>Us44`nY{KL#J)gwP}{H4Obi{MlRILV^7Jj>lMzl|3ELl$%ErI}Jn@aqHUw zxPhG|&TRHYO^q;IheX}_1wQ)22QU*`c|GgH2Y*raG2e>cKCey(`xT$>j;2l_xNy~Q zj&}?dDvwq|o#2?wXE1a3)HnTI9J(4d11oNbsxa&}UclF+XFO(v>lfU8BK{;vgSHwk zX&jKh3Y-%k0L4Uom=@VGYnjoE9wv`)-%TNbW>fYE^C z3uEUAm;c^hZ6mTTWj z&0v352EO(uJs)nqLwkmtxGQ}0sfxX8?`#0*^)0Ir#Pq5Om(wBMgbwI6r8Qjvr zZI%#CvX_u03RbfsXBBYDxt~c#D|9}1d|NqqeuiyW_e*gc|?;pGC=2s42 zB$j1h843vvu|P|}gb=_ec~H82mbd+(hyKfluR0Hdp^4E-V#H=d%h2R%2b~w-)FaYf z)f7LYpFi2GbB*Swg*JQE?bg2MeostIT@}x>`jEo%V-<%X8b^um+AI9d;n%J0$IMm# zRlb!AD&ghowg<0@$f07#augT!{CW-^R66th;@2;Pp*5*@6bvMxoxGe$8Ej9g z4|Tlm@TLD_Nqj`T^W=5=felwM|0f0?>{Omiu&$6{@8^n6UlxMElBk`nzUbYK;M&^8G}s@nYOBQG3+UY`6*ONH!6UcR zmr{zn2FD3jiZQa7FY@s+s6wc+U;)@gDz-qARO`w>7*kn7Y+mkU%qD`C?n%J}cL~qO za{P8gd+6ItbMc}UFX%}PcY--(%#TU#l{5^5WBDh96T{@8UdA&<0oz%>)_X7RUgb;F z=(n)gh*qb4KT(_3$A#(FsYClzV_qZt${7Ci7^UR+Z<`)MWO>MC0YTZQ5CBxTzi$1C zo*dn#xy?5mb`CY;p`f4>!h+BD=kn^(ufp)EEfMm-|*Ox}48nlaQ03EnYI zPOe;K3Gp}acdxZyUp+6b^mhq`dCW`=Pvn6|yyZ`822YGfjunqolr5(aPIpRA2d+?L z&zN*5=`+{^-P1$OxG%5;*WLO{Y?vRIsyZ zgVMvn?H+)@xWN=rTBQI(_Br*hc608hf|f}Gi+Q(7LR4?uc;c!r7y&&@2)!`72a5xP z_)W=wFrxiOQaN*o+Z@`XtA*;MYG(=UgQf6_2z^sEcF}@l#FAPt1R}is2Vi)HFU(9e}|tvRZtTD-Nk+4b<-xVQ?k=z^mu+k`BCI$KR^J z=AfzPya|J)y9cgQ3DLxLYGi8lr;3vmYQeiqMcWz!GPab`iv+|W?c|?25O4K})uB4N z#@3KZn%LWEzWCC2#$1*d)h}vCERH7=@t$)(vK6Tl=~Insa9Kv8pzxdp&^K+tO5e@( zuH^?dZ7(6K?blh9(#{xFp1Oa;y5MPkNGX_8WydxR@FDj`P@1gJ2WNqh&d5B0{H-N# zai0r`OPt&aFxt%h=G@#;dR*WSlek3e^l0_uM+CtpdQVQihowms+?5ohG=Tb4%Jdph z4H~WGZvD{CcBUyfQv^%*7fW7Nwj=0S?!+FOr+e{^h{NlEKlI@ER_Xl|Nb+#0mMlu* zmPBcy2jP7;;dQkH4FX~8U6|?-5%ZlM%5{3FraS>i=A&b~FFuuE(Fzb<@>y~O=)9*X z8~^6(vwRgLIdHdhwU&CEB;i0n0Gpv?gi>Tg-pcsj| z4E<`j;=}m2A2L;t=tbr4(I*afw|afdQub^q0Q!J+wYv7rdYZ5KVJz z-7gRVE4Nd|z2p~^;!ECmZ@j!B4$#MZrIcmf#(9rN?JC6vtUFezn5VH1N}^T|kq`~j z$`=%uAebjMh9%t!|8R#JSW*v!X=!%k+)#WM@@8pY<5-kZDQGL{%fV}wn5+JGY846NyRT3x)XvP6JewMUS)2l`grw zx`-#7DSg(5!!AqRr_gqvgmQz`wdMOK=J>QhZEbC5F62^UC!3d0#;EnwLvXNJORH~# z)hrrWq!?}Ek|Vm@`J|tnQ22*u0Y1x73k!xb4*B_JuKN*!Cdp6UyKmN)JzNRwj(&>F zQkG>Hdy0kc-2Mw%zFdWS2)bb|fTmCiek-%jeM2s?@hn`-Txj8;FQHY}2O?9}8yrZ@ z(Ugm159Se*Zggs@27Ej4(0u$IpeCH0KV!@ws3=`4cURt@YD{RmUs8cdiTUQr2YD_t z%9JehC<>ryVW_w6xfZd#7270%z(h$W3IbXoy8V_!BNv1C1Y~!=gWZ3j zZj0xp7o|vf1^T}0Ipzd^wd0inij;+gMQ;Nnlm6c(sYpQC;6*p?@)gjR?z}U*Gg&6y zOLiAdt3539jHK7vSS(-ynI3+#kb>L!y20uvZ0thlf|AA!2ZlHdrZ)EUA5EZsX4FQN zN^?y(x8UFs-!OBPOG`1=4z~qc@2O+~3$E?j#NmGKOWtUu(49CsqK6CgE%#nM1X9lW&I?kG5|v=x zaa;m-iY5aB1&FMFQ_{>LoIU6H@YH_jn z=zW!R0qX7dN1~p$`z}>Vc+JhiJJa=eDFW7LbWc${w`R%guHwCWD~x_p6w7N}jNiYP z?m+eDIg2x~hfb9yM&Usv34z~fy1eKp4QyA;v`86?R(p9Vof;yWgNjN)DrcjZ@MLw~ zp7a=IK)ZHo+iQA$^O}NMNB4190!OzbjVJ!Z=Mi5sJsb?QFY^VDp9&NaqWsb_3|9qH zh249sVeWCV%@!iHQ@=UP;w$3(rxw7$eyv)Lo(N|}kd=n=;$})PqStI@F-ShPaO%g> z&!byI55F!V?J~pkGw9$;_!^qs%LriH!efwRkfoR>E1+m8Q4+`}(2g6HjN4^O+)P@} zUs5-lQ15`{Z8;{AE(h**-+fW%gZ1{Zn?vdxrFAILzk#Es#(CWS&s$^hKad^nkNC8Q zRazFJAYS%1_uJv~_J?{dD<`Jhy`|pn5BeO1a8T5q609XYp7?5IEGTwE8z5kdjlxf9 z|Fi{s^>l8*4cp!8gvJw*qpT;;ag3_qovv<*lyc0fk|h0|F@{YxqC3m~D=Wcl#R~bQ zCooWZwYRCv$i9DLSnyf*ZU2Y`4qY>hv4;yztPTYXv%)pCMC!W5>L8#5J1v?f3o3lWXW zAXk3&V_Zkcxsh_KHqFi#lAXUnIN#?M{{bL>47T#)uRE#*Bxmzny^bUT0e>VR>bYUOf znMbw^t!E_1Uo9BB|1qKKblMulr`(`{+353; z2|95zuV3N4C|16iS<*`vR22z&KKdp_FApv(S_z)rQ%nR*xUux)fq@W z%?xy-RjgXKEPOWVD+K&pUdBT0PK^&c0e(!iI#1zi#D46F!2R+oLQ$jrik6da3wG@u z0Tz9c)JHe9s;kC?Vj+pf6#fGpO5HKcfjf(>I^)&~!Read;*YAQW>zLk-wNrV7}0F{*Y1K)7i_m(yGgBMu-2hu&L`T_UG-*+Njh&-G?u zTTNFj&yTJ}Y1iS0-kpBTiq!x^f#cryHcnTOo}4u`Fu zURr)cuG%4%qn>M*cb!o?ef$rp zMxo6{Z63D04F(-vs425X6{QS|GuvQKD9ikl@7GY&DLq@`X$7ZrM@!U~7q{OfU;R5t zKX$iLjd!Se2?VK=8bqdrE6w2tFW)V*vq_KAWTwpLGk$Azv==wNPs&9FBJl6)+TNV| z?ntdAKVV8`pqMCWg~)Ra3>X)0IlC%WD#nO z0+m3E6mrj=RiW#mE}_%#)i1L(fnTrkA%ECG${W#9mOQqV+XS|plrBw3J`X4R`}tk( z%(s%+G+$v+W#3)&F5Wi*_s>xGsvK32#{rmc)oaNSV*QL=Ke9{iVeewDt;_y$7&kba z8+?ZapDve!ByjR<{4(X)Xfn0mqUc`pGrMm)M7_C&E2X&{;G7*S;#GprMZA&)s9P`g zy26dUWNJSTqoB+;+V-uhibW(lY<(Pv$^SB%g>rj+)_Y`9xSk`)M1w23nOJT-m=xUV9+ar+2E4c^lt)%~M- zyzeg_6e!<6rWCZ1*;b*pKN(+YU+2-l&ER+Q4|vR7eGhIux280|(V3Of%k))RMYk2V|Et3NMd zZES30$u*7$ne7nai{yF#0EwL(`I5g7yY4uoaldf`%&WA}qub`I32t!rWvB)UO5@Gu z1Ag1-Nj>kuv*b&+!Af1Q<-<~ zpKfJe6A7lSkJ1j!v$C>iXu!7o55lw=W}|AoI%v_a&zD${u>%*ia#>E!5 zKq)g6Gc4g_*IIsvEW^%tGo!oHp&xO#YVo(iyqc45V#smIUk%pSC-BYn0`)}UT$eDH z!>-^=kblnR^J@2f_elUpMpDnM7j+X3=#C0Ms#rqWPcLA)UPW9One6=xe64G!8!&rH zwt8L4C4bq@M+~VUdJs&}SsR~_usTuM`wi?(h?w;= z{e~~^zao?0=5)A}d>pxX4RCtn{+8e1AY`o8gA9LX23w9=g2;NlPN7MKoXPKU!?+adt2U5F!gLPEo7H#V4-Ea)W>7Fu&HV^+M;EklBvhA1nWA zZfJMD`|O!rWv=(q&P*#Sm`W5i>_J!+;7-@sOrZr+kJFNclSeKrToP<2n3)XLB`5KD zzu4l^4F}jz>umo&rrtBIsi@f=4x%6(MT)ejD4=waULt~`(nLg1N(4lDhtLxgDN0jO zP=O#IAiYR02_5NDLkpouFQJDt@*bZ5eeQcdgbzu6IpJjQHEY(anT_LdNQ0ec7YN|o z3f*P`HE|;vII(rU-bE?h1f8C8S@-#YBl!GF*YO&r$T{uYLpM3fNQM_A>u1dWkLVli z;LaD_b!R|f+Ryzue;6`i?x)SZAOD=$0CQVFa#T2NPD@)oeIf#|%u64aTo0|fWV`I@ z=)P|0Fp^RK(j;s4jLtv(J=-tvz_ULEvOA_^>=jyDQa^qzKjAdsnNB}%aQ3LeTo!*ITnrXb&@3TAiH}h_c7jZPJ)JD5- zbU$85i=u9S1CG4O%_VBs0t}5^AR%}EEEvtNIv~T3L!1sK{mdI-La2*mp)LMU#^MIb zV^C9-+f=I0Y0$^}ZMC>8-3+}_B>*iw*OnkbGWFwc1_B%;WP`cOmk03 zY;!2#SSZ<&67{xo24%;nzDGfn`MJ32Ozv_^lu@#i!zqt(wZpo1ColY$j!lp3c;%S3{ZqU$GyjM$Ec-r!JMWeKL<>izd7q+iTPD8=I`G64VQk6$wj(m02(Y+>OeY!~%-&;G zmqwz;__6w0-Rk@3_(d-pvrG;d^(vQX^QO;2b?HkP?-v+!`w1J~&k zQnCuqg$jlXsrjo66j@c%xnSIyNCyI5oqd=~oYBYPH3b1mPYdI>T2t_$@4dJXu(62- zdkIa-hKuVIie4&3sg;}#UsUI1jgWOXzS0YQ5^Ygje=15?kQ^4guq0((7Q|NP9}`+? zXx3v=enO+CNv$%G~jRg za~E!14Hp4uLGXB~mru9f8Qj3_n5Dj(=YRIT)o)C1AK!u4ZoCDjkr$gU0Rl?Q#ox;d zk;cjMf3%`%k~kQ`16FpHjVrt>_r?!})Z})S^S&PKJ(09PF(W9{Krg@Up70}r-9YUa zeb`;SB-_DH*2;Y$TDmPYFvhC~T6}*UCz9i&x{SV2tQx(Pax_Hdqqd(NRoU&3-0Jena0Q@z@5{W8?*soPjn6XhKXdAT|jm=Jxq&z@91e z@1Q=c;M2M(H$!=lL30Y`YyJ}FmnfuquqVz+sk1TaCei)8j*q&S=t>f-!ayPm4PeWg6c9j!N60OdCI4+KT?ZMrboa z@vW0Co&hBlnMa601Grm_g!rpN@{j(jCE8Dt(gaGqEjHxe^wn1@SBvo&w9h%8cKiJ% zXJuHCh!@iQPEF>}^P>(Dxzo~yT$H)qX)w!tQLgaap&Rn=~VYXt}@C+w4<{$|@6JP7I zEFvbxtAzEGGE|12eIFCEGuN3ue?sRaN*Z7HTh+}D=}Etzs@~y(-=>nz)Ewlj%Q^nd z_|wzlQ-{+y=-nGHwGnwV$k@xBLM$Nj z${+<~;Nckn=zHaK=hh^owUhhPH$8xvOH{vYqjqn5)ggUh z+UMSrI&c?|-+t|{ILNQvD@OeI<*4#q$>TK|>m}h{AL_gR?n#G`g=oviv)=1XQEv6` z{d+jRu@B$c8U75VJ4qFMBk&dOR;qI&iSeBnoWXx`SldNsAi^rU*NVmoWFHWg>kd*< zr_v_P)Zd&3)%k8kOC!~91HirjoRP3tFxIrZXVbQABD?(qwM`8DTK|GclelXEocqbd z0U<)CiJ0{dDT!RwSSR^cSqAG*Ye?m|EbS>p;Ei(D2!h>d?aR}&?O{;Z$K}-5t&D89 zOA7_T@I$Fr1JLL*0GK%qGVgB+(KrqO(C+w_%hq0|3x4p9Ss;6YX8rc`{VcP5rU1_+rWaWx0<2n(vfdFKZy{z%=$;^NZny9Jh zIvsnDO<=ZqIqlsEEP`HKr6}pNuMLq^F7}j{4hvuB00q|8dZi^Fe$j78uPoz&xBbv& zZ*dX>CsY+#WI8T7Hyn;djn@|N$u#Wp#4GQ=SSBafKMOd_RyrxGo`OUA)q?pLghv2N zT=v&nfvTbg$ViV41D*9TDbL9VooWhKa^8s{5ohj7n6=8XruvZ{C~thA1J2U=z0}{S zv;edVu?g%@Bs><7YVP;zN&w}ZL*pD9PQmpN*nh@bO4WaDR-LxPYggvi$$raih!0~4 zKL=zk@qHFmHq&igM)~;W@*P`Y$BLQ!+8mK2K7~hoNLH3%Pw+H-z2fKS-3%`0E zy`UA2Wt%W=+?a{WL-)75Y1b=Is2VEQ2MT`wmd3DzpC=gs!1&)wO;yo@4mYH<#4o%V zSk_*+$3_QYTgP+`>IyzjssDDaC#j^(M+QyD!b93$iyt=9q}!aTx(DEU1Fg&K_Dgem-`GkH4_oK*`mxsU@a$A5z2vnoNH5#?g5(YrGP znna3)>tr1pkk#-)l~08R5p)8dT?9hc+X2)uyUUnI8?fZt?(%lf8r0o7TyMFLaGuPzu;q_A4>e+J#_0~4|o!-wkp@|ow4|NX_H6!0dy7(R_OP(h98l*vn ze2?!#M2TW)Swk7XNzRyLY468Shm4^vC~;)r{I5h(kar%^ng1#IvD0ynyI?NRHehMU z|A!7}H&LC>mINGwBIQ|+)YugCFq)umEQKcD%L@&!uO(g+Gcqjy$-`CyW%b?#{zj{w z%S+y|ej=2gNFx1vT8$bRIiPpGc=cDp)q{hbW)drMM|qxsh+E8OE2;x+jp$LbfM@B;%&5I&{^O$TCCqdsxa z8Tr?Ro?Z7q(}O6uaGLj-j(AOH*_I4WfYj@$?;H&?(FXvfivU6qCTmXn+IcxS8{7TX z76}>jg-#)VR?v^&YWE{@8bVtOuHiaS$8Ay7u4?N#UBe_Y0O1Ape$B$6g)tglAz+v+ zoi_Me*FQCMCZbfIWjJ@B>48{U^u0L#OyjIbM|c0eZ8CM`vGJYeg^#*mU1h;Lx$K)e z-85@YRZiIY7`Iru@0ET{{2fV)r*ET#;a6=yGD=E}CFtGrq{Fxf5E4OR5=0E;jaN9y z=g?H;i$K;_A2)JLhOInBbxzTE4^NLgG{_jzC@q!ns<0uX4u|N^Sf%Qeom{eIo0Eg!BynuPB zC!o&*W4=w&7Clf~-V|a^{iCPW@%9o=ud&XisrsHhmfaOxJ{D544lnTFj{{gF17Nb< zm&*Fvv=u*^W6$D>dlpN85YJ1P73JO9zH(XZ*-zsv2FKw^?5G1Uj?sT8=wR0i0E4tm zK=7ODxBrnV9<3OGF%`W66j2@NK+^rtoTf$n)}q~Ik^G?e7ezJrp|BcZGYON+ML=TfXez* zKc2%4Y)pCiu5(;^$rfDj7od1-F(+soZuFd#(w{53yze}wCWN9OK*3FK@^YDRD}%D_ zqcxEyC-oD+nc}-PE?kW}a`?A=SGTds1H)jY=GWB7q46#*MR6e)nzK-mXaxE&fzG(0(^)g_HP#rU#V+Zi87hB@ZFX!3QgmC)@O}A;P@k zrBh2N+v!t$p?l)MwPpf001*f%#t>{e`>n(+>!uH=>%%3PbM=7AJ%1=r0_%61QY?~P znLR%0q))JIU6R^|49d(Y=#eN~aypD;Kdbs(y&K>0X4?8*OD zVkW_%^)CdAsYmJk2>#%Iy=tBvVI~sKBs6NVbt=_8qxhh^o^~5$Z>%+(eWB6pmsAm_ z+fI1_jQriM8L2=CVgJkRVH)T3>ZD4D^>?fcd^W=z5^Ig?p ztVC+=Jcf$tF4`WA-u!raYG*8&`o-Q?Og*jqGw^8r+`mCY-y@(QUfsqP@MnSC&=5!(xZMR|b!_ zepZLr@0(9mIj;gYjVoS_*$#0uA$+Y`)CN@IKj3b7WVpXJ(Ow%mGDmMUun0)AcH}C+ zQg98>TfTXsBLzci*5TIH(sjNYVc9)qnFu_xKWZ}50^@k8uCPHc_%KO1OTuLIht~f0 z&tH=4)?z1=*S5`*vxTvBfXFNDrjN1B{SX9XzaLcD4(6YiZhiSU|^o=39Kvaz3Omb)lA-h5-cI8MUxlnxCp?6q|L z1bG0O)eLBpsRXijaAT6xce}RjqerAXF`*+kkr2V4)M& zG!?U+8hTzco#V`zgGa)wwjHT~$~!g9{RDmBcbwYmzrVQOCMPmVHnMjBj8YC)FN)QA zA3O)$PV9&);6~}$LmY7*%Cg@1ZVp{v1X;J;O2hQjIw03hx9KGJ3wf=C!N027DJGRz zuB#)v&{;#FU?rEyHsHt1#P$nM2us(61_(sG_vzc4xnjYOG=s$!WbqbE=!!Aj1Qzs>`RWDSbvN>8M=Xd^HemGKzC{DPxk>haKeHR$M zVXq>TLqDxmSwnIT44j@~GLn9?1y3&2!_PUSztaqz2CrP;mg-~#!($(b1F^nx-4^^E?E9!)$`9v6KAlUUeTC-8kVAFG+`CN<1j2cfb1uBYB~4 zZj)Tvdyxd;Hw#gM0QumLU5HoXX$%sjrHj?Wxb4;|R)OL`G!Q4ptt?})^@JB`mOc_x zkGm0i$*SOcf!e;ACD?=B@-QL`PhGzNXdj<^G;UE5Yb_9J_4wmM2SFyB{X?sjetFW8 z@mCcG>*=!RqTBtt=_2Rfy=d=#uN~B5Rt$4b_ak}yttnG0bZWYdv&NdRGsi>6=rX9`Y~z zU7ThLou+-**6d-fE6r5$54aW`&@edLwG3?!E<(3t(33KZO16~${m}f=*Jn_F?*{%F zaaP@At%a=eEs||*AwA2ZBQv{fa2N0()T-Xx)H`7@K+KK~mJ}0X1orkx9c*z8FGAET zeMP<3KpKnkT3>xMzH91|3POe$txV==xBUHK!^h`)e>c5T7`}FQV;r!uo{z-04eGL= zWG^qgY|h=olKcgS&@v|_vv3jt=GUXAn=``_lgwi?S@IinY4z*wdqOy^;-StAxKiOt z9gyogPX9D+S)QzPO55JaH?N0_yg5WWi5}kqtUedorR4oOTtQ9Ure)}Gc|ZZI!!JlP zp)dfvhz=SzH@~2uCnS4X))dxDUrsP@Oq<4j`t%rJ{Br;U(M>OLmm=dFnmspg;v|P8 z9UKSU4~t|&Ca}?B@cef_fmEm=Z1ro6HKzX^*yzmvnnd+oa1}z6N^yQDTtjdSSCd+B zQ=T&Q#}TbYOjMG1&MeeZ>CUTtT<<{qk=i}hSP$vP-`?0I{L%n0RYkO#AEu<9OHMmS zUUZ!Vp9d!1Bnl-GYYvZrzOnlP5MtjC7xq&7XEwpb#aGY!MJeNZp+e91L?!G4n?lbu zyjHB8-Tm6I?Q1)v z4g_3gna1-}8^?{B9X`Tla{o;hUa1zabgiJ8zv$N2s|-S_vQC^gtok-N(t3Kr%`2U` z>--9i887N>aFFYL4JjEMpo((HTkG;$J7;r(0PXMgJ#>PYd6l(hzaUI?hB_+}LL5~B z^gg{{%0}&S>L#hl&C8~6$)yDSY%l}ZSf*YH#E>pELhSLB+n=tkW&sa$IIxES+s5e- zi2Etf><@UT*Pa1p;a{SykUd~3O*GPo5km&@JY_?OTbc8**!UXUtg3QLQ3T|^yMck6 z5fOR|rviu%RIyKd4fC(jYqiqbf}PEKc=}T1Jgg(`O2~#T3F;$N=^c=;^OMysT-Evy zoUWse6iIb}bbbczfBfy@s^j8ljn^$!PUeU*r@f~YZi&hbk3Ry!5ePI{;f(bCCTegs zpyBe|o`RPvihul-Uxnigt3NhK$~th5UeXG6UO>sM0|Ss|z$9`T4i}EswB?j0Zr1)8 z7$^v_>)PPJXH#v!&c+yNp}|T$=Y@arQe1cksb?UuL9*Xw-FR^D#?b?AcmIW)qW(=k zSaq&qk%_=Ji8(dU(OUhx8p`}frsR6Ze`ilq=t3YnVxK>MJ_+Gp<-{h7s$Fu~l|9;I z1z~@*u5X6_X|u4QMj9O93p`ry`2PEMT|1#DO-Kclrn2#pFY+8l$PYROIsPgl0WJN$ zj}ZPOSK8(JNJ#B}wq=8JNC{n-A5h;YTej{XUA5Y}@i-0dQn&6?KKqJF0=C#XLO?T zOYo#MggH2e!YpBHJFHjI%KJyF5guB0kVZIX$wl>thqp5PnDa0!{z%ecJWuv_qpQ(& ztP4(Yza$D+N$!4BLR_7Y#IEQ?t@{qkdK`C6@%5#kA6BEPou1t#%3zIU26x2z(kE&w zK_I5ZyD?MPy`NpFz}O{;P1?ct|MZF`F=L4!2bg=CX4u({q|lSL|4zv-w@*(?abEkt z(00dxVP35{kUsGI+eG`tcFrAF+?3qFwt7i*ZflszgEb51K$Vi9&xP)reD@#WqS}Dz zOZ0J`iwmx!>e^tVDG!XabSjHRV4z(hcLL9E1y`|tZ&Bu#G2py%8*sHm>D%Imlo9U zp(hs{bdmnWE)%fLN!!J4Q^(so?#vn&2xGMm|tH!}t+#BXp0f#tO zj(*zvcU*`zpz0@wn7d->*9Sd@1QUeB9$4kjQHZ9d{zfxteLeTQ8JMm-d~$*H*Gs1N zzka+p^>0f*N{nIa!WWa9dLP82kaHKVJ}`e1_G$0DVwo!vJCXKR!^#v*&RXAu7vuzs z`QrQcxAv$ZOY%bbYej#tYV~^?WZV8P$voNt$=0xI$K+2vAdrQJhCr0CHz#b$p0}d1 z(pGpW81Ku%yY`3AyRoGX$@}Yd+gw zh9PmArn(=wCCujDyLf1Ies6IYW#mwKk#%|m^nz6J_{d}MlYb=l__td&>PaQ$5%CJ^ zH>8KLSSw4I-p$}KR?F=)pEBPGX7#-my?}#CrJaqKl1nLlbFZUl@$CQ(v7mgm?$x7i zkz5rj|E@agTSz?5U$K5>C^a+Cs^A`?mQ-y1?y$_xbF!=RiWUXj=G9bgG>4&bWxzhFE-)j|}P!a2_$& zK;zNPBx#G+#F&|m_GIfAA2cZ`GMI}UCN$HuRupnN$Dn|LL z##zCp+3PpU=_fnmwR}vtkcd^&>A(Scg}m(gKB?yor`6nXG`u7W4+@Kydl8WSj;k}d zZm)RDJiN=k1-AS9^8d5j4=(-V7?^%%$%zl6wK5j3RZq*QH6pUkZ1W$^u$T;}aN#Kw z@3&Ts=DWXpYzOL#48D2|MueFaG{*{H-Ycx@x>B88OsKyjXueKdP*q5FtJf#_ZjqTk zdj3s%@juwOrjqPQocMCFfiDFzHp+Q;5hObQ33NHn_v_!d_zcTqy@ZT2^Co)P@UT1X z`OsrY<^}Eqw0=`Rzg>fPgF|MBh3Vyne8_6%$P08Wy4>!D!r2Rt-+F_jnHhgBv#q<` z_mqk_3bDf`Jz|{d?h_ibTKy*%YW%+FtZC>oqvw~q1*`wDXsun?XStKJdrVb0~w@*x3HO`dzcO=Cae=su}j=hAC{~(%GGNS@G>Dd%UxMwK+Pz zBp;s#m3D5`&&}zATN?rw>!;|%HLI81D~a~IaQqCfe2ziu{58Gprf{FKkj01Ne{J!N zGZ7Q-+&zLfPy)ii8(#WYXXbe225-Gp=a)Ax3La;)dLBiwhf|B&MG`b4f1`pF>+0%u zrf^ggUsF8+1t_J56TvbR{AP7W)f^e_RpBnRQNGvjDadHUXFJn?>0#L3SD3ORoIARU zmJ`9b*|N}jadwzA&;5_OvmA(80f6qdoS_})^?sKV8qPIne*dLlXRM{Y{oDi@<>DW* zA5GvWZNG77pDgszFn17xiBj9D1Cuvu)znKuW<^-FDP#^rq(4v?sE6UsET9&<)`0Z_;iRfGwI0$mm;*#P);}Q;}fCKD~?*I<33%_$b z6t?em&yj1lHY%5km1$6P3W`pj`(H*I<&tOAzj=~4y>t4)1a4W zyvf1UQMrH(#>=f7R80hlB7;}CCCwXt&flDHWzS$69RK?lKOKTkfwn6Cc9OSFJZyk$cKrzJ8+$SQdv^7mkg3jBx3pc*FLt%h4h?CQB)$eOed!>qeMa-;~$p zq#=a>Jn4f~t+=JMkowzDoBY-0xUh@x(%9dKLsdoF1L}^%;G`40o3Z%n=mOr@jnQ|(~@{_XTpZpxL)%M`$(3h+buJtM?$;4^N*AC`p=BnJ=gHV87K6}b+O1i znhJle_$^uz<7G5(*>G&9+tuWbpD+n}^n8pXlizjywgC1;i+^ZnXuy6M+79iHk6Bt; znqM%p3Y9wE%S>+fo=#&ZY5-5kW0EG-;`LifcW@tajb zmb?uZ>y#)mIN&VEbN4~|jrb|~j@cjd98H%Qg`(AtgOrl;`ol`lL>|zKDNScadmAvobre|`7ntR6b~M<&l#|WXnkuF-BVJ-50dp; zyATUTuhze=ji-nFs@roNC6{KaZ6$&uDtQpKWcU#(ff&PMcbwVYzRbotLqLXllJe3g ze`P%xUcJR0FrXPQJBMC~BeHny(I|AeX^&ARJ&hddmXt*jnPUchR1=G{tT_@=KbVf8 zo{}tSI8WvhD9LSxcEi}G`6**!ad7HDm+$(^0ynuH;Vqt$k^=9YN~ zDo_zN4Nn>0E0U7BpZ)l#!wemUr_5d{#IFHBfoA7L(q!7x&+(wC?8rcr?DxG=ZCun+ z&Yfi~JJ!Q-Ke3J4sr~>;`aoO91iS7Wm5;UIMN3_=G-dbwdRd(v+w<=!o?FR~ga=$v zO5MLp!K@XarUs>%mIMU+;%*>%{$>YX$eg^`EIlLIgKO)VoBd5E{gj&*J!GsRgYk&d z!5if!=&&g+Al-?GNqVvIRZ;NxbvS6`aNw6Su2Z|rca<3w;Zp5(Wd!{8^6}2TPwNcq zlN`edq6#0A69Z;HqV0D7y*t{rVZ5AXcmhH+Y#>-TcsH+noqbuptSo~rQIxxmnMN!@ zv;vr`z>~Svv%Irhzg04^v-96hhRJdMA-1C~Ihx$8Hv}@Ld!z!dU^;Ycja_)r?T?Oo z=KyD_RhkLwdo^dkm(a_u2IA(=ds4og!od~{$$#cge%4B(`cdqaGQ zr6hRgWFRP3QEsBU)Et}*vS`GJOBQ;nY5L5|MJWh$Wsa{c?a0WCTuvb*GEyiopH#u}aW z9$y=E8a$fMMZy_qq(1zMnRO2kXeP)-v!9j#ez7Hza0;a9zn04wI$im%MuZkqJXp#h z(#JRZHVYCN1K)N#S*>LYu&EzKmE6EY%-7oN0UXjthbl+i7t^&w6K7V)-a}{#| z^LY+XaX9>?j|yccJ{SaI`^E~xI+2eBgntfhTl2G#AC)XM?(j%ch>HN=oB^c*^rn>^ z_s$tN&|2A9tY)+J`N7#YAYLnP1!U0SnU_8h(xxoDjdAJ6yEjfg(UX8%vfUVe+*yW& z&71>bEkA zj&AV;B6tmz!+*94N4uD89V#+bguhWt*e%%Gru0P6R!Ysjq#O0icC^C?hx2B@e{U~g zmXTe{1aKyzt+JQNR_BuA!S_l5RvcY~@mUEoKUdFhL7qo85s$FL1C7xI2&zEC?}}}( zF>nVxmo+%%KNYw)f$=qr>!S`@QUJjiB?rjDCNoM=l|0q7x%m0zscuuDqxNjfY~Puf z{7Lu_ucnWB)w>qoYAT*Kw_g&~TkM@34D^;KJHv{ONAX%_@jviFo zcB%C+uQyQHrPF=5c-(&U%sz^XgrId>HUDQ$Tz0n}6HeR+TP^>f22ml6MGPZM$vjFla}tgW*L2H~(bd&JiD%o<;> zgnb}(#}Qlj!NbX1DO&Ug>!8nqfp zQ!dXCW~eSVZ`Ouxm{UmK3$|}%6k&fsP#HeL0)1AG^68d8StVCpOU-fC|TlFU+TNi!wD86 zjRRKDtael=$jyza)>>IrH6OXYG`q53)Ru2r;6+LXTDko`cD;PBrQYeaoydYv{?+eo zyEc-iyz_R!bKR|ap}98U1)j>@^!a)O^obs({+qnRY{2Lje4CL_LM@OC^!NKIuhnqL zz0wz`s}G(d2ll3FvejCGlS(#ljn25x!+WBM_oOjVdeV)jfc*W8CUHk(2Zye43?~N+ zy%U?=^q*>J`Du|bo@e-T+TRKKCt+4s>}Knl~u0Y+EXhqT%fKbw2ZmOtgwY3 z-N47d0HN*p%h~VhgdBxO&Ejbx3>q4ZN5pK*kBrOVRbx*Jt)||gLWCI@(vMc6Zp2># z$Nmo(Bv_{r7~rIyf|%E_Ch-tva6xm;>IoK%j*Lfpr1^-V{O8(NEUSef=zV_W_;BAF zrt0@Pl~0oL%)GL)8f($S4yA$P^CxdJ$Cfc9_toYBeWiBV^oAO%D|7^#9>_^6+bYFbAiRE-{k-M47i zpHzSOTSd~sdZncrZyh}AlPefiLg^upij<}Y+7g7};!84?vAXF;4m*1HV)XhDntLGz z@ou*$L=FDK*Z&lsb%HO(e{*@bp(m}HYw127&4iGKt7`(K3>EDB|;_MGK{o{j*cw>dXUXH=MG?n+U9 zDr9Qi%6vK|;s1AV_fx>T|77a&>ag2kk=70xO<$Z$APB<@W=ROr(8HckbPE2a}}>QDKjV* zQmWLCzh=eIH30PsN=(H?`J9C%C^Tjr5h@}~CUcoLykrUr3VOj>N(1mt0Qh$J8UOV1 z^_=N$@H+4D%Bc-h=T^<``-0My&FYwC*Os?C${T;RJ&(}{0V%2M4+FZIA*YLLcW+v5 zXVKb#c80-;T6U1}gKssC$DEwX&;AXjSC)v#UP~rp+)sO!rMkLukoGfTa zppoKyWKoSm1dZ)WNI2;tfD~80Jha36Z@$*%P~n4;Y!|n!vh9q5D~Vu5zph7d1ME{QXkfKF%z;}%-RQ2lVB%*)Z1QUeQF z7jT#>4i;|dDd}(BH7z)IF9BaSe5gEM8m=@x>ZFYhQ;^kWPG^l&dyAQkv@Q`7CVK%| zNpI)|ldm74>A3~v*Vn4i3zYpg9&@A=L{zf16lF*=rLWn~suwB8)(Q5xdN>)HoF5;K zUmolsgjync@Ul5Y+?}DjB4wCuy^`M60qJkymQXM&E3n@k1--^ED->95lAkGaBMbJA zzbV_OqYmO^7PiPI-?6v#{ix8NC2v{Tai`8r&lY2_)D$&8bc62%^gQ=A5rAc~;f*Zo zxy-+zE-6J0b9=dhW;=T#wFzMAU$Pvc*;bv@W>SOC&@J0DoSJLI&j>)34@>|S`Rxd; zw$=XLRH%JV4)}h-n`IK3KJ$Z)u8zL~q#0WGEcq6i*mtP`gis&5tWFv9(o%U(=uSmq zDdv*4ZHKZzLypCHJ60IZzVqWuoXy1*pUUar?KZmv9Sav0Wa#m=-e4Eapx+UtZhAgk z@yZ*VAsf+ztjmelrJ?JPto%T*8A<=Tzp!9uGXdqN2>AaM)v41le+~|8Ld}#;vZM_$ z&Dg4{rzZf?o-T0%Vogk~P7n&;L%~!5uDtFcecMAiYSkq7#r#{ZKZ~T1PdjJ{R)YLa zOm13qq&`1~#^KcvoGujFqAjcPUoQao@pTR`ahAOEEZX})V$pgaA{ z?F^q(=1GX+c+k1QkSW!i!CSH}I)sesYTj@9uO7{@;RrjUB?x+dtd9(!2MGD!ej&Bg7c7LI zwDYIz5UM>YsFuHBQZoSy29i+Jskk_{aX*Zeto`oadmp5%>Mo4&ya~)29Lm-k9G;3< z9nQI&1*bEQLn4JG;lWHDmDP6hZA|pi=vSLS^9|~hg`0xk{WJmq8M9=%?x<6$u6t^o3DGs&UnE%BUdAYn+P;lW#M(_I6 z^B7<%(53VNyP-BF1-3s=_Tc@CB+ve81PFAr@u2es%^$Dv^FVivs(#)&aMO>novB9$ zf>P)60?fX>cxb1sU8c9SC)4Z|_Rbn}I5eO}mZ z*5=r#E_$AKA_zY9FVq6)4xk#c)eYMzrnIibD|ng+iyHAk6N_7^&i}m4EA#1#r26>e zbKGXRBVUN)J8{Q5hSLy28C|j(5d7JLLI_Fw$kWUsW(Zi9AgGB*BPnb&EC9mV@7!wM zT*RgY&~lqV;)~bZ-OjJB&0E|H1e$x!yA?@=2gPAX1HTM*G#Qu?hs8jF)>BZQA5y$z z6AB7gtW^52z77b6ioM@e8hiI5AOf*+HM{d*56{@6M-VRZZeZc_QMyjKugYF6_g3Az z{yX+0I{MdGVWp?w@=H(*s8F|IFZJy((66l#X^O0VH&wTn`ZC#fx%LuiDDA-4aUf|T zrx;qy^qqZ(ZigE7T-To%o-Z@?7rW;>tk4z0UH$AbB8Qu%RP=J}WpGe=fsku%7_&1E zP_F(W6wW+#*JwT7O_eQA=4Xh~8jG`vhBc4fGY9m?sBb1>~;Z=!0pzSJ zzh2Rp7_YhO*JKAuP^^+DsXyZb4nB`uo>Rje-GoirSb%PGo(|YNsP^3KtF~J$=N^Y0 z>QlCH0|Il6LaP5~$ecj9+`Ur)8snbZhA6%M8wtQo@J}E1(Wv&)Bwsh>@{hXBn6c^Q^tu;8ES$016Rgm ze!X6!7bq^Nh8Al+LZRHNSFVluF^fzo_S0g;_?ZXxJXcHLuS*aMP_N}Qe>%`}3k%P+ zTqEH*4Uv4I0l$xi*&hU6b;is+%zaF`D_|VALv3&Z$gdq_$7VWU3jeWhsayJY$fz^0 z6kh{3{?^NzfC`U#54Q5XKJyH9Dnb32<3#OyKSdf^Htf*ChZ1tsPfwm!_joyzaC;v) z{RS`@$~v_i&2NgO2f2sSO*F4rVoVz}yjqe5+rQi(k4HhmI*|d)DEtB=gv#9!@6`Ia zE3p(9lQ*A!X4RKpHD@Q_j$D0#i(C`ivsQhi{OGv%V{yQs*`);C=7xFI^CJa{ zZ_N_f1HP!@R-e^&@EL(0dCRX!JdvVX{HM437|pqV*C0M{lvg5f$CuL(Gd8C#1oIgs z#n%<7O?SCr1C6T04i?oi7kwR#N@8?E8)=U*Xa1gjkyCm2^zW06p5A2+dJ!j=OaUHPV!SK=~eAPLcmFZF^U2|s~!34z#M zHNUUhn~LH-3^WUQvhuw$?P%_9vhBp~9Wix`m*?1OdNcV@VDgt{J~)L$J?lDw?_xP# zPX-1(RXd}wNlC9PVS{JFh12y@N~)73+rMD2Z>o8uw+Pb}*AsWX$ROWO*mn$%vHYKf zUCHCuWD$LbQGInIr?a|Mihqo6?E2=~BGCPQiKFNLs`hW@BT!NeKs z@|ZODUQzOb$jrWee5di$L)d5{sjdfF9{Bz3xkRBJU#`kWQR`2R`hWc0mi%SU+mKHm zaQph(KN8Gay?E<5S+KbPEg7Z=lILrhQkUDlbE}RB4|A1{x^y45StNz= z8~o4}>*yd17am-4*9(GRQWRX&yyj%2JG)H_b{1tq_{p1l#UE#`P5uGshT>GzrRf^H zZWz7`=;>PUN7S(lptjGq@W%}TqB3Cq{L@;75v~UyvLbNB{5OwYl5{8VgM5{BmweUt zHGXL+=i^M#_y6@H>gYVt>-fq=*TD9JC3~>E?%X%w&3tVa)t?UMdsd5mRbM!aDq`DU zSNBEdRPsvH##Vci;g$(428Itu$%WO|i84asBN*<-nhtwa8D`d-lz&5(WG>1ij9YKjrG2*zomWbq|EkJpbx}>u*7j0e&d&Y%&;Y!npX56*{Os4u{sK!g z4XlQdN4@27VNLqjbLdUi!SW1!-!GG+k@&F30j}ejNg?+lwtg;Ne&iT07Q@4Fi6q^8 z>zQu)?X=Pg@od$^E}dH0F1gZnQgqbJ{u%u-jLa3MG;zP(X#Y`QAb+sVFSk|RfO6DT zrNjfdSQ2}yzmATG$YP+ZEWmX~L-s!}2mbjvyy2}?@eYu6gH+;Mx3N5;!0T+ci)GNp z_tbVZE@CuctUy)%;wtu1z6IstoB!s(&X>Cp4`dCzwLWE^dPo#Wa~rZzOM@_v1gSbY z7&8~H8UhE(Md$!p`9q8mEDNZ)h1gnjkyM+^iZw^76hA{)viA6|s!pG|E!X>$71z~f z_9SBs=#vX!e88UHDOl-xwu#?P{lck0tQA_ z;RiB=Dq~TPUR~%R{#Cg8(oFrWPN>j@&kOqf;$vMs-Uo}yv8qq4pimJjC?hpG+VOM% zlBKijN6CN|R5QUje5Zr&r^)r7!`EeB7*sd`;{tC51t1way_^r>r;m_VGvlKE+a`7H zoN;Al?B{;f2j+%Gha=CfGG#nideGvcIp5cHl_Pu4sGRND)2fex7HZ=px`&C64ivK^ zi}AlUiGvHON~T*!iHUb(E;q6L8?YUIk|>1djLVPfZ*(atQbm}?T;vgbc#0wCM?lMH zfA_l&To-jX>YW?sQ)k7a#l&PM-aqQ7U6ZR)Wy+HY2pc+s5wQtxgZT#E`*G`4)wKBZ zL%>mIxI$9Zs>>kl&fhQt;@Uw`8#B~WCwr6LGFV?HO_@?O6(>G&!A8454L8g(T9cA;rc z{ik|Dy4inc)LMvYG;@jDe++wUrlPAM)~u$p{=i>FBU?V=__fkAsJ9+!ve=#BsWc*c zoiQ4d9Ab8p_PH0)1rw}H`v)VBR*yv*M;k6z+;LS#EYY3Ky64^gAx*C1qhtz_^8Uui zl`u0wZ2>HMoLuqR3p3XR-n6r~E6+a>(@kQ0n6~+^{nF}PtotMAX{zmqVpvzPzp721 z$;Zb~#%+q@v&MM#{s*CfUOmSTLxq0)cE+-eVmt(`AlXRq1Ltk zXV<)C&wFt1zS730zu)?y50v{23MHlzLq7Tzu#E0~*)>yLemMf`8I_5DYal6haE+Fo z8^NBf`RGsbsvE~=NMgS~eB?>-INiW=f&5epgN}hyl}xh}zt+>VE-S3ucb1)e_5irz z10~Vr^XvZ~U1u2nbWayY_kZv)5j0-H{GL6Ch|QL-hjIoX!x3SZADRviZ4&Z|2|oFNg1U z2Pesoj#h@pzud#W2WcT_>t@mu5Vmc+dlx|$xlMG;QEVL)x7P?D2!xBx!+;p?PI6hu*;69ppV&i7n-AU703yv%&GBN^bQngVf>RR=GasqM5t6 z*Klp?bv9mox_0*DG{Yx;&7nRbP@dD&QO7@A5cUw&V3Qb^k4n<@=>- zT|a^qocjlO5)P*pfHO+HAAU?}m`_q5Q26CRk#UB1_zkvuYE(531H4_pMUEiEX4Fh` z$vh5=)l$LirAR)J>|IWhV2O2h;Db?Tl{TE$J72dW;iXDJ^H+9~&Vs8B=AVM}*RzUG z?)N#23?CdRFH7sLdoCZ7aQnP+%^L4`<2ar)s8bR(J;!IF%eO8QZcfZ{6p*3RtK z&h^6CnPYU`EB4w ze}jL3DWsBxHw4~z_NYvIBrdz-^gJd?3=nY})d3=|?V<(1D^dV&bI|9;<~<_j+gEFP zn4uEoMN?mXEA=3VTo6~ef;FF;GL1Vs@L2m07?Woccb`SVORB7bC!N@BG)$q9HmsufnktC zF{ok{Yq?YfzZ)%z=k8hlG*RFY@<2J(C- zUmHP<7A<~BuD0`66%8pdZ^l9V{WO8%c+2dKg2%grGTp;l=fx;C=10i55HWafg8%-y zta+y3G;@SaxqQetNr?!gm_eO^BTkca*m`IlJ7obvazN|)JNh(rewCx6r>X0>f0r52 z14&w2w|T1?waS_6S%|w62G^<*6S)k#4W)E$4Hj7@5sZ~=(?Za4w@sWm)+_w>?*ox7hCzuPh9o%>&G92fdPDIj|+prf)vTgca92Sf*M zP|&`nWkB&%dZlgxu)&*(d@nCFTRA~uu^l}9CM=?`VgA0>d+UEdLX^5spuG6>@}vLH zjHUE#65Y=V((2NFrUAw8=P*Rh#{}6=xw@Bg#IU?QP%Xf~KQl5VbHXgecLlJ%0y)OI zAwmih!c=~gu(?`9Bp%wCN%XwGRpm-Ozgl<&Ob<}aiyv-{6fd?`5_Y`#Z%7y5&5OrH zrb=nKURYLv8`4w}t4e(XFbnj!#tYw48Y%Zby{}qEJm|)sUDcI@6`OdE7B+}Ap?M?@ zYngY-1g~x@tO;3&l4Xlmy1N5GzW)qS@cXL+<1VAQvDu$c-*`NWlzWA1{DxJ5Ysjmr zC_$h35q}zW@+}B^6W&g;HW`TopSzcY0xzH%j+| zm2{buYa-p}mpuy}HCSxsOCM7MZ=IeIrW{m*tAP7%UgQByM4yL~0f6*1aZWkL@`zmV zE@dhtCO{^J5o3yJA_`Sd)1z|gzdy=z+RScLtNLHsU9oqB({u3&2$|f6Tp<~xSx%3* zpPQ~VR|@pRH!3LD2iv&2?n8*ZN)Q!kkEgj)+tsCT5Ws119LxhpxX^r1rV z-BbGQ{XJwuEg+Trs#l6HN*3;~;uQc)N@|1OuZzGn_R01i{*gZ}g6>FdBukXD(V$UE zY$_M!JA5v{`T5kK32=UL0nQJN#oWFKEO7(E7O91?RmIpAVnu^{gAbjQHT2ia<1%>{ zfZ8T>U6!RjF>?(*tNai4;}0)2dJnlX;hBw9?-;>YbFXO1QzR4IPF$vn$%=a{!}tf& zCwR)AZ&qD1emcZ~DWm_D;j6@I>{2xwEt04GQ-K%Oc|&dDh{dFaZws@X;GdQl#k*Hi zHK+3geqmbqSswa=hsve`Q6&UWTa2GfgUMz)R#G6vNMLHN<6%hZ6Nhuw zuzpHkdfGi!MF64~TCNi@*wc2d_MpL zU)D^QMT>tEd~4p-v-wY#uN%P&tuX?Y22(ON9Hs!?7;S|C^u@}XUds9{YStpV79dGJX|N??BdPkt}NH80?KU4m=wDeHOTt>m7rk#IYR)! z@_!zGUB=$Tm57=Kodw;#6oY*0Cg2P4&mhpnMn}e*LFS~n#-8ym+DHuU24sjOao^nI z<$$>8QMS)RkGfYpof($3nr?h+)hS0qGRglEg3~n7Tb6S#<@-tiuQsN6BuzAd@ts4n zBV0A7L%&QEmM3p$QjFVHg-AX&s8u>MSZIVnV6*$_pb@@X@klcsH43J{D4&MiEsWoLbZu3oV#}l)mZK>db$b+4$c`)Lu6vZTFD76FZNfNLNLdAL^FE?mVDawFJ$2 zdFH9{#e+ybUj?q65)TYTI~q-S8)+#RTL=nTc1xuYCpX@G@A<(DejE_hO z45;U$8g((REhnL4{?8DGgous5n%?5hhDL)YAkM(!P6P6$K>KW*U1nK`B?(HkM_bTs{Sc=)(Z+c+5&fC~MFVTLMZFeiaB1^sU^FM$* zpKuNzr-~~GcSk?Y(Cy^(ntPcfaSIpT#9?JlY z>BB(0-j#ZY8wF2xyi+`zUn_IQucWBn;UwpL)oeKt&3^fMIVaF@a=(X|byep7cd)DI zBQ|F9=heM3fJPZqk?9ftwC7X@%nNT8)TtA``8BKvElOTYgC79xZKI4BmMtVTevvi6 z#w>s*AkU=N;xE;y`iHAQ`l=5X?)hvsyTCqZRSh75C4;#wD`Xs;-&u=*$_gEUU5CZ{ zpWhlTl|y^C`X~!Q1eRcbdxkO6}-@=FI>7PrC_*mz==4(;p+&uHEJ(psZdXv!@lVfXKXM&SkNTFdF1uD8ic>6@ITMRjy3*qw33#n{eQp6_0H`y;Q|;@Wn7dySv&4wLeCOpm+}HUW8|X}!Sorfu@A$K zsx9}iKC$;Tk7_BvraNh;l?<}rQXO!D+m^fT>XuKGVV_>Z3W^l%>Q4vmM4(8DQSqZ> zivTxZr2;P)cOAHE4Hfuo7H&TWF7LMW8{KsSWd01gaKt<+LdSTZ51?ZJ`lk{ z08ungKECTk4ww`tm=qZppajXx?EArd@&9#^_231a#x>)%2|%*~{MeyU=p~?qRHyVz z4cIwPEYc-nLFcL*8^(%)*AfBhD6$HF;tSK@)u_*h3)3eM#n2D()ZrY>hPOWjKY&BN zudge$&ce%v?~Wo!y4QEog+1Td0xLk<%4N7=uSk4%|8=+I`f4C1@$1DF)x11S(GkVa z{ylCneGd=vIc7{Hy)8sZRg?w=!}U3GA)lgXi#8H(N5{eOp(tGv(5mG3?=7I?$=SVS zl|j$roqFw#HH}syy5)Rj52(R1der0{iSK>^gZU~)xGiC@q?T-7{UI}hV{nAd*1M3|d6?>Pkn{V#<;Xjh(;@MHtG`%U zJS2;ofF+FC1lTr?A9^tA>o#mkEZQs`=!Ty1OtrR4)=z#%IgB#w(2AC^lW5cjY}CCd zcMHQkIx()VZ`Cuprthlwz?d9rw7oLAVyldvY4}4PQ~12$(Yba+d$`xEDoV-COuA3h z0+uAG-WJm*kIm7#3@JDHxlPJYAjhplKTMk_?13Ex=2d3p>!R!?#z5t#KN?Z+-en?; zzt_Soy^g~aqiaXn`7ks#^0ZSsY&dAG`^kYh<36$4m9I!8C@#GktzUZHN{T}#o^98w3HVp>MP6t!=hpd^6g_xmXpG2mAs`@%K%`prFe7H5#v?8Gt zzY(s~U-wq-j|lLeqFoJ#mwpYrzDHonX@0}Bq#eM432;`+$uyV_rN`(?5RVhB5$|u+ z%9tGaQ6f>&H83t(8#v(^YL~Jb54DjtDQV^gb*_s!7*LLs7bVTDOlp*Z6@-8Cb*q-M zg$1<{OqE?40o$@1@6ST+Q?6>RJwWw9;|Q3}9C*7(v)uCauytPMOrD`Ls#4ZZbufA< zTn`KEjBu!}9$rp&E{P)gkXfJ-X;(DAZT1i>b9Es{P<(A6YLxBj{2S*nz>q%u}^{^5S;DML@y_bVJ-tqVrKjgrRhYV>8=-7lhr64nXc9 zh9yJ*v(tv9{XuJHZeF<(=?2f`XME&`y$v=5?h)X(@HY%L_lI~Md?0akGi37g+c5&> z=`VlW=4o*Z2%D`ZRA3ko2SQZL@pvz#X;Hh1Z!_*f_Df^Ic{1c{LxT65#3VbNqUln8 z#NNl=#jXrn1D8I#@Br0t?4U20?Smn+KSDR|adgGnve?UR*6Qs=ph<1Q|&s?BSMwh~Td%$n;NmpP^r%D^ML&17Tar8(}n<<;( zx}%>B?+O_Lq&ZCI(F&Pa8P&gCOZWq<5L(bKZ9CrbQCusR0inj*3v=GJLR_~J*>%;K z;-vLKZuQH?8iPI@BrJ^n=FE2vJ4C&5zx`H;0$w8~^ZaQlw@OGXqIy0nxaJ&DtiXfO z{i(Dg;l>GZJ$$If$v0JJHWBNUkpZN9x5Rk%x9@Jxg83l~5tI(mHMKOSmY4lKJUZwO zpgvuL)eVBL3FbTy{vB|!cE^KcY3uGq(i1`h$ZfzwMeFr&(hXh!>8o}$(&Db-2!rIj z6og@`7NC;{@c~xKslkWV65f)TNt2m@8&}(0tFZljc1q%=^-jL@5htulDW$>tSLh#_D=mTtLj7m|+7TJpm|-)j;qSEEvY1Sj2I-;0QR+g5a|K zCJrpsgeX^rn4vJtkBHYLr27&tuo_U29Kvq(Fe2NSQRAt#G+}vLq!tE|^(HtWTvvq2oahfo2`w)MY9_?<5XrkmG? zY8~#OsaJ_rJQg7}+klzG=OtS^h$S`3V4C0rwGh>K0?7nOD<2>|hNr4p4Kpj>k!QN1 zjxP3FXC%auo4Q|Pp-i|PdQCr&M@(LsX#wSlBgIQb z-%u&>RDkvO+VFrs@snI4((7DP|CG?o;<1GY?)bu9~*VOo3>GUK{&dxbNbtjE>GfG#>laJlQsm)NSD)oaG3n!R1 zFpQUzKi$vpV5t_m9l`0Z^e;Jq5-og4OIm*-5iA&qBBrSeM2R9LAgxJ6mrno~N}VMd z2QR+xh;@WQl?$L^2Rn-YoFkI^w_CbhZxMs>h|1OOCDzP*P-5cL13lUunEEo}7yg;@$ZwQ)dR5q?Xku`}_S zA|0pLrzmgPy{s!Pg`2p4M+~dd%03*uvdIh1(j|GSZcK&m>eRh>V=<=UffMCV;5={E zHF*8!vCwj>C%$&77ubDfj42+R1-bW%tu5g1>=+$I+H=X4XrX|zGfs?>WJF*>hny*R zpGaocZa&VzO3~}_+PF|&8{>ODwssQ8j`}4Bj*rWgAOGqPK<4pH0~#+O|L}qnc=?=} z39ghWIOsTaz-e}d=f=RG4~BNt(?tB3iBgR*uc;2Nu8sv}xI)n_%ihZjlewSEm>@K{ zL$ZAhL0KL*@cK@`2QyaFP)5%vhcs_PmN`oLoH_#|s zwn-04ik>GUIi9f!d`nVNhwwe<2ve-qbY1~egmxV_RK>mZRUfO@-l;gg5q(~>T&E4g zlAHTHP0O|ik^OTNH2mHW$skPQ+2IbD`A|0FZgvkaxXr-2|K{?0GaX)YH6Kb4Mh-0$ zsMn0Aff2^06ItL2f(=OzZ$}t@feUM9HE=%Bq#UFkcC!AtyA>`1eAdm<5`n(*yLd4UCLr1**&phayD}nXR1wmqp$HrU4M?|9Vgo>o?CG0XGS0sf4H_We>-yB2o9&E0XRo{pZtwSh6 zmiBVxP;#2>=~a9$K%A}S z*%Q_H6V)0A7*>rs419e2X3)qeqv?18Q0OnwiIZM^wk3@l5Wbx|bv=2&@tp&vG7Hv| z@GuC)e7je+#SS0yYm*_Cb5C7$wfe?NfVL}g_)+gU4@V^|@XqsGWH8uFXl-~bCc|NT>j85eJA`Pg#BU~|16f&tgpY(IEAmj?bop5E=by62=oxLU-fZr z!TlpXxl^7YWzx&Ep_$+9tWpVKc61sD*h==g4Q$h+Ro4w-(Z4-Sq1^bS3ReZ>l*Hrw zV!u&yktu-j6Z)or)GfN{d)2Prf%vAf00?!Lub_hTv|3vFTB$R53hAY4-shCkA4yX8 z{}JdG;F*L)sQiy^3xu*cAC{fwE06nud}aG3F`07w~>b6S_j2I0l#n1pjcpzsI4tMMioe) z>NKy2JuI@}XmVyIVBCh#t5dMFC%2#ikv4*$m+0$>Ho-g$V7Q3!u!g|#U z3{tZXl9b%PNGukLru{tP%OdtbFr~toa@r#f!!6w&GG#?4+#q{Sa`#PWi!TbJ>+m$Aw?ubw}?7RfJ(5%;2Yis*N)4Pumxx^gZdokjg+b>BCt#B+=EgAE9m%;_k=UYSVsvo?_#3S_LnnpyUTp@)XWm=E$bj2>pmu4%#c zYxr*RFljAZKKk2W4unLb)rx0JuNwrEs`P*&oxk5<2v))(B1XXBD8u!EbqI!l5%(5D zW*r@bjzcee{(=bh^H<%(!16edpbTp`SZ}>mr}3HZzcja$h7kRkHsw_%ip8AhBwRCQ zdbsmC$)pp;2oKMzTibL(-1-xA^y`Tfjy<{VG)DhB`U7#ii*q1M4 z14^q+k!Sv4-vkYDzf>s<$!&lv`?ZFc+NCSbcs5+;4M-B=9ibowyNs@U!-I{BYrz00#|0=MS$(Cz z{5{&ANS#=VGP-NgMCVY;~s?K6ncUW7`i>P=e`N3o zq{b)nVAmDO4PHs2P0l9^3V-~XSRd@P9B|a)yA3wzcdlgD!Gbp-ieeJ&fQX|%wLI(l zc5qNZfBYbofG}$fOCJ}~=x>`Ee&Ug8p~RM?2I8(c zoZ0dG(;5^Vyu&PqHFdQ%K>VnsRHaMlnL5P_XmSJla(`_5^)V%sU?$Hb?7G16Gp)aC z?k7?+KeOQLamh0|=gzoKK{-?f_Pq|U__U|l=n^xK#2+|IR)|4i5&hOrxzSwroF(sz z_njwYyL_FVc3iFwR*k&mX$?ntD27O*B)#6?ksl=;MT@7^0R1C2*T0+&AOeN_R&4N= z&OD14Hn@PbXE9+iv$PPDhA}(Wu4iL480mkL%;*j=7-cS$XBzDyWTXv0@n$mxg=!%n z?Lu!2{ilcBDth=)HzOT_&@IMyH#$#T5@S3L<)Z9{0%#x$ZsTSOH_+}Lg2hDX`yKd& zeu&jNNj(NJjUGJx!cLJIUDALo`Li?X^7i+WYcy zuOkxIwguXjPMyfU&7fG;z&exhdovOavpEZ!(a$9m#LS+>d6RI$nefCy791s{aKxXB zV3BY1QF^i9hrqQb{E{wydJy1E1YB!#RQerZ<)`=l*1_#{M9@rQ!rEB>hToJD0n|NZ zSCqUEAEYK+$b#HEaxYDf_u?3~oGF?%(wTuAeG*WHi+MGFIVt=Zk6aM9LWn(L+ z#St8g7=Z@C>WYmC4A1Z<2TbO6x3dmMBxF|=vLIhnyy;~0MYKIW2OK;&kKrZ}RQOj> z-$|G=>yYlCGyToJ+=-y?eZ3@sh@OGogfdvYHN<#^lhcbKjq@f}%$DSX4N;=x8A8Aq zZ~5LaW7^0<9(L3i|L= z1s5ZBSrx%dU5IgHO+Edpf|p+3_4V)3IoOefg=374{?^Eb#5^u`M;#rVmx*=v;9i6{mF0w=#Wr=**aK>uB9=I6C|$+|LciMU;Hq&X-!jVDA;RjvWe`k;VT3BQ z46r1TK_iyY*7pVLvLwZW4eVw?@FZ`J3^Vqq)%h&P)}oPOWD0foW(ZCMny(A;yu};` zh7KkO1z~VTo_}Dqg~D#xya?!~CabT%`JF%}LM(5}j0NYfCr9;njzmVnlrWoESA)9T z4^NjvF%iZ>iO5V((VI8V<5zwg%MXozy??J-#JO;G%sTp)!f+$xowx-I*V269gk$V; zob(G*ZEe)7EylEu6x|F*{cR!YhInl;yZWQbhI9hZNhT}BKA4vHc6e6^PNVS?nAl@S zj*1691}X8+H=?z1h1q!NWwRr!iY}A|$fTL;@&pK4HK<;06hZ{aD%?u4?8WnVp9)yr zYiH|&CC?Ajc>Fs(`Y!U9uQbvi2h>D)8usihJP-I4BjSxMJX>Cvyr+%kFVCeRq0x&7WfkYT#n~RFtn|%zP$%V)Z&Wy4Q z2=t>Fq}qW;KbzTvu$mM7^fhk-yP0GVvizu_BJm-KtF3W2Td{%!y9tS~5K!R)&+lZ$ z&|l^l5NxNBE>h-JSH~PDp5m0{c_V;UH?_63a4-R+9x|+djpV<+haWi<2Ewuw^}$3d z8x*ncP28)VNI!M$e<$1X$jwE^T=B@EfPqe7U_$~GjF4ovqd66&)iF=N{ zipi&mjc*LysjaH*h+j7#qd->Hp_uEE!qmNP+TnoxM*k4k85dr4uPYo;B^3br!un2| zq*Lkhr~c7VoNu1{-#=DPTQiGEv@f4l=`lHGuz}Y4|A|bHbS4|hl84Qe>M4H64C_eyM0#B-D~S#;7WNDwS!jj)*#Qbi1nl^>YSItXkY255f7`kg;?9{tx|g2s1d(+f$ns;cm@K-0XT564JdoWsvS$746r zkjNooi(cEU7hlNIFZ1Fd79wu$VE=ZA^hZyKl$7K`$=U0XrB4eBQ|t3`V>OJlXfw6# zlD{UpM-cR|FcOXZQQ#JEqjs6mQj3pT;YNiJHkn5m5HM)mBH-zoqu19zJ2*N5RE;ld za{nzrc~f}nfd-1loQ)K4XhLdH;Yz24Jp+`1y$bmex&}FPxAg2AB3_z$&qVi{E9V$FNjL_ zOuBB#vdof<9GM$jYViVOGAOtECHT%AT4Zb~U8fZi5z+bQR#iqPPAol@M_t9~I&x6p zG3ksp{h<$W-Ms0*5<}!kzzeAvw5#&V51HS zb#dWve&;FDChUuh206;mW5*cCNOmVzYqxnsqfr~kJi!yUt`PDVK=YIJrnmq0NCsYL zT(5%lr(|M~{;vj_#%&Ju`SlATBtl{+>UEuw$O+6K4eKBiOrfws{r1H&KJ1Qa5 z_tAU#7CNPIat&;AI0F}M#fEqz0nc3P>%+7?N)eVo0lW|jrg@?<~%=9xL zKzI|1LVtyV5G2_&(azd5K7f?z>tz6J7=7FZik(gp(5Px>jCq0#{cTKE61$MN^QlUs zJ9{A*lNXB1Y!qgMl)OB<&s|@JmG&iZn~M!8M%ejR%g*uZjkXUZYi+i4do5l3gOMW@ z^(?HYa8T|S*X+a8lvpmmvb^_om)gDY!4}pYPd&F{T=?fCNR5J292)gxuYr5Zgmi7j#}_^VF?tpGH1z?6!){{0 z;!pFD`b6}c)(GN~1Uj|8DQlImSl}jY|1%e0o-2*d{RcTGXUbKM%8TT0;*}8~r|toD zBd3a|e7Pt*XHczfdFgz&ls&=bMfFAccLV#2%wQ79XQe^z_Axh`$3-onkf+~OVq0oj zq&5&-LE>A!)By>wLIe^Nor_A1()q06VQv>-g@q(6hjA0Ls0~O@^3B2!O_ z#yBhpJLp7kIJ7=H9_$I$?stndScTiDE+ozF8tRE(Czv{h4RO?aKagT|(<3Z%_bxJ~ z!M#Js!_DFs_#{X7^=l^H`$&-xvE0QP%F1p3?SzyF(Y*CVe{UI|=*Ly<+PYel$gqeA zYJ|XT0~`!KNbT_30Y;WLwujRNv-9&xjE(+w971AZc4Wx*nvL~B)4UV}@!funb(;Cm*iPzE z6*pKO9?sFH3Mp-$wE3#-c;*Q%Bg0U!JTO47o?dcEef=uqdiGYu&r|3BR2V+G=I%%g z%HgStwVZ4sNFmO3&g4(AkB~usyPa|cYBwQ=H|i;>ap;*oTB{2RoxL2cuRL6an>^b4~#uNd=04 zF^i^cLE=813>J<_Z?{EqM&L5%Oq3Zk^SQ)G_7aGs+pf!2`h2R$wU_tGP z3_P?s>h2wg?EgM7N=(6x+ePoYd%0QXc}oMIH6bo1hm;p4j>bUy%Pw&Fo{NiX`S9Qu zNmX^Ue=Z4=Lv4ttp^>psOj1U~#y%-|x3l(Xu-$0X=E;LfMaj~Si`~)Y`Yop3m^1MA zXHeAz*r3)9_@j1nrb~Q1EMaFD{!hOa8(Aeg)0kh-<+va4OvW=aW^K+btH>gC1@+(U z>pYs1%cqIie0~PUUVu*Wj{HjBAt5bIimB_-l6cAjc`=?Arg8QNkB*LU{`B$~CCr=N zF}=1nz#PRRwOc3~>_Pbk_{bl@qiTA0G=+rBm(h{CYEA3ktXDiwO6eK*^Y4P4Xi_1E z^c+v}Tx2c()Cxk1-%ft!LK-JI1jBv>b$J2z%bK2igvy1o+_Qa>xipxqBU0b?ew}^Vw7tJ-2!VI>pa1 zE`}C52CRAMA{BG+UdHOi7DCr#BLU^h(PATw7UhA6DYbm8-mOgaCFgSsB`G(v{0Jzz z)i<{eUIs5tiAkh!5*)py34{pil$lSH-QDQqK}ULTAhXO-&hAhk5D*Y%x@&13`3O75 zXvVS$`|PVxu-L*sj^$NXN2jmyc=GWF>Bpv|grfNCF-Vx3zwwsw3=-6E$4;E+y|@c$ zr3*5S$w(6yvmtl~ye&rZlNd}T?Lm!oAT5I|I0TL1M%{3QX2UmW0Ej8U0RcO>AOyEK zi-5?RX~|xIWdIkbuLrl)Fn{fwD770D5xUTF2mSc_q{|@nDJ!dDwVv<%e#BOLXjjc= z*EiC#H-DJtc^S99sZrt8J`7IdVRJNg+=vAySER9>|H_M+UYq->pKN4oIyJNARU9lj z&}_fz@Gt?6lveKeTl}Y|MbLx-APbxSAq#RMc=GpLCU8yW7(jp5AF>g*PvCT&zmy<) z{0P4{Sf?drdIw3c2np&F@9R1Y!$o?ym22FAziu*GTHGJclDar%`woZtg%+D(zts{I z$GQDAn}SJ8eaJeoQco6b!0) z)jB<^alOdgTa*|(8t-w3B;_P5ogpP5xY>A4PEza)@1kr77VK57+B<)_CK~D7xt-N) zBiXf;kgF>uaC26A)9w_;RF|Gs+oAcQ7C~PzLM9#CiAJ7OFyaitn!B|S;|KJ@J;UZ@ zW?%u&k0Vl8OB}asp%Po^3o(=s2b{hhmVfpH2}N?~SsThB^yZU9Mof%gA-_Q4hPby0 zlJ^V|b+q4xsbX|eFh2^}-r`~-8vQo;8Dye4lkv2O$G0#ubL$UyVFq_kxBlS%*h_F- zqVg<3Uj@Y&B=i-*1y}N&U3m+ACC1QFzfyOjJml9_Xf*{XPzLVS+2NV?kG8!5$4$+t z8A5}ihzO$8gM%c^)VJFZ<8feNW6?_;{UPYO_Hfp9YXh$dy*YmI1#@-ggnQ}!J{HJG+GLnE#6D?g=6Ceu zI7fnkz30L%@#0(M)BRIqQb`k9<*+g!{fJlRSL$78ubmsf!ZR2$-HS50^i~ip7pk{9 zT*0eAy_-Zo@lT*=PPJ#9d-HpRdH>$iGlP}N7u?I2tjDJ=(arHIF@KlT9WJt>cv!@I z`Ka^g{j4_fyYwjkUaiFb2G}hJ^Sz8E?i$Y>zkiYWg%k1s_oL!~y~(t?~<`EW>~QL#xl z)Uu#H$?zSOmjt|WM)xzz`K&q+ABj+)F6h{UBg2WPHQy!&T#L*{{xSo&Ev8ffxNcU4 zuiY$&fI&@3NoiKZW!`#Hu)-$q5%BeI=XvYs7`n3)yLl6n6(`N`Q@Gh*eXNijz1KyD z1|jgsP2;x=+Jf^N7-lLeDsZ$w^R2g#efvX<-B&A4qK4{;QIC%h{*{t$muv`Vb~;sq z{S1qZ*0@?tHoLdmQ4}~4fP8WO+D`pOt*3)lf8{?B7&@Q_e;v0fy+m;qdDD|!&=N{< z@9EubDx>|m6XI0MS?8=$7AJfDsvAD-WE6|}No$%Vu9 zDMJohkIJ`z3r3(!dfGl0clQ}iv%0l=-_g+l7M{isv%NRIU0YVAKOJ8Z+KBvks>9>4 z!P_jQv6*n%)km>64)JsF^d)4%b5n{g*_G$#n}S$d-OCR&qa+mUQ9kY0HU=$6tvq)> zH`LEhl-MeDgvs!vem&GU?p+*f`A8|+pGQY-ZmH>Rsx_@abmy1MG~W!Hq8(MX-g@F3 z9f95MW<5u(sjBik90;@Y+y24{>S@9B{^s*E6*WA1n&n^*+!`k>mt7jqC$arq9AERk zrSRJFC3!wOm`tqP)F!E}G}ReD!MLc{6jT-_Dh}jP67pv*UG6a+ALPy0%&g4xwW^ja zDz-#qtbBY|sn;7%C6nTUUbiQ>x*mJjF2{>K>2Y$o2E9=0 z8uiKe30n5}!QbAXHJ{aG6_n@tSB}eJbY7vZu-O*Y<;BHLGs>hheUviNF5k%bNsTw%RWXbPzp61;)nd zj^_h1>8lh{l}~yfq%rAp+v?zbGc#?TPn)`+^_HiG?AD9u2!6Yf(aOrwc2ZdQ3H-3E9dcOJmX+Jb{qS zZ7n~r(?<=@6f#~PVB@iyp72SlPDuo^>uPlaNJTTNVsSV@b9dRAxfc_Q+uL)x@xkMmPzGtWKXguqy-mAy>?@*)_ysj4Y3X@{cu8?QrM}=r!u(Hy$pkubh?H% z_oqo`34VY0NO4G5LXhAT40DmS(^$%5N^M=>Q;>=haHq!9`Ek7Ca^} zn4;utY1uI`iN=Q0O9^5p7R6%ULx~VMzk@W|H;T*106cq74Zcht5!RRh7Q_PBC}#H+ z>_LR+yD6+S9o`)iQ)csNBajx?0ivkg_R>weQZoh|Y=cwdqZyWrM{)TTRJ%G2n*l^7 zwVpL;ebD_*80{v7{L0LX z?L!yPq>P~LgCLn@JTAOE zrj*Q>(*pY37-8LWG*H|tsTmB89esQn_V znTq=mVSipme}1yXe*2^2#{So@mM{2uM#rEzp1baV;+I5rcGjuY+5Y8(GLF;SFph_~ zeF|%|2obll37x~D3Jala3wI;Q!FPX;D8*=4!)@k@FjWyd*K3k=hUBgp#Jd*WoMYgzS zd-b0Dtt@w#eqQ*<0&1odH*3zA8TeigYwPoaBR3m{qe0g)nQReW#LUcL6FS!)_R{N5 z{fkEYl3{DiSf+}$f9qU=9^H zk5z$=Ud3f4`d7)Fmnu39adsT(ZW~kUa^hdw*vZ>$WopdggHJlsQbC~n#J%cGCuSpWYaz zlCSCL04M$cnRxwFze&Zj&{a-TSb^!P7yHluQN$h?n!K;!td9hnjXXYA>k5lG~>~V^Dm{7DisnA^NUSCn&?~L2(sdnT*<<4+BD>s z_bbjLY$a zgQoq?Y{V#i(Lt`qrBZlFG2Qn1vZVFFJ+?hS++9b$R+%5Hec_zR5tbNo{q*_LRPti2 zcnj5Jf;*HK@!CrBff!H?EV~sSzH{|hPuJz8eFvZmzfy-GEWEC_p9I+$cNpeHk?xa! zn$HDcsEa)Bl|ZZ~yZwdAUWN?t`RYXq7+XT(}tsrub|n@HZf)ZZ*;L%NUYZ3Nz)9Kmd~(wH4`ayA5x`&mMk%A`jN z<#Od(9lvz0x!eVzvRgUC(d$uz$blR2$ zSQr0b$?P}k`L0%rui4MlGTEW=hHSSS$6qpslIAmS16N zOs(bd)@kgQ7j-Yd`KA4a&I@F>JEl(m)DWRO3#$GUb(KPkIU0APs*;ZCz)p$R()+Tq zQn&jlaj>3zD&=IKd5!pR?7oxIkFQQmCnJN$^JY!^rQ@_9Av}@RD~*#PqklC{zA(Ew z`Zz(${d&m<1u58lcgYkDVtqAkkNGJ%rQB^_Cz0;6h>IN3!kQ;D*b*n_11rHP-kP|n zIBbx$2f9=00T$1Cq>ZR63g_Z9uZr)hOnFsUDnHm zD&PbGP3Xs^@9Le8z%4FWA4o;!)BD}--nSCUvC+DV5s0$tJcPg4_@f2$bH6=>TgsTx z|6}T_FzQ?a?%YVCDPrS3W9Vqa;TJacZ^0_x*0IK#uy#jd;9!; z&-=cg&)8oKwtM$E-|JlGy3W~9W4Qy8yCx8uoHR)8mZCEGquD#iOz{x2Qn_AiR*`X* z%xj_3_fbP0Imps&dc9*0q>}fklvHMyh8!B1Dr}E!c0;0g4eMipx#dfN7>ggFyIZP|JtfoxdjVcuYK;`54Lgir!jiGv$!gl+PHt&QOxrQV3qZ~z zY{n9~{N=>&rkdGw;Ik~x)(*{07R{7jzRDYs4VmQ}eoCfhp490|FJ6p|6)Vyc^6c^0 zfO$M_kBqE#G@Z8YoU17|toW*|oiFT-y?%8>miAv%>Hg#0PUR#^t0+9LhpJ!vh;ZaR`aWiaxdp=E-u*!AOGfcgAuooO z9h&zaRe&Ly0&;JuO`DV;T!)RpO{K7FxPQD&g&%^4n9#_Fh%cp}^?tvMk--VLoS$jHb;N-CSTi7^E_%>M)c z$r2q$yd5pG8t9M6oer1ny@L;{U14{=zTnOJ;zIvx^jWPVvXP|Y2|+K*#zPajjuo;Y z^&x<4ADx_hqpi(TvcF&d^6%K3;%ti0nzc2O@UpMEs!u4gUK&`uMMXpoVP3xZyH8-E z|Grm2e(`+J^P5buteY5`SG=|bk>x$ZUp$Lkye2dfbfS=SLfFFF+5}%CLca<=rds*J zM*k4q!y~}4#3Xa}8hi$Yvpe;a_;_>GEqMfL&FUv99kj@xFOQ1g{ZR;<#p+F1KCEX1 z;vz!evpt(%k4|QKOynm~3G-QQ%}Ig7QSDs{dqv4DBYe{k29`U-o;A%4%ewqmV^FE> zY7t4`$7ko~{l~Y>?79tFJyp%sn9*3EJETV7lhwEyks*mo%<&qLKXq9>$+*ZroNvOV zQFn&&=pVL}nd7&G)G%pjw?tGRIf=l6p>NH=ED*mfO@PT+>o%&0Lt zT-?12Z08_eTU)#RPS}R1cNo@b3U3WMt<_8BGmIxY1S&n1_2ePEfFqHtmFlVyjbjO~ zjyp#WANrhD^!_fL>)WW=l{^i`&Yo{%f$vcToQi~<=_6c#Wql`l4)Yu`oatrYU1KY2 ze{b`M@Q7^(XWNwl0qrLLI;f|}y7K;W=0EyQ&2a$G#G@AT6J5+SAReqOmjL7CnqLriPwIGU$1~fCB!N= zf=DGV2C?xIuI`{^cYV_&AIR!;Ld8=}vw#g6z}K|3v&RM$hLMA6!onhb{U@j6qJ!0- zBvM;h;1cCa^S^@}#j8r*EVw_uQO}U2fiSnNPMhsh?YTu8D)NO&?jg(5^(pGF^R|Ypf zm&N5^>O$aVW_1_jk1_)eYj%ZiF)uE|%@Y>Vp$3!Zb6pDUUvbGKT2Es=4&v=e zjERaL^}r629--cJeom(1l1bVR_C+}D*gYm}O7;IP@F3&5<9sLFP?sIOm?c4*k4jlR(nG$^=haNO{a*}nBR}-@!Q2H}0 znhns3j7KuLN| zOLy8}A%1g4Y2^FZ8wDp&qq2lIwlBkfls)V$eVP;6!|>pfz1R5UD9i_UlPEMOZ^0_F+$DKkk0vBp8Tk!$jOg=kY^)c#fVw&Bo=nCBTM4w|#=JR{OAb~(+ zW7n1XD@l!Lg>!7PQ;Zyje>Re*inAj#Au;f>Pc3h5k4z$O zk^r4jyZ`F7HeA?ud`R05c#s_GKdPHEK8kkCB{8v;%$Iu+x5&v+P)2>|9~~ce!W|ep zcYhNP8i8DJgU=((4?E4VUscPRAAc5O3TO-ENj_t87VSWD4kLTL7urDw^+5?53dElq z=V*BcR%PlIdq}~qG7`A+-Z0cKz+`Su#{kMEePD<Npq}LmHngd=En2#qnopYB}n}$K0Rk(c@m1f&a}=? zZ1k|OB+vZT2D)i&oO~9f6MdH??~0% zzlUAjX0pfGnXmTVZMt=n%bpZpI1+`* zNc$vMq0KgZ_HAwAOJU%HzWa>1WfP(y(Up#$_&x-!C49f0y%N}D4!Q(vlTUv!2n6KbQ;(7`Ec+{U+PBw+s3RPEt0HZiK` z%luaFFKg_hHc>T)c^3Ky#n?fBG~5r~@mjs`>^7 zIAu5qiMICka$1Ta-s@34kyrSVq4ukSx_1A)5#>Gu!`|8*LyMcp z(W$94N&Zgu)wZ;IThTA_nEDCj(8Cn>ZhxT@P}rq4D_H0{@=4DBGTixAv%%GJ^#rJC zdlHjR>_sr=QnENJ+~eZ(=@Rwk+I?zscrj!)B5j8|_eR==K_PT#_o{Yau-|4OIP9i2 z-D^+{D3E0Fj1y0vcI&O%SZX+#y~NY{m(>sI9N1E%0~O)c0JpwgGTox47`>=}WbovW zv2_z-c-^n6JU=;k9L8=eUOaCfQZ9Gm`QT@@g9$G1-ZMtim*}nd9BZ*jGn>J&qoZ3_ z{3Xxwy}ZRdC%3CUMsxA)*A1f1uy*|dyjykrPu<g|Y`O&+_}T@7}$+8dMv%1r{g# z8aysMgKFwFl$g_9u=y+=9AD{)*WxM$hXz!em!Q09oeVLFas54d$M&SKEo~!Bp>WNXcjspv)Ga*;#I;UL?HzC?kpx3os-t%pWVUv; z09n!_l28Lo`+f9Dprh`s5{H0Gq?Wuzz})&%*Zq7;C2MQeCc5YP`kX~e<~=})6V2II zP?_!nn4@-jdtS#sn>7S^Gbw+yRJ?Thg+AcZJ^i{){=ZWj!>_;LL18StHy)S%k)fEEV6-XRxX+54Cy z=F8us-T28xd<@3JfD|U|3}`Ym-YNOd2TO}#Bb7ZBMe(5qR_VhOeXm-c>=l=;Oe-|K z(O0;p&c1HVFuEYWyiyuth#y!-*!26)W?dVrIFt0r$6sbIwst|w))BA51g@Uu-Yl(h zUYLhi9An^G*HvJ&_P|hK-&%;#EeAnGmA0o&_r5|O324?yn1S_RuML+bqXnR7(_A&j zUy8t0c*jVV>LmE1I_@|5K)yphj6SvUod)dnb)wg&fRm=*3tm6YwFWV9vSAbFN35~v z$w0kbzM?CI#PhVLcX~ZPI@@<@*}y2;Oz?x7Uwr6NC1DnH5mIwz1;&hm26Jm$VantW z{|xoBy-#JnQ;K{)Pg0RWTpL9mwIZp>+sU?kCSv390Kn~^mGv}8fcDj&p@CjcQ=)NZ z+6bSlp6Gv~Y)*=o=jwoRmy%yk@U6GEK$Dj)@{Fd-QY+`w?3a#O(c zFoQBmcb1>wL=1LEv&GW(!)(e}Wp#&vonh9VrgqCf0#~R(|A%K2Iw%#|&UUuU>ez#O zS!Ar5U_Id(p@V~+oT4iCzmad%PXY}qwAh>4KYluNdK=AsV9u`_58dou9FLWc*m!&0 z`=WaRcmEdN$KqW&l-`@S>Pn4|Gx2W0;fTtW1C&eeIQ@u^_>7c_{=w=0p!3^bo&zBx z<{T34CxW}FLoinFKgaMS0ptTC9EZ)}^$vQpP0Vg)Yn4MqJKk3yC_D|G6Uy!5e&74S z&M0p)`#*;v{a^*Zd1InJ_F{ykE-P?VRvvN!Rbs3Czo8}RcHQjTe7S&`n4Eam)RY$P zinIfW=FL+_gS_qs7!c!O)7v3_6l^>#iD?+;#J+Kn_l{4D^@r=)|1K!8?JlgzkaZq5^Bbiv_`YVPs1+S+Z8W*(Hm0g_ zuCF2^MxJ?`Y}LDco&PLwDe;qgS7zC%nK_!wXT%H-N1;HCAdo>>@nmD?Y;o7S#XLfSaApc+sk&dmoyFZhv8xnw^at z=4OdaU0-ylR0}41{mX(ij$qV)=>7{c3zpXBc>49PKM37!S6lcf!NSbk~8R*N~C1~I7^yw6Uo)ve=$nkEk(1syrpeq{h37&#oA4K~28kO+^ z8@%`u42@eN-m<9)rtp4uoUfGHuPsR31s`H?JJWgjO`&`BGu}GQ3*U^uH5ETg5#q7D zygESF{MV7`4mIu0c+AQ>OX_<-zp2W8(+h7{^6a`AL^)u&hq>zO8``fk%XRT^UG?<0 z=jmpDm2mh_G3r-tLn=wGgEM!f?8i|u5g!KrwI@$F%pj)`=4>KO@b5d4B+1qvPTa>y zv(NxH;J5iZaM^uA>W}o$@^=fHmqP-)Ik^R4K=H=kdX2H0uNR^lN2#VW2qt}G>yYza zQf7PHjv^J@{#^j{dNUWU1B69HW^3(4P|XdJcIlPqz}%u;d;3($TwDyBrlHs>K zWT)D0ZGC-wcH7#yiZ{a2hDl-V{~cMo1-4o0s_xpXO+D|`V15)?7adQYKGy%Q5M3&k z+Gn;s6sc@&W#zKBAXRKs8~Fs)tlCZ0TeZp{aJ3j|X-n*bW1pB$*GUttVJpnZZD>GL zwjTsOaNm-NOHF;Fm=>yFUF&FgV+HAXxJ-Hsp>};n;JOUkW0J7AjkrL^*!?cDR5P6Y z(OV6))147sbSE`6kz9P;^lbA3TSAuS(@fY{pte^Z zEj0~KZRoYqb<1()ojzGG!l~IFIkb zlC~?5yUq@OmvKrS{3`Jr(fI)m&;2u2g?`camvj9QVzl1JwrA)?O=98TYtE`pc9y!Q z7dd~tDoX`@?!U}5DXo;B1k*nQH#&Q}T|7tYu7G-C(d)s2NoSwZx>^q4l>u$%{yd() zFFt;FP=5ByfHnkLqTYo{k;HrXKJ`7}3w`hJg*)7=cQ1ghYc(RRW-(6CgY8k{)jpYiob+ zulq!|srJ#J;8qRN+l}bU{!9wC?Zpr`r&MFT0KS>JOyZM=^wZB%-m?ncA&?~;`3?yo zWEmKDYg?E3Y^OA$*6d{pRXS)$cMiDP=&IbvQ#AA039FtTmaIkP1uHCXHiH7Cx0M&a zq?9^L&(Eu>pYZoYXT?tBxw#{>yF_fFu7_gmM6OPo@|z;&(iU|h8K4t3qXPn?6ZQ95 z?&N3ro56(`iEIX?#aWisVd9yD^8T~n6McCv-aNb2Mt)+k8oRr|g3)qIA+_-?rV&

        L!#wZNSpVjf&E3A`;8~RpB9$i$NxNKPf2)mL1aA zsVy!?A1g68$;6~1y-K5bmQ(?Ry5+9k5g}o!?}BS5W0sXI0QmeDbf>`y1>^agC1r?3 z^Bf*pv2cL2>i9_pa5f;G<&pq_8&baeJ98s|)M5^`GzehTM`6LKVzwkmP7V5_Q>NTq zt9tk4_tAiDivQwz9WO}5Cn2A)dve+wdS3V9|3+KJ0|PQwX3G@#%R!laQ9VB69-zN` z-o*|r_v=3DI{NZwu%DGjCLO?X0L@RNA&(i%IjQXE{L-Ay`0(WM&i=kWYmFHH*pnwz zOk)*_^r!{;XGEPpihq6hvwxQBXy<#eL}xcv8Mw($*>YkAUk|Z+XC@ueN8T&syIOyX zhnAjzyAHJ$Ro9Ga1Ib_gqCEVk7<2FXJ3Bd)+`kVfn{Cw6Un&aznR1lzIXS7r`!n4C z;pjCA3|3T(wM*cvEO3(n_FNAYTjseQHA~Gzch>I9*g2xse)o}6n_iEqwEmp+UY)I( z6fV+wo)E1K1ec;8?%5*rd&>o=&>+7@-}E! zXsb+T-v;ZK*>7f>mw8gXCY0w#j_PCY}^l z+l+hvT4SSeyY@l2y&SLl;7dmy#w>(T?+v*~12UIU^!NWxhQBJj!nQ zabdjeN_EL*=Xm?3^y0)`KF7kFui?UXPyrcv6K&VEK6h~7)Uo0+mayH)0P+nm19X-Z zzWdTP^w5CC;+yyDv8owhdM5du4k!c6M{e3uQAs zoT-)~%4HY$yAJA2=}WU4o$k%bZrMX5J>1hHhfcX?sU0ja?KxZTrJjbS8B7t2Ak{B^ z4{)m@g;t{Z8Lk}I=bzt74#rPYReDYKSEEVRYRnCEx*DiV>p}BxN$Pg3%I*FBr3dqI z|AfQpfc*cZN-uuLJ^2jVI=tKLO3neO0$v1~@AALWllWu}+w$cK>YI8`n8MS?o=cO<9_skUeE~I=ldmnJopCitaAom4ecOS6z_f=JSM2HtUDjiEo?#V!x$@1?w?_FMD&%Q(aq29?gkgu9i?1cmbFZ zF%v=XS7||t0UE!D<2)jB=qaBzH0JFv6#&}uMzu>&p;E4jty=@FxlLRGT9@h*0$*q{NRy=FZ;1$NWR|wy(&wHU$AN+x3?xkF{ z(ueBMpKc(|rn#o=d#uSZzqdJej0mQgKdb&FwhU{}?eL(Wq~wSmaCu-Pm`~w`PZs_{ zo#))Tw&^^#DETsq^YHk(Cn&K3b*ixN2K>TY3Qm>f8*h%?LR?@_SSG+ImH%O(EfoRC zg6+emA&^5b_-H@f=X5mGch&jKeensjVk-%10QX~0N*5P)yd1TwGsd*LmBLqru}7gY z7u}@r5fE;_=k+Y&pHkp*jZ?|Zn>^rPV4BSgQvZQw8nWVkeG=n+WUkQoZN4?oay7wo zDueu=X89IP=aM9*8N@crWXlF+Hp=TUwNJOG8Cqb|Nu9%YPG)$=+-|buefO`N;N?joxOc zFbQa^9H;V%F|J#-FfrFUE&SP8A9%c(-CCOrNFPXhY0hyiz8AiD4n}p!JB5Wg?!FU| zG!)Rp<$98s1%Cm+5X4D~8#6LD9(d)A=u9sYSZ=9&^)Nf2^p8vt*a?djqQv;DS z(#Lt`{N8`%TR!Z=Zk{?I%y-v*3X(s>`}s}) zk31&L?``iKcZhk(VzaoJ3mUnAfVIWVgkKl@(nNC`9l8WV>Gq=6n6Y=4^-DUOx0Vs)q>jQx`iv) zC0MD$d7ep;6`yfAD&_pWa@J0NRC;jXo2QQIslu8yT-Jph6RkOm&+Ms+^s-gWIiwT! zCyu}GgvC~@^_9PsUn#iB>474X94FL#3awKmQ;!+kX%I>XHWez!j~i&Os(Y|S8poSA z*}tO*rEWh0wQs27Z*S55a{ik3QazF&nnm#23uB$-kPmB~-?$$1KJ#E6uicI!;O)F6 zK~9d}d2C@IAAn_^rAf82+GM4Nz7GL{j5Rj(i$&T@bkKfRxg#`opUlm~k6|nPx#uf# z;*!kZ;8#SQ1M!=aF5RMclF1}HzHjc(Nq_tHCJb4raE^SulqUE0(U(O&!P1#FuQzj~ zyj)8R#o-OsPb?d5VsM?fB{Wa1(^4$Oc`?YO?HkmrC#KcYbk4Et`clHq-f3f7iRsSr zVjU&=z&Ij)4$zN-un0(k{=3*}Qzc^_ko>U(Uah{9h5veT&i)bM!;2xgGi}*MNa{q~ z^3JZ)kCKKk2=+$EnaEgzQ}~vO;uEOLIH{8yGdlF8rmGOVVN<^KCaLJ7v*S-Y(5uyy zg26QR+vXQj>aTV%=f0d{Q*#|1P;(pPT#bWC6D3^XIWMJpHK66t(<DX!}Gv1&i>dx=~bzQhW~_oe}?;JM_T01Gd$+(s>SL636q3DjROtPk$9RC_d@is z@>@{=X|El-57Wf?AoJCFHZefUC4#ECXZ0?jT7+;+1&W2nN0u>A9 zB22MGpd642ZBwvoTLwWX0~{zn*i9 zX09OlC+Rk?c8Nh_|K2PgR=_VrKl+hkpgKhcf;Fp?Iw`LDJzEpuS)_*^s~V|X{ze5* z8h{p+nB`7tsv$sbz3HU;OGa?#DGE6ZB(jWGS)BYns%ZNE_sF=9X&j}DlOdEIWt`X;QRE`*1gfDuPue5)1<>bBeJUH z>BIg`t}in64GnQTW%svKQsNx-S|zcL6!8qNqrl(QTEl|9{=hUZtnhP z45katfyVy#YxkEih7^>?at2f+N?SXpJ=zAbp(E302_M~6d0u`-pt6~FC_X^)M~ zh3q~Q7XG@nVFe5Z={zm`q!O;AsW<1XU`p^J@YPdKV*h7@BbE+tq}qRAqssu;rNlY{ zzrL4gx`e;2Z;CYxe~2-xb0s_>j?zhl0w#1@ZN0SCha;)^u&zBrCCu1YiGqcS1i(FF z!yposk>P+n-h{6-^2aFL$ku^T#`oQ!qW9x`9vCTq+Sccad^DyW8+srYq$ zlRXWJdwlp>rBS|2Fwdgi$5NvtoyU7jS9q(y?l$pyi)h3|TFVhzp&g;MjBZ|#m1c=~ zKyHf(KWB;b3(Zx!psvu?2gOF2SC7q|vJc?22sWwK4T8>1jHaGmPot;(73IS=!ByL4 zoSiqZA^)UqvTukPo6Y#t> zSji48>Pc9pS?Ht4BHo0(W}T^h)#XaibZ;^Gg}wgwxjAVgK*{O&MUXgH&;{v67ZO)r zf0_hL4C!*6H4oqzWW=|p{V7K@IV9K$B)1pTOSuAT7SWqMBHf272$E1s+mZDHPFP+^ z&9}*cWQz+vKpdF~47N${oz+abz@fAUO#M)MEDwTXGvyrO*a-+8etpIq{r&6LhmrH& z>jOL$ZCxiuT{B!Swuz*pMezCY>zVPT!&y}gI+LHjC17E(GH)86Z_(X6Q<`izYnZH) z$@EBwJ#6+pDRS1&lpZNq_j-G|m}T3~qV4Oka+BoRia@lqoQ8l#XT~}NAbujo68gr1 zw3aE}V|^xozeUL231^i<3ckLl7)3J>bhgwP&zbe3j`JcaGAx0^eWDrJa4x6sayWrS zib5rUbLhaBLodKr>?}?+C06MikqG! z{e;uBK57p=BtB}VKF94>pBOi4Pc@rw5l3^Ow^Z_8qt@S}TfK7>_WlIlAlT@AvujSKr02cQgDpQrEn)_rsOh*;7L{ zJ~D}gdz*PaIlDRVE;hi*_S7#7td!WU<|vzZo#sZlr%nUf`;OI6xaiP?HY# z2&$Nr;wsKF2e!>(-;oJrE{3g(!|TiWdBv#J@ZHk&O$l5I)Z9qDU_z zBQO5rv-j`?6N0ltsI|Zb5lvs$}I4N>a0uDF= zLXs=DeHl@>Ev1J24W=p&^!V|~$!Lu`XLrcGVd*my+O%}TlTNC`-3(h*dmbnpck^1a zt1yXYdw1V@A^1Uc4DB0pbKSNfY#&CY^(=H?DIkmJbZ~!1t|fn@Z7Bexnh^|WDk-AV zyfgZ}!+$*k9{phDE%wJtml`P(mAmL3RV>pIISy|Aj6!mC##i=q`Q?W6+AjNlwE*;< z6zb|jNr4Bb%vlITu*aou9XdWX)?aB0v*^6^bXcssYe^)s$vB+OA3%rd=@)C4<5>dUp>WRsz1tX#!g&3 zXT1$x(}obYT_a=GpH7=J7;ioZJKmfE_bd03hunfRpS|EszRQ{QM-1gpg?F}qBg46l z^Lgas%x?F=_5b|^6W7@{YsaW7;5)ca5s{^gE%BLS(UwGIhzQ;@^ImNRBO4nV4QoHJ z3zQi4&QxTl2sv`^JC;;ei(-aV`L`s%?OdGbP=Bh*wb}Kqif+v5(nwiSi_)e0N->0u zfqhf>B2{RZC%i!VjZ;(NmX(X)^D!OG;iv2}+X{WLl@5X1V#+wXXD0&_A-{o{Ey_y$ z-~UQ*p(am8g5e?lnYDQ*nGUvv3b9PJ5bK?rcYbvoZ>ctNWP*dC{0n?~d5sO=rh~5B z>y5`NIc@hQ)9pm&Zwoo=eNB+48f${ig(@y3rsSZ?Wz6P&oyaE`mPINgqC>_?6CpL8 zy>Fk2Knt9^z`iZCpSd(C7KFAZ+WpGkoagXne-B*b32wd~dIAnjID{=T#q zTK-L=E$OuJGt$0)l%6{L3k&N0>-7}Ld&p1l$H$ZB0pRCZRQd5@;OaUl7{(UkX*cE%gdnHSe2aYw;_3|eaV3t=Va?@TDJnb5Ja2%-3-iDz zoAuoU4db>K3HcL|7b|t}z8LI@3|@v$|LxZ6Ow?p1PdMvTSzxN8F~D(6bmjDE6Wlu| zZsA>bOHCRP$ge4h0(6^uE3-r~TINhV`m!KxcM)<<^(9XGnI{Z@#2vgp@LDq!U|PoH zKlzO0)+95`*NrYts?Yz{e5JDN=76YuVo&~H^Le%jf0Z5b-oFVbPBb0xG18#cC9_pY z4(JH!Iq8;vB@B4oIFLz(N=ih<#iQ5aNqzd)h0`URa%TPt=G2x)OGa<+?sihY0+SiK zU)7czpPY`$`yH3xK}kl>R{D~|&>!iv`fIl zghD_NbVQK6NZHgGwrD+2IPvTlCX0Uw)1!E!2|N-P^CiC8PIWGzW9OA_Or&LGw)PKx z*0cn^2KRY;Z_PC%xHZVG!RK4!?e`N*}widvhX;Fq9@gr!NgTXC$&r;YKJe zjdpu$q0e&~$F4~s;bjB*S`Pk=xCo91a0^O{<&_e zfc+XNfh&o>lQ6LU3G9mwAK>4JvgOBHMu5*P4_eP|;k9CO;l(*?ftMI_i^(+Tm)G%E zm@_!tXC+FxzG?VPAYLhWL`KrRy|2j=hG$&sgnT6tzzCQT?n%FyH{)DhY&v|@>W+lm zRvudlMk5XC!1%eMcmJB+2d>z9+X^!4!g$JYq3Z>*7Y)t21l+YlH$4k=hmXKM7(OvR z1U_Q(S6#-y-A&lHtP6>Kt%gAbFb3h{hOYAIL7L;%Q9LD|lJH3_2iMyOpG!=NHdOlX zWfpudEZ@jrZy51avi{T^Uq5Wm)!OHjt5GO|Kk<34TDD7m`cXA+w7aCYYQI1!xEAn0 z@!(Ia)z`xy$$s`@oC$Anyt9HPzR_{YZK}cz@#OKGigPm4eZG(Etg?i9Ky`)|%r719 z{AyBucSUBMuw1DbI_%_Ox!%dVIl{4#ItZ4^3V7FXYsVNE_T(#H+3NqN@0>EQEJ+ElZfUbFRv*I-PCVxn{s66^6`O% zp4=8>jN3%Ur8rLY_~#HYx&4{w_oU&H#aD_7$`|k0;5TUCN;^2Zn;P=uO{O8e0JlD?z-#(D1L!%K!#J z{_P~ef9!hM{efA7Bz8e z%@trk%l!lV97OmB=le_-eI@V@`;Elcn;<9TToHeMLqS|NN!HLWPQY%`sW?@F_!Eq_ zyk&5_7T=$dpW(6aV|ROJr?h&GXAQG(7b{TCQUUFGWij`wQ3cBV71jU1fyHE!UVu4#=OQA@jzTED{X3|r5{7Dft*A_v2-4C z_qune?&#=}_dg)C*oe z3coy%wEZZ(%X!6IFFl)F^{PN%NJl@5Wda3V&A+|$MTt6OFhh*|m0HbJL3^NueZXMx zGlx$`2NrDxhXLiUkCRl66K_8RKR%wB*Uy{KXANhryjMmsKCb`4*p?G!D>U_?ME&vp zTdh6Wk>v~dxUgrl-yInknyWXgr5hXD&d{=1!i?)Pd5&bO$HoYlT#<;)V6h1_u1mya z!oZ;Uf%sl9m3T+B(7VF7QQPU*CmL|~=G`6ABmHRzHE(nEC-$tHKc1ewL-N;ehkeEy z{B1S=;neT0J9NXVeZ7piCj6Ki$ORP;M${r+^aAkew5942W$Fz{WR&wlx7z>QSzJOL!;ott2CGz zCUno9Zy*a2r@fig7N0v%ZqO4$GZZppJk#hXV?XWqel^%t_Ut+WFOo?jq{32hf7Dln zmNxu)JzxH%5JvTXAU1=}3%oOXk0~5lgV4(0oCOM;rcTSmufdz?l`YCxco}aLk#*T=O>>u)9QlhG@(y z5{<^-n}e7$^tpCem;8P#SM%-|;n`3amp}O?lX48fr}>7S5A)BlAsiARV-#E_#d(gF@12D`d$pJ=e#1b-M!V$wLx(vT5y7QhWT%SJtP-?0eT!Fwc54vLCKwTDzvl!h}4gVeRlbz?l#D;?q zy8071E?ulhAE<=y1DH?eG=@O}R%ec8BuTs8ae)6fZ--ar`?OV$9uD4n7V@`tciGMQ z&g>LEowUVp{hXdmzdbamXu90(Bn>>DuaVkSgMxUkLszmTH@;En^Uq3&8!{fEb|858%%N||#>*8gIqEbw2^}*P0x=GUtSKYYE zt*}piX8PXVL-pfk-nZ4&qtxWA9tsqj=qlG4A33m2WV$Q}$yRyL00GcFJ|f>+?`rA8 zVj7_epHILf4#MP1vI6eAOgwToz;;A*iEpTy<4BN-F&{P}J0$~7Jv1Z_KB^09QM{1? zR;b001}@9(&5X9kZzk)nNqyebD=x0iltb-_)Nk?i2_Qj0PScs!rN2?N)% zF3X`OMDQX%IU_};aZ*vlm$tq3c-wdTCZxEQXwWMrg~gDyXm4aLiVeSW!Syd9!tJDL zHLF-57Dq9PfVg2A_k}IWV7R1`tP^<1Ue<$#;hH>8So+YNVd99mw{1l!pSNwNLu%u} zn?2tdn=~fe@3FqKB$?bjBh=;Mdu;w{|88P&D=HUg4nN}u_Vef%^!4Eg;TH^)zK2x12W&FDDYqpOgap4UB{vZ|lqS(*ku0WYl_irIfNrx$iJT*BF zC{FMv03(_kX%t*pr@^b_Kn)TVwL3jt5h%mAzfUh}_qaPG#1!=7f8j=WWmY`K;_{J26K<2?Z}`l0U%fbTzR{B| zFjs4RHy>swy_}IQ?wALF3lsicbT4Cf3nA0S>?SO~DL=F~%ScN(K*k!|Y+CAk6B3m) zy|^fcKebqI=e~ZT>28be=+`YaX$b*ffGtcNT9a_?(km!9W%rB%k7orQ;X%Wq|~{E5jMA&wfXh~xmwJ|P?1TD{$u<>#)SGPd#^Se z-#5Y-K@TM-)KVu#mIUVa>^?}&qijkSxT>d&C612OwKe;@*8jbSe(mYfx(nL#@*;@l z{U1LPn1HN<-#qIs|3v3;!am*nn^=sZz1cE)?H6JEL?#;9>pDIHCTYVhc->bT$~3i$ zkoME@e{=7nqus_h6TH-h(UMP`LB{oZrvFrXgQ*v|n>fN*VJ6qSF$$?UxaztZy}3S; zo}4gp?lOe;#eAwzpwVI@@#^M1B?kEj^98i=s^msRZk z%iT%uVE}^OKY~{ti~~^geA>AM|J;^ik;8aMZ>MRZIgSiP-w6)w|J^z`ofF|%^3mET zGvS!oPM^o0x_8Rxtcb&`aq)p8iLa)0(cGStvQSwbctdh}Y*J42N;_~JFDF*OW$gMw z4Hh6+ao4zETwFadf`=3u+ATpjf{*wd^G&j&cQqf;Lrcg=?0Xo=0wqMZbhVruqHo9$ zqy%3-GZXc#V}cui#HJ)~{^O?sGr_9>L@x$E5`8$f)^w_w&Gp9mwgN{M=0O0{2paFDt)kxN?=-IdVBHf`xFXiuSLr@myc_=qC#`&lUjKu7is+i*Dv?swRl5b#Po|LP-#uScmMkg_l<(;np(U=;8^^Z zqLKo8s7W&Y1o770x@JcA>4h(T^ea^u{3xq~0tC*_ttBA67*>l);2#1g6Wz6%6S%ai zks+})a+f}o!OvygQ>k}2EiHjFI=`+grWLl7Rw^YzlCCHZeMGc)fF*(HpvGcpT)t)C%{ z3+}I97igBux%f|R3Y`Z7=B``_Y*@0GwqDqBPUq|KNa;N4S}sNwOW{h7SvY!feFlPP z(n#3a=*nh+XLRtUO6S|^aQg~js}A_e>v&e?S4vmbH>T&d)^D%=(jxOsjf?JSJf7S$ zv=6`qFOK5RjpRNRziaZ>!lQEJooBPhsH8McI$^ZWC$xB=RM@^@d!g3=cgZR4h z!uA@Ct(}#)auF6&BhzOa2@kx6Yl*rS#<~WlprkP(`YnUK&rcYRu9NU1U$TrGZ;MDe zwr?+Zj6*C+?1c#@&jKTDRO!aIA3s|2I*% zut@-Zg0Y3e)8=Y?MhFdU=W7a{oUDkSdC2{6EuzKTwQSCt=Bhi6Z&E}^j-H;3Gp&E- zpbBZ;zji-A!(o~5z;3(y87_O8Pa5|BG*tQ6YzupNd7?pxOL?fN9}BWKY6T#^8_){i zj^R>%#hNBiDXGNr%$`^&vT_k@oM7gNT3&^O@PnH$P)H6PPZTt8CP=o0>xR=e>1$7{pIvSxm_R zL~D&({@Dv#wuRT@|Kqs$;l~~Qt$GCtwqyg|F75-A$i+*I}PypEMngtock&PUf(}Ff*)=`0IKjXUyBR z3QEV^#Gg2KF`Sb+z>vBC7_-C(}a-&<-G25To}3PDV`bDLF34fsml zn9=3OJYw4f+=ui4>x8$*0sKFtsNy@vmajyqjzlS59<_$De68%BBS2s(&bv6mG(oTB zv)a1W+!()^z$E`zHq*DFR{WPYU((Xj{t5j*biD^uQ(g8xjEaDQBGQW>B29YlpdzAl zsY;885b4reLQteP>75ADd+!9K_ek$WTIivL5=y?yJM*94yx+{Mby@2M7D?_oyPaq6 z{cH(3dOD8P{lHQt#e0fvV;`)&!S@AzEBi_-?;FHxR^-R|q1+jXsgjLr?|LQ)+!-Bz zGXFQ>?CFXkT_|~@5%i zzTD)1>I#oRqif;iNbx(~#7NH@`MSj>e^`RwHaOA3FQ$t}88&Idx%ld7Ir%=nnV#&gZo~eRzbiUkdkX36;aX?vGFKf6((aO1)sx zW%*CJ+xa@{XfbM_ph5P-PJz;WrpG*1tezgJHzJ7Tf!aJ_+xiP$pgi?733fugU(0Y6 z3nuoZ$dqSY`~Ylt84gGhq49s@mPR0rVGou%!g42JziPn%H$?w~rrM;5j*I2`{9-r7 z{u2mqC)n=f9_W0d+Rb8H(hE9{mcWIAcSd*V%+L|`Y{~ME%|s^=qY<;Ha~94j=CG(| z=B$>D83Fo=-Q5mq=24egRS1eDh(MfSc>y|d&qZfG6q(v|SlowqnP5MVC=H_~iu3E# z(f@r{58)F*w)=$oiP0ysH$(S?JH*THTe9HasSI=%^yO9R#Md?xn;f196-khIAhMYz z3iwaN1e+&WFQKI##$*@kaOr_b^MW2ft^L-Nc%r~5$Vo_br~MHyn2KOP_KabtZgZf= z#iy{!fmJP}UYHpvMzzEmzMgT*R6K{~X>Qz6hjbKMSQaz&eJmByBRVi3P@tppfCRC} zpBjhoYxai>{ESDE6W*cWYdhdhMU$;MP!PL^patBA9-AXm6_TyqkNT-vZ*Qf2WG?HT z9zW*3)}1^y=H>4S-6*US33LOeIE!YdRC)80a0%@G%?PG5xP9~5A5521)Q*OJMV}cu z{i%f<6XNbP7dF)e3#rSot_PTsj2m6pURki^VPuKww98rrhT&Kc~{Mo z8qDXfX^Y=-e4ePt73thrcfZ>)J@3J2`m)+_vv}vjL2Mx)h}QsavzGPj^ox*_baI~ALz3X>2{3-<~D}OV2O#qPs{*m~l8w~3z-ECqy&N(v^U(Q)3$woqXv@prZxW_&{Wr5Cyox7A(9@^&V%|xu{iqGSMdDo5 zy#v9{$Xvd0^al1RnfQdhCwb4c-dG-k+SApfnoDw6L`7VvX+h`^n(ooYpngkpc4qBU zM@RCvt%IEm{mlJ0B}HvAa_{k5SW9iIDg?=%yiuWu3&8e7hx)e@B0CS{zczOslcd>o zp-4_4jP%0yY2_l$A>oFy>OiOekBL{+B3s93)h%aotegz<^dH4_XX5o-h8EYkKT) z1(f{zWhVDw<)yge2Ew>~?y5j%T1t{e%7eo9e6G}dN!)xE8@hZT0Z7<(j7Cs|EHX9K zSk!h(#mb79r(cz&2?Dybm4(%U5J}xaN{-e9jGEZXbu9ElF%IlM`Mz zvWA&b$uxl35rvAd4XC%O~ zH5Pfy5ku4-x&&&OE-K?}925NF1yWWMP{U4rsjOmyxYnJA-Yz0P6C zy7y&CmM*E*GOo$fRLZq#U9NtX^;1e0P~L@SIxW5NUkA8Dd_S}I%Uj4v{?uUWyYo#- z^j`5wdu*9uqjB^8>gbC*npPn56-oDD!wVoFpDcPrp~*GgJwACahO*Y5~@0t+mq)gVs3}US#YW0r5IubQb89c~PvT zYhGU>RT*db4>>7nI&eW7H9}j^RS)VNY&BFm|T)$Y! z_K#l*^3#jjF8VcL1v51{Z;hvowF4}lD_42DHh0BiDVO#ho%7A6`L;X}E32wrciWRS zLW!fU+Txj89A^xseei31*HRwOeUDoCF%>!H{z_9nDl)Y@Br4ZQv!wiknw(I0)LgPO zYNNMJavjpWU4&4{bi^ztt|SlOBA=&46R4WQ#whbqaQ6|cVVUi|LQ08*->;GbPA!YO zrYb5!exlQg)Xd}Egsrd5-*`ZDy|}cvGP;RLD<3g_FsRxt5PnpC%YA6MZ_HI}$j0%Y zM#akYPx)p%0|b#;|(Zak59TKLQ`wivpRQOI6nKKxl6AoD;JMl{fcM-~# zf}3NB(w7S@A-gjCY!>#xr8HK|LHvkc$I_5_jV=@i#s0U`@2NT8Dg}TK`~b8Sj(vY) z+UeMGi+yj$wJEq=IdvJ~x$_68Kl^yF>U`M7+*qm(0)Z6j9FcYmogs`ee#E?P#2qw1 z7WOz0^7kXyznn;YYfY(X&3;+%>1DW=l68Jh5c>3mecPDL^l68ySF^JoXaGn(-tiE^C;PKWbGsffXk&VO?b)mX++)_d0!5uAkXe|&<Qs!Ho zj`CdW-@RhRo>lq#>bDMQR!Wwer`HQiik8G+N9H~y0Nrrts&1-^BDKINdURE<+lw~C zh!aVJd6|+)?A9}=`bzx`cvcqMfaC!;FXH4r;tU6k;wQ1-rdXRmM75#@{`B3<=HLG9 zLpwdEW@SK3Ag{gA>c(hl9eDKnr)Q@NwodZl2HP$P0?gm>^PZnuYNqv_QdK5Jdh$3^ zeyU)93`r{CGn#vT*Li06F*|9*2u2u?nd z%u-40T2hyhr}1MD02BB#NGH?-!6JOlg;1)#?gT!)lS8&^dogMh-D?J!N1cnMcKh1N zCh-_l?Tti&CxPsSP`0}1+@RuCYq{nTL9W=JHevQR;&HdJ%65VnRi#ge_|AUL6mDui zwsx^~P(&^qQ~dG5nr>EOBTmrKY_s=axd(>K5tvugzU~|4{!GQHa+uOKE>hDDEZ!9Tdhxbe*6_>MqTDsNwch2s9x131};c;5csNgM+2ogm6 z#&Ecd%a47IG+Ln$#AI@C^s93A)M9NB)=*c*m&y4BeCUV*J_WfIJT?;f#KfeU!y(uG znQ~;wr@__`prGv7XpeFA0Te%qH1VmG>5bataDmty2C|#oOB2!_!u?;6VTP|db(Jl^ zA$E@-^DO>~3^ccmpK^*urw53uF}<|kiN@~ zwTH~r-=5)J!>{%3_z=c_Xko+6Z!+`AoWY$zS+AiDKy+Kk)un+M$5w0G+gDDDTRa6A zDL~9v;o8I>1Ji1=O?kCG9dcDLKXo0HN!B> z&9Yk)Pc7M17+tdl!MmF%p6bIEHb1Sbcf_2_!fM3M-rGG^G^7xj>ui>{ub(jWSr8@v z8rR+br=w1y%*M)JUoL%$QFmb7vI{FXT9j-XH>cfr5O*1uWTkhRkdJ=Rkk}?Qq+7XO zd0bf8dQ|Mkv%qR4kgD854s{|6cBXDI>f)H)3SN3r>X#b;zzL#3zkfb~cT-i8UD&z3 z!1(nNb#MTk5~6np6XY=Zf9`67WIx}12cpaH8FeMqYsBvS)STDfoD1l=rlRa9Bm^E< zn6fH1JtZd{)aU+uZr?dHH>C2O1Ocz`4_%5Ul24ZP4XyQle(!rPHHWD1U@4SKMkZxq zLX$V9bnO1gwX{lnQ8IK1mAuOPha}Q1{0|32KD0b?V`SYVpS~v-mz^e|E^i>kMpD|b zm_&q(KfD&YcaFy-kC=FFtJ2(NFFTyAvYKNN<$hW7)6I6$Q5pz=52Je;&Wz9>TD}De zi-`>utpBql?_az0kDH!rEfJ39yGw_dZP)WKmeqle+t|>nX!bJzWS`mE_vGK4{6%hQ z&|If2F=;#+=$g@4>m)ImDU{K)yBg*?r}?grtF?LKRIkkIg$)$tYIc!bfLmGJYm=UI zKO3zc>&Sf(XY)%c9!7;{Pxn|aVk<--)p7D8O3&}tD49#$tvD4(zYKCL8!yR65A8@Rdky-fH7 zK^vPu#tmXGfi_ZyZ>KN6`msq$y8NCVRmiO-G~gvS5g1!ENJ>nlLbl;|uoFQb$m}gt zU?YQ@-vsfVgG7rTTM$n_MPj0Wm$$(Ckao?EHY%jPG+*1X^mRV(lBX1L9HLY-LSTaO zyAtuHr~&iK26y2QnE+aUCRJH@c5S9YrsluLo&UOD@iy6D){2*b(jj?4zu;7|eZY_5 z6z+osiPG2L%c8EE9f^|8*!3~SUXT~DnPrAnO+sDS$d=Sk~C5AdskXUKOx z>mO2#IOLLNx=Urw>{ALu3_!fOzH8^*89d=lg0UR94&_LT;&XbOi*aF7B{ zMI)^^7X6u1(X7rxl~Z(k62EBnUJCgENZ#`6sCaRx=&WcPDFg`dyHF0E+lg0b_kUhJ zT%iJf$DmU%1lM%w&x(}Qo0K)%f7XC{VE6Ma_g3pDXYu_E*mA>T_P*EfPY-cVsEX5I z>8Z(`f4)^0z$)1>D^`<#h9fXd@89E;$Kqt)$>8!+VXKfz>uJL{2%!bNew^R2Owi;tb$hl~zLVG*R<6#%`w??;>jy;<%~7VR08QGbmVR z>}{mBUHo)x%;qwk88l&yebax@x$&S_59A&?I5F|6mZ8+l>RWi)d#T6@DbigCNo?Do zs&9>W3mvJ|2WjMYQpi_G*mHUEXRUYZq+IXEot3F}xf{i^!TucubZT%n<% zo_m)6V?pOk7QgL5cF17^t2_qlTN{sy6wDpVK7w?x^|7mv8yn^@(<(b<#`@>AH>{fJeEfeM zXx>3y^)#jF`cnj%LAxtC6`sVeh1reY#D%iaW(;p}Ce6&piq zRTH!7^Z4Y(^Wl_-%b~^Fd$|qfpRBCf^?Q%D{fIbT8ZACMY6i&h9xa)WvyfVsjq3;R z-MDVh(MuTbkouhFK0f0F4SnZpz~p>02|#;B_XHBs;a_`pZ{g;(ljoULuY)Hivi6x4 z{`|?_{%qQO3{B7ZcGD$MI_1rM?8MZRl7YeITvNb*YVtpRa~3Zi#=Q3>8MNF|XZTr< z`>6MaFzR0W;!i;y9oL?lVcn<83ffqhw)Q+bgk_@W1a;2lOJ6SKar~7nym9r4_r902Mr_$;jFMF)+nUZX8+tA#Y zu9CNw4ysD>297_X1g0b%ZZsjUvV)`SX6#>B-|6skGY&MSfAd69Tk<76DM?#Ku7`=Y z0AuMMhr8(M4mEuNxS2*eO1dNF)aKDlH@>tf$(zZa!`Q>D2XWI=`W9AJKgR~4&by0L z6Td5q^{!Ir|9&;l(T-{rn&cNYj%nHj-#XYWmo!#ASuUQZkHvImQTswvJ)j11F z_)aClF|iDQCG$U3At*b=LDnT$V7!{fyqx1ZdtHLATHfLh27)^Mu`=_fYJ-n+i+|eJXEy78da_27obVH zzHHPJwvWb%Cy|%VkH(P(C6^mR!AW)g!@=o9^RBHiovcd%sTBU6IRj!LJcfbT^D2Vaa?{ zkKdXKbYwN=rm>4UMP^eoA&);<*<@B?Mw1|}9nsLn>;Lk<|F~Hh?L+JBY*PMn1qtsB ziA7#UM2~%Z`gRQV-i^}pzhB?D8tjIOcxjV)&>*6^dJ2u6&t9Y7=Xa7)D~sb z?>Eh0zQ2YPdC_9ez+?K=v+8on+5Nt~?&}jKy{`O%*Nvm~zYdX92Xp_;@9 zeuX{gpp{UcirrtVC3UqoEB-KfK$9odlMp|k5p|T6WYFXBE~>vDy+}}w$;{;3tQp6o zGnh@KM&k-5;$&cx#kE<89#&cH7j#tGhmR06iT|CiR?pfR|016RWTa$74m58V_$xYB`KKh(p zuc-rr4n-c26?;y~$pPs<}!P!it)H5R~dO zg~c!ux!(2EoYzooj`GXhr_0XG4SYznzBcg;oUI7I!>QTAY1=KfNfYcZQ1z&vHj2ny zx63uYN9;Jy5Nwz~+4Je4sm!YKka8&*2v#q`?;Ndk&bCperJ3 zY2Vr7=v8^+vVWHQgdy&mk!w|uDfD#9ueM1>#+IfExFOIL@9-8S)pcH|Y$YP;e83OG zY&>2?mVtdC{HSc6%bNtlEIXkdM#TU(A3{W{pO1RHeS8|4lVHE3{9TrpBQg4t&y6n~vi*d#ER zg@g)>v8B0Wth+q&E=^^mroSPo`iljsnw&A0sTfXbb-Ah=k3ZoBA+JEL=%`wir}O>f!_Z{$I81mM#+0BKjToq^ z?jOrmyYRTwYE(;~#D?{p0;Egjxz=FK&VE-;w;O$piX;Zjj)mZ1g)C+R%B0^krpa!o z%+(*(nH!O7hLVPNcEm01g6L6NXU*OITvTV}M@vsJDbnor(}a0^zH)l4qjAt+Gi+*z zDZ}A;`_Z*c11mF%%yhi(NK_X}aq#y<^FWH!`qZR?`Z8Jk_hcTj4gvQM`(ummdzr!hEK_j_xKk!&2Yjpc$2J1xW z)@suD@AG^Ly|Zww+BzPLiG#um?Cu%0J?ialbeEr>h__i$l&O#>R%=Q z1dwCz_T>*mDk?^T9}`m!&btOWfvor*-fUb>JR!M*%2qRc-iR z+dg?S74@vpahZXI-9IL0yNL6GCGaqOSrjGrI$TK!Y+GM|)?5bSj^}qeoA%pW*hgxy zWsbR9mikmylbN^}g3i~tKHuJ2Jc)bH;jh}JO<$(pv{|MKdMlhBXX|mjh_9qV7!YpG zp5PVU)cURgec=&VlAT3*OQshVFM0$flb&Qs>Vb@BW((1lJ=iZa@+nvn4NxkKW24ji z_58OWK@I?71wc4}zIk?b_VDmR~GnaZ+6d%O1I&hxaVY2Ov$um4Yy|7PT( zXP;vgH7FN1PSr8zT&EJ7AXDH8zzM|+xn>$>iX12bxx`l#>IIgKYnS<&f9$-R@InlnBd3a+o6 z0+yD2T``#w8@7IY9WR_$yT@ENolQU9Pp#mdyYJ1_f5dh z&yN5|YU6PL_2n4Mn z*Ec$Ud%%BF=Um09uVWE57aKrGMEk5Tnk{NMS({CvzMy&aJCB`FPjUg@1z(bc?DR&Z z@x>M95sR5U$87Y5{fxEr*NvLw8wc7+b+tgRJYp+)xmw?6;7cb3ZVGvWLjqrqC2uDg z2;5irYCHyU0!dA(9&I^`z3HH;v)9b>(FgjMp#pO@NVY$01IOIoDJEm+?hB8qF)ajBtuBGkR9OZ>TcL=`fx7g59Ur5SyH=sN^yP zi)1#N#12_SUJe7uXYQRh^j%GnVbNr1cA9hfoA6t(erH<|3p!)gi-B!0{&~L1agYkN zZY`08A)GaI@8^@4(Tc3fvDn$Y1Za^?p^As2m~xmxNSqijd9nx5G&xqIwmMzB3FdzL zKLiO_=Oc1W(k+o~xor!;_`Q2FbMx``CmHtDO!#b-lA@;7cF9V<39*|t^-@OtTke@| z_wR{;>*&PR>0yIP(ue3+ofMyk(nM%dyG#Vvhu-bM-R+ROi@#3ENzX!no z7pMSMNj<}I)M^Sg1@Jnbmuq+Aj{q>$Vr$lpe!GRTOtp!?7FC62jr@!Il2X4bfw8uo z9r4Zj25RbKS#Y!IcVhmVz4V&X^KU!u*U`sspAnC`l)#VS-1a{Y^%&cafCA+`EO3TeJkI6jV`FiIqd?Qr8uexbW@89J9 z@A_bdGrKC%GP+1R0pE=*DvH7Ke&)r@`1P0Elpg#*Rr+38r^Qh;O;x=u!xVa&u%Ynv zlGD+lk(aGR#bz-jiG^w!nn$ghwebu?u!F`>{!ek3Bz=8j;;0f<0UBcpg0ant>dn(E zW%5}3l-!)QxjMblxIVHFhQ}eo+Q$btD!kdv8v43FPS+}Nm2r>pbkbO!5qK_EmNT0L z8-!2!KkKnRGl2fj4|{V2`sYV=$tlZJ1sSa94@LrTzGO$Ob*p)X{_p1=Y0E7`IkJ2* zxAb~7rqjnN3!NL?Os#BQ7a+6gxYoWmLRZ=cQlskMTx@{Dh(AK#!}5y%UB>=---9=U zYkq#Y+v$0P5&Xv*6PW&A(OXV{3ql|(%PTPiHTt@1+UDgGh5oGI+_!!o>~|cK?{c$D z0ZAdU+4e(0c5b^@9F}!+jYWP!bhCHD+GX3u%}PO2@mHCm-HSBDf3XCIrt6NqCnI3l zPHJEl)1o-z=NTkyk4qMlfV9WmAU;j%3Z{nl39iC@nsC>$ct(T>UNc71DQN;Z!2K+{D=g$&83d|BgG z7{}=yEjv?ZL?c|LSu8zobuL!YzUO7x`0jPoKJhlhUTk=jBf_v8s1GKPppK$VDnv6r z4xc)3#mEc5>;3+V-VTLVT8-~V!GUR;Ye%9*rweDBVV+y13g^qa&(>vGb7kVhB%HbpJu1000vL1y1%mM!AZ5Y zU)L3UO&r5pQN}UoMP(YI+~qSx^h@bOYScl_?N0+LBso2{JHX@qvleG8z95&cs`j*u zbfjpbbpf*ixC;3T?9P{fWox^O+mW z)V4!za$u_1*SyK~Yi5=!A~}umwguDdHUo)RZKke7>X1Cl7|FgWZ9%;l6)WQoz>P<$M^X3F5%0#P&m%*LMLAUO`(7b-BSE)raI zZE8xQbqrfwROZV!*z7rOgkQbNwwN~ZW(k-10=!_Ow-$`{z(b|rbj|xD5@WbP1(TN% z;YP?13B`k1^o2qHk<{g}+ST8}q33>y`qYMQ0*>L5VK>3at;sCmf69&<;;8is=~^hY zuPoAvNHgLn{B8i27T3paztwPP^{)43U!x>`gHve{Uy-Wmso|z>0+1rh33+;(|=|A#M;D6!xc-3={<-kd)^J!ZQ6 z)OD5Nmu*gII+Y8t6JI(U?m``$&!cx%^GFRlm%`-)GTfCiWv^N#rbuBS)Ow9= z5&lTCovn8<7s%qbzdVaCAG*%CQ{TCBhg%#&0aWtUtc<}OM@PqhkB;7K=45XQgUBuq zc2bp^_xFm3R9VmVz;`_HOu6l(QCmGnKwerY6OmXdUr6|QtF%+&31+WZo>Z?&;Y}aY z&MA4OCX*}fPikT`J8QlKiBh&k(SDn$h zyfZ29k6Og(H4}qaEzgd6Qh!aJ`~pM@hdS@Eo%iqYK>uvGGHHUk-v5?B`vWH3Syp5Hv zk8V0UE5-v(&Ta>_cGnleq|kW@xT5*XFpeO%)&%g-)Rf?Yq)Rqq^E$EGjfFHqraWuU z^Fa0|h+HSbS5C^2k zPs5rUl=Rj^cstDWS4EHg#?+-=x8G zJ<$!`ZGs`M)EbfzN7vLDta9nX{qktnJL;BZeF13FqzU`M^WmzXw&&gYwU&$A|K>DF z0!d+O`amrn$5^2O5_P#j>=S0R*Fs!iP@U?-uD*BxJAIdDRKGARW{3=-9i9Z*h>+3; zTi-Wvv-9Va+cq{L)4D~F2%UUgq3z$f=S}L+^fH;a-aU1Y@{5`?YT37wUVGDXx0@fh z&b$*s;<7*>hd~2Eqt=}nZ{AXRyBfO9OJumT_uLSH31>mW>Pk0Qf%OIx?=6&%4 zZMVoHZ49ceX$1AeEXg33{KdS&S=D8G%+Qd|ADdVGEkJKS+Xbuuy3Mrhig8_m*KTr= zqcvUo0Z&~mquNbR_3JbH!|fQW!qB0T`ktFk#46Ni-sdVFe}RZ>J&n0OAgd5gQyOB$}Bs76ZL>mXHR6|cqfa@BhFaoz6W~L*y02F>zz{XlQfR>uK|>qN;>!yo@s$j z7HP+K)AZKwDY+bb!M0LnC+q9infDJGkWuXQ#{+!{2~v|e?lOw^@SpwTBJv+zUoKad zU9PI1Iyj5Am~oS*-$87KeYY96nIL-FpC}Rl(2~`loFsD$>Zt&+em{%7Gg9!5WppAU z;!T@Q?tKRE1p%H5>yCNXZ!+eyow-K;axgMd%+7dYyjXd1DD!Qj%L77E#`KTf_kjso zK?=&Tnl+!9^{cE?7o~^j`CNBqM)I|SGkasp?dH9DqB;BLiK#RzK9SYQ;z*)kCxNHL zm#eEuw(lp)DC5~GEa&>f#zMs^O{PNRXeBJUgQYh8du-mGT0cQ|Vqu7JnL6_L!>oxrwu3aRdkP3ymXjZ}no zv$C^{;F_IB!~ zblj*e`e(4CN1+KNsIXu4$5XH+R4b?$x3IRyQd!kABy6*N^Pju(uWh=A&#W5F2MUvI z^xVTH*&VD-qcxhmX1{N{Y%Aga&|cSMM#ph#O-=I(2&mdWxci(fb^_s;jmBidN$*a> z(1;7|(C}7%63Gg?&L6+z6GWHPCFM@VVV5Gr)zhle_2{;BC%*?QEPHtR6`wkW%z9tH ztxA@5KPYi&C6ILfq&_KVmSdRvh?t5S|Dj1jwMyX=1LEIl+p~rUw?ML=9VI5i=Azb9 zBv1F!72J;!2Bh~+esT`zU48p+IFh=IECyy7leowMC!A8Zy_x|?By~Ud(QYtg!%G~e zbev3LGo!H=V~wh))Y^-|QKp3^rJgKcdJjvr4v^9d`HLGG2|EpOD&ecO31b&91p;Xu z;_+syJCe~NIYUReXna|US+|i)Nlz+?aF++?7DN~)Uo{))`cR7r>_#a>G-DefgJ>-J zoO6P;@?4d<2=h2l{_{@b4=vBmEiIcrN0}>$p1bv(u_rD;IM5LzJ@6 zitvbuNTS1Q)5G^3bXeZkVFmBgR1Gsz!#v+d`c{4pvxt*{%1R(Ai7gQ)QA z+H>odOO@7x$)s|ZA!faL_Z~b5T^F!0Gn=v+&0_^;Tu!^A@1>=djnV0Mzuw6?^9)?DE{{)4b@YJMoo-@5+VlFs*04i_yz~q<_AQ zQS`j?ixzWePod;iex^qoSll$m1$nY{N&W4(>F}gZovH_Sdj-x3Qbneter>)x?I?-t zleko+-IX58_{F!JyZN5yw;)l>QXv=D|VcwGr$(@%S+J27NKp6LPycg_w5( zrkhM@jblq(`GU=nk4tt+c=y&hsYe+wCmt{5WV|wtBuB9F?bQFdtlvoX1_>`}PLJx} zHMnsGQ}f-a12uYx-~s+2ym#f%qZVAYLU?B@Q1p2%$E32CV>D0a=E9m>C#O-Jwg%9- zIemr_Xf(9Cl0?1YyIgujABI=^xeXhlpXd~^$nx?UEVg&*q`iu0dHk5Wb$f5YNz!7j zfD_L~zw-TIy#4uQr?#lw^vnF!{(zvM+q6==MYrwkb==Me{nyWIVF)_8FA|QZKyP*; zU}>-8W3}sWACI#R`&?XbuaFP3A(=#la5@&5OP!pPXP0q>O*@k7moYN7mV2YlyJuit z9pl*FmkD{R8_nUhA=%@nH(`w* zMmq!NAtSzG7w^|zX3K_|Y=S>68TIe|H`Sk|;5Cf@f^MQd^2!XNtjT(7f3!7?^t_NG zsyXh?hL<~Uir%K+cxq@EqtgG=AybKhPd^%H`{7?`4ZpFY3Kxj#(a9Uid8aI$+Pv}p zfmB7O@SoAt;w6{*+HCnV>tHYqL4T5n84_{PcjCx~*%)E7n`^)W%xToKq@nJC_Isxdk3QKraDPa$AJc z6p!ORi(khHyNqvF-zO*U&*Cw#7iXww+#IkD9q+lnIRIBr*XgA~Y(_*x2-{74J3vL@ zUB{Qs9)6weDfK-Wk`U*4xCr!BEvFn~hu6RO)5@9L7Z4C|`ounozS4z1O(Co+s0!F& zak!mXBQZVb7|9L3Gc2r{-&a6xb&nFHEE#8kdy({5g<}QBus(a-4YX)z==DwPDYXG6V%Pl|iV zvWk&%TF+Bhm)AAn_je$S20$YAUOXND&l-_#HC63Qv?JcNsH#8@#zv+u&l8L9d~wO( z?c+>PiyJSQdhr&d;ruQ%`swd`&nP+lxfZjux*X?B_OyR>{k=bYG_pIu} z7c8FXWklPE*FUz*kKqsbnG-C3D%;fF*FuHx5G9{<^>ORSv))*nBt@ImZV zpe+r>z6hpTSb>rH*;7BEdbzhSZaCuqW@rDowKYAvD4t$>+*)3M9nDLP^O19*#+icH zYe_+SqV&*rk7 zcReEq{p9uWC+Xc_H5#OOJ{B=p{`kC}2G{>$YTi-K?r1$}Sc~jZ@jKG5K*3AwFLC;J z8}P%_tXXTh0_LRC4vbzgr|}z(-Qyj;)X7r*t^YMesXIF<@R`ex*a7uGUxd@wDbLxL zBlDXU1lt0K_e&=}Y!=JtdqN?elC2sd;ViFY5SPEVF#$Rds0yXJI+}*;!$mIO-v2yV zZB-`_usob_!niLW)JWEFym(2~)@GQ*%4l94!Tt+A!SntZBgM%QM8vC0!ZzdV}SitK|15GOhYg=+|-$$*+?vo{~ z!}`vU4wdH`Ts*hNxV+GL=x>tk>NoC<4{5O-(4MPk;psQCc6d01%H z#HPgj7Twr&=`kxK-eKGmhO)3C(XdO6kz{9k)zCC1hFv)tGpQ^t1kY-dAfo>(C9o)M z>nb?Kz0BS?Axa^=BAT7;i7z=huK?`eQYADdN}w!w3PVQ*YP>6Vac&hhU zn@P64gYHCsPOFnCnXS6J;f=`wJa7@cu>4ckpZ~tIf89^|bS{0t)!?H0_ZodpxN5L{ zGKEeySzSRR9Dcg=dSvaUV*d{p)Q-3m!-K!tI>iv5BZ#hr$i=0HSj z%sydeG(OCbC4msBN*&|RJjp|p5aRx59Q6Fg7M6};xA(3YW?5WX3GNVm{VrgZDVxt#ttedwBKpw%MGl+4_v)C!#mwjX~hp8+2e#bCCw>u zvA}ahfDfBqtI3W7PlY<^`CN&!rTDuU1x`0srI+SEq!fDuG$$7#Zxs~fo+(Nm4drhn z?!%qJm5_$nMVos%R1%aR*EGQ;kVM6%QjXRhrYF-wM=MS=PWyt7YdB>GE>W<_*lT)2 zb!}L1(Ja1z^~|W;I8|lx*kh>>{T84ee}cubRGu(4f0vuN)iSECqC&!|6irm)vhGlZ zc8+-D>$8)6GrTiugXws9pEfeq-a*nYtcS#db!9oEPmXImc~)R}nokJ1poCtD@wz){ zFYEZ>f)mr*g=6?El9CYpxn73TT%^CKMq=v{jQa z_?yqUazRDnbufG{X5MHVMNiXE)AR+GJiS)?Yc`EYVoJH>zbt5jW-z*CQ-hQ9Q8X+j z;zSnLr$hn9V^r=qFsmY{vsUoPUXH@rIMEDbHfuyd49aaL zwz0@~B4%WkF29*=*AP^k^mD^Ryi#=M-qOTU{%M}52b=V4*~lMhLGl!pev{!{NJTU+AQ*@#npcW$;)ONp9U^R!@~|&v|2- zAP6NOyvvaBY4Fii1h?9s=zw}q?MuNnRJS_s1#ejsSQ2;Hsu@K;cCFkddKw(tzdm`f zB8=|eU*U=uab*mq;=6*_qq+2A6G!t05wo)u)`Qa4O^3;>uW&*W2vhc1&jy0#<9XHP z&AoYk*SYJu#YW23*0zg9O<_C54X-XdoaG1Xj(23P4kN3$#_u9l<8KPyzR?%9X~~x{ zHt89$I6v>TYwPS3`24i#2jYPGyuV9eX`;l01%(9tu-#4+wi){-Wmg{)M9Gz50Ze?+ zy*x2}qD&rJ{+Rh%c&B_T7V~K)huL+`UP>XD>a~{28I}+#@Xa?k?(_MHy;3yCvtV;o z_mvgf+#^*a7K0K#owlQqbr3#S9RM$_@7rgyqsk7vciHYOT$$R|$ z2rdKVjbekeqvZX{KMy{tvYqWP4VPA#mu-aF$8oE^@2e@EMA%4qk}~{I>5kMcq*Fh0 zv8g@HqK9k`ojJlOQQ|Cck@XAfuDsgk3kV#)`y)qGKdLvvbfU~gDr-GW)AzRY`R^N7 zhxKQIsaWVp8q}bu=~5Db#nQ*}8VpQ2qTbdzG5g-8ygqb1d1($u6d2W~dSEv9kCN=Z zB_H(8dX_n&cYb%bT)(8L=PoP(x{0sGBoa zg?fAIdeU>g)4a02^*v`?Zw2P~(*@>qZEyQBj?N&wxPz1uR4i_}Sp3^^VrTQ{gin0)6IGH@-1Yz z_IHLefiF5#5iYjX)5i#h6=0l@ynxw;Q(fcC1FbWgi1?bMwzk>xqfUytrv3Y~sW8zT zkOxxpW$G_E-1(Bhu=f`x0k4+F^Nqc6>ZOlOXs?K=f4(FE#zaivht$Jx*CgkTA6{7z zBPpjf{wUaag8Kn3>-BI)!F)|%{Dk4e)o>ZU28tT?TfKT$2F?^9Tpx$CX(0?J`K9s- zc|yUgoScD*jOaeUJM=fO$Yc@!gz{B>lOfmh!`5nwF1Xxie2{79)1fI=wXBy?N#u6v8D zt2}SJTH0>`Za7}F(14(ih2<24JzdbHg#B0QdRb~WyJ3KmV&=u*hxU_`a-;-Iw%b+R z?6)!+?76O)8P9JaIPJQ#Sjjl+Gv;;DMdo#8dOPcuy6j#K+M{MZbbYp1&`b%SwJ=u+ z@6LT@uspp^`5%!3xa5-8_Bh;0vD=t(gcs?) zE2Xee$2+(l*sFac0c9{M8@^zdd7U7G*b!O3)Y4z9CsIkL8fY4Nz$vec&Fb}Jz7XmM zX~h`a;i6CFJ4^XPeP3`JWLB3NAtEr(_I4esQXuSgl3C_GRFP#-rwyBy(aFXh{r6*)4~ulKA120k2p}SFI_=d9J0)DF}L2jm7sO%xMAnCF~R5!xIKaO zY4nirz(N{}I3Qu|!PKTLdZrUq7Chx(HB9%7a&x5FpY-;GL@V8nlMh{=0Tohz@!~P` z?9jX;8gy#E|H9a9hnB?u*U`2VjgT!Qu_JMRTD>nx#0Lm8@jM!4Lfy;F`C$X_Xs%64 zMrlUUSr9Z7z=!V9(kdVs`Gi)g;qiz4;*u_(2%Bq)*>^|9$b}kKJtbY<&lS)*t)D-} z1MKBT;Qs0@UFW>GRIT16mW1dTZ~Iz2$K>rn_W$6SUr6|p5+43EZj_8?gY2)PxQ)w% zbL;>;Gl%~=xfQiGQYtgAj`j0BFyH&*?X}#WL^%BI7<-54ljqKiMC#f;H=tn;pFD{K zykZwx4u%eP-8!-NI>j7+x7RIxr+l0`Cu8xpiLn)+!T-jy z24=QtAB*vT+gBX+whs8pOj=(itFiMrL1WeRlC4cb1w>PG*>y7F4j_x4nYh=P?71UoH z;d%1w>}{3XHTvYXUh}+@zjnc8~?Z4icX4FS$z3u5dPU zW!-&n#F}+WHBopG_!mLDF%sF+&v=!V+MU8_I6@|eqpeA&_JJP9bo z;Qy-yFk35cG^(!`U?8C8Gyb^K;Qp)>NQ(tpJh!&yuAXsl%(GHLdr@}5;rb#C_va(c zdarjRHoZ?nV_MpkKi6O2hQ|V<*#AGa-UJ-#ul*mVl8UI5lC2FP6d~&*mF#5SlYP(5 zFs5B4WY0Qe8N2NJsAQcOj3w*X8N-ZijCJOBJm25*`ThUT^L6FATovBed7pFc`+hC= zJq%i5-v5-S^IteXjkqz-U-$^T({W#in#ecyXi`Llpz}P9Y+^xrNC0nP8u`X*yxHiai4+CCuH3dXB;PFI9ntQJ52-TD|rE#)bq=pEC=96&45yRnN| zc5XswM<$!;Nqr~_GhAb9_~mIet@&z5&iYRJRe5T=GKZ-*DmbtsK}_r&6Fc1xywCBj z>ypPqwoi6+B-G9)O$ST*-2gxEcshV_$2|9n#)9|8x$eFAvWC;hQk{9Mbb$4a7vEzZ zneb)gJspgrP$#swRqI~7LXox{0D#M-0R8;D<TtTGG{XZ2lVr5BTbKCTnP_Sk_A6 zEz^d#3``g4S6gX~oqC2j5-)*|S?61TCvzWsdlyQ>K;lNIuWWT^lnwS{x5u0X?UeDLB7OzgJ%LpC>!(_ebPS-53> zArY{jb*DMk0_0JBsV1djco~UuhoDD=4S^f0?l?tMV1@JW>nUZ$h58N%on@`Wbx4r^ zxF;t9zU8Sij0XurPo7QCx6E(bO+(Nxa{lggoe5%Xm2twJ{-Hs46!_5zC0UxuhE5Tw zaUioKXkr|c4Z8=ldcQr|c3!@T^Dfpey$0BV*@$|%7n47f6!&e z0K$m=?i%>Rc!RoiDuChC`N{q~y+YHS|LUm2mP;8It(!Qwh}regXF=9ezO+MbyI&uci!M zez0Q&7cZt)@A8u=6?E*Y)4S%71j?1Gj`xwVaZxW z+!~$Wkp{$BktFG(&t`JE@*<{uWZMzaymaOET_@YsY%d)z*$PMm&_Hj-$~Z@wgJIj^ zK`ZUBx}jTB_eAn3FOSs5Vwsy_G z_r>*m>X1hV3XGT>lP_}?O2&$q@!v=3HH;MrgJ8{6mv(_b>JeQHZk_LZ6l~5#r+Ha& zv%~+Bsbv1q39s_qM9jZJfuLiD-9mS&O)Em;=x%?pLChgO^5Q;ZeYS&5+|XHmw_RCj zo%??CaWcofbY2n)+a`b$bneg9%6rO3|F=|l1)(kD8R6TvG5lrR8;B$?2Ct`nyHDNU zT&9ZC$@wkMuFs*Bz)e_z+(J)EAXCkYpNP`6_TJ1w^V(A{gB}DM4tFeu zR60(L?^U`;Z;L-pyXW~joKyN~gQG6uR<6Tu_3veKm5zgVXNUhgu~OOA-qYszh=_*g z|gNA0ZFR4{L8=9hLFRr-fxXpEG^YlG6&Xq=8X&!judDb zvFbKfBc=NFF4a}8^^A;!x9f0FHf4Wr-8*}=RX>q<&2^<*7B%`QZQwz}oo zjabJcIvEcFh4gRou3J9terlhl6g*J#z4RsBNBb375;fH9;(hYcz+Y=NYLy4>XG>TD zokvH1_DS@cUCrb*0Xk47GRyfv|2|8N0}LeVC_k!`42asFLsF7bZtI`o*4BOo9iM!0 z??YI@uc+%PM~fX=c1!AsBk3-8dVA^2^}apqX$%hBc+Vvuyv3*BkP}#*GmAk)Vv(5D z;A*2>ohfhAYG)--(mVAwaMXIWyiHXx&AmKta#IVTsQjyJ&ULsd9P~@@+WN!Mou<(C z>L_F5>Atm{ShfXY0R_bAVTGX=d&MDApmYTzEi&KpdG8Y2-VqaeFfy13CJ~ zz>S5yhqHLYo#ALc^`2boH~K>{y$AUwnX(KU7bj=&dWDwd@gRtmO_Ck~@rCPf3aB;2 z9anYc#kP};f&%7#+o28Vo`x9y2QPAlYPV?lCC#^6AZ&{Kp+CVZZ1=KiAtsHK@Es-2pc*DEXTknFU@5$TE zwx&PI`E6fnx9ZtBmh$KGyE#hw#pNQIAFe{Ktn!`Gdivzf{V@=-p5}ySkH>S+}~Meuo%r(s1Dp< z&$@>guczb$K#E)|)#l>GjHFzXpBq-y6^&Mhx@DGQJLBW~zFz1|ut|f7ntTVnm~J%M zwxF^W{s6{1`XiV&GB`>C(-urY#Et=FFBm@_Bj78{fwiG{~F_O>C%NWx=?~xx4QDUw}I2c)D)^yMBpf_^)?NrPf&f2wsR5 zC|Q!L+*@upc;)|BT$70;S06iIRjZ>N`aDWgz@? zn!h^eQh90Iy~5!gmcS_7ucXtOP5okErO=h`Od1@?^E`b-k0XD3X{u(GXi~EceJ>9q zcAr^USu-$f?4MR~UIXQ28CPiYPZx#yjlM98#HMFg)z6*#3ZZ!%N}QT=x_kn+7#@dT ziWW4vRq*@`Z?`)Jl`}yE;_<>OK2J@qiXuiLV zL99dPg}dcoIOgGbaD6{~^vKg~P7UQ^^xW#g++F&)AFtl%7hW>e?>JSwDUoX^nZ_;W zUpg#Q%6ZBl#{g-o3V&b4y4$4w^EJbpksAU6Y-i8D!X`>KJx9ljcBLr<$#`u)`74Fg z4pcACcQwt^t+PD|$_Dh5a%gjv%=v4UT7?j<;Zm_Y-6CiCru}X3-ucA+CxXw#i#SZY zZaTaTNGMuVky-WHMkFp`t(lfRN@m+cByxNDUD?$uHQQUq~*S0UM z(AM8htmTpQ`4GJG`q7wj=mCT?TRm1|BLHkA#>Jit?n49x;Bek+(~q#JWa_y3p4XDrFfX+RtT--D|2

        -<=vMy&@c&dj7qW@kVh@fs=2M}tqN8Ky%Nnc*w@#|4oAn{$oJ%6G+WPjT`{=@Uc z@KRf+BMTS-`rFXoIv~`YdjW5L|Lm-Ad4H~DIEX$^zs*XHd2NK_iEzFxNq~N9A=#=& zyFj~$2d4r+iUbrj(>{-F^N%gWg&dd6H<}s3A;F*lQy>syHXQ}s1x>2mVLDCu1~Z`O z%W2C3a=Z%1iCgLm7u<{CVy1tp+@{J$^MWJ`446hA3y3PFJyJjSl*=0(U!*kT_55I} zJp!gG4DgHe=Pjq?$+I(DkdTxR66kWvsBL~t?< zJ+~ewqRC3jS@?PxgrqLBDz5|b5QBx0L)+~uiYT?DHuN8dpf|hZn|k@@_gJ`|5gQn| zWc--HOGo+@-F3Ly_2)2sajSRkx(uKJ^xBMoqj6K3n4V*@p~%io0&Y9#=Yvxh*VO#~ zw;<%3H4g!LKHsJeBJV3md8!&q&Yrd(P0d0*3?4VQ?Y>g)Ri;0nogflodLX8-Vd+dw zG6pu++7r4#y6EXp=3$ zH;Wx>8D{KOY}qP#Q<18iGa5y|w&w7?-gFuWG;B|rRlD14f6!&-z4Hl#_w8cN_evY~ znodq9=|lC}&3*Z7mMhfKF0;J3ESb+Z=3PIofsm0<_SSF8WTPBQcvPrcBy^Zzu}cNPGM%Z-2*OSEdDq87g(+JzZQ1}S8orBxfPHpPU4sKKAOKEft|9pa1x!Y@ z{&as{zXfMC;wpkex-W(r4}L{VXjthwM6oT`z3B$e%O`=|yVaTf1A;Wwr(-X;Qs~ zromi*2zDo*w3KZ+P<%IT8mRHeuLyG8whfi_TbhmkPVn#CbYoEB&hIRwtu;b|f73P+ zdJzh#D}$KF=5fzdT_^S#tmo=upF7}Wy7!?gwv6qCpG#Td8Jstc@mosVC}b!&t?P8`r`0EeY(5RpsJnbR z?@s@lp7K_Xk%Tk@)+6QrSL7wG2`td5&C*b0Kv$b3JUQ#>tO zMA)Xk#EO*;YqP$Fd~+{w={(&Yg*Sbp+yWeC<@fW(4FPxP?5UDrpw2x0;S3PqWIunm zUSrL=xGdZVx@o&%@6j;`(v#Kh`U7KBFdto{{PulWKmM=F(Bo4;3VIF^yiNa} z{^Q5`+NpUtN1zKMb4o89md@L&)j39_L*nzf>=ZU zo5Lsh{V~QVO&jba6Ktz~vHn@?+k~Ko*3S^yGzgvMH7}xo91lxwF?vxyewgoYVz(uL zB9N&wRtVsbl(fdLYYSE&`g#IDF@$C#M5DBtS?}4m?MgiGTUJ+dohXZY#S8DmVtj1| zmt|_kCmdp9V}JKpU#9~Sux!uF_bA20ongJZg;p0|LUObmx{@lvNNWI#d=>YV9k&dT zbZzQ??tnSmfXY#+4({l9w}!EC+HjT4g4QAMkw4%<7XW}htfb{*#Zh0`D$1z<35PEG z;m$Y^*AIzBqzg;puvpw358{3kz2iWi*yJ2Y?`3_RJ@>ay9zx~BvC{qmvo?Q-^|06F zyH2WaTDz3hO8=Wg601_nm097nFj#BeafttX@r+f$Z2rRrx+W0`+qz>SNxqJn{nCPf z?@xM*6rWXkcGAGARo<)nm0BwPj@c8*)>8@j^#(?wnu;M}`Lk{&)HlD?z#4FepAok|dho;4U+wS61ojEP8Yt3}v*pk1cburW6STE# zhe>O!Xj%wiJ~~g8d;^jnzyw>Oc;r59r4knq@CfWqV)4CHEg;o{mA!ACdN#R7+Uca( z`E-$&2CvG>c6K`7O}VNZirp%fn z3dCVwzg|j`cAJioEe|^2xGJ~B$CnncubZQh+zljm_TVLuS z*CIbgL~M~e{$SFkse7`e&w8I9mVxy_L;*N8I0XWyPY_Nl%U1Wq_t`~o$+7o~RsJ1b z<0^mNn9<%XF;wS^{*G{SBh|e@${{`ed=9Q6#0s0mgQ3mkUfGllVh-oX7cr|B^|9?B z+5*@rDzo*-3xHd{=@hJX8i>9i+>pqZEam?2;ai&3QHMYKVN4fA>2ABV{<$UiPV_$o znh)xFQw0^gIgiQe=eykl^4a^yk-F6&txov*8S}@6;TaEQ6i{AY_2v35;WAnxujurv z3!=s;eSD2TXcap5edid&cl@rVLDk?fWX2-Gb^f3bA3lXCp=*=Yc1ksic8CE?t z)<-?IeM07&{*q-T76)RcAB7!x0n%pXX5l?w_}n8q&e+x!zZf8DJp=_xmE~ID3L{2- z;zhq(46OShgF!YXVw%phoC3x8&<$Q$f@AeGJbJx9W*si)WPu&8nE`klKi!b80yT zVfMiiA-4k8q3FyJ_(b11xdMcZ=}__nPGb0uQHuaC%jB?wED+4E#E`CC&#a+M1YNq9 zZuK`Ls(aPDtKFeq3zQhJ5;^CR72CFufqwzfUi3Yt=n!O236SE;Pg>U36SJQEJOT*) z1eO&di=6a-$No541ufQK&5fFve1E6AD8EK%s=NK#T4#IKj|J}E;`DAg>0sJL(22XO zzI(krwh9CMT=^bvw@lrN_4bOVb1BexnLXwHBAtQ9)sM)x{GD0Oj<|&SX>ugzM}8{l zu_EN1CD&~IfxcfsA6uul)4-;jch3Yj?Yl4g)lgys;cVpDE#FE1}0#KiGuqw zSC2MNGzNLz;|2=5%Sefhh}zMWtAcoWme4n2wcep_{);_Vqeacree#~tn^gRYijoxI zc#vWs98BW%PBF3Itrtx3P2n|gJ30rq7(9E{x?P8%@qKup;f8&h;(cHul-#!00>+XKkrcj!* z2GWfyE~@(-&U5|D*HSHi)Fwd)l@_Pff?X(#%-a_mz@+72zK>VeKL_Gt##f37JVSe} zVv{n3)rsd8#YHBaIEcY{v;6$-`jG0L3 ze%@$VI=_=z)dB<78+1!zmCiGpJAbof4xZf<)Ja(P`KjHdX)&~rJDq$#c0lx^4mfde zPN5($Zk1)^y2xBlmDw!QG)TAq2iMR-zBMfKvmzSKR1t6xJz z67NrGWfTkhtZB9M*hxl8y%#OPTgHpF;M0t9|M-a>Nxh|TJ&i|&(y&=m=aM5Jsb>?q zjtSlX7jd>-t=@o{riiL}&YavT+J@tC_5wCbE>8T+5ef1R`!kr)^Q0vk?W?&S6=kw3 z_TQkl>)P4RAnxNe;V-wgcdvS}-5lg&`)Z(V;eYPdnS7V2X<=_H4}$r(|A*j12gZKF zO{1z?Zls1cR&c~G1iXtM^;ltgx_ANXMAy-(@u6ZTZ0lX8v73wzLjM_l4il&^vhg%K zv8H@;q18Q=y3s7OUmbjQa2NkA^`n(BP~qUI7pk^F9T@3>d7Kcx-BDG#yyp8#Oh34y z^yxZAeh^jX#z7pLj2Q-~d;Yc>e|trvT?|QQKHZ*iw+xfVkPEFhEV4NI!lWeir81%5 zhIC_A0VnNf8QTAhtNzk3sh@np?UtSO?z9W63+?r*&pnl zR@@Qg=TGX^mT%oI&GgQ)&H68-41DJU==a!yLpglicHWMIGu+_Uz2@7o_4Z$L@&uyM zvB8Wcdannq!)FX*e#fU_>WY&;Olp%C2K#37x~h>J`joi5To05&T>1h1607;Yw0sHa z12Z=t*mdfyaaVb6idWaUT~?Z;zxyX{x62N&pU{6Xd*d z!ie#ZC^mY2P0pWx`o$%4|8ZaaLLGXfURm?0U$kq7cNMtcUlNMz**lJj{PR*~@2=yb z|L3s2E&O%+bLdOh4--PP<$FUI9?s?Iw6e_S*gHZv@J-ZAnD<$GqJ7+cWLNfAMR`KH zWX0C*rKLKe#jtSXl7R}0_|++ir@*z)xxnE_#hwF{i}fc@aviZpxGDOixW#MseLKgZ zAs+PQw?9m4-CgL@v(HtyMVNkOqVYeRhF_{%%jJ1}6#nVqYJ$h#iMCMAL#gp5FSbSA9krrqN?t52tFw7& z&R%)PsBXd5apwIelJH3v7v!`sP51$)w8Gj?LIU0fIgiLYS0P%^0Q?W8iKN(tc)mG@ zfrsK@PIf=NUrJw3b4qd-&PL!HZSPgQ8*x)1zwmj}oA#>vJ1nmX+A3ekZl_vTagXH) z>l{rZxFh6WzNY`r19C@+!v3uV01s}is+A(&5eYf?Rcb@qF6NfoVnrJj&aOsXr*|7F zG(m%MM_j%b>;m2#r!wC?(JGS0pDkma$WRy~YpLsi={bK=*H!@d`NQppw1335>9>1U z!3>5RrUPFzq78t@EdDKk(6lWW;U=bW4BFZ*A4D|M%Py05hOwMWxU09jzFC$Ti21ur zYgXrqqXS(Ju2&2}gY68C8%H0DZzVgHkYmG~BcQes*hvL4@1QB(zvw_nP(S51EIIg&KVrhd#4@px6N=OdcfFm6>Nitb_VhPO_ z3HdeZftqp|ovXbFbfCP0MW&BIg^pDye&PE)pyR1wp>a#AX7Wvgy7QGTgR_HX?$^Y{ z#mU`L=P1iFm|>>BjSdh2pioJA{wUA9RKC*rw_c`moa@)dF9S8^q7xk3GNq-pmkwGO zhuIhQcWzA3Y;S%Hq8!!9biM#>TsN<3VLPT&b7WC5jtCiU6jUfr9f$NuvRt zGAYVogo;Wd?>lZbH<|PxKccQq<4b?F42A0;iyHrH!Czm=YR5F~w-P+IruwqcbeCA( z47d!HLRVz@fdJQ|aSbj{{d=7r22kdOa-}zUdiCrjt4V zHvcdvlKgaT6o884_YO9g0e(W0XD5}&nOd^EL|p_Y1` zwG|k7)=3COgy+rL%AaW=wFjzOwX@*e(8NiT&BUDO&I#n=yoelOTn=@ zsc>|cSlWqMD*Fn|ZsKRip8ftvMX6Uz)nS1=D@pFAvaST?xY};z@5hilwl|eP{5eQ+ zPs(ApqVWi!EPAlK`|t(C|4ViL3GQ!wyjLf$)=`!jeq^#L{Ls@@&`RvfmI+urV+E6l zx?|JUOKGGy^`!Hxd3vHk0Ip<mo7)zp#7Ln$+CA|&DMobdK0786KGRdl-SGDK|rd`aRgTg+p!Gd4@tBEQ9= zElIm4$@o$%?uu@Loc_tB{12Sd1><& zEB~7@=<0{W@&&q{vOv8F7?O3aGae|&bn1KrCxQJ?ja&ej4d+J;_f|a(95dgrM z`N)=%=Q4uLMARuzo+kovFR@q=iAmA)NBoJ7Iylu*3fFoeBLjn@w454&lwo1Eqh~?O zb7Gh4rd5u9-88Tr?T_||*Uujsjapgf5KbUI!Sv|q%Xq5#DmboTIacYAanqO|a-OiL zmnFA~M$W|XoNc~+ZOx+$v=!z&5q#;)*9%%E5n2tb*J4jQX}jgNNx!;zq#QS_j#^ra zqvsGsb-o4>`eriQ3hI*w#GK_3_NYUn3NPw&--KfNF(e1z$0c zt*B21<1eZ-8+@@xb;9_sGQQA3!d}Aql;8@}%&+z}@q} z9hj|j0F__+d;P9k-#tejQ2$#0_!0S)MtQ)(E&F-uw&QpiA8fDTr$}`*pOn-^VK#Pp z%RExuwkfc--tn7#0VNZg!LI=lmG=zZ_D4X$bm?xu2{2K{4q)^5Qlt8dE#9!KjIRA? z{An_6SY+8e3d7j|_E*!c@5@R9&(@Du(ruFM%{v0!DSq^jxvTn zo0)f$-)V2G0K)W_D{^d!QrKj>RhFwE z)O}g9n0=SoZ@h#9U3;>Cbft^_T!#vgPe}aS%abv1yZICbR3m84GPdhJR!D*H z!^&vLC~0uXVX_EADD4P@T3Em~`V&UX8x2b>H!kh7s%1acf1jl8lG!?Fr%>OK(`tl2 zzOoi~0*Tak7{o0UmkD(fgSj|UmI*@yNygt7ceMUpeEw5~DxFYCHLbkVCcVGD$2$fk zbSXVG2A(Owrw^O#dunu*BY5OmcgdXXF#@comxcs{#9!y;-lP-d=Zi`S=134wr&{8# z_t$i|O9OQzhn%0h3ROmJU^_q!U}m6WjB%sAh_-J?yom(z9CxZ$o~C5??~k}L2VBUh zi=qz;*t>wo_~-`B@^{&Vf^BjesfM~sc)k01&-qAbBu@tL0sU?>%D9i(KV&`P+7Qqr zuYT%jHEE7(w-B>8E z-mnxkueon)JBjd!i4g<7`hen5bc(F+`z3=JL4*7(QV7m}VkTJ?clPYm1$=aOszb}C zxLa1J=&!j?MyfZ$bcBtH=248i%>ey+RGt%i)AO{jVe#{|>FlxLs_S9%n5$N(20HnJ zVCnhpRBg~?qqam3=$PdmKltS}5d^>DfJvK~OR%Jyj8FDp9&rJ*@aoy?^to2mTAi%p z*E~rfbkikG@qhoCTaS{VbG2WF+CC%xG`v#>TUKqZ(S*nU2GN@I>J1mfGuj=qovl>e z_6EITziZ_!6O#EYrA`DtKvIIg&OVgP+M#1_a2-Em zHD{`orl>qkZ2Ud@iJw^4`S4yU{Zk9*mM~Y2leo`pfML<-2kT4V*RfPPl|fe?gWL36 znYJ2%VcTo0`j&ZJN^bj;d~>6dk)zEK7D2|~d1xv3T9Qlr7}9M&KJU+EZ;M}%Q&p?` zQ5h$6CRzCXr#ZB3z@d-d>zuG)@?qBv0|UH~FYdQkjna3ZV(Dn!yyaU*%9$0WixqO&<<1J>NycG zS$zyf_H}!Z)^?j2S#_T;g#(&u0h3>;cei@5s?;+l*@!B!XveyoK>k11Hqkxnsg`SHN!qfKd=l)qY^i{fn{M9m~i&WxVn=RLPar+ zKU_*E86k~OU}@_dngFMYP_B*L7%&R9fdKCkXh8Q`P!G8_d6eS0xp-&3D_I+maeuy2 z>&4~)mo1N5u?wNj8Pzqe%4;Ey%7sR9We~zjzI)9%1Lg`%pbbfAV(chsN9ke(Q$v)T zyI;5bF{_C+zjLQys9ugw{XAm>pDu2ha!1{$Fz4wz(DqK9@G=CXR@p&A$Xv4m*~z#C zD4DyxcSgXtJVb&_=)WQ)9u3lJ3IC~c=L`!^U$SXg@(qyZSsE%<0=*AG9@#9`us+T$ zT|ISGm?;H4_l?%3JX~jUkxhWssTVnM@iuEDJ|m#_TJWa(MW8TUsh=p+g(XSmV_ZDo zKd47T1E#06^lx62jmiEs^)1&CFk?4*nlh?Gon{U46;7ir!>O_XMvRAO^zFnzK zaYh(0+h4ACw&_2f+oikR$7s4p>8ICqIu~~a$$RZUiQ(U7`~QkbS6|8puHUxazjvsi z@9ouf9Vv?gDc{B-n?>&EcR>Xj=`@hkEo|P^%MRSgQQToUl;Zc7kh+Rshpz3}GOr5|GcQY4r8d$N~{psq@vB?B)pRiL;mykdA#*72~ zxJJfd7eN3tsdcU-?S5oK(mnCpqm3=TxVP=Rnc!+#9nHwQ`pFupg=oF|6YsODcJ}C9 z=f5vOyOIss^0JTo#dugBG(ZDxM`!k!;R(Y_-ZCV=aFVaU%` zK&)hB50S4(_wNrKBRDM>wmw74X$)fA3{!{aak@9C4w?HmR=L9-;;2N5@9><_B7wHS z2UfMz8FAK*yrGIz$n?8K z;6Oskrz9_);x_dj^OPJdsapbXV_?XYt6Mtm}q6mgR0;cU15Z;S|Sy2G&T0-6z}?wxz_;hDUOUzu7He?9MM9@*MYjP*hqc7LEdHRPSEEO+(nWOgxyBBauwG|h`|NLjXW9DuU4qVvko6WEy$!D zi+}1uLtH3#PJwTc6hvoKv*b&`0p>%plw14_ZZF4!D^b2RqZPHm=6U*ktE;(LUPiwP z17Ve;8kh3tn;6-{9<7Y%5gjQ-q~H?JmEFSs#}H~sK0Go4?`>7{kdru;d)nVU_J)Yu z;+4id3y&c)-1>Z$Wv)js84aZ|QVp8wmZf*8tnfk-ZME&xulpDo!Y$b9QCgNVOCI-y zdOTG#Itv$wZIL*IQ|;?)W*rdWB=#$_4*6Y4(Ev|06G;L;T*1+^i~5dfFAg(z_xA1F zj45mK)~5c}z~27(QXgClOkpltZfv#rI}c0^V64v^*B*wG+~xxZ3d_BXnthktB*KZ(5jF?2edx_D(t*D2 z`2iU=x-F{?Tu{iLe1@J|Gx}n*yBWJXnNXTeq7ZHNjV}s?d0A8jtvB&u<6Nc3V=4Xy= z!7r9-c|MiQxRkq3$CP-WSYfD7el#3vJ3@}BgqbyWEG<}Y@Adrk?OLM7RIX6V$$WWF z=ve>R6Xl+*cuYSpm0C}hhErJUJP*3`5Z`$N7N?5H)ewE+eC7IT^AZsw>op*x+BbNd zppfDUxh5l;fOhIivhf*pY}B#D;3ySGOk8H!a|DK2KajBuOLuL0pzaJtfyz zD9^*vqxtr*kNm8!pROY8JJTlY6cY@c1M}_^h2u$%qshvcna}nmX)fg{x~ffg#>G z^TRLHt+3~o?}m8gA)HNphQ#ft!cJTZ8xDi!-Iv={MSB)xr@Ks>`*A)d?OGkDP0nZ! zBpZlJ4;}FuUMr!>E;Ee2+4K%t+5Xn|5xxA^nD_U_$M%D=koC|r|LlQW&v~$l1}a6p zb-vPr{z3J1P6u5=aecIKUt3#!PGW;zw9l`#Hf@*G7%f@d zXs`*Y3yd`)TRwk#Lhuk|tkBYmh{>uHh=)^qR1|a8*48?=rlQWm7O(TBPNhCUra?d5 zz^`%3`TVsG%|Wp!Y@R7HE;R>UyZj(xl4Ki54MJi<_76M=hhN;lOD92;NQ1RM}HQB4OfMe+@P6$JeVV-ps|32&PH!91|B z@krdclR=@4BFPxuoeG}d+{?k{jrryz;+}I!M-_Li^Zd{(xF<>@6qcThS38AO$!~vm z#|2cg$Zb9=@=0Be&>&hrBUy@=G(2GxF-h4qZE(zB7c)%{Mom1c%G1=)_%od{5>-?L zwJeCfQ$`-FB~0u&_@qYr>~YWCDaR-f66>~K8xgW*A_vy()Fqod(yHY5+dmI&*l#S; zJ!9eO*+Ci(R_7I|J@7Y#oOpeEN8$5K&H04NtQBW;pIKs9{;1aNVcr@s+L`R7H=C?z z%MVTV>NdMH-{)doL)9DCvaLp_#=QT$&L=Xofw>5K+Wt>g{Lj$7@s=uuU2wy9Xsbte zhY-v4_Mp(t>sB6(jgduOxH`H#W#}lDQW`&u;1^l9< z3mJdMfv!Zqm`D`Xt%91KCI=Z?R&euH1PzDBwqS`cd)V5vY)@$j-g{B&x zR*F|o^dnhXLqZ$@eo$XWjtKuWvjo4!eTl0NN!@^N{w^Ljt@8P(B}bm^M6nHWiKy<5 zRKs)IsvwrbsEv;nyX!+JGsXED8~b2Q6AWxn;)3v?L(``3Bi*cWjI2T>ZSn%TA{~z6 zfzIk49&oJ{Gk1z& zyHp*LuEJYTysR&BSdW zjpN(6HqAuNL{K%VaVRA*C|-E8LQkvLI+Q!#ZIowV*UY`Qr{_D1V!*qJ)m^5i3*6p+ zdOPR5E^~49IXNh*AX9>)6=}oT1>i#|d+WvaR4Bd)wTav9z`!#kT_Uh6)gC=y!u7zw zKptkltw}p5^)@rPMP0FgNfa7G-4nLLW+zZh+YsL$bCT-RN2?U_i;J}^))5F@2M33_ zlsBxF8S08Ojz)q4JZqFxqgRd7CDv7chrd!h=!nFxkapj2jH5ZlP*0>MDl8$}z1lwA zVVD6yWJ=Z}CU(d1aA~KZ;&Iuf+<~~LvRZSkiw)Gu-F_sb0J5{uG&t0>d9; z!iPbuk!@2wNAh+_C2%8F#R>!KGfO5&h)5-bS@~d&w^5I_Ii-ykNU+Qy3>FPVsTB9K zX)pJ|lB=IYTN<8=Isb1h04*tD=rb|3Gauwm;9nPMz_MKza!@3@Amgya-~d{I$b@o( zc?XxAZGH4fJLOGSU6sOq1Qk)8m#O18yaB~CVFp+H$BN9P#_}jsi@?--5x%$_5z{)K zk32Bfz0brAyo+`Z1swn#7XjsWNuTR`&GRHWTa-F=jO z)GK`5Nb&mI8?Owr5_jsKxglGKK&F$ol$TU4Rk;?wZvYag`rFBo$>ttF>>O)e^RDx$ z_sf}kqWr24)Fn)}MM_2zn}%iD6iuAk)bR;lPFD;wRl9BdEZ>!a)TTRs5Ph+*C-t7Z zw8#3mN?}T4$=`O#frJwf&%F8R_a)PR4o`nMu*w{4hT;Zr4I~n|03DL)QeuS!p8~2& zi#HboF+s(OTT`rqpM@++gKHJnr{KK~iW`C8{*5W#Um1|hG;6$K)a3c3oW@RD~i#0vn3087QqiQtHtTZ9nw4X#GQVXkYa5ve9qc-1R2!~lU z!M#SQsdoPqd2s zfhieT!HSAeyQaQA=Y2+;w1=AZHy}%knTG1oyL$@+BxE;@x&@=9gG^5ex8F^0YDikmd>PqT->T4oIJv;IRlKlSkxkr@IUmCES?v zmPz&5FNH3cO{9bBZcskdA2oN4j3Hr*s&N@X#L+_IQo~zT`IQ2Ny_}Ym&VKJM&2luu`zfnS(=Tb+V{kW#=&hMFi9HeRftAQ{pHi)*$y^9wU8)^+AV(XIKqx6Xp{yz(> zim`|gwWaObUw1KWJ0;M>$B)}8+z&)R9UEG)@^wHjt=w_y2+)v=4zh;qg7T@#qI#lK zS649llmy%|{FqWYZKGS7AdK5bx!1yM?9Q)@unjGCU2HUjQ&Ft_V>nw%z4M$kl*HSp zY_-2sUFo(rGg5W1<~6zAb#aLpB#o~gn$Q6AM#6`>CAQ=E-~<`I zg$Uu)gt8xqR0O(kfp9UdTY87krKKQZS7j!xP(S~J`(ll3$gWc_x5L$j&f3I%6F*rO z%^yI>AAD|tNx!>V^1?5dx}%oSmp56j$Fcb2DdnYHtKe+Uldl_m;G|@KIw+UH;EmUC z)m!!uv>l-!DRz^l{zu@JUeO5)m>fp&1jGL!?LDKK+_vvw6w6Um?5KdKH0cP^g{TNh zm)?m;@6v0C4N;KZqz35(LZlN)KoAfRLQ8-Ih)R=$&;ybX_&=O`&OO|Fe`CBK-Z9Jv zM@X`tz1LoQtvTmfy8$at&G*UHNwZ?aJCj|mP${gc`AR<&{$6q>&4;3FdrrYvK2ytB zM+cMOqvFklXo)p>KrE5&CQ*5AWxG^oj%q#I)g)m$SLtxw#5$pdpfhV z?(7C)ur5|qb;xcw2nXJ#5^)PqY9O+oFiC6herCtS^n@#xa?#-=I%HY&88|t=dp2e} zVD#>MV}i$}S^gkp z*^xvepOzAy18zp{6^KDbU$m#BpGc9zu?NMpmwB4_{;s~?R0MOr&y(K4B(zXg*vRyT z9htu9yp<_qf%!!%pnc#8a~>!p}BN1+}Jg%=`hKqT-Ik)eRIf#J$$e}%QsU7}2=7uI+;}8^CwdCWa#w>f zdtg4p&>M2$ujP9Vxx6cS8Tb$4?4i#p@ippKbgOTr_`)jh7)XEMQ#%K@k8tHdERkkw z%};e9Dd}lj9Zz`kUqQQvYh4rU%AOi`R+x6X)=HHoH?tDYVCsKubvP*9G}%Jk+xaHr z6FGj!c+St44 zE5JR8q>4@37d2_L)HT<<5{M(d_#d1a80qs3sgbSRno^L;PU%fvZ^u{HQZ(Iq-z>J; zxB2U_sP^-1yISl9OY0WPMn`tZnkh_Tew@r#@4N%eQfzq%XO&lo9IYQR)dI~LE;i;2 zavda>Ivjfhf{wuT#zQuT7(*8-Hqshn(lPzj8uIy$lXq$)NboHjRVDdsrfJAQ(y`Q+0|H#RVtmP z=fmTo?a1vzo%P;7=&bYq$0qk|WBA zp#pcWLCE)uX;1ja{aoa3`o9mu3O``8i>{??+)ILs!6){mO~4d6a=VWf-QEOd2~NBT zz1Zog1#uBhnSalAn;o5CHgo_fp&*OuPeY-)Frhn0kL#CiPTa!ye-z^FoHo>w#iQaB zq`#Ir>5b(2bT%45fXi*yM9v^ICTxMr;>dJ>vrQq5)M|&~eu!a1Z$(cna6S0Tn)ZI0 z#fO`j>8@UoSK-oczI;goKiAytIM^S~ofi#z<$xKgAHcE;x!jWj6D2hLG73yVK2*fo zxDT+^t(5X)40nVzC0vu9!`xz~WW5qhUrldjkKL+5{CdvT>1m<<($BNvGk)E)zTa6z zt+oGZUHL}nJufR=ERU@=_TpQm(pjzoPI6}(e$xPA2#PJH!K0CedPot{IrKkyB```n z{y-+w*^r^RQ<~@VyUbSKLgX1+)y)8`4->|>Y^^yw{=WZ8lJ+yvShj{G&$IQB28($P ztZn`o3GjKQIV(N{3`#SED_O9&JB#(;R;R4F{l5YCAY)e z2q*2i-sfM3=y~3sM>U1oKdWIpfurGKx7Be}v3v?S+*+vMkN=pR061@43A6m}?R1*{ z4Cbe-sM$3!(Mr#%oe!g78}=f^g@bCH4eIIW>7NW~n8Z4_eXi{tH*LLJa_HDn-HI6l zz=YZ=w$O(S!HJXvIOUjII*fBcKf$xYNJ*|UD;#;IWFw45leQVHRjUeYS5lmxyWl`3 zKt?%i>5sSQNMq1k=#gj71(VgUu*3R)1?ZkTr=oQ}QZV@j{b&^c+$yobV=*Ou_?cS`IcA_V8c4;pqh&yHWwli#&<87;4Q zgOp03@fvov(WDS>kX-dt;V*OE`qV|@T(c{pc-6s(sM?E{HS2LRb+~i*UaUqMMk;@v zDJ$L-)zxb-JF6bwU=n^v5S@inAN-J zA1N~*N)vJz=Kz9xmUQv;Drqu8W+DAUy?rc zbmwy8}Dd#3``PT=(g)9A&AJ6oX=k>rkoBGeF|2#ia_5m)v%J;Dzqjn!9Va*lK zEJVG_5Dr^6$VO}^#$H}NcfQV-jII4-De9ept=&$6U6fCt>B)g-N3sN=_L)l&YWgVk zqm8oB+$r9X2@I_{q}iF4O4GU*-Nm2#^JsdMt=MI5^yiIG={edag@HEs|GuHBN@jliv8d@tFkj&#_<5cPN<#GJW zYhV37S1vwN@z3DpL>T#fDb*3i|29&{t-0%!AeYu0biFih7Ekk|>OHHB+Ca6YdwI;`WbbCP-+hCxaf6uO%O-iN z%&ThAB60B4b0hd$>~Av@pX$4$BAdTMxkr*dqKdsdAR z$Difnw@k@OwZyAtzoM(3XT?t`=QlKuX->Je4qPoWaCiCutn(a7fLuZwBs2j_{B7~Y zbqXg3?&pruOk1I-3;Uao7dJPZmcD=TV?Cj0=X>CvS(7~-hShAbn2W(zgf?xbYPtEI zoEEHf$X7>;JPH*pRzp1Uo!-8LpFXm!X$2}U@~RAcb?xTp^{&mFLDr$>6ZA3FF0;tb z84CP<%?^aKxZ#xHfkmoDegTM?Y2y}iTP|Kww)8LqvcpxSlPZ1!NU?N+kAzE!-=QUr z9Q|h$-zz`$7bH(=bhU5UKAFie%q(Fa zb;M6M-ksTi#u1V;Z@IedhR6@Pk7EQkBxCYP9N!z^h!gp%EHyT+ZXnD^^cqzI-pA61 zt7U!J%gY-z;98yo7=>d`n|U<=WdWc)z{p^R1I3_m7uPW`FUI7ec2snX3t(``!Wp!H zeUl(AiACEL_jyFEK1}AUpip1BDnV_DhNlf)VUuTr~@kN_Y}>)fJ^t)SY~Nao^V$o25ABekGIMnqzz&J!9PrVU|o za}Ti91dcDW#v*99jYspEC}c&5I6T?Joa6@J`wuxnKU@?s%SH#T-3BBamcbj2Ysula zrKJn>it~haH_a?-7x|hNvB-Wo0P42O+(BDWLY~G1)yrcgqaI(|HwPckfH0_BGfr!_ zYSHWB)5?%UySEFn#CLsO8a2$CC z2i2W#M5u6*!Zhz^1tJja@HuK7U0!HSh}>ke@U||?gdJuP642aifX?su6Ya&#+hX1t z7S!yHg_E~wV}5VYXioA_ZWM_SSq>RvJ1@{wfL*g>galv;W%)~3pMb>0@4&MbMQ7Sv zH>4>kDVF&jyWjaEa#q1kLdjx7C^5N*{4k%!poRvQXfD`I=c$R!UxPhmgA<$Mh2<-r z5Q;f*sLh;fpq&k^x}~OSI@k7CQPHxi`b^8dGbKBzRL*?0#O{M@x(Cy&!hpcm#Hx1r z;1)kiNxS-7l(1|{FP9zpVOk@ak;UnejzG#&$ulsL*4bX1OcEWYx+ARJ>US^Rv&WRJ z@rVmX9RTIo71J$jc?^{U)!lC&n+#L)>W|T@*7m`1ivG9KWo+FhmqtB%v!+QG!u7lI ziV+bbvN5q4qR^rCm(azA7;*M)`jyMo~ zL7ROJxMiKU*MIwiAxpMtN3qoo&?kHCA@%+P{TW!ur@oO*)1tKbLY?~%07n5LgpeH# zUy{rTow{RXNz+;EmgderlRlc0_D(?uW$dM&{b&%stl{GA2YDn)XhOIfqptmNTpe?? zFFLF`WuDm|5OZ{ANaoT6Yvsoa$qx9(2Oag5xot>`q>S5-gXx+6^90cEcRa-&lXn<1 zu*QcN=wc<`NunJ>aV4N>3Atku&e3QQ5A;=$A+a^rKOOYmQ(+hv0%31~0fEVsehA-`D3x*Cf=4pXva^hjUG8!_d10We=^%&!m6H2h3 zRmov;{*Aq?H3l|*uBF&6z8jl8G|6L=OrtXGo~3aEo`(*EB&C!`(R~ql(qWU*Y-XH&Zu?GZTQ`Z=66>L9|V}sG5uBA=4!Nk7E z#84-?4d67KeM-kKOM}$1HvkhU24rSDYHXRi-KOD7-&zkdf;I`E4__Pvh~Fi~@?64I zFuLX%%4q*cj(7cGCJ6u{kQy}0kd!6pCQHK7Ufg=2C6ba8pB}{F1MQKL^+ z=%EgbUcqJ%ir&JVOt@-(b6V<_ZpQkheRCxaQDa(q-UsTf0YVj1j!xavhXU1f2Oswx z4EabfntwYI0U!;JJV)D2eu;XqWqH5*9N#VJ!=3ahDA4fSTR(1T@(5<7nz50jPf@N$ ze$C`6qIn5Y4IwDt?GJ9|pe^M;vZH`ZwR?`;|8~<%jRLP4;P(M%7vf9=2%Uju=tg9{ zH3N}=tMeaXrp4@TSA?#Rh4culiUDECSF0Yx`>eSo99>@B%HWGQw7hTRj!8UbzCeUy zZ{BRRBYbSia4%IuA!WPD3?@SVU~V>x5WmmF&~Jo={382#Jw5mF*kO!efB=B=546xCoJoPr#@D! zxCULIOH{g>L_4(ne8X5+rCVnZ>rTeG#piLK0%-zKN)qK&TN~}CF}nEOUXVk#;)IUh zB2nhc8akj*3IV_I%f<{!KEeqY4MORuogMKQAX);nPW?Cm)&AMG$L(h=W%l_o$6GyI zTO4r)CriWJ>9$+^#nMpTq_v0n->v|84wW=#(2SmGEzk$~(H-=N68go_fu0;Xx4U7y zQ}#9~;L6i53`{_-Y<}5LNVWe+7d0_nJZs_un9%BGU4e-YS4TS#&f&}b+BPH>+D%IC zp}Z-|PgzT?A%@_L@gRyB*WGlXBtBxZ3&u)qFh_+&kDzdzleF+FmdDr651yO**t;wh zgfxynfAg`2hmJE0VJ>`8O8oZlaP_|Y`}yU)M2CQdY43b1x`VCOBVOs_m8&hN&SAFV zJ@!i!*a6vpVb)1%*VM7$Ja&U`qMH)q>6VLki1+&TAZx3x3GY76ss9hmI{T#IZZy*4 z$+O4t!$31D=irCekJrnM-HTX)8PK$q* zwI_FhBWq=XX;sL-Vc{SL$Sw-%sK1it<43bu9% zLbzW7Q&ci1+TYMIZ2nF^)x&4=oOixDWNrr~ zJFVI{P{xC(BHq}d(A;ffY5H&xnsoZ;H*SiLxOLcxB(bU%u))q0?48ILm?uGz_91PNJf{I$~5M0(- zxwh*TC)V#yP?yjil|1v=ypc)iJl`$f-*+%km+Ntpm}vbiKDTHj?`a76OAAB|oBR?dJy1ixRaWz6{1z2= z+=5eJLSg`R4o;Imbi9V=KIJd*uyF>I#hvzK!chSO+72T0Gr|FL`YyZBw71|zjc)(p zT?NK;0?u)QX1*6!NBI+TtNE|O@K6H9-*ISG1YZ>xDGgfA&Vp{3ng#Wrr2r)72*Moc zOZJH4*$clpA=B_-l+FSkA;PL8tR_E`caE>A?`e77!2@^pnUNWvq*wHb3nFr}>3!>_Bz|9b-W( z!j-d2pkw%UASYw|VJ4I1hXbIdk~>Ay_l4MIIxvEN93;o`=bQgwBtL5^tAk}q<2|1VIY4dMz{;7l^(QU2rE#s&&oHjU3WzeW34Jt4>@H}UUs=>dpdAEYcUtON&6qQBa zpJ4E3)~N!AQof#Aij|+C7SqyjHUIox_-#Yr8d2Qz7zAEG3+{#n4M5(!o4CEX6@&Tydg&vY7X$Z!$+QNZr8z}e! zfalF-_+B^;Ajgh%P%E97EXb@RubMy68|FUo%)xng8y!eX-`x3V^=zZk@MfNJi1j5> zst(9-iQWUk0m36K3IT0XDB4WAqBck}6!QH>;sz|BeC3$$1ycB-edkq6Dd(P05{sF} zsH=xBsY|zG5BlGWd}*vzD^bzs>u2pZ0N2b%eCw{(4oDu<^o43f_Y{w-Vaj^`WDz=Y z;1l1sf0-$Cn4QLdz%2ye(}1MfHdr)SII|S()>C6pwZ@Je;h{3Z%dH?91@Vo{8|N}J z45FXY|t~KHh@Aa5+3{*E*EFBhRvqpk)`PiF6V8dUDJWeEbuXdm4zFK& z%H%D4;-IgupJRY+>5p41v^labGBk|G2{`a}cg8fTTsE`Prh@A0s{m?UeyXZ){`FL} z(@&kDxP%Wo8M^EY+;h`R-R)6G0G-#)WN_yN(BnIR}0w06#tQkRFa z=xg=wjfPQWq+Qe+&|fXz>wu2@i$9^C&w+}U!;fk3HtXEXe7!FDs*-Y49|-$C>QC?O*M1R}yTS7m((u<`ANc6OjEqXm;21_;IlhV-_mB#d4Crl6HV3Nu)&Od6R>(R? z(8e{!6!KaWyPgzee`Bav(r_ zejl4mU4Y(Oy{XmGkgj&Ro08onwWKqZaqJ4_n$coBE{U#khUcO;KDnYj?#&y$4GsO| z(e=yWD1F#AqclmUuYB%@iwS#2w}>r?5MW9y7*Oq^t>?jvGY}q|*0~N8<(Z{sD@F$W z^4)auBI&WeL->*Khu9Iq#ByDvSV$CKgo>p%BMRT-fK*y9$NZ`)L|{>3!7qRlSfy<( zYqZ*Y&u7$c!(9Yz9QGbFbT`vO_d3ia00=#z-@_X!l_xAYD;wnYEyrWyzbKonxKB!v zwjU*X?u?C&0b69o^`t;1v_fjZ#Jp`JO^p!`pR#788MTdUa@&jiFJWWUF@O(J+fUe7 zZJE6kN2Ru4I(*q&SX-~!3XElV&y8tRUdvLv8=URsV)FZ2tJ_7h9`rL8n-Bi<8~*M< zg)}vPwI``$iF_Nr1bWsnvgvjfIDELuf~b^|y~CIO>W}PRD%Hn{UZzM|Tr@!6^X~}} zEv#+Yy1`lT6osbe!UQ62Ak3kWI7G9G2CG@lxo8DdKvHf%Y`l7sHO6@}OR=7g?!~Wu zZ-eh(O|B{guY@5pB|?nf-#8ib-g&-t$7oV;-~1F++==!0Z70V^J~h`_Vz#W^6?jg4 zF6IUhAdj`AXL_LWbIeC%m`hTcSE(B6BefyM(!dq1(5>?F8g0LcG@2*JL$$Ykb5%FA zvOql=5%H>CNwJov4}G*7TWGZJ?60};+<}u^%50VRtt-i*K}juHI?+Pt-sZD~0N_H6 zKBW`MR#l(UJV1_Ig29(@SWyDCk6#!fI7p&1S>2Mu!KPk$8v!jt&~`b#)%vqn)B)IK z_tg}cZM=LeI@s^dbH-gA|H9cQKPOB}EC3{H1ubZR*Y6+{w*nwb;h+(kxkm~Qpg0b% z0ikUM*8sg#@fz5>4A8%Sb+R1FdU3s%yr`!mGv%<){RW)ficPb79nvPslDV~=6gK6R z>g}f3!)97r|CQpA*t{xN*aDpF=rD>`>QpIurg^)nKXo{zdrP8u!(dC29Ad1Q)@>;N z9XNkcfU;!4Lmr9+=&jz?lLp!+-y~nr6vYjO?eq*rg`Pqx4!g3UzPhErZA=hSAEECy zVj))~zGjeJ3tnTjm$YvI#QSP>U(pb%R9;!O2*v>_O7nmjKYJr{iBw(M<*krZJ4&1|haHWP=2`*9&z z-E*)ClmKx|G##|cIW3G#^q(8MBH0DTmVg1oH)E+%d+%gYFoY094c8o0*u_d{TaxLs zSKxR~u?-tX_F-6cf&K;21D6O(xWgFtFH!lu1!t7i0Q8%17^B4VAMBHI4IoBwsY$RZ z!auP6Ag5F2F6!NAsgYsYruSio*`i1vGvaJO00kUEs8&0wd zzcK?`u;9uPs<#n=&b)E}GOtoJ>m(LPiAH2}Dgil>U2ji8H`H*E_|pF`8VdJFG|^x+ z!D2$ztmFrbP}(bu)qVIc9!m6){q&JCg)9StoT$2c)pX6+W(NHFJ)%Uv`}ox&5MQD5 zGm-8Eq&awgtCeEJ)e`D>4~(4M^mCb8Y!Xz}ieZP<+>EI5-n8mnqTpVl$HIT_b5bqC zIbM8E%GMszLl}8v%Qhe`NVdfZMokM7l5fXE##@T?fU5;t4AsJIJGzXdOYjqAgBSbV zrR9_i>gnmdxBK`wC_mI^;>rMe!7nSl0?;Tl0m7D1R*?*l4rDC|IQ5@*@I~mu`ttx5 z&u{VSW5AmN?=7hz_rXssFZ#6F|0Eo7$P|$Gl!F`8HSbS0Y9rUlA^*aG#tbgy^zplX z9c3O^2e(600LJO}Xtk+my=`5rEwo0r0{2vWuJ2t^)~$vACZw!c=t0$vp~xfQs#Olp zOy--l&AFp(D3>{K04I8}cL{r6p199PEgQ&Zuj%v-11gO@5yed%xKC51cECs9_Js4a zskDIzCaW&dK4~5h!O^VY*ELCJ>BlGr3~G}6AQ7aBt$A^AvC{PO#*J-_*g*uV+r-@& zHjD1k2^`fMmBF+?oTd7av%?_AnVsl;6IZTqx{TqKb8YZw@7mV8@{ZOp;Qd zfx9~Ps3lN{Qk!0NbdIZW+$_{hVY089E!nsL4flS{K<#{Rh0tRYB|1&d0+@5<8^#@* z-BNo!qLP7MDB0Zlz$m}3-}x#Z-R2{29!kmH$)PB7ljZ@RZd}+Z{vqf9f5g+1G0{!| zwg#M>fg)D2V2Gln&S26$y#Kjsd_Yp-;x_Ik)OPGT!JXLlZK);;QrmA1@IHD2mfe~p z0%ijuPjyqYi-y5N1$TifrL=a05e) zfno$w58b?XCshrA@yWCf7HDiN=U%>k(fD2Ihkv zpwW!$pJ+Q--ivpjyFV3&lg|uskBI#i5J`w z^3Pa$;DF*auLIzH3+%YT_l?>dG#3|n%~)wyO0-M06IZgdX1tNq3)9l%h5~72GSJP_ zOKrJN#@q#d3;@jUG%N#Jox>v*CWFUx;O|Ee1>zG+JNa~?_u_BYlO>ra7wn)LKjfRy zI)=2<89H{fb;n%V##2Ez7V_}F>cuhPn;{Y26*Q((;!P8lB+BC6V~qZOt=bt0z_HGC zCI;o_4R;Q39(u8gdK?yF6?Wfhji!K2eZ8NoZW*tbb?rhXTUWTD4}4g9P&n=1qX5t~ zFyYdRLYXoZ-!1-Kp4_nX)EN0c<;j(@#|VejIz${Sm#>s63IVK@>$?@&l&+b>|gy=2M<_j#*e2Z(rLE7xJQ4&UdO($@#jj!MQZ0Wd|uhgL4g# zjC&-=&M+D%C&`_j3+B29Wm~3!Rcr7jQL@NF`!+L^-;hya7#T@Eh zmUtC;r5>Wx?j*wEy%>q=FqBmvi_6lx< z>j14F$I*MSm5ctVG%Y82APF^@xz0nOJx%iHz)WcM{)n2YbDVS7m`Tc-a`E;@L}kMc zxOUQ0V)f-cO>5EJV*064gtAb+!z}yfCR>Z=z#i{&n?R$kIshT{z0=dYDr(AdEX!f; z=K0)KLLL1zIm}s>@52^v`2Ubgxg=bCM_EQst|-M=>V>1s)5=f=2bkaimcuF;&?CmT zUcki)^}yJabl~l=n*Uu2&9jKT1EdlG1~AswD}vN1+30cO4BHXG)Eb^STw+Ki%kP#< zIBQP)Da{STvys4f_Ueda*!hVJS1a>2Gvz$42#H=|NLTQrq_YFGD zFAMVcxL=7csptOy{P#cg^O}DN(BUtt``uu|yFA!gWS-YfQKD(C?hYKt69Fx##i$Rd z(|uQyv|oU3JMIby&@cX6+mht%l;T7?xBr2^hRV`A+fm8B=3-taqPbzZ`nYS;HTb>) z&VAJCP17Y8shj>~kVgwIq)L&b$OLnw<$vi~!GH}pH_(Qy1d}Z75(OssN*R z|57@BxD)wb9seAC51{;YP>V*yBPw*O z1dpz&cil?1b20l9Nq)7;mRv<*Nl5=>_F`}kN=EeljQS~?^=u?XzZ#LfQVC(S^-U%; z742!GSJCJ^088Hg3)zrf-<={6vQ8XGNIfar5~!*$VB|?!nG`BdzORNynq^pM^4k3p z?L$B8dZB_UuYwnxp;*63W#16X`|gZiuqv^BryBe@j=;YeJV4oW`lb%a2L~t&|L2ag zx7cw3qC7WaXvDT@A8hVmV4%>|PS38e-}VT*13;tRm$uWciQ899=;%BltJv*J>fKv? zfn6u*a!qJTwt<_N?2nqGUFBY#58&uOG?ZvlZoz#BPLwwR_1{h-^`-ot)O%0F4A{RO zRm5>m#9X&hRfz*~wTZ-PvPM*P)H!$`ski3ZI_H|JNU&P6?Fj>juBUxe3q+@P$*@}M z2Oy%|0lwp<=-d5s#WdUZrv@0(1LL)BP=^qJdgCYrwYl(YY~@~L#sNH0^?Cv?^OS6j z&qr*8MFR-N!4m(E-gu_w#YQaUPD3CptqQ`ssR+Q3e&NLcIj&eGMJNbmQTmU?|NH0m zB*#3(wjUdS?UBtB;J{yW7%(oogy*6Hm+B*tRm?sw8b={93H_El0)DJ*XJh;_Ljk78 z`WN_p(`}7g_|hi|weAdCt>AYQgMVtQfd{)wPa|&+gzAD4Kt09ylbAVzVARZT&R)G? z@tKin5#t|2QJn7E;wk&o9PXJ3l+y3;bNjoxC&n&hwJ!c4cYWI$HwFo zbe{f?@qbX*BjgRKm0Oaa0c^BJTF;E|2ZxDeAc{Q|z?<~22j4zDzSzRkdET(;S;Oar zSLL_!bOg1FX#Lxo#K+bDg_xZ%zol~Nx$z%Eit2wKvCB`Bb}fM`qM7~$tdOL|bY zN4WS=3%g-sYgEpq_yx1mou0OY1kpe(r}kYL{zsyG+Mz2lr%l7}7>gO5<go)&v z9DkYp#6?Jvee`V9VM7Nx&GhqFuwZdURw>gdH1GU#0!8W3*cOxo^7;*Y0PSk$b6{7IV-np7g2yllge~a)kw3UN2=+) z_^5NrjJ;Xj7f4^c1VML+^8GdA@Bk1zQlVfYv%lSUg z7Hur*k=iv3@1ZG@bvX>fZr6u={X3p9X8PH4_6~FkNJ;swO?}&V7eq}8?V^})-DSDp zH5g$vKgpjr@N>BH@4a&B#GWZBSPhu(_;&$QJ4Bs9LLY+Y*qJLFSM)eKuds8Ccp#hZ zanZlA844y9STP-axp(NOFl;#}d0Ubxc9n|((r<88x1oEr2)s--o58%iA6z377hm%m zCPd@-`uz(k$%63hWeSJOgd$Wx#h>Cx8H-XkuEHs1j63@8tp5y3Kw z*(_F62}MR?!YnPGi77zOZ8X4tW=_WHSyr^XSCZ<(&Z-^UNx>v_{IfYlfGW_RTRwg( zCFf>*ci=SuEiC$W&?Anp#Gbz;`fS6{)Cjwfcz9?#DD-3x-;5=~719Hef-f};jLD7B z#%`e!W|~XUm^`htX0NSEb$gNMsnNq5uFyn|a}AAV`iRuMFhP&99sj_(hLN3kYRL4l zm}Yb>!>@57gEeC;{Bv3GeQb({y8CV(b;3-pwzrIcG04(}1Q+wF9ro950#Yu@D?Kr+ z+ywpTGLIQn%y%yD;gS5Ko9ZkLdFbd>V}I*1Ts9NN7&c7P0xrI`kEV$VRe*gHLq*l zU}JcFZ%#1!pw}v?A_vBb(2&QaXa^^46vK!JeY~AUC7I)gl`^c04fI4E!kGgkgwy#& zNXc23;{2l2%r_q8syN-C^K<@Xf}g-QU+WoLk;sXs(!o3aU&0vEpw8`SwiI&mNq_bD zvPN2v;@mffU%#iK1J#i~`d=9r0W2yvcdooM^^A@afW%}8voE2Ixfn4TfB^J{TKAln zyluOe;_qedhy;_bfNr5P9I+me(sY*{SQS9oK-(QtSX!2am#{WVHk3>@*!3hU9C4je zM}FL#JouXDuF@aHckc^ck9vInKI?&lA2*$c(m!`JJ(+Uv@rvU$wZm5X&eCl*%NC=J zYV3}&E6hQzg7BFrZ%pP`xhrClkr~Vt`Z9$W65i3l7ZM6$5*?auNU?13e8^ct*LgHL z@e3UXbQ>K^yLx(d9rp4IaG8n6%sO)YndFQG>N(Q{qvU~`HI?>&9R3!GB*~LY^6p@h zd>-zk)L-rMs}sDAOov`{GmJdD%AuWpJVi3shAvDzlUd|(?#si?_V(Xrc7Jx74XLt5 zQOB@BBof6alT8PDX1INrzV)WslceftwJp9Pb_h?)V7$OyNeU}Y|3EvL)1hEK3%6PS zq9Bzbx;2LPR;DYzMD^Dc9#D2AgdVwfdc#bxq^A993ac>wmC%1TBi-;dGb7Y3z9AM% zJ1}v0f4OeqJ;U1o5#h|tbVZce{qDcsp!h;(uV*7Iy=KGDeVYPya&ptCBhGkv;)?m7 zEnentKNi3QgWQVYhXp4^_w~K*Oe^SuL4%oRULB><>%%;b)VSHC&E~h*XD5kzsOuE# z=X}5~@;plMIApmB5WLaGqVYVpxK zR=RSYjsJrDwq&7yL9m;>ZGiE?EW8faFXY9l8o#F`TWXOKaQ8wAE=}4m=ajCPG;9MK z$UPs=iMQyxq&%mUy?FyCRy7|GZS%eo9ly{T?OA?F*{yNXWmIK^ibEQDkV-=PNWalz z3IBVEMeFVf?^&_vge9g~QH$11(FUg4hB+{Mjla()C+`cHXeK-6qmN@@gxuQ>1Zk`k zVbn}t!`<)Vt0T$r85zTF77m3m3#Gzl1bkQb!X%*>?gpBgtgg$fgijEIOj^zxo+^dw26@70O;3`tv?=1%s&tG))cl9U(8dksjw7EJ<;A)?4@BlxP4n&O!o0q4N(%eo6 zi~OiM7h`=_&9l`eM&4EMD5vb3`6XyKKH}uGt)1uho!qZqAI(jMU+t_A&I;br3Z<@* z{pJLYHJqXB9_j0Y^-qBG7Gv>c=(OlLXC}f8RX?Sm|H?K0ZW$XgK}++qV;7Q!$` zI(hjOzrIOqXZljerE@10ugaukLHYP0tE`3ijcKPEJJ8w_c#+N zf%P4UypuFpZm@}Ysqh0fKj)#GC*@|)IMjxtoqvgQIG`h95i`%dlQVCFD3U7r()uB+ zSaAgG!$4`UFO`0DRtQs^v#~52n)9!DizSzo*DK=nAx(%R(82&rfgPcR?wNAir-HcTVEfXI{!S?`{FWk_YU)eyxRDmH=Lbo&zyMk+jiC!ub{ByWKiY3 z9WVE0gz(LBQ}MpOx5oH}p$kseQa^q95~NH;qdBK?h^-cM>BP#kH}Y1{7xC`!!~>^~ zhyCtk#FU3n&6qUXzWAiRzJJ}Q%&G^x6dG&pu_JKV%xm(eolwB9a)+l+!FqaUU)+5j zgiLV&hcfHLrzb=!IH&xzZF6@RD_h%DRWu`O66Drexi&WJ(k|Oc{f;O1kVa& zcy`x5lQSDSqI~^Ilh)m7q5_Qg(9D@M5^%9K>wZ|J3QRCu&25OeWt~UygEC{ zn{mvgi7(APoO6qaxBw}F6_FBL9M3#IEw;!}SCIAkA73)d zmWsBbN{K_PH~)9lUS@x|pw-O$LBf+`e%|T*WyOQfRWwqD1_mz6gtm3`-g>d{Rk`rl z5~X$-L-6?FFaqIv`<4l~Ni-@7Ch2kJblljEUym4y!P-0>7rfi?)p~|W*rYKLSF=GW zTS-l^is|xi>p8kc2XB9XZc}SB{AUGj*H$eqb0{c4IDAJ97I%6)ez)s{w)C%lj;nqu z8N3reT4ziQ65}IsdVW2>1Hpg;7tqa~1E{#^kASPZLv3{_U*Y7;EWh|%psQV}Ye)HS&5oVeOTsIIQRIC2~V^R8}OugBdV$;%EU)ZQJ zi~IhRO-5QM-#icOC0>r;>5t_r^~<=)fp?fCektBCfpeWJ-?(=Vy`^&+YPgs$ctUbh z4)Ch*1l}2^kzwt6B)@e9MD+#s1CLe%es58Y_T_)#|z2bRq8C9MdX)@NYJf+m$UH>5)$ zGkn`Gn3wo4T} zNs(X-yp%4z7*XSRyF@(bAb`Nuj|Ppy+yzK%8kTo_<0gFCuaRV4)&D-SB9n6!QWWEf zE~+;uB$3%_YpI4>O=xp=<(IVe$6ydN#)x?E#Lzu*15rpiWJ5BSKn z*D-f~a&J==Cj12EJMShaMwdI>yCszSgM`!eDg9u)f_zbl2h)?~?79@yytb3jU8=VPoZeDYWtew5(L6#31OAsE})rib*?|pC{qvr{` zgX~M6e)n7`pX1E5?0Nx&Ha`Kkuul8eX$LBB@?uCC_YV$sM@W&Mu5z@bMRc32P89QV z^q?HF4z)awzp?7&RY!mEu-r9Ltl8|sxn;CP&DpnKXPWDOgy$8i(I$48>Y;}$?_1p1 z6^Mi8Lw#w+Z=?(1=Xk8*H4K{hcLjAJGl7(%(6?`uFAO_xK4g4=UOX8g$s{B=)jqhG zbILqNx(bp5I=lSbgvCrj@OyE>aQU#>FT&gA-}PF>k?u5$ZujAK#b5Qm1mB&a$TC_> zX!UY%s}m{Gd>K!!IzXzeq*QfUheR|Kuj*QQ8xplfv=WO#b>@&gq5sGBjEyz*uE%5g z(i#9~*&Lx*o7?=xtlXZ{%0m)`Il?g019QdLZn|jiFG>}WG>!&3pWtHS*Hra za0O>1W{kT*)nB>+mng^A&^cPjZZ}S!=*SW?N7Z+3k;v>{zdeenP7ZsNPRNSZJ!tKL z{4?V8c#_7K&m3V2jLyxhWDE{Z8=X=v)PAdA|MNHVBQ@=gxy?#Dml0XtkWlyNul~Et z56t@oedaYcV-g(>t>~p?@f7AsSXOx-cRk)TQ=*iv%wMO% zBm~?xyQk5q$M-%rbV@H|tK}V9zja~UsBdetYHBKo;w(Di|I3!LrW=Onj%j^zO>{V)M1P*DrK+O_SYoE&`fu3X0*A3&TZ22H{^naGMtKt&`q;yP|-1oBZiV6mG$mj^DGpI=ru- z&|CF=d$TXFt2#Rr)lDSvIQz}0{VgrccMoe)%I?1!L%S`vd{PU>MunT}r?Vg`yN?^< z$hij;TAu77l+0Q}YDv%4 ztF3D55%Ly{AXmObay`+}j`BLa@;Mcs98wczUI7sl|0yzeuh*RSZxL{$ay)*(zK}e= z16K^W?v2vZ3o@4N*I5hzhMnZHEjs+aqyO;S*MK)!D6#{Bu{HZCh^#BF0gV3Z(eZ)> z{Ny!$90z7O?!*-AlRkK@b^*lBvfHm445vKd`)*x;Cjm#j^!WNJ9SKI@{d%dn`iGN7 z-21l@FKo+&IdJ#B-EaoQ4`5M)?jGPprlfuMzTldjMFgy5q%|KQHi1@GuUkWJy0sl! z!b~Z;`03xsq^FckQQwK+92|*tjyEw{lmk+>NXsP;mCzK4UB&joNK&p?X^IbB z`ueUn7zE+)w+sJ`D;AgQ8yBn>I@$1I7-gO}gsfG2&hgR#F@@uPsD`;KIZYqa4`2;* z0}f-Sn*{P(2==ME1};1=)JmNj4u3q+_L!eYTcsAYfwCb@n?I)gIXMxLmeaT}`px8t zQTaVI7S`e2tVKcQh0z|icwP*dn8FPIsX<+U0`tuCj`v4pqXV5?x?grzS2bf&kxLb;!-Sl|uIyo8WQ%ceYp%aC07Igt`ufqa^`-5+V)pQN?Kin2^AT`|i{x+*VGT0u5eaQ@9R3!61t~CPh_ESt?|d2->H~7TK%;soDSS z!4#wdFK2L<*g}m55Q|0uV8~be?;!)1>AHxDiTY&nryIvJ#{t-hMm({jKP9FfhvEgr z#X7YW%!s%vCs!qXjarvzSuDyNa8fT-RX6BlvH1Ba0Q>C0 zPZK*t5emU4GjxNQt)FA+o+H~ALdgo~TX7CRIIkY0LWpa^3GlWbaDR%v^SZ%GI39a; z3%KhqAgswnxc#)HC*|RL@yud`qdaG z(`NMFKt(jYaZBAia21RvI0kRp?X0!B^z^C`KO5BZKdg5g7k%z|b{*e4_WB;7wnWs; z-k3OP+3U5{bV-PSNvU(XG=%D=+9xqwxt{MLF>!0k7LLNDk7XV@wl21Q|JFx}qcNI; zY#s-mzBwn2x97>y^?W)ZY+WUoM=RH5xyT)v6keK^yv@(QaASx+3c*vl2C^F6S;!5j zvTfV+1qbD>OBer~PQXYM1{{)jfZ<+JuK4L10-5N1?o9cZ_NxRwT>{P6CE1SGQ;#9V zV2HJJ>MJ?~HJWKsZ+l$iTKS_gl@ofxgX_*{zLv0jNE98$ViWmc+Z>wntx9A3bqLkL z|C6u(o4AMPrnf##>;}vzJzcKjZ?+(nl2wM6F6{S+E<1#)k1>GAt^JY;#l#dW6T~cJ zKf)m{&dE;FWX2mOee?=1QHohhYVReGF*D0Rp|T4eeEq7b1n+;QyEouM^H<*Nv01G} zef=9_N?{f^i3!5auR;NsFXR4pwpXvJ)WuxcwWsE=1lnH&TxkW2k>Lilr!HP?S2kT2 zS$eJ)ZuTTb>Lw;#{LLdkdx3b6hd=VQJN|ws{RY1+D~cnlOYquT{(I*BeCF0cBKIOt z0@l1N@#zl9$|)2`-L|&2)=+1%KWi#nkLC>)o1eM{d+JidnzsY7o}1S$C6$(#AQmr- zYF|QLy(HbKcrv6QNQrWBcw(#py(TN~hr81v@gC`QvIb%+-GA&6vL1ob2(hPL7@jm5 z);G1v1tWguUe!9h&91m`=CXWsHln{|3SBP)Qi?JSg?bCR(I%N8@^O>q+0l*`OP)vC zqP!Dg_8^OP%`%f9S0_MlU&6pwKJ-Ck(ouR`=}H9+15_dw()6Zq_DLC;Ph)IAsHaUQ5ppKbGOwU?QAve`>JEiQPsA9YH(2&!FRN zPOZ7sX}@rulR$tYiGn(M<~V7VNdcU+*c1mTTJwu`l2VF%y#wldhlB77nEZG&z8RgK z8*v#!@-W@46_c*g<`X*hQDt4U*=*Bv$shDeMmOw7k%-}hpJQJMdW)~2^lSW~!=|m| z#-FK5hP*(CeSPoqFLMnjdny9Us=^v4Ac?#9fr1>lxqYpzP4d~9sko5*5@KwrN?s;!QmiHfHubwIN?0`+6yM(Nyts@9fCA5K_1El%sd2;AkEet z?{Mk2mh@?OS?^A_*v(ks&@vlwGYv0a(uhiLsVFywGLqm&U|zF0ui=v19dwGzrgyEk zz@LZaWAG3@HUi{Gj@LGCy7JX*HgRwZgqG&`OId3f`%*^thoSqvEVo*))CX3b*>*&; zP9DhcKjET7Qu^^J)we%_)#p>kb@)m{znjgA)lc<;kY8qn=b>+HT4pK z^qC!ILthCSIZu?NQu2y7CJMWn`lQe81HWVy`nW689IhbuJ@B=)Ti~MkX1iOR=r!?8 zl6;PZ?Ny)V;Q)^m%1wJLiH z98|2<2#?h^SX92!tO|T=f8!ugs>id3$xS0O_i33-!Ut-k0Hq3N4tb_$#&2 zuu2=rdH9&g9P)TeHLx@eL*vz)Cl(L4m6EpMDG!-2=`Zy`R)EcB{ntHa;x>_GG7ACO z=1)k!lUD|A>fIzNL+Qv4*&=+eKrLopU<6Vjqew?n>fF`uU%^7p8FWVMC;5t6ULuR! zi)Q4fqKjbkAK&~y(iZV9G&8Mc_ccX{K6@lHqowKh* z@i;(%ZPlLIZuY|jnB*(Ec-(L_UWkY}4645D0I><`Xl@xCK z;9P+g`zn1SmHdswjc|eQnsh2GA&iZS9)zpCu?ToE`~M0g4`LtF-&rLgI3&DrepCJm z`w%M^CD$|ps1GsGL?JI@Za#my-BmgTP`{>152CfBl6 zWGYff0T8_R{gF8HRwZnPmc~Q<;mk~JXL)BNXF#h0jM(4ltCOWejhS~N^L#NP9Ya!b zcH+Z6vrT8P9K3gT^`t=DtQ@|xWv|24`J|wRRdkKuBpby~eGfSXltW)g%#@TAv`QBg z6)tP3u`8u-Oo}v!jE__8?D8U9eWv)AhPs`cJaY->Sf}oPf9V_(aGVqGk4+K92a<46Jwu7NubvK0 z$adTZBDAl1>__=5!S)nYy3IDFIF`~Gl-MKL40Su(sw zbThP_th~0pB6pZ@{wACoT&_2$7*t7E#fJP{%FJ;z664U41D6zXC+L@7M2sl3X*85| z>(1sy?@Wq{VqR#MZ2?86A@ zi4Ul$sZDKt7V4=f1geFpFS7xhFa8-wep(~`zRM(S2`YHQ!L-OW=jRlH<`UJrn|5B) zcd@#>_CCMi;_S2m=d-Kzzu+e_wDo&iMUT{s|xROcTTtH(iF?oTGOelh;^v6Qv8-*_KmT z8&TAx5r>yIy>Guize+ffgUY^i{s2AIoUpMk68ge#M1A+?XcCxO5wP$-=A#~>XR}YpAs+|)U#i? z4TmL+VS0x8-x$UDVkcsDcyjiILTbbS|I^?70GP^-B4}& zz2a*|WRYQ81*)#WPxno>imM%l*|g-pp1Yb)Po^N|`UR==M9Uo+s1S5yb1)t?&_BHL zxu52A2^sE2#Fe3?9R^1XazRwxSawM72yNXtQ(&knXnc6MY}v9?aB1|H#7li+uZ^Av z{_UrW_Q5&Z@9d0y!J1OMkDiFf*i#;kbgETG|MpvU5Hre+@07ZsDF!;^0Dt(HGr9k0M%y$@UR`nKp6Ibq_~RMzN^bEHA)A%L^9 zicF@}k*Rj5a+KWxA9=27imrg2Zjh4RlyXgqsk0H(lS;mKPd713Oa8?jN8Xo$kECZb zYaElTrdbiRGyTj*a6PfZ^!%qoBl!O}qP6_z)+1GzJ zGa-;qV17r>Kw#$utu^w6R|lm7s+yWJiqB{|+$zejgth$Z9nHr*&eAUD~pZyjE_tnInB#_31B(GPd)cfpTR`PxsY zp~L6g7|p>Sy}i#rO5KTgwAM!&aqwE+)R6urNjas3wUzwSaK{;cJPO+UNb;YEj?BBj zz9Oc5F(>OLWH-39o(5VeEvsBmvq~_wZI_*`D zR!%;iyssrGr4oF?WJ66FN$=;%rQ4tX_jtBsv5`|1fVCffc>X-lacAq{Op=nS$8xTD z>cP-Y%{0W?3DgA@56}N}T*cU@*tS;0QXHiB8#ZR!z%(%xQl5KNri3;K%vH~_55lGi zJ<>jdjW;o03-O?NeX*nN;%v8OL%_1?b+161a?v|Nct&**0)?~{YGm>nHn#OqPT3|~_&CK~R~ zmk;Z?wKKGOcbnwkmB=-N5hK7`sAl+9I@?)o*+tB7yMc-dIhU%eRrB-5uKsPi0{6A^ zYx+c}qKDywe$J8tn+?6sX(~=?cOq>^=Vp~!N3{RA!)a^2IqfYK`pMYn<)jVyXnKc( z-_x75H;~=z;(uLh$MiSu&fomseD;CQ*urwY)qu#4A{RM)@iB6r#obHsUi!Aci|UIf zx)%O}>1`h|A=m1_K>Fw=;H<1HMMwE5?o4TusBC*nPzs$z_*m7u)TkOzVnkP&q#>JK zHA@%z)u#2P6sx|PXHRpAAYdiv7OesK47PTB;gC0 zv;h`MN4qWzE?tl58@_`X8WFL?b;6>n&fnPX)({7d-PhOc49$OGb?YX#dCh0c3%=$a zHXGX1SGs~k3iABiq;%8El)l^!bPk+o?r~D0C=ytl^#Gjp=65p>|zVlgX-q;pg;l^wNqzGANSnKi8Piehv ztKM&>Vcs5BI&y<~)V!H%LMtPTawjF4eWirtew?eXV_%OIS^nePmbb%C73|$W!hY#{ zd`*JV^RqJQl9Po@#fZe;*q7sX8jCR)vSQ$m2_zuOs$46T&=b(tA&7%~LJ6;iiteNl!SUC}~jm;?l2arfggt=+)f%shV zdnXV>uoegMXObxxieZKj_Zjc_&HHeqfkJPUl$1!eZ)}=}MxVx!^R{le0LWM?3e;qC zKRT6r^K%IeknnApweU)=%u~qN_Letaof8^){z@hWsgqgm7Z(<$NbUuskKy;sp^HKL z+v_L9&71#&<@?4~_{0(@&}NkM-`(8Y-Cn;M(anY`27QR1)RHyXdBFLMbGib}^GwNk zo_*|C%_9iI_pYk6B~o%fARUN9j>{M-5!Cq+-mU;!aH1?yu53J zdL8v$=zkFHPToAf+3<7PYAypUx2n=^$-KT>AJ5{sA7c~r{Pp^txv6URz`K4>Ul;|3 zNIUZByvaF&W@FPb`^Gmsh7lE^&xf@3%^#?@AmSh!x62(qn`+buk#_0xW=T|5fgLUt zf9QSm;ldvgB<(6>n=YZ3wPkoe*=5u!<|O6KhA7FBpNS5f`+|MEB^sty?^U$09a&f# zTdwzmWORbd&`r4vx!oRV5aQ#?H9_9@pwk7`fu&Qa+8^zepgF_bg**jL$Xfk!kjg|V zk42`L<|5e-e)ncgm#*&Tn!01U{pwne#U;toIGBW5qmo%gRXO_$I5-5bUk;y(1b7q| zuMQ992{GnXKZI(=@>nQ$nDwH0<8=)Tl$Cn|$;Fm_ zD{TknldZ|z#lp1|s*Z-G*7H=o=|RrcuN7^&?`}Qu!!*gW-6}7cQv+^(OFW~X$QuGGff-9~+8Pe} z$3*fRSHF*4Qe$hhxzoh~9cZF~L~SF}K>99Hq^(-}WG}AD{)#M*y1x_m>AOr1atPV)yYnP*#KqDa*bQcP!El$s<{*rma5rC7danigs6?{f*YIj!G)q=T= zy1&U@4J)CI$cSfggRmoVDW;q zB1PQtFlr56;=Lu9-?*{Xh|?k&r7OXZJ*EqLt_$9~WGT^XOEV2%$6OOw9W(+od8+i_rQvDvhC^pa_Bd* zirNnBbVge-?&}APh-78eY2UE+*ghbqu|dzG0m*`b4_F$YLX*iJ{CIa6+l^Ydb}K@W z0zE@+cXd~jnWnybhCvP5%C&HO+%5l=l>nUfch@&wC5yj3i3xtMI`dpqI58zr%g*kB z>h0vabk+e<1k(L3u9pK<@n1YNmUa)YblnE9S)hmyeg-)3u=Sa4p_ift}}02J92c#Kh#MUoKW4>&=ceVwfJn)t_s#ceR9X=W5(*;%x8n z`(2+-w!wJS&JBO>NqAe`iXu6azg!hT8*6;l`#B9K29s}KhoWE$T$Sdso7-9~2jq7z zAN12A)n2y=`aVgijCI$FsQBq6j=k9be5xT%sqK6g0YIf`F(=-Ytw=#~Mxjpt$Xe8X zDX<^9bqll>}S|z}=b#Y+o??ja%0Fc^~|-)~*GpQ05@yEm!PJy@%Jl&*GE1hI+4) zWkRpnk9~=0XHrmPbP;?i)yvYv@_}g%?f0tzym0M)o3BkINA98An>Sp59^)z%Bb8J_7%~wlBdAidce)jlzdL}H7N0dgqBJ~Lu25F^}CO;mSGa208vs#RxAfR_MNJ(r{Jv!W!Az13m_C- zzB=oOjv%4)oUu)VRBSpTMBd3!rVYgOfA&GgHkq;qG)ubT#^&Y}REpyhS2}ZCDHgVm zN5{t00R3qEjUr6rLQVPBaV7W@YGUW);#h{^wd;8-3Tt7%r;=mVyos2db#yopbXdYO<(-P7 zz-wEuLoz(*9~xqp!Q%Hc}%}wajaBw*lp&QPP%KGOCE*R z>CLwHyJ|o6kNnyZ+0QL{C>kB;_N)SxLlE{zN|N)%X=?aUPFSQS%kj^!G|yo-`x9rA zS)gHidXc<*=*o_)-!e5`=wXsGy+AqR+qOBz%BD5bOp`Ym0QCwAt$$AwhvF5TZ5S$p zFWg*e6VlrAAT!RmZ)0o6Iwy*1*RFPnR%F-y;w|Ula#<|2X*EOJ$LK-C!Aw_@latb~ zU3twrwdhX*$dL0YI|NeSH`ceLzHp;)bSw$R9g$e?`!R-`|I~M#>kMLn^cp>z>L&JQ z8BXuf<7I%E`Fe;9gP+!`oF@ef|MrQ!`$JA-B~BR!C+BrS>X}-uYCk*im9bP^*q3INsTxV-Ry2M^eZ}$uQ_>#@ z-~3}ZVsIx{f(k%8;V+)!lXkfmEtO=k7R2fm<(ICz2$V5IBOjNo>Z=>sC+4d9JsI<6 z{9rh>PG2=?CAsm6wkY&w5cN3R8LbZzRWOS?1W*>`a?|!W1on^;z^ogFR()w=WUA&3 z`xf^h$@^x$_%8xhP-I+p#&R8>#Xp#qmXxzO%Dk zW2kFoC~+tKF9>AceHk<+mrT&E4pXjLvSm(Wc20-bqWp$BYZe68GAe3eDZ& z;%Z)RfC$=liWO-wj|lN~$OBpoJmrX6*?`#auiSAy&ZOF(ldnS}hi5_<&&IC63#e}Z zH%?|>L<9N)$MFea3u|lo+cdpzRu00(zS7_-bV6`FRp z0yQ{1`HJ8MK6B`mI4z$^+{k9%bB!0I44wDVvJtCjvWQM8?4UaL>zbI!NfEri+H+)7 zm^h#{2$ZU9+}*wYHk}fL?b5bC!m2>^49ucqH34DslgJdWiFLYHy4hly7TCN(sl(j? z|Ex@F1R$7bT3PW5x;kn57jo!aP|`CYr2U+g@F|Exwt#@Yt~$E}FxW;Pw*88Xevl%5 z;+(37H4wyOKE>nFr$~N247*j(Y5my^N;qI-bHns&TVAPkAihLu_wc#4y;Q`6y{kuc;$FI+O!HmJ!ijYdl zAnap+{6bHU%=X;6$o2qs1K`)b3ji7-Kp&m}O=C#f_a@Kvq^#ZKvsy=@iEp)CM5h7@ z`%Fv4-|1o zS8G<3zR*U#Hp?Y(v`&E(;_O0$uqmZg(S9G1lJOH=aQ%>ZobIx%yl65NSZ^MtPBFXR9>c;*P*(b=Uc6Z%9S@KEuVzSjlRbQQydI9=vJt-9v~3cJ=A!O+xpj^ih}6+24SM zP71R|QczUj4y2#ozdtjoT3z^nQ-69lue>h&QP{viV3z+;^VF|lt!x5OfTm^+T@eR# zR+sVjRqX;L)Q!rmM#t92Mg1?1_g%YDdq^1>;0Sqmw6U5t05s{#9mcU z_&u@Hbljmrbo;$V&hy;7&Kr~9>0iGmoG%cvxSk3ahO=3GCZt6RFw`>$RhuEEMZmerKOlxJfQ1>D0QNG0};qzDq8h;U; zb~LsF2Y`9g;DzmkpAE6LCgtXh@5YmDfPxQuurk|7+X*|sERH_;P}`B0$d^`S(}VQ+ zE*cwT5ccx@qBJh>eUEzD>S0rc#P&mtE{pX{pR40{xD%lJ-1XGzU#nkvA51RmFK8$> zIM__$kFN0ZXr0dvnI&#->G-%cf8FGKc6G@D8KxQOh;dBU$mLJnE!QxtTKw_J!1)}W zb9USc!Zu|oHCr6&Vh=3}G{=D4+e%IcA5`&15!Dd57rG=63W3Mdi(5HBM}V=m{{V{G zW0O==k$?m)Fl5)*TH9t}GR6NIHTXuh(Iji4Co8R{nddQWj&#H2hoUQa*=SL|=wPBU z7Z=fY+B)m=YW$3O{IzfE3iJ&Pt1O+pgp)pKJmlcX@`VJgnFgb53JTyG`(HZhb0g!} z@gmnq3u;1XBJmZE2>W{3Ta&&ym)XDC`w{LVDr)$>)Q-&hb_~)Z=CMn}h39~0uslnC z^oJzq=-J8n;K}p03Z^=r^A1{kH|09v11+F!`J&Oh^qH1V;tf9nbM>@r? zs3TCP3jiHs&1h9Z(4D0KQuyI?QNI>WHITeA^?Rp_DXtAYbS^UEi?r`c2%& zAGpTv+Khq%3fP5o>`zg(A3K=F*@%1BTDEu%mMbJ5N=n@940>MF^pW;yXnq*?)=h%H zBp0R}7ZLK5+NZ7}lB0WtFfk2_^mvTHt&iBhN;?Sp>S_0*Bo22#bZ+rtF+J$=S~~#KGetd&`^h2X z(QIlOG-1mqVfz>_6!Lb*^_(fIw4vs!r=AA4XRF!Y3b7ln%xYs9LNDpm)IV7v0#`EV zKpd1r{}BNf0BZ$?9E=uch}+A!0o}6}n@`%zU@w0p77mo0i3rpM^Fz+pF(5K#Zc z*DjNDzjovF%@6p@gck&Oju~CEuBMx(tC2fZpDLW;8(g8dDagTwB#ZlQ0->Ji_=KSd zJ*np+AbAmblCyYqvG4M2uG_dc_lNRk?yx;*a213Lh)l_RJB4@v#6`w!-r|v#2YsOH zm`7oR_zAw{u#4kGn%us$0mB-Le!)*i$4#h7P$Km`GHn^GgX{Sa=&wML5prVr-M6__ z&23L*>sosMj1V|SjRg45*GI5?r$vpn#(%XsfXGLtstrpn+a}S`a{@%K+gtgN} zrpudHA)IY#p6+7pVn-IS?P|K`h&X-2P>B6?suz3qFw_2g7lgK*Dr@y(egF9C=H@4SO152RYY^`%HU`33Fyq5?84C zApg+*=g5!>Jk|`}Q2(vMX=0hB8HRD^mE$uU;=oW$sVg<0U4nhLD!;^+r}^e7V!b7H zf&Fj&9*{roPB(BsA+dh4SI_sPs}ehJ)CdZdRJd8JrdE*N*MA^7^1f#Pk6xD+#$>Ua z2Ko*hEsBH`R%7xB<30A~!C`+(+jbbL^2@#D8m+x0BqTDh*gpEmp8@v0jaBH2Ye4P@ z=u82*%oC%kilse5mi+qq*z!S*H*ZX=nRpshe1=38E|zFadFePpo?-X3%w31cNlmplc#p)q$80W+z-*XW>FUY)bCgTS`g8GX4tpaV`w$b!7Z+BD zGMF@ul={-1>)G(+%{BcrBe03ht6=9@vpiXuj#WT)`l3SKKHlv5R*c!JE`BMemnY6q z=g}pkD(yUFY7u%=VZ19tFWdX7nboH&WIh)#H5yG)e7Fpz0A{7e1La)+cNljG|FdPg zv3m<|7q<9I>_W@_^@W9&6z`GU$kBu|AP_7;m@X7;$iM=co{>J~=@E3{=jP|;zS&tM zKh0ll%9|;1liRrdT?Luu^M*?Yib#**B3*r5r9iFQs19F=u+T9tua{~g4`bw=?cZX0 zX;Ujr)lKZ*erCGH$x#%GTF9M=o^)twNh~|)zb&(*&-T0;#Ty?V9~~VfR+1TQt@M0? z2S^OVu`EyGB$2PAa=UXcp%A|(+S0*(8ooDPYH3*^3l8!0-O6_0v)5QWK`%yZ z85{Qx6rU)}MaE`b>ff{&leZ2)F1KC`xVc3UJK(7>KPWM-t>_pL_Kg70X*|YBw|}(& zc;~0L?0YJl-DiHhmQ0!05$R^qGZ%>({Ps)4bBhv>JVvehN#2M_9*>1zVQ&jr!leyN z=ZV!3liZ6J5+BYUa#nt1mJJv?PY))1rEB^t$}&M1JY84Vw^LnvvJpC$5)^tJ8T-1S zC;8**ij0SACVQHhH+iIGwOz>7&L{vvn1$S&F*eQ)T=DR@))L32H|+r6@qg{Q zx{;bxd0|l#xhx%y(n&V{b=dV-HcT6IE&kIz?Wvu$P)H94FzSY>tNQ(~kp%1)s57+n zW8)M=KIo~OV<2zgcC&Zn4GoZF^iD2Lc~0t4*$xUR8;aRa4^Fdbd3jhs*}zTO7i5sZ znGrL{$)>9A#E_x)dn=m>)_A=9Tf5nE76sVsvY=T^|FbUJme+{76c*S8os7w)^4z(K zy-d%wS8jB_pRuYVK{-Dz9evlW;=-km&O`Fs6zg3i?rh0qN7V8bLr_R|qmw4od52}3 zKumxOI`MbGXYM0p0u+>TTUVhtD>G%b1~7bdrhmY#tt-aZ3!mOlrT}qO1)Gq*uFS7Z z+DN6nA%i2I0x*L3Z9owWlm`oaDR}A%QdeJV�?=X|)D?>tev{3_dwITu7HaGy*x7 zet6W;dFrsgwKROm{D_j&bAz)_PuH|=9>}Zz^Mb3h&Y`DJjPBw#bf$r+1}rHe!Zkai zqpGdlBZT${`3h7mb&mFI+gZ4bdZQ;|>x*KU?J2iMoE;I_4Ta3s->~0krh@M6NXLII z3n>#6n9#hY!l{Qo`d-KL=?zm(8TWRSn3uJ-Ee6Kc;Buo{< z7QsR5MNzEVXp!UDy7Oz~5RQzY@nrf%p(v1OH$6KGR<>P}0xFGt%Ca&Nv@Fee5l9B0 zDEOiDtfy*!7SL$G+xaXpCFAEh9TeUt1oSZdM;B#hp}b%@vkr6;cn~DGUj_Xzwb)yZ z_7b<#U%O6X%Yx6(uY+&Ie5`e-UQv%|DFBzZ{S{Eo;iUWs|{74#hN$qrsr4xXq^*w+$ElFdQyFy*T2 zsgTG9ub%}SDKafRdi5ThB3m@gu{YXj6RRL;G0e}rix2_3GN;uC$@XNRMi-7Xebn5Ga zT&u&eb$ypPjR4@d#F)7`fSotzDeNsCuy3+EfU*)9FLH7h_cv$K7HnpNSQ4_6yZ>T# zN#qX(0O=n7OHI}7?=OJbtvy1lq9#g&o#lDz@rXp>)XqQhwQwx^gUgX1gEE$R3JYXz)Yiq1?d#wC(1l$Z#j?W3XX}RAh{QAUdS;ETG#lJ!z#r9D% zv(C9fBS?+3t~?hOv9Y<%HfNrmHn72CVr`Xy$xKR0Ify-KYwJdF(S}~!)0R2o@2fvIP(kV2TSr0`1345dPcfZQ?!vzv3Rq<9qBU#<=nK?0L^N@akhZZ(3R38f;#f zpOW>-6P{(~yn+^sZ*CQFK_-gr;yKVS5vtl?%^N>|9RhI9`-_iLqcht(6D>5OS(hG0 zdlz#2vs#?Ohi9<5I(>(z7P2e)0TfRYNAVt#Rp!b+i>iQpr=2A24p`H`oWcd^X z8$|hfb)k&}+(y#?HaxCE7(p-gC4J_Y4*1Vk6OV_tPQNx!S#A4q>?i7DCM8*b0*$}5 zEC9ssi-2ZiymQP1qAfwdSv~zVwBE}C8d|D(C%4wlAJyiT0JJa(0MZ!a=0F}r!nDJ# zvZ}2#isFAbZw1gO7F5asL$9%L`n?2ev({{56ELL;eVyHxFEJEa?Il&rl3_g!Mxdb& z)>m=Jz6(&KrS~z65o_Ft8TPG>;}^%M!LB1s|Jygj`FjYGz)bFGi`hhD-UuM(YZv?D zBX6pN!T$fW4XF)rb&y1-q;Ilg*~fOuU<9Qdp~EfjN}#ymaXJD^isLe<8L)rSsC)}T zXK1BxNE0B}6w!ADjg>{QYvKRJ*nwJwZj>lLy^zznYsx+zyJmX0rC+~`YvV^vC9awn ze%_nhq@?huLfe@J&1rJ@+*r6}R=O)iZt``v zt*j8W-?iW@pq}EyX((fR8z}TzL5t{pUNrmWd=iNN>(^E&55ohRMm(T7OmD@&J#gXJ z^cI_o@%(~!d71N;hzdXb+TXq-qloTX_R!u(NfdbnO_W{y{u@1_=|ITeE;i83s!W6E zWvXV8g<(sX`_RJ5==}S*k%f>CeLCjgn=pGjqjvRFn}PPFND>P@4N=yU1CV=swK)GQFSc_+BM>_H6rhgsn+tC(Hf>-E`syQA!ptfv zDmZhZQ&VY`^z?)n`##=JxPwPV7P}zh_>p|xS=a`O%se0IJ|#fl0mso5quWJ4&T{%s zH)MGaH|S$vBpW|}F*p$7;Gl73bRE=&a&#Qk3iCvvop$-C{$8VL3B)(a=Un|tMpQ>S zOD>rr?9)0v;>yz_K(mhsxJhuv53q|~eH765iF590xX(17ykS9(>)g}Y=5)1_COe%; zOdA~AjG{ij)_9>HBkqMZ?jy`_8fB>z=m((xs%=eK%VuW zcJl3e&s~rd!ExD?_hqo@6gsp7<`+sPYxR33eJTQPp<0#h=beJn%NVd~D51_O_)L3_ z=ysUc)n`uNbMS3d1sce#sX0V18+f;fnI5qYIZg$?Hfv_aJLr7owxm3Pf&_uj{lJhm zoQ{p1{YtrB$0x<&UTme?X63y9D(cKKlYLm@&owy_F5f29oEPc4r=aCa8|nkE|1}aH zi7IUf=b*g1#zDSxeZ38_JZ-z!0?ks$Ui>t8sjZC)rT+Wo(04(4_xtbmpJ;FMay%00 zS5b|8c?!?jVr^t4;rK0E|2Q*CaQsqQ2NWMaaq%n%=XC2KPA>gh$1tcrO%^ga`SB{F zBb1KF@7M8rzm}OdYMOs^$(Q;+260qri|uvmOUeRDMBQ|x{q-O8NXyU{SR^wQ2?%`s z=EKej2J0Ky(y?0x&+kVLge9C^QT&qM&D7QQL&KM)b5>lcWT-;$Po8mh0%P-X4%$;mH1P>mMwU@l$eyePo&3hr#te;kk-}DRD&5JZ68x=DDq3+>`^YP_7(0V zeO*oUo|vw3`G;U9B!lc(@O+VDr;k~3+F9Sh@{?I<6&QBC@Y`H9RdiZK_qT*DtA$!7 z!U4lb2)^W(^5=WgJ`82mK0%s;^s^O+((hlL0NGAd3=~JMEUb*EID}S>Kni0Pl5}5?^bQ#2YZG@y&zc?4??b@iApqJ)4J>GBO zb&-_0DjvG_eqB+e07!z4AI9(pUeXzVo%7=kA4d zL8SzEjM(3IJ8OE>G(LVZH0FJbl>Qz$VZv~_yOj+LIghZ8yBsN{pswWT!xR?MW0Aiw zOrwirZ4H6GW7iFPcc6=Q`$4c1Mw{Y3+`IL+S4YV={Kqn6=wG5J=#w(eC!Al2L(?tbAPv9fA(IA6;DMJH1IV_ZC)3)r+?@<=BMNpeZg==x z#5A30!eca)r|WFh2ZO*1?Q_jRqQ0mS6>GgKmhJWfDDG>01sOo|It=cwUG?sXQnQ3! z5o<|c)6)-_@CI{Wlz9Ahu=B+y9Vf^v0NOTw`fH?1yXu@_g#vrqpQQA_dys$g@G5N~)v}9U!QG57js^?R ztL|oWQy_@6ppYck!IW<)yaGkNlv_v+Zg<{WrTOWpCv@4M(I5;L>xap*V2A_h-Z|4 z#$G+u^6)4HWv-{{A@Keuo`^oU7vM6I_R^A)Vm}=Tj_-ZzQpbfn+i0Kh+FTtgtL%z} zU4^vPOFZdgplAuTHn1^qHetwx9M*?lrky^!jrUww)Oxt>RszaL(r-Bf(mwZJL);a8 z%-9rsG(%^#cbNGbo$zPL0ra%CtmTdMTJ^!E4bZ^j^>;4J0FKE=@^HBiSag9v{qu7= zP{2(|KUAEH8`!x^vvDCp9Toy!qZ7NK0;9f;4w&*e?5^co z8uDB0n*@KyxhwtW8mB8P{-Ed=J2byf3OWDP^(r%i0?*&NAK^c=6Pk8Uqwml<{^PC@ zK)AZ_DT!Kle)Pw+;-W4B&m^@~%+DgJ*c6{sEjD9H3O4;le{SBui=>UfEtM5DGq+|U zS0~HnMzO4);(iGw*pI_Cp1rk(UEm!Jkh}W9PO_KNLwkURbeha+JD+fEhgxfX=D>=} zF0c?7C8s?C>g<<+DQ2w)Q!2T)@l3Jx$A79=LuZu&jAf;KaXG}WI4SPAuLr5nD;DNf zoR)^H)0@HX^^(Yg(?JRgW5YQXA`Fw?i6!1!(S-mC;rdZdTDPGqJOIJ}QrGl!gW@*6 z#Rj3*!63~1g`pv^x0fe~N1*>PPf_t@POnREtRvqP1s`?J(gW4K0EF)F2)di-P1lYK zhrEXx^n|YjTmhFzufox{NLw(-siXD(6K|0v3h*#Jou9P`{;X0?kvRMQwVMLx z{)WQp2S?5`h55@e;+JAO5u^>v$}xHPckbTNJInZZ2ah!5@pFmS3Is3aDZV7l{P~(l z^ko}R{*(Fgm8|60A)$jLXLFrZl%KgrL7d=RF5Yl@1~pZgPZ?+0VXK{xceBTqrHw@7 zd`+dv10us9gl`SKq~K63|IKCHMwl&4^43b>)hnwR2D*Bl)wwalPKT_90t%!jHxLp_ zJC=T6ry5L&0qX)dEDcL3Q(>B$X|^nJrC;VeLp^*9YC$S&UmtcF+YERD$rSHnd08vx25(mWwh40wmVq= zjm=gJF1P!F$0gkP)L?Kc@*Oc=g~8C5watf2Kka~j+wayy>i>qH39Yb^5q`HweS3F)({Hd9c~mu+RI_Uuh&Iz5?X*(Mbsb(=wOw$XopO}xcdX=Y>3#tUXEj6E-aHWjt^g)y z^|lVxbuLJ$tQ!>_>oZR(4^VTZ^mUx-CyBn`r0`$`LA1zntsCpZ03@@uV*L=&30q2@U%QjXN>2hVgpvFO)F#HL=F{{m_ zJnuo@&wBlB_tP$`@7T&j%HD1uuhs{`I7C(UV z=())0v40QX{M@fj1c0P#DfmtP3h?K+xAEJR+qt8^1^rlf(&RGIqI-w`HdS|McUCTk z&5N2aDLQ#lQ1?zw)v$Q3Sn)P z&G470;-j-{S2^~dn(R|8V5r=mDdRAWf=`EPc{9&_gbK^q}6>LDnQNQVc*EJb;IC*!CBgiH%QWjf=$pi#G~vpUUJ`GNl0Hx!-BAW=h_h2`!Y z;-|QHJzh$V62k@+y>a}gyEs=i8K2bTDY5H^hl&$AFdyZ!{t@(x+zdLyqy+2N7vudQPw29}*v= zJ|Q&RjT<`K8Vg8hbGaE;_T_uOqo#h+-7lJ&`m_Xlkc;qwf`YBX^Lv3l>DYZUk)z9j zvqfQ~VF27$O+6xf;A_gyLc&L6T%?aVeyf=P@ebenHY%}bGs@_0(3M_1y|#j6uzmlb9%17K#LVCD-W9p&ig=shaQ zWNxdMR_GBvmz~1RO1p_K0Qy2eKmrsFT@Pte0)T_%c%Fs^qo!Du)#|CPGZxiS?I6Bb zdTyg$2@hnyoDF8E?d_NQSfS@vGp+zS*#$T+3R1{kyj=2O0Fj5 zqQb(&{94YWOs*?}&onA;Rf}EH5|DiQ6tlWz8nhInK%iwTRkkiFJ{FRusb)?a=!4Wc z;4}Jav=j}!Yq)(FON4iWR@6+OtmRnpaw$-kMemC(Am$vj*v)(8L3i!H0lUHlG?5g0 zMuM1q<(`XhY-9R?SJU~a!SUFOM|M@!HfB-gd&2+{p6&_~IO*-u)403fVt)57rv^@s zV?=E1cicx|J;uDluWgm}=Njc_yq;M#oCu#?s6eyr<_SKP5r*u=Z6T9c(tC9&qMO|?k#$e{CHtkncc{= z=#Kq*dETPQ9Ea`3gx*ZrIswJLT0*yN1VGnO}NS+-vu_5#E?> zZ^aY!T1#rHODJ-=VfU5TH?`inN_R!75B}*R3wMaVE=AaT`S?L0bi(zelG+pR*G}j| zvVPcBxVh{gBRX(-Rxf!E#>I7iwc!8MYj0nAO)aqdYg@o(^vu7f<#J{g&=;b9|MREK zIc#`WRr?$hVEQ}!XkNLV>iRAWRM~7iVZ7=n(5F2cIW7AI_Hw^r55y)UgqcY#B{DJ$ zumt+;I(Fck$nsOx)YTaP1 zY2~aF$T>ng6GJP?)A>n3Nyk0;q4HyP=0>7l!+$20g&SqDdyaN*aN%HJ=1+6SnsZC> z9oo;ODNhG>Qu@%m*-RWrgT zX%oQ}*!~e96zI=6TbG?v0P-Us1GKs2yLu_#xL+L4)K-^~>9)BLB+=8`o@kgD>@VFq z<`|X<90{CH=Fc)kNH;jnMjAKRXlKyfwdnED*C6`(^?@+gHR;S|>_vpOddLb6HPObV zp`tl`Q60=+Y-8x`Y|J=8(EjdSE*;-DWP*2q(QJ}iw{CqDLIU2fsB~hgwV4UGUrzax zdIWbvjhXyIfUjcpfmZk)zt$-usC^GDN~C_bs!E8-XLf4bA7D}f=*!->je2uuQOQiD z4`&4&sq&URK8CY^@$E7J=%Md!t?-}ng2&sBBR}~|zA}Tul@j8Ej*s`b0@ttF-Z|;W z4-FMeD+l2i=T_XlJgj9+ZFK@o=~UxtXwdZz&$zd7Bj1z49F?21$?(rziP(sqJQB{! zt0OBzWa-K(Z;G?l&2L}Kra}$X#E&G-jvDNpMf>0X5C$_24RKy)U7ekmt!Re7jzq9q zS5uMMj@dU!Q)MP}{I4sYk0uQ^wuAGVdPBoQAn&S@8-wQ~97G9~SIuL#j2@@k=_|Rh z)hx5Vsvt|JhM#WwZm+NhC~?Cb?|mYuWpn*%MzaDg=n|Epy8`g=G9js<&6QWk&e=V| z)ki6g5)O9l-%qu?f7c>x&vEis)l4p*Z8R*lxY1xQ55&2jm6IT~FAR(>*by{Kojq6N z@|lwj_PE|Z+0*=Ip^%4%NAz+F-TY}kwKZeDZe%x^(vTI?hHsX6Jl<}VGcuQFtlOOm zz1;agQu=szv=aOllSYsb=(Do}xoE3SPD)m8v|_EQdcote1gg--xz2r1pTkz$t4e-? zEN)Z~R^srQt{Ah-+=O01jAGWfBH8}rHE-gK>^VjmM;Wr^uUjWQLL&a84V!ISIomz+ z*rfevzWpS}&NHg(R^jRz!#XYDvTVr%E@wb{P{IQ{c+9v8tvY|>@wG^M-^~Dz6Vw24 z0uzA7xJd|?%Us;7%B&K%3dr2BYuT62$UiheaVp8BAx7fofBO9XXm78;i!sK{ZB%KO z0~LFo@g-sum_OTPPTGZB3cusC|HTF9*+RfjsGVgdS^e81o5dwHc=1C5`Sps~nzwEd zANP}a4me{(?e7)+B2#hs zS&0)H8+$n(0~Hb3jjsg0+ppJ-p}#6du>ua4cq#64lgQ}Vt5U-+E%2K2CY3G~5%KYh@k6d@)CQL+LOam8=oJ2{0 z)AONrNAiC7yJ}7D|8by$qkqwWGPJ@KI^09wmI=HUkN*9!Uv`BSh;DPkr9Pw zV!B-0I@_=2gA&cfyQ7jEzg52h;9PbxaawUPY%@=`cJ1+VCqp@6yjJAF75$(0HdY{; zKM{Q{XPvVLXEM-bOek?hGoJ`SotG+3nUDp+bMecS1WcQdr_i1m`U&=6Tkh=Jzzf>4 zpMbs0xm@zOSfdz3>W_z{jAtfh?n=sQivkg2DE_mR!l^WqS0oUS_2v?OrK|mojQzUc z2k@SECNY;PuN?&xI=?>}bty$OCLHip6g zz-;7;mZg*w!w;)`Uf2)oFeAI-2g|}YXX!?~NaO{*V(kb;1bJ@GzYf@Upcj`Ki*{Qm z(`q1VlkHa~obsM3b975qc#D2xgVsk=Wk?*q-v0DWiIK}O3LJ#=K%HsK4-GHQlfy-| zdvGE)imeMyQJDT4+`Va_H5CkDdLn)UhvlV-;pPk&Wp`nhjE`yRaY zvy(fd9H#*9kN-Eq<_Nb^UX@o_K769SpBJL%l!+<@pLo@ac&--LG3yXkpYC_1#;`|S78 z24-@7kRE$401bpyLAgl=W;crPSSZAwt2+Bf(=Q?M@>LQJmn+60=&lUdsq-MO2NHog zCVZHX1F=FpKK&d-=J=R9A_MaM7s_YqkIubM?CoU^?^#&jPdZAp?vOG43@nNzY7a1^ ztstQ>^|^lohq%!d-)86TRH^(oQ}Y1JW*}{kjE)ZvDPd6Wa7ds_^fv9VBJJ=Y9;>0? zmN&wG5vlruRvNu2j?F5l00l9>!1tRn{dt{S01q)4Tr{=5q9GML`AbEq6MH|fw3g@( z-EYC)TLLqa!q3J!BUXlkC~s9Af^zN(O{+Fjq2xK=5hu|8u|_(Nv!h!|)EjS+iyzV+ z9v<0tpxB2kYaB0@^)k$prOH2<7QSkUQY?^*jyr2Z$qrfFps- zC7XwpQ&t{VTKaCu91E=}U8|iufS@#N^vk*BzWUp=D0iEm4g6X<^i*#yyf;zX9FcZc z>b2D(Gv!SDPKmXIhWZtjW}=4U^nO|}LM0R=Lblg3RP(C+~Jvy;zikLHkLikqv` zn`u2$m4>wK2*dX+OHM$x&y{}Du^Xr&{eVlZ^hL|xFkFnmP?{9Es{-KvTm*g0+YFQx z!ow5Fvr+5m-e;H86sbf-uy=87?>{X{uArlc5g)*6t&6efsKn945^qG4C9oq$2Uk#S z9d;uan%==bUposlnhM!6Qz`;%{wU<*qPA3F^or)iWUfNCPcF_kZys^GR)FXI9{wBo*0`GRolguX23bTjeWPR&Bp(z=uagLJXX9<{~j*{{Km1;Wa zc3)$4Z^Mq4FDM3Wvae{yYC1FZ$4IVd@(gjyaA>_v@${(UZqPM?dd&XDPAEsj9t(5e zVlJpN%-k7YS(Lu*byE5mF*}=It5`6v5niVxEc9dS%%Ta z*0AT~q)>@G$#x-8V7Vcit{uS&01iYTfs2r6oADYy_j8Nj;4NaQOIiL)Zz3(o79lJ z*py_1xj=kWj0%|>S($TGSiQW$r%u;0L{sE+)52RB2rJs#`|Pb9MCqIAA=DY(xlYqz7 zDG?!FsTr!E$Nc>JoSFIZ^5sj1&EuvaCx%bfNI6%R#Lj3?6huv6(*~*DwZ}kH=lD)ZG_J3&7;0q?V(#u z_r<#25Po(zS7%{C+a10zXiXJ|N27$J#mA;!6>^2Hw>;DAKQE3EUUDVjve+!}&)ECH z&g+E3Ra+1hw6B8z8ZDIYPdRDK&)D#ve3ui&RS%0L%sj21@T@A!gbYC3L@bGx-Q!9i zdlC82`S%rVZ4ieEM1iN$1Z$Squ%i#x5Zkr{#a9K&!5v9;OHP}aq~*Xb-f@rG>u|cf zDT!`uCvxMOaz89M&27Z_8^)KCD&*jJ4ouimB-ih@mjyoBDVzglJhWo&Zgv5{#R<`@ zt&(;#ajh^yzxnx%yzf7%Si&&5T&;d&LZI4O;R>?}vpMWVv&~T`zXN(oQ7ko_@alwn zV=ytONn1EFKK`d)zCy>kZW~^ZqOe7Ii9NK{t2=$~g2U5e{V0^|D&AD@_#TvWXEa zC||_IB>>olz8ue+Df|eItxt7;Wa9Q5W;2M}NC_Y4!8_U_7abShs8`tBgov#&FgPDC zgF3HTFQGKpp8-GP4d%O_w&N3gKJM{9Fth>MqxUI-vC$`8iXuVIix)(TO&$bc0uJv7 zXB4rkZ(FdFAGDkf8WTLnYZA;d-wMxL|W( zJXh6k)!S@&KMefpU4CObUQ-CbGbdNoz)%*~QfR$NM_t#IzsG7h(jRB3*OYLzzg%}} zuTn~?MlmAHuIXpWuw-NKt~9%N{ez^RQIR!OWaE|C%h+L|Z4}#BPS0?E<#)K;##0T9 z(K(mb$rBAQW6MwBMYeO^uGu`9A!)cAtR;%tLQL@Hf-C1`4qq0IwNxoX z{8m;g=HbC(PU3(ZdPiX?OvSQ$sra3bGHvX&7AOc=(>8fT8B$j!d>92IF96TsA^T9h zfR*{Y@d9HqS+c~;FdOh*L?(4^tIH$NUT(cS zS5sxgRLk!3ZMqM9Tf%F|dxr-*p}@#Oihaj#m$i|$)ds`x?N2UN=ZDk{JIRZZU<}h8 zYU-7#?C@VJxdZzfn#d&#xmYK!qR5ZFXm-?@kY!zHU7f1P<^E!2Y2Llnp3ts#A8Pdm z8=eiWGm^!Ym06dg(5w5RqM~+#R~Ns__s>+I_bG@B`eXe5H00wPZGe3n?Zsb9f1xl* zb(KD~(h+`TJsn8z1!lLHmDZ5uc}fstIMhTsrBqAje0hL#xieGDV>Rd*iMiSbj-%J| z?K^9mz={mAH}hrM*Fx55E+_ae`D&K{^$k2w$rtVKx(l}C7PH;I4h)sF)UPEF4f?8L z8xG=~m(pghn1MnW2gJ!~Ni^-GwOI!RgbiE0Fv1KlU}l;rknCPCA7XOVMhL1~ ztCtCNJ23#ySC~cNsYY}DKvJgQ(G`{wje4Bo$+E6gFAtFOCE5fa!pI_fu&XC;08P;( zNBW9VH{t&G7jGBLEzCN71LT%&2%Kf~MedSgFd8ivSPP&aqu9bMiIh zvDgepMCxU&rW$&%CU3bb_?o-z4rvt3HWHt^x&pEAIt;s!YU6U|4j}y};3$D(Ec&M-8(tSc~lQ|tm_?cOz{yK)mqa5Ylj-AGqK>olK z|K;(eq;y$2yaPHga(_O>1aZzfXFw|PNry_meY3*fKM(tK`J#X5z06e<3oz-7Iw_<8 zmpxKU^GAX=XB#fkE^Ove{7a!~y3#s2R-+iko(^L*tpGGy^lT=Cc)wV8?)FW|dGxIC z{?Z~-_qv)Vy}ek%_nMluE7$kNsk^m&F8f$_+e_Oq98fW=q(e48Ej0A=XBX!UcY)<% zU^gfh)A`fovd~27)2CpXG_SjUgaL2lts$saz|z3x25ew5k7NHG5{9X2L-9qh7n!fl zK3p?i8}Gh|!D)H8NPq^jXGr+Q^I*Jvr@fg_eByW(R#wKgi{FZo(NudajTXP3&SBzZ zco1FTz?wSU0MjHFWOgG!?J-HYq}H-IDU5VPo{izE1L7!RNf)L$ep)Q0mX>E@nD9

        OvD2?ObI~bFA(?Ks+J1aFgz^x`nX(cZTyw++ND2b_*o3Y4<)wYo(=G za~nrmNoJQrn6=k*Sx*am&js8l_CK`+@C5EN%FEY3Yqtxb7o+GRjLXcbp?HWd*gNz= zCh2#XC8KQhv$d~z**W(KsdEEp#VQ7y>zvKO_a0YSu63C12?_UzC-W z{F*GC<#y4-w>m!$oQMc_XbZvp!&Jv>UU>kpfGVOpp4FDIgMDz@Pk*HMzW9lP z_|rM<3cLBh-V>nl++YLH>}F;FI&XIvQ$QPbS@rUup1nUD1Eil4-L{(mYD@d4jf5tZe)rOZmf(5wnO00}9Gj@q${9~2@PA0QbOT2&LO~#l z;xg0v=O6|_P6oRR7o8nU8n5;1!3$7@%l3Ov`|r(k%4@n!TNI0yldX%zJ|I0STrwSr z%O0jUm0HGedS3k&Xr{*NxTs!#YeM-nZ&tEY-v~>?^`zP-=^T`lyY3#*O76m5BlQeO^=so)) z$A~BZlP)H8iZ^|B9{gEYUbn6BD+&_x+;Mk;aHhN*1}K`o)6%WiBsmM?(}tn02qXWl z|F8ds82RE50}g4fBxFI1ngzc4Y@m~Q?~+kLX!lvmaeuJ@wqaWUQ=@Wwui56{HmE&E zmTI*->`UBtKeB|7&&8^S%UQn@UOsVEtNApUSaEgMfC3iYQ8RlA(7WHGXPx~zbj#V{ zVyP><0+>=tz%05t-v#L%tUMH0JytnbmZ`QK;Ifu?gQOlzy&>0Y_r`)cwas6Bw(I~* zrC@O^I4|!}Nf}8H?wic5Hg@tI-7st}rXtr(xa{J*G~tCSOLsV9!1vYej0$e?uNXhF zDQ0^y4R19aFJig4(srL{cD=bRN}zux#g+q0<3n_!PU(4`?JeHs9Q(Bu*%ckQ9Y{*Y zP;a^8$y#YN{T|>`JE*%K7c2vmfDoW0W-SOPo4Qw`YsY4HuHzY@UEJ>@bfQJbPnepz*=M zC$d7kxxx^fO1h`h{2JJIig>Z$H^CbzY*%daTMUbkD3wu%AfajU)Dr6=^r&kYFAC$z z#W;$14D^)g>fW_0)-{)L7@BK?0#B=#A0=5Y;)_zY+kfs=i1M|w3rmVMm(-51CN)K} z^RwoB{Ej1~c^^I*jQ)z=yy_2nD`|dMvDQVQ#$35e{03gTjwzWHepFQM=i;_e*(OGD z^_tIP)&bn;S;%~(|Me{Fe-B7-aFfB-p9c-+-RUcV$yOcm^_MqP@|j|6+G@=?a6r_u z-F0O5UUIkS8XGsGK5DQF^YU70y17{p4glR4pbo(SU7c;VMWx9A32%90AziU*snuzU z@aW84tGOyicT()}W>BS-;pZS=DAI@C>rxxgryx!M(4mENQ5qyPjkt@OTYv7`bzA%K z6S8nF(Um`i-z+V=ymZ{@W9eUI+I2k=Ai>j;|uV!OQiemH%lj5 zhkI~J1M=+{cGl)2!IfcpMGX)OYI|vC01Bbx<2#)^K-*N}eoLI?>=Z_*&mRQ>kNLdr>1H6Pl+rSYw@`V^4Y+A$>}6f^PUW;ac>oE6%mcqb(lNu@T*hb8C^+h%V0~UylMp@uULSLYu)GisF({OyC4fkT&e-Ou75JH z8vMRL$4?JUykYo?osK$Z!*Nf_qAYpc9=pWaffR*cvbUA+cZ{k_g;!lWgk(jeZy1}A zl^0tD?gH$Z^I_&U*B%UjBaKYmQO3z$la&nVC1Nv$))^Rd z)Cc3kf8NyfEMjQS)q)$Lb=%SNvSutn2(8ddtMuiCx+3}SUB<~RyIr>#n)xSXA5jox zl#~GTVxLzV^O3n@-hespG;*}x}9fPO^ov4EJ51D0s&erFd=TkU^{gu z1mDY?9$T{p>5kkO?`Li3Ie9P2XJaF*3CTXTm%=czCFMDTq8^q*+Anwe{%E= zH|&1`rhZrV(`TBE_o~H`g8Cil_fJi*p(Q2H82EOVayI!LzPXTCSLrPYl^@M5*!`-p z0U=jik8Hd9dJKo>pdgS8Ba^7fK$X(RkN&%SwE!E7p4ay-=$d-nTL)~wW2Au)2T1M% z5W>&dNjd;Th%?RviqvaT;59c5*bH*J#0cQHC+G;4Go^(|2S&v zwL<2?ZVuoPLMv~-kh_V?#q-bK82NaTD;BDNK_h`smw_uI4muIcMsZDk>y`+>+)hvm+csT<=eY505S`p=yTLmE9fcfaU?ZKp%TUYGR6V)~xf+;xK- zz`|@1^04KQh~F zb$}Y>&DE$Ut)R!Z9al2a@Mi5wH_N$uRhDOew%*N^3_5_?;e3eIlf@ci&G(ygBVZ;z z16ojq70e2tfrXs|YL1f1$~boR_8)}^uR*KbvGe@2A|y23HL*4Utz$1J*XdjsmOeo< zX}RE{A(I-SApX8ytZSCtf9pHqP8Nix3I9P$`Yc7V|2VIoWv!|f_*YmN>4THZ<8yT1 z%)@`b?v%Cp4GpyQR~u@wi_AP8wEc1e6`re)F5#1l-7U_W+FrkYP;)3NDS1~K_S9(R z=TDkKDT5eqff~+f+Pb?#lUZgF2!t&*M2_3w80)gqm){J~tUGG1@%-mn7Sna2Rjp1k zj5;3cUbYu)*pp{kZWFa<=jF(d?a4=1gZC<)-MO>Y;l!YIl$~t5{TXI(GI!2n-V4FJ zUy-RZb9HS5_+jPk0Y5L8&V;e(UKJNqsI%>&U-&9lxCnl>NnU9!qSsUf2h`SpQ3SRr z39!8GfgBhDs7ac~-dl^}u-2e(U=5v1I?u)1I`WflYA&rNhGu7&OdV9Sf@na^$+E;o z4OyLnFjN!`2ka?wH&kB!Y#q7R@o*9SV8P=Q^E?$7IG+^fZNdNvvrrf%+@Ic9Mjs`S zM*npnN3AxzSkiqy?vUsU9|vq-L11k*PbH9yf{q7KP+9%J`YNM7kaOTcl1)sqvHJi% zuZ(tes~1-qtu{Gics!yjvNy9E?t-dVmkJVcOG*U4;e zB&!X;XmD`HNR9fw1{zch8^gN6i`Zq)5PH#D+}^-8UlvhOPOGcyY|rcRLR`Jt3fJ@a zXqFooz5(D<*Q2gfoNy6~r+}US4hUeU0}RG~^RuHxrXJyHG0ETFcAu=K{DF75&&f#& z1g_k!qvoX@l?wAytCrIdt-(t@1*40YJ}M<0)gM60Q@m*1&`( zM*^g0tmJZHcN2nxAJcKM=2k1*))`~fcf2brX%gic1>9<>=7GL@5*Aq5$q2A9sdh03 z%2KMQ3(l7tSXM4G_&!*1Gw-%`+pt&P7shpH4kRQgG$cC~)iUe?Xv!ZZL34qQjn0`C z$yhV(8))}ub`E|?tDIfSx^dgXKWxG5{7P1j$M4-1i?&JjpS&d3nxQ2acMlVq{MaK4 zzJFu6iyA{X-y-yHrui){IM9hmILDbF_epLe|`WcpKh zv;`M>&2fJI#pldx{8$!F>eOlm@=SCs%4X>}j5xJW$k13RYgq~e?Dgs|q?O%k-6+KsuEu(i=HC4sAmMk)l|#P29Z=O9siOXyPKF04=6QS~d5qkj zBk5}Y91m^JrAZBaIG~zU*ocoy7-KjU@!AEQ&NZMAi79n@WUcWPcBLW6!AnIbpX3eT zv4(@5tjfSr#C?V~$LRoI@zY-n+jaQ+2Ah$#mOIhi;lBYzleE%q8j`-lt|UYhB_Ia{oJV$;{KtBWu|X!O_QAJ6!xaLQ~s8 znYhkXaSLVQ5fT;+L$Vdt5|+^z)CYsY@>yCquxX}a^jzVJi{L8gO;{wlD$XkY+l}5E zO3MPnyg;82rHv>mVl59+jX7CKr1;-jycSx=2nb~P`%qI?%-rk+>mX|K^YZS7%7+%v zDp6AT&T0Y>U>*D(02V&r;Hd5bK%m#ClY78KBrAVDMo;g}8&)S6^0ld{Y>>~3k;%!x zQxhmIh{0*!r+43x=JMKUAI28jj)g;h+8Rnbnhoupp^(U~(RB{niFIB;>LKg zc_Uc3xazyWzyOp|n+f@kpFb$RvFpufXtzR}onYCyxzrDT2arqv=}|vPR|BoYL+`J@ z!mMKlW3Zzgf}+MMFJ$Uw)H>a8YPC%g9awopQ7SJq+y;xwxOxQ4I9WTec4cl~3Kp2n zIM1K=zz5?>o-}f#Rz}qti4vN%l-xo#LcZEXIgY{paEgxLD1KeON0d(>FH73rR}>w` z<+|lYR?fzN(OzSyWeg6}kG-EXr>+4_?|$jg1OF2FG6xCv!bll@!=O;+UYnwr05+7i zgO=_>xE6Dl^Zx>IQUEEU;u#gN9|qf5GL{wihj>991b2vO1+B!$dtqm*mriaw-d%( zvy9F;WLgPUgyGwc{&;(r=f!*DuyT~Y;xg0=r|(F&2{IfFv^*aW>+D?3YvR7{88JftLR) z=X(>u9_N;{t73#4`eQy@ZrH*GIc(d09ED-Ttes`JrEa0ACfNVoE3*8s-^Mpt-n(G# z287C3S8d-aIKA?;L9M&z;w}Rh;2>TmP14+)1Mn&Mn`twwjBp?tpWpy(dB6haV(>O^ zuctc@3X2A)ghlf;MFCx8@#k0T!a63Y4nW>qpN+0!4BmiBzR$9#Wv7DbCtUkOo#Cn8S@C6iCQOD+AzI1^+J)%-?jnf8`4+AxwM>&X?L_h7$Y*dP$%I8CJ(xqm)+dQt3nBN+Vc`v!h8 z1lAOgS;I1Z@fuTtYk_WYI8?defNf7Loa6zUC*7PJv!rkgRw`$|${guaEG&nr)dvmY zaQ||gXP1xyPc{|()s{&$=leHE`Y)T%CHsq8M+bU^GsT)rX*st}UbMZP7&fE3S@fLWk=_wJ>(D#wC5E*hAsx)oOlP8|Z*=%YfRCZ$VZ`#@X2?ICIOnC~ zqTiQv$I2EdT_h}+&oh<}42C&x$MoJrclSxZVtw_P(1qp(XaW0Z<&9;XkSde6M}zl% z5F5a@@U!2Yl&N`Zpj-Z*A5uyR9AYZHqWO1kmuek4ex~8NNGCHs@nz;RN z)R&->J?*jnR=+Ik3=?IbJ|1OjpOEPj?Umy$P}cmx2Pvv3q0%Re8<(6nP$7DS$Q$q8 zywrYzLiNI=Qg@>!;)fkR>PCNJAHVpxc(wc@vIXL>8BLxK==?sDbNYu#WI?+^I3SC& z`4YM;ikRK-R`4w;sqtoqg?F3bY-%~e%Y9g(tMS08%gABP^CPv}R=8P-9K;eFD@SVB z$_m?au5wSJN>pwc&`R!)w$YY3=W1kbqDmhp$2mCXg*h5GuY+NUua1p2g-56u_krD? zAJm4bP&)Jr0S%DoI4XXMG-xq%92;fk>FZSKnsnpPQ17_)g{`@zRJU zu@PZDvFSo%QV3?D2{;pMb`z^m(7jQ~&t%5gTDMa!yqOp*MuA&NKC#bOe0l(jC;z@X zs~Ba|1ZjyQbFphfwZh+n&y}_t`~ThZN*xOt_PhYR3;gCtW|nQVxDT+($SBCD*@GV} zKHzq!EouGA;OO0GX<0F9z19Qy0jxm|!3Y;IM_;`lVFldAK>F{A)9~bpp|x=gvMz1Q zoA5qE)sgi2jF9YBXnJfAZKJYI)E|kL-wUim=0J^tETdw7vKOPtgKK1CBvP;x+l16A zx|lgN#6QZs>+7S;oD~>$qcvR|u7YZg76%4{55s^xey9&i3KORjmy(mGxqAQfiNL2S2)AJ%oa#AJbZ_)@iQK}2 zy|aVP#@Tt6u}lBCXEs>U@`{2iNOoW0V}M;IcF*!=b3a`mrPPjx-n=n+@S_)u{>;HG zlZ@-fJlaL%OT@bAI3oWDD8P#>NZ(6&J!Ysl$_QNkJ!LpugUDott>>^ zPBNrdR#ryj?*W>$332S_^q@H-Ssr*}Yn2yKC9faG&@eZwg{!H2`=rF<-x45RgZv<(Z265Ig%a{{;ya>^|EA72sh0ER8!Cd5*` z;8qx^b6&0xnnEB)&xUAmHQ(*4aTTnO!TYE!LAXcJN*U>pajL^s`Hfb(-Els`xw7n3 z8@dt8m&2z=F_K)odGbD465OS&Ot?^6jo)kz2KF_|Z@JMJxLkZe3up1)3`V}lhpNrs1^z`1vl(|H9-%L8hU1J7 zPQm`0uUq5OL+oBEr+HWZfF>Gu7CU=f-LJPIP5bYA5J*&@}oB`2XJGW;dX_#g4e{ZVA@C zt9vg!!otv7-3n$Kh^tDw_nO#+|9yG_tO$DiT+)m#m{A#Ma~R((Uv08V77`~Osq>YD zo=ou1ddVMVtiUhAh_}!n^vD1AuW^nLC&r1)NHwOF{s1oLO-sypqZ5z%M8gLYPJGv| zl$zq<+`{-q$}0&B;8M+cGaRi2hy<9#i7DV8-uO7@sI3`r)>PVaLn~09cA;0J=VBz{1gxVb(&cV? zqrzcR1nG-P(V2Im2(F{CP?;sQ)-3=tNHP1fF{7|m^B>KH;ZqQ;|8fW@7VnH-pMyg5 zHNTRUD-VLV>ydgu!k1Pz>&D{EPV;aVZ6N)piAl-?h1R5ihq+e8iLlAOxECz;7)X6H zAw7f0w>9$mL8yrfaFHju!)vzxyhT|H)z?n42(kuksnE`WSO9$4?n!vM;q8d|5h@%J zz~yMx9{aK3YQth3GRN&cHH)V*@V13@PZH6h`*ipJpTCpK>nm=>Lx;`KWWFVQz-DP=IZ4 zYU4_Z5r|iTvWQ|BxCpYEBN7O}TmSKJgI>F@LNxX=F>UMVh3nAzvzr^T{4Jl3r3gjn zmq)4qr98J;iUqL;Qi@v7|9Ba)krqb(unb;!DLMv|^0??oKnIH{^=PVz$B5}JzH~SE z!Ts+6?604}3oX5Wc}WFK7@#JB2n0yWfqepBTK~dUCxPscL^Nay5 z`h22^i1vxsJ68CRe~a|I48k^45FKi#@^Jm}HRw?HV0`x$XKk9o=YCtXy7s^UAoFsNd^tnXa$1*~enwUYLx&8^+T^$du7lHW& z>oM7}FgODF9e#o9hVDQp*Z#vODBrpYUdp%u=O>FxpvTtRhUwkm+tCuad(MJz@cd)> z7gAy9AJ2Y%b9#R-Y#ViaFG@Zt&;%fUVgbUZDCsADZea4r&~A3XOBS3eYtHYLduS3l znDjC#x@qBJ_{szc=~^v-)`okTIH^sS5fb-({MXn7 z*#(iVi#DSQ{enJg6hv$ilFnNR1{U0UBvTDb3+|De)9}%~!Hb?@>y!HISWY>+$VPG4 zy4=ikqHCT8?e^pm9^y<@XJ{|19wx-mPQB3HD==-tlep)!{QCqfj={@?IhTrmosX$4 zZS>jLkaWv2R|UUF-8@lGAN-Agqu&1GngB0ye%j7+LmYttS?wy%vdct1&&d`feFXI+ z>x-m1Z6Q`~n(CfE1nd;4mFD$u-uV@e9^2brW0wr0c7B>Jk_cOxT7}6y!hAb1gwoc{ z-mWVkUvosE3qJ*=|21a#5AQ2zBQ|oLA2uGo0rgl^Oj2UgYij!qAD1YNL@Otb8Ps)VciM)4QDb23xkHTI^ zvjax`S>S)fk>Fql(bsEms#LF;WHba>Utqln1!UOpHEJt7BaC@nUs1IjrPPpZZVH*> zm0B}~m_liW?}pW&t4&S~ZU=1CPN$VauGTgR+qt z8bt+>C9-A73eK=^M2QaYOAEaEcCGpUl|2W?6gGQYJxn3&AD;m`Lqg(yNCnbbC9v|DUHdXO7W)gunHR3*-uY>N}_R5 zY5ha+t8l~D6Mb=k2vPp2w3~Bz=*T2OW6Zl-s{eU_rJ9JKM@v*`UNb$YG2y-sHl)$+ zlUp-n+aZ)SVSHaFJ@z8Vf)bZfWvP>>LY=G!rauqcrr;$S<;cphOS11V zcE(ha${u1cMk%t5oopk-kY%i68H{~mFc^cG!F;#>|9!sy`+e^_$KkLX@@sy-`@Zh$ zIHb+;!2>YTAuhimql47)z zD2ahVt@Zg5UwCF;&9T@}M#PrrZK6uua77;((W>IPJE(dL#DHo07NB=Dq*O3Y%a z?^Qg{|NqD1Bro%7xCs8)?$IzK9_{l1kk{NH5tX$1g?zSj561asqMmh-jcRV>V{M?(> zMi5+r@FI{_bQq%IJPCgR?82X%qj6Oyt(B$yrF3p6M{{q&Abe^0BEe-2)D&1U{^b!_ zo1f7E(K& z7-Ch4o2h2)sDsn?Fz|ft1pDqrKC9ylFI2W+FW?r`zkYZc!CkuP*68NGl73(KbZ}&a z*iCW@_br8{QQki1lP+e|*yLk)XPB%4rwiPo{C`;n797g({@I1fD{%YR^aXyr!U@vr zG_!CY#g`6I$<4~oP&$WkUytle{FU}>EO{rcL+kY?i@C*VdAI%Xwtls8%$59E8Cf3u zaxMo#U}%8+zXaPeH=n6=(=#Pa>LuuMDg^rlmFVe1mz)fgqCE=1Wq4k6yk{?@q496av`4FLA;*1_3-Sj3=Z-;>!D_Cy z-NCOpXhchN7$P2(eLWD6^Gqn-j$G6Q3hjol60RGL1EfP@*3L?{G2i8FTsm)9;x>2e z$y?8DM~?DuxLPrvYvbBRzn`OBA~Y{CZX4zPFX4RfRhNiQ8zZO{b>+hGk!C?`Tds(A z3l!?zN^n6AXmxUNit6y0ayY05Hhj3BUtDI}`)=-ebsTqv$Gyf}C;QD5e$gIB_acY7 zaGJ7HokzAz6T_Ccg8tj;f5u5(an`@idGxOEnuAP`ig+xKLNko0Z*l?SODg-@;)zO%u19LQ7h3Q;N~^ zu^ht^>`l=D4O%kPz$IH-)h$(fH?j#?IS$5eg4OhWE}Mrb?^wjSzvp$)gbl%9L9D6; z&1DAWDde};eer*|0K&s~8VthVdBkZ=qn)^Uv%ha>=pGdM(N?yK6vg=*XsorEubmE< zA&~&f=(e@>c=p*v zhG>&5J~N7Dkr$G-m@&S*piQ;(z2^ZAe}&efuziry(M_0?KaL}9qP(w1rVM%NC$%6J zdH-liD0MFr$+^Qreshue;`K(z-1Ex?PoAf(M@jRDrbL$!PNeLlgg3vzcXXBzgzX2! zs4H6X{kXv7vlyoB_q@F9&&99&Z``eP zAG<0cG3Ky29;{p3gk-KMQDG=s+50e8|AJ`( zDXLDO>en~PTV}W1E06r4@Soe_#KqJ4@bc9g_x?7H)qWJB4!oK;7)5(4Y^K}ZFRGNP zodsOBq!6kf+eC*OWWpDV3+-Xtfi9vo0m(?85~@+v0)Z|8O)D5sV9EuE84$bR<>eS5 z{xT~<)I=i#?{5O(l_DEY)+8XNoJ-vF#11|O$Auh{taG~i=n$gW-Vl9c9+6;gxLNtE zj(1)!aPG%qG&HuV`@Srf&dpJK_mnDYU$4G#hcaebRoh&3vhDoxLaN=yfmstmr6Fpp z-w&*pc%7$f%iLdboyCg%BYTC_UW|1i_?MU=hTZOd!OC!=EZ8-Vw^g9V$J*NA&LJaX&fi8j9;5D z{?wFV!>64sZYsP(*=fLm^gw|B-Y0@!| zOq%ZaHKW~j&XMv@tP(PTp63Ybdnb_sf!-(KbT~VU)!&jt=HCup5aOIT$PqEEDBRGH zl8|A7^=`bxygRb5swgPEe3bJm;+SKjTWr<)4W*%J>m|FabPLExkEAJ)ozx*)ih5IS z_U!$kY$G z7Df;FstQ%(9J=tIv#V8o$^kYNi%P=29H;jy+$zp_&M_7d@u#m8`%2~Z-ilLt(%fd7 z`h_k=WN>#rvYRcuNYM0+mkLr*QLqcAWw_CnR1IC|dFC|T&D!L0)YxqO7ooMq?Ie@J zfo;S9O;VMWQDx41e(}$i3DcG!0oIiXhfTJKZl$`IvDp2&pG#-H2;D6;J9)a+T~y_W zQ~20pJjS$NjCohAz>VuY<0w(6+IM+$U~&a{q%$BroD^VkL3z-}(;~_E#<`Gm@xL5C zX${K5b%YF>`sd#@HtuI^EMdElD#KM!qwtM^Q)d%vzPmWu-bPu@h@H0H()&*sR#$qQ zt`EqHFV*Yze#30`6%$jwm(K_WzK(1b1MSUpM$m5*9ppr>R3Q>}qIIUA)N?ExQ?5PW zVu|DkBWA5)2)DfVlcuigC`NHRamE9BiyW?r&b8pilCwOTKWne|tG!WO^~ z?m^Zt7Xmm5I5m8He137Sa)wcKcqJ1bKty|fT4*cd5pGN8QRHfg*Zx9}jE!#>TFx%! zj%!(1Sb+B-Ogo{wn4gpBfqR_6&4~I>{&g?O4x>F<>2R&ac>(C=sb*j=?XB$a=<_w6 zd(j@fo4)2S$4H6xi=IwiOqphe3>^WdV)Q}tKW|QzeUqmBny!MJQd$4NKwqhYNlit0&G^1w&x>KZk;yyQ=f(LeNK$~%QN~#w z9)qXl@hK^$A3l6gUh*eA-}!Wuk&ulgUJw3nP)F=;h<{Ku%fnV)h2=T%th|RDJteZdJo)jNVSPfN1%`;wc~IP+#a$r6PkP`rh>t3rq~< zpp8xDC4avpNW=ll?t7B1UiJr98*9z9vE9DEw;u;tx}U6uF3n^(O($id5jifqyloSi z+M>0G5D|h%dDrmu#TTjcX)}WTKurGNQ*!$Spm&!JxL_l4mP58)*Q7H zKEFr0mK?Xb)MKNiOJ7*r%VrNnREh5VVb@TNzf)#*D8-~UOI*nIH1e&s@1{cdCnxP1 zpN#u9DKlC3)rCLO26mRa`?|YtYcz~UrPE-jC)dMB0b3Z6w-cQG)Ja9oRsS^O8#`B1 zAN^ROr#uDxVG46^M1I4%!dcr#;>y^EdjTJa{|Q6)DiTNry#?=b7e)@iu7dU3s|C0! ziGB{9hbD@8E>*3h$tih`7PI9Oi{1m?mr8877)Q81kVUoX=PGeFp%q95=-HOIgnPFf z1~y!9-`wuuLUf3>OeSQu&-bg6>f=wW2lJueGsWT+0(Nx4$t87(cM4;~VBjr!g!tKu%5 zizv^7j$@uzuOL<|t|yL=pFLAe$DE6b(q%44n|;so_@ZwTvt#(*VEgJ%um5`8Nn=u& z_`Nq+E@51Dd3*bzk;U)tr2h+N16TTl zq?GIAjdpy=FCJr^n@DDbLMjP7mk%|uTNh#OE4P5Xs7B(ErGDtVmGv~^q3=Xzh_nuG zSHvRrJpd!dc8l`xNt!waP=nM1&KvKH27S14SCF0T2bT0;Zgyxb1L`jG?p;}gs$=1| ze-(u_utmg zP`9~z{J^uhaA-1pSCH*v&Y6fLNfOeebl9*M#zMUjyb5X<@9sgayT6q+gxx9unv>!p z-8LYHTz>6YR(vnIKvQ{ipOhkRe6F`3*7NllYu?6)vV{oW=qBa+r6N=rdkTT!Sb6TI z#9=iT1hUNg5($w9MLI}SlChU)i(ehfFm)YzDa$#S9T_87O*(A1Tj|o9+4IxiM$YM# zHu=5(YwBfGs+%~sW9b3^AZ{-gvd{c+;W8I<^nc!Su#V#snyluP?FD3g~mfN42zqxeRsb@70w0dO7ncTyuI<9zKS&Lb(0R?(C zeu2<;yYp5L!>-2&TfaTOc6H#^wt1w@s2wKs8>uKWGjnWsI#{bN2PCt;3t_L$4gV z+tT(nqV20dQ-oV*ue^o|6`P-0QX#LkzT->UzrJ0V899sCfN@y!#hN6Dx7bP19|%P%>8 zy&kUiJyxIpBr1{j&3d!mKE>$x^8f(q?aencS}&~o?NglpHLW=Jy-B66MPzwL9L(_CN)aK_ z3-pMPpB-FtvUGaVzOA-RkLeYeOPlursVQ#5f1`PD_^HK#pGoNI$aFik-_g>~(rwl5PDzf#{etO!(OoSO_6}!$}fAH`DZ_o^HwU78*J!^|CowOPwhMEoc z8?A-t-`{|!c-WF+bkMEK=N<5sRQ*oy-D2(2n{Ydjo3@!ZzZ5l{EA)yAD<^aJ>wmN$ z_DA6rz-agncYV4PRPD?33*GSAbM(?@PYRCAoN6mWtRMyQ36m>A-g<0OXUi5#<6nhH z2jZ`cVWdP=X=ISjzf@Db;XDiRZD8 z1W{c0U~~AZzEvp!UollStY@_j4`eS{{r4*lZQEY4R4a2y=%=`p6hUmCD!8Zm)iFF0 z`=0&kZZP*>MksQo$y%F7&=wXJOe(zO$qKGnew6e`VVTI1Ug3lUZ_+U%%iiZZefnze zo#gCGUaWel;;=q6C{6QGcS2{E$Z+P<&Ob&}jK1i^AqlE}cS%6<*tf1O6~tiA_ER)N zlx4f%Fk9~hu=RQ!bh|L!ne^E-Pb4A@qLKL{e>({YIriGmgciDa;ZHPp9NPHaeaHdz z_OI+s^y;|V=_EzH4rL8)Md+eZ&Bktij4$J~srq4G|IT!Zz=@gR(sx4SOo0GhTO=q* z(9&A%D}uIzINI%GsG~ki4ma#t$Voz-_uT@(Dy&bw%jLCOyfwCNLhBCZo7GF1`ZwDe z$j8^uMNBe7{4LSs>u>&BzO}b*Q^Xgw_kFwR?n1|Bi<^m z8b^vt*1dcvsTg5=`9OD?PDy6T(R-wWAig&~D)(|ME;-%PhU%7u+m>kB2cXZVA|bLO zx_!lGh666EbW|$PI!Qe(&uj8LHneSb)CO?BflqwjMb_CiRQY!iAq4>^QEhD>)7Mx~ zu=6IS9&Pl^azm+ox>ftPhL`jrJ5R@uJWq=`8`Lwh2=?q}2u}5UmhP7$zlOQuV3_~` zF065eDZLrikbmi~it%W4rXR@IzVS|^XRU65Cu70QRL|HQGU!wKI&AN){@2TE1x!TR zHs{LMLV|?BTDUk{zU07uA}R{Vet(!1HwuRkhLE|)nyr;gy6d=M&$3NHL7q*|N4t)6 zrVQb_?;jH9#fv3YNWYDF5UxrRSh1X#9JS}4Ihd{uBZp15^YG3j zhu2}&NBaVofFE4p(yh=Q{*8CW7t5D$YAyhM>G6H*3oAtq-(2=n?#9Al(%R2-<-HJ%va>2dQ;+pnx#tY$iY+=J52q6onNrJ;q#U4c7vQDOepX#2sO~>$97+sfA3wW4^NGmlVb0+ajW;HIdFEo zZws;hci$u#d7?zjWrQvk@3+?01sS%M2SKvYqi6e383wydP95x7t>|IQd`F415?nrl zMB!9ATwu*13z5ccJNi89n58(=J&98+pySW*#Cf&WH*1IWZXO=5YB+2fl#qL0F6C6Q zNr$g3@l2^@e(39)U)5y42`S3FC;SOdz)AAd9itnGsjJ%#>LXlEP3fEs|$~!;lEfD9mGR5mK|O6<&;CmBwt-hf8!sc zcg?bnoNmy*rnh$Xz+Xa`Cp_zaE_Vxa3L zRHy@sUmp8FU;IW2ZzpwFwTe*SmltD`l9IFy47krGCT{PvIoz9RR-*J}Q&x>xJEVG> zcDy&Kb}ilRmtc4S!LKN@y#9ZOxHjmOm zrSb`U$^^gYW`0k34!*)AqRa8ytg(g?cM9}gc++Ezl`f1-cS(?07uqX&`toa>Znk3U zSiacrxCYKkm1Oq zOlTyHQ;!uLUET z9i5#o9$s8PoI5pd8`atAS~#kuX#+j^GU8EeQpQ)aQ}p-j=o$)UIWS${1}X;(oo?Pz zFfbduX8@HuNI&wsJuntE#DTQ7?v**pZjnC>Y{BcS}#bl?XUC=@f|iOHu$B*MXAU ztVk;|nZTIfHHx*Y4@Auyh`Xydu~BNTF|feOzVssO;l(b3+ zS_UCL3+Eq0R)+^TSc!raaL#VPqMnqf6w*zRn>(TIMxzbUzM|CTL z;d?Ik5?y@I)P28C7DlbAKixT{EZQ!HUYOyThJ?s<&gvXcD%uY-)UNdz_ga;Azol=lyS#xDEFi~hcD>Bm{ZGcFoQm{ zNG1M)Hq11~0|jr)rR>vNN&1`fk!Uc9sSZM=UOmyL-J0wzNDRw5TeKwc$4B(?@6SyC zKLKZ-sIq@8DfK;Dc)Q*uK6;+)z#Xrr{wf=l z+6c@KP0H;p@(9EbDlL-t7W>PFq>bznX8;2SbBLhM<_&g(Cv2E+`OwCIo6X27?cWGdoTBb~>*GWP?Z!Xx|IQbuZ>RJ=RTGmNeJlf^BB z_uU9npe@aOui}$&K|YDz`HP%7El(aot}G^e3&;qT9USeCi4S-OuDrCpRD=@z5=<1^ zF%p-{E$_Rz^m2epv+2Rg}WJeEQfp7TdkAj;op_BQ8FFH^v=IG>6CTin&Ke2x?N2L^0a2So_bFUU8k zkJE}sDsg&v5I~Im0}4d}?S^cR)03bCkk(pnb@9SSjk7RxPBxc8x7YF3&AH{1Onp`A zY3Q7N%lg2;U^uGKxcpO}o>K9EjgXv|Vp!P0{y_!lpymDUjIJ0yFs2?J#oq;q*5;l2!TxT*>1WA?TTQBlKJx7IkD$<+)DQzAj)_ zmdsqec*|}4_ZU3nU21)ZL~-b%gIaGu?IPSvOS?X0JFbmS!}n_E@@0oRcD~(`{LkbT z<0`Y-(=0%bf*!Y&nP~|f07-QRW{F`B8cqamZI~>#DYBKhvAQS;|MZl2be_&`U^)M? z>%sa~oG*-XLOFUmPJQmr=%{p@qfd8)s7R*^w{NM#MoOwn*D_8aq96WkWr|kT~=!t3c(C z#dzp4ho_m>pwGOST72_I{YhXiKg@;Pbq8Z5}#-bCg(ydi`912wj|6d!`c_f0?GA`_q%r7@`f-3 z8;R@JXSDrBJL=exn*VN6N?Q9R zC$+!3;Kw@`^sdg9rHK<4`p5cyVbr$jS%Tk6DrA%=8Y!>G4;R!H@-*IJOi>}7K@^q|A1pOz84*RRc$=C&R`lX&qeDJwC<@ zHk@EGB1S;4aF72n?Jy;70(}Wuw1=QRx)*zvPx2t?0!XNxuI(s2Rkwf0rJw*p;NNE8QNe`FoY$Tjkv8f=W1103d7+zBQuZ zOakzm$@!kU@BG{k|MaoL2A2z}au9BW>ulc(3OWNlmTLnhNiKtEJ8iqOvv>ud)U#mQ<;`0jk_F!m{U!f)P+&On=_c{13$$c3|M# z^r*m4z15FJh70=n`u9^N1Vu~?MbVA1iwA0w^k(>W?0^ft_}Qx0IVqDC?PKRA1B8KY z-lRv2-kh0&WhHiJ4~6?>fWsWWT{-nUWP2=izOTjz&rC9Zan8qwR=f3Ez#lVsG1#vu z36fME5@IO~!BEY%7meW0_Li2k-E|(+rqj{tR$PcJg&pD%8839Fw5D?S#4nxQ-`lZD zDG=G=8#O&iLg>=ew^~&Fo)$+?^lOu~Q$H<9vh4i&+kJKm=5Vh^O$DVt*LtsJ1f@I4 zI)HuxaT2eCT;-O9N@LDeLocKuQ;+JM*Xl080oGViN9E~vu|PS6z4yGz2KN#>&xskt z`81P3)#Ev>yO~1NG!Wu;7p0$lNn~KkF;(b|t0pz&HmcgNq)}S&f~Il?kNOHnd$Qhq za29h+y#_nWZQW{D+q1T)zZFmZ7SphV{PDZ?1owu4nD+_(dA|YAdi#1( zdZk*APfGygn(po`J{G}5VxiCq-VOZ>i#9cXHk5(+x_u_P(XS*4T|4EK4&Oa^{rdGE z3#F*eqr`o+>uU+p!A6FLEe?`Z$vxpwpS5E?9(YmKYw3^{VCWAGP15~`3m_sAJQ1Ro z(#<#=Sz(HKevrs&;4&$5^bFsaW)|6*U9nTE_5r}sqbIQdJD)oL#wesa@?w%&5RIk~ zu!i8dN-=4XVo_qa{?!HALtpQ4bXxtmxxL*|7!n73yY|gnop*C~9$%^$7?2OX3BQ09 zg4zCXZK)A?gW?kI7kL@i6mCrDmjwmKiqG}L=fKx*LUVKK%NRZ{fAqdCO!=gu;{@B= z6G9!$BxGBQuGtT&80$TSdBdvQUOyWgc)iwHZ5{8dL;3i(EBnqtEinEA-_inm73U<4 zI~Y-W%Pj3uOJwUpumkx~FLF9YsGXsk3Mw(txFL8wyA;!CWqT_Q;v4dt6N^ZDBsUyY zyU6L^bE?eJmS~R@EvZ>VYyvpfTG0S<-*-2+oB`l}PVSc1(AGp&3AX#rM*m|2h?cU# zz{P)&ov64|MN}c|dyYvpvDQkTt8WG;>yaAHMa`pD&}W9uCws5mf$o>-6|=<&RBT$m zb~#c)5+Jx8S$bxMu4?i%QZDVlT(cIxlLvTCWp{2uiC?&0=Wq)t5k4`lnc@NRt9x2L zzfeR^Bt?g$(l=RTK!NTkze~FPh2!|{X;8*?Qr`|EmGjy008)p?!!rYI?)ZBB@l}=Q^6)+r&Sp3~LEWuzYgI$4!C@ zqKwFz8{=4E+bfjz6!jSE%gy1?IXRaNbGE5f#Y}C`#Mmlo@D`W+l2s9%ogRb`R;z|K zdTJXGyMNl~*Y82SY%Aq1g@8zh9C0qF9EYK_Q6Zc!`}7b$eNgpjQ&Yfjv*2*($;|vB zFe}rFk@Xrn3H)b%0i;NdGToezlvF%1-3C+pnUYz)hgQmX z4JuR>RrJUBHoCaL;t{_Wl1a=ED4+>tyh`(!9n=ZeP=VX?cljuu>E*lRsQa;7@I_>X z1uBuVOuLHFU_O>GZ~>=hoQP=5 zWZwK-ttjCU?10xlD8HUaJ88e)-+tRQ`)&8RopX$|L!px4wO+hFHp(waH4X9SR6joT zXkgSgzEkmhuGLME9oo3w@4kOf-|r{Y;=2`l>T=jJi*PNRCk6|az=)KMBaG;_Qj z_qevtx}Xu-{5`paSJw7LgiI&l`t_l*0J+S&(OM1&c`%RuHysNnt)KfuzS-$jiG96}_shRRto=<8w=UWovn${J{V^xcXOJ zn_4xTO=n6usMKYGhosl2Ysy}K+$!ulO_!_5q)D>pbaeKYFR#m82A61X9Q0hU$JG7lYm(Qe-b}~L%?@Ty zGt~{UFl`AF9IWW+zX2No2Gh)AQl1*Nbfq{8hb*Eb#%p#{@*1rUNwnffOd{qzYKP$t zcs4&M9x1n)0?YGvdRX%`pR)+bEF?p3<8l7B=f{HD^kls z$xJK2#c{0Oo`MEA;9XNvQ|ZkftT*}_xEdC{F)x@NfwF7-VPoc6<3%%FhD}iN$BM3* zZw&QKOuS)MEqsXBSUS?$@U!dSumx#x0%@}&W0LE*+bYcE;#Wy+b?3FO2>n!b)d0f3 zT}rO}1b@&Y%d*{Y`9u)f@B(ZVS|+{l773UC0?DWA;^l7Nm^b#OU`#plfMqiK%~G#W zJL^rA(r9^`L3WzX{!_9Fhc7y5KJ;!WRO3Haa==B@!pW~$Zc;vf^9yZh8QOz4+K9Bd zNEo5*HI6zxQ~z=>BUk$Fwh2<&FEqZPCtL%0dst>K8IL(=X>hWU+KXJdzI!Cp{nZy6<>2HEuKGr8mu^^V%9b-|@EZez`&77PZ&ZJEWF^1Zu6ix}Da85ON z$m;~q#QU7K90%(An{i;${|9LVc)qt#QF2q5*dIzbGwVR*aO(SV&ZZ#T-w zGUU`t+w0A&?Me5&4B(b~$M!V3tc)XGRCme>zTLzbzHf6*FbdjL6RVrri-qDuc2k=l zCatXiiA*=MgKTzo-?nFnyNOhsN)i{TW0JLtLKWMZFa+)u8%Gw~#7xzP&>kM*?1+?3 z-tH*fCe-ho0it6uQ=9e76ZMSQ!T_h=;{KM5c7MQ&8QqRb-D>1fC(coWR=*|Dcez3i z|NPUFnY`W44f4=vm0kApYRU~;z4C*nBATyWo9|MQ8}Ar7H_;|00=jHAB^xZfncUW# zMCJYoMM(oI)E$at-AHgSo3@CGFmdyRV3HWhKcT55vMZ1!K1lq@ArgG}r;uN8IJtgp zcBO7-HInUyMMatwYtSQE#^x@s*EK0ha~rqb1Ss8RW{yb?IL)|d{@$T*0bp=kFV&0~3u4%lP$K+@!j&o4W zy0L9fzz!aO*?lYUzWKQ~*|4L-&mK_frdQc3M}xT)LUs;e{5yS?j!ryX9@UCjZobU< zg&0!3`AT~TQ}=NdU@@cmsPQbf)5W}M)jS4OP##!2VI1iJq+2@7ir$4i{8a2db~kWS z(qSvMAuYI9Fj1R8B@Pjv5!qZj)i&jWl4-O z2jOfhp@jOj_Ch_I<=0w3cs6crO;$ABdp}S5rW0s5; zA|Gdi6-Jcf;Hs;~9~$L9pSmw54V;5519o(QZ{J;zlmXFEb69ipalV_edmR@N)nLoN z=X7qauS|xO$lVy>w!|c>zcj>O_0W&;$jz23n3TE;0oDaj086;UCDOFziS34*K2w2P zvReKTmeXf1&6?H%rlg;?w}XNA6LuE#nE%8fq!&9j9pq+d3d7~%LXv27&Ma$t+m8*1 zT}_&Yw9%K;g>9(#qv=7bXU|Dm-u3Z00hVv1+VkT{mcf=?w9Q|b@$e|&2Ju3D2XHf= z7%qMFDD;X}pSvnq^G9`!dRn4lER|$O8=-B}DEd>1D?0>_u4--2l8qpaY8uG4(H-C) z;`J2O^SY=~buHmg9%*paqv_jcmz4GYs|=4;oGN-0%oMPiozxaHcw}7#1br^Gfia|!tz0yv%HEZ?-8SKAGtQRd`<4Y^{KpVet-%9{T z{S5?sbGR^&BtZ95a!CIT?uGuvo;6mF+m*4J)pizDYLvAyeZ#mc0m##WBkMi(`Edc+ zcVs|Gu-4@8!+!(+HK(Vj@w%PU?P5^D)+a~sw zQfOHk4QJ6QP1oe?Vdsw%k?;*ZLAdt@j%TL(^maax^ZgKA%u(q9e&$0*P|tSUDda8Z zWH;T7t0|9uKP7Tvho`O0+9BoNFi2L3oM{0PZpfkPXtvvNbUci9X>64p zdf%!PFeU&^(I#fr7-CBF9v~R(ym_k6X)Vg$@3gN>xA5m;O@@=oE#q|+xr_HFvBOVz<-Hoapo)!74cBYsZS{oBeGoCqKtbYZu7t(=Zw6(JX`RB zL3aGT%Z<~hTW*07Y~%e-eT^`ofSKevPU1J0TO9jJp5V)m;u@-N`6F0LLn64tKi{4Z zsG1}zyxsTEhPiRn(tqC0GF3T>Nnu&Fh@gaw>0LrZo8JjWri+Ee#jgUWbI>uLK`Md8 zxZ;o=aCd9G-N15^gSDoal2U@T2aKvuQdSL>^)LUpZsVy>NRbouX=_h$faHXsNeKJ*nsRetvp&5st5iFfZ+H?k>8N*wP<-x?$BO?orzuL#a)~)X7e5P`t!x_z7hBC9%adjbu(0Xq`;feWf%3^)vAYawORhy?r6%^k-{pBJ zRy)fvPnJgcBngj9+EOXCSZykg*NpY>zNw0$!p#T+O9vw#(c>5=@~vBSx1wg-4c9VN zJUST)L*wdFb%8Y7F~$i{%6&-8Q(9Q*7^H%Bdui~1^Ik8iP>YRH#|3#loz)qsQeo$4 z{IABw%rktN&f0Fc$ZEr4fS}sO3q6FiI++<<0kRVg04nZ=LzSjhWOP&mRJ9IDV87g9 zuoNKMj_Ps_o%X=`T1R>IuMZI;>a;u0rrvn!q)EFMRv@HzjYT6NpDb!}o%BTKO$`YCBl1fC&;1!k{PR$1?mfP8=$seTdzVbGvHM%f{1il{dFJXL}z$;i#l`r`_cmuob!<<9virlrO%0z_W+w=gbt=i`M9ON3? z{Z1SD6}n!%?%|F^*NZ3uS6Gfsy@T^NKuXI<-C-N1WimY->q16NvAETAC6UsOeuY;} zjyvW;YcnUU{lMI1Jw-RMXu{pm_;_@LK@B^6yncEnF!Nl|4}>p5dvr^0hiP z_ig#+?JsBU1|M5v{QO}wx%2*SD#qz-lCYT>{d(7z!iLGsJGD0ZPICXGsut>IUfO(1 z3dkQRN=#wgo$^eYJiwUx!MSBwJ#F!#s!7tH=~OlyQXY_w<=UOqW)t)qEshjc`e-5&{4+(~W#3Sd^#M8ij#j>}1n?DG zSXfw^_tcRmi$e`q5xAhQ60=R8721=j4V^hvrQ*2so~#%=TkW#Xe?|oG>y>s0;v^*W z)(&$Md*ZI^Ii9ngc!a}B_J|aL;{(Lz`@KIeV2UTh=Ql)CL z#pBH+2ptU1o-m%hIh4XW^~4y6eiJmz0!vK>v+XhXu}>*DEDn98No~nU?e91LN&o!9k~Tv(!!>iw{SsIXQXR zWkFkO&jXa4 zC~FM9E8v1hV|^@uefy1Q^#y6rjh_7SO_jCg;yMmkJ-gFZTjOpDaY@q(1=*ecNl=`6 z=w3s7Xy{iTuD12#tat!<%tTRf?{eajN+{6$F7>7#6%JWmg_2CU~e0OWPfsGiBqmSh#Ijulb(1n9=;u*tJ?Qsx~WzqOkHx0vu4 zVZLP-z)~7z4Qj8hD!KL_?ozfneSkr;qvsCjgt#A7@mreO+#JQlEZ54Dc2XI0gtWl5 z_i2H@-zOv`mN?FP2?wp2EC}%XgA0Ns{>wmb;!m-*^v)8Zc5UQlwI8{qK6ulN&AW2h zEGRl#DRC-hb2kyJ5>KI|V>sqbY^2(LfHbL5Y%F1J%D@`Bj^JS9r@rkd4Dv^6IawVC zn9MnOg(Q@ej`c1m3Cv4BAxh_7{JuXgqEki+m^Xa#>)mHf{efMZTzii^a6QlAbM}*9lp^!UiDL)|M!4g^!*k~bRo?nz#WJF+h*vrL1`b%BMFrlD}CF6e^{;};0 zHI%}q&+B&sRWtRR?a(@fFv*g9kW`kv9j|r^-=zR1tz+k19a2Jv>Di9Ezi+ra+|4bZ z8Q`_!+hh$O@o@~dPWUi#b0Y!rP(yKGfPLwUfl((@hPX)}x?Slu5n5Rs{;}Z_q=!B- zcqP=c%pRr^<)}Pc6}QxJ;vpES>M{8>mo+>_eIB=SThxtDS8s%e0359C&tqF7W13Cv z7gD>^)b3W4gNCT+Gl#C`-9A%TlR8}KFNFIGp($q3@|B^goBsTLaAaDFRuSX=p8(aF zM2*S|-K=9p44w&v>_OhqPkzl{*bK=WWSDFD zZgy`7`Z5ZmNdZB|rAv>~vAHy}?{1D4 zgH?AeWO$LnngpbSf9-?(L{Biec`nh0Sc1})Qc6xe89AwwJ%Wdd_+QbB@u)$$}K1*jH$m+{LU`0g`a{x>WeKk`Fp%Na_ z0WlF;s}4Jq^W-SjlUK?0Dvy=FZ&z^v$T#M`T{AE#4wPuKJHt$_^((g`C0{>` ztj63vV;Ov-OE28RA;Lc zbN(4j;*N%VLhUXNx)L9?_0P*SvWJFsL$RflO?>~B~>FwX9ri}-i&s#lazIyZ=_dvxb$vwFSFsrBN`c?-R#1CpW;mMn(+GNkLLRo@g1b{>)3-F9%PAM%CwI(hlQQtIrsQ3fQV zLIz;&#t70rd>71k#F6)kD&QI}e`oDW7ara&mA!#?s+Y*~$~X;sI*qYF;3>dios{Z(9%@vcXe zKX`XLqEK$5RmOFsB&ub?!Nn#L>B*{=rLExz#d=RYi8!`#atwC(Xa9bUE~-_TU&-sIg1}{OALz*T2Q~ zLFA$sP6VbMr5_-`TBE1EomV(}r}>Nuh&mQFatGh@Y93m@&#}a2zOu7kE@M^j zdP_v;#OVqxKu%>bu{CBe)?z7cYCMQ?;Mvkh`Q+ODY`qx_lePcnXceM3L(U=VfImn< ze-k|FqbN-soAxpxql%v-t@JD`)MAB$hU?*Qw!j425bjlwxX#U9D||7BaM+vJ{Q907 zantj8#B^?c?(>v^IEh>j%DB$){UJ+g*zfI9H8)%q7s7bbQD=WL7m^B3K&0mJQStie zKMnMC4?Uye3ksGuAryuQFXn*aQrUfTpV>s!-7Rjm8zv=R%XL)-ei?{8HZ*)-XLlAu zqRypyfXFO)@Y%?^4%_mZ)#-UcC0CK(=I2Wz)JV2k8JP0Zrz%hk#|ws2c39>s5)LII z$!a7)c-~Ujj;>LwR>=x42$dcl#mgjg^+%kAk6qUe3g&AMgf#+Ohkm?j!bX1n@go_` zbVeuaG^xR7K6!-1f7T2?8PmMAiP|>H!`6y1$>~GcQkF8-*~(<@^>zBZ+;95nr`QhPo6z{ z_R)B$*i#ihz@@m_iUU3v$!lvRw?xcBEMG4@9jLJoLp&%B*}2OmSwFKa9qe%C+zb?3 zpimM(H9Q@FAeY+f21YspFs!8UNy}FQQR$^lKa+A_As4)RE8kC*E3)q2&P&By2t8Et zoW{>7BA46DwGXtGkKYD?M!wuf;%;FipOWfvBHxBbD^hwnIe&BQwC5oj1^Z#ZW$4r! zt%k@~x*Rc5)f0>7AU}AO{ZC>AeJ+c1Aleto$);&MKXbCvhMo^UGE}H=J4+yJ3oI_F zrI(X?H_QDB*T7(x=e!naWln`+7nMCGpc#Jr_fet-BSly}@G{8TI`JQbCf7F9fsm!l zTL;VJ#)Scwy*9N}+%qHH6E1`98QS-cpi;bLahNS|FiEztuY4*vUb*xOP5O7|h}k^x z>cID*bUG_%cZV@^oQUvIa2*xIEEDo-2do|o-gIOWH!M72wYg}5&*I$O`$rt{)SWRudh1`KX+y@L<3dIq_mB`GqMh(XyY z%+6~QJ#WeUD${u|9g6=7+C|_=l>DMXB`^0yCd&)p}UcH=}0-;k(b0ZjK8sJ6Vla!77XHPUYNTo^|x@@B8J-S8jI)NihoB zY~KaUc;K&C-%eB``MT~S>uM!)d(r_Oq{+n2Ganjdtr3`FVfoL$t-mI0RqM=;YRH+Tq+gsZEHBq+N&2jvibt|mw4y)km)|;~ zExbrC`}Ng(KK1uDg&hF)0P!_Huc*lOcWjo#1ZekUnTw0-M|%2uo4!O{WBu;IU%yJ0 zky%M5{o??JSm!~HY7`4IZaR&4^NFiPf#qdU=-?!dPzUO-flPPcK zt>vI}i+>zA zVrMvzZv|>zBb-~J3A2wAZ?}yH8rt()kJ*S9@f`WtlWj9sK%uXH=XiM+A!hDwI$yjB>+iyvHiV8fpN_o@9 zg!Np8tOh+l?%-GySGYfg5B2ijp3@!Zj*|I~hRdY3od?YMdP{f@T-+@zEbMQ@7taL9 ztNCbf#GPZkk7HCg=tSPI0lJ4UGG^(|U8}ac{tK=R=v{y5!=5+|Ip{@UvT+sVjUG z&0+3~8F;!bZVUfq&oi7vmGfZ5x(p2=-q`gMb)EX|&KHgKwRqXNw@d0H zvC4PU`HT~)1w!qjg#GU~&JBD{;~y8E}mc<9M>=&b~niWLxifO-vxPk6h}*~LDfh|v@qP~(I34XMr*P9_hX9u|)WFL|XN=|@ zIDmB)QGi)rQcv5CPplPh*-7^wB=t9`N396M-}eTWEXjU$Ra305#ihh>g*TCPnO&>8 zm!yDg|BQI?O5o{i`GSE1N%1~-5=+4)!}Ri+TGXfaISXLpNF88K{OEIWClYhbaY&gB zVv-mfSi%vjIu4%FQkPbhGmC$*B7dXlnBl?}0b$_crEM71H}KmwTMec)`xCud`j^kzs4+fL>q+_{|*Qnx~Vi=7(T*h5uyF~tU$2CaPLDiVV+BMaRu5a^V z5NTtxqEL3OK657|Wq9a$+VCwe*SB3zyK97VJjD%a?9fag&OK1qJ?5wU@)l50?_fMX zO(Ef*0gTYRSLYd)bjKkfBwz-~IV zR`vFRfw!|CD0D)~YeURI$aJZPA0gJWwfd zLXhp>gH^vg%2tN%$xqWmf9o};qKEE*ky(x&ZN^#q#rwh&6ZP{^ep_~u!ZNQn{A*YA z-!V&h+0L?rbxu2P?Vfsh%OI~jb^Pj4 zL)+!U*9iUXZWPk9YHpM7iZ%92t=-%@tw3dNCF6j_g2^L4PGyt((=UWoPVFKSw*pQF zhfPi7O-=nZqKKqZO>#7!%9kLLnT6@$v|APXbmz8X>+M_gwCx%x9}k1IVuN0{y-lWn zZ!h~P`+PiGb|blnO|HTe4iS#U%QFW3RFD9R6-xEnzCl=$Ii!UmK@018`=1b z;H(f3nsDhWmWCs(YPUj4XT64Lo+9AzrAd9d#j4+1smD zRJV#B%8`Dvz$SYTGZoGXf-T`Ld>6DS%7Oxs9c=HcBB29)0?mXiu@BS@tNEX}EOn3o zaN{>CJNPQ@46h;$TS)Chl~}9(0_T8{{V54kmU{)lT5FkiwHHp;%wMNzj*CEsGsPEWyg(6AR}e%iQ7_#nM8Nvz|qbt4(6Nz{Ga?8Bl>{3;#~9U z&i10Wlj)()U%Y5d)*1rbu90TB0Y3oiPmAm z2~zxz44Hy_c6+w(wCjSS6Li8EUbWVFZe0;S?YMg~=>|q>i9Qi|Ztzlpmw|lx`utH` z+Vz9fGOE!2Z>~C-oh}sGDb2 z1r{E*54*`t;`-kB z=~n%Ic31KRB?4DamVlM$uDKbFlXKrMJLEQU2i{ z-(kYJUr(I&rGXXb)QL8No(CN9A2xJ3%l9zVKCYdQZr(iDmyU{|zRyKJ1Tv=oE7M&j zy9?M$OW&i>edq9BJ*lEB*^Sn3|H*=1`LqRD;yupunZ$7#*R__vpbRrJtWo6=60Ow7&_ms)`=o!`M!a{Re(D5kF?50n; zh8dezUzpPJ`bgYHT&G~^aEIeUrSC)SfWo+zs9~yHxQoxcNvQH-J>!bFYxyDJ1h`}FL--ju)I4J7|e0( zK6*XBVF!y5tl~Mo!bYhoLlIrKTW-s8XWQMhdUjM|eOj3C%|=#|haWgpBaP(-01>cu z5UqL6l#QYreu%b^&!6}y4HSl`K*RQ}y5A1GGQa*Kt1=;H?IIKvh@x5Aj}NZ_PP+t= zbhiVNy)yqeQ*7^ieAYBjiJZq=8pqN22JuY9Mnw3-ZG7Mdjk_c9vrJY+qL|+e!>Y@Z zvM5Cj=tM?e0p;|H(@5;RjwI|t5z{@bEg(pHSp!( z*wS6@6?ivd^#T^QW~ih|wB@3r>Tmj^Iu<1|tnz7}dWEXPQlzq~tkjXX*E}PKswnHZ zTAz1U8ZAui!5_?lUspN@*q*>peLhsgUNqekRA=p2aET!@{1M$i<$Ov_=VUcK*scu^*^;~ z_3zWEahWJq)gIjcxPTO!Q!tg62aGI&Nl&}w@nmzX9z&TF9x`_Hv9lR?EG-;_rz9XE zBI=jG)vyf61f8EOplQwhzUbX2LbVd()c~p4`0~+_FyUh`wzbO$H%PNwd&OrX>+~F+ zm9!5^GV7XX#%U6KH#VAVw9|f^?J@Kt+=}G{kybYDcT|hNzUJOeE;ceUeG{-h09c9u zjXr11B*!KTp9}HdU($lj&OLBMa+LMFV=i@H+pR)+WmRt^Ca*M2>Y3`Q3#q4?*6SX> zHZU|ynurcl7`Znhrw%m`X;T3y?*I11XFY*I7uM_eL1$yAS}ZoXX1VC>!%l|sD}oXm z^#`a1WL4-!?-M6q2w3epvrOGj<+XjeIMy(tlC>A=041!!X&(%-{Wvl-KTND#rV%HY{mm>B`G+Iwf}KpWit; zs;P(^O_C$+M}#p>Kw*e8KR$235~{ylSsBe>-L)NKB85sI2tdVFCFc z4Fm9GoScz92c=DR%(&;FV7c$bK=p@qu~j$X=(w=c1=8<^rSa11gZP4Vb#J>q&jJ(|aBoEU2v zbP$(T<~QaTa*MwIJjvXm^+Qs*dFXHA{gLz2*1)+YcTT%B&xZhdXMsB>;uY$s12nvX z%aeERhm&S>4I7&N&PKB_4N#a0O*Gk|9F9!Y z9)^!p5jr%~_jTSPzX@{Z^>~`<6&m(c{C423Y)X%bFxFAEwo zkmXF>69mXa#h1;qKME3Et_Aw?g1S9#x-@Lf%%EknGS6dR8T1|3BnFgLAqh#Pg^p6k zb9j9~#HXu~n&Q}fN!P~htu-&!@qfIY__pUT&(!R!X|-cHazz{B|H*qUFbe1?Zs))} znA&?oMi{jBMn35Ku9tEG?tbOkpj!RSghVoe7K{n(6s4XbvStN9u*6@&XAR-4h=;=V z3s1dJQ|&XvIKVh4=&OV7LqG@y%#|136SHn6RC{N4S_AM%p*G%0}`I(oCmUqF0c;-)qcSz~{_9=qw zfI$I8%7+Fm>V=Ail4bDi2q#`W^BaNpm?7n0CfW`LEIX{}-6Gesu!;cNs$5Td|90jP zv6=AK9?#J0L9LRvUMLIOI0Yx?H=VXP^kZ!`tN~F}dqQCo?#8Bf&TL8vJ_D7v<_j#} z1y`pLP%S*P7yvCcHfLE&^*!&Vdc64P+vurRG#TiwD2QB&RsD-&9WyvU*g1%>`0&O{ z+zmP(-e2dW&rhAGT!7PU`uvvj88MkG$=6#uH8A*`PtpCV&YGB&g88!4u0-*zN8XRU zPHsP4^u>O!_sL~rMt!tgEr0^ON@Qgd$3dGq+IKPQv=#U9p_b*?_c4hm(9t(5pYwgr zkH^BcOiUH{YvQZlrp`C@y|1CdzGB^b!uvgn`-*E)l4u&*U^4X%023loDhQda<+e{C z3t3sK3;J+)&UE|`K7al*XTvf{*4s5E1?MoaA6vwN)1}wkbxbK zsPh9&JuLmQEtsB`WbyqYNT8qzF80<*^K0Vd$Z1Yp}pefL}; z#0z8k=F7mRlkjf5u9j_AE3uuk)M;j1jkn7qO}-cvAqb9e&aA>d?WPaWsjrA=H6XB` zxHbTOh4ftzpm4)U9jn-%*Pk|t`!v(KjJM9GWY4xw0~BvT(Vk#mSbS(9+V__XLxevnOu-r=&~)V@3new zee`-9+Mwc(DGi@5;F|gU9y6G2@-8AxT!hL zF+99~^7SFGD~gJ#W@ucS8>>u+X??ygc8b>LbWH5>vj+~(sjPewJ;NE!+|JDz)S$nq z380bo9M6EP_a!H7<#$fnaxOG<|CEP+_sH*3?THObLT9AS%DJnPUjD8sFfoX+)AB{O z7OdkS!5L|t3$e$E|4C` zCcLNauOZ1i=v@4(Q|f$~(i*GG&yDBeZP-|@td191ebU}icB*e17}}4WMgb+H1zsI) zMUVcp2G*TNOHU-NxAFNP(Qx*6Tg1PKVpDZ`NBEOvi*msB{#lT`DS?TkUEZwtLfQhW z^Rm&gkaXOT{Z$>~7{3N6nVqbCcBWk~7~6hdm~XIx{p?v_I>pcUO+V7vmEMpX;BE09w(D^z&R=KziVxFa8WYjNBd(n7*HKvJd1J}lb37=7JV&C*j@xZJ+kfcL(Q%0Pw-8abv3*NTmaSj-%#yt{w;y8OVUs zgv7+Rv!3P_yN%v)X-PEY{Ni|Nm-?OVmoGDoL63+y(*h{H@i=dK_irR_^QVImGdKj2 z4oLo86Q9bcth&M%6OEht1Rz2F$xqAzF-f(!x?&;QetQCE_calnlJDP@?W@vO~ zdIgnsRbAZ|6H$GNjQ}n5nV*Utx28$it9oB=N^w%b ze5bzz95j@3u|%s`hIQZNq5?GdOAW%>E1Lpl!%EvMA|>%#MW=+UGOJu6WGtVy>NuD~ z-)Chp`HyN8)vuD0p^bCAsFAzasL37XjOXAcS8t#%Olb{XOY4-2dw4rS!QR246)g>b z>u--XIMHKHvT6ICqjwVL%VZco5|jVwGp`B%_%KpAeFRdux#*|#iVU!~G#M;8cl(54#cN|2>HqD{ z{?4K$=B33K85dPeF|Q{a{;FW{n+{O}5ENavp-cjbjXH0loJ6Pji!iy8a5nrLV=QjN ze_rdL_MH|H&L$EiYz+VIo@_PnN4#v?UH&TD1?I1#W>T;-Wf!B8 z_~r1m*ZoX&BR55ZiJkC-C=(*H)cr9_ISV2t908dOe`R5iM1$|Gj(K7t%`ZU}57{gH zf;sw{o?4#Rt@oUH$|NPO((oeLDZf}6eg!AI;!?ky)LZ%r0t0UDbvZ_@3C!g4+KJHZTPZzByg$y)T=%6h+UUsWXvdHD zSGjq6P$z7r<#pGkqvWpE>!F{r!Bhb3O$)FI29U9R^zdC^jNoRH^r4|4#r*E9p*D~a z$;rt9&CVdrO)n7q$JSRYWVSAERb(U6q7VWtuts=i1O?nwmS5G7P;BOIUcBjBN)g+yYi zFNbhvy6FVpG$d~exPSBz} zPEzfHDsKjcm=Mn40JwClz^FDB3Bi%-6&R2_H8Yci%c3vi+gx}4-6Ojt)lfd9m(bgj z+doZN1AHU@#RYJ-*r?<8cXZq^f2m+rV6}ntH1*n^21Y-sIbByPy6!66_X_=K+2%HB zQX2;-kv=PCQs?}Sn*B_GeSzffIMf&{umHYhq!Q*jB#Ie$u%icE)-cpm_s)*auHKNS zRJQ32wB3XHrdWj|Fkm4YS(zN@TUxL3X-3y3v0%w(D4AwmCk_u&4ZMc8`@jud#QV1o zmAWTbNIYbAlWcig5U2|u+3u2Srl4Md6j8e?Tv`3e*%8V~hwVQER18$m&sd|mr=S!G zkwRn>VyvQp;l4~trcxqi#hs)B>Hh4>;l4i&H=&h)#$Qny`0Mp{09n%kD0h3(#TVAU z#*GXx*R})FcVxSRyG-{Es#_zid)mNw|P6`cMc_1D0e(~jNF@bzS@hZi7;fD zHwTG4dGbP6SKiIdElGDYUMHMhHeM6yrGpsipDvW5L#g{jtF@38g|Y=ab)IiZU0zKY zwLJp}1H1>RL-$HQYr5fswr5P+_tHPsc@)?flI=c=O|mhJr(hn*Vo0UNcYQ_j70Qy}75es68*9)waBl|$y=RsEW*i2|+H#8G*1y;*^$Rx> zv&Ncd6HG#}MQgsQSuZ<|ho{kSkFr!E@w%0QJ3@AhPyDh3Eu)AUo-3ps&~BX+7wPos zKyAahqiUmL;_a$z#wcQ^9*s-ymwdC!o_!Dj)?1fu$CP(cZho%|cJ?u^!md_vK-Wgh z0?|*5FG_yc&7A}yx3ngmzF8WD62jJ66NyT&#d+i9Q@MuMJ$YJ$Mz;D>RBaB8E4N?v zGP4*czBx~8iERChus|bx5>RIpC7_4Ucdx3K$)zGTu^gDWHz9+y$sb~e*Og~A>JV!a zW`wcavo=yRItR)xUfdZN;2RwseXgT3!bjpdT9TgoEA{1sSgF^RXcvGQjjGXqg*7#u z<&qba98c;O21>QL2{niC^({?16)&RG&bDQZV&41^EU5t*|MGgFJFlXO51h{~&mSEX zTM%ct8Wwhh(fRMoe{Jz(r2`PWduD$}&4 zQ2p1CEhjv;eqdA;PPZngO0>52T)=eRV`Lgr+^_tFp8KN^b~ATqyMk`XcUWx6wDp=-YlBeGvbzI@`1 zG6tjRsZtFk=U2~dYAVIbks#AeB_QchKOa;ou)p7`s|~KKBj1~br#qOQ-L2Dlv~i07 zzzql|uJ)ZYtxLY1^66FF3Ap;p?9&}i`3kzOAi}B((iy*!@X_JA>Ri(xQ03LZ?1q4A zL`0`@hQhy#GO9k-7JbxtbbDVK-uF#;;#Xl|R%T`a?#$&*0+wpCkaFo911^d8Cmv!d41nDiKsiX>F#8?HHM5x}C5}{bm_FS=pJLoSmWYQ!Q`b zCsi9qV@*P%}`D?tkP3t zhq#nSN|7u5*`eENod-C4x&Ni?#ojvBXo-|j$!lF)w@nz12#*li3e8~md}KyOm#Xm) z?}!}vSttO|;jRM`+~8$#jyP3-t_oO=0gGGg=yzJ<(mr@n*aR^;QuGaKv>`UUSM_u8 zD!z|G9)UOrUmLt}B$y}zr0!z=MRNrX=C zX+}n%T8RkR81C7P9Z88nvVFDK#Q8%ey5i}mHjq{_yW7ZI0!#7Mw=X`nD)e2l&yekf z4g(zx&IhkQXrOpzM)b@>ox88&pu=y+58FHfHKGc|{zwJ>l<5@YlT-QPo%u;FIbPGA zUsApXEv-FofARF2)6MG8F^UlG(T!xL$QL3Rv;$n7C41gaCumQLTrCatqUr1mX#g^i zb%KpP{^}g+LjZB!C#eZS?Nb0-#!CAzyxQdUl=F3)Jfh>p5{ZDXNKte_u0J$MP#bhN zm7d5*&$_*>^Yv?Jc3%yDJYJ^?^@|7-n522;oCunG#qGBZ$LNt7@l6p4en`)iod8J)J3bcY7DAxd z5SgQ#4%0EVC{r1I@vb4kNb+NLJ?pub)RN;&cZ-TyDLF;>Q@-0x|CGF^OKnf@P7}8NNr}Bu{v55F_ce zG*)7Fe_@!?+u^Orbyi<;J&iu6yg&8!BGa{%9QpUAqGPWVa&=t)*c(^?Mv6y%To#w3 zgxMGZt={m=jE0=tF#;AsLEkgD=|{jc(OyLr$z$#aaEN^VbpH%z5dAj$1mg@?2>pH+ z6n~3rdZO=UZjsZE?4p>TZ2?N;j5CFzEC1Oi0rkt9A6B0j9Plb(c0=Q!k=^LIBJ;u_ ze;J?%8%dVWjP*qq}eOG2^KYU61i!2Vy>1aiqr1_Iq8CCT*k@bwj!SA%~9^{ z4LntOutXH-@5yL1!fAh16;fY>!lD4ykn@^jm4jxqWAm?W`+i~`OD4NHrrEhyAZfXa zA@TAihq-kt_pu2}vrqk@Jq5+hH#{zmj8L{tb^y{iq&&>+6A=+HS(VCN$qYd@8NS>X z7eBQi_@1A?@96kDpYBR#zw@kDmDSAX-R3nzgEMj!mroy}T0a@5|C#iPssJZj3qkKK zuB@#A7C1xquLy+qcmvn0#~`sY`h6$a`h3*vSS1i3Z-*&;>2yB$`NFc4%XgS7vGO=5 z^NnfLxWWe?>BVNr4#2P${gX_9QNgTYB8Z9lzaBu~xs80Ttgu5>o2e+a^Ta`bd#^a$ z&6YCtDDkjk>O4o>!L`@`WC$Z{U-uE3nho8;hARi9`fiq?|H5yz{VV)MwZlQ-n1QoP&2Ah8um_aMYC zkq6?4UXh()6AUJT#FDgpRBUY&)Bh5rI|raaN1LR9w}r0=P<~nPWf>S4Xq+3V%;_** zCQx9{bLEU&{t>@9!;mZ{k1*oG-5`@@teU@4=n5FS$u)nu%{;xkXw-(-@w*?RQo;g6 zvU{3lB5gp`rEq9VFGhyHx|zSdYJqZHCJbV&>&rb2+aVn&>J~r$B5d|vj?+38`@SUn*jB?b zbj{TnZa9x_xKQh&^rPiVoT`f0ssoJs8>x3>IastwT-CUlx?9l=gIV*nd?je2$+xT; zSlRHVTg692FZ+ZhG1m@3H$z~vE<8qo05O+56V!Nl-O~A9ARijNMijHTnhPlYcL2M6 zt;N%{$GQ9$k;sm?4LXg|`Z%ggRe||bJKMkxP{-zq&T1b&3oOr;<=-}k;%E&w?a;;V zTHM?(;0dLCGdHXI{_su{#Sh!+(I2F)RA-F^dTFZir_3cjd8Nfo{h%E5riQPe37Y-J zPR&Vc{Tu%nC$(pd`2W^cgA_Y+DkC~nV>FN!q%N%oZaU&6^>9nqO^qD^b)3}kZvYo^97cp;n|kI0s( z3dbt3n^kX=zFX@)BnmqK5oaV7K?rTGYfo6-fxS`f#2~)t=E*$f(;r;(;*#3I)Ol$$U7ddkU#r0LOvHKq6+T2;~e|X_& zCIQ9bOli#bMrxy%t0hhZuL3(Gv$L{- z71&FQlW2#4`Yj@PVaMt90PBxGuj$@0`1lSrFwfzM{!oObr(J(_eP7Z5FRwCQC6#4k z=mX=V{I8kuKd+sbs>$vz=&h;gUa#kR8a?hi&9O8bEe*id2-Gu-zXEVjAr`HQd&^j9 z9ZsvG*#UqX=WC|J$~sMZuRN-Fw?5zM+5k(7UxV*mXQ7C`0*vac#xr-8HyC-Ef+1zW z2hzx@FAD5jS@zD(Gp-yBT9s)SCIdIxQQr3h+Hx2nIt(|LI0HQ5>6rB7zB!i^DVCL@ z=)-1r`oR@@PK+)$bw$hn61)EjPvXz_Ov5ND@uRcYsdHgC+9d1cwKo?}CHVFXyQ`X@k!LXP+CfBwQfU?cWRHB|CDt{xWM7sgC|U|Bt7nByI7G=CS~)$CRJiHHFiT z0@wYCtn|DoX^QB)J3y|2Jtg(VEhW^>qNO=2RP?#2_qC_*kJafN&jx!)|CoY{sZ9rr z(hhC+u8!-s!ux%2oqKba)I4zKs!8hKhjsz|HzPsj5*8WT@KVeB ztkbK#fFtp>4~1M1kg^uOVTbUtJico{_@ z(=T&8*FAgOKOo^U{Im1?B0bcwarJ`YjVJN-;^zH_w5I3uK?jI5)K=DCH+aZrGKNz`QU6b{&$Adsz$_Pe45P_!I*PyS}W4T?6weyEjTce5^X1 zNS3(3%2>sNsrn(i!RYg2f>zer{&ev2#6M(+po~y@p*9Tc%mUUv0+s!lf=Zte0{yz1 z(%|%l$j-H&Z}wj0wuah8GWuK#zcAlpe|~(+*^i1n>+zAJH2g#2ar)-`P(zWs=YKVl zJqvct=i~r=esZEud||RY=ljH*Ph3L&#P+}55%GRK`K}Xw{awL4J)T#+H#IB1%)@(v zcWX-sApQl!%ie*bKO9QUN=-nDBc4%|XwVCI2uZr!o;He6wVGX}Q?#9b-FISwjK&gf z9j~^(?sX^F=|Ds#oK(yty3#)Nq!QRhrT)IaO7OSS*%8njG#nosEde4Nbsn zR3>=J(0M&%3eY?v>4LDRX{pL!UQx6k(OPua{ zoJvRSQJw41^z?M$GGLz9msn_uyJ!bUr~sXM(}%6Z|Ja3rk+HtK!DUgLKOq4rTjKY3 zj+B_ZyqkugB*?12^Lyhg&pdt_@cQ5h@ChTA2BgY;6 zhnb2al!eP~k9cK7QUC{$I~#iDJYs8e@^Hf_vJ?dL(Zr1qc}zQ+>+M7oomB(x+2QFr zxUMOPtqtSp{Bx-Lv(kN_MgBQ#U%wo$W1yEEn%61Q?e@35DlnA;t`)fJNc5k2M&phP z(zpbhworqM+iqKudg{C38g}#f&4;FhaZLnaN%DPu2A;%Zl9XK+tfPGIPy9*)dB-?ZI7BJcX)I3v0lMa(L65p?kZDSDQeaR z<%Z)Fu-#jD&zph|*pmuZ44Yq^t35^^v;_m30(JF7 zOHSIt1ccmr?-4Yh$Dd&_TN4{jTz{X@D?oK-i_}B7-aJ!|rdebfnTxSu$`^c4H+Z6- zTIgDpHKvuAxKZ&rfwO~Owzzse)5veT>s|97jI6$7<8qwxTP1lFqGE%xo`1;@duz(J$Vo>dm}Sb zzPornId-v%8Q96VJJ(D=_3xPf_ZL{v3(|ul3}u~0^M_|m?q_1P3%dAr)?NI4P9}&6 zqc1-rkABh80X*;E zv2qn^y0s!tH!qj2btJ3L;Czr$)_VniFe8kAC?F6>-t66Xe2Vx8xlj2;$bI#W$P4FSz6wVWLz&?+2DDPEhu-v?BC%}N&49E1Ui z=ND#XUFpKMC4XkUeNSS#4N3!u@aNqhsc2{jzfLK$c1EU3`5w>OP*GF6{V6a6`XS3w z1KOgdzp~jgm++Q*y5A9l(O%gA1nt+%Jrdk_KQP5B@u#)gTS>b9g5n9pEH-*7NG~mH zQ|ZD4N6ma(m% zzJc-i)gu3#R>PPs~_oL>ZD$)S824mg>9ty4i+b(hTH4nI z-#b4SQ;=i-gw<8uNqi4n;Pph2>EYHyvF;!VyNphWRJavGlf}AX;y@fX(yLGPN0f!vlyol&3_hbIu(^=O`xRs!x*^4hH)mJvT z+GV9PiRKNU>8VV05t^?}xs88QxPn zNIEDJnucG}mp+?c`_jEk@8r9=fzRwp@#c@lGIvw!;{*Ukp~-12Pt8V%D*-SuK0VAz zLIZT})7HXjw=D{n)+)Z$xj;^BxPOR%X&_&@?V$DUthd+3_rIsz9tu64L$_kM%b`2Q zPZk4hC7G-x6|?b~7d!}cA!N@cpeicCQx&;>b)(<#Py&}XA%A220#42Wz+q(%9`7~Y zkDhq{CJ0yu(v^{Ozbq`mw*`{&PNY9AU zM_HfErvQ)S&CU$b6&@m~7VCy4{4q zZ29hIofa6PWqI@p{zS{$S~HyuN3k&WcoP8rcXs0i?S?gbPeffb`oaX7DhS@8<_>qB z0?KvZdAXFANMk3L8yfB1>Ivt7S^2lX(HP!<9r9HHABo)h?Zy?rj036~_fQDDNkt&) zJlO-#sp-YM$mVgY6CWfjOX-?xE<|O$&VK{{33J4s{@0VkNg71X?S}cb z3L1@~!|B>~hZqTAb`R%I84s6CGW3gr-JYdOcr>In(W$npg-1s|C1Z?@j%57Q4{Oh^ zu+84`?W*}93*8S^U3N!8T(dU;F_fc%EqwV+p#9m8UqhnhO|lSE(6R*$fEMeF7JoLa z_X3JBZmu5Gp4~AvbK9Dzo|-8B@nfK>p`l;2^0#&D<}?EVZXd4vw#d6N=37!2 zLQ4jk3|LnPO%KVQ9!m4}Ev2{*-s~zgtQS2wUu&+rzZL-aC6ef%|E@7)2`cVp2D0yf z94Z3FWAK0IP?g4Gz?kg%vXr1yeEaHQ)De-KC>i0!dbpht33%L#|)2=j_WX4SGjtgFAuEC@j;&%!L4z=8I+>zJrMH|n?87{yg^sjMx zryCPsS6vGBFP2FIu=1KB^`M}j=%6IPx=%sz-&)FljiEk8o*XLD9&7_8)G45z#k$V4 zoCsP?htsdQBI|6N#wDswklnTtRl-1W@9hmK11RP!*sU}!0RdNGCGN4jA0L2_ttGR< z!4kOb1_U=KU|w13fUuRt4O?+DN{Y~lc^%plM5YE(ftoPHhHE-%FZ4u3wq*bM{ht~Y zK2;!rd7`wCjTj=Mcdyu<@yI450NM?mi|5{wTiZ;Q)#JxMG7e0I*)gIk)*!)m4>a)V zQGFX}^m*Q`r)P_A-#?v19F-4Ak@(n}q`74MGS2|>d*;QqNX$Nerf~xW{d@(32zZ$oi zx_Sw37_bo>*e*u@_y-7(oX9O1+pP^-nTla92GI?o&&=$a((E?|Q>uX@>cE}N{ajHdR0`P;CRI>EQasI6O}%wAmRRhjld)B0~uoNT*f znYo6h=7j^6&fR?vOS?~xbvu9~f~ zb!w<|=X~&Y|3VaCE+6J#H21h39Fip_j2Va@a<*cT$=R^pcr2nDAbi2|4AYKFFr5Fn zg}Iwv+lConD|f~St~$a&2oi5O2AIH8UVDh7nQHsc#^ zaNpCePSwONXW*D3VUd6?gq0<*J;Pe*-ey{4rG$e~(yF}OzjYx-Wu#j7Ud~eyX}Tk* zRy+b_%xjutDQ5jd&z~nB_Y}B(4SL3^$gQZVDhN~!AzjzKP;=$QNuwc&iF#f;)1AAf z^%4MU`m+K%U}^b7(b?1U3E)iBIKnWFmS$jJAUx%#2_u4Rc$p>vHy2RijV??6`$qip z#h%6Mp&xQHUR%et2Vwd)v!I|EgWk}@Qa3bB6VR5p_j$YCJi6FkYqlKwH5MNq|JbJY zk4y35{qiW=xdywM(?r(C7YiRhR#jmzn1CZv^Q8f?`PH-evs+1KZ{0%O2V}8aA>=%3 z!w?y{7cW3q49}lGaa#R!!WQQ~y&+_mee&tBw#yoF{@kwwwc!ijTX8C~*;{CB!1b!P zqS$Vd>h5?X@ftEzRR4`(uJZ*b_j;sO@Y+>ub2AW zD%aEBl*&Z5e|O(xuniO*fVNSU~Dt)B3<+h$QDht&C7AL zrfpXtSW^5c++8D8G?Tr6TfbfuDHpKDb)#J*x>UtECNEIv3q>0wXN}uCUu;j=;*U z|L*b^&a@?<3@HgT{y&s`byQXF*6yZJQd+u1q(izyQo5AxmhRewgmg)_G}0m6x#{i> z>D+X47w31+cj|s;jQfWUV6fL>z3ZLvJo9_D zX)+;D<9zBbK8{k?z0=lzdUxQx>&9T1e$r&M=aIgBi=|zMVB_(q4iMSo^&cvgrPSw* z+4)+>;ecikDD$JY8I4l!79`724DRnyV8mm8+S#4EO1@p#4HRAoHCg=WhCLW4oIf9+ zd@R#B{+rUtQ@Kt0)^NyB#%}n4qj-PcVd9sw|Fm9B+|ZYm`wrH9iSUZGu4dA1vX@At zfZ)aIF{@5U0iadV8lA@g9iM{(3h>i!{`s+#r1I4Tvea1LxMviJv`OeQ{?0}KB&Cp$ zkeO2vZ~#MpB>n4m)YtdIssEAl5wnOMOqS&rOCEWXKc%Hu>#bRoRoQLOP-c2d3OV)T zJlc*N*YBs-H$k^j_@6pL0Z?wg2odbq7WCkeAof!0xi;f_!dw|1XOwu?EpO8p2eei@ z>$pc~y4hL)br~o!HJo6BA8yNl(UYxm8OLthx$ykt`E@QQzkfY%kfZcFq-EC)*{vZD zM4uNM5W5G}r$`_#d1H8AeroS^8>3l&HoQ^=a0NOVCodzY!VCYFi|jbbe3Iq+Xrh-8 zKP>YkHDKqwqb87X8S1E!W^pjGshgA@!?rc_Mab+05n(ISDHliT*N3hu29#W!^lgNVm_8%&wRgEe z;@P6vV|q<__4NTjTL=X$exDyde(3NdyeZ3%EZ`7WDI{A3(u#Ci5pza23!jiwD~Qvn2L z@4z!I4vue1I8qYNC01cf_gDW{So>QgKY)jQc2FjEVnNF=)xvV7%%nWY;($GXt64T0 z@6Vvy5GI>L7*GCO<+SKb#Yaezuu&dd9^CwS(;C^!Ay1$HGy!*Z&r)y8oqSrWnbW!1 zAZznxbr<2A4HDr3h37|JgpsBs;jg5-p#|IH`|Qju`0fFNiDI5>RobgSuFu2e*fjSv z157U3L6!b7NQCD#J5=qzpAzh4@=ySEt2rC_qKkP+6cQQ=oH7H>1{D?-67aiXKHOe( zRu+Fq4i%-Oj_LbQ9tzob?qT4t+lmS}y$=mlR(zNjAgvjo(?B$Uwv>T&USD6wI0yeb z9S`)FwbBeD<@j1Q{d`@P0!@f@QQ>+#*&~4uv)5Wb`X(P}0q8jG1aP%( z)^`3&2Jj-XNqx@xPrWix6D>+z+;SshxIjww0H{88Tqm5^9*S(2BKGzVqb^5&G&D2J zJ+LngO;M&rY$sWnIZPgN0(3qq-00tRs!p2ow)3e7KV!$)Qs%a2-jI|OkfARW;99d5 z&14$$o@I_RYG3&2Pjekg{H0Y*sj10PUy&)9Pz-WUH;Z>SDbc!c+Dj|7iNN=NK+MI- z&COMd7qikPX#~=nyuA1yKMVjiyTXbuY8R-?J81(&ccr62x8G&}PKh^0cnTRltP@!N+&mV;=kW1c3Zpc9?e?Hl9&8V!M5^56N!rE%WS*G}d3%`|{sp zqsr;hgof4L#v!JMH>wRS@0N{=$ONZRJjdYh!ER(&pZTi0hD;iyT<%f;m#vFvkNQ~Ox;WXCDY ztm)~HVxH`*vH}J?1;b7fSId6=f^Rv#qLiYN(nkio?95D7$%6fdkE3Pf0ED2tNig}3 z$7Io8hwtwnNaVjEZ@KRt!44Pa6O{ZLaiTBOhQX+m^FT>5o$Cj*3vYcLn@2)9bB&z$ z=1^|8jnzTW0sW9>w++YxtDjPte=MDTcOukbz@v)C z&jv;o`1<-T>(&7xy(iP-rq1kwX_m)fYhM3R>6guKGLgp{)y$PX<6O{X{ggy%9~Ns4 zLH0e5Kt`54rflZQ6_Nb-i5&N%`^r+i_d)6$dsSm!4W{qPv72ippTqFYaH@le$(-BO z!@pKzX`}D&CnndAVE@88B4+O^pW@#f@>Xw*{z37FPp-T%+iC<^0ey5pA*sQ~xzfBzkL9?;3!RmkY7jFKK|8Y>u zxYjQun#{tvkd^l{PBSOTpzie5k0D%KhRO7dKKzOMWs~OmL+83mV3Js5|aE411Ww~~=I+bSoEQ0D{{ zd{-dF@JX_iDVUtWA=fOws1c^_eh_B-ULym(UWia6x*<-3O zS11-=GAptCXp@VI^=)DslOdsfhYZ8h%yb@w6TIl56W-f8W4}4Ys%A+;`#Z-3UM56R z=S|<<3zoUpr%-iuE~53bm|=NZvJ9J;?u|p7B|WeEfbO^dcJF_Do8{j=IG0n~q$YES z4yif2eVgZkl{qN{HQ>;(>FToi`Vh_A0)qfCJyz#$VIm{LTh|;Hg6^6#nrAcYwOWp5 zu(I&v)8R00k@OdVO_X>Y;{+XjAm-KP@MBtoieM5vdFd711IyRkouOV(yc zmI3ejzit9WwlTB!&-eP%fBhqvxJ+oGqrlvdms1Qp{Axr$6>s$ur>A{>A{8n3=S)Ws zgFq4Q1N{mHXRl0m@Ajebrjx=J>X-a*W4l?e%iG{E<~0BR^-jXEGLKWYZ&iB|;GJc{ z-tz6e@NFCX^FE7qPmBtoVQVgAU{bSC?gd^5LE?|7I|v4)9-*XH`K5SR4Owj`i;>5xk;rl+q|$h^F`XY|nO=qZ|Z3%q*u>Zof?HO&hj)evTh5 zj9FrqLL65D38u9Azyivt8yMlJ8rg7IC(kQ(!~V&2LHJQXNYMnE`J0O&82azf>>oji z_M2p7;rcY0z$KI?Q!De9U9Ppq-y@4QB#RtbW6LW)Jf&yRfWBAA5~HN!{|Gto!B(<+7psulfx8W-KQm|e!vbd|Ss6UWb;z+s0_4`;8w zJ?DcFQiuHm@YHi&m+~lQ!p2XiTAna@ebF18@9V8u-myqqf_JH@|6wZsc;dg=be2EG zr=sWgD6yeAp7F_mpQnX31o0??)_lfDHYLZw;U$+T(JF!q3z~m1dhBIih?p?uqNw8J zCnS0)@0-P@Vl)%99rTISQ#X$!Sqh<5N-~swaEm2T6&p_70~q`zk`c$nxd3n7FSKl} z9~Vy-;|!Q;C8+tq9*nj6zxjAf(ctg9k**}K^stJ}>kgk|mBRzB-Xz)XXDhV{UG!DpG|Dw3TsU@VvhhsLO zH~()2P>=K1-SUKD94#wrLUOYL6r=JJ`dJuLChF)A7|GFaR#^KA<*7*EL*INz%8Jh| zF|Kz-%c9+Kc$nxgqVHXGxI6VL5v1V+%4Oik1BN8%4fAM-5H&qT0Ss?n|ZG$|b)HyrMyRlxXlMN&%08ABYyHKCy2%iC6&8p+zv6sSl@vOibZX%Kz`Idism6-BAc82l2xOqWw|(2t zO-9t4VEvdLl`sZXmLdz*mPwkFt{*rV-ia` zbGR<2vB#L>f6NEd*+-@VRV?{sy;1zMAJCY=&=;OCUT3m@V!{HX8)dP@iE7X#nZJmUI>orDA7GxsI&cw5d3oj3r_K0$;J30UN z))8Bb3;IjnWxJP18q4431*AbB5ov9WBH#7*FVpJW_BpeTyU95?N+fTAu@fJkKVU6z zhof=XKV^YzzDV32oSQ7e^MlOX&0lq|RyoYfoxH~lAvg}gp?RyHkEPuHU1-DB!#yh-iA!-%~V%ycbQ zOiz4r&XN~zoHl0Pi11xS97!262UCdj{TGE>u7RM8U(fdWRNJDL!Yi`87aWp@r!h+F z8y4?NdnsiwMeVYt=DkU`dEf0oFE2Za9`4#ZJ4tL>1V?|>Ap7R4hjKnY2oaZ6MUhUe zHFMV2O*-V4$ZhN+j!e(X9M7N~5!EvU9XwkKX`~ku7e0HS9^TzR)t(9Vrn;{-oiMpO z;)|pL7H*6047U!_^ zZXk5#9B7_3E7)cv-wQP1@^hQYp{?GenbO~AhhXXpW`e=-hKaSGjBY~QE~qog)JQT& zkOuq)@o>HGp<5%u8{!lp56gmra*(v! zhuZ7M#&_ft%!)X(`?u3|inMa1Ldb2`C(uvppPbta)p&c}y2+8L?lj2Vr$|c5bd6!Z z{c~kH@)*9;=%OeYZUz_oFL2(n`3I;G#wl~leikT zn{jlpc;nuLcSR7OMG=Zr1EVGY2JA`IE4X`Ot-TdA_{J@?jMJq z-7-&q(Z6NK%g9YO-Ze|I4&~VZa_JHy!EKz<>n-&tUMeY@Kb&HU?^y!*nMkqI-=X`~ z|A850ryz|D^&?ZD@iJWJ9^7bg38q3NhC_Xm5J_7kG3p7LB%o9;`V8Pll;v@^bNBs>OoSZjzA+E z=rML0=6`Ss@CCGNO}E6GjseJ@zii7Ql7uYrb>y z25x*4-H&cl?6&pBUwh@j%G-n{(7B3V_))!6jI@Fl@+2#1^hM5#9!)B6@WMEJS4Z7? z!%Ya>o|nW&%i+Sdws5~)8(#NB5W?u{>Wa-hd7Y6ArvWWV8=8Y6zkB|iy*gPF8BFCs zdeUn0C*q=1X!wosk&yGll{K^eC{a!Rp#kgd#bJ25K!ah=pswxp4r^C;cjm`{mph}S zjN*~^1RNIA3X^lV= ziisKSAc>4t1-fZWmq^OCr&H{7-c#=4-XmT7hS1!5>RIy1h1 ziPnD2nvIFM%ADX~dU7WzQF zYbd=#g3QZDDOZYTO2Xr2y{NCw70Q+@FomQ1co)~rhW*wv!eXX#G)v3@{II!=H=wpL zTY;U(ZUa-Q)%ZO%m0tzpWm^&4?OJpDaof_;l0n*^SR4kOCR9G>V__K?2D;CMK@o=w znTCOvJ9F77Nl{(%PHDRARvNV(S->)F9q@EP-u@K7Am_icR1G8HfL&hJG4ZT(cnj!2 zkGs~gA+~GlZ&XUPUZl;}0^^Pi%MG`gEa#hWDJa?#0T<6189*DNc6P^GtW$-@WwY{~ z+-$VmOQ1>UkG7*{o?iZ22}sxST@>T2`;ktg7YXn*FrY-v3vV-EUcI^|KC?~-kQ3p9 zSPX9?3sh?(nnuPv1_yPwR%e4_B&DQ2R)3uu{UzcN_FAChXhS6?K0ZQsYZ$WJdbxJg z>~TWB5ePW^PGAh&Se;^lR%yY=FSL|eSdjbW9t@d{jZBIlHc_o*cR_R~WBm5<{=U}} z+8I7$d!}EY-Gw^=EF9cutGo^BlNs&e;$peOj5UK+CF9gA3)PL8xYo7ROe$_~C?yyyMNud0 z8Aig6#i+?|RS_v>7d|*R*wr^-3IiGuSeV*!58FgiW_|j=R!Z}F0%nGJ|GOzs{Ku8) z7PFPM`$y)Gw!Lg~H9KmA1gx{DU)YNMvLC7n(|0Da-V1^=Q?u>^_;?7onejm7PAcSi zR`MO+f*7cch)#3{*seF1=s-UDp&NFzlqh~03BrxHf{AC_BE*ry!g+F{uQ6bjh~hiA z%0Byg^DMN)uWuZY;`?Vf^LMqB%PbB|X2+)Z%%q=o$Ij4Y#^(DVcqp?RE3h4z5VRg! zeCdWec0BKlDm7-T@ua69D~ilrpAEN64H^0-46mVjCK`w+=vr;{+8^GX`#oaBAQFiG z$x`*6&4aX52SY?lODps`}7x57&#yMn$4BEk+mv3$;O1>`ZCywTw#s=Qu-X(qrfd-dA~WTLJUN0+Wn)PwKIwFS(g362A!zWIpDS zucXx;z=oS0xFCX@2x#HQZw~?XO0ylShj8kA_c82nwInRL`o`1#_tcfbCfMD3P^TL; zOZ|eYq76+ck)nu^R+G>a-5{_KLpQ#nE4W5iP*7@D920&+U+U$umkYA>QVW$$Blso+ zx)N7(ZFQp*P`B=^@}5bz`Fnmcr{Zsi2X_KQ?-L53xVLH5*XPFVb^1OcgFoCaFj5cd zThA#V+2YKI3S>YcOYTk;dQc^5YU=(wQhv#fcq=~J)AQE{vz4#n=sw3@0TP&v(uZwZfKjE_<|BVb91MzXB!qaLN5((2X$FYkHFpBqAQ`o0NOd2 zyTccJa-{r@>Lp=Ed|BF^lSA!B1lqZ9zwy+LTh-sMAt4a3_RSKS>9Aham_=jIY{6QQ zdBn2$rKD1IMn_JI2}C~$pc`Y;aaXYN&Q<^ZwbPtI7@+_RG&qj~kCgP=$q6z5se*9_ z@H#s?&slircnNKuwgp6&n)8D$u7tLsz(2c#>rcg6Ed*1AUpTC5^;=MqCyEa&n;woZ zwHh47DjxpqvU9uLqCPIxl1bwYD;IzAxHDt^1_Ps3Z9)RTt<{(phKdc2=G~6~ti3jz zz#~9KY+~JUYMg)cTtWo;!fI6(8Su28Z-uJl*va%Q-uvKeAtYb`x|%-mXT5 zr$8Y+LjZj9P15W8n+tcqX8_)9o<%PJq--tv*ir=?@KQL7KO@f`Erkj{qjRNk5jRaO zE&ge%S$~nh$Sm!u6a_LxUHXdt$6eTy1=ZuGQj>HdXjpO#6uNXh&eHTG)m@f`gM2-D1Y3tpyHg zEK^%EB~n>dTpaPXnGG|V%cgHZNlB^P=1KTD?rL(CNG$R8>}x5eE3203h=__(gMN+- zG_P*%2AfZqQu5w14X58NWT}O;mU&-2M5;a9@w(|co@?LV4-j|t^iZ;}e5ep~u(!9{ z>18G6vm*o$hxm*sucqZ$!rU2)&6bpGa|@4Gw7-!s-)9hCE%ZelZX{GTE`) z(ZJgx`y~9e#T+JQGg!^z9o&=X_UiQ?!V@U%Vp3EjpQSlJa52Smm$~})UHN+oQzK{t z!@2MF(&c+QZ_uvR@?M?D;csHV8j$Xdx=ag*=FtijrG^c4_swb*3#5G4-tbju4Ee-h zvroXyMg|%!7xr{@t)pUQCcDER?nrUgq55a;JO~S=Ovs>tnkI4MLUj6E74e8e?}!#s z+o|WvRsGl>eSL3HlQEq6JZ=>eZCV^9(47}`-_6_R?5n~kLB*`9q4s-SMYtH?T5)LGxL+f2lXhJ`1p}@pXm&z zLUNH?onPHu9d)g`tRR987Q8Vb5gFx0HYv51A_fMO%VcZ>-o@GhLqyZ-8*80Er@lr< zMFr`1N>HvKMt`xZFkV1+JennC&wKEB{uRHg6*y38tL-bpw=%x8uqB!`ZTCD?Co}0J z*K2n+3b{&efL1=MOB5o}l(}JW0OALu5(#2Kp)W?w-d|sLX3m~Nj%UlQIlg?a!*^T5&})l_PGS3f(R@*!`$dqJaQ-#6(WdJS{KCbU62K8w`H_ zFpRg5aMEugcbBUt--Hyi8G8@6{0Ll zD1!6t*z5Y$?(S{?*B21n?Nw){r^m@-R6EG$baP;Bv_;_g;*WP13HJ5RjN0Pc3}Kva zCh{EJVY|w9ddEzI={zJ>nm`T(=GfG{uXoAl=JvQe5UaO0u5fK9CZ4ZFQf_&KwYEO$ z?d$7q6SkpR^MdV(cpco_SZg@&z1lUeYD|Bp>lgd=_C11_X6s;5WI^K3T*8 z@YU#bHcUM)5axSWU`kts z3G1qn-QQ$w&4~3M(masAs<(N98B8?B;o`8Ehks^)9-H}C4+D=e2^TR#6H3a}M&?-U zHa&Zn9cCsbumu{4w544RmJO%VX+vhK@8m%rT9=szU|l4RSw(~hzxn%%n!P7{&QdvT z)Ix=(OFQmF5UJk1`$R!on*ihql&4#aO_x&M#kWqcovj!AgEt@@5C~FIk~#sKBlq}t z*vx1ae?F)6JSqs;d=_-EH!ZB7K>iFcK;@t8d+39vTFW|tOB#+uFwWL_p=s1w!hqCj z^|4I`lf!#5Dby+)DbUHTu_wH)(bLmOM|V#v%%Dm|R>PWg1QcjQdh-}7`cKPgiL9Q5 zivU;r==*>)2xVKzpgl~5znMRFRPIFmVL$RAsE@P$KKoj+2Ta%sYR`I zi;I}=H-?bc6C(g-f$eM4@}Q$wQ&1WWvi*z&e|x7Ya&x+ARa$#t`JLg?J?}gIbh9ej zwqVIOu`*R*1#`yAi?)VjK@{LZ}icA%jO19h2v0Y>3c{k7bC0pfH2q zxJVO&dpJFS3ny6k#ULkJ7$LF&3zb1L)O8Uv(g$4e@8Z2+D>B5@aaE2ATRmJ?NnL0O z_m4uew~Pxu!VU(nlCu27K`pK={OA#A9nnzX#PMcW{@-m&r~-(?!R>zUn;VD_BEC_b zwcEP5NcbU&Qyk(RNs#<=Ik>CU7buv<1zjug&cj}qrpC)ULt@59*|Z8${AzS?^U$9e1c(mDgh*L-ktiQ%cCll zvsCCT@tWaa`NEW;bsR3ZlpF6mH=SLkfP5a1(ASQ=hv7gpvIO*@H=v*06GMvg5Xj)` zes$u#eCqg<3&!wwF|9u$o29qq5`|3hrc3YOe4sFnyW_c=NQ(!VUI8z0iKTW6dX~L# zM8RO#=a`aCN}71x$Ia7iK9tO%0MOG-i^rdX5MKdgq*c7hC~1EzR4j?Dr9feLCpmxW zD`Q0W`D^yfiOpmpj4 zAoDR10JxC2{TaKR(O0Rwp5n_#gJ3c~FW5lz*JbP*kg$#ujKKaojT)duSCLBlA3&9V zFxUDD&soITzOpv*QmI-B*U@YNPa-m-t#rv_G~b1}`|+^R84jcae&nf&T@F|~JPhv+ z-OBcAZUBXC>j3GLVOx>SDgY&}cemAD?@EO2Z?NCW>0f1d!+^Z*yqUX9gHB5w`_jo~qGb`zVr~yB}leE%@d4CQHKsP9{s@*sIR_>6^L$ zkdzi3iA1C}KHOcjCs*&k!o>}@m?@*8=2o*l1~$WhwbR3GQpCWR2P*cg+^rF@V3dEG z5A^;NVEUP>wsGCV5TJms32{u$q-Y1`uOpL%6ZrADWR>f0(4cx<35hw&?K<*WF128T zPVCD_PcN65uexqf@GA^wtYsee99-SqHLNxcxmMb?V`zGh6PPvqO&I6NxwtSk`{O$M zbrbq6s>Cn$f}|ze!ZN(ubLmy}SqKINF+d-3rEn_@<_uIyEgfGL0SR@3^KKX^^OXp| z%Xp;XG0Bs|BV@oL8qsdY(FHzn{9CM>?I+b#Fk$^ut)0v zEd6=g;;*8J$0!jh3qkM1w`Z0h9p^nEj0VbzB9=US{JFf0ch`PFqH}NZWAK#m!a2)s zhT7}p*YYHqC9MX~q=-HZu#>h<5M&*o^J&uQWuD%UwZCeqJX1%s^AON%nKMEpbf0H|XVSb1!xvisXat+&DM z4(1B0An7B;^i#zP7efQBaTkd@bvdj^Vj!yB8WeS-E{sjO64`i zxw_c5$Z$mfEqiQRse>T^eb<$c;T@v7;)-H!zFX&UmCm1m&rAd<&}nXXnfY3;2@m7R zjG)GPCHT)Ij#zVt**fm!+thj3AWfn|Q7s-F z@|y)nJ279oVS`w#4`|g_y9%`Gu>fEGO}_PdzPPl?aJ}#@Dtr5AVkjk3Jbdr@{S2ph z;H(#<{V<#Zvh!>?E5ok}35$l@P!hxQpf$BxFF#6w5`nt z<^?&L9p1WMCd0VK&6mx3@P1 z7`LmO^W^;IvXs@M&ayL-n_+F|MoA?@0%ara@nNvWX?If5i^TJ)lpg}Hl141;pLtOB z2MNvR5Vaa?WHkBKZ%!*`L&qv3xYCRE!%OtlU$$$e-0GMquka(#fqs`Aqdh5UbeZhE zdT6T@*;z=te~GgK^WlsxJ@tB6(wrH_%EE0UlKyp2<+!sjs#ysRTs(b=a8-XgH&I3? zx>J)elqB0+Hk(}46!c^K0&p4kAzKEqb_`z=>^gUjwl)OnEYukUeuSU|yVc>uS=5k~ z^CLzKBgwn%@^$Z+?SR9t>_$7_L>ZbMdofMf8JV+548* z5|re`y1@ijo53Zup}jgQRIi@+TY1nn%qG&t&pak^EeRkMpNtp%{wQ$@SU6%P^K;Pbe z!Pw9ZRP1b7fb*qRSjc$zK=?CR0AN>ij3F4a*1D4h$S9_Z2TKKd9BmTHwBl;D8%@BN zBnFwXZP$7{@88cF!}3eq%~gnaT;IeAfBi}*NXUv<{dK5=U7I)4X&`{bt0wW=&}q0(Vc6F z2*2KdFLeCU?yxf2D*)273$ z_wwN%8CNtxKY^;5bFj3vzr=?!uE&)(?`Q3Gi!a6i1UKc`o8;i~VP!c{(1FwWVA&5i zA0%lkdJwM!clPmjRs#fpZSY83j%q%tMPJa0W|pE>^-{T=#91T6?BpIQ%uztAyZI@d zD=Us^MQRnW^R-rf*${cX&MiiSmnVBOT&-U2pJql1@k-N-Ep2zIYMke^0M^rg30Weh zC;X+=fZ~C=VU1D?m#F8`JYA+pZsNzFq>fMF_FJoCIvx=k6wTO|Ip4~ zZfXldQN}Z1;x9}G>E-^Q{ZWfowN9ys0vIRMQp{EJH=#l>JrPAn@TmrvEOS&JG2vYj zPwy(*jg3Ju9nrGf$1frBI)V&E6jRgR!QfXuNU=vQd$DC;aGuX^ybNGEK}O&&p7uji z=uJRJt@%4a<&?_qUt{|hqhA@llVmWvT2aU>K2q~B1_`CThdDYrQoFd*$jQw$TzT}H zeVYqog@Y9aOgorO`&jbxy&i`J!Nm9ae(fS!mgV`_MdZjR-73fAX`sNS;pKT259OY- z)66m{NxpO{2N55d0wMNGnN|dIYr5~VeCP6zuMRkt4V+U6R>}pB7D>2(Z*Hi0!Yvfn z`n>=ycunS3)30_iWh-R;{Hp;+EsrqQO{tr>3$>YFnHCv{*xeETK*z#aHebG7Vj zdfF2}QjFFv&N5m~WcFK&hYR^!0HIJK`RaD$1|=v`-lwq<$=z;OCG?b3xyS^Kn66xG zf0D_JIM=h*dMUcL{x(%gR<@J$lZ^AxqR`IiqIAfEOHRFz;|?-V{rCu|A{c56cUz7a zfC^z{U0OzHuV!tCijV0CVO89?prA=<%vUDu76Wyk?XDXo93Yx?E(|PKrc_re;mk;i z>y#=2vyrVEH4TiKJ`odKvXJRxlyKtH*Z*A$@brb5S37bM{3`tjmd#!iTuBGh`WSPh zplfx*ux?ly2M5A2NL3||hrdUa)&N^%+;&hWG!WtzJ7PsmOr^{JKJYO$M-x}8;+7N&ImXs4y_1F-`$Gbb zE|M`APn9HtXS1R>Ct$aA*7ZaV%+P|)GLsRU)mvkc+uD>Do-|;dQz;jE44OecIsYLQ zrHUBxqf!A*Sx1|PqeMmChgGOd_|5P}E72xWpS*%)<9{~FXX1;A-D(AN?%&$qO+rT2&p5*fL4;T}Mo=;#QccF->iOlG>mET->N&#_q=8Z4K~@qqo% z(=Gytn+Da1dF^okVoR;j3(k5G8Ip%)fdWR}d#N=Q$>V^pw{=ht^3kaNnkBs*@k}1D z8H3kUdoapcpz%wd4vvhcM_P7JXo2FA7Q-0}kGeB@<<#2XDyD1=d*y|adJlQM??MazqqJH{Wc#2g1vv(JbZkdvfY-$Dg09E`y}_+VUWTQXWZQ2M7*c0 z4+tQH{|sr?G37@7hL?8vN)NMmLCeXsoFy5yggwd4M^oB>!Q*g*h=}-8w&)8`UkXd5 zjLk(noX^dsJTzBaHe7#65ZV#M_>+mq(EF({VD|55zAwGHoGn9ESDA_<9=k-iL>=5Fk^rurDdz@sS1#Mwyu}~Q!VfK&xI6IxXxmFI7W2o3k=K)j3>Wmrlo0P0 zTU+`vPw=!CatF;C-p20)Cxj}lUp^!RTz`GQpKyY{({&Swt-jWnf{L((DDSkoKD z2nrG0z)S|;?urzf0}I1=1*P$e0_$DT6?$ralh3kpW9jZ2aJPtovvUkwa5 zw5H|L=c_F;oewo!ZBF+GnA(TF(98)YSIYskD07cfAs4Q}j~ zTCL(0^7#{e=2&haUm3r{BZ*{>wdt{t1O7jYmLk=mjZO-Z6O%7D0BJUA*8);Rxr(QL zTnIe;wAo?~D>|7#gvFO>9*~iVNrxWGPnBOvKpi9UcVvl1%?E`Kprf9y)iO_{sI(Lm zAg_x0j#iwfzz{~n)iHLFG;Fd!MQPJP9?UIL|Ngry&`UTNJ6~a_l}-n|#sfj``jq_M z+8>z1vU+@mZ?`{fHCbBXc=Zyc@f$Eldtu51V2hA_$I@t@|4mz2Yd4A|i%^AQH zaIbh(y-1zjJR=;H0zDk9+6^#-1;qoAvjQh3G{y-NAPpHKgyK~%RD zr`j9L@Tq?cG7p?}mj1}8rSmRXetlB)Uaasq5z&IRoO%dEgSWI;j5ST zq_jISxL!0dR5=jpbT0u@R8@IaCuDlwf9`s{)Ugf-HEMwtV(ZY5ZYWjk7qLlc%@-| zd{g}yo;fx~&Ds>J74KE@(oe$_?U{KrHS5Xz9{Q_Q9vK10Jq|tRVWUd7ec-n0y*Z=Gr z^LniL3N+4A3j>Hq0Bk|(T+BRfE9>N z#)`cHGh8BeDa`n8mtuS(?$=UNbF)I3jy9;xS4=u{;$505Dk9w05LbvaAf(jD!O&Ho zmldY^`6;F+#M8Z*wDAhhG3;{WN?9qaH>H+A2S0*X;Jdhd^@k0Uk`tiVpLUep4Cs>u zJ#~RX;(RkwW3EaPaA4c6Zb(z5!tgEz2)*C4*yysc*$;XbaUGA~glR+v*>DPi zK!3JE>*Dfa_KW7gyobSf0Pde46j#(X3PBION_lECUJ7H}wnSvZ z{@@J4Cw(2Cn20tAl#KZo`A<_c@d?56c@{+|$ymk<-=Cj(mU#dH&$Bk4_y>JPyh8{3 z-FL;krgU7S{KD8psB5FJ?cH1(Yg|sjEhHkKege91<3&)%i38PF3XK2#e42zQTjsUy z^PW}qPX4B7*z*pa>aARQ$JoYO5J)?tdd13Ud|Ow4;W7t=B1z|2Z30eJ46qbtMCEYH*mAIOOi$w{qgND8v#;4 zOOZfy!_J2Rhna-0n399IfjO|J<9gN0rzl4U`kjNt1S{{&o&JYQC8yOqxA2k80 zRx&cO-&PYEuZpDN`awQ`C3XUwHe-nRLHn4OT9(s5J`899&?5$*;8TQ9+B-N@0A?CS zAh2veVmfUAXo^4t2#BHaOcGzeCL8cCyIEj@Rspizu%l}Plj#Ms%~C`7GfJU?gc;y* zdW(q-#500GS;AfN>?V{v-PfSoi61PgnY#f-twkQ9Rw}m&~8gy>#Us5rO)_ z$dRoJm%RMWpny2ew+d_;{gDjszNyH5s3A=f!fI;V;*n|O zp^ua{%U%ATGBz^K@IfG(7S@yK^UicYZ)p1mYOT((7E`W%^k~{o#(C4MlU< z2#{s_@Lf42*3-Yv=3I6uczP3D8V<&!%ME=n8t@!k`9FNU1y~epw*@-1N{57kgaS&5 zB1j_wA|N2$LrZtZ03s41-O@;RgT#PzNOvP3NDkpp1I&H#`~P$PbI-Z=d4LDUVP@Xk zYp=cb-pQZA-_I-bbXQ_MqOKWycv!r;5x6(7Lq0q!L=XJ1Z?{^j@3||a3xulg3Vv0a z3x6l3{I8}sfB66gS(YCu@}4NW2{8eRCCbaBHBVMq7Dw%Mf3qB$AbUX^PV#w~)Mt>& z?Noz#&T@+C3-PByFLU3SJTkgn?#ca#`g`2iOADHwV;(8yxuLCFZxylx;b)3)`MHu# zvobAj=t%Dd=R1T)a>vVv^f_BzARlkK%?#q4Dyo2)!P2Mm>3a?MW ziT$sUTjK7W3R7QdOLTr-bcRw3yc4e0=EN4qN*z3XG1A|U4}@M)-zrUi9Rdn~`uNJ= zM^Xz3I;F*rZ&&E6_t_zkg1-N5@M3kCL>Im_Tb&rr{X6V^Fx-t89Kz0X!sK$Fc9vK! zy<16IS|o&BUd~7F6n}m=!RvSFJ3liV@fY}w>f64?nL+ds{>jNgk|U62C~?>;AeVvO z9j4!&vXS&Q!t7GKAkg;~!P(oheXTfj?NbBszSW4xP?QfGH8?k2VFg;%*kfcl15%TwSf1u7&&Y`w?m85odggZ*lM2QG|IKxK`MVS#$_i6UmA z>pxN>7Mned)<0W7{HE~WpFrwSqL3XUpWQ+@fU@m#b9ZNEW*qO@5qr|nH=)xcjLp~q zc6?=SFQMCfFEFlXa=DJTl$MMd)hIOTt^~cm#Jq%L~}t@s{8E|fV(~D(5?>xF)K?sZFPWaM;Z z`_buP%TnvYfV}J3sQI%*9xL2JJe;Hnr{fedDJ55K@6v6a{ey!F?Ma{^c?{nd1_}@V zfw@{^P&E79W_zf=S=#1j5w8=&p+(rc4G#oVWdD2Qcbsuo&e~F-#JIl^`ZZlz?~*2) z`_syun-CCh#@wd^)m2Db@6(1c;|;f+?tgR)R_N<~EUi+(&V=8{^dl8Ehv#nSOdRud zHkqz(WjWP-ZS%c2du+Iu%f)7)%cPOg7y`lIy;brXpr`~VW6#;>Q)GsGl+LFNF`oOL! zs|^YOENYAB*muULrrs6A2%(x3k1h%^zg( zHW!BL9bgC_AE@!gVv7sEueadb{JsrqFDL70R@#?-dyh{S?mO@;ZDbpUp9-sN2}+h>7< zbpAlLCP5KqAuJW_z8iOSEi1zhv#=2^wsDJ}y#AQrb38VuxU*8}Gg+jA=esu>xRJ(tiw>lKkkG-X1XD3GzY|tiA7Bz} zD7QWpr4b{NSoER-aqf>9qz2DUIdvcIt=oQ~;(RWBeK{;ZJxS##e@G#>UOBu5Hv}-g z&YR;HAYUVJ6#mML9C^pVnG^6A2H)rPhe34hwU`_?JCEUxxi|9cLABKsF5ub$2nYoC z7LXmi2ht^@!zq1Dn~_41Gr0X?kA_G<6VOwyScy8)5cmG-BIb*if!?w z#pboC%X7grA4&)d?CHI9d0JxqrP0cV(!)1?&s;M9NaZ2d#-BRN$aqn#T|rSs_&X@W z?^<#Uu$4H;XQN6NEA=et6WdRMlcn1PR#si@0}VWr$seHIa1o%&o)+gwMB&$3YlZ?$ z@>L&^Am7F=r1vckXq**J)2BIc>Fd$~g*lEk35&OPP{pI|5f5u)f9`#chN4t=^yyy#CSEr5$jPr7iVnApxH^t=}-i z+}P0Jv=II07_&i4NM9U#C`g%kI=7Ukp%}}qL224|nx&tfK(}@Ge=w}>j3QI0>nv#+ z{l4|S?V)OJ%h|+mdD3*J4kzmGw=uaC47%CLlE~9uIaWG-aD+g{zUSW#$F&u*)96tR zwZ5A{Yf!7Vc2x<}<|^%(SVevBtALw-yTnbjCc~K!gVSBjxxnpg3!jkHA2!9@6H~CH z5_3x&PsxF(Qb`@S0ry&&D^NPq;xfyj@1X_QH6UGuI`*-~Amd5i6x0|0T5*quAnr0F z2X02Rin2WdO2DR38qgQVHnX-ubN6o0PKq`5DXP7{zkkn1m<^zF2S6eMmd@_To%sO^ z(~|?yLiGZssU$vQmi0lM;CJ%L21i{klg3g~U#+#o8dcuT&M7KUfZXiR`6gYEB2@V( zEEQ_^LS3B&u(yER1bzN=XNavHph(|=4W2jlRrL{ls1Z8^#D?2b z^UcAZbJV(&PTeJ;qazGc|Iq69B3bWiN)qD7k2f7%oj^5DC;tBZ$6I)GyI-5HGojvr zB7;E9x4P5&l`Dz-!*{>mK&FzOPK>rx+r3j%U(bJ?sLjpL%F-=uCiD7DtcpdgLaIQh8~TU^el_ZOZfynbu4U*Og6cb*g&M?_p0=9p@z=q(e1;tnHy$3I zk=j)r5OC~fUF}}}YDhm#(LLhz=CIvFwN#nrSASepL3jzssJ;(W>TozbU%N&&bHf(I z)jJ1zRq_tblMxU|slF&Nh=PFg4aE2UV3ytjoX|{v=^)tfFP-?Mur@`y_&5cU_gWFx z27L4pz{FWET?9$Me)RGzFG`4bH)E?FJF)*cA(7ei1oY6`5slEwoKK6qhYrl^nFm3Y z7{ByTU+KKoS5p}!uGL(Bw&(5wxv@dTX9csJydq!SziFxgm&0zo|B$5tMPMJfKu#bg zvdM{e=|I#;QXHvTnMX-1(JLEO z(K^DnmQAOk2QXtyk=&w{ns?q}Yf~vvv%<1-uVs{_=GXyiW1LY~<)|8V)@~^)58i4_N5Z)B+ZeD2vAO-MlbwvtseQ~># z!@U)>DR;e4k8WUsEUcYRnG=?}X?Mn=d^FpmTyF5gDe+|!diMACUtD^+&{;02nb+JI zFH{@L^b8+#D^SjPtLV5@$*T?$ed#`#vY#NtTEU6{2dIU&$Mhv**ed{E3x!mtpc_hN zy?|0_L=b;4CplO-8ZtUArU5StF`$5#Xr16G$PkI73cA`q3EHU}vSmSYq5}(cyK^h{Jov_+Ss254YAH!Se?Tx=BmaLj^&Gm=!&(o^b@G z^q$MH&ppmhLkyOm&hMN}-YqlkENl6B_=_Dx`}#7UH9+s(885MHj4bspqrC0C$&Ram zkD#s{ly;Q86;3B~Q~dsNvm4sDhV~}nAGheApJ^P~6x9SSTN=4yMuPWWJSrs5pqR&C zS%^|sizn{LYno_{?TVwC*8=61Tw0qox;3_2H0Qj%7j@<7^zkPSi0rSiTT+kWN-Tc^ zh2DdsuB201+({E2>tkH^Vo3&(7?mF)?ApImJe@CerZgRt#;1B(TOr>2S6;x|fRBib ze!{^6+B;3YHXT7iL!FDb;dauTb#eEVwJTVWFS1q%gyjUa|8)WObLQHanEuU zQ5dUT;pbvr8+1^qB=}FWL4kttVXu&9N*dzgol;U$(25c$1$Rn_h8l;_DmHv@s|&42KDQKHsw9(5|lMN>CtD=Chp-AVs4fAQIg9H9}Z*sh=@` z_lIxOz<*&jZ%Dd-b7|y)%M-rdz1dMZrs@t_yG#4(d zhjdg~9KDN;kIj-#o-`lHl7c$#(oV^ms{(yD7*K;%}Hd#`e_ehUVuf!Z1c z^Ze?t+J$V+{@`C(`LuYc90SBT{D#ajG|Heody8~Fz9neRA)gI{GsN466m9i(EDZPW zV>NpoPa|w%i7APYWd+gEWY&v-v>PtcP(1ZUp71)MP*38AOp?R{{spX=pu{(MI%8WwO36unb1UP! zX73YUP%9yuoqiuzi=r-a;PDqvF`TP7wk1ejZc$u~{`ZEt9-HaDTkqdTvboA}nu;*2 zB~)8^NMpvB?CU%y4Bu(X9^t0;9x(0UjO+U8e2#HwFfBf=tM1Q^`P~$4kOgDf3t?pz zO{^;_9FIAlU5e&yz<$|Z`BLVBC%xXHaKRdK5B;XmrsnoO=Flqd%)hk&al{4GA!{n3 zhwb6pDxo~%X8j6%q0`0>NQY37?kLRdQ2Mus=8-_bHtwu-todA1Y}=oMD2A<|J{{Ib z0|k#4m}v(tdirZ3oX4d9-u!DMxg#Q0TV6L!#FQ_zht8px|9vtF^qVXkn0|z~<8}DA zS6iMD`8bYPaF*qs^Ty z?c}pl&0ISAmO07#KW6-2hc)2Y3v20O_~lnztroVcq}xmPCRx8b*7mDgp$jK(y7L8c z&L#Dcj2F0zqIe8+Li>aRF142uO%8&|p67RpFMLtsc=avcv3O6W*bAedpU(JUx@oa6 zfwI_Jaad|(-qfBV_o9xzGLo$*J!|W~CyCqdrp14J8rsp)`wvy<4nDElqnWmFL<`p*nVC=pW^EAw77Ysgm+h zY>~Q^C8xt?zUYwGbZDGE)1Qxi+_eb?_^ zdd@WK5q&@~kyhI^{?U(>mDvGSN?9FGXw>|vnKVG~iQ;;6@&lHyf7Xzou`iJX?AU8i z#^@G%N!ju9{BxH`|JVQCO#fvAuBWj;jK~UIP`VWg-osS^He;(5UtKbR(8D#6&&S6Y zs^nnLV!C8_mtm@9L?z3q(s^m&^rL+Bk^oiDZN!pIKQjH|TaRN(N>eS1slFu4bwZkB zZ&(dHERj_8eZ1_0ncx3-w|`HivM=rAm5ScP$*CDBgfwbz$F&OA`apr`1>IXKj3Fyb zHkIK#N<;?+8{?32I;Tzp4~FKJQSiaT?Qxj5OF$<4iQ`y@Q7rVkqjlT)af&1P-T&Xc zA&~{|7CX8hADDN^$Er!>vZg%;CKCs3{}CPX+l?kEove zO^4y337Jl$1fi6y|De^L6}>o%invjXYm1KTh8&ginc$(dn6{&~a^0Jy9Ip zx0KL(uq;Jl!^s|cP_z(e5OMQXI{9b8}bHn%0bFEWZmjh>HJZ%jPT z`95`Wwv`pi{qKqTA3J{Sg)zIvwatz>k2^DqH~lEpQ!c@!E}5Q;4Vu|DkYqx=Nj{ewPS6OIDe(345cIao* zmJwD1*_UaBX5T5hcUISGG(VBHb1R$J)_Y-vjwJeP+UYN_PkSklO78XsAb-YBr<@;O z5N7$%Wiycdk0JhhezzjpXMGEc;ig(L+ZxO1I3~%dKCE=moXn!7%HrUF!HGb@P5nYD zW1aV+Hbk*2?4Us4*ZPBE1kKdj?Q3KG z@Avrc-|lcBcj@V>kv1(H7MGG&Nx;UUs$%@iS|ajSo%1H|kmv7WS5i;oer@KqxqatQ z3l=<(KLD;&BY|7FvqT+6H(Ycx^#}4wWCaxHi>#84gWOu`;B{s8S?A|2*n9a>m+v1S zIaQ(h-Q1W;Bc%WP{ckX?Et~2qJ%Qglq4P-;!0TjYel0Kay>&IBa~OZ<6=2S`ygah6 zMy{f42iTxdr;@!F>?+N;E9Afa2*0GRs4bmsDU^X-Y9CuI^=2)CQ4F1ff`-cbxy9pO?Y3Lt1}18IhZnUr!xxnkh`(5mB|ivQ*am;q?RMGwe0{ zjO)uwX~|YvC(}1qmrtfUhOhc%>bXV@<$f%NdBI6Iv$-A5PlYxtquj3@*jpxoS{l?N zp^v*?t7h;qan?Vs<`YB;2X6373`|A-pX(O+A(l?SBazok6q4aKbl?6;OM*KCT>$}= z&0G!kE;^ClgdOeQE?td?>+Ab3sphF`z;@GTj8o#PYP;Vt2)Ow_K+sG+*Q zt4b&o|JcaaHS2twkqn84qRx+r^;oOYA1V>;rxo-cR-J3JOdfJdTRacRBFV|6PF#eA zY;D^Z)(_=?Wp>IsZ%7mM%?KwW_`i-(&z0fkC$+(CtFk6)k;=x*;$m7*3FW$l)99}v zhfzNtWc^F!^u*kok}!sYP)RoOp988Wm$zRO-p3G|X?M&&A|3nV?MdVigIO3~2R~Kp z-P(R8DA1*|G{;iMgqGW~Vl8=zmOV2IuX?8ypA#T5V>fHe@vCTpEwHi_n@b}l{pqdL zf#8|2!OnPoF|Q^?SdS*1$iwGvZMjIoo;gp{McmA|g(PisCv5&d?OuWO@g95I{8?zZ zeXnC|TmlwEy-Y9S<`Rq;Vji0mvSX_UfdJR#ciaLYgd4SilPKbb0b!sGG5EDrlPF*& z>bg!vdm6)lN1Hx0QnxiHW*LbjKQpU!Hk0wA&63yS-278We!$UR=tBHkn{^puUnl-{ zEfw=*2Att-7XwN2G%19e;66@8C`WG2XN>vhSoV2sA-{f0|9SPGlF@}D^9Li66H;KG zx70fzuc}YbV}fMHQQWfXSPz(ejBF-OAnx4`wP7R91D$JI5eYy4-}{+1rC75Dm)_@? zcec*zgODAZ@;wCIB?S)UuwiE*ulvu5pAR2B!hv94_&8fH5rIC1L8exWR4Gn@@g?>@ zJ4oqp&^a$F2Gg2X+ht$gKltSApYnO? zO67(v`ZY=&ik4mDV_4Tc!@wp*=rdd57j3tf(g!xe$B~l>*}_rVY)36?p6+u$WnV&5 zeBad--ex4emnXj_lrB;`c}Vy6IVQ9td}j<;=ejf`YK+I2OP+0t6nFK^Yfm0s#Xdfgo6o3&2ipriCEaq#dMNF&YXh??fGr+P zUB>7kA1(bC4*X}jB29|t%5RdhqJuZ9HnP;zDZ>Q{iGiNwBvWpK==a$DyQzY;(mO*g zsEDDKG(Ti=t-)n3C$;;91NAVP3f0U4Ze2%)hiqJ3{dS-2*Mu0pnABNp^FjQU5Z%lh z=^sOfgvMNSTl8r^HrjrpM8Jf}m~(Qb;rFL%#EibUZ+sYvS}4J9aM`RzD+Y|?yFN@l zj&Qb8v$$kKadu!oXIS*bTxoB2mQ6iQU2C3dkyX{dU@br#wvdgVoa?W+Y{r+(2Fa=~ zAq0G<#T~fNawxM}_l-h31m2FbFin}xWELfWRCpa6;(0Bl(mg!D6D}gB`1xZP=8E** zs;Yhb{uEEV->RXdOrvM4IhYVRv*AHJL~REPVgJkkO~aZ;l8cZy67d#1zD)V$ep&us z#`9lWZH39r3?p|a4Ik3;n4@ESvudU554uyy{dbxU$&K-ebRzPxJTpG^QfTN42ERQ$ z;$q4Dm7;c~@*2~L8FWrTFF%Pby>Ln^gqIz;K@1JpG8k5$;9&jG1<-wbdaYNNq_18a`d7C2j zt`ZEX9j+3(#X^e^HqWA1EHb;D~DBCS=owrm#?fB;y+B5=wz6= zJ~!b7jd*A2e14Jog!SENHE zvgf{i*=i;_mR%FWAw9|^sA=Ka+CHwCZ5h4NAbBB+gRJporiY?ARB_O6(pzvO$qxb4 z4Jw&n!!7|nJjXn=32Hyzrkau-{4xAv!Qysu>C$$hxE~=jQ%`9t#)0@rMCI3Uv`J@j+D9-$qqd-`Z8VZ!S0Hf z3EBg)D)yozD_<=Sf#Y5FR}aW8bxKXOrjuImA(0bJ7P?#d4l+0S>}CQ-D;WgctRvJp ztB78EK>{^+ z?{n^3{?B?J8!;r&C^dCx;E&IrFWo7#;gR-ys1p7+mGXFgn-2u15uI+8%g5=G>Q&3f zVUj6F=hBPkENrEZ5zV_c&B&+>A13r8B~~Rn*mnUm+o@SR=NwJ#>Usi2(*vieU~PQ& zQO`+e_RWrL;b~UOP&d&z+VK)q<`9L^pSnE`_Dd8r8$qb|W5fvs$6mYLCdgIawg?+V zb$xtaWr?kAc&8vtvHOX-`<12F=y|;9L6FZi4yEODzrrE8#-p!kFGT*Kk0$;F{G?ip z!`p^J;~^0BV(9h_cY5C^T^1Us<%Q?Qr(Wrq0CYk25377%ZmR>?R~0DAmOnyXVI$4O zfwD_TN}}Q4`wg#OT}Mk;%6?Kgs#03z-bB$r{5H}(ZqdzlYaa}pTHJdTc1bzswk9~I z4FY64Jc^wkH_}M!u2xpan)oiTIP|~a{`#I#)odEdG4F;V{Jp?)7qUMw9YQVQQ(4tg z+(b((dSC`=P4_`%@Yn*CgFEaLPqWE7r$`~Rc)fmOa(lQ=afl771x6Zlf8%0H^#ZXP zHJz3mWR~WIX(my($|r+&RJG<6qrHtp015<=?< zB4gjjB8Uv%jA75)s7t*d?|u}8rg&+DemL^Do9!sQS`+keqGBsWZTjSwS@k&ptBTTp z{Z=f>7pK)>{tc=ov(`iBr+RXOxwzFsC53DOEF}RBqfoc=F37>A%}teG1nrUOJIl>R_V)G8Ftvl3O`UQwHx9juGTFwLAs=52|ueWy^|_tq!b#mg*BoMI=Vc) zUOXZ#$$Gitr0Yvx(wI8%$cqeNcD=kL(TVpf8wD|;i-USMy9s;|Dij6P_YAMHOx=+s zC%+=Ph`?AA1vboLW8+t%P_}Z3&UsqpCIV3Ut4tn6OG`HY?+l0d_y;3Y`uCZ6{hS8* zCusE5q2a#pKe&^&(-hA&zL&nd*gZ3J-}x@&@MdXopM&#}q8N(I@#qjkl3BFHkfF?g z%JueM*AmqIwl8{Y_4jOn#01NIV2Y<5CL_Ot>R4FshIIUPg&Yrhdn)RY=S2`nbR$17 z4;YXn8XA6dF(bc+ff$EY#Vt^XN8IN-m-o@GYKo(gFUV`Y3E@6N(P-A22>6-n%vqH+ zWcw(5rX}$n`6IDQ8)E#xQS-*$-j`XiQFHWbJ94y)m#Vg4%x(ibyGI7L`*NbI<*;Cv zXVLdN1DG4X!rbIC|@rya- zX^J?dU=?dCy;77`BYr5u$WXi1O9spP$`J>Ps+jcls-7M+TqCQ*WfK?yRPdTpzt?0(?JS2PSV(`kg_7*!{oGA)CQ* z6VBlFy%{~S@JC#aIssA%TMggDO8+SlN;v@90DVeWa%VmFx=UUE>zv)8FNBrhxgF~j zYEOE)-t;admsa=_^4#T7{6Sgmmh5Z_w8y1hVs6Nv>Sw~ot-HU+itxZn9qh>2G1!@j zf&}6R;X>!HfoAj$WdAJRj`pnd+N(hkw!FHohIsiSegAu&J|jTYZP|$H<*v8ve56U> z>T+w2o0B{=zSJ4JNlH!~63kK|de+ly9^3n;u^qBYkMV?&D+(Rk(=wXgd=;0u9xKRL z&-_gi8FQu)vK6|argh1kMWpt6qBQh8+?Pd92P3gCl%1e`e}+gWi?6ySi;HX@BFQTb ziT|{I#5EinGd#BpKb_4T&q_{{+j+&ghfxvACFA_IdlUaLvPOXId3#xxB-xMElE>R| zPXuo&>ck(u&hAkZ!|D43NHFZcNF!TFQjj)~B4sx{dd$HaJ>AU2ce^FErY<7|PXhDy-`|B2a3x z&1d`SA;s>oOP9q5`*jPDXavei1fUR2HzO{t>>z$>R+AX7xt2@j>Srt%y(Wf_983`A zMN_UeI;)f0Wo=?tmv=b&+qPWp(qY&QG!R1k0OrHnYa-PeNX7`3CG-$-Gd!BKc}N^c zLL^OcDPwg*OgkHycp?Y7Vm4O#_|Go$v);SuJ9*&H5f`Ji4e%e3t z{yhxmj4y+3%Z4x1a&~*b4qJUnjnC=5C`QLd--6qtWX^bX?KEC%;L#EtuKQ>}bBTVZ z7}?MbdpQe18HMbpoU9I^2R0rq2v6_JXX#LAfoNuZzQL7c9XZML)gTJtVH{~q86Nopx;6S zYu|QRBoWz%S~?&n+-LUW+hUS4#t_jHct*tK3N=LvFo9R;Ev1MLjeq^n9>&lfx6HS} znD?&l*}^vuDK7DPP( zWUhS11LnL0ErkJGEDo&Fv|9ZfFBhpNdP6^=+h3}pBO`iLd8+<9EAb29ioepivoj1Y zxxaMtxt^29MWI=d{(GpNTyRT{3 z{>b-x-Mr-aRVK5c-mcK@G>Z5<{g}{d_nOj-`6%P7>(!iVNKLlNs+?3rTn>n=#GEm$&kW?j$;WU8=Cq+VR zh7w49`i2zF$uZTeG*WAG5IVw#Kt48}Fwlm-bFJR*apPs?;lWZA@g`pMKDlo_llH-$ z|8rc?lo6m9PJxVM_^X$OuqS%ge70I9b^O}InLoAsA^GFXgAtOkLAsE-D^k_SxO{RS z+@CuEkIbVcXfJ&oC?>%Q5sRT_Y1~Z8G|6lt?l%~YRNkJBiV4zK@}xhR_Yt{pmLSsF zS<=B-jvsdROeP{BN6Y$%gRoG?z^J&scIjBAAr#$v_wzck%u;9RuC{s14(5e3NS>Q*hv@qoJ3ZjUTpaVs(FFSm zVJZbYV_-?830Cw!y5+&t)~o43&6IZ59O4mZ){>^!@ApV%OUGU=;N068=3(B1guT|K zFBB!Y{U-%4twopxtXEIwCsQph48GU=W?rsWJ1J|Kf0va@#&rsD8wdohLo zUc8OI=#QDMx4@4t)eQymVuPQfx4GrXt)5%Ad8L1DgSpMWHA7y1Ol=_JzLD;GNeD9k zzrN9Rn_wP<7q1W4&vb75tWq+L(l5tH-#e}yb5-X*I9;_Lk7`amp-S_@_4(2W(Q#Wd zn4CW|Un(UmtzT=xa(lVvXM`^8KlC>D1x-L#Xg)3z9gf~~U!<(gHM6B54-hg{JZ3I@ z{4`~pxP4cjxu^`r#z}s@>-2ifcayK$uhFVtJc40Mz7ud&pEpu`F~1K!CAe?U?-jUP zHzC_rRO4r+^T7e;Yiihc2Rn;0GsTa7gnaZe5J}5an$xE3 zA?t=3Oh6%vL}g8td>n87CH>o)bJC6}>DyZXP>ydr4!_1Bj`@tfuYubEwzmQI?>poK zxQ5iY-lFM8;@3BPJAM>We$1J91!E-rHju}V+`x{O^}If$0AzR5PT+O_+0{F1WwV#8 z8ywvBz>hZ=4(S#`OqDDJ12OW zIN+uTy6pJb>Itp3IRzS^!gYm@yM0?LIf@s`3;L!4!KVD#o$wW??e09c3|JCzB%ZCd z{Wa@5;$fBrfYFk-(Cu8)u3opgg;T4k)9P{6i@gfee%%J>fDumnIhh}aD$NOZ)P^yY zHagfhTZE}~VQ@lqF8WOIMUyX1hoJwKK=d`nKtFoRnTT(rcDriP8^uWeHgW6*_?NR%Jd zt&b^^cl+F~ANm;*57z3ESoH&NqZXdYUp2h|OGr{l|9i27=g#v!NhODy*YKN9zqT#o z{bgi=z8|qD&9Bcw=lM{zw2l5J0q z0|UwaYPXgXfc#G&e!%v15NZ%heSMYG)7$TMRUu8xeCs+U16^yOnpqJ1YL%eifVvc= zFa36CbdCHuv>V8D>NYaux8wOMHEP+<6vm1z$o~i(n_DkLeK2?!5F6WI?kGcKR85tw zvQh1BmQUta$Q2(jL#NY#sh4`fSVL0e3Ca6uLQLV> z%(l5zjk-Xb`L-|9ae}uM*Ld?`i|2wcg?p5G`s?pEH1+5$TgDSyLPxYF&U**NQVhiY zS-SVnafXsD$!}msMo0UDHVdG(C_m?VqP4{Jg>>FCgg06!3d+h;++wC(y`=HKK5PNw zbek3yr@J5AR?3E2J{=m6eC_rP8d+^|3KO_YVEviGqfp|U)=l3;?pw9tfofJfIQB|! z==vj=C8R+2Y}muM7st$Sb-g69(cnofqNmdd?J>qH3M?E|8c&Cabc8i)r|n8CJ-0(2 z@#&Zyy(A)Sh99;s16r6r{Uj&5zgjGiC~CzuI;x!NoaMI^!T3S3bP5+1_rzv__C4+ zZytWgL%yVNh5;F_QIS5q{9z%eT7ib=_(tVivNFKqiru9uhqmc&F4}(er)A%ZnotPC;EKs=>FMf!Loq;hd$v!m$c@8hnTK=+0Kv=ZRg5_F!lg@Vj58K^w)syW7EJ zCW?xEJ{A7O>W;6!G7HPg%HDeV^l4;#{Cai5SHHhz?%waUMo=Xxpv9Z=OhNSeyuEyl zJUC-VtBjM*EbO0ta5MN3@JO@9RYX><-=OtHp2F@3no9a-pWINHa>+gLlxZwCgPjiW zly@Ss{e2M0IYcV&8U;b~Z(Xo2IwseTeqIULbx5a2bVZx8S8%dYK_a8cUbxnk)*s~- zjg;El)d*wf5+KgCFgoAyc=(7jjD>lwMb2_I`^gn@gO&T@!%(?%rzQ3W@oNabeDYN% zL81Ov1N%scmD%;q>ZSJlIddH}d6`Lab+&T1T-ZZaKMY0m9O@*1do0GcH;ugee09K0 ztZm&!D8(i{9Gif8P*?-%`u$1-!;zZ-^UMFC(Xf|udhtVSv@|A7F@?sGB9NakYY7*! z@MW*`BvfV_Ve5%)JAa#WiSG_9wV zJ`2B|6>REf2|~WCiY2c#7~dt4Zvzr#$50150YZ zn~u-sTe>&r@>oH=#G7N!qGB4!Ei4KE>=WKZcwxSW*q*lZLm+@l&jhrl&0KBZQi3M! z8%4!-LbMyr^?w5I%YfSc(m1@h_?`Qot2sk0%0qltM%wV}oA1qCaMqNWff4(dT>6c+ zeF;U7dwWdiLR5_D9X3F%%Q;hv-$m;5g7nj#wa&CSj8O_-?)2XXYA-#2(4Oth>!*hM zbpH|YGn3c~>APTE;8RD*L(w;andfBq6OYrIuHvkVKKZImoRcE8QaCoxX^zLs3eh<+ zCu~PUOnze%YLY^BQ))AaIu7=$gwToXQnGz#JKam@N$>4%T-J48;|^wD#byhqZ}5LJ zd=#u_Zui*en}wjr5F!aLcqSg|q^xgEXY)`b@-nz40%!iFt7DAH`21|gpUH$Xsqz@7 z5&GUO{PT;yj3f~|C?O7xSm2*O&L$=%{5Ix~mak(&L898NSXmZs089lM?r&gTUy6}f zpAD&j18UO-1HGKSPlu?Ko1C#hUUa+KjDQ-w0md*<{ZWtTk!l&^XEvkteXCgS*OXHY zsX>W5)0(a8*!*=_)860n6(WE4Uco-BM3Z?x*}9wH_uTP^ zWI(&&>7|dZ`yfsIntxTf73d(L1t$a3pP><9{YUKhx2G_>Bg0#Cu&SKX3PA`@+z;RA zOYQ6QNK2OoN;!e#xo19&Eci!?JOfv-< zo~pithUK$k5Z9`1RHyI~NJQ@tgq*}U1RsyOj4tlPOpSyDokDjiMCwm!H9Zx+E|Ab^Yj zU*M8?+Y0=bmqhnD`W>SYYa1B3(SJ=2?Y#ATB_Yqo54Xj1uStsw5h5_-64Bt!8ou9{ zY&EAPf%~+v|(M zv1j$tqkH4%JNQDJG>V=&kzPOg`#zd!`k6eKu#JCq9f{-qXr&aT!tWFOXLgemm*FCx zZ2o{3pmn8nGEww4YPp9RFri(jqjFu_ll0)e0pV}3D?8Vr70?_Wj8*W)nkS0;EWb{_ z8J_W!?{nhDgR2-Kwj-8F4>aH-@?#wGjbQ18k9(Z}tVA|9y)dmSMkL>TCgNV zZ`Ojc%d*1BsnHCdvJcBC=e54Ll9yG%JubE0R8d@|X{Dt#xszyNP3Ec16H&>zAAKuy zXFn*n{iX@aciKB#t7AXsk#G1-e~cGxs~ni)(PX-T>^$kSD?JBS5K}X6?EeZ|UGMTW zhE8sRd7rU~-*erm&Qsr1@aDbdkbs3L%ZrQp5Dc_;L?P$*&_5#bV>hanwzWq+YZWev zfNCJ*tr>M7$Ksr{2HC+{7G&?ZgcRitL=Fc*4Rj^dA0~3MaZUt&AD4S3kB=dnLtGcn zjTHO%l31k%Lb10;nj?@7j#s$zNEg%$AiIvTw>)z#DhF;|Pyh8^{Er_!;%`u{HU}ta zgcRW4DdJ)oIGJzn&eoP9Ort&oL5yr;rhF^MgQmVZo@u15V$`kWMvN`So@!{nD=LN` zSNwHUx1v(8k5Cy+9OZ$!u*p&en_8qYh+9%|lMrnxKso zze}wp?2x;$lFNqmc5rqJPwxeHT36;AGTbOVnEhnraEYE>%BFxL+!YNvF_09(4Kjwxo9Wp#~k_h1-oAct%&DY zz0FqKzZH{-)++ykihmuc?A&V^s40@O9|TA+(HsnO9Q~hyoz3jXmgMX5OPi{ajmS6;8A<%wPeS5n7@?OahzR~U;cQ|KZT8fF5eRgrF z4d&~EZnU>v`D6b!CUW_w1l2ZBRxwe8TQ1k*uGs}cg5S~i>g+~xpB6t1PIF3#f8>DL zPHqw*okuAUu@rNL$dw6}%Cjxj=g@_3MyvliyZY0qaIw)XGKeZ5cI#@rcQAzm5lyNf zR`f{Z#vv+x%N4? zYUv2qi56dSDvC^Q>P!7t89BNAP}>nJ0UvSFV_eQ1LhZzcVhU*&g(7=zwby)R@|x*7 zRb>ZlS;0q5K~^L|>MWmDb z!!zot?SEeV=ap1|=e(87{}Oi|8WWQE^}$~3aYQvWt7zP*B3V}M+yKjAS@niVz6be) zn|7Ng$Rjyu!L(f58pq4>NlI&cihiR#9JqU2S-BL=EilnpGr4PK%2?A`se3=7N#{3$w8QMftf3q&!6?r>RD)nz4lGDD*U1g4X{ zJimHJO%TrZAh{~@?bOiyg1c;Ew)vZ z!Jh|*G!m8&NOBewVGFC&q}^szti?L+oyE;e3bL_MBQ?uO*HT^{UEo(|w}Mt(7BefB;|Y_}bj zzGkG@(X^j> zl9#66Yt8i^T=~P?naXZA)XcQV1ef{h1jjYLym9Jh_Sp90+@N(hh3_9hg7k*F5#h5T zsW~iH&uxgq5o!Dbk7=;HvW-WU8nOJ?2N1D~G@2I?r@Osf8XrxZ_$VyTg+*N*lXY@(uMO*Mj!Xe>0~(-eR%vU=0DL4+Y6NHtnZ<4V6~hRwL59N{@?XM&erO^M+?%uBtUF)kl}!Wn%!tfe`dHt{4( z_{Vr6ehLh}J>p$E2kr|Xxr3jqc40vVg^h1O4B9#nDSU-$-zzyf;39|?V@T_>qVz89 z1!GI)ueGW;m_)^-+D{3#|36H69B}au(y}Fmq2;iUA}8_GL(*ljp9{#+Mp~n75?puRcf% z@PH9(+am^xKOF3%kW%}3Q}#ua33QH@DJ``}XZe;dXt@~n2thIub&`8>(tWnkJI4gI znbRz&r_|ga@gY%6HNSEPjtOc+7lE}&O+qbbxnKlPjvLj52v)7>EWQV#wmGI z_2tqHlc|WtjgP;07P!RzWfYoWGHM17b{Q^IGwR>xSPdDd!1E^0^n64FOpqnQoB(Uf zPf2A*u%vD1Zu~g1Ui`BxH^uRW-v12z?WF4p{Sx3fg_wGo0Vos3x*@f2?%%|Z9O>&G zSLoT4-Rt6P=AEvvkG70oOy8Cod^?a)513z-_%GiYW%DBZ{?mzPj(V3e8_5sr2Q`t9 zfGx|Nxx_#4`COH;-fh$n(1-TD#C~e9xzi^xc~>*e9JGjG zhjs#<&|Ray``#NEM66&~BQ>Csw;3|L1S={Vd1b72>JAw%CT#fi8^|vjJvpQsrDNm@ zgxGKcL7P+MuV&8y^6%2`#880c)1^~wN5LdMD8C@r?0V(1u{>j6QZicIw3UEVe_z(8 zNb9#&Eq-vwn@Iqg_cv#psdZ-e>hH<)|Ki-O*4cDHHvC7OM|E?7D$&^U(ctAoa*1mp zqNs~2_KF?^=x+Ca`czs~OD$MnFOpkK=bJ9-95%V@4n7|r?k8Ra?ZeUlMYHEm%f5v3 zwV!c^!-VKx`n4q`D^`Ok(J&bdOUhH*s93pk^r}FhyMVoQ?Yu8B5L(p=l({1f5I%A_%R9I5M|Tap+k6f#Xz&|O zE8QyI7xCI60qgv$8yi4?4W-0NmBwM}f=nPF&|Ik;YLPFUZ$4;mxmsdzUm$F01BjNc z8?3cU?PSZyCOI@V@_eahOX9Su&3k7l)Bt1GFjyc%W*o~FSsU6CnJx{KVU3=2%UMc- z#DT%~`BBCCwWd?{&Wm~V$7Pm%&scmcoYP$V!7|uIoXu#CV!L_4F{IgQS4sx^7qH@s zm1F#r7}^}OC2D0dQ7}<=c!@eVVTWlKqO>$MgH42k`}-q^$}O->zsQH81zS%jem^AF z+nk+>jcc@C9MZ0N$-r$ves#>V!yohSA&gZ!FcHpo6BO0ZLJK$6jRFojGfYkts+(Vs z1+W=Yfg}pmxSHIQG+_zH$hd`>R?=fJ5NhaR2 zD7D9;0wz=EFQYDf*w;4_xEyW>jFP7fi?FsZ&oJ?_P-n(e%ZUfObiOR53`h118qw12 zsP+v8qK^dUKExQV?RhkXF!#Bf+9L@-ahaQ+)!ie69eM>F9z__XPTrH7mHKlJ>gTHb zoaUt57(7KX6#c06hZy%?0WnupVD9?Sqmlk<8g_7J1FulARwVGExJ8ed6pOA~hNN8tCzE@$stNj+gV*S;(L?+4+`@1k85@WE`-4gYd)_IF$(C*5PfQ&GjmytK|SFe1_H+d@25!xz=!|1CBdrBn`e)})ci z(goq9^H#R_^m=|vZewOj^`(q(HFw5p6WXc*x%6`vll$~nnpT)h4|CnH7k%kTRq(r} zv^H^j9Y6Q(dG9qm+x!~uKe!EzRhG}PJ_-?OJeZ7aO!w1zZzZ)*8oQqsL$$xZDC5@y zQSRWS@>G^UcMUnVZKrdjO^LDM8^tgE_2>_lV*NyxL+5nT801~2US`B} zqNn$&I%fRUic$8zFB~T2ly&u@@(Y#9swF<>=HF7?Ns3V-e%hvzC$8k(58Ok!G&u2? zcD&iy*`~XT8RjXr!i%Rws{YZX?@SWPogM$yS_bUNz*EfMJ-K|FiHIC~S;uqUSE`?_ zp7Kc?J{OJ1rISMZHb!dBKCQdwB+Ye*mi?bqgVJ*64jG|H%iEkM)bq;KfbQQ1S?W7> zfZeWKN>&@n=zOj_M9y$Ia^6gjtV-vu zi1@m-n8tE*g_z3XGU2d$mC*JmU9jmk8oXF6ZdCjMkujJ=mF7r43LY1-lPP_DySR=|yn&B@lu*O}$7pAVamB2|~u< zz&qIrLu}qF#Y=#*ocr0@2E$_Eh`9(VPm&Qck!Um55RWoQ=q-d+Kz?bQ2=+?Ix|NgAt7O@Ti?k`HWcu>JID5^U%zz9TsW>yLKnIQn%%AC zO5l5M0B0E~B(R#qpuv|n7gUlX#?)A&fV1GbJ5D}3enk-RT{JJ$P z3M}7tXN<-mTBo`XA3k*1BL>NHQf~yrvMD?;uz%vYJ0H#L1g8M3!98jObSs`-mV4Zr zhj~dnc`^&DE8Rmtpip=v9E{x(I=4HSnwptFyizGarb!;VtQ33Qry*HcW60=e{lu$@ z!fNl6FQp)A%nNByHFsZ^St?Q|>_6<;43+-nc)aN@0!GYj*9zMJTV&b6ed2dPE}bA* z29WmU$Ys+V;QI$-Gas5H18TYI2-Mr0wsW8G`$PEP0acMoT0r4e!d}B_TpAVN2x={H zBU>mD>iWSTzOsv&S?Y~58(r0Qk8s%yV+D-+pmVpxGu9J$ICDeT5el>#e0E@@)Iex< zqdcO*U9D5HRAGLoE9v9j=?=fx;m+#I)qT;!BNfM4%y_w1Q+kk3efe4Jgo>c$b_uh8H{nU`F)YJY-7Jal4i90QfUtW#0I)a zW?<2vM$7w)v4)!kv#~A@coLEye|zT~oAjoA*SARqO`C9c&OmUTJ*?`G_@B zh_AbbuIuj{t0$Z-ggdoQ#N7UA*WtKavg<}m{{5(9<0%?+wWN3+i?+36^6dX{0a}__ z&G&bM+Z1@<3NY+b_OWL@G$9>4!shz-tfKf|JtUv?bJ~&oQ@AnG=Lg<_%*@ESeUrus zI;-8(hF4G&lA7ZU1*1VLhy*k2%!htM?FeeLM;NVr9IzpNVsO~|OyTP8$P|4rE3O%f${01d?cOpUnBQX|Fh zbEj92)}0@Akcn5hjz0VJr%Cc;tyrfKiNm>1p1JkU7{#cq?{$gCdc5&OPC>>upojw& z<=U2nwUlO2XCb$<;E@tt(0;!=%-P^8bLVFvPtHZr@1&pp2li$u_|qC8e-$^Mo6hrX z1z_B>=0#w6@2~R{sN>(J>M^y zVyM4^)DGS-^8WX6BVK!fE!Gkm?Kq0TVjin00^AiEj+< zQb{@WDM5bz2!2-PXc(9D%=QL6^9i+KqenP1ex8_psbBQVVi0wQ$O`74cfgdA4YEN@ zd92f1P3Gfo`erf7g#zL2!jZp#GuUqJ+~*{II z!0biz?TyALPilkerU>^{e8sO2FiA}_PkA8G;i7@n3-IE@%s4c^4y{}Kee~4aJHQ*PrPR}RLXpY zEByddsn=>PzXngeYGe&52v{f*vyAcgLbh7zplkR3`urk>!yCC8o*n|#`cO2VOSNZO z4JVJAvi@Fz6v$*c;U^a|E$Mx0Wbd6k3+vYXNb%L~qQ`9{j$;RB)s70C}EzqA5I_U2ZwvRk2)#9rGJ}Cy_p@RJcc6ZoQ;w6K#6R++)z-PK%BKaho!Kr z+y3pSlf)nol#axM_TN1G4QFEu%7lf&`U5|;q%F{_?C%G&v!kM%=pM8gLd{N4Bbql- z*HbUlUFABc4E$gEn{5CW1Z+bVYd)!n?7?G_4!x~q{M7lLDvI2B_DO$!`ct&x46Pc{ zAVTTV!fZBxwR~A6#M-=S^;`?=>v$>D)i=jh?d z^Q~~fq@&b9?<4Jz4J#$}o6ahV*yaEyRmp~D6pP15r1=Ot5X0D~$F&$aUrXFF72f_c zByY$u+(*r`iz*hN7AKYvpb?`Hw2!_RJ__jw1Sa!0Ba(UJ?L3r$=p zSr3QUKvAje_?>9OI{{}mM#|k0@c?oWR%v5n*~%(lNL=OxtLA88oZ{F|qQwT9K+ zD|AUT3m*V<01~X5KT9cvJhi&X9Z1N89*kQi-g*M=y$Zqa`A; zR?0Cm|DztFuf1=qVgU_jKAA)$m%i;S~4%0V?h#Ie_!McqSX@ef+OcC0#+}FRG6=28r_nI-P z)(e5OF$#cd!r_VW)t7pASa)xH;c%YXJ`*b;2!_Le)s5J$QJKTN13agw=w;7jhHOmh zNC0Lz!q_+x$oE(-EbUp$WiBBEDQC#gfrfJw&9Q4+V5zgKt-SOIL}+uAnjDVhdDWW5 zN_RAMcv6y`QdsSr8!hyr?*%B3tD^ESG%w@1mG3Rj^$m0D?>9xG-+CTpCIg#?ZXhoy z&42kh7F~^($hQSBn&4sn0D5tWc;9OtExo4$ zFdN9PPyO&1O9Y@@DSW^8O*q8Fh%%ukasUEVYLAJ!S1Al#_5uaMa4SM3!98(mQq)WD zZyU$n3r#d;`jT4GGC3{o)B6-F10=~VhWD^}1`B~Cmd>wi(vrg&jC_9&PJ-RncT$Qg znTB4D<*E!<+0s_^N8}1!;I2qBCwje)tF_ZgSwZKBN?1n(9Ul-LPRehztlC`k4^h3I zMK;*cCnU#?cvq8)*!@l>)cU8i`#uZh(lVLQpOK3ecMa*Z1);N3v7H1@ovLaUvg6M> zRgZXNA@;ODyUfXIf{#zhcri;U?=G}CyW(7~>E?Whw z<$jn$_hqwb)02E*TfNz9{1@p}n3VIdu&Od|haNski%z>#OCy&8DQ?K-K@*#t{g5C{r2e&FBC(kjE zTwN*Q%+tuLS*S&iX4usx z-^D;ke;wV^Uy148*_oT4=iEJpHt#`dMHepQ#yp+t1CD+4yz#JdV~R(u9Soh^Qyg>d z!*JoiNTc~c$Vcj?D@#cyiAULON|LA?50K*G(0rQ)CgAqFU07pIVKJ_ zjH`^_y!86_22t}OY9}sKgDRqhhjKqXXg_hnq_=_z>l|LopU5tJuuvFb{twzLRomV$ zD!i9zHHQ#q9hq^B$!sjTZRn))+2w9ha~5UK{yvT^?@{SDm0u7tcD>qzUn=lZJzMW4 zBb48MGy7wgE%iY}g%`Y5zA+Bn7h9bbBTsJN;Gre_S;AT9b6wpg#G#zYrh;^QN?G3Lm1e{X<*X48RX~7 z@m-tHu@Ax7TBIm@1bvSYgP$j<*+jyftETCE-nfn?3#8bR&^W}dobt&JY_d*y$T-fSj zD1Z2Hx%7JPg|+EK{j`@EM+Y{-?csCPavT;^OU1RtXO%r{0e34Z_!VdO(M!QAF+`xI zi^*7x z1K8aDe?G2?Q+qeHzwUPQh?l2|U)G|3QwIt6Io=SLQqYJM|0o673|lY`uxvkyg!vIP zOc%e{=ub^7gK96f5>mbWx)1b%)FuO_8of$`&w9U@F81;X0&(IAjy>BG_GYM6iAGNW z*S}uvAGM8QzArCF?ZO%`_1SwN-J9e2*{|SnI2nt68&K=4&ml%)Zlih~v5}d0e}P~t zvzFu4t(DY!V~4wmnJbIm@~iD8J^D|VrZ@)Ow~q-zk-ImoON)P0&9#$FYL-kmldk}3#^kScS@*KQ!oTE46f?(JJ!mGnV${6}|V)VZ@EXLPl1Sjh< zzK9Lh8#VLnm#ZgPp1@W^rgY3F4(!y(KnT`3DV~VVv&!G>;!}!1PHOv9+JoIqL}-=r zpL@|a^!YdyTYBx&@Co?^qK6CkcvH({uPkc`Qvb>-dQ^>1o(k^tRA5TWI?KFdh@<3b z$a_W|V^$R#WWAmJZ6)!Xgr^PlGBoz0z8&R`X5Yhys}1h}zc^z*cC*)x3;1RtAT??d zjL_xVX1S5iT#72^Vw~U>x4cl5@XI;%yUMl{o6@8Qmq`|G3;R`0FkKc=hd+sP8LHo< zO-L6l0EPb0IhtiTl^IKWQuJCGPD{DV02AcbK{+VR&0^FwbnTaa>mC&w;W zu&%$WhcGpiJXHy27lDN^(>bA2Y7@9UxcT5-t7Bem2N*ih#<4)c%W9IoK!ki5CQrMc z9Rv_bXSOL(_Y!H&Upaq? zb6NjeH_lVqg-%0q@GOvIU#@07T<~=&ommcu&B0tx8XxuOy423xw{ur!x>u!tLEu!h zB?4{Ii3}?Zw9BVfNVIuuI|vFhShk;V?x|`2N;%o`5o)l7^E-`N8r*O}(Zi=?pEOuI zwWF37_a+<4aDGAmZTx<14)=DNRz=5pMqYj~eK79a4<6gK`pqp+bh9byTs!$~E8(5Q z9TV>5F0(65hfJWC3o`YqACH}hg|w%pJ-iS73DpUJRgN>hAb-0>z>nP0c^S_CL+!2E zso{!8fEQ-gh48d%nEd|Xx{H4P2V?fiXTqn4c^@+GRHRnAjF@4cB4|uirM7PNG{mXO zun9GtKS>bOj{ycHNzg5dsN&SqZ0@d;{RK6=Sqvb5>W-1^FXvBp1U9apXY^2nHP_kF z#sN6Tc28Pf*lp0c?cnTG1rYlA%d+n!pl@4=D8vT_ocS<@vU}eCLdE>$Rd>`ICnwc* z8Qu&R{%$Z@27YxW&GOWZobsM16LBnK%n0zeYWqecE23S2(D3g%o}SN0$%=8M`L@`g zL5~=5y34cOl}C~U&++hpa<{d|p*q!kBc;y9Lu=samk0p+b-}QDaTmqPFTd9oI7am320qJ4IY z5~opQpf-~`a+yNKHN6-H>y8ym3RZnRXUsO!orILW;lb$)N5g3*&8W>r3_#RpFWcy4u!qlB%AMKXoD6o21nK?M|Nbna?ZJnS<2U6hktx31vjL8M zJ|VidZg~y8)1d<4l$!SYuDD&>?DkTmSSE#Bub^Gw?sDiYPXpxhzWy=H+RB19UDp{t z1?Jew2i7C8Q9%FgdelKWT&Y1n=}2ZillB*dTST|Fi?0kK#Ut}pCoNnuo1@z-7YKXbwG?=6U` z%uf)ax%}QoQ`$Hytz~gf-$`Q8V$Hwb>7gugti*wU6Er^mPkp_Z29-swxoV z;S+nK3%P47P|zl>WM9^mVANN@6} zK=ikEzd2mA@Su@PK-Wl*y%w0JH(!Li9nVfclFI+wQhGL?T_hE8lybYbVBn1g|5$*^ zzpW!QXp?O(z8fMO2E|Ysf-%ws2QXY$H<#EKW zc{S`euGANF6e?eOIn(l8s1`>5t_?iaBUF*Gu(w=b*)7(KKox6;c z=a1?lDd@S(LiI>l4I93y4GSr(xzg=}_(HwXew7HB6WTPv4H$Jd;Lp_&X&=;jr0smv zY9}23Trc{I1GOt#o-p{Dkg#T?EshKwUCSeJvx!>?fS?-0ei>RyA^8oeB+e?UN>#ce z=nBoi3=BXD8w^iYI|t>xZeg$WX`5Ue(RuF~60@FtDu0J!VN*WGD&qGU z$(MiQ;h&F=Nd09XOma0yAIePx1MD0(Az`+&^l0C&-~nycGDm52+~8sE%U8Q^8<8a5 zN{NE@qiJ9Uxmc>N1SX#v@{GI>*KTd-z|AaoHh%XNt^8Oy%fiUbX)Lt8dFuuC8gCwE z^!e8*NA*b*Sh9JhkGbZKCk>7&n$SH;&jz0wBDop9H6TgeMt*$vp;YxnlMh71$5OWB=VJK2=n%!?=ZWD@N@lq-rjs zQgXDy_26zAw+{|vnln&h5Q-MV38XTv{4tNTp;!U;o?LD7tLKvT76fmUhq~xWo!Y&a zQ3vBazw73mR&?2)xE`YtHoe{|QVuf5=_$PzD$+_g+!zsgb>zDK_azH-;hjUFs4LQ5 zU-&RrkfI+{G)+5+2AGvW*zF^@YbgdDqRMQc`~>pz|kq}fHCex3N< zd}fv6@$yV>4db#MNbhZ{MKq85#mTeSEImf^a7e1`zOAouY|TGB339@ywu(P$`_iTz z^+NS~-XBE1-5_o=7kK&=c22IV>SJZ{v|179(AznSqUnT`G#N)HF+o2l;bhM6_LPeG zzQ1y8o@doJSjMyK!8NS6;J2XNc~iy~>^C`lL*bp7WpOyO@k|&4^v~NuqlVJ_WGU@F z*3#GcWKLu|<4sN!*sE{!<)Y#~k%1Jr`O^m2c@M>ZyO0&)TuTmTuUwNXk|{xB#k!_o z`h|bNV=x-sf#5N58rQ*H_Ii}Uh)aOaj*~O0gevyZ=qfJZv}yLC8lH~`-(O`Z-QhWl z&9!}F;J$~wDI-0n`h72Ft!OIvizy@L{Dp)2drGN5Z<_R+4$0wfu&_*-d%U|21St8< zRK9}A#%tH0<|`(FzPJfQd*=Ap%LeCi)rC0MXtox;j4HTo3b>EBH~1^7(gT_mr?Unsh0TPF7g+gu8M;fb4bfZ=?3mRE6N{^y?+nL8pad zYnGzeKJ4uS^$)=K`o!ukWbu7nrc@(YdhWQUvBFCKsOGEv4t>0=!RQ2mtlRaos#8_M zHny&{($^*C4TEyqakh4LP3T-M>h;$(^SONw3rTU_32yuh=xZA#iP*<(${By4Xq9GF z)6r)-Q=Zq?W@3>2KzD;+aaKJ1}as03VIY<)TAOz9Y|AosZI zvm=LpbsbY6AUsUfXSJ`?(PQqqh?Ro1IP%Bx3SJ%lj^3P>3!_B~wfdNoej{y`B04N2 zBs=`eV0rH5NU`0)Q*q;8W-WKY+Um^c`A84+`7kjZ+4o*IF( z_D27=kn3>-Ok2ZFf>h=S0%YkTG8Yitkyaml=Y>2&GOVKItfnn6c-FUKYkOwE#$IM- z`s$#~5gxKaKKrk0#750i(i3HZ4xG{^CYfi^d6Xr56e~Hrlbm*Xr6dX`y&b;-j)&_Z zAc147_kN?B%%P=E_OZox4pH`Ubbp`Vx~pkNbEPaG}lY=EKt}m zbdKPTMC$Y@_0}=(zi#wUQyU?6wsYrs#26k$he@tR(TZb;j*=}!)_(tClIa?ZexF;zaiK#1p(g);vy~h-GkfH zgy&}6QHY%3G?$>*5i zL3&F;0qKa%T_8*wa9^=?9BYArf$o#lxIFOCvpli#h>NXMhz%Id?vbn8tYt7kO%~Uo z_Am!$()*_CJM85yOPo8k3-FjjAdpSs@(iVkpZZE0=;Px*dgG#NJ#`7x zY_<=dbv6-^#g*t=@J4S5B}#T0zK#n}UeVBB(#JQ(ojxa_SWj2>ks*g#l*q=!$?J*|hu-ay3@t-{EZU3!M-JV-<+sO|iYLxQvQ^;=) z|HdLp^D`yoD)-}ffyLeS34ma)|ZzwK!C zVruwKvJE4OO=>lDFboF-7n1)L7HWEHjE0_RcfMYBc?xxf&KR)A9X2J^3IzKgU)pHj zxgJ{Tz-rdtTxgooy5C*XE~MbsXZ!+__D1EW9Jz(qfzYFXnDx^9p5eXl4Uc)I{hH{N zJg1&M;~&|tYd+PM?k^{6{aI^ixSSIe-!6mJZ|W`f6hz$S87S!N-km&UpM1m|)WGdr zDh0E@y(Xr9*SAU<_s>bT5$1ZV?=QXq9si;A=J34g1E}>8P#gyaG@%_`YWbCoKL)`a zD_l+%*Lky5Gqovv^klqV@UnbPx>&8NHS|UyYuWPXuUSyjg0%YXK$A~IMG^CFtNL>H+0ffOh@hT zDE8<5p-|37v7KQj$s}N72`*NeU-#V8!(1eoNjv^`MSJL7Owx zH(R9k4aixB!Aq#9F}2s3a?J!laOSC}1Cqm2dIqQfP1~jSx%+X`8~Bbu4q~&#;h+N? zmFUumQDwiSI3zWhHfz)@%&zAf~?dBW+a3!p!`s>Sq-tK~{| z1LP8VZ3C$7&f%A6t#)L4NTl%Ize7g!s`roht~g!tj@G1+Y?nU*x5a+k-gpBQ6ENPI zdnp?C^we9!a;^7c2EuNecTCv%6L;$A?t*wtleHR3?{&6%f4aDkX`^CX-qZZ67?a_^ zD^OtOdVl1cb;_=#<@K4k;De~TW_Sp-n9V>sWhT_Q{!hhB8`0pT;I7C-@5vv2-e+l& zBq*(7qiD%vnyzLKv}n5Di=0b<(fBKiv)R*2g=205@;JwD9`rLS>jtu~H$_v(unJk` z((EM-zG$JeX^t#v*wWLb>MkzS>4N@N_1x!9~pVK~Tzy<;7%|*&IcQ%NqeZY@d41MQc(f*yO+T(}dKs~#d8dMY5AAg5# zq<EruuM{i;I_`y4baIEYWs5$o40dpoI(UR3oT z0Ieb1ksl=HaaNj2?A4>~0hisv-~+e?p^r1zWa?5OL;TZh-RJq?c-y6kdvxcXK@j$5 z5BmSt3_YdOXcuf*0rzkW5tvg9=n(clGtab5p&sMpDqeYFSjYC6?M94il&mPO_2Uw!tP4`7dvkN=aO-*qx1*Te2yN0Ljj)9B1jE`1PKRZ9>^ z2E*|cUh$5(jAc4^j9LO3dNHwT@Adi(*NJMx(jjj~dyS)OzRA_+kh=X(#D|T2rQJOm z;1>_fa0P!#O1f9nWJvy#YxbAAg8&o~LiC@}vOq|+JOefebwn<+%MG3%@%dkMk%L;N zxIU=0pr*8gg&3t6ng|>aNs;RSM@e zmO|NRm>Zol=WpLEqB6kyZY-3$j`4t=8yd29%Sy79!Vj(7sj8==?#YtMo^8drNCZa; z)!$%O!`+;iNO(zg1DqlJ$9mRH{NEOY~v@2!Cukdtn9!bNf zU;pIFSTSNy1G8q1f3W2RavA^GbPj>JHgoG0Q~j!X5;G^Q$TW_~nz1hp9$Gg*)aCAF&sIZN0s3?~E zi;;_sfhL>ueJb4UWSzKb8B{?)m%ZH$Gv9Ld5p^+HX?dT+@Y{d!;X9)q2ARZr4tSfy z;!=wSD}*?|{~6i}qn#X4Ds1Q)a0`@a%BVhtA(yyZkNC#;k;GSu=Y8gVMZ}n_-b0eiaqSh$`l`eUhT8@3k>>&Toh+gJb!7%T4{BMU${b>k z3)idq+p}9c&yvcU?g(0JGR_DB92gh#^D?{aotr`s^WJ0vdaKz54NSRn8xHtiuMQfO zpv=hib~0!*npgFuj}MU`{Nx=VSoj6lfJ^~RZ##RG31e$~BA#-3TFdv%#$dYZpsw{I zxU}gD;I7Jk2DZ5?1*yn+pxBH83L3zQ>0R%JcmJPnI`wXJS|tV{8bcDqUkH>jHcuM7 z_7jd+@<+#4RN}vNP__3@SGo?cmxM0thnk+>q10!eUkAb!lk?aVP+Esnu0d`01shju zy&YyX&P~_(qZlC%XR2(2Mn`wU-efaQ0ltSRsYy|2_Yd#i2Qp+Z$7&485bM`Cbaf>f zk+dwt?(FO&{aHJ{a9Nmxy?XJ&AlGK1f;$6xB$DR4UjL`4sC`Y_5HJ|OJr>1D6RzW! z5XZ7GZJic_Fbbe$e&*PDy~}ZG#;M*6BGA;-sg zmU?5kt5ZWsU^nP8f2_s4EQB8yOV}2z@M5dLYSBzqE+ni>JNLP+1L)CJ#9)li7tj9o z&jP1)YdC?rwE*jv+9mAXS6=BOFaG%_vW<|k_vd#4_*qG284*J5t@3HZRoF9|WCn)y z+@aDK9Ciz9hg}y|N;>xqpMXB=1H99@4o}zIr3sva6{Iq(G+imL0l1Sqdz#5~u`;47 zmzPI3OV>xA426mV;#+R~%yr{>R=WBwT2(`s7iS<|i z;yj61Vu&p{Wbx{1D|R`YI=A0VDdy;(wZY9B=+Sq#Lr%+2s=+J^Ozw#B<#={J5ldZ) z+$eoi5^A`lJ_-K#P=@)|!RqUDm!+|U9CV_h{vq(9?S=>)0Bq8TI|nxEjg7)T?Vr8z z7>xP-H@(bRPO8T4Jo69X3{iQt)MsKjfiA*KseP(U0+~~k>ZZmI-_%tLi)E<)a>s`s zGXkGW?N{r^YFcCQM!Hev>;}=mHDRv?1_G51j_$Q~SbKTolym#3FwXN4W4!tS2^{M1 zGVNWHTu-t$qQ&vRI`QDT?BTjMCB{q)8SEB6YxeSpHSloG^xntWdGIOgmlK>)cS6Cp zW%X~B2dJbuWPD6FiJnXT+)U$Ri^?97(a>YXxR3 zXjox+!xJ+c)D0K2{dJ`SR{Aiay7)hqk^evUC?~e~V?B;*_hES7s#i2M@OhoagFXnE z{$XZk3u*oONU=dR{z1%lAkjn27XK*z(o}+|-r_3WGpFj|hQ_harFE}y5Z0kK_f)A* zS2vdYTzf#ZwbF~W~o>2 z{>0Yx*Xkn{M)D;9$Zd$2mX`o@iJqeZLgO4<926B9cEBEhT5+`VU-=rVv`1^?5ICrV zQu^i>0)USm{POggpZVuo$KjxU>C)miE*AISl@y>^j}A!P+B&oAL0Hh&^z@M4-p5Jm zw8i>0?fa#08lmO`{-dMi&k8_P_~BBgm+LBZD3_2B)yIz$fRIeAed*!#2@FNUXtWDF z(?Bk0L$Ae*M*J5iZbK8s1n*kYjyFJ}Gre`DD-#bKLoemEw=-XzGwY3m)SYLMT?@7V zR3eu|!Z&LA=8bvw`?rF^`v~oljU5vK1iZcV1>wOc*^sFT9vUXkDRNPw4F~~zXR|jE zwa)F&5XNXf1JA84K;lNIJZ5Ka*WNj8oe|@=Utief`)}}d#To_m3GYH~P7axo@0D&^ zK({SWECH79FCY*x@{aG6#<-ytSFCFfj{~B1AIgYdHQ$`*^BoNC-~jH|PNkZcjO?B| zi`ypSkZ)JlYwx9tLq;hJ;m>XSk2$UMqHhOe)?O?=`) zDizdVy;7;)usjaEut}%O6z!vm+DwZ^2yR8Cs@kHa){DM{JnThh2b55?u+XX5U)q&( zYeotFdy#=+0l@T_-^I}fZ+pg~8voEb$ux-_5f0+&ExeUvd`)@JJ~$q~gY4 z`qqd@n0U$KZc8q`?$LV$sCv)C7a`s&1!gB|m6k3Q3lsnCss-;9Pr>r$3UPTJC_lgz z)P(_br&?prfAUU8UP2em;ggXslV2z8ZPo7V$C6o+b?>}F3jb(Xz1-=c;jnp3NbQng z16Y^;q>zYPeDFvx3rgRpUV5CrCiP3z?p&sZm}d7K;qyC#4}iqRywevG$N4<~OsO*_ zmKYUx`5uV@SxlemgEr}--x!}=wgQ&ra+M6lor`kGYHu+0e+mlP8%~+O#?#3wCJG*0 zFyRCFfP$zneGA~~jpV8@S2-_~j2r^Cbh|T z_f-A?&1(pR4zNK#IzDDz_?evJ-sChWhxYf!0hyz7+$~+1cn?C*PY;Y|k!~eDt5lUj z=-I9;Si-B)Y0h_ieDY`ApWBj>jZTg2rzk`=us1V|h}2LenXR*>edah5rOGPZz4r~n z?teQLe0cW@C0lUqg8zhjV?%>fkxo5nv0k-D)$=)OO!8hcJEa1UT20)7-#|$%0OMNY z?P*iU%Y^r~DLeogtN!t0NJIqbj@N)#xd<7X&rKpCqQ65!3P6DE=eD2el*w0^theLx zDzYXi&tH_FW#X$Rk(Fup%{V7VV8+oxlatFS>H@AqK9kK=)tsNJk?ouBHx+ucKD{w~ zH+ECYkwjnMH}afT{wCa}1FK0`i?DqIJoxl68ny0aD;;awkHgV_sRWvV%WdhkqW6q-()SfSs zt3cvY*=g%n(W08HbGWBP-4}~H65D4(vvaz%Hvy^nja=I=j(Gz%CBcZDmb974pK|vo zrQhp~&2(gMgRo_Kh=?Cnb?aZ_nB)z9xcAURVAs763Qg%nSDkvR;sNTjry5FK4eM&R(To;!d8FQ-Cb2t<4t#FgY^w!sH%X zA7*oye0+SSYSs30_fmMFEkh&QZVLZtH3OI*%dVBiuRjk@J6qEgHNI1X#IQ;|)%{7h zgApI_E6l%s@>@i0wvQVg<@nA6PKD$h&mW!~*C?D|$g6BR)gXQL|7`RZ6_B6DyA(S> z4L()ilXijWq8Xa@tlfXKd+-Y6Sj^t{)T1k6>@8o&yhxU|2JkTAE30$HEr`g;H&c8o zG|WGn86{B3O8<5ag*edJREgQUKP-+iYp-1c1qM=Wj#pe%dv>Nd>8)R+Jh&s4n2CWZ zfAp{`q9|Xm&cR+DxsLz=(8|YS1yVrc=pJZsSzUlRem`)1*WKMnBlSaVIf64&DBzQm zHue7hm}gA~QRCnG$p==Z+iMCat%C`|ujouJ6sQp_fVX++CDa>%_+=A4AwF@LJI-L; z`z^^j#p)rDeM$T`xz{)@SavtFjSb;&Q7{dA5&u@Mx&u1p8qiDmblhv~KY_5E+YdGm z_u#E=qidXYh3a{0TemyHQm9-~5~#(x`CQe|9G(ag@BT+03_;-xa&f0zp3&)OTcZC| zoYR))R;~gdB{!)u>#RU@*Rma`HEh1o>5_ZeM>*wVhF!wirD(?MtY;=th0_e4czT z=y!fpSn7JD$h!#Ch0yip|JeUcqg?a46k8MN_sLJW1>=$6@4J>wXXzd$Nqd`HXIVLL zee4+E)u~4P;8N{LDZltP#=6P(0k!z}3Rv!H!yncsycww;-V+=SwqrYWAdS}$T5WzBMMOV;6=Vj5S| zEYQ~0&2Q|i_zSvu`S>qN%uA@8jf|pHi@lmHY7LhRuH7Pozsg1e>%qzdVxjZgI-_H3 zB~wLeFO=PC`TCu#E+uGpGg1~Xa(8we6oN&=X7T?YTkjoD_4~(-tCY%03K7ayMrF@a z$R$6#ie7JeV2ZRI9W{beX1`iut*H7s z9f@>(k~TWk znRdweW40iw$eRzCNrYX@SW}f*rMnqFoUmXvH@~>PVsRqDU0E?)KbNmbtv*hBUht=T z_R5T9QcYg+i_dj_L?e`6|8~?s9=Z>xt>N1n)C@ss$MgPBpbk1?@#BbR6G;`E<{`#X zB3%3;%}MUA9qhc|v-K|%QgrJp7eP@fbl&k6498i7y%fTdPN_LsSiWVTQ?ahI9Z z0<=YC{<|LUTV8_`-nxSrEl@laPyiRXUb5u-s@a^Ve8fsaQVnHJo`u8uH0yodG4R+} z#fNkNHt5XmSfyC{c6#I8%)6(RuByeWmxoRgLT~qYn_mJs5FSs@be`dIi%6jTLDg(5 z=wzh2#(4lx$g#XTo|wk#Qc_Y~$7y!;DqPV3pH)s#(Kb@|6h@BgQtW|NqkHLY#`qE4 z6|LmN=l51Y4Wzp!DbbK*7t&jTkY-9vFm)5Q5DSTV%R9@m1%R<8-z{3z#3|!mdk~=aVm;X++7p!Blf>wsx8%xe>$_iamIt*u#`73pw-kjQ8-TZ|k%+OTQmUt`6!wUo&wOZG;ql@@H7+vwF+R4!NlOPHwz%tx(Fx3zdd= z(&X=cZ?;-1&z2FOHl;+$5@nAhY%l!mxeFx3Dc-U9-77zytz8-~PHeHFqq-S%1&hU! zkqyX`uC)+pE|C2qcyu6nE}axc?2t-+DntFBBo$_!a&JTJS{RncCqB6G_UT^HRMmX- z-4{Ft^~Ig*+pYE%P+~q|opEXd4b0}3lvqdpi0Wkc;9ui(;RgLzw_+ie_4l{q?O9je zJ|cc5NlPK+1Hl}AE4QwIDsR`0XGZh-IHd_;nT31&GK@0g>Sad$Z&vQM#KUn}*`06T z4I*iOWc#>-Q3U?fx#>J5!_2Fg(8z8*`G{$W=lj{VK%5^NU#Quth-f-n?a=H0j#iQ5 z;v4MdxX*Ei-Yis6M~ChLH8a@&`AJt>j1XLar{)r*W!5urr_#&#Yal<3>;~Bix``J~ zTnipQTtsi|z7Al@(T zE{LSv4j&Lh&-B*wOy$G~EBN`!*$KnG;d6 zyI{mSn7PWnY6xthqdzP&7ml4{u49)utXnwg@|U`I|FW%2KJ}y4du^rUp9J-(CF!?) zFI%*+ajv?OT+l_#u3s0fjhC7E*<|IyO$&nQV!-_Te$+!0%;gn}doWtS&U?k28L5*W z5XERcIhEd)XhGUNfKuS~ zZ+o;HD3Lt`+MN32j?ac1lb(+I?Sa1%%Vnnah#M;dTF-zQ($_;08)=Qe@wMVCLF z`o(!~{R@0&Sf+f7>;RlCl>qYOO6xW`-c2Z1EFh70vl5he2fHQnj3*1R>RaY_@ECY% z$`123GNi7Rf&S30!8yIZZkYVpXgsxE`;`I(o~s*A2ShpRoE%Y?5x0RCfdGvIEJ}0s}h<}AD zDrVmI-hXtGyLN;g3)hA8jlVcah7op_V~_l!F(*@KE<*s6!=&oG%HO>Jg)&Eng*aQ= z>Z+;@Bn5!3^=luCyMR0OLRQFjU5@$n02WIVa?JxF4hwU|uObh)EX4p)#{?WOf8}Xm za`R7jVBLFO-dp~U4cILQ+p)8}HR))wkc4l>sHo zfvx;%Kz(3TrODeb1~3n6S{|iFb)51`8?6yIa1A68c7fxkvZ4y$cvi$+>IxH4vu}y7 zfdDM$OMv0bf!#Z`9|MfKl-`x{O)d=#{d45e;}_b5bL1~z*bIdegBs!HTsLs#>vg>L zYzHH6K85TZEoD6NEX;psVO0;s!`8EuA5?3QIfyd9L8eCCQus$ToNnorDv94M!4ik_ zDH+eV%YfP+di~oMYl^@)peiCo_E}PuIFgVcH2ihGhkkf|ae+smr_aBxm^!kRPY_K* z7PuN)pRl&>o%}KNoh`&m^rZNq%!1nE)rdeY0@V#D6H9&Ia{nljR{qeb{{U##pjYob zLFT@AaO2{wHSq=#FTLiNMzB83@#QFME9p6P&%zddLEM?*p%Hn*2gg54;F@iTFPOIw zzK^re#|d7lB$4DGMww6Hf zk?OuJ>G|MR=+)YWG;Q`iO4c_6EDd4x?_=n$2HE&dnS6~%-uj|BP@R)@Hw{TG` zk?;Ru?Je+LlX9HSEgsnDuF>+s#7g8k?yX(24I1qkE;qqRbutGZ$g`mffX2{=opG!u z1E|eMlZ=0g^$K6#kFdTaAyN3J0f^x@VgNQuKuxv-*N`?-CZGdmP~x@pQDYcPAogp?^O2FI(8A`t44nH8udE`dXqJ;7mT*MKB4}>6fP%t zoMH+u;}yyq0QlwiX-43p2Ieg!*R)VdgrmAY$8vjLri)fd>qPofK%3QsPz;E+mfOpV z8R~AG{qkDYS%#&qlVVkh;{oeTMB%us_xJGUO1H5`-%SCk-tbznVnvCDXZ-|&NquR} zKNeOouTbNIIiCho561EHl6m-2V!`l;%E(C0DUHj2^xSQY831MN$Dhv3*EdAqKi=K2 z;x1*Ed`?C-)yWQdEO}Gu)|KPYJAf66G^svA7QW)Oe9w333NSBxKBM04J0OM9!)XOk z1-{|Z00!EL+1>>1A|H1A2HA5|aiL@f)fcl_4^-84i^gjTZ=%S^IOuTIMhH-)g9X^a zg#uuo2Jo55SN1qjepgL2>t7EEC1{pWatc+vnWo~UXICR?J&1glEah8P08kW7uo)ux z#eBh;E{t`luAV<}`v5kQkJtiK6->8zGb-Rq!e-8H!(K+g7!WnlZ#qZhp~h%!e9{YU z)CTBwQn}>b^S@G8%6R??9UX07h5}Uk!z4foux1kn zlpE*!ZW*u~(siEkKm*lO7DRT+Si*Vh+77A$r1Vby+8-xba&BRyOQB5gZaiR@wQ!QB z&8E!O6}wR863=vpeggHr;~5i&bceRx(Wk*5_B|RE-BF@4XK3HnXV*gFm?Nf*F8Nn7 zfzUkU`bnQ#p7OSx*|cloD@_#K&52`4%9Fg$H{YfX%ap-uvZSD*lL(FMUZZR!^&cn~ z*J=gu^P}Su?~Ci)i{NXSr8tTqKWSqw!8xOp=+Y|gYvuf21jVrF`N+eLmFUC zTg+mO6hR(b2ZjyoLjVB0r4fYig0OKI9w%{&mzM=8Pa?0Xt{y0dOb8>t2TUG^U0R37 zS1Pl|1A~D%8YPDN3r*`frj4vELHIW3!mLmI=0MYSVP?oxHprGU&>u5hDx#_GWQ9BN zJ4Cc*N_~)>K=j=jysp(Y^*#KH7wH0kh{#Dc)d;f0sbFveg%SXg$ep_-_uS@~sBVZ} z(TWYGl9Gz8?>H^cIiHorYuvnjPP0Pw>RQ-WnS2tbU`Lb|_fg{OqUF9%mPg6EpQywt zj7Y}n#v_u&!bhoV45%bR*nH}81Isp&>j0pqNR8#5QvLYpS8CL5brolCdkp~58wQXE znuUA6qz3w&un#dGUV3}gTq;Jxm8P51d|3>oK3vti*jA<%b>~`xdwePM%%%SW#T2+L zE7|0S!;2~KFwpWxv`5PgOru|Ir%Wdvhh{uxKEBq$7Rq#|zoKb>svpx^P!JRy-ay;D6i(*If^z6FQt~nTh`JBvnC`Zd zrba%OW2n9#@ql`M?q_$>x@AFj=|EJVw@vLqG4V=_4u21RxAC|_2KC!FHj1Z-AxPIr(oiCGOBW)c5fpc`%u3ZCG%nk$+7cYbZvCb4k^A_;2cSCevRNOnBjs(KV zx6RG6z$M*oIpvY_zZg6_nZWshZ@APVT&TT$L*f=nEK<;{4(QTiZdYvIAZBE7Z>`o( zPXF>jDg&dvALUnbl_t+AanK1^Ri0%<1w6F2ew4dyWMp(M;$`#rIL|uEiN;ZRK-Id> z9hOYyLYLZ2=9t5JCG}TGxmUsyUbY0y0g=H6X?n7EFtwtvg(0-!pk(p7(d^Er#_(cv zuZvT2=uHFkcl>A#{R-C~;fO6{UPj59w@VN=rZ}#m_v%tQ=9S@U7=JwXc`ceJwfV8# zf!Yt!teFTos_B;3HZvY&#Od~6Yz%i5)cpwsmv0HxEfWY1iS9f8+J2<+%_`vnSDMOu z=UlQrE6Z5`@w(v5fyM0qb?+}8m~0TiOT)D|nz9qzATsv>ls_qg`s?ia-dQps5~iJ> zL_r1khn8}|1?E86SGWv(>S;KW3m>Zvgxb zBeq&J5*tu&%9fbbq%$JBg{fGK*#3sG$H^e>RR}(_#rAN5wu|x9Qj9f8ZO#qc zcbt&@$n)D10rnbBD+F>@Kt>1%C8C@Lv9F`QT5(xhTphn|fb-K%Zz91o1L@b*;4I|_ zJ2z)|mdkV22s0q=5>Jjl5bu$ZtQ4T;4*?j2^Td{{mNm;}N`d+n$3pvVt0ga<)j3Eb zf9!0Q#>!ckcr{9G@P~0}VMX2?f3$WK!IW&VJ0 zrioG7AN!WHi)J)354!Z~JCL^IKHZw6jRTtlGhjr>@?XfT2mmr`P2fxlFn*6H(6#!+ zQ-3_Sb_ZMT33G2_bS(;1IJz;l3T>C}!IDWWZ^2SjiDM4k0S_I>Wf82Kj^9vTdzW55 zxbQMimV>JGA_{~{ylWfwb()XSyzs|z4CAYM>g71`LA(Z;$@7BA1~WL8VDpftL|7tv zaO7?8rCLiYjztl`;s2st?xN>3D7yZdK_m9>4A~k0c3D&p%fJ8L(Qi!YTC})7`87fydwv{RWd*RBT zlv~d(1$^0^jNd=grP%{e5)-zuG2E)pf7?#IyP4G0W?W&(rRKS|q{y1j zR*RX}#epX>^_P2M7x4W^W*F$770ZVUj&kFX0LyTU8?UWfsz!)7R8HQ-SQHKIc^yW< zr+%ewnNJ25%20g*SkPjzQu(V8?n=~!1_rb}6Hxjs#)fSgO>CUV(uSV=b-Q>@w$D#b z-lgA{s&$HZ>F;+01f?hUD5AESl#9uMTQgn41J=&B$s{>!QP0M*y6Xw0DVbL{jUk6+ zsb>Wy)bN+0^Ez`~syeC2MUMsdCuYAp^<47T?*d{>Al6w@3T z;Weq#FtmF2i|nc=4M1-^{v(Oyu?se|hp?|#{68tp21y=c`($*itm3u#UIU!M0I+sx zsQ|z;1~BF9holh@r}lenC`u{!FNI&ZN0F_4(Zs~0>*vqM>Ug$SS5Ikn|JuT_WG_GO zD}^ek8mzC>W`fO8GV}lM@TlwmhDX0&z`7o*!N-qG_|6|cWk+-cg${_ed-{xM#W+v~ zR?Y7A;aD|C@1t*#+pPN8GPW18;bO|!i9>+_)Wxd|yW=3&22JF;g89V2Rr4pY)SovA z-qyay_5onI!odNrXw!*Al56Q-q`+*ET>*fL1MmR9d`Jd}@$_@10_P5S-*}~5U;+mi zM;Ef)tw>0*`WXd>yNo;*u0n3W6fItYQB5-|RCWd43!pL#?2Xc7em&OEC!Cu+^e zq&+8Sag+dGl{orQJleRHV`)TWj7F44a(%#UNI7f^JV zUE3-G2h!Q@MHRtxKapA2%Htw5XvJujSuV6z))_n?dH`xTu_0BR+4C}){=Ci-WHwi` zn%QkKq)w!8{hMg-sF5ghY&WnI$Pe#XE|O1eAMCTe{O1O|Ug>|5t8;7ZT-1LDtZ1!) z47X|N0KS$o`8UazVsJ#vUZx%x{}m1#)FObq4JbxFHaH3oT(vf}%Q;_`{Y2`+0+q41 zaT~+>&YLq=2hg&5^HiM;_Vdp+;=4{1&zK(F8DW4Wl9!hP zz`?xmAv2Rzy~!*7M8S4Vyc{8t(QTY8Ix#W)*}aR1NiFMBee##eTA^_Q$loZv0Bey7 z$wxGi?ke>1`#pZH=52YB#s-Qu+b*S{OeqT2b!$a*KtNnKVo0Vl)P5b{CUcAIEunS? z6wFyRGIe_LXD}!EJsPF?TRRUVwcvI9wMzwySDSQVf*&5{sb6Is^e42bgWcnPwr`Z& zr;C39)VU${?=*i5q~wol^UN%oV=1m6qMEV1GNFRRzfxv8D*c(0o-LRU!`{G61Jp%a z8%qoI$+7IxjGxV_NlzZG?vF5}{Ezy5y%Iet=yW~+XS5mLCUW+ZZn|ayeeu&6e~*_M zzXd(H?E#f`l)8+Xz+i_;;6Q4m!4I4^Spr{^bm5rD9(rCjLL7JxStzRDlB4%eH4+Vf zdMU8rZaI={N`#8@vMUq=_OVsUQTy$a5x-?@CxNLp63U4aO!6`X^f6e>GNmbT zV~%5Kr^ycga-X_XZ#7-ls_su`1&%mX`j^5~=C~BNmHh%pd;o1~Tvt`!pO&ht0&>wK zIAJKVli`&5`hU`w+A$0pKl2e%g(g*jE;j8NsNI5Scl4tsi5T76R@lGZ`u_7e$?b@dEnw{)`%#x;?N@1=@8(+kksE)M|gki^XU$-ax{Y+8Ic zch5X|ro4M2V!A#x?dL=CPjqiN^3HfI|9WV1^^;i_J)LI9&)zFuz3ZC4M9gvc5Yr1( zJjI?r`022-fAI4KUL$+oo8&Z1NXQO8!iHhFMf;lWDyB7+?Y+z zQ%~l9$7R%Uw9?}XcK)07nd*e~d5xh)XJq_A0b5^^oXMhrm7QcU&`yF-GqfV=oAT_S zJE!JPS)Z#I(`C9WhRgY$%Yr>@z{dPxfd;t6w z<9C+LCt9EJ;mjMP9qFxwLJauy(*>VDe3<#KxjB8c^3q9IrLfO=vrpSA@(eI~!iGKaoPKbUzPKkb9%>bg`mcdjKL#_xw^cx3Ssm!`k zl}dM6S=);Ju{+;uf;Q9ibMk2w(UdFpOc&0EvY$Nzs(N*1jy$~U=VcD2&#mhJUXH(C zt+=_Zs>wV=LC#(^>y9?!!U5`FYEAr3SKSO-11on0!8C4Q)f(v0C>{h31+hbZU7cLHp9ioK=0Zz`90Z|df4{U9O^s z_(0y@Yy0;U-)F{LbdpxoY|`fWr+hX$W?f5HI6t?L+cVMnMCKln(C8L|i-D;fm$ROts^shoeQ${q;LxngB zqEM)yq!fdk92m3UmbcFPR0X>K^2GhmXCIRiT>vfDRiZq-iOLUU$25O@uQ{IEt*|q> zb7TO+b7Gq$P5SX7D=_FO^(s(g<9JwFQu5Y+t-Pda0?>Byyv`qr$z?GtMxbG^w_-UZ zdezCkxsHyTAGwIq6f(ZDNx!G}XJbX4`V*Ln$w z&+b`R?eby>5680;R=K{G7XQEX^7~Y+g;%%wIc(3S3Jxi*vOburEDdM9@5EkX#k)90 zQK6L=$4WlKE1s9qq_=5DBRHUF0ZjUMY{LdN{TG3;9=W8|V`|1{da9Mbfs z0Hh}7(~1BfMz^j;eb%t1gxCFhPyTrYqD7_kM|p+~WG7U1A97;o^gANx_CB>i5=0w| zTuTGhm@~C`XW##iLbP}=fM{vj@A?b0Jw{{pbR%)Tz*!A#N*`to5`TJK;Uf)TJ4G}G z-i_vDIt#!5C|^mLZ#XDUHUFCO>bm17`VF1LZPHuiTP`LV(5FBXQ|r$FWpJCP3h)Iz z@}nF`&==lP=*sFot`3;=N*Eu)tRoDDz)qBTelq2^H_Jc zcdMODUmD_97cJLpzr?CO_~>T);Ow~vO3%(*y(M_p`MQph*S1;)57O5N18UU77pJeK zjV%xN?XE47f_hyWOG-iuA6IZyTS4i0qu3^8O8-=(tHLjCJ9CM7*htRZnRQP(Up`FX_Zqkr zc+cNk+~E|WPAudvQ-p5}E{(qSUuThj=6B|w4?rgQPSE#g>3xw^7gP~uzw%?JrNW+i zfhG>hNw8@O+o|u}sI`q2Bo`!oR7ux8;!($E z7#olZG)vZ9MinakV({)6wW0zI(t5DMJ7BQ7F-q}*hgmgYcb3!qJsQXVgN%m3 zb~X_uA)3=3e(p~1CUUQBFlnukXo>MgXQG;4l=!b>3bUuJ@%UYr|WiqOplRy&W2L>&|K-qc3p!4%C(`1#>8tlz`3xl6O+=lNX zI|k|o&y>xRS>6sQdD@*AauJIhD&zOgXD!k{02;Ig~ldSIBPE-=p! znjR$%k{K=J0sro0`&cW#V|9m;{vbi-?_Pk;;zwZiYc;qU;Swz^!i)BHfL#?wyU!omW(dBVez62H@iFY-nwgUO$4Ek5)C5Dy=;G>@5 zbU}y%Uhu8stdn59edcD8c!H}GWXPLLYq``M_u8@h5kHIEUBd{PR3i z2z^zkkK|CrmwSgc!_KcKu{mPq50m<;3MeL40(%4v#v9=`jB^i@E36FQ@cE|bgF>65 zp7_{Wzi6Ch36x9qQ^Zn;=H2062h|CAlI~ooZ&qI2x+vJQz>9#LU%fbGZ|gKL;w8;% z1#)p}imo#%0@wkk&z{5DtF#qx!^!>l zyVpBwA>^gfSQU${SBp!fB3gQo^_}ULiLX{arZy=RWn$E+5sU!?XYF6xjy(#%-~liw6-F4AR>NcPTp+-`Kj# z^)Q;$H;#fQ1R(Q1nlH`jbx3YpZq}d@&jVqQpf3cgUK^5T6+DxkWCyjGuyBj!nmSX zP0FOX{YQVPoJl7fiFxH<!qS?0Qvf}5(nU!R9C%;>eaemXx2^T=Rb6qYrz!iz_#S~u02{Teblx*cEx zCS&z*3wcbcevS4(Yx`4aqI{qTBeR*{H1xAZ*O z#lV(65xeR!LGlQ((S;IcMy_>Ms^uq4Y!VTe+tpaSc+TZI&g`hz1Uwnr7so#=9M_%6e{7Ej^SE~$Cig(?(`va?uQHBSBWHb~ zZSzB>SfxR4GT~&`#Z;clF{>2$As_o*1z9&Dz#c?&`@y#~@Qsz`LVd`70ahMb2{*gz zjb3RcJ)LhDtdBHJ*7xreg?Z8r!}(%$Gksb@0ipADQL~uedIz=g!)tM?mc&WxA^|hx zUL4%tC>DfmaCB|$Fss=dM%Oy`h_hzI6}ab>m=DhlCgr6m&;PATXlPn(>6uwFjF$$0 zgLUsmqszF@fhobvPSy8*5j@3yf)3o}2kfRL*-N)?6sB!y>B?1e4Q(l>IH$XUdql5q zYsoW>6ot;jRW^@4#XJ6ls>W_R4&N2pq@Hv8S%Nl1^Q)S&ogW2!s3a~`ZaIE+>V+dK zXLB2E7^WGm)u z1a-@eo5#YFDHdBfi!Q)+aH&d626etW)9fuZ11b8S?-xc>W%oHAkw-yBwnQcGIk&AW zU$emS8d#g&Pr!effPF-4_4W$*TvtsW+&MJJt^5Lq_Ygbg>IHA>M$evU8Ax_n5h3ZbKIM3^|Ir65<1=1&UN)8JM6ONR z9_jDh01L5XG6Sv$YGhu>Z^w19!s|9p}_4h%+o#Y$gHTC2EgUMNe*6YFFzJertrBW^4e$?vsS zIJ>y00cH`Z8QkBEUB|h9?LdSsv!EK?o5UxAA~j9xm2ktK-h=%KiJHT4neoosDefX! zj@QUx9qkvO|16G->=_)ZpjfDJlvDs%1{pi_YJhQ|CvMD>vc(`7$$20oOVpdRM6Uxk z3$H&4sUtKT8eJhD*s^+aI95Yw_o{}cncq{ev@J)8civM?kSs1Ha9K--4zt<#=k{}D z_nwU_bIscN{-8;U$Cdr#7IciU4aH@8s}B-&82)o8U|ptGK8(hotna1^x+MV0A>q;okzazpWj_7>Wi2Evy6p4YSv^1 zdB~s+elZb5`RbNhysJLM(sV5>^}@<4QT`>FY7JapivN$qs?A3HwSr*wMq3iGYt^dM zx>ito$(1-#iJq)j*GvAeg?G1tvbh^hf_#sG{$oVJ(6$9hEj^S}Jw);RA`3HH%8A9A zs|!e04;q0UzVv|OX)=j(BKksN$I68Dqdpd2jIbx5S2}S;$#=b>)CJSBs?5yH!_Od) zO`!elpJ#*o%Yxgo89T%F*e#IBz#>#&J&6wr*|HXcN>ptC23fz9-F1PmI}uRns&7S& zmG}t~OXo5z^{m1{6^?$Tcb|9e5Udgk)ELf6O*t1R9waW;Z48UtO0slfZl)Zds|ihl z<==3B;ugnRc&JcGax4F$-$ZxRbG-?u+U)JLQrK4H1a!rZ^KG+KjKpY@TE{j#{(sT=wWcK)}(>>%HCs?>!F;MCN!0TN6#hmR`^&|-f-51U@sA|gSh+ghuo(70^;LA6Tl(~S91Z@h(a z^9xrg)em*cJ(_pGf+tsh6mFXJW~t0Y-06Lu1z7KMld&~YA- zEwE^sus44EnajDIuIGC1Z=Gt>vOdX$|Hg~IdaN@cE{@;~6wH(f>B9Bsim^xoaPeGp z6X(&Uf9km2f3&@O!U-n@;el; z=7)Z&iKOE{{uYC~hC?5q^>rmCK2N`n@zPmwX(&w>AL4 znbum*3MS;?Sv>kxU5yswFtx$)Y@v3ET+7{#S@N?lG&Kwigtp^Z|2_`jUlcd%BiHC$ zD?x~z6emBs8f6k~r7C`0CvW+T_$*7Q$*sPTy@QIp=OJE$uDOKv!_=}>9GVb|RlZ{m zNte0n|8sj$MDIwzXfkpq>B83FEC2Hw0)eStW2nP#ZIlrY$IY9%M*V(QuO6w}Np!t( z^{-yNO{jZQ2c;cQJ@|~OA$UO09#*Eu=aWl3-7m5XrDCm~L9yddg8w^2s1-;b4(P2B z10h!@yQicU3^fP@1pL<(Kfs1yK%jzhKGW>eC$DE@0WPasA1w}skiynT_;UlpORKAY z-Z09#qjuSk_D#n?YFQz>zs@vw7xPo^?)7cL{<8t!-1?0T?nCB8)KcuDFB6T+`3&Xs z?9kx1eG)=w-(R^OIhulpT0>YZ5bs}||NSzksV5z#&m0$@oc9tgFSmWT&850G9t_|=&GwBi z#$2G-NrfEI$nBXR^&8Clzzh-DeZfDaf+nq+^-AJF;(KFpoopjo^CH6Hj&(l0RS z1&bfKq6+R@$NQ&d0J8@FKD%1!=VXBUxLr2M2T8fGrj{^s>*8a|g?xm&nfQkqR$C|Z zpEF2Jo=dN8X+qFXG50i>Ofwz@vyZ*`N}iMC`ErRp#lrXVa^_TY8I2&uiD(-9-Nl+@ z)7kuaqrnOpP<>aT82Xj83Mc4P!E0@cACa_UaXmw+c|r}EVfcGIVVVZf9C-f#XEz&N zuv~1@RLf2~5|CsGXB%%_=<&=59v*Op@sW^?Nu=*zT{I_%fJM=$KjXJ87m;Z48 zFbT@+B9+TO-&sST32djU@v?SDJL(r?qMps z!rl486jKt+rJ>mQpjz}@ss$uG%;GBfBYxEcHEsGj<{z#N=Pc8isRj~h4|gAb)r93= zRCm6Mcv4GQl_5CqxQ7Y{py|E|T)Oeqb|qpS>lzfSh<32LTr%(ne`)GWWW+?4N9?;e z2~r3U^8^j`2q$wtizR2zVA-nVHY4tfN66Kfv$sV1^S@kw;Bz6E!9Y zzJJbZ4e;}pXKo%UDRmB^xo%$kXVqk6rrySj&;>n6!C{()Pwg{{E9Bg+OpciwNo$|Q zojNa~1XMppY;p_<{iXfzn2sj;)EoXv!ubE9nyc(?5Xc5m`j9j$?5qf{F3 z(tul`@DQR^ua>V3gmM~tFZ!y5ephF0`l|LX2%>k6LpL}Z*GFjAj51l{<;rOfXXnS5 z(1{~ue{fdB=o|4jGCt}TUxPu(*#7e&wO+sJWA`&BHOwL3xnyos5#B`j2)e!?cbE1S ze_wSkD>mDJ`G>k2yM(QgP>~~}jf5(!@Mg>^X(d}96WlPn^3kTTzmS_0XpHV0si&Am z2*BZGxj!o5@bN{%$-X9Y$@(!s-5#lhBhUC2-J=ryJyK#3962;#;DN$y;VW96>Lo{) z6X#=5)d5iXjcmxU9#YOMwRx#Q8t`H@MkWEB8oEF0icfT{=;`RoYW9eoII5d8Y#2P8 zi44mcTr*fYTIYz&&_RX_3!9ZrQEGTMjvp_ZX3mJX{E^BaY$kw z+RL>g1&%r#6gCX*9SB4JxcHNHC(Z`>{DkJes5K{WI7Wv;IL1VfXnR z7^d0*?|z)Hwa6wmiZDiqb`tE3XusXI`*Irfqa+>_w4Vc0@9`^sm>?{SEPpgmUXET5 zweq@o8oUAa<;0QCJjzR~bsN*ArrB}!^)(OPT^o|y0~JNGk8vHZ_rwSVrduAPjD9h} z6Z62Fw%Ao6*Dn=?nW_JEC9wiw48;@Y`y8{c?pdyplCTX$(byZD&`g&k#Fhy!BFjEq z0CK&_mSw2^mq9h5cgw1MMX#D5zb~;Gk}-#T^B0p;5k2FvXYbhTc&F`9ezhT(8rroNV@De+q=e2cada&p@M;s;ZMy$0IG1L5}- zR_46g+XU`ACo4Q z4(ybzAEp9vKogg9XJ2QH?V_#7uyH+syk)CO-S=mdtD_urvzuQ-Q_}?~GHA$b{U@^@ zmeQL7*|IeQ!;3$H60n)8rBWY}pzGU4b?!n3B@M%Sw$6fy_IjYZZwNlUkb}P9>UpG_ zfcwlV|MudN-4}C81AS&q(o@{!+nEqgYms8M@{+t+CwB-`sYdgK^|WO0Gy5UW8pOeF zex;B%pxC@S4U%ZT9|$Wgg_>0jI$TkP#m6Uav97G#PQ{?)qkwQ0XZEeHy!}|T#Pbk; zPV&jluCMc-XNcVu7DMM{o8%u0kY7fu4Z4v1x_YO96!*r1VHw|T_W&m#;2C>sqI$Vi z`)-_ZIWP1@BVcNmPfU(frZRV2ZGe+8pqz{93rps4e~0)d_hNusbr{kUxga27msad> zz)KvbSdMPsl<9k*Za=T!J7|xVQMlvp73O<6sb4tJb8^q`rP<28?U_MpD7EIJ?ukHzAhm zB9e|d7)GkXGLK(fZ<;;0mj%_6%@6AGEFh#zxEW5ao0VEookO7v5i7&4QZFw}O;y`{ z)*5m#XxgJ%ew!cTuqq$0@<(}jG&jCq-Et=*Ausy_9W^y|NkxTGczAg9ZgsFl0vD>q zQ6-$zV%l$aP3T`8K;~p|oBr7i4t9s_Su>4Ikx5p~pN`Q0?JM9(r0N^U=K}e6Q0;&t zGz854uE(#?rxr{Kj05iK44!ys@S6+5VC>Lqg%EqKp3!N~>10Mdsk(Y;%3k7*+@F=a zkjM8fo>ezgJD`KT++y7hVQh41jE}8|9j~lJOYoICN9US>JDbhH^}R@rU8|xoth&g^ z9!>%#ELOgb7EHO^8KIhRkNK)3xuAvUXRZ%ylOlQZ>KFEK$b)AP#04U8(Lh4=svO)= z1>Ax$ZFG8O>H43Ag^^}N^x(4@Nl5K6c<+{SC`Zw%nU36|-2v}pQR!%9AM=|7LW*@2 z2~alKC7zj!3%ZDpdv`8eW*H8!bp&51aX}9}v-E#=9)EQt;<-HP{tr>rguL_%s|mj0 zwaeAM*+bC-4GsRSv9){EcGiluERGTw(_4fu>4>zt3U*pogb&`}`0)bv?&MgxEtVdB zjz+`!iqpZ&89d(q3tG|wfXTi9_OhYStq}yJ5LcYjQy?c8~w0}r7Aw3&@{6HM$*{z>&|J!Y$i)RI` zWQ+KsYXT;}00Fq@=m_!kATu-TKwDcL1MRMe|9`@fuyZ{R9;NVB9VS+OsHvWZ!q!^s zOB{Y$jXAp;|(?6iBBTCu)u)J|X+zPo^YJhbJQqCh#mzCxe`vdR746wNz! z3Xm#iie?*SS=SFsX15|dSSN#idwgQ=y))!ljtL1i4lVzJSs7gwaRu)+=3+a&dTigG zxjC0YwX^(|J0_{E(q9&?4A^;hvtYnolVO|8<%;ubOHh2h{vTnG+@Qf7>NQ~*w;e-s zN>)?FQ)2`|MzH%P#d540uwkqa^|VRPL;lHP;W|nch?)1FIR3gTJF4CM^PW}uh$#66 zsWNzpHElbuL`-$!>P^_%gfSQgTf`}s!^Z)I4L3%79IvqzjVD+$)!9bh3k$dK)Jg?v zTEO0oY%G0@Q0^EUL6>D^c_KkUm@b2Zx?8YxR$V@glOV;$A zecbMRC55FS{CWtP;%D}-)`vg|W^l6PJDiO=Uc<>Zq^;b&XV<4 zJEKb~VP2(bV#9NDNeRZ-HGb#inKRTo{`AfN@&2E^%!4?tS8Fn)Y;#(J8M+@krM#%x zFjYKQuuF;DI^Z>H-K`Z1DI*nI8GvO=tp;57388In+?X{Vz1Z@}MTA?~*p{Q=ghY1u@w!U<@URoZ+yp$cY?CWUkIxwG1~GvUhiP%> z>mAy06jRE$W2MY+z?W)*?&|cb3&bE%gJKtNZ?#!Hz4TA%y7{^W`OIdIEgxMey7uNyGKXKXIyiyEf)Hwh{}7 zUw~D%3Uw{C$Tdart=r80bgVRnK^n*$F z}8wraNWbwrn_K$cly9<48=h&4h!hW^)=`Uqmz zt$z33bJRXt1d6D74)ARa4_AkL@GAi-1t*c};r(FfA7a&MDGxp_AW|K)AJ!4G#C2|HglLXNt;RT(~RzsPYo zC>d=@DF_(c#xYSg11{2b@wyf9613psaYFhcA_NTObxk^UNdi?jn|isG`@s|Y@7D}d zR}9evPOmim64E$}iUJZKZHCFQUs zIv^zH@tEjW+OcsmHRt|A4Fn z>NV-YFkUW>{{i(N;J!8p@j;#mt>JBfPoSWAt{7F$#!H9geR%mN=(0LpA8`a!mArMY zq|!QCMCt`Vzy|eXfm?$dd6~DK5FL@75^%#RXt{ zKIUELXy?IXPaPKf%v7y{{A2kF?7U-LIo-jOxCqW2yX=x~w^kd??C~ZfNrO7Asfv58 z$1y`up-7NGNiH!<=2KI9Qb6+RJPGl$QEvORxlmzO4zw}$$zt!q)`6w_?rE;CvExO# z_;NG&%q};kEYW$UDcpC;e~jdZ_Yk3mo%JKH?HKv^FdYmJ>@YC^r zI)@4tXb_K`bJ6!Ks8#*vs^2>rTQl>+4nIOvBEE1lcMA!*D&bY91;Qx*!9etS-g;ne z$EVl7E+x4J9t9QR{GS`WK5+(BbQf)hr(~_om{SRxyVrt3MOsfL+LYXbw?aV*Uenos zu94k%uIl_az8FWyZhMP=%qo{JPXb$VWAJid+D!cCS}Q$|Q{?@_Eto~`7hm1W>61-U zPS$F8AASe74+jV`8drip-zmwlFAWX4rQ@BCX16hx{#oxAu($$<6uzJ?@+rt-g-zp_1}2MRCc}%q1Vj7^X-@hv8Li$?*DYi8LuN^IfT1VN?SMZt+vI z=-Rd6C&CT#I7|oYLu~OnvJx?~$L(m|z-`jElXdJ^Q01;r7pxxN8Gw8bK%q$;OVJMRd7~> zs);Z`gyyA=kfHCOoMAqu_Pw760l+iZw6qd{F$-7fFn^j#yWHspDQ?qOHXAf?O+b4A zDo}}WMmWRie~VMXV+Ei%HD~*FhWvQ79rge;nkpk)%tk+3x{Ca&Lw+HIyr*}lFm!S4 z^8V%qtIq__{LP&&vnuZ~u2FSASy|M4V1S_SuLrH)tDv(7z8noB1@o4lRZk|7y~$|u zM@tVlGaZ&QE@RzWgC(Hp!%mqQu+fb9sDnGjQ zxG=dN;*!+1;BH@yINVc_hH|?hq+W2Oto1kJfEBZGvhkWHYU+IgYF2KXwwbe(lYpOp z?8d@)AgGrKgyTCC5c!%T7I?!?IJiz>I9GlfK=3Ua-q2Ub)FN(y7wn80L|EhRMCuwo zbk3eTj7OVR+1xq(aw$orR@bO+ZT293-CQmHo?hp1yvswqch(qnL1uG8xtXQ7-(tvY zG=ib4G5*8ZsX1iLn14n`m75U1WIoIOAUo#@7Rn{~3dh`y+VN3(QUo1Zm84)>OrEX1 zv2J`ox1Jom48D7bD*byzvt7WKK!8mfGf~jBf|=l9O$Ez}o6c!|Wm~qenVp6qc8?A- z=}RObdE=XG)5S(l*b< zY6K+)1qWZac(HUZsU+~1VaQJ2{ZwqQ_lpH=&3{l&WCkU8)TzYA+w2qtMB?F~U zUgP$SlWU9Z=~yb*hhWr>0rRadXC~hbV0$;f7_h2%a2wAoOuj|tzjs#GhjLj#l)x44 z%TaCno43Ypk441lGH<=e|579YmiQIjQ&c@!~Q7ndG_P~RI3jws$5=_q~KxNBF4+vV|J!BH;Bn5EMif+3BU zjp2XoL4mtwP;NgvcS9`-jXx$#-Opq)=?+qB5+424wxD7IO-tbI`LP>y|(_YN|0xI;5NLS)y`Y08&BUezG!&BOfP{TVfnE1E%Z!p zoU%7Oc($fbxe&dDDKU-`*WaVitJ2RT977~!+t(az`+Ti;Gy2ECV%NeB>(pnd?JY6g z$-Jx2mf*uy0=ld@l%b^4peiq`?=ojNrDOzu=}xHUN7Od;Ja%}BkR$i%_P_JC2d<+Y z_^ugButezcD5?ZC-}mX$BL%yPn_3MgIJW+TA^5s+!g$ae%4gI-7*sP;WhmjrP4t6c zi~9CoAKklmfYqmHT7&xo;Ys1%|zCNfB5QJ%he{vIPD`Q+AyrMk^a*^?BqxL=}hSiO~qRo*qSjrczT0KNeW!A*#L< zb%aupGkFdSTu?J?Ek=6M#W1jJh$VzSpJ#<%9gkrzCqjGHO|-`idD}u7bmh1$`zvj1 znNs6*6SX>pceWQScc0u-$1U;daWPcYK`u#|+vUviNW^{`80R2bFwYFRL;`Fm5LJ12 za8{o~SS%&RGK^C4Y2M2D{gtP&YEFrE@cw9Kf-LG?(PE-ks3DZaVj{Cwc>QE%KZ08b zl4Ci}S~jML*^K9tt#Iy>wdmaf4<7^#HHy(QI7fQe5?;OFGct)@wgr{ANoAy~gEJm1 zZfPBOU0u-pqGB(Lmi~b}TYbZvH{2XFHE+x2i6X%MpSDSVxb_K|U4&+ZdscA`bTFT= zUIA^b2Y!Ejc;z`}CKBR(|Ii7>7L}YeAAJ;b0k~nW^0jz^5v$!7OCeP%J~pE|XIcG# zg?rX)rWfN-HuSs{v%#vLDSTZu3Tw^st!G^K;ncB>@X`}QwV1Tw^4IBf@5k`toy(tu zr1hovbV9?CkCdBw7p{9EQl;EQvo2li6`BuWG-#ED9>lI~{ST7z@F2iH19ZBSp*5ja zDwU{g%51EyZ$fp;I6z39&vds{QVR@2mh~*p0`sYdTX_lI!?_BQo2zW@UoQ52!j~AQ(3Ps!rcEH#c`_MT%1a$R>IR0Jg0C;z)n(H7VAZ zm=BGza#4eK0<{*R7$U2)qA~ZH$80sP@QD$4qGfzAg8iYg&Jvt9@?P3;4CERVVPzsohM|&8(YV-|Dpc$Cn9fjw-AwDY-a6i;;Cx?Z5 zg96HcCDdb|vwdyx2fJOH?Aef80ITZx2?`C)BCFTC_z{Opf2Nv+?hs^NKM6H#dpQo(2UHU;&iKkjs|~7@>j29;oPyp(Lvh z9~{^dvJmv8SYkJ&gwL@>WD{UKP51df-SrUK_>sA3fn;+v@H@B8Y z{~)#M2459KltAGeYZ>CkC#1EtWMnqU#_t8hpC#lw)-s?6#1Ee%wmP~ zY4k_8l+KU&x-EUd!{Z=}pYYuhFwSEgkYjg3L)OlV+~`e#BAUrdhI}e#iJlBYdeqD( zk(I$|m1wt30*42_p6%%@iUoYb8l&=56|Yu16k_Odl|#D*$A{_TuZO(oQ84S=tOTpp z=E7fPX!JC)__JZ_2}=dj_HF4nTT}ln&l9kRO9kxi$tK#lAOCTkuq7P8f0|izkF_szx50igKjNt7n=kt(IoF&r-~w6g(gm{>OfluNP}nU8Y@iy5i8bC=Wa@B31b! zr1Z|d$*+q9H@y-VbSdg&SLT45V(=#ejd4Ky%KQ*(^Co5tnA#N{`SOAMDln zskykNiD&z8$XJ?qy$7=PJvV~Jw?>B)tPh1`)#Gr*nkAO1AJM4aS}jDI*=;WVcDN&4Hi<`Ty_FM7kelQ1%5&<&cp}b+*NAY)odlXouyQE@QOHb&k90$y3k>|^J^gD#TrrZ3JEh96^=3Ar zL#@G@X7{rte0p6ByFl6QXaVFsR&uS6`03NUizMP_d$TKLjLi;WCL@;p;PgdU?+0rv zD5_7)1kaKvD?{kn5dIC-M{V2Ki~eh+2NcB9Fv}pyDSJIwmZO&k$GP|K@z01;vH3vu zRYYdblujZ_s_~?)0+)O|`T~k@^XapC$SrKnQWL3Gp5qRp-E|ub5)zKC#`3Bnd}0)3 zWa#hT%Q8S_EGNh^mW&O548edqpGa02EY`QKoMcN}bR`_i5UT2$v?B;y>{;`<~5Hex-!Zk6~Gn_fQ0q3lH_`v;-djZ{iO zW}iq>>VB7({zq%4xBn}Nel~Py)ioXLlR=s$^3=ACOs0=Bxwqu9rqn8RmZ&8PEmWJq z!ThP-C{J*HS>vN((8a)lzfAOE#0@R~wscd1VNEnNC;%7lSl%*HnXbkl0}6P)3yMGt zDP0d(s(;l$UrUQDtuW9$8W{u1hgAgFI$hPr=N6SeVz^IszG9BTXC{$;FVD`L12cv4J|sTgt7d9Feg-$*}UB&magV5t`M`$O?x|B{JKlpP$H? zX4|NC#68vz8`y7V8>x=^T)~~Pblnu*Fxe8H(mVGBBH&?iCh@{WNCD1{H@f-XlW>;Ox0Yx~G)rY%8 zV=yOj6$Ws1y^YhBga9jR323pkvD6{83m4w+jnz;MhLxBx>$T!;zPQi_YX1Xu!RUzQ z>oPjcN4zV{P!H1-;a?gD%6w~vn0Q_sQo0k^tHF=!eCLz0vVd{PuoBz!v^VWx?K&tk z-8cXCqQ_97L!4#eG@@I<|AIO}mMy+PAhNXL*}L9Sh=J^3#8d_0!`U7NjC;p+uEN`w zEa~qCYOz*T_o@su0zE)2xH6zKv;8t>hsQv*e!Q{qnPjyUyvA8sh}c+7J8Rf>I8HS?129KK1QX+EWf^JErOSbd! zwI^3BKjCH}=4n?aoevj1EJiD>R1qr|vD!2n#=j{T6`C-wfEVj0aEHQNp!zs9h zw%N(B#dcx}vAM|PrO$7dyou7_8RN8X?C&7-q6RTrE8Kq^w+*IU|VMKeF(G-}w0}5I%^%W!$Qc zbBf0yA=CRc|V`d9LPrQ`Ef_zmOhn3OYb+Kv4a4_Bxp{9yD> zyccfQBhV(R-0ZQ8!;=9GVEj zbJA7EvoS&a(Fo%>^>rw=)-tuyg9HtkGOlvq01uV{v~OAl7rSiR!5?+B!(9 ztgM_Py4Ee5xQ~6B+l=7d^a|w4`3_Y%8>%fojXcts2jM$vlm)tBr`@Q?jhp*b(V>kp zhEtn|@7~>TfqHG7v@#9=Y0hb)x6wspZ||FhEKmuC{+qY5)@P{()L5-H%0*yTnf`5yS-9}Cx5e&WmFCz+Z0mlaJtLoZ{ya?{X=pZmJ-((HAKL?EsQB*o_{qet&=;* zx>hJO@CsiLYT_}U5^`3_9RDya#s{OMFH02aaC#;PPf00!Kx?4qG6Pm{cB}UYILne-Q{8|;ZTG=*i z1cadUI%fLZOSB+VkCd~Ui%91Le)AKIR@lsK!_JrCg6&K!n!)Oy&szB4!o9reFm;Ue z28%1VEw=Kn&YZ(_Rz=KI%9yu`EH65^Oh-SUb<4W=BBfz_o?s;;P(4ZMH5IOncbLqx zFaHXRkH*9rK47#{RD;0J7x0p^$(Ld=9vlN-e}9+$E*X8TU=RVkI1(I^d?vBbtkeRM z_a-<|*Hkkzm$OqeZoSZSqtxb{!?f8HVI9ZOUxCiO2D!f?n3wcNbRE@^Rfly3S~m&L zg#)(Wdcw?}6XL0o`C3x^SDv-we%Fk$^!y%27gDK4HMhM66HKs65BX)49=v== zIN;i)T}Wx8gAwTDrKs#<<67>f<7y*1n8Dkom|Jh)8T;%w?cPAAl1?j}jGHZXc3TZe zfOV5rMjg2~`|p{np~}k~LXx3XY;44A22E|=^0%CIxeo7VxvvMTNQ(2Lv{Y-Tw!&>w z3E<}V-P7Fl-D$$=-_)Fo&7?h1INy82q1o(b80-ryh3aFi<%zoPwz&m*iJ!T4E^A># zC5Nd8w0kiHKqLToIbMh>SI5y*dNL)*Pjo|tC8+uz5M6R-_=YL+CTIB1hl_)WHAkYqN21oh;Q^CNXKbs(ZmI_a> zR({y$?i#4v@g}@Kr0K`3#oAAxN0M21cN~Q%TT3L!0FB2f%RZ&9r8Q$v-zQ!3R6w-j zaK25cCAeu=Z72%AJ!Oorv9*}R@NXME6S~QxXhf|*V?*uK^&Huh^aR7LTQrB&2&@BP zPi>sliC!Ob6ylfE;a|Hd_b-VSUP@B-hZN??=MnwMYx4K_;VC7!3*K;i=m++lQTB3p znIgPuIa&uf$JY>4*NnBOzWE6Gpfwhl>-o$i1#ycB$a|I<(q)(HJtP1pCq%i8;!d_@jNJPuBM-sHm zBh&=QhtuK#w(9#)?&6t6CS0~Imj&QfEpvQ!Q%sjQQR#Qx%cox>m?bANd>i!;g;))d z-;T`|x6#CN6+jd#gIlz%24_y}1o{%>w>$4lNo;~}*X0_&^Jf$jE$-B9zIX1}>2d4B z?4$^wi>hI;s=ipl$H`)5gN#$~*&4cX;q0@3ekO>$_4)6&gnQs{ws;}|{%#v}gJE%E z>jAgS${VTv>ZNsBAH=6-jSyaOEjc%HE?3n4RrdAC(8UxM=$f8z7zJW^a{zsulS?i_ zC%5|pB@e#@GIB{{@*Ad_!xLI6XR1s%GrYb-tjhx4Wbh z{Sg?%vL2pla54{c5K#Ak>z~FHSfAEqe;;Wx=Hd}vQ)UGA+X9&I1GlddxTI$;( zGumD?_$;n23vsh?#+O$+H89nBK<`Wq`%IeQxeGM>!2{cuvec#K%DsU+;cyAi_Q_Gu z=3S47u1q=mOU8D)>%UB8wW*bnisCG*o;d%tOTfqkyw||FRYu&nLA0IeGP+R;w2EIe zk8cfA(GAkZ2xK@Wgxqbv{*fJVHGiO~^X%Ln& zAi?fP_i!_#B2ydLDL1&U=l-b#x#Dbrb1z6zvaasPd;08V3cu`b%6OQ(o(vJl56NQ< zeh`F-Z!;@1J?1%+C5NbWOb-DWLJLXB??b8{x8SQ)BO6jr$_Fg1^W%hHOE@!OaBKqL zMzwzRzc>%LF_-I1w^Dx~pD9Yd^+lBn-=s}%(LwgL6=kDO=wzw&UiA#kE^0fsJfeaM zkUx0_zM@99d+cVp{e01E?DX@$@zV8$sd`(y%4%ZGsF{cYCl9QU#G5v2-tEU6)!9S6 zS(-DKo^DgLk>Q$*n-|-aC*~yUszTZmZp5z25q8ia9^LBxvq6p(cKy;Z7NL3NtK^9 zV~*O=iWC<0xIeNB>N{kG;>D>YZS;X#ww!alS39m_2Y5J&eLg#exfnM6W!0CfMIb6o zkqVf9IjcYK;8Xf92(&xIvYQ>V;JgmhQ7r*y4^EV%$zs~A3y7Pi?kAi)*u8hL;A?$o zjg;PbpoAx@LJm$iGj*94pW|%p$9fkFbk*9W7;gQ8)L%de&ui^025cNt9PvHhD4zYo z2|Y_btBc9}@Lvz-BM)i@A1oEj@BdA6Nu&-8{X~18iMNE zn%2y>|Cv?Nzcl8mv3^bK5_3y`bqOuEffW2YvwP2z7s05UP2C=!7SiXkgSt8gHnH1% z{OtAhHdd!~;=XsCzf+ zf&A==SdaFM$6IL~WeHrw`s>rI+F=;EdLX){?FsL9 zB6i307u(nL{fDArTS2iY=&o8*Ct?}3A)FS&Jhpt)*ahW~Do_3Vm#FriPx55vFHn{jMnUQM?8P6b&6>OR zUngMG@Mkd9SHwRGcV%Z9o;1)C%H4MLv;?}SuuJ=W@N9R~Up4jvr`!{q5`d}(g{&Ce zNF*O(v$0+-JDFUq7118jikp=N)!O@A-0!%TOouib>X5Ytq8Rv=Bs=&p)M^;BPNx7Q=3S`G;Es zYV}=@4(mk*@+P;H!mP6)UzGJ`syZgeH~g!T1KCOp8pK$mh?W_ zGW&Hgig)avoHc=tck8reHAdbBHQ`Z5NoLs5k4}&6k4?CZ{nYoy|67c-;$(# zpuCg1Oo>UaB#m7NAa;H=xO|VHSv7iZTxuZ8;-8{+fh$5fH#$=O|EgQ3E41zHJxgt0 z#}qTCH**hD>+1|mQv2N|n~O_1^BzLnV18yU(HvK2|KF@cfsUtL7DQkKfSpl1rQ*i> zIZl%Q3>ciqO`5wbS8A?ulPV6^>lw<|Y;&o>X=9@2z5Ttt1LCC%`sTw4x-EoxOjS+q z^$vmnmdn+ON-(qm{%@ec#J(-I=>N{Di@@x<1FT%PH%RG6KsToIXyA7H#*i#>lJ7US z=7R%%KK14CpE_)(4AdXL_)_S4-p7F$79>O58|8QGB7+2ON0^rFT1s_=eo}+n=8oKF znj$`fU%!>KhH|z3DN+NWWp-y_gDU?5b=?!X98_9AM`tP&d7&oBaiA;BT2Hq`aahp5 zkQyZ~`8G63=D@R~rvT$xN9m#tg417%jlgV?FADYM4%)dHPk06Vaytzrkg%3=4fXID z2KmwQwbOs%^5#$2eUuHu!Wjrn<_GY0_@6}3p?ppi>4TKCh zXM*@u958Bu0M^xp`q zigYa&m516wRJaqz!}&~ZultVP_kt_7Nhin@-Y_-%frVEU)R5P z`S8bw6efe&?N-|6L9SXnM|n7^KY)dEHl_m+_?6ZJs)(LPOd1k;zEIz{jc(mgb%EAf z2I6DSZ^eV#WD6tbI!vLy z$-iTgClNDME08))-E239KQp_(`B68QH>yVMuAy=uw*FkUV1OTohT|YgNcc(rC9)S+ z!=sj!@Y=F< z>xNpByJAS}Z{cpzr(mxaU$yT{Gz5f4pN{or7JPrH=7l%RTpJwjsKZ{!mU<*{hVM9M zk2NUz>$DUBfeRJB3^Vw&g!x1_ij@XY*1F;`+LX$~c-dqDo)2FjgTk{c3;4ulvjLcx z;|LChny9K}P!I*AI$m4Q@KYhNC3OLT`eP1Rz(H8zEqU^7pB($oNL(wjI*Lx2aj?WD zC0g0mr{A;*P?Gwl=R7%Zt=Ut%B&LM9=<9*dQ)efI-_f8vm=-K&w+MBwIfwRo%^$NY zDdf}^v!5+{C&0PCRG+4hl&av!EvSBG-^C&?Skyf@lzi|%rtNJf6o9|g6Yrhr6~>0P z6UOh7_shk0L@-K?kkaCZ58HHjS235>d}ixbT<-h$XcE9WJ^Y7LE0p!A1VT0WDW$_a zYGVpS+Y_^AT4>Gabv`ZgbF=U z)mgFFyM6%7YP{4}tqsluL_f6nQ!mX3!J>R!LW=U=^>G*enxbu5E)F2Si z-G5$=Nf( z^zdekcqUKfBCa?FdBL&2Ht;;?fn!wlcs#pTS6f?qGV5eEy(8^@g!K8uQ+#O@ z<7m2yzjU*X(`n(E*J&5FbTb__97{w$HxpVg2OaZKrx4-y7Mz0+?|!-V>5oW*UXYI} zZeDHKXycdPULkh>doXKsMe z>1tmb$F5`a_+e7DMs=Fs$&^ahXdJh+>1Co^Iy?j6vMc4H*E1QtBmsdS+mJ)+Z)7t< zb8oHOqNY-l*PaRoF|QZ-$qr{L+IGIz7upfT^nL5JMisho{3Q4gN84*M#Z-M%4|xpm zMe3AlHflkn%-(aZf+-n~lzoVrSu?s$Gz5x)nt>{Mkxr>Sr%sNV^vYz@Tw4312>S`) zXX(2tiYM?J^vb%_!iY~O=M2;Jjv%EE$(%c6LhCGtkDHU$?7r=J+t_Q4ayH>2d2zzW z|8c1Xn3g6y6GOqpzuet5TgSJ5(clewST>oG?Bb-Z^EaJ%FkFF0g@L|+zw*wFKAdK% z*te%u$*3CI+izG{@cUK0K?O8d0o{?7{d@9_1j}jd4I(O(mqn#@N4$Uk)Jl$5`{2t+ z>Z^uJY^hrlhj88V8S0>~Jm@%i%BT&Rtk_88de!?wUtKjY*jb%6c!Zq;DSjSb@cdD-y0!;2YnwmRHtG*bD3%=m<5y4!#%7#6Jqk(JDa6#1nSV4E=05m@?Ff#$|zDHV?6HW7g;m#;{Tt-J1S(4<$a}lsRytI9$mIisnn~^XnGE*Mm<+}VT>UaW%8-WN$9X25}-+KlQ2CjnGJ3vh7RZV4vo2jq1^# z-Zi5u)Z}5%bL)ChlER(GgxErJQK{OM1M4>F_U$K;Qh|rHAQCS{p@&|9Kcr8ofcaQ` zFqd~}sYC1RuV}(U6E0ie399K;qp!+PSny2nR!KFVo0poB!H~7cP?Qa5aoJjFW69ES z(*4qus@5wPoTbV45!>qa9|zi8&5H%IZQ7G;RlE%2mIv{;>it6cUw$=Y>1N(<4K?3$Ek*|%aEk) zqdLEgdMDFQ$dhZ&Ka<&3;Du9J`(5aTGTs>U&g8!gT)wtv-T3tiw{CGpZ%MPDC^zpr zJXz5?!k5uInjhplKlf~cUGZi5?eRJ7!YJlVc!PJE4c;>^AAjiuJ(zHUfBMzt`aksdKD~10uYnfo7pIECG}#-8_)oQEq`!FCcFk~Q8p&} zGZhtm(Zfp2T1~EKqqvIe*nk;jrk=Dq5m7pQ<8bIffur|QPDKYUdT$WWOIB!ZMc2;M z5EjPeUMD9J!|p4+OgL8=@o&t zR2A=OL`V&GYk1jf6iSrqAGY`8t&IY=Qq(ugnSE{u9Bncb5E%QdcqMLzmK;C<1DfD> z>|2@s&|19zT4B3U)q;7(=m!7q`ciq`#z=gZJ@yx!p>FnmEfEHv%n&o7oj$`KpMIUU z2nz}+@#5X`t@AFWdMe6hT{&c!nvg9Rkl_bMS|#v-6mTw0_#=WSsyQIivRP;KmSz@2P$0j=qD^sWhv+#l^WQ9H% zQTvDUIDRGuw5%P@;>gK|)n{1??Fx;SBg@|35IMSN-;MdC#Pa8(L%e^oFFDI|Echgj&nKW_WDCppTq$8xRxUvFb7S8LD<7r`%vq zQhWqVwPMTXn%?l;!ss8X#7tG8;dbbc%lBcIBTG$F*t@?qHPF3vMQmaI7-2Hm*Ry4o z?aR|^H?`s2qU-G<5a)Mxwg=?GXP+fG%B16URi6k2o0a-}jUPKY{Iex|`>!7{uliD- z(J$qdWJ!LDmzeOlHjzFpM~gkmdwOG6@No5Jhi~3T1ZVuB7EsBnF<>c1Qvg{-2iPy zPwnFrUF*JZ&aK@>;EG!?ej(ej^?<+=k<^PH?CPo?Ay5ZiX!ET)ylUOSA9R2~*@if~ zeT~-1|HT!BHuXIkg$o9NL#%x3s8TD%wl&z*k;u-z&n|ma{icT5Kg;AvpRK^hX*n1a zCOdp&gPiU7Qh@2Up)U}F>ek8A>6THVwLj*O*4v8~=}vb;S#q|}jsEZ-{(*~zLu<)t zvYG9p8eTT=*0Nh_+BC^8)+RjpP4yKLKQ12wEr2&79lPUUZ=NTtr6y-2yG71yjIiJ2 z_{A*2Kv=avoAdj7-0Mx**~c9bltTuHPM@2Gk>s)Fuo~+$gKI~&GXD`zL`CV2e{9&< z&~2!mG`H9k6MKC+1@rM9(N%q!nrDO3SXt9s4-D2rI$*-cBs~Sp$ry2-BLR7v5T<@B{l_n1n#nz z-jz;sMl;gaDh&jlL>>t|3_6(lVQJ&zBS@V2`}t1_^YgM=Eg_*`=yX$kXmKqbaN?KJ zZ{V=mvaieNq_MuKmEFEJNBid_U#IL0NUFOc*x7UU$^qBN1!>!SgfwL$U9VWJWt&Ek zSX7LCV(;^XUE?7`7jj1~n~@%Oz0M%iF}Y10K@0|Is6Ci1w2f|k3Wp1sv5~5w{=<*# zHnL0~Dv?vHsZfasxp-lw9CZEirv{4DacrK7LfD%=T<1O?wYt#!^;+~tziHL`&gS3L zyl^i;bewBHeoc6bU;u5J^yr79IcN_*)TlxYjRY>nfji*)R>S{@z;L^or@v|=6E}8s zM-WRHsH%d`t(Iq9%GGfg<6(Do=Ml6)vnIu<$(c~n`)l4mGt@*4p&WIbgt9nXX*#Br zZBquD=^ux4?l%3jJUGv+oCx|I_<)Svzq7qkl`L z%B9Z=1n(&ERE(6)E)>kL*?L!K!Q^Vk%W0=czpz|dfb6%(zMr<+K3?m&c-a87RHpNQBfe3TBM^SdPgap&%jFJ-{Najes5dTQpy>wV?N7IVfxiB87x2*9|0IkjZ z(SQpAG+0)fYY_c#E_g=$g3I7mbluu<_7bkIem=ovK_uyZ&D4ixYzr?at>}L0ErRngQy5xjxqGj!Z@aGl2*~ht{BF6@ zkEYwD-mjA$bsVs)c&!>)+?EPGZ(0}SQyFjI?-!xp>r&s2J+@6pXl`maeJA>hXQym* zQgniF&ono4#hms==%5KXv;6~EIHayCn&FYVTj!tFJW(~Q_ilee zVEIUBOCIl`#VbX)cQctmzQNzm2#8xGG0**Ti2i(iYV>U`h@|_(>RkoY9M2DqsQr)( ztZ9DdibzKzr%aCB>(BY9YOvgCDJN-Hu1@y(-d=NL)@tnFwjY5tzb+@2LcGKLGTi2V z*DgH@f~7;_=gW=(BjxAUHa9g3azYs6^}T`|I`rv7%wl{mobFvU!v2**k(%PxNsdUL zcKO1sA8XyLjh8NEKNO<9ERM7I`bRh8pW*DE+s7!vXmp}G9oq7p9m+cYZopOL^?7^$ zDllqiiX-ng_+N3|7@$dvFjO6?+7q2|5#H`@*KoG%z8Hsec2K1oO-}O(k56#eHM5jc zyW-|CQ7D>uHJ22pjpXeFO{xF;GGedixcBM7i_S@o;W7zAm%42gfVTn8rAM3eWJu{y z!Penx_aBvg3H9jvakaI()Nqf(miLQ+%r>O-@g+zUX3r@~^~Jxq00|FK6?+ndvZOZd za`QcShn8seayOyse0AvAgPZ>Q#^9af5w*v@w`nL{V`^FPXSOQB>EQK__QK1|Y5CN# ze(3;baU&fX?T&I-@15v3%OUOV_J&2!sy9h>`gs!Riv_Up+TEYMYW-tBN_Xxc@NVOE z-LBfsUdcE7JE;2it3yp0&$nko*Y~MNLsStA1SxT;m}Y{mP;J5(`p*9PXO5P+8fR4A z$3HLhKuL={i;@u)`G$-_KJF1a@FY0NYggyKoDS5F+Pm*I$ct(dctnNmwoD@DR>}Y4 zUfLp(o4ZiZmVCD357eQE-Ak`B^i>i2b(c5!)wh3)4^w@2FnMRi-sexw+llS&d!fy= z%iGQ5WDZcRwOsWwJCxeCe%td#RpxZ_p(xDx9;PGp_BJ{rvQ#R+6iqnI^igZv^$U&v z%>F+QnP8uNIhAV`*;q>%xnI)`)fxH`rpC{1a8>n^9#Qe)eYd7+gEnAwJ>AW8_FTbi zGNNnLgW&aJ`0#1!0q-5!|rtu_ZM=3^<0Kl{N+3n_c51|!;|Lqt5yo=+m;7uhr{dxI=z2^4S*$fGz4IEPTqItpgVau{p zoO=oa8+7&s{r=su`NwxFirsC(ymF75aOb-^WT+3lP>SMr8&48FQwkZJ7Wp5y`>%h0 zRLv|AK!{anblBs@-vpCT{jlI9N6RGpgPN0}v;x$6hPeDSE%k0CqkLE0K@ESBawMs& z_~YSOmi(rb!?1TXavqzQJMQ+wpwEvEzR;txqae2e+TT55YMi$C?}-NQT6Xyf%x1Pj z6EQd#4@APj7WQhd=_g7VOL`q$ewfCN(ijB4{`soJi+@u3fA9Hzhr^Aco%A(h zO9p40Fm*Nqm=Sqnt_85hKPvh!S7tv)YCPRJc+BranolP8UA)DG9VhNvn)TrY=Apu`M3bW%%ThRgfKJuWNQA}jLbap53@J^{nVz}cA-)`R-0z^F;w_Z*SC0*x z^EyYq@`&V&+slcLH3R*9)o4i-V9s5?$@hdQe7hQeJXtX%d~OQd?R%*q%&*syitYzFOK?Wm3KnLmnqOIFSeXGk2rjg}E9xG}h8nD@uTS?gS)?EjhJ zpX)35dha?2?(J@X)xF+%T>N`dcM45PUuo?uh|RsBqFwGF z@xeFRDc=mETb;b$nUoPS)vi>Zu~yd?4~q)>dX?mL>+i>D0mr!QFDtu!T1_~yOzx;` z&G9qlEe0!P>r*vRZ)U^OiSr<`PI~dc3K}^cH6FW>Zjq(sBl826Sb;mDC-+W%8$oB) zfS!DTFLMmikI!Fw_bLZ7b*?;UU#T~DnWm|ng8lhwRWUe6{ppgXN&4(mWzeRQ6-<`e zsAbZABNff>UzY^qJ5ob(y|C&R{y((MU>vFfDoyngS1FOhY&(ZzTup8e)rt_{b#{SSis86J9~C{_OqXt zqJD$v^-E6Ks@!_1cc;@nr$>TKDqIxqf*X-76Pq);wZX#t=v31YzAp=8s)$RvWE&u?Tuyvqc?!+! zM-=-#pJum4{*Pc}CdIzPr!f;vahI1$8*u_FjzH~Ppt1QVt46F#EI&Ex8#;Nqi8Qaq zJIl@esArHQF{8p^e;`6st(=E*sdeKeO>xNCFkgxKG@?pATTe;rnA-Q8F0Kl^F{FmU zv@V?Nv+;tk80~WrpVs`VA5vI##=3XiHSAW4tA8vuNzV^XBi9MFFxM1+&Z zdD|aeFWSF~?6|ARfv5?-lC8%lr`}+@wt>YaM8o=B(n#;xlR#swVx*c-XDqo|T&va&;}?nT5(0o4N>+ z7bnn07)4^)@U~V`jr&%f)OffWqp#%DBzl5D9w- zPNzuL3PXRY3RJiA)3@zV62X2;88Y^At*4%rjp>O}i{~;lSBrEOcYLs`J3WP>^1r^g z=|=5bJlB68srIOGfZ zr+S0*eJaOxNMhnYruN8ZEj_*gH*7Qa{WGlgEjfFRYTlD3rhu(0MiHc`7HDyuln%{a zBtL?i)DUsK#eo$sP~vDmT1DC|=Q~Z+2q@2MYi1}0Z3ew>gYI;oFd3fDhVH*-)SAwB z`_I}Bc$nqV#g_+=KdD+w*)F)K4@O?`&Er0k>04M z9CRBL_-x^$q0o@qc-a=HSnD_?m)x?7xm4(?4a)bw99r5mOc%}+O`V{8)F-5e^84tF zWTotmf>&>!D9#T)Y?^z}X4kukJFQqa%4)J3Ct_obdXM`)Di(QXH^Da>` zUr&gsQ?bqjPIXkvPa!;hN0XY3UVeTKO$;@S_$6z(VF zerI+sR>|h2_DOH1%e&P@p2y5t3n3%AG+xbQ8>>N5{Vab|xNqz8)Wg*Wp-S03>R1hq}@{NJt0`)SB0z}AGlmLJ4=k^Fmu zzVMiA40G9Ao-gk^yoCDn$;&rAH%+r2@NLqzHZ&Yj8v4R)H|>6S`NJr;{zT1FvcAog z)$jS&c%p2c^*8*^rWT3q1+eQ=lv&4uOWci5*@qRhelbHO?l5H@R8bD)%~U&KM7b`O zVc^|)0J!tF*w?SBrxlzR_v7!wKCQf*uJgA?WBR>|6C#U`kRv?4z%Lml!8f5yNv^(F z`H#CoBvt?j{2+hBQru9y?J>Al?=q?P%SSWExbg2)UF0_dNqo>MIEVO+U@xl z*Y?9Yg8sVle@+N^B@@h29{p^_XTlqhr-lgAJ{mE5wo?k^1+viU@$H?OJqee z4t&ECuZ=(ih_{`kL-0EL&Vf{wk||!pHfCuh8H3yuC8#g~X5y(=3aND8Y@5sim8v#m z7by0oVL=X;EwWb*Bb!h>X<^?KW+~7AAIRHZH^{yc08_>DS{37Kf1G_B_^Rorz?-1ht=-F(jfZA!zo!Larbwg}VW*RIE)LHBk55x6 zbRyn>UwmMc%{4O!5}x0cWp5_lf0z7}*AQ|yOB*P&g+kLAJii~*FmJgkldCar{yg~} z5lF(OF9xPmjJ%^u8c|uM7-f z|5&h@juP3xTus#yWKlbB)X3{Fz`RedyQ*zc-Z|+yJJurduhr11?(|^!9b`--GF>NGnvfsi z8Hy40dAr&ZR|OH?s*c80~~(-1mJy zJ*uOB3ktJgF^d_(re+AAf=1Z*X-SR(?#F~AuKs2$4T*@kyzFhEDjPjs2YRd`V!Uy# z8i>{=7B>jN;!N-%!FU8KB{wkecl`@|4ov8W1cy+^%+TWebl_3!(w72RBa z_EE8vDZA1y$tijLB~j2~{@<_{y*yuW@~hESFsS{zBV)G&oh!j1urol;wZuL9?8i{* zqfhy~JTbH=O$H+dXStSJ$VnST_axn6@WGoFjE|NPA`ubTr01?h{5YB*g87I&!JIua z35nV%&IhtsPH9XVL-nHD9V z@UaSJ^$C@>zO71y+epWGt+jdMb#&c)P_r-+6&2*%rX3ZlnZ*-L_?Pcy*_6pfzR6ha^m?j&4n`2)JFx9sfOg;XR-xx=}T*)8GS;Hl|P;@GD+|u!(F$w9OVSH{Ll4r{?pTh~t$+p;Tw;JP*RqJv_?Ky4y!94KT7Pjg8*!KLxbTFp9|jatv3OfE-{afMvJNNmOB;HA zUyP!J_#9cHxV>IdH(kyVk;~Uxk=HQE63979ygN9QhE2*#xyDQ9A}#3DXE=c!7fJsM zKY^H;jZ|3xElC?2ne79`p#3ZaqiSwF{J$D?7siIs8M{QYe>SF6$)%|IB3$?xZ^d62 z+Rsmt|HjZ5{=(4C8XH-G=+2#%k}{s3jbKwRkFC)_X`&En z(2xF-*TVv}ej(3UNE@>P89+DK|E#BWgEsp*hJ>wTIx#fEWSGFkMe{61S$=PIk1ncjLX$KOpBib%S2^m}HZD~E! z59IzySosB(BQ*MR`T!u4kb~;KAp-scEPO1sZn+-s;!A}O7`t0+(ZmGw4L2JEsrvkW z{3iwa+hp@X)`2_>K>RqqB#UK_8NkJ;ocNi)hzQ$0V4S{Nm2W8JVmKNxNR42eDj+Hvn+Kfb&RpyMTPs9Bu<8Ch%XaTECr8UNMHu(49<> z*+QOXp+s~;WYr;Ul~oS3UU-qzsUHS*)dI>~>DcX8o11Z!yYtI@&}9sk)J|hzShDi{ z|Np9x(#<%YEQ2HwqhB=%t8qHr;t#%BMgQ?$`AQe23J>u9p@)QdCyTp>WVwvuiju}@ zyXMtI4e(kH`BW2!y3yERpk3BR8sKV{X3wJjsMA+nL?+oAFSG&57Wrvy)NWnn#1iEM zwp6uGl9VKB2arh{7NU>Ux z=jT@@T*6?OyJoY$NMeNjQ9)G@ziwbN@JoHa3^h%^h^-?vKiqLp!uzaD04-P^P&?ZW zb?@u`F*;XU&Hr%$YNv0q8m@G3sE*CgdXwDghiLxj%1};vk>++-(B;$U^g)`i>iTwl z2*PKvIQy-<_$+<980mLTap2(VCVELlHDF}f7pveTE`Tw*6D7sSvHR>!+Lif!o%t}1 z;pB{)I}t}x+I)0Gew1ny`9#&fKE68E^H@;HzV!PU1ShVhfW-R#lu&@74>rV}J^@nD zId0Vu#m3fPr)CVvZWXODR}AT4Cb)UqR{b%^+&2}FPp zF#I)xSV||1+Bp(o#|=xk?nz2BrYqNU`43}GFKvo+iK+Vf!@nH3YDVrR(JW1ubksMr zeHBZ+ekt#kYD3tKJm!2PHQMW;hbZMXuD4M%m!=js#4%~L@hl@$P)}IZ7!sfSB<3%8 zmdG!MR?zI6d>Q@u5{54pH4d~125bS5$zgPDg~c*bb8M{s`V2D@{!FPb)KmKAo3 zk+J&@z9h2RYl!@=oMD(|S3`c6NeRn6VNF#t4?5o_rBs^n&z7P=m2PT2KgMFUr{VI< zrU_2eC0L^GR+XBq{`5Xd#UU-R58L8{0%@x2^nM^S8A>U+@f}59L%S<;BSO>)7-H2j z5gaqMs$1rFtKH6{Br9VKb3NcRBALf`o4xR|ZMmWdzo?T$kyL4DeqR@A z+n0Zix@%SDh7vO$rlmvKO4$H^EByE@In$&TO%oJ~1G@umtqh=aFjgjyd`t4GQJ_X9 zB?0^@J%&fm*JfrjxBb2*e5w|{r>J>@xSH&e|7cX4UvCvBHDx`COH$>y)gEs%DduBc z>$Z{rgvkmrOaiZNR2m2T^Q36(aMC2;plx9ASS?Y23s^b`?j%?TlN6fO#(xs{=Kkh( zmcGhoQVak!q}_(ZLJEJjr)<<1Hk#M@7-TxDggm~nA3nWzJfTTVlDb+GDczuYAV&|Iy zcc0eLj|_wTvZ^l6K!q21XGWSRz{?Li@->E?U2mB?^tFdf(h^ll`DMGs-nZ_Y_kL$j005WAj@#z#sg(oG5$+wu-^2>1 zgJk}Gz3KJHakR&SBJF|yCbk06Artgz`({ziBc{3eKdT|!whe-;n!-q;xm?*BY09H! z0wGHMk{i`EFUuhz{g!;CFhRoFkP=^MRRq)%tqUNNo34T5lKRf!=$x&<&jd*?!jH-4rdy;Dop{rKO_$6(eP>Qimrde-51;r;PR_+({=bxx) zn$?8@a!2KrRvxoqWse$O>cu8(d2X`;0j;wKx>Wa|O@2q-$1$1`EF6$w-->GGFcpr`rD4XO^o%L;OW%C52lujmE@dj3C3LjPY{Vn;>FJw3 z62UK{$&w1310CoGGi?=n?^Y_=Ze8_}8#U(ICd;P4#13rsAQrm{heoOk1Zv&iFvI-m zT85P=0Sd6le*N`{vRnXDCI(5l&Ae^m3S>x7lps$~KE1LXxJyyKNJo8SCsIZ@i+XzF<>tD$nR|l4^avlTu@OI7lN?@^u0`dcoA#63V9p z+cP$F`JVzo?nCjJN#lVAt4Z63vya&yN=X8SyG=KuqInCPFNwbW<6#Mu{xzI6J^ye4 zY*^m2HjXanAKgE^Y0qE4OXq`DyMGR;nsJ;AA~~rxw2NP1_t@(g`Of6?^c`K`_R<7m6_{Is zvfpgU?|<=`_1&CrlHRTtN)_f|c^i5c$}Uaef;UG7A0cKiEO(EX57A?k9V#GQw!7U` z63ERu7rFPk949wk_9tu(eSP zfAX$KwB};&gUud1ZkBRgnX*faw}YtOf?ST{fHyPR6r`IJ%iZ1S7Fbxl>Eb_p%M$%c z{?0~eRqcjZ_sM^Q_4|==H`1tlX29lYYv=DCK6aJ|Mmee-tksL+w|+JCH56N+$w4X@ zXJdmF^9kDom{O42TrF!2G7kc?28HpsAhfo^X$|cb8;G=v+RWBh*uL*1q!rPs41JzG z4GpzGpgn=_>d-z?kz*J7LNF|153199rYrpDF;*TcMG{d+(@~g}vG=nlAtj*Ve{wA{ z`mB$mS+gL&D6J#i6y;HlKhGA$Y-I)dl{eJw7plLG3hE%zsggIN8766qPq>ePy%@@N zhJpe}B3m(AXJ!DsLY8{?Srf-kulU3q>#uf>M)d79-bneN2$5l+`RiDBOsQh^9?2dx zzo74?Zd$-_KSqhX;m*S2A~$J4WGeX0>q&1vMMdeUl7y-BzOU$hbk4c8-^4*#RRoZ@ zoQ#t#w-rY@WK@Cyi?o6~kJ=G578&eJajFsXnGun6e8kmP=k{vmdwhHD-O^m!o;c4_ zli_~P@W8FvZ=HV1@m?Vdt-8WUOe2QvXlt34Sh*#XF%6E(dE6%{zoy4-j+J5eL)|Tq zt9&dfylTeILsP^Q?;?_+4eLX`6 zvQ5hz5>1K;nkOGFsp=gxKk_%bAGvc=yk|mU;;s|G(8~A9;w3U}*OMA7x1`w6)Eb*O zA6fv%I0`75rEklSb-Q`9RD<72&lOtSK!I~<+Ij%UoqI4O@tKnWKr62+$YX~UE5#MN z16`ve9sB+GBMQp)ea5mc!9ArnvGV!qK2*Uc%H*UZGArMb?|8Z0o^+og2Nef&|CXsi z-vTybldOKWu^-ZmBAK1?BTW$sMtq%(a180y{ZV2d&xe_vbcwCSm@lszRrNL{M?YOk z(cjc>woy3m`}7LT6n{U`hPLLab<`&%JO1bJ_;>NGt4VJRJ_lkXD~r7cW=}*1J1yMX z(9Q01_4JKCilVM)ZlSXMqaYWEc}pO5E1;l*3`sZAQ?Gg6SLpfRUqmtzJgEN(V`^Ix+*_mZ8CrXxA518S@QvMvG`0>y0?^t#Qto(>Fh{)3OUI~_ ziH1;p>E?W1pk2-kJkdH+Z!kYcQZH)@(s(4eznkhqPew3^kF7Y`vzO~>p`!U_o9!Gh z_eU`;99zv8J{f`8RRuFt^R8I}&_7@C7JP(2tT>zl!xBdK5E8(oL|9!e*GOv};1h$- z&-MTK;6D}{A9yGLipX~ebv*!W*VSCguTdhNU6CoH?uG7wvjk#1m)2(EP#OeEqYpFa z{<9Y-db@+7g|jmkW4@XEo!uJaG3PZ25GU8!6(rUfgWH~!I?$f)5QCoDJlqy!x8X8* z0zLoEbd?_;K6jZ?4D3gg28O&M#h^bwc(d|rxqe+{EhTy6ONW8Ik}~czU>WR>OGRX1 z=Nq%q47fA)YeUDr?RJmB<#xa_JM5&pTE7o+Ay3bH9e*_KjZk}T%Q_VK-6O01`^MA; zH=wbu0Gpkq{a+bbUI^c7)7t(F=-2TCX^pi32zTpry4!w1!dSyCj!6=&ClF-yUyKZG zY;%sBz5$S!Mk@ew1Lq6?Lk1y_JlR@*sTU>&be2?{<(4*lL&UX=)r(Q=*a>l}R|5s9{EJ2?uze9JwTFtNxJh<*`k$1AN zTF9wvF>^u$c#Etk=qU+mq9iiDukMu%i{pIWNA$r*FRweBWjkZv8h_S#ENlGWIQVd| z@a5-g?&f$!h-yZS`z#nOR|ss0<%6U24_b~shJP@z_t}lw>2ALjF><_1T3;N3HAGyO z_f>FfJ8)ZF+wyjWwJk~igzU0`Zph2C=_~KC1bQpC9WvinWBpwNEa`grG$`z7YZgbk zTc~r+IGA4Lv4BNQb4*W9pSr$FxgH$fzoPiBs5T(ti`Nc!+E3pKoGFw(ENp7spfi7z zr7>J0VKz#oOSb5Zzmk2jaF$xhrLuu$4jf*qsABtwn~0V(F~CV|cp$yIYVQ9tT9HxD zW=N5rN0Lpm*Z~yv4nRv+*lJ%jhIIeg=8LHXaq@&0|57e)4ooM3TshMb@P2H<<2yyOrMoIEXyz2WL@Fcd$2HURiI=d!`?wz)%s>wz*i-GSRltB;v|en1X6wdD!+bT z_pLF*ma~Z7v(lLqvO{K7wKZ$K z0uWi{Gy~jvp35ELQ3`!{uko8yHg0KgTX&k$mCV{GUpjraoH|Au zQ1$LdP6M`kXCw(Xj@o@Fdt;Ca;$YL!x8lzy-LJXjot#h#01WaQK*|=}aE2O8xZq$p zj0+eT2t6r}DLb)#-R7q>GW~>G7@$t0;=P7tsNF+$Z#^Fx5*=$0IF}5nGjdOJo1#^i6!GW>!SlMddcL7|qPUAxY@$*4P zDJS(FGH-p*h#jnQ5G5sLweObs=5#V_JOF3`nCGD@^8ufWIK3~v*zmBs8`vp63BSEL zsOzU{{|v_v`(dgj2&-gj?7TS$z5Opzvq8f}ub`o#N^UAu2KpRe z`{5^&*fY+R^5Q9Z*;+{q$B5uxnH_Hc8(;rW-FlRrPl-v$XKV3__0f>cb-)l;-zgvc z^oTPr6Q0p4sQ|Qs^{$T|G}N^&vY5MvoX^Y#=o4<-3!&^mq{Fk&c363#Si4VBs)*YH zM4+@P^9X$dW#c@1iM&pj_F!|M@W)5}DpMdOPG^f_ZXBVww z&sMIC7h5ZC*T0Ie25QQ9?*)R`zAzQn-rcB#<0}%+ht%)g5p(ZDd zFm3V`&GtvJzJ-a=2L#9)RNG$u<~Dz&1-u!l9SBL;{Zs`15bL)P!lkUA`C8HU#w}o$ za^{;;Y*}S9F%ssdmxwJFOy<|`h~^3jk4-L=AxiF|Ri*-z3{;BZIXtWgE_76+Z)7QV z2f@jE{qObf_@KOB%(qfUbNC9%)hctQW49uV^tPMfm7>OI1h4^5JdyN5oNk6)N9n9v z1I0X81|Fd7e5lWI(vxml?|5gj97hRy)bw0b(q-}*GAoEC5E5)t;vBe!M6Te{Np1G? zZ<&5^q$gItn9IChbXC9IiqI(f`^S$5Z>#H8fF^kDZtyv#Zum5s>#Ppluno+IaD_^; zz-Tz4fceG_@y`U#Kwv^F_w+LIccV*XXQD=9#2m2OggUTc!VOz8>(ir#ONx!Kgmlu@ za80AaWq85hQx=sLIUmox2Q3~4y3#kU#Ssu=nVIa12+%KV9Q0{duPz|&5aANEGgzr2 zMtAPDa_+aF))MFwvQq?m*6P)S-R$UtQFZ(RN3Fn>(>o1DU(O65jh#qZr%9pOR0f^ztskIIlM zSFY@i^hMk`9)nj0_h2|!l`G`T`o{m2EP3PovkjDxcW3lK?Cq+YZ!!QP1%TN_ zSR-MvGvA#Hg91`Q<)FL`yc@wq2WqkVCWV32-G1X^Ncz$9;fyvRpnYwwe|&A>jQPC` zp#Y6m_z1xdf}#8YcXy^NH-gEg>>Pc(WO=z6i4=Z>uU2SLeG1g8{?s7MT$zB7HW=nZ zk8M0?o78F?%4^*_(YEKFal7++idmnl3Q0hnBxOqi5Tl0sK@|G%x=)Bx)t?Gjf%U0X z8zdx;!70R20*U$Zo2UBe?;TKBR+H~<^iE%nYZ;THua2Fh(>PtKko`{j?Ypb)!^P8kE0FpuPHO*@%E3>u|Qgg3aXoP4THGg zodseYn9|jYF|^Q7r4y@wfVu0ygjE8b#LYKcE)NhWk$C>I^DS%5mzNVlbCOFZH>)P# z7c*|N+x3GK?J*a_LubbnEXtw8{5qfBB1l_Sueb&bWyy09fSun~kvl%Mt_#hVmEYni z?D`0AX%~aovh)3V0M-2nP4(nH>TxZ_;EuPXT$8$!2qi8%MPXQ$i+r8z* zEbK+)gP^Xz3>1l-U(+s^o7a$nse)PC^fID4xS(_Z1P`$FdIi|myM;X*uWv6@=uu`!%RLA4l zH;-*}UPU71ku1lZHIGRXHS{sVHk7Jb9Ig(*E}OSW!j zryz9-V}*ZJli~e!apPCOCd{l#k2SpcEU%B<*Ad!`KA*?p*|?zM`Qt0}7h#S_dXb6w z$^O8(D|clBUVRnG%%OydviSy%hDHjXTCH5^@>e|jvoclhnd~yVDeL7q=1O=ODWaMy z^0;!7h8w>#&Af~I1&*_XA>dc}mmz-hY|Om-pMVkN%0GTSiKlZxgow)BtS65i#o(pq zt}!p@9?cjwgwn@;s9!shxBT6dJrD0&Nl@BsCcHd0sob@Sykh1E4VGv3(lPqeTeJA~ zjB^Ki>=}y+e1~^>D;$ix>pSP)ynm8W={n}{v-G&ig(Q~%OYn|IW#*MZBP*6y5I<6FrFBH|4;+h^vMN`$*d1mlx?*Pd+eqor#6=dQ14C(SrC5raNA0?BB!D{3d^Cp@ zn_ASll7SwVnKJ_Ei{l*f-Sx?YEg&gin@9xtocH_m$Wu8qA)uzvW})1vauFTNdzux5FL-rq zbErRjdXXVt3^Kn&>hw*GEanovSGQ+7eX7URLTvycD+)w1O4GVo1F3 z?X6h0s)o6Z!1Pm#emu>48l59(%7s!@LzTNauO#G|)z}%77)k+9Fm)AGFp-%VV`fMzCoUwB=YxA2j^A>T za9vUcCFt!4Ragl2c{HcA(~6P1_-hT$0A3(_W~7~mR-q4M57zr8WdbE@U1!&u2?%BP zE?|KFhJXMta}5&6{MBLHC88vT`HUsr>sC!&WNA$QzbM-(UTNc-Izs1%(*lZ9PWcuV@q zehaWs9B;G2Ze+dhg2ZFL=Fe=BDn^Wra;2dmRJcDO&EmTO7vBoU?I8~)MFuR~Tf?&z zZ>wa zJ%eCHNZ!snShBod@9$`?^=2;R&^+PdrXZ}FPL@7~6Ovtclu+4!Y>sC&2~Fc*W)0h{qZqYom2_?KC~eSu_orZ{G5Cry z{B>dR?))4DSBJi!VuD;+ zB7S4szbx^_kORj0zIGXHych6ch+g#B~rqG3l#Lk^ET^&>91xLYfI zH)M+M_9n2#a$3pRU>73Dovy}klbm$+^oYp1PVHM{oc?nz3z%lpKAr ziNtf)t#m~wKeRx#MYoq^^0I5nz6zypc@cjnbj~z*Z$smF>9hWev~rQ#w>yAV9l)be zS2!KN3Ro)Hnq3fKy2$Z#G4dc6A>0$;X4Ukxv!1Ow04)VlF*9S0=TwZc>56jfwPTHA zNlc{Q#bWP=wwk4pQ@wasX(cB-bNDAWg-dl4HXmVd%IDWBqrM|x2^!pYIhiH27J6SI#uXWLGj=IG- z{Q1QiUFMKi|7_Rim{IL~-`_FDxWryxU;l7>OnX>89R>wTlE_^QptY)#C0;UfhwKnt zHZ=@~r*r9NDNtxHTJfi|%{REvM$t+*%n6H%_T=7Adl7WCcb*rPe!$G|J~8nY?9w~> zf4Bf#Y-c!*=m~M}(Nq zzS>!HfJ@do=|gm;BvDzL)EmslX)_rwDW>^GUtpr~+(EgtRK!fMNWc17=8GR~lz?vW zzrWPF7}%hkJC(-_1qJI@g!KXyRl_6Re@deS`ki4j7Dd(51MNJsj#Kq!Xm|5XrK=n+@Kb%`M<*K1?gd9xALd9+ zGldnyv`kM;%EPA}UasWHr*XOh*PFYC~ z))V4@LfFDH6WmcU1-F+b`DricNI`dYY7*(bL`G`P zf!#Z*mbF%YUT7P1T$~{}yO*c#bFk7sJZ$iy4AEa)aXi{!q)`?E4EP$p$k0hczu1{! zSA<%(l7umGiPSK-v0Uw2oBp8%6?yA6roOk;7S% zSh7-h3BaVe_JCb3_!1c{XJ>4(Kw?G^>*WUz0I^HMXG4ZpuU`*W3JF~KV{p(2$WTU@ zSO;>3MNxIz4-P)I>f=IG^hN1rRP-WGNmQPs9fiz%Pd;k2sB`0^^vB%VK$CAaAjjd_ z7FE(fxbX1xO@y1&zB{-igU6`9sZ63PEX>f_eDm&2nL)ePVT&QhQEO}Fy9ASO=o#Y% zYxO!eD>NUlsBfK&?1^YWzFRXql>SY=W&=-~8X9air|#_g-p5daYq#8D>;lV!e zY-rzb8;#`0LlqFSKEZ}>eou`ydp@SdlWHtTZ}pOb(yfw@ip)nVP9nt`HpBi30x5MOsS04tH|WJ~&vW=Vi3A?3{H=uTS&ylf5m=jL*ob^@@TWn`wD>C(fWH ze2^#ZC8rYZj4~$k@sF=Q9Lk;yTotCV+!3Tp$&6eBtSD6YlXXSVL|SxnFixCF5hsbC zX@Wn`Kz+F56DP7%V5!p;`TEi~cZA+>J=uqvQfl^JkcHvFnoy-FFW8KEUF)ZylIkzW zY$I6F7qKk@2#t~Z=5+P-wUVFPYwE!*BYCdRUa#ZHjng_;S5vO{y#x%FImY-0 z1@*5%CW>qBPDXMnHu8vztHxuH+w-PkP#QIZ?#ecN+U&gdile^=pB>x&4)K2+t0dX& z!h#jsMjYjfmLTs}O&Le&FDL-}%&VSmb``ktCXNW?_w!Rc2ny-We5axQTuOE3lFg{@ zXFB$0=WBr=7NuvPKwtD*2y`*xAXantVDDbt?UCL6{cbW?c~t+iPFl3|%Jc(-UXNs+ zn}_ko@l<6Z7eY+K{TFR%KYC9!Hl?-Yp1&T|ShjC%>~=_)i0vtT1MiI}4bi`tkL5$5$0aP{cP_kF=+~GwyoF=B2M!J4dM- zJzQDN-mP_GR=_mcW-~dm;r7C6OoJz1Gl@H{>n~DLQiwsz@GK1*8~Whj z=HFXeqS#xaq7OVhs|z1}zU{ZMwcv}^&dSZ6stISNxhM{jI$&4Y_|81|H z=SlBV!mXfYZDd=ko0p)zPV#b11xI$f$KA12rFx6MM&1LQ}6?cv=r$ z2iu_ulf0XqVta*bH^|$Uh(gL|Qq$6Y2iuB|-nP#(E(3YT#Jz5Vfq^^ZIV);ZK9j&A zM;C;b1w0S)Q}Nhe8xOBK#TO^>-6@JOCOn&7`_SEcCb&+ww`Qq3Ck30*9)y;@?#Wn| zK*`)xg0!Y#tNaON3}Ie(_W}rU=f&qWrRK*DXD1KZGr9E{c8;I9_}aI9v1qrun$8c` zpK`XflvCzs8ernD8-jR;X6Q>4$9JU1L<&g}KBS|M_a-)|aL47M?g=w-@Y_@ns2K;0 zE4gQ-=45Z5)7|q4GwcTHHSnYr9RB>o#_&!RU>G_lMEkHI9!hvBe4eH4-N<}4VSS*T zeuMaqlSBEX=A6SV};-Nfjqc&RHwcyP3+AB(ChF_n9q|1DP zOt!eRG+ZzaxWQr3(b4ypXPcxn;Lz3GT$Ve*EY?9?Nto@(bV9UsOJI)GskZ}w5-F&TU(yvnSn9tJz-pC4W+s#zeZg8&t z%ehigP&_#Y)%-Gk@?2A~>h{XqRCiC0%N2jmJ><37S}n2z$@Lc79ke!5FYAjt40oT* zKyq+4B+w#VEdeO@D+Ba0p40ED(NBF3N>D`|U@+A}PIK>}%>NhGW6!ns}Ym9;- zLg7`t>AP4Ch48A-sT%^!L?D3{PKhGD_7n=c91~-$QgN2|>F$+FJaIP%ga_E}{w5vq z|FZgGl;7*al#&t=3oMpqRO%p0P4HZRzby9AiMmdv(WwUNnEx>s%(ZNAwshq_Piq<> z-&pf82aLO_jS2rzu-`X)wSL2lNrBA{LD_^3ss7ZMXVxdFNsEj8D%U`qPE7Y`0Q$*? zxxw@JP3QX0H!d%z@V!JL%u)KUOwq@s08J`bh*gUYp_D$RXA-1P-}PSoQ|!tH*EHJ< zv}UN=-h7anKbe9Hx_|3Q`5Be)lh7y!h(Bv;>I~npkg%}l^7yTu)?e?XKw+=WPlb-E z@F#3#_>B$L<8ye{eyw$tMwPXqi}i;HmS6g~iu6Uou~E(ZZyt?mFNE9X+;_GjcxJ`K z6!4#Y*5?z~%cPjWg*HpS68}g$vYgOz#-~Hh+sucXpKn?LF`Y2_2LAgMpr!kVO}+ng zU|;}fWD%lI|WtLILS+N$Ku^ zK|wl1x&=WchwhRZ8WEB1Qfe5Gj`<$m`~AQ7yZ60o!CKB@jWEwSXYc)sy$=9csv&by z%_nClj)BCq&dHze_hmh_YC^6n>mDD|fo^WkWknK&Y_hj;@PfEc=tP%tm}H=t5H z8JL07yef1hrhY`g&bwi*?TMQndO`K*gHE=GU&JR)PF^MJVWlUZ%@pOC^npI*x38ZM zEQzCo-sh(!%%q2YeZLQ?gEXzjxmTRg#4A@U)IW9>bJ5?YP$C&IfW+uJtOH#>k%Www zRa7h?8lL9Ynh$ALq@zpTmb)CjxZXe8*{26>2Q^oWR&)#1%4Op{028%O{g zMqvd}1uydG zY2`L-u4yR-n?67M{@cCtQp1^pi|r*fjDxlHPX^D0^|WCvaZ0)$uBI%iNCBK9IxSi0 z8&c!%`cMSrpV1lf@uOUz6!?zz?i}hqynq|?B2!{d^m1ps?NIl*qVgw_xw+xvBKbF! z&hgHCuJasrZ9Jw>CH=ILCx?*k)tX*M&5U4XuFqGeJBAuR^0 zZxqkmm*`WAD}uh4#wryLt5Gd-{}1B}yALe$)4F#Y3onPBQbCZDra(lNR%~*{@6N4p z7^+Ph935(yL#YDxnf&OQIW|5No|o5&hXmisZss>DISn^@;H8$4o{R6|Yr(afcTaL- zWTI3LJ7BHWf?4lVy-46T<0dZ%r87>BlT&h{iq;>2QO%RgKkv(pat2^_qx9mE=g7~PfOAwn zyu%-u0>}g0m$eYOl92jSxMgCz>ugOi{t|yyo8(oq%~}0`3Em{;^8#)2nY$F04Ye1W z0Vs8%x~TzaQ6&g3i$#a0BCZJw`>f-TU&UYUa{N&Z(SpOICbG-yZthA(HQC>oBQJKQ zC~IqL(9bgyu#I?$Ey>gQ5Wvl~H5WHSmCg|Ilq5u7!y9GDZ1eW_U(wBKi_Sd4~e{f~Pr||04m}F}_z=y#{ z+JV=7rIhMfq4?4=GQ{NMv7@6dW-Uduy2N2v-aH`+&z>EPo5E}+*B!c-{R3=@(tp3- zHc(4Ra}&6?-#yI_JW~o>L3JR>(>vP;Doq=E`qeVX4p@2=1bhY=;oJmgu*$-11Y#$O zD5E3X6w$0Q9&mb_w8w9I#HgMxjAq{Eql~bS@x1AK0qUM>4j`bDpvHLcR|Ovmy$QaE zE+TUY2%rpdPOb70#=s^FOGyzTcyL0K)P|amv$%awsM6&2TwO!iz~Eq$+TUL+zU_~) z%Ll=g8lBcKSE~JYJNW~DrW`!3T)0826M1cupU&m}{$74uG!!9JQ}eZ=zMVK$t&+C3 zz#Z5FCnU%RfJeR1H_2b6c*n^O>}PA^LxW_%U2hFb1Vd#msplMWn$@(l(`N?0IoiB7_UPy9P?q`otEcNy$)^1-@?r&n0E)oF)| z`LywfiOCznG(IJ5EdKPYhQgaIlHcn=7a_px_uip}aKf#qn@!P(;`bt^6)v=bb#HWc`pl=dqn zOms(|>#Qzrdvyc`RTMqn8X(k8Hahy<@tR~csjTd&^xbHA>|IXdVfW`ssqYQm!ue2Z zx5{x&0CH;w`$*Dl%Rt2N@Z&tr7O{-;F~YoKhHA;cp8F3oC8lrASpkk6{pRLqIhN1r z(M$0_NkWpfLQq(W!1nn(#?9@~KB@QGANe^%6-EFG=ZDR4CJ>-Byk_f%zt6wx-RGGk zu(UBsh{=l3%75KS&My_HZf$dL(Z6d|LwC9u>booNajULn@pGH9fHB%RwYJ9x^nOd~ z%!v5q5ni-YnWIEJPM4@w=U?N{+E_2)>qUO2C!H5QST`YQbH7zpRY@rP$5lH|&dz!= z3PRu3h$U+87YKw!8Ob4Nk`ASo1^if2NLl>NL5|?Ck7p zRyr~8h7@2k8yiF`D%XAoPBLdu`=z%IyVX597(PX-9>wPub))<)$ zMcv(2A0Y!{LnfqAMP{FoB^3GkwnIR92R}RL+Gu0=^>nkX(UqmftKUmpV(vC1k{apZ z4~H@sc5)i%=)_{6=s#?=y&xTM^leb!nleY^%Mg>$SIsStjNn_s?q~t2;TRlVhzBIZ zZe+?AGKJ}nXt&4#XV_0C`b7JypF=n<)2cO^WN&(Um{Xlo6{dUggA?<{6m;^EPexM0@0i{3gJZ@78Z(}1q^V;?%sQ@{5r2?=_ThG|^W6=9_H%ItY)6qH0<)LI4D`E0$C)Dq< z1inBA!Wh2H$roJ*XE0jU)fg9@AJ$4BNqe%g-R)Yenhy;o+n)wq>*~X}uW6w(NJsq3 z`tTc3Xko?rvxWBd^mWoPN^=pr7cjBxlNJuX>2Y*y(BbmTo!GNmnUF$AOa0AeI>p?+ z|3>EIh3|-RJS~{a&CM;_708DCwu6i=bM?!gpLii;{MP^_Qx2XuX#mg7Gv{~g5r>=~ zJdJqw&Y+F3!@^xRy*dN?u!{nazoEas7j|sZe$mK}&XWr5&zuzd8Mv>)5QqaqA?)gP z?G(|&R#zEEGr^C$T#Tapw5Lb%dB=Hu6CciY0Ve^~4yXS{%o}X%>4^*2i;Y2YK(0ex zH}YhLjHq+PV1arR6g zz0<(C(0LZ{T`-jhIULyuHoTrJ!s@iFqZV>d4=*o2UF-$2`!)@1tTaS+!}5BkO6J^5P7c(0Z7*WKB>n8fmy4O1mQMyn zkZ)qvaq;UtOiY?+5z3d|)%3Hh&qXdwmRz=m7=L@B)RW-Udt^Ddgm-2#e}*DYBMJ~G zi2RpB%crFQ>tSTW3hdkWZ^ISYUv+Am&kT0s4=UIZ9Q0F~GAhN4C{AhZD@(mjd!Hm97+!c3Z|+^{|2+yaVL zS;8j_yL`n`TRUbML@)Xkws?-ozNoLSzvfe69EOkY8vdR5$`;zVcV?!x7g z=Hj@Q^sUmF!Myhj@HIzjpQqSi$BscIcfm+s-vHOV<#Y9Pq3%YvX@%v9;`a3) zIt{r>!q1*mmX+RqDhGqvho^rRc-~Qyo-1O2ban-ET z3Vx%xfvraU3@u%$hP0=^g`H!h?pX9w_ibcZNB8L~N8C%nMo5-v zb>3~}DaZI8o8bj1tNdL2E)PL|J*Y5u4PJ>7NUCtEZxO~!f`t&$So_aO=byzMxDyMi zvytlP@-g$?(FzI)kx)`b^O{RCNpn|d7%vFc)dD(e4Di@4E-#sciys1q+IguB3(J1O|$zE@p27BymLdM>$Na2a?jkuY3XIv|(*RU0YYXwy_u92uRy!XKwWu4JEa; zj~;v?sp73V4JDlOo=8heV>$T2y1BFU?8{8yOAr3H;o;P$CZ)!JM?ZAAU4I$O5UiR$ z?B(T^?Dyx9NrOuaz_mrSABwMAlpgrj@0^wt6`?z3@D>&~Vig~|5(WWcI z%n~pRL?(f+sX-ni^)Uu^`cz4G=U8OqkLAO{U|?fB2L}hBri14oLI^<3*Rn!nUewV2 z8tlWqqi?rpptyV}U6%3O(edBzVLRBfFH>uqe~j8$?ZU1n#&iXI-?n5Am8+$*+$k_a z+B=YwKMdD4ZC`+U60sUx-q@*Gpo4Dyp19A}`$~aUOTLhQ)UB5gy5Vx~O!CHk@qOltXE@o|lSJ?I2;bou+^aqNP%%+&tF zckDZbYF`LJVG~_f+PoN2h{84j#o^72tduyViOvV0`^t}KB~*#tc`PZX8gTG{!us*) zl@avjd%hNzvqX!&Tm$j-woB06ez9aWyK(6Cw1e$8PgIu*a&pHR1oB^&q$7p@x>Z{S zin=S4wJ*3`3}7%uDDa;ubJtc{VLocWUl{_9{dt{LDN5{3?WgCd2dO? zP_SgXdm;H6j-C1=KaPxn-+>Bq5`s&FtE}MVH1-gN(ev!Bv)fNvM?y`{x{M+idj3)zwEs zSpLgL3rkB6C+X%{Ojv|wrX%9w@b|}>8~_W};bA1TNV+HLnkKX+ zB8CfVvErxHGP53^-PqV*g*qnjsa#L-b*){zP%~%)Fwdo@f=(HC>_eKLME5n)`Ujm{ z&F9K+LT#^0V>I+gLg9>3k!bc~*={~! zz?69M>+`#e)?!+Orhp+{b%3&d^@TPwH!tbOzeyJ^KJ7Lo*jl)1Izo4u1`xKTnu`Y< zw_K*kz=Bvlit>zKAGe@2;L!r>y&XF_7Vc@|$9Gw&oSGJ0sc4#>!&vejkCZ06RVSV5 zOG*9qYCed3O=06Zy4Lri17#Lt4YGaynUp8zr+ah?$$QmeWn#QPi>uq0F^{CkIIt1J zit~O6XGentl9JDVF8$&${XKW$-T0774UZRJj((cm?)D5V>x0Gzdyne#HHtCs`Kz%c zEc}A*?m`v;$6fVQFFU7Jzr%=}fkeliERugLEW!khn^Hi%@+W1$`Ye73^p*BtdbGdZ zr={K8w2GF;61}0Kf>xjgc}!Fw$H;zOdy|Rl2lBZ2>G-F~*go!%m=)ja^3ss3mQuE{ zRoaqQtdlyFwi53F8X7qoFV{j)E;$c+#Thchi*Ltypdrh#lbm5`dZ+!kx%KIaslTtM z;`n1AsrS%}x`;ZwK0W^1ccM9(rWPyoS)DR`Xk$Q*J%qd>9YNo|W1tjlNI@ap6_C&E zhibK<7#`u06LziwOow1(`N>3ag&#BN9;Up9HSWffj4@1cwrjf8FoJ;G7lUjSQO5Nf z2XdW0q%st5EHuout*Z&AJul@AcR|Gz5 zQsaYCaS>0qVYg9RaP8!^;|*fooP}HeafPU}VeaF%913KZ0nIJL*XX8A3fGM!&4A>% z!9HQt_x?@ob5R#9%NFxE5LDti36><5Z!E0h?E=Cfbg}b3o{tPF+UY;e&3n=8wtZwlT;Qvb-fzWOH|+2M z5O*qM0V9(JgwymFQT17o5oFuavA=0cmg?1kY>nq!D7ZI29aWMDJL_^fD8Nl8vNv)x z*=|9WIOlX?Rthtry|mgz-wV<0g1=NXzrRs{h80OPy2zGXr?~VhiE%P z2LaMOFg$^$i3AhPm8F*iaGE^`C#f{K=| zz#u4p4tOj69=%5?t3*V~!M>cI=5T%R>z9&iM`0Ree6X`1kpdi}l-TA6f(m z{fy?~DohFH zVM)$7%h;}oUAIjox9#bjxiSr$K{tLUG04kR9VopByG$o%!+G00A7GCpz5jkGld$)8 zj0XC4(l!E?1Uv8&{wKH+kA)?HQJ)Qt>1^hUYlvSBMKtYi=o_64#C`w6VH#lLd8okb zw||4rmJ3QbwL}aIjrU3NUo_?MtG91Qz-99K4+Ukvt1)dwU6?9j%`#+G(A| z?qb7L5-~vZ&Ca3&@w89RX?}JQbzUMJG8IYhW>1JfA03*;kMwZumfCz2U2XzXQ`4>I zR4mue=B9{eTUo8g2R7nhGxx+O+Fhv8-LH}Fh5&Uy1AmfTeUmcX?D|U>^Wt(9aU11% z?8E&pa`IK-FT{%+b+-1Vbv5;z02W9Hq#ChG(r3vJl~@Lb7orbD_0HcV3 z+o(jq7R15as{nK^;}-t@E|%l%o6&sg;!Gi<;idBdE8WZ1>Wr45gqZx|G3)7PeJ za`zY^iQEwQ5_4$?QI-I_WG%IiSAekMSK!jW(=S_oIe#>P=~$5aJOQ>oT)Qoy&~77M zhRMVDGP8h|6wy5D&z)8nLzhBt%46aL3s-t>^NYnwfc?@Z`ldf}R{*M8Eq)_FJ~BwR zqa=3sV11(;zNWTQwjt%|s+eHoBICjkHxcp77g9+Os3>H6v3fT+-V*;X2YSDia7p3I zVQb;nVyD8?WGf$kJ02e>v}1i;oBaf zLQct!wbQ7M+_J*B{59!P6^}9j)yLVLy^VxJbIJA1ETfhuEAQWg6xz@C(If{U9}&_^ zBnlySkT=cJ7oy2FlJ``^yZO&6ZLcJ^y|M6$ZH=SLoJp*Z>}TJ~mNF54}$fnCHe zt}}dM{+(}a)KBE)LMEKe9ck$C0Nzf|z<`O@f&hrCS!fO{Wn@z_TrV-bVaHW5om2D6 zE}S=0h@0KSJTB8*7#y5$Awp|6s)_?){cs@snN1;tWSbF28)7hX~ zDi@*$d&?2%|Q*^UjEl`w#Cubr_;0`#vaAuN_w5gX=TLL+QE zf9#R0?!6TJoThiAQsZ$xPKfAJoAD1qsUK+72nOH| zC#CL??scu2P;O6S^NodLm{vG+pvghs9E+2a_GC65u#q+s1fD9a@><^lcM>@~Q4RNG zeXVpT4iyOalc1SA7>d70WX01U@N)rjVA)tnAJ@OLhkqhQe?7MH-lUO@#;W?2jYh(9o6l%k1}Z38^vxU05OY zN~AM^M!uT-#P4Y3IK$kGNQMIZy1+#-50HJwmHVeLc(VG%Z`tUfmv1T~@}kJ^;zdJe z>;uh#)Aj#-Rk>4NcWjoUr3^)kR?s%Lwla3FOst{Xz0wxIi;ewWrUY6vGvAZZ0I1hk zHB}%Nq;1ol{6jK4!#?X>1a6fDnT?M`mB-J}CU@dAQE4Byl%&B@^j4mQ0ZdwI zyBnxCJ=^_#QoaKW$-xy{1-Lq=`VIbUa#^+-nB1K?GUCh_^eKZtwZQUT3=>P<3Lh<% zRqwLDwC+1qiD(6+l75(UU>>hbfNJ+gW&7ag^ut+jC%FLh*)$o$S1?$%(*PnT1uk%# zd@*gv9?N{oaw%#3ySo!u6c&xVm}h1X^l^4p7TGRPKP&4?8Id-C{)y=7;*+dTP`sa& z_sN<4A|P1gw4VAQEKKVH>)}A!C`L9Mzm|}R3(1fEsj5<^o&AS~A=k?3>*@4OssC@G zfJKXT#sP4b=(jfyMLUz4GM<4M0E22phT;r!_sZeyX<^|6m(@7vQ(Ec!du4&P)&CHb zZtl3(nD_ga2sKrf#MiGCm>{1$9q$3dqPbovUC4l#+#ju)#>N|#PG$~g=P;f38>CTL zdajqYwh+iRe~sT)I|$pKnqr6cSwnM31EL@QoyetwtJJ}?zHYAHYaPdZI6h-osR&Z5PBb+0vVE+ z@JYo&f+&_W=($wgPB!ULsKgx&H*|+Gz03I1JdxWzuz&u0bo|##Vaa5YSHFLP@jNLW z)ts-s+LsA10&nl^g#*q8v9v+YnfY&Bq)ZZE?L(3bHfsXH23`TIm`eiXj@3NAId_O=OQa|(#t>>*W zB2{^crm6I^jFnu?-HvM^Y%#uJPk9PCVn_YRB&d=m#IcPugw-qu&q}8lYlAv(h73pC zck83QAeruw&a7YnjfX{Bke1812^xs}P^W$7rp*hMZIz#27wR#&3r#!}ZpXD({s%w& z-%o9Z0FJQL=Jz+05sxUC+yPuukVVg^G3N5{R*Z6G_8}YWS&6IR3 zzBv|9mA)GH8D2UBWtK?i)sMm7rh1Gs-K8y29c5~<!ju3!XC-_0EmODBfZDhM$+I;$xnHb;5zm>uqffk*eLJEAh4IrD}C9MF3!+lgwM9XO$;@sjhV`e?&z8_9p&z9uBM7_b)#~fwt6W$&%U{oZ>=B z{_+t1_cMS~galGcH_Q3b^3SRJNLD5EHXI$UczOTW5^NuUF@4nt8F;>85mGfWTN@N70G0vw~gHE;f`pnGy!+v7(T2)sJ%S70(~{ z&Y1_&Z*pjhhfc12%uGA`DqhqQoPr2+f*l+QSZD~zdsFhb?Oh~$y$WXqx~(;if3ZS6 z1D#V~+N0yx49_A?v9>nqxP6_xQ(>N?>vhPV$T>+PI$J+oUx;dB z2cbMVo|K&9g>$(4?ez?lJV?_dLMUUMQ9-fk{rF3nF>2#h?{`i_eCshD{$AfILWQUU z4gR;oNQ~)u$|RxFzSp-Y!j_9P-T~SDk_1is^*uRLRDoXpIPnY6MH-ya1DjQjPuy9l4YJPjIm%t*IMVOqH zHU0FRGZz@zD{yfE$sXKYugg*60$(R@0EJ+FG^V^ThC*AS!s{9B@1|~f> zzQP+~`C^M+eE9v7H2@&Aasf(E(W};$9p`Ogi%Ug8huv#Brq!BwUv7+ifKrml_?B35 zW7EjgUGivCgV34CNN}Mh=gnN4y1~X2QEg7FIYIigM&4F}TFh~7AF zZg5-6Wois}Ih~$2f6>*&4QW&oVzfcuVbSIQ_wDOQ+Lsbci!TiU@1uFIR3T^AaxAv(%y4t0rdy)ZOE zR^IUGLzjKmZ@GLIv)Aixf$S<&4J1(LxU9{znQyf%ob*z#UUYqirVUHF>Os|DBjERL zB(CD-DZq=#iXp~)BlgHxRECth^l{)+a=%VSrrn8^ARSb<=0nx~01!%)pX~LXV^A2v zoF=xJ%Lc5-*`OFw&V3s;bFmXNg+cnkfRA0k6%y{j4bU_jb9V1C8?Q(zvQHnl?Mk+i zIM}~3T(k^uxmDv3(DMqOE^4{ly1ewn-;?g-h@GuD;e&LA;sfyGzTd6CA=MEO=n``m zM}R@d?AH9Dql1!g_9|IXm*qrP=)SVCaf>z7r>)UQd?)nc@=ADeG&-ADiNu``MF1F1 zhOW)b&G+fWM0n@`d5p$v-L*pe%!6k%`M=fh_xo<0T4@AoeMf@O7VsZTNA+DDALqVt z9=YN2wWl+^dmJ|r=Wl|X4!PWPqucv{-lblNkDqqI~QV~Gm z#}$qX>hbOK%5&LmPkHC4ciNO*Ve$escAmue6P}-g2R2=&)z9DV7ag(Zf+ryC8O3Gp^8gSQi2E1#_042_Gd`%LOWkCF@rjSd@8-6>sJb7N)>l* zGNLYb5AE!>JiNV?;DiUZYlmhEk1T?0sA_AyvjaXy@CXXl*r`abGXltqT zc{e&}+u)OM!~7~w`MqWo&L4phdu$H1VZr!Cq|=7CP3a!S2{Lf6uJvNSi24<$5LW@Y zKE!XMI`zGiR6Xw=J5EuSVCO=Dk;flyu=r7UebmHLILrD{h_lC27IMw_tZ+A`JQ^Ph zPpTc{`1s@5&^1Oe2463&!K59cR=T?Dm*u+gDPL@Ayr%s*IJn@BI@0{VUoTbk_2u{+2zI0U<0P@iMHo=kwP|g9BMK zatB=gYn4&QGFQm9Fp!pf^|gH=$$Pz!n%#B7odUG^yR6MQd0X7g;s`HhDUJgnF`e|! zl@y7CA3yJmd{>=2{3+shiO*4>1vur6N&hsV4W|t05FOhY8*>_`TWd|6lC-$`nkbZC zfXtdhXH+3A)Ge zJ+$o&Arfvkf8AbmVx&TMDz>^8T9+ce!1=!F=H9bN*SDJ5T1F9oqcZ?m8u)v@#%=C| z@-5>}lTO{cQZIs2I$g4Ur|Vxni<2j%uA>8)y3fqmLD3SVM4;C+REfce=65I+-g`RY z*@H7QP_87MDT4B$h`(vguD2V_UZ+#^9&n%H0}#-&*|xjcc9n1XtEuKnctB=8a{}YP zKVsmC1ITV!ROwY-eO1iOi}geO%Ba zd?~&!&{fbRmW4L#MkYUP*%8`lA=FhlwKr`Jz(u$AkQ1)2{Cd{U_IVwXOgMC7-5D56 zqLPRzdzU)cY@Cvilw{KrRTu2KHb*Bzt`|4I*>VKNIPBVUq*lU8n%Yfv?(2GHMS|Z8 z_(V(IT+%Yq)iyg85>BoynfY(hEFsvSfWsIGpq&Z?GE<%CgIhxIK>?RpShJnpd_aH0 zw|9MH0RP3zUH{NtvmiQ=uE>ebd5nmL1PTUvqFNqG1^nX$_}jaB7jkqjH3N={%`Njc zNl6r~zK78{UlLV-%HQcaGOF?0nJj8x&YMEZz#vg``C1l0-DsfLIJIijcY(eE%kH_0 z6CelrB)UcM=FQsx1jJFAYDwA9=Y9O zac7@{OfWCF5;Ia$*MUD;oHUr;VSOBEL1PwVCYU^67I0lRYHn#UNiZ$|%WasQ&*!)0 zK@Z?nU1uyiUiX)reI%YhA?QHcdwwf)O&}21=n}Yu+FKy7=QY9M3jFEve1fUxt`BXH zA0mEEh|RI8koV{LBKo%T?Fp=l<;)D-%Zrainj4dDL1iu7abs=muxjoLc&0C3qD&%S zQ@qh-0T)CmP%k@>K*h=69KXZ=ALysAAvU!;>^zBbG|TI)V4T_GRJ+{(6fX4!KMGgt zO2ftUz!F(vZVcHLiK(_-w6SsSH@vnS-LoDiMcC+56r{oI;7qYa@?Mjh7wymieYdm? zH8`3aJlIW#;hP1?gf{EzEGmvKBzm}kZ1Ti^7tyzJ!iEB?HH-&C>qzbQlvlSTzzKyW zgEnFjtp-IJ4G;Bcd?8>Ax)lu#o56;eR;F3%3!VD?#d~}-@k6QhEL9^zy_m%1yN8g*TAE6V^*N`5|lz-H%yfY7ueS;xZ&P$gRUKRkmM%F zCW%=NLt`r-sjKH!sUa#5obPW z?E~an^b?7{$g`>jNCu!ZEMKmAZ*K35T*t<$d59j;jt}JZ4rPi1TRbecL_iFI_d$oR zN6nXx>Or`Cr~ktT;p;|9O04PJ*O<6NrLng)$enxjQzZ$$8gohXv`Qu93Y6fzwC8nL zMMgHfg9Rc`{?vZ3Whapl^MdpK?DZ&&oV;NN)Cl1JEqdwkaU0pHwc?GRX}7?NfW8IX zj)9gsUS&5Y`$h28^&-glubu2!Ar%q8DBPz~Q27RET?LF^0%wtH$29{%grxsj^_F|+ zFJ(geq*R0WH$u4b${x}r-P%`uAW>zAL9HfFNE>EcI3F4xD3QM_rim z)yG|WcUk%n-xgziL5bP8PngmkY#)-faHhP7mh$`W>6-%PEoK8%F@fJ9LWdoC*{1l14yciwcERi8EfaQ(CEa@zH zu1PRG>8k&x8&3Xc!vaemVbtfDKR}Sh4RY}f>~7@LTwU0M(BCeG5N}h&ljnyX`FLSt zqLoAnZf1}%ZmCKNs={8!_qt;Yci9bJ;6GS-^JQQRb}qSOX6`!dpV*iPUFo1;i6ZP9 zEX0^(?q&d@(ppYK&V7J(hc4PE9x@nrF;WBq71;sDF{U~MapD4V=@Z@E}mA!3$2&n1EU&j+i z^WLbm{_eOxRJGCG8-s43*rbC4u+;k?on-Ss|N z7BwFgW8?mQVFuXjQY!gC3)x!lMCbiPgx@63j=Ih3wop$jcqU%`XGv2|rL6~fG@i?B zaGPS6Ve^QlK&}FBcsN(NiUGlcd@O6cqH5I6Y4N~n!;r%AtgG1%!Y17b;YL^@>GfGb z29gF`o%3DmtP12^W#o5Mrd_m_#F!mVmXUX9=8|uh(CKrUg#$x-3`jSATnf}^X|NBv zp8TNc8l%bIrG&&7eYHMG3T#PWu*@5OpENNqS-5@Cu7z!6$w+EtSL)OswHxpfiTk!$ zBOquIz2221QOPtzj?;BPwW#!thqKnn>nIraAP>QRf^VG(3juR;0jO8^cEY*2H^FTHmGQ&p~*=r@p~KZdfa z_iv$1`t}}e`$x8lX5T6hJVC3#FtvVQWYuQqa#cv-+xqYzs;100JEzx-|pCgldbY%7ZDm zA^YI{yK6?!AgjgRd?yotLGL#%5cZqJr8a(L={ikM*b1&Gjv9ly`)b5Kw&~3`zVu+c zw|bkInE|(Q77uC|S!xs{WY~;lgK?+W6Vj4=_ldCpTiyM`=_}BbQ#FxfR#^C1PV`-T zrlV?Sd};~<$a6<$$C#ksK9XZz6A4No6Fd{p9WWz|21MU^E?R8S9#Q;L_z4@Q&?_L? zid!d!UHaNz4#R+5D&Y1PXE9_!{f@@Ou-`lLf8rLLb*Cs+hZNCE7x#98Zs_ZY5!c4y zk=Dj9dLY z@ICp{7=OtjTH83kx2&XeBZObVPQ#Cjs{KZnF}b(dty*wrJsWOcb9MSkGLM7;KEJi3 zel57eg8KK3DS_i(zyP7?N=snM#Co^}fRkkbV5gGwzRKwM+Uq9EhfLKo5haD0up-@9 zELrK-c$RaWl(3uR;2uOfDSzNBusq#6`07{I88E2?-HHXcsDr&p13e#@_u!Tu%Zp3>sg{jy0SK_!MW)uZ#*MgcOR7vO#=rP+x)5{hXn7 z^8vdL&#Us1Q?nyC^$%0ZwK*g~$Rfv6NJq1dj4ZiOcp}#-?M86xujU-( zyI-ii*G9U^HVk(xOK|)EiyNvl)UK!H4-+}$xjc$!Q?@ZP zxA;E+v5DeAwZ=?wmc9ltX1de+2?98Q652ND?+VHB72ygqu7d6AU&xZ0xrbxpkJ~6+ z01{7}Z{d&L^4lK%Ej5LWP8Vs&}JHin#zTXzm`lR z#p$e^n!mfW$nL8}@DVw7|7$Y2E`OZ%-$>q7yW$ zolbxy2Ze2tjpPE^2UC-X2yg|hqvoV0j=q*vqIEg26`nIckprQz)_<4cQ2J}~72O)n zYbYChZc=kz6+J7Z!yT5u{KNS|Qy4t9BY8i>H zS;r#;cP4fDIfyF;$1z>UU-be!*#$2;HjA4RbPs}iQ(NUH3SLpxzjUTQ5n^{*S?jAb z_aq*h-^IK(Lk9*sGJ^sGc~=@8gh~BmY`PS#{|qKgAo~5BV|dsnB9ewfd`3fL8ePBkQ=_=gk_T zi_B7i8|Q9Z3ArXuZ7uo312s#?v+FrG#a-9^oHDhLr=6Y6!;9*D?k^v`y1}e`7?F;5 ziY%pcx_jE`-ccb|$cTf|;YCQt$Nd=J=#?lq8NcC^_)wto`{`n`j#jg7swT(SS6-Ip z#)Zdv9J=60N>;T$Ix$#P64vjt@wtMH_ki3I;8H8DoAoThBYAjzQ>jm^9~GMGGNT}u8$t5axIj)zAKir$zwx;UJoNe(`vzb z0g@zutuZ9UROb;X2nnMX!M&w^69*%Ip{f5Gp*EM$+KhdtWJtC1J-?2D4M$jI+Frat zv=!u#1Y;lw-i2!+rwf11w12%Q+=kU&VR4yq;q-LH58H8h2Cw8$%^e61@LlF3N1#t^ z&ObBq*i1yul-XnOx`m)UTXxKjtEn#=ks-jDFHZT|MlJteeKez_Sdv?HWMOH_Kr zTrua>|B>!{N+S*sVXb4hw!+-@DzTI@m`} zTI^AszP+?8bC>Ddl{JE}H(omH8=qcZ1>l`bpszav2U~wDjWRkT%whh=DOFf6KLOFQ zz{1}4RlFikc>WUP=Sa&_&zC%n^NJxU`cmfh;d0uQau9T)N;kJ%BoqI2{_X@l1KzOD zyMDus>5>1#*jGnI!ENm$VjyK94T=KN(hVvC(%ms2QqmnmN(+LL(%msMQUi*Bzid~1e6FHW$@=nj%ulY~i^S}ZlJ<4~zajtsvwWIZA3&xzd_ z8)dS>jwrRL1IyY4*aworX@+kqYXP)_ihL*P-SBv@zME z^DSTZt-fgrzVTm2T7jpy8Md~Nv>%GURlSWjzRc6)Ro0c|;lQy>gDj2Sek^exf~e2a zq$PL+`K%d96XCPWtX)LsHMB}IEH-q`qh2>sRxy88F-vwSX4SR{Y13;SCjVx8uh_|p zUV~ihJc(2(ag@8)^Qdtvl}Wwmk+OAe)To+n)iH{Gjgj=IzWI3YyUdDE&SG#^&{J@N zla7xj?RM%g9Wfa1&YzPE95!o1Q$xnj#8sd}PYM_ri7k~xUzsp*K2K8mn9 zJt?(!dK&g_vn@;8Z4xJUW}o;3h(yrN2L6ahX*hGdT)-ZS&o+yS-6CEi&mIoVM+6b9 zU;7f<^qCHsaAO;G31zh$wZ>{3Orb52V8X@4U0Pn=`$@4=DbMWHU~%xsz{46JC}-S2 z;RO%o$SUW#uwr?qTr$i+PW)K3Dw1vKFMqKQnW0NB1dVxT!GNL`VJ7v$-@XTEl)+AA z#SO^`QH_cktHraijxVbYSGV+(^M>;?`bR9Pl!W8DHG3B^v!~u&wv^>v*Zfat5G9Fx zbR~hBF%z{I-|C17!#O+f~qTRx_#ogLt?D&)AFu&DgYu7o(U8@0*-t4 z_>W?p{ZdZVhtY?@t%l1GOZS~t_B}UYAkp->Mu)d-DO+dCsn?{DXXQc7&Y#X{3^cJ& zooR9J8zsNn-RrGmw%kC(*55wOt9$TJuHEyHjwEF)7`*6egG~0+d2)DjQbz_qxxg$! zO&yPUy)njYgu(tolKSFF8ol=Xl$3~GlR-rT`#d@1Ah+$rv%+I6?WEclTPI>z{4hnu z^}K+1dpmULv@m*Kh*D&|H^Swt%-6LM3NvO`?j z@OQ+OD=g_|V-ci5KUOwNu6})gn!_aa_}wC_wGM_uBAtwcgR&EN7m+CJtvh3m%OmGSqpL&Z}<$K}TbN|~exkjY8xfUxF z29)J8ZX9@SaXjWQ^hV`%bqk%MI;kYz2Ri{y((*gvp^l-aB%`TuN+grm3lE;RX6O&` zNhr4E=NSzz(tSV(-VP`7drebw%9JVs_kMe%Qhj_%$O3XGA0;jNDN3ZbyA@k;>kFVw|b#Uu^ixH`) zQU2>QhbbSlyr{JFK((?y>7+d$I^dOH)xyX5zJ~~3rQUzc;+C93B;aO6VdxJ^FjHhwrS55+K)kkPuglh@CyT||Hhu?+vDYbifH3O-;!6GTMs|^fdkUC^UaK1+M9V}>x6(nz@_!Xk`()<4XWIZ<<8hXXEK%Nag zhwkY}6(CebNF(~Oi;ADy}I7*^FFW-0tn zNHTs7G<7eSJ2E~k#9@3ae7q&r0;Tc(0V3ZHq?6s|AN%{s3hQ)Z^w7!U5EQ;-l_dr1 zz^1ft$C@4g_oJX9H}gZ;&55Sq+IH`sszkFATRM3XM}N1|;xqMV=^_~q9ZKup#QQ=F zxvEz`o@vegIN`ql@eD_9UYIv$h&cCBefv zno+&*A;eP%*H;OX{M<@zuGdq&;N6Wlm{w;Z0fm6eIsY6nHe$>15lQl77-xn^I zAbh>8d1s(hU-`9h7Y@X*(kiX@#&8#mvruK~LgC#sX=wY7(fG~A5fONKbk{F@~g#Y8&Q z1AK2;c~41H*>Q^~qK@USVP5s~Y0Q$MX%kLmzfW)>3cL?dt<*rfV@$GktD5Z(a?jcE zl|H*fI?sBUh%L-{a~L%wKUDEje2BaG<=ueqQE>XODz5eT!xsUnAq=TLDb1tBt3Msl zcF6uqEJ{(&0Db7ON{$0vp<3y~vG5$|v4?Dy226wJeUcZN2!vR~zQbJPs`X9=l0SR)kc}^J@-iWQ zhTiySR<9q%7f(QOcSP@#|6*O;=1f!kC*rQ)YSFpr)u}1r55xJA1-Cf^sKipcQ=8Cs z^z^{=M`e8m+=!QZJ3?=2T_olm>i(2F@-27AhrJyR4>BL))uEk^e!$aier)i+#5x5R zg=$P(a-9S5tbFnt$rYJV*z8OHn1?zw=6x-G7ZUGoM_=3`v^yhy+NoDf?wdN@u-7SN zoVC6Y#@@X010&M@y9hQn5KM#bE`NKexpt;cQPn5HVoUKERsEsiSm|`JR{a-nX*?Rg zR7*-zD68vAc=XBt?X2cUyFx?K_S=SBb`O1y`JwduO@+A+d~PV|Td79Gc17Isi=xDd zD;Z&S$P|H{VCW#-qHn$1N7PI8&-!J&3S30x-lH3LHwtb$hpE75 ziu+CYoc|0%4u>mc-VIG|+)rK~>xUQBc(_k_Hd?NfRS#_3n_S$;1h=IQ#E7((Hxvv z_6lNw#U(%ZcK^YH0!==F&Ep^=rAo=_@3n|=_yb=J`){hkjH>nA&Ku7p4(0gKl-wE# zgTvCL`kVh_+OOZfk)DW({}qyCL$Mi5!v{8-{w>qpGyeIj69_#$U0U%d!X_p3H$gIM z#lb&~ z=YhH(QB+D(V4jp%A2N?GyZ{z$@BO;7%y6F8!2O6|qQ;^ZjBC>#Yz6%oztV*y&u}zm zhl|YCGZXz^;>zQ?*JHB79Pd8wKyH6crR*_q8Ks8U!ceqt&Xq3XMamPlAq6ZR3U}Ix zNNsOpddf-xnBuh;n@kcpSoz5_j_on6WKUY9 z2g*}7-@iA-w(Hoc<#g-sRP|e&{Uv@f+sdPaJi{}AR zMmsZJJ&^Aq4$EN-X|92pNY2ML)`LSa?111>!r26X)wWkD=ODh zkMuj8&rT~B&#c~XM-N2p9Ion(B0Mg5pseqzzk87X!rt4P?DCgojw4Z;@?h*R)cA9uQf#S#E`!IW!<{4+_VnZx(=W*rJ3+D4e4M8&@}< z?kS%+Ea=HLK~c%%meFKQawdfizzzL@clwpH<#+wowYSzDrhoPnHKw-bpzjmufyBY$ z@2^jdjw;O%sb!Pcz=bj_T~dj7#3UzYp72r%ScAEPlmx0Fczia({NCqoU(4?#L2PW; zk}4~~1^8q#z~3VA%A)1Q9meZ<-x)U>-*_C?*i5(YEw=H^E}UC^igRm3Oxy5*7jy#6 z=~AOdkE3RBGx+W19;1(Uh#I_}q38d4s)GGuwyk;*=G1j@ z>wr|AzJB;&vBzBPQ^liGV2jtd_N~8V-B-%d-*+2l=tN?$k_m5JXXg(tw-xQ+ikxa? z<u~VoFivI`qJRmx#xR?b?WqkzC z1LFtXSvgQ_=Xk&Sa<-aE$aU};&*z!d^Sqa6@nFIM@B^EO2l4k>D|bP@X$J~Gcgm82 zIhv0avib){7>@5BVgtSk5qlF#kc5ErbrPYz`D8f-xJFG6RS{8XX^`}bL6dGW=kBd4 zWPd`b2z01mQhUmI=Q=z)nmgfUhg^su@IGPi%bJ#^Oj7#=Vuvt6%Ry)9kJ-W?4+bABcFQh#yqBGy;)9tZ?+Mu}`J{?FhdIaFAH!}Az#Ux&C!CGeLb}iPllHD{$qi*oe;{X_bTS;s zY&%4{if#$Hu10mk?wIqLtaD51xe%93xa7)4&Qxvvi3JJ{5o5Ev5ocM7VkgxXYeNX| zf!cwLqQ0GtamU^!9{WIzv1WbRbo`3N7OB%7U9olp+gjqA`+TJA&Br(8Rfewgl(GET zs9%9kpX$9Gh;0q(#-xG^4mwraZ{w+(ko`Hg*c(q}{9Jyl+?qM?8Ss6=Z8;K=+JyQ# zQNa^$AP`mDn}kPYT*iZ1TU4}|gfj!{=s0RVIhV=PI5=lwjsEUUfJEO_qLO zH83c%zTY0YN;SR{Fz5B%eJ@9|t_)+S(Wb3Clc_QG4|VA01XT)7U&L&Gir3jFv=ecbIEuB>gbjK z{O7|?WuV5{Qglg`-Wzj$HDxRkh(6&=!IZNEc|JHX?k0D~1`7oo&N(cDXb!uyM7trP zsI(4DVkT0~ks5udCIqV5psPApwvUkb@g6)>ggxmovAhR}O;+8Z8S;Cik+W z?CbV_pPa%9>ONDP;0n3yWV=_I4wvW#6Ekya*9fOr!Wu$nz0X1cP%1^mM@m3GoM#qk z(*r5${_5<2`9u{CM<2lK{$Aakhzz;9iYdYM+}EqM z?~$Cqki=(aY=AWh#3QU9v1@lt)g9E?wcK6lNmKwfZ=Jv(#4u6Co2+UugU^*v7X}fL zXzj|?GP^w$`p=k8T!=#q-|<_q>kF@xSLvcESNGh$Z}maXyioY~!LO34G``CdiDAz1 zl6b9u0^_hFv|o7RII^W8=>6GJgur-tHcn2?0;LRWDj}zIwRhM#Ab9t@SU41g)Ow3t z`B!gv80u(!FyG!-HlUYkr_i1@g)PPpK3sP>ZG=))L@GDrE@tEp_n@6gi#sW@j zcZYzY9JhR*5DYR;q4>V}!Rx&_@yOjHpy^ELU-gL9j{aGhu-6SAOjA&@^`zTkb^P`F zs&DoiXrn3_ZgZpysVYp0OlPQAKk3h?Kr7Y{#VDpf&O2v@l4+wYp`KpF^X;yG7ML;2 zT4eeo!SysYo((=LWt6;Wb9tpnxdmOLiM~cnygiwhv-lEsiLN1rp9z`VDg5DHrBg>( zg*%RVQGDqAfn%SCnd91yWPV`z8`)(B>KYveWg)f4Y0u zX;VKewkPo_N5TkWL~jv8sGbo+I)l$9yc$wM|L0);?>9JEW8)$g44O}1GBBWfZ zx0Kr7y?%oIB|g3*gt^qTGs+~~8zqoReZh|<F<_njptpK=P0xjaJ$$z z$&9K#$2DZ!FNPOy{PEevf_Mu?5K>KC-(6sa?XBqUa2~Bfu8+EIj9Mqp`rH)|nAEPd zNm1-crUi74v9A!z-hq@eG3fT_UM%L=|)*o%0Ap-q7 zXX;}UDoq`2n&I}J!Q@n*n?!4h%?Id85Ob$`E+~V1jJnFY?GteVs`VL@W@*6W*2?nO z%v?$Btnpy>&UKtdL%C$`gmX_4OcV0vb{(3qr6G50%8m<)*fEkLX zsc%mfDY6exojDii_pOMAQ~NG%oAVtE$3d-y(UEF$fFS$V)Fwqy^vBseM7rmhgB)s` zB9Yq$$BnCjfZD~PXOX23kxSIx*gI^|YW%gi1b)^F zeV7TfP6H$OK$!XjeTveBQ;YfCA@1UG|H;QKcmd?YBT$*INDhXE(=4V@#-+_J?|-51 z^{%EqeiJHUNqJh?!bl{2CM#pEn)>zU@ls>JL;?mUQ`$66y4nE z#y1OfzWa@=uWAtOzH2(D%9)zFM|h5xqL}V$HjB@2$>Q)~Z=~|o;-Xlxj7ONOCmlwD z93ocsW8rFy(*Jq9R$@}iZ!t^r{OudYmhOa9DMoGB&bS>=l~THkYzaCqrlP6e1HpQZ zwm)U|PbX`Zza%IBT4SI-G9h&kq?&>vQo`%^JOo|W*O;%Ju5Joo3ES=HU!&E%h zvn)~C;PQ;=R%fofw$)5>FOq;_ch1WdJrT#G{z=oolhC*BfaJ7vN6Zdu2q$ky8Zc0I zJXRH`wCnBIe0t7%0}EjL+XjiuFK)3k%?(XPDab~u0QdKdZ0)=-k)1v_x) z#+`#EHx?qi7rtU8+%a4(9JvClz`eN&BKUoMK74-$YBbGJwUy31&|Kn6^SssnUHPe? zlR4h0EC-3yl->8$zR7&Oy8Ck?wykW`_$@#=j^E?ZJOi;k-9UpCKbe-$J8!o;@aIIU z`knNjeX5tOK?J9>;wR{+M*bASRG(wULbZaQU}2V)mfpN5T6p@$J@jz1H;IqNH+Z{w zjA8a#b}lc$pA&ONu*5ApNF*@JbL4D0|d&(WY@pV(GDh>Ma?hTL_2OkrE#$-o% zT|}Q3yM&@zCAVt;9-~#vExl)x?!@QjGH@^IO-I!xREV^!(3fw6{{9w z&Kt_C>0NJcU4B+g$|*$_5RA011*>Q$uYVb@TtF^X#DA~uVEFB}SsjcQ2CF6D#o%lu zCi-NK!jOAz*n`=BX)pbst*8KiKDVt{5&^f}yF=cWff8ZyFI+FNud>M6S^1?CGOn|Q zXripX^_q8qn(gM3f~@I13~nYd(4D%WQPJzZU>+;++D37z2!D|ok&mwIA=s}EY~e>X z{ijL1CiZLnPna}{-!4k#4W+;G;rNgD_%yV^bC*q!o-z0js zeI9tuZIYp zi;H`&ZJG6)U-#|liN#;@$=LCD_l{A;KgL9THC;bx^v2~3(n-)_w$$2>H1Hk^T5pw* z>YI?OXfRJF>x_MCMxeFTk*Z3*`Ubbl=AX_V;=$NmF%w9rf^DuGI)P&+(s(=BJ$a~> zC`HgYT^xOU4^MY%vgXN?CrbC8YnD>>CgpLO^$BZ~T!v+5XNRD|`7-)sv(0QrKqYYP zPq~PTpex(y_yfkav+;+_<#5E0q&=J7#A+6K$PYg+G{4i@i*Ai#tlQ7qCNso^RMtnI zIF5XPkWI7(6LFytVg+EQd!cdS`UoZe+G1bp2KlIkwkDwxdis>%@5M6DrXB=5mu}g4 zgpB1q8Z2F}kAA6$i+%C*qMoe|Ild8No73$;|Koz8>a=Tdu;Y5h1vAuhSxlhXTg_7> zZrcaBH$slwdW|yE85M$fGS?;B5*V|J;o0BawL+p|s`C$_)2#>cEvQmiH>RPa#4j>b z`H#i}eXcn>D)R};m#{-Tv2*w?TK+6<6g-^9p=KfRqkt&|q1N5PJaCcH5zF} z6|bCCReNV=`kw5k{GaUye!NQ<%cTAu46??jSnmzu_WAL8`#W0H0njAYH*EK}CvD%1 z?0{2_m9Go4`D%S|Z~!h#VqXvEFq>wVCNburZdf4o?8+u9w{6^~*7><^gy=hvweN52 z3?=ZN-J(~xyw++2#+7KMy07D|4@=(+$+wo?Pdh;E?Pe+B#AIC9uX9rZG~%Y-LuE)G z>1EBgv@`_#`izy;Y)ek;e)Hq(T@ zLVRMGHSa*hGB3c6d0T$YPS=hkn{mRtjUPMwkm$jvsb8k*wXUEc>W7`eHd&z673T2a zBHyeZ1uo0ab!Df7uRF%L=58D`AD#xDnK8Ad6iyUA6QV<&WlNR_m#|St$_aDMA@@O^ zxiVQQP*vj*svXIr%<#pwTCoacSG2uLk@}%^IEZ0kmb9r9Cdl$Z{BYt2kmP}VEglt* z%;@NFfj#ugOeYT(rH6V>PYg?l5kpLBRblFaZ>gGMN+|w|B!lxRl3iFsI2!CT2_$z_&0kllYwurYQkT{m7q z7=5^wZjIlXu2C}N35)(Pwo<}pusrueoJFrHM7z@TU^;u}Y!M-#=W(XqlYAMbxEq>n z%}o7~kE91X>dFkN531CEHM;G4D6g+p# z8^#lDU;IpQwD;kSeO5c;O#+%IBpO_-NjdGXtab80PHy6|J=Ny>(3(u}ec0jB`+A?{ zXLb=x-n5s$-lNVBthbKNNS4zWX%s@;u95BRnzkQkS?+MlbD3h8sF6eXu_JvR^BVvV zj^ud@O%ykIh@v;@^q_7jc_Vy|SIVovYEJ7%_iluCe08b4LHgCAs?xgyE!fjg7%G$p zZhNWY`RNl)Fv}I<@qZpa#bN*!IFN471Y%=C4>5spU7Lz}^`N_rWG(ohv+Iv^-|^P9 ztuYJjw1*`+HCTpc`%V!wV$^nsEf+4+P5v2g*KnAXQR0aA%*VhRD4oXljJ8b&)CVi< zSmzbPebdl<-CDw<^$~(o83hG;Mn*>SxT_R(uvXFbDv~!n=Z#g#x!>6}1E>oW?>97~wQXL<9@C7B&<$l)eWZC4qaL1WcR2;N7}<2Qn<501uT zk~Gg(Wy~;s*WbS{{q82J+|o7_&AN* zTq%vWWa#H7vd*0VrK&2FR#o<#H+y+$0l&+qiAXo^ZQR%Q9xjV5-)r(wi^05y&5^Nq zzraZ2dY8Ae4`Mjwxw3uKLww@WOA~UDHNw0@_1T_$O>eA+f8}@=h>~{Sbs`O#=f-c% zsF)wOdX*MyP8PH-o5A~5`|GjCk7J!yk0!%v4v%J3240A*rKaAV$eTxy3yAT@HX?OP z?f)$+{!cj>o0PLZiEN|OEY-MDJyQ{o4uxRwV|pyJqs{FG1GuNVii!%>H{r8e>W@AH zykvK<2u2bzP-b);+$E;yV=Cdp--~Ow&kVemom0J!Z-AhojUf|=3K4+9wNGd>#$eI1 z!K;I?v>Dml2wqGnRb-fB=K2;@<(vTL|v3OBA4r(+C z04W7ZdE}4Z6re*xb3C;dX)Sag${Z(%n6W{RH}~{0!0;feR@U-*C>h_E@>Zs>_gAOb z?w(niD%?{5l`_P);{7xS8sCQ{ynkvA8Rhl`P&mitAhWrXDV`|$yt@olXwW2>Wz$GK z6o6@1q~5OEdDR|)4w>9(3~tzgVznv@C$ub3X~x3!tIVaRI@VnpkW)uiiP^azmn*n- zGAvM{TC4Eq0$_Dt%~HL7oJ?@bQ@gGCY);mu#el5%wM}-~HHMFG5e6W)xaPJ#zB>Nh zK6(e0SiRwfs%t^q5Ao~+VG)i}Y4V9)P9E$r`&$k8LMGs4#mLD0;>OjgwVrfv+bD4r z7j-SC!y#%~a@gP3Gcq#?`0dRQkf}Syh9!K_b8u~33t-8ov&M?p{Ud_ncgMYd9XKl9 z{rM7sder69H8v5vC{_?|pI7CRV^W4UDaIwwHH)%gitP2+8clWlX8+s!kt41S4=IcP z0Qol?V)FHd;~Xo=X)Cp`4~n|^gAWUD@K#xNnGX*=V=7WFAD^zi zcQp82p+szYU2W{BZlnCL;=6~4Db&-M|L}B&1a9NSC`jpJj!J0 z24ndL(wj69UXfwJkS>s0b8JM8SDD9kO&n4DsduJO$cq-TZ5SEzUTgE$uD23^cwew$ z>df!5>TqXSAvsxO6&ctO5j|KR6Kdz$=MjMRzJx_0gG!77hh}atr z?_Z&b**iYjuFZJn)Ae*Cg=$9g3v^fesr@sB#IuT zO#+G+D;M@{FTzgSt!IQ|K`Gg7yDdIp|A1Xj(DV6IHnK6ZH-6j_MhRNv|OJSPEF!hM3!V}ju+g#1ZxABL#MLZk?-aR%T+r@sv zYiZYYm;0huZhH9ePwI)ZC(bC-=*Hzb0{MW5eh^s=9dTBt0ev2z?u!s6ft{kb%G>{) z!Shc)9Dx0dj&5&gY3KXeM~orq&4WiQOG$eVz5y4<79UoL*zSysZXYT$^7mcchHto( zHd^6;T;UmXLnBun9auP0#JMuf_px0dOWIhJ5`6_9(em-dC-|I8EA+V}@{0Jgi(Y)0 z;dOs^_#kqBHpwPkI=cP+`}Y-w1Mfin0Acbp=%6i+CX*qjTM8z&ViE! ziD&&-;p!1JpaaHnT+KyTJxJr8CZ;Py{E>*Q)aCuET#ct=M*1qz0|fHZPQ$Ekb|;fP zwhVTY;yj>3qmtIi6;F=TK2dL_W*h~Nrjf^cDA44gND`$Dh0%ZRSJ!=PE-fcdny_n- zC|p1WYtrNie!*JyeK^ET7hmxBSHdBWc6N$#b9V66IKzK`B>zhOgkc@uIxaI>l&q+% zRbmhb1%8j1@mfNz^l=<(47+9o=za*MVt{r(iuy2?>4Y4VsF`hWWp`&IskR)slVy8F zb6BWK%u_Bj6r=nhEO7C@ez z3G|rlDID$Foa^+KR#sGMtm;C>X!VY1_*-T~pal>yIx9b-xhtF+q^c{I(CwvM3RnmD ze2%MxSEx|n9pXD)yom_k2d|!)A-LtQ;2{v%f|Lihc2YcxD@nD+N?XH>g7kM(5PE{AmQyTnp9EoGx0%-iKbp}vOAvJUR_?D+wb)JMag}kj51NVA$&^= z?R2D;=m}273;fpaIDc@K7LI~rPO_s?+>6sBEljHH4aIL{c(SQrA zCoAEni9Rciqb&1%@v(^do$`rqi7*Yf!~xn6?Uu^hZ&%F{J{}+X-+f-msEo)+2(15_ zZ~M{1AT~>V(PbXu8AyQ%A|Z!tKq6rju^$%2+Yqg30}7F_OOu?)SCKGY4XTIE{Xaj$ zQ0!V(|3*>#pIjoq2mgvcvQnu2jh@@mgT6J0kP-Q$?XwhheOi)j-Dk2&Q!eAtO<$;b zq1t>3AB6778?td#j?%~HL#Gy9YTNZEuRy99G5_K_Cbi*{{u|-|A6lKzCBw^T@80c) zeq(eF_q5nXXLunEdD}%xrsjx^h-hjttuznMk!IBfQ(KB2jLH_?LG$L`j~&P>J4}z} zZ*|4TX59g+dpw-I-J zuEFno_s}UAU_!g>jW&*`h3h%5e`#*Ki-gJiE^Gy(5CTQu6$-NVzO4+Tl9&HJwW$@# zJpB2ezU&`Ux<6SHBq(F)h*ed>3$GJ-6ieUYGgM;96vAjrMa?029)D0CTn<{ zqoeEAejXqPnslX!r0*)2Y{H{GO5T8hc_|-Y!g(sAh;?sK@7defMYe?jCS9KgFPKUE zOx}sNX`URNx?p6g2NsL=o?~RIM;0e9nDxnrnS)UalNVe=+#}9;NBXW4puaVEgxB

        Uxz*I_(JEty_;wx%+WJnaJl-Sk3SH{&<|RcRhr8B`Aj^(m z9b@R)`0^31KS;;&4mH!f83V5^&xK1zY>o%-eR;Bmztvx`i|Z&GZ|I-o*$~M6}jcUOgrAjr9U$y z!aVJ+QtqUz;5EjzfP{bRIBuLV_^jS5Yis6O@4255`<$(1uj0%MHIeU7*=6bImW1Y- zD?tD9&03>3ny~&^)%vwx{Evcm6sRS6wTc^!hp3EdmQRzd>evJskler|dMx+X? z)@cTDqw%!;QTv{wSv*ggZkCa!*$Ay8@ye%F3vdqhY^qW@Ne`z$SxxXsxGBvtX20#Nsjig8H<4cV6na(G0 zvObWoW4c}qTxx3VW$htAC+r004CtAodpMnK$MU1Ef9UWYKWb;1jHe7J$8_EAQBLEy)|BkoWS%<=tdr5Dqg zg6GF)e^Uqi=i=Gj$&9MhW_J$$ol2#U@r=7kt>{7EC}DI}?0SFCzMI3sSIp zE@}?sTos3vXOv|!Vvd#ji{_Bm_dOgwDjkZ?JuLBEB97t5i{4n#M6<| z+~~-tRyKB7nB^Y{7BuwGH##adYQyJ)OB?n)pn^2pDDCbF?&ZG5-^>4xc;w$>liLhj z)RDJ9VL=2hnJu?%ou+MFjB%hOdqGOb$ClypPN}G)BC|fl1JDC*X>MXVg1BiQAQ$So zZpNbwJ+3ia$uuIBr1dk+ZSpSTq!n@Fdvj4t5sTtVeQf`_{nqB5z^lEHB&iV=LIIz@ zdVBuIqyEP?^TWU9?OqOC-aDnM$~`3~8v4DIRx3|Mi& zc_OCc(Ot+@V>)OO(MS}XO;?i?<}T`I5-E}?n&^hDFDiua;zv<3Myr8Wz#cbo*Q=+?Wtb>dC3F@J-9Up*P1dbt}hTQVWoT zH!BeLsvVD;@CWNY7M%M0mkA=;dM`a&!&*_)f1NypntuhoB{reS!w=4mM}f+8mPg_l zV|zSRY4VNBS_jpZ<|k@COk3$NA8bAu{h=KaGf(2DYMxc6Z|=_4ZvV%o_>ZG+C-V-e zHgGCMy=A7}&T}6leNU-^=i}+uQ_Xef;XNK@aD#q4_$^9#jx#h?fB4 z_x$=Vd8vH6G=#fj=jusG>H4)Dnj4uNnzMLeI}tD7oJy?;&D68;9|qFYl>Wwaw8o(C zfJLVqBf5;*hgaMlWpChpDI8L8;1zn8n-s z3-|zv_D9VhPt9_d^Xk;wg@GHLh_}FX70v72pL$2TLddPFBtPM*FYQ`WqfjDOVj+_E zNP0ZbLuB^N`AU|~%O*CM&aUsNhEO#URgH6QaYwyrJ}Lw@nx21(tK->ZQ!a?}Hzt0~ zeU6&k!3PN33>4!ZMJ=NTO8g@61{_gEu%@p$-Er}UcK=xNpKaST$nkl-fK@TZj4jAK zM0-&GIR?M+Y)Kd^$mrP>cH4NmB(BRiksm6Bt8;zFZAzxBwF1|=cNoW$Y_DqP_%Of& zC2qp=(Z^V=@Ku#r>~L;zhwrIQTA@MNy6OlP;iI(2dn37m)it0eeeX^fjn$=x{*q@2 zJJj=U&dBXf5kNnoi#O;DBA}4b4-{y~;J{L@57yRe;^V1p}Wq=67lW zvkK;U3?>_`NuRMuvMk1!hYUbNf{aLAz_;rD;5D{b^toS^ z^=8;k#_lP~>!P3G!^vYOPmmk5b*y)oB*p)YAASgi+C=kMjyf!@4FCg_t5%v4JnBmc zv`7Tmad~#|)4$B7^eoOL2QA-4rUFxU5o(Cep2ds1*0&8|^pQS^l-r`7IQX%!LHF*j z=qDp8lX%%D@BsuuL$^k}i(qkOZE3D}-{5;{;EIT+Vqe+M;xKEed{I?j2j6rpbSX8# zM-8G2bQ-k6igIvpeCl64Hi8IB!shIb!NlxRe z5cK%A*!becwp#IJEO=LWcg!xY?QLBq$lN!pvlL}l=yY)l6s{d<4+-|nqrd-P;^iGJ zzc{zmGWvUVx2x_~7h07dMuE@D`HTn^vrKud=#}4Xb1Z;#_V=fH&9jYzZ9QPOILRlJ ze2O|aK4toB%)dv_;s}(Yh5zM;{_PY0XzzwKUGbm+{Eyd?9wv1~AkIsJJ~2mgfP!(J zjoCnslr7*z|GuKM)p~pRx!BYO#~XO1;IWavLHA8dTaE>0JY`$$wr#()<%+CW*5fw3 z4G79vW-#yU8mrzM&4_1~2P^5;QqvAX)`CvCmWUarb(cr3(`YP#$=YC%oj7Yj@J|V# z_rvTu0B_gryfe>ytbih=Aw_<}CFKg_7bQJWewhYlZ(Om&n-FJ;ejJp7P9gLK7EZ_k z=3Idwp?@s5g1j&_Q7|Eupn~Bj@AE0KeRW#8DxZg;m~2f9{+Q3FV4oZWg9?Tz-^Y|R zXh?>1wLH{Cq4fp!f^J1>Yj~?z;XAfhmPYFdJ5^&IpI$~fw`wYCjtAvh)U)Cuu8HC) z`zYkFsV(dNfNC8+^e=2=#>o}J4~ZPhR1220{!;OTYU0FhVN!nJ4ffFE^^1J>)dy~F zRHM}(O;0^m9(k#;cXUSH5lQ3PCf)uJ=asRS%PB_u|0ZsyuF5rX$SCU9T34m3RFQfP zpC8x}lmaqgrt$>_SvPwVd0G2ix)g{0)ImwilI?GT;+{!oR1OQ|>yKqky>3M@Pbu(} zmo*LaTw3&Ef%*RZ`xdisDk&lwBY@#vK~kJK_sO{Jd|_KrIo+h*NcE-FhPCk~3Tf$T zZBRaRTqjX1*iw)T3lHxNdoHw%MG3t>f}?>;QH zq+LT~>GR!wI56B^f172XP}a_)X&wi=S4te(-tq_n)qn{V=Lz6Hf{f6PT9QG*Xo@G5 z9b+AZ;L9q~7Tf)lP7G^orU@E33WGG0e|-Eac4?@PWcuyDowF-7He0=F{HW0#IYvcvTiUQV@vf~$7LfEedt@FTWdd%9yShlyanpHOF!`% zwP)xR5_|F>o)Q4lOgNk#16a$g7TadURaBDgJm6tx07?+xT6c_zip{q9*w*_&x8c`! zO+D&Xf|9hq+i{3patF#v;dlHu=hYy=<`=PM<@-)fNwEt`#Yk`A!s^?ul>a}p*RLex zVgKv$6sQR)`R#C;rLrk$^-YJmYYTU}mU0Or=ET0iIJsqtZaA>_aCO%jtnMYQLw zy?eWx*N+Hf_;5-%Hk_f?tz^4716o*|nCRYN`&H<^sFP>MD;nb(9l}{B+t{qhYtkqa zd?>S~3b;V$#qhcx3*(Rt;}O-@pzW=0gON;K*u)Uk(|3VBp*eCB=BL~zvi$GM`-z|q zx9rgsnGOs?(1_fYOFqBO%*o}2J@YSSp%>uy0sUaIKNwni1ym})o6m3>o1iDx=N!O4zT?p%JyDo%05_vV__CK;ad zba|ptC{~oxWLhY*lZWaat5^`&V~3|^D9p+=SQPv}%HA`o$!=R41{)$Of&x;bSg=sV zLQPaeM34xmNDYdL2#AO@NkJ45DG{kkiAWWMh%_lCh>*}jks>WXfB>N-A&`XR&YNeS zv)^y*^X&Z|zdtvGF&N{{T(eyBn%7#(G5whLM@{N)+a1TouYB+8IXRc=bLJ$A%{|vy zWF99ooV`}ElAnW|IWlDNH3@kv#^AQ zOp9o{FB%DzGGb*I9pN>KCv@#jd=P|-tQhB=vCZYTrK}Nk0y~U4W``oI(hWK@5$mCC z-p5az5dFV`Kb?nz35}U15&1VuZZ|L`0+nJE)2*IwVf`*U8U^NedKC)Ec+yEKEewWu65Gixy$C&8_ux z>|G2yymu21f0-U#m6 z?2g{*y?cZzj}BKlE8(?xh5HJ9_9I3Gh8_QW$FLWR05ofF!vHRe7Wi*~+E$&b6;8i5 z^j}Walvy@_Krjg5ac`42dC2}dFvZfZaEPQZ71dIzYS#fVp)~A@P$4GrtH3@!^0`)4qpKx7++ovEDZx`%@@vopJ~12=|k5SZlL?g~M(&LFl;l zOjr4Fk`Zf@fHYboMovzgN+%7j!>a~{m!2GO{;45);nLBI@s@Yrwxw7e`k61Y%aG8O zI}MTA;U>J8<6ZP_>2}j!Iz>tQrFSIXx)%2KNWi6!hm#V^c9`^pC+*8tR1j6%^WJf7 zZN7XOU7GP7!_O!u>62+oYgw4eIY)O`-%|(;(Ofix9&&TcNH!7K+(MU(Puj5`4Vw_Z zAR6@M%!s%e>Wz^aM1dLooRq+LxBAtq2~(puDk4*wSJ1t?a-{t zZ@l%!zL=<(-W!&IR;p~8rmoLz`m8Ni>#@DaduzGg^`_I5)|wZbhEKaR-44LBU{gfX zvoMFCl`~D>3(i<%wM#=b28}%j@y65;n~K{1@#3lf`eWgvce%rOGZZNe2I$Z+>L^cZ zIU&#JZsC>7;*u!#&wC^npk1r670=0Gr;|C(yu2Z#B7Rv5CAEZDN@oN8JP{TCj2R^r zM@KcF{3$Uap^$Zdlmdjk2J4y3OIV&%gUtS-K<)@nocxt%w7HTufF9GuR7nar6+_E3 zJOEmj@L4~^BcOO!hF6LNyO9gzk!>UDQ&EyeUmB|gz=C^TBt6@$L}>HW_5g4D%i@7# z#G0D6c=I*Lg)7!SoV;YwuA8SF4mC0Tg9szEm4j9?w7AM_{Og*&#w+a~0nbQMd)LZ~ zP7}_a=~;StsjYogaN7J+Gi32Zt#w^sAI1IDfUTqPjnl2J*AUGkT$`hZ`YWn!l_X5i zFpZo&BRh%{Y+`ln&Oeaak#hW)JG`w@(0$l#8kIa^E^(Rk6f z9Y;beVj3z@LzNQ?0tR(?fxKEI5{g<|LhYz~vT0Fmk$*5_wM?-B4ny%-fBoC*tgNiu zrTBqj-+bdaYjgu@JsD6176q)p5M#$FrC~Luj+7FuYyTJVG zM&q`e`^(8Ic6n1vy|C-f^5K4tJgyVed*r0%-7$0Q9hz0Jdx@^$8}D@+3)x(uhMI82$D zPHBRNOmUj8OxWtxvY5>Uyq$G&i{B`*k_do_Ap@w)|8kJO8C=9^ZMmKPwQ?k2{T+f| zgsPNupT>{kCe($!@mj0W$3{F=pT+VV;sL|J4x3eOH$Myc?Jso)3@H%<`Z zsiYP|Kj@|p1`|AiQOSuVxWIFnLqY)!`d|Mm1cbwY^~I1e#8L=($qlD3_b3Ip1Qi%v z5d7)}u~IyX9Jqz?Gngc{aR3dwvk%oA_w~3JjTCf@mJgxC2C`QAuB}HKjwjk!0icv0 z9q>&Wrxj{r9am?6e^c5g1{=C7VzQ$k8R^#bYm;ctq;{1NGO5MPST*2{r?K5lwX~&y z3Q6S6GP9J!*8_hJ5&PX9HiKl@UNwX?$?*fVd6Ke%IX0W!;}bG8H0sxL<;?e>TgZPO z36i%%gi99{h^Ox4JxB2zcns|5>r|XD&m<+|=da-a!WAu|4_R1~7LoxOV4`1ey>`Y_ ztB#_=+{>d18xhos87kV{nD&lhU5p@8ao;je1%+Bp$z<{A*Hp}lkkxkZXP72QcwsZNWj>MY&HnKeF;fY774Wz6xofR zR5MAxqeN!E6^KGs20=fR1BW98i&}!~@R5GNV~+@)>oXcDrlLnUgZyc++++rRyu$AX z*70GENJifBbHPk`5G8dqjEW!Q1g$MB5jILHogw&s-3vXD1Y2j3>u4?lU6D|^@5`In z1O@azl0`*f|KpCJ^&v8_sD-3QVF=lWy0e@<9hg{rWSy6gqrtjfy-@}2p96?@yPzLV zmA|H|;$1t`OjveXdHMLuDN&q{4=oylba6_Gg;nxjy0T)py16&d?}`+gec`+IkLCv& z(satGj{`n!vECezeoTyZ8kyzrr9@FhFoTZoxZUaZ?Abyo@_IHg(i*?#d)G?PZw=fd zRm|p`A>oNt>aU&QTn{=2HmLz7ra!15;b*V-aM54>;h295J%!Z~GV3z@rv;#(!tIP0 z>o8nu5QDHY>CSWOjmW}>>&}1)L8 zLf7MgoXQD2P>R|DT5nKWPQsv$17zVt1?Y^R^pg3Pd7Tj6vv*{{R4+NkXI+sTW@bDW z$6hvG8&h8TCWA)s+~~Ftj$3<4`awc`^we?O1Se=>Hzt$_UeyU2w?j^y3;t&uYvjB* zgQLgbH;5@A1MX;7?&kTfD?7^|R z)i#3$PjANO_>P={cS)-0Mo<`U^HX6JCok{X?(1y?!ag!<`%LGfmx6k7~$k8sUrX9BkhLfcD9KwK@sX6Vz2 z_~m>v66^*RYRN zeR1ev&!pFeYCoy5>p34(_zD{@DXF6~6J5=6ZhcoN(31H)YhP2Xe5XTHKx5nTKUcvHJpyO8L-^c&JfI;079SI}tUt4jbiZ2HiEz-# z%@D9=W+R^H>KJq4aSjvUUXM=?qn5t;IwYN5G2`zs4V;$?B=zjRL_zG?)N%SsVYTj* zkCG+#)Fy8Q(}2>|x^GoV#cZjv6QQbW1=5oxWxD?RCsX>~C%mXG2TeC>yJ{L_Evw6( zRo|&`>|s|ve?oX!LE1Qir?WYPU2W<%yhEGoIMH*PmqQ33lYn{BD0g%Xx27`i&$s_q zSNiWy6@}f8JA}pE5X^mfrgl7iU>;scaIzG$qWjTSgunO92J0o!+DWQ?AWEC5$)~n;N*e7<-dRViq5YRQ+;q8j0y;ZQmT`i;%M@B zYeUkRSNUCU0rSRyye?Ry^4v94PR(?BDsVifEFKmf@Cy^8*qoDK@L;Imo`xH8e*PWH z&pqI(_wYw(1;;kr_1wsa)uw9LzLZ+18ke|*5pg!6mI2hU%%`#yKwr%j*o*-T>SUtaoek2use5TNhKe9O|8MrB@37><7OSHHq_!L#u_rTOa(c@A!w~bc!25YH^)!9 zA}?r|hPan7ca5>0Zuj1CCqT9&BRV%)agw{3XMU|BSx{@3eA~cR^HV8b&7g=;QW50_esyKauU=Fe!OU3MY(;w5V_U+ zxyR61D@~dAX8!vnm+h`81ynIktvZ=5rsLX>XD8`x3 z-w+Cglh+Vrnv3uhJe)4o?~~NOB-nrXB7ZGVz_zUHIWr;t5iG1Bm)3xjp&>d8$YkwV zlml1IRXWv_AHS_9-{-Y3P>#&T6&jsbeb572n6g{=t;v@UtW)F+tM61aRtyi+_nt4% z536W${bmf>-RP-(R{x&twLQ1r-)TD4=vjC0LeJ`8ELAD5Q-#qwLQ4oNXZQ~_HK8S* zQ=B%k>$SI|mgns7Ts0i621jexcP}vfdvW-ech@9cK00NHXBv`u#$={3nGxYXpEl>pp*9UUrC1*pT zy$@9WqQ^nW)>Znicjv@ts^fat`YKa2!-wP`6o37vc0p~rI^Bx~U6kBX76Z5sCtj(x?P*Y^=R+RMVv<(O zYIA|tTy=#roR8##-p$n5Ck6QKk;QAM&B13r6rpSkKLHjL5X(I!0H?@uU$Hyob%k$# z`IDp>>6qYJz&%kFF~`6P+TFk!4S!c}!(SCfF6AOK1qN}BiUqH&E7g9PcS8u>ZjKFk zl+MTudda&o=2)P_lKstnuzt1BMs1HDD|BBs&NdRW^a;y(TH_g4${ysK*%Sb1%8e#_at~Qn`Z;NQTEgz;eaygE7ec9yVHqrq+F?$o@NT`{zva<24 zka?iNo(LNh#E69p2p_}blYMioQj1QE{@T0Kop6>m-F=}2ftSxen zxUka{u`AmDv`?~^zWbAri(hrOZ~P|TCx=@Or&QutMFMgvnKwICI0^aoW7=1GDwmoY-R6sb&@OL*fwtjMd#kMP*k)<_P z_Y3-fo%v~Ri9~wib^!LgFEH4D-ef=xDUfbDsj=HZR)i_z1nIEJS ze^gv#T70tN<(_xG_1{MJkxh!LoF@vv{o-LOJueDGw2tZ6F`Oi(^MCAzt(*FixA}E_ z*hc+W7YmkR?BbXY+Kib=xkSY5S{fI@&1Xs?W+)kJwNwO0!eu#35yPK%hj0jrK5!nZ zA125bLfjH`Q2p+VN6zH6k=+@~FU*W4_e;)RPa&c&(NyY=j5Oot#=5Mn)`UB3? zN<~qZ$T9B2%X_jDIs=toro~CW@jI8?eJ^v>xQ}+~Mxn~jFH)}qozXVi9;SJ=h2V+!~~LY(xMuL>W$ z9y%y!?AiEe$P#~EdpqZ^pTlYpPBRI)k_F_ z_y55IiiU2tijP#dYPZpK!~SQ44+Pra%VxK(@>q|}xsxQj-zU552hR=$WX8B`jNgh5 zKU?Bh58r<5wM7a#9Jo>MZs|OOT?kg@n9QVV%lw{in-~i@w1!}@zHryCTAH>7tXSMQ zj`Sw7_tQPWNA<4RmbmTgpSK|FgM%%)&E$$Ybom}GQe5v|*k0IY2sjFPkA;5@JCB!z zF+Ki`!T;?doLc78L}3?_*hI$m$3^g|Cn*x&RuD>#wD-vC^NsGNd!r)(3;xu=?16r= zKLUyRj>8jfWIIdaj|KGb9sq3hRzt=qto^7?$F1@A>I77DFmG$W0_x6;--6januFVi z`&uX505^Uk$ETP4;pr)nt2!#Dyr!ZJM@=0Ud>*GH#=ON|({V}LC6bk2T4Y5#)*oW}<6|vQEZ*zM{mzbWrG!@?*dCL$-F*^^rpd=@_HkQ;VM(K8^KPRvg zv8FkO<3}L{kch$6s1qvNm?x2}#1g5x*@$A6FPf95#kz95TX-Ff+>V&4o<xS0b;y^o=#jWFr3fC*+9Jm$YV@&EJ5|MZ*SAn(Z*us~?S9kAnV zz3YpOH)(1)4&| zxT#DUQ&e}Cd+#YcRCTe*M-Ab~ljge5V%KPcRvh@nB!(NmbO+@+IIyDitCZ8Eq)6SB zi3|5D8?hg2<4`xwjRr4-p4oY9{$cV|G9k;uPUNfC5)mjJVQ9;oRNI^)QKEONWF`T7 zZtkGgmG{W(0nD78>^5x~y9mzhg)U$$hv3I}@|9&`hHuGhvUK|u{)2r=maB%*H%cJY zmQVBp?@|1H=Xf4G1Av_=HtjnTp$crwhI6Ap`z~RcVBGukssj9}Jd-RuqjCgq~*B zzNOuV&rR&}zN-Jc_BbOAPI%L3H&5bWUSQ6n2-x5rb|Q$<&w>7sBbp%7P(?9e!TdOK z6uv2ng=LaT(A&E(qI+4MrOwMi3db7*o=(v0(V51jBIu1h2kv@aHE#$Kxj61zP&0Mz zMWDFtiTuZRZ3bX!CK%tZ7s1o<1GjMd23{g46UJ|W7O`o#3oR&wZn9I}IVhHE1#vmF zZ0qV_m4G!Bvy@1Je@$XnkEz1^K7epHc$1z$B9;@e(q&p*ZzPzc)%KKq@4zE3=pS}| z)5iJ?D9|s+t}jw(W|o|d0Zismc3a`!ljXmQT_3=MGq-jXIr`JiI{E8LU?e6S>zln9 zhigrt+6LQm8C8tgJXh()IM`$cjvbxL`?l^VRm^w?n{sapoT8+t!l=28)Nd@w822Lf zDU$ie~ou+N*2RqBhGI|1W}d5fKmurM6J^iPyq zA*=nWdH4gCLw;|~!HD8JUi1T(1R6pfC<&<)!AR^E@?g>1Q2;DV0SuV2yWjC>_= zSx!n@V-##e)4|-4tXEFTJtux%Gq$}e$Q6h)w&c<>6g+Tpmab5*; zKvc{3EGt7CdMnWIuw`Q~g;SkL+Gcx#vdLGP^*jrp)Zg~qFckmUG=Fo)M@sgdsvEe+ zoYoS*;qPVFQ7ygb{c=b7{u5fwA?fh%F1K6;Ea20p8JAz-O$?D5Udj>EkL#Q!KYS}qV=O+8Z%+k`zpWgVYsk{QB1xjm4!1lf9)EKqW zi^d9}*6~RqSA)(lNYxuh-)#;Oxppbh9yr0)I zuf6fisSvv7$|sT7#tTR-?_Y8+Knq)$rU}{Uj9xX=Z!^wTe!Ni+U7b!zk@t)uRlG-i zP{wzl-%rDc9iEyB$`Vv4XDhhkfp{wuvI$=Y2g(7x*qf-W;8l9_Kx01}+G+>;8#??C zZl{3+ivbGj9KAQBK!eyBJHcL5q2y$GtSLsO4GnJ}w?o8Xrh?I&lKjEL&4vtCa+?3b zPxdo?3`rH@)`C)EYJ&OY6YksR(HBFM-O^CXYF~^5Z@{!i*pjmu^kC7m&hPsKH$Wph z(27mXrN!0FA{R##J6x%U>J;TZAK7F!o<8blW;CL#wdvJd;j6upDY6?(eY}!& zUm~7;x*yNpkSiV;c3NZ0F+;lnm$73ht=%tiGtb>3DJl(S+i)xL2-;qb_4vA~_x*yf z8?5C_IJap+VnU6PH79f|eX8E4gx;!Y$Vskxhj+9Ihr2(T2?Z0SIiC+9LuU^3VF(v+ zvDTbg*hFC7B$543y!`*Jv2Z4|g<2ZV_*8Xsg1Q-u@ZdR*9mh5qlTCq=Ws9*Mn=vMo z^L*IdBR*S$VlDOl^=JZqCut(~Y1#pT&I_G;X=&KtyS%ncm62BctH`8~7#Q>1Vd5vZ z{g4jG`X?V{cVW4O+>K@B4W5wt)jkIctlYhS^fSU2{yxfG6#vraY-LJbKGf|+6YfT*DMwrX>+wjZT)dS@~0tsvZM>g!7s+{}7w01_I%2^3Mf*<+` z-GQu6BU_N0%qZ3IxE8HU4RTLn>$cl$lSG zYlTut@nyZMJGV=#r{3OHP$=%Env(xpzBWbc7u))o&_D;u%*W+YwnYFTUUC=ZxUwFF zM&4#UrxhfY60wvR&|yMuRJ`d$Bzeqid_)?;g}lJ;!FTw8M&l)dv7oI}x>_rWRG6C( zUqNE6A&-6G8>fM0Z#qYj2KC#^;i7jO+~TrC@w6g6hd84C%)fx=VOT`RbIEyXkNa_8 zc&ze;?)w(Smyb=lyHu$HlP|7A#%mN1z%QFPn)56$geqwilx zW^0gJ$TAR2&+A%{u*$jtQDr>?o!`)`{(`$lFp7=Vfrk|;idcE6EhSnV_eX%kAsW{q zpHvhLW#KzM|9W=f%_i4j4Qz#b>NQMYzWJW;Oigv?Z|2Iw{o()A0wC9S?H=-`ml*4q z!eiiV5|mvy*<$3k%Rxln2dOhryuGN_2u6A5w?}0+pTsTW8cFr&s4L9oZv%Erc@DQL zGAeaRUyN&ngik~$bVG^BQ(DMt$!sN)f~i3Ac|lko{cxmgecpX&}|YlgQ^S$VsUiuz1{ z_MKEGwe;%xDQpc6hfrB8wbpgo!FQfiYTSINLl+e zv*Qj`wa#;UQvCHvWJNgn{2R*;$bA#4N8b*pE>zuQr`CtKti@1|4zJaFX>>=&e9_=q zBh|b^=vn>FGh}ncy95~HSujc_RXA5&&BPFXw_*vY=MBI9!Xv%xZhbCF$%1*y5p%q& z>JrG@0X2`I_kQVXdV(TuPsmpXR{uoc0I5GfZQS#Zb9~--Wy9l$Wu_>6H4^^7@)vY+ zEGhZFBri=J^}o@W7StZ#`GF zQr4Fyp>k0;yNU|Y+}m~;jO2+BakILTq8n(seCvY<@=i)@*bXc7<7Qpf99l8o6@{ zBnPIXI!O@vljh^Mzo!3I4Ulg-RDfTu-AG8MbFWmEMlD@EM;&*kcB}pHaxwDNF_2stpee2Qz{jR!eLDjFS*u5w1GLU-fQ) zdp0-u&WYv3(mQVe!7 z%Dtnr8bLHkrsS0$t3pGrxD8FvlrG|?pMr#I`KOpm>ot1!@@!rsl_?9k)nWDu#4r*A z3$-|{fd-nuY|554VwX8jAy6FA)bAcg(kZ<3wb32KK<9kt-f__fPq~j@1?{2Oftk7W zhOQw%B1{_tdRz|d%J3MSv8DOcJ!6@ProW=Gabja*yjcbLic{%VFldWHGC?T-=Fd;Cw*mV@=>zx zsNmI-ykbA+BaQbmL3z?YaX}1;T%OvjUp^pK-#2hgup7}W$$!8T_v80C40<9@ z0#?94fH|r$Ada*ehf?L+$#f^z2`sLwVxLuO` zfbL|x!&!&D^Zm`bQyYii(`FJk_y=blvtd!>TZXX+xR8>Xujktc6?fF4MB!ygY&e;B z+z}EKt=0h{3pv~SPe@r>Xro3jT#KgJB6%o@*o0knX!C9`3l z@LnXGl9u+Y(={GZZw2g@@!Sf&Jw4Nb>iG1 zO6J9~E@co`O_t3&q^5Jh<#kyQ4J(G-53?vC#3E$TX=0h>dU}L&6R`IvW1D1fYy*@R zk$+0ig7z*4Zif(*Iqyqlg~4|KLx1;&DGTNS<}XqtL)bZ8IM3yf@ygpaVB!bwSvL({ zW|xc5NA>Ojb2oJ>yziIY?O;1`Jj*!7(^YnustV_c$_bL%D;N`7MfGb(d4f4;a&uLUSH!V8nzq(WjW$)% zjA3|%Ih+vqw5ahzi5G!&_$a>t+II&K zg_;6lxbZd*>EBb2dspxO!$?vAHBalRe#M1BAG*OwV-if!#ZCx2n0viJb# zf8wNn$I|@uH#>Q}D+ETYYM?T4T@k$f%NF--75e8a^gnUs8^pqWOu1?vkZa_0_OTSS zhKt|4!Oq1K{oxgHlJtnVDBvUM)_8T3)_U25JAN;us>Nptb@SVFkg&sMg4V4qiS7)Ol=Ykn=kb$U^3Jzs>Fw_NvtzbIto!)6z7*xjI&K znfGq~UJw83Q7||^X@9Op?`d0+rxOv~8QQ++)djLw(p}F7#S~r&QAT;J^n@@RfqaKi zV*g$WqPAlo7E^EP5ba*K$n!IzQ#yn+Tr4Ov+5_l)0&aHal>iBHOKuseFxt`s>L2DJ z{2ZI3Fj0z%f+_HZ$4X&uk&}`;P~XckvBlh`?uy3N?i(>mF_?Ot)hWGZJKyxanAq#& zILzb-7}*M9e&Shi7hc1NS^Y)4!beu?LV67fQLy`b=DQk<`8Kp&Gr)q_WaD@E{i#l> z=>k&B@?)Xj8RG}1l?+ow9t9d5Mx>n_p%*87E%yFxXZoOItW57)({Hrn(SVf0Vkxr1 z7O%D5Fll{2W!wSrrODqq9!m&HVi$ylM?(m0fVi!wdz)M$!~RPbEDGye%I^-N)@U~1 z2^ZPP=LI>up0$!ktOG?7da=)#SP6ShOAq`$PwodS(r5ZuAH*+@6*$T>q5St0?tjbN zSSzHO+bj49t=G_^*8TLr^1mzwAJw9NGBrtE9Z(x4qRoo5a5(1 zn3OX8D)>P1Qd4J;?sUmp5;6|j13zr3-{b4a`@S-zySg;#z{K3OY%5~Oo18a9w%dBa z>OubQr5tQ(HS4J=Eeud^Wm;yc1UCKLJYc#QDu+%q-8FG8BY7~QW?D$G(w+jEYA&m@^iN?dRIkr!m{7h@97c7jOhDWi(OXROKKzrWegY zv+O4K^yYB;OA3JK_vJ3|gRXwr8k%*Ql&ucVkId0IJIsD<7>aDW{vz2#fOE0U7Mm4b z*?sUhjPG~*y1XLfAaC!TU~K)#V^Pn7&wb8D?Wv_Zte0MLhndj3|mNAe@^DCqw1ev_Y*l{5y0a2Q z0!J+!bxomRyC2?qjuh3C4)kt*V_`~Z3|V)T!PWr81#T8u>_&U{T2Ca?j$87VGI z--+>ax+nJcr?anO;?OOqeard*jI2&8icUc}waf7c$VZpxZ#I**W1X6@%Km^J18-qvA2;L{_$vT(S_UZ38)V$q}7S0Y&HuyT= zxQ0+%AO4TMgvk$Pw(2iC247BLO0kda$;OKg(a-W8w>h&Cbt(s}h|!%c;kR4zJaBA_ zOnHuykNth3XK()(zC-Z=jQ)}FWIj{@)rM#6_x2waA7U1As60kHA8`mVDz6?r8f?JF-em0ZCko>hHe8>budmcEunf_oFl z=7!vl1@WeZq%88c<)e>1zvq>|a5f(-V;4Ckbi$UB2jVaa3n{5hcX&F2`Jom(cS=|) zt`c)~7E%R$Vot=~6Gg%?KH>;y{AnbKtrdp4^oPAHkbD^Lk8t4~DRX#@e*t4$Z_9z> z+=ist8V{AAQHuQSncoQ&Nfo9U$6+YSH`U$UvB+!R@)i=YmdX~MO22gP(l?iJyg-!0 zW)wSQwC-vQ$1CQ*H0CtJ;;5&{*7v13Li}Ti>T^QL9jc?Pp3zT_tiMX?(h%X=TrL(p z^|!>N2Yb=2tKvvb zE+_H-Sy=Kv;34WZxV|Q8B5w<3SQeEJf0%0u=2x)i^A=P=J8(F~FYS3gC*(KEuVB{< zDwT8fMW(rV(xY91P>El#M4M}ZU&2jNH-uX5SX;NzJjij?iYPj!#(7ezO#JMgvG$Bs zW6Y;*I^krMx~qI&>2i%Z+Qu4%8dP)7gdP91gwor1NNYa@L znUZVccwsG@ZgM--7C)F_;2pI1WsW~Dd6L-d>0Ri(7lIN?iv}U?^Cm$G5X1?=hA@(xHB;j&oj2hPwSgoMqic-j|2AamKm%#jp4-4KHA3^$5&Qc~FoZVG zb~#G>GprKhodnn2<&@7Ln&Lt4O`d+wlH+%(Vl30o;M7nafWJyWFR1E$gt~){`V2uN z?GkEBSJA9yF!h0ufz4ZU7E6Ed$W64@^KkfW<59Wb+WNymRtjoXYOi(^BPS+lxBJ5{ z5t@kbk54i|y=xA`agyUq1KAYhUaR^%b_}w~-I}=h^X6jy4C>8l%S353N6bxT;u=`n zJK~dsCPO&2URrtXZ-eCJn}V@gud%qcKlGG#{9Yu^6*uP-o3muUqNQLfE6Xy|03XA& zJsfvf|AHa3(-W7CZWW^@N)LKBk?zy5eXQRe>}Z%@%gup%JE9fKS&v6DUoSL4asaQD zNQti!BcfVIBtqJDi&!fLh&-lzbI>ffmKarN)AAlDF+M8pr-*PvZdZT4Xrg$sm}BUQ z-0n3=)4g(x*cU-<0r?$R;5c#2QnZepaOAzvUo&DWpeE&lFWQoYod@0(EZ0I+HLB-j z$x_C2r;b26@UbOt)Pz^Q6xTjMyiqA&e}{4Ia0Um&4QQ z1u;qP8el(ZKV1g&10)OY`B<#>e$|$Y`@{R89n=NU1g?aabb-WEOL8JMa+QCnlI)O4bxIOb=Fm4zM%uchX;=jd?eC8eq&41&h@dTqgdH)cBu1 z!ZcC2RaLJkOTK#{OXHGilS|$B&Yh7EP#v0!DF!@L5`&tHPC2Q-_@@~2!~ukDF-+>)CR z6tJYX|9W^+C=q>bfNzBknVS4^U(7Oolb62X-PP;%4&B7Rsfr1wuy zTjr-+IG$CS`(+thsx(v3&)x2T7zr4Yj3zrin(zbCek(%1)MtfOh-#PPJSA~$`7(SN z

        $)do$*p*=JbJN7&->PxF$Sb)=}Q~GXarN3<APqc{b*LNtz@{DwAv6Pq zyyCj#1ob4G!A2eh&fUI-jK(Y^F|fdGepmk}Cl6`a5WHD05%AjJ+$mKiceIXHAUM|$ z^gdxz^tOvu-T79NHFFk?aAE2wVRwc%MmkA5`!g~~TRcd>aJojT-)f$80yy-O-hd{< zFxW~3(u_B(;eG>p>U zs6d4PCLhjUZ2oLCL;&Pl27FR^-pu zA}Hw$|M_DTJ%BuuEtEyo8v#vu5SbBwmJ1Wav0sd^ZNTVYpbW`oloIN=z>x`!k=O1) zXO3b?1(2Fcj?M{gQY7CKRXLbr+fN-;&mVj;kGeJ#6Ml0@)>8b&Ik}j|p;o_9+Ck5f z?g-7f#FZ;TErd>o`oaNJUAA^FTAIwED1ie1p1% z(V)v)2pJS4_!jRCTPzseS&SvU79#ZTlVKE(M)YPNt~SCc{?s+l(b_0@MNVjuPpuvJ z)aCc67)L4wPT1PU;YM>0fR`H8v@!TT9uCZE|?OMaW^3c-V!^l&ia6eHz;vFDq8n;{J>#b^-ALcL0A0Cabg5?Ea(R zOHpJ0hNX>|1tGIIV^&lidJ1^K8F+g6mgccXMIkBM8)4#zq-nt}Fco6Pw;PGp zh+5+6&Fby!!#HQNch)s3pR3urecOc>=dDkDe6^q_s{G~m<1btrslg=dBNACA*Suf2 zJ4XGI>>J=>2~3UudYI`TcTz(bGkFqUub0i6Afxw(Ba2Lf%Ic`6$iC`r!abI>%V1kIgS_tf%Vh;Xqw9!8ae}{1`mIwVe zG7`NRR@--aPm>31!Q_^3klv~z$vVT3D*m0kCf~F3Q5JF=_sSE3t7~t+&IFUhd(SUwuN8&=R385}aL-LRf#A~L zn-W7b%Kl=~0|t8PtxX>#ofhs;X`y~}-?_Vj;!Zz~32y05=D4SZaq7F+vl1x`5QnR? z59VeK#-73|_@xO%nVh95=gA(kNurTvFL^(2=bsX_{j!+%Q6?M@F}&j#bqfYK3Al}y z?%?bKDU}k0BbJMd-4&cUPiKrS@&&a`as7@*p6?NeTZUh3ME}NVzql{Ts7cB0Efcn! z7NMpQ#xW2Gq0`18mYvAHv{&z^aGRX%^&^4k)LQ2<=RT>jx`et-`&wmDmJRAN2{vZq z%DEG{GG2#ozsc^Z>^J}9_)jf>tPa-x-~mui!#&Fl1_+Y-_u8R}EN8Dch^r0qE1t3b z26O7PVWU4I4`JUFoy97l+|*k=1SU7K(b`kG4BhF=H=5SjC7uX9|6%&Zjy0uthQ-Wo z{@KOg_LA9%LLqoNfYG@Cgx*Ec-0)G@Q}_OiO-mKzG{G>t@t!MDymRcMwLRctyC~~P z1865gdQLi{zZ;i4z*0t-ol662y_J|c2cH=TpkM!aEgM3yj*-!(Htdb)gfJ+)c4NZ*SlF%HB4; zo9uV<8Fuq3FzxpxF9-R1s=|?y+?f%BoAN8k*BXcVX&&aLJfh0P1 z&OZ)N%0rgvT^tc#dc%t+8JP-Y%kB8-H%jRO_O0m@=?W%RIOm}eHHGT$1xo3SKQ2Ww zV1!Bw)R28w4049;WrABIE zmTT$f9Vm;LSM_cdLRml}fC_P|0amAkQy~IOB)_S6H1_?8MR=g9&?rifsBQS|9p84i zexLIFN+~Hb3Q0D<{aE`-#$o&T;>aw)w`E}t{rK~qG%H>9;#-KuNm&_UBZ)|ko(p58+WznryvG` zb>S&}nV;e~4A^vTS-#4}w=40qdOZS*5>|WRycE-N#EcmZHjz?f}J+ z_Wn})U3VHEKd|D$8N3*?CLaGvgFqr50y61xWq!X~0zH9pbRT)IkA>hm>yB}#<+$_m zW>-8g|Ml|_d2%>9(z341*!4>1&Aq(_zsx_2o1cT{fo)` zLK3$SJG|V;-p|VkFK|P{S(39gXcAj^iuIrKA7J4qm-l!deiLlZ`*OB9k|W%wtH{cs zmpT{YZpWV7i6g~;^YPB#r?GRWraZLj(uzU&nsO4SO`IQ)LPaD4m;G$C(J-n7LWmF+ z|4(mU8rD?Ot*dR@w$kl{5*vj$BPv8hMP!JrA_58mDl$ez8zqLcOaU@%Cu|iVA_^)) zR6s<8G%`enB#J;l#K;&VLX-dzLI@#bPWHaL&vVY7d(YSS>(&o=pdh=dcGX(%de=~0 zz{r05(c`Ya{-!%82-cQ)l(u}HNf-TA^Td4xX75d3#xF-=RzIEnDDmg2KL%cw2cIm9 zJ95v|`2F0|f|(r`ikMT92w{H2&n=NVxS_E(eB_s-LZv4V9h8$&+(A*yD&4;O z(;t62iZdJryH3;pW-jwz%M2Rr|cGkM?O_9i`H)-N2LCfLCMnyFQdJMC)vL zrX4=|uvTC$Z)k>r*OU<&-r_bDmVbAr6mcrU@^z@sBewzn+TL-*98j<*Z+PLKr)FKB>d`}+9Y`{LkOiGh6?DaB z0WSkdTerhXGl{(k8p}KrRgo?CvN6NY$Z`j|n_8;)`Ew`sKYC^~RNHT!`J<@YGrm2; z$Ulje*6QNA^o5Dz7TOlWhHtjok9%C1(mk}*ymy$B8~f+W8$J$%UV=+Zp&OTI%+@b` zPWf{s`AB}k&zR6Y1X@!J6M#|q_H9+23xYTOGk36EpN13`(AAH-G=c`6*5R(;=6A|I zJ17A5p)7_IM9?8$I`Fq>lyBIdNlV9ESo6Mp^KHNmmQjaYg$1vzChbc~wEhES_*-aX z6ZZ`w%2+sOSkB%=84~MV$%m8B!?fxx??ut)z?y`slJnrv>xApzFBzv{CQB5tF29qv z+xFrScmF7(-_48}rUxx!4xY6<^UM(Ul)fH$e|?7A*dUclJeZghj$E2Q@9}yu&S$Yyz=J*-sN+=T}pH#DRty8Ivtp*C;{M5UTWgo z+70L=bc$kG+Sxlv?&#X{T<7!4LytO>ztts^k})os84dV`|3qs1-~Mo*Sk|#_a)gM{ zubU{$IEf5D)7_q<-?=^#wjJU6SleAv1ubzMKfqz*(hC!B?r&pkk~IiohN4%|%!aiV zqg3reG!W{!OOr(E!X%Rxy@sP}`V`hPi3&{O0GzTi^V{>D`LDlf%Ub^S5X{8?=ykdJ z1$T;sIf0#1YwqhkYK^!2T&7+LPR*KeaQ5TCm6HsPa`m8m9VH!m0J>atF-7*L_dfJ_ zy5Um>AH5MH{J7xy%VlWJZ^AH=4P`iq{2PGC;p~iUfH!9_4hj35r0;;a037!(yf%fC zJ;+!`DFT(UKtX>sQd(MvOFgb9ya%$ptPInFVtTkw-*`zRL9Q0wO}<4Pq%2Qi(_NA8$X4RFyu;u zE!o^+IgA@+7$bed_s$(7*MBt?!ZW99j!<^ZWG^6HRc7m71}DL(ENw`Bhx9qDKvxTe zx$OD?fYAHMv<&}F8u?kX9a zAD3W)BCv#~x2$s1Wf;#n-}rv*o?eTC4fl%J^L0MbK_Iv&ps?jFTWkzczN3JAx z+L7)E62+@=<@WDm)9CrUT7>eH-+f|n-mi?*~E$O$CEzhiI*l}HA zO%&B!*zMAKFY7aQq67I60Uk%d#Xoqe)Sqy_ErR;yjw&L`eE%CJB) zzn~v~OM9|in;U))iD;xIDmPvXi6(-YhS%0 zv;w!-L-YnJ%%I397=1?bU*G38#8bXxd<36pMx!wL_ysg_fWG}p8Mj33D-7Xpmg&q$ zl{aJyl9i@XYv(~TLV1#G&`c&ul*K0N^3}df=WWnb>jmyGW{01UjP-Nqx|82q{H+o1 zccoZqSG6oHTXM1R;vaB5BahvmR(ZLc3O&gq={ki92oh3~b)U>%a zhFoBDS#o@Z_OEwNb);3L6UTpf$4m6BvmFxS{ndx=BQ%R?Lg{kK)Rp)knq2sCK)$O5 ze+vkvjc}edP?6_hOtiodIzF;jguL(Un2HqMK;BwMnQu5{{)d9_=KGoN;k|ItxI=|J z#G5d7&?BtVf6cHw{93k z+(24c*RErwlrG?DWj8neF;rh#Ie_k6gqCJZ(n+nxCXtCB?O+qmm9qanWF|wk0&wOf zw~nVlqgY$NJ7)7T#`+@ta#`7gB7U$4zx3}0_4fHGI0V{_-GmzO(il?UOk>^>{qKz- zTSOzv)}Wge^Om<|eL(ZqpXVZk_=Z9_%76+xb@T5EtH1WLv`HEyf#q5 zBNt81qh<_Yp{6jTb>ne;^_J!W08UBYa|W=!c@=jiQh$5N!2xFl@H4c*viZ(9F))(rcN>7mVv_|2xCJ)1RC-WD&@DqVWT5ed&9 z9_+EU_PlJe{qN!(N0CR8CaX+>;7AO@V=2u4uNT;+RH(n~89tt&_TK(nMu=qAjl<9> z+&|?gLS6#Pz`q93aPkjcMrdVEcI{lCQ=3Bmn!xW(GROoHHFHHA&L#axSN-lxjEQ<( zJ@ENU2JBDCs=XG};a9%d=7qRyoim3YYCY9awT5O$AMgWxKzrAJ9vm8SN*}1O;B@#v z6%D*!KcCLETRN_oac$1f{J6HYzX$Al?lX4LyK7lmpU-}!!YSz(_37-Vd*GXcA7BnP zynXV%y#!k>-m)}DJ9GG^_hgKB1zc6J$9YmA+;XC9%apz5e3U8Wjib4t%cU`qt`XHG z!F%pe>j|_MFwMUGeFq*#$i*yK>Ve|M__vG>X4L=Uo8Tpg%yjkUP8rZ?Y@O z`b;o{s@(Zw?h=w+iZFcPmmBV>Zv9)IFCpO2#{ma#*T_3YPv?qag1-6pZu{#n|6J-w z9UNW9+B;F8@1CnT&rqyp6x@8zqe=vyRqx;S6G1|4dL5n={9 z!Uj1S{1EJVt5BDMo^_b#=W~IB@46>SIlc(jUL`j z%U{TLE}&L8h5`yRjfaNHn<}dp>4e%B+o3}s=dqJYK!^B7R?z34rA?U7GF|p~4@WKBo(!j)?=kber5R`!4Tc>Y z$NI>XN&6ilWaSuvEN!+ZXqXRp<$R;!YS8Jv5uRcxZ79 zqV{3!5r8u&u40|{4UQS8yv{YxbUU_g@H%H(YS7Bf0fsYQ_mouN?hu=zV4yIw*9DHq z$$cB)oCl08*F0Qf#<1R+e2HaL8G2S0I==0x360E2ydFEBAXDr$(>-Y;+~Agu!>n}A zD*dh2IV0|q^yu$A2jD%SsAwex%(;sBn+C&SjrA~)jH5JCocZ@Y{?txD&}@Dg2)#ik zd-KofEo*r;-$>E{TSPIed$42L91UvcBk<^9#v|xqm*>JSt+5SnkDl;LoUvfHd|7~7 z#B)Z%f`e(cM8t;~f0SArOoVHH%;x_cH!$ZJX5z|37H$=#yyu?a&HwNt+yOmaow zlBgduWZ!gU6QL`#1+uh49tjRHhpMj!YA`q9)4t#f10G)=92tyVQKNo!0%U!sYm+4B zzT=6LzN8Tk=yzV^?nuRWHX(mNKhCxrLjI*5xw2yXDQCxM#<9AZU>WT$SGR1A73}5~ zzRDP;Ny6mpN5UUWHGZr5=l31AaOElU@8O{;AnJQclu=gT%1$j$&m6X7j(dGGP!Z}snW-9xG;MzT$b`2Fu6IIG!gUo+v=_h zBG~;f=s$?nZ);u35W=?=ZMAn!iNEbwulX>^Ni-K)&~R{&!eWeW14h`#@q>NQ6cRUS z!TCw*tnZDBX+?X%S^m(SkKI64I{k-IvJ6?ryFV3Qw;w94r^-~3hlW2+Q2+cj{@507 zv&#rDZus&C&e4*rzd$eUTmH7JDf$DF<`Nm!#fG+VY0R;ZW~OHdB_Ft zfZC7&?2CdS#&^%0ZK4@jq1NoCd@=@BBu&Qf9M3eUqvA4#{5TnVmg5TkaW}+w4`4~A zFfI<%h>j~8=oiXi_eRYClJ0V3&WSa34wt~98TZZ5fp$?XBy)0*B^(e|uOfHMF{EW=BCDda{-pOxk*nj{9bjNZHH$unN3Y1@5=I z`UJVOOO`!~Sq+Du3O-+_NkhRAyUFG}&`qAFp~;HIZvqxwnC$&fzG;CC`skeQ1VY0< ztguhA+s4;BFF3wspz?qDow?J~*&>nr_k$u&O5xojUF#TjKR&&@OxF_An8)gJ$xF&I zinWI-jXYR}5;;$5N_SqRYue*_FhVNwsd~|mPpNs7 zWy_FVZ0(DRzZId?FeglqjnKmWfcG!)1o-BboQ`bB*M{ohoVW#L-I#yPE`cEBc&wX$ zPH^3yb430+HdE?!NAY&swg)RmcM8J%{8N@iE<11^?Kji;zZ)o+;+9IB6bpQ(3e_RK zboR1jC{;_vvN&;rDxu$$(9ax@(l`Q&IY31NE&hDDG=s}#`w><|$aHe4jYuOUtI!XD zc#2lTP~dHrfoy-k4--!A1NSo0*8vJ0~UqaGL|<>xaO>vB=(B0>Yi8c zFci>-Jst?pWX4l_(3o2i9(qc{_@4*{dT0$~v-;Q@KW9ydJfZNi(uW z`C98S)3M zgq&#_^oyX|RsBiYrpCmKg*kaiMMN}Z`A8Vrw_HsAwNWbJ>Ge!==yS5bFnHnN93dJ@ z(sx+(iI{Texmb=j@4{467Y7;w#q4w$)f}Vi(!|b=yOZwPrlj7*37DM$n6ig$lAl}% zIp>`(q|w%m;etzP{Hjx(#ufECp!!JN@W2S-wWU^m`dv~(Az#&`0$s4{{uFSUq^JZ9 zlaXCvU{*m+LfTI{ct#JQCYeAUrFZ2(O)431jfTL&70>>y>1ksbXQ2>*K`_9DM~{(7 z`bN2STF{w8{{RV2=nYaoQic%dl5haLehu_gCa96Kuy&>^FProIk7{}c?!mrWALiRS0Sf6#+{%b9+v{&SN zo)%+2OfO}sm@8euPO~{czdXujLocgRU^7YnMZ&IUf#gqqXb_AU)jCeYq68ZSlk?;5 z=xakpCYOf+;}OC4=hRjj(v3|m!bU2YD8}w7d14K@_8XI%r5oK^7d% z>?}R1*Yj`vXI)OGJs3nX_Xx={m-Pv(C`y{qa~0V-0j(;O5%;tB$YemOMrz_6BV^h1 zNmuy-S zrF)B&kwvkwy+yf7Hn{U#&EI8ori*s5Aw}7IvzKxq4^!=2%RUvT%%)hsUxQAj=#~40 zT;&>pK*5e56sfy3L=O8bq*jU0D)gjIhJMQqoAwO~nrU-%wLE$?UVl@n)XSF&*tl&J zs82^vAnNmH@gKyZ)O@y1UO|1kYJD@ldI5RMc0`=AK+-Oz>5xPBQ%w>p zdX@fJeY45l88wH+4-4022Ug?_CP40z1Oi6nLs4JMO0>8_MXZfEa!vo31r8g97zTnLwzTUbtXc zPpGbjCwxP~77F7xjcAjQM$qqC#*WpKqR(qPPUy=TIRb-1i0VZ{U|+6KiX)goSF}Zy z@l0$Vag@!9dMaFx$@F<=nKNs%8>{cj-J{g%EHx<_&XP&<%HkItx)!&s7=P)Tn*%Q( z_+&t@GMOH;dg!Y1baQAxx#xRIq>db6;G;dXn5i>p#9c%Dmx>7d|HJ}txXt6S9VdWu z!Mh{uJhTY*1=CxCh?EwJ^$sab5(%ItTV;6GDX8|*kziGatnR&0bB@&L78L+NECu2| zQR!r&*{$q#Tp$I_h5Gdlrs)4sG5_H^*hJf20z8v_0@w_2;H;jZ&Xq|u1~vJYVfC*> zmg+*Jeng~}tBHDpj3J;33>#Qnp<|3>Ql(XW_5sQWdiksIR`yq!posmvA_rR>HsaHw z=+~mia+1#BOAG@s_7xw^^y0Py+9o@!bN*DWA|7&rQ@?P`nL#^R*I0f;+%ZZWwl z_Kh;>(LR1Zw|RT@!aN{-N|1tLGPiUonW%+Knwx-3)gy4I&GsN`-VP4Djg2TkYLDDi zhz!0@Z4~HSMbIKBM<$%60bv3{Eb*z-rq34KrqatV;d7DfXh_Y(ph0;GaFg6YBQ#>l z0Z=q91=Tv0pBpPF7yu21Q?b-r*?ETyT@z|{0k}!}L}ezI7)|6Uc87Uqm)qM+ihd^o zQa6j>_4_^F4MjQPU!8UE&X?pV!)VbBO3K$w{Sumk0B5Lyt4{Q*2qS(t)Q`v!U6fQM zWT6U6Z>V~eC&pSZ-nbzc3 z=#%xio71UvsE|a-BPT`mRx-*>N`A~sZN)Ec;!ad_+?J5!oUr&bu z4ze356#J;D$Kyn(u@Fa$HE`hn1kdUt>AHf1}0(V}^2YRTRAX|*t&uB1#_&6j_w`xH~VHaOzK zH$I{fWNjJR7ev`Z1T^TJ|Xi+6y<_okmfs)i3lhyMUFyNyVJn zajVLp!{dx`eQO0)zuLeO32ecBc8s2(HK?UB zygj5+Yx?}u7$?fVffl&-x6Yu+NM@q~YB)SIkn~nvFbiO9rLd_a)di_KsoxH4#b2+h zrs%D2*C^CQMQ`6Z^d&a}(Pb5dPNh?vLC(@I6={JL=6YXUxc!9Y{Fm{o@tH*%l4wq2 z(q3X=1*>u2{k;5_9mZY~11vHlMFQXREiR+%j8&C9?0NKvq)sIsx+zU`nq(gMQ0ipR z2Zx+sN(HeveaJ;#BlHY@?XdRlE~RmxPv3(wZ?IIlpV{9)8Bv#tp?%?9LN`=832^&a z0Iy%B67W8-lmBX@5$Iz5YTPJ&2ZcetlkOl4E{3#j1a{h#eBQ*`bJ4^)xCD5`fW24V z#&f>cMH`!63A2qpKey(bHqZJNw9j4>^)jQIhvjvb4$Zw!u}-(I?1IamGN~o%DsB_d zR{eTEs~8Idhh(;@AOhac@f`FyF$@v@nUH`wtq6c@1O_$-E%?f{OA(CcV4}(T*!@CP zr4we3koQKWB50PhwaK_Y)D>|Av!g1y%ku0Le!*6}LGs|6eTR6@Ko9g5^vfAucSx&i z25P|cYdPD%jYT#h#~b6m0pk>r+XJK0`oZ{-@jDqtAB^#%l{yDh7UeOsTne4Dy6F(3 ztCj%0#|nF8_}?@k$E7l6oJvp8`<_?*z#cBrK*2J4GSmy7d-E_UW;tYQU`{KZp(O$U zD920tWi_x)e=d}XU(@FZ0jFhbj`|rrKn(S!Ise6BcO5eLVGRhEXhsgyASh%9SHAVR*GbDg`4ixr+ySn@%ZY*T@PQ4~CUKjj)Yha+?@#e|ydCxaDIcI;#cPwx%Zlkp!=xdLv)0ue6uh_VSg?|$lA;A_aD(+4$ zUivs(I-(=Lq_e5XZA z_(i&j8!10Hd%X|Zne$AeYG0oOl?O*h@R3us6GwwhT8gZV`y00&VFqtlj^Q_`Qegv6 zGm=MRZ$j0n)Le7ORZX1UVvtZwks~$7$5Lhd>Mj&=3rK?I0k+^VXlhJb)BydONccdv ze4Vyd(EpKZVV?CT8vSYt&=DKfO7IVQ4n1F-wy%wiv<<8Xp2!!o%N>N-v7`#NSAfMM zM6IehX&(hWX&{5?ZD7>_aWbpgK-X0DpzB~%;RF_Qrq=+WhR+a_GA>^PYEooSO&eWO zAzLs?9e$P{pnq0aeGH1e<6Hu|vp00WTu0i@uVvk7ta#5qi%MSH3Ey-#jo%%>4d%D^ z9>T4DrT##DWp&5XJJmn5?wG2JrCPmHBlUR)<hgNmbIAa6bk zbmU0m>glFD+UKnxk<8E$gz8`@vPDMkEoA@Jg{h)|jEu^-y-#aBLPXrjlm(rbihj0Th(6RLW>yZH7X9GMQHe=v zFd7`2Yd^)uLkNM0kVJ3klaAG30BPWn1mcJ@PhI?pU2avvmtz7QQ0rASzd@JKrfjN^ zU6Kq@aO5d)LXG|+*ad>>Y0Nhv6oVtrgm)E@Ng z-W%)$U8(ta)GhMRJsS8M;T4f!=)zmUHb9N^qNx7Io+D=(!|?ngCo7wMdv#kipD`qn zb2>SfTD4Tzdd2{Mlnb?M`r&QOLA&r> z8=(-WfBJO?76^3CEvN+e-hi3xZ>2Inr#O9?$@3z>R2w|Azfa+(9eR+Gsn@?cUUFy! zO`V|!dqJGf`SrJHNuQls)Fe$*;bN;&{JEzVT^oP5q|u^3siixJBk zMd#RqsZf)eD{~kw;pPej3?@evtFm1I_#uXtU%U4#)aTY2I@nC8&wLUQUd;eUQJ)Q- z?Si-;i)~*S9$R#*Ev80OxL7dXGJI{;ti=f*7;YkqHZC17`iYUS!v+$nK^5_0-P2-B{`S& zUVYDBQ`vkt@XT;wcfxo?@~h1|yxgTiaGhnpMX^!%ogEB9Ihq01?he=KeXs`J(MR2J zhY|vt9k#PDhs)SlN!0JXpVa|H_^7~;HFnc9g#+ptHqOmm-H?0xZ zfdG{GJYk4HH=Y7rF<_^KM;yqWazlw6;(D30om^%Hb)$ae2zsq4nDZ((g_m>eULoqt zu82vUG2`gw(&n_${JW8pWz-n|B`wZ5hiwY`-qhMv@rzBu+`7{GSjbDuxh|krd!fSC zZPIGFg!ucRzT!A?ta4`)bg!Fu_8D7nIT>@8^!UPZDOMmP zR>Jm~s8WKS24j=-C^SFVA z5i};`%0suF(+~YQr}n^+@SM)|5A#T#rTCg}4PP2w9&GC2>EeH|HYOdm>6Oawu)5*O z+0U1w`@PyI5i~mrKcph$u$CNaILqGLy@`eLL=GX7(c}@Vfo?wCt_8z%*4uP*g#N+kj%@0|&eFfdt^b0Gp)CHYL&w4bmmAA@Y=35GU!P_S$#b!=REk~-c!vlgR#pSdn4Lj z9gOx0uV|LWg4UIO!Eh`c@7kf0af?2wo*d;f!kLfa0 zqZtSz7AJusPD=kl_3>M*18!oMm9$?a!TPF=CL}^j)0s<+tX%aEk*#P(;;6uxpYXc~Us*c!M$Er@?f&UppcxkxiM=9Zfn}Luya{^rN{J>{ODnW9epLoO>w&p% zOSrkTQCwV9Ks5!58X4 zG?GskQeiKlMQRa@o^G3Rw;s#9ZKJtq&1qv`gVvwU?8&*F)8rC>H~ZAfi^=eL(%Yp= ze>12W2qd``ys_GVt&Q}q3U(`a!M#{1HG1nWPTbQQ^2`Low~r}93h*Qx>K1I_I|3!F>AZ{Y^t zq0}oR=cD^1C{(aTyz;jV z)A7+9FG0wz@h~CaV@Nh=jKtIcd6J;N3=_G~{CC}n{anA4Kzr+?b};Hm$e zD1&=}L`-xh)UVC3W9jTCu*G&=(7|yBT}tS7Wq(wq;^B6 z$w(f|^~a2~51r7hZKl3)Dzy5dCUxNf6w4Z62{?07|fRx zoCS-zXDx#YoH_HbXL}@(V`?_}Ke6Al^0fY0Hl7_}~~dS#o76jfGEntEkYF6UY=&IeV?LL}J1W#Y9k*tdV3KggNpoj*R{ded&=>Sh_ zI|^KLj;H+BdO78E_U%($pbz;3k8b3*G*)blE!^EI>E|Y`L9K4RK@7wx8|BU#Un}QG_!$VvvKc(74?ovG9M@+ldsBnPHk#23Ky= z-L6s^e|G53@0hKFVN7Z(#$OWx*D$#!sHC6`uXTfWeV(=rMi^~GWJmkQ#S|D`{ylIi z&1kD`W3j(s9~yOCNp@u(0&tM8j*nnA2+pC0o}R6l-k3lND8>9eg+45@q4g~VGSj?* z*@h-t;oK1GX8vgtw+gFesB2NyO=qPp`LDKgs%xt}f^C^6S}ZhS#YSj6^Z*VQh*)Y0 zE`j4F(j)~v#{vQP;yioK*Hr}0%xRPe5+bO5`Q3;YpV(s)Wuy4%euq_#rSq>?XOdQk7wZ*Xi=R zwWiRr9p8bF53{S;0l*nUO9!cDP`uU5ZWZl*Ves|vz};om;=F{?`Udxy;t#8osK@`#rYjvPHSGF9XZVEd7xEGwPpM%@;j8<=dBYi9p&OWnTLCKR0W?40Yb7qT z2H6GZmD&t~?h{fo&>0XkeSV!~P#LXO~ER$mtc?72=+JnP&2EH;^Tb z9SnmZ;vSZ7cySpb&bqRaS(z9=d090;&j{~%-Xhr~s>FK->WeemwSTgGu~C|rcYVu` zQl{g-;e!vbF}(MsNR4HoLQK2TB92D|n-n7=WR>s|n$s*8zm17izNUSIe5U8L5KXP- zkwe&`?Kkw#J3ZFDD7t`!<3bbSoui8$F<*@OghbM?n#(RW_sOmui1UKJ0dc(8&en)-&g@z zS09;5U|U)ro_@gWZh8zeKD~+V_0`dMBy!P2VqWl0(#hMsF3*BC#tDuLR3>@d8&tCH zZ#GmU`G;JLWV^NBnpRvwX{0^>Na#UgJz_S7bSluh=Fx$SBp=H&;nITh%XQj4cOUf8 zI(iY9&H!M$)@u53Vn&F8FcjqVzpu6N6 z^7+i#1=Fu7ksMNMP9|#>d{NkiT==@Fv=zbf1s-Gh@}mRHUwU^$wN0-9?^IHi~P{Z!cnM*0cxIc*2{B<~&YR?L+yyxQyJB}F{K2IzApsSym zD&U-sDU4x~#SFN)xp?j?*>mFZ F{{d&g+;ac` literal 800938 zcmeFYc_38p`#($yrBW%97*e4yp$KE9QfMVAWSO#rY}rkgqok3&h-8_Rl87vkbyW6k zY-KmHjeVH0jhQ*;cSi5`=lgk{=da)2&)03{+;h&k?=$y(U-xxguh(_WGlOfoJGLFz z#>K_8reG3r!Xi)JJ7E+QPYF6>5MDo@_Y45Du;J%-4(Ry)SaEPj7=qRLi_gZe6u4Na-q7MbG7e27pX}+1s#%OY-`z zjIHC3%|it@1*vUK&qr~E8rCQ2x5OS>ydUaibK*>BR@`arkfgZNS3`1_7}Yfoqyjf_ znWm5uY`NaF@4(%vl;oLiyIWLs@zCDOk}JVIGHO2gyGBZO^`AkUK5CIky2d;!GwS-< zA^5d_V6Eh>@eaE&t~~SCKM5cZKMI(+L|NV0?%30%Vk@Q8n0$9I)kc4(k(E~{Mz7=0 zA*tWITs1X6(7=&<_l}(#xe0!ZJkuI-iswpbUA>1Dj_n^2gV@EJCsjT5A~|#+knqFP zEvAF-x1fR$WpPCEcks7MhXo_%R@J4F4yv4(Z}AjO=p7n&oVyZoS`wSQi#w0EdN*yh=Sv_V?(r3u>Y(T=yWcg}Y_dw!+cTTnQFp1+ z_N)>c)btqVDY2GOt|<=<^go4EQ9OV1`0TSFvIwSm%Z%{F(~CSBhZx@$9+^LR8+7L8 z{Ats}&!TTGeoH+`!svJ*U1VCGO|RCmFQ|XNG_-x>G%j$qs)B)g;Qnc8@sNY%jpSq3 z%2DBn1MkE5$O1pOMK*H@8&t*f9u1b4bea1^eQf+GRkDgtIfnauRT@F`n{-~T?xyIx zH(ac(&-v^5sC4SgzDNG`fcTGN>Wh*Y8X7@MAo~3!Ro`uHiu^q43%A=d4vR)ea-$wa ztRZ$U-W94k=zhm&1@a3FVz)k!6dEGQ^6J>M^P!$Ss^+rdR|>Tc7aK-@6Oq^%9r#6k z)M>z4GMWlL$#|mrL;A;#bDDoz54)u~>BU)})$9_S&eiXWUjF|1&4=Uj(SF)qA0t%U zc!q<@s@zV0Lmuqimp=f0dwKKjj&{(D7lTR*#DocLdB6SL+I6R=Lz#Co{%CxBo4p*p ze7)wis)_6T9a7t33FZctpLADSEAK)N_v}IMJ!L_s?k)#~h}RwXB0T$Xk6`OJnE(}+ zJB6<*ee=^=+tlgohGWO&d_K8Nd#=BoZW6lMWK`{BfBZGptOsG}7X6}pukX?5H^l%1HZc%p}@)3?Hp+z-Gn zXQY~p-M-Pz1Yvh-_%oLtDVYyC-9fij?eOKs?BYLn_HZcA#XE;0&_b;qqOZ2ydyIR- z9~U%!XNN3bQq?VkE#ATGHxefw#SY7V+nf_5HmsPeB|f}ml9yU#xB09d|Bkzo>!Dk% zp7lt#@{28=-SqsyVcv`944-d5|5!FAvEDy@v+1)qX|tI7HVF6q>d(y2^u=h_Yo`n0 zBK^-P-4OqEHqzj@=ix>jb^HAX@Yl|$w8`0XmvUKz#izZTR4m-7^~~~|>zlbrfkHl> zR|jgVuPE_FM7rha$%|gDv*~fl-haI2Sl;dI-DrxViRSN+fa+(bdF=k|e87tzUi`*I zcucBI7#{cCXNf1&=Kc{}bYY1-(m8RsM+mhQ_2cw8-n+-rLJcnUTswXKG!Oax&L5hG zp4T6~Ej0M2?A7_^L#>jEQZAD7QmK+fyAeWudWT=28&b!vh86NrAp$;WBnuiU$P=tiEl6FrTZElk~`Pv*{Iy8dP#a*`F$`g z@zaH`A08Twel+dEbt&IhSl+%Yu^jpO_3Omf_}hiAO`LOXC-zx>rQa9)h5qE2)t~9{ z%cyJL^yObZ9|;D;ci>ZJ2+T<2c5eVB0cLg%H}tcLF7&!%ZO6MFo;Xkl%~xLfJBa(?gmoN`;F zFx4@(@N*&0*N{Ge!s7dcj=<)s{S(_2wX0r{dTLMqoNSYtHkn!Q%=f(H={-|8?KyLQ zrgZY?ESaeRanJ9?f9;;7nez9j*I4cXW%+pE5sD?z;y5A&S0z>ityd zsmk`^14a8+_KS*b5xW@qTQo&^TKV1qrl_50t}6Q8fWwayi%PqbvQ^bxXndCwYVMAI zX*9_&9sKb0gVcv@oeCd5e;~AEw~VxGYgu_UsFv}%pry0LI7uzZ$Ly6!#Mf62*R2{sk`;7vL?LnrTEruTH+rhgvD-2tjG>1nhOt|78V!N@cz}~w>y6K zi_mqwT@B&p`*4^>jr*6np4(e_-tfGz)cNYVl8SX}jk1+Y&3r_F2nA6rKkrh0wfs<} z`lHmC7X~Q{XeCKETPxvvE&-YClD^ULiMkG%G3@n=1ys-1p+E+)RMC%}UhlP;zy$R>{~v*TBy` z&KHZumTX2FI*%4#oO^$vV?{32==YVW_>hL8rrnIqIPKJ(tajJyJ+gs@sOHs%+|0)*6Ha%K6^J66Z$h9Nyk6`2Z zA3KcI)}6BlZ3;7OIy2z?Rb0H;H8ZR5ll-Xy z%kz~_K`;kXefowuzUyl4Ob#jA)m87lz2?D(-%8rE7Tb2$No&5ol5{L;TEfCR;-S;` zyrI!8b$-|M^gUCWPcy#Z4C#YLqt`4j;sK@0S9%iZcEPQw8g=SEtnyXH2Z2+^R7o|*SO z;`fXButAKira4qv?mYi&8n>XhI!IZqK`dcz1lRzmRk_8^0+JCirZO(zE4yz^VYa_w zXkf@v4qHoQ?yCxNcZ}UxH6zZ|_JZq9Re-ct`F)_rF7&>BKfVh1@kz^uP{M5>08PCs z8z#3XaILuTRBfB?G~x<<%e{-j-PZn&ufNJN$CaFU^3Z^oQ`GwF_#|F1GIJ#zQ?0eM zJ?@j@ok<4Ps3v$sF;i-w06;Qo6YZkTwQT)m=U?dq&} z*T&V#R?*k_0jD1>l&=O{b++}qE9vX(>>t95AO4h^`@IgLCdxp9l9qt+pls|J$V zuI{#ys){ERPaHyTla!Q1x!c^+Fg&mGPjmQ_)**XO&j%Vvq>qn}qK}HAtGgXiNnKqX zc|sYftgHavq2PgY@x1G+;Nl_ux08SSIdAJ>?e6fv)4|n6lGE>9D_1X1twV=65BksF z-|uPb>+nBMa`E_QSnvRmoGVBr#S_T?^bI#fan5QOIQZH+nVxrWhUW}^23kq=q$+Bo z!T;yd|2*=)nwtDiQ{_|2r~kX@e_i^2H@)d$>#ptU3_sKp{XYx#Pvif-_)kL=k~8-I znv1^^y>S+vY4kP}@;|GF-j?(u|0ukW2OZAq-++&>m~sAi)ZjPSzel*v>&o}!rSu3F z*BP#h=g;2o<({qZi*Pmd?lvCm98{T~N?a`G6YPmVl%N0dIPzJfbFJ#p)4L7}3GrRn z|6Eo!>J0BsgcSdU=R${$?Bo@dyQQ~@Tkf&%xjk=R4cF}-<$Ka|D^x0c@c z?x6(SX)l4Csh?s&0Y6O}du7dku3Rm+cWth_&u@;c<(T_*C3Da#I_m8%{zw1&|GzWv zzccWEF$2E4cKME-H97Cd|A-mNBlj4zcwlXAd+(AnMMMdn2Nt&-B&xZms_RxWy1l0?WEe)CP- z;)6#@s}F1{-t@@S$8D1tzWMNu;o%Tnbc#A^4_k^Elh(%$}jlQGBpH~s1beVqb4Z+MVXnmIJvn>`hLje9}7b4c~hk<>o~Fil`yiXL8@JY-zd;wOM+zQFUn#`OULN3A;H zb$KIz>Lt%2AHLafif9rsi~M$GUZk9%xArjdD1__J>rlILZ*{%y^% zY||6F#TNFEX7yM2EFK6ZVox4r@+ihILugKB_ClJpg|jO9D|X+{J5^mq6<~T1p5L`> z0^48B3jX~<&i{U)-v5g)L|5%2*cP$3KN35C=BIn`p#$sOx@YW8l9N@bK%(^KE^DVu zLW8pP^SToljD+}p_F>uKBg|k;F!pxGv2``1W6{fVexi@lGH>2G(Cl= z0eFG#6nW+*6w0+1ZemQyZN>gQJwRGKhu|*vZ-}p=vj(W#&WXJ0Q^HZxy?odxEy9KO6)EO> z_Ri6#BS)h+-T3jt-30w8#ZFXcS1@Y>4tv9AT|vrH}UbVEE7AD<pI`I47a_S(=}HQ)s=eSB z@q&sksT#CiGAp|D%(gTUL(u2!xhqwnxKfNuR5O#v2l#24!hgJ#1e2@o>7Hv)a>}P99<>+q>LqVU zgs-bHvtF9ag`eu%*Vs$mhnUM+dv)L1nc!9!SvpI7dU+_v#qYFPBj zP5&!j^NL8P`*bW;e9lgk&gPy@cnS}H)8?KY)P9|alv@3tAGr@+)kM!I^y6tox#b5e zaI=oDSsUZ-+cW#9NSYb^(%il_mT zGUU#5t&wGV+}0hi?nQVvotu}*bJMp4@-cmeUYjDXW9v!F@pIaVtY&SA`;Y>x#!xjn z<$b^$X7z=J(u@GyLw>+m3a(yzj<|&{um}>C@7l3^1U69Z@gIfgfl`=mv!dv76+s-V zR)(ucv!ur%rD>HmoCoajvKm5;Q64s}JolN960`+`53VJ$O}`kZbtS;oOV{k}wPt1r z%iOgWO>0GsrNM1^Fa;O^;pwOAFW9)#bEHz0M%djLklnQ3OuUHK$1yZ9$loLBTC#@g zkNzAZ>G!P<4QF&#Y|N)$05YnSKf<7W+gt4^a@dxV74l)8>(!8zFdZdhrn`Oth+Bz zzYmc2-3wS8)ZGUN13us+>ldSdo&oNm_A<)oJ{0PasLlAfp-JY?u&b2ZeFE;2+tOQ; zH~NI&J_nr_FwN529_{*eZ}Z8B{aPu<4|#q%aADdWla=aS?;Xi2XM>)qGz7>&27@8N}V z;?X$!$&XYs<~@YZCF?7=z8N9c|>J{!}Dj%#Po(qWHbFjHr&#IFW>t{mG~P)Vg&Icv$#T z;5(l_?I+gay3f7Aw=P*KQ&^_!@8_^a64B&#&@Pl?5Ne1)+TiLntRd?Y7PH7tf$#!$?8S3EU%0fjVie`-y>NQU{jFQ+-?Ko_W`K<{cDpU9nrnjGP)x zU|X;>G^7>(Dm|+U;V|sul!Zu+XI|Y?d$BgQcJMd? z-ZK5ao%U%~FRUdg53ent{*?54K1ql5f}9{^d?J z28`qsG}<;?{0%H3IGSNG?8$n!=C~MJL&&6{t=R%eBH=oaXE$EeJd zJ7o2&XogjPed?i2d%?@+)f6L_9({aAs0~&YbIif7TGsmnnla)`2_A1zB%d;{ccC4> zjPV)3E2nR7T**kycOH51*Inr0bvn0U14YH|w#{OC#nw7l)ceQ3XTW}4)|!Wwc7%f4 z9&6G{@WaL$au&Oa~`8V6vF!=P9t;&aZt9Xp?J{XcP9bG#=V(|qnh+%Wex5{ z)gLClByBl2Gq{vPRt^3X{#y`B6Jc}PE%I~Nh2lQZFF{}S_3fX|$Ao`w1r;j|2Vu9? zPZ}y)+s%^m+x&VI$yRWNv8Uj28a!}LY4UJcq_lbo1A_Y_lr&)$gd?<_1zX7XzwSuE zXaZJZ9HBjWtxYGwiHzX7yKAL`?oGz7gVpHk8{-#QN~5p7<-5bZ%*;Ji%NyH@b##KK z?pI_}GO?;s#$HX$p$bjBrOcN`3wCVj@1}9tJJHsR(k6GLhwM=-F+g{RXWW- z5a)#r$sI&nWSA~IbR*_0!EdXAJHZy_(P}Ku0o5UWum$VZiiPg#%BNSfKw~h?v@8W9 zxnI|W0r^rciCUBOJ=q`Ko;t%!8Fn)4;iIU%us?fWr7&wU1T5Ov5RQX_v%6O>F6u7g z*Y8BUSEzY9ZRdO(MsMe^T>_rz@I9B4(y(WdVZ?Q|9TA#aCI2;Sx7lfnMR~Ed*0a3{ zkCXh=!kv_lax=>>AZ;O|L7r4Pj8(=F%~X#KjAu~+Z|jL@qU|=c;kGF zk)fLKoXcjK)1`*UiHWx@J5EOHVkG(wH>I~VlK^h_=l-=;sg2eL$26nlyb9%9ZG3DJ z_r7KbnnG9WSBd`W=h5^KDDX3equaki`54CsI3!zt19`Q8_kaQ-ozdhGF?BVCg9!;N zeNYC9g)xCVSws{1OuinD`AwZtTV$7POu}E?zTk|{`)oyWUcuQv4!HKka#iuSit0Y}}QT}6gZ=>)#YMv%JOdJs; zB-9P#2hzv>xNWD!Uz8d*QWeDDRF$nsHkj#TGLCj?+d^lzGQ)Ht83PXn?$dF&ZM#K= zf9+-Ptr?{P+CY9L;qVf#uCoy9aqzd_b$lF1sHh4Is@iPEvk%w{7kNL#RHsSS8q^p+?Cyf|h)I&)Aq8#WW?;MH=uT`6L_}F?<&lT5d}Zg!+{ZLT_9uu`0#w z`iBI`Xhyb5>7h+Q2P}4Qe=$-LKl|QRI)>0cj!*F3{=qBmx(&>}G?}T|qUxU7NsyJN zR2R}(mFfvHWL%XiqO`>UQM0wh?2pfD#H~S?#SCgC@WDErP|-MZ z+gO(w-Cr&(_#CKooJ4n1Z1yC#2IE${RqywveA4>G8p`+al>lzN13j1&~K2Aj9UpPyr5uqv8;9oe~ zO1>QNPj$Kc;{1D0Fwmvh2aUMfJln-?3wXBvaT)IfDzRe>{JQo$ z;(NwtpMduwl2uLNJ9Y15g|3`uNbY-;pVWr_u;A?GBh>zM4~Z?>*)spZAZpZU{HH5s zXSCC;@t>Fbub44B05~B5pQrcoB9{J}#LhiLW+=B_fODs4+;@S7qwdWuM_u+(L_Hi2XgnH=v-kYvHtbK zL$s>yExcN7ekQJ@@Ar3VS`j^u|K*z(P-pvK!day9?uS;wOv*w356tlxx*Bt;bd;(d zs5!>s!`QG${^beQfYF+Lk^>W@fVI09VlZPYDT#szn%}OT%1|x&n>#k&OTLj4(3q3| zqJz&;O$e77z#cmlqH8!*)co{y9U*dybClOdR-!Axzcx7T;vG8)FeyITNiVVZ0-BC{ z)tx(p%BB*RGoU#L-whT+{cvRkSR}1C(UMLBvyUOO{g5400QEw%zzT**)tzUNmjR#| zLh=t3Q3*Ae|1LA*kuxCM5%vWH`S(H!l`BOo5V{);RK&c5Fmn*4;*x)J<#J9aE?{%! z!^47XsYaDv5$xrm!2Yhh&&6bv2(CyD)q!Rd&WYhQ#+8ni?oJ8jlDt5X=F&MP-1u=M zt1V7yum0PsPB-t=e!2GULSp$cyv1E-ZhG5H`tE$GkEksR^It!c9^ru;r|S<%93w0% zsX5d_pJs>={$oe6OCoh|uHm6yE7*0PHP97;DJo(wc6U9Lt7Hpv;C?UHh_J&t+D12q z4Z87SLc1=7%zXvp3zp0gff-geBbSb)V0KT!HIfPS zCj|Ygb8ZZ>$*r*M%QG^@|nXXYI3 z=ZvU2IwjQ|C^_rqWtRta@pcj(p1qMXA9@;fk5*%U(20ADjxJA#GvyhD(#Gm>qCyW{ zP-D&+k@&nAeQ@p4SS=0YV8H6{UF~{%hdDIF!7n%Sy3O?{{S6gI~Dltp!G^$_#08?#qAh<9a@C91q z9TlAa<*O)lM0NbTxA`(CIO@t4wEh$>T^4&WZ2L?xO_b-Y1bSj@KxgGJwWm-!ZmukA zvTl>*>49fe*`Bgd=d~_9asT8m`%3I5Dqte;cl5N-kwTYSmulaW07SCg8SK9Uo4K@1X2Lu zG7j+=bOsjR@SS^s?8^3@DGd^k0>pcGfIf?wF#V7J#}`omWx*4wlBXdJ5WVCkHrT7xMMc~aZ-jPAYsx|ecVZxmRUL43 zWQ`|4eF-GpoTK{VCtTPVzdfaZ|kD)BR^@EyYj zRU4GxRzyo-+K&GOQvJKF9uCrww~6i-)0lDu^~2D^WvVh2!-8WmSSD42ja{LHL8LM{#yM{fbXGP zGVztP+u+~;P+|;{fUWLVR&`iNzj(gaRK(yML&Se#G3KoJW-xA1v}-O_KgEAY>Tv>k z7Y@-#du_OC5c@`}OERJ+m?!Lz#0S~^4AZ-^S-vpBE*SF6kr8z6p8%O-eqRO}eMVc@ z;z@B2CDyOUkENBjU=IWFUeEm(O0F?@qgt7kO+#2X@+lU%O*42~q$_gB>T*UXVS1?UAy0YFejBw;>StFJB z%s59A^oZ)7gX(Tjo7ghe8e^Ea^tW1Z;bi&OEt}Hzj+_&}MAW}NCfXvC&@vq2IJtX0-O_axvRy%phE7$oFC{$z8!ubXL~MQl?OT?(#VZ9) zpb(#)n6)8ad!;^zLiiTZ=4RI7rrvEICy5c1RvLT)BkqES81>6;3TBK5pHNm-Hnz7r z5A;(&lvhVE$c~Kq%ODr*x?})zL`^o?s|Q%QwE}3Z5ypW|;*#r->lj6uX)gv{r@TXE zkZz6;;W+5fAK*arMzVxxt=Fz1ZokaABQ4<0UA*HkysberCGsT&IZv`W8F;Nn&aL$x%9|OT-yX*W)(`}EdyL&+ z1Z$Lh@wuBC1u^ssw?goqa0zoshNJ2g3oq~yr&@0lQRz#MTz?aBSNiWU7SM5<`30q& zyDRkDZ%F!H*J)7RhN1j%Gp8Su2(Yspzb@E-6xSE(_zSqsU^N!)ufc0F015_X_+~HyaowupkVwR&t0#gxCrtV0ML=!j^wI&qV3XMZFU`G9= z7Pmt&4G@q3ySyDqbO7cyDxq)DT?s5;5e{=FaX4L0Ih!0Jp|>76g4}It=$ru-ZeYKe zSu*Cn?f{ZQdiEK}--oA>Qz%!f2|Wq@!@xp7_Y`E3FluoMwAnscI*at{QJ>>Yg_C%G zLo)(91E79-XuibS-UkRBtHEROxCgIh47Tm#4|!~#(TYBHz&VCpa+(h@H=(SS>z!H&Sn$^j&xU5rZN+M${Zig-h~7y268-* zcT`eVz_%na(7bYl*|};A0M8-Q)db2Y?4gKQ$in@~f+lm;i*>)Kgn`^O$KP0X|J7>1 zzQM~Mx|>|KNbGT95`3ViB^`m5tkIOT??t25=4%w6i()o|X*7z@U0`CVEv5=1FL0~Z zw;@~n!eU4k>W9TU?KW%5W2gdtT-fmLiJ&(1IC;fSp7XuCW zjwO!&)YlvxLNe?=6Bs?J`DI^|zXtx^Y+=i8{FbyV^Vc51jJGs?oiIxsWRm|w1&jfx zx-mdda|0(2%&kWMCHen-KQey|h82euOD9+L|I(saWE)ZtU#6e64Uz8JOSPyPy7z_pp0PlYsK;eS0I{_Daj!9yYbYZ4AwO2LT@Rq99L<^$R?mwpfuWQq~AUUeZ7IK&(QX# z@$r`H)_W4b!D^=NJt|P6#cB`zb@ZJ_!H@&~tD}!25c3jz56o+J&XV(~eE^)jL7iGd zplFzIQazLkfH(BJ5(6ltja;&wot%SpF1-5P9=Vx;M_}&Zg3JW9q@cn;KMWK9ssg6e zvkEFXG}8f}*TV2Y7|7AMGhq7(%Q0V^l02Hprw)3j6n_UF(Y<=e3_)89RdCTFyy;a( zCfPV#$bXDN=PTc}T&N8z4@^Gkg{#(RES_AhoS6{kDvm;}Yt4)Ul17hkk|M>XamWFY z@~bxwOs_s)KK47ic_9lWi{`s(AFoasPca%tYEfCZP=8y?TWAlXO7|j_FJShvk)Ys| z?RfA{7-=>|wZ1^cs~v&fF3UjoV4g7pl57L9{w=1U4AVyie&di08!1c(D>jSzmM`4c zgv6l}5Nd89@}D979T-Pm6v5h^dTj7LnfO3w@^3uEYG1EF4D$ykWdga*_M=e6*qoo@MRSpwad@C$I-&OTgM9s#9MZ;o|RKdlv9qiAH{a|mb@%o*-@EZA2W zZaR;f$(Va|l>6Zu5q06Z4+e`90`6nDhQhOPcH?P?IdoA{AKJtlH8S;WrC)}i3SJVI zqg_NGNEc`&7mgEX&u7+kyo-0*#?HqI!p<%jby>_>qtZH0aSWp*G2y_hx4ezEK1N{K zj%ku+UPRB1Awcja?Ac-1jvRP~>HGC3s&$!28;9b*Z7uJ?_y_?UhiCry(p34HaV6~e zMHdMCrDo$R9=xO?U?`ItxKE)G${}|bk;&DW9G$Xey{KM;{aYjrSS4#0MtMgz&q?<@ zzy+xSkdE1+&tkFLxB-5I`smT(S7tpK2#=i`9tRH*;Klf;k`8A(00T#%QFMhOR5ye_ zXe@qujO{_tDf_V>?+*p>iMH9!3i|j?sxg5kkwMHM?>C4kCn&k@Bif#=g77FVf9cA2 zHU9k)>I=#w>$dT`$EDo%ZY{^Q+s+s~`E01pn{>(c0jghCyT7ta>1e>k=W(lZ{y(Z(@?0F&@F zu0{VerEn{F#8_86OSdd)Vbbc1*-h!<}q{WP`^XS~s zepn1!AsF{=5SOC0o(7=ZcPWVDB7dFTVwFCU`%9Ixx&BQ~fWtHKWT4gWyUF*p2IclA zl<-Pul})5V6bK}BoM7dX-H!A{`~=0DX4eZau8Q*H zmy6?-ZM6KC@`lRi;z=*`HJuyZZSReCv-ca;tCA=T$y3Ct%2f;8kdn0y8rU8ug*}b) z9VhIwzO{FqN!c$d_;#m+gyJ_-Oq1O}0PUs9YyAe}*6fcFciHl~j0j9Oi6#mhCoHzc z3PQKgEMrq>()$uRAI7g3S2pEOboSgj@&%PJv&63tNQ379fx@@Td*W>|E9LTU)l0=Bcvx|wg>6)z6=VxCN0nFg*Crn15+N1L zgq+1qG?adParcvJcchW)ppIraz7Y>8gR95ZG*_jjJIKH*#8|OuckySt9lLy;yY-WN zV`v5xKdFE>^)+a{aKr1So!MW?A7I~Hl0?cmt3a};hP-_@UzbFdkA`N9l1AmQ?_V?L zVqLLoID=b2?`5p*b7QoeXDX{CMP1IWEO6$JF&ff2r6bTMLxvGlyRc(A32z%)zn_6+!Xv3UamW~_49 zT$TR%0NhE=ybsnQ!jG5+-q+1h0jqAQD0-T*ljcy?251tbf=1z|G5$GTHu@vJGxqqg zGQCQVWJUwlo2{8v=iZ7wxy(Na^stYG&>VrOmFp2W(=^gzdB|i$W6{6Z0CGK!ea5lx%hQ z%KHLEY_9*LEefG(vJc)5Tqcg{poR5Y1%knG7UHpi_z)9tIv7*BS6xeF_i{u#)Lf&RAJ3rB*PSButS`S0gN|NC2jgEXc{fLsxWhRcNmJEpL);M9=; zI+R@eDr+20IU!*uUp@3Tg?=VJV6r2W1+5dKW}_k!zq-+8V}Z%_Vmh&#_FRob&Uci4 zX`jRGVeP^w;eA@+I_b0qgnA8_ueY4B)PtC$69Ioa?8;Y-LRScz4y{~;gg5WZ!@yx91V1M`vHE6T+blI- zrYe|^91E#qz?(k2H#8feY|4=@-)kQ~qa=)wN1&11luTLhbdf+`8wca`2cZ}K##DrX z)K#`AS*f`uiW4tp2ka>2B&l<#OEMf7ce=|-6Mz#Wj@;UeuY@oMiO_=KfL9M@WNYYB z8@(=#CQ71|QxWy(^Of|ndPpjKaVHye|HukhRP%UT#EjPHzBZj4LHR?N%3da+kR|2A zBF z)y71k*JAJ%nC)9%u7`#VSBeZFFHT?LF>svxkOEuz+B_nArzwUVQ=wn!ew7r9S%u?| zsAg*U^6~B^jd7KGoU9>hnIR_oZ&LhUni^J4ngm4Xj?+#1SCfPxgg5Ag5q}8AlIhkP zY{zW0clSwH+i8t4v%tepLABQ`qE&r3j|~nm_?+cn2xiufu@D?TuuZJ%YR!Sh# z8Op5pb9Q3)=)g*YOr^RfdqJ7lv<~B9Q9R?>v(cze6*C!uN5?cj__oX;Gf@J*yX=|g zQ&e@OY{-@iXW zqxP}l3#vv63C)NoeyN{gT^8tj4~Cmqv|;Tds>?Xl3_>&NlPG?ntoHFA%ZOuyycfhu z>H^UOg1J!g1(@Y5n5>tAp+pk<)KERl{waoGHb{Qz6kW#K0}XK^xxP8NYB@A^FvzUL z*!&F*V={3a{Mz@kmCzJ8 zTpnV%a3+QLd%wUH4FI*DBIwC1oh7)9r;&-nm@cSQ2{c{z3H4uZtVza=HIQM0h2pQSGVU)NbV5`zw{_e^)g<@&A(@nZP4B z)^wD5*~sBfT5J9#f!xuUa|`W?x$fdXJoQgdU{S1br8@;(hd~3%aKc7 zoU0GQG78E~(d7mHbi2=pz;Tr#S|&LMh<8QQ0saf&&%M%jE#vF)kO2dZfqocs?WX$2 z_#l51SQm1uHCWU+@G`6bXCE?M+k;^vLb0sHY=lragd+T-A-=yqCR$t1U*GH`y;-sP zavbAn4NqcgURN5KFoA|m(ccUKi`h>~aPIhb>5bXt5Rsgya9(Pe2B5I`-9Ns3j-qc} zhHF*Bffl=Nw+c^&uVQyT$E;S=Lyt8b%lM)2-=u@%QXxf)1j-Zo5<#`jeLI|bmqM3X z>x^ccRAYa7}Xec5g~ahy;bSZlpqPaWTA{FH99onEB$ zTZ%Skrx86~ZeL)@%5`Knp1Qd+A7+ud7s#392GFQ(bt=Lc_PH_4;>L$S31!*VxQpXc0)a)Rls6h z*kw*eiBde%W=N$d&*$&Lz}bZuI2nPjhH%-*lvPn3J00w%DraMUH(+rUZUBQmrJ{cu zY-H$!6G`Dj=YG4(iZei-c0wK|3X@TwP>`yA8;FNI#O)d~h>N_a7~8QP!oxfRv@M}v ztRD}jVSS6j{RV?!v4XBw7*{Ui2Z-lZaI~7v<-|jyM=o4pz1O3c-`qUys}z3`C%Lai zb$a-{1TDny-a!f9>z=mlI=$hJ(q+=?Z@U^Z*!FzDh0*uOJUv5)~B7Mp~)S zsk#eQBOO_#_B9o<%VJbzWCRCEOCLtjy48v$6 zStdJ$DQjBDk|krtmYvB`c7vI*Gt6LS%=Z0wp7%Yz@B91f`@F~TJMK9gHRcb;J@HjY8L)o3+hV6|}jfrD-a1j}A${*l%f`X6BAoL^_HYm>N zmp?4INZJH^jauE0?iaetjscAbvf5&%UBQj9rMlCi3rXK~m%93j`Rzq+*gg;mxjuDs z<#~cBm>%;P8Zb}p?`<&+NrFp1la!yT^5!i)*w8K+p`v!ihN}bM+Oq_NxI~#T1y6F~ z4%G&mU0x3;w*O&u7InLzzIcxOvjsjInKP1nKSMJhf63FSfShuOlnhh*X~Z6d8eTFY ze>@XKyI|0iccn6yv2M!P=}E1UXE9syVvJl{{JmOFrc;%kYrg-=O?6@ehOWtj#5fSx zGe$cv##fx*>>^6V%saG^3b2}rlRD&a)L-q_V$6uDe~DlS9r?9uH1sGSBx>cW`)$PI z4QyT%zGqES;JeB)0LUyCkhJ%=JcYLGs~g|J6b%pCKumuxh>!TP<%W#HhR53wMmqKH zA=*V=w{1%&NSr?n2<3ptKzf3dnn44B zzQ&*p{L?}1Xek_TayQ96!>Bc{&^IUK66X&H6f6ZAR7HEarY{}Ct^leIfLAWDpuW{A z44(5J?!pBnyN*Lh$hq*TV&MOjaDgp{_G!IPBcmJ$!hWOY#?fU0OL#Gw!-KJwDyAk; z9Pe6XL69q#im%(U!500*a)_|ScmTD#lGrl5l;FiQB2erY0K~+G%F36+>#4~6m&(*> zL#Z*Y^i2r5=ky2czo;`WyZNEBwF48m&8%~*Z3+;Ta>v5~JA9!aV9 zj};Iu8kId%aj|adcm0WNJj9{MVB0+ap%bdZ*Jb=QAyn5JV4zksUj0 z_AYNN=ZY;Q5x$G4?(awlwg5R0d~p}?WXB6ebN%HZcO5U_eGMP;`i?tQ<~l1G<(5{K zQJiQME8orfQJ2Z|4L*2(OLZj;B~?0k&_z-`FmCF-`S88iFpdB z-T?6L0$C~nx*R2}py=3|XZ_+@VTUmtDFhfP42UK{7O924rvP9^I!@CRU8giw~wIh9{hA32ZAjN>@eCsT!z!yrWGEey!EVc{KLiZK%LTe$bWr46ghk zL&Q@`JpuHVs#k!}FH9wJ)v??!CrVIvoh}#!ClJyxjJq0f&;(cZ(lKxblDB3lhAMd3 zyMCNxOE*oH>!3?pvwH#6nNK;r%!MuC-UbiI1^`LlQLuCii6E#$pH<-5r3d{bsC5v_ z?;98Vy^|B5$IiJEqyy1FJq3YjZ1{pU7QGfwWGoU0<1UdvYKw&R1;pC}$;=c;X8y~} zJNq_*^uNulh2d;&OZvMxd%;0ZjmpRgnlVLtFaK@P#Z;R8J&A@)a5V3<8dYaATMzonduU5OXhLHP*%@n+|lv&R|#5lH0di3n(dWJurVwE-}%4rA6 zT1pR7ohui~w_~>sXP^^3W^qs@?LU9`5z+LEQ#8=ZNUJ}T)vgxLp9IB%ASk;#4_>ir zjcpxgk9haNKKYd(MV%7%jBz*MDY)2&qZ-Fj`)HHt z)aPyO9**)>Q~JeK%NG>`Tr)*!*O&5WwsSUkXe;guH+T-~(#Z~g|t z3efMLS&VrG`mZDE58UUu4F&k5_EegU>4v}h?ZWvf%xZfV+vDdm`+xV5(^olD8_IA4 z^yn~q-%yb5T3-qn=EeWQ0%t@{fY%I`5BW}16FH>HPFFETX}U5t&^?KUDx34?>mJAI zSLQ~}gK_PWA$=CePVYW%X?b@?*pnn?v~fCJD$?KQbA;Kb-<_B(BCI3Q`5+hJG37yf z8RRR?FGKjlbK^=x@>lEGH)p}}2fWps^q;%v>NaJAkd5CuFJBtqHZQ(9El;UB)mMm; zDyJtR-W7k$6X5s*7t@r{1z0M~sO6qmr?~!}NBLN4JeF#pIvcA*YhI)$Kq3irX)>U+ zoP*8roJ{cj@;~?#C!C-T+~G8RhzA$k2zvaA=Pvjz_y&Ov2u`l`PYH_73}8>@o^@Sf z_;TZU4$IB_f**CGXKl)sz5gQWTLgcrZY9uroj8ElQrvhyx=`~vplP@;g}JW!mwz4h zm~YP%!e=q2p4DehI2c;X4HPW?6$BOwSKbAj0%7f!zRVIK5sS-2@Fe z;$+k~tcqRN=a-Sn9NDD+AMC6j>z%Q3W3Nc?QE>)!{K69J&KD)BP(JPt=93)k=mP%n zI>*ZLi2VAS^-NPgn;TC7NI}zcZNUP>pSIBxJ9f#3yvyv?)93NH=1^?7j~oW7?lwJdeyh?%=|so;jf?YJ5d1U^(I8Kd0+qSK>GEx z(+N;GoJZt-=JGe34DglQ4Xb7+>GSc0zs3nP9ds=M%TpN1J_$v=Pv!-i2U;A&>5X5e z6Pd8G<>b|=7Hrd_(Z+`CUQZhK$Pn{l73FPg$5v0OHL+rdA?d=AK`+L``u$Li2Mc=G z*aPSjr-Cnn5{Wk%>oXz|wMZ5b*IYvM3S9;mf+@HmF59&Qe7PKxvgE0{Y4yShC#P=i zAtCJd6xHkQU&=cqn{GxKo4=FnzN$cdJ19w2Cgyxkg{xDQa%lD#+16uyfbi0n(;NAy z6@0x4UxL!j)f!i%u>fS7A1=j=SU#b_R>d$9oHXUvPZT868_r9Yp#FehI)&Cifs)RT zIcw-aD(71UH?8NF(2Uq+9jIPUDv{+)?dkizSnnjQtBhTaC)!moc+W4hNR@&S^qsAK zlV*@C!BQStA%*WENUDC1zT;g{SS%2cXoU4k72T$#sCMwvVj?>uVKr);$n7p0M1|7> zfT}eNpR=I@)_7pd2!hSO#{J%y)*v>x^RH1H?5exV%uLX{$hQ-C1sB3&zLbLKvA-P| z3tP+15^iy;oi~`F0h&{il-*D$O$UC9>j12df}3l=wOQq!mG$WXs0`Y%b>{rE|3z+- z{y2^Xu^V8C%paOFY0PUh9#O@#DGiKNe~@Q8Q+VL@vz!UY>TACR$P>;y1j^||FJYhX zvpRsRZ=2<*6cm?tg-t=GO#yqX=0w;fz=hnk++j(y7mEdvz8*e6Idvr_nG)$6651*9 z{_>LTR-*mrT6}n~q+2@Aq^G6ryqJ#KZt7Rmfd^O=M|(SO?CG1r`AV>7fpkdUnfoML zKHet{6D%DM4HwcFsYXHVi-Tr6yh9i=1iBiD??GBaVma)>kl!951J-cE)y5`lz{Gcq zA-_0J9zDODCy!j2?rL&e>sJE@ueczrPc)>kL?H5p^kyYf2%a_3m4z|-amiigXS|l@ zQj`F6%WC~N;wE9gKMo<=)=ajygA7!tZ<&w)583YC#>>{XoVX_w;%#~nhAMv2~eex2&g9pVoyfS>32L@ly?2R3rF~w1)SwkAYJeQY$_VQS~`hHr3SQ-pD!HdYCusEm80c z!g||>TR-WvQskO}UFt_bWc=A+!@z+y zN57Q@G6r1Dr9xnVbZsN@bW5Hia%I+rus)q{W5gad4Ox~%Pq+$}Ve3x`Ycc*PLC`28 z!$~UZku(j_l;ukd-$8c-AvH!kY2ex>9=N&c{HO>0N-PuOhHZN8J^4hP^##jzx53-( z0918TPwfX2Va5KiR6eDT#z1QsDfQWbL{9nEhBL=X%_X!ophrm%7=JJP>5o04_rArT1#@OjNCQ( z)r=GM$-#+Z8TRIq9NB!R*cYKrFWCBW!tW!UT6NKALA!(73p9k|2{ldBs=i>dEXHDaECBO2{?W@`X$u^>+|VV7?ka?>Unfk6 z#5fAp`vfK6bvyK&0iIJOm<5T7(`1NEO=M*pJ7%x;7$3w8!KqTJ4?(^Sm>@|!)kX$? zA9U2S7|TpF>4{luVaCM!J{31=e3({3>2U>EkGoM{xt8B$;`e6~=tq@6gRPR-oK*?# zK{#%I05ui6Qw3Cu9vYBrNcf~|t&*|A_= z(FjaU1o6L|Bwt~u7Qcl85nOiiTY2fknsem-;*bQA1m2LKgci71ImL2yuYNJbQ(oNc z19{a1T&=a*Il8sZ-DX!vYml{W1$Y?66M(cdK!b&)f@np!U4vNLns#O|O zsMfijYNXS%imh)@1z0T%qR!W&*^HF5bLT8~OTM*cN}kK6bjH%vut_Lt?`lG@`%qvL zxj0RLFMbl^iA*8_#w9$ek<<#PF|bmjSM^n`H9 zO9mjFawROE@lu}?ped$&!S?Xb*P&Mb<4eo^Sm^oFOntZ!qT}5QeZ!N$CfMUi0;l>Puw#f(07iE#w>Jf@O1sh(&Yx=W zM_FY6x5W<-L~3GA_WR$JW0b%cN}vIJf>$kE<*|(W_Gq>~eE->(;}?ualM;#-(w#G(FcT&W#Z^+&mSilXW$E-)1ig7?y^0rS51tLqE}-= z;4xFj(JbJWltUTIaIPJVTMItD{y3So{V*^j;~&P4VW({sFPOibR^MS9S9^h$4VJ&= z4fLemF=N6BFPh{O7Y}qWF(%8Dx>R5{z?ABvgHu5!6zL|8X{okKurdwYK@JeSGO!@V zxZ(wrksLr2V{8s?eDOsUgKBz@gX4K?BY+j|s8-4j1gqcw+KAJm+f09n$j7ytb?CXz zcD(7el^>`^t-Nd!@z#dbRNXt!xW=H=S0xgtt`FGFM0z4Mr@9O0q59;?(uv$Tl^id5 z|NZcUdzG8W0f(h>s8q<(IUoszY-UdFMfh zGuRgLjS=}0`@N<M?N}Eq`OwG z0Or-^3~I?}-sn=8F84K>Lt<}5&!E{(gsJ3^iGA2m$UhGYdnzsnL)nygQv$hMphg26 zG+h7So*gh&Emqz-=pJ;~_*sP#MeYy{jKnk>m}E1mmDX)@X(-~WQ?LA*6RJ#q;W=sP}2+6Cjjrw8$mHbCnjS)b=}XiNh@9 zmT4zA7pn{|81KUFGI_VF6${BuKP4~F?~668oIZs?II+vMr%e^4 zDM2>wybZ)lG;i^;U{M#%0CV%vtR50qM8GvPh2X~aJdXZM3YM2kH*EIcIP{>P!8&dkS8B!Eip@)3N z@C@iERx<%!jZgxl8S&qJmi;y{gb=10da4gyZxBK;MXx-;u3rUF$m4W~1_?`SzC*3MMyx*%c6N z=AdR5W%N@yr=FU9d%wQdoh~H2VxJpaAn7(6+~sS4Y+O@joU6Qi6hqHvQfn^RX2gzA zj~eGLsl^9Q6))rgr43ZK&9oERcw}+XygKECM)1-2NBdTvkd_JsG6b3{zl+G<0p?Ac zVjNLj`Iw~tB|O|vTxw>i1r!GUwl*cuMT`UhW<;~p(C!wCTgl^v-99!E24{bvFt0?; zj>=>@7%lDr!lqjZHu;qsmImt*!##1k{<5=h#+1Ut_V7UYS(G?sv*iT^p^K2#==qjQD=s}^1FlEE z^6s%?b`aIE%atd};dsfJd-@y1@h@BYc>G#Ro~I+2yA=CqGtD=INMK(kvEv1OBtbVk zB#vMr{l6s6d)pkBU)#v?A^{Y|?{s3*1aw^t67LTM%V3zVD%2WAlw0i|mW*;tv)?dt z0gJV@y!j|PvlA!~iE+drOZ!bLK+d?^qUuU( zr^{V9MO*$ZA?GnRq%)ELw%(M@wi-%vHR{AX-u|vEbyGZ^E<%T9KvznF)v%{#-?%u< zT|1S~3QT}1Ahy$3bbWuTNw+FrtI2i{XyMHqvl#3$=*XVbC9rJ>3nC%EnK)W74L!l0 zO1<;H;K_I50rN#oF{3NFx-brq;XxryoKYqotv9(IvD}`Ft}vj~j~p7TfHd%wntM6$ zQAj2+EzjXC4c6lNj+s0y(j}(YRK}pR8N=w!TCn0O{SNw9Yq8*FZ>qs|MhexNV|#Bn z$ovW`W0#>s*u1ntD_+=X%h7FMjDiC?ElFbI<0S1Sr z@KmkV0|gNYnz1`#lbec;^b|a>qAK}z4!K^#Mx7)PiXo`A=gH7)(V71=-?zj0VzdXj~x+Tb#0ki+!qYoQ?Dc#iEwT^=m}6;Kh{}rOTwtL&1m|XGaR!m zrpKh7fv#$&3ng%)&VpIjb~R>qo|%9(npW?THWMu6t-H6G%(3&|tLjrqQ0MYthR9URgaE=%P1)_+C? zq+t;P!vxosd)k0V_ z0fod-Lj0f|1W7I_EP{OC!V{x!{Bv+kz-|oYGZy!{uoi$FX&r?fqAqr$1n%;PMS!g4 z$&!2$X({dA84y(SLwhTvSvj-N6uZEl^CA#On*I+9Hcp$Q9cz$}@(c&fgZ-dQ0*rpEBIqc|N7`D} z9tNFIz(S)oFH0_kunPszPV15|`nVJKI+m}~6Z1a+B*$ICP(BM`S{O3>8^()=@%=++ zDTV0G7z1PID0pH67@dorA2ql#ng@hDpAWC9%!Xl^Bb=*%6Z|Z2C9G(g3-Lr~!Z;8S zW)+(0~&_Sn?(f5`x!#RFEl04%{A?Bn-fSwXP1XhbFqmI04y zGPq#BeFFamZSepI0!cXIhU&w}>MV*70Gk1)7?gp2DDUp*)@YS^tzj06uRQU9-4lbk33U0n37g%sa{L1@-B7$aN(!Sx0`nFwP$3P?UaS?_4EbL>p-jPgDGPfRP!^INPstIx1c*2P26F` zs-v^+1n+(na?pCcdNbd2G?*a9r{CKpK^tD#MO{A|3!ARveSVG(RLBzchoc)(*H zbzMdRvamoassW5z-)4*q`7jF2A+@VveWg1L^tn0E!7&>=)$++oZ-CL1E^5XGMFO}l zelmfTY23a4f5U+C(z?$^Sz)?HOf-K4%s!6DfazvnFio6G7U=-^HO|bax;TnH^b%)7 zkyFvAJ3H!qN0fE~DTpXuVCXrXc}wl2S3_K0%MPZ?ux;_o!pX{`ef!xf)}756w{%y3 zwPR4Ndlo2()Lp_6j^1GYrmtl)%O9wcz zEY?1BCT|1eR?X};Q&b;!F{{bp0*k?po+}wZn+^a=eG>su0!o09;1YgCEo7;h76gX= zMV8F(VJUkf+q(MrNrn3BvxVy&rdZwpHh5)Hw|aRxu@FUdd|ZL!2+IeXrbtXz;7XoV zfmOr&CQ+1z(r(vrCI8oc#xY=3tt;QhTG{XiNp4sNBuzj|&u9mXn;!817| z8c>=COpA{Z=m3z&i*aP67U~D`=0+c`v~KhSrj;;2PicBd8KRLf)iv%L zwhC>WEfsvY(dV1?4)x0|*yqLX!_Q~B#^3qjnqdCMc)ge%I!0RZ6uG<>SR-OghX0p+ ztwhRM{o_q_{rf6P&|{uWz@%>mEHbhKXoSx{xUk%J$6OPbu^8!dgfFl6n6F3SuFjVb z?ju7VWKH;w7xLMU(NBCrw*@jyW~HYfLR}${J0kba)5$bdfj)Fz%Wn7aKK| zMNXyd@X2e|Vuq)j%m>dj2MHn~y_e3lX`;+JhQRW4$7>A!0Te?{B>=GekCS~gTKx;M zW)gtIfv9aG_bXMY5q+;^Jep)L1bOs!_};eIsjquQm|$~Qs#ys%{p`@Uq;W;>f&I=x z((+EC$ctmuhGwbwH;6Z0)Xz6dHFKf9;HDdRT$E6Y2uU67MbeA`53P36)3u>7W+6#L zJ^LCCmAqw?w75n7;duZm>QQ0zcA`bEc&sP_ds$`aC0KK2du z4-5fkR^4)?r)w?ir}9Z9g`8kgew_Mo_c6QX8u%6$l_GU;xtg;*NBte{@3$mhQewV=jbzL(VqY+ zLr}z^+lDX?WMJTA4!;|rk3KGkX?l31rzcCEIkY6-mvKi(fYS!@*Ay}5a?^_}D;$FZ?}hi5Czwy=87 zmWrg1>r6x5)$P!qw7L~iC!#-!s=SiAGIef*OLx_e`3!j7pR{XDvO#6>m2oy=+@)oO zcsk%k4*D5jR7eQby}I#8iWvNw2Y!8;$ej^zI|+|<)rAGC(|bQ{+OOiGdE0kk%Lh+- ztk@`dw(@!m*~3m1+KbKXI?C4W&aB|B%8oXemsuLi2QDp7LCC>v<@};7n&2teK53W; zq|b1%r#85W1Ez$@KJMG)WLhra&uOs%gU=P(&oNOo0sS2a?Mm+IHRo;!RoKGn%IUe{|SK}dh8kN=~|iL#USOd zGDO4&qE`yJNVfa2?&Ogr&&j)hfd+f$hw=J!DR*=%n}J#7BHDD{0z)qJYwO8vr(TAKOIoCB&A5*G%)m1OsqbPwImqN|nJrwx+BO0w ziW61KtaPZ6IdWcc>5bA72Th_GuE(P%FyLk4n&-~vnIH6vuH_wzf#{{(u{YJv3UsMZ z@c#r8I>HtatCHNy|M)W!f_u2)DQH0lu1NB$2&kybX24+T`e!vBj*Pci==#aPi z_37xHDcdFXoV^qK$J5$r&xlZcrPbu-n^v2ilagI#Q_4U|a)4)cb*U2t2m-@w*hk8c z)S#A_%A-x}<~f{noBkl_RBMSvfFiqv5D4|=#6dW({qf9dUQh6*y)SF(U)6X^quGmu zb%&ZJseb_jn+a-k z1+~k`OQT3tvEKkm3VkEIluX03A_)N%sp9MM94U(ljaT@3f%>@w(7*}^0)LOzZ2%QVw_sOsIyS>#Vz?DCM z{n>mEy?lrp{{k==(5?!7WFcy6Z+>QZNFw&5#lBxvH7VN|D0Z3%hM?A8W?@+oVAwiE z6;|1g{f{gROyl?6mgJqo`I#|N=9$`R?I*ojF%h$F{WVDSp-FOWmFGYbQ_TNsVw2?3 zsL^%+o}(T>E$Z6tUjY*Cnp4pdf!nszP|JGrc1U^ywj522Mr z)=y$sX)MqeV}i0CoGw$BC-;n-@9DL835ZeDsaZuLu>QrFjGr++H$mSUT#Wlu*Q0<*2Ba9<%;^$K0g; z+YwjCk3+$G@_I%$`!%|u+orYb>Z&bH9ENe3b6|n&f(?41Pp+C7?4a(t!$fgOP~tDQ z>BfGus-$mslcFf1&q7m9AjDqz=SgASXN*c~24(nfKY^%`?UY3u?n_y1ICHfj;9{r# z5ow8=r-}s3>+p^_rr*vw4fS8&4SGg?|GqwQ(s0C3d-apQ%kG4iO;y#*#VGwRw=z@L zmE+9X_br0!bKdFd<ASQ z9lnzGORy5Ni|I5w{k*6?`s8iyPI6(#kt_SA#ZwS<+<2)A@m?7x1SYe>bC_@ZZe_Qd z=-FMP(UP}$a(_q>sbuC?Lf@B`1g8*bH8z{OvQNS7zn3$|Lm|*0N%rt{rBEakX%0O7xWzL}_+C&$ z#Q?PEXsPy{iw_}c4#V@TASBh0&S`6%6Yd`-aVADz`UKv#`Hb(tf^Ox9(R$%Y(+t5!a4^{zT}t zX$!r*qfTO88?SR z#rIXtADL0cee6=n%1lr^t}~(cSUSn`wz*%z%A@N4zuuijj|N=ws#u<^xcF+@?rpp0 z-yZzvM8KDN^j)#3#P0^lZg1Hhvr}`w^JY;Z;(o=Z!*x1=_l|G#Qc!e|rZ5n4f*A)4 zh*BEi69&pAi!WbAJ+plSUIDK=O@xe9?_DIE;J;W-4)aYrUB}%wN&3cLaut^J_xSXU zziW>8jW0$7=Pa{58ox*vJM*8_8Qaus{0;xP625F-F*LV4xv|H*j=_ebg;0<<;BH)_v;(< zJYTg}METTrtu@alwTnd{p|4br*XrEU5sfJMmFyjmr0uAJMds6^cNo)eH$M_JYtw3s z519BO+S88EA4H3%sAM>QNL1{kyi>0lc&j-k$#F6wYdRg;+vHfFH`3or?%>~x@IhAp&EO9Qc&lwZ#RC{f*82Q zPDnpSV!cDrPhNt5-f^`x@`>`@F}H)zv3!lXqi)XSJ!hU9uD$UNLmzc%eWYi$X~#aX z(>pKzJlyTmen>)Pm*i{xxafTnoo4@fM|I8 zfrq^Ztkra;Kgil5Y}uU>Z%Ijfy-n!i(AKKhBWhnw-@suqX9d$oKL}oOAW^W}+}~B9 zCDHG!|8+`)=L)~^Md!RVKy{38jkxSm7@A6 zTRngwRhb@ghzTm5c*i=o>6s2LW#nc?x1^B~IjEqC-9Wiw4G;oVauksZp9 z&bFCouI%2LVmhQeX=~I|YI*25sN|#;M-_&p+QyWbMfKch!S!l-I{Snr5VfKh-+rW` za;>Rb4-7e_qST0w8ZAd=BhQw}mvCA$-mw?6h0^HJlUG+;1l!iu)fv z8&~(#JN8oY5Z#O_ZfEy`_nWi_ZGw+w_}ZdRS18x^dtZa<;C%3id-HgMD+D zqD86gyaTnOa=2#33TSdIimv-&ru%HE zPV4%p79D=;+R@W#=K0${*%WFx{CK>atK?|g@07#LdsP|Mx2UynU(SBZMIy&=q~{DKROasm7+*e7ySx{^L3B zQ$bOayb`%FIvxb$?m5iuq*w-?tNv&@W{M`D2#RzSf9}SE+NAe*k1>jV$QT;S<7MNC z>ufs8NQKmDE#U(dRv|r1x|fl7lA{L0uz!l($iL${uUTp$e&J`4rQg#C?F%P5p~qsJ zOLa~ubta7WFb=UKh0Jmg($AKQBX5`HI(JLK!c?#;l(YQCwq)WDadoVsPh&lFfK4~U z9wQ}tx|mJ1sX{)(7)QcQU1U3)LzyloYM!fX0Ydn_g8|ExdDLd5A0K|p%Il#HZ;iG} z6W=8v+l)DS#)}m1(3RQ78GfC6;>*jBoz24Z=ltKo_vhA0-^P_FI1vqt#cPV+J=``S z>bJ|Ec;D9I2tihIH7`HCR&dkue(#rvqWa_Ik9--2ArSbDf?F@SI!CdNn@78+QBoSO z+Wy4dTfGt&_8k=4nm9XiqT+ssXlnV&CEH@UY0JR3Eu&{EDZ8%TI{7QxY@ho;v3`MW za%qa`3A22g)9ERDzfX$Rqgknm zJ}VgX{RKHEh>W_j>gAL7P+$q#Kq!zOPYc}jlV7k+Rjs_w<=m*_iYQ+N-R6BD5^nPj z{K4Mlb;QPHDK!bD?fHEzfZu0vXx z+`M(vXUt%CQ=sg%q=CblozF3j5_Ck$z%g<7`$M}^T&b+Hq3%gVbW!V>XpQyI_jJ^| zqhwPg<>#AHJc>NiR{mq1ZfQZ4F^t|39RuA-@u2epwTYBl4iQQaa#OLo@rhf>$3B$o z)KFYAi_QY<^q~<5zGFd$L^Kp3#qr z$NWxokH>u6(k2c+*m%_7y3uk{xSNHyPxm`}k*_=z(v;TYC|NmC~!fKWM2?a<3ycE5<-G zRWI8waQDNZWE{@ER9{g5oTcPfM0$-|n!!TPP9yK_q0f-gy6=`O_M4Dsz7X$M#J^RonjX;jKxv^oaH? z38#1e;y8T2|Jw)oaCIerz~LB6r+3FaM`FW)E7!0HQOOn@U8qZp%;KF{p;=B3nbvu^D zoiKHf#HMh*=OT|@Iz_;J(OAt+djB`L(3GXV=xDhqA*;_)YXA==OP;~o?mRiECql5cxGmeJp z;1}W&ZySNNkCPx%@~~Lxr(Gvz+7w22Op3o^Qsc{?CYmJ@QEINIEW?yW2c7A*rr@Zs zir$Lv9dxOKFoIWuq|CRy%0drtCqp0g3(JR@>g=?zy%Cmb)Tw&Ps6pDh`)%eI2McX4 z9o+ksBc{^%H6rE;(Lb%J98|Q4$oO6QW%*?l68%W>pVSbUuU_}Qw?Mo1(b{weB)T_Y z?0$*u-X8E*vfID=+NWz~_kVv&YYu5we*V~m2XEE0=NIdF|&^l~hcc8f7SX^|t#ZtG_m9u!6VMFDgU56b^`wtI$ zWedK0^tCt!(PZXS&ii@o{-ty=BqZZYhy8Ks-=ABh^U^g&;IkS#z>nWtqc>{ykvxaZ zycl$sHY!`Su{A+cx<&e?hQ9If@Z2eQE9W-dp%^uiGPVudd{oQry;9T9h+7}r4dO(W6`~ko1xj)a6b=C<05&yjwvYt-6 zYbZuRCfH(^pH_yl!r6=I)om9XSHwuFHdYd~KJz|JEg!<=K5_qiu~obN`9|XEz<`xl zr&Mba1SsAwC+m&|7(XhivJ(Ay#A&YO^-bS9ia#YIM3<&Fdv6yzIM&r4y7zLiH26eE z#lR_PxvSh46(HTdD>ws(dH+`njunvvT~ zwUU51C3W2AhTt08#5JJ%V2Z`0Es|`zzdCU!_t!Sheesv~mu+Y5&dXdlWS5mn{BhGb z!Zj`6*>X|jUGriT8GdVW;6mA>1XsPVeEQSZ)Dn3W5=9D}q`b#l@AKB4ZMm0|#x0B( z{oBbN3!BZUGLWq0p2p!^%dScBttI}y1TMD z_ENfz-9Tv3P+T;ZegCF!j{VEmRv%0ZrOFbzHhX(eRc(HMc9o4*GM~-MoZZgG>EQ3g zCBE)e(Kft~(THgj&tX^(84Eh>XfwaPr!YwnC&z=jUg`w?`saf)i`?Ub#S*{vq}p|O zHFw0u3;K;UX#SP+TWPK@f8;(n_AQ!oOIAEp%gB2BDmDfhHCIzLZb;uVk@y>P^F)7Z zCo$nR!T#BG8x1%AVf$|`w+4A1e>^de?Gx{NDX0h$!kOSk{Z{qADNB!zw<=xMI+?Lm zuB~F3cu&>FzAD<$*Usy+6f+7#KkZaZ{5x8{PW0=4kFPPbp zs^jxo{buRK8-=$zp4xq?|LmEyefL;bS^DDJhN%(#CI$n8)sQWW7CwaSEI=uoN>j?ewK$iQf_W7Ezj^4M~cjGcX z?TEKXsPNj;7wl~l(UOpz3n@{M9uwjlcX=a7yf?MEuRNmohpn`lH}{Kd&$dhPkXnkJ zgH&8t4YXwWP^TLTIH9d9dP}`qgzC2p37hji=@y%R{v=Kz63a}qFs-*wf7eVZQ;7Z( z_wQK%T7H|Q_qs}M>C(GwWa7OG@%D^Ri8_0oe%zD(Mvj57B{zw^ zY#b7`%~Q*}>1Wr0i){1j*~oJ1?6Z>GZfET`$DDe^4G14Gbh1%&WYzHHp2OxjRvtfI z)fu&7RP}7zsa|gz-9|ze=A7CNSoWK;m$#`#RstWBTIf_G{M5J`+T=98vM^*b+gAwr zY*U!jBp+n)=+UFSlJ1hxK3{CBRIJ~g^i;QT3eHLU!&q@cX$*&Jmx$cG?Dtmv=2Oj` z&*9Gxx@22Ek$dw#T}S$Hn@%b;zpBOV>6@su#bswjVD#UUww@UAh}A&v*Zow=%JZrSwjRd{KTWeY-eKBm4U| zE4AkeuD$^zx|VS~)x z`FSdPjNGcEjdHTv@SIk#V97LC0CQcGMY4a}ycm6hIC3~tcoVqbloCnY3tIxf5V6Ar z5!qJp4@6z2Ee^g<5kJm;-2h1kB~Lkqj(+vJHmxWkJ`sY9UIoz&StqZ zW8JmmjDg~2`{NrK(A_t~0>T>XkmQ9aCA&GeE#Q!8!OAbay(2ORdA3e)4}Pk ztQ{(2Tdzs3{Lpb}-EUj@NZDvVqfAZo_h*~%Cn(d7l#?Dw>d#ceJ%t#Les6MA5Y0eN zO528FY<})6$%Ah(5R=Y#HnupH;hwC^e22Na)(2KQTUv1ShK}>?z^&E0+zVWPWnOrS z>DSH^oj%R{apRM&SAOr}e(`{m^SyNSVf%;|+={P0U3ziOg+SFor=bYb}Io~roV|LiT>^#qNzpv|cT{kNY zWY+6o`Y*q?m_E+^2ibMZWGN$u;p`(9Qo7bSx_Gz|7vWMcC!kZ^qt3H&>3l7csJEjv z%>I8~Hxn{Lj@{;Ti(-?VyEh5ZFGZpi*Zh7rZs7>GJ}9(*9?S69PBsX(554E}uEeLf z=i0=EmT1yBth7ekSmPGAopu67sDbOj9-H4;9Uhk4x|m=CvHUxYZxt3TMz+KcB8AFJ z0FRWpn*@h*HLPo~l)e(po2}S84ptUPl=nJT$>O>tqZsoeu{v)ZxBvRr*_QyI% z?KghISe?k8c@m4GjV&U;A(KU?g>j*skfM)6XK=QGiQ7wqkryZ~ceuoIKFnS-{XNaZ ztY;vfg8#E~g5^}P#`gU=#2`ac8l|fkOWUDx%Q?11yfK|qqPjbt-SDg_k46e~lR~=2 z*lGk1vctrRpuBcuXB!5*AOFDUw@~Db*Zm0B1rHgwy#Da+O~;HTJK!VbDL5*r@2b{u zRHhx*DU~a!j|BV#ut|cTJo0R=mwKpNW0vj_D$BQ_nh}qAtE^)+^!oelJ0oot;`hgz zzf~FW5!PP+;=h$^qyNBM@Mzleq((8C(h)R(ixsMp$TCFb)^0gu%C~jj;_6ad?>K2f z3xZ>aZmoyHygjIm(~RhSKv_&Wy9$J+-TRoy+U`jU^q7!x`a8isu_wMdELL|5fX~hG zxDGTqUsRJYh`Z0!&%b`ys*(QL*l=iGA|8ws!k|N9dn$sP@(h zjE{o!o9WPbq4j*I^n>&8lUTFU+nj5I`yhJ;@mnGJ0!4!DWU}0qLg9AL@kgqywoWr+gL^D@w>Dci9OK|ZG|YUJ6#vOq2_?6>F|T^tZfnJ?m#D|$f=aj~`CU)xygEj&?@ff2_$VMF zBdIk?(J7h_cjiU56m$|Ff303!UPlr!fvy;6|HsIOHeLz@x(%cogO;IUzeahL=wA3I zfGDJ#)123>NG6&z-5h4{aDbu(6W4Vc~oibr4(B?In>EUZY|s>B>RK z5Tc3x4aK?_?!GRybCAR6QKbFShdZV^JvrUfJ@vYLfl7vG&Wi7>uQapHm|`rv)i~5L z*~9DgHigVMtSz?HrR1TDmIxzZb14{BUAo76gBbT6otH@RSY6~OKeDoBh-U%6N-706 z2_ev7bcde!qPE}XH-EG-(YE+e`%_Ugkm)FdV*K@oZKDqI45-F?Dd}G1*Qmts;RX?T z+ID-ER3ug#`M<>Ccj$+wQHq;H`sW;T&He>mP$2r8V{CuSi+oqS&0!;TuB>T8dBmd0sy~J#0Vf$EX{nGQqy6LpbAV zw};(?7L)%Q+t3P`Z?n?wf#F;<{89_zC(lG}EoqsEM+0 zt}TMr&%W;R-Fr+4JlECsmMouDU*iaLI8;UIW*sw{Y|i1Te&~DrU+ZCvkkIJhBGbKb zrqi~k1#ctXhdwPcDakwX>4}!vbK=cff!lJodhi(x`e^d35y+h|$!APEFKCJ7xPRY- zwTrx&G^U{Gyf^Srv~T#j|8KYG!{|F0Ps^atCQeO|XaxJet2ve;6&91$xAbh`(`hAiLdd ze#WS{{e{KLPPn^5uOfwV&E3g4^g9XbF#1+s6}}t3G$ThTW?KVE!113>#69U!iV-_V zD`dZ4)bvGw*S3akot;Dnz7deSH%|xicE(6KctDJ{Z61qV%LHsC2;jvqDvbW3(zf|$ z3S5(iAcB?r?;V5DVRWboe)4rKl_Gp%z{Fy*$D8Rp^XQ%Yco|ruZj3#rj9JD3(EI6JWW^m2HZ2#3il1XQ z->qDK4@|Fa=IFE?|#IqG~_-&Th(PdJZi$^G*|5fGrNd7$${`j zyVJtR$0y@_u>$UEcdMUX{s0u=30+}04&u@cHx+cUpCP%)*IU$x#$_@8?-z3o27tm< zHKB@3mZXM;!pD}F+Jqzi%C}g>jeNbqWkt0X{%1cY7_(qgLFbP7&&}7r0&rNDQXt>J zrn&-PBIij?-IsaN`q!3?%9R2zt!?W9LFg+b9(keu?{%qJq#0vLXFP$0tn*J-_ad31 z@9b08mBe!Ux9;xM!_5hI&I^9s@uaQe>MnEjN5|M|bV4E!3oMujCi0kiiAqV*4B9j< z?_b>sSTM*iAhgP|jDbp((y27L;g%vtV3a=$Amv`T5w;t~lBO>0>hZmfk2C{ROu*r~ zt=?%$KGGD2tfcA@%bOXo%r@z-!k32{1_ZQEA`wHWCnkFsr(NPdF=(ZScVXDJZ5INf zwZ_<@wccJ1`Xw>Cr6wv(5o)1CR1Kfva#?*vMIDnRe1@zjIyrPYhfTP3EbIV{CZZBu znSP}io0t{mcj4F`UrX>jE>`u5j0z64%d}gQLftLWJwCO~a+`b1_6`zMBX-Blnav++ z^*hN^ITOi>T~crL?6G_*Orb?rfqF%Xy&2k_9ttz&qI=<&BM}cCmjBW)D^8MMq>LbP zXNP~7d%X1z9Gb1Uss1{`6&Sh=yf=oJi^tcUcvKul-&2)wDljS zR2l&xuv(rm(hS(g^y7!6U0;Xxzhl15oDs&a7gp*Hc!gG%i+hJ}F6K%cCql^VY`P7? zMbj%LOJ)(7uNs4~QWzc_1($ThatK1Dl*$uUzGEqjTu188LdzZ#!=wokXFN-s0-PES z-uY+a6iB`HaqjR;pdPk(V=Wgec;2Yq$$nz?lMPcd{HLECw`Q1=*x*{qVHYpzbQA~J z{s%_=;e?S~3p#WC!i9|^Q^ZS{0Z`L9s=!h>a@Z9cg-+2R0+y$WjNjS}GcY2Nj_ zi(rf*D?f_;iMJZ%9$uItPF)_gb^%Qs#*HEX*Jc~W-_3LNb@3suijJi|bJLgFyVWJ%^)G8|BerDi@xG60Q&ZA! zFfW4kt>^A|>Od|CFV>k^{4thXG~~_8|EUw9hlUlwZb2s6I1Cec#JS;9YxiFIt=>eY zIldv*0#CyxY!@eyZ{4KzJl*V+#I`>Gfs=?vnoO&p0Z#idmLIF=!|dzepYC^7e?`v9 z@{*%TPgE9*ijV2(p6-*V>LfvV*0wU$Q!ZhhpdDTpM7q#BwvWaIcFH`o`0rU~9!3y4 z4o0g85KTPS8)btd3xapv{T6%dS?+D?ox#*F=QPu=#l8&aIsBYHJGscGMK_EB+&FYo z8*egTE`;N`4dg;q$D5px!Y;n$#94;@n#Zw()!jb){ zph}uZHo|a@k?}srRN;z)#QNkqJ-4vI$5Q=|AIktVW-b}3eU3AQ=*H55KVrXH*PeS~ zd2^Rc$bn4E2zztscE^)_QY%v)KktZIOI{ZehHPR~tf|~3CFkJkCs+H=B@fTA6$Ccp z-@Gg8T3_l`3mN%tmPc1ku7sMcGD4qaj2J_^08Dg`++80IQ~#J7mH8OHahPZc)-5yB zgWA6y%n5D%0<}^uz%;P4*>;O-NKZ!`rYRtngq>_=G^tbz1CvZBf4#$$a78IwlVeiy zjpj%K2q?WBG20m>*IUT+kIIg6TtEC^BC3{AT%F=(e8P6HR_KF+w~Qb%D+SWknr~!1 zqp|Lbr@fXN+woT|;peu)>E07;)k128r>r|1IS~$*w@f8$`5Xj9PuoMq^3N76_&~a& z4u@LW0{D?)dse;8N-x8|4x{|c7okY*0GX>Zfl+&z>_ql zi@D$jqYjIcgMOb2`pg!`u&jU`3O@S@lr{y<)kz?CoUHlI(17#;@yPAhVCp{x6#J`x zvZ#ZOKa*HTZnLWzEqfo^q)W4^4RCw}-u||MC4Pjs#x(NxF8qubE<|ef7)FoOLU9EI zZsrKU2C3I0b~A4g~ED%>=GZ*A{p(!@)8@%fo+g8@GudTIRqyk>nt zoN_@-DomZ)@42{YT#ete+ud`eJ+Ldvu1TT!@uG8`y!J(mbQxgc^Je;4tRzGo0a6NW zdFkJn_&u@Y?S>w6rl=mIlxu+6t598WK}7_A@Eq0S#)47~_7&(}T1B1ygT*8l#2m47 zahY*&cV7J9FmD;oBo$hDWY@2Jw|jxCOA5`q+j>8>HDcL&+%IeBajuDde{-_D3f8YV z)hUrXG3bS>hMcnh`e!f2u7Yfvy7z~EXC01Td70>CWP}(!=N<|{zQC)JjuG4ZvLE>O zY_WsR_h^j|yb(g&@z9p|;In-;M`izIDg08&5PVF12x&WQ*8^jD-(_Dbvovn3&hFOu zT^%G;)*$Nd=Gqg8iCMqUhpS%=MIRBOX zs!ERBZt$Qq`I+3#Wcbh?d2Qb4E-s&wz=$D#6q)q+ACBV``-p$_XAQ4P-?njX28a#Y z8JSBt0RJPM8i!b`COz8#byFU6FI0{XH2j|08d8K8*2TuK(3Pf*AB;;ti3Ue*sJO@8 zjVJ0gi}+GRMN29oYvXu5JuKq-16hIU@ z-)EgOdB=xpo=k{5sL+ui^O$Oes->A!zU>hQRH@#HL}9o}Y1AxpIfHb9lT`I5*^iy- zxmOhuk4RNtr>|#}&y7)zwE7=2vf>ynmjvPwZ=f6R;}$U{Fk=n~F6E&PgftP)sRafL zl-m2Ic82aBtCMWaQ={VPD{2e!-eI;^RJW=+q8$m{2FP!X(Ne8~!nXwQgYGu#u0VmW zB=30%fqtQTDyMITJvtJ2Bd)E(DR^JyAm@cQ)h{wiJ;h-Lb0rsnUxmv(U>1cqR9b7h zO+^`;iz+2`7K5^8L7efY?^Z@*;M0#&>>i=+hjLaZc^Bn4DnrEr@qVZb-9t z;HyM^vVN%@Nx~$&Z_5ud1KC zWWk8LdUfJN4`%-&=mHE-rDlqXb$M-C88mOgqnCtV#o5^&v12)$nJqD&9p z&0YdHfVM<;&6`aJ9#xas22FjI*=&cu^b;ZX5+PetdAV+9_c|}65tLufyXv3A1~ijO za=}ElBulO-)Azl*ix^FBM+nYy{k=IqqNchL=v6rK!>QcdHJw*<6hG;)j z7Hg&ZXIA;`HwTAW(*KJD{$Eh%j>wblr`86*2Xf%tv2)b&@}u`qzxZb%SHMm#CE7n? zYHynwY-; zrrT$&cv4Q|LAr+vRuPiYyfyV@HPE$lpLSFSKQJH&3nvGAYDa5aQed4Z-WqgxH^ptbJ;&MyIHKFW`tG2G!@QN zl|df&WPNS`4M+qSvqL5htn((xm~;6+$ilO2KtMFv{?9j+n|;FqR-Xy1x2qVuiPG)J z;@x-nAxX9bLSf|55ZtXZY}VCb;?q>?MQ%H?@l?%>=pj~`Z4!`_`W@Lws)N_rNc^nL zD@`W3E)ukAl-S>WLq3j3uZ{`@Oaz*gH~s1xfJzv?p)+r&G+Azrsdro;He0fnjP@~wND=4maXo@K8 z(RnG2a6}E7O5Z420kI8P!y_k}qrEgkOWL0rs%vJ}D%0NChk^L|eKVM5gk*KQ4(^Io z>U11cLmM^zjB!Sj2~V7G>1#5e_H9CL%P6&^L570^jX^()#}h?Qxl(7O$x4Y}LNisb zNx6of)G(Qa3p+sHR&x?iqm^6&wQD_Q$DpQw#$VAHwkW8vkpaJ%HA)D8VJLwxPjlMj! zrFfC(WXaY!SkF+vBMSePM2j3-s&67adCfrJ=MN(jz7LD;5ncl^$w$0w*y5t`a5hbB zQN6tq1JDNEY&2KBFnFW9W>;&PfqFU7?3y7F=-sMYMNUAi1vXKxVaQs@{~8)jup)uW z;r3m&Nj>>J$ys~ww~wAFBkC#B{&F4cA)Jzi= zL!;)}|FH8P8sd?VH~e|kYuLz-bFz=sWD7U1(E<_Y#slohpTrpH8i~iRUx^f&FOMb% zvR{{QB38xSRPV0PJ3=lJnj9}3FN-OeItK5tf4;?3^qpDXUkz$5h!vkqaKG7}h)uki zc%sSbPxH0oUHDc4Ie56&5Owt+tg_7ps$zt5h?7fC+|FJ)6h7XjdTuCm#EjR4(gxN~ z-0ReRu4P!}hjfq=5O4LXrjDY2L%QV`4u(iv%YCJjtNfV2%r2et@%?AklgDy4lj3jV zudZk5{Jr+*cmMWosJ8PrAFj%BLG~z!^RI+m7O|wiG(W?6FY0kf;{!vH;p?dG-JWvY z#&TnSH6^}&+^Gh~owlO4WPZ|5=+wULY9j9-Rg56x<aHU$u?oSpH%n8N1UTJhOVH4n5r`5YvT!SKR*Ga~bSYw|)ohMCXn-0#)|FLm+* z_UP^O|3ODfP$U?f26s&TRkex(0)%zRR-!vZN*0SjB0EM#o18hubcrew$JubJx7GaT z>N!Jy>dzQfQ;%U9EXul4NF*|0{&DPt zbt2dBr~CZ7adHpQDorWd4wcw=&_$zZb;YelfIY+792S^B! z*~iAwTkn)nf4hdQht}iE&`51;1&Vc-@(}S3TnT{~)3~|CSO=*1dySA!dl<21VB&DE zBkAX))oV)B!A++>PNck`%SLZ8aezgGQdufe#W3}M}w(-NV5jNvU`u zKY6s*N#d|}E>|}7`IJ#~*UoOJ+;=K|_r^xR_5C)Re!{52x$R8WP(oW^m2UOaC J z4qMAnvIPQ0w;z>eSY*9U2CB(^8e!XPv!$5G+58X3Gr8vIRS5t)JQFPxZ>En zs8nYBq6@XFZkt=O=J1`svp{$Skj{Xe8c$}s zF+AO>O5IX3c|OX96t+v=kG|_b%i0k$){0$ux>s@^XQ-MIJnXMqZM%l?>P7wg_{t0` zVszamOv;7qaq!rO-fdF3fQgG(7ZgZLi2vv^j=fJhW)NZo+bxDPD*PmcR?Ow{hIKQ0 zWA%m;kkGchn3(UB*vXlDIMoxqSr0WO?6swZKi@fiK0ZLf?KKu9;Ct4Nr`-^8$vHv_z>ta9ifuTg1Wm-O?-q$7={@+oo}B7^V=T01+L)m8ze~5x|7l8uxMPHyoGdn zr*BzHaYXob2w+AZe-wEz+;4q+(8i=Y-&go@w#n>)*0t5V$a(G$cODRZspdm4xJT3D z!`%=YuoKW}6;{nXA4s`1^{Ga?NEOka>Gq%GmOtha9^13>$IE!Bv1&$7d_=d>P&P*7 z{)^ECJ3jpO!~*SjcTYKm>+dl_!cH<212B<7k6-Y25#b8>^O(z#1KLkwz#K4Qk;8Ig zn6w;w#nUf*-=d|pN*8SUpj+E16=D(po66cBD?(G$$M#pKlmo%`<{mW!;Y~s ze~Egn=s|$D0VcGv#sNzDKWO2sy8DlobK}E-u`ZCaCa**N+EXc0o4y~(e9l|Smy~V@ zw+^HtPzy34X6k+{{fT!+#Ntu&GU)o~oZB@OsYLJy!ff9)ms$CHZ?Js+=&nS^IY8r? zgm%QU+HZ4(8|ZH4*37|$8#61WP1kcS!KdIo%Su>EKDR{_ddLK}6ba*!d0L{jNp&ny z6rA;wtY6MOzOJmoz`%#~(DBo$#}0VVz@OtCj3%|0_%Ux9Eg#CXXlOm%Zrc31sh$u5 z7YPlki2WY$&{hZs>EHj!J<=3l0M1!egx~(1`Y5R(=5F2<9|?F=Z?tC&rwlLDO30-K}^3Ss_g5igHdd|0+2UNsg?dF8b}sa$_o z4xindp}S1a^bK-vaz`2-z5BX&#Sh;{`8IHRkanGi0Jj4$VIS70>`ZhV zVZYuVX90x%hSu{V2qxlmDWOVL%&M?Let+g2D(=m(hvBVP10saO!u~Am@@T5;`+2Z$ zrFbv{p%clz5x2P%`t~`(I=%(y2-cQDd+dpBh{*FL7sU5EvBYA-9x}7asGg{H4NK=I zRL%qpIWh`JfpDhm4K!J9zEDiPLxi3-slX%W+kg%Zh+GAgFVcOa1Qgh}t-u@?BNJGL z5M&ZF%JF)IX4jNI3sg2u8Z9FPvLDgq$kH=n$9K zLYaGJrig@nJN(bGRL;Mist6D&a&;%N_+PU5x-P#)UPHZp@Ai`2yF8h#S^NHG`>#%h z>h?jhmyEZ*7u&p^4zlgGr%~oG;>SC<0(XR^^NFH3bri}Wp}{X&Lei#M;%e>4s%(vx z)gZ31q#?<1!n|{pqV(qhp;V+^H}wRX_V=e zqzDCUloLR&_obqB2uRxX(MoKSLd1y5c?KOHb3 zb$)G&YI5SSH8ec9>1b)uf%_nQmkJ73pXfnra>PE zR+3HF8GUfZGeAz+3rs<@C)0v=@Z_jAZvDald6w*fnAM0WS4v=R<*`J>g#mv@o!*k33%n|tJG`!-C@H8}dXCZ%QA=9T$iY1Ed z&+GpX|0oQXfpK(8=1HL3{@BFShKRgm=Fa(Utk+cXu|&Ri1c<4BB--a1D!Qd^9m-;C zL1aPhxn$f?rZOM&Ch=7ULM5V8izp}!jSv^xfCzr0BuLF6{&yxrqi_~Tll^Zo9drbT zrRuCmT`dz-!9PMy43$P(yp_p=duZpnQ+tzId_mr%+}~-n@|8} zh>FUu#fRralzgX^%SOlq`y8e)m4ia#4CQ_(1u8vS28Z^3A z*LVDG6gZg=X_&gTN6|}1U&@o&=v~zFqW%O{vID|$jGr_GoU@LnlxcD&-uD5_rGId` zd`iMFgXBmSp(iqTz4P;P%e}Ka^<1fd-PI89MH>@?IgaC)YMuV$sKku2j&G7Or&aOS zW~8>_?R;{&ZK5KD24&Sb3kbM&bhs(iy012da52I{4*6r+e$|Ws4&3d3gFw(M4)G!v zlV$m-`W??LEBie_>8qEBV7}ACSep$VBG5F_tX6sh!hhp))SlS=&ZEWoX`BCYnf8r^iRQg1k)AF)|g|8b^ zipmVx-zla%TVqVRKiAg%OBhK(kf~NuR~^R}kHKf8O(&qdC1?{cl^1JrfO(d`B`kSw zFl3eMDSlh#o?-zCpWgBSsX}jsHpwKk}a}swkPo*-?O_Cbd zZRWD?E=}|O-l6^3FK*9m7~P+&P3mutuE!fQ)wrpADhB3WF!Z$PwA@NKaPbWz$CC3k z`TF)??V3lS_6#4-Z3VsF?-faLlI^uX^n5YF6sw{KjNKxwEFy}LI#70I@+l~Xo%o*& z)U*ap`!{|(Hb$)f@-OnPTAU9d#R0;Dt|xxoUC6`z;h!$1`5_MM*|cSZ{T9>hu2rtd zJ`l77+SE&!{G5b!q}%^=pr$3oNlNnAbn=wXsM$XLLNpZzDE{TeqHBcGrFZ|Avg-Kax)aNXc4V8pD9c}YDjZ>5NaQ6V{V=7#gH}2(Y8aOkXCXjaH?Y_@Lf#_~gld@U? zw^`khv2<~RS-pM9t;U*P74p&tIMPM`0$RWE=nOBxWc ziNS=t1txG|`vqKY{)gB2GO{&%aAfS~&hp=L?zQN8G#)4YwzOosc6N6V@18FJk@UV+ zi2a4hi;)t1zt>xJySn$le5DAOI?#tdJ`kH6&Q=v@4!Tv6)INEA;;f6RVnG-i{vqgQK2y z&EKroN;2B4LLW&*jNgS`zaLpoKbee_kS+N0L7Q&Q?>ZdAEK|R=B5o-}h*3FTEk!dk zxI^6Qucs-6@9lnx&Bouo0KJX;Qu&bheqxm_(LUPP#$QDkt0vUTA+ydYrOK2MBAD^t zSj9$IbGqXi8U)Ce3N0g3Sse)#%p@X9B#GtO<;50-j6|U=v2N8-L&B8B>23&RH`}2^ z_Z{AGzCz|#1HI0rk>?}EqP<2^BXJQ8Ls0zZijaElwS#|gGGerSFJBv@u|c8jG-{`; z?K;cKh#6)*m4Auh7wzxRX}oRqmMt~v5q?*P@Zv8iwi&ijN^Fu-4`D)5g?6G(&)<&# zc?HCJ6LZ=*>aUD4@@7)qyV|$^M487R(u?o4-GWkMkM|yQtFrDpbg0U3QgaSmux6ck z9HzqS-rqh=;S6CZ#rJo}<7N}Ycq?;$gOMAQ+L{h51FbceAEF79%%%>1g!-_9A8CatPC4{IhA_W?aZ zGu*Isf&DKZJ%>sG0HFyKO;|5HhUVubKWcwOrcdG0TH#ki;jJuK*OJ0nq0MTDFZ}}H zY;<`%JI9@u3?*Sl3(h{LtI%58k>-T^cf2-(uhIn^pyMt_E&kuQBm?_0C0W?xV@ubj#nti^7;p3*4PVRu59E~@!XPR62iJZ7u) zdy8Mrvo-5ieAJhCZ^DOU-9up0n6uB7ao?dXQ*0V(HQDV;p(hwM)&ntr`&ub{++*(6 zLkYKbbHRQK;U=ynDAP{Pwo!g^8Clto`@UhGqC72 zb<54)7dAa|l>f51joJq=&>64zM}MS3nRyMD#QF*zA<%qS&)^~v-O^I59(s0TYhc3Z zG&|8vdORTO20V($S{qJgudvM&a^T=@zxW|>zWidokv7mT9(**ZH008>%J`GMMtJM^ z6CrS=b>Ct~!m4)0l^#)3x?_2-N3Hp-@NBrmd*LCy#r0k(Pau;J-dxicBu~EOsZZZr zS2OtwyvK6U_2u#GWIbB;OVjtC;$t7q{$l)0x;oq4Cd--q;pTj|5X`f4;yX--C+y13 zvxb6Wwy&caJ`L$;A`_QA=Ujd?aoVTfbig2icPC7C*{eDoLm98ks;S9s0^pMat(VGo z-Z!%JUxZgYGHpI1l*F+;Hjv=>7#eZ=_=ouiR~m`lRblu?Yb_h#w%{D5IlZ7Ik5Km# zo_F7Hvd4|(B>#(d?{X3L7Y} z#n4F8`NSzn%*&CgO=PrJJgI4of^jYIT0W{y8J&Kb{t~YkHyb!o;Jz}D8^~e~5;S=O z8|k`-{+ynVt>^B#&A8b2@^0^JL`XkeNc$dN3d1o&dkdAWN!EwfD3pw)nur3o{;+zz zNZ)LJ92dFN-SE2ooW$R~w2T5zNt56Jb^hqHA76LXfDhutJS7~^B^?S_%of3qEJ+3VO&3|%gy>%a8kSBSNmt@&S9^1wKB|US zxycer(DbuUkvPo`&0Wvx7Jq<}r{!~u#fdyxeZq0)a06~W!++m-e!PO&TWmdY}sJ;vzP0=(nuHHPS;eq!Lgxu zDoWjCe(|IC+vOH7M0C13eLw1^5wQMtj{-2IZ;n_AN41jY^vcGuAa9s2s7Q(jyA_<^ zh#3kzhFu?wL!YVr%dHJL>aP#=oh&Q9&X@iyk42MM`B>dblZ$ow2_6vFbK_fb0ZOBd6b#}0u{9_!38Ew=2s3G&s{h1Yl=Gg4zY%b!z38>>(y zHHg`8K57Jlc7$A>ZO=JQVK4nP+oLSLRIi`4a!P%`!))^plkip3uQb-VLXAilnJ||) z`JpmJFEr}=Rw|MYj~GnHkrDjguoANb*|$r`P7>}pK zwN|2Bf)D7DlVa>l%KKwKDpd!$l1SXVrvZE~oBXDjV(_MKe4bJL89Ulg66h2s==Tu- zF-}+yzgmW&pHedyC*Jw8;@%?3454fB|JAJRSht-YJr&)yyz=qU_|sbs0xBqU{k%z~ zQnY-r?M7zG(X}DpKxGM^5VQ!oKy#v#tZ9rh8GF1b$2@C+;&`jiA^rLz`v8|`Zq#aQ zg|aKj1}4SfU*;ZAIO%*|88$XH%GV?@sa-i>+Nk~Eo+oZWlW^}&xaekLbV!E2O zfYSgY>Z(UR$LUXQ{AfooH61>BKCA{|STXLT6;yR?gSoCSmfHT@K{UM>PYs2CL89S% z)fzOtV!hg$;JEl1=^ct;20Gq!7wdmJ?Emg%&E!!*zyO8l;jap7$pPtG?47J%^}K8U zUVVnqVgIYNZY3w#%EXaK#`<3Yyso`)ncwVDXxkSpKs|iDP3LpieBE{kL$4<8jA@F9 zj$eAU@VMS0 z7uUw6HN|?K#BSf5fyXi$JRT*(2;j>%5xh^%`}F3}M;iG>{@mIkFl@X<*PjX{F{Ed88t(&0_tsR<1Dhick{Iu zEl%d)|LzA_f+2TfFof0o!Vn&(zanO)${)y`sdBn9gq>JY&F&418pL!?sDb92FX67= zH;*2fLU7x^#mIB~kJ`OoZw1#$-Tz>z6^ARX!yWi6WWWLV8C@1q`0yNs#=F^}?L5N% z2obUMjgL5J?DBx$OLuUOQ{p)e(3A;n*yNzu&wC_&lQA4QVsVa$u5IqMf3cX@bTng`O4+4QgKfGmdKyvg`*3$M@0)Q7g{IQ%C({eEa4u`%pt zm=PX{P|$tVq%*agi3Gdz0oQZ4Hn)o^5kw0 zC8Fz^)MJM1I)@rSiEez6CF&^+w{;{$9Agq8MFB{C^N|vX3PN=D(E#1=6*DTF$%!7w zEgb~A|7$+dY$#`sI9ed3>mCtT*ksQ1_kCR^xAslWS8Gs0qD%hpX1SVs>s8apQxJw; za4gc{2K#a@v1GW9KV=8r};8OlkiegZ%h0#(O|pj&zhnF zbgMhiM-|CN;SLybD5A`od=eXiSLi+mE9%oK;mPZE@l?tir&hW#C{v^nUC&?Q0Q9Py zO0ui5ppH&lcqF$nWF5clkr-8R+R(zf+C6eB&3FLYQ--cxFI=yFD!3c`SUv7<2gTZO z0`l2@30IGI)Fe9+WaI~)tkPWPD%tcczjq`b(ndqJnq}Hue}=V9F`H~Q3CA-{3LkOq zXx~?%S3}rxM(lPxcascnrV^(*nbI)M?I!dur~fwZciYBoGy9u?a`*D|>yGWbRHJ-h zuky;^WzV7u!#O#`?9Ye(?jSxN0!a+3e;nqrV!b3*4T_v9`8oIlU6&#fK2|^3?zJBM zuUi#s{t)kdhow77CwAf&tJPtwt~~~J=$6Te199CtE>qOgczP1rOb11a_{{pj7d>~- zR?Z!ey~Xh6)0PWn@;@F@fA6QN-7_TIg;II6a@9N52V1UM4{dIKTWXoViv#@W&_GwS zo5VBjkyUfWg;ns_F>#aNfK4+~64`hz3ci)`d@hLio9r~(6Bq5FMpy4LWlS5ehavdI z5UW5W&~O!V>9=0FA(0upT(xL8x$v>dXK(`2^$8+$kv2zVW@!&^dAW+1?FovpHnDZK zRkEH?q75*SLOH*Sx_)5X&7J}vWCvU(X081j(Y;L8H1VwHrp{E`8yVED)b5D|Au!_5 zi#_x#YOdyqwAuRXO8e*@ml*xtCZ&^<&%V2!N<Ylz*#4B8w%%k4ku z#BJAu=PP11@of(ec^Q~j1Nv&=**+@~WK!6F>8Lqy33hWc1o@YR5VY42=|{Y!F3ltk zXFdP!hr3~3C7S)>cM}pg+`y^gF`3pUzISTo!0ui+CLxe+n1_6w_oV4@BDC%Alhdyj z*tEMALAZp#EQsR=9AE}fcCltIL%~LT437O+reHi%D@`%&ZQ7XVV<#@Hhncq*@ygA; zL5m!A%T76ap&6=m*q6EemVoXodNf0js@bnrGj$vq2=UGsKwdS9;~WTGFKb^Lr-Y6# zyd0*EIpm>QMWW+9%y*|vnw54b{s;TJznPDxfe$TDagvr#^mm<-=*~w(fcJNb1p6`4 zJLEu~WgXi^hv6g#c%iWRoUFgk$-4m>|ESM@?gK(;6MW}SfKI!QU)z25S5ZJ0r=lOp zZ^`De!lN=nhYjn_p8KLL8b0TLbBJC|>6WYczhM~*Q4grY)2O5QfC)DCAF5xD|2~u` zC(A^)?RNcscz%ffL2&q(0D5RS+I&$&v6F@laSwwd0vXaBM>~;cN@Gk&YY(Y81#830 z0}2n~{>5UTVz!9yk9Kt4P^>a}3!S@?*Cdf73AOiW$26uTQ>cf1!T{ z-J+me=S(BhUJb+W4JY21LOj4o2jaXM5c*05Ox#fT@1Kf(Z5Fd1(Jm4@p*D80 z1`ZKR?zTqfB+r;gPbx&9>6gpQnx9Q&f&Ob|29(D$#P{?Dhqz^X zmKn1LGPzm`o43serBWoxU%m2!fB79^j@>`!-%ia;b@oEdUqEq$Wbe=oy2cF&it{fA zf&dqjOf*fa>?)Y;tzL)2wyCDYR%)Y|If9NaylpC;=wtC#aW%f>6oDcM_ znc~I?yYl;{^&G2!wv}{sNd&?a8Tz=lsrjfA;)mXXk8Z+qv&Y zUDxBfPS3B1?=BHD7=IoV;I!}9Jh=P>ek!TH^W6dkId_;mz6HPWI#tm>u0!lthb098 z?l(Q_!2y^;_5I$hSK5n|ZyIDbKIgdA&Jke8f@a@y-pP>m4G^92N~kpT*8QCS^k)Bi zXyK#0z8~b6M;qtc=A0%O-}j<_8wWni-p?F-3EfRWiw3XNW3`8Wal+679n#a_%B&_k zjGB&7T9mi?2d)x91)AI=m zXFez5oZ(6hOOkAP$|L8FEK8F`AD%6Rv9!1lf`CZKEBP{0GnQbGLzK?BuUGp5Mq9F~ zs`b~RO2#Ma(4S$1rHLCS3ZCZ=nh#n!#6AZJKKFe-pKf^IsQyO``2!mHRam&MRb#Z( z139;`D&a*&PNlKhj5s4Gq|Prl96LlA~<0z4OZi-iGN4 zwZAwc1J_N5BTe-TuoZy-XGOx;0xLm^A5p!r1&R{tdXua4x(;?ZzgNeK7&IfVKaHRe zyw)rHqU?v#5mUQUGP{U>q5rL9)w%Mk;gQs*S>Z;KKTlpgdaKpC_%d2-nDQOP`;_#< z;2X;?61HDGc(g6JI?!_XUTv21mfh|8)c0eblkchfXlk5ZzfZHvaLGcDS^#_HbEI*R zO)gmHXyJv~x5)pE>OP1mrRVd5&b_dui=)LeV6Tk0Ou(uXkG`ko^Ijcl=%%L)i4G7h zxM>8{FAuE_!#G;jh8J^eVa%$+m3QdYsyHORh=~+`cX^MWCkRGmO*) zKT=Nao6ThYGySWL`~|g^2ozVWd?6mwhu^E*KN!Ow7eq>&rfs=B|u^9Nn=0_n6EBTqu%XsS83 z_1dN9FFCD_b6pMmwn>HMe7Usnr@03jd?#Z?KhVE_3_f*&KbN}n@Vxf7MeS_$`EN0L zifsF=+2}x-YtjXwSXwnhrHJg_q-=0k>sL^`YS4jN$a$^EZ7Id&M!HZ{D7w&vyzP3g zT5*X_yl8t$AhgEo=ZlX^Hn?X&p`$>@J z?c_H8Q25$*A_=TTp3WAehjf$Ff-MIeR-bpifoC$iFS8eK@3QX8u3S*hKP>?N7NAQY zi#*$*5QEAQVfW>qtsch9y)0e*@q?Z`{`%$|e6Y3nMy7dU&}6iYMhk73c*k6#pDH={ z2pWLrOy?dm#NW39uGvbSrY1`1yQBYnY~0Y?;~sx-yP(loIZn-e!Bydfp6rO9 zc2Coxtldwc2cy|!NU2aRk~@9$BXa8#%SIj{ocCZqJ9)Z3I;6NP@VMz7zs`kg5z$>-9ZzCHs{}{R)?r?Y$xf zW-m?aH|ofLov1}-CWk1f2+s!{e>HdO3EM9cx(aWFKPX%eF4l=IzR4w2U`_0@@luPgN*3w28zZayn9;j*i49CLA$Tg~*St)a z7IM|LZa}S8$+YV(CB|@z;2ZslaMDU4)^8P^%6!rAj7^uR%3VF-Kpxy(u}CiYcFSw^ zMIa|+ro-6xBc@2x4lyodtvN<=++#%B>SfPkd&jI8D(;Z9V+*&RStbIA?*hR)wp{N9 zUjr5KU!M4{yLlGsE``F6BL6*p7izQ@&cVdgxCZ)!-NN5iz ziIErT3qAU?}s6j=~PQ$H* z)NQ9bExrP}m_$3jrP`UfJ7=ec^JG@{W`$Vp&6JC9{ZgKput>A>6McoY=egtT>bj~a zXRWUIqE`?7G{%^Gg>yZ4^UbfNU`4)Hsc20KtoDtQ+n;9>km3|Rb(m@wze1a{R>_nx zANz1r{)OC2Wn*m<3!nE_$&$`mB*rs9+~-ASd`O5YFOq$OGA+j2GwLjx5qx$I#_p6b zreNr+30o4URB+{P0I9inH!AN&oZmupmR%VALbL)lDhOfwD9xLkNn(8Yw~V_@XYA5W z`L}MqO?4-hn(_)@yjqNpj~(!VgbuH`?2w_Zg7DC!Rx+lRu?a6Eid5s5_ju5uosr{+ zYnY`N$|X#-kYWg4`9yG(dI>3n*;lj*nW@O!4?+J&4w*hW*SvdI4NO!$*e+UU5jnQ4 z>@@keb#y55!A;=F-TVdoS-gNqcR$H}ID|w`6h4fmpif21e(QHvrKFm1uciL;i;0Jc^k_%+?B1qmFcme=Z1vi!KDD9L(($_R@VO}FT;tr6ATJnP zlkV#(Zvc`e`i~qUlnv6}p?k&-Jf$c~aq5+e$Q`yDdn8Vc9!(TueWA&?)h z*dbh9SNtk|Q`&)#B_>bp-+kExIHsD#RL|bm#eu_#JMO1ITQE_l_%(5B&G-vx_0=Cz zFn(<#SF44XwQ~x6U7~-eV`mFOO@lD=9}Dj?7@=w`B(B>NeU|xT1Fs!`s4;ZzT3P2r z`@F4=23pXHO|i|0S|s6SV*F~(yBPVk_>ewzwwrp|;rsln7w=xc^iI1z-v<^*7hmHQ zjp*m-efddX@RNb%k%>W9aKB37SB||@)Q2<{wz_BBbFBFa@6B5?`mm)jF46Pd;T3to zjrONS$({qu8(GRm7j;+Uqf3wcm_dIvJ>Tx%9Pc;W`q-zIFSzv}GnubnMl&#nA&1jW zX@2c*rrjJTz~tYn)>Ws)+?l_|xqdXieCZ-AO~IB=b5DP+X6gYHreG1?n$b{ImH%M z13JHH26iJ4pEvf3k>3p}37plaH6YWXS}XyRG$e}-BR4QFMZJn~1%nWb>ozB&8YV{8 z>O(e~U=OI(Bhy&iOPGl>d&xV$ooNL5U#B3nQ?()%bc98srAkpsX5BZB17;I`Jva z{%=(CwJsu=?Fr@HvMpzgPHdd_cC}`&jLP20 zBD+qQ&XmYDKm6=! zHoa1kxj*$N?@YeOv8#c<# z*K3<2IN$SE9rdyAZtCT4-%I7xpYCG_hTG&cHjELk+K0OrI`k@gtDcKaBj^z|1+j;5 zP@zL<^Vij+Q%`%gk140@r+yK+R(H2stBD)e>>X1a975atyrY}VAA zaG%xVT>YY589V25Z=hu_MQ0kSkMKDme`Fzok`6!QI+P0?C+88Z`Yf?80Nq_7!CFbP zW#J(m`wiV-v6j(L3W2^4-2}Q!%@QQw`uTZUy2bXbA+|&`kVlM4-|4D1pHZ~5%u^(1 zAcr53`t7z@?xr*FV!8EMAe}Bj$`~J7h%9Nz#3n+% zsqZ%35g?I#rnxP4!Xv5|i?d1G z{8-Z0_%A~+qp$Z09^q}!1a5Huz>cZwZ2#Uv7RZ`eFxnv23lwOLDvJzF0XrdO(B%L{ zxopQ+c^af6qZL(5LpUw$Gx3a?<|}__zf^v_7_u#z9pheTy*_Xtj_(?5<~-5PR8o{` zCxOO&om5d7H`-bNV0`IfID&tyaT^DKa_%oQrz6M>BCjX8h%0c*U(}wATy*=}DX0a~ z$7Ofex%JfO=Cf4aIa@BU`OA!$ygq`SqXRofO^tmbE&g?+Roj%>_m?(1$mdvZYj>q1 zw^sp(dt%Y8!Fko;JZunO3s%~z!9>SR1Ay@ z>wK~oNi99OKC0%M@!dcm(Tlav+2R+|(F^GMq>$y^j|PHiyMHoTdSg7j(y=eMX4`{* z3Rj5*n52Gd`R%3m_qpxoV%xcr%08v}>LKf~ksi85|C#a{E$Hmfu9;ky!-wo?VzK;J z4q}|4ohA3P;1V(O=y!O$E?RE$LpOtEuw@v~?zTN~_-%PSyTcpmise{3`8s=2uvYo< zO-;px&G!N$L-AHmzF5-Tya;W*9&n_#Yn~PH?=(G*Gx^%}uZj`mavA>sw?@7b%OX*c zQ>@m{0vog~{@xAei;r9i=mx(eYsXBTsMNaVj{1>mEh~84T>=I?nek`6vN51PKo9$l zp>^HNmz+`1-wcxEXgFPIjVLXN%iPR5<7n6~S8G+y5Y$a1N3NRyhgp3;%~7ZMXpP02 z*4>bU26;29Jf}5a2;5b8c1T2Z|LhyicB_c_QR7vp3_&IG<~?@?(4&%Z^E9 z?B*Vv;+i7vggzBSGW+na{Cqq3pHE(PYISdpi0~n z%GvdLNS!J52gJDfUoksMLzrNZ@|+9{sp_W6$N zAO*~2=0HpSti>-G?aCoBvCbmg(2T2+F`Ih9!TBA7%-xUn_)YB-A4eXpC=fB!q3 zKqtc;Rh+tC-&Yw`j8#=?N_}GFBt3K&oIhO?T#*n8Pd6kEc5|gJQGGhCiI`vZYM+~b zRc@-e4X~8btRtP)*B)7O^(92$8?Klc0~d;b!6a%=&9INdJ*P%=Gm`^U>^UrlQp9GS z#l-i16#@%xAI& zLcG?^ZTxdZ=13UHN2Ldswk-1K`dgn{SJcc&ryb@GKfQlI#LO`LwW$N}r8nQXuovqO zt?nX7op$)N`4Y3MI;Q;b{}_VhEA@gVPG@HA7O}`XwUd}l1bUWDN5JIC=%)2s2pkaF zd8nSMv1Bp=nuL5_wMQHn*o48b;^ zQpD>2Miwr`eruB*QKN%$PBO0jIske&y0o=hQY`5Jz^|YSp>CNtLtZr&yI`WSS2krZ zba84FFcGvMZAU3({ZE27-K9_rw?P@qB20m9r1Sz;Zqj$|1+?$+$-K=WWWEDWEs#W! z+0R!1-9MkD*Q_qMEQgYCPRn-mEfpBt=G@k4!(9EA`1C2*ce%iVy`^-J09fzlE7>KS zH94_jnl?7=N_f3mxWVFwcdq24UNe)PzK(ZgamO+1Sef2Q_3LFNHggX+P4Ji(crj1Mo+p{Q4=)0W?ti_DA!}b0SHr=KQ_-H@~@cF1MXotP0 z6`A>Lf^8-~WR?B+kJ{;gMqP+{LW$iY&q5ih9pn7h_5n8wJ?nkR7% zav&?|OXg47AE3hvf*mGW0JA%!JBv@CTRrf9K+( z67D5w0B`ea`0j!ng^p>!v}MPEY6c=ir=i|;cHoYu=H4$OxR0ts%EDg3{Yj~0*u5eH zSirdykhwmY0$REzf+#*quF+X4vnjijU*;CG$OUE%m7SOJP*%n3Nl5&e}{KMs%mDL09)CfFgIX_L} zO_P}iV!jB>@M!nu=Yb7&DX?Z$UWy8QPPFbPem2GXg=Xs_At3BH+@Vj@tr~cEpk@zc$)I8m$s=6DK?AC~w6D zhj>1}r&aj=*3H?3S~aL+xBtcWQxGn&iTg0}197wCou{G3sWW}27SyCB60H&82@ZcN zL7NDZ<+EN`0&+$q5*o(mtDFMQJ~8=E)3II)Uj18QLEBe%{Bn7kF`FqBh^t+(fExK;KEF&lBV z=ri3N@t9hd9J^ErhQLr{LXvr?I z%Jkyvv81>socr~8?66?NOuuxBm^CG)PQ%*yd^d zk1_1Dv2^xJzPhFLn9MSQ8gqAJ25e8$?Az!xZUEfl+uo23{!U8Q7U(7`*1u9*juZ(_ zLIW$Ut3m3cKtxD4LvZ+&vIhRZ*(GN3E=B~mby-#_u+`amY#y>{6eu_ zl>t#_bGTJr-bV6`-CR;1^+&))?Gr2CP`_MT^TfBZicMDLR~pT&`)O7uf%@K7JlMY8d$w$1pf*CHkD6x?+s|~Qg>`c@*!)Wq!!@g0 zxZ%Kooraa}v}#w7T@QUcP7{j-Q)wfhRZ` z_?}%u!UQNXKvJ2H_MLoYW`oMX!K*8|1=w&#ahs35mRPVyku&bb>B5VV1Cw``trDE z_5q))FS7WhoxJI%`-kVqEV{A#SqYV{1@~DZ-ruTXPQ`GUe!B`Naqt(c_I$w!l1V{j z4}3D<+xrDO=id4mnshg0)e@L>weE)QcX8aGUVMg=WoNjjeekM9cFr$9aVerzam9HZ zjagP_Vp-ilw#tX_KZhS<5^fk72)29`q3aj82$l&Rr}^xd+wuxGU{at{TCpw2K4qBy zx#jN-gh(p(&htF+a{fPz8QBq2nZf`1%hdwLAS!oWr}%m%Q@}*brYY3CPUpURw%d-^ zrht}S%aW3O+V7uo3WdHK<~Vu+0b>Tf#`;+*fBAZNeb2hAiA*z}ORH^Mh_z3t70L`q zDQ}s)V$qRWxi!bG1F4g=_NHK;)Nh@P3zc+kQ`@^=AG!K0NKNK^cF?hq9()*ER)b%O zFWO&d?L#0BPszPPz;uCIp1|_>eBh47c~Y2#lfEeD*xhn*u#2hN#rxWShH?RKNeYKCO5uR;mRGjHjogjy~E{YFRX0*Ln#n0=^8;NlZi%Q@l)VRO0{`i+Te zuHWQ`Fb=Q?&e!KjL~3FUXO|DQ8Eaxa5Xp>HTs-A4XJ(I|sw-2f58dD3*Q)*)>$# z1Cy zWou+k@-HH**pLyVx=V9Y+ghf9<<^%wGeHdMF$A zzm%GIFE*C%voAf%0j*LeR*Qg;I)J&M+M;#s9C(C;Mn~*Pu07?`^jqiy#t z8i;2bYGjXu0pk**()^9?eiOm{B`xX8eXijx{;y?_cgF8zgEVpdMTQQ%69rSLQ(J{W z5CS%#r@UA~@~Em6UHe?Jqs|ID$hJR8*rHRagiFIE4o`LF0Jpy7VX8$6YdP)0pG{CW zbWgRdX!Finy5UDc&etf()GORMdDW()QPLLTV^s*WdzF6IU>FBpw&Nr>f8d{VN^2w{ z63YB$k^rY(X`m9I!gw80z=q25`WP1IU6af^TL~kr1Y&&;7J*yLnOL^2DTn+g5A%Y z2~l{nlq{b>tvy+(FjQmOxg=jr7}ZieeRuf?5!zU|M#{8&=7KIjg|72^TK9Z{^nvTZkOw>*eb4viaqi zdC;@h|APhmhYNK2ojz1hmD2q|1v<8+-b6iB8&y{0bV5q<;hlP{Yp4o%S|Vf8qt`@tsp8Nb8Fq?})%y%f6Ur_A;7nl_WE-J{6I2`j}IqF`B+wI7-SsDh`=4hdKDR72n_J7YnN^mANR5!CtM6XpF%=KmJo{SH`$;b)Efzp+=() z_DOYsZt)=1Pn}Fxr`5jkD677wzl`T$$(ZODQ(t$n6ods^WI4Gc-S=&% z4i&wVqGHKmUm6i0b2y+eSQ~MZKVe3b=6F&{HN!ZfSQx_MXJ>d+mM%@<-IEzYt7aB1 zV3w#-8{niGSUxfv`bnxr`kSA_Mm*Ez-;8%1FIE_JY1(5uC|E`qV(#TEh|OxSgFi$d zIyJG-L)qFk59$vyqAmmj!ZR(^6;4!zqpT-1THV8a)a2z8K#%1pW*|NwZFkEp*=5WU z$X8!7)X)J`7^(sXj>wcQw*Wy7`7FB*`p6DlScP2+eTkg z@{ySKp1 knfr@W4A1FZ^SkQ-=vA2cQagg7n#uBM||JjPpiXe@coCPtU-XFfYq-nSaTGI%Xt#M9~gmb|`O`GKAMNg7WCRlNPjRN6Q67e-VV0||b z;6$qii7_Bg*(+7ZHx~WfOO6Km&K~6w67<_>lRk)vnD&@6H^qQkpRRw`UeqF1?=chB zyqH1_QqKliRL5g_DnSTHNIlu4&x35_V-NYPlWK>OftindQSMPd&2|w9=q)6pf$@+A zpmofk#h-b^cbgU8wqJ7zp*HV29(l2SkKD7iBk%lGjXSI^h-@Jlz7u5D>C<>K@JRIt zee84p=C2n7gWukJim`SWy&R=3W{vd+xbt+)Y1V-IG`TIm(D?X>ji8dR>()3XZkfq~ zNUSmr02#_x3rVC~9oCBax(OKkQ5R4{6dFAJ|}~gEWzo7bCsK81H&U|ati%!g@sk)F{P zAi|G_`A83_Fm^knIE44#%rn;W65Mi8c77L`xHpu4!PCC6AeS>6u zf;V3zc&Dick{hr7vsR1OWEK93Wp#Q%v1XFjyzdR%VOq;Yb7(Wk!-9YoMtG#Dqul5} z3!i`kD5$Ogj@7^~N3pz+dfEDi{nZ`BzN+&H`-j)gmM07}mK6Sykr#CIk^;3D(#5t* zo^M+WiP8)>UrV$O-aJ_Y~ET=LG&MBwmi>$sW&BQ|I zy7VxqSbx&G6S#>@VUhoW-(H*PZ z6V}+AQgHU?Ii{IkF@94hx8qQtGHGyB&xg?bcX6laC5#MrXq9qwyo8AhG7Bd0J|c+U z$dPI+xso6?Ei7VOpy~G3LQkYXZTz|Ika;#0O73WeCZi~l>U8_(n1MQ<@B5PdKiIC% zgRF)Tx=&1Oa~U#3I-+s+;4L-7eODOt`JoovBL>df1iYJJpbp>-5RJvZP73+}Y{Jp)JlB<$Fm z>>o=v+UHAE*|!C3S-09N)MHh>lcSn1+a>M|hf2tjqy+~E+PBLyrx3^Dbvi3<8jw>y z1&0JCuyffkZ`;Xf%ycHhbOQyo<%HKXzJId{$M^4#Ci`Uf-jPrgr{sKcEB3sD- ztY!VFs*=RpZ=G;^DV@98Z5Q6WN6Q%F*cm^@k zY9;!{#v?e+_`w_3`(_2ks@K9hpCInGd^ZSHP3vAsTQmJSgY zb6j;4%EbD6rgKxTaP>!ub+y|vu%%?8BN!{dOX!MPV32JlEy}@L#v(7l*%Q?bEh%4` zh6e^{v44f3v+t#VCo=jiFkWqq`sKiQFNiPH-c{jISQ9Nuhee2jMK5D*H&DQabI$GK zlFqg9!F_M$!p7a3bUU=Ra(i*=v5;&0CcRxVm3Fl+ehjYCox=#JH-zCQkE*Zj|EPW0 zJm9IxyDJdME9dUe(X}hIuw?b0SxPH;s0->#=6+O}wS&Jnt`Inohc1Seqvk+{=y=cV zXJ^B;qdJ)6)#SCCP)|G8AUx!qsq^8n%HBdWB&d4H@rg{Jsto{4oG^uuT{UlBcwBzf z#i8>3K}Rp$e?IU$Xn)dty2SFXg8N!9A>eC#4@iLOvUz-AfFZ2QP(%P+;f?6)j8|L= zWh94)c$Pu?*~wCqTA3l6JRrC|?cLXEaRVcPnBCx-#Z#Y2ohWq6UWJD>sIi#fu$7OI z2K)0Wc;=k$`q!eG*06zB%p}zI71j6i{uP=3&I?3Xf?xLspEUhQCz+6rpWm?s zYj9LEuZ=Fwk*6dFBg)kxkOU^gn9QtK{je&c*rL&E@^|&KJ^*J0T5N@FnH^Cg$)G_v zkqz5J1?_(l5r7&3FDkUBgK?HJr%IPiROnZ!q!b>7$3`=y)4%k2v-4%$B%{&5MzZ(Y zN*X24EA}RdijZU1W;2d6UkTa&Ot)=3(?jnbR!pLRj+$Ov-cmB^L|KtevOPff_g7a6Vs-ax2!VmY z963+hdA%-MBT^~omPorRX(?F3-?RtjAUE_Y7qyXG8|j~l2V(-|dvbOc7@fRFFNkmwhM+WJwo z9;FVVKu$UGon`VHA$kW&;Hb;Nz2;Ep=u4%DI-iFtO1 zoP^0V3d-QdHj-4iggcP@gUo4Npq>Bo z>;~$noHaw=A{7O`$Ru`YU+N1y{XfT|U7+*jM}LzMET0_d>_gE<(}|@B+-1<(ry}y^ z@4R)Hj5F6T@byE{Och3kq&hS?75@iVh32JjDa*Kz6d;a6XN+QIBbmgXr;L!>9{BNh zC9Wv=8)<`tO>XF8hvu98=Arir67O$>7-i}3^Cg2{-Td%HQgvPUsX<^bT;_QEzS@M6 zp~gI0D#W=EfOaoDnN595m5;brT(6f9Lj4OVob}oqC0xCK!?3mDxn8#2HxCxMhK7gy zwG%m8LNL+l46H7y&au1JQ7yqqRQZ>m?mqpur2TrnL3o$PpL(whk^Z}b1L+2C$7Dm- zlimPh-mWa_oj-$DOy;sRR{KT5^jr!<#$D`TWpo=EZW&K;nIVi;lcSDASO|74Q6=yN z!VDr!d^Nv2*^A?lOQ{qN9xyznEy2VlXZzo_iIFh70zNHXlzRhH2S&V`s??d0RIiD| zd0Bgv96+-I<~<`Ot5ZApTxcKFI0QfY(^0o^b+tUs$a?-t9Le_zchgz#w`$a7iO8HR zTFU0vsRzWi8T8h{-`cxAr2@u0pTcrz2lUnuje-i`;g_Wb1uh>>dst#}w807saT*%` zezlu75ABMmifOg{qD4xijvhZx7!s$rv=5Pq)B@Ut)uRz)-o_2P=~(7GrMsXuqmy(il#E{ZWBa}0fAF}~aX^T%@OUd_}3BP8kpia;j&p%Oap4|?U zjCJgw`MI-HmC@ez@B)xlAw;4_DL+Jlc;Q|IaaLNcEjBL$F2@ zdVYaqE#OzzxL@Ofyy}%K7w5^eEgCK_l(=pw_=j1uDf`??U$8T4XL!w&6tRy&Re(UE9SnoBiGk# zpuIsyypdC5UtF`TgZ=GY$%fnk{Vg7%Ai^oawHebAslqX#x=~mUT5p;S%A7`@$3fcB z*Ev;Yc1rSH2{m8zXw6bx9?TD1Bg=Bt5U>{?P=um3)`v9;RJ32hC^{c_I;sU@%;_V! zT*zDVP_hf(yk59-A^D>DMZxHU5xz@Ipmd6%I^cRcb4~0E#B*+Z+B(RV%q2SrSZIoA zL^x1qldZuksv&3VCWc`TNcJQ@c8ynHM{pbVlKtSvVvUPKj^TInm;MC*p)I~-;rHhZ znd0=A->qSH6`ah?mmz)ck{S?_FKa&&E^BI6-Qn!+Elag8C zp$Ky)uktSM9^_18N$(0GA3Or^EU7{uR&@AH?j(4j+gj$BW^8SJo@J>6TFcge@3p=)fNwYuam5U@lIZu- z|9WvJ@ZWC-4oDs8CirK6D8y@OoO*R&@BM}0Z^R;URqU6H=Ul58gh1f#<&$i~8!B8m zrtYd{QKhl2^+Z2eil+n1|Jf4uaNKAcRz%z^XNZgH%awJtLMKUfL9qVc8y77nlpO@cD-3JG@hrM9pXWCld@a$^pA_t(RZ+KvdDU14x9$zalryI$LYfhI5qb zw=WsRkc6=fEs7=11Gh!e8asw7{7jDdGX5d&b3anYQC(6GpF+aSrMVbVqBP>PV=4l_ zBLDr^etrE8jA;Ap3n}(pyhiV*&5mZ(tn*958Gv@dlOdAA!C05M$<}d6pM4v6HHF!| zV|nKb^BUkVvX^d=?DE2N56;A|q85H)Gcp6VqBL~7Tl|;$f6sCX9Rpgr?jB>|!=puB z3Se8<*gSOOi=g^E^LWD8h)ZY0^ex$hM}F&1%#U_q+~o?P9pw9tDsnZV|?ywyY- z2)|I{R2ry!+E0Z!KXRpKzJjcE3}0ZB3S#hm%upb#5y|JA8Df;$skXD~Rv?x7@^0bV z=N$L49Yx`v+rzW}( zC)}TUal2i|T)#I-&Y95->w-nkB`w8`tt`!6Dw)}(8pq@uv9jz)0|u!MdtH>Xl>SOj zJ##99d@xX_nToyG-A~dv5@-BlXscHHepb>~w46zFP=kyHdHy!|EX1ODGM>@!OG#ng zH+!*wOZFG0JL7#O(>cYcAoO5(55cwvt7+$5J%#3v&3?aKX!3Bqd2y( z^um1X3Ot)h-~V^tUp-jdQ%JkHn0gA0%-@^$KC@z!nxAPLXi=iApxK3sh7$0-cE7!q zWWPCaM_w2E*DeJFI0eBT%n5`?5dBK+%Wd~85QP;kdx3AZE-j_PBhHw&4vuu$xH}0w zAU{?MITootxWm;SY@_;+XVr1YUY8BvoHh3gTBI)mPA+>ctjqtf@R2dfhGTWyem%C2 zcO_;3${=}#+WeK$#d>=FG2v_(O0Ks(rGIi1-dT!<+`W&D8&fpZky(V4w$iqIfOdkA^>>sndS5VmaV0B!4UR@1qSy_U>BJh1=8-VtH(Gq!#8 zw%fm8t!u3-s=^%e?4v`CA50E&IW=E8wz|}71(rIA;3?kiRQc3eHyK4Sp&OZ%s3+bp+VF698jD4u)Wjg3l0GKR!)e0kf5#a`c>x~NHL)d^m zGaJ}Ci;XJZwLXDxI12ma7JV9GWaJN>r{cv`|@TZ5ANVL^Zp&sT-owHZ56A! zte-G%a0^`K7ejX4gDV#5xa2=n|0B|8+6R!iQ1Of;{cF&(_mN@O$aW4JXyO!feP;80 z7I?(^>@L-{J7j32l(Z6!^w$eK{JAG}jm=}=+~1rGO~m(-L6Cui793z`HFA7NAZ%S@ zeE^lPERbLQUdO7V)vH%D*wMoz%PII61w|zYr==KAZKmz}Hre_d%sr7K-^yaseI(R8 z$bl}1)J#_Z*X`(2M}N{OtWgIy<$;i z9JBK8u!@o65|RLAK$AriyJw+YFJGBnp8}MX)H*lB2as3ujitEwTzMF;q zfzBe<=wDUq3L4w%P?1U(<6IgKv{5>kE%K}%R)L$|8}KjgY9;wrN32_4i3{PQMj8Bp zH0P^;Ui{(Zyca|k@VWqS{#iq#4V1f7$b^CdFeT($FTQun`!{O@zgZ`u$CNyJAKRku zbaLroF}vtZe5Z5jb16Hj?meo3qdIDACD{k;^j5jO26IKtpxbd1c;UUEkoca9llH9P z!*K$gy1s^{*_z=3sfRslvxBI8hxf+n-f}$EdDUCI{xRtUZ*qx0(m>N-(ip^H;`nt04evx9)Wfx^Nx5oTgOdX_O~ahD`eXM1I!0BcfK;$Q&BLNQKdU zLks&_{?hVgYMnC9uiu$67^ijW!?$3Sl(pud+$SLIpeO%Id88;OKJ8wOp4!htV^NKS z^pO@zJG|aSlc;)Kk<3o4PW?wZQTPW#wV!Oxz>MgK-5(L-uW;wP+t}Q3jn`^;X`cHR zYifzj5p(P;uW7QJjGA8>4%N?wnEAbamvX1(JC%IgMpJj4h+BOH%=yC_ThMI9-WBj*Jj3l(VhcILbY%SCLqc)$xz6k~#k<*5+xcwCEn(>6GMU;L@T1=LoXS<>G9xa=1z#)CQW?B7AX>?ozS% zl)M-nu(}*b-864#) z37b!$QC40+`&i`V^MD&uCZ7pYe@Q6Cs{q}(OtU8r6q8+afMk{&@@Q@={)Ly$paX1* zt$|@lidk)}s)K0d@&4O`4m00pq>J8W><}q<#a~WSm*MkbYsOrp?e07?uiuxKozF4( zE1B3y_%SLoP02FqW^Xv=cLM=Z?&OAwMYdk!@(J9`b(<%!Xn5-9K`nO7J51WvGRl#l zcw{dKGB*#@mi<=sES;fZVS=?>Y+5UC*J1Zht#WcS1V@_u8JgKC@>NaN|fv1-idL;kJA!R;zY>NY`(^b!6ROo)2yIiCgvWk#L#o$m=J;Oz{}igzk3*FgR>9e8tS#z zBb(deD{aubK~ko5CK$L5L)Du>LG`8jW(l;qMZRJ?$wzfr{cLv8ymD%+d+RJ4*YU=Q zO)Y5lJ6-cYSZ(GG@5hqqUo~OAg^d2KQiL=1Jz^4drB?iy24^RWd3zWQf*~FU{(S=t z2C=S#8O+X#3WT)c=T8+E_cd-wP!zD#S|KTMC@0k)kwgBI!kJ*!2jS=RVdu5*+5ke1 zD520llN!5BXN~moW;%pZjz4WHbTT+PnHZfjw|HVybno!}TAK0z_3b(AF?m1bYqP&h z-uERO!Py&kmAQLrX30Uz*t^7e#(rxgf8V*`17`MyAy32)6;&A@sc8afV35f5IP2*D zFO-c)W09K^1jR*g&+l%5%uT@IDWIx$Uy%p=_lBU24&U19q4`V0qQkTpofhJe-DbOm zZC@c7f|gQ2m3~zFzo+Jw8msF}=+jZ%CvmZBRH{R1T=L^yZ5z|K3dX4l)9OTu)XWEN z449(O^=OUhMi29kgZmJKSN$goO2bi>vgfBQ471S$Dlf~;Y0Hw7Hu-NrAdIEAE88^r z&aHbcnVD{lv{tk+N}II4H?}D6bN@=#`5_tc&8YyNY##IKwUbInmfM!%F;dE>Bx%?$beC zIgXB7aZGDUMVWzsmtN1n!G)e&sDPV%B$J(hYKqlurpO#5oix;69hh0*s$WpDw7IAI zrlFisufg`QO&)oge&*1f3Pm<)3ZMW@rvH z_zdiVd84wZ)xo2aUG<(p$uN(;A6<74)~Z!a*t|u0bE@@5xL)0GNmXEP0{zWtn~peb zq*rVFd3|zx%yXTz+B<@qYoZ6pqCbR>zj7F)Hdj3mXrVT5iKnvpt<*d$KdMw3c<`n{ z5(Bm#|4J_RlvtubzxZ1<)-S5yfIDeON#^ko4G%Rj2M>+#Oen}n$<*St{p-;ge~oT7 zNI|1%A_;z6;^)W0xy+h*Wp26~G)LovAIWE%Jze+43L-T0;%sUbK6R4or6wTfCjf4M zG*QpO>kD<=>6Os4M^?+(Mk&_noRsrDbQ)Kj3L-B>t=`oeGvTL-_NWAeDIqp zQLm2c(0dyz7kMpw9vyNsTA7`B;cH>wUG`d^&hfK0gV@xutr^vmD*MaR9}VSe1_L6U zv>)d;Qx14!*;pI$GlR=58`BWyBx}`ChaZ@pnmvN30Xiq^sNNQdQiF zg%Av_;dH5ccc`ATIPLkBjc zGCzvOPj9f}LuE^!S9!m^vR@U$A4F^^ZBRt`UJHMm$1hzGsR>EpjO;nBm`|!NyaWbb z?5zSWHiuIidN1u*#)~H2@Lgy9^79Q6HkO$vv_R*pPuw_cZz{Doe;|?ss-%hay*H7e z%hJ&Ob9qRUT; z1?B|=#SE-WkQTLRvw7Y2K}a{oTf8wC&)_(t7@0eZeBzK{1z~%yS}l#rd#?}y9Iwmn zTwoQp2$xw)`P-YEJK&n2qNITCdx8Spr=@uUJcd~I<;gaguN>oQAWAc?+;pFkr!3)E z*4~Tu7%pf&e@|Mhj~n(_gB0_qNDtIMl7))bJxv8=V(4E`&(TGDKgcDh&T z!MXQSk!M2vE&fSQeZI2TNneYTa>z-L-b?TpP%P;v`ED}px4^_W{tfMR`bxrn`&Hw9 zS!oNfw9|u&aO%vTZcp_#leIJHlN8r-!CJeq-e!(O%A#l?br>t=%>c!qmkm&EN{-o` z>g6Vj;)zZCzL3D>ASpIEF;hagcXvOTMYTFo2rP=5q z7#pNx-zhukpW6)w5r}xs8>WlcR1BS4wG3Uq@0zre%g9T!`Fl3hPr*Dl)>F@qo|yNW zwOVfVKI%LmF{rcJNGaAT^0*`WqCz{#;7*+lgAObQ_q52mvUxJ_qg6o_VQ!jE+ix~4 zN}jHulNA5Tx!#6b>)MCW^}#<_rBbBJvOInS02IdM5`6Y1?LMeZ+1VYqUZ)D%&Mk6d z;_fB}l7;e0`*R|=^In%tTNEr@=&BUcR`Ab_}@=-mnh=> z=QqAH{*oa`N@FN}r6d^akfrs~^1Y2SHv7?Xvt9|3tm?vkB-i;Lc~Bk+I6w0XW(mG0ww#a978o(ly+VS>4C1~ zRPEBf-;U;@#p8ouI@tHx+fUKnQXafI)+7cEN=8b$5Ws#t6E+d++Xxi-ePxIdCvX1B z>`pjO#YK4Q2Jo*5Ca&t#fqOl1v3e(?VS*(e611o!btdzEd^V{8RCaJVX!=yQt2dqe z8}YfcD|LhIaqG!N{+15hUthY07?D(Zo@LK$rhnYznY2%Anyv8bdDqBPd0A=;>zpi< zik4XH+2LaFrT^yh2RLk2$CBlCV(Dqy#w5bzzr#HL!(pM4LTdVl9N!Ao1-#yq@_u6X z?X#OHr`x@`J()q_YHAthoQr;wkwv#XTTgr*0?dntL(t{w<)**YB*e3uil1wC?&ggX z#R%wtd7Ci5HM7cYuo%ORwZ51d-osITyK$`hS^Nu#JMRYDuZ;DBsR>lkM+M-V&Yy>0)J0K21?S+UdtEa&%|8IFq;>MZgMTX@_*d?Olg{4 zJcJvdt>+PJp-)a3jqTF>62(*=5?>L|PNYPnC9W#bTj`;p29iB}Q2O+uPnLn8l?o(r z5sqc!Qtu(2)yI6rbEbL(^6bzod>w5*BR?s9YL@L(Ph{PtM}&_>FC_%a?xjbaZ4W-4 zt#aRf1$%nDufn~3laAwxHCL4*SS*GqX=Hld8Etza6AvI-W!oD{bTefX} zI0H?OWm}jN02#*9%arXa{+8%iEvfiqj`u4m_nv05{_y+S+cop;zTh2$yW$f;E_ZcaZB<79Fyj-+d8kp^|Nt?)1S< z*XWvV4(mU5ca4buQ1dtKYgP^3(- zOn-SPgs5rPyC}DhFI<{w%GJnAxD)~GM`L}$A-i-wPsxs(te$_fymDlySrY_bep!pz zKQ7k*S0t7an*$?G04sey?Pv$u-~T3>YIqn46~>Z^WRKpG#E7+TWqak=)LA-X>1nGC zN$wqclzrCQvAsjMX-o}Y{j{MKIP;0m*TgCATI>vEx6}s0kL;emm+Y$BjmVu18E=pB zwLjr{ed+dfiR`41g4Yk|XrrQE4P;ARE|_L}Nf5(S|GmoUJCVM*M6c>5`o=jMss_Dy zVEwBda}(L^S(inBA|l9nCv{8eJ3UaPDq!E%b>7y9;->#lWU1>KM6kTGp8xE>%6WPSH&CCvc#NfZ~v+CHpI(x7{K$X4F*) zGpeEsAA;XLZ1)d;yj9X}_Q)dGaN~2Y8PBpk>8!C>p`6G?mkLp7F~EF~8dwrd_FUQw zUVV|zLlN#i7M{$ys+Yu!#3xu&4Bb~ylL)d%4PE~h_}r(Y2k|zq;VQm3hqmp458bCrv$5M}II6 zCA~ub!5#T1#$avQMXcxjl|!Q*5VKJ#3)*&89qZtCLJ~^tm!pxaj+*c3k`w)ml{vm#P8& zX87s;agX9A1J^)3xI$hg)t>jcajE1@{ zxJ1N6MPM5LU|MIKMHgSgYw~g2xN16qs;;U+$Q1r$BcXzX$MOt zD}1MYJq2TWCxG^)k&Qrzja>!OaT=~HF2|-?kV?zjyA4%RcMx6YS6oiT-S>5pBLhttvJlS{OlCePy-- z4}W;MPNnAjT8VMvg>H$&=NPw5l2uK87n93;O?fS5riy-^<=h(*Y=xf4Y6r(wx)diE zNhx>cIiHF8EWPpNdsqhDi3*A9#8Gi*;;VyHNac)wfLb_9-kSSRY&V$3JMvlqR@j}pm!MrsfVMIFhypp7c4 zjX7Vwp|0>s4mb>O)bTeWT)tpHL%B(}QcQ_Eo>19@M&1H|pH?@IVAKyg+}4NcbGX!e zu?9ZB0wtUn-YdXYejMct1K#4(DW3{KgFW?5e0P0!FrDYix4O5-MN2HAmwM;6P(yO8 zB+BkPwgtLFzm@Nf-DRe$V@vbt{BIxEe#O7C+?JsrY-xRQ7`)X~z0SSnr9bpN(HL zP{mmZTH_Ba*FmZd)vz3v*G4B@r(E(6R|_J{cXeJA+3;{>xlhLZOw|SDu_igQS<{Hk zV%yJ0u~nUgIBe)1I`P9jqFt~eXEA;}xquQZPkhQPGx_jQUea~g#z4%s;<^UQGK{Vf&$$<6j#QUMztC6L zjj60JSie}lK0BDTuBov$23nNm z)O7Hp^K|C<(LvvL%iocup0*?P2OOykRZ~s+T@4j(bUf~Vm2jB!j}*;M(5=E>Z!a#? z&$69v761NFMFPk|XLxxRZj<(|4>xpS;YFMe0#rb=k?Jr1CF9AVsviTu~dvn>zH)2N)u>xwkMYNFI@5O>Nb~CIQfW_eV zxoROeJe>GwU_X9=q1KMr-nqHNpK+FE3bB!NppMP2DL-UI1s==ger7l4rLvZ0i}JUQ z6ynJ8I?mMt^~Jtq-U#D_UyboF53EN?|9oMZDyV8N)rY8AExzw058n9JnvgAqg{E>@bX3j2J6#ym}2U^^c&zmy&-1?lcKv-M4-IM!!jBfY(*Kr`~a~J^h1c zuU^kx$=%}&4--IaGHgXCL-gA}tp7-%v?QCszWwL#+o@(i*0AR4pO?PfgQ@i!B6D)r zoaVabfKSCo1f-jDk(OFmsm)X^(0T8DD2vB8+gW!l>xmNW4`~v@O72Dop^!w>`&lNt zCSwE`StfNpB1?>$@?JGfq*lUtmm^k5D^Ghy*;;48b-`JeXDg{w%=zZd0bm6s?J|}} zbVTV!hkM+++3vVp`oiDlO0$Zki)F)GCWgxR=@9>Bt(6NMZB5vb8T5RNg|2A};(S|0 zX7n?3rSjiUZ;!DVn%=j5@n;0f`1Nz^*3p;r_gf|DC2W33p?XbES3>bLNm{vsj>V&( zmRG8O_h2y5c__W*4Ypg>@}?Ry2*oM@TiuacGkbWj+dmH_`yBpDpHo}fI!=ox=;*B% z;f(|=*vj5Nk3ZnZWyahBtM%tAcP>rRY4Eu|x@iS_Cadf3Yy^G{U1HnttvT|Bx|6KR zCLNw^nl=>n#TU&c8+m=K#Ht}xdw^-Qdf#{w?utL|Q|eNYtF>d5{``&Vq4s3#%e?z^!~C@O*U8cy+8 z!w~abwuBSqhxO`AQrB%+HNdMp2M**^9b|=`I=AV3nEUU9yf&k}f zCr+QV1sk2XS7;2%nZC|IFr295@TY++C{AmPOx{*7uF%tLk)|b(j>{p#L~E1xJK0x6 zR((pl-31>H(}9Z(u^*OiszcuD%7(mYXg=e9q}VvofoDi=w>aOZM`f2JZ2iWVMZ&2n z^OsAVZA(Lx^Q@Cr>4$NA7D6e~w~6iA)IBi`E1V&7MS+l7x?3c0U4F)_tmXGN#o&o@ z1A%gnhP!8<%r7IH=#_pL8bC=@=MBy#md zJ4P5WoIoDN6mGI8HpYdBr;-eN3XcoT46087J>km4vH7C=*3UuWc%52cMx|oy9hYfnMEV1^+#8$&qcD z4GT7&SD((T-mn0S3(Q6n2tDk%lSWHqsN}PTgsShH2(R=#OdDf+V|Z6gvqoL@kpnUQ z`k?#6W#m%YQS~Q5b$f2zAQh`y*NxlTmaEU#rzvY|@o^`m5kyBDPV4|ccY2^-lXy!B zL16Xnia^Hh1gX{|LKW4tXEW~+scS%ky~)y;^7l+^+Z7Z#YMpLvob8YI{9O)a^+Qit zI%2ajl`38|P;Lp|7r#m3jIk8{iUdCwU@B|;YT_;q?Fgj4I70KKb4Wf0du*MNyD845 zgzP*UJAxi6{q!K&jz-1|Khl8%bUzBsLs$q`MD}5_Z1^MIq z%(OY={fO6QW~Y-Y%#$l>)tEf3pWhliU&A)_3k`h^H(~y=TAEUnM*^>=333-ZZ+~F* zPAwU{7V{{Nx}Xi*uK_z&6nrbFHO{{9b-;%gAVReI0tDTlL9UZAycN`~5n$Bn|J|}~ zp8af78#MEI4)~iJ!C5cxR;4S#=D=SmiFR5q>;8^O|7Yq|LdwcOHIq&!hd5`(WBkl< zJ3@Dn7VY3g*dB=r1C7MGk=#X&I7p5hry$~#cQd$b&m--lhTzu04_{yH z`CSdT9)05pds&-)8c&kSscg=h%>s_CoY<>FS2)*>Z!_j<^v_L?RKWs&qOK6&N$h7l zYAvYP=@EwgUD@hdbfsZ;PT4*&9QCWj(+?*ZTZiORb8zVpSG)H)sfPH`%@>|e3G;T( z?HSj-zYWo+Cd6+l`0%bjQoYk<7o^~b^EKYvRs94yAB!e%RXFeaNprXOmS)Ix9@u2_ z8=VXQZ9}lJW6kd8ZT_WQn(wrPmn*{P(D%q+6)Ph8SDN$} zEd0kq2Nz(b)yY+K2P%CUL*m9L4`(l=Lg_)lVCR@uioaAh6y{wD$&u%BVc zYMY9nD35W%SzWeVx72%jfNrHYU5A83?=drK{VfZ|ISYMs60{)jdjT#tjFD@+Juoo> zX;pRfy}ijV3e?N+C6QW@Q%x;dYaM^IPd)AYHQlZSWD>-hgJhFj>E&S>q|T3Un-Hy6 z2eWT-MuXR5&~c&l`SNH^0n7D7NS|PobME#*u8k@40hM1ecK)g^mXR$pX4SJ>a6Xtw zHmZ_vewL3<1jl0)d>s1hCW_@D|IWzP#28>GPNiBw?U7t5^Vqp4o%BmX9Nnrny^vfAzheJ<8XS$_!5PiIkSV3b?;G^fHE(TByM5Z>P1@ zy8p?E!<>Cjg-$CZJ5P+9VmVKZwr|yy17Tf~5k;f)oJZ>p5UwoGTO)|&icy|V@W(#6 za>~VW4}9)}fD^7__*2n^bV_wy@%B;+ep`fgP2k8Im zoj`nYRY2MeGF)ZKpSG=BVD(N%-6!5RDUz;P&FIPW7Ti{>Y5RYn?%3Ryf1Tdh>U8s5 zRm=dO`=2}tGR$S3`jw)y%)M^%XVt5F4g0EeNVJ8=c%k)g(Ku(nP%QuBJF9Re!^L^bl+mNCJd~2gkI04b0dx z&jMHT&*)-LEy`?^M##n3`QwvtB7Hl+Z+f~0We@Y1({QcSnswbveV9p3Kmoyy#)iJ8 z$Y(Z29yPEuxhd?a$_ypeE4dK2pK5*jRga>sP4)$SC0HwEmhwXPTKNg%|2Rnah#lgyFrM_UjVyyq}C3n^z*s+rbRe^wx zNB+hftc~+D&(A~Gus%BBtHhMP-lM=hJ7lKs7P78tpPOTh^L-04dsY$W3Guv!kS`& zr5}0ne}R0hT?x~d(OV~{HH@zRa=q^B#CDqdx0g1#8yFeR{;mU0{)rmqQ(E`Z-&Abr z$>EVA0f_o93^ua7N!?t!G4szxT}i9oZ@$$J&uVSKSXD(aiuaeM{41mQk09~)xrG#P zuBFcq#gSmELX25-A}{aHX((HO2NY!FN3iBp?!TFPkfFy+x5JNo;> z9qpkMI_dr{sOYrkO^efJfQOA|uakJS+>(AWC^kSQA`O{hbn| zTctSqD~>i?9_$WR|LG^TW3oWJ&P5E|3f5wrbItt%JfSkVtYLUmcV6(X1tus~_qTx` zzbkMKP>c`!u}`ogvBS&b7WEXIA6RVGcwNFAQWl7+Wou4g?}cdXut7HSyu6vm2SkoF zBxBJYvDujsUh72=9NS_QNWi{U%(-G7`PeiCF7k0HOG&9yY)lP`CGb!$G>XdaOyh1_ zAn5O!`?G%dT^QAjI!w! zJMIr>Ty<^HOEy8H3`z&4$U=#1uf z9P0YqelrZS6E)=G_+<`1quCIApktD>-%vZq&H8c+$GMR$rLDKfD!`)ioZ%TY(VKRS zAHM&lGL=h~dseADWhCV0J7$-i!c&;uTpykJs+Xv9Vsf@-^~2-KLErQjtUW}pmQ42}U0X#k-1WS1(|7vK}vV8Rv*Dzu-mjlE$)Xr%32q z;{N{eb=8@}M~_wwl=>9jRm@2KT{15ED=c7L`yqe5y8iA%IG9&UM-1!#T?hu5+V;MJ*gbQVb(?H;=fj_wLHFNOy zW!VdXts$Y+Xv!>d^P77QS|86E{rHrd`Dv{9^pFll7NywwugK6$#3*9(VQI<7b1mun z27NC*b)=1dTAt_?D?1Y6t_93T1O_RO5;(lW{B7} zcJ^P8+0sJ%6{4kWF#!Vu&Afvs)FU-J<9ik_gzSGmV@IARs-!jxMd9skQjEfQtVwymc)2Xu-`7@!~4b zvt@I7p8{=XE028+UCD z^OM~NJfB~ItrAdF>M#*Q@VKnR0Db{{Z=I^B$w@KVeAi5=dG|$rZCQNRQ*>-HI`W_w zVm}sR!_RX$E-xW{Y90t4Fa6ouf;A1&1D+@X><5t_A_EOZASpWk9wpjY#Y%dpCXpRT zuwVN^4wVYzxF%NrO~(C~2Zn@X83}hD==X+kD?5hBC3YngbSav>kZ6nD|0T5EI5Bfe z*7EE8%fNp0FN`@08`s}$VEvg0JM;15+xlG-Ln;J2sgp4TVZvtiDQhY5*`udi=XlQw z2eWGS^{zCCwKkus6@?Gtr?SlsH>k<#e0a~|kjLgfWheJK5qk*L2AVDOY9(pi2CDz- zupo>5DdP6FD)!$F3Zumb9q6`%DTOrO{0q8=3Hvl%rVj_U*&sWSHOxxwhH!+>3k4)V z3^W8CyW(UrxaL?1ZjUHr=BXWS06>{PXceh(J(d11j0zUdxbEVpO`_Pe(mw}Te4{J_ zy;Uj}7^XvAa>l2ZXTg@Q>J4pf=iHLXrAXT(iDyGrQ=(;~-WgIM@qJJup@3C-wves)}}zFF?iI0MRV$l{ z7Wxh~(qMGW^=cgd&YixEFggJGn~DUo%(2}6E;h-a6p#M7O}wjZntCrNS?InW?Uc0I z1L%eVClvjg0;y6E;Z{K?FMm%xmSTnuHms%OWoS41wd~v+_-M=2+w?L&-sm7F!zuRR zbw2eYTt&&(yxa)E#}#!&4`7FVyf0B;4tEpRU;OW3cn2rKuhHw(k=%vTi{-qP3v=ue;wkmg;s>AKM31 ztKpwi4Nh~c=xs`;y@@E>D$uG{$k&SIwiS#HcToUQ_B3sGD2HH(;R7w4H8tnqT5s5&xK5>@1{MUmhk>BB)z`<1Jy_0=KbJd@>W z;7@R3kkZ>g&6jhhiC>xwC6p4A9CJ&8N>VZ!V{x=;A&O@v!z7SQKAJE;2o`JJpjww?+f)a9fUn zVm>{Gcf-yfYi$}?Xy9kA!PH>mY$;K`)BCg%-@v`0MTGamepBNp{3rII+uzGi_5bCZ zpIYv3s%O01=)@xxmQM4%xWpzCD#%0BRkc@k>*jE#HK%-Zm0b&iE$LAO_y33rO1n4^ z=t<*KJOSF38r*xfS_WKfm0?C{ckgm-rDQbZxY{4|cyZ|@SquJ!5s_p)?XA4IJ#I&W z8Ot$i3gXAwWN~gOHPx%eCEyD=3njMbV+FE$>M+_pc7DhUEToUI?BM2Veg;UuJK&j) zA>QTE0Gg-V16}uSe%Gr!QsL@(ZJXphW-e>{?y|38@Ht_UjROYZ zCo0Yz1rciNB;V9@9P;Br*)E+JIoZRDD3S=)jrBoc9$^s&rHgQ(J8De@HN422OuZ2E zIyt8t2i93omdF~|JfBp*!2qhUJZGo2^@HB~dG{aJ7x`O9y-+&{>O`H0sQuC*Qf^Tg=5iD!tV)o7$P0GfR_Y1kMb z^nPZ#+SGRXXytTO`L=HB78wx5D%E}Y5~KL9p7mHF>~PrfuU|VRty+@mY$nFiIE)CH z+d?`X{5uov3tRXUXDijeI~GE!kgBx7=UmEL7Kz z|JL3MjzLkaf0@cw9|7zsFjU*&c}FE@?22ay`ui{C5JXhDk6y0vzA=ei7}OWC?Kme9 zG4H>h9-T=;%fAjv$1*Pe^-&r^R1<2ct%I0+w3q00bB|UGB+sEKVp3X?uXL29f#kQ1Tz+RN#~EGMOgHFD#TSo^U-;$7;1x`yoDJnczst zdzt2AeISyhwPDVMQUOlfNuRy2evdn}(N71pq9w*@6BRkbvfTnu zPZAHqKtRAQhn-EfR~_NwH?+^CO78RYd(G1e$JURFNyNLc!WFa3MG`!SI|kx-BZj?- zu_d9H(35p`0sr&qkdqo&h8;Sny~G7v5Qv>jq6m|C4Vc01g9)GG_!u^WlG>vhbty7@ zo3K17+#^;M9Jiwv|AV6Y?}+>V|99;{JpDT`*Vmr-e|2DFg?GfeNw_Q71iNXeD*c`v z^K^#^%EJX;h8LfQg8+CJ_bc203&UcnxPbR-iKuy)Ei5({63OS3$I25V~OcMlgNo$@1jU>TYpF zw3IBpNLpM2odCGvcQ*67tQS>K_^_kLOPlS;+7=_EmG}PV>gHk0bQrrpqhVf8cJo%r z2HW;`>YgKR&*`$YNP&()>LY$H)LPa#(Zwz#_Js@^{y)3kSyGAJ(0qq#6ty%FlDiQ% z%Zqf)*u5~Kl6tXC<(at;k_i>)gm7Jj%cg`&>zxHMPYQKQ37+x`#sdXeGhGnlQ^1U# zD=8w86OHVqb>pbaX6yHG%;02CH;l<+k4d*gx{ATmPHyNrkrB@_l0_qJ3Tv#b>x`&C zxp$5to{50l&es+q!dN*ylgDRxLj_#cj$OA0RP4t58NFNY3EmY%iKHT~cFWbl5+?eb zlMPEGOzxCOBXQRRVT?vdl=IQy*?H=c;W}Yq%j{4O%xKsCA!2Q+ZFPV? zrVD6_Ge417Uv$*%qIW`?_1@1w}Uif;H92L11+c^p8786N& zdWCTUg*;6Ta(BIzq{42_O%91D)*8hCCO%W}ow;m=W^dzjkC*S^VtetfCW1R~l4v3i zdZfL=h76oAse$C zxPXD9g{>v0%iCeqjg>K6bOBI-4@RwLrcoN!^@Qqep4M4@L|+vC*}7x*2`}H@rO(nX zYAL~f^-%x>%^eKYi4l&9mey&H?dm>cl6Wd-LV3}kv_ zS{^0rj4s`%>PBFu%k02DlZTF`78*-UpwBy|`UcsCld>@>x6>a3fQnU=9qqkc?LQKT z%%f1Alf*4p`T*A&X}EjbliW;hxm^|>EsVxAO^Sv{S?8Z22}U>FkJ$zAn0&5(@07(v z(_a|=09y`2Bq>=IAyNhv^F|6u9{kUDe8oJP~9MUmnAU6yY-9In>Dnj(PUO_ zk}S+BZO&06Mz~{si!}iqh^{t>hdiDfm+swLtW6`8w0@C}4%ZxPw}IJQzgddUYMxgl z%4myYX4R|pL^@J2O$V7Wi|}{BC=L4`irAi~7G)2~MxwhdY$ibh$K9zBQr2)xS@`de z1vd*ss6c>#1boJ89^ttYN)APYva+c6%Z`|WCc$+!dsg$6Edi(Hq95nFA^-d~uvY~U zXL$Y*Kd^(Iw*bF!8flxll4Ihxsbnyzi|ig@HaVR!(v?&q@9`z=r?(|d9#XWwXGQPR zI1wMOo7xFb`>b<@daKnj!wqeYYH!?pX{yf|5BF!9?HcEcA)eN56sKWZsOW3&k+^sU zD5ARsDsKy-13=wFOhY*rJAb+$26Jc~1+F*lc<8PM9~<*MKi$NSRkfbnKUkcoO}Hek zxIo)?ht|0u_2ZiZ0CtR~$JH|wz&|D1pc|I%|L_8kZ4!9YLM(Dn(HC5KF^!D`5v4eX zLzZnk_u~F(JfPGw!HcZytEWZHLx0gh_P_=2Z4JCgpX5CsDM5RYIKW z93ft1b*VroYVz<5ljMHChY@(04(9Q|PY-Oi;DTCTQSI)94zoUXTHE5D=uQ54PKoen z@+l^i6bcaVncN}^JA>AzFUx-!*2OS0-`{EfVDaZbh9=1KeLKA=g-uIu9kaAqc`N`J zBwS756t+AlpofTB6k0~G=C%kty=+N>YTSPjqK9=y#WP_mn9Lrc8U@SKfDz6oz`fJk*+t zL!rw9qi-IbdP_|byP&;4+Uy^sn%Ld6w73uY8yVR(K|Jw&L(oG~Fu+oHSEp)54z9R{ zuSQPfVP8x|Wf4H+#gDRT5)vtL+m>@&suuTAYSZgC(Zef@zs9Cqhe$)KEL2rb-efmc z%0dWl!qDZNk=7aJ;HKRWPS)faMTBb{}Ij5+I5}ZT6|I4Z$&N%OvTJ0B0 zS5kV*5I4()NvWJNudG$IhDljtq9Z%A^$4$D5?R0Np_8^#JKc@45Fv62YWA6ACPN20 zf7cqoprkaj9Y2V+T0BR*@rEXQRH4zMsS(0AivZ}}nyG-Eov3eip5fL*R-ccWuBU$l zHgJMRfs4wNswzgmmZ;Yv+PR`kX+Jv;vg3Q{G4}_Ftd56dxd3n}V%J+MkL!xUg`Io0UXdT~hI0bYspV^B*^rH= z#4cTq%gU7#Zmh#WLy*S@83?_}HH)}#Y)2`31>KqV@FJv0m|%+s=E9uNc!^g^ea~}p zHSa@9ZfaL#${jJHB$}(xZEGZe(efIqwPMK{! znUPV0uB>)O!PDtK6hPE@Txb)DLom;xP?w}VnxYzFjhZy+E}C+uH9eNzzm>7ezHg5* z(g&tDYkI3XCb}PSfyBEVYtMMQbN0}6EE9)&)gpx1;cz_F`||{Gp`B0gUVPhC7M3V` zQeA!eN=6RxrfPb@RLBBY6zv5kp=l0)24s3oAIX;mFCu5QLl-d9n2i0tIRsoEC}l#{ z(&AsGNmreOMoYeL4x|z!I~f}P@gvLctPqS-sqnwZfWoP^u}5f$goKf_wZJ{~cCBr0 z8H9~5)wLqA_lst=W(m`g->&&NAkgutM6T?%WlhV)D3dJfUe!xG^`yp>%Pd~6GCQ?H zE9~I74AtQCuktAjv(<50EW&-}ks@mY&!)fUon1{oy!T~D7aZFtmLfqhz1N(RY%1Wj z>h+UJAScSIg|dLr0Y}Mba?|7`{@VQBs6DIot0jp#=E><|g#LHx(AbEy-q+-NwV>f& z9uIe`bPm1i;-@x$y`d1k#LQN+!{hLP*ninl?ua*sgzFmIW%9nM`_6kzn1+3h_c7th>n-> zIxp+TReTy^wv$gE-iHuXY_RRle6lnHt7Wncj>=NgR?BcST((3XuXCvxWCIq?VZQGj zV}Zx2quHI9&Cz5%n?ZQ4tI>dQOthG7_o_N`N7-8`A#%UJsbKo=|3fOc=(szrJ8{JG zp^-pJ?z+l1493AUeI)DkhFRn?_vmo#Ku*SPDbXIzcAceXGAP}eAk!qnYrpwio!L2s z;oSPnFe^`mGu`L>%^dTo@5W%W7JKpD#0$UEay9C1IRlDNx|S#NnQc_dk% zy&^_9gxPScP)Hhe)3%>G?s8{89u;XnnXJ!ZAqcvlv>7jGX{_3@P%+BRAg+d^TxDY1 z==RoR`H}7qz0mB0?S;_#3E>m`rU1%+9{mawmd~k=KD7P%8lv8oXVJIFjzxe>GCeBU zRMwcV?-LFWrbmR13dEytI8QgfZBVL1_Qz|&DOg&zDIL)sC$UWFCY1@onA+$i0;B6o z%=(L7>uef#j5Pl~JWqbGhc(>;F+Fv7t$*hF4r+1C;YhKM+jOTk8ToG3X)3gt&MYb` zf;3KQH6j@HWP0S1W6B{+sG)IiYHQycQ+F|n4)lDtXC!ty-XN&vi^6#7td4M=S9iaU zwDwLxn~G%LQs*Ff_pH37v;1`L|1WZXd=hN#&uS#?>5O$yuzBaWse>XLwJ=kEWw$pq zd&wYq9J!cW*Q|m`wi=Hu#4h5K!N5vuv^T5Gez`iIM=nav4)~gnh@B8<;aN1zGdmav z_zE+!K3SDKpo~-!dV1~&~Xq#77J6h^QRc(sV8c`yl>H&FLWNvq7HRB=gf!@Mw_ps9?4@2 zt*w2H8IK70FWCPf>BEMf#Oz;zbJ#D@gk5pnULST$=6%d(FB4{u>x>;flLhDy1&clC zq`@wn-fKF&G%1j>DBFG8(j;mdVN*#XnAL@8Znei$^(-Drk$O!2=~K<7aTFK_u?mLN ziI>Ny9mC*iybn{wr0G8J8=tZ@v(X(Bv@I!{S{#~>tnGE7YuU-YjVkN&45vRh)Ivli zx3NfRNOzY#+Z}xj#t3TBK@qP9R_2?_D}xs>>qtu%xa3If`-jj*y|c^N=roiblIA-d z1aqwJ^*c)Rqbcy8@AN zOo#3rAR$D?ak2tUP`^% z9vaGWT$SYwP-Ve{%iW;{eS7ZU_6~_ALVX#3zH~Usj!BpIGfc^tJ$7E2(>sGq?&LB| zO`SEh+}YRv{d_C^WoAoOTw2-j;npmLMSHZH+T_}nv<2ina{4(jk@L7kmHg!Rk8jum zFNCR~0LPB)3-F&&eprg|9SN1#qTgAD#L0xP%T!Klm@zV4N^{rNOE!kWcu3+X~eh(6Aebp>`Xbo{9 z_B`Q$Ya}zn-&7_A{+J3`f}4znQ@?(f-Pvi6!_V;unW8vo|Tk9(rriZaj zHYrxszWn~X?IpNV^o~e~#aObN(E}%MGV8;!9)oOT?aQioA{I2&TFk*8F;X8)T70X+-X3r-}!Q3;Ul0zL*da!gx-&{E_)`aW|RZXJbn9Ctn;CY*P93 zQ?)01`l6CBHho=xr}rC!9glE-*PxSb2s{Y)phd&Kf@t4Dy=3*WQ{Rg%5ubk*N=h|s zp{f#`w-y=}#kY_vQ^nq9`%*Q_oKny5m;pf>D1u&; zf~xt*ZzH`;Z-0Aw&qDQT^la-S$`4QvX_Y{VlP+L(dAyuLkJB=OMG1vbJ)xL&;{zKX zF9u?lASoB@(}f;3^Dp;21A48E=6(C;2LYB7ifY?UF!$Nei;P!fr77zp>HL zFswZqWe+!z9kg!Ra*hGq?1N|pr0fIkJ_`-q$^iw;ipK8DAq??>IO8WlGCtO*x}k!o z<(5KgRCA@kOCw*ffFLmj%ldljbB-UY4!rq=o+%XyNp(a)>R6f;Q5M~yf^P!}n?wu# zx0qM2-bOz?6DEhZs4aYc_f2}A8%GAYSsgR#lz!%k2!uK!rr7{~ChO}Nw{Jg2Bn4To z@-g}?eA9bwQ|A1A&zj{#W5Cfw9)rms_w|Z9u9GmSLRaroZJGX(JoWZoL#HBD0xmv_ zWAJ{nbuY4ec~z5y6~R~VoZh$SXjh#xhLW=<(Ycm{*!_Q;y?0bo=^8gWjs+YQL{yX( z5tVUNP?1g&6#*T^jKe4(B?3x>0FhqO22l`cDkDXN2q+x_BAtXzKuSPL=%KeHgpvXY zN$z&eIe*;me&?=rhW|Hf!G8DqJkPH^N8C5wG?pZm|6$^={($0wU6P|78?PBS1xy*m zSZr6uL@2bFq-um_4rbrLKGS&`eFe*&w25}kgz#Gcm?o09Y_wvw_kRa^q(eTLe{XvV zbK}^CxL_djI3V4sm3NFIts9&;*qhK41q#KTaQ_K>eNbg%-LHiA+v`0_I*D(+!00vg znGd@z@Jt=m$?WJ{)`IH53UfoQakGVOmD@uqx?n6T#$uO4#zC4L zo7?tm`?+U{l{@&0Hcs!tQ}=OKde0W z5huA?yo_DdD=+RMch6p211gj9UaV00lWIzj(Fb*U_n+nLx->l%gN8f*=)_0Vt!hkw ztGh6M(O{hgwe+K{kdriy!qAKh;Wgxu;_TZi1-JSWdohmoa8PyXBpow6?gT$=k(;=G_NxRwRta5DW?;=o_RSixaAt z^oi*!qL9w{dT@;b#p=nA{S@P_kNjpOYNV{wS>$Azk4GUHqKnz#=7|-K_GJxO5bnz$ zG2K9u`9?m4J6K}&!jV0cj{;+pIjXnEmh zslem|x05}+zbzbUVB;JRJw95hyp@kq!FGhEhP(;I*Xg2@0wlHz&!Ye5I`}sg zaOPhACs$pnYV;c!*l^*T+Al*GH=!4~|`Myt-1X(B@*ylZNor_PrErQwm~Q zH53x|1$SUoFh`b<2DvcEuFWDoS6>Njn(X(&BnuQQNDnqbOrPDzAE)d3a zMvC4xB;5}9qf6zHx0i$}%?m|p`JEY(2l}2S=8z@rY2yCyBlz^v(tNg3)UKKW0M>tH z`oFhDi+_`$)SNiDeJJt6r`i`+h_AFoCcM2D@(?Xy#1iC|9Wb6;F((}83~afmz2MaV zcP!`}-FUUVMzK<@ulE<`Ep1;VwySNryDaQ5WQ1;fjAx>aAfbg zsQ$Zlu@o>w#xnSk1oV( z6AL}+0GFt(JF$A`3+Lz%^&0#Qn(%C1RmsAngQIXkJ%80vH#0s|g@nDa@PZOM{)?NF zMlASN{?S2>7d5J)JToXU2d23Lx{G8fxK99!1yPiu@`Sx0UWc?n)U0M<64>XQ6ciKP zOtW5sojq}1S}ivGz%BeyP4{yg<>B@RCRteJH$fq?2cMPtb$lW`XkDx#!t9-kY^j2U z6-Tp<>B!g^op1C<#^cK4@p!{? z!+;(j2SIZr78VnCVJ-HeqwTbNt(xjwe2zw&6e0~c>XS&gyx|V0@1^F~p#TiIZ(!p> zKKq>wp3y61nh#l6y^>WBZ=#9m_PU3$PNuFOhy{hNS0bWsJHk}Gql9ttV}V%Y?|W9o z1NxaM6Xpjxtc=eBnt+4{)cS%RVH#p0Hs#7*L#585==Q+dTRS5IZUCHClD1Id?wZ!XC3uv&kSdElc&E%A)$`~IG+ zhYrZ2u>eb@nBRjw#acKr!=T<9skg#o{u(D3@7=1=^H0u5M1ye)QH=?XlBD@x`i~7D z?g>h(3_7Px=MG{Tgd=Ne8^vW1NPYq0oYP8kO!WQK_Kn}8yF&NXhn@ef z4H&THGmTbu{lhNd12AdT7;+Ek@CH7>TXDaj!`)*_%-e|m&0P;rTECw&U)=zvQ?muf z<1MMDdP_FtVvjYHvt=9UxU*9>+Uj#9WbmCqf$~g~Io^XA;Yhu8&UYDU zun>iCiHa1#o3wAwXsh}ppbwmV#!;BM%mg1nYUchBu8VD@LnLN+5xYcq;s)~Mvai~Gt8?;QkNdZ$FkSwMKHM~%EvE8!W=Fl>`x z=JGvS#bbJi2}<9)DNjbQ^}mWFzN5wmrIo?M_o%ml@tZdAVOuQuxYDTgh)I)s+eeshm3oY@)(=54$t9PJ4ovSu>n)>TKwAG8l8pAtNCS1maj zyGsq7ZtWaEt%`Mo!QU9T8QfQjR8f;MT-W9o&uMbAQw!t3LU2QCcg^YT{-*0&73o=%6TwqTT_N`v_w4l(U{#MvTV zblokczOr-87xX;&6cU)eo&{ebZXUl+_nCruy3ok_OdI)7*$d0XY6A!lnE}#obaWae zR{vS4E}+>~6Za1Ko(LYjIlP|@cV#@IfLs}z4qz6d~CPb(Y$VB<7 z#Rnd@&6#ySMsc>=CRCp`_i0zqk?U{}9byLcIlvGZ#6E@NRR@u>(n@n-bm{!XTF7{*U0Bs1tzRF{CT~YM$^R3$ z?Ea4UyHev!&MyGZu%u|bE%x4r)jPRqLqKf3vCVZc)0QVUYleg z1YT*Oc_NjV*x2|wwp1uz5Ye+d`-5BIeHnij->VJbI>j$ub<{_;C>r6I+`I7HJ1SG1 zv04pe1y&!=;>vB#!oj6YUqj!G#5gP=p-Or+AAANPGxc4kQg-^4$UPbu7@;d+8RPps z{#jwvzaI@nx@5W5Rp+)8DsuMp?7OCZ6l}^l0F?NckjDrQXH~L>;tZgXImz3oL|DiO z(^{it(F22WE)2ss1-Q2w0QRzGoGs2yiL7m7OZ@}_!MnJmcLRK8lls7eXe}UJcuusM zbp5&^e9aa0ojuDJ|*YLv2Ij)BuL8@EpYZ~w_L z*;eLG{r70M1WAMh4fMGs>;4f`IT?4Ys2$@a^MtEP7RPT%|jYTSG_ zdo!QXaXyQiDCa`W0Fh-dcGKp#9dvQ@ZERP%3Lp^xCPfy0T4na;Kl%g?>{wEI%sBHn zE7dBTRMnEI$l2ec@vIy4e6Z2iJ)lDhx(iacn!(Oy=cUi@27i|d3<5Cr6&U-C6Bw~} zJT+WLyi^dYS{%d8F~tIWhU8|opFo`Bt&~F88q6nxAfls#>H`yr zuodOg60Y#nE?`Swb9RbB~r!`+U1Px%tw< z+3wfL-{yFK>b{*+KZvnrv@;jr*VFE7Uy%+vx?BLO;o4+qq&hB(O_!*@YpT~eP>0$~ z92D7!hZwe&ByM*JPYiq?!|Or1z9iXTCqOs=F--k4pnjPoq<@J*{Il18Fl4qpp*$() zEtO~jzYDYh=)V%>1kV?AuDTz%YL0pf$oztz9aVxGv@=tU_X<*4QRjl+t`y54-CNQT ztnLJGx(exO0aP80(mK#sJ#^zDfP~{vH1F0 zpsUQnWPdUU#B>-|kWEoI5mu^DFk7VX0dbh@ml70eP2Wo04r2CEGF4P`m(rc@S+&<^ z)?QcuXCN9}u%gx8+xrw3@?pkK=a_TmSsy60_cIyW*y&g)8S-SST*p6}n9V)_<ENH zkDp>NZq~-l*PA&o^pD|rRZV3YV;=uJg zHUDUMe)%_?ST2Ko6phtc&~iG~!P%|mD_vY3@Dmuh3vAjk$f``2M2w$g4R)BL-jH=a z7hBm`_6i2Ofvn-poQzI~pM|ww(73fbaU>CZA-{Q)n3M4#OGdmGc^_oNm2(?JJ||Hb zDl?&yriLqXXO#aku3Pg~9UNVFKDm>lBLm00U}<%#!mn97jMsF`U62x|ZZDd<9L|~d zFOc1on=V!-Um5g~b#WGwbiNu(d(G(=DmE+5+ZPGV9$0810hVP~T_g{f6~o@C|IeBl zfIxV48N7|X`L~KJ*O4ywT|2;+Hp2cc==XlC>uiPqy~W;}sRPxI^X-Q)dPf-HIGD0H zwI25irjw#rjA|D&P0%Sm00zpxP#B-#Q{6&ygrKX9mC)?G=pjQvvDM5s8k;3Z;kZx6 z$>@iuhffyGt^HW>*}sUbHBleIaOP4JS|Ph*6s5`Jw4&aqmi(AN-;Jcac=e(MfT)JJ zAQKw}8$sqytNnDrdxezZe9BHb83LKn*3jJvck{;YNEY|KEAXmyt3z9M{_kJJ#xFnO z#jjIX+X*B6WZzD)zsN&sgxR;os|YW2jg?gCu)d-0)9#&x-id6t`V=vB@VnsTJ7_~J zuH7ZN$~oHux>mbii0ei?OHq))(ovU|W3?>&W-bCO-D9q5)jsK4fdFT zxEpV1si&t7(gWwbb)_!6K)Zwm6stmjk;em52}L_~Shf?_%=L-`UjroM2ZaZ7bzL)k z1H@G?I+656*QM^q%SRSEw2mON*;pH-hX1Gwmh*z#HNb}JV|s+g8Ij{giL{bfVFiUy z%1s*6jtf^7*%y?QaTJydG$vl3_}?eT0~JB@X*@K$>XWEPs=VC9x9a_6@nX4$yM$>( zbyFJXe&rtBUrb3vwGe>6tf;Nsrf<|T^GvtJMC+#9g&&&)hx*(gpW z)j#Y{xEtQh^!#*DNR%)nQ->2eUTnI^^A25=_hh`RtXXW{1_~J#nI~j zEpAA0z&xBDsOpo>rba@YRNNLLQ%k{j=5)#{yX9#&Q9jWrr9lD`;#SAGY1=Vn0OKvX!Fh%Sf`cO&ke9XoJ!hX^Z}AEZyUAu?NsV3tWfrgh$}xq z7D*u?gEFed`U2=ys(!3aNU2-@S6zE(TUQ^fthZN(_W#H8b`a`-^`+spvZHW3v;wv9 zWTrcP16{vKKYR3FO-{VwHi-Jv_8=(eT_H6BsNb-~QsDnP%wvww!r&l=c8N*2tnBn( zhwUe3&QERepXJ*Xr#ldH1jg(^L~u!OZ?wxZ?K?}`&NL$OHo<)liOW_J3HYuAPe`Ty zxhV;y^Vfz~EA^wV@K?;aCZXG)^wsszm7opRjm<7AP2&@H#(t0dh;U*p4fzvF^ypqi z_eB&5)*0Q7E~DQFNZ)4>2;IcakE+8OGA2FYBE_#8O%&)jMDm!J&aybk+z&7JPQo*x3x z{%<1WeM9EfE{aV1yyWOVZ0u1nLTiPp!ozTLKle}2gw70~p@+2X*AOz)urcESCc}oH zEkB~yW<%`DsG0jr*7_yLy{0!z%ipD`BsWX75e$6QK-2vkC{Ovjj7M+Rt|Y%qMvYzY zJ-V*6HmTRdl^^^=hji|+!IPElReGJOvbgTD0>>szzoxZOyS62L=8dzj4t(@PID58K=uf(#H) z<1|Du&c**Tu^nm`$e_T&v1wJE;%w$;fx#RH4a%-Uf%VZPYy(EfDaN1 z)*NOWbd~4$ziDhkbu>$AgKAeKdbL`!+7p)C^YKO!F+YadY}MaeemGP)KPz;#PFV~x z?1$35=qnY|ci~L1Jbra`WTaL?Vl3;g(5yvUvg75V43vXJr{-|iEz7axG4wDUv$CBf z0tMoQgXWS#EKi%Ds<^tG`?dRl<(M0%?JUEv)b*Mu(;VZ2ZqkE(2JE4L{8&Vp!Pjw&}gfOE9i{IbdVE9`BK>5xxT6@A(n zbTGKddb-E4F*a#yu&+3iyvj2ks(YrgI6XKW-YLizmdK+t-M37)>qI$6cPW1c#4QM> zbg+|gLh07-8X{5F>u-Lnb<(tx2I{`)WJ1MlbqkWEtjVr@0F}D7Kb8zn-mbEODdwE% z|2ZabYrhNi5d?nOdp|p<7@azv8C#kUUv4x21Y}yr%N$_&L5~O4Ei!JydD4J5I$LqY z0S~)0!K%RqRQpj_9_uY!57BV5B(DE*K5noQ39I%Kc9jJ+R+ZsYq!S8PKGp*Z4lAoj zs9gA8{^h{>)h|9>2Gt&;6|1*vyU&g(&CUF`CLuDq&Vw89)M$ylORoTKD`|aOYxW;n zuI}5hB1v7E|45g;M`Kl~M{ii^9{wnUaDqlh2J?$+K@ z{#cTEKY00thX-rekF^Th7~sulKtF-Gt}rDYa)~DYZuM~96R}Q7FJ>p}Z^aQT!Z9=n zP#jenV6QFoUjQ)8?0}^Q1uUJ07(zO<(#~kw9P3m7Z&w>9m7>8&s#)w`27O#^n+c9# zoA*cPlf%AE6B$P+qmlEU<3)&p1rfK$tRUhO5Zir2psXtMr``CTJy(siO@7OlyYg92 z^~jIscc~y9P7M5Hi0QY1qX~r4)g}YuGZ*Hrh99AdtbK4uIikIa*T(VTo=M7hAirZ6 zX^`LcyeqKlTBz!n^Za*3DJ)?7IIF*@1$3&*h@UUGL1py2#=lq*P0+>yeMFOP_O|8M z#K)S{t)N?zwI29QEBqK_vkg|7>^VH(S?wWQiEP#9-Q`Ah*&tH-yNuXm)^1oJ2L1ID z%u^OKv7IvZS@yrW*9?F=%3SREq&<_%Rl6>F{s_DOb2?cwCJB|gK!BXjYVwl#_p_Fl z|D;kko}_L*0o!{F(lk8FN6UORFfYtfHotlp`R{|J80Njpjh{leXjDm@TzBiN9GCDk2XlXIk`S4YP;n@V)bgg+h=?2sOJ;)470dHgh--w zz4_)%a~TkXCy|x?6w-F}df@04uN=-Tyz$gCdgv6PH_WcPia@Rj+#n}jtLR&}a4%75`wLYW^U*Zkuy z@S#YHjS?;=_t2#Y`@4XPs>0IgO1=F=Vx@%O5pFziMT}JPV7t z{!1n0IFyyuoRQAZQJ8&GAUl0b=%vMw-A2J5s|8!mG{jn8J6yOrtGOV@>S}W2-&z2N zLq5H;yM7Tq`T5WD3E?MD_-$G*#}u|zX zu2^t3bC+?KnPtBYjsC}bJsP8#l5z8Z++n4_ z+77k^mAlrTPNN|MYJ*wvZlUL7Gb>LSo1xO5PZj?ad`eaLO)F*@e=%|~=Mf7mnY^Mg zZHNGo``OwA@vUm+XIg1_tw?qxhBXqdyk%0D!F^W!Za6pi>lk)`=-JCXmfaXGTk6-F zH~jUHd7d2FW5gCdZDB&~aqDup+v&zysTXhqOpUC8y|j=%&(UHcD@Qd_@QB=wb}w=5 z&E!QPa3~=ezn0INkb(w2ZkUb;jJz@N8~lo}!LT<0$;`VV+27D%S^??2!uz$~dq3}m zE@n~dDs>pRg7!We5})94?BqjSr>3lMgZwf7b^_?Wx70#g9VeF_od(;Ny{1$dn?m4cds1XOE>(3K->pcLf2!dNef?RDkn2-N8Sm3 zsn(uEBGA&21>0gvR=KZ@BltKzxEi|j#=3XwOB%$={ulb!(i0zW(I#sTKdW#J&PV&K zzn(13)1a*GX!&#&W6Fz3X?9MPNV=t~9kGEc4%WYd<*DLNXNKSEeS`UVd-qgYvMeOa zQ*l0!8(O%|QL?i+ngXgNktRP&`XL-Wkg};vXF$JB33Fks%rQ8~2+8u*p`Ak+@tG)X zZEe;w6A6N%|#wlIp(w=%ZTpl5d0 z6bsBFeKAp4Qtu1ya0by+MepZJHNcx~9@Am_JVXL+2=Og?4~&CS}Xv z!cs{eL^woE`PR7dVumdwvpt}zTKJk2pRT0!;MCtA-%$O(-(CFQf2`&&Bg;MMHn7@} zS98_qMf5S+-_=n&;s-)r&$IFZ$og=N7uHtWNPC{qv)_LtW`vqe?RZvnL}^7|Npj@D zO_D>NMj)wXWHFWBhsY~`??@;}^$d#}nAV;+$L;UVLud&122#g^S!J~ODS6$++ri70 zhkzI(!pbW)Ch%-&Y6Jlbq;lGWSm?@+Po_3==${KoOQ!QFgZd%y#HY2~0oxI_cv<3} zKoa}0z7p*&xCJV4E6>6Q2Ku3E!*+0^>Z#T=x7<99-v+F{dS*+RuyS^N8+w~JJo(6c znEXv8M>9DoSYQwSi=<-g{ek@1?~zEocu`QWR#d?M{5}zbOyo%>ZuA@G-o|oe>ZRcEo@=w{0Snz z2$y4a^(=EE<;UrCl2FEO0953gb<4A6vrN#2bgL(;i~mybm5JC)6=1p9-+ZXUm%_83 z2aMI?@xmbj`VpF9G+w#V#y&OeE>fF)OT?H8Q`tDdSYY$NO5FcfBJl)us!kra@e-1{ zQu352i1@eCuI_+F9j#|MKkMP@p*X$)di_1h#}fOT)t7r0(T8xkYMs9?FmhHKY>?7{ zIfW|=zQ}jj3t7k3zIP?s2aayq8-P@AvPi4*ps^v`Vzk~DkyNd})eS5IDNLFlD+jY) zGuV6G8&o<2^yrwILKLu5cNi&|XMa)Q9;|uY=M~>0XGwyU^j|A4Yk4V{>rFCjszlPt z&LK00hl9T|eMOsba}|eX%PUjw=~+ex)5g7Rs|&>;gPlO)xH`A58m!~L(p3G`z;XYJ%2QzWu8H;l0wW{SceDRi&t@!7RZyfp zE~tBV%Rho2(hbfoS`GJeaqr+MY);7|WJE#6>9~PBh1)GE^=(B1|S8MAFDMPE5B$w z4qPZI$ZJN$ElAn`n{>(WN>Y0uf5u9npg2|`i>6LQ-rDD5Xd9;t7-F3;wR++6kIYu; z;YM8W_9}?Ehxz=cQ}ZT)+hz6z0#do)?NF~2naZ`{@34t`4!dXWXGEB?abUK6IV--5 zyXC_!-s3UiZ;4*L=`akjrw8C*ZIX3oNj_=jB((Tv+?~p-BOg8gOYTBl#BR*&JEbL1 zk!L>Yb)r!I>FxIyhX3tIubAJ>94jY|1+Me_dqm6H^NlP0f6aRi`I=!}PCaWL{xe|Z zH*99WbSF1yd=#$5_OF^hLnNg^Y{85u4B@?Jyib81o!_3s8&(nC!mLT~4bw3J6TdT) zHcFut#Uw6igk8~OpP$NYie|x~NJqh`$G+8znaLw4@f_ZjxS1kxfPEeTyWx}+r#9{n zy5)~tH0swaw7Cn*1dqn3LcWn7F)CTbvX$BPPYCP7Vfz>(FK4-&>c;S|{@Dd~I{gDE z2y)@Wke`s{0Rt~CuOSOPK!R@xBSMI9)*r1iT3}O|?{Qym#NTR9XY@$k6?R~P%>1I# z>g6Jr&Ud^F36oH+P_ts%|7W@Dk!eUk$kJcgIracK?Rl~mpjM|%AMctv+;u6c2i_Fb zHLlM3q_`V0Sb9OdgL867-yAZ~A?Wiy*j`0-#CDk`sJg%YPZj{~p>dZs-(YpMX6`b@ zrX~UMNpbTtMEq-v;@pafxvC3mhE44oSuG~(+|;Qm*Y%Z;c&_miM70kzh*2Hg{+SXx z8Ohv}8yocgMy%GDgCJ1>^pPm_fU|&k9d)MvgTnFPHNmOlTDsHu)8oM+@KQ*Cy}z*|@F!J^xdeAGzKb?h@+neFzXYN!-{9m?SDgjzjicJlX|I;_ zSB^?jIVo)6qd?Zu`n2|}vzOvwO(IpGA-ZL3yd0>f)hr>RDp(JynM6+y{Fa{4^4g6+ z=n6||B$DiW(+CM>onB8!-W(pHZQT}j(l@A$aqP#M>x({(RXn~ebgazN!BV7gX1Gh> z#@B!{w*lvggdef)e8Ql4cxrQZ)ZEp!^yvQsoSdtgQ0~j!2vW4ab}3Jv`Bjh(NvNQF_^!gY27(Jw&AUV)Cl4``{pM3r?;8 z{FN%K_|D|;tjSIZFYeKV9iY}Azl|GHL=Sj7`PjD`&0a;RFl@u^UR0vN7nW?|vdT-$C@ONx zvo@_rdl#O})RAf7@B4z+iwPyK0?7@g`a7h|cT7I&_t~cPl;9;gy3zw8>8=UQ>O3_$ z#{0Sya^r!Hdq>ADRrocLwSP`@j@lW$uoXySWx+dx;tEVZUU%QZ2ymX{{7J%8y|%2{nz<_?p6d$p^0B!KPv9E1q#>` zqq~H~lw2c1?z$$A-|b`oh&8Ah{>7vCE#>vfUW^lkT5QdW8+ZLy(fkBOj^S-5jP;WP z0TyUBT59+^5MT~@;)iZ%94KQ4HdXC3n(9h18Ubywp^qh-P;!<1=G!yNf6>O{&mpr$ z8maW|dsaSUX#&FyRK>zmUbJm_S+wmyd4GSPo>56=XQ6FxW+r0f>tcVS-sZmIcE%Z3 z#+eD%0s}i(hY_Jiz1bts1JcypbeoRNBD#$%GA+TxCfldhB z;^DdE4fNr)BcZaP`fS_wEBS1P!$5`ru`+S~q=UD^jbAFlO*Ca*a-=dtI<_PAx^Bu% z4_kM&{&3hppl9tNl^n!58DDCUh*j_N2GU<-04W3Y#@?x&#pH9ojI>`&X)gY4(!tF67L^S9R{z`cR*BhDUP(=q%F_EA_Ji}@(pI)g97E}$U# zALk~0E>)|Ugm$exVlkFZ`^^_5yINYF8F`+pS7r`gc~j=;f7jLuZe(QJ>7!kO%#A2y zYBPp&-Rf-b!J*aZWygX#wo&a=4(*2eUCAe+qkn$7j^Tl--`Jdhx=gVpK!mooae=r9O z6LJU0{yOOt*&k|t=ol1Q`(!klFQ(bhhH9{#5UmeFySXw=A5gohTFWSN^+JL{H)A?w zB?Hpnz85E5d}%^$5P`J&!mg{QfmS2)ir-%~u*6?57~@aLWmAKe*GFa(;9ft$3pPKA zdqA6$ytRZ{cifEwD*yM_t@gxhzy25=?{9Xw{p7z1v>pF?-=3#0+jImN-9^~C1tl~H zA76Oy1tBspP6~}+=e)tA%P$+(;Txf>W-W1BS9tQX4ElXeIeGl0w1r=V65MzKoJLws2r>mPL9 zx~N)ptMMe(v0J;M2;s;!MH&pYM##L92BMG_rwd>ZpCYr^Ku!29r{c*B5ZWnem2cO_ z>2$$5eV2iclY%;DD_gIeeHyDXRL!edSeYN)_?)>7#Sn*vYfksP%QETegWtM6Pg-aY zuL_2T_+++71JgzpGe866`D(&=VZO!;iH!w4rrG&)?iQW8H(<1+R6D6OoBxbnN^h(JQXy zT$mBQK>O@}?g=JiR;YKAT*j` zOCNRMekFJqmGy>RuHM7aE;Stg(|me#$?YS$+XgvO)t@)~+09VcA`lFj_YGD!de~Ou zJZvrD+l;iUt5Pv~WA`-SL-%fXetC4}o-R4v@9~tH74{J8Rc-vGiMvW>M!&%tMsSQ6 zUPvtFi@gnaKVfT&ZWY?u!;8rCbd`doXSp=CM6KdY3OLK-!jx`oxos-i=1U zX)^zZ!MkgKu|Td>_2h$ZS~Hlv?x%n4W1xr!(CDZ{DGbH$hmWsiRKy!^s);m;tpePq z-`iK!$68jYvMsGsF!1p(gADyiMck)85a^Sw)q89qLd~2VOW+oJX!&?Af0c3~~LW2mDkl%I;q5u(67Frr62b zkj)*YiE%<%Af~ArQ;FM5z@>?%@mn4Bx954`(5-S7ek+#l3d#+FG-#R8g(RvwbgdCO zs!85RzmscKGj*4B4uu_gOxMcH${IGJuk!qXb;$gse3So@ZMpnt$L)SP0ob9H?NPlL zU*|cA)&0?Jff?R$41#M zEgB&RrJoAy+9;WnXW_=9-V6^`W-{t1IgE|t8=-o176S(?bqGH#zxT_T1>eO`ztsF) z-i*4uB;xHXd;BIoyck6nd#zisHtqPkW6{3oxn6?dmUtsi`P3gB-%B7Xwi@`IBP@W< z;MWE+#>A--U?=9|TG2aNsgZl$s&jR|gv-dnO{)=9F|R8?WLoVe?D8KwHMGHG`6=1H+R;T|RG1z0&G-Tsk*zks zT1dSe6;wckCz(C1-MpKgobc)ixuF?wRc`B1V+z})>oZGK4~yp-VmyqsHU$bVu<%eF zuQ{5T1NXgDwV_*)ZUXL;qSK(W`AXUqs@@AAw5qd?PTyx~ZhOw$B4m)OQ(MV#ZV7u} zlIYr%9>7vv<{UX@>atsw)gFSW$Qx;Fn(;$S0Jp1H@il z2Rn$39?|N9amq)%Z=weq$%WvJE3$41c7az!lZ<>pGa!LvVT;85JMcC^(`6p4Gw{mK z*vWPHW4J)5Rf-a1qTHbT5@@gLZ?PUK2?63ZLK%J?C9d`2K9)qWH|wPh zhSHchANXUGurZ*FUBMX{E*}7$KmNTpJFoELmfG@m(8dGdltOJEISZ#U4L|*Vx+3Sy zAEZgd%sud}aGn)A2rsk)Z+nQ>Im-E5C@zfDz#DT0`TZN|III8fmhYOv zMlD46IIvj2Qd@Z_dik-Sr&t$M!Bu!WxUE4iY{@uaAsFjL+RPve>5Zhy1u6 zWXqAY2t$8OdB^1>J#=WTw)kDL>~y<-DE|I@Gz zL4k5yi>k9B^J6tZ&eMD{n#c4gXASm{y=VIa1f*3?-ycFTTa?P1LE#&I_J>6N-GRJM z$`X<0N{J}=mQYL9Y9az3i)Utx@WJcVPU&X>NcYR#{ukxBslgOlS6AWK=z!;_ z@uih>aB?o$(;q)#DWNilOG{LYeLtKdCYtou>1*4^?W z7C*UEHh=7#Zh)5V2nkrW{t3)7sx3+VHK?mQ(u;p*4-(L)fom^1+yR8SP2(rf;WaO? zw`+nHZZ`bevnKj=V?BAVsKcE3J=6A}&Y*fzBK>=AZF9`45~!8|r_lw=1tKV1c!FZH z7kW@bY8Z%rLgRbic?Dst?QF+{Hd;x%2yx?a57a)^?hkhXT=_mhJN3!Z3#1)BsO<+0 z6~|Z93G+GxzZZ>}AoRfA0ci$#*Rh_Y(4dqwe*)F-&I=QcGwh32v?aP7a#mH>CDBsP9&QhWyRLYQTAG zlfa^3he0t1Htv;BD-%PXvm^+7zr%`#*|h%JqNy82|0l%r9R15)kg<4~F+K{JeZ_Sdyd0*gll^#@A~l)R7~gNo@{*JmrXL#=A>LKvG%>Dwpx#2;xbBk zIArF^`px)-zqz#N9j8Q5kH1xj-Ozj%l87Bk9;QGy7ac@*k*N(nBRm!OC-$LB>syf^ zVf|!V5DE8&dv(;~O_hecPi|LP-&#zGfP;Y23v0zK{)=&BKOi8Ef;`(S!Z^@2o4ziM z;WtxxWzb**R%fo5y2eHme8OF9#KpUTsZCQV@5;hDSGJvg*9*S&4I0%!=RKp8&4Y!6 zy|NFFp4PDbyFSi>Iwjxm8{A2L$}|NSP%sW?W=8F!k7b)NSu?BiA=;JOV#C_uL0nW{ z@5p17Bs<)~bE+#WkeP7`_Qcp5LcDOgkSrMH5#i!*ym>q?OT)N58=h8WpSe^@`bd82 z-yYV_S`lMeyJaizBf-ma{=P#!WeE1N+Z&sqT-i*O!j`7eUTv1xmQB~J*bsYUl2iTN zg8jgztMUH*3KFutSMwoORWhp3g_Kn0+8E}44}66^x=uy5Tiq^~aD*tNd2SE8yQh&A zXXTD8XJ=5D%gx&2j4T`i-JFLjPJLQloMH*zhaLVXhTDLRI<2}LY#WImN)4j*UV^W6 z=Lx0ED)mkf7mF)AI<&#lDx1=X}SMkIV48)4vpf3 zKv`_rDcyXp6-Hio1<~^oMb?iiq*Sb0vlb{j?LkOSYz_+I1eWE>i2#e@D~k125i!TB zeq1D_HLXz4s}?8zh~}1lZ(zRJ<5^1>s<=@L0);unEnI8kiT1~qu#R}rhznDXp{%vaqHq zZrRALky4sH^rxXBoIP3)fHMcbo@WYj8@9971YfTz5(`PoVfFKAvbc#A8k&KR zy5SpKoB2nIN6swk%IXiX38FsgK3KP)7=*im=BR^ulG*)?zh|m^3goD3;GsiR78&Gy30K)-l*yRMgI7aAXmvcpWeN(3xc!Q*d&N@;&A&z zxRm+LQ6x1L%u2zpX|Nt?ZLXG~`OB+)jpK8=_u=>YEm@jCs*bJp-2(sqWBjq$!0RIw z!I`W=<1_IzOLk1*&I6{X{D_2!QqVucQb;@kT#M7Ke$jarz!sC>?rLy*q6ZRSQ>^d;EV3NFWSw$%@4fX@- zBBVa_%I)Eb-0K^D_6z%k$0KpV;`Dvb{8!qo{fGVm4 zwJ~ofs9Bmz^!pKVEAK94cgikyn73Ut(t^DoBbjU6|NJn=@^#Tz^$3 z82Y(My{hKH%2SPlVW3W@;;!&pFEZEU&25*4N(*3@qhSQFWn?kZ=R}OJt0lg*P(X`P zSsZDB32aR1uD_KBzqm#b(DW(qUd(Re{W(O}FY%t@XuwkcAGXedt<7%T)(OGg-5rX% zI|L~Xr4%bt+}(m}@j{`vyIXNB4#g=}+}+(yzO~lbXYX_EUy$U@^*(ZsG3L~O`iGFZ zWJ|?VBw5q{Fa*rFwRSUEA)u3)@@QARXSzH}*}3Ym8eu_HdvN*F5nkR*g2o=8~24v~>=ov+*Y`M#5x zvp73u{VvwzK0Lp!g-d@@fc6k^CsD_<6^5s3$+C0DHiBidyqK6r9K9W zw7*%J=z8~uthJZ&Ch;y?b5nqm$*W=rc3uCHha%CxVZXuThP3rkW`9uvMu^#eRJ`hXbXlg6No z6Nkj6>tage!FWIhTR!Xqg{zcG6T5ex*li)(?S@RkFQ6nDWHJ~HmV6N`e!K-h&Q(2@ z#&@$_mt^v$d`HXIFSh-ef~#bdu-V!dkb~eHpTHmjSf}&3IK0uP%#aRl7d!|XxF1_O zzi9_ZjHOpo?os+5J4eW;{NS@APVuGculd{~b+}TTt>m^d^1V=u96+eg{2a#xeZ%Gv z{LUksm|<^f0!5jSjc9evyt;AzdG(+n#f zy7jJYphI?c3^D(rys%!WJ`wXLfi9&xCJA6y$#VT!&L-=NTO?*o8GN^N{hv&OSZNCY zz(M})^cjXeZ1q`k4ji2-@8zI~?ZK22U9zSaReTlrz;I|QrD zza*fcb+uu50g&TV)IcRJn=P!6_X%Hz?+K~q6*;Bll}R$oqUG2<5^kdAGX47>lO*%4 ztWgyz3C}e9OqPMF*p5W>0m_c@8U!!j!k}mtIDklUFX=6O7^EpxdK9GG!;%}TT%))S zlB^!eK@UkHL~O8y*9<$xqqa{x+!OvMF)KGP>AN9G#Q)4ADe*sX`F2;e~C;i?4)=$6(o zucIKdwSfh=qSSF3_mc=@3pp4k`vf`Z*STovVr<7zkSb!KDSE!CSfOoKui7}j^P?+Z z_5xV=aSC445=<1+)HjjUl@XpfN$H@{n#(Cx&*v*zz2bAL_VO6>mv~imhF-Huzvb^H z8d4Dw4*k@E)0RQm*U@tHpD%U&CpANCc-}pf1Uk3kL53x+dbk*VPEJQ`i*a)}fUJ%R z-SpETFClgh*R&1Ev{W`x1dZeg?n}kEPv%;ltS(1?>{=mD_;jjS8S(f_I8yRECo6z@|*)FE(HJ@eILVfsi(= z>9bJS4&Mhw;JH9;0{9UA_CV1|@Ub^sQJKh9z*Yj|D=yQwiK6r9{Po78>F|NLh7Lbs&_!|W1yv~_M2xc_hB%U<*7&NQ6Wv(MFSiUC&`1Kx-D*daA-Hf+ zF!g&P=X$1bcopP;vrFgww|kny#llKgFa1{@7xI%G#FBG7Kc)ECKP;)41griI3(X0{ zf68S&jTi%jz2;*sKKo9O^QuT5fpu{PiT*S5j84&_k4&F3bu&*RjB8tg%QR!K~n^onDHNN0=?WkMy|w{v+( zpYQxK-M@Y_J4#V9P0K_?q(TW-2da zuUq%AA$d4YQiL?!PI-E_p*j@hv+7a^&=yP!DUl}NtBu2;LwxcCWo<4-rMM6hk}{j! z7LYIpU-d>*@69zi_^0vv2aaNWsQi@L>V9E6SE*FUMp$E#W8Fx6{d6{{?}+_7lRHZ6 zO{88)%!q^1;khp|@nAhy+V%9WAo}1_>~x{hsJJIlsqPFt{K7$;xQg0@VaHtD{TPur zf_HpG%ZF-pC4(Pxr3O)*k7Zgpxl(Vtta|(0=myLAKK%I(E3G#T)^pa6TYX5q%yrO* zuNH=SP%3+6emw=IAoA7d!MN%Tjj|L26Tq$`2XydQX=t8&;w@Fn4N9W3LGOROQq^R# zP|-6md)wtye z>JVn7M^$Hvi^qK1iD#?9>H-rTqQ-1ngKzR(6v9OTI_iS3?n@0;rDl=rr6&Ezx5v44 z?EG}{?_OkgqjODgpY#T=c|-+W+z8=Dhi;9xw4Bd zWA{vG6nr5c32L1 z$u2f+fjsfyv3`)!!Lo()#%(bgb$0W6yX=nVLoHo1Q~6*dCJYHC4ccN`-Fm3Ec87_&fI<6xh&WC7kIMDpzXf*ZxIk6 z>B}&p!#Mb5{VbjvunNsE%n7bTpSB_vTe1#|QP~IW+>PyF%|jQ*%|3-rj=gs-^niMe zqW6-&)A@HyKcOlYA?~GIK>zW&{`-1P=a7>y^&~P8&xpg>MhH2z+*f&oyR+|X+G%9z z#jo|^ouWRjn(7*H&}+SWbDC_YqM=teV_Mpt9{+7|2`^H4ij3PL7h_*~j@v?nD0tm` z>hMPUo+j`NgYwxScY@1;(|!n_{Szjw6wCA&xzKgFiNj3MccBRrggrZ721$W8HiJ6( zxg83P8I{aOoRfu?C^m!Ef;1qH!}#7!5|f5nOj@Hh$+RMwsL2d_9i!+?Ih)NK>wm3Y z|1}l*mXM$CJ}ibX%^aLhnKHu+O}>gUTF>T8Fl9WzF=>X!{9MrtmC>SD!PnT@OifU^ zB4911=_1Q-C>1YiZ7e%9C?n^VbB)8dgjYYu;GcC^N-m0~u(!tTctoSSxvcjA8}{w_ z0<+uPVL3EnW|;BEQkG|%S*Z5NYXF|(FQzx2$T^-!EIz1+bnc{N@<2g#qi_v>aN8C< zoX4B@wnv(PTUf;8JYAG#s)G{olXs!lGTXEM72M7iV=-^J_H3I-m5(rg9GW-fdU-9x z(%UUX7a+1i5_q&qs>59e_|SMTs|g{%p?fdU(fSjm_Gn;u#(b*h7kCcV$IVVPQe2VH zv(ElFH8rv1Mh;&H8VFXI5j42n$nSdh9iX~1o~m7#C|e+r2^(^kMBs)9z!80fxOYPD~=f(76<4 z0?;gvOXci&xh3xzcTe^RTFrCeY5n-@cZSx*bG3bc?q(!O6uy3ff)`@d7*i zYTt=Sz}W9?)N8Ojq5n!O%=!D_3;&o9-4kbUi&9gTR;w#fY(PrDnQ6YzcZ^7tdnQF% zf53Uw`E3OM=g0uz-Y^oK&yi-?<;eUYw;b&X;;SWxZpWsAwY*EtyN3zH0w>R^)N ze72{3Fj=dFMmVG)mxA`z&gaZ6fCAQVNJ89GHhW=@{+HOH3HUh>GL(;-$wv z0ohTrKNhGqRgbnBggZGX%u^-)>Q+k${1w)qKo*NzJS0;f(`LI)AogD0Bk84cfq=ZW z`Y1?jCH5GlI%&Np43b2-FyjxLWcc}68c`$c@U%dnyN{bg4)9bE zfLZnB34>1+g|1o)?X?@DUK_N!1^X$;>sz+bfNk54T?15VBdPlG*Fam1PAOT?U+j$W zRyP~XWxmSbqg&l4Xl*KG3+9Gaj@?OkfRrY^>b9jK5~4(d$OH1EF#Nu9CRgO;w%6OF zN}RP;#YZe+?j?6lYDFdgJJH~$@pn1OTXK9Hh!VOkyJI-X5_EoMgRx|IumB!oYA_z@ zkwDq!$~0cf$LLhWI8guw<*&5HLrjT~SjI0SNvJ^?3Y_=7QVbQ0VSg{S{P%y$iE5X{ zSv@y%2If^|3PIA+c&t<+WOgEu3D{(|24c~jowg(RX_qnm9+94m7Xl2Q)eKcCsjR3< zs`A19`HyHMPV%NK)Q<04oOfsg<}qK18(bHi5C2q#mx201<-Gv%i<$}4p>r3X2A*R} zL_tr`lK#atl?Vmk8H!B6?J7_nO)Qwv`CQlB!)1LHM<+C*{RT;e{mT6VWd7M7)#8V8K5`)oxU-lEo`8xtcDw=`aCqr1v zznQu})LV39FNdL#l$sWgqf*Pbnh(wvIMG=DsfgTCA*d8r`60hG@KVwY2+9x{zTK4X z1GH9Zw^c30485~PfAf}T9XehZyH^$O6eyN6;aD$JN{Olc0bK971BfGd#6r6h=Tfs( zeI1sdGp&%TW0&#SOmsF;m-5x#Z*_oGe&RcUJ77Da_54rXxl&ENx%mnM@X4}=)(x$~ zx5)uC8*Q>T%&%n5m%1E6FwAs>A*k8Gq|gcVo>!t#`~MQG|0<&&$?tPSKi@tOQKvUr zuNkl|jij=o%$1YjPVUBO#q_xqQq*)wZ3x?p95lt88|M@Lq6tZ1v z{FI`8I+UJ()o}{56=F0pV=*yPqb{z|+E7|*Fgh?zYI{&crV8|YZq~*^2uH-?+EQ}i z+8sP$_6aS&fJNwbp(CJ1|Ct2+8UT^cxBTN38O>&Ifksw`(Jj{e&DX*CgQ~e(46EWk zv4a!5K2DFrh#7V24DAe-Q&s8K%<2^!-=AJdI+nLun_R9Iau8rTiI>BRbUaewx@S7D znooZ_@zOjk*NR*I?aQ8}Jp5B3)#7Z1CIVgb;)5D>-i#H0d8{QBI4E}buWeO*;&#Da zSsnU{o@7Uq6ER!5SnsQXcKBhw4Q3A5`{Xq3O8j@i-ClZcOc2FtFYD!SrT>TV3+N(! zkyDtV-kEDa3=}>yXXDSsM#+V?0jGGo=ept2M9O2!lG$ZB+8YX|>N#N+Ha32=`+Iq| z$w4(uc=;CnZ>G&yjjys1JD3=G!c^4p6ICDcR~0l-cUu87L*w#TB8qwhjA-iOkH zwn3t?)3wJa?4tK_ks4pN1DHJy=qx6_lGBx;wd@cC_Bt;u@uPP7ydENndS3_Fue5^^ zJgF8=ubM2MI0w(TPF~C~ddoE$g?MdNKe38IkB>+e^@%v6;fV0RuYu|I8G#Q_g{c~0 z&xwV^ON6N9p}lwxN4C*!fRVmU|FlR9CFR=)MW2ErD+!*ARX$fPIeN)MxHUq!4n%mG zL^C`NRzr}KTME@_V(?v;6@UC}Wb34jbuWYNRvXTDk+Oi5NljCD{*|2RJCOUWFP=y@ zp=bR|0OJPi6XYD3;!x@lma-T$znv3+a3b(|^W%zf9)WMG!7490=~8W=&QKP?vWbzYGeFZG4=34m9SJ#)fZPLLCPTR`E{i9O&gTTv zd{xa=TRSOIJ@9=6tGO-4)l$z!TS#;GyU|ldRz8>LbWxow*3UCB5np)5;nvrr=j*71Im z_<%qnyYc7gIvNZ=PTYQPArxNJN2|qTvi8O z2{slGi%4xh#pvfnoFhshLc(>~htl`i&LKR2a`TBS>0*^k{14MWPe2Hd{of?_E6#2V zo0ms7CjU-ftGA9JO|(Bo`>5?7REA?V53pFn|ox?YR1PQSMsysU>)CMwQz!sX6J; zC4$jKN>D&?6O3aSOI>GEi8SL@~gWiZbI9;Ylctd%qX z^5>O0ZIY#4XG+qzRPG{#uctblQgqT5yJOkv2Jp@uo)6#taK)nxqK2HU#GdHIM5LEZ z{q|o4oR3BSu6QFQGs^H0--yUpCv<&=q@H;ePBht%FAapryO!%zbDEutj`k#=IGkH3 z#}OliO#;?$j`#z1$I~665%`-I>n(Hw%w9;*;C%pDx?RKr6<_}+-|U8Bj6jS9ka>3Y zO0!p#_cd9bxnW^1hF0@uLruebuRp#^^=Fi8>9RSszYy+Sr*hr_R*$`+4mNknec978 z;y;XGQRVgH`IRQqYb%y%bw-;=nswA?h@o0})?2(}e5f#-AROt|^0Y+W@Wh191hVY%Vp-$73UWL1KcXzivHKY0!v`ojj9bh#xbVX)Q>-M#*|M#~=Lp!$kc_p2Y7T(n^BA&ZzA)*Ex5EHtX#fTQ=TsjZC> z_Fj;`C~5Y>UTB+D7OQ4YO@FtsdKwq~+T`@|DQV~GeVP4jc9RRY%{-ale`J;snDv8I zME$$n=Cp*&9zd-DD(0^?F&WGHw@M5Vp@}=k@$MEHuR7Y<%KSY^&9N~Bxr3OBeTl^? z7YFa|vv1Dkd;NmwdCEuaw>SPE0LHwdwA>O*OA?D=$Vl?Tl3yD68HIprNYS&cPgfM8 zXGDla*ckcNJJQfDm)+fvk*rM(6K)3Mkmbr`-lj;OLd543y*2G==BV*5!#ii0KoaGorAaCqaVo3(1_h6nvBnTLfO`@?;R|cW%){ zA&@DC+d>)f`@YU-S+l9?Wdgx#(?m|$P47AjcEjJ_6A8|qlE$)JIT-LqvF8Z;@Xy{R5+k$*OZ{(q!j^4f8Xv5EIX{jgpx7O6BY`9e1ZCaA^R~S0q^xmN} zs~#W5w`p8JI}ilVq&-R~k{T8;xfF?X?k$F(v}nqWLook zigA5t>5WVc)!F4Sa`OaA%kFC__JsKPDXeT1QT$a<~Hj#BLp|C%3|U>1(Z$*l4d zsd0G>ak8Jty)^E%4{c;`HlljV{8)1uskO%nNR_|v%cv9 zvKDJoZ?a!3NOFv1{2Suh4^E#i$VQWCQZ96REztJFkQlmb?(D5+OG<%?H@pChL2ji# z$8tiJGHSABq5hzX{@0*SQG+lhCNAuCh#EsEtnj;C zH@`JWP!nF$5bzQ0GwozE76=b>B8i$mL?3wm$KkJ{(uWH5J3g9+{xV1i5=*kpa%l=o ziR+hQ+2yM1;|CXT9#4)A0Zl(^76^4` z$S0**-(?5|fSgAyht%BUGE~4zy)@JuIkTU&0;6a=oN=IOy;OtV#h8RIa&`Xq4bTxo z${%?OD}v%%{rkfc6z^HjRfzRZXHjICIBuK=xQ<2;w!BRmOTRa2@IIf<=h-P$Mz?Io}nn)g+}hM5W_8kfjB7U-r%(yLMs>R!(UR~*V-@RNq#u7X zsAAR(ie6fLHm1d(;Y}q=FUNZ6I_f{meW^_r6kWfoeu0nEYFqQWp~D+WS89d%ZY+3( zsp0XOGL*h$E$7}HKh>_bg^S*bdjO?*CO-g23YMY<(`v56c-mKUTBN*2A4byz9%~q6LLGNK4r)5ivvS^ zTv1^|Ty%;TO?_XV;m{Q|1649bu==XjKf)e|X)uDPL$1G+dAc4x8jL*Z5`V=VR|T$o zqf;3;Bh1(Igs&6xe~zD-5X&>dpfJH)$xdQXkWw5($wem@SEcCxs@SiTobxo#ruH6w zM^^PmM6V-93_-Qg^p*w20g(Mx;Tt8<_cNi0@zrKl^I+DSTBI3<18zr&oCD@&aGp$L z!D8{3?Fg)Mjax2QC-GwW4JaOSlP!G7b&l!{H{afbMk! z*&+hF{E~Xg!|2B;1gS_qs}!L}2@|8kJRH*?(Ije`+a8o&!q5-|I{9NorV}BG!y1ar zrUG`u&a5YT$~5eM_k`Lx(Oq= zlz3nUx8fkG1+UvJ{aNFsh|RJfD$v7P#r_E zP|0697#^MD@gJfe8imV$o5H3$G`NdnD&DNsH^Oo-HSaN=Jo?u)yf%KGI1o*Z%Y$U($c4I`RLeI-O`loGQv4PA_Swrw?OEB*|Rsc4VM6 zi8meq28yt->rr{00HrlTp2vQJ%bi%7pa)jy9zp&ugqsgcb(8D>ky+q3X2S|fNDtQF z`Q-_8!uImhn}wm1p|P1SLkis@P@xoAOBHZ~C)>SNu$10zh$fnznkk;JI(rRnuy~{D z58tzTue>)xu5|#Z<8unK|gST`%TRX{PrTc2RQABAAh88Hw$% z!#eB#_bh;G*o9j67)4TrGt<~ur#Kq$N#XCVg;Nhbr$b|zA26vmZxh^mrKZ7%0(gFm z%2qSJ6?r;jPoP2X^6959Q&L*5;dcqUZUAyyQ`CFk4Owf~SWiNJ67QQTX+yOGT&PYq_q6SE(#2U+v03tj9vxp(aNffoc_Rvu+T4E6! zir)u+8}9NHS063B*4Ivf^<7TpJAK)Y4(SbxDG`>sG28=v8)xF(LQ2V%MVW1PS4vXt z^setC%#kE2pJN4fomZ{h?Ma$!i)EpjkxtbOOj0aQW>)-SZA;z7TLnQE8BWpIdT4*Q zk|#Lg`s>83e`q_@WMWqP8F=;!E4N89^H61_-T62Cr$+bup5QaKJb*BbzV!NEAhBQp z277Exhrbhj{vA|L81kWcC#3e80`&X{m~H|4yZw%PqW((}ifdepjn5kRiLX?Z=pk)U zlglSsHB(I5D1}+>PM|wVr8#z>%_fP`D~|PK>VeFroI2Y@XpsSz!C2($*!(4Do?KA~ zYLWEz6@NA1=ht1<4iucMD*aA59WUe2;6YU;!|0N0g@K9Lr{RyJ+uL*HgRWO&M1K+@ z@&=+*9SBRWuIH4zd+(GmD7x~~K!Y`D-CgO=Up28lk;QQ4q;K}c=I4#c?d8xYJS;8G zhd9Z8CCtSpnD_J4c@Y?}46HFR=h7<7x)Z-Q%j#&@J@eK%*_LG4@s!M%L3t)pK^^q`8q=Jc227T-v{SM*& zKp-F&1J00qMmA=Xt%S^E^jc%y#{In`dgu!eD0=g4;g!(FL&QbV33OxWcz0+3c75o9bf>W2K3}QYS9d3nP?Wtu{S-I=DL^F^Ug^u> zt~epIMfv35jizX%@sw&Cym=hoJAEOs69QE0UL`lU9kE}3xiI0eo<%h1EAcp+N=#X7MUjD#O1f#+n!5o2GKnZw%x%<2PIf+5_R03-~qXcoP z3M%>)Q!u=}FMI%UeXt1S1FAK6oQXZ&%>Qx??y-sU)aL&=uBp-(&a>bF3{@Cl9gBeaT; z1c(47EZ>B=Ty|}Vc|0RFdo27<(zMH}Kn;NBzYR{A)+zpb6WPTMO8)F^4HkFkG}vY> zmv{$InO-g%@@4!u^}3(nr;8w<2cU$s7`#zs*kLZCEL|WfQ`$%B3dkB#ECn+s@i86E zJ6Ot`Ci2PDJ&U-QGk>fB;IV$9MZ8}~eE0#kZp>mnVE)Jd@j`ZKtx|7w?K#TGZ^H$h znhYK+M5z&XA2C~xC~mJ>{-M&m+k#;3*aonA$ZI3`-HYK1%DZqNX5-uO5v9hz7}e6m z;!@MU{I374uhfW~Q+anEUvZ1JPGA&vJ`o(fjaqRUrxsbjon0w=={5fu!C;^jPB1<`d;tFSbzlw1C#RLS ztOPgTI{a5A@dC(D-gE8Bd2B3KkF_;|J#1R*agml;l{RAn ztN{XWg4k24Kb22!7AYkv$}-Dj>%Ot;*J;S!gFNYv2m%9(P5m+y0h$ZNaWgg z#kD4M!jS|wHiL~JFU}I5V!r3i3kYrg-h>gO1dRr+e}W(mua%mTvMR#5v3(`<4C3pG z{r$5+tLK7jJcq8VOk57tlaFsK7|-B;YaOKB{q=+;9qF3oC>u|)`|h6AfkPi6vFX*A z%7NHFi*4rL3Q&B>CDQJSN$t=j$u)`VgQTod?uQh?L#fJnzSk0kT-$ho0cA<8dqw2j?18DwYvK(FzLLZA8N!tm$Ry->fC7 zcj$-uSfthY?$9+u^xtd77r^Q?p3Phy$vu@gxa_?>!v5EZD79%9MQ0t?okKS~EA?=! zjgDPpc()+Om&H0Oh>ms8b-L&P!+lzZ{6_nAP`(~YGx~`7yh4>tC_>b?!`(3nqHlCL z#b<_^GJYvU;oMREUk6Gpesvb@O&D_C#|Cm4_kQ!gk9bbU52YTA_#Kf^gBwb--2r(D z%j)tRDYc@Q2^MZT=wG{IvU+UTo(PmAzxbFX;-%oDYFOM;pIl2W;joGW5TJyFaEa-~ zo%k0-Bv`%_8O`!~)R_%mvt`dZkw*|xk=j#NpTh&l!|wS$Z%LhunsK1n?$0j+7NmvE zZkQB>`QKp+w#(p?tlw=ZAAd!kqB&8cyq$u7s>8@gS=cKp%TIEjH3o6jpggsbT?bAU zFNdncFTi9sNH!fSiF-=kZb^}N%64@?uG8s>;;rC-L6gD5`F((Xujz5+uie3ZsXX-b zc3hG}`?0$QjqK>s;)u@F?CxqXn8m^$2STxFZ>gftXjMWD8ggd?-MHlT35cw4Uj7z7 zQZiiOba0uU=NKJJ5IlAxeDgZGonrgh&EDQ@t#a|aQ!eOmg4u?74hL15O<3fsG4;~` z4g+7c{pAe;6BBeV%?+z;Z}+F7G{3XCjf81Mpb(6?jBFjL_^7El-U6OSvPAV9SH!Fk za*Dr{^T{!*f#qBQVfmN<01hLm^<0h`s!%oOmnQA@ofp)j2);8_A3N9yc36A?urvjlSh zX#ZB&S@aI7w?GH&5@nJ>elgQQt{*O&wBPAH?yATX!-bu{PMuPa^Tm>jChxL;ED138 z_ISL`R;xExE_KWe@~&4sy2OM4!av0l@W-m!ExrS%?XwxQl_HSbLLU7b0qt6)Vny2T zQjRL*tj&15VY<1wlO@8uij`9A8+=3ULXCY5``gVfqzuW37K*W*u$1NE^SOeX%$d-Vl|P~p%n*Ar6dd3i!nN}`}p+VlM4T-++s2qKOlZ# zHU~d5eJ-xT2d_EV&kz50h7Qj74@WI7xgINgbWIL4k_U=xD>)+sG`+1G!*~8h`WE(~ zFni|#YDj}@BLUa@w^J0QAMX%hDta@ZZe;nUvu8ZU=?s}{>5=Kxl~r&v0R^CDs(wuk zYK2kN!J|`tB>fImg=O%k9tKo?l;sui+Gv5(43bZmoZ!3lekF(`yU@nnx0k$Yu0VQ0 zh|5!Y*8eS*rtb){T`S}--t#V@UgOg!vbG9lG9OX6c@jUHfqJ4IzNvCcG~yND~|rtp8w%ZtX{4E1*Sz zrnwfDu&9_f_fol;F`M#V`|HsJS(j=Spp7WCjuXj+F*x8WhlaDX6B4|)EfCGKzTeR)bJ zi+H9QdB0+wvB1e>-M~nyeny@t=oH)Aj;6#(Em!mdwc_e7?tOv)2SQy}$L_wTs*zZ( z&Y7Wl5}~>PnjOnm;>18Nc+@U+_sK!D@M`X0WQE zVwg*{ks?cdtd=uIOL+!R&rJkcEk-7nSVJVls)-DcE(Upqx@O{oAq~dCEb;@ncfZ7z z`jZzVnIL&7>8P1`N&|6XnzT4vbflEDi3A3O84bn()9CK0IjE#hTwX&8u7bV+uq9y{ z^r!}xR6ur8G_TrWZCMk|<5ABLjFXaIoeP1KhwGt`eFThalw1rh%Inc^0$&ppNS@L4 zuxE(s0II=cFt*5gc!fQMom3vd6Q}3XKGd~&)p!+p{!qZN@ zDp;p^`nTmim!uequD-WMF0=zJf0)!r<*H&k$Aizk#O1j%|KS8+a*b}1Py8k z(F^cpVUz2hEj6a2lZwbgLlZ?xDQrx5%|8f*-Caup&TFVK2$q=$Np}thdS@P5Ho-~1 zHjR>DZ#C497itAtjmhB)3#mh}vjlC>q2Eva=7BiC!ky)j^v2TkBOOwAg-p`S1N3Y+ z`O4)6O=UnLHB6T1?=;?Yc=S3*5hg@MgJ#qNH-T zrl>}jx-}E?h84*eEV}YiD2CeZ9Shpz%7$Nk>3y^Q(SP;HjH2Q8YGtDcMr(qSpzA^I z<<3Z%`}6CD2WH3>vPS6Ba^>obq|-RSliT9Cf?A0A3-ImQb>d{{XOYk|5lrQV=|U$2 ztUd2<>Xzf`m<QPzeZ+?nI)Q| z_89zbrEv>2AiTsjVtkiHmLRX2k{Goc{zTBN`kjAe2QwDT%&VQCE@tlLGg5Kqcw-HO^%xRP$|2F~@8$C)XOw#Q z(S`=g>L#(PXXwyIf13HJe75n{nRVG?t6^Y*QQ&j7Xjh{Hl$vb+o0|M1jpxlDh&3Rr zuk5+*={22fUK!C#rCCuGjKK%6Tl{26;u!`{S11Bs#CGrc8z z>jBy!6Ab-2n=m4zhux+xoXXW9e8x|1LN+SMPl|-rs1ht95N6`$K$No6=0I_cFZ<2q zFiNXOB8_aPr}8UmZxk^vy=*K|l%Y#V+dOLf)fEPKD)nuyjR2QV|D*RXic*%izw8}_ zSPrjG>~tUA^8SgigcB(aK*%~ewoSV`Ge*yy(KitCv+A=L2b`fqhblduonr;#3oN#fK9pP%3-^wPl^Xck~%8DxZ;SeC$uIxrZ?oH!9Gn! zLT1%Xf>kh~w#!>t^48BdPeE_kFB*BOhm))YM-p8NeHrTDu7z+kqLh1?>mY&<_vndt zy%OzosJPx7gh>k=A8n;9aV&;lLv*&gQOJi5pz)i0qYS!4f(}O6xP3rZG$=wrKPxz|m2 z=QKN=eaP+cO1Va&nAdZNYj^7TeO@1EbMXpa)6Fnar5s^vnfx~ZAq?MJ{cr5XVihw7)cdz8~ zD2|ygviSj8R4>2zjb`F|e$Fja?Vhs07)~a@uH`*->ekcG7Sy6;;J1fV4w45ndChpI zjjdINqO1kmKmolKpfBS9B;mI5h&EfU;{b9!Vo@yQHb^XfzjHlpii;9p^mKcQo^<$S z{IAz+SJ&^s9^kp_OVvMYqbjyq4Bq4LcKs9{?NGfu`7GaHUEd(r|-@uxa( znfZTnnGgNTWgbJ)RATX#%RB<0PTdIoR$gMdS#C4$FqyMqs(mfYQYM3}^%N@FOQKOI z3=mn6I@BzXn46hYwEk3}C_AE+2^*l(pyv0FDQES|Y)aL~Usk0*%TR$sxPWgZp74o@ zBX>}eQmtR`;6^}*!0p)*eqHZmGDsbbz+U{9&f`P?v_AY-37=i+%c$?kj|K207FF2@Z(9ZJn4F$*OPtd@c? z!^4JF*ux#D8I$7a?HvHa)b(0$axm6g-k0szZKM+#aEd-^f4ocH3STvw!(u zDj8niP|rn>^dfM1_9gZ?Js>}X%C5cG%v{Cf*FQyc8fG19XEZZdanYdOsNFS`#ujvY zp<+-@rOgvCD|OFiY&_&J_^PICl)^GT6<@E=#9Zt6WolZx%zpRT;g%2zIKw($ieOhd z-9`yj9lM2}+?QWu37NCR1o1|bGB*37C2Iv>49x~qWukE-skv--PnPGex6cNzfAkDs zoQdY?I2bxLv@PI@Ydi18D8DA;PtDA$?xTTGAg`NrqCU4l1@YS{0&zoMXvPe$5Fbb(6%73x?Vm2+o4~+Z4${vF*UB6UpKCkhed1K5 zXsO=I7SRdN8yG(3fE_w|R`X6eT3 zLs95Mxnv<;k*o=cVhM0v=Ycx%OK#%(FTH#2Okpedj@=PGpKJ0^K)n)@C8J>w2n?6w z&_P` zDSiusp8Z9CiAKddn1Z19p}gg&Z|C4V%E%2cw^D|Sod@%CIYbf#@Mn*zQPnf7s1aol z$U$wFs~u0%FlhH!e>vhv#rChl!+RFxo;qKi1fA6&7A$2B(CfyM=tc?H9;Ci*6lePt zLGv%z8lO*>>!Ys9!Q5J=ZVo%lbNlxf;z5A(Zmr#?I@jGX-H~i@3b4m=p+*~w2*~^X zoN8xSFTi9VS^;VTq%25-Q^QCo4cT>SXc>H-geGrhC8>L;SWlY@?MfLLl%LfX12PIi zerG&z!`-4xl;ef~ew1ppFmF)97J$zA>{j1HuYTH~aL#ku8i23$SnrlB)2j}I(YZNV zUX~AzOe*}=iUnW-6uK@o`tbAGE_@7xv6x63A7qQV9KIzJ#?|Xb-gyY3a`d#8k&_N- zc%RBO9rVySc!$0lzMoR1Pb2afa8J);CE)+F=)wXuiCPx))ShS9}Z|=a?i6A>fsNih&~ag5~~p3B>u;a-BGdJyV&VG9gOwx`5R` zm0fD}yJx`8M=#KnAW*7pq$rVUn4|7VBT}v-sx*pD2X-}l_q9~^eEdqwevqZz;Q5(oSIGUmOl<_HOBx~w-K)9R~@$ zbOFyf_{e{jBt%i*dEi?Y{_x6Iu9?pxV`d z+d+Lakr|_5%H7$UGFj`5sp#4MXkI8H)|Chy6a$m|3j^Z=;{Fd|?-|wf*KG@jBA`eU z73odEj)-&;K&m1jHb6Q^krFxtLa5S9Komqu5TtkMy*KF{5~}nP2qggmf%oVCInO!w z+y#$-Yapa&_nRl0Sjc(E^gx}3~z@_CJntK<` zMg#Qh)dyi%gxh5C!n%Qu>?Ia4j=){Z$=*cwgVS39+lDgQO?52242-k&)S5Z1ZAu5e zbNI#pKhSV)#r3+R&Tm?e7aDs(__B{9L!&55t;-E8Cu`}*ra!MQh4^ZJjnrSlO4{F` z2iY~z{GgYKY52iOYGNQOr6fnaxM0`9z=aE1R7W@8`y_=9WXLF!r*d8Ue8qK=g>{QI z6p?K7xAO^7dPlE)eq}39b@SwQiM*g~2)Hn}W{vq|zTK;sfpw^LjOWx!MBQ|s*(Y*noSjnTPMAWzv9*;SmDBH zMR8H+=mY)jl7#>s((OQ%jkLKG6@qz+DK|Ddol`UWGh~ql_UJ0xU)Ly`*?vcm(CRIw z-};dQT&K%nvOiA*)l;4V=4#g*x4w<9UmlxZ`WxAR!vI89H0QzF9Q{zni?pfLn-k|B z95j5;4Q5%7GbrA*5sDZ1Z@hV8;1-}LmHVz0Bn;CVNBeO<(It#g;z zikSlO$ptiP7A2vb<8XXAA1rMjycNK>_vT_Es_?Pp!NQr{BmJ9o=(O1=S zJUa4Rm}VGKAxEj2D8o0|#_}mDI!_hL`VDG^W@_CfFQ~A+Z}1BJTn%LVhIt3AX&vt^ zXUJ1f-yj<2DfNsWtPSy757n`XT93*FZN~2P8@cDG4UlP!gdDXw_zrWP9?O?W{dnpX zu`g`AzY>{P_F?@MRW|8?fgc}v4f&mf(7!B&&~e%olsQOCz6z4BU;S9=66h)`^ZfIL zmJ8QtnC)I?krerrBOcd~Dc+5imF1P<0)3}3qkG;pUva!|@%r?r;_Fc13fC);jG_ib z)Ac!5##bY8ci;LC$le*#kAG-jp?H#~mnBxde2~tg0+K1?N7x+ieT9vM+nGzJDL*tU zlS9})TDg+ZAO;Fnbv7Vk>~C{r)pR%}h+0MsRT?+z|NbJ(|He~M96Fr}XkREllcjE% zr3_SHG3))wjS&!%mxY_H1!;BTh%MkC)hV(StDXNwa`5mOi)P1qRuL`?91S?TRvXO8 z=2Z_Csj{qw_%2J;7Yy5{t9NmNxL~)EE4#=(U6z}tgNUE)c5-h()QA8rWkI@2%pd-r zn)24)rcAc=`sIm3gTW(l2FoY6 z!Tz(Kmu-L(9#5q&K2f#-3 z#cOkg?xN5$*QZ|;6r~TY`UdZ4m5L=_>nb%d=s${Cb~Y%;U977AGmwTd(#hbC{EMX% z^Qn3${QfocoA$ZrORYi?;TKXO`3up!nnB~|WpB}$KW8vS1TsSQk9~mYVSbbxtbuB- zx$qyH%-jGazj3{>ljwgbqFwKOG3b1kP2{g<$?1%NUM_T?FFI!N zIC*^8I5$frZF?IF|lr6#Zmt1pY6VS{((^*R}kQ-4E8((*m3 zKfA8D{R!_fQrENZCq2AkhwuE{F4w+VxMC)EU6PmcYKR!f8Q?}=kf`Z0CQD3rYlmSi z8>LrvJot}QvRkMe79--nH>sIK-}Yl_DVDQp4MO;C$W2lsaX%;l{QIiOb5f=8;F&Zb zgRaJe<>#hSEpA<=B^XlHBQf~!rkii#-~21^eft{2p$9dC)RM^ukeqaGSJvPLAv1q2 z03Zg7l@v+!o(4R&e?}!l;SU+Q$2@qrAdwI;*`YW{50TL35X=C}mfnyd5K4p+C*w;@ zxM|owuIBy;M99ykGMo;Y_(WGfD^I`5Rl;D%NHCu!oD4<^J|{NEm2}4n9E3uL?wr;@ zlitRH;mshKgCOz*lJLdAA0Fl{@%!J~nLMeinLPd3t?E62F_+DuwiQ)Yr)@3QLU%$G zxYqqK=wXmZ93!9w&(}W=Q>MJB*wXr3i%c1D=3yb_c~B|Gl>Pw(isii}NHd>oQ~~|` z@a@JO-ten;Ui|f2jv{Znzs((gY5c@x{wZTjRrFn^Je^&N$uuQrs;M!Cn-f3GECDxn zUV;OiZA6I5N}i9Qyc?L%&6S6Sb-m`BR;R@?~To;`{a#7e*!L$ zm#+=+Q7#XDsDsRS_a=|`SvbB^IcTM29!rq}s_4nAQ5T6AUuE!T&hJ5&IWvcas0EqB zg-ijA%}V34c`5Z8&_g5EfgLMv%HPxR|3alZ^6?3#r9C75m+8(JGK+D%ZBCr=AC-<32XD7mA`4qT8W1vBv0u2(4 z#LSR@;I%%Nfq|9O$15hntQ_WX%%RXi=Pj&V1;C$+0fXmoEC+=VcL`x?&v$w%}Hd~X&aPvA=!DTCSY z;E%ZgjTF;`0oH2T2xB;y<+<(-&Y^q2>xm>Zi&x53+bI! zEnn78o05&XM04#FGh$=rOFz-L!h&>4-z$CXR|Cd=6X$jE06Cgd1L!geuKTZh;Y3c8 zAA3ChdY2VpaoT7yB2)%Dw#L7*2h<%`6GkjAn&gL=y07oOMUue=hvET3`Nq$Ln~r=N z(}fvizZAG#7}!Pq`u9o;57viYCSH#mv?arRVafN2qxL`iS0I{#a)kEWYlI@hl)CzNDG_>;FF&+W5*YDiM>)OlACJetZl-!2VSPiA`Ft+U5DaMM`-fji5nON*U z@X7|T!s!1R?^iGR20QXv z^$1D3?boiwKYo$^snKb*m(8|q)8~?}`~J!U@A$FsmHw2E5o5YHWdgdhabu8lvrCy8 z&u^9f6p&33oc$VT!q__!FEk3zaOjOr3J6j(pXZfxUO43+zPAm>6X{f{;T=OeDIz*M zboKkRDoDfn3`aGwkuf;KRR?Md-z>7GD5Ls3=NQi+ZewnRyw7REc*1E z2csmehReem1n7L-6YR*0L0(K^j6oOfe+8y;47M@-!BViHs4J=BFVxl5Y!-8^0VTx2 zx|z|zhEp-%`)u~snQar$rb~{dUVr?U-tx3KSba+&82XyfOfl2s@niHN;sy&1;t%Z| zlev^Ost@Y1w}lJjn6DZ}3Ez@xQ44&FO|lrF)_tveDus=p5cB*mMJm)c%A zuMjT)KaPmTcHxo2FK(vcODuOfSRNd8QE38XKn5qKl4@W+oh$zrb~as*g3s;7P##Fx z23>Zs-9%0wWjspy=^nKgknGrJa#1P{Mxv_w=O5oLY%qpv%*hh0XW72b7^V1$htlQsW}_7^)`%yT*Mfn^KITN1&~_6n&DfrrdR968M&zXRaG{E zdYs4CJ62Gw&~`!Q58XmX6>u)f66C9p+_LX-NBhhptvB>v)w+SlR@VL^4cECZw0UrcP_}@ZgMX&Bn3Se9gf(UtCWsr^}S1dnWIf^YQMu0G?&nT@MKQw z{ZmS|FTKd^2kRs3 zC|&^Vui-|EOeg*qBAO;=)v`+b{lNTBJO|m<1r=9!Wvz6@AAk!n?*syBcF^Qx z!73%wBvb5ZcoBEf+9jVCe+A)Y;p^-`>ao@b=} zv0Y@T;8Fb2z1MD;3sq`*4J`)dt2E>PVn`PB2ik@NMsve(Hc=H;v-u$otnL%7D-XI!WE(HfybRLNa`v*K(=F^)g?LWV(E7$MA7@{3!m-g1^W5 z5qH)aAGIS0m}a)R;BNeLmC%C*61es8>l2|r68x|GIcKUTJ|(e!TBV0xFcweNY_dlo zt_J^J?o(Z8b^NY-25((A=iVpDNi+~T;kDUy*|+Y`*&hck@`%BTID+^Wc6T@-Dq87B zrJuO#7uH~wg)?dE?1y*e``{=tQwo6ocP-+L*=ei59g~rD{u~t7$4*yMe?2R_OkMCS z6-U#uns;R}bcws+@n&N$I|z2;637J>^H5HzuI-E1sIV0X+!P*~rmpU%_K}5ai}s@I z^N%W=dy}bZMBmp}POL_-0h&unR5CnkWX+HbDQ<$WP{~EEob;;(^8tviH1&hje|kTI zf8Aso1kH?GWt}weBa?ck<-4+0cz)0)TE|IO_dFN)4hguF3)l_V`Myde2r8m+ji^Q zh)k?x#9jY3gU8Ypg9j)GON2X903z_xV=Go)iR6wbPEBS3jaTZ&`>W~Cn0-cTBc)ax zj`z&JvPs-*Ob10aAWov9|6oRTNV3b?t#{tF|G(H*?zSh-PZWyOCnRvlE%QRfTUr^w zjvql(e7oRbV5**XHMLrzCO}qp5yX4ty_FwMhHT!%7S`am%E9AX^Ioi=XoGN0=^G!_ ze3j*)!9`W(jjU}Y&_hbH=&>9-XYaEw646ISm&b2($vvslCts+(k)pY99E)CM(ZX-O zasBrBjj+}EG+753F6j2XP!AKUA}Ch$<6++Rq+i7p$1MxE+?N|${Ah!@l;qp;UKro^#a*1^4@(l>SbPd&o|fP2YTXn zMno<94|0A>@E%qJk$^JhU*o7b;QxvjjQH~qg~8Pde5Be%^z9v6zR8y3BHpyK?xb)X z^o&Gd?adf_W)ak5`^v>_%T3oJZ+uFW(Vbs)pl=JX+p~Z+-=+IO|1U>+?LL#x5p<*^ z%R2Yf0yVi@H(w$(U>lk3I{SqX?=v3+-`-WZnDcgoDpSrB)&cp5zJH-Eu<+Ew=~ZN| zJVjXQ0O#J{;9oxL-D0f@%X0&C<<0w5I-RsmafLeRpf`)kmuU##yR%;_tT1mg*xFkH z0N!W*B$$0PuknGIR=5EE_DI(HOoBHf*WZ42Xb;HOhkAi7mIK9Fd#P`D#eBu`(A=bg zSFAZp^h>_J^~3&G<`0~gUHIXKkR)lVbah~DCb5!i;!KQ(OJVJ*Aqd2-=n=`uFF+AI ziyqW9X&n+$85lwFVeq!O1(*k7(R366OBT;N*nF za>D6xYj*xdR}zV^Z=!=bgVbQq^QO#6mBh)F+&?jp$)^Te=|*TCisYyBC96u@=w?BJ zU*oUJ0rjv?DwRSAu6W|S%yoLkLD#N%%9{er*Hu(ypWFVqJu3f)W2=WOK%}jjFF7) zM}L_Q^#0PqZ>K|k%tV2^z9vWm-Dd?Lum^raG&1?o*N4KeyFV|AUy0nD;FGx_tY)#g zTv&hiZC>7!oWi5sJ)icyjHHdxikh)&KB@;ON$0rVaYb_W`ihMK1za4@3SMP|@tTYe zn|S!H^cuA=P!Sw*Bd%{W*DPQ8>p?zC=E{Eg<4TdT^bdjfq}N9-YlA8LqCemIZUCtt zgIiP1bkQ}4FC9KvD*3wqllbWocz$!$67+e&Jh(KT?Z<@{W)PR*(n4U$J#>W`L!Yj( zp4S_ck<@Y*Ay9#dZ2s%*ci$lATd%)&exxkYueZSQx!Sh>nj6Yu9cH!jyucIwpmFPG zEJqF2?r)A$1S;Fljyb*~SM+f6?8ar|wjH~~^x z&E5)8)hU^Fr)TN$*zobnjIqWZnh8c&AwdfZ8NzAr$Y2yr>)#egUlFGYZyFcU1+z)J z{M2`RQ-(fjPZfJ4J_n!rvgG^WbVJz1#g><^LXE!O@1M&$B$oo&%N0Gm8#sPqs8?XH zYIrcez<g#Ru_Usr)$fjm*aP z;WvK!m8Ho0g$qF!^cSz*`G&l-GEi{cBnj-JW#G;m#!3D`g71Tj4Uj$_#`gX5obYJ= zJHH}!hM|rJn5!qjlub6{nc?r{Vx=v`a`hV`($_u5Dx43!-F=d^Pp;_w|Aj!$V1V7kp5;>sP85ZeXsvzaAdU44(hNfb;wPgeE2KcOnSIH@s) zCG6HFiR!triMsiRDJDjb%mq=A!PdAT_dzgi7@WPM& zP3IqBoSCZT5+FZ;l!6IEM&$urkL~ZH45JQS87uLB&5_zZEYJ)EUJ0OFXO0d{GomNw z2$iD2{_!dcr!O<3_`&U29I6hQq%7!uJ0_?>-pC;r!+bIs4~ZG+3=}J&H5>)f?o{p& ze$dKTjXbkWRpb^+phka4$?l;hcV#>X)d1Q@;}41+*;rW*q8Hcj)lXC&&ck$(y9wnB zn;wxIl7KoXd1V~uwA59Yc7Ajs-O%Nr7Ml1XWbIvnr}{PFK29d^+f3=x>&Rulc^O|T z8?4mfyN}S5-7t&rzghZ6hn~QY<-zE$x0}9+IrFOtG1`p0M9yJaJs=(Y|3wN-=O}6~ z(rNDuD<%MkcK-QTk@-aMSy~L)3sJ9^MaCk6YoI!(IiK{Ph!89Ho!P7#r?13-6bwJP z*ZnJ>-UPsy0%>*^S{EHlPL?j+2v)Vm)*fVvpI)(<^i64Qxa?{^^pz9tp%__OuS2^y zDzFlj*gI+X(}@`a>L#_HA=yO3TFaVSER8(>`1H~W4aTHMXe8-uw5QfXN>5ukGe%OCy2K3LOLYB%*@l+a;a2cIJayfD-)d52l>$3-^QO%PniUXw+ zKX!sgr(KeH-yV)lLY~y~E)V$Ba@j}aiT}dgldAwN?#%e8RU;c;+u$K|vwho@CYZ-xD?ZkoDI=GYlqW|&%fsc^Iamzus7Rb;yYUC9% z4DDgMKc~_;uJg1mOxWQPdL#cx#(uzq0z$)%Q@VXY^QO+7X2!oWSynRXTa=J8TIGwb z(O;qi=oyz@2Gf6f{3!wl?7i?l*d%ypm#2RLPRl%X=))nw#g4j{odQzk^nCnvy{7Z| zsVt z)KF_d`D;%vf?I;6Qe@Wl>TGbS^nw8&yrReOKN#!=FBsbHH9wVBeO^MrRVJU+)de$; zuu|c?MI&X-ongCHIuR(wi00o9x?1LZ5X&ruP?}A0L5OBX4{mOHBujXF{{7Wi)=3`- z>HRqGdv;a!?0gc=AW>ghGkbnBHsRTnt@pUd$c&Nvw*UJOhMq(c3 z(C7RRka*-S3r|t|@i0>Q%Q4cB%k$7s`tcO+(Qsga#f|-;o>ykujrOla>OI-Mv(Qn@ z(zx}umA|B6>y9QHG)-DZh?;Mnv-i+yV<+myVZYDW1OXG@Py$|{<(f!w-_=G=|DG9R zm2@Nz`1{)`H~h33J0scLiwPe0v5lvja5Q}O5QW{ylNDuTq+ba?+kz**6?cbJAEgLblh<5h7v3%lsF?4Tlnx*W+L5mN$*!G}BN8Q}s~!DD@RT@i@X_4)ej}ABKV&r-jv_=F!Mh)E-(Gp?lAiK$ zv`W(eZUFDI@u@!}>-u9i9z49bKumf=SytrJ>>RYi5X>&UQJvi?OLM$0UY}FH25-ol z@mS?N`MO*D8o+-UBz8QE*=ROmj)kMTWXy^3a&^!m>}te_9k z5}nRP`sRkJAwdx&v%IgLBR8|E$QZ6r%MJ5o1t$rJUp%{#=IvMsxJz8DPya01*6H6o zTuL|G5mY?VF{;Jm9phA05H3f&{VT&AvpN=gB6;o)2A(6T?=L)so{VU4P_UPJB=2^v zG{mWS=c`<~6nSr@7+B`=GDM8cNJC;jwV&fMH=!QT62{K4O_qu1b+TNO4J?NsF1z9D zWowqbkA|PJxbglw3m_fe7dor6mC|^=8obt*RV3SwK}I?+daoZwUk4DU{@6B#Cv8hpgmKa9mDBa~^!*u0JLCF<#&GzGe9 zy++6WCmObMlVcP57>HxLAcmid5Y4A%x2^78yCQ-=hn@SBKVV6k>zCb0s>L@-2Wt&H zvF0G*j@PKqHe2mB#X{m#-u25Y9uOpvUTr3G(RM70N#PurjTdt#X**DRQeNYuZk~ex|>8D_ zNKMPCJ}LaxO4Th0>eMnBMNuLio_TuDtQT~b#KJIxi+c|g4zSVr~S zG=kZ9(=486V!|@=CC2%3SUudc65m7n;aS!)lQ$x_e zSo(YWjV$DLU{A&uy@$YTV9wAa;FO3rE(@U#5p#z-6Wcc43#;hZl!Nw2mFBZy8zaow z5%SzcRywgSQPWxz@%uG;5whcm)k2*}wu(n;I@i!%m{YA<-ZnTVZW9>Jas7lS_qud! z{%Qty)L`q}S)UQN7T^5BDAN8vZ;bys20(2BADY17P0vrywo;$34HM?72ndNWD;zNWDcJ2xe%*u6&vEP!yu|r}J+egKsoM5AZDPc6}U&m|pjJ z2$kII6`?XkTY~@mXf?BBh_ie{lCWeGbQ|?Xx=m+WvWae6p)99Q7gILJF;M$>1EMrG zL+Gq|eC`OA+Q9R@K({s%jPrL!Q|vgu!#r}=JJ}kT9Nu;&)MHM!Y%yLI^HCExRW6`^HJ}$q!A%qcDCW*j%ESIV(0DBVY&*e(n5Bpo^0p$ut#{TjGzTI z2S3QvqRGTm2t^}%=v4Y#^ysNjOUGrw(9XUq!NBhE5@G)Q1tr}?gc0h7X-TY#taaD< z;~BVvsu3r>xn1f&6 zgbR4}KFfy_*AVy;BWqKY0U$QLuYafRbi2X#>kddPS)8SGx^`q%l}!6WB-()t>}+dEPVQkJ0PH3GWns7~;RA?vmV==*k z8FtfEKOUM-O^@&0?@PbEnDjAeG9C7_m#~S>-ui zk7086yQmGug=vM$Va^$|3OSI+UPO8*!tIY!5W|14u7apv)df?f6{^B;bZ_B|EBowI zJ#Ar%?m}q2o_M>NWfq1=w~2wOdf~N$lBTb~_nrwdR7@RDxizPA&q3UPeVMNDByaeL zQC+zmD&c`oh+1nhT&*5o`RBNDCsfnZ>12o-ZayOc|Lt%xe zx{anj=yq}loaZPBR`}Tv7f`ISB(<(aZ???7K&$!e567`5xuG4kaGW|Sy-3Jq@|w%2 zN^p^wh24sricpFg>eYkeUjp2wJ4ZkG8A{#u4#9XguYCKyR}b*nbTg`^3o-tORCv0? zfeyQ9u=iz<{0?m{(j%$I92aPtiS*c&ALL&ny8)Imy1Dqg{LKh)39qgwL%Lzfc{r{x zfUXzubk<>JmmK2X#*Pq)#ho25B36y9=2>_<(`gE{<+kgYu&gE`z^7uWROi$xEdPY)1s0}3rS z*tw$|}IO`8lG&h9}YoADv`XZx~wMwe5Z+zU(oZ&>|bg~^dclRvsM5cT>fs@kl6 z{eivRISzR~%!QXk+9JJ2`7v?(1MIabTRdMkHdboYTluXp=wX(gm81brTd=pAdSa0e$aN7|kY3q9;zk>t z;W22R(^YCrGOe?Mcc|-ZROeaQh=$GFd4Le~e9_0tQTk-76b(?#1nJhH*}%d z$pxZSWSafa9D?tCU$+4YN5>O(@5@J;asqQ*5~o8Z@u;?0nR5LwVObGLyjf(Gr8>gN z)Y+hid3j?7s2J+CLZOzn*gcRdfGb%o-rdcYBAH zf}o_%HYVAl1!RT$DM_|m6FM^vt;Ua+z@@OGuQ7po{q{x&M*}vf<5cR1WTF44x4{3n zfpeTAU$6e>4ZMm6$C&=>27V{Z_223($JyW{XEP`ZWJs)Se7luUt`wp-!gZW*Xd`r7 zXm5vd9165E@ovD*mez)d!o!R!2Q9Yi>J83OJ0GPjD<{<5*wG)Dup7`?zO}K^XFcw) zH_pqGuU{mEdOpF99uOPosj`0;O&HFaak4~s^mQy=5I85uj z3C}K@YJOhHUz}c*&(aB~yRuql<1C=u*wEnS5>5Ix1iYG3x#UlXGX53OHx!~q#bXsd zF8sb%WNUPmUu5g-Ec4qF<<%W8lS6755Sq1h$Cgi2?40{?Tkm+gm()uy#FYDxDjIEH z<6rD6Ty8@*sAr1Hq zB9}WfOR{YFxp#$&6(^@;k=e1WN?zqy++kNey3;+=(Qv}i6#4eeKTq^dcCJqT>vhU1 z8~Qk&GwjR`w8*Qy2Qz+t_VUC?sH)1~^xA+`dt@H%hCp!V@9l?foRw%`+HJ$Lh^@kR zxM8VhU%yB_7SpOk7X(&mAF!!9AGHMQPS)GZKiJY084^ozc@?uQc8%3OSG_>!sUg!u zm$-0wVY1tTWkpV`rVX==;P1xUZqh$ku61WRm3ii4^~ZE3%QHz+iRZZ_w7tzwA8(|byr{^9LVw;EY8iFEKib0FRqY{|)Dk$*}(zcmy~4T6z< zE8)H^F6H%w>&Yg7?uw>XFRVf0s|$LjJAbK!2#dqLdd=w%h%kZEY~&;M0Pd&vDP<^6 zg4kI4`-Svt;FTG|oM2YG&(kPF6%~Q~=cvs??;QqokN3gyiKvm08Yb~p7~QBx24&`G1g3|E*IMqnVDD-cD3F?;zeK=69Yb{`-p@LNxbBsn4~I;0m?4Iyg5W zChDrzLNRTTTvLfx#n-bJ_WD)YdX0-IhdSZh)aO7&iE?aNCW%Bc+mOucxbQF1J2-7t zjb;a8WLS`Ch;#UPfq}#CH`4W7;SFt=v@tII zabl9fZ)<8qi$YwNR<+7|nU(Sq5>O8^HI@s|(wjl`?x!=gXub2ZWb6>q$MnR%Q}#!) z#|kUGQOo_6k;A(M@SqC+50fv`}e8pl&4quS+C;c^a_qb~EO zoheCmI!C42+C3)f4^4YBl56PA)XI&JOSfeGi@a{1C|Du}l)Zf}`ptMcb(e|ouNZ4` zudMHH1PfK;MdQ4cuZMA6(j02CYF-chPtZle+GeUdxc=7?avKSRo}mVf3(19lbX8Ay>?Ss+M>&Ga%I(RG}2uf(~F;|Oe~sxkNi0! zj1v$D`!qqgim*89kr1ACsw{*KCuWyGt$%SzOKTwuW+pZ6{Fymex1>YnBxpb-gb#7ow@#OwJ;4ZeiRX0Mg5L_LKB?z+wg5V z8)wxUr!R7#hG-F^m8*EhU|jI)PsQ$1e->R2NNID`KR1)IygJh~U@M z&I#3tFF!u<9^{`KOhid+|JvF#8-YF~oK|d}Vx=vN8iRzS?(ygqH54X07m1*kZbox+ zlVgbAH|=xJpGm=$7}~^RSsHLkSUVpQfwTbu!23rbM0Yr*TM$);@*eF2xbraIL-Syc z{_@NsZ@gxC7GznCK~f;<-`CW?TMVV&zpuDXadJ#}l0#2{d)fZB^Y|`eFzFxijgeC0 zHf14klnz_=THG1aYl2FgEFF-+RuOw&Fh;#4pMA=7tFU^z!|%wdsFPTS->}&%9TP$J z9CnvPk*ap$7qR8ETqliYoz477p`;R-N%}t+I`QdAw;4w>X@rwI)0V}ijS16g*kx*A z`Uc8rO8e}@MASWq{%-U5HWVHf?Y;@ngc$o;D9v>gtcIf?Ui{U|ae8cLb2vJqM%2!XU16P*9{l%fhDhJa!UnDSgAAdM zMx?h!9_}B_fN9JBMG61Ak|dfLCkZ*5n2&Pl3O~8d6#20;%wK<4-PhYYxdgyh>x){JDjc|+2#c)nu`#B*= zU`UI=_qL%$;3OUXwnXma`h`wOun~7Sm%OEnh*@=)Y^(P9G9V)yeKVr5g&&KFgk_ zW}ip?#Vj;!C>pQ!8(?#7?5z%SvLNacbQ0-Z$+Lf(bny7@(){^H2f~xjL z*=7Z=zfJ0*mP{Edq)ii6ynvx)Dw_Bb66tFCh4MZ;AF4Gn-bo6j`@%x(sU=zeD8_?hyBD!aZ9=EZpY zoH(xuwUBEa(jQ z2?aH*MMK0LN#V`2EXh^NCFmg`78gW*H9n)^IHa6=gP(|(#PK3aj!ahBYW6Kxu0PzT zWe!Sz0H9Pej2AGc-g}mJe!ULB9JAY1&Y8*Z9TB9Mt$X5mr2T0<;kPzv3FoyRAZY|! z2*f_HKPwGLV8}jS60EGqLQIL!TfO#}^;oR{&`{CG!^U&cTXXvVwbRg$qk@_WD(7?? zH8Df|k|(`2oJ~e{-rx29^D!2sOL>G#>HG$Td^D5Bf8Y`m{k~Pm&|Or!uu_o&9h9tg z;?#7ye+5@n5{**muN~0Mqqpu#$r@eFty|^07XXqintg|&05Xd@ViwBt1Y7N9%W8~j zr7KvtDp|P9&PW%zPG;2?UTn4gdHD{f3w`i(GfL0?_U9fij6}(igs!SR;{newc9!l| z=A}zc_OsP<-fW~{i35j}Vqp>7g3mC#Mc*!7;`L--Fhj{!WZrVIAd4rp&z8=1<2dU{N_ZWD-i!DiJ+=_eusiGPe*ApKS6eiA)!4{+Mjbm%yoLFIkk>2t z^>X5ip}~1TyAW+wRE)E}Bf#aV7@aL*jn45i)Sp~?;%L!Eb;|<`R?^=-Cm9hAgk)0_ z?B#@D&HLy|A53Kh9sAx|G==|F^Z$K-<4rT|gyC%E59`loSK5<6lTy0{{tg})DWe=I zc^qeSDr1s=9shJg-${?%ky#dY$;Ku{8N{d6xRvL>oeU!O?l9ZMXn79a8B$P`L0;=AfRj zG%gYQTyok?eA-i6e6hI$qt;_0SxSl$ldN~FB16{hL#Ijxx3hx_H0&lPHD>Fo?a(f^ z22x6g?BkjS`Xd!=j5x+B`Mp>on1jzl@pI4UdguMAsB-=Lu3v77!<}`*!NaRANTjDB z$KL0jZ|~_nhCVveW&LI=#LkiS^p})6i`^asdq&5tp>#;r)n$at4{$+Lklq#EcO{wl&~%7!KK4hPnmuTbQ6<9NM4_qH7Y!PY9s3Ajp21{Jz zK39Zyh@kKvy@BUdD+XD2a0@HX;5nZ)mG*CO$bWmM|HlXSz^1KfFQA3!ZN{T)j(k%g z)A_;%$g>G*pLna$|vjLNX4L@p%q*hHV2kEweX2VlybRstojBqAwNNsS4nB$Sl8xP%thVXZ&*@6{ zZG!Y~oif^X6f1W{a^v$ApcxbCBC-%d$gC$i$IS5bM#q88;%}KHo>^jkx7m3)hwWBh zApJUAca)<8b(KxKt9gyx(cYVFwNi)+9bj_!vQSNQ?Pdv?fSBp-HGK;gkpB!ZpEX28 z>@?DHoPk~P#*zYZrqK~SC`@da)N71WlN{1z2HX50!Zyu18)X^1$5oJ=oF0QB_Jxky zy<4Z7Q~71MfQ~-A?6oZC2dj5$9v>6<7-qdTvDgE?x!u-|lDp2%&e%Tt<8Zg*)*aUACicd4FaWrZr`Axa6Y;{0FTRUMpuopd>t`OMzMvg|0P=j$I4 ze@{p-x)Y#4Q=_I$;^P?YbHUd^CYf8y8NW_nQ~@DpW`YNI6NVe=6`nDBjoR9bMre~K z&E(Ig_+ABuWU zwcn15CTtm5?4BPh^ST!>@ z{8{HT!~IreCkYry2IdWlY*6=*(Bo~X4Ld{1jCdJ!^7trtoMbvl>(S4bIjnW0k_J4| zsAG!-vt0iyfBZd1{JRp|$%)ZRK;oiG>JK-xuZ_p%`d<0iV@4H6so5Qx*vAZ72I`+B zDLY-4(c~1w5}xty?3@Xp)$+g4xJ2$GzL8bsnChPikVm zxU-B!;wD{;I(eBrsy*=;ZwPhGI{lL8c0BNV;i~ShChVo59@keLWt2V3&9$+kv^p|^ zwNd3B@)|Egs8fH?8)h#fTt&ty0byEeOhMZzbPVq@#hM=cI8#vaVVzBnP$X}3rVa?s zJJi|3CrC7@ZtYGq3xTX;G)5XDoy(<|j+n7cZJ%zY5w{9K5JCtOY$l~ri!9tK6En#~ai6?i-^ z@D$7@(C5R{kah7NvghHQ)()-(d+$`DA_SK5dM1orehLKmd0LG7?Vb9#m$}KnG}&vr zXEEDVn!e{|ICUZc=oAz(+)9Wv^qX^*fu zl^)Kic#F~NRxWLQs>Ik0RdcN{%`kHZ3*!E|MbQ&SPQZNWtV7{3YaG$n1UUzgKp3fR z?a{g+l_&US1`C}SO1zv-u%^8OcJZslS#zn7gwJ(1fv(>%>0+NFR24dUlu2~1zvhB@ zl(mP-I((0pjnV#*WL%uBfBqWOVY%Y7T{^P|Y$dwrtai;cta;L8ZT3P@o`mmR#IbRm z@8ONF@0V(x2a59<7#iHIAAN{uH2l!nlIVZ8)$$HgT8K{X_Pjb0N#`utFVv*4dnvfG zt%0xb>wy@lc3fp(udtY;=?EVdMRQsW5JvI+?BLa*Z_vEwY;V(?(Rsmhh6U#Mh*l)Y8Zw;VIe*yg}QY(Vggr);hx$nP#)ptTv7hS;L4S_81 z3#3{p$hPPZMV>QL-lxwIVMD;X7{@TB>^EiXl>!l=+HIIF3fUMaP!Iz_L`XC*)xjS= zt-kyB{QCC>#Q*5C8NXvzw|^HUuNGy-9hyIOqeH@zB~ToAlQt0MVXh?L^viNY(r;G; ze6Hp@`D;IDIY;mNo`b9xqXfO-850#Ui0y(>h2~1a^dFVMlZ==)RqUJOr5M!Ed7nNu}?j;q-XILCy8APSlv7E9W#ulCp5eh6cXW=@+(^J;@`e=L}0 zXFns{QtCs(1=kHMHr|oc)$7Dz=A+IcSAK=bfSM9=QJxX(5XcSwjhY&ZN*3apKTl9) z(@)B7NzL)22(do|C49gG+cs|=q`a8wns%@dNjCgOA?|fnWG|z12RPxTU@HurHXmFu#~Gfs!Q}<~tva9dvhiuD#mFfzC1h zyL|l5g884npZcpBbRrK_4XBE;=1*t4`8IZ*(ZizMP118n-rz_tSaGDs3@>@A<2le~ zmS}k=ncI^}B2|s$PYQRP2N+%a=uG$SYo|j1Ifv^!2|XyI{8Fii`<5M@%594v7-1Hb z%A@sSIF|svxQc560!ft5J6%Cir~qx1IO6c0w{c7dW$uQ&($6z6y#Y#p4_h(^obMfz8qsBr+xqcoFek4O)&ul!K~n*FB7%S zPSI$8wVF#dZVNY1l$#QRIywld|Kh8|=WGxgB05KdMb=01eC3?JN!=4o;G7ovU0PMD z=~sl)1R-E@o3a45n5>Al;pe+jaaM%=#f|>YUAa<&LgW{Fy;!d$6(MQW-cmsleTX0@ zoS>u`LOAiPC)_v<&cZ0@vGT=wJ=A?@GrdfDC4TKRzjJC&%}B?sp}YV!xdV=#al8&x z;(++h&vSb9;K!?KPwU9PO2Gg3b5StD@r~BaF;j)+79yY1~zM9NH`d&a+3eoD1GapJl4*Hia}_8+>uzgODiep{UB z^!i6oCyTf44h+AY6#t5smq|+ZOOp4d^BN0AS5=7-z@<1`Y-7{r{)Gks_zflPisFu6 z`P$m&x99CD7MRA!6t_4c?1tjvd6+{d^ZtcZ%19is57LiPwVLc4z#ASmkam0Vtzht^ z&`>tSepp%=>D~3O-RplI|No{V_`h<-GhupnhKWmqq%uCwRRP23u36YaUTJFWA=fa)M`D@jG_KDZ0p8n#BuWg!#0Mm52723Y=#s#)n%cpFqE4 zoO+9qy6kcHP3KBToRe+-BUZ#`aTIpRWHdmwv%%sQzY-&Iw)AnDZ+iexRdk(3v#l%$ zWA~YD(*;?t4w^MtHUcLjWVN+#B_R@ z#0+if)E#I`4t}=9wR*uhNu)Bkp(Av+k-f0|=&Q18Qop=T8a4BM?F*ZHW-sg7lRU1t~;8?8Yq${a9Cgg=|v@BM6(vO<41?_cFGe#}xs zW5aM86`Mk?BN_9wloYhl^V|*MZ)p-YW=T$u(^@M;OUzOaI#qUSJGP|ZaS^Br3zCh9 z>j-4O4G5&5VQQr0hD36OjU2b{fH-caFxFF>4b~XR0o5lhg=(OT^#Fg!4lK(k0M>yQ zd5zkpHM;QfOTvZewskdc4!dU0w)qbZx^QfBps?U12EnO)E7~+MOJQb9Gk&cDj`izY z*%ePCQcJ7m_t8)QxCsO#_T>@?rVRXzuFeb-u_9CEeDoH=oTuskA2Z%xVUo*o!b>el z?*0z*NUq&jWjUfk>s;rYR)fA(feuAhi8wT8ATjWK{oFps3E+5*ZoB_p%}is|ZWF0F@BwC1ZwjkdrBNUy89LkQ!t*)OF~ZG+H&x zW2ZP9Nhp@DDk#xYYhyD3AM?pQi!m<^<3G<{kKlhK9zCO`FeM31Z=8LdOdN*D97 z03yhkrkRmH6Po!thj>yMQWjsX@xPV54RXCXdv;(sBE%Nv?%9@%=J98PLk>Tj;j1L-j&j(?VkMz@q};?J}Q9 z?T!#+qF2+VaJWD?AQ{_d(Q_j2v`~oBZimJ#DIbRgF`QZFTpvnSs}zJS(*vPT@D{3B zQQ~{UPb%Ec&V{6pMA}M_2dm+VJF41EhrYncvP*c{3H5|Ux zL`2Y;)We5tG8-A<@3`+v(<;oHRK1oiCc>H!hIE1Z0vVHp>9h&02Z)4Rz0e{z}3qJuz03` z8LRqwD0IH7dDaNgK%=2bWy(G{XPr!E3an%9RX$w#WwwkxhcC8R= zLn@*WIJ$j*OA}pJVS3PSyh0l>IN5j{-DL1-MgQj{|PX`+6#lu?h!MmpQ{Ccr96_evYhCDNP(28R( zeSGq*h#R?{d8rA;v!%exI8AG=%iAI?)!+fiqv5*V*Rj-sawhOgyZHX$#5pH@!;r1R ziDKhPnQ3bStMPuFja<~>BQ9kh9K#8yhwtKiwP(g}Bjj$I|XRqwe&chq*@B5!r}3ajd(34mP`~gEIF$2iqBN zQH%T_+m=q#*r`HRVz`nB&)4J5*1Drnb*j_QbqkcaDr9@t1Gl6g`lE979U!lxb3#MF zdLR2FU;@6%ZhBWG--#pfv$K|v3fhNlN@J6j@=pK{`yirqP{!4T+db}q*axKoE3=~Y zopW2-!hiS=;r8;_kC+wF+UO<)YVRavXmDEdx-$;!D@WKPq90r85l!}ds6$UEuH`+Q zwI{^v{}=eUsYxp-HQCF;{qR3B&o$2f|B!he@_TskX^{FJ4JLgjuE9oshc?Z!ahB}@ zk<+2&#x z6ZP4qqm!bOAu-I~2}b=2urasYA<0r}=*Aasmb)iVjY-VX3pOZJWv9OduqO~mYsM!7nBs%>EeOf2ZfUQFiO=Z}$aG_|q1};YDBL!Dh7byyu9B$V!WT_eJM+TjS>|E!&MlZV5q}lpmjMonF8!H#8uMLv5jK zLY#LY|0&^D7Ex@H#zQE+6YdGMa2@7W4AI^!6ocVOVQffBOPnlYjfCr2WvS89j$6N9 zIM{IvRrszb4z50xwXsuY{E)%u$xLIe)?C!CJ#zUp)FEvZ%h1eca866fjXbNjjoXKbEK~pF{bN%O;(T~m6=&e&r`P)@lSY# zK=#}^_@x7r3{M)6O2Jev>OBlly&b+kE@KJ=uQGd6ecRK4a)ex4FEkKK-w=0J!eA_oexS_`Ix_|n)-ZPwR)hvWwp zkT#CfMXE$@>EE3)*lB*IX)UtTOwGY2)-cu(b*GSvD593Ug5gj+FS-88%4ye9^O^gW z@<7mbYl)5XnRatr~2`~^4Y-fkiAni z9j*)(>A&At2vPrUIZH06p`?!ItI?or7<{17QUqfr4(EXP{(H*O!0o>%OMoe4pIRYh z(B;iqLLcWS{zi*$EdJ6$K_H{f?bm2EbcBm~;9s1jPjIoNbyZ{bQ_hI{4ot%0&IrVg zaat{e!0^SnMhIOP9qd0f3s5F{pSWO;6OWZ;0NU(u)5v);cV(?ng++g z+}5XY(#yuaB|1O@WyaW64eTNNRw4)+3N42LkY8aD8b_+6`F`b)x&L0qo<~_ zrBbGN2V=|idtD}t7w*CZUwORvzlwV^u9fkD-u{uwF~g#IH}y#m^amT0?hgxz;L@Y* ztht+-+hpJ`n|z%&DT)CXJ*$E*ON@5 z$vt`;5I&D47aNf;)0b#fW|Alnvd8rN?0uwypLCpJeBbGFAar{u2ZsD5fggB4l$D3! zn`FZC=0D_tlRDrFFEPE`a|*82`0|ZGSsBG|Qqu;eIYDNrOllJ!nH7U|db>Njz-6sx z0t-G@No=1Zc5YV|0+CXZZaFmN9(8vN>80{xa0!v@Rtt+7({yvX&xr31}G$G zf7opcmSRZSH_6BVLH1~J;Iq#92)7|lg48-`z8=^R$5Z)ep%?_h**XYry^uovOzvz7 zJBh6|W=Ppu=*QtVtl7Qwx16(jrl((rmqt9+Oo7mGooAm3pYX5q6{umd+n=CNjO%)| zvDio$B4x|6!1m5J@zas2a*&6b4Xr9TIVKpmjbXUWe}b|aaVc9%mDy`?kkt#S&infx z|Aw@5-&b+*i&Jag)@fm2W8I~m$t;}_VAwHmq&eg2%{3Iy9#JH+(rJ8;Bh$d^q{MRDe-!*4UI?@Q?!{=*l;X#&{=RbGud8 z`?@de;Vo!DCm?WPY&Hi7$x@?pR&{1Ys{de8m5Q$?`6b|ey63S^(m*`qtE(_DZce9w z2o<>t-Tg97`E#~iAjYn=6RNWTQKOs-ivlP8NorAeA&#f~1r^M(-@cpwbFlC~00;r< zs{UmF4P|#-*_ymlsL$F{y26{09EwlS(`-4mL8fy6H81V;txMdnT{KMjh2Q-xux-TDRH0SB$!FqK{!3AI4;}@Pd50%(>}CiHWQCp^FK9j9JrJNg3xkVYb3D zRm<#C&LpS`D8G=GkeJFzS}4ZKcpRXiQY}^+1peR@OGAD;L__D;k9jlg-#!cf+E~kL zVD)l(KgA|(*2w!oC0ifxIN=m1#_VE<7J2umNz*qbJCGIW^?+GAf3Ub5bdUuC%DL!1 zw<`0M2sR@>jvuf9Rqn{ISodWOr+o>TDr2{uxN5wKexj^E%DMD=PVSFVE7Q(N7pX zwe?v1@~TO$tw)>NOR3ibbY6iqEPJ?CpsI98eUTBq?(R@ts2XUMsIi#D3I;HRc}WtA zH+Bld;)v~*j&3uS$+bDwL9k9>oBj_RL1@*oF)sa^Cse@fB4mo4wiGf&u`>gEUys=LaME|m+oUeG zG0{X7V#lEwk$P5J()%$^YLK>)hZ8cLoxd3S2AI4@nJTZr?#JQf9W#f6?wnbF+s44t zdF%Dgik>VpXh^k03ZTS(_ddIuLvSsfl@8-%RX4|skKdq-C{7&6pb?x>wGRs0J!2-qe7k#ST0EVWBl!$CWf&}5Y{KDJ?U{Xoww5jmr#FH%CTY1IZHaIh z0V)x4TZ7{J&6e^E&3e>C|B(J#&V`zIj*Xw9#y(tEc77GU3IcI#{8 zslnOx6AsC>!Q$Pc^Ii-ZFB`kVyK1nynO3-Gk~azBat*<@iks_17n-K=kuHfXG;?bhBCStHgkQUL z50GeS(|cW0L!1Yo4xZg?4z4)r1qf8X@b=odnbayk9%ZV3PUBy7S@6r;_B~mRCA~uI zj_g{ahU8_4#K*`2Rn=YM79KCpOj`b1C28@uO48}JXaUXZy9|QQ=aa?z7)Fd+7scRl zv$gnvr*&N6r(3jUnbQ91#!Nlnm=HtL*v5 z*1Aw&HA6E|iP@V*0W4{!Br@#F{}0cl(}76A-YFFtEp{M2?}QHXZGPbS!XU!|_T8ar z_6C#Na~GsD`hh_Bv~W(VP9Ip!#=VJ_CuL||-?L!S`{eA2NsF#mbxl*K_>SS{O+xDl zymOgBv|1b8Ws88XMf2lNgw39jTXcli@lY^C=~lbK*B} z4<@NaIE#+M?IrxEx$oIjK#ai*2pP5!zOE5FwlurA zGum(KLqqBhXf9U0!D=H%hib>U<_Kc;NM89kP2RQBUFO^vfnMr0ubLRXcXtn4s(hj;lHdEco<>loEgQKHrwS;kp*2n}3 zqHS(dmb`3u_+i=;s&V{{80XK_YJq0X$DXYsD?GVrv~tOQcs9LaADphpUAIQgpqGbgqF<{hn3M# z=&EpYj(EaWkyzn0%6C7^?7Kz}8ns0hSzUA3PaT_B3I@`uEq%`gxol`8XixV7tfAA4 zbF;U<6(Hy)LOv z_Hw=P81ZS3?>X%`)3M)SMJQ1dDuv(C9$xR=hbSMrG`yH-Xg=yYk4I+L9$Y$Jyc=tn zFH~U1IfbkCha1UH3bIa%soeF-J(R0Sf?~5AuKhT;T=b^Dg~aQ*Q~Ks(P3UQQaXxz5 zXVii<8*O;+r=FNzuRT6GA{C;*&JSFu`-`bEQR<-THm}80*R(;{lpA)1Gd?K|DnH@% zcp^CW=u_tjw!nJK(Lxr@C&ha*JAqt9{Q&fu{(gM?(NNj=UzLCVHkO0Y`A7Pdm;Q8R z033*%qQCY{JTE=YbdXxuVgxt`G;5Ig;M%krY=Y)(Y6H6%)>MXPr}_>JHNN?UiPZ$T zaG-Xj7b>qIVMQQCO5*yKsJx2Qf<-}l=?}3#x(C3LI3bUh((P@htJGb+q}^yC@{q*B2=kc&6c<{6KRZGo7+Hv*kY6y ze(#Px?4rDHZDh?{38;_){Z8DMaXqVDU)=Re>utSrWIYpzJWZ;aL}*qYdH`V-NR9U| zJf}}CmiHT~l{$cyGpE6`6E33;YcZzfrInQk#@gka9MaPsA0O%$arlvQ!yI+6d+(h4bEPe~Yvb|v!LsK5rno}rh_Q(7F?2!k? z7TxfTs$tT#G~%nZXq4BG9c@+YDSvBv{{sQU{Th}xGm;z?q$MGVw^TcI?0fFB--~Uv0W!8|PqiYq7guV%pHdevNDJ8R zBFJUTEtH+Um4*H)*eFc!?17Q+5bh_&I;4@v*KwV*>L6N*f(t$q#7 z-v-X%h;Tz7?D(YOP6Go~m}w(2-&Mr`*)8WTd&z@uhG?2$X14$-NKkkpakY;t08khU ztccc00R_xXA8CAWekTAJfFl9`=lFd{9Z9%J6|A3tF-?Xk%)YfmEmiD2kt!AIoAvy? zC_pW67~8pcwhe87+%~BL=bEPWP!_hdS9cx)YpbwW*#c=5ZW_Pf3jIWu@YIEK(OmTY z<+Xmz!o=VCBtEkw-wsuQ$0~pBZD0qqEPii$O8s%%>en9R)+QZh1 z>uw(3_B8{_4GCJCoVhMcOGj|XHrjC(@bdZsw zV*8P%+hpMzj5U{D7b$3P`nk!Uy+Xbmvk}OBZh|6mm|vE(c{Hbw9G*CcgYNKHcV(ye z*il1))M*uZ`1SK#a1oKHv<$;0BLp!y0cqB(R`m8_m6^c={MWBp8{lp|wcMRp8eZ{&nfg`e0%8Iq^1|BU5MLCVSCE+Z>3|GwuPI7$!$6=4s39rl!HrH1w7U~PFzBc&T8fRcY`w^M}VG}QSdz4FhrQ*a!vdC1eG-J(e5tlL1`rx3tJsqT6 za?EH;>fzHKd(`pUR>5ti&9SN-(>iL4M{7#hWG-MYzQIaiQ0dEN0rfxay0QHaAxfO}FD|eLVEZO%vN%2*A)B4D*GLLbhJd6B2?Dr7K zv8utCjn%~yd&l8rWg%XBAgaY0Cp+veY)KQ4dBv4OVV!eo5yOj>6wGSv2C%4OnH;}i zT-&Be1h5|WjxtPi_^CMUo@BqwWG#qk$IV zw(D*v`8y_Grf&6u+BjJWlk7}+)2Q!(LMN@Rd-fp+wyV`gspV@ckk~daBXIG?!^Ou$ znblk{QIv>qt<8~P^3MoTXZF%z9l2;B%t#LQI5tNeq$VcY@6}Br2xZ61)0|TrnV7oi zma;dqEu><#{S3XjJ#tPOHH$O}q-xCqn?T2vVAV02z0rLN`GV=F1M$gw>K_j`I%N#N z>FbaGMOXZ9_mfZog_9>W@YdhiVyVnC0?C)W?rp}9wRs_mT286Gg`R8JCwhT5XD>Bc zYKHg+2Udv1y=CkEutg>j*G?m6^Pm{o7!zZ=Or_aQZk3vyvzojA5I?4{yKge9heUI( zbq|yv*GTE?l<4LkqT=7w+0Jq-Sbf#aRP$qMUJs*-LUZoY1$~xh@;UW3MTG@&`$bHi zNk@a&T{4xP&lW)%2`5l*+nU2ol6q)8Epcwpl273&8M&ZE^+iP!YS4>_sGj6b@>_Yu zuXgsse+>dxI74zDdYLs4d}$7&XcO=|1cPtqy#x*NLYj{NC15&fvf##YpyP`A5Ye6g!d@w)B zZM~aj3$I5FcnPf8#dsd|SJQmXNHEP&siPzAGMdFR{%8d=*>^OBn!L4S zv7e##1f1RTS_(PXQ{rG`?i$xR>(RaloJQ_r3krI94h|F1?DRZmv@(4$M|V3n5F4=3 zvvrHG;3wHB9?z*UYDbM(C6h;jlY&W8I32$qbZ~*FUF)7sq0h{JcG@Q4^G^+240uQ}lYcx-!wIM1@VuD-6edc?vu&mV43guer)&Qv_ zTjk9a0#$7@os>usOnQ6VRX#Sdu;QT-n0?Z0I~ij)7Ug;CRViGe8{d<$FL`(UKgzhnDE=YM1=9y0Nh)8jIl_?*Qe1(==D?G3@(O-rqv^*|W7u8d}! z;jqMU!0DRMgH_~)1SzTpNK;}v&h@;n8Dc*V(WeO)bR|ymi$HVt%uB+_*`Yctz#lZR zbHg(K8d0D(k?!p`%{l?CoiBJBN2{*p`+!5^on_iAck~hv=NCQ%EJT3pm)hP*HPU=d znue9gpGC8!Nf6YMiHzu+ThD5JnF_ZO<6#RQ&4#aN(2D^uS8a5B0O1e3jEy=tFg!FK zt=Q@Z3jegMBUU3{km=4_b$I#`4>vw-0r`7KG#e6Y7^4foLUK&&!^7cgW zuL7xXF1}pF1o|uwx_wmXigA zdO|%VowCjM5(ud)E8i1Gh7%^1C!h4hU-2|d5d-^H?(4(D>B$O|rHstuh{H^)X3evM z>|n(h!%v3aR*XF--Ls$M{*g<)iELG(3${26uIf~5!cyIhbm%8d?0w18I=n6&m-nYz z)5c7z87OX^!_{b2wfSfrK|kz%KpO(6dz7HW-0+%SDp1$#Upj_(>0@?GCh(W zE)o2)AMbs-nzgn=#DhELl(U;&b-($g71>F@^t04H_}6G$MV7F4Os(g!<$47Q;}#wz zxSg((=ES=}R~|7SKjyu2IBN*{6m2c`^Hj>~TUIU~dxGzadPs>BUsO8tK8USa7t>n& z;k)&tsSr`NIIgQku|C9=pU$mW$Kf$obsOME`%hg=Mmx-}?PYTtVczSNRaKOtO?HY# zHzsOxODap;Yb2hWk)pqkwjU~J;2qK^mil-_^X8O<=CDN^-4;sF6ZYH|f>$y(0PW9} z+{79G%9lSWEu6yQCr@68-rk}ZN?d;g)*vokt-uN`k(66H*2-Ip0>oBEAA(N}>4@_{ z1{9ulJ9tD2xINe|TyBfbnBDtip$fa3`%HrC>7nSJrrG;-Ybo8?rI!!i^cEDt54L>p zyDbDvlg#?Xn24Wxd-VDWMj3Zxt9>z8?6VgAkcfu;Je{CX*69Bxqn)33XRAf&uK`6-31MiFbJWz|U@ zAOF10>+-Bo#&taGgvzAyo(94)(mQ>uspDELrp|!vvXPvpHAqn#Az>hIGxcCwDfpMU z+79pgUR5oje|V;#=luoCqy}%ZFLI6h;#gNX*wg5;{W;&(OKG&A)*OzY>PoYIMsLw2 zM@s>=)TPE$sa8;6_;9&LG4$p$zNkpw&8PtMEpuE8mYAibmbI0~hW)wnF{=6G_(Iww zyW+@Yeaxq}ejDoZh>nLStp(%E?j)rIHdla-;^npxr({2M55Le$OhGL0G`QeqA5`vj zvB$k)Yv5IvI|KSH8=BQy2yd@Ym$sRVVfmEJJgGI013$WmsU%R0EI(*+#W$%(Q~Xf3 z_5>X?)*s+jrxnGHZJZv-PP@vTf;6}{8JFi}@wKN4tTuM+%ByvTKTxMECRG*IF>9#8 zyZ2^q+>;x?oDZ&>@YjERIZy983%`=_3Ql4uc;7kW^e5z1x{bb8?w_J438%i--j*_o zhb52CiNqYPQ>!vtBt#uO7ti};xrgNitzY!QA$^hk?zUdC|9ZLUII{OrNY4Vj4T`DFSO*_vKAD?IA zcZZ`1C;Ye--QMB0BDc6+j#VfpA6V>@3g){fC~YL(H2L}I+M@iiH9=TXd#^7p)7j1HiG}z4(>HzF zGYZuO7V1jtWUg`YtF|Z&7lVE=XV{Y;m5HJP@5*9W={AP5uD!%1GhM`>JKmkHH!WQ` zS()$3ZEmq8&dqf*Sn#t{7W|MXF9`wNUuPY^rRS0)7pIg^*I(y08K#^)c1iS3_%F0I z_2-vttGel9gVt1h;rS*n@dQ>NTnCo&JiGnf;(U$8B|;o`Pm9v4j@VDxe}JOnywXed z);u#*C`)kpQ|oZ^Z1`v!JKaVa{OH4B>UDDO{$lc_>b0`mnthz|kBx&v(zt22N`}n{ zw-NGJ79`Ebr|^c{BrSC3+8VD_#bt?2c%u#s!A>@HJEcZShbM_pJ+rX>2wsK!n(lNr ze9znWdc9mC9RKhLvhUhDMa4Xqb3v`q!kSty6+ z?uQPOyF4vF7n1}>rjpQG`rPnYlTfw$iSeM9IsC#*eQ{j}^1S__Y^$1B&`MPM<6o`! zc9UwJ&AJQ-6N2yGq#9fvMPB|XMGHO-#Hq}HRvV_E>kgz7(#m&~nG7rQ92x((jbrCq z+nt}Ya$uy^m#nmb?iQbj0pWV+?MZLShZQG5?#!be0+EGpfRkOIwL3$F?5&Y!!JXLB zew)_2g1p7;w5@vyheH;tb;M>6Gitl;5bONaee+}(M3ocn=@YTSHrCL5QBcByl-!wk z=yxi6Q^PCc4k}tVX5DRFz{6O38DEYPKpr?droB3!>b+pHtoDL-`^$W`cBZ5AqkE@+ ztVIWS(IzQB_D#?5a5@&dG+Aw$-@f+EIqlY~DzwGUd%{GWr{|UGNzlWm&D4{07AogY zKC@hoXRSN>qbEN$&MFo;BYafFj-Th~I_tL=NbktR!t;$+viw=p+HrENMQst&l(WRO zjNxDBGs!;QjI1d)-|Q2; z1+mb0C_;x>cq5x^r=CE-BWGfn`2~^!CEHP|WNcAL3=k?lW zJ??a0Hma4BPWX65T4Nxm-@S;CU){F9n3h(;Pn-RtB3?bxzZzA45N82x>oz|3_sh~& z*!$>R+{>S;h4&KNLV2?nP2 zWJTB6Rk5luYJsKZ4E5yG!uDN$=;}3Yizq5ZpnLG`dpA4PVY5T(LBJU@3c`ZtHiF9u#dq=RJYw)ZQa_>92I5#X6^Lf`b6}Vjewf*i- znV<{Tz`d>rNTqdW*N=_3w_hZjCAuMgGXLZA@qpR>r(d}RYA#M+ zhar}El_SgHpq}1UtNm0^D58-|*p?d9^(Z#xl}ni1ybn^WrU?-?Hbx8M5z1mO?~5ZGfNF4)7-?jot}=Xu&2Nv|QfISO@crV0 zCz~mPrVsr#ae36cULlP|C+>gfsXhh`drl&{-g)gWXQ#DSE}BoNd%5?ZGfd*{G>v|E z`bFizefVWs-j;e_`_dQsW+E3;m(#&HK0o$)wCY{*6Jj8}Yv?5zDtqXwjjP{Yh2A_l zrM(aTvKx91{mtVGsiQ+j42675XY+O7kxUkRvw^9Ix_%s+Z(e;5V^M34pQweko7l=4 zd|wC#`bI5uNu7%ocN`_%Oi;Crv?sp`Aaw!!g8hFboWR2Nt-l7v80El|&H6|) zAA{+bHzGqH&o49}W^VS|Oo(@+n$E}G=98(J5^F=ySqy%E`f_Fb@r+!K3U$?Lc`Pfb z!=mwM*j7F^DTp;IQR?a$Iskqj1)>b4NKrSya&dKP$J=2HJReLhCC$f>CvNOFz2xg) z;=Z6wz}KU>xG>mC2`*yRg9qE7p;6FW!?iHQZjdtdS$PaA^|Qtm%APn2Qav;)*7uq3Xs>|Nk@{1 zF z*sj=$O~qU$>D^1a->SS(L&Z8tGWf2KO`q8tl^vG;LyXJ@8>Zj9smgv}9r~+vV*{_a zu|t2IGWigBdgT5=8|k1+D|-X!oWED){LKj~%~pZkk(CTH|5BIx3=<98fIR?5g-5{N zOx}t6>M&N2FKKA1%pLM!@w-ZoXbhmf`r*j}`=b3hWVg2WUlF{f__8(Td$>#Ft8G#nsFMa5x{sHaM@Gp{c$`fN#UwyX}{)JzyzW&q+4h9J0<&Y1E8(J;+@1i8(mrJ%q z19?(e%Z%AC>lJq&%6EQvCTIfofD2*~FNH=Trf3ziL9t=dvR|;2hnZLgn(X`_n>|oq zyNwpPkk+ydE)R6dFStz7&-cLc(uOcC8-+)U`YG^W{WL{KwjxyWNlq-{vzWCHT1&No z!QSTPS8iTr5Mvr$W3Vmo1MzX}tSQHI2Hrq~G8(M)#^XL}IKXh6lotq9>J)SMs+XIO z8vfk1n#4jK%Gg~ihI*8&xE0j}I5Hhks4cuV!j$K^;kK&LmRIPpOzgoLDvGDa8*vqo?x=GcO%aguTLB+YKfUM_(-wkZ9 z)~Z~t+`v|zp{p{aW7z&WUx#s0LIx)v=_pj0Yf_`~z3ifBn( zlUCYYRGj~~@~a+pO)WU48NLWOxqID6y$45mfC_)Eyi`9HLji}?Z~@up&(K~5cC?aF$-PES2R7g; z&VTH}(`h9>`U)Ur*Y_yy?yzAo2hl^X0r%ZKs5q9*PiH|nGVAuc?VAoGs*mb48sR54 z@BJ!@3I%GHr!vg7rulxbdwNx`TF+EWE_;0P5uHkM5k#Jd*c;bLwJ3@DUY#ma$T*ne z8Wb+T$uO=IbYxmf(XK?V%{zKhe~osmJiV5udxp=iRqHxeQSaLSVe74axt*{r#Q& z!P!3?&iL$lU+*hkueIL(V&E(VK+d3j{>EjdVaD7~!ZEd!yUXd}V;EFm=5x59sCu@c zK4=v~o3?ex=JKJU>ZnNR2)pzNUVla6eKy0OU&JQZw)ve#n zSn#~|G-9EjMaX$Ynx&H0vK!VlmZrnbd$geZGmU<+0+c<78@uVK$~8wQ=9I+^%{xJS zaW$#0ogmxl*EA$_glzLG4yTiNCp=>7Ie6o6=f_DSFp13z$xUm%FgS%lPa8WmuMsj5 zdNaMK13ocV;Arnp_So(CsR7*epFOvq=A{?5PMa+DXtH)5l#`!K6X2Rj)!@iGXoyYd zxd#c!G~p?4DQ>;QY?<@p*wu#_02h@wg`@~NpYFQF3b%rqmJTe=R5Q_DUaUo(tjCdB z=Fj;nR6Gvc?cUT?VSJnrS;A^)vNXbndLWjSa2bBLimBf6X(m7a#c0F2ORIozuvx2b zElk62HI$>l{*eV^Z-Xpe3(`fAcSN`V@l@D)BsO0iIsnL(1zBZGd8^qWYJHJRd9E9S z0rlRkoV~&>7D{gi+!-B=ocf;_8$y%p4cfJoAsb(rRdCrx4M$w2tJNh0F#_WVBh0-(5fQMWZ2;7kJlDau*o8H ze?1~#FLBjsp~ntC`s$jsWMi+Q{c*zcc_;H>#-woU*}+yuxr%foi|IIfWvjb14T zvNt^QexT1MVDYGNllhD+?d^)+f4sT{AAm;XDDL3e24QdPr(1YE_A+*Qg|4??r-Ho% zFqGKP&#jCJ+V_Dmim1jpE9_8^pa<*?RNO@%G$X{p18z(Ioii zxX&=QKr`hPu*7J!Ku97`Q#|!J62(QbAshyUwYssmmmfBdE{*5f6A$l?T5QqbwKco# zYRnJ6o-T1~N-I>KVK|0IOr2h$#1O8f`r75(WyYqThB5qM*mr3&Nh>|j>2;sG>sfK8 zax3#_$mjOg-a9%Kg=x*^U{q~9kD=BmI>pr?#Quza=KRN27AJyA|HzApVE*{K(EmC; zvRIWNf&t0n^MVSvN=M5M0>4|qw-=~Aet<=9FZ|7H8tWyx4h?-SdS1qIa`ef@b=XoP zs%jOiA;%^eUEB0#4L4aCrL|sKKE>FyoXS)kB`xi)xUVRSs8?l@36S#eW_;T1k}R+- z(j4#E5`ShPoN>SdJJw{u8BqZlfp_hw_6vM)CsxWg@ z*(j~M9_8u>mgU<|nU_)9E{creAN+Z6yZ5bVcl4}6EwkEQ%Hp7PZ7&O!goj1g@Q*-r zCgV*JEyum715IjxP^Y#|u%BHYp6HR%y1jg7VVR2Yrg>#XxAuC4e8VHzd%@Z z2npLPr5Z3FEzMTux1{YvR{N{(_^Iuz9b=N(2 zt&Kh;t0Zm>#G3_RtW1Tl-W=p0E&&iTg@}}UgD6o`y0|VhP+EE9mz#AP$h(Dbq$-*% zMvWWfG!UCVe!WY694%mUSp&=4w9z2A7&@tu#XD@M(KPN`{cxTFHTxk(`y7M}m-Ki5 zp=~Dm{gNLWk(Bow#7vdL_pUD1iJCDjy#JG!)gWt8%Z{{I@&?Zv&fD9&j35zv9%D~A z;o)G%l=ddS~O+Dit`$YB(!dp?{ywdNa$|`K_l5-9J(AJ+; zKLSNAd+~_)P-YoIkmhi$#PrZ|&%ExWX!Yx8c!k7>7{UbR$X~3J{dFisf{!@qp1fPC z=s_Bqjv7!?Um5o?#nq7LHDmP8%q$QpMxjWwRD_)Hr`tZ$|Uhgt=5zqT_bG~j#f z{3xnMbOMbC6cEuW*${d`&gh(*=C#zA3hY_nt2owraxp^AbMKoW^|I9GLi}aSmcj>w zVTD~_1i|n;#!4`|<)AJ`XrsIt{HA58{J`ok?dysh%PF3Bk^h#`Ow7}eKJ&qW^~)Zu zx-}+jJoOVCe7)IbFwEY}g+J4Ccfj>nX{%9kbj}y`a90R%toJ#6u26M~DhgWb)Xqbi z@s1a|a|o7o3VJ(T2dg!Fuq_;$(?+u;V(onnXY(;52vsU} zAslt{5$(CdBf#|t)r@RYlqP0!8ya&(meMy0-Bre9WL+SoiAL@<{Qlnpm`>-D4*wO; zdB;Vy#cLh0#2*9}06_eD7#vFCexxcIi6dw8wqg!`#m=r`K&|GZFUaOG^xR*j^N{%i1*n+Sq$1G<&M7L+UC0jL9r11 z7t>mD{n*qrj4DgNe`g!`lXckmOjlb>Z8o&c8tQ3ZeLrIWb6&>8{9aDYTe?hI9-7q( zC1&eM2)H=rXtcec13x-#bvr&|n9A?@KI{sL$hpY4-MKec*=oQUC{O+RSoYD+0sJ#_ zLfp}B%(SuN&w49;qs9{-;;-);zpEugK48W&m4Rfcc%l~%zfTD?mA=eXiFBq<))0en zdN$PM5-5Q1?TVa|SUk>j$+MnW^lG5l8wRixbeKyi``{miG%{r{I>%i3igP{1YU0W~ zL>G2BJp`%aG|c{OB=+SDnwb@0PZQ70vF(}!HBFmFsW2Nqijr-6#_zUJsR9!*tP4eQ zlt@<|(fcf~^qEZb8xsviTDfZBv+l)3LhnFSh$w`7_G@R%gxvcd;e9^dvB?|&yKN5E z>AW(06d*Zp16bz+E-44r(?dHhUO5_7 zDl%R<7qni_VS}Sh)Vzpc&Uji-lohK{mFE=}4=oQa_!Esm8}uYRm-V>yE-b_v8wQ-PTJ_Yf#o7z`~xEZ;8Tbm z^+a(UAz48Zzl{V#@kh9Kt=cDbaxeu&XuW+2x?YPvmjy=AhMlu_`MYG+B&`>OMWvf` zDc@Z+5*TUE@{!hB2pYJ94Z*)=o(UIOuz5TZlYb|6&bBapA)xLi#{^1rmtmj1GD>py z6*ODGW#6+6|Fp^TAhwLhQTjC?|M_UXvTc=X<4_U-}R8 zYFE8*4(B=F7ly?UEZ zl~XU7HFb?c3Xsx%CW@op@Fr^inIgob!hwG@G@2VJ&U;W*Lnsp|+N`mj8Gxlf6obzS z=6>7%02!)i$Z5shMTJ{8Y7R*=Z%E<4S_@2hU8_3b#`r0ftmy8;=YK;F$`-Du0y`V+ zGSyZRA>zuB>D%G%O`EO~*#0hkh9P&7IhH`IQ4?w(c@~`zy01Z~aLHfvx;YYd5-e-x zD2ZNh%Nq>k*u+<2oeKlddk|wv36j3#NDZ(6i|V!c`=C2luJ4qqp0~a)Rki+&+Z^#Q z!g$R))L%HgmTwJj>|Zx9Hg|uLDk$*no>b<(*}Gx`uHm_sw}ILR+hWikzCenIqHPWR zv1D^=urJe}T^(BC-e>)&z7J~|AXhOs|+6VNhDak6XFx(qGv)XG1}v>z4F|F9*nazlxxU&P?Z(jL%3FsU#VgJLCA5XY(!clQ+f*@uO zv%}4NF`+NldFU#a6p?^XYtP{O!gwlI8JCNF9sF-s%zw!L_lqO~)P5tzr+_PB?hMup z!K3>TLE<)8=1x#;NypxPH=|Y;d-BGxZbC`Qn^WH7+EUu%GhNiUsQZQJP+e`RHah{L zB9}Jj7Md{l4lcUZh(+ybiT;xiQ~$zmrQL}Ds~_Un3u~ze5~rqvE36x4OGGg5QW7t- zqzzEszKBLd3ed1xl8EDuVxG$TgW_v&U`;V;%kXHWkaX#qRPe;!{26MzZ^o)=xP0g2 zYK*@;YR4L}p9^#E5Tlo3U;j;^n*v^cgvIX&`oz(yhe3#4O9X`mt*U8rci1kmL-dtQ zxpPwa%XD=p$c>o4Sl!Pm=3o?nnoo0^e|XQ8v|E_A>HchGv^$X6E%A9O}^Eqs8F!*&hz|z@}RPX59X#ofHM=|t&L$(BkEXtY@JZd(Y*1fc~2;mm*aEy zmay;8TePSB6!+`((rN}k828c|6RT2b4(S}NFv+kG3L$%g9t~?%U0B2JttAuuKS;Le zOLG_y64tG7_Q5*>VKpq)?B4yqSpa|Y^OC8XkZo`V7#$r40wgWdpYF-+L#6C5%61RZ zC-QagaIUs;!=d?ex0ZVS>nmnh)zX?jKHkkD{|r zt_o=J=V}@!zpQJDrV0&u6uE8jN-}qpp({H~!?Aa2CtQe)MY|tWvYI%J z11Rj<0-$goikOmjJ*p>Gvr37cme;&|`Kc*C)$ZiZyT+5BFw@2B%Jtp9*_E^^%>G9K z5*pBkkQ_j!KnWQ8T&mH~UR=9illg3en7xl4n|^G|ETL#eS=;^sS@jbyH*j?~tj5@u2XxZnzhQ4S8ZAL|}&@^|f17|b0kVKu8+FWxayl|S0F;Vdz# zRbn*HNAI`j!Q{rLznv)s_gDGtvvABI`JO|a&dmD{W;2+l>p#|O^t@5@ zUE`2iQTVXmr#5NKWOdW!`3G0i5FWiy+s)&Od}P*a?eZ$k7RY6(v5*T*%*1AGCMhmuJw0*wC$6EYH>DDxB zY3n{9qfUQH=9U}~;$FK3$oo6kT$8Y)#IQZv|74)>(2A`p;P^$(JpsI99MZy+5AP&1 z3Il2>zO&G*ZyvsEW_<=EyLQ7W(ia?8g~oSA5S(jF)kd*{^yno4b!zISbo>u}5saHA z<`-ullW`rn<+2yO4=tU*_XdA7xbIG@1k50cIbO>s%+*C&1+-!6Tu!b-_SPQ}%AW5p zjdhdO@b20Rjubu={+n^gm?JZVngH&KX`+7Tyb_ncyC}W7-5>znZrtB#sS(Kv{LHIi zF^L>NfXNucOfFddwDwrpSJot7gWtPZbw`b~`5Q;IV zZ2YuJNo2^-bn5OA5RMV&TZfBfyfI}mJrgvYjx?Pwt*COn_+fUY*q;-|ar`}Vo-~D$KOF`d^y=#98xn-Ha^-Ff@2e-2O(mDlqum8;AeI#uIKRbdi zCkyP)f3cgYh5w;?^@E~w|Ke(;GJDirCxkfJ{QSfC%(`YI7_0ZhDd59|mT0v$OSLvr z)pebduO<}pogDk3KS>kVwRqjB$lM;2Z}zU9;O64ABKhX3qDWUuFn83WQHHrdc%UWW zy7tqOM*ml+xi2mqZMFZ6%dzT~ygAOZY~w;YQFRbjaFaEXISDJtM37UicXM+{w8yqi zMU?U-{BqoTSkJ=*xdZ7Y;dtYg%YqWmUD-@Zx=ZpLzzhnI_;K{L-BuyMuPK`rVQ6eoHZN&69kll}1r$D4}e#gAl~ zJbwWEm)9hZ;yz2b%qvFOePy^(wc18VEZ)&yFW)j@lf+v>h?oHjsHvx_eecrs79+jO zyz>W4SqtYN>p$W7XP^%zvsmWN-yZjTf@Lsf!*IOC#|?9ZmV0imD`%TUC8LZ7LB|=C z=o!tK&W*o_)s@ivQwpP=eAje#E@XWX9gekp^4xt^Q^=y1m*dWFPr$=6N#A3KlN#AY z@1^M$MlzWwi=2Zy-nhK`n#g0N)Jxr4x zm}>UiD_2k9cSfZYPDLNDIeB^D&^@%~uhND08p%qI?%esuckew_?tzBSX;$<6PBSWd zS11+z9g|jiCO2vcl9oT5(vs|1RNonmwK1%B5+G*wmKXAf@zE_;hw|uL1E<_{sYGpF zyP2Cf^zq0VVDB|*eD~Y03>nI7r%%cZ4I-mf#|JqbX+9N!!3rHa4`*|u{_b1PZ+mQd z!_A>8=Oi87Ker6`Y(6Po50_c$o1LnWy_!P@^SjD74zDF|nR}}iEKoITo$bM24<2Od zBdz(8XY@4HI3_w8`z|PUr>aA0>>e}+6r@TRJp5d=zB73ggw77BFg> zw0a@Wy2{VuYddQ*HbtIg^*3`SD@AYZz?RcfhRXWWjoDLNG7dBqSNG) zRQspiy%8C##FgcnCtZ5nt8JLMhfV_@LYULeuhAzZ6{PT!tdSWrE){08u_@ABgbE9o z7p;-H*=sI$b*4{Vdl_8vrYwbw@vmH;6Y^JkYfc)15U(Ru5L|5izBp}dc2*VDn#Ct@ zG;oQD8bHbT0=rnQg=%=^Nc$6M+1a%k6ao9>fd^Y8@Srb&Zxo?2;cifzSBd7blvKk@ z%8X-D;nQ^ZE0JlgL7bfsh#AxzS2E-5h(B3cwzl=s_hf(&NXqOhG2LL2ZcLp1c3h`q zR~bc?Lz1~Ob$YJ&8C>Se^xCgC_cYD6oa)xn8H3gPM=l1?+uk@4xRF9n{o*9TXZXVJ za=oa0Y4xkMUdbj``A9oj?k$H{6y4VOLospvl;@E$hV&wivHxN^RijIOgAm!7zCc{J z6pcus&T&_5XaIdpc9}oa-)u5|hSwW~z71 z1npv*jQ2ERAKO$TaTvAp%xCU*2)Vs5F8=7Z5|er9U1o>b+zON!Q|}DBN&zubo3!ip zHo>23orksN;0*DC(%&G5e&KC~PY0~0a zu8kbKD%ugvQw6Ffivo$=1bu>D8vM^F&7NEw-UsJiP3}&efcLMv!Yq@igakX*eXHFB zoO3AT&LDoqVwEhgkm+J@fdv8U3Li$y<4KIwX_mp&C9%jgL2qPwd7M&Mh6~u3)#ziQ z>b^wNB-eAhbqBqA$Duk4>eIlW;D~5cQ_bp!2NW@mfZl{U2QHIPI9e``O2~fExNb{K zN*!t={mdZ~w<*J`EmJ)yL&hk#NrR!SX2WC|fLe?l>G}1M$(zqlmG`&`)1FKfzww~z z260gB04uS)wqi6lf13>2ir6*e+vDAHXumoSHGQJ_A1wh2TOp&@P4s;}wFB~&@jG{g z=~gYA=BZMZh4Gx;?U*?I#mY;Pyp|<)K#eBz9`HZ+fiyIXI5hLspRAI0JjIz-TW?*I zH~YpF46g%*Y1Apz7YoZTk6@se1rLNQg<@tdO4(1ct?3|oR?afjjs!pwr7ieB_$gvP z-QSav5XIIX{?>8-lc{Gq+jG2btkYGhh8akD9n@6mpRaA1C{wP-R%CSgygoiVQ=tnA ztI5dR(-V3)D%Y-7-po%_+H!NhJr=e~zQG-~Ldo`Lx;!_iS`pRz zQ^9xJdwmADiT7Hs07+fg_OmT0BNJ~l5U-1+xiXCz22+4Xl9sn^zJu}|4@ug5s)NN0 zbjHThK7c^W0^x&&KS}9r`!)2@Ly|&vlRxtMChHLqLQYFTdP>!Ezum>w2?*ctnm@6m zL=6zX!dh$tKzDIX{aR+i#r+A$$#|IB06Fw-JZp(w&u-%CdGaVA0Q3@}|7IX z!M-YuN{T#nWQe9Ig|Zk!iu-lyH#eXgz%k_tv*2c*yQj`}>WAoc(+%`fl4$=I2U^|T za;%g(_i(_U>$>8zx$|9BSSa&OrpU2|m$s7{wFmxzs00U- zs}PpJ*bFc+%=}KY74Q7zCA;hXn95+to~)-pjou5>@>aD-@k<@Uz_ZHlC;e-cwB5x9 zvRZSswno1YdpQj>Ztr(`$!fMd$n%>57(f+0O2Z=aZUP1yS;mf2Hb3Ym<4Gi9PDB<(S3!eTPqRdm)St(F2_Xqu*us3SX<#BwuTmHh`;Dq-5ch zMl9=NHm*m*Uf3kFYA4q@YL0cycEOd6Fr6gx)edJyAz~^5drw}V(0v-D6bL8+4xzqd zYk~6n)kYn^CPvSUANoc_@gDSc5qV5lxemI5XA7BL1RH^+6iQhni>e<-MNxW|4xb+= ziW*HgHEBe~ivAG&aUa5b?lpPPVIGJO*N1)7CM4|S;XPu)ThF%1U(<3{&rmi!?_Szg zM(_xI%)xlL0>fklGSP}xzd)mf3m}F8BTOAc@c)RN z6~H;jd}a+F4lN{DPIpzi3;lqX^`_{cq13V9Zp!zrPY-3bd{O)K=9?oIJA)2&OYb;J zUg^C%`IQG)Y)&G7_X&fjXEy}|*9q!=>JzoZJax6HJ3}fYXGrj58gB~Oy^$=hy2NlO z62#2A5Ae(7=I%5B!36xjq};bbW&xKyAs8&tO_qY9t0|RjP`|Smu0gP>q@J<)#)lmS zQEAT%#3=pwoC@{(zC{Jv1Tq5bgz{L|on3(K0jZHPeN`d@f*&anKyd1nuxp)jGZjbV z4BI}pk$#4iYU5J$7*X`XYX0beiZ9}O9U?%A-fv#VQ2Q1_P&NIPmHSSmzE*jTk(k!h zKzkafgzs*L@G?jimz8Z0_Za}KU9nGj^m1}Bo(=+W{HEpVWSWCloE8M}R{t@MVh3De zNuodNSdN-h`WH!gvOwxL^J!gMe}R^BPe@*;m&yeP>l&=l+qC?+0fJNKc;0=C9^bS| z#S&W27oKW6k@_-5{8_1wh;BYi+5KF73pZ^%Ke{~YB+^E#vwF*eeJgS=X+86bA7%|C zm-fHAiKzab_+2oP^pxjK+cJouD`Y9@{xcQ!0vj5EIJG`zHk;`Y3~pdjSa}ET^vfTe zdDHN@$WoJ!8@pRl;enZ)U$5-TbY=&HX-4|z&X5w7tAm6AOrp0xK+M!VWqP!V?Zq8@ zzGz49l&Ocx0juF>%1zZj)4wxLIUk=+Sv4H9X?@Yb|NE zl@spbvczwC-GYyLX}5h+Gtm2D0J{+aB>@S*eRQJHQvhq1YhENR`B~6JD*r2~s4o(2@{jTV`^6@KpMqDBk8Rfy19?Y(h$EAt zPNfY0P~;6!qmgn}t*Nf0K&;=bxTO`^G+-nJ7TYb*W?LX)dAP55CU{k+Z7a@WX&X{n z0apnb7_&Z)&{j1+O$Nv1l8+(Ix`YwYU6D+g2wK@&qgeeaw%C=?Xc5fI= z)gReKDF-mWU%w_I7)7^9E45kFssVu9p9sENt!-`|GQ~AEaICn=BfV?c!E^I3fO$gs zi&ZB;!TUQ&TlIyA6x!eP$sv|iV*CTXlEa$3&4v3qW#s4?|yn&en zThJv5%6`7y!wF6kzl8|A2{J+0{4U1H75Vk{vBY39+{P_O0bLu6qG8 zmCu6r?T&MYK9ZjMmk&+kH{ML-FlqB|3`krEeA&O?2^f6G#HT)*RbGeVnl!v`IU^p5 z-LJYUPv~-Jxtl3Wx5A>{?RY8dIRy6{y#;}WjtUEdz8|`Ld~wU((| ztbJ1>d+dQ-vKj4|)67eI?aQIdQDGnlgAMp~>}|r)-YC$1K4;%pRU9J`M)ppZbI@Za zTzFTU1!OXRl4p%u31Lb6(Bb}gH~RE$~07{h&`WbV-`76(Y_#u#3Lki;DaT~J|vC= zF1Nx=$&sY|?W^2Im8%j1=Y%l;G@eEX>ED!U7XY^UM-W+JR2!yX_HB>5v4r=LPW_oU zy)ZJ>t-@l97-Hi~>L+dC`Lk-sol)i$^as28`=$+Rsw@6*m*?%a_EY6g5&l#Jyc~09 z=thAGe@7q2zl4IYWymIE(-DJ;&7m#Q9CqRj)Z3;}OO;NhA7hAxZ} z{Kc-K)ip@Tu>I_(Mw5Nhgoooqub#QEBn{gYP+`;C8p56cKh-fO8ym-c%r2X`*XKW7 z1GWe|aLYjyfIdCy5`YP^1E`Vdb5ZLyGCd( zv-f+)ao+wj9unXQFigAB5}6*@lYT|qQN1>N)|NsBsSmjFEka~f>J!f1{;T^0(>`^% zWdYPpgjs|Dy5_ISNleDXpBZre{ixGsCel!~@d~!-oa%Q*Kq1EtQoFISl@(J3wOLrj zc0(xxu{$>Ovc4?@E638YY!1R;BhirKA5w&1zTOCT3!=HxCZd9-0A;-8jV-^g70Ss0 zhMKbR{|#~f-hXGryBe-l+&OqFdMvyMTE@F2u@=@?L&=|Ye{vSlE7vYtbn^#)8R%kJ)g%r>#6f@I+WlH?(8 zN}rDjaVDFTOPhc;^rpOApyl^Feus(aV<=x3pUQcd^+K`d_&~~cfm+ilLeoGnuX^eY z#HIU(?%`wYe6>DF`8WJQY)OCC)n*=In?sJ1c@C@`-v3dg^CKL&r>Kqn7``A4*1+XnVuQ*4K5`NFlph_2p!_72G`Sh}qJ(^ttKsaP7-0 zN*Ug#ZH;kY(;RhtbayX3Ms-Ho>R%DldMIgQ{XU+Nk4MIHjFxGyb2!ynQigeBC!S>~ zV#o+>w;4p&pDPYJ0vei6HIiO1Nt*B(?nxw(cpOZdW_UlT>mJ={8ro&@3WtpW69?L2 z=WNn;4h5gHnsHo``I5PXxyEhUpM#3F@M&%5JD^8#=1Tqxb@lDqwf0SXvIOyL4|G?Mh*{`=VF zh^3>e+!Q671uK68WC{a3>v07qrO@uZ2tYOiQr;4Y>6%1s7AN~lCZ8Nk>WEL)vh9DJ^!5BvxW31BFdF?C%+SH;=C1yN)m7OW8oUY)*@yVFtJ9aST*n zs1B+n``Sb~l7TOdLp!F6LQaD@NlYyH9q}BfWvm55I1a2#=Fq2<$3wjR5N_jtrSy6f zXvkcLur%_1*hx&)JZpT`JLV592b^r-DQ)urab>*o(6d87q$+X=%rt*fMg!nu&i~+} z=H;zBPMP*Z?{(ziX<=gLhl$Ur)*^zO5=K$qiF!Bd$qx!CSkY22m_H@hA2RfsSGWKkpot z41m1To?6yhpg?kAc@?dGXy#*$xa-r(9MCc*Anzga!nLP$DX`xevwteE{_81u+@7RK z%=jY87Z|N|Aay9&(g$=leugkIntO^GarEwn!w0s-1I~se0>U`rM&s+*%6l#n|4DDU z_(vzFGJj?);}4rtG-Qwd_kHxmtvgTg?{v%uG}9FOv^w&_i70QA#eC@_V7; z-2Y5snPAghEHXJ~@$9jp`FUC9n?>2C<@sPO@93R^y8r_l3FgIi$mym8?oVjRt=Ue+ z4B(nRJ;O~y&tICaC>+IznP17y5}JP}vpg@WKv`r;p2Q5qE5G?&lq+F@bq;SjcE}tj zj|>uPd$WdDnKcFtIt{V_?`Oe7h9aHfMAxLUHE)JweJhfiQ?zNuFhgekPL@X{R4<5%4rFxcI{!QaE^5 zp8!&uhUu3?=~Ah^{Q}3Y0V>1Ko+Ga%RI6tzyB8a`%$BQ2*zgf4qB4d_jFN{9YA@Iy z2THt@E#W~apnqX7txjjv7P72N6?m$60!Py}m*QNhs?N*Ij z6q<2Vxw*?Mt&@^IF?oPb^AvVlULf}+D8ni+Kb?$9|1gc3IDI5ZP(RqtQ}ihd;Fg$| z`z_2ox-89wUx&Xb^HrELnI1W)+Q0a@0kiC5^4XIA7MeI_@o~9RFTc(M9;N0-g$$#S z;iK4&wf@WRTXukG&ou5_5Ikc^wjK~C-5`ead4yVhqNirQ`{m-Zn*%o z>ZnU^0#kN&9?n>JrFSq$d6p8q&DV(uyAo(!inh(kGj+0FL_?&TS&4$#j5(JTIq5IR zuZQ5Lmd90FmN!@D3H<4EFs;;)kbeSLI9J5^v_?mnvDq@jw-=_JOaejzlxzmdJx79m zcqQ&mQp1I>Gs{Wu%`w=p47Z_$i7q`>{1Kj-gMakXRl4igfrJ~V z>>pxt#w@U%x{agKh8(uPi-ee=fA7p6p04)voxmI`Qr=E$4ntM?pKsCvWrQ@?|``t^T- zFwX%RwP~G9UN@eWueX*plU?f#D0o8I}(_ zMu}N`183U6$=di&P;?nxc?iI;xGE=uua-rHeV zna~r{9M9 zn9Q%cZKo;#XdG+JtMp#HPx>3izn2Td&@*a{m;#4`r-lRPwI{!ud4IMxE*W9I5V$O? z7_b#FtG5VNF-HWW1Ox9MjC1h3P*9+Z#1Pv@zJtI+X6q%12Sf0T{yHGYhbV}yE@jJe zuYr=kKdzu}zuL*8TAQ+rh2^%#+}|#u#}>F6i%g2YKLFp^94J=mq%dO{k~OQf<@P5+ znlM>Y7bFm7>=-eKGMFL0`1{^Y~ps4w~PF&nfCb6JE@0Ps0gngY&HB& zGb4Pq>hEs+3N)d(!_>Vwe@X%}dEf~VTBsGQ^xb%Hun=1bROHGRTyWm$@&0qQ$D@HA zuRim){Qhp-a}*SO?$I|s)jKU86$5+8#aaC=&dqdpmx6hZDvEWA#Sy2nj>igi$T5YwHUWBS5}5Tk z6UJSUPpmhE9iq3F;5H)D`@(*Aj8FxmY4lF1!ZwMFKn=#l6#fQCdp59~9n6n{6N$Jt zCAEnbfo?UF`Y3axBG$Wg#oNpm^P2FL2F&GCQHR&<%7rN^(oB~V+1p4O!sXUNkaU%k zNlr&|7Z3Al?@tNpEsH+(^9yFJWFfBdoq4CW*GGK}|I`20nPq&(HF? z7i2%x@#SjcEJXyh5muJYB7>5>0j5Hz_9#*$gfOSjqD2O0AN{MG_B9&BMQId^wg39= zf3YG-xODi7UX54{6{qb9aqiVHDY?#tL(ux~N5F2@PR!an9_11Ej~^%A=TMdv46x~> zKI!|bB$IIr<}UVCrB^wH&xjwm6OUL+4>gECF!D4ulYQ5;PG7(7Hi^6~y3h8DfShwH zQFb$*jzAO$<4+apcwhc&fo2$0Ezmzw^a&}MYeLBQ7_HaS2*gX*lgPWyW{13jMjH0Y z!CJ63bJsv?9+sTa8c|6!lVc|1L|K)2l1j$neJ{!e&yqPLcn@~}pZGc zs+F;}3%F8MA9Ev=x=xlY`?8SWC}-hcxU<3Q^kgX2soaA_Mqo2KAqiRtYGeja#$cO; zr#BJvrvx49Uf0U>$oOw=)BfvhuZ6;04<6-S-88DqO>0}eN)VF7L{hrOUm zmb8e3Wz{zlQ*?{%?Ra}gNo@Xldb#O8Ro`7p7xGV7)%GGE%dj)K2PBhGe)l(;f8Kog z|K-+l_(P}ArE&we+FQ{pVv8Ld^bKS>l&LGxrRBUTb!0sLScu@qFwK-6ECWk&;Lhfr zsKn=SWdKftU+1vAOobPcXOl{tB{7}RVf?)dSm>+oBKD1>JT(MdKTr2n7|S_$N^U!y z7v=U{&J^2QAl&~1`I~=Ci#>MLiT{jy;{`!bDQ~oD!8oIqf2z+Z zvLwg6J|ycuw~|dPyP?&TaCLx=Kv(JCC!t(ApgMG=D8Zq3674Z`QU%7!;c*ml?*z*D zCAGC=Bt(6z9lqX;8Bc3@Y@AsYjvXQ7QIP+Lx@F{H6ESF6XKH{pG}N5G~Gb%^%mY?C#dpedmV?|*u zAzO1DK(PvO^lPy4Od1M#OLPCp1Tma+;OFg_jdCTJ`s#az#1Ynq(=+CQYwVihi;|u# zZxm9XQa;zmpx6N)%SR(jBV*>&Sp!|WK-@>??a~e!$)W5Qq6iY^(MBG1!4={MkD?vAJ#Bs8f;YFI!C+T<%AI>gMOV+FEDv@+( z2rwF|irv=3#h$q3%UG-5OpSW9QK9heWP*VE!1GV*KUVa#6)XmReCFaaHeHoxADCOI zG~hDYC4-PU!K*f0r>17Qk-A6Wp7Rcd#4nz@5yao_ASfNa1+{tts97M+frZ9^D~`wm zf}{5@kD)_KmW>3j;(mhgA|FciTCEGySM`Xdtn)p~Pf5}K|77tAGx4;93u=!wR$W{j zk|f-k2=ty(C=EjlC)bjb>XmNVS;KSjlF&PTxuhePDlBTLm8q3HFvAzXr9D28&-?N7 zIj?U41VrSq5^f&_UR92Yh* znMP6R74QhV)>}LIS{%%4S$bV9P8uUgr4DK=iup0CaT41FsZOEhf%W6|$4h<(WdhQd zls5;Fc!`5VS$*DfoP$mRSmj1yP*v*l9W9%bQ{Vc<>jVFFS^xDImHv0bvBVEpf#QbM zK+6cy@pdzSzVSdEcHjVab8%otpE9tkRj?bYb>j{)i^th<1B?ZKOGY66`$-HjL`OpPRw$BpX`~ot_>^bl^u-hqvMJ* z-ZxiW$7x$7wMC<6%!f+0tNU;Hczf7QMU#$(S=rdMXMOtrjN~z}SpEf){tUE}USi5W z^630`uKnNp6%|Nh=J>qB{0lxoE)^o_Ecx@UAvN#ilnzSWT`D>bMJbPfyfGqOF&}4@ z{=e4J=21Hn)++t8)}o>!8^3|gZBN3|b|#BUjBUNS)`zuEL+;;fla4voU4hqdC!tpw zg_swC?r@h>@Mn6&Oo+c_=cj-H_awLN>i4q>Z&Q!?o?ZXBM>k<5$+=<_y`Lvf@iOo! zes_p;NB>o;IG~uo5b&giWs^?|_U893Z?9xibQ2)CIWm5|FC#zR=+|h=OPH`3 zPRQrU@NzsoKS*#8h*5mb^P-^pVJj6of@;)XMfp2F(|q&3VDfIiI{yPuQ~(+wr_HXJ zk&`)G=ol*Q4TOlAt?Nr3i=A!XGyix`_LjI)7QX76vUd-N^@M!f`X3X+JklkbhI9l6 zhHvm{&zdXSwF*ijv~M4@-&~KYaB#2$u9Eny$6y*k-e-}nfHdJ$T?n7KzOcxJeN6(7 z=Im9b2N+U82e>8o#`s!K4{<{NXWoS%N{wL#4j7p!7Sl>GZJV-out78Yu}>&w;D^|H zGn#pu{Uzv6jibjGYi1u^8rjy_P}*CdsG+R7a8Y$BtyVuZAw#{BB(iP5&f(Pq2}2Bi z>|L-yYg`deVJR=`@@d~VjGQZb@-Tl>R3hop=ckrGC?7afq7J^#!rx|Z}{9G zNMMJ+ad+IwvLeME>(uT=HwXQV@1E-*Fj2|FXgON_*76?$=i9R}A;;End&5~@2rP$Y zT}Eiv9k*Rt!ZZj_^SSv(Vhex57$Y}P-mzY|s zd*gObY=A^qLL$~wPOWcf;n_s@qQ~s%h4)K$nQ|`B<$<_<3u$}O!wkR@)wB;0&8h}x)A8Y&%i#C z{&27FZJZu|FkAFID)bxmw0D3QCNQ%sR)sko31ZlOFFm=RRxrMr6Slr^`Vq|`g|Hpn z^Zlt|h9IpXM|jLER$+T+7YRa@?{rvT&R(XJ31}So(VhqsvJWQYfeDt6Q;Tm=DSYd*}IOp3eoLa+KU%luJI_ug?2b zCVup}EH1OzFM|Cux@69_sSX>dL0hRrs7RKv11cn7q55@QwUrxgx!b<2h`ijwA*~MP zk#~%|DI|VaXnE=6nB+OG1ru*9GoLlwX@B2<)Z~dx%b;^IJx3Kix@7`-a>silwmcPfn`rUoC zm%#)Xgwhd~d}M1Wm3hkMOzZK;NxKK>X5CKUTq1EH z>3pagwUTMP_Njx=9FG&NS-$9Id&Lzw`AXz2o8wsAfz>r%S6X;+rYV~{( zCAP~qZsajPc4Xk$=SmHe=*PQPJ8Ij?f+7#5W8rgjbMGRM73Y#|@4$MKxt`x!>_%(0 zCN;T{@mb#TI_;#q;)8B6vEg~R71G_Mx1k$isor)5#QB$q41;QRwAuju)YgLxp9P9f z;^mT$(!w(aD74p?GasLy09!L~m)1=UtnhLN%L`1T~ za$k&-k0->qZbft6{hoFAS8*|Wd7+Vi;gRRTc+FD?GKVuk#WaC+td==xokw@ZE7Aca06wLQO+#pibZ zgfemai{8I8ozb;nP=H;^$IhuT^%c&e;eBeOOA1?u? zLxCP|pr9i;w7)FqZIK*|=P<-?XoM_&KH~$cetpe7%hdX^j(Q4qLibRoqeYPXPyOQA z9KM~N%0TMIDo6|lsZ6puVJn4zWN&AIvcH-}UH&6{J-*S%%sU;MH`)c-PzcyOEjcOY zUNpqN^axk{&N6a@gh<63`E6z!;Ix;n<@7nU@Rg+dyP6M|eluc%P`wNQ4;P&|P;&j< z!rb4aH6yGXp2gKHJtfWb*Hrq>`rLrG<=58!%;vtK#Cr93xv;HiCfm*{J!Fq1w6jyXT3^t2rw@I=1{G>)f5? zsm~6YAL+k8Jri&^%rSSrw^d^J{FkSue%|%54KrW<04xO0%;aE#^nQpxhtQeJyqks} zwEFX=$BwJHbvWT?^98}(lZ3F-?Yk0C0de=twv9&p^m<;N_0J5+J)La^sy|0o|8(Rt zOaEQ-18nl>??;0w4>w+Dkbrw*&m32LOVp^;8E|-jzr}AXoT<2!t}RX*)$lfY$&+eECEaj8Io4pWvT>yH*Cjj9 zh88sd(M6CGk+uLm$jfeDTrq*Eu=b3}zjhiP?90ZM*S=l@tY@bExtDGhL*@n`F^sW* zH-NNm>vtJ3E<-DV#U>&SV_nj~5hksI(0W{O8 z?MlzhoF_Dr!Z| ze>3?3RNj9Y)%9W=GJkq!KX$V)*FcV!mv7`b?QBJsyZ(E6Juo0f*U8ZNAmE7=)_&<# zn&?TPa%;(>p}E=PuI}#9UzTk*ivNsnYWzV{2Y=)8Rvq-4mDIa)3&MqoJmaz>q`5yI z8W{nT$3p7Q6DVoiilNY#pDb&*Y}lUWvEJ|*EU$Io3xMOlETA4z!XBJ3U+I(`+D<(d zY$y?zX##AV`zFWowf`A+*gJUOr_W}J&mxCfV`&9qWp@6TrJ>#6OB9 z9dB%eNFo|a-W|{yAAffe8N#6ktuz=3MK|nJHnh%AnTY9Dq>6iyeNyzZ_Sv8i@8>yk zXLvzAPptQ%S30CcWhBGY-}-2U_FKR0O{d>@J)9GDz%n(yh3cWz(U7yKEOYpXvtB&b z{nyHMGPm>G-iQvktj_DpV{w1B{o=N= zI5u%}?%*$yQXtJAs56x5M=mCJ_}Q61RRw?fc`R-VM63s@phh*3tC@gdOwQrmdw=*j zW3*z}z(FH3Dx%-@L)=9zMKKRc%!*Y6Pz8tjQRwr|i@le+g&ka8e6$=H@4r|BIc zibXCgYsKRvm^VK!Lvg>h<^<+}K$InOHQ40H#ccp>zh6TGDg$E>lMT?!X06NuAjHjVac;>yEKNJA{U3X3Sn7=}} zOpX8Bpp{I#6Qp%pd+q!>C?%AdVr2r@09wKOGJIgpt%P0lCjvoh>(@I|Sez*U^#ZsxD>>h`?e22gq5zqON{UN`MBZ{xOd zr=V7DtI)UU;FQ5*S4_p{H1(%%hfaw_0)Ok^4n+Zwoe717d6bucJLct3Hg5I)NNCDJ zreCJS=+`%2W434)jJB3ai#MP4E^?C z+LLAqA5-q_1!aN53@#nL7yqCxM6y;ibyx`GCSQ0!Z#-_b&q3a1{pdGCxJ?$#l?GZHit-si8}2Z1twb7F-f%PostV??V1rVJA!#TVxD8?0@##EtgVtF{`-~=Pdeu zS6UlM)@s!2;x3BuyOIoYGUo%>qPUYL>a9@W`5nwV*_s@`OM?h2evZw^dwT68c)dpc*+evM`H(@pu4Q~VHHP{ZS< z6PRJapTP;T)1jR!qYYGv--(bLLm_L*$NRN+)%LyFeVh#O0I~vK2+m)@s=s^}@uM`W zD@pckF>(H2hkpMgiiV0TcFS?C?mLldHm(H^WFxTD#P@C6{!$Rzpf+b?j!A#}nlg%l ziIXEn9hS=v@47iZT8T+~uVEg`2spOuv)Rt1K3~7;JzI-jngok)VGJkPn&hBo^(thW zGQoDeRi|B#G;7PMKBy@B*U9|nEArnxIdfSOu;WPm#2LCF)&E~!08V!X%GxkXfL=67d-geqH(N_1QV<@T8) z0y4fHbDQfxY+%>baN0ahMK`3j&jkJ}%Qy13FIeccxsI5AolNkBzl`MVp6#Ng;p1Bz z2IV_7P;B|!=m%~DB^fRC>0e)yuES4f9OzuCFe|n+$?;{c8^Z)ZW88s+Bi`l2Xz$J- z`<%9q1S4OzzqX&~e4a2K(O(35*J+m`y8v9IqiUqWyL>zG->vSyd%n|fTaL-dn+xd>-bzm3NUAKv zCtJs-x!iG1HeNFHPw#_$vJYRQFAdF||8*(82vWIU;vGrTyD0EL)|D2#bR5!Ff9=zu zK3QG@ZpxP}D%h37SKn-3x^_C}b63DP@9~g-F#Xd_^R?cibq0FRR9s{bn_p6I@2^WJ zm~2oxV@CFY-bFQ(NgQ?I;SEfd7D4^;AVmrUF!Ym63F{wLL9u(Z-^o9tk#f_h5IV$v5bpJ==&e`^V(E{+#r}^)m960({ z)4;oplt7!HV90v~=lwCzbGvn7+qD|CGx@vdifb98+3TCEB+W(_H31`}zp3KgtV9SK zv5{Wp7nuRI$yg0hWz*b9kV!yl_Q+u4y!6J1oyNnySJ5nAT&6k9J3Vcd)(~V~m39_N zM&tM2wTP!a+l9Zq=SiUY+9r@yECKRZt5=erO}acKY*~m4{o+qA?jvqWRYKkV434gM zAhvxd3`AthbvM+;4Ue2?y%ys~Lu@{ghGCQZZQiPMpR8_{u3fg%7ZnkOx86+xc2})4 zkFU9GAL(G3{7a7dU-8!e-LoC3_0MF(#pYOFSE>U&62xA|DL#?UZDo&i%SX%5cY9ar zoC((>%Dx)ONCSXwTaL!l`AIvl+vT5Vh<6!2?AD`BweNxd8Qoo^1tJ+9?oh^Q4HSCY z>6_63^MRoy63)BBL6n{Ay)dVfrA8<^4u8^U2DdoVDu^BmTI7Xx>YY99u_Jc7gr?`lea;%n=7N2 z@O4>%U!uEZ!&P_g`KP=4pWXHU?#YE$I%U5-i8~W?<=%lCHeKllZZw<~mwqCtD|ubU z#A^3i?37k`YqrJ#@7p?OBzO&lL;Y#Y+WF3Ox7MCr>~XAGR)JitP@LV$kIgX|dVSIS z+^@^#L(g^r(Q9F#$PpgW&6&+{n#`AXv1ttMGBU|GsPksz*iAxfLd7;~#apq}8j{#? znUd{{Gw|?$ds%M|^rP4SUte1eI>-w?K_mqs?&509V2zao>3oN`LrkB3H!jgsUS(?h$FX1FLW5ohtMp3_b5$YQypU^BWN z&9ffPHurx-oIJ&t$XB8G=GE%CpW=OqUgJ1zA0g%Zx#REl%iI>fX4j{g9=8l36L#Lw zu%>g{_D6d9dn8ZH$b8tXk@TkW-ra*G&kn_(`AuifJ>?g_C_Fo^c<^fbW8DwiZr(Q; ziG>=Ta;wyM5Psr>G(P8Pz$5aKSKQlU53|VQWP0@GMAR^UafQ5uWk2*@;9Awa30)bk zTZ$bGoJQFn#pRkyC1TfWcX5c&zD7GEf zEDF@P@@=Z)1QnR-$ON6O%kOVeBtkv}x^ovLyss462#aj;J_k%tYa`YbCa|9zN&`!R zeEx2s!k7YSp$5UNqLc5l=ULWeyq{AG;k+S<8oPah+F+rqIEqLqZY zc~-?0|M8}t3i?JtV~+qmm<)9hTmok6(S*S z{2lxa$>}QuJ@&B&HYeKC6c$hN8A`CjUt|>{`E)g7_|p;mu-XAeG8{dAJehNja0#hc z0D(rfLHAsVD>E-TG_Dm93yD%(NSERcGygd8$errOb!jLBU8-HT_FMbrxX)>kdcKJIS{VI0cIg_*&RdWyvx;`zz(H1V zySB?8=9We5`*JbaY#&?GVljWlN)j?drNcV2*!y~4Q?JoLduenY}i?eaGgNn_r0w`@0yfV%-xmo$wAMf zNmJyPUU~Qy4U6hdf{}3v+LcoSPaRMDTvQ=%wj}z)TqQDOW~tHjSK-{3q7l48`>Pln z{j~g)E(U=rSwiWzP}W664(!bY95L~d$gEAY$M3}mjxNA{#1p*VM$38=gmri@E4mhv}-fy%FI$Aj=wWx{Weym z#@QWi#%@)E_$@@QEAaAaC>w?4pHO16Nm;9ucYU#a<(Tg}@;Y-(`emzf;bCcxv%@?V zOg~fwdP=?s?VFTRy=X6p2s870&g$FWl3E67El$RfEf(VE4kTG zbL08w`a|O;wC||H^(h`|Bme3&KN)ka<*Nh2U;f}v?vT)kG|mrA`C*D@^Jcig&g-=hUE_d}xp1j@^K8t#T+JeP&-gt|v9EgXQn9{!no(~Rx zrr#tG&Ri>+&6zXSFCYGjT=`6kevtyUo(K_}t-S;q4(7^E?f+MI+P~lGy$7~Mv17wH zlfowFRYJ3WMq{w-c4JHvMNMa!Q@Jy&$weR6=2^6ON?=krKB6JyioZv@H9H$(2vrD# zOz3v-a@Xj~bhjK>XIJX%N7Qq(T5=n{7al#?+E_wa$2d{J5Z*P+b2IB(c41oOb8&Z9 z?{bqmP#m*Xu#NKZ&b7EHq~_}AE0Kx+Gh)R2iB8=~@ia{eA8hBL5 zSS@wh0iLVi>YI0PYtC4ST&NwxVqVMlp0f&num`D{)sc*G(lohi{!~I(-!AK`4=L5D7OWNA z^UF2D%Gql_Vx32|kDcHoYhjBbHAn2`pn)^ukc}=s-MSc=-j2lFQr)HaeY7_S#5P}j zB4lT|Ond-_EgB(aG+u48R7F8V*C5rF*yIBY(LfM&)0Jtd>whV4v8aORm$ca*!1O+Rl`DsT`GhUwiRmwX^cDu>P3eprMT!zCH5*Z8FuBo0(l#ZNnw-5eRS`f zgA+IuOKN_i7fl@=96vr+t}@f)MRgxjToQDMsz6hgTc&GcK}MX)uV9EWdgU15r866D zJ@PUa8d1!QJ~*F=KVxziWikHbqIY0+gRwd*kWAERp_VVTZc~QE{t>9rLyh>P)ZVAT z-;7J+{6TZn@OmG;a$45QNxs8{hGWD#mPHZ zl>h$Qe@W?e7=bn0=a(ncQl{E7cEal41|S1ZtFQ5ABcAuT_LA^k&k2J&QQXW=<<+gm zJtHOQLsdWEK3zSNF%OLGkk~yebDmjzuD#g66pfJTYY>a zAJ0h3dt9^7(#4}7=apX5;jk-BBsCr1MAfTE_FK3`f~NKZ)lg&$`tvBqK*@4ud}&u# zZ+>Y>V&qywPEadB5C-l4nc; zo-mF3mDLd!+tttP|1?og?kf3-&qabxU=jwSV0qCVbOMme&Ep5a@ggRYUn9G<2c$^ zFXe>g9RcU;Ox3VPkQ=tcl#mlm_q6sO*Tb9fu4P>%PY4g*5nLiVb2{>)voD`;l7;!k z0OPgOYZaEM1dWwb1c_a3pu=XT4Alz`saLe{9TpAN%c;pH%t4RRdAE?O4Kq_q`qDy$ zEsxflaw}Cv>zz0CjY4aE7~xTMod{Rv*N5ghtS|o2{?zO0k&DPWuc9i1*)(@7dfB;W z2s4YTxE?AQ@||#xzdKGBIWzI+;oOA}U5f!o<5-%j0@Y47JHj{2cc(f^86}1H&A~Xd zAnmfx_9HN;OuLv{qh~dFK|QL^OapThKdOKiUB{t7&eGt!Y5nA0mB;^%cgZzOGsLhhh48) zXTjzrnq~AXt}swD>U$SJD{fvc+&uklkUB8sv#D=C3SX(qfXyEXWn3BMFdL_4-|yZe zcU8Bb)2&TcBCg-tH>l`EpQQ|m1YQoU@YS>O8)Yu;*6{Kbx|0@cCzx}eV+JOk%hSScSk6S+b#Ve@TO_0bF(8&mh%;XdcA%rc zV`X1y6lf~+Lqv)Ak9W8pD53N?T;myZ*s?LCBOPLze6muhF|Y>hng}<$<($_G!=plj z7owZ4ccHoJbAgq!pW@B)VDWzcu?i1$;_$z&lH=Izft5C^*^<{E# zvop9)8r!LB;dAfrfMdApj4gK;yu%|=+chZy7>W@MBxMygmGr=jDkJ5E)FrBTK`@GZ2csV(99Tm zB#1D3U|}PR>(a&qj&VWp)euYcKzV;x(5`nd)}ZJoHnyoBw5+(n)evORoY%|Tp{x-7 z*_aV7e&4&;)8AHSKlf+qOK zKuc7N1EBYpa+S34b(Ol+v}Upb)Lxzl)4=DF^!@n;*z7}(q`562P-x;1R$x)#tx?PM z3Crvj{(#}3kOrRv9AV zMUXt5Wl#G!Q&PIz7N>ysSfvNb`A-Q?!PzH=VbTc9k?EvSiVX(vJ$V@A_8;+PFdFqr>9R*r~$K6~K=?A~? zw=uH=RnHR%KGSH|D38t5&6LkU8s;c=8lkr;$#{k8_Anc_V~3_(ez~yR>`w{B8JRGq z)u&Nte$=WbRCbJ;jdn{UH+3v`AaOIf#UOi*;J5`+7qqK^1{icMivQ4C0mrxYNJ$0qmECYmRxRD1UwR`lmmRe5$JqfnnBy-0nHe zb^s?yTt)-7DgE$pZS2;@k-yC~!*vuY{m*T83*p}r>faza1y`o!YdygHm>V#Z=Xuge z7JABHJ=2BR2RpC=dkDSS6zmIonE<)lp~^^xUim~tRQ={cWULE%bt8E<3+0#R(Q1uD zQ~)w_wT4CHHsltkvcFQDC{K!lz3ije9J=GIE$tWBR4u$o7KcKn8_U)XGVR_>X?S5g z(w(u1?F4x(7I2^YyM;wIvcp6DTQcKMBJT8p?{p^-OjnzSM4ZaD6vm@Tn36f|8U((% z7&S*lMDizF<8wD|BHh;1gWhpi(vaV$|0DS@Jh{zbwmPbcTO6dil@+(umGN!a!X>wH zVxp=i`iWN^-G!eVZvVOG?+A&x@ZFW`hn!pxT-_3m{tc(JFHW5%`U#bb?lN$FQ>M8m zN~$dm2!Tuy+~|veQaMI*X>jkDE91h=0Rra14x0eMBjQlRp{ZVdG{Y8VWcu^Vq5egR z#ZuGP*^)fi^mc3G+5yqh@6inWR$Sr}AWQAl5L!gpuw9NWa>S5^n6d(;-3W49ibAO% zpQH|1Up6%lV>VIKz_j!LL{2-FJ6_VM(un4+l*|sk1j6qHb{sqa_zDZwf_aCO49v!k z{;bu!cU7d+-%fA+Gt>BwA>pu~oDeTg)N{|$yG78osW&))+hFBkGJ{GuZth`N=fOV3DVQV;ob%>+{s>ajF9(Rb<3j)O<3YHYmiyf& ztfl61;hQG~ks9~^HcI@%FLBjhgn(_%EObX1-UTk-qnR_QbQXdT$!Lj86#2bCn^8TLYX9y4NomEmY3 zgHraA3%k>l38BhK^Dfm%+e@?RJ zO)58ZWAs(rX~VI^c1MkfWV@mOr`{JQ$Q$ZJBFeud@);_jT39qo0Nd~eQpOgB0+{Z}JnH4q$^IM!D?g^TEalMMXcQ5lcEG}(*MY{Ef4L|-X z$o*d*au0_cY2xoEh%6x2m?_Uz4|WF9U6+GWE!k>b@@;AdLzf5O(G1m5nk_zDFA4Sx z210xa3kQD3VzHbPG~+@fkehf=0*?eAbJS=T8gV)mgMt8Kd8=IzER5F}_#VMeUh5lZ z42v3i%L}^*PXry7|8-t0@fkfJUhqO`XBcCu&&|;?SY@B77%}7F7XZZqRS89du#iQ3 z0)VPGjc$-To8_bJ%m$s>cG2L36}im^7o4q5u}Y(wFSGQC%kwo}1_?p+)iX<9yDKzd zUXy>!LcVje6BJY>!i_YFhrgi%y0r1NCfiD=LxM$4LIBIS3@_*Y;K^_`ny%v_5tBsh z?IJZ=P2q1|f`FH&@i3!r2hjHlleDkt0x~yI=V7B03-ZSsP_Pc`gVT`JwP(1H;l+la z>RMq1Pd)7MP?G!}tL>T6s{CU&7N_vH_F~J{ZrE7eL1bjBEmf9;iF-LD1i6JtjrrD3 z^(peQh>4FI9o_Em7d^mc*yjOhmZ4D}PLXG!r7NCSr&$dU_2}f;TwXzi@}|fnHmniY z@;T`5tF9jd?Kt<(fI6#3?O=d3_b&nXL+so^4vsfQNFkI*py0NF<$5tTw@63Ny}|FVlt#S)Rs?Ok0S?hkJB-$^G(9(;B|51)+7ozCt^dlL8Y_F zPo4Hl(M{Z17swj5NY(xH;h|`phF{-lhAZz*T`o>66?UL(#v6TQt6CcgpiSV|PwrU^ zj%jgbs%`0DYg$(RA)Nm^-r;}m6M%k83#yN5m=vs(I})0)nTr=0d*nX*vUX6QKhhn) zHZp<@zkV9-6Y7PIDR8pS26uK?3Bp5BC8w<|6JUD5!4q^wFe^nwE)KG)dfql9G+L}i zE}jeYVZ;qRdQXCe@-8*jdV5{RDlRRB9n8;c+?jqK@7wEgto^6X9gWhHej2p`1#_Ez zJW}NW(cGvyf*x0g6JtfPDuQPEdleTB_b$IN;uZ8fgM>BJ_Pr?06YU!M>RCdptKE$A zurXuJLs5)Dlg*PBgzse={3KiW%<}~kK!xE=4}8&}$r#R?OL@_4@epg>VdgM{`@s;h)RLKnZRvek zmE4$QQ+tINGOb!4g_8)6xBtGJ8@#{FJT`3L#zyToc=I@2O`Abi>eyu+%Ef29*pd%> zITYF;1Sa_3H6bTsHhMoRHj-Rt$S<4>u~ml|Rvnuww+z<~NX0a{&aiZ(<{1nfebXXy z0*}NLmM4k&9#U5T z{+1X`9iqZR=BO;P1o(+jbZs1^8FDu?6lawaGeE1JeT|4@Oy-%fLI5Nhr1t;7E&z;* zQ)jMfYTjd?>-Va3LwysnRcy%)V~h*nyYi5YUd1Ju>c+^ya=%MVH*nR9RC+`g&wOnX zFIR(me5I&y@Ykwxbg15+;h3CV)@Ul-jM)pzLDdc@MOf&zz}im^#wB{=_vTb+FOYhq z>0#2X+;>*ntfTAqlB7Gzs z6TohpHW!WJfu5Q3VO+Dq7!Ax!A)%M2UVlw(h4@|Pn!i7;M*RJN!y;BfbMd4>0x3V@ zhFlHx7b*mWrPz5*ro(hmgx)S~vP+Xi-8dy2qvmA2QHDl6J6(q!9N(`=Ledw1++6X- z1=CGyI1Yi__r0hFZqZ&dm&!{q*NRT?7o&#dpO*SR=c z55Ah`yiuw)0p!2Ozb}rLy_9Sb8%{4+9ia7Z?zk%bHT%#QAFH@%PuBx3Gy}!Z3Gydi zqgz*=n>A{Ta_wUa`TlZO$MTDt@2TemTH`04Gb2_w4E3TEA}SO!>VWgYK~NJVt)4-> zietrXU~A(^ML!t+q+E!oh_JRHeOmtT_*_0WM|~-?w-dt-yc)A85MS^J0jf0-$qqJo z9dYvE(as{d&w7OLb%oG1lRSu4wdF<|YC~8Q2+v#Y;NUGL3J{SY7@VI6QfOE!J}Urj zuby=4zfD{J5#0dAauVRLQQ$ya_{N%ttX^NE?}mAB&+Va}HkfI}o+{MLp0(3)*j*c>T@VdRo!!QlR6^Ru7h!cmU>d0s(xj0Tg`^F%qCMJpkwP8|~XuX)+c zMp-~(-nhj)zudsIBEJanAmzYs+=t;iVEcUw?shU5yZ4~%Ee1C{Vozu`soo*SHMyM7 zKYoYRgP54`w?Z369Y~@Ebp=MxECERgcXePU>DK3RKYe}RAGx9qA0rqEr&ClzuoA-< z;PW{VzWenv>W6_kgYnh6uu`1VM7E2UV~TLUZ;A!nu89uN3@DW)JvNt)RK82GGVn90=f37zl$dFc z&Pv}PFIV{iHKkpYkohnE2p;uXo~z(-PV+u~uXC*gWp4 z7%4{X4AuDFqEU|wfMQEEtm|$X#N2(Lrp-<5rRWD={!>k7saH+IEA&hQs0Mn5tQa=d z8mB-bX%x2ToU#d3{stR3??}RrN%9R4Fnha??vkmpCiE&!>43ss zJoT_64?My#ugVLYlpsg3a=OxfNlg2lKPrf1LIAhAQ9Bde}e{{@q z-p!B7dN*w*Qx-k#91O88o1Xa&gT?V6%iw*;x|QTyDBRX@mT%}kP}QkDS*i&H;Do%#*2XM1B#^LJDK_3@=o!}~JhzF866DE$eBpV02ikntW&bSW zNJsQ1hq?0FP#%vnqXkBdEqFU()E;6Z5~S8Ub_ z238s$Y8D4MF12{AZpe!NFxgR9YU*1v(Pze6mwJ!X1(ZP*&X29Xvrc?uTQ_ifX;9#@ zEf*-5U-*li*%By~{`mtfrUbwDVW>=U`J-i4L(+BkWv*>0gA$#cY67Vx?_F2$a#<-Q z!rD&YycrYp-!}P8m09jvXsf~%ENue2Jl|K5F$ugM3+Q^TR}l*9NtMx^?VHoC~DFz%6Tu%9XX3YhmQeTU|e8tU>2GH#av`@5k2}z&iwH% z;yy-tK=P!((Ok0h<9JP|SD4p&*fUmX|XkTh1&#?C6QIWQ3 zd9$_6qS_r0%x)e9;p>j$KYY~Ng$Wfa4XRf^`h7GEU+1q{2%#3pN@ktuQZNHrkpk3V zkfi;S4dLZ&2Xe^AhZ-%GK?z2fGxChgAkBL9o?p_wm`r5zIPo4=Ixj-Nwf((sND|;0 zfgvvG7N?zrO|IeK2>?~mX0v*1V7|Q86o0F`!0e9n?p=_B;YK$Cd$DGL@q_b7amgCU za|9O+F??y%=qt)rfk;~4)vTZF5^AfN|D5xPrC%Cj-_%V+v*rV>m&i5M1?G5DAe35< z4Izq4L1F&SCr;lbgj0wE|CO8px7+ZstF<_TT5%>x z8$}M6g931-O1pML&PI9BiD8H~mycQMr8tcR=Ax}or`q<7cM_pv6zFnWO2?u_Zq}}v zkRoE8_2{>p9RL6e^ialRxbBB)exhb^J7egihTj_E=a<9S!PO)C5k+$fj~=7#6%d!L zL37#yHS^V2;^yR=Oty_ApKHtPQ52m>=UjzA#Hm>{P@;1}!`rGL+?+$J=MgV(8Wpqw z90D++X*X(Py22%<1VvGN`+^z48lail#Y}(gE_9C>mwEbqJHg%q2=PYj$k9n*2Xe?p z8G33l7K}n=XNLfiIPg5*YELy{Y7VN8IYZZ0!^_1iee$F|bTPO!X3pz4FE0s+8g(=< zTRWh6g2*n)TYFrx=uS1-TrnZ!49|NiqMSID_m*qAC2FT&Sv?{?em5lI`F`E-Bs;@> zC%H*#8dT5e7U4lJEA_KP1CLCJ=Tj|c>l_E`a&kw*45ZbfB$D5x-NHlVHEFGkcalQ@ zmSS>`Uq(*@Y`T9ir7NhU6bx>R=1;2DS4XeQFBK!ddk^d{Tm7G@2mlf?@V)QV0v*{F zWpg5mGbv(}3wB)PQpktL=(37bTiN3BpaF`DEm7gDY_&0`a%v9!Uyx0Ql+={O`@m zk>9fN;PKYX3F6zoWB_!f|B*5P3IZo$%^Q6{pZm_R=cao!`tC|%!Nfp|ml&~1%NMVD zbdf$o-vco53|aXOvk5{PE$JvQMv}|W!EXZmkQIwvVtmeT&}!FHBTH^oD{9c9*DAzqoiM+Kr5AdDCr_w8)_Syz~j zMb?-eBGmT1u&Yl!n(id5g|UP`+-adw-!==O*k$%g)g&A!TaJp4k7XX~7~;YTuEcWi zvBM5!Ota(p$dQisgNlnTcng0KdV)Tdc01QkY&Qkg>#`{>l*fNft6tG+ zequ*2&V%vA-4~3vngU}O@rs3j@TDt;k=P(=@nX;H1>e<-iJ~AU(}h1^6?p1?8expu zy=+|S=~Zy$UJoc2D6>t~P}eLpOQSW+k0+cmAm)s!atf++StLKNOLdmh8;v3WFT##q zQv#o@uC8V2OWSJP9fDSymc5uzpT??0OlSz`Z(hG_RDq0be5<#>zU#G*ONM6D11+AR zoEvLR&axxg0LaTb#wKY86Iw@2LPX_oe_Ef5K?p+=ZT|30r7p&CR`48^l=7ZoIT}9_ z@0f$~{iA5KZ?h(7;)$~5gEutvbezygq<p#m-;8NHMkac3+oxQzWM{x0vS`Bv5A(IxK?ATJiGL@qzuF<=ooJ zYcU$;ur3!RfIQ-c^N_TdXizlEfd~dibW&{siu`C|!~ZY9=BU)1U`M|aQV1yic4*Jg zcf$S$RMfkHR6XMJ()V$Z_8x`bAna9w2JC~_F!-CGA8JbnmuDaHdeFLNQG&6XBpv$5 zFzCVpHyQzq{*j0kyecE*K`o~+D+CI(N`d*w0S_+U1j=c!IfuCeEiQ)^T_6x1<}Jah z67JyR7&_(?H*3H;j(RVA-LX8;n~J!!US={ehd$QQ*YYBt0j*CMvm5NHp6emvnUCMj zvU+GDjNw8@$a@}-07`|!ZLRSml}M_x=^iW{8GyOH8gG@Ct}$869C8k}d=7kJ46RPa zooM&HB!y;N4N#y%-iZd1IDHtsg_L;IJfW-rnVSr3e8!J4p-mh7X@6O?0if|V48DD; z=qpxfwJ%U}YK=-=u?xgj>5>(_KJnl^-5_^<@AIHywCi>oj>R<)ctgPtjM>L2DUBF( zm~3dW{i~9^Xx2JocY^`X6`?P4r4`IUC8MDI*v`ec9idXb*LhW-)$=%!$LP!3c{o@W zq`_=U(Rk^UQGYQra03u=jGsUuBIva%1xDpELSQaEgx4qzuPV{t2>_Zg5U4I`(7qSY znr=g`Og!saO!a;F8%c!zP@PdRuu z_08NqH%=v~^kd-pF;bM5M(tNLE)l|mDgO^7JP%Kcelu;5P*MZ@BLn0PI?C)Cow!- z5K=2nBX8q9i<(cXuyl)nE-@CAwt(Xta)9TS>ZS!wZu3KrXXQk zJ{p!|(;b%mDX7tSBNVPTy$26Qf1~sQO9w(X3~v?Ac{azHXg==zwJJctCd77>;bL9g ze%fKiwm@n`apBebYmk_wCat?)N&+`C%C0HJU@Lj?3>!175a!$z=90HY#zU)$oa8YD zS$OoyGa$n$N7PpIA~EpO=lUlLW@&+aPuFE4=q>}u;(+=djJO)U5f z{|4fPTE3~yGGW|g1yoj9ho#g?*=YMupQ6kOF8lpPm~)D7OH8)I#?gSOf`ZzOqZ2;g z4kLdGb}3%<7M*%wJXp{svU{^~!m;V9;6)Cq{dFlL3LyySG2aTsapYeQbjIB+)LIaW zr$_}{-?&hG7ZeJa#^V{%yP@%#J?oxAss=)S#%75SOu2XjHTNY81@uxA!?w3vjbpXfOwzhN{LZ*t=V z2IR~}s$e#P)mENu6pZ+j^d!HZZkdmfO6fa<>vdrqp!CDx>?WYCLIZPJ{vAmg!knR- zzHq=FrP({qko#O1mVlgWIbC1Hv6n(S$L|i%T7yAffz3R8!+WMtlj2+SeWPfm=j@h6`=a7Owme*n>yS!dV6*4 ziVtq7e~ClrHHR-RUy8|xTho{4dwOgX__UV4c)M#Ybuu*L@5Qz0_1PO$H%|^_`ExP7~C%)r0FcEWk znCE#DCH#2T-j0_>^IR=?>krjMK4dfGd=JR|B;9Q;@MWI@&9B38aE#pNe(A`C$<$n`wR5A!AUG1}jSPAp zI@N6yF;{?U0+c#^uDxI4hb@BdGgYHZRe5~TM~6M8S{`Cq@a_u9|?*V_B6b)Iu^E(sTeMxs5<#aErg4 zD||h(*!)L6!@p?kx1r^WOYs{0eT694o-@hoC}l(o%}p6>uXX}7#}fZ9AiDqTWdCSa zv}F*jeSlI`J!0?f6n8EV(SRZ~h~FAvgi`i&T&>CzmiKtCDCI+W4yF{RSAzE6dL$-Y zmzV47yUp$F1Wy-riXX>vE5r7B5WYenSgQi8DnhyV-FmUjp4@H79`Q9{^Vqmqg4UM~ z(9a-%K+{sj;W&9vRg>@RJjMO?sqXcKl+UeUP~rv%Xz^8RAngm0E|rxV%2kv*P%^u3 zQo~B$6m}nF+eaDV_`{eGZ=rJhTXCK87iEILAK{}%1)!{-^5&Z6{ zIvLnv50KD9ZbWk75^B#nOD^POf#o)PZm!73Bqg^B!=t?UyD+Kwx-nIm2y$m{GAHTU zSaNyuWmd$hbEIs9YH{LXJ9sGn^V;l_%LI!4;p$ zGu#Gv>n%?F_I(HI9iVXY0MEAC39ihHFj?>LU1dE_4vesb*p-$nR<6ur7c^j}{%{ndHs2NQJ*fScc$I~1w9hQ+G7`CWl4Kyr<{}g_sob4JM&iwE? zu2?a=)j^MaV%#`rK8hv027F4oGngwl=Ege(@nyz{KH>z9oE$CMXIIqfawsv;i%y{e z0}9!Ha{5sLU|ql13S@^@wpvp=ml{+#GGYK$S07g+sq5eV_u0;jkxon~-&s4_EJx4s z-q7y3Dw78AC}6ONL~r$u>C&V0iBliBx1@RHLb$N+*wKqm`ejN1{0WW()R$gs0ATngw1mC~_Uz z7;bZyvw700}sj z73^MW6wJrdjrg*cl1vGnje3VpUdJ~l@ft>XkeisnwH^82$?f8wjy5g>Cm;QX z^Df-##{sC3`|c}hgzzf|YxL+`#it|gytx68KNZ>M6=D~Lj9QmF`kH~ZApk(DEGPN} z@xs{aX~;dvzH4wIlkGmAWRjxzt_{>OU$(^ivS|4^2SA`)x@Fu=M|(NX5LRRjfD|s+ zJ1|vH+2vd89?O-2pE>K~;Aib6J$IKoKB<)}`kTo^k^`g0z$I{q!*XY+R5$e6engGO zwwjiX?fNMHZ#dw@zLGK>>Zr`A#7G(bBPNv3`1iOp|H+9I){5CaTPE6GZGY`~c%rC{ zLhrZ;Hi7*B<_w|@swv6#hzoAE1ETcls_)|{A^`o5Iw6r$eBXrosEP}yL~R~~?RXa& zSf9cTR>Ql)SgSU4m0j}*=2N{WsNB}VPa+AjNxE>7*PzFG@8+)zcE_9bsxDZKX>S(D z6zmiHi)e#v@k>}`3|P$nBn*k=T3>|)xKH}y2Qm(N-^>`T*QW{II$lTEFK^F3Qki_7 z0(7Yki$KeLfwk=4S}+3&Oie2QqK(afhc|KM!VBLb`7gp}*VUElTYmydv!l&xA8r_w z&M1xbujS2{Ee}@>g5Zy_EeWMTVD)R=)B_n&#cWg$A-QTGErkoQy9SNH4W(}3lZzk_ z(uFg820e2voj3tLrFc*aXA+pb<=L3GiZT>;(ufhmebLi~urQA^q%^j>o`>GG|02?^ zKnEy`8QkE=K9+K1NA6h7V9h~^_|Q(vj`_X~a%0R-7zXGqNjn<(0f(N4Y3)za=m3bB zsg_$8_wVt;*aBC00AYhUrf#$fuCp%rJc`$7q36_D1n$lD-loIIqk__VJ;K&-|2Jt# zm)M}sKSs2*$GAL~{53HJP$1bOQ&fnLTL@CN5eq%dsM?`XG%%t}jC0^Bq6SfZW4w>P z)kD^IxjOVCG`57|A=ACe0PFjr&&^g9xd%F*?~D!m8UO(O&IFosEu-Yb+gf0agnosl z!l_?=JCIx|nW4{KB@Rx1Ufh158?m!DU1@}opR?7msT=HA&qGn3oK^PeW1BrV?Zt5C zUkq&B2lNPxFUD=Rp46dKo?J_#E(J34Pn|laBBNaIVo2sZOt7SWT*|fWh|epmwaK^b zep*z&+e}9)o4R2HTo5PeN*tZG0A#*aFyoEAm4q_o07FAFe}dbkfTtaWMuq$VhNCKP z0}K;xPVsq@0X`RxRvr*Oh-*|4-gsMsh)=?sJ?uH)4t+q=s02tSY*XZ$6BI8o<2vO* zv(al}?QWmoK=-XyEWVr#5Rx3%Cwc;7Ec_B68s$4n4mNab32L{+COr=qb9et{G|{LP9Ie?b)eZ^C~k%rbtOBplo+@rxrD)NpD!V3&V8MjQJIi zK2^@Ax>9Pl>X-I|Veuf}!%{X`X%BRlszLDS{1|grLiK0npUWsa9G@<#A&+^qA&->c zt2@&W<^8S{`1nNeS)z99HVQKEj#nC|+p$l04?cd-!xm{BD>uIxPf|5Ek z+tqAsLDe8mKuB5K->Tvg9;T*{>wbpG^^+*yijoiXt zuFZ=F5x#)Njx;a?-!0?KY8Yy`vt<903h6oi*(oDhA@B-i6achcXaR=0cP{H<<)f`9 zIb)9Myz@yNHtjF?ix<{Uoh{Yr5iJo;O$oOd)#CHVKGS)lD6&vIhe}mi$6t@sd`Ny? zSJf3bYb!PNrtNt{tMKwp(g7Si!65$)2cnbA2V9c(L?Kdk`PjDp#&ygz=;?U??wLLqD~TQt5@ag4&i-Jy?4QE2s| ztjBV-rt*F+jUgp7r`Vj{RZ_?@Pg0g4_8ydH*p31CJcHLL3KLlG@h|V7XHTfjB4!Rq zw)oBZC1db**#S&8js2l&`@`+0C0jmd^R>!ZRgy9K=khCw;VD zO_pROS!$s_t?&RA1N8y}nSd!pbX5H4PYbz|>w9R??#CW!ECdVXwVJGusr(j=JUmhv zvX@-%(U8&8atgh%cXxHnd@<49Wwd?MEDo}o-S(-LMHz0{^XM`7_w!RV^W(fj-w~dz zDb?+hNvhnD(DEKNXVhnWM9bx}m%A=^yc)?0$O`7Up~1*^{ffg8sVc{28LT?|>!+5t zA3uLF;vv6f2Jd5CR!pcW=!SH-X+_A$Bm8>o*!GF|%j9fSF;6g1(g2a@q0C|Z6fo3T zgbR7^p261?5t^1ds5`pJdySxmxv(V|wM#cOLwS8EvVKuJp|XL(hx_KeW9jpIcfN=a ziCa!}NI(&O>RN0<+l~=h+`4tiW4qh|i-TYT_dn|9Z3T{HOf0`>Kc{gfdO=8yuX!WO zADbotr493~Hz) z?-r3)cYU|~k1pc~Y=4sR?i(CiY zC2blWCuK=Ko>o&(zf8j4*;v9*28ymV?03`b2<4Wvf&<)X{;T*ZG@*ZKkhU!3Knqx%;0_%XqiffrC&Il0M?dkNL2kdVmj0M9+#ws`Z zuBB^5Tnd{`bT#w9D|Cm%C@WIbZ*Kmf;>1RB!Cz(-Mw%?YuhQCe)7tjn|3&RL#whGQ z0yR0Q!n(>#(Y#YDEh_Mt^qKwpPRQu*X$-8I;M0Pj$V{V2RLP3933!D$IJGT!BeVv@ z*D-uY$NlwfE|bzeUT5U)r{Ehtt@UK-H*H}k|EV{29hmy;6>t)O=s{qBNe)&v0r@`I zh!Je>cI42oyq)Fjr+DKv!VjSOsT?ledoZgXKqAEl;9HDR2>Soo2G# z1M+I$o!AOks+c6z0q(u3-4f7)((VRACC!x_j-W1(sEgG&2#l~wTOo97LAJsu$NBq7 zzO+q@C3UTcg7waz^(0Vsmb&W~S^MmL1AfU*dy;lh{^XIR))Z&ofWj@n0D>GaPhF9s z%rCJ*x8VGv)~!b`MKu4Z4^rdVw~ZPLw5h}PNldk0BVJD4Kjz@cIe*V1)dikz$S%Gd zh1dSUW1tJpFRZ$0Z2mR?%#7TdUJ!kY*_+uxc(mYalwN$8Pc8m0q72i25oNUcYTuE_ zmJZpY7~@NueOx7HZB=gEJ9Y0%3)s>DUZ*&t@RwbNAGVlZ&Mj6W>7d}AMBkp@IVEzA zR{jq55%fXc7tt`@QYb*uzGE3dG}dDC748TOT?{|ZBb*TZ`(w1J?O}#DKp-}5{gTAo z+wM_bLb5`55MzV=ShlmZbnJ`KNWep5P{(53uRD3?&_5mdGj&i(mSfFLjy47IVFU~_ z&UPSv^&OPFl;;Epg4IrbwrvG}QAJdYPuzTcH0J-~w4q9cUpD}_uA^?zQp=zgsB%PF zhwVczV+(S00J4gdT8jDRzZBOI5BA?UilGI6r2RfZu3-oxl~PhP)1nD3$jVu2|LzZG z{O4YZ4V$yyo@xA6KrgL2$5%!Mw^!vr*4me%4M>?#htlxPd!N9v(=>`Rm7*kqNDpD= zYa}&Lml`a>*$I}bAYt&qd$ei&QWAC7ZQTeO?aCF?cITflS4CL^F%4^}JMd2kl=Exf zk=Uhs%sw5;{y6jQ($t-yC2rjsY|u_gwZP|7oB}Q~0fw9`59=5h+XJA0;|KOH$BzKx z=5=<4=c(fTqUZVgXea*OBz_1 zF}&}&5k84kxniSsF$pTL2|wM}`pJ^Vdw3A!=`l3xAV~>(6+IWj*Az~tO1l*$EDF0o z-H&*rm4tvkL-smLQpQRI$JjloNfN72kNkxN`zy}=-)JA)@FL1OU+8K(4jHCG=iVBU zdmGB9ym2kia_09^#AdXmlOHt==`i<^^7v9e4xc^mH*k3}G(gv9pc#s8A*%E-EIrnv z%+$=(`7KzIOp~HcxgjUJEvu{2wzeZ_RHy`PR?FYU7MPkE=5>)>SSpnb0bC{^6>d>{ zy8*L3Ukk(f@fgUT+AO7o;y0fG&U$y7Vh&@Lv+ zSi_QOgRi1D2AMkpgLWR95k7su#{(Q+Lmz{Z#=$qK4NgVe!1jr@yLm*W?%Fr(U`8m& zi(GGY@jp?<)KzWjz^`?`L-&6UG9|DDPGX3COTWa6j8dsXte{l$lQ(CS{X-Y(fsvvk zZEu|wa&%aE+F*fJa_|J^p>~UVCcLqYY+k4P=xvI?A7?cA=;!}niPCe)8s>_)@RC=4 z?>>Id(rps%{Z#Fo7K9|5 z<`K~X$nXFf8Vjz9N#OUV;FKlsyDgW*KCiV?qq6e;Ljo7(bfPFGV4jk(Y-{8?oDIFc zxJZep`?}C05AeSMN2rs!ZZD5*l~7(Itbfk$H7x61YoJUzt1!1lQk&CEsqNzROT6X@ zqH=+d4$(v0-t849PO9q4o95M>QGh6ftA{)0x`NDV2ub0sGF3wOj$OWWjoCFm$yT|3SxY@dli1_or~Y zr96MUxMYJL;TI2WpFXm?!`l>ZNyTip%S#pcQfT#4o}@R9d%H^kyOARYkg#+A!=rI7 z5aT!aW~n8Wk{?RbLTejuLOou2law*#emz=d2(?rHnJZ{qt9~TBXPXwWrux>4RZ#^% z+@<0l6z`1P5q-g@W82=zE#yf9k^hk+R(c~c1gz}6GuQVZ_HX_#g3N9Zo}CEzlc^k; zBYVkLMqsG@gm6uH@y;Dj_x2Jrp<-=N7}7aage#3lQU^mwr<6OUdG{C`<5RS*62EqU zd0>Iw%t}7Dr+Fh&YGilz9Ima{USg3-_c_2hjhrRw2WWc_OU5*$LhA%C>TS5G2Y)R5Z)NE^{B!x&0Iceo0P ztO4iAs%wFgaL|TYY8DLz2M)&oqy6^)f+nY`N{4(Cl4ehBawDCf9$~_lT2PjiwY#Pb z1nag87bQ&P5VAcB`70ZV+dV|o!k=0*=;DXSUlPs)U26UqHOP^*)OJ6gc{K z+Sc{@KwrX6Qot*MVZ*jFTE-H7Fx+ilzopzx>)0%T@0eZyf`yEfn6t z8>4~lIVmjMpQc|J8eLHv?Uud`Y1{ix|&@r$cExDl>8s|~@XjcuU4rRRqL zF9ssIO4VCcU4T(q?T|e4bNjEhFA<}oM8JkrquBR(C6nBN zUrNZ9&{i@-T2;KK2Yz0o_79ChK~&d<{`9PB1$a~Pl;O>v2V>OJDi-4;Ua-_ajX4Ym z^_P_=wu(p)6lG_k=*ZrGSu38lpBCV8w*44SumeiOa__VhhU~Wc^+Z9Y_$JZ)KO20u+(Yim29;pL|chH5MS$wK1sXwnoqRX;`ezb}ISg8(ZjLr>e{nfc+j zxPyx_Bw3;?ZH~#IkuSU#Hk?f%R1T)?z8}?|XMYRQZ>2SoXf-}G#a*wjXSjm9BPy(ajBLcS z6v%=Ise$pYZhz{pBNcNqxx#yX7OLyaV~N-j2m(FA{MFS@Ai3myc33_aoUF#Hs9}DgD_<`-o3cA|!9kEB?Ki_`Z#=r9I zTY3`^*S5&h7}FMjIrf9R3_{X&KW6pN9+Re`8kCu4EQk`A`p1B*3*tVL!MU7gO}6* z0btg~{x>3Ig?2#Lc~zMnu99u7=c+K=$1$8)-wTfJPfPh{{8{8|6@>fD9;1ni2G3QM z_7-eW%LQ2}N<$qTcBc^N_S3_kgT2<^mr)ed!m9-*6{TmJOZm^iv~T@@$#s4e#}+or zl{$Iz|9cxEWnksa=esL%x&PRVEopAE*+nzh6t#hAT!^bf@9YTGO?r6FVPZX#wyD)y zdt=}tiWkOrcX3x%%A0@(m6JOr?7TP2!4-aJ1o=Sg!Hzg>sX;OT7eLVBNkfysP+vlB zQoYTeZ#jS*M}rZ31AwCG>fP2|?@t(m;veIdB@dhB8|xPBFxA_RUcbPEmbBX1#kPQ% zwZJ1wd>gHpyp2jB(QNm$pbLZXMabWVg^HjXua6ut1WI=j#;qf>QkM@yJ$h&vP%L=+ zL+$$cBD0yDKFs(cDG^0w=*Hl&2@acl|3gMs{gc_qpBfs}a*R}aatGVadIbPIe%e*E z=$~cMU)poPt<6q{#TD0}=c@B6)w#Lv)R`9N9!|mJ1BAuNq-sTw&*n*pBrLnkvEwn1 zCAnIy?xyy7*i0bG4umtnLG1^5K(PAlGNZ7`Oo2&MvR4t`*l0$*HM zr})8|dQc2eRXt5HI(Mm$-<=h-*wMHl55ce5J8h=EfpIIx@J#y2B@lYL%+s~P7J4?! zF;#{@tM;Xy0WlHws&~nEdjWMuFbmM4?B%Y2bxr=3v;X&~rJ?HbUMGC@nJhZN^7bww z_~sR>bb*2C=`XL{?;;SwR|lrQ2(TD^DSL8~O?UeD4e)tHg`aLS_;1$|N-2QDl5U^}C*mhs~Mx12IQr_qZw)?R}+3)?NEtlnT z3NfkodO+9xq+VPGbC5Om+mRB|6VWh=4@9)plUO(mhub6oAejy zqF>*+CH#e>pXLAhQALsE#S`P@@_o&Z14f}X-+igVvupLc&<_=U$?T8XDsOLGV5Fb9 z>M=V?n`H?^gfJuvxx7&@Fb|ezR8`PSW=`mw=-^@|_p9F>&`=qhZ{%Ib0P*c+pk=VX zwXU&{IzfC`!5;ASlhJg(EDm!Th36Jzpbm*(Bvz20D^{y5@x`3(H7on`*w-=Cs18MY z|GXj$QUp|FWV^jsEWKalviKzidF;+3FCm9?9G&mPTx-Fts+dn{ay`z`p95 z#i2#VOYO=DA+TavquO|hZC0|1hlx&#(j|GPsgHU&PwrQnzBTL6pRe~#_g$o(EZrU< zI&~kW`117@pI!}(Oz5c!IWe!DV-wn2@)R~gz9e_Ryj6GU<#?jWdC;UrcCe}2Ow z@XR**>?o4?{AT+3wcYynPwNc5d!zV9`ig(YKEpI&9#%#O2!3vI*ZOC{_V?HmFcJE4 z&n`Wom-DgMkK*PdP2eh;O#Rl{WF=xb$jpa<`Sg3>+0;&h)GbDwnM)a1fUPP8{r>9no_$6jo@xwdOX34>PlztdwxtPB& zuHXr`w~Vgk#C0~)F(#3bHs*7;6s>p61WZzoamL7mcnW5`3n&mhrY!Dy`taBZx&DP9 z4kK}^sBS-pxGL|tVoBcO??$7i_{i+wAjP$Zi~~F)&E8n8ZgQ^uJ_oZ>yD-0jX<>N9 zcBlXZmk5^Y0r5(sjAVx2o9O>Y)cp~D(cT+COnFauF|+Z1_^~8D+3&y8#tC>DYIz!&XE>S5YIpxtN;GnofFXW}r7N-~5^wzRP|4pedk5wEa@#qc-}r3s}qDl4ay>}C@j*Qc?h zf2%dmyfjR&$U@U1k`tXLaXF>$Jz6mWF06%$Q-tHXQ!BF;26hUlx6Z6Uqo>GU3(3|92Jodtm&jQC=rGBCb6# zb`KcF>OK_o548Ctl8Y!y^uVgslIEu+;*ro(me+QYi%B(kv&vR8ogv#tM zo8qiNJST0`vSGYs$-%0m7v9;0T}AUM@MdtWC_7WyQ|5LR5Vo>?NoD>P>fly?mMXls zO@+*!=D**@um*}Dv=pF7Q$fV2oB^|B#b!nbXNQYi&%=oyB*KDhmR`Cim zm^WF2Hv$+5SuUI4O##;#D9fJP!$d7Md^+0WOXz7^>zMlW7N#H>phlYZw8Rjs!y!oh z(fBm~#EvG}bTch6eLCm*SLG^AEGjXKwU!lI?>?8WO+FHp!Bt`o@72VlEVaIAaM-J7 zlFc=YqoWWz;pm;;J4@;OcQjwG4QHhZ2}tZZI+WZk$X$AUZvRf|)R`-EAlzuRxt8LW z+|AHGkD_r#wa|GF`7V)eFlgasOELi(9Bk5_bYr`y? z7?ymI+%0G-WyBGx9ckbgEmk~4n9S5px^oA`dsz{V-5zbrn-02^x0vTF=Ux6Ls_SOX zlg`%`DGupdQ+47GO%Ww4Cu?JMKg$-{4-%AbU8>?($Qq2`RF#9E0W2KC;Jx?o&M_-iFtAQP_*9hV6*8m&>#lDvO_^?&{?Xzs2 zHclta+bE?I$auiT+`zA%^?pKky;2J+wT^vV2`M6peNK(Hs8FAMe7rU`H}d3_S&qP( zkYJ=s*xl3xUhfC5e$C!!xC}Khe|lib{H8199joM;9tH&O-KEHwRWOq8=0AHImEFYpUp;#^a4-BGGX~v zm#U4fy;BOJvrksx)D;*zb8Vt==AJZ)fioT%#Q2Uo+*=_`BE)Ckn`$PG6?l=Jk&5h5 zOH4zyix{&>AQQnA?D_B2dCJ(acG`8rY{*6ChpOK%&t5&3>hea1v39G{;p6osv936A zLxyUxwzvKw3++++)pnN{Y$HeHHlVQwYx0lIXI_}xDljiMgIs%J=6LkBK_>l&)y%b` z#cxlubhXPbdMtjmTdRHKO!GbeD?v7bt&sn{TBFAI9}o)D#c!IUe$*IOWP8*_j`ZR8 ziON4@>{3MoUx(X|SJDJ*?eC=;8cpI-eRYV3n}X%`!`sWNZ(bi+rw8r!hB>Pey+0e( zTE#rRS7Lu;@#B#`_T=q5(Og33#XlZ(%jUYw+XN9lhsZ9&k`0BvA$be6^Z;j)Qno6P zkkD4tN^G=ap7}z!hsv{W6JHOG`Xx+SR>9fG^drps%Ln$=Rj5=2bI+~QIU|u>urzOj zYQ(EcpKfF#N)Iv{FQ6$*C<9afaDzO}rN;LRzPXkk>eqXR7kE4U1P+Y9!)tUeX;q9C zh-J_e*thv}!D^@YWz?t&yIEBb_QDR(Ru-hkohn=KGW-AOsl7=*Cm2WB>995~dr@NO zmugsJ=CLu*RrHmkj2Kv?$JmYMBd?t2 z&o>)gzh9qcQvSnzZQ^(czv0tKuaXJXSKG6K9O}&s6|5H|<1qm=b0o^=@rO&=K-4b2 ztM$fwoNtR9-@Vh`xZQaFEx75rtwk{|`95(QR9mvSOG+9=}p+2-Hz;blLWl zH7k^NG2k~y2@iMdY4OG{ygu#lJL|Lwaga$O#If^=drx_F-(X+Sg*PqYA|K}%uNa-P zg$EXA#C)-ef*ic?ezy`Kqo%=j45Vhp%X!#d3f{9?o0@r@6YgnyQ?O`!q{V4m4R02mh!J70{Ng(@m!tPv4IP11uLcAzv;IevS zi*Myrm0Q=0WdOXE>!X|yWA!snixBiZDGh|c=3q?qfxdeFh=5HgV)r_bUT?5!H) zN}KDU^sa4e32{X6kuDk6x)eU^{Scb_dLp<1{C*N)bV>DQE6~5$4I8F25<^xwGr{ut z=U>hCldRV~2`ji1>;qz1&Ud|?X6)F+y_||Eo%kV&$NVnF@Y_>#ATa6Ro$o}nzU6)j zv7dZ!-R`bd+~|c#CloJKKZfi*_1v(=NAs%jzD80XrU^Ca+4+$h?uZR#trv}6HK<%s zV3DKKr5w9kpIH8=p0om!?0ON&c~!*2Uhl`s{y&|L|K69(u4o9TeET6`S|97Vp-g0S z>^OAXosT3>OqEuh6=bbpjT1B1*|_6s$i%iR`dvHWI)nSlgn3_zvS{1e3-6UYUL_H4 zDc46lnQQu0oq4MZ5yinFQtPqS@ZM><+Lv6P?X~lDpvW2AaI(b3+}bgv5Mg9{o7va$ zNZ(z7x$X{(@f=-I%xA^#Z0y_H8{#Y%M2xL^q+SnKmNG$4zzz6Vd=rBU4kk@k<0jaN zfsw7e#mod23HPWbg`vEwu{_85cHydc`Y?k2=yJw)e&ph7kegA}qli#Nmc0y+s*QRg ztLKoQTt{-aM5~8+e^dO9`JOGrYA%SLZM&1h)oZ{=peZAD$2!k^A`z7dg@(Lo)TBuVZIB_H4}xx#bdJ z{H@Kr>jEmyKo9hZ^|0(Xom4cD-huzGq5L){ed^%(&Sb^dl8tBee$MyjZ@*cLA)cWE z!|QeDCL!Yzw{r4UfS2C1-EXpDyVT<;nEFj+#76w8?3zM-Aj1wz+|p|HFN;5Y_gIN- zH!$};>xePG?mBQz(QPq1t2lFpht3(BuXyJ`W^io4d#eud&9#O2LD<(b!|Z@UqIKpx z&3cxSJ0Nd2!5L%P@HPLS0$e#pjXmauq49^=3@*m%E-iLFjej5%dJ-uxecl@_CY5bT z{-zW6EBAwTf~5BEGvAl6y{2-iOxg5C+K!>7>FUNUpfU4mKjV6eXKByp8@g2TUSbmH zTxoss1;M!YTq9@ zJU3>zWzsRC=WXHSr@pIl>alDfqjuwD33LSOHU*O=3MS^$6Nh^1%Ohx7J} zBaX^B(ze91fsCj2O_<-szslEMt&Lk87Qoc*@=g`ywMKEY$e2l=@ZyxTh+iqaFeZkv zem{0tsatutOWq?(eOwqQfAYT$=CfCC0dam^oUX{ET?g>?Fhp7}Y??`Kb zTh)2XiUU=#1%&hrX-VJ`(EA6fA*_lylcHw>m+v>O4dev-?Yi2c?4nV8P)Uz9d4q3X z`!^=Nj;kfNBv5rM=Yz@&O&sBCx4&s8E4=SXC4@eE@{M1#30!dRX=c|pM@CBK!xVY? z8DH=@g9blE=ZUWjyMuT2%h8h~i2_D8GTY?^m&G>uREb%=MfWn82I@>< zNqsN-Yc=hSX}xzUuf7w?dhpqbU1sWX-27Y%?VB!!dL2+UZzGFSHc(GWHT;)2#3*7T?&UF;KiC%Cyq12U+#orux3sQ=Hb{ zhp%q1YlqWo}a^4yqUc$)ML7;p5O zOksn@%#Wj=7F)*d-*BoUu0~tGqusfEKti((8ETEj8`;DdzP6Z;aR|IBHTa)h+H>Z6+ zD0zr2_}2!jp^DLw^PR3M#Q_`$*Ws-km6W$vuEqaov7r{o^(g!T3oT z7XJ*L+M8VI*_Wznf6l$@onWvfl#8D_i6AxI4`$pv=h#0lAhptz z0U69qBhT~rc;5_@z5TGe%;nv!h%qds*^ zXgR!;>!lI!`x+l?avz#;1EeDA92zv)hxeQ3S(N_J_!P1`B+ zsi^L|ubL3ILFb8D%|{%4`e!aZxT1Xl9jkZsX|+yObVIVDDe*MddS+JhSvrvO{0y=| zy0@od54Q2$co5ZFlGV4V>igX!TFJ@M>@VEmU>V!hJGLvwPCwJ6(V)$(Y2Y45ChY#2 z8o$AKe$Ve7$^!XphOFuI9GDzG{;*TmcB|pW=R~}EkReXzjH#zQsed9XuV<+rmme>Y zDz!53-6ILEpR6~`m8X}tbhp{G&MhZ*>IDrQQ+d)$$5gZin{?QgaQ(%$v|+gnQuGN>ojQ6Vsj#;{vs%bndED zg@c7OB6G3lQwxzr@o?uT#~_8cdyAs&WIFBNdZ{>hK{LS1&<-8o-L8-P!KWEc?)YTxKglt>T69~{GSFO{ zuDL!tm(j>lpK<^4d(B3YTc6PQKE=Q}#}QuCj?{d6PRvS=?bJ77nnWW1e~Yev+y}{= z7Z*|fPcHzLkZ`>VSLmFZf4>rj_l207*kU@0R0H0yyJcDrSY z>|AH>XDJW3SX|BYTh`jf>%#nW3E6sObh30&TkmHBkLf*|s`>R=-MW8F0!R+pK(+^MmPL zflb@Vff_^5AQsq^Tz4OH8LvKoRed@6`IZZ1rZX1cdF5w(yZe5s%ue*$XcEM<(lJ(Q z2w{kSz<1Qh3anm$Ztz{^s`5Xf)q9=1{bVIY))*TpDuV~WStUXzIRvYf~ZR~_`O{J1I+d`mnleE@@t%`y?Xigk+Ow4)g2U3&O= zNUko6?(QSaw{db6JLMA}#f;4^#~jh3zYUL0p#B!ZvtQD$BikQ{yWhc>o>!8${ccom z6X%Z4kDMIpczE$%rR3q0)l?QQO$hN(=0n1iL|7iZX-56QCUfB{TNQY_-c@`PDF$w^ z)cM=iuDSIcjotJB>M(xg>eI~P+$eu(my=lg5B}|<)zb`3wSN%vV~w{o-BSu7H(lZi zS3gm2t4>ni4(^4WENa-8DTJ(hjbo(!$7LO-H8-8in?BjD#<3(^@=`T-v z87m5tTj{UPQDiF%wk!(@sdQ?Imkz!AQJ{XP$Xx#i%-1~i>7*;O(5Um&$39i&PYMEe zgbu7{-qo8sOb#fw`SY@PjmdE>Dm!QuYW}Y+>n&j`%|Em0Efz1Hp$h(3%ch>Eh5>mHvU ze7>n^;k9#|U^l7DU&(amaf~uz^P)cPZf=Vc51*3f88bwuwp817F*b`Tw_&cVN2ZME z&x#uJ9Ra;u3u(m`&iHjqz^%`IQ+khb*r1nnzI&=S721KokehCOc$?~4DnJNg62Ws2 zzNl#oA;!A>h`6VrPufvDXA4(-fmlt8>}Ntr(4$zqM2G0N@)l@Abm}|`>dV2p&s4v3 zs6eurVJGO7-D19Es5)4&@}D^<{{97|y3zkcEA_06T1R51E_nG$k8?TBgqzj>+?WPe zqy)T)xmm`9H{uO%PgeDvv>gDzQ~*cKwJ7ASJqMXLHn-9-KZ=QH3Kk8&pk7z*oKkw| zJy52}YDIUf={1|ooR(E$uuq-@G1<`Ely|}yHx7$bDYligKea4S7RraFlVF=-N!HTl zIpoF+huNlz?rESP`}oT@zx&9f6`4rrO4I*-^EzDq8pa84GLZeF&-(qz+#jRPtD{T? zYIa5Dla;yhYF-ZNjFVrnz9iKu&kZI0JCP?<^Wvr029xfS=`&xvx!%qrZYnLieY-K3 zuM_SCzvC_IWY&<&`nw*1p}X$er@|I3hbT<`Ve`p1PVwUL`;DaHyC*Up$Sr&+FwKhJ zUmG0E-5pQMuh`&I^847!wp4MnK6Rl`KKv9{T;d%qdj6TR1`^=iV+iFu@#*(-biDqf zD#>di4z22!RLNQ`VtCN<2v}~?##?CiVbb--z`}QIb+g2BIb+^!ck$|^3X3Y~aD6+n zjJT26yX!i5K`!8wK`!o6f{#=FnN!I@l+WMNTuE!s|2BM1(K;g?Yt1X+%w0Yi6Jk>@ z#Sv?8+YQ^ieR{CpqQQ5Mk%Ym;;3HO}hb_Z2Q>4p41sr^%-PC*UZr=0Lzy_GvG%Y6S zW=nGJqs*UrIkQyp`-6>IH~>_#Tfl-B!wVWZ9S;I^zkIlM&nD+-=?5#GiQ-?KJ5TMl zoYRZiyd<`M=af&pm9IlTLNU;RB3p|dmBPBN$>x5H#TR)OzF6H0DGU7P?27-WwT)*( zZ+YFdGoZH!W;);v;7yivG$Cxas53pUbejI~we9}NijSJ*)jJFA7jKKbtE=|dy6SsG zeKkf9n%$w-%hzkm{%Tly$75w`+~VhJIqR25j_=LE!zH#I-*l##f+X}yd>N{(E265LMrCX=zVhuhu{D<)i%-kQ*$&KH}jV3Fq37E~xJP}~5%?RL+wRvl`EEbqNnYMb`@Av#> z$%WoD+mGv>y&S^}#a0*j{=OEkX}UPFYH(`yrTtjZ$hCxgWA%F?KnHjwbik4APoK9_*G9 zA2Gz~7JLwg=`^Hy=cQ#)H!Y94mro4#th|c*b-(I~=AY=&Uo}9MHzmIstSwpey|GUT zRGia-(VC#o)^V1dNY+m?t6`Q#mkq!}b-Ta1+nH5?hdw^s=R!1r6&T?+xO{9^5~7^;v82Rn=2Mk*_O>YtcV!4Lg}XJU|*Ey$}bhvV=6^rEJkR z+`_=x+)U@KpHZXpDV4SXpZ|&E^j8=LE~EYygsGw;#dg=kM%6qwr!Ij526~otKdC&P z@mZ6|Km|~#Bhy8bcAwY* zyIxBmvuRgW=F|i_Uke~SDAPXEdtw3Kj z!wlm8II*g1-T8S~e27i^YVRdpA_bA7pI0bDeNGwupx`P5mwXo^f5zhW`>kThhmEX@ ztG7XET8y=^ugbGuGy8L}u_$PafL7BxxTb{i_=v@qKqtP*Z%1`1s3U%)!~F0OBav}qx{w%|pK?7n z*x)96uBx>PFJ7YJn|~%Vd}32fJd0DCPw{Zrmjd#2ec|h@TV4Z~ zlsLBk4`*)`73bD%?FI`F2u^Sb8ba{kZovWsDcmarhv4q+?rs4JcM0z94#C|W3O#SW zwfDt2?Qd)E|6IZatyM8)j6R;;r_1dDF|W44&w7% z_HcarX0RtT(R}BhCUChtb>zdF*ZLiwd9cnn%$KQTQ|s+SZDJuD$&A_>oGnZ}m7Bmj zjQ-lkTJ%fYm}eC;Yk;fop=F!A?srdJy-JZvZ51jBUpugI`aG2<4TldnPQ}_$Udwg3 z$xe_~EekPfubmiL9i9TTo*zOU zn@*z?_{W3WlW0{POja+zvYpj>1;77oZk_Q3o+89c6{0K^Tw3R2AOGo~dQ3V}QvY&i zBypYc%fR2ZNzm$Hz(O_3<(gk)sZ4=%c$*eH1|14tM0EBI<&tkJ z32;kq%hey^vx)dk{nXVbe&F*}Av#MX!N~_h^}!?Py!TUx92ni+ zKmVxk4zD*SVRIbi8h)C8FX)!tm1JgsTK4u5dYMrV1(C3H zgi$j-Y^vk+$95B6;s0h#xe4n+3Bvv*Xa821_)gU7nC-RQt4O?12Wi9m4l)Of8ZErd zbJ(2xh?}6k$5{dUvh$=&YbVUo^C&WxgA!;moGq7=4loPUXz>~Yl_t>Qd+&+0Yt}pD zE6j374MiV@KiXXGFr=DguJGr1{8{{EnXuSY8@bpy^Kt&!e03#VC4Tiu@R{oq^-#l$ zDJ2FhDMaCTrCOD-h-uGirJ1f?8R5P1h%nuEWo(hq^ZcR2KeKoQ@Xb(^cT%?*?#nj% zzgL91?S~Y*_ZC`0KbxuvM*Z}FioO0d5$(n4xB|Ps@H_Ku_1W?*QXKzWs!gBaQjho3 zgJfyS%m^QF-QnrF38RrM8ZF)(aABUA&OsRA?yt|cO@}uH>7KF9e7u#I|4Nl7a_uPp zfP8`7bf+>0a7Dfk4iDF12wld&+o`Y=#D*Kd1+EH8y`*8_y~4nlBd;{*jVsy=3`pLx z7YA7%PMTFLD=pEeQJd|AO;%XiOQm$T0ltXKF*s28DUo{hi6$6D&#dH&y_w{?B; z@=0N{U?5}lCe_7!eY{vkb0A5ewCHjs*c3M7(8Y4Kl~UJgp5lXH40F?gDBQYb?a4PsH8S=TevZ7`H)XLjjc6|lzRLh|8gBbHH zX!rfN6>4~R#u#R(j1g2UjB!FgNg2>!{RRBi^oCL3m@yDV$o9q&CHIuFD80s61b0i% zCkg}~oqm>{31{whI`{VB9~yat5oFGs#0`#TZ}S;+0#wrwcMV2eg}7T8vcPmUtPbn- zMvG*vMur}I4mOO{+)XBx$KxH0b~t)yTogdjm|R*c{+F(3=%xx*G<<2w4*|!Xr>y+}XzRbG8F+nRws@X<_o2(#I*p+!}Y{TIO zWKz~IVNL2&G?UP3G)(NT;=yme=2F5~O($8idUR3|jjlJIVixMH8`vC7n`jPmlxj#W zab(Beo zJ)-y7@CrG1oXkim=0ohevobDBmsJa^YBfC<^6N6vEvDibb<|8%>|a>CM*0mg%wb6r zt1TWFp>8QpZU)VFIjH+{AS@cBqbG9kp~}Ci2ITh?81eAU2q9|h%9tf*1glJfFL@u= z7aWrdHOsxT`nzMbU?Lr*v#6TSqE4e+uTyF#i&e?M1oWz(*jj(Hzh->-q}}wDQKyN@ zWGW9+nbQyFxv)?RB$)B#npe4_I>i3>0`5@aUqPKZ>d>OptKOhTQM{WRmy&A9^MzlT zSCF6fe4{6}fmC3rwrprsK+=g`wJavaw7x#+AaEO#4p{Kf#sWH(q!z-i(xnF{x$)jy zflMszO0a^+oXq!I7~YrgB)vzrCCW6}Vb4Jbyl?K;-V4v8KW$LPDT#Z|Yh2pOs(9|~ zYOn+*Rctq^&7qT+C+phFdZTkI^$*Q6SM*Ad)v1x)V~kdd%avtbY9U%=p{pfvt-Tt= zq(vdeM`3t}T$%Ao9_O+d=@phc($ybbP8I`wlvT}$Z0_xQACt6i*MW?z9YVPxhp?sn{<`AE^?C(pNU`Zt% zTkfwMDNz@5?*v0oVRgoI+zn42+kc)rZrhvAL_I&bJeZx#FhZEa0WCkM_0;+j+hw;Qc!rr9@IPWQqaKE#}8d~%mdzt|a#S5o;@{Zd*ZaHueo z$?sXD3E_1-9hlWU0-4b#-nPa=TjAPJbZ-q zLow%Mw&$4=l?(-(i@nWKOsCyNZuR#b4ba;$IfoLJqLMgz(DVqASSKKp4O+-tPkfic z8fsrjUlzczvvpA5V}u9ZE<5Smu6kZNHK+gd*ztR^Q0Hx`9Qwcc9*p5LNa1s0yy{)Y zNKKaSu;G@0?z{it6pz`v_2;@zT=_S3fPl?p#y*N&gSLVPa86)oiK#TXF^h zO8ffuPeeLzzWt$tjqWkA!O`qQ^>1ajnwD}2+QeXRUxdu|#~D}HIMVqntUW!a9nHliZalEUpUgmLEl|LK?;E0%k#mEMK8ns5%?G*{-s_5_*2r^aiWdCe2 zj@XY;2E@-hC4oQ9Z>)tQ@cS`bw!h}-&O@IYVi$=N&_FV<2}?lS(EJZ%|%Z9nvBk8?e{L9CR;7&O=d2X>c{1} ziSbFG?wLzOA32TCLu_!13EPA!<>pG2WbUu`O&~7C$3{lQ7RIH3e4<*eW&nczk?5)Y zs&3P?;7Ykxs?nmdXn#ZnP**Pk4UK{7m_PxgV>&d+ZF)G_kE7bDlGT`lHMJ+%ZrgNP zZ8Sz>rqUFv`PlN>a1a#Z8|YD=%vq=_;ZppfrjV9#*_Z5vhnkjV^JV6*#QX=@2~e2j z8gnXnhVdcWHJIHX#RO{`+_r#X7dldT?v zyYu|V^){~*vgfFZi9$CJLzAHYB&sV@M3!5(^2cz&<#xd+BYs7DN&4Q-#CXH;0VvP_ zD3Gn@WL`;#IWJE>RpZ{_v_0FB{a*}0z{X&O?-c#GRJF}(GS`~xJwHtsOI5U}F$>ah zdUm!oTLi>i$#bmyt(#+Bh|fYXt3fyOKrC-Pv7m>D%k>FmAgMdvh803HkNx40Hyk3h z^+q?V`#p|SGKIg{J#+Yfw5#|6e>EwmF-=pPF7I&-izt1K%?m7Cvp zh8KFzaw7%e7HdtVEJ0%8xY#k7%KEV|aEJu)CkBPuVjOPOqa~j?tybI!1PtQV=L+@V zOqTPa^$IYT5dje#7l-kKa$!~&0smwL@|KIB(^-3iM49$)Mqu<8AB^2AHJK;14ZwJ; z_6K&!fQXIhx-i)jBjC=H`_k~TdD!Z*JXb!q8}^Ee=peZ?|A%}r99feuFT5gbzsVYs zaJ#?HH^9~ObgMh#Pln(|jih-`Noq$NTmQWlOgzslxC>a6%%$>_7=VAuIdTycnvOA18$$YVQ=oyTtiYF<#~nig76u{%W2KyY};C2hS~ndFl2srma$7j zSk1ivxcOVDH@wi0S>Ojea4okL7K!s_(dSOhpp1zCHjs zv%R=lX80mrClbyqd*ZH(4SQeKW!6aoc+v94U9MA`9wxW#P07e~{3|Yx&Rx^rE$1Am zTLZBJ@~c)=`;R1Ps%^$j_3eR{JAeXJIIfzn!LT`!kvc^w4scvlqPx40;)hFo6@V3Jsn06#8{kJFkH88)I`4vWD@W7tWP0%}v zSB*EAKvtKma~HoiJdkU?v`ETpt>}V|3iay$teg%|;c9^%x6xx7QcTq@tI>3#8k{ez z)FF~b^LHb1TZ2K?N?U+mXoPA$z~R1o9n+_rK-ux%Z>F5Le`#EGWTzE5r@x$G&OPxP zpEstZOEqkeB>fVB9JY_8*|OP4b_Md8=f7cBqO!ZbuXpw!fh8}t2DXc9ivc&r;eSY^ zW`@^P%^Vg>M61+H+Ex8`8IuF8`nfa^p+S%RiI!C5!fz`B-Ap7wqM7yw6ssOY_vs8D z=d$m~Tfu%_Zgaql)%HPsZ*8s=!1U`a`2)Tn@Mz8bb`*73h1WkBBG66p?T(@9xd25{l;C**ER3Oz@pZe`VD{GNSGHRD#Q0<>{gU|C%@pDS+*^ zllmmhUQfN|nJ0gJAzE@i9tiaMZu66KJm{`(u7ft?G9C0yF+VhS;%kv_L`x!)puxgu z4xht%e+_U><6Fd=#=Lk#Y!jn0&Wx_RtaWELi1Mo`fc*6a8)Dp9HW|zhkKtHyqmf7f z_(o^afQ<=!Gb4{-rKmu>z+L}ZU|X~F*@^*nrQpjz5CN!|g$InIK?XJp;;0PXSR&_Y z|K_{C#J{8wm1`NNvh${=`7htsSMe$ABGT``2Hq}ROQjN4sj|aKEL-hXuG4sb+!`xn zT}h5ss^`e38wr8=3cLBFvetm@8NxuBg73Xzy(NP)gAU)^&$>$NY*tnzCpooz8KQGd zyd^nCFJWacp#m`MP1Yj+uf-^ZXX~GF5Z!Oa;c;-4{@`v)35>Ghn z!|<5~JKP&iOFaY3X-E<8BIRa@otHoAMBsC%eN=_$-E;HrMzZ~_54rh`6s}XY;vP&q zd()YNA%~b@59sKJ8`ML2wsWLAwxMVlQ=$*IudnX)P;f?tnUS1w1Fsa|@8*_O&@PB1 zf5zFFC`z@FzHiIPXB@u)d>lhQ)bti7Wrti>eV7EF4SYsuKE9?zyp8Eb#ujsdx{1Ynjk=RJ)p z_-rQtXaEG!fTGSQB0CrLM zg(izsh?dhbxjc;`K>CcNsxH=8=0h-PSS=QihpvC2x1wjVyG9)Sc_@}@4kZ(8tt7EL zUStnvurzsSsBb+f?sI=~0U}n{Y7YT7h|=K34JG|W+W5t*KBP3t8m@Nz&LlUAdFwE4 zn<%|dft_(5J@4Zm>xjHz>!CpReRb~t*%oX*f=+g4Kx%Cq_?M3lgc6WhM`t<=mn;A9 zxY9=?yPrSo1KS)Q zyOkJBqN2I@v!y@Md2fOi@HZWpIs0I8{XC0`W6)hVMkQh|q2;Fx3SMn7A_D}HXw3*f z63(ytBD4F;kz%L4&@lAJWVSXDr>kyA`frE7Hjw3E0EQzM4|V%~zzNZnb(omjvP0ouh;E=jV9}; zy@IM7=a{hAetb<8Q1jK(I}mH{VqdPl+-2@q6U!6x>L*`we*t)vtO;7nLrpGE2O(Uf z`qOzjcGDT#&|T>UdzVo%BUqjPh7A7DuOa*c35h-eenZKwUfDkxyHH!BL0+r2?O&17 zJpdv9XVU(Vcly`iOnzx)x|gg8ftD(n!&@S@fgDVN=_NK3ZqVQshb9`&EiskRnC{v) z);t+X_a^8w#+cpNqPX$#d! zn?k&W{ejY6Dg@(~Y*Mj{ZMR=k1pmzat2-~~8A*($Xc&)&eEbgpz>!<%*N2=TNq%Q) zJ`-v1I64CEov$UGzTup@%JIB_vai)>BaT%_(#2{xXskkiwG+r~9vBL7mU>*aW{5fr zx3G{;=dp-F6P^x>*f?wriP+7XBLGjXPtpE&Gut_W|7Q#5fP>7JOF!o@Wug1?QCgh8T(}p7(nuFIOug4>uxqb-jP3$HyT!nR{ zC5e9BdrxeeJ}gfZ#uE5WfDb(^S;9U%2_Gz2G<|^Hy?oZ{EcA^bk_i?lU1K;eTEGdr z+tR{>f591#HvQ~Ovrxs~RxJ;$%T3}~_CW|i9Bs!7>yooJz+y+S%4&tW)SA7?1e=!! zTU==wZgQGYi{4-Tx=*^F5sfy;A7SBTNa2i+AX&88bJVQ*>I@YH(2k7ztF8B+Lq?IIUTVfRS|Z;11kF@2=<@!k)KFV1uCW3((Fm}N+J zy*Z$_-CY`ZjYJ4EK|r%3w3D46^99zC>#qkY9ODvlD(U7b!qiJp-W8Eb1 z&z<1xGMcl&KA?0`042EflTz0Dk8Gwgmc~tgiubXzZ`K@+dOtFgYv9fc&ihP;KJMNM zYEq2^z21CzzWqj6zh~TXU}>KfeW@; z^McC##^An%ZhI|KdfJpGz1DVy3xckr_p+#{5p;mp!w1{%R#Lh{y@cA__@tR=tZ$FkNJ#_w^ z0r}1(Yvs9K1p~D1ERuVShzSXg?r!1-h*>BC|0T2FQ6tSfTOBCU`CvkV_>k{@e4Q9T z$I1}QzU$QBUwVp}gGhAO841-M z3x}3MlO!6Gp%e87jc9JU@mlfz+J%GPI=>8IhY4N2D>Z!LB>FR2;nBh~S)l63>8^&8 z0a=Y_QvCvW>`w3pgOfzN03RFhdi%=mxRI;s)0_M=32OM6@sb!CS<{7!(x)Mc6CiA+mhZFdLh=o1!-^?3eM{Gij~0K^L5gSwmXRGZI z%F-0}&wX;~?1!!K;zJ_APqoFMxR@RRJ7Be^mP*g~?&< z2CZ4ohx8&*!{uN~L)1J5nJ(gb#iR<8&ViYC$mHij=f-$GE1u@Z5WaP}(O%xBw^ilS!X_Ct@di^yfZ4^HS@q z+^n&As!{6o{V#C?*gKP_Z0wLVb{e>)>-yi+P4>+z&?xn!{lLPJ+84$-> zlNpi4I_uSpg!2-HR%RxhsuE(s^F)xvO*+s=YXlzHmt8z1y!EgW zn38b*&|a}fwm+PX@o;x(+E2$(nqem{Da()bi}%_cvlq)?`Y{{_AKO7Szx&$M;~YMcMKgq9JNe#s@i z@A{HshV7}VyEk1V)5%=+36IT` zaSiW2m{?xkY8v(u^A6lyf8EcQDBzGY0X*N!kGaDsR&D6j-$y_E5j5L&3=={XJY*3X z)kS(*7m0t9pD&WUAs~7@|5O~7`rVVv$IQzNv+!?x4l1!F?TyiBl8%c58d;rpnZ$$1 zzoy~9lflS-L}_{bpL6|NiQSmz-#CG1iOGaWBG|~fEdJbC``wAfcJxjdMof*L{_W`$ zfdf26IIj(sG>IrQkH2tjz+8oS>*fb6TuGUy-kZA)1cl{J0`LlI1&T~c9QW^;6Li;yb z`uAhi!xB@?Re&EhIxSah{8*<|FOw)olDAJQdnBERS+?pWEc(4Sv0D3wNI)x+6HrXY z9`iaZx}o6S3$>=5v|5zU^kXl4vd$4>^*s41RZv#V#O-_#7xw|AbF$iI#rCxJbo(73 z11*{=(0shI)jY1g+)#M=D3vbU} z>9t_5XTzpsT~j@~H^1F;Y%72n5L0#hd`g@x40klC{9i(~Gq4dgqRDrburfZ%l`oKYp=AQE|Mhn`imdYY9)B zVg1*>n)~{CJGaw+%O9_QX3Ja>C1>f^$m&2?a`pG!(eV&g6?zPpcf;v)&JL*CJS0!%e_pw!LCRF99VmWu`v z3mu95g$63J(Qh+cBO=L-#76-O=^xkYc)+KO4&u2=LvjMjf><{z+@D=!PWq)8L7wEi z_D9nol~SF7SAWvH z{iNBd_@^2U7!!Qk@HvFKP_Fs!@=yS8Mdof_4k&3WK@Mpz)B|rO8x-9824kI0c8AlM z;1JPme|uu0Zv7eKsk03|yh;;1f#*vT0}QEY9Zs?$I+Dy8*3BGOCri4dd`R!*!KqV~ zxe^T)f}|xzeE+amCvbeLQ*C!x+MFhT4wOu82KpkFYA&x~a5c{B7eMcrk~XiOyoy`u z&%N|Fw<0M$Q)o5=ZxfwNQ(F7%n$CoG zpioVAix18=&a`40>5Mwhn!O&+{`c1X>ctu{G*VPu_l}WvsOD1F|AYU$Qe>??x{bJ^bn9jenqX4y? z&hl@=LDdA{Wh@>>N@1Tn#atJVGruj3R1$f%R-?;Ig?5E;rB*Y36DWIzyShrd+NNmp zY4a*g0ufe6c@v(`7ie;p6`sO!KmGvPuAbVMjpFiFQ)NXrsg`GTYWy*$f2zQ>@Q?Y_ zAp6n3@Q(lLQD5jSWV%F0w(5twHWrnn-lHs+^@iUk#rRXN#MrnG3SVht@ee=a{vdgt zx|2E_wK>(1WS`*z9Q<3AzAe4n))zHbM}o^W1F`hK?ToL3xzWrJXIAe~i4BVj`|!_o zLygS4QaI)1f(h7O&(yu!{dqNytbRT78fx+Keu?-s`Ie*Ul2(=Bz!nGIM93Kspm5}H z%+_7!&oFoUwI5i6#!45G3<~h`DP&qqeC|fDQgY5 z#%v)v`8zdy*+?}OFUfPJrt93t(zruJxb1E|XJW&2x@9Gwtc#|1=o1dz{tIm^Gp#>Q zWHXX!gIQ^7cC@uo@G7Zs>yfSw!7kv(JOknjC}&J(t(SHpJz6!Q3{l>>t(L-O0!&L? zX3tH220ZRK5HhH*oSE_nb>d_*zh0_wrtdp2vg{SWA;)Lb;Zm&#w-A$LW=06kk$d{` zT9}n$w1cn_O8&k7v-B?l{7bjeE_-Vom|0lQuCU_fJqbO7o;@EWvJh#CQ=jk<-xVwsFC8;+!@HgC<} zrvDUY!0f&RVMp1Yl{!z_UvY;kYP9x{Gw&se#ZvPZ>${KpKV11^AuFkBI?hnT*genf z1N#NfGxSF5OBz`VhLzBI^F{K(I_xk2DaA+YY_nE74Da%a6|$lIm^931fZabjwCIr8Fr|21)?J|2Op5>usVd-7^6z12?abazrIBE94 zKEs&L{OFhQ&db!E2?Fr~f=sKD?I3M25zZ|rkNq5-9ulJffZ9wz*9sbMnE*xjTd z{Z{qppQPDYM$IZAz>K@}tBV|ejO*gROwrt@fFm&E0@W= z+cnu{qC9M-R?tL|v3))E9=4=Yro9Ubpb|fcesO1Pr)>7Q<*+wZPUu8feQWjMxcuK` zU3l_WKI1b)_0&?Ga~WRM$d5RTTCE?;d%`KLTQD%$RlGMJYFzGZb@@x@#cnS>fFaPk z8l#yG24g8XxV|7_8X$^eja*&IL{Cm_cMqKi2`UY!s|L9Uc*qXMn0P?p(boOA#X7Ni zAUYc`Mf~`FOG-bCc=j4-*#WUPDb`GENGqv}JI6o5!?^TZ>k=GZ;jK0|yt(rj(^>F7pd(YHgg0F&lSc&No!JH61RSzfctu1sIcZ9`Rx2zwGL{S z^Thh@!I1NwHUdvE6L{(!lmNX|3;jaW*eD!^s5_hKh&eJ7HE$Z8ul?NaO&#*_cx5#) z*Iw&e4K<9vNmF5j++SHCrku|qoCc#aW^>>7Dxx7+E39q7)|KEkDqu_=G$VCvc1N|9c1z)Mbho8(!%H=FL-FKUjYbG)U`Y++Q}|@RM3PvUBOfr}?N+dZ z0kk2{p_Gu-b~eom$!T{iGqDO6(ho$y5zLm#rp~g#p!fDgkR|RgEcPqdpZbYcWJAxyA3VnDEMGo&uj z;!jzwIcP~b5VYccYe69RBM)M}^(5H3l40v<`??sGbPf-fiv@2^_@yl+qn>;x! z?}Zb}?mueb!mSRx1WYT6bvl*zzMXUFJRrsdItjNd59&sP5zdS2fRT%{_b;aebu-^V zxNt;sKL>t_FTVCQ6jDYPC2>?XPmb>d)b-dSwdj1{>fAS~BL6t_n*^JDT_ zwW>T;2*}(&{&M#)!>#stU$lMo;b32Mhku+R{lBvS2Dml>3zEixxm?j^1W!A5Cq0s2 zJ1sYwiwoLqD~b3p)&(VNRKV2EJwRd9yAHwb|rz1t71b3Vy8f@Qo9Mzb64 z1({(kkY#6GBK?3+#MSK6S7t$XmeVGcJ@WCc471vMa;7^_g*Wiaec%|bKv%>6y!I-R zxDmg%t8=^{16;$$oyG@@0bxbP*Fs~feMHGJKKEkmRPJ;WUk6O&dM5oHVzV%hq>Zny z@o6ry3IdcPVh7)YF<`rx2JC!eDAuJcdf<^B=L0DZ=PGpXf< zazAGhy9VdWgyHnIcJg}d)<@16O9sfw^~r+lMJqIb`*sD<9|4$sY?z>E6u*TKg{Pi1 zny*}>_c5L7x}75w>6AihtmZVnvA^9AYo`a|m7oTTRAx?n&!w96s2i(C+?OP6ALLVK zd126n&jTL{N|%&zdz`DFzfYSj3qm0RhC^`)2@ENJqpH_Qi-4p3bftw}_oLz#5XP}R zz0XEE#*|I*uEuOi8UiY%7~{V!u^z+ua1~AD0Vr#d7?^X>DB`un3${B&yD#+TDwx=} z6lI3|wJo-z#0&c;wb#4cw}e8nfNg8B#`L|#lGCb7jJ0*!>na3>r-d&xa>M!-zUL|3 zj|%5uV|O+QsD!M$zFqEhK?4UbT}uNRS+M~po%)^--7N>q^Gt)W`VmS=otzeTD)tTyb=(oGl( zp8tl9hP@GU2v3A$p0!E*u%^s{_@E`&S5_H?!b3b<+SE(f{?d8BF2g&+{=jFnw`MjX zOjg#%&g9lfg@l3WYxy3eaK74T zM;CAlgoV}lcrE@L2$CSLDNMaw_q17Shq>#v)uA zpav}k?es@?kz*o+XsQKqlXH=9+bFwNx+}|N@=%t4$k9GfF2c#C_s^5hlxx}dU>P@T zfIdB(w%I)1A&cknFciq8tL)yTbq8T~&HrGlhG@N;z;&;9m9~0A!n>W*`49q;4j{g> zA=PyKB^wI_*DQ&26*buIMkv%C?`8IdnUMe(hx1+Ai`2n%5pHl!;p&7!=~)~E*70VU z+deH3FT+zOLsjChaY1|WbIfOx7$jQWyXpo#y*HCslDWX!eDSuBMe>UFCtp__iJ0!- zCv}%3bBY5VihYaglFYlqyfpsevh9WH*DP;vGb(1x0VZ#{B}oIAEMxz=<`3=#!kn0O zVoT;2SToPr4%CI+l%0n%7*eUemAgJm1AC-|VSbJhNW0ZRkMdABpSr()^$DwZj$N63 zB%RmD@0sDp%HFI`q4QBU9Z>WC;;}4Z7_=hv)D-^K9SN@kl9=ocrpia((6i&Un!C>6 z^_(CVfDHs}PepCCWBn};FZjFYs94>Rv;;G&J-eCp&$qqoA*BDl*NXPDh;y#oT+|jKZ~#=G_Q^LO~uOHG-%PGl?t)ww&B}&5MnsbZKJQmGh|)Oy;{$EQB?^%vh=Mng{2~>8tOqi zA@b`O!!;%rVfGf%o8Ju6CC$AC2wUghXt~(E>TJ4T`}O`ny-Vl$stO#A|9KPhCQS`09#3_xkN*|Mi4sSo(MH_?7+FH*5O=Hg^N3dHtMg z@#c6}MtieJPMgP3nq-qs?07MeEOg8{HI-PNHkH{#k&xHYjZfUboUhbeTEnMrw3p7X z_Dy6i$@6m`lulOrw_U{48P84vGSX#mz&A6yhY@6?v+3W#u{1jmrgnVk-=&A2<`=lv z2WwltWX#W&Y4ajE`R0ZPy_P^)!F(%+X_b=F$9x$uez}un-ypV~#Qj##MU0AnLth3g zdrpu`DF_}>H~RWX41AFbCQ*29TA0S4r<~uQEQ{Nq6XX~i17s#d+sA#}SW-`YZwtCX zZ@K4?f?8J3{iO|-fu)azs1^~O_{BeMBnw!)kZ~-;_+8kK4EuUzvLL&IOhnsEV9fI2 z+(z>muqaqAGD@C`Yo~+`kDF@#Lxc_eYg_I9-q|2;9cc1UViLuHaJwd}jvuF<9t&(W z77X^;59-BH!~fk<)q~$Lhj$`AP9nz%Cm`~xwceZr9>TapJh0s;yJKzx_n{S;?T!k6 zJi;lp_2AnJTSUnd?^gx;EOT<45en*e5{J%&b$-_g>T;hc0{2b(yM7FU{Ml$VMaj0+ zX*aiA0zV-;`GR$Gb35d*lEYcvdUN`X=laTbQyMq=f0vIeEKi+*u1Ul)u;7H^hhc8x zv;{jimT_&(fsH`um6e7O%wNu;b?OWS7W9XB%(hg^@PBm3d4$EIlU%PA^M%lnT~~pK zuh%tFKPXtN*z4ew!|vB&hD;I5EU+ZR5w(|7mFc5P&S&lVAkSkl_kaYh^>qg1Nj{rX z56fuwc1x(yTTw__P3PEe7XatM4vY0TUB=l53s9u_xp+`H`*zTML`D>@9$Vf!9mcH6x2-zH z<1kpRu{Gq9tm{!SrK~iE&xA|6rj6IqgEXuN|Fu0e|0i$q|Ke2q?{DEhhbJ>0TMg_;x&+otDJ`l7@%gx$J5dj8`C#^=b>a7S#-I3Yw*%Xh zd%@vqckizT$I|SN27n-w$`1KTY0vOV{SxA<3sv28rmr?0GhXPjm45LTN=o)m*$~;d z8jjN{$~nwQvM1a{7o1;|K-{e(Zk0+QHT1OEC9&AkRN>u(jqHh(|=b`)>+|Mlljq`-i0 zwlFXg%?%HGZ6*1=5&s7xjvot`=vh>^cTQq!Q=c3$<&p6oM)Z zDgRA~_Q3=uw&y}Ob7V5*!Fg`*3$>u#T`|Y@1kdwlb0AHF$OSqSK&qh2naZPDI&)ZM zrXasj7lLGHE+nE5QVLrcE0@J=^ohSEB`IPUfsp$Z>3c?5+wDG5et{q_Lq=`qXf;*2 zqe^{7BD1;UTWD;QYt#Z{~KLq8<=gmu=dJ3-A&hVJEWF6OC+&o%?SG zn-LdJ7Faftzef;Hx7`2hAO64jVVDvL9>ywg{$R}*;|%B%8FJnauVcR7ps7?jAU~=M zV34I~*}3oy%_E){708h&zz?Bx{{*_orEEL!-pzkx83w!T6U4%i*~DpmFbICkd(0lR z$G}!#Jj$bQG}IXDz2=w)?W#T=JYEzRsS2}mcypt`(KKA#Nyh{91~Hr3>`S0n5u zodr(Wg^jWoTca;`L9(W9pPZr`l;J$wKPYLH_9^P9 zk{+pdp-r?7J?_P$xGspa6JY>*B-9(&Bhr7@NW3v`;{Wv;si(kL&cq3{vLJdO!m?0) z5?IF;&WLTN_7Tj>u)mYqTf=4vP!f|D-BXW^yi+cDzh`nGA;AYva)Whc_&h1W9haE| zK~KMs86(U|3h~#0p3_5(?kFzk=FTO`wFX7Y*?ZoC%48eIi#=vdu`CK{c3o(3^VD!? zND!nW8#xL)lg%#g_U*VW$%D*GrmBB6G)Yw;7(dp&>-scU^azn~*dw49;1^*uACPx5 z4`R}ntt(Lqy`aad3n_Pk1Ui)r1gdps_q}$V1-=xjkfCPP8i8|)X5rA2@b(gswODyU z*)hILb6>mT9kWD^<)6NY{9`JY zRFV**Xt(G_1rw6kFy?uZv}Y-%1Rs6$X_Zoo&Sur?UPF&Z>MaoQkuu_qA?m)&O8f!& zyTcHA%|~1~!7HQ(MMkKJZ0r0Gnr847HQIL5k;XE;btnlTOCEj*=+m2=Z+?}8mo{)8 ziQ6VsZ{}ekaygWUKBbHw4x=Xb^1F2XczfP}%Ha5|zlUa2ntns;(PNw>;(>RCnx#KZ z%Mc$G5==B(s^Ep%ulwqFbW>%xDHj{8_YvOAJA}@1A~|s;dErT_{r_1JVeQ00Li{kN zr61hQKXZv-EUqE31js9MT$OZ@`BeJ_sftC)-OTHupi8-!Q&lCBwAkG-(Zgii@$+@DwUZ8<|#w+bsEovKNl2W#u5+Wb@8e2ZTG4CKdilnUz2T<_kD>dSm;$+ zC;}n^g7g-V5|kz&y+lA%x^xIlKza#Cm8w!AQUU@ZEucW?(t8gz^n?Hj1bE`^UY~uR z-M#nOy+7}ta31FzbIknaJ2O(K0@;MAf>N{8A8UUtY2K7_N#sgKaAY{Gnr5eqD7BKk zZG8yRCX&Z{Xp&YojYDp-wV z<5t1mt#Ytp*iplV$p0(D_zzd$??dVfB{@(iXplMvNlL=Beky#9;v)xB(g9-R3gyW; zrN0$`2KjKjTjH;*oQ5A{Bu=iV_x#wfH<|8Al)`0cHLwJ9ufqIQ` zZhn0hwp4m82~{YVN$kjaK^1@-W08AirYFWuu#3BI;xguGyQK!)rX4fR^MXyrmSh*i z&+!FjNL&)L+YtMwzWsTk+Q+=NGIwIv$rbVHlH|XiJ~mesb2W14WVOH~aX0^bK))W% z#rZ2U5{lQ#T85iq1@pH}?WkdoeZ8*(iH3@seEN=$m2uQ~So@yjqELO&|WZ z8;q*8RTZ*5W^0B@4YIgzu#7tu4 zdrTNgBXkRexPPcri4IT7cX#N_QMw~2%{C&;?6cBoa%y*Po=N-}`xfPSPdA5>@&?^1 zJxv_PaJK;a_oEvs(|6kkHJIS{o@T$GQaafDY!8=hcnMHQvk^hAT2LNDiUSjlx$tvnAKWnSEpYC`sE+QG5<% ztdpton2b~gATpLe=!=Ios@0trhAl`5y2-v@+ZBN0UvL>-=4PJZb)dN2y zmF5Y{uwrwJO#s611;*Z-q<9kg3LKkfHM#+)}ZRXJvZ~st>@8AhLc$Zj@%!>N@=uS#Y z*PAjPe5>jsNr7~7&K!P%oyD4o&SWo`U?l9+-fkQqv;~SPC)%0Pxqqt^gxlIZMZSs` zITY8ZsmNpf3f}svD!t*v%wHk*P?k*k;T>irb>7vhHTvV;bbq}U594a3#l?o^MONx^ zWO+P#&S3E%(qD($27coXaP?J%6d}#~lcBZqE#W-uh%m6KQpF_JW3XCdM0wC5Ki*sQ zzD6`G6E_(qBQCGL1tfK=Z-rlBCna6~Z_(wya*3X7WGbyQ;*P<5e^e9@WiVYcUJdmm zM)h5uceLso*zL(rET9h{xNMaH6k4%{UztG zFwH0gn_7oDDbPZiRBgoYDIjUbo?K)aJF{Mv_A(8=e|4nyU-6Kl$WfBO@kdRXj(+_n zYLP)jmqF&*IX!RC9BJ=19l9_S{_aag%MZ=0xVmT4$$+04gxU(?H+?Z)&fu^4;z!Z8 z4hi*v=ome*W+ck&F+hOHGP?YvCJ|6R%i`J5nJ3k6m$_35Tq|d$uQ6g&?J&HP{isG` zY3$ttmuE`sKO_Bx>~G@QO{m9fbm58(UnU>3_7>x8tWJixtZF&GkA5M>##kfDoGz07 z;@@D>``)9!DJ44bBv-d}ivz>GNP;hS6aFW<+kZZU%xc;@q|X+(%W~_cL9U+>j^9E1 zU3D?U8KWO(b2MRTdE340Ni()G()#-_>Agdb8qze~>1a!@B3B>>XKiLA*wTj+HE-$V z2v3bH7v$l;L2bfkS2?ngSi2ENo~IV-;x*!^7|p1};sl%CEK%AQ65~^fN>I-$rsOm9 zlH-`wH58__;kkI<=Nly)cQDEMe;Eglt0xH`JkaPW4|<_~mNQM#9Iaus z7b{61HRPs%KGE2T{!K(r29b9EDxSQFo(uX<9YJeO_(ONH`Nc1g7eT8ixuMdZ;`BBN z;v52NC8I4^VA9r( z)z~PSFoi$@SK)`qz*>iKaz=MLf|E6@{M6j~wd9y|pHaA|gdC$`vj@GZo#Uew@b6ld z)rq`HeeFOgSmLm;^w*4>vVvFl$nx}BZ`{B4&xHoMYJU<0=}j(r7ca>lD!jcvnZi8V zIjECy;(fn3=q4V2Z%=~bH70)<(z_@6@m~@vHe2Z}jMrc5ylP_=mPp*F9Aj%9XS~c= z`x^Z1no&o(IEHpCky9Qu=#-1M*IAX9?t$lg`a1eW%1bJSeqzOP?-_HM-(AZq5}k=x zxi`F3>3(}Macnk{<3W$@X0^3ZDqt&8HcBs^?_@OG$yPy(g$7j}%HAno=*Y!_5kPf?fN1itp z5eZMpBlyT3WvAs)z2=+jhL>GppDLJO!+7&mR+w(cB|c@j8z~2rCdTn}ZwWO&W|Di_Vk%tM$sqSIt$EB(Np*qYxa@ zA>x_teyJh8XtGBOd?Eqb*LPlYL76k<%;S*htPc{H7HV_T?upFsN^QP#@hee%xj z_K!MqGUaI#>i_&F+ob|ib3r&;{UD!xLc4w9b7AGwO;s2X%STP19Z%DwZ}WDC zk*#PVU9;@d_@&z_g{o0X-`hnG($0J0NV^~^4WPDn08Z@!k>jagx$cf1E1*wpd4c#I zuy`S~=-vi~N5cV13a>S+qH#rutX~sYrEdJ3xqCO>^ltp;XFohreHiuH^1RuUH=cYp z(>`EpmM*iFpJE92i*{wTy-N{f#^SS4qiZ=XXRmwywYfxDn|-vGi*D7v3}2Q8DgR^= zIIf^Bd{ABN-C;W~V%|b>4ORfLU##Zw4^_#LI;NjulSVkK4#<%@Pk7-6Ij%k) z?yBPZJeF%J&)-tUcH%F+OuI2v1lk-bdS%`;VOyfN$3Ofw;uN;Z3>Gc_fxlkj+4=i{ zXfogbydd~*hUa;Y3`051`59mLS*10ch1{1i>;n>q(yl^gB3V&S>jmbMiDs&c{6^3Z zBhfqo9yVGWtMK1+T2t_qN8QYvfug8xu}CvhLn6e8zXe;Rt23P)SSgsdJy_}!$Y?^a zXVGH%X^kmTn-Ji6PI9^WvY*L@c=~$#Dan(6KdG!Vxi@ZBnyA%;B@-9(ypPnw)M{9w zOQO8dT|Z5$Ua)-KZp-l|fenxbl@*XSQgXY5jt4p}Iia3jjuKAa-Y`=&Ro&p(NNxeu zoV(v#t;O)hf9jwd<=OAE7$|-~XCM}3QMtLILIa4Njx$@DNdR}RfN_P@2*%pJNfz)NnYcW~t- z$(YtXMQ!(aV)S~ukPphlrl7N}$2yRI`&NMoDcIu#1SwVXz>`&P-wtF1M#^1n#@hAD zKbrk!ZA(%=Rx|Rrz+-)uKJj!!CP1!Z8})hWk;zFcI70UvSK~-`anoYTWTwVX_w6kn z=eMTL?>~Pi^+Rs(zb%M+Yn}a3Y~ru$obO~h>=WAQIz$$F9bK%IXsE68%cef67JRM@`8Y(y|W-%Y%C7WF_#0M`jlwFMA6y8Whvue zw1q=>+C;wNV)FksWxB7&{Zui`$JE&r`jJVFDlu7B4aXbyQ1i}Xhc_`jQUts3X!vdR z?HCbddY?D%qvH~OSoMenrx2^sXvC9{5Zep8Q1t-=V4k?NgZ#IHfMi3sz-G(@b31y+~~@imGVz1_n)NeeJbNK?gIhg_!7}3P0(#u8X?X}u?+dhXFqMq9aDatn|&n>ADHfzj< zn!0>_JwK>-!lEZg(`0LgHW#$m;YVkI67yw3eP;i6g8lzaLPEvZLLp@HKKh-DuM0k_ zoV=an!J0ny3O{IPQ=(#*Rp+-6EoS=7xD^{kh3H!)DT;#35R%JRWz3fHiv5`xDS}b+ zGYmq7F9}-RtnNa@cZ6YkGY&V+hj=!sOv;OBynn)fUDXdJ^g!k8ww;)-l*>JAE{N4v zyl!`oR1KWw$j(rXWO_)>hH$PR2PscWdaC*Noq3C zgf2!^R){xyR0=2wPCJ0xMeLp%t_?SMP1=UH=(aYBBGdh8L){sWMKgKLd~=xXh2bQc zNXGU??&(?@Taz;(CxMy%U>T4A>WaRH1e79=(arx*ttmJTrv=1suAxETGnLKRs)KEl zAHx4*0O0SCFzT4AmuN!SZwDL5MXBEAO75~B?oPCRp@2l$J{H`i^XxDX zUDLc}=;>S-)uv|Yo?EF>sRENqSb8QDh5QOW*fd>v1Tx%ZU1M7e(FY>F#o5@GDHXKU z_3;4440BoXjjvsL`R=J{y%|%_Rk}4w&xENjU9ZTjJYCAjFSiT}7Mn%KfIooUQ}gSQ zJv7nS<*@rN6J#aH+561|fh*QH#R*x~rW~BL2QHm3Z0gU+q6>07~zf z$>t4IR>Uufz0I6>F)6rLn4R}SZtfh%>40s2oCfOu?zEr`oK7_yyXSe8EXTBKIZTj( z4w`a(#`|@C@Q*c`;c+LoG|~>_2d|ue8L|C$#L0gZ*+}vIsWARBgMN(2zwL3$k|)bg zlP&6Q99LT`7XXt}33{Srhe_S&HATH%8psr=p!cD4!rH_~d#Wq1iai!C;tJ^K)R6jY zqFkO5MV$Q79aWDcWh{xIBne9(aT97|Z6_MyrD>*>Tg(K0JZj8ywfvr%X9w&J<;&?B zX=HQZvTo=f9>?x~&f}2HlX#pp9&+nj z=Z+1#L+rzmas15cZrk{Fzy0Kkp~p_~7| zU~r88oxz!7Y**XQ*!V0YEj`(5T=l^z9;ky5FDpy4>o8F4cp>^pqsu+EyxzIjT&h^` zDnb3ni1`$B>f|Rg+?nb?`l%yr;)`tuYRSl}4Y2 z!?kO7)_QbwV?e_m^z$n*DTa-SJ0lIk*_WYr*h4C3ZExN$AcTs*e9cZ5CU43kWF|#|U3J z#^N^$ddpYooE^yHABs?JoW&iB&bJZIjc&vq{iBqnbvEK52O@2{)`{Yh+nXA?p+!o} zHF7EsO(K7Z1k~o-luRkabyyx?lxnwDbD}3vr+8K$=;o`~HeA8!U zDC(hEsn4-$d~>ZKDWRP1ax?ZphM2heX!zT@7fqCIt*sKreD}APZP3Fcvhf^)Y6%N8 z@pTkjX*^OH{nlqiseRppAGW0O>-6{C1>Hv1{kT!zp9s$hfoAr{u?rL~!eo`~ z@89{KbAy-sWQT%_REatN1+BAmtJ^x?_6sS5$A9TgXN^_AiH!D$U1)EzG~vKb(3uvG zt2#SlR9N}&ngeVI60Z{>fBH=$c=ZwVxgZeP6P1|x)hOu8U1e-qIqFO2cLAX|xX?pc z{if@M6Ibu(97jevi)N&OW2DO+ZNmj>>@WvD32?z>k0Ns6$Fu&m&BFhB)|m{ncxPg& zByVuU>gfI6?YO_99v#OomImzsN;>$-*4D| zJZU@`E#>aOQL>MwB$rCuM*h<_g-7k5Z2JH|i(uq*li@zX^4> z5506h2;D7(2fNMOUA`FQuAu@>g%`HtmWUny-~ifvZd5IFt9kwSSkt1sc2yA?bLnpx ze_x&ZFB^0<2CVjSy^JZ;I#>Ib(@lki-h@xKxpbM$wEL$M+ull+3I8aFeaZAMrWzZV z^Ogcexl5~KC#%Xk;Gm;eY}ykj;GVq5Y-2dROheF7L8WY$ zq6US5p5s-5Vzpm7uL3*no=G7it2_pK!9m`L``rYi%gT}+^u|4UI%9`XU#0bjr<-69 zBNnaD;cGX`rkY||Xg9BOvCCR8zrr z9gJp)*2+Clkw*#iQ-gdxrPe3IiQe|M`H6juV)ww8H)JX}2+dyXE;uPDe_BPV+70(A!UNAbUl}dNO(#i z^Y(VVn34~Q z)dr**^*WwLu~>pydWFSbG;&H0Lkd^74WNmc_+EiX|2__VD1eIWraa+O8@N^oI$l*| zLz)gTMLKd4RdqswC+i){tuw6RAoO)cYIp1|)5jV(GezfmkwwVaq0wXQUN1xkyLi^< z+#Rxnfkzt{74mzY=$^Rt1`k^(mFLvQk^V>#Xt;Wf*y<~5q>c8yRl!Kx0tPOuq06u^ z&^;9}BiqY!BV=`3hO}I7Yo<2E=`6Of{(9)hp8SKe9kjyo?V1<|#E5}|HSM)&KmUjK|7-P@!t-(`ZAfK>ror`y@XX6hF*@ShZ%SsmnH5c0%#py zB)MzfVAqu}Ur2;QZ;Te00nm7N21{3(s=9xMvd))D|7^-vf~T z&tZ<#PxmxAT0g=bh6)CK`S!f6LAoDVIC2#u6q@LecjNvzT`0V1lczoHFD*Uj9U$g) z^h16z`IGmiQDV|7=}@m&fR;ZMa7WMG=z(;ZFin-|e?XyDa-75~`*JB2vD0?wNsHio zWa6#ty|ANPd6LZJed9N2tX)O1`g4z*z^=!BRt-LnJBceBHM`g?ZKoIi?gQ?((Ji)D z(sW`Ae%R}(KVK46z5;bx5AfG*4!1gPif?^{IUlnM`H&U*Q1M`4edNQs^?SaGmfh(R z(D810?DRjBJ(K>j0leV=TExAmu@JAV9omBj7oFOVB} zwWRgiZ({I+kCe9dQwCLT+uVdj=S2=y3ji=BrmBM@D^OiP{Kq!yFhn2t+@8|w7m)Js9<4KD0v*0m41=9b8E6PeB(~0e!k$C#? zeHBv}^QwvHI3pPIj0R(xLQ@s33Z*(K%ODIrX3X%1zYapF`-L;l4FplrxZ%_Nu>a^8_KviPZOxWOqz>2SB-qWa&Y z$TeniKiqZ~)?}vM-tJ&f8Pe`%p&099&9cyYaKgEGHV{MES9T1yaBUPmJ4|eRa62Q{ z*L-vK3E3PUR4GmL$M)uS$S?7z;`6hU-!c0QFaN%g|M3_0`B1iB^P5rE5C5DHbG1d2 zc*i~Vkw64<^`@9tB?8`etO+1GRSg zW|#QI6@u;6Jt;*JxB*|v4P*3^no_G922S86j^l(G` za5OS~vc|_LhZcjh2>&)CZE<#|yzckJ0lxdydG_!6MXaKA;E?*TgCNHTV&1H|mx~+u zbmU)ZlbGc#R)bu5Z=6#l)f;Q?xqkE~P@ZPC8+NXygXU%5@##<1$f5@Wjgl>3z_$f1 zhouN+XVr-6`NO#(_YjOB!ah;`qajhC)~^nIfshRT^$s^Nv!|Q0jXOUD6c?QwKBm|` z*pl;E7>hWyuFz=rJxwgYMlJwg9cC!3DUA{po z)p-)R$1PqidO#+I!hMZ0crxRhL=ferb-9ti59_dI;;jsVmIC%Jwa?efrxKAk{=FyO z?;MT{EvHa$R{ST>7p?k1qfQ&DfGP0|O)%PDqkd{YE^6z)$<+38;+4-T<^p$y z>lJd-j4f?D9Fmqtn@_=hA3w7YTti)N+}5Oi5dLPbhPZ{GSxzwPcd_&`tl;CMS(P^7Bl%8!NoK;z&(dc@3`S6mGm$-Z`f;({>lwXQ_7h6%(l2hD#F zeCF8wB*cM%EJZ-)3Bxk^;1OnHhnf?&^FxOx+dFTJkR^hQ6M3|FMx*>>9qeH*(6{(z zHkqQRh~nNDFPL3Q?Ku&TL1zST<+M!r?v0CBdHwFDx`|9!2HYtcHGjXHP&b>ri$4vT z^6hj9c`tpwTX*n71ngK|l%CV3q4PL}EqJDczwhS32gVLXxi@Mgsmki4Csqk7M)BaD zA3Is|=@1?_yHzlpC48)X<2UeN0d8UFc#5a`>gF4q;AoD&bzBI{$*_hH#$xsJJ6N<} zTo*Gvfx3V`*JEr>;wy{Id@FFL%T!9xD{3+k|BJ8u)z|!LKfVO~L#qrV-@NAMre0h% zg!dwQ#LmHk+>hyrB$2+VZ_;VE@!_&c@>6!7%WfGE|Cr*fo5b=z` zX8aqqcybwGTVf&_wDD0+DIs&^DS~yaiqwuk#h5{XS(#u2DN&7ET1M4r? z2xmpG;Diczs=>i*a%DC}>lyf4?Kne(phWVjRtJSUd< z+w@W$bzOThKwPgc+q(6x@eqMI9Chnfc9@e*(1m_>iO~uFD3T+o-Wu=1mFRgCQM<=%vp5C)vRl3JzN$A%omqq5&L90@|6G!L_|d4rksIu9f4n zE9EMx!?!}3WWA&F?Wh%A!)qpaZ^*ow|6FVC zLsW#d4qpe;1OkC8Ul=^R7f#m99hUc8l9_Ik3W-wd23IlN2s#9W_DUthbeg*N)I0K0+o=U_?0*`& zNA6Vm#g9o%v19CNPd()edu!=XE`?U6H=DHt)34FvUk@Ib7zU3aISg`e2k}9L^Tkfi@2O|KF5+jnLZ*eAPj;OgwrWGNf}58r%<9^%D8QETsr6Vc zP{f*T+g|Coz1)jt;atpdb#|?TBWAImT06V!{H!>geS_yJ7o?32eRyo`X5h`W^7kx& zkNFt_Ilq4?4e@YQ`R)FG1rs~8^0%H2o<3f*8wTYEzCUg{8wk!hcPrS_uD(d0)LtGX zQ#T}6w3L(DIT!#H&o>9ua=+Ix4}VMP-n^C%%=JZL%H7MmeT>&jOEeYif6XyX5alTS z^z0>n0F_UP2a3{{;5#yu3r=hbR%V5D;B9<$%~IWjixICaZ$gKQ(MQPg_tD|$z-o2} z^k(CNp3K~Z$~-d9;_z{HV1chw-RPIIh!D=a-N2P)hjCX~*P>CSE}j1FO!t%#>Xrbx zlw{`ZF&-=b(Hg;fGV4I$@nX<(e_RY~S+c(rtJKro;K_i|#gk0;+oq!q4SM(e%)E|X ziz06VTN`}b8@tNX09y{0dN^|RtnK3To|WgosRKT0d1R$T6g}FUuA2mRr0Xi40UTf@ zD}coDM-FuW5#O}{rM62ftcn{P3<{`pLcVZYdR=^vKdUJCy4?BSmUbn_R*vQA0`05z$FQaF@x znooQc6V0_@c11q-#El`IcnAFR@Yjhgw%z%Gq>fcN0Lh6&re)&!il8XTSMaRVd{%qi z{wh9cMX?hD(-8{x|1F-(%)M+u7OndS?~N_Uu~!}|h*K2{fW)92sU$e%Qd7*;nuMMB zV2-!HJEkZ8Xnz(QSUawSRK6tkFq3`t=+#B~@1}#Y4_Lg}{^m@hUW4N?(0+p}cs1E; z@5b>uD2v+kM+lpYyX8su6i~|!34PovhOm@(nMpAm5asw`DhQ_zk>aA5;t{Ft8cw4b z)+5X~py${3G9JgBB!v6@=+Mi0z+S;AG-G2i*>=OkPlxTvh7tcnIp>QSqKB5A-86mn@HOmgl1-Z- zJWnZmF2Iw#Ny1tS2?)fyvynR0&22I2%cIQh@a!WF&hLOo8tC(#>ULWl_FxrZon&uw zgWtG73$5sE>n8NrGc9G?-**g>H=SGo{pH;)4e*XARy>c+4t)GayK~&$s>xguSKx;J zufjdoO6%!Gi><?d?hK8>SKwP85QnSQ4rxVBd{RQkeH$>)^ZLD?AuwV1si*Sc?zSP+#r+zQW3+;^ zB~MCJq&}bhAZK35LTh$v$J*6-VPquN{cI2ieWk3$snC~UZ2Hw{v(9uKA4O|8jJo0d z#3IBu*3r_Zr{4jt*6-G z?1Ev#%b?!S7Lh;xZqM-X(9k1jvC#w<|YJDKcu%Gp)AM%evuD~kF_I1`7 zjVs}wF%$vHvv2QFfHl?RWz~mC{UYQt*DTIW6DoF9lS?2|&jpi}NQw#u7L##%J_T!M zxYntAj{SL+hx!o-MC0^4D$1FBtqnJw{F(BLB^MR#Yh>FdAJ*a_0fLemhwJy%qlI#v zv5%ZuXbVZL>n_hQJ!G|y#|Iz4Ma_?5FPk>J9*($s!+jqFPGq{wxrnyy7JbG9Bvz?z z7-gW)WW!p50Vtsmx%3M8Jgjh{sO>E%aid81K$yZwawm>q|D-cYY(kAB$kNKL&mRnf zxh}M_6x|IRC#qB(7gXx{<7YPf6>?LIHy`X=zHww!$YnUHWb~K9N6Jvl}UZD~-3-+MOn% z`#5#=gpbWiKDR7}#*Osr%^Q5Ejv}C1^fW@U=Ff0*YRAPYlbE3!~t(A$8|G)Q^v0Ovz{1srgEh_sw3%Vs=Q zyKgd_zA!1Vb8x0K!?-uX-LE1GIgbcM=lX7O?aery=b>T1c|{R6D5WAH{=g&9D@5_^ zhl9sl@I(+g@ASe*&i^{u!tmvjBBPcX+iBZ_gzVcHn9RDyy;Be=fS0-J-{`fQlWyVj z@C55vTBsvE{qen%LExL3-d&0nIRJ0kFN*oOMsJ<ax_D3Yd8svha&D(ES#UJir;SGS3#-Tl%8*U^Kqt3$45GfHUm zt9-3q(GlRzx3=-L+6?Ppk%}eY$e_*M%Gtf9!7ztb1FhmilzS`qv}cn^fvN&=o{sBr zaw~QVI@oepWy;X=ojZMwI8TycvG7{LjY%2n00~3IC5EtuY1x>Kih%Rvy>h*&hoIU-H^T75lT*k~r-h8x^+=~r`5~m4Km5uG}aqENL4>|meYbWC??4(&E zkUv>utBG~53wA}wp@=EHe`1*(e6cBctn29?)qLREusB>=-JKk@n{s}1Ofej?96tO< zH;7=dzQ0T;=tlt5vX9U)u=A8Xi`^U1*_J5@i0a^z9=1}+tgzFyiU2Nc%ZsXIWYOyK zVeMvy@pVhY`|kWP-Bl^n(C?=26o?Z@l6of+9WGc%SgsoAYTOH=Jq;09$Z%_tx^uWY zCS2ao6YH?$x3GA)zX!_iIsR3laB!-k>foY7)eQSBT90ZV%5Kj2%!@9#E&7p`=DZ9i z4P=rPnQK{iw#*!F?Z1Mk<~&eW#9ovkYqv zNGjpspy4P?v;WE$eS&_s*3nLi*4p~}+`0<~t_*k`AN9QO9HdhTO~|m;RgI$7V|T%q z;|}oFqD!Zj_f`Yp9E^MGTF3zkaO_@CQ@-R;o&kb6-RkAT;Jskw(@9z@nFItO$) z9uYCPz;pEuxX4@_{>BmG!~_vCN9bzPzzZ``m&P$DTcDc>=h)fo8?l2g%TVR)OzInC zBMl6>x(qmyakZo4+=668n2u5Px9v$wO96~##1L{OUug^p{WH_&}St}p;u z%XK9kyN=f4QM${y9_feg8a}`3V{_+jOfn=43Hkni`-$39|FxfJI~8zlrEUy-zp6&nThfS>t%YoYx2%T42$Ms%Ma3l!H!><0LbaM zai)B^Lt#?;#e{?JryhAoIRk?NsX5UJ7Y%WafoJU}Cz758^5hldhKT1avZ&cNeh^fe zAgRiP5nzY1yG-P10qu$c)_2h#`>8dz;6JRXZwjFive%%U-NyO%1?jD!zm@KiW(p=w zqoQkm_AKb;UnL|M9+=>AQ~jZC~h2E%3A&CtuOICZUB`v z(+lpOt;IGA3mkJmUTqFmsItk}SjwXl4TrfF&b-abOxg^8akq22k0hg;2j<~;hlhcV zX6`Xeg*{5FM7MoUbm5F%%vsR*^YT9b6RTG*ITR=`@YGIl2yZU7ZsY+Ee6-G6QEoS; z8xy)cEnJbSJNNQ#Nm;FXr(R}KjENgU>4*LVJY=UAT|&|*C%8MUAl7qe0|^8sT_LQ= zH@|oUmsEK)x6Cqk|(w{vz3L8R0-xL1D)L}p90a00i)9JS8SNv-gFKszb*QhUL2*xRV5%fSJ=UyEh|%!S3DR9vU; zcDY*+KPCnS9F+SO&4guAxPLe2Zu8hV-#cA!sPrPeK(Bsr9*>nKA5_Z{D$TiX5qG06 zW3L${omSLi#Kr{te|K{RY&Y0(sXjYxlVdUA(y`pxCpmg8+IPjin?_m(DlZh4Mm;4; z%H>%Ol;gzG6XgOguK)ZZo^3!OxBN#zF;X06px3Mo3}|*MR1aJ9J8m( zG(lA9xn4ATiZy&5avCiNIQH6hqoG9EwWWl4B_QalxaZL|kKgCfToUWbpUvpZ*^j~z zq8;D>Sjj^~5WWgF9INs|X>%}$ebhorhl-3b1;iC1ADz?7Z(XWsLFt!tb)a#hN23ZA zJipnQ&99kMH0lB9i+56bV4LT26oC#IXi4oZ<(=F8e$4YB+RXMN2B0f1FT(t8XYJkI z0}vntB0bdHu6AsxwZO9P;2=_K$%m2==ub{xjDTj}m&<=7<3n7LBo??kd_Y(o&|u4& z3BNPB&%L@~-cro$oPst9tV-e{!;OYSKC-jxgM;S&Y>tMT)Ai_l8lD07CwaEir_Te~ z6oL(uF{N6t;usn4_58=-Un*j=Ka`(}TyB z*LGJOEh=`Bj*+XU5vSV6+)-!VyOa2{@cxg!oyDRyEowQM6Z8aG-OH!=gKLB=j}~bG zjPR2c_~{3`I8|_uKwS>8=vmf55JE9J$qG8a)3_g8}b zO6>#OnLB}Nr~1wMsEBS~c3#c9w}LlI?fT0m+(jk|8ondfnj-y0w!9S~+bg)=QOm`r z)-Y2M|AFlG!^8`)pQl&O+hZSd`wy<@cVL>Q(X%rCE$y490H_`yP@YGGeor_K86dnT zGiIREx||1)476+lcz5kR9y@aR5I*7Re!{sjr0QcTkj2cW0O zH+dT$oXY&ae4}Y5#zf@4t2(FrDqeMaWAR=$U`C?F@s~A;>n9Nb+Rn8Z--5j+dw`Kl zKS4P{wnEZZ?E{gM1^_#?tP_YuzjUqr^mAyK!`KL-YSJJs#LPGVe zmG9+YO%tpiK<>fVLjY_c(9Kt8L~me9AV~4+F8Cnsriq!e?fyxCTVYVeG!STOA}}ZK ztMzK{jfVNlp`xO!;t)cv$?&BK&YWw(=FSek1M(VWav|%06=~HIAx!9K;WdVlZ$TM4 z8GAmD`^5)ZR=(o*@#t9K$}L^v)BOTHY{{Ed2TxM&s8p=;8+?j&B#@`uv@PgBuZmyw z0AT018F#)dKeH7OOgr0ce=vLs2+W+2+i^~irFxmnU7>XROY6f%8Vjm-;5$*}L?s77 zE{dRUq z<0owk0l;Qj!6|J@=j7E4D|v}^C%+FMYLtGoHaS7CT2P%&gDp^j1hI7hov$dU40 z{lXQ3t6xrL)SKy1d5jHEuuvV7o;$jpG6G@wobMoD%>x6Y13J8)~zxjDQssNe^ zInl_dMHclO(jxV{IuWnK!wiYvV@4pxrokU1A-K#yC0QZLsk01)HN%BL&lVz|vTV~q z9>sx!g`yAZ(rxKVwLc|5+zVRu0I@;gvlAAD7dIC!77MgrG@hP^yv$ZTzR*D+{fFB# z(pQ$q`pW*%337+>E*6;2JE~ zu;sh+G`^921;pZ+;EFi>t-Wa(SfxHvrQ&l>&zkYlJ8s3#&IbuC>`;Ge0o|FcBrpwa zR${^_RPInu19RXDyk5cfx;n94}wBNq%Oh7v!ci79UivE1$d)>m{{=U7N{tIFdCC6K_o?&dx19kd4xM$~E#5Al24A^w$q{3z1 z&APRtbBWFpN?6X1I?%UKI$HBAl}?XEYOVk6^{M!A(CpOM(v4osd=8Ylcvy)D(!o%^6F>c}l;8b>wb%mSq7A1MIl*w+g&%$RtbFZI~ zdw`IWnEs3!y^0Z1NecWk}A9SjV0v z=ErcOFlQ@u6cf!bpTvAa$ZlnOl%*0GC#BI$TJKI9MckoLKe%o4gHoRBl0e60U zUEkYt^p30&eVEjqTp)DT7YZ(xYLP#znZ%xD9KQ;FiEeC15l*RIc%fqM9;Jv#_ag%H z@x42~u#1iXy)HMJd4>G@GaU5&bG_Kp{pxGz_^rsI&~S~;t)M3YwLwB$LQQD-8^wn3 zTUm&vN5@{X@T*;l$F$?W>m5uX(p+|mkee-Q#oW()G}+6?0@#KvtmDOGl=f9nUJb{} z6{jEQ9<4q(YbO$nX_=Q79kDKAgx{c>=FdAT|Z%)@PxfwSnI@NPcgS1ZC#QcPt_mLZ3 zII)bLJ)5Rte=83v6L3X<{PP)p!vR-}h9SR5&;YwQ#9$gTnIXJKWn^=AL>Ou zZvu6kaW$0v!|dTkCpxU<<^WV%89K6uIzvbekDi)%iU-%fBA&AW8_P+o4WY)xnb1fF zY~vAFv}Yy$!xpq^PBM(li!N3-wGmRo9VI5p1aiKA#YEFm=zRFLl2S-!>1lz}%}150 zVu|#2YDyT~#9bmQgI%Cx;0q9`LF`Z>L|ZsVto)N|C5TZA^GxQ{R@+c}M@9J?Rm$~& zC$f@jr8#8|+I2Gd}o%ejn+s)1eZQsaq=Tyao{t!quM|w7f z^HJ2t^^vf172SH~2>abfi=bEMw>9Mfopa*+-W$JKrq{n`%3;_27`MZen6+t|@K7(* zj$qy0$K~WrBj1(eg1lQzJStwzL!{kNV9#$PiUaoGdp?A0#@b{z`zqqV!>2@`&7Ez5 z0S^2S!`*wYK|4HU=lr~-kwI|$vF`KdxKy&lvPNyDeC(=@iygXM6}Nigd|b`1LlDcb-jkA#f8G&wTX)-zHSTQ*?nc&5QtD zzMNt2r70>se8J1y9;2Z57Cy0JBh^zu3vH+u9~wgL{}mc93kjmSX~59V-;EaJNMi<< zC4L+vZHYczdLgO&1@slzwcwsD5>BjEv0hd^>4hW2q5gf#RUi&l(&W`U1EqSRWdfu2 z1saHrcL3c!g_Ft>!RuV!vko5yK|wh`+DhzaX}SzmjucLby#@nZb0dUTd718H1t8SB zYHF39=`}%MpPERK@MCF;-LtK$Pz|Q~w=`$L7c-aHb3|o%D6=Uz&QG=AuXO;UC_6Fz%CMDgk&J~r>t?V-6N`P-z|i}Jt^p%dODuoQgasaU*sAnV|^nwGAW zlQluVl-#GYx{N7NJf~m6C0)#HC{R68W_(v3w>vtn846 zJMJyFt8z6G4@ejU;$qItspQf76}B_c|3lY%#QTyV?e%-08^ z6_hwE`vsx5=A5{)v8H{8o;~LKp&4#v_8J3SbiVDjX#j>E{Ib|5)4|ACk(5K^_e$mi z^Rw1xb8C)8I991z*xCynmUA!PrlUlHpGZE4>DOGeVH#Jy*QO*S;lXsLVA)XtNKNFlwCiA`>X zG%au|*2G{aaUrny0X*96>L?FVp)kZXzC6J^Zpy2uW=-30pQ!DI3r%G@7;1HU*SU-P zZi6|4>Ao1ed2ph<9UC@F(Jyp4uW)}TIJaERFQ%W0eP|y76s4px}y^31`DfxJd^d%4W|Y)4GoE zE^gWHGu;k4*0Sa+g^if_xZ#6e=7b-)aOCQx?qMD#KWh}@ zzUH9}yS4wTrTc|iTj)3Zxxlgn)$Qkx)O7PJ@w~*k!u5`}S)jj2H{emv6jPpsFa=R? zd_2d{Jbp8>KeE!~w26VUtIqj4e$4WJweS3*jWXIP@Ryj66*f17J4` zChjd!MnEGzaK~*4lPhdut=z_JhBMcmmQFq`*Lr2DH-rO5eP0s%s>f}f_u(IvnqOPF zv2Q|KzlvY+U!q7r=5P}Z%U3&mF?NQh6{0~7@#WJD7LKoiJJrM>N0BgcvTr1IMGjW2WU+Lj}mz}UmhhgCpEk*acA;@vMp+B7M>K*5N{LOR3==z{OK(5d=R@ zk@M3Pp=pmy_MM4j{AW48?b=dev|9xt@omJ^E=&F_R%_)Pi1yTi>}ka{VS6q3!_!5X%_PF zV&|CJe?i2aWv}t2-`hDyrV!bwjW#Z8tzu4RS%5ox@Zi*|ZeIf={7?euOt?QYs>gRo}+_N;%?>mcyQLlnFb;F@+D#(XyvR z24r(IT;w)OaVb2~a5`N(j6A6G%_jJqMrum2p8WJ3ShH|t91^&+^|UXRbzE5IIjsPC zGdMXOC<+c3MC2oV=GC|Us(uCF2IQYFT(-~o8kwY6FipQE7A9J);hAjr(Y_Eyd$vgMQ$k zMbmO)0?f6G(womWjN=Lb-+@a|Y@ALuLNb1OEn|gEIB1(G#M4Uhe(+K9L-a*wuXRs? z@5*W}9GMGBl6ShWTgsm)QcK)w3icjt3q(&I)AepV9@vWZBA6@9Y1=^zU52GGYoWZ}V1Js_ai)Vfc~6ut z%%V`G{19LlZwck-*q34}l~}AX0UE5@cSH{Z9=aVq{(*-8?*RBXq%5?FR!~Q#$`TNA z3?J!u%jdo-<$})cz3lfLlEs&GO*#+lMR67D=Um3@fqPjQFHQ8?0v0ww7&DpcI>=?d zDrJs}_giCmdlT~lRu2;6E-(wa;;TwyHu2oQcaP6Z-2WcxXXkb4YIj>n%OgR(jd>C4$1<#^2;|1CDazPlkjGYNIR{o9kszHeu6 zpT-pM9A6Zo@;0_9;Tof5YcKN%g)k@?0!UbOmmxXEq-t$NsW}AZa_-WY&I(-ISX$O+ znIJQGuZZdt)S6^yAC%z$@rL4z$``ve?g=WO+3G!fWS8U0O@u<{*;a(FE{+jZ`*M0$ z)5})3$5j(d@Ma~9Z|DYw{v&Xc3Sp1;Rh~v-@p)_IjZ3-+lmbu_u)pSmPNGDmt#h^n z2J2;ejwQ&de|RPDF>eQ#!`4*#{#)Y*x@lUvURDnMm(M`8GPT=>>okhzkL37S9|+MH zutR|`M5~yV4Ntbzm`yao{JIBtFf#I)_sc*E!9Sk=+xXP|agP6%1B;#?#d-G^1Gj)4 zuKxT#ZGF|7Z`>ig@`scHyUtO=u`ME0W^jIQL ze{3#&I97C}e|_`4&L7k6w5(|8EyOj7(`r*fUx)z_i|N!49^Y2tewWUv5cYTSmMRZq z)n4=$kVW(C$KA0qukjkquE|FNXC_J%esqc& z$^JX5I9`H+Q(XdE_FmN#igIzjnhV;PHwgD`p)rtOtV_m(ijjHab;SSLU62f$_A1$` ztRShTuOmGNIZWPV*2(#t9si18#ANC~MRKYJBh8dan8nSsG*Xjw-mk&4zX`s&B31pJ z&4s@>Z}cvUuUA6lL;=Trzs(S0Ci}taTbO`IMd$aH-nA#r4;N< zAW0T{g<8ojeOZQ;b816vQQ1bff#)i`!wEk^=1X#S;NLoGF00UjwbbIQXzg9C*J=R^5^DS=`01bc`>oq^v}{cEA6(*?x=(9m$WmnTToaxe zII^Us&QZ{^B_v$<@N5)$rP8TLGHrjrLriO!geQ^+%R!-k$J4?8(xxy*c>@Gj*zHiX0}}U zuv|?!UY!#&#T?QZ?_s(a&qvABXs;Y={4VYshCKSGy7^HvAt6kX?t6X0b1}63&6m$^ zGtsQ7n!n>g(`>SDa#5qzne=ZL6w$q?=8F2p6+uV$f>G;Z7%LaOAYax#d2rT4BA~i? z3fZhRxzaLxG(6A}G=vPOo&sbLb*G`6t$3Jz@G%Bbi0Y<~T&4GA-*o7@I_R{;z2L^W z(CbFccZkG*UR+AEs3WdOP5aN&=8(-XhXhVxu4mOiJ&M((%Z8r(b&i}vVEuJ;Q>vZL^A$5XW|N&a6d%R1O2 z9!}&|Ir6^}q&I<{AL3otN@N;8RX@z2JcB`@Pw-Hc?Br)j_gV8PT?xDsR~WjSiMd>@ zWh(-_y3*8pn6Cijpt-1Bj+)))kX0)(e_*fi+JTV@(Kx)l=r*|HGo+|Ip^T4V#<*X4 zOH$aFeY#)pI}RXq_SK}T?u2NOJ2V5f1ioDz?M`it(|%?iAhzt&i?GtcpKl{;-ejLp z+_W8B!9^s((XxHRr;|gjyKdw|X*Q80hV$v;;SoX|?=Jg9L@Ue06Bt`Z5$HpvRgdzL z{Gvx_V9j~4Tl@ZbXf+V3$fAa_S<197cWYgmOv!f<9}=SG0F1D~lT-LaqEweC`c;6nx^h?j8;0&LXbo`%iJ5x<^{LCV<5+_ z_g1xAm91)U{GnADi?BQUhq-IS{NcmnX2a#to(n}8QOmpeM!@Z?jDek_l15(&yQSJG z|DWtu%gqIRW30eJYy_}d%DZ3e_5#Dxtq>cU^@v2;^E*yGw_^wnA}+>1t6WLP(lhsZ z734UU4h-4fuRKft9c|z|ZWm-7(Fx=r>O)9kolM=?w91DDklDBs8mv@}0GyI}-$<9^OIID~QTTk>O ztL><|Lwn-$ydvD2GLB;&LsdDcVtzSExPTgV)jU8yXqTRImCxAe^ij}iUT{$)JHX@S zflEZAov7+-7u2VdsG#7NNY=U&^T{=K z$$PR`2I7z_Q12oTyI9lRrHX0I+D-OyCN2l~WW&x$qsXb+(#G|aGd{Y&0&vy(XNR&7 zr?+GG>vMDVpeG^dzu)DcSnuPj<~a;%ytNbGiW<8=z4O#(ic3iPXwubJU+Y%FmAZ>O z0}`XA5S+fYt~f=7SjI zh03Rw_fPBSX<805n^S*qaXx?k7b`rovfc+HiL2DCShOo+#dk4N^6v1`uv&|0eVLVFBe@H!-R)7ASwdu&jo~{`ygVOOKW9RrgM6%6! zJKn&?%du97pJs2aNI?Kw07$$QC?Ez z^Ugp|Bd&>)=TTW1UulY+${V;~HO5^vX&>;jI-jSG3QO$hp6UR z&*oaFJ>u{7>Cx%(jHS>hZatG< z&IFdblb)2DWi#0_mQSoq>)bre+@`g(p!Wsm5s|JU^L&FCw_Bt1Zi5?9{WxISgGy^= zi^g=yUjtFg@>2$_9%I6ry(~*Y$3e6OAcQ_Kw@fkUJzS)a`6OaFv*(N>KpAH0y_`{! zQk0o99Mgv8ptkaWO|07Y4MT4W3|$dyksArXZ#VBhfa0N|%{3=P1qFIvO|G3>5s%w1d7H}jINkY#sr5l6x}5jV zIMj=zy?g$J=Xw=7PCzLc)NnQ^R|2;>+J^nYBvVRKZjY(v4R$8VwDauQ@s`N&+lN#L z0Hk}@4{+=^c356$A#I@?5!o!3c86z*y?Nc;0poQB@`;*qUH0FFb>pT7EvGDo?X4(F zB=45EU4~F{OW_C9*8FigM}~&yOPRbo_2X;b^f|eIFTm{Q>C~J-xdFu53$(nMdui#o zS(puk`i)OE6l}PO6km@KYd7F!}YyS1p|J>?ZiypGmxS^ocFB?@J0O zwnSx|K(BV}uds^^Y zMU*bPiFE(TFYW$Av&I-!EXFxLc`tHA$+QHh>j4~p!26`(`}f5r0uO~Ejb@s}Z;>%N z2;|qoPOnb@f1K`7?P64cf4#Cm`8P6U#Gr7vwC0Tqu~B~*9tsV9SF#KBPSHc(hbYu; zRbPM@wZ%|!j}eq6QU;;)&7b^!Opbq|Bc(o+4bg(!z^COmb6f<;yJ!8zcyGH{G}X$Z zmWGwJQRIoTDR^n)5#yIapKjy~-^mX^D{TCJjrX{hJQd=Nc_ym~f4S`I&PkKcTod`e zY*s66@ z{c>G9logaJfBw}2?UbjnJ~_J_g?5e>)=oKS`we`NUH;`k%f+0-@(pD{!;*>qz9Ok4 z4)~zk)&n#gwC{;y6cQMFR9EZfee+;LMNMFhX?fh@j9E7;;>jKdYGK~@_l>vy)EvL? z-L-Yfaof%&5U*8F^wasFux7XAZaAmqDRQ(P1Ut@yS+T&=07)CgQwWlUXG`VdoL#Nn*^b`PJlPq*r$H*@sV)v>7h3W5&Jv zFvr(VM<%qi+O}VS)VGY`l(Oe3A`yv#p7dtK{B=y!utDyJ4h5Gv*c-28v(fqDS~WzF z=hdG+;^E=lwn=@Hj6^t4o#1WNvbGi>a%l5jn94PD?5-|+U#8*uV3;zUq({<6pEqFF zroL~5w(%0d@``{{R6~0e*8<>ply);47XKa%-Q`glLOZVy67aTV^QHU?$b+Q{&#uNh z21lRg6{JMQ2I%u`x?_joBj}l@;hbN`W0SQL$CaS=0#u+C5ugS*=*9fstaAbgEavYB z7BkmrQ#fvC!3gK^_m)k$A)Hfnn*+bQTOWd4ICFwo;EB5|@VKB_Sufp?=1#4MWdX_j ztRZs|kw4*3ewh?A^)?0Bawx}r_)km!l_-bLR1(UGr4A-oju-%0^2FE*YQAmQoO|bg zb*$k8ACEN~y-StsW#ZybDY%es`Nac_8+k|2?M7Mt+;B_Xt%Gw8I7==I{GR)+$i#e| zx>{Q^A>s~NyI+c|C@)+N3g#=GK&L zgj}*`*iB?qx|c=3_ZYabo?e~@H0oX4bpQoZQl$UirR=qp8YP&B#NZk~d3NC2)yX@= zgwkaaqyye$q;`$K%vWIBpqb-@3gZXo89D+f)|CWK4>hN?Q2_zzL7Qnl z7XLB*AkrA~d7tH0rOt4+VnL3aJo(4xpduFkSC$&%{t?SXmXukllz6Y^&mHV{q@OcO z#?jF^8~aOti(P;>RM7^m#9K)pZpVJKZ2aS48)@}3eeIM$_gdp{L!J9>$fWU!2q)>L z`_H?TJY7YM#1bX%%>(XK*)hay)>azsl|XwjE+fq!_X~>QV1o0_c8HCLc(71+&r^dbWA$eUkgds!H&VBl*4>A1AS{O3Ii}Ey`c0r1nkd!mO zp6@5+@RlF;w7Q*1D#^eCZ!@3V~63*LD@sphXz_A*om?m6ZgZt~M#N?g*1=AG9B-jD4? z;?DM=2@G)S8xCnkNwkI(EE@`7Xm+j6t3a5rau+uS-j zINt|zYHEj_1u|-mZ>Ow&KJu^qD=(H@5AE}UxZ7ok+tW)Ds^@QmRnGtXz5wobwZc0o zbTQa9r{>ro1#&OiR4pe-G2(&|(JGw=amRL|)z@iP`H;ZlBl$sJy=%_;dIV2)dz7;<;Y3XCiJ}I;Y&h^meo7Vz#5K=-!f9w$cz` zv%y&+%Qf}8C95E%qqEJFo4lAlVNn=R0ozlYOAkL`_a)FfEOlsA=X^AgZZGm>S`}?R z%p^ts0+rW$%P%F6wbSmdQ%-onLH+ETC(ZjAAzw}T|CQ>{)x)Ut)(WCMM&{&ifuxke z{(I`Ne63^&{X5s=6b>zj+H-HO$>hC{{pZse=U$_jCBDSsP%vm7fNQu<=S1R3bBclM zW}sJSTH=mJb+ZPGDF;rKY0?^Z_nM&`Bj5>eg)|x?;C`5!`yhCB`K&Y-AdE^c#|QnH zLP$Luh|2c3M1`1}_&FtG@<<`;BmNhm$l+oi07FQwys95AuYSo|p@tYOv9H(V3TZ=| z2`qSdQO}`Z>}kM@-UHd3VpnRTx)*TWS839!--s7^|ppF`3A zGK;;~Z)7&(620NuTRf$t07Z0HYPO?b$XquiSIGw{YY z-*s~Q(pj`a5eVTzygmHe=Y9f6-&yctKnax@oi%l*rXxGx4QV~;0x$vg&GK4x$aQ9@ z%KJ}mlxNZZ8a4-f!LIspskS{8qW2!?eDi6$gE8mc&A~{Od#k)T$197p+Xo4^!*4*3 ztC(dTayTxTY^7v9pi|oVELAx7qEHltDgkq)&!fxZVOpr?aBPR%iw zTG0{$h%E{47d5>M44y}>&=@robS8J?wx7W$P_=+}O* z+&vt1r{s1ebNC~x;H~6)Y5;wRSf=CH+8dF?*p?3QKG7@<>lKsnGatm60t0G7px{h& zTbhsIl;_xRA;w#=pm;^z1elWi)wW^gJSgB)<+Vv)W`7WmWz&SZ(HKM8&etyBy{vJL z2ID5*;cHdF$7im#x480C>Ry<6P)2eKy8=G(x_grb;x;SF7#wt(2T!v-yZjtFdM1kN zM5JeB%QyrqkSu&Cv0P@hSP_=S76wTvXNI$1aJoGT&Hx62Fe zR9@*QeIW7kkymEr(3a~0*KhA9ExDUFj|8Yvtzgzdjg1+zfU^4ptyqu88%@rkjfqTzs zRPS1NCVKWzLDC!w^U4X9_JdMrW;cTeCPnTALhZew^YWzpn%7`h(+1Bq`yaDDaR5nJ zI=q8|?dg89J@`B*tu;UCWKwiwYGv`4@}kZX!@H;QyH^hf7k0{v4_u{A0cL{5%I5$=FSz`nC2PDF!HPFHv5reM%$CrIGAU|0ZzX2J z-;b}mH^W!PC%P#aO-r2MoVojk+}WuD3pXuXK^>HnCHF!iennz99#1TZ6fPQ;-TW!k z%fN=L ze7NLzh0Je~dMM?fL_6b2KzKwef zDIvE;D+XWx0!m+`X}RX&D@7J5r=Ghg(OJjL_kCj&kj{@xW)oL&Kj%o90K!?NO;p1Q ze(B(~(>SXQGK%G4l=^mrV9Vg}C56`XPG2ivKH)Ge>kf1BnD_N@pLR*^JTz+7i;0bn zzea^XA~Zb$GBSXa8?I1W6P=hliEa~Irh8K_Dt3D8bIS)f8eSnhJ1YlK0vq@-8G%*I zTKdHk(v{Dsl};0Ze2cvR1rfCCIY}v{6(F!6SP0-n!hAa`-l`shfR?sxW8JkAN@*by zXC$E@Dc5UM@xuiIOEjCb7sPj&l0}EGncK?MZdgKn@7*lt>?@C}j|afcGXJ4Ff4upQ zmKqy?{JwbZsF(tIXF^c<5JsqMXn6i1wd0MD^MW3m*Z*U;x2&T`da-uf^(YD{z;6d?p8z(xZY@xQ{Xyosv_arZc+qC0-!0A~pa6Z=SsBjEf8OZ~)J%qE46UFlX}?{^tS?=h3P zs<#EdbbCFSlZWVIJ@`Yz+eAko!lVw}75%3HiK#qpfaAJZt(DB$z2M{;Ibg}00Q zaDOH(5#n?5iVbx-f#~GNgBZ_1HYhxLN|54{l)zzR$g-*1&{dEA;rF?<2HjS(Ynuqo?i+lIFge_1$eFyaS1+~?dz z%Z%Ln%HrozMN#X0@0a84?ppCj1h5naBhLyVIrU32 zqJVn(kOfjSLYLz6gVOa@*oz27UsZ7lO~CDUUu2b^Pu*}ZNH|Iu;#nZ`26Owaf`Su0 z_9|x6(9#ypxrqMHudehS^(+tfz;Bcx*S0plx$fNw>%3gOFEOkH6Q!?ufLI4A1j_AJ z%#NEWS1X&BbW2&lgYfOTYRgxbFSS-`nmfggEeTB!54CKSm*i44(X3QzN{oO*)25~Fi7o+=`K0`so^~?tM9uLzEoX;} z)KP(5s+st*p-x*#y}($`l&KiiKIa9=qy-h6f$=cl@jb|RavEEY<~$FCe3FcLa9-wG z2y(6f=1!a`rQbo|N_(bQsrEOLhX$Zx2l(IhCo>Ak7EbiJ_wzHA-(IFd)LK#03CHPj z(SO^-4`3%>Z?J1mb((?LVK+k7<)v`?AU3?IC!bLLX-890CC zxgePbXmF;No!@0t2mUN4k#RqyK!VN}N}LJZ%!JH+wOEv#+N~#Bo4ZWe9oBB3Q0oW^ z1AeAiSG&I7Go{sbc7&SKNju-FB?O49V)`3~nEe*8cnom@nYms|+3d&*&6|A|8k8x@ zo!lXSEio{YH_jD_*Z=erH#aFrWVHp_sC9Mt?@Q$NA05^-;=A>A^TG6)|L9(xh||pj!u3nSmh-0@)i#*>%J&luvsq2FppLP9XK-GaUyIm@BJwbJ z@vAyg!09ZT6)q6G+&pY=uxHHHb++!*zlMLx_a_;_nmTU+oBsxtcieCv`(s8~(z}jt z-O(wCe2Qa~lBM@(lmpRDc)#}T-{RtopkO2RXf4Xf(C23OfBBF+q2|0q!;1KJhbmt9 z9r1I8ulm3uQzz(yghOoQxE1lTl{)9z1D)$~TyK~{zwsJ_`8`W3e`DHVwVqE0J(eQ$ zMW>2NG%LUN5f4-}t;V|3zzMHMIpxRfUj=P(Pa4I8H_V)398UBfOG$|x^~DE9b(-Kd z;V#_z_H=%uw_~4*$?(1``fMdei7S9xIjXc54qoDGzxG|8Ak4we=oC^wcxiNoj@BwA zt#)UcYU~OZHWtpkF9yYINod|i)E)|@o$}CD(kT`9ntLop09};=Gk(8deL&N)ZBsK~ zN2ho+eSxlr2K#1;3o11)S^mkJAQ}BIwRiDa2SG*HD>{RTo<)pHuNov=0KxzzQlxas zf^DNjtGAt@?hN0r0dffDIMff&%VUEYIRWqu} z{i=PK-0VFG;P~>XhHa?Vgf=+OXl#y_Zy-s;ICJo;C&f{F!&Uoh7 zX Z+D*n=MdkKuR|zh^u4LRg)4U7*=E@`!Uz&SeraH6w(=&BF;EfeYWi8ko@@PAM zB33voUU_SQR4W3jV>&n>doYpq8u8~sBX`*ar1mPe88QO#&CTbdD_6~TUH||_Joe}I zNE$`)i6nP!236y)&z>k9&YVdR6&iB!ze;_}?A3?H>3o&XRuO1qEDg`W;x_h-a_8i4 zRR5%e-TpF_>s#dL5$o7VnU_8DL09m-39oJ~ADd+%bKqr*H_!GZMLiLny*}5DH&eSn z@6tm)`fSh70pkJPs9Irax6t^US`%}wWZge5O)lAvQ@&n>n!@6^;vzzcFk~G%}D08|C31W(?MW7^ z3Qhmul`ydVX6G7couehtycBvgKQlm4Z_i|pf25&%WcXJR{oMV>QBKd{wub^iE_J~d zo&$URPX`SsV>c3W7ui-*GOb@s?wk6#PPAS)p}O97PPhRO;U}Zxm3#{-NuNJz&Zb#q z^>EJ;X*wlN*s?)zK6?Pn&rYm3JPz|D&9dc?=sq5zYB1cDe5aC(tHh(#Wm>u>%3fmnYNQWJz znBY7~4eAu1u@w;W4xUE%j=4BopWr7OFzZ{c^+8TTIevYyB1SF?^w|ZyuM%e2ZpB`| zj{Y6X^v`1tPU`UUrHJE|3IWQM;|(H3m}}qGmGhtB#nf#F7HRbf-Y~?d`#`eK3G)G& z8%``Rh|Q5F$-6tB*epX{okW5zq;fpY8f*7N%9W8zaI_!(H{FJ#=^n79);I3>SEaoxTCi*1N)v zm-~mD48FMj!&Uy_`75o$Wl6qrr@vm^yO=}OD^igoOJju3L$lCR9sd(z8am6>2sjn0 zR=0Fj6)o>n#xXG+{GEPE-Hnz#_&J!>}sugPwJY&G`osw4bSfD-`sO+=BBJ1Ihq z*TkoUgb@iRu_Z=wQzc(h>3o^c|K1AjG}$u!5tYZ+I8IV7CykL&_&=eoiIK5JHoC#2 z>g}V*kd3;j!y}c~rzmtbg06K@roI3U^K0!rtAk`8c16CkfVx$CC+@!(y7P;c!#j}w zQlL^f`}x{jAft?BLu$H{MxyIZqt0pj8Z5`0g~yM72c>JS0)w`?=w3+-V6PcNJsM&L4Z z)N^xVxAB03mrZ~khJ^KF+${7vWsB_u_{=<2QF4kOD4i=o#A`zdm>{>U*`v)tS*=?k z3-w)&!tk=z3Nz-VwSld=lxMYMX^SqeUwUp%n-mr3kmG_3JI_RH1TC(<8N&c_*sCt-c`j|Npb-G%XNmg{+KYMN5GEPymJJTRJ zpqdpY*ziXKS^cD8GA&1-EcEVCrj_rIphMBav`4dV(>+$PK1)rIFhePp2t2oVH6H8) zyXL%EfJErK6lW+?t}ueUXFsE{0Sp6EKq6Ln6T99GXBz^GKq#TZCG>I*?_Yr{qmJV- zzw4&njp&*#6?ZJ3fJK8u>AaGJUHt%**7cr97JGf1;qTU2U&l#QXsOTX*l$CMQ`5in zNw^ikz})!-1?ktXIvIZiDl~{&>v95FN{O(liLRvgFR@~{-b!hZ`L^PVVA`FEf$ObNMeO!0RPjyFhV|BCm;g*$tVQ;* z6^0Pcj0KRig}d;wZcBUKZo2`yy@_Q(A`u_E*U=zE%j+*FeB*fPzJ1+wYfdO*J%1T8 z?T$=v`=}>wHxI)s7Ng^el6fdHjnWL}EUQ2KM7-TH&3q6M`WlxUK|EvLU&lX@?*X-h z9oW+@CSpw3EY z_>RT!843xp!3DBoApdR@W2yRKvONf}8ELeCd0Cl9w;yrjUm}{$FzfJ4NvmRDjG|hJ zr{Y&q+~gObOCC4e*YkTxOyUJ>L#84x`t>e?NDEM5*d5na3+|01`_5JW?y>6rd=O1W z!`D2~AVFA+5B8?;D-brBTq;{|oG4p%tWeoKTobZT(oh#C0KsVo#s;;3+Aye~x(KM) zj>Xab=ej*i@PD`NyP90V!7cV`H==2&Ih1KWD@Yck=Y<|{v3YQixENBTJxNS@*vW)1 zzK-jqem&e!#|0gZv68Zzg%83xrPW$D2$!jdw^=ZcC%>Zfjmi-Ilbc!rhS$$mk~#fx zz?j40R#N+`JERndwkP|oTi&lG@5S;uR@^lmyGhs5b9l$JLzu-|+9WG2{qVB&AaC1O zL!uq881c_?|08y(bm278^AsCX8_k178EXH~N5FuWLw&9pg%gH~UO1k96Jm-m*c}=( z$|DYb zHJ66rx%N28DsZ{Lb3ux>K5D@(0Ftfr^mXj}UBhZt_uQIA(YcC5yQ#Qi8XRy-^|B`A7ucyTE8tzkDx6|wT(;ud%D8>cWY2Wc)1Ho zc;m0oWA{Me`iRqauC$;BwqP)1Kp~7tDoRVUIuu5Tm*SDJ;bZ)0o z8uZkeoezcl5?m%JmEmIy(o6FGK$UUbV3EL;Au>0F_cZb4^kmBAUktp9#Zg7(loYS$ z*VLxPwP+w>VX2=i#C5_-jBef>O*bq)WWO$~6Zy}CR;%1w_tq# zj%LdKQ;qIkRG{lPrM(t1o@6Ja-dfS1S)ziBT0L=X^veELpDQ9yYuNKI8o1YPalXKP`t3{=9ka5!&5 zXj(j4rTE;IxZ!-kPn3Exuen(VY~PnZ&7d6-W0>uS->x%u1h*jO;+zs#7{%8=N%0}a z6-WfLZ8B+V<4%nx%+naGaA906U=1a`bl3c^cRF2xX~D;cV!_T)ne_%6G0Ej}3#If- z2xa>7AZ~#Xi_#~mh2l*R3BWv<4rQB)0*PI%{99lAJyOwViZRoYMe1; z0I|i)qDIQ3Nc9L_4RW!Pv~{JvD$YnpE+RQDTb}wE@`ue3bdlp0By6JlUBzff5-Gxunuq6ky`q`>L0UYg#;@2|fK2M3rgZH;|r+s!p%W> zNJ;^h*~sS`Tz_KUNf~*-M{t=a6LXhDDuJbX6m(W_^d&cWoVDR?xHioFWMtq+Zhl%!%$4p#de2@SgIV2h)d!Y6Qg3ZN8*=CuQJVPf&p?@{`sT!Yppk9tr%Mt~bv>6cb=~#c2sxv1NOiRn zQtLobLMl>f0tOao3%n-G^PF5KXW2qDXf&X*B6@4h9y)32AK5;n?e#1FUUSZv3LuWl z24OQ5=IPJ|@t$+s!ub!E<=^zY%l^<6`I>q8>a@+Wr$#wX-9R(l=&ge_OTM?mLzKr) zoXYj2MXCJ1BGyBO)V?Kt?8ez;M|>B4rw$CY>2MY1ig~gn!$LY}<}3L1P{=uog{T_% zkhlPH!6qK$UGc-dxdGL}b=nyywnlN&qO)Ut)f5HCM<1OTi8}sN3N9|ASof6t5DD3>;aGk8S)1!}`B0yvj+l68_*! z;Z#}Vy+cYCUSp&%tElC*H@+{AqD+Q|_)&%Yi(2|0ENUJZH+Ro#g?_5(ckl)ai%1SpW z;dWg0{FMDm$KlOTc9&^-C2zX)k1_#}B!6X8oZ@24F$Jv1H=_771ih)&n;w%C$i6u2 znlGeh7AP!3HTX?C)w9psakc+{Lo;oZUvSFwj&EU?V}y61$Grf3~>=KD7udh-eyyCe zSdebXM>&43;3eGI|q=a9dV@j&e1lJqF6#jZ5TVJX| zYuGivmJ)L!cOdB0E6UzVV49cVpalMLYxIMo+LWz)ALU?YBrqNH%ts2BsIBaCKKbmG z&+Ea=7n3Ep@XM%kKJpd}m7xL=@}68M+5A(+AZp}y-Vq^y(VyT{2n{wCTDwebr9|G# z6D;z9QQVynIhoRCetE!<je(W z8VX8yDtz~e2J=Hi<;RwHKK=Evn4@^tU+DWUL^7h2#o}~8jL{b{%&z1+sk=GjF(n#4 zXG^z=6!34%*BoeqgZ3?mQF93AR$tbNj%?(YKr3JFyV1jl%Uc9e6K^ZzY|Pbl|B2dq zj+X&z#Q>UpXqo1}_N*t=&Z=B4yboA&d6z>zhPU0grCbC)ioS-8IMz|vTy$rGB&CG@{e}n803>h`z9s8<1V{d4%`AbIIeF+`V~=<2mc+M#hBsiQ z#LgP|iQJK!7UM5tPK(NPbeqFya=0apU5sO^RKld%%{`=r4l|xjn6nB0;wq1cw7ctm z%VgYyW6Zv+aqH5LC0~_v8(v1nPx0fEMUZm>bJiAfe>N?r#wxe*kIZ7w16<^rat>?r zpi2qiveusY*J)Z*_!ll;^=Jftz;|vAY3@fE9u(#iKaI8-)f{+VF7n9S>p4*M^WK9&S^ zuWb>YKTPu@D0cXQ-b%BVPMYdBAJR1^tSq^lxz%gWJpkdHjz3huTIK%f!i!&|tIMAw z;i^5Es`3`zroTR*aS&Nqq~;BqjK*B*YxLc;!^$BmIMXsNk0XLZh3IHr9`Oq z^n;P#^7w-{UcnTTC{aoeiVLPUj6mL7kHmr%SITmPMRnz9vBiksF=eGmQ(+eQ{GEay z4&AWZTR#&*;qTR)D5%)~vKYTuW}y{dnT0FMQ8BYs60U+ZJpcJ*iOV?RVolM+#vK0E zVBk3X-Yxng>-~mrU#n?Jux^RmND+na=}5sA$FpC!D-(*8{C75bLUSu2ikCiRd)UOJ zHr@+?Ybd1*p|;y4NwJF#)1zNT%QV62YIcuL&XQSKJiGO(wmsb>C_=cvjX2+c!jyMd4 zI1K@^j)4D{N99RHBP$oPt-$@ntcig-VXwh|oRVMz9rP7bZI5;p5urQ_fiX8XN{11V z$^23Q(|%4C`y3Zor?x6eHsKprCzrbaPHi5brdhHV2dgNEb6Bce1JRB2fP6ZWg@}5S z#1IBsdV)Hg2l2N;yC#_5x?gd_OeX@PN|AW1*url>NVd@qQk?SGf}eRxV~lwOgQtVu zW1aCZyVj~|KzjAbW27-d-m*1cQ> zPcsHvTP7Ns{IQD9v)j{HSkrXTqD9-b)3T@1Q9UqAr<)@#1yst;q)!Wf zk1MOez> zh;jgruu)S(^K!N-PJV^S$!}3YaTGk2bu>DzmNz*u&wZ7b6DdR z9piY1gpdF)ww-$3;MJv^r4&$IRq*|pHMvd&Av*@=xUTdPH^&!nxo1~zJFD^f0|@=` zl(5FJawCXRF=UMgVy5XtbnFNZm*Ra6NL(9wI1a;!;89hivuE$<RIfHm8;4N-PyBoBG+sJn>H&Gu8de`4DB)RXik%n}xpZYhCz9 z_FokhI$eAsgy~)U>gtP-MLFE)KrZtG&1lu)C>tVg%U0qtQX<`9uBiUFTG+A$$BHB~ z+El&&w&&&7>2doH0qYa70AG=5y&KZzVS5?7jprLtC0#zlu?6I;8d05n+Xg{c`i3W> z7LyK_>Iypl3UirNGM+LkUZPPra7l_*Q>z$}A=J|#UBAS6j$ZijD0idG6;e%@;ET@v zzDa)0u1C!`0*Sb{k#!hu>;-$5p!CBm=H=GANI<~XD|A(ni))SUHF(022%FA$!ksewTkkv7+9gB>v;5KFGiO(xk`|>hY z#*;n(?Dq)6?*rwWyzP4!yN>#+d!zRuS#l8INTX;IHHCWTsB&?^V!~Y+4qlC?u&FbB z%2R@dA!aTgEL7%JA7=(Ls3{NGQrtrYuDw8_&GpslXf;<6R^&ZafoS7+mD*O$SzyL% zExNN4rJC98<3+R<-s7!so?DF}Y+lP#otN{e>{`9Rqul~ALefNabFEa+qiFIuJc|t;k(N1 zwJ8=$yi|~2xk;Dr(DHLDr{CqnQPT|-=@~9n7N1APg#JIlcvcR0F~@(%BDLJwLae|0 zgzR=h)J5Rlivfssw~GoNr_awYs5|TK67TkO$!*=oaw%F82j_e5g$5+5EmwRxx%s1z z>a(nFz-*9mZ^Ap$wfjui`lSInYlk3(hbc<^Se#?>^9z;Z>NW?l<14N9RR+Bg{ zEJmsBtqe(O-R+Z^M{p9iT>A{rLJ=7Ceb$?Ue_W9jx+waxo04Z2wLFD$=^udFv; zvoNI0Am#HP{6J3IS$dl5dx0;aG|Rpgv>PIANpEepgEsgomioC(^(^L13q5>b2Ee7W zx9!2f)9M;l&u@3Qx&%FTd`5|V)B4Xu^4}+C|8k}_A^YQGpsQAw;P}&!MRwdN{^`+} zNY!IESVSLbT}+&sPp0Eg(PErBrf5&`?6lCWqOKvd+L%9SFupq=Gc0gf+T8$9G0erA zlS7E#?Sys6vpMTS)_R-<^wXJ~CFGSC@m{sH1r^@dLO#T?pYyuVJ}Zu$ zV&$0|ExR!zRW9ZGz?}U)d}ySkb^QY&U%<4dIintv(pV#VKyS?8)aiV+wW8x}`qeIc z?wTlN*)BXlUQ=hONNZQNb3GNlOZ{|`vyV08NQHG?80t51s`BH4e!5XIwok`F@BdJMD5V1|eY=Y=hie{^Fg5&b#>ENpUz5 z5ieU^BTSOg*LDyS*=>#eShf#@(0uK&eU!j@hMRl1;+sOlrUxl_wpUCD8~^3<9K6AWKEluR z?xB|QMwsxaZBeFFgX}cyp9>;u$%B7bO1&36391kIow(-RQAWWlJr%!hGJxk?3+2ou z>?LcjsHFZue%Ih_+=1s;NR?$)QB%FyeGt4>vvIp1Z0!98s*CNn8-L-B`mY1}1EKRA z)&liX1q4IQ2hMbD4iV)%C3kN5g;yo|uQdb=tfiOR%7*-E;(}66(iJRkwdY0kQ~~&RV37i8|rHLq_TXyMr^O> zMm-~urFE;!V2>)%4a&hZP2<;V__|09nDsc!0uM}urb>=7{L*ZogQGS7AvWGjH48~i z6#Zxg5*0fz-Tx5rJ?)QB+PF6(~PLN-5uM=Bn~RCe4>vuH7zkjbpQVIR7yU5$;n7^(gM3ORlapz)Yk>cm-uR z$5d$(rwE|Do{3}2HCh;|ME#o@;pf>&-33#>NU+mLHcswFWqp75vyw-dWt{EW@SB zQMl*C?_HuuGhwv1W!^ZPmN;!KxB2$T-5)*WRCx^`0P5N=x611{{TF!j{$Hh03M(k` z>l3(N;8i`8kmiY3ho<0r@u|^l%co8Cq&dDSo z@08TjD#i9PwP%pS&+Wu!i1i&b8Fy{q)Mg`er4R**J>HmqYind%;GFvVa83c3#hc@5Xc{CN)GLuJIg81Fv_~I zdRkQLx!bE?1}{{1cP&$oK6$1%=$hkjj0h4(9y)K(Ux`?e)KjlfN4%vM;>l4^iJ3sf8G>%G z_Ht%0N$Ko;h=S@#uTfKmkl4g2$ctPz!N>LmZuI7iO6(diEwT8<6=hiLCg_M4F!ePT z4X}gldS-tF@D05h?wMAh9T6CWKR%x)&NN&E&q0}%LO+((<@!$3u7R8nfdy8F&gb5@ zWnZ&EQkn-_&WrA)2al=SF&oY*q6=Zm_<}DzLobAkgU$E6>KUyDF1`iTgnaFNEFjwO zoMl&YN$fenV!7{S7j|oBd#!>8?-pn(r=lMllKdJ?ZQ%@z}tp0ewV%Cribn@Y)fcJ48MC*y+Ho(HVKV8X(I z`CVE73Z-J5MoxEapWsGZ@SYadMXxB#uj7CzML%xD%+pWF< z8>WT~@UBySV8t6!l_vc0z210{t4!_#6A^z=Pyec^`Fo0cpn@}!I($3i>^N)47Cr>5 z1(We+?|kZ5CWglJ!y~}t{;a}It%9b?Kz&k76cFXqBGj5&-q_VLzp_JsLMq58RTi|AG z>&XYWZbq7v!>fj!K_?2=a6Jf|7f`9WNh-;{roUUlA7^`z$hDFVoW@djNDYqnBli49>m^DX_V!fr>7}TL%tZ#V`jQSxLadc}x2B&=zfzuHHbN|#7nx7gcZI(wpq&aBrcSO-jGiKoSO zCoKR@k=;-4HNV^&^Q{1z9d zZ)t8xs%Xwrd$E4EH!?H{q69sjP}&}_XunQG+F6l-iTX|vNqhLnATGO_V11x=vv0nb z4_i&Rtm9cJ*IO~iFBJAEPMcBldLKC8T0m2+aC&Q}fw=wXbX+#~dCR2ZEU!+6f_TuT zi;Z(^M+BCQd7_fF#nmzkx$mz!Aitb8ME7%7z&p8KxZO*+ymx838{h`8dBObEwWzeb zT!0YkYF3jJq{?)MNt)|e_qb}XgmfqTdL&E>smEVKCiml#KEZOMo`7svv0QGF6f(Fs z)MU^FT?ccNNmFpYs^!O`w)GG^HY{VzeB(Top0Nw8+a@5wcN3Cw=|0eF-&eOBF_txw z)_eyuj<qALIYdE( z2wxspf4y3-2|`C>NW<~akkpbJdQrfRWdN%23d-lNn!LZP%6}*N3Tq?)2;N!zF_S#W z+j1v*kzXyrM!G&t%XGB~CLF0N)63bZbzu~eL`*p%k*uvPI|xf;03(+{_c_9~^lcd- z9Z-a6dzwx76DUQGRHZL(-nC@6aw&!X9=fR-XN3;1vxsDe+^*TFb6#iI<2Fu=dn_+1 z^ePDba0XUC3`*eulsqK7yT*#FQ@g;hlpzH?OQJhFg=ZZ(U3?I)yzK#lt6)NR222QE z4kDO|6nnLGgnsdjm%sr8UvvEhA9N9H;?JZwC9ej!$FIh~R|5Q|V5ZJhv%XN|pWPx9F>keoVy1j#yC8RDPP!gsrBr^FzVus%}1Pn(pN6!Bj#&_0L{ z7#?tGN?g8?=8mS;mU3n)sw_K2G;?A&+Ai5nx64;!|JXrPlwp9k7MOg17^w)obF{KqE z4ECzctL8ge(slCg&nwY@qr}EX^?thd`g^UIXa&pH7v_QU@F$K{S$8N7JUT1ecgaGk zi@1vOPM&vhllHH@(7ApE21Tx=vvmdvt}(l((UwNsB7r3%!hR+p;8E26xyLrSN_%Ix zN>Ug!f_Lic6~O|^`iE&iZ4WooZc(G*&c!9eg6U3jG@HQ&y3D)Kg~V6bN> z+W%X%dt=u1Nwz9Md7N$TA*b+7$)WV!$5JzM2F=C(R-b`HVwEae^rd4=WaUQ-MZ_}f+M1AvDUFQE-6$3>;3EW%ert=>Jb@|6}ww%IJkh!cE z9-hhu5UdM6hqrpvDv}Uw#gM7bk>N1Zx;8{>nja0L83^F8iYEUY3Nc7zzV&b@;7-hQUG@qTBd$_FvbC? z4s-lus}UH4J3i0*M!-R%7USc_-aJ5HHk#Ntnogj3oygo|du91w%~h(^9Sb_bxFI%% z3HBm&j-2}FI`v`%$1Ks@dMAEv-F|oFg`kj>+G}RtS)BLF;b*t?qJ#tm>+w*N9lpOD z68$AG{5x0xGxdHu|MvOa_fjsRqMUMzxHHnp+|M7_6Qg>B$UB;hkVQk>bE1nsy<|`Y z%jLU*^X5)|tJ*8EGL@vzjyEI1xmyGqPQCf~5ryOVe!5*VvyE$Z~zc$%K&7fY}; zm|CjH-AY@OPyl+Q)v6cqP`6Y6Z3~i)A`xi(V_hj+-9_yEf&oKZ^rgqY15olFB5euQ3{KYyrx`%i)8N3j^x7$+-!Wl-k~10p7_r8H>+DIX@ynw<}1p+ z8KH-tjh4Ns9&sLMHjfAPKlAgbykk5a)NE8^05@k{^@1{kmhs)bM)|{Dj9|n}k zQ#Nl+CSQVSTN6AspRUgYX3=DK`wBmLyjYKE)exNalakZ9Zz^6_Wqqf`1V_1*S-`BK$ z4uzCb|Q0RVV4 z_DxEmLCY6!FIT#rduMBlTDC)-EgNtw*(nJXWi)Mrqw1xzfsF})R*$5q;R4}h*iNj( z-_|IW;;e&do*&b+`)mHp7`StD3VP4fA+w!^Qrc}ULSQ%bKPYUVQZKhV|Cw}Sai+@t zb|SPd%jF+4-=7T0st*e=6T4?V{(}7AJ~Nc%4>0J=*vbCKeFM31+QgzM*>@@ACW);_ z{}2H$0V3drA0l8xK+!Uu!+`&%HNaqzzGrU|jlgTQAhw8=zT`R$=pKnbKIl@Ewm%6f z6k1jxwmD@R)gCYmb`gaH!Z7rA88)&W*C&rS>O3{B1K+nD(N4f9ecZO+FyD&^GCymDt~=_ZCbY zkesPC6AJk$6;4FM7l?yagPZQDg=eDKAL6a1&ibm43wMI<>_`^Q%L-Ts85Kosl>;x@ zioFQAahRZv1`^43^D(1hdk%Ba&Ic`=DQi3pI!oE;4{&x*$Q)6%+8wCy1Lo|ra&4nU z+EUuD42#_-)joncB)TFsE;jz;^Y9OrA>PRU=qKOFuKGe=ZT938EmMGQ7A}31b}X~9 zML|@|^q-2ps8myT4Dpj)I5mfd(BL`r;Oq@4QHV`~x;hD)ju)&Z6!=ub&1d@tL{CmC zBsYyBTnj|0#w4tIgY)aX3a+*@wYcX2X+jQ968$bnB6sKjDbv$(EN~}2@Y<>1xoTVi zB|*j-8jG2fxOR(7;*V-|4Ceff*`sW;8;<<3`+D z_h0;4oBd3bDGAi^wqzR^#}kN~OWfXFOm{VeNxO2lKfsC6a2dp8?a!8`Pt`O~rQ77SG#f+LP8_C2v1IQqY{SIkkl6r0N|0 z9Gm6(t2rT(WmNM$23GPZg=*9TTRes$53Po1Z5_lPd-4tRAt z%8a1c+LCGt!c7hX#!L*CYv(G?PPl#Zy_|!0Sq*W}EpKP0BX?|S8J;eAzT>O$%D(dE z-)81y$}gKlz61*@Y1Wv(67LiAsM8kW-Low8txHP30!9oFPqS&`ls1$I>rdv~b`RV7 zcZiQRrNlA!!hJVqJ{|?`gNA!P-d=oBsYkrvV84qiF;E+wg<00zK12h<6YEQ3?rX|B zHv*GI@L%D`OHs|z|L_9%pYg;5F9cXnx;6P*ePK+2bim2~zbJ{Cy9K|XkEW&xjJT1# zAmh1kHyH-lFTo=@9&M&SEB9OJOo=@fGb0r?o0_LHGYBVmIs-PE7gvOdH3n!}<@c=X zLcaYaFp|4sb}-|7QSx!^5R!R|6IL+pO1YIUYN1tO43-`w*@SB}Kh?#Q2@$zp>2A60 z7NkBUbdYd^SgsYY^^j8}81nWiY|#EozsoMlWejJnK6ys2J`oYVNzeS+YqL9vg2P33 z62Fm80&Ia0s^yn515iAV0-+E^Oe8155fgpfCTIJ2xooPJH9g{@r2Bq+sspkGZp75@ zF|)oetA7}==uw@9wVN#C>I=l4K!0X&^1igSn>@A5B>hwM<$4^BWE}?@6wL9lg+&r*m2Ck4UH2+CNqE(zUw#VXBqS-_Q6^SPbng+YeW+L1){2_r zoEf}Q)K#D7Xt+F(sop0n@i$@3avU_+Zw679b-mZdf7FpvQ@WLc2d!3eJTEoN!V#C9a>0+;HFqkhtod!3D#9{qxICeXAJ zt|+}XefVzGEEsSR_?AV{4xLaa*pd&QC17x7L(rTb@m{>2=hpe*m-xJs#5yGFs51P%JEIo52Qt)nw|KzW zU0&!Q`^-AdI~^(W+=q+vGizU=mhJ1f^~_M}e0B;JOwo(?@iK)A?@bP80^*m))2V>^ z<>G%*zo=Krj!+KU3iUPc+{{WzT9Rwzg`Xh!RbO&7bgRDd2p{rbE%AP*c=d$O3lnQ1zAUoyx?p;FqFNDt67i4h)%*n0ze~XF*bu3Nl$Sw9N zMCuYtv~wj=K3?S}C|Euomsa6=BZ;{XL6+#oRYbE#gj{4%11z9jc9)>(dyOf0t!Ufb zOQ^wuXFJ9JFNG(6RUZB~CBf|PC1JmYnuuq92T(3*V{Y;+s5`NX61XG%^5LK23$)DX z)I!)MnTbg zs*3IgiSYvfap}@I_j+Z%Jf%;B7eZRNA6=g2%1)NcGx8X73p3aE)M@7PnmH5_-J$1F zV{ovFGX|aVT_f?cKKCILIDPjDr*qhm^-*Rm(AgW8DIV4;z-CWC3Abp1{q3n5gHQ*t z_xV)u-20k$)@Q0TgEz`2YX21b)zkp_p{Tjhq9ZBF60#Mw$VU~gU4lrEWj&OFz+W1d zMx;{QefxXO?ARF+Vrl@MT}d&poZVloY``vtR$(o-b8W*YGvcv=GW-c{l7>~-$^fxt zQwKJ~wF|c%Z@y}uWbS^wPeQsP{ezNxD(e>||#Dj<~ruP(MejLY(lSb+PBqk z94u_XT0S=$gw6ILyTDtqMAne`4_E#zE}AFqHhWS%9MEqx-J_d6{3v|~x5(*DBnX6p&HWM}1;>RV^WoIhp}4{q$jGi*xIqQiI~4i({yOpoHc1UXquIIeerT{lCjUZb}vgE!8FmkH!mhVnWNyQ*8(~o zh&Oux;GiQcb&+j?IKnr5s=8`_9gbantYj!y|T#7o#OrKmkwf(IWee7JoMm=ra7b9+?K(i(<~svoxF!3uMug4QRgpa!9J4d-rio7kSvs zYK|PC&~5IQo$6{w>8a1&e5@TjTM@g@B}>9XBl8b*q|Z*-7TMA!PDpW%(aue0nVY;ZuE6$0IB2sx&C_Us!lGFq+mS5ea}Ksk(yPHqo{3}}4eK(eUV{b&6|q!CdN zLa0j2OwuD?!eKI_1b4GD^;Mx8+|Z(W+G2&l7O<#}q}9(bw>K&^U~mWy@`Ti;MJtb7 zjwdx!tcz>SLioaS#%sOmJ2^+P{Yy_~JE{m4+eZIa1qGZPgzPL_kSJ5T0PkSAOX975 z!yHB%;@3y-77CJjT}m|rSq>61^Y(WvL>a3mC!aM}FZZcnCX|wMm+ce79977TON86+ zLymzCf0pImVq*Od0q?(3+x%4~S&d{l%e572w!!`3ffT5SJsFIqo32EO>M|s>EaF4V z5?7ZAoLyTFO9$bS5qrRAJ%JAJzG@vFur%T#`O^Lu1rVRUztUw>RjT=v1Z6&QWRvNr zUz3@wU!t%3^QaonkLni>KY#w5jrelo`)l0Wm^yyqEePw;?;F33cMR&sol!+!7s&Fj z`?z=gbLW@pZ`kcT^kT=8yYJ?UuUW7)9uilbfN&cgE)kyk*tVno`K_S;)y(mlh77$0 z1%&7k5lPq0mSZj|Sjbr$C81s3?iq7bo&DbAH2nQQL+Ce_*Et>RtRSWbM&e+WU-{#D z{C(~%t;jEDy0s$tx_COIT(nHKV!+fC0a!I`!b3{e1*C7H)GUgksLSc2*5a+)r3rZV z;P#}=ELelighd)4hwwZDN9M}!DYbbP4MH<9*5Q;jC2IpGD`F90$i_{Dp~x4h?%>dI zTr!{Rb9m1g)T{@^8xcenk88EMblC8kq09D8ZrEXG2L$YLcR;D#&Z(mwgsvUg=Zb6I z*Q6r+AOqEPftG%sR^vp9U(@pb;Bi&k9Z4C??+w=l9fo=c82%f-KF$cRhHc~@=KwSj zPXSGY_TMxS?IPiR|I|dd1hRyyU;s^oKt%r|!@aA6!YD1P=IvW*vIpn>DAD@x1Yt$8 zNz|(tSbzxS^WRh%#rgK{Daw4G3r8)`6Hk^@t^=Yk{qaGVy=PD>4n56PT2x1K%c zw;3Sfj{~likg#E&2RTAGOwRq{7jGm!;Rd*DBH# zlo=mN%`MGjN8vWT%PI)nAr{$D6{U<-8e=)F`>ExEIMH~>#_%`Ps9+km(5^Qxn=b7` z&F&=s=LCW3q)<@A%GE?sv7Pt;T$~xl+SSw(8(*Wu*?B#^iV`yUE6q;F<@7+=D70$xW42Rq>z70ye_a=E}!->eC@&qg>LeyEQLBm zaDS%P9iTc`7Swda9sd4sL&0wnzx@0IVHgDq=myue`phOsdByGT`UdU&QysyNlKxzh zny>9&f&H`VsRa?X1#5(eoe%Htk)6kNm*&zZ5vSHJr+acSCv$73i{)*0x<)mascfbd zgaVG)1)v-|SIUI1{>~CIopRTaYm+C=pj|Pe9N2dSFYooNO?O zP)G5Cv@UQV)t971bQfFEOz)K6#r{er_(ujgV_LY+@>;@u|Mu+4f09V-|6L;C9G-O9 zQ95lHc~y%7#wbq=V5Vn=e1ZoGZ?kKgbY-Wac2ELw*f;^rAmNS#Q&WH3Y0 zg^DAlbH%afZ-e6&tC9+t(~i0~ZL0Q5Hb?6x^xGj(O3ZT5v-3}k zRzP4=ot-jqMU}8I1&yu*GYjEYlW~<9U%xhb!NeXyX5(&)60`$}eHj+r&a04CQWU$6 zCkeh=ZN9VP4e|7`tiiWWIRi}M^j<%t<(qBvzw>x(oAk6BIypK5KdE3(eH8i>wuKX~ zz~z7#PG0tlwT9Z*msCR2F?k*+H4D zH`ZSz^u!Jk!9h7|Q=|8+YT^9qi0q#p?)z^bUi$bp^}{porgjgI zC2^?qjr2I}o#u4+rU{FRjIc#B1<|%0nFR@YKo$0tysX*~VVO#7f26N$;DdwS`#d+4 zM`%*W6w3)?dmyNoP!t2PG1Uola}j78T{~thi^}hx4#-vNkzAk@su7^wZo=KwLX@}C z&r(PaxWx8YudLi~2es=NhDX0~f!jF{sxI$6&U^^hgl`n{t<3A8U8KVO(o%O(aq4qr14WWor0qm;rc?ybM^b>MpWVt0U^_-Sp&KF5gKsbuQtI!!^-O7ram1 z%BbPeWHsPIlcD}^PGJ{%ZTm8{U7`&-*QgBkb0rB5u#2Bk+54am`#Cq>? zI>j48ZCjSpC9BCrO72~QDd~0OfDCt@ZIxNKCTvubq9X-iJn*C3sl^bNwb{&kKIEQn zS8fB}SnhpE70HMsw%2{*4D%9&R*zc2z|`TQET8mLfpvRs$?urjR{8F^=p;{ajatxh zTeEHF@>Nm&aLAS?vmUdQ^sk2@nT5^~^83BF1$(qlA6>QQz19RcR})3}?-$OqrzepsgHo>o z>IsbmJo`UR)5s2wJND<2Y}~$a0Y+^!d(otHPW|wt*5^*P?DDTu(C>$U7(Z$`6!zge0jpiRPl zM#TRpKe_B2$ zpsSOhTISll$z58OU^8GXQMI^>ezB!F<)veP)(_>yFhP5BGBu9R@Tv1MQDt69Lk;Zb zz=py+w(q1%RV&SZ40?!QG`!)vH)|ricjZM)fe-B#*UEgBU}Ji|fj=+4&A8Z1Lq1;j z<02SulG1S{9;N8KO`9&>vPE{y3>|eQ9&%Xg$k|Vj((l^gjdJQ1e`gg&p~9A-y0bXW z;%w7wd(qZV;Xtkx@%ngl_I$1j=4$50c|DyWY|E#KE<=D_H z1h#(+P4TA=qZHa`icao?=h9;R*J~L>yAwOjli7_@h9)%(pjw#pz_JSF8mz7JSK}m0 zS0uN_{xp1bTgv=ZqILY^_D?62?-n&R1Iak6l*MS^>#N}|x9PV0f$KS;vhUe%Kg!@4 zKJs(0*o(^IAZGl$6B<~F6gFn#Ki?s_eOpm=9*rvBuGCJYS2QX-kS1|QsLGa zAkM^kC6;a9TIXgH>z~pK4N76te>8v2ZGfeX468B-BtZ?y4>>*D_lPpn9W;ewsP&7v zdi6E=t${>7iO^P<}?9Xcv1UZ5P3GL7&*K6DZ7wk3L zb|e;q0{cuOZo^#UnI3)??{B$zrqgO;(Dd)!{jzZztM`dVW3cv&)n*{% zXG>zYI@6X(b#-+c8XUW?-Up?dlI43vBB7;DZzK`CyUqLvT$7f03)yHgE)|fwihNn% z(jCwIsswFISb6KIpHPGuh2#ii+hbRx`M>3g#crIPn zPHe?ZJeN>re^7wko5k*5dpf4}yCrsc^Q`jC(5Cz!&srixU`e{8A@7i$ea=a;*6U%q zftmMDJ!ccA!CUNh!L)SDIzLD+#Q08}cvh8-(n}unPWviMnDmjT`^XT@(os5PfKu@s z%6D7fg6~ zoAO_uSlFH$F}X6j(4?`9zs(qWrD2TqzVw@h6F19QA&~gt@AU14xuS2vbBgir#wcB8 zML!p;4shkW!?)oL`}W=9ivT5#(eVEC3xNr&X4j?LyCDBi!t(0uO$VeW z&~Ge|x@O8>qL|LcHXib9I+t+0mb_Myc_{f7Qt2lQo@6qYTC+e4Y}Unici{AhYb>;2ES z_DM-U0QyH!SNKFi?y#Lj)Z0Kn z2B}Wya+p}@N>FyCDT#Jf$1&nJX#xvic-MlOVJC9?*kMjBm;4jo)^&5{2zhxyPj z{hNw^fNl*I%=c+kp|!!uwgTU_>-K0K!Jj1k&?bf1_kW9;*CRG8VSBkFVbU~b>%gdO zqOdZ*#+`(KzFbaxt^$RZQ;3?e9H+cZES@#942<_20l29nZN#YWrZxLS<`*_PpJh|R zMe(dFnb7UB)?(NMs=);<<`adCVJ~LT(#25wE=p~?d`IhkL*b$lZ1s+pKsyIoT!itN z@1C0(fdsowsW8J0T+X6QLut9A=L-_6BjgSJhZ_VemE?3(#%j{*XxvA7f!Y!7vU0^b zEVyO*S$xi5kL-9^=vrg{v4~Ii@236)+B*#yK$L%u3#24 zt%v}~TMSm@+N9@8>@j{0Qei98dZ9yvB$Yi?CnUE1g4z}WyHB+J_Rb2OxI*9<_Eqp& zr>2?$4C0-Y7_VA74@a*hey%TTz8Lt=rf@{rKEbYq<8Cg2hl(-ptio3uEp9H16l7@c zL89;>t6BV$R_N8Iv}XcJ-FNY7lL~TS`}CCq(zxE2y|6}m?9OP36i1lLOWB*BK^=$R z#kQz|-W^stN1jZ8nu*Th3Z7mh zTeK^VDcv;~;MB)9Bb0Re9h6t8lh4u%vP;K5cp#e|wiFc$C?<#OsH@ELtL~8xnK$u7 z@#Puy#TuwV7&6bi6O!1!G&}kYtbZ7nL4M}@NbB-c$oD**agl#ntAEb9EwpZZnk$MS z`NsRDqe8}9lt_0Pi&_xq=J!&ZnDX%lzZuXAl-uuA@U@mZTmFcK&5vk=zWc3G=jWoq z%+$4);ppfHY~+#WRl65idUeT>_MpsjsL!(Rz+qZu*>M(Wf1X4y!SV5>a6P~FEPKrU z>W~c*MOou!vn^n(X2H|CRri&SePL;%$19bEkO)b%X@uxfud|+Fe`!C``AQBxpfI(Y z?5#3h@O7@;h8BB46oxNR-B-*No~q)!!equ~i+AV$(u`WtzF3A@$xNbsY>LnPIO*Kx z)3oGiiGOG#tu-*Jz^^U6AfFtd1Z3@@05s94fswdkVF}q4UmW|uxilsa-Es;Pxi!`N z$BkN9u-8i#;)X4{>z?hspJEr!GJ~q`01vznzie(COzEZLeETQSM@)s#h=; zm6X4DN! zFZe-Ovgj#*-a#Zec*EmOrltXZ7y;c7GeMNase#qCkJ}3$iBg^tQ%W3lltx5>Q|4Vf z19(~F4z}{ePb6@c1<6N<^50AHu3|14kCBga38X{B^8BdR67vnzy$!}ctdmTSI#Mog zNyhROGdW&$*Aw?KURWtUI^C?g32I|(EluSHWKaN-GK<)UT%01qg&E)#C#%uaBZjlk z2)~&d)?MrNXZoC}X-MVm1%+;(6zFy+c28}*EW3Oc%lsY~cLFVl0F!Zuw}Cl$DO0rx(Ekizj+vT+9hh z`%`?n{)vqrOyVjDoOefK_;2@v#Z!SWL5|5sfztH3;9t;?;4D6Iu%*vEY zp&poX+=s`Hlr_;%1VGu`a~imNb$(Py?#qH|2D{F;W{(m7#`w81M&h>C4z7$ryyzF$ z2g6odg{{aX(@?stNEY42FtPMi4fTgHBJVRBvfP63_X&tXByVw{+d29~(F+0ROXr=jcT&=h+#7MObn!o7t(9g0%OJRUDp@q?o)w?cXf7ho8Pa_I!$w zfXqf>d0Q1LB|nbhwC)>QJWzBGL&)^ThAO*ga^~^H+iBoFgu62 znC{^QV+v9E9jjhwPZ9LOLsx^T$!b~3*7QCPV%s2{lFodO(g?tNAlLf?Nc20a;#^Wg*wwiFF7mYGa$g36I2cRkqFf!(14!!t zj~aSHMOge`E+*bg*u}5$hQT->u6dexW2Yw1Fj~|1^y`c$Be1*6%g)4f5Yw2*gAje6 zKkllobNbJRR0J5y(wNy z(lF$_$?1v}u6Z0|Cmne}l$1kJyLphx=yh(_M}t?~wJ)6s zr=%AMS6gJstF*C%t@}Q_cn%h0f`h5Gxbck07|W@)9C}6KboJXB;jfE118r;x=`V8> z?(cCAI#f$j=w82G3k(l{kX);ImL}FoxjHCd`?h5{GjFFgsY+s;(CN3!*2g&ef3F0o z*FJNho7_pES>#Gvif2lYC7NFGgCqyyLoD07De+SI=|gvit6Une?nl1q86I%a6gh&c zk9^gO-O>JhAqb2Q?N3)eNO&L?79FIJ$v7*A+`JZ7XSy#OhXL}-t@NiaIj)^hi1p;f zN6PaQHQ@cb4)G=f&G|jQ!;ZR>DMxypG}A)QdACe0LHqJN+ZAUY;F&}(HvwKxH7I6cgpfr{CHOd=VgS|P_cewOfNgW4?teVjqRI*+ znde1KxkiO2rGO+eMyHsq{TwTC3S23>7{1=0yu+3Zj@HmJ*;(RV;SZxMarRy^Au1J{ z$=&m7jER%h*Wh|JlI)~|S>?7+4ySRmxejpo=Lg)It#+>F7u$sN+ts+y#RaDWAgKWH z^L7T9=ngumlS{N#HYXiVU2yY1bXPi7MLC%-#o+TtbSM&^p{(4)bic<4Zpi>82AnJS zeQLhrt}ij=vOz~!ufT1@!iBmiyHZ}a zX&R+5KQIbkFbt&~p#;hmxEYan5``K_Y;D3OQJcQ)Rdg$Cwe{pgcBg%PSyoqFU0dy# z-b(W&In~vY22)Fj8f`1|Bvv7>e){R# zH|W`dxwF?}Xj8`kw ziB{8So{lgrf_s_Gp+-9>r8iEAG!5gI{U=9MeoGNSuR1b^;b>cBPydtf2m0-_et~^K z$PTZZSdA=s0=^u_Ay%IdbA_Fkw;?jV;;D;~0pEjD<0Fz2DCVb3)^&WJ?ae0Lys-n% z(vYocu{?76z01%!Y4ifX6b#p22y=NgB<333*t?45s>^dV_GFaYt6OW2|G2HZL{ti2W2Y*?xoo8-#EX% zXqbY|%eKgOVR8bh6>chai+`}PK3(Nbkd-@8oY5`Dq`VuN?{Js)24CNTaF3|5ox0t* zXLxfuY3^p4Go&l)BM9H#vfkbO{@d*({kC)~^%Vz=vQ(ic$`#lw%T-kmNY5l2pR0 zByw6Pat_%XW+O@xOL7iL2r=i=*ve@+F6YBA=i_D!o0-}7+53C>d@kSL@ALZn=?|C7 z_T2M%f8HPW+x2$4^Jtr!E^*}66z$Q=;kLv7`%xR1kOGg_G5SEs0ZC5nH_nr3Fy60M zG{~pW7qm0{E|Poc7+0hg@bVVivE6<hR^dSjkGu51xA{YkLVT0TL#3R>iAxeUlCkaM#p?E zh#MZB)0sYQ&RkDmZ%&{j*2E(cFPNAFFz1Qhl<(Q7a=aw+9A(r(A$Nl?)W#1c|6}7l z?tk%^5F+eaxk0GP;4ReN_$|xZM}LbP4f9{l&n?T(%Wx|j5klufP`a@bIS0)0f2gG!re(%!h=!CAi;!QQsaVM4JJ}*aH zbJ9nh|13^&TH$WKdD(5zPup$td2l1FLR<~{o;rH+e0|i5=yOj2?nM<+KD||NW{>M; z+y7n;uX1tiac&TUlYb!+B(E!;llXjYXIcb^j7a0I=2aHjnAX0dBG!6*r0=eo6mmWB zDv#M6X3re6O#$hXQgZ!m_=ik{7d~12g1p9Z-^EkVS-j;+HtIj<7w=ws+i5-hMWHz$ zPe!Y^P43JfgXg;F#pXXZPO7N<6aAE5Z>IO_GqhG+*d;4q0w>MCx440I{Bl5d9GF`d zEJlK%yhY0objPn*FFiHWog=V%6I#s?Ej=ckGjUQ4F9Q*CPXI{9k*7Wu%Xbs}pHm6& z6KS)?HYi`CRoqXUSV(m@72BT8Uh1g1b@=pkuCTV#`=K?H#?PTO&+j=b@Wonv7KdV= zFArt6Hmf=w*)-#&W`pJbzLc=Sk57 z?Ga}WV(wS1seWC-$q@ff@kB8eJ7K`glv*0U>;*hJ%xOh55!ihsb-wFaCo zH_1P|j7|vu&o1vLi9bx9NAH;cj`{Z3j>m@(O)@C0fkGY(%;>JNs8;e!F*VjaEJ*^h zD~@65)?#}-ks5;>i1$UXw&&o0Wwj}W>ebh&?GoQFc!w)&K6W2+atXQCDO6#=-l+`I z``-Yt9Y--Rx7d1IzvWR6-}G(c_9&^4mX8w_3UWS^T5$lD**1Yu-?pA@GzAb0ekt0W z5{1fV{0)N!QhOGz2%tYU^;wKBbZm<*yn0*Gpe5>j?u~;H^RBhrCqiycULK6ue{}jR z?YfcFhehK*hp)YCM>BQxLzpvp#+B0s5ci(?X|-I$oXd~xQA)SP9izfPM@QfU?iPFM zezelMg|L1v0K|cSwWHIXxA_ddk@w3rL8&KV$V)zs&}3 zB_xenyF<|zOheMKyUU8K$#4P61_4)c#>K(GcjETpv>5l^WiQa4GJ zYiGu!H)!jZ>d1Ahy@# z#derU^l=7wc(c#Mg|Cy;Ys3Ik)A}4nJxJhUyd?i<6F() znCqKatGRNM1B^gGqmqg-?gdY%D{AekahMhM`rNif{2AstPWXVrG`+5iaPCPM~*IRne z_n;shHa0rHqUD{P6GIS;IrNPC$iFqu-}i+f%(ki(C2PxmxD-AzA9Y9*cN0^_TpwY! zK0tt9d}$ajv>bWS=TCm#VTWw6sPwXf>VE#@SymM%qGtL2+(;QR z*>`(~H)x;1AH_pK$`OInFBIhe1`jo)&2t~8*M-r{5v{555PK1wxt2uiv;r8IzVnH_ zti8aarph~j?T4j?aFk!Qu!A=3+~xnH+) zOr?;tsC0jNAbqk4HJs_Rb^7EF=gbfdqVtLp(GUe)+)~;mfLu*$ey@79TwMvRh#u z+lStpU6U-dPOU2<_-Q-N-VSCCXbJ~<&Zjtw=k-50J`u*+te8uD>?@Ahxd8K^#r+(Y)`6RmQgCP+sLci(LU3IhNVyNjk%W-wl$lRMrR>OI!(FEvy-Hhtu;3= z-Pq_4twrYlg(uhE|G)6$4(&L2r+E^cy&fl_1W4Np%n++txGTTJE4{B)@AB#%i-ah* z^o!2Q*k~%ye!T5~YeVJ$xZm-kaijRTiAP>G$@yz}T$YO&V{d;YgvX1dt~~zY%f)+6 zV&{S2Ns)&66Jn5-ud=b^MT3VO>=3JpEP>x|mzy+EcyS#^hmIV`rOmh2bH5HrsLo{v zS;z$KRPd^*=MJ>kx?Xz8yR)=A%{#hx;fD1oF5s=1Vg+on*Ce)2AXw?sT_YVZ-Ib64 zCNA`X=s?y+W3R#FpjC(kh%;8+*B#Jn2wE4a zA=4Bon`(qRAR%9IpM3G2g$o!~MzAL%12gK-z^|O1LB^B4t~$$Z8fD=&gOz^ zqBLDi9$(_Dy^}c@wcBg5%oz3oRMy+~iGGij*(TK!o*c#>r>cO3*F}UZR+3uj=LpRr zj{3%uJiYR zoxwFf!zbInr=Ts_mN~Q`>w1imU59E}lK#t-W2XcB%2wt;WMGNwRyi+yX|VrKoi@dRJ}R#d}=*eDWpwS z!#qhjAB>es_^|jYR8#+^Q?a)6PdO<-*#HG}Wik&6ajgo%&;53tmiq+((mdYp?I@f} zzq*znSVwbX3)IC0njvFNopN%CC=&dJ& zYj^csM0s6=9^WZz3rSAWuQsxDi&Rp-h;#f3$hFqs^VbdswZs?s&IWC5)Y|4rtPS5f z$~9qfSJ1QLKgC=)I+QW$jwXiMc$EWg{*DQTlcP&YpmQ*EQh3R#>n?Q=Mhc;VD4x&3 zoL%E1K5ICElJOv&{AWR?&*-ph!kf{yybLb^{mt8==zhUiDZ4 zw6)2<)bLapHd5lB<2la+nD|$`51Drjf3A!;+1R+pL~RIgbRnK>9C5=|j9=Is61#YS zx%xpLPc$2#&Q;Dqd`k@}Zw-zZC75||*&Adow55+7YK;$$iJuPSPP)UCG~T--J(uw& z%<#Xn06IpOwWuEpLwM>nJz__kEB#DCRT^r+t1Xt~X~iR%wPG`scHH&pRpX71tPm;I z8>X6+iWY|5`}PKE#nnb@pvV_#Rtw1kx4HL&dS|u-1TDHgboR!-oaO&`2yS}~!>U?R zY;uBvfAlobt%9q|Dy957eCWSKq_hq=9Ki%p6+LzaUsLa@VzQ4&&0ET2tqtzVLnVd;H44!IRWnb>mYr^o8|73-Uz>s^2U>8_*#3W(Glx#H=TV`^Jm6Emg^+ipublo?2WG$0yqOl? zdQ+>gsO6ND-Gs@WXms@XSc_sy$@xDWkAhlmsH9sjhaLSAFx;E;ByzGNXXjaVa`Rd6 zM|?Kwcg88H%I2g7STuA~i0NRijJ#4n72r|_aPWi21%D%aY1^ffA(!F8_4V4OPHacBnHcRiD4x-`h)Pk?SlXfqw z>M%u)0&TQVMq;0J@oYo7!8o)@RKrsqWsl{RGC4D5bLBjn63m&t+k5J{%LBPJ5l-!*=RSuINiaxVYUjeR6p%#f8#iBxU?4&12Wh z20Ai|yQh4tg*yMT&m=8&ODR2Vcm{Y@QvU=EXDx5~spOX)n0km^8KWXR9F#Gu6){EQ zAp^Dpi|mf#RhI+6#@v>3}_ySGZ3umPeXo}h7$ho>ruN9;Vpm^z7X(Ehp#nG4p@sc(hn z-s+Q22VO&G%infh)$$GoF^8840s^{j2fS43IS_bvn}!pyj%{??E@|-3Lam0cjVun6 zuw7!h`(ZR=V-)zd{=4^GJ%x`DRAX^5r|;V~MUYcCq)7rf$8w^??2tgI6k@vvW{^Rg zr}p;@+WQT>ga_L>K8eq`BkyCIO$$&}lWrl?W0 zwg!Y;o`^gJS$j}8|4yIdA=iv*}=V(JUUzBz` zy|1P|5Nj>Cu9+hKF8`5sRF=NFG>w3_j;6Vr3}2ALikcgFDT)mko6h(2i2&LsH4>mH zQd8G@ZFvLWr9;n{UK(!w&sRqMwZ$eu#7dgXa(i2eLz744>dLot8gv+817bGMxF!48 zQbHKx-UQs*M~KSlr$s00l)V-GZF=@lmQ-8l1vO{M3 zJfxODkd;Z9QqRjfuNdEDH3@)+0~a7q(GBal4V*n5ji#f0HVcL#rN=a_NYF6{OnrqT zr*;AI;>yexJ&fwOJ+hEV)TQhu6Iw*dyEKXYgKYe$Atrd0jk5FKs-#n@Nh3ofc>L4T~1>(eR#%9G>{a+(6b51I_Q~`@Tg+I(q;f? zF)PO^Zs`tAc($A*-$hTgB-vM?u{)zW(Bz>(`(P!fyk^%tPrX?0kdxwi9U=i+LS%v- zl}qe}-;_$snjSq_Mi{XbrB+FOg}+~6q68e~uVS}Kv&ZhsXSg;+auTus*m0!BJtgEv zx>Q+YZ2TaB-e`;-@r1GE!B+i%E1o|~7&Xd??6X;S%^<-2x&2fQW(buAKSGFxMFL&dWo zKbN*EL6LGV_Uce>2*CcRFqT#?^Xril+mq=^_nF8+z_-y$i%;@+i9fJvZfP27-)h4d zBs~e)A7=@;%>uoRF=Kjuya(b8y|6OPoqwg@$3A>mmH6ZJ(AAMgy^mob~7O$kIozHXe0f_HW{ zkL^dRW-L7LB?e2u$#`F^vlL>}bu`^Q>)?F(z;4aloZCox{7@K+t&NzP8#?OYoLXA+ zcl6P!9Qr}m@LYb>$DAR9jFY#s!Y5dNTDRTz5!!C>y`(L8jf;Z969$L9R<)z2ZpDfw z*dM@h_VAmCz)5|*q8Q|@YXN(!^$Z++U7k};c!P+WUr5Ju47xHYt><)x7=aP{f<19I z?jK4klj*=$V$-)RM}|yCK2;&}Ts~F~(QU72IyT?NFgTKTagpx>B{)D+x2xwQy7GXn zL+I`kB)Bl_*3ZWu*l$LSVY2wQ25woIQ@pWkuOO*8_8XV51((A}`XgJ!<1`{Exc!b3 z)@Z#px0s+>IlD3f?Jyx{u%xcq`)z;j{}t82r=o@PtX(?Px*D3(xUH1Pqs?hK`mTdifgY1dZ9bmiZZLD^;>o?HwLlJh zQ-1Lm=h6!kN-;`_=mYb<{j__Rl|D z6UWTx<%I>P63SIP9NLAo9Q|bRhfmb<%`wrZXgWFNm2dqeeCIrkIQfg-TlJc1;Jik? zpM=?a1F!P{^9DR~$j>^;Wq(Y|dh92TZ+JpvD+PjM9@M=3RJ-N|Jgc$hVqdW4;UI3Y z-KWM7?6jBzU)zml?ddsgT`9RZm2ll#8B$^qfl)NT$mv&+YJT)(|5yLERtrO$ot-Op zDxD%@wEzz)!rojTK(G|^3g4-_@!J`GZ9b`O37R{om~q51?0xABm*8eyR@r^=O0SO| zftnv;rX9n-82veLIp}5G9h#qoY93A45_c1bLEQahIyw~Yc%$gp43~LY^ow4UgJL1Y)3)N*hBr<@;9k{E0^m9Z8x49gNhG@q#vOYPtk0uNkcLF&1x@b?RM| zp0r>lz3nptdxj5w82V=jVUClGK^N~;Pdwvo&he52~eJIO_^LhE!C5!FMIDEm%WoNLA&< zF@u#VAr#Nl+h6O~Z-ejzurJE56g9lr8b);Z&GNI21Kpd3Md=={OY?})A;~Y(PP8D zm{x|Z{$77MbnBR=SxK`0E(4x)bfzsV)N(Z>^7U*)C7Ust(>i)K0rHaRzbEj5bItyo znpV%+wv2#+zCo&2C*%8$KED6U*0l%oBbP!TjfalgdxIN6@~!KlFLp*mh?>vz6=&4U zFtxkozpxq|oocH0J|ZW!e?nxmiZKrZ8nlY3(lhn^V{ldjJ(EXLLEUU7M$-zv%JOz7 z{v>F*SEFv?OE(Hw%-pO2O95)R9itG^0d z+}EbupoKBMUXzgBIG!KzQfiMN%qE!1axH6uzWLMTxWm)T21d!M`;UxRI=tOq1mgR6 z)WN$}xx*SKR=l3>bOe)IDwf6@Fgxbf(dD_KRJ}I-ZNADSGkC&OXYQ)lJgE6)GE6d< zwjOEzIO<9DXsWAARJ4k&Cgn=fP=~TVJ~QAQazrn^VfMT>G=DP2A9sNN%I`PiOIy?f z3}XzIP3uruS{w(h)`MPatqx~=QH*7n88>d+mM+=l%&D)suj_7t+4U5k<}XieObNy zaL+;%-;bD3&9#&TkD+n;JQUjnH^W@L~(Kxgs?brcm_woHGRghRwS?`gy zg+vh5^&)v3Ssv9(GZSm47M@yuhC=H$*dj-?v_Tk6AnrxSW@XRB%pig_&I(56stE zN{_np)BXK|wtV${Mj2M|M6Rd@qcuPX_=R!*Dd3nrtJKwouEfQ;pElvP?9DHD1KPNl$m&hv_ zoWRHV+do;qVg9p~=?v?^vWd}gVb!fB6xf8it_$EylGNENLQ`TJdIcXBPS+d$%qFmA zpnGTbIqGF9?yY1ZGiWZ{VP~TXgJcT;h@F8Z?g}SB5qkU#| z>ZaT4KXu`RJ2ZmW7>5Gq8GkL3O47Q!%P&8>qD60jt;9h)5=g>kU`u%B?8Yx0#MPHZ z99S@{0FJt%%(m$6>?eoFE!QU)F%&`RQ?_4jw(y6M11{ z8oYNP4-kU4t}A-{E110e>St(}CNW3A?vaRjnqO`$xyqoOvp(D8t?wv5?sIp?z;bVL z^Scsj6r8xT!m3!84G6?bc+_MLTZlZKFYEAVeU@07X^$A07{-+xZoD*JH}Y}eBot%$ z{yrq+8NvI}Hu8<@Li*678j6O=z$hSjJbM04`1()98$IVhdmJ{1*%)xzhA=QF9W4y-)`pudLs_3&szQ?hS^BVeYwRe8BJNqZm~{I$+E z#GZ%Q!fE#`wNz@36VR~T&X=Rg-ABaa@3#S7J(i`<#m-wl4S!YR$IoAS;Y1tX8?D?| z>MCHRBT`#)#xb^`hDWa@bYt?-TD>#I5Y^}VKcDK+MZDd8mZ!6R{h=_^zwcAD2CB*G ztM>GCVST5&sglmf98(mBjD=lai;NzQeu6M-8E z@1R`4wER5Jq>R^2W~k-h2+E*ek|<8AdK{4_F~R!%4Fe=-dCnlcl6SQCd&kFUmTeI9 z3g3|YH8;y=%(S$Z>;vcuY1u*5DUu+n^MTC3!8X{+NQ=ne?quy26qM`aR6XXX23mQ~ zHS%=wr%MrD8Iz-x6QPRzF#UTpn7wEVT?nQmEJUlnjc66Y!^WWHN>fJ7^H-cZt!#W# z=K6ZfLfGGJe!o0Eoe|Q_+mlp4dC@`sZZeae*tsgiH)`5n>5eiHy!yTLfHdaR zM}aHE-3|XTBdI-f8#w8+)8Rd&8@pO3V@^_9yipFHWGpOG)Uoh+5@}^gJ~Q!iAd`- zA;=*E53$TnkQoTHwAhsXwy=6_{V@u}(-xkdSR-!!EYXXRcU5Uv-@X)hqMl@(J>st>K@@h+b5?f4N^czt?cm@eV#27 zBeG}pfSl>*WBD%NoC&42!(!V}3$r!DY9R}kV$q3j>u)Mq+P}Od6z$8c%Ouwkq@&h; z`qYzak~%^-jFNHRg^(G+gp#mJ>&@l_*$s(mV*R0YIh1M^LYAPGOjyPTGKRgPZ+_7K zW;V6;?E%-sw}1@!h>qrD6{F3t^SzAiz8JfMvLAw>(2tKjjZ#hjtBa3u5*-OV@-ccg z;U<6Wm16`Q=J%V+4r}x;3`&KcvgytPENkF-c@Cyfer%{zUq|e2z4s*Q^uWNR{qC!?O#*KT!DM8B&S08T zk>*Rs;)qeNjhP~863qVPb(O8U`Vf+#a%bEwOPy>%c= z+%9uw0l;I<4}S_)?n#Q@fL9MCrJvP_nhU zKOHO6D2lIJ08N%UDL)0pKGDl%T#xF^wIbUFH!dy6pIgDfdD{Kc|B1djAN)|3psM~{ zZ&SL<*S0dkWn)p8P{BENW;s(Vv7AjGdu-ln+9-n%b2U~P85x$nBI2N#Ddi9{-4l5- zZ!<7l!jGAKsO00dPTg;W!>)Pbm5(4JL3{2X6Ir&VXLl&41%|k|au+BmteS?0U zsgi$5@0p}VUUL#$lMH70fTrm2yPVAvbc2-R;%e z4uwp}E8pOw^6{T!3U#$bKKiP!1f9)+THjQvokfp6jE9#JoI(wkXnn6vm% zFA2M&|E|l58I^N-@maRIgApR)5wp}_?R9A6WpEKBeHT2;%KB@gxT-#tQ!BW}ufO>M zfDBlz(oY5!R^3JPpadt82H&zaz#d`a-QbC#RuxJtJykysz+?gA169jFh{y{ziF1gU zx^m*Sa`kvGDG^e9?NgTha>gL6I(V+dB^ttwWOr#+^~A~hd6KC{gNDU#CG@7 zftHJP^>&C6Lv>y+!|b4!kL;X0S!1}x3HmwPqMy&XB@JlX|`GVaE6 zs-!lrYCSsC7bPrUAKZqsN|R1`P9bl?SVc3E$Bw$jWqVpaekQvDW2@<mw{fkAPd( z1|Px#=MpSKG_j3TF3{_%pF%aC6)L3jwsj!;?f~PDEgjlTrYifP7dhvcU(3xdu0A){0cVwBcQc5vFwn-gY`LfQQ2XY}+Rr7yg9=7TmD)Ss z%E{&=y}~L9*F;)+89yW2*)MQILY|&(a~9a6TnNv|7LzWUyNLn7Y*R1*$tl3@;Ps}< zr)eFd`-7?0PRaz>Qea-LUB%@;Nld|lm)u3-c%z?v>yhNDYR&}a+h>~lkE)LgXFeVR zQKdf|7rXm2?F7NkY05HF3()485E5QI;z6HqxilY!O4$3u3gw^wdxYW1NUyG5Ei8KI zbVkr3Xtl2c{D7q?jU~)PPd>e0a>qYN?@~msym@cFgZal*mlBGXy7(FHF{Nf}=LCqD%~lY*4b2?8+J&;JT|j-dw6R-U zSn2;|s#{>$^R0>@p*N!q6uJfaF!i#NX88fek~Y6|%$L#qz7`}QD0LiqH&FCHEobt% z3dz`a4U?V15A2vIo7EZ>%5%JGADsVtbcy@K$sxKKGQe+37RkX;;6iPO@4$CDV*>0T*R}% z1WS$BPlg#=*)B*1IH-^Y#@a0Hu{_(CsjJDX-9Z~lwqJLay99KkWu6#J?Uy2<&Q8V% zq&M0MuF1W>?^ijAng$qo!=E!@5z(`x_wvPpA=rmuirlU-RWBt?gY(M_tt@jyQOx$NL9(U3W7d$a($~}P^9_7x zHDyhYR7(<6wtyrPx1-Xr@4jB%VLDb^^UWFp!e3sSR$d;w0Z@q*0iic*gxcd-*)!)d z9RCkT^skVRacix6HR8GQr#j1qp)uskKJ0MzyM(6pNp^I--Syh;fqt>_6QBI(dlS^ z<<$R{|F{1m|CdR$zq{qXD82ydw4;K$Ow_vi>D_5)iweJizs#2an3i0G+p9x-T4Fvc zm;8%!ZB>ChT29uDc4>}(@bKlDP*l-dfjlDEHYG`no`Mv-;CA4Mp(_(CmlNlW-k)~0 z!xTBfh5XwL7e)@Ppp!O7RZ%h?Jo?P%>(Ltx485N|@be?PiXg{FZLM1Se{f8yzd1;n zov-+O^@3ETe5P-moqw0V>u)cgLUfhexxJ#g<%@_<{jaWw<*`R#F;6t>8Q|@+l$T9D zHR9DBK2^7+z}Eg|VA`VxhxdE`!B9tUiFwBX8?KRz(Q|w%-(IxPjY$PTa~4DQX7;nu z)n1ClA9k#RQR&bUVR&Bc18ru%8o8hlU0H0GRBpqwshD28v7O}5BpjF3%`f{V=K4>k zj04Z^k0t0V%>w4$RoZK+<@le2gE%iHvnIZ#(8S`b#UO3{?bc`k` z|U5vQ`xMM ziZ$RqKY=&x1P$H^xeYWCSk_)-g?ZNtq@Cf}gG%MIj)%i@60NRMbdu#n*Rr#KnhHEK zEgNI|eqV$Z#Vl?tarDa>pC2kuorXf67I@;z{_kL*_S4v-)vagf1Hodrp?bu+&YRD$ zbqhMp-8**=Tqffj--vv_HB@hu370$O_wmmNV)xQ8lu}l~4kqCy!sjfDyWD4Qk4PbR zv{U9lw1k~fr$MAtkZ%6Se)s$qP@dDzBrABFC}u8UXTW7Q8krk86Cc%c1xhrvhpYL^1c}_?@_+BMpYh=#1|5-niG9yB!zO5uf|>=N^kq<4Y011Osu2PFT7yLfR!M5_CBaQeEVK zySEFj(FjKaf2Mgg5Qh`4fLC{lU=!ti1SR;L7kg*$@?0-g4KlNT7(OK&_DQIhLo8!X zmaRznj;@FF76-e2U{79HbJ|6Te$a(DKUnaBzxl5A(BbsIuz+X(k>(;DV|7<)`4!HN zJH<#=;YTYu9MVrlMrpRU_8<?@mfyuOw+kAvtd(d?)^4rX{*6muNcUzrN!rZQ;I+72nw6LR`@GZbc=6JxEbTc< zQ{SGvQ(ak28Sw3Ph$>*qJ-@gveaj0aq1vNrWcPNnHuiKoDx~Gc+M9PrWD<{LUpQGT zUMtb!=RnXE(O*29G^c5}XI)~gS?GY0SQp%FGrBkTrE7)eklLr~lj4%3%~XVW7Nre- zPx}0p)@!+2FS*GJq(DjG^4aYhYI%Vzj=JfP4ILqeeMZpNK)L}yZE%eo?R~7wcj+=t zk2c9RJjtCe5xiNEiP*{it~j(*M!tgJcI#4lBNiPB>yb^$$$rqrS~TFeYz+B|Th!Kl zTfx$UGy>KHiNWY`%G)OXgt}Y7-GL&*uSM+K)L6yG0YS|+wc~I=_(YJW_^W+4F)fLg z$j*J7Rvd4DmeiEd=)|%S(W_!=2ikLRAvb{Nfs1e0>{YBHVS^u|4fyZsAWEVoF-rr6 z{44$?6bx+2STpVqeJndqczRDq<09&Sd&c>*~phU-zT4Cs;bcvkqt_k<_qi_^w=>3OkW`UTcZz6Nt^HIH zdERf;>7yS`Fe zkI4z`_s-rLtfEv;JY4SA_!Np4p~ClP8k-+q``yul9NNMuQTmgHdg`{Ww({Q+XWhj; zVCIAo{IY@K^lQUb!T#8Kp+JudJWx*VKg7W2u}5ADcLu8%IMy(_DRSuSRW;1S2LeJ*9k(F21afDqRu5`_3Ef8;OU^~0ij3`qn{xFDb4gf5B?75H z(ck3e;^^{UaJnIA6Ep*-Lqz z<3XQaeu$HnmC=?i{y5a^l7Spit(9)6TP^cDTJ|D;O&d-)z=sq}Tu`hm?9c)Zl?QW5 z{xw(dIWL#L?4%y&*Tx|1XAh!|TRim@x$2Rbf3#=h2xvGp8m1B}R=%;Zf(G17t1Bd# z*vg9>a45fCkX4$YNF{+<(}W11k9;aHS?I1JCs>Z2c(&JNZ*45Nc30>O4A?~Iqw0D` zlw;~A4`9e(=@( zgJ4NkW8($!`(cZMtxQMmSGQfXt%em(ZFDBI%Gx8sPcLXM&g5;U$`o(*H`TwK{ereC z^Ru8ibn3o3#;wPG^&6GESz9v1+5TwcH=*>ADGkfScut@(;xDlfL4`Pw_~K8$q8{-=&Qg zhr(0F$4bN~NcF}fCqAW`YjF`;(#KP$`(j1a+cV&9U-USQeDv9PGopOvo{EXVd_yBD z_vB##+BiUOCC|^Nq2v7_PU@tQ7pffJx|ptE=q(~NQqr|pl{Wxgzmw`&*~PCgA&k;n z#LxNPX7AzwY4~}Eznyk|aqaRIn{t*YV4tYu*{@<$y2t)c(Rj^_y-0r8r0S$|`~(gl zUb>Yrb(z#<+MOfi>_=&%w^q=4*bgTOrG65iVQFSDus}FqR9l2d44*JF$|+6s^=*j% zBZ=5`O(UU3K++&*bdK;^1Yo2KaYEy^VjC7PI}KA9x=*Kg*-y9xMGJhfx|eWmeXdq8 zW7{+2t^Q2me5K|@X}L=M7zsK0O-5wJxL6cIZVkxr^R)@#4amy~xvz65QDO-?F@;XA zrv)Jyq~N#s53z>yxn$Q^q`m8F59#D~;6`E6W-KYF^* zd42B^mPtQ5Gjg*4?lKroCpBC@U;pO#+Hf5CGave1CfYf}Rc>XA+Tf9Urh}TCh|aH& z;;w&ib6L~NiyP=ycbiRh8(!G5y*Q)YD6@skA@w-{PKS@Z`}TX=)zbrSutpX%adQV* z?)tbrCK3tW37-9Ze~BcNF7o(KqLqixOr^`tQm!#to(vs1&0UYiF$ekmeN}xog*c|O z^;dr*UhJx)k+)6X7S5{2jjNdHHk6cWBLn{8KrSgq#)qU1@_1Z}BFb3)5;h zC9WNb|JVG9Lw|wLiPCCu7Zh%zncJ^uFi;&7$ZEt5$UnCY`^71)Yd^%YFtuj3$#;wg zWSf8px^ubs9uqgN39W-B*Z#U^VAE2^_8hqqXG{SP&2yTRrtkAq#lP7vKHS59tAxR} zQ`%Q=PA z(sy|%doHcI!;6)?qj3H&f363Z+qS-)RuDjRw#BN3DDUvHb$NgllSi$U*<7v?=la?p zfn!%&T4Tkx&%IyIve2i>0RWHoCn=Kdo1Kd0r|h?GhDMnZK(dFyFp2o#)SI8*&ew11 zEuR*9vEeDlWv{?o6(q@00FPmj@H8Z3t5T{#XKWSA(8nxJck~LYu02}pgMrZJA35f#YT%dzc7kc0pS$l!9z{E10hXd)mE2-{);j%~JRgi&qK(&(o z3r;lqEfEzr9?8p0sp5H-GKuJs9u-RwG zpw9P)Q~cJq#^Q;&20vMUNbs+0N}fK^D=<2o=fP6!*Hstk>W2H?!CXDgjw{VCSSOwi zV2y683I?M>w$>>|E@%m__d#uZ8GVSHof^3*7oOiu-o^L^dwX#F_!2*EWbeDax68%y zKyF|O`{{AbQ)hNWL~ONo$vb#L;4)N7woayDPN>52OEcxE2n61C@?Gh`@<3tnP2bPn z+`3*@^p+nJq!6bNzf{enB+&I95>+o!^l!*Oz<$XI0;vj zX{7%UoYZ-6KZ@`+Pmf{PRFuM~V^J%zGhSFh+^le0=~QpdZkM;fN`|0jJmIE(WX8@9 zkwM5u4^Mo*OOM2gnyc-Om;fti1_3G~5ClQ59>8B+6XfN(ewG(dTm`xR?;lSzcz=*; zuo8@F@6&q|(~{M-!K?=2gga&l`Y9BaNveSbk4Rx(VzlRPv;hbAfDktS>`dl!o9b)f z$)8SYj-bbPm@3a%V-&A~VjuqfR8eVBZD88|%JJ8w?cmBC{Lje2u<9oOL?|Q2NsY%$6`rGkoXOxd4I%ivqyppz<&n^Vbuul7)C6+U%&YHc` zQ{O>!86I1iaWM&gT6IdJ`}g~9t$BSwR0?Y5Sz`I?xu(o#%6)bo)>xfi6aaW^@w+`D zdV9lGe96Jrj8NZKoJz~9DxB-fq9tMBVGQBeqHD-cLHyrLt3=R3Q+uoozsNLh05w>|XSW3MTQG zy5X_A3E?D`8Qc;yD+!Yt%-oAadYB>S{g#t9iyBrUs$;x@%g@}lH_~6dQzS_pvu7<^ zRv2-nvJdrn@CKZpl+*V56#P3}Y8dgT`UZT%hSO`$OhWbmxeBU@lJh_oOdlnMpzpkG zxb2z;e{vSL#Sd_WKEaG&IaPRblhmjeQxSJ1866ct2Xp*_Si2(FtJ@F!sHJHR8B8+R zEpxXYe6+b0#m*EEKyX&7V5fh_8j0^E)88d=TE1+c2#D1Uih>!C)+8Z6nZDKys~)Of zJ=WwY&7o7!)eZE~juHpN^nEjT$nJDfwX~MwHk$`r-yHkD243ynT52uV*g zXJ@25WYY<0i2|{97d0v-P-5>93(7E$G3Ro}gGsIS!L(HdP}{Z>kdjBnsEk#>8qf?B zo}JDGY`^}CWztauTZIWcKuB-oRu$tRK6+G@fM`$f`mjUgFcIVY8-roVJD=pmCsqR) zm{@)_(%}HJpw`Tzvn@Q}$%!rAaijO$Ez{-xGg9Bi*bLlK!sV&;Ko$5>;UUffn6Vi4 zr^aOM|1kHSVNIsp+VBVnag-*bNK0tSI2J^tNWu00|)w_-<$K{q8-__so8uXTCq*ACKey;gRFMSogWk zb*}STOU%c8lWic4%^i_}Q_g}YnRQ(Ub|D*zG`kIo8#$Mdav-qfe85{GX7U(AxcC@G zOlF;!&-Wr`qx^;*fP(1UlrV2(FgdQ}go8R}+kZY_COD@B1)mIxD&|?EcwNUu1|m-<(7ZSKKPDuKTDhWPpmQ;Y_3uOP#K& zhQ=n~gW6Zk4OMW^8S)~Xu$g1}2}Ni4w4AV?_Q*%_VxmG9a&~-?>C|*hpQUYAAM;4{ z+O^M|{JIUXh4o>#ho~jZr?TS}d3qs+V9h%7ZvzTb^MsSNX2}k1+TL~ZIl+n#U~}cz zd&I!D<)>rm0Q|{@jaxc@?S?L^EsC)ZeVc(Yj@l}-Fsnm5RG>GMsVuiNvJ|+C+UJqg zv3x~yLq9(*O@bMkpo1UT6UI&#j=MT=)zAa7`BtY2vOT+?r!@9FMJ^67a})J`3+l`R zQ^EIhOrwXNeN)_IiA($j0OA+QImpc3w2hDIK|cJzsIZS$cS5VTeOuvu8{N(wbO#^Q zWH$7oM>j>{i}5kSpCR!Nd@MVwRK|+fJ6NaLeOHQ2-|1lNPlO^L7FXRJcsH^qB2x?0 z`D6G|fzk2brxs)xo_$C&5wYh}8rz?5Y)fRSam_mSg_e!Cz@N&rER2S7B|1iHZi=D& zUIspsQgHS0n(b^(4@bf&+lAOH-G`O(=XPMy!VI~1bc5{!P{`I|CH5t-H!DfQD{ZXBy%32CvdJO_S=1^Zfnq8PV7TodVim|l}(skPD7uL zh&$qy+ucAajW=Z!Yg$(CUL~x}4ozV>PA&S6eW86W6@!Py&QzNYKdN4=y!IxcGfXJp z$oRKAL!qi>GWSJ7VNaED(=eh2in5H6Nz(9<(J@wmdMGBx&n_o$ zG?2>bSK@mxw}oBMm4Q56H>ys;81D5>p~4S)|>Y? zE2N2D%y38UT3*he54zX^h;C*lCtHe6x6)&qMtV1lYGt8ILBR5_OC}Ol9>4e-H%;Dn zas8NW=ljPp9~V0*dBq5Bf#F#qnpXjr$7pOP)!F;d(WP{1pZDE$*p!diMJRXPWTvyV zIXLw zK5~>3R+*Qx)jvHWp+S}oPhIv7W5$Y9n;T5+(u@u}0>_R8Y&p=sbn{ukfmfsU$#@;taiw0 z&=j*n5R6O8S%t^@Gv=^`@Wk-WZ|j9=p$cDGE&>7F5 z99s-#d-o#0AoTXRs&9<3Mr3i=IjzIC>#M>i3ouiYY^*X&$G|-~L+ik)sq(VnYfp^s zH;#+0m&nCaAg3CGN1B4&CAXhtKl%=u;2hLSj2cpBXQY0(2)fn04uMH^pHyb;@JR)- zJF~`fjG~NggCq(L7KVwQ?QPTlpIq`!#4^`B7h~Hxsmis~0tJDF6*nySV6o>0%I$aN z*W8l5$Tv?W>(`nublo|@xsdY(3Y-7F2)dV+^D#do*xP9WVc5 z4?Lz)z67eN@46}5+D{2`a?L-in!5L8`F5H1r(Kd95Q--Mo3x zSvbP!22_vbLEfXg^6DUj*VHXVZVlNA?QFC=gB^FLt0`u{fbV#t3F}QO9730|1l4n}$X2utq*R zgWfNu&un`B^dpv$Qi>aWh1UX={N|0~% zVycm0oA8)S@sKgWK?l0u*3V%?yLwJ0r_IpdeOB1Ey08|%q!3Pm-@po*&a%76L;{p+ zoJ0hj3%sOyCRDN7*w4o2s;!}l!7qpOm`z%X?~~|ooz9U5{bBQ8*v>)S8r}>ch=;f0 zglKhN-=qhvkMT(z8>)QYmN6nfJvXBN(7q9PUmNjlClB=r; zi$ckfxL;m{pELXk3!NzAthmAT?`85<)4O4|fPpn>_>-1R8ZcH}wd5O(MLal|mSe8@ zkyn>6d9aj5+=x=9SYbH8VTt;btsCu|r>pB2-o1pP_F8*wj?6|6y%%YI43CA|VXvIy z@}|pcM}>DQ&Ad_9pZ>L4-)Tghv{MiMvH{!%Hkd-KJ7DEv4O-miu{4Dp4rgR%o!+88 z)>tY2fnMyqliVB$Z&=;Sb#@LOc97LsfzEEP`@|UXBpZvet`Pge2Kv<5bj((*++de60IpcjkPhCk0RhZZm+1YGvQKy;j$*)aaq^&w`t%Q1nLan9p^?Zr?uP7IP zWL}u2?R?!MYI4LcXe5`LTW8^W^0qddVr%BZ*wp9Mh7F!{s`gPFFy>srIMbImzq!vas>Ty;8D$7*ayXC;-- zv&Pjao5Q>-QgY=u8Nc5Fs%4*}WpZ+>%`IzNeHMkTO<0+9^IoG?z#ewSLt0WX-i~Q8 z@+1d3W)TAMTIhN#Hit^4< z4#J!7oEK5-FQKG|>$ z(@f#bmglL6hq!0Y)r9d~$NJJ$_U;P@@ND4SomUqg;*rb2%bPLgQqUbN_8u0sAZZ)N zoK|*&GV~~j9cEfP8D#O{EH8}$?B%ZB?4sX=eO~(|sk7+^i$$)^&cn?i;^tJWu17kW zQB`Peu<&y6u{w9MxItlVZFwiRn@ixZ>)1;RpB@h{xa)Wm{b}{@$%ad9967U5#9)x#c^NV5FTrP%EKia#*N3F{T$}AGs8+Y!h5%8F} zH46RiOlHS=KkreIbz=P%2Pt0NH?mooZGQ7`4G-+$RqS<8%d)BD=B>Y;(8bW`QLBIT(pud{6 z97^Vl+gR6KZB)3YS=6rfTqjbX za#M}I&mZYv1SK*1nTl^4XBN%!YU9{XQm|_tpO*Fq$#XN~M>QZ;#G6 z2O_NvR(flmM&U(#M7BQB2v?$BcL={~k#lChsG=t#&v1>Fg6S3znN!cBgk&}zWsJP$ z-x{fTuu11uUMWpG{=Eox5E$*|g=Fu!QIS{+03F9~)&JwB)%Jy<%@CBR&KY)2@Uw_f zZgOCiC>xrxzV0TDnqq3bYc$aO+O@{0RjY0s|Ek`&e;^r?z0n{o-M*A!t2}mVGC4o2 z&;hzr+|6CBgG!AjRBwEB5Yy>ofd&@$=-l;Vdi41&z}6c7t0|W8Sfogt5JDZNFXoON&){|K+>Wq4~QoNU&lCwKMK4~4^+jm z4tanw8japha?XIOxA?qTs`;{s)gFue{qZ!`X$$AgvEAsDFu-3wbE4{a$&RcpcVzaOc^sQA(_1MI zAU0M$V#f#`@=uGD$x__NS5z};n22}x31!k~!wXJQlv7p7Dh@>Ll#R}I=a=SfzS9AC zB)u5n?spmfA*<@DXsv-brs1fhUumiDeg22B+dn;j{J5#qC}^Cj;p4;zW1+AAjKoIi zTp@Pq^VgQE5%G^a)D2#6L=1KF_-h4*a+q6d4B|H8VdUonL@(;{ygQh3b5TsFp?G!3 zUYj?Wk}k49++n77nn8y1tE+t84$TPb+|`k-e~v(HG;er3)=)Krpz5JSUxkO-$kD5$ z@~tv2qPf1I0m9aPIg=lv&iK^HNykdg z>`Z(JzuR@m!Pd-G9y|1$??uQ)35-sPp{|Ww)V8=b_`Ht0fWyxyEFw?xYxJJW{Uqt* zTR#%emNcyU?L_SkD~FE2qrVIZhqV=3qdq@xp(qaz1_8wmGNFA|n&J|t=X^KMJ$Q20T1_ii_>x^2`7=BWp=X-WSCks!; zViuN%q~|rh(p1f%+hybB4Ya8kbRaK%s$n(!k$DcS(r9d=oMYgbCifHGVw#8Qd&qj& znZ_OM$a9hYD*9aKmlvZ?x7J6sZfW?;Km?f;TkO5$NHGJKVT0kf9qYod;!#e%ZK4mQ z@rB#b{LQpB(TAZoPB=H*! zp^T5;O{h$?G0j5!AoY{@M8aq|5hLFq;u(rWqjB^ZWjLJNNa*IC>ep21OA;c3Gb#&T zj=6ym8Ig_ZQyi};BP5#B`r-@ygK^W@Tms0tMd@9cL@G8a#dm);zD)(Z-NVV(arBLk z;B^|iz?7TZjFmpK1bZGH-SYEe&tLbxH}XS(Q%C5QL0zfFuZjx;(v9Ki)UU>kBQBbH0IPe(nfE+(3+5{XiysH-D>n_axRn}g14 z4IWiP!#vw)Q(w8!ozR__MN$&%OlUWKVoY$T18xv3H5#h_5EGqhjlU5h`VW1L|AMQg zE#us6!cBqEJ72Z7RNK99GO@%$_wyn-vF1G=G(YFa_+}4ZYTZxnNs*sc7D15GS2Ft7 z16D6Xu0pgofsvLs#SreUeT*SmOTG*FJQ{JYg`!KPnwlGO<{jU@JQ?7|*1~EMG+z)l zWDXZ9rdJ!gi@QuNNb-*aCWUcCn(%6+%xih<^`oX7GZ>9&DG`68qDjw>|RN8 zjF7|5k%+bP>VqW|FFx>FE4iA$5N!e{PrV$pQTaVoA_W8dd=>hP*_K^4+&5Ql-%>gS z-=qGFnZ4OCQ*Dh|`O>oYo$UyiwY^R#9s!63+)n+nRfU5})1oS@icu%vYBrKz)i~5# z8qZs0ug=yr9nqRL6sRAft#*feB&=D(kr0DLWHk8+{JQveU3jS32J1kWeH9<$u-aXm zVT&41&M$zmVguIcwf^|-kZ{E^O#(RF#{+{Mu~#3_o5`j*uf4Ms|F#^qY&wYVQ;GLD zCcU%rBH)ubO#Ah?2L73cO1-+k%ob2MPq@Kpif@&MqXLuoKEs#?oWb680iWzCUmEdY z{ZO}MZa}LCb%`6SrB0W>_m|QFFsZr5(EQr$psYc}!Em+5ZS^lqAB(+u7UEuGw#16G zodN@s+sr9-)su87Y}?~P9q|h7Eho*ho_Z6u_o|PuzAuLP6t^NzU0$77&Q8NfQ1_8! zyJurn4E51*cd*%7(0j{_-$LA7O*P}Q6O>~_%8fG?GDOaaN5R#>scDhpYW=N}Ej{jC zEZ(=%0!fafy(cw&rB`+a}ydcHflDO9cD4_@g3$esbj&Cvpd2R-3?7rwUp1_TP#bj6XajCC7NMrD}Z z_?oAOPb5b!Uf5aXuL8!`LpdYT;UkNTU=PCQ6g-?x*zQ_Bb3uR7Z*13QHNB2sC6utY z;6jjLn({ac)SQP6aoo(JXOB)|$cQ^chVp%hy848YNiJqNYRfhu)+NX14)i@%NCrflC|&rI7pr(vU^|;@loAech3kV_&~I z^YtX};01@js;5%@h4Oux&KB?Y7X)W2*O>03-H%qK+)E-~%MYihN&^lCSfe598GY*L ztriIQCzAvOd!a-;tcVhm=txrPqFzzxy4)1jfgPdt zC=BXj^r<|XWm!2_G;R8~<7BS{Hp^`GN^guzd1(c26syI?+qzx)4*^KR`QTW5y2^>4 zg@Ue)@FHYIZ{37Gq*0CWF)l=&yrenQ8q~QiXDXh zO-sV3$-!m{YZFK|^nm{f%u);Z00-(1|2w^6_jQxZZ09fVKn9 zS1w#3HbfCS(z2N1!kl`Rs7H!wudxeQ`B{$A^mu&o_q{9slrogXD_<6BP${mgKrmCP zn2}=#H6%F9SczJT{t$&Is2BJ2Pwb_{$oSi$TjM7*@-$;*gD9{UMY2=a2t8cd z*NS{$jlS91%Tq6O?(naQqMu2XAH>Xu_@r@~gFlH7S-fco9yy%gE|-4gzVtb8lS{sF zhAsT9F|&E;C7RU}Y~&h}i#WTmTjH!Tm-=wJ`e$gPIT_!oR(OKMhF>*wo>((O98b+hns2|{PP>={sG)Qey!rl%P#e7%hOv!W~S8ghi zmecmhTqXCe#2#%sVwu8wPFy|JIn&$S0{b2BAQTXTpJ5#Ay|!0C)BI5eQ`>9!%nThq zch{B&KI2QSMRD!}E%X)AdyEQchZ?(E7g#O|M3W;XTw#DSOz>Vp&WjEX{wBH~^pHWPX zPW|FITVm}C65RW z>Y~K0GpjpT!VzuJSuz>H=%lf|JtRc&H%01u0)I9pyK*B<(sSGry)tQv*_}b?pZmz8 zexPklS3p*7X+}Fv-D(vHTR@{9JP96HcA9i&n+2t}cJ37k2T-INk(P8kRH!EFp4)RF zZJ)tDZu4F3t2=LBo`6^3PQVEXkTUlq&u-V%;4>bVkMtTCxx5U6QX*3nPY8!g3ixlZ zFMM`lp%!M#>;VhMsb$I34hk;Rxofl9RP4VD9sjShlu^1Irv4ykclPzk71^x`d(3Z{ zudXK6Sj|o;HfMc~NmEk4H`#X+BUM4{(-w1naZYD-Y;sV>IVt1;h}d^T4MpwTS8LVh z;f!@^9pnNjy6`0SuOskGMl}a(Wvbnwe@2Fda;8yTRBGtmm}Th z83o&KIcq&MG8|4XHE!=*w{?oRfHo#y(<9BW~X6tnUAMA9Wa@`NNd!~Md8 zoGozuYw#SwE2YLh;AFW)Dd33-fC_DOP8_km5d1}QdzV=CgOkPO$A+VzS)-G3e-*2W zr%*yqHvP}tv3Hn!QRKyZ%(cwNv{`)E?I)uw9@jxolqffkZ6RW5(azbwPt{))jc}er zxs1@3`GpAZ)`H*;EG7hV)GCy2?j57MI&aya7i)^We-iOh#VVtm%ZS0hBH-ym?4j|2 z4`=1e6wK3K+WYrPBr4++7B&U@b$!veZLYvmo!%>g%_-@ifD89J=VMdudz1pOk*kI! z%-Rn{YIQa{f0ol13Y)C7$-%ToLZB*3YJo|$W%1%6lWi6-w}r2cBp~fW}rVRTOuiN+<(_9tQK2h~r z_;tP0x7K==^syZC$=KUOpnu*2q{0H)Ne`zW&^|cUtaa!r-OYZL|8QkupnVyiedxo; ztB-7S@^X26%KO7?-9W<3`9Dlaw8H{?ibSZ7cUFJMo3PjZA7`$ktrjPCF5P!>O##sU zpJ%szC&^Uhu`K%;I6RWL72P9j9;+4l3X@CjhCgbtH(@6EM_Gl1G9Smh2E!j~h453q zO17jscH@eW`%oWwjl{f zPI!E~;y^~V(n=ala1FKRHrh!n9BkNhK-WVYp8x!=9G)_I3ypFUKWYVSPe{><6AfFN zRQD?qhE~8@C*#Yit69+6#$Itl(kL%usngqvE{|S<9^*7gFopL?4?~n1j@P7|5&2PI z^rs;$eT~2H9`7jr_PyFHwk2Fs-FYy<24lk29 z9F_8z`*!-Gu?t4|86|IHqwWpk&+qrAm;Hx_Y4Pur4p#>)Zsn@nJ^Z=(sOt$L2qrnK zT4Q!UuB^lVDqb9A7Us^z#idlg7R`Ra?q#!!?lm|b36)q;?DH7eET7p&C6To%YMFVk z@@#Bn!!f^pxqzr3#5;5AeIcZqD`kZ*t#X=u>%yMht}+o5_aqRE#p6Vwo2-1c4pv=J z-eLyB zK~S#6-&b(d_@Usag_iljLjphqlu4f>A?1e0h7;;59_8<&U$5<=Ob!G;qf=Q_K$YAMe_?qS%`2CVByP;DJDFH*aur3zw+YeG5-2;~XFCqGWHE zP)4^#18mmPaJ7YBoQ`Ks&eZXmSJpr7CfAnYove3UbeNreqIKc>poo2I>6-6s`H`_-P2pR4fm;tmW~)2L*;&kAkNim z>Mg+Q(X)}5R@ZSEwL+sNVUWMZ7uC;@rbyRyvmY){|JXH>AqW+0wgN|MDV4QTao=2| zRJYK(5-VUR?^ZVYWyMJXuFC`M&Pdt|dC+JVDFcK~f!^{n@uOlv@l4h5-*6DxxUD8wT?gQn+SHj=%%UU| z;U1N_l%~+%>i^QT2VdH(a@YF2Iq=3c@L#f%e~gZ%(x(8o9-R0X z4>*|zWmEbdofXOf`K1p7PK{Vz`^bT?Utik@!uR-UJD+@k3bt&7uq8urfX$buYx!EG zd)s~zn`$YCa!YHc;6^JAjIC>suw(kVq%=GS+8U93JwXpw}xGKeB2n zaIGi98je^Cp*5D!f(1vPd=lBU{L|js&br@=k^9aanW~`9!0)e5hc~Z5{;k(v2Mu-< z+qSzro1eO_vHn_PkB6<+q-8>0vS|aV_JSWSr14?dOPXyXu*}mx9};wBx+SGD0%CH! zWt**`rdNnv+n92kqg+hT++gFsX;*GSVME1O%KOLXfcFhLwPNwwl+1MDx~}eyxEP() zqPePT`^b#BXxw6T9C;EcspNuhpT|KT<^+g_!QBOmGNX}wG(mtH1I zll^<+*_Cdq2{=~ykr}dh`Sz60inUvj_^#!#;YYNViu+UmE;DJT)d09u_zsurwx{_2 z23#If=@|h8ZFcb7HT+6us>1yQRa|*=3&|NKiCOyQ{=4Vck!JG`N5bOBUHfAo@`qi^ zHB@lpX7(9qc+Mf$@+5OZPoVyf)}`*-YO_T1aqzdz-3e_&r>zWEZYAYjK%-MX<|Ri; z#EcprN9$))1JaCa`d$sJXi`$Xq&vIxtELp9fwTBAt&T#h|$)f4$+sP@ocCRY+98HMXwQf{pwofc^)Trsq2g#IJEbYNs#?r{M~MV z*{cg|7^D;NPWs{kf5j00kvF+u6ff(HDcr~^E%CJ%tucP_ZS2QpJy-FV3+NLfx3Fyw zKc~pIe$x3Mo&AEOx55@`7!-3oo&ht5Lm)!+5l?xu%&)DuF8SHnkN$HuZ=b6pR+KnT zA^Iz)5Ncs`8zh;`qaOcSXzo4hu6i*03iH}!dfA58u<*bn`3H$LLM|_rTdk0L?{A9(`yz9wv>2$iyQ_f+ ziqYrS){c3Y78L*Ad%M2Yw&u+T-qjT`;e z4i^j@#ud*PPsSPr*|FuDBF8)&>4Gp`9_>7a4(jiEoXr5CUwZ2GkVW!=W0{3s-pjYOeu50Ox*ta$Hpi zh?5I=_wM~d(>mYdgpP;T{Tp#YGtWIq*MC>Hbt_R+YwQqP=q%MQbxgn6+V#9+M~o}g zTmds3RUjnZuIt6kD-hEp+%GSTgX48{^dv$T9z)Cf7gBV?CCFw+Ebc+Pp%dXxR{Nxa=^|Oj#S=+9{ zc~3oDS6;Rqb=rj^dbPtCun&`h_zOvgNZG1g_T*Yhq*b|a@Zs)zwCRfp7&LluR&i4! z59nRFKt*_exIcD*)T{0Mld8yXf8V=s8z?tG0;{6CU|8jUBT8gJTdgJHqgt{S(tzUD z_nmRQX5{a05qE7m{Nfm}F<8t7XBD3NJ z6kSOxXd`I9zJ20syP#3S51swhDRK(19|==yU6CWa=|u!5IBw2AZK!T~ezWMAQtR+S ziSz~d^BOqxu~@Na$ZOERrYB=`KwVDYD_(*>h+iVYfUdCTzkWP)zi zTv&Nx*P;~heO^lNuvh`e7%O49uR^0z{sFh`jtMzC(>b=)+37@#R&A_CO2E8+;bZU| zN>v>t1mC#KiRtFGK930j1u)tVfAN9(mlcSwt_52{=YJpO$yyp}9(>aM_*smxO#-W> z|3O-`DeptB$9)&ntz~0`9)JmAijwVKq%{^*El1BT&wQanI?2w9JL_@6eQPm3oiKp2 zP5|;tYrPJ>b|GG#q|D7#JLv08oMjduL+wqQ&K81#)M)a5_aL&BE)VBa1+gYfix>Sp z9i0VX&*cx-0Hdceza9MD^EC}#x*w%?zSA$)uEiqaLX22gX!{6_FeXN@?f7y}~LXt&_vG2$VK{cjk`K$_(fo7@*<-lW#2GbFa-&*jhnhahEes`xW)0 z&|!y+pFN;PJ|@&o4L8#=rA~>pLZU}v>Q%sQ9=yMZ~NKba;osl2lf&L^V-f~+HICB%$Q zidlSF@Xpo>*?m7$vIhm49u>YktJsj10(FHkBw{WZa&R&@Nh(_O5m1=BM*;c2SO_4qoCTJb~*j97{DyzhaoxlmQM>eM6QAcO_cspp#EP^Wm-vK z1i-`+4qB*W>WuDrzt~h6ko@cH--J^Nt7Wj_%5cDi-+ltJ$57YeKkmGJ(~-gAHKvTJ zJXFBX)jnp+qKVV5qS>s9eCTP1y>cG6&wI%G=O7zk(22-3eqHwai>uaBR+?UNf&ObE z@9o{i-ps~>!@O|2JE6IG=6&q){s9LmLt5+pnfRCL`mZUM9CuvH*3Hy>3~rp|`5M#6 z=??Ju46NPeOV}%Tjv!>^P&|YK^~CMjC9eB#Bm$xT)?r+>l}-UVM1#IzeQTX8Gipr2 z0?df>xu0F8p~(!l>64oFJUemmmJS5AlAO>YeYQ4LVd`8=s)M0_zaU{Ma);ys~azBC9vmnV>(<(25Wae*|!GepBVx81;{)U>6KZ$SaB7N`sh(iljw__zU6U=c9j>7 z`BsMR?E$!Nu0=^G(x@ZV6}zT4GMNV!lM4Q(KOQ+2X_bM{y-vOFy|YC2zp_`MWw25{ z2CN}L*L>5XI8 zLZ~ahrEWUDs;j?i6m3{%%CWn9;G1m zBB~LvcksViw%<{%`tFD`$ut%Fy^5t-gJoFB(3vEq?`yF9Ad<$)KyC2930Ja=uIWQs{Dh!PD8x(w1N{aR5C z+j;|oX!}XVoN~y40{et4)w{V89;L8REf}t(*{fkSsL@Ymen?PbpMTu%?74dlJ6F3d z9@np!J@%?KfrGE2altf^lTRo=7+k2sz%z_hr^Tcg&vC=iwERBBv>^f zykgl-88+|aD>SHN>6hka5O-2t_dLpw+DCLw)KVHd@Z;Yje5b4>e-;>h`IV=qb+Tj^ z^1?gE6Cx*niqgoS(kO=Hu#()OAc6`L>4$cOSSrkNY5ES*5Sxw+K@ zyXae)J62bU{A}lry#B;um;PX!$5^B~0-c&ji}~)%b1JW<`PO63p0Nq4Qhu2r`16@N zK5``MtlTn>lI#JcFV7ouuLzDwuAClrfP}4)6a_k*opzLORUg^rmeEAAklLZa^2aA? zaTEdt==D+6VrqNiVthIIqr9nd7@-592;6^l??^sTaMIapHkShV*K6SaL45!akOH*j zz}uA}0ivLw|JCrJ1o^)iKDKWEe>Z$YOV9*y*)rv@jYA;)g+4R#uoREKjWGXw>PWVt$XP_!C*v}AU^hX3Ef0zgjL8x9;KbDoQnO`$!4s~Y}l zb*1RMquK+%XJb}#EuGI&-urreYq2+j$wDjpE{KpGz6!0xruEp3c8edpf}y|i84yW2q*aFJ6MP}uiShgBaO!^ zBEE$}*Vrr?O$Wp|pe2@`nyUMT07A(8T}6QKT@g@uJ5#B3GHqUgAmRA>AKegB8f?~J zn+oOEl@W45*?g^(%evfE;}*j}Me_Wa+h z5O4pmLeQjtI{W&J`$Ljtjizl;G^{7d9KMEIY?hsNQJ)i4h#;~Ci>!%L&DdeoqRL%x)Z&Mth_p^iuSx1cG~x zZ-i9<1_T^F=PaqI&u2ADgI|P%{={dy-7w#W@YAcvhXH*cd|U85fAOm$$8z6xY;9(V z*}jSFG-E4IJA87>U?|Wy0>^1kI9t74cE=4Sg$`U0i-~bN-?z>frQ)IQ37tRe{UIX! zX(nk;f>z%;0ar=$%P`=v18CiS&6JyHu?MjPZm_VsFj8o-lUJj?Q-eiO?xELkz023# zE&(FOZ|N$37Y0oM7$mFQrBTO#D&WnSf<_ClnkA~u+*Q0t%s2*%=>&yD*}ns$76$t& zY|VY?JT{DX%M=NjJ-}$nIIW{i^?Q||Q(fC5MYBZuCuUU!^BSSgW3*f|9ZyaG z0#HUte}m|AN&`5TZmGy%_<`2AyGon%P~6jr=Z1pN95Kd_9O{DayoGxM&H_+lAz{xg zwPw@U8en)-V`JiS`(h%7tHhzwA9(oq^QLG0m+i|%q95tFq#FLMfd3oM908L}U{ zrZHWsABK7d)8nNtu~c*n)Tf=x+ABXCIoRC?kw!?Ib<=21ka`e4y>g0g+~+GH_Cz$y zm<+%j=*TuNE$><+d>LCpIow_<<)aOXAhUiCD7utt$1^4T00eUvfgJ%e48{ReQPtAr=jr&$Fe`fRoj`z&BOBNNGu30UkE3^HnOcNomFG#14Ig$Tn&#wa5!T4E zy-OFxHfcT(UT#jgT~O&J=(C*=h{p?{r6Olh^A1}ToABfFPl<0u5x!A)U58BY^`ehtC(cSf<(-i)lu%t zlsuBG?~$kSAYWX2dAYC#4-mx2qcr?t?CKjJ5gEFkTpiGvaqT));Bo3a-A{&vYl}yt z%BiI3^vu4iWlAemA#{t5eLH7Z`&wd7`JD>6&pVHTio8GaNO8Ug8+q4xZLsqat~Rwj z4}ysGM2C8t!*IJ~$_-sNL;HK4?}bMrkFUj6JY*W1Te&UJz`Ygj=iBD82g1D#r1gdP z^S~tv4saPx@syO1w)bG4w$E^Xs*d;Q@ROc_DzDMcRTsVPIjB`tg@lPNw;cwIdO)FH zeb_SP{Ts`asyhjHI)+xhb$CWc%Kja?ka|+!zUGr8pk|~|YhDWvD{;>~`!aQ;8E(=C z*vPpy%2~49Ut=p+e$R(H9On6j*fBTsB9%tAS61-lP-FqK-eA96$3+a#QT}FMq@E&q za;nO3k)*-%FV`{L?jNT4G1o&E3Qqi#T9Vo_eeX9@rNO(QnfIrSv-Ci)1=O5>t{PFR z?4C!}Q}tgkKO)e)Lksh$um_VE?&myqSKO%GLN;W7Zp3IP?`9sYe#yJBTaJ0-8VneU zX{YEfQFBCy+e6q|=@$-?eV+ zJJ*;tZRz;$^U44np*r&(XJ?O;eZoan&IkOhWs~j)T-PL!bUpP*^(pbH+}K~;{PI&cOl2R`}gfml5P@w=cbQMJ$`pP3*lV`WxwxS`(Fg z(zp~)k$qV;bLb}MHs7O>W!6K>?mCD~NLjwZ17_Dyi4VVc(H4o$sPg>!_R6K$pyC^N z&tgk*h*En#?``AkO3C5`+hOR9+|8k~V8qaZ?UIT9U7!*Cf64aV_xQ=~A3vLUQ+UNo zjkYH}Y4FOz6O6E9KPCM6e>TZ0HGQ-I8Xs9sN7b`_-K(-|NuomVsbr>#yRiHb&Pp89 zUtOp8TBLfYs@F*;Zf4faaSJd<#$IIsk0nM_t9)v2a# zQa`UKx7O$MS#1vxd+xTP`-dXcPiu9~d0q0W$yXzBG0XP2jeq#h(8BRV5lATUbBq%mBu{o zshmRfuW{-2NHhD*60LH_R>x(R(MRmtgYC7WPpTWfl?*NVgvA7q&yE)TKg_*VR2yu! zHCiYXsNgMaaVw=*4T`%{ptwtM3m!Z;#R*cRXtClFB)Ge~CAgE|5*+@#-`;18_x<+2 z_dXZr;@mJs#vnIY&w8G@=9+7+g|nK2aTIzzU}g-XTtd~9XR)nk@nSZv2TRS;JpcIJ z&3MV4IVW^-?tGI&3&CQq1TqzEJ$d3uMafk1-wz=F$CKSUMbo+zE!GOx_Q7c^@XmER zGSz{{!j{}dB=#gZ>HZ014NHmg$q(_1Qmw6Z)dQ$`83#nBe3M(zwlr7T`0Z3}!Q3D% z@&OwKH(BDX-WifZE4~nj%@qX*y;^PeF)t#!Lxa4M%jtJE*+{Npfn;-WU+{9UkoR_P zM{(K>NU@2M8mUvMnoU)mnG&Pv_E(7t>e#GwAU6S1KNKFl_D2{~Z8^U3qD|Q`*7qVj zMT_Jl!NX*IwaSrJ+8K?_p&{oIM$jntV)TT8r}^n-`5P{$DaR1VBQ7MeBi&;V1VT+0 zY(&SQuWTIouU}JD4Fb36MGOO5e>@|H=O*f--9cO}Q)WMoHQ#J-Ksi7=;d>d)#~V=8 zZl&bG`$ey=0hWRq-KNMNHN;L$9WOF92X!Ee&YaKe+CSQ`35b90HE;Y5&tmK#cNt24 z2&X--m1@|cJuh~^O@P+kNg9m^plm$%>v|fSi0t+xB$^vctl>Tx5?$POfLq@g`^Foh z|1G5&Ffdt=91~0kj?R%LL+gek{cu<^a%L&x-)J{<)IJ&?a{)o-mQE|EmyXyEiDQVa8ZvB$>Y{ zjgxndJas_7*ILgEg}?f8?OOSn#|b0@8tn%CXz%t8FOnW}<@=P=0|NgH2N1!UQjV49+GI+`3xjq%sF82ENe&Hy4_zdmI*B15m=zThzMAL3okWz&S6ev z&>4MCM*yPHJ(p%l@7sNa!%%ZL-1Mwh%l1C}Kho;Ir$JlygCF>0G}lwfG@!^x02x!X zD|_AtzNy@QYn;!pV|JBrSG>C^@BZ<+oW#SQ(z^G>_6o1awINzBW3dgIT;;ndj#mHCQ&=eqbFD-Rba}I z5ZRE2<26{Fs5^>J0WWXmNf-;swOAT8+ zbhiusB7}8Xyv1S;ytTe8l~@~GA~euObr(G_rn@`ips!6Oh&<;MQV{qoa7}d=vsytXIYvI=R{G~pvZF|GwS?L!J+m1CzrBI>I zkXtx8hb=P9i|l^~Ugc6Thu#;Jp)U3UoQ&Y?p=;W|1xv)RlrYHyYmX=1Zb4PyLgXp# z6UQKi@<{md8%yK;TfIb&-XKar;+*>Qr){qVV|mSRc&=XWR(~)?f+m&1|5L-0{ht~h z0KU~I->22DptZ3`bT7aL-y`J{q}7JxF@w7%J;fiPXhHO9vz@(DI_ZmkD{(OO18Ieh z#hzregh!Sj8JIQ%pV>XZbj}!*))M%>75dLM%^F&6ee4%fQ_QBL-r0DS=XJJ-wmuQpORdQ@QvYdd8M8;T0I($I z0+hlJp-;sdfykMfXXIa=F*MebmOXapS$yu;LB5!O+m?M-E^svlw)|4pCl5caH?=#U zTiL7IO4s1tGb-ZM=DXb@0W5j^d_XN;cWF!J={NqDyOyw9}0-Fei-bYbR1owN3U!0bo8Ko z?TNOToL;Bv)`b-yf4}g^If!Z8B|){l=?-xZBc}e86%M`~Qj* zMGPPNJwGGc7izMwZm_(i-=FtStdaP8j9YDpe6t~cX{1<2(9M!Ej11{0;`JvFl&_Ar*Jbi~YF+@P0IMpNo|Me5ip>c{qUF0SgtTwR^Tk zH0wv2TFnfIAr0~RDNo%pHa)1<1sz2QP@);GI@1pLl~2AJ*7!xqZp=W}UWw?4y$ooY zLboy(VbT~t(CqFxZ=5lTFF?BLVm;Gxx5!y4B(po=PL||jev}n1$K8cicpo&A6+L%ls{NXjyUB5O+m=@G08D8j3kji)&W;i`KE$ ze5e&nE$jJjx~|t~U6;qdbX_Z31YK8I0V5KEYgRnCTqkI}cvcdemd>B@;UZ2^=oF<8 z;a*Z^@JrIa>`9kJmv*zA6(IUM23bQ+z`^1{Q z%)<*(l>NxsX-A`w_J@EA7B#L%vq%Izll7y!(~xgcDV_!^3me35>V{+>< z4QGn;CzDuo*seaVaC5_9dpHc6Om|eltp^T6KPgerW-4qx_V5>qi-tItwh{tHE*rf)e}2+FRn4!c@J$z z6mc&`G;;cQw{`7}53o}&R?VZQ5@QY-meo*Dqpm{K&piHIfwKas8pe3A&Y`V+fL?gu zx!smRRmxsve#utRm;V>3_S7%_jQlsXL3#Cpw~tTIr_E@<-=c-C%w|RY)sN4bA1Ovh zEGC7))gm_iLtpM{@HbmXKw@Cp%G&p{#4;?!&}wg3=z?bUmYk9pG4Y4ZvW@5ft@P*3 zvqX-l+gLFnn`w=auf+nDGhj~9#>=rea_`iolQYPjeblg067Lk8tyoFRMQ z!{~6a@z0(q=8^gs6b4wQRQ`1}7^J+ocAKW)q!HfE?-O7F>qpjsK!b-gW4{7^t&sOR zN&oq@$h*P2-VJ`;Nw*vN9jgDA<~;KCG!t}WCHYrsDm6sIxwsD9mAj(juiNak{qbPE zf%^WUXAf;RDd&0Kp!jxme${WVJJ@j{Z1xTG5M>FR&?8z*U}HaC7^j<^iq8eEEfk_( z_GZt6DU^OweRrWtlfZd?%2C1;@XzyaHFFNxtNrmT@P4%-^zB%(cU(WUpL*gmHf^^! z&)(n#LYLqM_$M4Q04s82w*6ecQGot|2f%phb|W{j28jIf%e2PomjjTAXjYI~?(~K~`#q{_n`+AJ5)@esE#LN|>>8 z9ln~Ic1aAl7&!a4=1UR}rV186m58V9GinhQo@bl>6m*+1qP+}E1x&eZj0iyYT0pPH zIF66wfK)q}+IEF&g}!Fs>Nq8$XXam?@_mibOkMi>Q?){z#o!F|MBbeCEI0ip-nFE? zXXplk6QWjMeGhfa)r%hnn0P!--&fn+OPEbwN#cj#NWB zFO9at@pqg^W?EkEg2qD0!BbJ*x}#^1&FRFeP5No?eDLdU7F%Evy54^Ew`FGoSn-x)lu$$ zp4;F}v~TM^n(T7IiSw2C2nDN@_K;|0c^PWA(O}fo4=oIF;Q!%rdlk7?F>X+CckFV< z!EPbMbC9<;pK+Iy)`aRgo1F^}&w*B#=r(1sv5ha9l5>s^YlKV%N?>7OVq*CD3JcTF5EA0z{@*{ghW&WpGkR&R9)Fux z(%cf!gORMrBT1+uP9}p3Np`NG+%)&e14pyf z72tMngmuXsMQQlWJH)qj11C-}V7h?1rq^QrQ6ZDnhl-vcNU3+V7GmA)7$L>^I7E0& zH$9agYI8eh?oTiHAkG-!Dmz7etk`hMK~9mNh&mdrmEGwV0(|2Jw>wN}_2cwRj)b`I za=^|2-+In-9nO>zc~i@9-Ne2T9CL{L&d*10BCB&*0-eKd&zGLH>zatwMuvK*ndZ`t zrsd`^_=zW4EmVAp*fIa5&qWe*0HaaX8!1h*iPRTBZyMuDh9MC+TX1$IynmtC9J^+}lnYArtlfKRu|_Ku~xc)E_=Xuk1A zl;s_>pLg!_#18-fnl?zk4*!9TlpJN`Ll#%=olcB6Gc-a0FirIrb-4o?&B@=sFTjy5 z2F=!Zix2%>$9xIZ|1-!CyMG%p10bl z%&Mm`71}Xk>H*S{2p(-+I*mGurlf9NCsJOT>i{pALXvx)wDa~@1mgtpS~;cOxnnR= z#Q6-Hrr`iJ`|-DA*H!L#z;`^sz!Hq9?MJ^Uhu0`_a~Ltoa5T&Pd~s;*o+&FUTRCkG zLi`?PROr|>yo%X*QLnej_0~n_`FIzdNt&D#{N1MoZBuitvQ%feAW1t!o=!0=x#9Z;|XE}L!2Q2PH_7^z~SmMR>cpOAAJFPpF%F!q9%5z_Jl~P#R zkUdYF{aG+!GiZReDoy&pg?ILIkd=k4tYYruN%4aMt8l_+cHi;L+I$>klj%=*x_>ut zzA*S832(SqmD@e+06(yNKLmqXTU!z!K&VhDWj9U{RXOZ_=XJToeRg}2 znSN85v9_B{iK-mz9(#_}nE5u~<_TevfG4!+Y#Qz|G4uttm7|w;SC8I!b9~%Ych4JzhBOV5@HXq`2YM)3lw9v=)=s+XP6V^XU6=e$*W(%B#^h1a&eYC+h!8{WF{%&jM} zQ{!PZZUlH9zW#e;{+l;f{S6i-hMj4>_V<#1gk4=1tG7$~>sJPh18NFv?p`9ggAg1Z zi5%_x$ilT}kc=Gs$T*(WnK>7mSOl@e&m1Yw$qf<8xx{BzGhRz?W`tw(uFR>oRC35I z*`Okz$3Pw_UFNwsAH?XR9_C|u{@G2hgo?h{lc1o@tbtIk^32PMybnu0ChGJ;J6>8{ zHJNd1?V2;~J7Sd3K2*BcptpQGwD|3j}-ft&;5(*aev0g&lPJ`?oGq( zYJwjCX-pC&@APwb+=5{-aWVT|Du9UjZR(6m*r2OhxY>RtCO_8fI| ziqNe-u^c{)k5`n^uFN6HiLuFMGSWCmT(=1C#3ZBV@6&yMRxw6=L_Yd~%dfOEi%BQ?9T=aV9r&&Ln_vOf^2` zFv#c4Oy7jC`|M`>498Q?O;W^<$5X~9z0T-W@~Wh-taW3H&Q%BuS4l}8H`ZItc(8TZ z$*D(*C|??Rwfpc*!*O1$;Ccol0YY{b1=Kq4bG~~+_aubu>)P>%@|_Y82>YI~i$`Ff zfsA3_QnoNKK31f>WWwhKJ5PH06LJO;js6wY!IUo}i*6@u4W|_YHZR6U5q7FZm{5jZ zdxk~ERl{EqdI@;SdbY@EX)!qLSawSXIY^2eD+xc_hGFlRJB>+V@sr)Mzalyur<`MZ zC0-*gULYs_iguaSlvUa-ev0TYmSv#iu{duN`j5hA7I{L(ebWtuaZ=s@$for^9S0Y(fdV5m!lcUQi- z?Mo|ObS{_els`@Q2hP5M6FoTJdTaO|4@YHGxi>Cr8&2ddM+4xdRg%7Coh#!y>s3-t zsjuqdy4E`HDL5bjuZ!JQbSN87YNX}jt7hN4iyUCuiaQr?|IMw$OK^Fk}N#2BBmUo#xDhkh*c*AffFj#j4*IW>RKjKNQ5DOw!$Uk%*@eo_USoRj!9B zDH>W+Z5@s#d39d}%aVSDt$O(l#GY6LpS(RT;dDq9tKKMbj*S^p_#^E@t# zU7L*aDUopE*}tCQk2)Dm{`lc2*#@R@u z9;bJkn3~cFQ$k-o^AFq#as4Wk;`@;HjF>o%^_h2U`3bRbuQ68R`0+;;mNM}$7()uD zYiZ=YIdN1UmwPvB3Xh#1{o;^*`KZ}&1~}MElUikzE|v<jn}6V=|4Uu;g8o}rhS#4B4XwMZcP6`sp(ZiB8Nf#c z0lM1IR#gr@F&W4x;{|Fa5+o#-eVnFNP4y}9b8_oVD3A3iWp=sU4pT%ghMNmF?_y7Q zqMFhAn@dqYoQ&`tc7k)hL5h7U4o5KpGn8f^>Ly=aFYHQd=F+-^BD>rq<4SGorNo_D zqI_xSou*aPjY?uWr)*9~EM3dHsRJZL;hu-P9tV@^n`V&d{=7Sv&Gxs3<;MH(QWDVj zLTxnQ8_qbNTQ%i98BtVRhgz_6~4ruO#@ygp5*EFFVYWn4Gio;24* z0J_PVSS`sQ^k)KKiGHIKB>69%{5NIre}L$V8X8}zSgwbi4RsP~)1_+u)gub;6GPUP zFoi#*GeOeSzL{1&DJqs%_XlDTaTvlQd^?32|g7 z=ms(owbBd`F`rcBNx#>u5flhPbJDpbb9@gCsU?8Jv{>-1((}-!nEL;FD^u%Q0@C`?uiwV!7blO}Su33DcbF+LG$-D7i8b zMoNyNkZ;{2(e_FeCD_V}Aj}}Z^wfxQa8i`blh0Q)horELOz4eD#%-z?QMpagNQ*Q@ zq9Q^i7_d{Wm=an46-RE&y-x_N<+X0u^*EeuWs#H0hY<{N6+Ky6iB|R=5dNu#JzY(+b#F%6y<|XP_b0PpBU5tG0<= z9RDcX{*bwhbnL9W$L6ZalFMh&i=|AMS8JV1TD*$CCRAirPC*g7jlHk=6;J;ig%Htt zgCk4eE%p;Ro8#g+D4|KCGU3@vErQSd;^Pw~Bm%jwpZ`%^1f2`)mNx7=C>`?BIT}13 zE?{INJk%!MTW0wmh!SDp&g0DYaaNX3q!2Xw7CmICr}9!|=pq zUupM;_3n+}D~fC?iLJeB^A;~9gL;PLGf}L@HdWjT1Z_Eu(2~CU<#WEZ$%*n$wTyJc zjLYBi)O-ik)q+mTLwvWmNL*y!;JWAux5|lj*4Z-WPV>@F)dTkeLtNe6e#cv=g&1j6 z*vFXCVgvfJjO4I0*#+39v}pkVTYYltfVb{Eb?ymas!&FnCAPr*DrObo_7vMo?8|-p z-hM07l8VX_HQUl^t4PC$f*sVvfw9eGnXyfGqZdmT7u#FrO6JNgk)^jzpt3-EL1u zwl)T-aXlArT-+lT@hH~ei0A|h(=2y^^^#uwvy>=*iE%glEWMLx`&VFgzDJ-zs&sl> zG`Hwov}{z|P%9cxYHop#Si2kz`#ua2WjxkXm>m&2nUnD(MJXAydoQ&JNud!RSG6Fj zujT42_ZydK`0eqCyWo9<6Laz!*h%nuL(W^%>Z{Ax#`GJ5-I*(%7m3?}tI4_oGEZXJ z*uR2we_s`pl1#SGP4_vax9d7Qj4A4HNT7(*0}vyKErw@a7Al~bm};sWNCt4uTqctP zF)p;H5{yEVHS9fgFD?@~5dF=&mI75hABHm7VBcjZ5l-{xBZ8s36$`JW$mRn(KELc& zd*ZkA$!yj%QQxZL5rGm)%hg{Algfo?qQjBge{qvb0n6|?`y_swnIPz7NS~wp&MM}(*3)wGL@bLdL{WJ9aDpdqH@X^nF{B55F9Vi=+(`^WNb(C z!lu)^JQ|P9=~3&iYhfqD6-z$1UGhA8jZbXOz3+i%ib7r^rOk(48VA$ac>>okxEv!k zSGV2hGh9{{%q6d*pxcYv^XXh24fsK{*xE-8eSLg=m)vmGTB;;`ke{s*RJi}>r_Yu^y32)7sSrHSDTQR#ef zJ-11VPh6)mK9=Mr8`HMe#uLZZCMLr~axyiWVHoHD{)GcSir_ zwvzomSyAV-4|-uxQ5I`lI05afX>+(-=cycaxXdFckxS}j2Qu$&T_woWMw>oo|LIcu zGJ(HVlZqIH_cYDdnG;+;xx#;+16-vb)8uuZGiBzh5CN40wDxD*STEREM=%DVPi$i8 zG~@m5Ow#G>ABzRn9Rm+USTah+C7_fTjTW)gdb)*^`d`l8|}e2e@A_;R0}Wm+=4{rsW!u_z1vm@e@4acj>I^~9f5o)wU)`hwBXRLj|v<8>TQoROE+7OSpH}X*T$}Jk~ zJ$@GKws$Nn6WU@-*jUXBgaz7dwvsN^DLS>Ig4Z5_k*{xqEO(MJ~$_^Jaz#HnLC;tYJ!b>#z6E8Lv|@ms8wIu+x9_C9nU_mImx%P7Uh0WFplp z*P0ALYyumJwV5uraysyZbLv{GioNf}z~v_#Egxa$V-0q2V4~j3xvDY!${E4SaS7ei z`qyd#$iVEqL~5ye9`l<6I=-i!LjArCb~WD>g*Fh4Hf5kj8*jQF?OTN*53)ZT8+HyQ zFhH8FuaKzA9%`*J!J;|lt<;IP7MGg?GZ{X%2hB(IF@ZJH^~gDgywvfx-|%H(mcY@2wxdX^yOfwQF;$yd1jETovg1*WsTy7;4X{Y+tkaJ+v< zeV^$u-E1t^gqsKYq|5Q=R(NziiR$I;{K8gCXvyzae~8DS>&N>&%oq=%)-4~1)8nDj&v8Ot_y?kxl;-+4;=A&lV z(rNGz+3aHgJ~0jU(8f6fkt5FCHMDV57x?Gm*|!EBZ9y{HPhvSxU9gpxXSqF4@moRs zyV}#&x>ich(!Yh%k#%(SCn)$979$PeLKtkRCpUHDdF*XU47^vrziE*DTw};p>(~{eSpLPpAKI1f4I~_S2$3Lqz3xma|cfRN;U>W0w

        Oo zX`6*`8g zokH9Lzo3T?>2N781LqY5k#b;-ssqx!uM+{ z&lc?Iqy4WWugkdaZLW{wz`7~x!waa(vJ&WKGL*01R7OIF48v|U@W|!vKFtu_Q>gI9 zp|By-1L`@mWfBt}5?$jlNOSR5k@gKLV;Hc=1n|uG=pwVse z>oG%)zoXmM7BW98%tb7kZxI23*u=12BBL}fx_d*Ro=b`FRK~|=ojgVvrv+kq$I+9D zdU(j)L@K#62Yh5zZY=O>h62iXe1NnrspxViMyQy`<$5{bO8^r1E#d^%38rwXe>@LC zSCLyCTwA^Pg>u`K9JXVjoqz`KWhoNspR_jL>8p$I_$gx8u3#!+wkewpfvsKcf&8)J56QVU@eN5#H-c2WP3z zskCncij8mwlRiugUoX|6#^pGsj3^y5lX%j+1Ok`$X?ex-*X3CeUCB*AA ztQ#RGD#J@4+I9ny>-F!%J!SJ*Yi`_6ATjR=Ts2b~DFz;X21EDi>8^`AK>n6rdH|4KA?}E*Oww(w`F`}5RTu5 zE))4%I_kzV{|ns4Tf~41lJizigR3{D%;z{B4sOOr2JhBY4y6h%05jZI7+tov5;;*8BVr-3Z^DYV_+zjw*v zMu6iTtL{G0VXc|uMmFm~B8GS?{C-pn5DvIon1i=jg(Xuarr(`ryDnAFRhrd*rM$)GegJ-s91dyQ60%#Jvy`z69oU9Q zwSdT5YTu-{g`D3APK=Mde(mx4>%$wS(yrIFFAA=J*_m+x`f0dWnEGj>f&bpQmZbAt zf+zXA5aa*(&1euN)CpmblFq?K9T}$N@IHo5#!$&UzGh~Xm^MyXd#xe_M`Q!8axYxw zI0Ou&JSdD?rrW$jZ=%02!YPc?mcDs4RIuq#tnnM%e3;@HuAg41seS|do|fgl>gb?9 zFKRsSPP_4ixMxKX$srs|fr);J9}lGhUVh9S54rjlis-yD*9pF{2H3=r=6S28vEPPs z_I*H1NbX8VCL+z5DKGQbg8(IbPxI21kz9&T7hnJSYP8W*QsfH%<+r2B2BDI$9iD2VY-i$ zyUlVKbjJL>VPuv96{2!|-)j88(b(8{F1e~ll?BhGx1v&sgvt(-(-8`7 z4yIW%n&u`1lKS*Xe@{t>5{^h}DX)48`5GtOOl~R^c{%YSo@sVgMg{OO#4|U;2W22Gqc29Jjgw2uRL*>TVss(2r(xD!vj;Se-~N_EOU<4Pjj3+iQ-X7?wob zdR77;IC}9zFJ8n>6GQS{D0#X1Kb6f4zM25+qqkspnVPAq2W&a*U$op+p>es6J{)>B z?0NUg54D_D!;>}yg>~D1b1l6xNRw1q_1IFxuG);lKfjPD(<%bK0a zz`jg6&)D)5(~Kh6r?WNe z?vjn!j$p;sk!NYfVqRTh)0QC%v%s$50RKv8y$!V|LII6m=Ix zvcUd(*B2MJ6a2v2oDRc|4qvjBz9j@FNJ#uLhZ7a9vwAHY-*ah{4z0A*VsctJ)4< zHS>S!`9yiy+s@O`JCGl~L8FsyA)>P*akngrY(d57b_Xc%V|~(OV!F+5YdlcYB~-lP z1j8i5#sWZ*XmELYYbj9A&6+!+OxN(5o*+zcJ#LG3HLZo~YVx&ZiibD#-uRyzr_$5D zLOi0w2knJ#!e6jexGs5);0vr05+aGM7?IIZ2m>xxxS$eFc3Td(IZCMw=92c-~il9Q8vq(wlWPx!%(){Bf@ z0w62Dn8` zYGP;aqqB1w=yNR@34b|79c(&%V>~zhk+y)~xgX@V7HPb|s)&e)Hx2W;_esA(CTq(3 zAEcZauJfg7hcjclve8-z-_+|ht|hr`MIEKrDP-ESdMdj)-D}%Bn>zMPS~U7?8f*6ap3gQB6#jy|j+R&! zl&R0M+cqOaNwxQw)9A6+ize6I z9|IgNC!S@^KLn2E2TF&*9oKudpJF6`IZiYYz;Z%;=ySJdQUrm8NO}jenI;s(iM_7f z(MrbstI@J=!$G-Sun*A!NuwaSU32d3`EN1Zou{0uYX=T%HiO$^H1Io16(&WDOGpWD zZ>)oB(Z)%~DGg{g~Sadd;l#hc|1jJH^hHZy%aMUwe1F21a!;QNy1ucZMX*2{;p_dpg20w8Ild7r zqviI8HQ!hh<5Gc>IUINZ5|-SfKS50p2-P~V4sw*=c;&2hgU0c&4EnW^#o?d(uEl{` zmV+Lj9fpgwx@%B9cb7O>)6ZAsZ*)^TV6z6EbB7~>p9G^1rp!6{Hd38F=MFoz-MEKv zxj*YIB8OoFQ=%mfxV+BGDp9^YNXOm#H03Q_pVpqj0#w`6-4e3G^A{?kjsQ|0pVLP% z$umxvD33e;%YA))9G}Dx3E4ram%R4Bj}Dem4ZBw4h8#Wp*LKa8K2euV-N4ruhaFME z1J}V{-pGV$NyjPhY_7+lP2qsvhl?wBcN;xQ?1d}`&;MX)8}C)G*u_c4ZPf}1x!;3a zIfhdOhi>I}Cv#c${ivYGbWbf0w)>&grJ)QTiXGI{><1ss56T^`+mmz9C3kZj^V_q% z70-Pa0%_K+}o^CxTKzTrA(eGJbS0+(T{Z9^!kWe#*@NLh; z{)Y(`K$=46{v~{TdXwa^-Wh3z-m9UMrb5+l@9i~1f$WAaUk(Oo=&R+~$~`N7iq-g7 zH*SgCL0K}?q95PB}`k`U($vZiomaVRb_=gT3E z`<=bw8=UJ?`sS<<(W*+v(Kmi$pkeEF{XE(cbLFf z3S%KSBs`&ccN_CKa0;!ngROX>u7Pug)NK=8u~hY0C)^nxqzT%IyE~W_su`!2ig&m5 zS4Mk%ExX%vSE%ibTg1uj08WqFcH;%oQSm1Fnzf&%h!FFVrkMZq@Ik{d;_i(2u#gzC zA?+(05`9psRO{e4{>df)IPJ1tpJnNz37`Hoo#(1Zc*v{Ct};NEtoz8h0^RGQTn}at z*IMh=t}371q~!$AX2qNOH;$rds)2s14P1A_#g!iqUlD%gw8vbC!E#ifqw{4G6>r22 zdIIR4zvS{h{yc#5%I+!^8#O;*r%ALKZ)_%kss4zV+Hu*a@2Vjz_tOxIc&>G)m#)(g z(B-f#SQ9O>VP*QENtz8?e$(gLLch>{BSCc;RY{r2N_-x5bf8OSdyXqwI%h-8$k^pF z9NOa_ab{g2=rRlZa=qI@F#l49{Q&>I`Nv}R`GRRchF7Cx#?q`yp5E>i-+>;T{I2o& z(i$$XxzvEEZMV%YK;*&hN$7{lYkt1fi#VGt`I)k@gD_R!rAO*1wSGxc?JVimV16QX^9gEo7@wX>zbK$$*9N@?@4rjrO3aM6DYA!_P>zF2Cb_QH%q^?dW!*`xtYn3oO`2V^NN#<0Au7|_t?769VB?aexd|vHI1BQ!Q-^^jK8IO=^kFzFuh4Tj%dcAGSRVX0qv5Kb8TBn2`*Tu=;j&I z&Fs|6abSe9iNYe&?7!c4tuIuJE4v=p4^{VZ9nKJVlfR4jc(v{uEbNx9g8Ye}#yf|X zm$r}V*X*B_dkHE$c(6*FU8|(Pd%`MJIHk#d-n_}>Iv0B`1Mn=(Ja=yN{9SOcv)N45 z=KWtVp@gWR!uR;+3CpxD@LnfqZpjeSveNnB6Lx2g-0tBN0jEC;z=_DQ{am8M{E;m% z0A2$gK4S6WsVXjh`syR`{D6^{yA_PoL`e7%p;_2yr5x(yn#SPw=71MugwqJmZPMVq zUHbJRjEDoTKk9%F+FVtw+(NqKV3{&vaA8E-;(BszX%eu3b0AgMp-Ys;`ZRqBcDt(`3;=`~m}gw^ zyxCWMg;-@DqmmF(Rta`-&u1r}Ji6{Qh*k6v_*MdW5jBR-qj1W6zZ++#YJFI}9qw^F z;((?a0J8ZcMFSsDDvEcP0nWuf&O9+u(~>k+oL>Kr7l467cuTEYD9WyS~F;xGvmbBq9nDWepq6yVuWjk!@y=h zFiCRkS%+X)w`CmYSWzz$l9QjqzGp3;nk^{ViuC7zjbuKpcue~qhd_?KrJ_Y3RN4Y4 z(dxudi-7wpZ4iQodwb;C_Xj1l=bp{zJqc`3P=CMi1+N|!YepO6~4w3e3G$n*6W(6yt zoA!xJsrFfV_H7b0OQr#V8a~>pKKgpV=8a48Ue`-a3Wc8fPsfz6+-vue?72i6*O+>L zbS5!~;D4!nZw1G(Yk76n9_&d@U;h%%xP|szDzyxIg7101lh|&0ie1R?f=f>tK#WlJ zjsL|l8U|_N;qw2y#pfBkbM2Z^5)g`H<&(jMtqQ^Gx6PNl&w`$>eWwc|AjNt5dXr8A za^FxEOy56iacyZ5h}9dM$aes#nON{>pq#I#u1C7eY{L4F9>j?fe-BoOQEku5@X17y zU-XKhCVg>q)2Km&U4WC4`?ahI5P^`_Z)q*NfMhgY1T`R3XXYYM~9CBf-b_+sJj-d$$&^!oI>z&$y1$Y#J;S>Q!bkHp<-W84TY z{ECJ*d7XOsn!7iMA4jqe{yNF|!DZ}iM3xlsQ&3D`p0qV&3)=TWXF1t6D8$K~oo)%P z`J_+lF2HRcnbj^TC2sQhv!oo~-u%h@M@@~%3b*MFYjGRyFBq0JuJb?*@l4$jiHMuq zL<2(59?3=Mjfmx248@C!TwFKnl7@6jSJ@7_f<5h;y7toa&SB(ZeDq_xFx5Ct9>Mj3 zJl#Nf$(4ERv7KowCD2%w(X~S-F8SpGZcQMF0Q1PMVXr#XV*pK?x|~RVTkyQUjf}aI z&bfO?^it^hP^{(;z!laf5%4n;{X=)_Q*ljlx+?dav%s{KV0|UqXFe%E@bN_`ls^7=9a}txGf>)smv&jb8=!OMN&YSdBw9i!g}* zaM~Hlx~$#;i8yaLM=vKKdzqQGH1T3EQwIJBhFJSp{jvm`%f)0;*e% zV})-`^vmFukyM&nEPY+mXOr?F$w|-0eXd^Vl}ybivR;^rN=#`c90ZhBpUl6yc4+mA zi!R*@Tr4w&ct&cmWR&TKCyreRY%SA++Xq4nRU+ zto!VF$2}4hv*bg``Iy706j{Nav)VNU3tXzpKPUMp@cz2(k6US60=}6cTRSzq)cs9m z8GmUxaOe@Pi`L! z@cP)Vld(CbYgUxh!?qorG_3?L6({4$6{v_M&U(SW!moR^#=Q_%chzsKtkL@L9QGit z0=fG;ui@|1Ku+qZeETSFl~g9U>fv6cf?g>Y7}l-k_)NQ{d#=Y}r(DQ3Gsg6JI;&qa zTS7g}9p1J$PieR?jaFW{!E&Vm*X&3@y8~>6HiMx&v?R2UoJ4wZ278hpJt$zDyj2zs zI+oL$HdVaSLeG9E1%sMJ|buxzI0QG7LoR8>GR z=D&Dj1^x|j^btEpFfG#_QwH6Xi$}wVh3Sl6!*)+UBOe~mKLX9v+{k3Jv2c#Ts{6Xe z9!aHFOTFua(#%$4#;_A%5!rJ6X-(mAN{|5}9TJ=Eq)r?qbE$i}zej z20i}p(qq0o1}HT>3>b0>`B_SI0)g8$z!zMXtbftm0>w#NOo{$9T|8rc@mMygbf(x^ zM|`V;=N*jFt_ExQbsaP0jVi@G`#6NP6qzP>+?o!z*`!KUatM&;s&1eLy}NoJRiMSe zgZwPDy5h!)ap0>51^-DCI89nRbU9>HbvoX`IhdOw%QzSg@?lwgb(fawmm@RhlelN2 z4?KNy)p&lCmrZo+eSsp+X%t|t|AQ{?=ka-0Exv%M1>MUylmkA>>H{jshOKF{-YLJN zjoPsX?bLKkt3U834~p5^r#N(TewOWhF+41=Q=5OaJhLPs+nrw8RE*V_I$eiao(Q1S zihSgAv#-N2%14tW1@qqsm@j`$xsJ)pup z*hXAkV01Pm{=jz_>HrJiU%w@e9AVP`AWK1gDl2W@xN$CliPfZAmjlDyhq zCUif)*xKRJZ#tuAKrg^SAK7%?O`edJW}K+!(=>4;w5mm*@|M8+SjPNEPUoJ>;@p=| z+<=4Go`WXjRRR-6SpiA}VDdIS6@}vyLG!)hle8JJU`Wf_6_Nr13@@pH+!FA86?6DM zWW9A<(|@}^E}?`15{lBLhzN*E$D{;AKt#GkK)PepHbSLaLQ)A4>25}+bPO0Uy2nPx z>bK8*pL2hI=bXRZfAC-rct7^KuIu%ziyr;r^3P2XH;f}eiLO?t?lP{)OzJESU|J(B z{!tx*?O46E&F<*Jb1ooe1YMgNdl#BmT%lKgFs}US6(EV|{DqW*$vF8{@UrEu+bhTT zg?*RNlWym2DO)|-QR+OAG?x5^nr z?mYWrN=geh$o1NpAKo0z*$UiTukrEO4)s`GQJwu{;=HlTv+OQ!fwtMCidu_tEtfRIo_&8cQt5BN(?SFQ_E^0bzO9eK%54c$rEOTu8_1B#?u0dvj z2PP{U)dZeqb!P_F@j%9w=s>iN>h!Nj<`8I|K{o4M_BG%kueKrfiHLLs+vDJ%dbXEz z!vDkMRgz1r%pIJ+`&O1y>A^e83L)2rsM)ZpEe-Fe%mIDsI4hnKc(h9%qh@LO_+C7Y2RFiB?<*c@j0AR|J)7c?*rdX^h$2)~-{(VLP zZEVl{N6s&}?~?wjH~o<%%nsL$1n9Y_$`B-&`En?>g^84-j@IWU@3QD0Q=ZOo_etCQ zAUBG4qqJP}--g*7zYj#Dz@_2r&ghB(mG-XC+*|o?-Eh1xsNkQkMfFv^}Sy{^} zHszr;ctk;g%}ld_2s21n>cM>_t|D#+b7?i{IWAGXT(kG@zCQA`A(H=7pM)P(xPsZ7 zyUhJ4fR-W29r}77sa>f5c7+y^0|S(WW5R)t9h*OZ6!_T0_x)tAY19%W8dJX}ezZMX z7|2s-6MS6iL5FLqQCOE*0P9imr%`elzT#az6!t=2t+(80jL_Ig)!{{!ti{ESfbffP zC02zaQ#I=~PC#IfM$C6{or_NMd1@ zNOHZ_A9!BgcIQD}5$da;a3$T6f0q~#ZfmgzSu166U?5#$ivJV4U#~i~Sy8`4p;Ks5 zGdvg-n$wZdIcbWBZARMfl|h4xMFdGu@p*C8)xxH4-sg{#0T;Q`KhAJMPt);dXT>5i z(7r7HuUWoVMrCDmzp9V~sHdrCb!lCt3@6xBsWv6B`FvhO*vFc?t?2J>=gMcSI+ve< zqlez}1d^rkJY(afHFr}X%nFp@ma~97a!A0Y>e7+A1D}#NYOcC>fdq&^^3ayi@odod zaaveK(<8GLUpo!nky!d%Gez%_O{wo#)*7qvU{CvKE0aQzGjH~i2O>`u?JCO1_$y$g zYtm4WaqD@=ecj4u{+#OXnTX)3EH3(yzRPV+zUPa6Ycyr*?>O@+)OUIJx|=x?@AzfS z*EriUoBI`*s%Xf+C;pSg?3Ye{4Cr(R&MB3z6Zj7=Uj0&zP2S4BzdnI3YuhyTS-o$o z9JUq_R5)--kCw+RlLZh;CCt9{9t*d=(aqhsg=KF&PsuRDN{h;|mC z@|}03yv?@cZ1#T);%B%N=aGTJE2@zr|7b#PrlYZ4j(87O3I7HI-24O@~Vh?>ms+Wj0)vd>VA*P z*NLS*Kvutp?yegYjU*~sm@*^nKzP|*_vnKCKU1=`KN+U2zF%BAE_q;SKqV%F`Ut?ouE%=Ubp>QP8I$f2f&$>*#Ntxc4BFMhTyNO!reK zj(r!^G$pdd+3VBwk$dDMbdY%U=GTfq>2MFYb90RM@5jo@E!N7gLFMk|Tfp_)>`+Re zJ(r^%H>cwrO5fxQ`nKDI${ewP*x~QbnFWjlg~Ey)6nMB-9#V9->W2sReOX@%9><1| zYN#qpzdBbR9<0EAc@X~Dz@^7m)xbG&>#!GLw-!Y_{c@>!zKpoCQ`c(V5 zVo#Jj`?}%tK@FvxT8vBUfZvDRxl{nwiOLm4{L6VM-I;QN&ga5Va6M+>hYgPuGhJWW zKbi&3sHCoTtW}=vgoQ@~xp~$U>`+SSi#J0l=E&+1t6pmJ{%5s7BD|nUPl8%I zUn1GrCACeme~h?Vh5yDC5EUaqz{^t!I0xpyplf)VIm@7EH>jog;(e_=M-c)R>pLXO*w9Fs?oB0!j=QF04AI=$4`or zt0R>W)-@w1DS>JGh0&+#4zLA(I0K!idb{Oo)0`Uq(4>c2FJA5CO}%O_b{-+0^}i)9 zPP~=#M^*TG2dJSU?ODyEC!yIW!9&?uRz@zvWrJgr%ive0%)pZs;b@G7b2M zD)rY_eEpJ(j1aH!5q_HPu{Zt8yg~CX7M~jo(hf2Jzn&<*(0%od{S?F}2Ymhdk6A## z=b$Y{U6IC37RRiNEu+ZyTRc1hd1UXfI2KeZXQlCZA*YeHu?(^;3|R-{D`>ddeVp3& zuX&G!7)18(dCwEa$CdPZ?yV(xeABz;s+r4^#C?}BhwP|W zb8ml5eIybod|HV?)l;qY&L7~e8kr-~Xt+{>3Q?B$+EFpG`8c((L8jU*Q#QX(Ta4&f$pc>#$XZMm2>g_+mtDdX zr4|53wP?KXcD91;GNLcofr!w%w$kC!jxP%;VZTToW(`(r%ep{uM;h<5Mwu>oJ~(%V zpX7nV1H(2Yd3$pL1`2A6=8H!Gw!B~I;$jceEyf6g{y7~g$r+6dl)l5a+@AhF-b(LQ zFa-y@9U}T(W4Dp_-u#?P%kHYNg{h&UlvhdBf8WsWuH3E+$(Qc?^jmn2t}2w#BgwG5 zIA3^c_vQ4Qo{3L)8h%xXWi?24%R-qjsA4HA0SCE~31TXn^h!x-viog}`UvkJG$ z;sKRvKR{|AU{*vK%v8}ZRM%mjf<~yg|La|~0KSaMQYHRZX0bb@32$DpXUl3Fg;75F z(j;%kwq@#4_MWZj!*A*FFW=~V1_4`CA1=2VC_UOBGXf`?X7llOW!P$=pV`8(BT;RxCH@ERbo77wcdm$q!&GNXIoD>p@u3CA>YUoZ6{`}yQHmt!% zR-wiQcQ`~@d>jGi%rPa^znL$ex}2_$RUx!Byfl!nryNI*R$l0xnKMWr~u;AGYF z>L=H)HZCgbb8~Nbe&@JL)FTR(kPC1$CO=o07;=R7wl1oBkn$puKROA&n;20V{9>IS zv`y(@`pM^Rxbq$T&v}m@47cG{m;=tf7&y7;R0=7+Z}TwL(zqhRP#763 zTdsY~;p>pa9kFWIVG}s z(}j(}iPWAW0vAssg8BlSV8aq#S_dCMqIr|Cz}CxI)|#P;L08L)8ewTj^0jeUHLl zBaKDW?yb{F${aMoC#IsuRVe_cd^~z1zja~6mo|

        aS!EL27I+%ohD=0AhxTPeBAjsO=#Rs zJ+r7JBYJR(O=iCmOYV)WEIw#h7(uy1`dyol*A@5x?-7}@A4RCYlsd7~96OX36!67* z?FGC#O#NXeVd9I~%^>Rl0GUmHI`q4_D(TuzbNayFe%%$O%Z%W0$W4GAhd)&MSZZ9m5#XYTpdOz!ifgg1 zr9ba9(gE#)=Vt4PP{_l@Z`g2%wJ#=00S`8#cbd~@W_$eZvqPlvpZ!D~f8NKcwy(4@hLw9PcItm#sV`_7Hv{&AZ>pG_BuZx?HJJ7pv zv~D0{rhV+1u5SGL>HW#ytg*|QIn8{!)Rn;AmFENw*zU6aV!iz`ffK%oY|>n;$WOoo zpm6;n8F{q1l~{Dq1HW%Mv~9xIV%i21GPVgoj*MKT1Gw7<{9^3xCfitU%HykBt3$~Z zJ^P+B75V<8Qzb=CW+`~E9MR?Cov?H5Xqqi9PbbPC{gN>*OW3?7EJLub92BUze`dOP0#{6tLEp`tJoZ%9&>u)z#MC#ktKd zqPX@}cw0r7xqd7puQ9c92&_&7`Y2K&BX`cTWK4Y{qWA#sD$%c?#@LEgsy=?X-f<07 z>Hmh&zOg-WuYi|{UEU>h8oh^k@BbiBRo(cgw6l6bi2O$XGC~g7O^R0P!5%zt6B_`G zb!V7X?KB3RTMbQ5O$b?!v|jzFxcqsW))(t@6Fc{Kb!?e~{!3{9R*Rhl;u zeJAgTkxJ6<=+Wb2&lmPaYN%wKtSN~rH{=w`q2bMT8Chw0k9M!H0_i$fOo zMRyuj!_C6|X09MZu?PoUS(%+eH6@vSI;8K4qtV;VD*+M$$W8n}P?^K&`6oJI603bq zk#b0SQGVw-)F?kshW{F5x!t;L`VHd7bVyRIpjXQfw?rs>UbNdrI_^qD zNaK^FRVglXcx`cnr^h6Gj|rPe2B999fLcgC^WO8Ks_T}K4XK;k8#AeP28Ba@kxT(% zwsQ<%olzH_Uz?2n7NkG&zu`@u|Aca1kv^L1+>}kvj@|Y_?un3;{a*m37}E-Qu%k|d zdd>FHqIal+UP#8}RvMT8aNQV^wDX*iB>-)tZ6}+4rQnuP2k&TsEZoj@dt;Yr(a7az z*`B9ON*;2Q)TA#mNWWU!Tz)d)w^R{_JU}puSXoK!iS}?2IZk zxZgmM8XJ9ninA=*nP0VWvUIK0RxM5L;6hIXRQD6qkhdlpfNM}AM^XX<@b<{1oo~3{UWFd}*01D#^6M>uf0N>G9nwIl&{@aVRL?iSPzrv)QQH8hx z5*<3EQ{A!ODmCgU4ejh26ZA$-iEo5u3|GhcPo@pN?U0DPe4!4z@=I%;8#lz~po-~S zXt2XqY4Wx6c6Bfavu`=*;rS)NT8Yy~N%tc8_g4Zr#O%|oRY-xlM!Z-}j$t~-h#ENw zb^F;hI%p(P%Z*nN3)#QcIFi>U#Gq?PZq?i;kal;2KE`$km9JyTxq9+Uo2{< zh8gT*obd)M*2dw%O@e$kSxAEF^>4-hlV$zE)?n9doj85o?$-;{*Pv!nWGchdci+)^ zEL{f=>#uVFia5YW2>r0^SP#APt zV$_$MHUUM`J4S)j)<64(qle|QL9i=!V+c|IE;_VejyI*9F|r)!wUE){2-FO!)w)os z1`TL-EhuhaI&Ua8bd8A|tT&w_1rC!_)DH?6J8}C&^y=aSW_c(N7yvb&TxEy7M{BC4 zRkV@qSHaoIJ7s%bBWd?*UkO0H6BzHq0E0Ff4BT9|*{c#;S>hhBTwfYu_;pWLALYXF zHBxt~yfJY`VA_2|Q?~r-y$vr_5~&03IN|##Y}6=VwUCiJyexm^L%eCj=C7G|N&+YH4s{lh{dA&HEh9mqbu!R|0O>_#`8N4MFD};n? z`aNxHvq`bwLNLNXXpWsmx@K4-CaJ@7SBPlaWg+6Qhq2R16UR}Ku~%`A#~fL1mqTgqtR*y#l8~S3M&mN*ZRc)f zPR00bgA{~U9d4Br5neYqZXO8k53E4g8ghysxaFDn&x`?;nc6Zu`J=qa=;zcZ?Sn*dknMz(nMjmxN%8^7FfLmncYaxgg)`vnTib< z%5{FPN!Uj1?~Btgb#iFfR9}X232OD?gk!AlZ0jfh+I3!Ot)Cd<78gF1Hx@X|mhy7F zZsK6dYuX46eG(QR*Ge$kOYJVmkPEkz=gVp8; zhM=_A53aUO77h26g^62+W|6RH`k5paWO8g`pHQpv!lL60Ft^eL}M6 z)~oF0kTdb!M)Pumci7~4J?-*JmSxxducVhXKfczus=L0ZR6Oz`cWxZa%O;3F>A1R} zufVRDigc0?SCI=h;{I6GY8{v=)uL1i;&g}DZs5bWBRa14x*J+Q#iL+iaN;XViD&qs zHX$^LP?J8~_vEoS72L|TN>KnK};{9t1C851ZrhQ#+j1-OvY0`^xzRY_0t>SqGIF`KB#Aey1~ zN0XgqZzIRTq7N^1m6G%L;N}46_?|#s+QTVTZ!F4sWbC)eyFOOnJY#C*-o8>h!e_Lr zhg?r#Jg!?>D-s!0deHs?QR)hWr*zsVq7>ogL%TTo^?-3%^L^yyhF|xFRVRjfz?=1e zYtx+>HwF?Yz^WDNwOw<5;cwgwB79jgc8e@DUB_&S(TASTEtR5RgV0j!);8fWw{I_J zx3vUhjSq;1yIx~}WCx)N1%}!mmLtl_03KCJ=tmcmK3A>r1UWSI8>(0Ay-)t+!*bdH zR_(wdp5ZkY{cN_;q4@8B1Sl>)>K8?@xBn_QLjzEK8HO%Qjs-{l9EJSl;fn_0$(x;U6Mwes}_4NfS;I z;OQAxnqRA!+uB$rdg#@*>4QNowXGl;w@k(tud!{Lv6=l<;~-MqYOSsE#d@LDxBZ50 zZm9mnQT`OS0u|5S{6mvi;&%tPOAhV?_N;*rR^aC^&}Wj#C;cKQ5+3uZ`)8lh`O4EF z@)bIX;QkKuPdz+zj=er!ZjCVPiw45PPGakBTP5`AyeUD*{x5G9z=J*-YP@ps+-r5ogXo`Ptaxs1LQ|7;?#W52p_=fRj= z#{*$E~etrU0nL z@U(HfR`nGqkDV5O_MD7R-`4|h&+#R{;kwEh=rb3TxYtJh=aj0Y%uVqj^lpVs)h`!i zGLUmdyM`*;1AxBAcZXp9Ca8bIAn=?T1l|14ADTp(tqzZ8o zoNni5`5Njqmfo5i43rc~H?xtJp|n$SzNA^pIUmc(#fi#*I(yPDL3`L`-_3Wmu}1U~ z6}VyD!a`xfH@?cQmLvxSatgGfCs0YnnbS5 zCj1VtTi(pv-|h%F_rx!{(7D&8QYoBB+m^B4>K{mGhG4HYAv%?q1d?Jc18xt%*7K(YJ17VTN16wotlyPV`jY9+|d!&nVEn8x*MvVFH;IX>OYMWxIaP)mkR}3SQjnoKPuC2r9Le_Yd1W9;j z^J&qw^i7Pn_|uzX>k7z90qn{T`dUzGtAx|R_RxW|T)>F_=tY~=51kc=#ptJQ0UfGi z#|}1Wj1H#%J>4n4>z z<&5?x7S~L_q+JfEc!XRkA&3gE^-Ag^nk@Y-0$$n}I01x)o`MZ%Yp*-rb4)&C*J`HX zL){Wxj&>||FRYnfLkOrvtyS1Ko1k7W0veg!Ub7wQ{Z#=Ad}EC+I}bG{s8ksTr!)So z2peb)#BFA0E3dH^y;?X?SwR4o?!Ve#R(0Y;s&>W~#ak`+{Y^4^4v7p#b8D;%K%Otz z>VwAP#1D)H%e)_C_v`~j$}^d1+2e3(Y29NxRYrdXqH%X{d30nj_~nX~WBRz=j;r*< zr?CBCw}3`5Mql<}a>FPltfm7Tq%Vv3t24g`%DAHo6GyyCx|0-267PJG(~`TZPStA( zp1;}#J!{R-Ch#KLpt+<8&@>VLXnkz*+B@&B!%ZIvv5hyZXKdkO#7+5uO_b@7#-*O< zLfL&>6E~ytjH8nuOxAC8N8jJpiDFd zX1lLGcE8j!7i6t&f5J!tp}>z$wTq=WD<~GS*28uMR!4OKoe3`Ly6_5)`aEa+pAlt; z-`BA4nbkZoR$Zi4EOaAMFe8KXYY&q0m6d)uXgMxdU=-9-8VYjWh-Ezf4BPH;Jfph2 zdwlG$Y85_diXE}7f4#JO{IV$NQ?&zDo0c0~&24R+k^S{a>&6(>yqbFXn$%kD{n>Zi z4FM^jwTQ_*68ee4k^OS){-7M9K4N+3O||$+I%8}iV_<&|3{*kt(~?Rlp~$rh*6OlI z6Rvf#%{{mD6w{3C2i3`wxd-cxF^}f_M}XuLQDT0_ZNn1oBa-2M^)Gxx(^K}_*Cx~M zH<%7*>V}6Z?jPw$MrWZj$*BSIneb!frQt$p45F>R#2Y`ClQazMei%2x9$X=jl}CdO;876D(gg_l5CRkSRr^(>$uiKB!h zjJxZuvB)N=f0tsOZBv08XO>=#DF7eB&bfyKOD^~2NB@{$`75H=L`!WV?TGan7FM^r z?rm-sRWCvsTtBYrY|LZSF%qd;{mwnA?v9^T>63d2g-ISx?ELqGrhq`&I>q^9vADue zb;WfDe=~0U%bK>tU#j96Lx48kI!a4Y*g7h^cb6_E-!G-r$YZa50-3zP^OWe=5tXT% z=sE-=)WR1=3Z)c%UqdhZ(fmYc%9?IslvC@yN{?K6%*Oa~8q1?Y#2c-dpyAXCMZ?Bw z>FF{ZdIfMfkJItyc+*Ry7vXR#x!z^h(~IjK$LPc(rcZjT8)Br}EBbb+V)NCCjBD-r zGKu?M1|FdhW?z_9fd-){dY^cPTI~AN$Yp{8++E?im$DS)dOJXwNkqI|<_E%+;Cup) zpyl_#YD_nwQ7nDjE31QN1QF7!cw5@|s3Cqz+$A96b~16f$Vw-hF`UnFLc z5k9wG@87xDPME+zb|tw*WhHn1dXQq8v{*>rasULGE+Eh27s||4pfm1ocomgnxFd3v zm{C-)y-rw}!zAqB4RSX+M}50;CJF*E0F*9QrT1?x!%|Z|R7zt6k@<8{rTW&Y zzXzkjW_N+-z>XVzy>1h`gf5)b>;21qZ6VIw;q*}*L>ZRKGmlw_e4|{jcMag()1piF zS!&7gk{RIq;ZSTAqyo?Yj8)GHp>ECV4wGf__8C|0f_T^@)fY)I5brB8iX}yNl~0ni7p!f#&n?V(qtH|J3QY7GB=k$B|$$c27d1)MMsNFoOlm3ZG+pAo@R zBeIktn#I2jQwBU8mIpAHD(?s%KMAru ztyUv{Z5c?Nys#pf@uK^^ES!SnMleft)&YSBHL5k)sz1J=<{Rrbm|3cUJ^xSage0LC z_R;KNSZ-FqHVwK)hw#m!Q%}Fwf};sLTSXfk1iRv`GREa}kqpR2N(OcnHTEE%Rjh*C z*4DF2^ut9d!}R?TExKZEO=Fe9D>21?%2oZla}*rm02XQ(=^RO>qA3?sh=Rl(Oc^JMLrd2A6&igXlA1W8`XS>V{Gy#zW_}3s&Do zUBzXibnaJTTnNNBI$A>_L!oM*LwI#ONpNVn_L*Z4denZ}iS4|uElZ0T{$vDQU?nSc zhv&OaVGZspN3rs~AfBFx)+;icE?$Ts4`sd+4CwVeAS(s!F+cVu30Mx{Kmg|w5yJV= z8sCf;YDH$Qrx)!#w~gi@B;tuJDS{V=iEAGhOH@C8v_%LVDpPb19ZyGIeDc3>JeimW z=?81J?9YXyp0wGq5zLB?{`maRegxIO9}KKU+(X^sRM*gt<=NB5Gx$a>KH}!}>v0mz z^1ju~g@xQI;)U;qKcDPK7Ci1enJorlLH6wIV$!JFYaC)PAoiDL%#}9nyRYPW_v(&a zO`=wuxlA_MPL2Z&x1CLB5wf4S?^d_v4mz(K8Ie=zoIF{1K@E z)*!vioujmSr-mJ_Bri}4?Uzz;F3OgpQL@k&3$Fbon)Zi|g5i`f5Ph^jiQn&8&w!@Q z+tsp1#kOISU1ez3C_RofDU=$rq!NznNZJ}5_J|nY6Hm!sgH_;fWX_#}`N&U?+zgAE zYA>6^vuS~Z$X4k|gxc@}ZPE*4?}c00e=&%S_^#F}osvLD=s8vIPXxz(hiSDNUHaeWy*E?%ils zw>7-4ku8L=bK`_Q^bqVHNo{*#U=Y5)N2*JlP_={I_Wx?4>sA=O@g~lbUgX-;C9?9P z&e@~5Uk;ytqcdmee?Q(|pYxwB5{16sV69L4=}VHr{BWkyCkL=!2nB3!#QmCS!PO#O zKCEYHPeC;DR?#nvDC^cY94V~|qIBiP_K`bSr>rz|(N6(qO-+*THICf;lKXR9RZ&Ek znW`5hyp;-G-AQJ8y5QYO$`XRs2#7q&LGNv_kzS$5bd7Y^{^~w zQgsb#UW&dOu3SwYy!pjDjU!o5?uo~K-+uFe~i~} zyWu9j4s$agiqs8zmZU4VGd+hWHBv3uq7dQkEn|-mB0}p!>i7rnCO&RWUdP1&aKF2-R$?RjZV5PY)lC*m;+TF%CDZaqmd}Tqapm zT`PcA#3#{~?2-(M^^{;sv*(%~RVLTMd$t^h$(y2L-Do_;v1u%;fd%!n`!^Kk+#w2s zdU8SaU!gF6*Dc`?-qa@JNGNz>Y8d>hdboz%YwQihvgq_aAZ7G)TmCqpd8y}HSXO=v z@ka#n^?H98ai`@lAgP|&!HLl#JsWE0 zBM#>j`PCC$BE4A=t-@2^@6A;TxdxjU$=s|Xgzou&MMC$-Gw|1S z(`}x^w8`+)Vv(@_i+Hrm&P%g?O`vni0D;dYGcLW;U1<+9&#>T9aiKoC(UG3mz!Qx< zd`b3GuuFu_#nS?Qzm~qPq4K)W!ae}F@Nlg1tfsP32KHfk3PF&X->QrnziTvf%f)pg zC*A3|9{fglYvy?z<MjB-2gHFZLix%4OXTTYnH&x zXVX*G7XxX)6D7sn-wz8C>yc(zx+}ZwdIrc^vWP4?BLJ;74c<5U^+0`9AyQ#(k zSq;Oyt)t=cu9918FGF~{TF!rN>FygdRs#|)p{>kCk#1+zRC%Nw9H<(Ce8SbQ{MKtK z;6+iBxlFEqWEg<38MVsQALtU}UH_m6g=0w|I*#l=CyYY(s44O93_9Z<)I6E$+Yqpm z{Y|!W^AH%{8o2vA{{PoE|1TGK(dW#gw9BVxmBQC1`vicFTTX|PBwEsR6wuEWt+|(k z(q(#v_9k5W=s-9f%9w45SDu&XHr5TYnK+&!tHP`e&$E$bo5FAL6?E>-&!i^Tr$C8( zMym9om{|Aj(g$J&KQeHp5szzw1G_F-MYZrA*9t3JmXkV~(&J}F{7Z9XDbQTGBU-cy zYJj)hGlHZRO0gkeKxx$+1|hR6UZZTYWJ$=IgUa%Bg4NP%Hzg4Wf0$DTUZ_Q=<#v$x z_VD}iN7&G{Pt3@&_(Qkgeim>G?*7jC;6LLQLYvw|R=i3a^9D1IaF;7}k|Y`7D8u^p zp8cO(cGZd)jEi;zVQhAM(DIAq9rOhcVsLQmDgxYQtEgU;D%D0?JQwPfnq&in{~^4! z>Ja-rP8aS<>{FlH^RwA0{6ExG=#tw%q4r3n4HqN2b%wfXrwD955IDj3ST~7Q1(1BL zx_vRlY@M~f7?28Q@f>?DFMa4D(LNU-e_}6yhN{hDqZJq5W@KW((c)6b@I)bY$W4@q zFji|XX`gtSanUIVQclxtiAg^@Z4Yxx_N>BXwBPy$?g8#et@)WLr&c%=HEy&4`NjdCY|1iV?rQW4Bio|Ttiid6q?ysWKIuB zih;W-fc!P~o4CjZ{R;1}wTugoORw*Ia{5o6HC5=%?D9_`F?N8)T%q?sdvD9xw5t>2 ztrO;!p((K_)E!B2_htZcW zfz{g2nsbkoUe~%|Yjy0`BW_k1RtvwY=>J*P{I}mHNge`C_s;?~bikYLNAw@%shS=S z3N&^(F8cXXJzM_R_M#57y&ziZul>g?fd4BkFfL}T0+v%(vsuEooxw%ji?>~giv)ZU zy3Lk{Ta2vu(Kj@vZ@8Vbi%E@&=t-rR1C#(zW>I%`Y~g5nYPJ-Y-@F3iZ(3jgprM~F z;lsZH8vY7(0t?$v_MZXrI}=h7nvt1f#O|JJ`U#rf&=}$A_sWG>I9E1ALSH~8tD+>AwnYc)It`xhX@S0Ks@Wd&9OH2glwK4YDQvHMW5%jX992nn*sU|U(r9rSGqdl zv;NFu>#z@WRgV^#S2#AQX5&sNPOd<0gw-@9(oVYgAK z7=;+mT0^7TzbQpex;@8R2TzZ~^2HE2jo+bBGs2APEvyjk+hvd|Gs%Qnyv(`@8;fNK z%B?H;cY(8k+rV_~c2YN>rZy0Lii^{ALqJBSBY7r3>o6Ev`H5i>SfR?Q(y`C@f0`;C zie|F_*J#vxhOQ?`7n5Y%DbF>&2?1fXm&&tCKS8S6>|@iP1;n5xe6%iUVcioUtt5qt z?D)97d+8~B0nBtq!AhCW$i&9jNG#G}K?B%KPvt|UHl?yX0pd3_FzcI_JUM;S zUe4Z!_ju)}2A|V@l2pId7Q7XQs@-B3cPq#Q$8%>KvM>nyj4Hw;d&~ZAwSsHOL!=E0;^4=Gq(D79WqY9iT!LLlQR|& zx=W^?%AE-Rq>%ge$dL-V#n6Ta7Mk~p@Dk4S`;KYWCC7A|i5 zxt}l2kg&sA+Gl^^PTG~S`89qycDS8W(B982;2^d|i<{RKV|>S9k?-NOz2aX$!9r<% z!>N+<-mbS(<`Opm2_3t_Por0)=AYf47%P`Puuzx>BEoqfB19cVgeVE?Tiky@jsDjE z|7W;G==5(9A+f?4U#Kzhs@nr2>i5o3FdH5YJ&Vjt9E|NDj=+M&Sj47oRnY)eMdF8{Q1bxSL|$@xod{z{ z#Sfr)llAKB?KOo2?wtQjLJkFtI>KsHPPU}$EW!bDMWC(B*XR|E1xRl*|@kE=dIxh0W!^!l8TMeMEuzqIbiXb-#z}KQA4#UI*NWcAG#f87GsR0QDrw^gP zCvUi>fOSusp*v#ob3v!I%u~kcKGhsfP;0}lKky-TQW94+>Dh9fI!eFkdm5zwvA}1i zF=`o~gs{Je;^^t_Of&a;^L?cQKb>BwQ2IO3gI8kUS zW`iww{hqT+tz%zS_JUlCh0Y=O@cIyYUCqz=%gBQN>=ORLH;Lfy2X`twwN)!{r}&J& z31kW6OEAvb-S8B$mpCD}ll43tVlQE`ye#BSt@yD0_(^ha-4ep~E4jl)vedn-f{VH% zxUkc3aq%=i88^ru0GkXGpR%6+LI9!4hq)}ZQG|Eu!%O@G>4tVL6T!P2?ZS~S&Y!fS z*-qFrwX80pFdh8w8zN#v*{h&;dYovn_2T z&*oWA+v;|Q@3hyomn$c5`|XA6siBGn&9>Y_AytKg#3F#C(_^uI9UlDOt|YRKELZ;M z{fyHu*wHatH(X&)YwtP%yr)UOB*{1>pWQDm;_^-NZftZG)(gL|0{ATW(5wu974;M{ z-4BUSh~JnF0_Z5X=TuM)+<_-fbRNhu71OuNF*^QHpkE*#ogyRh#4<%ArdB-g;Y{?` zj17cbu`I~;$Y~Bh#BFqC{?5eM2Sz;r;r5lNd(&=drGHWU>SVK}QTFS_1iP!Tce<`roXcGXMWjKTLWV+4gM=S2HVq9YdvExbh#^!el(} z4oh3;Rk?U*oQ z#u=&h5c~UoeE>A_Psh@sxY`Ry#8q{9X6jP8lp@L+kA31$dJ6vGiS)tyM3xDsNR3>v zOwVia3E$+hVj`ay_ml~!kg3?HE9JvIf;qxeKV%QnOmSr6J3xv(s;m?P-tixrX|)?l zH@UHV<*zsirs z8;)6dY}b3u`R{Wm0X)U;PH|=Uy6wi`eC4yDX_Ue1M#V!`*5vCqx^OlCsJxCzKQqJ- z=rhuC1JWh>3HQetael7Ei=&`IcyuF5KfN#SA^Ir_?Xln{$EV2d&a+mrL?e2#dD_n; zkC*|Vu+4JEXv0N&GZ8ZT{`|vOaS3{OEw%Mbn2IZF>!ZDp(_I(aRnjQDl~f_wyjD_=(cNXdI}~-9H?q zww7%=Ojcrpb1b({7*`h^IDZTOA7qW+JqP*>Fe4T4bpTaz#;36B$-U-uU}*KFwAsee z5lYZY$C0Q zz)i)^wq6-EI}F5w=%g@(J=5%MKqv2ovok0GCRdI>4Wi3m>XDW|ekz!Z=g=tE32r5^ zv2aYEW@f@T&kp^lawH4XNJjY&F=xnS_x;U~0)%KnI#yj#aTv0Rc`ub_^+ziJpfqC!tXfDELTO#7t7g$ZlH;>jSxY+xe&|NUyKa z(Ejx@opAVV2bU>>s9z8+zF(gWi#>QyhKV{XE2R$eg&7n5?mv?+cphev!!N!5|I#Y_ zvC>F92ILF<4&BM^03TK4uFdHeMv=(^cazRC6L>Zvy_I&IrP73%zwp5KXxbib6L;No z(MLtrk&n@?sjk1a5}4+&Sivq3gL#!N!yJp)DH=%VJS$*tnL*x?XClj$po~7PyuZmX{ zoucyi3k{V<%L5}OevO3_eqrFZl=*CSEH1yUn}C7tpYqIplQIM85UP*9%sq zZU;I_&!l#N*1@JtXNZhm<&Ff2%h1LJ7GNYK^rmNKo38p104)=lW$qU7dLUypv10c7K(^GlppOO^sLvuRero1n|4osGb|#XABy`G? zq-C{}nkYsW94W&ki%T;Ye0F3Kspu{zR*x>_?r?A-Bc+{N)$i@fT$GTVfz8|6k^2unB_&R< zB>z}n;{;M*9Vz1y6;X;@ptxentvx(q(lMMqzAVcAiC6Vl6P&oG>B3R6(@ZT6iulm9(qoM96qcxIq1cM8llTGcZsJ{ zFH%0ma#<1*As|*2=T+;`x6WVU6;^o=9b94n-XepxF$su?-tIOp=oE%%D#-%AFjXd% z`63!V#s5iMmGye>&UK7@jAs%@)wL8Sn3W3;o!#%dY+bVEm(ri(z}-ex0pTlo;(PcR zl0U_~&RfTg!xK=9(Zi98*BTY6U>L3gS*Bzp88EVb!qm zE@$>1R0n@N`F~s|O8({r2Y&nVjd251I4?YgSH@*VSrYI0d2I;bEq1TvBGEK5B?$lX=_WQF2F z8Auv+i!S-CLx@4?Y>kq|n$5PA42z@y#BF+t1Okpiys!uA&=T9~48Ueel+v_k(?Mo&2A=coOEZ}!cnvENvf3tINP@=PP0!9A zi4_v#^syZ9&WtVjpNbsKPc40pctvNEr=0s>`iZrw55$aDgDue>B>085gZJ)S8|1aL zGf;n{;=m@)6s1C7Ri(E?p3T}DSOq6F$oakh6zh}AT`@f>IGf|;(3Vusv`kU>773}1 z(r^VyTig4xSX^^Ald{TeOjXQ|ezK6SeUn0U)-n?PZsof~aK=xHDlTuulYP^o$H>%~ z??1*qa#_E+*>E^bwOd>SCd7hOBpm~Ub9g2o9@A$LZ`m$Tr~(EfNZrx;GxEK^ISj|X z=gY|ans1+W4**%eEI+j2MfinNPGvbo`_jkL&(YZ%wyrFibZLY|V{cQ4eEkAh<)*+( zGPvX)H3#+;o4pZBS2&RXc~QJ~XDF;^m&qIE&rY7NNWgop3k5-*3FgIGE_7N%6c;xP zfLtZN-DYCG{jY{8$C5_!-ufz;H78z9T2zId!XH8@D6i977b|#WlO> zE+NIy@{R-{n;b(i^$4j^XieH9rt8`9?R=XJq%k}w-tt?3`j9~rQa;(->|hyMei zO5pX4{Yvu+2b$Tto&xuKoXiNSah7*DS`yBDb8=&JtgwwFF6DsCH0zJkk`hy)mY?&= zDBV<&tHKq`J%r${NWj~qfe8yrGPP!#d&ZP98Hom_h$c#m^M$yCJ)Hq0(V&GJ1Dh&9 zDIuRLd(_6d{EEG~ptgAp*iZE(+?D`lk$8&AHV1}ZJIGOs43YLc+^cM%iSxEgi!EGf z zx)t$6$8I)w!Et2~`L0r1SN(4XK&P6-dH1s+r=7w`qpR{I+nB;^y=KzZPkpipJWqT> zB8`>ppHp}kdyj%``^~wJBVq16BaT+n8{FZjj35OxZZoQ8AwSIX*{rSWCE6{8tunG` zb0{k$;5uDO8o|mK2!GW9+JruIjdr_4O9X2wYbHANN*xF*R22>15jPLu9lCm`Xp1>i zw8a?7D*PEm8=fZ-XbkW9U9KU?0A?SziI)>1s)-{uA<-FOgCz7hs(H5efXB*%JDwAA z+FU8GR^-vLVS@Pij(E@D8WgszHwLs0g#Y2>5k!Y@^TZaVh*OoBS8ub72sov(mn4*J ze;`yf8ap~Z4FO2nn(xYM&T3aw`wUS|O>Xh@B9G1QbKIdg`hYGY+kEDmV*xy^!l6vZ zY!m!lM2{ezBOtIototc5CGU0^k@%X$CKv+61HjE`Dp)FPdzA*OagdhY)GazChB%xG z2Gy`U33L+R4)+4bEtm6W_QK-?1yJ{Tg{<*aD(3aU9&+=7Sl+SayWPr8c(2|sA<~9E z=UOIHwRe-)7pGI(Kj^o@_!{vV_a zb7%bP1O3<27B5jXM`e`Tv9e3OXF{e=dUHNLawGNCcgI#;f|qy6OP-**kx#d7d`MmI zLc-@Mc+ZKt6zpa#==$2cYYd23Q?>_X*?pRLPq1IAXFqzxZ3?wyKmYvtX&&~Y z-~X9k&v?(Do21S8vTiGos=HxyL>&)7%Ht};}`9OQRbJ!dPfGbU$Zy2;)=1abi{=(%qo=Y zWu)Gc_&K9~z?2JL5D}yAg;~3Y@;KclNgT|($LaE=B0FtJn*{8Iuk1)ptANBbhJ}PB zaUTPoJ>=x`)048l8d=>|{j+;1_*gz4p;Mlb|P~ zZth2rG9rr4(roLhAJruTaPlD%E2j2||5#Jgf|7$oyRQmN}ii0xoPyuM=XU!rlg?kyw z3w)Y3o-2=6Sxr?i#&LDM*{d}-tfnRNmkZ9Sgr0)PPlKmoXZ@Jd7y9OF+xpI=LlbIlZAlVOYD(~u zU-}goJ=QDH&D-5_jG^2!@>;kfA@Sg)T~Wid)h`}ArA&Hf_BK*!MDU`x*c(DlW`3Jg zNWsO~$-)eU5+Q6X@sqa|h;dTb$XC$V|E)rP($SAx%#UIn$Ju5<{2vR z|INuYysf$2Ht*XDis#AG7yW7Eb4Ns1aE8m)PZGsjcL(~^BKQPu`Cl+SSLaNIP51K2 z1Yp)o47-1T$Xiq|fMmX{`)`?=pSO5m%w-VcPgf{;FK4^fek97{0-LPL^I&e2$C);L z`mYz1pj%z0wL*nPY66^__zT}D7$lp=V*P%np316+n@3ozgdRDi$J%AN6!|ALIRaOm6oHMd0%+9 z{gB6g`8AGYP%lY;^73Jr{@YC5q>wPx{vW7z%cg=jbe%>x$=+fO-x0>x*bi8DP*?JeF{u+GC=b1#@4|Ze56JSa=76wiU#9{G?Ot|BG&M*nNYa-#hn( zoR=;=_QhH9wjoSyPS@s*TwqOVO{n_msi1V3+fDO<7fKiMpKaQs=9@!GgWZ?(Gj`dl zcBNm?aaIpaQ5J)nj~C+D($|01O`cn< z)91bI!7KN~DME_dJ=_^#NX*wroiFwAALz(6+eiYnm~H=TBkQ&MvyG?mB}RS2beX4< zVcFY{J6t}Sej<0fcoVPKWf>%^buJ7SCa^niEDl%uYS%wRm;~Qf80a~kn9uV1$#h$U zq8C*e(VO{P_QOpOV)U(nxWFZ$<)fb>;%@CGr;fh4VDja-M|1Kcy!5{hW|=DND@P19 z14=*Y&4h*&8cQLD-lBL9ZToMs0^gv(^{dJ+yfSU5fgJ&QQ(W%(-0+*T;E^_%hsiW( zD)Rbnlgy@!_*#n3E#gWTTL@2f13l`V#QxoMZjss_&&J&-WR@7#uH;?zG>+tU|NKiw zVQlPtw!%-=vW)t4?tU|s`Mm9!LbU=y>Sw~ly?cD8iY@3-=htTA9=-T->`DEcX4g3h zi{0<^prqnEC%gCx8?K+R_C5Lrw{_-Af8OORUt3MbKD|tay4x+4FJvGE1;Cnq=*nvsi7!{s0fHikroA&4$?wRf~a(eh!m;P zrH0-D3DS%7-aDa(4haeQ<-PZM-gEDF&N$y+jF3RaSbINf&o$>sib8X$pt-9a&)CjV11*@ao2p;yYt2&rxi74E*?3wKQ*A3|YQ~ZpcJ5K! zHy1nqcjKEulojBUw9sCZj2Q*|2E5Fa-b#vd;<8Y!>1mCkiK z7X=Mx62kTr_uDfGi_aY08q}QQ6ZUg;c!ydmQ^9ngS@#4PhjFO1mj9Eng*jObKa~xQ z@M}qsTD$%X@0onI_Cnu0^^j+V=;q|s-c}8T4X-f5N}eEh`AH*FV}W{T%y5l+o<;cD zV!rK0TME3mctK<|t-!?CQbpKf+^uduFJ5Z?|HSWKtqHp@&Dv1GLiXUdQA9edc)2Uy z7$qaYk+s@t`oFObJ2g$BQ!zrv^~+y(@(I^V%&T%X3aU0~HN>p*ZM<%j6_I&_TN4WT z7@BeIxX~m{J)65jur49wpidXP_W_$pnAU)QE7r#n;mI2ws0F0G3fJ}D4>kvV%aNYU?pCylh%s#!D*V8gg9S<%gyPfEU5`KcvU z5D&|7ZXUa;DPz%oS7YZ_}S4c^YattS6I|TbOF@8%|oE0xYSgVdFernUcv-+(9oQ?VwZ2~ zbt=CUAI-x$y*<~Mv!1DN_fFkaz4RAu{#SeapMH5v;;#>s zuhmeT&(01gDeFGvh<_;kA|){%pfD86%axYc@!9+!xD#*H zBoNZR*_3W5F_apuF_t=059#KED*6fsb)pWpk8y4F+P3Z1|8tj4$-oi>U7ioNa1G8(R zyx5q<=@J>p4j>j&BK`PVtW;P=_o+ZFxW(FziJDFLY0>KGSxDr&uH0JDM;-#L_k#ws zg9Y04<(C zyG=~IKX~y!$J}U^dHZOK9>-HzAsoISH-2slAAI4T(@N17fmy}SI^VUkr1%vMqQFji zlbDNslr%~7H8Va?>{u=3GCkxHSS4`$LY??5+lbr`xd<3xdII`3seiPr){SA?JN3afQC zzo`~lp$TB;12@l6&H#K``TGrO%}_&g<0V~2qBN7AzS7W0?bXhQpB%(M40@CRxgBE2U%(epHB{B}i9FJY2zlS{X z7(Xa9uk&u6+PV>yor@k^V!fc_puZbwwbJ|AMx_35b3*^RdbB0_s@!i6wB1_qm28PC?1 zlPpDF_PQ2Z@i9Q;02w(KB&)2yvsz~9+@VnR!1(ufjHtX0Il-Ke@CW4qzGUS(~U zAY%q3d4Xkb{2knXn{I9%(+%dCv<8snI*g^A-bt{3$7EODJYH$K^mj&oWk6@@v9NhK z41!wS_So!imy}z7W9gdoWd=yyUEt?;lmw0<`u{wW8lK>(7u;SPRP2NPR=YJ@j!W!_^2K#DUdQ+LpI=x)6JbApdmwSW%eF!}2ecPAR;aq)9 zyQ!Lk$!`S}JwI?7S+ZK!r0tD1O(XvoFT|LWdiF`Es_cQVVQ!m?vaW>Z~T(-ZexJ? z-aVi$kEdQocsN>4H^k6!Nma*GvRVteu^%l0u+v^lMTlyfO3vrr6v`{K-i>F*e>0?S zYZdsic!=;juEST%>!xKmM`-eBH!nmHPUioN*A$`e?BlesJ#%@hzEuIK9+q2Nc`$OY!>yA%_3FxsBel zY#$ZUGIG7{ygBUtE6MWr&A-zWJ10%D&yGHdluX<2OGt#&N)#LEB;2(r;qm@0w(3@` zC1W(gI1NXfdxw^a#3SyBQ91oEd`GKztZqv8CN!}uz!Xn-3kC&5QJr5ub~m*&oxpZG@F`eh9`8zcuQ&1CLr`u&nKpw9H8^ z){djm8q#~-@rYz@WBkCAZ-z2$ZiCOXhWY2slx1ygBNkhLBayL*xfCia!Ak{F@5*eO zaOs-jXpP6ZjA5t0n+P>;6Y89ort$Ix79G%>et_ull*ie8bCS1fc&F(HS*~oI6NaMe zK9KU&%#2@SRRLmu2kzftmsyXXduC+nqmi=#qq~|1M4m$B81BF6(Nfh{zek;iaqCV4 z!5*5x@+xV^!8QVPV8*fbfR{_zB1774eDD-D^tn0Qy_-BSbeMS}>oDHLIPHNbqo003 zHYFuEVM=w=Tjg|-f#oJ;oB17|(d_)QrXfmD`Lm=OaGHW3xA!3{pA>kL@^@u7=yr13IhCYVScX`cLa+6=i^v-seh?bE;$ofJ5v%hov?(Cj8UMHw?6pr* z@@lm<;ge!hde2G62gdDv${c(BX1VztHEU_$(g52d@g!n-po`#G&b`E0a8WAd`orQQS z=gDe4+7mpsPsV0r1I)12dyq|kNDn3m{5X30ppck>UN z1)ZfH?kX#+76*f*n@{E?Bbme|znlZ?L~dszxsMkWc4A+!fe9Vg>+(XpX61DC4%#K) zxR^ORU3!(FR!JVI!KhiiX$~&$fC9 zX|!8eNfaC9iwtFqA4s4VM-qb~BY3tIKvX#Jbikkh4PU~++K_9E`1~USNtW$vGWK$s zGw1s1YqOtz|H?^n^?4&1$5-clu;1zhWZsT>Pi_9_|HpyAcT1cGeSzBCKcMI4wD-}+ zL2#Ltorz1Zd8vQCv3DE2S^$HNyn(s1yj_2lbNR0N`#=BlSrlCum&&xZ@&dIbZEeV> zo)(Wu2>patU_mHqrX4pVJ6(+0@@W%(dXxDm!?1JJ1)J=gcCaz6pKEQ$PmLC1p{czO z(-Jk~ZIYMM-2OHz^6PpUkdY-(#4T)SWK>@)z+gw9F;y+-L*S>MI+7O@LaAN0b)d98%<&b8e53 zO!Ly7YIeHcFtVRb#=2jYv4yv@!zCztw~H7WPC!4vjH zOATlQfAoV_+BAwRIP3Khq{;vg`y}Q>Yw|m424%BFw0f=G+IOA`C+iiTX8k9S|30bJ z+f#^qI?oxHY_GX5KD_K}`LI#5!Exj5(wF*6TFl#rN{exqt0wz3$8AJ-^zlNjEIYG; zI^%)}l_bR;IXtIH3*vzOALSbRWtuIYSzVv`@7Mvi!|_eTaF)CH$>JVx^JGpiUlSWq zu^E$KlpVqIPJT+tvSmD~2W>sGPwqCZuzuYMtStMBtwJ5*D#zW(W}V0177&SVeL2}- zG>LwdNaVZ;Mi_riC5RrzQgHlW{z^s!j|Dq2edA@<(|R%!jXzo}u1l&XU-2q7yqp(LsY^u4g+`foDqLp# zGeZzhOq;haKV&TAPV`NyPCl0_?8n!i3S>&#O^em44%U}6-fcrDKPXq64pava{KBkZ zP0RSAR6!23X-#pjpshYFz-{qG*m9nHTDDH;7d=a3v(XN$YTys2HA5zH`ZDij{&Lz6 zV=UXpf{^%>BW-${f~@vfj5fY63xWTQBYgjU;2wWiR?`);4f+;qaPZmvy$w$(NL7~3 zbEp+``#)m=y1|>&^z>A?E)T-^f$VfLJEl{6A}h(mmi2;iDIK-BmcX^@|2f&%AJTNo z9kFuVvJN^}>+AB!1GTT!6Mx>5OFm3EJ!{|Aiz_fgRZ!Z{lnUJQVy<|yzmT1RA?t|a zCI(1HCDbOs@EE&Z`be?!(rY75X3-_TqO;SlFfD{;Hii^Bm-wp3+p)~6^yya-0{xHA zf-mUic{)elWp@%g8VC|C(apeb8L`b=oYX>Wj%< zRFYhwuUS|$0B(QHM;31f4HK8R{IgIrP`Ky8%gX{>Y(O2k0o9=rW?xS1SL{6<*igMN zs91UEKbd<^1l3p=Z$omN2y?e{<*JU5vEeHvxSv5DwqXiRtd1VMuPl`A$G;V{hE8> zleLSMqvw$O9FGO&yKI&2*XJ>#pPm1Au;K4#kr+TxR*`3vaeK6s=d_k3-R-~MtEc`@ ze<3^BP9==kr{HewWJNKqdlcI#57bV3t}CGy(6kOj&!k&xAWb~>6ojh^cffQlYnQM^ zXD}-?tLR|n$GJ8sPgGfr``WllVRc))jLmJm>1TtCG>O1eLF+N8$8T;ua-Y}lTh5ST z>3%mfuNfwZ%km6wR%dO!F_On9v%ec{Ufrvi9fN;=M;w6OzkbZ$u<$2lWdGLrF-O8fDIe!FP_^Q(57@ z{f|8>$B}w1-y~+k20X1(j~cGkRrWTacGizW`~mQj}IX2~4jKZA)|NS0$I z=51lEWP7zhhDu!u2^hgM{xVye=bZrUiwE_BjuhZvBlv+*yXb%$Ql|E#2(ePbGl-7O z{>&(M>q_g-g{}(z5aOo`GS=JA67J?S)p#eXPgE4{gkQRmXe9cl=A_b?9m9evKsX=K z*L`Dfa5A*Rc{u+nEf+h@?i7RUOwQcXO^AuZJD;rzJ>4GM2nCj8L-*UUk1P8Kb`$)x z^*tAJ!s)hsL10yyTIWo=%RRvc9NdCIf@P-f<2XZgKBctGzpK81Z_sEEK7Ag16x_(f zN>@Bexu<12?L~sKc?zdRag+vZkeRG0)zpV=K-3P#rmUfEjM=d4R9qHO*?rA+Ka#=% zU*VnBQswqGYr3sd-m#vWdx0(Yf-bLCT;kJfsnO=pRhwY_+KnsCwtb^Cm%Uh;?M!>w zdG|!FX?X!!;y)(8u@%iW9uf*9{Jx;;t2}J{0!*3SCm%c%=e3C5?eonE=23#OY+KMO z(x%HiR;N+i^rfXj!bk*Z*#5@;4vFMB*3244$&q7E(CGRs#OY{jjRQU1h{N>QH3@js z%;!m%wBUw+Yt3k%lL3lwjtcp%DB|Y7#fg8fKE*EMAUvxTC)c-yCcpMMIPf4w`Cm=B zvVFBV8MS3?;(&H$Y1^f#Js2??*s3A(C&)QJ-+kHCPP?98Ub9(=mAu0;Kka#<VA zWj}hPa(S=ZVQRc$(q3)CalI=t4ce!A8-?qw=Mgm$wZy zRQ?>xaUyiv-%lyo`n410=za%=abkMPHdfethwfIiivRBbj5e`?O#_@ z9K1o}yO5>?z5kJ95&EF&zCh=%EAuLE!seJCnzx|Shj87 zxCh0TcDcQvzRVk}LmGid`?3--T7~5__x4tObufX@^K&@@ps?H9p?&JBUCjd+GSo7> zf)(YexeRclV7|u%w@?1`r8|pJU=p7g_lJH)7re(kQ0AZc)m5cV}v`oMLaQ#)j!nBtB)xD_l zKr%DN$DkE5&t0<3|18Fp1u6^72AZby(hZ9X6M-|>YGGzgE5j&`YVv>SG zqSon#(TV$p-&JHu|5tYtNa;gO@TP}t=(U8V#E3KoYV+{>Ji(MKKI;)t|AGvC{`~gP zUu0fh*}={}m>y%fd`{6mc)I95luR1>(MymlWZ)XsG0E)-^^UyrXGQn!SfOtxuP` zUTanRbKcwnvdnsntDl1QLt!(Vn5aVZV&aRfbRA5QCX(Q@hAUa9fGuteH`~;be~Cbr z4$v1OI#bAHA2*9O*>ieuZD;`0mbn9{fPEn{)7)2jAl8FKv%TO?7TRL9Y@S2#qK+SjMYp2f%00=w&xr5SxSOQ|b+OQ!LA`ZJ zHRKs;1-mwYt6h~KtE*8Wl>-{tgmdQSrlBkB4MK5p z0(@mgt1tc7{Zr<5yqi+VvjknZ^zxWlRHuG{ zwg3`rH~6!UyV3?Z7?Lz;*pIVFxV;EBsMK|}D{2Dg!!#n|4iX$UG-U8mQN*F;N`MDM z_yA>Z#o*1o9`6$HJNvfTsT>wz3#ng#Ny2p~`RulJfYX1i$sNHnb6eTEmiGONtRlaz z(7g|TPA^vYfjn98Jq3HmkirWOkgOCxVZMsV$d{j+2QNHiC~#Ph3I1lNYr699(S=bj z%g+KD#fS){@}A}kr<4@aaf<6b8#d)V+K0tuYG5TWll_p69Sz}>M881lhF@r(4GSJn zMXAU1NiXjyPOlvq0nd8hj?Xs9j@S%O@{3T|d77}1!f^MnM_F5rfUNlaTvJG3>bmwb zPO0722g#@n|2z3=ClE1o8qYSGOK!AV5!e3)3{R5Y=>2&3*co>~8ZE4uTh6emL_?2` z_16ArPa;{WHVffndq9k%Zw0*b;PZ^Gj`E)W)JeTy&VD8~B@)JA%ezf=>ixore95Y$ zpz`n<pQdD+%8hOLMgYJq_m76 z%{IDCKaobuZRd;@&%B^;B!mt@rQ-eQj|Q?q9#Om?ib%4Q?Zx`hT6=ILD$96j?^aCP zLvst8x3O9hQoEh&oe_*B00{+(xr&5{KdEKNQKws^Q9QMNdjyhvWW$gsq#M=HR~n@v zHuc4@H>=Mz{phdsgwdlpPT$1#Svn+QQpa+e1y+rp{oqu3m*^}pKQn4Okc)r1 zxPIadZ|5c`a7L5u~ZQ#6(R};x0W!uTe*&`;?wu8#A!ed z7%DSPPknIjOzcbUJD>lu!8gGV!WETomJC$nz}utYl?as+fyjeX$d=7p7(gV@^QSxA zG5ICMvp^BgH92Tifwfni^#K3k?CNz$}zi&-I z!(6TW?MUL{M`c{7vnoA~p7F{7%h+W#aorSlm9^U*6mF&bGP2r6JEU2qhl){J*!Y1v zn{7XZb1w4pb>0=z`4p90O(*1LA)O||bY_R9*8(XjtKchi{8dku2{L3jUHdLMHcm0t zC9lwBX>aGt<@Cug{S?!V59Z3oY_LHMYkh#qC!=CyQ7Oh+hrBT7=%i-LLM=~)P;qf5 z-qh$BUIYYVV!}$kIyqJ3sFAVA8|3O`5B;Q;g8aF!fiFpi2`4|2asEfaTBq}uPRg4+ zN3p&E@gsBq?l*OU z(|8^_lS9E?a3hFKjScO~O##&5wY>4UzzwSd-+|;Wei0u;-igsIR@$Vwys z{CU5!hbGgK&(C^)GP1C~vM`m=7|4`UEEv|F!_dd6iJcm3jpbbWnp9Ks^D}Qd_K|rD z9eObrJZ>AFiD^dpy_&)*}=B%P5Ggoy_y<1Ll?G$5f0vCed9+j*i?D7Le%?u zIMN^M(bpw&?whXM=Ys*HgQb$wVP|$-1tHzX;wBiGH;5feTjr zE87~D;q6F0hmQI{`wm%;QKX*8vDsFo@#>TTaubl>cU#0HNqCCHC{Zk?hI5}m)w#`G z*UjGVE*!{6l3sDI8nP>Y9j;|p;*=L!WG>0Vh!vs2`H1A*JO46GgM;!DZTT=?Nr+jL zueZ_(4B9$o8~8!-4j#6_d2guhZIqHrEfFC8aG(7ZM;+xIqaEd#flwg&&C#?621+^@ zk+Eoc^wIRBKeXp%on4ty3dX*hV*e?Hq(4Ubmi`U{*oi8)o4B!gtMZ3h2P0Gv ze$63iyz)R$NvV!f;Zsvs#-?!|(n5m=@?*+#Lg|n~ zT*vO@Sr<{*TWv)`@0;8pzreW(-1%{>WT&>GxjUIgwT4Wfxt|zg`kBw7|9G_GV(Au9 zlf`;BK@Am7mDa^?w3Rj5SvI&q;xApxqc>L?nfh<>48VrHV#j)M^q865shtq*z8q<~ z?a$|D+&!7Vz04S4LUZ8fdC_0Xe!vVFkz0>|+;tL1>o_Rhe_G73- zN-R?pX8E4^hJ9U{=TNf#dg0q;O|1v+tKx8Fz&@SKeuoZsiURhaxV_LcEP*i8b;0;( z$pns)e8aDCk4CYL!<1sxSsC2lQ{2RQ6#jGySKDD2gFSk*puTYVcl;ZQjhX}@g@ zhAzFe8_05Z9@A0Ae@k+6aS~U;|M&^t94djStGQ8p01qR$UnY*Eg-RL|U+TXwC~oYj zw?o!VJ63PXoRqs^yD;3oUwGie;^+>!w`+H~6nrz>jmq4|NrlgUVN&m)W=Y!%qU+^9tfg(3fHrBoNPB2#~v93Z3x$bS{CP$uPgH`=XIltgut#aoO1grBFv;@O}wld|or zP5E@57rAe}FM=K}jT|l+f+sXmV7kPw>k4*-?=()`;nnI~e^T^sHX7|s*W&vM;Eb20 zWl?5`Ewj$S@5?D9@=0pzMvfJDzb7>{;5T!d2Q3a0C~bF<;Y|RMQkt82u9gRX8flY1 z%WX3;3YQHS)TT)U6eExuAPnE^{TF^9nqN<$#?Dzqeb_Xn6w%6Hj|@+HI$1DY*;3M_ zEyeiwtHwd+$a}qzMkX!+u-i7KEn5yJ{40x?nQH+ZYV1xdlWCr%ENtq?WU#LJP;5#< zh(BgmGq})LwPEcdz2$t6uo17(5DT3^($Xsyr0HmJbdP2-@q)$g>-8&a*~F4aLvP<= zO$`Q$W~5@6$=Nc>;>)+PdR~`Xe${oZhnr=sEvq>B4gLnkr5(Y}<zo&VpQNKQe!SHzYf;T7*oH8?yvF2`h?8fal z9{2s?L*gD#hzEt;tZF>080^=~j4=bKu`|+~77;_#S(i2|r!4FWs~?t&oNiXmjJMb6 zlmpSnB~J@GShx8+RMB?mM|yT+wJ*P$(l^e=7BARuR0R)bT6VE;aRj&nH(Y%QV;mc) z8Yx8;+H&aQ+B?e=F8+S9Ge06!|9LzAgHkWO_oIS!yAZR(=riDvq|vRi{$~B<6F$)$ z;1^!VzSu)h9?y1={AygIedd*z^n}GVE=MWIIn_~8gxNOwc#R7++i&;PaU`jtTxF}s zeQmGaN^q6V7>>+ym>8z$Aana)C=W#XLz2aU2;s4cB+o=85LWC;p^c1irIJrmii=Kq zuW%$q`_A+KK}KN0Oujw%`eF~!rZJW`#v&(bm!Ba%eBy9+ia%FExz7}t7k z*sI?^QaJ|u5LdDN0nC-;g%G!|rs}X%lPVU`DJmx?aI**Oe!W_g)-L(V_19rR*d|Gc zZ(CTBW@}>y*!MbdwNnRTp-FsVANd?4eKF&UYS=DHVd;lH)c1g2R(=ovRSh=!0_<&U zA#K&Nn~q>c5?AiZ5@&U6pkDdM`YV@pI`z$)R2mIWm!QkuPyOSW+3!iRw`W|n+uiTe zJfopQ?JeOiQ%QAMfzGL;lT%lDh@UZm$T@&bL-h98oe`pZ)l!PP$XZBUf{Lj(`b z2$WZ@nf(B*89EnjK@~TRYm2npaML1V zrze}BC>>FDUm6$cX$jdG>-GFnNVG^-56Wk&u16BJaZy}sj$HXRvxKHL1Ajh$$I)aIM z+EndI#J}9(dvqT@NBUJx-qsvj%gevTCg96nOyL?cdxZXr|0Gn$e(i}#aI^+FR%V7% zgx6j;0dM$N1w_r;y0y6on!4|6c?9B-?mRh-1$(|DumUu;czkxpl08&&+a*2o3Tpke z_JOP9leyN-%_HSU?u_F{JvQc-ZV1dO9WIhLz)UJJz9V2OtqBi=%F8=Q@-K~)v89pI zJF6ovUG-$>&vrYd}on(E_6%H4gCl@@q?}G+`Jom+2u5k-G z$5~f1$8pJvF$AbN>M1G*9Y5Lql`>iOK5{$#I#78Yl7p^#8q#CQib}iNop2i;q|p>* z@ig2Q-J#Af)T$#btzkUW&~nYDPb@;F#}KW&*Gk(yk_P+ryj|mZ{u`sK9!qT;Kim6D zM1y_%77*d+GXtExeS-Z<#iLjAgkfvqF>*>*chv(ItAjgJF12{~2a5y5L4;j@Nrb*5 z{y7*QH01je(FW}Kz~pr~6ac9xUuCCJoc(D=J(jP5*ixtFT|~tzc02S3Li1rL>3mr1 zChPkFnD3Nu9h4A;0#4b$#0i)H&8>F~-d9HP10r%S7fM|n2%q?yQIS0J$A(DKwJjgr za77m1QU=zGcFX>ra!5K)A}be>^yuWR=^PU=*-Rm0Vb6%JNs%s~_83Nwp9^H6AY~>P zaKDIM!ua=*SQrmzm||Oc#RGzrK{m&`q6kA~f~c;c0+XH^4_wUjk9LuEMz4p$80JzFnHE zeRhCtRk{tCl;fg2ND2Wy#pZR(*8oAaGkDU(Ps+6Wy%#8(Zb>Tm;3aOkHcXv~MV1~)!Fmo6%(7!ZkDg*=4J3)re(O6=oZaC>%7151*c(D*?p=tBfs&}bJ6)! zYw4?4MNcwn{NXxMFCW9_mPNpQ_|^E(XheIn;Qkdv+7j01ZSXpAQsa0G{PMe*5=lAd zX}5gWTgbsX{p=f3i}49nxy;+k!cO?|Z-|`7)aLlfCA(Na&#L?l9AM$kR{mf7$#`&m z!=w6ysXIG8c9PnF{Zi1>=UB6ZX^u9M7v{4iPFOqfZYR(7IH4V2*%DqZrnfJT3%eA^ zT@;JqkY4D_XTBs^vr+TlM%BO5<+S;6Kmgf}| zul?qlDB4@ss+_X?2&Jtv-BlDJFqVp2fqpN;`oI*gjq647Q&%9koe$G;(#+75Z6JUM z<__fTW|J|N^nK;M_(>kXF0VHl%>=NxD&CEuA41sV_Ouiyz4k^6*kE z+KFz{S^{K6j`Kr?HxGAR)dPP}h~X~FpY)iEfCmRx^5k0fcaSBbHqmU~&fDJZXl+{2 zL`oH~x6WrCIkGT+cz83k^OtTIdl#o}QmwGeYLwpU$F-` zG$=w@?guSzNZCM5TLQLT1bH3hc08|E3#mtqoc!fVYJ0~V;zr{T&azFUJ^Xf`X?zhu zetiHcd>d|{Jm&Fh&tW24r#u+Py@i@R5dU(;jpGE+@6KW46mE#=U%R`u;j!!{z6y`l z;@Qne->l3a5@Yi9FdqOfeX55XYD~*hE***ZMX)scv|o=c3Iurb&DHGQ$jhdAl}Nv5HwSuHcRDT}(>lL5`;lCd8GGX- zt2Ymcey73h_2S8|1T&x_IlsrXPjQL+M7*%fHuBlt>{-g^VvI|kUeZ`WA5EV;_8{)G zj(?!t0GIV3d_Gx#;iPag2>!|;ta;~<>ktPOBE?IC*Ex>Ir44M4gC3S5lnHXph5>%E zltzft01Hy}xV$5bW!tf4({YByh2q0q3#n+%;_A90ELR*gGiak%PzMLuJ1(s|5l&(@ zQ%-iSgC}NxH6|)f4kI*H-`OF{H9n#NUZ;KNgj6D7IOr#un6Ad4+bg<_^Cl`x9AdVDj|ed9o@3eO zKmz+N!?nT6W?zp9EuzVyxFq<{V~ND1NQvZ05(|pL_#STT0ViV7=gpn!d}}9CAVrR5 zs8Jv$tXP8=KCVoj7w1y)4s%}{orZVcq+HQm3muobm6A%2K5+0R z|EPL1RNqZ3djdC)l}?D7Ep>Nn_kqLH@GWH3JitDCvjV~@Nq!3ykFEyGsm^x$03Lnn zj*0-4{B~`^eb+3kn$9|o$f1bF#RaRaTZ_9*dgM}ycox4ESa&pfT~_@ca_^s-^{>j~ z6_wgwRfivb>PY1YXqt4__JwL)CWfi5C&i<}iiC5X?tB%Cf}28}OLkx^HdoDZwia*txQuPq(YdUF4=aJtsajq=7AuQ8}L1ds@Rft^Fkf z$r%FFyfP7~bq8DUF-lb|o_w2Xr!WwZ)YdBE(?r(f80Ia^e zF!hat(($ebmL41-N=v4M)~-~&m_X(5{-=ib7iaD~tKKdfXh+ul$dxNQ%b?60j{-@3*XxA@P zGnb!Y6HB_zS^in~BNf|=Dby!?84x}`YTn#0krO`x;dFI_&Rd2vmhiIn6ke-= z)=OH>ceaKV43PRvc2yhF2HCs`cMQyo?ojIWrob<^fpne&NpWZKj+38)wGDFCTe~6q z9C?`iwPVfS;OcQ{vAUq7@FP1O?>z%$;kEWB_`}s)NenWQ-Q+mSh!Qoj z_oFRaY_bP>3QopEIaV*lNYlARNBbUCoZwKc?ZV>U9v73TXva`EbgY|5^7}*{x84sq zJ>B2-2)wDiy{V1%$hspj)|+}e8&m?l5|xwId4BviO(ipyoS?6{>etifhdpzhbELpp@iq(^ky=%XG)QfV$yo|J|pon-H+;}*o zeMVCIjc(%6q+QArw(Tsf1jmm7_`>h#C=q0!d^=HKHpzYZI+|;V3HG#&P=Vb7_1GAz z`;14vUtt=qE5$usQ_02(;n3vNDYx~hQ$gS5l#ypS9^=sARaVxJ^5PWZQ>w!zB!#+Q~1=i!8B=Z@k+Dwb5l)H`I zWhc40DV%>Og&&t0d#^;1^G4p@sCebIm`XeTMEkiKUp;9(RU`DUw)8MQZ|v6zPXC2I zM49H4!muU5ccRf-;1I7to4(p=iFKzH49R@v3Cp%iEoO&_zU4Rqxs(};d*GY9kWOZL zh1?)DRBjyb~@<3wt^k8saki&G9w=tiDy9B@yR}elXmExg1L_P?VL&H}K*D z?;ag>FAFL5G{QN*Ly&n-BzE`k4HPrZ22Fs?DOzLV8s7e`_8z0ppAz61FBQa-v=Y@b zz*y*;%B^~=iL8CiM8pP{S=xcfm*zS!2VwzcUQ=3!Xfil(=KF+0xs3vWgiX;nDaL`b zfCylDlf|j|?(c-Bm)Ra<5A)5EM=Y%3QehMci6|7=IeXFh`bD+jBS%)A#t$P5-ZEX((SAOe?>&Vf>BKv#LOBzYsSX)NDB0pLUj+(%?tw zkKQaU^j<1a~F=)g7`9n_ip4%U|L8xWC17(zEF9@1Yr2Yr^5PUQWv zF4EdO{OKgt;gN*u8ESJ`6$}qGZv)q5SGBA-9vX_KSrLrnbsB)V_(!sBRq3tYwX@MO z*xYPwEyRATk#X3!((VPd!;%!0t1pw}s4GV#hl@t;!$f5ELC(2a-f&=o^0Ws)yeoR^ znT|2Ct3-PkRbTC`uW~zDx2)VSJj_>E~8IgXEhoUmpAMS-mqS$7LM-z+2bsp3yxAzKo!0~koeCP8N?1TqB@%#hveH)muVj%(~jMqO*yD4?kPkZP5Z>I8jVxf@ut(-*6HR86(N8n1?yfupPlAd zB3Ds*6hjGrhFUuXkn8@g?tdaa{!3dXaYF^3>?UyCnNH;+*b9HoZtG1-ClKg+vJwHZ zqV$0AnpD`^1o9k?T-N(eyTt^X#yUMT{OotsIl2SOe;7JLD0evhc0a>w%Y_n4r6Da!6PBGU7V0UZ4$ z_>Gw#Z;xv73Q5_xIN7e66I@T1jQPx{{MKK>+`1Fm@=N{~wg~0Pn3vwcgIKLoyHl9v zxK_kW@q~T#_hL&fC?w8jo4ScSxEGoA;N}a<7W@%Vi=!}3Q5vQ$qzf8pC!9bg3 zB!h~M4sp4w`Aw%MO?OriPV?IPz8lNJt2jH%@Al8N^4);t1c%xW*p1n^OGO&IKI6d- zmd_;~z4JzQA|1@ghg05PE|9tofQg>RI9h<#jH(kB)nw+`ZId%d5z?WCH9LQ)k_2rZ zAUI}p29BJT9awQ!xRGuATW_Uh=K`5k~SF^AOSamY4T zavLa_ zs68aOHiOE)k)My$pzjbroNT@f>jELsrv~G1O>2e>UiLAbbe>*2&Dz9$@Hgh%#hs943s&Y`bq=De6t4Flr)nH&r|1;awd5Yc19_i?8gOgo+@#j7pXjut z3>5ovut@Y?LJ?>+^-=Dg<60*s8L`6>8$7DW5;b#M*+HfqhX~lgG0_@Y1_{v?!^lC=zV1m!B$>cZt!ANiAK8ar6`w7Dp?EHaESgo*vTR#ZCT`V# z`1t%Qr8_&TBA01^Z-xQ?OZb@O>xRN`y530x@ui~~nNy{BOVMXFufp%d4M3P*PJO!1 zL>jB3e@-Q>qp(9`(tx=4%^uUJJ&YlH*m(Bdr@h>6Y-sANui(hmNFgxZLA#aj;1j)u z#}0ed$d92)lhBdP3JP7Ab`(>;~5GN-b?l&jvA1jseG z5sxp}xOH~Pjw`I^Cnany#e$0|xBFl+K5`Pq#esO|&~vK#7#Mg0;33Ja9<=!xduqkg z!NdPjcpq`WPuFLdM&+@IvG2NT$nIpN7Hxkzl+Gqxfp&8kvrmP4+9i6CITW$u9HH$W$Nu4OW;NYmOz;xKnDD-f?lnUb?zT zk#0pJhHQpPKAU;Zja}=m;K6EqD%G=Tg*d!h_n^=L6CTPb!`jBmd*2pF?zNBlQUpJq zn7+?pv(tzkvk7xIg_5+|osP^PiL0KbK|Yly#n;>TX}9zg1@4OEM3b4RSQq{uWA7af z_rCQFZz3TPJtEOYpNN*Cmk~h_F}CPkh=?AY!5|`97$r(D1PM_`?}q3ldhd1gKI$0b z`Q_Z_>}T)iKG%D_f6jIJ%gkEewbrLOfstR79jOO;Wj0^?LEc1>O6Yv%e0^3A-^M_7 zJo0I1n)**9E))!hRibF!2fU}3qF5@Yy4=UzRlm@FIjNep`aaes=r=u!csKFwZSCoS z?e-J_x^}W;=AE|ZXGxYCc#W#K!Pv=o^317k#=SxfSroEtyQHi&itHvAs(*7L^XKV| z^B37*fs5+T(%XGU@`MzZ*Si3q6J0Z|V+q-^+dD~iP?unHEUAYJUi#widINxVZ0>!4 zBZzRCRB1omMnX+zr;cZAD_`erTpWzY_VHwJwI4g@qn3TZStVEw zDVma{g-*D_b`12hLYc!3l8@jH-G^w{{nr_~gDeF$de!>mVNbLWi?LT{HT;H(Oiq}9 zABu`aNBoGGTdL7?-H#Mw`toxrdj6Y}j2~jPB>epIS*>Bk*~~Q}M>r?z(O>+oAO<2x zw>TExJxDxyBJ@)TV5A<`J4WuU(FL8R_tHfcR# z=ExuLSHhg61Tu6>6vz~i+UwG94(YNi{7m#Tz)@QL=qrSiK zJXJp2!u(Lg$woOF^5n)X0R;h=@o6_AX!S`PC=czUCEKTnu8V9t&<>|!urT-l-( z4u4Rg<#n4|Pl~R|_y*^|)O-`_XhhGj5K-U5grJnu&nx+3?ryeK;}3PRHNf|^4NhB| z9R8#>^BlU`^a9ZGW#RTeUHN#kG8Aq5CntE$4U63MjJrL$W^7{2$WTMc(A8w|o#AC5 zk*=|C#Ej=s5AV`SvZKwIk+1ef!^N?b`@Ec=%Ek8tlP&^wFEFQ}HGYa~@U9f5o`Bo5 zwr5W7)JQTt+O(3|t+PGYT<1y#r+M-pxjZtpo!ef^f83|6G9@8FR9?0z3!5%!I))bB6uuJdg3`usV2{rcE9_d6$6YZwf z?v`om=u1o-_P2+cUAjNLQ!;6jm$l@v-lqzHl&*GV`&q3lQ{p-v*+}vuDkxg_nA#?fq$Mlir(5^tSm+KOlmPeBdog>dgt>5QDYr;U%&M0~ zAL+yofKp)T?xz}1>gj(|#I8ksU2jIe>f5vui=P2UJxkRtE8M7u@o_a_UTTj51mP%f zl#m^~Msv5Ye)or$T$-j;n4Htkxxx~nz-!qe#iCr`9JyKZ?0TcafX0oyLc3trI!A|+ zKFDQPVGa6SpUGLJ3mwfZ;B}5Sb+{|lhKT9mMo66eiX9SkuQon%e#F+-ei;xdtG;!u zvG5NJ1|&9Tz3aE9!2xB}s;PZ~t~gN2qP=Vm0d0SBxv^~5@j9xDtCVwI+YPcce9|&> zS?bd+Gm?q9BnPL#O*p!>gZ$ffK4yR38BJKNKdbN_EUxIr?T#!VAi`gAVGTvtImHCy zSjgL&HkAZ?!!_sA>-Fb)@UTo2Y%LM7k~^xMBk11RrRz1k zXvp0OHvLY*+OjMnXCUx|&gxSK3eeE4kT(i}3m2%APrt5Srz?^$>&k=K%+#N@JQNc2 z;XX?lpaJqA4B>QgFblzwJV?QYx7blyd8M<)_gZOn#|kM6zBp=J^)*OL?)L>g>IpxI;Ft~*;XJSLp`0(#`;3%!Qob=*cCT#?y@nDwM% zax>rYH?>JYG4cy{`--6*5h1F;EuO#&v*RHoZ7``pP&ul zXR=%e6QWag+e%`B#wnyo22t8wEYgvvd=cf33oLMH^af$XhSkFFQ zmBn60z4swZv~Oe`cjXmU06mWTNNlFeoS3zi{n+<%#ubJ6iI6$2I)Y%zz8SQ5loFf1 zHlf|?@FSctOxB;wsE<`l+NjnZgf)r1I-c}4J>P3a#GuvFO6^W&ZYXqhL8v6W@*k1Z z48213@FM(RzmagQC^iEz$Wb1-cABgZm0ejj|?Te~}% zVCrMdY(+j``75#b_v&sArP=$F*|{Sfx|p)RB2d$do;m5_D|pRhUzTnUTz^N)-Y@C7 z+~nh!*FKg=cMt?-KVPZ0i2|bqns=oSQZVNn^XXREDA@}qDci*cM+k1&<$P7ZgU8(P zq|kWlmnK3zo%*i2_;+>5tWx`AQTL{Y!QAGz+TCYi?Y^uh`ZzDIu27}3fkv4yOt0iF z?WNaopnc82zmBF1M=nDPR0D)SbY-izYwCBY+G?c7eq3koj*~I|ESYJ5lsK=jE`tT$ zL7@LQ?bO$>T`o3Tf$tbk`Q|=D&(M2V;1lVKQ8seFa?4u1^Xv^%?GZaY&EEa6_0?*@ zqZDPuqw!Y6%!D&BEATY9EMR!w1j+Izr)CRxu#WFj2bg(5*MphPCJ)YdZ#wg|K)7Uk z6ZW@&DnRy?!xi@0)8G!J-jRjX3vbSsONH|9lhiRk9%b{IUufR~M4$I#OLI@iPxhR^ zX_iai7kgtsR9@XM?Rqme&|eJnB$D>8UMcX@zwd=Z?K#mo zz8l`E?ewx6;zx+Rcs0?)Lk#d#;T~k-CsvN8hkyh;L69}|7RPLyxYnAPh_X8Qf}90@ zp5FSCQ1zY6?6j%oG zaYi9FKNNwB`aoxbUfbIGWAFr4vam4e?NjY=L4{~}@&OW&PM-t+A6FL=!f(ImZrY<8 z599o(Dmub%I%gba78C9npsLF36(X-?=+XqGSQPeaUCM-rwgM)SG;M%0tWEJ!HZCdL z9B^i%4@RoGyni?{BRgI@HWg*?!Jo|2r@v?atv1iRgo;DgR|dPmsf6=LHw)EJ*Y8h8 zu*k^x>0ZWycRxU~Q#ChXL(lwdVr5U0)j(4HNAP4E%Y9mt3)bW_jWWW5HxdR<*+%Fb z98rk6ovOlpY=4SK&GY z;zPmPbyz{=Z?fwL@hpoW)+4#vFLmQzYmJDk0E773s6j3fxkih2Y4=_}q2HMQ@r2c7 z2JUFg1ls- z@OYV}L(PkOOUUj-mzxZCh-Vwqp<0_S-=vl@h4_yFlss2EzS@ZAsh&6q@8yTGk<)&s zrsSQ!I;$kSwzy;kU2+DO9)$*cXs3D1Y;R1sH@rc;*Kx7UJlZOTVSmgnW^`0pJxjEA z2w|8AiI&9`7bN3SDpmI}AXhw}Qh>7&C2*Z9Y&cjvEEPfIQ4%@k^@tS%&=^GB3g~&5 z#Lp@^Km9rV3Gg27&PUnhai_Z)J51kxci~v{<06Wp(B>P0B|L*TELH&aLEK|puA2p zZ~2X7kIm+E=Xq%FA08pyK*B@e=MI;WeRhyE&xhNlB=<=m)v}k-AMrdNNk#GW>Ys3f zeBkPNAR56^=%9q0yMP^qII*j$axaAV7RI@;vQ)ARA8JP;-^2PveIrF%e2Np|@@4%?SJa zg`{PQn&-M_vgof$yik2$nW6cN4zgf?vEAT;aDJh4hZ(2^*=M;1Hh!1?X@!DE!6DpdC!#8bG+guXuC=!Dym;eo1wcElS zqrR~=j|2n13pe}yR)!NtSJ6tT-I{jv`A)4?4zLd$OYM}Y3i576xo;IK8D0`Dwi_;e zr{j&BuX`Ux2h&MV#jrYW3W!a3p=%kd8;^kc;$sa+WX2OMu96GYy+ujpP;uy?UG6{t zn)SyS_>@2=64}M-x%YDzwe|{N;FQg{&v1XqEp78sYfK)Y^hC%KJ|L%S-w9imDke=x zLCuy$gi+T$|ER#|Oif0y%hS43^C_KH`jj)xwV@wRQHU8O*hy=xcs0s`5i?%x_7%Xm zl`i-kJv18%X0{?_aWxxw2EYtt1dkcF%H0($J@Tak=c3i!dB+rvsokR3x#l2m-|!wW z?2@P0{auG8r103U&`=8B;9r1tf~P(@8Dwmj?Z9Ga-AX@Hh_Ih3D_?<{(eTE-mLO8^ zJU_Qx>;$KkP(e=nA%s&4CfU@>p3X?-MLGE2kTI^vG`^73B$f!xwek8`2f7t2b<)d z%?aW4oYk+tOsmKKkzbojIJHjVnfdP8FQW&|`myz$jN^vj>+Y8d3SaH0ssB8lC3}yz zl+??3KW`>PWXYLFey_hihKJ=6TP-v(U|GSm9Jp&N3 zP(CxpqjUTJp6~;nc*{4+hR^nl{UXgPt^bLp*6$4tCBORW=KCwsTvpOt=?UnvcGQ!Q zd#6j`lmm%(JYRUR`uq?&NTJe9IT%<%O;@u5=7|Xis-Z-Qj8t((WQMumggNJYo#%FML<38 zL2YAAjyi#k6xP#n-Lsj2U+-P_0iOQL`NuLkfDXYbFfjg7*2= z1~u1B4-egT%<0o`HEzapDEb#lV5}f0Yny#35W9xl}(cQW@nXB|Yp6!m5+DUYk*=7)%9Y!4@9c#BM@-(_H z$wtI`BJ*SuxE<^E0ZSsnRp9(i1=dXks?@XWr>z82_ehLP;ai|v_M+rQAW)fY*Y?d5 z>!hXfM`WG}Ca`K_uaS|QWAxlyJ8Ii=j({6GAH+|)^i`lF_VcStW^qhes{yB+?aZ%8 znTt#x(vQ_T6k|jIL+P?_wjutyu7ylxqmQ4~;Po#%)!}xskW;1anD|7j?uem%eSuo4 zH1|a0$tv8@kHEcqYWht6U7WB&V{Am~uB>1E3FQ2&Pu-2QBSei-`sWnWyF zQW-XAp95wxm-(r(v71PR!^GGSagE*2bdmQb4WBkHl^c)Jm-#rJcP1_kjkJ)m6jj=n zy;_*dS|s+FzbyD%C?dqSX(U~|6Ipv{?pM9L8$pY#!qF2mk9}~ape*5!F)(DC?{OhM zPls#sp90GdRRU~8ee%y^OMP!!K_XQ3=74rl^96zy3R&o|`yL)F`K3@ow_g-PQnvyT z%6F|vv-3W@o^8M&TYuQm>}O|%^iYwMi;3l;fwnJwmhSi(wNp(v&NH1DMVGrYgCA#o zJ*EA7wf<-P=zl{E_)R5y@tXgm*vq^DJFoWOl%;yP#=w$4DnmX#2v+(K5*Hvaw!iSk zT-FoOpaAQkCuL9(+4JC0EEaST0o^_VjN+w^M1ldwY{2Fkwtg3I%-&crx;NtCR`O73 ztuyq;ZHaH3l`ADn;hzi1SM5RDIuhMsi>Mu=~#dzHWODaxZH zjPJ?!KknTGOr!A_az5M7epLol9u%l3%77=pq-u1X2%%Y-#6iAVXXUapJ#-t$6CuPu zrSyB>g`=$8nM!rEl=&!< zUl2FkTX1pUj~XA;+$O1m#?9n!ejGbv_w4rIpdo+%pmE)!K(Ub%48C|rVPC#lkiTZ$ zOiIO1z2~V^&E@KqaAsKWq|t)K?brG1;pm&B}cQ3%Lk-mU64Iv>*cEJ#vDP-0ff?UOZ5DlyND7(CO4VM%+OTqBc&^M{Kak4gg}S$ztx z!{YYABXs!fEK<&B26f1~Rc8fI(LSKlNobH}r;h%2gtoSJ_E_*PDMA{LdPD0nbg*qW zM<}evZP;2LRQK7xO_{$oL0`S!mb~@paUawIy-ZR^fAQ(h-QVXK(^K9EGO(Pp;?4uv z>(3A71F0rN#t4#Xq*RQrqiFK*xS{x#>l}4hDT2#0u67n)qP_&WFLH zB@blHgl{}R>y?utVNz zxmbK%@3+HypnA^G24lVG3qcvKQ)1!$-1TOz+#H+%0^k2Q3%xz*DE)wkCCrSb%3< zz~JpjpNXAF-|UKdoUD$te(PxGeX;50`(wtC66I~fhH@_q8T zw>oR!vfF&X`Bcqjp~X-Zw3M%~ZW8dQPxh&tb|$ag=;{u4>Xv%j$*Oye2;uv#XN#d> z?`pE7Tkgdeik<$9a&RG{q5kKnz7?`;251yDDY`r;WwA5Q{b0TxfS^E}|eq6C~{!b)zzK4yJ}*-s|K5^aoe^z$4!pYwRkAIH&pNIEO9-7;-&V-o5PoOEFhBKC+ruyF1;`LwU&CqG%)23b#lf>Mo_UcIFO^0dgRyPi z8819z?t$!tdQ;p_qmgh|V6@_Ddl{4Gllfm@8aC>;hQB=%?dw^Klm0HNntV)5sP1A# z6P#x8-?)_-72%)76$_ukR)l@b-ZUa(5O#~)BUKT_r)q~8O7|kEZrp9Yp~31Stb;Iy zxsn}qcBVX(Q3F9xR(F$@rz>2D z!{wM9kd9=U#Z9h5qoPbKEdI!HwA z@82G(9@Xz@Un}|0tXlSivG|=#M5?W;hVt0)m5Asr#&jHi!di%RAvVn29NM|a zKX{z2r{CAQ9M={m-?$X$08<8S`A%2u^8z@nMvmi7!d0l~olWpUPeJNxb+`R8HFO0V zgsaWpgDh@LG)epFDvuJ=psGa@z>#!yY}EDZU||t1KztH!8h8qOB%;uGK9sgo4481F z->F&n$i&r@cuT16G{bk-8*gYFl?v}-BB{sYHpWc-IFZhzXLi=a8k;4mLJy&8wz*}m z5qwGhVs_(2t{G|2AikNYoa|KdxeMq5PQ{Kd-2VjNVP_)UjwO!bU0UfAB;{Q4U^Q7# z6W=54CD%#`mlZ*pE^F`l3kCk@Za{Jy27gv|XLi?nr(B)m>2uvl>?arJG-!TcqQ_uo z_ATXd?p|Be_AaO)S09i_V29K%zt1@5#l|s3Z&zN18GHWpI+7Nwng>i=#>Pg5S$83>65;bal-ih{vx1dDq|K6Ld(66ShN6jmuN z#r4~$^;}=w;!Mi(Vmjt?di!q1I$5uz*y#KD>L}K3=W^N0BX}*qEeeO9g?_!qBzfH- zm+n*F;pUTxD@`XYk1pH8>p5gAMe9?PJy2;czzYrFQ%7=w zuj1$(nXX9j!{FAFfs*6VJHNe3a@+^4t(eBpoc-esMFZE|=i%O25~fKttmZr~e8zeu zFJm|cA}@K&E}}@iA^^I8E9_WDm2*{twuM(Me6fTk_#UU2rlz#vn%p{! zT*C7kcC3bSf=U$ss~=~7#lHpxxUad}KL!ObNlIxWDIZ;3Pp+XDXrocFiwV!JvJm*C z75~jZta13B&mFChW?4i6MZKraGCTC;X;J=z?y*L3RN6TWO8V5A<#bizTkwg351KM9 zOB@p?wBIGi4Ex}lb6axpwI)B|pjns0*F?6m+p*f4-ekxB8ngb*aBaccEl+9MY<^)W z-Y&FYiVxZu-kC{eWL|qOBto+lHMsV@S@(k!##tM1dzL;>?9;RTlLBKVILIVP;@8>@ z^&M4Z#p^xJ@Oq`w5oCP&RhL|c;NiA9raaF(oL|m_lj6WmYlcnT#pPMb+-Vaqm@ve`V3;ucE!9nl3jeH1ko!e1)k+X0i)@|5{p3%@f z-2SmuZy8`j)5+?+wXg7mYoRgV%GO>p)nn*J&0<*I%Lo?t@mWFf%W2q=xQJbML508u zrNpwC)N*@@q#pHg-TE6tMiFYLRPA9*lZwt&M3ZjE)duOMo3dB8_cMfUlj$?rA4*8A zTY+(*udiUEcp{Q(+vBPCeoN$Kf1>mDN+++*46l=>DCBil8mrWOF5 zx$xo$eLk3DRktcSZRRWMYflOm!aYvyY`DDmw2i&Eh{>u=6F=U~PUAPYJgz+7-s6mX z;S%EOSGy~u$P}n1I#UOD?2T)?Neh9MVg_N>dKc-t3>5 zxb%o@9S%XuRR!yRvHIadZ^5UF+s7g2TiP$mGty}2VMpa-TXoo8_05hsKi~7?@{8kh z^mhGNs^Vaj`OX>EbSp+xP<5BV)n{(Xp>})g!xEyrpz^F_dMj0S#u`vH!kh>R4fqj& z2L2q(5~)51dYSKc$tYp|IyWv>h`!~-s<0gMp{v-UojcrG z1@|-|?G5K}Txxu*Z9)Y#&7O|ii)?6e{Pd|w$BE1bt8=S%W(~xHc3w}T)f=JY0bkpA zEo184&nxW9TeFg~2=Q|>uP#0JqB9(xT*BSka>B1SE6R8J?;0BAbz6T&Ud%;fqR&}R z6J{83Sds4mo$YAeNs}sS+!uO!KDX)k{gP6dq|TRt zZqHLl%u?n#VUQ0sVeePPht#<@6SB~3hcIqf_x7G(Lx}|Yk5SJq2a{EnrKtIul$j_a zgF#1+lUL`YD#qme;@K&5sEwn~TherjNNS5y1uuC7l4@|CpZ%2nE!EZEVKbG}Oz5@!xCgg) zpG$n_{8()MITjZt2iCZlHnr6jEJ(P6r@_2LCAF|64GnduP>f(-G4iEtEOisU&}B+P zjG92krHVnx$i^$3=~+F1LBZ zPx48l8o23qRHV+dzZ;Lqc1lu>^K%=CZ;CV!j+G6ymULrkP2;e6t0RIXNkN1)szbh= zYuJFtj)C9Fvjw%KBnp3BXTV^L@d_Exll!i=S);gznYpm4kC zTF|#VithT}AL)TN6r|KUjy$7$6K8b3u?}IxV$lOy4zE8`Y#CQ1c>)kaXahG zhnwB*LAN9vrmGGmU1n@GQ!DAuKE1`{@6LG4m7if508~HlLb6}m(!hpF8OUG${A{f=TRp8~9CWGh)<~f- zkW6?4RsFF}$I#H$IK`*t*uYl&)pmCUpvV%6CV4tuPlX>c@mtz1bA)m+$vA(o$G7%P z=p;Lqe2^unXL3Btte;ol?NFjX63P{#__CmB81O((Wxz%Ju7WJazY1cHyP3S{=4DcK z&CTm7^XZ9;c7uCGri%Tx&v|15%7xe_ZMGW@F(~mvBb*ocb#nx_Wd>4?-o0Gds-e5% zjSGzhmAfvlVlvxAH~vd5Y=7$SYoRx++`Ql)@4Y<8gMa?+^0BcOP1Y zpD0;S>QlaoMBo7fVY2!Vw_nBGJTflp9csp0eSA0)cr^n5ZA`LXRg1JK#M#1vANqMQ zF4@FZfIDefG@`Rz&+DLiRDrcEWU-${-nJqt|9eKOt=zJvi9K6d_>=fCOS-lFD@H`w zCdnR}8n5{Z`i#_$%0*ZHo&hw-FrlrYE(B^_3V$#*`FwSGG!%ZyZjgLO$1HuiE0pq5 z+Cx1JK}MXK+5Zy&=ba{RW)CfchlT5A6h-|8OLZ>xyej6KD>rJzoeHovoCQ;F+70zl z=|}de$s;mIMyO@QyOquLTYzC9y6RLV-6_nf!=&eR5&+FzT3K!-)_DK%2Ln-viG||)6`m;LQ~!qAv_*N_ z$S88!*?bA@(Fqg_vxsZC!Y#cPv|fx@NVv6^o2PI#w53dqB>q{WEqPwhlQxm!RnvFr za!vB5tnV)82pid60_V3nD~f{knw0{d6wuLw(I){EC!6Kn$U9@V0`8DI6(rD=RZY6+ zzn2BK9T{83VGh6`-9+buwLxY5+)nFPbog^@(a$SL>hUt)drF6Y|H}W_EAwvxO|tUQ zpOODC)bo+1{=qpPft>-c6FdhaaUeUmAf2J|{)xpWl&5mkY>WS&2+AA_#o;CObWYO! zuJ7U-51$o1Tn&^yJ1a_z_2fcmq_*M9c}BoWCYmnz4vM~T2!kEYpC-BJPxXtJ8WiTq z0?!AxNc6utTR%Q~_RWIR?iLe)m_^FP{+ZdLkSyk%_CfbWF{WCfq?CvC~M)cV*D4>NW~m=~nh4>^WWF$*2I3?q^zKhNe z&6Pqj(XWwwx6{fvV_0O=xM~OMJ5$eZ#j6awe?pl5!1-=tC|f=A^j=mO`0~REr0j0# zD$mo7HAz}lI1DQg`o=mwu~La-@;=e-Z%-exv*%`E+B#bNV=C}%*YM)4zwhmTCo8P6{a)<@>!OMy{{APEe-QU3kIy7L z>;(eHf82<|%#(*IlV&SR?&r+&ERZLVA@5NR%9ohEi0w!-fwi>^wWv1z&OO@i++51` zY@H8`B29-ZO(P`EU#j^CXXy&!f2i|IVrX{nw_lTbT4(bJ*s)*=YhMxs4G3MC3{e!StIb@??5w^J9ZFaKYz9?$;r%um1n4QsjW^BY z32c2?9Wv6_J{Y&6>5CZ%Ph8D}z}63Nxd9PbzD~rm%3$i5HD6^?K+ZTDLeorFd=sF_ z6tl{}_%B-6D#z-4)3jwh3k7nM>Rq|mCPri;Lj6fQDODsvkJTb#S8pu!%8!=s7@BOU z8wUyGBCSW%(_UleybIszzR*Vzjk<-;jUVcli`uRTGZj5&*hF{j)qEg)+!q<-;+VCb z)k|v^y`_s88`06#owyIbp~)MKDy}Oj&JT@+9G3SveY#K+aV?6I5`|LnSItNLp`mcd zLKGmiQ`ZfZ-v3q>Co-xx<9c;lsa~wm@Z!K->Q=%}l~=(m?my%jZF{lCFKz`QD2RQ! zVeJjsM;j9}xI^3;YTfSs-s3kt75b%lc57b=`@h8K>-PTZP3Jdg6c_n~dQV4kS>qqU zij<*$kW!y5yfBiJ8b}TSy$e-<(}8a+UX755K@6xM)TVO`Kx4&0m_}3%lijr508#5X(c_l@g8cV!#)i<)IrF<#1>Aur6#nSb7ijd~+%I zZG_jw`|o#6v8^JU(m}s7z@uA8KKn-@Q+dAL0m79e9umvX-@oR6=L)UGb;;JRn!XcQ z{3m+#l%&z;H!Zdm-7!|ZIPJ9RgUvE2U2c~8t>qT=qy4xDRt<#ESvimSwmw}#@DM!xd$r8TkJo=rEnq^|9B#0I^0 zvI%n1xAfSonYgY4d7b>Z;27y$fa@&9Bg?;fK2J5zeYR^^>h0Tlje>C*eC(!1@CkU* zE_*vFINojB?BS09IcN)C&z0+rvvnH^O}1>V)mp#ZcdZ{=Wp96C6zxDclI#W%K3<86 ziu~A^uV1=VP&o^o%H1-sPQ$l=CtGf>{`z9ka6YqJ5S~UT$E^)ij2hTZ`V(E5Y?(Bt z*(N0_%n15WX>f@i?Md4`=FlF&Ze4T^*^PfCTF;$4F4@tu`uj}#_x|qV18nxQ?I-03 zJ9S_mw~0M8eNfX; zn94lf8TfTfayj;9&&AW2_#0+dJ~&%P1H`kh5$0pze?)zvIh?!)Gp9KeCXw=bn|nP# z%}x!(ll-K~ROsuXR$8@PSoc^E)NS7~-zQfcgr7ai&agNsqBKJJd!a+PL;=8wp{-! z;_2_5`(LQ<*KJN}lDdjZ#?~8uG2wwe{#J-g{I~JoX7a4-Re={*PZbXr=|cH1FFt0l zO0}^6JGH6h4&eLl%+~UdM=3%KNNrMY26>yzWh?e3*sW3jUSJ>v$-WP>c(aec-Z`sL zjke-uW(?C-vtx{nHK4T%@ieS<{5kjw^?dr*@6aX#N+`PDsPCFKT_g2+f5Q78b!(QI z4(4&;z)i;DriK9G#Cjn3AseRwsMrf)x7HCPq(*fcrcl2z9~hYuHUKMscKB(X#@Pmn z`dA>$AW0&_pBW8RsJX7F+%5;S@3n!7MB_xwVkCM!(Y zolrKyxv+m|nY~OuOM}e!Y2g_?!dm3#pGRrs;3m=xx0$GJ`GWflUYEyRv5#=POqy!~1?(*4eM~nS$S?qu6 zk!`;9|H-WAXC!O%+e`jKg2?f`7?k3DJ&``qUs+D2t)`0KVy~fTGfeguIjjX|U+yUR zl7L1MjE^vxCJK^^W$?CtWjVRD4#onna>QR*PMbiMlL1<2r3)b|+T)vuFPB|WyM3cf z>$7~gRl41c=!l>M+TJpaBRdk%O7*ftf2^rUQ70573Dek*eGm^|O~$xskZ}$Oov(2e zM^|rNYl3+b2buhX(z(jsE21yTZ}&3W0*~v$lA?}wX(J?2!!}U1p`oCp zP4sFl-F-bjXcTZ%2wzb@aYVRCBO8LcYxJ_iwCmwZTsM_HmEp9kV_`2#4J+f3$A?Xq zZ9u7afw<~ExcK}ooa4|Z9KR9Lln0g1cT;o96zEbe2UkvzJKu%*)!B!wGi~=e^Q;O7(8OvuVP=( zI#Xvd-V4=8`9sHdi=zW`beD5@6cUr+&^xIOs{J4db1D-W&A^pd46)u_%1qh<$toO? zmp19Pz624^-UH9ie3ojdy5Ritc_Y^LBOMV{)7|X(f)F~4!TZT!>mj?g!@B^JxxY*_ zaU!4IJmvCA@uy+J+Bsc=*@27>b`<6Fr#-TUvP94pKP-82*7V5yf+^HOo+5hB#@5z8 z-c+&HW)9u`$^I8RcwS_Mq2ga7<|H|>NIBNNtL$#uNEto+k+q^?wRYBQ`)q;}Zv93~ z5Ip8>gr8sGKHb^McQ`!BWyG!l?OO-A^rHK(p!WaN*SS0!ndkPdNI3mJp0(RF{#F_u zz`JHTw^bw3#Qk1M0o4`^dl$K8{Vp-_cSO_5|BYy(9qXYDPTMf!ByGB5^4aEb-zJ?r zzdH~)$GGUn`%%127~i4ldzORFi$Su|II21waDqf>ZsiDpU<(V)TrKIkobhhCx+c0J z>Uw|Lh8(>8x%_&7tp1QuRb4%Q(bDmrPI4R1*N*UeCfN5Cdm?`61D|mZ#uyJdH032m z@^~bK->8KwVyllcaFcY9E|vV1e9n_N#Hgy;*4o{0e~(gxyd*U-$9yq&h+Wh#w)g?I zBp@!*RwBfnk19$fcD6D%_db(|&1(Z)Uf#muIR4xuGxEGP1ARn!zWX#iu{f zwWe)-)akN(v@chr+OGj(L6;14XECqog&%W+bm@KX#!?MT?#nB&!X`S?P`s5(nYi5b z+(kx9`7wTtg*R8nu42e_AOc3@uOmSePx?2n#vu-VcqA;7PrQJ1g;Tv}m7{808(3F- znUWVKqMcR;3kk833Dach(Wa8I=o!h>r5tH_20aW}G05KN4wevwnU_(mI=5T^%j}Y$L1}2 z-%0s{xyd}ciC$Lyb65W_pY|Rq0aXFQlCo9&1Loml|D&%-g323K<1{Nyq@Kd=l=6cl zJLF>{)8e5R{_S2`i?Mm3IDWu_K{mAd;IxQUNkycCUA8S`#`PM<9d@+dNTje z?g`URb*D4Ny=Yn3L7@5h?6%1(Hh!az#VHzQdY!#Tzcq*V(YK803ER|87 zq}O7yia+J(qxR*hxS^IzYZqyuEq&VAcL1I7AE|?XN&B|y z=nu(6CVGUq+I>g?(dk#`_Jsp+~w zr6*`GfV$(lr=2RvZ9$Xy_xlBLKs@_=3Tfe28abl=1tK2+&-=}l)jLu-vT&?%STt>hN&R-J{#~(mPG_a9&Ds~+YC-dDE z`_HimheOD>E9`$hXB*=6l)R46++(YeYXlaGb0ugK9g*Yd-mCQ+lVM?DmW9>?Qp9;& zX`ubWud#v^jH;c+w%z7%c~gyp>z9V+)$uxAzgOWaYS<~O?t+8It9tsVBSzn#pI6og zzpGO3F)H5w^q-mZpZ~;vd@2Y6{?P{HogH+4``tITGZCG#!TY1hJdNbY8C2>x+TMlC z-;j&^DpcOg`?R04g;pMQ2gJhyS$vdk0fn-Jv>8c)vL054Xb4W^~Kwfb?^upj_mO}k#o1k$O8bc zI`a;83OF3pUa)A`BF_u$>C>dAB;!s@HbgJ(uP6|Jv~BvbOeKUt?(V^zMUpy<9Iwy+ zTJZkgJ^s}5_rixb*#y=8<1HX8*jad9 zixD#?%<1c$W|e=1hWG%XA>B*b45pZaS57ir>9Fw*HOdJsQ<0oj@l~bt<}_H#eG`dq z9-6d=Em52&?dnIx#exbrBPGg$2BTJp3?`&ZviPp4SDfq4<*J zrOrfW&8O*}nwwK|bJrDPgVhZt3r35MTh(fHoUIn}^W1TfUxqr^{cILg zSx1Bl7P4+7xTG(KQ$iTdZUM*6@y`uV?R*q$TtD_W>khsXEPH4m^{^`sci^I_v8M~? z9Vk~;9)J1Df}eSSc!2#Ewug))y4SgAPgihj{5dv8$S)vqRpidU!z)GujU{a!=m?%w z-*0`;9yxzSPMs=bv7y$W(= z{{015djNqg$rvu_6(hy&xH3>{DI4+Z{Lesf+HwuzS^Ras(v57P<4sE-xQ;bX4|9!F zqS!$x&ua;mcQ$8_?m2@m&LruaO+18lc#qi3)&0CJkZAdTSbOWRDBG=XSV{(wmXHn= zk-mYU2PqMe84(erMnI&yyBRt~knWU}kZw@vPU-F;XUOm3e)s*{?DyOI+0S=;&tDu2 zm&f6p*E-L&&b5A#R6|q(_{5m$*9(%~Q#d?W>A}aGA$0Y2a)!Iuv$PIO36pfSD5!OA9&^6*Cq>rJvN3fVbJ4n!@@Nx8{lr{K{m5= z-MUWY#iXC|b;VsL{6iZ+n1<7flag5IOGg43*DGu^f+O)DOhv*zyC>x^k>SJG&tG!p zAAW(+SNP1 zd+1BA7uM8>j3o2u=q7rOF-oP~tX}@_W9T0lz)%r;60p0jxT-fF)AH~+S|92R6J7aX zo1iEyH0?B&vV~+#E>CJKjW(vz;6hvujPrDb5! zbBxQGK)SA0M4}iM*ni@BSOBh*D4ys0D&8$vEuux=u26FZKaAvdJ}>2^ zcpr}?;w)1mMj>i5(gxFOC(WUhZdi*D6SP7HH*0c>SY?%#WpI<*I(@b70u;^VzK%+} z$+$Zay8g&eJ1;re1B-zin+8fhyaRCM4$O0bzPM~eUcRbIN~OaL$*S0|fi6xS>l|mI zg+TGN=|OUBFGWu=(!`+lUDY;M$-et0d2IRnNsq#f0p81nH1E!`aqIYG0=cdPx~JK z=oYE|iR#`T4;m)fJKh7xBR$C5Fc4wn4?W=l0zh)!nHpjlwCD9Qjmj!}?OJmF3wtlZ z2+DP6yd;BoEC{y!)g0$<73@jA zftLp9^-^7Z42}YeN@}H2WVmvKlpe+pnb??WJ2OyVkQla=RnyY88xD1ojQljwjfM!1 zxGA~qzlIC*6g(1%-`ZF%I9+-gAYEeevY2{2b5%xkJGc&bW&7%73J7jU+a}PYa-#)` zS2YTZ@WRhgd$tcbou3i8I|4qH3bj~snG5lsZ75^O20Or+t@m;P8^lH)F;)3Ykg zBs&SHw$7ul0c4+r|CD_${tiVkqEe$3^@LRN(@IB+os77Q(=zfZiH4}>JWAblmseXC z)Lfp)nQBY(s>6)5bmJd9FeK2?L4T}x1rFemi!?5g3AB}l|FC5sl z$sWGJH>P%kp=4FZ7*ZOE@Sn>Nw%<6wd{L4IDGf0~^|Svi{H#~ljA+Nb7JkO^BJu+6 z81H}vqJpJuB6s2((13cynz)WMa+8YyrGyR_{m3)b3ULiGmXo|qIrX`Z3%3f`^BPaS~7 zY~;9%8Vd#7OCg-_>6<=;(bt-dcQltlIi1-;*8M*agtY4&c0zirNsg}Kw$v?$e&oFIOMiR@b@fX(7Bc1}FX^OSS4`fx_!7UH6t z-SF{AC}uYf>2!On_D7GaGl}gORd_{jQkR(z!RR*&Hyg?+v$5T!B7!gn^k~uXK6~+G zOf1|KK53ue3;|%>QEq3owbwNCtpUWP()r!RiPcNJvCC7z<2AkTiS94oOe;oiPXe-| z#&Ti8-M5LTKUwchwARqLGW~98jr&ISs|%lDUi@UY(@Z}Sd(-UkjhOFeBC$-yQSFEB zWwRU3<1uZ_-}yhHnyod&IzTLNcp$Ud^qIkZKFQU-LIV5wkmEriQ`7=$0#Pu!Kag9N zt}t3?<#0g(%`>4QnnH$voN$LKLks;Jb;~VA3={`f(R&t^ugbI1Y1L`bR3#Jck(A-?!cz!4F$5^J@f?0WgBgVa8V8 z4nj1cF0F4}Z_+`h{RBF883V(jVeGzuweQIAa3=LvhIem7J3r1ggmWhTVP!?V;lT9` z%8}8{useLNbJEb2V_*IYMz_W~qh)^3DG@P~w9Fz{QM8$CDqwNhVLW^4=GaJS-dKFs}KvJ*>rDLCqEziIrfAU`32dEtK$jv_pmr*!)wCgH{h zwdZ31-_9ME_Jf9L!r~-xJ@&udxDy0S>_ytm zf7?M!xa-e@+)(pNwxA|X!OM3y zdGJqz@&2^qrrAr)UF?QvC}hOE4n2B^2DQ}+e_MUPoa}-9o-)zlvztw9QZSl^TGPH= z#r_h9a*9jT<2RSsRiZPOL5fR*764{GdXBJYIC{&x+!Mz;bellEXH?xr(dE*QG6bCi zLF1jZ?wUhW3ZC8-TboN6$7OIg|43N8=B~ovxLz;8Vw@1ndkEmuB@cV&z;5@J0&|7KZyNsL>t+41vAf{S0BejuU?)s zj*(&P+R&IsfE*((euTb}u&V5FIX?CuvOn&ePB9H|cq_=YIoVZX?pAZwSLM{F^#R|Y zaaDE1xk1t0T>rQKcwKDo!KTsd^GotgT3xN%Zlc?fcDBe(qiSyosX1U2D<*e<0{{k5 zS@H)CRFVIK?8qsbT7S+Z%sO{5Yf)4Y%+=5hOQ;ni>DxK$N*Oe=e?LHs5#C1*p0d_R z;9qx}vI*avSkFm*eXcnl@~u}fXW?kOHb@+~=Ckf_xI_Xx%2-shKzgw-fOx*8;PlK-)gCBQ+~dlzGLrYRHt$PW72RE0+5cI?a-!*h*Lp7SVVg zRO~YDQSyr4!&$~n=WPH}*dw_0V@hEvmV7pMvV-X&v0=n8LUEI+YUP@3 zt(zHZp-q&4EehT!_-u+|3oG47Bh${$NDNW}g+&Tkb85ymC5+o&h%Ii-X{RI=%q6WUTM&> z+}X-OAN}Ttyfwj|Gb_n;7gHM}8AW}g4f%Ja^iLm_=#m%~1AZQSsNN!%agWQhIybi* zx*>UU#t~u+qCr5YY4<~G()qCiYctZx+jnTbp=PM}_;k}^JPDczILF#W%VXC8*qp(l z#$)5^9QQuJE2xv+r6o+_`0?315#jTi)-a)8JC{Q#+v)hd6~IkbS^SDuj?Tnk+R4GE z(m4z=p;x>+wFnc_2dFttk%uP>3fxm;4wsdM^~dV=v+x}#lWSPXwmrOJL@vDSZ1>Ej zzLmHG7WZDm?0_7Y=4DhTl6E$W~RRO=O)=iFR~^MLaLz8-u(_ z(Y7k%lk0OP?$`&8r>(ZU2G_uLTyee8%sMAJRY4fQyP|B)7I=%xOl!SU&^|6Z3Y zO}2p^3eU8iL^@hgKw-01f#jt%3Ag2XAPbRIfU$|@nFKQ`|qGIkztz# zXfFm#`XgYFiRl^k>F+)HPyL6R7iR^=er=%P`(bO`s&a9x@r!$>JJN4;La^bo;x?Y6 z!?ayhsPMkp)Vc}0LV>&CJ>K0g(fJ3p+YTNjL+uC~|EQF%`6JXSI2iUFS?%9q*gT5v#q3cNSd^8)DVvf7hSe)e8Qd(^kh-9#6 z910UzK{=20C)@1c*e{Qa4YQp8wmT8GN5y3**NsN7>bdD9W_GpqSYT=l%<(1gaC`;grB>+E zJevPY9ZLJ?%e6YxS6OjL8=ES9F)t)U#YY>tp|Dx4kY6l7EUnC?lXdzv&-S9oI62qw zAe~Y!hU+uV3s#=Jj|b{?p0Bt|mV7*p{w98hpJlDI6zuwjDGH zAy9G)jZyv}?A)FUX#kmg`hlQV(mEPkbq~p#odO!avVcC6*IK|IZl`yz(yZePD<@MQ zMehMZ3%xOnFj}kWJWVQ08a(ew5u2z4{?7>I*v9WkRux260>5uo+!}w zMVZlE8Gn#L1mp$yx0@)P9`7qeQ<(kX{U2v{AZ&Htr!MI0DyV$&khAKt7mAu-1Ewr4 z7q;Koi_c>&jnbd2{_04_N$xq!q11^(g^XOjbZIgS$A#qIae6xIB_yx-9S1NFwJR( z{1%&#u>drBXh{Fk=;aau>CW*kJME=4{IG$%wE86%-e|q* z4Dd~~AwaTO32Ua38N_)5JoUM>E}3;y70;16Tnx6( z<9j0$lasLKzk775XrK<<+q`kXscxp%{4i`ciB=3_SExD{nu$k0%kx|7+fru-yZLF1(WneU4T zeP}a_hs{`Bxxmut#5aQ+YUa~Y`l8MxG5sI{dj7`_X8Ygk&j&Mq(gb_{o6K?Zpm-~N zUAs6LVT*YR&EeusNnE12r)-Bp&5o2ZwmK3l3gwz=FT!fKeq@AeY~VR|rZ|@UcAnbZ z9#(e$c(zq<&{D~UErto6F=b!;=0E#;UxQ}2Y4-$uAyI{Meg9py*a|NCx=cOU?1MW6 zoke{%t8V{j-+DAg(Q5m8COg4(pjTv(Qq~QUx?)^Fz(LOsG{9+-sQ!NYO+inauFiZK zJ*jqq!NU^4cUgX4VKHWz=?A9Oge`z5lFdHiun3wi^!<6hm&6ha&<{ux8?4P!W1u^# zpm)^H-)-g3j!otj2uOR@>&G1X1D3y=UruPvobQ)nyELk4?;1I1m)5F^R@l_Ds5F%9 zfxe=APT!Pja4qYi`mhK$EK05%GexXI75fn-o`mnbg;m zbZ*eEEEEjJ?9W7&9hA#RaxU14M?;A0N0=zV=fvBh#o^i&d$HWubxP2<8a$xv4ZP+1 z{XXBv$?h+FWauJ?UF}Qhk5#slG!o|mDva$+1SGrEEVFrp0m?_RGsx0n^s_c-vp}s(r?a-#+%d$k{#Go~n|4IN8Oms9ydP zbmJKPci~`2g1Noy@Ds47%tkR(STrsQngZNhS&n_OJ%HAuc=n4>bOO}qw6c40CEx~O zl7raHQBRF&pQZdpA~eh{j>Z(Svq|>|FMsOT@78;K>*B8Ow?E$?e39Y|sZ9+d#LYD@ zeZLP})Tgx1wo;1H=zw`3d(ml(mThx&<$<966X(X`#xXP8*#mWxLZcJ(PmipWDvmu3 z4`S$Gbbx2o#K(m3P(e*ryMH2cl;6QT7Yx5T>D@^-^{#4B@x+0UED7UXMPhn97tbU? z$*-Y^C_5~J){H>n;PwERAAuxHSxjV~>Hn?l!Cdz^$2v{bZNd8TerbTNwJ35;MZpe0 zcxtO=Rpe1P7cyvklc6zwYpE4Mk*Ue?QiS5M_|9Z1MXzQ8D>SDIc`GpYS-7IpQN$d6 ze_Pke|9@o^HFRc~`FyU_GH~LA>0=~KZ z|8+>D>VwK-XCDeaYr^uvy}TqkYnDXZYX%?@=R0mgJyoTEBRFG{Wv9GDluchP56Lv( ztxN8*FyN6jJE3O+usEJI9v^2aLlqil8!t|(CM{Xdn9c_-FeJprlig46i*B#7PRzJ$ zM;?Z{>C`7!96fZ|t(SLKfQ8!{HVwhV;-US@wAi(Zg0qtl)Sfg@iyl`khKs9b+m388 zA?R03)^}Z;OB`=C`4EYlp6y(orVBaBhqMQ#ce3^ca*Y8)Oy0<7VLj*g@6cg`ucuDh z#(z*=DWFI6hT^89#Bl9LKJD*^EYvb;28*pO&Zsqe_YA)0(HT!bL>ush~G1Dx!IXPm;J)HAE#Mr-F9Bhg%+Wkl;{#^M)fbn4zuNV6F*6 zQT}(Tg$p`M-Y1wy|7Ml=uM5eh7m|M_2w)D>G^kP*0ti|k#KN80?SGqbC-4~*6@o2O z-B$QgDpj@J1R|#aZeuyk)vohd;+0oJW*%@o!4g{dp|@33yDP8SP}F!?Gdd>k2D>`D z4>Ss$Pq*fKC1yT~J0HFZeC9%eWp#R8Lartrbv-&Fr{LO;_6ttx|6mRuw5) z56%Gh9M^sE&F-OX7eKFpcc)%H+BCSZA<_KuTFIsG+IH|LCN`@TGYHCi^SYFZb1fna zBTAVwd#go_lCq54e*`7vis&LnMhI=;_mbGih-HgugZBdr9`0-1$saOFEcUX}PI1Ju zi@}vB#JUng0Dj3YHW?}HZ!r5m|4r-KGJ+vHbKcS-31)Up;w=nz2BVCUwBFQ}cklASjdI{t8Qa*gHE3Syll!9wm}U2WE4 zV4Z55?9>UUKLU(k9&t|T%lw^v|Ml?zL`^xi*YSSsk{rEL_wmfhttsbC&h1l^Vspzb zn+u{jhiM~98bR~AB=?PHn5#lBoL)~tWDWPobWHn%=4|=C!4x2oRZ3?yo+e9^f|Ur|AC9>t zjCKebk16tU*K}v6^$kQ%f3z0D8{K7R^$BJi4-}`&&st)>RZZLa0BlrleyV*G8EjIZ zv0(=IkF3jZwHfsYyshGuJ0EVSX+2hGo3;>-o(~F)n2`PZw7iiO>0qwsQ=_q)4|1o*(ZTeY(v=#7xiIjf|0K6Yq!srcpH+KjAbK=&(ki#kjN4i0k{t z=(x$!&1LyF$A}?4CPU}!LmRivHit)(C27)|7iq2s#HK>V`%7%#D&ryoIw=B(x=Fm) z#bKkFs>E+|R7u+LoWw3Hg_r-cS0CpLJ>UjUNM%^>a)8uWY)QjT96)7Ja=ajZ|1u0MCpLTmDH~^EmStnTDI;-CT*xW04y}$+CX!38&FKuY^nOjeM;d}$&UkjKY`Xj! znI7`Rhz+1=D0rZ8stLWGcM_EnZw_aeJZGF{irAJJ%%D^vqA9gm>E?AOM!1euSs3{j zm8;3!{HLMJ0Gxql6$+@%eUb9LBP1M*Mrx4N+J9FE5!nN5Mgp4>jIs?RoN7L;kJsFM;ycKF!~JY zHn7I0%n7`*r^|yM_d}m|J{x}wKF1NUUzrSPYJKVN_Ni=F0!h;iF%dS)xjqPu!Aj9&y^Jy@?NqDIbWr&v zPcH-=e&c4lf1)GaKvA)$?6x&XA}x*w$!ZwyH<1XLhsTUMsF0q2Lhx3^bD|gG6CU)X zwFf@P_PYa`SU189;$^ms+w{Y@yU!RT*+~^arO=P})Ha{nB{`*ZAy9cpJy7Rs{g0ya z?sttFe5&qA_N)1s8L>%;s5}UO_-ENbK5QJ739(J|6a@5qtDG1}LFMw;Kpi(|WH)lK zGI2hM277olE<1WBJQg7@PET)n@`U|sLQ3vfp+?oCkMG=1P+33s^~jTNtlz&rs$Dfn z0%jk2Xu{Fs4mTIRF#PFn^72LTgXx+r;?+5hW@Yab?AU-(AsNf$e%>)P8&z^V{UFNw zgfvoj#U98kCJuNJ_C_rrdp1oJi?})p8b*Uc6H&(8=+lAu0$^T#lPwv0#QW@nDvYoY zZeJ)3Sxex2GQEXO4;sIfrg_Lg`tt@^@|J(9D&hYQS#r#3CVf-bjsBWpQ|S2==#7v+ z4Y~Ip*T>fKdhgPm&$hXt1tmlbYUWZ;vJ z#~5I{rXcx7`>>2nu=JNKj2_MFpZmG_7@aqc(-2@B+?w!V$Wr}IvB5v=w;esu4e@z?JR0!}k^qOKqJ{&k$($R%>JK+c#} zf=`UA-i#P_N{rP@fPH%ZdWsJ2qM2qw$wUmbDS9{hJ_p8*mrt0J`1fLnkAf&ECP`M3T`P>Xg%!4F3M|>R&0AMo&h>^^~nPK)Zlf)&0EG zXs30l_=4A>>{aUZAYBY!Upc^(qwbSsc4)o<3yP=jVV_s>dA^sTz4ORGa8QbGsp~$~ z*5K;p+KY=l{m}g4#5M9@tuqAnW65IIeU(tnVk`45I}wcH!2`*r+IKkV*MQ?uNk(_0 zK@p*6pZ_|)Z+^>v3K)?;Fp;%OVdoniGdE&`SgjiLLAC#_lYV3~<4B;YY)W*8jF5(U zI5)2`Dn@Ty>(hFRD9EmGRqb9$LBc&vBJ>laz^4!;v8$^xtm(C zJ)|=SfB^Epdw$KFGYk2XIcKDY(jCIb{&H6|A!k)Y)l>E_=G<8E#x--UJ|f>MimDy& z{YWR5x2ARquawy~3){xZSFNK`h1?8ExiekPd~Q+jb|fz(|K}xA`b{GbyQ>Pv5r7g8 zBHOce)TITL6JjEPTCbV6>_!Ou>lNvbygo}DmQ)3gZ|bWz{gP(9o)W4iX{o*wV|5k~ zddB>f*T1z*)0O$0pHi?(B`^V-0WSfiped+8>u&iep#51mk3VJBWcR^o8*y-w*nWmT z3LeB1#!Dap;NaYW-ra{Bxwfg-iRV8MirBIMQ%Tzq#e-+HHWHwpv=K9=(nCfuOr0*K z&LjMeUy8fFV{nM9z;S{mXe7H7@9{o!&{$n6r)v+~kUtC3U2(hq$M7rYQNBE3=sU7> zlxtCaZo{!}xHV~k@a7M<<&2}(WTMU;%yU3SBYgIp5daBZZxynhALRdWt8~g-Zxvqn z*tp8gC1b$BbjO_8(RT0#96{!82Xf%5f`GfHkj&s251x&TCM!Bhx^#hN9v>#(CcM9l zEtc{~i6dG}PMd)NyB3@7Xkeb5rrz|IS6GE1eBVlCAeI+RTu3KjyOb82bdHX<7KP*& z#}_>*QUcrdkdm7NEvr`z@0W*KDxR*O25w>3YrjH24tI8tZ;0qw%BVvz0wOoJLgu`CC`N!aY4i~RK!)1ca;`dZ{GyyTrj-{X5Ap@myzHUaGUzP0EzZ8(ju_x6&S&s>KiuP;cBnP)J zs|hhPmcLt{@C19OEbI%+v3MMoMZ$?%uD&@??7gP=%^;!6N&&_MGlHK4c_obp1^xbg zdOG>rkBW-Q_xEq_@!y3Yd-lP(%T>{nOZtx|J2T_8O>VnaiG2ofUjRkBFRLeQTz!{2 z_dAyH#n(Z0=~8?hozHG5FUqm{RfF0pZGV?F(>Eh@c~#ql3Z;*O`o7za^Tav@!5vM5 zQaY3qc{qb%q9Z1B-)>*Dkg-DR>Sghzs)aDao@Np6#XgFW8U!54!#r8$K>z+nzbna} z!_S_R>C;Hz8_)7&k$`?yIs3=K{r&*o6MDwh99Ajx(lTj|Rf)wom`IkBX1ydD=J;YS zfOAtbAT267=t^aaUAL314`zEEx=lg<3R^_+}XWExSI+{BN z<=Ooq>8Ooww@tHhLgDQ>=AYIWX_g!-=NYf5^3luqtJYLByto|B_sfN1s zW?hP}a#_xKW$-hRu@+<6{i6^*q5;+r?V8slyXfZxr~^XgPGp%YuJHbEU{@Z{{4@5Hq1+|>MzM^5*#-l z%ErVT(dc)lkqZAxNF)(}8T(w5iDdjv=NzX|h)9L1Xl@2~$Go&;eruI4*!97BuF76y zM`|&zF*5%H3tg$$}rDL~XT+GTJD z)DY_Y?uIP1Pn|8x*dDaV_W>j;ky7e`Mci9L7{eiy2cd*C@^|7F@;}e=f83x(D z#{#EjExJ?M&$3R9RA6X+>-xBmC~3ij-aP=p zQ{=c1Wu%E*@_}qdqzqfUGB9bcG8KqD`oxJ{=sSmKNq_8zn<0xxbBqw-U1Osy8I^+L zQpa1}OQ$aCwC>v8nc~|2EZk5_jm%fYm30GN@I%qyGL0Vf;y=hkZHW_sxNg1plGGF62N0c01n9{l2+>H!)3@5 zw-4&0+LX$K*`fLYxI^V!U1_@CyaK+SlKOYuOnZ)GZ}G)@E2#>BAJb?$bM2b)v!cZz zdx$mf<{aHuIh!qnNgc>8p?53%a1(A7+@ZQ7>yUtj!OtEYuj@PdyCfF*e4{!HUM}v- zdVGGR4oeh5R$7wzX9ol4$(uVE9!9U(9{djfZx5I2gQtfQ!y|UuwXcxj%gtw%sl7^Y z%=(BAHeWH$HRF4WVmH4uGq%d6%1}%ruzE~Kw)_0xKEN9yuUuE&V{*~e31(>L4k7Vh zsQZNfP{VewdN0Q*?YmMkB~_$8rT-tz+Lu`}V~?A4 z^!%{&<^w1K2-8yN0pjF32M)dqS~sy&su86CBfj9jZMO2Wv15;2d{akLM7RGl_XLhg zqI8NCHVw$R<|#i>N;%v3w`aaW)XH$yca{6x@Uo1LcXjTj`KQXAPe>V&4Zb1-3F;Wu z{O=sS4@q)+J*!Lt&~}fB_lT{c+vw8616E}yM3Dt01IHz0lyE$k$u$)zzFs=YjZfUN zcOxU>Sgz9UyS-wEREDsi6vu*zCU~<^gUWoWCfVGglc0lThNMw{x^p%^qNRwP&DcfSK3&~^;xwhkF4+z?~z2}lj5grbrj8|IYdv>?oz~#LZ{p?tmTu=PzZ8 z3I1Q~8AZuC#;j}h%zE64o=-sW1DY))Cxq1AGHNe4^t)CNw|n%8UV$*`X;3IH0|_h$ z!aI2Mi<0*qgJ}CObsl*zZ&)OC(uz{f<(y1@I`S;+$rgPuY$8y zQXiDbhKuW!E-5E{jX(-XSq&A z!pSNUk8VDjErvOQU8g0rq>~nM7blsRmN~NXbvjKVYez2IcoW+TJe#xxU`NGDn6_yQ zikaT;q^!6D8DQGy6h-$_m$WmSvlIcBqDJeO8U-62N zI4!(iH35qp{W7(n7)zn~y|xIeZN^-*laVW0$@SEj9l~f#&*}@-L!~i}=k^I9g}q2S z?xj=%C(ElYBAbUnd8lp{h>f8MLE0CsTPPiRoAQU8*mbg4_@j7^7$9KhL|yNk7wPK_ z|1v~werTBdXTEmQzR11#aoja_P&=GhRinQJMp}Khh*(zaL50tgph_LtK3ZgAiQH>( zGvudSW%z<2Zwgpe^WhdTP^5sFd&!aa7-pm1ghMY&2dD?wlRE;XT}|KcBN`^-Dc=m> z9+0Pi-ODfgL-Y;>80eykvR({%df*MKHRC?i3OL>GYhj98Pqlj=vY9$en4e1)sOT%O zqRVcXH-Hha;P=s#y~udfzkWrTFWU)~I!8pe$XsJ|m+qk!rCU2uPdBSby9_MB3CQXO zv}cEoCCaXcAsMYi&Kncb?}Ui=%<(J!Oi0An2}zRYcg)Qsb2A(NR|(v6?>Zs9gnecB zeDhgl3@^aH27hus%@AMRQ7XXryVQbw*7>83dB(sJ%J@=FmutAcuK5P8xEtQVo3^w; zwRthCFC{}%fY~%>!#%5V=t>~|!-hAn+O685XWi0$ViN_QlU$8C*S=&dzI7da;I=_@ zR_2!)N{;Sd*pt(^&^5z|rl)QC5$pOYgY5Zue+O%eYale>2)fj&gLuv8qdIPmz*Z$-_ zgLF4H#lPM_rhjgr=TO~M{q2F;P?F~mm-`qD!q zJLXBV%uesED6ufF&l73f(c6d7&>@Wq`h?6}nT*L8=oSMORF58^o9LTA3opF*nX;gl zfhs4LbL^)Ke*ww+!p%{lD9hV#)NpRZ5t`Cl=#VfM8Z(R_4D%ZpZ3$#bn!NSsl`Uib zK*4)%Q9?1C{E}i+nbP?%<>jEzM%P;b@V(Pv5K_iFqc2XEMA|#_{Bfmg|5zXg*q`Vy z2nM%7{s|?QZBcX-z5Qn`CwyJYEtlBB{$)hm{E%Pux|XvM|K_fF^W&FJ*!g^O1o)A1 zewY&SAHb9MuxE&+LJ1)xz-Ho$5*J9X$yXIXINh6AkZ#zMq)~c_OjyfV+?RGW6D>HJ zqtQ48nfVG2c7a1#MNRJ;grI`RVOhrXOf6#cD(*9+9gp1uUm&^S*;jA(efGF|sK)K?$xLSJ`d1)3|6-nuOI zdT52ACNhs)f*%_)n|=wNgX;x_hc5VFEu!MtK7j$k)o#=OYAx4vF(J@K zOMgeBpLs8n*ikM(=uJ7(9eEf*)pNJ4Ir6-4&W5#&oTMfLzvtW%!_=+XX2vo7 z-6$1m)t4)+F5Wzkp`XH}k;;wZ1+X4x;>mk5yl*n}=r0F;ey%>L+4~ob{P!i?>q1kS z3=}T(JMMohG0G`)PSkX`2t5X7=o9fK_N4&%Abkc3l{lcS-Q0262K@U; z&F^}g>zpw-23&|D;ee00g4w(uWl$Gqmc_5m{VOvw20+lB&ayuZycoha+2dB+*ZccQ zkT!k@3HGy5-$1LqfXkofblBtwi;Z=L(in)_PlzW6@j)fpML4HQqjIul8nQdk1t$yC zMvf+p81`3KMDGxUUE>o5$=ci&$_vSPV^ViQTCV&|594^jk3I=&RF+e4qAZ55{6Dpn z7o9o&2#QK1!Y*RD3>&Ut~AXRfP;qvHu7gO8%EWI zxN4n8u+6^$j+7YB)jqkJc#X@mzFHgloUAVUQtlKpl0cs=8{}5(6~AJxz4UJ&Xvyk?ijF(2Cf;AAwd+PA5r>@MS^lWrjYY%5 zHQrGxbPUIdMX!2gV(X04!N}=LlYQ{)U7C-ZMO9Xst3xn|ZZLPHnrZByAR6nGL31v5 zAY(D#AlWGU_JyJ2ylm{GfLl?x4NP>ov2vBZ_JWAs?J|l+O8Z9&x^bvr+g0$tVs0tt z&?cu^Y)m+eFzIbbj_%XO1k+Hi0@eNU;i<7t5RW5mHJrPBwSY;>&S}GF^}#RuRkMrD zWvds{d`Iffy#}y|Af|HkZkof%4msa&qK9x`1#OU00uJUW~2x#O~95?oa zj#t64+S%hgMLwfHrE{=8K=0VDbu`=>j>lNBv6P34cr%#1MnLem~zw*L0o2@@7TMQG=hbYI_DYCW5u(?G` zq+T`Sa1B{G(TLh7{s~&Wu%8+}1I=8`Nl#f^`Iw!q=Tu!@oI)!Yb~o$ioT;>FKz@|i zx=dfF5OG>{CUK)$eD$XZbJV+HR4l$nL`qDTjc zrF5)5WPhz3w#ltLLzS?ERU#Oix>u4M=+AZoJE!8cYR0#|^+Dd1^#*#5IY;`L?H$0z z?m%BOxoiX?%mUjfi$~n82}X~<$aGJZBx#yF8RLF%sR-UQhr1tDXt^B4R3e|zd?-rv zjFlYVpaHmLpSMefioo!Kx5v|b;Zq#nx(7MJhlqatbs!l+K`+;VwlSWl1jWr8DXo`0 zXs`1N6MD2)l27bYdgfIm!z21+7;llJkYOEJ(VL7fq1g zo#SeB5fbxIB(?03Dr~U1i!wMm4Ch67HQ_7#oMIn?#)XD^tDmr27kF7rrqbrf9B^?W?=^vd)#Deu?^`4ygbrHrzO7T$-W(mHOttYjkx z7LS<$2@zkzqXOcs3K4k2WP-D;TIl^pZ zPx`J#AybxnQ%}OH^w!ThJ#4`r*;*9X-0;*ie}k|O7f*x@lFVzj>Xd!NknN;KTvKMi zi_0IWI|k6%{Gi|~^2M6olVM0sR&sdOVN9EwvADzKSjr}}sbEP(ZCcd^(6=}|=o`)2 ztl>>44zumIfla0tY7|UmZcZjkXYDMS)0pZ?Bi!{|wq}N)5=WUoon5cGuSm2Bgegl5YK+_=9iH`V`K)(t`Q+LfO)|zRsXx#M+u;Rx z_#QH=L~)MI%f;ie>qUyGGmq^Q|B?n!X?$G7ORk=kNP<1%XW zv{KNlWZ@QK8EC#=pIeSqcVEJCDa3kD4ntO$pHgQ$+vC>JtW=L($QT2*f+^F=*w4K2oyKB^Z9dsr<^D^hPjor?<~emv~>7KP}v*}LD&H&xBDocpw@CSI@? zy&_F`Eiw0Y1GnP^TAt{=HLA_y&$nEYeOk#1Jr_I&<;%JCyj!N#5VkRXW)9ev#vOf8 zrerG6Dc~^IO0m0_@=jSp9_}~O#WWXFn_LrMPH?0VD?w+H)$8E4$i`*ow({xvWXQRs znJU_@9_l}6R{!-yd5o8T*g$%FGpNsT-pLe%QOvuUXJT%)T0CwwvRpi#Xl=XP#+Ilo zkExxuYaNz1E$miQ+uYl@7xnbJM%%}`Q^_8eXiEE~dBh|Mf?<#`wt^08%s}{R>`7fw zFlTP!YX6I*T3?At)DXa7rk&C`GYhURj5D_;-7{{j8^#zmfM!9W)ui1P$crixh5aDI zs`i~)4ii6nAqTd3dRlPInIF7YlK}%{W?t2f4k{8~P!_%Jr+Rf2@ixv0?&|gQc`oLt z1p2f26Dx4%*P+QRzMNvd{naqKly9?gFH6v^@#@2~ZVl0yl%HwFL}wF+Cdy@LFHcXf z6Le~fOvB#2C}y*wOnBdcEWg`1NSuf70c$VjSsaynhf%f!pbr=ELFSbyljl4@mlEYV7uoDf&L zRHs;|5!Z29>sw|wY6-ent$Gujq7z?ce-8ilUzGT|X&^K5({&8P`EH<5NUzZ}Z^kR4 z%Q#L-rbGLhy25rm$dVNG+QxkIruai!%zPMpj z+vS3Q26C=p!r)&1PJfwvJC}tpSmRR`!nNbw>Nt=9^b^c$O6gqZF4rS2fXkvin!J8{ z+hO(_OyZ*ZV}jXRlg94B%8BfR@uJ$pAKwZKGpJ0z)V8lAOk~BLlr?kTEoE>=HLrXz zpx3Yocpdu|^$KC}oSypKsFvb2}mxHCCZIp>YvVgF}l zO?uo24;{^xOBXqM}kF z-4YVgEv+ITT}q9Ru8nROh?LSO(jg!s;AlpNARVLG7~MHQnlX5O{O|j^?(2HqaU8s2 z<2=vr_ml2j3y1VQ&1IK74>@8bjzfQ9ydCFw+Vi$I8;DVpdMy{d#StCbFCAvIJtVrIo`vlvF3tskIqak`{w-mo?SzdYaSKzstqmJ2(D zeDq{ahgkPfe>G0kQktEbx;-8=i-hr8ZAY-PM>P+masCJ~ES+8QppR%HM<3G9`eJW1tV{$h zNE5@oXQAR?oJ27%S#wlE*sp`9+y$zAQ(u;7B;1x?gIvGzi3MKxG;DOr!ktb7Q&dcD zH{L{C+TgO!#+$EVydgI6qxDtU17c3Q2a#tvLwMCgky@Kdd2|MoKQcS1vOzLqU}**S7C)eUB+ zGp1J_-=W7dDW@i0pTcaa22~L@pi;qP-lo@=YnJs%Qv#1Q&-{UB0Kq1 zSp%1)WE7YG!O@CH0E0}!GCO`GfA_y;`F~iZZ#=h)?)#WU^jN;U?~M8Dbtgc2Sz$@xVrL6-os1WStnA2G^7rQHXupnt{!$1$~%6$X}CO*?nEf3 zrFp(@R|+L5TWcqYmch%x{1VpeTYY|G%JwScmNKSGEm=&=pe5bJd*`ia;A;)Y*en+~ zkD$jg9o9hiiv9KTFrll91C;#99NDKQv<+*s*d64OW;ENcnz;al&0m+B#ibBjj93(I zEz7rU3T`L@S0!av*$|FUppDP*+NiUoM-^cy?-r_jw&;vIj9_r}xX961Dq16yi=FdE zFrd!AN2H8H(|1_U6ePz9cm#sjOlDlyX7=%eR#hjAZ1J#S4?8so(1SZP@NDkH_BiQI zM!!>S%cf*AKkZo;i7jbdzk3_WFz(>uC!WOTorH#8%|>r{YbYL<2~&(3TYqN?LHS;>RNr7${x^rdGd!046MHW z;k|W~%qN+igJ-F6Rpm!|pegHMW7dUw$<36d$P)Z?VNJOXudTYMeoGkE0cf?Z&^PrR zxFlqQy#cs5#fG}wBd0}naqfMb={s>w!*x*fDuSlQFQcFH+hFIYj3G@zi zPjwjCs^fU?>2&Zn^g|Y^z>;mK=VL1~!*!wKx+|x3e|Ip+da`CKH$EAIzr0+;$id0s zmpB9Fo2ASr7-YF6WSq|tH5U~3G4$jbOXw`m_C2oi8Xdr~_?~tAM%ZMRuShqXMWfud zb|M2;2c?`T&N7e0mm4>-485i94CKSLJE;p)Wp^`Fc0>BYZ^< ztuX#2P7W-5=kxT`j94^I%6Zo;k>_h*Nu`1$+t5ptV7vwM5=Db7^Xh(GjcJW%g?%9+ zgcyk^xsOP&&;ipan?J~reKJqc5QpX+Zcah}Y`_i%Cs3PVMD==IpWOE$sxzy~3J+j{ zA#5K7MwzE)$;&!pk4n$x9GjW;X1qh5>uFfK$*?l{Unolf539vb;42wkEx8Q2+ffqp zesV1#duQ{x8aMlBnD~8YtetH!&sR+sxq5_v|LRUll=`Q7*knfEAQG|wzNiDzLRd=~ zD6u<~DZ@b5HdqXP=D@o%-DK2t8EYG4o*gLF`M84U$~q$fSEBV8U)E<;N9=&G@oAyS zNNrzLR*x*rpj3Cj0@A2DW027wS9%e=IeTA<*RH`Mox^!MVy+AAL=|Y?a?ykBN)uWG zk52Ih?@f9IiZTEE?7>@Yt~Ge}_||ftb+Q?%GltIDHcalp`|hp9e}S~mZmClNGc{k` zM(z@~`+v#E?C#wPe%}@Mp$zzx`T|N8ieAZSv!I-8!B3MoH4d(eB z3cD{?MLHl~uoQ{6auHJ58A(}sXF)U2^M*asyoW&KK=8LNVwXD^n=i5NKBLGx3rcfO zjp(3&^(exo>WQphsNnX#w$JB~r<;Y=d8bI0!)i>MZ1dM)5~){?s=_lpH36H8ub~IU zd$}5|QPk&hvCkDq?H=%}_cG7lYy)5*3yv%oaDSGl`9hFA^3K;-yHN{oX65iVv>c8uHrRu zBW^H0v&8vyA%L%8ZSZNvDXB^7a(Lru#ZEQiQp~(9G{qBAGvighBIWtO@U~p+pNAE9 z%Cj8(PAX!=ryfiFI&5~BEP*txB^z6OO35KyWV)=KiwAfJ>He7^#W1j>m2p7e5P>!V zr^qgHKU6=K;zN(}f?@f2QRYsz0RCspIJ6{cjq(u<>L~s^V^?P_(LZnwk2tnjq8aZP z&GDHQSs%C7Hc)d&LbKR8_84E(Bj#5n`S1Lc%dYIe3eky8$~cP8Y*syQoLZJje0C7e zmI#l}x#cSy*{YS%8}9frXsZtko55A*3f*PCSO)KK_hX9;w@!NwG^SxEO&vc*#x zF=(;y)YwW@y@L4?X!{dfqF;L;A=8g$P1WD5%Q6*ySf(Mp@C+njrL>qWeN&K{nB=p=O$e z8s;_iljw;ipq;qG_QKeGz&-?@i$zyz(` z3`BZi8TZ}m{+IqpP3!VnSUV5IVi+oBJ!=xoXQ=M}`U{ZOch5&G(aFlYy8 zJWm`Q6p-E0CqQ(f@%5loZSWzEEtDf-29p0(uk2*@s`dPcj(Rdw^L0lC!6yM2$;~(( z$9tj3mdkTAknCiK7Ktw-6&n1UUz*{_Bgwh1nSak`WtyL-kamW50VS(swbFT#u zZX_`pLMKGVPkrUHyzP#N3wqZo8~`AY3+%nieu|43;8=Z=QI3+EFP(A{S>|QVr?R~) z=AN?PDj>G-8SxbH&z-XbG+TZVJf2n|mQl!?96U}@gZc_>L0eG?@W~Fdu7}(_vQayg z%G@BUS(@!kekIfn;)?RV2cc}hgw90$+wqLVfKKY~;uX`?L{`%9hVi5tmU(me>AV_~ z){py|$i?bOJUNtOcC=MD@tof!wYZnVS%CmXW2+w$kJlBAo#d;-Dq-Jo?y?nImB%;j zc0(vXb}8#M9PD1mUSziu;-Ce*T$Qy7yBMlKYcrgH*euo`{Hzo9fQC7- z<;U~>Wc~rxtZnK%k^*Hwmvm+&`*|=SduqFyy`xKs7O6ezM&?Yj1)A_NjnY8 zrS6A3YWq;d$v}u7ziEeeL(~$G9u@x}qKT2L&O^|dJy z43iO?o|%+y>8UmeNHw^nU95+H&6?R@+X(nqQFq&3Ivw!Vd|G0bGMYtZVYiu%II`XR zeq;l&-6gmRZbc~4k9TymRUf%1;(ZaM(L3XRh39LTFDZ4ro(ki&Vk|bNghK{8<>7H) z>G->Ofni_u`aJBH`haZG)!?sI>*8Nru#0{C`Ga3aZ0{=2GFzHavVw7G1mAOL_0T(I z?o}v{1DKn6Ls{c~ndcj))L8C6`{_;_$uX`Ok~ILj$~;;;ywzJ=u@9@6(cU!hHu1;N zUh0Izf8vj2avdu#lms4?(&p9r_2SV7#beKopKpJhygAwSk(BkX1@DY`-7|hLZ)!nl zF&W$}`k<8^+>@S~+z{LUV&q;ZycVOYA;U@)_)JsLtxn`p7$Kb;^VOesaX!tlSYW%+ zZ?fNPYW~8l(GgY|$OkS?CGOa=4~Y?vTiSw@DbJ>0iUDk*7ie#gcIE*~q%Tl+llfW( zk0n_W3(DIRHI`Q*B;+g(fDo3ojg57~@(w-pI5oh47Nq=GJ3M<4QYjkFTj_YZ95^iV zNa(Tk(#kJwgc4@qjmm~UrrA5XY3?R|!D@LE!1i|tVk*yHpHDB;(Zav?r+1zqbFuJY z+wR#!@y<$P>S-XB!Pinc$~Q~c^fY>`P9=LwZ9=s24OXKrPWJp6f@#YD5>uVm^1NiA z(`V3;Xc|Av?Er?W+%J={S#asO>`eEJJD4!`Z<+>#1PQiO72j8D&B(>U!;GmJ_oSv+BUI2DA(b8e^$XfF>ePerFMl^&*=^phi>96pyLmI_=nd8 z6N1{EyT_8xn#y+vP(Dv~xg?0#+NS{k{Ev^c?Grz*y}Axh6V8pbbFPBSRB`&(J`ysB zJrf_u@g~$Wx=UCDCmVmhJheir5oRkjDOu~fQ^2A|kgb`Iv0N>w?cE&KNB)rYq(HA2 zTZ(3|MfR1hGgy`%^VZBZPgML?Ot*$-2kk2?<~L&Vr+4!tBl4R=$lJwaBEsgrN<1{t zpO4R)>p6;MTfNVbMZZ67Sqj~lh;J{UO#@-xpSa^6ol81{qjY6s&UrO)A}4EdWPdwn zFD|mDdm{oKcKOTgS&AJ`aa=8HG#sI)Q}LPyaM}WED{)G%{4Hiq7I#q@wsV)(QWRwGIBX9{~Ue*lAHV|^8o zsPq$uTGhRzH}k^fJ9nVZG!oBV1`~*Sdk*M5aw!D087&n*5#6V$(_Fje!wN^289V$Q zi+A^Xv!}}NBp!zf9v%`HhE&)_i@j^DUw)TQFu-}5FjvLPwEj*|NW7Y0=2sk}RH)I` zXSv0t5F<&HBW}!ID(35XdwAX7_WJlSren$S==^;Od07u*<0?p-WxgEQ|FYB~VJ$}V z=K}&;@XOBqZ`}flKgxA-37>*Z&i}@*Ii@6xhp8z5>tKq^(H~ZnPdU$H!jk4rNmsOr zQ2kLI+&ig`Hy!ytT!>^qZZ6<>B!2BLTr4r&v)wh2EcRqbp12B7?ywZ~^+Y_ z*{BY;@Ju7kM|yc#?OQnh6twJ|8gJq!Nwq5))ZbJ^f#5SX+zrdQ2TNLyUx)E(l~yZI zK_DSnP$AK{ojv24>d6@aCsEKRLZ6iqT~u@T)M&$`^)+8GX5c8;A;gdzXZT@IV#~ua zs^z@bpBZah&TH3aq6A&~;bk&uIMm(`cfB_ZRgtkRafqja~mBXMJ40T zE!{u+BdUC55csBPJHO##_i`BFx;Ph}XNIG`?y^w9#_YEnB@`!q#6En)Tx2Zdu$wZ`YfRdSdA%QG^AlR=zBb)65^ zD38D1EY&j8m&0w__v3U1Pll%e!qHn0Ji3)THy~~_S>m|Nz=FbWfM^{ttd~gLMLy*| zIC1$>A)xn{rm!{mwiB?^8TbE5a{`s_ThQz&hW>JMWWc%hyZHJc`MlEOX-c$+YZo2; zSC$ecJW;6aB6&0=@#K0$oFxd0jN92wAcM3F7@=}zeDQ6QY=Rp8#)}DB8prg!$RYHJ zir}@|mHF!Z{>*Lt?HrO|H?HhBYS60Y%KOvBZt!-Ka&;OC#SXKT|07Geh!?Uj+>scTB_fAzdW9>8|K`+4i-8iJG+GRFD&C!p2) z*RP+uKYy2GXj36!8!@^(lJRgJ2la_-RDJftS^lix96A5!cjjW3$kdq27tX_kDnJa_ z`6rW>X=;&gfyA8g15qHCLm$3ap~l6N4z)=#wS$Q^>cIJDq`LdVTwZpHbTOn+@I_%h z2KPO#-#>Ja%pH|8Gw zxup4fW*1R>2FUYV-WL%tkI2&fF*(S9ZC2z&Fa4AxWlWzObfVPYaD^%9i94ys$IjtA z-HXJ8Pei%2pbOoCgW>&GCY%?qp-MkZ0Db$n5BEgElG#@t?ja|(!?#LGf^UP)GhHX@ z;CpRAy7UW#)lx@bsFjx7@lbeZg%{GTOcg0q?l>t5DSUp{{^Q5fGK{1nN?qJk-=pZY z!%RKQ5?b0KHkGLA_f#Q;GoQcyn}hXv$achT6HU#D`i>k>7lQVPg5^2Pcuo?dRpA;D zme`3vJd4cF07JD49NkrR^Q~G(KQnDh;z&UL)t}|_cOw$~0)&xd&V|fE(`&~W9D#Km z=1I_1=dd=opT?=!+*(q?)KbpHp5JY>Qj%vtxPffm9iKF<(UimTIQ{N{XR#_?kky!W zhC?z=NYJ?~E2dHXFd&|PxQhwB3erp9U<^8Z0WeZ&a%xw5OL1_;NvGOKkceZS!HoV! zQrR%)MZ0S`j!kE~e#U(l2OgSd){B0RzrVAjDO)Z+>%;Ao-GBU@RWVwio3&d_c)*G& zXwM70l|41+UFiP6_3o_!b~adx>1-7eRuC3qZX}vux{NAfxlox8X_~*XZyLaRItz+JW zYxO0m7HbSaYZ>0=$h5;B(l7P8n<;AqX9VK|`0iO{TeuyTb0DE7aw+1aDVZM3!aqId z{IEz~&zXYBf%k!5fF0E$*U}jv+x#wdZe3q>37Vr2ySg9De{cZhm*k{ijHzsp%@(ZJ zkn}c1VH#mA8k(?bOzPpmFPAoyIl(rabA3mWsUMgBMFRe!%k_OHwLZkUz2B8xbYFy*^(-59%HxQ9_n$1epZ%aaf6cH}FFT21%!0K<$$;kWg9e?+;I#@WqaynN_qer~%NZge)9JVHbNF1Z83FC z&E>IoLM)V`&nIOsY&_`s6`f--mp(*Jd7y=NVI z_3-*mOTS0nO!(j0GDQ}xraL=j^EPj)xj(wQB+YaE*8Cv;3PjKHOmls`7#672Au*N~ z$G^>1b(EJpb^7^RNcQ(LP-}ks}YLx=5Q_%>&4z1HW z@2kGZywnTcYsmb^=<+D|M;YX~1ZarT$(&uSO8qhDTRwo@^L3((c0LgB_mn?jK|}Jx zcEH(ztEe$`7zBdzK2Nnxu41JWoWQ`%ZOAGN6-*Y6BZX2%Ktr*#qDDEDlJTGamMObF z1@qUb6@X_Yw;<$e*D=4TC1t;y-y?ij(eF6^D3wN-5*thQ>@=3W1!uq2{#P?rC|4Eby)y3(y71{Gs1wx{WZL^O|j(?FK_Npm?T|gM)&j_5M5Mkg*YZ{vG8ul{O#la0*|u7 zsP;_!?U0?s^OZQ4#ZD6lAimVJPi+0gp?AN)7uBF{JCtNu`)Pgf{72?Sr#RRcw7+o* z{>{3Pd6N3L`V;U|`eFU@%*iYwR&eG6{C_SH&p8UL+9Gu%z|OQ=Ox}^qY&lF7k;qDD zOWj5PAzZdA{JUuZ8X^wBOoEHwz;$88(KPzi5FT_nqyLP!=agA07?keRVpKcsSg!?n z;jh@@tm`=;TX|I@h&eVdo;rVR;_5Bk;LrzxkMSl_$z@b!V#=~Ppu0xclp=_WDvVUF zU{*-Fy-3Ee;Ri9PFb@qg1NKlyJ3xsx?ik<-fhLGE^qUFxQ6wU5&J0&8Kb_J`83AN8heW8|l*kJ|$r^J#dplOCU(-?iXf0AUgPYkH*7OZb_spbr~(CI zQ!7k;kKWRWtlzVGvC5p4&ldKl_YlwYf+ z#HOsG?6A|qng(dGs7|lKXodX4YM9(W;=wT1c@pWgdn7(v1t3s-gHmg1>BW9h^+ zjLVl?DbYqGx2;)n$?Shsh$sB!+;mwHLvZ4{HeTP!`+|uGR1SA;Q7g1w-56aPjA3qA z^JDI_&DqPaR@EDc1X`SS>#?TCBdVp;=pR|y7RB%2?$+FWPm&F$DM7zXJWO~R$nb#M zC_3Bww}RKq5%fR^wINZZm^|L5S0-+$Cx6SF-$w11Gkf)ihZP9OY-+|rw-=oh6p-)Vmw*;rP;iy=ZZKiwHQPYMV+OGWwh7fHM=In)fO|A(m z(kyTK&l)6RQZ+J@s`2G1Yb@H}Jyu{9;R|#9LjMP5IQ(gw;OAIkgK?&Q1RoP5iHAw)o(r>ew9Kgo2@d_rB(zOvB4hno+g&a3HILi09_H1 z9aJx->%WU50T)BOK8o4jZS0)oe+KS88LqzuxZovQA9!LJB=<|WgFxFo`_a)a+Tq?shmKD&h5j)!-4hEAXi=(Vt>FD8ZGCbgoNc#Hm3qYUKSks$)|7x|!^i@?#=Y)w9 zF@f2Jy5V}6vCr%V%&`jvvrJEg#2OYk`>~N^oJTbFN*29frzb}_7O2(_o^W4luqGrZyNBdok zV;X^F+5s`#&EPkcdew#H@^AW*JJ$=2PYd{)rWSRTnbd@g_h3i%8NTG5KUefckD~#f zW-7x@A-mBtg6{*tsv?R^GIts*MB$BfUo#y%3K{RRI)51+4yRClp+p4I@e|}MWd8NL z>Ww-`O^rIO${bwuoo4TyYf=18ETNA8-n;iBKU#_N_kQT_D7*yatJ~GU_@ctnDttIq zLo2L24JF4eid2J}rkE3Bb9g`|@8ExrgI2Uo6#~~>$o`2$2m_YXpz3F$z(*D$953${ zVn+QL>+X}WPo$h*eEaQ6 zY{=ZIqVv>Jo2zM+qS&m6Rd=vkJFh~`AvjU5UqPE8)zjdFJ>8pMGS;nK9sW@aL}k^g zdzZ7KmV#`1ANohT%cgy$MA%(x==5mPtWxdupL1Y6_{+1|EBnPZ!$ZYdRaNb8nkS4E zQCnZBZ~|eKHFvC`Z4c&2WvyiDO0;R^J~3i@4x!oW{@H${-pG;dSKsNUbzA2-eOLI> z*Y)P2H+Q8gj2?yj1^9}mYI;EVl&9-29hyD9=EJ}1aoaEQL$@Q%9p_UL$kN>=4W72Y z;gTu$ne_yCf?CB2@fkosUEZ{@3KBGSR?e1sXQ0-N;oR=o05l5eS(i zT-pFy6i)`|^E87dKk`3DsqXXdJ>Nt6!p?Zi}cf}=DdD&QCi7v)OzuK+OK zl#?yLai%IfFS+C0MfO_O7M`DBh$?&z$+A1ty^95f7IHy`z%A`vroid7z8N)-`Tu| zPOKl_z~@X9l{e%f7n;|eC;TM!idU92gXPkKJS)LRX_2{_sNO55Ro6%)aU$nqLzR}@ zmm^}+FGBO5u&;Du^n zJe(|?fnN9l)OEnFnBT;xT~0T#TJteH*No|xDMw+VA= z`^3@ZIq&U2x@RzYm(H1S^5({S*vNyG;VwpmiARrhod-dihZOu}+noa@ztiDuQ>6ZyGOoMYJl%8L)mF!2yHI$KNVX|F!Bj+t5Y|=D{mC>)x zk^ECm{Jf3|e+GZucBD@~Sibnc1s5Z3Uu){AGH(PNW49LEF(}42p1YM%M^{BGaCx{Z zH}F$_@<6$Qea^-HTJ}Dw?cm7_rkuJiwC?&%r(&I7(7)XPIB-6zD%&vyoN6o5TjBr_ zf_>DRk8hZxm==U-Wc)nX)EB;deze!y@v1Af#bOdvh{!p-$nP4o=xg#$C8&FILWB^X zsBY^mo@~8^cFUSMk6vJWs)$j)A4??RTyJaOEclY^q(L@hWG7LA`1_-iF`)5|Vc&vi z!~5<A+K+OMcTCP<0uup%&tFY6okO4pQ}^->Gks zuqJGH-2;_ZRD*M-_mGG>GAuFhUod&%`VnHMP=-FKNPD#vsCo71lkGt2d+)2L7TYeL zKHV1bmq`uY-QV{?c#NOx@A)7_4+FYuHf2s``AzYqgQD)w@t(=f|HrDJ%XGae_-^LS zbN@RK<)2s!JDyt?H{IrMeR^LLV5d8eUl{%oKkldeby5MN~Q~2OK}jzOB7d(UjuN@GzmTVxG;9R_CLBK=t*bkFkd_ zc#IsVtJ|&B;xhg@_Hgf~C$qbD4N<;{PSU-dC-Mt-bDWrZg~ml8PArj5MJq4;^R?Z_;(%qtD! zGX^}f31Y590KHsa&p?(ir@FEkn^iKMyMM?61C}GUn1ar^Vq<88*)R7Al;6gg-oxn|L{47*H7NDm`G(MPl7sqM-QV<1N5^5nU?{i2dr0`$|&Ic-ZDm z{CrEF-7Q}Pg8gF*!*1OD5G-{6gYvbY#xu)jq)?Eu>xQ|?^5cofpv6#_uzSXrH?K-^ z0=IU&BOj6J`d6zaRQH-hT>Ln~`0J5QC7IcePovEt0SVT)ct+i6-CL%0lPsx3rBObxM`Y{~~?JWZ@ zj>o7^Typ-0>%jyG=`K)ZKm5@BpaUxJ)%R8pBpmx}WY|o45#w$Z4i%7q&pbWr6ru=>X{NWzJEN772PnGp8iI=F= z0+#0L(;14~fO5GcuBwyff6*oL_tZ@P5y1EOhhk>_O91~47|fqNmwCyI$0%jlM(}~- zwvru6Yo6%$lg)<@E^_lfSNPcJQmQ)ajBqu7{`~PpZAjm%yV5`v$XPYx4?ZC3G zyUI&Ay7Tqn;m#HSyaeazUI#7hQ;!1q7SImB*a{st0?~dEJdbAHbj*z8r#p|0hd>R*d(9SPGfo)p&tC)p?FGax7pFM zGrAgpv?qL=!upL||6WrNC)1)sl2y*xYunfEmEw{OGEeE%)hvG}>{6T@uk;BR70bY5 z^)Av9A#)H~4XLyPM=;?aGe<=({^vbP;QbED;o+u(QTfjPhB-_fBR6-lj$7$W5CG->Q1te!(F(K1EU0g)*LjVaRyyc3K6xT1g#UqB0K0qRv#nuws-TH@>rkL>= z;;GhvPWqagcpNaA2HR{u=@MQ<*|&cS_N%W2`<=PE7|93IT^QgBFpr=QeB1%dXhU?4Yv_Ks9NA4r+l4QLPw9sa;;%l>vEBRNzL4!U^vILj6>GyrjN< zQ?knj@aw_jUwpDjobj4L4N5P)@w^uEUjr(RGJMY4*L>7-mQVF0bN<4+_3|_og~)He z<-s*s4an4j>_1qHoHz5OUl5i;q@~<_+5{B+fy~X z^tnK+j4byLl5Df3&bKo)#$Uuwng%B}dmDn&MpFDE5#7}jGmis_otjbX6M%?96pt+p z_{N7ZfbB5dd)9aRD;0hOwm5A3sIK{-#NXg?HL@AIZGBzSy*RLaUBM1%6DIIII7$X% z>U<{O`N}qUg1UfHq%~GBDH4eRIXUSYd%4n&$^n->7F38$@#Xf!Jjx!R$_k3zDZ|0t z-sU+0+?AzU^euvasL!Z1&Y{C$19>DIGdMP*m8@mhF=<{NG!yaLViy`uJ4uzpy#Tw4b z;Hg=ihIlQN4ft0H1*%f2`~dId;vto8NogvdGIKS;AgNsMcS*{&&oR~UMvW!7p~M{pz&938FFUj3ZJR`;27>%_6^K3#UOY|>^?AIol}fdQ0t&eVeO(uzll^MgE`A7ln~5z@X!;c5Kbh+ly=fiB8Q}Pgi$qk&j>!2 ztr1m(0{V$5b@7v^q8<3m6kqdRqX+Uov7&2uWcPCckaGF#zpl`Yqm5;+LS(Wmd|Vq|D0J%3%KX*trVDXBr1X}alZY(x-9k!;kZIv^eCv5Eh7 ztd9v-$nw_NshIeE2P;p7R$Qzr!wqNqeECwrRc&gj^aR1Fbst@obXqBD(skQke9^<< z8}EsnmF+E+)U$69e39K&jWkFV5bKy?>tkpssUp0i#{o6S5|Aw%=GB@h2#?8C^N9)- zL+u(xRM>gWu#a6+V5BMyn`y^7<2%+b)i)mYR*Z*N_Mm5y1I(|S0^9UBcy^cBemn4_jV#SaH|8n-ZY`BFT|u&7^et(v*N=G*QO z$XD##@#Fy?yoO6ypP~HF3>56ea%YE?DL54nPB7X12oOu#rh0V;=yI<7I>0gocJDM? zy$~GDoOo^XvSNp{G^H$T1GQ%Qu=0>o*W52Qa^QuM9)Abtv_^4;XJVv$(nI*oH#`m% zGHxcnS{8n22U*UgJE}RaS99XeztVeB5f-de?k?YG;)NEr@wAZ10AU#5zC6bgrP$53 zD89ETzt~wH$bQtXrC?E{=UxhOaPuIJij2)#4PMM3TQ6EPL z9j)F@=dUpuiuH(?N;vWy1@Po+E+s4w{Nl8daQOKhky+Y&E@>llTmEd>@7Z!0t0iT* zPIJ$LE_Z!H;Zy=sW8JAN@l4SFT(%ccd?md+dLTs+jC@65LPuP*);+Xz1^b2gt8Oi? zMdbn;(DY)++S(l|(?>NgCMsD6-g8_L0n731(Dh>c^?cfHy{Xu8zFCj`MV3^xvIN5E zf&v@8Ae_P*v*q4QFqt?jY{k1QtT`zp3ZQg0hUp@!St^z9DA7hW0(@PiM;nqwTke_I zND1SJur^QrAgjwS-(`mn3}1u;ZRXN)3xB>u$;Robt;E#>JevU&z{{3t+nogq0buWp zZ!OS%{eM(QN`MN<{ikjEgqnI%*Ho5r1#DUPQFegRs^p@SO%4DrYfoyNmvE==`Sh4v ztt0AW_%DTO{xZKsp}XHru5^>QC(mK!F~G%Tl{OyNd~EBqw8`Uw)am}F#QsdEWw@*0 zyDVz1Y-ZsXVrg1rDJwwB%xCSyH30igpQ(@=6KlR@GT}G7^F`>QXE%x|_M>Gq2?5RJ zgOxmI#TAWaUmvF>vf_#b^P0>1OcA{P5i7Hoxli#Rk_9Ez-SCWq-^Os%>V-Rk3d=|R z`nPNJ_HwWm%*9md-;$x$H!uGQN>GWwnExM+cAb>{H2V4cjTfz3k0O0uxP(iF-O~RF z<-DloyU59x57w`;@(gya^5KknOI7=NFA+!yFK#vafc|4v*5>?S^mf;$TO^T^D+&oa zv9i;gK5zC45^u&epXychcop2D;$E>EE@&P9(A7cR$meig)q(whA5M&+G6v+7<3BX% zq#S%~*MDvlhuTbN?BsVbGNnZ{Yk$a7xfd12%o$Wg>d<*f6o&UhQKZDT!dwk9(7|!% z2ea%SBjBu@CGfi2_u-4SYO~VXGUlFDj7p}4*s1@qWr)m^JPOfx32II)u8nq76O{zw z)JMJyq}8_mOl=Qqu&d2>{&%wERdI*%yU+IaKHZB7Ka%xer~Qx=&I7HqLhkrt3!AdD zRY&WCY6ptSh4GcIJcfB)(eN-TBTk!zqP{?fm^7nO^y%aRLJkK8vJJis$V$;)oGSyH@re$ybF!Q5HG8GSBY3KC#Vik? zXDsx}be|0m+t%ZK3IC};Y0733^AtYu(!_Gm`|$+oMDD^)xL*L;T~+nE(dGfJ0OvND za{f~j+gn^xuFAhfQ4)vRu1+@l*)6e9nj9Y1?`3rkvip6f?MUm&pSzh>;$K++OF(j3 znKrZ3A`1aOz3{^L8a1tDd*vrJhwh?cFSy}Lug;hEL!Yp2EoS)x4d@yYg)X&&vZ*&( za2Tm{ct@3@*SOA!BA3$9@9#R<^7#|*n{!V1CIcS->LASPV(?GA4x^~9Lv+%fZ`-h} z?Z?es0Uvxef8SJ+1lWr8;a^Ki)vO$=z9)F55FrUn;nbq~r*aF_=q*Eb>AsfxhLEcm zM3oMW2gllZZ&N4xTH10$&I!Q*?K!kcFk9Kk*5qh8Q1L0&xYr+M|?6H>Bm1RxR2LKRddRZ?D+=%6oFg^uN02@PGGOj`i7 z)=f4M=8A^ED^&R;Th>_;)ic!oQ?)1Hd7ZndOBED{0T7&jA=A&@Uq0Susd0anum_Wfi0&kLHDL9T_Pb%&&@ z-QrO2va0M*pJG=i!#=6Qz;9ynlGz)=gQedfcr-ad|5D`vakag{hS8^561xMFx&VYQ zaI%i;rVlQRYvpgbaF`K8K6BCz=>83;WX&5^uAJM%@|d}8rz=t+=BUMhaGFy*R^gA% z%)(zyP}nr&F2M0lKxRBG8VYfv)0c87rU8`(+a zzO1_R=Pfg(ADanl;07x)k|h5qM>k-gon-%ECxxc5Pz-lgz>qD&-!JDxn_$>!5^S|1 z3y6sQ`tU-_fINTiUDdh(If)L(U70Yv38VF`=kmg_3uFw>S>h+i{~vqr8P(+4t&J)o z;!?T-(mNtur8ku>0s=|^2?&TtQF<>CQ3+j|p+{=yAqXnHg(^r3T`3{708%8BK;V0D zE!XS&?)~jG_88~IbOht8BCU88h~2qu z7Rx+&V$!X4(ZGDQ>z09gKu`WT&TjQGgF8eA$GXKbyKkcdub+T$;>dx>x>=>dE!QUheXsSEBx_ z>E2V7$7`!^S@$RH0oBDG)0BOsp#(~wBTFQz!1w6RcRL&~LMB{oVZ8jEZqMw_X#AOA zKqS;r+K`D{{c5ABu(NVaK%aI8|1ZnAsNOim54xb|{r3z-z^EFJ9*~co6E&$IV12%5dSC(3t-=|8?HpL$r`ubtl39#r!ll#rfZa)D?Tl0QwI20YYhg=ZO@*fN zg&4_zSyh{GWD+_neKWhyN?&o_p*}#1^L5rcJ8ES^|CI}H$>CR8aQu2^TULcjtJbQC;%Wajq3)Y7`kq@d(FV)U@9PNq2TarSpAOM)eWy3_id{Zx7Uo*s zZ4XT2DWuNxU7lm6Yt0osip=$k%7j7Mv_=0Kz7HqGJ_r?!epcjIgLt@bOpH_AXtYeZ zexg|ZPU;^UnbEe=RWmwbHO+pOo+U#cPCt!*PytMLctSy$=0`LgMjkc#@VWOY!H&ng z4f`f0rZ&YUdQ&>(`s%`$OGXkw?N8l}#IN;S&t9!|r#V*LkN6j1Jq{BbWDA5ci$QW<^nednGL&ol{A*OoW`RI&;lo2?mxBFKzm0KP}F zX6?Iz)7~5`H6?Tzg*ZWWJd5mjCduxp=gF&MZ}wciSIwu887RH{7d3aC@pvw?33=de zbltIcq@{e&w|#yUsT%zJj5y_YTJmd^1+B@}kVFfLNk2+)#D3oxCXPtR*+(wX?(PHFMXKHd4i>S=r7#AxA1%Cli{Q2G~_mmDg% z`~=OQlQpzz=Zy8q4d{=cT3N3a)1QhIO*o_;?WHI0Ph6Y&vhqD(-^%-IuVY=|!;j&#Bbot1-gPv_Hzv$om3IuRLw-ly+^i&r~}Ii6y&HyB|^VzoOi0|K+qFynY1ZHwXLMAjYp)e`Z`OGou7!hlS6iCOkxqmyp!AUG8q zM5CJ~EBXE4^S6FElDQ=?4#%eP`JtJ0D#rwI2LmYmY!>^h_Bh1qwhRxZ!YoHg2jxL+ z^%9K{ZSc9?j*pW;3d#r5EsNi3yt`G70@Oi8Pw9eVR5&g=*Y7m2 zzD6S@^GV)^ajPG>I20 z=Nisl%XeVj?R&SxXCo1+2}(P_>1lyFVOgPCTDbfmLw70-f*_;Htsb{J%w0BR0xUh& zyd=2_+ef!~pEGq>gKZyk*k!Ji-<}tsQR+Z<6lu~5YVY1kBO}mC-w>7V%u06LSRCbl zo}Ky}ocd5C@Wd;s=2ZMu&3pQR9W4mi`9%lf-|3PLdzVNww>9q8G*{yBqJ&)iJv0|q zSm?EnLqv=kTN)ppp7$Ay7%`O-V4bK+l_STw2lX-RUNR^JRW4>8q6-ki9r+f!qrAM* zbCPcfh5PR{tlzlR4X`Sf92CANx#LJ*$}&e$X`&&`Zy@4@-N-yA(Q}erf#*ST1iZ?R zUJzV`TY7w%k=1Zm09kvf+jFq9=u0A}f8|4A_xle}TOcL3N)94#xUeIwD*GILXoF)l zG3ogkHb&mNmgEP0IrTo(DSy50zaRd6bYoXTz~kYFPt8sdjqyxK*@@DgbJu>}iQ_Ms zX*Bl6J!os=`2FaDlQrMPKL4oO#hg+qxdf2>p;|ap+#!1TlXg$mZaE`00VH;aue4SzV?b8E zl`EzSx+n=H3WI#R`zt}#4@9qw zndy64x|#7`$PX$T}L2NI1_58TWSqfiUy_Cn90=~A8Ap^+#zz`>G zVmsB%c1?D%m&`pIgK*Z%O^8EWmOEWbzC7+W#)#CJts=K*rfMk6c>@1NGulG?+)1Rf zbyLc7*z+>xU_YMePyvG4VCDbabbfyFl;Na`&a>2=p_;3IU!TZErr;Yq(@ztL_=^?m z@oHir!f1YA_R*uRtdTNnK}|(LZ0ta^SO&d~sScayW`7m>J`Z&hg3UuMO_*4qQpumo zo{DG4ma+z^>@BH6tUZK6t32lTjY@CU6SIvpm-QXCB|*y4Ip#Vcxfd<%uNU2-Ds|&d zDN;Tc`Y=z|(Pp<&XsI*dDGw^FOhXJs2BTwro)7qo(s~wC){QPZG(yqA1=#f)1kBHD zX}eziIcKK3da&cz>p_qKpnQEQyNSkW?&3+iiTxOKhxBE5bgPG%-Fgs<5G_y>KC*Cg39s@OJ&AhEE@05 zjqlC-@V7l&PwW+YLC$qRg)*7 zW;8JkR??Le8CezzOfes;-p`1{miS zXZD~ZJVett%C*l(1ZPD(L6=7Ow4yfX^YK+gVGYt}GmP;5lTwo?w2P#j+M*ymn|lCW zo#w1$VfJKUletW}9H&%Sk&64Ap^=&rrB4LHxq10)84y|TsvJAnAd~92|8%nd<{>oR zmGDg4bv`A0@w5ExgWUtVCyFPXpWqdx!GNJWR$aI?O~oBKI?b^0hnbH?xSiT{>24Oc zj#)zyse2JDi%`GtDRk{t5jBZ0ZdwvLj=rkdN9Xnk34$7= zrjsg_^0`G*2|`AtI#VyTE00e_{Pzy*J=rf z!jy_aRhUk=E%u4zc1cmpZeleW8Aiy1Pp^Glr1?);Y6A zr5?kP5+EhQ2ox?$7%@wTXjnli9+;aME#&Oz3QmJz|IauM0H(dp83q=GBLEl=^N>~L z>FpHcFmkh1j{l_P5&;#O?F>B-$e>ro&fMh2X~EK~h%J^^mS?gVeJQhv*V^?J15G0| ztUHWKu37@S-|$WO0Z~IFL#^*fsW&aTX3e)rrbYx}e1WvV;CMOW@qO{Pr@I6sppSo; z)jsdLTy{YjvIb+R0vA2W~UDbIF1G80yQNte1Zu)&QN2TQ5HwYe8fWQZu! z2(xCUBMe>kzZ9x>v^O}^PG0-+MJpxd(n*!;1=rq*+5PP#eqz&K9^=;!PeLenP2E^) z3nqUzs(LPR`jgH@7(btC4aB+0Hyv);J?57wZCqYYbBCR3z3flWN|V(`xj-5c%$s@t6jD^MbDT!ZpP(We)hurV)->Z{a|d>jqEdxyqLKGb5dBl z9yQOy*1qf_S%C#AKgy})D=~1E!YEyz%leM-U{XQ$A=*oe zsrjr=pn!gc;*;-Hi7Bgx*5r|mBFFLeJ>|Q>sQ=EF{yG^6GD|YRtM2Kz#Mi0+=4%7= zDEY`Hy$XiJYiS=+78+wB7PgWiOd}TOM@zE@rAu|lk6!7# zzZ4U7Xhx$bPSAH4zGSP3I3u@px#}*4eovbeFN6$9f%?%2KIjyUS2-ioMhp68NhsPE zM&=ouD-^2I%A$TKQGP?zV*63ot@A-o&17g&rM2|VdZf%(oj}J>1`viQxl74SyfoBE z1?{gMw&+_rMe?JlIVHD@qn#qn7?d|FRE82&s>&?`q3xP%S%EMTs)%VL{MGXjmGtM{ zq9+-TLrv&$sG-pT{Zpv9e;jH`CQa8q{~l_@$-?#-fM`=HGC0bvOox*@YtFN) z%Cga--%J6gWY?qPWom}%%VCXXRLk6jI9Um_PH3Gn80j+`;V#6%A#fC9=@kHVC}i{^ z2qJOt*oeyrU@9HB4ijpiJfxdfD@|xFCCnCSS7fHdvBp<$4Ov^2qi&3y9igannIBj5 zl?O-D(5guvMDE@Lanf6#ObOVFOHo%EvRpP`^YR!1VvV{8sX+fcfq(Zx1iUi8!H=$p zSco9prGdNUtFvoZL)$I4+XW23^WO%B6apD6#1WduClhjfGG{bF0FM1D!~0Jw`kCTY z*dCvZ=oEOZ=ig6eiM;lyVLSH{3ruWR9jh5;lyK)_DTB1@n`u3v*ReXaIcKA)cXcCi z++86szN}O{Eiah2R$vUpy`Gfc$(A0gV=f2;-GZ_*mPdqxg?=xzrI>IBS$Sy%U)#>)ql_DF5qPx507Qpy1q|BC%|I zKE;OFnZ`mm(eYdNoQ+z(coWj3M2Cd>45Wk5;T|nWYv<%Znp6TQ3{6Gz0oQ{hpYh)Oaq;@rL+*ym%%OPmA!R zwH$s^hXdQQW15lG;ry0T9WBvi;snEtfG&OuSM=>i;;xrT;i*doQFii~$u}5VtnWvh zM%^U`GyQNoWhU!uTZ#=keJ@>2ljfz#x4Q>#2AFMmEng}O-Oj6}Ucmrqp-0J0rF$V& zTF#@i*hFy^lBu{S)TReIPxbz_+3qVEuQ`Kwzpj3>`w@x(Xod-Xa0EZuBtc-BpHJj} zNOS)E#@t{%&TS?ZqX-{<`(XVvSD#j+zfvU!Tuk;B?f5ihW{cnz@s-^fnkLg*Xklw~ zo{u&3RVbf=Bz>!Jw1Ko+UqLQi`XPqrZIxOY;;Mz?ebEva8 zbNUYP^5Mdy0jYsdS;7^^hpHEJ(zY8rTF=}J(rDEJk?_ntmHLGC=;*+D4}v!GU7c9e zPd5TRHWs=&uzzwR2FJz{HEH7f%Z)VJy==_yx54&$PqH2z?C?qgyK5GKi5A7%m5DZ= z*PJgX`Fk8iR#&g2y#NxPjX%bJB9`^sX?DqGx)XmU=#f< zgls_fUL%kKC#K+dZKLsb#4Q{RAr1*jQi9Rr>$S`}O$cYcfaY7gq#|{tjuO**IrC)d zSq}Es<}@DJ@H$=K+#q9Daeu1ukRB;Jq?N}8YMT{y40{A3gX&6ENFNktXV|KgXv%~d zY(&xzCDL4FSHi>xLVZA`Q5j~um0`k9F}Zof_@doX?VYneXUQYz@@2?^o)|i-fqQ@R zq`w~jH;d`prd@xJ`{1o#$NMWn!!MHYPO@AIW%Ilx*3fOJgKj(woK4@EjA`e9T%Fh+ z3qukzx7mynu}Hzi~YQ6qE<6Ye$j7$T}gA@;3C8O=mF4=3rOfdWRHrF80XJ=8f2#A_~b|-2;9C9}T$jk$#?eyu3@=V!`3)1vo|^K-7;8aky*C8yZA!U1+mm zH4@Y}V|jl^KTiZ*KrLVA@Yc<>l2ORcBoNro~%-ugZj|rMcj%Hg1Kl4dlA7 zl#`72F4Ss=z1it1Lbjjb3`&Fgk*xdG88cp8l=IZP`EKK4h3cSRyL9O#EL$2su*f`q znm#i^m3-kWtNT)lpwX+lc>%FA>)g2O0kjA_CJt(p8({tU(2QZDF!vBh864<~>JpaQ zHHtUm&FEaqp$Mb{!`)#`!MB7=-c84x*Tdos!}$$gS(6%^P56Qb0%p5KO>lcfg6wt z)X#q~#Dvgs!nT8T_ti$ukg;cGI9#PaH;Gw%QyLU6pv!{Wc`o?Bj+74|HoyR~xliBQ zRMe3f-)ugne~9p%?}ww!EI(iRTFrXfd zWv)6#k@|ywEa)gZQEosT3NnU!>ieqh8TsFhwl>mwWv324=$R`NR9?d5z{ojyCXFvm zOc!hv{V|f1F__J^q24&lz(6fv9Nwu7WGF|}D<*RZV>7F<0G;_~GTvLO?@dJB z;~Gr@P!_R=i~Gq_g$#NM;ubzjiC^uGlpu7LmIPtAufEKm#gCJ`>%LqPe%(p3Tlowj z4C^Tj)W+ih@oPY9`o6{7mO?A($5afOlj0k_O}iBB&ZChId*60;PnWH=nooB)CYXWb zqGjO)sE=9)V6ir6uI;M58AR*8Xn5H%DUnLNuO@E_G@`O3ii^d~V?`5PiJ{z*c<}~+ zY|4guY+;D~VVd`Jl;^u_bCk1J23p_8DZRSqlKEj+P{r4Lu0E+qd1LpwzC-lLVbVvl zClWl7+BDEaAMmo) zrrE?I0k1ji$RYR1+hs)=)c?f`S9cHS=l6+`Clci7UhR|J^75 z*EIAUBl&!SUFVT6ZsXH>oG_xM^?rT%t(A`pVoPe(oB9t1bqhLu2RYZE6W?oPcI0N! z+19bIm=*_WzF zmN5R&Q<(o+T0@C$sm#^h28|u0!dh=vEmx7h<-E$v%Cb-lCT-{}W~XKcq8JGXZshi+=1j+*m>wS+BpDNgSC# z9RXV9f2V+h1jb__Xz6P`P*b`(H5! z0B+Ip-z%6EJ$%kDjtHh3duz#?e%RCf;WrMlU}bBWVy24_t9B8QD}#u9y76&7B%UxJ zjEsON?%u6PtpS_6ZkR45R51SW(F9ofaxxe|2buPD@)`z;f*Rm}6KW=^p)F|h03Pgh zCK=)6t1@Sm>6JHNKHo%q(M<+COq{$gsKsyBCBsOa+)OH-7c^-$8WL1Ffrw_D%~j^!Ne?09-Qg5^8`2!b@kk}Q>=c~C z7x^xe)+cpa=ooe|xgz{Itnp`o1UTvI1q&JAU&+G%_05=tHl}TgRPjxdo|TvSo*2i(9e5CW6kiHw%5}#nz<;=01&2Ip=lGq8%j48MNhE`_>}0#>7wbS&TYU zftUU@c-pWsU&(TIjK&=3hiDT1?bXA0eQQj2wjEgp;Db$?jDl* zY+Q%lrP_2Sp)O7-E_u(;NKeVuH*8RZJreZO3h~G0XuA&Y!O(-f^>2b`dfA!a-fkXC zU#sFAbDwg*(QBNLUwvXyz5Be8irzFDlHVj}{UuawJLj=gG;}$~#Nje1fY*BOOcK-` zBYf7!K1IFiP8W+U#G3Yi-f0T}69JK%1r*Z5S%E?V$yZQ|7}W|dY?(o*K@cA1c!h)p zm=ysd+o(;eB5lm4JX~9jTT>z8m1A&s*en_CN_A$q0eh4XU;8a-qewh`$V1JtQxaZI z)!JP;dAIcmh*D)W+f|z-HC_C6aYV^LU(uM(pLRQsq!C|;nbWAMUYDg84Pio}R zBtMum0HFoP*Plf_0L(R?;ird{e>!6O55}wUj^d|>6{TCRn0x=F;W`Iob4l^rQ^eER z3CBR*Wf)lQ@^{F(is_VhO#19*ku$X4rVY0@hG1ij5F1!0j)rmsDjx1G)XetKIU`hD zqz+7rbzooi)atU)2UU%nhP z1B`c}8aeWEBGwUX3nSk!i4jSh*gYnTXng^f=eI*dYWrTG7D^S+S9PemU$Z{jbN?DN zGKG6~l_PNUF!58&K+%zy9)U|Pp;?$5QuTQobx^L8_;~pj9!lYISqnUZ7M=MP_w*o0 zVIFiwZKSkMo`rn#o3nV0*`R%!u8f(=hr>?Biwc5S>8_J&*iHoe^9Rr2!^bPtv(gtE z5`qriL z+9kMrWnQU^q0vvG^&k$|_za9dWm!=Sks&6^4C(;$A^^3e^nsY@C?%d19mmX4;?=7o z>Kq_~Vsbf{00iL6ibc&DCgkTd$zMtfE3o!yK#eS_D6B8UfR*vfA zh0`XkbEFsC`a+-y@bEWQ0i;8t>oAph?H|Zsjfci`Nk$p`z0l|06X`o`x{zAl7S!BM z1Cz?6TYNE$yw;Z?_@RfZSq!C*zT%!!THs7>BEwdpB-l51Znm+`yCltHg#P3jB+R_= ztcrXXQZ8i1LQ1Y*kEycvh ze{$^|??9(I?^KWLn_bzBH6XF=b*FBT-AHQ5a+V+K{S~y{$&v4}d(H5JT3ce2V!thy zyf-W{Ym%ph<9<=dc6cc`kDgfGVmW?+Y-x&hBA2S}tynbIYnyxYD}Ak2FP6zw z!sueflrLmkKjPJsnh|PJHRJ$zk-^YdlTRjFe5Dmd(o(e66^!#Z?4Vz#W*Gx${Ih2t z=m2^3txpMmL1HCCi+aXz0!9Rnlyl@V_VU0Ns?3UnNz3V|8@ipPt~9x9D8`IUVialE ztPpa`5r#>*on(|casNZkW3cBVK_;*iGvTDR!-rWx8iRUlg`OL2iFS@0q2FYe{B6^xoOUgN!@0637)PpQJuL_+|pU_p3J_PB#W^X!|LxTAX3O#2~158}cbd*lYX{ zftr`8&(LyOL-T{oSycxd&0~M%Cy(po$T)Id22v}_!>!wwt!T!*Kbin*aIanZUg0hl z9=qfjw50+dzAVihb@z0~(gvyThZ7`I%f|)$)-bqpq9tLcv4Jz%(RtVA!+V;;eq}hsqHXQLicAny)`l?eK8-Ab-;j z&J|7G*83$vNuH2j#CIPX*_(APsLIiR@KWN+xwa|=-Jr&VjVqGoys9lWfvhQAuW5ndkAh; z7z~yiXK>xpWFCUczBH%wp$rPD-qr`G7YUQ&sKfauu3sHZ{Ku$M`7^W9A)DNx4~tYG zLgeQL0om6GHdB)$=16gKs@7BMS%bn_!t^7KoSz^@jd9fJiYefRd+V4HX`b8;35Wv; z&W+&?SzJED-C1E_F{aS(4VuHLywi!ET%T@w#3v|QoH{2*EjN$8_G8KWNB1@Tw7@P& z)HK<*1bPtI+x$bK zN%>~@(!~!dy{^nYr@6?Kj|twNPk8OtjfQ1;0mHpDaVIYCqq&Tuh~;NQVE#MlWp);* z_j}^iH``tl3uV(DBbD`4W-A-OnuN7aMqk2U18aExGutsXF|uX!&OnCUxWHBS!kAnU z$RL=sYk53m)m&b2l}H-zvmQ1LJkz{g}rKJqo>ObZ8Ha~Jzdf5o=y-E zpT*>rW6tZD%!@WWSDG*!s!K}LOn(hQOX2e2pB`-%!5t***b9w@b?3Xx3QA1o$}>`4 zG{E~v|;_?{>Iory99tRd+URF0zEmHj!7Ii*l1`I@8d!mnDA3J@%dqkw2xCf+;% zeK}gLDiZAo-ogNXqtgK5p|+P&RO(<4#&9ulYbYh_jQFAGdaJ|K7aD?yxsWZ()W1s6 z5A}SX7`BVnB>c}TZzE*|eX!h|sT(kX(>@~Y;m27ol`ulXdoOy{Fh~91F>-0;>94BLpcDEH)l9*+l z1&EzS(KNRV=uktE$ZEIqD^uQ&&1BpDVq>;a7yHqwK_;%d3;i_feXEUMN za*m<9Dgl_h*8zBB#?~$IJ%dpwg0rd%L^T#Ke9p@)-=K{FU=>Z6c>L|NUk__UrM$wv zzhcH*Ss}rg`>IIuQacu)X?oSEKg2zGn>W^;Pvw}PyMcMfkwtS}YA6I{&g43ZLx=_G zB^%WbPYxvAN-c&d@!%s$iMzLJ0!Ht1LP9+fNgJI=vu@uiZ}=AHr4U(`iDNuL`ZIrY zZvQ8aMS`qE9k?8C6_v<1&@~oy)e9q^gB*K?Qg7U)U;m=GwAi(5c@gdSm~(fe#kZ?d zk#_jD+;+};Y~l!o9fRPq=js4|%CX6J9XNoI34uFxJ2pox(LLW2L1sYixdt1`?D>Mw zY~-C88VN<`+UvJW1vsW0@KbC>glvzA&ch+~_5sqrXiZu&NHyvEr@apixTO)}z1wVM zBjV+UO`)8vCzrfOa@2S%AI-c1f&t`0Q4T2ghyP|Z>(RZvK;PY){;hv}7L9j*M*0D6 zdKKVadEX`m4B=Sqrt0*m7!qHq__jJQX>lxg1=_JfxstT)F4+CSDbFO2&KwY&jNRPe zUXLsEoHxhZRjh;NMiW6hTBT_qx6BI>RLV?*1QdP z6Xvo@SBlRxIBneki2^M97prJaZi*Kf%3NL90`g27#dMi50V&G@!p4OAIUKv;N>i+lcYEAG^6XsUCX zch^apK&CbJA73Ua$I_3Hq@7>-Db97I9N%>Mcp(>CT|Zl@e6g`X8fP#1X(}w`E0$q*-){*|QJodT_F-jlkCv7aXq$b)OdqH8N2x>)*)Y`xb)5S!C0W#?O%j<6gg#08l zI}8GQE)Bs=4k$f86AV>dcY(schFj(1`EXUu4p5+z8LR7x(Y~-digz@jx8uGj7EV{R zi%&|(=MR8@7C6%s+lCk0_Hz8yB^vrxQ^6xM zp<`O|=Tlt2IlXS9A7<4u)s3`R;HwD=WOByB(=|c3~%=-gZ1NIud z0%uehVoB}@8dzGeqqk_^@{a(Gd)msXm01Ygc6ED6@$LPrRYNv zmJ=tZ?dL!joovnGU4|~pax5l=e#Oq z9JBh7Xyu`cU{cz^y?348Yj7<7=pcX6xxIM*SXp~a5Cl7r2YGgPCZDJu_~Ub%)tMF3 z)za?J^Xwe@xeUg>bG|$3OwqP5i>%G@vD2h8L=Qn@Jt6qce&#HaH#%Jp=6|oxwls{%F9{sfxMJ@k{jxp|}g9 zXi^>Cxzp(=DZh&}<8(j3b-u-jgo``Q+=a|xkru+hAes#`$7EH@-TP=RJkoqlQd6-0 zu|a>zx$6QBl7;QfeYPWM2B|hb$^|RQpf`A7J&DtoHB%o)=j)F#z*pq*HzJ5eu*1UO z2TCZ{PNV?}uTS+-k-Wh}gU~3bAUJMsi4k?AHQJ7|l(r7zwmg;%di<$3{$FCXO*{3* zQ(}763QLjaUX0+R1ec3RJ)@qQhi|`f0fxO^8;4I*OqbUYmE?++^;vr|m7(%JS0y3W z=;fE1#Z8};FvMmpQ3ocLJ_`-mjy@z2@0pKGuD5?$MnaI?2GPn+M<$O8f;Tqu`&~N# zh@OO^demGs0H2k;sgI;c6O3i29)rZFy)miQt{42p`MhjAPA6#&mS+@SJ#X(U=~djn z73t&nNMyLiuDEUb(#a8 z&$=N-t9$^txURC({CRJy8fKyAIk4nSiJX{t_^tAXqrHMRKH(|xs{KIDF~76n!6Q?< zH#{-+wVtFXSq5oPBTmTsZ7-JgDMoW1X@A{nS9oEx*%r+T(++4qz&|%}=sY>r>-a>x zVg9wx_8!do7H=jkmK{lpyH_9AJ(5%Q_l=+@cNn<+M~A@?2695WSk()AAI@AtS3~U7=Oi*@>&SKI z3X3PZQEd)!rpuc_4By98ZKAm6%veN9c5i2!UUYCtJlAhdFqI|0_SB5E1*xm8pXbC7 zru$OLE$rf_$k7vOq_`AM!cfOJ6r{|nJZBIR;WxS-u_(YPUFrtz9#R3METb3(1$kfF zdg82L{Z|@Sd4gaUS9vOwQbbTT!}M z7Ij5_Z-I!B%icBA?g=7@E#RzxEAiu=ks~*pZS?`kG=9Za3G2w1@&zc+F={G#^rQ}+ zzEdUl+(2~bAzI+gR^~f_TlH!(x|Lzv7O27=bNM~PU6mD_*xkE47>w`}WDnyp?ey;1ao^ClcOKloaOy8l_wTRkM(VMk z&hBvdme{8s8T;7SBjroSY3`(wKf0iuQ_=`moxFzCI{qc_dgA1-Spdi2$5N53)|kCq z4yn5^G?$j+cXaAV4^cLmZ0T9Q*nF;a48ifhba9NyoaKl#HJH3!x1_P$I-mNCd9C5d zO7X|na~sEL5|AiI-Z!>D{mE$@op_^1_4>KYb#V5;X-&#WI;J$9PiiTGQa@gowFt#= ziWwAKTi}VIqtlM@L%Yow1$sDbX^ya|$XC)XZMDDVG&p)ahG9YTqT_f=6YvEplK7ZX z<>rtopL>O!TJ>dIA1)9Y^8$wAkt>$-Un=x|m?oCLmIeZ2rHfyO0DB{OxO5g>jTrV~ zdz;R?!Ua5%nIP_HfLzJ0vX-K6X-%WcgloBUZxk>o@uBmh{fa2uzje$9U>ZvgyAySE z>41W@Xh!{6q+sKp3GF&ivbI{f{ofz_uR>h#hw$fc{@#OhQhNwZYc9wFq&@lkAzw3m{$LtE=0-q`ZX(nB_-_1fF4L~PX@MspbpuQVJBzN zZ)8om)s}ZID6Ye4(VViD`z0M~01rSG^=fTILfc-Os#5!!hv&X_FgV3-pudrt1PdC< zRLM~eFr%rII+j{@#)46{DgpEdyNgJRO*(|42cf0SufjO0GhrVKDz(0^$%~TGuG&rc zBZm)IQGC?_kchggxdK{GhGO|Np6elj4t^?c@cE$c94_ z9ChR4-VY&VOR)W3vc6Z&FEA(lym2`sw5?w-E!Ml-3!r(zKZ`T)PI6rO_|4b(1IaqH zWL9CyESqWt^C16XFq$+bJx8s>gnXwyt<8-EhpE1z%6hXB=@M~WklG@49&H#Q=e0GU zAE2$6#mG~Gm*~>0_0Rxom#i1zK>C|AN;jD=2;SbmdsHsAk#en^gFOA50Zr6sN4Bzb zYuslx1$oD~hL!m4$}q-z54=_;tz## z$OI}om_9|~3_=yv>M8{ewz%|{LCTT?8$uv?M~x&vyy}S7Pa`^tcC}h=gE)f3N($Tu z_VXCl^A6W;bprjT8V`r*fJ^Wj0w2K`mn79>pTiz%;XJeT2Hg)^*AUua^-#!=g8;pFzvHn&T=?dX}# zKBJSgRor_sg*Ix|R8+kDl5MH{8VIthW2+Q^;i0j*2btduLx?-}Yn}Hkyg#oaNC8%2 zPDG-rE&u2wRZ_Tpx~F4OpyF6)0RgJ#4rULwF~#`S@*8916#Y&X5lpl!r{7vbo%Pn; zU2SsD@!c?HC-kS8sCjv;S~|9dN?6B(<(1V)xkY&$ZjoIE5No>O%LYJSMLmnH_-x;j z3goyq6?PXWpUd+C{SKZKn7MyC9opm536U9k@JqbAeu+l{Tk>%>-0@lXf`w1PKrT=Q zx2b`XB#cd-Ers`V!5DxxyNN5S0snua$iFv=z)zB`)g9f8yrdv4U$I83UqVw~A}el=wrGmL)Vz8U&oF5#K|=%3fPD6z<~FVn zD7iyQ&Sb!df>O(o<=KNFY<>ymmmR_mat=EaMsDh=)j{J+aBn-|A*?pgqVGuJ5GfHf zn16aG!JN5r&D#?{ z{h8{qKMTzj{-<8eE62T>#%skpzv(Q4dznsJ7^G28jmvwozb%!F`ZmLGGb6r{|Ak5p zoyq~9(|TCn%mqm|?#SH)Uge9*LEUbv?2QiT1TxPVeS6g9Xe7R3rc$4x#tL-QNNS%m6lD}(J(rN~^7QUGyV9O` z#NgcSiJOmFdZGHB1a5A|cbzct0#l%M7ihn;(gX!+ytF_Mz=`O)mM`>CyQUGuA|_zK zfu9)-VO=QH3}eOj+ULL);smTmniK`s4a&?A-2AQs_(k~`zXZB?T>KlqJls}$*u5*% zFGhl?Bd8A+TJJR}>(^9e+4z$dbV881y9LRjj-o?OaxEOZ5;o+Ix39_ZlbCkD>Z*LX zCib23@89z?MD+b}ETg~pP!99EQ2JptWezZEK>MWXz%j8NfsUa^Tu#1XF6e~iYDzae z&kOU>W?=E$NM-I+O*kX2ttKI!@u4f4YKDdi^C_Yj`MmK%kEITQuZte;`apHtmYY}UiQA;l%DZwQS+^W7Hj4z6A>7BYGWV8g(5{D zyGDMkkdC%|X#b<|bH04x&D!CUWq8D)nT-1$GaX)MUD$Zp5VEo<6fKwKd2PVbwfy6C zJ1ScU&@oFxc^JKfm$B_iSRRnEGW;pgJr_JSm)ZI9EW>fW)t{*vy7;xqsP4mp{C!HG z4sr%HA-)qX6pujfEo5Ab5FM_$lC`(=qql*!W)0=-u`()IT6-{%{Kc_;e8r{?H!#)y zZRbF0*vv6XcJVps$~nhQi?d~$uXxvO8#L`EH;um%7DG|QtKiw3bYj5F&TNE5W8zLd z>&U@W4QjNR9b2eMA#M8Qr8c~6zPszeBgG|ghCO7;UrN`;UqB3}mkRWX|iC%7I8 zXPurE$dfl@G|4F?6y%2$uEGJ&$LNTZuzWwK8I_tgvgv0wh+PU2oA~H1GG0QE&EE~_ zjSde9lDW>XDmLbPqqq+qQpx)r;&6}6Z>(=oqSxGY?BpryF=eXlx7hp6el|K%2-sj8 za(HcnZcRTj{Y!x8)aM^ND@>pH4;*5L130EgK868`ua6YdQ8!+$jMxz2otHrNsdS>> zYAyu|Ozk}}O!I3=-RPcny&0t(;RRKQwyb{o0tfy#7Z5N**)7%^*Wkicd*b(-8*Hk< zjrd)sqIda2Awac(PM z9ERFMFW)ES-zladnnFTx>2<_`_iSa709ZyZxo9VCt@&XcJr>M#f&S-+WZH*3Q;#L*p9nBEpO zR96fBojrx$^kxFlWeb<|@yFNxz>}mwr@RLN+`%;&Kl~Ioo0Cku=k~B^N<=BsmRV$E zSo#+qrHN;XZk;9qblr~ygB5=iP0>Ug)hh~oQpw%Y-C4v~ZiUS~xS1t?SS^E{Kck$V zP<8O`s+RxK6$;xn?IS_!<|3^v4ggrM|q+wD;A#rYihbs!Vr^IRl5* zcYi>XyNQzzwxD1ci|fmxt#%9N>nrZLQ`q-ZJCZmc%CWK^<(G!cf26cfwB0_n+nb*Z zGgFR1e3js#Ad%{l9m*SPSFxOSA~HrO%Mb6~e*dbUxA?lM_nhms&1F9HPrP=W+RZhKR6s&5MJ`@Yqt~kYtJ@ z9H2(n6*M1h{ocmaxU$}d+YmftQX!s2`Z&LFJaSPlu4DM!WDf6SAACQmV=N0Cf-ps`TV6&oTfoS-b=yGg<-jMpAaMUf9QJe zsHXaDYxogSz(x~L>0LUg^b!$}4kArjBA_B&dM7FowvLX1{mEMqbOLu-7PSg}IFEQ({0k@c7cXAh1b)*yR%zyY_VCRF^o|qj z&s#R!U2yMBSSHinf>^RvA)fQK*Xi1?BP!pvg$D4KdBn>=z4VThWQP%saxb;U;Zn2w$-hY=d z|JB43;SiTs&~~x5m-=r5>AwogA?v>*%To6Jzs9>aA06bMhWx|LLW&rploDM(zk1!n z=5BBJYxR2(Uur^^{$De5jxU@8Hx7ObG?$c{pVpGBq5?tVZa*AZ*DM`#?#SgRIBh{# z>jHmHmqn7wXajw(x=-$RKFmh@*U;{CU8(pu@ro7lOi*Hym_~Z!m&eHJFTN!??(^HS z`%v834<@B$)2g!!B)0U0J1w^>vJEZx&uPQnJIm>PsVk~?u;GT64TEm~9i97kJwrO> z6WJ|9Zx3mK_lubsYH+1mrr)_hQd80tCkNSLL@zt@oD;Ezub*^RKKvGZ9c?~YxFu;X z9;W;6Tk%)D^qiO}d8-p-o2d)m6f zceRy43*l6JxnEaR^~)Z*R(D&@Cc<7X3cuDAf&z@j#kzvu!k3aVYZ3`^S)JY%C;=yV z*IJDo43TY&lXkBl53Gi~_)X!~`9pd_AOX_z4JO|s(gt*B)<*M`v0tpO`5r0iCFxwg zojHYgkXi?e8qlJJv!B) z!jOB3dbx8-2@n0QiOL)}EZ4XO32kSTEsE$ZHtCn9EC4Z% z-fH$dTq@oqf3_;dFU%Sx@@N}b3Obxy+Wp@*+drRXmdy@tCBJX@U%1HfnS_h38s?(> zOPF{w>h!Z*PZUV@+tlm-HJeyz-}Uu1ii?6hNA|2FU*TNf4!ehpZltzDKHr%}TCUtg z6e688=KofII3ia{L9FNHL4@NM{a5evz;#6wO_EWOe=L7!7>PI+%!fNUg~qIK1Am}M z{GL*0g%pj{{~a~p8~9cvVMptqs^YIxUqN1fYIX`wHrB-jvkh{Z50wjY!~CnMY4-=} z#ta?vq}=jjn*SJq-5Ev$Y68iCWF*VzR!ln+@%Nj~P^zl)2gt}crE{4nkn2L@{^bRm zRkLS=I(x8qv*(_I;avHbdnVdrw;KBoJ+$Fqwcp)%JQ2bYPt>$ zsw)ot6(>VGedy@Yd{aS0Gt~U(o%h0|TOBsTV9`#wJ;Pvh3nl^O4QuUBEX<=HJT25Z zdg-{ZUMg89r9P7OUGHK~5|tO#7{xQ1)Vz~_xzxl@A6?oouZuIU`XDUd5VC?4n~ z4?B^9%={U!4~oAo%ekwp*C^ydm0A|G_fwOMvW%kG*Fb9d7zG78mx8=B2v}?arbS-; z9iFvUj5UbSInC1JT$g(#9ltn;zdWgr>aGI&a-${H+b4=YW;Xil_YbZsrVK+!oVQ*x zRA4n8avZ%ogU-Ri|GZXxx63`Br0)&;=AFM z7OyP+W^X~I4Yh=14a-2dyjN;VcdI{`Es9r7lP)BXf(mNB0XWQ!kN~H6kLBAQ1(c4Y zjb)nJ>ua+2Ol4ok88kx!zxr9Z)aj%i+kbrPxPLZ8h<4gsG=~1n1bHLm-7cJO11>Lu zyovh4lXfm+$8zo(Rpklh;DV7`Cgo-n0K^%56aG(O;0S^3d5ks$a@@3v)^mLGoOn7j z%?Vr27;WzUk6O-yiwtyJvnosb7&`MGm!JReBlTtCOjmDfnw|)~SIg7Z-#FCtR?tyF zUtyomJN_f)5mEV*yISaLlPZQJ86=K&tJt5N=6*f5RWSvxe222w&}?xWtBavh4OJ8) z5=M&5yT%}vP9-7#n%Jd0+v;bLKbxjK8NaHz)mM_2wE_2`4w#W%m{q{lO>?Pn@JT4gyo!*x2m)G317G)6fwwNh(@Yc1hl+ai?9)9(c>fi zs!cO41sKeGNA9%J3IA&{rI&1>SrXIW-KP63s^2vhAi)-}gIT)UweQ-jndvp+hiM0} zN7HgY?;@@5V{t5RdcM=Pzc|(gZsQVKL0I(NmH9J-~tk^yZJY}xx1>)be zRK6ak8>`?A5dGbm;=Vg5T;pl!H_5)Ttj-o=kgMKnORaeCrsQH2wGu&`l!JKKcvR7X zijiKtr3bbMD3?T8I6{-Kt!`0oV5Ewss|gKCRXVzi@IeMi`{VXlw=0fzWtKh$9pO4- zq!;Lp6;ZW`LPCEh2W|S|e^%jL+WP8*VxO-aKOPx5t*9AkSXsJ?b6u(M%6fcc*0?+B z)Ae>UV2iW^BBnt-R)?qF`|N0hEZsso@r$J1K!E2oCq?(QHkb^X-*MGFDJNgyhWTpD z3ACJ!Vy8j>T<3rhZ=WxTM2NK=IWu*4$?L`Q~y>=e@RyDjMcn^y%@mD1Do4r$3D zWfk;E2DRR>f-&uRlS9^3$8hd7@}}XPrd07x{$^4oj)2ScRfKupbyq>hdUQXE@`)va ze?K-cbDu>--3i7gdZsfMwoA6kJrN_N_o2^1P@vJ+*gDfpX_!qdcsauN{G_UCp&0sh zuCC3T%VY;BJICS4iD0jKGmkk4i)h5U^jv3Fg|k=Gz20e28x4HGDn)hjJ%CjIKiZ4q z6Mi0-L07Jr6=V2oYW}jx(!cjMQ-5l4Tu%TS{$ZO^lAm@LZ{X-1Hm12OtV55-wii<@ zq?{Cp;I}i_m?KNJI0+7r25Lgvb|+xAJI$EdLXKy`7U&;nj|*UiPuzmkX70)#ZF%I!kU^|bh} zEFQ$+j)67vmHn{X_F{z2ic1)aMJoS-`{A+D01Daji0ZcbaNDlr|1{4~1N* z90cHmdFq`RfeKyzBbeMuA^~qwNG@gSv48V=@5JVXFa$0pss;V+toK(*N#i)4Y7HaGDvpP20OzOA{cJb8FAs2u18X8-LSXZ$({hTy>ODl?{yY%-~Pno|C;p)P&mWc?j=sYY|(z z7;tcUv0Kc@gZ-joK|~06UdZ;Az)5rl^VXrqO)?&UUED%&l@6CE;>DEH@Mz!RqLs&V z`z!mWzeazpDW&^dM!-Sazv{&4g; zkq{c_YgiJ5y1L)J)WE+wYKd39XTcS;E_LqTFzuIH0C+sG|7+?(r<|d5;CewWVH3&T z1%TXVh%4Cl(n!kOYIZueI)Y6$cS~)e-*|NHXOLoLgGZK=hF*72<&}y&c6Dl6|GepA zJb_eMTZAgTd2N}hF+rVAZ@NkGE)aYnm=MXC1aupfPm3-=b`bqN!y$nIKd0eIUHKpa+YZVF}Pbw*!xBvfn1l|AdJc1C-33=Ls0(kDD`+sM(hvY~Pew9SfPQ9Jd ziA!RPbmYxZ0RJ7OkTX&I8gd)j{v(rc)%I8g@f=S>OM2IJ;7 zkWkldkoKK^pNqAMX}h+oN9;?2-4BwkF}~us@EyFZd%h%xZKOw)ltPQ|jCxSow6$z} zeuc_F7M()C7hk5|HYn2d@03TD8%ezaFEp;M+?ympRn~J6(K^EI-Zm-`bpB2?Got^^R|b#xL`fFF+5| znZflZ*fiCX5E1Foyyga^i_BSZ^zK-0!2Cs_#UnReZ>7h9-W=DJFvzes712-_)}ORW zgwO8+huTxY9e(O)aLH`cb6BAcnzX0zZ-HVlX zV(Mj4Od853#Y$ydF7;xjEL;bT?gwCZXtx9L7H+>{qy~dc)J!6+` zlAb>4757(8zK0=6m%Aq&6J0^X?b4n}Q-YG5kIOm5(Nr)<<#6F$3#&&^<>#jlXGCe= z!~ynF70RzkYgEebRg5j(!rgV7={$kOki z-IH`b614J?K~k5G>5-&5^3lclX|EfGbs~6l8ToIW;z4l1#c`M@txNh5+NH=cGv!F*e)?Z@L*T;s>_bJU?&TntR*~5szuby^Z z&A{tf)z2ihw!hx?G+&5{c=AVx_N$97v}CQekW}Qpt8D~aY=;a``A=|P7$am?BCXxf zzu1j4j#%8+=%LZW{-m)9sYda`8;k6$m+pL2#`KNv)`Jy}J2$3@nH^0l5O9sr@%Gr$ zgOH*6UccMeL(h)nm6Im4S8M!rPHRmU{X%-IE;4F(@{dr~8AC9sG%zB4Jk)20|!EMeEI1E8-DXcq|i@VC*uLdvLd0aR!Lvt4& zFBtZP4pY5(5pGZOho>1z^MF$za_J!exBG(~7kzVFz=I~U^vmegF1-ZgK`CD-a*7Zw zyl+K1``+VXda+W(uS_^WVa$$t&Wc~uiZktzI#8Q@oIMX=!o7n*Z%&T(eTt~`N7A#~ z!J5P@_&y)Hj*mKMo&`Cf0QaUSN~PP zkjMwL<3BF{ZH+yFe@+HWKOtZ^$o{6AupM^luf(A?6f)J&%dFi0$~PIYHd3k^pa|aB z?DuEfTnhm?eMtVU?=%B)%=vgY2}yVrn%?Cgwsu}cTS~|?31x9BD9WED|9&zS@iu59 zobX_?_+$|3_3(PYa88dTlSYISBZpB`f*RM_^;!c$Gu1y4v9FmtvHS> z0xKSX$4c!+`7(I1OfCEONlOQw#?AyGtZYI~5ZYi$2;C(Pho306MRc8FP_}iGa7O7n z&3x#oZz?PFmjRFHiArZYFg~9;XfFxv*yHhR;FSoO?Xn}ARr&p{k5`DOsSGGIld@OS zjoG>N{^sUtGo%|Hu%D!#9B^E9*|V&EAxB>%lfR#waeeI``~w*W|CMLL@~A(FwkMNq zY`?xz$8BFG z1M~-}N3)=Cv#ZyS;|jBbhK&+J3@%4 zy?~2!1Ploec)K#+%MNB~xWLrwDDdK@ZDS)@>yeC-gIy8y6X*|Nfm)oaeTv>l$;8^z zq03$PWfW--fdbO!^R{w(u8YXF)3Dt#DevN1p%T!C7~^Jde);UC$i0U7=>x?M%}+<8 zNJ6pK?eHgo3|HdrL(7#2l_9ny zhKo_<(*|&%s$0~1V3*Du`a1-enr)j%z^Y)TdzYp=m*t18*|;g-!z{k!3$d^-@^9$a z3$d0b4L*N6FMZH&u(OSPcTp(qq>z|eYG3T}+fpy4$lLH)5h6ruv+H-^^J}5ZeYPxhSH*FGtEu2odq4%zQy;r4s5-tA8}>~<(=yyfC&qv3z2SSjp4{u3^TFeBtcjxz@O9cn?RuLI+J1X$E`B`1Pf zg0fd$B)EYuS)cJ53*Nv6^dOnD0%KP5CdU!hwu^?P-GU-HopG5@b<}hPhYUV_!*Q)I zVj{oyHQ|Nh7uz;H=68ThLCK4Sr}#t!ZZ`OdjQSM(U{M@ZfjnH_$Q z)h!eI&+AWrxKYYnan;A2{t;914Q21T))qbmAO&%9y5$oRTXM4f!c{&L@=X84=_^D@ zq^g9`#NDF|K90b&fKK~jlWzvB9}$#v{LP2Q)GO8RYGZ0$uxb!(i8_k2zA4>E1)=2^ zBc`%xhLF_NZ{lG;xb!sj)`BTvbxUM-vB88^IA#?$%4slOM78Y zN`JVn^Zx3Wxfh{-&%H~Nn#rC%{{c1ZjcsD$sUCI=R<%1?A0|c>Rp|{_2(jk-&sV9> z{iI-j;0v`m4+t@_;yC>6 z-ibjkiyaPd@Y~mzz_GJ=YN_##Las_IWl(f~P5lIzY*fdwWZW|1ko~39A7snqy_-;S zAAUaWaaPYaJ4)r-Fz=h?CR|Id&@k^G0Ej&cnsXQwDMNQJJTac!mg8S?(-FrUBBVM> zyLWZ@&-Vh_J1&6Yv;J1W#q8>>=5FQmTdS*?E)?}OF`0L{K8bg_)zIv5Adj)Ax4dA| z?YZ`AQTJDFeFg%%;LE1VU}3EL`OWcG{@~q{t<}(oh0J?B1`SP?n0BAwybYYD*X*9N zQ&`;%b!(46ZdKa8+g)FHxIRT6{4Twgv+&cRUetsNr7>#jPp!d|dXy<#wRm_EH@EuG zSmTb-e8BRGn|dN06U)>V0Vv0Y{Q$-0=bCtQlCSc{vJb~?<`5d&$#kd{xkrCij7Vg$lR`zv8l$t{An{$Zx{5vgvR~Jsv1SD zHlHk}V4k+tFSC~zK3?NO6kJX+y))-fC%dz1H8-u})q5AMw06#%d7#X7=b26u@w=K~ zH~)-*M66&?n@k6N8qF2zmQTpIM|~DFKpINHrGGg2Qb;guPJhtIk6^F)FoXIwNPF-~ z%y^Mw<;Au5lJ8BP$0)Pn)_OQ#Zi%ZOgknCGNLIY_KsxMpFTov26K-u(tKv?_#Bktp z5cv2Vw2mV4w|@z}1#O9+a`iyIz^E--*hQTlUF(ogFQ+t1OMH3bM&p)G>!Lm!UKu;S zmE7um8NBvSz(|A#O#ldr>;{bZ03KRcLLiH0d+%bpq@Gq95|r$N0q!?Jsmu z`kIG{XLrYqtSeR;9q$wi0+repX4vNnL2+71*8^C`ICVE+_vYgcY#Y^nyn6%|$*MD* z^W+gaCwNUy;V@SlJx zK>Kf?4OcG{_|NN4f5?%aijKB9q9|uS1>Zi35>sBHSJpeyAO7|yNc+VfL~&G1xaZ4L z{(8+n0}$VhCycHF4HGHi(+}I$>qKXY7!qRh%mG0=wB6$@wrAsX5EK6sBK@qtKRcrv zXZ=(PemP@bC@xOXV*tHy7lgN+f6u9Gs3uYC%Q#R#GhFrIALZJP@#L7-AxbF<*Gb|a zg-3d!G24RC4$tx1M7+3IkV{;}pF0*)MTE!*AbiO2GX5Xl4F>)CfrRbJQM5a&1O}ZE zkG}P1+G2Iz>+B!58KYDtTLEGX-{^Oq%L=U1%{fiz ze$SaMabNJBb8%j1VT_#!eXX7^Psx`8@~?7+&lITPwX%$1H5o@Hv&&(uPFZnEkJM7XQTisu>cdwC7N^SbBwfTNYSxw-@S@tI zruFlD&4rVp@$JoEH~khuWT{ifwK=oPLN?~nIJ@9oFKI3H;i=CbO?Tx={TLmT+fkH@ zDcRt63YMboHpnEs0}IcDFS{6ZcCDjHc!dYqA}i6QuC1bV-1n@cJLaj8tg6wN#BIJq zl~ooEra-sR06kIk32}CB<1&}sY<4Jnui410B$>Q5IUC=!_r=yKimLT0?K>5ITjket z*1NL1wF|Qao6PL^4pDf^)7KxDDxs!JgQc!(5{F8T&)>Z_sn$fWZt`T=Ej~yVw6Y5N z^Q>PFpmeZhFAu@lKX~T6@WHg7Cd0+4sf1XbVXLnb~w5p7+NoWhn z*c_lL$Lbf|z65w}xi~xZ*4-pGTTee%pi?1B^O!JH(#g|~<%Jcjo)mK%H8rpdTL>Ci zhCB&-u}ocUWEeV-Y;>t|G3l7b_0yPKyyV_XwZ|#Fz{{D~mUpjTF1UAg*6%z!>5nv` z&#$%>z-UP@;K}hrie8^K>hVI{F5xouXqrL2HrymtEcQx=$SNfS>2uZbbO|Souh!dk`Le_77 z^^=Zp$#ef<6igtmJbVmwbv`5<)4JPg---xKf>e>qFR<)J)xBRxx6=#Ai;Hou2Co?g zn=+`uS0Q82J9>{A%Vn6eNVK?!iY#$kC6O9%J}tG-`eJOCq#ra$ny{OmY@UE&2_;5V z9r!)?uVgE%ST~IA!_rUes-b@2fSu7($8aOmQ3nP4>^s&5&1Hm@kF!OkRSV{&GM%dX zvq@7>kh6tTT{)59u{_=Wg>mckcGIOGm{`hg(Nr+}#PFu&78S!n(azTwinm)PO^6w$ z$L7BneX31t^M8`JQtY)jwhB70ng{2%<)8S#4g%+_@y>?lTI8(`SoxpC@Q)39a*i{% z5mr`HMqRxpQx?4yZR;g(9`n*3+?fW02lPX8$c0*yhC-1T*6>gGPo?G-`ohhy)j3R{DwYhsl z4jt$?S0AH@yzGAh+WpJrV0i5INr|w88Z*PK)-HTx#*DE z9=i59`<8=dd#*bpL+wDnvLc`%1<4MCcG85#Ex?-Z^RS0TKBe(6F)zz6Z82WB;gLqB$&LH+ zgxv38ibbo|%Z6q_%_bmGGBfn2mSNfDM(GXmXX_mv6Kx~ev0eEO7LWFC)%0E(<662( z-Q9LLRpqHBJ7jE_Wc?6l&S)=l`w|0kg_0+??d;J@yChbG;|F3RU<| zy4ekkq~c1+cfu`+_I?Htlw9W#jSXDeK)f_t{_XS9STt6$pqXp@54!3}Sgf=f zg#Pv0hB$TrzK5TC{KLZ94XD`g*h_0Y_15f_qIExT+DZl zWPVu|T27~MFF7}?XL|Rro$PNv4$i|Sz-~aRdRv4I%7%(FSNtn$(T+iWoI{X?DOxZhg%#sFiVALqf zMP;6Uh<)F*1d?EcP|C-254#&ze<9`Pi@1StHvv1}!(?qZj+fO0q)`e0rPD|HEHeoq zV$t8V9lJr82<_k*fwt1fvrXF+e1B}}PzR@NHX*WH;*9rH;Eo7N6bK zM)d*M9iaoG_d1?S97$~VIls+4*|JvC2a&fbkyBBTjy%gL-lX)TX{ocq`$Q5^7$dxq z1TR39mC7wMi874DlN=z!BT7fL&G&^&0P?3luI_}Qkc=2KRUC;l!O3(APE5 z`k`^{nK5-%>-gvgf+S+4h?!OazWuO_>8z+cbdd7gc;QHSh1#ypy~c%$Z{2(81L+#BhWiOe>q5?s~5r+*ExfK07(m z5xui8HCwxK3DmJvI^U9>!({4zTlUIgs!q!4OBoysF55PAC45@}`V2kmF3uD;h&XPS zsEs#?&lFF>D=mi#7(X)nK+7&E>MUE2b%$n#tyXc^y@)A0PMv`RBcR$=yztC}!xs8K z^(QE9*>`Tm*DPK^5*h0Vp|d?k?Lt=Ewte4PtPV8gX1$*=AXl~59tvu3u6HvP${S5j8cVT9{!g|%F%Jl3| zDN;G7RQ3I5g_~zJoYnh$9&-kBBhm&F=*(LGf!iUsI#Ho{ELWiOLBmwOYm^NEz~f>V zai%YlytN0eZqn?Nlx>Zbsp5WLHCB_t-qZ|h0|%}oEoo8Z8;L3$B`X87%Aa0zw`H#G ztDn^vp3e_9j0cpEaHLzyO?!@@Si{0u@ds$D7`K*vbtcp8h@%BT)j^Yp+&Dq!jo^TL ziW=mtFEib;f8)QnKWF|A4Xgcoc>C(Pu%A{J*VNtrxc-#m_Y?9~vc(EE>mMM3t8=4r zVB<{$r6{e4?WJl(5zd7!h%)+iaCN>I$h8wo&km_`6s}_T7-GLtp9cH$#4a-K;$K(l*Mmu)oL` zLzBwFo*sSw@stV3!-|GW8U|`aEk5OL3`Kcs!{8t{KN(RtvF># zB`6WOT|XfjkaxOIEU|jOS*AtD}UBt5;2!1Mk1+j3|+N0-QB88_F)?*4-6L%-{ zl^j@S#Zu2BjkQ)v@N-BPamVof3oc8XeHc_sc|rFBeKVq#C*zt-2Vo z+^Go*xcOdS;3mVIe`&0@W?V&+UlsU|MDP98>K?j-JMt?J@#tT1Q&CpCa#2wjJr&3o zP2KiVtk(h!sU7oSP$KgcXf?B6vwbi^HGez*!2{zlj<6GXzp-(9{$Rp7!(wn9X~BFW z?0B(q1ygE-&(Shdi7jB*EIqpgTpo!dMV)>yT50ZOpj0yI$$gehQtmBL44ozdhMYS{ z;5C=Hn*eRm6t>yLDKl@v4d1msMwS+QNFq+KKQox;!?x@VO%xzT;jm+T@!Z>;aP2Yw~n}buxn8xc^S$>CxSsD)QFMRu35` zPow|N0$5@^nzpux1s}g{!Yfy6t>$a3rf6ZgZs>;pFcje1rb)YbIAY5rys7@=(m;W$ zDURK~C7RtiBMOK*YDn*3lXZ;0RV8H3IbdCC@>w7MJTI-jz2M_RUW+dCGKi`bD3Mq27?IeoT>+Le}v+et0 z@h05`ObtTb?|vDN-P!hq3wVLs8J*2(e7QQ4Io$uJMlKfbBi8zrbYnfhXO|$1ZL7xp zNgyOSoqEH!#pmqL;+aielDwdaY;2qN4}dzr0`HfB-!JY?l)DUixu^J$()XFz?0;$K zq?goW(kBtZtFL|94g4Q%{a-)6LHXiGfmzMF7X15wY#W?cHp!DDqkCqkTkf#%D3IDiKhFQ>A)euH|Xuy+W@(;8|MA z9p*rc;l(&i0GzGwH(#C#39dlMotpgEO_i`cS62ORE+VV+#1Gqq&bo^ba9+u*(Q8=C zj5iTv4?ay`_37-_T)+CglxY|Kz;{c=88|whVSeVwrxbNw~a&YbJw9(sG zT(m>r^Jo@(Fwlh;9|!68p16(3v$Y=NbNu1n7tiTk!7h2z?UvtZM}Tub?;!Z+h=TDy z5b&~^{P6+zE&>!b$H(mY-t?q7x;SEBm1}A3rsGcVnh>2u0Dqq%O0~(ox;uGpHeet8 znq-@d%W^-Y>Q_w~ZbXtO(7tNqP!Q+Sy&B{vP01!o-;$RNori4z-+snOfP^CyHjZ)`cJ&;WQQh!at-@3Yk@10UYLy8F{K zSdW}1wlAyL@2t(uxY&Uc@D;oGm`SK?^8~Wn=y+XESPkYE+W`A;>HYkq)vC3bRh6W5 zFIbl!ss{i+;1N^%o9u>lh3KrM>1wsJlY}=1zX49U^Z=bRy*ZffOlre9rqyaY7EK}x z(f~}z0;;#jod**WoL3clV}waxt)@=C4PwOdv)>?HLuF5$_wc3OpZ-#B<7$KlNaTv^ zaq8tgXcXjYOclLP8UUu`o3++!R-ijc{Oy>ze8eR7wq_&`{5+;+7S*Z0i-g4Ks6GZt zYw*&UrkCLjVm~6jqb1^Wjpa*_ZlMz7GUY-IKf!wJ&~Ilu`kNc}2d*Wn(3yWX7Cxj8 zssa6u>I=W}Oy+SdNn#bN$6=+%I@M`kX%2j`GGu81zZ~uUu-i`1uF>qU$=OAyk};Yv zpFNhFMz%0{b)u{anHF82^t#n=%T~=?c2)S2JKG`+PnsQsP0S7L2Ol7c1E77SDeK;V zJIuS}(_;}YWIziND`*^X)&-Z_fKIdZ56Bt(MtWYg?V7RA*&(B=hfUKKM5m!v)&0x{|2J3ADK#LeuY8K)YPuXJeTc=RRZb!2>Y8# z&1e9Tec`!my#jx4GA+CA`nj)T=1ZO&SKZU4H(j5>QzW}i>| zK|DWc;hh|-=c_HyJdtbe-L{A!2*82ctpOFP3OD8=%dv0u}kYGuDcLBH9Fm*I!8?f6HVBRUxfYl6b>Sh9YwnlpSG1N0xY&&mP)YL0K3EbMe z==W)`@~NM(gNU4*s4xs9TVTb!_ZNIL6g#|&0npcNL~Mqa+-rdRS=YJx&pW4w+7>=U z-EUx#*dNY2!TgOMAa_ZP8Fw6xw1WYQ2fuG_Q)~vkpL2m3-{>DJv~Yn1Z6SR|v+8$1 zH`GITzg)^-Rws6_@)rqT6Qe%jM#I>ve#Oej8SCyK(C;klyBTU*|J)&-p;c>b+dW_# zTv0rVdAfp!oU->N1qh_*8AT^`7C)T_$tLacOYJJRhe(D$)|QL(($#OXVib33Z%Z$B z7Oke5B1*mg3Og_;e5%>Hkm`VoE)m8+wc_F;(9-GG#4~O6-#Is7?(< z8JXd1oGmnx%)>bVa%lq4E}oD%JayF(KG^oL?@1XtK-d_X1Jp}>FFAMYjTeZTlGkFa zMvS1rHpp9Nzt&Up(@yrK_9z$T8;Z$W!+`f4`0;LOl%Zu-+aJc+-XqVQLU+B!>@=^L z#d518#1T&y!a#W0lR@IW^X&~ISgdTgk2CQVvYY9>bw-6{yI0#DWM-Q^j^y>-Q}C)% ztsg=?&7NJ(jN2_`zo=YeN}F+Ux5*?YLo!3|G`xkCnCU&pTj5xJB)E6tp@Tk%G^5i< zZjmV{xsytNa5&&=w>vpiZx%#|tRWH}F5cXVUD*vXqOkDlH+#83YSxih7m1eIc5r<% z7^cyIvk+R0xjMHbW06y(!`62DR+n|>uby`f#l0_AUEzxTTa5{f=B|tb191)BC|dx} zxv()4I@KQ(XQ!Q@o@5!R|*?!r0t4}uzqW66)%+29#tU}QB_gU$zh4*xX`_<&uh z|6v;R{T8!qk1z6k7BtaE0>Ok*iT#A6J*#}X)YIFXOV+(($e_%ReG;`a2SxE_%~FD> za{twqh}R7R-$ZuPa~V799?C{Yfswds|B$aZzkdo5aU!CK>aLu0b zQ$NP+@CiA{iT8i?&Nx(l>`|J-AKnKRekEBHQZy_%8x2>)*E}|!sAtTT?r+_V@`Kkd zso2hiQ(I2z>SJZf&^v z*_eZ~A7B)EZ|TKjgU7Z>8(eFux6B_pbC(I`1Rx@${OUoT{7aj;K7|8XTR; z^cb=>s+_g%wb~_8E7dZJn7>Ln8gqfipCC0Bd621ol*s{@Bjv&7B3DI?G|0otC=pH}Ku^*xE%8?9ci<7Ua zLz64)?SEm)bljHrbCT;lk_Gsmp3>{<`PP#9fQr7C3!7;id_2|pm(@8jY>Km_8704M zFSSw6KSI6dK=7~Osk+|o;&je>5?)gDJ7ny7YpLHd#0nEpfruKU|qG;yP8^&yq;B__)u&)Q2FrDKa0eJ(=?us5|Q&8=wPu7w+O(g_|9wA;BC<$4)o-+i(4Cd3}` zf1Xqb7A}dsH{7phbUrf?L3wnp@a8(Hl>G1w+rervcYSd5-Gnqgk-g?jTP}DU`5-Y! z&t(D=)b-J`cGAJ4z}B?w)a85Da#xr%fOT1dAi1S(@BW78@JHewJz7m?JO1KwQ;s9$ z_A%PXHNkZOQvtu|R9WlK5JL{4kna)N zz$=w3O0sF8xr%Xf*1;A%5wgPt_(a(DJn&9fHEwv9X5XwDzG|lOz#Sl%kitiCMU4MdRWKI6ai)DYj`unL zn4_g_Hc=!iuV*_MmBrbt{5{jY2QX94FTBDqc!PXWp_lZn6WHuMi<@rM0PTSTM&V+~ zxV!$tA-(Dx73*5RT+y@o40aXL4goLlYW-0@N)Merd6|vhFx_@TG(?aOx>YOK$>lVS z2RsV~AkGKNHmB`lE7qE}S4JO0srpHw_LA%WCYrZuAYbVY7V++RyZ#r2pE>HNeb+j! z5xtTJvzdanpfjCg?dYAlkL71*vt2td^c-EPvRgtyQF!^!ryyQ3Hjfy;zku5xx)^nc zv^KxFugQMvxD5$8=Y$2nveP>yMxe*yetya8uj&iK<1d;AN7nZv-i@9Gxaot%z8>`A z7oGVTHdEE0iSI0R9_`{|(94$hTsDEKI705LPJ7 zPxS&%M^m_t&#+y9pW1nnv*Tx-Dg4)9`uw24@GE1t*~wYqff!YG>mdaNk)8Y6=!HMM zjHJXs1wXHTgs}jd)JAwIVVW*VZ03EMdLf~9Kwl};Z;d`BTH>fS+(w+QU}e?qZCH8W z5ux*H%k!I`95}nia$Y?o20otUX!^a~^8@{?uugpHIV@wn*6*WgBke#UJ{QH6ZSz|_ z?7dZU+UWq$I~tSU4cz7`WRqI!RX^M0K1957W6<8_x(=t58t8u&RL;bTEn~Jgr#YCF zzp^joszQ4B{P;>bK4~74Gz+MD&*o+v;QV#ffN7J+Z5ElnDWGfa6R-9Ag|mxZ#_Moq zh3Wb^YbN~pw(B^{8)?dS@s%``Iz~4_=6Q;HD3GE|UNwuRph9s0><9h{w2g{P?xvT`a}7h_>fdRu9a^+N5iHZ0fG2k zA5FFV_TYwvH%FtOqClP&t=-~6$mVLtT-3yB;1))`OeG9!Lc&!^yohL-jyid(@nwA^ zd(62>XEc8M@+w!t_J>cYK8UO!r_KE25~iOPIPINCA(9px@U`!BLSKd6V0Uy-*x9IG zg^!8k?NpeU+ile5ig@(Sl}3W|J(ogn3UGY5embz`$rLrE$DAzY`@q+};|cwJ(C15j z+NT&Z|6<;W3oW6gpp!{NJq(W_aKD!Rb!#G^yAA});#8z(u_B4im8JjcDu!GSdduum z-4yfSMBaX4+qP6hewJ6Uxd0OyY(&DwceWq|iG0vDJeVI*!UeW0_gH+;C+~M*vWh>a z$8);tk&LYL70mDBz8mRpdyI3{N7IkdgbT`NuN6fTjYP*pNU)YJ1Rr_`hhU z!b`==J#msHR~Z{+x=_j!uN*t$0>_kGH>p+!NRTbE0}T$y0PYx3=rbwKnRhY&vS;wP z^LmF6f?eIV)YVep{9^xywfBr_vfb831yN9>OOaj#RJus73K$Uq6%nLGi1a4CCWs)R zBLdR96e)%liu5kML+H{==#bC?oCnu>x4vtw{q1x1`Nqf(Mts2W%=@0#Y}cIANJT)~ z)rPg7$!X|<$6~%=^C7_Kxcr_2KtQ_Mm7CSw)wR4Ye<*0(ap)TB=-t$P_F)q5-ON_vC_0t>`U6{ona!O>sq0somRWr^Co#p2F9hbE&(Lk4r3Bun zl=4(93CaBesHil$xxd0)An!&)9y18!-H2nFng7dO{PoW*pm&=RCsN(|o+cl`o^EyU zpR>0Pvl^9(=)o!T$=Y{K46w6zgiJyUJ+Bk0Q7Yok3Wo7HxYbO6VQ#!)>ay+OjBL}7^(aCnhdhdK*%1nb!$O1((bS8+2LFr? zg}3K&wX1enM^aVQxp&{=t-er=ZR9Z1&b4xx1oKTD=W7ge-dPG=j~ z5;6GQyc+X~>Y2e&U^0SGrh(DDxi##}K6%MhZ8xwvrk`ZJs{aMp|1ui@!%w9MxG-=o zk4=wvGU%vI)@w3*buv_wMDwX$)!Ui*J0nr+*qXBI>vAV+!czM<;(V_&(;zVA^H(;9 z3#Ue=$xiM$FSPD`L%*176gaa))b=I8j$%tlDL!PsF5NfqKzS!(c|L7MZpPczA_scJ z$AO%B6no*-hQZk&K8sdo+4kJoe2xL5@t!bHb$=V=A|c704bzPZ-O(c(kFl@Z65EKk z69#>T_)K>e^_`oeoJS`2>4pYai31%!Q*9-=tv<7?{rP@QNyiw8Tsz+MD)>g5WGiJ= zYaN&MV4OzRCi=+s;92V7v)G|Em#QyLS1GpYoYG0e3W~dB5swlY-vFzD)m-zchvSSD z^iaskNuX06JLz(%VKliaZXk5rHae7Oqg>PQq~ZMqc00Ryo*{hBsJ%FW5sP&=vu6sE z%Ua*UlTRBL5mT-}?_1WAPmVLuO`qEQqQ^OoKMLCx=7HYsg5sWPR;Hl5Lx805G4uuu z$my*I8dSIDzJpJ~S)f+jhZI%hO;FQ zSYV+s7i;Nixl%fjYsP*kk^_1)Ws{ZQoQbp^Z%NubdvpKQesLiXVN-4qO>0j~?Rb=J z;=QP2h`94JzwpQcGpu9IYTtdCr_%%=Wu7^Cc0|Z&mr2zkUzsL#hrQPSZa{ZOUH_zK zbDa%gwl}^Bp^9ba{%MGtXQ-tEwLOmtz52pymqShks1zb3vaHuYan6`@5=}l5a41ZA z>8L$RmB-4EEKkww^elp>)Xym+9EH}mkI}wVL z3nNC4t|1&yZIvZLM6?z2H2{-@g5k;csl$+yEFg9^9p^F@qCmaIXD}Bv8i%_);u5a<^L?;omQKHVk+*|Pfxx*p61SV)=T$EAMm4W@zTe@ z5&%m!Q8b>LslFq;>66=H%oORmIKp}f(WqxnIg*&gXAu<5I2pXY3aT}21cj=`6ea8B zK$+Q$^G6S57#4;$?@;*cO0Oz(uA@QMYO#H9kB4(-*rYW+?vqaDIBl03j%vB9zh<^a zt%#8n(N3R<b$aNN;*u1VFu5qt{6?f~TG03_9SM9+Z(>SS^QaG0nnG z*VVXT_k>PAz)1A39Ofs45P@{)UNx>}v;VI8cy-A7Ptfsas?f3xH``SF)WxqgZtdT! z^9DGRxzpAtbbBlb4;%vK|4AyNcH`bNAn@K=^&(a4p#ecuSdDg0)jm|(v+%qnJCa`S zNk7|2mE>r!w2tD`IXc$Pb^l_&xKkZ{oXCpLOwFslcjsHhz4;UNvM|_hpOOGy<0=sB z7SG={o-PdijpXM(=NQM&OWN42?Brvhuf&$&Krl?;@nF_M2Sdn;gJCPJ_#vaDY*Un+ z15wqNepv{=(T^lX6eZ~JvBSZOokle7@U^=1 zXzIw=_A|YO=tOnuOCHV9l=>0A?^LNpTN)_%3a)D}P!LVL8NJGjqYiQt)uN|O#$6U# zqZid@5yrU(ft+$W zi{ys`4|+M|rV~o{??#qAyL9`!+rk1~H+Y)bwl&kZj<&5qE_Rs~I1}@JyyLHWEz!c$ zzs)Wa>?y>m`7+)#se=16m*%Z>{L$=b(CGX1v5Y_nl|vfkm^|XD=tzQtj)MJ@TT?*w zCGmo|v|)dd@!Ssvsz6ISQb9gbBTaTA0YfeAjeR3NT%DU)3e`%~#HEN5#h(BkPgc(=eCAL}BZ2Co)3~{RE z{VpqJ<&bGBqf4lDZN=4Kg`r>cSK3heIK4WOUX$bNHSw=s00?Wz%S|n}bG(cH%;ovj zFQTD=zS(tsNecuIsPWB}T49U60Rz>N)c9Y?itt+%OR;kn+}OLE+=?t?hY2q-AWt+3 zKCz@%>oBC@_QWK&FEU6wmaG?VPXw&N)$Gf(oTSjh2+9il9Ycjjj`Q!z3Au<5!h?lH z1j69pyf5Olp*3@mU^nrlfmY#z&^TpJz?nz~JgU<{Xpxv{G^oQ@20Cia3=VxZ zqX6OG^Hk0v3vWhzl7T2577oEPb~Ir|KSCuIqLXOA`LTs-%Nz$hvXc2EQaj`kqWi|d zDG_pfT3`LW{PNdStm&n>J7acBqAZ=i9ZW?f>R(IQi zs5u9(IP`&*mn1GwCK~nHhtsmGD@^0s!EO^@%-}LLM6d(1>h>PSn$B>A!zdM@t%%T= zJC>=)v~;;*FcVJ6HNNbZ2c$qSs}Mo|{zhtCu)GAmL4?mK8G#uQuv+wjA8PjIgA_(X zBgzalbJmR&x)(V+cG5Qdl4+kfoW8DU-C6j-o*^ofR7wG4d+DSwE#BA(sah_|aUPjy zf6u2gxQ(-w$bW^=z`32V<2wOBoO04Gz;vI-o}Q7zF2<~aT>O#5Z4&-x zvfN%)`9k$EQZAiTorEj;)8bpmn0KTS%T7LM; ziWo>($?`lX7b&C_mz;oNb%SAug+p*(--S5lntr1@yo}V=5#TU` zu|i-sIEqRNvk;VQ<7d^!=4OT4iLcidW2$`)?n)P+cC0`cb$rGJ!V$v?Fhys#YgYao z;I)`6M~zC>pLn20tWR~%B|kQMqc6@+9w-bn3J|#t&CnPO0fe+GRQuHj5s5H|)P_li z$!KPT`*bF^S4__KdW9j6lr#JYbXqu<`B5oHfwwC2CPC8HTvS-)Vuzxlkv-Me1iPABc#*{|Z z&AgmRuY*f}`2Jh9eszO8uXfHIwUOz!5nZy!YtFOViC@1x$G)5dM)F|$I}oU0U8j;E zEnQ@u>aB}^OKn($$ur^EiiP1az>O#Gxe4Hp<_i;+FE0g1=8ipH zBe{Fp6874%H{d%|(YV0+68p5d{wkf(J90wgIP%4zEKSnIFIj1cSfvT+%c5@lT`F)s z(Suxk1D4HSBq0)t7#-PrUuQmZ3|prJX6uXduyxktZDi}q#}zV~Hz z)`q4~%O2ybjhB^o9+Nz=HJyrNq<{SO?VG`D!hM5q*OODUnzuSu~-6+E3&ZXL3 zeMNBg@hgLOeDXp4_p`b2l7I{vD?@#(ttr!DVxe;Uk!_Pz|N92FB6h(FpmVY-*|SmJ zV>v20A~3zB(n+WHrLOzui7#y@nN?Y8%Gx3~{E7b5o4PY1e2os%ww^t&VeI5tildgA z_y!$7X;d@b>^%{A2&tFw2$Escff8Kk;;Ql9ahcMpUdW$8qd?~f910X zEJEs%PxrF)WftXYS%0#<^=VRXZ++|E#6el{L~^t*&DR5SOkac zy^Znb`9>v5B)WVrOE%%o!c#DMr2HODMX%lMGM54RpI(J9PvfOYBe2IqxNVYxtd6?5 zfhRpDLH37&0?%TdTMUYH9Kl1T>Fmi@97B+WjMs4XEG%4XTrf9S^D|h>Dvum%dlB9_YP?dDc}^SGp?=xA9I<8nev&$wMmwM z-v;XF@|uh(ysmRew;BX^$I`{BwhrBKXJ5t5u}7GX)9WMCEn|7YBE^SG{mFqJCelw2 z!p>RHB&?bu`xfdMcPF5=J9IzTcYDmbG8v{b2f14YNb$jk6fM(d(qoG|re%}TUF+&1 z>;c`1Gd+h&Oz#~(;i*o zgl_=;ue>B5OWfew4vIU!@Ae-M__r@p!v85l>C*D^Zl#O+r;R2Fg|JI|KxJ2)c|8|V zQz~k`h;WUxmY^dfIch)i*-jAM?Hr7bDY$myZj(-lnIWHUX+nWvh)HYk4a;fhzW$g- z#>e}0xxP=9e}iYrOQ2ymjKhrZD1*an<_ep|%+&zysNMJ&xX;aoBo_@Zc2*^z!`GIX zPzG`Z_8nM%srNOx{0YjORJS>u8XPFC!ws8#5FoISa}P0bNGG><&}NXoc3s2repnbb zAD5?mB+ZP~Bvy{U6PVge5mwW(aD>k_%~*Hqvr%sv)gx3dH`n`GVBJn(VZA|VV3#%& zS22&CoYkAs;%(M=(n2|WNkXkqQ|7BGKqc{pC>NlS(Nck@i{+97=d|Q3Y(sRw=-vR)#QM2R#)T+?n z*=9t&EMQZBl?c?(y*^&Aj81fJSH=h?lH+XxEhL5`dLGr)JMEUDdrQgIrK2WD&C~Bi z08Kinv}HASD9B-Sp?a-|=UWj(ip5y&WG`aUZb=_I7bcgHgYFP0O8|P=^mHeb-&M%J zN4t$KVCN&$$B$V&Uw6f++VbQT0HC-oTH2u|HJ@pGJZ@DMQN4dk=)6EJV+{<{$Ti*F zbeTe~yG#r%CRIjNZ>?$6gf?ioow?7co|Bx`KhT0pz_1%8z=qDTVLgZw+OsoU^vrWN zgAN!TSZJ)J-TW|w-gwV05q8v|?IG{?1x2aO= zcldh)5WR=kwqNfqJY;c(ask?+chJYqzCuB!%fEO%SypmqU?j%vsOiBVx18i6#ezU^ zOLHA_Jq?Rp#&z|>!e_9fb`EK}IrZF_k^^F5D~D&Kjyqb?T?>Z})0g*^r(U!{%p7=w zYiQI+R|W|Mz0*Rnl@P=pqlMdy+5Lq(9S;w8wVOJ2&3JW@sJB9yN>6#r=61PmVQPu0nN zftM_Qy?3MnE0OEM(<}PF0qlwSFVzcrS2i4Hi4p=x^HOV7l_5-0EjAS^NAB|#K=Tfn z>_M;dm=hU;=-SAOW}DGk+~^c^6MB4l%4R9#W}jDO7C z5p6VXQ|u%JtLR>+{#LXh<31*;YimyHQk$LB_CddLT(cUH50b>~757ly-dsxdDm+|_ zAED88eCBaHeJ0wX!dKyYG8ZcQRfnai&WBWD; zFsTc*))Fwj_FGw4$<6NJJ5g`dIJQ#2>eVS@Lu6_3ZHZEq2$TH*thmvZMDt9Sj@ol; z?h~KT^&q-EiiPX70d}$o@%fR$VjZ%=LgV0G&{nuXshjMmVTZKCycYi^SG^i+FN%x_ zU9aVKT|?HwI9J?a5-IsCZMBNnfY*Td%g{sZgcj}g(3+dm7hn>0Bp$%pa~ZKGb&KzA zf7|)$v}*(#uK$qlYiFa9d_d%IsL%xN$y3^GSI@;wsX}K{G^A(3$1P-vnrYc;0DH`^ zKuEY4Fw}s+LRv%D)6c%n&Hbv};{pB&oJ#~{;rrJ`_|pRY4T*s|KP3Pz#q&Vje>Y?V zD0K+zTR3RloE=R+^JLX5zWCmrK>CcieOTKAdW;?4wA!C^E_LXZOxM1@f#cWL(5wQe z+KmRV)LIeSDQULb_y)x$U28c8(PMrLdC7apo=0D;r|fi(0i@9LinT7<_EYxisoozI zYE6py0o|W)s^mj`)9;r9#(6rYL`-MyTezyroEGpE$d7*!*q=iqY70e1Udd^G@i-Zx z4YI6vPQ-|n3e+;1kxhA(Mc_r>z0;XjSq$K@=1y*9KM?&@_OoQ0R~k~ppN+wHmh1{gVm@P7_bSL2 zo(7T1&8A22)dcqqn5xG0?3RC*?0cWH%kN5|z|e<}{NcI%E}O(KI!N?MM@s<}YNrvd z;?VvoZdx_)H6^i^w@MI;-IhY6uBA~Dcgv1#}5(zSB8ocWevpediV%eq7vWVtk7 z#+^tIt>u|6IRW$#mWIilHf=b~PS|(w#gkvhvz>Gr0k~=F`eZ|s`(q;pp4-M!E54BR zI<@1h3XU+@;SH~!Y?WU?TIUpa%vzWPmY{NJ>bRqONO-T_#$(M|pcKX4q#zOtF< zGF{A9HZ?^9q@FzXlJ~izd*sd) zWU@%qw`t9xfKM-%WV&-53wfVPdV7n+kIY{3)$!(JSnIg5t2d#IxkSmz6S`v-%*QSR z1$IOklcp+hS08nX~EYDx`06BVJM@yjKGG8u62ddEBq;${Yl$aN7;Hw zo5EQA;o?@;SECf{q3b;RB2FOaN)r~hdlI@_iYJZXh z@Gea@eRwZ;*_4R+llaq;{^(Lv0K}JxR#Fk_`BP}Yu7Iufhr^UAED#h_ZM5X>*wh3T z1+cQkUk6v-boPlw5{DFB=#xIxL%mi3i!>UlkEDEVQl+M7N4@h^ zx?M`+pXiAHK?u5H?i8@{Lpvq>;!lcMd-FUTD!rAEq98bf~ zFvtwt-Xk8SkgN^RRhu7jOV4K^l@Yk6XD};bOl4R0yOHj*=;zZouf_6TBW~jSfiys> zGF91)jlTu>f10J=vQU+OZE?t3!H5@Ty}#}PPxM^9u|hNks*;?D(lYp4lu3E_ujrY{ zvlq{~!7i~?0S%PUb;~xQQL-MJhNcP5kK<_ZHht$p?P}F9p6+01zEefENBBE2_dPRR ztG3#~;@e`Vw?3GvB7KCthSH=z1&7r_ZN53+z?n+=eV#Ktcf$=lPtAc@1n4)pGSo~w zj*f5m1^}1)!t?Ck9%qWlxyvnASF=Zq&x~U&SJESbxGDl0$U7G#i99+DJ2-(stB3VU z&q>#2`1;Z`t~G~GWd$Dgg@e)FOBv^8PG@B$;v$RvyxuLN0I>|*x5sE!t~5QAGRP`K zB#iI*cYa6I9hf<6F_(rfd-Z}-XcOKw9hzHPUtBaPtzt$pM`IkvSY;)8WuHLsTBO;x zqO|yY%Nbv5!a}Gtf7~GgJCfWuH9(}H=A~Y z?X`cXwqpC~v~|_B%#i$?^NUmf&Z75=vsCD#{}(40qV((JfF|0Ljp-F~kJS}ZE6k7< z@`IFPf$s5ME~u{ZIO#ZV*N*#T-aD86+gZA`6aonEG7J$PY;*MLUpZ8EfGk+NykQ{l80uy zE)-e&3Si*zt?rUaEG3pXZU2~L{kgEL_{aDUi;#B?UY$X<>#KHzMgpud9ok94FvLmI*aqbelG_icmBh44(9iy9#@W}y*APr+tr`slO^t`^f0Ey z1b#3$+~$yz+Eyc$}Enwf1dpE4lBc{v0BBrr5(X{`A z>+_eYz3};!odY_g75uIhs)|mx`&~OMB)V^aw>hUSiwqH4HzO|9txNL68OFno?7+H! zyDZ8CIi7*DjLMuXo1S~afqmNeQ*3Y+^Dyb17=63Z=F&rxc$$&>aDnu;M)Rj1XSuip zst!J_7mmPI=*C2Wo%R5Q^1LOi6!VfP=o>ITz0i8q!@#OgY5f@jr$z758PlNU{h~ht zXrgbS&mGMd(-&|m`Sb1#Uc)* zfexBh3}RuIJFTPYQ?)C22Ilh$Rt_VbA>%T-o2lNBAxGb)4z$9l^V;8~IaAplx|?-c zF4x(T?=8W<@TO;PTLWf)zEaGtP^q`LhU*Hkc}~I8*#bK2&}Mt(UgB%k@})bCGz_>M zRm-_fVqR+lJ9BD~P{D}gg_nnsV6;h|gpMz8cEG&5+j8z*ZJ|PGP6MC7&iz{S#eULq z*rK6}4Y*(!a^K5w@Ae7Y8~uyobmf=PyJr|QL;u$a{r891t4NUfx#ttNV%^2}f06Gg zLK5B)9$Eu!$iKR9)SOkk z$Hq(N{lt^J#E6rRhK+usr-aN#z=+%LiO@y!(j{h3ZW%+vYRhlM-q78yGSLoRJ}U1` zWHk5@_1^rIdK=*XLe@`v+5WSKSX?zD-GoeP_7S*aq9*G!;Gp%*nQ3w{6e}gzJh)w| zl(qcl8$G>9kZ@dF3BR#CQt+N6181Z zbOTxSP4LANX)hai?dxCFsmm@&}t7V!ts?pAtqeU6dpA=9Fk*71cpt|{2?WbI^n^nh2 z>s9C^QKKdzxg2L%U7HHybzScDYG4I;TWQCoB~-W6#?!sy#c^9}U@mcq5TpgQR@`IK z!FNoHhAu1&rzr)csXG2?%+0O>HI}L#nHF1EJ;i%q?UcW)XBzH7k2H==T*cp2sbu+0 z7)j~Y$1kl9**!-49>d9?Mqe}3VZi)2ZT4;r8wB#s=iwkStiRD$O@2@E5c3LuWzvOR zn^hndfaHqIri(AE^=a}w)^obxa?_9BI+P|{c5}(W4IKZOkMDfzlsxDOjv(0nQSx~I zNRK-qsLuK#?`KlJqB`O}|qxLtv_st$m*zp zvzq|guFV*5Y+6zEgibkPF6$VvF}EeKnU~z`Q>mjL9DxpAxNW%pAQCP!7quw64Y3VB zFKJtsjgEz)JtL78Lpf$rh27lAFbf9j=i>IIo7Q5ZIbOOMc^xVOwMHX)Et zEMY@L0lfiw;tCiHaVit70Onfz`|MlQ2yZ@dDaZ}^WX~A3EH3$gJZezw%l=~ zZc0AJ>&Px1rTqK_@)#E+kcW}Z2QrS?UP6Yc7D(t^u%c+qIE(JvW9JGP2RGjEHTw&FxBZ4&s%CGQCaI(Qx>BQL@)hkw2xCJT z+uLLnt2#y=0+mn{YC&?AQsZztO2(-)9Y4tj@F553z0aD-R4qaboBl`PzSaS;0vNcn zAqZ+_cHNr6c1vxJRhT9lR&JJdM3()~e)cDj8lT@iPJhA!O?QHPf5*3h%Ryj*WFi~N z31Gi@XVB8kYAZUGH|jhxP+YTaKch6~0w{WkI}6ur+;EwV^a1Rsf(e36NkC<*=W3(E zS-|UIHLhAsy<;(;EiJW{9s&zz7JG&H^-I>M zL1G_C01EZZrg|3Wl-4!JcUkeAQd-m}Tdkz2L*K8fi+y}4IZCB|xLf0xu^kDvbEMjJ zod*f%CxInm=K5=ZIBAOK=j7^N)7lPtzxcg=_&fV6`KQkNJkcEe*cW6m&I z$Noy?W|EY(-wnqLLy^c~ZPhvKsSM(tKk5u&EB`iLID?B0}|T9)UZ?ett0HT&h0%_ zjt3vr->ZJ*b67^Q9Bm;U?^fQq;vA@utf#3`Q*PliFH|BP-c<4wFV#(lA5V#eLOj?B za=}O3-?O)m@a7SvBR+ZJj-_mvI{5TprC(<|6;W+wuzjN#wqTlfkmJ0R^Cf*qTBuM1 zW+eg&%5MIAphG3w{|pZiLbYYHFZzqi<1Y{3vw|SU|7>3eZs7x6OOZ~H^F$1Ts8tN# z%6z2)>FOKd9_igkWZmDTMI{gPGK~pLHuY4h^{H{xt3Pj61U(-2&-E1vIgARZ7eIfoB9Cl%`SV%wR8!_z@`>A5oR^!Q zrG;fT|A(Qpy!JKs;H34;&v=^$zK_yE`I`rs=Q(u6ZtvvzcX&#G7v88rjXtR~FtSg* zw9$?Ex|4;kwURX9UmxWYA#iV``2GR`xuWD=2J0Pu_paNbHGxVhjH7+}6X%w3TAK@4@g_ z2iSJ1@_Iq={~Yo@$t7wsZ5vok41xa1dk{3Ic)Jm%DmLlJcwed)VF;^ddaq6(p*nH% zK*fLWLtl9^d%yBU@ResgUUuQXrbu$gy${*3G&nR)f2k;mD}f!MI07>yT6QuxW%Kt| zgG@QAUV5&@4xlQ5O$h%wL~`qSL#${HFhsIZ{C_n>GV#vOuH|jk zpO|Ow&4BDiiYQSNoC{em^gqXw01b*9pnrF`h+%2|Fr0N?lvt(SJAW~yxpD1zqN`?! zg!vQS;>UcY2g^G)KK#G2L1{nW0jvxbF}pqsg!4hKI1|C{?XkD!|e z?YPeB0i_8RWK(pt3woiu6&OhurkeiY*F?G&e{OarNq*~Vx{HoJtPw&zi{=vD)UPS5 z9C~9~qv1hwT275s@rq*4C7#Z5$l>MTI)hlFm$Je>>K;D|{4Qjv1zY5t@9XNT(GJ?N zOp;g+mj(JzP74(xYX$G%A_WeCjEMhLR|#og#Fd55Ipi=fa{NoT_n#W^PyHFVdk#4z zo-PpEKQ-!!Btg+tSFrmq7=1TrNiml=G@QtCZ$|L<@T*y_dXSMCjx#jAnM_Lj@xfhC zP%oS|V{Fj{Z$Q$EicfFWTA6)-yF~ni z8_?F|Y2*Xx2uZ{HNb=^s_W^Bb6gn$I=QOfI%bEm)Xjj5Jc7ArR5aO|h9^Aw9+epJa zk!7xk^YK^QLW8EN{;$3Ed6m2AHPcaySjz)}pDTd(@;*;=I;N0e`vM z)H4#<14+lVujI_qi@?9#c{ZDqfKK?wP@qe9TSAHDd(nRF5A6oOD;IsR;$moSzI;C{ zh4A&>vSY;jQjU?@0{1s&cHFBlTqFpxpr8(hAeX5XBmjJOSA^ti92z&qNa%Q$khQeW zOzk22$umW@tijNdre+%~h!*%gCr}IAGb)&DTC`A4#KQ1=> z?vp~3uDJD$+k^*7m!$3dn(T~3-UgNfGfQ50HHH$OMwF`rFTiEo7n{|M^27lH{p>j@ zz!#KF6N2tgMMz+(bp>eL7oNe^kX&ojQX|3wGSJ!i-Mzj-kT2AnFYlR~`3-bKSgzw* z&KE7|mJk|zF-;Uv(CZohcfBSVrWePEoOe1#-i567S%x0ClgDWB?nQD8hV0n1hlO0o zN#0d&&=j$Kf_~`FwEw$U}_*~wbiVCsIs4lbCX@LD>DKdE(5gL%26p$ zyqr<5l6%iwsh5oKshag#C`DQFP4RtW`nO>VI|KjU zhAreXlW%g#>>jY~L?;dhkfn(P+{==-*cD&C*?wP-V(A`20(tO*zX##w`0>Q7?|z+b zZ;$r|`hVvRn(wu=l>Ql;##|#BWV$c)LxT*VLMG==%pYFf0ttxQlgBP%+7~e;khF z-q(W7-o6ao^B>NL4-jxb{RkDRDM4B4&kr_c;tp=fK^0HwdA=E$>o?WW)<2ZEk&D2j zH6}ShR9Ns0Jh*>OF8<%TCQU@*`>mPrHsAH7*I8>H9$iX)#K>6=bjA-hsC;@P;9(a< z7X(q{A-xV2S0-QSH4Nh`-1V%e-7(7529yLO6d5LAM5W-+j!2kKOWsZIHB^`NTtLwE zAHSg7J0RyMYgIdph3Nb5RfN*%FbL()ycg3f5i~M4{x>|odpB76t zz?d(ZcOEkNxcW2G{i8Q)t=BxMyi>zi?NrAjV^|fPA1%Y)4tTn;9hf);#6hRnK2J|i z!XkChIrcILn>+z~QMil!3J*S<+iISh9BTgwZvVts`~m)7w%WrMV*1-wZ=J0r62>Hg z+)7(lhl=J6ILGOTs-r*36Q!2*z7M&5g}~n~TU509olx^@B2IZ$M_7TX`a5}i@23jz z-rT~%g{i^HlGCMA=gqmk?Z?`cgi(`A)!+I$tDF{PEtMIoJ;6k4R`?j|k}!mbK(^0i z>7)0{OlkFQqC~aZw0rA1HHL1JI3=hE1&*Ef!7>_iF!8_WuwGTy{?5qVMYnGRn z*puy?Mz4tOhGn~B^5KcXZeoxvAlI`jBPFzmtbq*;QsKG~l#}JYzH`+4E%g*+{-lP} z1`mlu6Ojd5VzkayCvI&cF!{A{`n&+)TG5@HC27>qGaqEdUTzM*pNumB3;iArPbf4Y z@5X_{Ltn|UiDNdjCCp)^HJGH{PjDawbmHd3`zLlYd#p4Y zIsSk95wyE9UpXIeJi2J|`NE>lBv`Si)*j4fXQ-e zPaYo>Kitgj;CF^3j>B$SpnMgB579*(^;S^NLXLUs9u?A)f>&S};liZYYFHk{Y*$!! z@eJrJa^DiNj(A`yEu0QslWWvEgC#RmbJw%_5`PR*u{XmqCyBUU5{D5jR}(l`Uc4?z zKh@d6ER^iz-g zMq}1(?=piSKfHrYIG79717$?UcH@HRhg*B%lEO!IP~{xLl5;WRo+lUy4%tT@1|yB1 znQ%kCQgo$Jl@epb?%F2&8OuS;URHUR7MYiqDV(f%ow37BJ;=hQL&N1DQga8Y5g6Ut zNpAo;Y$&t_+>0z+9F9I(7E@+NZ&ZYDdPkR(;V$SlszCa8^n*#D+LI)abj z0qcMJ;bQmpjFzU58=AQN`x$3h@9@i2twZg!Lxq{7N50E!MQ(Z4j_FHR7=$mfxCf5; zReWE^JTVkwk;U@efD1U=3rYP5AQdWuEpA;q_!M@^ZPH^ZM`yPRoX^R)9$lU-FZQ$; zpnuP8z8a_Ne&|Il>yHT$36-(j4BP}(W4nkK2-G#kg!vS{+)NtnuyeyWjb3EGXH=m_ z+)5|V#ayVSOBH|AZ9Y$njsV`c&Pvts+IshqPBJ5r9g*`$=WtzS68D&!z)q>embs<5 z7F6oC(VO5e6pG{C6-=ja8D_+$0HiMYW9R^YBI}Bph{PAem?&s77mR=%6c9N*m z<5*E^i&!D3POJpfJyr~SJ zi7Qd{eJnT9BMxtkqp0FZBCJz%ys(s3C9xW`)@96xeH1?+BfDxY$%?2}J77IX8CZ-< zx?@?6#cdorJR@dm9CI2?^gb2nR?mYujp}-sIyRMx1aC{9I0cNdu>o4-gN(+c=#d+S z6}WUMtzV${?jbPT!1^uZ>$utvWj)<#>0#5&u_O6=p=7=yqC0}*o)eHPS(cRdT}Mqt zCO;dkn2o3{b&|zbsT#+G2aPug-$^%7%<-6;*GZ*`j()*Iy!ZF5W4*Gr0gmg{D>Iq& zD{?;ZD>6LEEEkn zQXVEFU&J24+Nl2!(!T*zgm>M>ss7HJgKPG!zeOH%i@@UIR3U~RSP*x5GrnV)+6V=o z2coKNk-X)A!k#N$UxtcH)dMQJjKgTQ^KM}8%)nm@`-vF!P-F7cZ8C<^h2>=6D5Jqa=b2o3)8+`ko0UKeujK9aO!&~~!suJ49 zjSOIbaaM6a7w`wSsriK^-)STGE0Io#5)7v;!Vuw5#%nvNjW+4=qK?5>y|sLBbaldV zUOI*KNaw2 zRg(5to?P&iC;I27j`>lF=+Et|V;N2dS9Okj$xYoqtVLKH#}^FTd);WD?`(Op9$ge2 zfD$Eh$6mD~^~f&4w2pT8CX0G@wOZ9)car9|!#)@l(9}$v99vHk-)mag%uAM#A$B*a zD#J)b9Eq}=LTCa*wK`{JezcCAm|51BL|+W9=&TP`dvs91#r>da7H(qWxivB}v8GSe zBUsAsQR-~XzZ)A--B4i`DqQ9P9WVZF!bOO&E+2TQsn5UZ!y*?+Bmup&KAOl?3%tg) z;JS^2jJEG%f@Kz6V@0sW%)4Gw33n|QgS{tQPW<9rFk^AH?y+(%YOykwf^LNN!rBu$n>z5PU*>styY8A>qRR@!+*P-?AICR#*a;3ZC(y6zU3_xOpy@{SMX!@` zSK=HmTPQSddXXKh+ge@IeISSu<`^u#5-KBV`Ang{ReD&I&_nJ=pVhp)Efm}GY2cv@ z{T6BN83l|E{)ou8?kCZj4LB|@o5cQJTUVZ{i*)`*7@M@Ft%7w+dWG$MrvCxh)~QgF zH7Zl5<`9xU1(f*9Nl0^VK|1v&zY%7zy!>FAydgLg#%^$5B{}@G(|>o%M%+)_uV!A5 zRzjO&xTH1!YAHsBfv)E*v5D2JQ4A9atzxXvD}cqY8Z3LM@BBX5E-xP*x=U`!=@ z&X&@nAO1_V{{4r#mjuqyo1e-gUx@zpt;q2`ZhDU$J9x?*^h>&4;(L&M{lPSa5gD~5 z{f9x}0o{3Kxud{|ITe2F@~bju+;|IzJ=CsRIVT4{2adfQs4mn(VT-Y${vR%@&tEV1Bcv!^rAu7J-s2jCi zTw^Lkk30RQUz6iO zz20zXw>|RS0qGVu&)0v&s6X5gE=upo8Nd;35_b7RTic$zp11gu_PyHCEMF3@qZD!@y3x%={8Ri>_0zTHe5_T+vTxApB+X;EjQ za4~O=`c%+wi2nC`Bu_N)v2J5ae}_b!TJKu_cixa zGrDwBf7zQJDKSI)JqM!@UzUqZvvG7sF=NsPPp21wXJ$KFgKH~vWhCt>5$XWuWBrBg zt{v9~D}bs@i$k4fZvfd%9Tt;0jN!usxXZ|s4JCfQ>9=k4FdHv9rWHJsA?>;8nxeuyzS?Fggd`fYWS5$DiPGVBcB&AL&eAZ zdQUSq(#~qiu8|CJRZ$x!AKe+dw7VD_Vb-AV$0hpL`}KO30yQ+vsV<#X@$9$Uo*3XG z@iw3URU2GYv9}U+fFLIbTE((SnS*#9$ zK+qnAM#TTius}<&*t_b3(V?WQ|ww% z&->~QZ^AXOjRRUYQg?b)eN|)K##4CGFC^X~NyNBzj7Z$$b9L>woJ!uG2==c(3%(*+ zYv26DO*}Ut{M#epx`;RRT#Kc~Nv|5+FF71M5es9FTe|KZu*_oLqUJ>@c@&^MpwZMR zA5(Y(B1bJsAk*mTIIqwP8kbNlbH1xk~^ zdB~-$a<%3w!ynG_Rx8KT%nf4SA229#o!wY&%91P+HZPHrqfpDe^B)fqUq$>UE2BC z1sL`J1gQV~^1?3xr?UJZUBPXl!KvgqbpGdIL#hiW5BAuRjY(f}Ht10?>k6}m;CtkS zpf!la95TFBmM4DmdkRH08hb5o{HTd%P=pMYbn#3SepI^I?(mVg(hb8o#n_YzDvw46 z5183KnPO8Lu0zzn(Uz^Pw7PSq&3-3Z-NcA@@9y zFC2($$qRL5*yz;MoRsK|0D<@NWPC(A>!&is9Ena_EVE>nILTlMH|*r97`i{`%Pxm- za32P5=Pk06GMpalFt;gKUYvptywg%veDL}mfparps1-({c)q=QY0{POsuc^~Kbi&~ zSsWhJo`Jreow$_A0*g^Pd^Wt2H$;l7oJ+x?)?<3GL-h0@_W~4&I}%&MbnaKRPPWf6 zAOCnTH-&uzh4xP!jn%pQtRY52Y!9t(0ciAZ;oR?U3V3Q%NHKrj`T*tEU+^~HyH{eI zdjB8p-aH)Y_5UAlSEm?qifmIU>L`?uZ6+z|6e>r^PK+8%k!6gbQX$K9QVqruin8y* zj3N6vgqgALOS4#K24jZrOTEwOeBbZ)r|)(BmOp;K>+;7mT)DjFzMuEw`B;*l^ z^=MM;dS*O$YO+<``9W<5MM6Z9*D(s35j^ zaj)an$E9&u7x#=N#ONB`{nnVRWMXn)N9wdwR#GGj%zayS-94xwWfOVe`cSr|WjW^y z_w?5Nn?9d2FdE(FD9FxIf-}8JO=bAE%Hc5DFf2<=K=Xnv55H9<2)vEi!u_NcNW`FK z@1R+k9i*JGIqrjWPny)m`aSr_dj5SQt%y$Vq}{~wX&E*p@@Iz7tf<5pt5ieWO_|jX z!LLzkJp)KEkMr5DIFZK?o8W_amn@3>ywb{7t!Mv8;9ameN<^2IRY>^QqkkF1YZMgE zio<`lcCYT;Qa)Nfe)+K)WzP>(e%au!_HGVn@7_;qIiwnd1RSafIKny8eQ0{F19LzZ zquiHSFH^3@W_16FE4zdfBLrk&0;ugMA=Yy*7guFHyp;EAF`eWrUeFUf^&dl5noPT2bb&7#08kT7&2MJdpZdJQPyINS{v9M7+$OgR_ynyNj_Bgx z&;BkJmG5MgzdZD@C!95|Od*CmYFFt}%StLKNoPAo2;s`}6q1x__e#+kwbx3mr)X10Om%_1I!3k6FQFb3 zY!T>Oi|=(wO?jqT8XV!n?D_EZKx2e$hOClCmT~5qCtcIHGD8>uo-SLoRX6s#b10l3M^!4-a>GzW?V=7uix| z_Rx%CZEmox;Ntc!B`u_ge~~5HfdgPX;R2QEc_Rmex)|up&I~OTb2qZ!1WQ>kat{fygru8Y99m)>KWR@QehE+!jBMdnJ@WhxmLr&cN(3$4h-(h>{ zw9TPlF;!dCIi*lRoz*oxIzk3|PBAlEQR@(Be!8znqkS_8bcL8s19H>g&y3QRDS?Je zqre3VqICwH1VaO2Ve!fbjE%MBkOWnHFid{T>;Czm{_S<+c{^AjR(pRo4_sN|I+B=l`0siu`lzz&qsc<$tI#=J z&Vap(ONja;!0v?6&2=0mmF}xW=cU3z29G=otb$XfyC_aMK6g#5`^qmso}7KM_S@>8 zR=BN+H(~29Rr?lST+xBMjwjWJ#*z(S%(DJ;+pt^97T|JChlY>CowH$rge7~!b<;q8 zI;}>SbJYbr`wa_V-6i7huovCR&5H>4mmY#zBRPyvC+fn%p5{1 zsn>T@D&e&_dGKQSN{?p%y+EC4T%M6`RG%3i2mBISx0Vo) zQ}#z1ad~B;T~Daj82}7wUGgkzv;8NdiH3>d|5*TjyknOyOzjyuig`+Z-VJXq;|{n3 zpZ50-!_GlC+Irm(S%udS9XnlGdvlww))<##;TN>GvkQz9eflW=?&Oo3Kw(W1g+ZTD_w z!ri5Md71MQ{+S}ow(&V$uTC&zy8gs|8PCTOJ6+F3hsEd}W^TtH^M-Cam#^Qxb&oDW zh_z>%7E+x2?oq3IYZ=4!{O2K1`&oJc#n}p__<&rCEn3MWxuQKrg0lC)l^q>@K@SF_ zilD-oA`3B52W)+#9QCEc)DeUJ?##zoe^DR|CBy7be#jA}-#h6UP6konb=K5G)~qiA z=GPP@V>aWB)ry={lN&gSwYg~&*iA2|21Ca;PaFc_XVn&6d-0{K$&;0QPEV@wp1)V> ze|fRdHZV5Y2Fm}|Hpo8eeYo_*Z+57AM8V~&NHQ^`C*UyZJ>$@MOnluTzqDU@?R_aV z68GgI0lGi4F)vTZ0k|=I7(>XiEg>W*xlIf6L_A|io}NnNJ)V97j;t(20z_fK0eq4i zOSOuMy7i0Nws<6qxyO-TTjLlZ-*%;ftFz@aphvq15h)wD3H@C=|7 z6E@(ZVt{k$LV8B?sH~7e zT0FNu%a!RoT?WA7358~R0VXBAKuXVTzAIt2cY4rW+B0uDvl?W5Lf8Ki^7J+fmLXgRP0+intE$(^(7<4vYE*t<=;7{Jn1#Iu?_Dl2xEAcM>j*^?esPsLuR zV61M~+*?pV1;EMKCrN=F2cDXBwM9b+_?d1c11>(OE5pw$;#q+Hf z-aW=O{{vbak!{C6_O>RJwc4HO?lG(FSBvPmSDbag)N_%;nv&KQf-wS&+R83BX$dFvQ4;xYT{LmHh;b!+{%_$HR?fiWh%s_rffhCO2CFqR?>%wHIN&@9(V5yh@k%W5`pp~*lSvZJ ztj(|cN|{_)f?k2|faK840MEe{wt5_)Nx{bZuEyL$K8n1~`;2Xphq6oE*Xs(}jxA2M zF?+aTSZk!A25l~g+ualVH&Xl07XWtq20$J>^c?xI{G*R-ifKU&d4q&`I;mj;bx8aR!dVyQK2(CPhkY) zp0Tnf9pe({E=mLFMdcw(3DKK&!xc5H0nI}5=Qb4I?Lk4}q|trJSKY}mvn zBC_VD8391U&FlQ-v%fl)i;n%kgk* z+zlb%7|miZ+#D6r$tzs^f7IqMnK%_E`$Ko&*6kcahUWHS&!69Q1SCL7nRiL zke$&`MD{;uov3H$nEc}=X+}B~Hp`zieYYg&=yA?gJx(~hA*&b%R%3M6qX<_R5!GNF z@6{+OE={q7c0GTG2Fo$x6U-3p;oxbFwVXJQkfx7qAPk?3`s@T%Q$DFb>hka5iUkN=WYHVShEkCuNgkJ?)hY4Lxw*4f<;Vgf^!l51_Y02Z99ySzY#ZSep}fM=7*cL!oV8 z(&q$o*95HZHl2X13LOD2=K5Xq{L%@p9xW}%o>6TRYi|eiQru=+c4i|SJ$XMAD`oal zqW|+DF@cM{TRYEAJ}Q!&dLMG%?F8)hrZA~albeup;5k};r=z^kDH|y1 z@}AKc*VuwcPn0F}aKaRN#gchTNa*lyS z49U44oAoCNG%p1#r=0ejY+0zIBwSB59_mG`JbyjGob?MVZM<&q#sE5c=>7V~XxkO8 zdNZYBp1JU;9+J;JQL6jMtb$`W@j2|xo2?)!5x?N1^y!gxZ7Nry-;1vHYU@&;f$0YI z`9FR|7k*#U`yVLE{NR709#%FexF}_tS*v(hbA!ZLdwUdaZ?z;wR2+3{$s*FzXFTlF zz|T`PJ%Ibw3~tmj4jNbn5!9Sl(^=OIPLjtjMt@yR{`!a;qUIRAk23jI5eCzb`v}Lw z7O&Qg8lUvMSNtdxD~>o1GL#|j6mwBZ108Ia&5AGBxy!a(qGL>86J(P!!!5J4qbUCP z$uo3KTuD~X)O60^&O@1-57AR_$Wgcj3 zmZ_oy93us{aqIpJ_S@-A@41pX;5TVU(rD?N%%TliG-l=G#lc$6cj)d!ic3B32s{9? zHXJz0w`*7Vlnb+;y-3e5_)}E+phzq^v$M`J(SOn|LT277AiBn(+5pO_IXyO8`r#`G z#}3Vdz=4x+QWZOOSRijFgnWCpcQLs-(Q~Xhb_c!|P-+;O1{+ZN(#DCG@5kik-)$|+ zCk-y@6KZ3N;LVqn&Jw!Jj4)h@Uek=5SW3l6*2Hs#90^sK2}Vyr(`Axo(h10DZk9jf zhAnipmdmvme>KH-)R>%>Ey*vzO(>XQS3F@@q^ENc?Po{ddAl2XH+nH|L&3Z#j^@fuxbCi2svhYaYLM0VbN#S7>R z*_~@16GWwuKT`j4H_js%!AY( z+gR7^2rsM+(ya$E@>miNA#2S)(Mos_9M1U_uL>u>F%IM`PSA&VMm>e0P=(;9L*N%~@`c%O4N!!*DLJuzkBKX$$&%O?_wb)<&z>FK+;ND}*SxbTwP64LwaL$s zSx}{wUJw8PgH-QNQuJ-uaRTL1LqTt& zTM>%<=)6NzVP^@}2U1G@eoFnd1nYko5S|0wcbWIam|K#4&Lj!GY9Zc;Q=67(q2}6e zz5$+X{Ar#|6=C}ahns*A&`MZq?~4>G^}sc}$Mhiq>~_@9-0M6^cmidu)3W)ZnC+Jd z-!)I;6Y7M<>*@_@4g*}l0nufSZQ;59Lq+cbNIPJtQ#DaYM$YG89rQ(RU(ORKoCP=)9Ms9BOlMM8$Hc7IM9q*7-pW ze!Lyn_T4I?^q3xcy~LqG-n6!4K!4|IQQox3gE|!zZta?iKYMnmv;(zw&-qWANo0;Y8R2~4hP03YeXMd+k^z+zJ`|= zc`-f43Dl5=QF3x7q{V$BDcG}7vA+~v*-rrJSWi$ z_&c!t;?7~tM9vyQV=5();f?|x>+7kw<-&XtL~BskU~zz0F%>i+4_&>8rIXfK*%P7l z>#g3$ZLB4?i77^70fq{DBm6%X@!#)6g;r)SD({1Fel0gLgswUN(eb2-f5hVxzBr#36yxu@SyCkmH;# z7ZP0Yt~nSA_tSTV+mA)IOouzVFS039;mZe^NNbR#_nevNj2-pn%%qFbw0%tJt7IiV zUS8h*Xw=&jgRY`HYLBHTlv1~MDmY0=^IfZ<)vA5&lAe4v^rjX!K$lV%YiUcvVa!Q- z=nF(O0m%5N{ZNJ{{j9d2?{LVIO1oVQVC_D8maSlBRgl>dt5F~%^FX7_e=ZL5I)^`7 zqBRED%~3QCY!YoYjD&bRn7Uqw_vT2?a?i~+`qXz(r*!B~PP@et1qYN}_|GDo_|F6< zD$!!(rMA_+E)Wrw1d0rbW2t2Bc&A=Z99%X zBTqC9C>0&V)~8k6I)_=Pg61}zwS=OGBt^dI@@z`@cAzc5qhC&-pAQE{eV0O@*_g1g?ypDeI_%9-S|j2*v_Zb zRnV1&OpaeVi~xw);y2!2%cFXD<4UcxY+2y1+Il26qvDK3k+XGaF=RW2f_JBPf3Ylf zJq|v*nlfQIv=ZPmMxY^f`IJ?=H3xy0%?9YsB~R^p@+T&CuP=53EC#y3b+9Ed;(fdS zQg|BQIz}B6Fxc@FI*rtsN#?T3frAh;^Q+sB)9pWL{;TJ=l+ys+DMZukA0*Q*87=+>X?%6F;@nbrjqw-J}aWNP64u0Upz28-B_T%^D|0YcmU;PR(>BQ)gP zb^vQQwN?iAXxIEkE`;3gl7ChN`_McH+Jp>|tuy-qh&>nFA}?>X*)Fo{k?!6Nji1W! zw&rI!&LVm86>clMz`#=fh0a6;Jw0Br@(BS3(YCa<6>)3hvcXA8YFQDS@_Ity=BuGN zAKlWqZWJtOW7IeqPEq~6U0~JT!mfOnM@N0ch8=bi`wvKgx`S(dANN9 z)$^hbJ<9S9d%6XKfn7l8FuRf<5FtluxmtF5nN$tH`yjOgt-S&EE=8}mU=Q4T*zA`G zvxX`c(C8pfDsG3060z&^s<|7ml$&_QxWv%8x$tnC?bzJ(etD-h&A zo!d8^DkzYyPmZW!E)?ZS}1Xhkt zMw~EHvg}Z8Z;cy4Y)!G9Sy0G6k;v{80#?NaQIo*SalD!H!Yqe<`3UVY*yK+zAXj_{}Dp$eJk z+7p8&cX?~8OiOnZ-SSP}05JO<4l^L-7kOVn=MSnDi2&XC)a&hm!*~2G4V-_Pl86eb z%myHt$F;VT|2V`(MTgyx>>|%{H3TrNk}-%WbG}2bM}lz zi{Mxd!Ae_kD;6m!5cm?+B5L=2L-Yfx2pu$=O?m` z7v}FKy~NcVtF|MBUn9w#>k z(EgmijD5E%tJOB@_D{a}+q{EkU#^l~p?|DLz}R>BoA0r^GbbwuFuM1cs|a(S2|GVv ziO&CWEA|%_&;|$lRG+Fj#X1^X+E68tm&!L}Se7F{%)((hpwf9KOs;;&^&EtyG1NcL zF{Ppi2ww2Q9o=*u#08tvqdUc6=+-eSy?VL*5|*rczXmToY_WM#U0QDfCI61vJlb2Q z%6s$#rBxGGe{cZ%fB%!ZOP*Xxkbx0Kh)D@Kz;J`<5*! zMJaFRN|6N^Ot0RoRqEWG=j-A!9VhM9_VNCP!dm998*Al>j@^UX{}z&_gnS@ij| z3!z2n%MP6^hhuYSHX7yks_@e8gMID`;y;$vf7!@eM1cS7O2WCbp09s^g6OVocV|iS z`zrs3{%o)k8$d%6YUwPs+iK^dw%Q1{p9me?OwtoDz4y9s!|iIo6Z73AN@7H}qJp zigqWX43ezY9QU`HvEfDDQ<7Qn+#ARSIN7834itW5B1E_1=PsoKZse|1qN&qhoCWY5 zwrea(fOPi2Pac|_(4&C~z+$U+M*Sa1s`1Kqi|v-bEw*>WbN|0*vF*dkDcsCCnL&%z z@YHvUOj+`t1Gs{+eEaIUjd(!*+sL0g!74es816$y5$lC{KZKfdI~i@?6DR&+l)N$_ z?ladn8O_;Z&!3(0dp50?FYw#~y&j&ZqrZHr{ZMvj66RxT5Qy!TkkPEz=HIf6EALK` zm7nK!Ih8nL&WhIOt~Z~3P=ivVyT~Uz0##(P?bU3+&NWD1AO2tgr;lBJUFB)Lg4(P5 zo1f~%^lcqYGdjkw$bflMzc$#obZyc;Z}SXAAHyVwU&v*27lHSB!$&b76uNz-`k7Kr z&_z6!-BW@D%u(ENWpz!Y_*74qWui8@-bY`0r}f!j1ONm3kDKgavQ~})4u-gG-t|g` zzWbQzs_XOKe zH0xXSv45I$?mV{`cV0<^uh&NXYJA=RDgyU=9(`b^ikc%M?env@FmX(z|4vQbK9(C_ ztq$mQ)28%bXttWh|7H8EF?LKKL|={3LT#agc2zu-v#|vDZbLdshTmSG230wK(*L7z zfPX`dU8k59EU%(yPL;T#4O+=Ppr^Q?JQf7y6hky?@eHx9`nX>pTp!mtewGR$*M}J)2)l42?NkbC&zk^??cqk{$mQegh+v zgb9sfSg5Elypkbsx}>q<-TadEW?mcME3mxdX;&iW;~X)-?V7VXeM+ffr(c`8;>f|V zeL}y>2vxTX=kD1auZ(|KQ8y9>y3c%1IO}bXL@u7j)k`g-geq?VCjky1zn}1a@kZ-l z*&XmsjLv9j%*UKWt{YQB&k`Jn=5MZo6nxXDrrse_UjjWhAbDQ~c)DKvdw6{mECIk)1JD5y>dIdi%$A zep1J02^kiZIT+Kb0Xn_)N>w z6!71(#yiAx;3PXi&)kxY8Ii>K-j5_?V-Ogo-w&F7=4p=w`HeMPhB#_xl!jD4gI0Lb z&K9Z-qt6QZzPg`MnWdeIDKM6$7eZ9r{>r&|wR8_NvL1!>Yh(QM+w9&vlHmh%kWp zKDr~Y#;T2cc*lKG%Rzb7%ng;upIlE-+3T3l!Rv^yIH5hcP4$HofONw@AShW`)~Gw^ zn9aL4*}s*QzyCPz8JCPL;*|COh6%_TC{pp7E4YcvX&`;*i*D-H@QU1!H-NPBnF9w~-u?13c4gP^2Z0jb4pO81^<&Vzk4!TtuK)^o z_XY**Zc*Uvh7Rgsc}!^y7W3G8GqysSa}S|6y59|$0Ml@_ZFI{Eg@9lf@mI7#3lOGL zdP2q2B&2F?lZJ3l$xe$n>88jnGW?5so+Km{-w`AbOo0fIKT|LH zYXn3V6&c-eDDyxKl{lW@>v_Ofho74_C2*5i#+W!FbH}lzKqruN8|_i3IxuG7&c#Pt zR!s(8qTU|4$`8ofk>|KSDqKTX)J0LL)8>M-*hn&UPE6CAW1}CvOov6L(|ET6U4iT~ z0Zz!ZJ2{LmLyYK@=Id7?kC|C} zx~;5%0{g!vtgwg*K7>W)y7@$u59r`E$+^gkdVFr=npu1AB?Ds-_-Yv7Pf`yZJnR>m z+c)*j2F!WB)&0jxn7+3mgKSN0YO_s2Mv$e=8N-ZYWKZ&Noj{ z`FG>!!vCAbQRB+hYw_PHyp4slQ{`t_xbt?8zbzzIP;1fO3+dc&nC+S$a=iykKb^Ri zJoOqURrD^?mYAf??@>CoK>{wVEkaKkBfsPYK54pKDlaT9Au+lu1P}v9HE&|#Vr&je zwlG40M^+_s2k?SA7W}Y+ZUg_r2^#9?rpPw!o;U*1G3qLWX!7YE838Bnj=<0iT1ZmD zV`HL{8f!3Em2bvp1Kbm@r8@SO;~UOBN5e0ZbNAFjk=JxxV9q9qk;xbxiJ7?0qYgZuj z+*l^b26vxX+HN6cO9leS1wd*7RCY77Dm-FDryXfbUOSho-vBdm_8&2fJm7U=5RY6e zMS^^f0u<=xy}?Q_EIGuP$@gZK zDOMMLG-*C00RH2RjsG1tj<~xZvPD+rhRoXVD*HDcKujs+tWO0pnIMhjN)KjHGti7k zY7TVuepo8OtmA-8&)OZ5d|2pZfcw-*8f5rv1lI#xrj;Cu6B}%fqe9vp(?}tM$G1aS zoMUIn38bYRIi(7*QrAz0WmV=(k+%E>aR1J5+r`X}s7Amsi4@itka^i03 z#{ovtz+QCyb%P42`Zk)yG3M&OKhJ-1MatKAT`it{Nhe-@y@Z}lnZPdw+RE_f1YT?P z&yWWU!q)nRR*CL}q2#9%(KsoM>(GUMg?|CN;>&jISk;MFoi?Vx9&-5{^je1VcJ+;c zHfu8>ZRqO~U_LG35j~;T$=QH7(Zs%s&o zg?Z|4Vt6ey>ps}~iZa%x7k!I&JXB!prhTl* zPKrd3whu9+>fD;+AzGuI}6C>WT zeX5={cO*exWnlUHidZWTWKZsW$5Qr5gv|^RQ|_IOhs=gk@E1=j z=|9#poz@>u#eZsD7U%eHX$91Pn!*F&shX?l(S50>B-@Hr$F78@D3<#!aSr!5cGI$g z1PK+i)~7b{DpMm$xc_vLu83LiV?yuC5!ZkO6w@0+a$(Q+*dOZft(CF~_gDLp(NW`v2CtshFU`r+d{UBBNOj% zo79tqu}+EvM=p(?AX6e+wesugWBb9-jll>bwh`|k8yVL14~?R8x6WGxS8m$LI1a$@ z;q=QQKjTaf0W}8I$h*VG8;a`OUbH;wssolTRi)$3$r z4z%17NgG;Fe)EN3G~1I_k(p^(Qo*ZD93t@eQIT|3dH&{EL$+$*MwF-}P9r7GyXl^& zozI62X8qfK)QYLR1B){a2<)hxXs8XQq;=~M85iXnj(w)zLB=v_u~s)ZLxDpcQ7La; zJzYH^Uh8Sj&R$A1so+K+D3dE6C(yILdg$MK)%GG(^!A{(Y+i$?E^Nbx(U9oyWVBI> zP{1ZvbH`TOUTUB5lSCA%AU&OK2;AY0<6ptMzd6gBzJ7SWq{`>mievBs1YK0`g!jU< zfgq6AJ`}0C6}kY}T7U>LV2zrCkFjLIYLdTxM7V!9qQ(Trn74g(9ZZ+N-FvGWg49;l z&`|!IISAyo9U>@@TbbB8xnm25>&n4oq4nN?b{8(1irN9aeK)$ZCwBZ^YmD$%AHgTD z!sl~+Tus@OR8|fo0UJy0C@9{n1f-0Vft1lD;G+P>OyNB}e)L5D>Bt3`H1TgcZEXj> zZ)oz(#5-5d=zElt6w?_7~!h~WUd)$v3uCZy%!Ppo*@EOS0}bk1>oD~ zvgaQ38fY^f0pSE*hNO0qw~1RwV729-MF4lv_Vsa;;qlq!DV659o&v#E?W&z!M9cYg zck^2U(1W~-&CVKrPp35;j6r{L%NS2|9CD(7Q5NI?S^uvl`S&CJ-L~2ccsrcHsTo)X zE-M99b4EUlc$y@N`^SjT9aRK0+eQhjkLfdO%ZJ+%q@jz-@F{I(%!ict1Cj;63GJir zHeGjQzYGvuzJ{_}MBW26$UqMzFKz9v*KT_!Ak*s1jTQrM(*Z^fPj{>wI$&lRZxb@z zNC%0`Q^N})QS>AjbMOE`BQrE2Zdzn1p_9wat*^TpzGR1pFJpM*Cz^cA*@9M}_muSk z7+Gg*XABI0;;9=x`@xw1H&!ZdFV&>t$_%1%tO9`?P-y!6RNcR~ZMSitp@rZ4dz~YE zL0@e*cbDn1nNUv@DUq@=K;3}{gwHpNboxDz4r|zBcx{z^H@w&!XbDSQz8-brb0a2l zX~dz5-6+Ap<(#41q|94Isdz3Maoo%rZ5X5K>8!Chp~SdxvL7~k+D&2|?@j0mG*%EJ z`zz4s{78+vmt(ZBfzIVgnKp#fOiN;t%86Tr#+049)gw+=+v`HwcIz|y9`~*KluDP5 z31%34HxuQ`i@M;b8@OU2UrgI41B!5|SjGCR6Wwg)tCony8Z)Orvpp+|Z1y@YXQCd; zznDf}S1Fx}u6=T_a>z8*DBjPX(DKx4Zksmh*)+}}qTQtC+_dEAR|Hj@1??%X89dAD za4dm_5|A{H44I?w7kW@~2#VY#FRw-cDybrioCjG;*cIqm;>Vy_M5PrK=+{e&%uHCE zP4SB9(F$>7&1R%`;xK%n-J$ggR!{Wq-Mb)cb5lob?(p&fO2TF^zXL8ygzluaK24|> z;p%ofnSsHZRif%aPtBhYktI`PfxstHoSP&_Dw~5;Bio8CX|zt-g-w~8}_M@spx~ZMv`|K&-kxj+d8ODT;wmzuFtQ`G$Q4O zd`3Qd5Lf#Pw3jz8UGHu^(?A&00W%UE^qz%w4m22 z7WwP+85VY_%mBF{D$|#RWHLN$mltLleYC4)9xV}kO8cy5t_5(KZLy>^3bv`6O_E5s zxAYtvX9e8EX)d<-KF2==KdT33lJR8DcKLYo$+iQ8M|jUBC6xA~-tqNiztBbc@VekR z%=JFI`q;^XES6?RVoms`VsJY9dN3Hi(4KYy{1O-o4cLT>W!ov@Bs-?;x#Hg zXJFD(Y9P&8iSeTQM&)WS2Ns+TH!vswt7uBhMSfUMne6||jJZ)u9-0}Y|Gbt+AK6$! z{lJuxqVbUPDFeVgZI)|aTd?lzKT4MZ=42-VE4ajo_8<@~;kT0eovB~chO?}S%CyHy zm1xH{>I%3!jWb8nj@|p>fQs|02uXEscmQ&AOvZX<3A@B#8v9*GqlaFb`JiI^Q@ber zy_@Qzrfk^xCe0$j(l^@p)U+lTbp5@JReA1ago(~Nz<(O7OymUi#iHN|FMXOk*OJuO z1BGdD$+^jv7;Bg4X{;7Gl`yq7W`d$g6C9P4!@mE4y9^#eXWRVwmd#3mo;H+B{$zp8 z;J|!6bkzwtfEygl0<&`ky3N`kZ+(`)ydmR_{wLdgooWCn)Mn`}G0D7@m1^*MX8V&i z6PqbA6nj_{caC4)cAxzWkd~asQ+eB;>ne$;5YDURviqhjztr_}%d=^UV&2>&mvq^Z z&#@A;Xz6hmcrK;R)%G=n_MtWwzf%Qm%er&{V0}eAF(FwzdD51x&l=yn3A{;#)8Ua)ZEz>ag3^O`YgJQv z+h;XdtmrA(EOV%?pD}+5tI@FD8TfY)WW%2na#8_xdW?~rY# zuJJEw=fBsK+>~vcSF-o%l+f-(0T6=daV0nnWYfw|nr&D?NB8Pvm^FZQlgWLUMJGQ)lJ{ zQAssc!t2mv6PK@|e;*9=DRYd3ln5P(M zW5IHHRA9V-PF~A0O7SkY+8OPTNs>4fL zmH##W&IF*KhhIni_A_1Lyq&-<#_^$}B>?=8o&k3Hy}=ctk`J+2x;fMsb;E}aSPXrd zwCEYP(hTEo4K5hxoFE0PU8x^_i zrTuHgCBKn;X`;;xi-IyVe<{~}^0;qS9B@qt{6!SSl62Q_Vggo?$K&{j&0%^b z1le~2nQ%ws#o>~Q)u6WZiK34q(8{AZ_pi=vT(RD~9wz^N!qK-zqx}Bq z|3jm3?5{?nS&^8GU)?(8ZHz`)x)tNJe2kVr>t{CgvyDoWNW5U8f-z*|-F@|8G_An) z7!c%IpU!Pd(8-V@+`bQ*@AaaWnT;fWLI9%&qi7i}$k_e@W3+`ui933#UcmuLBN-w* zZkKjSyIcCA-HEOln-N#g&s$84{R4c0tA#W^;8WEU3pbLZ8IBKULhE(X`)46bv=+Cm zgBi#H=14H-^I#ySzDW$A%iII&?#TO0^>k=)UOIj6eU%UG;;q8gGW>ZaiS!xo`o5u5 z?WG#xEV=nj&M}e>o5f|3PdX9NVz1@9peXl1oTazm{FMKLPp4$+#S$Jklujh}XNIke zr>z$#zbGGA5t?|C2Fbf>h`3bmn7npl9kToB7AX%AQaHiK2yH1PUVZNUB_2fjXHdCM`;gB-9 zCdO70**z9!Ev;&f+Ze~-Ky@^jOVTBQg~u8iV;@0b7e1u462SSuXeMkx3su;4r;4Co zSE5<{C|A6xV0C>6VhRTEoVdW|iZi9%hS&$|RTx>r^FJ}d0L_rxvCV6nr(o>zaZAeV zOCO)Fh)PTUnxqLZo$gFQP}@~E^>g>DE2ZIYFYnSxgDf4GAeZ1*&PmMqCd(L;SM@x~ zdmr9gC`cGA<Sqnp;Q~!#eTUJ77`F(%?Yg_+x}ngPZ$` z{KTuNg!U}{Q~6)!Zyy?8D_V)v-}w$WOw-JW?@+4lun)w!@k$ceZ0BLM;fRSy>&O2h zA(TgU78;l03_MY8WQg55-*3qkSA2cJ&wK5}%^8pSzSpq$x!WZJ3jMa+=ai*{ie89x z&eW^gCx?^)qG62wRB>ahbMJ^?tqsO zxH+JXHxrYEQSyF*XCfPuz-sgim>gN9fPzsyk6-CPs_{Oh0aKhiWT(Sn&a5y#Y?(GR z>zT52MEuFU%^vqJ3$+eb7wG3~st0W*VC~%99-cR-#sTNfWP#9qD$9`+TP0yXK;Cpj z(^FZ6w|PNEt@8jPp4K~2hmoi`%m}qF2BwgHmXTD=G#$LW_GxLEakwAdX zGG(+VpZz+&0M>e9b+%;oX7P~ir$QdjjChg=^s>#EKu+@w@THEPKFVY=_2yQYM3PA& z@^@f(tDeSm<<=&;tyk~O6(Z|3;?)MB8=sBtW<&y?^Hijz^fBCboT-yg`B$gyG}vD{ z5XAuc3+hdu(XW|cehsWCFkqzFX}W9#N_p^hW#+iCW^qfro@4_%-(ezsfkq*`hkwRt zIO;F`-eOE}yoPPN@^u#r_@ zrZk0!XPj?~*%zfzIs$@x1SZ-VAUmPGlWR}l<&UYDsIQ8W3b80Os ziYMs`NL{o2Q;SD}VQsuGYOvquDDtY$81MC~j!|Mx0ETHwi@90rRL&5;MF(b z)f9Y-kjG2#-^07X*PKc9GT_lQC~9i6JIpkdd2!3T_V?HqAqRgucI+mjE!lCiR@=5nYiN2}UnhDExR&1i2@!W_ynzGTBm%a-|(v6$T_{a7Xt<>vUI+5cbj!L?wC`-ZyrM`e54**@(Ro8aJ0w4 znnP5b0?Vy9zlx5wssAlyG4xQqAYntI9lP`p2pZ~2SM>RJM%15z|I`z5ZfEAnZSMGq zV$Bo9pH?xYvvks#-c2$(V01qUl~Xhpp$uN5h&E4xsF|p^dGX4zB0q#S?a67x+T+vq zpPzg#8Dz9W5A}V7k)U$rk zDTw^kS*4G3Kj!H+?oCyb|*iUV^_PQ~1$G zoTBkP!>8=lR(C5YQr1?u`F!ubSMp3g6_|{x;OASxWaAf=j$v()UOl&?BARDFeMPJK zct@H#{iIF)yQ_)CdPvePgREoP+@go)_>0ud>{FBE+D$T_U0*C-X2u^lJQX6PXp#ml zulA0Mue~wF5b^P}2-Ess+?{z;(s|$aZEUn@amks~T*$0!G0iMD6f!GoDy?Zu&4tua zDtA$E0ktf#QfXIn&&tXL36~UiO)3#J758010dYYPQSkX$GhK6C&wbB5b3gw*=Xg4F z^tAkb-{rHs->=VS`g}Yt)Fbi3X&pBvfu)>k(7b%TackPtU|59C+%o`#txgK1M6^N) z!Vb4-wtkjoah^-8Xufl&N72o-qZ)^3kleWSiQw9PeOcyAQcK0s<^3B+dJ;pYZl=^1 z@tWK)oU}aIW21s2MsAw28*0d4B$K;lZ&$9hHhc?&P1m?cc*(n+1<^~H%2W@lk{Hv7 zSAv~tlo*H)T5lj3{1YG-YIs;Z#oh8K*(cd{<^9Kt=q1cIOwfO$tqNTmj9{jC;&qd~ z%U!yI>+a+4u#Ee$GW)hxkNy;#ox0eO-)70?w*<5&%S;EEsY?d$aElp&LHq&?jap6* zs3JpJBpdZC%ky(>t8Psf_c9)9;xMSBs>>4&Gql$cO$Jv#3vX!{{?;#ygIZS3&ItFL z%W~X}reg6=d?Tizp(q)$ny8`H6S=r6=^>Q2IFK>8E;}^IBj&roC+^x&wc(FvEDDtClrwjQw-X_yk1yh=%YrV=P}bG#_>fsQ z<+ilA9J-G5ERAtSeF;ydHUOA{d&LPFP1ly6w>({MZ0D^x&}2QjF>$d4qJ#u}Lf8bE zV7nr3f3d8@%WUfc3>mlHxz!B@BSi)GqmD!7yVL^PqT@UG@B4+kuEyKcrxV5ih0y^7 z7Ef`9;F$TY*89?CODBT7VJppbxn-;3xrU_bapKCa#a&*bZ?B3JcmEIgY`J^Y`+3kI zabr`-2JAK`eg>n!C@kK^5Yl0paMK}`KNJ0*i^UY%Hx&5 z-wXx(`E0h6Oqgb(g<{$UO&Kzk(26o<}(eEOLfTp7pjOcC@M6uy>JeeWR za18B!++Q-7nf@#6r==3>h+h^i_3U}5#pJus7Op(>QknMNdDXs&(ctS zUw|uS|MKS-l>Hqw_aPC1OUqMjWxmnls`g<&w67_bWVJQrHQKfa?~YM(?;(DfLMtFW z?g@6fR<0Y)g(55kmoIeE%_A7PllNr9wc)Rrgok3IIcD}IOD+Mddt7a)5QG%Afk;Ix z0@n~4#u@~{tpXBpO6k4AF2KR_CX{`&_3%%KF4aY&Fwm5C0e@J+O$SksrSPEY$FXBE zw#zM)I9ajqX)*~uV&6b>Yo?_&xkC^EwiEYdv|+?>F3cLCbn;XWywUf87R6T)UgQ`)dwsnJqE1Kpo)9%n>o6<(ANzW{$1Gc} zEVh{(5I1ogoJ;za*Ni_G_Mpa}KeXNh1i{l~KyJc;H1BTCksJXgi=AE+9al_9_AM0rT3~zbStDlayVS0gnxVG`g*hz`V@ox+=pUzS4#AUseAbyoWPGM-pAVx` zx5umbpTwaBZwr#r^-Y)vetfEasa$irC030fZkeL03N!_qEyB@Ft081pH^Cb z3j06c`Z?&Af~NpnADg8|HL%(gl(uHikDz+BiVYE>;F&GIuJj9qc2!NsD~sb%nEqK8 zf4Jo=*FR`b1NFAYG2^`0)=-3v0^ND zi_TsL@5-x5zf{p7e{_z&KEnU})o*2If#2+d08w1YqfIZ*a0W60R(9UklKn$~Y3KAE zY=ytjsLXS)zrRqy^>)Wj6;DYu!MMUKl5G)GtcTl+4{ORyHG^`}*G5;Z@wLJTzYo$& zA3LA|-%{HrR~sK60zmj1Q|^n|F-tApyQ7Vse1Y&AY0?5KZ-=cy_?4M;9?&tqGp;`= zRf#7o<`wMeBAg$*)H9QdOr^~*}i;V?%klmyWy7(jZ<93M@sdIe79qeJ3TLv&$Jcd~Cqg;!xs``d9zgVKnjA1-`@!New2+t@bmAy+I(IxRm0 zY?P=$@6Ld!bi6L0_d0+$|p^JKjg3KfYHpW61@8L9_yXyl zX3t0Yd1%o5EG<ocD3r9Bum zGYZB2^#z6Y#H#S1$(kLCv$gJ8@uu|}v|=rG`!=dLj!Xu$|7LCawf$%siX5NLoBG{K zL}Xw6*=*VlSQ#Gut065)^ZNH26ceCM5pMRV{vcMBW0K=b+De&!MUd8$Alu=6)6)&b z4@~~D{5s^by&$mrZGa`_#pDg)lSjP_-8X~hh=pDy9dzEHtaVxP-d*3E!__@!B5h+U zmtfFebV`>$kxc0?lf4`VRyZXIdwA2CnhUV+>VSZow0THnCUK7|GG;s}NdwC$G$#Lg zw%_z2@g!x-aGOw}c_tb0bJq-9X1zuOF_c4thre#Z#yQq&uxX5VwFu_tyI@FtQcm1L ztSsEKKxKLWhA#``O$~+rR-E+%atkOI zuCb=ulr|f$`z(#v?2GS`Lk2R<+$;dGaEeSLK?MNR%ZL6t?_!zD%CF>&o)N{do<3Pq zzFLM@kh{LfgB7kG+xhSNE63u&Wf4l#nR9#ol4PObCo4Ck>q>+9RvdJn6S{wTUbf46 zugaMwSj?d0#DzcjMzm|+0TFlETb%Km-9aY=1DOOMW4J!GpWxw2aYnH{NVJ}ne+tpyECcpn==UoIFlN`IFryiEQBxD zZ&w2Eql-`A+yUyq@6IGqnOx->-yWbl?Qu5o@|Emn98d*Wv;Dvlu5+O*wNiAk0wMFC zr{|v~a{vC>6Lek0x2%)`E69*p#>0xcLmP{x*Km)yZ9gYHBa?p}!E}|tEpGF;Yqt(X zkCB5vEGROO;uj1z{?Z<17;nGBbEtVn9&Cb0w8R|dF|)ENMF$w}qEI%K%{0CcrF5;3 zcy25}@KI>f!85n2za)6=32!V!QR^TAUZ-J11ZK3Mu(u`gM)I~fiKtX5Z)c26&<$B6 zs7F>dRrchW4Q0+Gk_17swj>`c>A(Lnj~&DNNIu%)lC5LHM;6GaK-vvXsFBQEG^q@I zJpUS#O{)Q^gvT`Z(=2`WFZ0|bfO}Y~yv;9WwTHj!`o^J6bjFkXzpitxo{QhUE}O2K zxicahcaUy(M6jMhQyzwFk7oSnaXS$dK&GNMo6v6?>0hX)9_=D1kD9Im`5XTe$Uh~U z%Ik2mpj-vC4O;oBP|YoRFN+j#1D9wnogM>kn4!cip-W_gU9;C4el%76&4T_+FX+%K zbrh(jp>%1cesL;b`8z!T$gc(f`FDN=@{?DA{7bE}W^gW1v%NM!I7Y@UuQ$LD+V1l5 zZs8Z3;Lx!;kBy}t>f&X^UA@AIAGra8&-164(3{zw6o58$Ab9P;NWm3k>T0#B3dW@f54bVw7=}tSOml1><18mE_7g&O0n){4pR;L6`bgG=y2{^N zoze31^Cc&aYI^QH^t1X?7kI1oX>+ZOpg$P;nHWEI?c8uvqmMdb$QKk@l*XG%CK({V zn1H6fGW695zDOo3JN!5*^a^VfkFVO+rPXm5vp6@d&w}3MDXkX2kA0_Htx|8j-|X96 z_q7Z8SHD&ZE?b$4y|`wEPNidKGH2MCrSJR8`4WQHgCo_cO8$z(+BoxZJ25GF$l zS2)FM1#i4LwmV3sm*Kd3o3!j`c2epuyKbb|yVz)hyxsMYz24-kS0? zqM^^ozp4!X$CHUwxIVn5Jm*^3@gP0T`Xj&;gOnt#Yl@+4imV>-rjc!Zyj28x#$D!= z8RU*wNXXHQ)-UZdzL4%H2(V2Fxh9(GaO9uf2q<6sRw4AMsmE6#^y(zyDumwbKU_RI zpm??OgJ}*9Vf;*R%9gv=nkn)w-T;-mI56 z95fBd=CvYDRGoKf140-$&1|(hma)1AGC+oU70nXrH8CYw;i^V|Nr{Ui>Yr~& z?sc5F?fIf8q=DLPI@O={p-x$kYX8NU<8Xlxq5{C;F_CIb9zGraiY%f?B z0&E)2+sX=m_--q+kFlt0n^nXUOVF`5%z3s@38!1zKOmeQ0K#-sB$w4^%sxc1GYOyreK6-2;x z14pM?xK6|wYr^BZS~XJa>y4_$Qh&GI_`_eGstWzXcJuR2F8L1@z`=;Hw-Do=rvtN^ zh6rbN-em-BeX@4n>p@-GHYCOMfu7ct@0!Nz3T2Beu~a6LtY zqEgkjo@<`zV=KOL-uZw9Cm%`zEI1oiEjXswD3rHvd!c2(XeaZ-X)BgO&WaQ-#rG@c z{ln_3|B&t+`YnO@uT*{iaUdSnTD=or*?V+$tgOEzJ(;*?gpHQx9;58ibEwyrM>0~{ zS#?gW=}uZ{84C~F11z_w8;+H%_9B7+tE>Q3N0%Irs zJB-~2M(0ZYW}6LN%pFYY;4z4mAM>G}R@cCM z)al-TvIb<<0?2#kT~;Xoq7eVubHMLskK3vT5WDVl@7RKRZkBZc*VO$Q%cph-bz<;=-zg?B{heL*XWF+?whYSL6$Rt#3uIq*a z4jIn8FNQ;3=v{Tl5dLt;fJfqW7pHD31)(JekUk)#+?(+v__R%j%5MDu7bCBAdK3+fw2v<`+&lpARIiYKvuc)BV(T?l z-wD6EWQoPk^12k@Z)dXeOZ~5K5e*4qBh8-vk1i`cQx>3kw=ElR#^#&W8f>Gyw|aPT zNdoePV;=Aa$6OoWnA_2Qi)^~u6#9*0jsQ63y^1ERk;ZN`4PF8%oiXpcbGVB@K+6O| zwBQjMMw(;#THwl=U1VXPb^C76N999CcFg zGdWH-m!wZFi+~Rvz z&c0WLC@rc!w;<2e%)F;d*B?+us;8xPmVURTrsP(1s$F<#u;>lQ&I~yseRb2LdL^yP zEH~7V{Jdu6%;M(OJ<-$iJ{b1;pk+U_PAFiv@q%c=0Vp?j6l)hTVKCoj$JCEB)EtcL z9QkOxRtmRzB2Md{CjXNY(RuAt;9R|cpsG+=DGH>!%9_$NBmKJi{*dj<<=|vs29eih z?#Zqc*hmnuewZA)nb6fGPo*5UPY!cPS8^phw1i$WT5;d#pJFe#p8$Y1tKOJ^!6SW7 z{Dt>rlO^x8cVeB?d0jvFPdL?o&L)NAT=P0=F{(i)xCDGYRGU9Q3`Kr*CCJ8|JvVkd zb^-ESP1ya#mGG`N3Uu%=Wzy$tK=4bgdI6t9v>Sx4x)MUOaWq@d(u-Zl`4qM4M#CW+ zCBT;Y>+1V&x7NY@llL!>dj-e?jx-%A$p@-wDq{tz#G@2de|Ypsj2W_4&7XD(7NEo` zm#?JkF*dTSL`vYD!Fo?lCuim1WN$c`TVetQ*W5ZiWCG_$5R(^d%wW_p3$_|GaLlFC zN?e>xi^uWu>}@L4i!xOn+6AAfsWbPkqZ9pA#^OO6ey3Q60TgTH|Au0{b9-7iApA$M zG8ycCwLgUa)BLL#%sV$Xtp>)BPiiPTARzrx=lpnMLi(i@jbmSwF-KM(Mz!qz{r}`) z7_BA;?j!ZLr8@$NtPz!&6y<=1+dor&B*@XD1$@J0I||g8RNucUfk#1ZlR}vO^|22Q zf5-&E>%nm5Lxp5UsOtR<6+yYUDzjl<&P5y$O3W1^sT08`ZZh5~h8F68QHuV#;xNF4 zy?PjE%syQ&dsN|2{JL7KO|v90{#dz_ABhuB6x|<$t!2}XHg~Q{;N4aw@WihY_?qHk zU(Af<2bcY>YOzFF5nwh_gVb+^i^OnZxI?oEV5Cn+m+xL|2X;i% z$!(IsQG(Ym82=F!{nc-kpx^NtOJwr9^K(7@ohV90l0ete#g%q@aR;)V$UVmvzN%|Z zq3qGa{-$cM+u}Qo zaPP8$H;gmREF%8C;GXBB=TaqpAC708>^%_WW&nt|L3fmz8$N4p_#)y4suHUrZaAV~ zX~QqLRCORrofUR#>BX2C10wE)uOjXsKS0Ed`YPfk7l6PfQZvZh>Fa4W3#-!I$ju)l z1|q}#u7dwmBluP<_-{Tm+^(Kkjh80rve~~uV%}@tCmxjn6w8S~j5r_+`=VH;XDY2K zmXktu1hI7hXZkx&H&p)5prH1VGtM_tOLaY7y~175k9L~%l3{)Z4hSo!(W$1i*!Ss| z=ouyc3Lw|B3O$EHj5JM;EcprNWout&D{5pS-pHGUNK{K#$72fnCT7lGxLLr`8G8TIXZ)Z1 zpoR(%-n!D)(cy;r9jmMeV3oabW8?8dEYnA#Ok$<~Sf=`o{!r?Jt0ig1@7k~-J>@q2 ztjB%At*4=@1C+7%u*Watim`;rYfSaevQlPurHd6gkSk_LgMep}J8D~=2K5B99yY6{ zv}*Flv8S{R(DS2K+F&vN_}Pf=TX)j#r4Od;L)jG5yNBsgxah zC$TaS=#Tw0&(XZQ_);dJ^WTWa2=ISRJZ@EdR@rgCZs3EShsNU5J8}0L8?Jn6$ZHk0 znr?_-YrD1-MS1Xgy1Ou!Q9;6oQRtYe17n3!VZDms6NL{I!Gj0kP$${k!^67I{sjnxg~_%1&N-De*%lv}k50j<@9b z>jlM5>e0!&@gX{M%C@-F%laz?Z)^ucyCy%v^`#=_Cb0tpxApKmUe3$3A>Z)F6SR{j z-@UAjYBh3=nvmm6)vc?^{C5O#m_wBQR|N5V6riLu`l_US2Pi3Bjx@tom6S=hpk~|K zTj~9>_AqYpX(-Zbox#o2HD*j-yUuyx;YZmW5$jlbtEGgP)qFB0{Zi;ZDJ9Hm99Z5I z3>1@WI{<~ph}Q$6MV~wX&D{cKsB(SkEIT*cU%U|}TEbjhw7M}Xryl8O zy5lUOB!oKg(~v+TV?m?KK_#O_Z^px!6SJ6Wp=uy{hw$(}VN`Nh;x<*4tsQY4Erb0t z7?@LE;DA>L56Axw22M&%F@?I~Cycn8g7yCp8=e8K3d!Z+7ymZ1@UQL(Ao;elSas#D z*j-p$e+k=`s230&lX~kwRJ+Uzz0>VIv1Dm~=To5Nk5i_b!znxND}vyp+-dZ~S;5xd z6?ceV`d+v4e`opjXp)KwW@Fg^%hwlR`DR<9?-j$EEuM5NU#;!fs50ym&tK#HBo+J1 z{Ba!AfchO5h(BV=47Pw#o+FHIyOHGs^T)A;rMEqy8#&<<^*r)5%R$|V9y&u*w@1VfQv&IKIPk(Al6FzdD zRq+v=2HN%PgWf$d?#X#2oJqu=$`R(<4wy!wE>8tnIdNI8Rx!%kvE&|eLyxoq0&&LW z2At|9D)Ux39C*(Q=o+2bnfN)*EwXXd0&J}K_#JU zDeO2lgFNWms}$;1xgJz6Y}iUpB{tugzIOMNEx16p+Jj>0meLUhUl^5pHA5I^z(`U-_?j5JFPqK`dPEVD-6W_lBVm{ z4yQ>b=vj>cAV#)tUd=Gq{H;Rc#&y?E>r~{T`3TtVWUsfULRja0_bBWVbUJB*hS+#a z#WI`0c+7zM4!&JbP=|gF29-J?7k?U0YVIjv(f7fg+NkqBn31>?d-x+a9GFnP++y)* z))z{LeD?17)1$S~DxjLMRL@l~{)xtlm8$?*2bm}gq045{X1rDgmJsJRs5SQRx_H&g ziXw#^m>Hi6(Km7J-P+J)9pU79@$|_9>POwC>Uws|#`syj3!|H>K@`eRpsx&G{5J+~ zKk+Mr7Y;CZH3Y%m7`)?@T5SKn7`#NYcDHH8NYi@x(S28yt9uDnH69Z98!^Bv_SN_# zBRpX8FXI!bsA^pJa{Blcvs5TeM$+s({L@Pxw}NH3iGBDOfs}1{g(+>!r?k)sO6RLZ@dN#vCv#va?kn4JZt}GZ+wd&HAQGLs?nm_;}NaZo@a8OD2(qIh=pA zfRPfu6+GHLczV!@kS+^QXaYytMFRJd(Ufc(e75(5%B-!sMF8*+r?@GM$ER5(8`2Q` zgvL75VAI9lwPdU1_UgoS?P~xK6u3kO28a{nM*gJKQSHhhb8@S=zfcd#_tMRqoiwQ9 z8y^>ojo?W$ZPEC}F5t?D$82V3KjQvk)6t#RKXBW^Iz`M8Cbc=YD2yT;($oF`?E;y$ zfhB}GU{$xOr0+9g6+&QdQegLsqMxU9|eL;Ki{Ill!h%vkom1F3Jn~U)bVpnjd0;IPy zbicX|WI762v73@mZ{oadq>i(I*{YwPpVAD4JzirfH7FL4p^vAEdy%*BZ`JMx?o3Gb zDSMrJ0fr@Yzf6vwxm0l3ymazqa-$5`3wpHbZR4AbLx3Bm+!1KsJ5BFvyyZPR@_xLG zh1c!%Ex{xi5kxs8u%<2064s{Bo6})F6};lNz#soem@tdl;#4!)pyI3jP|I3J#jBuZ zz3H=Wcl$eCg`wsR3cJo+mhiQ5D(QS5D~GVu_P8UEyuA?0rboAMrN5t|Yz8i6?U62d z>?*T&L-L|A!0d%jcNst2Fni`Jv$vl^`NHg_{?6xgyEAE8Kz!jiG>I|6R5h~QxUkc@|@D)X}kV1p}9P@oB?FfX27U2H%(s(G&b@%_Hx7Tw5X?-OGU3pW)8ZNz@FJ9&po8b1kHcw2SRL`7LA z#cI%>OkH@6L+7GL9%es!ae8_}xVmIW5a;j-jd5>FPd;|;py zue4#6Bo>D>LWM~W3Q-@C6Q zRKDx9{8wu}%KWkbaL~5xKdAFcv0sO-LxAH<|Fb?#*Tkc9YW*79QZKxdJLY z*}Iq%{Sn#Es~NwsA^d_*>G+e{B;Qn$Sg7(TiBD_j8H4R>g2x$g4ikB*$C#-0Y zrp{v$9_`a5P2gpQoczZhkFS)EMRIz_UXdE9;DkXj2h}gilft<3#v|WwE_j^5NVTOm!_M)8>+2e~ zIC!1sV>rad4QVS2PU$&yx$YKCz)B9n7m9ek;k}zSKA16^HX*16SBE?KM5v;c!Jl61 zTkCF=I2ddgF|h0-hZ}w`iy6X<-_i}P%>P{s3Mdt%B9Eksj9(QSm*_Z~-#wsp>j3Je zk;VI@ZVeurvL%F!E8RW~7+Arf)I7Ba^p61=%%-~hO%cs(AhBq&y;`zsmSU!NVB*Z9 zW*3oxu6Uq(QhJzjGitQ>#o=4DIyhsq3_iY`VxMVw3s^` zuLfoH-X#F_{{|O$ciW@T0fIOa{Z)1KKi6LU6u$%744H2uR+h6HvCx135xo$nDD{~t zqIHro58gPTQa$R>l_q!ue*|4wEDLD4z64NEMsE(Z^o9*Ch&c|k2EATwbKLahci|3w zLe%TLXKDwRdaFW07sskn`zm^P&Ai72&0#fnNiLQ9i@VCvld(ze4fATGf`#%07;w@o zEzad)#QErvQP5!<`;IlH*C12A{5=5Bd_UflJwD!5qSi5P_x86_#xwUUSbqKAk4K7N zJs6T&bO|WJ)!3V^++Wh97E+&V0!v#dumw4X&)$V0XQ$-)?f|v)GT@{^=L{)AP(K@X zolMs%AMGEX*RT9leeRxgf^WpAr<3)vfY}Y(=L;Fh>pwDPTNQAk+rOuf$_M777nBQU zIv)qIN`^%Z2U9N8Mne(j*6F2nAW9(I)7}uTvF$Q0B@h%_a3R6DZ&riq=v@v+8#zSv z2QP?2J6`1Y%GMW9cJ5=fU5Hq*Icz|f=z2CC%k+IB)$xO*ulfM}`(Yhz%nayk0a0+- zY{L&9=!AF_TAr7J2@iW8U66HQT3N*v(@YPvi|RQ8Gk*KnH4+vm@k>0gR&FEB(+?hiyu^nDc6<`+4 z)g~_anmP9z+EM-;uX_nn<%sMaA7`7aEw;owX5V=ZER2ED!QEi!gt=K~iRvOPfM#1| z;CfPK)Hh;bX>M7u^111iZ0RS{5ep7xD>iD?Bql)C(HC>N-Ls{sy9dDw$(qi?CU8#Q zTzfW@NJ-SISSBx2wT+9(ofQQ15}5JCwuA@(d4W7() z44W!)pVor9)!$Ps2HyHokMZDcUo`i=Q<-7KaQfNaUTfh8av9fGS8yEjo_*py{CH_^ zo%$s)$9LtWDaRkT2NyD*Me=2_zLx=AJQN96cRoehOZlyCaKQ;Zj9-dYP3U0s6T|j% zeoAoeQrV6kbH+_Ow=F$Tta`;R5b-rHE%hl@c2&?89^;J)Rl_K)nqH;f#5sMaRdIim zC+hzL?ViQrRik77QsezM1@_e+$VjigA{i{8n20C=lwRuzXY-|0-_#3`+1o3&mBBr^ z0kyN_Cl)ZIUjjW!3-df>dDi+#XC?jdIFSB+PA@|*E2QrQ35KwZnJa#N#>4O2rd@4^ z?{z;v#p=``4!+{>NuCnT1C~FkjL*d(s7xu&f!VT7>(sdc7t?8nBi>olZ!4u;NZjcf{y`1QJvEW2H9|Qf58mKH_K4;F+9fxy zJ=%I-)*M@PqY@bHVOJ*{D})BpY;l|PvP)YW(v6r|Zt{1P+InsSYDiXrr@pTZFW_mT zm=JdgouT)=tn}gx{h9H9DK_kv-jz_bL-5_xU{4y*XDO@{O<>cAi{0|TL^#acs73hq z$(3D`?}fD5&Sg3gH0Pop?KtK_mW}|%G6dcUDfRuO6UhVBwjK8PdkUK;)pw+3W{lZ3 z*aVQ6jQcbY2CZZtaywxhM4!}@nh8FvjgN6^Eh(*->KY|w7NJsR_;YV9WUe*F8{xe^ zusK_+mp<9U6Ex#P9lDo(!0nq3no^uQ9RUkz-H<+*x=47oro6+w_@F`iB&gbAL7)XG0&)P}IK>{O-Rni%^hUlGaW?5- zsaNG9U3325H`|Jc&bkTjEGp2U-%Y^UYwsfGjvtPg=GGCOI}W{lc{FP*QyICX>Ftk!wKHqx56i&NF`l3vX|j$sXrP=;*OM0W*VwV_ z2P;cG-7Epjd}n86F3veQyib0~BfB!3X&ac0Ery7N!VNbtzc{re=)xcmp~wCQ!1?c6 z5ZGj&q-K1|XB&L(v4QNEd8-KM{sP0lAHgA>gKtL*)jr8qE=;}Ul!Spjik;l z=YWqd#&ckh3U(<&y+T!leY`2D-$^n!!779Z zkLL?X>SgHy>cS)4<)zo-rOhE1jTf`DcqyvYOP`gqA6riIUZsTxCFR9#I%TO+4PFlN z-95NSMKzM4$X`OJ#Pp7wrt4_5LHXz6l_X0e`Zs@xU;6fQE2!j^r!GEDC9;MM<#G|1 zui7q2D@HfUG42W8>Pp4D)1>MZ&Gvj4O?h00a%w3UK=ev7iXpS>gPNk!F++p&bAwc; zZt2p3^#fMtd|Jw>Wgi59#j1^tyPCiezC7U7Jyb5IhpU=r5owXMYBC*_sh?%;%H=WBDbo14! z-R^l#YnfFzqC~uY!@k+Gs835!zh4$hti@GtfojT=^p!D7_s=^j!LEV!-S@it4@Z(C z`v*tz@>rsz&(@cov^bYLf67`^C)+@CuMA#yb13AQ-j5LkUbXLB}hB zxg0Dp{icWYtSnL9H6u=0gGx~-+F*vHV-xL|twct+b-3G+nozXVGfFA;}3mC4<)r_S#c{dfCEV@eFqEvq%=0sRW>{eT!_m zy-TouQhY3uF?z0TSCHXF znlf<5nW>)_J1%+n$%G76mFKV*9w?$1vKT?uxSLkQvoN(OH_*}qP@I$9tLQwB^-1)e z8~ZrUCQ`LYkl+Mr0>~FCt`F#;=$9?kfhxm{FIOczlH^BRMZwfo-{@Q5jmCtuImGXU zff*`JRbiaPn78(7H%(U(s`eTVqEC01^27PI)ZIYM&Aih({9jSc0ua@h?qUFy`h8cD z5?nbksesh%mK@{$JN;j=8Nh&C@PJud#-P4Y+we(?b_jaBa7D0qA7QUc~pI8SB z-F>`LQg0s|=%XLCcHEcOq>rT1uTJxisZ(S8sR8na9va8KFRxPeY&ORY6b*ys0>_g+KF@NBM<^T{D)0D;l;o+3-$sFj}6&r$uNP4qoXD z@8Z+K+W;c|>xksAx~FhJcYEFF+wt?q3jMZJ|MlU(*6S2!dTWtM9?b=7)L`qF&% z3B;ZaTXeLWyBC0gZEWLlr)i@~RdmZ5&E?g!@yTikGIy8TtP9Mu*9AtQ?_UiqKe+&L zq3Pl&Yt>9$sj6vijraQ|?_V=+Dq>8W1_mS1)z zz@eU?{L~gr{8LfAmi1)iVcBt@z}C5Gs)FG(Js~w0ZHf&SkLwyfK~*ha#=(s65^ejp z&sF(z7L5e5YCpo>=F8gXU+BtVkuc8ls6Kzo#j5F*bBnDJV%yU4%DqaNgNl_yi{l?k z$_cA?aH)>1T z1ltB~8z#)Qx5=uYJf6-h>wz~{aE>3VqsF&8*VhAp{{eJ$FoHX7A0v9ycJV#tMdL9^5=|27@2e0GcU24-E?B;x^2*4Q892(CW4*UvC zGoQsnw4(g(D(V81_A_~v%ZCR}mTD#HZG3lm_y)ixK=K{JIlMdIlwhQtQDb&*O}Dva&o`7utfUUH0oj zIMGqW%ex*oj#$kXSrI=Wu6^<<8S@^X$`yP73)8|bt z2$|d6ueKEuiEH00%gdmkN|*0R>q)7>xA|Xe`9Us~S5&fStYV$g=zM#aO}t_VMG1jA z40p*J7#B0yRrF8+${NjyQ}ZV$Ec1`WngHf75}?OD@xOZjCocu43PqZ1oK1qA|wWp72&vMG_3n(=Pi3;edLN2vPixS`0x>=o*yuN82g3z|(GbB>> zPQUD$dnxks5*97Vl4cuftkjZ1)_?CuCdQh&w-P5Nt;hya{@2SgFY9mO?;nIXjx&_c(S^|`MT>*!Y>VUHHJ z2Cq~n$ug-?LvOgNCYAQU!|F>89H)@8!&(~~kDZhbqnd);n5Y0@etGoRVQ`dPCs(^S~tZ z)Ma7kXiU$PT6!yUl-P6h8Gu0$TpmN*lTmAwu2W0~$<_VV6%veeW~{ecJGf;l(sgls zgqIV3nb&n2^!)I-&2A}?dAR;Hz{q0w%^rwlwo+vqiAUJiK3g|iI`LlELs*PWnI-IM z22MXwW^aqN+v{eDfmpPp^IfffqR;&LWRz6DYcd>adhOJ#!s#>CLMrN?kjeG;h`vqY z9utJ1407I-0dM|(fpJwm%j0$(PI;#*fuNa^boZ^nLNP?I-c<`1-tH%ER2nfN&S>iL zc*Jm<$GqNBi=puqA04@)mEd{{kX}a(^4Sqbx zWUjzdE28&;Cz&jy<-T#o^|ZvD(l&iLG@McF!tH*yDS(XoUT!`-LzqaeC=0CIm^|s` zjFy{U7b=lu$-w^RXv4d9DZO00S>77jU{5CTS`d6r{D3O0{)E+h3~H&c64FN?06l!a z5-T&LajA8lr*Lk((K>HM?iub|%>4I1Y?QlhvUCA3_5`2v4naDhCDZgRs7AAg{=bke z|E-nqrcK*qN2d|k6&HK29(X9LPm;wDc+Dt3DVkud+^yDi3%Z}I^{WJtS0W49_> ze52j%cl0#>)J9ipnI?O3MN^a&K`KNor7gcHRY}w%>}l0w1G1Ghwvi;&e}!LqxMp|9CCc^hb-Jv5Q9fxaaZx z$K#8oP~L2+&16>mrIe3%3-lM>Z~TcT@7++aFRjVkDHLwm_u8|(qWd91aG_Ck-oR(X zBKPXi9f4MdpJ~ZT2qd})xF;%Vke@d+m2v3ap2Z<+`soKt zg1UR{IP3K2^mtq;<+?K{{Rb#hlijd-086Of!2Il_4_w)=cmMNK08qCdUyXaD+w<|S z@7lH;oE~$OhkL{%{^WWku40fw*&KS)&b2G5Lzvb=nD)fx*_MH%+yl zy7Hj0XKgPm+zUT2VQ*Sc;kRJUA`tH@sBM#vrscLZIHaTLL$T@vUFaEC!f+M{<=Q=4 zqI*r)_=OX!tT#XkX>x~+ZQD`<3#FPFAJ# zV`h_(_IwKi30bcuZr7v*BVOTOTD2%x#M3}fmRpwYF-(pow&K1U<>=hupHwsx;#wcY z0UX?{5Wo{=U!UPA-NY;+5|*ktUpcrDE+4LL;uq^Kw_MfIMOL~~gTr90&Q6x|jr!YZ z<6hxjdCn@KTsK%%elf&giar7<%D>w9WPh^FibgK^?<80MLBOoekbi~GFnh;G+c*I% zH^q9koTNuucWP2?L(==CnoJtKZCh#dvQ0lr_x+UCKpa&i277?hnnfhs|9lF%?;hc!7=DmZb4ye~k-n)x^ewAa; ztX%P(Ds=5UWNnzI+UtBL zpXFEP+O?@lNEVPc_7Tq43G0iEO^FX5GA!9YslkDi=!CPm!=8U03tyJ_;SfGUh0s6tVw`rBN(wL-o}*E$rUQ1%Lu zZTje$Zs;<>e@h}NBg?YAh|pE)pa5-d*v!CY>Y6-nI_tRP;ouw+TloYGwoe-jg6u9*7$FaF0f>o&>`so8C7TS{agKLfl>ir?fPQKTWyz!w(G>S8_3SD&uS9IqOi(rmyPYM;ACzMF(O$-IzrR z0h>F4(gv?ItQbJjk4g^5#+hob1xq{0FqpQd3y@35{Vln~zcxK^NB~fbRYFcr2|mLe@^Sc}$1OXmMo9h}t1s}u z6htlPDlaAVf~zmWIP176{0Z@Afks#CaI6vHxETu==gXU*;BaQoO45+bb0AQHUZ0tY zt&Nk+2!IeY<->5PairPb*@K~LHS7Lh0sIw*P}NRz3vBppmShZ%NdP-^rVh*)rl}?S zk6pemtA>>BFU)i+!uXejoACpl5qAMasiIjLIX+^^6kx8KAp^(En=8*d^>(f)w-3Vg z;nwvbm&)fz0Gv}177$Xp45&4l3Vnff4{iEZIr}ez?bsxVi0edgDC_Z_|HImQ zhQqnGZNrO55D_gQ(ME|L#M0YH^b&)p(I$vUbVjcc-2@S3bfWhf(R=Sf^xheSQO9WS zW!>e;dcO7C>wC+ev6=1i!+D)Y+mHR&kH~S5VPwxOb>?tkDE6Nw1Qv=(0HQQdd|F=* zPz%$yCB39y&zL%8-aaQ8^Qi~M)-a;ntB=V_t!NKt?l0*NsJ`0@hsEGaSfS&?XIjgQaFh?5Qe{*BiC+p#6rL0n|5B=k;a+;nY&RdMoU z_cKr2pI?$|7#N=x6!c4uWB5O% z<<1JT|G%K+8j9Na_Uryo-Qx+b=x?4Svge}`1{(FXr7I4q;XuxQEzq+}{IVARnqHcC z5en2I3){r%;PqVmRgm+z# zoiE>k-d8!<5_;1u`X&=SFX4Q0pgUM!bAlYfC4l<7Z}rBV<9$0u1bq>78?yFv+8PHY z28l!ty3>y;K%T)eUB&$vv<~Pl5SW~kREm9H{zLKSWdeSp<3J_B)+H;q+gv%p*4(GY z84tbc)o-q*9e4E*jx3n)tNI}Y^ML=B4*vPqnQ5FDEI#QIjjPkwpQ}tw zi)e}qlzu6dA(Dw`#Vvi7V3~lMM&t+O06!5W3P>plWemvdj|UdcDiJYP2T^bVP$m7{ z(r@BM*|+SDZN$LIr4P5_l1YB9l{bhwofp_}cNp7jQ3WQMs;DDfJ2AjK*B0$dIR5#` z-~cx?_B6B1mL6*7eHF>3&W!LD+GAQ(P;u!K$LtYMaB`Jjxp=yMKeXy~+u9E|`p=Pf z;S#bC1~6gnmlt!6RL<8tkE^@9ppi?K!1;GaNAgu7-W~57bKCJ@Hccj3z=&Xs*_#0B zYL%Am(2}>KyU?Pt@tv?>2WH!`>0BOyl zTFh8D@6oABewOKP#V>T=K&+5iZDsMU(RV>*TA*y)<9I6-bNALBq2yHVFzEb5P7&eP@}oKfYrz}mrmcwa zW(F|gsJhZsD6$u`@G)d8_v3PZg8!mmgfRc}76|bD1P=a6KC{IZsAv7j!uGX%P;pGkQfbfZ- zxK=S_ey%o%=4dBSnETrIywM(vqij3(J|4jC%gb|LR#JUdLO^^^TB4RfO}bf2^4>j? z`|Vnfx2^9SmXk<7Wx8Wo+D<1^dccd{-h^GMdUO9ALHW%j;SM7V(dCV=D*L`>N zOx*cykLP3{B@ac2K7&NAmnxIzCo(n8^9*>kX&K9a3>dvSrhPes3CaJF6Tp6-`ep>~ zlLzlq`;|Z%!3(|y31j_I*@UEIH)vwIb$>IK!)ZX8`w>&zcr4DChFMwuhlE~7tWF>y z$ecq~ME1xpRA@)V)s!f!tw;oI(n>Vcu#DNzB=A0!Y_cGSG*JckDj6}@o_$(89-avH zudcrR)4Wq_dMZM^M)OIY{ZDl>53}AMdOcb?)|)*{d#rLzB(^xzSpVUN&j;Cs&J^#` z$;Qh!7JRyysVAEWus{8Y4jK>VXSjcB<=s2cS^gFfH5s(@r}am+!3#w1+U`o=(|9nf z*@ir*CYH4fAxXJS^&wdawb2D|0iYkiMWD`{0A!^4#TRwY%~JZFT>TBrl&V;7*~e+I z6A&@C(HAtblTm^>pXW3P>M@;KY(u~y>fg%pcPERZ}Tm{z<%ysbWnjy zS73^AzIE90?xF zf*r$9l}-y%G`e1?^Wayh11VSSlY4_!#g{^1`+P(-UvO{H6*llAgC1@MUuBzQVAH{9TOGf6~jFs^) ztRP+?iZL%d56im4`O_L6=5kAH_UevE>4UsakvBfnL#pBj5(I5r&`fvK5t7miB_{6E zGu1p_s)?OnHi&bUwvh@{%~!0#21d4KuRM*Yibfv0K3R$DX{Gs3ckrL5M~u}_=gNI< zurIr~``O^Xowtt%3EoVKuVmP}#dw1#_|=LZ{2p}a(IR&B9TFmZdwd**u^^Y{c6F93 zB!h}8wU2V-fw`L-2UTDcDUzMY3wh&8DDaSHSJCqmLG6AI!ey22u6Rp>hLT+w8@c!C zB1Z(cgZ^7@@l5({glOtLx%e+HSJUVzWn#CCX>6W`l2LT_fS^xD6|P19MhV;RvW2RN zEXh=<7o{p|Y#E%oL84N?5rFi6_q#TDv{PH0G+iw7G(G=oj%_BH-&6aI;k5@Oo6D}2@b#&$9uKj| zf5W*2kl0yXX-Huv5Y^j8@zHW#r3SFjAI&NiOVk_0r%T!5PwY|8J|(Gv<2k&G!pEkv zk?Ce(UU9aCw7|%v*hj9LAx}>jA&clY#w(vrE0j zu;7i*zhP5jGx>`%^zrw5O1A*?X5TFW+2LO10u4_K$p>z~pzt=z7c?L4f=+oDHb`V6 zj&w{A%5G!B5eYT&i4^tc#-LLpsbcVVB@NuUD0>qVE=bf;v|jahG72Tj5o%G`YVbHR zSgenvJ-Am!Khyv9X-K@b)QY;H6`djcDfzf5*#_!{K329`0#TO6>)ygaT?8^;aO~4k z220#hdwg4f1ZF0IS|d1F4II)*VN^J0KfW>+?1iRBa)LJ@)zRvpFrkxSdM84b1*Qk& z+e9o2rt`YM$MPb_e{k~uG(I11A}p4L3-<|k(_bIHP3XgbJr`BN4QcX)w)r>lJs!0y|UdR-~+W6{p;2LYint0417ku;qels=)mB zxw(Kzbbxfj8-Afvjyu{W2a{dBRu(k(?rR5>1>IW1h>PP3hRA$r)i_ZlIrK>$q@5v` zbP5fUcdax|mu^)kSZ=&r7vS_>9U^?)I_&?B;hJ* z%f0^}{P4oO6z~UEw8w^jG7?G2S95i)TD4AAfFX+OH{RPJPE4#cITed++)Qi@O@wDvNJW7VaI4uBTJSbenxTT(ZhF!%1)uc z$4Po$DL=z(GyHd_=0oYzl=ieK;cOgwJU)+!FO;1jpU?Q$jZ*!N_t>yDhO@NlE&I*- zQOe5dH0|#YLaM8Zw+F=Q3y)DC*k0rUDGx;;-T;}%SiA*|2HThCD27%esUV*~zqb%B zd=ao^NT*;?aq^ya9Wwt~tx(%N_*$)Ssg>`(-L+bw{W9^oSs3>PkKF5V`MXElwU|#t z7)AJPZINeqIF|2Kxn$#|mk8gcPdJkO_E{L%$4z|LN>fsvoYhwQPCYD*i$FI>k zbx9+o!ZHMYCYfD>zV_>88lLuxzFg#^ui82?JyS=(aa%WGP#Q+wg zm4%SzV5-m~OI3a>oQS)gTtPi>LxELht?CEej1p_aqf6+L=bo`Qeowm$3Oz8Ak^^|m zhs~1VZ#8HsE&K?@7)_eiI0rWdu_5^`0k%7rD( z!u*e*7f-_#M6(x6mmQpd z)f<;uTz&eDX(L*tA&+E>KisMm!m==me@eGNsEu`0MxsEPu{a z3m6S=9WTY=kGWI?d{auGDcD4YlI^%Hr=B~6}=3?7n!9!eCGtadCjN*4})6sB3AO=G#S%299s z1p#5aXo9~0d&DX2Nd>LGxY}2P*sFqq4}xJ#-m=DgpP`pV@tUHB%j&wG9_)`F^=L;) zQ8A_jIc!vYuzyp)%wUhFX#;=TA&d>0-u zf5BpQ?75${+plq*X9cm|PIwYcMh@0}`k+~>#d)@?NiiA1@z}=u@-&;quH~VCO)~g% zu3kkfa45Pnw`^Me&Lv{W(a|m7h+RGSbE2wo6MG2XMO~@^8e%Uw^Io(qhafBh&!TVf zNhx^>oFRY zW1wL}F+t!W|FOH{OW^EkX7G1g|NiWN2z>eQ&navUJ5CF}3vPh^NXyMHH>^K(+1vUr zP?rWsJ@SlYZlNR@S7=yKEkMhnThvMI!aR7exF3_LJ%$U(>4QKxwKz0KLyH_#>6Se{ zVTND1PjNJny@?({Zk6x|UW-9eNCa2x`@JKV zQ{eBSmskrL>&sPvSjGpw)8abJOUIz|ShvO%}Ax`yOc28Y@<_36Qj+^TA=vh;d{)TXvsv!IGNDLb9 zmF)gT7BT#(CHyRg=n_v@1Fl1|{3GyO6IAPfCRR#BuK!d%T6W7LYZ=D$nbc!)K!>4M zmuI`~=Kk72HTRgYHD#JCDm%HxDqw*)89vToB@~^{<*|I5Tt_q4C(H?{CZOIIR&vR< zHT@TGXfBck(v{`%svzPBGi znA-Ca6Rx{t`YdRLk3nloQan9!BIi+L$)sYB+5vTYamNQJe<4ZbbK`pZ$Q#Xa^(D;Y z379`PSq0$$CkqWN<-SBRJs+7vEiypFfxI`bm|uK>LmalB2R1QGQ(lXHgwwh32`(E^ zWfWv$uH)4HPQC4Ik&fF6_GA0s@*Irf`=aICjN>?P)4_B`@f*N&AFH7kGV+16crahK z2<5Wa#-qGvh9v8+5z34_`|z#au)Ad-MiD$03%`@6;dtpvJ`AdwICZjwS`{2zA|o+6 z#`p>R7T?4#&XtarCW6PR)TE}Z*2lh$t|dIegLoV{)>dDAGKXjV-^Y{dWRU3Q+P(We zpthR`d3}14345!(nAavBFZhX&k0_kbs-KWuoJMy+3L>%wD?t_|F`;U8?5FZ_oNFsG z4;DR}zodZ~5{w@(#dF{~ZYGfo$s4ri3m#?YoabgzA8MJVDX%1`Dn|wix7=Fl?`A>Z z0mEf@j~sp*pajGy-%~XO)nAKIMzp2o7Rj!LT6DN#i40`U^?vt}Aqh-K+SZ@0kY{bG z{U6em>BcR5LyL@DKn}g~!{=>5Cc(&S2$yk`k`oe{M(+0LXGC2AiAQ_j3-1jL=pWjZ z21jj7kp@RmzWko7Dv5$QBZl3a(Dq@KO#d`Z`jy2rwxXH-oXuB?0=ZPa$#BAaim|D; zK%NYUSIXlI$0OTNc`D%5S7Eej(3-e5<5oGZf?(4&sHd7bNMMvj_9%`qWL(!ZTFEoQ zR|f}(!iCkCf5=x-V;hb&sl1+B z2ex2%wd%eMZVKEZ1jy4$*t{dy3yT3+Oa*uKJC`ewAh#pP$Njv9^ABwI&!eG=4zBq4 z2loYJmxCy!153gL8HuGu;LR=2>JpRQex(NVtTratyMDdyXc z-#Mnezs*c*>4_dZR2>U%ylhK$KNCJXUf(Skx*ck{6JRlUOIe^KpjYq{Jp3<@_s?I- z0BQB0#O*(Ssp<0+$O>`&^-}@~uxS~rKUYZ=kf0KU+9Buc9*1r^r*J@c6LwhB!WVqO z`;iA4LRmm!90j$I9qptLm7J@B+IJBpAe9E?3*6ptO040bdcq;~i@4s3XK<7DV##b5 z*&=zk*wJfzL(CX{-}@n?H!0=gw4?LgT-em33Fn233GtjQ41f**hJ13Oj`$_Sp10P zOzsDV$Xeq2@jmD?Dpl53FLiM0E>5g$XpX1&pIHyD2<~)v`I6(`OM0(;Iej?LD`hp~ z>$zPlabyPTp4d4N?G%_l4QktK+ftc|CW1yUN4d`M8)W8Ipa%uU%{`{c3fj*bbNf=G<#vE+HHTc?GydMLtVjFTs-A1u&n-V>O#?s~tUIVD0bir9GTbBnPMz2`th+U!q2Tk}E|U6@!XK zliuS}`*RS$-&aCA>kHJ+#7P%gEI#h^5nv|9=RNdxd>pXn&TWQL8vDNitK>??lWW>z z5ps8H79Q$7P7JEFnIE`@XJFb9sAcwaJ;qO{;~7imtrACEy(}(VyPCiBsK0)x%1dI4 zZP;J8+hFl4Y??<2z@~+^-Fq2YQwj2*Kl$kuBP*>4O{f*^q0DBw({MSP9^DGGq$~#u3Rpw!BP~g zjA_f=2t-CAFg-pm`G@Sfi_{wO{z1}P`<0Nd($Gb<-o#SG1f-ZtQgr}cNV^6g z>`fBSnr_rM&s}{ls=gE;DCR4=_gT-TI<8`_!M||Q!ErgdE5(~MW_^A;PqrTT*SQ>ofy3zAO>`?x5u1kH}lG4;Ar>I^f zO^q;#${u>-Z!Rq6z_W-)H*N zWHG^?BCDzz_H)1%{hA=+`<;YFVWDFBcwk+VY_Oo}2j!z+(*b{?^nGFuHK0ZUsDV$k ziHzdCe(RE==5b@<#Hr)QCIFyWtRTr~?~wPnUV|UKCV$eR-ZvL;75^wQm=4>VoYl21 zH_fFlt~(AmqH;l898olioB}YnqA_}mKx#X>vzUlwuAlwgU>DFDS zv1Lvz#E(&;>;;;+tUyQn*J2dEUfRDzK+H+8fx1A!dHMwT%X?{Rk)b2rs|mR6c9ZiF zK}7GuZM)#W3|CdAwDFQOmH_VKW$qIbaTqGEJd2MgPnv}^0nY-E4z+zagcbBh*U2FCFrabiVJTY}wf>4!pn+jpVED2oum&0BwWt2iHOR}qFPc+#yCPKHxg+;}=b zDWJpj%=X$rht>Wp6^40nQl!;&#EefWg3%k1PZtu*s0u2>G>*G+vUe^6Wiz)tm?2FZ zvNmgnCsuu3z1zK4%8#|QjK?nhngz@zHMe82I#;E)P^|nGew{?0t>!KJ`?uS~RZ1$T zijsKFRQ~oo+@=O@{e3jy@s98>eZD;+24cKxUZQT*;cZphtsJ>9yJ&`--zdKRZ0_2vWecad;g7Clv_>aU=4 zv?{~O501BiOq5q@pZ+*`7*|6NM0`>H8Ym{aLq9Kmx=pZnRBH2wGiNU9<*qE4wLNO@ zU~`%8KcB^;ueo(2%G`Jn6hO9>@jqxpy)Oy-%RXLtLhI9X= zLHzn9tMqkl9ppTEvhu5ONQD1p!(O17PmWWUy9j`(LXvx7RSWl;nT7!fbdK1qAqPRj zr6y(uNQ5vle5M6P6kD>+`-ap~s>decA_;~PF&ia}06KSny$RHecwmgw9 z-ozXgqRa`&E`rWLrD`e?DXZmYT%wcB1}Dl6g2z;^6N?bVK&ID{>x`JvOUGTmX{6*m=XY) z6~*GE#xDt$hVAr7dDc5=U3{W~j^V-l9&E0{@2Xw)v6pwqdX9eP{OMbbT$GdO$&3(c ze;dWkn8s6{*QP?c&cRoF>tO{}{75|Iz6n>b;8XqQfRg8@y=Q}jWFUecg3a zz*T$EC1IX%k)URB?;yJRA^3LQU=9YrExLUnr+#wV`CcnZk0re(H9(+ITwtAW9#v5m zAR$3T`_EbjosH*0yp5)=m~ew_&DiZ8Mt@yx|9T>fm=K&F=(C3cHnfe&=YlxYeTdN> zTI1kPdVg}5O185+PFu|P(ZZ$_Vf78BVo|lWcF>QSE!f>|<(4QDY;@^0JVoD65P|9L zt*dFo?A`e+ejqmGy8O+_2yxJR+qV91%O|)P5Hs{vY`)n1N-^>=_kFrxNqsMVvDXz) z!EB0@T%e&}Qsr5PyKX)_Z85YsU%3A+l)G9d-Hdh`HRv$}Vt#hG+IZO0%1U(^&x^c0 z5(QbDW-%Ps){IBg1vFUlXJ zeihOw2eS+rO-v>k>&eDYmM&*wkTRtc%b1YXfz0HX+XwtW{oUI7N5F{05qs8!TmEij z)apQ4;Er^irj`FHqC&(G*_9Y}v^A;}?AH3zlhxJA%KT2`?9{h!QZjMj7*yDl?D)3 z?H5%H+=haP?0W8ZT7(h7Mqg>vbRRcSV z9k6fM2o$f~^po{r0-Y<7ZR^kI^xq_<;|NE-4drGKhwVTCCg+18g<@d==_7t^NW|)c z`vAfV#Kg+FoX-b-TjHa=_O;7;Ut+^BEgVz4t+@p)vosG$M+ zpi!ws+rZRR^diHgK&@4iGjaHBcA{gc=T&R?s$JNwog3PJ<` z-QDj!V|q5T4m)K3gJ1hg&>tJC*rJOc=(zh4%mJXkQM~OJx{oLsF|kK>sSh#-X;32+ zXtdoIDL$54wCahtAS7IjB1<80pJ%Cfru2G2GD0Pm88#LqyHwS7^@3VtX*2=Z1rehF z#Fh|5=}W7vL2vsCLdKE&<6MpQq4x%~rCCjGkjB5T<_}77!1m{dZ9a4i-t5v%RlBi3 zvTy&c5Q9!>fDPqeU7XA_nvcGCn|1=a>G#x;c>xQy?s@#pb80715%Ka(RJ{AYyIUNl-f^k37Fp1bDJXqrF>Rf~YqiR}g;;&T zgi&d{{DBdlo@e$vH}9f2X!2_W{?$Z(@t=wB*Hix768FiIyiURc_0?N%Vuf>0 zFOu8Q7c7#{d+-eUbB;Zm7(pDzac}uD1Rcg{+EMF28f^mYM<9O(9H|DNWmc*VwQw=a z17&q5s=2NGpbMzE=CMu?TNaSW+B4+&r#SFbK0j`&?!s-H!Stl)LG7X`M^!UFq|@!c z9pTGa%S3R1Co0~}iaAWt@$h^%iYvI8>c)&%(hMY#)W1`LF_zXy(c!|OaYCk_4H}o7s`kbct#YmsS_mF|$MS6O7> z+MYR9D%E~~NFJ)7E6Itp%+tGqH1+PDT3XqEPiX=#i6UfUs!V<=(>*j@BNimY5)uy-m<8N8!(p* z@Mni;(WJEdi8x#&&^C+zkwANBDp3==?eo_RT0l{9nSosGxg`s2y?O3kpub0@@eTrX znkU$qrhxYc|M1myHBET)t*YBh#WVf^-2@g$b}tI+1F*kZjfxoo1|%i8@hbK*!KWztMw|o>V1qR>pS+=`*aI2pF>z0dYyZiTuf%Z`SR{DAY)$-q zzCX0Z{qRuFJ%$p~RdP?1(NzDg^$WcIFH#-yy6>2G zCBA?6SJ+KQgBYOtIug`F@W*WymwKI0>1}Mc^P;x=Ak>el)c1{6NVzu$)2h+RA2AG2 zyS>k`2TYCo3+dIe5x?oc==Wl~y5p-YmqdVq0my-JyLHdGSI2{tVfIQ()DxPK;=G+j zm>;Up7HL?jZyjldG+?jz9w}8nwY{ym#UMi1h@~T8nmlT zP|x2Akhu+*H=Ib3F(M zgtk0!WRu3p`}|%z8$u)cRd3yo6#*X|EPpfIBq}#Swb)kU@#yqXz#!xHwm&_8@cWbR zN4S%Ss{~bnk67z9M~F(N&KYaM1RJ$)^AfLI&5*TDPC~ghW5wl?{NhVXJR@!7Uk10_ zqjsYccI&TvDz-{&v`&DH1Eo9Foz~wlNM%b50ylr(6VbDR~qV zgp})3FR`capb_-DfDYplPdlnCLQae$V)t_@L;ac^QQtDAO(`c|44q4KzDzybS;uko zjBC4x1G*ILD|Co=_JXs$J4@$$HLzG3^B`~n2*%;;`aj>lxE8F8h6lX8XH*1tti$4m z=u>ledthm@45{5{))u@cn!zW#8AP!Nss6yec|+WF1)f~(rb@W_igTDs1joC*7vhOw zBJw)?_%`XKsl5>ec;mhtWS>p8o}I#OVz0B(u!<5FdrlnEL?C}JM}rBgc%9y$PUb_T^-tP5X1u#S7K`g&8%(da zeHq(;GSBBK$h&0U*|hS$Y*%nG?NxA3dV6M-pj^Pwe>U8EHj&!woSDUybW#CEK+P*G z4$!@L(u4VDhGvyVAlB$4uPHXC86LUJtzqWI^L-^D6pBL6bT!%v)qWJj-4DC0nfE%I z^}1Si)-yU??R7Xmp5C?ezaLY{6yi155^&34v2;`P#^o4Gt)PazO{ zXzBGRVb3hQKk>A_um;I4oW$)Cw>y`Yc6HPF<*;v!$6Ab@_2lOc`?uuMO^jDdN{_9N zVwMOGRuPRYnAm;Y|(h=aJR>x!?w5#Di6~ zevmJ6BG!M^Z>pZ*K zz;>-0Ur{~F^Ihw%d)M66o=HBa;kEThO(snVG_dU$;A~E}dtT~U4He+y)Jb?JSUD%p zPhFyq*7pwa8uv{TnXAT!E(%YxYPIs+`PY1ToPGu!^lk)qYP;BSR(zdx?h)5&w7&TL z{C8w)n9!7=2Ws`ldPLyQN@amLRs#!cHq-Ulr^z`j7vAfcLOKQKJbG^t zRreZtY?=b}QG|4(PGP&{5wo)8yr;<2mq4e=Rm5`t+@$@oa^;jsc(`J;N|@Ut*Y;H@ zA_?P2s5c|=w5!wbPy1yObqo{ zcy_kX8ou3Yi)6qavI15umDZn3jnDDi^&h$F(?raB8*_5Kln5VK+Jd?$cl*MBcBD>?=VG=(# zUIdq}Cpv!#ty*t*Bv*NZsHB&>o;B_uUGGF{r*`+vl;FHq!lhR_6xRPntCsv~(^LQ* zhBcO9IE85Dim$F^I%c;dWKLb6zX@W~UiX?Dx#{!8{x9F_Cd(<>*{n)$}SnD=Gy zy7D{zIoA{M<&%q@%6Wyoe7#C*G_}>+PHI=b3ai@4DW%TgWJ1&~d06ymfyOa-?ZCt5 zqsPhj#cs1LIGcLpeC92HvqGb{`zkxht;`cWB}F4A=w?#2l@uZi#ZM2DoK>%F3@9Uc0KtnD0?_Fo1)Hsz#cjT6>%VmVam zv{Y7%!dUOp@aRXAe_rJB^1v6-ucPYvZpX{KO6=V>jt>> zH z>T-G<0zUfs!ZqT|3Hg?|YRY+L+zbB-r5~^FvFPg5)r=ecB$W0djmEVP#io|+C#4#- z?$9{AMC*QzFB+T-?|PAWYDppgta8pliu@f1;x%lCUwf*09s0KM%5Xobl?kEW@{?NZ z34Pe=+Mu(I=I9k{@Z;|heqL9=?kie(qfe|%#H~eD+e@$U+1ATAiWGx{%Mb#RA$9v9 zO67RGnWtZRnHF~H$7vV6u2RHLe~e@Xe6=c%B&^z5BW;tHxBry0cH(N?@P@b6QzHJ7#a3=N0s!2q-~fxD>$M|5@gDHu8+w54C`z2f`T zKvHOD|8OpQ!jMWGFI{L(pY zUw5p5K_7*G4EpTJxIfpG;lfC2Q1jGQtzg(L5oWu}Y*dlKDk4K6F@ zxgZBizfj}W6helHmlnL(WZtK2a;njLe;V}3%m4p3=rf3V;Dv4Y+m}z7Kvs~QY@1%zo6I&OS(m@R|CgjNP>cb1fj zt!YG0ws}LfRk${eg5Igd+PZzG7k7(Mq=a9@0_z21oV4j8>@bm!5CxK;Op@;_ zL|E^DipBh;v7gdu51OYt*Y$TvS>#x~T$i55yemH!PL43__w3Q`lRPk@|Ky(d>ARJC z4UAzT)(x*YPp!W$-a4LOBzpVu!|NNteq>iYpED6fHj&I9``u{XHMr;ZT*{Dsz;o`i zW0`;rHh!}9Cz~wVa*rNm7vbDVcHgZmAFQVXM%hCJr&wJbQJo;~L>VoS!jo<%51|X& zXP=dt^oWyJMEMgxjBf#q{U095C%aSP2E2=pIz^PYUM|6^2Slz)vr}C7P!|inL{`Pe zNyAmMPP3DklUiW|-fpHIpe+08wADY(0#00TY6;Gcp(C(2Ul}a-8ffty!P=$b;bSUa zTjLyTppeFhl#bhVvw2T7K}2`0)mt`A4^OmjaaPz>;0RabpNt2NOT>MFjO0%KrnH4FO+gP=7FVxlH z#$*Y=f5meRk^>D!-=JC8eACUHGkh)2{9qKZzj^C-MHcVt-yZm+lDa2M-y4wCx&Rx3uhP=_9WW$a6N4wLz za;XnXxn@wyc`t-jG1neoR=Y=LxD)8WqD1Z)gF)9BE$gyo56?@hyAlv}sBStc?UH40;^%Dr7OH#CRxv0>fppOOYdmieYV zD-Awt8z#G7${aUdc_wP6j8jNvOwbW)fzb<$Tb>=0$Lbq0q+~#L=^FDa_7lyAxl9V^ z+oa=7;$zKmW)-j5FmRE!dEnQBHWQ-BnnlfY0#d`y?oCCW(qeZP&F$tzoQ95kenrDh zcTX3>4Hhhm?pC51Dnr*=g|a@T$yC3b4t%eCf0rOdg#HwZ_$t0=c8V2=VP()tZDrn1 zC{7((GwZN=i_5BTo>TD61w4&55cKd^kQ_$mF;8m~LS0R_whLzW4|$!%K~1z85L(JY8Pzd5&UHC~{joTDGYZpbu8x zf41l#>;-yMIqRmrFKp&H(qB2{I6nU<(u&eBcjhD>{OwrRf~k0KmA|GnU_N0=cy@P< zino||kZEBN=gm5fu$dC^4>9pvTO$b@)H=;|u1 z1OAgfo0AP%Wa+LM+y+ASjiUFSiwv61Y*PRnX6;b z;rWBUfnJrS<xK_ZqylDBEYH$lkcx@~L8ZGoLYR#5mV~IwZvvv0 zX5vIUx+AYp7v%I!^tix;!rJ|>Bdtg9A4d0@pC__5*slM3!ZJi%tIdD`BuV{&23o{mB>#-5cq^JfOOEl*!XB9O+CCrg+MDA7! zo@_n7PKt?%3b{n}b_IUxNVv&o>dgEzWcjNAMRxGhhM5hsAozQYVWH(-H>FVFK$^!b z1DU{z*P3{z+w@`YfcaI5wY;B-m5b#D7gKszy{6nRqC&Y?S9gxQo!^FJX>Qw<=g1vKNilY^gKOnC0_nBz|lW)Ldr5d zkxUTce$>7iA(Hr5bM0hFJc7Q|W&9Gg8eTo7D9o?1;C?3~xQkeE|KYy!OfiPB=_{6l zp!%{?|A;g^Dfe7)%2>fpNzJUO{fx(GcuzxuOHpH{RDS9Nv%;srSsq(_4Y(~3@cKC1 z2c_I$vhQn7cCEps11Zr`@2`XBLFb<*Zo~Z9Fni+PbaLF`xDKxWr7%}eSm5Zq9#_X)9@h-Z}{?U+Q?f)bI zqeBGSBYHo8(rUHK*o?ga@#<`+1A@cxxTeN>e)4NSO2F2#Y^R{dgxoI4w~4|HMPMo< zG2Ii>#gMzSPI!o-a9=qJP#Jy3Pc44*L-Tf%P(v`1A|1SQWTYEKm7C_2BYa}BF)q3S z7oXeowp%|=TJ;RBHlOICKB9R{fAAa>P-Rx7^Lctzk&l0uzBNWks8vzm2-RWo``AZo zWmaDGm^2vX-c)o~%?%N&X>)DAKA)yW*M+9X(YvCQ)2b0q7%6 z`Pn;i#46PkFzyBGrs>!%)igwFMd}K*N4a7{!=|XCP?H4Ld1)(^yiBSMGb?RpLxj{+sL-= zKYIREFTk@*Pn0}%_~4Rt^k9yoVdwtUOVm_hP3);qt-0NU1-)g#7$uRLIge}8&(u5I zRjL^W#t#TyFRI-4`ZF`k+Qf*vLY~3^Em{hB1GO;Wz#~YZb134T63F}bE@`F5FWt8e zDm0a%P3UkK^CZGrTTgho)MY}g6y6c@_r(3j_`1Azo+HDn!AI36NZi8JV&;*tevQ|bi_p}N6Co(Q z+gj4R3kvtQY1;UOBj_kQp*=|M264)}z&1h2IwX);LjfKq$lrmlD)kHC?xrm}$5C%D zgI0Q)_8_njCFgo~87@=Cgd*f8m+Z~@<%u+i1;kPQ>IjxjNSwQw`J(nHlX}S`1U6jU&+10R!noe%x(ndGe4m=aQGH*#OuDZBd`LxHce`hj@aW9i8}?A22CQ)(>znPrte)--!0& zV~(Dppu2mRyRk>9I204>6ire+2MqT3QD?r?iSjM8Rt=Vxa2=mG4hrY_OdYr9tFQXl zEUlZ5%*L!+j$ zblxXD#mbZB#r8_a4OfG2C(W+nWz*}1?gQ2SO%Z)hdjxV021-wjRHn(6Te*>iC5EWE z;<$7GYU}zkcZGNoV;d`!=7hE}Cy|JqVM@=iaOJcXcREN{^ zk+9D{Km8zs4LTfwoh@qJ_xD^&w-&T`&VZnm+BbkBpvNG>|Km|*G4v{D|SKvX7TH^8{}A{v*% z8%SCA=0c}Q>^auQDWA|SE=41YxFpxQRp?ym z2g%{4J1>a#L#Zkj6jn5**pCUlqcYoHosv1j&ps?Vk@gQ?* zCbM+=Ng?897?cpNQ#6&96qEk6GKn+ieU&t&YkyZLnaM%Z`P)fz)m5OK@Yn0Ad zF%ndCiFxng*jQZK_CPboaG#avN_U=#Ul~6@8`*g$;v#r4#bRocXd?hu(;JZa)cE6g z8S5ZqpsSEc%VJ7kqO&7+j`AYmWj0RfRP5m;AlF4qmiODHgU@Sf7Ce}$nvXXMmmLcl zn;JpU^5x4DHM;>*J6&z2dXX3mja`JJB+%;eW$d*Jl9j#yZP?icE5(G8 zZQ7UJN+oAArE{Ck!Mhqyv{%aiI&x9&2DxrvWPUCYZQ|r+3fP|lDAJ9Rt}Gs-agt!9 zup%{-i~l@%oB>p>p-qQv@+_ux%_grNJsR@v%QSf_2~7V2HmzZYgV0UxvU^< zlHyzk1h`DwTIGQ7%!EMIBAxJ!qK6?&=|RA{(3j@hc$$6L(kR|fzcF2t7GaDZFVw$a zA5wg&9hz^e1|;S&m8TC$^vcB*iFk21p3s87s$R!%#s$T+sJ(l`qN`0`+#{`x$Q456 zK@kO$x(B>W;y$dha`4|&3t&G7NNa`1fCX}0j4{!#*Z0Y zf0D__&C;Z%pU{$pVPI$AZiHJrqB?l?S%=$zp;i$c(~%>PV&Js5kW;UHLW!;_+k%lw+`jt=e|vJ8 zXWFLeiCfW3ypDw8gign0|OPOTfc-Xt|5^dmv^*6$B1JD^omO6BxQxqqyORd9cum7Bdhgc zVhV|jlQ8~)viEmqV4gg^otyfR_JZwS^{p zi0rbvxYa(2(r*0*U!<&Q_8_^Sfx_jxj>ooSPkoVzILCd{Lv+T=qV8g$bFQurwhy1L z4yn%SoL3Hs-qGSDEe3@Q35(8z3)LsS&?P{p>~XDnMgK{{Q{+%|II`T;gLZFr&$y98 z6S!5nRVW{+4*jdi+3Wf-5H#{YsWSc`^3Cx)btJ5xW+a1uT&Ak|pMx}k=0$KWYLJ=c zA!3@Xl>m-D*jRME6Hh)mt?5bLKAS04a52>Jd8M@;rm7@#>z<9kv-M;9T98m@D=wHD+swzprro%4Z^Wp^)e_lk#MIs&2gkFm7Vx1}{ zpUPgs78Uzh)V5#?pKzVE_t*U%tm)7y4$DV+7WHoY-6C+Np?N%1zD$kAz&t{|9hUkPGy+!3O#G zXr&q`LTh!iQ`uIU4-=R|Xqe(@QzL_E!b~p@UzeuE77Il9$+aZkv?n-ix(deP+#qp( zXq`VyXC2c`#hten7|-$GWyqDJbbs4sbHGejq)b^lakDn26sA)68|@HNK51~aVO|O^ z@8dAsYcEt@#4VMHi*-cTzC**<>n#lF!B;!08^_xk<;Uq`DE!2Y##tkcZIO+`#B52Z zI3>O_o^QCB;^<~-rBRQUS`QaIXiVOE`cS?3>TGu#M_wb`nCS8TgNpPjXcNBF8;h*%#4+`WBJ3XT})0r}XlEalk7$7HFV9(&fRjx&D6Lry50 zj#}(@=k~A~I8eZ+OeVe2F9H*%u~M`jYrL{)DXzAk<-^q>t z$TP@yUzBNH zr)8E;=nF6)*)isP!g5?~F>_`!`|H@%c&4yoc_Y^fa@7^lZ>k(2Uh%L&`-`CU98aGJ z6Zz0w>D}ITk72T9bl%dT(vL*t1`uA& zldbAy>nGPvUJpT{@ShOn-N$Vlm_bw;8Vvq(>J;-=E9(m)=jI}W9GWcwYCOZoyX)hk zHOItjX$s$Gss5@@dl(g8ilXaU-30Hm^NK9qY8{j{RW1Bdoh&p?cu)!gA)=zH0o%h- zwOr~QFhAkBIORnwTuII3F{QmyG>F}z=P#BgJ7!q2)g;MvlC7RGd)RQ)3@%pAl={ff zjCCy{1BkX;hT2*d6;-Lu`x=wbRgVWaE<%xwU)6%0(SxeQsVn60c5TaaY!>)6Ic&6J zv0b=$EQ)B;fmg|C#ukeV1p7{i0$r@DO`5@0Hj@-3+id|2M6R&4$2_Gap7k&Bs7XY1 zk?UtV;1*CR=h&T&40$Ul$|{RI%oJLK%(<(MZ1$~#ORBw`AAOc}U%Dlz?%YVuHU~ti ztfCia5mUJ}IJpqHk{x>uWG|A;s-8jlsL|7L1zx0fy3xQ(n1CgIx|aD*tMs4B4Jg>e zJh0hVFdK1VbZfNkKT10Int;QENO7@H((;_I+T1<2CIfQL5W&MUcPcpWmZo9uJyX=3 zDe3%7EWfny_bg^z>gV}15Mf!~V+w1V^&b>G&aw%ff5l(`Qvwa_lXJZi*2WCz#6W|p z1PB+;r!`3$F!mRca^w8k+_l*oIc5t0PdVeJT^f1OtH-~!J;D-g3IXf|GRJ1GG(zXSe zRXc#&wo2-x_ty_Vo}nDk1Q$R->V}5&QdeJ!1@wQc84X;u{YhEf4}fGw{2w7NKyE{VY{+hD)P2{3e4?3Ol2S@obM)LvVZ zo?VgBzwz~4zSv~_02`qWg>rVhn2I2BQ-?t>cvfAsREvR{|Wr( zTOT&>Sdbmeqh{Vp?VNqENeOm#wrE~DXqU`mS-)3pa&^KDO+DWQv}Q-i6_tMuAk8>?kntt&Sq<}Cs6nHq zzXt>|t4aN-f>YIVUmI);%r>ZImX3i@>&!=a;bzK;N*LDd;@guEq_>`z(@m>P1DQ<9_)H#sybH119_7A6BEjt^Kp3=wfoRL5Yb(8(d)uR)C@ z?`4z1y_yO^ti?2_+cONNA}2&;vu%B5RtBcfiol+;7;?s8qv4=B1pMrFZe+Vi2Y<_8 zEtFxgDXLJ2w2K?O|NpQ6{^MnJ#e6D>PHFVV0(F~c_l-a!;X&yZ)sM+yE!f~b*t@vu z>sYT(c_bZhWVyaGHNKj*suKp*l4DT}_nggDDRdIn*8Ft`h}99e07@L9gaDuZwvgNG z3rU)zoE^%KPz>7OxTK>QPkO!pHW4h7KXMkm)|fxi|JYa$fR?kd^BSwmWNbmy; zz(Bj)V5XbE!=Me~s!^|9dK|R+B&X*&1-f2z@VJLJgv+C055}@Y zM9>qXgzA|)Xdln6K-Yal-{DQre(vBqrSbgDs}$)V%)P90SGlQ8+wm={6ggHe6>(Ae zylR6!B;2St4$%96!u<@)4m^THHxZDb1rHvf=@XaUg>!u{qx#MIb0b!gsEPB6<{HJR zC+Q_|vrdJlTGPZ>y77e^M-QODj8l!XY3<#tOD3+0UN=E*x~-y|MN642-}2sw%_!L` zK&h)%;d6Z2O=TJC&new#|-+Mj8 zKhzbG{-ROh;)*0tip0wdo$4p-BY*MJYt@QMk?r4Dct)m#tqsyj|( zmEODQK7XAMGB#t*T>}6OxLi9~nO=xo!e0m;Bkac(jW2_grhnJ2JL{8TF#7{w;-eVY zB!qu4pDt7fOcqyyS>bE4ouzq6ixo5^KEa^RTlbiUevcO0(y4yyz$#^1n`l?girD!I z$vjm!M0z;BldSFLsm|IfLJo5Cs^jxOeoa9pc zBZcUeW}$NXb+qHy1X+L@7P3mO`Wo3sezkWlO1K`(%0Z<_r^%Mz2@MK57ovMi-u&aJ zs+jOL>S9OXGb?v`IVZN-wVk=W+~{w`|Jm|^09jFeFt={8zNSyJR@%i)#M!0R0eoK4 zC=y7ASqWB~J+ski>|N-{xc$chjhz*KxH-g*v0tgC+jmXjK1)$k(~d7f?d3l;m}Ym@ z+0)|;YDTAVo3*Sia~4H)O9`KXT)y5#rr0=}qF&c-KUauO+|(mC_X$`?=yxsN(`bs| zy-jgq*2Zk}ba%jSxMI`3hTUKDO8f%TCTFZwybgFkmr;j}6^e|)6J7Vs?MUbjZub{; z+j+V2kR;>>s?%+Kl4Jyxm+(@-0Ftk_LU2mFyDE~$daH&AX?CNDFgW~w!_8Po{tw}1 z%6hyCRd&Z^@!e9o2G5ND12+r58~Y-Gg=QUgXL2C4l*v}l;UOszYxXwyBijqwvxNq@ zd#f&l8ZK5uP5qM=PV7$d=?U>egSVY$ENAE}fx$1Rzi@uJ*%0l~U`)oPPku}Yb-xi# zN)oIYaOEMJ+eExaVVw*Q*Ry2+B}wU4m=2JJIzL|=`>KeusJ-O5A=$=yO?5Tn_%Y@Hg@U1xBVF*5%9>7H(Wn8ZP z?9}G|8l{+ms-q4pP2OxTvE?>Lnm~=1InfTzMQ_Uh<3tvAYxrV7)ofJ-C-izWN9nFa z9jT286pzlZ=+%%+X}`OC^I!ToH>Xp2#qIji&(DS2(Vt8;* zJu<$fXuiDn=nFdfYHhmu&TXGu^zzh7(}ZuvvCU_)WCh|X^wOrt`6!<2s!@Tp4;9`p zr~@dhb`CR7IMp&`4m$r~2T^!m9?R+tqoDMq36qMHq%7$* z|Kg-#dw~g8zFVJKtUR4ECAn>GbkK{``cTD|R|{Z!n6#xpX=yF^=93bq@35;M*~7)|bzOTp`0H$iwG^g*{#ps5wNFZD`0LBS)j@?;i`A@5i_3veL?(skbDliw zP3K($L}09(sZAXC$JJbgV%6;abFQ1u9x}zpeV9yGviN`m zTQu+?M^x=QoA?fWxy@nIaGokP(L6)8jb-tp?-6i9+aFn(6Oy5C0_@CnxqI$|XYiF$ zGlr4)9F!$HXqg*p;;hQ)PX&=51=%y=wUKI;1+q|hE?3L1Hi?iI)?&m8ep? ze8FS5&J=I(Ga+o!m*Rpza~+1)s-}0UpXNOEdD-*pK5lUzZ7?t@2ws3o#(j6bs!N_Z z5FL6^4{uY>e7c8-w3l8>Ddgx4=S?$8_qfs+v`Z*%2o;_IyA0NCrcqHi*8)KAxwWS8 zd|gz|nyL>+4TTe&Llt(L>O61Q#L2<;xe9Ld%bTLyU)V;E{yZBHz2ok^ZJ}GVtXVV# zw;%mFCUjzHFg>iQUd5Xo>MMe4pV|6%KJxZ9{A}HHabL?ZPW9E;G3|8sHxEo9L~ld& zJ=MFaDg0{Il13?cNc}QdNhBG~Pup0t+`(LuX$DTiM2FA1b#Xe*1H_X~1KdQG`&PhE zQ=-Y^P=Uv0ShbD_b8o+)swP(|yth9=qQ%{`zt0IUd45G~6#;>WGa0_%8hS4Yhb5W- z7{#7k`P*hwY8JcL&1iX!X9FxT-(l{OS32h`QYG1uBSYbpacWk?ZpR5AJ$s3b7Yjb< ziqnF*#wNn+S>cm6h>GAm*54NdjQ^Ma2`Pg1o?q*;T*vA$CBdpdH;)6{3+U(AEVgrq z&;ch1+inhrX5j)~kk6vApM z`!TI5?p}K|vSH!B@^k;BC6Tm$pcMia#!QXA2?tc78 zqxrH6``~G^)wfgu%2cn*rk7Ya-|y0;0FogwH1fja>up{;UZsu`oH6{M$+K4YW-bJ> zn7^tVHOJWgmZq!0OXj=w^FYkUt8ilLmN*~Fxm=YpxXFG_%2#W$`@_Ar=a9=GKh$(4Subi@Ztt?sa5PscteU2sGVG@BN>_cY59b;z4C&*K@`bK{ zC7WetB7e4biD?Ji4NT84cXc;Oz&RiIS&!J_g8nG=Ikb3(*{COOb-T=Zk%bOjtB$qGZ z(90>h5{VBS(hi2PMkMon!<`Q)Z>&C;m@!matji0#K9psB7uYVTtUVo~JfhFS@sanw zFv-Ku?4eb|!(sLv5?GPgyzg8;daeUy|FCpK9>@H9P*S^;Q|M84r>)D)Qxj9-}R7+Bre%CabaG&!nU^uCm4lC9uxbskYqJm%zo|8@s%tBe;t>#m;5=b)CBw_S^YC)`a=@Oj9l-)1NN z<@Cgdw!v`3q59`%w=%6(MfrMe*ER)8SL+&D8ZY15yDk39JryiQ&9KP4kRjJrh!~3Y zGtrm@Sc6Q6ZYL85`G}titA}?zse>%2xpG;)L5DAQl(x^KNg8GbaC{qPykv$?D~Z}S zKNL=%9DKdsHoJ58GGXl?Nz=`#G#jIt{~-4c9xnIj>BZO4@Ap-b;?OTNp{G#JLy zPU+f4>0Z9{+CT>d#(e8LkdWh-2ih4Ad-!h+HpyYt?aH;8=RySMm&$d_x#sB3V+q zMyvH}#4bum?Wy*Wg1vZ);5sU^E!>Tj^!)snbb1GU?;h`?PB9J|z!Ra_vJmdD~ z%~@!}@dUQ?)P}%9&G0Qc1RK-hx*xL z$qr?2!4sw0@mrEh!fj*D5<lKaxP) zzE>$ET>C@?fZJ|#2b5kDi(kGZmb49wnla41?pG$E1sBlyo6$)vygNh&KcI_$kokhR zggl?3(_ViFfT?VK%+Mh1;@4zXFLo$rx_|Vzg^r3V&WER%_0ej|Mo^znLw}E6Rl@lF zG1}8;B4ypn;Pgo!N`1Vhl~pxXZBvhpH>K*K{BsSiE`cJko-Z2MeqfWk%T1Nd^B=f# zL`LqD3gvzLo`=9!DA}!)3)#>H#|bz-fbu8x zdFXFZAJ`z+s4S`;!B%+8C)pnVVA%kB03%DFui7PjWthxk-a)6zY9F?)Guu{hmwOnt z7nJTviEVwSk<9%Wf3dn)E2(U~Us6F2bmYfvH46XXyNE?Wkup~69S0&q?J}z%8f*}j zH#QDkz4};^;jYDIZ3h>NUKX`R#SF){6f8sLcqx247Xf0JYg)4dKX|xhO5E3acd-p<5R}IK?q3?4`*EnGD$W+$u$GH8tI98z#iN2_5jwLNHH*VM7nh`@~`eoHKlb+-69%(As zG)n|O$C60kL(SKOlydA}Yw#&an_K!JWeK{r;LvpN8%qJKw|E)kqkG;^9(It^Cti@( zr9bPHbXyD7@|G~Rdp8Xh!qR=OS_NV5oPN1{oNdl=K-6vPHvTm#^bclz03KDr%F*;< z2B`CP!98)dQ~Xdda3_Os2)UN~&4Ba0=$YA(W@q@@ZxgDT8geZ@ht8(dJa4QjL6ys} zpXOHO&JQCZ*SFx+mYT4-SWIU#Sf=H1nHKdcVNmtxX`=|FSsP`S8BQ)?s{|+h;0v|N zO*PsruJ|luRZ~=(Qx_pv?z306_mqoDbZ~oQ5sH(}N;jhudAn=fXgRfLN1`Km9eG2` z^%Czo;4k^N1^w+30H>}Fpmb;HTCllsMD(jD1%ksxfDEwiQQbYk3`*B6v}zBO`%Bx= z1fI24X~U3ZR~@CQs!46S%STjPqqUI(JPR#~+b*%}`*V?ju#8JOA#nlPqP-BCw=F&- zn9ed;e3x4tNe1uJLqzan$M_wt+vRTiX%3^yuR`krY25Af3mfa~e7Cm}?6N-b3ZS$* zR4jjy`SEvhelkX~rcV|$B3sj3%Ee1(j+C|66Lb=LvCo1z8S3qD(E3=}LfZ(41M&1z zIHafp9lFplpPmJG3fWKF1|=*|cbVc{qL`r@fvmz8i3#E4C&cnjZ;8RAuOq&+tH?Ep zt>tpRVC1G<8%gP^?d3&(T`G-YjifeZ2Yj2qV%^7>JvHo zG3}D7_S1-1+QXyTBPW{xI`n+EecLy@3pT}7i^jR*{a63igA-yK#T@V~8nwIl&aBd< zzjopmf67g$YwQ`Ha_}(w4W>}I_j>n7=%dtqc>BIXy(jrZy&39N&Ke+HbPKh^`N`k* z?K^hUd4UdXXfA%j_)Xx?i`5_v{z67W;gm#_mF!>DaJPtY?CyNEDU^g~Z`tMof9lXI ziyetRzss-Z;X`Pvai*k1hI~)x(#Y3{k;&=f^B)Z1Y__Ud;C@pO{=hdt$7!w_8;x`7 zIADA;Q2Z>SVVZ!Np%u3l<$ajl*TuzQ&c|U<@V%&F^2g*&zluRR)i%V(#F2l5N1Zn% zD;lfBbpMtll?eJ1YQP9fJ;$xs)OFzxca3lR@tA2zlJxJdG|pSBzK??5VIe|Irh9(d zUGyHLf~_G=4scTm3+~0Pz6os@I%{+9qGXxsdcvs&<)25C{3j1D8 zVRmRi5(KeDhhh~GnDD3A9l!jjcY-Z&F=l5Rf--^kip=JW8=`;mE&Ia&A`|?zXk|My z;g4`DbT@Wyo>Yt%4v!a}ByeT8^!iZQmmB{6{@;lXpha#y@rjq`q%Ot~l(_Bn35UZ+ zRzhBO1$@4E$NRu=qx;wOG}n`e_{4j&(f!556jfyyx~!t!JU`2@``GohY^tT5xqvCd zK+!5!fa-%MzYFK3u^G7NHbG^GUrlgZ1%p-*arjT+({MSBb8orP)BOrdghY7ET5)0C zctKs3@Ra>0e`& z{>KjgU+Hm{2VT+L&H}AW;HAbFQHLy76>FdaHK4}b9)awZ%uf!A+^i+;ZwT&Ja4pMB zUf?v;LmJ3l-84L#JiQJvOb0&Mqy2t+_u0^-3iM~zs=Ky>+qPC4MF)GKWn>>r*H**~ z)cGTO?FbG>`KH%+4eUWwFci%m#znYJz$nEb51wzp7*QLBQ~pqiprwhl1Dwi{0Da-7 z&3o%r8*R>yzTc-f9v==S@}hB4X{(^?{z$$i_qtlk8*!jpZpU#UcyPD;XWy1hYol8# z-;VQc(VybWZbvFYvsyi0#shm5-=A(wTIAUK=8DQ8vJU-XAC)O+6fQK?ue2P9x=qj{ zlXa1wEFg}kT$gc7ki_>|!=ABj+W{62(h~6FhDY&9RJx(HzLk?T6^c~aT#LX3P}~+} zOg!w`^oVakA-INo3cZ{jG1n?oQD}Ap%fC_FiR7kD!IF6EFhzb zgw*uskhi056P$_6t4jCSGPMZoJ7q}n3`{j*C91a|CgIRO#z==p=ti@l{jWbOBE}Oq zJ?fv8O9o^?j^wTH8_qjimxH+@M6`ypp~03C?AZUX0NAyVtd!7#fa^fSC@K80G!)J? zloT}Z8_OM1(ullNZ#b%Ue>#6JUf+28?9|w%udlLP^iAE(oWkCDy2)Bmm2!xaQ+FMm z-JmMT`jL;|jBh@XU3`Of(>fxmf@+X|Q||AwF!=Y|0xwUzfl4N-WdnQ_)(6hY#YI6Z*<2>-Qy5>>lA^yHiVtk0YIH z_3TRM+djO`eeNbe=X{WV_fs87r61(k8`HUNGj@oCBD!wq7(+*rFcZA^3&xd>I{hH< z4;eVmU40qf-kOa4J|#pR2a+wd4?&eBlQ;CzNK*k7ZDac+M2`@sqzJPSWW&zP>&K7A zxj^~Xht~2=a%nDv1H!!czN%`<4DgIi=XYpAQ-nH29!XayT{vmNX{`CpD=rI?3{C9$ z=kJEG-B-3ZS4bKT8jl{V*8cg8y+fxIBs{WNuCZw)@)oB@CU)CyEeml;_xa(bWW>HC z@qae>lkwE2|r87R&An(3K5bR;>=Tok(`=ZhE7PgOY|y zh$*}&-6wurMv{0C^8_OM)I37B&5Pmj8c!f&MLQkHLnc1@GUJeiZK|6eC zY|G4t9Lab_*Bi58q5wg>j{&KL`p{b)sI>ZIh{ zoBKSb90T$J>^vxQtVWt&2jzjZhcLvn(}ZKq3@jZ~9avK4(5G2Au;V1PNz``NGR2W9 z&R@)OB_4Bib)f$`H*`qD5pWX0fdRxIznV_0yLNfa4H7oQ-)A{rSvBv}%g(>4{WnSf z0|Z;!>4KW{T2`NQ^1y6V9%}k_J|`+fbkI5|xdM;|55j-qDnS4s(K9WlB>yBJ&*<5+PpNsh zzMERJIFp9!%Y%)&Lc@Up)Nb0~g0i=F=dC zU1#O<=sBHcZ0g6i1NPt4yQY@CzX!D7u0(%(6d)r+8`YQ9{#k@}_7|{PRlqialr{dE zl+N^h7$k}kkH|KN0g$&YMobmKlyb}gmj!yO2=xw0SoYj6vg6jf3=fboNqrJ@G8Av| zO#tYVl9Mi|mmV_@`&XF*gyqv8ucb%}hu%qw5N$m-*Jmb0WsB&O`X!>WFNmcto)wl} ze}5rrg$>>aZ1?+;$#uN8d0#G3#RIf$uPOl(K+0I{;K~LWq6j+(Cu1ek)Le_vre!C8u;U~0(gG!?eJQDvSPLD zfvCy~ZFtj~W8v6O+n{4rSA(vh*L&Z+u;SHMcr0rmP>Rb~z5}9vias$%iKW~_o27Km zJIMW0GQJ*&z=Bxme{cEwOJIEfbd)i>s&0Lti_ zo>q=N*!`l4*YXoJ1}*N+RE_!lvmo1#=#=)6Sb))F^V{*xUDu4(fyeh57b)9;b?_@P z%vcF;R@UF|xO}fdDj;Jm+}Wh)c$|hMc2GRPe~5aw^aaN7Hw)h@SaPZ1+3UTOw1nRa zvWNp|m#y`(Li-0G@7wP?jq790bdePas%gNJPu7hZ7|5?~9pP^|7AP-7f9k^$9Ih`Jfqz%K(MBnIdeW(qpBkA? zu#GDdPmI9_16~*;vnYfipE7mDF!T8cYx+iyxQB&9PXOc+`LKW#!*e}XiF|^p-ZmU^ zJwjv3e(%StYkFl@KT>T|n&+${e&R33GOAu~RJ{QHw;c%sB7Iyvi+ddG0)Hq&hr__@ zs`8fbzVvwh3j&`Im#svS5e56L+R=JaR?n@k1{o@fCnrbpH*x8%h_TZzxz}4s($eH7 zm8Wf01}LidU%wnRItWNb46sd1rzx6 z;+S+P?}Bw+p0s_SwRR<3XnU|0Xo*)t)(cj|A~75-}8sC$F&Z_r)MK5CCd;6 z-pZJWbkPe%`7uQo);F3W0E@gMb>NL!>J0Fr^XplBL|jsBP zTy)zHAOC!?g;wH-r=snM3hB`)^$3NI8%54c>;Shyqz>Lc`^s4;y-4&t=B=8qyl6dD zo|ZyfuG^~1kNkjWRdT~ce}W#^vWcT^^!Ao);Ujgp(R8MH^O%#9QNYc1JzE<#01MLB zchw7!mmY2-dN+>zsUwshyVxOwzvc?qd*5vVyfJ|Ef2gqf(}b;6DS_|PkG?aa1RTKu z{X&<@75OM>#}!!OXHfod*l}-a_>p+}3=js+F>9rwD%QHlm%V&Lc?M|teXPO1RsyB< zR<*%sF&ubbp2%~38^NJ(dJ!13^qcW-VNsS)Z1DOsl_$rAztvZcJ=XXYW=2CCZlvea z;9`iynC3(-!~Kg>Plg}B=PJM38cxFS?mfj@cfD~`gyeIy>SXXqkn-7h-bhzX#;vH# z9z#Oq{OrM(tNm#Y=wf2gH=*C36ppp1X{Ocg$CX!;^ULb9mo1bGgKFzR=F+;>?YdO) zsu>H60PtjP%;{SVc(M`yUlg4G7`%b1@TUOvOOwI$vw<2F%k|Ifz3(#&0}}jCcQu;a z91Gh&+E1$gzUkO9p7cgzyKuKhl_9z+K2m2}R&?f6kKEslb)kZRU$v%@pEiPd^gqts zgjWJ}yRo2Uv#L-DDQ%k()e-G9j@A0g=Q<0*6r;TmHW~%!BHaII#&@N zzx4rS@lpMbP0K>ks?8B=(03TQ^vVL&3Wzj3`DSC*o6j*`cLo?92JcnCII4m1@XL^B z!ozB~LuPH^ViW$On%|RYgEG19ruJ&BnQARd#sv5RF#YDa%vLj`LVjBnTM(yKAa}Q$ zQoj<|o2=Y7Ng+JFUYZ_^)Q{*o($L3hi5&*yS>OU(0)ET>rmI^RS`8CA;}|;4T5}+i zG~GYTZrDgMsnshmm^&O~hS=LjHaWvx2mFPRMsw3uBX)hy1smi_8uy>NUp3*cD(|`b zZmzlqG;1t+-WkGi&tg!{rl%91gBrSf7iJ}i(4g-hJ4O3{=jHzms}6tMNXNk^X%qAY zZytrucp?Ov61oeN10$+)LrEFuh zxJY-UHh$3EcUw1M(=!Op157j7hw?6>_c`uFAG_>@)mZiyT6c(6haiJzt1Jy?E$U3K zC)e84O^iLiA^Xl3;W{K%Ix8Q^cyv3%Yq#nMHw%#+1XJY3F(w`qa%+2qwL&hF7?WB0 zt1Cn${~xgD|7m4@2Ge~2zD~7!eDIfFW=@_}uSHj_K#IvZwW5&6oXsC z1X>67DL;g5+&;yzt266oTyorT`ShN9_lk-ZQf4(TaFH|EXZ?0nPFV;Z@It-f>i}U; zyesj6;@<^C_PeE{s3FNV{;q^G{-MuilW!V1?+lqzofPMcohrh3%LbV!R0`CsD!1VIqgu!QZ>TjNHVaLe;p=u(dy-DaHN_Mzf83z zZg&#_?6B96AXxGg5xqtcU9F7;@f?M4?g6&n;5#CX)C8>>MGCF2N%yN~dW(w&o)=Ef zm{&nAA0BB%JX{4jj7x-p==)^#6-%L?voFo-d;Nj?sxv48dJ7krZ{s;@3?oj657Put zO8YD#%g_Hs3;CbF_-}!v01f@&YQ>t_AM#Z%AoS?ERWBAo{-%89#bW~)N~7Ho=PyOz zLK{rWhN{W3{4r<+EDglCqsVvpVb*GQpm2SraVz*OwT&kpeiRgsM0%L^FzfMANyo2u zSk5wTnv}ifp%jg@VGxF=h9@Uut_Vof7FzR3uy`RqVj_1!^3nB@kf|>JQNTH-{)dzo z#o`xZwQ%$I^4h*4BpKvpBg?th<((vCCnxzqT*szqFZ-1~eehVgr`s|7?$giU_aRt- zM$qu7@(cSTK`(YuQ0<%CluP;MPQ9g?Yki;}dLI4u`8nC|nk7-yy^+JeZzr*Pv}G?v-ngzWL(dkDYZ7XM!<t7ZQu9 z)~YitsV*n4X8*ZBq%4rOMKKG^*)SuL%9js+KnB=)63&~3<24IVQTv^tI*{%^&x4x2 z7veii+zHsCu=D2@1^X2)zx+p0p(6Mj5ZS$>fNRDyLi-MXEWf2p=t*cCutMQ^1iwKL zrdUX^uPdTQp4|-6ss#Dyc?$VeN?wUnOHSoX?6@vKqvGf!{M@UgFnx-p>XDIk;W~8M z%Mp*BO+>0*;X=$wJ^p}g`b)Ze;^s#ZRj5N~SDcv=IbaxL8Lk%@E)c@js_TJC-dG~%l@f$wP zT-SLXv5s}DC8clRZi?K6@misXsov{!f8SLo>p$bKhoSR%xOQSSs}|RAjH0uuUyof+ zzvB({Pxd$(3(y2we^|sfec&4O?7rUYpHk= ze0u*M?c7M9P0BBEt!lrznSA)F~thWmzMr; zVf?tRY>-Sbm?jnlLW=u0n=4cIuMGMD0@ZhXRdL zrE7c|5<5zsoo196n3AXA3m$=GI?-{)M&x5@bXgHGhcDGZ{PoeGsJO-04~wyL0w5&3 zV8X)N5s#!Jt*+kBk^ilEnVd6cUNo^lx1pn|qIY)u@N~(dUChk2fKAId_{#;N(euJm z@ss<%TMzxGcQAh6+wVlvt`e&|_tFjqJ}5A-YowI(ucGYpT4QP+WQX_u&o z)I|6Je@o{f{OSNag9lJtBHqAS6&wR7zvU>-$q0_)6LhPj5K?kryV~osT zXx{eT$hx?R>?5O0I3lYuwVz;szJMoYGcfQ4DP$yT?p43^iWmjr*Ac5H#1p+Xo}b!~ z_?QW9I{YLTo)yc?(`PYU=dxMx)?F#J{bkslRC5wkPXURT&i&HkiU8zeDBim+A(!Fd zY?#1$DP6UDW`^p=zU7<~=Hm5sl|*%F#Lss8;kwa_&1gKgX|WayVn|Cp!R?!-E|(9R zWWt{@rCD%9YC-8jW@3V3*LW9NUk4|t`O4rSvTHAR`h6vmt)c&rheut01}!1zzSF+W z(y;NL)+YYgcX|Wpz{N@{Q&)&5N47kNx7KT| zFEge2C`i!A6S0$u0iN5i97FtfgU`JjTx+2CZuc;+y|yzbdlWv5`^%%VOz;&ybcmH) zpt3Hw-HFhdN2m;Sj1)l53N9->+H^i8TGc}$tQr&qEttH8Adunlr zGIQeBdrLSSmt!n%dqUqzl6p9)vni!0zostyOI!hTXhvjbAm<4Oi@V>m|7D!46$My~ z0wXMCVHj9m1V)d~&NIcGvM$Y}sMGndZJZ6TgDR1|38krqgc@-)@gJypI~P2zcoMkK z;@bHOc2yWDx7p5mr!s{m^y>z?OB0LYscb`%+P^X!>T~KF`Iq}CpE@U;560wb_EPVP z%x#YsC$x8}{(GqS_b%{X5Bes4tlz{Bx{{GU*cho5xWF}QKLvVhXEP=fbKXE_ShQv)tr(G zGab8EB-e6>kf8>(P;pBPM$2?zB4JK)7KrZpt^sWKrhK2C+2QEjBHVptXq9 z$7EVxE!S=k$*kaswx6ULS`F|KmM}y85`n+e&`}^q?g>hEG532%zf^U5pnAXnCnVQe z3)w4=iRc{rvEHRuU_Uhyp7Xf^Y1JtN%tul$Z}Wh!#t>;6ub2)O~Jj| z96yj#!q$@~GwNe@tgi;r8q9h|OgniQK}IF}U4d@@OC3oECWe=j7) zDQl6MvaYaupiYTU!8tX1u%)~Zy^WhatYB*#+-$hyPi>&v& zQ)^X~JSsafr3W1>F(hA^J#<4x@8o{DPy$VZ@%Ux}!zgj9>eBke-)BVQdlBtDVa+w9 z+6-jSK0a3Uv3qeB9KJ9_H`NO|TFude>r3|sbl%DMrqKsx4X5D>WTF|**FbUk3s=ec zTXXc_@gAvkDi%>L3r&2(_1gKw+Ucl$ap7W`htK^{;(kM13gy5~sg_pGpHH2)UFCSX)e)#53

        8uM3Ouo5PbXP*>?{1Fp_YQ z-5h%}P;d-8dkfarmbXBb!w#{NNtqd$bl)TiWT_Q+tgnzH-<{+uiVyUi)M=rEu$OM<7pZSDQn^Kh2DawvU z=Uf@q`(H?8mES>(>4b6h0Ay$#r?ct$f1l7lSe^g(PpSaJCsh%-;sG+( z-9NAX9RT8>mLBq?;s{Ii*$9N^;hZNkRI6#jnlhJ-2P%m;KD(l#jX~)-D@biG44SBXV?1%tTed2p^JOW#S<9 zbir%wVP(;~L!@9^`PG39OEW%JGPMgIkbu@=2Qrz2{WSV1khjM>$&?b0u_K!`BKr)W zBIk@as$-))Qdd*-A*$M^aZ@wH1cDNkS%UM-RfgLg;hn`4?%KdErs1Y2P)JFp=DVBP z^__H0XKqEl*U@gw+Sa@lKcB8EnqVHze#I#AV730}yN zJwnwb`WR^Arh#2YlQ-sUpXJ!ns(W4h<1bElA!{eqch7+#c!;tkdMzfY+GkJz%MaJL zxrk>iA@3AT3evoEb+iK7?;FQ(K9TXiyhYpHIv5y|s{$jND)yTa%-G|3%Zqc8REm32 z+%YZ`=L6>x#k=H?r6#v1)`^BhR@T7=^SDJF$6Q-aivySc+@++_12+n2NLS;9V*ZB! z@{b_X()KR($JaB}-vjv02f;Oj)GaxgZ;s(=S&-v0VuE`k+O6%FT6O_!K@RuQcdt7^ zWvdDz(_CF-@{tHJ-p7xvS{p6TA+!CH*6+v~gszNtgbPb9(Pt@|%O|H<)r#e_g7fADZ#3C^ ztrx@tJ`D<8M?CZ}^}Pf{N~#tFEHtZ?BFw0rQMPXGtL0p+;r`V6yH0bEg>Lr=B3#@X z@{5$n`M1kMoa^Ew)*^M?X#j(4cw_m=t9Zms_5Q5|PL8JzjiKkO4e(t#0zZokG?!oAwUVOqL!>gto%*UF}KWjM0fW;*Dh>?*!evs-FQZ})MJ0< zQl%T=T5<8VlD23M?4kgNFF~8ZAnX)e>qi7@%a6E9aE?cMzn4jz0`*-NsNs2ktFn@( zgPEsY4@ig6k`PY2nv*ia_4#2>U?`>{$d3wrIF8xOP<}ApDfF$`?v)gjz*V9a)=nSh z@GJ1U@#VW8$opIspE~65#^`^F5AxNUPP2wt)8fT&IAjpwcpaO8xQ1>eTgM>2v8?!u zLU4<=m4xQsYHb-Q2(2lcj~I6;dv*+e{IC*E(+GTtHT^KT9YdUkm}P^b#xzF&RPnwq zadQdV4$CRUwRN0Xm)NC$#ZgtM;t0CLB6pFQrdd||Pwh+Qk#j|XwF_;TBig%O6OJXt zRfC;wX6Y)sfOLx?@4RP9Cf=^&rfeP|Gt2+mDbgN zrtw@Y+zX(Ps6xSm?Xh>GzFcZ)Q0dSU^}zz+bV8)yXS*4Z$^5oCSNA<^V*~t`{Ph_` zA}~STAM+o3$?{9;d}7-Q?4`6_;tN*>j1)y2f)6Tx`z0Z{IjKaL>24)hY9od%gpZd& z#v26rFY*;D!&z-)gL`>p$i+JXpJm^{!|flnyY~VU&|*+XahnYGZq+ADgm(CEwa_Tg zk(oON*`*L`-r?Ugk?zuA^5L>)P~)(2R`-)6RndB2U=onr__ZY1t6=IMQ8Hcl&iz;h zOWyx%`)>-O+P$rv-PTEJ7M-Mp`=-IYcMB}_nReaNi)sxM;E}|+KVLeg&!Z3@c_8p9 z!szOP3XVpP{*TT;TGEQ0mrp8qAqgzzbmAcA8&8#Km&Y{GaQ-FnVFRX;R@P`?x8S2=PskR;q#Vry0YmI4#E!MMI9*pMYaj8F1?kfhN<2S4z~ zZ_Qcq-kkG%FGZO1{%R^4t*T5ehXz=gFqoQ!?2fd*m6jZt6cH1i8T2NMoIcDtcp+Tj*tI}5Q*TxZ8S{X5c?~NPp9Xe z_eaZqfYXn4&u#uKnpqUw-_2QsmxMHw106=CsG$S>9@eQu`NZ&Z6x~jmkOgt#VsHbi81qHgn(DWHFaEp0c!H(6D;_CAa8kJ;;>^LOU~{|h^)9I{`YK`1#Q!_h zAvv$9jzfB4#!u0~inNji0QUFdlNixfCs%nhO!7O-Vqc$>YD~OcsS<$eB9kVHOnx7v zuvhoJn%IJ6v~g8{5uw!!?A*6XRPN!0((b6fR^(iaJ7T~euxZM4+|VXCd>_f3f-*i~ zF7S}mFxuI#^{NSV-ILU=RmH1EwOLP(dQUmVHlB9QPP{;Tb6PWQ4C;@SDoZsVj84#z z(bOA7qkb@?I7W}>ygnTa^W;Yu^0Do?I-Pu7h*G0dBFZcu(brZ=9w`)dOG9G_P4r5B zMws^vh?dxjRQ9tb5B|F~?Z4U_J}kV)-ub7R$TnD;{huXe6oL0a$og+WVD4&*&E7!o z8-wEoe;mk~<$tu<@%)?M^H%&uzV~+s2=E-HmU3{;QN#Z3$0jugvb$U0LHBsk2N}s~ z_QymBq7EgY@&39^duB#1*mav;Ra(NbCQ)o$t$TDN|4AS-n>a59XzD4a(+9O>wDgA4 zmA;IKDGN)oGU2_;6z5#p!u!xMlGur2Az`;IT}~(9BJ?olOh^smO;I~pj_m}?m(|ee zjKTb<6$^x>QW>({qd;%ca}A_9_s&P9b^D#2 zRdB6zKH*TZQEl*`4H<_9p}>CQOv`t=nvk6}oOKRN-H%uYf!}Ir`pdY%j_t zX9hSJ6ygg)KuT z3M3LnE^16R+fTQAWvfm|C}wYzfe3_8qsoF8&layuPj)76=&bFhi*CFYBQ>butUS(I zY2mYo&}+-|%fl|q`l}#MwPtFjFn^ElUYGrPUPn|E*IT~Mm*@Ll6Q561i>wkRxJ-QR zp4i6-SYbkz&LD*w0AJ{rG5PCKh((bB&VF^yr42&x6lno2QVotq_=55KQL$Bwlo}h# z8B!F|R|Co1U0NkGJu|>aBEh<%>5bJdF~-j`bo&J*&`=Rk|D=Zrck0#H6Qt+(*WYOO zn5XQ5;%x_;Ztw2cGy&|Fg$4YDW|VFBUtJ^BqcNmZE?e zX-Y;Gu~(|>9*}EuEtMzl*37F(8it&&a#J9ez*P>V{MQH$$#t^6ICP_~N4u4x*XNDL z^uug#FuT=@E5et~7bZM=k@rr4K*M zC!V6u&=CVYL00h_KW?8^btO|81L{jIHT&fN)1CP5!ua;-G<$|k}3?-Ej=`7`{%vHq{;3Zkj?@g3HW#)7ezFy z7qosYir~G>Q?4(znuSoz+J&-Po_sFasOMfN1bv=H*@%>#HMtL7@h*Q%5CYr1OQp9N zTvcg;qn&izx?b(OtH(Wys9A8|5uW|r`!TBrSjOGz?Y^6LzxEcr_N8kX0axC2iv>6( zLn_5%d2LF;i;d)^-%>@Zt3}TCqjL`&9jd@r+Ez_v?>r4jn=Li74Q}tuu2}Xm_H>il z(ZTAc%QuX4RC!@l08uH>x3bS@#B3t7OxI!I=hKL^Y+6g*F`G}c-dWdDtZ`OkxNf^M z#RetV^m722xsrM#k%O1@<43Y)u2bFmy==jD)^{a-A8-q_bHYxVme?#B#1u#9p7H#) zti`sQ`I!R=$rS649oO?Dp2v4v4SXBm%1B7RGYuquR#j9t$P4UKTs!^w@<3ev{NaSI zVADXw%2aPj<5Q?!F~#q6UOf*pu9TaBO*tom;=~7Y_Tt-aBEOebb8iWk-dU|tNA^cV zAqQ3Ot~dg?6~?Xj-x$<6mfv{pY2K06PjQjwOdyhRmG)clQ?`q{C~ig%$k@#rj)oR0 zcV%RT`Od3f^YTQT{*pC$no%e(awZOlD0-LnT6{lGV*hb4AY2eRp5Gz$+x~fqn^H14 z9eIvMh{w4{{b{x!0+`{xS-?>cIz8wk8c+Lx2^n{zUxF zBZ6;aU|lV;s=lqe?>@DE?-;d9Eck6Pm7U53<>cf@7TEsoXZ>VeX6-G|<=xX?GttAY zeJ$$YJ2&-6oE`*>cU$ForFTXW;V%a%E5U=VMB}nLz^E(Z-7)|88?$p>_L5Z5#{AwJ^M%x)FD&&(66&S z!P&aq8Ld!43aWY|Ky_eo__P7&XeJ)r@zT1A6P|TFYi`T-rMfnsC^Q3j84D9;)!BX- zz2YBN5P{)?05(B<(S1W;aJ3u9Hn23D8h+SDT00$Bav3(OS)Ltg)wThe5(kW4MX!$S zrw(oI?08&hJ~gDRf0R6X^r&qnY}VTB+)ww`wBy0(y_8uir$w7Zz`9Qd$4D%*@O0Sh z)&=VFOtf(Jjt4`yEnul$s;nTCt)dC6o7Fd>Pu=dKk(n!D0el|3V70lT-K`D15Uv6K z^2nk_wS=j`*so^_w8A%?ngLUn?ICJN*lB*4_Uw|PiTMb4U>&;Dfa2RAy+p6O`-@+% z_5@vezERcJTt0#XxC4`YdLn`bw6J*01BpuG7&F52XvvmdQf;Dx7cq;$_&B>@t4UKT zr&p9{1Rl@&I4@iPU(~3%Mj1@$OM{+^L{7v#I#}>LyIs$S;P@RDJZn?#N9D9i_Y-Vc z(6e7!ik$ePU9`IrjyozDSPQe!|NdC(){4YkHU^Ul~N9g1&c0)%Qi%eMZJR3>6~< zH~S07Np}tqdp!RwNgatRa#B+~&um`uk5v!B{brXWl$JvEQ=soFrsq14%6FLeP84oJghVvBUGBd|=ldshV(7M(Z~`|w zxJtSR{hg*bsSmZ(+}28d$9N%r_0n`%h*>uv;CO|@$PQ?C|3J6AK9!(THUBN2cKjLM zAFrH##}V33F(}O301y^cn*CLCmMeU*oVPeVLccg{i?|^ox+R%BKA!D67FXg*Q*Eq> z7Xn!VtuJi_^dZv#vy?5utb}@qLX{|w4X{6$%ElIg?1Ilk?v?zcCIwl8-*_z##T1 z2xImD9pszpqV=qZIaKyRKl5DyJ|(SK%Wo`TIgkVnqEuZNW*~nA+Yl?2-B9H$vNOyf zSEZLQdSzU%!mm^hQbYfGSS%70vK2#Rlwc!mBF?|JqP0Z*&gXWadAvF!84Cp)}g+06Z4c)`;MOE6pQj!77C46 zV69Cxp-^Do!DWEs1(qI9w;wY5V+s*Ou%1utepv_u%?1a<0A^kY-$I=w4GV zK4hx(Tq@EHEAWd7?c=Hk*tMRdNs+z%b!VFef@V_RGC5{H`F z0O~)FMf6(|04=M=(&`;{h@cFg{ojU76g>`$Ns3(sRJ)E3b9U3ZlJCP>N-b7^Eyczw zTAQ++WiNxS_84}xAnZzacb1(dA4Scw_MCh|fHfY20aQT&68oVCwk`{S(1o)zy9k9- zJSAa3s!Y>aX2Tn?79T#>lZVwai{9?l8^wZ}{`vN0!Il4+J&*up`KK}f6{DeU^CISew20H*3IKPIH4%}vwY%{t;0n=0zKO$R zBWS?z0Gj6%L=VVDnUdk7L6oVUpCko4arpsw3X`V&jKmcfR87jdM5S;=Y>y@$2SyHz zN_UYH!ShMrES&6MU6idc6rkM_Lv4ThwX6}7h!H&r!^LG+b0taj(`Ra~xNB(yi~(U? zdPhNi$@5DN8DhLghL2h*V8b6>f+Va zCdU!w=l~{_X$jp5pp)@?m&EO13}=(MX{8_PZ^$t&M7i=b@ekZC>FO{21QFHK&Ch!$ zX7A-!q{JE3ZMn~Ic30imjbIE78a==y0^n`((M>Ixh3EZpZ!KU*oXWZ@FSrVo+)_q^r#p0Pue+MaawO&=-+N_atlYFQ9s;tz@zkKJg?2i%1zs9YfhH+JL z1|wKqcd7p&5&VyApK3^in_xplL@$4TGVx2R^rO5G|6@V~Elw-zw_sm=298HnxM1vr zbb_;uP8G^^;$RYy2&AudAG8R`U2?Jc8>*kd7gA=x(a#_Z$)gq=f9HPK9EGFJ0Z=5| zOPAZAHL&m(&7FP5lafLm>FlwY-MxS;;1tnGr!MpOS0+&9Qikoj>c(D0+QZ{?KF1(vV+ z(RveG;Zw~wgul4`vOu~1h4;r~;%OjAE&$p9Y*HBb)YyuEWAIvR^w+LEQ$$3JT!kC4 z(HjVJWWd*I>2s>xA)nK5fl>2~hDOM2H$HzV3SXH_EIzM^y29d&&9HHCr$zmDd7+EYq5K&~BtnJJY1dF6e<;a!?A zmIc}$MbFTW4&EP;E8moUD+-f`0|M(Zk|RB_g`l&zIKRfNTo}p45Ag`||V+ z-$o^Ai?eWX`NOUMhB5&A!sEN;t9Nky{2_mgq5+zapY)LYJ%cF^98V%r9lA=PLjQ7X zlK?eWt@TpX0ujhI*uSOzTRZl&d>z2~M~||I*uy^QX?6DPM9A}Oj*1)-&b)4Rs6eJg z=PDG;ENO((D9Ul53wXw#fe@o)aIZAZYE$pEhneYt;xq=gw%|sQ5&a`B=0q}6SbX5) zsau4ce`&2NgF2-AL$S3D|B6TEtLk(H{p^f}zHGaTMaiEj=P}G+<~c6Tc1#XtQWRcQ zOHmW)@hd@cH>=cW`QeP6eV_OnW+3$5#-!boXy{sW9g%7h9AO+xOuS9hxSOS%$FbX+ zom*_25mPmbsh?Q@7(0#@lhMOiHU)UMY=DZcG6F*TxHfy2ylD5Lyx!<#0?n=c5!T{r zK>CXu>L#@2%fRhvwo&}n)a}$S)+$QU)&gwf{yC3#btpxN299#BVs;AR1S!2c} z4*`P+UH55KuGK?nM_gDlyu`2h8l7Mj5vr@jt7EfkxRoP+KCp0p0KVaco?c0>?Cv+C z%WXQXwHgOR3&^I63Qs#8#k@OQ@Lvf@!fEFy@5J|_q|q*C^m09lY;IF*r15STxG7<=~m1GjV)(tc)XUS33QrpH( z{nw4?u>O0QYs7$B^8R^qaz{Gb!2@;`Dysv)nN4_b=*#8QI@;khqJ zBt>;YNMtyUpA>bx^p~%EIia)J$#0l`TgI0nO(;)PfCJ8a*TW%Tn_iUbAi5Djw!%sS zELL9xyrVIYM;qrj2c?mSqRm66SU}q;#R{0?4jiHqNDb}MJn26p7KtCh$AxpGu-jUs z`flhwn;AfNG9E{ufqiS2W0$m!ttzfkqqx>;##MRNwZF)+QEg{{Vd7iDBQC~s)P#$1 zBCr6oGwr1Rx_0>n-1TgnqB-lv-Vr^RnJU?&Iv_78ZMa#dGSMVGZt82oU?^s-V!uRf zwc0~pB>|@uz%Fmv_sW=l^@^L~jT^FfYjTPyZtZrtU0$Wg0 zgIA3Ml_achSh?P7?#exg0%M86vwVuHMQ@uG&&OM6OpeM|Jdar#wC=!-dzZT^0~h@~ zSQR<}>KfoX@g>u#|M{-3{wSN3-i53GejuQS1$0f%mxPZuBMoq1iU2wQrucGrCr>V0 z)a{h={H)o_3fP8VsO17qtHo!V7^iHpr@P}Nv^6Iw>DvpMvh5u6c zMSp8aKhU(x`fE-0&%$p#@UOwvwoXQ>Z^M(z@l+frS@?@XT9Aj9ZRk+&T#OX~=RK-K z2DGpB_Z43n+qf>ZGE<`U18^bPahWl`K_R7?$a?9!98^eIj%3aSbIyAUMQSwb_v2RK zAUNS|?P*p5@Omy$xX3t>c%?x~HDNq>5j)!WXi42%N(S&nxc6Gw&0;x?G;FMyc~e6Rs7r;soqCoge@N^KV{VtN1;a)7P2 z#ROlB(TTbPdd4}%I1MBQPRVHqj@6sCgxJ3&{WPt+f+lAc#k^wGRuO1x(vTp5r za={b5GT9eiDL1Cmw(Uo?8&g!B_{MB%N{eH$P0iw0e5KXGL_CkBlI_y^)4V#u1C0eh zOpF*(Fq`}PJ>VC@P>-C^ZcDiEGPwF(laTZPkomo#ia>yh+)orcc>1TVz-NeD~l4@(u+9bu( zZqB8+@RUoI-}CMJRnIRvmI>qPmB5CJ5+VRT^8H!>=6WN#h{m6_G6U9V>H-S%MiHpV z^KZqrVHpCP4JhPPGatgJ#%^l(WwiD_xjCT2>8g^2-QcuvK2(e=cuH5R=YvQn~-;* zsH$=&Whu4mlFu9tV zXe<(N0wVAh#AbdtKq&M~%UQBwlgP4WNR}+P`k9w)gsHJY!ZsZZGl$3e(^2)Sq5d&( z(4mBmQW2^xCqfhw0VMjq9G40;WIjm|SLG=A5Z9oeJbJXwN8o<#ljcvvlWCrMMM1s2 zwL`La#<^I-bRnZ1xY*&n8c{86dS!7Y_-_e2vOd}nuDtd~JOSCmo>RLbhu=%%V}hR7 zr}nIRJ)|-FrxrjgJ3BUim5B-<7>S5VDTDi49}j=*Brr&viA;Gze@q0Y?HMHB_AOAQ z)tQU^=-M)LQv)ESTSQ-X)70NtWB#SY0skP&Puhv^Jf>8j#=hfxoL03^XVJkRb+eOE zj~+Ou&$FmCj^%=66llj*A7K5Yxdqi7nfi$*Hm@W%UiBC%JU3xI%jkaFkPFP)oUl)3 zD0+hAoUBvhoV)T-Bflr?-}m}(|0im*u-*Vzn(jrPrETdVpBw0>9Hxz&jU$Zy zR3t8!NnafNWkPg>^Z~!jl-ZBfixd+l!EZoiKXpgW=i*ptXee1%nl^l>DsM`Y1F*t0 z15}g>bWQ~o?yFibjFh3g!~4?E|9xfyAW%@&9}C#N2l0jW!rPZZqRUr=&&Rdl8 zzB)_h@~L9Z?P1RO>W5MOaedukTpk?r4**qg(YNoV<=8loh8gaw(iI$rrt**q6n!5T zBP0DQDi8OktT+M}Q8c3KrHUeJu@AWjAuZbc0Bf35`XAWmt?Qx8w$#GXx8r_atJi_j z^+*=fxgtjw^X><}V6+q^t(30A-qQ|T1HkKN`2k&?`ZX)UpT;YwEI^k5_PLrP(>f`u zXrtETGo&WCr;TRtPWoK=AT+RkTo%-{%&F5F#n*VdKs$NnBQ z=F4$2WT_*(g#_maZM#K0DUCJk-UokeR9D2a=-iY|Pt*Nn+L*j^?@aW9Y?hdu-G(%A zzJvDjduqxn2|hd2Pd;p@tM@1LPD!&QJ*a@BzkSaS1gKJd_5U_`w}eQKRp!*fH^XEQ z;r{JLTQhM(T0{iJzIiSm=3WX^^frK)OVQbL_0OJARFV!b^RQL#j1T6dh6Gs}DYscv zG++yD58})M#t*BkJHmOJz-kNpTD^?f0sM%QKjjA?d?D{rZVjJi7jRYzcxQeuwa@`X0Xna4T5$;M zg>)4)AT=jLFW9WTLGPQj8MPw)K7IDfW##T39f3)JQXH?v%v9KBX>$>v%GA-YR(~^6 zYCYdqwbTn@UX-uQNpayCyZ-4xD#L*bD*}YbW;qOUs-v}eV$B9fMkY5v?#8{}sm9|= z#@LG8HcO@3hr=^gYzs&sqQWccGw~?@rQarc0n$bCamSKVd7)k)VnVDuv$In{qu);V z<*A$&1lfvj|DyioOe$v{_Sej!_ z8`|XjCor%j&{4ezH4}OTk)Y)th(mjzZV#q>DZhKN(=mVT{PAr_Z_EwkS<)cFBmTta zckOOW!nFMIi$y#<(C9R_kYTAD+=D>Gkj9-)Br;g{LhWAH9JM{_9sj*}p!x6gFcGG# z)+Rv!#R9{6lub6dG}>;i1hIo{sb$-6~ z^m3#CaxP2&o98I0D^w4Egsf%4&izg9GPvuprP|36$I4@62rOlCM*Qf-2m1iQFPS-cJbxg!{%OH0yQsetz~<=5M;#X0=#w&pI&f z?BtT-(A8@tHMp@8Y`yXOs+#|7VezDCRcCyy@oa$rRC+bYqv6%46s3;|f`GEaC4Eo`jFLQF z%P7M&y+gpV(TSJ+)D067G@-^x%#y%YIuwYnt53{Xhf%MRC+Jg1j^mY_wQNCkVAyQjE3usmXp zHG=s#rW1Afi!$}3kZ6KN2r#X}+$foR^2SB^GZN#jUq^ld)aZsir3H^uJ>dD%MCMXc zwgm=0n8Wph1MoinM+w?y-Ctv+F(r}7AOpCwc zvDh6>073Q3<+@>MY%Jqo`3Zaz7YpqSMmZy!5iXJ|iIp1$E zJ86$C-(VWI^4M~axWqVFaiJ3u$!MtADEk!k&Ao0E@lg zEti)2T=)awh}Zt|f=hnZ-#4&9_q=_439eA4ly!=nVUKy>ubFvIbyi8eSZ48Q!cRBB zvFo2i>#5fst}Fib2?J1xw*=Q8_>FREUo#2ZFySyLz@dq2KpXcHk(dEURi2n?*J z(h#0h=<-T{*+2091-ek8alqv|lsjS#Lvm+x&JKlE_Q>0IzoX=kKtJW~!qj-f!jlYN zr6e)rrUQdnsA#$dOwkh&CC8H=SUZLT$S^HE?D)F^2DlX4r)jbsMRN>m!EZT$exi(} z$Ho;!gRuszD4dYsjTR0js>d?ccf7vQLKJAOV4I=WIO7-K;-z#v1SMksI^xAN39NX`2jOH4#_3P>S-@qqlz^cN>-mm!j%_ejd;rVp;z{{d~om;Drd^P zw;$Xh+jafy?WWi7WiHDpZQGH1&7pvARmpVx_VfFfPtGPS#o0fY?~d;~;C&5k2Mm?ls&S_ra@89dy+0jiXB|NYeWW@qde`%*(qP)sd3?dH%j*mEMBACKQx1`xv!6P@m}jNm zyz=7cEyfqsPJn>+dK@?`r7w9>)27{dD=T&-o1(Zs=Y0&G1)kz&PF1s=D0`^I&5M=` zsI&x3WCaZe8_z<=y_&Ri+=tQZf(rT*TKhBDcfG4;Wr<7yTSbkT3D2`sB$nU78(~=e|qdk%q!5VYF(K*Jw<%>F!zu*C2ts|AXfPLQLGQklcx@Z!{U3?vXaKk%hk8W>Y=2%jjMx>;pq&3AE=6443|^i69``)QY7`dceojlK?loF z_n0=COyqM{6@7R_TrvOn)}Z>(x9=Ue4zyS+y|Ii`HO4vSOjx3-SPPr`%}{OYde-9R zttymt#Z}mFjb`y{U2tVIGP?G$LLZIfN^=9(aSHXD+S)~ zMJ5p$s7da-krTp3AwX4akHQOmMAOxBoa#dm+^p*)j;Lsd*sc=!hZ)!e!_SZBS7&XS zAKMS`ON$uT=!O-?J59@;{5%k5ZO@%Kbs~l5f6i zt^P1uyHi;~^s!en8nZcWv243;(Vh198OWmCE%ROx+z&yAj5G^>wp)L|{eece&f%#^ zAXM~vmpOt^esnk^k2- zz*wa#XNx4ZYVRDW;|*Imiq?3Qbuvt zBS+g6wC!<*`VjB3{u6mV6Ms3jGdi5|k?LK`PQc>P@K!l`_gIrld$O3TTV1(7Q#-=Btop1JI6p(SxFMXNc!#;Lq`XGlFY~N9CH*fi z9k}KzC_iCFBNP`s6RyNDm(ClF1cvZH#`lv9eMI(s3(?K6%LuR9;4_#{jxJ0tT@;&s%=Y5vrK zgCgf_;cpnB3&Cs=fgW-kWzO8706G%_A>O+LO`KOp7f0y#I=F5-#pMu6*Wd5BwldfF zNr|AMhej8Na5*@LK!mK_9~vRnejFGVGS^ma#ev2zLnzct$|2`b0?A$8~JDIkcb{t(_>a z1e`4!%C#81cQMyeVRW3_HlaywIsd;CFw zhT&lcxTTv(V(^Ze%C^}j1>KIQOHC7kkR#3-(~vVm|J~})cKodrUCAePmlG5#xnO88 zQ?fJ5zU_pjNgzAV>}w27h1btlDepBKMJb)Hq5P*P-?QLAUjYHe6!%{m0=nLPmDNWB z+zRECm5k4&E(kCtDM#mDS7G~`cD)>r>j4|t!itfg=%Fh2yQU=y!dEgMc;_ql)r*|! zlrqhS;?J@w_mh>p4m(J>mc~ZG2aRVYhRpjX0v092(oDY&^9xEMapRRcBB8>G^RvH9 zummyXfgANx5xv=7P8dc}i-i?gCMzMF%|Pkvd3vrYWTN2G*#-Kz*8bQA3e8D&Wn3(V zeUuY+Wh3;bnGq$bQ}2nJw;yaQJJ)NL^@6ZH;nj2cI1w!hnFa5MT$V}G5X~O1eC{s` zPPVeR`jC549R3thQ+2j*z6aeHF?mcgCG2(@60N>XaXGrtz8a~pV0o(ueWCt!g12~3 z7+uecW%Vv~3lO7bJ}nrNkYAy3Se6F}ruH#2WS@ww>1%bR=x@3>j=?`Cg2p!heyz&Tp^gMPe zKfLxK<2gr^cYG6eg^dmhMFtu+lIXoCZo~wAW=h(v>D~J|HR(8^39bYrw+KWoUQ&BH z%ebG6tN*mDT5NJtpBN?wO}I?X`+$FEK-VwJn#{6)GU`68HTP3Vzf5$&e4R2{S)UxG z_JVf@&Oyu)f8hRTelH=Dd6R+hv1Xo{Bqzyw00t%I#`6#4`FBHVmfA!am6l6ZavAU~ zJ{KgvB@r}Pa=FErlKB{rd&QV=*{!OhB}Co5$_BJ-&qen_sPXzzaP5wal!%`7@UO=S zU%Bkh_seVhSUOJ=`@E8U1fP!ux&I7w-XfB!^}3m)P z&qc}Yh3i2aL;oZQp8Q86t6;WYU-U+EQankH1}BB}+%7};Fu&V@5a1Q+HnT5jwrKJh zIe&G&7wI@d@vN6X1oJXdgh^h4bwSjq*m@pbENE>7aaC`0v`^2cnOt;Mo^##VJsfH$ z=!yk}g>;baM0#?54tzKPsupW|qKIq9Y*gAos?A2kl2Sq_PWMBMF=}jP5eyY2(zZF; z`7q}r1LJmK3n!-ImQTRH;|w74EWW&Jd3%0D&78@P*E^6>4<<4 zk)U)bi4YNKB26HKCQ1z;AiYGINEd0+MIcn^y%TyTkU;3a56|vC>+U|g-B-ZZ{@x#N9L2&`HO0rt*G)jC#*$;T@=a@#03 zR1zW-u|Yz&I1?9tv~LMzxE!>xpmr5g5306x26(z>ivTtT^R>{L(_{`aYXPqW!=y_3rpdr=QBt>^*}X zUDU8kRQ~{by#k7~X=8*euVFNjasF!B80D2rTzWKme!kgdGUTydPenXu@#Ltho?6l9DlfmF!=XrO#biogJ(|o4AvpX8^7j;PvrEo ztwTEx$EC|B?g!r**lgxizNwIj*{jT5IJ%D4(Ep*A+;~Z($^dWSMS3@vpzN9fr?x{wbxa36=yOUNI!7aW^#i^ymW}gBaLd3 z)|;#;jc&&>G1N^deL}BzNSv5n!p)Fr+o)=i@uIk}^z%3MuZ9*InbRQpJ8xQJW2m8V z4xb^L%B|9#R5GhuO1o)6OsS1MMMDnxs_L3(r>#hh=Y7j_X_P+`!8JUSO5bNpyStQr zAkfK_9f@BGVdr6&Sw-kX(5xc#Au(u>{H!diid=O-RXUo8+uGU^-PVektz5T+Ce&sT zA0Cls5pArhwK_!}Z+!9W?(5~6%pz*csB<%2Ny>T6oWD^Iy(!fCI-WazV=2{&KQOhi67`<{lr zS%p+iD2TbcZ61+N)2{NZa>J5us(NQ+MS6GH`Z)FeYCWybnFr$$QUsj3h{d>>x^VC2 zy8DKNOz512d`&tDOy%0QwwnWAkdK=E?sQ}`pmb~%5)gZKC*v}Q%&i4A!7zz?`M1pd zlU&+Lor26%f4fu6-yL&xRL!hArUZ?(>s`q{-X4qPt8<#O*?~K*5wWhNAN%x7Jl1UN zZj;g8H!QI!THBFs`rt)EH19ra7&>EE4a7n`J$C*CV@86=_TKJWr<+e6?SX9G176k?ayiT&*~OT`M!B zXmsLtDlGwO@eymqF$;zjJ6f`W>e_|A0)AzX$E}&tx(5lm?MqJGxke{32|7-f-;S7v zziWhp0~Do^J!j#I{69$VERPrEZ&W#*EdedDK+@6 zP%J?yBf)-b{Gu?m8sGPnWsl^?gzyE6(=Y2 zIgwkvXBfCeG~9GC1^_fpcAdKq(P)gaR$C5&X9?;NbpV%`W4}$`@m*SE{~)UY12N9p zBR5z8zEdzp7~vFQ_N@Bqn0ZoZ`o!(ARnKY0c_j!iLM3EtV_)h+{s%wzUvtoB4k~om zBtI>u0*{Fp5>oMqSol!zm#U1(ZQh^6&oS`*1p_IQg`ht7qgenvuq?eu2Rc9ShVq5P zD92&~Z&EIE{RC2W{jllwQfu!yLx&JHy9)jt+0R}(-BD@gXY_@6G!^j=E3)lJP;0ZS z)&A9n_<@a&cs(SGSCk-Sr`K#629gmjnaW^7cslQomctN~+auVqe+=aXIZ@Z))9wd(cjt*yWy=66z${hxMXyB17`|;pi|9v{IoS%UE$@kuofvKy@~l4K zxw^3Og*n#CbL?gWRYu|c$^LhWDEZ}H<6}yeM;t3V zH|YUR2OL8KqkqTonx38KJ@{R+Ksc=oszr@~IjcRGRLp>0)FH2b>ndh_pVBtrgwKhr#8|&ZABTHdAqYGn-~oYaZ4hs; z1v-ocjqWz(rA7Q+>Yi3dTyA?RFEf8faLM#xkWv=Nq@^_Ri)BZk%N?<}9RHTU%g7x}Mcx+qOC(h&;m5iMnU{a@! z7P9@&x8JW8TT%(6i@bXP+g{6LRLD{Jzf-FJ_Q_9L?|T*`;W+DO`UaLIDABIh?yDwB zSrfelP9aO)+L{HkETi7NWj}bLdjqmH+j1Dw#z^Yw0LfF?OtDCD5mXVUYxSPk=QX8UB4b*)tdKimH@ypb46l@H)ChpY}nKBnPI z@4D;T+wy0Jo#xV^KWAne4IMguPA;H~yN%R;+>A=hlP4=c+RZ+GUz+H9q&}jhUs$p~ zkmwEUQO{n;Kqfx}yz2wY#KU3t+taKT4lpM?rl@?P^UOP| zq(=kM44YQfB0zkeTR=l6+S#o4>nvywY&$QwDiSQT-Jw5oj!nKU?6L<)rPx4RT@>uNXib4<4+C z51LVoygTFdQh=sQFAHER8hc$^`lc@0UjfPAwRG4A#@ph98)TQmowhR{D8j8aBVN6U zU7WsEhrpdY@a|Qa;gg#mJ67vlauJ7Cr=|D{sRG+rBb50)8QE{ell0%@$JY0z*7f#S zx}qELW{-U*`D>UZu>|o|etk4p!&n^k(eO~r3GhqUB}yEBN&Mm zC#+Z`tom5Wx#aDM3*iusgo4ozsBoyE)f8uWPKHEH9`}@qTfanq78_T}lY{SV1-V1- z5A4De3ssZQ6%$cM_ayly3(6+d=IwWQnu}v%>t&VJAfRia0~Yvh2cre;mQIigiIPoD7Uv&!+?M{tb?22fgDxSuSg z0XT-nl(1i(gU|V2;*b*_W^r5*l)EE^Krc;u z2C@kxAnogC&)T6`R?+nH40BJ@Kx|qg*JgM*-r_v3{7Nlmxvj<4LmoGi_PezJ9Z9=K z!SZ&_qTQE_3v^!IbJ3M$js=L5NRT*f1UB}33si&*5f7uIdMggQ`p}io-bmm5#v zoc1l5=oW9mUn6&{U8p z*q%}jyRJQl*E=fxUAjZJ2_g;pN<%6_%eYMx6Pje=UZdYhT;+LQ65~zT60u;vGHJ(_ zcJbtO%l1GmJT&;pxu;>qi2>JfF%e%@Dx)?dl)5B6@VG`d|9aDOXnfkF-- zyTP^c+=${qg@dT&c!d0k#DL*l#k3yF+2#UPE&(6sifEaH<)h17Uk6~a5#IWpl}*UE z!?vAOf>7Gr=vvrY)zT=6D&+2=vX>;V+&Txo@ud2&u!ER5y6t|vWPy=*V|KkZh7+}E zT4X3QoFDJ)-#c$)8woybCd_skLTzmF`nD~|rLC*26Opa5a*NAgwJsFQbo8}H?;R$JE0ka1R_s{**L40)O22%?C|szZ^zta4{d3yB*69QCA(n3 z`z>ubH2r(z`NWa-FARZP4vUj%TwiSpi3JWd5#IhLnHn5JCtX2`7gU)>pQru4xmQp# zZzoMT8^a89Elgdw38nX0uW^4fpqxLGtv>Z)jLkxze%57@0;LPE0tgOftqFq=iZg z56bU->WyEr)*u|#ZIc+F`9C(%KiT931ERD#Eza1N?2Lp1w|YW;z!8rTZaG*kYUrUZ zsNO;Lh_?c3=Z&T5i}{#QTQc9g?eLfKw@q=2L zfn0FkkU}mXbm-@&<3z_!Ys;+PHpIiYd(YK3M*gbD_u1_9wj3QMwc7Gy2c4!lj}5v9 zxBrUcH*h}mUm1KF$liIEp{&%?&)=m=rt`pjDRfnN6T}1!0fo|6rJV~p&#Xov_u~;A zo@;Cgm|^aUld`-#44sw5zDb)>vosD4pe(xxW2`3W#|JwJ<})PPFJ9 zfm-9!fJB8FB~^w9!l{9)f!;S6EH8=59(;nmE(p#R@j@=IkUftHkpjiOckR~|wh1zS zoNLpMn2UlrE`Rj>vfo;#F6*-IQ7uYj0$36mIv)!dl6Rl5I^lCIsr7%;g#5>?mSF=5 zQt3$W;i@x&x@QQ=U2!H#0PkZ20zr#e;}hO{2&zg54D5cZ`F{@@G!%ZNKN^qwX;wKh0+nTZ8@m^ z1#D|h9zE{^6uo0-|7~DGOZj1#O&}HXkmRsyz0@{AdwGYSi#`vRm5B))eO=DY1anPE zR92ignesJoISRo6t)R986SoY;86YWz`g2~p()+lVzlMZslbZg4!0C_LBq`_r*vgi| zeMKNn8=Glia;RLHxl9pE3sZs}YbK3Up?H~;!pf?TeaFvj+{a_ehV{xdE&RDi{%Awt ziVhiTxx?^~cBG22$C@*~QcN>AL~@L4w5L|%K?Tj-o(s<4;TMsOSJZDYiFMpj zPVb%Ens6r=aJ?pt>UL+S$NY3TKF8d$F@EX9E&JJPjZNvahW`Q15 zNL#^=n+XSmXX5*|C8~r`WSboP?T08{lTr46YpHUaR2{(8UKAXX1>dIyt5U_v>gkI(Evzo~c#4AEy9B?GqlpCZG_H z^Ah=j@vJaF6)Mp~uv?WI<(h{xp_N8FSG%ulVj5Jz&5vNC*FRd+`@um{?!E^!Y+u)wO;GsX30i8 zYOkJt{mBeGh_zf9N892rtw5kcs5m0G0)iV1B(a+xuSWVko7D`X=Dbiis|5-v6vJX* zo|dt@$~42>+_T;c8T&()*t-{$H$zS*xLKm_V5Ph(yTg7Kd%U4xS3k$JB5Nq(N_h@Lq`9n#3<&Z z!)v_lZAg-+e!h6S+gA}qCqp)5I+|OM$IBtRjw?yfV<^F!@;(!9m(RZ`O{Sv%b>LYB z8oc|$*UTEGAs_~qaSzQ?nMqU9tOiW&5?oNY*0ej^ExdVgG zI!yem;mnZ0+YRVm##eLMbHp$56 zdzqrCf8RoDF+CE>sxCq-8ZuwtNT7d#&)OCHJOFDVLbV}1|E9-qxKE`3mQSeL9mfQI zT;wK!PDaxZ)$rG%=gA5te-aMu&KRt zo8H#?C|Mb#07O4>+;=MHoc!-vtEDR)g}+a1Iq7ok%9kp@(I4}bL!Cq|kE=MH8Z!_> zMp^(;22@}nV@nOqQfufUGe8WI+4)6Z^yO*4T2IYdkuc?Z<=T%uj1ciJBBP{Oe-!<5 zi0&27RCU}cJo9|*g?zgEoyO$;fzl{mtoVBn9RHDPu?`#owQp|&y6qj(u|j}SSt2H6 z|4n?cFpBQ5!8ujIT1iLwc(M3=p1#ala5=8I&A@T%%^Slw5e-LZf76$-HdKVaEzUPoKylxtg~a4XvIj7KL84QsYX$ z?7ot>C`#;OG}Bc-9{Q@>&c5_1&+3r;UL@V3TfFBha;ldG9fhTJ5jQ>Ly!t)Kg_?! zSKl*`jHlIQen(TD`6%;!f3T|cZv9du26d>`F1sN&b2xt6F&d!i?#+4tKwuX!VwtHS zDDJS{Hk5H2Lx$)au#X0S?9L{Z&F*C?IJ2ej1ayfA^7YQ_FEQ^_>;v#Cj-UxmNsvhz z+O54xWouWp_cBMp?%7~L>9_)erKap$`Vgu}W2CANXqd1V(K~Fit5SgyIQNl?Co68d zhS}B$^j{xv(Qir#?1uD_YWb&V>m+a@Ry;i^2s90w*Je-sZ8LNdm`9$S7yBKcQWa~^ z^utT|a1CM<#(43QvNiAdr&U`~_Crw#?Aa+2;LIp%Uj#o7r{r?5OGXL3=H+)`TVROD zt=Jf#XHlIUlCN z^~yNe;@A`@vi!O4D0o`-m?pUJ{G&+ukBj$;k^ES=T=&j!mM`6uOsk2@q%0u2QTz?< zS@}#*G>oUdJIn+3tr*D`TIjvN{4kSM0Z)pw-_G+2V|!gC9l4c^Je;0NFAe>~ne!U5 zo|0_b50oEfvS}MY%u2Ec%8X<#PMG^R(SFesGH3m3qjDh>WxhrGthYSmo`tfvby4rh z)fAyuwT};cWmOpJG^%bcOA)nqKk*MCp&sfQV`aQ+s& zzn3+Du{IFw<(;FjFX|FMFK6z7Z4ETpYZg%?kaP|n73`A&y!=G=Ma$;D>lTEd@|Yq@ z0MVx*J1x|^=m~b{#b9isHLs-s8D%A|<=h$b%V)p~N(c*d*QI+n%YI^8$rFq#>SIq# zxkHx1TeGj7vHOPVtS>og_TkTTIN7YVJ@-YE?Mvjdw)R^JBxW)X4@J1fuaIpl_Zgi^ z9_~>bW~foVThjUCp#MSf-~$cvu2o-8r`-|!kq3WW{OoX{d|}Hu=v2}4y6QL{s{H!e z)*_;CVdCJt;3M5j`d2V6>l-ozf^0vja5?++^b9xE6 zU4Tdp6bveYDoRL>e8Xq2?#w#p(#O)#U(f%1baRa}`J>d+&G%C`0~tP0D+&6{3amdZ zF~M)91%xLZ20cY->8_H3id1Qq8PpNE`)Jkg>h-t2_cEw!d$4y|dzIku+=_`e8jJMu zOxz-~zca0=%H+i*O9A{Dt|UxUU$S(LQf)-YhUv*C^Qo|bRu4JgW_GU3M8GLSR$gt+T7bzPe5N@)ZI0)|{r`9Ub;pNiY9m6hi}Hlm z=D^#RCJ-oC8h!<$${-aA#rxR;>jE17`Wq~_N^6oc`_ne74>ar^&(sloWL79^>7wDzZ884?Rs(fOo61WEm8MgTokt2nC6{HD$}U5{)L{P3?)_JN zxxFsSP}+B)23uX$Xhp=~k}hYplo6pd(_l`!z_rmb`F_#IwA{49Wg*&*U#i6J8<=Gw z46ZMyX1?J{ebw*#?{Ll;ir%dMEz$qGktFFVnODr18fR{q`G0a_KAdDePUIj!d79;s6fgCZ zZtan0)Q?AtEW9O1lIkK}TfP3J42sS^aWj(cQj8k0(fXJF57A6qpOD^4gu(}jU|w1c zVj=J1r?bb*_&!K>Q;(&FdG2y{=Y@EOI|7-@LLiTX_Y`Z4bJv+KE1}EdK@>GZ6m%34 zs57C-*1G3z)dbc1(Y4ioK>1--NfFA{Pbbn_-P9FrvNh%N!d>TdZE4 z+rglqW7qP>?NB5qZ@l2DtnHTMO{w`1#Vw^3AFO|_fQp7eju-G%4!y!L)BAp;l%?h< zOw(cj0HY*eKU3Gd{C56(aQz33LjfC7mM7~=Zm6^lrep?!-ih;za=tTA6Y!LM4==J3 zocV!Tao*5^RgYxes(kA$aYV4j_6k!UeX1NeI`I}O{h1L8g@DzDn>B;B%*(PT{FO}1|J|DU?06c$WEUKX`F~ubO$66R=+Duc{T$IF&3#iB zl<0gdRD4DFI-W>JhroC^9IUFTu?z4dp!-5%_F3lD7sB*bC=OwG&j>&*ByzJ|naUa!t<2x?gw-eFFb1WAfe}j}d!M#vqY+VIZsP!|yLhIMiYfHf_J~c^;QXexart@4>t2Kr zsXgx87GbXR%t7BC17e0g8c8tB8TfpdomcXe<}L1%uPaBw^;D1yZc{sPCq;%pYSSlv zQjBw;>2IR-QaMYr%19=b|7}{=+9@PUKp|?E1$&6h1{I8@f3}=A1<3{e&r^jGGOX!3BY9u)H$C?^^R?p%T@JFc-M42dv&vGyE;ZZFTmj@t#tE;u6jsn zsOwXnwdqW7d5iB?rei}PnfECExIp%y&3X*`&{7m9?9(dgrvGXKchHTMnP7~{9$rZk zVZ7Y7zc|Woj^E+C$w}j8Ab!8#+zOeRW`We+!zS$2;85pOh9PoFw$!nbowPBYDv1Z; z$2#oQKl|dphQUg7;ItY@q!}G@zM+TLJVYyugN=uCbxuYX?%p-t)V_VebqTbX^YHoq z52?nTA{#KkDXK7d1%Z;oA6mAX0|E@fji&FtydTG=1e8i6g{g&%1(z1vzU;q=GoZZB zLBUo-SbT+(u}su?7Qj!ra_?$eEK9!yY(QVZOjo}eH>=E!$ctnR7|>r&>F(*k-0bQQ zXY6XOKTqfL`S*o8lHA{lP0!Q`e+;0{0aFW=t3d1X4dhuIKJ)rpS?0%3a;|1vX9ly* zq_ONp1n+0(jLqt>*JO7ZfDO~;hraqx6*%9Zl`;D&sA$GLm9_rKQVz~DWfG1&)$wx# zc-M+A-MjOz2%#=D`c0RXBtjk1=#SS$;^ggeI=7~mwfe2E<}r20M=5};7avq}jj!ka z1*NT}l1~N8A7(Ba<8Dq1O)z+p#A1Z0w_~ds7T;HWuR(qFNoH^Lg@P>&TJrWuQPxdx zB3`Lg+FBM8jHHthnLcxy4_E5l2U!vRlW z&9BY`K8Ji;;%?K#_d9>8?JLsT69Od#crISe1eRLB%NH#Jwx-kkAB0_J;_SZ%$L1)= zAGZeA!gK;$={73_$tR-z%)kF%bM6V4Jn(>l0l*;9e;o&u+Vi8-{Wt#NU;H)spyAEV zn;*rY_3b9Vm^rVDtvFJ->!xnethOhP>xT zt~;`V7gfaTYYjK+Gp~{b=H+(ACJu!=B((!9gguhw<0uP571~DVEba^JMOEYRj4xpxLZXR7pEjmRfN`Ijf@*c}S63IWgS(8{!5lJ9t ze%Z@E5D9QPfSAcvt7TBj*W3Rm_{t3^N(hJ`0bRVLfM7nh8gW-hkY;_m+Am74_x8hF zoHs-ehdMDJj^hjrPW^Qxt|9Zv!UcGG1+aa#9M-SpvARgNuT>ynNlm(m8PG_i@IsZ) z5awdt##1#0I1DJhfq~HKGa~M2YskiQo%C7gZjP~c5H%c`7nw{+!EgoMUq{Op0#*o^ zCr};t)rUeQzWP7Rlzz)o4->#n)6cFwuxj$aVKb3DC!S^fxuWvoAV$j_Ql-OwxC)NWn z;5D9g2U_NhU!SI#mFVg(T|K}H{C&L2E4@3RSbB&O?0=q55^w*-4%9t(#>uQ)Oy9FEQ+-=xe;wKDPb7Fd zy@Qo}kcFaQ7%r=TsFqoN*yf7uzkjrh>{rN3E(!>xll($m_-fuz4k4LIdHIJ;e9f3R zev#n4snq1hSU|j4<}jVM-vDm%muk#3WorCdGXRl8C*P4S1NDB?&D4moHRoL3hHVO6Wje)yK3>-I}cboRAoNpx!N2sH{5;lYW)^Yk= zxacE5KEY(!YnOSRjJD%rvn9Gw43Hwxp7Z)jQ0rZ#Yzh!ac=!@06@G~u5_d__foDiu zU!zeBvdP$_E`#ik2?257v*Y}pUG-0L4vz$Tj)=)SHi|unErKisYAbAA$2j5aEJIo{ z;%X1O25(=rE4U6RSGpZtgOb|nPb~zWzr5EI>>cfQ&0sjT4PO4W?MJQ%$MXnvE$o!C z$NrY-9p*(#13Y*17h?Yi^KsDa-7gi3EZS+gM%d4T62%!_(%1?9l5&lo>emg>_b7RR zlMr8eZjjjV2f+QuTX&HHo4FBj0O;K>v+d|5I{mUk9Pcd%y`}FSrgBYOEE{26X;|!@ zY+UoIm9FTN)hs$f{?TCf!LX8RP*mmhRQP?_F}K30)w$nSd8tfWK$X%IN+YZ#F^!f+ zT}PtkBK@Ka0Gk>PSjG~VrclMNLY!@5Pgn*+7N?a{Vsx6cd=D2}GNb(%g|8vzUZQEi z0Xq*o96niN!=#Za&R2tzq~_6cF@D70hyl)Fx%Rm8^H*%6VV*-QD?YD$ZJ=D; zy_>!DPidBP70X|Ei;JvmzlqY9z(Y1;G=S)pfF*r$MA18mrx#m8Y2ETs-~ipn&losX zv^8wd^aSk;N%%g0)x{70&DH;pXZFYKdqPV-)9cc*l3Qk41#IoJ@1-7mfKhe7JNnXs zcdD>lq=v*p@?W*gOe!6Q$^QX5e`+%N1Pa8zYAY^H$qIQ)4Wpy>jCfx-Pk0mHRFOys z@^R!dVttu>rHXgy8v`$Sg4825-K-R_WJrlHa+v{+#rac*Ym~IYz$7lfxSTAVYWyAe zS|{oaKSljKrVC&Q`|q)00uO%N@X{&)qCfqwU&YUvzJ3sW&?=31uMzM>pi5#9o8APc z4TZVsGH|%HsPzUqkboC!8QZkjtig@|1vuQvp873@BrMi`f&aRprLO%KU;tG91R&I{4od%VR{xX;9(?xv>jJLu zPgMhoA@B@Z3=8Iij!84CgBh1%?v~t|L~UzSozziw+jhJLxA5%?{ulwLLA*FO zYEL}dr5D&sI7U+PEI2kYB)sb{_i9dt29+qUjL*=PM~?^<5B&WENN}#ralrm73p8Yj z>Lowk?X2`ofdh*uTml4Wbfh2XM|Ay&U?iva>i!i5mRF!U9=hsFt<-7YrIc1WPZ(m% zDGzuw`>yxBiJQ54cCH{sg~+JPo{BUSbF|NxRlbFY$Ks6nb+KsJ0T*-4Y{YZz+jEV2 zp>w0lHDhmbe6!hGQqHxdmv3FVY8zjUE50$0rbmVk4gIiLJeQB0Bcs9w+>6eWfqpgx z7~v3NNeUeZmEkoO z@6O5^jVG(6A zo6DrURI=Cf2bC`g;?c$qcwpQ_2x8^-UAy_VSwOCbMuf^M?A65P`*Cmpoz-WzstHU;gx) zkq4*ToL1XT$g`Jm(xAhIsh6e5ouQEuaiOWezthW|39e0`YJ}`#&OUf7PwbQZqDrg2 zmebcjZ^ntHmr};v2wc?L4|IGl^7gQ>UN+S~^Zit&9AO9uH8&hnwR5)uCsjn?xKELV zTPZ?rT3g!V-<$lNK;A)#-Qbti=IqG5LIH|O3J&QdUHG;r=5Vyn8gF~?^+he3+cXl0 z-xAm``x|rfXC9Vs-tZ_ft-jh$KfiTWE_~qI4L`6#t4U~PAbyTEmSouUlOx<~)Y||V zRYpG|qy77h`QT}M8jki}>@Q_bO58>nSi#c;6t1%KlODbaX6gO7TcY@1BTW~1hTDRsa=uatGYW<=@fZUYgW=}nJiwYj|0_Z-18n5dJXCaWImTAP32)^*Bi5Fa9bIYu7A$|Fxy6@AYk zZXts_7|S=Q?D!D*S5{OyLk6L9uoI59-MzNsvC%sblIr|Y`SKH@;jkw zy_T-K>Ah3)k1~I8LqHxj#-5G3g$wJI4^Dh{I%S~9Vaq{zTsQ<2!b>A7Rk~EB%X1*n zU}c@lpzKc*oa8dXy=eK%@&;VDKUr@icfqG+b6Z~sXgk^*@*@lBkx>L-y6 zHI{L98Cb^R&2SX~U!eweQ}i8+%L`P$*sBkh=!rvgbDuNoRJB0Jy)2N&Qsfs#KvA|V zBkd5+-A_7Bk;0o=5s-Kh*{q_FDXve+l52{hX9|$RuJnX}b&>3DZ z#T#-}gDwX5vRh!qFU$Zo{=gr88lOM=KM~w)tIEzZZa=l^uk^4~s(=YpZf*PMtUwr1 zbrqoX0d{s^zvs@VcoU=sZJD9r93gYC#BZkfaoyk&k=`aUb6_px?u3-{dilb-G`=DI zub4qk73)1ne_h7^?;!b)Y2~vcZx;X?jqkd*X$(rZzdGP_eKYoE=6B(Wu&iEw?x{Wz z_a(tDWHQOk(586${O?0rsl|^fU6omJw!lE4;L+D7kRtZq@8SgtYL6e}0x|{g32J<% z!)uInuGWK^L-Lm1(cVaR^+6Swls{_y;chRWW+-{fAyR$#D7R=`WIGFW@?&j&%5b7k zt@>1iYtU(kEq$=^pD-VzKn~mq5BmwX1$ps2!uY9qnuZ=QPfyU@4}<+O$SbC&418#h z=59&xw9OyzK9%yv7%C_n9BvN*jxI$0>)&>fd)x41R*c8a-=?lvV`E?UpFSao zho07Xl^p`l60=izw&uy_#|n`T4e0-%HJM zS^NI_*%CX-up=vtY<5-GOe!8H4UW1rGMZ&X>9PBw_5b6o-K3I}_&Y;kc_~0%hj_{u zL#wRF-U#j~kKSS@lG0|>6jNXsML5kmo%~yyH^F^9-%@$cE0P|Pdc>IZ)yfOGaYA6d zi5~xo_7>%W#Qu`V8<*bZ>DRPovS;^Rjc^pj<`busQ7w}2p3Y5KVYW#+RB zWYnTOmPYx^rzQDcUCf5vy7URkb#c=Hzm+0#2yBp*B1k4AYS%i$cj7q;9Iv#xHjD2R&R9;(qZ@zFRv4=9efImz1 zXML^2%Fm7Q-HBiZC_9~Tj;z&H|KfD7uL-WH29}MC+Y;5MV|# znfb`_zt*mmj=nbbIwJ11^+JHo5^EKA_(IPe$9NT(?oEq21fF`CuE<5FrusECP26SXCb3t$^JyL|ebXIU)ZdlU(R=13>M6P&i>L6W@fg4H7VlmZdWf4w7Lj>l_eqR#)-6i3nmoX-9hqL7T zWS4FOuc-Je8DJJ5OIH3nj{HeG0GR6EgCPSIIRg(_7^D(4sXGJg)eFceIJ9n8I9Nr< ztpUZ}^)K;Ot+Bv_tEO-ACx@5tn;#*62|X>6-6TglrEKrnRJ1(6m#w@G@TF0>rDtqf z?sR4H0-_<6YuBd8Iiy9PS23pFDY%e+b9TH(W>#4dkmI_(X#V(Pqs9yCyks>V&I`fH zId(GcPB=nf!BnofODSIC`hHjlrw4o6ty-;i(YAK*YzpP~Jb8EaLBn{)-G;wwBbEX> zQZMG%sT(T0=A>ar5X`bCPX?&TAiDX@06KhddN2Dg(7T$e$9CjQ=+A%O7BPuWBk3qDjP;r zz~>khf37&2L*88fZt>aYpOFe#H$Q)~_eu4KT$Wi{A~Q^Q5lXxFNqb7jPkK)We#Y9Q zRTUlqU0AY}2HDiToyS;h^%Sy)kEHX5QOkqH)`5YlIhWa` zHl?oqC8s_Q{C+a$A^!@tIK8C6LdYj1^i4pgYPXkRb3sA{LA;?dl1VCe*BLgc#t<7G zGdrUj0h6?HLIXy-%)cG%-(4E~;_!yzMS1ir(4R-w8Y7?O)=r4v#vD6>nBhoi&%z16 z!l`%iI8LuxOEjrFZO@{ZK>H$cv(x-`8z5#ecOuF>GLrVQDQmT|o@c zDqfz>k^t3?Hq+m1aXd7qI;N{8scvE#ZrpTUq+eRZGpJFsrJ@ec<)EiU92QlU5&7&v zK4m(;X_X-$6g|=@C_^wNp3rB8{>WLmm4*lfJw;oY@`5UzvVEbFje@!v3Nm|N6?Q5< zs21xNtIe62_7nzc6;N9_wyS?um6;(6{OV`I^)Z;TG4Z72L!pDIwn@K^$5NI*6r8Q8 zF!#9r@ZA$m4kG_7_xYpQETC;VpGXMUV#tvI8sTe!awCFocT}i%I)79slsEf4jvJXZ zseHS(*CD%MEZ4#p`3>|J$>8mM!Ik4os`h_Az<rzEYmAAfIlFVaeVoDDaS30ubtfKnQL~1CAplUCHGgcv{Xm2T*`C-Xu*f5w z2qtbs(rmBhOs*JI?M0=tP)QgtlY+DY%oKZFxqj6jgnF`dq@ZVPSwfnsr$r2!yhQ_p zvf%jY+w{i(lAP3Wj7Ig0{dnz{Eilzz6k2;o+>*klYp3cLeCWC16$4DRdmKJkr~54@ zujZ}5sQgZItr;L)`@P>kU?4bwa(uwAO=h2`Y85UUH8a5Yy#p)5xtOfL7(P!rdE?ZG17L)! zQWFcOlqzd*424e^7-=6m#l!t3vcc$==3AS9~i=yQ~ zke=qM5?g|&+E_Skdc^c;8t>?P;8=M3KGMqAm`{l3P1XPSo!VF;t#q+Z;F&mpRo<|^ z3{Sq0@F07p>xSOFkC4x%%+Ep$eA36}5~WmDxM&nrBhEU?iGd+lWa zcbEbb#&iD}VX^Su*k)Nys(OsD^hsQ;tl+6yeh0`F8Hl@B-$p zEE#PkatFY^>s2f3L(aR^+cKwBwc)}8w^h!+&j+{`WKbH<=?~1H_3_Hx3zktEnUXgp z9$H_KQZ;Arq7tT;yI~)^>ECd^?BV|-?91bl%-+6d+H9w?vT|YCw6dbrU6{toX;CUG zYFx^jJOZ?4fNO6R{>bOyD_2vxbYfNhY{aA~jjvD{-NA2)N z(#JlAUPiSIH&~Aqo`;h8BZE0Mif2xSHD8XLWK} ztb;6$pxN{KmQ*_M!bB&)%lGjGealY^IJ((``0lO9@ol3jjatsbMJlyeW#Zrm8MYe=})L^#uHWy>3-Vm%G}cUt~A6drgq6FrcH)zODSvX)S&s z%W<2Ex~@r9UHu|X_HMZ3L(d4g&>acm_{jvfW>vijZEF%!g?>+LLJsI#L7W@uvNsah z#F0+1S@u8X_ z_1gM<#d@H5_CjVpvJsIV^@O_$SJObtu<4L~_q1c^*;#2%&+LD=UQutq^VQjj_14H~ zS}H}W^xn?Ndx_sN;5Gu$(4r@Z)BJEq+Y@xfA=P7I*5|(eWoFF#>4rG&I=$}afJv<_ zIs3(9E8|D|VVjLU-y%Md*R$5F?im_4Ye`F+E3dDkRhLUzl1NGcBX0q>mI>ABw+6T8 z?(7Ll;8rB|lwptfa6cyJApkUC#QP!k!sEO_Acl|r99tnf9dwAmdN8Z{!Rga%Bjk(WKa2G9${WP=HF?v{Aaqu zWl6&uo3=pd*AwLC`y6hP}aj0WCBly+gl2b&br>>7K z`r1>vN$mceO?k(?r@me&9k_R-sPjtML=oOYThS->Ygg-x;j8~@sQ>5Ke3*6pgW~rO zsXrOT7hn7@cKe2S&W$6O3MoErEb!DHqPpw=&DL_`_xrBK9%e4tzgHapHtxMKj&!N1 zZ`s=0`>2ccm4m48#jYd9w zOiR1{(SC2?_Mkoc$2Oc+w?7`HX9U!)7DOWF&*P84_73JVwju-a&QJ?R64TfJZ(wBp z4CC((oA6!gJv072j=$Ee`w&-%MliJXf^F|U??X!3$mjc-_^-dbj-$^a{$5VM_j}!{ z#dpI9O-ln3Z`r?%kFS0h^TBeNcU*~7fgHdbc=>n~*dekv!3_;OUpss%^EK7zV@!s@ ztF?yM+lQ)Lju>Dj7_Tt~x9Sp?P+w-WZ>zYxG#(L=29p-apkD$a59qf(`$XRv&oR!@ z+vMe^%=Fm$Q|H^D>h&{XjZ!b)xBST^xXl!?wr#BAB+V?FN|uQ+fsH!04zflA#h80v zW_Om6;R#c;r>)z$_NQwao|e2lw0-A+%N(SynKY$^_J-Tz@6XE8(v?M88syv6!2ADy zEPd{`-;hZ+Z{$)Wa~)^B*GpJp=4XqlD8ul?Je z+U+OVQ5_RXW}(CEc`uA7k;`&kxNpSlZAj}te2WKNHq^F_?Tg){<3Tz}G%y*@`tFpQ z5b#JJ2pXWca(zoiUZg^30~?8G**av; z*PK~LKlseNxcGk&1CE|UctGByuiYI=JXSdX^hRXQ4f>F z6^}<74QqB18tsqbPc92+x*yOaY->;SH7=tTZhgDJydhBiCN)*};2^U$*LKfd~Z zOqqWfId(inCSLE&>FNsNf26T@s2edcF=5|t=uG|**u0mGM$Yii+5GL(SLUUL`NFyD zj9k_#_T92@=--qKZXNGG`w?Av&_KK<(;m^p&sI|rKhTO9ghR4|b(&*oVR$bC>??Lx zcHB#>hqP;EU|g8fR90Q_0MK`YJPR22BA?%rvMoFR<%?;I?asL&z702WU7uA?9Qy5t zH~ZK~_Qx}oLrZTwwYg3YZuRiy%*g7>IJ)B30sDo@M>*J%u#VwXob~xfsJX8ZgPc-& z-kq>GsH5@mo$#HlJ{5{alSP5pATKg_H=l4vbi(${K4{nk@Ar5FIVZFTsgdDaCRv?} zP{)U(Q?(1RUE7)a9LuNvFAK3!+pEn}DEo&%)09M-k-l{dMvaPL$&GQg_oTMiZbYM78O`qr?M0 z1Ic2YOw!kI!xcZ>Z#uW;>dYf<-#)DI+~u_&wW8z7{#AWRW!V=g@65*fy8Xu1f7{GS ztYokhK^zp(+Lg?poFoQSWu~^=7nt)n-incdu@saJ3yfze;#o2(EXF}>ND}p3wj+@F zZfVC{lFbbD&%Jg0f-eal4xU^87Wv3`me~yb8~^iLMJsiBW_kMT|Mqj*>Kiy)sJH-b z<3Zm5H493@DU*0OU#KlW=68x`p}g|aKl46QXX>eIuorLsDcl(hI`{5c3fb37Y<>FSYh;f);&i7t6FO}ffGX4(w2OL^BV>K4b0VxvWyakGZn*{ZpE9FNcrT~1 zy%lU67T~H2 zGTuzFn3XYM{R>YeojA#JkQx4UuW7I>lj(DwuWw93&&aaN;AN_Q3E|+2MxybSq+oFT zKKNnZ4)w3cY;C8>+++u+&{e7tUf~>}ymhO6#iSY5jQ8E(~luKaJ)`ObCNdgBx; zRa1ontKcyjm;_Amz#f)56#m9vU(U1cfT!L=#HlEfMSH0ID0%nu@yK=8WM@??KgD{4 zk@5Gza}~$X*>|5Fh7`k9g`*9m7)F|2ctjiB1sDacZG0AcpXoQB=t`7)dw3cBOwXD5 zMG(8VLB1RGY*0Nw74>bXQg3<1CwhS&fA}aAn9}12_X8b0 zr80!i*&5GS-9U`!)7uZmv5mWtLsumC`tls;_u#m*w&5Y7R8QGP!;RM9tz62BC`K-- z0IhKE7sPG@u+{1#ENF}cIoCyLxbP4UOohcnwGS}CfWKfg_b`XhU*Ts(yPya9H)wU* ziHf6!lIzO;RsP`vB@q4#9C#FOlQ|3t$jXc*El~O(-lv zLsc+D1mgiQVBi5&@uyg6vTao1_0q&q{x>vfISchgq^`Z(puX_QobV}hAGFb`I#zf) zpK~xsJ^hmMU7m1v7b(l^6=t+E8Xr^1Qvaz(p?sOQ-hiS&MNPc+j*T5!)yEdHho@-N zOqD1ar}=73@VDtA9yK5lcl|Y^hOqDQ+r!IQ=M)xqddBU3e!@yEgaVD*g8w(=IGo1|{C1J_cA$6^K5u7V3?0ys=J5-jJe=1abV|Xvti#e(A{gS1} zv?3zIoXl4txo(07$yl;tsGX?P2l)PABp_oz$mef(sy94EAyHk(k~XryMnFseWCXZU zjCY4B#f(8sO{U@iacJ7zE&fx%be~+jf^lusfoXM^Qp8lJz&lm~e4fk2UK^j(14Hv4 zM|6qXj!zZHdRQqBNgWQ=C_{1u9jBVju5#}O20?##f~9Gt zsRLPIAS2y2Bz9bnBHrl_fF5v;04M*@XR9APi>9GLo68E=K_Vq~7WD*658$&T{xp^= z5TfbPc*}X$;+k=0a2FUT5!wRdN*^{Y66%$s)Q}esH=#Bc9+YeNc($4gD*<%{S`!O@ zB#KYVqp>om({|iY4ncV=V2|Eob9R?8ffabPqTYXoF@uZ=g(f6igKsi#E^X+yvD$)Z z7w;Fn1H~;Hv_I2y%IKEU1?7-|1jIwlETuU-wW^T{%UBQ>9(@lD!hxTKnqHxX#!{ED z)R8QSHA}*RIDiTd$mIYmhlTvr!^AQP>#S@dF=b6I_U4$!&%2&W{ivuB)%I*^!#fk& zwiDBuW0ZHUN`Um|)pzQQTX>6l$zE}NXJ1}mn=n&ViHfI?H=9r8l~Fz(=;Nso3|VzayaJf1p3fl|TV-V`o$MQ|x)U|Q+# zC%m0s6mrI1_S7Dj5=qt`BVEc2s$%#%(Tu{+kfeF8<)W!{ z_ga*?r}G}iu8;Oc;?GoHKlaUQD*)MzRM`~eN~fH0Rl=tq?MGHSlP`mZ&-g0+T#({6 zVw!Y{{b1cf{&q+_Ix}^L`0L$WfQ-LZAu>V!E7%pJ<;*K%G!X)TI`K$Qh7MQEX?>zo&s1*x%+e9!Q+o{0`Rl%4r znJ*>1yD|AiBsOoMp>s&-;|0B{!%o|faS`yuFC*~+|OgQX0~0n2J8&>=^q z?`%#PvX>Y?3O`X%Vh0S-G&z3Fg#%K4bKrL1T8a`{AATlTmlZ*I6FC8h?{A-Oxb>ze zpJ}T6;8ZFdgVo0fYxK*c9RtNXp9kJD+BKy@V@UZT&c`E;FC1&(f(V7m6YOI%n^jMz z`f(r_lgb{itYdK{tqR#pubdWRT2~vL6%HqPht_??&ziYetoTd~&HRbUu$%dkGy3V5 z1wWnr+2?aXx()8|4YTjk;fFspkT#X=RERP<2TajD*X=YldTHL2D({)ZxY*LQhnY*$ zUqZtkWPAp(NO~@o#tTBV+STb?3?;o+{^H>TPb%tB$vP`5b|^lvtJ!*K)=Vgdr|2{* zio=o7TTq8v9xO5prj#*|m@8Bb#&92@MVwvGS5T8_w)(_{oHW_c(TF}%6N;upCSh4Cab-0;g%FfTCnUvV>@gX@<(V3l!7e`gBL$PJRAiyvC*Fg-ivJFntB;T1 zO-5E1^1#l^6CFr4pbb?{;>zHn3x903Y7B>E;~FQ)1qoG~A>L27PbDA^rvg7720bLy zp~@k2D)0_@*bKIiHC5bhAh0HR!WNc3;cEk=L-5gnm3}%6BU34O)glAHI*a>ijOqQSf`z*5U&9I>OFZ%`4k3EQqYVl^||m zh6slpNgdD_xie#hHcm9DHQr&I(b1A?^M?xJEo{BX66@J8$7MB&64uB5DRwEv z3VgeWn2LrQoTu$&vsn>}1dr+BxQ}=X_ltNe;HgmdNA`1z2ZD~1ROHtO9~d~2kFOha zR*Zkj=tGaEtop3(P*heblJ4XVysU;!(jS3D+gR!H?>LBAf?5~^WMh6bFx0x~Q?Uq}dk6Zms!KD5i}1ZE*5 zR7JkYX+IOtg)B;Rpu2~C4B*E@tnwnM_rz{$Z1A$nTV$OM#M zyMQ- z#Nl>+rNiT+sR2!5j(t5HqrsR3eY!pKENo+JQ*A%p_np6y^McV+k*QutvmtpY8sg9w zR&~`#UNS2M0uRNAH(a6^UkR7OHH@&8sR?ikiwyO;!4Yl|ln_nHG)#R1mqC*d$EZLJ z58>X>-q4#9wCS}2NvNo?j|CF%u>)gu+H(46!O+Jc8o^*vNVGAZ$V&zMpf=Sdw}&X? z7yen;jDJ#Y!)9Al`++?Y`j0}(MsrIt13NNsxjfz*y_W`&xoAZyK+IDXL_j-o871(L zeGz*a?ZYmR)%Ets(akLE86U_2sE?pD!p0Pe=v+R-|M1BXC7j8hzuwlWS?(FuCpnVq zw{R}r+NNA({~{xOSza_dWdRm_v7bxCB3;%Py4Mg*b?FQ~NvtJ;CX`jue1g4a5T7m9 zv%Yo`cHiK1f#It;75a3?*S_V%Yhi~ecjC8)mtTrcu_eo_KeD}5q3P@^fg&T%bBkX7 z$_?KY6|gqSd|1)BSzNkrcC8L^b|y3w4=o&SC0&Z`Z2n|S+GvE9g{yL?GZMcXr!hs! z^YO&UQG;>4eyYEhBDs&A=?88CS2JpVqirwcC#_xOTUcX3(HJ+QSh^v0x^$(bScw@5MmtvaqYZ8Pcvm_ry^ISg42{J_U??DdAUD z0WmZ-`y*a(Rkn(Ct=32UcXIwF6LhEi0f+wGS8IcMZ)b*&hvnoD%{!5JWgBg~nHqT7(>}zo1>9Js5oRjQ z8}I5Zr2_xs9deU`3nu?M3jpcX2d(@k)hT3niX(+;)J_^@ngkI3K^w$%vSl>vV>WBr z0Iv2v5@UQ2YeIqFCzCsNuR!wP0M&qo4+cvBp8`VZlAay?;v4ri^SyB5Hkn61x>=7j z?S7gr{L)^hu$N`|gKg$kpP)u=H5c&{fYK=k2E?(~#TnU7=dNaDD)Zr3Dm_tgB6g?P z#Mscn{ciNqD_+q3uwf^qeFS}44{93`9#KA=>HF*9sC@$??U($(87~~#9dNHO=7C-J zy!Ed@l2bbhGfAI=TaSOKH)2wI?@Oz)-QX9DY$sk>9EqMv6;-`?jq3?gDUZi+6i6DF zV%+r$@$ci1W9a^Y;K)~bEt*EV<>+x-esvhXhx~moY7whT$wgHgKMJ`9_Mb^7sYd&% z=|@mrdTwU!E9^?e`O$cyHO^jkoZv|8qg#{TYF1$lst=O8D4VgkKoHyp)dB*Z(zn^W zy`WFY6A0&4?kj`FRb^_nwxvoNd+P0u?Y_rmITApO zR=39HRwwqO<`PU4YER;wrrTrCifK(@fvam*32f z`N>o>a76O(L3VV0y-APnClhRsYX6ILrWv~LUWqhe@rld)*c8-6P;%F>hoXL@c>7J~ z&NH9XpSP`!oaNKcj*P+a(TlC`8$wcNTjD?h&Ct@QKeH%bEZB_>5)XT)Qc69E4wjnB zI_QOCN1-(?q=}dMo}WW)RkIy>zR!;dF$=ojT=Bu6EhPfHdf&ENdE(i)GUm~?63Qm= zNHkGBId&|3SQ21@E{@)J(8QK<&w(aeWb|0k#bK7-qgwZf>4^~@OFGIAQC3Z zxQ3$*q(2hTVtKDsQV_owXqne_vA?d0rcl(PYkP*af#6+9ol)CqHX+z+YCO45KC#fY8nb0+ zR4Q0iFpp)H7RT0e14*W3urezuzaC%Ygt4)@<;XbZ@wF$h*HP(>@o~m9&OH)|?J|OF$u@zBKE$2Jx1FO7brg)6$o)|tRJm0Bjex2l-g|vSGFb3d7BFm}$x;(}E@9XV4aB#McmOOv5^~F^w;E6Pej8FcZp?%ywxmm^X5%V3 zjwU?iQ8(vDiyv8KSY2*Xj4DPpkJQqm%>AZZL6kTXD4@#LvS?9k)U$62_toYkUg?1R zB{oQvXq=jzUB)+bD#GOw(-D~kHR}x!a z*Qv*seU@*;j$UP67O)w@(iR}`H+2W+t zV}>x6f<4av5)zG2kNC458)zzfi5H3Ve%KLEwweb&f1QpC0lk5fXr^*Y%)lm?w4o}{ zi^hrrZlU*xcjlMzxy3uMG580x!{tcdTYM%n0p1JOc(kMp`3J1~rVMR)M24DfBXR}4 zxun(RRX0K$@p^z<%@8Rfx2WTZvV2?>S!?G~jbPLsKw#wI_E5JBPP6R3<1qI7;3P}S zO+-!8ILBx`797t&Q>0^KL`hGzF_v1*f?b?wdc-G;v#sIi9P*Xb7} z3~dXIrOjklbt7~|Ky7C5Z@y-*mEbmMMqIr%3qV^1w4t{)KanqMOk*R=VEXu^_Ylu> zX=)svU7GW*{itiO&Hn8}VbX6^iuGmc)`NZ71^WsXW}-SO>lw>x2oX@H!)hk8W$GgK z*7o`4&J)=*jh!-TVaySDxFDU6dyGOW*U~5*j$l^_;`E%z-cV7ub1<+axn* z?!6+rYAOurx@)ztv@fYoZ0S`<$CVNtf}tEkgBaz@KvFh0*KNnA^)`f=w;7(X_ZHlI z!U=wA99Q~X*1E>o%I|y^_~b0+y)Lf83GwBupkO=f`|?aeqw%rZjb63TN|~HRYPbB% zZ+6)ZCL~!Lum=~1kFCfNOLV7?le1$PsL|~wQ=9ML&T0;sv%1={jg z*~Fcmw*;?%k!nb6_s|N^ydqBPm!5q$S{D)DRn)^$ItS#(54E{QR_&=M_O=GsfQ{ERRz8ENt0@{TSTAX zYaNDJxRpHOVNi}YE;xzPs^_;H+hgr!=J|#zw~E{oJo1ZKTm48S0Uwhh#7 zIfjhv8S?FmwhXS)gX4%cipE$gw6v6{JUQjueLq(ffuJUg{+$6O=b(sF6KMwP+dq`% z#Nz2^3=m}m^sS^*hZOi0q!GFyJi@V0&$w|YH|^Tb@!SvZ%Jz-cOY9Gt;~G}KS2)F@ zPG-A(pTdciALvOA5uQPrB2GLm_*3bpHWRFyW@9Q=KXnc_3_24)PUoxvN_QysFd1(OYrt>47Dr*DZ z*)SR?a^rLAAEdFyzv7}9ELq8v`n!OCRXyC;PZX0w5bl9MdTebCGa)4==5Klso&?HZ zH+ADA3rV@=@cSYANP%{NktUQmmhb*mOA%tQkaY#&2UEHmjLw!Q1v1ioYhQ#LM8e7y zuFBAfwEyaFRC5u6T6gacMHV80Yf7h6npwH!2)z{O<_iVeq9+Vf0nJrq3c2(>fkIPA z>>aJdZR^TZQt<)FvtKs<4en7pI?{r#Zh8{NReyTS%7`vfU2w&|q4!S&&apif<> z-}X73<-2iTcn0_sSj5?bYzOj{?jTx!+`9oHBq? zWx7H~orN3OB&f0Xv)}-H`tCYl4^d`ljQ;%*yYn<2<63@byp$E>T6>2RK%2$^oW!48_BUo}x3i9XJXu_UOoPXRXk{>mJf`HLDO*M^%bDD?l48#BgVILaeWbY^jKZXdVR67&T2gG_ zTQ`{wda%sQO>?-G5FAmP29(yIx09x_fjww!a%VI>!MIlNT>vDanarag$g%6JVHJt*b+_S!ekB=yhh)E5=hx>;0PY!8BMYuDphkbuE_o@#3w zd@Wed&`V*wly%GKJm&z>@IgGZwe$1GM(8Eh_x>ix5U0O!{sN;fA#009awKOX`;(rM zUUF(eTThuyHblw(WF!s`#WveQT|o+lqkoq{b8O-XV9e)zvMj-^8bz))18WV9(?`Mm zZTj$TPz9}|cqp+7RUO<9$RU4_T~a0yMzlv#Y$K7>+S(x#jB#OCAoTABSG%P0^&aY^ zTmNW;Is>%0^39^8e_&+>zFM14m4!kgLI?e5WR;QsaDQ529;1dX@mQ{cIC%s-@OlgT z_AB5Jl)ebf?gida`q1;b13R0s^BdFE?uVc#jIE5EX^LDRJ!))Sr4hp4Z`1wyM= zC@h>C)XWkk_unp+D(E)LPbJZM;3j5vhwEYE97*AXWv_UsiLHgHfg{L z!B*LxLG|n2HHU)6@E&so?xK$eZLwu4MV^3#{hY2)bR}#CK(1c?ICYeJ{0Y&Ue746r zCsRECyy5oWyGFh{*iO9M*G}*&oncMxf8?92e6f4y$Wd!q5GOOLp8)Kj;&zbEgvxh| z_3boI<0}a${|6(R^d%JwX^UB%=AHLL!61F-5Jf@(b92>Ex6X&|PipCDicS-MP?qdx z)sRi#i3^SptY2rUUUH~{pR?f+v+Wb2HVN_3R?u#6Hqmg9bEZvl7N+$H%zMTwPvzr< zM??kApifc-5AH7&vxXj?83(OtJTerbxn$^vToXXmxrG1n;+u-rlglcDx7)hUM z;h0P7n*J`0{I=cL%lE!eHX2lAVdNWcJ+>*wh#9x36^O& zp(>XSIZX`(=ITa5OvmmF>Y=XlKY-?5JsV6U)GZOP`ASasn9mSPFzBSD3&uKC3j%Xl zgP7e=Y(rH@zvvXPt-#4FQK2*D&Y1YEtx8}GA7)CDgk2*sxQWFDLdCqXv-R}6d)Zu| zT$yKZXCSERwbpH5rmjbqdhquq#_`@)5uROD1Z_@T6Q26bu`nA;u`LmInePUbdG{=3MTsNG^#bE>Z=Yr8?_h zt19i8RbMaY!7s6+K~*NH3UZh|LdCB~AikK#6+6;wo>Y_)lC4 z-9r?W!C}55(deRl=&u91IM}~$?1<((V^ZY;T2iJjiWv{DfNUh7Wkb~@NUkjFKR}n!T!P`z5^))u^8AWre-m}_qD~= z;uG(QoeXiLauPq5Dx42M7;o|SkJr&f*ZK?W6~C9M1mAIYuwXXvu`kOLltpc`o|Xkp ziA)x+zRixoWCe(VVaSw~AUPJ^v1utqakv^EA``B)fIbH}P!y_NLbw&AoQ!4CQW_uQ z47a}Q>bcV}r|PgF@!0HF=QitaDv93?DDTkk&^-wvV;t`7JxN^0ho+PWa}~nh2Pp#A zmdbV-K!^=0$RxVvpy8kiX|S3*#5khwMW9V8x|GjpL_S^*hpSC@Abaq?#3X?)nO}v9 zNnC{@sI}T;LGdyybO%r<8%?mi zF^^^o3BI$%0v|CW(%4uZ4&2_X#B6_QS@5@f-cop8i%?$2m%$V(xDx>yIOVC5Tmf_al^+HSojqNb1Ha`sdbXu&~wVwAwnd)=IGBh`{pWHF6aKqJGj;8YIh>w`9vT zRZO5$j@M>gT>4l){u`pe+e8pv=K_PJatVq3yR32Ok+ZF;UU-%tA9A-Xs> zzPH}pjYu^mx?G#iI4Rh&Xx&1?mA_BSpqlH9X72W!p|{*C%F8sY3))yDeP`l`tuo2f zr7#QKw@AWI0-iG@w6vxgG--eD{a*F*2B1c8ZoqGCrb_Ct=%8HNZLi86}Z z6VO{3TL(Opi&yI^$)L_yP92;0RUyMyh;!C^97sU3#BK8NQaHgnO{!R%N-FANi#ntI z!O^~?wMBAe9k=>*F1VZm>2vBtk}`#Nxd5T_?LQGGYqXRe7C;l>5KVZ6o>1j8+g1*% zA?_M2tA|5WP?mQ_sgjo*c-Hz4lYiw_7B&RxMT`=7Vd%7`uEc**X*UN^x4nhv#+-jz zoPU(FY3oiV@V?jblVO+1kC-AsRzvPQ+?f^Z;8x2>3M|^jV~I2+Y@+vLYC13$SvrLl zJXb?0Zt4%^u&+KVg3mS~g@Ds;&z7OR%*7@bBKl~jO;*}IM~#w3Sfx4suF$ZZAtszM zp&V7cqLDT_on}v;vqgN8OK79pA0ECIJZJzL(zf$xyD3FW^-~}-NcD0dk|;$94Crpj zG4eLp4?Mgd1B*;>U@bx^tOQn#EKeFqnJhb&9;xSzTw<`}Fpx z6tf-v63xFhadkB63jzi;eJjQ@RnIsH=k$#%aa{wQ;=Tq3^h?pjeoj1*MTdQ>ym5n~ zPCQtKUUmFT0-VU6#x5>GSNVepDR|0-RO(x#A)sg$(_S;Hyt%;wuJCO#xXD%5IUU(g zs9k%_PNg^fSk1`*GiSqWR8g&tvc%h{M8Gf&-4fd+sY|w-Q1S!7E*_7%qbZnQ!KMv$reFb; zs9k9e*}^%z2_5C!REPwPto5+(Y^^&&bnaPEZ~ZPAd(+O>rNF@?a-(Jw7#Z2mVN<3t zpy+<9RJ|E|+c9d66R#mEx|WhG8pcQM6kVYtG4+K}MhNy@-xr#qULVlhVl+`BiVp9` z^;jB}BYz=Bz<-HVoq`Kl=55)+iQ%}YKP_~2&g}RgeM)(r(amEzv$X-Zfs_(=Xtf!6o z3QJXY2)q{*{%J>Wbpg1!ik_43f@MwNJO7BB5Q{;YRiB1joK_7B%tf`=_WNih=B?7iBkf9#=hY@J;Mi!WhazL9w zk-pW7$NGet)^M1BDm()I8kvQE1GL;7T$pYukn4HM<*1A-wK8ejGjve|Rv@vbva=gw za;Z&~u}ibixyw-5-nt=!7yZSFn`MQpFQrcf2);488naIH`!L zvb5MbG3OdX|M|X5Ra^6xRh~T$XXs*pX9RcIgIrfd@w2U!>rfUux`v zBs(WYxppIpB&sx7*@z_a5qrZv^9NmF>>(l;ju*Koq2-iS=qh@Ff*}L~#-K89vDpv9 zL0S7#>KnjzcNyd|R!7#Dbjm`xyhnhvdmIWJibf~^M63K~aoLZ37$SO4{$g}Iua(I) zhpjwL_}>593M8=989E!RMILg^n6jl*^Gx&Zn$}h_Za8H3wfnR7@zV3Bn*N<=n{G7Y z*sj%G@3lG#@iCA>Y!X~-ug|1Tu!1HfC}6gF3u!IY zG;%q241?>u$x$TrA-Q4+nc$a2iALzm`;KHsoXy5p8wfPTfbihY6{%Hyzti=9O1p9z ze5!i6^7WsIado-B_6^4So+u3qa?wT8{Lw8nb@AQD_CFA=e3Xr*s8E^indutxvJY}b zL60V{kAW>9&?t#Rjqeo>XmlI5tj9N&ZFINfUCr#h&?R#j{!M{@&@u8^e4c!G0WFJiG}gPM1J`gQng zh#MRs+~i5lz_b$a7SIqOnsP$P)~>j5#NdUzz&(-(v^Zl@RW>HnzQ9HjFZtbSy4ya# zTpkA3;e4EXxs_gn!p&pqT$Vi(Dt7vF$b9mrO8{grwdx$+Iod_0-_<|#sY%cbjL)mzp zUITcX{hEt0Qv`zIEmia+;bBUL{b;@Dg0t(^V~U!C&T0Cn^i80zsOp2-_@q56PEvJg z=B8hF|MXTrXrI$MQt2Wa+@E!eSx+2OqcnfX?w$&nk!WA6|G~|$FE%>?4UG%F*4gW# zsp-`5$G!t$x-3XiccI@WmdbeJe{qy=FTEGdXqsG&eKh8zKrmA1Mh&Sd_$etGSI6j$ zjqQKZOvSFpb`%^K4J$~XVJUnD%J;93Rmw*S(oLM-8a;HU1BoJ3xSL99hE`*H?|*EJ z(HPPui$B2KV$2W8QM|xHwxjQ zXW`0TA?~%BM443iCp@7JDV<=EH`I8*_E=Txa_5ur%Chr&gsiX+b7_tb?PVWhZ%{wI!mSd@V)_0Df=l;R?tJ;@ zt^j?5)#+EBJZb*$_K^Lft+a$XhYxniqgTJQIkG5&?7H(;mXTBgx4M&Qp30-W`!l)E z>q95(q<_*_B>CGd{4Dg)c&f_4PT@Pu#aIRP)mXp6Ow=xgs-IAeDdfiO>8g9sKrG%& zDNCBDrbne*@uR%rnrs|}^a$nI@wm)8^VuK0d1Pf8 z5;*1S<@^MA^^JaUmgGl|`GZvZ!zp7zTj^BRfoVexxh$@gl}GFD4UX(745)SD-Yxcp z#xA{o=}i~ZD}P8FA#h2{H`{Ht>m#9(^94e5OLt}WuZZ_9Jf>u+9~4}Z^>9-tY|FjZ z-u|!XBCvyDkfV9F_nL%lYL*JPS>6oKR|=B7{h-cR zNmg$O|b6r-*PU|_XXg~Cg5y11s=6Ut*)=q5X6>noma>T9Mz zXR-;d&kVZXrk`WR(~aG_#i-#>!nR0-a_;){OY(}bG{AJrrUonCx%=``il<%e!6&ma zuX{z&dmRw|=sf1C@sdbxH4Wp8?h6z^c3Ds&@qY!)6UC zG&T~frBmwglQS#FWqXfezm8-Ja+n(l&uZCo28p!cZm~Gu@)gG8xIKrZy2A>YzIv`j zVc0B`DxKs&?KKr6qrxm=0S&z$t4`C{Sq$_$!3i51SYMJWtR7E|_ppTVJWVR}!$>WZ zsc}VPLWw|m{yvLO zrHZ{mq8UuNDO}3Zb~}BR*R+i&Qt|`^=c1)Y-(e9yp7!nEx-)AU^a{0+*CF-*OAn=F zb-F25&Vzx|Y+BElJPjsMT9h+~oYnq3MmJxG6%oNU^@E!W#q-cT6XG#iw&kzUyQ==(h01>5{xHnWH;M1D^=wlkKcHh8xUVgLs+? zI|r?m)imbfw%99E<25w=NqAJUJFTrZ_&@in;5X{|z?Fw8@%@z3J~ea6Y+bJW@UfgE-H^uYX75_H?+6(;t)je*nIG8Dj?Ll?g%YCf$obswG_?tU(?G6htOPXzBc^rO^CL^ zV>z4tfzYw#*S50UQ!x_-4caBFxI}@!1^VVblXt=2tdS4g4}_9HQj?4TjI{gbEz0!& z{gXI3tOiC%4Y6b=*^E*uS_Qkx6wF{}+cLnbuN7Go+ z!g}fMqu4gFH=w`3IUght){&m4F-24MAzTmPW3vL5aU`F?kYo2|G}InI`>Ub=ZYtT) z4OeB=!$aJe zJbVHmW~iBBoS?V_Bn#jcTuu$0OCv+mN}rzWZmpTp6<`q&_7nm1WeAO$C!hry%C>em zeYQc~l_U7I<4vNQeS}O4Ek~vZ<#~R8I1(=3#b8Pu|I|4<_;qAiQ?teM7 zphE+^kYWEk=*%~)39MX28S@xyTK`qu;*~*A#pWxvWpwrx!mk9yX~|e(?x9fI{PQoc zvMTT0;*qrq8Nx$R6v(yjWk#-M3BageY&F(;f6SHw6p(0Au>;W^`?xr$lAd(M2J7Mk zsIu5~)h2bwX5>+XTMj*mwmOV38pEYighv(AWx5~y4=K6IIo%&7vu?bQyvEPIo|to; zuD|k8>g}%!URk}u=+eelQ?Te5H1s+6Bip3nYPZ68g>nGhtTPz;Kvh*lIi7aSZ;wg4 zAx>$C2Br^GSp3yi2iBx!Sv^*aPm%}hd_Pxv##UBPC1=4A0S!AJroe)S*kD*+SkY7$ zCsp|?5=Ihfn5j6L9_j0Qp%)(|_==o?0Iwkx#RIidM)EF%J4@Wd&V3YG`dtO6sN`_ivDaUm;h-^K^Ge>-|z_?2@%lo~r35_kfV5xZrn;@K~Vq}Y} zY;W3Gqke)y*<@C-3n$9V#)&!6USKGIY#G5>bzM|_O=Q;w*Rl1`fuOy_UA-0ZyozMF zBQci=Lv#i0j}!!GbG)1@#Qo8F*z~K3qoxt@@Zpgo`qx=2_CB1$`#}D+ZRRt_-sZOL zZ&haG&yDTybm2Uwb5rc?EYHr3sF^$*@!?`imTV&!CA;R-p}H+gNnAid2)d_L#t1c6 zyKhbbLWez6?G$&uf2PvMrk2@&wKWgYDK8K?SXrX>UcjRC4vv2|q-9Y4;_-pEMq~~P z>~C$xeXCs?A|2Au8?oTz0{v?IwfvR0REG|lvk+G_ZX8h$tLZdA7DscPDi+nVRzQL~ zzz?ruOK{EZZk6OmYsyuwZ>ZZ57Yj&^4ow)}0M70_5RP+gr5Y4s8d*GdM0k;UidZ z>+0WvyzH-EUx)(+ zE9`|+`N}djO$lK!Bv1eGl?D?XkxcC zAFAV}EhP4N(#c!(hAaF4esgY7)ErnY1$C?@DsL%-SqM>w*N!Nw2B`}AtXl_x` zM0h(s{KlQNZ}dvOe)v-vUsQ3V99W7KX}P(9`r+IPzjMwPJFyPH&SO%setif|oR8m| zoqBy^e#jWJ1J`#ua0CC7lNU(HX_@8%FjSDGNKLXbLr&qg>@H|W6WeEjk5 zP|8)#dD8K*(`ctVIe%j#M5`viafnNd12D-vy zIOtx?Q|&vio!uGJyD~xbo-2;TCv|{kt|k61 zc<<((LGDwyVT{AqVDRQ z$q$teSC(>AoW!+7HD_6i4l^1KYsE1T^ypua^ES&#EPXh zyW^PF^C0o=vdn}hKwWmWt8@nCg-aa?>NIV*NsfLGdBzt5v;|tA@OY|EeX3+HmBZ2{IDM$Q4<>C!t%NeZ|kL`q9L}8ETf6T zP}%#?P-`pz_lX|XSo~Ckk6?U+tS#?@69C5GOE?a=1B{QoQ1BT~>C?log}1+XEGc1_ zZNPBAjxQ>r7L&A5K7d8u(7cx#G;OpacACkQB1{i!q3X6Ql|AE`zb$Yx(TAmzP!+&lnu2)x2ZHA7Cu>-L@lG z$82 zn^p{qp2*A9C)JBcV&yejkC*i;hJSNrmZ#xoc zrdZACq~fzVvqy7~xMQ~BpD0lzD^_+n?0~l!j+?0d^SmlTvg;ln!;`rM0qYi}9fRw1 zxON!OUV8qE`?;r@t?yqdk2=0qxY@$qLa!+t(v|jsEfMDZO`MdS0JLcmJix>kWA=Jj zN)iL_>J3(ad(oFi(ABs)UEqIvgLpb?FShOwh^Uu#*d3}%q%~EEtMSq9$KicUtLX)$ zI)q@2FNnd8B@>3oRzUL0c3^BWe4n6ZJl4eVexePAyUq|{l9aq%JsZCCS>O#E89WC& zF|izoGiQ`$6tnrPT2@wrw8F_saBq$Si;4o9=fAsu#>U;FQti=GZX7QxR=EssH@i#^ z*kTOkvEN&TQ?`38kDZq2teJ9rikaf`Kh@DDUfbPUdk(H9;Kxgj%Xfv(fnC&~cX}@% z6$Jg8tDxY2SwE<_3^>wS_NIjKFK^vb1y&Bc`5kZKZI$6(ww*riz?#?~5gS}CPh-^v zVG5U2p|Fb+oz>&rv{bZ$6&1f1WH?lna;z4BAJ#jnHts<+i6*V1c$r8zoZM+xbHQAZ zu#WTjzIY1m-TiH`3nr7(cBu>U=rzM zMO0Y`#lX7uUq=$?WxQY!{@=j@I|O5ZF-oLFR%Qo(%PiKAQf!xj=*m4M!tst!{23?7 zvpHAoY-4lR)mT$UA>I9!=-8Z!oAm=&mY%x{`I(d56Bsr@`7p_JPw#ooU!aTLK0Qo zkSz8!Wf3oeP1)Sfd>d>$mCsm{G8S3W7#@&cWuc=g$Q<<^nkGFns()|P zrBo)`KLPqe)+VLNk30Mc zj*$<$9aR)5s0y~idOx97Z-)ZSue68K)I}Ub8+hs$O7W7hEUkrUZ+hTWNQt`3ue_=8 zSYl!Fv_U%=8{U|)nMPnbiK)jWa-4=@MtTX&R||YNRcnYR)l8JP^8YVRjY1@ zpAe4er%nd5PF>m!TGq+MBoe2hd}l;gw~_ft?QFP3(j85)L(%IgN$Xyz2c>%fTlKR0 z#P4J33!jS~{WHaqHq+t2*CiKy*ZpLy;YnKZGKM>zAR4Z8)$G2`HQCFm zTnz{-Ha@^!TT~$q_g9YW3wihcT09{;g1fiQy%2F_t-(&nXZm#AdlEsI8i6Ju%3#fj_7jD0Q0y5qt-vGpj+aEY-D`# zT}loz7}^H?fRRJNDnJEG@LZO1*j$C+69Djm;Y+^-AS2y?u=+vohLCu2^dejxT?J$f zbiAY^A$O`C4Fa8?B<;qH4UM za_r;3CK*tmde0#Ok?HFVRxDHW?v4}Mk%~5~CXwuzrB1mBIY0PLw`?KL79GA{ z&av=wUp#ml2yfM;G~>?lhGbrL8YCMMEW`I{%~(wB&m<@ZpIp??9dNJ_9V*R)xGG$~ zMLEY#(o(hOvfE)Un%;JBPc{6vs1M=_i6eIRC#hs1N6#?oorFTVP+WdSf8WCJ97GWE zp!J&;QyAzk1OS8HM{cTM;ssL3j_yACP2b03<+SNF2~R91+Mt@Wdmexv4y?QH0AoF1 zpPgodyil->KNhomaG^nx4QM_J&QYL^P=Rs9Ld?E%AMTQ{{j?w&f2s>^D!F%>XmYHW zbSUBC;!g9Wahn)QhJC4!h&P7;@$XjQSZDppZubZ|n19c9QOVP-(cuBPE9Z^kMqDC^ zLPx_er@EVdq@|pRvT!%N^8G%i22%4HWG6fo+c`=+Ulc!W|Am>hUe^wNa#_8va?%XA z+F9(fB1JT3kAVqq)(s+5G}gWWD||6{3ov2>cEuGhKAai6&U{VG-Y{m$BdzKV7e;Vz z%SDI#$F3!Jc2ga#XWNsM2M7MLCze_)8W77O*WrU^pfT-LYk<%AYq#t})91yJetC?$ z^+4En-BNa` z*_y*_&u$0eH_IomX2*jn283RE)~RKI9rz2FqmawB)80tLL(FSmDoyR!5%vFv-#rYD zRx*J9BzOH`>l)w#4AdJxt@S=ZJ;Jb6)lK{u)}IV*KQU?ZtxE{Q>_rg{FsDFC)@lue znU?jE9=t-{q!D`zlJF1LwA#3q=1Z$bK+T~0;J2T!$TbT>c^X;ag~SF{gI-Ro^O7g5!(BAR(I1!)|z?eoKJ z%yTO*THRugDdLV6E&enIZrO`o0Lcm65>tE-6#n-|P-zE#n;#!gaatl)qN=uoqY8T6 zd|^!{B=PDjXjZDawc>9SqJL(Rz7d^v*zT|(0Zx|9i_@3Bar?>_)kOe_bf85?Crx{= zO&;q_^gez2`mWIndlzIF0mq3oZbkUmCw3>TFmbTZzs-3zWHq`6eY)vkz=o2>y zK0rjb&a^J=)R0<9AKoMjk=i%(LcI|xo$ycT5M*-F5zLjrjKApE*}Cigw@mT?h-wh! zYtsLTl#@*vq{hfnSLU16(o!KMFTf?8cE3R+7&9Gx^UfLwfjW#Wbj_)0v`o$34#6d` z{zgBWvaG89=3C9=+v-jlEI8N~$%y6{6J+6Uz(_U1_*li&6oKc5&;>;QvlphFnf@&F zU6Zx)>XUW*#vd8ynlB~u&S*D;eX%M~yRc{1b7}3d9yc52H0~T$zdYtZO6rg1%&}qe zWZ4I~9HkA~a_R2HmU5xjK)025tra+LQ6o`MiAKH=bsX8I+;NTey9{Ksl$Ip~27&J? zzI3XGE!Zn1V`Uat)t8-v?XYt6#(ukmF`pQRQZ}Hsnk}%+z@I=}8wB!ZK;%Uxf5f^7 zH(olrtvrQ!D5Ax=TZ)C1_hz7J5A{bcTvDBrqjx8O=n8NMj}TgDU_*L!W0!04lkFqV zWI&nO1&DfO^ox*9lK)^wE|ON_{r{&IAwYP96AWrMd%8>lVsXXh`{KAqQF} z5%%>l>qvHZSG^BU%z^3oHux)&giqV~{uboN_c-sao3u^t{?$C$;L4W}opRfp7vwIaY+Ch5jdlsr zXH)ne$KS!cml8+2zfh#G_4<9kAn`x5(S$90n;Wa^sY&)%nzO;Vm>CS>F);7e zzgy|fos<5S8XyojxoBDz0HHEOk#)u&Xc^q_2}CozOq!j;dTCu>8otAtv}}{#;ZvOw zH_sC6xl^Z);`Vzg6}?pXCXL&2Y5{(h7iHrK48=NMd!UKtHAVu-S=}-?`i5`xN`~$8 z#d{cmW%SSh^we#LVIS1oV~DR~*bXq~l9DueYU;2RCOP`M@V{F}S2ck!i-&Iv7qP$T znoH|KMw1)}y@xZN^;qJK9eP=;;bb|bf{%>;;&ai5?f#-y^sgoJ zBwQi}oX&=vrLd5$8s=dIX~JYU;QJ3+3hA!JMev*=+kyHk+f08+7k*f^X)*Y8;`XY6 zN(0vH7f4K>E~PNLBys112i3Wsn@^{gbvq?_1$X|M&X+0f-nOcyitERqjh|{LtXO3X z=fWUaBOADLx|Ady`zV7(XnDNR4awi!cS8_MrcyTO=6y;&^!M&Sc2;!h?Wn?XSV?HU&{y=<^ z`b=D+@5!%X8FC_lQ$1>kEaS^S;#m>9GyE<~K^EV;;aQ*t5l`v_8`I6i`)BLo^84U` zwYnr&r1A9q+q;(p=7spBnaAK)#-~EV(1w(JV7>YPlP_ z7=3~ou9R1BO720Mw$o46X#np91B`mL_b>dRns%E=+}mBihU}h28rK`*nj~M%0O^dK zAkxV_Vl=45%)#50z!^4pVykw%{O-}Vs}Yi)?wlWYWqxctXe#Y9+*&+7*7p1LG#844 zc2IfaXh}ri0ixfkW4~+T_+vf|3F_Rc`4seVv!Raujw^L~{V|2`zbpXd6Fa{p&cQ8c z)@}7zz1IP_Z_AmajxtFR>9@4?luKb|_c~uR&}KL91qU&eJ3B`m4&O@dYLJL-{2d;u z9%M-Pp}J3*ndHHS31C$E?kIPc>L^9{o3wt`JHP9P~S0MxKOiZlY(2!*ePo*E8!bJaK@%w3F78X1ihF zp8h}6Niu(Anj)$6l~hU*N!ePg^X`5=x{>_!zt_Nd9nkn5m99Lk2@0i^z*&ci1F`Ft zs>G&+r?qT$D^N84!b^Y$t3uQE5+GtvCfJ8`=)?AW5hph<2Zk-u#aFbv;vn4E z-0!3QT$)%I-V(_k9PYmvM;rk<>VY-^q!jA+ebs!tGyP9Jbcv zYBvEECtk+)9oX>o#jKOt>aD)EI4M_cx#|JUlFznnHRCOPM)DKCr-li_MdeO;ojKc7 zRwhif89Lysix!nVVgwfcStT03&2=F>OTiYAjDE4eS{RM)-ZR7G1MPw^T0=au)|AD2 znUf)`defa=v@f)?*FC}SI=+ZS>d!uhjzc$z4=#dy1}E)0hNk(G?q^na=06;l-Y!mn z`_a3>z9{iYFnX>ogqNOR_uS?m%onqk{x(2$D^SoRlzHSvvB7>HRcnwZ;Y@|34Pgen!(yX=0S zb3p2(ln+Eei4G6-e;d_%cWrr*n6mk#5SN(zW;^m^P>*+j8&J6?*reJHK&9fYhL$Y7 zv|$9;aX&zCkb+D+raTJQX(V32uVSIvZ{^gO^7>6@yR4Oc{Ns*hGgF@Jqr%)$Q#Zc$ zF}O#YS=kIxIOA(tq~y^^3Uanv5jU50JzQ<&6$_+Rj9C=lp_EMyyf=tB=C+qh8lY^s zv;<0`S~aJ(ZuyINhENSN8#7_#@fO*@9+c6b?K>dh*?j!|yP;@n1JC8L<1_E&T`oM) zepr6~04t{`ZhRj}*o4Hbuclxp!i63DwIcUNzI}7tsIVXj%!nu4D7n(@MAA#{YbgjX zN>D4EkySvLh6qKTYW0a6CnTh)B7vdNEZ&USWL8LPTJpO%;^8lQjQwIefPs%SQ=I4x z3nb==Xorlt^hoGneVK%dIJx^y>J@-^?-=aG#r3-YFh<;W3pP2!^QRHJK0u_ht!tlt z;Qw7#knD?vIDlx8Nd>~BwCle~0>S+MGadw{7IUnnerdDqMgM?4SigZYxhm-B{y#s0 zWYP^rm7(W2+Iy&!O+)H)P*1CceCB~7O)bRfYz=5QNbeg$in=`$sCyHRG5jtG*ql8P zPGl^tmNo?Oc#V7@3QyY$6$#73Jt!nYc*3H1OtBEoYjEBBbm@yYysP9s-owv6{LXyt zuyka+@~P%|h8H7^bBVueMt}G(?>5_fTt=VnbbOZAwl!a-{NwdFdhpuJUrD>2&dIK} z_EbsUg{}xvM$BOb4Jti%vDYR7Bk~wRxK_eejj9p|YeOfvSgj+UP3i1-_w62J#qGt7&zTBHR`bgbu7PIWL z;ie$X*{*b`lpr~A0WIjx(e6h_1zi+X@V5X(Mab*qe_x#d!dRct`O(MVX`PSz%JpNy zBaquuON1WafT5hxg3|PW#m?eCVUK$q5cDjJ>y}?Vb=mUIs^12-3$I==eO$ddB71q!0J3{8z2!w(!|in1?oHb*c5}$Y zrn@dUu-JgW1Atm-U1^rGbU=wH*rHRMZgQQpgr)L?Zg(3wl!iOwUa3n{Kkdj5wFS{G zBI^;m&4)HAhpCV}$-cJYdD7m~n@(R65Zt0bdc-0jgS8%O^hBS+73#l^Z4|31SzmzN z9Ma3ohXJX=A^7ChHweKhQJJxji^9avus#IjLW$=? z$!={q5ARUneOG+M&@umq!YUqYBi^j`N#65`#a5USDVF#b=4?JYU+$8R9u`Y9z+skr z?FCrdV!!&uDcl1!y~}owjQJRXCGMw!xEyx4dWHKhn+!QgxSYEdp94>jll*l1on&%1 zZ7fM3nYHMcl6@NrQ3Ia^r0m~5a4wzRE^8JG$kzO37xbjR#lUNA-w*2WU#`vMCS+uo zP$-R3bjmNcT#Bds*57aPn$eXW&XKlsrg1MRmlHpSuY&-k9l;@lqAP<2JL}KseNi&0 znj!xj4z~c=CYo-3jMkZxz_fWpc*&u4MnYFRU(PXbVT@?*i6cDl*t?p>chnl3i88Fg zQcZ@;0t%%vJlb&)PnNT70Uppt@jj!qQEx~ohotYm`Eexrc$UfVvyl?v1Y~(e#R(wH zk8FpbBygHeq$W-}%lqDblkJ3LM(E|`YuJ;jxqQVAkxrMeaFYJ--!o|vh@W-wR^N6$ zd{(6uxH9J@`+PfXBt855e?$rx<2cV0`Ryal3P|#yF1cEZSb7wkk+9{}8)}?-;|K0N ziHGIZDzP2QW~OoB^Zm<+H=GV(kz#e43#ju|Y;$z%jCLNsZ09l;G$!DLd=|bJ@XTp~ zIK(iIB$g4H9KFP*tl|n|79;OZtp_F?byH9{N0GIe<@mgkGTeyd#V8cV4)$12E3h%V z72;MH5xk!HJ|%7KWhdo|1e9?)<@XhZA+lx=$&$z@Pbs}wJP8L2Pc?tcFp2*3!@!fh ztk))Gt6wqZmnEoOe!r;etXbIPs+&u)p#)rQaAc(PAdv=u;Y>F7?d>@oGZz;Euity? zxq*yT4EJv5otQ7$>5>5U)x5ce7R+Szc>OYc^fub7Fd`WhS-gX-u*qD>qU7deTyMGo zq)6!cVM+kr`oGW>;8tuiZ8eWRE&qT5F;2jTH|#fYW}wmcMFoHH(eJBsHlGG?z_R|) z3X}g_0s7m>t6LcT%wHiSY70jDJok7LkzgX>6WPG#F^d22MFjNtnjgZ&a-uh$dSw zHt`C(3?U#tm${y{3cfvmQPhP`&lE1Z1n}9b9`k0uDP;Zl!{E(XmBsUYW&4PQ3(G3r zQv)t>#;QEtdyBoN zIsqF%$xhOp^yJ7Jdb|yYMxq>9&W$RS#WHujYWl<{ee8QVuu+YYShfm`j2ht^P8@XK z%kabczw&Q@-1K%lLYOCmN~zja>f2o2&$tZ^Vqeesx2rj_FNi8scP{B%vKd&HNEP%< zZV{F!Y|P{by>7>Y@De#+KN!7^%i~T4HWa+pE6IV+AIYyBIAZ!={)U$nwSa;i-C24?pgfi%D| zPA`55`Aq#?KoOsTJ_9J;=>wo*wCyLupDUU*H{qc+>+8V{n|g+Gcf#19s2R7xfF43#x*lY!SjtRIv@fi)6oxz1EjeN* z#r%|U#a)V=-6_OQc~${KfmaafV}U8O79=2?OBROs)YXPG8vixAnKM?Oh&M#9_4Kb} zNkB&*MOzU`$QOyUCI6LCz_N35&gp>TxGleI+6V~C=_JuEB-rU!1g)A$4_wA1d8rTU z1?P^2wTI<|nRv|gz$QtN%B9sSCc$9cqrUA!e-<}IHUX;SsIcyT@mBz=i+EXxqyT!u zK94a=iq?gL;JWG+$-QFg&d@=|d92s*b#h6(U^D);cp;4XCgjUjlZfjJD+|-wHQ{lb zW+G`dNym8Wn3DmfNS~rJcs0LY0KFto8l+{1XxL{9D>H~XsBxdTl=`78jr~5&dIUVN>aUf$)W}cn?|b=K zzhf`h?og?4VxEH;XNmL*ms?(leNdAbVDJV@YT*kfzJI#_QbzK(G^T;zg*f5KL*i5@ zyIE8b?sPMi1;9QuOMOxqWBg5R0+wmXajoYAK9CCoR~g?O`>b~I&E2~|Ce6m~082xp_k z!Ecb00fO)yb!l6E$9(5Dm8QxVYgnw#@N%l`ZzsYT@5?bRU+!!E%q(+kei8F5fwIcP zXeOmZMrIWH?&HPwuR}F&g@oPTAl#NLNc{LB!66cTT$vjUIXL7g{;kUgC6iTW@S|@AE$SD^x~6ZK6HM znb#v8eO2))pxn$X7lu+pQm#IuYjnC~0T#NKy23$Lm76;VV7#VGl95ryv$X3Ci&IC- z$UqAcK_T8dZOLRgGlGF1Um`V$yp1bBs6`)cqYc8^C2b^JQadkBuMxH+?CT91;irl8 z_KRj6JZh7J;rXgFp67es=ADAZ2XMS2Y}7G){%NDSeHW^Ct*K(HTfN%A_)F)4t7{Kp zbd?>#>D{Q{a{_R4Z0!$!L**Q!fHNg(H+19Zkwx&|Pzij*b_26FUCOC}s-dlq(R9>D zbJxQH{|(V{nsASSBt5k71A7kUhx|TMJzi?3f}7;ABr3!&;`QCXydK+o{G8>@doDZj*!MOs_IBx|eJ+wS|E&$=j7Ag;zstQNgIXmI z7^+l;D61`%w`PIQw#*Tv+?f$8T%ve28aCmAeTJm!tCv!!=P9*J^6qL|N6CkdIQPJ<~_ zyjjeZS>W_#cn*J9nl5L9?0$n~W_a7yFVE2;trOye7}yw+va~dnST5CH+z`MBPTql0 zN;_1*3fHO_OqY-e?JSL{FhgB>w8E_3g~i_(@Ss}?eZ4}I zJA5+29T05i_1shj>qojXkGjoDvAm~{-ZDz`(j<8=#Up2{m}F9bI+!K0tCJ0XD(u;SEj9G1j#H8H>eVrJU(HW+NIdnDdFWo+cC^%Xa( z@3vn3?a%MFi+>R0c`rCBO8h!Yo|tBT>W?=@aZc0D5Nn}o_f&N3--<&eW-9`EQ)u!} z$vsDdpNsDa{~daby-JTA55Y1*o1s-btl0ceRY{Qv^q}-?U7dwV>{wA>JVWsH+E<&C zry+Z)eB>IzwwmtJTN*Hg%Cot<>JB!QiAf0Mt`teq8p+$)>Y`NY)&~+YmWxGxc1niT z(jfb+Kk)~6H717;u|wU0w0}@(bmYT*gLcX^m7EarHy*}2yLY&Ajn{P;a(nFEKP)&X#lA*9T>o;h*S(WPQCt zv0X_Yy?o=~`>@NgkKvC^dnsXwYw%A2vEU~oL0LXKkT{+jthtLuN}HfoJUh9^gjSA+ z$tAp_?0X7F@KsEUD$m0HavCd2U2M`@y0U6WN?6O5Bkdn*;XcH}8OfQ;&VE?a;UT`5 z&SMJyIqIxhPmti^5lh(nSMFlhBThG|UtZE4ZV))sOL@m?_9L0})g0uGJ!$F2z&XLM za!8C%t~}jn=|ukh1&Oo;8qRX!lCTTJtIjjbru=x}jxJWd_wqpZm9g*Q!+t=`0)9h| z#uO?%e5$ET_+cNKF_g_oVW`M6T#&{ju5Wb#b+GaxuY1YOu;#<-%N`|j=86hupNAg` zk5oI7Bq?(~=-vqoJd(vq&Rt=frx4eZL=)LmVQ! znm0hvgl8MJWl+rqIV=0!;7%h`d>44Rz;bsZ~ zBYZ4JMd2v0EOm}V)eajjYR3!l6SID@@j%@FyF{TPS5WsN)@@bj>KO30WskaB$Wr*h zvIt=ga9s*3C6*&>2m6&AYM;U`MrcbFa#&(^9WuVHb{om34sqkRi8GLZb#l6> z$4YT5(&i2LI388NszEI8Nxs5Wg*~?4t&(8x?gcLIO$e~%WEDWYIS+hFyEUeTnhBZp27| zIw7OqBaQ8?hf3Zs7rh!-67AY?Ps%;rd4gOU$gkdK^-Mzd9V)yhMFzqjPF=&vl_0cE z0)JDiu+0*gpq0ki#Qx;{aV0YL);x%KSGpu~S3LS`)^WxJTE2VuJ+9MO+&sBE9(x9B z>W67;eg)BQM{5<{19v3A&m9L3VEF(Etiu+;?rrOEGyJQ`7BPRZ`R$}$ivAj6#`#Z8 z2ZZif23feJ4Ir{riM`UaZlnNO6`kp+il*mF}5rzD$ z;!bkA!kiQ0mMNjP_lQ~8$+2d~Bep|}=Jq8$XvgC+V&Mni@{%l2@G?0Y3@s+_M{!0%iPEu3D&UYp`PE3Ja*BYmz;@p{%BOh6sGP9~8onrq2AmGd8-PG=9WP zmn_8#vuHnu{5EsLcYoXwK0NT}73I6CA&tXgnh|1|CADu&TS9m_nluD zS3E9A4iueevw1L9>mR&a@S?O7AdJ~Ug#iFq%eX_-x;_dnT~v)jaU?;_sDAagn8X@+bV2K ztb}x}n}5}|>KGVxU>a}AdwOkQ;iejth8Zr~SohdEX4nGz86I2OCmy`T`$1QUuRo9~ zObX0;bQ-h9BcuDNx#rH=&Z@~?c-o*PocFWV3|o8POl`dWHL^7IwdlpvH~QDC0q+CQ zIT5{lYVAAdXV~yJ%f7n8!ymHMp6CvzsGOGj&vavttr0P55xRW9`6C;Z{&8B<=3$ub z(FZH|{kK?$in8AjO~(6jbQVJ;?xZlcIFIgH%qV;{H=rMCfQ7^MyPLxM5XqzJG_sc< zp1Ld~zo*nPB9B?ynSwS;jqD-DJp1ADz8Fee5R)Imykxc0kEFe;DGnYF=`&>g>lVpwDVPDx$Ve1Aa z98l-jl85rUl0r{qHkd4qR#TU$=s_&i*Mh@T(B9%B{R@Pi^7eei*CJESMp9+k^;9$@ z+EadvQ&3G$)}C^yD5E5%q7i%r_>V@$bXPKd70Y_UVNE`IaDqO9E6vq0VHlZ*3g24* zq`r~&bQV=6mg$Qd_{3MGS%7l5m2hhgqc%P7FGO_n3UXQ{K5g0#oPOynoB`P7^S6qjjCer$de>G@y1>b94(K;aNb!PTTO`fS5DgPV|MAH1R>*5c-9 zd2S-PHE_+7Fu4&Y?6PR{;sl=+iak90F{0#?K%F?0+|H4AGJhqe&`Sosii!OrExp)GuZ&h-r=M*B2)G}+x3cg5XF<#o1^b^A@Vukbr zuCJC|WN?l^7sJ0y8Q59z1%O1trSE>(`2Zft(*ucifb88>!clPv+^=(%ax%TI6g)*z z{4Va28urANz+qyo^=oZA5-yZ4#05FV8H$lEi7KdY<=Kyy zIxT&qt9vHa7^h)Ia*uGr?;`irx+cjMWe=ql+O|C^nTd@lt|Uf!-Ljed@fZO&fE~^dOqpnxP``8lOgmUL^xpDqBh?~(yZ=*p=u{)U{NTB8s}elQfKf;r#brV zMPg7uL4C9^!(PSxtEudgnppqM-(KIvl|s39!40&ybcOJ{@_k|qYbYQw6roODro6{! z4hk|RCKk8oyoE~(;X6A5@nE5DYCBSm#z_7EnTxFSJsN6~E|_Lp19wu18Qc?mLDvLg8rgFR#V6h9(6zI;&bO5d=IZX zI%KDYigmKqIq>~NSsbh1wUUlk;8&!|EoSL5A(I|@73bo#8VA=F$+hneZ~f=P;#GwG zJDOk8stq_ZefdN6q`H{!kUR1hIV9ALM~H#jht0yX)`&~?BB1V#Zxlz>@Um} z5EJ@tBW#0HIaPQc9N_?tk#u}kFENbtF6^q46t3n672jI(b;sKG+~>~Y3e0cNWAc=( z!5+XzwL6%7IbzVH{)XD|BAkxHsE&qE#SnOmR?z&`{|@mU!Wdx!M~_31pp*m$!|gOS_* zhM4$9F;Z*0TSdDBA4Cu-JfV!hT)oDbQ zu;NjsaB&ZEtj52$G-Z!axR_aY#lSY1!&}4gzg6P+%CfgerTQv8f_`^rvniI$Vd-z# z=JKv!R&Ur%RV9_u^)7VYvrXm1qNKYWHth;R!_9^vn$#^aq$$U8@|KdLKt zKw97Ai_b5H&F{y~*DA?!J%} zVrKgF&B5&&%2el^ zyee&e>*#xH$pqY^^90Dwe9GkfN>^opf=3|LZ}CLi{jNP+vA&lmgz>*gvikg3_{pxw zYA`urv1qCIQ?W)H$<2mwr8OffY^rn5K$_Acvxv{hX z+SapLbWJ-~d!VUJQ6|>dpR* z7LbfXw6%s;DM*yfDC7Q&z7&Smq>5_%#{;Fa0A~JX?p^J)KCmW3lSft`t|@8gn`%MC z?%SyN2Q7MxoozG1SS_laFjmMNa#9E*R?1}tdQsXrOEZ?za-(O;FK7TCW~ z=XhIh)FZez=_n0!56?;dd&gQcFrscJEZ?p8;pBFNt|DBzs$EQEOe2b^FReXAHwxiE zTs}$)e5#d zqb1gyGa0+a93M3GrZHn_CS8mDZf#CwXrfin#O7TE527|YA!92!q~87XWfdT+X${e& zq95vj?mNv8`?^8ZX@tb~S*ynXBxO?oX_ViS6CLJ|%n5;RwzaXFKf+5ppG;Z5)nvxB z`a5lW#??{BGza3%-ETGWm#-?bXw_8WgqwWoW>!SakvA(ACXjkI5>K`%JtSsC6Tu5} zi5Vwk^qN8|^d{Zo+KZC3IRqqtAAmRB_X!z7UwwEK061VU=4j4WQHK{Im4yIjS|XmR zRt!9@Cch_=FA2P@ssuQG+A3JY8G}UlxHJz>nn-czr1S%e*02RmW$dR!Q2-7TdSG|K zLFlLkC^-xRJOF6jdRp`W47{jm`hCMFv1Wa(VIiEM%F@@FARJX{!$-yKV20tq_!n(> z2lNn%Co8dMDvJ_$KvzR%;a6FM+;NJu1pg}SlX{FI(5dz!*s_B3hPYcn9vt;Fdh>!) z<+O;exM192i9`z(v{y9kRt#?@3B;VY-C+0>mLMoH@^kmtCyDw{$s_6FXT`DkJ(d*$ z9qn^|o}yV1k2>+;6YFLmTokKO_(v0+zEd>Jc>6u!bRfTRg-PPyBaV3vAzzi>KW6-P zrFxo$!h<|b{thg5GOD27mDe_RrmV*SotDNBK4w(h30Y0_I-7i3^Sc??;smr^1G8l1 z4R?epq4MmT)_6FxgtVn03RGBaxKt=4U=PDq8!>6V?6UVcT@7M2pS{K4K(D*+nY;H0`|*k(M8~E#cw^_5^1RV)74i5D zX+LaQ;f5ckN3S5*_QAFB@^-MMvK@PC*V`I2*Y8KKJ~A@)QS~QJHr=Z!i@6#G&)2!a zkSqi9Bjoeis>fzcyf8GX8PtkEje|K8y7^_Cyh^om#`C=IFHTwi`hi&@N{Y%D`Xh52 ze`p_6*XcwVcXUGJIR;JpGM~*9+TZt2_fq!*Jg3R;`ku5zTZwJ$3h3sr1e@>}aA($1V!+qGi|_;t zi20~@^LuIs|AXCHJt?NY#&W-roaTLc{!D*e-HND2q{Mf9_oa9-{czBKi#Y-RBED7h zMBIr-d2=hNoH{$LZict!LQ}8JC+h&yzWOukgnk2$1QPh@RF>#aazI^|u!6NhB{|xA zB)N*ZCuHsWC3(k$I)5rDhHc+hNlPHzV)X|vYPrK`?0h!jB{8nJBP1;s?wVmEH4`h@ zJ}ahPgwvIdSm<+Nc2c^Z`oh{~^T5lC_7LB%_4vUA#3giY=qn9e7rb0D_SMKOa}}e` z)h75$T~1r!dgd6|VWeCvYKkRuCGMi^JP$j<&LdkZSZxJmd7SCq#&J`I&7A^C7T}k$GSJFM<63#l3Mq6Ags zd@UeyV6bOvCYpG&of_bJ_U(^U$nTcC7PpxWgRSQ^;SNJNUq4R-g6Uh29k*5N!>-VN z7iIroIMhp-HEZm$Sq-Ez_H>w^AeSyn&~Fb$0i&t^`ahK75%Im^Q?vD3Q0=kqwQ9Uc+B6Ir3^&L7gk9JK823xieDb$PdfHjS#tU@5-sj9eE#;l(t9xY9&X5 z+An|~N;>Y7J&{p?l3I|JRGo$k<}bzFDh)avFNp1rYW~0W-aRg+_3a-=w%86KTcR56 zHkHyyPMu~DqEZqPWhfbTl8jE8X-P;94LT?tMnZg~ktm&JqBNZ}MLMccGt+dQnyKcz z*7shu_wzizKYo9F|NH*&SYGL6M%KFLzOVbb-iPbnHeaJMUxPAuCH!KuvFo1^*XOtr zaf91&2mYYpDpSkbmj*Sv;z-KC6q}K@(nc&MXyG@K5r^`r{IR{P#-_%;nr4glbCMkw zUs_%RvQwIQHR+?)*tR&~3X<*o2~euyqCn*F=jYKal(YvB*cH|rv&9`paO7&v#1hjd zqhNDhuW~_x37b?dlLhB*G36-$#M)^iV%7?t8i0YPP99Kx`4h}>W)1V>)}4Hs$)15# z)z3#Cp@Z5tt4ZZUP3~kSI*+y}_DJX>guZL?lZ<<@=%7BwCHcfdkHE#%MS-jVc(><< zEtgR~6zm4fak&4Xo+tck)z@SK1$lz^O~*BVI7+T0g!1s^G_XOHLxZqAl1!GrP`(M% zms3UE21Imyvm_cd9XE4EXrnt=fOOx&5*G&uoMe-_fN`S@f{%tFIE3SlUYZkQ-X5P* zo8-5SvxU!#lCYMf!2LXGZRp->wNXzv>H@V%(|lVFPry2dJ6cJ3+2oxvg91E@;I`K8C|3qi!n0^WCxuc|9%a;hMNP~(ald>hh|`;2PNEX#9Vz z5YU2=E!2#P=r9f|%P!wIgIS`s3(6Wy z>yGiS05nUhj^?OjsyM;B(>WWDa+9EMA&y9D$eV5JdM+l3r-* z;w_&I9~&|Z5mSI>q?aPgrj-`c^wi+Ph=i$R2kREv0(>A-0VWkf_@#Q{Kf8kesk7YC z`QOPr@@=2fCg%vAssMS{aV$s`iDzn{0OJ2W`@2Pw6(!j40-)spA3Al31nAEII z6KTiA21#F#rJgh^<$L{se1WA|6uw_0TCTbG$!`fupQaMuLLzHtOIFsw&jB4vBLpAk z_^kYKghE=-q~G$0IKtli%TCWhC?9z=321u2FVf6owqO=~D!R13TV*O6iQcU5tH-9E z$KACfifp&qh^$!$!*c8tV19$Vmc98UCr*g_8KuY|??J;!&`h0-QOFtj&ZM?MlV~>6 z3yrCfZ{v3Xk`Lvc;2G->WCA|dbuOm#tVLocH2L#)+gVhuDo;sby#xt;r10vvev_Cf z<8T!&+}Jhpr}amdL&2Qex_>~onS9LA&wq;U0n*+cO+1%a>-!i@OeaE}Yu~DiogIgE zr{tOnR@DY z|1e{HX_`;J20uydll7SNZ<&2qJ~pKdc9Pv~JR`hMd=haJxoZy|{~?&mL6qJNi>iIX zC*U$BNsPZ3&OE>GWZPDaq;FJ>4!G@%zU(D!iFlJv=;5Vu*^X6nxEdWR++zow!&sCH zL++wvwf(=j;(($iYfKlcPV@Tq@jSC#7|cGs4nRV-$v&xjkGv7ziQ8g=%wLhE$|Lo&6b$0l)QzNqL{6| zQsLQWz?2wNi|j8wm=!AzJ|Fe2#JUHBn*u+($ww;N8b}a279e?L4~3r>Kq1+|R5y@v z4z(WuU+bg?;bO*L6=q~))0iwp-+&^_JHvIA3`j**mXWQ|ctYExw zr})$xqI9Ld^meaISZz207Rj|QKchrc1wgoKQiG)Txyn58_mFtfTF9rkCv!a}XrC;e z+$*oiqERB*Iw7>2`IsPuF=Uh5jla?QTH}j)ch^kJJ5IDYCS79*BkaOJ#0u`Gu~X|E z1daJFmY^z(6{Xql6a6R9^>eK<&-Oe(+BV;G=atvWNk~-)-VJW1=(9&6eg%PIDxH=a z7SRiUUp)aQj+vX*12$1WVIb#afNocE3^)@;6nN;kNV@^oLsNFjp1O5I{!m|?0lKT= z(^czLI|805*?Lq!H;gf*d92hPcI*vvb&Pjs$>LRyWdu;mW@3y1z%#Zm4oxK+X1)Zn zxmxl}uMHP|Sx7GBNng+Ak!U)EigQZ(rH_vv`=!H?n>t!SA+LC%KtchV~FK8bbvlRuT5wiN* z?Ue!5v{oAu%ud8hlF6I=m#}@8`oH}h>3{_;@0sI}`^XC2TavaBeYItIPz9m_L{?- zM2l7An?h^cYn5ys6Oz7E^-D}`J3L!L{Nl;H?yohxVhOwuhm(vD>OzJKb42|qB12e& zA}KCU>j6_O$WIl$v2fSTx&W%k@QBdofM%2=D?tSJAdQr($_)0mjkl!_)`bmmsrp;s ztR?%_YJAf0KRb(^L`>1B!^K}$-;^; zBILONQR1@aLMOhIIxR@_wF8V9pg7ghEU|`}NI(;fzoZ!6lSamN^b2 zJG22iz@X7O@ng5|6rnhQm&D~#5&av!Wp^#@9#R*n*NJc48kWejJeva9K4k0cWrQJF zU;^og36pa`WlpHu+VyEr_Qt|Ym!DTjOht?cmIXb+AwW}iQ>>rUxQY-tvf^k;Z90X+cR*v)qV_Cb&_-wk?MkB-4OuPGU(m`(w?Q6G>U7 zy!7f2{79rF*=D|KF&`wLX{5E7%srLsWi>^Hgmep8$2VpbQ7BeQcouVnAi4Ny0cI(* zN)Duim;|`^$d zA`(9I`1Vk_z_i);@G%AD=(yXXXse3HC$G&qw=90N(Cl~hvCPfVqw|+K$~?m-tzVFN z>!Qt@uOkrh+PXf8)VURze}r$HALMmwbDy;}o&vN+GN66I*4QuKl~S5l5H2d{u9bNp zL&_@R8zSFD$>u4zcFoTgb(SM}d{8oq!0;Z=m+DT^RKvL&kdQz`hAf=J?eT!c$zxkV zvOFpV^*9ZMW#`5t%K?bO5UA|`S?@#u{rz(R)CweQC`LG-D40+zxa5OVCO#1&c!@*{ zUe0?B4&B^HBSO$q#0O&IkZSw1LI6CS_X>fK&n4kwk2uOQ(x3#JK2|C!c#hDJJcn`(koL~y*YCa3vX{ka;e0(dB2@hy3ZE_HRwIRkTRysD^x~SZvx*tR zd0&%AuDD+Dsnm$7M+ru(c-BX9PB+=1w{VXCtu2_AT$hOUCa*`6@c~GnZhOs>%eHd; z-W^uaK%!u03GkRSR*}6;yq_goc!fpDV}wU@3PlzXYmv}JEf;a1_V%MBD!EqG99kNC zwek@oBcz?<8ql5o)YT)H_+V3Tuv;f#3oslQaQ`Ao(Bbi|D5?gW15JqKr>$x^i z9cFamtKLtSf19~Cw=}Bq6d^*)73AbdlOozSWI$EU4o6P@6xpsb-{1Lxyage?aqpqM zBkI`32?GxOVkSTaErmq5h0=Ki`J^FE60S_|4C`pP0YJ_Bg?DMyMDhT#J}m3&j2V{X zeYjz`(ya&4sMSE{5Go_g$wGgim!l;eas} z0}aHa_-$AfyuxL7vhptI3-yVmv$rkLEpj>QAthdeSwiJm)Z^}Jq*Z4@Ibk+PsWk9LNUN9!C?O0=LP&(Z^Ls^!rN}XvCF7lv)L(Ts3q_>9 zyI)3xFb4zb|L5{%(OsQdm5;cpUlw@4L^nJkvsc$ z_P$GGDTJ9~u|a{oOoMm|BN^g^|8Rx33=i83?Zyqr6D(wPQ5VvXW(AcvM)VJBiw@6( zdW3n;lm;>7%6^_&25-mFOJ=N>b}Vy@j%sBTIUaX1;gk6vRLjZ2d_VI_oA!q`@87tI zEaT{>&TXr=juYy6Nr1K^hXiyvK!-pT$7^WtQezO11nco_Wma=!wgn&-vr@quSVqF? z7V|1$dtx=HIKF68`hP&;$db5zJ(422-Q z^|J#Bqoq;4==^O^M5~ICD3_L$_9Is#l(q;Qxn|n3KRIk>hp(y zLR8*W3^bo=oTG41;JpB-Y}cxc?_1U!f^#pTr9|0skVD|d?(sP&jF%>GLqw`Lo9<$E zK+c{QJ5_(kh9qrD>I5wY%8~TJUr)%Y*z$a1L)#iAFN=IRBFuv(x0P8SH-HwIO3|&J z_-Vl%Hy7L`Xp;zavdk(wrE3Z!*Mt38ZAbE<)9vKYB%8ggUy=+9=MMGtSk?X8Pagi~ zubg4|=*B(wci@zFzgBS5l|Z)E8?nL-7c}YE&&n&Yhx6S zx*WoG1Ci#Z(IFKbD8^8}_YQNg>j;{(;!Tk&O1M->;-?5z@Tah8(X8|i&|;#)h1OoC z$hbtiB-0LahOwWLk35qwD?hTUAj^V58wITJkeys)`x(O^jz&il_vA!VLpUrY4f!x^ zGKpj>{o71r^_q5*YqzkghxSU-cHI~tTdYhqY-5US?p&hTw zvbk4AJI7U<|Dp}HbnGA#uW6> zfF?t zrYKcWlLx`@omzxKUmh@!3tS6`m&4~+yPb?CbSvYgp#u??oQ2x~oeGboY(oAzk(=Yk z?1AnE$u~@%!*EDCD*VQD73`D#AV^=bjWv{copBu2hSSBN5$!B-M{q3uTMDs6=e&aJ z;g2*v*BGMWDq2f!m#OhG^fdJ_di>n_jd@fV+4Fm#;@9Cu?Wm#ht5lJ8%Agx<#~Hs9 z_r9M&Qg1B11jP9vTWGc*y}~IjVTt0PzedNx_Tc>N(uL{d7U(i8sR3U=fvOmg#X$t* zGZLn71oj{$n=1{OheN*5z?72Y0doqfgh~McaXXL$`d!Ab5#<%+52gqaAwW>`UyxRa z?+QLS)EjUn8-E3+SJ^|i?AR4Fq*MBKcT8BpICbI-IdcSlWk*W26U~i!4pqA@8(6Hu z^%dUqiC>4|8evHvhrH*G?-+me*QiNUV5Je7F0LD`ypmjQvsd<>&HK(4q?0QX*j)+d zkmiXq+ne+&SC2iTtOayzJ&&}uQffpvpPy3@F(6g~QM@&t^yD~LrmuORRYDxH8C5qS zLwLZ!;i=3oOy5;#UG2`J{fnTYe-edL82IQyJ`KHU7vaP}r}ST`B=}Bp`!_Jk|Lz?< z>M&24!ufgeraJ_Qvyt);2f#q7;L~0BR7Ezj=0qWuXCqh5w_(HZP0A@Dn*n)asl2=v z3t4)()G@~M;>lRraoGN65_jeCiH+26fdkNQGpjfb>rypnqhTHYf}dcHClcc#j~%}S&AB2Iy#yY)zn6#mV>hQf-9^bZO{&n zNZaTYwV7QHIWoj267aGw)uknW(kvrv3Z4%#ZX?86t-%;11h_Vs1CW$6iSI}JV95gn zMW1~@p2CA-!+y5{3b5zGWcg*!tzd_(1}G5pqBIn!E>Qz!z;GG0nOZpv{ zCoRw8dh{!L#WuK>a5&(2&$~r7Y#bzgLgW`0#AH!wK&kBl+mF#yp%-f1m3YOks5)?< zisN0oNlUN~k6xyM6c{K$$+_hY9RL*t^q%%Aq4~pE!+F! zYx>k-ElM(u*vwDk=fTmIet%K+3oa7OfyiYn)juX+1sn(vN_(^ z`>JMwCE^>2G{1#g;%AMw==5D&jM?N6d95)Wzc@4Y(uO&W={4mxm8xwQ`nL@h!ADB7 zxjHrAa}d*;s#!|F-BWpDmw?aeOi{sro2Z*8v@+u70qnnH)R$Iw7^fib#tBlTY%%^J zc8~A@Glp^tajzi?sp*hNILJY5VSq5?=wZ6JNFI~Q!jqN4Tfhtih8jCXqA!QKLXh={ zF|tFwOAKd#g5>{mNdo8)atQVU7pmrMQ7|FY=AhIRyNpkUR3Q6@I)ul&OgN>?D~P=w z`*v8(ixL4MwOvG7E$uBiF5;7DO1-{DAyqnjpIl|P==8qMpw9ASWpy;UgDBEPsKY{I z@=1stQ}6P0)`o%P!zX7C5D%GmMhUehBtisHZl1IV zx`5g~GT~dS*K(l}B)!%H2LSY*j0hl5&6B6aHZt6PvDVdp9r@fE*tf8PT0G~a-BI> z^kfqtNe&}A-|xqY0f5CgappRjB~bwF#)Y3**mqb~9|TZzk4F*p zi7$$#4@tPC0h!{`r z1aUqFhjPxhH=`k{mo?4p^9j6o=`~{4RD@@UV5Tx2zzrhH(!X6HIm=k%Ss4`QCe=yThD?;!sfD-Fwf0G$@r56s%Uo@Dvd{c{- z2C8Z11ChWV>di`%eXEh0@-!WX8z<-fc1Zj5;lQ)yCd}JaA8&qMp~|tt|3$B<-?j^g zgM;-b4@u{~vsYG)@2&&%g3|BuiiAsjK6=A#$ZhgzMHrnt`HN97P+ZT}!~F?(;vi3| z$|j1bOy~Zg#B*hah&UZFky9hCQl!xcQAQgNC@>r{K@@&);9Ufi_&|ouHmGIh2r&{6 zqSz7+bjyVgg_nTVT%rWbj7u)mBH_}^t zm3e!`8y^G|)xDGhj5mY8mZgxSkIGM{w?u~@`di*_7qePsob}FY4hz%rfHQF_(0196 zAl;C38z2O2Ny3KryCrf*I|TChnh)1GW5WBwwpdZyU>-0Kpx~2wG>>2%G`_PWJIZY; zzQDe5TXxLrx35>yCohjfq;#8hoxsml7efK~J8=xgU?Q0{Gj($iHGZy~-50kda%?x0^&Fj3okA2*>O z36Sh`?2=$hc1q~(z|r9jbj8~kTajK$F=v<|fy;3bS>$>RneMD@y8R|SY}ZOcTlx+q z-R4(y#-ZgmH*JicZ@Ou@!?JrzuTiOcX46T0aqXKt%ed&xN%IRUlgUt!3C0G%RJ@=O z&lFs9^viO`jt@Fn*Ntp}W~2TA^~1**2R5<_>3{`c*VyaLM&hCQkaQ#sIV@v+umM|@ zKo*T}r@=%71YAT91uik*kIw~5u;o;@_C$;K@SnHkrIqA{7* z_wGu_46GJhsrgXi1R4i$P9K3SIi=<-*q9~ayMm7h1wo{@d4=sNAO=AU4D5#L9n z>OjsKza5129I;W$rG3Cbj>SKXeT^Lu+D~vMP*fs7|2}X}R@4FV{%_T8u%-x23vF(G zv`K+(Wks}H3ZwNvQwcnfTl-8rl6$nr^1%=f>>dMvquO$o1l#k>HaX;IB4j#yI`&Sk zc+E_LGo{5Nm1wAH-wlY?Xb!;4P-Pyyb+k)J`)Xc;Z?-D$q|SdV?O?5}#0TDINAQoGSl$8a@N3!R zW_i{vJEXQkrWze}opbkiCa}dmdwRejjuv#tDdC&t=<86?hCP%Tq8|Qk_z}2Lp3gDn z$g-ms?3In`12fCyYf-Yn382thWc!dhM8A&=$(Y9(No1Z3ABDKsBCZHy704`qBF`YI ziZB_SRf}jLM^2DTkSYW@E^`4h?2d~m;)-2_@3N5Bf!G-p2)w#IVHma%jp2UTuG5aGyr*ja`@jN}q;eJlPBJfjSW9AB^S z5He*NYONhaDTZBsEbfFQo~UW!aBHGh6^E;omLV<=e<|alG11G_6K1a2)m^_VYPQ#n zkaY6<OYY5U&J#VD z_z(H?$B+RMLkc}7H#@^07@##DG9jOqfh*Z{K>uWdM?(t33TP8hTmTd&*a8qg0qn%V zpdWPtL>X4FK@s=g*FPGCahNFq2Ue-n89s6i?mXEV)z8gU7H9Ed1r_RtHE<0T!aO$B z3t9^g{h%oB3Se8R4>-KDS4X8miNkRvF2Bl7d`ze| zr^6g^HcU61!V%|ks!cPLdktoyZ&d%a z?-g&s=JPKo^w=C77WC4@&qx5^WgqYYkh*{nO9E%0w46MJ!yFq~EY}p#WIDZGBY9oW zyLxviM7br*I3Iq~LP-fQ#`;%%E4&+5@ODeZHp>0N;lEYo&~H4<&0phvzc&6+HG75c z&IgB9haNJmeKQF1mdd}DEsMGYw1lC3q@i?j=##?AJW=6K6Ylv~A7O$p*%-*gYv_s0 zn2#}26prGUf(;7A$^<3y?M4sg#HmxL#`v+%fML@@9F-OD{0kq?S zPa6k5xYtyKuch~*dk@DKxQuFD9tTVZybz=TBTbK9y7AFF+Lm1&Aj9{MeUtujRo@+- zCUm`znxmPVRE@h|CYV!MR=&+~UcdV=79Iht`jGh%+hi*@rB}q94$E46pW<&M3efst zX8@sx%yc8%*4gW|p}8wgLt{2oY}#KivTe9;_RLRsZFyF)^ns2;=F^!sW1if0#LUJ} z)@A!U;O>)jGN~W>qvL%#1lKY=hTNnm7ti5(ui@0KKCc-+yH2ck8iyJ+=%Y*aTt+-07&g* z#e>S{5fVq49*0C|Bsce;{31n1n=qpr^EJ6~VYSe@JM+RSJz0`phc&~`-wqs(v%v^N zmiPD2A`+6(i!a-qRc4@6|131r4*4zvl68{QXG`KhCobtndV+@JdQHYS| zoo%$7wQk{>ZQXYdnJs(ph-hW>NAO_LegCmEWu05Dw)?ABdFju{QeBd6EjylS!_UJp zmq|)E`ULHGrW?E#CtEd#IVb}r+DAZ*C8Ke`d6q!>^ACij(v>j(@nZgyPB|{&-0RVz zK*|Im?SH&6jRS$sLrj2YMVx>qf|wAB5i0+qj0?RPu>)>CUAaxpv_q=i0J>-aBGQ&= z`K>6BQK)eE>#lhAiX}?XQhS*a46 z2%*NpsnNKz2CeF49BKsOq4Z!}XHpr^4d8$PFtPW%FC5`*ATIl@4k|)iv1OGMjzabI z^%yHOONX*$&?)(@<4_c}WYW!9R?n0uFrmtYnn4}ex}Do+jApXtJ~`_4>ZM)0rk%o& z$&DxJM4!Sajs7$I=E|#%{L>7FMeN3lD+Ey)M~P;Gph`s);!Dt^m zbLpMCh3Fz4*ePpy2gG0^I=zbd9{b)Yr54F)U7*(^)}6G+&3K?GH9e6)kKMqwJ-)HG z{rJS6(gxiG4|n1h z-IMEVmBFU6>@4o-{rvB2YzHDd^;2A~j@SruOBdp80564%hz*$ns7c~utzyFyntj(c zsUTQL8MF7igRiZ;TdS!tzCX3ewq`uQ-T;u&U2(|Y?%%umQvBaLF}%1aew(v!y10_0 z0Qj$g?hK_Moq-kf?LF_04F65)NlZOTtFho2*y$Xs!L0QG(W}4x^mZRfW*ZF&g-=oV(M6ekFjv{ zmIy$k*!ON?i8mTvnH8D2)5d&F;=-AK9Nutfo8oZKtCDr*q}Y$ItL}DR6p)*rY3SYC ziAtw<1(*oIm}mx2U6$P4Z&gDRr?GT!-xmWUQNI%G_F?hD2f_$1`(%1m^i~=`)u zidifEy#CbD=ws`_=uN*5l>Ak&-|Ix>OL4Ml^c~LcoOER)Di{kpK4C0VVu{J1Z;Wl| z7zJp-aDQ?Nv&GiD0B>ke2Bgf)@9;M!0HKcOW=X}WF+A9^(1=$9T)k82n+kw&|0Zw$ z{^^6vY7u5uJ$Sn?CW28A*(b5qQKZY@!7MUTp?w?qg7iQ@HHQMFh{qU*)3~@Cd9N&2 zJ%*A3WF4zIct!;xEXWYp*bDW(6h3I)WiQ-Srmn2--*3HoM!Ir!Y^_=lZspbImG2jN z-QD?o%O}zz@;a-M2G2P2mP?EH2C}<;o;6Q^+SZvSGER7t4Q!e9!iUV52-0eLI>x5V zVL=7|u#yuFqfWI)Dn69BhzGfwn!wp5UsA6>RQ4Q!4=X7IKrx}_gz4*4_L@Z09d&=z zOHB}~XwyWdm*95F9dh_1I31i>H8pjM@?ZT=yTSlmD5_=l!}kIt;W&r-UKT7AAsl1K zx|jb`tQ_Bg0aE{4$wBp%X|wTGlz#A`7|3VLvT5iOFPY)KY}K0OKJDv1?pdv&T6}ZH zn3_50E=Sey+kXPu+uOQDSt)3z^8Co7;=v2Iw2US(d;`sETDXNlH5s5wN&VB*DI=bC z#U8L!wM6(97>^X6NAW;3odh$D6k%f!b{Y8VfMA9y1jMYw=AVvcgBKcA;gb2N%}aAt zoe5CRk$3$=kE8u6PEi+z?%~c}(^@C|tuUbR1?>uODY0kKMZ$&G@6|9vfbiK2sodJ< zUdzOq_0VOinB4nrrv?|ZTj5NVriH$|TkM70&6~8n&8+MzT`KlbD}uA*jv^VydpP85Xj?uH}5%R?_fV)LDLc zc8wcDafTvKvS8Dcpvm6bSYUG#KStPySuv2mnm>~kUw*3e>E9)5xv=Wr&n^gf7O0qC z-+^EShpN4A*aBWPS0N|@PVk?Uy%P3wO;jQ96u^HWoQ8j!y`f_g0?fAMoJshL_@ded zM1nibF^3xyPf(B^8{ftw>6CnJ>ssaua_Cc+T{Fru>ASZ--}5`x`#`9}AII%li_Cl` zYyCDp&CrqY#U2}JmWzY%@A(wamtixX6t-*m8o!-G-;sxQZHeC_Q{S+DR@WB6D@KQu z|6-mzkRu;|`xDhxyTTvNfAakHPAM)_sD~!ICqQ)TeG;m#TPHG!T~G{-L_Agcwf!rR z(wdtTatxI~EXC-R0(iVjd>gHw-$suRcEzjigb#G$gYm#hbFWVoFfDpd#Ey2IYEy9) zBN*=s)tdTyY~v7@6Y1K1seF9SZrNcbathn1rT@!L@sxi&c=gq>NXe#W9;_;|UgFBc zo3)p6c3?=W6|;P(rH@VH>HiU^VeaJ z@p|C?Lc(XjC=+HDnD+-Z7H4 zCa!P+?k)6^q&iq9M_g{MWd>*0;2RTF`12@q@R;#*iZ~dAC2aKH@M+=ByK&u}L)jx?rgUfBA$jf35BRedQ1 zJL`MWi_>!bd$C1(g3l}vx1F*PZ3JY%(}h$ragdTvJ`GCAN%z*{6ZcxRRQCy1t`aAf z>dKe6H$d`~W@mZOBmZU4__EiVy4wAUrNxUuLa^=R){~#q zJJEHEURHO&t)@i%dd3+L8FOBePmHD5d<{N5si%r_a0E@=_B%m>!StTd*?5&alr$$P80kF!6uy4)9r zwQ}2JhI*q_kPY6)yLtsOdl+;YsrvvLkB!=8r=iQ#toLHB0cC0M0}z6NC=EO`n)8Qu zo$m7WfG0dbsaHt;dpbU$!FAa3jD*hDMDH9myJM~(Z&^3dc$6X0D1}D5hQhUKQ3nz~ zSqOzAO$x)s4b;m>7b$y$1F==B@GNmE9BUP$G`$!?kclK0_|YKJ7Ue@S&hhBY5D*)Fy*cf}Mr~CKC_7aCB38 zgz4g^hA6(*x=V(9Q=<@Nf(u&SJKIzNUzYm#q1M}J=(Lq|o_hoLPQi-ZFQM8-Z+9tz zhQgK?=_f!VA8*a`1*%fRz%Q)_r?@Ya|0-4N;y%Z{Q--r%fb;b-LIr-fi6I4nNwqI{ z=@ZgBI?&M^q~9SK7rHzU7TO-?Z#B5O5j^tD1<*?RqU*T5>N{Q;B(WQC&8N)77niMk z%#CNsn}dF^Qh8V9B=_j(3Wr! zws*8p0IhJ>Dj2}ZqZe(2fUCu_o>OG@41St75FmmkAmr2GCA0J|&YzjKV2$&2ja@NO z5BBEk%d`ue(N<7}?~_gFl18(rv0 z0_axz;-ZJh%p092UJN(TJI~sCqYjznP|on2@W>Yn&uwjA@_fte09bulPT*_{-2IO+ znXQe^NKRn!j7iM@_#yI#h{uu4(vz5G?Zyl54RSNnkha{VhUS`ffuz)f3%d6s+q+kS z|DN!(!gc6u7WDtzO_Z`>v$9D6QUB^Cdpu@l+I{B0M4_wv&PiyY6DBAvNtODr=$Ty} zHH=isEgCh1PR(_0sBlc}&(wqGV*+PlgYI3CtN(7jw(o0G){yWRKn$mf3SwnkKNdha ziO`ezd_v0@sdr^lEpvN@vNp8@1itXf?<1HNaE{EBQN0siLcDM71f7HaT{}TYNj&_L4%Yi<)O-1V8ArTIe|DzCm09$_>(5wR4q%e8cJ$s3Z&*1G1Dplaz(HWWe`7^P> zN;j@pcJA(7i#e9D+{w>A-Xv4Xx$TH{8%=q`Pb!q(U_66NcGOKNBL3KM8$Vy&8>Ho| z&qvL{UiI9d*JJ)061DkgQfTrzlW9(G<)9bh>JQ>XooTdnlAC5!t7d_SQ!=Rlj6+TQhoyd)K(b3JsBE|Pn-tfRcM8eo4gk@t#NYqvD_w>6)y1d zT?Xi7w-%JmstzT63qgC9{;1mG)vYVZ3+v{b%(thh^3&`T+uTn?F>LBTT-VTRd3@=i zhQpn;X5$UZE!w-GH<`cGK*Jn$_-_~QOlM!HczsND#T}5Dq^X9j5|F~?CH|&J)CbcV z#8jtgA;keaj-RQkVZ*ZF8{kdDI_*t{8bN>;y!eYAdi!1|XjMwff9C8&$-pW6t?j$2 z?R0^3dXe%gynOk2C-Ks3nlgYtH^_IAw=Mp`++TX1JFsfaX={}u0=g*GgA!hYu_Wb59RifAr*&p(m@hG`q^ibu z)LV2N*qNXF2x&9_O(XF6GQU8Z9`b7_<%&M*OUlxBx-jaq>+k?tj89v=HREL*Q0?3W zc4{xfCe2aHo}HM#E>s?OsM;b1xWJ2F`Z@9M^{0Qr*LFe7R&WDAJUSFmkOyj$sDO&K zMq(x)3p#IG6v$h$Dd}T3m%j6wqM3v7DBb*P71Ij#OuY#0Ts<3JKijFy>Aa=Nsq$<} zlPm4?#i#EhJY876criby4(DJbo3D29+GnWyqVlz#>oIrs+TejWF@Hajm>zj2)Kv?s z_=Z0qOK38180_bKJ~t36|LdA}0${xD!*|#>J$hv~P;dGJyvUkpGFK#H={}RLJF5vR zu4={uqnZx#AN%;`A9*opavnMCJ5$MVB{VFV@Ey2cWZ^h*>zh2#HmEM5w{|dz5`RD> zhWch)nZ-x67O|LM`wJRA@1139N$3I(4K-<9-bG2adNxvb(01wpbn|F3k<}T@ns}uW zZ*?_&y9~KeK1L7TbADhLEP7>~cZh2A2Giok8X_`EV%zNJ zt-&MIMNbS5z*CQ|>w2uEer<3&c=WHZ2(hR9|34fX$yDo`H~n~jgU9;-9&hq;D#3a- z7;fh!4H+BGKFN29&W?+WF5>1JXW2cDttuQZggrxY_#Y{88rq9}Vmn?q;f%o1XEuF6 zj^d(t9K6}TI#96|V>KH@n0qnm{P$Z2@`gW3ojt#-)ME{&knh@cW8i^k`F6{R^{V1Z zJMw$_Id@G*^rh^XXi$-7;0~ODp1d8btcZ$eZ*O`3I_5cdazC#5>N}>c&)AdHP&b-C z>q|(_y5`Ys7dSj0o!^mBcYKq2&8vWZ&St%yOv?V^$49NumlmS_@+OUm$c+lM8(v%2 z>WzPIX1ws)Z>n1mAj+K+uNq!)N1b1hB0q0!#?W-ny~#rFoqIqU%|vg*8RW=0V~a7v ze(gUhzM(JqZ3n=1R>Vt<_%@8uP?7oA6I%Y{=Hb7+`@w)vH$MU0$d1|=8Fn=hI|9ej zKHlDJ6Wg&>wj%m7XvqX_6*MTV|K#@@Ok-#B5<>`79_-!BpIp|jhn<)yUeRL;Rq-3e(tJ;kzlkix3A9AsXzEF(3xn8sSk?aJs&T(5`DL)Sov1+ z)5zm?cR#UL1np%Qrxcasgz&Pas;#$AJJa854LcM+Fa(Q=2Ze+;I)iwQyi$|yZtlIQ3qvFCg~n*A#0KhFCWbT)1w(%x(aiet0BL+tcGK!F=kJs6tsTwNl;h6&3BNRet9G2eJfHITIDZ1m{0su030fWz1JamG_bs%-3>Zy*m;WZ^Qo`2 z#;>x+b7dTr?*ggQ`LizTVAD-#$6i(Tq`B%Y?q+VAONTko7sVlsv?m&XGAUW)^sI-y zb0?)Sy1^Q}qqh~jLC_2K{{c-o5al9$s~V#BfduR36b`A<~Hnbb-!| zWG;^M*=Zi79;CTA*7?%RHZ0bLH1zqsO8-|wz_mZ|+-76qH*cm*wR+5MO&@dLzrc3) zY8CRzak5}0`YZz`)ZE{!QQ{A+2hF+afbLwgvc>Wy?na}C?stAywvq{;WT0gsc)-tz zC9ws3OiSpkgFyY_F3W1Z2;BT`+Ut>$$~_hTcGI0m;M1;D4w8XAZKZ}QnoyV`O)GOi zuD&i4x&#-}a*oZtzWslH|L+L=?+E-~jzAgyW*MT9UlTd6@5yVO8Q|Bx-OjsmcAmWU Fe*g<_%S!+N From 5c8a97a5fe7452d551f34b85a22db191f1faa6be Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Wed, 5 Feb 2025 20:04:31 +0000 Subject: [PATCH 102/940] Clarified previewing GitHub builds. --- latest/ug/contribute/pr-preview.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/contribute/pr-preview.adoc b/latest/ug/contribute/pr-preview.adoc index 6620e1812..4a93df9fe 100644 --- a/latest/ug/contribute/pr-preview.adoc +++ b/latest/ug/contribute/pr-preview.adoc @@ -35,4 +35,4 @@ The preview is built as a single large HTML file. It will be displayed as multip *What doesn't work:* * Links to other {aws} content, using `type="documentation"`. This is because this content doesn't exist in the preview environment. -* The attribute `{aws}` will not display properly. The value of this changes based on the environment. +* The attribute `\{aws}` will not display properly. The value of this changes based on the environment. From d60cc06090c4721daabe9502824ca1176f5675ec Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Wed, 5 Feb 2025 20:09:29 +0000 Subject: [PATCH 103/940] Case consistency for titles. --- latest/ug/contribute/asciidoc-syntax.adoc | 4 ++-- latest/ug/contribute/edit-single-web.adoc | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/latest/ug/contribute/asciidoc-syntax.adoc b/latest/ug/contribute/asciidoc-syntax.adoc index 7dab4d7b4..0700755ca 100644 --- a/latest/ug/contribute/asciidoc-syntax.adoc +++ b/latest/ug/contribute/asciidoc-syntax.adoc @@ -1,7 +1,7 @@ [.topic] [#asciidoc-syntax] = AsciiDoc Syntax Reference -:info_titleabbrev: AsciiDoc Syntax +:info_titleabbrev: AsciiDoc syntax include::../attributes.txt[] @@ -15,7 +15,7 @@ For advanced syntax, review the https://docs.asciidoctor.org/asciidoc/latest/[As It's important to get the link syntax right for the {aws} docs. Review how to <>. You cannot use Markdown syntax for links. -== Basic Formatting +== Basic formatting [source,asciidoc] ---- diff --git a/latest/ug/contribute/edit-single-web.adoc b/latest/ug/contribute/edit-single-web.adoc index d70a16e95..091578f77 100644 --- a/latest/ug/contribute/edit-single-web.adoc +++ b/latest/ug/contribute/edit-single-web.adoc @@ -47,7 +47,7 @@ If you want to edit multiple pages from your web browser, see <>. You have created a pull request including the proposed changes. -== Pull Request Overview +== Pull request overview When you create a PR: From c1d78ee093c9b56de1e9213f67fdaa7b0ac20fd2 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Wed, 5 Feb 2025 21:07:25 +0000 Subject: [PATCH 104/940] Brought back manual links for Edit this page on GitHub until automated fix. --- build-info.xml | 4 ++-- latest/ug/automode/associate-workload.adoc | 3 +++ latest/ug/automode/auto-configure-alb.adoc | 3 +++ latest/ug/automode/auto-configure-nlb.adoc | 3 +++ latest/ug/automode/auto-disable.adoc | 3 +++ latest/ug/automode/auto-elb-example.adoc | 3 +++ latest/ug/automode/auto-enable-existing.adoc | 3 +++ latest/ug/automode/auto-glossary.adoc | 3 +++ latest/ug/automode/auto-learn-iam.adoc | 3 +++ latest/ug/automode/auto-migrate-karpenter.adoc | 2 ++ latest/ug/automode/auto-migrate-mng.adoc | 3 +++ latest/ug/automode/auto-mng.adoc | 3 +++ latest/ug/automode/auto-net-pol.adoc | 3 +++ latest/ug/automode/auto-networking.adoc | 3 +++ latest/ug/automode/auto-reference.adoc | 3 +++ latest/ug/automode/auto-tag-subnets.adoc | 3 +++ latest/ug/automode/auto-troubleshoot.adoc | 5 ++++- latest/ug/automode/auto-upgrade.adoc | 3 +++ latest/ug/automode/auto-workloads.adoc | 3 +++ latest/ug/automode/automode-get-started-cli.adoc | 3 +++ latest/ug/automode/automode-get-started-console.adoc | 3 +++ latest/ug/automode/automode-get-started-eksctl.adoc | 3 +++ latest/ug/automode/automode-learn-instances.adoc | 3 +++ latest/ug/automode/automode-workload.adoc | 3 +++ latest/ug/automode/automode.adoc | 3 +++ latest/ug/automode/create-auto.adoc | 3 +++ latest/ug/automode/create-node-class.adoc | 3 +++ latest/ug/automode/create-node-pool.adoc | 3 +++ latest/ug/automode/create-storage-class.adoc | 3 +++ latest/ug/automode/critical-workload.adoc | 3 +++ latest/ug/automode/migrate-auto.adoc | 3 +++ latest/ug/automode/old/hpa_scaling.adoc | 3 +++ latest/ug/automode/sample-storage-workload.adoc | 3 +++ latest/ug/automode/set-builtin-node-pools.adoc | 2 ++ latest/ug/automode/settings-auto.adoc | 3 +++ latest/ug/automode/troubleshoot-lbc.adoc | 3 +++ latest/ug/automode/wip.adoc | 3 +++ latest/ug/automode/wip/create-vpc-console.adoc | 3 +++ latest/ug/automode/wip/eksctl-docs.adoc | 3 +++ latest/ug/automode/wip/tag-subnets.adoc | 3 +++ latest/ug/book.adoc | 2 +- latest/ug/clusters/autoscaling.adoc | 3 +++ latest/ug/clusters/cluster-endpoint.adoc | 3 +++ latest/ug/clusters/cluster-insights.adoc | 3 +++ latest/ug/clusters/clusters.adoc | 3 +++ latest/ug/clusters/create-cluster-auto.adoc | 3 +++ latest/ug/clusters/create-cluster.adoc | 3 +++ latest/ug/clusters/delete-cluster.adoc | 3 +++ latest/ug/clusters/disable-extended-support.adoc | 3 +++ latest/ug/clusters/disable-windows-support.adoc | 3 +++ latest/ug/clusters/enable-extended-support.adoc | 3 +++ latest/ug/clusters/kubernetes-versions-extended.adoc | 3 +++ latest/ug/clusters/kubernetes-versions-standard.adoc | 3 +++ latest/ug/clusters/kubernetes-versions.adoc | 3 +++ latest/ug/clusters/management/cost-monitoring-aws.adoc | 3 +++ .../management/cost-monitoring-kubecost-bundles.adoc | 3 +++ latest/ug/clusters/management/cost-monitoring-kubecost.adoc | 3 +++ latest/ug/clusters/management/cost-monitoring.adoc | 3 +++ latest/ug/clusters/management/eks-managing.adoc | 3 +++ latest/ug/clusters/management/eks-using-tags.adoc | 3 +++ latest/ug/clusters/management/helm.adoc | 3 +++ latest/ug/clusters/management/metrics-server.adoc | 3 +++ latest/ug/clusters/management/service-quotas.adoc | 3 +++ latest/ug/clusters/platform-versions.adoc | 3 +++ latest/ug/clusters/private-clusters.adoc | 3 +++ latest/ug/clusters/update-cluster.adoc | 3 +++ latest/ug/clusters/view-support-status.adoc | 3 +++ latest/ug/clusters/view-upgrade-policy.adoc | 3 +++ latest/ug/clusters/windows-support.adoc | 3 +++ latest/ug/clusters/zone-shift-enable.adoc | 3 +++ latest/ug/clusters/zone-shift.adoc | 3 +++ latest/ug/connector/connecting-cluster.adoc | 3 +++ latest/ug/connector/connector-grant-access.adoc | 3 +++ latest/ug/connector/deregister-connected-cluster.adoc | 3 +++ latest/ug/connector/eks-connector.adoc | 3 +++ latest/ug/connector/security-connector.adoc | 3 +++ latest/ug/connector/troubleshooting-connector.adoc | 3 +++ latest/ug/connector/tsc-faq.adoc | 3 +++ latest/ug/contribute/contribute.adoc | 1 + latest/ug/doc-history.adoc | 3 +++ latest/ug/getting-started/getting-started-automode.adoc | 3 +++ latest/ug/getting-started/getting-started-console.adoc | 3 +++ latest/ug/getting-started/getting-started-eksctl.adoc | 3 +++ latest/ug/getting-started/getting-started.adoc | 3 +++ latest/ug/getting-started/install-awscli.adoc | 3 +++ latest/ug/getting-started/install-kubectl.adoc | 3 +++ latest/ug/getting-started/learn-eks.adoc | 3 +++ latest/ug/getting-started/setting-up.adoc | 3 +++ .../integrations/creating-resources-with-cloudformation.adoc | 3 +++ latest/ug/integrations/eks-integrations.adoc | 3 +++ latest/ug/integrations/integration-detective.adoc | 3 +++ latest/ug/integrations/integration-guardduty.adoc | 3 +++ latest/ug/integrations/integration-resilience-hub.adoc | 3 +++ latest/ug/integrations/integration-securitylake.adoc | 3 +++ latest/ug/integrations/integration-vpc-lattice.adoc | 3 +++ latest/ug/integrations/local-zones.adoc | 3 +++ .../aws-access/associate-service-account-role.adoc | 5 ++++- .../ug/manage-access/aws-access/configure-sts-endpoint.adoc | 3 +++ latest/ug/manage-access/aws-access/cross-account-access.adoc | 5 ++++- .../aws-access/enable-iam-roles-for-service-accounts.adoc | 5 ++++- .../iam-roles-for-service-accounts-minimum-sdk.adoc | 3 +++ .../aws-access/iam-roles-for-service-accounts.adoc | 3 +++ latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc | 3 +++ latest/ug/manage-access/aws-access/pod-configuration.adoc | 5 ++++- latest/ug/manage-access/aws-access/pod-id-abac.adoc | 5 ++++- .../manage-access/aws-access/pod-id-agent-config-ipv6.adoc | 5 ++++- latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc | 3 +++ latest/ug/manage-access/aws-access/pod-id-association.adoc | 3 +++ .../ug/manage-access/aws-access/pod-id-configure-pods.adoc | 5 ++++- latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc | 5 ++++- latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc | 3 +++ latest/ug/manage-access/aws-access/pod-id-role.adoc | 1 + latest/ug/manage-access/aws-access/pod-identities.adoc | 2 ++ latest/ug/manage-access/aws-access/service-accounts.adoc | 1 + latest/ug/manage-access/cluster-auth.adoc | 3 +++ latest/ug/manage-access/create-kubeconfig.adoc | 3 +++ latest/ug/manage-access/k8s-access/access-entries.adoc | 2 ++ latest/ug/manage-access/k8s-access/access-policies.adoc | 5 ++++- .../ug/manage-access/k8s-access/access-policy-reference.adoc | 3 +++ latest/ug/manage-access/k8s-access/auth-configmap.adoc | 3 +++ .../k8s-access/authenticate-oidc-identity-provider.adoc | 5 ++++- .../ug/manage-access/k8s-access/creating-access-entries.adoc | 1 + .../ug/manage-access/k8s-access/deleting-access-entries.adoc | 2 ++ .../k8s-access/disassociate-oidc-identity-provider.adoc | 5 ++++- latest/ug/manage-access/k8s-access/grant-k8s-access.adoc | 3 +++ .../manage-access/k8s-access/migrating-access-entries.adoc | 5 ++++- .../manage-access/k8s-access/setting-up-access-entries.adoc | 1 + .../ug/manage-access/k8s-access/updating-access-entries.adoc | 1 + latest/ug/manage-access/view-kubernetes-resources.adoc | 3 +++ latest/ug/ml/capacity-blocks-mng.adoc | 3 +++ latest/ug/ml/capacity-blocks.adoc | 3 +++ latest/ug/ml/inferentia-support.adoc | 3 +++ latest/ug/ml/machine-learning-on-eks.adoc | 3 +++ latest/ug/ml/ml-eks-optimized-ami.adoc | 3 +++ latest/ug/ml/ml-eks-windows-optimized-ami.adoc | 3 +++ latest/ug/ml/ml-get-started.adoc | 3 +++ latest/ug/ml/ml-prepare-for-cluster.adoc | 3 +++ latest/ug/ml/ml-tutorials.adoc | 3 +++ latest/ug/ml/node-efa.adoc | 3 +++ latest/ug/ml/node-taints-managed-node-groups.adoc | 3 +++ latest/ug/networking/alternate-cni-plugins.adoc | 2 ++ latest/ug/networking/aws-load-balancer-controller.adoc | 1 + latest/ug/networking/cni-custom-network-tutorial.adoc | 3 +++ latest/ug/networking/cni-custom-network.adoc | 1 + latest/ug/networking/cni-iam-role.adoc | 1 + .../ug/networking/cni-increase-ip-addresses-procedure.adoc | 1 + latest/ug/networking/cni-increase-ip-addresses.adoc | 1 + latest/ug/networking/cni-ipv6.adoc | 1 + latest/ug/networking/cni-network-policy-configure.adoc | 2 ++ latest/ug/networking/cni-network-policy.adoc | 3 +++ latest/ug/networking/coredns-add-on-create.adoc | 1 + latest/ug/networking/coredns-add-on-self-managed-update.adoc | 1 + latest/ug/networking/coredns-add-on-update.adoc | 1 + latest/ug/networking/coredns-autoscaling.adoc | 2 ++ latest/ug/networking/coredns-metrics.adoc | 2 ++ latest/ug/networking/creating-a-vpc.adoc | 3 +++ latest/ug/networking/deploy-ipv6-cluster.adoc | 1 + latest/ug/networking/eks-networking-add-ons.adoc | 2 ++ latest/ug/networking/eks-networking.adoc | 3 +++ latest/ug/networking/external-snat.adoc | 2 ++ .../ug/networking/kube-proxy-add-on-self-managed-update.adoc | 2 ++ latest/ug/networking/lbc-helm.adoc | 2 ++ latest/ug/networking/lbc-manifest.adoc | 1 + latest/ug/networking/lbc-remove.adoc | 1 + latest/ug/networking/managing-coredns.adoc | 1 + latest/ug/networking/managing-kube-proxy.adoc | 1 + latest/ug/networking/managing-vpc-cni.adoc | 1 + latest/ug/networking/network-policies-troubleshooting.adoc | 3 +++ latest/ug/networking/network-policy-disable.adoc | 2 +- latest/ug/networking/network-policy-stars-demo.adoc | 3 +++ latest/ug/networking/network-reqs.adoc | 3 +++ latest/ug/networking/pod-multiple-network-interfaces.adoc | 1 + latest/ug/networking/pod-networking-use-cases.adoc | 2 ++ latest/ug/networking/sec-group-reqs.adoc | 3 +++ latest/ug/networking/security-groups-for-pods.adoc | 1 + latest/ug/networking/security-groups-pods-deployment.adoc | 1 + latest/ug/networking/sg-pods-example-deployment.adoc | 1 + latest/ug/networking/vpc-add-on-create.adoc | 1 + latest/ug/networking/vpc-add-on-self-managed-update.adoc | 1 + latest/ug/networking/vpc-add-on-update.adoc | 1 + latest/ug/nodes/al2023.adoc | 3 +++ latest/ug/nodes/auto-get-logs.adoc | 3 +++ latest/ug/nodes/bottlerocket-compliance-support.adoc | 3 +++ latest/ug/nodes/choosing-instance-type.adoc | 3 +++ latest/ug/nodes/create-managed-node-group.adoc | 3 +++ latest/ug/nodes/delete-fargate-profile.adoc | 3 +++ latest/ug/nodes/delete-managed-node-group.adoc | 3 +++ latest/ug/nodes/dockershim-deprecation.adoc | 3 +++ latest/ug/nodes/eks-ami-build-scripts.adoc | 3 +++ latest/ug/nodes/eks-ami-versions-bottlerocket.adoc | 3 +++ latest/ug/nodes/eks-ami-versions-windows.adoc | 3 +++ latest/ug/nodes/eks-compute.adoc | 3 +++ latest/ug/nodes/eks-custom-ami-windows.adoc | 3 +++ latest/ug/nodes/eks-linux-ami-versions.adoc | 3 +++ latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc | 3 +++ latest/ug/nodes/eks-optimized-ami.adoc | 3 +++ latest/ug/nodes/eks-optimized-amis.adoc | 3 +++ latest/ug/nodes/eks-optimized-windows-ami.adoc | 3 +++ latest/ug/nodes/eks-partner-amis.adoc | 3 +++ latest/ug/nodes/fargate-getting-started.adoc | 3 +++ latest/ug/nodes/fargate-logging.adoc | 3 +++ latest/ug/nodes/fargate-pod-configuration.adoc | 3 +++ latest/ug/nodes/fargate-pod-patching.adoc | 3 +++ latest/ug/nodes/fargate-profile.adoc | 3 +++ latest/ug/nodes/fargate.adoc | 3 +++ latest/ug/nodes/hybrid-nodes-add-ons.adoc | 3 +++ latest/ug/nodes/hybrid-nodes-cluster-create.adoc | 3 +++ latest/ug/nodes/hybrid-nodes-cluster-prep.adoc | 3 +++ latest/ug/nodes/hybrid-nodes-cni.adoc | 3 +++ latest/ug/nodes/hybrid-nodes-creds.adoc | 3 +++ latest/ug/nodes/hybrid-nodes-join.adoc | 3 +++ latest/ug/nodes/hybrid-nodes-networking.adoc | 3 +++ latest/ug/nodes/hybrid-nodes-nodeadm.adoc | 3 +++ latest/ug/nodes/hybrid-nodes-os.adoc | 3 +++ latest/ug/nodes/hybrid-nodes-overview.adoc | 3 +++ latest/ug/nodes/hybrid-nodes-prereqs.adoc | 3 +++ latest/ug/nodes/hybrid-nodes-proxy.adoc | 3 +++ latest/ug/nodes/hybrid-nodes-remove.adoc | 3 +++ latest/ug/nodes/hybrid-nodes-troubleshooting.adoc | 3 +++ latest/ug/nodes/hybrid-nodes-tutorial.adoc | 3 +++ latest/ug/nodes/hybrid-nodes-upgrade.adoc | 3 +++ latest/ug/nodes/launch-node-bottlerocket.adoc | 3 +++ latest/ug/nodes/launch-node-ubuntu.adoc | 3 +++ latest/ug/nodes/launch-templates.adoc | 3 +++ latest/ug/nodes/launch-windows-workers.adoc | 3 +++ latest/ug/nodes/launch-workers.adoc | 3 +++ latest/ug/nodes/learn-status-conditions.adoc | 3 +++ latest/ug/nodes/managed-node-groups.adoc | 3 +++ latest/ug/nodes/managed-node-update-behavior.adoc | 3 +++ latest/ug/nodes/migrate-stack.adoc | 3 +++ latest/ug/nodes/monitoring-fargate-usage.adoc | 3 +++ latest/ug/nodes/node-health.adoc | 3 +++ latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc | 3 +++ latest/ug/nodes/retrieve-ami-id.adoc | 3 +++ latest/ug/nodes/retrieve-windows-ami-id.adoc | 3 +++ latest/ug/nodes/self-managed-windows-server-2022.adoc | 3 +++ latest/ug/nodes/update-managed-node-group.adoc | 3 +++ latest/ug/nodes/update-stack.adoc | 3 +++ latest/ug/nodes/update-workers.adoc | 3 +++ latest/ug/nodes/worker.adoc | 5 ++++- latest/ug/observability/cloudwatch.adoc | 3 +++ latest/ug/observability/control-plane-logs.adoc | 3 +++ latest/ug/observability/deploy-prometheus.adoc | 3 +++ latest/ug/observability/eks-observe.adoc | 3 +++ latest/ug/observability/enable-asg-metrics.adoc | 3 +++ latest/ug/observability/logging-using-cloudtrail.adoc | 3 +++ latest/ug/observability/observability-dashboard.adoc | 3 +++ latest/ug/observability/opentelemetry.adoc | 3 +++ latest/ug/observability/prometheus.adoc | 3 +++ latest/ug/observability/service-name-info-in-cloudtrail.adoc | 3 +++ .../ug/observability/understanding-service-name-entries.adoc | 3 +++ latest/ug/observability/view-raw-metrics.adoc | 3 +++ latest/ug/outposts/eks-outposts-capacity-considerations.adoc | 3 +++ latest/ug/outposts/eks-outposts-local-cluster-create.adoc | 3 +++ latest/ug/outposts/eks-outposts-local-cluster-overview.adoc | 3 +++ latest/ug/outposts/eks-outposts-network-disconnects.adoc | 3 +++ latest/ug/outposts/eks-outposts-platform-versions.adoc | 3 +++ latest/ug/outposts/eks-outposts-self-managed-nodes.adoc | 3 +++ latest/ug/outposts/eks-outposts-troubleshooting.adoc | 3 +++ latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc | 3 +++ latest/ug/outposts/eks-outposts.adoc | 3 +++ latest/ug/quickstart.adoc | 2 ++ latest/ug/related-projects.adoc | 3 +++ latest/ug/roadmap.adoc | 3 +++ latest/ug/security/auto-security.adoc | 3 +++ latest/ug/security/cert-signing.adoc | 2 ++ latest/ug/security/compliance.adoc | 3 +++ latest/ug/security/configuration-vulnerability-analysis.adoc | 3 +++ latest/ug/security/default-roles-users.adoc | 1 + latest/ug/security/disaster-recovery-resiliency.adoc | 2 ++ latest/ug/security/enable-kms.adoc | 2 ++ latest/ug/security/iam-reference/auto-cluster-iam-role.adoc | 3 +++ latest/ug/security/iam-reference/auto-create-node-role.adoc | 3 +++ latest/ug/security/iam-reference/cluster-iam-role.adoc | 3 +++ latest/ug/security/iam-reference/connector-iam-role.adoc | 2 ++ latest/ug/security/iam-reference/create-node-role.adoc | 3 +++ latest/ug/security/iam-reference/pod-execution-role.adoc | 1 + latest/ug/security/iam-reference/security-iam-awsmanpol.adoc | 3 +++ .../iam-reference/security-iam-id-based-policy-examples.adoc | 1 + .../iam-reference/security-iam-service-with-iam.adoc | 2 ++ .../ug/security/iam-reference/security-iam-troubleshoot.adoc | 3 +++ latest/ug/security/iam-reference/security-iam.adoc | 3 +++ .../using-service-linked-roles-eks-connector.adoc | 2 ++ .../using-service-linked-roles-eks-fargate.adoc | 2 ++ .../using-service-linked-roles-eks-nodegroups.adoc | 2 ++ .../using-service-linked-roles-eks-outpost.adoc | 3 +-- .../iam-reference/using-service-linked-roles-eks.adoc | 2 ++ .../security/iam-reference/using-service-linked-roles.adoc | 2 ++ latest/ug/security/infrastructure-security.adoc | 2 ++ latest/ug/security/manage-secrets.adoc | 2 ++ latest/ug/security/pod-security-policy-removal-faq.adoc | 2 ++ latest/ug/security/pod-security-policy.adoc | 1 + latest/ug/security/security-best-practices.adoc | 1 + latest/ug/security/security-eks.adoc | 3 +++ latest/ug/security/security-k8s.adoc | 3 +++ latest/ug/security/security.adoc | 3 +++ latest/ug/security/vpc-interface-endpoints.adoc | 1 + latest/ug/storage/csi-snapshot-controller.adoc | 3 +++ latest/ug/storage/ebs-csi-migration-faq.adoc | 3 +++ latest/ug/storage/ebs-csi.adoc | 3 +++ latest/ug/storage/efs-csi.adoc | 3 +++ latest/ug/storage/file-cache-csi.adoc | 3 +++ latest/ug/storage/fsx-csi.adoc | 3 +++ latest/ug/storage/fsx-ontap.adoc | 3 +++ latest/ug/storage/fsx-openzfs-csi.adoc | 3 +++ latest/ug/storage/s3-csi.adoc | 3 +++ latest/ug/storage/storage.adoc | 3 +++ latest/ug/troubleshooting/troubleshooting.adoc | 3 +++ latest/ug/what-is/common-use-cases.adoc | 3 +++ latest/ug/what-is/eks-architecture.adoc | 3 +++ latest/ug/what-is/eks-deployment-options.adoc | 3 +++ latest/ug/what-is/kubernetes-concepts.adoc | 2 ++ latest/ug/what-is/what-is-eks.adoc | 3 +++ latest/ug/workloads/add-ons-iam.adoc | 3 +++ latest/ug/workloads/add-ons-images.adoc | 3 +++ latest/ug/workloads/addon-compat.adoc | 1 + latest/ug/workloads/addon-id-troubleshoot.adoc | 3 +++ latest/ug/workloads/alb-ingress.adoc | 3 +++ latest/ug/workloads/community-addons.adoc | 3 +++ latest/ug/workloads/copy-image-to-repository.adoc | 3 +++ latest/ug/workloads/creating-an-add-on.adoc | 3 +++ latest/ug/workloads/eks-add-ons.adoc | 2 ++ latest/ug/workloads/eks-workloads.adoc | 3 +++ latest/ug/workloads/horizontal-pod-autoscaler.adoc | 3 +++ latest/ug/workloads/image-verification.adoc | 3 +++ latest/ug/workloads/kubernetes-field-management.adoc | 3 +++ latest/ug/workloads/network-load-balancing.adoc | 3 +++ latest/ug/workloads/remove-addon-role.adoc | 3 +++ latest/ug/workloads/removing-an-addon.adoc | 3 +++ latest/ug/workloads/restrict-service-external-ip.adoc | 3 +++ latest/ug/workloads/retreive-iam-info.adoc | 3 +++ latest/ug/workloads/sample-deployment-windows.adoc | 3 +++ latest/ug/workloads/sample-deployment.adoc | 3 +++ latest/ug/workloads/update-addon-role.adoc | 1 + latest/ug/workloads/updating-an-add-on.adoc | 2 ++ latest/ug/workloads/vertical-pod-autoscaler.adoc | 3 +++ latest/ug/workloads/workloads-add-ons-available-eks.adoc | 3 +++ latest/ug/workloads/workloads-add-ons-available-vendors.adoc | 1 + 338 files changed, 916 insertions(+), 20 deletions(-) diff --git a/build-info.xml b/build-info.xml index a0d5e5d52..2b2ad2f2f 100755 --- a/build-info.xml +++ b/build-info.xml @@ -26,12 +26,12 @@ mesh-gs-eks - + Amazon EKS Document History diff --git a/latest/ug/automode/associate-workload.adoc b/latest/ug/automode/associate-workload.adoc index 338282ac1..1ee3ef1b3 100644 --- a/latest/ug/automode/associate-workload.adoc +++ b/latest/ug/automode/associate-workload.adoc @@ -45,3 +45,6 @@ You can add this `nodeAffinity` to Deployments or other workloads to require Kub values: - auto ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[associate-workload,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/auto-configure-alb.adoc b/latest/ug/automode/auto-configure-alb.adoc index 29d235253..d50bc6acc 100644 --- a/latest/ug/automode/auto-configure-alb.adoc +++ b/latest/ug/automode/auto-configure-alb.adoc @@ -213,3 +213,6 @@ The following tables provide a detailed comparison of changes in IngressClassPar | `spec.targetType` optional | `spec.targetType` required | Explicit target type specification | `spec.networking.ingress.from` | Not supported | No longer supports NLB without security groups |=== + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-configure-alb,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/auto-configure-nlb.adoc b/latest/ug/automode/auto-configure-nlb.adoc index d02bebed5..026a116e4 100644 --- a/latest/ug/automode/auto-configure-nlb.adoc +++ b/latest/ug/automode/auto-configure-nlb.adoc @@ -161,3 +161,6 @@ This consolidated format provides a more consistent and flexible way to configur | `spec.targetType` optional | `spec.targetType` required | Explicit target type specification | `spec.networking.ingress.from` | Not supported | No longer supports NLB without security groups |=== + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-configure-nlb,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/auto-disable.adoc b/latest/ug/automode/auto-disable.adoc index d0bbbe3b8..3f9ec0b4d 100644 --- a/latest/ug/automode/auto-disable.adoc +++ b/latest/ug/automode/auto-disable.adoc @@ -59,3 +59,6 @@ To then delete the Security Group: ---- aws ec2 delete-security-group --group-name= ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-disable,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/auto-elb-example.adoc b/latest/ug/automode/auto-elb-example.adoc index 77b473a1d..a4a0b0ffd 100644 --- a/latest/ug/automode/auto-elb-example.adoc +++ b/latest/ug/automode/auto-elb-example.adoc @@ -241,3 +241,6 @@ If the game doesn't load: - Ensure all pods are running: `kubectl get pods -n game-2048` - Check ingress status: `kubectl describe ingress -n game-2048` - Verify ALB health checks: Check the target group health in {aws} Console + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-elb-example,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/auto-enable-existing.adoc b/latest/ug/automode/auto-enable-existing.adoc index b4e9108d0..c76168a3d 100644 --- a/latest/ug/automode/auto-enable-existing.adoc +++ b/latest/ug/automode/auto-enable-existing.adoc @@ -144,3 +144,6 @@ For more information, see <>. * To migrate Manage Node Group workloads, see <>. * To migrate from Self-Managed Karpenter, see <>. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-enable-existing,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/auto-glossary.adoc b/latest/ug/automode/auto-glossary.adoc index fe9d30bfc..2d0c24cb0 100644 --- a/latest/ug/automode/auto-glossary.adoc +++ b/latest/ug/automode/auto-glossary.adoc @@ -70,3 +70,6 @@ A feature that manages Amazon EBS volumes in Amazon EKS Auto Mode clusters. This EKS Auto Mode -- Load Balancing Capability:: A feature that manages Application Load Balancers and Network Load Balancers in Amazon EKS Auto Mode clusters. This capability automatically configures load balancers based on your service requirements. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-glossary,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/auto-learn-iam.adoc b/latest/ug/automode/auto-learn-iam.adoc index 8b817e46e..25036d11e 100644 --- a/latest/ug/automode/auto-learn-iam.adoc +++ b/latest/ug/automode/auto-learn-iam.adoc @@ -190,3 +190,6 @@ By default, the managed policies related to EKS Auto Mode do not permit applying == Access Policy Reference For more information about the Kubernetes permissions used by EKS Auto Mode, see <>. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-learn-iam,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/auto-migrate-karpenter.adoc b/latest/ug/automode/auto-migrate-karpenter.adoc index c56e82bae..6fc3e2146 100644 --- a/latest/ug/automode/auto-migrate-karpenter.adoc +++ b/latest/ug/automode/auto-migrate-karpenter.adoc @@ -131,3 +131,5 @@ spec: The steps to remove Karpenter depend on how you installed it. For more information, see the https://karpenter.sh/docs/getting-started/getting-started-with-karpenter/#create-a-cluster-and-add-karpenter[Karpenter install instructions] and the https://helm.sh/docs/helm/helm_uninstall/[Helm Uninstall command]. + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-migrate-karpenter,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/auto-migrate-mng.adoc b/latest/ug/automode/auto-migrate-mng.adoc index d0d2cab9b..24d40b66a 100644 --- a/latest/ug/automode/auto-migrate-mng.adoc +++ b/latest/ug/automode/auto-migrate-mng.adoc @@ -23,3 +23,6 @@ Use the following `eksctl` CLI command to initiate draining pods from the existi ---- eksctl update auto-mode-config --drain-all-nodegroups ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-migrate-mng,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/auto-mng.adoc b/latest/ug/automode/auto-mng.adoc index bacf3f782..679fcf74d 100644 --- a/latest/ug/automode/auto-mng.adoc +++ b/latest/ug/automode/auto-mng.adoc @@ -145,3 +145,6 @@ include::../attributes.txt[] | When EKS Auto Mode is enabled in your cluster, you pay a separate fee, in addition to the standard EC2 instance charges, for the instances launched using Auto Mode's compute capability. The amount varies with the instance type launched and the {aws} region where your cluster is located. For more information, see link:eks/pricing/["Amazon EKS pricing",type="marketing"]. |=== + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-mng,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/auto-net-pol.adoc b/latest/ug/automode/auto-net-pol.adoc index cce84df4d..31032e1ff 100644 --- a/latest/ug/automode/auto-net-pol.adoc +++ b/latest/ug/automode/auto-net-pol.adoc @@ -70,3 +70,6 @@ Once your nodes are using this Node Class, they will be able to enforce network ## Step 3: Create and test network policies Your EKS Auto Mode cluster is now configured to support Kubernetes network policies. You can test this with the <>. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-net-pol,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/auto-networking.adoc b/latest/ug/automode/auto-networking.adoc index 91497c8a1..aab9d435e 100644 --- a/latest/ug/automode/auto-networking.adoc +++ b/latest/ug/automode/auto-networking.adoc @@ -64,3 +64,6 @@ For more information, see <> or <>. * The `networking.ingress.ipBlock` field in `TargetGroupBinding` spec is not supported. * If your worker nodes use custom security groups (not `+eks-cluster-sg-*+` naming pattern), your cluster role needs additional IAM permissions. The default EKS-managed policy only allows EKS to modify security groups named `+eks-cluster-sg-*+`. Without permission to modify your custom security groups, EKS cannot add the required ingress rules that allow ALB/NLB traffic to reach your pods. * You cannot bring your own target groups. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-networking,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/auto-reference.adoc b/latest/ug/automode/auto-reference.adoc index 857923748..c18fad01e 100644 --- a/latest/ug/automode/auto-reference.adoc +++ b/latest/ug/automode/auto-reference.adoc @@ -33,3 +33,6 @@ include::auto-networking.adoc[leveloffset=+1] //include::term-reference.adoc[leveloffset=+1] //include::auto-glossary.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-reference,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/auto-tag-subnets.adoc b/latest/ug/automode/auto-tag-subnets.adoc index 511383171..cc8d61e67 100644 --- a/latest/ug/automode/auto-tag-subnets.adoc +++ b/latest/ug/automode/auto-tag-subnets.adoc @@ -76,3 +76,6 @@ aws ec2 create-tags \ ---- Replace `subnet-ID` with your actual subnet ID. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-tag-subnets-console,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/auto-troubleshoot.adoc b/latest/ug/automode/auto-troubleshoot.adoc index b20599f57..9b5521ee2 100644 --- a/latest/ug/automode/auto-troubleshoot.adoc +++ b/latest/ug/automode/auto-troubleshoot.adoc @@ -251,4 +251,7 @@ With these two pieces of information, you can perform the s analysis. First navi If you have a problem with a controller, you should research: * If the resources associated with that controller are properly formatted and valid. -* If the {aws} IAM and Kubernetes RBAC resources are properly configured for your cluster. For more information, see <>. \ No newline at end of file +* If the {aws} IAM and Kubernetes RBAC resources are properly configured for your cluster. For more information, see <>. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-troubleshoot,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/auto-upgrade.adoc b/latest/ug/automode/auto-upgrade.adoc index f46e6f007..3ef6b6372 100644 --- a/latest/ug/automode/auto-upgrade.adoc +++ b/latest/ug/automode/auto-upgrade.adoc @@ -35,3 +35,6 @@ Learn link:eks/latest/best-practices/cluster-upgrades.html["Best Practices for C == Start Cluster Update To start a cluster update, see <>. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-upgrade,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/auto-workloads.adoc b/latest/ug/automode/auto-workloads.adoc index 94adaec1f..f016d7c51 100644 --- a/latest/ug/automode/auto-workloads.adoc +++ b/latest/ug/automode/auto-workloads.adoc @@ -27,3 +27,6 @@ include::automode-workload.adoc[leveloffset=+1] include::auto-elb-example.adoc[leveloffset=+1] include::sample-storage-workload.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-workloads,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/automode-get-started-cli.adoc b/latest/ug/automode/automode-get-started-cli.adoc index f90361f31..5ae05ea6c 100644 --- a/latest/ug/automode/automode-get-started-cli.adoc +++ b/latest/ug/automode/automode-get-started-cli.adoc @@ -323,3 +323,6 @@ kubectl get nodepools == Next Steps * Learn how to xref:automode-workload[deploy a sample workload] to your new EKS Auto Mode cluster. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[automode-get-started-cli,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/automode-get-started-console.adoc b/latest/ug/automode/automode-get-started-console.adoc index ab7d57a74..4c4380bc1 100644 --- a/latest/ug/automode/automode-get-started-console.adoc +++ b/latest/ug/automode/automode-get-started-console.adoc @@ -47,3 +47,6 @@ You must be logged into the {aws-management-console} with sufficent permissions * Learn how to xref:sample-storage-workload[Deploy a Sample Workload to your EKS Auto Mode cluster] //call out refactored IAM + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[automode-get-started-console,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/automode-get-started-eksctl.adoc b/latest/ug/automode/automode-get-started-eksctl.adoc index b813d03e4..cc3a1c1fa 100644 --- a/latest/ug/automode/automode-get-started-eksctl.adoc +++ b/latest/ug/automode/automode-get-started-eksctl.adoc @@ -75,3 +75,6 @@ Save the `ClusterConfig` file as `cluster.yaml`, and use the following command t ---- eksctl create cluster -f cluster.yaml ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[automode-get-started-eksctl,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/automode-learn-instances.adoc b/latest/ug/automode/automode-learn-instances.adoc index 6ffab05b3..b7347e0a3 100644 --- a/latest/ug/automode/automode-learn-instances.adoc +++ b/latest/ug/automode/automode-learn-instances.adoc @@ -106,3 +106,6 @@ EKS Auto Mode supports the following instance types: * Amazon EKS Auto Mode does not support {aws} Fault Injection Service. For more information, see link:resilience-hub/latest/userguide/testing.html["Managing Fault Injection Service experiments",type="documentation"] in the {aws} Resilience Hub User Guide. * You do not need to install the `Neuron Device Plugin` on EKS Auto Mode nodes. ** If you have other types of nodes in your cluster, you need to configure the Neuron Device plugin to not run on auto mode nodes. For more information, see <>. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[automode-learn-instances,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/automode-workload.adoc b/latest/ug/automode/automode-workload.adoc index 72bdea10c..28ecd7e30 100644 --- a/latest/ug/automode/automode-workload.adoc +++ b/latest/ug/automode/automode-workload.adoc @@ -127,3 +127,6 @@ If you have no other workloads deployed to your cluster, the node created by EKS In the default configration, EKS Auto Mode detects nodes that have been empty for thirty seconds, and terminates them. Use `kubectl` or the EC2 console to confirm the associated instance has been deleted. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[automode-workload,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/automode.adoc b/latest/ug/automode/automode.adoc index cfca93a55..320aec32c 100644 --- a/latest/ug/automode/automode.adoc +++ b/latest/ug/automode/automode.adoc @@ -92,3 +92,6 @@ include::auto-reference.adoc[leveloffset=+1] include::auto-troubleshoot.adoc[leveloffset=+1] //include::wip.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[automode,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/create-auto.adoc b/latest/ug/automode/create-auto.adoc index f2ceb951d..e33d561a8 100644 --- a/latest/ug/automode/create-auto.adoc +++ b/latest/ug/automode/create-auto.adoc @@ -38,3 +38,6 @@ include::automode-get-started-eksctl.adoc[leveloffset=+1] include::automode-get-started-cli.adoc[leveloffset=+1] include::automode-get-started-console.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[create-auto,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/create-node-class.adoc b/latest/ug/automode/create-node-class.adoc index d701bf096..2f526631d 100644 --- a/latest/ug/automode/create-node-class.adoc +++ b/latest/ug/automode/create-node-class.adoc @@ -159,3 +159,6 @@ spec: * If you change the Node IAM Role associated with a NodeClass, you will need to create a new Access Entry. EKS automatically creates an Access Entry for the Node IAM Role during cluster creation. The Node IAM Role requires the `AmazonEKSAutoNodePolicy` EKS Access Policy. For more information, see <>. * EKS limits the maximum number of pods on a node to 110. This limit is applied after the existing max pods calculation. For more information, see <>. * If you want to propagate tags from Kubernetes to EC2, you need to configure additional IAM permissions. For more information, see <>. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[create-node-class,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/create-node-pool.adoc b/latest/ug/automode/create-node-pool.adoc index ff96ad406..873857d33 100644 --- a/latest/ug/automode/create-node-pool.adoc +++ b/latest/ug/automode/create-node-pool.adoc @@ -219,3 +219,6 @@ By default, EKS Auto Mode: - Consolidates underutilized instances. - Terminates instances after 720 hours. - Sets a single disruption budget of 10% of nodes. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[create-node-pool,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/create-storage-class.adoc b/latest/ug/automode/create-storage-class.adoc index 68a3be308..8fbc6df82 100644 --- a/latest/ug/automode/create-storage-class.adoc +++ b/latest/ug/automode/create-storage-class.adoc @@ -235,3 +235,6 @@ For more information, see: ---- .. Select *Next* . Review the add-on configuration and then select *Create* + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[create-storage-class,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/critical-workload.adoc b/latest/ug/automode/critical-workload.adoc index bd07b15fc..0ea2acbc0 100644 --- a/latest/ug/automode/critical-workload.adoc +++ b/latest/ug/automode/critical-workload.adoc @@ -66,3 +66,6 @@ To update a workload to run on the `system` node pool, you need to: . Deploy the updated workload to your cluster with `kubectl apply` After updating the workload, it will run on dedicated nodes. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[critical-workload,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/migrate-auto.adoc b/latest/ug/automode/migrate-auto.adoc index c1c854962..171a2dfaa 100644 --- a/latest/ug/automode/migrate-auto.adoc +++ b/latest/ug/automode/migrate-auto.adoc @@ -74,3 +74,6 @@ include::auto-enable-existing.adoc[leveloffset=+1] include::auto-migrate-karpenter.adoc[leveloffset=+1] include::auto-migrate-mng.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[migrate-auto,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/old/hpa_scaling.adoc b/latest/ug/automode/old/hpa_scaling.adoc index dc23e3215..de510943e 100644 --- a/latest/ug/automode/old/hpa_scaling.adoc +++ b/latest/ug/automode/old/hpa_scaling.adoc @@ -237,3 +237,6 @@ helm uninstall metrics-server -n kube-system kubectl delete hpa retail-store-sample-ui-hpa kubectl delete load-generator ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-hpa-scaling,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/sample-storage-workload.adoc b/latest/ug/automode/sample-storage-workload.adoc index 41a543386..7a379114e 100644 --- a/latest/ug/automode/sample-storage-workload.adoc +++ b/latest/ug/automode/sample-storage-workload.adoc @@ -224,3 +224,6 @@ deletionPolicy: Delete ---- https://github.com/kubernetes-csi/external-snapshotter/blob/master/README.md#usage[Learn more about the Kubernetes CSI Snapshotter.] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[sample-storage-workload,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/set-builtin-node-pools.adoc b/latest/ug/automode/set-builtin-node-pools.adoc index 7234d75e0..dd72707d8 100644 --- a/latest/ug/automode/set-builtin-node-pools.adoc +++ b/latest/ug/automode/set-builtin-node-pools.adoc @@ -58,3 +58,5 @@ aws eks update-cluster-config \ --compute-config '{"nodePools": []}' ---- + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[set-builtin-node-pools,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/settings-auto.adoc b/latest/ug/automode/settings-auto.adoc index 4b5aa72a1..dc0e899e6 100644 --- a/latest/ug/automode/settings-auto.adoc +++ b/latest/ug/automode/settings-auto.adoc @@ -110,3 +110,6 @@ include::critical-workload.adoc[leveloffset=+1] include::auto-net-pol.adoc[leveloffset=+1] include::auto-tag-subnets.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[settings-auto,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/troubleshoot-lbc.adoc b/latest/ug/automode/troubleshoot-lbc.adoc index 0b4d5fb5b..3c7163b6d 100644 --- a/latest/ug/automode/troubleshoot-lbc.adoc +++ b/latest/ug/automode/troubleshoot-lbc.adoc @@ -100,3 +100,6 @@ For stuck resources: - link:https://docs.aws.amazon.com/eks/latest/userguide/troubleshooting.html[{aws} EKS Troubleshooting] - link:https://console.aws.amazon.com/support/home[{aws} Support Center] - link:https://status.aws.amazon.com/[{aws} Service Health Dashboard] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[troubleshoot-lbc,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/wip.adoc b/latest/ug/automode/wip.adoc index f2ad32251..3af0153ce 100644 --- a/latest/ug/automode/wip.adoc +++ b/latest/ug/automode/wip.adoc @@ -16,3 +16,6 @@ This section contains in-progress revisions for existing pages in other chapters //include::wip/auto-cluster-iam-role.adoc[leveloffset=+1] //include::wip/auto-create-node-role.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-wip,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/wip/create-vpc-console.adoc b/latest/ug/automode/wip/create-vpc-console.adoc index 32f2161e9..0f9598fbf 100644 --- a/latest/ug/automode/wip/create-vpc-console.adoc +++ b/latest/ug/automode/wip/create-vpc-console.adoc @@ -144,3 +144,6 @@ kubernetes.io/role/internal-elb = 1 - EKS Best Practices Guide - VPC Pricing Calculator - EKS Networking Documentation + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[create-vpc-console,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/wip/eksctl-docs.adoc b/latest/ug/automode/wip/eksctl-docs.adoc index 5ed8bfd4f..c0cc1d8dd 100644 --- a/latest/ug/automode/wip/eksctl-docs.adoc +++ b/latest/ug/automode/wip/eksctl-docs.adoc @@ -115,3 +115,6 @@ $ eksctl update auto-mode-config -f cluster.yaml == Further information - xref:automode[EKS Auto Mode] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eksctl-docs,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/wip/tag-subnets.adoc b/latest/ug/automode/wip/tag-subnets.adoc index 9686b770f..91e069f36 100644 --- a/latest/ug/automode/wip/tag-subnets.adoc +++ b/latest/ug/automode/wip/tag-subnets.adoc @@ -28,3 +28,6 @@ Your subnets require specific tags based on their intended use: - For private subnets: Key = `kubernetes.io/role/internal-elb`, Value = `1` - For public subnets: Key = `kubernetes.io/role/elb`, Value = `1` 7. Click **Save** + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[tag-subnets,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/book.adoc b/latest/ug/book.adoc index a29eacfe2..3c305004e 100644 --- a/latest/ug/book.adoc +++ b/latest/ug/book.adoc @@ -31,7 +31,7 @@ This is official Amazon Web Services ({aws}) documentation for Amazon Elastic Ku *Help improve this page* [.banner.info] -Want to contribute to this user guide? Choose the *Edit this page on GitHub* link that is located in the right pane of every page. Your contributions will help make our user guide better for everyone. +Want to contribute to this user guide? Choose the 📝 *Edit this page on GitHub* link that is located at the bottom of every page. Your contributions will help make our user guide better for everyone. include::what-is/what-is-eks.adoc[leveloffset=+1] diff --git a/latest/ug/clusters/autoscaling.adoc b/latest/ug/clusters/autoscaling.adoc index a650b459a..cd49ffa38 100644 --- a/latest/ug/clusters/autoscaling.adoc +++ b/latest/ug/clusters/autoscaling.adoc @@ -38,3 +38,6 @@ Karpenter is open-source software which {aws} customers are responsible for inst *Cluster Autoscaler*:: The [.noloc]`Kubernetes` Cluster Autoscaler automatically adjusts the number of nodes in your cluster when pods fail or are rescheduled onto other nodes. The Cluster Autoscaler uses Auto Scaling groups. For more information, see https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaler on {aws}]. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[autoscaling,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/cluster-endpoint.adoc b/latest/ug/clusters/cluster-endpoint.adoc index 48de9ae67..310135d06 100644 --- a/latest/ug/clusters/cluster-endpoint.adoc +++ b/latest/ug/clusters/cluster-endpoint.adoc @@ -247,3 +247,6 @@ When you configure `kubectl` for your bastion host, be sure to use {aws} credent {aws} Cloud9 is a cloud-based integrated development environment (IDE) that lets you write, run, and debug your code with just a browser. You can create an {aws} Cloud9 IDE in your cluster's VPC and use the IDE to communicate with your cluster. For more information, see link:cloud9/latest/user-guide/create-environment.html[Creating an environment in {aws} Cloud9,type="documentation"]. You must ensure that your Amazon EKS control plane security group contains rules to allow ingress traffic on port 443 from your IDE security group. For more information, see <>. + When you configure `kubectl` for your {aws} Cloud9 IDE, be sure to use {aws} credentials that are already mapped to your cluster's RBAC configuration, or add the IAM principal that your IDE will use to the RBAC configuration before you remove endpoint public access. For more information, see <> and <>. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cluster-endpoint,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/cluster-insights.adoc b/latest/ug/clusters/cluster-insights.adoc index 68147f723..dfc2065c6 100644 --- a/latest/ug/clusters/cluster-insights.adoc +++ b/latest/ug/clusters/cluster-insights.adoc @@ -198,3 +198,6 @@ An example output is as follows. }, } ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cluster-insights,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/clusters.adoc b/latest/ug/clusters/clusters.adoc index 52b9ab701..a6e56f22b 100644 --- a/latest/ug/clusters/clusters.adoc +++ b/latest/ug/clusters/clusters.adoc @@ -89,3 +89,6 @@ include::autoscaling.adoc[leveloffset=+1] include::zone-shift.adoc[leveloffset=+1] include::zone-shift-enable.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[clusters,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/create-cluster-auto.adoc b/latest/ug/clusters/create-cluster-auto.adoc index b1da7aa1f..4c77ef4d9 100644 --- a/latest/ug/clusters/create-cluster-auto.adoc +++ b/latest/ug/clusters/create-cluster-auto.adoc @@ -328,3 +328,6 @@ aws eks describe-cluster --region region-code --name my-cluster --query "cluster * <>. * <>. * <>. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[create-cluster-auto,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/create-cluster.adoc b/latest/ug/clusters/create-cluster.adoc index ec41e44f6..8749d83b0 100644 --- a/latest/ug/clusters/create-cluster.adoc +++ b/latest/ug/clusters/create-cluster.adoc @@ -321,3 +321,6 @@ If you deploy your cluster using either `eksctl` or the {aws} CLI, then the [.no * <>. * <>. * <>. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[create-cluster,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/delete-cluster.adoc b/latest/ug/clusters/delete-cluster.adoc index 706cf38f8..d1dc98170 100644 --- a/latest/ug/clusters/delete-cluster.adoc +++ b/latest/ug/clusters/delete-cluster.adoc @@ -187,3 +187,6 @@ aws cloudformation list-stacks --query "StackSummaries[].StackName" ---- aws cloudformation delete-stack --stack-name my-vpc-stack ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[delete-cluster,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/disable-extended-support.adoc b/latest/ug/clusters/disable-extended-support.adoc index 7dfa2985a..3fef2d580 100644 --- a/latest/ug/clusters/disable-extended-support.adoc +++ b/latest/ug/clusters/disable-extended-support.adoc @@ -37,3 +37,6 @@ aws eks update-cluster-config \ --name \ --upgrade-policy supportType=STANDARD ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[disable-extended-support,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/disable-windows-support.adoc b/latest/ug/clusters/disable-windows-support.adoc index a1852e14e..1f4a1acf9 100644 --- a/latest/ug/clusters/disable-windows-support.adoc +++ b/latest/ug/clusters/disable-windows-support.adoc @@ -23,3 +23,6 @@ kubectl patch configmap/amazon-vpc-cni \ --type merge \ -p '{"data":{"enable-windows-ipam":"false"}}' ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[disable-windows-support,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/enable-extended-support.adoc b/latest/ug/clusters/enable-extended-support.adoc index 6667544ae..684929587 100644 --- a/latest/ug/clusters/enable-extended-support.adoc +++ b/latest/ug/clusters/enable-extended-support.adoc @@ -41,3 +41,6 @@ aws eks update-cluster-config \ --name \ --upgrade-policy supportType=EXTENDED ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[enable-extended-support,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/kubernetes-versions-extended.adoc b/latest/ug/clusters/kubernetes-versions-extended.adoc index a23a1a0c7..154d94f09 100644 --- a/latest/ug/clusters/kubernetes-versions-extended.adoc +++ b/latest/ug/clusters/kubernetes-versions-extended.adoc @@ -159,3 +159,6 @@ The [.noloc]`PSP` admission controller enforces [.noloc]`Pod` security standards * The https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/[goaway-chance] option in the [.noloc]`Kubernetes` API server helps prevent `HTTP/2` client connections from being stuck on a single API server instance, by randomly closing a connection. When the connection is closed, the client will try to reconnect, and will likely land on a different API server as a result of load balancing. Amazon EKS version `1.23` has enabled `goaway-chance` flag. If your workload running on Amazon EKS cluster uses a client that is not compatible with https://www.rfc-editor.org/rfc/rfc7540#section-6.8[HTTP GOAWAY], we recommend that you update your client to handle `GOAWAY` by reconnecting on connection termination. For the complete [.noloc]`Kubernetes` `1.23` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.23.md#changelog-since-v1220. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[kubernetes-versions-extended,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/kubernetes-versions-standard.adoc b/latest/ug/clusters/kubernetes-versions-standard.adoc index 66f7f7ae4..6d4447a23 100644 --- a/latest/ug/clusters/kubernetes-versions-standard.adoc +++ b/latest/ug/clusters/kubernetes-versions-standard.adoc @@ -133,3 +133,6 @@ kubectl get cm kube-apiserver-legacy-service-account-token-tracking -n kube-syst ---- For the complete [.noloc]`Kubernetes` `1.29` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1280. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[kubernetes-versions-standard,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/kubernetes-versions.adoc b/latest/ug/clusters/kubernetes-versions.adoc index 9fcb33151..107c058c9 100644 --- a/latest/ug/clusters/kubernetes-versions.adoc +++ b/latest/ug/clusters/kubernetes-versions.adoc @@ -272,3 +272,6 @@ include::view-upgrade-policy.adoc[leveloffset=+1] include::enable-extended-support.adoc[leveloffset=+1] include::disable-extended-support.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[kubernetes-versions,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/management/cost-monitoring-aws.adoc b/latest/ug/clusters/management/cost-monitoring-aws.adoc index ca791c21d..7f3c02723 100644 --- a/latest/ug/clusters/management/cost-monitoring-aws.adoc +++ b/latest/ug/clusters/management/cost-monitoring-aws.adoc @@ -27,3 +27,6 @@ Use the following for _Split Cost Allocation Data_: . Opt in to Split Cost Allocation Data. For more information, see link:cur/latest/userguide/enabling-split-cost-allocation-data.html[Enabling split cost allocation data,type="documentation"] in the {aws} Cost and Usage Report User Guide. . Include the data in a new or existing report. . View the report. You can use the Billing and Cost Management console or view the report files in Amazon Simple Storage Service. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cost-monitoring-aws,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc b/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc index eb0adab99..423016dcb 100644 --- a/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc +++ b/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc @@ -326,3 +326,6 @@ image::images/kubecost-architecture.png[Kubecost architecture,scaledwidth=100%] With https://prometheus.io/[Prometheus] pre-installed, you can write queries to ingest [.noloc]`Kubecost` data into your current business intelligence system for further analysis. You can also use it as a data source for your current https://grafana.com/[Grafana] dashboard to display Amazon EKS cluster costs that your internal teams are familiar with. To learn more about how to write [.noloc]`Prometheus` queries, see the https://github.com/opencost/opencost/blob/develop/PROMETHEUS.md[Prometheus Configuration]``readme`` file on GitHub or use the example [.noloc]`Grafana` JSON models in the https://github.com/kubecost/cost-analyzer-helm-chart/tree/develop/cost-analyzer[Kubecost Github repository] as references. * *{aws} Cost and Usage Report integration* – To perform cost allocation calculations for your Amazon EKS cluster, [.noloc]`Kubecost` retrieves the public pricing information of {aws} services and {aws} resources from the {aws} Price List API. You can also integrate [.noloc]`Kubecost` with *{aws} Cost and Usage Report*:: to enhance the accuracy of the pricing information specific to your {aws} account. This information includes enterprise discount programs, reserved instance usage, savings plans, and spot usage. To learn more about how the {aws} Cost and Usage Report integration works, see https://docs.kubecost.com/install-and-configure/install/cloud-integration/aws-cloud-integrations[{aws} Cloud Billing Integration] in the [.noloc]`Kubecost` documentation. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cost-monitoring-kubecost-bundles,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/management/cost-monitoring-kubecost.adoc b/latest/ug/clusters/management/cost-monitoring-kubecost.adoc index 63062536d..8967534aa 100644 --- a/latest/ug/clusters/management/cost-monitoring-kubecost.adoc +++ b/latest/ug/clusters/management/cost-monitoring-kubecost.adoc @@ -112,3 +112,6 @@ image::images/kubecost.png[Kubecost dashboard,scaledwidth=100%] * *Cost allocation* – View monthly Amazon EKS costs and cumulative costs for each of your namespaces and other dimensions over the past seven days. This is helpful for understanding which parts of your application are contributing to Amazon EKS spend. * *Assets* – View the costs of the {aws} infrastructure assets that are associated with your Amazon EKS resources. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cost-monitoring-kubecost,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/management/cost-monitoring.adoc b/latest/ug/clusters/management/cost-monitoring.adoc index d377f8859..2befea777 100644 --- a/latest/ug/clusters/management/cost-monitoring.adoc +++ b/latest/ug/clusters/management/cost-monitoring.adoc @@ -22,3 +22,6 @@ include::cost-monitoring-aws.adoc[leveloffset=+1] include::cost-monitoring-kubecost.adoc[leveloffset=+1] include::cost-monitoring-kubecost-bundles.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cost-monitoring,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/management/eks-managing.adoc b/latest/ug/clusters/management/eks-managing.adoc index ca17693b9..73fc3f50d 100644 --- a/latest/ug/clusters/management/eks-managing.adoc +++ b/latest/ug/clusters/management/eks-managing.adoc @@ -34,3 +34,6 @@ include::eks-using-tags.adoc[leveloffset=+1] include::service-quotas.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-managing,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/management/eks-using-tags.adoc b/latest/ug/clusters/management/eks-using-tags.adoc index 2e573c2dc..4bc28669c 100644 --- a/latest/ug/clusters/management/eks-using-tags.adoc +++ b/latest/ug/clusters/management/eks-using-tags.adoc @@ -209,3 +209,6 @@ When you use some resource-creating actions, you can specify tags at the same ti |=== * If you want to also tag the Amazon EC2 instances when you create a managed node group, create the managed node group using a launch template. For more information, see <>. If your instances already exist, you can manually tag the instances. For more information, see link:AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources[Tagging your resources,type="documentation"] in the Amazon EC2 User Guide. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-using-tags,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/management/helm.adoc b/latest/ug/clusters/management/helm.adoc index 4a546ea93..13cb893fb 100644 --- a/latest/ug/clusters/management/helm.adoc +++ b/latest/ug/clusters/management/helm.adoc @@ -71,3 +71,6 @@ v3.9.0 ** Experiment by installing an example chart. See https://helm.sh/docs/intro/quickstart#install-an-example-chart[Install an example chart] in the Helm https://helm.sh/docs/intro/quickstart/[Quickstart guide]. ** Create an example chart and push it to Amazon ECR. For more information, see link:AmazonECR/latest/userguide/push-oci-artifact.html[Pushing a Helm chart,type="documentation"] in the _Amazon Elastic Container Registry User Guide_. ** Install an Amazon EKS chart from the https://github.com/aws/eks-charts#eks-charts[eks-charts][.noloc]`GitHub` repo or from https://artifacthub.io/packages/search?page=1&repo=aws[ArtifactHub]. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[helm,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/management/metrics-server.adoc b/latest/ug/clusters/management/metrics-server.adoc index 677221587..beb257393 100644 --- a/latest/ug/clusters/management/metrics-server.adoc +++ b/latest/ug/clusters/management/metrics-server.adoc @@ -74,3 +74,6 @@ metrics-server 1/1 1 1 6m kubectl top nodes ---- . If you receive the error message `Error from server (Forbidden)`, you need to update your Kubernetes RBAC configuration. Your Kubernetes RBAC identity needs sufficent permissions to read cluster metrics. Review the https://github.com/kubernetes-sigs/metrics-server/blob/e285375a49e3bf77ddd78c08a05aaa44f2249ebd/manifests/base/rbac.yaml#L5C9-L5C41[minimum required Kubernetes API permissions for reading metrics] on GitHub. Learn how to <>. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[metrics-server,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/management/service-quotas.adoc b/latest/ug/clusters/management/service-quotas.adoc index 863630e93..8e9749c7a 100644 --- a/latest/ug/clusters/management/service-quotas.adoc +++ b/latest/ug/clusters/management/service-quotas.adoc @@ -89,3 +89,6 @@ To view default {aws} Fargate on EKS service quotas, see link:general/latest/gr/ Fargate additionally enforces Amazon ECS tasks and Amazon EKS [.noloc]`Pods` launch rate quotas. For more information, see link:AmazonECS/latest/developerguide/throttling.html[{aws} Fargate throttling quotas,type="documentation"] in the _Amazon ECS guide_. ==== + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[service-quotas,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/platform-versions.adoc b/latest/ug/clusters/platform-versions.adoc index 7660b77e9..51f81c67e 100644 --- a/latest/ug/clusters/platform-versions.adoc +++ b/latest/ug/clusters/platform-versions.adoc @@ -911,3 +911,6 @@ An example output is as follows. You cannot change the platform version of an EKS cluster. When new Amazon EKS platform versions become available for a [.noloc]`Kubernetes` version, EKS automatically upgrades all existing clusters to the latest Amazon EKS platform version for their corresponding [.noloc]`Kubernetes` version. Automatic upgrades of existing Amazon EKS platform versions are rolled out incrementally. You cannot use the {aws} Console or CLI to change the platform version. If you upgrade your [.noloc]`Kubernetes` version, your cluster will move onto the most recent platform version for the [.noloc]`Kubernetes` version. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[platform-versions,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/private-clusters.adoc b/latest/ug/clusters/private-clusters.adoc index 2213c6cdd..bf71eb814 100644 --- a/latest/ug/clusters/private-clusters.adoc +++ b/latest/ug/clusters/private-clusters.adoc @@ -100,3 +100,6 @@ We recommend that you link:vpc/latest/privatelink/interface-endpoints.html#enabl The controller supports network load balancers with IP targets, which are required for use with Fargate. For more information, see <> and <>. * https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaler] is supported. When deploying Cluster Autoscaler [.noloc]`Pods`, make sure that the command line includes `--aws-use-static-instance-list=true`. For more information, see https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md#use-static-instance-list[Use Static Instance List] on [.noloc]`GitHub`. The worker node VPC must also include the {aws} STS VPC endpoint and autoscaling VPC endpoint. * Some container software products use API calls that access the {aws} Marketplace Metering Service to monitor usage. Private clusters do not allow these calls, so you can't use these container types in private clusters. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[private-clusters,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/update-cluster.adoc b/latest/ug/clusters/update-cluster.adoc index b2b577c6f..faa6aafcc 100644 --- a/latest/ug/clusters/update-cluster.adoc +++ b/latest/ug/clusters/update-cluster.adoc @@ -246,3 +246,6 @@ kubectl apply -f https://raw.githubusercontent.com/NVIDIA/k8s-device-plugin/vX.X == Downgrade the [.noloc]`Kubernetes` version for an Amazon EKS cluster You cannot downgrade the [.noloc]`Kubernetes` of an Amazon EKS cluster. Instead, create a new cluster on a previous Amazon EKS version and migrate the workloads. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[update-cluster,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/view-support-status.adoc b/latest/ug/clusters/view-support-status.adoc index 17d152a59..eacbb636a 100644 --- a/latest/ug/clusters/view-support-status.adoc +++ b/latest/ug/clusters/view-support-status.adoc @@ -19,3 +19,6 @@ For more information about standard and extended support, see <>. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[windows-support,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/zone-shift-enable.adoc b/latest/ug/clusters/zone-shift-enable.adoc index 04864b8c3..1551eb740 100644 --- a/latest/ug/clusters/zone-shift-enable.adoc +++ b/latest/ug/clusters/zone-shift-enable.adoc @@ -65,3 +65,6 @@ If you want {aws} to detect and avoid impaired availability zones, you need to c * Learn how to link:r53recovery/latest/dg/arc-zonal-autoshift.start-cancel.html["enable zonal autoshift",type="documentation"] * Learn how to manually link:r53recovery/latest/dg/arc-zonal-shift.start-cancel.html["start a zonal shift",type="documentation"] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[zone-shift-enable,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/zone-shift.adoc b/latest/ug/clusters/zone-shift.adoc index a956cd398..7b614a483 100644 --- a/latest/ug/clusters/zone-shift.adoc +++ b/latest/ug/clusters/zone-shift.adoc @@ -273,3 +273,6 @@ You can use ARC zonal shift and zonal autoshift in your EKS cluster at no additi * link:blogs/containers/operating-resilient-workloads-on-amazon-eks/["Operating resilient workloads on Amazon EKS",type="marketing"] * link:blogs/containers/eliminate-kubernetes-node-scaling-lag-with-pod-priority-and-over-provisioning/["Eliminate Kubernetes node scaling lag with pod priority and over-provisioning",type="marketing"] * link:eks/latest/userguide/coredns-autoscaling.html["Scale CoreDNS Pods for high DNS traffic",type="documentation"] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[zone-shift,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/connector/connecting-cluster.adoc b/latest/ug/connector/connecting-cluster.adoc index e3f43ee8c..76f8d3ac0 100644 --- a/latest/ug/connector/connecting-cluster.adoc +++ b/latest/ug/connector/connecting-cluster.adoc @@ -210,3 +210,6 @@ The output should include `status=ACTIVE`. If you have any issues with these steps, see <>. To grant additional link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"] access to the Amazon EKS console to view [.noloc]`Kubernetes` resources in a connected cluster, see <>. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[connecting-cluster,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/connector/connector-grant-access.adoc b/latest/ug/connector/connector-grant-access.adoc index 626c8af55..2106c2184 100644 --- a/latest/ug/connector/connector-grant-access.adoc +++ b/latest/ug/connector/connector-grant-access.adoc @@ -68,3 +68,6 @@ kubectl apply -f eks-connector-console-dashboard-full-access-group.yaml ---- To view [.noloc]`Kubernetes` resources in your connected cluster, see <>. Data for some resource types on the *Resources* tab isn't available for connected clusters. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[connector-grant-access,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/connector/deregister-connected-cluster.adoc b/latest/ug/connector/deregister-connected-cluster.adoc index f3d8ba68f..4e975778a 100644 --- a/latest/ug/connector/deregister-connected-cluster.adoc +++ b/latest/ug/connector/deregister-connected-cluster.adoc @@ -87,3 +87,6 @@ helm -n eks-connector uninstall eks-connector kubectl delete -f eks-connector.yaml ---- . If you created `clusterrole` or `clusterrolebindings` for additional link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"] to access the cluster, delete them from your [.noloc]`Kubernetes` cluster. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[deregister-connected-cluster,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/connector/eks-connector.adoc b/latest/ug/connector/eks-connector.adoc index b7a9155d7..19500a868 100644 --- a/latest/ug/connector/eks-connector.adoc +++ b/latest/ug/connector/eks-connector.adoc @@ -82,3 +82,6 @@ include::tsc-faq.adoc[leveloffset=+1] include::security-connector.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-connector,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/connector/security-connector.adoc b/latest/ug/connector/security-connector.adoc index 8329a7264..78c0071d3 100644 --- a/latest/ug/connector/security-connector.adoc +++ b/latest/ug/connector/security-connector.adoc @@ -36,3 +36,6 @@ This topic describes the differences in the responsibility model if the connecte * Installing and upgrading Amazon EKS Connector. * Maintaining the hardware, software, and infrastructure that supports the connected [.noloc]`Kubernetes` cluster. * Securing their {aws} accounts (for example, through safeguarding your link:IAM/latest/UserGuide/best-practices.html#lock-away-credentials[root user credentials,type="documentation"]). + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[security-connector,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/connector/troubleshooting-connector.adoc b/latest/ug/connector/troubleshooting-connector.adoc index dcfe7f921..065a4f2dc 100644 --- a/latest/ug/connector/troubleshooting-connector.adoc +++ b/latest/ug/connector/troubleshooting-connector.adoc @@ -269,3 +269,6 @@ eks-connector-0 0/2 Init:ImagePullBackOff 0 4s ---- The default Amazon EKS Connector manifest file references images from the https://gallery.ecr.aws/[Amazon ECR Public Gallery]. It's possible that the target [.noloc]`Kubernetes` cluster can't pull images from the Amazon ECR Public Gallery. Either resolve the Amazon ECR Public Gallery image pull issue, or consider mirroring the images in the private container registry of your choice. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[troubleshooting-connector,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/connector/tsc-faq.adoc b/latest/ug/connector/tsc-faq.adoc index 359530e1e..865ae79af 100644 --- a/latest/ug/connector/tsc-faq.adoc +++ b/latest/ug/connector/tsc-faq.adoc @@ -21,3 +21,6 @@ A: The Amazon EKS Connector sends technical information that's necessary for you .Q: Can I connect a cluster outside of an {aws} Region? A: Yes, you can connect a cluster from any location to Amazon EKS. Moreover, your Amazon EKS service can be located in any {aws} public commercial {aws} Region. This works with a valid network connection from your cluster to the target {aws} Region. We recommend that you pick an {aws} Region that is closest to your cluster location for UI performance optimization. For example, if you have a cluster running in Tokyo, connect your cluster to the {aws} Region in Tokyo (that is, the `ap-northeast-1` {aws} Region) for low latency. You can connect a cluster from any location to Amazon EKS in any of the public commercial {aws} Regions, except the China or GovCloud {aws} Regions. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[tsc-faq,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/contribute/contribute.adoc b/latest/ug/contribute/contribute.adoc index 846e726c0..050561ad0 100644 --- a/latest/ug/contribute/contribute.adoc +++ b/latest/ug/contribute/contribute.adoc @@ -41,3 +41,4 @@ include::asciidoc-syntax.adoc[leveloffset=+1] //include::pr-status.adoc[leveloffset=+1] +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[contribute,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index d57dce6a3..718d86787 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -1892,3 +1892,6 @@ Initial documentation for service launch [.update-history] |=== |=== + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[doc-history,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/getting-started/getting-started-automode.adoc b/latest/ug/getting-started/getting-started-automode.adoc index 5b2709cbb..71b730f0c 100644 --- a/latest/ug/getting-started/getting-started-automode.adoc +++ b/latest/ug/getting-started/getting-started-automode.adoc @@ -24,3 +24,6 @@ that include setting up components to: * Choose default settings that determine things like the size and speed of node storage and Pod network configuration. For details on what you get with EKS Auto Mode clusters, see <>. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[getting-started-automode,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/getting-started/getting-started-console.adoc b/latest/ug/getting-started/getting-started-console.adoc index a0810064e..7485c74a0 100644 --- a/latest/ug/getting-started/getting-started-console.adoc +++ b/latest/ug/getting-started/getting-started-console.adoc @@ -286,3 +286,6 @@ The following documentation topics help you to extend the functionality of your * Deploy a <> to your cluster. * Before deploying a cluster for production use, we recommend familiarizing yourself with all of the settings for <> and <>. Some settings (such as enabling SSH access to Amazon EC2 nodes) must be made when the cluster is created. * To increase security for your cluster, <>. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[getting-started-console,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/getting-started/getting-started-eksctl.adoc b/latest/ug/getting-started/getting-started-eksctl.adoc index 5da9ce6e5..79b252fc0 100644 --- a/latest/ug/getting-started/getting-started-eksctl.adoc +++ b/latest/ug/getting-started/getting-started-eksctl.adoc @@ -171,3 +171,6 @@ The following documentation topics help you to extend the functionality of your * The link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that created the cluster is the only principal that can make calls to the [.noloc]`Kubernetes` API server with `kubectl` or the {aws-management-console}. If you want other IAM principals to have access to your cluster, then you need to add them. For more information, see <> and <>. * Before deploying a cluster for production use, we recommend familiarizing yourself with all of the settings for <> and <>. Some settings (such as enabling SSH access to Amazon EC2 nodes) must be made when the cluster is created. * To increase security for your cluster, <>. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[getting-started-eksctl,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/getting-started/getting-started.adoc b/latest/ug/getting-started/getting-started.adoc index b0c416492..4280ca59c 100644 --- a/latest/ug/getting-started/getting-started.adoc +++ b/latest/ug/getting-started/getting-started.adoc @@ -40,3 +40,6 @@ include::getting-started-automode.adoc[leveloffset=+1] include::getting-started-eksctl.adoc[leveloffset=+1] include::getting-started-console.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[getting-started,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/getting-started/install-awscli.adoc b/latest/ug/getting-started/install-awscli.adoc index 8d1798eae..4e2f8317c 100644 --- a/latest/ug/getting-started/install-awscli.adoc +++ b/latest/ug/getting-started/install-awscli.adoc @@ -107,3 +107,6 @@ This command returns the Amazon Resource Name (ARN) of the IAM entity that's con * <> * <> + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[install-awscli,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/getting-started/install-kubectl.adoc b/latest/ug/getting-started/install-kubectl.adoc index 54012ad22..697b03816 100644 --- a/latest/ug/getting-started/install-kubectl.adoc +++ b/latest/ug/getting-started/install-kubectl.adoc @@ -806,3 +806,6 @@ aws sts get-caller-identity == Next steps * <> + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[install-kubectl,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/getting-started/learn-eks.adoc b/latest/ug/getting-started/learn-eks.adoc index 66e58c097..ef557a893 100644 --- a/latest/ug/getting-started/learn-eks.adoc +++ b/latest/ug/getting-started/learn-eks.adoc @@ -152,3 +152,6 @@ While `eksctl` is a simple tool for creating a cluster, for more complex infrast * GitOps automation tools * Monitoring tools * Techniques for improving cost, efficiency, and resiliency + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[learn-eks,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/getting-started/setting-up.adoc b/latest/ug/getting-started/setting-up.adoc index 371c239b5..d28596e13 100644 --- a/latest/ug/getting-started/setting-up.adoc +++ b/latest/ug/getting-started/setting-up.adoc @@ -42,3 +42,6 @@ include::install-awscli.adoc[leveloffset=+1] include::install-kubectl.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[setting-up,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/integrations/creating-resources-with-cloudformation.adoc b/latest/ug/integrations/creating-resources-with-cloudformation.adoc index 8e5935bc1..efa8ea20c 100644 --- a/latest/ug/integrations/creating-resources-with-cloudformation.adoc +++ b/latest/ug/integrations/creating-resources-with-cloudformation.adoc @@ -30,3 +30,6 @@ To learn more about {aws} CloudFormation, see the following resources: * link:cloudformation/[{aws} CloudFormation,type="marketing"] * link:AWSCloudFormation/latest/UserGuide/Welcome.html[{aws} CloudFormation User Guide,type="documentation"] * link:cloudformation-cli/latest/userguide/what-is-cloudformation-cli.html[{aws} CloudFormation Command Line Interface User Guide,type="documentation"] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[creating-resources-with-cloudformation,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/integrations/eks-integrations.adoc b/latest/ug/integrations/eks-integrations.adoc index b27eabfff..5a0e5f1f1 100644 --- a/latest/ug/integrations/eks-integrations.adoc +++ b/latest/ug/integrations/eks-integrations.adoc @@ -29,3 +29,6 @@ include::integration-securitylake.adoc[leveloffset=+1] include::integration-vpc-lattice.adoc[leveloffset=+1] include::local-zones.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-integrations,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/integrations/integration-detective.adoc b/latest/ug/integrations/integration-detective.adoc index 08cb2b86d..75f0e08fd 100644 --- a/latest/ug/integrations/integration-detective.adoc +++ b/latest/ug/integrations/integration-detective.adoc @@ -33,3 +33,6 @@ Before you can review findings, Detective must be enabled for at least 48 hours . Select *Choose type* and then select *EKS cluster*. . Enter the cluster name or ARN and then choose *Search*. . In the search results, choose the name of the cluster that you want to view activity for. For more information about what you can view, see link:detective/latest/userguide/profile-panel-drilldown-kubernetes-api-volume.html[Overall Kubernetes API activity involving an Amazon EKS cluster,type="documentation"] in the _Amazon Detective User Guide_. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[integration-detective,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/integrations/integration-guardduty.adoc b/latest/ug/integrations/integration-guardduty.adoc index 285f3230a..d39ba58f8 100644 --- a/latest/ug/integrations/integration-guardduty.adoc +++ b/latest/ug/integrations/integration-guardduty.adoc @@ -32,3 +32,6 @@ When you enable _Runtime Monitoring_ and install the GuardDuty agent in your Ama To configure _Runtime Monitoring_, you install the GuardDuty agent to your cluster as an _Amazon EKS add-on_. For more information the add-on, see <>. + For more information, see link:guardduty/latest/ug/runtime-monitoring.html[Runtime Monitoring,type="documentation"] in the Amazon GuardDuty User Guide. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[integration-guardduty,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/integrations/integration-resilience-hub.adoc b/latest/ug/integrations/integration-resilience-hub.adoc index 0a72cceea..bd80255c6 100644 --- a/latest/ug/integrations/integration-resilience-hub.adoc +++ b/latest/ug/integrations/integration-resilience-hub.adoc @@ -6,3 +6,6 @@ include::../attributes.txt[] :info_titleabbrev: {aws} Resilience Hub {aws} Resilience Hub assesses the resiliency of an Amazon EKS cluster by analyzing its infrastructure. {aws} Resilience Hub uses the [.noloc]`Kubernetes` role-based access control (RBAC) configuration to assess the [.noloc]`Kubernetes` workloads deployed to your cluster. For more information, see link:resilience-hub/latest/userguide/enabling-eks-in-arh.html[Enabling {aws} Resilience Hub access to your Amazon EKS cluster,type="documentation"] in the {aws} Resilience Hub User Guide. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[integration-resilience-hub,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/integrations/integration-securitylake.adoc b/latest/ug/integrations/integration-securitylake.adoc index 6a9e565dc..125d81b86 100644 --- a/latest/ug/integrations/integration-securitylake.adoc +++ b/latest/ug/integrations/integration-securitylake.adoc @@ -46,3 +46,6 @@ For more information about using Security Lake with Amazon EKS and setting up da Security Lake normalizes EKS log events to the OCSF format, making it easier to analyze and correlate the data with other security events. You can use various tools and services, such as Amazon Athena, Amazon QuickSight, or third-party security analytics tools, to query and visualize the normalized data. For more information about the OCSF mapping for EKS log events, refer to the https://github.com/ocsf/examples/tree/main/mappings/markdown/{aws}/v1.1.0/EKS Audit Logs[mapping reference] in the OCSF GitHub repository. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[integration-securitylake,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/integrations/integration-vpc-lattice.adoc b/latest/ug/integrations/integration-vpc-lattice.adoc index f8afb6d82..375f16bdf 100644 --- a/latest/ug/integrations/integration-vpc-lattice.adoc +++ b/latest/ug/integrations/integration-vpc-lattice.adoc @@ -6,3 +6,6 @@ include::../attributes.txt[] Amazon VPC Lattice is a fully managed application networking service built directly into the {aws} networking infrastructure that you can use to connect, secure, and monitor your services across multiple accounts and Virtual Private Clouds (VPCs). With Amazon EKS, you can leverage Amazon VPC Lattice through the use of the {aws} Gateway API Controller, an implementation of the Kubernetes https://gateway-api.sigs.k8s.io/[Gateway API]. Using Amazon VPC Lattice, you can set up cross-cluster connectivity with standard [.noloc]`Kubernetes` semantics in a simple and consistent manner. To get started using Amazon VPC Lattice with Amazon EKS see the https://www.gateway-api-controller.eks.aws.dev/[{aws} Gateway API Controller User Guide]. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[integration-vpc-lattice,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/integrations/local-zones.adoc b/latest/ug/integrations/local-zones.adoc index 3162b46d6..371b0a62a 100644 --- a/latest/ug/integrations/local-zones.adoc +++ b/latest/ug/integrations/local-zones.adoc @@ -13,3 +13,6 @@ Amazon EKS supports certain resources in Local Zones. This includes <>. * Unlike regional subnets, Amazon EKS can't place network interfaces into your Local Zone subnets. This means that you must not specify Local Zone subnets when you create your cluster. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[local-zones,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/associate-service-account-role.adoc b/latest/ug/manage-access/aws-access/associate-service-account-role.adoc index 844c693a7..ede3a4b08 100644 --- a/latest/ug/manage-access/aws-access/associate-service-account-role.adoc +++ b/latest/ug/manage-access/aws-access/associate-service-account-role.adoc @@ -276,4 +276,7 @@ Tokens: my-service-account-token-qqjfl == Next steps -* <> \ No newline at end of file +* <> + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[associate-service-account-role,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc b/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc index 4fdc874a2..b2dd04ea9 100644 --- a/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc +++ b/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc @@ -150,3 +150,6 @@ An example output is as follows. ---- AWS_STS_REGIONAL_ENDPOINTS=regional ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[configure-sts-endpoint,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/cross-account-access.adoc b/latest/ug/manage-access/aws-access/cross-account-access.adoc index 93c730e2d..4564c02c2 100644 --- a/latest/ug/manage-access/aws-access/cross-account-access.adoc +++ b/latest/ug/manage-access/aws-access/cross-account-access.adoc @@ -107,4 +107,7 @@ role_arn={arn-aws}iam::111122223333:role/account-a-role To specify chained profiles for other {aws} SDKs, consult the documentation for the SDK that you're using. For more information, see link:developer/tools/[Tools to Build on {aws},type="marketing"]. -==== \ No newline at end of file +==== + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cross-account-access,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc b/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc index 5bc9a4b03..f6aef9a4a 100644 --- a/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc @@ -82,4 +82,7 @@ To complete this step, you can run the command outside the VPC, for example in { Next step: -<> \ No newline at end of file +<> + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[enable-iam-roles-for-service-accounts,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc index 16de6aa3a..a52b10c52 100644 --- a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc +++ b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc @@ -30,3 +30,6 @@ When using <>, th Many popular [.noloc]`Kubernetes` add-ons, such as the https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler[Cluster Autoscaler], the <>, and the <> support IAM roles for service accounts. To ensure that you're using a supported SDK, follow the installation instructions for your preferred SDK at link:tools/[Tools to Build on {aws},type="marketing"] when you build your containers. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[iam-roles-for-service-accounts-minimum-sdk,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc index 0b2118710..0153d5498 100644 --- a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc @@ -68,3 +68,6 @@ include::cross-account-access.adoc[leveloffset=+1] include::iam-roles-for-service-accounts-minimum-sdk.adoc[leveloffset=+1] include::irsa-fetch-keys.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[iam-roles-for-service-accounts,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc b/latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc index a0f5229c8..0c73e0f11 100644 --- a/latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc +++ b/latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc @@ -39,3 +39,6 @@ IMPORTANT: Amazon EKS rotates the [.noloc]`OIDC` signing key every seven days. $ curl https://oidc.eks.us-west-2.amazonaws.com/id/8EBDXXXX00BAE/keys {"keys":[{"kty":"RSA","kid":"2284XXXX4a40","use":"sig","alg":"RS256","n":"wklbXXXXMVfQ","e":"AQAB"}]} ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[irsa-fetch-keys,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-configuration.adoc b/latest/ug/manage-access/aws-access/pod-configuration.adoc index a49aa9e17..4547fb678 100644 --- a/latest/ug/manage-access/aws-access/pod-configuration.adoc +++ b/latest/ug/manage-access/aws-access/pod-configuration.adoc @@ -124,4 +124,7 @@ An example output is as follows. ---- Service Account: my-service-account ---- -.. If your [.noloc]`Pods` still can't access services, review the <> that are described in <> to confirm that your role and service account are configured properly. \ No newline at end of file +.. If your [.noloc]`Pods` still can't access services, review the <> that are described in <> to confirm that your role and service account are configured properly. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[pod-configuration,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-id-abac.adoc b/latest/ug/manage-access/aws-access/pod-id-abac.adoc index 9938fa445..8566e691a 100644 --- a/latest/ug/manage-access/aws-access/pod-id-abac.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-abac.adoc @@ -81,4 +81,7 @@ Tags added to the session through the `sts:AssumeRole` request take precedence i In this case, the former takes precedence and the value for the `eks-cluster-name` tag will be `my-cluster`. -==== \ No newline at end of file +==== + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[pod-id-abac,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc b/latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc index c1382cee7..a252470eb 100644 --- a/latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc @@ -82,4 +82,7 @@ status -- Show the status of the rollout undo -- Undo a previous rollout ---- + -If the rollout takes too long, Amazon EKS will undo the rollout, and a message with the type of *Addon Update* and a status of *Failed* will be added to the *Update history* of the add-on. To investigate any issues, start from the history of the rollout, and run `kubectl logs` on a EKS Pod Identity Agent pod to see the logs of EKS Pod Identity Agent. \ No newline at end of file +If the rollout takes too long, Amazon EKS will undo the rollout, and a message with the type of *Addon Update* and a status of *Failed* will be added to the *Update history* of the add-on. To investigate any issues, start from the history of the rollout, and run `kubectl logs` on a EKS Pod Identity Agent pod to see the logs of EKS Pod Identity Agent. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[pod-id-agent-config-ipv6,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc b/latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc index 3115e2024..c26ddb237 100644 --- a/latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc @@ -113,3 +113,6 @@ eks-pod-identity-agent-prnsh 1/1 Ru ---- + You can now use EKS Pod Identity associations in your cluster. For more information, see <>. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[pod-id-agent-setup,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-id-association.adoc b/latest/ug/manage-access/aws-access/pod-id-association.adoc index 0a0dc4274..ba98e8b78 100644 --- a/latest/ug/manage-access/aws-access/pod-id-association.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-association.adoc @@ -286,3 +286,6 @@ If you created the example policy in a previous step, then your output is the sa == Next Steps <> + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[pod-id-association,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc b/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc index 69c132390..264676a69 100644 --- a/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc @@ -93,4 +93,7 @@ An example output is as follows. [source,bash,subs="verbatim,attributes"] ---- Service Account: my-service-account ----- \ No newline at end of file +---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[pod-id-configure-pods,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc b/latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc index 805ebea06..04d906c12 100644 --- a/latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc @@ -56,4 +56,7 @@ In contrast, _IAM roles for service accounts_ provides a _web identity_ token th . You use the SDK in your application without specifying a credential provider to use the default credential chain. Or, you specify the container credential provider. For more information about the default locations used, see the link:sdkref/latest/guide/standardized-credentials.html#credentialProviderChain[Credential provider chain,type="documentation"] in the {aws} SDKs and Tools Reference Guide. . The SDK uses the environment variables to connect to the EKS Pod Identity Agent and retrieve the credentials. + -NOTE: If your workloads currently use credentials that are earlier in the chain of credentials, those credentials will continue to be used even if you configure an EKS Pod Identity association for the same workload. \ No newline at end of file +NOTE: If your workloads currently use credentials that are earlier in the chain of credentials, those credentials will continue to be used even if you configure an EKS Pod Identity association for the same workload. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[pod-id-how-it-works,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc b/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc index 8200a51bd..399e67255 100644 --- a/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc @@ -39,3 +39,6 @@ When using <>. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[pod-id-minimum-sdk,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-id-role.adoc b/latest/ug/manage-access/aws-access/pod-id-role.adoc index 1939440a1..7d79b435a 100644 --- a/latest/ug/manage-access/aws-access/pod-id-role.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-role.adoc @@ -42,3 +42,4 @@ You can use these tags in the _condition keys_ in the trust policy to restrict w For a list of Amazon EKS condition keys, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-policy-keys[Conditions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the _Service Authorization Reference_. To learn which actions and resources you can use a condition key with, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"]. +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[pod-id-role,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-identities.adoc b/latest/ug/manage-access/aws-access/pod-identities.adoc index 8aa2dc94c..8df3f8d87 100644 --- a/latest/ug/manage-access/aws-access/pod-identities.adoc +++ b/latest/ug/manage-access/aws-access/pod-identities.adoc @@ -145,3 +145,5 @@ You can't use EKS Pod Identities with: * Pods that run anywhere except Linux Amazon EC2 instances. Linux and Windows pods that run on {aws} Fargate (Fargate) aren't supported. Pods that run on Windows Amazon EC2 instances aren't supported. + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[pod-identities,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/service-accounts.adoc b/latest/ug/manage-access/aws-access/service-accounts.adoc index b7b3098ff..52d34add9 100644 --- a/latest/ug/manage-access/aws-access/service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/service-accounts.adoc @@ -123,3 +123,4 @@ At a high level, both EKS Pod Identity and IRSA enables you to grant IAM permiss |=== +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[service-accounts,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/cluster-auth.adoc b/latest/ug/manage-access/cluster-auth.adoc index 2abc65074..97a083418 100644 --- a/latest/ug/manage-access/cluster-auth.adoc +++ b/latest/ug/manage-access/cluster-auth.adoc @@ -76,3 +76,6 @@ include::create-kubeconfig.adoc[leveloffset=+1] include::aws-access/service-accounts.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cluster-auth,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/create-kubeconfig.adoc b/latest/ug/manage-access/create-kubeconfig.adoc index 90195c259..096d38732 100644 --- a/latest/ug/manage-access/create-kubeconfig.adoc +++ b/latest/ug/manage-access/create-kubeconfig.adoc @@ -60,3 +60,6 @@ svc/kubernetes ClusterIP 10.100.0.1 443/TCP 1m ---- + If you receive any authorization or resource type errors, see <> in the troubleshooting topic. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[create-kubeconfig,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/access-entries.adoc b/latest/ug/manage-access/k8s-access/access-entries.adoc index f60de6451..a01e308a4 100644 --- a/latest/ug/manage-access/k8s-access/access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/access-entries.adoc @@ -65,3 +65,5 @@ include::updating-access-entries.adoc[leveloffset=+1] include::deleting-access-entries.adoc[leveloffset=+1] + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[access-entries,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/access-policies.adoc b/latest/ug/manage-access/k8s-access/access-policies.adoc index 6be46b093..3fe19b35e 100644 --- a/latest/ug/manage-access/k8s-access/access-policies.adoc +++ b/latest/ug/manage-access/k8s-access/access-policies.adoc @@ -151,4 +151,7 @@ aws eks disassociate-access-policy --cluster-name my-cluster --principal-arn {ar --policy-arn {arn-aws}eks::aws:cluster-access-policy/AmazonEKSAdminPolicy ---- -To list available access policies, see <>. \ No newline at end of file +To list available access policies, see <>. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[access-policies,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/access-policy-reference.adoc b/latest/ug/manage-access/k8s-access/access-policy-reference.adoc index b7011f458..6e5967804 100644 --- a/latest/ug/manage-access/k8s-access/access-policy-reference.adoc +++ b/latest/ug/manage-access/k8s-access/access-policy-reference.adoc @@ -581,3 +581,6 @@ View details about updates to access policies, since they were introduced. For a |Amazon EKS introduced access policies. |May 29, 2023 |=== + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[access-policy-permissions,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/auth-configmap.adoc b/latest/ug/manage-access/k8s-access/auth-configmap.adoc index c79464cbe..54ba41c54 100644 --- a/latest/ug/manage-access/k8s-access/auth-configmap.adoc +++ b/latest/ug/manage-access/k8s-access/auth-configmap.adoc @@ -367,3 +367,6 @@ kubectl get nodes --watch ---- + Enter `Ctrl`+``C`` to return to a shell prompt. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auth-configmap,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc b/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc index 8ed885575..41c2fb81e 100644 --- a/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc +++ b/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc @@ -188,4 +188,7 @@ Amazon EKS maintains relationships with a network of partners that offer support |=== Amazon EKS aims to give you a wide selection of options to cover all use cases. If you develop a commercially supported [.noloc]`OIDC` compatible identity provider that is not listed here, then contact our partner team at link:mailto:aws-container-partners@amazon.com[aws-container-partners@amazon. -com] for more information. \ No newline at end of file +com] for more information. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[authenticate-oidc-identity-provider,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/creating-access-entries.adoc b/latest/ug/manage-access/k8s-access/creating-access-entries.adoc index 5bdd8b810..21e2b01ae 100644 --- a/latest/ug/manage-access/k8s-access/creating-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/creating-access-entries.adoc @@ -128,3 +128,4 @@ aws eks create-access-entry --cluster-name my-cluster --principal-arn {arn-aws}i If you want this user to have more access to your cluster than the permissions in the [.noloc]`Kubernetes` API discovery roles, then you need to associate an access policy to the access entry, since the `--kubernetes-groups` option isn't used. For more information, see <> and https://kubernetes.io/docs/reference/access-authn-authz/rbac/#discovery-roles[API discovery roles] in the [.noloc]`Kubernetes` documentation. +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[creating-access-entries,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/deleting-access-entries.adoc b/latest/ug/manage-access/k8s-access/deleting-access-entries.adoc index 1f7f83338..c3f20a4b8 100644 --- a/latest/ug/manage-access/k8s-access/deleting-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/deleting-access-entries.adoc @@ -29,3 +29,5 @@ Replace [.replaceable]`my-cluster` with the name of your cluster, [.replaceable] aws eks delete-access-entry --cluster-name my-cluster --principal-arn {arn-aws}iam::111122223333:role/my-role ---- + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[deleting-access-entries,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc b/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc index 6ff308d23..7e14ece6f 100644 --- a/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc +++ b/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc @@ -8,4 +8,7 @@ include::../../attributes.txt[] If you disassociate an [.noloc]`OIDC` identity provider from your cluster, users included in the provider can no longer access the cluster. However, you can still access the cluster with link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"]. . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. -. In the *[.noloc]`OIDC` Identity Providers* section, select *Disassociate*, enter the identity provider name, and then select `Disassociate`. \ No newline at end of file +. In the *[.noloc]`OIDC` Identity Providers* section, select *Disassociate*, enter the identity provider name, and then select `Disassociate`. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[disassociate-oidc-identity-provider,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc b/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc index 0ee2f8c84..6486e65a0 100644 --- a/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc +++ b/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc @@ -111,3 +111,6 @@ include::authenticate-oidc-identity-provider.adoc[leveloffset=+1] include::disassociate-oidc-identity-provider.adoc[leveloffset=+1] //include::access-policy-reference.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[grant-k8s-access,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc b/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc index 26c5f0d13..37292d45f 100644 --- a/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc @@ -53,4 +53,7 @@ ARN [source,bash,subs="verbatim,attributes"] ---- eksctl delete iamidentitymapping --arn {arn-aws}iam::111122223333:role/EKS-my-cluster-my-namespace-Viewers --cluster my-cluster ----- \ No newline at end of file +---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[migrating-access-entries,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc b/latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc index efc80a0c1..96917975f 100644 --- a/latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc @@ -72,3 +72,4 @@ To use _access entries_, the cluster must have a platform version that is the sa For more information, see <>. +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[setting-up-access-entries,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/updating-access-entries.adoc b/latest/ug/manage-access/k8s-access/updating-access-entries.adoc index 1cf451fe8..211e221af 100644 --- a/latest/ug/manage-access/k8s-access/updating-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/updating-access-entries.adoc @@ -34,3 +34,4 @@ aws eks update-access-entry --cluster-name my-cluster --principal-arn {arn-aws}i You can't use the `--kubernetes-groups` option if the type of the access entry is a value other than `STANDARD`. You also can't associate an access policy to an access entry with a type other than `STANDARD`. +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[updating-access-entries,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/view-kubernetes-resources.adoc b/latest/ug/manage-access/view-kubernetes-resources.adoc index b89c7d525..b7cdda0ff 100644 --- a/latest/ug/manage-access/view-kubernetes-resources.adoc +++ b/latest/ug/manage-access/view-kubernetes-resources.adoc @@ -230,3 +230,6 @@ mapUsers: | + IMPORTANT: The role ARN can't include a path such as `role/my-team/developers/my-console-viewer-role`. The format of the ARN must be `{arn-aws}iam::[.replaceable]``111122223333``:role/[.replaceable]``my-console-viewer-role```. In this example, `my-team/developers/` needs to be removed. . Save the file and exit your text editor. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[view-kubernetes-resources,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/ml/capacity-blocks-mng.adoc b/latest/ug/ml/capacity-blocks-mng.adoc index f0b5f43e5..b2f14776d 100644 --- a/latest/ug/ml/capacity-blocks-mng.adoc +++ b/latest/ug/ml/capacity-blocks-mng.adoc @@ -87,3 +87,6 @@ aws eks create-nodegroup \ . In order for your [.noloc]`Pods` to be gracefully drained before reservation ends, Amazon EKS uses a scheduled scaling policy to scale down the node group size to `0` . This scheduled scaling will be set with name titled `Amazon EKS Node Group Capacity Scaledown Before Reservation End` . We recommend not editing or deleting this action. + Amazon EC2 starts shutting down the instances 30 minutes before reservation end time. As a result, Amazon EKS will setup a scheduled scale down on the node group 40 minutes prior to their reservation end in order to safely and gracefully evict [.noloc]`Pods`. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[capacity-blocks-mng,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/ml/capacity-blocks.adoc b/latest/ug/ml/capacity-blocks.adoc index 0cd52c60c..fbfc813ae 100644 --- a/latest/ug/ml/capacity-blocks.adoc +++ b/latest/ug/ml/capacity-blocks.adoc @@ -101,3 +101,6 @@ If you want to instead scale up manually whenever the capacity reservation becom . In order for your [.noloc]`Pods` to be gracefully drained, we recommend that you set up {aws} Node Termination Handler. This handler will be able to watch for "ASG Scale-in" lifecycle events from Amazon EC2 Auto Scaling using EventBridge and allow the [.noloc]`Kubernetes` control plane to take required action before the instance becomes unavailable. Otherwise, your [.noloc]`Pods` and [.noloc]`Kubernetes` objects will get stuck in a pending state. For more information, see https://github.com/aws/aws-node-termination-handler[{aws} Node Termination Handler] on GitHub. + If you don't setup a Node Termination Handler, we recommend that you start draining your [.noloc]`Pods` manually before hitting the 30 minute window so that they have enough time to be gracefully drained. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[capacity-blocks,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/ml/inferentia-support.adoc b/latest/ug/ml/inferentia-support.adoc index b59bdfabf..21f1d2c14 100644 --- a/latest/ug/ml/inferentia-support.adoc +++ b/latest/ug/ml/inferentia-support.adoc @@ -245,3 +245,6 @@ An example output is as follows. ---- [[(u'n02123045', u'tabby', 0.68817204), (u'n02127052', u'lynx', 0.12701613), (u'n02123159', u'tiger_cat', 0.08736559), (u'n02124075', u'Egyptian_cat', 0.063844085), (u'n02128757', u'snow_leopard', 0.009240591)]] ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[inferentia-support,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/ml/machine-learning-on-eks.adoc b/latest/ug/ml/machine-learning-on-eks.adoc index 7e9939db9..adc39af0c 100644 --- a/latest/ug/ml/machine-learning-on-eks.adoc +++ b/latest/ug/ml/machine-learning-on-eks.adoc @@ -63,3 +63,6 @@ include::ml-get-started.adoc[leveloffset=+1] include::ml-prepare-for-cluster.adoc[leveloffset=+1] include::ml-tutorials.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[machine-learning-on-eks,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/ml/ml-eks-optimized-ami.adoc b/latest/ug/ml/ml-eks-optimized-ami.adoc index 26986e44a..cc801ec8d 100644 --- a/latest/ug/ml/ml-eks-optimized-ami.adoc +++ b/latest/ug/ml/ml-eks-optimized-ami.adoc @@ -82,3 +82,6 @@ Mon Aug 6 20:23:31 20XX | No running processes found | +-----------------------------------------------------------------------------+ ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[ml-eks-optimized-ami,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/ml/ml-eks-windows-optimized-ami.adoc b/latest/ug/ml/ml-eks-windows-optimized-ami.adoc index b8150c8b8..d19df2337 100644 --- a/latest/ug/ml/ml-eks-windows-optimized-ami.adoc +++ b/latest/ug/ml/ml-eks-windows-optimized-ami.adoc @@ -220,3 +220,6 @@ There is no EKS Windows GPU Optimized AMI or EC2 Image Builder managed component [[ml-eks-windows-ami-inferentia-tranium-support,ml-eks-windows-ami-inferentia-tranium-support.title]] === Inferentia and Trainium not supported {aws} link:ai/machine-learning/inferentia/[Inferentia,type="marketing"] and {aws} link:ai/machine-learning/trainium/[Trainium,type="marketing"] based workloads are not supported on Windows. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[ml-eks-windows-optimized-ami,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/ml/ml-get-started.adoc b/latest/ug/ml/ml-get-started.adoc index 3bf119c39..d0e353ffe 100644 --- a/latest/ug/ml/ml-get-started.adoc +++ b/latest/ug/ml/ml-get-started.adoc @@ -43,3 +43,6 @@ Along with choosing from the blueprints described on this page, there are other To improve your work with ML on EKS, refer to the following: * *Prepare for ML* – Learn how to prepare for ML on EKS with features like custom AMIs and GPU reservations. See <>. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[ml-get-started,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/ml/ml-prepare-for-cluster.adoc b/latest/ug/ml/ml-prepare-for-cluster.adoc index 27bfb28a8..59bf1a1cc 100644 --- a/latest/ug/ml/ml-prepare-for-cluster.adoc +++ b/latest/ug/ml/ml-prepare-for-cluster.adoc @@ -40,3 +40,6 @@ include::node-taints-managed-node-groups.adoc[leveloffset=+1] include::node-efa.adoc[leveloffset=+1] include::inferentia-support.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[ml-prepare-for-cluster,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/ml/ml-tutorials.adoc b/latest/ug/ml/ml-tutorials.adoc index bebf0dfd2..31caa222b 100644 --- a/latest/ug/ml/ml-tutorials.adoc +++ b/latest/ug/ml/ml-tutorials.adoc @@ -69,3 +69,6 @@ https://aws.amazon.com/blogs/hpc/deploying-generative-ai-applications-with-nvidi * https://aws.amazon.com/blogs/machine-learning/amazon-ec2-p5e-instances-are-generally-available/[Amazon EC2 P5e instances are generally available] * https://aws.amazon.com/blogs/containers/deploying-managed-p4d-instances-in-amazon-elastic-kubernetes-service/[Deploying managed P4d Instances in Amazon Elastic Kubernetes Service with NVIDIA GPUDirectRDMA] * https://aws.amazon.com/blogs/machine-learning/establishing-an-ai-ml-center-of-excellence/[Establishing an AI/ML center of excellence] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[ml-tutorials,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/ml/node-efa.adoc b/latest/ug/ml/node-efa.adoc index b07aa637c..04ff37b94 100644 --- a/latest/ug/ml/node-efa.adoc +++ b/latest/ug/ml/node-efa.adoc @@ -306,3 +306,6 @@ kubectl logs -f nccl-tests-launcher-nbql9 ---- If the test completed successfully, you can deploy your applications that use the [.noloc]`Nvidia Collective Communication Library`. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[node-efa,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/ml/node-taints-managed-node-groups.adoc b/latest/ug/ml/node-taints-managed-node-groups.adoc index 59a3d5044..a1efbb9ac 100644 --- a/latest/ug/ml/node-taints-managed-node-groups.adoc +++ b/latest/ug/ml/node-taints-managed-node-groups.adoc @@ -63,3 +63,6 @@ For more information and examples of usage, see https://kubernetes.io/docs/refer ==== You can use the link:cli/latest/reference/eks/update-nodegroup-config.html[aws eks update-nodegroup-config,type="documentation"] {aws} CLI command to add, remove, or replace taints for managed node groups. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[node-taints-managed-node-groups,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/alternate-cni-plugins.adoc b/latest/ug/networking/alternate-cni-plugins.adoc index 6831002d2..f4b1c962d 100644 --- a/latest/ug/networking/alternate-cni-plugins.adoc +++ b/latest/ug/networking/alternate-cni-plugins.adoc @@ -56,3 +56,5 @@ If you use [.noloc]`Calico` network policy enforcement, we recommend that you se Amazon EKS Auto Mode does not support alternate CNI plugins or network policy plugins. For more information, see <>. + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[alternate-cni-plugins,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/aws-load-balancer-controller.adoc b/latest/ug/networking/aws-load-balancer-controller.adoc index 0355caad1..50b546c08 100644 --- a/latest/ug/networking/aws-load-balancer-controller.adoc +++ b/latest/ug/networking/aws-load-balancer-controller.adoc @@ -75,3 +75,4 @@ In versions 2.5 and newer, the [.noloc]`{aws} Load Balancer Controller` becomes ==== +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[aws-load-balancer-controller,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/cni-custom-network-tutorial.adoc b/latest/ug/networking/cni-custom-network-tutorial.adoc index d5b450a86..6c8cbfe07 100644 --- a/latest/ug/networking/cni-custom-network-tutorial.adoc +++ b/latest/ug/networking/cni-custom-network-tutorial.adoc @@ -620,3 +620,6 @@ aws ec2 delete-subnet --subnet-id $new_subnet_id_2 ---- aws cloudformation delete-stack --stack-name my-eks-custom-networking-vpc ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cni-custom-network-tutorial,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/cni-custom-network.adoc b/latest/ug/networking/cni-custom-network.adoc index 402010a2e..11f76c7ed 100644 --- a/latest/ug/networking/cni-custom-network.adoc +++ b/latest/ug/networking/cni-custom-network.adoc @@ -33,3 +33,4 @@ The following are considerations for using the feature. * For Fargate, subnets are controlled through the Fargate profile. For more information, see <>. +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cni-custom-network,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/cni-iam-role.adoc b/latest/ug/networking/cni-iam-role.adoc index 13616c593..c9c9633df 100644 --- a/latest/ug/networking/cni-iam-role.adoc +++ b/latest/ug/networking/cni-iam-role.adoc @@ -267,3 +267,4 @@ aws iam create-policy --policy-name AmazonEKS_CNI_IPv6_Policy --policy-document ---- +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cni-iam-role,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc b/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc index 8ce155873..c8cf05838 100644 --- a/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc +++ b/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc @@ -229,3 +229,4 @@ vpc.amazonaws.com/PrivateIPv4Address: 144 In the previous output, `110` is the maximum number of [.noloc]`Pods` that [.noloc]`Kubernetes` will deploy to the node, even though [.replaceable]`144` IP addresses are available. +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cni-increase-ip-addresses-procedure,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/cni-increase-ip-addresses.adoc b/latest/ug/networking/cni-increase-ip-addresses.adoc index 4810a36bf..cc7bc2db1 100644 --- a/latest/ug/networking/cni-increase-ip-addresses.adoc +++ b/latest/ug/networking/cni-increase-ip-addresses.adoc @@ -61,3 +61,4 @@ Consider the following when you use this feature: If you're also using <>, with `POD_SECURITY_GROUP_ENFORCING_MODE`=``strict``, when your `Pods` communicate with endpoints outside of your VPC, the `Pod's` security groups are used. +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cni-increase-ip-addresses,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/cni-ipv6.adoc b/latest/ug/networking/cni-ipv6.adoc index b2f6b4eeb..ef724dfaa 100644 --- a/latest/ug/networking/cni-ipv6.adoc +++ b/latest/ug/networking/cni-ipv6.adoc @@ -73,3 +73,4 @@ aws eks describe-cluster --name my-cluster --query cluster.kubernetesNetworkConf ---- +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cni-ipv6,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/cni-network-policy-configure.adoc b/latest/ug/networking/cni-network-policy-configure.adoc index 997904c71..121f38eb5 100644 --- a/latest/ug/networking/cni-network-policy-configure.adoc +++ b/latest/ug/networking/cni-network-policy-configure.adoc @@ -311,3 +311,5 @@ To implement [.noloc]`Kubernetes` network policies you create [.noloc]`Kubernete Enforcement of [.noloc]`Kubernetes` `NetworkPolicy` objects is implemented using the [.noloc]`Extended Berkeley Packet Filter` ([.noloc]`eBPF`). Relative to `iptables` based implementations, it offers lower latency and performance characteristics, including reduced CPU utilization and avoiding sequential lookups. Additionally, [.noloc]`eBPF` probes provide access to context rich data that helps debug complex kernel level issues and improve observability. Amazon EKS supports an [.noloc]`eBPF`-based exporter that leverages the probes to log policy results on each node and export the data to external log collectors to aid in debugging. For more information, see the https://ebpf.io/what-is-ebpf/#what-is-ebpf[eBPF documentation]. + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cni-network-policy-configure,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/cni-network-policy.adoc b/latest/ug/networking/cni-network-policy.adoc index e2c119228..429fa01ab 100644 --- a/latest/ug/networking/cni-network-policy.adoc +++ b/latest/ug/networking/cni-network-policy.adoc @@ -62,3 +62,6 @@ Pods that use _IAM roles for service accounts_ or _EKS Pod Identity_ don't acces + ** `IPv6` pods with the `ENABLE_V4_EGRESS` variable set to `true`. This variable enables the `IPv4` egress feature to connect the IPv6 pods to `IPv4` endpoints such as those outside the cluster. The `IPv4` egress feature works by creating an additional network interface with a local loopback IPv4 address. ** When using chained network plugins such as [.noloc]`Multus`. Because these plugins add network interfaces to each pod, network policies aren't applied to the chained network plugins. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cni-network-policy,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/coredns-add-on-create.adoc b/latest/ug/networking/coredns-add-on-create.adoc index c26b54c9e..ebf7a58c7 100644 --- a/latest/ug/networking/coredns-add-on-create.adoc +++ b/latest/ug/networking/coredns-add-on-create.adoc @@ -63,3 +63,4 @@ v1.11.3-eksbuild.1 . If you made custom settings to your original add-on, before you created the Amazon EKS add-on, use the configuration that you saved in a previous step to update the Amazon EKS add-on with your custom settings. For instructions to update the add-on, see <>. +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[coredns-add-on-create,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/coredns-add-on-self-managed-update.adoc b/latest/ug/networking/coredns-add-on-self-managed-update.adoc index 5f28b44dc..6577bf9dd 100644 --- a/latest/ug/networking/coredns-add-on-self-managed-update.adoc +++ b/latest/ug/networking/coredns-add-on-self-managed-update.adoc @@ -129,3 +129,4 @@ v1.11.3-eksbuild.1 ---- +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[coredns-add-on-self-managed-update,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/coredns-add-on-update.adoc b/latest/ug/networking/coredns-add-on-update.adoc index d5db97ba4..d7e29eb2b 100644 --- a/latest/ug/networking/coredns-add-on-update.adoc +++ b/latest/ug/networking/coredns-add-on-update.adoc @@ -76,3 +76,4 @@ An example output is as follows. ---- +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[coredns-add-on-update,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/coredns-autoscaling.adoc b/latest/ug/networking/coredns-autoscaling.adoc index a4a1f234d..375d40318 100644 --- a/latest/ug/networking/coredns-autoscaling.adoc +++ b/latest/ug/networking/coredns-autoscaling.adoc @@ -273,3 +273,5 @@ If you see this line: `"status": "ACTIVE"`, then the rollout has completed and t ==== + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[coredns-autoscaling,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/coredns-metrics.adoc b/latest/ug/networking/coredns-metrics.adoc index 55b734716..9a05e9f96 100644 --- a/latest/ug/networking/coredns-metrics.adoc +++ b/latest/ug/networking/coredns-metrics.adoc @@ -14,3 +14,5 @@ Learn how to collect [.noloc]`CoreDNS` metrics in Amazon EKS using Prometheus or For an example _scrape configuration_ that is compatible with both Prometheus and the CloudWatch agent, see link:AmazonCloudWatch/latest/monitoring/ContainerInsights-Prometheus-Setup-configure.html[CloudWatch agent configuration for Prometheus,type="documentation"] in the _Amazon CloudWatch User Guide_. + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[coredns-metrics,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/creating-a-vpc.adoc b/latest/ug/networking/creating-a-vpc.adoc index 6826ccae6..401685391 100644 --- a/latest/ug/networking/creating-a-vpc.adoc +++ b/latest/ug/networking/creating-a-vpc.adoc @@ -123,3 +123,6 @@ https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2020-10-29/amazon-e .. Record the *VpcId* for the VPC that was created. You need this when you create your cluster and nodes. .. Record the *SubnetIds* for the subnets that were created. You need at least two of these when you create your cluster and nodes. .. (Optional) Any cluster that you deploy to this VPC can assign private `IPv4` addresses to your [.noloc]`Pods` and [.noloc]`services`. If you want deploy clusters to this VPC to assign private `IPv6` addresses to your [.noloc]`Pods` and [.noloc]`services`, make updates to your VPC, subnet, route tables, and security groups. For more information, see link:vpc/latest/userguide/vpc-migrate-ipv6.html[Migrate existing VPCs from IPv4 to IPv6,type="documentation"] in the Amazon VPC User Guide. Amazon EKS requires that your subnets have the `Auto-assign IPv6` addresses option enabled (it's disabled by default). + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[creating-a-vpc,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/deploy-ipv6-cluster.adoc b/latest/ug/networking/deploy-ipv6-cluster.adoc index 2fc549e7c..8ee10d2f4 100644 --- a/latest/ug/networking/deploy-ipv6-cluster.adoc +++ b/latest/ug/networking/deploy-ipv6-cluster.adoc @@ -504,3 +504,4 @@ aws cloudformation delete-stack --region $region_code --stack-name $vpc_stack_na ---- +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[deploy-ipv6-cluster,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/eks-networking-add-ons.adoc b/latest/ug/networking/eks-networking-add-ons.adoc index a0aa9b838..88180098d 100644 --- a/latest/ug/networking/eks-networking-add-ons.adoc +++ b/latest/ug/networking/eks-networking-add-ons.adoc @@ -57,3 +57,5 @@ This controller lets you connect services across multiple [.noloc]`Kubernetes` c For more information about add-ons, see <>. + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-networking-add-ons,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/eks-networking.adoc b/latest/ug/networking/eks-networking.adoc index ff5a5ed7f..7dd0961af 100644 --- a/latest/ug/networking/eks-networking.adoc +++ b/latest/ug/networking/eks-networking.adoc @@ -29,3 +29,6 @@ Your Amazon EKS cluster is created in a VPC. Pod networking is provided by the A [.topiclist] [[Topic List]] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-networking,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/external-snat.adoc b/latest/ug/networking/external-snat.adoc index 6520151fb..6e279c757 100644 --- a/latest/ug/networking/external-snat.adoc +++ b/latest/ug/networking/external-snat.adoc @@ -51,3 +51,5 @@ The `AWS_VPC_K8S_CNI_EXTERNALSNAT` and `AWS_VPC_K8S_CNI_EXCLUDE_SNAT_CIDRS` CNI {asterisk} If a [.noloc]`Pod's` spec contains `hostNetwork=true` (default is `false`), then its IP address isn't translated to a different address. This is the case for the `kube-proxy` and [.noloc]`Amazon VPC CNI plugin for Kubernetes` [.noloc]`Pods` that run on your cluster, by default. For these [.noloc]`Pods`, the IP address is the same as the node's primary IP address, so the [.noloc]`Pod's` IP address isn't translated. For more information about a [.noloc]`Pod's` `hostNetwork` setting, see https://kubernetes.io/docs/reference/generated/kubernetes-api/v{k8s-n}/#podspec-v1-core[PodSpec v1 core] in the [.noloc]`Kubernetes` API reference. + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[external-snat,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc b/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc index cc72d464d..4cf58e3fa 100644 --- a/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc +++ b/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc @@ -107,3 +107,5 @@ Add the following `Affinity Rule` to the [.noloc]`DaemonSet`spec`` section of th - fargate ---- + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[kube-proxy-add-on-self-managed-update,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/lbc-helm.adoc b/latest/ug/networking/lbc-helm.adoc index e3f264a7f..32bf7abd8 100644 --- a/latest/ug/networking/lbc-helm.adoc +++ b/latest/ug/networking/lbc-helm.adoc @@ -176,3 +176,5 @@ You receive the previous output if you deployed using Helm. If you deployed usin // GDC Must Fix + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[lbc-helm,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/lbc-manifest.adoc b/latest/ug/networking/lbc-manifest.adoc index efddec994..c5cd75e5a 100644 --- a/latest/ug/networking/lbc-manifest.adoc +++ b/latest/ug/networking/lbc-manifest.adoc @@ -350,3 +350,4 @@ You receive the previous output if you deployed using Helm. If you deployed usin . Before using the controller to provision {aws} resources, your cluster must meet specific requirements. For more information, see <> and <>. +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[lbc-manifest,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/lbc-remove.adoc b/latest/ug/networking/lbc-remove.adoc index c0d095553..252d5b5c9 100644 --- a/latest/ug/networking/lbc-remove.adoc +++ b/latest/ug/networking/lbc-remove.adoc @@ -115,3 +115,4 @@ aws iam attach-role-policy \ ---- +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[lbc-remove,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/managing-coredns.adoc b/latest/ug/networking/managing-coredns.adoc index 307f311ac..c3425fbda 100644 --- a/latest/ug/networking/managing-coredns.adoc +++ b/latest/ug/networking/managing-coredns.adoc @@ -110,3 +110,4 @@ topologySpreadConstraints: * In EKS add-on versions `v1.11.1-eksbuild.4` and later, the container image is based on a https://gallery.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base[minimal base image] maintained by Amazon EKS Distro, which contains minimal packages and doesn't have shells. For more information, see https://distro.eks.amazonaws.com/[Amazon EKS Distro]. The usage and troubleshooting of the [.noloc]`CoreDNS` image remains the same. +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[managing-coredns,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/managing-kube-proxy.adoc b/latest/ug/networking/managing-kube-proxy.adoc index 72b83e1e3..18e692c86 100644 --- a/latest/ug/networking/managing-kube-proxy.adoc +++ b/latest/ug/networking/managing-kube-proxy.adoc @@ -93,3 +93,4 @@ The following table lists the latest available self-managed `kube-proxy` contain * When you <>, you specify a valid Amazon EKS add-on version, which might not be a version listed in this table. This is because <> versions don't always match container image versions specified when updating the self-managed type of this add-on. When you update the self-managed type of this add-on, you specify a valid container image version listed in this table. +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[managing-kube-proxy,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/managing-vpc-cni.adoc b/latest/ug/networking/managing-vpc-cni.adoc index 46a929bdd..7f91c6815 100644 --- a/latest/ug/networking/managing-vpc-cni.adoc +++ b/latest/ug/networking/managing-vpc-cni.adoc @@ -83,3 +83,4 @@ The following are considerations for using the feature. * Check version compatibility for each feature. Some features of each release of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` require certain [.noloc]`Kubernetes` versions. When using different Amazon EKS features, if a specific version of the add-on is required, then it's noted in the feature documentation. Unless you have a specific reason for running an earlier version, we recommend running the latest version. +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[managing-vpc-cni,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/network-policies-troubleshooting.adoc b/latest/ug/networking/network-policies-troubleshooting.adoc index c49f44785..0eff047d6 100644 --- a/latest/ug/networking/network-policies-troubleshooting.adoc +++ b/latest/ug/networking/network-policies-troubleshooting.adoc @@ -258,3 +258,6 @@ sudo /opt/cni/bin/aws-eks-na-cli ebpf progs ---- To run this command, you can use any method to connect to the node. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[network-policies-troubleshooting,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/network-policy-disable.adoc b/latest/ug/networking/network-policy-disable.adoc index 1e2e32435..ed0557f2b 100644 --- a/latest/ug/networking/network-policy-disable.adoc +++ b/latest/ug/networking/network-policy-disable.adoc @@ -39,4 +39,4 @@ kubectl edit daemonset -n kube-system aws-node ---- - +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[network-policy-disable,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/network-policy-stars-demo.adoc b/latest/ug/networking/network-policy-stars-demo.adoc index 3432fcef9..cc5cdf1dd 100644 --- a/latest/ug/networking/network-policy-stars-demo.adoc +++ b/latest/ug/networking/network-policy-stars-demo.adoc @@ -186,3 +186,6 @@ kubectl delete -f https://eksworkshop.com/beginner/120_network-policies/calico/s ---- + Even after deleting the resources, there can still be network policy endpoints on the nodes that might interfere in unexpected ways with networking in your cluster. The only sure way to remove these rules is to reboot the nodes or terminate all of the nodes and recycle them. To terminate all nodes, either set the Auto Scaling Group desired count to 0, then back up to the desired number, or just terminate the nodes. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[network-policy-stars-demo,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/network-reqs.adoc b/latest/ug/networking/network-reqs.adoc index 85e70ab81..96d02dd6a 100644 --- a/latest/ug/networking/network-reqs.adoc +++ b/latest/ug/networking/network-reqs.adoc @@ -281,3 +281,6 @@ You can use _VPC sharing_ to share subnets with other {aws} accounts within the * If you use the _custom networking_ feature of the [.noloc]`Amazon VPC CNI plugin for Kubernetes`, you need to use the Availability Zone ID mappings listed in the owner account to create each `ENIConfig`. For more information, see <>. For more information about VPC subnet sharing, see link:vpc/latest/userguide/vpc-sharing.html#vpc-share-limitations[Share your VPC with other accounts,type="documentation"] in the _Amazon VPC User Guide_. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[network-reqs,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/pod-multiple-network-interfaces.adoc b/latest/ug/networking/pod-multiple-network-interfaces.adoc index fee6ff2af..0d038ddc5 100644 --- a/latest/ug/networking/pod-multiple-network-interfaces.adoc +++ b/latest/ug/networking/pod-multiple-network-interfaces.adoc @@ -31,3 +31,4 @@ In Amazon EKS, each [.noloc]`Pod` has one network interface assigned by the Amaz For an implementation walk through, see the https://github.com/aws-samples/eks-install-guide-for-multus/blob/main/README.md[Multus Setup Guide] on [.noloc]`GitHub`. +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[pod-multiple-network-interfaces,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/pod-networking-use-cases.adoc b/latest/ug/networking/pod-networking-use-cases.adoc index 33e836ce3..acde06534 100644 --- a/latest/ug/networking/pod-networking-use-cases.adoc +++ b/latest/ug/networking/pod-networking-use-cases.adoc @@ -46,3 +46,5 @@ The [.noloc]`Amazon VPC CNI plugin for Kubernetes` provides networking for [.nol |<> |=== + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[pod-networking-use-cases,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/sec-group-reqs.adoc b/latest/ug/networking/sec-group-reqs.adoc index 48a387a7d..18db6c923 100644 --- a/latest/ug/networking/sec-group-reqs.adoc +++ b/latest/ug/networking/sec-group-reqs.adoc @@ -143,3 +143,6 @@ Amazon EKS supports shared security groups. === Considerations for Amazon EKS * EKS has the same requirements of shared or multi-VPC security groups as standard security groups. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[sec-group-reqs,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/security-groups-for-pods.adoc b/latest/ug/networking/security-groups-for-pods.adoc index 0eaeefaa9..d1f92b5cd 100644 --- a/latest/ug/networking/security-groups-for-pods.adoc +++ b/latest/ug/networking/security-groups-for-pods.adoc @@ -71,3 +71,4 @@ If you're using version `1.11` or later of the plugin with `POD_SECURITY_GROUP_E If you set `POD_SECURITY_GROUP_ENFORCING_MODE=standard` and `AWS_VPC_K8S_CNI_EXTERNALSNAT=false`, traffic destined for endpoints outside the VPC use the node's security groups, not the [.noloc]`Pod's` security groups. +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[security-groups-for-pods,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/security-groups-pods-deployment.adoc b/latest/ug/networking/security-groups-pods-deployment.adoc index 7c2e16a01..cdd1ff08c 100644 --- a/latest/ug/networking/security-groups-pods-deployment.adoc +++ b/latest/ug/networking/security-groups-pods-deployment.adoc @@ -92,3 +92,4 @@ IMPORTANT: . To see how to use a security group policy for your [.noloc]`Pod`, see <>. +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[security-groups-pods-deployment,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/sg-pods-example-deployment.adoc b/latest/ug/networking/sg-pods-example-deployment.adoc index be6ae3b9e..8b92eef49 100644 --- a/latest/ug/networking/sg-pods-example-deployment.adoc +++ b/latest/ug/networking/sg-pods-example-deployment.adoc @@ -209,3 +209,4 @@ aws ec2 delete-security-group --group-id $my_pod_security_group_id ---- +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[sg-pods-example-deployment,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/vpc-add-on-create.adoc b/latest/ug/networking/vpc-add-on-create.adoc index 331570cb3..08cdc34e2 100644 --- a/latest/ug/networking/vpc-add-on-create.adoc +++ b/latest/ug/networking/vpc-add-on-create.adoc @@ -94,3 +94,4 @@ v1.19.0-eksbuild.1 . (Optional) Install the `cni-metrics-helper` to your cluster. It scrapes elastic network interface and IP address information, aggregates it at a cluster level, and publishes the metrics to Amazon CloudWatch. For more information, see https://github.com/aws/amazon-vpc-cni-k8s/blob/master/cmd/cni-metrics-helper/README.md[cni-metrics-helper] on GitHub. +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[vpc-add-on-create,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/vpc-add-on-self-managed-update.adoc b/latest/ug/networking/vpc-add-on-self-managed-update.adoc index fb0675187..62144e749 100644 --- a/latest/ug/networking/vpc-add-on-self-managed-update.adoc +++ b/latest/ug/networking/vpc-add-on-self-managed-update.adoc @@ -72,3 +72,4 @@ v1.19.0 . (Optional) Install the `cni-metrics-helper` to your cluster. It scrapes elastic network interface and IP address information, aggregates it at a cluster level, and publishes the metrics to Amazon CloudWatch. For more information, see https://github.com/aws/amazon-vpc-cni-k8s/blob/master/cmd/cni-metrics-helper/README.md[cni-metrics-helper] on GitHub. +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[vpc-add-on-self-managed-update,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/vpc-add-on-update.adoc b/latest/ug/networking/vpc-add-on-update.adoc index 7bdff484d..bd441fdcd 100644 --- a/latest/ug/networking/vpc-add-on-update.adoc +++ b/latest/ug/networking/vpc-add-on-update.adoc @@ -77,3 +77,4 @@ An example output is as follows. ---- +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[vpc-add-on-update,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/al2023.adoc b/latest/ug/nodes/al2023.adoc index b7b4d13f3..70166c24d 100644 --- a/latest/ug/nodes/al2023.adoc +++ b/latest/ug/nodes/al2023.adoc @@ -66,3 +66,6 @@ For previously existing managed node groups, you can either perform an in-place * If you're using managed node groups with either the standard launch template or with a custom launch template that doesn't specify the AMI ID, you're required to upgrade using a blue/green strategy. A blue/green upgrade is typically more complex and involves creating an entirely new node group where you would specify AL2023 as the AMI type. The new node group will need to then be carefully configured to ensure that all custom data from the AL2 node group is compatible with the new OS. Once the new node group has been tested and validated with your applications, [.noloc]`Pods` can be migrated from the old node group to the new node group. Once the migration is completed, you can delete the old node group. If you're using [.noloc]`Karpenter` and want to use AL2023, you'll need to modify the `EC2NodeClass` `amiFamily` field with AL2023. By default, Drift is enabled in [.noloc]`Karpenter`. This means that once the `amiFamily` field has been changed, [.noloc]`Karpenter` will automatically update your worker nodes to the latest AMI when available. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[al2023,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/auto-get-logs.adoc b/latest/ug/nodes/auto-get-logs.adoc index bb40d8620..fa4fec8f0 100644 --- a/latest/ug/nodes/auto-get-logs.adoc +++ b/latest/ug/nodes/auto-get-logs.adoc @@ -125,3 +125,6 @@ artifacts # Delete the NodeDiagnostic resource kubectl delete nodediagnostics.eks.amazonaws.com/[.replaceable]`node-name` ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-get-logs,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/bottlerocket-compliance-support.adoc b/latest/ug/nodes/bottlerocket-compliance-support.adoc index c3057cfb7..4f04f11b5 100644 --- a/latest/ug/nodes/bottlerocket-compliance-support.adoc +++ b/latest/ug/nodes/bottlerocket-compliance-support.adoc @@ -16,3 +16,6 @@ include::../attributes.txt[] * The optimized feature set and reduced attack surface means that [.noloc]`Bottlerocket` instances require less configuration to satisfy PCI DSS requirements. The https://www.cisecurity.org/benchmark/bottlerocket[CIS Benchmark for Bottlerocket] is an excellent resource for hardening guidance, and supports your requirements for secure configuration standards under PCI DSS requirement 2.2. You can also leverage https://opensearch.org/blog/technical-post/2022/07/bottlerocket-k8s-fluent-bit/[Fluent Bit] to support your requirements for operating system level audit logging under PCI DSS requirement 10.2. {aws} publishes new (patched) [.noloc]`Bottlerocket` instances periodically to help you meet PCI DSS requirement 6.2 (for v3.2.1) and requirement 6.3.3 (for v4.0). * [.noloc]`Bottlerocket` is an HIPAA-eligible feature authorized for use with regulated workloads for both Amazon EC2 and Amazon EKS. For more information, see the link:pdfs/whitepapers/latest/architecting-hipaa-security-and-compliance-on-amazon-eks/architecting-hipaa-security-and-compliance-on-amazon-eks.pdf[Architecting for HIPAA Security and Compliance on Amazon EKS,type="documentation"] whitepaper. * [.noloc]`Bottlerocket` AMIs are available that are preconfigured to use FIPS 140-3 validated cryptographic modules. This includes the Amazon Linux 2023 Kernel Crypto API Cryptographic Module and the {aws}-LC Cryptographic Module. For more information on selecting FIPS-enabled variants, see <>. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[bottlerocket-compliance-support,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/choosing-instance-type.adoc b/latest/ug/nodes/choosing-instance-type.adoc index 47f89a1d0..ea409218e 100644 --- a/latest/ug/nodes/choosing-instance-type.adoc +++ b/latest/ug/nodes/choosing-instance-type.adoc @@ -111,3 +111,6 @@ EKS Auto Mode limits the number of pods on nodes to the lower of: * 110 pods hard cap * The result of the max pods calculation described above. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[choosing-instance-type,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/create-managed-node-group.adoc b/latest/ug/nodes/create-managed-node-group.adoc index f0145489d..9d05e083c 100644 --- a/latest/ug/nodes/create-managed-node-group.adoc +++ b/latest/ug/nodes/create-managed-node-group.adoc @@ -249,3 +249,6 @@ For more information, see https://aws.github.io/aws-eks-best-practices/security/ * Configure the [.noloc]`Kubernetes` https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaler] to automatically adjust the number of nodes in your node groups. * Deploy a <> to your cluster. * <> with important tools for managing your cluster. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[create-managed-node-group,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/delete-fargate-profile.adoc b/latest/ug/nodes/delete-fargate-profile.adoc index 2ea50acc6..3fbd71020 100644 --- a/latest/ug/nodes/delete-fargate-profile.adoc +++ b/latest/ug/nodes/delete-fargate-profile.adoc @@ -52,3 +52,6 @@ Use the following command to delete a profile from a cluster. Replace every [.re ---- aws eks delete-fargate-profile --fargate-profile-name my-profile --cluster-name my-cluster ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[delete-fargate-profile,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/delete-managed-node-group.adoc b/latest/ug/nodes/delete-managed-node-group.adoc index f4e989b63..3e8edce71 100644 --- a/latest/ug/nodes/delete-managed-node-group.adoc +++ b/latest/ug/nodes/delete-managed-node-group.adoc @@ -72,3 +72,6 @@ aws eks delete-nodegroup \ + For more options, see the `link:cli/latest/reference/eks/delete-nodegroup.html[delete-nodegroup,type="documentation"]` command in the _{aws} CLI Command Reference_. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[delete-managed-node-group,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/dockershim-deprecation.adoc b/latest/ug/nodes/dockershim-deprecation.adoc index cf025a233..4be5a5078 100644 --- a/latest/ug/nodes/dockershim-deprecation.adoc +++ b/latest/ug/nodes/dockershim-deprecation.adoc @@ -98,3 +98,6 @@ If you prefer to use a different tool to create your managed node group, you mus ---- /etc/eks/bootstrap.sh my-cluster --container-runtime containerd ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[dockershim-deprecation,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/eks-ami-build-scripts.adoc b/latest/ug/nodes/eks-ami-build-scripts.adoc index 52e758841..3ad3f1149 100644 --- a/latest/ug/nodes/eks-ami-build-scripts.adoc +++ b/latest/ug/nodes/eks-ami-build-scripts.adoc @@ -23,3 +23,6 @@ Additionally, the [.noloc]`GitHub` repository contains our Amazon EKS node {aws} For more information, see the repositories on [.noloc]`GitHub` at https://github.com/awslabs/amazon-eks-ami. Amazon EKS optimized AL2 contains an optional bootstrap flag to enable the `containerd` runtime. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-ami-build-scripts,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc b/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc index 981972c78..c79e26578 100644 --- a/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc +++ b/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc @@ -13,3 +13,6 @@ This topic gives resources for Amazon EKS optimized [.noloc]`Bottlerocket` AMIs Each [.noloc]`Bottlerocket` AMI release includes various versions of https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/[kubelet], the [.noloc]`Bottlerocket` kernel, and https://containerd.io/[containerd]. Accelerated AMI variants also include various versions of the [.noloc]`NVIDIA` driver. You can find this version information in the https://bottlerocket.dev/en/os/[OS] topic of the _Bottlerocket Documentation_. From this page, navigate to the applicable _Version Information_ sub-topic. The _Bottlerocket Documentation_ can sometimes lag behind the versions that are available on GitHub. You can find a list of changes for the latest versions in the https://github.com/bottlerocket-os/bottlerocket/releases[releases] on [.noloc]`GitHub`. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-ami-versions-bottlerocket,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/eks-ami-versions-windows.adoc b/latest/ug/nodes/eks-ami-versions-windows.adoc index acc36aafa..2138a1e19 100644 --- a/latest/ug/nodes/eks-ami-versions-windows.adoc +++ b/latest/ug/nodes/eks-ami-versions-windows.adoc @@ -4377,3 +4377,6 @@ The following tables list the current and previous versions of the Amazon EKS op | |=== ==== + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-ami-versions-windows,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/eks-compute.adoc b/latest/ug/nodes/eks-compute.adoc index e4c32d7db..e532fc6f4 100644 --- a/latest/ug/nodes/eks-compute.adoc +++ b/latest/ug/nodes/eks-compute.adoc @@ -220,3 +220,6 @@ include::eks-optimized-amis.adoc[leveloffset=+1] include::node-health.adoc[leveloffset=+1] include::hybrid-nodes-overview.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-compute,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/eks-custom-ami-windows.adoc b/latest/ug/nodes/eks-custom-ami-windows.adoc index bf92493eb..f061d5194 100644 --- a/latest/ug/nodes/eks-custom-ami-windows.adoc +++ b/latest/ug/nodes/eks-custom-ami-windows.adoc @@ -113,3 +113,6 @@ You can retrieve specific information regarding what is installed with each comp . Choose the *`eks-optimized-ami-windows`* link with a desired version. The *Description* in the resulting page shows the specific information. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-custom-ami-windows,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/eks-linux-ami-versions.adoc b/latest/ug/nodes/eks-linux-ami-versions.adoc index 747103ee6..e443734ae 100644 --- a/latest/ug/nodes/eks-linux-ami-versions.adoc +++ b/latest/ug/nodes/eks-linux-ami-versions.adoc @@ -18,3 +18,6 @@ k8s_major_version.k8s_minor_version.k8s_patch_version-release_date ---- Each AMI release includes various versions of https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/[kubelet], the [.noloc]`Linux` kernel, and https://containerd.io/[containerd]. The accelerated AMIs also include various versions of the [.noloc]`NVIDIA` driver. You can find this version information in the https://github.com/awslabs/amazon-eks-ami/blob/main/CHANGELOG.md[Changelog] on [.noloc]`GitHub`. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-linux-ami-versions,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc b/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc index e8e94fe51..76cf9f4e4 100644 --- a/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc +++ b/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc @@ -60,3 +60,6 @@ include::eks-ami-versions-bottlerocket.adoc[leveloffset=+1] include::retrieve-ami-id-bottlerocket.adoc[leveloffset=+1] include::bottlerocket-compliance-support.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-optimized-ami-bottlerocket,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/eks-optimized-ami.adoc b/latest/ug/nodes/eks-optimized-ami.adoc index 8f89e96c8..be28840ee 100644 --- a/latest/ug/nodes/eks-optimized-ami.adoc +++ b/latest/ug/nodes/eks-optimized-ami.adoc @@ -81,3 +81,6 @@ For more information about using Amazon EKS optimized Amazon Linux AMIs, see the * For version information, see <>. * To retrieve the latest IDs of the Amazon EKS optimized Amazon Linux AMIs, see <>. * For open-source scripts that are used to build the Amazon EKS optimized AMIs, see <>. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-optimized-ami,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/eks-optimized-amis.adoc b/latest/ug/nodes/eks-optimized-amis.adoc index b2cba2371..0ab13e32b 100644 --- a/latest/ug/nodes/eks-optimized-amis.adoc +++ b/latest/ug/nodes/eks-optimized-amis.adoc @@ -28,3 +28,6 @@ include::eks-optimized-ami-bottlerocket.adoc[leveloffset=+1] include::eks-partner-amis.adoc[leveloffset=+1] include::eks-optimized-windows-ami.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-optimized-amis,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/eks-optimized-windows-ami.adoc b/latest/ug/nodes/eks-optimized-windows-ami.adoc index 1c4145815..9216dee3f 100644 --- a/latest/ug/nodes/eks-optimized-windows-ami.adoc +++ b/latest/ug/nodes/eks-optimized-windows-ami.adoc @@ -147,3 +147,6 @@ include::eks-ami-versions-windows.adoc[leveloffset=+1] include::retrieve-windows-ami-id.adoc[leveloffset=+1] include::eks-custom-ami-windows.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-optimized-windows-ami,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/eks-partner-amis.adoc b/latest/ug/nodes/eks-partner-amis.adoc index 062300cd3..c696b628b 100644 --- a/latest/ug/nodes/eks-partner-amis.adoc +++ b/latest/ug/nodes/eks-partner-amis.adoc @@ -13,3 +13,6 @@ Canonical has partnered with Amazon EKS to create node AMIs that you can use in Canonical has partnered with Amazon EKS to create node AMIs that you can use in your clusters. https://www.canonical.com/[Canonical] delivers a built-for-purpose [.noloc]`Kubernetes` Node OS image. This minimized [.noloc]`Ubuntu` image is optimized for Amazon EKS and includes the custom {aws} kernel that is jointly developed with {aws}. For more information, see https://cloud-images.ubuntu.com/aws-eks/[Ubuntu on Amazon Elastic Kubernetes Service (EKS)] and <> . For information about support, see the link:premiumsupport/faqs/#Third-party_software[Third-party software,type="marketing"] section of the _{aws} Premium Support FAQs_. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-partner-amis,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/fargate-getting-started.adoc b/latest/ug/nodes/fargate-getting-started.adoc index 16e2dfd23..006dbe55b 100644 --- a/latest/ug/nodes/fargate-getting-started.adoc +++ b/latest/ug/nodes/fargate-getting-started.adoc @@ -169,3 +169,6 @@ kubectl rollout restart -n kube-system deployment coredns * Deploy the <> to allow Ingress objects for your [.noloc]`Pods` running on Fargate. * You can use the <> to set the initial correct size of CPU and memory for your Fargate [.noloc]`Pods`, and then use the <> to scale those [.noloc]`Pods`. If you want the Vertical Pod Autoscaler to automatically re-deploy [.noloc]`Pods` to Fargate with higher CPU and memory combinations, set the Vertical Pod Autoscaler's mode to either `Auto` or `Recreate`. This is to ensure correct functionality. For more information, see the https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler#quick-start[Vertical Pod Autoscaler] documentation on [.noloc]`GitHub`. * You can set up the link:otel[{aws} Distro for OpenTelemetry,type="marketing"] (ADOT) collector for application monitoring by following link:AmazonCloudWatch/latest/monitoring/Container-Insights-EKS-otel.html[these instructions,type="documentation"]. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[fargate-getting-started,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/fargate-logging.adoc b/latest/ug/nodes/fargate-logging.adoc index b88ab40b7..1e38e6b72 100644 --- a/latest/ug/nodes/fargate-logging.adoc +++ b/latest/ug/nodes/fargate-logging.adoc @@ -416,3 +416,6 @@ Events: ---- The [.noloc]`Pod` events are ephemeral with a time period depending on the settings. You can also view a [.noloc]`Pod's` annotations using `kubectl describe pod [.replaceable]``pod-name```. In the [.noloc]`Pod` annotation, there is information about whether the logging feature is enabled or disabled and the reason. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[fargate-logging,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/fargate-pod-configuration.adoc b/latest/ug/nodes/fargate-pod-configuration.adoc index a4840a6a1..f685f2620 100644 --- a/latest/ug/nodes/fargate-pod-configuration.adoc +++ b/latest/ug/nodes/fargate-pod-configuration.adoc @@ -105,3 +105,6 @@ The default usable storage for Amazon EKS [.noloc]`Pods` that run on Fargate is You can increase the total amount of ephemeral storage up to a maximum of 175 GiB. To configure the size with [.noloc]`Kubernetes`, specify the requests of `ephemeral-storage` resource to each container in a [.noloc]`Pod`. When [.noloc]`Kubernetes` schedules [.noloc]`Pods`, it ensures that the sum of the resource requests for each [.noloc]`Pod` is less than the capacity of the Fargate task. For more information, see https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/[Resource Management for Pods and Containers] in the [.noloc]`Kubernetes` documentation. Amazon EKS Fargate provisions more ephemeral storage than requested for the purposes of system use. For example, a request of 100 GiB will provision a Fargate task with 115 GiB ephemeral storage. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[fargate-pod-configuration,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/fargate-pod-patching.adoc b/latest/ug/nodes/fargate-pod-patching.adoc index 492b37523..4f9ffc428 100644 --- a/latest/ug/nodes/fargate-pod-patching.adoc +++ b/latest/ug/nodes/fargate-pod-patching.adoc @@ -72,3 +72,6 @@ You can create a desired action based on this event. For example, you can adjust A suitable target can be set for the event to capture it. For a complete list of available targets, see link:eventbridge/latest/userguide/eb-targets.html[Amazon EventBridge targets,type="documentation"] in the _Amazon EventBridge User Guide_. You can also create a notification configuration in {aws} User Notifications. When using the {aws-management-console} to create the notification, under *Event Rules*, choose *Elastic Kubernetes Service (EKS)* for *{aws} service name* and *EKS Fargate Pod Scheduled Termination* for *Event type*. For more information, see link:notifications/latest/userguide/getting-started.html[Getting started with {aws} User Notifications,type="documentation"] in the {aws} User Notifications User Guide. See https://repost.aws/knowledge-center/fargate-pod-eviction-notice[FAQs: Fargate Pod eviction notice] in _{aws} re:Post_ for frequently asked questions regarding EKS Pod Evictions. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[fargate-pod-patching,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/fargate-profile.adoc b/latest/ug/nodes/fargate-profile.adoc index 464dfde0a..bba7549b4 100644 --- a/latest/ug/nodes/fargate-profile.adoc +++ b/latest/ug/nodes/fargate-profile.adoc @@ -140,3 +140,6 @@ NOTE: Only private subnets are supported for [.noloc]`Pods` that are running on *** You can use certain wildcards (for example, `key?: value?`) to match multiple namespaces (for example, `keya: valuea` and `keyb: valueb`). For more information, see <>. .. Choose *Next*. . On the *Review and create* page, review the information for your Fargate profile and choose *Create*. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[fargate-profile,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/fargate.adoc b/latest/ug/nodes/fargate.adoc index 2f6180b65..a519f42c4 100644 --- a/latest/ug/nodes/fargate.adoc +++ b/latest/ug/nodes/fargate.adoc @@ -186,3 +186,6 @@ include::fargate-pod-patching.adoc[leveloffset=+1] include::monitoring-fargate-usage.adoc[leveloffset=+1] include::fargate-logging.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[fargate,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-add-ons.adoc b/latest/ug/nodes/hybrid-nodes-add-ons.adoc index c38c16b7c..82e576542 100644 --- a/latest/ug/nodes/hybrid-nodes-add-ons.adoc +++ b/latest/ug/nodes/hybrid-nodes-add-ons.adoc @@ -167,3 +167,6 @@ aws eks create-addon \ == CSI snapshot controller add-on Starting with version `v8.1.0-eksbuild.2`, the <> applies a soft anti-affinity rule for hybrid nodes, preferring the controller `deployment` to run on EC2 in the same {aws} Region as the Amazon EKS control plane. Co-locating the `deployment` in the same {aws} Region as the Amazon EKS control plane improves latency. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[hybrid-nodes-add-ons,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc index 7514cdd18..7598c8093 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc @@ -337,3 +337,6 @@ kubernetes ClusterIP 10.100.0.1 443/TCP 28h == Step 4: Cluster setup As a next step, see <> to enable access for your hybrid nodes to join your cluster. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[hybrid-nodes-cluster-create,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc b/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc index 944955feb..acaa9b3e7 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc @@ -107,3 +107,6 @@ data: username: system:node:{{SessionName}} EOF ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[hybrid-nodes-cluster-prep,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-cni.adoc b/latest/ug/nodes/hybrid-nodes-cni.adoc index ce4054531..e25004ab2 100644 --- a/latest/ug/nodes/hybrid-nodes-cni.adoc +++ b/latest/ug/nodes/hybrid-nodes-cni.adoc @@ -524,3 +524,6 @@ kubectl get crds -oname | grep "calico" | xargs kubectl delete ---- kubectl get crds -oname | grep "tigera" | xargs kubectl delete ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[hybrid-nodes-cni,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-creds.adoc b/latest/ug/nodes/hybrid-nodes-creds.adoc index 6dfae06b0..de4c81a5e 100644 --- a/latest/ug/nodes/hybrid-nodes-creds.adoc +++ b/latest/ug/nodes/hybrid-nodes-creds.adoc @@ -526,3 +526,6 @@ To use {aws} IAM Roles Anywhere, you must set up your {aws} IAM Roles Anywhere t .. For *Role name*, enter a unique name for your role, such as `AmazonEKSHybridNodesRole`. .. For *Description*, replace the current text with descriptive text such as `Amazon EKS - Hybrid Nodes role`. .. Choose *Create role*. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[hybrid-nodes-creds,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-join.adoc b/latest/ug/nodes/hybrid-nodes-join.adoc index 05d86d802..21273c3f5 100644 --- a/latest/ug/nodes/hybrid-nodes-join.adoc +++ b/latest/ug/nodes/hybrid-nodes-join.adoc @@ -143,3 +143,6 @@ Your nodes will have status `Not Ready`, which is expected and is due to the lac == Step 4: Configure a CNI for hybrid nodes To make your hybrid nodes ready to run applications, continue with the steps on <>. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[hybrid-nodes-join,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-networking.adoc b/latest/ug/nodes/hybrid-nodes-networking.adoc index bd6116579..5159bdbd2 100644 --- a/latest/ug/nodes/hybrid-nodes-networking.adoc +++ b/latest/ug/nodes/hybrid-nodes-networking.adoc @@ -405,3 +405,6 @@ aws ec2 authorize-security-group-ingress \ --group-id [.replaceable]`SG_ID` \ --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "REMOTE_NODE_CIDR"}, {"CidrIp": "REMOTE_POD_CIDR"}]}]' ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[hybrid-nodes-networking,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc index 74a51c77c..39d8501dd 100644 --- a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc +++ b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc @@ -585,3 +585,6 @@ spec: activationCode: # SSM hybrid activation code activationId: # SSM hybrid activation id ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[hybrid-nodes-nodeadm,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-os.adoc b/latest/ug/nodes/hybrid-nodes-os.adoc index 09e96ad47..98e7acc2b 100644 --- a/latest/ug/nodes/hybrid-nodes-os.adoc +++ b/latest/ug/nodes/hybrid-nodes-os.adoc @@ -361,3 +361,6 @@ govc vm.change -dc="YOUR_DATASTORE" -vm "$NODE_NAME" -e guestinfo.metadata.encod ---- govc vm.power -on "${NODE_NAME}" ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[hybrid-nodes-os,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-overview.adoc b/latest/ug/nodes/hybrid-nodes-overview.adoc index b6b1ba030..b7229b421 100644 --- a/latest/ug/nodes/hybrid-nodes-overview.adoc +++ b/latest/ug/nodes/hybrid-nodes-overview.adoc @@ -94,3 +94,6 @@ include::hybrid-nodes-proxy.adoc[leveloffset=+1] include::hybrid-nodes-nodeadm.adoc[leveloffset=+1] include::hybrid-nodes-troubleshooting.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[hybrid-nodes-overview,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-prereqs.adoc b/latest/ug/nodes/hybrid-nodes-prereqs.adoc index 9126a4b72..c9170f565 100644 --- a/latest/ug/nodes/hybrid-nodes-prereqs.adoc +++ b/latest/ug/nodes/hybrid-nodes-prereqs.adoc @@ -142,3 +142,6 @@ include::hybrid-nodes-cluster-create.adoc[leveloffset=+1] include::hybrid-nodes-cluster-prep.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[hybrid-nodes-prereqs,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-proxy.adoc b/latest/ug/nodes/hybrid-nodes-proxy.adoc index 606bf0d5a..47e98bcda 100644 --- a/latest/ug/nodes/hybrid-nodes-proxy.adoc +++ b/latest/ug/nodes/hybrid-nodes-proxy.adoc @@ -143,3 +143,6 @@ containers: apiVersion: v1 fieldPath: spec.nodeName ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[hybrid-nodes-proxy,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-remove.adoc b/latest/ug/nodes/hybrid-nodes-remove.adoc index 13d57db79..58679d136 100644 --- a/latest/ug/nodes/hybrid-nodes-remove.adoc +++ b/latest/ug/nodes/hybrid-nodes-remove.adoc @@ -56,3 +56,6 @@ kubectl delete node == Step 5: Check for remaining artifacts Depending on your choice of CNI, there may be artifacts remaining on your hybrid nodes after running the above steps. See <> for more information. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[hybrid-nodes-remove,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc index 5d2fe9827..2f50c10ab 100644 --- a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc +++ b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc @@ -667,3 +667,6 @@ ldd --version sudo apt update && apt install libc6 sudo apt install glibc-source ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[hybrid-nodes-troubleshooting,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-tutorial.adoc b/latest/ug/nodes/hybrid-nodes-tutorial.adoc index 4a85248a0..4ea77da6a 100644 --- a/latest/ug/nodes/hybrid-nodes-tutorial.adoc +++ b/latest/ug/nodes/hybrid-nodes-tutorial.adoc @@ -24,3 +24,6 @@ include::hybrid-nodes-join.adoc[leveloffset=+1] include::hybrid-nodes-upgrade.adoc[leveloffset=+1] include::hybrid-nodes-remove.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[hybrid-nodes-tutorial,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-upgrade.adoc b/latest/ug/nodes/hybrid-nodes-upgrade.adoc index 84520238b..aef756a12 100644 --- a/latest/ug/nodes/hybrid-nodes-upgrade.adoc +++ b/latest/ug/nodes/hybrid-nodes-upgrade.adoc @@ -144,3 +144,6 @@ nodeadm upgrade K8S_VERSION -c file://nodeConfig.yaml ---- kubectl get nodes -o -w ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[hybrid-nodes-upgrade,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/launch-node-bottlerocket.adoc b/latest/ug/nodes/launch-node-bottlerocket.adoc index d3fca843c..be2f91ce8 100644 --- a/latest/ug/nodes/launch-node-bottlerocket.adoc +++ b/latest/ug/nodes/launch-node-bottlerocket.adoc @@ -127,3 +127,6 @@ Add `--conntrack-max-per-core` and `--conntrack-min` to the `kube-proxy` argumen + For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[launch-node-bottlerocket,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/launch-node-ubuntu.adoc b/latest/ug/nodes/launch-node-ubuntu.adoc index 024205970..d097f4c14 100644 --- a/latest/ug/nodes/launch-node-ubuntu.adoc +++ b/latest/ug/nodes/launch-node-ubuntu.adoc @@ -100,3 +100,6 @@ Several lines are output while the nodes are created. One of the last lines of o + For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[launch-node-ubuntu,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/launch-templates.adoc b/latest/ug/nodes/launch-templates.adoc index ba827d3ad..3d9b7ea2b 100644 --- a/latest/ug/nodes/launch-templates.adoc +++ b/latest/ug/nodes/launch-templates.adoc @@ -463,3 +463,6 @@ kubectl edit -n kube-system cm aws-auth - eks:kube-proxy-windows ---- .. Save the file and exit your text editor. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[launch-templates,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/launch-windows-workers.adoc b/latest/ug/nodes/launch-windows-workers.adoc index c17be3b8d..1d9a06f02 100644 --- a/latest/ug/nodes/launch-windows-workers.adoc +++ b/latest/ug/nodes/launch-windows-workers.adoc @@ -246,3 +246,6 @@ If nodes fail to join the cluster, then see <> in the Troubles + For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[launch-windows-workers,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/launch-workers.adoc b/latest/ug/nodes/launch-workers.adoc index 04b90d330..8ab84c742 100644 --- a/latest/ug/nodes/launch-workers.adoc +++ b/latest/ug/nodes/launch-workers.adoc @@ -243,3 +243,6 @@ kubectl apply -f https://raw.githubusercontent.com/NVIDIA/k8s-device-plugin/vX.X + For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[launch-workers,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/learn-status-conditions.adoc b/latest/ug/nodes/learn-status-conditions.adoc index 53a7caadc..ce6a8c45a 100644 --- a/latest/ug/nodes/learn-status-conditions.adoc +++ b/latest/ug/nodes/learn-status-conditions.adoc @@ -124,3 +124,6 @@ kubectl get nodes -w # Get node metrics kubectl top node ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[learn-status-conditions,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/managed-node-groups.adoc b/latest/ug/nodes/managed-node-groups.adoc index 175fb93b1..dc20cfb61 100644 --- a/latest/ug/nodes/managed-node-groups.adoc +++ b/latest/ug/nodes/managed-node-groups.adoc @@ -123,3 +123,6 @@ When deciding whether to deploy a node group with On-Demand or Spot capacity, yo ** Within a managed node group, if you're using the https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaler], we recommend using a flexible set of instance types with the same amount of vCPU and memory resources. This is to ensure that the nodes in your cluster scale as expected. For example, if you need four vCPUs and eight GiB memory, use `c3.xlarge`, `c4.xlarge`, `c5.xlarge`, `c5d.xlarge`, `c5a.xlarge`, `c5n.xlarge`, or other similar instance types. ** To enhance application availability, we recommend deploying multiple Spot managed node groups. For this, each group should use a flexible set of instance types that have the same vCPU and memory resources. For example, if you need 4 vCPUs and 8 GiB memory, we recommend that you create one managed node group with `c3.xlarge`, `c4.xlarge`, `c5.xlarge`, `c5d.xlarge`, `c5a.xlarge`, `c5n.xlarge`, or other similar instance types, and a second managed node group with `m3.xlarge`, `m4.xlarge`, `m5.xlarge`, `m5d.xlarge`, `m5a.xlarge`, `m5n.xlarge` or other similar instance types. ** When deploying your node group with the Spot capacity type that's using a custom launch template, use the API to pass multiple instance types. Don't pass a single instance type through the launch template. For more information about deploying a node group using a launch template, see <>. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[managed-node-groups,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/managed-node-update-behavior.adoc b/latest/ug/nodes/managed-node-update-behavior.adoc index 6ffba17e5..3c0a5bdd6 100644 --- a/latest/ug/nodes/managed-node-update-behavior.adoc +++ b/latest/ug/nodes/managed-node-update-behavior.adoc @@ -113,3 +113,6 @@ Once every [.noloc]`Pod` is evicted, it's expected for the node to be empty beca The scale down phase decrements the Auto Scaling group maximum size and desired size by one to return to values before the update started. If the Upgrade workflow determines that the Cluster Autoscaler is scaling up the node group during the scale down phase of the workflow, it exits immediately without bringing the node group back to its original size. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[managed-node-update-behavior,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/migrate-stack.adoc b/latest/ug/nodes/migrate-stack.adoc index 63f8dff83..55a52bf20 100644 --- a/latest/ug/nodes/migrate-stack.adoc +++ b/latest/ug/nodes/migrate-stack.adoc @@ -302,3 +302,6 @@ kubectl scale deployments/cluster-autoscaler --replicas=1 -n kube-system ---- kubectl scale deployments/kube-dns --replicas=1 -n kube-system ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[migrate-stack,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/monitoring-fargate-usage.adoc b/latest/ug/nodes/monitoring-fargate-usage.adoc index ecbef1c7e..9824f6070 100644 --- a/latest/ug/nodes/monitoring-fargate-usage.adoc +++ b/latest/ug/nodes/monitoring-fargate-usage.adoc @@ -79,3 +79,6 @@ Use the following steps to create a CloudWatch alarm based on the Fargate resour . In the Amazon CloudWatch alarms section, choose *Create*. . For *Alarm threshold*, choose the percentage of your applied quota value that you want to set as the alarm value. . For *Alarm name*, enter a name for the alarm and then choose *Create*. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[monitoring-fargate-usage,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/node-health.adoc b/latest/ug/nodes/node-health.adoc index 1d732cbd2..228fa78f2 100644 --- a/latest/ug/nodes/node-health.adoc +++ b/latest/ug/nodes/node-health.adoc @@ -391,3 +391,6 @@ If auto repair is enabled, the repair actions that are listed start 10 minutes a |Kubelet is reporting slow disk usage while trying to access the filesystem, potentially indicating insufficient disk input-output or filesystem issues. |=== + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[node-health,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc b/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc index 90126ad75..1e9ab04da 100644 --- a/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc +++ b/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc @@ -47,3 +47,6 @@ An example output is as follows. ---- ami-[.replaceable]`1234567890abcdef0` ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[retrieve-ami-id-bottlerocket,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/retrieve-ami-id.adoc b/latest/ug/nodes/retrieve-ami-id.adoc index 20b91422c..7e32f0a86 100644 --- a/latest/ug/nodes/retrieve-ami-id.adoc +++ b/latest/ug/nodes/retrieve-ami-id.adoc @@ -46,3 +46,6 @@ An example output is as follows. ---- ami-[.replaceable]`1234567890abcdef0` ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[retrieve-ami-id,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/retrieve-windows-ami-id.adoc b/latest/ug/nodes/retrieve-windows-ami-id.adoc index 8278553e4..9f862b791 100644 --- a/latest/ug/nodes/retrieve-windows-ami-id.adoc +++ b/latest/ug/nodes/retrieve-windows-ami-id.adoc @@ -45,3 +45,6 @@ An example output is as follows. ---- ami-[.replaceable]`1234567890abcdef0` ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[retrieve-windows-ami-id,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/self-managed-windows-server-2022.adoc b/latest/ug/nodes/self-managed-windows-server-2022.adoc index 2b5d682bf..b0a7dc01c 100644 --- a/latest/ug/nodes/self-managed-windows-server-2022.adoc +++ b/latest/ug/nodes/self-managed-windows-server-2022.adoc @@ -48,3 +48,6 @@ The node groups can then be created using the following command. ---- eksctl create cluster -f test-windows-2022.yaml ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[self-managed-windows-server-2022,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/update-managed-node-group.adoc b/latest/ug/nodes/update-managed-node-group.adoc index 8007b9425..07390745e 100644 --- a/latest/ug/nodes/update-managed-node-group.adoc +++ b/latest/ug/nodes/update-managed-node-group.adoc @@ -125,3 +125,6 @@ IMPORTANT: When updating the node group configuration, modifying the link:eks/la Unlike the <> process (which drains nodes and respects PDBs during the upgrade phase), updating the scaling configuration causes nodes to be terminated immediately through an Auto Scaling Group (ASG) scale-down call. This happens without considering PDBs, regardless of the target size you're scaling down to. That means when you reduce the `desiredSize` of an Amazon EKS managed node group, [.noloc]`Pods` are evicted as soon as the nodes are terminated, without honoring any PDBs. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[update-managed-node-group,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/update-stack.adoc b/latest/ug/nodes/update-stack.adoc index d533a3583..53e951d52 100644 --- a/latest/ug/nodes/update-stack.adoc +++ b/latest/ug/nodes/update-stack.adoc @@ -106,3 +106,6 @@ kubectl scale deployments/kube-dns --replicas=1 -n kube-system kubectl scale deployments/cluster-autoscaler --replicas=1 -n kube-system ---- . (Optional) Verify that you're using the latest version of the https://github.com/aws/amazon-vpc-cni-k8s[Amazon VPC CNI plugin for Kubernetes]. You might need to update your [.noloc]`Amazon VPC CNI plugin for Kubernetes` version to use the latest supported instance types. For more information, see <>. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[update-stack,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/update-workers.adoc b/latest/ug/nodes/update-workers.adoc index d82bc998f..da3a40785 100644 --- a/latest/ug/nodes/update-workers.adoc +++ b/latest/ug/nodes/update-workers.adoc @@ -30,3 +30,6 @@ Update the {aws} CloudFormation stack for an existing node group to use the new include::migrate-stack.adoc[leveloffset=+1] include::update-stack.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[update-workers,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/worker.adoc b/latest/ug/nodes/worker.adoc index bc7bb4260..56ab26686 100644 --- a/latest/ug/nodes/worker.adoc +++ b/latest/ug/nodes/worker.adoc @@ -32,4 +32,7 @@ If you restrict access to the public endpoint of your cluster using CIDR blocks, To add self-managed nodes to your Amazon EKS cluster, see the topics that follow. If you launch self-managed nodes manually, add the following tag to each node. For more information, see link:AWSEC2/latest/UserGuide/Using_Tags.html#adding-or-deleting-tags[Adding and deleting tags on an individual resource,type="documentation"]. If you follow the steps in the guides that follow, the required tag is automatically added to nodes for you. [.topiclist] -[[Topic List]] \ No newline at end of file +[[Topic List]] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[worker,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/observability/cloudwatch.adoc b/latest/ug/observability/cloudwatch.adoc index ada31dd4b..81e89cf56 100644 --- a/latest/ug/observability/cloudwatch.adoc +++ b/latest/ug/observability/cloudwatch.adoc @@ -266,3 +266,6 @@ The topics below describe how to get started using CloudWatch Observability Oper * For instructions on installing this add-on, see link:AmazonCloudWatch/latest/monitoring/install-CloudWatch-Observability-EKS-addon.html[Install the CloudWatch agent with the Amazon CloudWatch Observability EKS add-on or the Helm chart,type="documentation"] in the _Amazon CloudWatch User Guide_. * For more information about CloudWatch Application Signals, see link:AmazonCloudWatch/latest/monitoring/CloudWatch-Application-Monitoring-Sections.html[Application Signals,type="documentation"] in the _Amazon CloudWatch User Guide_. * For more information about Container Insights, see link:AmazonCloudWatch/latest/monitoring/ContainerInsights.html[Using Container Insights,type="documentation"] in the _Amazon CloudWatch User Guide_. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cloudwatch,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/observability/control-plane-logs.adoc b/latest/ug/observability/control-plane-logs.adoc index f5f87e7ed..39c652ada 100644 --- a/latest/ug/observability/control-plane-logs.adoc +++ b/latest/ug/observability/control-plane-logs.adoc @@ -157,3 +157,6 @@ For example, you should see the initial API server flags for the cluster when vi NOTE: If you don't see the API server logs at the beginning of the log stream, then it is likely that the API server log file was rotated on the server before you enabled API server logging on the server. Any log files that are rotated before API server logging is enabled can't be exported to CloudWatch. However, you can create a new cluster with the same [.noloc]`Kubernetes` version and enable the API server logging when you create the cluster. Clusters with the same platform version have the same flags enabled, so your flags should match the new cluster's flags. When you finish viewing the flags for the new cluster in CloudWatch, you can delete the new cluster. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[control-plane-logs,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/observability/deploy-prometheus.adoc b/latest/ug/observability/deploy-prometheus.adoc index bf5f70d7e..f407005d9 100644 --- a/latest/ug/observability/deploy-prometheus.adoc +++ b/latest/ug/observability/deploy-prometheus.adoc @@ -75,3 +75,6 @@ image::images/prometheus-metric.png[Prometheus metrics,scaledwidth=100%] image::images/prometheus.png[Prometheus console,scaledwidth=100%] + All of the [.noloc]`Kubernetes` endpoints that are connected to [.noloc]`Prometheus` using service discovery are displayed. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[deploy-prometheus,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/observability/eks-observe.adoc b/latest/ug/observability/eks-observe.adoc index 99c5fdaae..0812892dd 100644 --- a/latest/ug/observability/eks-observe.adoc +++ b/latest/ug/observability/eks-observe.adoc @@ -162,3 +162,6 @@ include::control-plane-logs.adoc[leveloffset=+1] include::logging-using-cloudtrail.adoc[leveloffset=+1] include::opentelemetry.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-observe,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/observability/enable-asg-metrics.adoc b/latest/ug/observability/enable-asg-metrics.adoc index b544161bd..eb421a18b 100644 --- a/latest/ug/observability/enable-asg-metrics.adoc +++ b/latest/ug/observability/enable-asg-metrics.adoc @@ -15,3 +15,6 @@ Amazon EKS managed node groups have Amazon EC2 Auto Scaling group metrics enable With Auto Scaling group metrics collection, you're able to monitor the scaling of managed node groups. Auto Scaling group metrics report the minimum, maximum, and desired size of an Auto Scaling group. You can create an alarm if the number of nodes in a node group falls below the minimum size, which would indicate an unhealthy node group. Tracking node group size is also useful in adjusting the maximum count so that your data plane doesn't run out of capacity. If you would prefer to not have these metrics collected, you can choose to disable all or only some of them. For example, you can do this to avoid noise in your CloudWatch dashboards. For more information, see link:autoscaling/ec2/userguide/ec2-auto-scaling-cloudwatch-monitoring.html[Amazon CloudWatch metrics for Amazon EC2 Auto Scaling,type="documentation"]. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[enable-asg-metrics,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/observability/logging-using-cloudtrail.adoc b/latest/ug/observability/logging-using-cloudtrail.adoc index 981e4f99f..1c681d667 100644 --- a/latest/ug/observability/logging-using-cloudtrail.adoc +++ b/latest/ug/observability/logging-using-cloudtrail.adoc @@ -26,3 +26,6 @@ include::service-name-info-in-cloudtrail.adoc[leveloffset=+1] include::understanding-service-name-entries.adoc[leveloffset=+1] include::enable-asg-metrics.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[logging-using-cloudtrail,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/observability/observability-dashboard.adoc b/latest/ug/observability/observability-dashboard.adoc index b4d1ce582..c6218b933 100644 --- a/latest/ug/observability/observability-dashboard.adoc +++ b/latest/ug/observability/observability-dashboard.adoc @@ -117,3 +117,6 @@ The Amazon EKS node monitoring agent automatically reads node logs to detect hea When you refresh the page, any resolved issues will disappear from the list. If auto repair is enabled, you could temporarily see some health issues that will be resolved without action from you. Issues that are not supported by auto repair may require manual action from you depending on the type. For node health issues to be reported, your cluster must use Amazon EKS Auto Mode or have the node monitoring agent add-on. For more information, see <>. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[observability-dashboard,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/observability/opentelemetry.adoc b/latest/ug/observability/opentelemetry.adoc index e584004c8..f9bdd62ea 100644 --- a/latest/ug/observability/opentelemetry.adoc +++ b/latest/ug/observability/opentelemetry.adoc @@ -14,3 +14,6 @@ The {aws} Distro for OpenTelemetry (ADOT) Operator makes it easier to enable you Amazon EKS supports using the {aws-management-console}, {aws} CLI and Amazon EKS API to install and manage the https://aws-otel.github.io/[{aws} Distro for OpenTelemetry (ADOT)] Operator. This makes it easier to enable your applications running on Amazon EKS to send metric and trace data to multiple monitoring service options like link:cloudwatch[Amazon CloudWatch,type="console"], link:prometheus[Prometheus,type="console"], and link:xray[X-Ray,type="console"]. For more information, see https://aws-otel.github.io/docs/getting-started/adot-eks-add-on[Getting Started with {aws} Distro for OpenTelemetry using EKS Add-Ons] in the {aws} Distro for [.noloc]`OpenTelemetry` documentation. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[opentelemetry,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/observability/prometheus.adoc b/latest/ug/observability/prometheus.adoc index 29cc247a4..3011a7141 100644 --- a/latest/ug/observability/prometheus.adoc +++ b/latest/ug/observability/prometheus.adoc @@ -86,3 +86,6 @@ To see more details about a scraper, choose the scraper ID link. For example, yo include::deploy-prometheus.adoc[leveloffset=+1] include::view-raw-metrics.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[prometheus,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/observability/service-name-info-in-cloudtrail.adoc b/latest/ug/observability/service-name-info-in-cloudtrail.adoc index e0428654c..2d99f1443 100644 --- a/latest/ug/observability/service-name-info-in-cloudtrail.adoc +++ b/latest/ug/observability/service-name-info-in-cloudtrail.adoc @@ -23,3 +23,6 @@ All Amazon EKS actions are logged by CloudTrail and are documented in the link:e Every event or log entry contains information about the type of IAM identity that made the request, and which credentials were used. If temporary credentials were used, the entry shows how the credentials were obtained. For more information, see the link:awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html[CloudTrail userIdentity element,type="documentation"]. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[service-name-info-in-cloudtrail,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/observability/understanding-service-name-entries.adoc b/latest/ug/observability/understanding-service-name-entries.adoc index 1dd581cc6..762a68251 100644 --- a/latest/ug/observability/understanding-service-name-entries.adoc +++ b/latest/ug/observability/understanding-service-name-entries.adoc @@ -118,3 +118,6 @@ The following example shows a CloudTrail log entry that demonstrates a ` link:IA "recipientAccountId": "111122223333" } ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[understanding-service-name-entries,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/observability/view-raw-metrics.adoc b/latest/ug/observability/view-raw-metrics.adoc index 81ff84804..029c74d68 100644 --- a/latest/ug/observability/view-raw-metrics.adoc +++ b/latest/ug/observability/view-raw-metrics.adoc @@ -334,3 +334,6 @@ kubectl port-forward pods/prom-pod 9090:9090 ---- For your Amazon EKS cluster, the core Kubernetes control plane metrics are also ingested into Amazon CloudWatch Metrics under the `AWS/EKS` namespace. To view them, open the link:cloudwatch/home#logs:prefix=/aws/eks[CloudWatch console,type="console"] and select *All metrics* from the left navigation pane. On the *Metrics* selection page, choose the `AWS/EKS` namespace and a metrics dimension for your cluster. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[view-raw-metrics,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/outposts/eks-outposts-capacity-considerations.adoc b/latest/ug/outposts/eks-outposts-capacity-considerations.adoc index 75ba95c6c..286bfe026 100644 --- a/latest/ug/outposts/eks-outposts-capacity-considerations.adoc +++ b/latest/ug/outposts/eks-outposts-capacity-considerations.adoc @@ -64,3 +64,6 @@ You are responsible for creating the desired placement group. You specify the pl * When a placement group is specified, there must be available slotted capacity on your Outpost to successfully create a local Amazon EKS cluster. The capacity varies based on whether you use the host or rack spread type. If there isn't enough capacity, the cluster remains in the `Creating` state. You are able to check the `Insufficient Capacity Error` on the health field of the link:eks/latest/APIReference/API_DescribeCluster.html[DescribeCluster,type="documentation"] API response. You must free capacity for the creation process to progress. * During Amazon EKS local cluster platform and version updates, the [.noloc]`Kubernetes` control plane instances from your cluster are replaced by new instances using a rolling update strategy. During this replacement process, each control plane instance is terminated, freeing up its respective slot. A new updated instance is provisioned in its place. The updated instance might be placed in the slot that was released. If the slot is consumed by another unrelated instance and there is no more capacity left that respects the required spread topology requirement, then the cluster remains in the `Updating` state. You are able to see the respective `Insufficient Capacity Error` on the health field of the link:eks/latest/APIReference/API_DescribeCluster.html[DescribeCluster,type="documentation"] API response. You must free capacity so the update process can progress and reestablish prior high availability levels. * You can create a maximum of 500 placement groups per account in each {aws} Region. For more information, see link:AWSEC2/latest/UserGuide/placement-groups.html#placement-groups-limitations-general[General rules and limitations,type="documentation"] in the Amazon EC2 User Guide. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-outposts-capacity-considerations,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/outposts/eks-outposts-local-cluster-create.adoc b/latest/ug/outposts/eks-outposts-local-cluster-create.adoc index 413d1dfa7..28d62c0c9 100644 --- a/latest/ug/outposts/eks-outposts-local-cluster-create.adoc +++ b/latest/ug/outposts/eks-outposts-local-cluster-create.adoc @@ -266,3 +266,6 @@ Recommended next steps: * Familiarize yourself with what happens during <>. * <> * Consider setting up a backup plan for your `etcd`. Amazon EKS doesn't support automated backup and restore of `etcd` for local clusters. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/#backing-up-an-etcd-cluster[Backing up an etcd cluster] in the [.noloc]`Kubernetes` documentation. The two main options are using `etcdctl` to automate taking snapshots or using Amazon EBS storage volume backup. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-outposts-local-cluster-create,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc b/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc index 5d7c6a1f5..41f72d20b 100644 --- a/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc +++ b/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc @@ -37,3 +37,6 @@ You can create local clusters in the following {aws} Regions: US East (Ohio), US [.topiclist] [[Topic List]] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-outposts-local-cluster-overview,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/outposts/eks-outposts-network-disconnects.adoc b/latest/ug/outposts/eks-outposts-network-disconnects.adoc index 1513d1915..1ae47433b 100644 --- a/latest/ug/outposts/eks-outposts-network-disconnects.adoc +++ b/latest/ug/outposts/eks-outposts-network-disconnects.adoc @@ -178,3 +178,6 @@ kubectl config use-context admin@my-cluster --kubeconfig admin.kubeconfig + If you notice any issues with your local clusters while they're in a disconnected state, we recommend opening a support ticket. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-outposts-network-disconnects,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/outposts/eks-outposts-platform-versions.adoc b/latest/ug/outposts/eks-outposts-platform-versions.adoc index 7352337dd..27fd43431 100644 --- a/latest/ug/outposts/eks-outposts-platform-versions.adoc +++ b/latest/ug/outposts/eks-outposts-platform-versions.adoc @@ -224,3 +224,6 @@ The following admission controllers are enabled for all `1.27` platform versions |Initial release of Kubernetes version `1.27` for local Amazon EKS clusters on Outposts. |May 30, 2023 |=== + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-outposts-platform-versions,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc index 0aa2814e3..2c3954837 100644 --- a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc +++ b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc @@ -221,3 +221,6 @@ kubectl apply -f https://raw.githubusercontent.com/NVIDIA/k8s-device-plugin/vX.X . (Optional) Deploy a <> to test your cluster and [.noloc]`Linux` nodes. . If your cluster is deployed on an Outpost, then skip this step. If your cluster is deployed on the {aws} Cloud, the following information is optional. If the *AmazonEKS_CNI_Policy* managed IAM policy is attached to your <>, we recommend assigning it to an IAM role that you associate to the [.noloc]`Kubernetes` `aws-node` service account instead. For more information, see <>. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-outposts-self-managed-nodes,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/outposts/eks-outposts-troubleshooting.adoc b/latest/ug/outposts/eks-outposts-troubleshooting.adoc index f73ffd1a0..6e0b91852 100644 --- a/latest/ug/outposts/eks-outposts-troubleshooting.adoc +++ b/latest/ug/outposts/eks-outposts-troubleshooting.adoc @@ -273,3 +273,6 @@ Amazon EKS control plane instances are not reachable through SSM. Please verify To resolve this issue, make sure that your VPC and subnets meet the requirements in <> and that you completed the steps in link:systems-manager/latest/userguide/session-manager-getting-started.html[Setting up Session Manager,type="documentation"] in the {aws} Systems Manager User Guide. ==== + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-outposts-troubleshooting,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc b/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc index 07e181cc5..6550761af 100644 --- a/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc +++ b/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc @@ -109,3 +109,6 @@ You can create a VPC that meets the previous requirements using one of the follo * *https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2022-09-20/amazon-eks-local-outposts-vpc-subnet.yaml[Template 1]* – This template creates a VPC with one private subnet on the Outpost and one public subnet in the {aws} Region. The private subnet has a route to an internet through a NAT Gateway that resides in the public subnet in the {aws} Region. This template can be used to create a local cluster in a subnet with egress internet access. * *https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2023-03-20/amazon-eks-local-outposts-fully-private-vpc-subnet.yaml[Template 2]* – This template creates a VPC with one private subnet on the Outpost and the minimum set of VPC Endpoints required to create a local cluster in a subnet that doesn't have ingress or egress internet access (also referred to as a private subnet). + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-outposts-vpc-subnet-requirements,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/outposts/eks-outposts.adoc b/latest/ug/outposts/eks-outposts.adoc index 8058910d1..b59d5c5fc 100644 --- a/latest/ug/outposts/eks-outposts.adoc +++ b/latest/ug/outposts/eks-outposts.adoc @@ -154,3 +154,6 @@ include::eks-outposts-local-cluster-overview.adoc[leveloffset=+1] include::eks-outposts-self-managed-nodes.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-outposts,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/quickstart.adoc b/latest/ug/quickstart.adoc index ff270ff1a..535db5ff5 100644 --- a/latest/ug/quickstart.adoc +++ b/latest/ug/quickstart.adoc @@ -280,3 +280,5 @@ eksctl delete cluster -f ./cluster-config.yaml EKS will automatically clean up any nodes it provisioned when the cluster is deleted. + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[quickstart,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/related-projects.adoc b/latest/ug/related-projects.adoc index ad08dc451..411bd160a 100644 --- a/latest/ug/related-projects.adoc +++ b/latest/ug/related-projects.adoc @@ -197,4 +197,7 @@ CI/CD solution for modern cloud applications on Amazon EKS and [.noloc]`Kubernet * https://jenkins-x.io/docs/[Project documentation] +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[related-projects,&type=code[Edit this page on GitHub] + + 📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[related-projects,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/roadmap.adoc b/latest/ug/roadmap.adoc index 0d782eb65..6894f60ad 100644 --- a/latest/ug/roadmap.adoc +++ b/latest/ug/roadmap.adoc @@ -18,3 +18,6 @@ Follow the What's New feed and public roadmap to help plan for new and future Am -- You can learn about new Amazon EKS features by scrolling to the What's New feed on the link:new/?whats-new-content-all.sort-by=item.additionalFields.postDateTime&whats-new-content-all.sort-order=desc&awsf.whats-new-compute=*all&awsf.whats-new-containers=general-products%23amazon-eks[What's New with {aws},type="marketing"] page. You can also review the https://github.com/aws/containers-roadmap/projects/1?card_filter_query=eks[roadmap] on [.noloc]`GitHub`, which lets you know about upcoming features and priorities so that you can plan how you want to use Amazon EKS in the future. You can provide direct feedback to us about the roadmap priorities. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[roadmap,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/auto-security.adoc b/latest/ug/security/auto-security.adoc index 6e817f183..2f4e55323 100644 --- a/latest/ug/security/auto-security.adoc +++ b/latest/ug/security/auto-security.adoc @@ -100,3 +100,6 @@ The following section describes security best practices for Amazon EKS Auto Mode * Monitor cluster activity through {aws} CloudTrail and Amazon CloudWatch. For more information, see link:eks/latest/userguide/logging-using-cloudtrail.html["Log API calls as CloudTrail events",type="documentation"] and link:eks/latest/userguide/cloudwatch.html["Monitor cluster data with Amazon CloudWatch",type="documentation"]. * Use {aws} Security Hub for security posture assessment. * Implement pod security standards appropriate for your workloads. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-security,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/cert-signing.adoc b/latest/ug/security/cert-signing.adoc index 93b8ba658..4c8abdd94 100644 --- a/latest/ug/security/cert-signing.adoc +++ b/latest/ug/security/cert-signing.adoc @@ -137,3 +137,5 @@ kubectl certificate approve csr-7znmf To auto-approve CSRs in the future, we recommend that you write an approving controller that can automatically validate and approve CSRs that contain IP or DNS SANs that Amazon EKS can't verify. + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cert-signing,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/compliance.adoc b/latest/ug/security/compliance.adoc index 9b2f26638..579e7fb4d 100644 --- a/latest/ug/security/compliance.adoc +++ b/latest/ug/security/compliance.adoc @@ -28,3 +28,6 @@ NOTE: Not all {aws} services are HIPAA eligible. For more information, see the l * link:securityhub/latest/userguide/what-is-securityhub.html[{aws} Security Hub,type="documentation"] – This {aws} service provides a comprehensive view of your security state within {aws}. Security Hub uses security controls to evaluate your {aws} resources and to check your compliance against security industry standards and best practices. For a list of supported services and controls, see link:securityhub/latest/userguide/securityhub-controls-reference.html[Security Hub controls reference,type="documentation"]. * link:guardduty/latest/ug/what-is-guardduty.html[Amazon GuardDuty,type="documentation"] – This {aws} service detects potential threats to your {aws} accounts, workloads, containers, and data by monitoring your environment for suspicious and malicious activities. GuardDuty can help you address various compliance requirements, like PCI DSS, by meeting intrusion detection requirements mandated by certain compliance frameworks. * link:audit-manager/latest/userguide/what-is.html[{aws} Audit Manager,type="documentation"] – This {aws} service helps you continuously audit your {aws} usage to simplify how you manage risk and compliance with regulations and industry standards. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[compliance,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/configuration-vulnerability-analysis.adoc b/latest/ug/security/configuration-vulnerability-analysis.adoc index 9ec6edbec..5143f7c73 100644 --- a/latest/ug/security/configuration-vulnerability-analysis.adoc +++ b/latest/ug/security/configuration-vulnerability-analysis.adoc @@ -57,3 +57,6 @@ You can use link:inspector/latest/userguide/inspector_introduction.html[Amazon Amazon GuardDuty threat detection service that helps protect your accounts, containers, workloads, and the data within your {aws} environment. Among other features, GuardDuty offers the following two features that detect potential threats to your EKS clusters: _EKS Protection_ and _Runtime Monitoring_. For more information, see <>. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[configuration-vulnerability-analysis,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/default-roles-users.adoc b/latest/ug/security/default-roles-users.adoc index 4a2c036c8..a7fb7bccc 100644 --- a/latest/ug/security/default-roles-users.adoc +++ b/latest/ug/security/default-roles-users.adoc @@ -193,3 +193,4 @@ Subjects: ---- +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[default-roles-users,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/disaster-recovery-resiliency.adoc b/latest/ug/security/disaster-recovery-resiliency.adoc index e41df74fe..6533fed39 100644 --- a/latest/ug/security/disaster-recovery-resiliency.adoc +++ b/latest/ug/security/disaster-recovery-resiliency.adoc @@ -24,3 +24,5 @@ This control plane consists of at least two API server instances and three `etcd For more information about {aws} Regions and Availability Zones, see link:about-aws/global-infrastructure/[{aws} global infrastructure,type="marketing"]. + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[disaster-recovery-resiliency,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/enable-kms.adoc b/latest/ug/security/enable-kms.adoc index 7b223b2e1..13fc5a428 100644 --- a/latest/ug/security/enable-kms.adoc +++ b/latest/ug/security/enable-kms.adoc @@ -187,3 +187,5 @@ For clusters using KMS Envelope Encryption, `kms:CreateGrant` permissions are re ==== + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[enable-kms,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc b/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc index c4eb21165..c6bf0fae1 100644 --- a/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc +++ b/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc @@ -151,3 +151,6 @@ aws iam attach-role-policy \ --role-name AmazonEKSAutoClusterRole \ --policy-arn arn:aws:iam::aws:policy/AmazonEKSNetworkingPolicy ``` + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-cluster-iam-role,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/auto-create-node-role.adoc b/latest/ug/security/iam-reference/auto-create-node-role.adoc index bfb221e52..1dff3d1ac 100644 --- a/latest/ug/security/iam-reference/auto-create-node-role.adoc +++ b/latest/ug/security/iam-reference/auto-create-node-role.adoc @@ -115,3 +115,6 @@ aws iam attach-role-policy \ --role-name AmazonEKSAutoNodeRole \ --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly ``` + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-create-node-role,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/cluster-iam-role.adoc b/latest/ug/security/iam-reference/cluster-iam-role.adoc index b4d234ec5..c72d930ec 100644 --- a/latest/ug/security/iam-reference/cluster-iam-role.adoc +++ b/latest/ug/security/iam-reference/cluster-iam-role.adoc @@ -146,3 +146,6 @@ aws iam attach-role-policy \ --policy-arn {arn-aws}iam::aws:policy/AmazonEKSClusterPolicy \ --role-name eksClusterRole ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cluster-iam-role,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/connector-iam-role.adoc b/latest/ug/security/iam-reference/connector-iam-role.adoc index 2b3c733e1..e4f0b5615 100644 --- a/latest/ug/security/iam-reference/connector-iam-role.adoc +++ b/latest/ug/security/iam-reference/connector-iam-role.adoc @@ -168,3 +168,5 @@ Outputs: .. On the *Configure stack options* page, choose *Next*. .. On the *Review* page, review your information, acknowledge that the stack might create IAM resources, and then choose *Create stack*. + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[connector-iam-role,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/create-node-role.adoc b/latest/ug/security/iam-reference/create-node-role.adoc index 71bc33965..dda133505 100644 --- a/latest/ug/security/iam-reference/create-node-role.adoc +++ b/latest/ug/security/iam-reference/create-node-role.adoc @@ -196,3 +196,6 @@ aws iam attach-role-policy \ --policy-arn {arn-aws}iam::111122223333:policy/AmazonEKS_CNI_IPv6_Policy \ --role-name AmazonEKSNodeRole ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[create-node-role,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/pod-execution-role.adoc b/latest/ug/security/iam-reference/pod-execution-role.adoc index 108750046..168f062eb 100644 --- a/latest/ug/security/iam-reference/pod-execution-role.adoc +++ b/latest/ug/security/iam-reference/pod-execution-role.adoc @@ -169,3 +169,4 @@ aws iam attach-role-policy \ ---- +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[pod-execution-role,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc index 294e9ebf9..516ad84a2 100644 --- a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc +++ b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc @@ -497,3 +497,6 @@ Added the ability for the EBS CSI Driver to enable Fast Snapshot Restore (FSR) o |June 17, 2021 |=== + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[security-iam-awsmanpol,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc b/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc index 8059b4d98..5ce7d6031 100644 --- a/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc +++ b/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc @@ -247,3 +247,4 @@ This example policy includes the minimum permissions required to list and descri ---- +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[security-iam-id-based-policy-examples,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc b/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc index 1048072c1..b32fbd638 100644 --- a/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc +++ b/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc @@ -151,3 +151,5 @@ Amazon EKS supports service roles. For more information, see < When you create a cluster resource in Amazon EKS, you must choose a role to allow Amazon EKS to access several other {aws} resources on your behalf. If you have previously created a service role, then Amazon EKS provides you with a list of roles to choose from. It's important to choose a role that has the Amazon EKS managed policies attached to it. For more information, see <> and <>. + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[security-iam-service-with-iam,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc b/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc index 9e20eae63..d3694d681 100644 --- a/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc +++ b/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc @@ -75,3 +75,6 @@ Your containers receive this error if your application is explicitly making requ * Update your application code to remove explicit calls to the {aws} STS global endpoint. * Update your application code to make explicit calls to regional endpoints such as `https://sts.us-west-2.amazonaws.com`. Your application should have redundancy built in to pick a different {aws} Region in the event of a failure of the service in the {aws} Region. For more information, see link:IAM/latest/UserGuide/id_credentials_temp_enable-regions.html[Managing {aws} STS in an {aws} Region,type="documentation"] in the IAM User Guide. * Configure your service accounts to use the global endpoint. All versions earlier than `1.22` used the global endpoint by default, but version `1.22` and later clusters use the regional endpoint by default. For more information, see <>. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[security-iam-troubleshoot,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/security-iam.adoc b/latest/ug/security/iam-reference/security-iam.adoc index 0619d63a6..437aa2cc7 100644 --- a/latest/ug/security/iam-reference/security-iam.adoc +++ b/latest/ug/security/iam-reference/security-iam.adoc @@ -141,3 +141,6 @@ Amazon S3, {aws} WAF, and Amazon VPC are examples of services that support ACLs. === Multiple policy types When multiple types of policies apply to a request, the resulting permissions are more complicated to understand. To learn how {aws} determines whether to allow a request when multiple policy types are involved, see link:IAM/latest/UserGuide/reference_policies_evaluation-logic.html[Policy evaluation logic,type="documentation"] in the _IAM User Guide_. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[security-iam,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc index 10916e35e..64dd51a1c 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc @@ -72,3 +72,5 @@ If the Amazon EKS service is using the role when you try to delete the resources Use the IAM console, the {aws} CLI, or the {aws} API to delete the AWSServiceRoleForAmazonEKSConnector service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role[Deleting a service-linked role,type="documentation"] in the _IAM User Guide_. + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[using-service-linked-roles-eks-connector,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc index 5820ece18..479d30da1 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc @@ -92,3 +92,5 @@ Use the IAM console, the {aws} CLI, or the {aws} API to delete the AWSServiceRol Amazon EKS supports using service-linked roles in all of the regions where the service is available. For more information, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"]. + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[using-service-linked-roles-eks-fargate,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc index 1b62b4c84..e96c83553 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc @@ -91,3 +91,5 @@ Use the IAM console, the {aws} CLI, or the {aws} API to delete the `AWSServiceRo Amazon EKS supports using service-linked roles in all of the regions where the service is available. For more information, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"]. + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[using-service-linked-roles-eks-nodegroups,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc index d22daa5f7..61467e828 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc @@ -91,5 +91,4 @@ Use the IAM console, the {aws} CLI, or the {aws} API to delete the `AWSServiceRo Amazon EKS supports using service-linked roles in all of the regions where the service is available. For more information, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"]. - - +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[using-service-linked-roles-eks-outpost,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc index 36e33c778..b9548d9e9 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc @@ -86,3 +86,5 @@ Use the IAM console, the {aws} CLI, or the {aws} API to delete the `AWSServiceRo Amazon EKS supports using service-linked roles in all of the regions where the service is available. For more information, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"]. + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[using-service-linked-roles-eks,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/using-service-linked-roles.adoc b/latest/ug/security/iam-reference/using-service-linked-roles.adoc index 12c5558aa..d9a304df1 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles.adoc @@ -25,3 +25,5 @@ Amazon Elastic Kubernetes Service uses {aws} Identity and Access Management (IAM [.topiclist] [[Topic List]] + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[using-service-linked-roles,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/infrastructure-security.adoc b/latest/ug/security/infrastructure-security.adoc index 9d59895a1..4f277bbae 100644 --- a/latest/ug/security/infrastructure-security.adoc +++ b/latest/ug/security/infrastructure-security.adoc @@ -37,3 +37,5 @@ For more information about modifying cluster endpoint access, see <>. Project [.noloc]`Calico` is a third party open source project. For more information, see the https://docs.tigera.io/calico/latest/getting-started/kubernetes/managed-public-cloud/eks/[Project Calico documentation]. + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[infrastructure-security,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/manage-secrets.adoc b/latest/ug/security/manage-secrets.adoc index 163fc203e..d5724d866 100644 --- a/latest/ug/security/manage-secrets.adoc +++ b/latest/ug/security/manage-secrets.adoc @@ -20,3 +20,5 @@ If you use Secrets Manager automatic rotation for your secrets, you can also use For more information, see link:secretsmanager/latest/userguide/integrating_csi_driver.html[Using Secrets Manager secrets in Amazon EKS,type="documentation"] in the {aws} Secrets Manager User Guide. + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[manage-secrets,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/pod-security-policy-removal-faq.adoc b/latest/ug/security/pod-security-policy-removal-faq.adoc index 14dbb1d30..33b5211f1 100644 --- a/latest/ug/security/pod-security-policy-removal-faq.adoc +++ b/latest/ug/security/pod-security-policy-removal-faq.adoc @@ -113,3 +113,5 @@ When a cluster that contains a [.noloc]`PSP` is upgraded to [.noloc]`Kubernetes` We don't expect any specific impact to Windows workloads. PodSecurityContext has a field called `windowsOptions` in the `PodSpec v1` API for Windows [.noloc]`Pods`. This uses [.noloc]`PSS` in [.noloc]`Kubernetes` `1.25`. For more information and best practices about enforcing [.noloc]`PSS` for Windows workloads, see the https://aws.github.io/aws-eks-best-practices/windows/docs/security/#pod-security-contexts[EKS Best Practices Guide] and [.noloc]`Kubernetes` https://kubernetes.io/docs/tasks/configure-pod-container/configure-runasusername/[documentation]. ==== + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[pod-security-policy-removal-faq,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/pod-security-policy.adoc b/latest/ug/security/pod-security-policy.adoc index aee5127ae..778abeb1f 100644 --- a/latest/ug/security/pod-security-policy.adoc +++ b/latest/ug/security/pod-security-policy.adoc @@ -194,3 +194,4 @@ kubectl apply -f privileged-podsecuritypolicy.yaml ---- +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[pod-security-policy,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/security-best-practices.adoc b/latest/ug/security/security-best-practices.adoc index 73fd74d62..6d457c6c5 100644 --- a/latest/ug/security/security-best-practices.adoc +++ b/latest/ug/security/security-best-practices.adoc @@ -13,3 +13,4 @@ Learn how to secure your Amazon EKS clusters by following the best practices fro The Amazon EKS security best practices are in the link:eks/latest/best-practices/security.html[Best Practices for Security,type="documentation"] in the _Amazon EKS Best Practices Guide_. +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[security-best-practices,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/security-eks.adoc b/latest/ug/security/security-eks.adoc index d0edcef13..589cf62c4 100644 --- a/latest/ug/security/security-eks.adoc +++ b/latest/ug/security/security-eks.adoc @@ -18,3 +18,6 @@ The following are considerations for security of the cloud, as they affect Amazo [.topiclist] [[Topic List]] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[security-eks,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/security-k8s.adoc b/latest/ug/security/security-k8s.adoc index 98b11aaa9..47f923dfd 100644 --- a/latest/ug/security/security-k8s.adoc +++ b/latest/ug/security/security-k8s.adoc @@ -26,3 +26,6 @@ The following are considerations for security in the cloud, as they affect [.nol [.topiclist] [[Topic List]] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[security-k8s,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/security.adoc b/latest/ug/security/security.adoc index 59930a3fb..cef5f3edc 100644 --- a/latest/ug/security/security.adoc +++ b/latest/ug/security/security.adoc @@ -59,3 +59,6 @@ This documentation helps you understand how to apply the shared responsibility m [.topiclist] [[Topic List]] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[security,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/vpc-interface-endpoints.adoc b/latest/ug/security/vpc-interface-endpoints.adoc index ec2ccdb4d..d527246ce 100644 --- a/latest/ug/security/vpc-interface-endpoints.adoc +++ b/latest/ug/security/vpc-interface-endpoints.adoc @@ -60,3 +60,4 @@ However, To use the dual-stack endpoints with the {aws} CLI, see the link:sdkref * Any call made to the Amazon EKS default service endpoint is automatically routed through the interface endpoint over the private {aws} network. +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[vpc-interface-endpoints,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/storage/csi-snapshot-controller.adoc b/latest/ug/storage/csi-snapshot-controller.adoc index 0ee0691ea..0d5008232 100644 --- a/latest/ug/storage/csi-snapshot-controller.adoc +++ b/latest/ug/storage/csi-snapshot-controller.adoc @@ -24,3 +24,6 @@ Here are some things to consider when using the CSI snapshot controller. We recommend that you install the CSI snapshot controller through the Amazon EKS managed add-on. This add-on includes the custom resource definitions (CRDs) that are needed to create and manage snapshots on Amazon EKS. To add an Amazon EKS add-on to your cluster, see <>. For more information about add-ons, see <>. Alternatively, if you want a self-managed installation of the CSI snapshot controller, see https://github.com/kubernetes-csi/external-snapshotter/blob/master/README.md#usage[Usage] in the upstream [.noloc]`Kubernetes` `external-snapshotter` on [.noloc]`GitHub`. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[csi-snapshot-controller,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/storage/ebs-csi-migration-faq.adoc b/latest/ug/storage/ebs-csi-migration-faq.adoc index 0790b61b1..e71dc6745 100644 --- a/latest/ug/storage/ebs-csi-migration-faq.adoc +++ b/latest/ug/storage/ebs-csi-migration-faq.adoc @@ -137,3 +137,6 @@ The new https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/m == Is migration supported for Windows workloads? Yes. If you're installing the Amazon EBS CSI driver using the open source Helm chart, set `node.enableWindows` to `true`. This is set by default if installing the Amazon EBS CSI driver as an Amazon EKS add-on. When creating `StorageClasses`, set the `fsType` to a Windows file system, such as `ntfs`. Volume operations for Windows workloads are then migrated to the Amazon EBS CSI driver the same as they are for Linux workloads. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[ebs-csi-migration-faq,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/storage/ebs-csi.adoc b/latest/ug/storage/ebs-csi.adoc index 18e60cb78..d67f70911 100644 --- a/latest/ug/storage/ebs-csi.adoc +++ b/latest/ug/storage/ebs-csi.adoc @@ -361,3 +361,6 @@ Alternatively, if you want a self-managed installation of the Amazon EBS CSI dri == Step 3: Deploy a sample application You can deploy a variety of sample apps and modify them as needed. For more information, see https://github.com/kubernetes-sigs/aws-ebs-csi-driver/tree/master/examples/kubernetes[Kubernetes Examples] on [.noloc]`GitHub`. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[ebs-csi,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/storage/efs-csi.adoc b/latest/ug/storage/efs-csi.adoc index 194193a47..6ede51eaf 100644 --- a/latest/ug/storage/efs-csi.adoc +++ b/latest/ug/storage/efs-csi.adoc @@ -192,3 +192,6 @@ To create an Amazon EFS file system, see https://github.com/kubernetes-sigs/aws- == Step 4: Deploy a sample application You can deploy a variety of sample apps and modify them as needed. For more information, see https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/README.md#examples[Examples] on [.noloc]`GitHub`. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[efs-csi,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/storage/file-cache-csi.adoc b/latest/ug/storage/file-cache-csi.adoc index b2332e5eb..4ddfd550f 100644 --- a/latest/ug/storage/file-cache-csi.adoc +++ b/latest/ug/storage/file-cache-csi.adoc @@ -14,3 +14,6 @@ The Amazon File Cache Container Storage Interface (CSI) driver provides a CSI in Amazon File Cache is a fully managed, high-speed cache on {aws} that's used to process file data, regardless of where the data is stored. Amazon File Cache automatically loads data into the cache when it's accessed for the first time and releases data when it's not used. For more information, see the link:fsx/latest/FileCacheGuide/what-is.html[Amazon File Cache User Guide,type="documentation"]. The Amazon File Cache Container Storage Interface (CSI) driver provides a CSI interface that allows Amazon EKS clusters to manage the life cycle of Amazon file caches. Note that the Amazon File Cache CSI driver is not compatible with Amazon EKS Hybrid Nodes. To deploy the Amazon File Cache CSI driver to your Amazon EKS cluster, see https://github.com/kubernetes-sigs/aws-file-cache-csi-driver[aws-file-cache-csi-driver] on GitHub. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[file-cache-csi,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/storage/fsx-csi.adoc b/latest/ug/storage/fsx-csi.adoc index 73d3f8701..f21e8817a 100644 --- a/latest/ug/storage/fsx-csi.adoc +++ b/latest/ug/storage/fsx-csi.adoc @@ -299,3 +299,6 @@ This example output shows that the sample app successfully wrote the `out.txt` f Before deleting the cluster, make sure to delete the FSx for Lustre file system. For more information, see link:fsx/latest/LustreGuide/getting-started-step4.html[Clean up resources,type="documentation"] in the _FSx for Lustre User Guide_. ==== + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[fsx-csi,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/storage/fsx-ontap.adoc b/latest/ug/storage/fsx-ontap.adoc index a088bdd4a..a38cb6268 100644 --- a/latest/ug/storage/fsx-ontap.adoc +++ b/latest/ug/storage/fsx-ontap.adoc @@ -14,3 +14,6 @@ The [.noloc]`NetApp Trident` allows Amazon EKS clusters to manage the lifecycle The [.noloc]`NetApp Trident` provides dynamic storage orchestration using a Container Storage Interface (CSI) compliant driver. This allows Amazon EKS clusters to manage the lifecycle of persistent volumes (PVs) backed by Amazon FSx for NetApp ONTAP file systems. Note that the Amazon FSx for NetApp ONTAP CSI driver is not compatible with Amazon EKS Hybrid Nodes. To get started, see https://docs.netapp.com/us-en/trident/trident-use/trident-fsx.html[Use Trident with Amazon FSx for NetApp ONTAP] in the [.noloc]`NetApp Trident` documentation. Amazon FSx for NetApp ONTAP is a storage service that allows you to launch and run fully managed [.noloc]`ONTAP` file systems in the cloud. [.noloc]`ONTAP` is [.noloc]`NetApp's` file system technology that provides a widely adopted set of data access and data management capabilities. FSx for ONTAP provides the features, performance, and APIs of on-premises [.noloc]`NetApp` file systems with the agility, scalability, and simplicity of a fully managed {aws} service. For more information, see the link:fsx/latest/ONTAPGuide/what-is-fsx-ontap.html[FSx for ONTAP User Guide,type="documentation"]. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[fsx-ontap,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/storage/fsx-openzfs-csi.adoc b/latest/ug/storage/fsx-openzfs-csi.adoc index 63468505c..356f80352 100644 --- a/latest/ug/storage/fsx-openzfs-csi.adoc +++ b/latest/ug/storage/fsx-openzfs-csi.adoc @@ -14,3 +14,6 @@ The Amazon FSx for OpenZFS Container Storage Interface (CSI) driver provides a C Amazon FSx for OpenZFS is a fully managed file storage service that makes it easy to move data to {aws} from on-premises ZFS or other Linux-based file servers. You can do this without changing your application code or how you manage data. It offers highly reliable, scalable, efficient, and feature-rich file storage built on the open-source OpenZFS file system. It combines these capabilities with the agility, scalability, and simplicity of a fully managed {aws} service. For more information, see the link:fsx/latest/OpenZFSGuide/what-is-fsx.html[Amazon FSx for OpenZFS User Guide,type="documentation"]. The FSx for OpenZFS Container Storage Interface (CSI) driver provides a CSI interface that allows Amazon EKS clusters to manage the life cycle of FSx for OpenZFS volumes. Note that the Amazon FSx for OpenZFS CSI driver is not compatible with Amazon EKS Hybrid Nodes. To deploy the FSx for OpenZFS CSI driver to your Amazon EKS cluster, see https://github.com/kubernetes-sigs/aws-fsx-openzfs-csi-driver[aws-fsx-openzfs-csi-driver] on GitHub. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[fsx-openzfs-csi,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/storage/s3-csi.adoc b/latest/ug/storage/s3-csi.adoc index a1f521c0b..0b3318d42 100644 --- a/latest/ug/storage/s3-csi.adoc +++ b/latest/ug/storage/s3-csi.adoc @@ -414,3 +414,6 @@ Replace [.replaceable]`my-cluster` with the name of your cluster, and then run t ---- aws eks delete-addon --cluster-name my-cluster --addon-name aws-mountpoint-s3-csi-driver --preserve ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[s3-csi,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/storage/storage.adoc b/latest/ug/storage/storage.adoc index 808bdc63e..e061daabc 100644 --- a/latest/ug/storage/storage.adoc +++ b/latest/ug/storage/storage.adoc @@ -48,3 +48,6 @@ include::s3-csi.adoc[leveloffset=+1] include::csi-snapshot-controller.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[storage,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/troubleshooting/troubleshooting.adoc b/latest/ug/troubleshooting/troubleshooting.adoc index fcd5f26fc..26aa9f3e4 100644 --- a/latest/ug/troubleshooting/troubleshooting.adoc +++ b/latest/ug/troubleshooting/troubleshooting.adoc @@ -713,3 +713,6 @@ The first two columns are what are needed for API response values. The third fie |The [.noloc]`KMS Key Arn` |No |=== + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[troubleshooting,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/what-is/common-use-cases.adoc b/latest/ug/what-is/common-use-cases.adoc index 1019ea1d7..f1b7225d6 100644 --- a/latest/ug/what-is/common-use-cases.adoc +++ b/latest/ug/what-is/common-use-cases.adoc @@ -45,3 +45,6 @@ Utilize link:ec2/spot/[Spot Instances,type="marketing"] to run your batch proces *Securing application and ensuring compliance*:: Implement strong security practices and maintain compliance with Amazon EKS, which integrates with {aws} security services such as link:iam/[{aws} Identity and Access Management,type="marketing"] (IAM), link:vpc/[Amazon Virtual Private Cloud,type="marketing"] (Amazon VPC), and link:kms/[{aws} Key Management Service,type="marketing"] ({aws} KMS). This ensures data privacy and protection as per industry standards. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[common-use-cases,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/what-is/eks-architecture.adoc b/latest/ug/what-is/eks-architecture.adoc index 745330e2c..3ab961efa 100644 --- a/latest/ug/what-is/eks-architecture.adoc +++ b/latest/ug/what-is/eks-architecture.adoc @@ -62,3 +62,6 @@ https://karpenter.sh/[Karpenter] is a flexible, high-performance [.noloc]`Kubern *Amazon EKS Hybrid Nodes*:: With <>, you can use your on-premises and edge infrastructure as nodes in Amazon EKS clusters. Amazon EKS Hybrid Nodes unifies Kubernetes management across environments and offloads Kubernetes control plane management to {aws} for your on-premises and edge applications. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-architecture,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/what-is/eks-deployment-options.adoc b/latest/ug/what-is/eks-deployment-options.adoc index 1a3ec54c4..37c9239c0 100644 --- a/latest/ug/what-is/eks-deployment-options.adoc +++ b/latest/ug/what-is/eks-deployment-options.adoc @@ -110,3 +110,6 @@ https://aws.amazon.com/eks/eks-anywhere/[Amazon EKS Anywhere] simplifies Kuberne You can use the <> to register and connect any conformant Kubernetes cluster to {aws} and view it in the Amazon EKS console. After a cluster is connected, you can see the status, configuration, and workloads for that cluster in the Amazon EKS console. You can use this feature to view connected clusters in Amazon EKS console, but the Amazon EKS Connector does not enable management or mutating operations for your connected clusters through the Amazon EKS console. https://aws.amazon.com/eks/eks-distro/[Amazon EKS Distro] is the {aws} distribution of the underlying Kubernetes components that power all Amazon EKS offerings. It includes the core components required for a functioning Kubernetes cluster such as Kubernetes control plane components (etcd, kube-apiserver, kube-scheduler, kube-controller-manager) and networking components (CoreDNS, kube-proxy, CNI plugins). Amazon EKS Distro can be used to self-manage Kubernetes clusters with your choice of tooling. Amazon EKS Distro deployments are not covered by {aws} Support Plans. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-deployment-options,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/what-is/kubernetes-concepts.adoc b/latest/ug/what-is/kubernetes-concepts.adoc index cfba58970..3567230d9 100644 --- a/latest/ug/what-is/kubernetes-concepts.adoc +++ b/latest/ug/what-is/kubernetes-concepts.adoc @@ -258,3 +258,5 @@ Understanding basic [.noloc]`Kubernetes` concepts and how they relate to Amazon * <> * <> + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[kubernetes-concepts,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index d86a0929e..8320e00af 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -92,3 +92,6 @@ include::eks-architecture.adoc[leveloffset=+1] include::kubernetes-concepts.adoc[leveloffset=+1] include::eks-deployment-options.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[what-is-eks,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/add-ons-iam.adoc b/latest/ug/workloads/add-ons-iam.adoc index 08fc1ee14..cae770cdc 100644 --- a/latest/ug/workloads/add-ons-iam.adoc +++ b/latest/ug/workloads/add-ons-iam.adoc @@ -34,3 +34,6 @@ Amazon EKS add-ons can help manage the life cycle of pod identity associations c * Pod identity associations created using the add-on APIs are owned by the respective add-on. If you delete the add-on, the pod identity association is also deleted. You can prevent this cascading delete by using the `preserve` option when deleting an addon using the {aws} CLI or API. You also can directly update or delete the pod identity association if necessary. Add-ons can't assume ownership of existing pod identity associations. You must delete the existing association and re-create it using an add-on create or update operation. * Amazon EKS recommends using pod identity associations to manage IAM permissions for add-ons. The previous method, IAM roles for service accounts (IRSA), is still supported. You can specify both an IRSA `serviceAccountRoleArn` and a pod identity association for an add-on. If the EKS pod identity agent is installed on the cluster, the `serviceAccountRoleArn` will be ignored, and EKS will use the provided pod identity association. If Pod Identity is not enabled, the `serviceAccountRoleArn` will be used. * If you update the pod identity associations for an existing add-on, Amazon EKS initiates a rolling restart of the add-on pods. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[add-ons-iam,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/add-ons-images.adoc b/latest/ug/workloads/add-ons-images.adoc index 8883f15c2..f105e2441 100644 --- a/latest/ug/workloads/add-ons-images.adoc +++ b/latest/ug/workloads/add-ons-images.adoc @@ -120,3 +120,6 @@ When you deploy <> to |013241004608.dkr.ecr.us-gov-west-1.amazonaws.com |=== + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[add-ons-images,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/addon-compat.adoc b/latest/ug/workloads/addon-compat.adoc index a25d3c56d..dce1ecf4f 100644 --- a/latest/ug/workloads/addon-compat.adoc +++ b/latest/ug/workloads/addon-compat.adoc @@ -71,3 +71,4 @@ The `computeTypes` field in the `describe-addon-versions` output indicates an ad For more information, see <>. +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[addon-compat,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/addon-id-troubleshoot.adoc b/latest/ug/workloads/addon-id-troubleshoot.adoc index 023301518..4baf77d8d 100644 --- a/latest/ug/workloads/addon-id-troubleshoot.adoc +++ b/latest/ug/workloads/addon-id-troubleshoot.adoc @@ -39,3 +39,6 @@ aws iam get-role --role-name --query Role.AssumeRolePolicyDocument * The service account name in the pod identity association matches the service account name used by the add-on. + ** For information about the available add-ons, see <>. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[addon-id-troubleshoot,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/alb-ingress.adoc b/latest/ug/workloads/alb-ingress.adoc index 813463a84..df8bc8a31 100644 --- a/latest/ug/workloads/alb-ingress.adoc +++ b/latest/ug/workloads/alb-ingress.adoc @@ -245,3 +245,6 @@ kubectl delete -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-bal ---- kubectl delete -f 2048_full.yaml ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[alb-ingress,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/community-addons.adoc b/latest/ug/workloads/community-addons.adoc index 8c2ca41d3..b9fd95578 100644 --- a/latest/ug/workloads/community-addons.adoc +++ b/latest/ug/workloads/community-addons.adoc @@ -72,3 +72,6 @@ The Kubernetes Metrics Server is a scalable and efficient source of container re |=== link:samples/attributions-md.zip[View license attributions for this add-on. ] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[community-addons,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/copy-image-to-repository.adoc b/latest/ug/workloads/copy-image-to-repository.adoc index 600753767..398d66976 100644 --- a/latest/ug/workloads/copy-image-to-repository.adoc +++ b/latest/ug/workloads/copy-image-to-repository.adoc @@ -83,3 +83,6 @@ aws ecr get-login-password --region region-code | docker login --username {aws} docker push 111122223333.dkr.ecr.region-code.amazonaws.com/cni-metrics-helper:v1.12.6 ---- . Update the manifest file that you used to determine the image in a previous step with the `registry/repository:tag` for the image that you pushed. If you're installing with a Helm chart, there's often an option to specify the `registry/repository:tag`. When installing the chart, specify the `registry/repository:tag` for the image that you pushed to your repository. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[copy-image-to-repository,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/creating-an-add-on.adoc b/latest/ug/workloads/creating-an-add-on.adoc index 6d3967cc3..08cf533fc 100644 --- a/latest/ug/workloads/creating-an-add-on.adoc +++ b/latest/ug/workloads/creating-an-add-on.adoc @@ -326,3 +326,6 @@ For a full list of available options, see `link:cli/latest/reference/eks/create- ---- + If you receive an error similar to the error in the previous output, visit the URL in the output of a previous step to subscribe to the add-on. Once subscribed, run the `create-addon` command again. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[creating-an-add-on,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/eks-add-ons.adoc b/latest/ug/workloads/eks-add-ons.adoc index f5318b423..29dbef4fa 100644 --- a/latest/ug/workloads/eks-add-ons.adoc +++ b/latest/ug/workloads/eks-add-ons.adoc @@ -190,3 +190,5 @@ include::add-ons-iam.adoc[leveloffset=+1] include::kubernetes-field-management.adoc[leveloffset=+1] + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-add-ons,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/eks-workloads.adoc b/latest/ug/workloads/eks-workloads.adoc index 3aa8ccc42..5349d9bc6 100644 --- a/latest/ug/workloads/eks-workloads.adoc +++ b/latest/ug/workloads/eks-workloads.adoc @@ -56,3 +56,6 @@ include::eks-add-ons.adoc[leveloffset=+1] include::image-verification.adoc[leveloffset=+1] + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-workloads,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/horizontal-pod-autoscaler.adoc b/latest/ug/workloads/horizontal-pod-autoscaler.adoc index 9253cd518..532f01bf3 100644 --- a/latest/ug/workloads/horizontal-pod-autoscaler.adoc +++ b/latest/ug/workloads/horizontal-pod-autoscaler.adoc @@ -121,3 +121,6 @@ NOTE: The default timeframe for scaling back down is five minutes, so it will ta ---- kubectl delete deployment.apps/php-apache service/php-apache horizontalpodautoscaler.autoscaling/php-apache ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[horizontal-pod-autoscaler,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/image-verification.adoc b/latest/ug/workloads/image-verification.adoc index 5b6ede70e..7b2a1dac2 100644 --- a/latest/ug/workloads/image-verification.adoc +++ b/latest/ug/workloads/image-verification.adoc @@ -24,3 +24,6 @@ If you use link:signer/latest/developerguide/Welcome.html[{aws} Signer,type="doc Before verifying container image signatures, configure the https://github.com/notaryproject/notation#readme[Notation] trust store and trust policy, as required by your selected admission controller. ==== + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[image-verification,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/kubernetes-field-management.adoc b/latest/ug/workloads/kubernetes-field-management.adoc index b394a2355..61fa47058 100644 --- a/latest/ug/workloads/kubernetes-field-management.adoc +++ b/latest/ug/workloads/kubernetes-field-management.adoc @@ -147,3 +147,6 @@ NOTE: If you don't see `managedFields` in the output, add `--show-managed-fields == Next steps Customize the fields not owned by {aws} for you add-on. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[kubernetes-field-management,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/network-load-balancing.adoc b/latest/ug/workloads/network-load-balancing.adoc index 17d7eda8a..e0b479a57 100644 --- a/latest/ug/workloads/network-load-balancing.adoc +++ b/latest/ug/workloads/network-load-balancing.adoc @@ -276,3 +276,6 @@ An example output is as follows. ---- kubectl delete namespace nlb-sample-app ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[network-load-balancing,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/remove-addon-role.adoc b/latest/ug/workloads/remove-addon-role.adoc index d0e009bcd..add0933f1 100644 --- a/latest/ug/workloads/remove-addon-role.adoc +++ b/latest/ug/workloads/remove-addon-role.adoc @@ -24,3 +24,6 @@ aws eks update-addon --cluster-name \ --addon-name \ --pod-identity-associations "[]" ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[remove-addon-role,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/removing-an-addon.adoc b/latest/ug/workloads/removing-an-addon.adoc index 47edba46a..a8d4abb2f 100644 --- a/latest/ug/workloads/removing-an-addon.adoc +++ b/latest/ug/workloads/removing-an-addon.adoc @@ -151,3 +151,6 @@ After the add-on is removed, the example output is as follows. ---- An error occurred (ResourceNotFoundException) when calling the DescribeAddon operation: No addon: name-of-addon found in cluster: my-cluster ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[removing-an-add-on,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/restrict-service-external-ip.adoc b/latest/ug/workloads/restrict-service-external-ip.adoc index 302efaa2c..2751fbb31 100644 --- a/latest/ug/workloads/restrict-service-external-ip.adoc +++ b/latest/ug/workloads/restrict-service-external-ip.adoc @@ -86,3 +86,6 @@ kubectl apply -f externalip-webhook.yaml ---- + An attempt to deploy a service to your cluster with an IP address specified for `externalIPs` that is not contained in the blocks that you specified in the Specify CIDR blocks step will fail. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[restrict-service-external-ip,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/retreive-iam-info.adoc b/latest/ug/workloads/retreive-iam-info.adoc index cd5c66b29..edfd69b2a 100644 --- a/latest/ug/workloads/retreive-iam-info.adoc +++ b/latest/ug/workloads/retreive-iam-info.adoc @@ -137,3 +137,6 @@ The following table indicates if certain Amazon EKS add-ons support EKS Pod Iden |=== This table was last updated on October 28, 2024. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[retreive-iam-info,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/sample-deployment-windows.adoc b/latest/ug/workloads/sample-deployment-windows.adoc index 303bb12a2..68cc19ddb 100644 --- a/latest/ug/workloads/sample-deployment-windows.adoc +++ b/latest/ug/workloads/sample-deployment-windows.adoc @@ -273,3 +273,6 @@ After you deploy the sample application, you might want to try some of the follo * <> * <> + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[sample-deployment-win,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/sample-deployment.adoc b/latest/ug/workloads/sample-deployment.adoc index 9ab1c42c2..0c97fb963 100644 --- a/latest/ug/workloads/sample-deployment.adoc +++ b/latest/ug/workloads/sample-deployment.adoc @@ -270,3 +270,6 @@ After you deploy the sample application, you might want to try some of the follo * <> * <> + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[sample-deployment,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/update-addon-role.adoc b/latest/ug/workloads/update-addon-role.adoc index 342ff9dfa..2fd6b9db5 100644 --- a/latest/ug/workloads/update-addon-role.adoc +++ b/latest/ug/workloads/update-addon-role.adoc @@ -61,3 +61,4 @@ If successful, you should see output similar to the following. Note the OwnerARN ---- +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[update-addon-role,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/updating-an-add-on.adoc b/latest/ug/workloads/updating-an-add-on.adoc index 0e75cb64e..d25cf53fb 100644 --- a/latest/ug/workloads/updating-an-add-on.adoc +++ b/latest/ug/workloads/updating-an-add-on.adoc @@ -212,3 +212,5 @@ An example output is as follows. + The update is complete when the status is `ACTIVE`. + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[updating-an-add-on,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/vertical-pod-autoscaler.adoc b/latest/ug/workloads/vertical-pod-autoscaler.adoc index 2287c7bd9..09bb3949e 100644 --- a/latest/ug/workloads/vertical-pod-autoscaler.adoc +++ b/latest/ug/workloads/vertical-pod-autoscaler.adoc @@ -247,3 +247,6 @@ Events: ---- kubectl delete -f examples/hamster.yaml ---- + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[vertical-pod-autoscaler,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/workloads-add-ons-available-eks.adoc b/latest/ug/workloads/workloads-add-ons-available-eks.adoc index 8bb2c43a0..d4b5f66c0 100644 --- a/latest/ug/workloads/workloads-add-ons-available-eks.adoc +++ b/latest/ug/workloads/workloads-add-ons-available-eks.adoc @@ -511,3 +511,6 @@ This add-on users permissions from the <>. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[workloads-add-ons-available-eks,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/workloads-add-ons-available-vendors.adoc b/latest/ug/workloads/workloads-add-ons-available-vendors.adoc index cd889272b..cc10ea118 100644 --- a/latest/ug/workloads/workloads-add-ons-available-vendors.adoc +++ b/latest/ug/workloads/workloads-add-ons-available-vendors.adoc @@ -885,3 +885,4 @@ A managed policy isn't used with this add-on. Custom permissions aren't used with this add-on. +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[workloads-add-ons-available-vendors,&type=code[Edit this page on GitHub] \ No newline at end of file From d66a57249b4c22ea03d4a57c0136872a10734a19 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Wed, 5 Feb 2025 22:03:46 +0000 Subject: [PATCH 105/940] Fixed GitHub links for topics with different id title. --- latest/ug/automode/auto-tag-subnets.adoc | 2 +- latest/ug/book.adoc | 1 - latest/ug/contribute/asciidoc-syntax.adoc | 4 ++++ latest/ug/contribute/create-content-q.adoc | 4 ++++ latest/ug/contribute/create-page.adoc | 5 ++++- latest/ug/contribute/edit-single-web.adoc | 4 ++++ latest/ug/contribute/edit-web.adoc | 4 ++++ latest/ug/contribute/insert-link.adoc | 4 ++++ latest/ug/contribute/pr-preview.adoc | 4 ++++ latest/ug/contribute/pr-status.adoc | 4 ++++ latest/ug/contribute/vale-github.adoc | 5 ++++- latest/ug/contribute/vale-local.adoc | 4 ++++ latest/ug/related-projects.adoc | 3 --- 13 files changed, 41 insertions(+), 7 deletions(-) diff --git a/latest/ug/automode/auto-tag-subnets.adoc b/latest/ug/automode/auto-tag-subnets.adoc index cc8d61e67..385ed4e8a 100644 --- a/latest/ug/automode/auto-tag-subnets.adoc +++ b/latest/ug/automode/auto-tag-subnets.adoc @@ -78,4 +78,4 @@ aws ec2 create-tags \ Replace `subnet-ID` with your actual subnet ID. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-tag-subnets-console,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[tag-subnets-auto,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/book.adoc b/latest/ug/book.adoc index 3c305004e..07b56d323 100644 --- a/latest/ug/book.adoc +++ b/latest/ug/book.adoc @@ -80,4 +80,3 @@ include::roadmap.adoc[leveloffset=+1] include::doc-history.adoc[leveloffset=+1] include::contribute/contribute.adoc[leveloffset=+1] - diff --git a/latest/ug/contribute/asciidoc-syntax.adoc b/latest/ug/contribute/asciidoc-syntax.adoc index 0700755ca..d96083a08 100644 --- a/latest/ug/contribute/asciidoc-syntax.adoc +++ b/latest/ug/contribute/asciidoc-syntax.adoc @@ -135,3 +135,7 @@ NOTE: This is a note admonition. + + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[asciidoc-syntax,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/contribute/create-content-q.adoc b/latest/ug/contribute/create-content-q.adoc index c47512981..e9ae1a062 100644 --- a/latest/ug/contribute/create-content-q.adoc +++ b/latest/ug/contribute/create-content-q.adoc @@ -50,3 +50,7 @@ image::images/contribute-q.png["Amazon Q in VS Code"] To learn more about Amazon Q Developer, see link:amazonq/latest/qdeveloper-ug/q-in-IDE.html["Using Amazon Q Developer in the IDE",type="documentation"]. + + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[create-content-q,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/contribute/create-page.adoc b/latest/ug/contribute/create-page.adoc index 73e178ecc..68852d11c 100644 --- a/latest/ug/contribute/create-page.adoc +++ b/latest/ug/contribute/create-page.adoc @@ -27,4 +27,7 @@ image::images/contribute-new-page.png["New page metadata"] + _For example:_ + -`include::create-page.adoc[leveloffset=+1]` \ No newline at end of file +`include::create-page.adoc[leveloffset=+1]` + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[create-page,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/contribute/edit-single-web.adoc b/latest/ug/contribute/edit-single-web.adoc index 091578f77..c1b7acda0 100644 --- a/latest/ug/contribute/edit-single-web.adoc +++ b/latest/ug/contribute/edit-single-web.adoc @@ -60,3 +60,7 @@ Pull requests help ensure quality and provide a way to discuss changes before th https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews[Learn how pull requests are reviewed and approved in the GitHub Docs.] + + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[edit-single-web,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/contribute/edit-web.adoc b/latest/ug/contribute/edit-web.adoc index 070233a66..92ebeaf37 100644 --- a/latest/ug/contribute/edit-web.adoc +++ b/latest/ug/contribute/edit-web.adoc @@ -32,3 +32,7 @@ NOTE: The EKS Docs team has created a workspace file that includes suggested con ** https://code.visualstudio.com/docs/sourcecontrol/github#_creating-pull-requests[Create a pull request] After you create a pull request, it will be reviewed by the docs team. + + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[edit-web,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/contribute/insert-link.adoc b/latest/ug/contribute/insert-link.adoc index 7baec84fb..13f1d140a 100644 --- a/latest/ug/contribute/insert-link.adoc +++ b/latest/ug/contribute/insert-link.adoc @@ -35,3 +35,7 @@ This format creates a standard link out to the internet. Use this for Non-Amazon `link` `:https://example.com[Visit Example Site]` NOTE: We allowlist external domains. The allowlist is at `vale/styles/EksDocs/ExternalDomains.yml` + + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[insert-link,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/contribute/pr-preview.adoc b/latest/ug/contribute/pr-preview.adoc index 4a93df9fe..56bf0d906 100644 --- a/latest/ug/contribute/pr-preview.adoc +++ b/latest/ug/contribute/pr-preview.adoc @@ -36,3 +36,7 @@ The preview is built as a single large HTML file. It will be displayed as multip * Links to other {aws} content, using `type="documentation"`. This is because this content doesn't exist in the preview environment. * The attribute `\{aws}` will not display properly. The value of this changes based on the environment. + + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[pr-preview,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/contribute/pr-status.adoc b/latest/ug/contribute/pr-status.adoc index 843725055..841ee1e47 100644 --- a/latest/ug/contribute/pr-status.adoc +++ b/latest/ug/contribute/pr-status.adoc @@ -76,3 +76,7 @@ Use the GitHub CLI to pull the changes locally. The pull request will automatically update with your new changes. + + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[pr-status,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/contribute/vale-github.adoc b/latest/ug/contribute/vale-github.adoc index 4b7fe4261..48a467488 100644 --- a/latest/ug/contribute/vale-github.adoc +++ b/latest/ug/contribute/vale-github.adoc @@ -26,4 +26,7 @@ The style check: When you update a pull request, the Vale check runs again. -Learn how to https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request#making-changes-to-files-in-your-pull-request[Make changes to files in your pull request] in the GitHub docs. \ No newline at end of file +Learn how to https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request#making-changes-to-files-in-your-pull-request[Make changes to files in your pull request] in the GitHub docs. + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[vale-github,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/contribute/vale-local.adoc b/latest/ug/contribute/vale-local.adoc index 6f914ba45..de2cc3b4d 100644 --- a/latest/ug/contribute/vale-local.adoc +++ b/latest/ug/contribute/vale-local.adoc @@ -53,3 +53,7 @@ vale sync + + + +📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[vale-local,&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/related-projects.adoc b/latest/ug/related-projects.adoc index 411bd160a..ad08dc451 100644 --- a/latest/ug/related-projects.adoc +++ b/latest/ug/related-projects.adoc @@ -197,7 +197,4 @@ CI/CD solution for modern cloud applications on Amazon EKS and [.noloc]`Kubernet * https://jenkins-x.io/docs/[Project documentation] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[related-projects,&type=code[Edit this page on GitHub] - - 📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[related-projects,&type=code[Edit this page on GitHub] \ No newline at end of file From 0102d21bde3d0967bdbc807a562df02a7e27b687 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Wed, 5 Feb 2025 22:39:46 +0000 Subject: [PATCH 106/940] Simplified topic and section ID syntax. --- latest/ug/automode/associate-workload.adoc | 2 +- latest/ug/automode/auto-configure-alb.adoc | 4 +- latest/ug/automode/auto-configure-nlb.adoc | 2 +- latest/ug/automode/auto-disable.adoc | 2 +- latest/ug/automode/auto-elb-example.adoc | 4 +- latest/ug/automode/auto-enable-existing.adoc | 6 +- latest/ug/automode/auto-glossary.adoc | 2 +- latest/ug/automode/auto-learn-iam.adoc | 10 +- .../ug/automode/auto-migrate-karpenter.adoc | 2 +- latest/ug/automode/auto-migrate-mng.adoc | 2 +- latest/ug/automode/auto-mng.adoc | 2 +- latest/ug/automode/auto-net-pol.adoc | 2 +- latest/ug/automode/auto-networking.adoc | 4 +- latest/ug/automode/auto-reference.adoc | 2 +- latest/ug/automode/auto-tag-subnets.adoc | 2 +- latest/ug/automode/auto-troubleshoot.adoc | 20 +- latest/ug/automode/auto-upgrade.adoc | 2 +- latest/ug/automode/auto-workloads.adoc | 2 +- .../ug/automode/automode-get-started-cli.adoc | 10 +- .../automode-get-started-console.adoc | 2 +- .../automode/automode-get-started-eksctl.adoc | 2 +- .../ug/automode/automode-learn-instances.adoc | 2 +- latest/ug/automode/automode-workload.adoc | 2 +- latest/ug/automode/automode.adoc | 2 +- latest/ug/automode/create-auto.adoc | 2 +- latest/ug/automode/create-node-class.adoc | 2 +- latest/ug/automode/create-node-pool.adoc | 2 +- latest/ug/automode/create-storage-class.adoc | 4 +- latest/ug/automode/critical-workload.adoc | 2 +- latest/ug/automode/migrate-auto.adoc | 2 +- latest/ug/automode/old/hpa_scaling.adoc | 2 +- .../ug/automode/sample-storage-workload.adoc | 2 +- .../ug/automode/set-builtin-node-pools.adoc | 2 +- latest/ug/automode/settings-auto.adoc | 2 +- latest/ug/automode/troubleshoot-lbc.adoc | 2 +- latest/ug/automode/wip.adoc | 2 +- .../ug/automode/wip/create-vpc-console.adoc | 2 +- latest/ug/automode/wip/eksctl-docs.adoc | 2 +- latest/ug/automode/wip/tag-subnets.adoc | 2 +- latest/ug/clusters/autoscaling.adoc | 2 +- latest/ug/clusters/cluster-endpoint.adoc | 12 +- latest/ug/clusters/cluster-insights.adoc | 6 +- latest/ug/clusters/clusters.adoc | 2 +- latest/ug/clusters/create-cluster-auto.adoc | 2 +- latest/ug/clusters/create-cluster.adoc | 10 +- latest/ug/clusters/delete-cluster.adoc | 2 +- .../ug/clusters/disable-extended-support.adoc | 6 +- .../ug/clusters/disable-windows-support.adoc | 2 +- .../ug/clusters/enable-extended-support.adoc | 6 +- .../kubernetes-versions-extended.adoc | 14 +- .../kubernetes-versions-standard.adoc | 10 +- latest/ug/clusters/kubernetes-versions.adoc | 14 +- .../management/cost-monitoring-aws.adoc | 4 +- .../cost-monitoring-kubecost-bundles.adoc | 10 +- .../management/cost-monitoring-kubecost.adoc | 8 +- .../clusters/management/cost-monitoring.adoc | 2 +- .../ug/clusters/management/eks-managing.adoc | 2 +- .../clusters/management/eks-using-tags.adoc | 18 +- latest/ug/clusters/management/helm.adoc | 2 +- .../clusters/management/metrics-server.adoc | 2 +- .../clusters/management/service-quotas.adoc | 8 +- latest/ug/clusters/platform-versions.adoc | 42 +-- latest/ug/clusters/private-clusters.adoc | 2 +- latest/ug/clusters/update-cluster.adoc | 18 +- latest/ug/clusters/view-support-status.adoc | 2 +- latest/ug/clusters/view-upgrade-policy.adoc | 6 +- latest/ug/clusters/windows-support.adoc | 8 +- latest/ug/clusters/zone-shift-enable.adoc | 4 +- latest/ug/clusters/zone-shift.adoc | 2 +- latest/ug/connector/connecting-cluster.adoc | 12 +- .../ug/connector/connector-grant-access.adoc | 4 +- .../deregister-connected-cluster.adoc | 6 +- latest/ug/connector/eks-connector.adoc | 6 +- latest/ug/connector/security-connector.adoc | 6 +- .../connector/troubleshooting-connector.adoc | 28 +- latest/ug/connector/tsc-faq.adoc | 2 +- latest/ug/contribute/contribute.adoc | 2 +- latest/ug/doc-history.adoc | 26 +- .../getting-started-automode.adoc | 2 +- .../getting-started-console.adoc | 16 +- .../getting-started-eksctl.adoc | 12 +- .../ug/getting-started/getting-started.adoc | 2 +- latest/ug/getting-started/install-awscli.adoc | 12 +- .../ug/getting-started/install-kubectl.adoc | 8 +- latest/ug/getting-started/learn-eks.adoc | 18 +- latest/ug/getting-started/setting-up.adoc | 4 +- ...reating-resources-with-cloudformation.adoc | 6 +- latest/ug/integrations/eks-integrations.adoc | 2 +- .../integrations/integration-detective.adoc | 4 +- .../integrations/integration-guardduty.adoc | 2 +- .../integration-resilience-hub.adoc | 2 +- .../integration-securitylake.adoc | 8 +- .../integrations/integration-vpc-lattice.adoc | 2 +- latest/ug/integrations/local-zones.adoc | 2 +- .../associate-service-account-role.adoc | 6 +- .../aws-access/configure-sts-endpoint.adoc | 2 +- .../aws-access/cross-account-access.adoc | 2 +- ...enable-iam-roles-for-service-accounts.adoc | 2 +- ...oles-for-service-accounts-minimum-sdk.adoc | 2 +- .../iam-roles-for-service-accounts.adoc | 4 +- .../aws-access/irsa-fetch-keys.adoc | 2 +- .../aws-access/pod-configuration.adoc | 2 +- .../manage-access/aws-access/pod-id-abac.adoc | 8 +- .../aws-access/pod-id-agent-config-ipv6.adoc | 6 +- .../aws-access/pod-id-agent-setup.adoc | 8 +- .../aws-access/pod-id-association.adoc | 6 +- .../aws-access/pod-id-configure-pods.adoc | 2 +- .../aws-access/pod-id-how-it-works.adoc | 6 +- .../aws-access/pod-id-minimum-sdk.adoc | 4 +- .../manage-access/aws-access/pod-id-role.adoc | 2 +- .../aws-access/pod-identities.adoc | 12 +- .../aws-access/service-accounts.adoc | 10 +- latest/ug/manage-access/cluster-auth.adoc | 2 +- .../ug/manage-access/create-kubeconfig.adoc | 4 +- .../k8s-access/access-entries.adoc | 2 +- .../k8s-access/access-policies.adoc | 6 +- .../k8s-access/access-policy-reference.adoc | 16 +- .../k8s-access/auth-configmap.adoc | 10 +- .../authenticate-oidc-identity-provider.adoc | 12 +- .../k8s-access/creating-access-entries.adoc | 6 +- .../k8s-access/deleting-access-entries.adoc | 6 +- .../disassociate-oidc-identity-provider.adoc | 2 +- .../k8s-access/grant-k8s-access.adoc | 6 +- .../k8s-access/migrating-access-entries.adoc | 2 +- .../k8s-access/setting-up-access-entries.adoc | 6 +- .../k8s-access/updating-access-entries.adoc | 6 +- .../view-kubernetes-resources.adoc | 4 +- latest/ug/ml/capacity-blocks-mng.adoc | 6 +- latest/ug/ml/capacity-blocks.adoc | 6 +- latest/ug/ml/inferentia-support.adoc | 10 +- latest/ug/ml/machine-learning-on-eks.adoc | 4 +- latest/ug/ml/ml-eks-optimized-ami.adoc | 2 +- .../ug/ml/ml-eks-windows-optimized-ami.adoc | 26 +- latest/ug/ml/ml-get-started.adoc | 2 +- latest/ug/ml/ml-prepare-for-cluster.adoc | 2 +- latest/ug/ml/ml-tutorials.adoc | 2 +- latest/ug/ml/node-efa.adoc | 12 +- .../ml/node-taints-managed-node-groups.adoc | 2 +- .../ug/networking/alternate-cni-plugins.adoc | 4 +- .../aws-load-balancer-controller.adoc | 8 +- .../cni-custom-network-tutorial.adoc | 12 +- latest/ug/networking/cni-custom-network.adoc | 4 +- latest/ug/networking/cni-iam-role.adoc | 10 +- .../cni-increase-ip-addresses-procedure.adoc | 2 +- .../networking/cni-increase-ip-addresses.adoc | 6 +- latest/ug/networking/cni-ipv6.adoc | 4 +- .../cni-network-policy-configure.adoc | 38 +-- latest/ug/networking/cni-network-policy.adoc | 4 +- .../ug/networking/coredns-add-on-create.adoc | 2 +- .../coredns-add-on-self-managed-update.adoc | 2 +- .../ug/networking/coredns-add-on-update.adoc | 2 +- latest/ug/networking/coredns-autoscaling.adoc | 12 +- latest/ug/networking/coredns-metrics.adoc | 2 +- latest/ug/networking/creating-a-vpc.adoc | 2 +- latest/ug/networking/deploy-ipv6-cluster.adoc | 4 +- .../ug/networking/eks-networking-add-ons.adoc | 6 +- latest/ug/networking/eks-networking.adoc | 2 +- latest/ug/networking/external-snat.adoc | 4 +- ...kube-proxy-add-on-self-managed-update.adoc | 6 +- latest/ug/networking/lbc-helm.adoc | 10 +- latest/ug/networking/lbc-manifest.adoc | 12 +- latest/ug/networking/lbc-remove.adoc | 6 +- latest/ug/networking/managing-coredns.adoc | 8 +- latest/ug/networking/managing-kube-proxy.adoc | 6 +- latest/ug/networking/managing-vpc-cni.adoc | 6 +- .../network-policies-troubleshooting.adoc | 22 +- .../ug/networking/network-policy-disable.adoc | 2 +- .../networking/network-policy-stars-demo.adoc | 2 +- latest/ug/networking/network-reqs.adoc | 12 +- .../pod-multiple-network-interfaces.adoc | 2 +- .../networking/pod-networking-use-cases.adoc | 2 +- latest/ug/networking/sec-group-reqs.adoc | 6 +- .../networking/security-groups-for-pods.adoc | 6 +- .../security-groups-pods-deployment.adoc | 2 +- .../sg-pods-example-deployment.adoc | 2 +- latest/ug/networking/vpc-add-on-create.adoc | 6 +- .../vpc-add-on-self-managed-update.adoc | 2 +- latest/ug/networking/vpc-add-on-update.adoc | 2 +- latest/ug/nodes/al2023.adoc | 2 +- latest/ug/nodes/auto-get-logs.adoc | 2 +- .../bottlerocket-compliance-support.adoc | 2 +- latest/ug/nodes/choosing-instance-type.adoc | 4 +- .../ug/nodes/create-managed-node-group.adoc | 2 +- latest/ug/nodes/delete-fargate-profile.adoc | 2 +- .../ug/nodes/delete-managed-node-group.adoc | 2 +- latest/ug/nodes/dockershim-deprecation.adoc | 4 +- latest/ug/nodes/eks-ami-build-scripts.adoc | 2 +- .../nodes/eks-ami-versions-bottlerocket.adoc | 2 +- latest/ug/nodes/eks-ami-versions-windows.adoc | 10 +- latest/ug/nodes/eks-compute.adoc | 2 +- latest/ug/nodes/eks-custom-ami-windows.adoc | 8 +- latest/ug/nodes/eks-linux-ami-versions.adoc | 2 +- .../nodes/eks-optimized-ami-bottlerocket.adoc | 8 +- latest/ug/nodes/eks-optimized-ami.adoc | 8 +- latest/ug/nodes/eks-optimized-amis.adoc | 2 +- .../ug/nodes/eks-optimized-windows-ami.adoc | 12 +- latest/ug/nodes/eks-partner-amis.adoc | 2 +- latest/ug/nodes/fargate-getting-started.adoc | 12 +- latest/ug/nodes/fargate-logging.adoc | 16 +- .../ug/nodes/fargate-pod-configuration.adoc | 6 +- latest/ug/nodes/fargate-pod-patching.adoc | 2 +- latest/ug/nodes/fargate-profile.adoc | 8 +- latest/ug/nodes/fargate.adoc | 4 +- latest/ug/nodes/hybrid-nodes-add-ons.adoc | 16 +- .../ug/nodes/hybrid-nodes-cluster-create.adoc | 20 +- .../ug/nodes/hybrid-nodes-cluster-prep.adoc | 4 +- latest/ug/nodes/hybrid-nodes-cni.adoc | 2 +- latest/ug/nodes/hybrid-nodes-creds.adoc | 4 +- latest/ug/nodes/hybrid-nodes-join.adoc | 2 +- latest/ug/nodes/hybrid-nodes-networking.adoc | 8 +- latest/ug/nodes/hybrid-nodes-nodeadm.adoc | 2 +- latest/ug/nodes/hybrid-nodes-os.adoc | 2 +- latest/ug/nodes/hybrid-nodes-overview.adoc | 4 +- latest/ug/nodes/hybrid-nodes-prereqs.adoc | 18 +- latest/ug/nodes/hybrid-nodes-proxy.adoc | 2 +- latest/ug/nodes/hybrid-nodes-remove.adoc | 2 +- .../nodes/hybrid-nodes-troubleshooting.adoc | 14 +- latest/ug/nodes/hybrid-nodes-tutorial.adoc | 2 +- latest/ug/nodes/hybrid-nodes-upgrade.adoc | 2 +- latest/ug/nodes/launch-node-bottlerocket.adoc | 2 +- latest/ug/nodes/launch-node-ubuntu.adoc | 2 +- latest/ug/nodes/launch-templates.adoc | 20 +- latest/ug/nodes/launch-windows-workers.adoc | 2 +- latest/ug/nodes/launch-workers.adoc | 2 +- latest/ug/nodes/learn-status-conditions.adoc | 8 +- latest/ug/nodes/managed-node-groups.adoc | 10 +- .../nodes/managed-node-update-behavior.adoc | 10 +- latest/ug/nodes/migrate-stack.adoc | 2 +- latest/ug/nodes/monitoring-fargate-usage.adoc | 8 +- latest/ug/nodes/node-health.adoc | 20 +- .../nodes/retrieve-ami-id-bottlerocket.adoc | 2 +- latest/ug/nodes/retrieve-ami-id.adoc | 2 +- latest/ug/nodes/retrieve-windows-ami-id.adoc | 2 +- .../self-managed-windows-server-2022.adoc | 2 +- .../ug/nodes/update-managed-node-group.adoc | 6 +- latest/ug/nodes/update-stack.adoc | 2 +- latest/ug/nodes/update-workers.adoc | 2 +- latest/ug/nodes/worker.adoc | 2 +- latest/ug/observability/cloudwatch.adoc | 6 +- .../ug/observability/control-plane-logs.adoc | 10 +- .../ug/observability/deploy-prometheus.adoc | 2 +- latest/ug/observability/eks-observe.adoc | 6 +- .../ug/observability/enable-asg-metrics.adoc | 2 +- .../logging-using-cloudtrail.adoc | 2 +- .../observability-dashboard.adoc | 18 +- latest/ug/observability/opentelemetry.adoc | 2 +- latest/ug/observability/prometheus.adoc | 8 +- .../service-name-info-in-cloudtrail.adoc | 2 +- .../understanding-service-name-entries.adoc | 4 +- latest/ug/observability/view-raw-metrics.adoc | 14 +- .../eks-outposts-capacity-considerations.adoc | 4 +- .../eks-outposts-local-cluster-create.adoc | 4 +- .../eks-outposts-local-cluster-overview.adoc | 4 +- .../eks-outposts-network-disconnects.adoc | 4 +- .../eks-outposts-platform-versions.adoc | 10 +- .../eks-outposts-self-managed-nodes.adoc | 2 +- .../eks-outposts-troubleshooting.adoc | 16 +- .../eks-outposts-vpc-subnet-requirements.adoc | 14 +- latest/ug/outposts/eks-outposts.adoc | 6 +- latest/ug/quickstart.adoc | 2 +- latest/ug/related-projects.adoc | 40 +-- latest/ug/roadmap.adoc | 2 +- latest/ug/security/auto-security.adoc | 4 +- latest/ug/security/cert-signing.adoc | 6 +- latest/ug/security/compliance.adoc | 2 +- .../configuration-vulnerability-analysis.adoc | 16 +- latest/ug/security/default-roles-users.adoc | 6 +- .../disaster-recovery-resiliency.adoc | 2 +- latest/ug/security/enable-kms.adoc | 2 +- .../iam-reference/auto-cluster-iam-role.adoc | 2 +- .../iam-reference/auto-create-node-role.adoc | 2 +- .../iam-reference/cluster-iam-role.adoc | 6 +- .../iam-reference/connector-iam-role.adoc | 6 +- .../iam-reference/create-node-role.adoc | 6 +- .../iam-reference/pod-execution-role.adoc | 6 +- .../iam-reference/security-iam-awsmanpol.adoc | 40 +-- ...security-iam-id-based-policy-examples.adoc | 16 +- .../security-iam-service-with-iam.adoc | 26 +- .../security-iam-troubleshoot.adoc | 14 +- .../security/iam-reference/security-iam.adoc | 24 +- ...ng-service-linked-roles-eks-connector.adoc | 14 +- ...sing-service-linked-roles-eks-fargate.adoc | 18 +- ...g-service-linked-roles-eks-nodegroups.adoc | 18 +- ...sing-service-linked-roles-eks-outpost.adoc | 16 +- .../using-service-linked-roles-eks.adoc | 16 +- .../using-service-linked-roles.adoc | 2 +- .../ug/security/infrastructure-security.adoc | 2 +- latest/ug/security/manage-secrets.adoc | 2 +- .../pod-security-policy-removal-faq.adoc | 20 +- latest/ug/security/pod-security-policy.adoc | 8 +- .../ug/security/security-best-practices.adoc | 2 +- latest/ug/security/security-eks.adoc | 2 +- latest/ug/security/security-k8s.adoc | 2 +- latest/ug/security/security.adoc | 2 +- .../ug/security/vpc-interface-endpoints.adoc | 6 +- .../ug/storage/csi-snapshot-controller.adoc | 2 +- latest/ug/storage/ebs-csi-migration-faq.adoc | 30 +-- latest/ug/storage/ebs-csi.adoc | 12 +- latest/ug/storage/efs-csi.adoc | 14 +- latest/ug/storage/file-cache-csi.adoc | 2 +- latest/ug/storage/fsx-csi.adoc | 2 +- latest/ug/storage/fsx-ontap.adoc | 2 +- latest/ug/storage/fsx-openzfs-csi.adoc | 2 +- latest/ug/storage/s3-csi.adoc | 18 +- latest/ug/storage/storage.adoc | 2 +- .../ug/troubleshooting/troubleshooting.adoc | 40 +-- latest/ug/what-is/common-use-cases.adoc | 2 +- latest/ug/what-is/eks-architecture.adoc | 6 +- latest/ug/what-is/eks-deployment-options.adoc | 12 +- latest/ug/what-is/kubernetes-concepts.adoc | 42 +-- latest/ug/what-is/what-is-eks.adoc | 6 +- latest/ug/workloads/add-ons-iam.adoc | 2 +- latest/ug/workloads/add-ons-images.adoc | 2 +- latest/ug/workloads/addon-compat.adoc | 2 +- .../ug/workloads/addon-id-troubleshoot.adoc | 2 +- latest/ug/workloads/alb-ingress.adoc | 4 +- latest/ug/workloads/community-addons.adoc | 2 +- .../workloads/copy-image-to-repository.adoc | 2 +- latest/ug/workloads/creating-an-add-on.adoc | 8 +- latest/ug/workloads/eks-add-ons.adoc | 8 +- latest/ug/workloads/eks-workloads.adoc | 2 +- .../workloads/horizontal-pod-autoscaler.adoc | 4 +- latest/ug/workloads/image-verification.adoc | 2 +- .../kubernetes-field-management.adoc | 8 +- .../ug/workloads/network-load-balancing.adoc | 6 +- latest/ug/workloads/remove-addon-role.adoc | 2 +- latest/ug/workloads/removing-an-addon.adoc | 6 +- .../restrict-service-external-ip.adoc | 2 +- latest/ug/workloads/retreive-iam-info.adoc | 4 +- .../workloads/sample-deployment-windows.adoc | 6 +- latest/ug/workloads/sample-deployment.adoc | 6 +- latest/ug/workloads/update-addon-role.adoc | 2 +- latest/ug/workloads/updating-an-add-on.adoc | 6 +- .../ug/workloads/vertical-pod-autoscaler.adoc | 6 +- .../workloads-add-ons-available-eks.adoc | 80 +++--- .../workloads-add-ons-available-vendors.adoc | 242 +++++++++--------- 336 files changed, 1247 insertions(+), 1247 deletions(-) diff --git a/latest/ug/automode/associate-workload.adoc b/latest/ug/automode/associate-workload.adoc index 1ee3ef1b3..c87901095 100644 --- a/latest/ug/automode/associate-workload.adoc +++ b/latest/ug/automode/associate-workload.adoc @@ -1,5 +1,5 @@ [.topic] -[[associate-workload,associate-workload.title]] +[#associate-workload] = Control if a workload is deployed on EKS Auto Mode nodes :info_titleabbrev: Control deployment diff --git a/latest/ug/automode/auto-configure-alb.adoc b/latest/ug/automode/auto-configure-alb.adoc index d50bc6acc..408891bb2 100644 --- a/latest/ug/automode/auto-configure-alb.adoc +++ b/latest/ug/automode/auto-configure-alb.adoc @@ -1,5 +1,5 @@ [.topic] -[[auto-configure-alb,auto-configure-alb.title]] +[#auto-configure-alb] = Create an IngressClass to configure an Application Load Balancer :info_titleabbrev: Create ingress class @@ -133,7 +133,7 @@ kubectl delete ingress EKS Auto Mode will automatically delete the associated load balancer in your {aws} account. -[[ingress-reference,ingress-reference.title]] +[#ingress-reference] == IngressClassParams Reference The table below is a quick reference for commonly used configuration options. diff --git a/latest/ug/automode/auto-configure-nlb.adoc b/latest/ug/automode/auto-configure-nlb.adoc index 026a116e4..0245af4a9 100644 --- a/latest/ug/automode/auto-configure-nlb.adoc +++ b/latest/ug/automode/auto-configure-nlb.adoc @@ -1,5 +1,5 @@ [.topic] -[[auto-configure-nlb,auto-configure-nlb.title]] +[#auto-configure-nlb] = Use Service Annotations to configure Network Load Balancers :info_titleabbrev: Create service diff --git a/latest/ug/automode/auto-disable.adoc b/latest/ug/automode/auto-disable.adoc index 3f9ec0b4d..aeb0c9657 100644 --- a/latest/ug/automode/auto-disable.adoc +++ b/latest/ug/automode/auto-disable.adoc @@ -1,5 +1,5 @@ [.topic] -[[auto-disable,auto-disable.title]] +[#auto-disable] = Disable EKS Auto Mode include::../attributes.txt[] diff --git a/latest/ug/automode/auto-elb-example.adoc b/latest/ug/automode/auto-elb-example.adoc index a4a0b0ffd..b920586d5 100644 --- a/latest/ug/automode/auto-elb-example.adoc +++ b/latest/ug/automode/auto-elb-example.adoc @@ -1,5 +1,5 @@ [.topic] -[[auto-elb-example,auto-elb-example.title]] +[#auto-elb-example] = Deploy a Sample Load Balancer Workload to EKS Auto Mode :info_titleabbrev: Deploy load balancer @@ -233,7 +233,7 @@ This will delete all resources in the namespace, including the deployment, servi ** Configures target groups for the pods ** Sets up routing rules to direct traffic to the service -[[auto-elb-troubleshooting,auto-elb-troubleshooting.title]] +[#auto-elb-troubleshooting] == Troubleshooting If the game doesn't load: diff --git a/latest/ug/automode/auto-enable-existing.adoc b/latest/ug/automode/auto-enable-existing.adoc index c76168a3d..8f6a858b1 100644 --- a/latest/ug/automode/auto-enable-existing.adoc +++ b/latest/ug/automode/auto-enable-existing.adoc @@ -1,5 +1,5 @@ [.topic] -[[auto-enable-existing,auto-enable-existing.title]] +[#auto-enable-existing] = Enable EKS Auto Mode on an existing cluster :info_titleabbrev: Enable on cluster @@ -15,7 +15,7 @@ Verify you have the minimum required version of certain Amazon EKS Add-ons insta Before you begin, ensure you have administrator access to your Amazon EKS cluster and permissions to modify IAM roles. The steps in this topic guide you through enabling Auto Mode using either the {aws-management-console} or {aws} CLI. -[[auto-enable-existing-console,auto-enable-existing-console.title]] +[#auto-enable-existing-console] == {aws-management-console} You must be logged into the {aws} console with permission to manage IAM, EKS, and EC2 resources. @@ -100,7 +100,7 @@ aws eks update-cluster-config \ --storage-config '{"blockStorage":{"enabled": true}}' ---- -[[auto-addons-required,auto-addons-required.title]] +[#auto-addons-required] == Required Add-on Versions If you're planning to enable EKS Auto Mode on an existing cluster, you may need to update certain add-ons. Please note: diff --git a/latest/ug/automode/auto-glossary.adoc b/latest/ug/automode/auto-glossary.adoc index 2d0c24cb0..61bb0bdde 100644 --- a/latest/ug/automode/auto-glossary.adoc +++ b/latest/ug/automode/auto-glossary.adoc @@ -1,5 +1,5 @@ [.topic] -[[auto-glossary,auto-glossary.title]] +[#auto-glossary] = Glossary :info_titleabbrev: Glossary diff --git a/latest/ug/automode/auto-learn-iam.adoc b/latest/ug/automode/auto-learn-iam.adoc index 25036d11e..7b658b0e6 100644 --- a/latest/ug/automode/auto-learn-iam.adoc +++ b/latest/ug/automode/auto-learn-iam.adoc @@ -1,5 +1,5 @@ [.topic] -[[auto-learn-iam,auto-learn-iam.title]] +[#auto-learn-iam] = Learn about identity and access in EKS Auto Mode :info_titleabbrev: Identity and access @@ -11,7 +11,7 @@ When you configure EKS Auto Mode, you will need to set up these IAM roles with s In EKS Auto Mode, {aws} IAM roles are automatically mapped to Kubernetes permissions through EKS access entries, removing the need for manual configuration of `aws-auth` ConfigMaps or custom bindings. When you create a new auto mode cluster, EKS automatically creates the corresponding Kubernetes permissions using Access entries, ensuring that {aws} services and cluster components have the appropriate access levels within both the {aws} and Kubernetes authorization systems. This automated integration reduces configuration complexity and helps prevent permission-related issues that commonly occur when managing EKS clusters. -[[auto-learn-cluster-iam-role,auto-learn-cluster-iam-role.title]] +[#auto-learn-cluster-iam-role] == Cluster IAM role The Cluster IAM role is an {aws} Identity and Access Management (IAM) role used by Amazon EKS to manage permissions for Kubernetes clusters. This role grants Amazon EKS the necessary permissions to interact with other {aws} services on behalf of your cluster, and is automatically configured with Kubernetes permissions using EKS access entries. @@ -37,7 +37,7 @@ For more information about Kubernetes access, see: * <> -[[auto-learn-node-iam-role,auto-learn-node-iam-role.title]] +[#auto-learn-node-iam-role] == Node IAM role The Node IAM role is an {aws} Identity and Access Management (IAM) role used by Amazon EKS to manage permissions for worker nodes in Kubernetes clusters. This role grants EC2 instances running as Kubernetes nodes the necessary permissions to interact with {aws} services and resources, and is automatically configured with Kubernetes RBAC permissions using EKS access entries. @@ -74,12 +74,12 @@ For more information, see: * <> -[[tag-prop,tag-prop.title]] +[#tag-prop] == Custom {aws} tags for EKS Auto resources By default, the managed policies related to EKS Auto Mode do not permit applying user defined tags to Auto Mode provisioned {aws} resources. If you want to apply user defined tags to {aws} resources, you must attach additional permissions to the Cluster IAM Role with sufficient permissions to create and modify tags on {aws} resources. Below is an example of a policy that will allow unrestricted tagging access: -[[auto-tag-policy,auto-tag-policy.title]] +[#auto-tag-policy] .View custom tag policy example [%collapsible, expand-section="_collapse_all_"] ==== diff --git a/latest/ug/automode/auto-migrate-karpenter.adoc b/latest/ug/automode/auto-migrate-karpenter.adoc index 6fc3e2146..778ea84be 100644 --- a/latest/ug/automode/auto-migrate-karpenter.adoc +++ b/latest/ug/automode/auto-migrate-karpenter.adoc @@ -1,5 +1,5 @@ [.topic] -[[auto-migrate-karpenter,auto-migrate-karpenter.title]] +[#auto-migrate-karpenter] = Migrate from Karpenter to EKS Auto Mode using kubectl :info_titleabbrev: Migrate from Karpenter diff --git a/latest/ug/automode/auto-migrate-mng.adoc b/latest/ug/automode/auto-migrate-mng.adoc index 24d40b66a..196daaff0 100644 --- a/latest/ug/automode/auto-migrate-mng.adoc +++ b/latest/ug/automode/auto-migrate-mng.adoc @@ -1,5 +1,5 @@ [.topic] -[[auto-migrate-mng,auto-migrate-mng.title]] +[#auto-migrate-mng] = Migrate from EKS Managed Node Groups to EKS Auto Mode :info_titleabbrev: Migrate from MNGs diff --git a/latest/ug/automode/auto-mng.adoc b/latest/ug/automode/auto-mng.adoc index 679fcf74d..5fc589c65 100644 --- a/latest/ug/automode/auto-mng.adoc +++ b/latest/ug/automode/auto-mng.adoc @@ -1,5 +1,5 @@ [.topic] -[[auto-mng,auto-mng.title]] +[#auto-mng] = Compare EKS Auto Mode with EKS managed node groups :info_titleabbrev: Compare with Managed Node Groups diff --git a/latest/ug/automode/auto-net-pol.adoc b/latest/ug/automode/auto-net-pol.adoc index 31032e1ff..a7b94c9f9 100644 --- a/latest/ug/automode/auto-net-pol.adoc +++ b/latest/ug/automode/auto-net-pol.adoc @@ -1,5 +1,5 @@ [.topic] -[[auto-net-pol,auto-net-pol.title]] +[#auto-net-pol] = Use Network Policies with EKS Auto Mode :info_titleabbrev: Use network policies diff --git a/latest/ug/automode/auto-networking.adoc b/latest/ug/automode/auto-networking.adoc index aab9d435e..086c2b1bf 100644 --- a/latest/ug/automode/auto-networking.adoc +++ b/latest/ug/automode/auto-networking.adoc @@ -1,5 +1,5 @@ [.topic] -[[auto-networking,auto-networking.title]] +[#auto-networking] = Learn about VPC Networking and Load Balancing in EKS Auto Mode :info_titleabbrev: Networking @@ -49,7 +49,7 @@ EKS Auto Mode does *not* support: * Exporting network event logs to CloudWatch. -[[auto-lb-consider,auto-lb-consider.title]] +[#auto-lb-consider] == Load balancing You configure {aws} Elastic Load Balancers provisioned by EKS Auto Mode using annotations on Service and Ingress resources. diff --git a/latest/ug/automode/auto-reference.adoc b/latest/ug/automode/auto-reference.adoc index c18fad01e..2d797108f 100644 --- a/latest/ug/automode/auto-reference.adoc +++ b/latest/ug/automode/auto-reference.adoc @@ -1,5 +1,5 @@ [.topic] -[[auto-reference,auto-reference.title]] +[#auto-reference] = Learn how EKS Auto Mode works :icons: font :experimental: diff --git a/latest/ug/automode/auto-tag-subnets.adoc b/latest/ug/automode/auto-tag-subnets.adoc index 385ed4e8a..f45566e4e 100644 --- a/latest/ug/automode/auto-tag-subnets.adoc +++ b/latest/ug/automode/auto-tag-subnets.adoc @@ -45,7 +45,7 @@ Private subnets are used for internal load balancers. These subnets must have th Before you begin, identify which subnets are public (with Internet Gateway access) and which are private (using NAT Gateway). You'll need permissions to modify VPC resources. -[[auto-tag-subnets-console,auto-tag-subnets-console.title]] +[#auto-tag-subnets-console] === {aws-management-console} . Open the Amazon VPC console and navigate to Subnets diff --git a/latest/ug/automode/auto-troubleshoot.adoc b/latest/ug/automode/auto-troubleshoot.adoc index 9b5521ee2..3c52e26fb 100644 --- a/latest/ug/automode/auto-troubleshoot.adoc +++ b/latest/ug/automode/auto-troubleshoot.adoc @@ -1,5 +1,5 @@ [.topic] -[[auto-troubleshoot,auto-troubleshoot.title]] +[#auto-troubleshoot] = Troubleshoot EKS Auto Mode :info_titleabbrev: Troubleshoot @@ -32,12 +32,12 @@ You can use the following methods to troubleshoot EKS Auto Mode components: * <> * <> -[[auto-node-monitoring-agent,auto-node-monitoring-agent.title]] +[#auto-node-monitoring-agent] == Node monitoring agent EKS Auto Mode includes the Amazon EKS node monitoring agent. You can use this agent to view troubleshooting and debugging information about nodes. The node monitoring agent publishes Kubernetes `events` and node `conditions`. For more information, see <>. -[[auto-node-console,auto-node-console.title]] +[#auto-node-console] == Get console output from an EC2 managed instance by using the {aws} EC2 CLI This procedure helps with troubleshooting boot-time or kernel-level issues. @@ -64,7 +64,7 @@ kubectl get pod -o wide aws ec2 get-console-output --instance-id --latest --output text ---- -[[auto-node-debug-logs,auto-node-debug-logs.title]] +[#auto-node-debug-logs] == Get node logs by using __debug containers__ and the `kubectl` CLI The recommended way of retrieving logs from an EKS Auto Mode node is to use `NodeDiagnostic` resource. For these steps, see <>. @@ -118,7 +118,7 @@ Filename : /usr/bin/ps Provide : /bin/ps ---- -[[auto-node-ec2-web,auto-node-ec2-web.title]] +[#auto-node-ec2-web] == View resources associated with EKS Auto Mode in the {aws} Console You can use the {aws} console to view the status of resources associated with your EKS Auto Mode cluster. @@ -130,7 +130,7 @@ You can use the {aws} console to view the status of resources associated with yo * link:ec2/home#Instances["EC2 Instances",type="console"] ** View EKS Auto Mode instances by searching for the tag key `eks:eks-cluster-name` -[[auto-node-iam,auto-node-iam.title]] +[#auto-node-iam] == View IAM Errors in your {aws} account . Navigate to CloudTrail console @@ -144,12 +144,12 @@ Look for errors related to your EKS cluster. Use the error messages to update yo //Ensure you are running the latest version of the {aws} CLI, eksctl, etc. -[[auto-troubleshoot-schedule,auto-troubleshoot-schedule.title]] +[#auto-troubleshoot-schedule] == Troubleshoot Pod failing to schedule onto Auto Mode node If pods staying in the `Pending` state and aren't being scheduled onto an auto mode node, verify if your pod or deployment manifest has a `nodeSelector`. If a `nodeSelector` is present, ensure that it is using `eks.amazonaws.com/compute-type: auto` to be scheduled on nodes that are made by EKS Auto Mode. For more information about the node labels that are used by EKS Auto Mode, see <>. -[[auto-troubleshoot-join,auto-troubleshoot-join.title]] +[#auto-troubleshoot-join] == Troubleshoot node not joining the cluster EKS Auto Mode automatically configures new EC2 instances with the correct information to join the cluster, including the cluster endpoint and cluster certificate authority (CA). However, these instances can still fail to join the EKS cluster as a node. Run the following commands to identify instances that didn't join the cluster: @@ -177,7 +177,7 @@ You might receive this error if you are setting custom tags in the `NodeClass` w There might be some authorization issue with calling the `RunInstances` call from the EC2 API. Check {aws} CloudTrail for errors and see <> for the required IAM permissions. -[[auto-node-reachability,auto-node-reachability.title]] +[#auto-node-reachability] === Detect node connectivity issues with the `VPC Reachability Analyzer` [NOTE] @@ -245,7 +245,7 @@ With these two pieces of information, you can perform the s analysis. First navi . Click "Create and Analyze Path" . The analysis might take a few minutes to complete. If the analysis results indicates failed reachability, it will indicate where the failure was in the network path so you can resolve the issue. -[[auto-troubleshoot-controllers,auto-troubleshoot-controllers.title]] +[#auto-troubleshoot-controllers] == Troubleshoot included controllers in Auto Mode If you have a problem with a controller, you should research: diff --git a/latest/ug/automode/auto-upgrade.adoc b/latest/ug/automode/auto-upgrade.adoc index 3ef6b6372..e33f056bb 100644 --- a/latest/ug/automode/auto-upgrade.adoc +++ b/latest/ug/automode/auto-upgrade.adoc @@ -1,5 +1,5 @@ [.topic] -[[auto-upgrade,auto-upgrade.title]] +[#auto-upgrade] = Update the Kubernetes Version of an EKS Auto Mode cluster :info_titleabbrev: Update Kubernetes version diff --git a/latest/ug/automode/auto-workloads.adoc b/latest/ug/automode/auto-workloads.adoc index f016d7c51..05c701e5b 100644 --- a/latest/ug/automode/auto-workloads.adoc +++ b/latest/ug/automode/auto-workloads.adoc @@ -1,5 +1,5 @@ [.topic] -[[auto-workloads,auto-workloads.title]] +[#auto-workloads] = Run sample workloads in EKS Auto Mode clusters :info_titleabbrev: Run workloads diff --git a/latest/ug/automode/automode-get-started-cli.adoc b/latest/ug/automode/automode-get-started-cli.adoc index 5ae05ea6c..08d498e85 100644 --- a/latest/ug/automode/automode-get-started-cli.adoc +++ b/latest/ug/automode/automode-get-started-cli.adoc @@ -1,7 +1,7 @@ include::../attributes.txt[] [.topic] -[[automode-get-started-cli,automode-get-started-cli.title]] +[#automode-get-started-cli] = Create an EKS Auto Mode Cluster with the {aws} CLI :config: configuration :info_titleabbrev: {aws} CLI @@ -24,7 +24,7 @@ Amazon EKS Auto Mode deploy nodes to VPC subnets. When creating an EKS cluster, * The EKS Console assists with creating a new VPC. Learn how to <>. * Alternatively, you can use the default VPC of your {aws} account. Use the following instructions to find the Subnet IDs. -[[auto-find-subnet,auto-find-subnet.title]] +[#auto-find-subnet] .To find the Subnet IDs of your default VPC [%collapsible, expand-section="_collapse_all_"] ==== @@ -55,10 +55,10 @@ Sample output: ==== -[[auto-mode-create-roles,auto-mode-create-roles.title]] +[#auto-mode-create-roles] == IAM Roles for EKS Auto Mode Clusters -[[auto-roles-cluster-iam-role,auto-roles-cluster-iam-role.title]] +[#auto-roles-cluster-iam-role] === Cluster IAM Role EKS Auto Mode requires a Cluster IAM Role to perform actions in your {aws} account, such as provisioning new EC2 instances. You must create this role to grant EKS the necessary permissions. {aws} recommends attaching the following {aws} managed policies to the Cluster IAM Role: @@ -69,7 +69,7 @@ EKS Auto Mode requires a Cluster IAM Role to perform actions in your {aws} accou * xref:security-iam-awsmanpol-AmazonEKSNetworkingPolicy[AmazonEKSNetworkingPolicy] * xref:security-iam-awsmanpol-amazoneksclusterpolicy[AmazonEKSClusterPolicy] -[[auto-roles-node-iam-role,auto-roles-node-iam-role.title]] +[#auto-roles-node-iam-role] === Node IAM Role When you create an EKS Auto Mode cluster, you specify a Node IAM Role. When EKS Auto Mode creates nodes to process pending workloads, each new EC2 instance node is assigned the Node IAM Role. This role allows the node to communicate with EKS but is generally not accessed by workloads running on the node. diff --git a/latest/ug/automode/automode-get-started-console.adoc b/latest/ug/automode/automode-get-started-console.adoc index 4c4380bc1..77cfee578 100644 --- a/latest/ug/automode/automode-get-started-console.adoc +++ b/latest/ug/automode/automode-get-started-console.adoc @@ -1,7 +1,7 @@ include::../attributes.txt[] [.topic] -[[automode-get-started-console,automode-get-started-console.title]] +[#automode-get-started-console] = Create an EKS Auto Mode Cluster with the {aws-management-console} :info_titleabbrev: Management console diff --git a/latest/ug/automode/automode-get-started-eksctl.adoc b/latest/ug/automode/automode-get-started-eksctl.adoc index cc3a1c1fa..884b180cf 100644 --- a/latest/ug/automode/automode-get-started-eksctl.adoc +++ b/latest/ug/automode/automode-get-started-eksctl.adoc @@ -1,5 +1,5 @@ [.topic] -[[automode-get-started-eksctl,automode-get-started-eksctl.title]] +[#automode-get-started-eksctl] = Create an EKS Auto Mode Cluster with the eksctl CLI :config: configuration :info_titleabbrev: eksctl CLI diff --git a/latest/ug/automode/automode-learn-instances.adoc b/latest/ug/automode/automode-learn-instances.adoc index b7347e0a3..e1f607ca8 100644 --- a/latest/ug/automode/automode-learn-instances.adoc +++ b/latest/ug/automode/automode-learn-instances.adoc @@ -1,5 +1,5 @@ [.topic] -[[automode-learn-instances,automode-learn-instances.title]] +[#automode-learn-instances] = Learn about Amazon EKS Auto Mode Managed instances :am: EKS Auto Mode :aam: Amazon {am} diff --git a/latest/ug/automode/automode-workload.adoc b/latest/ug/automode/automode-workload.adoc index 28ecd7e30..43f8bd8d6 100644 --- a/latest/ug/automode/automode-workload.adoc +++ b/latest/ug/automode/automode-workload.adoc @@ -1,5 +1,5 @@ [.topic] -[[automode-workload,automode-workload.title]] +[#automode-workload] = Deploy a sample inflate workload to an Amazon EKS Auto Mode cluster :info_titleabbrev: Deploy inflate workload diff --git a/latest/ug/automode/automode.adoc b/latest/ug/automode/automode.adoc index 320aec32c..311b9f8df 100644 --- a/latest/ug/automode/automode.adoc +++ b/latest/ug/automode/automode.adoc @@ -1,4 +1,4 @@ -[[automode,automode.title]] +[#automode] = Automate cluster infrastructure with EKS Auto Mode :toclevels: 2 :toc: diff --git a/latest/ug/automode/create-auto.adoc b/latest/ug/automode/create-auto.adoc index e33d561a8..b8efebe2d 100644 --- a/latest/ug/automode/create-auto.adoc +++ b/latest/ug/automode/create-auto.adoc @@ -1,5 +1,5 @@ [.topic] -[[create-auto,create-auto.title]] +[#create-auto] = Create a cluster with Amazon EKS Auto Mode :icons: font :experimental: diff --git a/latest/ug/automode/create-node-class.adoc b/latest/ug/automode/create-node-class.adoc index 2f526631d..3cbebd778 100644 --- a/latest/ug/automode/create-node-class.adoc +++ b/latest/ug/automode/create-node-class.adoc @@ -1,5 +1,5 @@ [.topic] -[[create-node-class,create-node-class.title]] +[#create-node-class] = Create a Node Class for Amazon EKS :info_titleabbrev: Create node class diff --git a/latest/ug/automode/create-node-pool.adoc b/latest/ug/automode/create-node-pool.adoc index 873857d33..f656ce2da 100644 --- a/latest/ug/automode/create-node-pool.adoc +++ b/latest/ug/automode/create-node-pool.adoc @@ -1,5 +1,5 @@ [.topic] -[[create-node-pool,create-node-pool.title]] +[#create-node-pool] = Create a Node Pool for EKS Auto Mode :info_titleabbrev: Create node pool diff --git a/latest/ug/automode/create-storage-class.adoc b/latest/ug/automode/create-storage-class.adoc index 8fbc6df82..ba7f2cca4 100644 --- a/latest/ug/automode/create-storage-class.adoc +++ b/latest/ug/automode/create-storage-class.adoc @@ -1,5 +1,5 @@ [.topic] -[[create-storage-class,create-storage-class.title]] +[#create-storage-class] = Create a Storage Class :info_titleabbrev: Create storage class @@ -216,7 +216,7 @@ For more information, see: * <> -[[auto-install-snapshot-controller,auto-install-snapshot-controller.title]] +[#auto-install-snapshot-controller] === To install snapshot controller in system node pool . Open your EKS cluster in the {aws} console diff --git a/latest/ug/automode/critical-workload.adoc b/latest/ug/automode/critical-workload.adoc index 0ea2acbc0..a94fb41e9 100644 --- a/latest/ug/automode/critical-workload.adoc +++ b/latest/ug/automode/critical-workload.adoc @@ -1,5 +1,5 @@ [.topic] -[[critical-workload,critical-workload.title]] +[#critical-workload] = Run critical add-ons on dedicated instances :info_titleabbrev: Run critical add-ons diff --git a/latest/ug/automode/migrate-auto.adoc b/latest/ug/automode/migrate-auto.adoc index 171a2dfaa..1d8ad8d9f 100644 --- a/latest/ug/automode/migrate-auto.adoc +++ b/latest/ug/automode/migrate-auto.adoc @@ -1,5 +1,5 @@ [.topic] -[[migrate-auto,migrate-auto.title]] +[#migrate-auto] = Enable EKS Auto Mode on existing EKS clusters :icons: font :experimental: diff --git a/latest/ug/automode/old/hpa_scaling.adoc b/latest/ug/automode/old/hpa_scaling.adoc index de510943e..5284c28c1 100644 --- a/latest/ug/automode/old/hpa_scaling.adoc +++ b/latest/ug/automode/old/hpa_scaling.adoc @@ -1,5 +1,5 @@ [.topic] -[[auto-hpa-scaling,auto-hpa-scaling.title]] +[#auto-hpa-scaling] = End-to-end Compute Autoscaling with HPA include::../attributes.txt[] diff --git a/latest/ug/automode/sample-storage-workload.adoc b/latest/ug/automode/sample-storage-workload.adoc index 7a379114e..0494416d9 100644 --- a/latest/ug/automode/sample-storage-workload.adoc +++ b/latest/ug/automode/sample-storage-workload.adoc @@ -1,5 +1,5 @@ [.topic] -[[sample-storage-workload,sample-storage-workload.title]] +[#sample-storage-workload] = Deploy a sample stateful workload to EKS Auto Mode :info_titleabbrev: Deploy stateful workload diff --git a/latest/ug/automode/set-builtin-node-pools.adoc b/latest/ug/automode/set-builtin-node-pools.adoc index dd72707d8..ca391332d 100644 --- a/latest/ug/automode/set-builtin-node-pools.adoc +++ b/latest/ug/automode/set-builtin-node-pools.adoc @@ -1,5 +1,5 @@ [.topic] -[[set-builtin-node-pools,set-builtin-node-pools.title]] +[#set-builtin-node-pools] = Enable or Disable Built-in NodePools :info_titleabbrev: Review built-in node pools diff --git a/latest/ug/automode/settings-auto.adoc b/latest/ug/automode/settings-auto.adoc index dc0e899e6..95d4951a4 100644 --- a/latest/ug/automode/settings-auto.adoc +++ b/latest/ug/automode/settings-auto.adoc @@ -1,5 +1,5 @@ [.topic] -[[settings-auto,settings-auto.title]] +[#settings-auto] = Configure EKS Auto Mode settings :icons: font :experimental: diff --git a/latest/ug/automode/troubleshoot-lbc.adoc b/latest/ug/automode/troubleshoot-lbc.adoc index 3c7163b6d..3e2149819 100644 --- a/latest/ug/automode/troubleshoot-lbc.adoc +++ b/latest/ug/automode/troubleshoot-lbc.adoc @@ -1,5 +1,5 @@ [.topic] -[[troubleshoot-lbc,troubleshoot-lbc.title]] +[#troubleshoot-lbc] # Troubleshooting Amazon EKS Auto Mode Load Balancer Controller [NOTE] diff --git a/latest/ug/automode/wip.adoc b/latest/ug/automode/wip.adoc index 3af0153ce..bd51d980c 100644 --- a/latest/ug/automode/wip.adoc +++ b/latest/ug/automode/wip.adoc @@ -1,5 +1,5 @@ [.topic] -[[auto-wip,auto-wip.title]] +[#auto-wip] = EKS Auto Mode: Revisions to existing pages WIP :toc: left diff --git a/latest/ug/automode/wip/create-vpc-console.adoc b/latest/ug/automode/wip/create-vpc-console.adoc index 0f9598fbf..1f537dd4d 100644 --- a/latest/ug/automode/wip/create-vpc-console.adoc +++ b/latest/ug/automode/wip/create-vpc-console.adoc @@ -1,5 +1,5 @@ [.topic] -[[create-vpc-console,create-vpc-console.title]] +[#create-vpc-console] = Create a VPC for Amazon EKS with the web console include::../../attributes.txt[] diff --git a/latest/ug/automode/wip/eksctl-docs.adoc b/latest/ug/automode/wip/eksctl-docs.adoc index c0cc1d8dd..574d6b497 100644 --- a/latest/ug/automode/wip/eksctl-docs.adoc +++ b/latest/ug/automode/wip/eksctl-docs.adoc @@ -1,5 +1,5 @@ [.topic] -[[eksctl-docs,eksctl-docs.title]] +[#eksctl-docs] = EKS Auto Mode include::../../attributes.txt[] diff --git a/latest/ug/automode/wip/tag-subnets.adoc b/latest/ug/automode/wip/tag-subnets.adoc index 91e069f36..190ac2967 100644 --- a/latest/ug/automode/wip/tag-subnets.adoc +++ b/latest/ug/automode/wip/tag-subnets.adoc @@ -1,5 +1,5 @@ [.topic] -[[tag-subnets,tag-subnets.title]] +[#tag-subnets] = Tag VPC Subnets for Load Balancer Deployment include::../../attributes.txt[] diff --git a/latest/ug/clusters/autoscaling.adoc b/latest/ug/clusters/autoscaling.adoc index cd49ffa38..920453c85 100644 --- a/latest/ug/clusters/autoscaling.adoc +++ b/latest/ug/clusters/autoscaling.adoc @@ -1,5 +1,5 @@ [.topic] -[[autoscaling,autoscaling.title]] +[#autoscaling] = Scale cluster compute with [.noloc]`Karpenter` and [.noloc]`Cluster Autoscaler` :info_titleabbrev: Autoscaling diff --git a/latest/ug/clusters/cluster-endpoint.adoc b/latest/ug/clusters/cluster-endpoint.adoc index 310135d06..e5c9cafdb 100644 --- a/latest/ug/clusters/cluster-endpoint.adoc +++ b/latest/ug/clusters/cluster-endpoint.adoc @@ -1,5 +1,5 @@ [.topic] -[[cluster-endpoint,cluster-endpoint.title]] +[#cluster-endpoint] = Control network access to cluster API server endpoint :info_titleabbrev: Configure endpoint access @@ -14,7 +14,7 @@ This topic helps you to enable private access for your Amazon EKS cluster's [.no When you create a new cluster, Amazon EKS creates an endpoint for the managed [.noloc]`Kubernetes` API server that you use to communicate with your cluster (using [.noloc]`Kubernetes` management tools such as `kubectl`). By default, this API server endpoint is public to the internet, and access to the API server is secured using a combination of {aws} Identity and Access Management (IAM) and native [.noloc]`Kubernetes` https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Role Based Access Control] (RBAC). This endpoint is known as the _cluster public endpoint_. Also there is a _cluster private endpoint_. For more information about the cluster private endpoint, see the following section <>. -[[cluster-endpoint-ipv6,cluster-endpoint-ipv6.title]] +[#cluster-endpoint-ipv6] == `IPv6` cluster endpoint format EKS creates a unique dual-stack endpoint in the following format for new `IPv6` clusters that are made after October 2024. An _IPv6 cluster_ is a cluster that you select `IPv6` in the IP family (`ipFamily`) setting of the cluster. @@ -40,7 +40,7 @@ EKS cluster public/private endpoint: The dual-stack cluster endpoint was introduced in October 2024. For more information about `IPv6` clusters, see <>. Clusters made before October 2024, use following endpoint format instead. ==== -[[cluster-endpoint-ipv4,cluster-endpoint-ipv4.title]] +[#cluster-endpoint-ipv4] == `IPv4` cluster endpoint format EKS creates a unique endpoint in the following format for each cluster that select `IPv4` in the IP family (ipFamily) setting of the cluster: @@ -66,7 +66,7 @@ EKS cluster public/private endpoint Before October 2024, `IPv6` clusters used this endpoint format also. For those clusters, both the public endpoint and the private endpoint have only `IPv4` addresses resolve from this endpoint. ==== -[[cluster-endpoint-private,cluster-endpoint-private.title]] +[#cluster-endpoint-private] == Cluster private endpoint You can enable private access to the [.noloc]`Kubernetes` API server so that all communication between your nodes and the API server stays within your VPC. You can limit the IP addresses that can access your API server from the internet, or completely disable internet access to the API server. @@ -82,7 +82,7 @@ When you enable endpoint private access for your cluster, Amazon EKS creates a R You can define your API server endpoint access requirements when you create a new cluster, and you can update the API server endpoint access for a cluster at any time. -[[modify-endpoint-access,modify-endpoint-access.title]] +[#modify-endpoint-access] == Modifying cluster endpoint access Use the procedures in this section to modify the endpoint access for an existing cluster. The following table shows the supported API server endpoint access combinations and their associated behavior. @@ -226,7 +226,7 @@ An example output is as follows. ---- -[[private-access,private-access.title]] +[#private-access] == Accessing a private only API server If you have disabled public access for your cluster's [.noloc]`Kubernetes` API server endpoint, you can only access the API server from within your VPC or a link:whitepapers/latest/aws-vpc-connectivity-options/introduction.html[connected network,type="documentation"]. Here are a few possible ways to access the [.noloc]`Kubernetes` API server endpoint: diff --git a/latest/ug/clusters/cluster-insights.adoc b/latest/ug/clusters/cluster-insights.adoc index dfc2065c6..60f906913 100644 --- a/latest/ug/clusters/cluster-insights.adoc +++ b/latest/ug/clusters/cluster-insights.adoc @@ -1,5 +1,5 @@ [.topic] -[[cluster-insights,cluster-insights.title]] +[#cluster-insights] = Prepare for [.noloc]`Kubernetes` version upgrades with cluster insights :info_titleabbrev: Cluster insights :keywords: cluster, upgrade, insights @@ -23,7 +23,7 @@ Amazon EKS upgrade insights speed up the testing and verification process for ne Cluster insights update periodically. You cannot manually refresh cluster insights. If you fix a cluster issue, it will take some time for cluster insights to update. To determine if a fix was successful, compare the time the change deployed to the "last refresh time" of the cluster insight. -[[cluster-insights-console,cluster-insights-console.title]] +[#cluster-insights-console] == View cluster insights (Console) . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. . From the cluster list, choose the name of the Amazon EKS cluster for which you want to see the insights. @@ -39,7 +39,7 @@ Cluster insights update periodically. You cannot manually refresh cluster insigh ** *Description* – Information from the insight check, which includes the alert and recommended actions for remediation. -[[cluster-insights-cli,cluster-insights-cli.title]] +[#cluster-insights-cli] == View cluster insights ({aws} CLI) . Determine which cluster you would like to check for insights. The following command lists the insights for a specified cluster. Make the following modifications to the command as needed and then run the modified command: + diff --git a/latest/ug/clusters/clusters.adoc b/latest/ug/clusters/clusters.adoc index a6e56f22b..f51526227 100644 --- a/latest/ug/clusters/clusters.adoc +++ b/latest/ug/clusters/clusters.adoc @@ -1,4 +1,4 @@ -[[clusters,clusters.title]] +[#clusters] = Organize workloads with Amazon EKS clusters :doctype: book :sectnums: diff --git a/latest/ug/clusters/create-cluster-auto.adoc b/latest/ug/clusters/create-cluster-auto.adoc index 4c77ef4d9..7abacd212 100644 --- a/latest/ug/clusters/create-cluster-auto.adoc +++ b/latest/ug/clusters/create-cluster-auto.adoc @@ -1,5 +1,5 @@ [.topic] -[[create-cluster-auto,create-cluster-auto.title]] +[#create-cluster-auto] = Create an Amazon EKS Auto Mode cluster :info_titleabbrev: Create auto cluster :idprefix: id_ diff --git a/latest/ug/clusters/create-cluster.adoc b/latest/ug/clusters/create-cluster.adoc index 8749d83b0..3dd7f2a8d 100644 --- a/latest/ug/clusters/create-cluster.adoc +++ b/latest/ug/clusters/create-cluster.adoc @@ -1,5 +1,5 @@ [.topic] -[[create-cluster,create-cluster.title]] +[#create-cluster] = Create an Amazon EKS cluster :info_titleabbrev: Create a cluster @@ -86,7 +86,7 @@ You can create a cluster by using: * xref:step2-console[the {aws-management-console}] * xref:step2-cli[the {aws} CLI] -[[step2-eksctl,step2-eksctl.title]] +[#step2-eksctl] === Create cluster - eksctl . You need version `{eksctl-min-version}` or later of the `eksctl` command line tool installed on your device or {aws} CloudShell. To install or update `eksctl`, see https://eksctl.io/installation[Installation] in the `eksctl` documentation. @@ -137,7 +137,7 @@ You can only specify this option when using the `IPv4` address family and only a + [.noloc]`Kubernetes` assigns `IPv4` addresses to [.noloc]`Pods` and services, by default. Before deciding to use the `IPv6` family, make sure that you're familiar with all of the considerations and requirements in the xref:network-requirements-vpc[VPC requirements and considerations,linkend=network-requirements-vpc], xref:network-requirements-subnets[Subnet requirements and considerations,linkend=network-requirements-subnets], xref:sec-group-reqs[View Amazon EKS security group requirements for clusters,linkend=sec-group-reqs], and <> topics. If you choose the `IPv6` family, you can't specify an address range for [.noloc]`Kubernetes` to assign `IPv6` service addresses from like you can for the `IPv4` family. [.noloc]`Kubernetes` assigns service addresses from the unique local address range (`fc00::/7`). -[[step2-console,step2-console.title]] +[#step2-console] === Create cluster - {aws} console . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. @@ -213,7 +213,7 @@ NOTE: You might receive an error that one of the Availability Zones in your requ Cluster provisioning takes several minutes. . Continue with <> -[[step2-cli,step2-cli.title]] +[#step2-cli] === Create cluster - {aws} CLI . Create your cluster with the command that follows. Before running the command, make the following replacements: + @@ -270,7 +270,7 @@ aws eks describe-cluster --region region-code --name my-cluster --query "cluster Don't proceed to the next step until the output returned is `ACTIVE`. . Continue with <> -[[step3,step3.title]] +[#step3] == Step 3: Update kubeconfig . If you created your cluster using `eksctl`, then you can skip this step. This is because `eksctl` already completed this step for you. Enable `kubectl` to communicate with your cluster by adding a new context to the `kubectl` `config` file. For more information about how to create and update the file, see <>. + diff --git a/latest/ug/clusters/delete-cluster.adoc b/latest/ug/clusters/delete-cluster.adoc index d1dc98170..c678bc09c 100644 --- a/latest/ug/clusters/delete-cluster.adoc +++ b/latest/ug/clusters/delete-cluster.adoc @@ -1,5 +1,5 @@ [.topic] -[[delete-cluster,delete-cluster.title]] +[#delete-cluster] = Delete a cluster :info_titleabbrev: Delete a cluster diff --git a/latest/ug/clusters/disable-extended-support.adoc b/latest/ug/clusters/disable-extended-support.adoc index 3fef2d580..5470e9dc2 100644 --- a/latest/ug/clusters/disable-extended-support.adoc +++ b/latest/ug/clusters/disable-extended-support.adoc @@ -1,5 +1,5 @@ [.topic] -[[disable-extended-support,disable-extended-support.title]] +[#disable-extended-support] = Prevent increased cluster costs by disabling EKS extended support :info_titleabbrev: Disable extended support @@ -18,14 +18,14 @@ You cannot disable extended support once your cluster has entered it. You can on ==== -[[disable-support-policy-console,disable-support-policy-console.title]] +[#disable-support-policy-console] == Disable EKS extended support ({aws} Console) . Navigate to your EKS cluster in the {aws} Console. Select the *Overview* tab on the *Cluster Info* page. . In the *Kubernetes version setting* section, select *Manage*. . Select *Standard support* and then *Save changes*. -[[disable-support-policy-cli,disable-support-policy-cli.title]] +[#disable-support-policy-cli] == Disable EKS extended support ({aws} CLI) . Verify the {aws} CLI is installed and you are logged in. link:cli/latest/userguide/getting-started-install.html[Learn how to update and install the {aws} CLI.,type="documentation"] . Determine the name of your EKS cluster. diff --git a/latest/ug/clusters/disable-windows-support.adoc b/latest/ug/clusters/disable-windows-support.adoc index 1f4a1acf9..808d1f68e 100644 --- a/latest/ug/clusters/disable-windows-support.adoc +++ b/latest/ug/clusters/disable-windows-support.adoc @@ -1,5 +1,5 @@ [.topic] -[[disable-windows-support,disable-windows-support.title]] +[#disable-windows-support] = Disable [.noloc]`Windows` support include::../attributes.txt[] diff --git a/latest/ug/clusters/enable-extended-support.adoc b/latest/ug/clusters/enable-extended-support.adoc index 684929587..8d43daf07 100644 --- a/latest/ug/clusters/enable-extended-support.adoc +++ b/latest/ug/clusters/enable-extended-support.adoc @@ -1,5 +1,5 @@ [.topic] -[[enable-extended-support,enable-extended-support.title]] +[#enable-extended-support] = Add flexibility to plan Kubernetes version upgrades by enabling EKS extended support :info_titleabbrev: Enable extended support @@ -22,14 +22,14 @@ If you do not enable extended support, your cluster will be automatically upgrad ==== -[[enable-support-policy-console,enable-support-policy-console.title]] +[#enable-support-policy-console] == Enable EKS extended support ({aws} Console) . Navigate to your EKS cluster in the {aws} Console. Select the *Overview* tab on the *Cluster Info* page. . In the *Kubernetes version settings* section, select *Manage*. . Select *Extended support* and then *Save changes*. -[[enable-support-policy-cli,enable-support-policy-cli.title]] +[#enable-support-policy-cli] == Enable EKS extended support ({aws} CLI) . Verify the {aws} CLI is installed and you are logged in. link:cli/latest/userguide/getting-started-install.html[Learn how to update and install the {aws} CLI.,type="documentation"] . Determine the name of your EKS cluster. diff --git a/latest/ug/clusters/kubernetes-versions-extended.adoc b/latest/ug/clusters/kubernetes-versions-extended.adoc index 154d94f09..9b83d3c6f 100644 --- a/latest/ug/clusters/kubernetes-versions-extended.adoc +++ b/latest/ug/clusters/kubernetes-versions-extended.adoc @@ -1,5 +1,5 @@ [.topic] -[[kubernetes-versions-extended,kubernetes-versions-extended.title]] +[#kubernetes-versions-extended] = Review release notes for [.noloc]`Kubernetes` versions on extended support :info_titleabbrev: Extended support versions @@ -12,7 +12,7 @@ This topic gives important changes to be aware of for each [.noloc]`Kubernetes` This topic gives important changes to be aware of for each [.noloc]`Kubernetes` version in extended support. When upgrading, carefully review the changes that have occurred between the old and new versions for your cluster. -[[kubernetes-1.28,kubernetes-1.28.title]] +[#kubernetes-1-28] == [.noloc]`Kubernetes` 1.28 [.noloc]`Kubernetes` `1.28` is now available in Amazon EKS. For more information about [.noloc]`Kubernetes` `1.28`, see the https://kubernetes.io/blog/2023/08/15/kubernetes-v1-28-release/[official release announcement]. @@ -25,7 +25,7 @@ This topic gives important changes to be aware of for each [.noloc]`Kubernetes` For the complete [.noloc]`Kubernetes` `1.28` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1270. -[[kubernetes-1.27,kubernetes-1.27.title]] +[#kubernetes-1-27] == [.noloc]`Kubernetes` 1.27 [.noloc]`Kubernetes` `1.27` is now available in Amazon EKS. For more information about [.noloc]`Kubernetes` `1.27`, see the https://kubernetes.io/blog/2023/04/11/kubernetes-v1-27-release/[official release announcement]. @@ -51,7 +51,7 @@ kubectl get pods --all-namespaces -o json | grep -E 'seccomp.security.alpha.kube For the complete [.noloc]`Kubernetes` `1.27` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1260. -[[kubernetes-1.26,kubernetes-1.26.title]] +[#kubernetes-1-26] == [.noloc]`Kubernetes` 1.26 [.noloc]`Kubernetes` `1.26` is now available in Amazon EKS. For more information about [.noloc]`Kubernetes` `1.26`, see the https://kubernetes.io/blog/2022/12/09/kubernetes-v1-26-release/[official release announcement]. @@ -68,7 +68,7 @@ For the complete [.noloc]`Kubernetes` `1.27` changelog, see https://github.com/k For the complete [.noloc]`Kubernetes` `1.26` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1250. -[[kubernetes-1.25,kubernetes-1.25.title]] +[#kubernetes-1-25] == [.noloc]`Kubernetes` 1.25 [.noloc]`Kubernetes` `1.25` is now available in Amazon EKS. For more information about [.noloc]`Kubernetes` `1.25`, see the https://kubernetes.io/blog/2022/08/23/kubernetes-v1-25-release/[official release announcement]. @@ -97,7 +97,7 @@ Upon upgrading to Amazon EKS version `1.25` or higher, this updated behavior mig For the complete [.noloc]`Kubernetes` `1.25` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1240. -[[kubernetes-1.24,kubernetes-1.24.title]] +[#kubernetes-1-24] == [.noloc]`Kubernetes` 1.24 [.noloc]`Kubernetes` `1.24` is now available in Amazon EKS. For more information about [.noloc]`Kubernetes` `1.24`, see the https://kubernetes.io/blog/2022/05/03/kubernetes-1-24-release-announcement/[official release announcement]. @@ -130,7 +130,7 @@ If you need to block `IPv6` for all [.noloc]`Pods` across all nodes, you might h For the complete [.noloc]`Kubernetes` `1.24` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1230. -[[kubernetes-1.23,kubernetes-1.23.title]] +[#kubernetes-1-23] == [.noloc]`Kubernetes` 1.23 [.noloc]`Kubernetes` `1.23` is now available in Amazon EKS. For more information about [.noloc]`Kubernetes` `1.23`, see the https://kubernetes.io/blog/2021/12/07/kubernetes-1-23-release-announcement/[official release announcement]. diff --git a/latest/ug/clusters/kubernetes-versions-standard.adoc b/latest/ug/clusters/kubernetes-versions-standard.adoc index 6d4447a23..56e4e4754 100644 --- a/latest/ug/clusters/kubernetes-versions-standard.adoc +++ b/latest/ug/clusters/kubernetes-versions-standard.adoc @@ -1,5 +1,5 @@ [.topic] -[[kubernetes-versions-standard,kubernetes-versions-standard.title]] +[#kubernetes-versions-standard] = Review release notes for [.noloc]`Kubernetes` versions on standard support :info_titleabbrev: Standard support versions @@ -18,7 +18,7 @@ This topic gives important changes to be aware of for each [.noloc]`Kubernetes` For `1.24` and later clusters, officially published Amazon EKS AMIs include `containerd` as the only runtime. [.noloc]`Kubernetes` versions earlier than `1.24` use [.noloc]`Docker` as the default runtime. These versions have a bootstrap flag option that you can use to test out your workloads on any supported cluster with `containerd`. For more information, see <>. ==== -[[kubernetes-1.32,kubernetes-1.32.title]] +[#kubernetes-1-32] == [.noloc]`Kubernetes` 1.32 [.noloc]`Kubernetes` `1.32` is now available in Amazon EKS. For more information about [.noloc]`Kubernetes` `1.32`, see the https://kubernetes.io/blog/2024/12/13/kubernetes-v1-32-release/[official release announcement]. @@ -69,7 +69,7 @@ For Kubernetes versions 1.33 and later, EKS will not provide pre-built optimized NOTE: This update applies to EKS-optimized AL2 AMIs. For more information about the operating system itself, see link:amazon-linux-2/faqs/[Amazon Linux 2 FAQs,type="marketing"]. -[[kubernetes-1.31,kubernetes-1.31.title]] +[#kubernetes-1-31] == [.noloc]`Kubernetes` 1.31 [.noloc]`Kubernetes` `1.31` is now available in Amazon EKS. For more information about [.noloc]`Kubernetes` `1.31`, see the https://kubernetes.io/blog/2024/08/13/kubernetes-v1-31-release/[official release announcement]. @@ -89,7 +89,7 @@ NOTE: This update applies to EKS-optimized AL2 AMIs. For more information about For the complete [.noloc]`Kubernetes` `1.31` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.31.md -[[kubernetes-1.30,kubernetes-1.30.title]] +[#kubernetes-1-30] == [.noloc]`Kubernetes` 1.30 [.noloc]`Kubernetes` `1.30` is now available in Amazon EKS. For more information about [.noloc]`Kubernetes` `1.30`, see the https://kubernetes.io/blog/2024/04/17/kubernetes-v1-30-release/[official release announcement]. @@ -111,7 +111,7 @@ For the complete [.noloc]`Kubernetes` `1.31` changelog, see https://github.com/k For the complete [.noloc]`Kubernetes` `1.30` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md. -[[kubernetes-1.29,kubernetes-1.29.title]] +[#kubernetes-1-29] == [.noloc]`Kubernetes` 1.29 [.noloc]`Kubernetes` `1.29` is now available in Amazon EKS. For more information about [.noloc]`Kubernetes` `1.29`, see the https://kubernetes.io/blog/2023/12/13/kubernetes-v1-29-release/[official release announcement]. diff --git a/latest/ug/clusters/kubernetes-versions.adoc b/latest/ug/clusters/kubernetes-versions.adoc index 107c058c9..6939981a7 100644 --- a/latest/ug/clusters/kubernetes-versions.adoc +++ b/latest/ug/clusters/kubernetes-versions.adoc @@ -1,5 +1,5 @@ [.topic] -[[kubernetes-versions,kubernetes-versions.title]] +[#kubernetes-versions] = Understand the [.noloc]`Kubernetes` version lifecycle on EKS :info_titleabbrev: Kubernetes versions :keywords: Amazon EKS, available, Kubernetes, version, release notes @@ -25,7 +25,7 @@ We recommend that you create your cluster with the latest available [.noloc]`Kub video::_dJdAZ_J_jw[youtube,align = center,height = 405,fileref = https://www.youtube.com/embed/_dJdAZ_J_jw,width = 720] -[[available-versions,available-versions.title]] +[#available-versions] == Available versions on standard support The following [.noloc]`Kubernetes` versions are currently available in Amazon EKS standard support: @@ -37,7 +37,7 @@ The following [.noloc]`Kubernetes` versions are currently available in Amazon EK For important changes to be aware of for each version in standard support, see <>. -[[available-versions-extended,available-versions-extended.title]] +[#available-versions-extended] == Available versions on extended support The following [.noloc]`Kubernetes` versions are currently available in Amazon EKS extended support: @@ -51,7 +51,7 @@ The following [.noloc]`Kubernetes` versions are currently available in Amazon EK For important changes to be aware of for each version in extended support, see <>. -[[kubernetes-release-calendar,kubernetes-release-calendar.title]] +[#kubernetes-release-calendar] == Amazon EKS [.noloc]`Kubernetes` release calendar The following table shows important release and support dates to consider for each [.noloc]`Kubernetes` version. Billing for extended support starts at the beginning of the day that the version reaches end of standard support. @@ -127,7 +127,7 @@ Dates with only a month and a year are approximate and are updated with an exact |=== -[[version-cli,version-cli.title]] +[#version-cli] == Get version information with {AWS} CLI You can use the {aws} CLI to get information about Kubernetes versions available on EKS, such as the end date of Standard Support. @@ -173,7 +173,7 @@ aws eks describe-cluster-versions * `status`: The current support status of the version, such as `STANDARD_SUPPORT` or `EXTENDED_SUPPORT` * `kubernetesPatchVersion`: The specific Kubernetes patch version -[[version-faqs,version-faqs.title]] +[#version-faqs] == Amazon EKS version FAQs *How many [.noloc]`Kubernetes` versions are available in standard support?*:: @@ -211,7 +211,7 @@ IMPORTANT: If you update the control plane, you must still update the Fargate no Amazon EKS Hybrid Nodes supports the same Kubernetes versions as Amazon EKS clusters with other node compute types, including standard and extended Kubernetes version support. Hybrid nodes are not automatically upgraded when you upgrade your control plane version and you are responsible for upgrading your hybrid nodes. For more information, see <>. -[[extended-support-faqs,extended-support-faqs.title]] +[#extended-support-faqs] == Amazon EKS extended support FAQs *The standard support and extended support terminology is new to me. What do those terms mean?*:: diff --git a/latest/ug/clusters/management/cost-monitoring-aws.adoc b/latest/ug/clusters/management/cost-monitoring-aws.adoc index 7f3c02723..e2c6a19c2 100644 --- a/latest/ug/clusters/management/cost-monitoring-aws.adoc +++ b/latest/ug/clusters/management/cost-monitoring-aws.adoc @@ -1,7 +1,7 @@ include::../../attributes.txt[] [.topic] -[[cost-monitoring-aws,cost-monitoring-aws.title]] +[#cost-monitoring-aws] = View costs by Pod in {aws} billing with split cost allocation :info_titleabbrev: View costs by Pod @@ -17,7 +17,7 @@ You can use {aws} split cost allocation data for Amazon EKS to get granular cost For more information about using split cost allocation data, see link:cur/latest/userguide/split-cost-allocation-data.html[Understanding split cost allocation data,type="documentation"] in the {aws} Billing User Guide. -[[task-cur-setup,task-cur-setup.title]] +[#task-cur-setup] == Set up Cost and Usage Reports You can turn on Split Cost Allocation Data for EKS in the Cost Management Console, {aws} Command Line Interface, or the {aws} SDKs. diff --git a/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc b/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc index 423016dcb..9f2a681ce 100644 --- a/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc +++ b/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc @@ -1,5 +1,5 @@ [.topic] -[[cost-monitoring-kubecost-bundles,cost-monitoring-kubecost-bundles.title]] +[#cost-monitoring-kubecost-bundles] = Learn more about Kubecost include::../../attributes.txt[] @@ -14,7 +14,7 @@ As a [.noloc]`Kubernetes` platform administrator and finance leader, you can use {aws} and [.noloc]`Kubecost` collaborated to offer a customized version of [.noloc]`Kubecost`. This version includes a subset of commercial features at no additional charge. See the tables below for features that are included with in the custom bundle of [.noloc]`Kubecost`. -[[kubecost-v2,kubecost-v2.title]] +[#kubecost-v2] == Kubecost v2 *What is the difference between [.noloc]`Kubecost` v1 and v2?* @@ -163,7 +163,7 @@ The following features have metric limits: |No core limits |=== -[[kubecost-v1,kubecost-v1.title]] +[#kubecost-v1] == Kubecost v1 [cols="1,1,1,1", options="header"] @@ -250,7 +250,7 @@ The following features have metric limits: |Full-service training and [.noloc]`FinOps` onboarding |=== -[[cost-monitoring-faq,cost-monitoring-faq.title]] +[#cost-monitoring-faq] == Frequently asked questions See the following common questions and answers about using [.noloc]`Kubecost` with Amazon EKS. @@ -315,7 +315,7 @@ Kubecost provides a web dashboard that you can access through `kubectl` port for No. -[[kubecost-additional,kubecost-additional.title]] +[#kubecost-additional] == Additional [.noloc]`Kubecost` Features * The following features are available in both [.noloc]`Kubecost` v1 and v2. diff --git a/latest/ug/clusters/management/cost-monitoring-kubecost.adoc b/latest/ug/clusters/management/cost-monitoring-kubecost.adoc index 8967534aa..dc19be4bb 100644 --- a/latest/ug/clusters/management/cost-monitoring-kubecost.adoc +++ b/latest/ug/clusters/management/cost-monitoring-kubecost.adoc @@ -1,5 +1,5 @@ [.topic] -[[cost-monitoring-kubecost,cost-monitoring-kubecost.title]] +[#cost-monitoring-kubecost] = Install Kubecost and access dashboard :info_titleabbrev: Install Kubecost @@ -21,7 +21,7 @@ Kubecost v2 introduces several major new features. <>, such as Kubecost. -[[kubecost-helm,kubecost-helm.title]] +[#kubecost-helm] == Install Kubecost using Helm * An existing Amazon EKS cluster. To deploy one, see <>. The cluster must have Amazon EC2 nodes because you can't run [.noloc]`Kubecost` on Fargate nodes. @@ -71,7 +71,7 @@ kubectl delete ns kubecost -[[kubecost-dashboard,kubecost-dashboard.title]] +[#kubecost-dashboard] == Access Kubecost Dashboard . Make sure the required [.noloc]`Pods` are running. + diff --git a/latest/ug/clusters/management/cost-monitoring.adoc b/latest/ug/clusters/management/cost-monitoring.adoc index 2befea777..a08a9419f 100644 --- a/latest/ug/clusters/management/cost-monitoring.adoc +++ b/latest/ug/clusters/management/cost-monitoring.adoc @@ -1,5 +1,5 @@ [.topic] -[[cost-monitoring,cost-monitoring.title]] +[#cost-monitoring] = Monitor and optimize Amazon EKS cluster costs :info_titleabbrev: Cost monitoring :keywords: cost, monitoring, watch diff --git a/latest/ug/clusters/management/eks-managing.adoc b/latest/ug/clusters/management/eks-managing.adoc index 73fc3f50d..ca89a6562 100644 --- a/latest/ug/clusters/management/eks-managing.adoc +++ b/latest/ug/clusters/management/eks-managing.adoc @@ -1,4 +1,4 @@ -[[eks-managing,eks-managing.title]] +[#eks-managing] = Organize and monitor cluster resources :doctype: book :sectnums: diff --git a/latest/ug/clusters/management/eks-using-tags.adoc b/latest/ug/clusters/management/eks-using-tags.adoc index 4bc28669c..d84ce1b32 100644 --- a/latest/ug/clusters/management/eks-using-tags.adoc +++ b/latest/ug/clusters/management/eks-using-tags.adoc @@ -1,5 +1,5 @@ [.topic] -[[eks-using-tags,eks-using-tags.title]] +[#eks-using-tags] = Organize Amazon EKS resources with tags :info_titleabbrev: Tagging your resources :keywords: metadata, tag, resources @@ -28,7 +28,7 @@ Tags are a type of metadata that's separate from [.noloc]`Kubernetes` labels and ==== -[[tag-basics,tag-basics.title]] +[#tag-basics] == Tag basics A tag is a label that you assign to an {aws} resource. Each tag consists of a _key_ and an optional _value_. @@ -41,7 +41,7 @@ Tags don't have any semantic meaning to Amazon EKS and are interpreted strictly If you use {aws} Identity and Access Management (IAM), you can control which users in your {aws} account have permission to manage tags. -[[tag-resources,tag-resources.title]] +[#tag-resources] == Tagging your resources The following Amazon EKS resources support tags: @@ -64,7 +64,7 @@ When you use some resource-creating actions, you can also specify tags for the r Tags don't propagate to other resources that are associated with the resource that you create. For example, Fargate profile tags don't propagate to other resources that are associated with the Fargate profile, such as the [.noloc]`Pods` that are scheduled with it. -[[tag-restrictions,tag-restrictions.title]] +[#tag-restrictions] == Tag restrictions The following restrictions apply to tags: @@ -78,7 +78,7 @@ The following restrictions apply to tags: * Don't use `aws:`, `{aws}:`, or any upper or lowercase combination of such as a prefix for either keys or values. These are reserved only for {aws} use. You can't edit or delete tag keys or values with this prefix. Tags with this prefix don't count against your tags-per-resource limit. -[[tag-resources-for-billing,tag-resources-for-billing.title]] +[#tag-resources-for-billing] == Tagging your resources for billing When you apply tags to Amazon EKS clusters, you can use them for cost allocation in your *Cost & Usage Reports*. The metering data in your *Cost & Usage Reports* shows usage across all of your Amazon EKS clusters. For more information, see link:awsaccountbilling/latest/aboutv2/billing-reports-costusage.html[{aws} cost and usage report,type="documentation"] in the _{aws} Billing User Guide_. @@ -96,7 +96,7 @@ If you just enabled reporting, data for the current month is available for viewi *Cost Explorer* is a reporting tool that's available as part of the {aws} Free Tier. You can use *Cost Explorer* to view charts of your Amazon EKS resources from the last 13 months. You can also forecast how much you're likely to spend for the next three months. You can see patterns in how much you spend on {aws} resources over time. For example, you can use it to identify areas that need further inquiry and see trends that you can use to understand your costs. You also can specify time ranges for the data, and view time data by day or by month. -[[tag-resources-console,tag-resources-console.title]] +[#tag-resources-console] == Working with tags using the console Using the Amazon EKS console, you can manage the tags that are associated with new or existing clusters and managed node groups. @@ -105,12 +105,12 @@ When you select a resource-specific page in the Amazon EKS console, the page dis You can also use *Tag Editor* in the {aws-management-console}, which provides a unified way to manage your tags. For more information, see link:ARG/latest/userguide/tag-editor.html[Tagging your {aws} resources with Tag Editor,type="documentation"] in the _{aws} Tag Editor User Guide_. -[[adding-tags-creation,adding-tags-creation.title]] +[#adding-tags-creation] === Adding tags on a resource on creation You can add tags to Amazon EKS clusters, managed node groups, and Fargate profiles when you create them. For more information, see <>. -[[adding-or-deleting-tags,adding-or-deleting-tags.title]] +[#adding-or-deleting-tags] === Adding and deleting tags on a resource You can add or delete the tags that are associated with your clusters directly from the resource's page. @@ -128,7 +128,7 @@ You can add or delete the tags that are associated with your clusters directly f . Choose *Update* to finish. -[[tag-resources-api-sdk,tag-resources-api-sdk.title]] +[#tag-resources-api-sdk] == Working with tags using the CLI, API, or `eksctl` Use the following {aws} CLI commands or Amazon EKS API operations to add, update, list, and delete the tags for your resources. You can only use `eksctl` to add tags while simultaneously creating the new resources with one command. diff --git a/latest/ug/clusters/management/helm.adoc b/latest/ug/clusters/management/helm.adoc index 13cb893fb..d3dab98a3 100644 --- a/latest/ug/clusters/management/helm.adoc +++ b/latest/ug/clusters/management/helm.adoc @@ -1,5 +1,5 @@ [.topic] -[[helm,helm.title]] +[#helm] = Deploy applications with [.noloc]`Helm` on Amazon EKS :info_titleabbrev: Deploy apps with Helm diff --git a/latest/ug/clusters/management/metrics-server.adoc b/latest/ug/clusters/management/metrics-server.adoc index beb257393..a57b68066 100644 --- a/latest/ug/clusters/management/metrics-server.adoc +++ b/latest/ug/clusters/management/metrics-server.adoc @@ -1,5 +1,5 @@ [.topic] -[[metrics-server,metrics-server.title]] +[#metrics-server] = View resource usage with the [.noloc]`Kubernetes` [.noloc]`Metrics Server` :info_titleabbrev: Metrics server diff --git a/latest/ug/clusters/management/service-quotas.adoc b/latest/ug/clusters/management/service-quotas.adoc index 8e9749c7a..b76f0611d 100644 --- a/latest/ug/clusters/management/service-quotas.adoc +++ b/latest/ug/clusters/management/service-quotas.adoc @@ -1,5 +1,5 @@ [.topic] -[[service-quotas,service-quotas.title]] +[#service-quotas] = View and manage Amazon EKS and [.noloc]`Fargate` service quotas :info_titleabbrev: Service quotas @@ -13,7 +13,7 @@ Use Service Quotas to view and manage Amazon EKS and {aws} Fargate quotas from t Amazon EKS has integrated with Service Quotas, an {aws} service that you can use to view and manage your quotas from a central location. For more information, see link:servicequotas/latest/userguide/intro.html[What Is Service Quotas?,type="documentation"] in the _Service Quotas User Guide_. With Service Quotas integration, you can quickly look up the value of your Amazon EKS and {aws} Fargate service quotas using the {aws-management-console} and {aws} CLI. -[[service-quotas-console,service-quotas-console.title]] +[#service-quotas-console] == View EKS service quotas in the {aws-management-console} . Open the link:servicequotas/home/services/eks/quotas["Service Quotas console",type="console"]. @@ -55,7 +55,7 @@ NOTE: The quota returned is the number of Amazon ECS tasks or Amazon EKS [.noloc To work more with service quotas using the {aws} CLI, see link:cli/latest/reference/service-quotas/index.html[service-quotas,type="documentation"] in the _{aws} CLI Command Reference_. To request a quota increase, see the link:cli/latest/reference/service-quotas/request-service-quota-increase.html[request-service-quota-increase,type="documentation"] command in the _{aws} CLI Command Reference_. -[[sq-text,sq-text.title]] +[#sq-text] == Amazon EKS service quotas {aws} recommends using the {aws-management-console} to view your current quotas. For more information, see <>. @@ -72,7 +72,7 @@ The following quotas aren't available in Service Quotas: * You can use up to 15 CIDRs for Remote Node Networks and 15 CIDRs for Remote Pod Networks per cluster for hybrid nodes. This quota isn't adjustable. ==== -[[service-quotas-eks-fargate,service-quotas-eks-fargate.title]] +[#service-quotas-eks-fargate] == {aws} Fargate service quotas The *{aws} Fargate* service in the Service Quotas console lists several service quotas. You can configure alarms that alert you when your usage approaches a service quota. For more information, see <>. diff --git a/latest/ug/clusters/platform-versions.adoc b/latest/ug/clusters/platform-versions.adoc index 51f81c67e..13ecbbf16 100644 --- a/latest/ug/clusters/platform-versions.adoc +++ b/latest/ug/clusters/platform-versions.adoc @@ -1,5 +1,5 @@ [.topic] -[[platform-versions,platform-versions.title]] +[#platform-versions] = View Amazon EKS platform versions for each [.noloc]`Kubernetes` version :info_titleabbrev: Platform versions @@ -32,7 +32,7 @@ The current and recent Amazon EKS platform versions are described in the followi ==== -[[platform-versions-1.32,platform-versions-1.32.title]] +[#platform-versions-1-32] == [.noloc]`Kubernetes` version `1.32` The following admission controllers are enabled for all `1.32` platform versions: `NodeRestriction`, `ExtendedResourceToleration`, `NamespaceLifecycle`, `LimitRanger`, `ServiceAccount`, `TaintNodesByCondition`, `PodSecurity`, `Priority`, `DefaultTolerationSeconds`, `DefaultStorageClass`, `StorageObjectInUseProtection`, `PersistentVolumeClaimResize`, `RuntimeClass`, `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `MutatingAdmissionWebhook`, `ValidatingAdmissionWebhook`, `ResourceQuota`. @@ -46,12 +46,12 @@ The following admission controllers are enabled for all `1.32` platform versions | `1.32.0` | `eks.2` -| Initial release of Kubernetes version `1.32` for EKS. For more information, see <>. +| Initial release of Kubernetes version `1.32` for EKS. For more information, see <>. | January 2025 |=== -[[platform-versions-1.31,platform-versions-1.31.title]] +[#platform-versions-1-31] == [.noloc]`Kubernetes` version `1.31` The following admission controllers are enabled for all `1.31` platform versions: `NodeRestriction`, `ExtendedResourceToleration`, `NamespaceLifecycle`, `LimitRanger`, `ServiceAccount`, `TaintNodesByCondition`, `PodSecurity`, `Priority`, `DefaultTolerationSeconds`, `DefaultStorageClass`, `StorageObjectInUseProtection`, `PersistentVolumeClaimResize`, `RuntimeClass`, `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `MutatingAdmissionWebhook`, `ValidatingAdmissionWebhook`, `ResourceQuota`, `ObjectCount`. @@ -80,13 +80,13 @@ The following admission controllers are enabled for all `1.31` platform versions | `1.31.0` | `eks.4` -| Initial release of Kubernetes version `1.31` for EKS. For more information, see <>. +| Initial release of Kubernetes version `1.31` for EKS. For more information, see <>. | September 26, 2024 |=== -[[platform-versions-1.30,platform-versions-1.30.title]] +[#platform-versions-1-30] == [.noloc]`Kubernetes` version `1.30` The following admission controllers are enabled for all `1.30` platform versions: `NodeRestriction`, `ExtendedResourceToleration`, `NamespaceLifecycle`, `LimitRanger`, `ServiceAccount`, `TaintNodesByCondition`, `PodSecurity`, `Priority`, `DefaultTolerationSeconds`, `DefaultStorageClass`, `StorageObjectInUseProtection`, `PersistentVolumeClaimResize`, `RuntimeClass`, `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `MutatingAdmissionWebhook`, `ValidatingAdmissionWebhook`, `ResourceQuota`. @@ -136,11 +136,11 @@ The following admission controllers are enabled for all `1.30` platform versions | `1.30.0` | `eks.2` -| Initial release of Kubernetes version `1.30` for EKS. For more information, see <>. +| Initial release of Kubernetes version `1.30` for EKS. For more information, see <>. | May 23, 2024 |=== -[[platform-versions-1.29,platform-versions-1.29.title]] +[#platform-versions-1-29] == [.noloc]`Kubernetes` version `1.29` The following admission controllers are enabled for all `1.29` platform versions: `NodeRestriction`, `ExtendedResourceToleration`, `NamespaceLifecycle`, `LimitRanger`, `ServiceAccount`, `TaintNodesByCondition`, `PodSecurity`, `Priority`, `DefaultTolerationSeconds`, `DefaultStorageClass`, `StorageObjectInUseProtection`, `PersistentVolumeClaimResize`, `RuntimeClass`, `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `MutatingAdmissionWebhook`, `ValidatingAdmissionWebhook`, `ResourceQuota`. @@ -215,11 +215,11 @@ The following admission controllers are enabled for all `1.29` platform versions | `1.29.0` | `eks.1` -| Initial release of Kubernetes version `1.29` for EKS. For more information, see <>. +| Initial release of Kubernetes version `1.29` for EKS. For more information, see <>. | January 23, 2024 |=== -[[platform-versions-1.28,platform-versions-1.28.title]] +[#platform-versions-1-28] == [.noloc]`Kubernetes` version `1.28` The following admission controllers are enabled for all `1.28` platform versions: `NodeRestriction`, `ExtendedResourceToleration`, `NamespaceLifecycle`, `LimitRanger`, `ServiceAccount`, `TaintNodesByCondition`, `PodSecurity`, `Priority`, `DefaultTolerationSeconds`, `DefaultStorageClass`, `StorageObjectInUseProtection`, `PersistentVolumeClaimResize`, `RuntimeClass`, `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `MutatingAdmissionWebhook`, `ValidatingAdmissionWebhook`, `ResourceQuota`. @@ -323,11 +323,11 @@ The following admission controllers are enabled for all `1.28` platform versions | `1.28.1` | `eks.1` -| Initial release of Kubernetes version `1.28` for EKS. For more information, see <>. +| Initial release of Kubernetes version `1.28` for EKS. For more information, see <>. | September 26, 2023 |=== -[[platform-versions-1.27,platform-versions-1.27.title]] +[#platform-versions-1-27] == [.noloc]`Kubernetes` version `1.27` The following admission controllers are enabled for all `1.27` platform versions: `NodeRestriction`, `ExtendedResourceToleration`, `NamespaceLifecycle`, `LimitRanger`, `ServiceAccount`, `TaintNodesByCondition`, `PodSecurity`, `Priority`, `DefaultTolerationSeconds`, `DefaultStorageClass`, `StorageObjectInUseProtection`, `PersistentVolumeClaimResize`, `RuntimeClass`, `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `MutatingAdmissionWebhook`, `ValidatingAdmissionWebhook`, `ResourceQuota`. @@ -451,11 +451,11 @@ The following admission controllers are enabled for all `1.27` platform versions | `1.27.1` | `eks.1` -| Initial release of Kubernetes version `1.27` for EKS. For more information, see <>. +| Initial release of Kubernetes version `1.27` for EKS. For more information, see <>. | May 24, 2023 |=== -[[platform-versions-1.26,platform-versions-1.26.title]] +[#platform-versions-1-26] == [.noloc]`Kubernetes` version `1.26` The following admission controllers are enabled for all `1.26` platform versions: `NodeRestriction`, `ExtendedResourceToleration`, `NamespaceLifecycle`, `LimitRanger`, `ServiceAccount`, `TaintNodesByCondition`, `PodSecurity`, `Priority`, `DefaultTolerationSeconds`, `DefaultStorageClass`, `StorageObjectInUseProtection`, `PersistentVolumeClaimResize`, `RuntimeClass`, `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `MutatingAdmissionWebhook`, `ValidatingAdmissionWebhook`, `ResourceQuota`. @@ -584,11 +584,11 @@ The following admission controllers are enabled for all `1.26` platform versions | `1.26.2` | `eks.1` -| Initial release of Kubernetes version `1.26` for EKS. For more information, see <>. +| Initial release of Kubernetes version `1.26` for EKS. For more information, see <>. | April 11, 2023 |=== -[[platform-versions-1.25,platform-versions-1.25.title]] +[#platform-versions-1-25] == [.noloc]`Kubernetes` version `1.25` The following admission controllers are enabled for all `1.25` platform versions: `NodeRestriction`, `ExtendedResourceToleration`, `NamespaceLifecycle`, `LimitRanger`, `ServiceAccount`, `TaintNodesByCondition`, `PodSecurity`, `Priority`, `DefaultTolerationSeconds`, `DefaultStorageClass`, `StorageObjectInUseProtection`, `PersistentVolumeClaimResize`, `RuntimeClass`, `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `MutatingAdmissionWebhook`, `ValidatingAdmissionWebhook`, `ResourceQuota`. @@ -723,11 +723,11 @@ The following admission controllers are enabled for all `1.25` platform versions | `1.25.6` | `eks.1` -| Initial release of Kubernetes version `1.25` for EKS. For more information, see <>. +| Initial release of Kubernetes version `1.25` for EKS. For more information, see <>. | February 21, 2023 |=== -[[platform-versions-1.24,platform-versions-1.24.title]] +[#platform-versions-1-24] == [.noloc]`Kubernetes` version `1.24` The following admission controllers are enabled for all `1.24` platform versions: `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `DefaultStorageClass`, `DefaultTolerationSeconds`, `ExtendedResourceToleration`, `LimitRanger`, `MutatingAdmissionWebhook`, `NamespaceLifecycle`, `NodeRestriction`, `PersistentVolumeClaimResize`, `Priority`, `PodSecurityPolicy`, `ResourceQuota`, `RuntimeClass`, `ServiceAccount`, `StorageObjectInUseProtection`, `TaintNodesByCondition`, and `ValidatingAdmissionWebhook`. @@ -878,11 +878,11 @@ The following admission controllers are enabled for all `1.24` platform versions | `1.24.7` | `eks.1` -| Initial release of Kubernetes version `1.24` for EKS. For more information, see <>. +| Initial release of Kubernetes version `1.24` for EKS. For more information, see <>. | November 15, 2022 |=== -[[get-platform-version,get-platform-version.title]] +[#get-platform-version] == Get current platform version . Open the Amazon EKS console. . In the navigation pane, choose *Clusters*. @@ -905,7 +905,7 @@ An example output is as follows. ---- -[[change-platform-version,change-platform-version.title]] +[#change-platform-version] == Change platform version You cannot change the platform version of an EKS cluster. When new Amazon EKS platform versions become available for a [.noloc]`Kubernetes` version, EKS automatically upgrades all existing clusters to the latest Amazon EKS platform version for their corresponding [.noloc]`Kubernetes` version. Automatic upgrades of existing Amazon EKS platform versions are rolled out incrementally. You cannot use the {aws} Console or CLI to change the platform version. diff --git a/latest/ug/clusters/private-clusters.adoc b/latest/ug/clusters/private-clusters.adoc index bf71eb814..a3ae35cd0 100644 --- a/latest/ug/clusters/private-clusters.adoc +++ b/latest/ug/clusters/private-clusters.adoc @@ -1,5 +1,5 @@ [.topic] -[[private-clusters,private-clusters.title]] +[#private-clusters] = Deploy private clusters with limited internet access :info_titleabbrev: Private clusters diff --git a/latest/ug/clusters/update-cluster.adoc b/latest/ug/clusters/update-cluster.adoc index faa6aafcc..4cfc040f9 100644 --- a/latest/ug/clusters/update-cluster.adoc +++ b/latest/ug/clusters/update-cluster.adoc @@ -1,5 +1,5 @@ [.topic] -[[update-cluster,update-cluster.title]] +[#update-cluster] = Update existing cluster to new Kubernetes version :info_titleabbrev: Update Kubernetes version @@ -37,7 +37,7 @@ To ensure that the API server endpoint for your cluster is always accessible, Am * The compute capability of Amazon EKS Auto Mode controls the Kubernetes version of nodes. After you upgrade the control plane, EKS Auto Mode will begin incrementally updating managed nodes. EKS Auto Mode respects pod disruption budgets. * You do not have to manually upgrade the capabilities of Amazon EKS Auto Mode, including the compute autoscaling, block storage, and load balancing capabilities. -[[update-existing-cluster,update-existing-cluster.title]] +[#update-existing-cluster] == Step 1: Prepare for upgrade . Compare the [.noloc]`Kubernetes` version of your cluster control plane to the [.noloc]`Kubernetes` version of your nodes. + @@ -94,7 +94,7 @@ kubectl edit configmap coredns -n kube-system -o yaml Review the https://kubernetes.io/docs/reference/using-api/deprecation-guide/[Deprecated API Migration Guide] in the Kubernetes docs. -* If you're updating to version `1.23` and use Amazon EBS volumes in your cluster, then you must install the Amazon EBS CSI driver in your cluster before updating your cluster to version `1.23` to avoid workload disruptions. For more information, see <> and <>. +* If you're updating to version `1.23` and use Amazon EBS volumes in your cluster, then you must install the Amazon EBS CSI driver in your cluster before updating your cluster to version `1.23` to avoid workload disruptions. For more information, see <> and <>. * Kubernetes `1.24` and later use `containerd` as the default container runtime. If you're switching to the `containerd` runtime and already have [.noloc]`Fluentd` configured for [.noloc]`Container Insights`, then you must migrate [.noloc]`Fluentd` to [.noloc]`Fluent Bit` before updating your cluster. The [.noloc]`Fluentd` parsers are configured to only parse log messages in JSON format. Unlike `dockerd`, the `containerd` container runtime has log messages that aren't in JSON format. If you don't migrate to [.noloc]`Fluent Bit`, some of the configured [.noloc]`Fluentd's` parsers will generate a massive amount of errors inside the [.noloc]`Fluentd` container. For more information on migrating, see link:AmazonCloudWatch/latest/monitoring/Container-Insights-setup-logs-FluentBit.html[Set up Fluent Bit as a DaemonSet to send logs to CloudWatch Logs,type="documentation"]. ** Because Amazon EKS runs a highly available control plane, you can update only one minor version at a time. For more information about this requirement, see https://kubernetes.io/docs/setup/version-skew-policy/#kube-apiserver[Kubernetes Version and Version Skew Support Policy]. Assume that your current cluster version is version `1.28` and you want to update it to version `1.30`. You must first update your version `1.28` cluster to version `1.29` and then update your version `1.29` cluster to version `1.30`. * Review the version skew between the [.noloc]`Kubernetes` `kube-apiserver` and the `kubelet` on your nodes. @@ -104,7 +104,7 @@ Review the https://kubernetes.io/docs/reference/using-api/deprecation-guide/[Dep ** If the `kubelet` on your managed and Fargate nodes is on [.noloc]`Kubernetes` version `1.24` or older, it may only be up to two minor versions older than the `kube-apiserver`. In other words, if the `kubelet` is version `1.24` or older, you can only update your cluster up to two versions ahead. For example, if the `kubelet` is on version `1.21`, you can update your Amazon EKS cluster version from `1.21` to `1.22`, and to `1.23`, but you will not be able to update the cluster to `1.24` while the `kubelet` remains on `1.21`. * As a best practice before starting an update, make sure that the `kubelet` on your nodes is at the same [.noloc]`Kubernetes` version as your control plane. * If your cluster is configured with a version of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` that is earlier than `1.8.0`, then we recommend that you update the plugin to the latest version before updating your cluster. To update the plugin, see <>. -* If you're updating your cluster to version `1.25` or later and have the [.noloc]`{aws} Load Balancer Controller` deployed in your cluster, then update the controller to version `2.4.7` or later _before_ updating your cluster version to `1.25`. For more information, see the xref:kubernetes-1.25[Kubernetes 1.25,linkend=kubernetes-1.25] release notes. +* If you're updating your cluster to version `1.25` or later and have the [.noloc]`{aws} Load Balancer Controller` deployed in your cluster, then update the controller to version `2.4.7` or later _before_ updating your cluster version to `1.25`. For more information, see the xref:kubernetes-1-25[Kubernetes 1.25,linkend=kubernetes-1-25] release notes. == Step 3: Update cluster control plane @@ -114,7 +114,7 @@ You can submit the request to upgrade your EKS control plane version using: * xref:step3-console[the {aws} console] * xref:step3-cli[the {aws} cli] -[[step3-eksctl,step3-eksctl.title]] +[#step3-eksctl] === Update cluster - eksctl This procedure requires `eksctl` version `{eksctl-min-version}` or later. You can check your version with the following command: @@ -137,7 +137,7 @@ The update takes several minutes to complete. Continue to <> -[[step3-console,step3-console.title]] +[#step3-console] === Update cluster - {aws} console . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. @@ -148,7 +148,7 @@ Continue to <> The update takes several minutes to complete. . Continue to <> -[[step3-cli,step3-cli.title]] +[#step3-cli] === Update cluster - {aws} CLI . Update your Amazon EKS cluster with the following {aws} CLI command. Replace the [.replaceable]`example values` with your own. Replace [.replaceable]`1.30` with the Amazon EKS supported version number that you want to update your cluster to. For a list of supported version numbers, see <>. @@ -216,7 +216,7 @@ An example output is as follows. ---- . Continue to <> -[[step4,step4.title]] +[#step4] == Step 4: Update cluster components . After your cluster update is complete, update your nodes to the same [.noloc]`Kubernetes` minor version as your updated cluster. For more information, see <>, <>, and <>. Any new [.noloc]`Pods` that are launched on Fargate have a `kubelet` version that matches your cluster version. Existing Fargate [.noloc]`Pods` aren't changed. @@ -242,7 +242,7 @@ kubectl apply -f https://raw.githubusercontent.com/NVIDIA/k8s-device-plugin/vX.X . If necessary, update your version of `kubectl`. You must use a `kubectl` version that is within one minor version difference of your Amazon EKS cluster control plane. -[[downgrade-cluster,downgrade-cluster.title]] +[#downgrade-cluster] == Downgrade the [.noloc]`Kubernetes` version for an Amazon EKS cluster You cannot downgrade the [.noloc]`Kubernetes` of an Amazon EKS cluster. Instead, create a new cluster on a previous Amazon EKS version and migrate the workloads. diff --git a/latest/ug/clusters/view-support-status.adoc b/latest/ug/clusters/view-support-status.adoc index eacbb636a..995e9248d 100644 --- a/latest/ug/clusters/view-support-status.adoc +++ b/latest/ug/clusters/view-support-status.adoc @@ -1,5 +1,5 @@ [.topic] -[[view-support-status,view-support-status.title]] +[#view-support-status] = View current cluster support period :info_titleabbrev: View support period diff --git a/latest/ug/clusters/view-upgrade-policy.adoc b/latest/ug/clusters/view-upgrade-policy.adoc index 42ecce833..286a5bea9 100644 --- a/latest/ug/clusters/view-upgrade-policy.adoc +++ b/latest/ug/clusters/view-upgrade-policy.adoc @@ -1,5 +1,5 @@ [.topic] -[[view-upgrade-policy,view-upgrade-policy.title]] +[#view-upgrade-policy] = View current cluster upgrade policy :info_titleabbrev: View upgrade policy @@ -31,13 +31,13 @@ You can only set the version support policy for your clusters while its running For example, if you have set your version support policy as `standard` then you will not be able to change this setting after the Kubernetes version running on your cluster reaches the end of standard support. If you have set your version support policy as `extended` then you will not be able to change this setting after the Kubernetes version running on your cluster reaches end of standard support. In order to change the version support policy setting, your cluster must be running on a standard supported Kubernetes version. -[[view-period-console,view-period-console.title]] +[#view-period-console] == View cluster upgrade policy ({aws} Console) . Navigate to the *Clusters* page in the EKS section of the {aws} Console. Confirm the console is set to the same {aws} region as the cluster you want to review. . Review the *Upgrade Policy* column. If the value is *Standard Support*, your cluster will not enter extended support. If the value is *Extended Support*, your cluster will enter extended support. -[[view-period-cli,view-period-cli.title]] +[#view-period-cli] == View cluster upgrade policy ({aws} CLI) . Verify the {aws} CLI is installed and you are logged in. link:cli/latest/userguide/getting-started-install.html[Learn how to update and install the {aws} CLI.,type="documentation"] . Determine the name of your EKS cluster. Set the CLI to the same {aws} region as your EKS cluster. diff --git a/latest/ug/clusters/windows-support.adoc b/latest/ug/clusters/windows-support.adoc index 2735f8cc2..47478b1fa 100644 --- a/latest/ug/clusters/windows-support.adoc +++ b/latest/ug/clusters/windows-support.adoc @@ -1,5 +1,5 @@ [.topic] -[[windows-support,windows-support.title]] +[#windows-support] = Deploy [.noloc]`Windows` nodes on EKS clusters :info_titleabbrev: Enable Windows support @@ -36,7 +36,7 @@ Before deploying [.noloc]`Windows` nodes, be aware of the following consideratio * An existing <>. -[[enable-windows-support,enable-windows-support.title]] +[#enable-windows-support] == Enable [.noloc]`Windows` support . If you don't have Amazon Linux nodes in your cluster and use security groups for [.noloc]`Pods`, skip to the next step. Otherwise, confirm that the `AmazonEKSVPCResourceController` managed policy is attached to your <>. Replace [.replaceable]`eksClusterRole` with your cluster role name. + @@ -120,7 +120,7 @@ data: You should see `eks:kube-proxy-windows` listed under groups. If the group isn't specified, you need to update your `ConfigMap` or create it to include the required group. For more information about the `aws-auth` `ConfigMap`, see <>. -[[windows-support-pod-deployment,windows-support-pod-deployment.title]] +[#windows-support-pod-deployment] == Deploy Windows Pods When you deploy Pods to your cluster, you need to specify the operating system that they use if you're running a mixture of node types. @@ -145,7 +145,7 @@ nodeSelector: You can deploy a <> to see the node selectors in use. -[[windows-support-pod-density,windows-support-pod-density.title]] +[#windows-support-pod-density] == Support higher [.noloc]`Pod` density on Windows nodes In Amazon EKS, each [.noloc]`Pod` is allocated an `IPv4` address from your VPC. Due to this, the number of [.noloc]`Pods` that you can deploy to a node is constrained by the available IP addresses, even if there are sufficient resources to run more [.noloc]`Pods` on the node. Since only one elastic network interface is supported by a Windows node, by default, the maximum number of available IP addresses on a Windows node is equal to: diff --git a/latest/ug/clusters/zone-shift-enable.adoc b/latest/ug/clusters/zone-shift-enable.adoc index 1551eb740..ed1ee0b6a 100644 --- a/latest/ug/clusters/zone-shift-enable.adoc +++ b/latest/ug/clusters/zone-shift-enable.adoc @@ -1,5 +1,5 @@ [.topic] -[[zone-shift-enable,zone-shift-enable.title]] +[#zone-shift-enable] = Enable EKS Zonal Shift to avoid impaired Availability Zones :info_titleabbrev: Enable Zonal Shift :aws: pass:q[[.shared]``AWS``] @@ -48,7 +48,7 @@ EKS updates networking configurations to avoid directing traffic to impaired AZs xref:zone-shift[Learn more about EKS Zonal Shift]. -[[zone-shift-enable-steps,zone-shift-enable-steps.title]] +[#zone-shift-enable-steps] == Register EKS cluster with Amazon Application Recovery Controller (ARC) ({aws} console) . Find the name and region of the EKS cluster you want to register with ARC. diff --git a/latest/ug/clusters/zone-shift.adoc b/latest/ug/clusters/zone-shift.adoc index 7b614a483..845fa9e1c 100644 --- a/latest/ug/clusters/zone-shift.adoc +++ b/latest/ug/clusters/zone-shift.adoc @@ -1,5 +1,5 @@ [.topic] -[[zone-shift,zone-shift.title]] +[#zone-shift] = Learn about Amazon Application Recovery Controller's (ARC) Zonal Shift in Amazon EKS :info_titleabbrev: Learn about Zonal Shift :aws: pass:q[[.shared]``AWS``] diff --git a/latest/ug/connector/connecting-cluster.adoc b/latest/ug/connector/connecting-cluster.adoc index 76f8d3ac0..65cd3074d 100644 --- a/latest/ug/connector/connecting-cluster.adoc +++ b/latest/ug/connector/connecting-cluster.adoc @@ -1,5 +1,5 @@ [.topic] -[[connecting-cluster,connecting-cluster.title]] +[#connecting-cluster] = Connect an external [.noloc]`Kubernetes` cluster to the Amazon EKS Management Console :info_titleabbrev: Connect a cluster @@ -19,12 +19,12 @@ You must complete the second step within 3 days of completing the first step, be ==== -[[connecting-cluster-considerations,connecting-cluster-considerations.title]] +[#connecting-cluster-considerations] == Considerations You can use YAML manifests when installing the agent. Alternatively, you can use Helm if you register the cluster with the {aws-management-console} or {aws} Command Line Interface. However, you cannot use Helm to install the agent if you register the cluster with `eksctl`. -[[connector-prereqs,connector-prereqs.title]] +[#connector-prereqs] == Prerequisites * Ensure the Amazon EKS Connector agent role was created. Follow the steps in <>. @@ -36,7 +36,7 @@ You can use YAML manifests when installing the agent. Alternatively, you can use ** `iam:PassRole` -[[connector-connecting,connector-connecting.title]] +[#connector-connecting] == Step 1: Registering the cluster To register a cluster to Amazon EKS connector, you can use one of these tools: @@ -133,7 +133,7 @@ kubectl apply -f eks-connector-binding.yaml ---- -[[eks-connector-apply,eks-connector-apply.title]] +[#eks-connector-apply] == Step 2: Installing the `eks-connector` agent To install the `eks-connector` agent, use one of the following tools: @@ -204,7 +204,7 @@ The output should include `status=ACTIVE`. . (Optional) Add tags to your cluster. For more information, see <>. -[[eks-connector-next,eks-connector-next.title]] +[#eks-connector-next] == Next steps If you have any issues with these steps, see <>. diff --git a/latest/ug/connector/connector-grant-access.adoc b/latest/ug/connector/connector-grant-access.adoc index 2106c2184..c6c6985c5 100644 --- a/latest/ug/connector/connector-grant-access.adoc +++ b/latest/ug/connector/connector-grant-access.adoc @@ -1,5 +1,5 @@ [.topic] -[[connector-grant-access,connector-grant-access.title]] +[#connector-grant-access] = Grant access to view [.noloc]`Kubernetes` cluster resources on an Amazon EKS console :info_titleabbrev: Grant access to clusters @@ -12,7 +12,7 @@ Learn to grant IAM principals access to view Kubernetes cluster resources on an Grant link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"] access to the Amazon EKS console to view information about [.noloc]`Kubernetes` resources running on your connected cluster. -[[connector-grant-access-prereqs,connector-grant-access-prereqs.title]] +[#connector-grant-access-prereqs] == Prerequisites The link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that you use to access the {aws-management-console} must meet the following requirements: diff --git a/latest/ug/connector/deregister-connected-cluster.adoc b/latest/ug/connector/deregister-connected-cluster.adoc index 4e975778a..8d6d869f0 100644 --- a/latest/ug/connector/deregister-connected-cluster.adoc +++ b/latest/ug/connector/deregister-connected-cluster.adoc @@ -1,5 +1,5 @@ [.topic] -[[deregister-connected-cluster,deregister-connected-cluster.title]] +[#deregister-connected-cluster] = Deregister a Kubernetes cluster from the Amazon EKS console :info_titleabbrev: Deregister a cluster @@ -22,7 +22,7 @@ You must have the following permissions to call the deregisterCluster API: This process involves two steps: Deregistering the cluster with Amazon EKS and uninstalling the eks-connector agent in the cluster. -[[deregister-connected-cluster-eks,deregister-connected-cluster-eks.title]] +[#deregister-connected-cluster-eks] == Deregister the [.noloc]`Kubernetes` cluster To deregister a cluster from Amazon EKS connector, you can use one of these tools: @@ -62,7 +62,7 @@ eksctl deregister cluster --name my-cluster ---- -[[deregister-connected-cluster-k8s,deregister-connected-cluster-k8s.title]] +[#deregister-connected-cluster-k8s] == Clean up the resources in your [.noloc]`Kubernetes` cluster To uninstall the `eks-connector` agent, use one of the following tools: diff --git a/latest/ug/connector/eks-connector.adoc b/latest/ug/connector/eks-connector.adoc index 19500a868..e4bd4563a 100644 --- a/latest/ug/connector/eks-connector.adoc +++ b/latest/ug/connector/eks-connector.adoc @@ -1,4 +1,4 @@ -[[eks-connector,eks-connector.title]] +[#eks-connector] = Connect a [.noloc]`Kubernetes` cluster to an Amazon EKS Management Console with Amazon EKS Connector :doctype: book :sectnums: @@ -29,7 +29,7 @@ The Amazon EKS Connector can connect the following types of [.noloc]`Kubernetes` * Managed clusters from other cloud providers -[[connect-cluster-reqts,connect-cluster-reqts.title]] +[#connect-cluster-reqts] == Amazon EKS Connector considerations Before you use Amazon EKS Connector, understand the following: @@ -54,7 +54,7 @@ Before you use Amazon EKS Connector, understand the following: ** ssm:DeregisterManagedInstance -[[connector-iam-permissions,connector-iam-permissions.title]] +[#connector-iam-permissions] == Required IAM roles for Amazon EKS Connector Using the Amazon EKS Connector requires the following two IAM roles: diff --git a/latest/ug/connector/security-connector.adoc b/latest/ug/connector/security-connector.adoc index 78c0071d3..3a9ae2c8d 100644 --- a/latest/ug/connector/security-connector.adoc +++ b/latest/ug/connector/security-connector.adoc @@ -1,5 +1,5 @@ [.topic] -[[security-connector,security-connector.title]] +[#security-connector] = Understand security in Amazon EKS Connector :info_titleabbrev: Security considerations @@ -18,14 +18,14 @@ image::images/connector-model.png[EKS Connector Responsibilities,scaledwidth=100 This topic describes the differences in the responsibility model if the connected cluster is outside of {aws}. -[[connect-aws-resp,connect-aws-resp.title]] +[#connect-aws-resp] == {aws} responsibilities * Maintaining, building, and delivering Amazon EKS Connector, which is an https://github.com/aws/amazon-eks-connector[open source component] that runs on a customer's [.noloc]`Kubernetes` cluster and communicates with {aws}. * Maintaining transport and application layer communication security between the connected [.noloc]`Kubernetes` cluster and {aws} services. -[[connect-cust-resp,connect-cust-resp.title]] +[#connect-cust-resp] == Customer responsibilities * [.noloc]`Kubernetes` cluster specific security, specifically along the following lines: diff --git a/latest/ug/connector/troubleshooting-connector.adoc b/latest/ug/connector/troubleshooting-connector.adoc index 065a4f2dc..816667919 100644 --- a/latest/ug/connector/troubleshooting-connector.adoc +++ b/latest/ug/connector/troubleshooting-connector.adoc @@ -1,5 +1,5 @@ [.topic] -[[troubleshooting-connector,troubleshooting-connector.title]] +[#troubleshooting-connector] = Troubleshoot Amazon EKS Connector issues :info_titleabbrev: Troubleshoot EKS Connector @@ -12,12 +12,12 @@ Troubleshoot and resolve common issues when using Amazon EKS Connector to connec This topic covers some of the common errors that you might encounter while using the Amazon EKS Connector, including instructions on how to resolve them and workarounds. -[[tsc-steps,tsc-steps.title]] +[#tsc-steps] == Basic troubleshooting This section describes steps to diagnose Amazon EKS Connector issues. -[[tsc-check,tsc-check.title]] +[#tsc-check] === Check Amazon EKS Connector status To check the Amazon EKS Connector status, type: @@ -28,7 +28,7 @@ kubectl get pods -n eks-connector ---- -[[tsc-logs,tsc-logs.title]] +[#tsc-logs] === Inspect Amazon EKS Connector logs The Amazon EKS Connector [.noloc]`Pod` consists of three containers. To retrieve full logs for all of these containers so that you can inspect them, run the following commands: @@ -58,7 +58,7 @@ kubectl exec eks-connector-1 --container connector-agent -n eks-connector -- cat ---- -[[tsc-name,tsc-name.title]] +[#tsc-name] === Get the effective cluster name Amazon EKS clusters are uniquely identified by `clusterName` within a single {aws} account and {aws} Region. If you have multiple connected clusters in Amazon EKS, you can confirm which Amazon EKS cluster that the current [.noloc]`Kubernetes` cluster is registered to. To do this, enter the following to find out the `clusterName` of the current cluster. @@ -73,7 +73,7 @@ kubectl exec eks-connector-1 --container connector-agent -n eks-connector \ ---- -[[tsc-misc,tsc-misc.title]] +[#tsc-misc] === Miscellaneous commands The following commands are useful to retrieve information that you need to troubleshoot issues. @@ -123,12 +123,12 @@ docker logout public.ecr.aws ---- -[[symp-pending,symp-pending.title]] +[#symp-pending] == Console error: the cluster is stuck in the Pending state If the cluster gets stuck in the `Pending` state on the Amazon EKS console after you're registered it, it might be because the Amazon EKS Connector didn't successfully connect the cluster to {aws} yet. For a registered cluster, the `Pending` state means that the connection isn't successfully established. To resolve this issue, make sure that you have applied the manifest to the target [.noloc]`Kubernetes` cluster. If you applied it to the cluster, but the cluster is still in the `Pending` state, then the `eks-connector` statefulset might be unhealthy. To troubleshoot this issue, see <>in this topic. -[[symp-imp,symp-imp.title]] +[#symp-imp] == Console error: User system:serviceaccount:eks-connector:eks-connector can't impersonate resource users in API group at cluster scope The Amazon EKS Connector uses [.noloc]`Kubernetes` https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation[user impersonation] to act on behalf of link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"] from the {aws-management-console}. Each principal that accesses the [.noloc]`Kubernetes` API from the {aws} `eks-connector` service account must be granted permission to impersonate the corresponding [.noloc]`Kubernetes` user with an IAM ARN as its [.noloc]`Kubernetes` user name. In the following examples, the IAM ARN is mapped to a [.noloc]`Kubernetes` user. @@ -151,7 +151,7 @@ The result is an IAM role ARN, instead of the {aws} STS session ARN. For instructions on how to configure the `ClusterRole` and `ClusterRoleBinding` to grant the `eks-connector` service account privilege to impersonate the mapped user, see <>. Make sure that in the template, `%IAM_ARN%` is replaced with the IAM ARN of the {aws-management-console} IAM principal. -[[symp-rbac,symp-rbac.title]] +[#symp-rbac] == Console error: [...] is forbidden: User [...] cannot list resource [...] in API group at the cluster scope Consider the following problem. The Amazon EKS Connector has successfully impersonated the requesting {aws-management-console} IAM principal in the target [.noloc]`Kubernetes` cluster. However, the impersonated principal doesn't have RBAC permission for [.noloc]`Kubernetes` API operations. @@ -167,7 +167,7 @@ helm upgrade eks-connector oci://public.ecr.aws/eks-connector/eks-connector-char Or, as the cluster administrator, grant the appropriate level of RBAC privileges to individual [.noloc]`Kubernetes` users. For more information and examples, see <>. -[[symp-con,symp-con.title]] +[#symp-con] == Console error: Amazon EKS can't communicate with your [.noloc]`Kubernetes` cluster API server. The cluster must be in an ACTIVE state for successful connection. Try again in few minutes. If the Amazon EKS service can't communicate with the Amazon EKS connector in the target cluster, it might be because of one of the following reasons: @@ -177,7 +177,7 @@ If the Amazon EKS service can't communicate with the Amazon EKS connector in the To resolve this problem, check the <>. If you don't see an error for the Amazon EKS Connector, retry the connection after a few minutes. If you regularly experience high latency or intermittent connectivity for the target cluster, consider re-registering the cluster to an {aws} Region that's located closer to you. -[[symp-loop,symp-loop.title]] +[#symp-loop] == Amazon EKS connector [.noloc]`Pods` are crash looping There are many reasons that can cause an Amazon EKS connector [.noloc]`Pod` to enter the `CrashLoopBackOff` status. This issue likely involves the `connector-init` container. Check the status of the Amazon EKS connector [.noloc]`Pod`. @@ -197,7 +197,7 @@ eks-connector-0 0/2 Init:CrashLoopBackOff 1 7s If your output is similar to the previous output, see <> to troubleshoot the issue. -[[symp-regis,symp-regis.title]] +[#symp-regis] == Failed to initiate eks-connector: InvalidActivation When you start the Amazon EKS Connector for the first time, it registers an `activationId` and `activationCode` with Amazon Web Services. The registration might fail, which can cause the `connector-init` container to crash with an error similar to the following error. @@ -245,12 +245,12 @@ In the following example response, the expiry date and time is recorded as `2021 If the `activationExpiry` passed, deregister the cluster and register it again. Doing this generates a new activation. -[[symp-out,symp-out.title]] +[#symp-out] == Cluster node is missing outbound connectivity To work properly, the Amazon EKS Connector requires outbound connectivity to several {aws} endpoints. You can't connect a private cluster without outbound connectivity to a target {aws} Region. To resolve this issue, you must add the necessary outbound connectivity. For information about connector requirements, see <>. -[[symp-img,symp-img.title]] +[#symp-img] == Amazon EKS connector [.noloc]`Pods` are in `ImagePullBackOff` state If you run the `get pods` command and [.noloc]`Pods` are in the `ImagePullBackOff` state, they can't work properly. If the Amazon EKS Connector [.noloc]`Pods` are in the `ImagePullBackOff` state, they can't work properly. Check the status of your Amazon EKS Connector [.noloc]`Pods`. diff --git a/latest/ug/connector/tsc-faq.adoc b/latest/ug/connector/tsc-faq.adoc index 865ae79af..4e0f9101b 100644 --- a/latest/ug/connector/tsc-faq.adoc +++ b/latest/ug/connector/tsc-faq.adoc @@ -1,7 +1,7 @@ include::../attributes.txt[] [.topic] -[[tsc-faq,tsc-faq.title]] +[#tsc-faq] = {aws} Connector frequently asked questions :info_titleabbrev: Frequently asked questions diff --git a/latest/ug/contribute/contribute.adoc b/latest/ug/contribute/contribute.adoc index 050561ad0..5fe035089 100644 --- a/latest/ug/contribute/contribute.adoc +++ b/latest/ug/contribute/contribute.adoc @@ -1,4 +1,4 @@ -[[contribute,contribute.title]] +[#contribute] # Contribute to the EKS User Guide :info_titleabbrev: Contribute diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index 718d86787..426c26ddd 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -1,5 +1,5 @@ [.topic] -[[doc-history,doc-history.title]] +[#doc-history] // H1 title is necessary, and must occur before the [abstract], but is unused in the web page (:info_title: is used instead, and :info_titleabbrev: is used in the ToC) = Document history :doctype: book @@ -35,7 +35,7 @@ You can now use update strategies to configure the version update process for ma [.update,date="2025-01-23"] === [.noloc]`Kubernetes` version `1.32` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1.32 +https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1-32 Added [.noloc]`Kubernetes` version `1.32` support for new clusters and version upgrades. @@ -285,7 +285,7 @@ EKS added a new {aws} managed policy. [.update,date="2024-09-24"] === [.noloc]`Kubernetes` version `1.31` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1.31 +https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1-31 Added [.noloc]`Kubernetes` version `1.31` support for new clusters and version upgrades. @@ -370,7 +370,7 @@ We made improvements to the AMI information references, in particular for [.nolo [.update,date="2024-06-12"] === [.noloc]`Kubernetes` version `1.26` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1.26 +https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1-26 [.noloc]`Kubernetes` version `1.26` is now in extended support. @@ -378,7 +378,7 @@ https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubern [.update,date="2024-05-23"] === [.noloc]`Kubernetes` version `1.30` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1.30 +https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1-30 Added [.noloc]`Kubernetes` version `1.30` support for new clusters and version upgrades. @@ -450,7 +450,7 @@ Amazon Linux 2023 (AL2023) is a new Linux-based operating system designed to pro [.update,date="2024-02-26"] === EKS Pod Identity and IRSA support sidecars in [.noloc]`Kubernetes` `1.29` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1.29 +https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1-29 In [.noloc]`Kubernetes` `1.29`, sidecar containers are available in Amazon EKS clusters. Sidecar containers are supported with IAM roles for service accounts or EKS Pod Identity. For more information about sidecars, see https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/[Sidecar Containers] in the [.noloc]`Kubernetes` documentation. @@ -458,7 +458,7 @@ In [.noloc]`Kubernetes` `1.29`, sidecar containers are available in Amazon EKS c [.update,date="2024-01-23"] === [.noloc]`Kubernetes` version `1.29` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1.29 +https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1-29 Added [.noloc]`Kubernetes` version `1.29` support for new clusters and version upgrades. @@ -617,7 +617,7 @@ Amazon EKS integrations with {aws} App Mesh remain for existing customers of App [.update,date="2023-09-26"] === [.noloc]`Kubernetes` version `1.28` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1.28 +https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1-28 Added [.noloc]`Kubernetes` version `1.28` support for new clusters and version upgrades. @@ -736,7 +736,7 @@ In the {aws} GovCloud (US) Regions, Amazon EKS managed node groups can now run [ [.update,date="2023-05-24"] === [.noloc]`Kubernetes` version `1.27` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1.27 +https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1-27 Added [.noloc]`Kubernetes` version `1.27` support for new clusters and version upgrades. @@ -744,7 +744,7 @@ Added [.noloc]`Kubernetes` version `1.27` support for new clusters and version u [.update,date="2023-04-11"] === [.noloc]`Kubernetes` version `1.26` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1.26 +https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1-26 Added [.noloc]`Kubernetes` version `1.26` support for new clusters and version upgrades. @@ -781,7 +781,7 @@ You can now create an Amazon EKS local cluster on an Outpost using [.noloc]`Kube [.update,date="2023-02-22"] === [.noloc]`Kubernetes` version `1.25` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1.25 +https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1-25 Added [.noloc]`Kubernetes` version `1.25` support for new clusters and version upgrades. @@ -842,7 +842,7 @@ Amazon EKS updated an existing {aws} managed policy. [.update,date="2022-11-15"] === [.noloc]`Kubernetes` version `1.24` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1.24 +https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1-24 Added [.noloc]`Kubernetes` version `1.24` support for new clusters and version upgrades. @@ -935,7 +935,7 @@ Added support for Fargate profile wildcards in the selector criteria for namespa [.update,date="2022-08-11"] === [.noloc]`Kubernetes` version `1.23` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1.23 +https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1-23 Added [.noloc]`Kubernetes` version `1.23` support for new clusters and version upgrades. diff --git a/latest/ug/getting-started/getting-started-automode.adoc b/latest/ug/getting-started/getting-started-automode.adoc index 71b730f0c..05f689f45 100644 --- a/latest/ug/getting-started/getting-started-automode.adoc +++ b/latest/ug/getting-started/getting-started-automode.adoc @@ -1,5 +1,5 @@ [.topic] -[[getting-started-automode,getting-started-automode.title]] +[#getting-started-automode] = Get started with Amazon EKS – EKS Auto Mode :info_titleabbrev: Create cluster (EKS Auto Mode) :keywords: using, Auto, getting, started, tutorial diff --git a/latest/ug/getting-started/getting-started-console.adoc b/latest/ug/getting-started/getting-started-console.adoc index 7485c74a0..01d835cc1 100644 --- a/latest/ug/getting-started/getting-started-console.adoc +++ b/latest/ug/getting-started/getting-started-console.adoc @@ -1,7 +1,7 @@ include::../attributes.txt[] [.topic] -[[getting-started-console,getting-started-console.title]] +[#getting-started-console] = Get started with Amazon EKS – {aws-management-console} and {aws} CLI :info_titleabbrev: Create cluster (Console and CLI) :keywords: using, {aws-management-console}, {aws} CLI, getting, started, tutorial @@ -23,7 +23,7 @@ This guide helps you to create all of the required resources to get started with The procedures in this guide give you complete visibility into how each resource is created and how the resources interact with each other. If you'd rather have most of the resources created for you automatically, use the `eksctl` CLI to create your cluster and nodes. For more information, see <>. -[[eks-prereqs,eks-prereqs.title]] +[#eks-prereqs] == Prerequisites Before starting this tutorial, you must install and configure the following tools and resources that you need to create and manage an Amazon EKS cluster. @@ -44,7 +44,7 @@ aws sts get-caller-identity We recommend that you complete the steps in this topic in a Bash shell. If you aren't using a Bash shell, some script commands such as line continuation characters and the way variables are set and used require adjustment for your shell. Additionally, the quoting and escaping rules for your shell might be different. For more information, see link:cli/latest/userguide/cli-usage-parameters-quoting-strings.html[Using quotation marks with strings in the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. -[[eks-create-cluster,eks-create-cluster.title]] +[#eks-create-cluster] == Step 1: Create your Amazon EKS cluster [IMPORTANT] @@ -125,7 +125,7 @@ To the right of the cluster's name, the cluster status is *Creating* for several NOTE: You might receive an error that one of the Availability Zones in your request doesn't have sufficient capacity to create an Amazon EKS cluster. If this happens, the error output contains the Availability Zones that can support a new cluster. Retry creating your cluster with at least two subnets that are located in the supported Availability Zones for your account. For more information, see <>. -[[eks-configure-kubectl,eks-configure-kubectl.title]] +[#eks-configure-kubectl] == Step 2: Configure your computer to communicate with your cluster In this section, you create a `kubeconfig` file for your cluster. The settings in this file enable the `kubectl` CLI to communicate with your cluster. @@ -158,7 +158,7 @@ svc/kubernetes ClusterIP 10.100.0.1 443/TCP 1m ---- -[[eks-launch-workers,eks-launch-workers.title]] +[#eks-launch-workers] == Step 3: Create nodes [IMPORTANT] @@ -233,7 +233,7 @@ aws iam attach-role-policy \ . On the *Review and create* page, review your managed node group configuration and choose *Create*. . After several minutes, the *Status* in the *Node Group configuration* section will change from *Creating* to *Active*. Don't continue to the next step until the status is *Active*. -[[gs-view-resources,gs-view-resources.title]] +[#gs-view-resources] == Step 4: View resources @@ -248,7 +248,7 @@ You can view your nodes and [.noloc]`Kubernetes` workloads. – You see all of the [.noloc]`Kubernetes` resources that are deployed by default to an Amazon EKS cluster. Select any resource type in the console to learn more about it. -[[gs-console-clean-up,gs-console-clean-up.title]] +[#gs-console-clean-up] == Step 5: Delete resources After you've finished with the cluster and nodes that you created for this tutorial, you should delete the resources that you created. If you want to do more with this cluster before you delete the resources, see <>. @@ -277,7 +277,7 @@ After you've finished with the cluster and nodes that you created for this tutor .. Select each role you created from the list (*[.replaceable]`myAmazonEKSClusterRole`*, as well as [.replaceable]`myAmazonEKSNodeRole`). Choose *Delete*, enter the requested confirmation text, then choose *Delete*. -[[gs-console-next-steps,gs-console-next-steps.title]] +[#gs-console-next-steps] == Next steps The following documentation topics help you to extend the functionality of your cluster. diff --git a/latest/ug/getting-started/getting-started-eksctl.adoc b/latest/ug/getting-started/getting-started-eksctl.adoc index 79b252fc0..d10fb8752 100644 --- a/latest/ug/getting-started/getting-started-eksctl.adoc +++ b/latest/ug/getting-started/getting-started-eksctl.adoc @@ -1,5 +1,5 @@ [.topic] -[[getting-started-eksctl,getting-started-eksctl.title]] +[#getting-started-eksctl] = Get started with Amazon EKS – `eksctl` :info_titleabbrev: Create cluster (eksctl) :keywords: using, eksctl, getting, started, tutorial @@ -23,12 +23,12 @@ This guide helps you to create all of the required resources to get started with The procedures in this guide create several resources for you automatically that you have to create manually when you create your cluster using the {aws-management-console}. If you'd rather manually create most of the resources to better understand how they interact with each other, then use the {aws-management-console} to create your cluster and compute. For more information, see <>. -[[eksctl-prereqs,eksctl-prereqs.title]] +[#eksctl-prereqs] == Prerequisites Before starting this tutorial, you must install and configure the {aws} CLI, kubectl, and eksctl tools as described in <>. -[[create-cluster-gs-eksctl,create-cluster-gs-eksctl.title]] +[#create-cluster-gs-eksctl] == Step 1: Create your Amazon EKS cluster and nodes [IMPORTANT] @@ -75,7 +75,7 @@ Cluster creation takes several minutes. During creation you'll see several lines After cluster creation is complete, view the {aws} CloudFormation stack named `eksctl-[.replaceable]``my-cluster``-cluster` in the {aws} CloudFormation link:cloudformation/[console,type="console"] to see all of the resources that were created. -[[gs-eksctl-view-resources,gs-eksctl-view-resources.title]] +[#gs-eksctl-view-resources] == Step 2: View [.noloc]`Kubernetes` resources @@ -148,7 +148,7 @@ kube-system kube-proxy-67890 1/1 Running 0 7m43s 19 For more information about what you see in the output, see <>. -[[gs-eksctl-clean-up,gs-eksctl-clean-up.title]] +[#gs-eksctl-clean-up] == Step 3: Delete your cluster and nodes @@ -160,7 +160,7 @@ eksctl delete cluster --name my-cluster --region region-code ---- -[[gs-eksctl-next-steps,gs-eksctl-next-steps.title]] +[#gs-eksctl-next-steps] == Next steps The following documentation topics help you to extend the functionality of your cluster. diff --git a/latest/ug/getting-started/getting-started.adoc b/latest/ug/getting-started/getting-started.adoc index 4280ca59c..7c125e518 100644 --- a/latest/ug/getting-started/getting-started.adoc +++ b/latest/ug/getting-started/getting-started.adoc @@ -1,4 +1,4 @@ -[[getting-started,getting-started.title]] +[#getting-started] = Get started with Amazon EKS :doctype: book :sectnums: diff --git a/latest/ug/getting-started/install-awscli.adoc b/latest/ug/getting-started/install-awscli.adoc index 4e2f8317c..6f71dd4d5 100644 --- a/latest/ug/getting-started/install-awscli.adoc +++ b/latest/ug/getting-started/install-awscli.adoc @@ -1,7 +1,7 @@ include::../attributes.txt[] [.topic] -[[install-awscli,install-awscli.title]] +[#install-awscli] = Set up {aws} CLI :info_titleabbrev: Set up {aws} CLI :keywords: setting up, setup @@ -13,7 +13,7 @@ Set up the {aws} CLI for managing {aws} resources needed to use Amazon EKS. Foll The link:cli/[{aws} CLI,type="marketing"] is a command line tool for working with {aws} services, including Amazon EKS. It is also used to authenticate IAM users or roles for access to the Amazon EKS cluster and other {aws} resources from your local machine. To provision resources in {aws} from the command line, you need to obtain an {aws} access key ID and secret key to use in the command line. Then you need to configure these credentials in the {aws} CLI. If you haven't already installed the {aws} CLI, see link:cli/latest/userguide/cli-chap-install.html[Install or update the latest version of the {aws} CLI,type="documentation"] in the _{aws} Command Line Interface User Guide_. -[[create-access-key,create-access-key.title]] +[#create-access-key] == To create an access key . Sign into the https://console.aws.amazon.com/[{aws-management-console}]. . For single-user or multiple-user accounts: @@ -29,7 +29,7 @@ The link:cli/[{aws} CLI,type="marketing"] is a command line tool for working wit . Choose *Download .csv file*. -[[configure-cli,configure-cli.title]] +[#configure-cli] == To configure the {aws} CLI After installing the {aws} CLI, do the following steps to configure it. For more information, see link:cli/latest/userguide/cli-chap-configure.html[Configure the {aws} CLI,type="documentation"] in the _{aws} Command Line Interface User Guide_. @@ -53,7 +53,7 @@ Default output format [None]: json ---- -[[security-token,security-token.title]] +[#security-token] == To get a security token If needed, run the following command to get a new security token for the {aws} CLI. For more information, see link:cli/latest/reference/sts/get-session-token.html[get-session-token,type="documentation"] in the _{aws} CLI Command Reference_. @@ -80,7 +80,7 @@ This command returns the temporary security credentials for an {aws} CLI session ---- -[[verify-identity,verify-identity.title]] +[#verify-identity] == To verify the user identity If needed, run the following command to verify the {aws} credentials for your IAM user identity (such as [.replaceable]`ClusterAdmin`) for the terminal session. @@ -102,7 +102,7 @@ This command returns the Amazon Resource Name (ARN) of the IAM entity that's con ---- -[[install-awscli-next-steps,install-awscli-next-steps.title]] +[#install-awscli-next-steps] == Next steps * <> diff --git a/latest/ug/getting-started/install-kubectl.adoc b/latest/ug/getting-started/install-kubectl.adoc index 697b03816..14b0e8dd1 100644 --- a/latest/ug/getting-started/install-kubectl.adoc +++ b/latest/ug/getting-started/install-kubectl.adoc @@ -1,5 +1,5 @@ [.topic] -[[install-kubectl,install-kubectl.title]] +[#install-kubectl] = Set up `kubectl` and `eksctl` :info_titleabbrev: Set up kubectl and eksctl :keywords: install, update, kubectl @@ -21,7 +21,7 @@ Topics on this page help you install and set up these tools: * <> -[[kubectl-install-update,kubectl-install-update.title]] +[#kubectl-install-update] == Install or update `kubectl` This topic helps you to download and install, or update, the `kubectl` binary on your device. The binary is identical to the https://kubernetes.io/docs/tasks/tools/#kubectl[upstream community versions]. The binary is not unique to Amazon EKS or {aws}. Use the steps below to get the specific version of `kubectl` that you need, although many builders simply run `brew install kubectl` to install it. @@ -789,7 +789,7 @@ aws eks update-kubeconfig --region region-code --name my-cluster . Consider configuring auto completion, which lets you use the tab key to complete `kubectl` subcommands after typing the first few letters. See https://kubernetes.io/docs/reference/kubectl/quick-reference/#kubectl-autocomplete[Kubectl autocomplete] in the [.noloc]`Kubernetes` documentation for details. -[[eksctl-install-update,eksctl-install-update.title]] +[#eksctl-install-update] == Install `eksctl` The `eksctl` CLI is used to work with EKS clusters. It automates many individual tasks. See https://eksctl.io/installation[Installation] in the `eksctl` documentation for instructions on installing `eksctl`. @@ -802,7 +802,7 @@ aws sts get-caller-identity ---- -[[install-kubectl-next-steps,install-kubectl-next-steps.title]] +[#install-kubectl-next-steps] == Next steps * <> diff --git a/latest/ug/getting-started/learn-eks.adoc b/latest/ug/getting-started/learn-eks.adoc index ef557a893..cd6b956d4 100644 --- a/latest/ug/getting-started/learn-eks.adoc +++ b/latest/ug/getting-started/learn-eks.adoc @@ -1,5 +1,5 @@ [.topic] -[[learn-eks,learn-eks.title]] +[#learn-eks] = Learn Amazon EKS by example :info_titleabbrev: Learn Amazon EKS :keywords: tutorial, workshop, developer, learn @@ -18,7 +18,7 @@ include::../attributes.txt[] Find learning paths to extend your knowledge of Amazon EKS. -- -[[overview,overview.title]] +[#overview] == Overview This Amazon EKS User Guide contains general-purpose procedures to create your first EKS cluster from the <> or <> and a solid reference for all major Amazon EKS components. However, as an Amazon EKS cluster administrator or developer, you can gain a deeper understanding of Amazon EKS by following learning paths that exist in sites outside of this guide. These sites can help you: @@ -32,7 +32,7 @@ This Amazon EKS User Guide contains general-purpose procedures to create your fi To start out on your Amazon EKS learning path, I recommend that you visit some of the sites described on this page. If you run into problems along the way, there are also resources to help you get through them. For example, the https://repost.aws/search/content?globalSearch=EKS[Re:post Knowledge Center] lets you search the support database for Amazon EKS-related support issues. Also the https://aws.github.io/aws-eks-best-practices/[Amazon EKS Best Practices Guide] offers tips on the best ways to set up your production-grade clusters. -[[eks-workshop,eks-workshop.title]] +[#eks-workshop] == Amazon EKS Workshop Starting with a basic understanding of Kubernetes and containers, the https://www.eksworkshop.com/[Amazon EKS workshop] is a learning platform for walking a cluster administrator through important features of Amazon EKS. Here are ways you can engage with the Amazon EKS workshop: @@ -52,7 +52,7 @@ Starting with a basic understanding of Kubernetes and containers, the https://ww ** Automation: Labs on https://www.eksworkshop.com/docs/automation/[Automation] step you through https://www.eksworkshop.com/docs/automation/gitops/[GitOps] methods of managing your clusters and projects like https://www.eksworkshop.com/docs/automation/controlplanes/ack/[{aws} Controllers for Kubernetes] and https://www.eksworkshop.com/docs/automation/controlplanes/crossplane/[Crossplane] for managing Amazon EKS control planes. -[[eks-hands-on-cluster-setup-tutorials,eks-hands-on-cluster-setup-tutorials.title]] +[#eks-hands-on-cluster-setup-tutorials] == Amazon EKS hands-on cluster setup tutorials A set of https://community.aws/tags/eks-cluster-setup[Amazon EKS Cluster Setup tutorials] on the {aws} Community site can help you create special-purpose Amazon EKS clusters and enhance those clusters in various ways. The tutorials are divided into three different types: @@ -94,7 +94,7 @@ Using these tutorials, you can better integrate your clusters with {aws} service * https://community.aws/tutorials/navigating-amazon-eks/eks-fargate-mtls-nginx-controller[Set up mTLS with Fargate, NGINX, and ACM PCA] -[[eks-samples,eks-samples.title]] +[#eks-samples] == Amazon EKS Samples The https://github.com/aws-samples/aws-eks-se-samples[Amazon EKS Samples] repository stores manifests to use with Amazon EKS. These manifests give you the opportunity to try out different kinds of applications in Amazon EKS or create specific types of Amazon EKS clusters. Samples include manifests to: @@ -115,7 +115,7 @@ The https://github.com/aws-samples/aws-eks-se-samples[Amazon EKS Samples] reposi Keep in mind that these samples are for learning and testing purposes only and are not intended to be used in production. -[[aws-tutorials,aws-tutorials.title]] +[#aws-tutorials] == {aws} Tutorials The link:tutorials[{aws} Tutorials,type="marketing"] site publishes a few Amazon EKS tutorials, but also offers a search tool to find other tutorials published on {aws} sites (such as the {aws} Community site). Amazon EKS tutorials published directly on this site include: @@ -127,19 +127,19 @@ The link:tutorials[{aws} Tutorials,type="marketing"] site publishes a few Amazon * link:tutorials/cost-optimize-jenkins/[How to cost optimize Jenkins jobs on Kubernetes,type="marketing"] -[[developers-workshop,developers-workshop.title]] +[#developers-workshop] == Developers Workshop If you are a software developer, looking to create or refactor applications to run on Amazon EKS, the http://developers.eksworkshop.com[Amazon EKS Developers workshop]is a good place to start. The workshop not only helps you build containerized applications, but also helps you deploy those containers to a container registry (link:ecr/[ECR,type="marketing"]) and from there to an Amazon EKS cluster. Start with the https://developers.eksworkshop.com/docs/python/[Amazon EKS Python Workshop] to go through the process of refactoring a python application, then set up your development environment to prepare for deploying the application. Step through sections on Containers, Kubernetes, and Amazon EKS to prepare to run your containerized applications in those environments. -[[terraform-workshop,terraform-workshop.title]] +[#terraform-workshop] == Terraform Workshop While `eksctl` is a simple tool for creating a cluster, for more complex infrastructure-as-code types of Amazon EKS deployments, https://www.terraform.io/[Terraform] is a popular Amazon EKS cluster creation and management tool. The https://catalog.us-east-1.prod.workshops.aws/workshops/afee4679-89af-408b-8108-44f5b1065cc7/en-US[Terraform Amazon EKS Workshop] teaches how to use Terraform to build an {aws} VPC, create Amazon EKS clusters, and add optional enhancements to your cluster. In particular, there is a section for creating a https://catalog.us-east-1.prod.workshops.aws/workshops/afee4679-89af-408b-8108-44f5b1065cc7/en-US/500-eks-terraform-workshop[private Amazon EKS cluster] -[[aws-eks-training,aws-eks-training.title]] +[#aws-eks-training] == {aws} Amazon EKS Training {aws} offers formal training for learning about Amazon EKS. A three-day training course entitled link:training/classroom/running-containers-on-amazon-elastic-kubernetes-service-amazon-eks/[Running Containers on Amazon Elastic Kubernetes Service,type="marketing"] teaches: diff --git a/latest/ug/getting-started/setting-up.adoc b/latest/ug/getting-started/setting-up.adoc index d28596e13..3dbbf8863 100644 --- a/latest/ug/getting-started/setting-up.adoc +++ b/latest/ug/getting-started/setting-up.adoc @@ -1,4 +1,4 @@ -[[setting-up,setting-up.title]] +[#setting-up] = Set up to use Amazon EKS :doctype: book :sectnums: @@ -30,7 +30,7 @@ To prepare for the command-line management of your Amazon EKS clusters, you need ** *Package manager* – https://helm.sh/docs/intro/install/[Helm] is a popular package manager for [.noloc]`Kubernetes` that simplifies the installation and management of complex packages. With [.noloc]`Helm`, it's easier to install and manage packages like the {aws} Load Balancer Controller on your Amazon EKS cluster. -[[setting-up-next-steps,setting-up-next-steps.title]] +[#setting-up-next-steps] == Next steps * <> diff --git a/latest/ug/integrations/creating-resources-with-cloudformation.adoc b/latest/ug/integrations/creating-resources-with-cloudformation.adoc index efa8ea20c..eecc43c2c 100644 --- a/latest/ug/integrations/creating-resources-with-cloudformation.adoc +++ b/latest/ug/integrations/creating-resources-with-cloudformation.adoc @@ -1,6 +1,6 @@ include::../attributes.txt[] [.topic] -[[creating-resources-with-cloudformation,creating-resources-with-cloudformation.title]] +[#creating-resources-with-cloudformation] = Create Amazon EKS resources with {aws} CloudFormation :info_titleabbrev: {aws} CloudFormation @@ -13,14 +13,14 @@ Amazon EKS is integrated with {aws} CloudFormation, a service that helps you mod When you use {aws} CloudFormation, you can reuse your template to set up your Amazon EKS resources consistently and repeatedly. Just describe your resources once, and then provision the same resources over and over in multiple {aws} accounts and Regions. -[[working-with-templates,working-with-templates.title]] +[#working-with-templates] == Amazon EKS and {aws} CloudFormation templates To provision and configure resources for Amazon EKS and related services, you must understand link:AWSCloudFormation/latest/UserGuide/template-guide.html[{aws} CloudFormation templates,type="documentation"]. Templates are formatted text files in JSON or YAML. These templates describe the resources that you want to provision in your {aws} CloudFormation stacks. If you're unfamiliar with JSON or YAML, you can use {aws} CloudFormation Designer to help you get started with {aws} CloudFormation templates. For more information, see link:AWSCloudFormation/latest/UserGuide/working-with-templates-cfn-designer.html[What is {aws} CloudFormation Designer?,type="documentation"] in the _{aws} CloudFormation User Guide_. Amazon EKS supports creating clusters and node groups in {aws} CloudFormation. For more information, including examples of JSON and YAML templates for your Amazon EKS resources, see link:AWSCloudFormation/latest/UserGuide/AWS_EKS.html[Amazon EKS resource type reference,type="documentation"] in the _{aws} CloudFormation User Guide_. -[[learn-more-cloudformation,learn-more-cloudformation.title]] +[#learn-more-cloudformation] == Learn more about {aws} CloudFormation To learn more about {aws} CloudFormation, see the following resources: diff --git a/latest/ug/integrations/eks-integrations.adoc b/latest/ug/integrations/eks-integrations.adoc index 5a0e5f1f1..4967f1d00 100644 --- a/latest/ug/integrations/eks-integrations.adoc +++ b/latest/ug/integrations/eks-integrations.adoc @@ -1,5 +1,5 @@ include::../attributes.txt[] -[[eks-integrations,eks-integrations.title]] +[#eks-integrations] = Enhance EKS with integrated {aws} services :doctype: book :sectnums: diff --git a/latest/ug/integrations/integration-detective.adoc b/latest/ug/integrations/integration-detective.adoc index 75f0e08fd..40c24f881 100644 --- a/latest/ug/integrations/integration-detective.adoc +++ b/latest/ug/integrations/integration-detective.adoc @@ -1,5 +1,5 @@ [.topic] -[[integration-detective,integration-detective.title]] +[#integration-detective] = Analyze security events on EKS with Amazon Detective :info_titleabbrev: Amazon Detective :keywords: Amazon Detective @@ -23,7 +23,7 @@ Detective organizes [.noloc]`Kubernetes` and {aws} data into findings such as: Amazon EKS audit logs is an optional data source package that can be added to your Detective behavior graph. You can view the available optional source packages, and their status in your account. For more information, see link:detective/latest/adminguide/source-data-types-EKS.html[Amazon EKS audit logs for Detective,type="documentation"] in the _Amazon Detective User Guide_. -[[integration-detective-use,integration-detective-use.title]] +[#integration-detective-use] == Use Amazon Detective with Amazon EKS Before you can review findings, Detective must be enabled for at least 48 hours in the same {aws} Region that your cluster is in. For more information, see link:detective/latest/adminguide/detective-setup.html[Setting up Amazon Detective,type="documentation"] in the _Amazon Detective User Guide_. diff --git a/latest/ug/integrations/integration-guardduty.adoc b/latest/ug/integrations/integration-guardduty.adoc index d39ba58f8..54cc2ecfc 100644 --- a/latest/ug/integrations/integration-guardduty.adoc +++ b/latest/ug/integrations/integration-guardduty.adoc @@ -1,5 +1,5 @@ [.topic] -[[integration-guardduty,integration-guardduty.title]] +[#integration-guardduty] = Detect threats with Amazon GuardDuty :info_titleabbrev: Amazon GuardDuty diff --git a/latest/ug/integrations/integration-resilience-hub.adoc b/latest/ug/integrations/integration-resilience-hub.adoc index bd80255c6..204c24218 100644 --- a/latest/ug/integrations/integration-resilience-hub.adoc +++ b/latest/ug/integrations/integration-resilience-hub.adoc @@ -1,7 +1,7 @@ include::../attributes.txt[] [.topic] -[[integration-resilience-hub,integration-resilience-hub.title]] +[#integration-resilience-hub] = Assess EKS cluster resiliency with {aws} Resilience Hub :info_titleabbrev: {aws} Resilience Hub diff --git a/latest/ug/integrations/integration-securitylake.adoc b/latest/ug/integrations/integration-securitylake.adoc index 125d81b86..13b211da5 100644 --- a/latest/ug/integrations/integration-securitylake.adoc +++ b/latest/ug/integrations/integration-securitylake.adoc @@ -1,5 +1,5 @@ [.topic] -[[integration-securitylake,integration-securitylake.title]] +[#integration-securitylake] = Centralize and analyze EKS security data with Security Lake :info_titleabbrev: Amazon Security Lake @@ -21,7 +21,7 @@ For more information about using Security Lake with Amazon EKS and setting up da ==== -[[sl-benefits,sl-benefits.title]] +[#sl-benefits] == Benefits of using Security Lake with Amazon Amazon EKS *Centralized security data* -- Security Lake automatically collects and centralizes security data from your Amazon EKS clusters, along with data from other {aws} services, SaaS providers, on-premises sources, and third-party sources. This provides a comprehensive view of your security posture across your entire organization. @@ -32,7 +32,7 @@ For more information about using Security Lake with Amazon EKS and setting up da *Simplified data management* -- Security Lake manages the lifecycle of your security data with customizable retention and replication settings. This simplifies data management tasks and ensures that you retain the necessary data for compliance and auditing purposes. -[[sl-enable,sl-enable.title]] +[#sl-enable] == Enabling Security Lake for Amazon EKS . Enable Amazon EKS control plane logging for your EKS clusters. Refer to <> for detailed instructions. . link:security-lake/latest/userguide/internal-sources.html#add-internal-sources[Add Amazon EKS Audit Logs as a source in Security Lake.,type="documentation"] Security Lake will then start collecting in-depth information about the activities performed on the Kubernetes resources running in your EKS clusters. @@ -40,7 +40,7 @@ For more information about using Security Lake with Amazon EKS and setting up da . Use the normalized OCSF data stored in Security Lake for incident response, security analytics, and integration with other {aws} services or third-party tools. For example, you can link:big-data/generate-security-insights-from-amazon-security-lake-data-using-amazon-opensearch-ingestion[Generate security insights from Amazon Security Lake data using Amazon OpenSearch Ingestion,type="blog"]. -[[sl-format,sl-format.title]] +[#sl-format] == Analyzing EKS Logs in Security Lake Security Lake normalizes EKS log events to the OCSF format, making it easier to analyze and correlate the data with other security events. You can use various tools and services, such as Amazon Athena, Amazon QuickSight, or third-party security analytics tools, to query and visualize the normalized data. diff --git a/latest/ug/integrations/integration-vpc-lattice.adoc b/latest/ug/integrations/integration-vpc-lattice.adoc index 375f16bdf..6685361f4 100644 --- a/latest/ug/integrations/integration-vpc-lattice.adoc +++ b/latest/ug/integrations/integration-vpc-lattice.adoc @@ -1,5 +1,5 @@ [.topic] -[[integration-vpc-lattice,integration-vpc-lattice.title]] +[#integration-vpc-lattice] = Enable secure cross-cluster connectivity with Amazon VPC Lattice :info_titleabbrev: Amazon VPC Lattice diff --git a/latest/ug/integrations/local-zones.adoc b/latest/ug/integrations/local-zones.adoc index 371b0a62a..42715577d 100644 --- a/latest/ug/integrations/local-zones.adoc +++ b/latest/ug/integrations/local-zones.adoc @@ -1,7 +1,7 @@ include::../attributes.txt[] [.topic] -[[local-zones,local-zones.title]] +[#local-zones] = Launch low-latency EKS clusters with {aws} Local Zones :info_titleabbrev: {aws} Local Zones diff --git a/latest/ug/manage-access/aws-access/associate-service-account-role.adoc b/latest/ug/manage-access/aws-access/associate-service-account-role.adoc index ede3a4b08..cfd34d0bc 100644 --- a/latest/ug/manage-access/aws-access/associate-service-account-role.adoc +++ b/latest/ug/manage-access/aws-access/associate-service-account-role.adoc @@ -1,5 +1,5 @@ [.topic] -[[associate-service-account-role,associate-service-account-role.title]] +[#associate-service-account-role] = Assign [.noloc]`IAM` roles to [.noloc]`Kubernetes` service accounts :info_titleabbrev: Assign IAM role @@ -21,7 +21,7 @@ This topic covers how to configure a [.noloc]`Kubernetes` service account to ass * An existing `kubectl` `config` file that contains your cluster configuration. To create a `kubectl` `config` file, see <>. -[[irsa-associate-role-procedure,irsa-associate-role-procedure.title]] +[#irsa-associate-role-procedure] == Step 1: Create IAM Policy If you want to associate an existing IAM policy to your IAM role, skip to the next step. @@ -156,7 +156,7 @@ kubectl annotate serviceaccount -n $namespace $service_account eks.amazonaws.com . (Optional) <>. {aws} recommends using a regional {aws} STS endpoint instead of the global endpoint. This reduces latency, provides built-in redundancy, and increases session token validity. -[[irsa-confirm-role-configuration,irsa-confirm-role-configuration.title]] +[#irsa-confirm-role-configuration] == Step 3: Confirm configuration . Confirm that the IAM role's trust policy is configured correctly. + diff --git a/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc b/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc index b2dd04ea9..91f0eaa7e 100644 --- a/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc +++ b/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc @@ -1,6 +1,6 @@ include::../../attributes.txt[] [.topic] -[[configure-sts-endpoint,configure-sts-endpoint.title]] +[#configure-sts-endpoint] = Configure the {aws} Security Token Service endpoint for a service account :info_titleabbrev: STS endpoints diff --git a/latest/ug/manage-access/aws-access/cross-account-access.adoc b/latest/ug/manage-access/aws-access/cross-account-access.adoc index 4564c02c2..0ac0c3e82 100644 --- a/latest/ug/manage-access/aws-access/cross-account-access.adoc +++ b/latest/ug/manage-access/aws-access/cross-account-access.adoc @@ -1,5 +1,5 @@ [.topic] -[[cross-account-access,cross-account-access.title]] +[#cross-account-access] = Authenticate to another account with IRSA :info_titleabbrev: Cross-account IAM diff --git a/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc b/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc index f6aef9a4a..adff0aee0 100644 --- a/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc @@ -1,5 +1,5 @@ [.topic] -[[enable-iam-roles-for-service-accounts,enable-iam-roles-for-service-accounts.title]] +[#enable-iam-roles-for-service-accounts] = Create an IAM [.noloc]`OIDC` provider for your cluster :info_titleabbrev: IAM OIDC provider diff --git a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc index a52b10c52..b5bd97c41 100644 --- a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc +++ b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc @@ -1,6 +1,6 @@ include::../../attributes.txt[] [.topic] -[[iam-roles-for-service-accounts-minimum-sdk,iam-roles-for-service-accounts-minimum-sdk.title]] +[#iam-roles-for-service-accounts-minimum-sdk] = Use IRSA with the {aws} SDK :info_titleabbrev: Supported SDKs diff --git a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc index 0153d5498..78fc360fc 100644 --- a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc @@ -1,5 +1,5 @@ [.topic] -[[iam-roles-for-service-accounts,iam-roles-for-service-accounts.title]] +[#iam-roles-for-service-accounts] = IAM roles for service accounts :info_titleabbrev: Credentials with IRSA @@ -44,7 +44,7 @@ To complete this step, you can run the command outside the VPC, for example in { . <> – Confirm that the workload uses an {aws} SDK of a supported version and that the workload uses the default credential chain. -[[irsa-oidc-background,irsa-oidc-background.title]] +[#irsa-oidc-background] == IAM, [.noloc]`Kubernetes`, and [.noloc]`OpenID Connect` ([.noloc]`OIDC`) background information In 2014, {aws} Identity and Access Management added support for federated identities using [.noloc]`OpenID Connect` ([.noloc]`OIDC`). This feature allows you to authenticate {aws} API calls with supported identity providers and receive a valid [.noloc]`OIDC` [.noloc]`JSON` web token ([.noloc]`JWT`). You can pass this token to the {aws} STS `AssumeRoleWithWebIdentity` API operation and receive IAM temporary role credentials. You can use these credentials to interact with any {aws} service, including Amazon S3 and DynamoDB. diff --git a/latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc b/latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc index 0c73e0f11..0b5b00316 100644 --- a/latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc +++ b/latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc @@ -1,5 +1,5 @@ [.topic] -[[irsa-fetch-keys,irsa-fetch-keys.title]] +[#irsa-fetch-keys] = Fetch signing keys to validate [.noloc]`OIDC` tokens :info_titleabbrev: Fetch signing keys diff --git a/latest/ug/manage-access/aws-access/pod-configuration.adoc b/latest/ug/manage-access/aws-access/pod-configuration.adoc index 4547fb678..07096efa0 100644 --- a/latest/ug/manage-access/aws-access/pod-configuration.adoc +++ b/latest/ug/manage-access/aws-access/pod-configuration.adoc @@ -1,5 +1,5 @@ [.topic] -[[pod-configuration,pod-configuration.title]] +[#pod-configuration] = Configure [.noloc]`Pods` to use a [.noloc]`Kubernetes` service account :info_titleabbrev: Assign to Pod diff --git a/latest/ug/manage-access/aws-access/pod-id-abac.adoc b/latest/ug/manage-access/aws-access/pod-id-abac.adoc index 8566e691a..ea677de21 100644 --- a/latest/ug/manage-access/aws-access/pod-id-abac.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-abac.adoc @@ -1,5 +1,5 @@ [.topic] -[[pod-id-abac,pod-id-abac.title]] +[#pod-id-abac] = Grant Pods access to {aws} resources based on tags :info_titleabbrev: Grant Pods access @@ -44,7 +44,7 @@ For example, the following policy allows the `s3:GetObject` action if the object ---- -[[pod-id-abac-tags,pod-id-abac-tags.title]] +[#pod-id-abac-tags] == List of session tags added by EKS Pod Identity The following list contains all of the keys for tags that are added to the `AssumeRole` request made by Amazon EKS. To use these tags in policies, use `${aws:PrincipalTag/` followed by the key, for example `${aws:PrincipalTag/kubernetes-namespace}`. @@ -59,12 +59,12 @@ The following list contains all of the keys for tags that are added to the `Assu * `kubernetes-pod-uid` -[[pod-id-abac-chaining,pod-id-abac-chaining.title]] +[#pod-id-abac-chaining] == Cross-account tags All of the session tags that are added by EKS Pod Identity are _transitive_; the tag keys and values are passed to any `AssumeRole` actions that your workloads use to switch roles into another account. You can use these tags in policies in other accounts to limit access in cross-account scenarios. For more infromation, see link:IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining[Chaining roles with session tags,type="documentation"] in the _IAM User Guide_. -[[pod-id-abac-custom-tags,pod-id-abac-custom-tags.title]] +[#pod-id-abac-custom-tags] == Custom tags EKS Pod Identity can't add additional custom tags to the `AssumeRole` action that it performs. However, tags that you apply to the IAM role are always available though the same format: `${aws:PrincipalTag/` followed by the key, for example `${aws:PrincipalTag/MyCustomTag}`. diff --git a/latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc b/latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc index a252470eb..cb0cd2158 100644 --- a/latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc @@ -1,11 +1,11 @@ [.topic] -[[pod-id-agent-config-ipv6,pod-id-agent-config-ipv6.title]] +[#pod-id-agent-config-ipv6] = Disable `IPv6` in the EKS Pod Identity Agent :info_titleabbrev: Disable IPv6 include::../../attributes.txt[] -[[pod-id-console,pod-id-console.title]] +[#pod-id-console] == {aws-management-console} . To disable `IPv6` in the EKS Pod Identity Agent, add the following configuration to the *Optional configuration settings* of the EKS Add-on. + @@ -52,7 +52,7 @@ undo -- Undo a previous rollout If the rollout takes too long, Amazon EKS will undo the rollout, and a message with the type of *Addon Update* and a status of *Failed* will be added to the *Update history* of the add-on. To investigate any issues, start from the history of the rollout, and run `kubectl logs` on a EKS Pod Identity Agent pod to see the logs of EKS Pod Identity Agent. . If the new entry in the *Update history* has a status of *Successful*, then the rollout has completed and the add-on is using the new configuration in all of the EKS Pod Identity Agent pods. -[[pod-id-cli,pod-id-cli.title]] +[#pod-id-cli] == {aws} CLI . To disable `IPv6` in the EKS Pod Identity Agent, add the following configuration to the *configuration values* of the EKS Add-on. + diff --git a/latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc b/latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc index c26ddb237..503df2e3c 100644 --- a/latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc @@ -1,5 +1,5 @@ [.topic] -[[pod-id-agent-setup,pod-id-agent-setup.title]] +[#pod-id-agent-setup] = Set up the Amazon EKS Pod Identity Agent :info_titleabbrev: Set up the Agent @@ -20,17 +20,17 @@ You do not need to install the EKS Pod Identity Agent on EKS Auto Mode Clusters. ==== -[[pod-id-agent-considerations,pod-id-agent-considerations.title]] +[#pod-id-agent-considerations] == Considerations * By default, the EKS Pod Identity Agent listens on an `IPv4` and `IPv6` address for pods to request credentials. The agent uses the loopback (localhost) IP address `169.254.170.23` for `IPv4` and the localhost IP address `[fd00:ec2::23]` for `IPv6`. * If you disable `IPv6` addresses, or otherwise prevent localhost `IPv6` IP addresses, the agent can't start. To start the agent on nodes that can't use `IPv6`, follow the steps in <> to disable the `IPv6` configuration. -[[pod-id-agent-add-on-create,pod-id-agent-add-on-create.title]] +[#pod-id-agent-add-on-create] == Creating the Amazon EKS Pod Identity Agent -[[pod-id-agent-prereqs,pod-id-agent-prereqs.title]] +[#pod-id-agent-prereqs] === Agent prerequisites * An existing Amazon EKS cluster. To deploy one, see <>. The cluster version and platform version must be the same or later than the versions listed in <>. diff --git a/latest/ug/manage-access/aws-access/pod-id-association.adoc b/latest/ug/manage-access/aws-access/pod-id-association.adoc index ba98e8b78..7f98d5d6f 100644 --- a/latest/ug/manage-access/aws-access/pod-id-association.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-association.adoc @@ -1,5 +1,5 @@ [.topic] -[[pod-id-association,pod-id-association.title]] +[#pod-id-association] = Assign an [.noloc]`IAM` role to a [.noloc]`Kubernetes` service account :info_titleabbrev: Assign IAM role @@ -21,7 +21,7 @@ To create an EKS Pod Identity association, there is only a single step; you crea * An existing `kubectl` `config` file that contains your cluster configuration. To create a `kubectl` `config` file, see <>. -[[pod-id-association-create,pod-id-association-create.title]] +[#pod-id-association-create] == Create a Pod Identity association ({aws} Console) . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. @@ -187,7 +187,7 @@ An example output is as follows. NOTE: You can specify a namespace and service account by name that doesn't exist in the cluster. You must create the namespace, service account, and the workload that uses the service account for the EKS Pod Identity association to function. -[[pod-id-confirm-role-configuration,pod-id-confirm-role-configuration.title]] +[#pod-id-confirm-role-configuration] == Confirm configuration . Confirm that the IAM role's trust policy is configured correctly. + diff --git a/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc b/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc index 264676a69..46820e86b 100644 --- a/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc @@ -1,6 +1,6 @@ include::../../attributes.txt[] [.topic] -[[pod-id-configure-pods,pod-id-configure-pods.title]] +[#pod-id-configure-pods] = Configure [.noloc]`Pods` to access {aws} services with service accounts :info_titleabbrev: Pod service account diff --git a/latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc b/latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc index 04d906c12..5c12c46ee 100644 --- a/latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc @@ -1,5 +1,5 @@ [.topic] -[[pod-id-how-it-works,pod-id-how-it-works.title]] +[#pod-id-how-it-works] = Understand how [.noloc]`EKS Pod Identity` works :info_titleabbrev: How it works @@ -16,7 +16,7 @@ Amazon EKS Pod Identity provides credentials to your workloads with an additiona In your add-ons, such as _Amazon EKS add-ons_ and self-managed controller, operators, and other add-ons, the author needs to update their software to use the latest {aws} SDKs. For the list of compatibility between EKS Pod Identity and the add-ons produced by Amazon EKS, see the previous section <>. -[[pod-id-credentials,pod-id-credentials.title]] +[#pod-id-credentials] == Using EKS Pod Identities in your code In your code, you can use the {aws} SDKs to access {aws} services. You write code to create a client for an {aws} service with an SDK, and by default the SDK searches in a chain of locations for {aws} Identity and Access Management credentials to use. After valid credentials are found, the search is stopped. For more information about the default locations used, see the link:sdkref/latest/guide/standardized-credentials.html#credentialProviderChain[Credential provider chain,type="documentation"] in the {aws} SDKs and Tools Reference Guide. @@ -27,7 +27,7 @@ The container credentials provider provides temporary credentials from an agent In contrast, _IAM roles for service accounts_ provides a _web identity_ token that the {aws} SDK must exchange with {aws} Security Token Service by using `AssumeRoleWithWebIdentity`. -[[pod-id-agent-pod,pod-id-agent-pod.title]] +[#pod-id-agent-pod] == How EKS Pod Identity Agent works with a [.noloc]`Pod` . When Amazon EKS starts a new pod that uses a service account with an EKS Pod Identity association, the cluster adds the following content to the [.noloc]`Pod` manifest: + diff --git a/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc b/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc index 399e67255..3daf822d0 100644 --- a/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc @@ -1,10 +1,10 @@ include::../../attributes.txt[] [.topic] -[[pod-id-minimum-sdk,pod-id-minimum-sdk.title]] +[#pod-id-minimum-sdk] = Use pod identity with the {aws} SDK :info_titleabbrev: Supported SDKs -[[pod-id-using-creds,pod-id-using-creds.title]] +[#pod-id-using-creds] == Using EKS Pod Identity credentials To use the credentials from a EKS Pod Identity association, your code can use any {aws} SDK to create a client for an {aws} service with an SDK, and by default the SDK searches in a chain of locations for {aws} Identity and Access Management credentials to use. The EKS Pod Identity credentials will be used if you don't specify a credential provider when you create the client or otherwise initialized the SDK. diff --git a/latest/ug/manage-access/aws-access/pod-id-role.adoc b/latest/ug/manage-access/aws-access/pod-id-role.adoc index 7d79b435a..1312b5eb4 100644 --- a/latest/ug/manage-access/aws-access/pod-id-role.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-role.adoc @@ -1,5 +1,5 @@ [.topic] -[[pod-id-role,pod-id-role.title]] +[#pod-id-role] = Create [.noloc]`IAM` role with trust policy required by [.noloc]`EKS Pod Identity` :info_titleabbrev: EKS Pod Identity role diff --git a/latest/ug/manage-access/aws-access/pod-identities.adoc b/latest/ug/manage-access/aws-access/pod-identities.adoc index 8df3f8d87..f2c95a768 100644 --- a/latest/ug/manage-access/aws-access/pod-identities.adoc +++ b/latest/ug/manage-access/aws-access/pod-identities.adoc @@ -1,6 +1,6 @@ include::../../attributes.txt[] [.topic] -[[pod-identities,pod-identities.title]] +[#pod-identities] = Learn how [.noloc]`EKS Pod Identity` grants pods access to {aws} services :info_titleabbrev: Pod Identity @@ -35,7 +35,7 @@ Each EKS Pod Identity association maps a role to a service account in a namespac If a pod uses a service account that has an association, Amazon EKS sets environment variables in the containers of the pod. The environment variables configure the {aws} SDKs, including the {aws} CLI, to use the EKS Pod Identity credentials. -[[pod-id-benefits,pod-id-benefits.title]] +[#pod-id-benefits] == Benefits of EKS Pod Identities EKS Pod Identities provide the following benefits: @@ -69,7 +69,7 @@ EKS Pod Identity is a simpler method than <>, as For more information to compare the two alternatives, see <>. -[[pod-id-setup-overview,pod-id-setup-overview.title]] +[#pod-id-setup-overview] == Overview of setting up EKS Pod Identities Turn on EKS Pod Identities by completing the following procedures: @@ -81,7 +81,7 @@ Turn on EKS Pod Identities by completing the following procedures: . <> -- Confirm that the workload uses an {aws} SDK of a supported version and that the workload uses the default credential chain. -[[pod-id-considerations,pod-id-considerations.title]] +[#pod-id-considerations] == EKS Pod Identity considerations * You can associate one IAM role to each [.noloc]`Kubernetes` service account in each cluster. You can change which role is mapped to the service account by editing the EKS Pod Identity association. @@ -93,7 +93,7 @@ Turn on EKS Pod Identities by completing the following procedures: If you disable `IPv6` addresses, or otherwise prevent localhost `IPv6` IP addresses, the agent can't start. To start the agent on nodes that can't use `IPv6`, follow the steps in <> to disable the `IPv6` configuration. -[[pod-id-cluster-versions,pod-id-cluster-versions.title]] +[#pod-id-cluster-versions] === EKS Pod Identity cluster versions To use EKS Pod Identities, the cluster must have a platform version that is the same or later than the version listed in the following table, or a [.noloc]`Kubernetes` version that is later than the versions listed in the table. @@ -122,7 +122,7 @@ To use EKS Pod Identities, the cluster must have a platform version that is the |`eks.13` |=== -[[pod-id-restrictions,pod-id-restrictions.title]] +[#pod-id-restrictions] === EKS Pod Identity restrictions EKS Pod Identities are available on the following: diff --git a/latest/ug/manage-access/aws-access/service-accounts.adoc b/latest/ug/manage-access/aws-access/service-accounts.adoc index 52d34add9..80be19a7e 100644 --- a/latest/ug/manage-access/aws-access/service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/service-accounts.adoc @@ -1,7 +1,7 @@ include::../../attributes.txt[] [.topic] -[[service-accounts,service-accounts.title]] +[#service-accounts] = Grant Kubernetes workloads access to {aws} using [.noloc]`Kubernetes` Service Accounts :info_titleabbrev: Workload access to {aws} @@ -11,7 +11,7 @@ include::pod-identities.adoc[leveloffset=+1] A [.noloc]`Kubernetes` service account provides an identity for processes that run in a [.noloc]`Pod`. For more information see https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin[Managing Service Accounts] in the [.noloc]`Kubernetes` documentation. If your [.noloc]`Pod` needs access to {aws} services, you can map the service account to an {aws} Identity and Access Management identity to grant that access. For more information, see <>. -[[service-account-tokens,service-account-tokens.title]] +[#service-account-tokens] == Service account tokens The https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#bound-service-account-token-volume[BoundServiceAccountTokenVolume] feature is enabled by default in [.noloc]`Kubernetes` versions. This feature improves the security of service account tokens by allowing workloads running on [.noloc]`Kubernetes` to request JSON web tokens that are audience, time, and key bound. Service account tokens have an expiration of one hour. In earlier [.noloc]`Kubernetes` versions, the tokens didn't have an expiration. This means that clients that rely on these tokens must refresh the tokens within an hour. The following https://kubernetes.io/docs/reference/using-api/client-libraries/[Kubernetes client SDKs] refresh tokens automatically within the required time frame: @@ -55,7 +55,7 @@ kubectl rollout restart deployment/my-deployment ---- -[[boundserviceaccounttoken-validated-add-on-versions,boundserviceaccounttoken-validated-add-on-versions.title]] +[#boundserviceaccounttoken-validated-add-on-versions] == Cluster add-ons The following cluster add-ons have been updated to use the [.noloc]`Kubernetes` client SDKs that automatically refetch service account tokens. We recommend making sure that the listed versions, or later versions, are installed on your cluster. @@ -70,7 +70,7 @@ The following cluster add-ons have been updated to use the [.noloc]`Kubernetes` * Fluentd image version https://hub.docker.com/r/fluent/fluentd/tags?page=1&name=v1.14.6-1.2[1.14.6-1.2] or later and Fluentd filter plugin for Kubernetes metadata version https://rubygems.org/gems/fluent-plugin-kubernetes_metadata_filter/versions/2.11.1[2.11.1] or later. -[[service-accounts-iam,service-accounts-iam.title]] +[#service-accounts-iam] == Granting {aws} Identity and Access Management permissions to workloads on Amazon Elastic Kubernetes Service clusters Amazon EKS provides two ways to grant {aws} Identity and Access Management permissions to workloads that run in Amazon EKS clusters: _IAM roles for service accounts_, and _EKS Pod Identities_. @@ -85,7 +85,7 @@ _IAM roles for service accounts (IRSA)_ configures Kubernetes applications runni EKS Pod Identity offers cluster administrators a simplified workflow for authenticating applications to access various other {aws} resources such as Amazon S3 buckets, Amazon DynamoDB tables, and more. EKS Pod Identity is for EKS only, and as a result, it simplifies how cluster administrators can configure Kubernetes applications to obtain IAM permissions. These permissions can now be easily configured with fewer steps directly through {aws-management-console}, EKS API, and {aws} CLI, and there isn't any action to take inside the cluster in any [.noloc]`Kubernetes` objects. Cluster administrators don't need to switch between the EKS and IAM services, or use privileged IAM operations to configure permissions required by your applications. IAM roles can now be used across multiple clusters without the need to update the role trust policy when creating new clusters. IAM credentials supplied by EKS Pod Identity include role session tags, with attributes such as cluster name, namespace, service account name. Role session tags enable administrators to author a single role that can work across service accounts by allowing access to {aws} resources based on matching tags. For more information, see <>. -[[service-accounts-iam-compare,service-accounts-iam-compare.title]] +[#service-accounts-iam-compare] === Comparing EKS Pod Identity and IRSA At a high level, both EKS Pod Identity and IRSA enables you to grant IAM permissions to applications running on Kubernetes clusters. But they are fundamentally different in how you configure them, the limits supported, and features enabled. Below, we compare some of the key facets of both solutions. diff --git a/latest/ug/manage-access/cluster-auth.adoc b/latest/ug/manage-access/cluster-auth.adoc index 97a083418..d82c97974 100644 --- a/latest/ug/manage-access/cluster-auth.adoc +++ b/latest/ug/manage-access/cluster-auth.adoc @@ -1,5 +1,5 @@ [.topic] -[[cluster-auth,cluster-auth.title]] +[#cluster-auth] = Learn how access control works in Amazon EKS :doctype: book :sectnums: diff --git a/latest/ug/manage-access/create-kubeconfig.adoc b/latest/ug/manage-access/create-kubeconfig.adoc index 096d38732..cf11ed8d7 100644 --- a/latest/ug/manage-access/create-kubeconfig.adoc +++ b/latest/ug/manage-access/create-kubeconfig.adoc @@ -1,5 +1,5 @@ [.topic] -[[create-kubeconfig,create-kubeconfig.title]] +[#create-kubeconfig] = Connect [.noloc]`kubectl` to an EKS cluster by creating a [.noloc]`kubeconfig` file :info_titleabbrev: Access cluster with kubectl @@ -27,7 +27,7 @@ aws sts get-caller-identity * An IAM user or role with permission to use the `eks:DescribeCluster` API action for the cluster that you specify. For more information, see <>. If you use an identity from your own [.noloc]`OpenID Connect` provider to access your cluster, then see https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-kubectl[Using kubectl] in the [.noloc]`Kubernetes` documentation to create or update your `kube config` file. -[[create-kubeconfig-automatically,create-kubeconfig-automatically.title]] +[#create-kubeconfig-automatically] == Create `kubeconfig` file automatically * Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. diff --git a/latest/ug/manage-access/k8s-access/access-entries.adoc b/latest/ug/manage-access/k8s-access/access-entries.adoc index a01e308a4..e883b3114 100644 --- a/latest/ug/manage-access/k8s-access/access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/access-entries.adoc @@ -1,5 +1,5 @@ [.topic] -[[access-entries,access-entries.title]] +[#access-entries] = Grant [.noloc]`IAM` users access to [.noloc]`Kubernetes` with EKS access entries :info_titleabbrev: Grant permissions diff --git a/latest/ug/manage-access/k8s-access/access-policies.adoc b/latest/ug/manage-access/k8s-access/access-policies.adoc index 3fe19b35e..7d778a895 100644 --- a/latest/ug/manage-access/k8s-access/access-policies.adoc +++ b/latest/ug/manage-access/k8s-access/access-policies.adoc @@ -1,5 +1,5 @@ [.topic] -[[access-policies,access-policies.title]] +[#access-policies] = Associate access policies with access entries :info_titleabbrev: Associate access policies @@ -31,7 +31,7 @@ Before associating access policies with access entries, consider the following r You can associate an access policy to an access entry using the {aws-management-console} or the {aws} CLI. -[[access-associate-console,access-associate-console.title]] +[#access-associate-console] == {aws-management-console} . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. . Choose the name of the cluster that has an access entry that you want to associate an access policy to. @@ -42,7 +42,7 @@ You can associate an access policy to an access entry using the {aws-management- . For *Access scope*, choose an access scope. If you choose *Cluster*, the permissions in the access policy are granted to the IAM principal for resources in all [.noloc]`Kubernetes` namespaces. If you choose *[.noloc]`Kubernetes` namespace*, you can then choose *Add new namespace*. In the *Namespace* field that appears, you can enter the name of a [.noloc]`Kubernetes` namespace on your cluster. If you want the IAM principal to have the permissions across multiple namespaces, then you can enter multiple namespaces. . Choose *Add access policy*. -[[access-associate-cli,access-associate-cli.title]] +[#access-associate-cli] == {aws} CLI . Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. + diff --git a/latest/ug/manage-access/k8s-access/access-policy-reference.adoc b/latest/ug/manage-access/k8s-access/access-policy-reference.adoc index 6e5967804..456ab6b3f 100644 --- a/latest/ug/manage-access/k8s-access/access-policy-reference.adoc +++ b/latest/ug/manage-access/k8s-access/access-policy-reference.adoc @@ -1,5 +1,5 @@ [.topic] -[[access-policy-permissions,access-policy-permissions.title]] +[#access-policy-permissions] = Review access policy permissions :info_titleabbrev: Review access policies @@ -10,7 +10,7 @@ Access policies include `rules` that contain [.noloc]`Kubernetes` `verbs` (permi Choose any access policy to see its contents. Each row of each table in each access policy is a separate rule. -[[access-policy-permissions-amazoneksadminpolicy,access-policy-permissions-amazoneksadminpolicy.title]] +[#access-policy-permissions-amazoneksadminpolicy] == AmazonEKSAdminPolicy @@ -115,7 +115,7 @@ This access policy includes permissions that grant an IAM principal most permiss |=== -[[access-policy-permissions-amazoneksclusteradminpolicy,access-policy-permissions-amazoneksclusteradminpolicy.title]] +[#access-policy-permissions-amazoneksclusteradminpolicy] == AmazonEKSClusterAdminPolicy @@ -143,7 +143,7 @@ This access policy includes permissions that grant an IAM principal administrato |=== -[[access-policy-permissions-amazoneksadminviewpolicy,access-policy-permissions-amazoneksadminviewpolicy.title]] +[#access-policy-permissions-amazoneksadminviewpolicy] == AmazonEKSAdminViewPolicy This access policy includes permissions that grant an IAM principal access to list/view all resources in a cluster. Note this includes https://kubernetes.io/docs/concepts/configuration/secret/[Kubernetes Secrets.] @@ -163,7 +163,7 @@ This access policy includes permissions that grant an IAM principal access to li |=== -[[access-policy-permissions-amazonekseditpolicy,access-policy-permissions-amazonekseditpolicy.title]] +[#access-policy-permissions-amazonekseditpolicy] == AmazonEKSEditPolicy @@ -260,7 +260,7 @@ This access policy includes permissions that allow an IAM principal to edit most |=== -[[access-policy-permissions-amazoneksviewpolicy.json,access-policy-permissions-amazoneksviewpolicy.json.title]] +[#access-policy-permissions-amazoneksviewpolicy.json] == AmazonEKSViewPolicy This access policy includes permissions that allow an IAM principal to view most [.noloc]`Kubernetes` resources. @@ -531,7 +531,7 @@ The policy allows the networking components to interact with node-related resour Amazon EKS automatically creates an access entry with this access policy for the cluster IAM role when Auto Mode is enabled, ensuring that the necessary permissions are in place for the networking capability to function properly. -[[access-policy-permissions-amazonekshybridpolicy,access-policy-permissions-amazonekshybridpolicy.title]] +[#access-policy-permissions-amazonekshybridpolicy] == AmazonEKSHybridPolicy @@ -554,7 +554,7 @@ This access policy includes permissions that grant EKS access to the nodes of a |=== -[[access-policy-updates,access-policy-updates.title]] +[#access-policy-updates] == Access policy updates View details about updates to access policies, since they were introduced. For automatic alerts about changes to this page, subscribe to the RSS feed in <>. diff --git a/latest/ug/manage-access/k8s-access/auth-configmap.adoc b/latest/ug/manage-access/k8s-access/auth-configmap.adoc index 54ba41c54..9b7c34cbf 100644 --- a/latest/ug/manage-access/k8s-access/auth-configmap.adoc +++ b/latest/ug/manage-access/k8s-access/auth-configmap.adoc @@ -1,5 +1,5 @@ [.topic] -[[auth-configmap,auth-configmap.title]] +[#auth-configmap] = Grant [.noloc]`IAM` users access to [.noloc]`Kubernetes` with a [.noloc]`ConfigMap` :info_titleabbrev: aws-auth ConfigMap @@ -19,7 +19,7 @@ The `aws-auth ConfigMap` is deprecated. For the recommended method to manage ac Access to your cluster using link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"] is enabled by the https://github.com/kubernetes-sigs/aws-iam-authenticator#readme[{aws} IAM Authenticator for Kubernetes], which runs on the Amazon EKS control plane. The authenticator gets its configuration information from the `aws-auth` `ConfigMap`. For all `aws-auth` `ConfigMap` settings, see https://github.com/kubernetes-sigs/aws-iam-authenticator#full-configuration-format[Full Configuration Format] on [.noloc]`GitHub`. -[[aws-auth-users,aws-auth-users.title]] +[#aws-auth-users] == Add IAM principals to your Amazon EKS cluster When you create an Amazon EKS cluster, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that creates the cluster is automatically granted `system:masters` permissions in the cluster's role-based access control (RBAC) configuration in the Amazon EKS control plane. This principal doesn't appear in any visible configuration, so make sure to keep track of which principal originally created the cluster. To grant additional IAM principals the ability to interact with your cluster, edit the `aws-auth ConfigMap` within [.noloc]`Kubernetes` and create a [.noloc]`Kubernetes` `rolebinding` or `clusterrolebinding` with the name of a `group` that you specify in the `aws-auth ConfigMap`. @@ -184,7 +184,7 @@ IMPORTANT: We recommend using `eksctl`, or another tool, to edit the `ConfigMap` ** View steps to xref:configmap-eksctl[edit configmap with eksctl]. ** View steps to xref:configmap-manual[edit configmap manually]. -[[configmap-eksctl,configmap-eksctl.title]] +[#configmap-eksctl] === Edit Configmap with Eksctl . You need version `{eksctl-min-version}` or later of the `eksctl` command line tool installed on your device or {aws} CloudShell. To install or update `eksctl`, see https://eksctl.io/installation[Installation] in the `eksctl` documentation. @@ -254,7 +254,7 @@ ARN {arn-aws}iam::111122223333:user/my-user my-user eks-console-dashboard-restricted-access-group ---- -[[configmap-manual,configmap-manual.title]] +[#configmap-manual] === Edit Configmap manually . Open the `ConfigMap` for editing. + @@ -315,7 +315,7 @@ data: . Save the file and exit your text editor. -[[aws-auth-configmap,aws-auth-configmap.title]] +[#aws-auth-configmap] == Apply the `aws-auth`   `ConfigMap` to your cluster The `aws-auth` `ConfigMap` is automatically created and applied to your cluster when you create a managed node group or when you create a node group using `eksctl`. It is initially created to allow nodes to join your cluster, but you also use this `ConfigMap` to add role-based access control (RBAC) access to IAM principals. If you've launched self-managed nodes and haven't applied the `aws-auth` `ConfigMap` to your cluster, you can do so with the following procedure. diff --git a/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc b/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc index 41c2fb81e..b3578954c 100644 --- a/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc +++ b/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc @@ -1,5 +1,5 @@ [.topic] -[[authenticate-oidc-identity-provider,authenticate-oidc-identity-provider.title]] +[#authenticate-oidc-identity-provider] = Grant users access to [.noloc]`Kubernetes` with an external [.noloc]`OIDC` provider :info_titleabbrev: Link OIDC provider @@ -23,7 +23,7 @@ Amazon EKS supports using [.noloc]`OpenID Connect` ([.noloc]`OIDC`) identity pro * You can't sign in to the {aws-management-console} with an account from an [.noloc]`OIDC` provider. You can only <> by signing into the {aws-management-console} with an {aws} Identity and Access Management account. -[[associate-oidc-identity-provider,associate-oidc-identity-provider.title]] +[#associate-oidc-identity-provider] == Associate an [.noloc]`OIDC` identity provider Before you can associate an [.noloc]`OIDC` identity provider with your cluster, you need the following information from your provider: @@ -40,7 +40,7 @@ The ID for the client application that makes authentication requests to the OIDC You can associate an identity provider using `eksctl` or the {aws-management-console}. -[[identity-associate-eksctl,identity-associate-eksctl.title]] +[#identity-associate-eksctl] === Associate an identity provider using eksctl . Create a file named [.replaceable]`associate-identity-provider.yaml` with the following contents. Replace the [.replaceable]`example values` with your own. The values in the `identityProviders` section are obtained from your [.noloc]`OIDC` identity provider. Values are only required for the `name`, `type`, `issuerUrl`, and `clientId` settings under `identityProviders`. @@ -79,7 +79,7 @@ eksctl associate identityprovider -f associate-identity-provider.yaml ---- . To use `kubectl` to work with your cluster and [.noloc]`OIDC` identity provider, see https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-kubectl[Using kubectl] in the [.noloc]`Kubernetes` documentation. -[[identity-associate-console,identity-associate-console.title]] +[#identity-associate-console] === Associate an identity provider using the {aws} Console . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. . Select your cluster, and then select the *Access* tab. @@ -99,7 +99,7 @@ eksctl associate identityprovider -f associate-identity-provider.yaml .. To use `kubectl` to work with your cluster and [.noloc]`OIDC` identity provider, see https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-kubectl[Using kubectl] in the [.noloc]`Kubernetes` documentation. -[[oidc-identity-provider-iam-policy,oidc-identity-provider-iam-policy.title]] +[#oidc-identity-provider-iam-policy] == Example IAM policy If you want to prevent an [.noloc]`OIDC` identity provider from being associated with a cluster, create and associate the following IAM policy to the IAM accounts of your Amazon EKS administrators. For more information, see link:IAM/latest/UserGuide/access_policies_create.html[Creating IAM policies,type="documentation"] and link:IAM/latest/UserGuide/access_policies_manage-attach-detach.html#add-policies-console[Adding IAM identity permissions,type="documentation"] in the _IAM User Guide_ and link:service-authorization/latest/reference/list_amazonelasticcontainerserviceforkubernetes.html[Actions, resources, and condition keys for Amazon Elastic Kubernetes Service,type="documentation"] in the Service Authorization Reference. @@ -170,7 +170,7 @@ The following example policy allows [.noloc]`OIDC` identity provider association ---- -[[partner-validated-identity-providers,partner-validated-identity-providers.title]] +[#partner-validated-identity-providers] == Partner validated [.noloc]`OIDC` identity providers Amazon EKS maintains relationships with a network of partners that offer support for compatible [.noloc]`OIDC` identity providers. Refer to the following partners' documentation for details on how to integrate the identity provider with Amazon EKS. diff --git a/latest/ug/manage-access/k8s-access/creating-access-entries.adoc b/latest/ug/manage-access/k8s-access/creating-access-entries.adoc index 21e2b01ae..ec15206d3 100644 --- a/latest/ug/manage-access/k8s-access/creating-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/creating-access-entries.adoc @@ -1,5 +1,5 @@ [.topic] -[[creating-access-entries,creating-access-entries.title]] +[#creating-access-entries] = Create access entries :info_titleabbrev: Create access entries @@ -74,7 +74,7 @@ Instead of, or in addition to, [.noloc]`Kubernetes` authorizing the IAM principa You can create an access entry using the {aws-management-console} or the {aws} CLI. -[[access-create-console,access-create-console.title]] +[#access-create-console] == {aws-management-console} . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. . Choose the name of the cluster that you want to create an access entry in. @@ -97,7 +97,7 @@ You can create an access entry using the {aws-management-console} or the {aws} C .. Choose *Next*. . Review the configuration for your access entry. If anything looks incorrect, choose *Previous* to go back through the steps and correct the error. If the configuration is correct, choose *Create*. -[[access-create-cli,access-create-cli.title]] +[#access-create-cli] == {aws} CLI . Install the {aws} CLI, as described in link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. diff --git a/latest/ug/manage-access/k8s-access/deleting-access-entries.adoc b/latest/ug/manage-access/k8s-access/deleting-access-entries.adoc index c3f20a4b8..edf44a32f 100644 --- a/latest/ug/manage-access/k8s-access/deleting-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/deleting-access-entries.adoc @@ -1,5 +1,5 @@ [.topic] -[[deleting-access-entries,deleting-access-entries.title]] +[#deleting-access-entries] = Delete access entries include::../../attributes.txt[] @@ -9,7 +9,7 @@ If you discover that you deleted an access entry in error, you can always recrea You can delete an access entry using the {aws-management-console} or the {aws} CLI. -[[access-delete-console,access-delete-console.title]] +[#access-delete-console] == {aws-management-console} . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. . Choose the name of the cluster that you want to delete an access entry from. @@ -18,7 +18,7 @@ You can delete an access entry using the {aws-management-console} or the {aws} C . Choose Delete. . In the confirmation dialog box, choose *Delete*. -[[access-delete-cli,access-delete-cli.title]] +[#access-delete-cli] == {aws} CLI . Install the {aws} CLI, as described in link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. . To delete an access entry diff --git a/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc b/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc index 7e14ece6f..0d79180a0 100644 --- a/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc +++ b/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc @@ -1,5 +1,5 @@ [.topic] -[[disassociate-oidc-identity-provider,disassociate-oidc-identity-provider.title]] +[#disassociate-oidc-identity-provider] = Disassociate an [.noloc]`OIDC` identity provider from your cluster :info_titleabbrev: Unlink OIDC provider diff --git a/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc b/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc index 6486e65a0..2c79d414f 100644 --- a/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc +++ b/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc @@ -1,5 +1,5 @@ [.topic] -[[grant-k8s-access,grant-k8s-access.title]] +[#grant-k8s-access] = Grant [.noloc]`IAM` users and roles access to Kubernetes [.noloc]`APIs` :info_titleabbrev: Kubernetes API access @@ -28,7 +28,7 @@ Your cluster has an [.noloc]`Kubernetes` API endpoint. Kubectl uses this API. Yo You can use both types of identities with your cluster. The IAM authentication method cannot be disabled. The OIDC authentication method is optional. -[[authentication-modes,authentication-modes.title]] +[#authentication-modes] == Associate IAM Identities with Kubernetes Permissions The https://github.com/kubernetes-sigs/aws-iam-authenticator#readme[{aws} IAM Authenticator for Kubernetes] is installed on your cluster's control plane. It enables link:IAM/latest/UserGuide/introduction.html[{aws} Identity and Access Management,type="documentation"] (IAM) principals (roles and users) that you allow to access [.noloc]`Kubernetes` resources on your cluster. You can allow IAM principals to access [.noloc]`Kubernetes` objects on your cluster using one of the following methods: @@ -47,7 +47,7 @@ To get started, follow link:eks/latest/userguide/setting-up-access-entries.html[ ** If you have to use the `aws-auth` `ConfigMap` option, you can add entries to the `ConfigMap` using the `eksctl create iamidentitymapping` command. For more information, see https://eksctl.io/usage/iam-identity-mappings/[Manage IAM users and roles] in the `eksctl` documentation. -[[set-cam,set-cam.title]] +[#set-cam] == Set Cluster Authentication Mode Each cluster has an _authentication mode_. The authentication mode determines which methods you can use to allow IAM principals to access [.noloc]`Kubernetes` objects on your cluster. There are three authentication modes. diff --git a/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc b/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc index 37292d45f..e23e8a503 100644 --- a/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc @@ -1,5 +1,5 @@ [.topic] -[[migrating-access-entries,migrating-access-entries.title]] +[#migrating-access-entries] = Migrating existing `aws-auth ConfigMap` entries to access entries :info_titleabbrev: Migrate to access entries diff --git a/latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc b/latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc index 96917975f..88c2bfc92 100644 --- a/latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc @@ -1,5 +1,5 @@ [.topic] -[[setting-up-access-entries,setting-up-access-entries.title]] +[#setting-up-access-entries] = Change authentication mode to use access entries :info_titleabbrev: Authentication mode @@ -7,7 +7,7 @@ include::../../attributes.txt[] To begin using access entries, you must change the authentication mode of the cluster to either the `API_AND_CONFIG_MAP` or `API` modes. This adds the API for access entries. -[[access-entries-setup-console,access-entries-setup-console.title]] +[#access-entries-setup-console] == {aws} Console . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. @@ -19,7 +19,7 @@ To begin using access entries, you must change the authentication mode of the cl . Choose *Save changes*. Amazon EKS begins to update the cluster, the status of the cluster changes to [.noloc]`Updating`, and the change is recorded in the *Update history* tab. . Wait for the status of the cluster to return to [.noloc]`Active`. When the cluster is [.noloc]`Active`, you can follow the steps in <> to add access to the cluster for IAM principals. -[[access-setup-cli,access-setup-cli.title]] +[#access-setup-cli] == {aws} CLI . Install the {aws} CLI, as described in link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] in the _{aws} Command Line Interface User Guide_. diff --git a/latest/ug/manage-access/k8s-access/updating-access-entries.adoc b/latest/ug/manage-access/k8s-access/updating-access-entries.adoc index 211e221af..813b3c86b 100644 --- a/latest/ug/manage-access/k8s-access/updating-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/updating-access-entries.adoc @@ -1,5 +1,5 @@ [.topic] -[[updating-access-entries,updating-access-entries.title]] +[#updating-access-entries] = Update access entries include::../../attributes.txt[] @@ -7,7 +7,7 @@ include::../../attributes.txt[] You can update an access entry using the {aws-management-console} or the {aws} CLI. -[[access-update-console,access-update-console.title]] +[#access-update-console] == {aws-management-console} . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. . Choose the name of the cluster that you want to create an access entry in. @@ -20,7 +20,7 @@ You can update an access entry using the {aws-management-console} or the {aws} C . Choose *Save changes*. . If you want to associate an access policy to the entry, see <>. -[[access-update-cli,access-update-cli.title]] +[#access-update-cli] == {aws} CLI . Install the {aws} CLI, as described in link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. . To update an access entry diff --git a/latest/ug/manage-access/view-kubernetes-resources.adoc b/latest/ug/manage-access/view-kubernetes-resources.adoc index b7cdda0ff..7d8a688e3 100644 --- a/latest/ug/manage-access/view-kubernetes-resources.adoc +++ b/latest/ug/manage-access/view-kubernetes-resources.adoc @@ -1,7 +1,7 @@ include::../attributes.txt[] [.topic] -[[view-kubernetes-resources,view-kubernetes-resources.title]] +[#view-kubernetes-resources] = View [.noloc]`Kubernetes` resources in the {aws-management-console} :info_titleabbrev: Access cluster resources @@ -28,7 +28,7 @@ To view the *Resources* tab and *Nodes* section on the *Compute* tab in the {a ** Select the *Cluster* group and then select the *Nodes* resource type. You see a list of all nodes in your cluster. The nodes can be any <>. This is the same list that you see in the *Nodes* section when you select the *Compute* tab for your cluster. Select a node resource from the list. In *Structured view*, you also see a *Pods* section. This section shows you all [.noloc]`Pods` running on the node. -[[view-kubernetes-resources-permissions,view-kubernetes-resources-permissions.title]] +[#view-kubernetes-resources-permissions] == Required permissions To view the *Resources* tab and *Nodes* section on the *Compute* tab in the {aws-management-console}, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that you're using must have specific minimum IAM and [.noloc]`Kubernetes` permissions. Complete the following steps to assign the required permissions to your IAM principals. diff --git a/latest/ug/ml/capacity-blocks-mng.adoc b/latest/ug/ml/capacity-blocks-mng.adoc index b2f14776d..6e830723c 100644 --- a/latest/ug/ml/capacity-blocks-mng.adoc +++ b/latest/ug/ml/capacity-blocks-mng.adoc @@ -1,5 +1,5 @@ [.topic] -[[capacity-blocks-mng,capacity-blocks-mng.title]] +[#capacity-blocks-mng] = Create a managed node group with Capacity Blocks for ML :info_titleabbrev: Reserve GPUs for MNG @@ -12,7 +12,7 @@ Capacity Blocks for machine learning (ML) allow you to reserve highly sought-aft Capacity Blocks for machine learning (ML) allow you to reserve GPU instances on a future date to support your short duration ML workloads. For more information, see link:AWSEC2/latest/UserGuide/ec2-capacity-blocks.html[Capacity Blocks for ML,type="documentation"] in the _Amazon EC2 User Guide for Linux Instances_. -[[capacity-blocks-mng-considerations,capacity-blocks-mng-considerations.title]] +[#capacity-blocks-mng-considerations] == Considerations [IMPORTANT] @@ -26,7 +26,7 @@ Capacity Blocks for machine learning (ML) allow you to reserve GPU instances on ==== -[[capacity-blocks-mng-procedure,capacity-blocks-mng-procedure.title]] +[#capacity-blocks-mng-procedure] == Create a managed node group with Amazon EC2 Capacity Blocks You can use Capacity Blocks with Amazon EKS managed node groups for provisioning and scaling GPU-accelerated worker nodes. The {aws} CloudFormation template examples that follow don't cover every aspect needed in a production clusters. Typically, you'd also want a bootstrapping script to join the node to the cluster and specify an Amazon EKS accelerated AMI. For more information, see <>. diff --git a/latest/ug/ml/capacity-blocks.adoc b/latest/ug/ml/capacity-blocks.adoc index fbfc813ae..5b2f2efcd 100644 --- a/latest/ug/ml/capacity-blocks.adoc +++ b/latest/ug/ml/capacity-blocks.adoc @@ -1,5 +1,5 @@ [.topic] -[[capacity-blocks,capacity-blocks.title]] +[#capacity-blocks] = Create self-managed nodes with Capacity Blocks for ML :info_titleabbrev: Reserve GPUs for SMN @@ -12,7 +12,7 @@ Capacity Blocks for machine learning (ML) allow you to reserve highly sought-aft Capacity Blocks for machine learning (ML) allow you to reserve GPU instances on a future date to support your short duration ML workloads. For more information, see link:AWSEC2/latest/UserGuide/ec2-capacity-blocks.html[Capacity Blocks for ML,type="documentation"] in the _Amazon EC2 User Guide for Linux Instances_. -[[capacity-blocks-considerations,capacity-blocks-considerations.title]] +[#capacity-blocks-considerations] == Considerations [IMPORTANT] @@ -27,7 +27,7 @@ Capacity Blocks for machine learning (ML) allow you to reserve GPU instances on ==== -[[capacity-blocks-procedure,capacity-blocks-procedure.title]] +[#capacity-blocks-procedure] == Use Capacity Blocks with self-managed nodes You can use Capacity Blocks with Amazon EKS for provisioning and scaling your self-managed nodes. The following steps give a general example overview. The {aws} CloudFormation template examples don't cover every aspect needed in a production workload. Typically you'd also want a bootstrapping script to join the node to the cluster, specify an Amazon EKS accelerated AMI, and an appropriate instance profile for joining the cluster. For more information, see <>. diff --git a/latest/ug/ml/inferentia-support.adoc b/latest/ug/ml/inferentia-support.adoc index 21f1d2c14..db3af745c 100644 --- a/latest/ug/ml/inferentia-support.adoc +++ b/latest/ug/ml/inferentia-support.adoc @@ -1,7 +1,7 @@ include::../attributes.txt[] [.topic] -[[inferentia-support,inferentia-support.title]] +[#inferentia-support] = Use {aws} [.noloc]`Inferentia` instances with Amazon EKS for Machine Learning :info_titleabbrev: Prepare Inferentia clusters @@ -19,7 +19,7 @@ Neuron device logical IDs must be contiguous. If a [.noloc]`Pod` requesting mult ==== -[[inferentia-prerequisites,inferentia-prerequisites.title]] +[#inferentia-prerequisites] == Prerequisites * Have `eksctl` installed on your computer. If you don't have it installed, see https://eksctl.io/installation[Installation] in the `eksctl` documentation. @@ -27,7 +27,7 @@ Neuron device logical IDs must be contiguous. If a [.noloc]`Pod` requesting mult * (Optional) Have `python3` installed on your computer. If you don't have it installed, then see https://www.python.org/downloads/[Python downloads] for installation instructions. -[[create-cluster-inferentia,create-cluster-inferentia.title]] +[#create-cluster-inferentia] == Create a cluster . Create a cluster with Inf1 Amazon EC2 instance nodes. You can replace [.replaceable]`inf1.2xlarge` with any link:ec2/instance-types/inf1/[Inf1 instance type,type="marketing"]. The `eksctl` utility detects that you are launching a node group with an `Inf1` instance type and will start your nodes using one of the Amazon EKS optimized accelerated Amazon Linux AMIs. @@ -75,7 +75,7 @@ neuron-device-plugin-daemonset-hwjsj 1/1 Running 0 5m ---- -[[deploy-tensorflow-serving-application,deploy-tensorflow-serving-application.title]] +[#deploy-tensorflow-serving-application] == (Optional) Deploy a TensorFlow Serving application image A trained model must be compiled to an Inferentia target before it can be deployed on Inferentia instances. To continue, you will need a https://awsdocs-neuron.readthedocs-hosted.com/en/latest/neuron-guide/neuron-frameworks/tensorflow-neuron/index.html[Neuron optimized TensorFlow] model saved in Amazon S3. If you don't already have a SavedModel, please follow the tutorial for link:dlami/latest/devguide/tutorial-inferentia-tf-neuron.html[creating a Neuron compatible ResNet50 model,type="documentation"] and upload the resulting SavedModel to S3. ResNet-50 is a popular machine learning model used for image recognition tasks. For more information about compiling Neuron models, see link:dlami/latest/devguide/tutorial-inferentia.html[The {aws} Inferentia Chip With DLAMI,type="documentation"] in the {aws} Deep Learning AMIs Developer Guide. @@ -195,7 +195,7 @@ kubectl apply -f rn50_service.yaml ---- -[[make-predictions-against-tensorflow-service,make-predictions-against-tensorflow-service.title]] +[#make-predictions-against-tensorflow-service] == (Optional) Make predictions against your TensorFlow Serving service . To test locally, forward the gRPC port to the `eks-neuron-test` service. + diff --git a/latest/ug/ml/machine-learning-on-eks.adoc b/latest/ug/ml/machine-learning-on-eks.adoc index adc39af0c..74d80131f 100644 --- a/latest/ug/ml/machine-learning-on-eks.adoc +++ b/latest/ug/ml/machine-learning-on-eks.adoc @@ -1,5 +1,5 @@ [.topic] -[[machine-learning-on-eks,machine-learning-on-eks.title]] +[#machine-learning-on-eks] = Overview of Machine Learning on Amazon EKS :doctype: book :sectnums: @@ -19,7 +19,7 @@ include::../attributes.txt[] Complete guide for running Machine Learning applications on Amazon EKS. This includes everything from provisioning infrastructure to choosing and deploying Machine Learning workloads on Amazon EKS. -- -[[ml-features,ml-features.title]] +[#ml-features] Machine Learning (ML) is an area of Artificial Intelligence (AI) where machines process large amounts of data to look for patterns and make connections between the data. This can expose new relationships and help predict outcomes that might not have been apparent otherwise. diff --git a/latest/ug/ml/ml-eks-optimized-ami.adoc b/latest/ug/ml/ml-eks-optimized-ami.adoc index cc801ec8d..9ebfcd3da 100644 --- a/latest/ug/ml/ml-eks-optimized-ami.adoc +++ b/latest/ug/ml/ml-eks-optimized-ami.adoc @@ -1,5 +1,5 @@ [.topic] -[[ml-eks-optimized-ami,ml-eks-optimized-ami.title]] +[#ml-eks-optimized-ami] = Run GPU-accelerated containers (Linux on EC2) :info_titleabbrev: Run Linux GPU AMIs diff --git a/latest/ug/ml/ml-eks-windows-optimized-ami.adoc b/latest/ug/ml/ml-eks-windows-optimized-ami.adoc index d19df2337..f1186179c 100644 --- a/latest/ug/ml/ml-eks-windows-optimized-ami.adoc +++ b/latest/ug/ml/ml-eks-windows-optimized-ami.adoc @@ -1,5 +1,5 @@ [.topic] -[[ml-eks-windows-optimized-ami,ml-eks-windows-optimized-ami.title]] +[#ml-eks-windows-optimized-ami] = Run GPU-accelerated containers (Windows on EC2 G-Series) :info_titleabbrev: Run Windows GPU AMIs @@ -30,7 +30,7 @@ This guide provides steps to install and set up GPU-acceleration for your Window * There are some known limitations to be aware of before running GPU-accelerated Windows containers. Please see the <> section for more information. -[[ml-eks-windows-ami-prerequisites,ml-eks-windows-ami-prerequisites.title]] +[#ml-eks-windows-ami-prerequisites] == Prerequisites To enable GPU acceleration for your Windows containers on Amazon EKS, you'll need to prepare the following requirements before proceeding: @@ -40,7 +40,7 @@ To enable GPU acceleration for your Windows containers on Amazon EKS, you'll nee * Provision Windows nodes in the G-family of instance types, such as link:ec2/instance-types/g4/[G4,type="marketing"] or link:ec2/instance-types/g5/[G5,type="marketing"]. * Provision Windows nodes with a container runtime with containerd `1.7.x` or `2.x.x`. (See <> to verify the containerd version in your Amazon EKS Optimized AMI.) -[[ml-eks-windows-ami-install-gpu-driver,ml-eks-windows-ami-install-gpu-driver.title]] +[#ml-eks-windows-ami-install-gpu-driver] == Install the GPU driver on each Windows Windows node To install the NVIDIA GRID drivers on your EKS worker nodes, follow the steps outlined in link:AWSEC2/latest/UserGuide/install-nvidia-driver.html[NVIDIA drivers for your Amazon EC2 instance,type="documentation"]. @@ -68,7 +68,7 @@ nvidia-smi This command displays the NVIDIA driver version, as well as information about the GPU hardware. Ensure that the output of this command matches the NVIDIA GRID driver version you expected to be installed. -[[ml-eks-windows-ami-deploy-gpu-driver,ml-eks-windows-ami-deploy-gpu-driver.title]] +[#ml-eks-windows-ami-deploy-gpu-driver] == Deploy the GPU device plugin on each node To enable discovery and exposure of the GPU resources to containers on your Windows nodes, you will need a device plugin. @@ -107,7 +107,7 @@ kubectl apply -f "https://raw.githubusercontent.com/TensorWorks/directx-device-p ---- -[[ml-eks-windows-ami-verify-device-plugin,ml-eks-windows-ami-verify-device-plugin.title]] +[#ml-eks-windows-ami-verify-device-plugin] === Verifying the device plugin deployment After you have deployed the device plugin, replace `` and run the following command to verify the DirectX Device Plugin is running correctly on your all your Windows nodes. @@ -117,7 +117,7 @@ kubectl get ds device-plugin-wddm -n ---- -[[ml-eks-windows-ami-verify-container-deployment,ml-eks-windows-ami-verify-container-deployment.title]] +[#ml-eks-windows-ami-verify-container-deployment] === Verifying containers are ready for deployment Once the device plugin DaemonSet is running on the GPU-powered Windows worker nodes, use the following command to verify that each node has allocatable GPUs. The corresponding number should match the number of DirectX devices on each node. @@ -127,7 +127,7 @@ kubectl get nodes "-o=custom-columns=NAME:.metadata.name,DirectX:.status.allocat ---- -[[ml-eks-windows-ami-run-with-gpu-acceleration,ml-eks-windows-ami-run-with-gpu-acceleration.title]] +[#ml-eks-windows-ami-run-with-gpu-acceleration] == Running Windows containers with GPU-acceleration Before launching your pods, specify the resource name `directx.microsoft.com/display` in `.spec.containers[].resources`. @@ -160,10 +160,10 @@ EOF ---- -[[ml-eks-windows-ami-known-limitations,ml-eks-windows-ami-known-limitations.title]] +[#ml-eks-windows-ami-known-limitations] == Known limitations -[[ml-eks-windows-ami-gpus-usable,ml-eks-windows-ami-gpus-usable.title]] +[#ml-eks-windows-ami-gpus-usable] === All GPUs are usable All the GPUs on the instance will be usable by each running container on the host, even when you request a specific number of GPUs for a given container. Additionally, the default behavior is that all containers running on the host will use the GPU with index 0, even if there are multiple GPUs available on the node. Thus, for multi-GPU tasks to operate correctly, you must explicitly designate the specific GPU device to be utilized within your application's code. @@ -205,19 +205,19 @@ Consider a scenario whereby there is a single Windows node of EC2 instance type |4 |=== -[[ml-eks-windows-ami-device-plugin-support,ml-eks-windows-ami-device-plugin-support.title]] +[#ml-eks-windows-ami-device-plugin-support] === Kubernetes device plugin support NVIDIA's official implementation of the https://github.com/NVIDIA/k8s-device-plugin[Kubernetes device plugin] does not support Windows. You can track the progress on adding official Windows support in the https://github.com/NVIDIA/k8s-device-plugin/issues/419[NVIDIA/k8s-device-plugin issue #419]. -[[ml-eks-windows-ami-compute-instance-limitations,ml-eks-windows-ami-compute-instance-limitations.title]] +[#ml-eks-windows-ami-compute-instance-limitations] === GPU compute instance limitations Depending on your {aws} account configuration, you may have service limits on the number and types of Amazon EC2 GPU compute instances that you can launch. If you require additional capacity, you can link:servicequotas/latest/userguide/request-quota-increase.html[Request a quota increase,type="documentation"]. -[[ml-eks-windows-ami-build-gpu-ami,ml-eks-windows-ami-build-gpu-ami.title]] +[#ml-eks-windows-ami-build-gpu-ami] === Must build a Windows GPU Optimized AMI There is no EKS Windows GPU Optimized AMI or EC2 Image Builder managed component provided by Amazon EKS. You will need to follow the steps in this guide to build a custom EKS Windows Optimized AMI with the required GPU drivers pre-installed, or install the necessary GPU drivers on your EKS worker nodes after launching your instances. -[[ml-eks-windows-ami-inferentia-tranium-support,ml-eks-windows-ami-inferentia-tranium-support.title]] +[#ml-eks-windows-ami-inferentia-tranium-support] === Inferentia and Trainium not supported {aws} link:ai/machine-learning/inferentia/[Inferentia,type="marketing"] and {aws} link:ai/machine-learning/trainium/[Trainium,type="marketing"] based workloads are not supported on Windows. diff --git a/latest/ug/ml/ml-get-started.adoc b/latest/ug/ml/ml-get-started.adoc index d0e353ffe..393f4225d 100644 --- a/latest/ug/ml/ml-get-started.adoc +++ b/latest/ug/ml/ml-get-started.adoc @@ -1,5 +1,5 @@ [.topic] -[[ml-get-started,ml-get-started.title]] +[#ml-get-started] = Get started with ML :info_titleabbrev: Get started with ML diff --git a/latest/ug/ml/ml-prepare-for-cluster.adoc b/latest/ug/ml/ml-prepare-for-cluster.adoc index 59bf1a1cc..4d9877dbd 100644 --- a/latest/ug/ml/ml-prepare-for-cluster.adoc +++ b/latest/ug/ml/ml-prepare-for-cluster.adoc @@ -1,5 +1,5 @@ [.topic] -[[ml-prepare-for-cluster,ml-prepare-for-cluster.title]] +[#ml-prepare-for-cluster] = Prepare for ML clusters :info_titleabbrev: Prepare for ML diff --git a/latest/ug/ml/ml-tutorials.adoc b/latest/ug/ml/ml-tutorials.adoc index 31caa222b..f697284db 100644 --- a/latest/ug/ml/ml-tutorials.adoc +++ b/latest/ug/ml/ml-tutorials.adoc @@ -1,5 +1,5 @@ [.topic] -[[ml-tutorials,ml-tutorials.title]] +[#ml-tutorials] = Try tutorials for deploying Machine Learning workloads on EKS :info_titleabbrev: Try tutorials for ML on EKS diff --git a/latest/ug/ml/node-efa.adoc b/latest/ug/ml/node-efa.adoc index 04ff37b94..968a2da62 100644 --- a/latest/ug/ml/node-efa.adoc +++ b/latest/ug/ml/node-efa.adoc @@ -1,7 +1,7 @@ :AWSEC2-latest-UserGuide-using-eni-html-network-cards: AWSEC2/latest/UserGuide/using-eni.html#network-cards [.topic] -[[node-efa,node-efa.title]] +[#node-efa] = Run machine learning training on Amazon EKS with [.noloc]`Elastic Fabric Adapter` :info_titleabbrev: Training clusters with EFA @@ -14,14 +14,14 @@ Learn how to integrate Elastic Fabric Adapter (EFA) with Amazon EKS to run machi This topic describes how to integrate Elastic Fabric Adapter (EFA) with [.noloc]`Pods` deployed in your Amazon EKS cluster. Elastic Fabric Adapter (EFA) is a network interface for Amazon EC2 instances that enables you to run applications requiring high levels of inter-node communications at scale on {aws}. Its custom-built operating system bypass hardware interface enhances the performance of inter-instance communications, which is critical to scaling these applications. With EFA, High Performance Computing (HPC) applications using the Message Passing Interface (MPI) and Machine Learning (ML) applications using NVIDIA Collective Communications Library (NCCL) can scale to thousands of CPUs or GPUs. As a result, you get the application performance of on-premises HPC clusters with the on-demand elasticity and flexibility of the {aws} cloud. Integrating EFA with applications running on Amazon EKS clusters can reduce the time to complete large scale distributed training workloads without having to add additional instances to your cluster. For more information about EFA, link:hpc/efa/[Elastic Fabric Adapter,type="marketing"]. -[[efa-instances,efa-instances.title]] +[#efa-instances] == Instance types with EFA The _{aws} EFA Kubernetes Device Plugin_ supports all Amazon EC2 instance types that have EFA. To see a list of all instance types that have EFA, see link:AWSEC2/latest/UserGuide/efa.html#efa-instance-types[Supported instance types,type="documentation"] in the _Amazon EC2 User Guide_. However, to run ML applications quickly, we recommend that an instance has hardware acceleration chips such as [.noloc]`nVidia` GPUs, link:machine-learning/inferentia/[{aws} Inferentia,type="marketing"] chips, or link:machine-learning/trainium/[{aws} Trainium,type="marketing"] chips, in addition to the EFA. To see a list of instance types that have hardware acceleration chips and EFA, see link:AWSEC2/latest/UserGuide/efa.html#efa-instance-types[Accelerated computing,type="documentation"] in the _Amazon EC2 User Guide_. As you compare instance types to choose between them, consider the number of EFA network cards available for that instance type as well as the number of accelerator cards, amount of CPU, and amount of memory. You can assign up to one EFA per network card. An EFA counts as a network interface.. To see how many EFA are available for each instance types that have EFA, see the link:AWSEC2/latest/UserGuide/using-eni.html#network-cards[Network cards,type="documentation"] list in the _Amazon EC2 User Guide_. -[[efa-only-interfaces,efa-only-interfaces.title]] +[#efa-only-interfaces] == EFA and EFA-only interfaces An _Elastic Fabric Adapter (EFA)_ is a network interface that combines the capabilities of an Elastic Network Adapter (ENA) and an OS-bypass interface, powered by the {aws} Scalable Reliable Datagram (SRD) protocol. The EFA functionalities allow applications to communicate directly with the hardware for low-latency transport. You can choose to access only the EFA capabilities using _EFA-only_ interfaces, limiting communication to interfaces within the same Availability Zone. @@ -30,7 +30,7 @@ To create nodes that can have EFA-only interfaces, you must use a custom EC2 Lau The following procedure guides you to create an EKS cluster with `eksctl` with nodes that have [.noloc]`nVidia` GPUs and EFA interfaces. You can't use `eksctl` to create nodes and node groups that use EFA-only interfaces. -[[efa-prereqs,efa-prereqs.title]] +[#efa-prereqs] == Prerequisites * An existing Amazon EKS cluster. If you don't have an existing cluster, create one using <>.. Your cluster must be deployed in a VPC that has at least one private subnet with enough available IP addresses to deploy nodes in. The private subnet must have outbound internet access provided by an external device, such as a NAT gateway. @@ -48,7 +48,7 @@ An important consideration required for adopting EFA with [.noloc]`Kubernetes` i ==== -[[efa-create-nodegroup,efa-create-nodegroup.title]] +[#efa-create-nodegroup] == Create node group The following procedure helps you create a node group with a `p4d.24xlarge` backed node group with EFA interfaces and GPUDirect RDMA, and run an example NVIDIA Collective Communications Library (NCCL) test for multi-node NCCL Performance using EFAs. The example can be used a template for distributed deep learning training on Amazon EKS using EFAs. @@ -136,7 +136,7 @@ helm install aws-efa-k8s-device-plugin --namespace kube-system eks/aws-efa-k8s-d ---- -[[efa-application,efa-application.title]] +[#efa-application] == (Optional) Test the performance of the EFA We recommend that you test the EFA setup. You can use the https://github.com/aws-samples/awsome-distributed-training/tree/main/micro-benchmarks/nccl-tests[NCCL Tests] in the `aws-samples/awsome-distributed-training` repository on GitHub. https://github.com/NVIDIA/nccl-tests[NCCL Tests] evaluate the performance of the network using the Nvidia Collective Communication Library. The following steps submit NCCL tests on Amazon EKS. diff --git a/latest/ug/ml/node-taints-managed-node-groups.adoc b/latest/ug/ml/node-taints-managed-node-groups.adoc index a1efbb9ac..b17df0006 100644 --- a/latest/ug/ml/node-taints-managed-node-groups.adoc +++ b/latest/ug/ml/node-taints-managed-node-groups.adoc @@ -1,5 +1,5 @@ [.topic] -[[node-taints-managed-node-groups,node-taints-managed-node-groups.title]] +[#node-taints-managed-node-groups] = Prevent [.noloc]`Pods` from being scheduled on specific nodes :info_titleabbrev: Taint GPU nodes diff --git a/latest/ug/networking/alternate-cni-plugins.adoc b/latest/ug/networking/alternate-cni-plugins.adoc index f4b1c962d..edea34f3b 100644 --- a/latest/ug/networking/alternate-cni-plugins.adoc +++ b/latest/ug/networking/alternate-cni-plugins.adoc @@ -1,5 +1,5 @@ [.topic] -[[alternate-cni-plugins,alternate-cni-plugins.title]] +[#alternate-cni-plugins] = Alternate CNI plugins for Amazon EKS clusters :info_titleabbrev: Alternate CNI plugins @@ -43,7 +43,7 @@ Amazon EKS maintains relationships with a network of partners that offer support Amazon EKS aims to give you a wide selection of options to cover all use cases. -[[alternate-network-policy-plugins,alternate-network-policy-plugins.title]] +[#alternate-network-policy-plugins] == Alternate compatible network policy plugins https://www.tigera.io/project-calico[Calico] is a widely adopted solution for container networking and security. Using [.noloc]`Calico` on EKS provides a fully compliant network policy enforcement for your EKS clusters. Additionally, you can opt to use [.noloc]`Calico's` networking, which conserve IP addresses from your underlying VPC. https://www.tigera.io/tigera-products/calico-cloud/[Calico Cloud] enhances the features of [.noloc]`Calico Open Source`, providing advanced security and observability capabilities. diff --git a/latest/ug/networking/aws-load-balancer-controller.adoc b/latest/ug/networking/aws-load-balancer-controller.adoc index 50b546c08..770c52b79 100644 --- a/latest/ug/networking/aws-load-balancer-controller.adoc +++ b/latest/ug/networking/aws-load-balancer-controller.adoc @@ -1,7 +1,7 @@ include::../attributes.txt[] [.topic] -[[aws-load-balancer-controller,aws-load-balancer-controller.title]] +[#aws-load-balancer-controller] = Route internet traffic with {aws} Load Balancer Controller :info_titleabbrev: {aws} Load Balancer Controller @@ -38,7 +38,7 @@ The controller is an https://github.com/kubernetes-sigs/aws-load-balancer-contro Before deploying the controller, we recommend that you review the prerequisites and considerations in <> and <>. In those topics, you will deploy a sample app that includes an {aws} load balancer. -[[lbc-overview,lbc-overview.title]] +[#lbc-overview] == Install the controller You can use one of the following procedures to install the [.noloc]`{aws} Load Balancer Controller`: @@ -49,7 +49,7 @@ You can use one of the following procedures to install the [.noloc]`{aws} Load B * For advanced configurations, such as clusters with restricted network access to public container registries, use [.noloc]`Kubernetes` Manifests. For more information, see <>. -[[lbc-deprecated,lbc-deprecated.title]] +[#lbc-deprecated] == Migrate from deprecated controller versions * If you have deprecated versions of the [.noloc]`{aws} Load Balancer Controller` installed, see <>. @@ -62,7 +62,7 @@ You can use one of the following procedures to install the [.noloc]`{aws} Load B ** Any `0.1.[.replaceable]``x``` version of the [.noloc]`{aws} Load Balancer Controller` -[[lbc-legacy,lbc-legacy.title]] +[#lbc-legacy] == Legacy cloud provider [.noloc]`Kubernetes` includes a legacy cloud provider for {aws}. The legacy cloud provider is capable of provisioning {aws} load balancers, similar to the [.noloc]`{aws} Load Balancer Controller`. The legacy cloud provider creates Classic Load Balancers. If you do not install the [.noloc]`{aws} Load Balancer Controller`, [.noloc]`Kubernetes` will default to using the legacy cloud provider. You should install the [.noloc]`{aws} Load Balancer Controller` and avoid using the legacy cloud provider. diff --git a/latest/ug/networking/cni-custom-network-tutorial.adoc b/latest/ug/networking/cni-custom-network-tutorial.adoc index 6c8cbfe07..a28b2b43f 100644 --- a/latest/ug/networking/cni-custom-network-tutorial.adoc +++ b/latest/ug/networking/cni-custom-network-tutorial.adoc @@ -1,5 +1,5 @@ [.topic] -[[cni-custom-network-tutorial,cni-custom-network-tutorial.title]] +[#cni-custom-network-tutorial] = Customize the secondary network interface in Amazon EKS nodes :info_titleabbrev: Secondary interface @@ -24,7 +24,7 @@ The commands in this topic are formatted using the conventions listed in link:cl When you want to deploy custom networking to your production cluster, skip to <>. -[[custom-networking-create-cluster,custom-networking-create-cluster.title]] +[#custom-networking-create-cluster] == Step 1: Create a test VPC and cluster The following procedures help you create a test VPC and cluster and configure custom networking for that cluster. We don't recommend using the test cluster for production workloads because several unrelated features that you might use on your production cluster aren't covered in this topic. For more information, see <>. @@ -135,7 +135,7 @@ aws eks update-kubeconfig --name my-custom-networking-cluster ---- -[[custom-networking-configure-vpc,custom-networking-configure-vpc.title]] +[#custom-networking-configure-vpc] == Step 2: Configure your VPC This tutorial requires the VPC created in <>. For a production cluster, adjust the steps accordingly for your VPC by replacing all of the example values with your own. @@ -243,7 +243,7 @@ An example output is as follows. You can see the subnets in the `192.168.1.0` CIDR block that you created are in the same Availability Zones as the subnets in the `192.168.0.0` CIDR block. -[[custom-networking-configure-kubernetes,custom-networking-configure-kubernetes.title]] +[#custom-networking-configure-kubernetes] == Step 3: Configure [.noloc]`Kubernetes` resources . Set the `AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG` environment variable to `true` in the `aws-node` [.noloc]`DaemonSet`. + @@ -355,7 +355,7 @@ kubectl set env daemonset aws-node -n kube-system ENI_CONFIG_LABEL_DEF=topology. ---- -[[custom-networking-deploy-nodes,custom-networking-deploy-nodes.title]] +[#custom-networking-deploy-nodes] == Step 4: Deploy Amazon EC2 nodes . Create a node IAM role. + @@ -533,7 +533,7 @@ You can see that the coredns [.noloc]`Pods` are assigned IP addresses from the ` If a [.noloc]`Pod's` `spec` contains `hostNetwork=true`, it's assigned the primary IP address of the node. It isn't assigned an address from the subnets that you added. By default, this value is set to `false`. This value is set to `true` for the `kube-proxy` and [.noloc]`Amazon VPC CNI plugin for Kubernetes` (`aws-node`) [.noloc]`Pods` that run on your cluster. This is why the `kube-proxy` and the plugin's `aws-node` [.noloc]`Pods` aren't assigned 192.168.1.x addresses in the previous output. For more information about a [.noloc]`Pod's` `hostNetwork` setting, see https://kubernetes.io/docs/reference/generated/kubernetes-api/v{k8s-n}/#podspec-v1-core[PodSpec v1 core] in the [.noloc]`Kubernetes` API reference. -[[custom-network-delete-resources,custom-network-delete-resources.title]] +[#custom-network-delete-resources] == Step 5: Delete tutorial resources After you complete the tutorial, we recommend that you delete the resources that you created. You can then adjust the steps to enable custom networking for a production cluster. diff --git a/latest/ug/networking/cni-custom-network.adoc b/latest/ug/networking/cni-custom-network.adoc index 11f76c7ed..9eacb468c 100644 --- a/latest/ug/networking/cni-custom-network.adoc +++ b/latest/ug/networking/cni-custom-network.adoc @@ -1,5 +1,5 @@ [.topic] -[[cni-custom-network,cni-custom-network.title]] +[#cni-custom-network] = Deploy [.noloc]`Pods` in alternate subnets with custom networking :info_titleabbrev: Custom networking @@ -21,7 +21,7 @@ By default, when the [.noloc]`Amazon VPC CNI plugin for Kubernetes` creates seco * The nodes are configured in public subnets, and you want to place the [.noloc]`Pods` in private subnets. The route table associated to a public subnet includes a route to an internet gateway. The route table associated to a private subnet doesn't include a route to an internet gateway. -[[cni-custom-network-considerations,cni-custom-network-considerations.title]] +[#cni-custom-network-considerations] == Considerations The following are considerations for using the feature. diff --git a/latest/ug/networking/cni-iam-role.adoc b/latest/ug/networking/cni-iam-role.adoc index c9c9633df..c75076519 100644 --- a/latest/ug/networking/cni-iam-role.adoc +++ b/latest/ug/networking/cni-iam-role.adoc @@ -1,5 +1,5 @@ [.topic] -[[cni-iam-role,cni-iam-role.title]] +[#cni-iam-role] = Configure Amazon VPC CNI plugin to use IRSA :info_titleabbrev: Configure for IRSA @@ -28,7 +28,7 @@ The [.noloc]`Pods` for the [.noloc]`Amazon VPC CNI plugin for Kubernetes` have a * An existing {aws} Identity and Access Management (IAM) [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you already have one, or to create one, see <>. -[[cni-iam-role-create-role,cni-iam-role-create-role.title]] +[#cni-iam-role-create-role] == Step 1: Create the [.noloc]`Amazon VPC CNI plugin for Kubernetes` IAM role . Determine the IP family of your cluster. + @@ -160,7 +160,7 @@ kubectl annotate serviceaccount \ . (Optional) Configure the {aws} Security Token Service endpoint type used by your [.noloc]`Kubernetes` service account. For more information, see <>. -[[cni-iam-role-redeploy-pods,cni-iam-role-redeploy-pods.title]] +[#cni-iam-role-redeploy-pods] == Step 2: Re-deploy [.noloc]`Amazon VPC CNI plugin for Kubernetes` [.noloc]`Pods` . Delete and re-create any existing [.noloc]`Pods` that are associated with the service account to apply the credential environment variables. The annotation is not applied to [.noloc]`Pods` that are currently running without the annotation. The following command deletes the existing `aws-node` [.noloc]`DaemonSet` [.noloc]`Pods` and deploys them with the service account annotation. + @@ -201,7 +201,7 @@ AWS_STS_REGIONAL_ENDPOINTS=regional ---- -[[remove-cni-policy-node-iam-role,remove-cni-policy-node-iam-role.title]] +[#remove-cni-policy-node-iam-role] == Step 3: Remove the CNI policy from the node IAM role If your <> currently has the `AmazonEKS_CNI_Policy` IAM (`IPv4`) policyor an <>attached to it, and you've created a separate IAM role, attached the policy to it instead, and assigned it to the `aws-node` [.noloc]`Kubernetes` service account, then we recommend that you remove the policy from your node role with the {aws} CLI command that matches the IP family of your cluster. Replace [.replaceable]`AmazonEKSNodeRole` with the name of your node role. @@ -224,7 +224,7 @@ aws iam detach-role-policy --role-name AmazonEKSNodeRole --policy-arn {arn-aws}i ---- -[[cni-iam-role-create-ipv6-policy,cni-iam-role-create-ipv6-policy.title]] +[#cni-iam-role-create-ipv6-policy] == Create IAM policy for clusters that use the `IPv6` family If you created a cluster that uses the `IPv6` family and the cluster has version `1.10.1` or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on configured, then you need to create an IAM policy that you can assign to an IAM role. If you have an existing cluster that you didn't configure with the `IPv6` family when you created it, then to use `IPv6`, you must create a new cluster. For more information about using `IPv6` with your cluster, see <>. diff --git a/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc b/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc index c8cf05838..ad96ecead 100644 --- a/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc +++ b/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc @@ -1,5 +1,5 @@ [.topic] -[[cni-increase-ip-addresses-procedure,cni-increase-ip-addresses-procedure.title]] +[#cni-increase-ip-addresses-procedure] = Increase the available IP addresses for your Amazon EKS node :info_titleabbrev: Procedure diff --git a/latest/ug/networking/cni-increase-ip-addresses.adoc b/latest/ug/networking/cni-increase-ip-addresses.adoc index cc7bc2db1..e74844a07 100644 --- a/latest/ug/networking/cni-increase-ip-addresses.adoc +++ b/latest/ug/networking/cni-increase-ip-addresses.adoc @@ -1,5 +1,5 @@ [.topic] -[[cni-increase-ip-addresses,cni-increase-ip-addresses.title]] +[#cni-increase-ip-addresses] = Assign more IP addresses to Amazon EKS nodes with prefixes :info_titleabbrev: Increase IP addresses @@ -20,7 +20,7 @@ Each Amazon EC2 instance supports a maximum number of elastic network interfaces You can increase the number of IP addresses that nodes can assign to `Pods` by assigning IP prefixes, rather than assigning individual secondary IP addresses to your nodes. Each prefix includes several IP addresses. If you don't configure your cluster for IP prefix assignment, your cluster must make more Amazon EC2 application programming interface (API) calls to configure network interfaces and IP addresses necessary for [.noloc]`Pod` connectivity. As clusters grow to larger sizes, the frequency of these API calls can lead to longer [.noloc]`Pod` and instance launch times. This results in scaling delays to meet the demand of large and spiky workloads, and adds cost and management overhead because you need to provision additional clusters and VPCs to meet scaling requirements. For more information, see https://github.com/kubernetes/community/blob/master/sig-scalability/configs-and-limits/thresholds.md[Kubernetes Scalability thresholds] on GitHub. -[[cni-increase-ip-addresses-compatability,cni-increase-ip-addresses-compatability.title]] +[#cni-increase-ip-addresses-compatability] == Compatibility with [.noloc]`Amazon VPC CNI plugin for Kubernetes` features You can use IP prefixes with the following features: @@ -40,7 +40,7 @@ The following list provides information about the Amazon VPC CNI plugin settings * `WARM_PREFIX_TARGET` -[[cni-increase-ip-addresses-considerations,cni-increase-ip-addresses-considerations.title]] +[#cni-increase-ip-addresses-considerations] == Considerations Consider the following when you use this feature: diff --git a/latest/ug/networking/cni-ipv6.adoc b/latest/ug/networking/cni-ipv6.adoc index ef724dfaa..27fbfd235 100644 --- a/latest/ug/networking/cni-ipv6.adoc +++ b/latest/ug/networking/cni-ipv6.adoc @@ -1,5 +1,5 @@ [.topic] -[[cni-ipv6,cni-ipv6.title]] +[#cni-ipv6] = Learn about IPv6 addresses to clusters, [.noloc]`Pods`, and services :info_titleabbrev: IPv6 @@ -20,7 +20,7 @@ You select which IP family you want to use for your cluster when you create it. For a tutorial to deploy an Amazon EKS `IPv6` cluster, see <>. -//[[ipv6-considerations,ipv6-considerations.title]] +//[#ipv6-considerations] //===== Considerations The following are considerations for using the feature: diff --git a/latest/ug/networking/cni-network-policy-configure.adoc b/latest/ug/networking/cni-network-policy-configure.adoc index 121f38eb5..3bddc5c98 100644 --- a/latest/ug/networking/cni-network-policy-configure.adoc +++ b/latest/ug/networking/cni-network-policy-configure.adoc @@ -1,5 +1,5 @@ [.topic] -[[cni-network-policy-configure,cni-network-policy-configure.title]] +[#cni-network-policy-configure] = Restrict Pod network traffic with [.noloc]`Kubernetes` network policies :info_titleabbrev: Restrict traffic @@ -20,12 +20,12 @@ You must configure the following in order to use this feature: Before you begin, review the considerations. For more information, see <>. -[[cni-network-policy-prereqs,cni-network-policy-prereqs.title]] +[#cni-network-policy-prereqs] == Prerequisites The following are prerequisites for the feature: -[[cni-network-policy-minimum,cni-network-policy-minimum.title]] +[#cni-network-policy-minimum] === Minimum cluster version An existing Amazon EKS cluster. To deploy one, see <>. The cluster must be [.noloc]`Kubernetes` version `1.25` or later. The cluster must be running one of the [.noloc]`Kubernetes` versions and platform versions listed in the following table. Note that any [.noloc]`Kubernetes` and platform versions later than those listed are also supported. You can check your current [.noloc]`Kubernetes` version by replacing [.replaceable]`my-cluster` in the following command with the name of your cluster and then running the modified command: @@ -53,7 +53,7 @@ aws eks describe-cluster |=== -[[cni-network-policy-minimum-vpc,cni-network-policy-minimum-vpc.title]] +[#cni-network-policy-minimum-vpc] === Minimum VPC CNI version Version `1.14` or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` on your cluster. You can see which version that you currently have with the following command. @@ -65,13 +65,13 @@ kubectl describe daemonset aws-node --namespace kube-system | grep amazon-k8s-cn If your version is earlier than `1.14`, see <> to upgrade to version `1.14` or later. -[[cni-network-policy-minimum-linux,cni-network-policy-minimum-linux.title]] +[#cni-network-policy-minimum-linux] === Minimum Linux kernel version Your nodes must have Linux kernel version `5.10` or later. You can check your kernel version with `uname -r`. If you're using the latest versions of the Amazon EKS optimized Amazon Linux, Amazon EKS optimized accelerated Amazon Linux AMIs, and Bottlerocket AMIs, they already have the required kernel version. The Amazon EKS optimized accelerated Amazon Linux AMI version `v20231116` or later have kernel version `5.10`. -[[cni-network-policy-configure-policy,cni-network-policy-configure-policy.title]] +[#cni-network-policy-configure-policy] == Step 1: Set up policy enforcement at [.noloc]`Pod` startup The [.noloc]`Amazon VPC CNI plugin for Kubernetes` configures network policies for pods in parallel with the pod provisioning. Until all of the policies are configured for the new pod, containers in the new pod will start with a _default allow policy_. This is called _standard mode_. A default allow policy means that all ingress and egress traffic is allowed to and from the new pods. For example, the pods will not have any firewall rules enforced (all traffic is allowed) until the new pod is updated with the active policies. @@ -88,14 +88,14 @@ env: ---- -[[enable-network-policy-parameter,enable-network-policy-parameter.title]] +[#enable-network-policy-parameter] == Step 2: Enable the network policy parameter for the add-on The network policy feature uses port `8162` on the node for metrics by default. Also, the feature used port `8163` for health probes. If you run another application on the nodes or inside pods that needs to use these ports, the app fails to run. In VPC CNI version `v1.14.1` or later, you can change these ports. Use the following procedure to enable the network policy parameter for the add-on. -[[cni-network-policy-console,cni-network-policy-console.title]] +[#cni-network-policy-console] === {aws-management-console} . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. @@ -121,7 +121,7 @@ The following example has network policy feature enabled and metrics and health } ---- -[[cni-network-helm,cni-network-helm.title]] +[#cni-network-helm] === Helm If you have installed the [.noloc]`Amazon VPC CNI plugin for Kubernetes` through `helm`, you can update the configuration to change the ports. @@ -133,7 +133,7 @@ If you have installed the [.noloc]`Amazon VPC CNI plugin for Kubernetes` through helm upgrade --set nodeAgent.metricsBindAddr=8162 --set nodeAgent.healthProbeBindAddr=8163 aws-vpc-cni --namespace kube-system eks/aws-vpc-cni ---- -[[cni-network-policy-kubectl,cni-network-policy-kubectl.title]] +[#cni-network-policy-kubectl] === [.noloc]`kubectl` . Open the `aws-node` `DaemonSet` in your editor. + @@ -151,7 +151,7 @@ kubectl edit daemonset -n kube-system aws-node ---- -[[cni-mount-bpf,cni-mount-bpf.title]] +[#cni-mount-bpf] == Step 3: Mount the Berkeley Packet Filter (BPF) file system on your nodes You must mount the Berkeley Packet Filter (BPF) file system on each of your nodes. @@ -173,18 +173,18 @@ sudo mount -t bpf bpffs /sys/fs/bpf . Then, add the same command to your user data in your launch template for your Amazon EC2 Auto Scaling Groups. -[[cni-network-policy-setup,cni-network-policy-setup.title]] +[#cni-network-policy-setup] == Step 4: Configure your cluster to use [.noloc]`Kubernetes` network policies Configure the cluster to use [.noloc]`Kubernetes` network policies. You can set this for an Amazon EKS add-on or self-managed add-on. -[[cni-network-policy-setup-procedure-add-on,cni-network-policy-setup-procedure-add-on.title]] +[#cni-network-policy-setup-procedure-add-on] .Amazon EKS add-on [%collapsible] ==== -[[cni-network-policy-setup-console,cni-network-policy-setup-console.title]] +[#cni-network-policy-setup-console] [discrete] === {aws-management-console} @@ -207,7 +207,7 @@ The following screenshot shows an example of this scenario. + image::images/console-cni-config-network-policy.png[{aws-management-console} showing the VPC CNI add-on with network policy in the optional configuration.,scaledwidth=80%] -[[cni-network-policy-setup-cli,cni-network-policy-setup-cli.title]] +[#cni-network-policy-setup-cli] [discrete] === {aws} CLI @@ -222,12 +222,12 @@ aws eks update-addon --cluster-name my-cluster --addon-name vpc-cni --addon-vers ==== -[[cni-network-policy-setup-procedure-self-managed-add-on,cni-network-policy-setup-procedure-self-managed-add-on.title]] +[#cni-network-policy-setup-procedure-self-managed-add-on] .Self-managed add-on [%collapsible] ==== -[[cni-network-policy-helm,cni-network-policy-helm.title]] +[#cni-network-policy-helm] [discrete] === Helm @@ -240,7 +240,7 @@ If you have installed the [.noloc]`Amazon VPC CNI plugin for Kubernetes` through helm upgrade --set enableNetworkPolicy=true aws-vpc-cni --namespace kube-system eks/aws-vpc-cni ---- -[[cni-network-policy-setup-kubectl,cni-network-policy-setup-kubectl.title]] +[#cni-network-policy-setup-kubectl] [discrete] === [.noloc]`kubectl` @@ -285,7 +285,7 @@ kubectl edit daemonset -n kube-system aws-node ==== -[[cni-network-policy-setup-procedure-confirm,cni-network-policy-setup-procedure-confirm.title]] +[#cni-network-policy-setup-procedure-confirm] == Step 5. Next steps After you complete the configuration, confirm that the `aws-node` pods are running on your cluster. diff --git a/latest/ug/networking/cni-network-policy.adoc b/latest/ug/networking/cni-network-policy.adoc index 429fa01ab..dd8f70099 100644 --- a/latest/ug/networking/cni-network-policy.adoc +++ b/latest/ug/networking/cni-network-policy.adoc @@ -1,5 +1,5 @@ [.topic] -[[cni-network-policy,cni-network-policy.title]] +[#cni-network-policy] = Limit [.noloc]`Pod` traffic with [.noloc]`Kubernetes` network policies :info_titleabbrev: Kubernetes policies @@ -33,7 +33,7 @@ Network policies in the [.noloc]`Amazon VPC CNI plugin for Kubernetes` are suppo * You can use network policies with _custom networking_ and _prefix delegation_. -[[cni-network-policy-considerations,cni-network-policy-considerations.title]] +[#cni-network-policy-considerations] == Considerations *Architecture* diff --git a/latest/ug/networking/coredns-add-on-create.adoc b/latest/ug/networking/coredns-add-on-create.adoc index ebf7a58c7..80494fafc 100644 --- a/latest/ug/networking/coredns-add-on-create.adoc +++ b/latest/ug/networking/coredns-add-on-create.adoc @@ -1,5 +1,5 @@ [.topic] -[[coredns-add-on-create,coredns-add-on-create.title]] +[#coredns-add-on-create] = Create the [.noloc]`CoreDNS` Amazon EKS add-on :info_titleabbrev: Create diff --git a/latest/ug/networking/coredns-add-on-self-managed-update.adoc b/latest/ug/networking/coredns-add-on-self-managed-update.adoc index 6577bf9dd..b9b164369 100644 --- a/latest/ug/networking/coredns-add-on-self-managed-update.adoc +++ b/latest/ug/networking/coredns-add-on-self-managed-update.adoc @@ -1,5 +1,5 @@ [.topic] -[[coredns-add-on-self-managed-update,coredns-add-on-self-managed-update.title]] +[#coredns-add-on-self-managed-update] = Update the [.noloc]`CoreDNS` Amazon EKS self-managed add-on :info_titleabbrev: Update (self-managed) diff --git a/latest/ug/networking/coredns-add-on-update.adoc b/latest/ug/networking/coredns-add-on-update.adoc index d7e29eb2b..ef88d67ca 100644 --- a/latest/ug/networking/coredns-add-on-update.adoc +++ b/latest/ug/networking/coredns-add-on-update.adoc @@ -1,5 +1,5 @@ [.topic] -[[coredns-add-on-update,coredns-add-on-update.title]] +[#coredns-add-on-update] = Update the [.noloc]`CoreDNS` Amazon EKS add-on :info_titleabbrev: Update (EKS add-on) diff --git a/latest/ug/networking/coredns-autoscaling.adoc b/latest/ug/networking/coredns-autoscaling.adoc index 375d40318..6d489f973 100644 --- a/latest/ug/networking/coredns-autoscaling.adoc +++ b/latest/ug/networking/coredns-autoscaling.adoc @@ -1,5 +1,5 @@ [.topic] -[[coredns-autoscaling,coredns-autoscaling.title]] +[#coredns-autoscaling] = Scale [.noloc]`CoreDNS Pods` for high DNS traffic :info_titleabbrev: Scale for high traffic @@ -16,7 +16,7 @@ To handle the increased load on the [.noloc]`CoreDNS` pods, consider an autoscal We recommend using this feature in conjunction with other https://aws.github.io/aws-eks-best-practices/cluster-autoscaling/[EKS Cluster Autoscaling best practices] to improve overall application availability and cluster scalability. -[[coredns-autoscaling-prereqs,coredns-autoscaling-prereqs.title]] +[#coredns-autoscaling-prereqs] == Prerequisites For Amazon EKS to scale your [.noloc]`CoreDNS` deployment, there are three prerequisites: @@ -28,7 +28,7 @@ For Amazon EKS to scale your [.noloc]`CoreDNS` deployment, there are three prere * Your cluster must be running at least the minimum version of the EKS Add-on of [.noloc]`CoreDNS`. -[[coredns-autoscaling-cluster-version,coredns-autoscaling-cluster-version.title]] +[#coredns-autoscaling-cluster-version] === Minimum cluster version Autoscaling of [.noloc]`CoreDNS` is done by a new component in the cluster control plane, managed by Amazon EKS. Because of this, you must upgrade your cluster to an EKS release that supports the minimum platform version that has the new component. @@ -71,7 +71,7 @@ Every platform version of later [.noloc]`Kubernetes` versions are also supported ==== -[[coredns-autoscaling-coredns-version,coredns-autoscaling-coredns-version.title]] +[#coredns-autoscaling-coredns-version] === Minimum EKS Add-on version [cols="1,1,1,1,1,1", options="header"] @@ -93,7 +93,7 @@ Every platform version of later [.noloc]`Kubernetes` versions are also supported |=== -[[coredns-autoscaling-console,coredns-autoscaling-console.title]] +[#coredns-autoscaling-console] .Configuring [.noloc]`CoreDNS` autoscaling in the {aws-management-console} [%collapsible] ==== @@ -188,7 +188,7 @@ If the rollout takes too long, Amazon EKS will undo the rollout, and a message w ==== -[[coredns-autoscaling-cli,coredns-autoscaling-cli.title]] +[#coredns-autoscaling-cli] .Configuring [.noloc]`CoreDNS` autoscaling in the {aws} Command Line Interface [%collapsible] ==== diff --git a/latest/ug/networking/coredns-metrics.adoc b/latest/ug/networking/coredns-metrics.adoc index 9a05e9f96..f02f471b3 100644 --- a/latest/ug/networking/coredns-metrics.adoc +++ b/latest/ug/networking/coredns-metrics.adoc @@ -1,5 +1,5 @@ [.topic] -[[coredns-metrics,coredns-metrics.title]] +[#coredns-metrics] = Monitor [.noloc]`Kubernetes` DNS resolution with [.noloc]`CoreDNS` metrics :info_titleabbrev: Monitor DNS resolution diff --git a/latest/ug/networking/creating-a-vpc.adoc b/latest/ug/networking/creating-a-vpc.adoc index 401685391..20551e01d 100644 --- a/latest/ug/networking/creating-a-vpc.adoc +++ b/latest/ug/networking/creating-a-vpc.adoc @@ -1,5 +1,5 @@ [.topic] -[[creating-a-vpc,creating-a-vpc.title]] +[#creating-a-vpc] = Create an Amazon VPC for your Amazon EKS cluster :info_titleabbrev: Create a VPC diff --git a/latest/ug/networking/deploy-ipv6-cluster.adoc b/latest/ug/networking/deploy-ipv6-cluster.adoc index 8ee10d2f4..0377562c7 100644 --- a/latest/ug/networking/deploy-ipv6-cluster.adoc +++ b/latest/ug/networking/deploy-ipv6-cluster.adoc @@ -1,5 +1,5 @@ [.topic] -[[deploy-ipv6-cluster,deploy-ipv6-cluster.title]] +[#deploy-ipv6-cluster] = Deploying an Amazon EKS `IPv6` cluster and managed Amazon Linux nodes :info_titleabbrev: Deploy @@ -20,7 +20,7 @@ Install and configure the following tools and resources that you need to create * Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. If you use the {aws} CloudShell, you may need to link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[install version 2.12.3 or later or 1.27.160 or later of the {aws} CLI,type="documentation"], because the default {aws} CLI version installed in the {aws} CloudShell may be an earlier version. -//[[deploy-ipv6-cluster-procedure,deploy-ipv6-cluster-procedure.title]] +//[#deploy-ipv6-cluster-procedure] //====== Procedure You can use the [.noloc]`eksctl` or CLI to deploy an `IPv6` cluster. diff --git a/latest/ug/networking/eks-networking-add-ons.adoc b/latest/ug/networking/eks-networking-add-ons.adoc index 88180098d..993366d7b 100644 --- a/latest/ug/networking/eks-networking-add-ons.adoc +++ b/latest/ug/networking/eks-networking-add-ons.adoc @@ -1,5 +1,5 @@ [.topic] -[[eks-networking-add-ons,eks-networking-add-ons.title]] +[#eks-networking-add-ons] = Manage networking add-ons for Amazon EKS clusters :info_titleabbrev: Manage networking add-ons @@ -23,7 +23,7 @@ Learn how to manage networking add-ons for your Amazon EKS cluster, including bu Several networking add-ons are available for your Amazon EKS cluster. -[[eks-networking-add-ons-built-in,eks-networking-add-ons-built-in.title]] +[#eks-networking-add-ons-built-in] == Built-in add-ons [NOTE] @@ -45,7 +45,7 @@ This CNI add-on creates elastic network interfaces and attaches them to your Ama This add-on maintains network rules on your Amazon EC2 nodes and enables network communication to your [.noloc]`Pods`. This add-on is installed, by default, on your cluster. For more information, see <>. -[[eks-networking-add-ons-optional,eks-networking-add-ons-optional.title]] +[#eks-networking-add-ons-optional] == Optional {aws} networking add-ons *[.noloc]`{aws} Load Balancer Controller`*:: diff --git a/latest/ug/networking/eks-networking.adoc b/latest/ug/networking/eks-networking.adoc index 7dd0961af..d6b9f56d5 100644 --- a/latest/ug/networking/eks-networking.adoc +++ b/latest/ug/networking/eks-networking.adoc @@ -1,4 +1,4 @@ -[[eks-networking,eks-networking.title]] +[#eks-networking] = Configure networking for Amazon EKS clusters :doctype: book :sectnums: diff --git a/latest/ug/networking/external-snat.adoc b/latest/ug/networking/external-snat.adoc index 6e279c757..cadf22263 100644 --- a/latest/ug/networking/external-snat.adoc +++ b/latest/ug/networking/external-snat.adoc @@ -1,5 +1,5 @@ [.topic] -[[external-snat,external-snat.title]] +[#external-snat] = Enable outbound internet access for [.noloc]`Pods` :info_titleabbrev: Outbound traffic @@ -46,7 +46,7 @@ The `AWS_VPC_K8S_CNI_EXTERNALSNAT` and `AWS_VPC_K8S_CNI_EXCLUDE_SNAT_CIDRS` CNI ==== -[[snat-exception,snat-exception.title]] +[#snat-exception] == Host networking {asterisk} If a [.noloc]`Pod's` spec contains `hostNetwork=true` (default is `false`), then its IP address isn't translated to a different address. This is the case for the `kube-proxy` and [.noloc]`Amazon VPC CNI plugin for Kubernetes` [.noloc]`Pods` that run on your cluster, by default. For these [.noloc]`Pods`, the IP address is the same as the node's primary IP address, so the [.noloc]`Pod's` IP address isn't translated. For more information about a [.noloc]`Pod's` `hostNetwork` setting, see https://kubernetes.io/docs/reference/generated/kubernetes-api/v{k8s-n}/#podspec-v1-core[PodSpec v1 core] in the [.noloc]`Kubernetes` API reference. diff --git a/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc b/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc index 4cf58e3fa..22f805dd4 100644 --- a/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc +++ b/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc @@ -1,5 +1,5 @@ [.topic] -[[kube-proxy-add-on-self-managed-update,kube-proxy-add-on-self-managed-update.title]] +[#kube-proxy-add-on-self-managed-update] = Update the Kubernetes `kube-proxy` self-managed add-on :info_titleabbrev: Update @@ -12,13 +12,13 @@ We recommend adding the Amazon EKS type of the add-on to your cluster instead of ==== -[[managing-kube-proxy-prereqs,managing-kube-proxy-prereqs.title]] +[#managing-kube-proxy-prereqs] == Prerequisites * An existing Amazon EKS cluster. To deploy one, see <>. -[[managing-kube-proxy-considerations,managing-kube-proxy-considerations.title]] +[#managing-kube-proxy-considerations] == Considerations * `Kube-proxy` on an Amazon EKS cluster has the same https://kubernetes.io/releases/version-skew-policy/#kube-proxy[compatibility and skew policy as Kubernetes]. Learn how to <>. diff --git a/latest/ug/networking/lbc-helm.adoc b/latest/ug/networking/lbc-helm.adoc index 32bf7abd8..5c62b9e57 100644 --- a/latest/ug/networking/lbc-helm.adoc +++ b/latest/ug/networking/lbc-helm.adoc @@ -1,7 +1,7 @@ [.topic] include::../attributes.txt[] -[[lbc-helm,lbc-helm.title]] +[#lbc-helm] = Install [.noloc]`{aws} Load Balancer Controller` with [.noloc]`Helm` :info_titleabbrev: Install with Helm @@ -21,7 +21,7 @@ This topic describes how to install the [.noloc]`{aws} Load Balancer Controller` In the following steps, replace the [.replaceable]`example values` with your own values. -[[lbc-prereqs,lbc-prereqs.title]] +[#lbc-prereqs] == Prerequisites Before starting this tutorial, you must install and configure the following tools and resources that you need to create and manage an Amazon EKS cluster. @@ -38,7 +38,7 @@ Before starting this tutorial, you must install and configure the following tool * https://helm.sh/docs/helm/helm_install/[Helm] installed locally. -[[lbc-helm-iam,lbc-helm-iam.title]] +[#lbc-helm-iam] == Step 1: Create IAM Role using `eksctl` [NOTE] @@ -104,7 +104,7 @@ eksctl create iamserviceaccount \ ---- -[[lbc-helm-install,lbc-helm-install.title]] +[#lbc-helm-install] == Step 2: Install [.noloc]`{aws} Load Balancer Controller` . Add the `eks-charts` Helm chart repository. {aws} maintains https://github.com/aws/eks-charts[this repository] on GitHub. @@ -154,7 +154,7 @@ kubectl apply -f crds.yaml ---- -[[lbc-helm-verify,lbc-helm-verify.title]] +[#lbc-helm-verify] == Step 3: Verify that the controller is installed . Verify that the controller is installed. + diff --git a/latest/ug/networking/lbc-manifest.adoc b/latest/ug/networking/lbc-manifest.adoc index c5cd75e5a..13589d880 100644 --- a/latest/ug/networking/lbc-manifest.adoc +++ b/latest/ug/networking/lbc-manifest.adoc @@ -1,5 +1,5 @@ [.topic] -[[lbc-manifest,lbc-manifest.title]] +[#lbc-manifest] include::../attributes.txt[] = Install [.noloc]`{aws} Load Balancer Controller` with manifests @@ -21,7 +21,7 @@ This topic describes how to install the controller by downloading and applying [ In the following steps, replace the [.replaceable]`example values` with your own values. -[[lbc-manifest-prereqs,lbc-manifest-prereqs.title]] +[#lbc-manifest-prereqs] == Prerequisites Before starting this tutorial, you must install and configure the following tools and resources that you need to create and manage an Amazon EKS cluster. @@ -35,7 +35,7 @@ Before starting this tutorial, you must install and configure the following tool * Familiarity with Kubernetes https://kubernetes.io/docs/concepts/services-networking/service/[service] and https://kubernetes.io/docs/concepts/services-networking/ingress/[ingress] resources. -[[lbc-iam,lbc-iam.title]] +[#lbc-iam] == Step 1: Configure IAM [NOTE] @@ -186,7 +186,7 @@ kubectl apply -f aws-load-balancer-controller-service-account.yaml ==== -[[lbc-cert,lbc-cert.title]] +[#lbc-cert] == Step 2: Install `cert-manager` // Not using `cert-manager` inline code in the cross-reference title because the underscore disrupts formatting. @@ -241,7 +241,7 @@ kubectl apply \ ==== -[[lbc-install,lbc-install.title]] +[#lbc-install] == Step 3: Install [.noloc]`{aws} Load Balancer Controller` . Download the controller specification. For more information about the controller, see the https://kubernetes-sigs.github.io/aws-load-balancer-controller/[documentation] on [.noloc]`GitHub`. + @@ -329,7 +329,7 @@ kubectl apply -f v2_11_0_ingclass.yaml ---- -[[lbc-verify,lbc-verify.title]] +[#lbc-verify] == Step 4: Verify that the controller is installed . Verify that the controller is installed. + diff --git a/latest/ug/networking/lbc-remove.adoc b/latest/ug/networking/lbc-remove.adoc index 252d5b5c9..59bbd590b 100644 --- a/latest/ug/networking/lbc-remove.adoc +++ b/latest/ug/networking/lbc-remove.adoc @@ -1,5 +1,5 @@ [.topic] -[[lbc-remove,lbc-remove.title]] +[#lbc-remove] = Migrate apps from deprecated ALB [.noloc]`Ingress Controller` :info_titleabbrev: Migrate from deprecated @@ -23,7 +23,7 @@ This topic describes how to migrate from deprecated controller versions. More sp ** Any `0.1.[.replaceable]``x``` version of the [.noloc]`{aws} Load Balancer Controller` -[[lbc-remove-desc,lbc-remove-desc.title]] +[#lbc-remove-desc] == Remove the deprecated controller version [NOTE] @@ -75,7 +75,7 @@ kubectl delete -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingr ---- -[[lbc-migrate,lbc-migrate.title]] +[#lbc-migrate] == Migrate to [.noloc]`{aws} Load Balancer Controller` To migrate from the ALB Ingress Controller for [.noloc]`Kubernetes` to the [.noloc]`{aws} Load Balancer Controller`, you need to: diff --git a/latest/ug/networking/managing-coredns.adoc b/latest/ug/networking/managing-coredns.adoc index c3425fbda..d2846f007 100644 --- a/latest/ug/networking/managing-coredns.adoc +++ b/latest/ug/networking/managing-coredns.adoc @@ -1,5 +1,5 @@ [.topic] -[[managing-coredns,managing-coredns.title]] +[#managing-coredns] = Manage CoreDNS for DNS in Amazon EKS clusters :info_titleabbrev: CoreDNS @@ -29,7 +29,7 @@ For more information, see <>. [.noloc]`CoreDNS` is a flexible, extensible DNS server that can serve as the [.noloc]`Kubernetes` cluster DNS. When you launch an Amazon EKS cluster with at least one node, two replicas of the [.noloc]`CoreDNS` image are deployed by default, regardless of the number of nodes deployed in your cluster. The [.noloc]`CoreDNS` [.noloc]`Pods` provide name resolution for all [.noloc]`Pods` in the cluster. The [.noloc]`CoreDNS` [.noloc]`Pods` can be deployed to Fargate nodes if your cluster includes a Fargate Profile with a namespace that matches the namespace for the [.noloc]`CoreDNS` `deployment`. For more information on Fargate Profiles, see <>. For more information about [.noloc]`CoreDNS`, see https://kubernetes.io/docs/tasks/administer-cluster/coredns/[Using CoreDNS for Service Discovery] in the [.noloc]`Kubernetes` documentation. -[[coredns-versions,coredns-versions.title]] +[#coredns-versions] == [.noloc]`CoreDNS` versions The following table lists the latest version of the Amazon EKS add-on type for each [.noloc]`Kubernetes` version. @@ -56,7 +56,7 @@ If you're self-managing this add-on, the versions in the table might not be the ==== -[[coredns-upgrade,coredns-upgrade.title]] +[#coredns-upgrade] == Important [.noloc]`CoreDNS` upgrade considerations * To improve the stability and availability of the [.noloc]`CoreDNS` [.noloc]`Deployment`, versions `v1.9.3-eksbuild.6` and later and `v1.10.1-eksbuild.3` are deployed with a `PodDisruptionBudget`. If you've deployed an existing `PodDisruptionBudget`, your upgrade to these versions might fail. If the upgrade fails, completing one of the following tasks should resolve the issue: @@ -104,7 +104,7 @@ topologySpreadConstraints: ---- -[[coredns-upgrade-1.11,coredns-upgrade-1.11.title]] +[#coredns-upgrade-1.11] === [.noloc]`CoreDNS` `v1.11` upgrade considerations * In EKS add-on versions `v1.11.1-eksbuild.4` and later, the container image is based on a https://gallery.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base[minimal base image] maintained by Amazon EKS Distro, which contains minimal packages and doesn't have shells. For more information, see https://distro.eks.amazonaws.com/[Amazon EKS Distro]. The usage and troubleshooting of the [.noloc]`CoreDNS` image remains the same. diff --git a/latest/ug/networking/managing-kube-proxy.adoc b/latest/ug/networking/managing-kube-proxy.adoc index 18e692c86..df25b964a 100644 --- a/latest/ug/networking/managing-kube-proxy.adoc +++ b/latest/ug/networking/managing-kube-proxy.adoc @@ -1,5 +1,5 @@ [.topic] -[[managing-kube-proxy,managing-kube-proxy.title]] +[#managing-kube-proxy] = Manage `kube-proxy` in Amazon EKS clusters :info_titleabbrev: kube-proxy @@ -29,7 +29,7 @@ The `kube-proxy` add-on is deployed on each Amazon EC2 node in your Amazon EKS c == Install as Amazon EKS Add-on -[[kube-proxy-versions,kube-proxy-versions.title]] +[#kube-proxy-versions] == `kube-proxy` versions The following table lists the latest version of the Amazon EKS add-on type for each [.noloc]`Kubernetes` version. @@ -59,7 +59,7 @@ If you're self-managing this add-on, the versions in the table might not be the ==== -[[managing-kube-proxy-images,managing-kube-proxy-images.title]] +[#managing-kube-proxy-images] == `kube-proxy` container image migration There are two types of the `kube-proxy` container image available for each Amazon EKS cluster version: diff --git a/latest/ug/networking/managing-vpc-cni.adoc b/latest/ug/networking/managing-vpc-cni.adoc index 7f91c6815..01e79c6c1 100644 --- a/latest/ug/networking/managing-vpc-cni.adoc +++ b/latest/ug/networking/managing-vpc-cni.adoc @@ -1,5 +1,5 @@ [.topic] -[[managing-vpc-cni,managing-vpc-cni.title]] +[#managing-vpc-cni] = Assign IPs to [.noloc]`Pods` with the Amazon VPC CNI :info_titleabbrev: Amazon VPC CNI @@ -41,7 +41,7 @@ A version of the add-on is deployed with each Fargate node in your cluster, but The following table lists the latest available version of the Amazon EKS add-on type for each [.noloc]`Kubernetes` version. -[[vpc-cni-latest-available-version,vpc-cni-latest-available-version.title]] +[#vpc-cni-latest-available-version] == [.noloc]`Amazon VPC CNI` versions [options="header"] @@ -74,7 +74,7 @@ To upgrade to VPC CNI v1.12.0 or later, you must upgrade to VPC CNI v1.7.0 first ==== -[[manage-vpc-cni-add-on-on-considerations,manage-vpc-cni-add-on-on-considerations.title]] +[#manage-vpc-cni-add-on-on-considerations] == Considerations The following are considerations for using the feature. diff --git a/latest/ug/networking/network-policies-troubleshooting.adoc b/latest/ug/networking/network-policies-troubleshooting.adoc index 0eff047d6..12a7d2c87 100644 --- a/latest/ug/networking/network-policies-troubleshooting.adoc +++ b/latest/ug/networking/network-policies-troubleshooting.adoc @@ -1,5 +1,5 @@ [.topic] -[[network-policies-troubleshooting,network-policies-troubleshooting.title]] +[#network-policies-troubleshooting] = Troubleshooting [.noloc]`Kubernetes` network policies For Amazon EKS :info_titleabbrev: Troubleshooting @@ -12,7 +12,7 @@ Learn how to troubleshoot and investigate network connections that use network p You can troubleshoot and investigate network connections that use network policies by reading the <> and by running tools from the <>. -[[network-policies-troubleshooting-flowlogs,network-policies-troubleshooting-flowlogs.title]] +[#network-policies-troubleshooting-flowlogs] == Network policy logs Whether connections are allowed or denied by a network policies is logged in _flow logs_. The network policy logs on each node include the flow logs for every pod that has a network policy. Network policy logs are stored at `/var/log/aws-routed-eni/network-policy-agent.log`. The following example is from a `network-policy-agent.log` file: @@ -33,7 +33,7 @@ Network policy logs require an additional 1 vCPU for the `aws-network-policy-age ==== -[[cni-network-policy-flowlogs-addon,cni-network-policy-flowlogs-addon.title]] +[#cni-network-policy-flowlogs-addon] === Amazon EKS add-on *{aws-management-console}*:: @@ -74,7 +74,7 @@ aws eks update-addon --cluster-name my-cluster --addon-name vpc-cni --addon-vers ---- -[[cni-network-policy-flowlogs-selfmanaged,cni-network-policy-flowlogs-selfmanaged.title]] +[#cni-network-policy-flowlogs-selfmanaged] === Self-managed add-on Helm:: @@ -108,14 +108,14 @@ kubectl edit daemonset -n kube-system aws-node ---- -[[network-policies-cloudwatchlogs,network-policies-cloudwatchlogs.title]] +[#network-policies-cloudwatchlogs] == Send network policy logs to Amazon CloudWatch Logs You can monitor the network policy logs using services such as Amazon CloudWatch Logs. You can use the following methods to send the network policy logs to CloudWatch Logs. For EKS clusters, the policy logs will be located under `/aws/eks/[.replaceable]``cluster-name``/cluster/` and for self-managed K8S clusters, the logs will be placed under `/aws/k8s-cluster/cluster/`. -[[network-policies-cwl-agent,network-policies-cwl-agent.title]] +[#network-policies-cwl-agent] === Send network policy logs with [.noloc]`Amazon VPC CNI plugin for Kubernetes` If you enable network policy, a second container is add to the `aws-node` pods for a _node agent_. This node agent can send the network policy logs to CloudWatch Logs. @@ -127,7 +127,7 @@ Only the network policy logs are sent by the node agent. Other logs made by the ==== -[[cni-network-policy-cwl-agent-prereqs,cni-network-policy-cwl-agent-prereqs.title]] +[#cni-network-policy-cwl-agent-prereqs] ==== Prerequisites * Add the following permissions as a stanza or separate policy to the IAM role that you are using for the VPC CNI. @@ -153,7 +153,7 @@ Only the network policy logs are sent by the node agent. Other logs made by the ---- -[[cni-network-policy-cwl-agent-addon,cni-network-policy-cwl-agent-addon.title]] +[#cni-network-policy-cwl-agent-addon] ==== Amazon EKS add-on *{aws-management-console}*:: @@ -196,7 +196,7 @@ aws eks update-addon --cluster-name my-cluster --addon-name vpc-cni --addon-vers ---- -[[cni-network-policy-cwl-agent-selfmanaged,cni-network-policy-cwl-agent-selfmanaged.title]] +[#cni-network-policy-cwl-agent-selfmanaged] ==== Self-managed add-on Helm:: @@ -228,7 +228,7 @@ kubectl edit daemonset -n kube-system aws-node ---- -[[network-policies-cwl-fluentbit,network-policies-cwl-fluentbit.title]] +[#network-policies-cwl-fluentbit] === Send network policy logs with a [.noloc]`Fluent Bit` daemonset If you are using [.noloc]`Fluent Bit` in a daemonset to send logs from your nodes, you can add configuration to include the network policy logs from network policies. You can use the following example configuration: @@ -247,7 +247,7 @@ If you are using [.noloc]`Fluent Bit` in a daemonset to send logs from your node ---- -[[network-policies-ebpf-sdk,network-policies-ebpf-sdk.title]] +[#network-policies-ebpf-sdk] == Included [.noloc]`eBPF` SDK The [.noloc]`Amazon VPC CNI plugin for Kubernetes` installs [.noloc]`eBPF` SDK collection of tools on the nodes. You can use the [.noloc]`eBPF` SDK tools to identify issues with network policies. For example, the following command lists the programs that are running on the node. diff --git a/latest/ug/networking/network-policy-disable.adoc b/latest/ug/networking/network-policy-disable.adoc index ed0557f2b..4d2a6e731 100644 --- a/latest/ug/networking/network-policy-disable.adoc +++ b/latest/ug/networking/network-policy-disable.adoc @@ -1,5 +1,5 @@ [.topic] -[[network-policy-disable,network-policy-disable.title]] +[#network-policy-disable] = Disable [.noloc]`Kubernetes` network policies for Amazon EKS Pod network traffic :info_titleabbrev: Disable diff --git a/latest/ug/networking/network-policy-stars-demo.adoc b/latest/ug/networking/network-policy-stars-demo.adoc index cc5cdf1dd..ae4b2a558 100644 --- a/latest/ug/networking/network-policy-stars-demo.adoc +++ b/latest/ug/networking/network-policy-stars-demo.adoc @@ -1,5 +1,5 @@ [.topic] -[[network-policy-stars-demo,network-policy-stars-demo.title]] +[#network-policy-stars-demo] = Stars demo of network policy for Amazon EKS :info_titleabbrev: Stars policy demo diff --git a/latest/ug/networking/network-reqs.adoc b/latest/ug/networking/network-reqs.adoc index 96d02dd6a..a89c10e65 100644 --- a/latest/ug/networking/network-reqs.adoc +++ b/latest/ug/networking/network-reqs.adoc @@ -1,5 +1,5 @@ [.topic] -[[network-reqs,network-reqs.title]] +[#network-reqs] = View Amazon EKS networking requirements for VPC and subnets :info_titleabbrev: VPC and subnet requirements @@ -12,7 +12,7 @@ Learn how to configure the VPC and subnets to meet networking requirements for c When you create a cluster, you specify a link:vpc/latest/userguide/configure-your-vpc.html[VPC,type="documentation"] and at least two subnets that are in different Availability Zones. This topic provides an overview of Amazon EKS specific requirements and considerations for the VPC and subnets that you use with your cluster. If you don't have a VPC to use with Amazon EKS, see <>. If you're creating a local or extended cluster on {aws} Outposts, see <> instead of this topic. The content in this topic applies for Amazon EKS clusters with hybrid nodes. For additional networking requirements for hybrid nodes, see <>. -[[network-requirements-vpc,network-requirements-vpc.title]] +[#network-requirements-vpc] == VPC requirements and considerations When you create a cluster, the VPC that you specify must meet the following requirements and considerations: @@ -53,14 +53,14 @@ If you created a cluster with [.noloc]`Kubernetes` `1.14` or earlier, Amazon EKS This tag was only used by Amazon EKS. You can remove the tag without impacting your services. It's not used with clusters that are version `1.15` or later. -[[network-requirements-subnets,network-requirements-subnets.title]] +[#network-requirements-subnets] == Subnet requirements and considerations When you create a cluster, Amazon EKS creates 2–4 link:AWSEC2/latest/UserGuide/using-eni.html[elastic network interfaces,type="documentation"] in the subnets that you specify. These network interfaces enable communication between your cluster and your VPC. These network interfaces also enable [.noloc]`Kubernetes` features such as `kubectl exec` and `kubectl logs`. Each Amazon EKS created network interface has the text `Amazon EKS [.replaceable]``cluster-name``` in its description. Amazon EKS can create its network interfaces in any subnet that you specify when you create a cluster. You can change which subnets Amazon EKS creates its network interfaces in after your cluster is created. When you update the [.noloc]`Kubernetes` version of a cluster, Amazon EKS deletes the original network interfaces that it created, and creates new network interfaces. These network interfaces might be created in the same subnets as the original network interfaces or in different subnets than the original network interfaces. To control which subnets network interfaces are created in, you can limit the number of subnets you specify to only two when you create a cluster or update the subnets after creating the cluster. -[[cluster-subnets,cluster-subnets.title]] +[#cluster-subnets] === Subnet requirements for clusters The link:vpc/latest/userguide/configure-subnets.html#subnet-types[subnets,type="documentation"] that you specify when you create or update a cluster must meet the following requirements: @@ -197,7 +197,7 @@ Functionality can differ depending on the [.noloc]`IP family` (`ipFamily`) setti ==== -[[node-subnet-reqs,node-subnet-reqs.title]] +[#node-subnet-reqs] === Subnet requirements for nodes You can deploy nodes and [.noloc]`Kubernetes` resources to the same subnets that you specify when you create your cluster. However, this isn't necessary. This is because you can also deploy nodes and [.noloc]`Kubernetes` resources to subnets that you didn't specify when you created the cluster. If you deploy nodes to different subnets, Amazon EKS doesn't create cluster network interfaces in those subnets. Any subnet that you deploy nodes and [.noloc]`Kubernetes` resources to must meet the following requirements: @@ -263,7 +263,7 @@ This change impacts new node groups that are deployed to public subnets in the f * *link:eks/latest/userguide/launch-workers.html[Linux,type="documentation"], link:eks/latest/userguide/launch-windows-workers.html[Windows,type="documentation"], or link:eks/latest/userguide/arm-ami.html[Arm,type="documentation"] self-managed node groups* – If the node group is deployed to a public subnet on or after March 26, 2020, automatic assignment of public IP addresses must be enabled for the public subnet. Otherwise, the nodes must be launched with a public IP address instead. For more information, see link:vpc/latest/userguide/vpc-ip-addressing.html#subnet-public-ip[Modifying the public IPv4 addressing attribute for your subnet,type="documentation"] or link:vpc/latest/userguide/vpc-ip-addressing.html#vpc-public-ip[Assigning a public IPv4 address during instance launch,type="documentation"]. -[[network-requirements-shared,network-requirements-shared.title]] +[#network-requirements-shared] == Shared subnet requirements and considerations You can use _VPC sharing_ to share subnets with other {aws} accounts within the same {aws} Organizations. You can create Amazon EKS clusters in shared subnets, with the following considerations: diff --git a/latest/ug/networking/pod-multiple-network-interfaces.adoc b/latest/ug/networking/pod-multiple-network-interfaces.adoc index 0d038ddc5..507ef93fb 100644 --- a/latest/ug/networking/pod-multiple-network-interfaces.adoc +++ b/latest/ug/networking/pod-multiple-network-interfaces.adoc @@ -1,5 +1,5 @@ [.topic] -[[pod-multiple-network-interfaces,pod-multiple-network-interfaces.title]] +[#pod-multiple-network-interfaces] = Attach multiple network interfaces to [.noloc]`Pods` with [.noloc]`Multus` :info_titleabbrev: Multiple interfaces diff --git a/latest/ug/networking/pod-networking-use-cases.adoc b/latest/ug/networking/pod-networking-use-cases.adoc index acde06534..fc7d1549a 100644 --- a/latest/ug/networking/pod-networking-use-cases.adoc +++ b/latest/ug/networking/pod-networking-use-cases.adoc @@ -1,5 +1,5 @@ [.topic] -[[pod-networking-use-cases,pod-networking-use-cases.title]] +[#pod-networking-use-cases] = Learn about VPC CNI modes and configuration :info_titleabbrev: Modes and configuration diff --git a/latest/ug/networking/sec-group-reqs.adoc b/latest/ug/networking/sec-group-reqs.adoc index 18db6c923..1d52f1d01 100644 --- a/latest/ug/networking/sec-group-reqs.adoc +++ b/latest/ug/networking/sec-group-reqs.adoc @@ -1,5 +1,5 @@ [.topic] -[[sec-group-reqs,sec-group-reqs.title]] +[#sec-group-reqs] = View Amazon EKS security group requirements for clusters :info_titleabbrev: Security group requirements @@ -12,7 +12,7 @@ Learn how to manage security groups for Amazon EKS clusters, including default r This topic describes the security group requirements of an Amazon EKS cluster. -[[security-group-default-rules,security-group-default-rules.title]] +[#security-group-default-rules] == Default cluster security group When you create a cluster, Amazon EKS creates a security group that's named `eks-cluster-sg-[.replaceable]``my-cluster``-[.replaceable]``uniqueID```. This security group has the following default rules: @@ -81,7 +81,7 @@ aws eks describe-cluster --name my-cluster --query cluster.resourcesVpcConfig.cl ---- -[[security-group-restricting-cluster-traffic,security-group-restricting-cluster-traffic.title]] +[#security-group-restricting-cluster-traffic] == Restricting cluster traffic If you need to limit the open ports between the cluster and nodes, you can remove the <> and add the following minimum rules that are required for the cluster. If you remove the <>, Amazon EKS recreates it whenever the cluster is updated. diff --git a/latest/ug/networking/security-groups-for-pods.adoc b/latest/ug/networking/security-groups-for-pods.adoc index d1f92b5cd..3420350fd 100644 --- a/latest/ug/networking/security-groups-for-pods.adoc +++ b/latest/ug/networking/security-groups-for-pods.adoc @@ -1,5 +1,5 @@ [.topic] -[[security-groups-for-pods,security-groups-for-pods.title]] +[#security-groups-for-pods] = Assign security groups to individual [.noloc]`Pods` :info_titleabbrev: Security groups for Pods @@ -20,7 +20,7 @@ Learn how to configure security groups for [.noloc]`Pods` on Amazon EKS, integra Security groups for [.noloc]`Pods` integrate Amazon EC2 security groups with [.noloc]`Kubernetes` [.noloc]`Pods`. You can use Amazon EC2 security groups to define rules that allow inbound and outbound network traffic to and from [.noloc]`Pods` that you deploy to nodes running on many Amazon EC2 instance types and Fargate. For a detailed explanation of this capability, see the link:containers/introducing-security-groups-for-pods[Introducing security groups for Pods,type="blog"] blog post. -[[security-groups-for-pods-compatability,security-groups-for-pods-compatability.title]] +[#security-groups-for-pods-compatability] == Compatibility with [.noloc]`Amazon VPC CNI plugin for Kubernetes` features You can use security groups for [.noloc]`Pods` with the following features: @@ -32,7 +32,7 @@ You can use security groups for [.noloc]`Pods` with the following features: * Restricting traffic using [.noloc]`Kubernetes` network policies - For more information, see <>. -[[sg-pods-considerations,sg-pods-considerations.title]] +[#sg-pods-considerations] == Considerations Before deploying security groups for [.noloc]`Pods`, consider the following limitations and conditions: diff --git a/latest/ug/networking/security-groups-pods-deployment.adoc b/latest/ug/networking/security-groups-pods-deployment.adoc index cdd1ff08c..0c7957f15 100644 --- a/latest/ug/networking/security-groups-pods-deployment.adoc +++ b/latest/ug/networking/security-groups-pods-deployment.adoc @@ -1,5 +1,5 @@ [.topic] -[[security-groups-pods-deployment,security-groups-pods-deployment.title]] +[#security-groups-pods-deployment] = Configure the [.noloc]`Amazon VPC CNI plugin for Kubernetes` for security groups for Amazon EKS [.noloc]`Pods` :info_titleabbrev: Configure diff --git a/latest/ug/networking/sg-pods-example-deployment.adoc b/latest/ug/networking/sg-pods-example-deployment.adoc index 8b92eef49..7e8b3a63c 100644 --- a/latest/ug/networking/sg-pods-example-deployment.adoc +++ b/latest/ug/networking/sg-pods-example-deployment.adoc @@ -1,5 +1,5 @@ [.topic] -[[sg-pods-example-deployment,sg-pods-example-deployment.title]] +[#sg-pods-example-deployment] = Use a security group policy for an Amazon EKS [.noloc]`Pod` :info_titleabbrev: SecurityGroupPolicy diff --git a/latest/ug/networking/vpc-add-on-create.adoc b/latest/ug/networking/vpc-add-on-create.adoc index 08cdc34e2..151290053 100644 --- a/latest/ug/networking/vpc-add-on-create.adoc +++ b/latest/ug/networking/vpc-add-on-create.adoc @@ -1,5 +1,5 @@ [.topic] -[[vpc-add-on-create,vpc-add-on-create.title]] +[#vpc-add-on-create] = Create the Amazon VPC CNI (Amazon EKS add-on) :info_titleabbrev: Create @@ -10,7 +10,7 @@ Use the following steps to create the [.noloc]`Amazon VPC CNI plugin for Kuberne Before you begin, review the considerations. For more information, see <>. -[[vpc-add-on-create-prerequisites,vpc-add-on-create-prerequisites.title]] +[#vpc-add-on-create-prerequisites] == Prerequisites The following are prerequisites for the [.noloc]`Amazon VPC CNI plugin for Kubernetes` Amazon EKS add-on. @@ -30,7 +30,7 @@ The following are prerequisites for the [.noloc]`Amazon VPC CNI plugin for Kuber ==== -[[vpc-add-on-create-procedure,vpc-add-on-create-procedure.title]] +[#vpc-add-on-create-procedure] == Procedure After you complete the prerequisites, use the following steps to create the add-on. diff --git a/latest/ug/networking/vpc-add-on-self-managed-update.adoc b/latest/ug/networking/vpc-add-on-self-managed-update.adoc index 62144e749..a65eeb6ce 100644 --- a/latest/ug/networking/vpc-add-on-self-managed-update.adoc +++ b/latest/ug/networking/vpc-add-on-self-managed-update.adoc @@ -1,5 +1,5 @@ [.topic] -[[vpc-add-on-self-managed-update,vpc-add-on-self-managed-update.title]] +[#vpc-add-on-self-managed-update] = Update the Amazon VPC CNI (self-managed add-on) :info_titleabbrev: Update (self-managed) diff --git a/latest/ug/networking/vpc-add-on-update.adoc b/latest/ug/networking/vpc-add-on-update.adoc index bd441fdcd..42605b93a 100644 --- a/latest/ug/networking/vpc-add-on-update.adoc +++ b/latest/ug/networking/vpc-add-on-update.adoc @@ -1,5 +1,5 @@ [.topic] -[[vpc-add-on-update,vpc-add-on-update.title]] +[#vpc-add-on-update] = Update the Amazon VPC CNI (Amazon EKS add-on) :info_titleabbrev: Update (EKS add-on) diff --git a/latest/ug/nodes/al2023.adoc b/latest/ug/nodes/al2023.adoc index 70166c24d..23ed063be 100644 --- a/latest/ug/nodes/al2023.adoc +++ b/latest/ug/nodes/al2023.adoc @@ -1,5 +1,5 @@ [.topic] -[[al2023,al2023.title]] +[#al2023] = Upgrade from Amazon Linux 2 to Amazon Linux 2023 :info_titleabbrev: Upgrade to AL2023 diff --git a/latest/ug/nodes/auto-get-logs.adoc b/latest/ug/nodes/auto-get-logs.adoc index fa4fec8f0..b3004e420 100644 --- a/latest/ug/nodes/auto-get-logs.adoc +++ b/latest/ug/nodes/auto-get-logs.adoc @@ -1,5 +1,5 @@ [.topic] -[[auto-get-logs,auto-get-logs.title]] +[#auto-get-logs] = Retrieve node logs for a managed node using kubectl and S3 :info_titleabbrev: Get node logs diff --git a/latest/ug/nodes/bottlerocket-compliance-support.adoc b/latest/ug/nodes/bottlerocket-compliance-support.adoc index 4f04f11b5..37deb2cf7 100644 --- a/latest/ug/nodes/bottlerocket-compliance-support.adoc +++ b/latest/ug/nodes/bottlerocket-compliance-support.adoc @@ -1,5 +1,5 @@ [.topic] -[[bottlerocket-compliance-support,bottlerocket-compliance-support.title]] +[#bottlerocket-compliance-support] = Meet compliance requirements with [.noloc]`Bottlerocket` :info_titleabbrev: Compliance support diff --git a/latest/ug/nodes/choosing-instance-type.adoc b/latest/ug/nodes/choosing-instance-type.adoc index ea409218e..94ce89dd4 100644 --- a/latest/ug/nodes/choosing-instance-type.adoc +++ b/latest/ug/nodes/choosing-instance-type.adoc @@ -1,5 +1,5 @@ [.topic] -[[choosing-instance-type,choosing-instance-type.title]] +[#choosing-instance-type] = Choose an optimal Amazon EC2 node instance type :info_titleabbrev: Amazon EC2 instance types :keywords: choose, select, instance, type, family, group, max-pods, max pods, maximum pods @@ -60,7 +60,7 @@ Not all instance types are available in all {aws} Regions. If you're using security groups for [.noloc]`Pods`, only specific instance types are supported. For more information, see <>. -[[determine-max-pods,determine-max-pods.title]] +[#determine-max-pods] == Amazon EKS recommended maximum [.noloc]`Pods` for each Amazon EC2 instance type Since each [.noloc]`Pod` is assigned its own IP address, the number of IP addresses supported by an instance type is a factor in determining the number of [.noloc]`Pods` that can run on the instance. Amazon EKS provides a script that you can download and run to determine the Amazon EKS recommended maximum number of [.noloc]`Pods` to run on each instance type. The script uses hardware attributes of each instance, and configuration options, to determine the maximum [.noloc]`Pods` number. You can use the number returned in these steps to enable capabilities such as <> and <>. If you're using a managed node group with multiple instance types, use a value that would work for all instance types. diff --git a/latest/ug/nodes/create-managed-node-group.adoc b/latest/ug/nodes/create-managed-node-group.adoc index 9d05e083c..c054c55ce 100644 --- a/latest/ug/nodes/create-managed-node-group.adoc +++ b/latest/ug/nodes/create-managed-node-group.adoc @@ -1,5 +1,5 @@ [.topic] -[[create-managed-node-group,create-managed-node-group.title]] +[#create-managed-node-group] = Create a managed node group for your cluster :info_titleabbrev: Create diff --git a/latest/ug/nodes/delete-fargate-profile.adoc b/latest/ug/nodes/delete-fargate-profile.adoc index 3fbd71020..84f494d15 100644 --- a/latest/ug/nodes/delete-fargate-profile.adoc +++ b/latest/ug/nodes/delete-fargate-profile.adoc @@ -1,5 +1,5 @@ [.topic] -[[delete-fargate-profile,delete-fargate-profile.title]] +[#delete-fargate-profile] = Delete a Fargate profile :info_titleabbrev: Delete profiles diff --git a/latest/ug/nodes/delete-managed-node-group.adoc b/latest/ug/nodes/delete-managed-node-group.adoc index 3e8edce71..abea8cbec 100644 --- a/latest/ug/nodes/delete-managed-node-group.adoc +++ b/latest/ug/nodes/delete-managed-node-group.adoc @@ -1,5 +1,5 @@ [.topic] -[[delete-managed-node-group,delete-managed-node-group.title]] +[#delete-managed-node-group] = Delete a managed node group from your cluster :info_titleabbrev: Delete diff --git a/latest/ug/nodes/dockershim-deprecation.adoc b/latest/ug/nodes/dockershim-deprecation.adoc index 4be5a5078..cf3010f34 100644 --- a/latest/ug/nodes/dockershim-deprecation.adoc +++ b/latest/ug/nodes/dockershim-deprecation.adoc @@ -1,5 +1,5 @@ [.topic] -[[dockershim-deprecation,dockershim-deprecation.title]] +[#dockershim-deprecation] = Migrate from `dockershim` to `containerd` :info_titleabbrev: Dockershim deprecation @@ -46,7 +46,7 @@ If the output is `0`, then run either of the following commands to activate the For the setting's activation on Amazon EKS AMIs for Amazon Linux 2 in the `containerd` runtime, see `https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/provisioners/install-worker.sh[install-worker.sh]` on [.noloc]`GitHub`. -[[containerd-bootstrap,containerd-bootstrap.title]] +[#containerd-bootstrap] == Test Amazon Linux 2 migration from [.noloc]`Docker` to `containerd` For [.noloc]`Kubernetes` version `1.23`, you can use an optional bootstrap flag to enable the `containerd` runtime for Amazon EKS optimized AL2 AMIs. This feature gives you a clear path to migrate to `containerd` when updating to version `1.24` or later. Amazon EKS ended support for [.noloc]`Docker` starting with the [.noloc]`Kubernetes` version `1.24` launch. The `containerd` runtime is widely adopted in the [.noloc]`Kubernetes` community and is a graduated project with the CNCF. You can test it by adding a node group to a new or existing cluster. diff --git a/latest/ug/nodes/eks-ami-build-scripts.adoc b/latest/ug/nodes/eks-ami-build-scripts.adoc index 3ad3f1149..f1e78552b 100644 --- a/latest/ug/nodes/eks-ami-build-scripts.adoc +++ b/latest/ug/nodes/eks-ami-build-scripts.adoc @@ -1,5 +1,5 @@ [.topic] -[[eks-ami-build-scripts,eks-ami-build-scripts.title]] +[#eks-ami-build-scripts] = Build a custom Amazon Linux AMI with a script :info_titleabbrev: Custom builds diff --git a/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc b/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc index c79e26578..8610760c0 100644 --- a/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc +++ b/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc @@ -1,5 +1,5 @@ [.topic] -[[eks-ami-versions-bottlerocket,eks-ami-versions-bottlerocket.title]] +[#eks-ami-versions-bottlerocket] = Retrieve [.noloc]`Bottlerocket` AMI version information :info_titleabbrev: Get version information diff --git a/latest/ug/nodes/eks-ami-versions-windows.adoc b/latest/ug/nodes/eks-ami-versions-windows.adoc index 2138a1e19..a7ba024a3 100644 --- a/latest/ug/nodes/eks-ami-versions-windows.adoc +++ b/latest/ug/nodes/eks-ami-versions-windows.adoc @@ -1,5 +1,5 @@ [.topic] -[[eks-ami-versions-windows,eks-ami-versions-windows.title]] +[#eks-ami-versions-windows] = Retrieve [.noloc]`Windows` AMI version information :info_titleabbrev: Get version information @@ -35,7 +35,7 @@ Amazon EKS managed node groups support the November 2022 and later releases of t ==== -[[eks-ami-versions-windows-2022-core,eks-ami-versions-windows-2022-core.title]] +[#eks-ami-versions-windows-2022-core] == Amazon EKS optimized [.noloc]`Windows` Server 2022 Core AMI The following tables list the current and previous versions of the Amazon EKS optimized [.noloc]`Windows` Server 2022 Core AMI. @@ -1114,7 +1114,7 @@ The following tables list the current and previous versions of the Amazon EKS op |=== ==== -[[eks-ami-versions-windows-2022-full,eks-ami-versions-windows-2022-full.title]] +[#eks-ami-versions-windows-2022-full] == Amazon EKS optimized [.noloc]`Windows` Server 2022 Full AMI The following tables list the current and previous versions of the Amazon EKS optimized [.noloc]`Windows` Server 2022 Full AMI. @@ -2202,7 +2202,7 @@ The following tables list the current and previous versions of the Amazon EKS op |=== ==== -[[eks-ami-versions-windows-2019-core,eks-ami-versions-windows-2019-core.title]] +[#eks-ami-versions-windows-2019-core] == Amazon EKS optimized [.noloc]`Windows` Server 2019 Core AMI The following tables list the current and previous versions of the Amazon EKS optimized [.noloc]`Windows` Server 2019 Core AMI. @@ -3290,7 +3290,7 @@ The following tables list the current and previous versions of the Amazon EKS op |=== ==== -[[eks-ami-versions-windows-2019-full,eks-ami-versions-windows-2019-full.title]] +[#eks-ami-versions-windows-2019-full] == Amazon EKS optimized [.noloc]`Windows` Server 2019 Full AMI The following tables list the current and previous versions of the Amazon EKS optimized [.noloc]`Windows` Server 2019 Full AMI. diff --git a/latest/ug/nodes/eks-compute.adoc b/latest/ug/nodes/eks-compute.adoc index e532fc6f4..836ab339f 100644 --- a/latest/ug/nodes/eks-compute.adoc +++ b/latest/ug/nodes/eks-compute.adoc @@ -1,4 +1,4 @@ -[[eks-compute,eks-compute.title]] +[#eks-compute] = Manage compute resources by using nodes :doctype: book :sectnums: diff --git a/latest/ug/nodes/eks-custom-ami-windows.adoc b/latest/ug/nodes/eks-custom-ami-windows.adoc index f061d5194..309f4678c 100644 --- a/latest/ug/nodes/eks-custom-ami-windows.adoc +++ b/latest/ug/nodes/eks-custom-ami-windows.adoc @@ -1,5 +1,5 @@ [.topic] -[[eks-custom-ami-windows,eks-custom-ami-windows.title]] +[#eks-custom-ami-windows] = Build a custom [.noloc]`Windows` AMI with Image Builder :info_titleabbrev: Custom builds @@ -34,7 +34,7 @@ The following *Amazon-managed* components for `eks` include patches for `CVE-202 ==== -[[custom-windows-ami-as-base,custom-windows-ami-as-base.title]] +[#custom-windows-ami-as-base] == Using an Amazon EKS optimized [.noloc]`Windows` AMI as a base This option is the recommended way to build your custom [.noloc]`Windows` AMIs. The Amazon EKS optimized [.noloc]`Windows` AMIs we provide are more frequently updated than the Amazon-managed build component. @@ -60,7 +60,7 @@ This option is the recommended way to build your custom [.noloc]`Windows` AMIs. . Use the new image recipe in a new or existing image pipeline. Once your image pipeline runs successfully, your custom AMI will be listed as an output image and is ready for use. For more information, see link:imagebuilder/latest/userguide/start-build-image-pipeline.html[Create an image pipeline using the EC2 Image Builder console wizard,type="documentation"]. -[[custom-windows-ami-build-component,custom-windows-ami-build-component.title]] +[#custom-windows-ami-build-component] == Using the Amazon-managed build component When using an Amazon EKS optimized [.noloc]`Windows` AMI as a base isn't viable, you can use the Amazon-managed build component instead. This option may lag behind the most recent supported [.noloc]`Kubernetes` versions. @@ -100,7 +100,7 @@ NOTE: The following `eks-optimized-ami-windows` build component versions require . Use the new image recipe in a new or existing image pipeline. Once your image pipeline runs successfully, your custom AMI will be listed as an output image and is ready for use. For more information, see link:imagebuilder/latest/userguide/start-build-image-pipeline.html[Create an image pipeline using the EC2 Image Builder console wizard,type="documentation"]. -[[custom-windows-ami-component-versions,custom-windows-ami-component-versions.title]] +[#custom-windows-ami-component-versions] == Retrieving information about `eks-optimized-ami-windows` component versions You can retrieve specific information regarding what is installed with each component. For example, you can verify what `kubelet` version is installed. The components go through functional testing on the Amazon EKS supported [.noloc]`Windows` operating systems versions. For more information, see <>. Any other [.noloc]`Windows` OS versions that aren't listed as supported or have reached end of support might not be compatible with the component. diff --git a/latest/ug/nodes/eks-linux-ami-versions.adoc b/latest/ug/nodes/eks-linux-ami-versions.adoc index e443734ae..fd9d03e2f 100644 --- a/latest/ug/nodes/eks-linux-ami-versions.adoc +++ b/latest/ug/nodes/eks-linux-ami-versions.adoc @@ -1,5 +1,5 @@ [.topic] -[[eks-linux-ami-versions,eks-linux-ami-versions.title]] +[#eks-linux-ami-versions] = Retrieve Amazon Linux AMI version information :info_titleabbrev: Get version information diff --git a/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc b/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc index 76cf9f4e4..ab61883b4 100644 --- a/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc +++ b/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc @@ -1,5 +1,5 @@ [.topic] -[[eks-optimized-ami-bottlerocket,eks-optimized-ami-bottlerocket.title]] +[#eks-optimized-ami-bottlerocket] = Create nodes with optimized [.noloc]`Bottlerocket` AMIs :info_titleabbrev: Bottlerocket @@ -12,7 +12,7 @@ include::../attributes.txt[] link:bottlerocket/[Bottlerocket,type="marketing"] is an open source [.noloc]`Linux` distribution that's sponsored and supported by {aws}. [.noloc]`Bottlerocket` is purpose-built for hosting container workloads. With [.noloc]`Bottlerocket`, you can improve the availability of containerized deployments and reduce operational costs by automating updates to your container infrastructure. [.noloc]`Bottlerocket` includes only the essential software to run containers, which improves resource usage, reduces security threats, and lowers management overhead. The [.noloc]`Bottlerocket` AMI includes `containerd`, `kubelet`, and {aws} IAM Authenticator. In addition to managed node groups and self-managed nodes, [.noloc]`Bottlerocket` is also supported by https://karpenter.sh/[Karpenter]. -[[bottlerocket-advantages,bottlerocket-advantages.title]] +[#bottlerocket-advantages] == Advantages Using [.noloc]`Bottlerocket` with your Amazon EKS cluster has the following advantages: @@ -24,7 +24,7 @@ Using [.noloc]`Bottlerocket` with your Amazon EKS cluster has the following adva * *Premium support* – {aws} provided builds of [.noloc]`Bottlerocket` on Amazon EC2 is covered under the same {aws} Support plans that also cover {aws} services such as Amazon EC2, Amazon EKS, and Amazon ECR. -[[bottlerocket-considerations,bottlerocket-considerations.title]] +[#bottlerocket-considerations] == Considerations Consider the following when using [.noloc]`Bottlerocket` for your AMI type: @@ -43,7 +43,7 @@ Consider the following when using [.noloc]`Bottlerocket` for your AMI type: ** If an SSH key is given when creating the node group, an admin container is enabled. We recommend using the admin container only for development and testing scenarios. We don't recommend using it for production environments. For more information, see https://github.com/bottlerocket-os/bottlerocket/blob/develop/README.md#admin-container[Admin container] on [.noloc]`GitHub`. -[[bottlerocket-more-information,bottlerocket-more-information.title]] +[#bottlerocket-more-information] == More information For more information about using Amazon EKS optimized [.noloc]`Bottlerocket` AMIs, see the following sections: diff --git a/latest/ug/nodes/eks-optimized-ami.adoc b/latest/ug/nodes/eks-optimized-ami.adoc index be28840ee..40a2f27c0 100644 --- a/latest/ug/nodes/eks-optimized-ami.adoc +++ b/latest/ug/nodes/eks-optimized-ami.adoc @@ -1,5 +1,5 @@ [.topic] -[[eks-optimized-ami,eks-optimized-ami.title]] +[#eks-optimized-ami] = Create nodes with optimized Amazon Linux AMIs :info_titleabbrev: Amazon Linux @@ -37,7 +37,7 @@ The Amazon EKS optimized Amazon Linux AMIs are built on top of Amazon Linux 2 (A ==== -[[gpu-ami,gpu-ami.title]] +[#gpu-ami] == Amazon EKS optimized accelerated Amazon Linux AMIs The Amazon EKS optimized accelerated Amazon Linux AMIs are built on top of the standard Amazon EKS optimized Amazon Linux AMIs. They are configured to serve as optional images for Amazon EKS nodes to support GPU, link:machine-learning/inferentia/[Inferentia,type="marketing"], and link:machine-learning/trainium/[Trainium,type="marketing"] based workloads. @@ -61,7 +61,7 @@ For a list of the latest components included in the accelerated AMIs, see the `a For details on running workloads on Amazon EKS optimized accelerated Amazon Linux AMIs, see <>. -[[arm-ami,arm-ami.title]] +[#arm-ami] == Amazon EKS optimized [.noloc]`Arm` Amazon Linux AMIs Arm instances deliver significant cost savings for scale-out and [.noloc]`Arm`-based applications such as web servers, containerized microservices, caching fleets, and distributed data stores. When adding [.noloc]`Arm` nodes to your cluster, review the following considerations. @@ -71,7 +71,7 @@ Arm instances deliver significant cost savings for scale-out and [.noloc]`Arm`-b * If you have [.noloc]`DaemonSets` that are deployed in an existing cluster, or you want to deploy them to a new cluster that you also want to deploy [.noloc]`Arm` nodes in, then verify that your [.noloc]`DaemonSet` can run on all hardware architectures in your cluster. * You can run [.noloc]`Arm` node groups and x86 node groups in the same cluster. If you do, consider deploying multi-architecture container images to a container repository such as Amazon Elastic Container Registry and then adding node selectors to your manifests so that [.noloc]`Kubernetes` knows what hardware architecture a [.noloc]`Pod` can be deployed to. For more information, see link:AmazonECR/latest/userguide/docker-push-multi-architecture-image.html[Pushing a multi-architecture image,type="documentation"] in the _Amazon ECR User Guide_ and the link:containers/introducing-multi-architecture-container-images-for-amazon-ecr[Introducing multi-architecture container images for Amazon ECR,type="blog"] blog post. -[[linux-more-information,linux-more-information.title]] +[#linux-more-information] == More information For more information about using Amazon EKS optimized Amazon Linux AMIs, see the following sections: diff --git a/latest/ug/nodes/eks-optimized-amis.adoc b/latest/ug/nodes/eks-optimized-amis.adoc index 0ab13e32b..974fffdfd 100644 --- a/latest/ug/nodes/eks-optimized-amis.adoc +++ b/latest/ug/nodes/eks-optimized-amis.adoc @@ -1,5 +1,5 @@ [.topic] -[[eks-optimized-amis,eks-optimized-amis.title]] +[#eks-optimized-amis] = Create nodes with pre-built optimized images :info_titleabbrev: Pre-built optimized AMIs :keywords: optimized, custom, AMI diff --git a/latest/ug/nodes/eks-optimized-windows-ami.adoc b/latest/ug/nodes/eks-optimized-windows-ami.adoc index 9216dee3f..3ed7bdcab 100644 --- a/latest/ug/nodes/eks-optimized-windows-ami.adoc +++ b/latest/ug/nodes/eks-optimized-windows-ami.adoc @@ -1,5 +1,5 @@ [.topic] -[[eks-optimized-windows-ami,eks-optimized-windows-ami.title]] +[#eks-optimized-windows-ami] = Create nodes with optimized [.noloc]`Windows` AMIs :info_titleabbrev: Windows @@ -42,7 +42,7 @@ Amazon EKS offers AMIs that are optimized for [.noloc]`Windows` containers in th ==== -[[windows-ami-release-calendar,windows-ami-release-calendar.title]] +[#windows-ami-release-calendar] == Release calendar The following table lists the release and end of support dates for [.noloc]`Windows` versions on Amazon EKS. If an end date is blank, it's because the version is still supported. @@ -83,7 +83,7 @@ The following table lists the release and end of support dates for [.noloc]`Wind |[.noloc]`12/8/2020` |=== -[[bootstrap-script-configuration-parameters,bootstrap-script-configuration-parameters.title]] +[#bootstrap-script-configuration-parameters] == Bootstrap script configuration parameters When you create a [.noloc]`Windows` node, there's a script on the node that allows for configuring different parameters. Depending on your setup, this script can be found on the node at a location similar to: `C:\Program Files\Amazon\EKS\Start-EKSBootstrap.ps1`. You can specify custom parameter values by specifying them as arguments to the bootstrap script. For example, you can update the user data in the launch template. For more information, see <>. @@ -107,7 +107,7 @@ The script takes into account the following environment variables: * `EXCLUDED_SNAT_CIDRS` – Should be a comma separated string. Refer to the `ExcludedSnatCIDRs` command line parameter for the definition. -[[ad-and-gmsa-support,ad-and-gmsa-support.title]] +[#ad-and-gmsa-support] === [.noloc]`gMSA` authentication support Amazon EKS Windows [.noloc]`Pods` allow different types of group Managed Service Account ([.noloc]`gMSA`) authentication. @@ -116,7 +116,7 @@ Amazon EKS Windows [.noloc]`Pods` allow different types of group Managed Service * Amazon EKS offers a plugin that enables non-domain-joined [.noloc]`Windows` nodes to retrieve [.noloc]`gMSA` credentials with a portable user identity. For more information on domainless [.noloc]`gMSA`, see link:containers/domainless-windows-authentication-for-amazon-eks-windows-pods[Domainless Windows Authentication for Amazon EKS Windowspods,type="blog"] on the {aws} blog. -[[windows-cached-container-images,windows-cached-container-images.title]] +[#windows-cached-container-images] == Cached container images Amazon EKS Windows optimized AMIs have certain container images cached for the `containerd` runtime. Container images are cached when building custom AMIs using Amazon-managed build components. For more information, see <>. @@ -127,7 +127,7 @@ The following cached container images are for the `containerd` runtime: * `mcr.microsoft.com/windows/nanoserver` * `mcr.microsoft.com/windows/servercore` -[[windows-more-information,windows-more-information.title]] +[#windows-more-information] == More information For more information about using Amazon EKS optimized [.noloc]`Windows` AMIs, see the following sections: diff --git a/latest/ug/nodes/eks-partner-amis.adoc b/latest/ug/nodes/eks-partner-amis.adoc index c696b628b..bf8d63bb2 100644 --- a/latest/ug/nodes/eks-partner-amis.adoc +++ b/latest/ug/nodes/eks-partner-amis.adoc @@ -1,5 +1,5 @@ [.topic] -[[eks-partner-amis,eks-partner-amis.title]] +[#eks-partner-amis] = Create nodes with optimized [.noloc]`Ubuntu Linux` AMIs :info_titleabbrev: Ubuntu Linux diff --git a/latest/ug/nodes/fargate-getting-started.adoc b/latest/ug/nodes/fargate-getting-started.adoc index 006dbe55b..caa8436c3 100644 --- a/latest/ug/nodes/fargate-getting-started.adoc +++ b/latest/ug/nodes/fargate-getting-started.adoc @@ -1,6 +1,6 @@ include::../attributes.txt[] [.topic] -[[fargate-getting-started,fargate-getting-started.title]] +[#fargate-getting-started] = Get started with {aws} Fargate for your cluster :info_titleabbrev: Get started @@ -16,7 +16,7 @@ If you restrict access to the public endpoint of your cluster using CIDR blocks, .Prerequisite An existing cluster. If you don't already have an Amazon EKS cluster, see <>. -[[fargate-gs-check-compatibility,fargate-gs-check-compatibility.title]] +[#fargate-gs-check-compatibility] == Step 1: Ensure that existing nodes can communicate with Fargate [.noloc]`Pods` If you're working with a new cluster with no nodes, or a cluster with only managed node groups (see <>), you can skip to <>. @@ -33,7 +33,7 @@ aws eks describe-cluster --name my-cluster --query cluster.resourcesVpcConfig.cl ---- -[[fargate-sg-pod-execution-role,fargate-sg-pod-execution-role.title]] +[#fargate-sg-pod-execution-role] == Step 2: Create a Fargate [.noloc]`Pod` execution role When your cluster creates [.noloc]`Pods` on {aws} Fargate, the components that run on the Fargate infrastructure must make calls to {aws} APIs on your behalf. The Amazon EKS [.noloc]`Pod` execution role provides the IAM permissions to do this. To create an {aws} Fargate [.noloc]`Pod` execution role, see <>. @@ -45,7 +45,7 @@ If you created your cluster with `eksctl` using the `--fargate` option, your clu ==== -[[fargate-gs-create-profile,fargate-gs-create-profile.title]] +[#fargate-gs-create-profile] == Step 3: Create a Fargate profile for your cluster Before you can schedule [.noloc]`Pods` that are running on Fargate in your cluster, you must define a Fargate profile that specifies which [.noloc]`Pods` use Fargate when they're launched. For more information, see <>. @@ -119,7 +119,7 @@ NOTE: Only private subnets are supported for [.noloc]`Pods` that are running on . On the *Review and create* page, review the information for your Fargate profile and choose *Create*. -[[fargate-gs-coredns,fargate-gs-coredns.title]] +[#fargate-gs-coredns] == Step 4: Update [.noloc]`CoreDNS` By default, [.noloc]`CoreDNS` is configured to run on Amazon EC2 infrastructure on Amazon EKS clusters. If you want to _only_ run your [.noloc]`Pods` on Fargate in your cluster, complete the following steps. @@ -154,7 +154,7 @@ kubectl patch deployment coredns \ ---- -[[fargate-gs-next-steps,fargate-gs-next-steps.title]] +[#fargate-gs-next-steps] == Next steps * You can start migrating your existing applications to run on Fargate with the following workflow. diff --git a/latest/ug/nodes/fargate-logging.adoc b/latest/ug/nodes/fargate-logging.adoc index 1e38e6b72..c4982daa7 100644 --- a/latest/ug/nodes/fargate-logging.adoc +++ b/latest/ug/nodes/fargate-logging.adoc @@ -1,6 +1,6 @@ include::../attributes.txt[] [.topic] -[[fargate-logging,fargate-logging.title]] +[#fargate-logging] = Start {aws} Fargate logging for your cluster :info_titleabbrev: Logging @@ -22,7 +22,7 @@ The log router allows you to use the breadth of services at {aws} for log analyt * An existing Fargate profile that specifies an existing [.noloc]`Kubernetes` namespace that you deploy Fargate [.noloc]`Pods` to. For more information, see <>. * An existing Fargate [.noloc]`Pod` execution role. For more information, see <>. -[[fargate-logging-log-router-configuration,fargate-logging-log-router-configuration.title]] +[#fargate-logging-log-router-configuration] == Log router configuration In the following steps, replace every [.replaceable]`example value` with your own values. @@ -270,7 +270,7 @@ aws iam attach-role-policy \ --role-name [.replaceable]`AmazonEKSFargatePodExecutionRole` ---- -[[fargate-logging-kubernetes-filter,fargate-logging-kubernetes-filter.title]] +[#fargate-logging-kubernetes-filter] === [.noloc]`Kubernetes` filter support This feature requires the following minimum [.noloc]`Kubernetes` version and platform level, or later. @@ -306,7 +306,7 @@ filters.conf: | ==== -[[ship-fluent-bit-process-logs,ship-fluent-bit-process-logs.title]] +[#ship-fluent-bit-process-logs] === To ship [.noloc]`Fluent Bit` process logs to your account You can optionally ship [.noloc]`Fluent Bit` process logs to Amazon CloudWatch using the following `ConfigMap`. Shipping Fluent Bit process logs to CloudWatch requires additional log ingestion and storage costs. Replace [.replaceable]`region-code` with the {aws} Region that your cluster is in. @@ -344,7 +344,7 @@ The logs are in the {aws} Region that the cluster resides in under CloudWatch. T ==== -[[stop-fluent-bit-process-logs,stop-fluent-bit-process-logs.title]] +[#stop-fluent-bit-process-logs] === To stop shipping [.noloc]`Fluent Bit` process logs Shipping [.noloc]`Fluent Bit` process logs to CloudWatch requires additional log ingestion and storage costs. To exclude process logs in an existing `ConfigMap` setup, do the following steps. @@ -354,7 +354,7 @@ Shipping [.noloc]`Fluent Bit` process logs to CloudWatch requires additional log . Edit the `ConfigMap` and set `flb_log_cw: "false"`. . Restart any existing [.noloc]`Pods` in the cluster. -[[fargate-logging-test-application,fargate-logging-test-application.title]] +[#fargate-logging-test-application] == Test application . Deploy a sample [.noloc]`Pod`. + @@ -392,12 +392,12 @@ kubectl apply -f sample-app.yaml ---- . View the NGINX logs using the destination(s) that you configured in the `ConfigMap`. -[[fargate-logging-size-considerations,fargate-logging-size-considerations.title]] +[#fargate-logging-size-considerations] == Size considerations We suggest that you plan for up to 50 MB of memory for the log router. If you expect your application to generate logs at very high throughput then you should plan for up to 100 MB. -[[fargate-logging-troubleshooting,fargate-logging-troubleshooting.title]] +[#fargate-logging-troubleshooting] == Troubleshooting To confirm whether the logging feature is enabled or disabled for some reason, such as an invalid `ConfigMap`, and why it's invalid, check your [.noloc]`Pod` events with `kubectl describe pod [.replaceable]``pod-name```. The output might include [.noloc]`Pod` events that clarify whether logging is enabled or not, such as the following example output. diff --git a/latest/ug/nodes/fargate-pod-configuration.adoc b/latest/ug/nodes/fargate-pod-configuration.adoc index f685f2620..6a9944ea3 100644 --- a/latest/ug/nodes/fargate-pod-configuration.adoc +++ b/latest/ug/nodes/fargate-pod-configuration.adoc @@ -1,5 +1,5 @@ [.topic] -[[fargate-pod-configuration,fargate-pod-configuration.title]] +[#fargate-pod-configuration] = Understand Fargate [.noloc]`Pod` configuration details :info_titleabbrev: Pod configuration details @@ -12,7 +12,7 @@ This section describes some of the unique [.noloc]`Pod` configuration details fo This section describes some of the unique [.noloc]`Pod` configuration details for running [.noloc]`Kubernetes` [.noloc]`Pods` on {aws} Fargate. -[[fargate-cpu-and-memory,fargate-cpu-and-memory.title]] +[#fargate-cpu-and-memory] == [.noloc]`Pod` CPU and memory With [.noloc]`Kubernetes`, you can define requests, a minimum vCPU amount, and memory resources that are allocated to each container in a [.noloc]`Pod`. [.noloc]`Pods` are scheduled by [.noloc]`Kubernetes` to ensure that at least the requested resources for each [.noloc]`Pod` are available on the compute resource. For more information, see https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/[Managing compute resources for containers] in the [.noloc]`Kubernetes` documentation. @@ -88,7 +88,7 @@ annotations: The `CapacityProvisioned` annotation represents the enforced [.noloc]`Pod` capacity and it determines the cost of your [.noloc]`Pod` running on Fargate. For pricing information for the compute configurations, see link:fargate/pricing/[{aws} Fargate Pricing,type="marketing"]. -[[fargate-storage,fargate-storage.title]] +[#fargate-storage] == Fargate storage A [.noloc]`Pod` running on Fargate automatically mounts an Amazon EFS file system, without needing manual driver installation steps. You can't use dynamic persistent volume provisioning with Fargate nodes, but you can use static provisioning. For more information, see https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/README.md[Amazon EFS CSI Driver] on GitHub. diff --git a/latest/ug/nodes/fargate-pod-patching.adoc b/latest/ug/nodes/fargate-pod-patching.adoc index 4f9ffc428..bf9f96606 100644 --- a/latest/ug/nodes/fargate-pod-patching.adoc +++ b/latest/ug/nodes/fargate-pod-patching.adoc @@ -1,6 +1,6 @@ include::../attributes.txt[] [.topic] -[[fargate-pod-patching,fargate-pod-patching.title]] +[#fargate-pod-patching] = Set actions for {aws} Fargate OS patching events :info_titleabbrev: OS patching events diff --git a/latest/ug/nodes/fargate-profile.adoc b/latest/ug/nodes/fargate-profile.adoc index bba7549b4..dc7bee446 100644 --- a/latest/ug/nodes/fargate-profile.adoc +++ b/latest/ug/nodes/fargate-profile.adoc @@ -1,6 +1,6 @@ include::../attributes.txt[] [.topic] -[[fargate-profile,fargate-profile.title]] +[#fargate-profile] = Define which [.noloc]`Pods` use {aws} Fargate when launched :info_titleabbrev: Define profiles @@ -37,7 +37,7 @@ Fargate does not currently support [.noloc]`Kubernetes` https://kubernetes.io/do Amazon EKS and Fargate spread [.noloc]`Pods` across each of the subnets that's defined in the Fargate profile. However, you might end up with an uneven spread. If you must have an even spread, use two Fargate profiles. Even spread is important in scenarios where you want to deploy two replicas and don't want any downtime. We recommend that each profile has only one subnet. -[[fargate-profile-components,fargate-profile-components.title]] +[#fargate-profile-components] == Fargate profile components The following components are contained in a Fargate profile. @@ -61,7 +61,7 @@ The selectors to match for [.noloc]`Pods` to use this Fargate profile. You might ** *Labels* – You can optionally specify [.noloc]`Kubernetes` labels to match for the selector. The selector only matches [.noloc]`Pods` that have all of the labels that are specified in the selector. -[[fargate-profile-wildcards,fargate-profile-wildcards.title]] +[#fargate-profile-wildcards] == Fargate profile wildcards In addition to characters allowed by [.noloc]`Kubernetes`, you're allowed to use `{asterisk}` and `?` in the selector criteria for namespaces, label keys, and label values: @@ -83,7 +83,7 @@ If you want to migrate existing Fargate [.noloc]`Pods` to new profiles that use * If you want to migrate workloads but aren't sure what Fargate labels are on each Fargate [.noloc]`Pod`, you can use the following method. Create a new profile with a name that sorts alphanumerically first among the profiles on the same cluster. Then, recycle the Fargate [.noloc]`Pods` that need to be migrated to new profiles. -[[create-fargate-profile,create-fargate-profile.title]] +[#create-fargate-profile] == Create a Fargate profile This section describes how to create a Fargate profile. You also must have created a [.noloc]`Pod` execution role to use for your Fargate profile. For more information, see <>. [.noloc]`Pods` that are running on Fargate are only supported on private subnets with link:vpc/latest/userguide/vpc-nat-gateway.html[NAT gateway,type="documentation"] access to {aws} services, but not a direct route to an Internet Gateway. This is so that your cluster's VPC must have private subnets available. diff --git a/latest/ug/nodes/fargate.adoc b/latest/ug/nodes/fargate.adoc index a519f42c4..9d400bf9a 100644 --- a/latest/ug/nodes/fargate.adoc +++ b/latest/ug/nodes/fargate.adoc @@ -1,7 +1,7 @@ include::../attributes.txt[] [.topic] -[[fargate,fargate.title]] +[#fargate] = Simplify compute management with {aws} Fargate :info_titleabbrev: {aws} Fargate :keywords: Fargate, nodes @@ -17,7 +17,7 @@ You can control which [.noloc]`Pods` start on Fargate and how they run with <> and <>. If you are running a cluster with hybrid nodes and nodes in {aws} Cloud, it is recommended to have at least one CoreDNS replica on hybrid nodes and at least one CoreDNS replica on your nodes in {aws} Cloud. -[[hybrid-nodes-add-ons-cw,hybrid-nodes-add-ons-cw.title]] +[#hybrid-nodes-add-ons-cw] == CloudWatch Observability Agent add-on Node-level metrics are not available for hybrid nodes because link:AmazonCloudWatch/latest/monitoring/ContainerInsights.html[CloudWatch Container Insights,type="documentation"] depends on the availability of link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html[Instance Metadata Service,type="documentation"] (IMDS) for node-level metrics. Cluster, workload, pod, and container-level metrics are available for hybrid nodes. @@ -83,7 +83,7 @@ items: ... ---- -[[hybrid-nodes-add-ons-amp,hybrid-nodes-add-ons-amp.title]] +[#hybrid-nodes-add-ons-amp] == Amazon Managed Prometheus managed collector for hybrid nodes An Amazon Managed Service for Prometheus (AMP) managed collector consists of a scraper that discovers and collects metrics from the resources in an Amazon EKS cluster. AMP manages the scraper for you, removing the need to manage any instances, agents, or scrapers yourself. @@ -92,14 +92,14 @@ You can use AMP managed collectors without any additional configuration specific Follow the steps in link:prometheus/latest/userguide/AMP-collector-how-to.html[Using an {aws} managed collector,type="documentation"] in the Amazon Managed Service for Prometheus User Guide. -[[hybrid-nodes-add-ons-adot,hybrid-nodes-add-ons-adot.title]] +[#hybrid-nodes-add-ons-adot] == {aws} Distro for OpenTelemetry (ADOT) add-on You can use the {aws} Distro for OpenTelemetry (ADOT) Amazon EKS add-on to collect metrics, logs, and tracing data from your applications running on hybrid nodes. Note, ADOT uses admission https://kubernetes.io/docs/reference/access-authn-authz/webhook/[webhooks] to mutate and validate the Collector Custom Resource requests and you must configure your remote pod network when creating your Amazon EKS cluster. Follow the steps in https://aws-otel.github.io/docs/getting-started/adot-eks-add-on[Getting Started with {aws} Distro for OpenTelemetry using EKS Add-Ons] in the _{aws} Distro for OpenTelemetry_ documentation. -[[hybrid-nodes-add-ons-lbc,hybrid-nodes-add-ons-lbc.title]] +[#hybrid-nodes-add-ons-lbc] == {aws} Load Balancer Controller You can use the <> and Application Load Balancer (ALB) or Network Load Balancer (NLB) with the target type ip for workloads on hybrid nodes connected with {aws} Direct Connect or {aws} Site-to-Site VPN. As the {aws} Load Balancer Controller uses https://kubernetes.io/docs/reference/access-authn-authz/webhook/[webhooks], you must configure your remote pod network when creating your Amazon EKS cluster. @@ -119,7 +119,7 @@ service.beta.kubernetes.io/aws-load-balancer-type: "external" service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip" ---- -[[hybrid-nodes-add-ons-pod-id,hybrid-nodes-add-ons-pod-id.title]] +[#hybrid-nodes-add-ons-pod-id] == EKS Pod Identity Agent add-on The original Amazon EKS Pod Identity Agent [.noloc]`DaemonSet` relies on the availability of EC2 IMDS on the node to obtain the required {aws} credentials. As IMDS isn't available on hybrid nodes, starting in add-on version `1.3.3-eksbuild.1`, the Pod Identity Agent add-on optionally deploys a second [.noloc]`DaemonSet` that specifically targets hybrid nodes. This [.noloc]`DaemonSet` mounts the required credentials to the pods created by the Pod Identity Agent add-on. @@ -163,7 +163,7 @@ aws eks create-addon \ {"daemonsets":{"hybrid":{"create": true}}} ---- -[[hybrid-nodes-add-ons-csi-snapshotter,hybrid-nodes-add-ons-csi-snapshotter.title]] +[#hybrid-nodes-add-ons-csi-snapshotter] == CSI snapshot controller add-on Starting with version `v8.1.0-eksbuild.2`, the <> applies a soft anti-affinity rule for hybrid nodes, preferring the controller `deployment` to run on EC2 in the same {aws} Region as the Amazon EKS control plane. Co-locating the `deployment` in the same {aws} Region as the Amazon EKS control plane improves latency. diff --git a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc index 7598c8093..46926bf9b 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc @@ -1,5 +1,5 @@ [.topic] -[[hybrid-nodes-cluster-create,hybrid-nodes-cluster-create.title]] +[#hybrid-nodes-cluster-create] = Create an Amazon EKS cluster with hybrid nodes :info_titleabbrev: Create cluster :keywords: on-premises, hybrid @@ -14,7 +14,7 @@ Create hybrid nodes cluster This topic provides an overview of the available options and describes what to consider when you create a hybrid nodes-enabled Amazon EKS cluster. If you are not planning to use hybrid nodes, see <>. -[[hybrid-nodes-cluster-create-prep,hybrid-nodes-cluster-create-prep.title]] +[#hybrid-nodes-cluster-create-prep] == Prerequisites * The <> completed. Before you create your hybrid nodes-enabled cluster, you must have your on-premises node and optionally pod CIDRs identified, your VPC and subnets created according to the EKS requirements, and hybrid nodes requirements, and your security group with inbound rules for your on-premises and optionally pod CIDRs. For more information on these prerequisites, see <>. @@ -22,7 +22,7 @@ This topic provides an overview of the available options and describes what to c * An link:IAM/latest/UserGuide/id_roles#iam-term-principal[IAM principal,type="documentation"] with permissions to create IAM roles and attach policies, and create and describe EKS clusters -[[hybrid-nodes-cluster-create-consider,hybrid-nodes-cluster-create-consider.title]] +[#hybrid-nodes-cluster-create-consider] == Considerations * Your cluster must use either `API` or `API_AND_CONFIG_MAP` for the cluster authentication mode. @@ -31,7 +31,7 @@ This topic provides an overview of the available options and describes what to c * Currently, hybrid nodes must be enabled during cluster creation. You cannot change your `RemoteNodeNetwork` or `RemotePodNetwork` after cluster creation. -[[hybrid-nodes-cluster-create-iam,hybrid-nodes-cluster-create-iam.title]] +[#hybrid-nodes-cluster-create-iam] == Step 1: Create cluster IAM role If you already have a cluster IAM role, or you're going to create your cluster with `eksctl` or {aws} CloudFormation, then you can skip this step. By default, `eksctl` and the {aws} CloudFormation template create the cluster IAM role for you. @@ -75,7 +75,7 @@ aws iam attach-role-policy \ ---- -[[hybrid-nodes-cluster-create-cluster,hybrid-nodes-cluster-create-cluster.title]] +[#hybrid-nodes-cluster-create-cluster] == Step 2: Create hybrid nodes-enabled cluster You can create a cluster by using: @@ -86,7 +86,7 @@ You can create a cluster by using: * <> -[[hybrid-nodes-cluster-create-eksctl,hybrid-nodes-cluster-create-eksctl.title]] +[#hybrid-nodes-cluster-create-eksctl] === Create hybrid nodes-enabled cluster - eksctl You need to install the latest version of the `eksctl` command line tool. To install or update `eksctl`, see https://eksctl.io/installation[Installation] in the `eksctl` documentation. @@ -142,7 +142,7 @@ Cluster provisioning takes several minutes. While the cluster is being created, . Continue with <>. -[[hybrid-nodes-cluster-create-cfn,hybrid-nodes-cluster-create-cfn.title]] +[#hybrid-nodes-cluster-create-cfn] === Create hybrid nodes-enabled cluster - {aws} CloudFormation The CloudFormation stack creates the EKS cluster IAM role and an EKS cluster with the `RemoteNodeNetwork` and `RemotePodNetwork` you specify. Modify the CloudFormation template If you need to customize settings for your EKS cluster that are not exposed in the CloudFormation template. @@ -212,7 +212,7 @@ aws cloudformation describe-stacks \ . Continue with <>. -[[hybrid-nodes-cluster-create-cli,hybrid-nodes-cluster-create-cli.title]] +[#hybrid-nodes-cluster-create-cli] === Create hybrid nodes-enabled cluster - {aws} CLI . Run the following command to create a hybrid nodes-enabled EKS cluster. Before running the command, replace the following with your desired settings. For a full list of settings, see the <> documentation. @@ -255,7 +255,7 @@ aws eks describe-cluster \ . Continue with <>. -[[hybrid-nodes-cluster-create-console,hybrid-nodes-cluster-create-console.title]] +[#hybrid-nodes-cluster-create-console] === Create hybrid nodes-enabled cluster - {aws-management-console} . Open the Amazon EKS console at link:eks/home#/clusters[Amazon EKS console,type="console"]. @@ -301,7 +301,7 @@ aws eks describe-cluster \ . On the *Review and create* page, review the information that you entered or selected on the previous pages. If you need to make changes, choose *Edit*. When you're satisfied, choose *Create*. The *Status* field shows *CREATING* while the cluster is provisioned. Cluster provisioning takes several minutes. . Continue with <>. -[[hybrid-nodes-cluster-create-kubeconfig,hybrid-nodes-cluster-create-kubeconfig.title]] +[#hybrid-nodes-cluster-create-kubeconfig] == Step 3: Update kubeconfig If you created your cluster using `eksctl`, then you can skip this step. This is because `eksctl` already completed this step for you. Enable `kubectl` to communicate with your cluster by adding a new context to the `kubectl` config file. For more information about how to create and update the file, see <>. diff --git a/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc b/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc index acaa9b3e7..2045e9ad0 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc @@ -1,5 +1,5 @@ [.topic] -[[hybrid-nodes-cluster-prep,hybrid-nodes-cluster-prep.title]] +[#hybrid-nodes-cluster-prep] = Prepare cluster access for hybrid nodes :info_titleabbrev: Prepare cluster access @@ -31,7 +31,7 @@ aws eks create-access-entry --cluster-name CLUSTER_NAME \ --type HYBRID_LINUX ---- -[[hybrid-nodes-cluster-prep-console,hybrid-nodes-cluster-prep-console.title]] +[#hybrid-nodes-cluster-prep-console] === {aws-management-console} . Open the Amazon EKS console at link:eks/home#/clusters[Amazon EKS console,type="console"]. diff --git a/latest/ug/nodes/hybrid-nodes-cni.adoc b/latest/ug/nodes/hybrid-nodes-cni.adoc index e25004ab2..094b0e336 100644 --- a/latest/ug/nodes/hybrid-nodes-cni.adoc +++ b/latest/ug/nodes/hybrid-nodes-cni.adoc @@ -1,5 +1,5 @@ [.topic] -[[hybrid-nodes-cni,hybrid-nodes-cni.title]] +[#hybrid-nodes-cni] = Configure a CNI for hybrid nodes :info_titleabbrev: Configure CNI :keywords: on-premises CNI, hybrid CNI diff --git a/latest/ug/nodes/hybrid-nodes-creds.adoc b/latest/ug/nodes/hybrid-nodes-creds.adoc index de4c81a5e..067e2ee10 100644 --- a/latest/ug/nodes/hybrid-nodes-creds.adoc +++ b/latest/ug/nodes/hybrid-nodes-creds.adoc @@ -1,5 +1,5 @@ [.topic] -[[hybrid-nodes-creds,hybrid-nodes-creds.title]] +[#hybrid-nodes-creds] = Prepare credentials for hybrid nodes :info_titleabbrev: Prepare credentials @@ -378,7 +378,7 @@ aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly ---- -[[hybrid-nodes-creds-console,hybrid-nodes-creds-console.title]] +[#hybrid-nodes-creds-console] === {aws-management-console} *Create EKS Describe Cluster Policy* diff --git a/latest/ug/nodes/hybrid-nodes-join.adoc b/latest/ug/nodes/hybrid-nodes-join.adoc index 21273c3f5..88b2d7288 100644 --- a/latest/ug/nodes/hybrid-nodes-join.adoc +++ b/latest/ug/nodes/hybrid-nodes-join.adoc @@ -1,5 +1,5 @@ [.topic] -[[hybrid-nodes-join,hybrid-nodes-join.title]] +[#hybrid-nodes-join] = Connect hybrid nodes :info_titleabbrev: Connect hybrid nodes :keywords: on-premises, hybrid diff --git a/latest/ug/nodes/hybrid-nodes-networking.adoc b/latest/ug/nodes/hybrid-nodes-networking.adoc index 5159bdbd2..493d3969b 100644 --- a/latest/ug/nodes/hybrid-nodes-networking.adoc +++ b/latest/ug/nodes/hybrid-nodes-networking.adoc @@ -1,5 +1,5 @@ [.topic] -[[hybrid-nodes-networking,hybrid-nodes-networking.title]] +[#hybrid-nodes-networking] = Prepare networking for hybrid nodes :info_titleabbrev: Prepare networking :keywords: on-premises, hybrid @@ -16,7 +16,7 @@ This topic provides an overview of the networking setup you must have configured image::images/hybrid-prereq-diagram.png[Hybrid node network connectivity.,scaledwidth=50%] -[[hybrid-nodes-networking-on-prem,hybrid-nodes-networking-on-prem.title]] +[#hybrid-nodes-networking-on-prem] == On-premises networking configuration *Minimum network requirements* @@ -206,7 +206,7 @@ aws ec2 describe-network-interfaces \ ---- -[[hybrid-nodes-networking-vpc,hybrid-nodes-networking-vpc.title]] +[#hybrid-nodes-networking-vpc] == {aws} VPC and subnet setup The existing <> for Amazon EKS apply to clusters with hybrid nodes. Additionally, your VPC CIDR can't overlap with your on-premises node and pod CIDRs. You must configure routes in your VPC routing table for your on-premises node and optionally pod CIDRs. These routes must be setup to route traffic to the gateway you are using for your hybrid network connectivity, which is commonly a virtual private gateway (VGW) or transit gateway (TGW). If you are using TGW or VGW to connect your VPC with your on-premises environment, you must create a TGW or VGW attachment for your VPC. Your VPC must have DNS hostname and DNS resolution support. @@ -336,7 +336,7 @@ aws ec2 associate-route-table --route-table-id [.replaceable]`RT_ID` --subnet-id ---- -[[hybrid-nodes-networking-cluster-sg,hybrid-nodes-networking-cluster-sg.title]] +[#hybrid-nodes-networking-cluster-sg] == Cluster security group configuration The following access for your Amazon EKS cluster security group is required for ongoing cluster operations. diff --git a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc index 39d8501dd..ed8ac9fb0 100644 --- a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc +++ b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc @@ -1,5 +1,5 @@ [.topic] -[[hybrid-nodes-nodeadm,hybrid-nodes-nodeadm.title]] +[#hybrid-nodes-nodeadm] = Hybrid nodes `nodeadm` reference :info_titleabbrev: Hybrid nodes nodeadm :keywords: on-premises, hybrid diff --git a/latest/ug/nodes/hybrid-nodes-os.adoc b/latest/ug/nodes/hybrid-nodes-os.adoc index 98e7acc2b..2a40baeeb 100644 --- a/latest/ug/nodes/hybrid-nodes-os.adoc +++ b/latest/ug/nodes/hybrid-nodes-os.adoc @@ -1,5 +1,5 @@ [.topic] -[[hybrid-nodes-os,hybrid-nodes-os.title]] +[#hybrid-nodes-os] = Prepare operating system for hybrid nodes :info_titleabbrev: Prepare operating system :keywords: on-premises, hybrid diff --git a/latest/ug/nodes/hybrid-nodes-overview.adoc b/latest/ug/nodes/hybrid-nodes-overview.adoc index b7229b421..31fd816f2 100644 --- a/latest/ug/nodes/hybrid-nodes-overview.adoc +++ b/latest/ug/nodes/hybrid-nodes-overview.adoc @@ -1,5 +1,5 @@ [.topic] -[[hybrid-nodes-overview,hybrid-nodes-overview.title]] +[#hybrid-nodes-overview] = Amazon EKS Hybrid Nodes overview :info_titleabbrev: Hybrid nodes :keywords: on-premises, hybrid @@ -20,7 +20,7 @@ With Amazon EKS Hybrid Nodes, there are no upfront commitments or minimum fees, For an overview of the other Amazon EKS options for on-premises and edge deployments, see <>. -[[hybrid-nodes-general,hybrid-nodes-general.title]] +[#hybrid-nodes-general] == General concepts of Amazon EKS Hybrid Nodes * Amazon EKS Hybrid Nodes must have a reliable connection between your on-premises environment and {aws}. Amazon EKS Hybrid Nodes aren't a fit for disconnected, disrupted, intermittent or limited (DDIL) environments. If you are running in a DDIL environment, consider link:eks/eks-anywhere/[Amazon EKS Anywhere,type="marketing"]. diff --git a/latest/ug/nodes/hybrid-nodes-prereqs.adoc b/latest/ug/nodes/hybrid-nodes-prereqs.adoc index c9170f565..e9cd1a2e3 100644 --- a/latest/ug/nodes/hybrid-nodes-prereqs.adoc +++ b/latest/ug/nodes/hybrid-nodes-prereqs.adoc @@ -1,5 +1,5 @@ [.topic] -[[hybrid-nodes-prereqs,hybrid-nodes-prereqs.title]] +[#hybrid-nodes-prereqs] = Prerequisite setup for hybrid nodes :info_titleabbrev: Prerequisites :keywords: on-premises prerequisites, hybrid prerequisites @@ -21,7 +21,7 @@ To use Amazon EKS Hybrid Nodes, you must have private connectivity from your on- image::images/hybrid-prereq-diagram.png[Hybrid node network connectivity.,scaledwidth=50%] -[[hybrid-nodes-prereqs-connect,hybrid-nodes-prereqs-connect.title]] +[#hybrid-nodes-prereqs-connect] == Hybrid network connectivity The communication between the Amazon EKS control plane and hybrid nodes is routed through the VPC and subnets you pass during cluster creation, which builds on the https://aws.github.io/aws-eks-best-practices/networking/subnets/[existing mechanism] in Amazon EKS for control plane to node networking. There are several https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/network-to-amazon-vpc-connectivity-options.html[documented options] available for you to connect your on-premises environment with your VPC including {aws} Site-to-Site VPN, {aws} Direct Connect, or your own VPN connection. Reference the https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html[{aws} Site-to-Site VPN] and https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html[{aws} Direct Connect] user guides for more information on how to use those solutions for your hybrid network connection. @@ -29,7 +29,7 @@ The communication between the Amazon EKS control plane and hybrid nodes is route For an optimal experience, {aws} recommends reliable network connectivity of at least 100 Mbps and a maximum of 200ms round trip latency for the hybrid nodes connection to the {aws} Region. The bandwidth and latency requirements can vary depending on the number of hybrid nodes and your workload characteristics, such as application image size, application elasticity, monitoring and logging configurations, and application dependencies on accessing data stored in other {aws} services. We recommend that you test with your own applications and environments before deploying to production to validate that your networking setup meets the requirements for your workloads. -[[hybrid-nodes-prereqs-onprem,hybrid-nodes-prereqs-onprem.title]] +[#hybrid-nodes-prereqs-onprem] == On-premises network configuration You must enable inbound network access from the Amazon EKS control plane to your on-premises environment to allow the Amazon EKS control plane to communicate with the `kubelet` running on hybrid nodes and optionally with webhooks running on your hybrid nodes. Additionally, you must enable outbound network access for your hybrid nodes and components running on them to communicate with the Amazon EKS control plane. You can configure this communication to stay fully private to your {aws} Direct Connect, {aws} Site-to-Site VPN, or your own VPN connection. For a full list of the required ports and protocols that you must enable in your firewall and on-premises environment, see <>. @@ -38,7 +38,7 @@ The Classless Inter-Domain Routing (CIDR) ranges you use for your on-premises no -[[hybrid-nodes-prereqs-cluster,hybrid-nodes-prereqs-cluster.title]] +[#hybrid-nodes-prereqs-cluster] == EKS cluster configuration To minimize latency, it is recommended to create your Amazon EKS cluster in the {aws} Region closest to your on-premises or edge environment. You pass your on-premises node and pod CIDRs during Amazon EKS cluster creation via two API fields: `RemoteNodeNetwork` and `RemotePodNetwork`. You may need to discuss with your on-premises network team to identify your on-premises node and pod CIDRs. The node CIDR is allocated from your on-premises network and the pod CIDR is allocated from the Container Network Interface (CNI) you use if you are using an overlay network for your CNI. @@ -48,7 +48,7 @@ The on-premises node and pod CIDRs are used to configure the Amazon EKS control It is recommended to use either public or private endpoint access for the Amazon EKS Kubernetes API server endpoint. If you choose “Public and Private”, the Amazon EKS Kubernetes API server endpoint will always resolve to the public IPs for hybrid nodes running outside of your VPC, which can prevent your hybrid nodes from joining the cluster. You can use either public or private endpoint access for the Amazon EKS Kubernetes API server endpoint. You cannot choose “Public and Private”. When you use public endpoint access, the Kubernetes API server endpoint is resolved to public IPs and the communication from hybrid nodes to the Amazon EKS control plane will be routed over the internet. When you choose private endpoint access, the Kubernetes API server endpoint is resolved to private IPs and the communication from hybrid nodes to the Amazon EKS control plane will be routed over your private connectivity link, in most cases {aws} Direct Connect or {aws} Site-to-Site VPN. -[[hybrid-nodes-prereqs-vpc,hybrid-nodes-prereqs-vpc.title]] +[#hybrid-nodes-prereqs-vpc] == VPC configuration You must configure the VPC you pass during Amazon EKS cluster creation with routes in its routing table for your on-premises node and optionally pod networks with your virtual private gateway (VGW) or transit gateway (TGW) as the target. An example is shown below. Replace `REMOTE_NODE_CIDR` and `REMOTE_POD_CIDR` with the values for your on-premises network. @@ -74,7 +74,7 @@ You must configure the VPC you pass during Amazon EKS cluster creation with rout |=== -[[hybrid-nodes-prereqs-sg,hybrid-nodes-prereqs-sg.title]] +[#hybrid-nodes-prereqs-sg] == Security group configuration When you create a cluster, Amazon EKS creates a security group that's named `eks-cluster-sg--`. You cannot alter the inbound rules of this Cluster Security Group but you can restrict the outbound rules. You must add an additional security group to your cluster to enable the kubelet and optionally webhooks running on your hybrid nodes to contact the Amazon EKS control plane. The required inbound rules for this additional security group are shown below. Replace `REMOTE_NODE_CIDR` and `REMOTE_POD_CIDR` with the values for your on-premises network. @@ -107,13 +107,13 @@ When you create a cluster, Amazon EKS creates a security group that's named `eks |=== -[[hybrid-nodes-prereqs-infra,hybrid-nodes-prereqs-infra.title]] +[#hybrid-nodes-prereqs-infra] == Infrastructure You must have bare metal servers or virtual machines available to use as hybrid nodes. Hybrid nodes are agnostic to the underlying infrastructure and support x86 and ARM architectures. Amazon EKS Hybrid Nodes follows a “bring your own infrastructure” approach, where you are responsible for provisioning and managing the bare metal servers or virtual machines that you use for hybrid nodes. While there is not a strict minimum resource requirement, it is recommended to use hosts with at least 1 vCPU and 1GiB RAM for hybrid nodes. -[[hybrid-nodes-prereqs-os,hybrid-nodes-prereqs-os.title]] +[#hybrid-nodes-prereqs-os] == Operating system Amazon Linux 2023 (AL2023), Ubuntu, and RHEL are validated on an ongoing basis for use as the node operating system for hybrid nodes. {aws} supports the hybrid nodes integration with these operating systems but does not provide support for the operating systems itself. AL2023 is not covered by {aws} Support Plans when run outside of Amazon EC2. AL2023 can only be used in on-premises virtualized environments, see the link:linux/al2023/ug/outside-ec2.html[Amazon Linux 2023 User Guide,type="documentation"] for more information. @@ -121,7 +121,7 @@ Amazon Linux 2023 (AL2023), Ubuntu, and RHEL are validated on an ongoing basis f You are responsible for operating system provisioning and management. When you are testing hybrid nodes for the first time, it is easiest to run the Amazon EKS Hybrid Nodes CLI (`nodeadm`) on an already provisioned host. For production deployments, it is recommended to include `nodeadm` in your golden operating system images with it configured to run as a systemd service to automatically join hosts to Amazon EKS clusters at host startup. -[[hybrid-nodes-prereqs-iam,hybrid-nodes-prereqs-iam.title]] +[#hybrid-nodes-prereqs-iam] == On-premises IAM credentials provider Amazon EKS Hybrid Nodes use temporary IAM credentials provisioned by {aws} SSM hybrid activations or {aws} IAM Roles Anywhere to authenticate with the Amazon EKS cluster. You must use either {aws} SSM hybrid activations or {aws} IAM Roles Anywhere with the Amazon EKS Hybrid Nodes CLI (`nodeadm`). It is recommended to use {aws} SSM hybrid activations if you do not have existing Public Key Infrastructure (PKI) with a Certificate Authority (CA) and certificates for your on-premises environments. If you do have existing PKI and certificates on-premises, use {aws} IAM Roles Anywhere. diff --git a/latest/ug/nodes/hybrid-nodes-proxy.adoc b/latest/ug/nodes/hybrid-nodes-proxy.adoc index 47e98bcda..b74a6e1cc 100644 --- a/latest/ug/nodes/hybrid-nodes-proxy.adoc +++ b/latest/ug/nodes/hybrid-nodes-proxy.adoc @@ -1,5 +1,5 @@ [.topic] -[[hybrid-nodes-proxy,hybrid-nodes-proxy.title]] +[#hybrid-nodes-proxy] = Configure proxy for hybrid nodes :info_titleabbrev: Configure proxy :keywords: on-premises proxy, hybrid proxy diff --git a/latest/ug/nodes/hybrid-nodes-remove.adoc b/latest/ug/nodes/hybrid-nodes-remove.adoc index 58679d136..3de8ba7ce 100644 --- a/latest/ug/nodes/hybrid-nodes-remove.adoc +++ b/latest/ug/nodes/hybrid-nodes-remove.adoc @@ -1,5 +1,5 @@ [.topic] -[[hybrid-nodes-remove,hybrid-nodes-remove.title]] +[#hybrid-nodes-remove] = Remove hybrid nodes :info_titleabbrev: Delete hybrid nodes :keywords: Delete hybrid nodes from your EKS cluster diff --git a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc index 2f50c10ab..c9af00181 100644 --- a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc +++ b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc @@ -1,5 +1,5 @@ [.topic] -[[hybrid-nodes-troubleshooting,hybrid-nodes-troubleshooting.title]] +[#hybrid-nodes-troubleshooting] = Troubleshooting hybrid nodes :info_titleabbrev: Troubleshooting :keywords: on-premises, hybrid @@ -16,7 +16,7 @@ This topic covers some common errors that you may see while using Amazon EKS Hyb You can run the `nodeadm debug` command from your hybrid nodes to validate networking and credential requirements are met. For more information on the `nodeadm debug` command, see <>. -[[hybrid-nodes-troubleshooting-install,hybrid-nodes-troubleshooting-install.title]] +[#hybrid-nodes-troubleshooting-install] == Installing hybrid nodes troubleshooting The troubleshooting topics in this section are related to installing the hybrid nodes dependencies on hosts with the `nodeadm install` command. @@ -59,7 +59,7 @@ nodeadm install K8S_VERSION --credential-provider CREDS_PROVIDER --timeout [.rep ---- -[[hybrid-nodes-troubleshooting-connect,hybrid-nodes-troubleshooting-connect.title]] +[#hybrid-nodes-troubleshooting-connect] == Connecting hybrid nodes troubleshooting The troubleshooting topics in this section are related to the process of connecting hybrid nodes to EKS clusters with the `nodeadm init` command. @@ -148,7 +148,7 @@ If you see these messages, check the following to ensure it meets the hybrid nod * Confirm that in your cluster you have an EKS access entry for your Hybrid Nodes IAM role or confirm that your `aws-auth` ConfigMap has an entry for your Hybrid Nodes IAM role. If you are using EKS access entries, confirm your access entry for your Hybrid Nodes IAM role has the `HYBRID_LINUX` access type. If you are using the `aws-auth` ConfigMap, confirm your entry for the Hybrid Nodes IAM role meets the requirements and formatting detailed in <>. -[[hybrid-nodes-troubleshooting-not-ready,hybrid-nodes-troubleshooting-not-ready.title]] +[#hybrid-nodes-troubleshooting-not-ready] === Hybrid nodes registered with EKS cluster but show status `Not Ready` If your hybrid nodes successfully registered with your EKS cluster, but the hybrid nodes show status `Not Ready`, the first thing to check is your Container Networking Interface (CNI) status. If you have not installed a CNI, then it is expected that your hybrid nodes have status `Not Ready`. Once a CNI is installed and running successfully, nodes transition to have the status Ready. If you attempted to install a CNI but it is not running successfully, see <> on this page. @@ -247,7 +247,7 @@ A common pod log message for this scenario is shown below the following where ip dial tcp :443: connect: no route to host ---- -[[hybrid-nodes-troubleshooting-cni,hybrid-nodes-troubleshooting-cni.title]] +[#hybrid-nodes-troubleshooting-cni] == Hybrid nodes CNI troubleshooting If you run into issues with initially starting Cilium or Calico with hybrid nodes, it is most often due to networking issues between hybrid nodes or the CNI pods running on hybrid nodes, and the EKS control plane. Make sure your environment meets the requirements in Prepare networking for hybrid nodes. It's useful to break down the problem into parts. @@ -432,7 +432,7 @@ installation: tolerationSeconds: 300 ---- -[[hybrid-nodes-troubleshooting-creds,hybrid-nodes-troubleshooting-creds.title]] +[#hybrid-nodes-troubleshooting-creds] == Credentials troubleshooting For both {aws} SSM hybrid activations and {aws} IAM Roles Anywhere, you can validate that credentials for the Hybrid Nodes IAM role are correctly configured on your hybrid nodes by running the following command from your hybrid nodes. Confirm the node name and Hybrid Nodes IAM Role name are what you expect. @@ -636,7 +636,7 @@ In the `kubelet` logs, if you see an access denied issue for setting the `roleSe AccessDeniedException: Not authorized to set roleSessionName ---- -[[hybrid-nodes-troubleshooting-os,hybrid-nodes-troubleshooting-os.title]] +[#hybrid-nodes-troubleshooting-os] == Operating system troubleshooting *RHEL* diff --git a/latest/ug/nodes/hybrid-nodes-tutorial.adoc b/latest/ug/nodes/hybrid-nodes-tutorial.adoc index 4ea77da6a..3ce8d8347 100644 --- a/latest/ug/nodes/hybrid-nodes-tutorial.adoc +++ b/latest/ug/nodes/hybrid-nodes-tutorial.adoc @@ -1,5 +1,5 @@ [.topic] -[[hybrid-nodes-tutorial,hybrid-nodes-tutorial.title]] +[#hybrid-nodes-tutorial] = Run on-premises workloads on hybrid nodes :info_titleabbrev: Run hybrid nodes :keywords: on-premises, hybrid diff --git a/latest/ug/nodes/hybrid-nodes-upgrade.adoc b/latest/ug/nodes/hybrid-nodes-upgrade.adoc index aef756a12..874a6aa05 100644 --- a/latest/ug/nodes/hybrid-nodes-upgrade.adoc +++ b/latest/ug/nodes/hybrid-nodes-upgrade.adoc @@ -1,5 +1,5 @@ [.topic] -[[hybrid-nodes-upgrade,hybrid-nodes-upgrade.title]] +[#hybrid-nodes-upgrade] = Upgrade hybrid nodes for your cluster :info_titleabbrev: Upgrade hybrid nodes :keywords: upgrade on-premises nodes, upgrade hybrid nodes diff --git a/latest/ug/nodes/launch-node-bottlerocket.adoc b/latest/ug/nodes/launch-node-bottlerocket.adoc index be2f91ce8..9e8cabbd9 100644 --- a/latest/ug/nodes/launch-node-bottlerocket.adoc +++ b/latest/ug/nodes/launch-node-bottlerocket.adoc @@ -1,5 +1,5 @@ [.topic] -[[launch-node-bottlerocket,launch-node-bottlerocket.title]] +[#launch-node-bottlerocket] = Create self-managed [.noloc]`Bottlerocket` nodes :info_titleabbrev: Bottlerocket diff --git a/latest/ug/nodes/launch-node-ubuntu.adoc b/latest/ug/nodes/launch-node-ubuntu.adoc index d097f4c14..4a4de6377 100644 --- a/latest/ug/nodes/launch-node-ubuntu.adoc +++ b/latest/ug/nodes/launch-node-ubuntu.adoc @@ -1,5 +1,5 @@ [.topic] -[[launch-node-ubuntu,launch-node-ubuntu.title]] +[#launch-node-ubuntu] = Create self-managed [.noloc]`Ubuntu Linux` nodes :info_titleabbrev: Ubuntu Linux diff --git a/latest/ug/nodes/launch-templates.adoc b/latest/ug/nodes/launch-templates.adoc index 3d9b7ea2b..c141f9747 100644 --- a/latest/ug/nodes/launch-templates.adoc +++ b/latest/ug/nodes/launch-templates.adoc @@ -1,5 +1,5 @@ [.topic] -[[launch-templates,launch-templates.title]] +[#launch-templates] = Customize managed nodes with launch templates :info_titleabbrev: Launch templates @@ -23,7 +23,7 @@ When you give your own launch template upon first creating a managed node group, Managed node groups are always deployed with a launch template to be used with the Amazon EC2 Auto Scaling group. When you don't provide a launch template, the Amazon EKS API creates one automatically with default values in your account. However, we don't recommend that you modify auto-generated launch templates. Furthermore, existing node groups that don't use a custom launch template can't be updated directly. Instead, you must create a new node group with a custom launch template to do so. -[[launch-template-basics,launch-template-basics.title]] +[#launch-template-basics] == Launch template configuration basics You can create an Amazon EC2 Auto Scaling launch template with the {aws-management-console}, {aws} CLI, or an {aws} SDK. For more information, see link:autoscaling/ec2/userguide/create-launch-template.html[Creating a Launch Template for an Auto Scaling group,type="documentation"] in the _Amazon EC2 Auto Scaling User Guide_. Some of the settings in a launch template are similar to the settings used for managed node configuration. When deploying or updating a node group with a launch template, some settings must be specified in either the node group configuration or the launch template. Don't specify a setting in both places. If a setting exists where it shouldn't, then operations such as creating or updating a node group fail. @@ -89,12 +89,12 @@ a|*Application and OS Images (Amazon Machine Image)* under *Launch template con ==== -[[launch-template-tagging,launch-template-tagging.title]] +[#launch-template-tagging] == Tagging Amazon EC2 instances You can use the `TagSpecification` parameter of a launch template to specify which tags to apply to Amazon EC2 instances in your node group. The IAM entity calling the `CreateNodegroup` or `UpdateNodegroupVersion` APIs must have permissions for `ec2:RunInstances` and `ec2:CreateTags`, and the tags must be added to the launch template. -[[launch-template-security-groups,launch-template-security-groups.title]] +[#launch-template-security-groups] == Using custom security groups You can use a launch template to specify custom Amazon EC2 link:AWSEC2/latest/UserGuide/ec2-security-groups.html[security groups,type="documentation"] to apply to instances in your node group. This can be either in the instance level security groups parameter or as part of the network interface configuration parameters. However, you can't create a launch template that specifies both instance level and network interface security groups. Consider the following conditions that apply to using custom security groups with managed node groups: @@ -106,7 +106,7 @@ You can use a launch template to specify custom Amazon EC2 link:AWSEC2/latest/Us * If you need SSH access to the instances in your node group, include a security group that allows that access. -[[launch-template-user-data,launch-template-user-data.title]] +[#launch-template-user-data] == Amazon EC2 user data The launch template includes a section for custom user data. You can specify configuration settings for your node group in this section without manually creating individual custom AMIs. For more information about the settings available for [.noloc]`Bottlerocket`, see https://github.com/bottlerocket-os/bottlerocket#using-user-data[Using user data] on [.noloc]`GitHub`. @@ -237,13 +237,13 @@ Write-Host "Running custom user data script" ---- -[[launch-template-custom-ami,launch-template-custom-ami.title]] +[#launch-template-custom-ami] == Specifying an AMI If you have either of the following requirements, then specify an AMI ID in the `ImageId` field of your launch template. Select the requirement you have for additional information. -[[mng-specify-eks-ami,mng-specify-eks-ami.title]] +[#mng-specify-eks-ami] .Provide user data to pass arguments to the `bootstrap.sh` file included with an Amazon EKS optimized [.noloc]`Linux`/[.noloc]`Bottlerocket` AMI [%collapsible] ==== @@ -364,7 +364,7 @@ set -ex ==== -[[mng-specify-eks-ami-windows,mng-specify-eks-ami-windows.title]] +[#mng-specify-eks-ami-windows] .Provide user data to pass arguments to the `Start-EKSBootstrap.ps1` file included with an Amazon EKS optimized [.noloc]`Windows` AMI [%collapsible] ==== @@ -418,7 +418,7 @@ NOTE: If you're using custom service CIDR, then you need to specify it using the ---- ==== -[[mng-specify-custom-ami,mng-specify-custom-ami.title]] +[#mng-specify-custom-ami] .Run a custom AMI due to specific security, compliance, or internal policy requirements [%collapsible] ==== @@ -433,7 +433,7 @@ When specifying an AMI, Amazon EKS doesn't merge any user data. Rather, you're r ==== -[[mng-ami-id-conditions,mng-ami-id-conditions.title]] +[#mng-ami-id-conditions] == Limits and conditions when specifying an AMI ID The following are the limits and conditions involved with specifying an AMI ID with managed node groups: diff --git a/latest/ug/nodes/launch-windows-workers.adoc b/latest/ug/nodes/launch-windows-workers.adoc index 1d9a06f02..ac71c91da 100644 --- a/latest/ug/nodes/launch-windows-workers.adoc +++ b/latest/ug/nodes/launch-windows-workers.adoc @@ -1,5 +1,5 @@ [.topic] -[[launch-windows-workers,launch-windows-workers.title]] +[#launch-windows-workers] = Create self-managed [.noloc]`Microsoft Windows` nodes :info_titleabbrev: Windows diff --git a/latest/ug/nodes/launch-workers.adoc b/latest/ug/nodes/launch-workers.adoc index 8ab84c742..9ae02ba56 100644 --- a/latest/ug/nodes/launch-workers.adoc +++ b/latest/ug/nodes/launch-workers.adoc @@ -1,5 +1,5 @@ [.topic] -[[launch-workers,launch-workers.title]] +[#launch-workers] = Create self-managed Amazon Linux nodes :info_titleabbrev: Amazon Linux diff --git a/latest/ug/nodes/learn-status-conditions.adoc b/latest/ug/nodes/learn-status-conditions.adoc index ce6a8c45a..233714761 100644 --- a/latest/ug/nodes/learn-status-conditions.adoc +++ b/latest/ug/nodes/learn-status-conditions.adoc @@ -1,5 +1,5 @@ [.topic] -[[learn-status-conditions,learn-status-conditions.title]] +[#learn-status-conditions] = View the health status of your nodes :info_titleabbrev: View node health @@ -14,7 +14,7 @@ This topic explains the tools and methods available for monitoring node health s You can get some node health information with [.noloc]`Kubernetes` commands for all nodes. And if you use the node monitoring agent through Amazon EKS Auto Mode or the Amazon EKS managed add-on, you will get a wider variety of node signals to help troubleshoot. Descriptions of detected health issues by the node monitoring agent are also made available in the observability dashboard. For more information, see <>. -[[status-node-conditions,status-node-conditions.title]] +[#status-node-conditions] == Node conditions Node conditions represent terminal issues requiring remediation actions like instance replacement or reboot. @@ -58,7 +58,7 @@ kubectl describe node [.replaceable]`node-name` type: NetworkingReady ---- -[[status-node-events,status-node-events.title]] +[#status-node-events] == Node events Node events indicate temporary issues or sub-optimal configurations. @@ -110,7 +110,7 @@ LAST SEEN TYPE REASON OBJECT MESSAGE 5m Normal NodeReady Node/node-1 Node became ready ---- -[[status-node-troubleshooting,status-node-troubleshooting.title]] +[#status-node-troubleshooting] == Common troubleshooting commands [source,bash,subs="verbatim,attributes,quotes"] diff --git a/latest/ug/nodes/managed-node-groups.adoc b/latest/ug/nodes/managed-node-groups.adoc index dc20cfb61..9b1799c1a 100644 --- a/latest/ug/nodes/managed-node-groups.adoc +++ b/latest/ug/nodes/managed-node-groups.adoc @@ -1,5 +1,5 @@ [.topic] -[[managed-node-groups,managed-node-groups.title]] +[#managed-node-groups] = Simplify node lifecycle with managed node groups :info_titleabbrev: Managed node groups :keywords: managed node group, MNG @@ -37,7 +37,7 @@ To get started with a new Amazon EKS cluster and managed node group, see <>. -[[managed-node-group-concepts,managed-node-group-concepts.title]] +[#managed-node-group-concepts] == Managed node groups concepts * Amazon EKS managed node groups create and manage Amazon EC2 instances for you. @@ -69,12 +69,12 @@ For other commonly-used services and endpoints, see <>. * If you want to encrypt Amazon EBS volumes for your nodes, you can deploy the nodes using a launch template. To deploy managed nodes with encrypted Amazon EBS volumes without using a launch template, encrypt all new Amazon EBS volumes created in your account. For more information, see link:AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default[Encryption by default,type="documentation"] in the _Amazon EC2 User Guide_. -[[managed-node-group-capacity-types,managed-node-group-capacity-types.title]] +[#managed-node-group-capacity-types] == Managed node group capacity types When creating a managed node group, you can choose either the On-Demand or Spot capacity type. Amazon EKS deploys a managed node group with an Amazon EC2 Auto Scaling group that either contains only On-Demand or only Amazon EC2 Spot Instances. You can schedule [.noloc]`Pods` for fault tolerant applications to Spot managed node groups, and fault intolerant applications to On-Demand node groups within a single [.noloc]`Kubernetes` cluster. By default, a managed node group deploys On-Demand Amazon EC2 instances. -[[managed-node-group-capacity-types-on-demand,managed-node-group-capacity-types-on-demand.title]] +[#managed-node-group-capacity-types-on-demand] === On-Demand With On-Demand Instances, you pay for compute capacity by the second, with no long-term commitments. @@ -88,7 +88,7 @@ By default, if you don't specify a *Capacity Type*, the managed node group is pr * Amazon EKS adds the following [.noloc]`Kubernetes` label to all nodes in your managed node group that specifies the capacity type: `eks.amazonaws.com/capacityType: ON_DEMAND`. You can use this label to schedule stateful or fault intolerant applications on On-Demand nodes. -[[managed-node-group-capacity-types-spot,managed-node-group-capacity-types-spot.title]] +[#managed-node-group-capacity-types-spot] === Spot Amazon EC2 Spot Instances are spare Amazon EC2 capacity that offers steep discounts off of On-Demand prices. Amazon EC2 Spot Instances can be interrupted with a two-minute interruption notice when EC2 needs the capacity back. For more information, see link:AWSEC2/latest/UserGuide/using-spot-instances.html[Spot Instances,type="documentation"] in the _Amazon EC2 User Guide_. You can configure a managed node group with Amazon EC2 Spot Instances to optimize costs for the compute nodes running in your Amazon EKS cluster. diff --git a/latest/ug/nodes/managed-node-update-behavior.adoc b/latest/ug/nodes/managed-node-update-behavior.adoc index 3c0a5bdd6..81dd52873 100644 --- a/latest/ug/nodes/managed-node-update-behavior.adoc +++ b/latest/ug/nodes/managed-node-update-behavior.adoc @@ -1,5 +1,5 @@ [.topic] -[[managed-node-update-behavior,managed-node-update-behavior.title]] +[#managed-node-update-behavior] = Understand each phase of node updates :info_titleabbrev: Update behavior details @@ -12,7 +12,7 @@ The Amazon EKS managed worker node upgrade strategy has four different phases. The Amazon EKS managed worker node upgrade strategy has four different phases described in the following sections. -[[managed-node-update-set-up,managed-node-update-set-up.title]] +[#managed-node-update-set-up] == Setup phase The setup phase has these steps: @@ -22,7 +22,7 @@ The setup phase has these steps: . It determines the maximum quantity of nodes to upgrade in parallel using the `updateConfig` property for the node group. The maximum unavailable has a quota of 100 nodes. The default value is one node. For more information, see the link:eks/latest/APIReference/API_UpdateNodegroupConfig.html#API_UpdateNodegroupConfig_RequestSyntax[updateConfig,type="documentation"] property in the _Amazon EKS API Reference_. -[[managed-node-update-scale-up,managed-node-update-scale-up.title]] +[#managed-node-update-scale-up] == Scale up phase When upgrading the nodes in a managed node group, the upgraded nodes are launched in the same Availability Zone as those that are being upgraded. To guarantee this placement, we use Amazon EC2's Availability Zone Rebalancing. For more information, see link:autoscaling/ec2/userguide/auto-scaling-benefits.html#AutoScalingBehavior.InstanceUsage[Availability Zone Rebalancing,type="documentation"] in the _Amazon EC2 Auto Scaling User Guide_. To meet this requirement, it's possible that we'd launch up to two instances per Availability Zone in your managed node group. @@ -71,7 +71,7 @@ Custom user data can sometimes break the bootstrap process. This scenario can le Node disk pressure, memory pressure, and similar conditions can lead to a node not going to `Ready` state. -[[managed-node-update-upgrade,managed-node-update-upgrade.title]] +[#managed-node-update-upgrade] == Upgrade phase The upgrade phase behaves in two different ways, depending on the _update strategy_. There are two update strategies: *default* and *minimal*. @@ -107,7 +107,7 @@ Aggressive PDB is defined on the [.noloc]`Pod` or there are multiple PDBs pointi Once every [.noloc]`Pod` is evicted, it's expected for the node to be empty because the node is https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/[tainted] in the earlier steps. However, if the deployment tolerates every taint, then the node is more likely to be non-empty, leading to [.noloc]`Pod` eviction failure. -[[managed-node-update-scale-down,managed-node-update-scale-down.title]] +[#managed-node-update-scale-down] == Scale down phase The scale down phase decrements the Auto Scaling group maximum size and desired size by one to return to values before the update started. diff --git a/latest/ug/nodes/migrate-stack.adoc b/latest/ug/nodes/migrate-stack.adoc index 55a52bf20..3787bb3cf 100644 --- a/latest/ug/nodes/migrate-stack.adoc +++ b/latest/ug/nodes/migrate-stack.adoc @@ -1,5 +1,5 @@ [.topic] -[[migrate-stack,migrate-stack.title]] +[#migrate-stack] = Migrate applications to a new node group :info_titleabbrev: Migration diff --git a/latest/ug/nodes/monitoring-fargate-usage.adoc b/latest/ug/nodes/monitoring-fargate-usage.adoc index 9824f6070..880d2d4f2 100644 --- a/latest/ug/nodes/monitoring-fargate-usage.adoc +++ b/latest/ug/nodes/monitoring-fargate-usage.adoc @@ -1,6 +1,6 @@ include::../attributes.txt[] [.topic] -[[monitoring-fargate-usage,monitoring-fargate-usage.title]] +[#monitoring-fargate-usage] = Collect {aws} Fargate app and usage metrics :info_titleabbrev: Collect metrics @@ -11,12 +11,12 @@ You can collect system metrics and CloudWatch usage metrics for {aws} Fargate. You can collect system metrics and CloudWatch usage metrics for {aws} Fargate. -[[fargate-application-metrics,fargate-application-metrics.title]] +[#fargate-application-metrics] == Application metrics For applications running on Amazon EKS and {aws} Fargate, you can use the {aws} Distro for [.noloc]`OpenTelemetry` (ADOT). ADOT allows you to collect system metrics and send them to CloudWatch Container Insights dashboards. To get started with ADOT for applications running on Fargate, see https://aws-otel.github.io/docs/getting-started/container-insights[Using CloudWatch Container Insights with {aws} Distro for OpenTelemetry] in the ADOT documentation. -[[fargate-usage-metrics,fargate-usage-metrics.title]] +[#fargate-usage-metrics] == Usage metrics You can use CloudWatch usage metrics to provide visibility into your account's usage of resources. Use these metrics to visualize your current service usage on CloudWatch graphs and dashboards. @@ -65,7 +65,7 @@ Fargate On-Demand usage combines Amazon EKS [.noloc]`Pods` using Fargate, Amazon |The class of resource being tracked. Currently, {aws} Fargate doesn't use the class dimension. |=== -[[service-quota-alarm,service-quota-alarm.title]] +[#service-quota-alarm] === Creating a CloudWatch alarm to monitor Fargate resource usage metrics {aws} Fargate provides CloudWatch usage metrics that correspond to the {aws} service quotas for Fargate On-Demand resource usage. In the Service Quotas console, you can visualize your usage on a graph. You can also configure alarms that alert you when your usage approaches a service quota. For more information, see <>. diff --git a/latest/ug/nodes/node-health.adoc b/latest/ug/nodes/node-health.adoc index 228fa78f2..8dfd3513f 100644 --- a/latest/ug/nodes/node-health.adoc +++ b/latest/ug/nodes/node-health.adoc @@ -1,5 +1,5 @@ [.topic] -[[node-health,node-health.title]] +[#node-health] = Enable node auto repair and investigate node health issues :info_titleabbrev: Node health @@ -18,14 +18,14 @@ Node health refers to the operational status and capability of a node to effecti To help with maintaining healthy nodes, Amazon EKS offers the node monitoring agent and node auto repair. -[[node-monitoring-agent,node-monitoring-agent.title]] +[#node-monitoring-agent] == Node monitoring agent The node monitoring agent automatically reads node logs to detect certain health issues. It parses through node logs to detect failures and surfaces various status information about worker nodes. A dedicated `NodeCondition` is applied on the worker nodes for each category of issues detected, such as storage and networking issues. Descriptions of detected health issues are made available in the observability dashboard. For more information, see <>. The node monitoring agent is included as a capability for all Amazon EKS Auto Mode clusters. For other cluster types, you can add the monitoring agent as an Amazon EKS add-on. For more information, see <>. -[[node-auto-repair,node-auto-repair.title]] +[#node-auto-repair] == Node auto repair Node auto repair is an additional feature that continuously monitors the health of nodes, automatically reacting to detected problems and replacing nodes when possible. This helps overall availability of the cluster with minimal manual intervention. If a health check fails, the node is automatically cordoned so that no new Pods are scheduled on the node. @@ -47,7 +47,7 @@ You can enable node auto repair when creating or editing a managed node group. * For an example `eksctl` `ClusterConfig` that uses a managed node group with node auto repair, see link:https://github.com/eksctl-io/eksctl/blob/main/examples/44-node-repair.yaml[44-node-repair.yaml] on GitHub. -[[node-health-issues,node-health-issues.title]] +[#node-health-issues] == Node health issues The following tables describe node health issues that can be detected by the node monitoring agent. There are two types of issues: @@ -56,7 +56,7 @@ The following tables describe node health issues that can be detected by the nod * Event – A temporary issue or sub-optimal node configuration. No auto repair action will take place. For more information, see <>. -[[node-health-kernel,node-health-kernel.title]] +[#node-health-kernel] === Kernel node health issues [cols="3", options="header"] @@ -112,7 +112,7 @@ The following tables describe node health issues that can be detected by the nod |=== -[[node-health-networking,node-health-networking.title]] +[#node-health-networking] === Networking node health issues [cols="3", options="header"] @@ -196,7 +196,7 @@ The following tables describe node health issues that can be detected by the nod |=== -[[node-health-neuron,node-health-neuron.title]] +[#node-health-neuron] === Neuron node health issues [cols="3", options="header"] @@ -224,7 +224,7 @@ The following tables describe node health issues that can be detected by the nod |=== -[[node-health-nvidia,node-health-nvidia.title]] +[#node-health-nvidia] === NVIDIA node health issues If auto repair is enabled, the repair actions that are listed start 10 minutes after the issue is detected. For more information on XID errors, see link:https://docs.nvidia.com/deploy/xid-errors/index.html#topic_5_1[Xid Errors] in the _NVIDIA GPU Deployment and Management Documentation_. For more information on the individual XID messages, see link:https://docs.nvidia.com/deploy/gpu-debug-guidelines/index.html#understanding-xid-messages[Understanding Xid Messages] in the _NVIDIA GPU Deployment and Management Documentation_. @@ -324,7 +324,7 @@ If auto repair is enabled, the repair actions that are listed start 10 minutes a |=== -[[node-health-runtime,node-health-runtime.title]] +[#node-health-runtime] === Runtime node health issues [cols="3", options="header"] @@ -364,7 +364,7 @@ If auto repair is enabled, the repair actions that are listed start 10 minutes a |=== -[[node-health-storage,node-health-storage.title]] +[#node-health-storage] === Storage node health issues [cols="3", options="header"] diff --git a/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc b/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc index 1e9ab04da..d9e4cd82e 100644 --- a/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc +++ b/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc @@ -1,5 +1,5 @@ [.topic] -[[retrieve-ami-id-bottlerocket,retrieve-ami-id-bottlerocket.title]] +[#retrieve-ami-id-bottlerocket] = Retrieve recommended [.noloc]`Bottlerocket` AMI IDs :info_titleabbrev: Get latest IDs diff --git a/latest/ug/nodes/retrieve-ami-id.adoc b/latest/ug/nodes/retrieve-ami-id.adoc index 7e32f0a86..a3070fe6c 100644 --- a/latest/ug/nodes/retrieve-ami-id.adoc +++ b/latest/ug/nodes/retrieve-ami-id.adoc @@ -1,5 +1,5 @@ [.topic] -[[retrieve-ami-id,retrieve-ami-id.title]] +[#retrieve-ami-id] = Retrieve recommended Amazon Linux AMI IDs :info_titleabbrev: Get latest IDs diff --git a/latest/ug/nodes/retrieve-windows-ami-id.adoc b/latest/ug/nodes/retrieve-windows-ami-id.adoc index 9f862b791..22ce081f5 100644 --- a/latest/ug/nodes/retrieve-windows-ami-id.adoc +++ b/latest/ug/nodes/retrieve-windows-ami-id.adoc @@ -1,5 +1,5 @@ [.topic] -[[retrieve-windows-ami-id,retrieve-windows-ami-id.title]] +[#retrieve-windows-ami-id] = Retrieve recommended [.noloc]`Microsoft Windows` AMI IDs :info_titleabbrev: Get latest IDs diff --git a/latest/ug/nodes/self-managed-windows-server-2022.adoc b/latest/ug/nodes/self-managed-windows-server-2022.adoc index b0a7dc01c..002ee2895 100644 --- a/latest/ug/nodes/self-managed-windows-server-2022.adoc +++ b/latest/ug/nodes/self-managed-windows-server-2022.adoc @@ -1,5 +1,5 @@ [.topic] -[[self-managed-windows-server-2022,self-managed-windows-server-2022.title]] +[#self-managed-windows-server-2022] = Create self-managed [.noloc]`Windows` Server 2022 nodes with `eksctl` :info_titleabbrev: Windows Server 2022 diff --git a/latest/ug/nodes/update-managed-node-group.adoc b/latest/ug/nodes/update-managed-node-group.adoc index 07390745e..499d9c201 100644 --- a/latest/ug/nodes/update-managed-node-group.adoc +++ b/latest/ug/nodes/update-managed-node-group.adoc @@ -1,5 +1,5 @@ [.topic] -[[update-managed-node-group,update-managed-node-group.title]] +[#update-managed-node-group] = Update a managed node group for your cluster :info_titleabbrev: Update @@ -33,7 +33,7 @@ If there's a newer AMI release version for your managed node group's [.noloc]`Ku When a node in a managed node group is terminated due to a scaling operation or update, the [.noloc]`Pods` in that node are drained first. For more information, see <>. -[[mng-update,mng-update.title]] +[#mng-update] == Update a node group version You can update a node group version with either of the following: @@ -96,7 +96,7 @@ You won't see a notification for node groups that were deployed with a custom AM . Choose *Update*. -[[mng-edit,mng-edit.title]] +[#mng-edit] == Edit a node group configuration You can modify some of the configurations of a managed node group. diff --git a/latest/ug/nodes/update-stack.adoc b/latest/ug/nodes/update-stack.adoc index 53e951d52..a1cc8967f 100644 --- a/latest/ug/nodes/update-stack.adoc +++ b/latest/ug/nodes/update-stack.adoc @@ -1,6 +1,6 @@ include::../attributes.txt[] [.topic] -[[update-stack,update-stack.title]] +[#update-stack] = Update an {aws} CloudFormation node stack :info_titleabbrev: CloudFormation stack diff --git a/latest/ug/nodes/update-workers.adoc b/latest/ug/nodes/update-workers.adoc index da3a40785..61820a8a5 100644 --- a/latest/ug/nodes/update-workers.adoc +++ b/latest/ug/nodes/update-workers.adoc @@ -1,5 +1,5 @@ [.topic] -[[update-workers,update-workers.title]] +[#update-workers] = Update self-managed nodes for your cluster :info_titleabbrev: Update methods diff --git a/latest/ug/nodes/worker.adoc b/latest/ug/nodes/worker.adoc index 56ab26686..9fa5c9a39 100644 --- a/latest/ug/nodes/worker.adoc +++ b/latest/ug/nodes/worker.adoc @@ -1,5 +1,5 @@ [.topic] -[[worker,worker.title]] +[#worker] = Maintain nodes yourself with self-managed nodes :info_titleabbrev: Self-managed nodes :keywords: self-managed, node diff --git a/latest/ug/observability/cloudwatch.adoc b/latest/ug/observability/cloudwatch.adoc index 81e89cf56..4569ad09c 100644 --- a/latest/ug/observability/cloudwatch.adoc +++ b/latest/ug/observability/cloudwatch.adoc @@ -1,5 +1,5 @@ [.topic] -[[cloudwatch,cloudwatch.title]] +[#cloudwatch] = Monitor cluster data with Amazon CloudWatch :info_titleabbrev: Amazon CloudWatch :keywords: CloudWatch, observability, operator, add-on @@ -13,7 +13,7 @@ With Amazon CloudWatch, you can view metrics, real-time logs, and trace data. Amazon CloudWatch is a monitoring service that collects metrics and logs from your cloud resources. CloudWatch provides some basic Amazon EKS metrics for free when using a new cluster that is version `1.28` and above. However, when using the CloudWatch Observability Operator as an Amazon EKS add-on, you can gain enhanced observability features. -[[cloudwatch-basic-metrics,cloudwatch-basic-metrics.title]] +[#cloudwatch-basic-metrics] == Basic metrics in Amazon CloudWatch For clusters that are Kubernetes version `1.28` and above, you get CloudWatch vended metrics for free in the `AWS/EKS` namespace. The following table gives a list of the basic metrics that are available for the supported versions. Every metric listed has a frequency of one minute. @@ -254,7 +254,7 @@ For clusters that are Kubernetes version `1.28` and above, you get CloudWatch ve |=== -[[cloudwatch-operator,cloudwatch-operator.title]] +[#cloudwatch-operator] == Amazon CloudWatch Observability Operator Amazon CloudWatch Observability collects real-time logs, metrics, and trace data. It sends them to link:AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html[Amazon CloudWatch,type="documentation"] and link:xray/latest/devguide/aws-xray.html[{aws} X-Ray,type="documentation"]. You can install this add-on to enable both CloudWatch Application Signals and CloudWatch Container Insights with enhanced observability for Amazon EKS. This helps you monitor the health and performance of your infrastructure and containerized applications. The Amazon CloudWatch Observability Operator is designed to install and configure the necessary components. diff --git a/latest/ug/observability/control-plane-logs.adoc b/latest/ug/observability/control-plane-logs.adoc index 39c652ada..55122e6e2 100644 --- a/latest/ug/observability/control-plane-logs.adoc +++ b/latest/ug/observability/control-plane-logs.adoc @@ -1,5 +1,5 @@ [.topic] -[[control-plane-logs,control-plane-logs.title]] +[#control-plane-logs] = Send control plane logs to CloudWatch Logs :info_titleabbrev: Control plane logs :keywords: control plane, logging, API, logs @@ -41,7 +41,7 @@ The controller manager manages the core control loops that are shipped with [.no The scheduler component manages when and where to run [.noloc]`Pods` in your cluster. For more information, see https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/[kube-scheduler] in the [.noloc]`Kubernetes` documentation. -[[enabling-control-plane-log-export,enabling-control-plane-log-export.title]] +[#enabling-control-plane-log-export] == Enable or disable control plane logs By default, cluster control plane logs aren't sent to CloudWatch Logs. You must enable each log type individually to send logs for your cluster. CloudWatch Logs ingestion, archive storage, and data scanning rates apply to enabled control plane logs. For more information, see link:cloudwatch/pricing/[CloudWatch pricing,type="marketing"]. @@ -50,7 +50,7 @@ To update the control plane logging configuration, Amazon EKS requires up to fiv You can enable or disable control plane logs with either the <> or the <>. -[[control-plane-console,control-plane-console.title]] +[#control-plane-console] === {aws-management-console} . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. . Choose the name of the cluster to display your cluster information. @@ -59,7 +59,7 @@ You can enable or disable control plane logs with either the <>. -[[observability-control-plane,observability-control-plane.title]] +[#observability-control-plane] == Control plane monitoring The *Control plane monitoring* tab is divided into three sections, each of which help you to monitor and troubleshoot your cluster's control plane. -[[observability-metrics,observability-metrics.title]] +[#observability-metrics] === Metrics For clusters that are [.noloc]`Kubernetes` version `1.28` and above, the *Metrics* section shows graphs of several metrics gathered for various control plane components. @@ -86,7 +86,7 @@ The following table describes available metrics. |=== -[[observability-log-insights,observability-log-insights.title]] +[#observability-log-insights] === CloudWatch Log Insights The *CloudWatch Log Insights* section shows various lists based on the control plane audit logs. The Amazon EKS control plane logs need to be turned on to use this feature, which you can do from the *View control plane logs in CloudWatch* section. @@ -94,13 +94,13 @@ When enough time has passed to collect data, you can *Run all queries* or choose For more information, see link:AmazonCloudWatch/latest/logs/AnalyzingLogData.html[Analyzing log data with CloudWatch Logs Insights,type="documentation"] in the Amazon CloudWatch Logs User Guide. -[[observability-cp-logs,observability-cp-logs.title]] +[#observability-cp-logs] === View control plane logs in CloudWatch Choose *Manage logging* to update the log types that are available. It takes several minutes for the logs to appear in CloudWatch Logs after you enable logging. When enough time has passed, choose any of the *View* links in this section to navigate to the applicable log. For more information, see <>. -[[observability-cluster-insights,observability-cluster-insights.title]] +[#observability-cluster-insights] == Cluster insights The *Upgrade insights* table both surfaces issues and recommends corrective actions, accelerating the validation process for upgrading to new Kubernetes versions. Amazon EKS automatically scans clusters against a list of potential Kubernetes version upgrade impacting issues. The *Upgrade insights* table lists the insight checks performed by Amazon EKS against this cluster, along with their associated statuses. @@ -109,7 +109,7 @@ Amazon EKS maintains and periodically refreshes the list of insight checks to be For more information, see <>. -[[observability-node-health-issues,observability-node-health-issues.title]] +[#observability-node-health-issues] == Node health issues The Amazon EKS node monitoring agent automatically reads node logs to detect health issues. Regardless of the auto repair setting, all node health issues are reported so that you can investigate as needed. If an issue type is listed without a description, you can read the description in its popover element. diff --git a/latest/ug/observability/opentelemetry.adoc b/latest/ug/observability/opentelemetry.adoc index f9bdd62ea..f0568e7b7 100644 --- a/latest/ug/observability/opentelemetry.adoc +++ b/latest/ug/observability/opentelemetry.adoc @@ -1,5 +1,5 @@ [.topic] -[[opentelemetry,opentelemetry.title]] +[#opentelemetry] = Send metric and trace data with ADOT Operator :info_titleabbrev: ADOT Operator :keywords: ADOT diff --git a/latest/ug/observability/prometheus.adoc b/latest/ug/observability/prometheus.adoc index 3011a7141..63912db89 100644 --- a/latest/ug/observability/prometheus.adoc +++ b/latest/ug/observability/prometheus.adoc @@ -1,5 +1,5 @@ [.topic] -[[prometheus,prometheus.title]] +[#prometheus] = Monitor your cluster metrics with [.noloc]`Prometheus` :info_titleabbrev: Prometheus metrics :keywords: Prometheus, metrics, control plane @@ -21,7 +21,7 @@ There are several different options for using [.noloc]`Prometheus` with Amazon E * You can deploy [.noloc]`Prometheus` using [.noloc]`Helm`. For more information, see <>. * You can view control plane raw metrics in [.noloc]`Prometheus` format. For more information, see <>. -[[turn-on-prometheus-metrics,turn-on-prometheus-metrics.title]] +[#turn-on-prometheus-metrics] == Step 1: Turn on [.noloc]`Prometheus` metrics [IMPORTANT] @@ -71,12 +71,12 @@ Amazon Managed Service for Prometheus refers to the agentless scraper that is cr ==== -[[use-prometheus-metrics,use-prometheus-metrics.title]] +[#use-prometheus-metrics] == Step 2: Use the [.noloc]`Prometheus` metrics For more information about how to use the [.noloc]`Prometheus` metrics after you turn them on for your cluster, see the link:prometheus/latest/userguide/what-is-Amazon-Managed-Service-Prometheus.html[Amazon Managed Service for Prometheus User Guide,type="documentation"]. -[[viewing-prometheus-scraper-details,viewing-prometheus-scraper-details.title]] +[#viewing-prometheus-scraper-details] == Step 3: Manage [.noloc]`Prometheus` scrapers To manage scrapers, choose the *Observability* tab in the Amazon EKS console. A table shows a list of scrapers for the cluster, including information such as the scraper ID, alias, status, and creation date. You can add more scrapers, delete scrapers, or view more information about the current scrapers. diff --git a/latest/ug/observability/service-name-info-in-cloudtrail.adoc b/latest/ug/observability/service-name-info-in-cloudtrail.adoc index 2d99f1443..65202092d 100644 --- a/latest/ug/observability/service-name-info-in-cloudtrail.adoc +++ b/latest/ug/observability/service-name-info-in-cloudtrail.adoc @@ -1,6 +1,6 @@ include::../attributes.txt[] [.topic] -[[service-name-info-in-cloudtrail,service-name-info-in-cloudtrail.title]] +[#service-name-info-in-cloudtrail] = View helpful references for {aws} CloudTrail :info_titleabbrev: References diff --git a/latest/ug/observability/understanding-service-name-entries.adoc b/latest/ug/observability/understanding-service-name-entries.adoc index 762a68251..aabee4fc6 100644 --- a/latest/ug/observability/understanding-service-name-entries.adoc +++ b/latest/ug/observability/understanding-service-name-entries.adoc @@ -1,6 +1,6 @@ include::../attributes.txt[] [.topic] -[[understanding-service-name-entries,understanding-service-name-entries.title]] +[#understanding-service-name-entries] = Analyze {aws} CloudTrail log file entries :info_titleabbrev: Log file entries @@ -69,7 +69,7 @@ The following example shows a CloudTrail log entry that demonstrates the link:e ---- -[[eks-service-linked-role-ct,eks-service-linked-role-ct.title]] +[#eks-service-linked-role-ct] == Log Entries for Amazon EKS Service Linked Roles The Amazon EKS service linked roles make API calls to {aws} resources. CloudTrail log entries with `username: AWSServiceRoleForAmazonEKS` and `username: AWSServiceRoleForAmazonEKSNodegroup` appears for calls made by the Amazon EKS service linked roles. For more information about Amazon EKS and service linked roles, see <>. diff --git a/latest/ug/observability/view-raw-metrics.adoc b/latest/ug/observability/view-raw-metrics.adoc index 029c74d68..0cbbe652b 100644 --- a/latest/ug/observability/view-raw-metrics.adoc +++ b/latest/ug/observability/view-raw-metrics.adoc @@ -1,5 +1,5 @@ [.topic] -[[view-raw-metrics,view-raw-metrics.title]] +[#view-raw-metrics] = Fetch control plane raw metrics in [.noloc]`Prometheus` format :info_titleabbrev: Control plane @@ -27,7 +27,7 @@ This command allows you to pass any endpoint path and returns the raw response. metric_name{tag="value"[,...]} value ---- -[[fetch-metrics,fetch-metrics.title]] +[#fetch-metrics] == Fetch metrics from the API server The general API server endpoint is exposed on the Amazon EKS control plane. This endpoint is primarily useful when looking at a specific metric. @@ -61,7 +61,7 @@ ssh_tunnel_open_fail_count 0 This raw output returns verbatim what the API server exposes. -[[fetch-metrics-prometheus,fetch-metrics-prometheus.title]] +[#fetch-metrics-prometheus] == Fetch control plane metrics with `metrics.eks.amazonaws.com` For clusters that are [.noloc]`Kubernetes` version `1.28` and above, Amazon EKS also exposes metrics under the API group `metrics.eks.amazonaws.com`. These metrics include control plane components such as `kube-scheduler` and `kube-controller-manager`. @@ -71,7 +71,7 @@ For clusters that are [.noloc]`Kubernetes` version `1.28` and above, Amazon EKS If you have a webhook configuration that could block the creation of the new `APIService` resource `v1.metrics.eks.amazonaws.com` on your cluster, the metrics endpoint feature might not be available. You can verify that in the `kube-apiserver` audit log by searching for the `v1.metrics.eks.amazonaws.com` keyword. ==== -[[fetch-metrics-scheduler,fetch-metrics-scheduler.title]] +[#fetch-metrics-scheduler] === Fetch `kube-scheduler` metrics To retrieve `kube-scheduler` metrics, use the following command. @@ -101,7 +101,7 @@ scheduler_pod_scheduling_attempts_bucket{le="+Inf"} 81 [...] ---- -[[fetch-metrics-controller,fetch-metrics-controller.title]] +[#fetch-metrics-controller] === Fetch `kube-controller-manager` metrics To retrieve `kube-controller-manager` metrics, use the following command. @@ -133,7 +133,7 @@ workqueue_work_duration_seconds_sum{name="replicaset"} 4.265655885000002 [...] ---- -[[scheduler-controller-metrics,scheduler-controller-metrics.title]] +[#scheduler-controller-metrics] === Understand the scheduler and controller manager metrics The following table describes the scheduler and controller manager metrics that are made available for [.noloc]`Prometheus` style scraping. For more information about these metrics, see https://kubernetes.io/docs/reference/instrumentation/metrics/[Kubernetes Metrics Reference] in the [.noloc]`Kubernetes` documentation. @@ -202,7 +202,7 @@ The following table describes the scheduler and controller manager metrics that |=== -[[deploy-prometheus-scraper,deploy-prometheus-scraper.title]] +[#deploy-prometheus-scraper] == Deploy a Prometheus scraper to consistently scrape metrics To deploy a Prometheus scraper to consistently scrape the metrics, use the following configuration: diff --git a/latest/ug/outposts/eks-outposts-capacity-considerations.adoc b/latest/ug/outposts/eks-outposts-capacity-considerations.adoc index 286bfe026..715540914 100644 --- a/latest/ug/outposts/eks-outposts-capacity-considerations.adoc +++ b/latest/ug/outposts/eks-outposts-capacity-considerations.adoc @@ -1,7 +1,7 @@ include::../attributes.txt[] [.topic] -[[eks-outposts-capacity-considerations,eks-outposts-capacity-considerations.title]] +[#eks-outposts-capacity-considerations] = Select instance types and placement groups for Amazon EKS clusters on {aws} Outposts based on capacity considerations :info_titleabbrev: Capacity considerations @@ -42,7 +42,7 @@ The instance sizes must be slotted on your Outposts. Make sure that you have eno The storage for the [.noloc]`Kubernetes` control plane requires 246 GB of Amazon EBS storage for each local cluster to meet the required IOPS for `etcd`. When the local cluster is created, the Amazon EBS volumes are provisioned automatically for you. -[[outpost-capacity-considerations-control-plane-placement,outpost-capacity-considerations-control-plane-placement.title]] +[#outpost-capacity-considerations-control-plane-placement] == Control plane placement When you don't specify a placement group with the `OutpostConfig.ControlPlanePlacement.GroupName` property, the Amazon EC2 instances provisioned for your [.noloc]`Kubernetes` control plane don't receive any specific hardware placement enforcement across the underlying capacity available on your Outpost. diff --git a/latest/ug/outposts/eks-outposts-local-cluster-create.adoc b/latest/ug/outposts/eks-outposts-local-cluster-create.adoc index 28d62c0c9..515c171e0 100644 --- a/latest/ug/outposts/eks-outposts-local-cluster-create.adoc +++ b/latest/ug/outposts/eks-outposts-local-cluster-create.adoc @@ -1,7 +1,7 @@ include::../attributes.txt[] [.topic] -[[eks-outposts-local-cluster-create,eks-outposts-local-cluster-create.title]] +[#eks-outposts-local-cluster-create] = Deploy an Amazon EKS cluster on {aws} Outposts :info_titleabbrev: Deploy a local cluster @@ -228,7 +228,7 @@ kubernetes ClusterIP 10.100.0.1 443/TCP 28h . (Optional) Test authentication to your local cluster when it's in a disconnected state from the {aws} Cloud. For instructions, see <>. -[[outposts-control-plan-internal-resources,outposts-control-plan-internal-resources.title]] +[#outposts-control-plan-internal-resources] === Internal resources Amazon EKS creates the following resources on your cluster. The resources are for Amazon EKS internal use. For proper functioning of your cluster, don't edit or modify these resources. diff --git a/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc b/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc index 41f72d20b..034e4bcb9 100644 --- a/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc +++ b/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc @@ -1,7 +1,7 @@ include::../attributes.txt[] [.topic] -[[eks-outposts-local-cluster-overview,eks-outposts-local-cluster-overview.title]] +[#eks-outposts-local-cluster-overview] = Create local Amazon EKS clusters on {aws} Outposts for high availability :info_titleabbrev: Run local clusters @@ -30,7 +30,7 @@ image::images/outposts-local-cluster.png[Outpost local cluster,scaledwidth=100%] Local clusters are generally available for use with Outposts racks. -[[outposts-control-plane-supported-regions,outposts-control-plane-supported-regions.title]] +[#outposts-control-plane-supported-regions] == Supported {aws} Regions You can create local clusters in the following {aws} Regions: US East (Ohio), US East (N. Virginia), US West (N. California), US West (Oregon), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), Europe (Frankfurt), Europe (Ireland), Europe (London), Middle East (Bahrain), and South America (São Paulo). For detailed information about supported features, see <>. diff --git a/latest/ug/outposts/eks-outposts-network-disconnects.adoc b/latest/ug/outposts/eks-outposts-network-disconnects.adoc index 1ae47433b..4cf34f1e7 100644 --- a/latest/ug/outposts/eks-outposts-network-disconnects.adoc +++ b/latest/ug/outposts/eks-outposts-network-disconnects.adoc @@ -1,7 +1,7 @@ include::../attributes.txt[] [.topic] -[[eks-outposts-network-disconnects,eks-outposts-network-disconnects.title]] +[#eks-outposts-network-disconnects] = Prepare local Amazon EKS clusters on {aws} Outposts for network disconnects :info_titleabbrev: Prepare for disconnects @@ -28,7 +28,7 @@ If your local network has lost connectivity with the {aws} Cloud, you can contin * The [.noloc]`Amazon VPC CNI plugin for Kubernetes` defaults to https://aws.github.io/aws-eks-best-practices/networking/vpc-cni/#overview[secondary IP mode]. It's configured with `WARM_ENI_TARGET`=``1``, which allows the plugin to keep "a full elastic network interface" of available IP addresses available. Consider changing `WARM_ENI_TARGET`, `WARM_IP_TARGET`, and `MINIMUM_IP_TARGET` values according to your scaling needs during a disconnected state. For more information, see the https://github.com/aws/amazon-vpc-cni-k8s/blob/master/README.md[readme] file for the plugin on GitHub. For a list of the maximum number of [.noloc]`Pods` that's supported by each instance type, see the https://github.com/aws/amazon-vpc-cni-k8s/blob/master/misc/eni-max-pods.txt[eni-max-pods.txt] file on GitHub. -[[outposts-network-disconnects-authentication,outposts-network-disconnects-authentication.title]] +[#outposts-network-disconnects-authentication] == Authenticating to your local cluster during a network disconnect [abstract] diff --git a/latest/ug/outposts/eks-outposts-platform-versions.adoc b/latest/ug/outposts/eks-outposts-platform-versions.adoc index 27fd43431..4a0f24924 100644 --- a/latest/ug/outposts/eks-outposts-platform-versions.adoc +++ b/latest/ug/outposts/eks-outposts-platform-versions.adoc @@ -1,7 +1,7 @@ include::../attributes.txt[] [.topic] -[[eks-outposts-platform-versions,eks-outposts-platform-versions.title]] +[#eks-outposts-platform-versions] = Learn [.noloc]`Kubernetes` and Amazon EKS platform versions for {aws} Outposts :info_titleabbrev: EKS platform versions @@ -28,7 +28,7 @@ Local clusters are always created with the latest available platform version (`e The current and recent platform versions are described in the following tables. -[[outposts-platform-versions-1.30,outposts-platform-versions-1.30.title]] +[#outposts-platform-versions-1-30] == [.noloc]`Kubernetes` version `1.30` The following admission controllers are enabled for all `1.30` platform versions: `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `DefaultStorageClass`, `DefaultTolerationSeconds`, `ExtendedResourceToleration`, `LimitRanger`, `MutatingAdmissionWebhook`, `NamespaceLifecycle`, `NodeRestriction`, `PersistentVolumeClaimResize`, `Priority`, `PodSecurity`, `ResourceQuota`, `RuntimeClass`, `ServiceAccount`, `StorageObjectInUseProtection`, `TaintNodesByCondition`, `ValidatingAdmissionPolicy`, and `ValidatingAdmissionWebhook`. @@ -51,7 +51,7 @@ The following admission controllers are enabled for all `1.30` platform versions |November 13, 2024 |=== -[[outposts-platform-versions-1.29,outposts-platform-versions-1.29.title]] +[#outposts-platform-versions-1-29] == [.noloc]`Kubernetes` version `1.29` The following admission controllers are enabled for all `1.29` platform versions: `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `DefaultStorageClass`, `DefaultTolerationSeconds`, `ExtendedResourceToleration`, `LimitRanger`, `MutatingAdmissionWebhook`, `NamespaceLifecycle`, `NodeRestriction`, `PersistentVolumeClaimResize`, `Priority`, `PodSecurity`, `ResourceQuota`, `RuntimeClass`, `ServiceAccount`, `StorageObjectInUseProtection`, `TaintNodesByCondition`, `ValidatingAdmissionPolicy`, and `ValidatingAdmissionWebhook`. @@ -89,7 +89,7 @@ The following admission controllers are enabled for all `1.29` platform versions |August 20, 2024 |=== -[[outposts-platform-versions-1.28,outposts-platform-versions-1.28.title]] +[#outposts-platform-versions-1-28] == [.noloc]`Kubernetes` version `1.28` The following admission controllers are enabled for all `1.28` platform versions: `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `DefaultStorageClass`, `DefaultTolerationSeconds`, `ExtendedResourceToleration`, `LimitRanger`, `MutatingAdmissionWebhook`, `NamespaceLifecycle`, `NodeRestriction`, `PersistentVolumeClaimResize`, `Priority`, `PodSecurity`, `ResourceQuota`, `RuntimeClass`, `ServiceAccount`, `StorageObjectInUseProtection`, `TaintNodesByCondition`, `ValidatingAdmissionPolicy`, and `ValidatingAdmissionWebhook`. @@ -157,7 +157,7 @@ The following admission controllers are enabled for all `1.28` platform versions |October 4, 2023 |=== -[[outposts-platform-versions-1.27,outposts-platform-versions-1.27.title]] +[#outposts-platform-versions-1-27] == [.noloc]`Kubernetes` version `1.27` The following admission controllers are enabled for all `1.27` platform versions: `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `DefaultStorageClass`, `DefaultTolerationSeconds`, `ExtendedResourceToleration`, `LimitRanger`, `MutatingAdmissionWebhook`, `NamespaceLifecycle`, `NodeRestriction`, `PersistentVolumeClaimResize`, `Priority`, `PodSecurity`, `ResourceQuota`, `RuntimeClass`, `ServiceAccount`, `StorageObjectInUseProtection`, `TaintNodesByCondition`, `ValidatingAdmissionPolicy`, and `ValidatingAdmissionWebhook`. diff --git a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc index 2c3954837..44c56a1fb 100644 --- a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc +++ b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc @@ -1,7 +1,7 @@ include::../attributes.txt[] [.topic] -[[eks-outposts-self-managed-nodes,eks-outposts-self-managed-nodes.title]] +[#eks-outposts-self-managed-nodes] = Create Amazon Linux nodes on {aws} Outposts :info_titleabbrev: Nodes :keywords: launch, start, self-managed, Linux, node diff --git a/latest/ug/outposts/eks-outposts-troubleshooting.adoc b/latest/ug/outposts/eks-outposts-troubleshooting.adoc index 6e0b91852..3a9d02e91 100644 --- a/latest/ug/outposts/eks-outposts-troubleshooting.adoc +++ b/latest/ug/outposts/eks-outposts-troubleshooting.adoc @@ -1,7 +1,7 @@ include::../attributes.txt[] [.topic] -[[eks-outposts-troubleshooting,eks-outposts-troubleshooting.title]] +[#eks-outposts-troubleshooting] = Troubleshoot local Amazon EKS clusters on {aws} Outposts :info_titleabbrev: Troubleshoot clusters @@ -13,7 +13,7 @@ Learn how to troubleshoot common issues with Amazon EKS local clusters on {aws} This topic covers some common errors that you might see while using local clusters and how to troubleshoot them. Local clusters are similar to Amazon EKS clusters in the cloud, but there are some differences in how they're managed by Amazon EKS. -[[outposts-troubleshooting-api-behavior,outposts-troubleshooting-api-behavior.title]] +[#outposts-troubleshooting-api-behavior] .API behavior [%collapsible] ==== @@ -23,7 +23,7 @@ Local clusters are created through the Amazon EKS API, but are run in an asynchr Local clusters don't transition to a `FAILED` status. Amazon EKS attempts to reconcile the cluster state with the user-requested desired state in a continuous manner. As a result, a local cluster might remain in the `CREATING` state for an extended period of time until the underlying issue is resolved. ==== -[[outposts-troubleshooting-describe-cluster-health-field,outposts-troubleshooting-describe-cluster-health-field.title]] +[#outposts-troubleshooting-describe-cluster-health-field] .Describe cluster health field [%collapsible] ==== @@ -196,7 +196,7 @@ The following table lists errors from other {aws} services that are presented in |=== ==== -[[outposts-troubleshooting-unable-to-create-or-modify-clusters,outposts-troubleshooting-unable-to-create-or-modify-clusters.title]] +[#outposts-troubleshooting-unable-to-create-or-modify-clusters] .Unable to create or modify clusters [%collapsible] ==== @@ -204,7 +204,7 @@ The following table lists errors from other {aws} services that are presented in Local clusters require different permissions and policies than Amazon EKS clusters that are hosted in the cloud. When a cluster fails to create and produces an `InvalidPermissions` error, double check that the cluster role that you're using has the <> managed policy attached to it. All other API calls require the same set of permissions as Amazon EKS clusters in the cloud. ==== -[[outposts-troubleshooting-cluster-stuck-in-creating-state,outposts-troubleshooting-cluster-stuck-in-creating-state.title]] +[#outposts-troubleshooting-cluster-stuck-in-creating-state] .Cluster is stuck in `CREATING` state [%collapsible] ==== @@ -229,7 +229,7 @@ The most common issues are the following: Review <>. ==== -[[outposts-troubleshooting-unable-to-join-nodes-to-a-cluster,outposts-troubleshooting-unable-to-join-nodes-to-a-cluster.title]] +[#outposts-troubleshooting-unable-to-join-nodes-to-a-cluster] .Can't join nodes to a cluster [%collapsible] ==== @@ -251,7 +251,7 @@ We don't recommend modifying the default pod security policy. For more informati ==== -[[outposts-troubleshooting-collecting-logs,outposts-troubleshooting-collecting-logs.title]] +[#outposts-troubleshooting-collecting-logs] .Collecting logs [%collapsible] ==== @@ -259,7 +259,7 @@ We don't recommend modifying the default pod security policy. For more informati When an Outpost gets disconnected from the {aws} Region that it's associated with, the [.noloc]`Kubernetes` cluster likely will continue working normally. However, if the cluster doesn't work properly, follow the troubleshooting steps in <>. If you encounter other issues, contact {aws} Support. {aws} Support can guide you on downloading and running a log collection tool. That way, you can collect logs from your [.noloc]`Kubernetes` cluster control plane instances and send them to {aws} Support support for further investigation. ==== -[[outposts-troubleshooting-control-plane-instances-ssm,outposts-troubleshooting-control-plane-instances-ssm.title]] +[#outposts-troubleshooting-control-plane-instances-ssm] .Control plane instances aren't reachable through {aws} Systems Manager [%collapsible] ==== diff --git a/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc b/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc index 6550761af..ec6151e96 100644 --- a/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc +++ b/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc @@ -1,7 +1,7 @@ include::../attributes.txt[] [.topic] -[[eks-outposts-vpc-subnet-requirements,eks-outposts-vpc-subnet-requirements.title]] +[#eks-outposts-vpc-subnet-requirements] = Create a VPC and subnets for Amazon EKS clusters on {aws} Outposts :info_titleabbrev: Create a VPC and subnets @@ -12,7 +12,7 @@ Learn about VPC and subnet requirements and considerations, then to create a VPC When you create a local cluster, you specify a VPC and at least one private subnet that runs on Outposts. This topic provides an overview of the VPC and subnets requirements and considerations for your local cluster. -[[outposts-vpc-requirements,outposts-vpc-requirements.title]] +[#outposts-vpc-requirements] == VPC requirements and considerations When you create a local cluster, the VPC that you specify must meet the following requirements and considerations: @@ -25,7 +25,7 @@ When you create a local cluster, the VPC that you specify must meet the followin * To access your local cluster over your local network, the VPC must be associated with your Outpost's local gateway route table. For more information, see link:outposts/latest/userguide/outposts-local-gateways.html#vpc-associations[VPC associations,type="documentation"] in the {aws} Outposts User Guide. -[[outposts-subnet-requirements,outposts-subnet-requirements.title]] +[#outposts-subnet-requirements] == Subnet requirements and considerations When you create the cluster, specify at least one private subnet. If you specify more than one subnet, the [.noloc]`Kubernetes` control plane instances are evenly distributed across the subnets. If more than one subnet is specified, the subnets must exist on the same Outpost. Moreover, the subnets must also have proper routes and security group permissions to communicate with each other. When you create a local cluster, the subnets that you specify must meet the following requirements: @@ -38,17 +38,17 @@ When you create the cluster, specify at least one private subnet. If you specify * The subnets must use IP address-based naming. Amazon EC2 link:AWSEC2/latest/UserGuide/ec2-instance-naming.html#instance-naming-rbn[resource-based naming,type="documentation"] isn't supported by Amazon EKS. -[[subnet-access-to-services,subnet-access-to-services.title]] +[#subnet-access-to-services] == Subnet access to {aws} services The local cluster's private subnets on Outposts must be able to communicate with Regional {aws} services. You can achieve this by using a link:vpc/latest/userguide/vpc-nat-gateway.html[NAT gateway,type="documentation"] for outbound internet access or, if you want to keep all traffic private within your VPC, using link:vpc/latest/privatelink/create-interface-endpoint.html[interface VPC endpoints,type="documentation"]. -[[subnet-access-nat-gateway,subnet-access-nat-gateway.title]] +[#subnet-access-nat-gateway] === Using a NAT gateway The local cluster's private subnets on Outposts must have an associated route table that has a route to a NAT gateway in a public subnet that is in the Outpost's parent Availability Zone. The public subnet must have a route to an link:vpc/latest/userguide/VPC_Internet_Gateway.html[internet gateway,type="documentation"]. The NAT gateway enables outbound internet access and prevents unsolicited inbound connections from the internet to instances on the Outpost. -[[vpc-subnet-requirements-vpc-endpoints,vpc-subnet-requirements-vpc-endpoints.title]] +[#vpc-subnet-requirements-vpc-endpoints] === Using interface VPC endpoints If the local cluster's private subnets on Outposts don't have an outbound internet connection, or if you want to keep all traffic private within your VPC, then you must create the following interface VPC endpoints and link:vpc/latest/privatelink/gateway-endpoints.html[gateway endpoint,type="documentation"] in a Regional subnet before creating your cluster. @@ -100,7 +100,7 @@ The endpoints must meet the following requirements: Creating endpoints incurs charges. For more information, see link:privatelink/pricing/[{aws} PrivateLink pricing,type="marketing"]. If your [.noloc]`Pods` need access to other {aws} services, then you need to create additional endpoints. For a comprehensive list of endpoints, see link:vpc/latest/privatelink/aws-services-privatelink-support.html[{aws} services that integrate with {aws} PrivateLink,type="documentation"]. -[[outposts-create-vpc,outposts-create-vpc.title]] +[#outposts-create-vpc] == Create a VPC You can create a VPC that meets the previous requirements using one of the following {aws} CloudFormation templates: diff --git a/latest/ug/outposts/eks-outposts.adoc b/latest/ug/outposts/eks-outposts.adoc index b59d5c5fc..5370bb469 100644 --- a/latest/ug/outposts/eks-outposts.adoc +++ b/latest/ug/outposts/eks-outposts.adoc @@ -1,5 +1,5 @@ include::../attributes.txt[] -[[eks-outposts,eks-outposts.title]] +[#eks-outposts] = Deploy Amazon EKS on-premises with {aws} Outposts :doctype: book :sectnums: @@ -33,7 +33,7 @@ The following diagram shows these deployment options. image::images/outposts-deployment-options.png[Outpost deployment options ,scaledwidth=100%] -[[outposts-overview-when-deployment-options,outposts-overview-when-deployment-options.title]] +[#outposts-overview-when-deployment-options] == When to use each deployment option Both local and extended clusters are general-purpose deployment options and can be used for a range of applications. @@ -42,7 +42,7 @@ With local clusters, you can run the entire Amazon EKS cluster locally on Outpos With extended clusters, you can conserve capacity on your Outpost because the [.noloc]`Kubernetes` control plane runs in the parent {aws} Region. This option is suitable if you can invest in reliable, redundant network connectivity from your Outpost to the {aws} Region. The quality of the network connection is critical for this option. The way that [.noloc]`Kubernetes` handles network disconnects between the [.noloc]`Kubernetes` control plane and nodes might lead to application downtime. For more information on the behavior of [.noloc]`Kubernetes`, see https://kubernetes.io/docs/concepts/scheduling-eviction/[Scheduling, Preemption, and Eviction] in the [.noloc]`Kubernetes` documentation. -[[outposts-overview-comparing-deployment-options,outposts-overview-comparing-deployment-options.title]] +[#outposts-overview-comparing-deployment-options] == Comparing the deployment options The following table compares the differences between the two options. diff --git a/latest/ug/quickstart.adoc b/latest/ug/quickstart.adoc index 535db5ff5..9f28653e8 100644 --- a/latest/ug/quickstart.adoc +++ b/latest/ug/quickstart.adoc @@ -1,5 +1,5 @@ [.topic] -[[quickstart,quickstart.title]] +[#quickstart] = Quickstart: Deploy a web app and store data :info_titleabbrev: Quickstart :keywords: quickstart, web, cluster diff --git a/latest/ug/related-projects.adoc b/latest/ug/related-projects.adoc index ad08dc451..64bb8e038 100644 --- a/latest/ug/related-projects.adoc +++ b/latest/ug/related-projects.adoc @@ -1,5 +1,5 @@ include::attributes.txt[] -[[related-projects,related-projects.title]] +[#related-projects] = Extend Amazon EKS capabilities with open source projects :doctype: book :sectnums: @@ -18,12 +18,12 @@ Learn how to use open source projects to add features to Amazon EKS for manageme These open-source projects extend the functionality of [.noloc]`Kubernetes` clusters running on or outside of {aws}, including clusters managed by Amazon EKS. -[[related-management-tools,related-management-tools.title]] +[#related-management-tools] == Management tools Related management tools for Amazon EKS and [.noloc]`Kubernetes` clusters. -[[related-eksctl,related-eksctl.title]] +[#related-eksctl] === eksctl `eksctl` is a simple CLI tool for creating clusters on Amazon EKS. @@ -35,7 +35,7 @@ Related management tools for Amazon EKS and [.noloc]`Kubernetes` clusters. * {aws} open source blog: link:opensource/eksctl-eks-cluster-one-command[eksctl: Amazon EKS cluster with one command,type="blog"] -[[related-aws-controllers,related-aws-controllers.title]] +[#related-aws-controllers] === {aws} controllers for [.noloc]`Kubernetes` With {aws} Controllers for [.noloc]`Kubernetes`, you can create and manage {aws} resources directly from your [.noloc]`Kubernetes` cluster. @@ -46,7 +46,7 @@ With {aws} Controllers for [.noloc]`Kubernetes`, you can create and manage {aws} * {aws} open source blog: link:opensource/aws-service-operator-kubernetes-available[{aws} service operator for Kubernetes now available,type="blog"] -[[related-flux-cd,related-flux-cd.title]] +[#related-flux-cd] === Flux CD Flux is a tool that you can use to manage your cluster configuration using Git. It uses an operator in the cluster to trigger deployments inside of [.noloc]`Kubernetes`. For more information about operators, see https://operatorhub.io/[OperatorHub.io] on [.noloc]`GitHub`. @@ -57,7 +57,7 @@ Flux is a tool that you can use to manage your cluster configuration using Git. * https://docs.fluxcd.io/[Project documentation] -[[related-cdk,related-cdk.title]] +[#related-cdk] === CDK for [.noloc]`Kubernetes` With the CDK for [.noloc]`Kubernetes` (cdk8s), you can define [.noloc]`Kubernetes` apps and components using familiar programming languages. cdk8s apps synthesize into standard [.noloc]`Kubernetes` manifests, which can be applied to any [.noloc]`Kubernetes` cluster. @@ -69,12 +69,12 @@ With the CDK for [.noloc]`Kubernetes` (cdk8s), you can define [.noloc]`Kubernete * {aws} containers blog: link:containers/introducing-cdk8s-intent-driven-apis-for-kubernetes-objects[Introducing cdk8s+: Intent-driven APIs for Kubernetes objects,type="blog"] -[[related-networking,related-networking.title]] +[#related-networking] == Networking Related networking projects for Amazon EKS and [.noloc]`Kubernetes` clusters. -[[related-vpc-cni-k8s,related-vpc-cni-k8s.title]] +[#related-vpc-cni-k8s] === [.noloc]`Amazon VPC CNI plugin for Kubernetes` Amazon EKS supports native VPC networking through the [.noloc]`Amazon VPC CNI plugin for Kubernetes`. The plugin assigns an IP address from your VPC to each [.noloc]`Pod`. @@ -85,7 +85,7 @@ Amazon EKS supports native VPC networking through the [.noloc]`Amazon VPC CNI pl * https://github.com/aws/amazon-vpc-cni-k8s/blob/master/README.md[Project documentation] -[[related-alb-ingress-controller,related-alb-ingress-controller.title]] +[#related-alb-ingress-controller] === [.noloc]`{aws} Load Balancer Controller` for [.noloc]`Kubernetes` The [.noloc]`{aws} Load Balancer Controller` helps manage {aws} Elastic Load Balancers for a [.noloc]`Kubernetes` cluster. It satisfies [.noloc]`Kubernetes` Ingress resources by provisioning {aws} Application Load Balancers. It satisfies [.noloc]`Kubernetes` service resources by provisioning {aws} Network Load Balancers. @@ -96,7 +96,7 @@ The [.noloc]`{aws} Load Balancer Controller` helps manage {aws} Elastic Load Bal * https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/[Project documentation] -[[related-externaldns,related-externaldns.title]] +[#related-externaldns] === ExternalDNS ExternalDNS synchronizes exposed [.noloc]`Kubernetes` services and ingresses with DNS providers including Amazon Route 53 and {aws} Service Discovery. @@ -107,12 +107,12 @@ ExternalDNS synchronizes exposed [.noloc]`Kubernetes` services and ingresses wit * https://github.com/kubernetes-incubator/external-dns/blob/master/docs/tutorials/aws.md[Project documentation] -[[related-machine-learning,related-machine-learning.title]] +[#related-machine-learning] == Machine learning Related machine learning projects for Amazon EKS and [.noloc]`Kubernetes` clusters. -[[related-kubeflow,related-kubeflow.title]] +[#related-kubeflow] === Kubeflow A machine learning toolkit for [.noloc]`Kubernetes`. @@ -124,12 +124,12 @@ A machine learning toolkit for [.noloc]`Kubernetes`. * {aws} open source blog: link:opensource/kubeflow-amazon-eks[Kubeflow on Amazon EKS,type="blog"] -[[related-auto-scaling,related-auto-scaling.title]] +[#related-auto-scaling] == Auto Scaling Related auto scaling projects for Amazon EKS and [.noloc]`Kubernetes` clusters. -[[related-cluster-autoscaler,related-cluster-autoscaler.title]] +[#related-cluster-autoscaler] === Cluster autoscaler Cluster Autoscaler is a tool that automatically adjusts the size of the [.noloc]`Kubernetes` cluster based on CPU and memory pressure. @@ -141,7 +141,7 @@ Cluster Autoscaler is a tool that automatically adjusts the size of the [.noloc] * Amazon EKS workshop: https://www.eksworkshop.com/docs/autoscaling/compute/cluster-autoscaler/[Cluster Autoscaler] -[[related-karpenter,related-karpenter.title]] +[#related-karpenter] === Karpenter Karpenter is a [.noloc]`Kubernetes` Node Autoscaler built for flexibility, performance, and simplicity. @@ -153,7 +153,7 @@ Karpenter is a [.noloc]`Kubernetes` Node Autoscaler built for flexibility, perfo * Amazon EKS workshop: https://www.eksworkshop.com/docs/autoscaling/compute/karpenter/[Karpenter] -[[related-escalator,related-escalator.title]] +[#related-escalator] === Escalator Escalator is a batch or job optimized horizontal autoscaler for [.noloc]`Kubernetes`. @@ -164,12 +164,12 @@ Escalator is a batch or job optimized horizontal autoscaler for [.noloc]`Kuberne * https://github.com/atlassian/escalator/blob/master/docs/README.md[Project documentation] -[[related-monitoring,related-monitoring.title]] +[#related-monitoring] == Monitoring Related monitoring projects for Amazon EKS and [.noloc]`Kubernetes` clusters. -[[related-prometheus,related-prometheus.title]] +[#related-prometheus] === [.noloc]`Prometheus` [.noloc]`Prometheus` is an open-source systems monitoring and alerting toolkit. @@ -181,12 +181,12 @@ Related monitoring projects for Amazon EKS and [.noloc]`Kubernetes` clusters. * Amazon EKS workshop: https://eksworkshop.com/intermediate/240_monitoring/[https://eksworkshop.com/intermediate/240_monitoring/] -[[related-cicd,related-cicd.title]] +[#related-cicd] == Continuous integration / continuous deployment Related CI/CD projects for Amazon EKS and [.noloc]`Kubernetes` clusters. -[[related-jenkinsx,related-jenkinsx.title]] +[#related-jenkinsx] === Jenkins X CI/CD solution for modern cloud applications on Amazon EKS and [.noloc]`Kubernetes` clusters. diff --git a/latest/ug/roadmap.adoc b/latest/ug/roadmap.adoc index 6894f60ad..caa37a4a7 100644 --- a/latest/ug/roadmap.adoc +++ b/latest/ug/roadmap.adoc @@ -1,6 +1,6 @@ include::attributes.txt[] [.topic] -[[roadmap,roadmap.title]] +[#roadmap] = Learn about Amazon EKS new features and roadmap :doctype: book :sectnums: diff --git a/latest/ug/security/auto-security.adoc b/latest/ug/security/auto-security.adoc index 2f4e55323..cbb6d85ea 100644 --- a/latest/ug/security/auto-security.adoc +++ b/latest/ug/security/auto-security.adoc @@ -1,5 +1,5 @@ [.topic] -[[auto-security,auto-security.title]] +[#auto-security] = Security considerations for Amazon EKS Auto Mode :info_titleabbrev: Considerations for EKS Auto @@ -90,7 +90,7 @@ Amazon EKS Auto Mode does not fully manage Amazon Elastic Block Store (Amazon EB * Security group automation for load balancer access control * For more information, see link:elasticloadbalancing/latest/userguide/security.html["Security in Elastic Load Balancing",type="documentation"]. -[[auto-security-bp,auto-security-bp.title]] +[#auto-security-bp] ## Security best practices The following section describes security best practices for Amazon EKS Auto Mode. diff --git a/latest/ug/security/cert-signing.adoc b/latest/ug/security/cert-signing.adoc index 4c8abdd94..b55621662 100644 --- a/latest/ug/security/cert-signing.adoc +++ b/latest/ug/security/cert-signing.adoc @@ -1,5 +1,5 @@ [.topic] -[[cert-signing,cert-signing.title]] +[#cert-signing] = Secure workloads with [.noloc]`Kubernetes` certificates :info_titleabbrev: Certificate signing @@ -28,7 +28,7 @@ NOTE: Client certificate signing is not supported. * CA bit allowed/disallowed: Not allowed -[[csr-example,csr-example.title]] +[#csr-example] == Example CSR generation with signerName These steps shows how to generate a serving certificate for DNS name `myserver.default.svc` using `signerName: beta.eks.amazonaws.com/app-serving`. Use this as a guide for your own environment. @@ -104,7 +104,7 @@ kubectl get csr myserver -o jsonpath='{.status.certificate}'| base64 -d > myserv ---- -[[csr-considerations,csr-considerations.title]] +[#csr-considerations] == Certificate signing considerations before upgrading your cluster to [.noloc]`Kubernetes` 1.24 In [.noloc]`Kubernetes` `1.23` and earlier, `kubelet` serving certificates with unverifiable IP and DNS Subject Alternative Names (SANs) are automatically issued with unverifiable SANs. The SANs are omitted from the provisioned certificate. In `1.24` and later clusters, `kubelet` serving certificates aren't issued if a SAN can't be verified. This prevents the `kubectl exec` and `kubectl logs` commands from working. diff --git a/latest/ug/security/compliance.adoc b/latest/ug/security/compliance.adoc index 579e7fb4d..ccadd2e51 100644 --- a/latest/ug/security/compliance.adoc +++ b/latest/ug/security/compliance.adoc @@ -1,5 +1,5 @@ [.topic] -[[compliance,compliance.title]] +[#compliance] = Compliance validation for Amazon EKS clusters :info_titleabbrev: Validate compliance diff --git a/latest/ug/security/configuration-vulnerability-analysis.adoc b/latest/ug/security/configuration-vulnerability-analysis.adoc index 5143f7c73..f9a11dbb2 100644 --- a/latest/ug/security/configuration-vulnerability-analysis.adoc +++ b/latest/ug/security/configuration-vulnerability-analysis.adoc @@ -1,5 +1,5 @@ [.topic] -[[configuration-vulnerability-analysis,configuration-vulnerability-analysis.title]] +[#configuration-vulnerability-analysis] = Analyze vulnerabilities in Amazon EKS :info_titleabbrev: Analyze vulnerabilities @@ -12,7 +12,7 @@ Learn how to analyze the security configuration and vulnerabilities of your Amaz Security is a critical consideration for configuring and maintaining [.noloc]`Kubernetes` clusters and applications. The following lists resources for you to analyze the security configuration of your EKS clusters, resources for you to check for vulnerabilities, and integrations with {aws} services that can do that analysis for you. -[[configuration-vulnerability-analysis-cis,configuration-vulnerability-analysis-cis.title]] +[#configuration-vulnerability-analysis-cis] == The Center for Internet Security (CIS) benchmark for Amazon EKS The https://www.cisecurity.org/benchmark/kubernetes/[Center for Internet Security (CIS) Kubernetes Benchmark] provides guidance for Amazon EKS security configurations. The benchmark: @@ -26,32 +26,32 @@ To learn more, see link:containers/introducing-cis-amazon-eks-benchmark[Introduc For an automated `aws-sample` pipeline to update your node group with a CIS benchmarked AMI, see https://github.com/aws-samples/pipeline-for-hardening-eks-nodes-and-automating-updates[EKS-Optimized AMI Hardening Pipeline]. -[[configuration-vulnerability-analysis-pv,configuration-vulnerability-analysis-pv.title]] +[#configuration-vulnerability-analysis-pv] == Amazon EKS platform versions Amazon EKS _platform versions_ represent the capabilities of the cluster control plane, including which [.noloc]`Kubernetes` API server flags are enabled and the current [.noloc]`Kubernetes` patch version. New clusters are deployed with the latest platform version. For details, see <>. You can <> to newer [.noloc]`Kubernetes` versions. As new [.noloc]`Kubernetes` versions become available in Amazon EKS, we recommend that you proactively update your clusters to use the latest available version. For more information about [.noloc]`Kubernetes` versions in EKS, see <>. -[[configuration-vulnerability-analysis-os,configuration-vulnerability-analysis-os.title]] +[#configuration-vulnerability-analysis-os] == Operating system vulnerability list -[[configuration-vulnerability-analysis-al2023,configuration-vulnerability-analysis-al2023.title]] +[#configuration-vulnerability-analysis-al2023] === AL2023 vulnerability list Track security or privacy events for Amazon Linux 2023 at the https://alas.aws.amazon.com/alas2023.html[Amazon Linux Security Center] or subscribe to the associated https://alas.aws.amazon.com/AL2023/alas.rss[RSS feed]. Security and privacy events include an overview of the issue affected, packages, and instructions for updating your instances to correct the issue. -[[configuration-vulnerability-analysis-al2,configuration-vulnerability-analysis-al2.title]] +[#configuration-vulnerability-analysis-al2] === Amazon Linux 2 vulnerability list Track security or privacy events for Amazon Linux 2 at the https://alas.aws.amazon.com/alas2.html[Amazon Linux Security Center] or subscribe to the associated https://alas.aws.amazon.com/AL2/alas.rss[RSS feed]. Security and privacy events include an overview of the issue affected, packages, and instructions for updating your instances to correct the issue. -[[configuration-vulnerability-analysis-inspector,configuration-vulnerability-analysis-inspector.title]] +[#configuration-vulnerability-analysis-inspector] == Node detection with Amazon Inspector You can use link:inspector/latest/userguide/inspector_introduction.html[Amazon Inspector,type="documentation"] to check for unintended network accessibility of your nodes and for vulnerabilities on those Amazon EC2 instances. -[[configuration-vulnerability-analysis-guardduty,configuration-vulnerability-analysis-guardduty.title]] +[#configuration-vulnerability-analysis-guardduty] == Cluster and node detection with Amazon GuardDuty Amazon GuardDuty threat detection service that helps protect your accounts, containers, workloads, and the data within your {aws} environment. Among other features, GuardDuty offers the following two features that detect potential threats to your EKS clusters: _EKS Protection_ and _Runtime Monitoring_. diff --git a/latest/ug/security/default-roles-users.adoc b/latest/ug/security/default-roles-users.adoc index a7fb7bccc..ebc2e89ac 100644 --- a/latest/ug/security/default-roles-users.adoc +++ b/latest/ug/security/default-roles-users.adoc @@ -1,5 +1,5 @@ [.topic] -[[default-roles-users,default-roles-users.title]] +[#default-roles-users] = Understand Amazon EKS created RBAC roles and users :info_titleabbrev: Default roles and users @@ -16,7 +16,7 @@ When you install optional <> to your cluster, additional [. You can view the list of Amazon EKS created [.noloc]`Kubernetes` identities on your cluster using the {aws-management-console} or `kubectl` command line tool. All of the user identities appear in the `kube` audit logs available to you through Amazon CloudWatch. -[[default-role-users-console,default-role-users-console.title]] +[#default-role-users-console] == {aws-management-console} === Prerequisite @@ -42,7 +42,7 @@ In addition to the resources that you see in the console, the following special . Choose a specific resource to view details about it. By default, you're shown information in *Structured view*. In the top-right corner of the details page you can choose *Raw view* to see all information for the resource. -[[default-role-users-kubectl,default-role-users-kubectl.title]] +[#default-role-users-kubectl] == Kubectl === Prerequisite diff --git a/latest/ug/security/disaster-recovery-resiliency.adoc b/latest/ug/security/disaster-recovery-resiliency.adoc index 6533fed39..c864c6303 100644 --- a/latest/ug/security/disaster-recovery-resiliency.adoc +++ b/latest/ug/security/disaster-recovery-resiliency.adoc @@ -1,5 +1,5 @@ [.topic] -[[disaster-recovery-resiliency,disaster-recovery-resiliency.title]] +[#disaster-recovery-resiliency] = Understand resilience in Amazon EKS clusters :info_titleabbrev: Resilience diff --git a/latest/ug/security/enable-kms.adoc b/latest/ug/security/enable-kms.adoc index 13fc5a428..44e501124 100644 --- a/latest/ug/security/enable-kms.adoc +++ b/latest/ug/security/enable-kms.adoc @@ -1,5 +1,5 @@ [.topic] -[[enable-kms,enable-kms.title]] +[#enable-kms] = Encrypt Kubernetes secrets with {aws} KMS on existing clusters :info_titleabbrev: Enable secret encryption diff --git a/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc b/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc index c6bf0fae1..c42a407df 100644 --- a/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc +++ b/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc @@ -1,5 +1,5 @@ [.topic] -[[auto-cluster-iam-role,auto-cluster-iam-role.title]] +[#auto-cluster-iam-role] = Amazon EKS Auto Mode cluster IAM role :idprefix: wip_ :info_titleabbrev: Auto Mode cluster IAM role diff --git a/latest/ug/security/iam-reference/auto-create-node-role.adoc b/latest/ug/security/iam-reference/auto-create-node-role.adoc index 1dff3d1ac..d17a152ae 100644 --- a/latest/ug/security/iam-reference/auto-create-node-role.adoc +++ b/latest/ug/security/iam-reference/auto-create-node-role.adoc @@ -1,5 +1,5 @@ [.topic] -[[auto-create-node-role,auto-create-node-role.title]] +[#auto-create-node-role] = Amazon EKS Auto Mode node IAM role :idprefix: id_ :info_titleabbrev: Auto Mode node IAM role diff --git a/latest/ug/security/iam-reference/cluster-iam-role.adoc b/latest/ug/security/iam-reference/cluster-iam-role.adoc index c72d930ec..60a1fc400 100644 --- a/latest/ug/security/iam-reference/cluster-iam-role.adoc +++ b/latest/ug/security/iam-reference/cluster-iam-role.adoc @@ -1,5 +1,5 @@ [.topic] -[[cluster-iam-role,cluster-iam-role.title]] +[#cluster-iam-role] = Amazon EKS cluster IAM role :info_titleabbrev: Cluster IAM role @@ -63,7 +63,7 @@ Prior to April 16, 2020, link:aws-managed-policy/latest/reference/AmazonEKSServi ==== -[[check-service-role,check-service-role.title]] +[#check-service-role] == Check for an existing cluster role You can use the following procedure to check and see if your account already has the Amazon EKS cluster role. @@ -93,7 +93,7 @@ You can use the following procedure to check and see if your account already has ---- -[[create-service-role,create-service-role.title]] +[#create-service-role] == Creating the Amazon EKS cluster role You can use the {aws-management-console} or the {aws} CLI to create the cluster role. diff --git a/latest/ug/security/iam-reference/connector-iam-role.adoc b/latest/ug/security/iam-reference/connector-iam-role.adoc index e4f0b5615..42d99c00d 100644 --- a/latest/ug/security/iam-reference/connector-iam-role.adoc +++ b/latest/ug/security/iam-reference/connector-iam-role.adoc @@ -1,5 +1,5 @@ [.topic] -[[connector-iam-role,connector-iam-role.title]] +[#connector-iam-role] = Amazon EKS connector IAM role :info_titleabbrev: Connector IAM role @@ -7,7 +7,7 @@ include::../../attributes.txt[] You can connect [.noloc]`Kubernetes` clusters to view them in your {aws-management-console}. To connect to a [.noloc]`Kubernetes` cluster, create an IAM role. -[[check-connector-role,check-connector-role.title]] +[#check-connector-role] == Check for an existing EKS connector role You can use the following procedure to check and see if your account already has the Amazon EKS connector role. @@ -39,7 +39,7 @@ You can use the following procedure to check and see if your account already has ---- -[[create-connector-role,create-connector-role.title]] +[#create-connector-role] == Creating the Amazon EKS connector agent role You can use the {aws-management-console} or {aws} CloudFormation to create the connector agent role. diff --git a/latest/ug/security/iam-reference/create-node-role.adoc b/latest/ug/security/iam-reference/create-node-role.adoc index dda133505..09a446e66 100644 --- a/latest/ug/security/iam-reference/create-node-role.adoc +++ b/latest/ug/security/iam-reference/create-node-role.adoc @@ -1,5 +1,5 @@ [.topic] -[[create-node-role,create-node-role.title]] +[#create-node-role] = Amazon EKS node IAM role :info_titleabbrev: Node IAM role @@ -27,7 +27,7 @@ Before you create nodes, you must create an IAM role with the following permissi The Amazon EC2 node groups must have a different IAM role than the Fargate profile. For more information, see <>. ==== -[[check-worker-node-role,check-worker-node-role.title]] +[#check-worker-node-role] == Check for an existing node role You can use the following procedure to check and see if your account already has the Amazon EKS node role. @@ -63,7 +63,7 @@ NOTE: If the *AmazonEKS_CNI_Policy* policy is attached to the role, we recommend ---- -[[create-worker-node-role,create-worker-node-role.title]] +[#create-worker-node-role] == Creating the Amazon EKS node IAM role You can create the node IAM role with the {aws-management-console} or the {aws} CLI. diff --git a/latest/ug/security/iam-reference/pod-execution-role.adoc b/latest/ug/security/iam-reference/pod-execution-role.adoc index 168f062eb..2c678bf76 100644 --- a/latest/ug/security/iam-reference/pod-execution-role.adoc +++ b/latest/ug/security/iam-reference/pod-execution-role.adoc @@ -1,5 +1,5 @@ [.topic] -[[pod-execution-role,pod-execution-role.title]] +[#pod-execution-role] = Amazon EKS [.noloc]`Pod` execution IAM role :info_titleabbrev: Pod execution IAM role @@ -26,7 +26,7 @@ The containers running in the Fargate [.noloc]`Pod` can't assume the IAM permiss ==== Before you create a Fargate profile, you must create an IAM role with the link:aws-managed-policy/latest/reference/AmazonEKSFargatePodExecutionRolePolicy.html[AmazonEKSFargatePodExecutionRolePolicy,type="documentation"]. -[[check-pod-execution-role,check-pod-execution-role.title]] +[#check-pod-execution-role] == Check for a correctly configured existing [.noloc]`Pod` execution role You can use the following procedure to check and see if your account already has a correctly configured Amazon EKS [.noloc]`Pod` execution role. To avoid a confused deputy security problem, it's important that the role restricts access based on `SourceArn`. You can modify the execution role as needed to include support for Fargate profiles on other clusters. @@ -73,7 +73,7 @@ If the policy matches but doesn't have a line specifying the Fargate profiles on If the policy doesn't match, copy the full previous policy into the form and choose *Update policy*. Replace [.replaceable]`region-code` with the {aws} Region that your cluster is in. If you want to use the same role in all {aws} Regions in your account, replace [.replaceable]`region-code` with `{asterisk}`. Replace [.replaceable]`111122223333` with your account ID and [.replaceable]`my-cluster` with the name of your cluster. If you want to use the same role for all clusters in your account, replace [.replaceable]`my-cluster` with `{asterisk}`. -[[create-pod-execution-role,create-pod-execution-role.title]] +[#create-pod-execution-role] == Creating the Amazon EKS [.noloc]`Pod` execution role If you don't already have the Amazon EKS [.noloc]`Pod` execution role for your cluster, you can use the {aws-management-console} or the {aws} CLI to create it. diff --git a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc index 516ad84a2..69df449ee 100644 --- a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc +++ b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc @@ -1,6 +1,6 @@ include::../../attributes.txt[] [.topic] -[[security-iam-awsmanpol,security-iam-awsmanpol.title]] +[#security-iam-awsmanpol] = {aws} managed policies for Amazon Elastic Kubernetes Service :info_titleabbrev: {aws} managed policies @@ -17,7 +17,7 @@ You cannot change the permissions defined in {aws} managed policies. If {aws} up For more information, see link:IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies[{aws} managed policies,type="documentation"] in the _IAM User Guide_. -[[security-iam-awsmanpol-amazoneks-cni-policy,security-iam-awsmanpol-amazoneks-cni-policy.title]] +[#security-iam-awsmanpol-amazoneks-cni-policy] == {aws} managed policy: AmazonEKS_CNI_Policy :info_titleabbrev: AmazonEKS_CNI_Policy @@ -32,7 +32,7 @@ This policy includes the following permissions that allow Amazon EKS to complete To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKS_CNI_Policy.html#AmazonEKS_CNI_Policy-json[AmazonEKS_CNI_Policy,type="documentation"] in the {aws} Managed Policy Reference Guide. -[[security-iam-awsmanpol-amazoneksclusterpolicy,security-iam-awsmanpol-amazoneksclusterpolicy.title]] +[#security-iam-awsmanpol-amazoneksclusterpolicy] == {aws} managed policy: AmazonEKSClusterPolicy :info_titleabbrev: AmazonEKSClusterPolicy @@ -48,7 +48,7 @@ This policy includes the following permissions that allow Amazon EKS to complete To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSClusterPolicy.html#AmazonEKSClusterPolicy-json[AmazonEKSClusterPolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. -[[security-iam-awsmanpol-amazoneksfargatepodexecutionrolepolicy,security-iam-awsmanpol-amazoneksfargatepodexecutionrolepolicy.title]] +[#security-iam-awsmanpol-amazoneksfargatepodexecutionrolepolicy] == {aws} managed policy: AmazonEKSFargatePodExecutionRolePolicy :info_titleabbrev: AmazonEKSFargatePodExecutionRolePolicy @@ -64,7 +64,7 @@ This policy includes the following permissions that allow Amazon EKS to complete To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSFargatePodExecutionRolePolicy.html#AmazonEKSFargatePodExecutionRolePolicy-json[AmazonEKSFargatePodExecutionRolePolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. -[[security-iam-awsmanpol-amazoneksforfargateservicerolepolicy,security-iam-awsmanpol-amazoneksforfargateservicerolepolicy.title]] +[#security-iam-awsmanpol-amazoneksforfargateservicerolepolicy] == {aws} managed policy: AmazonEKSForFargateServiceRolePolicy :info_titleabbrev: AmazonEKSForFargateServiceRolePolicy @@ -80,7 +80,7 @@ This policy includes the following permissions that allow Amazon EKS to complete To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSForFargateServiceRolePolicy.html#AmazonEKSForFargateServiceRolePolicy-json[AmazonEKSForFargateServiceRolePolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. -[[security-iam-awsmanpol-AmazonEKSComputePolicy,security-iam-awsmanpol-AmazonEKSComputePolicy.title]] +[#security-iam-awsmanpol-AmazonEKSComputePolicy] == {aws} managed policy: AmazonEKSComputePolicy :info_titleabbrev: AmazonEKSComputePolicy @@ -104,7 +104,7 @@ This policy includes the following permissions that allow Amazon EKS to complete To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSComputePolicy.html#AmazonEKSComputePolicy-json[AmazonEKSComputePolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. -[[security-iam-awsmanpol-AmazonEKSNetworkingPolicy,security-iam-awsmanpol-AmazonEKSNetworkingPolicy.title]] +[#security-iam-awsmanpol-AmazonEKSNetworkingPolicy] == {aws} managed policy: AmazonEKSNetworkingPolicy :info_titleabbrev: AmazonEKSNetworkingPolicy @@ -132,7 +132,7 @@ To view the latest version of the JSON policy document, see link:aws-managed-p -[[security-iam-awsmanpol-AmazonEKSBlockStoragePolicy,security-iam-awsmanpol-AmazonEKSBlockStoragePolicy.title]] +[#security-iam-awsmanpol-AmazonEKSBlockStoragePolicy] == {aws} managed policy: AmazonEKSBlockStoragePolicy :info_titleabbrev: AmazonEKSBlockStoragePolicy @@ -160,7 +160,7 @@ This IAM policy grants the following permissions to allow Amazon EKS to manage E To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSBlockStoragePolicy.html#AmazonEKSBlockStoragePolicy-json[AmazonEKSBlockStoragePolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. -[[security-iam-awsmanpol-AmazonEKSLoadBalancingPolicy,security-iam-awsmanpol-AmazonEKSLoadBalancingPolicy.title]] +[#security-iam-awsmanpol-AmazonEKSLoadBalancingPolicy] == {aws} managed policy: AmazonEKSLoadBalancingPolicy :info_titleabbrev: AmazonEKSLoadBalancingPolicy @@ -188,7 +188,7 @@ The policy also includes several condition checks to ensure that the permissions To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSLoadBalancingPolicy.html#AmazonEKSLoadBalancingPolicy-json[AmazonEKSLoadBalancingPolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. -[[security-iam-awsmanpol-amazoneksservicepolicy,security-iam-awsmanpol-amazoneksservicepolicy.title]] +[#security-iam-awsmanpol-amazoneksservicepolicy] == {aws} managed policy: AmazonEKSServicePolicy :info_titleabbrev: AmazonEKSServicePolicy @@ -208,7 +208,7 @@ This policy includes the following permissions that allow Amazon EKS to complete To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSServicePolicy.html#AmazonEKSServicePolicy-json[AmazonEKSServicePolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. -[[security-iam-awsmanpol-amazoneksservicerolepolicy,security-iam-awsmanpol-amazoneksservicerolepolicy.title]] +[#security-iam-awsmanpol-amazoneksservicerolepolicy] == {aws} managed policy: AmazonEKSServiceRolePolicy :info_titleabbrev: AmazonEKSServiceRolePolicy @@ -234,7 +234,7 @@ This policy includes the following permissions that allow Amazon EKS to complete To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSServiceRolePolicy.html#AmazonEKSServiceRolePolicy-json[AmazonEKSServiceRolePolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. -[[security-iam-awsmanpol-amazoneksvpcresourcecontroller,security-iam-awsmanpol-amazoneksvpcresourcecontroller.title]] +[#security-iam-awsmanpol-amazoneksvpcresourcecontroller] == {aws} managed policy: AmazonEKSVPCResourceController :info_titleabbrev: AmazonEKSVPCResourceController @@ -250,7 +250,7 @@ This policy includes the following permissions that allow Amazon EKS to complete To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSVPCResourceController.html#AmazonEKSVPCResourceController-json[AmazonEKSVPCResourceController,type="documentation"] in the {aws} Managed Policy Reference Guide. -[[security-iam-awsmanpol-amazoneksworkernodepolicy,security-iam-awsmanpol-amazoneksworkernodepolicy.title]] +[#security-iam-awsmanpol-amazoneksworkernodepolicy] == {aws} managed policy: AmazonEKSWorkerNodePolicy :info_titleabbrev: AmazonEKSWorkerNodePolicy @@ -269,7 +269,7 @@ This policy includes the following permissions that allow Amazon EKS to complete To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSWorkerNodePolicy.html#AmazonEKSWorkerNodePolicy-json[AmazonEKSWorkerNodePolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. -[[security-iam-awsmanpol-AmazonEKSWorkerNodeMinimalPolicy,security-iam-awsmanpol-AmazonEKSWorkerNodeMinimalPolicy.title]] +[#security-iam-awsmanpol-AmazonEKSWorkerNodeMinimalPolicy] == {aws} managed policy: AmazonEKSWorkerNodeMinimalPolicy :info_titleabbrev: AmazonEKSWorkerNodeMinimalPolicy @@ -285,7 +285,7 @@ This policy includes the following permissions that allow Amazon EKS to complete To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSWorkerNodeMinimalPolicy.html#AmazonEKSWorkerNodeMinimalPolicy-json["AmazonEKSWorkerNodePolicy", type="documentation"] in the {aws} Managed Policy Reference Guide. -[[security-iam-awsmanpol-awsserviceroleforamazoneksnodegroup,security-iam-awsmanpol-awsserviceroleforamazoneksnodegroup.title]] +[#security-iam-awsmanpol-awsserviceroleforamazoneksnodegroup] == {aws} managed policy: AWSServiceRoleForAmazonEKSNodegroup :info_titleabbrev: AWSServiceRoleForAmazonEKSNodegroup @@ -303,7 +303,7 @@ This policy includes the following permissions that allow Amazon EKS to complete To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AWSServiceRoleForAmazonEKSNodegroup.html#AWSServiceRoleForAmazonEKSNodegroup-json[AWSServiceRoleForAmazonEKSNodegroup,type="documentation"] in the {aws} Managed Policy Reference Guide. -[[security-iam-awsmanpol-amazonebscsidriverservicerolepolicy,security-iam-awsmanpol-amazonebscsidriverservicerolepolicy.title]] +[#security-iam-awsmanpol-amazonebscsidriverservicerolepolicy] == {aws} managed policy: AmazonEBSCSIDriverPolicy :info_titleabbrev: AmazonEBSCSIDriverPolicy @@ -311,7 +311,7 @@ The `AmazonEBSCSIDriverPolicy` policy allows the Amazon EBS Container Storage In To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEBSCSIDriverPolicy.html#AmazonEBSCSIDriverPolicy-json[AmazonEBSCSIDriverServiceRolePolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. -[[security-iam-awsmanpol-amazonefscsidriverservicerolepolicy,security-iam-awsmanpol-amazonefscsidriverservicerolepolicy.title]] +[#security-iam-awsmanpol-amazonefscsidriverservicerolepolicy] == {aws} managed policy: AmazonEFSCSIDriverPolicy :info_titleabbrev: AmazonEFSCSIDriverPolicy @@ -319,7 +319,7 @@ The `AmazonEFSCSIDriverPolicy` policy allows the Amazon EFS Container Storage In To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEFSCSIDriverPolicy.html#AmazonEFSCSIDriverPolicy-json[AmazonEFSCSIDriverServiceRolePolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. -[[security-iam-awsmanpol-amazonekslocaloutpostclusterpolicy,security-iam-awsmanpol-amazonekslocaloutpostclusterpolicy.title]] +[#security-iam-awsmanpol-amazonekslocaloutpostclusterpolicy] == {aws} managed policy: AmazonEKSLocalOutpostClusterPolicy :info_titleabbrev: AmazonEKSLocalOutpostClusterPolicy @@ -335,7 +335,7 @@ The `AmazonEKSLocalOutpostClusterPolicy` includes the following permissions: To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSLocalOutpostClusterPolicy.html#AmazonEKSLocalOutpostClusterPolicy-json[AmazonEKSLocalOutpostClusterPolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. -[[security-iam-awsmanpol-amazonekslocaloutpostservicerolepolicy,security-iam-awsmanpol-amazonekslocaloutpostservicerolepolicy.title]] +[#security-iam-awsmanpol-amazonekslocaloutpostservicerolepolicy] == {aws} managed policy: AmazonEKSLocalOutpostServiceRolePolicy :info_titleabbrev: AmazonEKSLocalOutpostServiceRolePolicy @@ -351,7 +351,7 @@ The `AmazonEKSLocalOutpostServiceRolePolicy` includes the following permissions: To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSLocalOutpostServiceRolePolicy.html#AmazonEKSLocalOutpostServiceRolePolicy-json[AmazonEKSLocalOutpostServiceRolePolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. -[[security-iam-awsmanpol-updates,security-iam-awsmanpol-updates.title]] +[#security-iam-awsmanpol-updates] == Amazon EKS updates to {aws} managed policies :info_titleabbrev: Policy updates diff --git a/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc b/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc index 5ce7d6031..29ae020f3 100644 --- a/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc +++ b/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc @@ -1,5 +1,5 @@ [.topic] -[[security-iam-id-based-policy-examples,security-iam-id-based-policy-examples.title]] +[#security-iam-id-based-policy-examples] = Amazon EKS identity-based policy examples :info_titleabbrev: Identity-based policies @@ -16,7 +16,7 @@ For more information about working with the ConfigMap, see <>. [.topiclist] [[Topic List]] -[[security-iam-service-with-iam-policy-best-practices,security-iam-service-with-iam-policy-best-practices.title]] +[#security-iam-service-with-iam-policy-best-practices] == Policy best practices Identity-based policies determine whether someone can create, access, or delete Amazon EKS resources in your account. These actions can incur costs for your {aws} account. When you create or edit identity-based policies, follow these guidelines and recommendations: @@ -31,7 +31,7 @@ Identity-based policies determine whether someone can create, access, or delete For more information about best practices in IAM, see link:IAM/latest/UserGuide/best-practices.html[Security best practices in IAM,type="documentation"] in the _IAM User Guide_. -[[security-iam-id-based-policy-examples-console,security-iam-id-based-policy-examples-console.title]] +[#security-iam-id-based-policy-examples-console] == Using the Amazon EKS console To access the Amazon EKS console, an link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"], must have a minimum set of permissions. These permissions allow the principal to list and view details about the Amazon EKS resources in your {aws} account. If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for principals with that policy attached to them. @@ -73,7 +73,7 @@ The following example policy allows a principal to view information on the *Conf You don't need to allow minimum console permissions for principals that are making calls only to the {aws} CLI or the {aws} API. Instead, allow access to only the actions that match the API operation that you're trying to perform. -[[security-iam-id-based-policy-examples-view-own-permissions,security-iam-id-based-policy-examples-view-own-permissions.title]] +[#security-iam-id-based-policy-examples-view-own-permissions] == Allow IAM users to view their own permissions This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the {aws} CLI or {aws} API. @@ -115,7 +115,7 @@ This example shows how you might create a policy that allows IAM users to view t ---- -[[policy-create-cluster,policy-create-cluster.title]] +[#policy-create-cluster] == Create a [.noloc]`Kubernetes` cluster on the {aws} Cloud This example policy includes the minimum permissions required to create an Amazon EKS cluster named [.replaceable]`my-cluster` in the [.replaceable]`us-west-2` {aws} Region. You can replace the {aws} Region with the {aws} Region that you want to create a cluster in. If you see a warning that says *The actions in your policy do not support resource-level permissions and require you to choose `All resources`* in the {aws-management-console}, it can be safely ignored. If your account already has the [.replaceable]`AWSServiceRoleForAmazonEKS` role, you can remove the `iam:CreateServiceLinkedRole` action from the policy. If you've ever created an Amazon EKS cluster in your account then this role already exists, unless you deleted it. @@ -150,7 +150,7 @@ This example policy includes the minimum permissions required to create an Amazo ---- -[[policy-create-local-cluster,policy-create-local-cluster.title]] +[#policy-create-local-cluster] == Create a local [.noloc]`Kubernetes` cluster on an Outpost This example policy includes the minimum permissions required to create an Amazon EKS local cluster named [.replaceable]`my-cluster` on an Outpost in the [.replaceable]`us-west-2` {aws} Region. You can replace the {aws} Region with the {aws} Region that you want to create a cluster in. If you see a warning that says *The actions in your policy do not support resource-level permissions and require you to choose `All resources`* in the {aws-management-console}, it can be safely ignored. If your account already has the `AWSServiceRoleForAmazonEKSLocalOutpost` role, you can remove the `iam:CreateServiceLinkedRole` action from the policy. If you've ever created an Amazon EKS local cluster on an Outpost in your account then this role already exists, unless you deleted it. @@ -204,7 +204,7 @@ This example policy includes the minimum permissions required to create an Amazo ---- -[[policy-example1,policy-example1.title]] +[#policy-example1] == Update a [.noloc]`Kubernetes` cluster This example policy includes the minimum permission required to update a cluster named [.replaceable]`my-cluster` in the us-west-2 {aws} Region. @@ -224,7 +224,7 @@ This example policy includes the minimum permission required to update a cluster ---- -[[policy-example2,policy-example2.title]] +[#policy-example2] == List or describe all clusters This example policy includes the minimum permissions required to list and describe all clusters in your account. An link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] must be able to list and describe clusters to use the `update-kubeconfig` {aws} CLI command. diff --git a/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc b/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc index b32fbd638..fc25beeca 100644 --- a/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc +++ b/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc @@ -1,5 +1,5 @@ [.topic] -[[security-iam-service-with-iam,security-iam-service-with-iam.title]] +[#security-iam-service-with-iam] = How Amazon EKS works with IAM :info_titleabbrev: Amazon EKS and IAM @@ -10,12 +10,12 @@ Before you use IAM to manage access to Amazon EKS, you should understand what IA [.topiclist] [[Topic List]] -[[security-iam-service-with-iam-id-based-policies,security-iam-service-with-iam-id-based-policies.title]] +[#security-iam-service-with-iam-id-based-policies] == Amazon EKS identity-based policies With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. Amazon EKS supports specific actions, resources, and condition keys. To learn about all of the elements that you use in a JSON policy, see link:IAM/latest/UserGuide/reference_policies_elements.html[IAM JSON policy elements reference,type="documentation"] in the _IAM User Guide_. -[[security-iam-service-with-iam-id-based-policies-actions,security-iam-service-with-iam-id-based-policies-actions.title]] +[#security-iam-service-with-iam-id-based-policies-actions] === Actions Administrators can use {aws} JSON policies to specify who has access to what. That is, which *principal* can perform *actions* on what *resources*, and under what *conditions*. @@ -43,7 +43,7 @@ You can specify multiple actions using wildcards (*). For example, to specify al To see a list of Amazon EKS actions, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the _Service Authorization Reference_. -[[security-iam-service-with-iam-id-based-policies-resources,security-iam-service-with-iam-id-based-policies-resources.title]] +[#security-iam-service-with-iam-id-based-policies-resources] === Resources Administrators can use {aws} JSON policies to specify who has access to what. That is, which *principal* can perform *actions* on what *resources*, and under what *conditions*. @@ -89,7 +89,7 @@ Some Amazon EKS actions, such as those for creating resources, can't be performe To see a list of Amazon EKS resource types and their ARNs, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-resources-for-iam-policies[Resources defined by Amazon Elastic Kubernetes Service,type="documentation"] in the _Service Authorization Reference_. To learn with which actions you can specify the ARN of each resource, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"]. -[[security-iam-service-with-iam-id-based-policies-conditionkeys,security-iam-service-with-iam-id-based-policies-conditionkeys.title]] +[#security-iam-service-with-iam-id-based-policies-conditionkeys] === Condition keys Amazon EKS defines its own set of condition keys and also supports using some global condition keys. To see all {aws} global condition keys, see link:IAM/latest/UserGuide/reference_policies_condition-keys.html[{aws} Global Condition Context Keys,type="documentation"] in the _IAM User Guide_. @@ -100,7 +100,7 @@ All Amazon EC2 actions support the `aws:RequestedRegion` and `ec2:Region` condit For a list of Amazon EKS condition keys, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-policy-keys[Conditions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the _Service Authorization Reference_. To learn which actions and resources you can use a condition key with, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"]. -[[security-iam-service-with-iam-id-based-policies-examples,security-iam-service-with-iam-id-based-policies-examples.title]] +[#security-iam-service-with-iam-id-based-policies-examples] === Examples @@ -110,43 +110,43 @@ When you create an Amazon EKS cluster, the link:IAM/latest/UserGuide/id_roles.h For more information about working with the ConfigMap, see <>. -[[security-iam-service-with-iam-resource-based-policies,security-iam-service-with-iam-resource-based-policies.title]] +[#security-iam-service-with-iam-resource-based-policies] == Amazon EKS resource-based policies Amazon EKS does not support resource-based policies. -[[security-iam-service-with-iam-tags,security-iam-service-with-iam-tags.title]] +[#security-iam-service-with-iam-tags] == Authorization based on Amazon EKS tags You can attach tags to Amazon EKS resources or pass tags in a request to Amazon EKS. To control access based on tags, you provide tag information in the link:IAM/latest/UserGuide/reference_policies_elements_condition.html[condition element,type="documentation"] of a policy using the `aws:ResourceTag/[.replaceable]``key-name```, `aws:RequestTag/[.replaceable]``key-name```, or `aws:TagKeys` condition keys. For more information about tagging Amazon EKS resources, see <>. For more information about which actions that you can use tags in condition keys with, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon EKS,type="documentation"] in the link:service-authorization/latest/reference/reference.html[Service Authorization Reference,type="documentation"]. -[[security-iam-service-with-iam-roles,security-iam-service-with-iam-roles.title]] +[#security-iam-service-with-iam-roles] == Amazon EKS IAM roles An link:IAM/latest/UserGuide/id_roles.html[IAM role,type="documentation"] is an entity within your {aws} account that has specific permissions. -[[security-iam-service-with-iam-roles-tempcreds,security-iam-service-with-iam-roles-tempcreds.title]] +[#security-iam-service-with-iam-roles-tempcreds] === Using temporary credentials with Amazon EKS You can use temporary credentials to sign in with federation, assume an IAM role, or to assume a cross-account role. You obtain temporary security credentials by calling {aws} STS API operations such as link:STS/latest/APIReference/API_AssumeRole.html[AssumeRole,type="documentation"] or link:STS/latest/APIReference/API_GetFederationToken.html[GetFederationToken,type="documentation"]. Amazon EKS supports using temporary credentials. -[[security-iam-service-with-iam-roles-service-linked,security-iam-service-with-iam-roles-service-linked.title]] +[#security-iam-service-with-iam-roles-service-linked] === Service-linked roles link:IAM/latest/UserGuide/id_roles.html#iam-term-service-linked-role[Service-linked roles,type="documentation"] allow {aws} services to access resources in other services to complete an action on your behalf. Service-linked roles appear in your IAM account and are owned by the service. An administrator can view but can't edit the permissions for service-linked roles. Amazon EKS supports service-linked roles. For details about creating or managing Amazon EKS service-linked roles, see <>. -[[security-iam-service-with-iam-roles-service,security-iam-service-with-iam-roles-service.title]] +[#security-iam-service-with-iam-roles-service] === Service roles This feature allows a service to assume a link:IAM/latest/UserGuide/id_roles.html#iam-term-service-role[service role,type="documentation"] on your behalf. This role allows the service to access resources in other services to complete an action on your behalf. Service roles appear in your IAM account and are owned by the account. This means that an IAM administrator can change the permissions for this role. However, doing so might break the functionality of the service. Amazon EKS supports service roles. For more information, see <> and <>. -[[security-iam-service-with-iam-roles-choose,security-iam-service-with-iam-roles-choose.title]] +[#security-iam-service-with-iam-roles-choose] === Choosing an IAM role in Amazon EKS When you create a cluster resource in Amazon EKS, you must choose a role to allow Amazon EKS to access several other {aws} resources on your behalf. If you have previously created a service role, then Amazon EKS provides you with a list of roles to choose from. It's important to choose a role that has the Amazon EKS managed policies attached to it. For more information, see <> and <>. diff --git a/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc b/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc index d3694d681..e62705ac2 100644 --- a/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc +++ b/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc @@ -1,5 +1,5 @@ [.topic] -[[security-iam-troubleshoot,security-iam-troubleshoot.title]] +[#security-iam-troubleshoot] = Troubleshooting IAM :info_titleabbrev: Troubleshooting @@ -7,7 +7,7 @@ include::../../attributes.txt[] This topic covers some common errors that you may see while using Amazon EKS with IAM and how to work around them. -[[iam-error,iam-error.title]] +[#iam-error] == AccessDeniedException If you receive an `AccessDeniedException` when calling an {aws} API operation, then the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] credentials that you're using don't have the required permissions to make that call. @@ -23,18 +23,18 @@ In the previous example message, the user does not have permissions to call the For more general information about IAM, see link:IAM/latest/UserGuide/access_controlling.html[Controlling access using policies,type="documentation"] in the _IAM User Guide_. -[[security-iam-troubleshoot-cannot-view-nodes-or-workloads,security-iam-troubleshoot-cannot-view-nodes-or-workloads.title]] +[#security-iam-troubleshoot-cannot-view-nodes-or-workloads] == Can't see *Nodes* on the *Compute* tab or anything on the *Resources* tab and you receive an error in the {aws-management-console} :info_titleabbrev: Can't see anything on Nodes or Compute tabs in console You may see a console error message that says `Your current user or role does not have access to Kubernetes objects on this EKS cluster`. Make sure that the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] user that you're using the {aws-management-console} with has the necessary permissions. For more information, see <>. -[[security-iam-troubleshoot-configmap,security-iam-troubleshoot-configmap.title]] +[#security-iam-troubleshoot-configmap] == aws-auth `ConfigMap` does not grant access to the cluster The https://github.com/kubernetes-sigs/aws-iam-authenticator[{aws} IAM Authenticator] doesn't permit a path in the role ARN used in the `ConfigMap`. Therefore, before you specify `rolearn`, remove the path. For example, change `{arn-aws}iam::[.replaceable]``111122223333``:role/[.replaceable]``team``/[.replaceable]``developers``/[.replaceable]``eks-admin``` to `{arn-aws}iam::[.replaceable]``111122223333``:role/[.replaceable]``eks-admin```. -[[security-iam-troubleshoot-passrole,security-iam-troubleshoot-passrole.title]] +[#security-iam-troubleshoot-passrole] == I am not authorized to perform iam:PassRole If you receive an error that you're not authorized to perform the `iam:PassRole` action, your policies must be updated to allow you to pass a role to Amazon EKS. @@ -52,7 +52,7 @@ In this case, Mary's policies must be updated to allow her to perform the `iam:P If you need help, contact your {aws} administrator. Your administrator is the person who provided you with your sign-in credentials. -[[security-iam-troubleshoot-cross-account-access,security-iam-troubleshoot-cross-account-access.title]] +[#security-iam-troubleshoot-cross-account-access] == I want to allow people outside of my {aws} account to access my Amazon EKS resources :info_titleabbrev: Allow external IAM principals to access resources @@ -66,7 +66,7 @@ To learn more, consult the following: * To learn how to provide access through identity federation, see link:IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html[Providing access to externally authenticated users (identity federation),type="documentation"] in the _IAM User Guide_. * To learn the difference between using roles and resource-based policies for cross-account access, see link:IAM/latest/UserGuide/access_policies-cross-account-resource-access.html[Cross account resource access in IAM,type="documentation"] in the _IAM User Guide_. -[[security-iam-troubleshoot-wrong-sts-endpoint,security-iam-troubleshoot-wrong-sts-endpoint.title]] +[#security-iam-troubleshoot-wrong-sts-endpoint] == Pod containers receive the following error: `An error occurred (SignatureDoesNotMatch) when calling the GetCallerIdentity operation: Credential should be scoped to a valid region` :info_titleabbrev: Credential should be scoped to a valid region error diff --git a/latest/ug/security/iam-reference/security-iam.adoc b/latest/ug/security/iam-reference/security-iam.adoc index 437aa2cc7..aa8b17cb5 100644 --- a/latest/ug/security/iam-reference/security-iam.adoc +++ b/latest/ug/security/iam-reference/security-iam.adoc @@ -1,5 +1,5 @@ [.topic] -[[security-iam,security-iam.title]] +[#security-iam] = Identity and access management for Amazon EKS :info_titleabbrev: IAM Reference @@ -34,7 +34,7 @@ How to authenticate requests and manage access your Amazon EKS resources. {aws} Identity and Access Management (IAM) is an {aws} service that helps an administrator securely control access to {aws} resources. IAM administrators control who can be _authenticated_ (signed in) and _authorized_ (have permissions) to use Amazon EKS resources. IAM is an {aws} service that you can use with no additional charge. -[[security-iam-audience,security-iam-audience.title]] +[#security-iam-audience] == Audience How you use {aws} Identity and Access Management (IAM) differs, depending on the work that you do in Amazon EKS. @@ -45,7 +45,7 @@ How you use {aws} Identity and Access Management (IAM) differs, depending on the *IAM administrator* – If you're an IAM administrator, you might want to learn details about how you can write policies to manage access to Amazon EKS. To view example Amazon EKS identity-based policies that you can use in IAM, see <>. -[[security-iam-authentication,security-iam-authentication.title]] +[#security-iam-authentication] == Authenticating with identities Authentication is how you sign in to {aws} using your identity credentials. You must be _authenticated_ (signed in to {aws}) as the {aws} account root user, as an IAM user, or by assuming an IAM role. @@ -58,12 +58,12 @@ If you access {aws} programmatically, {aws} provides a software development kit Regardless of the authentication method that you use, you might be required to provide additional security information. For example, {aws} recommends that you use multi-factor authentication (MFA) to increase the security of your account. To learn more, see link:singlesignon/latest/userguide/enable-mfa.html[Multi-factor authentication,type="documentation"] in the _{aws} IAM Identity Center User Guide_ and link:IAM/latest/UserGuide/id_credentials_mfa.html[Using multi-factor authentication (MFA) in {aws},type="documentation"] in the _IAM User Guide_. -[[security-iam-authentication-rootuser,security-iam-authentication-rootuser.title]] +[#security-iam-authentication-rootuser] === {aws} account root user When you create an {aws} account, you begin with one sign-in identity that has complete access to all {aws} services and resources in the account. This identity is called the {aws} account _root user_ and is accessed by signing in with the email address and password that you used to create the account. We strongly recommend that you don't use the root user for your everyday tasks. Safeguard your root user credentials and use them to perform the tasks that only the root user can perform. For the complete list of tasks that require you to sign in as the root user, see link:IAM/latest/UserGuide/id_root-user.html#root-user-tasks[Tasks that require root user credentials,type="documentation"] in the _IAM User Guide_. -[[security-iam-authentication-iamuser,security-iam-authentication-iamuser.title]] +[#security-iam-authentication-iamuser] === IAM users and groups An _ link:IAM/latest/UserGuide/id_users.html[IAM user,type="documentation"]_ is an identity within your {aws} account that has specific permissions for a single person or application. Where possible, we recommend relying on temporary credentials instead of creating IAM users who have long-term credentials such as passwords and access keys. However, if you have specific use cases that require long-term credentials with IAM users, we recommend that you rotate access keys. For more information, see link:IAM/latest/UserGuide/best-practices.html#rotate-credentials[Rotate access keys regularly for use cases that require long-term credentials,type="documentation"] in the _IAM User Guide_. @@ -72,7 +72,7 @@ An link:IAM/latest/UserGuide/id_groups.html[IAM group,type="documentation"] is Users are different from roles. A user is uniquely associated with one person or application, but a role is intended to be assumable by anyone who needs it. Users have permanent long-term credentials, but roles provide temporary credentials. To learn more, see link:IAM/latest/UserGuide/id.html#id_which-to-choose[When to create an IAM user (instead of a role),type="documentation"] in the _IAM User Guide_. -[[security-iam-authentication-iamrole,security-iam-authentication-iamrole.title]] +[#security-iam-authentication-iamrole] === IAM roles An _ link:IAM/latest/UserGuide/id_roles.html[IAM role,type="documentation"]_ is an identity within your {aws} account that has specific permissions. It is similar to an IAM user, but is not associated with a specific person. You can temporarily assume an IAM role in the {aws-management-console} by link:IAM/latest/UserGuide/id_roles_use_switch-role-console.html[switching roles,type="documentation"]. You can assume a role by calling an {aws} CLI or {aws} API operation or by using a custom URL. For more information about methods for using roles, see link:IAM/latest/UserGuide/id_roles_use.html[Using IAM roles,type="documentation"] in the _IAM User Guide_. @@ -93,7 +93,7 @@ IAM roles with temporary credentials are useful in the following situations: To learn whether to use IAM roles or IAM users, see link:IAM/latest/UserGuide/id.html#id_which-to-choose_role[When to create an IAM role (instead of a user),type="documentation"] in the _IAM User Guide_. -[[security-iam-access-manage,security-iam-access-manage.title]] +[#security-iam-access-manage] == Managing access using policies You control access in {aws} by creating policies and attaching them to {aws} identities or resources. A policy is an object in {aws} that, when associated with an identity or resource, defines their permissions. {aws} evaluates these policies when a principal (user, root user, or role session) makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in {aws} as JSON documents. For more information about the structure and contents of JSON policy documents, see link:IAM/latest/UserGuide/access_policies.html#access_policies-json[Overview of JSON policies,type="documentation"] in the _IAM User Guide_. @@ -104,28 +104,28 @@ By default, users and roles have no permissions. To grant users permission to pe IAM policies define permissions for an action regardless of the method that you use to perform the operation. For example, suppose that you have a policy that allows the `iam:GetRole` action. A user with that policy can get role information from the {aws-management-console}, the {aws} CLI, or the {aws} API. -[[security-iam-access-manage-id-based-policies,security-iam-access-manage-id-based-policies.title]] +[#security-iam-access-manage-id-based-policies] === Identity-based policies Identity-based policies are JSON permissions policy documents that you can attach to an identity, such as an IAM user, group of users, or role. These policies control what actions users and roles can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see link:IAM/latest/UserGuide/access_policies_create.html[Creating IAM policies,type="documentation"] in the _IAM User Guide_. Identity-based policies can be further categorized as _inline policies_ or _managed policies_. Inline policies are embedded directly into a single user, group, or role. Managed policies are standalone policies that you can attach to multiple users, groups, and roles in your {aws} account. Managed policies include {aws} managed policies and customer managed policies. To learn how to choose between a managed policy or an inline policy, see link:IAM/latest/UserGuide/access_policies_managed-vs-inline.html#choosing-managed-or-inline[Choosing between managed policies and inline policies,type="documentation"] in the _IAM User Guide_. -[[security-iam-access-manage-resource-based-policies,security-iam-access-manage-resource-based-policies.title]] +[#security-iam-access-manage-resource-based-policies] === Resource-based policies Resource-based policies are JSON policy documents that you attach to a resource. Examples of resource-based policies are IAM _role trust policies_ and Amazon S3 _bucket policies_. In services that support resource-based policies, service administrators can use them to control access to a specific resource. For the resource where the policy is attached, the policy defines what actions a specified principal can perform on that resource and under what conditions. You must link:IAM/latest/UserGuide/reference_policies_elements_principal.html[specify a principal,type="documentation"] in a resource-based policy. Principals can include accounts, users, roles, federated users, or {aws} services. Resource-based policies are inline policies that are located in that service. You can't use {aws} managed policies from IAM in a resource-based policy. -[[security-iam-access-manage-acl,security-iam-access-manage-acl.title]] +[#security-iam-access-manage-acl] === Access control lists (ACLs) Access control lists (ACLs) control which principals (account members, users, or roles) have permissions to access a resource. ACLs are similar to resource-based policies, although they do not use the JSON policy document format. Amazon S3, {aws} WAF, and Amazon VPC are examples of services that support ACLs. To learn more about ACLs, see link:AmazonS3/latest/userguide/acl-overview.html[Access control list (ACL) overview,type="documentation"] in the _Amazon Simple Storage Service Developer Guide_. -[[security-iam-access-manage-other-policies,security-iam-access-manage-other-policies.title]] +[#security-iam-access-manage-other-policies] === Other policy types {aws} supports additional, less-common policy types. These policy types can set the maximum permissions granted to you by the more common policy types. @@ -137,7 +137,7 @@ Amazon S3, {aws} WAF, and Amazon VPC are examples of services that support ACLs. * *Session policies* – Session policies are advanced policies that you pass as a parameter when you programmatically create a temporary session for a role or federated user. The resulting session's permissions are the intersection of the user or role's identity-based policies and the session policies. Permissions can also come from a resource-based policy. An explicit deny in any of these policies overrides the allow. For more information, see link:IAM/latest/UserGuide/access_policies.html#policies_session[Session policies,type="documentation"] in the _IAM User Guide_. -[[security-iam-access-manage-multiple-policies,security-iam-access-manage-multiple-policies.title]] +[#security-iam-access-manage-multiple-policies] === Multiple policy types When multiple types of policies apply to a request, the resulting permissions are more complicated to understand. To learn how {aws} determines whether to allow a request when multiple policy types are involved, see link:IAM/latest/UserGuide/reference_policies_evaluation-logic.html[Policy evaluation logic,type="documentation"] in the _IAM User Guide_. diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc index 64dd51a1c..728fe50e6 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc @@ -1,5 +1,5 @@ [.topic] -[[using-service-linked-roles-eks-connector,using-service-linked-roles-eks-connector.title]] +[#using-service-linked-roles-eks-connector] = Using roles to connect a [.noloc]`Kubernetes` cluster to Amazon EKS :info_titleabbrev: Cluster connector role @@ -18,7 +18,7 @@ You can delete a service-linked role only after first deleting their related res For information about other services that support service-linked roles, see link:IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html[{aws} services that work with IAM,type="documentation"] and look for the services that have *Yes* in the *Service-linked role* column. Choose a *Yes* with a link to view the service-linked role documentation for that service. -[[service-linked-role-permissions-eks-connector,service-linked-role-permissions-eks-connector.title]] +[#service-linked-role-permissions-eks-connector] == Service-linked role permissions for Amazon EKS Amazon EKS uses the service-linked role named `AWSServiceRoleForAmazonEKSConnector`. The role allows Amazon EKS to connect [.noloc]`Kubernetes` clusters. The attached policies allow the role to manage necessary resources to connect to your registered [.noloc]`Kubernetes` cluster. @@ -33,24 +33,24 @@ The role permissions policy allows Amazon EKS to complete the following actions You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions[Service-linked role permissions,type="documentation"] in the _IAM User Guide_. -[[create-service-linked-role-eks-connector,create-service-linked-role-eks-connector.title]] +[#create-service-linked-role-eks-connector] == Creating a service-linked role for Amazon EKS You don't need to manually create a service-linked role to connect a cluster. When you connect a cluster in the {aws-management-console}, the {aws} CLI, `eksctl`, or the {aws} API, Amazon EKS creates the service-linked role for you. If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you connect a cluster, Amazon EKS creates the service-linked role for you again. -[[edit-service-linked-role-eks-connector,edit-service-linked-role-eks-connector.title]] +[#edit-service-linked-role-eks-connector] == Editing a service-linked role for Amazon EKS Amazon EKS does not allow you to edit the `AWSServiceRoleForAmazonEKSConnector` service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role[Editing a service-linked role,type="documentation"] in the _IAM User Guide_. -[[delete-service-linked-role-eks-connector,delete-service-linked-role-eks-connector.title]] +[#delete-service-linked-role-eks-connector] == Deleting a service-linked role for Amazon EKS If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don't have an unused entity that is not actively monitored or maintained. However, you must clean up your service-linked role before you can manually delete it. -[[service-linked-role-review-before-delete-eks-connector,service-linked-role-review-before-delete-eks-connector.title]] +[#service-linked-role-review-before-delete-eks-connector] === Cleaning up a service-linked role Before you can use IAM to delete a service-linked role, you must first delete any resources used by the role. @@ -67,7 +67,7 @@ If the Amazon EKS service is using the role when you try to delete the resources . Select the *Deregister* tab and then select the *Ok* tab. -[[slr-manual-delete-eks-connector,slr-manual-delete-eks-connector.title]] +[#slr-manual-delete-eks-connector] === Manually delete the service-linked role Use the IAM console, the {aws} CLI, or the {aws} API to delete the AWSServiceRoleForAmazonEKSConnector service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role[Deleting a service-linked role,type="documentation"] in the _IAM User Guide_. diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc index 479d30da1..4617dcd60 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc @@ -1,5 +1,5 @@ [.topic] -[[using-service-linked-roles-eks-fargate,using-service-linked-roles-eks-fargate.title]] +[#using-service-linked-roles-eks-fargate] = Using roles for Amazon EKS Fargate profiles :info_titleabbrev: Fargate profile role @@ -18,7 +18,7 @@ You can delete a service-linked role only after first deleting their related res For information about other services that support service-linked roles, see link:IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html[{aws} services that work with IAM,type="documentation"] and look for the services that have *Yes* in the *Service-linked role* column. Choose a *Yes* with a link to view the service-linked role documentation for that service. -[[service-linked-role-permissions-eks-fargate,service-linked-role-permissions-eks-fargate.title]] +[#service-linked-role-permissions-eks-fargate] == Service-linked role permissions for Amazon EKS Amazon EKS uses the service-linked role named `AWSServiceRoleForAmazonEKSForFargate`. The role allows Amazon EKS Fargate to configure VPC networking required for Fargate [.noloc]`Pods`. The attached policies allow the role to create and delete elastic network interfaces and describe elastic network Interfaces and resources. @@ -33,7 +33,7 @@ The role permissions policy allows Amazon EKS to complete the following actions You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions[Service-linked role permissions,type="documentation"] in the _IAM User Guide_. -[[create-service-linked-role-eks-fargate,create-service-linked-role-eks-fargate.title]] +[#create-service-linked-role-eks-fargate] == Creating a service-linked role for Amazon EKS You don't need to manually create a service-linked role. When you create a Fargate profile in the {aws-management-console}, the {aws} CLI, or the {aws} API, Amazon EKS creates the service-linked role for you. @@ -45,24 +45,24 @@ This service-linked role can appear in your account if you completed an action i ==== -[[create-service-linked-role-service-api-eks-fargate,create-service-linked-role-service-api-eks-fargate.title]] +[#create-service-linked-role-service-api-eks-fargate] === Creating a service-linked role in Amazon EKS ({aws} API) You don't need to manually create a service-linked role. When you create a Fargate profile in the {aws-management-console}, the {aws} CLI, or the {aws} API, Amazon EKS creates the service-linked role for you. If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you create another managed node group, Amazon EKS creates the service-linked role for you again. -[[edit-service-linked-role-eks-fargate,edit-service-linked-role-eks-fargate.title]] +[#edit-service-linked-role-eks-fargate] == Editing a service-linked role for Amazon EKS Amazon EKS does not allow you to edit the `AWSServiceRoleForAmazonEKSForFargate` service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role[Editing a service-linked role,type="documentation"] in the _IAM User Guide_. -[[delete-service-linked-role-eks-fargate,delete-service-linked-role-eks-fargate.title]] +[#delete-service-linked-role-eks-fargate] == Deleting a service-linked role for Amazon EKS If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don't have an unused entity that is not actively monitored or maintained. However, you must clean up your service-linked role before you can manually delete it. -[[service-linked-role-review-before-delete-eks-fargate,service-linked-role-review-before-delete-eks-fargate.title]] +[#service-linked-role-review-before-delete-eks-fargate] === Cleaning up a service-linked role Before you can use IAM to delete a service-linked role, you must first delete any resources used by the role. @@ -82,12 +82,12 @@ If the Amazon EKS service is using the role when you try to delete the resources . Repeat this procedure for any other Fargate profiles in the cluster and for any other clusters in your account. -[[slr-manual-delete-eks-fargate,slr-manual-delete-eks-fargate.title]] +[#slr-manual-delete-eks-fargate] === Manually delete the service-linked role Use the IAM console, the {aws} CLI, or the {aws} API to delete the AWSServiceRoleForAmazonEKSForFargate service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role[Deleting a service-linked role,type="documentation"] in the _IAM User Guide_. -[[slr-regions-eks-fargate,slr-regions-eks-fargate.title]] +[#slr-regions-eks-fargate] == Supported regions for Amazon EKS service-linked roles Amazon EKS supports using service-linked roles in all of the regions where the service is available. For more information, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"]. diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc index e96c83553..34cc80a63 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc @@ -1,5 +1,5 @@ [.topic] -[[using-service-linked-roles-eks-nodegroups,using-service-linked-roles-eks-nodegroups.title]] +[#using-service-linked-roles-eks-nodegroups] = Using roles for Amazon EKS node groups :info_titleabbrev: Node groups role @@ -18,7 +18,7 @@ You can delete a service-linked role only after first deleting their related res For information about other services that support service-linked roles, see link:IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html[{aws} services that work with IAM,type="documentation"] and look for the services that have *Yes* in the *Service-linked role* column. Choose a *Yes* with a link to view the service-linked role documentation for that service. -[[service-linked-role-permissions-eks-nodegroups,service-linked-role-permissions-eks-nodegroups.title]] +[#service-linked-role-permissions-eks-nodegroups] == Service-linked role permissions for Amazon EKS Amazon EKS uses the service-linked role named `AWSServiceRoleForAmazonEKSNodegroup`. The role allows Amazon EKS to manage node groups in your account. The attached `AWSServiceRoleForAmazonEKSNodegroup` policy allows the role to manage the following resources: Auto Scaling groups, security groups, launch templates, and IAM instance profiles. For more information, see <>. @@ -33,7 +33,7 @@ The role permissions policy allows Amazon EKS to complete the following actions You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions[Service-linked role permissions,type="documentation"] in the _IAM User Guide_. -[[create-service-linked-role-eks-nodegroups,create-service-linked-role-eks-nodegroups.title]] +[#create-service-linked-role-eks-nodegroups] == Creating a service-linked role for Amazon EKS You don't need to manually create a service-linked role. When you CreateNodegroup in the {aws-management-console}, the {aws} CLI, or the {aws} API, Amazon EKS creates the service-linked role for you. @@ -45,24 +45,24 @@ This service-linked role can appear in your account if you completed an action i ==== -[[create-service-linked-role-service-api-eks-nodegroups,create-service-linked-role-service-api-eks-nodegroups.title]] +[#create-service-linked-role-service-api-eks-nodegroups] === Creating a service-linked role in Amazon EKS ({aws} API) You don't need to manually create a service-linked role. When you create a managed node group in the {aws-management-console}, the {aws} CLI, or the {aws} API, Amazon EKS creates the service-linked role for you. If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you create another managed node group, Amazon EKS creates the service-linked role for you again. -[[edit-service-linked-role-eks-nodegroups,edit-service-linked-role-eks-nodegroups.title]] +[#edit-service-linked-role-eks-nodegroups] == Editing a service-linked role for Amazon EKS Amazon EKS does not allow you to edit the `AWSServiceRoleForAmazonEKSNodegroup` service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role[Editing a service-linked role,type="documentation"] in the _IAM User Guide_. -[[delete-service-linked-role-eks-nodegroups,delete-service-linked-role-eks-nodegroups.title]] +[#delete-service-linked-role-eks-nodegroups] == Deleting a service-linked role for Amazon EKS If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don't have an unused entity that is not actively monitored or maintained. However, you must clean up your service-linked role before you can manually delete it. -[[service-linked-role-review-before-delete-eks-nodegroups,service-linked-role-review-before-delete-eks-nodegroups.title]] +[#service-linked-role-review-before-delete-eks-nodegroups] === Cleaning up a service-linked role Before you can use IAM to delete a service-linked role, you must first delete any resources used by the role. @@ -81,12 +81,12 @@ If the Amazon EKS service is using the role when you try to delete the resources . Repeat this procedure for any other node groups in the cluster. Wait for all of the delete operations to finish. -[[slr-manual-delete-eks-nodegroups,slr-manual-delete-eks-nodegroups.title]] +[#slr-manual-delete-eks-nodegroups] === Manually delete the service-linked role Use the IAM console, the {aws} CLI, or the {aws} API to delete the `AWSServiceRoleForAmazonEKSNodegroup` service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role[Deleting a service-linked role,type="documentation"] in the _IAM User Guide_. -[[slr-regions-eks-nodegroups,slr-regions-eks-nodegroups.title]] +[#slr-regions-eks-nodegroups] == Supported regions for Amazon EKS service-linked roles Amazon EKS supports using service-linked roles in all of the regions where the service is available. For more information, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"]. diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc index 61467e828..17a7a9b94 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc @@ -1,5 +1,5 @@ [.topic] -[[using-service-linked-roles-eks-outpost,using-service-linked-roles-eks-outpost.title]] +[#using-service-linked-roles-eks-outpost] = Using roles for Amazon EKS local clusters on Outpost :info_titleabbrev: Local cluster role @@ -18,7 +18,7 @@ You can delete a service-linked role only after first deleting their related res For information about other services that support service-linked roles, see link:IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html[{aws} services that work with IAM,type="documentation"] and look for the services that have *Yes* in the *Service-linked role* column. Choose a *Yes* with a link to view the service-linked role documentation for that service. -[[service-linked-role-permissions,service-linked-role-permissions.title]] +[#service-linked-role-permissions] == Service-linked role permissions for Amazon EKS Amazon EKS uses the service-linked role named `AWSServiceRoleForAmazonEKSLocalOutpost`. The role allows Amazon EKS to manage local clusters in your account. The attached policies allow the role to manage the following resources: network interfaces, security groups, logs, and Amazon EC2 instances. @@ -44,24 +44,24 @@ The role permissions policy allows Amazon EKS to complete the following actions You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions[Service-linked role permissions,type="documentation"] in the _IAM User Guide_. -[[create-service-linked-role-eks-outpost,create-service-linked-role-eks-outpost.title]] +[#create-service-linked-role-eks-outpost] == Creating a service-linked role for Amazon EKS You don't need to manually create a service-linked role. When you create a cluster in the {aws-management-console}, the {aws} CLI, or the {aws} API, Amazon EKS creates the service-linked role for you. If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you create a cluster, Amazon EKS creates the service-linked role for you again. -[[edit-service-linked-role-eks-outpost,edit-service-linked-role-eks-outpost.title]] +[#edit-service-linked-role-eks-outpost] == Editing a service-linked role for Amazon EKS Amazon EKS does not allow you to edit the `AWSServiceRoleForAmazonEKSLocalOutpost` service-linked role. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role[Editing a service-linked role,type="documentation"] in the _IAM User Guide_. -[[delete-service-linked-role-eks-outpost,delete-service-linked-role-eks-outpost.title]] +[#delete-service-linked-role-eks-outpost] == Deleting a service-linked role for Amazon EKS If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don't have an unused entity that is not actively monitored or maintained. However, you must clean up your service-linked role before you can manually delete it. -[[service-linked-role-review-before-delete-eks-outpost,service-linked-role-review-before-delete-eks-outpost.title]] +[#service-linked-role-review-before-delete-eks-outpost] === Cleaning up a service-linked role Before you can use IAM to delete a service-linked role, you must first delete any resources used by the role. @@ -80,12 +80,12 @@ If the Amazon EKS service is using the role when you try to delete the resources . Repeat this procedure for any other clusters in your account. Wait for all of the delete operations to finish. -[[slr-manual-delete-eks-outpost,slr-manual-delete-eks-outpost.title]] +[#slr-manual-delete-eks-outpost] === Manually delete the service-linked role Use the IAM console, the {aws} CLI, or the {aws} API to delete the `AWSServiceRoleForAmazonEKSLocalOutpost` service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role[Deleting a service-linked role,type="documentation"] in the _IAM User Guide_. -[[slr-regions-eks-connector,slr-regions-eks-connector.title]] +[#slr-regions-eks-connector] == Supported regions for Amazon EKS service-linked roles Amazon EKS supports using service-linked roles in all of the regions where the service is available. For more information, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"]. diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc index b9548d9e9..2d2eeaf39 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc @@ -1,5 +1,5 @@ [.topic] -[[using-service-linked-roles-eks,using-service-linked-roles-eks.title]] +[#using-service-linked-roles-eks] = Using roles for Amazon EKS clusters :info_titleabbrev: Cluster role @@ -18,7 +18,7 @@ You can delete a service-linked role only after first deleting their related res For information about other services that support service-linked roles, see link:IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html[{aws} services that work with IAM,type="documentation"] and look for the services that have *Yes* in the *Service-linked role* column. Choose a *Yes* with a link to view the service-linked role documentation for that service. -[[service-linked-role-permissions-eks,service-linked-role-permissions-eks.title]] +[#service-linked-role-permissions-eks] == Service-linked role permissions for Amazon EKS Amazon EKS uses the service-linked role named `AWSServiceRoleForAmazonEKS`. The role allows Amazon EKS to manage clusters in your account. The attached policies allow the role to manage the following resources: network interfaces, security groups, logs, and VPCs. @@ -40,24 +40,24 @@ The role permissions policy allows Amazon EKS to complete the following actions You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions[Service-linked role permissions,type="documentation"] in the _IAM User Guide_. -[[create-service-linked-role-eks,create-service-linked-role-eks.title]] +[#create-service-linked-role-eks] == Creating a service-linked role for Amazon EKS You don't need to manually create a service-linked role. When you create a cluster in the {aws-management-console}, the {aws} CLI, or the {aws} API, Amazon EKS creates the service-linked role for you. If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you create a cluster, Amazon EKS creates the service-linked role for you again. -[[edit-service-linked-role-eks,edit-service-linked-role-eks.title]] +[#edit-service-linked-role-eks] == Editing a service-linked role for Amazon EKS Amazon EKS does not allow you to edit the `AWSServiceRoleForAmazonEKS` service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role[Editing a service-linked role,type="documentation"] in the _IAM User Guide_. -[[delete-service-linked-role-eks,delete-service-linked-role-eks.title]] +[#delete-service-linked-role-eks] == Deleting a service-linked role for Amazon EKS If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don't have an unused entity that is not actively monitored or maintained. However, you must clean up your service-linked role before you can manually delete it. -[[service-linked-role-review-before-delete-eks,service-linked-role-review-before-delete-eks.title]] +[#service-linked-role-review-before-delete-eks] === Cleaning up a service-linked role Before you can use IAM to delete a service-linked role, you must first delete any resources used by the role. @@ -76,12 +76,12 @@ If the Amazon EKS service is using the role when you try to delete the resources . Repeat this procedure for any other clusters in your account. Wait for all of the delete operations to finish. -[[slr-manual-delete-eks,slr-manual-delete-eks.title]] +[#slr-manual-delete-eks] === Manually delete the service-linked role Use the IAM console, the {aws} CLI, or the {aws} API to delete the `AWSServiceRoleForAmazonEKS` service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role[Deleting a service-linked role,type="documentation"] in the _IAM User Guide_. -[[slr-regions-eks,slr-regions-eks.title]] +[#slr-regions-eks] == Supported regions for Amazon EKS service-linked roles Amazon EKS supports using service-linked roles in all of the regions where the service is available. For more information, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"]. diff --git a/latest/ug/security/iam-reference/using-service-linked-roles.adoc b/latest/ug/security/iam-reference/using-service-linked-roles.adoc index d9a304df1..a3033271c 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles.adoc @@ -1,5 +1,5 @@ [.topic] -[[using-service-linked-roles,using-service-linked-roles.title]] +[#using-service-linked-roles] = Using service-linked roles for Amazon EKS :info_titleabbrev: Service-linked roles diff --git a/latest/ug/security/infrastructure-security.adoc b/latest/ug/security/infrastructure-security.adoc index 4f277bbae..b592712bb 100644 --- a/latest/ug/security/infrastructure-security.adoc +++ b/latest/ug/security/infrastructure-security.adoc @@ -1,5 +1,5 @@ [.topic] -[[infrastructure-security,infrastructure-security.title]] +[#infrastructure-security] = Infrastructure security in Amazon EKS :info_titleabbrev: Infrastructure security diff --git a/latest/ug/security/manage-secrets.adoc b/latest/ug/security/manage-secrets.adoc index d5724d866..440e4962f 100644 --- a/latest/ug/security/manage-secrets.adoc +++ b/latest/ug/security/manage-secrets.adoc @@ -1,7 +1,7 @@ include::../attributes.txt[] [.topic] -[[manage-secrets,manage-secrets.title]] +[#manage-secrets] = Use {aws} Secrets Manager secrets with Amazon EKS Pods :info_titleabbrev: {aws} Secrets Manager diff --git a/latest/ug/security/pod-security-policy-removal-faq.adoc b/latest/ug/security/pod-security-policy-removal-faq.adoc index 33b5211f1..9116eb0f6 100644 --- a/latest/ug/security/pod-security-policy-removal-faq.adoc +++ b/latest/ug/security/pod-security-policy-removal-faq.adoc @@ -1,5 +1,5 @@ [.topic] -[[pod-security-policy-removal-faq,pod-security-policy-removal-faq.title]] +[#pod-security-policy-removal-faq] = Migrate from legacy [.noloc]`Pod` security policies (PSP) :info_titleabbrev: Migrate from legacy PSP @@ -13,7 +13,7 @@ Learn about the Pod Security Policy [.noloc]`(PSPs)` removal in [.noloc]`Kuberne `PodSecurityPolicy` was https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/[deprecated in Kubernetes1.21], and has been removed in [.noloc]`Kubernetes` `1.25`. If you are using PodSecurityPolicy in your cluster, *then you must migrate to the built-in [.noloc]`Kubernetes` Pod Security Standards [.noloc]`(PSS)` or to a policy-as-code solution before upgrading your cluster to version `*1.25*` to avoid interruptions to your workloads.* Select any frequently asked question to learn more. -[[pod-security-policy-removal-what-is,pod-security-policy-removal-what-is.title]] +[#pod-security-policy-removal-what-is] .What is a [.noloc]`PSP`? [%collapsible] ==== @@ -21,7 +21,7 @@ Learn about the Pod Security Policy [.noloc]`(PSPs)` removal in [.noloc]`Kuberne https://kubernetes.io/docs/concepts/security/pod-security-policy/[PodSecurityPolicy] is a built-in admission controller that allows a cluster administrator to control security-sensitive aspects of [.noloc]`Pod` specification. If a [.noloc]`Pod` meets the requirements of its [.noloc]`PSP`, the [.noloc]`Pod` is admitted to the cluster as usual. If a [.noloc]`Pod` doesn't meet the [.noloc]`PSP` requirements, the [.noloc]`Pod` is rejected and can't run. ==== -[[pod-security-policy-removal-specific,pod-security-policy-removal-specific.title]] +[#pod-security-policy-removal-specific] .Is the [.noloc]`PSP` removal specific to Amazon EKS or is it being removed in upstream [.noloc]`Kubernetes`? [%collapsible] ==== @@ -29,7 +29,7 @@ https://kubernetes.io/docs/concepts/security/pod-security-policy/[PodSecurityPol This is an upstream change in the [.noloc]`Kubernetes` project, and not a change made in Amazon EKS. [.noloc]`PSP` was deprecated in [.noloc]`Kubernetes` `1.21` and removed in [.noloc]`Kubernetes` `1.25`. The [.noloc]`Kubernetes` community identified serious usability problems with [.noloc]`PSP`. These included accidentally granting broader permissions than intended and difficulty in inspecting which [.noloc]`PSPs` apply in a given situation. These issues couldn't be addressed without making breaking changes. This is the primary reason why the [.noloc]`Kubernetes` community https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/#why-is-podsecuritypolicy-going-away[decided to remove PSP]. ==== -[[pod-security-policy-removal-check,pod-security-policy-removal-check.title]] +[#pod-security-policy-removal-check] .How can I check if I'm using [.noloc]`PSPs` in my Amazon EKS clusters? [%collapsible] ==== @@ -50,7 +50,7 @@ kubectl get pod -A -o jsonpath='{range.items[?(@.metadata.annotations.kubernetes ---- ==== -[[pod-security-policy-removal-what-can,pod-security-policy-removal-what-can.title]] +[#pod-security-policy-removal-what-can] .If I'm using [.noloc]`PSPs` in my Amazon EKS cluster, what can I do? [%collapsible] ==== @@ -73,7 +73,7 @@ Policy-as-code solutions provide guardrails to guide cluster users and prevents There are several open source policy-as-code solutions available for [.noloc]`Kubernetes`. To review best practices for migrating [.noloc]`PSPs` to a policy-as-code solution, see the https://aws.github.io/aws-eks-best-practices/security/docs/pods/#policy-as-code-pac[Policy-as-code] section of the Pod Security page on GitHub. ==== -[[pod-security-policy-removal-privileged,pod-security-policy-removal-privileged.title]] +[#pod-security-policy-removal-privileged] .I see a [.noloc]`PSP` called `eks.privileged` in my cluster. What is it and what can I do about it? [%collapsible] ==== @@ -81,7 +81,7 @@ There are several open source policy-as-code solutions available for [.noloc]`Ku Amazon EKS clusters with [.noloc]`Kubernetes` version `1.13` or higher have a default [.noloc]`PSP` that's named `eks.privileged`. This policy is created in `1.24` and earlier clusters. It isn't used in `1.25` and later clusters. Amazon EKS automatically migrates this [.noloc]`PSP` to a [.noloc]`PSS`-based enforcement. No action is needed on your part. ==== -[[pod-security-policy-removal-prevent,pod-security-policy-removal-prevent.title]] +[#pod-security-policy-removal-prevent] .Will Amazon EKS make any changes to [.noloc]`PSPs` present in my existing cluster when I update my cluster to version `1.25`? [%collapsible] ==== @@ -89,7 +89,7 @@ Amazon EKS clusters with [.noloc]`Kubernetes` version `1.13` or higher have a de No. Besides `eks.privileged`, which is a [.noloc]`PSP` created by Amazon EKS, no changes are made to other [.noloc]`PSPs` in your cluster when you upgrade to `1.25`. ==== -[[pod-security-policy-removal-migrate,pod-security-policy-removal-migrate.title]] +[#pod-security-policy-removal-migrate] .Will Amazon EKS prevent a cluster update to version `1.25` if I haven't migrated off of [.noloc]`PSP`? [%collapsible] ==== @@ -97,7 +97,7 @@ No. Besides `eks.privileged`, which is a [.noloc]`PSP` created by Amazon EKS, no No. Amazon EKS won't prevent a cluster update to version `1.25` if you didn't migrate off of [.noloc]`PSP` yet. ==== -[[pod-security-policy-removal-forget,pod-security-policy-removal-forget.title]] +[#pod-security-policy-removal-forget] .What if I forget to migrate my [.noloc]`PSPs` to [.noloc]`PSS/PSA` or to a policy-as-code solution before I update my cluster to version `1.25`? Can I migrate after updating my cluster? [%collapsible] ==== @@ -105,7 +105,7 @@ No. Amazon EKS won't prevent a cluster update to version `1.25` if you didn't mi When a cluster that contains a [.noloc]`PSP` is upgraded to [.noloc]`Kubernetes` version `1.25`, the API server doesn't recognize the [.noloc]`PSP` resource in `1.25`. This might result in [.noloc]`Pods` getting incorrect security scopes. For an exhaustive list of implications, see https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/[Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller]. ==== -[[pod-security-policy-removal-impact,pod-security-policy-removal-impact.title]] +[#pod-security-policy-removal-impact] .How does this change impact pod security for Windows workloads? [%collapsible] ==== diff --git a/latest/ug/security/pod-security-policy.adoc b/latest/ug/security/pod-security-policy.adoc index 778abeb1f..6d1afacb9 100644 --- a/latest/ug/security/pod-security-policy.adoc +++ b/latest/ug/security/pod-security-policy.adoc @@ -1,5 +1,5 @@ [.topic] -[[pod-security-policy,pod-security-policy.title]] +[#pod-security-policy] = Understand Amazon EKS created [.noloc]`Pod` security policies [.noloc]`(PSP)` :info_titleabbrev: Legacy default PSP @@ -19,7 +19,7 @@ The `PodSecurityPolicy` ([.noloc]`PSP`) was deprecated in [.noloc]`Kubernetes` v ==== -[[default-psp,default-psp.title]] +[#default-psp] == Amazon EKS default [.noloc]`Pod` security policy Amazon EKS clusters with [.noloc]`Kubernetes` version `1.13` or higher have a default [.noloc]`Pod` security policy named `eks.privileged`. This policy has no restriction on what kind of [.noloc]`Pod` can be accepted into the system, which is equivalent to running [.noloc]`Kubernetes` with the `PodSecurityPolicy` controller disabled. @@ -86,7 +86,7 @@ Settings: You can view the full YAML file for the `eks.privileged` [.noloc]`Pod` security policy, its cluster role, and cluster role binding in <>. -[[psp-delete-default,psp-delete-default.title]] +[#psp-delete-default] == Delete the default Amazon EKS [.noloc]`Pod` security policy If you create more restrictive policies for your [.noloc]`Pods`, then after doing so, you can delete the default Amazon EKS `eks.privileged` [.noloc]`Pod` security policy to enable your custom policies. @@ -106,7 +106,7 @@ kubectl delete -f privileged-podsecuritypolicy.yaml ---- -[[psp-install-or-restore-default,psp-install-or-restore-default.title]] +[#psp-install-or-restore-default] == Install or restore the default [.noloc]`Pod` security policy If you are upgrading from an earlier version of [.noloc]`Kubernetes`, or have modified or deleted the default Amazon EKS `eks.privileged` [.noloc]`Pod` security policy, you can restore it with the following steps. diff --git a/latest/ug/security/security-best-practices.adoc b/latest/ug/security/security-best-practices.adoc index 6d457c6c5..c85687357 100644 --- a/latest/ug/security/security-best-practices.adoc +++ b/latest/ug/security/security-best-practices.adoc @@ -1,5 +1,5 @@ [.topic] -[[security-best-practices,security-best-practices.title]] +[#security-best-practices] = Secure Amazon EKS clusters with best practices :info_titleabbrev: Best practices diff --git a/latest/ug/security/security-eks.adoc b/latest/ug/security/security-eks.adoc index 589cf62c4..e898a94fd 100644 --- a/latest/ug/security/security-eks.adoc +++ b/latest/ug/security/security-eks.adoc @@ -1,5 +1,5 @@ [.topic] -[[security-eks,security-eks.title]] +[#security-eks] = Security considerations for Amazon Elastic Kubernetes Service :info_titleabbrev: Considerations for EKS diff --git a/latest/ug/security/security-k8s.adoc b/latest/ug/security/security-k8s.adoc index 47f923dfd..f8358ea0b 100644 --- a/latest/ug/security/security-k8s.adoc +++ b/latest/ug/security/security-k8s.adoc @@ -1,5 +1,5 @@ [.topic] -[[security-k8s,security-k8s.title]] +[#security-k8s] = Security considerations for [.noloc]`Kubernetes` :info_titleabbrev: Considerations for Kubernetes diff --git a/latest/ug/security/security.adoc b/latest/ug/security/security.adoc index cef5f3edc..eaabb81b7 100644 --- a/latest/ug/security/security.adoc +++ b/latest/ug/security/security.adoc @@ -1,5 +1,5 @@ [.topic] -[[security,security.title]] +[#security] = Security in Amazon EKS :doctype: book :sectnums: diff --git a/latest/ug/security/vpc-interface-endpoints.adoc b/latest/ug/security/vpc-interface-endpoints.adoc index d527246ce..20967f3dc 100644 --- a/latest/ug/security/vpc-interface-endpoints.adoc +++ b/latest/ug/security/vpc-interface-endpoints.adoc @@ -1,7 +1,7 @@ include::../attributes.txt[] [.topic] -[[vpc-interface-endpoints,vpc-interface-endpoints.title]] +[#vpc-interface-endpoints] = Access the Amazon EKS using {aws} PrivateLink :info_titleabbrev: {aws} PrivateLink @@ -16,7 +16,7 @@ You establish this private connection by creating an interface endpoint powered For more information, see link:vpc/latest/privatelink/privatelink-access-aws-services.html[Access {aws} services through {aws} PrivateLink,type="documentation"] in the _{aws} PrivateLink Guide_. -[[vpc-endpoint-considerations,vpc-endpoint-considerations.title]] +[#vpc-endpoint-considerations] == Considerations for Amazon EKS * Before you set up an interface endpoint for Amazon EKS, review link:vpc/latest/privatelink/create-interface-endpoint.html#considerations-interface-endpoints[Considerations,type="documentation"] in the _{aws} PrivateLink Guide_. @@ -31,7 +31,7 @@ For more information, see link:vpc/latest/privatelink/privatelink-access-aws-ser * {aws} PrivateLink support for the EKS API isn't available in the Asia Pacific (Malaysia) (`ap-southeast-5`), Asia Pacific (Thailand) (`ap-southeast-7`), and Mexico (Central) (`mx-central-1`) {aws} Regions. {aws} PrivateLink support for `eks-auth` for EKS Pod Identity is available in the the Asia Pacific (Malaysia) (`ap-southeast-5`) Region. -[[vpc-endpoint-create,vpc-endpoint-create.title]] +[#vpc-endpoint-create] == Create an interface endpoint for Amazon EKS You can create an interface endpoint for Amazon EKS using either the Amazon VPC console or the {aws} Command Line Interface ({aws} CLI). For more information, see link:vpc/latest/privatelink/create-interface-endpoint.html#create-interface-endpoint-aws[Create a VPC endpoint,type="documentation"] in the _{aws} PrivateLink Guide_. diff --git a/latest/ug/storage/csi-snapshot-controller.adoc b/latest/ug/storage/csi-snapshot-controller.adoc index 0d5008232..5c8c8d99a 100644 --- a/latest/ug/storage/csi-snapshot-controller.adoc +++ b/latest/ug/storage/csi-snapshot-controller.adoc @@ -1,5 +1,5 @@ [.topic] -[[csi-snapshot-controller,csi-snapshot-controller.title]] +[#csi-snapshot-controller] = Enable snapshot functionality for CSI volumes :info_titleabbrev: CSI snapshot controller :keywords: CSI, snapshot, controller diff --git a/latest/ug/storage/ebs-csi-migration-faq.adoc b/latest/ug/storage/ebs-csi-migration-faq.adoc index e71dc6745..2aab01088 100644 --- a/latest/ug/storage/ebs-csi-migration-faq.adoc +++ b/latest/ug/storage/ebs-csi-migration-faq.adoc @@ -1,5 +1,5 @@ [.topic] -[[ebs-csi-migration-faq,ebs-csi-migration-faq.title]] +[#ebs-csi-migration-faq] = Amazon EBS CSI migration frequently asked questions :info_titleabbrev: EBS CSI migration FAQ :keywords: Amazon EBS CSI driver, storage, CSI migration @@ -20,7 +20,7 @@ If you have [.noloc]`Pods` running on a version `1.22` or earlier cluster, then The Amazon EBS container storage interface (CSI) migration feature moves responsibility for handling storage operations from the Amazon EBS in-tree EBS storage provisioner to the Amazon EBS CSI driver (see <>). -[[csi-migration-faq-csi-drivers,csi-migration-faq-csi-drivers.title]] +[#csi-migration-faq-csi-drivers] == What are CSI drivers? CSI drivers: @@ -33,7 +33,7 @@ CSI drivers: For more information, see https://kubernetes-csi.github.io/docs/introduction.html[Introduction] in the [.noloc]`Kubernetes` CSI documentation. -[[csi-migration-faq-what-is,csi-migration-faq-what-is.title]] +[#csi-migration-faq-what-is] == What is CSI migration? The [.noloc]`Kubernetes` CSI Migration feature moves responsibility for handling storage operations from the existing in-tree storage plugins, such as `kubernetes.io/aws-ebs`, to corresponding CSI drivers. Existing `StorageClass`, `PersistentVolume` and `PersistentVolumeClaim` (PVC) objects continue to work, as long as the corresponding CSI driver is installed. When the feature is enabled: @@ -55,24 +55,24 @@ The in-tree `StorageClass` provisioner is named `kubernetes.io/aws-ebs`. The Ama ==== -[[csi-migration-faq-mounting-volumes,csi-migration-faq-mounting-volumes.title]] +[#csi-migration-faq-mounting-volumes] == Can I mount `kubernetes.io/aws-ebs StorageClass` volumes in version `1.23` and later clusters? Yes, as long as the <> is installed. For newly created version `1.23` and later clusters, we recommend installing the Amazon EBS CSI driver as part of your cluster creation process. We also recommend only using `StorageClasses` based on the `ebs.csi.aws.com` provisioner. If you've updated your cluster control plane to version `1.23` and haven't yet updated your nodes to `1.23`, then the `CSIMigration` and `CSIMigration{aws}` kubelet flags aren't enabled. In this case, the in-tree driver is used to mount `kubernetes.io/aws-ebs` based volumes. The Amazon EBS CSI driver must still be installed however, to ensure that [.noloc]`Pods` using `kubernetes.io/aws-ebs` based volumes can be scheduled. The driver is also required for other volume operations to succeed. -[[csi-migration-faq-aws-ebs-volumes,csi-migration-faq-aws-ebs-volumes.title]] +[#csi-migration-faq-aws-ebs-volumes] == Can I provision `kubernetes.io/aws-ebs StorageClass` volumes on Amazon EKS `1.23` and later clusters? Yes, as long as the <> is installed. -[[csi-migration-faq-aws-ebs-provisioner,csi-migration-faq-aws-ebs-provisioner.title]] +[#csi-migration-faq-aws-ebs-provisioner] == Will the `kubernetes.io/aws-ebs StorageClass` provisioner ever be removed from Amazon EKS? The `kubernetes.io/aws-ebs` `StorageClass` provisioner and `awsElasticBlockStore` volume type are no longer supported, but there are no plans to remove them. These resources are treated as a part of the [.noloc]`Kubernetes` API. -[[csi-migration-faq-ebs-csi-driver,csi-migration-faq-ebs-csi-driver.title]] +[#csi-migration-faq-ebs-csi-driver] == How do I install the Amazon EBS CSI driver? We recommend installing the <>. When an update is required to the Amazon EKS add-on, you initiate the update and Amazon EKS updates the add-on for you. If you want to manage the driver yourself, you can install it using the open source https://github.com/kubernetes-sigs/aws-ebs-csi-driver/tree/master/charts/aws-ebs-csi-driver[Helm chart]. @@ -84,7 +84,7 @@ The [.noloc]`Kubernetes` in-tree Amazon EBS driver runs on the [.noloc]`Kubernet ==== -[[csi-migration-faq-check-driver,csi-migration-faq-check-driver.title]] +[#csi-migration-faq-check-driver] == How can I check whether the Amazon EBS CSI driver is installed in my cluster? To determine whether the driver is installed on your cluster, run the following command: @@ -102,38 +102,38 @@ aws eks list-addons --cluster-name my-cluster ---- -[[csi-migration-faq-update-prevention,csi-migration-faq-update-prevention.title]] +[#csi-migration-faq-update-prevention] == Will Amazon EKS prevent a cluster update to version `1.23` if I haven't already installed the Amazon EBS CSI driver? No. -[[csi-migration-faq-driver-after-cluster-update,csi-migration-faq-driver-after-cluster-update.title]] +[#csi-migration-faq-driver-after-cluster-update] == What if I forget to install the Amazon EBS CSI driver before I update my cluster to version 1.23? Can I install the driver after updating my cluster? Yes, but volume operations requiring the Amazon EBS CSI driver will fail after your cluster update until the driver is installed. -[[csi-migration-faq-default-storageclass,csi-migration-faq-default-storageclass.title]] +[#csi-migration-faq-default-storageclass] == What is the default `StorageClass` applied in newly created Amazon EKS version `1.23` and later clusters? The default `StorageClass` behavior remains unchanged. With each new cluster, Amazon EKS applies a `kubernetes.io/aws-ebs` based `StorageClass` named `gp2`. We don't plan to ever remove this `StorageClass` from newly created clusters. Separate from the cluster default `StorageClass`, if you create an `ebs.csi.aws.com` based `StorageClass` without specifying a volume type, the Amazon EBS CSI driver will default to using `gp3`. -[[csi-migration-faq-existing-storageclasses,csi-migration-faq-existing-storageclasses.title]] +[#csi-migration-faq-existing-storageclasses] == Will Amazon EKS make any changes to `StorageClasses` already present in my existing cluster when I update my cluster to version `1.23`? No. -[[csi-migration-faq-migrate-using-snapshots,csi-migration-faq-migrate-using-snapshots.title]] +[#csi-migration-faq-migrate-using-snapshots] == How do I migrate a persistent volume from the `kubernetes.io/aws-ebs` `StorageClass` to `ebs.csi.aws.com` using snapshots? To migrate a persistent volume, see link:containers/migrating-amazon-eks-clusters-from-gp2-to-gp3-ebs-volumes[Migrating Amazon EKS clusters from gp2 to gp3 EBS volumes,type="blog"] on the {aws} blog. -[[csi-migration-faq-migrate-using-annotations,csi-migration-faq-migrate-using-annotations.title]] +[#csi-migration-faq-migrate-using-annotations] == How do I modify an Amazon EBS volume using annotations? Starting with `aws-ebs-csi-driver` `v1.19.0-eksbuild.2`, you can modify Amazon EBS volumes using annotations within each `PersistentVolumeClaim` (PVC). The new https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/modify-volume.md[volume modification] feature is implemented as an additional sidecar, called `volumemodifier`. For more information, see link:storage/simplifying-amazon-ebs-volume-migration-and-modification-using-the-ebs-csi-driver[Simplifying Amazon EBS volume migration and modification on Kubernetes using the EBS CSI Driver,type="blog"] on the {aws} blog. -[[csi-migration-faq-windows,csi-migration-faq-windows.title]] +[#csi-migration-faq-windows] == Is migration supported for Windows workloads? Yes. If you're installing the Amazon EBS CSI driver using the open source Helm chart, set `node.enableWindows` to `true`. This is set by default if installing the Amazon EBS CSI driver as an Amazon EKS add-on. When creating `StorageClasses`, set the `fsType` to a Windows file system, such as `ntfs`. Volume operations for Windows workloads are then migrated to the Amazon EBS CSI driver the same as they are for Linux workloads. diff --git a/latest/ug/storage/ebs-csi.adoc b/latest/ug/storage/ebs-csi.adoc index d67f70911..b14fab3bd 100644 --- a/latest/ug/storage/ebs-csi.adoc +++ b/latest/ug/storage/ebs-csi.adoc @@ -1,5 +1,5 @@ [.topic] -[[ebs-csi,ebs-csi.title]] +[#ebs-csi] = Store [.noloc]`Kubernetes` volumes with Amazon EBS :info_titleabbrev: Amazon EBS :keywords: Amazon EBS CSI driver, storage @@ -19,7 +19,7 @@ The Amazon Elastic Block Store (Amazon EBS) Container Storage Interface (CSI) dr The https://github.com/kubernetes-sigs/aws-ebs-csi-driver/[Amazon Elastic Block Store (Amazon EBS) Container Storage Interface (CSI) driver] manages the lifecycle of Amazon EBS volumes as storage for the Kubernetes Volumes that you create. The Amazon EBS CSI driver makes Amazon EBS volumes for these types of [.noloc]`Kubernetes` volumes: generic https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/[ephemeral volumes] and https://kubernetes.io/docs/concepts/storage/persistent-volumes/[persistent volumes]. -[[ebs-csi-considerations,ebs-csi-considerations.title]] +[#ebs-csi-considerations] == Considerations * You do not need to install the Amazon EBS CSI controller on EKS Auto Mode clusters. @@ -36,7 +36,7 @@ To use the snapshot functionality of the Amazon EBS CSI driver, you must first i ==== -[[ebs-csi-prereqs,ebs-csi-prereqs.title]] +[#ebs-csi-prereqs] == Prerequisites * An existing cluster. To see the required platform version, run the following command. @@ -51,7 +51,7 @@ aws eks describe-addon-versions --addon-name aws-ebs-csi-driver * If you're using a cluster wide restricted <>, make sure that the add-on is granted sufficient permissions to be deployed. For the permissions required by each add-on [.noloc]`Pod`, see the https://github.com/kubernetes-sigs/aws-ebs-csi-driver/tree/master/deploy/kubernetes/base[relevant add-on manifest definition] on GitHub. -[[csi-iam-role,csi-iam-role.title]] +[#csi-iam-role] == Step 1: Create an IAM role The Amazon EBS CSI plugin requires IAM permissions to make calls to {aws} APIs on your behalf. If you don't do these steps, attempting to install the add-on and running `kubectl describe pvc` will show `failed to provision volume with StorageClass` along with a `could not create volume in EC2: UnauthorizedOperation` error. For more information, see https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/install.md#set-up-driver-permissions[Set up driver permission] on [.noloc]`GitHub`. @@ -343,7 +343,7 @@ aws iam attach-role-policy \ Now that you have created the Amazon EBS CSI driver IAM role, you can continue to the next section. When you deploy the add-on with this IAM role, it creates and is configured to use a service account that's named `ebs-csi-controller-sa`. The service account is bound to a [.noloc]`Kubernetes` `clusterrole` that's assigned the required [.noloc]`Kubernetes` permissions. -[[managing-ebs-csi,managing-ebs-csi.title]] +[#managing-ebs-csi] == Step 2: Get the Amazon EBS CSI driver We recommend that you install the Amazon EBS CSI driver through the Amazon EKS add-on to improve security and reduce the amount of work. To add an Amazon EKS add-on to your cluster, see <>. For more information about add-ons, see <>. @@ -357,7 +357,7 @@ Before adding the Amazon EBS driver as an Amazon EKS add-on, confirm that you do Alternatively, if you want a self-managed installation of the Amazon EBS CSI driver, see https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/install.md[Installation] on [.noloc]`GitHub`. -[[ebs-sample-app,ebs-sample-app.title]] +[#ebs-sample-app] == Step 3: Deploy a sample application You can deploy a variety of sample apps and modify them as needed. For more information, see https://github.com/kubernetes-sigs/aws-ebs-csi-driver/tree/master/examples/kubernetes[Kubernetes Examples] on [.noloc]`GitHub`. diff --git a/latest/ug/storage/efs-csi.adoc b/latest/ug/storage/efs-csi.adoc index 6ede51eaf..2c9d96765 100644 --- a/latest/ug/storage/efs-csi.adoc +++ b/latest/ug/storage/efs-csi.adoc @@ -1,5 +1,5 @@ [.topic] -[[efs-csi,efs-csi.title]] +[#efs-csi] = Store an elastic file system with Amazon EFS :info_titleabbrev: Amazon EFS :keywords: Amazon EFS CSI driver, storage @@ -13,7 +13,7 @@ The Amazon EFS Container Storage Interface (CSI) driver provides a CSI interface link:efs/latest/ug/whatisefs.html[Amazon Elastic File System,type="documentation"] (Amazon EFS) provides serverless, fully elastic file storage so that you can share file data without provisioning or managing storage capacity and performance. The https://github.com/kubernetes-sigs/aws-efs-csi-driver[Amazon EFS Container Storage Interface (CSI) driver] provides a CSI interface that allows [.noloc]`Kubernetes` clusters running on {aws} to manage the lifecycle of Amazon EFS file systems. This topic shows you how to deploy the Amazon EFS CSI driver to your Amazon EKS cluster. -[[efs-csi.considerations,efs-csi.considerations.title]] +[#efs-csi-considerations] == Considerations * The Amazon EFS CSI driver isn't compatible with Windows-based container images. @@ -26,7 +26,7 @@ link:efs/latest/ug/whatisefs.html[Amazon Elastic File System,type="documentation * The Amazon EFS CSI driver isn't compatible with Amazon EKS Hybrid Nodes. -[[efs-csi.prereqs,efs-csi.prereqs.title]] +[#efs-csi-prereqs] == Prerequisites * An existing {aws} Identity and Access Management (IAM) [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you already have one, or to create one, see <>. @@ -40,7 +40,7 @@ A [.noloc]`Pod` running on Fargate automatically mounts an Amazon EFS file syste ==== -[[efs-create-iam-resources,efs-create-iam-resources.title]] +[#efs-create-iam-resources] == Step 1: Create an IAM role The Amazon EFS CSI driver requires IAM permissions to interact with your file system. Create an IAM role and attach the required {aws} managed policy to it. To implement this procedure, you can use one of these tools: @@ -176,19 +176,19 @@ aws iam attach-role-policy \ ---- -[[efs-install-driver,efs-install-driver.title]] +[#efs-install-driver] == Step 2: Get the Amazon EFS CSI driver We recommend that you install the Amazon EFS CSI driver through the Amazon EKS add-on. To add an Amazon EKS add-on to your cluster, see <>. For more information about add-ons, see <>. If you're unable to use the Amazon EKS add-on, we encourage you to submit an issue about why you can't to the https://github.com/aws/containers-roadmap/issues[Containers roadmap GitHub repository]. Alternatively, if you want a self-managed installation of the Amazon EFS CSI driver, see https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/README.md#installation[Installation] on [.noloc]`GitHub`. -[[efs-create-filesystem,efs-create-filesystem.title]] +[#efs-create-filesystem] == Step 3: Create an Amazon EFS file system To create an Amazon EFS file system, see https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/efs-create-filesystem.md[Create an Amazon EFS file system for Amazon EKS] on [.noloc]`GitHub`. -[[efs-sample-app,efs-sample-app.title]] +[#efs-sample-app] == Step 4: Deploy a sample application You can deploy a variety of sample apps and modify them as needed. For more information, see https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/README.md#examples[Examples] on [.noloc]`GitHub`. diff --git a/latest/ug/storage/file-cache-csi.adoc b/latest/ug/storage/file-cache-csi.adoc index 4ddfd550f..b48e97641 100644 --- a/latest/ug/storage/file-cache-csi.adoc +++ b/latest/ug/storage/file-cache-csi.adoc @@ -1,5 +1,5 @@ [.topic] -[[file-cache-csi,file-cache-csi.title]] +[#file-cache-csi] = Minimize latency with Amazon File Cache :info_titleabbrev: Amazon File Cache :keywords: Amazon File Cache CSI driver, storage diff --git a/latest/ug/storage/fsx-csi.adoc b/latest/ug/storage/fsx-csi.adoc index f21e8817a..217470b25 100644 --- a/latest/ug/storage/fsx-csi.adoc +++ b/latest/ug/storage/fsx-csi.adoc @@ -1,5 +1,5 @@ [.topic] -[[fsx-csi,fsx-csi.title]] +[#fsx-csi] = Store high-performance apps with FSx for Lustre :info_titleabbrev: Amazon FSx for Lustre :keywords: Amazon FSx for Lustre CSI driver, storage diff --git a/latest/ug/storage/fsx-ontap.adoc b/latest/ug/storage/fsx-ontap.adoc index a38cb6268..0714fa61f 100644 --- a/latest/ug/storage/fsx-ontap.adoc +++ b/latest/ug/storage/fsx-ontap.adoc @@ -1,5 +1,5 @@ [.topic] -[[fsx-ontap,fsx-ontap.title]] +[#fsx-ontap] = Store high-performance apps with FSx for NetApp ONTAP :info_titleabbrev: Amazon FSx for NetApp ONTAP :keywords: Amazon FSx for NetApp ONTAP CSI driver, storage diff --git a/latest/ug/storage/fsx-openzfs-csi.adoc b/latest/ug/storage/fsx-openzfs-csi.adoc index 356f80352..ba1d4e2cb 100644 --- a/latest/ug/storage/fsx-openzfs-csi.adoc +++ b/latest/ug/storage/fsx-openzfs-csi.adoc @@ -1,5 +1,5 @@ [.topic] -[[fsx-openzfs-csi,fsx-openzfs-csi.title]] +[#fsx-openzfs-csi] = Store data using Amazon FSx for OpenZFS :info_titleabbrev: Amazon FSx for OpenZFS :keywords: Amazon FSx for OpenZFS CSI driver, storage diff --git a/latest/ug/storage/s3-csi.adoc b/latest/ug/storage/s3-csi.adoc index 0b3318d42..101f79b8f 100644 --- a/latest/ug/storage/s3-csi.adoc +++ b/latest/ug/storage/s3-csi.adoc @@ -1,5 +1,5 @@ [.topic] -[[s3-csi,s3-csi.title]] +[#s3-csi] = Access Amazon S3 objects with Mountpoint for Amazon S3 CSI driver :info_titleabbrev: Mountpoint for Amazon S3 :keywords: Mountpoint for Amazon S3 CSI driver, storage @@ -13,7 +13,7 @@ Learn about the Amazon S3 Container Storage Interface (CSI) driver, which provid With the https://github.com/awslabs/mountpoint-s3-csi-driver[Mountpoint for Amazon S3 Container Storage Interface (CSI) driver], your [.noloc]`Kubernetes` applications can access Amazon S3 objects through a file system interface, achieving high aggregate throughput without changing any application code. Built on https://github.com/awslabs/mountpoint-s3[Mountpoint for Amazon S3], the CSI driver presents an Amazon S3 bucket as a volume that can be accessed by containers in Amazon EKS and self-managed [.noloc]`Kubernetes` clusters. This topic shows you how to deploy the [.noloc]`Mountpoint` for Amazon S3 CSI driver to your Amazon EKS cluster. -[[s3-csi-considerations,s3-csi-considerations.title]] +[#s3-csi-considerations] == Considerations * The [.noloc]`Mountpoint` for Amazon S3 CSI driver isn't presently compatible with Windows-based container images. @@ -25,7 +25,7 @@ NOTE: Static provisioning refers to using an existing Amazon S3 bucket that is s * Volumes mounted with the [.noloc]`Mountpoint` for Amazon S3 CSI driver don't support all POSIX file-system features. For details about file-system behavior, see https://github.com/awslabs/mountpoint-s3/blob/main/doc/SEMANTICS.md[Mountpoint for Amazon S3 file system behavior] on [.noloc]`GitHub`. -[[s3-csi-prereqs,s3-csi-prereqs.title]] +[#s3-csi-prereqs] == Prerequisites * An existing {aws} Identity and Access Management (IAM) [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you already have one, or to create one, see <>. @@ -33,7 +33,7 @@ NOTE: Static provisioning refers to using an existing Amazon S3 bucket that is s * The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. -[[s3-create-iam-policy,s3-create-iam-policy.title]] +[#s3-create-iam-policy] == Create an IAM policy The [.noloc]`Mountpoint` for Amazon S3 CSI driver requires Amazon S3 permissions to interact with your file system. This section shows how to create an IAM policy that grants the necessary permissions. @@ -104,7 +104,7 @@ Below is an example of least-privilege policy that you would use for a directory . Choose *Create policy*. -[[s3-create-iam-role,s3-create-iam-role.title]] +[#s3-create-iam-role] == Create an IAM role The [.noloc]`Mountpoint` for Amazon S3 CSI driver requires Amazon S3 permissions to interact with your file system. This section shows how to create an IAM role to delegate these permissions. To create this role, you can use one of these tools: @@ -270,7 +270,7 @@ kubectl apply -f mountpoint-s3-service-account.yaml NOTE: When you deploy the plugin in this procedure, it creates and is configured to use a service account named `s3-csi-driver-sa`. -[[s3-install-driver,s3-install-driver.title]] +[#s3-install-driver] == Install the [.noloc]`Mountpoint` for Amazon S3 CSI driver You may install the [.noloc]`Mountpoint` for Amazon S3 CSI driver through the Amazon EKS add-on. You can use the following tools to add the add-on to your cluster: @@ -354,17 +354,17 @@ aws eks create-addon --cluster-name my-cluster --addon-name aws-mountpoint-s3-cs ---- -[[s3-configure-mountpoint,s3-configure-mountpoint.title]] +[#s3-configure-mountpoint] == Configure [.noloc]`Mountpoint` for Amazon S3 In most cases, you can configure [.noloc]`Mountpoint` for Amazon S3 with only a bucket name. For instructions on configuring [.noloc]`Mountpoint` for Amazon S3, see https://github.com/awslabs/mountpoint-s3/blob/main/doc/CONFIGURATION.md[Configuring Mountpoint for Amazon S3] on [.noloc]`GitHub`. -[[s3-sample-app,s3-sample-app.title]] +[#s3-sample-app] == Deploy a sample application You can deploy static provisioning to the driver on an existing Amazon S3 bucket. For more information, see https://github.com/awslabs/mountpoint-s3-csi-driver/blob/main/examples/kubernetes/static_provisioning/README.md[Static provisioning] on [.noloc]`GitHub`. -[[removing-s3-csi-eks-add-on,removing-s3-csi-eks-add-on.title]] +[#removing-s3-csi-eks-add-on] == Remove [.noloc]`Mountpoint` for Amazon S3 CSI Driver You have two options for removing an Amazon EKS add-on. diff --git a/latest/ug/storage/storage.adoc b/latest/ug/storage/storage.adoc index e061daabc..b86bae2e4 100644 --- a/latest/ug/storage/storage.adoc +++ b/latest/ug/storage/storage.adoc @@ -1,4 +1,4 @@ -[[storage,storage.title]] +[#storage] = Store application data for your cluster :doctype: book :sectnums: diff --git a/latest/ug/troubleshooting/troubleshooting.adoc b/latest/ug/troubleshooting/troubleshooting.adoc index 26aa9f3e4..52071c7c7 100644 --- a/latest/ug/troubleshooting/troubleshooting.adoc +++ b/latest/ug/troubleshooting/troubleshooting.adoc @@ -1,4 +1,4 @@ -[[troubleshooting,troubleshooting.title]] +[#troubleshooting] = Troubleshoot problems with Amazon EKS clusters and nodes :doctype: book :sectnums: @@ -22,7 +22,7 @@ This chapter covers some common errors that you may see while using Amazon EKS a For other troubleshooting information, see https://repost.aws/tags/knowledge-center/TA4IvCeWI1TE66q4jEj4Z9zg/amazon-elastic-kubernetes-service[Knowledge Center content about Amazon Elastic Kubernetes Service] on _{aws} re:Post_. -[[ice,ice.title]] +[#ice] == Insufficient capacity If you receive the following error while attempting to create an Amazon EKS cluster, then one of the Availability Zones you specified doesn't have sufficient capacity to support a cluster. @@ -33,7 +33,7 @@ Retry creating your cluster with subnets in your cluster VPC that are hosted in There are Availability Zones that a cluster can't reside in. Compare the Availability Zones that your subnets are in with the list of Availability Zones in the <>. -[[worker-node-fail,worker-node-fail.title]] +[#worker-node-fail] == Nodes fail to join cluster There are a few common reasons that prevent nodes from joining the cluster: @@ -62,7 +62,7 @@ If the nodes are self-managed, and you haven't created <>. -[[python-version,python-version.title]] +[#python-version] == `hostname doesn't match` Your system's Python version must be `2.7.9` or later. Otherwise, you receive `hostname doesn't match` errors with {aws} CLI calls to Amazon EKS. For more information, see https://requests.readthedocs.io/en/latest/community/faq.html#what-are-hostname-doesn-t-match-errors[What are "hostname doesn't match" errors?] in the _Python Requests Frequently Asked Questions_. -[[troubleshoot-docker-cidr,troubleshoot-docker-cidr.title]] +[#troubleshoot-docker-cidr] == `getsockopt: no route to host` [.noloc]`Docker` runs in the `172.17.0.0/16` CIDR range in Amazon EKS clusters. We recommend that your cluster's VPC subnets do not overlap this range. Otherwise, you will receive the following error: @@ -99,12 +99,12 @@ Error: : error upgrading connection: error dialing backend: dial tcp 172.17. ---- -[[instances-failed-to-join,instances-failed-to-join.title]] +[#instances-failed-to-join] == `Instances failed to join the Kubernetes cluster` If you receive the error `Instances failed to join the Kubernetes cluster` in the {aws-management-console}, ensure that either the cluster's private endpoint access is enabled, or that you have correctly configured CIDR blocks for public endpoint access. For more information, see <>. -[[troubleshoot-managed-node-groups,troubleshoot-managed-node-groups.title]] +[#troubleshoot-managed-node-groups] == Managed node group error codes If your managed node group encounters a hardware health issue, Amazon EKS returns an error code to help you to diagnose the issue. These health checks don't detect software issues because they are based on link:AWSEC2/latest/UserGuide/monitoring-system-instance-status-check.html[Amazon EC2 health checks,type="documentation"]. The following list describes the error codes. @@ -175,7 +175,7 @@ These errors are usually caused by an Amazon EKS server-side issue. -[[access-denied-managed-node-groups,access-denied-managed-node-groups.title]] +[#access-denied-managed-node-groups] .Fixing a common cause of `AccessDenied` errors for managed node groups [%collapsible] ==== @@ -311,19 +311,19 @@ kubectl apply -f eks-node-manager-role.yaml Retry the node group operation to see if that resolved your issue. ==== -[[not-authorized-for-images,not-authorized-for-images.title]] +[#not-authorized-for-images] == `Not authorized for images` One potential cause of a `Not authorized for images` error message is using a private Amazon EKS [.noloc]`Windows` AMI to launch [.noloc]`Windows` managed node groups. After releasing new [.noloc]`Windows` AMIs, {aws} makes AMIs that are older than 4 months private, which makes them no longer accessible. If your managed node group is using a private [.noloc]`Windows` AMI, consider <>. While we can't guarantee that we can provide access to AMIs that have been made private, you can request access by filing a ticket with {aws} Support. For more information, see link:AWSEC2/latest/WindowsGuide/aws-windows-ami.html#ami-patches-security-ID[Patches, security updates, and AMI IDs,type="documentation"] in the _Amazon EC2 User Guide_. -[[not-ready,not-ready.title]] +[#not-ready] == Node is in `NotReady` state If your node enters a `NotReady` status, this likely indicates that the node is unhealthy and unavailable to schedule new [.noloc]`Pods`. This can occur for various reasons, such as the node lacking sufficient resources for CPU, memory, or available disk space. For Amazon EKS optimized [.noloc]`Windows` AMIs, there's no reservation for compute resources specified by default in the `kubelet` configuration. To help prevent resource issues, you can reserve compute resources for system processes by providing the `kubelet` with configuration values for https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/#kube-reserved[kube-reserved] and/or https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/#system-reserved[system-reserved]. You do this using the `-KubeletExtraArgs` command-line parameter in the bootstrap script. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/[Reserve Compute Resources for System Daemons] in the [.noloc]`Kubernetes` documentation and <> in this user guide. -[[troubleshoot-cni,troubleshoot-cni.title]] +[#troubleshoot-cni] == CNI log collection tool The [.noloc]`Amazon VPC CNI plugin for Kubernetes` has its own troubleshooting script that is available on nodes at `/opt/cni/bin/aws-cni-support.sh`. You can use the script to collect diagnostic logs for support cases and general troubleshooting. @@ -382,7 +382,7 @@ The diagnostic information is collected and stored at: ---- -[[troubleshoot-container-runtime-network,troubleshoot-container-runtime-network.title]] +[#troubleshoot-container-runtime-network] == Container runtime network not ready You may receive a `Container runtime network not ready` error and authorization errors similar to the following: @@ -417,7 +417,7 @@ aws eks create-access-entry --cluster-name my-cluster --principal-arn {arn-aws}i ---- -[[troubleshoot-tls-handshake-timeout,troubleshoot-tls-handshake-timeout.title]] +[#troubleshoot-tls-handshake-timeout] == TLS handshake timeout When a node is unable to establish a connection to the public API server endpoint, you may see an error similar to the following error. @@ -431,7 +431,7 @@ The `kubelet` process will continually respawn and test the API server endpoint. To resolve the issue, check the route table and security groups to ensure that traffic from the nodes can reach the public endpoint. -[[default-region-env-variable,default-region-env-variable.title]] +[#default-region-env-variable] == InvalidClientTokenId If you're using IAM roles for service accounts for a [.noloc]`Pod` or [.noloc]`DaemonSet` deployed to a cluster in a China {aws} Region, and haven't set the `AWS_DEFAULT_REGION` environment variable in the spec, the [.noloc]`Pod` or [.noloc]`DaemonSet` may receive the following error: @@ -461,19 +461,19 @@ spec: ---- -[[troubleshoot-node-grups-must-match-kubernetes-version,troubleshoot-node-grups-must-match-kubernetes-version.title]] +[#troubleshoot-node-grups-must-match-kubernetes-version] == Node groups must match [.noloc]`Kubernetes` version before upgrading control plane Before you upgrade a control plane to a new [.noloc]`Kubernetes` version, the minor version of the managed and Fargate nodes in your cluster must be the same as the version of your control plane's current version. The Amazon EKS `update-cluster-version` API rejects requests until you upgrade all Amazon EKS managed nodes to the current cluster version. Amazon EKS provides APIs to upgrade managed nodes. For information on upgrading a managed node group's [.noloc]`Kubernetes` version, see <>. To upgrade the version of a Fargate node, delete the [.noloc]`pod` that's represented by the node and redeploy the [.noloc]`pod` after you upgrade your control plane. For more information, see <>. -[[too-many-requests,too-many-requests.title]] +[#too-many-requests] == When launching many nodes, there are `Too Many Requests` errors If you launch many nodes simultaneously, you may see an error message in the link:AWSEC2/latest/UserGuide/user-data.html#user-data-shell-scripts[Amazon EC2 user data,type="documentation"] execution logs that says `Too Many Requests`. This can occur because the control plane is being overloaded with `describeCluster` calls. The overloading results in throttling, nodes failing to run the bootstrap script, and nodes failing to join the cluster altogether. Make sure that `--apiserver-endpoint`, `--b64-cluster-ca`, and `--dns-cluster-ip` arguments are being passed to the node's bootstrap script. When including these arguments, there's no need for the bootstrap script to make a `describeCluster` call, which helps prevent the control plane from being overloaded. For more information, see <>. -[[troubleshooting-boundservicetoken,troubleshooting-boundservicetoken.title]] +[#troubleshooting-boundservicetoken] == HTTP 401 unauthorized error response on [.noloc]`Kubernetes` API server requests You see these errors if a [.noloc]`Pod's` service account token has expired on a cluster. @@ -492,7 +492,7 @@ Your Amazon EKS cluster's [.noloc]`Kubernetes` API server rejects requests with You can identify all existing [.noloc]`Pods` in your cluster that are using stale tokens. For more information, see <>. -[[troubleshooting-platform-version,troubleshooting-platform-version.title]] +[#troubleshooting-platform-version] == Amazon EKS platform version is more than two versions behind the current platform version This can happen when Amazon EKS isn't able to automatically update your cluster's <>. Though there are many causes for this, some of the common causes follow. If any of these problems apply to your cluster, it may still function, its platform version just won't be updated by Amazon EKS. @@ -603,7 +603,7 @@ When you initiate a [.noloc]`Kubernetes` version update for your cluster, the up * You enabled <> when you created your cluster and the {aws} KMS key that you specified has been deleted. If you want Amazon EKS to update the cluster, you need to create a new cluster -[[cluster-health-status,cluster-health-status.title]] +[#cluster-health-status] == Cluster health FAQs and error codes with resolution paths Amazon EKS detects issues with your EKS clusters and the cluster infrastructure and stores it in the _cluster health_. You can detect, troubleshoot, and address cluster issues more rapidly with the aid of cluster health information. This enables you to create application environments that are more secure and up-to-date. Additionally, it may be impossible for you to upgrade to newer versions of [.noloc]`Kubernetes` or for Amazon EKS to install security updates on a degraded cluster as a result of issues with the necessary infrastructure or cluster configuration. Amazon EKS can take 3 hours to detect issues or detect that an issue is resolved. diff --git a/latest/ug/what-is/common-use-cases.adoc b/latest/ug/what-is/common-use-cases.adoc index f1b7225d6..9b5026f77 100644 --- a/latest/ug/what-is/common-use-cases.adoc +++ b/latest/ug/what-is/common-use-cases.adoc @@ -1,5 +1,5 @@ [.topic] -[[common-use-cases,common-use-cases.title]] +[#common-use-cases] = Common use cases in Amazon EKS :info_titleabbrev: Common use cases :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, use cases, summary, description diff --git a/latest/ug/what-is/eks-architecture.adoc b/latest/ug/what-is/eks-architecture.adoc index 3ab961efa..5d9e92513 100644 --- a/latest/ug/what-is/eks-architecture.adoc +++ b/latest/ug/what-is/eks-architecture.adoc @@ -1,5 +1,5 @@ [.topic] -[[eks-architecture,eks-architecture.title]] +[#eks-architecture] = Amazon EKS architecture :info_titleabbrev: Architecture :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, architecture, control plane, nodes, data plane @@ -13,7 +13,7 @@ Learn how Amazon EKS aligns with [.noloc]`Kubernetes` cluster architecture, offe Amazon EKS aligns with the general cluster architecture of [.noloc]`Kubernetes`. For more information, see https://kubernetes.io/docs/concepts/overview/components/[Kubernetes Components] in the [.noloc]`Kubernetes` documentation. The following sections summarize some extra architecture details for Amazon EKS. -[[control-plane,control-plane.title]] +[#control-plane] == Control plane Amazon EKS ensures every cluster has its own unique [.noloc]`Kubernetes` control plane. This design keeps each cluster's infrastructure separate, with no overlaps between clusters or {aws} accounts. The setup includes: @@ -37,7 +37,7 @@ By running clusters across multiple Availability Zones, a reliable link:eks/sla Amazon EKS uses Amazon Virtual Private Cloud (Amazon VPC) to limit traffic between control plane components within a single cluster. Cluster components can't view or receive communication from other clusters or {aws} accounts, except when authorized by [.noloc]`Kubernetes` role-based access control (RBAC) policies. -[[nodes,nodes.title]] +[#nodes] == Compute In addition to the control plane, an Amazon EKS cluster has a set of worker machines called nodes. Selecting the appropriate Amazon EKS cluster node type is crucial for meeting your specific requirements and optimizing resource utilization. Amazon EKS offers the following primary node types: diff --git a/latest/ug/what-is/eks-deployment-options.adoc b/latest/ug/what-is/eks-deployment-options.adoc index 37c9239c0..5384d0b71 100644 --- a/latest/ug/what-is/eks-deployment-options.adoc +++ b/latest/ug/what-is/eks-deployment-options.adoc @@ -1,5 +1,5 @@ [.topic] -[[eks-deployment-options,eks-deployment-options.title]] +[#eks-deployment-options] = Deploy Amazon EKS clusters across cloud and on-premises environments :info_titleabbrev: Deployment options :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, deployment, options, comparison @@ -11,7 +11,7 @@ include::../attributes.txt[] Learn to deploy [.noloc]`Kubernetes` clusters with Amazon EKS across cloud and on-premises environments to meet your operational needs, while leveraging {aws} services and support. -- -[[understand-deployment-options,understand-deployment-options.title]] +[#understand-deployment-options] == Understand Amazon EKS deployment options Amazon Elastic Kubernetes Service (Amazon EKS) is a fully managed Kubernetes service that enables you to run Kubernetes seamlessly in the cloud and in your on-premises environments. @@ -20,7 +20,7 @@ In the cloud, Amazon EKS automates Kubernetes cluster infrastructure management To simplify running Kubernetes in your on-premises environments, you can use the same Amazon EKS clusters, features, and tools to <> or link:eks/latest/userguide/hybrid-nodes-overview.html[Amazon EKS Hybrid Nodes,type="documentation"] on your own infrastructure, or you can use https://anywhere.eks.amazonaws.com/[Amazon EKS Anywhere]for self-contained air-gapped environments. -[[eks-cloud-deployment-options,eks-cloud-deployment-options.title]] +[#eks-cloud-deployment-options] == Amazon EKS in the cloud You can use Amazon EKS with compute in {aws} Regions, {aws} Local Zones, and {aws} Wavelength Zones. With Amazon EKS in the cloud, the security, scalability, and availability of the Kubernetes control plane is fully managed by {aws} in the {aws} Region. When running applications with compute in {aws} Regions, you get the full breadth of {aws} and Amazon EKS features, including Amazon EKS Auto Mode, which fully automates Kubernetes cluster infrastructure management for compute, storage, and networking on {aws} with a single click. When running applications with compute in {aws} Local Zones and {aws} Wavelength Zones, you can use Amazon EKS self-managed nodes to connect Amazon EC2 instances for your cluster compute and can use the other available {aws} services in {aws} Local Zones and {aws} Wavelength Zones. For more information see https://aws.amazon.com/about-aws/global-infrastructure/localzones/features/[{aws} Local Zones features] and https://aws.amazon.com/wavelength/features/[{aws} Wavelength Zones features]. @@ -52,7 +52,7 @@ a|* Amazon EKS Managed Node Groups (Local Zones only) |{aws} Local or Wavelength Zones |=== -[[dc-or-edge-deployment-options,dc-or-edge-deployment-options.title]] +[#dc-or-edge-deployment-options] == Amazon EKS in your data center or edge environments If you need to run applications in your own data centers or edge environments, you can use <> or link:eks/latest/userguide/hybrid-nodes.html[Amazon EKS Hybrid Nodes,type="documentation"]. You can use self-managed nodes with Amazon EC2 instances on {aws} Outposts for your cluster compute, or you can use Amazon EKS Hybrid Nodes with your own on-premises or edge infrastructure for your cluster compute. {aws} Outposts is {aws}-managed infrastructure that you run in your data centers or co-location facilities, whereas Amazon EKS Hybrid Nodes runs on your physical or virtual machines that you manage in your on-premises or edge environments. Amazon EKS on {aws} Outposts and Amazon EKS Hybrid Nodes require a reliable connection from your on-premises environments to an {aws} Region, and you can use the same Amazon EKS clusters, features, and tools you use to run applications in the cloud. When running on {aws} Outposts, you can alternatively deploy the entire Kubernetes cluster on {aws} Outposts with Amazon EKS local clusters on {aws} Outposts. @@ -81,7 +81,7 @@ If you need to run applications in your own data centers or edge environments, y |Customer data center or edge environment |=== -[[air-gapped-deployment-options,air-gapped-deployment-options.title]] +[#air-gapped-deployment-options] == Amazon EKS Anywhere for air-gapped environments https://aws.amazon.com/eks/eks-anywhere/[Amazon EKS Anywhere] simplifies Kubernetes cluster management through the automation of undifferentiated heavy lifting such as infrastructure setup and Kubernetes cluster lifecycle operations in on-premises and edge environments. Unlike Amazon EKS, Amazon EKS Anywhere is a customer-managed product and customers are responsible for cluster lifecycle operations and maintenance of Amazon EKS Anywhere clusters. Amazon EKS Anywhere is built on the Kubernetes sub-project Cluster API (CAPI) and supports a range of infrastructure including VMware vSphere, bare metal, Nutanix, Apache CloudStack, and {aws} Snow. Amazon EKS Anywhere can be run in air-gapped environments and offers optional integrations with regional {aws} services for observability and identity management. To receive support for Amazon EKS Anywhere and access to {aws}-vended Kubernetes add-ons, you can purchase https://aws.amazon.com/eks/eks-anywhere/pricing/[Amazon EKS Anywhere Enterprise Subscriptions]. @@ -104,7 +104,7 @@ https://aws.amazon.com/eks/eks-anywhere/[Amazon EKS Anywhere] simplifies Kuberne |Customer data center or edge environment |=== -[[tooling-deployment-options,tooling-deployment-options.title]] +[#tooling-deployment-options] == Amazon EKS tooling You can use the <> to register and connect any conformant Kubernetes cluster to {aws} and view it in the Amazon EKS console. After a cluster is connected, you can see the status, configuration, and workloads for that cluster in the Amazon EKS console. You can use this feature to view connected clusters in Amazon EKS console, but the Amazon EKS Connector does not enable management or mutating operations for your connected clusters through the Amazon EKS console. diff --git a/latest/ug/what-is/kubernetes-concepts.adoc b/latest/ug/what-is/kubernetes-concepts.adoc index 3567230d9..5eb1e6eaa 100644 --- a/latest/ug/what-is/kubernetes-concepts.adoc +++ b/latest/ug/what-is/kubernetes-concepts.adoc @@ -1,5 +1,5 @@ [.topic] -[[kubernetes-concepts,kubernetes-concepts.title]] +[#kubernetes-concepts] = [.noloc]`Kubernetes` concepts :info_titleabbrev: Kubernetes concepts :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, architecture, control plane, nodes, data plane @@ -20,7 +20,7 @@ This page divides [.noloc]`Kubernetes` concepts into three sections: <>. -[[why-kubernetes,why-kubernetes.title]] +[#why-kubernetes] == Why [.noloc]`Kubernetes`? [.noloc]`Kubernetes` was designed to improve availability and scalability when running mission-critical, production-quality containerized applications. Rather than just running [.noloc]`Kubernetes` on a single machine (although that is possible), [.noloc]`Kubernetes` achieves those goals by allowing you to run applications across sets of computers that can expand or contract to meet demand. [.noloc]`Kubernetes` includes features that make it easier for you to: @@ -36,7 +36,7 @@ As you go through this content, links will lead you to further descriptions of [ Having [.noloc]`Kubernetes` automate these types of complex tasks allows an application developer to focus on building and improving their application workloads, rather than worrying about infrastructure. The developer typically creates configuration files, formatted as YAML files, that describe the desired state of the application. This could include which containers to run, resource limits, number of Pod replicas, CPU/memory allocation, affinity rules, and more. -[[attributes-of-kubernetes,attributes-of-kubernetes.title]] +[#attributes-of-kubernetes] === Attributes of [.noloc]`Kubernetes` To achieve its goals, [.noloc]`Kubernetes` has the following attributes: @@ -52,7 +52,7 @@ To achieve its goals, [.noloc]`Kubernetes` has the following attributes: * *Portable* -- Many organizations have standardized their operations on [.noloc]`Kubernetes` because it allows them to manage all of their application needs in the same way. Developers can use the same pipelines to build and store containerized applications. Those applications can then be deployed to [.noloc]`Kubernetes` clusters running on-premises, in clouds, on point-of-sales terminals in restaurants, or on IOT devices dispersed across company's remote sites. Its open source nature makes it possible for people to develop these special [.noloc]`Kubernetes` distributions, along will tools needed to manage them. -[[managing-kubernetes,managing-kubernetes.title]] +[#managing-kubernetes] === Managing [.noloc]`Kubernetes` [.noloc]`Kubernetes` source code is freely available, so with your own equipment you could install and manage [.noloc]`Kubernetes` yourself. However, self-managing [.noloc]`Kubernetes` requires deep operational expertise and takes time and effort to maintain. For those reasons, most people deploying production workloads choose a cloud provider (such as Amazon EKS) or on-premises provider (such as Amazon EKS Anywhere) with its own tested [.noloc]`Kubernetes` distribution and support of [.noloc]`Kubernetes` experts. This allows you to offload much of the undifferentiated heavy lifting needed to maintain your clusters, including: @@ -65,7 +65,7 @@ To achieve its goals, [.noloc]`Kubernetes` has the following attributes: * *Add-ons* -- There are hundreds of projects built to extend and work with [.noloc]`Kubernetes` that you can add to your cluster's infrastructure or use to aid the running of your workloads. Instead of building and managing those add-ons yourself, {aws} provides <> that you can use with your clusters. Amazon EKS Anywhere provides https://anywhere.eks.amazonaws.com/docs/packages/[Curated Packages] that include builds of many popular open source projects. So you don't have to build the software yourself or manage critical security patches, bug fixes, or upgrades. Likewise, if the defaults meet your needs, it's typical for very little configuration of those add-ons to be needed. See <> for details on extending your cluster with add-ons. -[[kubernetes-in-action,kubernetes-in-action.title]] +[#kubernetes-in-action] === [.noloc]`Kubernetes` in action The following diagram shows key activities you would do as a [.noloc]`Kubernetes` Admin or Application Developer to create and use a [.noloc]`Kubernetes` cluster. In the process, it illustrates how [.noloc]`Kubernetes` components interact with each other, using the {aws} cloud as the example of the underlying cloud provider. @@ -84,14 +84,14 @@ To run the application, the developer can create YAML-formatted configuration fi The following sections go through details of each of these features, from the perspective of [.noloc]`Kubernetes` Clusters and Workloads. -[[concepts-clusters,concepts-clusters.title]] +[#concepts-clusters] == Clusters If your job is to start and manage [.noloc]`Kubernetes` clusters, you should know how [.noloc]`Kubernetes` clusters are created, enhanced, managed, and deleted. You should also know what the components are that make up a cluster and what you need to do to maintain those components. Tools for managing clusters handle the overlap between the [.noloc]`Kubernetes` services and the underlying hardware provider. For that reason, automation of these tasks tend to be done by the [.noloc]`Kubernetes` provider (such as Amazon EKS or Amazon EKS Anywhere) using tools that are specific to the provider. For example, to start an Amazon EKS cluster you can use `eksctl create cluster`, while for Amazon EKS Anywhere you can use `eksctl anywhere create cluster`. Note that while these commands create a [.noloc]`Kubernetes` cluster, they are specific to the provider and are not part of the [.noloc]`Kubernetes` project itself. -[[cluster-creation-and-management-tools,cluster-creation-and-management-tools.title]] +[#cluster-creation-and-management-tools] === Cluster creation and management tools The [.noloc]`Kubernetes` project offers tools for creating a [.noloc]`Kubernetes` cluster manually. So if you want to install [.noloc]`Kubernetes` on a single machine, or run the control plane on a machine and add nodes manually, you can use CLI tools like https://kind.sigs.k8s.io/[kind], https://kubernetes.io/docs/tutorials/hello-minikube/[minikube], or https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/[kubeadm] that are listed under [.noloc]`Kubernetes` https://kubernetes.io/docs/tasks/tools/[Install Tools]. To simplify and automate the full lifecycle of cluster creation and management, it is much easier to use tools supported by an established [.noloc]`Kubernetes` provider, such as Amazon EKS or Amazon EKS Anywhere. @@ -109,12 +109,12 @@ To run your clusters on your own on-premises computers and networks, Amazon offe Amazon EKS Anywhere is based on the same https://distro.eks.amazonaws.com/[Amazon EKS Distro] software that is used by Amazon EKS. However, Amazon EKS Anywhere relies on different implementations of the https://cluster-api.sigs.k8s.io/[Kubernetes Cluster API] (CAPI) interface to manage the full lifecycle of the machines in an Amazon EKS Anywhere cluster (such as https://github.com/kubernetes-sigs/cluster-api-provider-vsphere[CAPV] for vSphere and https://github.com/kubernetes-sigs/cluster-api-provider-cloudstack[CAPC] for CloudStack). Because the entire cluster is running on your equipment, you take on the added responsibility of managing the control plane and backing up its data (see `etcd` later in this document). -[[cluster-components,cluster-components.title]] +[#cluster-components] === Cluster components [.noloc]`Kubernetes` cluster components are divided into two major areas: control plane and worker nodes. https://kubernetes.io/docs/concepts/overview/components/#control-plane-components[Control Plane Components] manage the cluster and provide access to its APIs. Worker nodes (sometimes just referred to as Nodes) provide the places where the actual workloads are run. https://kubernetes.io/docs/concepts/overview/components/#node-components[Node Components] consist of services that run on each node to communicate with the control plane and run containers. The set of worker nodes for your cluster is referred to as the _Data Plane_. -[[concepts-control-plane,concepts-control-plane.title]] +[#concepts-control-plane] ==== Control plane The control plane consists of a set of services that manage the cluster. These services may all be running on a single computer or may be spread across multiple computers. Internally, these are referred to as Control Plane Instances (CPIs). How CPIs are run depends on the size of the cluster and requirements for high availability. As demand increase in the cluster, a control plane service can scale to provide more instances of that service, with requests being load balanced between the instances. @@ -130,7 +130,7 @@ Tasks that components of the [.noloc]`Kubernetes` control plane performs include * *Manage cloud resources (Cloud Controller Manager)* -- Interactions between [.noloc]`Kubernetes` and the cloud provider that carries out requests for the underlying data center resources are handled by the https://kubernetes.io/docs/concepts/architecture/cloud-controller/[Cloud Controller Manager] (https://github.com/kubernetes/kubernetes/tree/master/cmd/cloud-controller-manager[cloud-controller-manager]). Controllers managed by the Cloud Controller Manager can include a route controller (for setting up cloud network routes), service controller (for using cloud load balancing services), and node lifecycle controller (to keep nodes in sync with Kubernetes throughout their lifecycles). -[[worker-nodes-data-plane,worker-nodes-data-plane.title]] +[#worker-nodes-data-plane] ==== Worker Nodes (data plane) For a single-node [.noloc]`Kubernetes` cluster, workloads run on the same machine as the control plane. However, a more standard configuration is to have one or more separate computer systems (https://kubernetes.io/docs/concepts/architecture/nodes/[Nodes]) that are dedicated to running [.noloc]`Kubernetes` workloads. @@ -144,7 +144,7 @@ When you first create a [.noloc]`Kubernetes` cluster, some cluster creation tool * *Manage networking between containers (kube-proxy)* -- To be able to support communication between Pods, [.noloc]`Kubernetes` uses a feature referred to as a https://kubernetes.io/docs/concepts/services-networking/service/[Service] to set up Pod networks that track IP addresses and ports associated with those Pods. The https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/[kube-proxy] service runs on every node to allow that communication between Pods to take place. -[[extend-clusters,extend-clusters.title]] +[#extend-clusters] === Extend Clusters There are some services you can add to [.noloc]`Kubernetes` to support the cluster, but are not run in the control plane. These services often run directly on nodes in the kube-system namespace or in its own namespace (as is often done with third-party service providers). A common example is the CoreDNS service, which provides DNS services to the cluster. Refer to https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster-services/[Discovering builtin services] for information on how to see which cluster services are running in kube-system on your cluster. @@ -153,12 +153,12 @@ There are different types of add-ons you can consider adding to your clusters. T For a more complete list of available Amazon EKS add-ons, see <>. -[[workloads,workloads.title]] +[#workloads] == Workloads [.noloc]`Kubernetes` defines a https://kubernetes.io/docs/concepts/workloads/[Workload] as "`an application running on [.noloc]`Kubernetes`.`" That application can consist of a set of microservices run as https://kubernetes.io/docs/reference/glossary/?fundamental=true#term-container[Containers] in https://kubernetes.io/docs/reference/glossary/?fundamental=true#term-pod[Pods], or could be run as a batch job or other type of applications. The job of [.noloc]`Kubernetes` is to make sure that the requests that you make for those objects to be set up or deployed are carried out. As someone deploying applications, you should learn about how containers are built, how Pods are defined, and what methods you can use for deploying them. -[[containers,containers.title]] +[#containers] === Containers The most basic element of an application workload that you deploy and manage in [.noloc]`Kubernetes` is a _https://kubernetes.io/docs/concepts/workloads/pods/[Pod]_. A Pod represents a way of holding the components of an application as well as defining specifications that describe the Pod's attributes. Contrast this to something like an RPM or Deb package, which packages together software for a Linux system, but does not itself run as an entity. @@ -169,7 +169,7 @@ Pod specifications (https://kubernetes.io/docs/reference/kubernetes-api/workload While a Pod is the smallest unit you deploy, a container is the smallest unit that you build and manage. -[[building-containers,building-containers.title]] +[#building-containers] ==== Building Containers The Pod is really just a structure around one or more containers, with each container itself holding the file system, executables, configuration files, libraries, and other components to actually run the application. Because a company called [.noloc]`Docker` Inc. first popularized containers, some people refer to containers as [.noloc]`Docker` Containers. However, the https://opencontainers.org/[Open Container Initiative] has since defined container runtimes, images, and distribution methods for the industry. Add to that the fact that containers were created from many existing Linux features, others often refer to containers as OCI Containers, Linux Containers, or just Containers. @@ -184,7 +184,7 @@ When you build a container, you typically start with a [.noloc]`Dockerfile` (lit While the `docker` command and service have traditionally been used to build containers (`docker build`), other tools that are available to build container images include https://docs.podman.io/en/stable/markdown/podman-build.1.html[podman] and https://github.com/containerd/nerdctl[nerdctl]. See link:containers/building-better-container-images[Building Better Container Images,type="blog"] or https://docs.docker.com/build/[Overview of Docker Build] to learn about building containers. -[[storing-containers,storing-containers.title]] +[#storing-containers] ==== Storing Containers Once you've built your container image, you can store it in a container https://distribution.github.io/distribution/[distribution registry] on your workstation or on a public container registry. Running a private container registry on your workstation allows you to store container images locally, making them readily available to you. @@ -193,19 +193,19 @@ To store container images in a more public manner, you can push them to a public When running containerized workloads on Amazon Elastic Kubernetes Service (Amazon EKS) we recommend pulling copies of [.noloc]`Docker` Official Images that are stored in Amazon Elastic Container Registry. Amazon ECR has been storing these images since 2021. You can search for popular container images in the https://gallery.ecr.aws/[Amazon ECR Public Gallery], and specifically for the [.noloc]`Docker` Hub images, you can search the https://gallery.ecr.aws/docker/[Amazon ECR Docker Gallery]. -[[running-containers,running-containers.title]] +[#running-containers] ==== Running containers Because containers are built in a standard format, a container can run on any machine that can run a container runtime (such as [.noloc]`Docker`) and whose contents match the local machine's architecture (such as `x86_64` or `arm`). To test a container or just run it on your local desktop, you can use `docker run` or `podman run` commands to start up a container on the localhost. For [.noloc]`Kubernetes`, however, each worker node has a container runtime deployed and it is up to [.noloc]`Kubernetes` to request that a node run a container. Once a container has been assigned to run on a node, the node looks to see if the requested version of the container image already exists on the node. If it doesn't, [.noloc]`Kubernetes` tells the container runtime to pull that container from the appropriate container registry, then run that container locally. Keep in mind that a _container image_ refers to the software package that is moved around between your laptop, the container registry, and [.noloc]`Kubernetes` nodes. A _container_ refers to a running instance of that image. -[[pods,pods.title]] +[#pods] === Pods Once your containers are ready, working with Pods includes configuring, deploying, and making the Pods accessible. -[[configuring-pods,configuring-pods.title]] +[#configuring-pods] ==== Configuring Pods When you define a Pod, you assign a set of attributes to it. Those attributes must include at least the Pod name and the container image to run. However, there are many other things you want to configure with your Pod definitions as well (see the https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodSpec[PodSpec] page for details on what can go into a Pod). These include: @@ -222,7 +222,7 @@ The configuration just described is typically gathered together in a YAML file t The objects used to gather together and deploy Pod information is defined by one of the following deployment methods. -[[deploying-pods,deploying-pods.title]] +[#deploying-pods] ==== Deploying Pods The method you would choose for deploying Pods depends on the type of application you plan to run with those Pods. Here are some of your choices: @@ -235,7 +235,7 @@ The method you would choose for deploying Pods depends on the type of applicatio * *Applications run to completion* -- There are some applications you want to run to complete a particular task. This could include one that runs monthly status reports or cleans out old data. A https://kubernetes.io/docs/concepts/workloads/controllers/job/[Job] object can be used to set up an application to start up and run, then exit when the task is done. A https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/[CronJob] object lets you set up an application to run at a specific hour, minute, day of the month, month, or day of the week, using a structure defined by the Linux https://man7.org/linux/man-pages/man5/crontab.5.html[crontab] format. -[[making-applications-accessible-from-the-network,making-applications-accessible-from-the-network.title]] +[#making-applications-accessible-from-the-network] ==== Making applications accessible from the network With applications often deployed as a set of microservices that moved around to different places, [.noloc]`Kubernetes` needed a way for those microservices to be able to find each other. Also, for others to access an application outside of the [.noloc]`Kubernetes` cluster, [.noloc]`Kubernetes` needed a way to expose that application on outside addresses and ports. These networking-related features are done with Service and Ingress objects, respectively: @@ -246,7 +246,7 @@ With applications often deployed as a set of microservices that moved around to * *Ingress* -- https://kubernetes.io/docs/concepts/services-networking/ingress/[Ingress] is what can make applications represented by [.noloc]`Kubernetes` Services available to clients that are outside of the cluster. Basic features of Ingress include a load balancer (managed by Ingress), the Ingress controller, and rules for routing requests from the controller to the Service. There are several https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/[Ingress Controllers] that you can choose from with [.noloc]`Kubernetes`. -[[next-steps,next-steps.title]] +[#next-steps] == Next steps Understanding basic [.noloc]`Kubernetes` concepts and how they relate to Amazon EKS will help you navigate both the link:eks/[Amazon EKS documentation,type="documentation"] and https://kubernetes.io/docs[Kubernetes documentation] to find the information you need to manage Amazon EKS clusters and deploy workloads to those clusters. To begin using Amazon EKS, choose from the following: diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index 8320e00af..fcb6e220d 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -1,5 +1,5 @@ [.topic] -[[what-is-eks,what-is-eks.title]] +[#what-is-eks] = What is Amazon EKS? :doctype: book :sectnums: @@ -21,7 +21,7 @@ Learn to manage containerized applications with Amazon EKS Amazon Elastic Kubernetes Service (Amazon EKS) is a managed Kubernetes service that eliminates the need to operate and maintain the availability and scalability of Kubernetes clusters in Amazon Web Services ({aws}) and in your own data centers. https://kubernetes.io/docs/concepts/overview/[Kubernetes] is an open source system that automates the management, scaling, and deployment of containerized applications. To get started, see the <> page in the Amazon EKS User Guide. -[[eks-features,eks-features.title]] +[#eks-features] == Features of Amazon EKS *Fully Managed Kubernetes* @@ -74,7 +74,7 @@ Amazon EKS supports a range of interfaces to provision, manage, and maintain clu Amazon EKS supports a range of operating systems and you can use pre-built, Amazon EKS-optimized Amazon Machine Images (AMIs) for the base images of your compute nodes. Amazon EKS maintains optimized images for Amazon Linux 2, Amazon Linux 2023, Bottlerocket, Windows, and there are Ubuntu images maintained by Canonical. You can also use your own custom AMIs for other operating system variants. The Amazon EKS AMIs for Amazon Linux have built-in support for NVIDIA and {aws} Neuron accelerated instance types. See <> for more information. -[[eks-pricing,eks-pricing.title]] +[#eks-pricing] == Amazon EKS Pricing Amazon EKS has per cluster pricing based on Kubernetes cluster version support, pricing for Amazon EKS Auto Mode, and per vCPU pricing for Amazon EKS Hybrid Nodes. When using Amazon EKS, you pay separately for the {aws} resources you use to run your applications on Kubernetes worker nodes. For example, if you are running Kubernetes worker nodes as Amazon EC2 instances with Amazon EBS volumes and public IPv4 addresses, you are charged for the instance capacity through Amazon EC2, the volume capacity through Amazon EBS, and the IPv4 address through Amazon VPC. Visit the respective pricing pages of the {aws} services you are using with your Kubernetes applications for detailed pricing information. diff --git a/latest/ug/workloads/add-ons-iam.adoc b/latest/ug/workloads/add-ons-iam.adoc index cae770cdc..bdb4aa487 100644 --- a/latest/ug/workloads/add-ons-iam.adoc +++ b/latest/ug/workloads/add-ons-iam.adoc @@ -1,5 +1,5 @@ [.topic] -[[add-ons-iam,add-ons-iam.title]] +[#add-ons-iam] = IAM roles for Amazon EKS add-ons :info_titleabbrev: IAM roles diff --git a/latest/ug/workloads/add-ons-images.adoc b/latest/ug/workloads/add-ons-images.adoc index f105e2441..289eb58e9 100644 --- a/latest/ug/workloads/add-ons-images.adoc +++ b/latest/ug/workloads/add-ons-images.adoc @@ -1,5 +1,5 @@ [.topic] -[[add-ons-images,add-ons-images.title]] +[#add-ons-images] = View Amazon container image registries for Amazon EKS add-ons :info_titleabbrev: View Amazon image registries diff --git a/latest/ug/workloads/addon-compat.adoc b/latest/ug/workloads/addon-compat.adoc index dce1ecf4f..ddd1e68b0 100644 --- a/latest/ug/workloads/addon-compat.adoc +++ b/latest/ug/workloads/addon-compat.adoc @@ -1,5 +1,5 @@ [.topic] -[[addon-compat,addon-compat.title]] +[#addon-compat] = Verify Amazon EKS add-on version compatibility with a cluster :info_titleabbrev: Verify compatibility diff --git a/latest/ug/workloads/addon-id-troubleshoot.adoc b/latest/ug/workloads/addon-id-troubleshoot.adoc index 4baf77d8d..175b10235 100644 --- a/latest/ug/workloads/addon-id-troubleshoot.adoc +++ b/latest/ug/workloads/addon-id-troubleshoot.adoc @@ -1,5 +1,5 @@ [.topic] -[[addon-id-troubleshoot,addon-id-troubleshoot.title]] +[#addon-id-troubleshoot] = Troubleshoot Pod Identities for EKS add-ons :info_titleabbrev: Troubleshoot Identities diff --git a/latest/ug/workloads/alb-ingress.adoc b/latest/ug/workloads/alb-ingress.adoc index df8bc8a31..3a5a2e3d1 100644 --- a/latest/ug/workloads/alb-ingress.adoc +++ b/latest/ug/workloads/alb-ingress.adoc @@ -1,5 +1,5 @@ [.topic] -[[alb-ingress,alb-ingress.title]] +[#alb-ingress] = Route application and [.noloc]`HTTP` traffic with [.noloc]`Application Load Balancers` :info_titleabbrev: Application load balancing @@ -137,7 +137,7 @@ Ensure that each ingress in the same ingress group has a unique priority number. ==== -[[application-load-balancer-sample-application,application-load-balancer-sample-application.title]] +[#application-load-balancer-sample-application] == (Optional) Deploy a sample application * At least one public or private subnet in your cluster VPC. diff --git a/latest/ug/workloads/community-addons.adoc b/latest/ug/workloads/community-addons.adoc index b9fd95578..68712721d 100644 --- a/latest/ug/workloads/community-addons.adoc +++ b/latest/ug/workloads/community-addons.adoc @@ -1,5 +1,5 @@ [.topic] -[[community-addons,community-addons.title]] +[#community-addons] = Community add-ons include::../attributes.txt[] diff --git a/latest/ug/workloads/copy-image-to-repository.adoc b/latest/ug/workloads/copy-image-to-repository.adoc index 398d66976..ffdb3e6c4 100644 --- a/latest/ug/workloads/copy-image-to-repository.adoc +++ b/latest/ug/workloads/copy-image-to-repository.adoc @@ -1,5 +1,5 @@ [.topic] -[[copy-image-to-repository,copy-image-to-repository.title]] +[#copy-image-to-repository] = Copy a container image from one repository to another repository :info_titleabbrev: Copy an image to a repository diff --git a/latest/ug/workloads/creating-an-add-on.adoc b/latest/ug/workloads/creating-an-add-on.adoc index 08cf533fc..e12307ce0 100644 --- a/latest/ug/workloads/creating-an-add-on.adoc +++ b/latest/ug/workloads/creating-an-add-on.adoc @@ -1,5 +1,5 @@ [.topic] -[[creating-an-add-on,creating-an-add-on.title]] +[#creating-an-add-on] = Create an Amazon EKS add-on :info_titleabbrev: Create an add-on @@ -21,7 +21,7 @@ Amazon EKS add-ons are add-on software for Amazon EKS clusters. All Amazon EKS a You can create an Amazon EKS add-on using `eksctl`, the {aws-management-console}, or the {aws} CLI. If the add-on requires an IAM role, see the details for the specific add-on in <> for details about creating the role. -[[creating-an-add-on-prereq,creating-an-add-on-prereq.title]] +[#creating-an-add-on-prereq] == Prerequisites Complete the following before you create an add-on: @@ -34,7 +34,7 @@ Complete the following before you create an add-on: * Verify that version 0.190.0 or later of the `eksctl` command line tool installed on your computer or {aws} CloudShell. For more information, see https://eksctl.io/installation/[Installation] on the `eksctl` website. -[[creating-an-add-on-procedure,creating-an-add-on-procedure.title]] +[#creating-an-add-on-procedure] == Procedure You can create an Amazon EKS add-on using `eksctl`, the {aws-management-console}, or the {aws} CLI. If the add-on requires an IAM role, see the details for the specific add-on in <> for details about creating the role. @@ -122,7 +122,7 @@ eksctl create addon --help + For more information about available options see https://eksctl.io/usage/addons/[Addons] in the `eksctl` documentation. -[[_create_add_on_console, _create_add_on_console.title]] +[#_create_add_on_console] == Create add-on ({aws} Console) . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. diff --git a/latest/ug/workloads/eks-add-ons.adoc b/latest/ug/workloads/eks-add-ons.adoc index 29dbef4fa..447e9b5e3 100644 --- a/latest/ug/workloads/eks-add-ons.adoc +++ b/latest/ug/workloads/eks-add-ons.adoc @@ -1,5 +1,5 @@ [.topic] -[[eks-add-ons,eks-add-ons.title]] +[#eks-add-ons] = Amazon EKS add-ons :info_titleabbrev: Amazon EKS add-ons :keywords: managed, add-ons, plugins @@ -21,7 +21,7 @@ You can use Amazon EKS add-ons with any Amazon EKS node type. For more informati You can add, update, or delete Amazon EKS add-ons using the Amazon EKS API, {aws-management-console}, {aws} CLI, and `eksctl`. You can also create Amazon EKS add-ons using link:AWSCloudFormation/latest/UserGuide/aws-resource-eks-addon.html[{aws} CloudFormation,type="documentation"]. -[[eks-add-ons-considerations,eks-add-ons-considerations.title]] +[#eks-add-ons-considerations] == Considerations Consider the following when you use Amazon EKS add-ons: @@ -65,7 +65,7 @@ Review the table to determine the minimum required platform version to use this |=== -[[addon-consider-auto,addon-consider-auto.title]] +[#addon-consider-auto] == Considerations for Amazon EKS Auto Mode Amazon EKS Auto mode includes capabilities that deliver essential cluster functionality, including: @@ -92,7 +92,7 @@ However, if your cluster combines Auto mode with other compute options like self If you are planning to enable EKS Auto Mode on an existing cluster, you may need to upgrade the version of certain addons. For more information, see <> for EKS Auto Mode. -[[addon-support,addon-support.title]] +[#addon-support] == Support {aws} publishes multiple types of add-ons with different levels of support. diff --git a/latest/ug/workloads/eks-workloads.adoc b/latest/ug/workloads/eks-workloads.adoc index 5349d9bc6..ba41ffea1 100644 --- a/latest/ug/workloads/eks-workloads.adoc +++ b/latest/ug/workloads/eks-workloads.adoc @@ -1,4 +1,4 @@ -[[eks-workloads,eks-workloads.title]] +[#eks-workloads] = Learn how to deploy workloads and add-ons to Amazon EKS :doctype: book :sectnums: diff --git a/latest/ug/workloads/horizontal-pod-autoscaler.adoc b/latest/ug/workloads/horizontal-pod-autoscaler.adoc index 532f01bf3..75f196d10 100644 --- a/latest/ug/workloads/horizontal-pod-autoscaler.adoc +++ b/latest/ug/workloads/horizontal-pod-autoscaler.adoc @@ -1,5 +1,5 @@ [.topic] -[[horizontal-pod-autoscaler,horizontal-pod-autoscaler.title]] +[#horizontal-pod-autoscaler] = Scale pod deployments with [.noloc]`Horizontal Pod Autoscaler` :info_titleabbrev: Horizontal Pod Autoscaler @@ -28,7 +28,7 @@ This topic is based on the https://kubernetes.io/docs/tasks/run-application/hori * You are using a `kubectl` client that is <>. -[[hpa-sample-app,hpa-sample-app.title]] +[#hpa-sample-app] == Run a Horizontal Pod Autoscaler test application In this section, you deploy a sample application to verify that the Horizontal Pod Autoscaler is working. diff --git a/latest/ug/workloads/image-verification.adoc b/latest/ug/workloads/image-verification.adoc index 7b2a1dac2..50d7c3324 100644 --- a/latest/ug/workloads/image-verification.adoc +++ b/latest/ug/workloads/image-verification.adoc @@ -1,5 +1,5 @@ [.topic] -[[image-verification,image-verification.title]] +[#image-verification] = Validate container image signatures during deployment :info_titleabbrev: Verify container images diff --git a/latest/ug/workloads/kubernetes-field-management.adoc b/latest/ug/workloads/kubernetes-field-management.adoc index 61fa47058..460c4434e 100644 --- a/latest/ug/workloads/kubernetes-field-management.adoc +++ b/latest/ug/workloads/kubernetes-field-management.adoc @@ -1,5 +1,5 @@ [.topic] -[[kubernetes-field-management,kubernetes-field-management.title]] +[#kubernetes-field-management] = Determine fields you can customize for Amazon EKS add-ons :info_titleabbrev: Fields you can customize @@ -21,7 +21,7 @@ Modifying a field managed by Amazon EKS prevents Amazon EKS from managing the ad ==== -[[add-on-config-management-understanding-field-management,add-on-config-management-understanding-field-management.title]] +[#add-on-config-management-understanding-field-management] == Field management syntax When you view details for a [.noloc]`Kubernetes` object, both managed and unmanaged fields are returned in the output. Managed fields can be either of the following types: @@ -106,7 +106,7 @@ manager: eks ---- -[[view-field-management,view-field-management.title]] +[#view-field-management] == Procedure You can use `kubectl` to see which fields are managed by Amazon EKS for any Amazon EKS add-on. @@ -143,7 +143,7 @@ managedFields: NOTE: If you don't see `managedFields` in the output, add `--show-managed-fields` to the command and run it again. The version of `kubectl` that you're using determines whether managed fields are returned by default. -[[view-field-management-next-steps,view-field-management-next-steps.title]] +[#view-field-management-next-steps] == Next steps Customize the fields not owned by {aws} for you add-on. diff --git a/latest/ug/workloads/network-load-balancing.adoc b/latest/ug/workloads/network-load-balancing.adoc index e0b479a57..ba7764db5 100644 --- a/latest/ug/workloads/network-load-balancing.adoc +++ b/latest/ug/workloads/network-load-balancing.adoc @@ -1,5 +1,5 @@ [.topic] -[[network-load-balancing,network-load-balancing.title]] +[#network-load-balancing] = Route [.noloc]`TCP` and [.noloc]`UDP` traffic with [.noloc]`Network Load Balancers` :info_titleabbrev: Network load balancing @@ -86,7 +86,7 @@ service.beta.kubernetes.io/aws-load-balancer-eip-allocations: eipalloc-xxxxxxxxx * We recommend only creating new Network Load Balancers with the [.noloc]`{aws} Load Balancer Controller`. Attempting to replace existing Network Load Balancers created with the {aws} cloud provider load balancer controller can result in multiple Network Load Balancers that might cause application downtime. -[[network-load-balancer,network-load-balancer.title]] +[#network-load-balancer] == Create a network load balancer You can create a network load balancer with IP or instance targets. @@ -150,7 +150,7 @@ service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing" IMPORTANT: Do not edit the annotations after creating your service. If you need to modify it, delete the service object and create it again with the desired value for this annotation. -[[load-balancer-sample-application,load-balancer-sample-application.title]] +[#load-balancer-sample-application] == (Optional) Deploy a sample application * At least one public or private subnet in your cluster VPC. diff --git a/latest/ug/workloads/remove-addon-role.adoc b/latest/ug/workloads/remove-addon-role.adoc index add0933f1..72e9ab766 100644 --- a/latest/ug/workloads/remove-addon-role.adoc +++ b/latest/ug/workloads/remove-addon-role.adoc @@ -1,5 +1,5 @@ [.topic] -[[remove-addon-role,remove-addon-role.title]] +[#remove-addon-role] = Remove Pod Identity associations from an Amazon EKS add-on :info_titleabbrev: Remove Pod Identity diff --git a/latest/ug/workloads/removing-an-addon.adoc b/latest/ug/workloads/removing-an-addon.adoc index a8d4abb2f..c6be3eb1c 100644 --- a/latest/ug/workloads/removing-an-addon.adoc +++ b/latest/ug/workloads/removing-an-addon.adoc @@ -1,5 +1,5 @@ [.topic] -[[removing-an-add-on,removing-an-add-on.title]] +[#removing-an-add-on] = Remove an Amazon EKS add-on from a cluster :info_titleabbrev: Remove an add-on @@ -26,7 +26,7 @@ When you remove an Amazon EKS add-on from a cluster: * You can choose to leave the add-on software on your cluster so that you can self-manage it, or you can remove the add-on software from your cluster. You should only remove the add-on software from your cluster if there are no resources on your cluster are dependent on the functionality that the add-on provides. -[[removing-an-add-on-prereq,removing-an-add-on-prereq.title]] +[#removing-an-add-on-prereq] == Prerequisites Complete the following before you create an add-on: @@ -38,7 +38,7 @@ Complete the following before you create an add-on: * Version `{eksctl-min-version}` or later of the `eksctl` command line tool installed on your device or {aws} CloudShell. To install or update `eksctl`, see https://eksctl.io/installation[Installation] in the `eksctl` documentation.. -[[removing-an-add-on-procedure,removing-an-add-on-procedure.title]] +[#removing-an-add-on-procedure] == Procedure You have two options when removing an Amazon EKS add-on. diff --git a/latest/ug/workloads/restrict-service-external-ip.adoc b/latest/ug/workloads/restrict-service-external-ip.adoc index 2751fbb31..31539908e 100644 --- a/latest/ug/workloads/restrict-service-external-ip.adoc +++ b/latest/ug/workloads/restrict-service-external-ip.adoc @@ -1,5 +1,5 @@ [.topic] -[[restrict-service-external-ip,restrict-service-external-ip.title]] +[#restrict-service-external-ip] = Restrict external IP addresses that can be assigned to services :info_titleabbrev: Restrict service external IPs diff --git a/latest/ug/workloads/retreive-iam-info.adoc b/latest/ug/workloads/retreive-iam-info.adoc index edfd69b2a..42c2c1f96 100644 --- a/latest/ug/workloads/retreive-iam-info.adoc +++ b/latest/ug/workloads/retreive-iam-info.adoc @@ -1,5 +1,5 @@ [.topic] -[[retreive-iam-info,retreive-iam-info.title]] +[#retreive-iam-info] = Retrieve IAM information about an Amazon EKS add-on :info_titleabbrev: Retrieve IAM information @@ -101,7 +101,7 @@ Review the following output. Note the `recommendedManagedPolicies`. ---- . Create an IAM role and attach the recommended Managed Policy. Alternatively, review the managed policy and scope down the permissions as appropriate. For more information see <>. -[[pod-id-add-on-versions,pod-id-add-on-versions.title]] +[#pod-id-add-on-versions] == Pod Identity Support Reference The following table indicates if certain Amazon EKS add-ons support EKS Pod Identity. diff --git a/latest/ug/workloads/sample-deployment-windows.adoc b/latest/ug/workloads/sample-deployment-windows.adoc index 68cc19ddb..58f68cebb 100644 --- a/latest/ug/workloads/sample-deployment-windows.adoc +++ b/latest/ug/workloads/sample-deployment-windows.adoc @@ -1,5 +1,5 @@ [.topic] -[[sample-deployment-win,sample-deployment-win.title]] +[#sample-deployment-win] = Deploy a sample application on Windows :info_titleabbrev: Sample deployment (Windows) @@ -113,7 +113,7 @@ spec: kubectl apply -f eks-sample-service.yaml ---- -[[sample-app-view-namespace-win,sample-app-view-namespace-win.title]] +[#sample-app-view-namespace-win] == Review resources created . View all resources that exist in the `eks-sample-app` namespace. @@ -264,7 +264,7 @@ kubectl delete namespace eks-sample-app ---- -[[sample-deployment-win-next-steps,sample-deployment-win-next-steps.title]] +[#sample-deployment-win-next-steps] == Next Steps After you deploy the sample application, you might want to try some of the following exercises: diff --git a/latest/ug/workloads/sample-deployment.adoc b/latest/ug/workloads/sample-deployment.adoc index 0c97fb963..438ae485d 100644 --- a/latest/ug/workloads/sample-deployment.adoc +++ b/latest/ug/workloads/sample-deployment.adoc @@ -1,5 +1,5 @@ [.topic] -[[sample-deployment,sample-deployment.title]] +[#sample-deployment] = Deploy a sample application on Linux :info_titleabbrev: Sample deployment (Linux) @@ -111,7 +111,7 @@ spec: kubectl apply -f eks-sample-service.yaml ---- -[[sample-app-view-namespace,sample-app-view-namespace.title]] +[#sample-app-view-namespace] == Review resources created . View all resources that exist in the `eks-sample-app` namespace. @@ -261,7 +261,7 @@ kubectl delete namespace eks-sample-app ---- -[[sample-deployment-next-steps,sample-deployment-next-steps.title]] +[#sample-deployment-next-steps] == Next Steps After you deploy the sample application, you might want to try some of the following exercises: diff --git a/latest/ug/workloads/update-addon-role.adoc b/latest/ug/workloads/update-addon-role.adoc index 2fd6b9db5..4fd033704 100644 --- a/latest/ug/workloads/update-addon-role.adoc +++ b/latest/ug/workloads/update-addon-role.adoc @@ -1,5 +1,5 @@ [.topic] -[[update-addon-role,update-addon-role.title]] +[#update-addon-role] = Use Pod Identities to assign an IAM role to an Amazon EKS add-on :info_titleabbrev: Use Pod Identities diff --git a/latest/ug/workloads/updating-an-add-on.adoc b/latest/ug/workloads/updating-an-add-on.adoc index d25cf53fb..02f673aff 100644 --- a/latest/ug/workloads/updating-an-add-on.adoc +++ b/latest/ug/workloads/updating-an-add-on.adoc @@ -1,5 +1,5 @@ [.topic] -[[updating-an-add-on,updating-an-add-on.title]] +[#updating-an-add-on] = Update an Amazon EKS add-on :info_titleabbrev: Update an add-on @@ -13,7 +13,7 @@ Learn how to update your Amazon EKS add-on to a new version. Amazon EKS doesn't automatically update an add-on when new versions are released or after you update your cluster to a new [.noloc]`Kubernetes` minor version. To update an add-on for an existing cluster, you must initiate the update. After you initiate the update, Amazon EKS updates the add-on for you. Before updating an add-on, review the current documentation for the add-on. For a list of available add-ons, see <>. If the add-on requires an IAM role, see the details for the specific add-on in <> for details about creating the role. -[[updating-an-add-on-prereq,updating-an-add-on-prereq.title]] +[#updating-an-add-on-prereq] == Prerequisites Complete the following before you create an add-on: @@ -24,7 +24,7 @@ Complete the following before you create an add-on: * Verify that the Amazon EKS add-on version is compatible with your cluster. For more information, see <>. -[[updating-an-add-on-procedure,updating-an-add-on-procedure.title]] +[#updating-an-add-on-procedure] == Procedure You can update an Amazon EKS add-on using `eksctl`, the {aws-management-console}, or the {aws} CLI. diff --git a/latest/ug/workloads/vertical-pod-autoscaler.adoc b/latest/ug/workloads/vertical-pod-autoscaler.adoc index 09bb3949e..54c65f9a9 100644 --- a/latest/ug/workloads/vertical-pod-autoscaler.adoc +++ b/latest/ug/workloads/vertical-pod-autoscaler.adoc @@ -1,5 +1,5 @@ [.topic] -[[vertical-pod-autoscaler,vertical-pod-autoscaler.title]] +[#vertical-pod-autoscaler] = Adjust pod resources with [.noloc]`Vertical Pod Autoscaler` :info_titleabbrev: Vertical Pod Autoscaler @@ -20,7 +20,7 @@ The [.noloc]`Kubernetes` https://github.com/kubernetes/autoscaler/tree/master/ve * OpenSSL `1.1.1` or later installed on your device. -[[vpa-deploy,vpa-deploy.title]] +[#vpa-deploy] == Deploy the Vertical Pod Autoscaler In this section, you deploy the Vertical Pod Autoscaler to your cluster. @@ -87,7 +87,7 @@ vpa-updater-786b96955c-bgp9d 1/1 Running 0 8s ---- -[[vpa-sample-app,vpa-sample-app.title]] +[#vpa-sample-app] == Test your Vertical Pod Autoscaler installation In this section, you deploy a sample application to verify that the Vertical Pod Autoscaler is working. diff --git a/latest/ug/workloads/workloads-add-ons-available-eks.adoc b/latest/ug/workloads/workloads-add-ons-available-eks.adoc index d4b5f66c0..48e36c3d0 100644 --- a/latest/ug/workloads/workloads-add-ons-available-eks.adoc +++ b/latest/ug/workloads/workloads-add-ons-available-eks.adoc @@ -1,7 +1,7 @@ include::../attributes.txt[] [.topic] -[[workloads-add-ons-available-eks,workloads-add-ons-available-eks.title]] +[#workloads-add-ons-available-eks] = {aws} Add-ons :info_titleabbrev: {aws} Add-ons @@ -82,7 +82,7 @@ You can use any of the following Amazon EKS add-ons. |=== -[[add-ons-vpc-cni,add-ons-vpc-cni.title]] +[#add-ons-vpc-cni] == Amazon VPC CNI plugin for Kubernetes [abstract] @@ -100,7 +100,7 @@ You do not need to install this add-on on Amazon EKS Auto Mode clusters. For mor The Amazon EKS add-on name is `vpc-cni`. -[[add-ons-vpc-cni-iam-permissions,add-ons-vpc-cni-iam-permissions.title]] +[#add-ons-vpc-cni-iam-permissions] === Required IAM permissions This add-on uses the IAM roles for service accounts capability of Amazon EKS. For more information, see <>. @@ -116,12 +116,12 @@ eksctl create iamserviceaccount --name aws-node --namespace kube-system --cluste ---- -[[add-ons-vpc-cni-update-information,add-ons-vpc-cni-update-information.title]] +[#add-ons-vpc-cni-update-information] === Update information You can only update one minor version at a time. For example, if your current version is `1.28.[.replaceable]``x``-eksbuild.[.replaceable]``y``` and you want to update to `1.30.[.replaceable]``x``-eksbuild.[.replaceable]``y```, then you must update your current version to `1.29.[.replaceable]``x``-eksbuild.[.replaceable]``y``` and then update it again to `1.30.[.replaceable]``x``-eksbuild.[.replaceable]``y```. For more information about updating the add-on, see <>. -[[add-ons-coredns,add-ons-coredns.title]] +[#add-ons-coredns] == CoreDNS [abstract] @@ -138,17 +138,17 @@ You do not need to install this add-on on Amazon EKS Auto Mode clusters. For mor The Amazon EKS add-on name is `coredns`. -[[add-ons-coredns-iam-permissions,add-ons-coredns-iam-permissions.title]] +[#add-ons-coredns-iam-permissions] === Required IAM permissions This add-on doesn't require any permissions. -[[add-ons-coredns-information,add-ons-coredns-information.title]] +[#add-ons-coredns-information] === Additional information To learn more about CoreDNS, see https://kubernetes.io/docs/tasks/administer-cluster/coredns/[Using CoreDNS for Service Discovery] and https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/[Customizing DNS Service] in the [.noloc]`Kubernetes` documentation. -[[add-ons-kube-proxy,add-ons-kube-proxy.title]] +[#add-ons-kube-proxy] == `Kube-proxy` [abstract] @@ -165,12 +165,12 @@ You do not need to install this add-on on Amazon EKS Auto Mode clusters. For mor The Amazon EKS add-on name is `kube-proxy`. -[[add-ons-kube-proxy-iam-permissions,add-ons-kube-proxy-iam-permissions.title]] +[#add-ons-kube-proxy-iam-permissions] === Required IAM permissions This add-on doesn't require any permissions. -[[add-ons-kube-proxy-update-information,add-ons-kube-proxy-update-information.title]] +[#add-ons-kube-proxy-update-information] === Update information Before updating your current version, consider the following requirements: @@ -180,12 +180,12 @@ Before updating your current version, consider the following requirements: * `Kube-proxy` on an Amazon EKS cluster has the same https://kubernetes.io/releases/version-skew-policy/#kube-proxy[compatibility and skew policy as Kubernetes]. -[[add-ons-kube-proxy-information,add-ons-kube-proxy-information.title]] +[#add-ons-kube-proxy-information] === Additional information To learn more about `kube-proxy`, see https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/[kube-proxy] in the [.noloc]`Kubernetes` documentation. -[[add-ons-aws-ebs-csi-driver,add-ons-aws-ebs-csi-driver.title]] +[#add-ons-aws-ebs-csi-driver] == Amazon EBS CSI driver [abstract] @@ -202,7 +202,7 @@ You do not need to install this add-on on Amazon EKS Auto Mode clusters. Auto Mo The Amazon EKS add-on name is `aws-ebs-csi-driver`. -[[add-ons-aws-ebs-csi-driver-iam-permissions,add-ons-aws-ebs-csi-driver-iam-permissions.title]] +[#add-ons-aws-ebs-csi-driver-iam-permissions] === Required IAM permissions This add-on utilizes the IAM roles for service accounts capability of Amazon EKS. For more information, see <>. The permissions in the link:aws-managed-policy/latest/reference/AmazonEBSCSIDriverPolicy.html[AmazonEBSCSIDriverPolicy,type="documentation"] {aws} managed policy are required. You can create an IAM role and attach the managed policy to it with the following command. Replace [.replaceable]`my-cluster` with the name of your cluster and [.replaceable]`AmazonEKS_EBS_CSI_DriverRole` with the name for your role. This command requires that you have https://eksctl.io[eksctl] installed on your device. If you need to use a different tool or you need to use a custom link:kms/[KMS key,type="marketing"] for encryption, see <>. @@ -220,12 +220,12 @@ eksctl create iamserviceaccount \ ---- -[[add-ons-aws-ebs-csi-driver-information,add-ons-aws-ebs-csi-driver-information.title]] +[#add-ons-aws-ebs-csi-driver-information] === Additional information To learn more about the add-on, see <>. -[[add-ons-aws-efs-csi-driver,add-ons-aws-efs-csi-driver.title]] +[#add-ons-aws-efs-csi-driver] == Amazon EFS CSI driver [abstract] @@ -237,7 +237,7 @@ The Amazon EFS CSI driver Amazon EKS add-on is a [.noloc]`Kubernetes` Container The Amazon EKS add-on name is `aws-efs-csi-driver`. -[[add-ons-aws-efs-csi-driver-iam-permissions,add-ons-aws-efs-csi-driver-iam-permissions.title]] +[#add-ons-aws-efs-csi-driver-iam-permissions] === Required IAM permissions *Required IAM permissions* – This add-on utilizes the IAM roles for service accounts capability of Amazon EKS. For more information, see <>. The permissions in the link:aws-managed-policy/latest/reference/AmazonEFSCSIDriverPolicy.html[AmazonEFSCSIDriverPolicy,type="documentation"] {aws} managed policy are required. You can create an IAM role and attach the managed policy to it with the following commands. Replace [.replaceable]`my-cluster` with the name of your cluster and [.replaceable]`AmazonEKS_EFS_CSI_DriverRole` with the name for your role. These commands require that you have https://eksctl.io[eksctl] installed on your device. If you need to use a different tool, see <>. @@ -260,12 +260,12 @@ aws iam update-assume-role-policy --role-name $role_name --policy-document "$TRU ---- -[[add-ons-aws-efs-csi-driver-information,add-ons-aws-efs-csi-driver-information.title]] +[#add-ons-aws-efs-csi-driver-information] === Additional information To learn more about the add-on, see <>. -[[mountpoint-for-s3-add-on,mountpoint-for-s3-add-on.title]] +[#mountpoint-for-s3-add-on] == [.noloc]`Mountpoint` for Amazon S3 CSI Driver [abstract] @@ -277,7 +277,7 @@ The [.noloc]`Mountpoint` for Amazon S3 CSI Driver Amazon EKS add-on is a [.noloc The Amazon EKS add-on name is `aws-mountpoint-s3-csi-driver`. -[[add-ons-mountpoint-for-s3-add-on-iam-permissions,add-ons-mountpoint-for-s3-add-on-iam-permissions.title]] +[#add-ons-mountpoint-for-s3-add-on-iam-permissions] === Required IAM permissions This add-on uses the IAM roles for service accounts capability of Amazon EKS. For more information, see <>. @@ -304,12 +304,12 @@ eksctl create iamserviceaccount \ ---- -[[add-ons-mountpoint-for-s3-add-on-information,add-ons-mountpoint-for-s3-add-on-information.title]] +[#add-ons-mountpoint-for-s3-add-on-information] === Additional information To learn more about the add-on, see <>. -[[addons-csi-snapshot-controller,addons-csi-snapshot-controller.title]] +[#addons-csi-snapshot-controller] == CSI snapshot controller [abstract] @@ -321,18 +321,18 @@ The Container Storage Interface (CSI) snapshot controller enables the use of sna The Amazon EKS add-on name is `snapshot-controller`. -[[add-ons-csi-snapshot-controller-iam-permissions,add-ons-csi-snapshot-controller-iam-permissions.title]] +[#add-ons-csi-snapshot-controller-iam-permissions] === Required IAM permissions This add-on doesn't require any permissions. -[[add-ons-csi-snapshot-controller-information,add-ons-csi-snapshot-controller-information.title]] +[#add-ons-csi-snapshot-controller-information] === Additional information To learn more about the add-on, see <>. -[[addons-hyperpod,addons-hyperpod.title]] +[#addons-hyperpod] == Amazon SageMaker HyperPod task governance SageMaker HyperPod task governance is a robust management system designed to streamline resource allocation and ensure efficient utilization of compute resources across teams and projects for your Amazon EKS clusters. This provides administrators with the capability to set: @@ -354,7 +354,7 @@ This add-on doesn't require any permissions. To learn more about the add-on, see link:sagemaker/latest/dg/sagemaker-hyperpod-eks-operate-console-ui-governance.html["SageMaker HyperPod task governance",type="documentation"] -[[addons-network-flow,addons-network-flow.title]] +[#addons-network-flow] == {aws} Network Flow Monitor Agent The Amazon CloudWatch Network Flow Monitor Agent is a Kubernetes application that collects TCP connection statistics from all nodes in a cluster and publishes network flow reports to Amazon CloudWatch Network Flow Monitor Ingestion APIs. @@ -375,7 +375,7 @@ For more information about the managed policy, see link:AmazonCloudWatch/latest/ To learn more about the add-on, see the https://github.com/aws/network-flow-monitor-agent?tab=readme-ov-file[Amazon CloudWatch Network Flow Monitor Agent GitHub repo]. -[[add-ons-eks-node-monitoring-agent,add-ons-eks-node-monitoring-agent.title]] +[#add-ons-eks-node-monitoring-agent] == Node monitoring agent The node monitoring agent Amazon EKS add-on can detect additional node health issues. These extra health signals can also be leveraged by the optional node auto repair feature to automatically replace nodes as needed. @@ -387,18 +387,18 @@ You do not need to install this add-on on Amazon EKS Auto Mode clusters. For mor The Amazon EKS add-on name is `eks-node-monitoring-agent`. -[[add-ons-eks-node-monitoring-agent-iam-permissions,add-ons-eks-node-monitoring-agent-iam-permissions.title]] +[#add-ons-eks-node-monitoring-agent-iam-permissions] === Required IAM permissions This add-on doesn't require additional permissions. -[[add-ons-eks-node-monitoring-agent-information,add-ons-eks-node-monitoring-agent-information.title]] +[#add-ons-eks-node-monitoring-agent-information] === Additional information For more information, see <>. -[[add-ons-adot,add-ons-adot.title]] +[#add-ons-adot] == {aws} Distro for OpenTelemetry [abstract] @@ -410,19 +410,19 @@ The {aws} Distro for OpenTelemetry Amazon EKS add-on is a secure, production-rea The Amazon EKS add-on name is `adot`. -[[add-ons-adot-iam-permissions,add-ons-adot-iam-permissions.title]] +[#add-ons-adot-iam-permissions] === Required IAM permissions This add-on only requires IAM permissions if you're using one of the preconfigured custom resources that can be opted into through advanced configuration. -[[add-ons-adot-information,add-ons-adot-information.title]] +[#add-ons-adot-information] === Additional information For more information, see https://aws-otel.github.io/docs/getting-started/adot-eks-add-on[Getting Started with {aws} Distro for OpenTelemetry using EKS Add-Ons] in the {aws} Distro for [.noloc]`OpenTelemetry` documentation. ADOT requires that `cert-manager` is deployed on the cluster as a prerequisite, otherwise this add-on won't work if deployed directly using the https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest[Amazon EKS Terraform]``cluster_addons`` property. For more requirements, see https://aws-otel.github.io/docs/getting-started/adot-eks-add-on/requirements[Requirements for Getting Started with {aws} Distro for OpenTelemetry using EKS Add-Ons] in the {aws} Distro for [.noloc]`OpenTelemetry` documentation. -[[add-ons-guard-duty,add-ons-guard-duty.title]] +[#add-ons-guard-duty] == Amazon GuardDuty agent [abstract] @@ -434,12 +434,12 @@ The Amazon GuardDuty agent Amazon EKS add-on is a security monitoring service th The Amazon EKS add-on name is `aws-guardduty-agent`. -[[add-ons-guard-duty-iam-permissions,add-ons-guard-duty-iam-permissions.title]] +[#add-ons-guard-duty-iam-permissions] === Required IAM permissions This add-on doesn't require any permissions. -[[add-ons-guard-duty-information,add-ons-guard-duty-information.title]] +[#add-ons-guard-duty-information] === Additional information For more information, see link:guardduty/latest/ug/how-runtime-monitoring-works-eks.html[Runtime Monitoring for Amazon EKS clusters in Amazon GuardDuty,type="documentation"]. @@ -449,7 +449,7 @@ For more information, see link:guardduty/latest/ug/how-runtime-monitoring-works- * To detect potential security threats in your Amazon EKS clusters, enable Amazon GuardDuty runtime monitoring and deploy the GuardDuty security agent to your Amazon EKS clusters. -[[amazon-cloudwatch-observability,amazon-cloudwatch-observability.title]] +[#amazon-cloudwatch-observability] == Amazon CloudWatch Observability agent [abstract] @@ -461,7 +461,7 @@ The Amazon CloudWatch Observability agent Amazon EKS add-on the monitoring and o The Amazon EKS add-on name is `amazon-cloudwatch-observability`. -[[amazon-cloudwatch-observability-iam-permissions,amazon-cloudwatch-observability-iam-permissions.title]] +[#amazon-cloudwatch-observability-iam-permissions] === Required IAM permissions This add-on uses the IAM roles for service accounts capability of Amazon EKS. For more information, see <>. The permissions in the link:iam/home#/policies/arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess[AWSXrayWriteOnlyAccess,type="console"] and link:iam/home#/policies/arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy[CloudWatchAgentServerPolicy,type="console"] {aws} managed policies are required. You can create an IAM role, attach the managed policies to it, and annotate the [.noloc]`Kubernetes` service account used by the add-on with the following command. Replace [.replaceable]`my-cluster` with the name of your cluster and [.replaceable]`AmazonEKS_Observability_role` with the name for your role. This command requires that you have https://eksctl.io[eksctl] installed on your device. If you need to use a different tool to create the role, attach the policy to it, and annotate the [.noloc]`Kubernetes` service account, see <>. @@ -480,12 +480,12 @@ eksctl create iamserviceaccount \ ---- -[[amazon-cloudwatch-observability-information,amazon-cloudwatch-observability-information.title]] +[#amazon-cloudwatch-observability-information] === Additional information For more information, see link:AmazonCloudWatch/latest/monitoring/install-CloudWatch-Observability-EKS-addon.html[Install the CloudWatch agent,type="documentation"]. -[[add-ons-pod-id,add-ons-pod-id.title]] +[#add-ons-pod-id] == EKS Pod Identity Agent [abstract] @@ -502,12 +502,12 @@ You do not need to install this add-on on Amazon EKS Auto Mode clusters. Amazon The Amazon EKS add-on name is `eks-pod-identity-agent`. -[[add-ons-pod-id-iam-permissions,add-ons-pod-id-iam-permissions.title]] +[#add-ons-pod-id-iam-permissions] === Required IAM permissions This add-on users permissions from the <>. -[[add-ons-pod-id-update-information,add-ons-pod-id-update-information.title]] +[#add-ons-pod-id-update-information] === Update information You can only update one minor version at a time. For example, if your current version is `1.28.x-eksbuild.y` and you want to update to `1.30.x-eksbuild.y`, then you must update your current version to `1.29.x-eksbuild.y` and then update it again to `1.30.x-eksbuild.y`. For more information about updating the add-on, see <>. diff --git a/latest/ug/workloads/workloads-add-ons-available-vendors.adoc b/latest/ug/workloads/workloads-add-ons-available-vendors.adoc index cc10ea118..084226d2d 100644 --- a/latest/ug/workloads/workloads-add-ons-available-vendors.adoc +++ b/latest/ug/workloads/workloads-add-ons-available-vendors.adoc @@ -1,7 +1,7 @@ include::../attributes.txt[] [.topic] -[[workloads-add-ons-available-vendors,workloads-add-ons-available-vendors.title]] +[#workloads-add-ons-available-vendors] = {aws} Marketplace add-ons :info_titleabbrev: Marketplace add-ons @@ -17,7 +17,7 @@ In addition to the previous list of Amazon EKS add-ons, you can also add a wide video::IIPj119mspc[youtube,align = center,height = 405,fileref = https://www.youtube.com/embed/IIPj119mspc,width = 720] -[[add-on-accuknox,add-on-accuknox.title]] +[#add-on-accuknox] == [.noloc]`Accuknox` [abstract] @@ -29,22 +29,22 @@ The add-on name is `accuknox_kubearmor` and the namespace is `kubearmor`. [.nolo For information about the add-on, see https://docs.kubearmor.io/kubearmor/quick-links/deployment_guide[Getting Started with KubeArmor] in the KubeArmor documentation. -[[add-on-accuknox-service-account-name,add-on-accuknox-service-account-name.title]] +[#add-on-accuknox-service-account-name] === Service account name A service account isn't used with this add-on. -[[add-on-accuknox-managed-policy,add-on-accuknox-managed-policy.title]] +[#add-on-accuknox-managed-policy] === {aws} managed IAM policy A managed policy isn't used with this add-on. -[[add-on-accuknox-custom-permissions,add-on-accuknox-custom-permissions.title]] +[#add-on-accuknox-custom-permissions] === Custom IAM permissions Custom permissions aren't used with this add-on. -[[add-on-akuity,add-on-akuity.title]] +[#add-on-akuity] == [.noloc]`Akuity` [abstract] @@ -56,22 +56,22 @@ The add-on name is `akuity_agent` and the namespace is `akuity`. [.noloc]`Akuity For information about how the add-on, see https://docs.akuity.io/tutorials/eks-addon-agent-install/[Installing the Akuity Agent on Amazon EKS with the Akuity EKS add-on] in the Akuity Platform documentation. -[[add-on-akuity-service-account-name,add-on-akuity-service-account-name.title]] +[#add-on-akuity-service-account-name] === Service account name A service account isn't used with this add-on. -[[add-on-akuity-managed-policy,add-on-akuity-managed-policy.title]] +[#add-on-akuity-managed-policy] === {aws} managed IAM policy A managed policy isn't used with this add-on. -[[add-on-akuity-custom-permissions,add-on-akuity-custom-permissions.title]] +[#add-on-akuity-custom-permissions] === Custom IAM permissions Custom permissions aren't used with this add-on. -[[add-on-calyptia,add-on-calyptia.title]] +[#add-on-calyptia] == [.noloc]`Calyptia` [abstract] @@ -83,17 +83,17 @@ The add-on name is `calyptia_fluent-bit` and the namespace is `calytia-fluentbit For information about the add-on, see https://docs.akuity.io/tutorials/eks-addon-agent-install/[Getting Started with Calyptia Core Agent] on the Calyptia documentation website. -[[add-on-calyptia-service-account-name,add-on-calyptia-service-account-name.title]] +[#add-on-calyptia-service-account-name] === Service account name The service account name is `clyptia-fluentbit`. -[[add-on-calyptia-managed-policy,add-on-calyptia-managed-policy.title]] +[#add-on-calyptia-managed-policy] === {aws} managed IAM policy This add-on uses the `AWSMarketplaceMeteringRegisterUsage` managed policy. For more information, see link:aws-managed-policy/latest/reference/AWSMarketplaceMeteringRegisterUsage.html[AWSMarketplaceMeteringRegisterUsage,type="documentation"] in the {aws} Managed Policy Reference Guide. -[[add-on-calyptia-custom-permissions,add-on-calyptia-custom-permissions.title]] +[#add-on-calyptia-custom-permissions] === Command to create required IAM role The following command requires that you have an IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you have one, or to create one, see <>. Replace [.replaceable]`my-cluster` with the name of your cluster and [.replaceable]`my-calyptia-role` with the name for your role. This command requires that you have https://eksctl.io[eksctl] installed on your device. If you need to use a different tool to create the role and annotate the [.noloc]`Kubernetes` service account, see <>. @@ -105,7 +105,7 @@ eksctl create iamserviceaccount --name service-account-name --namespace calypti ---- -[[add-on-cisco-collector,add-on-cisco-collector.title]] +[#add-on-cisco-collector] == [.noloc]`Cisco Observability Collector` [abstract] @@ -117,22 +117,22 @@ The add-on name is `cisco_cisco-cloud-observability-collectors` and the namespac For information about the add-on, see https://docs.appdynamics.com/observability/cisco-cloud-observability/en/kubernetes-and-app-service-monitoring/install-kubernetes-and-app-service-monitoring-with-amazon-elastic-kubernetes-service/use-the-cisco-cloud-observability-aws-marketplace-add-ons[Use the Cisco Cloud Observability {aws} Marketplace Add-Ons] in the Cisco AppDynamics documentation. -[[add-on-cisco-collector-service-account-name,add-on-cisco-collector-service-account-name.title]] +[#add-on-cisco-collector-service-account-name] === Service account name A service account isn't used with this add-on. -[[add-on-cisco-collector-managed-policy,add-on-cisco-collector-managed-policy.title]] +[#add-on-cisco-collector-managed-policy] === {aws} managed IAM policy A managed policy isn't used with this add-on. -[[add-on-cisco-collector-custom-permissions,add-on-cisco-collector-custom-permissions.title]] +[#add-on-cisco-collector-custom-permissions] === Custom IAM permissions Custom permissions aren't used with this add-on. -[[add-on-cisco-operator,add-on-cisco-operator.title]] +[#add-on-cisco-operator] == [.noloc]`Cisco Observability Operator` [abstract] @@ -144,22 +144,22 @@ The add-on name is `cisco_cisco-cloud-observability-operators` and the namespace For information about the add-on, see https://docs.appdynamics.com/observability/cisco-cloud-observability/en/kubernetes-and-app-service-monitoring/install-kubernetes-and-app-service-monitoring-with-amazon-elastic-kubernetes-service/use-the-cisco-cloud-observability-aws-marketplace-add-ons[Use the Cisco Cloud Observability {aws} Marketplace Add-Ons] in the Cisco AppDynamics documentation. -[[add-on-cisco-operator-service-account-name,add-on-cisco-operator-service-account-name.title]] +[#add-on-cisco-operator-service-account-name] === Service account name A service account isn't used with this add-on. -[[add-on-cisco-operator-managed-policy,add-on-cisco-operator-managed-policy.title]] +[#add-on-cisco-operator-managed-policy] === {aws} managed IAM policy A managed policy isn't used with this add-on. -[[add-on-cisco-operator-custom-permissions,add-on-cisco-operator-custom-permissions.title]] +[#add-on-cisco-operator-custom-permissions] === Custom IAM permissions Custom permissions aren't used with this add-on. -[[add-on-cloudsoft,add-on-cloudsoft.title]] +[#add-on-cloudsoft] == [.noloc]`CLOUDSOFT` [abstract] @@ -171,22 +171,22 @@ The add-on name is `cloudsoft_cloudsoft-amp` and the namespace is `cloudsoft-amp For information about the add-on, see https://docs.cloudsoft.io/operations/configuration/aws-eks-addon.html[Amazon EKS ADDON] in the CLOUDSOFT documentation. -[[add-on-cloudsoft-service-account-name,add-on-cloudsoft-service-account-name.title]] +[#add-on-cloudsoft-service-account-name] === Service account name A service account isn't used with this add-on. -[[add-on-cloudsoft-managed-policy,add-on-cloudsoft-managed-policy.title]] +[#add-on-cloudsoft-managed-policy] === {aws} managed IAM policy A managed policy isn't used with this add-on. -[[add-on-cloudsoft-custom-permissions,add-on-cloudsoft-custom-permissions.title]] +[#add-on-cloudsoft-custom-permissions] === Custom IAM permissions Custom permissions aren't used with this add-on. -[[add-on-cribl,add-on-cribl.title]] +[#add-on-cribl] == [.noloc]`Cribl` [abstract] @@ -198,22 +198,22 @@ The add-on name is `cribl_cribledge` and the namespace is `cribledge`. [.noloc]` For information about the add-on, see https://docs.cribl.io/edge/usecase-edge-aws-eks/[Installing the Cribl Amazon EKS Add-on for Edge] in the Cribl documentation -[[add-on-cribl-service-account-name,add-on-cribl-service-account-name.title]] +[#add-on-cribl-service-account-name] === Service account name A service account isn't used with this add-on. -[[add-on-cribl-managed-policy,add-on-cribl-managed-policy.title]] +[#add-on-cribl-managed-policy] === {aws} managed IAM policy A managed policy isn't used with this add-on. -[[add-on-cribl-custom-permissions,add-on-cribl-custom-permissions.title]] +[#add-on-cribl-custom-permissions] === Custom IAM permissions Custom permissions aren't used with this add-on. -[[add-on-dynatrace,add-on-dynatrace.title]] +[#add-on-dynatrace] == [.noloc]`Dynatrace` [abstract] @@ -225,22 +225,22 @@ The add-on name is `dynatrace_dynatrace-operator` and the namespace is `dynatrac For information about the add-on, see https://www.dynatrace.com/technologies/kubernetes-monitoring/[Kubernetes monitoring] in the [.noloc]`dynatrace` documentation. -[[add-on-dynatrace-service-account-name,add-on-dynatrace-service-account-name.title]] +[#add-on-dynatrace-service-account-name] === Service account name A service account isn't used with this add-on. -[[add-on-dynatrace-managed-policy,add-on-dynatrace-managed-policy.title]] +[#add-on-dynatrace-managed-policy] === {aws} managed IAM policy A managed policy isn't used with this add-on. -[[add-on-dynatrace-custom-permissions,add-on-dynatrace-custom-permissions.title]] +[#add-on-dynatrace-custom-permissions] === Custom IAM permissions Custom permissions aren't used with this add-on. -[[add-on-datree-pro,add-on-datree-pro.title]] +[#add-on-datree-pro] == [.noloc]`Datree` [abstract] @@ -252,17 +252,17 @@ The add-on name is `datree_engine-pro` and the namespace is `datree`. [.noloc]`D For information about the add-on, see https://hub.datree.io/integrations/eks-integration[Amazon EKS-intergration] in the Datree documentation. -[[add-on-datree-pro-service-account-name,add-on-datree-pro-service-account-name.title]] +[#add-on-datree-pro-service-account-name] === Service account name The service account name is datree-webhook-server-awsmp. -[[add-on-datree-pro-managed-policy,add-on-datree-pro-managed-policy.title]] +[#add-on-datree-pro-managed-policy] === {aws} managed IAM policy The managed policy is AWSLicenseManagerConsumptionPolicy. For more information, see link:aws-managed-policy/latest/reference/AWSLicenseManagerConsumptionPolicy.html[AWSLicenseManagerConsumptionPolicy,type="documentation"] in the {aws} Managed Policy Reference Guide.. -[[add-on-datree-pro-iam-command,add-on-datree-pro-iam-command.title]] +[#add-on-datree-pro-iam-command] === Command to create required IAM role The following command requires that you have an IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you have one, or to create one, see <>. Replace [.replaceable]`my-cluster` with the name of your cluster and [.replaceable]`my-datree-role` with the name for your role. This command requires that you have https://eksctl.io[eksctl] installed on your device. If you need to use a different tool to create the role and annotate the [.noloc]`Kubernetes` service account, see <>. @@ -274,12 +274,12 @@ eksctl create iamserviceaccount --name datree-webhook-server-awsmp --namespace d ---- -[[add-on-datree-pro-custom-permissions,add-on-datree-pro-custom-permissions.title]] +[#add-on-datree-pro-custom-permissions] === Custom permissions Custom permissions aren't used with this add-on. -[[add-on-datadog,add-on-datadog.title]] +[#add-on-datadog] == [.noloc]`Datadog` [abstract] @@ -291,22 +291,22 @@ The add-on name is `datadog_operator` and the namespace is `datadog-agent`. [.no For information about the add-on, see https://docs.datadoghq.com/containers/guide/operator-eks-addon/?tab=console[Installing the Datadog Agent on Amazon EKS with the Datadog Operator Add-on] in the Datadog documentation. -[[add-on-datadog-service-account-name,add-on-datadog-service-account-name.title]] +[#add-on-datadog-service-account-name] === Service account name A service account isn't used with this add-on. -[[add-on-datadog-managed-policy,add-on-datadog-managed-policy.title]] +[#add-on-datadog-managed-policy] === {aws} managed IAM policy A managed policy isn't used with this add-on. -[[add-on-datadog-custom-permissions,add-on-datadog-custom-permissions.title]] +[#add-on-datadog-custom-permissions] === Custom IAM permissions Custom permissions aren't used with this add-on. -[[add-on-groundcover,add-on-groundcover.title]] +[#add-on-groundcover] == [.noloc]`Groundcover` [abstract] @@ -318,22 +318,22 @@ The add-on name is `groundcover_agent` and the namespace is `groundcover`. [.nol For information about the add-on, see https://docs.groundcover.com/docs/~/changes/VhDDAl1gy1VIO3RIcgxD/configuration/customization-guide/customize-deployment/eks-add-on[Installing the groundcover Amazon EKS Add-on] in the groundcover documentation. -[[add-on-groundcover-service-account-name,add-on-groundcover-service-account-name.title]] +[#add-on-groundcover-service-account-name] === Service account name A service account isn't used with this add-on. -[[add-on-groundcover-managed-policy,add-on-groundcover-managed-policy.title]] +[#add-on-groundcover-managed-policy] === {aws} managed IAM policy A managed policy isn't used with this add-on. -[[add-on-groundcover-custom-permissions,add-on-groundcover-custom-permissions.title]] +[#add-on-groundcover-custom-permissions] === Custom IAM permissions Custom permissions aren't used with this add-on. -[[add-on-grafana,add-on-grafana.title]] +[#add-on-grafana] == [.noloc]`Grafana Labs` [abstract] @@ -345,22 +345,22 @@ The add-on name is `grafana-labs_kubernetes-monitoring` and the namespace is `mo For information about the add-on, see https://grafana.com/docs/grafana-cloud/monitor-infrastructure/kubernetes-monitoring/configuration/config-aws-eks/[Configure Kubernetes Monitoring as an Add-on with Amazon EKS] in the Grafana Labs documentation. -[[add-on-grafana-service-account-name,add-on-grafana-service-account-name.title]] +[#add-on-grafana-service-account-name] === Service account name A service account isn't used with this add-on. -[[add-on-grafana-managed-policy,add-on-grafana-managed-policy.title]] +[#add-on-grafana-managed-policy] === {aws} managed IAM policy A managed policy isn't used with this add-on. -[[add-on-grafana-custom-permissions,add-on-grafana-custom-permissions.title]] +[#add-on-grafana-custom-permissions] === Custom IAM permissions Custom permissions aren't used with this add-on. -[[add-on-guance,add-on-guance.title]] +[#add-on-guance] == [.noloc]`Guance` * *Publisher* – [.noloc]`GUANCE` @@ -372,7 +372,7 @@ Custom permissions aren't used with this add-on. * *Setup and usage instructions* – See https://docs.guance.com/en/datakit/datakit-eks-deploy/#add-on-install[Using Amazon EKS add-on] in the Guance documentation. -[[add-on-ha-proxy,add-on-ha-proxy.title]] +[#add-on-ha-proxy] == [.noloc]`HA Proxy` [abstract] @@ -384,17 +384,17 @@ The name is `haproxy-technologies_kubernetes-ingress-ee` and the namespace is `h For information about the add-on, see https://hub.datree.io/integrations/eks-integration[Amazon EKS-intergration] in the Datree documentation. -[[add-on-ha-proxy-service-account-name,add-on-ha-proxy-service-account-name.title]] +[#add-on-ha-proxy-service-account-name] === Service account name The service account name is `customer defined`. -[[add-on-ha-proxy-managed-policy,add-on-ha-proxy-managed-policy.title]] +[#add-on-ha-proxy-managed-policy] === {aws} managed IAM policy The managed policy is AWSLicenseManagerConsumptionPolicy. For more information, see link:aws-managed-policy/latest/reference/AWSLicenseManagerConsumptionPolicy.html[AWSLicenseManagerConsumptionPolicy,type="documentation"] in the {aws} Managed Policy Reference Guide.. -[[add-on-ha-proxy-iam-command,add-on-ha-proxy-iam-command.title]] +[#add-on-ha-proxy-iam-command] === Command to create required IAM role The following command requires that you have an IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you have one, or to create one, see <>. Replace [.replaceable]`my-cluster` with the name of your cluster and [.replaceable]`my-haproxy-role` with the name for your role. This command requires that you have https://eksctl.io[eksctl] installed on your device. If you need to use a different tool to create the role and annotate the [.noloc]`Kubernetes` service account, see <>. @@ -406,12 +406,12 @@ eksctl create iamserviceaccount --name service-account-name --namespace haproxy ---- -[[add-on-ha-proxy-custom-permissions,add-on-ha-proxy-custom-permissions.title]] +[#add-on-ha-proxy-custom-permissions] === Custom permissions Custom permissions aren't used with this add-on. -[[add-on-kpow,add-on-kpow.title]] +[#add-on-kpow] == [.noloc]`Kpow` [abstract] @@ -423,17 +423,17 @@ The add-on name is `factorhouse_kpow` and the namespace is `factorhouse`. [.nolo For information about the add-on, see https://docs.kpow.io/installation/aws-marketplace-lm/[{aws} Marketplace LM] in the [.noloc]`Kpow` documentation. -[[add-on-kpow-service-account-name,add-on-kpow-service-account-name.title]] +[#add-on-kpow-service-account-name] === Service account name The service account name is `kpow`. -[[add-on-kpow-managed-policy,add-on-kpow-managed-policy.title]] +[#add-on-kpow-managed-policy] === {aws} managed IAM policy The managed policy is AWSLicenseManagerConsumptionPolicy. For more information, see link:aws-managed-policy/latest/reference/AWSLicenseManagerConsumptionPolicy.html[AWSLicenseManagerConsumptionPolicy,type="documentation"] in the {aws} Managed Policy Reference Guide.. -[[add-on-kpow-iam-command,add-on-kpow-iam-command.title]] +[#add-on-kpow-iam-command] === Command to create required IAM role The following command requires that you have an IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you have one, or to create one, see <>. Replace [.replaceable]`my-cluster` with the name of your cluster and [.replaceable]`my-kpow-role` with the name for your role. This command requires that you have https://eksctl.io[eksctl] installed on your device. If you need to use a different tool to create the role and annotate the [.noloc]`Kubernetes` service account, see <>. @@ -445,12 +445,12 @@ eksctl create iamserviceaccount --name kpow --namespace factorhouse --cluster my ---- -[[add-on-kpow-custom-permissions,add-on-kpow-custom-permissions.title]] +[#add-on-kpow-custom-permissions] === Custom permissions Custom permissions aren't used with this add-on. -[[add-on-kubecost,add-on-kubecost.title]] +[#add-on-kubecost] == [.noloc]`Kubecost` [abstract] @@ -464,22 +464,22 @@ For information about the add-on, see https://docs.kubecost.com/install-and-conf If your cluster is version `1.23` or later, you must have the <> installed on your cluster. otherwise you will receive an error. -[[add-on-kubecost-service-account-name,add-on-kubecost-service-account-name.title]] +[#add-on-kubecost-service-account-name] === Service account name A service account isn't used with this add-on. -[[add-on-kubecost-managed-policy,add-on-kubecost-managed-policy.title]] +[#add-on-kubecost-managed-policy] === {aws} managed IAM policy A managed policy isn't used with this add-on. -[[add-on-kubecost-custom-permissions,add-on-kubecost-custom-permissions.title]] +[#add-on-kubecost-custom-permissions] === Custom IAM permissions Custom permissions aren't used with this add-on. -[[add-on-kasten,add-on-kasten.title]] +[#add-on-kasten] == [.noloc]`Kasten` [abstract] @@ -493,17 +493,17 @@ For information about the add-on, see https://docs.kasten.io/latest/install/aws- If your Amazon EKS cluster is version [.noloc]`Kubernetes` `1.23` or later, you must have the Amazon EBS CSI driver installed on your cluster with a default `StorageClass`. -[[add-on-kasten-service-account-name,add-on-kasten-service-account-name.title]] +[#add-on-kasten-service-account-name] === Service account name The service account name is `k10-k10`. -[[add-on-kasten-managed-policy,add-on-kasten-managed-policy.title]] +[#add-on-kasten-managed-policy] === {aws} managed IAM policy The managed policy is AWSLicenseManagerConsumptionPolicy. For more information, see link:aws-managed-policy/latest/reference/AWSLicenseManagerConsumptionPolicy.html[AWSLicenseManagerConsumptionPolicy,type="documentation"] in the {aws} Managed Policy Reference Guide.. -[[add-on-kasten-iam-command,add-on-kasten-iam-command.title]] +[#add-on-kasten-iam-command] === Command to create required IAM role The following command requires that you have an IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you have one, or to create one, see <>. Replace [.replaceable]`my-cluster` with the name of your cluster and [.replaceable]`my-kasten-role` with the name for your role. This command requires that you have https://eksctl.io[eksctl] installed on your device. If you need to use a different tool to create the role and annotate the [.noloc]`Kubernetes` service account, see <>. @@ -515,12 +515,12 @@ eksctl create iamserviceaccount --name k10-k10 --namespace kasten-io --cluster m ---- -[[add-on-kasten-custom-permissions,add-on-kasten-custom-permissions.title]] +[#add-on-kasten-custom-permissions] === Custom permissions Custom permissions aren't used with this add-on. -[[add-on-kong,add-on-kong.title]] +[#add-on-kong] == [.noloc]`Kong` [abstract] @@ -534,22 +534,22 @@ For information about the add-on, see https://kong.github.io/aws-marketplace-add If your cluster is version `1.23` or later, you must have the <> installed on your cluster. otherwise you will receive an error. -[[add-on-kong-service-account-name,add-on-kong-service-account-name.title]] +[#add-on-kong-service-account-name] === Service account name A service account isn't used with this add-on. -[[add-on-kong-managed-policy,add-on-kong-managed-policy.title]] +[#add-on-kong-managed-policy] === {aws} managed IAM policy A managed policy isn't used with this add-on. -[[add-on-kong-custom-permissions,add-on-kong-custom-permissions.title]] +[#add-on-kong-custom-permissions] === Custom IAM permissions Custom permissions aren't used with this add-on. -[[add-on-leaksignal,add-on-leaksignal.title]] +[#add-on-leaksignal] == [.noloc]`LeakSignal` [abstract] @@ -563,22 +563,22 @@ For information about the add-on, see https://www.leaksignal.com/docs/LeakAgent/ If your cluster is version `1.23` or later, you must have the <> installed on your cluster. otherwise you will receive an error. -[[add-on-leaksignal-service-account-name,add-on-leaksignal-service-account-name.title]] +[#add-on-leaksignal-service-account-name] === Service account name A service account isn't used with this add-on. -[[add-on-leaksignal-managed-policy,add-on-leaksignal-managed-policy.title]] +[#add-on-leaksignal-managed-policy] === {aws} managed IAM policy A managed policy isn't used with this add-on. -[[add-on-leaksignal-custom-permissions,add-on-leaksignal-custom-permissions.title]] +[#add-on-leaksignal-custom-permissions] === Custom IAM permissions Custom permissions aren't used with this add-on. -[[add-on-netapp,add-on-netapp.title]] +[#add-on-netapp] == [.noloc]`NetApp` [abstract] @@ -590,22 +590,22 @@ The add-on name is `netapp_trident-operator` and the namespace is `trident`. [.n For information about the add-on, see https://docs.netapp.com/us-en/trident/trident-use/trident-aws-addon.html[Configure the Trident EKS add-on] in the NetApp documentation. -[[add-on-netapp-service-account-name,add-on-netapp-service-account-name.title]] +[#add-on-netapp-service-account-name] === Service account name A service account isn't used with this add-on. -[[add-on-netapp-managed-policy,add-on-netapp-managed-policy.title]] +[#add-on-netapp-managed-policy] === {aws} managed IAM policy A managed policy isn't used with this add-on. -[[add-on-netapp-custom-permissions,add-on-netapp-custom-permissions.title]] +[#add-on-netapp-custom-permissions] === Custom IAM permissions Custom permissions aren't used with this add-on. -[[add-on-new-relic,add-on-new-relic.title]] +[#add-on-new-relic] == [.noloc]`New Relic` [abstract] @@ -617,22 +617,22 @@ The add-on name is `new-relic_kubernetes-operator` and the namespace is `newreli For information about the add-on, see https://docs.newrelic.com/docs/infrastructure/amazon-integrations/connect/eks-add-on[Installing the New Relic Add-on for EKS] in the New Relic documentation. -[[add-on-new-relic-service-account-name,add-on-new-relic-service-account-name.title]] +[#add-on-new-relic-service-account-name] === Service account name A service account isn't used with this add-on. -[[add-on-new-relic-managed-policy,add-on-new-relic-managed-policy.title]] +[#add-on-new-relic-managed-policy] === {aws} managed IAM policy A managed policy isn't used with this add-on. -[[add-on-new-relic-custom-permissions,add-on-new-relic-custom-permissions.title]] +[#add-on-new-relic-custom-permissions] === Custom IAM permissions Custom permissions aren't used with this add-on. -[[add-on-rafay,add-on-rafay.title]] +[#add-on-rafay] == [.noloc]`Rafay` [abstract] @@ -644,22 +644,22 @@ The add-on name is `rafay-systems_rafay-operator` and the namespace is `rafay-sy For information about the add-on, see https://docs.rafay.co/clusters/import/eksaddon/[Installing the Rafay Amazon EKS Add-on] in the Rafay documentation. -[[add-on-rafay-service-account-name,add-on-rafay-service-account-name.title]] +[#add-on-rafay-service-account-name] === Service account name A service account isn't used with this add-on. -[[add-on-rafay-managed-policy,add-on-rafay-managed-policy.title]] +[#add-on-rafay-managed-policy] === {aws} managed IAM policy A managed policy isn't used with this add-on. -[[add-on-rafay-custom-permissions,add-on-rafay-custom-permissions.title]] +[#add-on-rafay-custom-permissions] === Custom IAM permissions Custom permissions aren't used with this add-on. -[[add-on-rad,add-on-rad.title]] +[#add-on-rad] == [.noloc]`Rad Security` * *Publisher* – [.noloc]`RAD SECURITY` @@ -671,7 +671,7 @@ Custom permissions aren't used with this add-on. * *Setup and usage instructions* – See https://docs.rad.security/docs/installing-ksoc-in-the-aws-marketplace[Installing Rad Through The {aws} Marketplace] in the Rad Security documentation. -[[add-on-solarwinds,add-on-solarwinds.title]] +[#add-on-solarwinds] == [.noloc]`SolarWinds` * *Publisher* – [.noloc]`SOLARWINDS` @@ -683,7 +683,7 @@ Custom permissions aren't used with this add-on. * *Setup and usage instructions* – See https://documentation.solarwinds.com/en/success_center/observability/content/configure/configure-kubernetes.htm#MonitorAmazonEKS[Monitor an Amazon EKS cluster] in the SolarWinds documentation. -[[add-on-solo,add-on-solo.title]] +[#add-on-solo] == [.noloc]`Solo` [abstract] @@ -695,22 +695,22 @@ The add-on name is `solo-io_istio-distro` and the namespace is `istio-system`. [ For information about the add-on, see https://docs.solo.io/gloo-mesh-enterprise/main/setup/install/eks_addon/[Installing Istio] in the Solo.io documentation.. -[[add-on-solo-service-account-name,add-on-solo-service-account-name.title]] +[#add-on-solo-service-account-name] === Service account name A service account isn't used with this add-on. -[[add-on-solo-managed-policy,add-on-solo-managed-policy.title]] +[#add-on-solo-managed-policy] === {aws} managed IAM policy A managed policy isn't used with this add-on. -[[add-on-solo-custom-permissions,add-on-solo-custom-permissions.title]] +[#add-on-solo-custom-permissions] === Custom IAM permissions Custom permissions aren't used with this add-on. -[[add-on-snyk,add-on-snyk.title]] +[#add-on-snyk] == [.noloc]`Snyk` * *Publisher* – [.noloc]`SNYK` @@ -722,7 +722,7 @@ Custom permissions aren't used with this add-on. * *Setup and usage instructions* – See https://docs.snyk.io/integrate-with-snyk/snyk-runtime-sensor[Snyk runtime sensor] in the Snyk user docs. -[[add-on-stormforge,add-on-stormforge.title]] +[#add-on-stormforge] == [.noloc]`Stormforge` [abstract] @@ -734,22 +734,22 @@ The add-on name is `stormforge_optimize-Live` and the namespace is `stormforge-s For information about the add-on, see https://docs.stormforge.io/optimize-live/getting-started/install-v2/[Installing the StormForge Agent] in the StormForge documentation. -[[add-on-stormforge-service-account-name,add-on-stormforge-service-account-name.title]] +[#add-on-stormforge-service-account-name] === Service account name A service account isn't used with this add-on. -[[add-on-stormforge-managed-policy,add-on-stormforge-managed-policy.title]] +[#add-on-stormforge-managed-policy] === {aws} managed IAM policy A managed policy isn't used with this add-on. -[[add-on-stormforge-custom-permissions,add-on-stormforge-custom-permissions.title]] +[#add-on-stormforge-custom-permissions] === Custom IAM permissions Custom permissions aren't used with this add-on. -[[add-on-splunk,add-on-splunk.title]] +[#add-on-splunk] == [.noloc]`Splunk` [abstract] @@ -761,22 +761,22 @@ The add-on name is `splunk_splunk-otel-collector-chart` and the namespace is `sp For information about the add-on, see https://docs.splunk.com/observability/en/gdi/opentelemetry/install-k8s-addon-eks.html[Install the Splunk add-on for Amazon EKS] in the Splunk documentation. -[[add-on-splunk-service-account-name,add-on-splunk-service-account-name.title]] +[#add-on-splunk-service-account-name] === Service account name A service account isn't used with this add-on. -[[add-on-splunk-managed-policy,add-on-splunk-managed-policy.title]] +[#add-on-splunk-managed-policy] === {aws} managed IAM policy A managed policy isn't used with this add-on. -[[add-on-splunk-custom-permissions,add-on-splunk-custom-permissions.title]] +[#add-on-splunk-custom-permissions] === Custom IAM permissions Custom permissions aren't used with this add-on. -[[add-on-teleport,add-on-teleport.title]] +[#add-on-teleport] == [.noloc]`Teleport` [abstract] @@ -788,22 +788,22 @@ The add-on name is `teleport_teleport` and the namespace is `teleport`. [.noloc] For information about the add-on, see https://goteleport.com/how-it-works/[How Teleport Works] in the [.noloc]`Teleport` documentation. -[[add-on-teleport-service-account-name,add-on-teleport-service-account-name.title]] +[#add-on-teleport-service-account-name] === Service account name A service account isn't used with this add-on. -[[add-on-teleport-managed-policy,add-on-teleport-managed-policy.title]] +[#add-on-teleport-managed-policy] === {aws} managed IAM policy A managed policy isn't used with this add-on. -[[add-on-teleport-custom-permissions,add-on-teleport-custom-permissions.title]] +[#add-on-teleport-custom-permissions] === Custom IAM permissions Custom permissions aren't used with this add-on. -[[add-on-tetrate,add-on-tetrate.title]] +[#add-on-tetrate] == [.noloc]`Tetrate` [abstract] @@ -815,22 +815,22 @@ The add-on name is `tetrate-io_istio-distro` and the namespace is `istio-system` For information about the add-on, see the https://tetratelabs.io/[Tetrate Istio Distro] website. -[[add-on-tetrate-service-account-name,add-on-tetrate-service-account-name.title]] +[#add-on-tetrate-service-account-name] === Service account name A service account isn't used with this add-on. -[[add-on-tetrate-managed-policy,add-on-tetrate-managed-policy.title]] +[#add-on-tetrate-managed-policy] === {aws} managed IAM policy A managed policy isn't used with this add-on. -[[add-on-tetrate-custom-permissions,add-on-tetrate-custom-permissions.title]] +[#add-on-tetrate-custom-permissions] === Custom IAM permissions Custom permissions aren't used with this add-on. -[[add-on-upbound,add-on-upbound.title]] +[#add-on-upbound] == [.noloc]`Upbound Universal Crossplane` [abstract] @@ -842,22 +842,22 @@ The add-on name is `upbound_universal-crossplane` and the namespace is `upbound- For information about the add-on, see https://docs.upbound.io/uxp/[Upbound Universal Crossplane (UXP)] in the Upbound documentation. -[[add-on-upbound-service-account-name,add-on-upbound-service-account-name.title]] +[#add-on-upbound-service-account-name] === Service account name A service account isn't used with this add-on. -[[add-on-upbound-managed-policy,add-on-upbound-managed-policy.title]] +[#add-on-upbound-managed-policy] === {aws} managed IAM policy A managed policy isn't used with this add-on. -[[add-on-upbound-custom-permissions,add-on-upbound-custom-permissions.title]] +[#add-on-upbound-custom-permissions] === Custom IAM permissions Custom permissions aren't used with this add-on. -[[add-on-upwind,add-on-upwind.title]] +[#add-on-upwind] == [.noloc]`Upwind` [abstract] @@ -869,17 +869,17 @@ The add-on name is `upwind` and the namespace is `upwind`. [.noloc]`Upwind` publ For information about the add-on, see https://docs.upwind.io/install-sensor/kubernetes/install?installation-method=amazon-eks-addon[Upwind documentation]. -[[add-on-upwind-service-account-name,add-on-upwind-service-account-name.title]] +[#add-on-upwind-service-account-name] === Service account name A service account isn't used with this add-on. -[[add-on-upwind-managed-policy,add-on-upwind-managed-policy.title]] +[#add-on-upwind-managed-policy] === {aws} managed IAM policy A managed policy isn't used with this add-on. -[[add-on-upwind-custom-permissions,add-on-upwind-custom-permissions.title]] +[#add-on-upwind-custom-permissions] === Custom IAM permissions Custom permissions aren't used with this add-on. From aa2954610330a26d63393f1f16f30c82261ce42f Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Wed, 5 Feb 2025 23:09:15 +0000 Subject: [PATCH 107/940] Updated year. --- latest/ug/book.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/book.adoc b/latest/ug/book.adoc index 07b56d323..126759452 100644 --- a/latest/ug/book.adoc +++ b/latest/ug/book.adoc @@ -10,7 +10,7 @@ include::attributes.txt[] :info_subtitle: User Guide :info_corpauthor: Amazon Web Services :info_publisher: Amazon Web Services -:info_copyright: 2024 \ +:info_copyright: 2025 \ Amazon Web Services, Inc. and/or its affiliates. All rights reserved. :info_legalnotice: Amazon's trademarks and trade dress may not be used in \ connection with any product or service that is not Amazon's, \ From 9f22f8835a4b0019c614f9f542fd5f6d1fcdeaca Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Thu, 6 Feb 2025 18:20:54 +0000 Subject: [PATCH 108/940] Replaced manual GitHub links with searches for new anchor format. --- latest/ug/automode/associate-workload.adoc | 2 +- latest/ug/automode/auto-configure-alb.adoc | 2 +- latest/ug/automode/auto-configure-nlb.adoc | 2 +- latest/ug/automode/auto-disable.adoc | 2 +- latest/ug/automode/auto-elb-example.adoc | 2 +- latest/ug/automode/auto-enable-existing.adoc | 2 +- latest/ug/automode/auto-glossary.adoc | 2 +- latest/ug/automode/auto-learn-iam.adoc | 2 +- latest/ug/automode/auto-migrate-karpenter.adoc | 2 +- latest/ug/automode/auto-migrate-mng.adoc | 2 +- latest/ug/automode/auto-mng.adoc | 2 +- latest/ug/automode/auto-net-pol.adoc | 2 +- latest/ug/automode/auto-networking.adoc | 2 +- latest/ug/automode/auto-reference.adoc | 2 +- latest/ug/automode/auto-tag-subnets.adoc | 2 +- latest/ug/automode/auto-troubleshoot.adoc | 2 +- latest/ug/automode/auto-upgrade.adoc | 2 +- latest/ug/automode/auto-workloads.adoc | 2 +- latest/ug/automode/automode-get-started-cli.adoc | 2 +- latest/ug/automode/automode-get-started-console.adoc | 2 +- latest/ug/automode/automode-get-started-eksctl.adoc | 2 +- latest/ug/automode/automode-learn-instances.adoc | 2 +- latest/ug/automode/automode-workload.adoc | 2 +- latest/ug/automode/automode.adoc | 2 +- latest/ug/automode/create-auto.adoc | 2 +- latest/ug/automode/create-node-class.adoc | 2 +- latest/ug/automode/create-node-pool.adoc | 2 +- latest/ug/automode/create-storage-class.adoc | 2 +- latest/ug/automode/critical-workload.adoc | 2 +- latest/ug/automode/migrate-auto.adoc | 2 +- latest/ug/automode/old/hpa_scaling.adoc | 2 +- latest/ug/automode/sample-storage-workload.adoc | 2 +- latest/ug/automode/set-builtin-node-pools.adoc | 2 +- latest/ug/automode/settings-auto.adoc | 2 +- latest/ug/automode/troubleshoot-lbc.adoc | 2 +- latest/ug/automode/wip.adoc | 2 +- latest/ug/automode/wip/create-vpc-console.adoc | 2 +- latest/ug/automode/wip/eksctl-docs.adoc | 2 +- latest/ug/automode/wip/tag-subnets.adoc | 2 +- latest/ug/book.adoc | 2 +- latest/ug/clusters/autoscaling.adoc | 2 +- latest/ug/clusters/cluster-endpoint.adoc | 2 +- latest/ug/clusters/cluster-insights.adoc | 2 +- latest/ug/clusters/clusters.adoc | 2 +- latest/ug/clusters/create-cluster-auto.adoc | 2 +- latest/ug/clusters/create-cluster.adoc | 2 +- latest/ug/clusters/delete-cluster.adoc | 2 +- latest/ug/clusters/disable-extended-support.adoc | 2 +- latest/ug/clusters/disable-windows-support.adoc | 2 +- latest/ug/clusters/enable-extended-support.adoc | 2 +- latest/ug/clusters/kubernetes-versions-extended.adoc | 2 +- latest/ug/clusters/kubernetes-versions-standard.adoc | 2 +- latest/ug/clusters/kubernetes-versions.adoc | 2 +- latest/ug/clusters/management/cost-monitoring-aws.adoc | 2 +- .../management/cost-monitoring-kubecost-bundles.adoc | 2 +- latest/ug/clusters/management/cost-monitoring-kubecost.adoc | 2 +- latest/ug/clusters/management/cost-monitoring.adoc | 2 +- latest/ug/clusters/management/eks-managing.adoc | 2 +- latest/ug/clusters/management/eks-using-tags.adoc | 2 +- latest/ug/clusters/management/helm.adoc | 2 +- latest/ug/clusters/management/metrics-server.adoc | 2 +- latest/ug/clusters/management/service-quotas.adoc | 2 +- latest/ug/clusters/platform-versions.adoc | 2 +- latest/ug/clusters/private-clusters.adoc | 2 +- latest/ug/clusters/update-cluster.adoc | 2 +- latest/ug/clusters/view-support-status.adoc | 2 +- latest/ug/clusters/view-upgrade-policy.adoc | 2 +- latest/ug/clusters/windows-support.adoc | 2 +- latest/ug/clusters/zone-shift-enable.adoc | 2 +- latest/ug/clusters/zone-shift.adoc | 2 +- latest/ug/connector/connecting-cluster.adoc | 2 +- latest/ug/connector/connector-grant-access.adoc | 2 +- latest/ug/connector/deregister-connected-cluster.adoc | 2 +- latest/ug/connector/eks-connector.adoc | 2 +- latest/ug/connector/security-connector.adoc | 2 +- latest/ug/connector/troubleshooting-connector.adoc | 2 +- latest/ug/connector/tsc-faq.adoc | 2 +- latest/ug/contribute/asciidoc-syntax.adoc | 6 +----- latest/ug/contribute/contribute.adoc | 2 +- latest/ug/contribute/create-content-q.adoc | 4 +--- latest/ug/contribute/create-page.adoc | 2 +- latest/ug/contribute/edit-single-web.adoc | 4 +--- latest/ug/contribute/edit-web.adoc | 3 +-- latest/ug/contribute/insert-link.adoc | 3 +-- latest/ug/contribute/pr-preview.adoc | 3 +-- latest/ug/contribute/pr-status.adoc | 4 +--- latest/ug/contribute/vale-github.adoc | 2 +- latest/ug/contribute/vale-local.adoc | 6 +----- latest/ug/doc-history.adoc | 2 +- latest/ug/getting-started/getting-started-automode.adoc | 2 +- latest/ug/getting-started/getting-started-console.adoc | 2 +- latest/ug/getting-started/getting-started-eksctl.adoc | 2 +- latest/ug/getting-started/getting-started.adoc | 2 +- latest/ug/getting-started/install-awscli.adoc | 2 +- latest/ug/getting-started/install-kubectl.adoc | 2 +- latest/ug/getting-started/learn-eks.adoc | 2 +- latest/ug/getting-started/setting-up.adoc | 2 +- .../creating-resources-with-cloudformation.adoc | 2 +- latest/ug/integrations/eks-integrations.adoc | 2 +- latest/ug/integrations/integration-detective.adoc | 2 +- latest/ug/integrations/integration-guardduty.adoc | 2 +- latest/ug/integrations/integration-resilience-hub.adoc | 2 +- latest/ug/integrations/integration-securitylake.adoc | 2 +- latest/ug/integrations/integration-vpc-lattice.adoc | 2 +- latest/ug/integrations/local-zones.adoc | 2 +- .../aws-access/associate-service-account-role.adoc | 2 +- .../ug/manage-access/aws-access/configure-sts-endpoint.adoc | 2 +- .../ug/manage-access/aws-access/cross-account-access.adoc | 2 +- .../aws-access/enable-iam-roles-for-service-accounts.adoc | 2 +- .../iam-roles-for-service-accounts-minimum-sdk.adoc | 2 +- .../aws-access/iam-roles-for-service-accounts.adoc | 2 +- latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc | 2 +- latest/ug/manage-access/aws-access/pod-configuration.adoc | 2 +- latest/ug/manage-access/aws-access/pod-id-abac.adoc | 2 +- .../manage-access/aws-access/pod-id-agent-config-ipv6.adoc | 2 +- latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc | 2 +- latest/ug/manage-access/aws-access/pod-id-association.adoc | 2 +- .../ug/manage-access/aws-access/pod-id-configure-pods.adoc | 2 +- latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc | 2 +- latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc | 2 +- latest/ug/manage-access/aws-access/pod-id-role.adoc | 2 +- latest/ug/manage-access/aws-access/pod-identities.adoc | 2 +- latest/ug/manage-access/aws-access/service-accounts.adoc | 2 +- latest/ug/manage-access/cluster-auth.adoc | 2 +- latest/ug/manage-access/create-kubeconfig.adoc | 2 +- latest/ug/manage-access/k8s-access/access-entries.adoc | 2 +- latest/ug/manage-access/k8s-access/access-policies.adoc | 2 +- .../manage-access/k8s-access/access-policy-reference.adoc | 2 +- latest/ug/manage-access/k8s-access/auth-configmap.adoc | 2 +- .../k8s-access/authenticate-oidc-identity-provider.adoc | 2 +- .../manage-access/k8s-access/creating-access-entries.adoc | 2 +- .../manage-access/k8s-access/deleting-access-entries.adoc | 2 +- .../k8s-access/disassociate-oidc-identity-provider.adoc | 2 +- latest/ug/manage-access/k8s-access/grant-k8s-access.adoc | 2 +- .../manage-access/k8s-access/migrating-access-entries.adoc | 2 +- .../manage-access/k8s-access/setting-up-access-entries.adoc | 2 +- .../manage-access/k8s-access/updating-access-entries.adoc | 2 +- latest/ug/manage-access/view-kubernetes-resources.adoc | 2 +- latest/ug/ml/capacity-blocks-mng.adoc | 2 +- latest/ug/ml/capacity-blocks.adoc | 2 +- latest/ug/ml/inferentia-support.adoc | 2 +- latest/ug/ml/machine-learning-on-eks.adoc | 2 +- latest/ug/ml/ml-eks-optimized-ami.adoc | 2 +- latest/ug/ml/ml-eks-windows-optimized-ami.adoc | 2 +- latest/ug/ml/ml-get-started.adoc | 2 +- latest/ug/ml/ml-prepare-for-cluster.adoc | 2 +- latest/ug/ml/ml-tutorials.adoc | 2 +- latest/ug/ml/node-efa.adoc | 2 +- latest/ug/ml/node-taints-managed-node-groups.adoc | 2 +- latest/ug/networking/alternate-cni-plugins.adoc | 2 +- latest/ug/networking/aws-load-balancer-controller.adoc | 2 +- latest/ug/networking/cni-custom-network-tutorial.adoc | 2 +- latest/ug/networking/cni-custom-network.adoc | 2 +- latest/ug/networking/cni-iam-role.adoc | 2 +- .../ug/networking/cni-increase-ip-addresses-procedure.adoc | 2 +- latest/ug/networking/cni-increase-ip-addresses.adoc | 2 +- latest/ug/networking/cni-ipv6.adoc | 2 +- latest/ug/networking/cni-network-policy-configure.adoc | 2 +- latest/ug/networking/cni-network-policy.adoc | 2 +- latest/ug/networking/coredns-add-on-create.adoc | 2 +- .../ug/networking/coredns-add-on-self-managed-update.adoc | 2 +- latest/ug/networking/coredns-add-on-update.adoc | 2 +- latest/ug/networking/coredns-autoscaling.adoc | 2 +- latest/ug/networking/coredns-metrics.adoc | 2 +- latest/ug/networking/creating-a-vpc.adoc | 2 +- latest/ug/networking/deploy-ipv6-cluster.adoc | 2 +- latest/ug/networking/eks-networking-add-ons.adoc | 2 +- latest/ug/networking/eks-networking.adoc | 2 +- latest/ug/networking/external-snat.adoc | 2 +- .../networking/kube-proxy-add-on-self-managed-update.adoc | 2 +- latest/ug/networking/lbc-helm.adoc | 2 +- latest/ug/networking/lbc-manifest.adoc | 2 +- latest/ug/networking/lbc-remove.adoc | 2 +- latest/ug/networking/managing-coredns.adoc | 2 +- latest/ug/networking/managing-kube-proxy.adoc | 2 +- latest/ug/networking/managing-vpc-cni.adoc | 2 +- latest/ug/networking/network-policies-troubleshooting.adoc | 2 +- latest/ug/networking/network-policy-disable.adoc | 2 +- latest/ug/networking/network-policy-stars-demo.adoc | 2 +- latest/ug/networking/network-reqs.adoc | 2 +- latest/ug/networking/pod-multiple-network-interfaces.adoc | 2 +- latest/ug/networking/pod-networking-use-cases.adoc | 2 +- latest/ug/networking/sec-group-reqs.adoc | 2 +- latest/ug/networking/security-groups-for-pods.adoc | 2 +- latest/ug/networking/security-groups-pods-deployment.adoc | 2 +- latest/ug/networking/sg-pods-example-deployment.adoc | 2 +- latest/ug/networking/vpc-add-on-create.adoc | 2 +- latest/ug/networking/vpc-add-on-self-managed-update.adoc | 2 +- latest/ug/networking/vpc-add-on-update.adoc | 2 +- latest/ug/nodes/al2023.adoc | 2 +- latest/ug/nodes/auto-get-logs.adoc | 2 +- latest/ug/nodes/bottlerocket-compliance-support.adoc | 2 +- latest/ug/nodes/choosing-instance-type.adoc | 2 +- latest/ug/nodes/create-managed-node-group.adoc | 2 +- latest/ug/nodes/delete-fargate-profile.adoc | 2 +- latest/ug/nodes/delete-managed-node-group.adoc | 2 +- latest/ug/nodes/dockershim-deprecation.adoc | 2 +- latest/ug/nodes/eks-ami-build-scripts.adoc | 2 +- latest/ug/nodes/eks-ami-versions-bottlerocket.adoc | 2 +- latest/ug/nodes/eks-ami-versions-windows.adoc | 2 +- latest/ug/nodes/eks-compute.adoc | 2 +- latest/ug/nodes/eks-custom-ami-windows.adoc | 2 +- latest/ug/nodes/eks-linux-ami-versions.adoc | 2 +- latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc | 2 +- latest/ug/nodes/eks-optimized-ami.adoc | 2 +- latest/ug/nodes/eks-optimized-amis.adoc | 2 +- latest/ug/nodes/eks-optimized-windows-ami.adoc | 2 +- latest/ug/nodes/eks-partner-amis.adoc | 2 +- latest/ug/nodes/fargate-getting-started.adoc | 2 +- latest/ug/nodes/fargate-logging.adoc | 2 +- latest/ug/nodes/fargate-pod-configuration.adoc | 2 +- latest/ug/nodes/fargate-pod-patching.adoc | 2 +- latest/ug/nodes/fargate-profile.adoc | 2 +- latest/ug/nodes/fargate.adoc | 2 +- latest/ug/nodes/hybrid-nodes-add-ons.adoc | 2 +- latest/ug/nodes/hybrid-nodes-cluster-create.adoc | 2 +- latest/ug/nodes/hybrid-nodes-cluster-prep.adoc | 2 +- latest/ug/nodes/hybrid-nodes-cni.adoc | 2 +- latest/ug/nodes/hybrid-nodes-creds.adoc | 2 +- latest/ug/nodes/hybrid-nodes-join.adoc | 2 +- latest/ug/nodes/hybrid-nodes-networking.adoc | 2 +- latest/ug/nodes/hybrid-nodes-nodeadm.adoc | 2 +- latest/ug/nodes/hybrid-nodes-os.adoc | 2 +- latest/ug/nodes/hybrid-nodes-overview.adoc | 2 +- latest/ug/nodes/hybrid-nodes-prereqs.adoc | 2 +- latest/ug/nodes/hybrid-nodes-proxy.adoc | 2 +- latest/ug/nodes/hybrid-nodes-remove.adoc | 2 +- latest/ug/nodes/hybrid-nodes-troubleshooting.adoc | 2 +- latest/ug/nodes/hybrid-nodes-tutorial.adoc | 2 +- latest/ug/nodes/hybrid-nodes-upgrade.adoc | 2 +- latest/ug/nodes/launch-node-bottlerocket.adoc | 2 +- latest/ug/nodes/launch-node-ubuntu.adoc | 2 +- latest/ug/nodes/launch-templates.adoc | 2 +- latest/ug/nodes/launch-windows-workers.adoc | 2 +- latest/ug/nodes/launch-workers.adoc | 2 +- latest/ug/nodes/learn-status-conditions.adoc | 2 +- latest/ug/nodes/managed-node-groups.adoc | 2 +- latest/ug/nodes/managed-node-update-behavior.adoc | 2 +- latest/ug/nodes/migrate-stack.adoc | 2 +- latest/ug/nodes/monitoring-fargate-usage.adoc | 2 +- latest/ug/nodes/node-health.adoc | 2 +- latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc | 2 +- latest/ug/nodes/retrieve-ami-id.adoc | 2 +- latest/ug/nodes/retrieve-windows-ami-id.adoc | 2 +- latest/ug/nodes/self-managed-windows-server-2022.adoc | 2 +- latest/ug/nodes/update-managed-node-group.adoc | 2 +- latest/ug/nodes/update-stack.adoc | 2 +- latest/ug/nodes/update-workers.adoc | 2 +- latest/ug/nodes/worker.adoc | 2 +- latest/ug/observability/cloudwatch.adoc | 2 +- latest/ug/observability/control-plane-logs.adoc | 2 +- latest/ug/observability/deploy-prometheus.adoc | 2 +- latest/ug/observability/eks-observe.adoc | 2 +- latest/ug/observability/enable-asg-metrics.adoc | 2 +- latest/ug/observability/logging-using-cloudtrail.adoc | 2 +- latest/ug/observability/observability-dashboard.adoc | 2 +- latest/ug/observability/opentelemetry.adoc | 2 +- latest/ug/observability/prometheus.adoc | 2 +- .../ug/observability/service-name-info-in-cloudtrail.adoc | 2 +- .../observability/understanding-service-name-entries.adoc | 2 +- latest/ug/observability/view-raw-metrics.adoc | 2 +- .../ug/outposts/eks-outposts-capacity-considerations.adoc | 2 +- latest/ug/outposts/eks-outposts-local-cluster-create.adoc | 2 +- latest/ug/outposts/eks-outposts-local-cluster-overview.adoc | 2 +- latest/ug/outposts/eks-outposts-network-disconnects.adoc | 2 +- latest/ug/outposts/eks-outposts-platform-versions.adoc | 2 +- latest/ug/outposts/eks-outposts-self-managed-nodes.adoc | 2 +- latest/ug/outposts/eks-outposts-troubleshooting.adoc | 2 +- .../ug/outposts/eks-outposts-vpc-subnet-requirements.adoc | 2 +- latest/ug/outposts/eks-outposts.adoc | 2 +- latest/ug/quickstart.adoc | 2 +- latest/ug/related-projects.adoc | 2 +- latest/ug/roadmap.adoc | 2 +- latest/ug/security/auto-security.adoc | 2 +- latest/ug/security/cert-signing.adoc | 2 +- latest/ug/security/compliance.adoc | 2 +- .../ug/security/configuration-vulnerability-analysis.adoc | 2 +- latest/ug/security/default-roles-users.adoc | 2 +- latest/ug/security/disaster-recovery-resiliency.adoc | 2 +- latest/ug/security/enable-kms.adoc | 2 +- latest/ug/security/iam-reference/auto-cluster-iam-role.adoc | 2 +- latest/ug/security/iam-reference/auto-create-node-role.adoc | 2 +- latest/ug/security/iam-reference/cluster-iam-role.adoc | 2 +- latest/ug/security/iam-reference/connector-iam-role.adoc | 2 +- latest/ug/security/iam-reference/create-node-role.adoc | 2 +- latest/ug/security/iam-reference/pod-execution-role.adoc | 2 +- .../ug/security/iam-reference/security-iam-awsmanpol.adoc | 2 +- .../security-iam-id-based-policy-examples.adoc | 2 +- .../iam-reference/security-iam-service-with-iam.adoc | 2 +- .../security/iam-reference/security-iam-troubleshoot.adoc | 2 +- latest/ug/security/iam-reference/security-iam.adoc | 2 +- .../using-service-linked-roles-eks-connector.adoc | 2 +- .../using-service-linked-roles-eks-fargate.adoc | 2 +- .../using-service-linked-roles-eks-nodegroups.adoc | 2 +- .../using-service-linked-roles-eks-outpost.adoc | 2 +- .../iam-reference/using-service-linked-roles-eks.adoc | 2 +- .../security/iam-reference/using-service-linked-roles.adoc | 2 +- latest/ug/security/infrastructure-security.adoc | 2 +- latest/ug/security/manage-secrets.adoc | 2 +- latest/ug/security/pod-security-policy-removal-faq.adoc | 2 +- latest/ug/security/pod-security-policy.adoc | 2 +- latest/ug/security/security-best-practices.adoc | 2 +- latest/ug/security/security-eks.adoc | 2 +- latest/ug/security/security-k8s.adoc | 2 +- latest/ug/security/security.adoc | 2 +- latest/ug/security/vpc-interface-endpoints.adoc | 2 +- latest/ug/storage/csi-snapshot-controller.adoc | 2 +- latest/ug/storage/ebs-csi-migration-faq.adoc | 2 +- latest/ug/storage/ebs-csi.adoc | 2 +- latest/ug/storage/efs-csi.adoc | 2 +- latest/ug/storage/file-cache-csi.adoc | 2 +- latest/ug/storage/fsx-csi.adoc | 2 +- latest/ug/storage/fsx-ontap.adoc | 2 +- latest/ug/storage/fsx-openzfs-csi.adoc | 2 +- latest/ug/storage/s3-csi.adoc | 2 +- latest/ug/storage/storage.adoc | 2 +- latest/ug/troubleshooting/troubleshooting.adoc | 2 +- latest/ug/what-is/common-use-cases.adoc | 2 +- latest/ug/what-is/eks-architecture.adoc | 2 +- latest/ug/what-is/eks-deployment-options.adoc | 2 +- latest/ug/what-is/kubernetes-concepts.adoc | 2 +- latest/ug/what-is/what-is-eks.adoc | 2 +- latest/ug/workloads/add-ons-iam.adoc | 2 +- latest/ug/workloads/add-ons-images.adoc | 2 +- latest/ug/workloads/addon-compat.adoc | 2 +- latest/ug/workloads/addon-id-troubleshoot.adoc | 2 +- latest/ug/workloads/alb-ingress.adoc | 2 +- latest/ug/workloads/community-addons.adoc | 2 +- latest/ug/workloads/copy-image-to-repository.adoc | 2 +- latest/ug/workloads/creating-an-add-on.adoc | 2 +- latest/ug/workloads/eks-add-ons.adoc | 2 +- latest/ug/workloads/eks-workloads.adoc | 2 +- latest/ug/workloads/horizontal-pod-autoscaler.adoc | 2 +- latest/ug/workloads/image-verification.adoc | 2 +- latest/ug/workloads/kubernetes-field-management.adoc | 2 +- latest/ug/workloads/network-load-balancing.adoc | 2 +- latest/ug/workloads/remove-addon-role.adoc | 2 +- latest/ug/workloads/removing-an-addon.adoc | 2 +- latest/ug/workloads/restrict-service-external-ip.adoc | 2 +- latest/ug/workloads/retreive-iam-info.adoc | 2 +- latest/ug/workloads/sample-deployment-windows.adoc | 2 +- latest/ug/workloads/sample-deployment.adoc | 2 +- latest/ug/workloads/update-addon-role.adoc | 2 +- latest/ug/workloads/updating-an-add-on.adoc | 2 +- latest/ug/workloads/vertical-pod-autoscaler.adoc | 2 +- latest/ug/workloads/workloads-add-ons-available-eks.adoc | 2 +- .../ug/workloads/workloads-add-ons-available-vendors.adoc | 2 +- 347 files changed, 347 insertions(+), 364 deletions(-) diff --git a/latest/ug/automode/associate-workload.adoc b/latest/ug/automode/associate-workload.adoc index c87901095..ecc721574 100644 --- a/latest/ug/automode/associate-workload.adoc +++ b/latest/ug/automode/associate-workload.adoc @@ -47,4 +47,4 @@ You can add this `nodeAffinity` to Deployments or other workloads to require Kub ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[associate-workload,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23associate-workload%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/auto-configure-alb.adoc b/latest/ug/automode/auto-configure-alb.adoc index 408891bb2..2a9be6cb4 100644 --- a/latest/ug/automode/auto-configure-alb.adoc +++ b/latest/ug/automode/auto-configure-alb.adoc @@ -215,4 +215,4 @@ The following tables provide a detailed comparison of changes in IngressClassPar |=== -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-configure-alb,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-configure-alb%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/auto-configure-nlb.adoc b/latest/ug/automode/auto-configure-nlb.adoc index 0245af4a9..47541f30d 100644 --- a/latest/ug/automode/auto-configure-nlb.adoc +++ b/latest/ug/automode/auto-configure-nlb.adoc @@ -163,4 +163,4 @@ This consolidated format provides a more consistent and flexible way to configur |=== -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-configure-nlb,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-configure-nlb%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/auto-disable.adoc b/latest/ug/automode/auto-disable.adoc index aeb0c9657..635607516 100644 --- a/latest/ug/automode/auto-disable.adoc +++ b/latest/ug/automode/auto-disable.adoc @@ -61,4 +61,4 @@ aws ec2 delete-security-group --group-name= ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-disable,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-disable%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/auto-elb-example.adoc b/latest/ug/automode/auto-elb-example.adoc index b920586d5..b53658f7b 100644 --- a/latest/ug/automode/auto-elb-example.adoc +++ b/latest/ug/automode/auto-elb-example.adoc @@ -243,4 +243,4 @@ If the game doesn't load: - Verify ALB health checks: Check the target group health in {aws} Console -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-elb-example,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-elb-example%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/auto-enable-existing.adoc b/latest/ug/automode/auto-enable-existing.adoc index 8f6a858b1..82bdcd84c 100644 --- a/latest/ug/automode/auto-enable-existing.adoc +++ b/latest/ug/automode/auto-enable-existing.adoc @@ -146,4 +146,4 @@ For more information, see <>. * To migrate from Self-Managed Karpenter, see <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-enable-existing,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-enable-existing%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/auto-glossary.adoc b/latest/ug/automode/auto-glossary.adoc index 61bb0bdde..9f08dccdd 100644 --- a/latest/ug/automode/auto-glossary.adoc +++ b/latest/ug/automode/auto-glossary.adoc @@ -72,4 +72,4 @@ EKS Auto Mode -- Load Balancing Capability:: A feature that manages Application Load Balancers and Network Load Balancers in Amazon EKS Auto Mode clusters. This capability automatically configures load balancers based on your service requirements. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-glossary,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-glossary%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/auto-learn-iam.adoc b/latest/ug/automode/auto-learn-iam.adoc index 7b658b0e6..80464836e 100644 --- a/latest/ug/automode/auto-learn-iam.adoc +++ b/latest/ug/automode/auto-learn-iam.adoc @@ -192,4 +192,4 @@ By default, the managed policies related to EKS Auto Mode do not permit applying For more information about the Kubernetes permissions used by EKS Auto Mode, see <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-learn-iam,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-learn-iam%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/auto-migrate-karpenter.adoc b/latest/ug/automode/auto-migrate-karpenter.adoc index 778ea84be..948a1fb67 100644 --- a/latest/ug/automode/auto-migrate-karpenter.adoc +++ b/latest/ug/automode/auto-migrate-karpenter.adoc @@ -132,4 +132,4 @@ spec: The steps to remove Karpenter depend on how you installed it. For more information, see the https://karpenter.sh/docs/getting-started/getting-started-with-karpenter/#create-a-cluster-and-add-karpenter[Karpenter install instructions] and the https://helm.sh/docs/helm/helm_uninstall/[Helm Uninstall command]. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-migrate-karpenter,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-migrate-karpenter%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/auto-migrate-mng.adoc b/latest/ug/automode/auto-migrate-mng.adoc index 196daaff0..6fdd033cf 100644 --- a/latest/ug/automode/auto-migrate-mng.adoc +++ b/latest/ug/automode/auto-migrate-mng.adoc @@ -25,4 +25,4 @@ eksctl update auto-mode-config --drain-all-nodegroups ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-migrate-mng,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-migrate-mng%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/auto-mng.adoc b/latest/ug/automode/auto-mng.adoc index 5fc589c65..68a32e5f4 100644 --- a/latest/ug/automode/auto-mng.adoc +++ b/latest/ug/automode/auto-mng.adoc @@ -147,4 +147,4 @@ include::../attributes.txt[] |=== -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-mng,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-mng%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/auto-net-pol.adoc b/latest/ug/automode/auto-net-pol.adoc index a7b94c9f9..51707a415 100644 --- a/latest/ug/automode/auto-net-pol.adoc +++ b/latest/ug/automode/auto-net-pol.adoc @@ -72,4 +72,4 @@ Once your nodes are using this Node Class, they will be able to enforce network Your EKS Auto Mode cluster is now configured to support Kubernetes network policies. You can test this with the <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-net-pol,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-net-pol%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/auto-networking.adoc b/latest/ug/automode/auto-networking.adoc index 086c2b1bf..23455c3d0 100644 --- a/latest/ug/automode/auto-networking.adoc +++ b/latest/ug/automode/auto-networking.adoc @@ -66,4 +66,4 @@ For more information, see <> or <>. * You cannot bring your own target groups. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-networking,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-networking%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/auto-reference.adoc b/latest/ug/automode/auto-reference.adoc index 2d797108f..937425500 100644 --- a/latest/ug/automode/auto-reference.adoc +++ b/latest/ug/automode/auto-reference.adoc @@ -35,4 +35,4 @@ include::auto-networking.adoc[leveloffset=+1] //include::auto-glossary.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-reference,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-reference%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/auto-tag-subnets.adoc b/latest/ug/automode/auto-tag-subnets.adoc index f45566e4e..a27fd35aa 100644 --- a/latest/ug/automode/auto-tag-subnets.adoc +++ b/latest/ug/automode/auto-tag-subnets.adoc @@ -78,4 +78,4 @@ aws ec2 create-tags \ Replace `subnet-ID` with your actual subnet ID. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[tag-subnets-auto,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23tag-subnets-auto%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/auto-troubleshoot.adoc b/latest/ug/automode/auto-troubleshoot.adoc index 3c52e26fb..853c955d0 100644 --- a/latest/ug/automode/auto-troubleshoot.adoc +++ b/latest/ug/automode/auto-troubleshoot.adoc @@ -254,4 +254,4 @@ If you have a problem with a controller, you should research: * If the {aws} IAM and Kubernetes RBAC resources are properly configured for your cluster. For more information, see <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-troubleshoot,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-troubleshoot%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/auto-upgrade.adoc b/latest/ug/automode/auto-upgrade.adoc index e33f056bb..43e06cabc 100644 --- a/latest/ug/automode/auto-upgrade.adoc +++ b/latest/ug/automode/auto-upgrade.adoc @@ -37,4 +37,4 @@ Learn link:eks/latest/best-practices/cluster-upgrades.html["Best Practices for C To start a cluster update, see <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-upgrade,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-upgrade%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/auto-workloads.adoc b/latest/ug/automode/auto-workloads.adoc index 05c701e5b..fe604025c 100644 --- a/latest/ug/automode/auto-workloads.adoc +++ b/latest/ug/automode/auto-workloads.adoc @@ -29,4 +29,4 @@ include::auto-elb-example.adoc[leveloffset=+1] include::sample-storage-workload.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-workloads,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-workloads%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/automode-get-started-cli.adoc b/latest/ug/automode/automode-get-started-cli.adoc index 08d498e85..9a639e635 100644 --- a/latest/ug/automode/automode-get-started-cli.adoc +++ b/latest/ug/automode/automode-get-started-cli.adoc @@ -325,4 +325,4 @@ kubectl get nodepools * Learn how to xref:automode-workload[deploy a sample workload] to your new EKS Auto Mode cluster. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[automode-get-started-cli,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23automode-get-started-cli%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/automode-get-started-console.adoc b/latest/ug/automode/automode-get-started-console.adoc index 77cfee578..c63221e55 100644 --- a/latest/ug/automode/automode-get-started-console.adoc +++ b/latest/ug/automode/automode-get-started-console.adoc @@ -49,4 +49,4 @@ You must be logged into the {aws-management-console} with sufficent permissions //call out refactored IAM -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[automode-get-started-console,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23automode-get-started-console%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/automode-get-started-eksctl.adoc b/latest/ug/automode/automode-get-started-eksctl.adoc index 884b180cf..961baa808 100644 --- a/latest/ug/automode/automode-get-started-eksctl.adoc +++ b/latest/ug/automode/automode-get-started-eksctl.adoc @@ -77,4 +77,4 @@ eksctl create cluster -f cluster.yaml ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[automode-get-started-eksctl,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23automode-get-started-eksctl%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/automode-learn-instances.adoc b/latest/ug/automode/automode-learn-instances.adoc index e1f607ca8..1a06b2dac 100644 --- a/latest/ug/automode/automode-learn-instances.adoc +++ b/latest/ug/automode/automode-learn-instances.adoc @@ -108,4 +108,4 @@ EKS Auto Mode supports the following instance types: ** If you have other types of nodes in your cluster, you need to configure the Neuron Device plugin to not run on auto mode nodes. For more information, see <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[automode-learn-instances,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23automode-learn-instances%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/automode-workload.adoc b/latest/ug/automode/automode-workload.adoc index 43f8bd8d6..be7503d57 100644 --- a/latest/ug/automode/automode-workload.adoc +++ b/latest/ug/automode/automode-workload.adoc @@ -129,4 +129,4 @@ In the default configration, EKS Auto Mode detects nodes that have been empty fo Use `kubectl` or the EC2 console to confirm the associated instance has been deleted. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[automode-workload,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23automode-workload%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/automode.adoc b/latest/ug/automode/automode.adoc index 311b9f8df..45969f81a 100644 --- a/latest/ug/automode/automode.adoc +++ b/latest/ug/automode/automode.adoc @@ -94,4 +94,4 @@ include::auto-troubleshoot.adoc[leveloffset=+1] //include::wip.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[automode,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23automode%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/create-auto.adoc b/latest/ug/automode/create-auto.adoc index b8efebe2d..5093c0f0b 100644 --- a/latest/ug/automode/create-auto.adoc +++ b/latest/ug/automode/create-auto.adoc @@ -40,4 +40,4 @@ include::automode-get-started-cli.adoc[leveloffset=+1] include::automode-get-started-console.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[create-auto,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23create-auto%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/create-node-class.adoc b/latest/ug/automode/create-node-class.adoc index 3cbebd778..f80423037 100644 --- a/latest/ug/automode/create-node-class.adoc +++ b/latest/ug/automode/create-node-class.adoc @@ -161,4 +161,4 @@ spec: * If you want to propagate tags from Kubernetes to EC2, you need to configure additional IAM permissions. For more information, see <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[create-node-class,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23create-node-class%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/create-node-pool.adoc b/latest/ug/automode/create-node-pool.adoc index f656ce2da..a2ed9910b 100644 --- a/latest/ug/automode/create-node-pool.adoc +++ b/latest/ug/automode/create-node-pool.adoc @@ -221,4 +221,4 @@ By default, EKS Auto Mode: - Sets a single disruption budget of 10% of nodes. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[create-node-pool,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23create-node-pool%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/create-storage-class.adoc b/latest/ug/automode/create-storage-class.adoc index ba7f2cca4..7fd036467 100644 --- a/latest/ug/automode/create-storage-class.adoc +++ b/latest/ug/automode/create-storage-class.adoc @@ -237,4 +237,4 @@ For more information, see: . Review the add-on configuration and then select *Create* -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[create-storage-class,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23create-storage-class%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/critical-workload.adoc b/latest/ug/automode/critical-workload.adoc index a94fb41e9..fe0377c57 100644 --- a/latest/ug/automode/critical-workload.adoc +++ b/latest/ug/automode/critical-workload.adoc @@ -68,4 +68,4 @@ To update a workload to run on the `system` node pool, you need to: After updating the workload, it will run on dedicated nodes. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[critical-workload,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23critical-workload%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/migrate-auto.adoc b/latest/ug/automode/migrate-auto.adoc index 1d8ad8d9f..80f6ee37b 100644 --- a/latest/ug/automode/migrate-auto.adoc +++ b/latest/ug/automode/migrate-auto.adoc @@ -76,4 +76,4 @@ include::auto-migrate-karpenter.adoc[leveloffset=+1] include::auto-migrate-mng.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[migrate-auto,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23migrate-auto%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/old/hpa_scaling.adoc b/latest/ug/automode/old/hpa_scaling.adoc index 5284c28c1..9adcf2aba 100644 --- a/latest/ug/automode/old/hpa_scaling.adoc +++ b/latest/ug/automode/old/hpa_scaling.adoc @@ -239,4 +239,4 @@ kubectl delete load-generator ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-hpa-scaling,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-hpa-scaling%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/sample-storage-workload.adoc b/latest/ug/automode/sample-storage-workload.adoc index 0494416d9..2b416050a 100644 --- a/latest/ug/automode/sample-storage-workload.adoc +++ b/latest/ug/automode/sample-storage-workload.adoc @@ -226,4 +226,4 @@ deletionPolicy: Delete https://github.com/kubernetes-csi/external-snapshotter/blob/master/README.md#usage[Learn more about the Kubernetes CSI Snapshotter.] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[sample-storage-workload,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23sample-storage-workload%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/set-builtin-node-pools.adoc b/latest/ug/automode/set-builtin-node-pools.adoc index ca391332d..2e55efded 100644 --- a/latest/ug/automode/set-builtin-node-pools.adoc +++ b/latest/ug/automode/set-builtin-node-pools.adoc @@ -59,4 +59,4 @@ aws eks update-cluster-config \ ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[set-builtin-node-pools,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23set-builtin-node-pools%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/settings-auto.adoc b/latest/ug/automode/settings-auto.adoc index 95d4951a4..7a3459f80 100644 --- a/latest/ug/automode/settings-auto.adoc +++ b/latest/ug/automode/settings-auto.adoc @@ -112,4 +112,4 @@ include::auto-net-pol.adoc[leveloffset=+1] include::auto-tag-subnets.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[settings-auto,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23settings-auto%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/troubleshoot-lbc.adoc b/latest/ug/automode/troubleshoot-lbc.adoc index 3e2149819..7feeb3e0d 100644 --- a/latest/ug/automode/troubleshoot-lbc.adoc +++ b/latest/ug/automode/troubleshoot-lbc.adoc @@ -102,4 +102,4 @@ For stuck resources: - link:https://status.aws.amazon.com/[{aws} Service Health Dashboard] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[troubleshoot-lbc,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23troubleshoot-lbc%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/wip.adoc b/latest/ug/automode/wip.adoc index bd51d980c..1fe4582fb 100644 --- a/latest/ug/automode/wip.adoc +++ b/latest/ug/automode/wip.adoc @@ -18,4 +18,4 @@ This section contains in-progress revisions for existing pages in other chapters //include::wip/auto-create-node-role.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-wip,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-wip%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/wip/create-vpc-console.adoc b/latest/ug/automode/wip/create-vpc-console.adoc index 1f537dd4d..5dd91ceff 100644 --- a/latest/ug/automode/wip/create-vpc-console.adoc +++ b/latest/ug/automode/wip/create-vpc-console.adoc @@ -146,4 +146,4 @@ kubernetes.io/role/internal-elb = 1 - EKS Networking Documentation -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[create-vpc-console,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23create-vpc-console%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/wip/eksctl-docs.adoc b/latest/ug/automode/wip/eksctl-docs.adoc index 574d6b497..30c29fd33 100644 --- a/latest/ug/automode/wip/eksctl-docs.adoc +++ b/latest/ug/automode/wip/eksctl-docs.adoc @@ -117,4 +117,4 @@ $ eksctl update auto-mode-config -f cluster.yaml - xref:automode[EKS Auto Mode] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eksctl-docs,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eksctl-docs%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/wip/tag-subnets.adoc b/latest/ug/automode/wip/tag-subnets.adoc index 190ac2967..d2094e5a9 100644 --- a/latest/ug/automode/wip/tag-subnets.adoc +++ b/latest/ug/automode/wip/tag-subnets.adoc @@ -30,4 +30,4 @@ Your subnets require specific tags based on their intended use: 7. Click **Save** -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[tag-subnets,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23tag-subnets%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/book.adoc b/latest/ug/book.adoc index 126759452..ed99b4360 100644 --- a/latest/ug/book.adoc +++ b/latest/ug/book.adoc @@ -31,7 +31,7 @@ This is official Amazon Web Services ({aws}) documentation for Amazon Elastic Ku *Help improve this page* [.banner.info] -Want to contribute to this user guide? Choose the 📝 *Edit this page on GitHub* link that is located at the bottom of every page. Your contributions will help make our user guide better for everyone. +Want to contribute to this user guide? Choose the include::what-is/what-is-eks.adoc[leveloffset=+1] diff --git a/latest/ug/clusters/autoscaling.adoc b/latest/ug/clusters/autoscaling.adoc index 920453c85..498c88620 100644 --- a/latest/ug/clusters/autoscaling.adoc +++ b/latest/ug/clusters/autoscaling.adoc @@ -40,4 +40,4 @@ Karpenter is open-source software which {aws} customers are responsible for inst The [.noloc]`Kubernetes` Cluster Autoscaler automatically adjusts the number of nodes in your cluster when pods fail or are rescheduled onto other nodes. The Cluster Autoscaler uses Auto Scaling groups. For more information, see https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaler on {aws}]. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[autoscaling,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23autoscaling%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/cluster-endpoint.adoc b/latest/ug/clusters/cluster-endpoint.adoc index e5c9cafdb..a83b2b645 100644 --- a/latest/ug/clusters/cluster-endpoint.adoc +++ b/latest/ug/clusters/cluster-endpoint.adoc @@ -249,4 +249,4 @@ When you configure `kubectl` for your bastion host, be sure to use {aws} credent When you configure `kubectl` for your {aws} Cloud9 IDE, be sure to use {aws} credentials that are already mapped to your cluster's RBAC configuration, or add the IAM principal that your IDE will use to the RBAC configuration before you remove endpoint public access. For more information, see <> and <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cluster-endpoint,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cluster-endpoint%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/cluster-insights.adoc b/latest/ug/clusters/cluster-insights.adoc index 60f906913..a3b3ca6eb 100644 --- a/latest/ug/clusters/cluster-insights.adoc +++ b/latest/ug/clusters/cluster-insights.adoc @@ -200,4 +200,4 @@ An example output is as follows. ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cluster-insights,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cluster-insights%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/clusters.adoc b/latest/ug/clusters/clusters.adoc index f51526227..c8333c56e 100644 --- a/latest/ug/clusters/clusters.adoc +++ b/latest/ug/clusters/clusters.adoc @@ -91,4 +91,4 @@ include::zone-shift.adoc[leveloffset=+1] include::zone-shift-enable.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[clusters,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23clusters%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/create-cluster-auto.adoc b/latest/ug/clusters/create-cluster-auto.adoc index 7abacd212..4c29b820c 100644 --- a/latest/ug/clusters/create-cluster-auto.adoc +++ b/latest/ug/clusters/create-cluster-auto.adoc @@ -330,4 +330,4 @@ aws eks describe-cluster --region region-code --name my-cluster --query "cluster * <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[create-cluster-auto,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23create-cluster-auto%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/create-cluster.adoc b/latest/ug/clusters/create-cluster.adoc index 3dd7f2a8d..9cdbc6aa8 100644 --- a/latest/ug/clusters/create-cluster.adoc +++ b/latest/ug/clusters/create-cluster.adoc @@ -323,4 +323,4 @@ If you deploy your cluster using either `eksctl` or the {aws} CLI, then the [.no * <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[create-cluster,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23create-cluster%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/delete-cluster.adoc b/latest/ug/clusters/delete-cluster.adoc index c678bc09c..52feac418 100644 --- a/latest/ug/clusters/delete-cluster.adoc +++ b/latest/ug/clusters/delete-cluster.adoc @@ -189,4 +189,4 @@ aws cloudformation delete-stack --stack-name my-vpc-stack ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[delete-cluster,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23delete-cluster%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/disable-extended-support.adoc b/latest/ug/clusters/disable-extended-support.adoc index 5470e9dc2..a806f8689 100644 --- a/latest/ug/clusters/disable-extended-support.adoc +++ b/latest/ug/clusters/disable-extended-support.adoc @@ -39,4 +39,4 @@ aws eks update-cluster-config \ ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[disable-extended-support,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23disable-extended-support%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/disable-windows-support.adoc b/latest/ug/clusters/disable-windows-support.adoc index 808d1f68e..6dd20fb00 100644 --- a/latest/ug/clusters/disable-windows-support.adoc +++ b/latest/ug/clusters/disable-windows-support.adoc @@ -25,4 +25,4 @@ kubectl patch configmap/amazon-vpc-cni \ ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[disable-windows-support,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23disable-windows-support%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/enable-extended-support.adoc b/latest/ug/clusters/enable-extended-support.adoc index 8d43daf07..01a06c48e 100644 --- a/latest/ug/clusters/enable-extended-support.adoc +++ b/latest/ug/clusters/enable-extended-support.adoc @@ -43,4 +43,4 @@ aws eks update-cluster-config \ ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[enable-extended-support,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23enable-extended-support%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/kubernetes-versions-extended.adoc b/latest/ug/clusters/kubernetes-versions-extended.adoc index 9b83d3c6f..364e631fb 100644 --- a/latest/ug/clusters/kubernetes-versions-extended.adoc +++ b/latest/ug/clusters/kubernetes-versions-extended.adoc @@ -161,4 +161,4 @@ The [.noloc]`PSP` admission controller enforces [.noloc]`Pod` security standards For the complete [.noloc]`Kubernetes` `1.23` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.23.md#changelog-since-v1220. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[kubernetes-versions-extended,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23kubernetes-versions-extended%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/kubernetes-versions-standard.adoc b/latest/ug/clusters/kubernetes-versions-standard.adoc index 56e4e4754..66e420144 100644 --- a/latest/ug/clusters/kubernetes-versions-standard.adoc +++ b/latest/ug/clusters/kubernetes-versions-standard.adoc @@ -135,4 +135,4 @@ kubectl get cm kube-apiserver-legacy-service-account-token-tracking -n kube-syst For the complete [.noloc]`Kubernetes` `1.29` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1280. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[kubernetes-versions-standard,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23kubernetes-versions-standard%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/kubernetes-versions.adoc b/latest/ug/clusters/kubernetes-versions.adoc index 6939981a7..233224a3e 100644 --- a/latest/ug/clusters/kubernetes-versions.adoc +++ b/latest/ug/clusters/kubernetes-versions.adoc @@ -274,4 +274,4 @@ include::enable-extended-support.adoc[leveloffset=+1] include::disable-extended-support.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[kubernetes-versions,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23kubernetes-versions%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/management/cost-monitoring-aws.adoc b/latest/ug/clusters/management/cost-monitoring-aws.adoc index e2c6a19c2..2bd0a1fae 100644 --- a/latest/ug/clusters/management/cost-monitoring-aws.adoc +++ b/latest/ug/clusters/management/cost-monitoring-aws.adoc @@ -29,4 +29,4 @@ Use the following for _Split Cost Allocation Data_: . View the report. You can use the Billing and Cost Management console or view the report files in Amazon Simple Storage Service. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cost-monitoring-aws,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cost-monitoring-aws%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc b/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc index 9f2a681ce..3e86d35f8 100644 --- a/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc +++ b/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc @@ -328,4 +328,4 @@ With https://prometheus.io/[Prometheus] pre-installed, you can write queries to to enhance the accuracy of the pricing information specific to your {aws} account. This information includes enterprise discount programs, reserved instance usage, savings plans, and spot usage. To learn more about how the {aws} Cost and Usage Report integration works, see https://docs.kubecost.com/install-and-configure/install/cloud-integration/aws-cloud-integrations[{aws} Cloud Billing Integration] in the [.noloc]`Kubecost` documentation. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cost-monitoring-kubecost-bundles,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cost-monitoring-kubecost-bundles%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/management/cost-monitoring-kubecost.adoc b/latest/ug/clusters/management/cost-monitoring-kubecost.adoc index dc19be4bb..e2c59df34 100644 --- a/latest/ug/clusters/management/cost-monitoring-kubecost.adoc +++ b/latest/ug/clusters/management/cost-monitoring-kubecost.adoc @@ -114,4 +114,4 @@ image::images/kubecost.png[Kubecost dashboard,scaledwidth=100%] * *Assets* – View the costs of the {aws} infrastructure assets that are associated with your Amazon EKS resources. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cost-monitoring-kubecost,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cost-monitoring-kubecost%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/management/cost-monitoring.adoc b/latest/ug/clusters/management/cost-monitoring.adoc index a08a9419f..e5390ccf2 100644 --- a/latest/ug/clusters/management/cost-monitoring.adoc +++ b/latest/ug/clusters/management/cost-monitoring.adoc @@ -24,4 +24,4 @@ include::cost-monitoring-kubecost.adoc[leveloffset=+1] include::cost-monitoring-kubecost-bundles.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cost-monitoring,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cost-monitoring%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/management/eks-managing.adoc b/latest/ug/clusters/management/eks-managing.adoc index ca89a6562..3f98d9f70 100644 --- a/latest/ug/clusters/management/eks-managing.adoc +++ b/latest/ug/clusters/management/eks-managing.adoc @@ -36,4 +36,4 @@ include::eks-using-tags.adoc[leveloffset=+1] include::service-quotas.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-managing,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-managing%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/management/eks-using-tags.adoc b/latest/ug/clusters/management/eks-using-tags.adoc index d84ce1b32..1ac0b37fc 100644 --- a/latest/ug/clusters/management/eks-using-tags.adoc +++ b/latest/ug/clusters/management/eks-using-tags.adoc @@ -211,4 +211,4 @@ When you use some resource-creating actions, you can specify tags at the same ti * If you want to also tag the Amazon EC2 instances when you create a managed node group, create the managed node group using a launch template. For more information, see <>. If your instances already exist, you can manually tag the instances. For more information, see link:AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources[Tagging your resources,type="documentation"] in the Amazon EC2 User Guide. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-using-tags,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-using-tags%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/management/helm.adoc b/latest/ug/clusters/management/helm.adoc index d3dab98a3..692088a56 100644 --- a/latest/ug/clusters/management/helm.adoc +++ b/latest/ug/clusters/management/helm.adoc @@ -73,4 +73,4 @@ v3.9.0 ** Install an Amazon EKS chart from the https://github.com/aws/eks-charts#eks-charts[eks-charts][.noloc]`GitHub` repo or from https://artifacthub.io/packages/search?page=1&repo=aws[ArtifactHub]. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[helm,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23helm%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/management/metrics-server.adoc b/latest/ug/clusters/management/metrics-server.adoc index a57b68066..f0b789f99 100644 --- a/latest/ug/clusters/management/metrics-server.adoc +++ b/latest/ug/clusters/management/metrics-server.adoc @@ -76,4 +76,4 @@ kubectl top nodes . If you receive the error message `Error from server (Forbidden)`, you need to update your Kubernetes RBAC configuration. Your Kubernetes RBAC identity needs sufficent permissions to read cluster metrics. Review the https://github.com/kubernetes-sigs/metrics-server/blob/e285375a49e3bf77ddd78c08a05aaa44f2249ebd/manifests/base/rbac.yaml#L5C9-L5C41[minimum required Kubernetes API permissions for reading metrics] on GitHub. Learn how to <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[metrics-server,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23metrics-server%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/management/service-quotas.adoc b/latest/ug/clusters/management/service-quotas.adoc index b76f0611d..cc5443dab 100644 --- a/latest/ug/clusters/management/service-quotas.adoc +++ b/latest/ug/clusters/management/service-quotas.adoc @@ -91,4 +91,4 @@ Fargate additionally enforces Amazon ECS tasks and Amazon EKS [.noloc]`Pods` lau ==== -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[service-quotas,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23service-quotas%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/platform-versions.adoc b/latest/ug/clusters/platform-versions.adoc index 13ecbbf16..2fb3a3c77 100644 --- a/latest/ug/clusters/platform-versions.adoc +++ b/latest/ug/clusters/platform-versions.adoc @@ -913,4 +913,4 @@ You cannot change the platform version of an EKS cluster. When new Amazon EKS pl If you upgrade your [.noloc]`Kubernetes` version, your cluster will move onto the most recent platform version for the [.noloc]`Kubernetes` version. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[platform-versions,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23platform-versions%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/private-clusters.adoc b/latest/ug/clusters/private-clusters.adoc index a3ae35cd0..d60fd8b36 100644 --- a/latest/ug/clusters/private-clusters.adoc +++ b/latest/ug/clusters/private-clusters.adoc @@ -102,4 +102,4 @@ The controller supports network load balancers with IP targets, which are requir * Some container software products use API calls that access the {aws} Marketplace Metering Service to monitor usage. Private clusters do not allow these calls, so you can't use these container types in private clusters. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[private-clusters,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23private-clusters%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/update-cluster.adoc b/latest/ug/clusters/update-cluster.adoc index 4cfc040f9..f2360862e 100644 --- a/latest/ug/clusters/update-cluster.adoc +++ b/latest/ug/clusters/update-cluster.adoc @@ -248,4 +248,4 @@ kubectl apply -f https://raw.githubusercontent.com/NVIDIA/k8s-device-plugin/vX.X You cannot downgrade the [.noloc]`Kubernetes` of an Amazon EKS cluster. Instead, create a new cluster on a previous Amazon EKS version and migrate the workloads. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[update-cluster,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23update-cluster%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/view-support-status.adoc b/latest/ug/clusters/view-support-status.adoc index 995e9248d..e58315d88 100644 --- a/latest/ug/clusters/view-support-status.adoc +++ b/latest/ug/clusters/view-support-status.adoc @@ -21,4 +21,4 @@ The *Support Period* cannot be retrieved with the {aws} API or CLI. ==== -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[view-support-status,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23view-support-status%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/view-upgrade-policy.adoc b/latest/ug/clusters/view-upgrade-policy.adoc index 286a5bea9..7a5fb7286 100644 --- a/latest/ug/clusters/view-upgrade-policy.adoc +++ b/latest/ug/clusters/view-upgrade-policy.adoc @@ -52,4 +52,4 @@ aws eks describe-cluster \ . If the value is `STANDARD`, your cluster will not enter extended support. If the value is `EXTENDED`, your cluster will enter extended support. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[view-upgrade-policy,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23view-upgrade-policy%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/windows-support.adoc b/latest/ug/clusters/windows-support.adoc index 47478b1fa..a015e5f4a 100644 --- a/latest/ug/clusters/windows-support.adoc +++ b/latest/ug/clusters/windows-support.adoc @@ -167,4 +167,4 @@ You can enable higher [.noloc]`Pod` density on Windows nodes by enabling IP pref With this significantly larger number of available IP addresses, available IP addresses shouldn't limit your ability to scale the number of [.noloc]`Pods` on your nodes. For more information, see <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[windows-support,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23windows-support%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/zone-shift-enable.adoc b/latest/ug/clusters/zone-shift-enable.adoc index ed1ee0b6a..bc0049536 100644 --- a/latest/ug/clusters/zone-shift-enable.adoc +++ b/latest/ug/clusters/zone-shift-enable.adoc @@ -67,4 +67,4 @@ If you want {aws} to detect and avoid impaired availability zones, you need to c * Learn how to manually link:r53recovery/latest/dg/arc-zonal-shift.start-cancel.html["start a zonal shift",type="documentation"] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[zone-shift-enable,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23zone-shift-enable%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/zone-shift.adoc b/latest/ug/clusters/zone-shift.adoc index 845fa9e1c..1bcf1e0c8 100644 --- a/latest/ug/clusters/zone-shift.adoc +++ b/latest/ug/clusters/zone-shift.adoc @@ -275,4 +275,4 @@ You can use ARC zonal shift and zonal autoshift in your EKS cluster at no additi * link:eks/latest/userguide/coredns-autoscaling.html["Scale CoreDNS Pods for high DNS traffic",type="documentation"] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[zone-shift,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23zone-shift%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/connector/connecting-cluster.adoc b/latest/ug/connector/connecting-cluster.adoc index 65cd3074d..6232103ad 100644 --- a/latest/ug/connector/connecting-cluster.adoc +++ b/latest/ug/connector/connecting-cluster.adoc @@ -212,4 +212,4 @@ If you have any issues with these steps, see <>. To grant additional link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"] access to the Amazon EKS console to view [.noloc]`Kubernetes` resources in a connected cluster, see <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[connecting-cluster,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23connecting-cluster%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/connector/connector-grant-access.adoc b/latest/ug/connector/connector-grant-access.adoc index c6c6985c5..f07c999da 100644 --- a/latest/ug/connector/connector-grant-access.adoc +++ b/latest/ug/connector/connector-grant-access.adoc @@ -70,4 +70,4 @@ kubectl apply -f eks-connector-console-dashboard-full-access-group.yaml To view [.noloc]`Kubernetes` resources in your connected cluster, see <>. Data for some resource types on the *Resources* tab isn't available for connected clusters. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[connector-grant-access,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23connector-grant-access%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/connector/deregister-connected-cluster.adoc b/latest/ug/connector/deregister-connected-cluster.adoc index 8d6d869f0..7117c7c16 100644 --- a/latest/ug/connector/deregister-connected-cluster.adoc +++ b/latest/ug/connector/deregister-connected-cluster.adoc @@ -89,4 +89,4 @@ kubectl delete -f eks-connector.yaml . If you created `clusterrole` or `clusterrolebindings` for additional link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"] to access the cluster, delete them from your [.noloc]`Kubernetes` cluster. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[deregister-connected-cluster,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23deregister-connected-cluster%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/connector/eks-connector.adoc b/latest/ug/connector/eks-connector.adoc index e4bd4563a..fb29f9564 100644 --- a/latest/ug/connector/eks-connector.adoc +++ b/latest/ug/connector/eks-connector.adoc @@ -84,4 +84,4 @@ include::tsc-faq.adoc[leveloffset=+1] include::security-connector.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-connector,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-connector%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/connector/security-connector.adoc b/latest/ug/connector/security-connector.adoc index 3a9ae2c8d..c63e82495 100644 --- a/latest/ug/connector/security-connector.adoc +++ b/latest/ug/connector/security-connector.adoc @@ -38,4 +38,4 @@ This topic describes the differences in the responsibility model if the connecte * Securing their {aws} accounts (for example, through safeguarding your link:IAM/latest/UserGuide/best-practices.html#lock-away-credentials[root user credentials,type="documentation"]). -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[security-connector,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23security-connector%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/connector/troubleshooting-connector.adoc b/latest/ug/connector/troubleshooting-connector.adoc index 816667919..300763c01 100644 --- a/latest/ug/connector/troubleshooting-connector.adoc +++ b/latest/ug/connector/troubleshooting-connector.adoc @@ -271,4 +271,4 @@ eks-connector-0 0/2 Init:ImagePullBackOff 0 4s The default Amazon EKS Connector manifest file references images from the https://gallery.ecr.aws/[Amazon ECR Public Gallery]. It's possible that the target [.noloc]`Kubernetes` cluster can't pull images from the Amazon ECR Public Gallery. Either resolve the Amazon ECR Public Gallery image pull issue, or consider mirroring the images in the private container registry of your choice. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[troubleshooting-connector,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23troubleshooting-connector%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/connector/tsc-faq.adoc b/latest/ug/connector/tsc-faq.adoc index 4e0f9101b..6579a6cd3 100644 --- a/latest/ug/connector/tsc-faq.adoc +++ b/latest/ug/connector/tsc-faq.adoc @@ -23,4 +23,4 @@ A: The Amazon EKS Connector sends technical information that's necessary for you A: Yes, you can connect a cluster from any location to Amazon EKS. Moreover, your Amazon EKS service can be located in any {aws} public commercial {aws} Region. This works with a valid network connection from your cluster to the target {aws} Region. We recommend that you pick an {aws} Region that is closest to your cluster location for UI performance optimization. For example, if you have a cluster running in Tokyo, connect your cluster to the {aws} Region in Tokyo (that is, the `ap-northeast-1` {aws} Region) for low latency. You can connect a cluster from any location to Amazon EKS in any of the public commercial {aws} Regions, except the China or GovCloud {aws} Regions. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[tsc-faq,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23tsc-faq%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/contribute/asciidoc-syntax.adoc b/latest/ug/contribute/asciidoc-syntax.adoc index d96083a08..331eb401d 100644 --- a/latest/ug/contribute/asciidoc-syntax.adoc +++ b/latest/ug/contribute/asciidoc-syntax.adoc @@ -134,8 +134,4 @@ NOTE: This is a note admonition. ---- - - - - -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[asciidoc-syntax,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23asciidoc-syntax%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/contribute/contribute.adoc b/latest/ug/contribute/contribute.adoc index 5fe035089..2c79cebff 100644 --- a/latest/ug/contribute/contribute.adoc +++ b/latest/ug/contribute/contribute.adoc @@ -41,4 +41,4 @@ include::asciidoc-syntax.adoc[leveloffset=+1] //include::pr-status.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[contribute,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23contribute%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/contribute/create-content-q.adoc b/latest/ug/contribute/create-content-q.adoc index e9ae1a062..dcf067310 100644 --- a/latest/ug/contribute/create-content-q.adoc +++ b/latest/ug/contribute/create-content-q.adoc @@ -51,6 +51,4 @@ image::images/contribute-q.png["Amazon Q in VS Code"] To learn more about Amazon Q Developer, see link:amazonq/latest/qdeveloper-ug/q-in-IDE.html["Using Amazon Q Developer in the IDE",type="documentation"]. - - -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[create-content-q,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23create-content-q%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/contribute/create-page.adoc b/latest/ug/contribute/create-page.adoc index 68852d11c..ffeb2e611 100644 --- a/latest/ug/contribute/create-page.adoc +++ b/latest/ug/contribute/create-page.adoc @@ -30,4 +30,4 @@ _For example:_ `include::create-page.adoc[leveloffset=+1]` -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[create-page,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23create-page%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/contribute/edit-single-web.adoc b/latest/ug/contribute/edit-single-web.adoc index c1b7acda0..1a9f9138e 100644 --- a/latest/ug/contribute/edit-single-web.adoc +++ b/latest/ug/contribute/edit-single-web.adoc @@ -61,6 +61,4 @@ Pull requests help ensure quality and provide a way to discuss changes before th https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews[Learn how pull requests are reviewed and approved in the GitHub Docs.] - - -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[edit-single-web,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23edit-single-web%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/contribute/edit-web.adoc b/latest/ug/contribute/edit-web.adoc index 92ebeaf37..bce721937 100644 --- a/latest/ug/contribute/edit-web.adoc +++ b/latest/ug/contribute/edit-web.adoc @@ -34,5 +34,4 @@ NOTE: The EKS Docs team has created a workspace file that includes suggested con After you create a pull request, it will be reviewed by the docs team. - -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[edit-web,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23edit-web%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/contribute/insert-link.adoc b/latest/ug/contribute/insert-link.adoc index 13f1d140a..b76ec93bd 100644 --- a/latest/ug/contribute/insert-link.adoc +++ b/latest/ug/contribute/insert-link.adoc @@ -37,5 +37,4 @@ This format creates a standard link out to the internet. Use this for Non-Amazon NOTE: We allowlist external domains. The allowlist is at `vale/styles/EksDocs/ExternalDomains.yml` - -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[insert-link,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23insert-link%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/contribute/pr-preview.adoc b/latest/ug/contribute/pr-preview.adoc index 56bf0d906..8cde9c7fd 100644 --- a/latest/ug/contribute/pr-preview.adoc +++ b/latest/ug/contribute/pr-preview.adoc @@ -38,5 +38,4 @@ The preview is built as a single large HTML file. It will be displayed as multip * The attribute `\{aws}` will not display properly. The value of this changes based on the environment. - -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[pr-preview,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pr-preview%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/contribute/pr-status.adoc b/latest/ug/contribute/pr-status.adoc index 841ee1e47..810e4be5e 100644 --- a/latest/ug/contribute/pr-status.adoc +++ b/latest/ug/contribute/pr-status.adoc @@ -77,6 +77,4 @@ Use the GitHub CLI to pull the changes locally. The pull request will automatically update with your new changes. - - -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[pr-status,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pr-status%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/contribute/vale-github.adoc b/latest/ug/contribute/vale-github.adoc index 48a467488..83d688432 100644 --- a/latest/ug/contribute/vale-github.adoc +++ b/latest/ug/contribute/vale-github.adoc @@ -29,4 +29,4 @@ When you update a pull request, the Vale check runs again. Learn how to https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request#making-changes-to-files-in-your-pull-request[Make changes to files in your pull request] in the GitHub docs. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[vale-github,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23vale-github%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/contribute/vale-local.adoc b/latest/ug/contribute/vale-local.adoc index de2cc3b4d..489297369 100644 --- a/latest/ug/contribute/vale-local.adoc +++ b/latest/ug/contribute/vale-local.adoc @@ -52,8 +52,4 @@ vale sync . Fix issues by following the suggestions or consulting the style guide - - - - -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[vale-local,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23vale-local%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index 426c26ddd..a8e25145e 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -1894,4 +1894,4 @@ Initial documentation for service launch |=== -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[doc-history,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23doc-history%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/getting-started/getting-started-automode.adoc b/latest/ug/getting-started/getting-started-automode.adoc index 05f689f45..eac4dbfc6 100644 --- a/latest/ug/getting-started/getting-started-automode.adoc +++ b/latest/ug/getting-started/getting-started-automode.adoc @@ -26,4 +26,4 @@ that include setting up components to: For details on what you get with EKS Auto Mode clusters, see <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[getting-started-automode,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23getting-started-automode%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/getting-started/getting-started-console.adoc b/latest/ug/getting-started/getting-started-console.adoc index 01d835cc1..fe67dc780 100644 --- a/latest/ug/getting-started/getting-started-console.adoc +++ b/latest/ug/getting-started/getting-started-console.adoc @@ -288,4 +288,4 @@ The following documentation topics help you to extend the functionality of your * To increase security for your cluster, <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[getting-started-console,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23getting-started-console%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/getting-started/getting-started-eksctl.adoc b/latest/ug/getting-started/getting-started-eksctl.adoc index d10fb8752..9cee79dec 100644 --- a/latest/ug/getting-started/getting-started-eksctl.adoc +++ b/latest/ug/getting-started/getting-started-eksctl.adoc @@ -173,4 +173,4 @@ The following documentation topics help you to extend the functionality of your * To increase security for your cluster, <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[getting-started-eksctl,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23getting-started-eksctl%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/getting-started/getting-started.adoc b/latest/ug/getting-started/getting-started.adoc index 7c125e518..63f7b4d17 100644 --- a/latest/ug/getting-started/getting-started.adoc +++ b/latest/ug/getting-started/getting-started.adoc @@ -42,4 +42,4 @@ include::getting-started-eksctl.adoc[leveloffset=+1] include::getting-started-console.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[getting-started,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23getting-started%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/getting-started/install-awscli.adoc b/latest/ug/getting-started/install-awscli.adoc index 6f71dd4d5..a06c0bae4 100644 --- a/latest/ug/getting-started/install-awscli.adoc +++ b/latest/ug/getting-started/install-awscli.adoc @@ -109,4 +109,4 @@ This command returns the Amazon Resource Name (ARN) of the IAM entity that's con * <> -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[install-awscli,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23install-awscli%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/getting-started/install-kubectl.adoc b/latest/ug/getting-started/install-kubectl.adoc index 14b0e8dd1..67de07284 100644 --- a/latest/ug/getting-started/install-kubectl.adoc +++ b/latest/ug/getting-started/install-kubectl.adoc @@ -808,4 +808,4 @@ aws sts get-caller-identity * <> -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[install-kubectl,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23install-kubectl%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/getting-started/learn-eks.adoc b/latest/ug/getting-started/learn-eks.adoc index cd6b956d4..3fe20b225 100644 --- a/latest/ug/getting-started/learn-eks.adoc +++ b/latest/ug/getting-started/learn-eks.adoc @@ -154,4 +154,4 @@ While `eksctl` is a simple tool for creating a cluster, for more complex infrast * Techniques for improving cost, efficiency, and resiliency -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[learn-eks,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23learn-eks%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/getting-started/setting-up.adoc b/latest/ug/getting-started/setting-up.adoc index 3dbbf8863..5e7e16356 100644 --- a/latest/ug/getting-started/setting-up.adoc +++ b/latest/ug/getting-started/setting-up.adoc @@ -44,4 +44,4 @@ include::install-awscli.adoc[leveloffset=+1] include::install-kubectl.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[setting-up,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23setting-up%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/integrations/creating-resources-with-cloudformation.adoc b/latest/ug/integrations/creating-resources-with-cloudformation.adoc index eecc43c2c..08ec90e3a 100644 --- a/latest/ug/integrations/creating-resources-with-cloudformation.adoc +++ b/latest/ug/integrations/creating-resources-with-cloudformation.adoc @@ -32,4 +32,4 @@ To learn more about {aws} CloudFormation, see the following resources: * link:cloudformation-cli/latest/userguide/what-is-cloudformation-cli.html[{aws} CloudFormation Command Line Interface User Guide,type="documentation"] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[creating-resources-with-cloudformation,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23creating-resources-with-cloudformation%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/integrations/eks-integrations.adoc b/latest/ug/integrations/eks-integrations.adoc index 4967f1d00..ef4bcf0b8 100644 --- a/latest/ug/integrations/eks-integrations.adoc +++ b/latest/ug/integrations/eks-integrations.adoc @@ -31,4 +31,4 @@ include::integration-vpc-lattice.adoc[leveloffset=+1] include::local-zones.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-integrations,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-integrations%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/integrations/integration-detective.adoc b/latest/ug/integrations/integration-detective.adoc index 40c24f881..87eea6732 100644 --- a/latest/ug/integrations/integration-detective.adoc +++ b/latest/ug/integrations/integration-detective.adoc @@ -35,4 +35,4 @@ Before you can review findings, Detective must be enabled for at least 48 hours . In the search results, choose the name of the cluster that you want to view activity for. For more information about what you can view, see link:detective/latest/userguide/profile-panel-drilldown-kubernetes-api-volume.html[Overall Kubernetes API activity involving an Amazon EKS cluster,type="documentation"] in the _Amazon Detective User Guide_. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[integration-detective,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23integration-detective%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/integrations/integration-guardduty.adoc b/latest/ug/integrations/integration-guardduty.adoc index 54cc2ecfc..f429fe533 100644 --- a/latest/ug/integrations/integration-guardduty.adoc +++ b/latest/ug/integrations/integration-guardduty.adoc @@ -34,4 +34,4 @@ To configure _Runtime Monitoring_, you install the GuardDuty agent to your clust For more information, see link:guardduty/latest/ug/runtime-monitoring.html[Runtime Monitoring,type="documentation"] in the Amazon GuardDuty User Guide. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[integration-guardduty,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23integration-guardduty%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/integrations/integration-resilience-hub.adoc b/latest/ug/integrations/integration-resilience-hub.adoc index 204c24218..90de97468 100644 --- a/latest/ug/integrations/integration-resilience-hub.adoc +++ b/latest/ug/integrations/integration-resilience-hub.adoc @@ -8,4 +8,4 @@ include::../attributes.txt[] {aws} Resilience Hub assesses the resiliency of an Amazon EKS cluster by analyzing its infrastructure. {aws} Resilience Hub uses the [.noloc]`Kubernetes` role-based access control (RBAC) configuration to assess the [.noloc]`Kubernetes` workloads deployed to your cluster. For more information, see link:resilience-hub/latest/userguide/enabling-eks-in-arh.html[Enabling {aws} Resilience Hub access to your Amazon EKS cluster,type="documentation"] in the {aws} Resilience Hub User Guide. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[integration-resilience-hub,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23integration-resilience-hub%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/integrations/integration-securitylake.adoc b/latest/ug/integrations/integration-securitylake.adoc index 13b211da5..ae5fc3ecb 100644 --- a/latest/ug/integrations/integration-securitylake.adoc +++ b/latest/ug/integrations/integration-securitylake.adoc @@ -48,4 +48,4 @@ Security Lake normalizes EKS log events to the OCSF format, making it easier to For more information about the OCSF mapping for EKS log events, refer to the https://github.com/ocsf/examples/tree/main/mappings/markdown/{aws}/v1.1.0/EKS Audit Logs[mapping reference] in the OCSF GitHub repository. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[integration-securitylake,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23integration-securitylake%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/integrations/integration-vpc-lattice.adoc b/latest/ug/integrations/integration-vpc-lattice.adoc index 6685361f4..cb56bf0db 100644 --- a/latest/ug/integrations/integration-vpc-lattice.adoc +++ b/latest/ug/integrations/integration-vpc-lattice.adoc @@ -8,4 +8,4 @@ include::../attributes.txt[] Amazon VPC Lattice is a fully managed application networking service built directly into the {aws} networking infrastructure that you can use to connect, secure, and monitor your services across multiple accounts and Virtual Private Clouds (VPCs). With Amazon EKS, you can leverage Amazon VPC Lattice through the use of the {aws} Gateway API Controller, an implementation of the Kubernetes https://gateway-api.sigs.k8s.io/[Gateway API]. Using Amazon VPC Lattice, you can set up cross-cluster connectivity with standard [.noloc]`Kubernetes` semantics in a simple and consistent manner. To get started using Amazon VPC Lattice with Amazon EKS see the https://www.gateway-api-controller.eks.aws.dev/[{aws} Gateway API Controller User Guide]. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[integration-vpc-lattice,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23integration-vpc-lattice%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/integrations/local-zones.adoc b/latest/ug/integrations/local-zones.adoc index 42715577d..69dec8df2 100644 --- a/latest/ug/integrations/local-zones.adoc +++ b/latest/ug/integrations/local-zones.adoc @@ -15,4 +15,4 @@ Amazon EKS supports certain resources in Local Zones. This includes <> -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[associate-service-account-role,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23associate-service-account-role%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc b/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc index 91f0eaa7e..6808035ab 100644 --- a/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc +++ b/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc @@ -152,4 +152,4 @@ AWS_STS_REGIONAL_ENDPOINTS=regional ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[configure-sts-endpoint,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23configure-sts-endpoint%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/cross-account-access.adoc b/latest/ug/manage-access/aws-access/cross-account-access.adoc index 0ac0c3e82..1e0c69dc5 100644 --- a/latest/ug/manage-access/aws-access/cross-account-access.adoc +++ b/latest/ug/manage-access/aws-access/cross-account-access.adoc @@ -110,4 +110,4 @@ To specify chained profiles for other {aws} SDKs, consult the documentation for ==== -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cross-account-access,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cross-account-access%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc b/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc index adff0aee0..948a61387 100644 --- a/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc @@ -85,4 +85,4 @@ Next step: <> -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[enable-iam-roles-for-service-accounts,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23enable-iam-roles-for-service-accounts%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc index b5bd97c41..146344663 100644 --- a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc +++ b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc @@ -32,4 +32,4 @@ Many popular [.noloc]`Kubernetes` add-ons, such as the https://github.com/kubern To ensure that you're using a supported SDK, follow the installation instructions for your preferred SDK at link:tools/[Tools to Build on {aws},type="marketing"] when you build your containers. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[iam-roles-for-service-accounts-minimum-sdk,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23iam-roles-for-service-accounts-minimum-sdk%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc index 78fc360fc..39adb7cbf 100644 --- a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc @@ -70,4 +70,4 @@ include::iam-roles-for-service-accounts-minimum-sdk.adoc[leveloffset=+1] include::irsa-fetch-keys.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[iam-roles-for-service-accounts,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23iam-roles-for-service-accounts%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc b/latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc index 0b5b00316..b80589aea 100644 --- a/latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc +++ b/latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc @@ -41,4 +41,4 @@ $ curl https://oidc.eks.us-west-2.amazonaws.com/id/8EBDXXXX00BAE/keys ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[irsa-fetch-keys,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23irsa-fetch-keys%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-configuration.adoc b/latest/ug/manage-access/aws-access/pod-configuration.adoc index 07096efa0..f5754a840 100644 --- a/latest/ug/manage-access/aws-access/pod-configuration.adoc +++ b/latest/ug/manage-access/aws-access/pod-configuration.adoc @@ -127,4 +127,4 @@ Service Account: my-service-account .. If your [.noloc]`Pods` still can't access services, review the <> that are described in <> to confirm that your role and service account are configured properly. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[pod-configuration,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pod-configuration%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-id-abac.adoc b/latest/ug/manage-access/aws-access/pod-id-abac.adoc index ea677de21..d829e9c3d 100644 --- a/latest/ug/manage-access/aws-access/pod-id-abac.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-abac.adoc @@ -84,4 +84,4 @@ In this case, the former takes precedence and the value for the `eks-cluster-nam ==== -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[pod-id-abac,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pod-id-abac%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc b/latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc index cb0cd2158..0fd07152f 100644 --- a/latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc @@ -85,4 +85,4 @@ undo -- Undo a previous rollout If the rollout takes too long, Amazon EKS will undo the rollout, and a message with the type of *Addon Update* and a status of *Failed* will be added to the *Update history* of the add-on. To investigate any issues, start from the history of the rollout, and run `kubectl logs` on a EKS Pod Identity Agent pod to see the logs of EKS Pod Identity Agent. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[pod-id-agent-config-ipv6,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pod-id-agent-config-ipv6%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc b/latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc index 503df2e3c..af991a928 100644 --- a/latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc @@ -115,4 +115,4 @@ eks-pod-identity-agent-prnsh 1/1 Ru You can now use EKS Pod Identity associations in your cluster. For more information, see <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[pod-id-agent-setup,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pod-id-agent-setup%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-id-association.adoc b/latest/ug/manage-access/aws-access/pod-id-association.adoc index 7f98d5d6f..96b4ad364 100644 --- a/latest/ug/manage-access/aws-access/pod-id-association.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-association.adoc @@ -288,4 +288,4 @@ If you created the example policy in a previous step, then your output is the sa <> -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[pod-id-association,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pod-id-association%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc b/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc index 46820e86b..fcf389c2c 100644 --- a/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc @@ -96,4 +96,4 @@ Service Account: my-service-account ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[pod-id-configure-pods,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pod-id-configure-pods%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc b/latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc index 5c12c46ee..2bb7318ee 100644 --- a/latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc @@ -59,4 +59,4 @@ In contrast, _IAM roles for service accounts_ provides a _web identity_ token th NOTE: If your workloads currently use credentials that are earlier in the chain of credentials, those credentials will continue to be used even if you configure an EKS Pod Identity association for the same workload. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[pod-id-how-it-works,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pod-id-how-it-works%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc b/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc index 3daf822d0..c1130bea2 100644 --- a/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc @@ -41,4 +41,4 @@ To ensure that you're using a supported SDK, follow the installation instruction For a list of add-ons that support EKS Pod Identity, see <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[pod-id-minimum-sdk,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pod-id-minimum-sdk%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-id-role.adoc b/latest/ug/manage-access/aws-access/pod-id-role.adoc index 1312b5eb4..d676a813a 100644 --- a/latest/ug/manage-access/aws-access/pod-id-role.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-role.adoc @@ -42,4 +42,4 @@ You can use these tags in the _condition keys_ in the trust policy to restrict w For a list of Amazon EKS condition keys, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-policy-keys[Conditions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the _Service Authorization Reference_. To learn which actions and resources you can use a condition key with, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"]. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[pod-id-role,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pod-id-role%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-identities.adoc b/latest/ug/manage-access/aws-access/pod-identities.adoc index f2c95a768..bc8895256 100644 --- a/latest/ug/manage-access/aws-access/pod-identities.adoc +++ b/latest/ug/manage-access/aws-access/pod-identities.adoc @@ -146,4 +146,4 @@ You can't use EKS Pod Identities with: * Pods that run anywhere except Linux Amazon EC2 instances. Linux and Windows pods that run on {aws} Fargate (Fargate) aren't supported. Pods that run on Windows Amazon EC2 instances aren't supported. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[pod-identities,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pod-identities%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/service-accounts.adoc b/latest/ug/manage-access/aws-access/service-accounts.adoc index 80be19a7e..7ce3ea47b 100644 --- a/latest/ug/manage-access/aws-access/service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/service-accounts.adoc @@ -123,4 +123,4 @@ At a high level, both EKS Pod Identity and IRSA enables you to grant IAM permiss |=== -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[service-accounts,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23service-accounts%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/cluster-auth.adoc b/latest/ug/manage-access/cluster-auth.adoc index d82c97974..3aa4f6732 100644 --- a/latest/ug/manage-access/cluster-auth.adoc +++ b/latest/ug/manage-access/cluster-auth.adoc @@ -78,4 +78,4 @@ include::create-kubeconfig.adoc[leveloffset=+1] include::aws-access/service-accounts.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cluster-auth,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cluster-auth%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/create-kubeconfig.adoc b/latest/ug/manage-access/create-kubeconfig.adoc index cf11ed8d7..8c08d713f 100644 --- a/latest/ug/manage-access/create-kubeconfig.adoc +++ b/latest/ug/manage-access/create-kubeconfig.adoc @@ -62,4 +62,4 @@ svc/kubernetes ClusterIP 10.100.0.1 443/TCP 1m If you receive any authorization or resource type errors, see <> in the troubleshooting topic. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[create-kubeconfig,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23create-kubeconfig%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/access-entries.adoc b/latest/ug/manage-access/k8s-access/access-entries.adoc index e883b3114..5affecdc2 100644 --- a/latest/ug/manage-access/k8s-access/access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/access-entries.adoc @@ -66,4 +66,4 @@ include::updating-access-entries.adoc[leveloffset=+1] include::deleting-access-entries.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[access-entries,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23access-entries%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/access-policies.adoc b/latest/ug/manage-access/k8s-access/access-policies.adoc index 7d778a895..e95aeef42 100644 --- a/latest/ug/manage-access/k8s-access/access-policies.adoc +++ b/latest/ug/manage-access/k8s-access/access-policies.adoc @@ -154,4 +154,4 @@ aws eks disassociate-access-policy --cluster-name my-cluster --principal-arn {ar To list available access policies, see <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[access-policies,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23access-policies%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/access-policy-reference.adoc b/latest/ug/manage-access/k8s-access/access-policy-reference.adoc index 456ab6b3f..c19ce374d 100644 --- a/latest/ug/manage-access/k8s-access/access-policy-reference.adoc +++ b/latest/ug/manage-access/k8s-access/access-policy-reference.adoc @@ -583,4 +583,4 @@ View details about updates to access policies, since they were introduced. For a |=== -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[access-policy-permissions,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23access-policy-permissions%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/auth-configmap.adoc b/latest/ug/manage-access/k8s-access/auth-configmap.adoc index 9b7c34cbf..f6421b93a 100644 --- a/latest/ug/manage-access/k8s-access/auth-configmap.adoc +++ b/latest/ug/manage-access/k8s-access/auth-configmap.adoc @@ -369,4 +369,4 @@ kubectl get nodes --watch Enter `Ctrl`+``C`` to return to a shell prompt. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auth-configmap,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auth-configmap%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc b/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc index b3578954c..e17b77b95 100644 --- a/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc +++ b/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc @@ -191,4 +191,4 @@ Amazon EKS aims to give you a wide selection of options to cover all use cases. com] for more information. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[authenticate-oidc-identity-provider,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23authenticate-oidc-identity-provider%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/creating-access-entries.adoc b/latest/ug/manage-access/k8s-access/creating-access-entries.adoc index ec15206d3..edc38b77d 100644 --- a/latest/ug/manage-access/k8s-access/creating-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/creating-access-entries.adoc @@ -128,4 +128,4 @@ aws eks create-access-entry --cluster-name my-cluster --principal-arn {arn-aws}i If you want this user to have more access to your cluster than the permissions in the [.noloc]`Kubernetes` API discovery roles, then you need to associate an access policy to the access entry, since the `--kubernetes-groups` option isn't used. For more information, see <> and https://kubernetes.io/docs/reference/access-authn-authz/rbac/#discovery-roles[API discovery roles] in the [.noloc]`Kubernetes` documentation. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[creating-access-entries,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23creating-access-entries%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/deleting-access-entries.adoc b/latest/ug/manage-access/k8s-access/deleting-access-entries.adoc index edf44a32f..5b899bed5 100644 --- a/latest/ug/manage-access/k8s-access/deleting-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/deleting-access-entries.adoc @@ -30,4 +30,4 @@ aws eks delete-access-entry --cluster-name my-cluster --principal-arn {arn-aws}i ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[deleting-access-entries,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23deleting-access-entries%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc b/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc index 0d79180a0..a6388ccb4 100644 --- a/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc +++ b/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc @@ -11,4 +11,4 @@ If you disassociate an [.noloc]`OIDC` identity provider from your cluster, users . In the *[.noloc]`OIDC` Identity Providers* section, select *Disassociate*, enter the identity provider name, and then select `Disassociate`. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[disassociate-oidc-identity-provider,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23disassociate-oidc-identity-provider%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc b/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc index 2c79d414f..748a914e0 100644 --- a/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc +++ b/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc @@ -113,4 +113,4 @@ include::disassociate-oidc-identity-provider.adoc[leveloffset=+1] //include::access-policy-reference.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[grant-k8s-access,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23grant-k8s-access%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc b/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc index e23e8a503..98ccb834e 100644 --- a/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc @@ -56,4 +56,4 @@ eksctl delete iamidentitymapping --arn {arn-aws}iam::111122223333:role/EKS-my-cl ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[migrating-access-entries,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23migrating-access-entries%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc b/latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc index 88c2bfc92..70c74a441 100644 --- a/latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc @@ -72,4 +72,4 @@ To use _access entries_, the cluster must have a platform version that is the sa For more information, see <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[setting-up-access-entries,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23setting-up-access-entries%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/updating-access-entries.adoc b/latest/ug/manage-access/k8s-access/updating-access-entries.adoc index 813b3c86b..36bd4fcdd 100644 --- a/latest/ug/manage-access/k8s-access/updating-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/updating-access-entries.adoc @@ -34,4 +34,4 @@ aws eks update-access-entry --cluster-name my-cluster --principal-arn {arn-aws}i You can't use the `--kubernetes-groups` option if the type of the access entry is a value other than `STANDARD`. You also can't associate an access policy to an access entry with a type other than `STANDARD`. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[updating-access-entries,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23updating-access-entries%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/view-kubernetes-resources.adoc b/latest/ug/manage-access/view-kubernetes-resources.adoc index 7d8a688e3..687dafd1f 100644 --- a/latest/ug/manage-access/view-kubernetes-resources.adoc +++ b/latest/ug/manage-access/view-kubernetes-resources.adoc @@ -232,4 +232,4 @@ IMPORTANT: The role ARN can't include a path such as `role/my-team/developers/my . Save the file and exit your text editor. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[view-kubernetes-resources,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23view-kubernetes-resources%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/ml/capacity-blocks-mng.adoc b/latest/ug/ml/capacity-blocks-mng.adoc index 6e830723c..ff44aa822 100644 --- a/latest/ug/ml/capacity-blocks-mng.adoc +++ b/latest/ug/ml/capacity-blocks-mng.adoc @@ -89,4 +89,4 @@ aws eks create-nodegroup \ Amazon EC2 starts shutting down the instances 30 minutes before reservation end time. As a result, Amazon EKS will setup a scheduled scale down on the node group 40 minutes prior to their reservation end in order to safely and gracefully evict [.noloc]`Pods`. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[capacity-blocks-mng,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23capacity-blocks-mng%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/ml/capacity-blocks.adoc b/latest/ug/ml/capacity-blocks.adoc index 5b2f2efcd..4cc45d9b3 100644 --- a/latest/ug/ml/capacity-blocks.adoc +++ b/latest/ug/ml/capacity-blocks.adoc @@ -103,4 +103,4 @@ If you want to instead scale up manually whenever the capacity reservation becom If you don't setup a Node Termination Handler, we recommend that you start draining your [.noloc]`Pods` manually before hitting the 30 minute window so that they have enough time to be gracefully drained. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[capacity-blocks,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23capacity-blocks%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/ml/inferentia-support.adoc b/latest/ug/ml/inferentia-support.adoc index db3af745c..f0a6c0145 100644 --- a/latest/ug/ml/inferentia-support.adoc +++ b/latest/ug/ml/inferentia-support.adoc @@ -247,4 +247,4 @@ An example output is as follows. ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[inferentia-support,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23inferentia-support%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/ml/machine-learning-on-eks.adoc b/latest/ug/ml/machine-learning-on-eks.adoc index 74d80131f..463d288f4 100644 --- a/latest/ug/ml/machine-learning-on-eks.adoc +++ b/latest/ug/ml/machine-learning-on-eks.adoc @@ -65,4 +65,4 @@ include::ml-prepare-for-cluster.adoc[leveloffset=+1] include::ml-tutorials.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[machine-learning-on-eks,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23machine-learning-on-eks%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/ml/ml-eks-optimized-ami.adoc b/latest/ug/ml/ml-eks-optimized-ami.adoc index 9ebfcd3da..5cd06c227 100644 --- a/latest/ug/ml/ml-eks-optimized-ami.adoc +++ b/latest/ug/ml/ml-eks-optimized-ami.adoc @@ -84,4 +84,4 @@ Mon Aug 6 20:23:31 20XX ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[ml-eks-optimized-ami,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23ml-eks-optimized-ami%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/ml/ml-eks-windows-optimized-ami.adoc b/latest/ug/ml/ml-eks-windows-optimized-ami.adoc index f1186179c..c5a0445a0 100644 --- a/latest/ug/ml/ml-eks-windows-optimized-ami.adoc +++ b/latest/ug/ml/ml-eks-windows-optimized-ami.adoc @@ -222,4 +222,4 @@ There is no EKS Windows GPU Optimized AMI or EC2 Image Builder managed component {aws} link:ai/machine-learning/inferentia/[Inferentia,type="marketing"] and {aws} link:ai/machine-learning/trainium/[Trainium,type="marketing"] based workloads are not supported on Windows. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[ml-eks-windows-optimized-ami,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23ml-eks-windows-optimized-ami%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/ml/ml-get-started.adoc b/latest/ug/ml/ml-get-started.adoc index 393f4225d..1ef78c31f 100644 --- a/latest/ug/ml/ml-get-started.adoc +++ b/latest/ug/ml/ml-get-started.adoc @@ -45,4 +45,4 @@ To improve your work with ML on EKS, refer to the following: * *Prepare for ML* – Learn how to prepare for ML on EKS with features like custom AMIs and GPU reservations. See <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[ml-get-started,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23ml-get-started%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/ml/ml-prepare-for-cluster.adoc b/latest/ug/ml/ml-prepare-for-cluster.adoc index 4d9877dbd..992a98076 100644 --- a/latest/ug/ml/ml-prepare-for-cluster.adoc +++ b/latest/ug/ml/ml-prepare-for-cluster.adoc @@ -42,4 +42,4 @@ include::node-efa.adoc[leveloffset=+1] include::inferentia-support.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[ml-prepare-for-cluster,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23ml-prepare-for-cluster%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/ml/ml-tutorials.adoc b/latest/ug/ml/ml-tutorials.adoc index f697284db..41a2880f5 100644 --- a/latest/ug/ml/ml-tutorials.adoc +++ b/latest/ug/ml/ml-tutorials.adoc @@ -71,4 +71,4 @@ https://aws.amazon.com/blogs/hpc/deploying-generative-ai-applications-with-nvidi * https://aws.amazon.com/blogs/machine-learning/establishing-an-ai-ml-center-of-excellence/[Establishing an AI/ML center of excellence] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[ml-tutorials,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23ml-tutorials%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/ml/node-efa.adoc b/latest/ug/ml/node-efa.adoc index 968a2da62..0a6b474da 100644 --- a/latest/ug/ml/node-efa.adoc +++ b/latest/ug/ml/node-efa.adoc @@ -308,4 +308,4 @@ kubectl logs -f nccl-tests-launcher-nbql9 If the test completed successfully, you can deploy your applications that use the [.noloc]`Nvidia Collective Communication Library`. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[node-efa,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23node-efa%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/ml/node-taints-managed-node-groups.adoc b/latest/ug/ml/node-taints-managed-node-groups.adoc index b17df0006..68c13bcd5 100644 --- a/latest/ug/ml/node-taints-managed-node-groups.adoc +++ b/latest/ug/ml/node-taints-managed-node-groups.adoc @@ -65,4 +65,4 @@ For more information and examples of usage, see https://kubernetes.io/docs/refer You can use the link:cli/latest/reference/eks/update-nodegroup-config.html[aws eks update-nodegroup-config,type="documentation"] {aws} CLI command to add, remove, or replace taints for managed node groups. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[node-taints-managed-node-groups,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23node-taints-managed-node-groups%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/alternate-cni-plugins.adoc b/latest/ug/networking/alternate-cni-plugins.adoc index edea34f3b..7f03086a4 100644 --- a/latest/ug/networking/alternate-cni-plugins.adoc +++ b/latest/ug/networking/alternate-cni-plugins.adoc @@ -57,4 +57,4 @@ If you use [.noloc]`Calico` network policy enforcement, we recommend that you se Amazon EKS Auto Mode does not support alternate CNI plugins or network policy plugins. For more information, see <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[alternate-cni-plugins,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23alternate-cni-plugins%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/aws-load-balancer-controller.adoc b/latest/ug/networking/aws-load-balancer-controller.adoc index 770c52b79..6655dc0ce 100644 --- a/latest/ug/networking/aws-load-balancer-controller.adoc +++ b/latest/ug/networking/aws-load-balancer-controller.adoc @@ -75,4 +75,4 @@ In versions 2.5 and newer, the [.noloc]`{aws} Load Balancer Controller` becomes ==== -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[aws-load-balancer-controller,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23aws-load-balancer-controller%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/cni-custom-network-tutorial.adoc b/latest/ug/networking/cni-custom-network-tutorial.adoc index a28b2b43f..f06e90f39 100644 --- a/latest/ug/networking/cni-custom-network-tutorial.adoc +++ b/latest/ug/networking/cni-custom-network-tutorial.adoc @@ -622,4 +622,4 @@ aws cloudformation delete-stack --stack-name my-eks-custom-networking-vpc ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cni-custom-network-tutorial,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cni-custom-network-tutorial%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/cni-custom-network.adoc b/latest/ug/networking/cni-custom-network.adoc index 9eacb468c..6f0305142 100644 --- a/latest/ug/networking/cni-custom-network.adoc +++ b/latest/ug/networking/cni-custom-network.adoc @@ -33,4 +33,4 @@ The following are considerations for using the feature. * For Fargate, subnets are controlled through the Fargate profile. For more information, see <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cni-custom-network,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cni-custom-network%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/cni-iam-role.adoc b/latest/ug/networking/cni-iam-role.adoc index c75076519..18cc4a98c 100644 --- a/latest/ug/networking/cni-iam-role.adoc +++ b/latest/ug/networking/cni-iam-role.adoc @@ -267,4 +267,4 @@ aws iam create-policy --policy-name AmazonEKS_CNI_IPv6_Policy --policy-document ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cni-iam-role,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cni-iam-role%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc b/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc index ad96ecead..07da1572d 100644 --- a/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc +++ b/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc @@ -229,4 +229,4 @@ vpc.amazonaws.com/PrivateIPv4Address: 144 In the previous output, `110` is the maximum number of [.noloc]`Pods` that [.noloc]`Kubernetes` will deploy to the node, even though [.replaceable]`144` IP addresses are available. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cni-increase-ip-addresses-procedure,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cni-increase-ip-addresses-procedure%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/cni-increase-ip-addresses.adoc b/latest/ug/networking/cni-increase-ip-addresses.adoc index e74844a07..e1a37f2ff 100644 --- a/latest/ug/networking/cni-increase-ip-addresses.adoc +++ b/latest/ug/networking/cni-increase-ip-addresses.adoc @@ -61,4 +61,4 @@ Consider the following when you use this feature: If you're also using <>, with `POD_SECURITY_GROUP_ENFORCING_MODE`=``strict``, when your `Pods` communicate with endpoints outside of your VPC, the `Pod's` security groups are used. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cni-increase-ip-addresses,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cni-increase-ip-addresses%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/cni-ipv6.adoc b/latest/ug/networking/cni-ipv6.adoc index 27fbfd235..481ad403c 100644 --- a/latest/ug/networking/cni-ipv6.adoc +++ b/latest/ug/networking/cni-ipv6.adoc @@ -73,4 +73,4 @@ aws eks describe-cluster --name my-cluster --query cluster.kubernetesNetworkConf ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cni-ipv6,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cni-ipv6%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/cni-network-policy-configure.adoc b/latest/ug/networking/cni-network-policy-configure.adoc index 3bddc5c98..7d3765d68 100644 --- a/latest/ug/networking/cni-network-policy-configure.adoc +++ b/latest/ug/networking/cni-network-policy-configure.adoc @@ -312,4 +312,4 @@ To implement [.noloc]`Kubernetes` network policies you create [.noloc]`Kubernete Enforcement of [.noloc]`Kubernetes` `NetworkPolicy` objects is implemented using the [.noloc]`Extended Berkeley Packet Filter` ([.noloc]`eBPF`). Relative to `iptables` based implementations, it offers lower latency and performance characteristics, including reduced CPU utilization and avoiding sequential lookups. Additionally, [.noloc]`eBPF` probes provide access to context rich data that helps debug complex kernel level issues and improve observability. Amazon EKS supports an [.noloc]`eBPF`-based exporter that leverages the probes to log policy results on each node and export the data to external log collectors to aid in debugging. For more information, see the https://ebpf.io/what-is-ebpf/#what-is-ebpf[eBPF documentation]. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cni-network-policy-configure,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cni-network-policy-configure%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/cni-network-policy.adoc b/latest/ug/networking/cni-network-policy.adoc index dd8f70099..70e633edd 100644 --- a/latest/ug/networking/cni-network-policy.adoc +++ b/latest/ug/networking/cni-network-policy.adoc @@ -64,4 +64,4 @@ Pods that use _IAM roles for service accounts_ or _EKS Pod Identity_ don't acces ** When using chained network plugins such as [.noloc]`Multus`. Because these plugins add network interfaces to each pod, network policies aren't applied to the chained network plugins. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cni-network-policy,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cni-network-policy%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/coredns-add-on-create.adoc b/latest/ug/networking/coredns-add-on-create.adoc index 80494fafc..e4e23f0cf 100644 --- a/latest/ug/networking/coredns-add-on-create.adoc +++ b/latest/ug/networking/coredns-add-on-create.adoc @@ -63,4 +63,4 @@ v1.11.3-eksbuild.1 . If you made custom settings to your original add-on, before you created the Amazon EKS add-on, use the configuration that you saved in a previous step to update the Amazon EKS add-on with your custom settings. For instructions to update the add-on, see <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[coredns-add-on-create,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23coredns-add-on-create%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/coredns-add-on-self-managed-update.adoc b/latest/ug/networking/coredns-add-on-self-managed-update.adoc index b9b164369..09b56bdb6 100644 --- a/latest/ug/networking/coredns-add-on-self-managed-update.adoc +++ b/latest/ug/networking/coredns-add-on-self-managed-update.adoc @@ -129,4 +129,4 @@ v1.11.3-eksbuild.1 ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[coredns-add-on-self-managed-update,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23coredns-add-on-self-managed-update%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/coredns-add-on-update.adoc b/latest/ug/networking/coredns-add-on-update.adoc index ef88d67ca..20dcc0353 100644 --- a/latest/ug/networking/coredns-add-on-update.adoc +++ b/latest/ug/networking/coredns-add-on-update.adoc @@ -76,4 +76,4 @@ An example output is as follows. ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[coredns-add-on-update,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23coredns-add-on-update%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/coredns-autoscaling.adoc b/latest/ug/networking/coredns-autoscaling.adoc index 6d489f973..98a9c1a7f 100644 --- a/latest/ug/networking/coredns-autoscaling.adoc +++ b/latest/ug/networking/coredns-autoscaling.adoc @@ -274,4 +274,4 @@ If you see this line: `"status": "ACTIVE"`, then the rollout has completed and t ==== -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[coredns-autoscaling,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23coredns-autoscaling%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/coredns-metrics.adoc b/latest/ug/networking/coredns-metrics.adoc index f02f471b3..72edec825 100644 --- a/latest/ug/networking/coredns-metrics.adoc +++ b/latest/ug/networking/coredns-metrics.adoc @@ -15,4 +15,4 @@ Learn how to collect [.noloc]`CoreDNS` metrics in Amazon EKS using Prometheus or For an example _scrape configuration_ that is compatible with both Prometheus and the CloudWatch agent, see link:AmazonCloudWatch/latest/monitoring/ContainerInsights-Prometheus-Setup-configure.html[CloudWatch agent configuration for Prometheus,type="documentation"] in the _Amazon CloudWatch User Guide_. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[coredns-metrics,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23coredns-metrics%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/creating-a-vpc.adoc b/latest/ug/networking/creating-a-vpc.adoc index 20551e01d..a166a7345 100644 --- a/latest/ug/networking/creating-a-vpc.adoc +++ b/latest/ug/networking/creating-a-vpc.adoc @@ -125,4 +125,4 @@ https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2020-10-29/amazon-e .. (Optional) Any cluster that you deploy to this VPC can assign private `IPv4` addresses to your [.noloc]`Pods` and [.noloc]`services`. If you want deploy clusters to this VPC to assign private `IPv6` addresses to your [.noloc]`Pods` and [.noloc]`services`, make updates to your VPC, subnet, route tables, and security groups. For more information, see link:vpc/latest/userguide/vpc-migrate-ipv6.html[Migrate existing VPCs from IPv4 to IPv6,type="documentation"] in the Amazon VPC User Guide. Amazon EKS requires that your subnets have the `Auto-assign IPv6` addresses option enabled (it's disabled by default). -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[creating-a-vpc,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23creating-a-vpc%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/deploy-ipv6-cluster.adoc b/latest/ug/networking/deploy-ipv6-cluster.adoc index 0377562c7..c4f236cb0 100644 --- a/latest/ug/networking/deploy-ipv6-cluster.adoc +++ b/latest/ug/networking/deploy-ipv6-cluster.adoc @@ -504,4 +504,4 @@ aws cloudformation delete-stack --region $region_code --stack-name $vpc_stack_na ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[deploy-ipv6-cluster,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23deploy-ipv6-cluster%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/eks-networking-add-ons.adoc b/latest/ug/networking/eks-networking-add-ons.adoc index 993366d7b..413c1ab02 100644 --- a/latest/ug/networking/eks-networking-add-ons.adoc +++ b/latest/ug/networking/eks-networking-add-ons.adoc @@ -58,4 +58,4 @@ This controller lets you connect services across multiple [.noloc]`Kubernetes` c For more information about add-ons, see <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-networking-add-ons,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-networking-add-ons%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/eks-networking.adoc b/latest/ug/networking/eks-networking.adoc index d6b9f56d5..015f8f64d 100644 --- a/latest/ug/networking/eks-networking.adoc +++ b/latest/ug/networking/eks-networking.adoc @@ -31,4 +31,4 @@ Your Amazon EKS cluster is created in a VPC. Pod networking is provided by the A [[Topic List]] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-networking,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-networking%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/external-snat.adoc b/latest/ug/networking/external-snat.adoc index cadf22263..86a148420 100644 --- a/latest/ug/networking/external-snat.adoc +++ b/latest/ug/networking/external-snat.adoc @@ -52,4 +52,4 @@ The `AWS_VPC_K8S_CNI_EXTERNALSNAT` and `AWS_VPC_K8S_CNI_EXCLUDE_SNAT_CIDRS` CNI {asterisk} If a [.noloc]`Pod's` spec contains `hostNetwork=true` (default is `false`), then its IP address isn't translated to a different address. This is the case for the `kube-proxy` and [.noloc]`Amazon VPC CNI plugin for Kubernetes` [.noloc]`Pods` that run on your cluster, by default. For these [.noloc]`Pods`, the IP address is the same as the node's primary IP address, so the [.noloc]`Pod's` IP address isn't translated. For more information about a [.noloc]`Pod's` `hostNetwork` setting, see https://kubernetes.io/docs/reference/generated/kubernetes-api/v{k8s-n}/#podspec-v1-core[PodSpec v1 core] in the [.noloc]`Kubernetes` API reference. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[external-snat,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23external-snat%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc b/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc index 22f805dd4..26d8b1544 100644 --- a/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc +++ b/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc @@ -108,4 +108,4 @@ Add the following `Affinity Rule` to the [.noloc]`DaemonSet`spec`` section of th ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[kube-proxy-add-on-self-managed-update,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23kube-proxy-add-on-self-managed-update%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/lbc-helm.adoc b/latest/ug/networking/lbc-helm.adoc index 5c62b9e57..64f0e9fac 100644 --- a/latest/ug/networking/lbc-helm.adoc +++ b/latest/ug/networking/lbc-helm.adoc @@ -177,4 +177,4 @@ You receive the previous output if you deployed using Helm. If you deployed usin // GDC Must Fix -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[lbc-helm,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23lbc-helm%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/lbc-manifest.adoc b/latest/ug/networking/lbc-manifest.adoc index 13589d880..2c6982568 100644 --- a/latest/ug/networking/lbc-manifest.adoc +++ b/latest/ug/networking/lbc-manifest.adoc @@ -350,4 +350,4 @@ You receive the previous output if you deployed using Helm. If you deployed usin . Before using the controller to provision {aws} resources, your cluster must meet specific requirements. For more information, see <> and <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[lbc-manifest,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23lbc-manifest%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/lbc-remove.adoc b/latest/ug/networking/lbc-remove.adoc index 59bbd590b..1d41ad99c 100644 --- a/latest/ug/networking/lbc-remove.adoc +++ b/latest/ug/networking/lbc-remove.adoc @@ -115,4 +115,4 @@ aws iam attach-role-policy \ ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[lbc-remove,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23lbc-remove%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/managing-coredns.adoc b/latest/ug/networking/managing-coredns.adoc index d2846f007..0d5184ad7 100644 --- a/latest/ug/networking/managing-coredns.adoc +++ b/latest/ug/networking/managing-coredns.adoc @@ -110,4 +110,4 @@ topologySpreadConstraints: * In EKS add-on versions `v1.11.1-eksbuild.4` and later, the container image is based on a https://gallery.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base[minimal base image] maintained by Amazon EKS Distro, which contains minimal packages and doesn't have shells. For more information, see https://distro.eks.amazonaws.com/[Amazon EKS Distro]. The usage and troubleshooting of the [.noloc]`CoreDNS` image remains the same. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[managing-coredns,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23managing-coredns%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/managing-kube-proxy.adoc b/latest/ug/networking/managing-kube-proxy.adoc index df25b964a..ec051c585 100644 --- a/latest/ug/networking/managing-kube-proxy.adoc +++ b/latest/ug/networking/managing-kube-proxy.adoc @@ -93,4 +93,4 @@ The following table lists the latest available self-managed `kube-proxy` contain * When you <>, you specify a valid Amazon EKS add-on version, which might not be a version listed in this table. This is because <> versions don't always match container image versions specified when updating the self-managed type of this add-on. When you update the self-managed type of this add-on, you specify a valid container image version listed in this table. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[managing-kube-proxy,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23managing-kube-proxy%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/managing-vpc-cni.adoc b/latest/ug/networking/managing-vpc-cni.adoc index 01e79c6c1..d4960a39e 100644 --- a/latest/ug/networking/managing-vpc-cni.adoc +++ b/latest/ug/networking/managing-vpc-cni.adoc @@ -83,4 +83,4 @@ The following are considerations for using the feature. * Check version compatibility for each feature. Some features of each release of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` require certain [.noloc]`Kubernetes` versions. When using different Amazon EKS features, if a specific version of the add-on is required, then it's noted in the feature documentation. Unless you have a specific reason for running an earlier version, we recommend running the latest version. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[managing-vpc-cni,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23managing-vpc-cni%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/network-policies-troubleshooting.adoc b/latest/ug/networking/network-policies-troubleshooting.adoc index 12a7d2c87..db1909455 100644 --- a/latest/ug/networking/network-policies-troubleshooting.adoc +++ b/latest/ug/networking/network-policies-troubleshooting.adoc @@ -260,4 +260,4 @@ sudo /opt/cni/bin/aws-eks-na-cli ebpf progs To run this command, you can use any method to connect to the node. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[network-policies-troubleshooting,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23network-policies-troubleshooting%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/network-policy-disable.adoc b/latest/ug/networking/network-policy-disable.adoc index 4d2a6e731..1ede8a3d3 100644 --- a/latest/ug/networking/network-policy-disable.adoc +++ b/latest/ug/networking/network-policy-disable.adoc @@ -39,4 +39,4 @@ kubectl edit daemonset -n kube-system aws-node ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[network-policy-disable,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23network-policy-disable%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/network-policy-stars-demo.adoc b/latest/ug/networking/network-policy-stars-demo.adoc index ae4b2a558..848aec558 100644 --- a/latest/ug/networking/network-policy-stars-demo.adoc +++ b/latest/ug/networking/network-policy-stars-demo.adoc @@ -188,4 +188,4 @@ kubectl delete -f https://eksworkshop.com/beginner/120_network-policies/calico/s Even after deleting the resources, there can still be network policy endpoints on the nodes that might interfere in unexpected ways with networking in your cluster. The only sure way to remove these rules is to reboot the nodes or terminate all of the nodes and recycle them. To terminate all nodes, either set the Auto Scaling Group desired count to 0, then back up to the desired number, or just terminate the nodes. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[network-policy-stars-demo,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23network-policy-stars-demo%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/network-reqs.adoc b/latest/ug/networking/network-reqs.adoc index a89c10e65..8524c9a7d 100644 --- a/latest/ug/networking/network-reqs.adoc +++ b/latest/ug/networking/network-reqs.adoc @@ -283,4 +283,4 @@ You can use _VPC sharing_ to share subnets with other {aws} accounts within the For more information about VPC subnet sharing, see link:vpc/latest/userguide/vpc-sharing.html#vpc-share-limitations[Share your VPC with other accounts,type="documentation"] in the _Amazon VPC User Guide_. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[network-reqs,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23network-reqs%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/pod-multiple-network-interfaces.adoc b/latest/ug/networking/pod-multiple-network-interfaces.adoc index 507ef93fb..a20f982b8 100644 --- a/latest/ug/networking/pod-multiple-network-interfaces.adoc +++ b/latest/ug/networking/pod-multiple-network-interfaces.adoc @@ -31,4 +31,4 @@ In Amazon EKS, each [.noloc]`Pod` has one network interface assigned by the Amaz For an implementation walk through, see the https://github.com/aws-samples/eks-install-guide-for-multus/blob/main/README.md[Multus Setup Guide] on [.noloc]`GitHub`. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[pod-multiple-network-interfaces,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pod-multiple-network-interfaces%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/pod-networking-use-cases.adoc b/latest/ug/networking/pod-networking-use-cases.adoc index fc7d1549a..37d6b7f4c 100644 --- a/latest/ug/networking/pod-networking-use-cases.adoc +++ b/latest/ug/networking/pod-networking-use-cases.adoc @@ -47,4 +47,4 @@ The [.noloc]`Amazon VPC CNI plugin for Kubernetes` provides networking for [.nol |=== -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[pod-networking-use-cases,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pod-networking-use-cases%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/sec-group-reqs.adoc b/latest/ug/networking/sec-group-reqs.adoc index 1d52f1d01..3a2f71c0d 100644 --- a/latest/ug/networking/sec-group-reqs.adoc +++ b/latest/ug/networking/sec-group-reqs.adoc @@ -145,4 +145,4 @@ Amazon EKS supports shared security groups. * EKS has the same requirements of shared or multi-VPC security groups as standard security groups. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[sec-group-reqs,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23sec-group-reqs%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/security-groups-for-pods.adoc b/latest/ug/networking/security-groups-for-pods.adoc index 3420350fd..e2170e9aa 100644 --- a/latest/ug/networking/security-groups-for-pods.adoc +++ b/latest/ug/networking/security-groups-for-pods.adoc @@ -71,4 +71,4 @@ If you're using version `1.11` or later of the plugin with `POD_SECURITY_GROUP_E If you set `POD_SECURITY_GROUP_ENFORCING_MODE=standard` and `AWS_VPC_K8S_CNI_EXTERNALSNAT=false`, traffic destined for endpoints outside the VPC use the node's security groups, not the [.noloc]`Pod's` security groups. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[security-groups-for-pods,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23security-groups-for-pods%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/security-groups-pods-deployment.adoc b/latest/ug/networking/security-groups-pods-deployment.adoc index 0c7957f15..2ea18774c 100644 --- a/latest/ug/networking/security-groups-pods-deployment.adoc +++ b/latest/ug/networking/security-groups-pods-deployment.adoc @@ -92,4 +92,4 @@ IMPORTANT: . To see how to use a security group policy for your [.noloc]`Pod`, see <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[security-groups-pods-deployment,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23security-groups-pods-deployment%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/sg-pods-example-deployment.adoc b/latest/ug/networking/sg-pods-example-deployment.adoc index 7e8b3a63c..3f8b2a0f3 100644 --- a/latest/ug/networking/sg-pods-example-deployment.adoc +++ b/latest/ug/networking/sg-pods-example-deployment.adoc @@ -209,4 +209,4 @@ aws ec2 delete-security-group --group-id $my_pod_security_group_id ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[sg-pods-example-deployment,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23sg-pods-example-deployment%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/vpc-add-on-create.adoc b/latest/ug/networking/vpc-add-on-create.adoc index 151290053..4bdd9d965 100644 --- a/latest/ug/networking/vpc-add-on-create.adoc +++ b/latest/ug/networking/vpc-add-on-create.adoc @@ -94,4 +94,4 @@ v1.19.0-eksbuild.1 . (Optional) Install the `cni-metrics-helper` to your cluster. It scrapes elastic network interface and IP address information, aggregates it at a cluster level, and publishes the metrics to Amazon CloudWatch. For more information, see https://github.com/aws/amazon-vpc-cni-k8s/blob/master/cmd/cni-metrics-helper/README.md[cni-metrics-helper] on GitHub. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[vpc-add-on-create,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23vpc-add-on-create%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/vpc-add-on-self-managed-update.adoc b/latest/ug/networking/vpc-add-on-self-managed-update.adoc index a65eeb6ce..d059dc683 100644 --- a/latest/ug/networking/vpc-add-on-self-managed-update.adoc +++ b/latest/ug/networking/vpc-add-on-self-managed-update.adoc @@ -72,4 +72,4 @@ v1.19.0 . (Optional) Install the `cni-metrics-helper` to your cluster. It scrapes elastic network interface and IP address information, aggregates it at a cluster level, and publishes the metrics to Amazon CloudWatch. For more information, see https://github.com/aws/amazon-vpc-cni-k8s/blob/master/cmd/cni-metrics-helper/README.md[cni-metrics-helper] on GitHub. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[vpc-add-on-self-managed-update,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23vpc-add-on-self-managed-update%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/vpc-add-on-update.adoc b/latest/ug/networking/vpc-add-on-update.adoc index 42605b93a..f7fd435b5 100644 --- a/latest/ug/networking/vpc-add-on-update.adoc +++ b/latest/ug/networking/vpc-add-on-update.adoc @@ -77,4 +77,4 @@ An example output is as follows. ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[vpc-add-on-update,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23vpc-add-on-update%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/al2023.adoc b/latest/ug/nodes/al2023.adoc index 23ed063be..5d80f1373 100644 --- a/latest/ug/nodes/al2023.adoc +++ b/latest/ug/nodes/al2023.adoc @@ -68,4 +68,4 @@ For previously existing managed node groups, you can either perform an in-place If you're using [.noloc]`Karpenter` and want to use AL2023, you'll need to modify the `EC2NodeClass` `amiFamily` field with AL2023. By default, Drift is enabled in [.noloc]`Karpenter`. This means that once the `amiFamily` field has been changed, [.noloc]`Karpenter` will automatically update your worker nodes to the latest AMI when available. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[al2023,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23al2023%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/auto-get-logs.adoc b/latest/ug/nodes/auto-get-logs.adoc index b3004e420..483838bfd 100644 --- a/latest/ug/nodes/auto-get-logs.adoc +++ b/latest/ug/nodes/auto-get-logs.adoc @@ -127,4 +127,4 @@ kubectl delete nodediagnostics.eks.amazonaws.com/[.replaceable]`node-name` ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-get-logs,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-get-logs%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/bottlerocket-compliance-support.adoc b/latest/ug/nodes/bottlerocket-compliance-support.adoc index 37deb2cf7..1a8a20617 100644 --- a/latest/ug/nodes/bottlerocket-compliance-support.adoc +++ b/latest/ug/nodes/bottlerocket-compliance-support.adoc @@ -18,4 +18,4 @@ include::../attributes.txt[] * [.noloc]`Bottlerocket` AMIs are available that are preconfigured to use FIPS 140-3 validated cryptographic modules. This includes the Amazon Linux 2023 Kernel Crypto API Cryptographic Module and the {aws}-LC Cryptographic Module. For more information on selecting FIPS-enabled variants, see <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[bottlerocket-compliance-support,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23bottlerocket-compliance-support%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/choosing-instance-type.adoc b/latest/ug/nodes/choosing-instance-type.adoc index 94ce89dd4..266ef5ad1 100644 --- a/latest/ug/nodes/choosing-instance-type.adoc +++ b/latest/ug/nodes/choosing-instance-type.adoc @@ -113,4 +113,4 @@ EKS Auto Mode limits the number of pods on nodes to the lower of: * The result of the max pods calculation described above. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[choosing-instance-type,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23choosing-instance-type%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/create-managed-node-group.adoc b/latest/ug/nodes/create-managed-node-group.adoc index c054c55ce..d1bafe3ec 100644 --- a/latest/ug/nodes/create-managed-node-group.adoc +++ b/latest/ug/nodes/create-managed-node-group.adoc @@ -251,4 +251,4 @@ For more information, see https://aws.github.io/aws-eks-best-practices/security/ * <> with important tools for managing your cluster. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[create-managed-node-group,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23create-managed-node-group%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/delete-fargate-profile.adoc b/latest/ug/nodes/delete-fargate-profile.adoc index 84f494d15..f8fec0f97 100644 --- a/latest/ug/nodes/delete-fargate-profile.adoc +++ b/latest/ug/nodes/delete-fargate-profile.adoc @@ -54,4 +54,4 @@ aws eks delete-fargate-profile --fargate-profile-name my-profile --cluster-name ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[delete-fargate-profile,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23delete-fargate-profile%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/delete-managed-node-group.adoc b/latest/ug/nodes/delete-managed-node-group.adoc index abea8cbec..26f2601a7 100644 --- a/latest/ug/nodes/delete-managed-node-group.adoc +++ b/latest/ug/nodes/delete-managed-node-group.adoc @@ -74,4 +74,4 @@ aws eks delete-nodegroup \ For more options, see the `link:cli/latest/reference/eks/delete-nodegroup.html[delete-nodegroup,type="documentation"]` command in the _{aws} CLI Command Reference_. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[delete-managed-node-group,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23delete-managed-node-group%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/dockershim-deprecation.adoc b/latest/ug/nodes/dockershim-deprecation.adoc index cf3010f34..df3d816d6 100644 --- a/latest/ug/nodes/dockershim-deprecation.adoc +++ b/latest/ug/nodes/dockershim-deprecation.adoc @@ -100,4 +100,4 @@ If you prefer to use a different tool to create your managed node group, you mus ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[dockershim-deprecation,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23dockershim-deprecation%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/eks-ami-build-scripts.adoc b/latest/ug/nodes/eks-ami-build-scripts.adoc index f1e78552b..91dffde79 100644 --- a/latest/ug/nodes/eks-ami-build-scripts.adoc +++ b/latest/ug/nodes/eks-ami-build-scripts.adoc @@ -25,4 +25,4 @@ For more information, see the repositories on [.noloc]`GitHub` at https://github Amazon EKS optimized AL2 contains an optional bootstrap flag to enable the `containerd` runtime. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-ami-build-scripts,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-ami-build-scripts%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc b/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc index 8610760c0..ad61c8b9a 100644 --- a/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc +++ b/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc @@ -15,4 +15,4 @@ Each [.noloc]`Bottlerocket` AMI release includes various versions of https://kub The _Bottlerocket Documentation_ can sometimes lag behind the versions that are available on GitHub. You can find a list of changes for the latest versions in the https://github.com/bottlerocket-os/bottlerocket/releases[releases] on [.noloc]`GitHub`. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-ami-versions-bottlerocket,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-ami-versions-bottlerocket%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/eks-ami-versions-windows.adoc b/latest/ug/nodes/eks-ami-versions-windows.adoc index a7ba024a3..8f0d4ad2c 100644 --- a/latest/ug/nodes/eks-ami-versions-windows.adoc +++ b/latest/ug/nodes/eks-ami-versions-windows.adoc @@ -4379,4 +4379,4 @@ The following tables list the current and previous versions of the Amazon EKS op ==== -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-ami-versions-windows,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-ami-versions-windows%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/eks-compute.adoc b/latest/ug/nodes/eks-compute.adoc index 836ab339f..a966abbd0 100644 --- a/latest/ug/nodes/eks-compute.adoc +++ b/latest/ug/nodes/eks-compute.adoc @@ -222,4 +222,4 @@ include::node-health.adoc[leveloffset=+1] include::hybrid-nodes-overview.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-compute,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-compute%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/eks-custom-ami-windows.adoc b/latest/ug/nodes/eks-custom-ami-windows.adoc index 309f4678c..9cd221c5d 100644 --- a/latest/ug/nodes/eks-custom-ami-windows.adoc +++ b/latest/ug/nodes/eks-custom-ami-windows.adoc @@ -115,4 +115,4 @@ You can retrieve specific information regarding what is installed with each comp The *Description* in the resulting page shows the specific information. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-custom-ami-windows,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-custom-ami-windows%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/eks-linux-ami-versions.adoc b/latest/ug/nodes/eks-linux-ami-versions.adoc index fd9d03e2f..3d2e3e910 100644 --- a/latest/ug/nodes/eks-linux-ami-versions.adoc +++ b/latest/ug/nodes/eks-linux-ami-versions.adoc @@ -20,4 +20,4 @@ k8s_major_version.k8s_minor_version.k8s_patch_version-release_date Each AMI release includes various versions of https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/[kubelet], the [.noloc]`Linux` kernel, and https://containerd.io/[containerd]. The accelerated AMIs also include various versions of the [.noloc]`NVIDIA` driver. You can find this version information in the https://github.com/awslabs/amazon-eks-ami/blob/main/CHANGELOG.md[Changelog] on [.noloc]`GitHub`. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-linux-ami-versions,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-linux-ami-versions%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc b/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc index ab61883b4..6aaf24387 100644 --- a/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc +++ b/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc @@ -62,4 +62,4 @@ include::retrieve-ami-id-bottlerocket.adoc[leveloffset=+1] include::bottlerocket-compliance-support.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-optimized-ami-bottlerocket,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-optimized-ami-bottlerocket%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/eks-optimized-ami.adoc b/latest/ug/nodes/eks-optimized-ami.adoc index 40a2f27c0..daa7479e3 100644 --- a/latest/ug/nodes/eks-optimized-ami.adoc +++ b/latest/ug/nodes/eks-optimized-ami.adoc @@ -83,4 +83,4 @@ For more information about using Amazon EKS optimized Amazon Linux AMIs, see the * For open-source scripts that are used to build the Amazon EKS optimized AMIs, see <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-optimized-ami,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-optimized-ami%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/eks-optimized-amis.adoc b/latest/ug/nodes/eks-optimized-amis.adoc index 974fffdfd..adc41c21f 100644 --- a/latest/ug/nodes/eks-optimized-amis.adoc +++ b/latest/ug/nodes/eks-optimized-amis.adoc @@ -30,4 +30,4 @@ include::eks-partner-amis.adoc[leveloffset=+1] include::eks-optimized-windows-ami.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-optimized-amis,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-optimized-amis%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/eks-optimized-windows-ami.adoc b/latest/ug/nodes/eks-optimized-windows-ami.adoc index 3ed7bdcab..5e7cc0dc5 100644 --- a/latest/ug/nodes/eks-optimized-windows-ami.adoc +++ b/latest/ug/nodes/eks-optimized-windows-ami.adoc @@ -149,4 +149,4 @@ include::retrieve-windows-ami-id.adoc[leveloffset=+1] include::eks-custom-ami-windows.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-optimized-windows-ami,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-optimized-windows-ami%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/eks-partner-amis.adoc b/latest/ug/nodes/eks-partner-amis.adoc index bf8d63bb2..fb568f5ca 100644 --- a/latest/ug/nodes/eks-partner-amis.adoc +++ b/latest/ug/nodes/eks-partner-amis.adoc @@ -15,4 +15,4 @@ Canonical has partnered with Amazon EKS to create node AMIs that you can use in https://www.canonical.com/[Canonical] delivers a built-for-purpose [.noloc]`Kubernetes` Node OS image. This minimized [.noloc]`Ubuntu` image is optimized for Amazon EKS and includes the custom {aws} kernel that is jointly developed with {aws}. For more information, see https://cloud-images.ubuntu.com/aws-eks/[Ubuntu on Amazon Elastic Kubernetes Service (EKS)] and <> . For information about support, see the link:premiumsupport/faqs/#Third-party_software[Third-party software,type="marketing"] section of the _{aws} Premium Support FAQs_. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-partner-amis,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-partner-amis%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/fargate-getting-started.adoc b/latest/ug/nodes/fargate-getting-started.adoc index caa8436c3..21f620e76 100644 --- a/latest/ug/nodes/fargate-getting-started.adoc +++ b/latest/ug/nodes/fargate-getting-started.adoc @@ -171,4 +171,4 @@ kubectl rollout restart -n kube-system deployment coredns * You can set up the link:otel[{aws} Distro for OpenTelemetry,type="marketing"] (ADOT) collector for application monitoring by following link:AmazonCloudWatch/latest/monitoring/Container-Insights-EKS-otel.html[these instructions,type="documentation"]. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[fargate-getting-started,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23fargate-getting-started%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/fargate-logging.adoc b/latest/ug/nodes/fargate-logging.adoc index c4982daa7..79bd7b893 100644 --- a/latest/ug/nodes/fargate-logging.adoc +++ b/latest/ug/nodes/fargate-logging.adoc @@ -418,4 +418,4 @@ Events: The [.noloc]`Pod` events are ephemeral with a time period depending on the settings. You can also view a [.noloc]`Pod's` annotations using `kubectl describe pod [.replaceable]``pod-name```. In the [.noloc]`Pod` annotation, there is information about whether the logging feature is enabled or disabled and the reason. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[fargate-logging,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23fargate-logging%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/fargate-pod-configuration.adoc b/latest/ug/nodes/fargate-pod-configuration.adoc index 6a9944ea3..6470bfba4 100644 --- a/latest/ug/nodes/fargate-pod-configuration.adoc +++ b/latest/ug/nodes/fargate-pod-configuration.adoc @@ -107,4 +107,4 @@ You can increase the total amount of ephemeral storage up to a maximum of 175 Gi Amazon EKS Fargate provisions more ephemeral storage than requested for the purposes of system use. For example, a request of 100 GiB will provision a Fargate task with 115 GiB ephemeral storage. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[fargate-pod-configuration,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23fargate-pod-configuration%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/fargate-pod-patching.adoc b/latest/ug/nodes/fargate-pod-patching.adoc index bf9f96606..18dbd2c22 100644 --- a/latest/ug/nodes/fargate-pod-patching.adoc +++ b/latest/ug/nodes/fargate-pod-patching.adoc @@ -74,4 +74,4 @@ A suitable target can be set for the event to capture it. For a complete list of See https://repost.aws/knowledge-center/fargate-pod-eviction-notice[FAQs: Fargate Pod eviction notice] in _{aws} re:Post_ for frequently asked questions regarding EKS Pod Evictions. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[fargate-pod-patching,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23fargate-pod-patching%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/fargate-profile.adoc b/latest/ug/nodes/fargate-profile.adoc index dc7bee446..10714bd20 100644 --- a/latest/ug/nodes/fargate-profile.adoc +++ b/latest/ug/nodes/fargate-profile.adoc @@ -142,4 +142,4 @@ NOTE: Only private subnets are supported for [.noloc]`Pods` that are running on . On the *Review and create* page, review the information for your Fargate profile and choose *Create*. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[fargate-profile,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23fargate-profile%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/fargate.adoc b/latest/ug/nodes/fargate.adoc index 9d400bf9a..ee3cd1c0d 100644 --- a/latest/ug/nodes/fargate.adoc +++ b/latest/ug/nodes/fargate.adoc @@ -188,4 +188,4 @@ include::monitoring-fargate-usage.adoc[leveloffset=+1] include::fargate-logging.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[fargate,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23fargate%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-add-ons.adoc b/latest/ug/nodes/hybrid-nodes-add-ons.adoc index 2f6cceaf9..ce2d35bda 100644 --- a/latest/ug/nodes/hybrid-nodes-add-ons.adoc +++ b/latest/ug/nodes/hybrid-nodes-add-ons.adoc @@ -169,4 +169,4 @@ aws eks create-addon \ Starting with version `v8.1.0-eksbuild.2`, the <> applies a soft anti-affinity rule for hybrid nodes, preferring the controller `deployment` to run on EC2 in the same {aws} Region as the Amazon EKS control plane. Co-locating the `deployment` in the same {aws} Region as the Amazon EKS control plane improves latency. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[hybrid-nodes-add-ons,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23hybrid-nodes-add-ons%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc index 46926bf9b..e5d3e16fc 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc @@ -339,4 +339,4 @@ kubernetes ClusterIP 10.100.0.1 443/TCP 28h As a next step, see <> to enable access for your hybrid nodes to join your cluster. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[hybrid-nodes-cluster-create,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23hybrid-nodes-cluster-create%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc b/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc index 2045e9ad0..f016a461d 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc @@ -109,4 +109,4 @@ EOF ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[hybrid-nodes-cluster-prep,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23hybrid-nodes-cluster-prep%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-cni.adoc b/latest/ug/nodes/hybrid-nodes-cni.adoc index 094b0e336..1bf0e9a53 100644 --- a/latest/ug/nodes/hybrid-nodes-cni.adoc +++ b/latest/ug/nodes/hybrid-nodes-cni.adoc @@ -526,4 +526,4 @@ kubectl get crds -oname | grep "tigera" | xargs kubectl delete ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[hybrid-nodes-cni,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23hybrid-nodes-cni%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-creds.adoc b/latest/ug/nodes/hybrid-nodes-creds.adoc index 067e2ee10..0c2b7530b 100644 --- a/latest/ug/nodes/hybrid-nodes-creds.adoc +++ b/latest/ug/nodes/hybrid-nodes-creds.adoc @@ -528,4 +528,4 @@ To use {aws} IAM Roles Anywhere, you must set up your {aws} IAM Roles Anywhere t .. Choose *Create role*. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[hybrid-nodes-creds,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23hybrid-nodes-creds%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-join.adoc b/latest/ug/nodes/hybrid-nodes-join.adoc index 88b2d7288..55a610664 100644 --- a/latest/ug/nodes/hybrid-nodes-join.adoc +++ b/latest/ug/nodes/hybrid-nodes-join.adoc @@ -145,4 +145,4 @@ Your nodes will have status `Not Ready`, which is expected and is due to the lac To make your hybrid nodes ready to run applications, continue with the steps on <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[hybrid-nodes-join,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23hybrid-nodes-join%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-networking.adoc b/latest/ug/nodes/hybrid-nodes-networking.adoc index 493d3969b..60ca65ec3 100644 --- a/latest/ug/nodes/hybrid-nodes-networking.adoc +++ b/latest/ug/nodes/hybrid-nodes-networking.adoc @@ -407,4 +407,4 @@ aws ec2 authorize-security-group-ingress \ ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[hybrid-nodes-networking,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23hybrid-nodes-networking%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc index ed8ac9fb0..52f73f0f6 100644 --- a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc +++ b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc @@ -587,4 +587,4 @@ spec: ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[hybrid-nodes-nodeadm,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23hybrid-nodes-nodeadm%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-os.adoc b/latest/ug/nodes/hybrid-nodes-os.adoc index 2a40baeeb..9d9ca9b32 100644 --- a/latest/ug/nodes/hybrid-nodes-os.adoc +++ b/latest/ug/nodes/hybrid-nodes-os.adoc @@ -363,4 +363,4 @@ govc vm.power -on "${NODE_NAME}" ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[hybrid-nodes-os,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23hybrid-nodes-os%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-overview.adoc b/latest/ug/nodes/hybrid-nodes-overview.adoc index 31fd816f2..d23845248 100644 --- a/latest/ug/nodes/hybrid-nodes-overview.adoc +++ b/latest/ug/nodes/hybrid-nodes-overview.adoc @@ -96,4 +96,4 @@ include::hybrid-nodes-nodeadm.adoc[leveloffset=+1] include::hybrid-nodes-troubleshooting.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[hybrid-nodes-overview,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23hybrid-nodes-overview%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-prereqs.adoc b/latest/ug/nodes/hybrid-nodes-prereqs.adoc index e9cd1a2e3..dad30d8ca 100644 --- a/latest/ug/nodes/hybrid-nodes-prereqs.adoc +++ b/latest/ug/nodes/hybrid-nodes-prereqs.adoc @@ -144,4 +144,4 @@ include::hybrid-nodes-cluster-create.adoc[leveloffset=+1] include::hybrid-nodes-cluster-prep.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[hybrid-nodes-prereqs,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23hybrid-nodes-prereqs%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-proxy.adoc b/latest/ug/nodes/hybrid-nodes-proxy.adoc index b74a6e1cc..162693316 100644 --- a/latest/ug/nodes/hybrid-nodes-proxy.adoc +++ b/latest/ug/nodes/hybrid-nodes-proxy.adoc @@ -145,4 +145,4 @@ containers: ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[hybrid-nodes-proxy,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23hybrid-nodes-proxy%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-remove.adoc b/latest/ug/nodes/hybrid-nodes-remove.adoc index 3de8ba7ce..d439d508f 100644 --- a/latest/ug/nodes/hybrid-nodes-remove.adoc +++ b/latest/ug/nodes/hybrid-nodes-remove.adoc @@ -58,4 +58,4 @@ kubectl delete node Depending on your choice of CNI, there may be artifacts remaining on your hybrid nodes after running the above steps. See <> for more information. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[hybrid-nodes-remove,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23hybrid-nodes-remove%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc index c9af00181..cd12be2e1 100644 --- a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc +++ b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc @@ -669,4 +669,4 @@ sudo apt install glibc-source ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[hybrid-nodes-troubleshooting,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23hybrid-nodes-troubleshooting%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-tutorial.adoc b/latest/ug/nodes/hybrid-nodes-tutorial.adoc index 3ce8d8347..521ba37c6 100644 --- a/latest/ug/nodes/hybrid-nodes-tutorial.adoc +++ b/latest/ug/nodes/hybrid-nodes-tutorial.adoc @@ -26,4 +26,4 @@ include::hybrid-nodes-upgrade.adoc[leveloffset=+1] include::hybrid-nodes-remove.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[hybrid-nodes-tutorial,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23hybrid-nodes-tutorial%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-upgrade.adoc b/latest/ug/nodes/hybrid-nodes-upgrade.adoc index 874a6aa05..b7274341d 100644 --- a/latest/ug/nodes/hybrid-nodes-upgrade.adoc +++ b/latest/ug/nodes/hybrid-nodes-upgrade.adoc @@ -146,4 +146,4 @@ kubectl get nodes -o -w ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[hybrid-nodes-upgrade,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23hybrid-nodes-upgrade%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/launch-node-bottlerocket.adoc b/latest/ug/nodes/launch-node-bottlerocket.adoc index 9e8cabbd9..6d7ee5032 100644 --- a/latest/ug/nodes/launch-node-bottlerocket.adoc +++ b/latest/ug/nodes/launch-node-bottlerocket.adoc @@ -129,4 +129,4 @@ Add `--conntrack-max-per-core` and `--conntrack-min` to the `kube-proxy` argumen For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[launch-node-bottlerocket,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23launch-node-bottlerocket%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/launch-node-ubuntu.adoc b/latest/ug/nodes/launch-node-ubuntu.adoc index 4a4de6377..fb085720e 100644 --- a/latest/ug/nodes/launch-node-ubuntu.adoc +++ b/latest/ug/nodes/launch-node-ubuntu.adoc @@ -102,4 +102,4 @@ Several lines are output while the nodes are created. One of the last lines of o For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[launch-node-ubuntu,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23launch-node-ubuntu%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/launch-templates.adoc b/latest/ug/nodes/launch-templates.adoc index c141f9747..92794e1e9 100644 --- a/latest/ug/nodes/launch-templates.adoc +++ b/latest/ug/nodes/launch-templates.adoc @@ -465,4 +465,4 @@ kubectl edit -n kube-system cm aws-auth .. Save the file and exit your text editor. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[launch-templates,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23launch-templates%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/launch-windows-workers.adoc b/latest/ug/nodes/launch-windows-workers.adoc index ac71c91da..1cb7cf2f0 100644 --- a/latest/ug/nodes/launch-windows-workers.adoc +++ b/latest/ug/nodes/launch-windows-workers.adoc @@ -248,4 +248,4 @@ If nodes fail to join the cluster, then see <> in the Troubles For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[launch-windows-workers,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23launch-windows-workers%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/launch-workers.adoc b/latest/ug/nodes/launch-workers.adoc index 9ae02ba56..875406256 100644 --- a/latest/ug/nodes/launch-workers.adoc +++ b/latest/ug/nodes/launch-workers.adoc @@ -245,4 +245,4 @@ kubectl apply -f https://raw.githubusercontent.com/NVIDIA/k8s-device-plugin/vX.X For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[launch-workers,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23launch-workers%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/learn-status-conditions.adoc b/latest/ug/nodes/learn-status-conditions.adoc index 233714761..192ae6607 100644 --- a/latest/ug/nodes/learn-status-conditions.adoc +++ b/latest/ug/nodes/learn-status-conditions.adoc @@ -126,4 +126,4 @@ kubectl top node ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[learn-status-conditions,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23learn-status-conditions%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/managed-node-groups.adoc b/latest/ug/nodes/managed-node-groups.adoc index 9b1799c1a..293ba9610 100644 --- a/latest/ug/nodes/managed-node-groups.adoc +++ b/latest/ug/nodes/managed-node-groups.adoc @@ -125,4 +125,4 @@ When deciding whether to deploy a node group with On-Demand or Spot capacity, yo ** When deploying your node group with the Spot capacity type that's using a custom launch template, use the API to pass multiple instance types. Don't pass a single instance type through the launch template. For more information about deploying a node group using a launch template, see <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[managed-node-groups,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23managed-node-groups%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/managed-node-update-behavior.adoc b/latest/ug/nodes/managed-node-update-behavior.adoc index 81dd52873..b56c721a7 100644 --- a/latest/ug/nodes/managed-node-update-behavior.adoc +++ b/latest/ug/nodes/managed-node-update-behavior.adoc @@ -115,4 +115,4 @@ The scale down phase decrements the Auto Scaling group maximum size and desired If the Upgrade workflow determines that the Cluster Autoscaler is scaling up the node group during the scale down phase of the workflow, it exits immediately without bringing the node group back to its original size. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[managed-node-update-behavior,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23managed-node-update-behavior%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/migrate-stack.adoc b/latest/ug/nodes/migrate-stack.adoc index 3787bb3cf..16ff0f0dd 100644 --- a/latest/ug/nodes/migrate-stack.adoc +++ b/latest/ug/nodes/migrate-stack.adoc @@ -304,4 +304,4 @@ kubectl scale deployments/kube-dns --replicas=1 -n kube-system ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[migrate-stack,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23migrate-stack%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/monitoring-fargate-usage.adoc b/latest/ug/nodes/monitoring-fargate-usage.adoc index 880d2d4f2..0d62031a1 100644 --- a/latest/ug/nodes/monitoring-fargate-usage.adoc +++ b/latest/ug/nodes/monitoring-fargate-usage.adoc @@ -81,4 +81,4 @@ Use the following steps to create a CloudWatch alarm based on the Fargate resour . For *Alarm name*, enter a name for the alarm and then choose *Create*. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[monitoring-fargate-usage,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23monitoring-fargate-usage%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/node-health.adoc b/latest/ug/nodes/node-health.adoc index 8dfd3513f..8543d9e13 100644 --- a/latest/ug/nodes/node-health.adoc +++ b/latest/ug/nodes/node-health.adoc @@ -393,4 +393,4 @@ If auto repair is enabled, the repair actions that are listed start 10 minutes a |=== -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[node-health,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23node-health%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc b/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc index d9e4cd82e..679a84153 100644 --- a/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc +++ b/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc @@ -49,4 +49,4 @@ ami-[.replaceable]`1234567890abcdef0` ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[retrieve-ami-id-bottlerocket,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23retrieve-ami-id-bottlerocket%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/retrieve-ami-id.adoc b/latest/ug/nodes/retrieve-ami-id.adoc index a3070fe6c..ef983b953 100644 --- a/latest/ug/nodes/retrieve-ami-id.adoc +++ b/latest/ug/nodes/retrieve-ami-id.adoc @@ -48,4 +48,4 @@ ami-[.replaceable]`1234567890abcdef0` ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[retrieve-ami-id,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23retrieve-ami-id%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/retrieve-windows-ami-id.adoc b/latest/ug/nodes/retrieve-windows-ami-id.adoc index 22ce081f5..c5d0eaa43 100644 --- a/latest/ug/nodes/retrieve-windows-ami-id.adoc +++ b/latest/ug/nodes/retrieve-windows-ami-id.adoc @@ -47,4 +47,4 @@ ami-[.replaceable]`1234567890abcdef0` ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[retrieve-windows-ami-id,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23retrieve-windows-ami-id%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/self-managed-windows-server-2022.adoc b/latest/ug/nodes/self-managed-windows-server-2022.adoc index 002ee2895..3a9340183 100644 --- a/latest/ug/nodes/self-managed-windows-server-2022.adoc +++ b/latest/ug/nodes/self-managed-windows-server-2022.adoc @@ -50,4 +50,4 @@ eksctl create cluster -f test-windows-2022.yaml ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[self-managed-windows-server-2022,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23self-managed-windows-server-2022%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/update-managed-node-group.adoc b/latest/ug/nodes/update-managed-node-group.adoc index 499d9c201..1f583e106 100644 --- a/latest/ug/nodes/update-managed-node-group.adoc +++ b/latest/ug/nodes/update-managed-node-group.adoc @@ -127,4 +127,4 @@ This happens without considering PDBs, regardless of the target size you're scal That means when you reduce the `desiredSize` of an Amazon EKS managed node group, [.noloc]`Pods` are evicted as soon as the nodes are terminated, without honoring any PDBs. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[update-managed-node-group,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23update-managed-node-group%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/update-stack.adoc b/latest/ug/nodes/update-stack.adoc index a1cc8967f..d646a1a2d 100644 --- a/latest/ug/nodes/update-stack.adoc +++ b/latest/ug/nodes/update-stack.adoc @@ -108,4 +108,4 @@ kubectl scale deployments/cluster-autoscaler --replicas=1 -n kube-system . (Optional) Verify that you're using the latest version of the https://github.com/aws/amazon-vpc-cni-k8s[Amazon VPC CNI plugin for Kubernetes]. You might need to update your [.noloc]`Amazon VPC CNI plugin for Kubernetes` version to use the latest supported instance types. For more information, see <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[update-stack,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23update-stack%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/update-workers.adoc b/latest/ug/nodes/update-workers.adoc index 61820a8a5..57f0e975c 100644 --- a/latest/ug/nodes/update-workers.adoc +++ b/latest/ug/nodes/update-workers.adoc @@ -32,4 +32,4 @@ include::migrate-stack.adoc[leveloffset=+1] include::update-stack.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[update-workers,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23update-workers%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/worker.adoc b/latest/ug/nodes/worker.adoc index 9fa5c9a39..966c5eb01 100644 --- a/latest/ug/nodes/worker.adoc +++ b/latest/ug/nodes/worker.adoc @@ -35,4 +35,4 @@ To add self-managed nodes to your Amazon EKS cluster, see the topics that follow [[Topic List]] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[worker,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23worker%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/observability/cloudwatch.adoc b/latest/ug/observability/cloudwatch.adoc index 4569ad09c..8035a790c 100644 --- a/latest/ug/observability/cloudwatch.adoc +++ b/latest/ug/observability/cloudwatch.adoc @@ -268,4 +268,4 @@ The topics below describe how to get started using CloudWatch Observability Oper * For more information about Container Insights, see link:AmazonCloudWatch/latest/monitoring/ContainerInsights.html[Using Container Insights,type="documentation"] in the _Amazon CloudWatch User Guide_. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cloudwatch,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cloudwatch%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/observability/control-plane-logs.adoc b/latest/ug/observability/control-plane-logs.adoc index 55122e6e2..4eb1a53c1 100644 --- a/latest/ug/observability/control-plane-logs.adoc +++ b/latest/ug/observability/control-plane-logs.adoc @@ -159,4 +159,4 @@ NOTE: If you don't see the API server logs at the beginning of the log stream, t However, you can create a new cluster with the same [.noloc]`Kubernetes` version and enable the API server logging when you create the cluster. Clusters with the same platform version have the same flags enabled, so your flags should match the new cluster's flags. When you finish viewing the flags for the new cluster in CloudWatch, you can delete the new cluster. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[control-plane-logs,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23control-plane-logs%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/observability/deploy-prometheus.adoc b/latest/ug/observability/deploy-prometheus.adoc index ea3b40bb6..151b2087f 100644 --- a/latest/ug/observability/deploy-prometheus.adoc +++ b/latest/ug/observability/deploy-prometheus.adoc @@ -77,4 +77,4 @@ image::images/prometheus.png[Prometheus console,scaledwidth=100%] All of the [.noloc]`Kubernetes` endpoints that are connected to [.noloc]`Prometheus` using service discovery are displayed. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[deploy-prometheus,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23deploy-prometheus%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/observability/eks-observe.adoc b/latest/ug/observability/eks-observe.adoc index 1109a60fc..db6a4a739 100644 --- a/latest/ug/observability/eks-observe.adoc +++ b/latest/ug/observability/eks-observe.adoc @@ -164,4 +164,4 @@ include::logging-using-cloudtrail.adoc[leveloffset=+1] include::opentelemetry.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-observe,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-observe%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/observability/enable-asg-metrics.adoc b/latest/ug/observability/enable-asg-metrics.adoc index ff8d35ccf..ffaeb8b3c 100644 --- a/latest/ug/observability/enable-asg-metrics.adoc +++ b/latest/ug/observability/enable-asg-metrics.adoc @@ -17,4 +17,4 @@ With Auto Scaling group metrics collection, you're able to monitor the scaling o If you would prefer to not have these metrics collected, you can choose to disable all or only some of them. For example, you can do this to avoid noise in your CloudWatch dashboards. For more information, see link:autoscaling/ec2/userguide/ec2-auto-scaling-cloudwatch-monitoring.html[Amazon CloudWatch metrics for Amazon EC2 Auto Scaling,type="documentation"]. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[enable-asg-metrics,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23enable-asg-metrics%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/observability/logging-using-cloudtrail.adoc b/latest/ug/observability/logging-using-cloudtrail.adoc index a9128b7f2..cca499f23 100644 --- a/latest/ug/observability/logging-using-cloudtrail.adoc +++ b/latest/ug/observability/logging-using-cloudtrail.adoc @@ -28,4 +28,4 @@ include::understanding-service-name-entries.adoc[leveloffset=+1] include::enable-asg-metrics.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[logging-using-cloudtrail,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23logging-using-cloudtrail%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/observability/observability-dashboard.adoc b/latest/ug/observability/observability-dashboard.adoc index f5ab29224..fbcf13752 100644 --- a/latest/ug/observability/observability-dashboard.adoc +++ b/latest/ug/observability/observability-dashboard.adoc @@ -119,4 +119,4 @@ When you refresh the page, any resolved issues will disappear from the list. If For node health issues to be reported, your cluster must use Amazon EKS Auto Mode or have the node monitoring agent add-on. For more information, see <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[observability-dashboard,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23observability-dashboard%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/observability/opentelemetry.adoc b/latest/ug/observability/opentelemetry.adoc index f0568e7b7..bc11fa2bf 100644 --- a/latest/ug/observability/opentelemetry.adoc +++ b/latest/ug/observability/opentelemetry.adoc @@ -16,4 +16,4 @@ Amazon EKS supports using the {aws-management-console}, {aws} CLI and Amazon EKS For more information, see https://aws-otel.github.io/docs/getting-started/adot-eks-add-on[Getting Started with {aws} Distro for OpenTelemetry using EKS Add-Ons] in the {aws} Distro for [.noloc]`OpenTelemetry` documentation. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[opentelemetry,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23opentelemetry%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/observability/prometheus.adoc b/latest/ug/observability/prometheus.adoc index 63912db89..21022875b 100644 --- a/latest/ug/observability/prometheus.adoc +++ b/latest/ug/observability/prometheus.adoc @@ -88,4 +88,4 @@ include::deploy-prometheus.adoc[leveloffset=+1] include::view-raw-metrics.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[prometheus,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23prometheus%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/observability/service-name-info-in-cloudtrail.adoc b/latest/ug/observability/service-name-info-in-cloudtrail.adoc index 65202092d..e4f1ab621 100644 --- a/latest/ug/observability/service-name-info-in-cloudtrail.adoc +++ b/latest/ug/observability/service-name-info-in-cloudtrail.adoc @@ -25,4 +25,4 @@ Every event or log entry contains information about the type of IAM identity tha For more information, see the link:awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html[CloudTrail userIdentity element,type="documentation"]. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[service-name-info-in-cloudtrail,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23service-name-info-in-cloudtrail%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/observability/understanding-service-name-entries.adoc b/latest/ug/observability/understanding-service-name-entries.adoc index aabee4fc6..0418fb251 100644 --- a/latest/ug/observability/understanding-service-name-entries.adoc +++ b/latest/ug/observability/understanding-service-name-entries.adoc @@ -120,4 +120,4 @@ The following example shows a CloudTrail log entry that demonstrates a ` link:IA ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[understanding-service-name-entries,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23understanding-service-name-entries%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/observability/view-raw-metrics.adoc b/latest/ug/observability/view-raw-metrics.adoc index 0cbbe652b..9e8763117 100644 --- a/latest/ug/observability/view-raw-metrics.adoc +++ b/latest/ug/observability/view-raw-metrics.adoc @@ -336,4 +336,4 @@ kubectl port-forward pods/prom-pod 9090:9090 For your Amazon EKS cluster, the core Kubernetes control plane metrics are also ingested into Amazon CloudWatch Metrics under the `AWS/EKS` namespace. To view them, open the link:cloudwatch/home#logs:prefix=/aws/eks[CloudWatch console,type="console"] and select *All metrics* from the left navigation pane. On the *Metrics* selection page, choose the `AWS/EKS` namespace and a metrics dimension for your cluster. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[view-raw-metrics,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23view-raw-metrics%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/outposts/eks-outposts-capacity-considerations.adoc b/latest/ug/outposts/eks-outposts-capacity-considerations.adoc index 715540914..8f42dc574 100644 --- a/latest/ug/outposts/eks-outposts-capacity-considerations.adoc +++ b/latest/ug/outposts/eks-outposts-capacity-considerations.adoc @@ -66,4 +66,4 @@ You are responsible for creating the desired placement group. You specify the pl * You can create a maximum of 500 placement groups per account in each {aws} Region. For more information, see link:AWSEC2/latest/UserGuide/placement-groups.html#placement-groups-limitations-general[General rules and limitations,type="documentation"] in the Amazon EC2 User Guide. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-outposts-capacity-considerations,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-outposts-capacity-considerations%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/outposts/eks-outposts-local-cluster-create.adoc b/latest/ug/outposts/eks-outposts-local-cluster-create.adoc index 515c171e0..c49c15ddb 100644 --- a/latest/ug/outposts/eks-outposts-local-cluster-create.adoc +++ b/latest/ug/outposts/eks-outposts-local-cluster-create.adoc @@ -268,4 +268,4 @@ Recommended next steps: * Consider setting up a backup plan for your `etcd`. Amazon EKS doesn't support automated backup and restore of `etcd` for local clusters. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/#backing-up-an-etcd-cluster[Backing up an etcd cluster] in the [.noloc]`Kubernetes` documentation. The two main options are using `etcdctl` to automate taking snapshots or using Amazon EBS storage volume backup. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-outposts-local-cluster-create,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-outposts-local-cluster-create%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc b/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc index 034e4bcb9..79bd547c8 100644 --- a/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc +++ b/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc @@ -39,4 +39,4 @@ You can create local clusters in the following {aws} Regions: US East (Ohio), US [[Topic List]] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-outposts-local-cluster-overview,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-outposts-local-cluster-overview%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/outposts/eks-outposts-network-disconnects.adoc b/latest/ug/outposts/eks-outposts-network-disconnects.adoc index 4cf34f1e7..9fd57495b 100644 --- a/latest/ug/outposts/eks-outposts-network-disconnects.adoc +++ b/latest/ug/outposts/eks-outposts-network-disconnects.adoc @@ -180,4 +180,4 @@ kubectl config use-context admin@my-cluster --kubeconfig admin.kubeconfig If you notice any issues with your local clusters while they're in a disconnected state, we recommend opening a support ticket. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-outposts-network-disconnects,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-outposts-network-disconnects%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/outposts/eks-outposts-platform-versions.adoc b/latest/ug/outposts/eks-outposts-platform-versions.adoc index 4a0f24924..20f630319 100644 --- a/latest/ug/outposts/eks-outposts-platform-versions.adoc +++ b/latest/ug/outposts/eks-outposts-platform-versions.adoc @@ -226,4 +226,4 @@ The following admission controllers are enabled for all `1.27` platform versions |=== -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-outposts-platform-versions,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-outposts-platform-versions%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc index 44c56a1fb..162b5283d 100644 --- a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc +++ b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc @@ -223,4 +223,4 @@ kubectl apply -f https://raw.githubusercontent.com/NVIDIA/k8s-device-plugin/vX.X . If your cluster is deployed on an Outpost, then skip this step. If your cluster is deployed on the {aws} Cloud, the following information is optional. If the *AmazonEKS_CNI_Policy* managed IAM policy is attached to your <>, we recommend assigning it to an IAM role that you associate to the [.noloc]`Kubernetes` `aws-node` service account instead. For more information, see <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-outposts-self-managed-nodes,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-outposts-self-managed-nodes%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/outposts/eks-outposts-troubleshooting.adoc b/latest/ug/outposts/eks-outposts-troubleshooting.adoc index 3a9d02e91..2e03a3a36 100644 --- a/latest/ug/outposts/eks-outposts-troubleshooting.adoc +++ b/latest/ug/outposts/eks-outposts-troubleshooting.adoc @@ -275,4 +275,4 @@ To resolve this issue, make sure that your VPC and subnets meet the requirements ==== -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-outposts-troubleshooting,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-outposts-troubleshooting%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc b/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc index ec6151e96..fcd84384d 100644 --- a/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc +++ b/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc @@ -111,4 +111,4 @@ You can create a VPC that meets the previous requirements using one of the follo * *https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2023-03-20/amazon-eks-local-outposts-fully-private-vpc-subnet.yaml[Template 2]* – This template creates a VPC with one private subnet on the Outpost and the minimum set of VPC Endpoints required to create a local cluster in a subnet that doesn't have ingress or egress internet access (also referred to as a private subnet). -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-outposts-vpc-subnet-requirements,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-outposts-vpc-subnet-requirements%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/outposts/eks-outposts.adoc b/latest/ug/outposts/eks-outposts.adoc index 5370bb469..0338d132c 100644 --- a/latest/ug/outposts/eks-outposts.adoc +++ b/latest/ug/outposts/eks-outposts.adoc @@ -156,4 +156,4 @@ include::eks-outposts-local-cluster-overview.adoc[leveloffset=+1] include::eks-outposts-self-managed-nodes.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-outposts,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-outposts%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/quickstart.adoc b/latest/ug/quickstart.adoc index 9f28653e8..34df546b7 100644 --- a/latest/ug/quickstart.adoc +++ b/latest/ug/quickstart.adoc @@ -281,4 +281,4 @@ eksctl delete cluster -f ./cluster-config.yaml EKS will automatically clean up any nodes it provisioned when the cluster is deleted. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[quickstart,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23quickstart%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/related-projects.adoc b/latest/ug/related-projects.adoc index 64bb8e038..6546e2118 100644 --- a/latest/ug/related-projects.adoc +++ b/latest/ug/related-projects.adoc @@ -197,4 +197,4 @@ CI/CD solution for modern cloud applications on Amazon EKS and [.noloc]`Kubernet * https://jenkins-x.io/docs/[Project documentation] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[related-projects,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23related-projects%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/roadmap.adoc b/latest/ug/roadmap.adoc index caa37a4a7..24a164fc7 100644 --- a/latest/ug/roadmap.adoc +++ b/latest/ug/roadmap.adoc @@ -20,4 +20,4 @@ Follow the What's New feed and public roadmap to help plan for new and future Am You can learn about new Amazon EKS features by scrolling to the What's New feed on the link:new/?whats-new-content-all.sort-by=item.additionalFields.postDateTime&whats-new-content-all.sort-order=desc&awsf.whats-new-compute=*all&awsf.whats-new-containers=general-products%23amazon-eks[What's New with {aws},type="marketing"] page. You can also review the https://github.com/aws/containers-roadmap/projects/1?card_filter_query=eks[roadmap] on [.noloc]`GitHub`, which lets you know about upcoming features and priorities so that you can plan how you want to use Amazon EKS in the future. You can provide direct feedback to us about the roadmap priorities. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[roadmap,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23roadmap%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/auto-security.adoc b/latest/ug/security/auto-security.adoc index cbb6d85ea..bddc6c00c 100644 --- a/latest/ug/security/auto-security.adoc +++ b/latest/ug/security/auto-security.adoc @@ -102,4 +102,4 @@ The following section describes security best practices for Amazon EKS Auto Mode * Implement pod security standards appropriate for your workloads. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-security,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-security%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/cert-signing.adoc b/latest/ug/security/cert-signing.adoc index b55621662..71aecf692 100644 --- a/latest/ug/security/cert-signing.adoc +++ b/latest/ug/security/cert-signing.adoc @@ -138,4 +138,4 @@ kubectl certificate approve csr-7znmf To auto-approve CSRs in the future, we recommend that you write an approving controller that can automatically validate and approve CSRs that contain IP or DNS SANs that Amazon EKS can't verify. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cert-signing,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cert-signing%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/compliance.adoc b/latest/ug/security/compliance.adoc index ccadd2e51..81ea55434 100644 --- a/latest/ug/security/compliance.adoc +++ b/latest/ug/security/compliance.adoc @@ -30,4 +30,4 @@ NOTE: Not all {aws} services are HIPAA eligible. For more information, see the l * link:audit-manager/latest/userguide/what-is.html[{aws} Audit Manager,type="documentation"] – This {aws} service helps you continuously audit your {aws} usage to simplify how you manage risk and compliance with regulations and industry standards. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[compliance,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23compliance%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/configuration-vulnerability-analysis.adoc b/latest/ug/security/configuration-vulnerability-analysis.adoc index f9a11dbb2..1b2b504a7 100644 --- a/latest/ug/security/configuration-vulnerability-analysis.adoc +++ b/latest/ug/security/configuration-vulnerability-analysis.adoc @@ -59,4 +59,4 @@ Amazon GuardDuty threat detection service that helps protect your accounts, cont For more information, see <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[configuration-vulnerability-analysis,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23configuration-vulnerability-analysis%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/default-roles-users.adoc b/latest/ug/security/default-roles-users.adoc index ebc2e89ac..16bf09e27 100644 --- a/latest/ug/security/default-roles-users.adoc +++ b/latest/ug/security/default-roles-users.adoc @@ -193,4 +193,4 @@ Subjects: ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[default-roles-users,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23default-roles-users%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/disaster-recovery-resiliency.adoc b/latest/ug/security/disaster-recovery-resiliency.adoc index c864c6303..e097849eb 100644 --- a/latest/ug/security/disaster-recovery-resiliency.adoc +++ b/latest/ug/security/disaster-recovery-resiliency.adoc @@ -25,4 +25,4 @@ This control plane consists of at least two API server instances and three `etcd For more information about {aws} Regions and Availability Zones, see link:about-aws/global-infrastructure/[{aws} global infrastructure,type="marketing"]. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[disaster-recovery-resiliency,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23disaster-recovery-resiliency%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/enable-kms.adoc b/latest/ug/security/enable-kms.adoc index 44e501124..2418637a7 100644 --- a/latest/ug/security/enable-kms.adoc +++ b/latest/ug/security/enable-kms.adoc @@ -188,4 +188,4 @@ For clusters using KMS Envelope Encryption, `kms:CreateGrant` permissions are re ==== -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[enable-kms,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23enable-kms%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc b/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc index c42a407df..1d4bf5474 100644 --- a/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc +++ b/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc @@ -153,4 +153,4 @@ aws iam attach-role-policy \ ``` -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-cluster-iam-role,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-cluster-iam-role%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/auto-create-node-role.adoc b/latest/ug/security/iam-reference/auto-create-node-role.adoc index d17a152ae..348041ecd 100644 --- a/latest/ug/security/iam-reference/auto-create-node-role.adoc +++ b/latest/ug/security/iam-reference/auto-create-node-role.adoc @@ -117,4 +117,4 @@ aws iam attach-role-policy \ ``` -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[auto-create-node-role,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-create-node-role%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/cluster-iam-role.adoc b/latest/ug/security/iam-reference/cluster-iam-role.adoc index 60a1fc400..51a7e242c 100644 --- a/latest/ug/security/iam-reference/cluster-iam-role.adoc +++ b/latest/ug/security/iam-reference/cluster-iam-role.adoc @@ -148,4 +148,4 @@ aws iam attach-role-policy \ ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[cluster-iam-role,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cluster-iam-role%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/connector-iam-role.adoc b/latest/ug/security/iam-reference/connector-iam-role.adoc index 42d99c00d..863dc6508 100644 --- a/latest/ug/security/iam-reference/connector-iam-role.adoc +++ b/latest/ug/security/iam-reference/connector-iam-role.adoc @@ -169,4 +169,4 @@ Outputs: .. On the *Review* page, review your information, acknowledge that the stack might create IAM resources, and then choose *Create stack*. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[connector-iam-role,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23connector-iam-role%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/create-node-role.adoc b/latest/ug/security/iam-reference/create-node-role.adoc index 09a446e66..62eca7918 100644 --- a/latest/ug/security/iam-reference/create-node-role.adoc +++ b/latest/ug/security/iam-reference/create-node-role.adoc @@ -198,4 +198,4 @@ aws iam attach-role-policy \ ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[create-node-role,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23create-node-role%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/pod-execution-role.adoc b/latest/ug/security/iam-reference/pod-execution-role.adoc index 2c678bf76..2b84df770 100644 --- a/latest/ug/security/iam-reference/pod-execution-role.adoc +++ b/latest/ug/security/iam-reference/pod-execution-role.adoc @@ -169,4 +169,4 @@ aws iam attach-role-policy \ ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[pod-execution-role,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pod-execution-role%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc index 69df449ee..e73a0b9f5 100644 --- a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc +++ b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc @@ -499,4 +499,4 @@ Added the ability for the EBS CSI Driver to enable Fast Snapshot Restore (FSR) o |=== -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[security-iam-awsmanpol,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23security-iam-awsmanpol%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc b/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc index 29ae020f3..7255266f6 100644 --- a/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc +++ b/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc @@ -247,4 +247,4 @@ This example policy includes the minimum permissions required to list and descri ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[security-iam-id-based-policy-examples,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23security-iam-id-based-policy-examples%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc b/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc index fc25beeca..95bf478dd 100644 --- a/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc +++ b/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc @@ -152,4 +152,4 @@ Amazon EKS supports service roles. For more information, see < When you create a cluster resource in Amazon EKS, you must choose a role to allow Amazon EKS to access several other {aws} resources on your behalf. If you have previously created a service role, then Amazon EKS provides you with a list of roles to choose from. It's important to choose a role that has the Amazon EKS managed policies attached to it. For more information, see <> and <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[security-iam-service-with-iam,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23security-iam-service-with-iam%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc b/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc index e62705ac2..97003d036 100644 --- a/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc +++ b/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc @@ -77,4 +77,4 @@ Your containers receive this error if your application is explicitly making requ * Configure your service accounts to use the global endpoint. All versions earlier than `1.22` used the global endpoint by default, but version `1.22` and later clusters use the regional endpoint by default. For more information, see <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[security-iam-troubleshoot,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23security-iam-troubleshoot%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/security-iam.adoc b/latest/ug/security/iam-reference/security-iam.adoc index aa8b17cb5..bc2cc89a5 100644 --- a/latest/ug/security/iam-reference/security-iam.adoc +++ b/latest/ug/security/iam-reference/security-iam.adoc @@ -143,4 +143,4 @@ Amazon S3, {aws} WAF, and Amazon VPC are examples of services that support ACLs. When multiple types of policies apply to a request, the resulting permissions are more complicated to understand. To learn how {aws} determines whether to allow a request when multiple policy types are involved, see link:IAM/latest/UserGuide/reference_policies_evaluation-logic.html[Policy evaluation logic,type="documentation"] in the _IAM User Guide_. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[security-iam,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23security-iam%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc index 728fe50e6..cb8178637 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc @@ -73,4 +73,4 @@ If the Amazon EKS service is using the role when you try to delete the resources Use the IAM console, the {aws} CLI, or the {aws} API to delete the AWSServiceRoleForAmazonEKSConnector service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role[Deleting a service-linked role,type="documentation"] in the _IAM User Guide_. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[using-service-linked-roles-eks-connector,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23using-service-linked-roles-eks-connector%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc index 4617dcd60..81f4977dc 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc @@ -93,4 +93,4 @@ Use the IAM console, the {aws} CLI, or the {aws} API to delete the AWSServiceRol Amazon EKS supports using service-linked roles in all of the regions where the service is available. For more information, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"]. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[using-service-linked-roles-eks-fargate,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23using-service-linked-roles-eks-fargate%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc index 34cc80a63..f445a22b4 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc @@ -92,4 +92,4 @@ Use the IAM console, the {aws} CLI, or the {aws} API to delete the `AWSServiceRo Amazon EKS supports using service-linked roles in all of the regions where the service is available. For more information, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"]. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[using-service-linked-roles-eks-nodegroups,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23using-service-linked-roles-eks-nodegroups%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc index 17a7a9b94..0d24205fd 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc @@ -91,4 +91,4 @@ Use the IAM console, the {aws} CLI, or the {aws} API to delete the `AWSServiceRo Amazon EKS supports using service-linked roles in all of the regions where the service is available. For more information, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"]. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[using-service-linked-roles-eks-outpost,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23using-service-linked-roles-eks-outpost%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc index 2d2eeaf39..71b5982a6 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc @@ -87,4 +87,4 @@ Use the IAM console, the {aws} CLI, or the {aws} API to delete the `AWSServiceRo Amazon EKS supports using service-linked roles in all of the regions where the service is available. For more information, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"]. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[using-service-linked-roles-eks,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23using-service-linked-roles-eks%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/using-service-linked-roles.adoc b/latest/ug/security/iam-reference/using-service-linked-roles.adoc index a3033271c..b0b310c9d 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles.adoc @@ -26,4 +26,4 @@ Amazon Elastic Kubernetes Service uses {aws} Identity and Access Management (IAM [[Topic List]] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[using-service-linked-roles,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23using-service-linked-roles%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/infrastructure-security.adoc b/latest/ug/security/infrastructure-security.adoc index b592712bb..1b8304278 100644 --- a/latest/ug/security/infrastructure-security.adoc +++ b/latest/ug/security/infrastructure-security.adoc @@ -38,4 +38,4 @@ For more information about modifying cluster endpoint access, see <>. Project [.noloc]`Calico` is a third party open source project. For more information, see the https://docs.tigera.io/calico/latest/getting-started/kubernetes/managed-public-cloud/eks/[Project Calico documentation]. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[infrastructure-security,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23infrastructure-security%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/manage-secrets.adoc b/latest/ug/security/manage-secrets.adoc index 440e4962f..45a638db6 100644 --- a/latest/ug/security/manage-secrets.adoc +++ b/latest/ug/security/manage-secrets.adoc @@ -21,4 +21,4 @@ If you use Secrets Manager automatic rotation for your secrets, you can also use For more information, see link:secretsmanager/latest/userguide/integrating_csi_driver.html[Using Secrets Manager secrets in Amazon EKS,type="documentation"] in the {aws} Secrets Manager User Guide. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[manage-secrets,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23manage-secrets%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/pod-security-policy-removal-faq.adoc b/latest/ug/security/pod-security-policy-removal-faq.adoc index 9116eb0f6..ff8b98389 100644 --- a/latest/ug/security/pod-security-policy-removal-faq.adoc +++ b/latest/ug/security/pod-security-policy-removal-faq.adoc @@ -114,4 +114,4 @@ We don't expect any specific impact to Windows workloads. PodSecurityContext has ==== -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[pod-security-policy-removal-faq,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pod-security-policy-removal-faq%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/pod-security-policy.adoc b/latest/ug/security/pod-security-policy.adoc index 6d1afacb9..881210b20 100644 --- a/latest/ug/security/pod-security-policy.adoc +++ b/latest/ug/security/pod-security-policy.adoc @@ -194,4 +194,4 @@ kubectl apply -f privileged-podsecuritypolicy.yaml ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[pod-security-policy,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pod-security-policy%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/security-best-practices.adoc b/latest/ug/security/security-best-practices.adoc index c85687357..8b5d8db4a 100644 --- a/latest/ug/security/security-best-practices.adoc +++ b/latest/ug/security/security-best-practices.adoc @@ -13,4 +13,4 @@ Learn how to secure your Amazon EKS clusters by following the best practices fro The Amazon EKS security best practices are in the link:eks/latest/best-practices/security.html[Best Practices for Security,type="documentation"] in the _Amazon EKS Best Practices Guide_. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[security-best-practices,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23security-best-practices%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/security-eks.adoc b/latest/ug/security/security-eks.adoc index e898a94fd..3252411b0 100644 --- a/latest/ug/security/security-eks.adoc +++ b/latest/ug/security/security-eks.adoc @@ -20,4 +20,4 @@ The following are considerations for security of the cloud, as they affect Amazo [[Topic List]] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[security-eks,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23security-eks%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/security-k8s.adoc b/latest/ug/security/security-k8s.adoc index f8358ea0b..134e6ebc0 100644 --- a/latest/ug/security/security-k8s.adoc +++ b/latest/ug/security/security-k8s.adoc @@ -28,4 +28,4 @@ The following are considerations for security in the cloud, as they affect [.nol [[Topic List]] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[security-k8s,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23security-k8s%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/security.adoc b/latest/ug/security/security.adoc index eaabb81b7..dac15f8a9 100644 --- a/latest/ug/security/security.adoc +++ b/latest/ug/security/security.adoc @@ -61,4 +61,4 @@ This documentation helps you understand how to apply the shared responsibility m [[Topic List]] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[security,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23security%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/vpc-interface-endpoints.adoc b/latest/ug/security/vpc-interface-endpoints.adoc index 20967f3dc..864dfd57a 100644 --- a/latest/ug/security/vpc-interface-endpoints.adoc +++ b/latest/ug/security/vpc-interface-endpoints.adoc @@ -60,4 +60,4 @@ However, To use the dual-stack endpoints with the {aws} CLI, see the link:sdkref * Any call made to the Amazon EKS default service endpoint is automatically routed through the interface endpoint over the private {aws} network. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[vpc-interface-endpoints,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23vpc-interface-endpoints%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/storage/csi-snapshot-controller.adoc b/latest/ug/storage/csi-snapshot-controller.adoc index 5c8c8d99a..413dbbd8a 100644 --- a/latest/ug/storage/csi-snapshot-controller.adoc +++ b/latest/ug/storage/csi-snapshot-controller.adoc @@ -26,4 +26,4 @@ We recommend that you install the CSI snapshot controller through the Amazon EKS Alternatively, if you want a self-managed installation of the CSI snapshot controller, see https://github.com/kubernetes-csi/external-snapshotter/blob/master/README.md#usage[Usage] in the upstream [.noloc]`Kubernetes` `external-snapshotter` on [.noloc]`GitHub`. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[csi-snapshot-controller,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23csi-snapshot-controller%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/storage/ebs-csi-migration-faq.adoc b/latest/ug/storage/ebs-csi-migration-faq.adoc index 2aab01088..2a0a36b3c 100644 --- a/latest/ug/storage/ebs-csi-migration-faq.adoc +++ b/latest/ug/storage/ebs-csi-migration-faq.adoc @@ -139,4 +139,4 @@ The new https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/m Yes. If you're installing the Amazon EBS CSI driver using the open source Helm chart, set `node.enableWindows` to `true`. This is set by default if installing the Amazon EBS CSI driver as an Amazon EKS add-on. When creating `StorageClasses`, set the `fsType` to a Windows file system, such as `ntfs`. Volume operations for Windows workloads are then migrated to the Amazon EBS CSI driver the same as they are for Linux workloads. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[ebs-csi-migration-faq,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23ebs-csi-migration-faq%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/storage/ebs-csi.adoc b/latest/ug/storage/ebs-csi.adoc index b14fab3bd..eeb92fd49 100644 --- a/latest/ug/storage/ebs-csi.adoc +++ b/latest/ug/storage/ebs-csi.adoc @@ -363,4 +363,4 @@ Alternatively, if you want a self-managed installation of the Amazon EBS CSI dri You can deploy a variety of sample apps and modify them as needed. For more information, see https://github.com/kubernetes-sigs/aws-ebs-csi-driver/tree/master/examples/kubernetes[Kubernetes Examples] on [.noloc]`GitHub`. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[ebs-csi,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23ebs-csi%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/storage/efs-csi.adoc b/latest/ug/storage/efs-csi.adoc index 2c9d96765..40a93c04f 100644 --- a/latest/ug/storage/efs-csi.adoc +++ b/latest/ug/storage/efs-csi.adoc @@ -194,4 +194,4 @@ To create an Amazon EFS file system, see https://github.com/kubernetes-sigs/aws- You can deploy a variety of sample apps and modify them as needed. For more information, see https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/README.md#examples[Examples] on [.noloc]`GitHub`. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[efs-csi,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23efs-csi%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/storage/file-cache-csi.adoc b/latest/ug/storage/file-cache-csi.adoc index b48e97641..21b8a7ceb 100644 --- a/latest/ug/storage/file-cache-csi.adoc +++ b/latest/ug/storage/file-cache-csi.adoc @@ -16,4 +16,4 @@ Amazon File Cache is a fully managed, high-speed cache on {aws} that's used to p The Amazon File Cache Container Storage Interface (CSI) driver provides a CSI interface that allows Amazon EKS clusters to manage the life cycle of Amazon file caches. Note that the Amazon File Cache CSI driver is not compatible with Amazon EKS Hybrid Nodes. To deploy the Amazon File Cache CSI driver to your Amazon EKS cluster, see https://github.com/kubernetes-sigs/aws-file-cache-csi-driver[aws-file-cache-csi-driver] on GitHub. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[file-cache-csi,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23file-cache-csi%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/storage/fsx-csi.adoc b/latest/ug/storage/fsx-csi.adoc index 217470b25..948668ea4 100644 --- a/latest/ug/storage/fsx-csi.adoc +++ b/latest/ug/storage/fsx-csi.adoc @@ -301,4 +301,4 @@ Before deleting the cluster, make sure to delete the FSx for Lustre file system. ==== -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[fsx-csi,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23fsx-csi%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/storage/fsx-ontap.adoc b/latest/ug/storage/fsx-ontap.adoc index 0714fa61f..47008a902 100644 --- a/latest/ug/storage/fsx-ontap.adoc +++ b/latest/ug/storage/fsx-ontap.adoc @@ -16,4 +16,4 @@ The [.noloc]`NetApp Trident` provides dynamic storage orchestration using a Cont Amazon FSx for NetApp ONTAP is a storage service that allows you to launch and run fully managed [.noloc]`ONTAP` file systems in the cloud. [.noloc]`ONTAP` is [.noloc]`NetApp's` file system technology that provides a widely adopted set of data access and data management capabilities. FSx for ONTAP provides the features, performance, and APIs of on-premises [.noloc]`NetApp` file systems with the agility, scalability, and simplicity of a fully managed {aws} service. For more information, see the link:fsx/latest/ONTAPGuide/what-is-fsx-ontap.html[FSx for ONTAP User Guide,type="documentation"]. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[fsx-ontap,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23fsx-ontap%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/storage/fsx-openzfs-csi.adoc b/latest/ug/storage/fsx-openzfs-csi.adoc index ba1d4e2cb..05ba5a6bb 100644 --- a/latest/ug/storage/fsx-openzfs-csi.adoc +++ b/latest/ug/storage/fsx-openzfs-csi.adoc @@ -16,4 +16,4 @@ Amazon FSx for OpenZFS is a fully managed file storage service that makes it eas The FSx for OpenZFS Container Storage Interface (CSI) driver provides a CSI interface that allows Amazon EKS clusters to manage the life cycle of FSx for OpenZFS volumes. Note that the Amazon FSx for OpenZFS CSI driver is not compatible with Amazon EKS Hybrid Nodes. To deploy the FSx for OpenZFS CSI driver to your Amazon EKS cluster, see https://github.com/kubernetes-sigs/aws-fsx-openzfs-csi-driver[aws-fsx-openzfs-csi-driver] on GitHub. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[fsx-openzfs-csi,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23fsx-openzfs-csi%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/storage/s3-csi.adoc b/latest/ug/storage/s3-csi.adoc index 101f79b8f..88300c2ae 100644 --- a/latest/ug/storage/s3-csi.adoc +++ b/latest/ug/storage/s3-csi.adoc @@ -416,4 +416,4 @@ aws eks delete-addon --cluster-name my-cluster --addon-name aws-mountpoint-s3-cs ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[s3-csi,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23s3-csi%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/storage/storage.adoc b/latest/ug/storage/storage.adoc index b86bae2e4..fc08fd089 100644 --- a/latest/ug/storage/storage.adoc +++ b/latest/ug/storage/storage.adoc @@ -50,4 +50,4 @@ include::s3-csi.adoc[leveloffset=+1] include::csi-snapshot-controller.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[storage,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23storage%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/troubleshooting/troubleshooting.adoc b/latest/ug/troubleshooting/troubleshooting.adoc index 52071c7c7..347a962e1 100644 --- a/latest/ug/troubleshooting/troubleshooting.adoc +++ b/latest/ug/troubleshooting/troubleshooting.adoc @@ -715,4 +715,4 @@ The first two columns are what are needed for API response values. The third fie |=== -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[troubleshooting,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23troubleshooting%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/what-is/common-use-cases.adoc b/latest/ug/what-is/common-use-cases.adoc index 9b5026f77..afb62f148 100644 --- a/latest/ug/what-is/common-use-cases.adoc +++ b/latest/ug/what-is/common-use-cases.adoc @@ -47,4 +47,4 @@ Utilize link:ec2/spot/[Spot Instances,type="marketing"] to run your batch proces Implement strong security practices and maintain compliance with Amazon EKS, which integrates with {aws} security services such as link:iam/[{aws} Identity and Access Management,type="marketing"] (IAM), link:vpc/[Amazon Virtual Private Cloud,type="marketing"] (Amazon VPC), and link:kms/[{aws} Key Management Service,type="marketing"] ({aws} KMS). This ensures data privacy and protection as per industry standards. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[common-use-cases,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23common-use-cases%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/what-is/eks-architecture.adoc b/latest/ug/what-is/eks-architecture.adoc index 5d9e92513..b49c88256 100644 --- a/latest/ug/what-is/eks-architecture.adoc +++ b/latest/ug/what-is/eks-architecture.adoc @@ -64,4 +64,4 @@ https://karpenter.sh/[Karpenter] is a flexible, high-performance [.noloc]`Kubern With <>, you can use your on-premises and edge infrastructure as nodes in Amazon EKS clusters. Amazon EKS Hybrid Nodes unifies Kubernetes management across environments and offloads Kubernetes control plane management to {aws} for your on-premises and edge applications. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-architecture,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-architecture%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/what-is/eks-deployment-options.adoc b/latest/ug/what-is/eks-deployment-options.adoc index 5384d0b71..b683a85f2 100644 --- a/latest/ug/what-is/eks-deployment-options.adoc +++ b/latest/ug/what-is/eks-deployment-options.adoc @@ -112,4 +112,4 @@ You can use the <> to register and connect a https://aws.amazon.com/eks/eks-distro/[Amazon EKS Distro] is the {aws} distribution of the underlying Kubernetes components that power all Amazon EKS offerings. It includes the core components required for a functioning Kubernetes cluster such as Kubernetes control plane components (etcd, kube-apiserver, kube-scheduler, kube-controller-manager) and networking components (CoreDNS, kube-proxy, CNI plugins). Amazon EKS Distro can be used to self-manage Kubernetes clusters with your choice of tooling. Amazon EKS Distro deployments are not covered by {aws} Support Plans. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-deployment-options,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-deployment-options%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/what-is/kubernetes-concepts.adoc b/latest/ug/what-is/kubernetes-concepts.adoc index 5eb1e6eaa..da9b231a3 100644 --- a/latest/ug/what-is/kubernetes-concepts.adoc +++ b/latest/ug/what-is/kubernetes-concepts.adoc @@ -259,4 +259,4 @@ Understanding basic [.noloc]`Kubernetes` concepts and how they relate to Amazon * <> -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[kubernetes-concepts,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23kubernetes-concepts%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index fcb6e220d..2a7860edd 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -94,4 +94,4 @@ include::kubernetes-concepts.adoc[leveloffset=+1] include::eks-deployment-options.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[what-is-eks,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23what-is-eks%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/add-ons-iam.adoc b/latest/ug/workloads/add-ons-iam.adoc index bdb4aa487..8f8c28f7e 100644 --- a/latest/ug/workloads/add-ons-iam.adoc +++ b/latest/ug/workloads/add-ons-iam.adoc @@ -36,4 +36,4 @@ Amazon EKS add-ons can help manage the life cycle of pod identity associations c * If you update the pod identity associations for an existing add-on, Amazon EKS initiates a rolling restart of the add-on pods. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[add-ons-iam,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23add-ons-iam%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/add-ons-images.adoc b/latest/ug/workloads/add-ons-images.adoc index 289eb58e9..f2efd120c 100644 --- a/latest/ug/workloads/add-ons-images.adoc +++ b/latest/ug/workloads/add-ons-images.adoc @@ -122,4 +122,4 @@ When you deploy <> to |=== -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[add-ons-images,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23add-ons-images%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/addon-compat.adoc b/latest/ug/workloads/addon-compat.adoc index ddd1e68b0..967d9f3aa 100644 --- a/latest/ug/workloads/addon-compat.adoc +++ b/latest/ug/workloads/addon-compat.adoc @@ -71,4 +71,4 @@ The `computeTypes` field in the `describe-addon-versions` output indicates an ad For more information, see <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[addon-compat,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23addon-compat%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/addon-id-troubleshoot.adoc b/latest/ug/workloads/addon-id-troubleshoot.adoc index 175b10235..2f47b0cf8 100644 --- a/latest/ug/workloads/addon-id-troubleshoot.adoc +++ b/latest/ug/workloads/addon-id-troubleshoot.adoc @@ -41,4 +41,4 @@ aws iam get-role --role-name --query Role.AssumeRolePolicyDocument ** For information about the available add-ons, see <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[addon-id-troubleshoot,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23addon-id-troubleshoot%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/alb-ingress.adoc b/latest/ug/workloads/alb-ingress.adoc index 3a5a2e3d1..bff2f4f6e 100644 --- a/latest/ug/workloads/alb-ingress.adoc +++ b/latest/ug/workloads/alb-ingress.adoc @@ -247,4 +247,4 @@ kubectl delete -f 2048_full.yaml ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[alb-ingress,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23alb-ingress%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/community-addons.adoc b/latest/ug/workloads/community-addons.adoc index 68712721d..e8a27375f 100644 --- a/latest/ug/workloads/community-addons.adoc +++ b/latest/ug/workloads/community-addons.adoc @@ -74,4 +74,4 @@ The Kubernetes Metrics Server is a scalable and efficient source of container re link:samples/attributions-md.zip[View license attributions for this add-on. ] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[community-addons,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23community-addons%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/copy-image-to-repository.adoc b/latest/ug/workloads/copy-image-to-repository.adoc index ffdb3e6c4..e3e6c5d89 100644 --- a/latest/ug/workloads/copy-image-to-repository.adoc +++ b/latest/ug/workloads/copy-image-to-repository.adoc @@ -85,4 +85,4 @@ docker push 111122223333.dkr.ecr.region-code.amazonaws.com/cni-metrics-helper:v1 . Update the manifest file that you used to determine the image in a previous step with the `registry/repository:tag` for the image that you pushed. If you're installing with a Helm chart, there's often an option to specify the `registry/repository:tag`. When installing the chart, specify the `registry/repository:tag` for the image that you pushed to your repository. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[copy-image-to-repository,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23copy-image-to-repository%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/creating-an-add-on.adoc b/latest/ug/workloads/creating-an-add-on.adoc index e12307ce0..2447e3887 100644 --- a/latest/ug/workloads/creating-an-add-on.adoc +++ b/latest/ug/workloads/creating-an-add-on.adoc @@ -328,4 +328,4 @@ For a full list of available options, see `link:cli/latest/reference/eks/create- If you receive an error similar to the error in the previous output, visit the URL in the output of a previous step to subscribe to the add-on. Once subscribed, run the `create-addon` command again. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[creating-an-add-on,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23creating-an-add-on%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/eks-add-ons.adoc b/latest/ug/workloads/eks-add-ons.adoc index 447e9b5e3..b29fe6f4f 100644 --- a/latest/ug/workloads/eks-add-ons.adoc +++ b/latest/ug/workloads/eks-add-ons.adoc @@ -191,4 +191,4 @@ include::add-ons-iam.adoc[leveloffset=+1] include::kubernetes-field-management.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-add-ons,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-add-ons%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/eks-workloads.adoc b/latest/ug/workloads/eks-workloads.adoc index ba41ffea1..4127acdf7 100644 --- a/latest/ug/workloads/eks-workloads.adoc +++ b/latest/ug/workloads/eks-workloads.adoc @@ -58,4 +58,4 @@ include::eks-add-ons.adoc[leveloffset=+1] include::image-verification.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[eks-workloads,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-workloads%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/horizontal-pod-autoscaler.adoc b/latest/ug/workloads/horizontal-pod-autoscaler.adoc index 75f196d10..5339087c2 100644 --- a/latest/ug/workloads/horizontal-pod-autoscaler.adoc +++ b/latest/ug/workloads/horizontal-pod-autoscaler.adoc @@ -123,4 +123,4 @@ kubectl delete deployment.apps/php-apache service/php-apache horizontalpodautosc ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[horizontal-pod-autoscaler,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23horizontal-pod-autoscaler%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/image-verification.adoc b/latest/ug/workloads/image-verification.adoc index 50d7c3324..17f54dcfb 100644 --- a/latest/ug/workloads/image-verification.adoc +++ b/latest/ug/workloads/image-verification.adoc @@ -26,4 +26,4 @@ Before verifying container image signatures, configure the https://github.com/no ==== -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[image-verification,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23image-verification%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/kubernetes-field-management.adoc b/latest/ug/workloads/kubernetes-field-management.adoc index 460c4434e..d991aa0b2 100644 --- a/latest/ug/workloads/kubernetes-field-management.adoc +++ b/latest/ug/workloads/kubernetes-field-management.adoc @@ -149,4 +149,4 @@ NOTE: If you don't see `managedFields` in the output, add `--show-managed-fields Customize the fields not owned by {aws} for you add-on. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[kubernetes-field-management,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23kubernetes-field-management%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/network-load-balancing.adoc b/latest/ug/workloads/network-load-balancing.adoc index ba7764db5..62ffafa06 100644 --- a/latest/ug/workloads/network-load-balancing.adoc +++ b/latest/ug/workloads/network-load-balancing.adoc @@ -278,4 +278,4 @@ kubectl delete namespace nlb-sample-app ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[network-load-balancing,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23network-load-balancing%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/remove-addon-role.adoc b/latest/ug/workloads/remove-addon-role.adoc index 72e9ab766..1787e346e 100644 --- a/latest/ug/workloads/remove-addon-role.adoc +++ b/latest/ug/workloads/remove-addon-role.adoc @@ -26,4 +26,4 @@ aws eks update-addon --cluster-name \ ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[remove-addon-role,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23remove-addon-role%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/removing-an-addon.adoc b/latest/ug/workloads/removing-an-addon.adoc index c6be3eb1c..d6e2566cc 100644 --- a/latest/ug/workloads/removing-an-addon.adoc +++ b/latest/ug/workloads/removing-an-addon.adoc @@ -153,4 +153,4 @@ An error occurred (ResourceNotFoundException) when calling the DescribeAddon ope ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[removing-an-add-on,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23removing-an-add-on%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/restrict-service-external-ip.adoc b/latest/ug/workloads/restrict-service-external-ip.adoc index 31539908e..ea501e5cf 100644 --- a/latest/ug/workloads/restrict-service-external-ip.adoc +++ b/latest/ug/workloads/restrict-service-external-ip.adoc @@ -88,4 +88,4 @@ kubectl apply -f externalip-webhook.yaml An attempt to deploy a service to your cluster with an IP address specified for `externalIPs` that is not contained in the blocks that you specified in the Specify CIDR blocks step will fail. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[restrict-service-external-ip,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23restrict-service-external-ip%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/retreive-iam-info.adoc b/latest/ug/workloads/retreive-iam-info.adoc index 42c2c1f96..71ff54cb3 100644 --- a/latest/ug/workloads/retreive-iam-info.adoc +++ b/latest/ug/workloads/retreive-iam-info.adoc @@ -139,4 +139,4 @@ The following table indicates if certain Amazon EKS add-ons support EKS Pod Iden This table was last updated on October 28, 2024. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[retreive-iam-info,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23retreive-iam-info%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/sample-deployment-windows.adoc b/latest/ug/workloads/sample-deployment-windows.adoc index 58f68cebb..ffe724281 100644 --- a/latest/ug/workloads/sample-deployment-windows.adoc +++ b/latest/ug/workloads/sample-deployment-windows.adoc @@ -275,4 +275,4 @@ After you deploy the sample application, you might want to try some of the follo * <> -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[sample-deployment-win,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23sample-deployment-win%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/sample-deployment.adoc b/latest/ug/workloads/sample-deployment.adoc index 438ae485d..b518c43a5 100644 --- a/latest/ug/workloads/sample-deployment.adoc +++ b/latest/ug/workloads/sample-deployment.adoc @@ -272,4 +272,4 @@ After you deploy the sample application, you might want to try some of the follo * <> -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[sample-deployment,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23sample-deployment%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/update-addon-role.adoc b/latest/ug/workloads/update-addon-role.adoc index 4fd033704..308baa2bc 100644 --- a/latest/ug/workloads/update-addon-role.adoc +++ b/latest/ug/workloads/update-addon-role.adoc @@ -61,4 +61,4 @@ If successful, you should see output similar to the following. Note the OwnerARN ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[update-addon-role,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23update-addon-role%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/updating-an-add-on.adoc b/latest/ug/workloads/updating-an-add-on.adoc index 02f673aff..2baadb6be 100644 --- a/latest/ug/workloads/updating-an-add-on.adoc +++ b/latest/ug/workloads/updating-an-add-on.adoc @@ -213,4 +213,4 @@ An example output is as follows. The update is complete when the status is `ACTIVE`. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[updating-an-add-on,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23updating-an-add-on%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/vertical-pod-autoscaler.adoc b/latest/ug/workloads/vertical-pod-autoscaler.adoc index 54c65f9a9..9b79f7555 100644 --- a/latest/ug/workloads/vertical-pod-autoscaler.adoc +++ b/latest/ug/workloads/vertical-pod-autoscaler.adoc @@ -249,4 +249,4 @@ kubectl delete -f examples/hamster.yaml ---- -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[vertical-pod-autoscaler,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23vertical-pod-autoscaler%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/workloads-add-ons-available-eks.adoc b/latest/ug/workloads/workloads-add-ons-available-eks.adoc index 48e36c3d0..981bc5547 100644 --- a/latest/ug/workloads/workloads-add-ons-available-eks.adoc +++ b/latest/ug/workloads/workloads-add-ons-available-eks.adoc @@ -513,4 +513,4 @@ This add-on users permissions from the <>. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[workloads-add-ons-available-eks,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23workloads-add-ons-available-eks%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/workloads/workloads-add-ons-available-vendors.adoc b/latest/ug/workloads/workloads-add-ons-available-vendors.adoc index 084226d2d..11d939b68 100644 --- a/latest/ug/workloads/workloads-add-ons-available-vendors.adoc +++ b/latest/ug/workloads/workloads-add-ons-available-vendors.adoc @@ -885,4 +885,4 @@ A managed policy isn't used with this add-on. Custom permissions aren't used with this add-on. -📝 https://github.com/search?q=repo:awsdocs/amazon-eks-user-guide+[[workloads-add-ons-available-vendors,&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23workloads-add-ons-available-vendors%5D&type=code[Edit this page on GitHub] \ No newline at end of file From 6dcdaae3ff5639565e5da918dcadf3d667a52e59 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Thu, 6 Feb 2025 14:07:51 -0600 Subject: [PATCH 109/940] Update automode-learn-instances.adoc (#867) * Update automode-learn-instances.adoc * add minimum size requirements * add cross link * fixup --- latest/ug/automode/automode-learn-instances.adoc | 15 +++++++++++++-- latest/ug/automode/create-node-pool.adoc | 7 ++++--- latest/ug/clusters/update-cluster.adoc | 5 +---- 3 files changed, 18 insertions(+), 9 deletions(-) diff --git a/latest/ug/automode/automode-learn-instances.adoc b/latest/ug/automode/automode-learn-instances.adoc index 1a06b2dac..240eb924d 100644 --- a/latest/ug/automode/automode-learn-instances.adoc +++ b/latest/ug/automode/automode-learn-instances.adoc @@ -67,7 +67,10 @@ The following functionality works for both Managed instances and Standard EC2 in With EKS Auto Mode, {aws} determines the image (AMI) used for your compute nodes. {aws} monitors the rollout of new EKS Auto Mode AMI versions. If you experience workload issues related to an AMI version, create a support case. For more information, see link:awssupport/latest/user/case-management.html["Creating support cases and case management",type="documentation"] in the {aws} Support User Guide. -== Supported instance reference +[#auto-supported-instances] +== EKS Auto Mode supported instance reference + +EKS Auto Mode only creates instances of supported types, and that meet a minimum size requirement. EKS Auto Mode supports the following instance types: @@ -100,6 +103,14 @@ EKS Auto Mode supports the following instance types: |x2iezn, x2iedn, x2idn |=== +Additionally, EKS Auto Mode will only create EC2 instances that meet the following requirements: + +* More than 1 CPU +* Instance size is not nano, micro or small + +For more information, see link:ec2/latest/instancetypes/instance-type-names.html["Amazon EC2 instance type naming conventions",type="documentation"]. + + == Considerations * EKS Auto Mode automatically formats and configures NVMe local storage on supported instance types. For nodes with multiple NVMe drives, EKS sets up a RAID 0 array. This automation eliminates the need for manual formatting and RAID configuration of local NVMe storage in EKS clusters. @@ -108,4 +119,4 @@ EKS Auto Mode supports the following instance types: ** If you have other types of nodes in your cluster, you need to configure the Neuron Device plugin to not run on auto mode nodes. For more information, see <>. -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23automode-learn-instances%5D&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23automode-learn-instances%5D&type=code[Edit this page on GitHub] diff --git a/latest/ug/automode/create-node-pool.adoc b/latest/ug/automode/create-node-pool.adoc index a2ed9910b..95cd9b81c 100644 --- a/latest/ug/automode/create-node-pool.adoc +++ b/latest/ug/automode/create-node-pool.adoc @@ -74,8 +74,7 @@ spec: memory: 1000Gi ---- - -== EKS Auto Mode Supported +== EKS Auto Mode Supported Labels EKS Auto Mode supports the following well known labels. @@ -169,7 +168,9 @@ EKS Auto Mode supports the following well known labels. |Number of gibibytes of local nvme storage on the instance |=== -== EKS Auto Mode Not Supported +NOTE: EKS Auto Mode only supports certain instances, and has minimum size requirements. For more information, see <>. + +== EKS Auto Mode Not Supported Labels EKS Auto Mode does not support the following labels. diff --git a/latest/ug/clusters/update-cluster.adoc b/latest/ug/clusters/update-cluster.adoc index f2360862e..2358873b7 100644 --- a/latest/ug/clusters/update-cluster.adoc +++ b/latest/ug/clusters/update-cluster.adoc @@ -25,12 +25,9 @@ The update process consists of Amazon EKS launching new API server nodes with th To update the cluster, Amazon EKS requires up to five available IP addresses from the subnets that you specified when you created your cluster. Amazon EKS creates new cluster elastic network interfaces (network interfaces) in any of the subnets that you specified. The network interfaces may be created in different subnets than your existing network interfaces are in, so make sure that your security group rules allow <> for any of the subnets that you specified when you created your cluster. If any of the subnets that you specified when you created the cluster don't exist, don't have enough available IP addresses, or don't have security group rules that allows necessary cluster communication, then the update can fail. -[NOTE] -==== - To ensure that the API server endpoint for your cluster is always accessible, Amazon EKS provides a highly available [.noloc]`Kubernetes` control plane and performs rolling updates of API server instances during update operations. In order to account for changing IP addresses of API server instances supporting your [.noloc]`Kubernetes` API server endpoint, you must ensure that your API server clients manage reconnects effectively. Recent versions of `kubectl` and the [.noloc]`Kubernetes` client https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/#programmatic-access-to-the-api[libraries] that are officially supported, perform this reconnect process transparently. -==== +NOTE: To learn more about what goes into a cluster update, see link:eks/latest/best-practices/cluster-upgrades.html["Best Practices for Cluster Upgrades",type="documentation"] in the EKS Best Practices Guide. This resource helps you plan an upgrade, and understand the strategy of upgrading a cluster. == Considerations for Amazon EKS Auto Mode From 41921ef8311ec64a6c1792a4a6e92e752d3d1ba9 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Thu, 6 Feb 2025 14:08:02 -0600 Subject: [PATCH 110/940] Update auto-elb-example.adoc (#866) * add callout for ECR pull role --- latest/ug/automode/auto-elb-example.adoc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/latest/ug/automode/auto-elb-example.adoc b/latest/ug/automode/auto-elb-example.adoc index b53658f7b..4b7285b50 100644 --- a/latest/ug/automode/auto-elb-example.adoc +++ b/latest/ug/automode/auto-elb-example.adoc @@ -68,6 +68,8 @@ spec: cpu: "0.5" ---- +NOTE: If you receive an error loading the image `public.ecr.aws/l6m2t8p7/docker-2048:latest`, confirm your Node IAM role has sufficent permissions to pull images from ECR. For more information, see <>. + **Key components:** - Deploys 5 replicas of the application @@ -243,4 +245,4 @@ If the game doesn't load: - Verify ALB health checks: Check the target group health in {aws} Console -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-elb-example%5D&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-elb-example%5D&type=code[Edit this page on GitHub] From c5cb815f0fbcb55d9361f8411f897aa33c566852 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Thu, 6 Feb 2025 14:08:17 -0600 Subject: [PATCH 111/940] Update private-clusters.adoc (#864) Add callout for Route53 External DNS and PrivateLink --- latest/ug/clusters/private-clusters.adoc | 1 + 1 file changed, 1 insertion(+) diff --git a/latest/ug/clusters/private-clusters.adoc b/latest/ug/clusters/private-clusters.adoc index d60fd8b36..eb9dd17d7 100644 --- a/latest/ug/clusters/private-clusters.adoc +++ b/latest/ug/clusters/private-clusters.adoc @@ -95,6 +95,7 @@ We recommend that you link:vpc/latest/privatelink/interface-endpoints.html#enabl * Any self-managed nodes must be deployed to subnets that have the VPC interface endpoints that you require. If you create a managed node group, the VPC interface endpoint security group must allow the CIDR for the subnets, or you must add the created node security group to the VPC interface endpoint security group. * If your [.noloc]`Pods` use Amazon EFS volumes, then before deploying the <>, the driver's https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/deploy/kubernetes/overlays/stable/kustomization.yaml[kustomization.yaml] file must be changed to set the container images to use the same {aws} Region as the Amazon EKS cluster. +* Route53 does not support AWS PrivateLink. You cannot manage Route53 DNS records from a private EKS cluster. This impacts Kubernetes https://github.com/kubernetes-sigs/external-dns[external-dns]. * You can use the <> to deploy {aws} Application Load Balancers (ALB) and Network Load Balancers to your private cluster. When deploying it, you should use https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/deploy/configurations/#controller-command-line-flags[command line flags] to set `enable-shield`, `enable-waf`, and `enable-wafv2` to false. https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/ingress/cert_discovery/#discover-via-ingress-rule-host[Certificate discovery] with hostnames from Ingress objects isn't supported. This is because the controller needs to reach {aws} Certificate Manager, which doesn't have a VPC interface endpoint. + The controller supports network load balancers with IP targets, which are required for use with Fargate. For more information, see <> and <>. From 90ac5e4f78ea3a1cf6f9de3fde0efff1c4aeb9b4 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Thu, 6 Feb 2025 23:00:58 +0000 Subject: [PATCH 112/940] Fix link that had AWS string: 44248 --- latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc b/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc index c1130bea2..7dc708356 100644 --- a/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc @@ -33,7 +33,7 @@ When using < Date: Thu, 6 Feb 2025 23:08:39 +0000 Subject: [PATCH 113/940] Edit rewrites for contributing chapter. --- latest/ug/contribute/create-content-q.adoc | 26 ++++++++-------- latest/ug/contribute/edit-single-web.adoc | 36 +++++++++++----------- latest/ug/contribute/edit-web.adoc | 4 +-- latest/ug/contribute/pr-status.adoc | 24 +++++++-------- latest/ug/contribute/vale-github.adoc | 2 +- latest/ug/contribute/vale-local.adoc | 26 ++++++++-------- 6 files changed, 59 insertions(+), 59 deletions(-) diff --git a/latest/ug/contribute/create-content-q.adoc b/latest/ug/contribute/create-content-q.adoc index dcf067310..e579c9b52 100644 --- a/latest/ug/contribute/create-content-q.adoc +++ b/latest/ug/contribute/create-content-q.adoc @@ -23,24 +23,24 @@ image::images/contribute-q.png["Amazon Q in VS Code"] == Login to Amazon Q -1. After installing, click the Amazon Q icon in the VS Code activity bar -2. Click "Sign in to Amazon Q" -3. Enter your {aws} credentials when prompted -4. Once authenticated, you'll see the Amazon Q chat interface +1. After installing, choose the Amazon Q icon in the VS Code activity bar. +2. Choose *Sign in to Amazon Q*. +3. Enter your {aws} credentials when prompted. +4. Once authenticated, you'll see the Amazon Q chat interface. == Use Amazon Q to create content -1. Open the file you want to edit in VS Code -2. Select the text you want to revise or the location for new content -3. Press *Ctrl+I* or *Cmd+I* +1. Open the file you want to edit in VS Code. +2. Select the text you want to revise or the location for new content. +3. Press *Ctrl+I* or *Cmd+I*. 4. In the prompt, be specific about: - * The type of content you need - * The target audience - * Key points to cover - * Desired tone and style -5. Review the generated content in the inline preview + * The type of content you need. + * The target audience. + * Key points to cover. + * Desired tone and style. +5. Review the generated content in the inline preview. 6. Use *enter* to accept the changes, or *esc* to reject them. -7. Edit further as needed +7. Edit further as needed. == Tips diff --git a/latest/ug/contribute/edit-single-web.adoc b/latest/ug/contribute/edit-single-web.adoc index 1a9f9138e..8989d9680 100644 --- a/latest/ug/contribute/edit-single-web.adoc +++ b/latest/ug/contribute/edit-single-web.adoc @@ -14,23 +14,23 @@ If you want to edit multiple pages from your web browser, see <>. == Prerequisites -* Docs page to change opened in web browser -* Signed into GitHub +* Docs page to change opened in web browser. +* Signed into GitHub. == Procedure -. Navigate to the page you want to edit in the EKS User Guide documentation +. Navigate to the page you want to edit in the Amazon EKS User Guide. -. Look for the *Edit this page on GitHub* button located in the right sidebar of the page +. Choose the 📝 *Edit this page on GitHub* link located at the bottom of the page. . Once on GitHub, open the editor by either: -** Pressing the `e` key on your keyboard -** Clicking the pencil icon and selecting *Edit in Place* from the dropdown menu -** If you don't have the option to edit, you need to login to GitHub. Your GitHub account does not need any special permissions to suggest changes. However, internal Amazon contributors should link their GitHub profile. +** Pressing the `e` key on your keyboard. +** Clicking the pencil icon and selecting *Edit in Place* from the dropdown menu. +** If you don't have the option to edit, you need to login to GitHub. Your GitHub account does not need any special permissions to suggest changes. However, internal Amazon contributors should link their GitHub profile. -. Make your required changes to the content in the GitHub editor -** The editor provides syntax highlighting and preview capabilities -** You can use AsciiDoc markup to format your changes +. Make your required changes to the content in the GitHub editor. +** The editor provides syntax highlighting and preview capabilities. +** You can use AsciiDoc markup to format your changes. ** You can use `ctrl-f` to open a find/replace interface. . (Optional) Preview your changes. @@ -40,10 +40,10 @@ If you want to edit multiple pages from your web browser, see <>. . When finished editing, click the *Commit changes...* button at the top of the editor . In the commit dialog: -** Verify your email address is correct -** Add a brief but descriptive commit message explaining your changes -** Optionally add a longer description if needed -** Select to create a new branch and pull request +** Verify your email address is correct. +** Add a brief but descriptive commit message explaining your changes. +** Optionally add a longer description if needed. +** Select to create a new branch and pull request. You have created a pull request including the proposed changes. @@ -51,10 +51,10 @@ You have created a pull request including the proposed changes. When you create a PR: -* Your changes are submitted for review by repository maintainers -* Reviewers can comment on your changes and request modifications -* Automated tests may run to validate your changes -* Once approved, your changes can be merged into the main repository +* Your changes are submitted for review by repository maintainers. +* Reviewers can comment on your changes and request modifications. +* Automated tests may run to validate your changes. +* Once approved, your changes can be merged into the main repository. Pull requests help ensure quality and provide a way to discuss changes before they are integrated. diff --git a/latest/ug/contribute/edit-web.adoc b/latest/ug/contribute/edit-web.adoc index bce721937..1e269803e 100644 --- a/latest/ug/contribute/edit-web.adoc +++ b/latest/ug/contribute/edit-web.adoc @@ -20,11 +20,11 @@ image::images/contribute-web-dev.png["GitHub.dev web editor user interface] NOTE: The EKS Docs team has created a workspace file that includes suggested configurations for the editor, such as text wrapping and AsciiDoc syntax highlighting. We suggest you load this workspace file. -. Open the https://github.dev/awsdocs/amazon-eks-user-guide/blob/mainline/eks-docs.code-workspace?workspace=true[workspace] on GitHub.dev +. Open the https://github.dev/awsdocs/amazon-eks-user-guide/blob/mainline/eks-docs.code-workspace?workspace=true[workspace] on GitHub.dev. ** You can bookmark the URL `https://github.dev/awsdocs/amazon-eks-user-guide/blob/mainline/eks-docs.code-workspace?workspace=true` . (First time setup only) You may be prompted to create a fork of the repo in your own GitHub account. Accept this prompt. For more information, see https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/about-forks[About forks] in the GitHub docs. . (First time setup only) Accept the prompt in the bottom right to install the AsciiDoc extension. -. Navigate to the docs content at `latest/ug` +. Navigate to the docs content at `latest/ug`. ** Docs files are organized by their top level section. For example, pages in the "Security" chapter have source files under the "security/" directory. . To view a preview of a docs page, use the *Open preview to the Side* button in the top right. The icon includes a small magnifying glass. . Use the *Source Control* tab in the left to commit your changes. For more information, see the Visual Studio Code docs: diff --git a/latest/ug/contribute/pr-status.adoc b/latest/ug/contribute/pr-status.adoc index 810e4be5e..e225016ed 100644 --- a/latest/ug/contribute/pr-status.adoc +++ b/latest/ug/contribute/pr-status.adoc @@ -16,17 +16,17 @@ include::images/contribute-pr.png["View PR feedback"] To view pull requests you created: . Go to the GitHub repository -. Click the "Pull requests" tab -. Select *Filters* and then *Your pull requests* -. Review the list of your open pull requests +. Click the "Pull requests" tab. +. Select *Filters* and then *Your pull requests*. +. Review the list of your open pull requests. == View pull requests assigned to you To view pull requests assigned to you for review: . Go to the GitHub repository -. Click the "Pull requests" tab -. Select *filters* and then *assigned to you* -. Review the list of pull requests awaiting your review +. Click the "Pull requests" tab. +. Select *filters* and then *assigned to you*. +. Review the list of pull requests awaiting your review. == Review a pull request @@ -56,16 +56,16 @@ Use the GitHub CLI to pull the changes locally. * For Linux: Follow instructions at https://github.com/cli/cli#installation . Authenticate with GitHub: - * Run `gh auth login` - * Follow the prompts to complete authentication + * Run: `gh auth login` + * Follow the prompts to complete authentication. ==== Checkout pull request . Check out the pull request branch: - * Run `gh pr checkout ` - * Replace with your pull request number - * The pull request number is visible at the top of the PR - * This creates a local branch with the PR changes + * Run: `gh pr checkout ` + * Replace with your pull request number. + * The pull request number is visible at the top of the PR. + * This creates a local branch with the PR changes. . Make your changes locally using your preferred text editor diff --git a/latest/ug/contribute/vale-github.adoc b/latest/ug/contribute/vale-github.adoc index 83d688432..fbea99bee 100644 --- a/latest/ug/contribute/vale-github.adoc +++ b/latest/ug/contribute/vale-github.adoc @@ -20,7 +20,7 @@ The style check: . Open your Pull Request ** https://github.com/awsdocs/amazon-eks-user-guide/pulls[View a list of open pull requests] -. Select the *Files changed* tab +. Choose the *Files changed* tab. . Feedback from Vale is visible as line comments, that start with `[vale]`. ** Use the style feedback to identify typos, spelling errors, and awkward phrasing. diff --git a/latest/ug/contribute/vale-local.adoc b/latest/ug/contribute/vale-local.adoc index 489297369..8001938ee 100644 --- a/latest/ug/contribute/vale-local.adoc +++ b/latest/ug/contribute/vale-local.adoc @@ -22,19 +22,19 @@ Follow the instructions in the Vale CLI docs to https://vale.sh/docs/install#pac == Install VS Code Vale extension -. Open VS Code -. Click the Extensions icon in the Activity Bar (or press Ctrl+Shift+X) -. Search for "Vale" -. Click Install on the "Vale VSCode" extension by Chris Chinchilla -. Reload VS Code when prompted +. Open VS Code. +. Click the Extensions icon in the Activity Bar (or press Ctrl+Shift+X). +. Search for "Vale". +. Click Install on the "Vale VSCode" extension by Chris Chinchilla. +. Reload VS Code when prompted. == Sync Vale Vale uses the `.vale.ini` configuration file in your project root to determine which style rules to apply. -. Open VS Code -. Click *View* > *Terminal* (or press Ctrl+`) -. Navigate to your project root directory if needed +. Open VS Code. +. Click *View* > *Terminal* (or press Ctrl+`). +. Navigate to your project root directory if needed. . Run the command: + [source,bash] @@ -45,11 +45,11 @@ vale sync == View style feedback in VS Code -. Open a Markdown or AsciiDoc file in VS Code -. The Vale extension will automatically check your text against the style rules -. Style issues will be underlined in the editor -. Hover over underlined text to see the specific style suggestion -. Fix issues by following the suggestions or consulting the style guide +. Open a Markdown or AsciiDoc file in VS Code. +. The Vale extension will automatically check your text against the style rules. +. Style issues will be underlined in the editor. +. Hover over underlined text to see the specific style suggestion. +. Fix issues by following the suggestions or consulting the style guide. 📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23vale-local%5D&type=code[Edit this page on GitHub] \ No newline at end of file From 4162e2685bc0d8ab09799638dbc431f04f44e40a Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Thu, 6 Feb 2025 23:26:43 +0000 Subject: [PATCH 114/940] Fix AWS instance, convert some links to proper format. --- latest/ug/clusters/private-clusters.adoc | 2 +- .../ug/manage-access/k8s-access/migrating-access-entries.adoc | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/latest/ug/clusters/private-clusters.adoc b/latest/ug/clusters/private-clusters.adoc index eb9dd17d7..bf2079bc8 100644 --- a/latest/ug/clusters/private-clusters.adoc +++ b/latest/ug/clusters/private-clusters.adoc @@ -95,7 +95,7 @@ We recommend that you link:vpc/latest/privatelink/interface-endpoints.html#enabl * Any self-managed nodes must be deployed to subnets that have the VPC interface endpoints that you require. If you create a managed node group, the VPC interface endpoint security group must allow the CIDR for the subnets, or you must add the created node security group to the VPC interface endpoint security group. * If your [.noloc]`Pods` use Amazon EFS volumes, then before deploying the <>, the driver's https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/deploy/kubernetes/overlays/stable/kustomization.yaml[kustomization.yaml] file must be changed to set the container images to use the same {aws} Region as the Amazon EKS cluster. -* Route53 does not support AWS PrivateLink. You cannot manage Route53 DNS records from a private EKS cluster. This impacts Kubernetes https://github.com/kubernetes-sigs/external-dns[external-dns]. +* Route53 does not support {aws} PrivateLink. You cannot manage Route53 DNS records from a private Amazon EKS cluster. This impacts Kubernetes https://github.com/kubernetes-sigs/external-dns[external-dns]. * You can use the <> to deploy {aws} Application Load Balancers (ALB) and Network Load Balancers to your private cluster. When deploying it, you should use https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/deploy/configurations/#controller-command-line-flags[command line flags] to set `enable-shield`, `enable-waf`, and `enable-wafv2` to false. https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/ingress/cert_discovery/#discover-via-ingress-rule-host[Certificate discovery] with hostnames from Ingress objects isn't supported. This is because the controller needs to reach {aws} Certificate Manager, which doesn't have a VPC interface endpoint. + The controller supports network load balancers with IP targets, which are required for use with Fargate. For more information, see <> and <>. diff --git a/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc b/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc index 98ccb834e..fd742912a 100644 --- a/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc @@ -7,12 +7,12 @@ include::../../attributes.txt[] //GDC: problems with xrefs -If you've added entries to the `aws-auth` `ConfigMap` on your cluster, we recommend that you create access entries for the existing entries in your `aws-auth` `ConfigMap`. After creating the access entries, you can remove the entries from your `ConfigMap`. You can't associate link:eks/latest/userguide/access-policies.html[access policies,type="documentation"] to entries in the `aws-auth` `ConfigMap`. If you want to associate access polices to your IAM principals, create access entries. +If you've added entries to the `aws-auth` `ConfigMap` on your cluster, we recommend that you create access entries for the existing entries in your `aws-auth` `ConfigMap`. After creating the access entries, you can remove the entries from your `ConfigMap`. You can't associate <> to entries in the `aws-auth` `ConfigMap`. If you want to associate access polices to your IAM principals, create access entries. [IMPORTANT] ==== -Don't remove existing `aws-auth` `ConfigMap` entries that were created by Amazon EKS when you added a link:eks/latest/userguide/managed-node-groups.html[managed node group,type="documentation"] or a link:eks/latest/userguide/fargate-profile.html["Fargate profile",type="documentation"] to your cluster. If you remove entries that Amazon EKS created in the `ConfigMap`, your cluster won't function properly. You can however, remove any entries for link:eks/latest/userguide/worker.html["self-managed",type="documentation"] node groups after you've created access entries for them. +Don't remove existing `aws-auth` `ConfigMap` entries that were created by Amazon EKS when you added a <> or a <> to your cluster. If you remove entries that Amazon EKS created in the `ConfigMap`, your cluster won't function properly. You can however, remove any entries for <> node groups after you've created access entries for them. ==== From 58c324084b7f35428b3fd33379ee9c9e1b96375b Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Thu, 6 Feb 2025 23:47:20 +0000 Subject: [PATCH 115/940] Converted links back to preferred format. --- latest/ug/clusters/create-cluster.adoc | 2 +- latest/ug/clusters/zone-shift.adoc | 8 ++++---- .../manage-access/k8s-access/creating-access-entries.adoc | 2 +- latest/ug/manage-access/k8s-access/grant-k8s-access.adoc | 6 +++--- latest/ug/networking/network-reqs.adoc | 4 ++-- latest/ug/nodes/hybrid-nodes-cluster-create.adoc | 2 +- latest/ug/nodes/hybrid-nodes-join.adoc | 2 +- latest/ug/security/auto-security.adoc | 6 +++--- latest/ug/what-is/eks-deployment-options.adoc | 4 ++-- latest/ug/what-is/kubernetes-concepts.adoc | 2 +- latest/ug/what-is/what-is-eks.adoc | 2 +- 11 files changed, 20 insertions(+), 20 deletions(-) diff --git a/latest/ug/clusters/create-cluster.adoc b/latest/ug/clusters/create-cluster.adoc index 9cdbc6aa8..c762866d3 100644 --- a/latest/ug/clusters/create-cluster.adoc +++ b/latest/ug/clusters/create-cluster.adoc @@ -21,7 +21,7 @@ To get started with EKS Auto Mode, see <>. ==== -This topic provides an overview of the available options and describes what to consider when you create an Amazon EKS cluster. If you need to create a cluster with your on-premises infrastructure as the compute for nodes, see <>. If this is your first time creating an Amazon EKS cluster, we recommend that you follow one of our guides in <>. These guides help you to create a simple, default cluster without expanding into all of the available options. +This topic provides an overview of the available options and describes what to consider when you create an Amazon EKS cluster. If you need to create a cluster with your on-premises infrastructure as the compute for nodes, see <>. If this is your first time creating an Amazon EKS cluster, we recommend that you follow one of our guides in <>. These guides help you to create a simple, default cluster without expanding into all of the available options. == Prerequisites diff --git a/latest/ug/clusters/zone-shift.adoc b/latest/ug/clusters/zone-shift.adoc index 1bcf1e0c8..fbd50f085 100644 --- a/latest/ug/clusters/zone-shift.adoc +++ b/latest/ug/clusters/zone-shift.adoc @@ -32,7 +32,7 @@ Once your EKS cluster zonal shift enabled with ARC, you can trigger a zonal shif During an EKS zonal shift, the following will automatically take place: * All the nodes in the impacted AZ will be cordoned. This will prevent the Kubernetes Scheduler from scheduling new Pods onto the nodes in the unhealthy AZ. -* If you're using link:eks/latest/userguide/managed-node-groups.html["Managed Node Groups",type="documentation"], link:autoscaling/ec2/userguide/auto-scaling-benefits.html#AutoScalingBehavior.InstanceUsage["_Availability Zone rebalancing_",type="documentation"] will be suspended, and your Auto Scaling Group (ASG) will be updated to ensure that new EKS Data Plane nodes are only launched in the healthy AZs. +* If you're using <>, link:autoscaling/ec2/userguide/auto-scaling-benefits.html#AutoScalingBehavior.InstanceUsage["_Availability Zone rebalancing_",type="documentation"] will be suspended, and your Auto Scaling Group (ASG) will be updated to ensure that new EKS Data Plane nodes are only launched in the healthy AZs. * The nodes in the unhealthy AZ will not be terminated and the Pods will not be evicted from these nodes. This is to ensure that when a zonal shift expires or gets cancelled, your traffic can be safely returned to the AZ which still has full capacity * The EndpointSlice controller will find all the Pod endpoints in the impaired AZ and remove them from the relevant EndpointSlices. This will ensure that only Pod endpoints in healthy AZs are targeted to receive network traffic. When a zonal shift is cancelled or expires, the EndpointSlice controller will update the EndpointSlices to include the endpoints in the restored AZ. @@ -122,7 +122,7 @@ spec: ---- -Most important, you should run multiple replicas of your DNS server software (CoreDNS/kube-dns) and apply similar topology spread constraints if they are not already configured by default. This will help ensure that you have enough DNS Pods in healthy AZs to continue handling service discovery requests for other communicating Pods in the cluster if there's a single AZ impairment. The link:eks/latest/userguide/managing-coredns.html["CoreDNS EKS add-on",type="documentation"] has default settings for the CoreDNS Pods to be spread across your cluster's Availability Zones if there are nodes in multiple AZs available. You can also replace these default settings with your own custom configurations. +Most important, you should run multiple replicas of your DNS server software (CoreDNS/kube-dns) and apply similar topology spread constraints if they are not already configured by default. This will help ensure that you have enough DNS Pods in healthy AZs to continue handling service discovery requests for other communicating Pods in the cluster if there's a single AZ impairment. The <> has default settings for the CoreDNS Pods to be spread across your cluster's Availability Zones if there are nodes in multiple AZs available. You can also replace these default settings with your own custom configurations. When installing https://github.com/coredns/helm/tree/master[CoreDNS with Helm], you can update the `replicaCount` in the https://github.com/coredns/helm/blob/master/charts/coredns/values.yaml[values.yaml file] to ensure that you have a sufficient number of replicas in each AZ. In addition, to ensure that these replicas are spread across the different AZs in your cluster environment, you should update the `topologySpreadConstraints` property in the same values.yaml file. The code snippet below demonstrates how to configure CoreDNS for this. @@ -163,7 +163,7 @@ spec: Alternatively, EKS can manage the autoscaling of the CoreDNS Deployment in the EKS add-on version of CoreDNS. This CoreDNS autoscaler continuously monitors the cluster state, including the number of nodes and CPU cores. Based on that information, the controller will dynamically adapt the number of replicas of the CoreDNS deployment in an EKS cluster. -To enable the link:eks/latest/userguide/coredns-autoscaling.html["autoscaling configuration in the CoreDNS EKS add-on",type="documentation"], you should add the following optional configuration settings: +To enable the <>, you should add the following optional configuration settings: [source,json] @@ -272,7 +272,7 @@ You can use ARC zonal shift and zonal autoshift in your EKS cluster at no additi * link:r53recovery/latest/dg/arc-zonal-shift.resource-types.html["Resources and scenarios supported for zonal shift and zonal autoshift",type="documentation"] * link:blogs/containers/operating-resilient-workloads-on-amazon-eks/["Operating resilient workloads on Amazon EKS",type="marketing"] * link:blogs/containers/eliminate-kubernetes-node-scaling-lag-with-pod-priority-and-over-provisioning/["Eliminate Kubernetes node scaling lag with pod priority and over-provisioning",type="marketing"] -* link:eks/latest/userguide/coredns-autoscaling.html["Scale CoreDNS Pods for high DNS traffic",type="documentation"] +* <> 📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23zone-shift%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/creating-access-entries.adoc b/latest/ug/manage-access/k8s-access/creating-access-entries.adoc index edc38b77d..2ee53decf 100644 --- a/latest/ug/manage-access/k8s-access/creating-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/creating-access-entries.adoc @@ -104,7 +104,7 @@ You can create an access entry using the {aws-management-console} or the {aws} C . To create an access entry You can use any of the following examples to create access entries: + -** Create an access entry for a self-managed Amazon EC2 Linux node group. Replace [.replaceable]`my-cluster` with the name of your cluster, [.replaceable]`111122223333` with your {aws} account ID, and [.replaceable]`EKS-my-cluster-self-managed-ng-1` with the name of your link:eks/latest/userguide/create-node-role.html[node IAM role,type="documentation"]. If your node group is a Windows node group, then replace [.replaceable]`EC2_LINUX` with `EC2_Windows`. +** Create an access entry for a self-managed Amazon EC2 Linux node group. Replace [.replaceable]`my-cluster` with the name of your cluster, [.replaceable]`111122223333` with your {aws} account ID, and [.replaceable]`EKS-my-cluster-self-managed-ng-1` with the name of your <>. If your node group is a Windows node group, then replace [.replaceable]`EC2_LINUX` with `EC2_Windows`. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc b/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc index 748a914e0..765dd45cc 100644 --- a/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc +++ b/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc @@ -36,13 +36,13 @@ The https://github.com/kubernetes-sigs/aws-iam-authenticator#readme[{aws} IAM Au * *Creating access entries* - – If your cluster is at or later than the platform version listed in the link:eks/latest/userguide/access-entries.html[Prerequisites,type="documentation"] section for your cluster's [.noloc]`Kubernetes` version, we recommend that you use this option. + – If your cluster is at or later than the platform version listed in the <> section for your cluster's [.noloc]`Kubernetes` version, we recommend that you use this option. + Use _access entries_ to manage the [.noloc]`Kubernetes` permissions of IAM principals from outside the cluster. You can add and manage access to the cluster by using the EKS API, {aws} Command Line Interface, {aws} SDKs, {aws} CloudFormation, and {aws-management-console}. This means you can manage users with the same tools that you created the cluster with. + -To get started, follow link:eks/latest/userguide/setting-up-access-entries.html[Change authentication mode to use access entries,type="documentation"], then link:eks/latest/userguide/migrating-access-entries.html[Migrating existing aws-auth ConfigMap entries to access entries,type="documentation"]. +To get started, follow <>, then <>. * *Adding entries to the `aws-auth` `ConfigMap`* - – If your cluster's platform version is earlier than the version listed in the link:eks/latest/userguide/access-entries.html[Prerequisites,type="documentation"] section, then you must use this option. If your cluster's platform version is at or later than the platform version listed in the link:eks/latest/userguide/access-entries.html[Prerequisites,type="documentation"] section for your cluster's [.noloc]`Kubernetes` version, and you've added entries to the `ConfigMap`, then we recommend that you migrate those entries to access entries. You can't migrate entries that Amazon EKS added to the `ConfigMap` however, such as entries for IAM roles used with managed node groups or Fargate profiles. For more information, see <>. + – If your cluster's platform version is earlier than the version listed in the <> section, then you must use this option. If your cluster's platform version is at or later than the platform version listed in the <> section for your cluster's [.noloc]`Kubernetes` version, and you've added entries to the `ConfigMap`, then we recommend that you migrate those entries to access entries. You can't migrate entries that Amazon EKS added to the `ConfigMap` however, such as entries for IAM roles used with managed node groups or Fargate profiles. For more information, see <>. + ** If you have to use the `aws-auth` `ConfigMap` option, you can add entries to the `ConfigMap` using the `eksctl create iamidentitymapping` command. For more information, see https://eksctl.io/usage/iam-identity-mappings/[Manage IAM users and roles] in the `eksctl` documentation. diff --git a/latest/ug/networking/network-reqs.adoc b/latest/ug/networking/network-reqs.adoc index 8524c9a7d..066837cba 100644 --- a/latest/ug/networking/network-reqs.adoc +++ b/latest/ug/networking/network-reqs.adoc @@ -259,8 +259,8 @@ This change impacts new node groups that are deployed to public subnets in the f -* *link:eks/latest/userguide/create-managed-node-group.html[Managed node groups,type="documentation"]* – If the node group is deployed to a public subnet on or after April 22, 2020, automatic assignment of public IP addresses must be enabled for the public subnet. For more information, see link:vpc/latest/userguide/vpc-ip-addressing.html#subnet-public-ip[Modifying the public IPv4 addressing attribute for your subnet,type="documentation"]. -* *link:eks/latest/userguide/launch-workers.html[Linux,type="documentation"], link:eks/latest/userguide/launch-windows-workers.html[Windows,type="documentation"], or link:eks/latest/userguide/arm-ami.html[Arm,type="documentation"] self-managed node groups* – If the node group is deployed to a public subnet on or after March 26, 2020, automatic assignment of public IP addresses must be enabled for the public subnet. Otherwise, the nodes must be launched with a public IP address instead. For more information, see link:vpc/latest/userguide/vpc-ip-addressing.html#subnet-public-ip[Modifying the public IPv4 addressing attribute for your subnet,type="documentation"] or link:vpc/latest/userguide/vpc-ip-addressing.html#vpc-public-ip[Assigning a public IPv4 address during instance launch,type="documentation"]. +* *<>* – If the node group is deployed to a public subnet on or after April 22, 2020, automatic assignment of public IP addresses must be enabled for the public subnet. For more information, see link:vpc/latest/userguide/vpc-ip-addressing.html#subnet-public-ip[Modifying the public IPv4 addressing attribute for your subnet,type="documentation"]. +* *<>, <>, or <> self-managed node groups* – If the node group is deployed to a public subnet on or after March 26, 2020, automatic assignment of public IP addresses must be enabled for the public subnet. Otherwise, the nodes must be launched with a public IP address instead. For more information, see link:vpc/latest/userguide/vpc-ip-addressing.html#subnet-public-ip[Modifying the public IPv4 addressing attribute for your subnet,type="documentation"] or link:vpc/latest/userguide/vpc-ip-addressing.html#vpc-public-ip[Assigning a public IPv4 address during instance launch,type="documentation"]. [#network-requirements-shared] diff --git a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc index e5d3e16fc..10dc0927a 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc @@ -167,7 +167,7 @@ curl -OL 'https://raw.githubusercontent.com/aws/eks-hybrid/refs/heads/main/examp ... Not overlap with each other, the `VPC CIDR` for your cluster, or your Kubernetes service IPv4 CIDR. .. `CLUSTER_AUTH`: the cluster authentication mode for your cluster. Valid values are `API` and `API_AND_CONFIG_MAP`. The default in the template is `API_AND_CONFIG_MAP`. .. `CLUSTER_ENDPOINT`: the cluster endpoint connectivity for your cluster. Valid values are “Public” and “Private”. The default in the template is Private, which means you will only be able to connect to the Kubernetes API endpoint from within your VPC. -.. `K8S_VERSION`: the Kubernetes version to use for your cluster. See <>. +.. `K8S_VERSION`: the Kubernetes version to use for your cluster. See <>. + [source,json,subs="verbatim,attributes"] ---- diff --git a/latest/ug/nodes/hybrid-nodes-join.adoc b/latest/ug/nodes/hybrid-nodes-join.adoc index 55a610664..a3a10f405 100644 --- a/latest/ug/nodes/hybrid-nodes-join.adoc +++ b/latest/ug/nodes/hybrid-nodes-join.adoc @@ -61,7 +61,7 @@ Run the command below to install the hybrid nodes dependencies on your on-premis The hybrid nodes CLI (`nodeadm`) must be run with a user that has sudo/root access on your host. ==== -* Replace `K8S_VERSION` with the Kubernetes minor version of your Amazon EKS cluster, for example `1.31`. See link:eks/latest/userguide/kubernetes-versions.html[Amazon EKS Kubernetes versions,type="documentation"] for a list of the supported Kubernetes versions. +* Replace `K8S_VERSION` with the Kubernetes minor version of your Amazon EKS cluster, for example `1.31`. See <> for a list of the supported Kubernetes versions. * Replace `CREDS_PROVIDER` with the on-premises credential provider you are using. Valid values are `ssm` for {aws} SSM and `iam-ra` for {aws} IAM Roles Anywhere. [source,bash,subs="verbatim,attributes,quotes"] diff --git a/latest/ug/security/auto-security.adoc b/latest/ug/security/auto-security.adoc index bddc6c00c..cd74dea11 100644 --- a/latest/ug/security/auto-security.adoc +++ b/latest/ug/security/auto-security.adoc @@ -16,7 +16,7 @@ Amazon EKS Auto Mode builds upon the existing security foundations of Amazon EKS Amazon EKS Auto Mode uses {aws} platform security mechanisms to secure and authenticate calls to the Amazon EKS API. * Access to the Kubernetes API is secured through EKS access entries, which integrate with {aws} IAM identities. -** For more information, see link:eks/latest/userguide/access-entries.html["Grant IAM users access to Kubernetes with EKS access entries",type="documentation"]. +** For more information, see <>. * Customers can implement fine-grained access control to the Kubernetes API endpoint through configuration of EKS access entries. ## Network security @@ -31,7 +31,7 @@ Amazon EKS Auto Mode supports multiple layers of network security: * **Network Policies** ** Native support for Kubernetes Network Policies ** Ability to define granular network traffic rules -** For more information, see link:eks/latest/userguide/cni-network-policy.html["Limit pod traffic with Kubernetes network policies",type="documentation"] +** For more information, see <> ## EC2 managed instance security @@ -97,7 +97,7 @@ The following section describes security best practices for Amazon EKS Auto Mode * Regularly review {aws} IAM policies and EKS access entries. * Implement least privilege access patterns for workloads. -* Monitor cluster activity through {aws} CloudTrail and Amazon CloudWatch. For more information, see link:eks/latest/userguide/logging-using-cloudtrail.html["Log API calls as CloudTrail events",type="documentation"] and link:eks/latest/userguide/cloudwatch.html["Monitor cluster data with Amazon CloudWatch",type="documentation"]. +* Monitor cluster activity through {aws} CloudTrail and Amazon CloudWatch. For more information, see <> and <>. * Use {aws} Security Hub for security posture assessment. * Implement pod security standards appropriate for your workloads. diff --git a/latest/ug/what-is/eks-deployment-options.adoc b/latest/ug/what-is/eks-deployment-options.adoc index b683a85f2..09d7f9546 100644 --- a/latest/ug/what-is/eks-deployment-options.adoc +++ b/latest/ug/what-is/eks-deployment-options.adoc @@ -18,7 +18,7 @@ Amazon Elastic Kubernetes Service (Amazon EKS) is a fully managed Kubernetes ser In the cloud, Amazon EKS automates Kubernetes cluster infrastructure management for the Kubernetes control plane and nodes. This is essential for scheduling containers, managing application availability, dynamically scaling resources, optimizing compute, storing cluster data, and performing other critical functions. With Amazon EKS, you get the robust performance, scalability, reliability, and availability of {aws} infrastructure, along with native integrations with {aws} networking, security, storage, and observability services. -To simplify running Kubernetes in your on-premises environments, you can use the same Amazon EKS clusters, features, and tools to <> or link:eks/latest/userguide/hybrid-nodes-overview.html[Amazon EKS Hybrid Nodes,type="documentation"] on your own infrastructure, or you can use https://anywhere.eks.amazonaws.com/[Amazon EKS Anywhere]for self-contained air-gapped environments. +To simplify running Kubernetes in your on-premises environments, you can use the same Amazon EKS clusters, features, and tools to <> or <> on your own infrastructure, or you can use https://anywhere.eks.amazonaws.com/[Amazon EKS Anywhere] for self-contained air-gapped environments. [#eks-cloud-deployment-options] == Amazon EKS in the cloud @@ -55,7 +55,7 @@ a|* Amazon EKS Managed Node Groups (Local Zones only) [#dc-or-edge-deployment-options] == Amazon EKS in your data center or edge environments -If you need to run applications in your own data centers or edge environments, you can use <> or link:eks/latest/userguide/hybrid-nodes.html[Amazon EKS Hybrid Nodes,type="documentation"]. You can use self-managed nodes with Amazon EC2 instances on {aws} Outposts for your cluster compute, or you can use Amazon EKS Hybrid Nodes with your own on-premises or edge infrastructure for your cluster compute. {aws} Outposts is {aws}-managed infrastructure that you run in your data centers or co-location facilities, whereas Amazon EKS Hybrid Nodes runs on your physical or virtual machines that you manage in your on-premises or edge environments. Amazon EKS on {aws} Outposts and Amazon EKS Hybrid Nodes require a reliable connection from your on-premises environments to an {aws} Region, and you can use the same Amazon EKS clusters, features, and tools you use to run applications in the cloud. When running on {aws} Outposts, you can alternatively deploy the entire Kubernetes cluster on {aws} Outposts with Amazon EKS local clusters on {aws} Outposts. +If you need to run applications in your own data centers or edge environments, you can use <> or <>. You can use self-managed nodes with Amazon EC2 instances on {aws} Outposts for your cluster compute, or you can use Amazon EKS Hybrid Nodes with your own on-premises or edge infrastructure for your cluster compute. {aws} Outposts is {aws}-managed infrastructure that you run in your data centers or co-location facilities, whereas Amazon EKS Hybrid Nodes runs on your physical or virtual machines that you manage in your on-premises or edge environments. Amazon EKS on {aws} Outposts and Amazon EKS Hybrid Nodes require a reliable connection from your on-premises environments to an {aws} Region, and you can use the same Amazon EKS clusters, features, and tools you use to run applications in the cloud. When running on {aws} Outposts, you can alternatively deploy the entire Kubernetes cluster on {aws} Outposts with Amazon EKS local clusters on {aws} Outposts. [cols="1,1,1", options="header"] diff --git a/latest/ug/what-is/kubernetes-concepts.adoc b/latest/ug/what-is/kubernetes-concepts.adoc index da9b231a3..214fd083a 100644 --- a/latest/ug/what-is/kubernetes-concepts.adoc +++ b/latest/ug/what-is/kubernetes-concepts.adoc @@ -149,7 +149,7 @@ When you first create a [.noloc]`Kubernetes` cluster, some cluster creation tool There are some services you can add to [.noloc]`Kubernetes` to support the cluster, but are not run in the control plane. These services often run directly on nodes in the kube-system namespace or in its own namespace (as is often done with third-party service providers). A common example is the CoreDNS service, which provides DNS services to the cluster. Refer to https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster-services/[Discovering builtin services] for information on how to see which cluster services are running in kube-system on your cluster. -There are different types of add-ons you can consider adding to your clusters. To keep your clusters healthy, you can add observability features (see <>) that allow you to do things like logging, auditing, and metrics. With this information, you can troubleshoot problems that occur, often through the same observability interfaces. Examples of these types of services include link:guardduty/latest/ug/runtime-monitoring.html[Amazon GuardDuty,type="documentation"], CloudWatch (see <>), https://aws-otel.github.io/[{aws} Distro for OpenTelemetry], Amazon VPC CNI plugin for [.noloc]`Kubernetes` (see <>), and https://grafana.com/docs/grafana-cloud/monitor-infrastructure/kubernetes-monitoring/configuration/config-aws-eks/[Grafana Kubernetes Monitoring]. For storage (see <>), add-ons to Amazon EKS include Amazon Elastic Block Store CSI Driver (see <>), Amazon Elastic File System CSI Driver (see <>), and several third-party storage add-ons such as Amazon FSx for NetApp ONTAP CSI driver <>). +There are different types of add-ons you can consider adding to your clusters. To keep your clusters healthy, you can add observability features (see <>) that allow you to do things like logging, auditing, and metrics. With this information, you can troubleshoot problems that occur, often through the same observability interfaces. Examples of these types of services include link:guardduty/latest/ug/runtime-monitoring.html[Amazon GuardDuty,type="documentation"], CloudWatch (see <>), https://aws-otel.github.io/[{aws} Distro for OpenTelemetry], Amazon VPC CNI plugin for [.noloc]`Kubernetes` (see <>), and https://grafana.com/docs/grafana-cloud/monitor-infrastructure/kubernetes-monitoring/configuration/config-aws-eks/[Grafana Kubernetes Monitoring]. For storage (see <>), add-ons to Amazon EKS include Amazon Elastic Block Store CSI Driver (see <>), Amazon Elastic File System CSI Driver (see <>), and several third-party storage add-ons such as Amazon FSx for NetApp ONTAP CSI driver <>). For a more complete list of available Amazon EKS add-ons, see <>. diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index 2a7860edd..f04934152 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -40,7 +40,7 @@ Amazon EKS has become a cornerstone for deploying and managing AI/ML workloads i *Hybrid Deployments* -You can use the same Amazon EKS clusters to run nodes on {aws}-hosted infrastructure in {aws} https://aws.amazon.com/about-aws/global-infrastructure/regions_az/[Regions], https://aws.amazon.com/about-aws/global-infrastructure/localzones/[{aws} Local Zones], https://aws.amazon.com/wavelength/[{aws} Wavelength Zones], or in your own on-premises environments with https://aws.amazon.com/outposts/[{aws} Outposts] and link:eks/latest/userguide/hybrid-nodes-overview.html[Amazon EKS Hybrid Nodes,type="documentation"]. {aws} Outposts is {aws}-managed infrastructure that you run in your data centers or co-location facilities, whereas Amazon EKS Hybrid Nodes runs on virtual machines or bare metal infrastructure that you manage in your on-premises or edge environments. If you need to run in isolated or air-gapped environments, you can use https://aws.amazon.com/eks/eks-anywhere/[Amazon EKS Anywhere], which is {aws}-supported Kubernetes management software that runs on infrastructure you manage. With Amazon EKS Anywhere, you are responsible for cluster lifecycle operations and maintenance of your Amazon EKS Anywhere clusters. The _Amazon EKS Connector_ can be used to view any Kubernetes cluster and their resources in the Amazon EKS console. _Amazon EKS Distro_ is the {aws} distribution of the underlying Kubernetes components that power all Amazon EKS offerings. +You can use the same Amazon EKS clusters to run nodes on {aws}-hosted infrastructure in {aws} https://aws.amazon.com/about-aws/global-infrastructure/regions_az/[Regions], https://aws.amazon.com/about-aws/global-infrastructure/localzones/[{aws} Local Zones], https://aws.amazon.com/wavelength/[{aws} Wavelength Zones], or in your own on-premises environments with https://aws.amazon.com/outposts/[{aws} Outposts] and <>. {aws} Outposts is {aws}-managed infrastructure that you run in your data centers or co-location facilities, whereas Amazon EKS Hybrid Nodes runs on virtual machines or bare metal infrastructure that you manage in your on-premises or edge environments. If you need to run in isolated or air-gapped environments, you can use https://aws.amazon.com/eks/eks-anywhere/[Amazon EKS Anywhere], which is {aws}-supported Kubernetes management software that runs on infrastructure you manage. With Amazon EKS Anywhere, you are responsible for cluster lifecycle operations and maintenance of your Amazon EKS Anywhere clusters. The _Amazon EKS Connector_ can be used to view any Kubernetes cluster and their resources in the Amazon EKS console. _Amazon EKS Distro_ is the {aws} distribution of the underlying Kubernetes components that power all Amazon EKS offerings. *Compute* From 80334cfd656f384bd72ea1e9b47218f51c26b421 Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Thu, 6 Feb 2025 16:28:05 -0800 Subject: [PATCH 116/940] Update core add-ons versions, VPC CNI to 1.19.2 --- latest/ug/networking/managing-coredns.adoc | 11 +++++------ latest/ug/networking/managing-kube-proxy.adoc | 9 +++------ latest/ug/networking/managing-vpc-cni.adoc | 17 ++++++++--------- latest/ug/networking/vpc-add-on-create.adoc | 6 +++--- .../vpc-add-on-self-managed-update.adoc | 8 ++++---- latest/ug/networking/vpc-add-on-update.adoc | 8 ++++---- vale/styles/EksDocs/ExternalDomains.yml | 2 +- 7 files changed, 28 insertions(+), 33 deletions(-) diff --git a/latest/ug/networking/managing-coredns.adoc b/latest/ug/networking/managing-coredns.adoc index 0d5184ad7..a575a1f79 100644 --- a/latest/ug/networking/managing-coredns.adoc +++ b/latest/ug/networking/managing-coredns.adoc @@ -41,12 +41,11 @@ The following table lists the latest version of the Amazon EKS add-on type for e | 1.31 | v1.11.4-eksbuild.2 | 1.30 | v1.11.4-eksbuild.2 | 1.29 | v1.11.4-eksbuild.2 -| 1.28 | v1.10.1-eksbuild.17 -| 1.27 | v1.10.1-eksbuild.17 -| 1.26 | v1.9.3-eksbuild.21 -| 1.25 | v1.9.3-eksbuild.21 -| 1.24 | v1.9.3-eksbuild.21 -| 1.23 | v1.8.7-eksbuild.20 +| 1.28 | v1.10.1-eksbuild.18 +| 1.27 | v1.10.1-eksbuild.18 +| 1.26 | v1.9.3-eksbuild.22 +| 1.25 | v1.9.3-eksbuild.22 +| 1.24 | v1.9.3-eksbuild.22 |=== [IMPORTANT] diff --git a/latest/ug/networking/managing-kube-proxy.adoc b/latest/ug/networking/managing-kube-proxy.adoc index ec051c585..ddb4a1e48 100644 --- a/latest/ug/networking/managing-kube-proxy.adoc +++ b/latest/ug/networking/managing-kube-proxy.adoc @@ -39,7 +39,6 @@ The following table lists the latest version of the Amazon EKS add-on type for e | Kubernetes version | `kube-proxy` version | 1.32 | v1.32.0-eksbuild.2 | 1.31 | v1.31.3-eksbuild.2 -| 1.31 | v1.31.3-eksbuild.2 | 1.30 | v1.30.7-eksbuild.2 | 1.29 | v1.29.11-eksbuild.2 | 1.28 | v1.28.15-eksbuild.4 @@ -47,7 +46,6 @@ The following table lists the latest version of the Amazon EKS add-on type for e | 1.26 | v1.26.15-eksbuild.19 | 1.25 | v1.25.16-eksbuild.22 | 1.24 | v1.24.17-eksbuild.19 -| 1.23 | v1.23.17-eksbuild.20 |=== [NOTE] @@ -77,15 +75,14 @@ The following table lists the latest available self-managed `kube-proxy` contain |=== | Version | kube-proxy (default type) | kube-proxy (minimal type) | 1.32 | Only minimal type is available | v1.32.0-minimal-eksbuild.2 -| 1.31 | Only minimal type is available | v1.31.2-minimal-eksbuild.3 -| 1.30 | Only minimal type is available | v1.30.6-minimal-eksbuild.3 -| 1.29 | Only minimal type is available | v1.29.10-minimal-eksbuild.3 +| 1.31 | Only minimal type is available | v1.31.3-minimal-eksbuild.3 +| 1.30 | Only minimal type is available | v1.30.7-minimal-eksbuild.2 +| 1.29 | Only minimal type is available | v1.29.11-minimal-eksbuild.2 | 1.28 | Only minimal type is available | v1.28.15-minimal-eksbuild.4 | 1.27 | Only minimal type is available | v1.27.16-minimal-eksbuild.14 | 1.26 | Only minimal type is available | v1.26.15-minimal-eksbuild.19 | 1.25 | Only minimal type is available | v1.25.16-minimal-eksbuild.22 | 1.24 | v1.24.10-eksbuild.2 | v1.24.17-minimal-eksbuild.19 -| 1.23 | v1.23.16-eksbuild.2 | v1.23.17-minimal-eksbuild.20 |=== diff --git a/latest/ug/networking/managing-vpc-cni.adoc b/latest/ug/networking/managing-vpc-cni.adoc index d4960a39e..eda4b9a23 100644 --- a/latest/ug/networking/managing-vpc-cni.adoc +++ b/latest/ug/networking/managing-vpc-cni.adoc @@ -48,15 +48,14 @@ The following table lists the latest available version of the Amazon EKS add-on |=== | Kubernetes version | Amazon EKS type of VPC CNI version | 1.32 | v1.19.2-eksbuild.1 -| 1.31 | v1.19.0-eksbuild.1 -| 1.30 | v1.19.0-eksbuild.1 -| 1.29 | v1.19.0-eksbuild.1 -| 1.28 | v1.19.0-eksbuild.1 -| 1.27 | v1.19.0-eksbuild.1 -| 1.26 | v1.19.0-eksbuild.1 -| 1.25 | v1.19.0-eksbuild.1 -| 1.24 | v1.19.0-eksbuild.1 -| 1.23 | v1.18.5-eksbuild.1 +| 1.31 | v1.19.2-eksbuild.1 +| 1.30 | v1.19.2-eksbuild.1 +| 1.29 | v1.19.2-eksbuild.1 +| 1.28 | v1.19.2-eksbuild.1 +| 1.27 | v1.19.2-eksbuild.1 +| 1.26 | v1.19.2-eksbuild.1 +| 1.25 | v1.19.2-eksbuild.1 +| 1.24 | v1.19.2-eksbuild.1 |=== [IMPORTANT] diff --git a/latest/ug/networking/vpc-add-on-create.adoc b/latest/ug/networking/vpc-add-on-create.adoc index 4bdd9d965..ee4c4b95a 100644 --- a/latest/ug/networking/vpc-add-on-create.adoc +++ b/latest/ug/networking/vpc-add-on-create.adoc @@ -65,12 +65,12 @@ kubectl get daemonset aws-node -n kube-system -o yaml > aws-k8s-cni-old.yaml . Create the add-on using the {aws} CLI. If you want to use the {aws-management-console} or `eksctl` to create the add-on, see <> and specify `vpc-cni` for the add-on name. Copy the command that follows to your device. Make the following modifications to the command, as needed, and then run the modified command. + ** Replace [.replaceable]`my-cluster` with the name of your cluster. -** Replace [.replaceable]`v1.19.0-eksbuild.1` with the latest version listed in the latest version table for your cluster version. For the latest version table, see <>. +** Replace [.replaceable]`v1.19.2-eksbuild.1` with the latest version listed in the latest version table for your cluster version. For the latest version table, see <>. ** Replace [.replaceable]`111122223333` with your account ID and [.replaceable]`AmazonEKSVPCCNIRole` with the name of an <> that you've created. Specifying a role requires that you have an IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you have one for your cluster, or to create one, see <>. + [source,bash,subs="verbatim,attributes"] ---- -aws eks create-addon --cluster-name my-cluster --addon-name vpc-cni --addon-version v1.19.0-eksbuild.1 \ +aws eks create-addon --cluster-name my-cluster --addon-name vpc-cni --addon-version v1.19.2-eksbuild.1 \ --service-account-role-arn {arn-aws}iam::111122223333:role/AmazonEKSVPCCNIRole ---- + @@ -88,7 +88,7 @@ An example output is as follows. + [source,bash,subs="verbatim,attributes"] ---- -v1.19.0-eksbuild.1 +v1.19.2-eksbuild.1 ---- . If you made custom settings to your original add-on, before you created the Amazon EKS add-on, use the configuration that you saved in a previous step to update the EKS add-on with your custom settings. Follow the steps in <>. . (Optional) Install the `cni-metrics-helper` to your cluster. It scrapes elastic network interface and IP address information, aggregates it at a cluster level, and publishes the metrics to Amazon CloudWatch. For more information, see https://github.com/aws/amazon-vpc-cni-k8s/blob/master/cmd/cni-metrics-helper/README.md[cni-metrics-helper] on GitHub. diff --git a/latest/ug/networking/vpc-add-on-self-managed-update.adoc b/latest/ug/networking/vpc-add-on-self-managed-update.adoc index d059dc683..45c247295 100644 --- a/latest/ug/networking/vpc-add-on-self-managed-update.adoc +++ b/latest/ug/networking/vpc-add-on-self-managed-update.adoc @@ -30,7 +30,7 @@ An example output is as follows. + [source,bash,subs="verbatim,attributes"] ---- -v1.16.4-eksbuild.2 +v1.19.2-eksbuild.1 ---- + Your output might not include the build number. @@ -43,11 +43,11 @@ kubectl get daemonset aws-node -n kube-system -o yaml > aws-k8s-cni-old.yaml To review the available versions and familiarize yourself with the changes in the version that you want to update to, see https://github.com/aws/amazon-vpc-cni-k8s/releases[releases] on [.noloc]`GitHub`. Note that we recommend updating to the same `major`.``minor``.``patch`` version listed in the latest available versions table, even if later versions are available on GitHub. For the latest available version table, see <>. The build versions listed in the table aren't specified in the self-managed versions listed on GitHub. Update your version by completing the tasks in one of the following options: + ** If you don't have any custom settings for the add-on, then run the command under the `To apply this release:` heading on GitHub for the https://github.com/aws/amazon-vpc-cni-k8s/releases[release] that you're updating to. -** If you have custom settings, download the manifest file with the following command. Change [.replaceable]`https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.19.0/config/master/aws-k8s-cni.yaml` to the URL for the release on GitHub that you're updating to. +** If you have custom settings, download the manifest file with the following command. Change [.replaceable]`https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.19.2/config/master/aws-k8s-cni.yaml` to the URL for the release on GitHub that you're updating to. + [source,bash,subs="verbatim,attributes"] ---- -curl -O https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.19.0/config/master/aws-k8s-cni.yaml +curl -O https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.19.2/config/master/aws-k8s-cni.yaml ---- + If necessary, modify the manifest with the custom settings from the backup you made in a previous step and then apply the modified manifest to your cluster. If your nodes don't have access to the private Amazon EKS Amazon ECR repositories that the images are pulled from (see the lines that start with `image:` in the manifest), then you'll have to download the images, copy them to your own repository, and modify the manifest to pull the images from your repository. For more information, see <>. @@ -67,7 +67,7 @@ An example output is as follows. + [source,bash,subs="verbatim,attributes"] ---- -v1.19.0 +v1.19.2 ---- . (Optional) Install the `cni-metrics-helper` to your cluster. It scrapes elastic network interface and IP address information, aggregates it at a cluster level, and publishes the metrics to Amazon CloudWatch. For more information, see https://github.com/aws/amazon-vpc-cni-k8s/blob/master/cmd/cni-metrics-helper/README.md[cni-metrics-helper] on GitHub. diff --git a/latest/ug/networking/vpc-add-on-update.adoc b/latest/ug/networking/vpc-add-on-update.adoc index f7fd435b5..d024ddd3e 100644 --- a/latest/ug/networking/vpc-add-on-update.adoc +++ b/latest/ug/networking/vpc-add-on-update.adoc @@ -31,14 +31,14 @@ kubectl get daemonset aws-node -n kube-system -o yaml > aws-k8s-cni-old.yaml . Update your add-on using the {aws} CLI. If you want to use the {aws-management-console} or `eksctl` to update the add-on, see <>. Copy the command that follows to your device. Make the following modifications to the command, as needed, and then run the modified command. + ** Replace [.replaceable]`my-cluster` with the name of your cluster. -** Replace [.replaceable]`v1.19.0-eksbuild.1` with the latest version listed in the latest version table for your cluster version. +** Replace [.replaceable]`v1.19.2-eksbuild.1` with the latest version listed in the latest version table for your cluster version. ** Replace [.replaceable]`111122223333` with your account ID and [.replaceable]`AmazonEKSVPCCNIRole` with the name of an existing IAM role that you've created. To create an IAM role for the VPC CNI, see <>. Specifying a role requires that you have an IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you have one for your cluster, or to create one, see <>. ** The `--resolve-conflicts PRESERVE` option preserves existing configuration values for the add-on. If you've set custom values for add-on settings, and you don't use this option, Amazon EKS overwrites your values with its default values. If you use this option, then we recommend testing any field and value changes on a non-production cluster before updating the add-on on your production cluster. If you change this value to `OVERWRITE`, all settings are changed to Amazon EKS default values. If you've set custom values for any settings, they might be overwritten with Amazon EKS default values. If you change this value to `none`, Amazon EKS doesn't change the value of any settings, but the update might fail. If the update fails, you receive an error message to help you resolve the conflict. -** If you're not updating a configuration setting, remove `--configuration-values '{[.replaceable]``"env":{"AWS_VPC_K8S_CNI_EXTERNALSNAT":"true"}``}'` from the command. If you're updating a configuration setting, replace [.replaceable]`"env":{"AWS_VPC_K8S_CNI_EXTERNALSNAT":"true"}` with the setting that you want to set. In this example, the `AWS_VPC_K8S_CNI_EXTERNALSNAT` environment variable is set to `true`. The value that you specify must be valid for the configuration schema. If you don't know the configuration schema, run `aws eks describe-addon-configuration --addon-name vpc-cni --addon-version [.replaceable]``v1.19.0-eksbuild.1```, replacing [.replaceable]`v1.19.0-eksbuild.1` with the version number of the add-on that you want to see the configuration for. The schema is returned in the output. If you have any existing custom configuration, want to remove it all, and set the values for all settings back to Amazon EKS defaults, remove [.replaceable]`"env":{"AWS_VPC_K8S_CNI_EXTERNALSNAT":"true"}` from the command, so that you have empty `{}`. For an explanation of each setting, see https://github.com/aws/amazon-vpc-cni-k8s#cni-configuration-variables[CNI Configuration Variables] on GitHub. +** If you're not updating a configuration setting, remove `--configuration-values '{[.replaceable]``"env":{"AWS_VPC_K8S_CNI_EXTERNALSNAT":"true"}``}'` from the command. If you're updating a configuration setting, replace [.replaceable]`"env":{"AWS_VPC_K8S_CNI_EXTERNALSNAT":"true"}` with the setting that you want to set. In this example, the `AWS_VPC_K8S_CNI_EXTERNALSNAT` environment variable is set to `true`. The value that you specify must be valid for the configuration schema. If you don't know the configuration schema, run `aws eks describe-addon-configuration --addon-name vpc-cni --addon-version [.replaceable]``v1.19.2-eksbuild.1```, replacing [.replaceable]`v1.19.2-eksbuild.1` with the version number of the add-on that you want to see the configuration for. The schema is returned in the output. If you have any existing custom configuration, want to remove it all, and set the values for all settings back to Amazon EKS defaults, remove [.replaceable]`"env":{"AWS_VPC_K8S_CNI_EXTERNALSNAT":"true"}` from the command, so that you have empty `{}`. For an explanation of each setting, see https://github.com/aws/amazon-vpc-cni-k8s#cni-configuration-variables[CNI Configuration Variables] on GitHub. + [source,bash,subs="verbatim,attributes"] ---- -aws eks update-addon --cluster-name my-cluster --addon-name vpc-cni --addon-version v1.19.0-eksbuild.1 \ +aws eks update-addon --cluster-name my-cluster --addon-name vpc-cni --addon-version v1.19.2-eksbuild.1 \ --service-account-role-arn {arn-aws}iam::111122223333:role/AmazonEKSVPCCNIRole \ --resolve-conflicts PRESERVE --configuration-values '{"env":{"AWS_VPC_K8S_CNI_EXTERNALSNAT":"true"}}' ---- @@ -62,7 +62,7 @@ An example output is as follows. "addonName": "vpc-cni", "clusterName": "my-cluster", "status": "ACTIVE", - "addonVersion": "v1.19.0-eksbuild.1", + "addonVersion": "v1.19.2-eksbuild.1", "health": { "issues": [] }, diff --git a/vale/styles/EksDocs/ExternalDomains.yml b/vale/styles/EksDocs/ExternalDomains.yml index 2f82ac779..6e31221db 100644 --- a/vale/styles/EksDocs/ExternalDomains.yml +++ b/vale/styles/EksDocs/ExternalDomains.yml @@ -143,7 +143,7 @@ exceptions: - https://raw.githubusercontent.com/aws-observability/ - https://raw.githubusercontent.com/aws-samples/ - https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.12.6/config/master/cni-metrics-helper.yaml - - https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.19.0/config/master/aws-k8s-cni.yaml + - https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.19.2/config/master/aws-k8s-cni.yaml - https://raw.githubusercontent.com/aws/eks-charts/master/stable/aws-load-balancer-controller/crds/crds.yaml - https://raw.githubusercontent.com/awslabs/amazon-eks-ami/ - https://raw.githubusercontent.com/awslabs/amazoneks-ami/ From 8f045eb6de0b99ba710576eb620b00dc98fa7488 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Fri, 7 Feb 2025 16:06:22 +0000 Subject: [PATCH 117/940] Added missing contribute note back. --- latest/ug/book.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/book.adoc b/latest/ug/book.adoc index ed99b4360..126759452 100644 --- a/latest/ug/book.adoc +++ b/latest/ug/book.adoc @@ -31,7 +31,7 @@ This is official Amazon Web Services ({aws}) documentation for Amazon Elastic Ku *Help improve this page* [.banner.info] -Want to contribute to this user guide? Choose the +Want to contribute to this user guide? Choose the 📝 *Edit this page on GitHub* link that is located at the bottom of every page. Your contributions will help make our user guide better for everyone. include::what-is/what-is-eks.adoc[leveloffset=+1] From ff6db0ab183f99a64a7520af4e7507578e5e283c Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Fri, 7 Feb 2025 18:02:35 +0000 Subject: [PATCH 118/940] Updated link approach for doc history. --- latest/ug/automode/troubleshoot-lbc.adoc | 2 +- latest/ug/doc-history.adoc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/automode/troubleshoot-lbc.adoc b/latest/ug/automode/troubleshoot-lbc.adoc index 7feeb3e0d..8993306fa 100644 --- a/latest/ug/automode/troubleshoot-lbc.adoc +++ b/latest/ug/automode/troubleshoot-lbc.adoc @@ -97,7 +97,7 @@ For stuck resources: ## Additional Resources -- link:https://docs.aws.amazon.com/eks/latest/userguide/troubleshooting.html[{aws} EKS Troubleshooting] +- <> - link:https://console.aws.amazon.com/support/home[{aws} Support Center] - link:https://status.aws.amazon.com/[{aws} Service Health Dashboard] diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index a8e25145e..455743b4b 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -30,7 +30,7 @@ The following table describes the major updates and new features for the Amazon [.update-ulink] https://docs.aws.amazon.com/eks/latest/userguide/managed-node-update-behavior.html#managed-node-update-upgrade -You can now use update strategies to configure the version update process for managed node groups. This introduces the __minimal__ update strategy to terminate nodes before making new ones, which is useful in capacity constrained environments. The __default__ update strategy continues the existing behavior. +You can now use update strategies to configure the version update process for managed node groups. This introduces the _minimal_ update strategy to terminate nodes before making new ones, which is useful in capacity constrained environments. The _default_ update strategy continues the existing behavior. [.update,date="2025-01-23"] === [.noloc]`Kubernetes` version `1.32` From 9fd53d99af419103b21a458806f0740117505b25 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Fri, 7 Feb 2025 18:50:20 +0000 Subject: [PATCH 119/940] Standardizing link formats. --- latest/ug/automode/create-node-pool.adoc | 4 +- latest/ug/automode/troubleshoot-lbc.adoc | 2 +- latest/ug/clusters/create-cluster-auto.adoc | 2 +- latest/ug/clusters/create-cluster.adoc | 6 +- .../kubernetes-versions-extended.adoc | 2 +- latest/ug/clusters/kubernetes-versions.adoc | 2 +- latest/ug/clusters/zone-shift.adoc | 4 +- latest/ug/doc-history.adoc | 416 +++++++++--------- .../getting-started-console.adoc | 6 +- latest/ug/manage-access/cluster-auth.adoc | 11 +- latest/ug/ml/ml-get-started.adoc | 2 +- latest/ug/ml/ml-tutorials.adoc | 52 +-- latest/ug/nodes/hybrid-nodes-creds.adoc | 2 +- latest/ug/nodes/hybrid-nodes-join.adoc | 2 +- latest/ug/nodes/hybrid-nodes-prereqs.adoc | 2 +- latest/ug/nodes/hybrid-nodes-remove.adoc | 2 +- latest/ug/what-is/eks-deployment-options.adoc | 6 +- latest/ug/what-is/what-is-eks.adoc | 14 +- 18 files changed, 267 insertions(+), 270 deletions(-) diff --git a/latest/ug/automode/create-node-pool.adoc b/latest/ug/automode/create-node-pool.adoc index 95cd9b81c..98a8d1532 100644 --- a/latest/ug/automode/create-node-pool.adoc +++ b/latest/ug/automode/create-node-pool.adoc @@ -141,11 +141,11 @@ EKS Auto Mode supports the following well known labels. |eks.amazonaws.com/instance-ebs-bandwidth |9500 -|Number of link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-optimized.html#ebs-optimization-performance[maximum megabits] of EBS available on the instance +|Number of link:AWSEC2/latest/UserGuide/ebs-optimized.html#ebs-optimization-performance[maximum megabits,type="documentation"] of EBS available on the instance |eks.amazonaws.com/instance-network-bandwidth |131072 -|Number of link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-network-bandwidth.html[baseline megabits] available on the instance +|Number of link:AWSEC2/latest/UserGuide/ec2-instance-network-bandwidth.html[baseline megabits,type="documentation"] available on the instance |eks.amazonaws.com/instance-gpu-name |t4 diff --git a/latest/ug/automode/troubleshoot-lbc.adoc b/latest/ug/automode/troubleshoot-lbc.adoc index 8993306fa..105ad3396 100644 --- a/latest/ug/automode/troubleshoot-lbc.adoc +++ b/latest/ug/automode/troubleshoot-lbc.adoc @@ -98,7 +98,7 @@ For stuck resources: ## Additional Resources - <> -- link:https://console.aws.amazon.com/support/home[{aws} Support Center] +- link:support/home[{aws} Support Center,type="console"] - link:https://status.aws.amazon.com/[{aws} Service Health Dashboard] diff --git a/latest/ug/clusters/create-cluster-auto.adoc b/latest/ug/clusters/create-cluster-auto.adoc index 4c29b820c..fc4d82b26 100644 --- a/latest/ug/clusters/create-cluster-auto.adoc +++ b/latest/ug/clusters/create-cluster-auto.adoc @@ -63,7 +63,7 @@ This topic covers advanced configuration. If you are looking to get started with ** *Bootstrap cluster administrator access* -- The cluster creator is automatically a Kubernetes administrator. If you want to disable this, select *Disallow cluster administrator access*. ** *Cluster authentication mode* -- EKS Auto Mode requires EKS access entries, the EKS API authentication mode. You can optionally enable the `ConfigMap` authentication mode by selecting *EKS API and ConfigMap*. . Enter the remaining fields on the configure cluster page: -** *Secrets encryption* – (Optional) Choose to enable secrets encryption of [.noloc]`Kubernetes` secrets using a KMS key. You can also enable this after you create your cluster. Before you enable this capability, make sure that you're familiar with the information in xref:enable-kms[Encrypt Kubernetes secrets with {aws} KMS on existing clusters,linkend=enable-kms]. +** *Secrets encryption* – (Optional) Choose to enable secrets encryption of [.noloc]`Kubernetes` secrets using a KMS key. You can also enable this after you create your cluster. Before you enable this capability, make sure that you're familiar with the information in xref:enable-kms[Encrypt Kubernetes secrets with {aws} KMS on existing clusters,linkend=enable-kms]. ** *ARC Zonal shift* -- EKS Auto Mode does not support Arc Zonal shift. ** *Tags* – (Optional) Add any tags to your cluster. For more information, see <>. + diff --git a/latest/ug/clusters/create-cluster.adoc b/latest/ug/clusters/create-cluster.adoc index c762866d3..0df29549b 100644 --- a/latest/ug/clusters/create-cluster.adoc +++ b/latest/ug/clusters/create-cluster.adoc @@ -135,7 +135,7 @@ The CIDR block must meet the following requirements: You can only specify this option when using the `IPv4` address family and only at cluster creation. If you don't specify this, then [.noloc]`Kubernetes` assigns service IP addresses from either the `10.100.0.0/16` or `172.20.0.0/16` CIDR blocks. * If you're creating cluster and want the cluster to assign `IPv6` addresses to [.noloc]`Pods` and services instead of `IPv4` addresses, specify the https://eksctl.io/usage/schema/#kubernetesNetworkConfig-ipFamily[ipFamily] option. + -[.noloc]`Kubernetes` assigns `IPv4` addresses to [.noloc]`Pods` and services, by default. Before deciding to use the `IPv6` family, make sure that you're familiar with all of the considerations and requirements in the xref:network-requirements-vpc[VPC requirements and considerations,linkend=network-requirements-vpc], xref:network-requirements-subnets[Subnet requirements and considerations,linkend=network-requirements-subnets], xref:sec-group-reqs[View Amazon EKS security group requirements for clusters,linkend=sec-group-reqs], and <> topics. If you choose the `IPv6` family, you can't specify an address range for [.noloc]`Kubernetes` to assign `IPv6` service addresses from like you can for the `IPv4` family. [.noloc]`Kubernetes` assigns service addresses from the unique local address range (`fc00::/7`). +[.noloc]`Kubernetes` assigns `IPv4` addresses to [.noloc]`Pods` and services, by default. Before deciding to use the `IPv6` family, make sure that you're familiar with all of the considerations and requirements in the <>, <>, <>, and <> topics. If you choose the `IPv6` family, you can't specify an address range for [.noloc]`Kubernetes` to assign `IPv6` service addresses from like you can for the `IPv4` family. [.noloc]`Kubernetes` assigns service addresses from the unique local address range (`fc00::/7`). [#step2-console] === Create cluster - {aws} console @@ -152,7 +152,7 @@ You can only specify this option when using the `IPv4` address family and only a ** *Cluster IAM role* – Choose the Amazon EKS cluster IAM role that you created to allow the [.noloc]`Kubernetes` control plane to manage {aws} resources on your behalf. ** *[.noloc]`Kubernetes` version* – The version of [.noloc]`Kubernetes` to use for your cluster. We recommend selecting the latest version, unless you need an earlier version. ** *Support type* -- The [.noloc]`Kubernetes` version policy you would like to set for your cluster. If you want your cluster to only run on a standard support version, you can choose *Standard support*. If you want your cluster to enter extended support at the end of standard support for a version, you can choose *Extended support*. If you select a [.noloc]`Kubernetes` version that is currently in extended support, you can not select standard support as an option. -** *Secrets encryption* – (Optional) Choose to enable secrets encryption of [.noloc]`Kubernetes` secrets using a KMS key. You can also enable this after you create your cluster. Before you enable this capability, make sure that you're familiar with the information in xref:enable-kms[Encrypt Kubernetes secrets with {aws} KMS on existing clusters,linkend=enable-kms]. +** *Secrets encryption* – (Optional) Choose to enable secrets encryption of [.noloc]`Kubernetes` secrets using a KMS key. You can also enable this after you create your cluster. Before you enable this capability, make sure that you're familiar with the information in <>. ** *Tags* – (Optional) Add any tags to your cluster. For more information, see <>. ** *ARC Zonal shift* - (Optional) You can use Route53 Application Recovery controller to mitigate impaired availability zones. For more information, see <>. . In the *Cluster access* section of the configure cluster page, enter the following fields: @@ -162,7 +162,7 @@ You can only specify this option when using the `IPv4` address family and only a When you're done with this page, choose *Next*. . On the *Specify networking* page, select values for the following fields: + -** *VPC* – Choose an existing VPC that meets xref:network-requirements-vpc[Amazon EKS VPC requirements,linkend=network-requirements-vpc] to create your cluster in. Before choosing a VPC, we recommend that you're familiar with all of the requirements and considerations in xref:network-reqs[View Amazon EKS networking requirements for VPC and subnets,linkend=network-reqs]. You can't change which VPC you want to use after cluster creation. If no VPCs are listed, then you need to create one first. For more information, see <>. +** *VPC* – Choose an existing VPC that meets xref:network-requirements-vpc[Amazon EKS VPC requirements,linkend=network-requirements-vpc] to create your cluster in. Before choosing a VPC, we recommend that you're familiar with all of the requirements and considerations in xref:network-reqs[View Amazon EKS networking requirements for VPC and subnets,linkend=network-reqs]. You can't change which VPC you want to use after cluster creation. If no VPCs are listed, then you need to create one first. For more information, see <>. ** *Subnets* – By default, all available subnets in the VPC specified in the previous field are preselected. You must select at least two. + The subnets that you choose must meet the <>. Before selecting subnets, we recommend that you're familiar with all of the <>. diff --git a/latest/ug/clusters/kubernetes-versions-extended.adoc b/latest/ug/clusters/kubernetes-versions-extended.adoc index 364e631fb..da6eb141b 100644 --- a/latest/ug/clusters/kubernetes-versions-extended.adoc +++ b/latest/ug/clusters/kubernetes-versions-extended.adoc @@ -78,7 +78,7 @@ For the complete [.noloc]`Kubernetes` `1.26` changelog, see https://github.com/k * Amazon EC2 `P2` instances aren't supported on Amazon EKS because they require `NVIDIA` driver version 470 or earlier. -* `PodSecurityPolicy` ([.noloc]`PSP`) is removed in [.noloc]`Kubernetes` `1.25`. [.noloc]`PSPs` are replaced with https://kubernetes.io/docs/concepts/security/pod-security-admission/[Pod Security Admission (PSA)] and Pod Security Standards [.noloc]`(PSS)`. [.noloc]`PSA` is a built-in admission controller that implements the security controls outlined in the https://kubernetes.io/docs/concepts/security/pod-security-standards/[PSS]. [.noloc]`PSA` and [.noloc]`PSS` are graduated to stable in [.noloc]`Kubernetes` `1.25` and are enabled in Amazon EKS by default. If you have [.noloc]`PSPs` in your cluster, make sure to migrate from [.noloc]`PSP` to the built-in [.noloc]`Kubernetes` [.noloc]`PSS` or to a policy-as-code solution before upgrading your cluster to version `1.25`. If you don't migrate from PSP, you might encounter interruptions to your workloads. For more information, see the xref:pod-security-policy-removal-faq[Migrate from legacy pod security policies (PSP),linkend=pod-security-policy-removal-faq]. +* `PodSecurityPolicy` ([.noloc]`PSP`) is removed in [.noloc]`Kubernetes` `1.25`. [.noloc]`PSPs` are replaced with https://kubernetes.io/docs/concepts/security/pod-security-admission/[Pod Security Admission (PSA)] and Pod Security Standards [.noloc]`(PSS)`. [.noloc]`PSA` is a built-in admission controller that implements the security controls outlined in the https://kubernetes.io/docs/concepts/security/pod-security-standards/[PSS]. [.noloc]`PSA` and [.noloc]`PSS` are graduated to stable in [.noloc]`Kubernetes` `1.25` and are enabled in Amazon EKS by default. If you have [.noloc]`PSPs` in your cluster, make sure to migrate from [.noloc]`PSP` to the built-in [.noloc]`Kubernetes` [.noloc]`PSS` or to a policy-as-code solution before upgrading your cluster to version `1.25`. If you don't migrate from PSP, you might encounter interruptions to your workloads. For more information, see the <>. * [.noloc]`Kubernetes` version `1.25` contains changes that alter the behavior of an existing feature known as API Priority and Fairness (APF). APF serves to shield the API server from potential overload during periods of heightened request volumes. It does this by placing restrictions on the number of concurrent requests that can be processed at any given time. This is achieved through the application of distinct priority levels and limits to requests originating from various workloads or users. This approach ensures that critical applications or high-priority requests receive preferential treatment, while simultaneously preventing lower priority requests from overwhelming the API server. For more information, see https://kubernetes.io/docs/concepts/cluster-administration/flow-control/[API Priority and Fairness] in the [.noloc]`Kubernetes` documentation or https://aws.github.io/aws-eks-best-practices/scalability/docs/control-plane/#api-priority-and-fairness[API Priority and Fairness] in the EKS Best Practices Guide. + These updates were introduced in https://github.com/kubernetes/kubernetes/pull/103521[PR #10352] and https://github.com/kubernetes/kubernetes/pull/118601[PR #118601]. Previously, APF treated all types of requests uniformly, with each request consuming a single unit of the concurrent request limit. The APF behavior change assigns higher units of concurrency to `LIST` requests due to the exceptionally heavy burden put on the API server by these requests. The API server estimates the number of objects that will be returned by a `LIST` request. It assigns a unit of concurrency that is proportional to the number of objects returned. diff --git a/latest/ug/clusters/kubernetes-versions.adoc b/latest/ug/clusters/kubernetes-versions.adoc index 233224a3e..e9016010b 100644 --- a/latest/ug/clusters/kubernetes-versions.adoc +++ b/latest/ug/clusters/kubernetes-versions.adoc @@ -245,7 +245,7 @@ No. Cloud security at {aws} is the highest priority. Past a certain point (usual *Is there additional cost to get extended support?*:: -Yes, there is additional cost for Amazon EKS clusters running in extended support. For pricing details, see link:containers/amazon-eks-extended-support-for-kubernetes-versions-pricing[Amazon EKS extended support for Kubernetes version pricing,type="blog"] on the {aws} blog or our https://aws.amazon.com/eks/pricing/[pricing page]. +Yes, there is additional cost for Amazon EKS clusters running in extended support. For pricing details, see link:containers/amazon-eks-extended-support-for-kubernetes-versions-pricing[Amazon EKS extended support for Kubernetes version pricing,type="blog"] on the {aws} blog or our link:eks/pricing/[pricing page,type="marketing"]. *What is included in extended support?*:: diff --git a/latest/ug/clusters/zone-shift.adoc b/latest/ug/clusters/zone-shift.adoc index fbd50f085..46b017ae6 100644 --- a/latest/ug/clusters/zone-shift.adoc +++ b/latest/ug/clusters/zone-shift.adoc @@ -270,8 +270,8 @@ You can use ARC zonal shift and zonal autoshift in your EKS cluster at no additi * link:r53recovery/latest/dg/arc-zonal-shift.how-it-works.html["How a zonal shift works",type="documentation"] * link:r53recovery/latest/dg/route53-arc-best-practices.zonal-shifts.html#zonalshift.route53-arc-best-practices.zonal-shifts["Best practices for zonal shifts in ARC",type="documentation"] * link:r53recovery/latest/dg/arc-zonal-shift.resource-types.html["Resources and scenarios supported for zonal shift and zonal autoshift",type="documentation"] -* link:blogs/containers/operating-resilient-workloads-on-amazon-eks/["Operating resilient workloads on Amazon EKS",type="marketing"] -* link:blogs/containers/eliminate-kubernetes-node-scaling-lag-with-pod-priority-and-over-provisioning/["Eliminate Kubernetes node scaling lag with pod priority and over-provisioning",type="marketing"] +* link:containers/operating-resilient-workloads-on-amazon-eks["Operating resilient workloads on Amazon EKS",type="blog"] +* link:containers/eliminate-kubernetes-node-scaling-lag-with-pod-priority-and-over-provisioning["Eliminate Kubernetes node scaling lag with pod priority and over-provisioning",type="blog"] * <> diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index 455743b4b..3d59b302f 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -28,14 +28,14 @@ The following table describes the major updates and new features for the Amazon [.update,date="2025-01-27"] === Update strategies for managed node groups [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/managed-node-update-behavior.html#managed-node-update-upgrade +link:eks/latest/userguide/managed-node-update-behavior.html#managed-node-update-upgrade[type="documentation"] You can now use update strategies to configure the version update process for managed node groups. This introduces the _minimal_ update strategy to terminate nodes before making new ones, which is useful in capacity constrained environments. The _default_ update strategy continues the existing behavior. [.update,date="2025-01-23"] === [.noloc]`Kubernetes` version `1.32` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1-32 +link:eks/latest/userguide/kubernetes-versions.html#kubernetes-1-32[type="documentation"] Added [.noloc]`Kubernetes` version `1.32` support for new clusters and version upgrades. @@ -46,14 +46,14 @@ Amazon EKS is now available in the Asia Pacific (Thailand) Region (`ap-southeast [.update,date="2025-01-13"] === {aws} managed policy updates [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/security-iam-awsmanpol.html +link:eks/latest/userguide/security-iam-awsmanpol.html[type="documentation"] Added multiple permissions to `AmazonEBSCSIDriverPolicy` to allow the Amazon EBS CSI Driver restore all snapshots, enable Fast Snapshot Restore (FSR) on EBS volumes, and modify tags on volumes. [.update,date="2024-12-26"] === {aws} managed policy updates [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/security-iam-awsmanpol.html +link:eks/latest/userguide/security-iam-awsmanpol.html[type="documentation"] Added permissions to `AmazonEKSLoadBalancingPolicy`. @@ -61,7 +61,7 @@ Added permissions to `AmazonEKSLoadBalancingPolicy`. [.update,date="2024-12-20"] === Updated cluster insights [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/cluster-insights.html +link:eks/latest/userguide/cluster-insights.html[type="documentation"] Amazon EKS upgrade insights will now warn about more cluster health and version compatibility issues. It can detect issues between different [.noloc]`Kubernetes` and Amazon EKS components such as `kubelet`, `kube-proxy`, and Amazon EKS add-ons. @@ -69,7 +69,7 @@ Amazon EKS upgrade insights will now warn about more cluster health and version [.update,date="2024-12-16"] === Node monitoring agent and auto repair [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/node-health.html +link:eks/latest/userguide/node-health.html[type="documentation"] You can use the new `eks-node-monitoring-agent` as an Amazon EKS add-on to detect and show health issues. You can also enable node auto repair to automatically replace nodes when issues are detected. @@ -77,7 +77,7 @@ You can use the new `eks-node-monitoring-agent` as an Amazon EKS add-on to detec [.update,date="2024-12-01"] === Amazon EKS Hybrid Nodes [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/hybrid-nodes-overview.html +link:eks/latest/userguide/hybrid-nodes-overview.html[type="documentation"] You can now run node on-premises connected to Amazon EKS clusters. With Amazon EKS Hybrid Nodes, you can use your on-premises and edge infrastructure as nodes in Amazon EKS clusters. {aws} manages the {aws}-hosted Kubernetes control plane of the Amazon EKS cluster, and you manage the hybrid nodes that run in your on-premises or edge environments. @@ -85,7 +85,7 @@ You can now run node on-premises connected to Amazon EKS clusters. With Amazon E [.update,date="2024-12-01"] === Amazon EKS Auto Mode [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/automode.html +link:eks/latest/userguide/automode.html[type="documentation"] Amazon EKS Auto Mode fully automates Kubernetes cluster infrastructure management for compute, storage, and networking on {aws}. It simplifies Kubernetes management by automatically provisioning infrastructure, selecting optimal compute instances, dynamically scaling resources, continuously optimizing costs, patching operating systems, and integrating with {aws} security services. @@ -93,7 +93,7 @@ Amazon EKS Auto Mode fully automates Kubernetes cluster infrastructure managemen [.update,date="2024-11-22"] === {aws} managed policy updates [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/security-iam-awsmanpol.html +link:eks/latest/userguide/security-iam-awsmanpol.html[type="documentation"] Updated `AWSServiceRoleForAmazonEKSNodegroup` for compatibility with China regions. @@ -101,7 +101,7 @@ Updated `AWSServiceRoleForAmazonEKSNodegroup` for compatibility with China regio [.update,date="2024-11-22"] === Amazon EKS platform version update [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html +link:eks/latest/userguide/platform-versions.html[type="documentation"] This is a new platform version with security fixes and enhancements. This includes new patch versions of Kubernetes `1.31.2`, `1.30.6`, `1.29.10`, and `1.28.15`. @@ -109,7 +109,7 @@ This is a new platform version with security fixes and enhancements. This includ [.update,date="2024-11-21"] === {aws} managed policy updates [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/security-iam-awsmanpol.html +link:eks/latest/userguide/security-iam-awsmanpol.html[type="documentation"] EKS updated {aws} managed policy `AmazonEKSLocalOutpostClusterPolicy`. Added `ec2:DescribeAvailabilityZones` permission so the {aws} Cloud Controller Manager on the cluster control plane can identify the Availability Zone that each node is in. @@ -117,7 +117,7 @@ EKS updated {aws} managed policy `AmazonEKSLocalOutpostClusterPolicy`. Added `ec [.update,date="2024-11-21"] === [.noloc]`Kubernetes` version 1.30 is now available for local clusters on {aws} Outposts [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/eks-outposts-platform-versions.html +link:eks/latest/userguide/eks-outposts-platform-versions.html[type="documentation"] You can now create an Amazon EKS local cluster on an {aws} Outposts using [.noloc]`Kubernetes` version 1.30. @@ -125,7 +125,7 @@ You can now create an Amazon EKS local cluster on an {aws} Outposts using [.nolo [.update,date="2024-11-20"] === [.noloc]`Bottlerocket` AMIs that use FIPS 140-3 [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id-bottlerocket.html +link:eks/latest/userguide/retrieve-ami-id-bottlerocket.html[type="documentation"] [.noloc]`Bottlerocket` AMIs are available that are preconfigured to use FIPS 140-3 validated cryptographic modules. This includes the Amazon Linux 2023 Kernel Crypto API Cryptographic Module and the {aws}-LC Cryptographic Module. @@ -133,7 +133,7 @@ https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id-bottlerocket.ht [.update,date="2024-11-20"] === {aws} managed policy updates [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/security-iam-awsmanpol.html +link:eks/latest/userguide/security-iam-awsmanpol.html[type="documentation"] Updated `AWSServiceRoleForAmazonEKSNodegroup` policy to allow `ec2:RebootInstances` for instances created by Amazon EKS managed node groups. Restricted the `ec2:CreateTags` permissions for Amazon EC2 resources. @@ -141,7 +141,7 @@ Updated `AWSServiceRoleForAmazonEKSNodegroup` policy to allow `ec2:RebootInstanc [.update,date="2024-11-18"] === Observability dashboard [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/observability-dashboard.html +link:eks/latest/userguide/observability-dashboard.html[type="documentation"] The observability dashboard helps you to quickly detect, troubleshoot, and remediate issues. There are also new link:eks/latest/userguide/cloudwatch.html[CloudWatch vended metrics,type="documentation"] available in the `AWS/EKS` namespace. @@ -149,7 +149,7 @@ The observability dashboard helps you to quickly detect, troubleshoot, and remed [.update,date="2024-11-16"] === {aws} managed policy updates [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/security-iam-awsmanpol.html +link:eks/latest/userguide/security-iam-awsmanpol.html[type="documentation"] EKS updated {aws} managed policy `AmazonEKSServiceRolePolicy`. Added permissions for EKS access policies, load balancer management, and automated cluster resource cleanup. @@ -157,7 +157,7 @@ EKS updated {aws} managed policy `AmazonEKSServiceRolePolicy`. Added permissions [.update,date="2024-11-15"] === New role creation in console for add-ons that support EKS Pod Identities [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/creating-an-add-on.html#_create_add_on_console +link:eks/latest/userguide/creating-an-add-on.html#_create_add_on_console[type="documentation"] There are new steps when using the console to create or update add-ons that support EKS Pod Identities where you can automatically generate IAM roles with the appropriate name, role policy, and trust policy for the add-on. @@ -165,7 +165,7 @@ There are new steps when using the console to create or update add-ons that supp [.update,date="2024-11-15"] === Managed node groups in {aws} Local Zones [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/local-zones.html +link:eks/latest/userguide/local-zones.html[type="documentation"] Managed node groups can now be created in {aws} Local Zones. @@ -173,7 +173,7 @@ Managed node groups can now be created in {aws} Local Zones. [.update,date="2024-11-11"] === New metrics are available [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/view-raw-metrics.html +link:eks/latest/userguide/view-raw-metrics.html[type="documentation"] There are new metrics available under the API group `metrics.eks.amazonaws.com`. @@ -181,7 +181,7 @@ There are new metrics available under the API group `metrics.eks.amazonaws.com`. [.update,date="2024-11-07"] === {aws} managed policy updates [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/security-iam-awsmanpol.html +link:eks/latest/userguide/security-iam-awsmanpol.html[type="documentation"] EKS updated {aws} managed policy `AmazonEKSComputePolicy`. Updated resource permissions for the `iam:AddRoleToInstanceProfile` action. @@ -189,7 +189,7 @@ EKS updated {aws} managed policy `AmazonEKSComputePolicy`. Updated resource perm [.update,date="2024-11-01"] === {aws} managed policy updates [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/security-iam-awsmanpol.html +link:eks/latest/userguide/security-iam-awsmanpol.html[type="documentation"] EKS added a new {aws} managed policy: `AmazonEKSComputePolicy` @@ -197,7 +197,7 @@ EKS added a new {aws} managed policy: `AmazonEKSComputePolicy` [.update,date="2024-11-01"] === {aws} managed policy updates [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/security-iam-awsmanpol.html +link:eks/latest/userguide/security-iam-awsmanpol.html[type="documentation"] Added permissions to `AmazonEKSClusterPolicy`. Added `ec2:DescribeInstanceTopology` permission to allow Amazon EKS to attach topology information to the node as labels. @@ -205,7 +205,7 @@ Added permissions to `AmazonEKSClusterPolicy`. Added `ec2:DescribeInstanceTopolo [.update,date="2024-10-30"] === {aws} managed policy updates [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/security-iam-awsmanpol.html +link:eks/latest/userguide/security-iam-awsmanpol.html[type="documentation"] EKS added a new {aws} managed policy: `AmazonEKSBlockStoragePolicy` @@ -214,7 +214,7 @@ EKS added a new {aws} managed policy: `AmazonEKSBlockStoragePolicy` [.update,date="2024-10-30"] === {aws} managed policy updates [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/security-iam-awsmanpol.html +link:eks/latest/userguide/security-iam-awsmanpol.html[type="documentation"] EKS added a new {aws} managed policy: `AmazonEKSLoadBalancingPolicy` @@ -223,7 +223,7 @@ EKS added a new {aws} managed policy: `AmazonEKSLoadBalancingPolicy` [.update,date="2024-10-29"] === {aws} managed policy updates [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/security-iam-awsmanpol.html +link:eks/latest/userguide/security-iam-awsmanpol.html[type="documentation"] Added `cloudwatch:PutMetricData` permissions to `AmazonEKSServiceRolePolicy` to allow Amazon EKS to publish metrics to Amazon CloudWatch. @@ -232,7 +232,7 @@ Added `cloudwatch:PutMetricData` permissions to `AmazonEKSServiceRolePolicy` to [.update,date="2024-10-28"] === {aws} managed policy updates [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/security-iam-awsmanpol.html +link:eks/latest/userguide/security-iam-awsmanpol.html[type="documentation"] EKS added a new {aws} managed policy: `AmazonEKSNetworkingPolicy` @@ -241,7 +241,7 @@ EKS added a new {aws} managed policy: `AmazonEKSNetworkingPolicy` [.update,date="2024-10-21"] === {aws} managed policy updates [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/security-iam-awsmanpol.html +link:eks/latest/userguide/security-iam-awsmanpol.html[type="documentation"] Added `autoscaling:ResumeProcesses`, `autoscaling:SuspendProcesses`, and associated permissions to `AWSServiceRoleForAmazonEKSNodegroup` in China regions to integrate with Amazon Application Recovery Controller for EKS. No changes to other regions. @@ -256,7 +256,7 @@ Connect to new `IPv6` clusters with a `eks-cluster.[.replaceable]``region``.api. [.update,date="2024-10-10"] === {aws} managed policy updates [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/security-iam-awsmanpol.html +link:eks/latest/userguide/security-iam-awsmanpol.html[type="documentation"] Added permissions to `AmazonEKSServicePolicy` and `AmazonEKSServiceRolePolicy`. Added `ec2:GetSecurityGroupsForVpc` and associated tag permissions to allow EKS to read security group information and update related tags. @@ -264,7 +264,7 @@ Added permissions to `AmazonEKSServicePolicy` and `AmazonEKSServiceRolePolicy`. [.update,date="2024-10-11"] === AL2023 accelerated AMIs [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html +link:eks/latest/userguide/retrieve-ami-id.html[type="documentation"] You can now use accelerated `NVIDIA` and {aws} Neuron instances for AMIs based on AL2023. @@ -278,14 +278,14 @@ We have switched over to a new source format with some layout changes. There are [.update,date="2024-10-03"] === {aws} managed policy updates - New policy [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates +link:eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates[type="documentation"] EKS added a new {aws} managed policy. [.update,date="2024-09-24"] === [.noloc]`Kubernetes` version `1.31` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1-31 +link:eks/latest/userguide/kubernetes-versions.html#kubernetes-1-31[type="documentation"] Added [.noloc]`Kubernetes` version `1.31` support for new clusters and version upgrades. @@ -293,7 +293,7 @@ Added [.noloc]`Kubernetes` version `1.31` support for new clusters and version u [.update,date="2024-08-21"] === {aws} managed policy updates - Update to an existing policy [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates +link:eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates[type="documentation"] Amazon EKS updated an existing {aws} managed policy. @@ -301,7 +301,7 @@ Amazon EKS updated an existing {aws} managed policy. [.update,date="2024-08-20"] === [.noloc]`Kubernetes` version 1.29 is now available for local clusters on {aws} Outposts [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/eks-outposts-platform-versions.html +link:eks/latest/userguide/eks-outposts-platform-versions.html[type="documentation"] You can now create an Amazon EKS local cluster on an {aws} Outposts using [.noloc]`Kubernetes` version 1.29. @@ -309,7 +309,7 @@ You can now create an Amazon EKS local cluster on an {aws} Outposts using [.nolo [.update,date="2024-08-14"] === EKS Pod Identity in {aws} GovCloud (US) [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/pod-identites.html +link:eks/latest/userguide/pod-identites.html[type="documentation"] Amazon EKS Pod Identities associate an IAM role with a [.noloc]`Kubernetes` service account. With this feature, you no longer need to provide extended permissions to the node IAM role. This way, [.noloc]`Pods` on that node can call {aws} APIs. Unlike IAM roles for service accounts, EKS Pod Identities are completely inside EKS; you don't need an [.noloc]`OIDC` identity provider. @@ -322,7 +322,7 @@ We renamed and updated topics to be more scenario-driven throughout the entire g [.update,date="2024-08-07"] === Dual-stack VPC interface endpoints for Amazon EKS [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/vpc-interface-endpoints.html +link:eks/latest/userguide/vpc-interface-endpoints.html[type="documentation"] You can now create dual-stack VPC interface endpoints for Amazon EKS with both `IPv4` and `IPv6` IP addresses and DNS names. @@ -330,7 +330,7 @@ You can now create dual-stack VPC interface endpoints for Amazon EKS with both ` [.update,date="2024-08-01"] === New dual-stack endpoints for the Amazon EKS APIs with `IPv6` addresses [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/network-reqs.html +link:eks/latest/userguide/network-reqs.html[type="documentation"] The EKS API for creating and managing clusters, and the OIDC issuer URLs for clusters have new dual-stack endpoints. The new DNS name for the Amazon EKS API is `eks.[.replaceable]``region``.api.aws` which resolves to `IPv4` addresses and `IPv6` addresses. New clusters have a new dual-stack OIDC issuer URL (`oidc-eks.[.replaceable]``region``.api.aws`). @@ -338,7 +338,7 @@ The EKS API for creating and managing clusters, and the OIDC issuer URLs for clu [.update,date="2024-07-01"] === Capacity Blocks for managed node groups [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/capacity-blocks-mng.html +link:eks/latest/userguide/capacity-blocks-mng.html[type="documentation"] You can now use Capacity Blocks for managed node groups. @@ -346,7 +346,7 @@ You can now use Capacity Blocks for managed node groups. [.update,date="2024-06-28"] === Auto Scaling Group metrics collection enabled by default [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/enable-asg-metrics.html +link:eks/latest/userguide/enable-asg-metrics.html[type="documentation"] Amazon EKS managed node groups now have Amazon EC2 Auto Scaling group metrics enabled by default with no additional charge. Previously, you had to do several steps to enable this feature. @@ -354,7 +354,7 @@ Amazon EKS managed node groups now have Amazon EC2 Auto Scaling group metrics en [.update,date="2024-06-27"] === {aws} managed policy updates - Update to an existing policy [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates +link:eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates[type="documentation"] Amazon EKS updated an existing {aws} managed policy. @@ -362,7 +362,7 @@ Amazon EKS updated an existing {aws} managed policy. [.update,date="2024-06-12"] === Improvements to AMI information references [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-amis.html +link:eks/latest/userguide/eks-optimized-amis.html[type="documentation"] We made improvements to the AMI information references, in particular for [.noloc]`Bottlerocket`. @@ -370,7 +370,7 @@ We made improvements to the AMI information references, in particular for [.nolo [.update,date="2024-06-12"] === [.noloc]`Kubernetes` version `1.26` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1-26 +link:eks/latest/userguide/kubernetes-versions.html#kubernetes-1-26[type="documentation"] [.noloc]`Kubernetes` version `1.26` is now in extended support. @@ -378,7 +378,7 @@ https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubern [.update,date="2024-05-23"] === [.noloc]`Kubernetes` version `1.30` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1-30 +link:eks/latest/userguide/kubernetes-versions.html#kubernetes-1-30[type="documentation"] Added [.noloc]`Kubernetes` version `1.30` support for new clusters and version upgrades. @@ -386,7 +386,7 @@ Added [.noloc]`Kubernetes` version `1.30` support for new clusters and version u [.update,date="2024-05-14"] === [.noloc]`CoreDNS` Autoscaling [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/coredns-autoscaling.html +link:eks/latest/userguide/coredns-autoscaling.html[type="documentation"] [.noloc]`CoreDNS` autoscaler will dynamically adapt the number of replicas of the [.noloc]`CoreDNS` deployment in an EKS cluster based on the number of nodes and CPU cores. This feature works for [.noloc]`CoreDNS` `v1.9` and the latest platform version of EKS release version `1.25` and later. @@ -394,7 +394,7 @@ https://docs.aws.amazon.com/eks/latest/userguide/coredns-autoscaling.html [.update,date="2024-05-14"] === Amazon EKS platform version update [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html +link:eks/latest/userguide/platform-versions.html[type="documentation"] This is a new platform version with security fixes and enhancements. This includes new patch versions of Kubernetes `1.29.4`, `1.28.9`, and `1.27.13`. @@ -402,7 +402,7 @@ This is a new platform version with security fixes and enhancements. This includ [.update,date="2024-04-10"] === CloudWatch [.noloc]`Container Insights` support for [.noloc]`Windows` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/cloudwatch.html +link:eks/latest/userguide/cloudwatch.html[type="documentation"] The Amazon CloudWatch Observability Operator add-on now also allows [.noloc]`Container Insights` on [.noloc]`Windows` worker nodes in the cluster. @@ -410,7 +410,7 @@ The Amazon CloudWatch Observability Operator add-on now also allows [.noloc]`Con [.update,date="2024-04-05"] === [.noloc]`Kubernetes` concepts [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-concepts.html +link:eks/latest/userguide/kubernetes-concepts.html[type="documentation"] Added new Kubernetes concepts topic. @@ -418,7 +418,7 @@ Added new Kubernetes concepts topic. [.update,date="2024-04-02"] === Restructure Access and IAM Content [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/cluster-auth.html +link:eks/latest/userguide/cluster-auth.html[type="documentation"] Move existing pages related to access and IAM topics, such as auth config map, access entries, Pod ID, and IRSA into new section. Revise overview content. @@ -426,7 +426,7 @@ Move existing pages related to access and IAM topics, such as auth config map, a [.update,date="2024-03-13"] === [.noloc]`Bottlerocket` OS support for Amazon S3 CSI driver [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/s3-csi.html +link:eks/latest/userguide/s3-csi.html[type="documentation"] The Mountpoint for Amazon S3 CSI driver is now compatible with [.noloc]`Bottlerocket`. @@ -434,7 +434,7 @@ The Mountpoint for Amazon S3 CSI driver is now compatible with [.noloc]`Bottlero [.update,date="2024-03-04"] === {aws} managed policy updates - Update to an existing policy [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates +link:eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates[type="documentation"] Amazon EKS updated an existing {aws} managed policy. @@ -442,7 +442,7 @@ Amazon EKS updated an existing {aws} managed policy. [.update,date="2024-02-29"] === Amazon Linux 2023 [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/al2023.html +link:eks/latest/userguide/al2023.html[type="documentation"] Amazon Linux 2023 (AL2023) is a new Linux-based operating system designed to provide a secure, stable, and high-performance environment for your cloud applications. @@ -450,7 +450,7 @@ Amazon Linux 2023 (AL2023) is a new Linux-based operating system designed to pro [.update,date="2024-02-26"] === EKS Pod Identity and IRSA support sidecars in [.noloc]`Kubernetes` `1.29` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1-29 +link:eks/latest/userguide/kubernetes-versions.html#kubernetes-1-29[type="documentation"] In [.noloc]`Kubernetes` `1.29`, sidecar containers are available in Amazon EKS clusters. Sidecar containers are supported with IAM roles for service accounts or EKS Pod Identity. For more information about sidecars, see https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/[Sidecar Containers] in the [.noloc]`Kubernetes` documentation. @@ -458,7 +458,7 @@ In [.noloc]`Kubernetes` `1.29`, sidecar containers are available in Amazon EKS c [.update,date="2024-01-23"] === [.noloc]`Kubernetes` version `1.29` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1-29 +link:eks/latest/userguide/kubernetes-versions.html#kubernetes-1-29[type="documentation"] Added [.noloc]`Kubernetes` version `1.29` support for new clusters and version upgrades. @@ -466,7 +466,7 @@ Added [.noloc]`Kubernetes` version `1.29` support for new clusters and version u [.update,date="2024-01-16"] === Full release: Amazon EKS Extended Support for [.noloc]`Kubernetes` versions [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html +link:eks/latest/userguide/kubernetes-versions.html[type="documentation"] Extended [.noloc]`Kubernetes` version support allows you to stay at a specific [.noloc]`Kubernetes` version for longer than 14 months. @@ -474,7 +474,7 @@ Extended [.noloc]`Kubernetes` version support allows you to stay at a specific [ [.update,date="2023-12-28"] === Amazon EKS cluster health detection in the {aws} Cloud [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/troubleshooting.html#cluster-health-status +link:eks/latest/userguide/troubleshooting.html#cluster-health-status[type="documentation"] Amazon EKS detects issues with your Amazon EKS clusters and the infrastructure of the cluster prerequisites in _cluster health_. You can view the issues with your EKS clusters in the {aws-management-console} and in the `health` of the cluster in the EKS API. These issues are in addition to the issues that are detected by and displayed by the console. Previously, cluster health was only available for local clusters on {aws} Outposts. @@ -487,7 +487,7 @@ Amazon EKS is now available in the Canada West (Calgary) (`ca-west-1`) {aws} Reg [.update,date="2023-12-20"] === Cluster insights [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/cluster-insights.html +link:eks/latest/userguide/cluster-insights.html[type="documentation"] You can now get recommendations on your cluster based on recurring checks. @@ -495,7 +495,7 @@ You can now get recommendations on your cluster based on recurring checks. [.update,date="2023-12-18"] === You can now grant IAM roles and users access to your cluster using access entries [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html +link:eks/latest/userguide/access-entries.html[type="documentation"] Before the introduction of access entries, you granted IAM roles and users access to your cluster by adding entries to the `aws-auth` `ConfigMap`. Now each cluster has an access mode, and you can switch to using access entries on your schedule. After you switch modes, you can add users by adding access entries in the {aws} CLI, {aws} CloudFormation, and the {aws} SDKs. @@ -503,7 +503,7 @@ Before the introduction of access entries, you granted IAM roles and users acces [.update,date="2023-12-12"] === Amazon EKS platform version update [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html +link:eks/latest/userguide/platform-versions.html[type="documentation"] This is a new platform version with security fixes and enhancements. This includes new patch versions of Kubernetes `1.28.4`, `1.27.8`, `1.26.11`, and `1.25.16`. @@ -511,7 +511,7 @@ This is a new platform version with security fixes and enhancements. This includ [.update,date="2023-11-27"] === [.noloc]`Mountpoint` for Amazon S3 CSI driver [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/s3-csi.html +link:eks/latest/userguide/s3-csi.html[type="documentation"] You can now install the [.noloc]`Mountpoint` for Amazon S3 CSI driver on Amazon EKS clusters. @@ -519,7 +519,7 @@ You can now install the [.noloc]`Mountpoint` for Amazon S3 CSI driver on Amazon [.update,date="2023-11-26"] === Amazon EKS Pod Identities [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/pod-identites.html +link:eks/latest/userguide/pod-identites.html[type="documentation"] Amazon EKS Pod Identities associate an IAM role with a [.noloc]`Kubernetes` service account. With this feature, you no longer need to provide extended permissions to the node IAM role. This way, [.noloc]`Pods` on that node can call {aws} APIs. Unlike IAM roles for service accounts, EKS Pod Identities are completely inside EKS; you don't need an [.noloc]`OIDC` identity provider. @@ -527,7 +527,7 @@ Amazon EKS Pod Identities associate an IAM role with a [.noloc]`Kubernetes` serv [.update,date="2023-11-26"] === {aws} managed policy updates - Update to an existing policy [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates +link:eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates[type="documentation"] Amazon EKS updated an existing {aws} managed policy. @@ -535,7 +535,7 @@ Amazon EKS updated an existing {aws} managed policy. [.update,date="2023-11-26"] === Turn on [.noloc]`Prometheus` metrics when creating a cluster [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/prometheus.html +link:eks/latest/userguide/prometheus.html[type="documentation"] In the {aws-management-console}, you can now turn on [.noloc]`Prometheus` metrics when creating a cluster. You can also view [.noloc]`Prometheus` scraper details in the *Observability* tab. @@ -543,7 +543,7 @@ In the {aws-management-console}, you can now turn on [.noloc]`Prometheus` metric [.update,date="2023-11-17"] === CSI snapshot controller [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/csi-snapshot-controller.html +link:eks/latest/userguide/csi-snapshot-controller.html[type="documentation"] You can now install the CSI snapshot controller for use with compatible CSI drivers, such as the Amazon EBS CSI driver. @@ -551,7 +551,7 @@ You can now install the CSI snapshot controller for use with compatible CSI driv [.update,date="2023-11-14"] === ADOT Operator topic rewrite [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/opentelemetry.html +link:eks/latest/userguide/opentelemetry.html[type="documentation"] The Amazon EKS add-on support for ADOT Operator section was redundant with the {aws} Distro for [.noloc]`OpenTelemetry` documentation. We migrated remaining essential information to that resource to reduce outdated and inconsistent information. @@ -559,7 +559,7 @@ The Amazon EKS add-on support for ADOT Operator section was redundant with the { [.update,date="2023-11-10"] === [.noloc]`CoreDNS` EKS add-on support for Prometheus metrics [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/managing-coredns.html +link:eks/latest/userguide/managing-coredns.html[type="documentation"] The `v1.10.1-eksbuild.5`, `v1.9.3-eksbuild.9`, and `v1.8.7-eksbuild.8` versions of the EKS add-on for [.noloc]`CoreDNS` expose the port that [.noloc]`CoreDNS` published metrics to, in the `kube-dns` service. This makes it easier to include the [.noloc]`CoreDNS` metrics in your monitoring systems. @@ -567,7 +567,7 @@ The `v1.10.1-eksbuild.5`, `v1.9.3-eksbuild.9`, and `v1.8.7-eksbuild.8` versions [.update,date="2023-11-06"] === Amazon EKS CloudWatch Observability Operator add-on [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/cloudwatch.html +link:eks/latest/userguide/cloudwatch.html[type="documentation"] Added Amazon EKS CloudWatch Observability Operator page. @@ -575,7 +575,7 @@ Added Amazon EKS CloudWatch Observability Operator page. [.update,date="2023-10-31"] === Capacity Blocks for self-managed P5 instances in US East (Ohio) [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/capacity-blocks.html +link:eks/latest/userguide/capacity-blocks.html[type="documentation"] In US East (Ohio), you can now use Capacity Blocks for self-managed P5 instances. @@ -583,7 +583,7 @@ In US East (Ohio), you can now use Capacity Blocks for self-managed P5 instances [.update,date="2023-10-24"] === Clusters support modifying subnets and security groups [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/network-reqs.html +link:eks/latest/userguide/network-reqs.html[type="documentation"] You can update the cluster to change which subnets and security groups the cluster uses. You can update from the {aws-management-console}, the latest version of the {aws} CLI, {aws} CloudFormation, and `eksctl` version `v0.164.0-rc.0` or later. You might need to do this to provide subnets with more available IP addresses to successfully upgrade a cluster version. @@ -591,7 +591,7 @@ You can update the cluster to change which subnets and security groups the clust [.update,date="2023-10-23"] === Cluster role and managed node group role supports customer managed {aws} Identity and Access Management policies [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/cluster-iam-role.html +link:eks/latest/userguide/cluster-iam-role.html[type="documentation"] You can use a custom IAM policy on the cluster role, instead of the link:aws-managed-policy/latest/reference/AmazonEKSClusterPolicy.html[AmazonEKSClusterPolicy,type="documentation"] {aws} managed policy. Also, you can use a custom IAM policy on the node role in a managed node group, instead of the link:aws-managed-policy/latest/reference/AmazonEKSWorkerNodePolicy.html[AmazonEKSWorkerNodePolicy,type="documentation"] {aws} managed policy. Do this to create a policy with the least privilege to meet strict compliance requirements. @@ -604,7 +604,7 @@ Fix install link for eksctl after the page was moved. [.update,date="2023-10-04"] === Preview release: Amazon EKS Extended Support for [.noloc]`Kubernetes` versions [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html +link:eks/latest/userguide/kubernetes-versions.html[type="documentation"] Extended [.noloc]`Kubernetes` version support allows you to stay at a specific [.noloc]`Kubernetes` version for longer than 14 months. @@ -617,7 +617,7 @@ Amazon EKS integrations with {aws} App Mesh remain for existing customers of App [.update,date="2023-09-26"] === [.noloc]`Kubernetes` version `1.28` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1-28 +link:eks/latest/userguide/kubernetes-versions.html#kubernetes-1-28[type="documentation"] Added [.noloc]`Kubernetes` version `1.28` support for new clusters and version upgrades. @@ -625,7 +625,7 @@ Added [.noloc]`Kubernetes` version `1.28` support for new clusters and version u [.update,date="2023-09-15"] === [.noloc]`CoreDNS` Amazon EKS add-on supports modifying PDB [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/managing-coredns.html +link:eks/latest/userguide/managing-coredns.html[type="documentation"] You can modify the `PodDisruptionBudget` of the EKS add-on for [.noloc]`CoreDNS` in versions `v1.9.3-eksbuild.7` and later and `v1.10.1-eksbuild.4` and later. @@ -633,7 +633,7 @@ You can modify the `PodDisruptionBudget` of the EKS add-on for [.noloc]`CoreDNS` [.update,date="2023-09-15"] === Existing clusters support [.noloc]`Kubernetes` network policy enforcement in the [.noloc]`Amazon VPC CNI plugin for Kubernetes` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/cni-network-policy.html +link:eks/latest/userguide/cni-network-policy.html[type="documentation"] You can use [.noloc]`Kubernetes` _network policy_ in existing clusters with the [.noloc]`Amazon VPC CNI plugin for Kubernetes`, instead of requiring a third party solution. You can use [.noloc]`Kubernetes` _network policy_ in existing clusters with the [.noloc]`Amazon VPC CNI plugin for Kubernetes`, instead of requiring a third party solution. @@ -642,7 +642,7 @@ You can use [.noloc]`Kubernetes` _network policy_ in existing clusters with the [.update,date="2023-09-07"] === Amazon EKS support for shared subnets [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/network-reqs.html#network-requirements-shared +link:eks/latest/userguide/network-reqs.html#network-requirements-shared[type="documentation"] New link:eks/latest/userguide/network-reqs.html#network-requirements-shared[Shared subnet requirements and considerations,type="documentation"] for making Amazon EKS clusters in shared subnets. @@ -650,7 +650,7 @@ New link:eks/latest/userguide/network-reqs.html#network-requirements-shared[Sha [.update,date="2023-09-06"] === Updates to What is Amazon EKS? [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/what-is-eks.html +link:eks/latest/userguide/what-is-eks.html[type="documentation"] Added new link:eks/latest/userguide/common-use-cases.html[Common use cases,type="documentation"] and link:eks/latest/userguide/eks-architecture.html[Architecture,type="documentation"] topics. Refreshed other topics. @@ -658,7 +658,7 @@ Added new link:eks/latest/userguide/common-use-cases.html[Common use cases,type= [.update,date="2023-08-29"] === [.noloc]`Kubernetes` network policy enforcement in the [.noloc]`Amazon VPC CNI plugin for Kubernetes` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/cni-network-policy.html +link:eks/latest/userguide/cni-network-policy.html[type="documentation"] You can use [.noloc]`Kubernetes` _network policy_ with the [.noloc]`Amazon VPC CNI plugin for Kubernetes`, instead of requiring a third party solution. You can use [.noloc]`Kubernetes` _network policy_ with the [.noloc]`Amazon VPC CNI plugin for Kubernetes`, instead of requiring a third party solution. @@ -672,7 +672,7 @@ Amazon EKS is now available in the Israel (Tel Aviv) (`il-central-1`) {aws} Regi [.update,date="2023-07-31"] === Configurable ephemeral storage for Fargate [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/fargate-pod-configuration.html#fargate-storage +link:eks/latest/userguide/fargate-pod-configuration.html#fargate-storage[type="documentation"] You can increase the total amount of ephemeral storage for each [.noloc]`Pod` running on Amazon EKS Fargate. @@ -680,7 +680,7 @@ You can increase the total amount of ephemeral storage for each [.noloc]`Pod` ru [.update,date="2023-07-26"] === Add-on support for Amazon EFS CSI driver [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html#add-ons-aws-efs-csi-driver +link:eks/latest/userguide/eks-add-ons.html#add-ons-aws-efs-csi-driver[type="documentation"] You can now use the {aws-management-console}, {aws} CLI, and API to manage the Amazon EFS CSI driver. @@ -688,7 +688,7 @@ You can now use the {aws-management-console}, {aws} CLI, and API to manage the A [.update,date="2023-07-26"] === {aws} managed policy updates - New policy [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates +link:eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates[type="documentation"] Amazon EKS added a new {aws} managed policy. @@ -696,7 +696,7 @@ Amazon EKS added a new {aws} managed policy. [.update,date="2023-07-20"] === [.noloc]`Kubernetes` version updates for 1.27, 1.26, 1.25, and 1.24 are now available for local clusters on {aws} Outposts [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/eks-outposts-platform-versions.html +link:eks/latest/userguide/eks-outposts-platform-versions.html[type="documentation"] [.noloc]`Kubernetes` version updates to 1.27.3, 1.26.6, 1.25.11, and 1.24.15 are now available for local clusters on {aws} Outposts @@ -704,7 +704,7 @@ https://docs.aws.amazon.com/eks/latest/userguide/eks-outposts-platform-versions. [.update,date="2023-07-06"] === IP prefixes support for [.noloc]`Windows` nodes [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/cni-increase-ip-addresses.html +link:eks/latest/userguide/cni-increase-ip-addresses.html[type="documentation"] Assigning IP prefixes to your nodes can enable you to host a significantly higher number of [.noloc]`Pods` on your nodes than you can when assigning individual secondary IP addresses to your nodes. @@ -712,7 +712,7 @@ Assigning IP prefixes to your nodes can enable you to host a significantly highe [.update,date="2023-06-30"] === Amazon FSx for OpenZFS CSI driver [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/fsx-openzfs-csi.html +link:eks/latest/userguide/fsx-openzfs-csi.html[type="documentation"] You can now install the Amazon FSx for OpenZFS CSI driver on Amazon EKS clusters. @@ -720,7 +720,7 @@ You can now install the Amazon FSx for OpenZFS CSI driver on Amazon EKS clusters [.update,date="2023-06-19"] === [.noloc]`Pods` on Linux nodes in `IPv4` clusters can now communicate with `IPv6` endpoints. [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/cni-ipv6-egress.html +link:eks/latest/userguide/cni-ipv6-egress.html[type="documentation"] After assigning an IPv6 address to your node, your [.noloc]`Pods`' `IPv4` address is network address translated to the `IPv6` address of the node that it's running on. @@ -728,7 +728,7 @@ After assigning an IPv6 address to your node, your [.noloc]`Pods`' `IPv4` addres [.update,date="2023-05-30"] === [.noloc]`Windows` managed node groups in {aws} GovCloud (US) Regions [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/create-managed-node-group.html +link:eks/latest/userguide/create-managed-node-group.html[type="documentation"] In the {aws} GovCloud (US) Regions, Amazon EKS managed node groups can now run [.noloc]`Windows` containers. @@ -736,7 +736,7 @@ In the {aws} GovCloud (US) Regions, Amazon EKS managed node groups can now run [ [.update,date="2023-05-24"] === [.noloc]`Kubernetes` version `1.27` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1-27 +link:eks/latest/userguide/kubernetes-versions.html#kubernetes-1-27[type="documentation"] Added [.noloc]`Kubernetes` version `1.27` support for new clusters and version upgrades. @@ -744,7 +744,7 @@ Added [.noloc]`Kubernetes` version `1.27` support for new clusters and version u [.update,date="2023-04-11"] === [.noloc]`Kubernetes` version `1.26` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1-26 +link:eks/latest/userguide/kubernetes-versions.html#kubernetes-1-26[type="documentation"] Added [.noloc]`Kubernetes` version `1.26` support for new clusters and version upgrades. @@ -752,7 +752,7 @@ Added [.noloc]`Kubernetes` version `1.26` support for new clusters and version u [.update,date="2023-03-27"] === Domainless [.noloc]`gMSA` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-windows-ami.html#ad-and-gmsa-support +link:eks/latest/userguide/eks-optimized-windows-ami.html#ad-and-gmsa-support[type="documentation"] You can now use domainless [.noloc]`gMSA` with [.noloc]`Windows` [.noloc]`Pods`. @@ -765,7 +765,7 @@ Amazon EKS is now available in the Asia Pacific (Melbourne) (`ap-southeast-4`) { [.update,date="2023-03-03"] === Amazon File Cache CSI driver [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/file-cache-csi.html +link:eks/latest/userguide/file-cache-csi.html[type="documentation"] You can now install the Amazon File Cache CSI driver on Amazon EKS clusters. @@ -773,7 +773,7 @@ You can now install the Amazon File Cache CSI driver on Amazon EKS clusters. [.update,date="2023-03-01"] === [.noloc]`Kubernetes` version 1.25 is now available for local clusters on {aws} Outposts [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/eks-outposts-local-cluster-create.html +link:eks/latest/userguide/eks-outposts-local-cluster-create.html[type="documentation"] You can now create an Amazon EKS local cluster on an Outpost using [.noloc]`Kubernetes` versions `1.22` – `1.25`. @@ -781,7 +781,7 @@ You can now create an Amazon EKS local cluster on an Outpost using [.noloc]`Kube [.update,date="2023-02-22"] === [.noloc]`Kubernetes` version `1.25` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1-25 +link:eks/latest/userguide/kubernetes-versions.html#kubernetes-1-25[type="documentation"] Added [.noloc]`Kubernetes` version `1.25` support for new clusters and version upgrades. @@ -789,7 +789,7 @@ Added [.noloc]`Kubernetes` version `1.25` support for new clusters and version u [.update,date="2023-02-07"] === {aws} managed policy updates - Update to an existing policy [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates +link:eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates[type="documentation"] Amazon EKS updated an existing {aws} managed policy. @@ -802,7 +802,7 @@ Amazon EKS is now available in the Asia Pacific (Hyderabad) (`ap-south-2`), Euro [.update,date="2023-01-17"] === [.noloc]`Kubernetes` versions `1.21` – `1.24` are now available for local clusters on {aws} Outposts. [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/eks-outposts-local-cluster-create.html +link:eks/latest/userguide/eks-outposts-local-cluster-create.html[type="documentation"] You can now create an Amazon EKS local cluster on an Outpost using [.noloc]`Kubernetes` versions `1.21` – `1.24`. Previously, only version `1.21` was available. @@ -810,7 +810,7 @@ You can now create an Amazon EKS local cluster on an Outpost using [.noloc]`Kube [.update,date="2022-12-16"] === Amazon EKS now supports {aws} PrivateLink [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/vpc-interface-endpoints.html +link:eks/latest/userguide/vpc-interface-endpoints.html[type="documentation"] You can use an {aws} PrivateLink to create a private connection between your VPC and Amazon EKS. @@ -818,7 +818,7 @@ You can use an {aws} PrivateLink to create a private connection between your VPC [.update,date="2022-12-15"] === Managed node group Windows support [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html +link:eks/latest/userguide/managed-node-groups.html[type="documentation"] You can now use Windows for Amazon EKS managed node groups. @@ -826,7 +826,7 @@ You can now use Windows for Amazon EKS managed node groups. [.update,date="2022-11-28"] === Amazon EKS add-ons from independent software vendors are now available in the {aws} Marketplace [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html +link:eks/latest/userguide/eks-add-ons.html[type="documentation"] You can now browse and subscribe to Amazon EKS add-ons from independent software vendors through the {aws} Marketplace. @@ -834,7 +834,7 @@ You can now browse and subscribe to Amazon EKS add-ons from independent software [.update,date="2022-11-17"] === {aws} managed policy updates - Update to an existing policy [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates +link:eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates[type="documentation"] Amazon EKS updated an existing {aws} managed policy. @@ -842,7 +842,7 @@ Amazon EKS updated an existing {aws} managed policy. [.update,date="2022-11-15"] === [.noloc]`Kubernetes` version `1.24` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1-24 +link:eks/latest/userguide/kubernetes-versions.html#kubernetes-1-24[type="documentation"] Added [.noloc]`Kubernetes` version `1.24` support for new clusters and version upgrades. @@ -855,7 +855,7 @@ Amazon EKS is now available in the Middle East (UAE) (`me-central-1`) {aws} Regi [.update,date="2022-10-24"] === {aws} managed policy updates - Update to an existing policy [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates +link:eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates[type="documentation"] Amazon EKS updated an existing {aws} managed policy. @@ -863,7 +863,7 @@ Amazon EKS updated an existing {aws} managed policy. [.update,date="2022-10-20"] === {aws} managed policy updates - Update to an existing policy [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates +link:eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates[type="documentation"] Amazon EKS updated an existing {aws} managed policy. @@ -871,7 +871,7 @@ Amazon EKS updated an existing {aws} managed policy. [.update,date="2022-09-19"] === Local clusters on {aws} Outposts are now available [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/eks-outposts-local-cluster-create.html +link:eks/latest/userguide/eks-outposts-local-cluster-create.html[type="documentation"] You can now create an Amazon EKS local cluster on an Outpost. @@ -879,7 +879,7 @@ You can now create an Amazon EKS local cluster on an Outpost. [.update,date="2022-09-08"] === Fargate vCPU based quotas [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/service-quotas.html#service-quotas-eks-fargate +link:eks/latest/userguide/service-quotas.html#service-quotas-eks-fargate[type="documentation"] Fargate is transitioning from [.noloc]`Pod` based quotas to vCPU based quotas. @@ -887,7 +887,7 @@ Fargate is transitioning from [.noloc]`Pod` based quotas to vCPU based quotas. [.update,date="2022-08-31"] === {aws} managed policy updates - Update to an existing policy [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates +link:eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates[type="documentation"] Amazon EKS updated an existing {aws} managed policy. @@ -895,7 +895,7 @@ Amazon EKS updated an existing {aws} managed policy. [.update,date="2022-08-24"] === {aws} managed policy updates - New policy [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates +link:eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates[type="documentation"] Amazon EKS added a new {aws} managed policy. @@ -903,7 +903,7 @@ Amazon EKS added a new {aws} managed policy. [.update,date="2022-08-24"] === Cost monitoring [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/cost-monitoring +link:eks/latest/userguide/cost-monitoring[type="documentation"] Amazon EKS now supports [.noloc]`Kubecost`, which enables you to monitor costs broken down by [.noloc]`Kubernetes` resources including [.noloc]`Pods`, nodes, namespaces, and labels. @@ -911,7 +911,7 @@ Amazon EKS now supports [.noloc]`Kubecost`, which enables you to monitor costs b [.update,date="2022-08-23"] === {aws} managed policy updates - New policy [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates +link:eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates[type="documentation"] Amazon EKS added a new {aws} managed policy. @@ -919,7 +919,7 @@ Amazon EKS added a new {aws} managed policy. [.update,date="2022-08-16"] === Tag resources for billing [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/eks-using-tags.html#tag-resources-for-billing +link:eks/latest/userguide/eks-using-tags.html#tag-resources-for-billing[type="documentation"] Added `aws:eks:cluster-name` generated cost allocation tag support for all clusters. @@ -927,7 +927,7 @@ Added `aws:eks:cluster-name` generated cost allocation tag support for all clust [.update,date="2022-08-16"] === Fargate profile wildcards [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/fargate-profile.html#fargate-profile-wildcards +link:eks/latest/userguide/fargate-profile.html#fargate-profile-wildcards[type="documentation"] Added support for Fargate profile wildcards in the selector criteria for namespaces, label keys, and label values. @@ -935,7 +935,7 @@ Added support for Fargate profile wildcards in the selector criteria for namespa [.update,date="2022-08-11"] === [.noloc]`Kubernetes` version `1.23` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1-23 +link:eks/latest/userguide/kubernetes-versions.html#kubernetes-1-23[type="documentation"] Added [.noloc]`Kubernetes` version `1.23` support for new clusters and version upgrades. @@ -943,7 +943,7 @@ Added [.noloc]`Kubernetes` version `1.23` support for new clusters and version u [.update,date="2022-05-03"] === View [.noloc]`Kubernetes` resources in the {aws-management-console} [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/view-kubernetes-resources.html +link:eks/latest/userguide/view-kubernetes-resources.html[type="documentation"] You can now view information about the [.noloc]`Kubernetes` resources deployed to your cluster using the {aws-management-console}. @@ -956,7 +956,7 @@ Amazon EKS is now available in the Asia Pacific (Jakarta) (`ap-southeast-3`) {aw [.update,date="2022-04-21"] === Observability page and ADOT add-on support [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/eks-observe.html +link:eks/latest/userguide/eks-observe.html[type="documentation"] Added Observability page and {aws} Distro for [.noloc]`OpenTelemetry` (ADOT). @@ -964,7 +964,7 @@ Added Observability page and {aws} Distro for [.noloc]`OpenTelemetry` (ADOT). [.update,date="2022-04-04"] === {aws} managed policy updates - New policy [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates +link:eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates[type="documentation"] Amazon EKS added a new {aws} managed policy. @@ -977,7 +977,7 @@ Added [.noloc]`Kubernetes` version `1.22` support for new clusters and version u [.update,date="2022-04-01"] === Added Fargate [.noloc]`Pod` patching details [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/fargate-pod-patching.html +link:eks/latest/userguide/fargate-pod-patching.html[type="documentation"] When upgrading Fargate [.noloc]`Pods`, Amazon EKS first tries to evict [.noloc]`Pods` based on your [.noloc]`Pod` disruption budgets. You can create event rules to react to failed evictions before the [.noloc]`Pods` are deleted. @@ -985,7 +985,7 @@ When upgrading Fargate [.noloc]`Pods`, Amazon EKS first tries to evict [.noloc]` [.update,date="2022-03-31"] === Full release: Add-on support for Amazon EBS CSI driver [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/ebs-csi.html +link:eks/latest/userguide/ebs-csi.html[type="documentation"] You can now use the {aws-management-console}, {aws} CLI, and API to manage the Amazon EBS CSI driver. @@ -993,7 +993,7 @@ You can now use the {aws-management-console}, {aws} CLI, and API to manage the A [.update,date="2022-03-22"] === {aws} Outposts content update [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/outposts.html +link:eks/latest/userguide/outposts.html[type="documentation"] Instructions to deploy an Amazon EKS cluster on {aws} Outposts. @@ -1001,7 +1001,7 @@ Instructions to deploy an Amazon EKS cluster on {aws} Outposts. [.update,date="2022-03-21"] === {aws} managed policy updates - Update to an existing policy [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates +link:eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates[type="documentation"] Amazon EKS updated an existing {aws} managed policy. @@ -1009,7 +1009,7 @@ Amazon EKS updated an existing {aws} managed policy. [.update,date="2022-03-14"] === Windows `containerd` support [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-windows-ami.html.html +link:eks/latest/userguide/eks-optimized-windows-ami.html.html[type="documentation"] You can now select the `containerd` runtime for [.noloc]`Windows` nodes. @@ -1017,7 +1017,7 @@ You can now select the `containerd` runtime for [.noloc]`Windows` nodes. [.update,date="2022-02-25"] === Added Amazon EKS Connector considerations to security documentation [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/connector-considerations.html +link:eks/latest/userguide/connector-considerations.html[type="documentation"] Describes the shared responsibility model as it relates to connected clusters. @@ -1025,7 +1025,7 @@ Describes the shared responsibility model as it relates to connected clusters. [.update,date="2022-01-06"] === Assign `IPv6` addresses to your [.noloc]`Pods` and services [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/cni-ipv6.html +link:eks/latest/userguide/cni-ipv6.html[type="documentation"] You can now create a `1.21` or later cluster that assigns `IPv6` addresses to your [.noloc]`Pods` and services. @@ -1033,7 +1033,7 @@ You can now create a `1.21` or later cluster that assigns `IPv6` addresses to yo [.update,date="2021-12-13"] === {aws} managed policy updates - Update to an existing policy [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates +link:eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates[type="documentation"] Amazon EKS updated an existing {aws} managed policy. @@ -1041,7 +1041,7 @@ Amazon EKS updated an existing {aws} managed policy. [.update,date="2021-12-09"] === Preview release: Add-on support for Amazon EBS CSI driver [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/ebs-csi.html +link:eks/latest/userguide/ebs-csi.html[type="documentation"] You can now preview using the {aws-management-console}, {aws} CLI, and API to manage the Amazon EBS CSI driver. @@ -1049,7 +1049,7 @@ You can now preview using the {aws-management-console}, {aws} CLI, and API to ma [.update,date="2021-11-29"] === Karpenter autoscaler support [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/autoscaling.html#karpenter +link:eks/latest/userguide/autoscaling.html#karpenter[type="documentation"] You can now use the Karpenter open-source project to autoscale your nodes. @@ -1057,7 +1057,7 @@ You can now use the Karpenter open-source project to autoscale your nodes. [.update,date="2021-11-10"] === Fluent Bit [.noloc]`Kubernetes` filter support in Fargate logging [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/fargate-logging.html#fargate-logging-kubernetes-filter +link:eks/latest/userguide/fargate-logging.html#fargate-logging-kubernetes-filter[type="documentation"] You can now use the Fluent Bit [.noloc]`Kubernetes` filter with Fargate logging. @@ -1065,7 +1065,7 @@ You can now use the Fluent Bit [.noloc]`Kubernetes` filter with Fargate logging. [.update,date="2021-11-09"] === [.noloc]`Windows` support available in the control plane [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/windows-support.html +link:eks/latest/userguide/windows-support.html[type="documentation"] [.noloc]`Windows` support is now available in your control plane. You no longer need to enable it in your data plane. @@ -1073,7 +1073,7 @@ https://docs.aws.amazon.com/eks/latest/userguide/windows-support.html [.update,date="2021-10-28"] === [.noloc]`Bottlerocket` added as an AMI type for managed node groups [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami-bottlerocket.html +link:eks/latest/userguide/eks-optimized-ami-bottlerocket.html[type="documentation"] Previously, [.noloc]`Bottlerocket` was only available as a self-managed node option. Now it can be configured as a managed node group, reducing the effort that's required to meet node compliance requirements. @@ -1081,7 +1081,7 @@ Previously, [.noloc]`Bottlerocket` was only available as a self-managed node opt [.update,date="2021-10-25"] === DL1 driver support [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/eks-ami-build-scripts.html +link:eks/latest/userguide/eks-ami-build-scripts.html[type="documentation"] Custom Amazon Linux AMIs now support deep learning workloads for Amazon Linux 2. This enablement allows a generic on-premises or cloud baseline configuration. @@ -1089,7 +1089,7 @@ Custom Amazon Linux AMIs now support deep learning workloads for Amazon Linux 2. [.update,date="2021-09-13"] === VT1 video support [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/eks-ami-build-scripts.html +link:eks/latest/userguide/eks-ami-build-scripts.html[type="documentation"] Custom Amazon Linux AMIs now support VT1 for some distributions. This enablement advertises Xilinx U30 devices on your Amazon EKS cluster. @@ -1097,7 +1097,7 @@ Custom Amazon Linux AMIs now support VT1 for some distributions. This enablement [.update,date="2021-09-08"] === Amazon EKS Anywhere is now available [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/eks-deployment-options.html +link:eks/latest/userguide/eks-deployment-options.html[type="documentation"] Amazon EKS Anywhere is a new deployment option for Amazon EKS that you can use to create and operate [.noloc]`Kubernetes` clusters on-premises. @@ -1105,7 +1105,7 @@ Amazon EKS Anywhere is a new deployment option for Amazon EKS that you can use t [.update,date="2021-09-08"] === Amazon EKS Connector is now available [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/eks-connector.html +link:eks/latest/userguide/eks-connector.html[type="documentation"] You can use Amazon EKS Connector to register and connect any conformant [.noloc]`Kubernetes` cluster to {aws} and visualize it in the Amazon EKS console. @@ -1113,7 +1113,7 @@ You can use Amazon EKS Connector to register and connect any conformant [.noloc] [.update,date="2021-09-02"] === Amazon FSx for NetApp ONTAP CSI driver [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/fsx-ontap.html +link:eks/latest/userguide/fsx-ontap.html[type="documentation"] Added topic that summarizes the Amazon FSx for NetApp ONTAP CSI driver and gives links to other references. @@ -1121,7 +1121,7 @@ Added topic that summarizes the Amazon FSx for NetApp ONTAP CSI driver and gives [.update,date="2021-08-30"] === Managed node groups now auto-calculates the Amazon EKS recommended maximum [.noloc]`Pods` for nodes [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/cni-increase-ip-addresses.html +link:eks/latest/userguide/cni-increase-ip-addresses.html[type="documentation"] Managed node groups now auto-calculate the Amazon EKS maximum [.noloc]`Pods` for nodes that you deploy without a launch template, or with a launch template that you haven't specified an AMI ID in. @@ -1129,7 +1129,7 @@ Managed node groups now auto-calculate the Amazon EKS maximum [.noloc]`Pods` for [.update,date="2021-08-20"] === Remove Amazon EKS management of add-on settings without removing the Amazon EKS add-on software [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html#removing-vpc-cni-eks-add-on +link:eks/latest/userguide/managing-vpc-cni.html#removing-vpc-cni-eks-add-on[type="documentation"] You can now remove an Amazon EKS add-on without removing the add-on software from your cluster. @@ -1137,7 +1137,7 @@ You can now remove an Amazon EKS add-on without removing the add-on software fro [.update,date="2021-08-02"] === Create multi-homed [.noloc]`Pods` using Multus [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/pod-multiple-network-interfaces.html +link:eks/latest/userguide/pod-multiple-network-interfaces.html[type="documentation"] You can now add multiple network interfaces to a [.noloc]`Pod` using Multus. @@ -1145,7 +1145,7 @@ You can now add multiple network interfaces to a [.noloc]`Pod` using Multus. [.update,date="2021-07-27"] === Add more IP addresses to your [.noloc]`Linux` Amazon EC2 nodes [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/cni-increase-ip-addresses.html +link:eks/latest/userguide/cni-increase-ip-addresses.html[type="documentation"] You can now add significantly more IP addresses to your [.noloc]`Linux` Amazon EC2 nodes. This means that you can run a higher density of [.noloc]`Pods` on each node. You can now add significantly more IP addresses to your [.noloc]`Linux` Amazon EC2 nodes. This means that you can run a higher density of [.noloc]`Pods` on each node. @@ -1159,7 +1159,7 @@ Added [.noloc]`Kubernetes` version `1.21` support. [.update,date="2021-07-19"] === `containerd` runtime bootstrap [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html#containerd-bootstrap +link:eks/latest/userguide/eks-optimized-ami.html#containerd-bootstrap[type="documentation"] The Amazon EKS optimized accelerated Amazon Linux Amazon Machine Image (AMI) now contains a bootstrap flag that you can use to enable the `containerd` runtime in Amazon EKS optimized and [.noloc]`Bottlerocket` AMIs. This flag is available in all supported [.noloc]`Kubernetes` versions of the AMI. @@ -1167,7 +1167,7 @@ The Amazon EKS optimized accelerated Amazon Linux Amazon Machine Image (AMI) now [.update,date="2021-06-17"] === Added managed policies topic [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/security-iam-awsmanpol.html +link:eks/latest/userguide/security-iam-awsmanpol.html[type="documentation"] A list of all Amazon EKS IAM managed policies and changes that were made to them since June 17, 2021. @@ -1175,7 +1175,7 @@ A list of all Amazon EKS IAM managed policies and changes that were made to them [.update,date="2021-06-01"] === Use security groups for [.noloc]`Pods` with Fargate [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html +link:eks/latest/userguide/security-groups-for-pods.html[type="documentation"] You can now use security groups for [.noloc]`Pods` with Fargate, in addition to using them with Amazon EC2 nodes. @@ -1183,7 +1183,7 @@ You can now use security groups for [.noloc]`Pods` with Fargate, in addition to [.update,date="2021-05-19"] === Added [.noloc]`CoreDNS` and `kube-proxy` Amazon EKS add-ons [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html +link:eks/latest/userguide/eks-add-ons.html[type="documentation"] Amazon EKS can now help you manage the [.noloc]`CoreDNS` and `kube-proxy` Amazon EKS add-ons for your cluster. @@ -1196,7 +1196,7 @@ Added [.noloc]`Kubernetes` version `1.20` support for new clusters and version u [.update,date="2021-05-14"] === [.noloc]`{aws} Load Balancer Controller` `2.2.0` released [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html +link:eks/latest/userguide/aws-load-balancer-controller.html[type="documentation"] You can now use the [.noloc]`{aws} Load Balancer Controller` to create Elastic Load Balancers using instance or IP targets. @@ -1204,7 +1204,7 @@ You can now use the [.noloc]`{aws} Load Balancer Controller` to create Elastic L [.update,date="2021-05-11"] === Node taints for managed node groups [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/node-taints-managed-node-groups.html +link:eks/latest/userguide/node-taints-managed-node-groups.html[type="documentation"] Amazon EKS now supports adding note taints to managed node groups. @@ -1212,7 +1212,7 @@ Amazon EKS now supports adding note taints to managed node groups. [.update,date="2021-02-26"] === Secrets encryption for existing clusters [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html#enable-kms +link:eks/latest/userguide/update-cluster.html#enable-kms[type="documentation"] Amazon EKS now supports adding https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/[secrets encryption] to existing clusters. @@ -1225,7 +1225,7 @@ Added [.noloc]`Kubernetes` version `1.19` support for new clusters and version u [.update,date="2021-02-12"] === Amazon EKS now supports [.noloc]`OpenID Connect` (OIDC) identity providers as a method to authenticate users to a version `1.16` or later cluster. [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/authenticate-oidc-identity-provider.html +link:eks/latest/userguide/authenticate-oidc-identity-provider.html[type="documentation"] OIDC identity providers can be used with, or as an alternative to {aws} Identity and Access Management (IAM). @@ -1233,7 +1233,7 @@ OIDC identity providers can be used with, or as an alternative to {aws} Identity [.update,date="2020-12-01"] === Amazon EKS can now manage specific add-ons for your cluster [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html +link:eks/latest/userguide/eks-add-ons.html[type="documentation"] You can manage add-ons yourself, or allow Amazon EKS to control the launch and version of an add-on through the Amazon EKS API. @@ -1241,7 +1241,7 @@ You can manage add-ons yourself, or allow Amazon EKS to control the launch and v [.update,date="2020-12-01"] === Deploy Spot Instance types in a managed node group [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html#managed-node-group-capacity-types +link:eks/latest/userguide/managed-node-groups.html#managed-node-group-capacity-types[type="documentation"] You can now deploy multiple Spot or On-Demand Instance types to a managed node group. @@ -1249,7 +1249,7 @@ You can now deploy multiple Spot or On-Demand Instance types to a managed node g [.update,date="2020-12-01"] === View node and workload resources in the {aws-management-console} [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/view-kubernetes-resources.html +link:eks/latest/userguide/view-kubernetes-resources.html[type="documentation"] You can now view details about your managed, self-managed, and Fargate nodes and your deployed [.noloc]`Kubernetes` workloads in the {aws-management-console}. @@ -1257,7 +1257,7 @@ You can now view details about your managed, self-managed, and Fargate nodes and [.update,date="2020-10-23"] === NLB IP target support [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/networkg-load-balancing.html#network-load-balancer +link:eks/latest/userguide/networkg-load-balancing.html#network-load-balancer[type="documentation"] You can now deploy a Network Load Balancer with IP targets. This means that you can use an NLB to load balance network traffic to Fargate [.noloc]`Pods` and directly to [.noloc]`Pods` that are running on Amazon EC2 nodes. @@ -1265,7 +1265,7 @@ You can now deploy a Network Load Balancer with IP targets. This means that you [.update,date="2020-10-23"] === Share an ALB across multiple Ingresses [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html +link:eks/latest/userguide/alb-ingress.html[type="documentation"] You can now share an {aws} Application Load Balancer (ALB) across multiple [.noloc]`Kubernetes` Ingresses. In the past, you had to deploy a separate ALB for each Ingress. @@ -1278,7 +1278,7 @@ Added [.noloc]`Kubernetes` version `1.18` support for new clusters and version u [.update,date="2020-09-29"] === Specify a custom CIDR block for [.noloc]`Kubernetes` service IP address assignment. [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html +link:eks/latest/userguide/create-cluster.html[type="documentation"] You can now specify a custom CIDR block that [.noloc]`Kubernetes` assigns service IP addresses from. @@ -1286,7 +1286,7 @@ You can now specify a custom CIDR block that [.noloc]`Kubernetes` assigns servic [.update,date="2020-09-09"] === Assign security groups to individual [.noloc]`Pods` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html +link:eks/latest/userguide/security-groups-for-pods.html[type="documentation"] You can now associate different security groups to some of the individual [.noloc]`Pods` that are running on many Amazon EC2 instance types. @@ -1294,7 +1294,7 @@ You can now associate different security groups to some of the individual [.nolo [.update,date="2020-08-31"] === Deploy [.noloc]`Bottlerocket` on your nodes [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/launch-node-bottlerocket.html +link:eks/latest/userguide/launch-node-bottlerocket.html[type="documentation"] You can now deploy nodes that are running link:bottlerocket/[Bottlerocket,type="marketing"]. @@ -1302,7 +1302,7 @@ You can now deploy nodes that are running link:bottlerocket/[Bottlerocket,type=" [.update,date="2020-08-17"] === Managed node group launch templates and custom AMI [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html +link:eks/latest/userguide/launch-templates.html[type="documentation"] You can now deploy a managed node group that uses an Amazon EC2 launch template. The launch template can specify a custom AMI, if you choose. @@ -1310,7 +1310,7 @@ You can now deploy a managed node group that uses an Amazon EC2 launch template. [.update,date="2020-08-17"] === The ability to launch Arm nodes is generally available [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html#arm-ami +link:eks/latest/userguide/eks-optimized-ami.html#arm-ami[type="documentation"] You can now launch Arm nodes in managed and self-managed node groups. @@ -1318,7 +1318,7 @@ You can now launch Arm nodes in managed and self-managed node groups. [.update,date="2020-08-17"] === EFS support for {aws} Fargate [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/efs-csi.html +link:eks/latest/userguide/efs-csi.html[type="documentation"] You can now use Amazon EFS with {aws} Fargate. @@ -1326,7 +1326,7 @@ You can now use Amazon EFS with {aws} Fargate. [.update,date="2020-08-12"] === Amazon EKS platform version update [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html +link:eks/latest/userguide/platform-versions.html[type="documentation"] This is a new platform version with security fixes and enhancements. This includes UDP support for services of type `LoadBalancer` when using Network Load Balancers with [.noloc]`Kubernetes` version `1.15` or later. For more information, see the https://github.com/kubernetes/kubernetes/pull/92109[Allow UDP for {aws} Network Load Balancer] issue on [.noloc]`GitHub`. @@ -1339,7 +1339,7 @@ Amazon EKS is now available in the Africa (Cape Town) (`af-south-1`) and Europe [.update,date="2020-08-03"] === Fargate usage metrics [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/monitoring-fargate-usage.html +link:eks/latest/userguide/monitoring-fargate-usage.html[type="documentation"] {aws} Fargate provides CloudWatch usage metrics that provide visibility into your account's usage of Fargate On-Demand resources. @@ -1352,7 +1352,7 @@ Added [.noloc]`Kubernetes` version `1.17` support for new clusters and version u [.update,date="2020-06-18"] === Create and manage App Mesh resources from within [.noloc]`Kubernetes` with the App Mesh controller for [.noloc]`Kubernetes` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/mesh-k8s-integration.html +link:eks/latest/userguide/mesh-k8s-integration.html[type="documentation"] You can create and manage App Mesh resources from within [.noloc]`Kubernetes`. The controller also automatically injects the Envoy proxy and init containers into [.noloc]`Pods` that you deploy. @@ -1360,7 +1360,7 @@ You can create and manage App Mesh resources from within [.noloc]`Kubernetes`. T [.update,date="2020-06-04"] === Amazon EKS now supports Amazon EC2 Inf1 nodes [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/inferentia-support.html +link:eks/latest/userguide/inferentia-support.html[type="documentation"] You can add Amazon EC2 Inf1 nodes to your cluster. @@ -1373,7 +1373,7 @@ Amazon EKS is now available in the {aws} GovCloud (US-East) (`us-gov-east-1`) an [.update,date="2020-05-12"] === [.noloc]`Kubernetes` `1.12` is no longer supported on Amazon EKS [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html +link:eks/latest/userguide/update-cluster.html[type="documentation"] [.noloc]`Kubernetes` version `1.12` is no longer supported on Amazon EKS. Update any `1.12` clusters to version `1.13` or later to avoid service interruption. @@ -1386,7 +1386,7 @@ Added [.noloc]`Kubernetes` version `1.16` support for new clusters and version u [.update,date="2020-04-16"] === Added the *AWSServiceRoleForAmazonEKS* service-linked role [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/using-service-linked-roles-eks.html +link:eks/latest/userguide/using-service-linked-roles-eks.html[type="documentation"] Added the *AWSServiceRoleForAmazonEKS* service-linked role. @@ -1404,7 +1404,7 @@ Amazon EKS is now available in the Beijing (`cn-north-1`) and Ningxia (`cn-north [.update,date="2019-12-23"] === FSx for Lustre CSI driver [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/fsx-csi.html +link:eks/latest/userguide/fsx-csi.html[type="documentation"] Added topic for installing the FSx for Lustre CSI driver on [.noloc]`Kubernetes` `1.14` Amazon EKS clusters. @@ -1412,7 +1412,7 @@ Added topic for installing the FSx for Lustre CSI driver on [.noloc]`Kubernetes` [.update,date="2019-12-20"] === Restrict network access to the public access endpoint of a cluster [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html +link:eks/latest/userguide/cluster-endpoint.html[type="documentation"] With this update, you can use Amazon EKS to restrict the CIDR ranges that can communicate to the public access endpoint of the [.noloc]`Kubernetes` API server. @@ -1420,7 +1420,7 @@ With this update, you can use Amazon EKS to restrict the CIDR ranges that can co [.update,date="2019-12-13"] === Resolve the private access endpoint address for a cluster from outside of a VPC [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html +link:eks/latest/userguide/cluster-endpoint.html[type="documentation"] With this update, you can use Amazon EKS to resolve the private access endpoint of the [.noloc]`Kubernetes` API server from outside of a VPC. @@ -1428,7 +1428,7 @@ With this update, you can use Amazon EKS to resolve the private access endpoint [.update,date="2019-12-04"] === (Beta) Amazon EC2 A1 Amazon EC2 instance nodes [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/arm-support.html +link:eks/latest/userguide/arm-support.html[type="documentation"] Launch link:ec2/instance-types/a1/[Amazon EC2 A1,type="marketing"] Amazon EC2 instance nodes that register with your Amazon EKS cluster. @@ -1436,7 +1436,7 @@ Launch link:ec2/instance-types/a1/[Amazon EC2 A1,type="marketing"] Amazon EC2 in [.update,date="2019-12-03"] === Creating a cluster on {aws} Outposts [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/eks-on-outposts.html +link:eks/latest/userguide/eks-on-outposts.html[type="documentation"] Amazon EKS now supports creating clusters on {aws} Outposts. @@ -1444,7 +1444,7 @@ Amazon EKS now supports creating clusters on {aws} Outposts. [.update,date="2019-12-03"] === {aws} Fargate on Amazon EKS [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/fargate.html +link:eks/latest/userguide/fargate.html[type="documentation"] Amazon EKS [.noloc]`Kubernetes` clusters now support running [.noloc]`Pods` on Fargate. @@ -1457,7 +1457,7 @@ Amazon EKS is now available in the Canada (Central) (`ca-central-1`) {aws} Regio [.update,date="2019-11-18"] === Managed node groups [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html +link:eks/latest/userguide/managed-node-groups.html[type="documentation"] Amazon EKS managed node groups automate the provisioning and lifecycle management of nodes (Amazon EC2 instances) for Amazon EKS [.noloc]`Kubernetes` clusters. @@ -1465,7 +1465,7 @@ Amazon EKS managed node groups automate the provisioning and lifecycle managemen [.update,date="2019-11-06"] === Amazon EKS platform version update [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html +link:eks/latest/userguide/platform-versions.html[type="documentation"] New platform versions to address https://groups.google.com/forum/#!msg/kubernetes-security-announce/jk8polzSUxs/dfq6a-MnCQAJ[CVE-2019-11253]. @@ -1473,7 +1473,7 @@ New platform versions to address https://groups.google.com/forum/#!msg/kubernete [.update,date="2019-11-04"] === [.noloc]`Kubernetes` `1.11` is no longer supported on Amazon EKS [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html +link:eks/latest/userguide/update-cluster.html[type="documentation"] [.noloc]`Kubernetes` version `1.11` is no longer supported on Amazon EKS. Please update any `1.11` clusters to version `1.12` or higher to avoid service interruption. @@ -1486,7 +1486,7 @@ Amazon EKS is now available in the South America (São Paulo) (`sa-east-1`) {aws [.update,date="2019-10-07"] === [.noloc]`Windows` support [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/windows-support.html +link:eks/latest/userguide/windows-support.html[type="documentation"] Amazon EKS clusters running [.noloc]`Kubernetes` version `1.14` now support [.noloc]`Windows` workloads. @@ -1494,7 +1494,7 @@ Amazon EKS clusters running [.noloc]`Kubernetes` version `1.14` now support [.no [.update,date="2019-09-30"] === Autoscaling [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/autoscaling.html +link:eks/latest/userguide/autoscaling.html[type="documentation"] Added a chapter to cover some of the different types of [.noloc]`Kubernetes` autoscaling that are supported on Amazon EKS clusters. @@ -1502,7 +1502,7 @@ Added a chapter to cover some of the different types of [.noloc]`Kubernetes` aut [.update,date="2019-09-28"] === [.noloc]`Kubernetes` Dashboard update [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/dashboard-tutorial.html +link:eks/latest/userguide/dashboard-tutorial.html[type="documentation"] Updated topic for installing the [.noloc]`Kubernetes` Dashboard on Amazon EKS clusters to use the beta `2.0` version. @@ -1510,7 +1510,7 @@ Updated topic for installing the [.noloc]`Kubernetes` Dashboard on Amazon EKS cl [.update,date="2019-09-19"] === Amazon EFS CSI driver [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/efs-csi.html +link:eks/latest/userguide/efs-csi.html[type="documentation"] Added topic for installing the Amazon EFS CSI driver on [.noloc]`Kubernetes` `1.14` Amazon EKS clusters. @@ -1518,7 +1518,7 @@ Added topic for installing the Amazon EFS CSI driver on [.noloc]`Kubernetes` `1. [.update,date="2019-09-18"] === Amazon EC2 Systems Manager parameter for Amazon EKS optimized AMI ID [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html +link:eks/latest/userguide/retrieve-ami-id.html[type="documentation"] Added topic for retrieving the Amazon EKS optimized AMI ID using an Amazon EC2 Systems Manager parameter. The parameter eliminates the need for you to look up AMI IDs. @@ -1526,7 +1526,7 @@ Added topic for retrieving the Amazon EKS optimized AMI ID using an Amazon EC2 S [.update,date="2019-09-16"] === Amazon EKS resource tagging [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/eks-using-tags.html +link:eks/latest/userguide/eks-using-tags.html[type="documentation"] You can manage the tagging of your Amazon EKS clusters. @@ -1534,7 +1534,7 @@ You can manage the tagging of your Amazon EKS clusters. [.update,date="2019-09-09"] === Amazon EBS CSI driver [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/ebs-csi.html +link:eks/latest/userguide/ebs-csi.html[type="documentation"] Added topic for installing the Amazon EBS CSI driver on [.noloc]`Kubernetes` `1.14` Amazon EKS clusters. @@ -1542,7 +1542,7 @@ Added topic for installing the Amazon EBS CSI driver on [.noloc]`Kubernetes` `1. [.update,date="2019-09-06"] === New Amazon EKS optimized AMI patched for `CVE-2019-9512` and `CVE-2019-9514` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html +link:eks/latest/userguide/eks-optimized-ami.html[type="documentation"] Amazon EKS has updated the Amazon EKS optimized AMI to address https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlHLHit1BqA[CVE-2019-9512 and CVE-2019-9514]. @@ -1550,7 +1550,7 @@ Amazon EKS has updated the Amazon EKS optimized AMI to address https://groups.go [.update,date="2019-09-04"] === Announcing deprecation of [.noloc]`Kubernetes` `1.11` in Amazon EKS [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html +link:eks/latest/userguide/kubernetes-versions.html[type="documentation"] Amazon EKS discontinued support for [.noloc]`Kubernetes` version `1.11` on November 4, 2019. @@ -1558,7 +1558,7 @@ Amazon EKS discontinued support for [.noloc]`Kubernetes` version `1.11` on Novem [.update,date="2019-09-03"] === IAM roles for service accounts [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html +link:eks/latest/userguide/iam-roles-for-service-accounts.html[type="documentation"] With IAM roles for service accounts on Amazon EKS clusters, you can associate an IAM role with a [.noloc]`Kubernetes` service account. With this feature, you no longer need to provide extended permissions to the node IAM role. This way, [.noloc]`Pods` on that node can call {aws} APIs. @@ -1576,7 +1576,7 @@ Amazon EKS is now available in the Middle East (Bahrain) (`me-south-1`) {aws} Re [.update,date="2019-08-28"] === Amazon EKS platform version update [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html +link:eks/latest/userguide/platform-versions.html[type="documentation"] New platform versions to address https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlHLHit1BqA[CVE-2019-9512 and CVE-2019-9514]. @@ -1584,7 +1584,7 @@ New platform versions to address https://groups.google.com/forum/#!topic/kuberne [.update,date="2019-08-05"] === Amazon EKS platform version update [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html +link:eks/latest/userguide/platform-versions.html[type="documentation"] New platform versions to address https://groups.google.com/forum/#!topic/kubernetes-security-announce/vUtEcSEY6SM[CVE-2019-11247 and CVE-2019-11249]. @@ -1597,7 +1597,7 @@ Amazon EKS is now available in the Asia Pacific (Hong Kong) (`ap-east-1`) {aws} [.update,date="2019-07-30"] === [.noloc]`Kubernetes` `1.10` no longer supported on Amazon EKS [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html +link:eks/latest/userguide/update-cluster.html[type="documentation"] [.noloc]`Kubernetes` version `1.10` is no longer supported on Amazon EKS. Update any `1.10` clusters to version `1.11` or higher to avoid service interruption. @@ -1605,7 +1605,7 @@ https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html [.update,date="2019-07-11"] === Added topic on ALB ingress controller [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html +link:eks/latest/userguide/alb-ingress.html[type="documentation"] The {aws} ALB Ingress Controller for [.noloc]`Kubernetes` is a controller that causes an ALB to be created when ingress resources are created. @@ -1613,7 +1613,7 @@ The {aws} ALB Ingress Controller for [.noloc]`Kubernetes` is a controller that c [.update,date="2019-07-03"] === New Amazon EKS optimized AMI [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html +link:eks/latest/userguide/eks-optimized-ami.html[type="documentation"] Removing unnecessary `kubectl` binary from AMIs. @@ -1626,7 +1626,7 @@ Added [.noloc]`Kubernetes` version `1.13` support for new clusters and version u [.update,date="2019-06-17"] === New Amazon EKS optimized AMI patched for `{aws}-2019-005` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html +link:eks/latest/userguide/eks-optimized-ami.html[type="documentation"] Amazon EKS has updated the Amazon EKS optimized AMI to address the vulnerabilities that are described in link:security/security-bulletins/{aws}-2019-005/[{aws}-2019-005,type="marketing"]. @@ -1634,7 +1634,7 @@ Amazon EKS has updated the Amazon EKS optimized AMI to address the vulnerabiliti [.update,date="2019-05-21"] === Amazon EKS platform version update [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html +link:eks/latest/userguide/platform-versions.html[type="documentation"] New platform version for [.noloc]`Kubernetes` `1.11` and `1.10` clusters to support custom DNS names in the `kubelet` certificate and improve `etcd` performance. @@ -1642,7 +1642,7 @@ New platform version for [.noloc]`Kubernetes` `1.11` and `1.10` clusters to supp [.update,date="2019-05-21"] === Announcing discontinuation of support of [.noloc]`Kubernetes` `1.10` in Amazon EKS [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html +link:eks/latest/userguide/kubernetes-versions.html[type="documentation"] Amazon EKS stopped supporting [.noloc]`Kubernetes` version `1.10` on July 22, 2019. @@ -1650,7 +1650,7 @@ Amazon EKS stopped supporting [.noloc]`Kubernetes` version `1.10` on July 22, 20 [.update,date="2019-05-10"] === Getting started with `eksctl` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/getting-started-eksctl.html +link:eks/latest/userguide/getting-started-eksctl.html[type="documentation"] This getting started guide describes how you can install all of the required resources to get started with Amazon EKS using `eksctl`. This is a simple command line utility for creating and managing [.noloc]`Kubernetes` clusters on Amazon EKS. @@ -1663,7 +1663,7 @@ The `aws eks get-token` command was added to the {aws} CLI. You no longer need t [.update,date="2019-05-08"] === Amazon EKS platform version update [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html +link:eks/latest/userguide/platform-versions.html[type="documentation"] New platform version for [.noloc]`Kubernetes` `1.12` clusters to support custom DNS names in the `kubelet` certificate and improve `etcd` performance. This fixes a bug that caused node `kubelet` daemons to request a new certificate every few seconds. @@ -1671,7 +1671,7 @@ New platform version for [.noloc]`Kubernetes` `1.12` clusters to support custom [.update,date="2019-04-05"] === [.noloc]`Prometheus` tutorial [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/prometheus.html +link:eks/latest/userguide/prometheus.html[type="documentation"] Added topic for deploying [.noloc]`Prometheus` to your Amazon EKS cluster. @@ -1679,7 +1679,7 @@ Added topic for deploying [.noloc]`Prometheus` to your Amazon EKS cluster. [.update,date="2019-04-04"] === Amazon EKS control plane logging [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html +link:eks/latest/userguide/control-plane-logs.html[type="documentation"] With this update, you can get audit and diagnostic logs directly from the Amazon EKS control pane. You can use these CloudWatch logs in your account as reference for securing and running clusters. @@ -1692,7 +1692,7 @@ Added [.noloc]`Kubernetes` version `1.12` support for new clusters and version u [.update,date="2019-03-27"] === Added App Mesh getting started guide [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/mesh-gs-k8s.html +link:eks/latest/userguide/mesh-gs-k8s.html[type="documentation"] Added documentation for getting started with App Mesh and [.noloc]`Kubernetes`. @@ -1700,7 +1700,7 @@ Added documentation for getting started with App Mesh and [.noloc]`Kubernetes`. [.update,date="2019-03-19"] === Amazon EKS API server endpoint private access [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html +link:eks/latest/userguide/cluster-endpoint.html[type="documentation"] Added documentation for disabling public access for your Amazon EKS cluster's [.noloc]`Kubernetes` API server endpoint. @@ -1708,7 +1708,7 @@ Added documentation for disabling public access for your Amazon EKS cluster's [. [.update,date="2019-03-18"] === Added topic for installing the [.noloc]`Kubernetes` Metrics Server [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/metrics-server.html +link:eks/latest/userguide/metrics-server.html[type="documentation"] The [.noloc]`Kubernetes` Metrics Server is an aggregator of resource usage data in your cluster. @@ -1716,7 +1716,7 @@ The [.noloc]`Kubernetes` Metrics Server is an aggregator of resource usage data [.update,date="2019-03-15"] === Added list of related open source projects [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/metrics-server.html +link:eks/latest/userguide/metrics-server.html[type="documentation"] These open source projects extend the functionality of [.noloc]`Kubernetes` clusters running on {aws}, including clusters that are managed by Amazon EKS. @@ -1724,7 +1724,7 @@ These open source projects extend the functionality of [.noloc]`Kubernetes` clus [.update,date="2019-03-11"] === Added topic for installing Helm locally [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/helm.html +link:eks/latest/userguide/helm.html[type="documentation"] The `helm` package manager for [.noloc]`Kubernetes` helps you install and manage applications on your [.noloc]`Kubernetes` cluster. This topic shows how to install and run the `helm` and `tiller` binaries locally. That way, you can install and manage charts using the Helm CLI on your local system. @@ -1732,7 +1732,7 @@ The `helm` package manager for [.noloc]`Kubernetes` helps you install and manage [.update,date="2019-03-08"] === Amazon EKS platform version update [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html +link:eks/latest/userguide/platform-versions.html[type="documentation"] New platform version that updates Amazon EKS [.noloc]`Kubernetes` `1.11` clusters to patch level `1.11.8` to address https://discuss.kubernetes.io/t/kubernetes-security-announcement-v1-11-8-1-12-6-1-13-4-released-to-address-medium-severity-cve-2019-1002100/5147[CVE-2019-1002100]. @@ -1745,7 +1745,7 @@ Amazon EKS is now available in the Europe (London) (`eu-west-2`), Europe (Paris) [.update,date="2019-02-13"] === Increased cluster limit [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/service_limits.html +link:eks/latest/userguide/service_limits.html[type="documentation"] Amazon EKS has increased the number of clusters that you can create in an {aws} Region from 3 to 50. @@ -1753,7 +1753,7 @@ Amazon EKS has increased the number of clusters that you can create in an {aws} [.update,date="2019-02-11"] === New Amazon EKS optimized AMI patched for `ALAS-2019-1156` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html +link:eks/latest/userguide/eks-optimized-ami.html[type="documentation"] Amazon EKS has updated the Amazon EKS optimized AMI to address the vulnerability that's described in https://alas.aws.amazon.com/ALAS-2019-1156.html[ALAS-2019-1156]. @@ -1761,7 +1761,7 @@ Amazon EKS has updated the Amazon EKS optimized AMI to address the vulnerability [.update,date="2019-01-09"] === New Amazon EKS optimized AMI patched for `ALAS2-2019-1141` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html +link:eks/latest/userguide/eks-optimized-ami.html[type="documentation"] Amazon EKS has updated the Amazon EKS optimized AMI to address the CVEs that are referenced in https://alas.aws.amazon.com/AL2/ALAS-2019-1141.html[ALAS2-2019-1141]. @@ -1779,7 +1779,7 @@ Amazon EKS is now available in the following additional {aws} Regions: Europe (F [.update,date="2018-12-12"] === Amazon EKS cluster updates [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html +link:eks/latest/userguide/update-cluster.html[type="documentation"] Added documentation for Amazon EKS link:eks/latest/userguide/update-cluster.html[cluster Kubernetes version updates,type="documentation"] and link:eks/latest/userguide/update-workers.html[node replacement,type="documentation"]. @@ -1792,7 +1792,7 @@ Amazon EKS is now available in the Europe (Stockholm) (`eu-north-1`) {aws} Regio [.update,date="2018-12-04"] === Amazon EKS platform version update [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html +link:eks/latest/userguide/platform-versions.html[type="documentation"] New platform version updating [.noloc]`Kubernetes` to patch level `1.10.11` to address link:security/security-bulletins/{aws}-2018-020/[CVE-2018-1002105,type="marketing"]. @@ -1808,7 +1808,7 @@ The ALB ingress controller releases version `1.0.0` with formal support from {aw [.update,date="2018-10-16"] === Added support for CNI network configuration [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/cni-custom-network.html +link:eks/latest/userguide/cni-custom-network.html[type="documentation"] The [.noloc]`Amazon VPC CNI plugin for Kubernetes` version `1.2.1` now supports custom network configuration for secondary [.noloc]`Pod` network interfaces. @@ -1816,7 +1816,7 @@ The [.noloc]`Amazon VPC CNI plugin for Kubernetes` version `1.2.1` now supports [.update,date="2018-10-10"] === Added support for `MutatingAdmissionWebhook` and `ValidatingAdmissionWebhook` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html +link:eks/latest/userguide/platform-versions.html[type="documentation"] Amazon EKS platform version `1.10-eks.2` now supports `MutatingAdmissionWebhook` and `ValidatingAdmissionWebhook` admission controllers. @@ -1824,7 +1824,7 @@ Amazon EKS platform version `1.10-eks.2` now supports `MutatingAdmissionWebhook` [.update,date="2018-10-03"] === Added partner AMI information [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/eks-partner-amis.html +link:eks/latest/userguide/eks-partner-amis.html[type="documentation"] Canonical has partnered with Amazon EKS to create node AMIs that you can use in your clusters. @@ -1832,7 +1832,7 @@ Canonical has partnered with Amazon EKS to create node AMIs that you can use in [.update,date="2018-09-21"] === Added instructions for {aws} CLI `update-kubeconfig` command [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html +link:eks/latest/userguide/create-kubeconfig.html[type="documentation"] Amazon EKS has added the `update-kubeconfig` to the {aws} CLI to simplify the process of creating a `kubeconfig` file for accessing your cluster. @@ -1840,7 +1840,7 @@ Amazon EKS has added the `update-kubeconfig` to the {aws} CLI to simplify the pr [.update,date="2018-09-13"] === New Amazon EKS optimized AMIs [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html +link:eks/latest/userguide/eks-optimized-ami.html[type="documentation"] Amazon EKS has updated the Amazon EKS optimized AMIs (with and without GPU support) to provide various security fixes and AMI optimizations. @@ -1853,7 +1853,7 @@ Amazon EKS is now available in the Europe (Ireland) (`eu-west-1`) Region. [.update,date="2018-08-31"] === Amazon EKS platform version update [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html +link:eks/latest/userguide/platform-versions.html[type="documentation"] New platform version with support for [.noloc]`Kubernetes` https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/[aggregation layer] and the https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/[Horizontal Pod Autoscaler](HPA). @@ -1861,7 +1861,7 @@ New platform version with support for [.noloc]`Kubernetes` https://kubernetes.io [.update,date="2018-08-22"] === New Amazon EKS optimized AMIs and GPU support [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html +link:eks/latest/userguide/eks-optimized-ami.html[type="documentation"] Amazon EKS has updated the Amazon EKS optimized AMI to use a new {aws} CloudFormation node template and https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap script]. In addition, a new link:eks/latest/userguide/eks-optimized-ami.html#gpu-ami[Amazon EKS optimized AMI with GPU support,type="documentation"] is available. @@ -1869,7 +1869,7 @@ Amazon EKS has updated the Amazon EKS optimized AMI to use a new {aws} CloudForm [.update,date="2018-08-14"] === New Amazon EKS optimized AMI patched for `ALAS2-2018-1058` [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html +link:eks/latest/userguide/eks-optimized-ami.html[type="documentation"] Amazon EKS has updated the Amazon EKS optimized AMI to address the CVEs that are referenced in https://alas.aws.amazon.com/AL2/ALAS-2018-1058.html[ALAS2-2018-1058]. @@ -1877,7 +1877,7 @@ Amazon EKS has updated the Amazon EKS optimized AMI to address the CVEs that are [.update,date="2018-07-10"] === Amazon EKS optimized AMI build scripts [.update-ulink] -https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html +link:eks/latest/userguide/eks-optimized-ami.html[type="documentation"] Amazon EKS has open-sourced the build scripts that are used to build the Amazon EKS optimized AMI. These build scripts are now available on [.noloc]`GitHub`. diff --git a/latest/ug/getting-started/getting-started-console.adoc b/latest/ug/getting-started/getting-started-console.adoc index fe67dc780..1566d781b 100644 --- a/latest/ug/getting-started/getting-started-console.adoc +++ b/latest/ug/getting-started/getting-started-console.adoc @@ -99,7 +99,7 @@ aws iam attach-role-policy \ --policy-arn {arn-aws}iam::aws:policy/AmazonEKSClusterPolicy \ --role-name myAmazonEKSClusterRole ---- -. Open the Amazon EKS console at https://console.aws.amazon.com/eks/home#/clusters[https://console.aws.amazon.com/eks/home#/clusters]. +. Open the Amazon EKS console at link:eks/home#/clusters[https://console.aws.amazon.com/eks/home#/clusters,type="console"]. + Make sure that the {aws} Region shown in the upper right of your console is the {aws} Region that you want to create your cluster in. If it's not, choose the dropdown next to the {aws} Region name and choose the {aws} Region that you want to use. . Choose *Create cluster*. If you don't see this option, then choose *Clusters* in the left navigation pane first. @@ -217,7 +217,7 @@ aws iam attach-role-policy \ --policy-arn {arn-aws}iam::aws:policy/AmazonEKS_CNI_Policy \ --role-name myAmazonEKSNodeRole ---- -.. Open the Amazon EKS console at https://console.aws.amazon.com/eks/home#/clusters[https://console.aws.amazon.com/eks/home#/clusters]. +.. Open the Amazon EKS console at link:eks/home#/clusters[https://console.aws.amazon.com/eks/home#/clusters,type="console"]. .. Choose the name of the cluster that you created in <>, such as [.replaceable]`my-cluster`. .. On the *[.replaceable]`my-cluster`* page, do the following: + @@ -255,7 +255,7 @@ After you've finished with the cluster and nodes that you created for this tutor . Delete any node groups profiles that you created. + -.. Open the Amazon EKS console at https://console.aws.amazon.com/eks/home#/clusters[https://console.aws.amazon.com/eks/home#/clusters]. +.. Open the Amazon EKS console at link:eks/home#/clusters[https://console.aws.amazon.com/eks/home#/clusters,type="console"]. .. In the left navigation pane, choose *Clusters*. In the list of clusters, choose [.replaceable]`my-cluster`. .. Choose the *Compute* tab. .. If you created a node group, choose the [.replaceable]`my-nodegroup` node group and then choose *Delete*. Enter [.replaceable]`my-nodegroup`, and then choose *Delete*. diff --git a/latest/ug/manage-access/cluster-auth.adoc b/latest/ug/manage-access/cluster-auth.adoc index 3aa4f6732..bdf0c744d 100644 --- a/latest/ug/manage-access/cluster-auth.adoc +++ b/latest/ug/manage-access/cluster-auth.adoc @@ -22,13 +22,13 @@ Learn how to manage access to your Amazon EKS cluster. Using Amazon EKS requires *This section includes:* -*xref:grant-k8s-access[Grant IAM users and roles access to Kubernetes APIs,linkend=grant-k8s-access]* -- Learn how to enable applications or users to authenticate to the [.noloc]`Kubernetes` API. You can use access entries, the aws-auth ConfigMap, or an external OIDC provider. +*<>* -- Learn how to enable applications or users to authenticate to the [.noloc]`Kubernetes` API. You can use access entries, the aws-auth ConfigMap, or an external OIDC provider. -*<>* -- Learn how to configure the {aws-management-console} to communicate with your Amazon EKS cluster. Use the console to view [.noloc]`Kubernetes` resources in the cluster, such as namespaces, nodes, and [.noloc]`Pods`. +*<>* -- Learn how to configure the {aws-management-console} to communicate with your Amazon EKS cluster. Use the console to view [.noloc]`Kubernetes` resources in the cluster, such as namespaces, nodes, and [.noloc]`Pods`. -*<>* -- Learn how to configure kubectl to communicate with your Amazon EKS cluster. Use the {aws} CLI to create a kubeconfig file. +*<>* -- Learn how to configure kubectl to communicate with your Amazon EKS cluster. Use the {aws} CLI to create a kubeconfig file. -*xref:service-accounts[Grant Kubernetes workloads access to {aws} using Kubernetes Service Accounts,linkend=service-accounts]* -- Learn how to associate a [.noloc]`Kubernetes` service account with {aws} IAM Roles. You can use Pod Identity or IAM Roles for Service Accounts (IRSA). +*<>* -- Learn how to associate a [.noloc]`Kubernetes` service account with {aws} IAM Roles. You can use Pod Identity or IAM Roles for Service Accounts (IRSA). == Common Tasks @@ -68,13 +68,10 @@ EKS Auto Mode integrates with EKS Pod Identity and EKS EKS access entries. include::k8s-access/grant-k8s-access.adoc[leveloffset=+1] - include::view-kubernetes-resources.adoc[leveloffset=+1] - include::create-kubeconfig.adoc[leveloffset=+1] - include::aws-access/service-accounts.adoc[leveloffset=+1] diff --git a/latest/ug/ml/ml-get-started.adoc b/latest/ug/ml/ml-get-started.adoc index 1ef78c31f..d95bd819d 100644 --- a/latest/ug/ml/ml-get-started.adoc +++ b/latest/ug/ml/ml-get-started.adoc @@ -19,7 +19,7 @@ To jump into Machine Learning on EKS, start by choosing from these prescriptive To get started, choose from the following selection of patterns that are designed to get you started setting up infrastructure to run your Machine Learning workloads: * *https://awslabs.github.io/data-on-eks/docs/blueprints/ai-ml/jupyterhub[JupyterHub on EKS]*: Explore the https://awslabs.github.io/data-on-eks/docs/blueprints/ai-ml/jupyterhub[JupyterHub blueprint], which showcases Time Slicing and MIG features, as well as multi-tenant configurations with profiles. This is ideal for deploying large-scale JupyterHub platforms on EKS. -* *https://aws.amazon.com/ai/machine-learning/neuron/[Large Language Models on {aws} Neuron and RayServe]*: Use https://aws.amazon.com/ai/machine-learning/neuron/[{aws} Neuron] to run large language models (LLMs) on Amazon EKS and {aws} Trainium and {aws} Inferentia accelerators. See https://awslabs.github.io/data-on-eks/docs/gen-ai/inference/Neuron/vllm-ray-inf2[Serving LLMs with RayServe and vLLM on {aws} Neuron] for instructions on setting up a platform for making inference requests, with components that include: +* *link:ai/machine-learning/neuron/[Large Language Models on {aws} Neuron and RayServe,type="marketing"]*: Use link:ai/machine-learning/neuron/[{aws} Neuron,type="marketing"] to run large language models (LLMs) on Amazon EKS and {aws} Trainium and {aws} Inferentia accelerators. See https://awslabs.github.io/data-on-eks/docs/gen-ai/inference/Neuron/vllm-ray-inf2[Serving LLMs with RayServe and vLLM on {aws} Neuron] for instructions on setting up a platform for making inference requests, with components that include: + ** {aws} Neuron SDK toolkit for deep learning ** {aws} Inferentia and Trainium accelerators diff --git a/latest/ug/ml/ml-tutorials.adoc b/latest/ug/ml/ml-tutorials.adoc index 41a2880f5..6472ef3e7 100644 --- a/latest/ug/ml/ml-tutorials.adoc +++ b/latest/ug/ml/ml-tutorials.adoc @@ -10,65 +10,65 @@ These tutorials cover everything from patterns for making the best use of GPU pr == Build generative AI platforms on EKS -* https://aws.amazon.com/blogs/containers/deploy-generative-ai-models-on-amazon-eks/[Deploy Generative AI Models on Amazon EKS] -* https://aws.amazon.com/blogs/containers/building-multi-tenant-jupyterhub-platforms-on-amazon-eks/[Building multi-tenant JupyterHub Platforms on Amazon EKS] -* https://aws.amazon.com/blogs/containers/run-spark-rapids-ml-workloads-with-gpus-on-amazon-emr-on-eks/[Run Spark-RAPIDS ML workloads with GPUs on Amazon EMR on EKS] +* link:containers/deploy-generative-ai-models-on-amazon-eks/[Deploy Generative AI Models on Amazon EKS,type="blog"] +* link:containers/building-multi-tenant-jupyterhub-platforms-on-amazon-eks/[Building multi-tenant JupyterHub Platforms on Amazon EKS,type="blog"] +* link:containers/run-spark-rapids-ml-workloads-with-gpus-on-amazon-emr-on-eks/[Run Spark-RAPIDS ML workloads with GPUs on Amazon EMR on EKS,type="blog"] == Run specialized generative AI frameworks on EKS -* https://aws.amazon.com/blogs/hpc/accelerate-drug-discovery-with-nvidia-bionemo-framework-on-amazon-eks/[Accelerate drug discovery with NVIDIA BioNeMo Framework on Amazon EKS] -* https://aws.amazon.com/blogs/containers/host-the-whisper-model-with-streaming-mode-on-amazon-eks-and-ray-serve/[Host the Whisper Model with Streaming Mode on Amazon EKS and Ray Serve] -* https://aws.amazon.com/blogs/machine-learning/accelerate-your-generative-ai-distributed-training-workloads-with-the-nvidia-nemo-framework-on-amazon-eks/[Accelerate your generative AI distributed training workloads with the NVIDIA NeMo Framework on Amazon EKS] -* https://aws.amazon.com/blogs/publicsector/virtualizing-satcom-operations-aws/[Virtualizing satellite communication operations with {aws}] -* https://aws.amazon.com/blogs/opensource/running-torchserve-on-amazon-elastic-kubernetes-service/[Running TorchServe on Amazon Elastic Kubernetes Service] +* link:hpc/accelerate-drug-discovery-with-nvidia-bionemo-framework-on-amazon-eks/[Accelerate drug discovery with NVIDIA BioNeMo Framework on Amazon EKS,type="blog"] +* link:containers/host-the-whisper-model-with-streaming-mode-on-amazon-eks-and-ray-serve/[Host the Whisper Model with Streaming Mode on Amazon EKS and Ray Serve,type="blog"] +* link:machine-learning/accelerate-your-generative-ai-distributed-training-workloads-with-the-nvidia-nemo-framework-on-amazon-eks/[Accelerate your generative AI distributed training workloads with the NVIDIA NeMo Framework on Amazon EKS,type="blog"] +* link:publicsector/virtualizing-satcom-operations-aws/[Virtualizing satellite communication operations with {aws},type="blog"] +* link:opensource/running-torchserve-on-amazon-elastic-kubernetes-service/[Running TorchServe on Amazon Elastic Kubernetes Service,type="blog"] == Maximize NVIDIA GPU performance for ML on EKS * Implement GPU sharing to efficiently use NVIDIA GPUs for your EKS clusters: + -https://aws.amazon.com/blogs/containers/gpu-sharing-on-amazon-eks-with-nvidia-time-slicing-and-accelerated-ec2-instances/[GPU sharing on Amazon EKS with NVIDIA time-slicing and accelerated EC2 instances] +link:containers/gpu-sharing-on-amazon-eks-with-nvidia-time-slicing-and-accelerated-ec2-instances/[GPU sharing on Amazon EKS with NVIDIA time-slicing and accelerated EC2 instances,type="blog"] * Use Multi-Instance GPUs (MIGs) and NIM microservices to run more pods per GPU on your EKS clusters: + -https://aws.amazon.com/blogs/containers/maximizing-gpu-utilization-with-nvidias-multi-instance-gpu-mig-on-amazon-eks-running-more-pods-per-gpu-for-enhanced-performance/[Maximizing GPU utilization with NVIDIA's Multi-Instance GPU (MIG) on Amazon EKS: Running more pods per GPU for enhanced performance] +link:containers/maximizing-gpu-utilization-with-nvidias-multi-instance-gpu-mig-on-amazon-eks-running-more-pods-per-gpu-for-enhanced-performance/[Maximizing GPU utilization with NVIDIA's Multi-Instance GPU (MIG) on Amazon EKS: Running more pods per GPU for enhanced performance,type="blog"] * Leverage NVIDIA NIM microservices to optimize inference workloads using optimized microservices to deploy AI models at scale: + -https://aws.amazon.com/blogs/hpc/deploying-generative-ai-applications-with-nvidia-nims-on-amazon-eks/[Part 1: Deploying generative AI applications with NVIDIA NIMs on Amazon EKS] +link:hpc/deploying-generative-ai-applications-with-nvidia-nims-on-amazon-eks/[Part 1: Deploying generative AI applications with NVIDIA NIMs on Amazon EKS,type="blog"] + -https://aws.amazon.com/blogs/hpc/deploying-generative-ai-applications-with-nvidia-nim-microservices-on-amazon-elastic-kubernetes-service-amazon-eks-part-2/[Part 2: Deploying Generative AI Applications with NVIDIA NIM Microservices on Amazon Elastic Kubernetes Service (Amazon EKS)] +link:hpc/deploying-generative-ai-applications-with-nvidia-nim-microservices-on-amazon-elastic-kubernetes-service-amazon-eks-part-2/[Part 2: Deploying Generative AI Applications with NVIDIA NIM Microservices on Amazon Elastic Kubernetes Service (Amazon EKS),type="blog"] -* https://aws.amazon.com/blogs/containers/scaling-a-large-language-model-with-nvidia-nim-on-amazon-eks-with-karpenter/[Scaling a Large Language Model with NVIDIA NIM on Amazon EKS with Karpenter] +* link:containers/scaling-a-large-language-model-with-nvidia-nim-on-amazon-eks-with-karpenter/[Scaling a Large Language Model with NVIDIA NIM on Amazon EKS with Karpenter,type="blog"] -* https://aws.amazon.com/blogs/machine-learning/build-and-deploy-a-scalable-machine-learning-system-on-kubernetes-with-kubeflow-on-aws/[Build and deploy a scalable machine learning system on Kubernetes with Kubeflow on {aws}] +* link:machine-learning/build-and-deploy-a-scalable-machine-learning-system-on-kubernetes-with-kubeflow-on-aws/[Build and deploy a scalable machine learning system on Kubernetes with Kubeflow on {aws},type="blog"] == Run video encoding workloads on EKS -* https://aws.amazon.com/blogs/containers/delivering-video-content-with-fractional-gpus-in-containers-on-amazon-eks/[Delivering video content with fractional GPUs in containers on Amazon EKS] +* link:containers/delivering-video-content-with-fractional-gpus-in-containers-on-amazon-eks/[Delivering video content with fractional GPUs in containers on Amazon EKS,type="blog"] == Accelerate image loading for inference workloads -* https://aws.amazon.com/blogs/containers/how-h2o-ai-optimized-and-secured-their-ai-ml-infrastructure-with-karpenter-and-bottlerocket/[How H2O.ai optimized and secured their AI/ML infrastructure with Karpenter and Bottlerocket] +* link:containers/how-h2o-ai-optimized-and-secured-their-ai-ml-infrastructure-with-karpenter-and-bottlerocket/[How H2O.ai optimized and secured their AI/ML infrastructure with Karpenter and Bottlerocket,type="blog"] == Testimonials for ML on EKS -* https://aws.amazon.com/blogs/containers/quora-3x-faster-machine-learning-25-lower-costs-with-nvidia-triton-on-amazon-eks/[Quora achieved 3x lower latency and 25% lower Costs by modernizing model serving with Nvidia Triton on Amazon EKS] +* link:containers/quora-3x-faster-machine-learning-25-lower-costs-with-nvidia-triton-on-amazon-eks/[Quora achieved 3x lower latency and 25% lower Costs by modernizing model serving with Nvidia Triton on Amazon EKS,type="blog"] == Monitoring ML workloads -* https://aws.amazon.com/blogs/mt/monitoring-gpu-workloads-on-amazon-eks-using-aws-managed-open-source-services/[Monitoring GPU workloads on Amazon EKS using {aws} managed open-source services] -* https://aws.amazon.com/blogs/machine-learning/enable-pod-based-gpu-metrics-in-amazon-cloudwatch/[Enable pod-based GPU metrics in Amazon CloudWatch] +* link:mt/monitoring-gpu-workloads-on-amazon-eks-using-aws-managed-open-source-services/[Monitoring GPU workloads on Amazon EKS using {aws} managed open-source services,type="blog"] +* link:machine-learning/enable-pod-based-gpu-metrics-in-amazon-cloudwatch/[Enable pod-based GPU metrics in Amazon CloudWatch,type="blog"] == Announcements for ML on EKS -* https://aws.amazon.com/blogs/containers/bottlerocket-support-for-nvidia-gpus/[Bottlerocket support for NVIDIA GPUs] -* https://aws.amazon.com/blogs/aws/new-ec2-instances-g5-with-nvidia-a10g-tensor-core-gpus/[New – EC2 Instances (G5) with NVIDIA A10G Tensor Core GPUs] -* https://aws.amazon.com/blogs/containers/utilizing-nvidia-multi-instance-gpu-mig-in-amazon-ec2-p4d-instances-on-amazon-elastic-kubernetes-service-eks/[Utilizing NVIDIA Multi-Instance GPU (MIG) in Amazon EC2 P4d Instances on Amazon Elastic Kubernetes Service] -* https://aws.amazon.com/blogs/aws/new-gpu-equipped-ec2-p4-instances-for-machine-learning-hpc/[New – GPU-Equipped EC2 P4 Instances for Machine Learning & HPC] -* https://aws.amazon.com/blogs/machine-learning/amazon-ec2-p5e-instances-are-generally-available/[Amazon EC2 P5e instances are generally available] -* https://aws.amazon.com/blogs/containers/deploying-managed-p4d-instances-in-amazon-elastic-kubernetes-service/[Deploying managed P4d Instances in Amazon Elastic Kubernetes Service with NVIDIA GPUDirectRDMA] -* https://aws.amazon.com/blogs/machine-learning/establishing-an-ai-ml-center-of-excellence/[Establishing an AI/ML center of excellence] +* link:containers/bottlerocket-support-for-nvidia-gpus/[Bottlerocket support for NVIDIA GPUs,type="blog"] +* link:aws/new-ec2-instances-g5-with-nvidia-a10g-tensor-core-gpus/[New – EC2 Instances (G5) with NVIDIA A10G Tensor Core GPUs,type="blog"] +* link:containers/utilizing-nvidia-multi-instance-gpu-mig-in-amazon-ec2-p4d-instances-on-amazon-elastic-kubernetes-service-eks/[Utilizing NVIDIA Multi-Instance GPU (MIG) in Amazon EC2 P4d Instances on Amazon Elastic Kubernetes Service,type="blog"] +* link:aws/new-gpu-equipped-ec2-p4-instances-for-machine-learning-hpc/[New – GPU-Equipped EC2 P4 Instances for Machine Learning & HPC,type="blog"] +* link:machine-learning/amazon-ec2-p5e-instances-are-generally-available/[Amazon EC2 P5e instances are generally available,type="blog"] +* link:containers/deploying-managed-p4d-instances-in-amazon-elastic-kubernetes-service/[Deploying managed P4d Instances in Amazon Elastic Kubernetes Service with NVIDIA GPUDirectRDMA,type="blog"] +* link:machine-learning/establishing-an-ai-ml-center-of-excellence/[Establishing an AI/ML center of excellence,type="blog"] 📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23ml-tutorials%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-creds.adoc b/latest/ug/nodes/hybrid-nodes-creds.adoc index 0c2b7530b..2418a3af8 100644 --- a/latest/ug/nodes/hybrid-nodes-creds.adoc +++ b/latest/ug/nodes/hybrid-nodes-creds.adoc @@ -39,7 +39,7 @@ Before setting up {aws} SSM hybrid activations, you must have a Hybrid Nodes IAM Systems Manager immediately returns the Activation Code and ID to the console or the command window, depending on how you created the activation. Copy this information and store it in a safe place. If you navigate away from the console or close the command window, you might lose this information. If you lose it, you must create a new activation. ==== -By default, {aws} SSM hybrid activations are active for 24 hours. You can alternatively specify an `--expiration-date` when you create your hybrid activation in timestamp format, such as `2024-08-01T00:00:00`. When you use {aws} SSM as your credential provider, the node name for your hybrid nodes is not configurable, and is auto-generated by {aws} SSM. You can view and manage the {aws} SSM Managed Instances in the {aws} Systems Manager console under Fleet Manager. You can register up to 1,000 standard link:systems-manager/latest/userguide/activations.html[hybrid-activated nodes,type="documentation"] per account per {aws} Region at no additional cost. However, registering more than 1,000 hybrid nodes requires that you activate the advanced-instances tier. There is a charge to use the advanced-instances tier that is not included in the https://aws.amazon.com/eks/pricing/[Amazon EKS Hybrid Nodes pricing]. For more information, see https://aws.amazon.com/systems-manager/pricing/[{aws} Systems Manager Pricing]. +By default, {aws} SSM hybrid activations are active for 24 hours. You can alternatively specify an `--expiration-date` when you create your hybrid activation in timestamp format, such as `2024-08-01T00:00:00`. When you use {aws} SSM as your credential provider, the node name for your hybrid nodes is not configurable, and is auto-generated by {aws} SSM. You can view and manage the {aws} SSM Managed Instances in the {aws} Systems Manager console under Fleet Manager. You can register up to 1,000 standard link:systems-manager/latest/userguide/activations.html[hybrid-activated nodes,type="documentation"] per account per {aws} Region at no additional cost. However, registering more than 1,000 hybrid nodes requires that you activate the advanced-instances tier. There is a charge to use the advanced-instances tier that is not included in the link:eks/pricing/[Amazon EKS Hybrid Nodes pricing,type="marketing"]. For more information, see link:systems-manager/pricing/[{aws} Systems Manager Pricing,type="marketing"]. See the example below for how to create an {aws} SSM hybrid activation with your Hybrid Nodes IAM role. When you use {aws} SSM hybrid activations for your hybrid nodes credentials, the names of your hybrid nodes will have the format `mi-012345678abcdefgh` and the temporary credentials provisioned by {aws} SSM are valid for 1 hour. You cannot alter the node name or credential duration when using {aws} SSM as your credential provider. The temporary credentials are automatically rotated by {aws} SSM and the rotation does not impact the status of your nodes or applications. diff --git a/latest/ug/nodes/hybrid-nodes-join.adoc b/latest/ug/nodes/hybrid-nodes-join.adoc index a3a10f405..b3402ca45 100644 --- a/latest/ug/nodes/hybrid-nodes-join.adoc +++ b/latest/ug/nodes/hybrid-nodes-join.adoc @@ -133,7 +133,7 @@ spec: nodeadm init -c file://nodeConfig.yaml ---- -If the above command completes successfully, your hybrid node has joined your Amazon EKS cluster. You can verify this in the Amazon EKS console by navigating to the Compute tab for your cluster (https://docs.aws.amazon.com/eks/latest/userguide/view-kubernetes-resources.html#view-kubernetes-resources-permissions[ensure IAM principal has permissions to view]) or with `kubectl get nodes`. +If the above command completes successfully, your hybrid node has joined your Amazon EKS cluster. You can verify this in the Amazon EKS console by navigating to the Compute tab for your cluster (<>) or with `kubectl get nodes`. [IMPORTANT] ==== diff --git a/latest/ug/nodes/hybrid-nodes-prereqs.adoc b/latest/ug/nodes/hybrid-nodes-prereqs.adoc index dad30d8ca..fc3f32cc8 100644 --- a/latest/ug/nodes/hybrid-nodes-prereqs.adoc +++ b/latest/ug/nodes/hybrid-nodes-prereqs.adoc @@ -24,7 +24,7 @@ image::images/hybrid-prereq-diagram.png[Hybrid node network connectivity.,scaled [#hybrid-nodes-prereqs-connect] == Hybrid network connectivity -The communication between the Amazon EKS control plane and hybrid nodes is routed through the VPC and subnets you pass during cluster creation, which builds on the https://aws.github.io/aws-eks-best-practices/networking/subnets/[existing mechanism] in Amazon EKS for control plane to node networking. There are several https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/network-to-amazon-vpc-connectivity-options.html[documented options] available for you to connect your on-premises environment with your VPC including {aws} Site-to-Site VPN, {aws} Direct Connect, or your own VPN connection. Reference the https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html[{aws} Site-to-Site VPN] and https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html[{aws} Direct Connect] user guides for more information on how to use those solutions for your hybrid network connection. +The communication between the Amazon EKS control plane and hybrid nodes is routed through the VPC and subnets you pass during cluster creation, which builds on the https://aws.github.io/aws-eks-best-practices/networking/subnets/[existing mechanism] in Amazon EKS for control plane to node networking. There are several link:whitepapers/latest/aws-vpc-connectivity-options/network-to-amazon-vpc-connectivity-options.html[documented options,type="documentation"] available for you to connect your on-premises environment with your VPC including {aws} Site-to-Site VPN, {aws} Direct Connect, or your own VPN connection. Reference the link:vpn/latest/s2svpn/VPC_VPN.html[{aws} Site-to-Site VPN,type="documentation"] and link:directconnect/latest/UserGuide/Welcome.html[{aws} Direct Connect,type="documentation"] user guides for more information on how to use those solutions for your hybrid network connection. For an optimal experience, {aws} recommends reliable network connectivity of at least 100 Mbps and a maximum of 200ms round trip latency for the hybrid nodes connection to the {aws} Region. The bandwidth and latency requirements can vary depending on the number of hybrid nodes and your workload characteristics, such as application image size, application elasticity, monitoring and logging configurations, and application dependencies on accessing data stored in other {aws} services. We recommend that you test with your own applications and environments before deploying to production to validate that your networking setup meets the requirements for your workloads. diff --git a/latest/ug/nodes/hybrid-nodes-remove.adoc b/latest/ug/nodes/hybrid-nodes-remove.adoc index d439d508f..8acacb6e2 100644 --- a/latest/ug/nodes/hybrid-nodes-remove.adoc +++ b/latest/ug/nodes/hybrid-nodes-remove.adoc @@ -11,7 +11,7 @@ include::../attributes.txt[] Delete hybrid nodes from your EKS cluster -- -This topic describes how to delete hybrid nodes from your Amazon EKS cluster. You must delete your hybrid nodes with your choice of Kubernetes-compatible tooling such as https://kubernetes.io/docs/reference/kubectl/[kubectl]. Charges for hybrid nodes stop when the node object is removed from the Amazon EKS cluster. For more information on hybrid nodes pricing, see https://aws.amazon.com/eks/pricing/[Amazon EKS Pricing]. +This topic describes how to delete hybrid nodes from your Amazon EKS cluster. You must delete your hybrid nodes with your choice of Kubernetes-compatible tooling such as https://kubernetes.io/docs/reference/kubectl/[kubectl]. Charges for hybrid nodes stop when the node object is removed from the Amazon EKS cluster. For more information on hybrid nodes pricing, see link:eks/pricing/[Amazon EKS Pricing,type="marketing"]. [IMPORTANT] ==== diff --git a/latest/ug/what-is/eks-deployment-options.adoc b/latest/ug/what-is/eks-deployment-options.adoc index 09d7f9546..0f8236fd2 100644 --- a/latest/ug/what-is/eks-deployment-options.adoc +++ b/latest/ug/what-is/eks-deployment-options.adoc @@ -23,7 +23,7 @@ To simplify running Kubernetes in your on-premises environments, you can use the [#eks-cloud-deployment-options] == Amazon EKS in the cloud -You can use Amazon EKS with compute in {aws} Regions, {aws} Local Zones, and {aws} Wavelength Zones. With Amazon EKS in the cloud, the security, scalability, and availability of the Kubernetes control plane is fully managed by {aws} in the {aws} Region. When running applications with compute in {aws} Regions, you get the full breadth of {aws} and Amazon EKS features, including Amazon EKS Auto Mode, which fully automates Kubernetes cluster infrastructure management for compute, storage, and networking on {aws} with a single click. When running applications with compute in {aws} Local Zones and {aws} Wavelength Zones, you can use Amazon EKS self-managed nodes to connect Amazon EC2 instances for your cluster compute and can use the other available {aws} services in {aws} Local Zones and {aws} Wavelength Zones. For more information see https://aws.amazon.com/about-aws/global-infrastructure/localzones/features/[{aws} Local Zones features] and https://aws.amazon.com/wavelength/features/[{aws} Wavelength Zones features]. +You can use Amazon EKS with compute in {aws} Regions, {aws} Local Zones, and {aws} Wavelength Zones. With Amazon EKS in the cloud, the security, scalability, and availability of the Kubernetes control plane is fully managed by {aws} in the {aws} Region. When running applications with compute in {aws} Regions, you get the full breadth of {aws} and Amazon EKS features, including Amazon EKS Auto Mode, which fully automates Kubernetes cluster infrastructure management for compute, storage, and networking on {aws} with a single click. When running applications with compute in {aws} Local Zones and {aws} Wavelength Zones, you can use Amazon EKS self-managed nodes to connect Amazon EC2 instances for your cluster compute and can use the other available {aws} services in {aws} Local Zones and {aws} Wavelength Zones. For more information see link:about-aws/global-infrastructure/localzones/features/[{aws} Local Zones features,type="marketing"] and link:wavelength/features/[{aws} Wavelength Zones features,type="marketing"]. [cols="1,1,1", options="header"] |=== @@ -84,7 +84,7 @@ If you need to run applications in your own data centers or edge environments, y [#air-gapped-deployment-options] == Amazon EKS Anywhere for air-gapped environments -https://aws.amazon.com/eks/eks-anywhere/[Amazon EKS Anywhere] simplifies Kubernetes cluster management through the automation of undifferentiated heavy lifting such as infrastructure setup and Kubernetes cluster lifecycle operations in on-premises and edge environments. Unlike Amazon EKS, Amazon EKS Anywhere is a customer-managed product and customers are responsible for cluster lifecycle operations and maintenance of Amazon EKS Anywhere clusters. Amazon EKS Anywhere is built on the Kubernetes sub-project Cluster API (CAPI) and supports a range of infrastructure including VMware vSphere, bare metal, Nutanix, Apache CloudStack, and {aws} Snow. Amazon EKS Anywhere can be run in air-gapped environments and offers optional integrations with regional {aws} services for observability and identity management. To receive support for Amazon EKS Anywhere and access to {aws}-vended Kubernetes add-ons, you can purchase https://aws.amazon.com/eks/eks-anywhere/pricing/[Amazon EKS Anywhere Enterprise Subscriptions]. +link:eks/eks-anywhere/[Amazon EKS Anywhere,type="marketing"] simplifies Kubernetes cluster management through the automation of undifferentiated heavy lifting such as infrastructure setup and Kubernetes cluster lifecycle operations in on-premises and edge environments. Unlike Amazon EKS, Amazon EKS Anywhere is a customer-managed product and customers are responsible for cluster lifecycle operations and maintenance of Amazon EKS Anywhere clusters. Amazon EKS Anywhere is built on the Kubernetes sub-project Cluster API (CAPI) and supports a range of infrastructure including VMware vSphere, bare metal, Nutanix, Apache CloudStack, and {aws} Snow. Amazon EKS Anywhere can be run in air-gapped environments and offers optional integrations with regional {aws} services for observability and identity management. To receive support for Amazon EKS Anywhere and access to {aws}-vended Kubernetes add-ons, you can purchase link:eks/eks-anywhere/pricing/[Amazon EKS Anywhere Enterprise Subscriptions,type="marketing"]. [cols="1,1", options="header"] |=== @@ -109,7 +109,7 @@ https://aws.amazon.com/eks/eks-anywhere/[Amazon EKS Anywhere] simplifies Kuberne You can use the <> to register and connect any conformant Kubernetes cluster to {aws} and view it in the Amazon EKS console. After a cluster is connected, you can see the status, configuration, and workloads for that cluster in the Amazon EKS console. You can use this feature to view connected clusters in Amazon EKS console, but the Amazon EKS Connector does not enable management or mutating operations for your connected clusters through the Amazon EKS console. -https://aws.amazon.com/eks/eks-distro/[Amazon EKS Distro] is the {aws} distribution of the underlying Kubernetes components that power all Amazon EKS offerings. It includes the core components required for a functioning Kubernetes cluster such as Kubernetes control plane components (etcd, kube-apiserver, kube-scheduler, kube-controller-manager) and networking components (CoreDNS, kube-proxy, CNI plugins). Amazon EKS Distro can be used to self-manage Kubernetes clusters with your choice of tooling. Amazon EKS Distro deployments are not covered by {aws} Support Plans. +link:eks/eks-distro/[Amazon EKS Distro,type="marketing"] is the {aws} distribution of the underlying Kubernetes components that power all Amazon EKS offerings. It includes the core components required for a functioning Kubernetes cluster such as Kubernetes control plane components (etcd, kube-apiserver, kube-scheduler, kube-controller-manager) and networking components (CoreDNS, kube-proxy, CNI plugins). Amazon EKS Distro can be used to self-manage Kubernetes clusters with your choice of tooling. Amazon EKS Distro deployments are not covered by {aws} Support Plans. 📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-deployment-options%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index f04934152..5330917ec 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -36,11 +36,11 @@ Amazon EKS runs upstream Kubernetes and is certified Kubernetes-conformant, so y *Machine Learning* -Amazon EKS has become a cornerstone for deploying and managing AI/ML workloads in the cloud. With its ability to handle complex, resource-intensive tasks, Amazon EKS provides a scalable and flexible foundation for running AI/ML models, making it an ideal choice for organizations aiming to harness the full potential of machine learning. Whether you're training large language models that require vast amounts of compute power or deploying inference pipelines that need to handle unpredictable traffic patterns, Amazon EKS scales up and down efficiently, optimizing resource use and cost. Amazon EKS supports a wide range of compute options including GPU-powered instances and {aws} Neuron, allowing for high-performance training and low-latency inference, ensuring that models run efficiently in production environments. See the https://docs.aws.amazon.com/eks/latest/userguide/machine-learning-on-eks.html[Machine Learning on Amazon EKS Overview] for more information. +Amazon EKS has become a cornerstone for deploying and managing AI/ML workloads in the cloud. With its ability to handle complex, resource-intensive tasks, Amazon EKS provides a scalable and flexible foundation for running AI/ML models, making it an ideal choice for organizations aiming to harness the full potential of machine learning. Whether you're training large language models that require vast amounts of compute power or deploying inference pipelines that need to handle unpredictable traffic patterns, Amazon EKS scales up and down efficiently, optimizing resource use and cost. Amazon EKS supports a wide range of compute options including GPU-powered instances and {aws} Neuron, allowing for high-performance training and low-latency inference, ensuring that models run efficiently in production environments. For more information, see <>. *Hybrid Deployments* -You can use the same Amazon EKS clusters to run nodes on {aws}-hosted infrastructure in {aws} https://aws.amazon.com/about-aws/global-infrastructure/regions_az/[Regions], https://aws.amazon.com/about-aws/global-infrastructure/localzones/[{aws} Local Zones], https://aws.amazon.com/wavelength/[{aws} Wavelength Zones], or in your own on-premises environments with https://aws.amazon.com/outposts/[{aws} Outposts] and <>. {aws} Outposts is {aws}-managed infrastructure that you run in your data centers or co-location facilities, whereas Amazon EKS Hybrid Nodes runs on virtual machines or bare metal infrastructure that you manage in your on-premises or edge environments. If you need to run in isolated or air-gapped environments, you can use https://aws.amazon.com/eks/eks-anywhere/[Amazon EKS Anywhere], which is {aws}-supported Kubernetes management software that runs on infrastructure you manage. With Amazon EKS Anywhere, you are responsible for cluster lifecycle operations and maintenance of your Amazon EKS Anywhere clusters. The _Amazon EKS Connector_ can be used to view any Kubernetes cluster and their resources in the Amazon EKS console. _Amazon EKS Distro_ is the {aws} distribution of the underlying Kubernetes components that power all Amazon EKS offerings. +You can use the same Amazon EKS clusters to run nodes on {aws}-hosted infrastructure in {aws} link:about-aws/global-infrastructure/regions_az/[Regions,type="marketing"], link:about-aws/global-infrastructure/localzones/[{aws} Local Zones,type="marketing"], link:wavelength/[{aws} Wavelength Zones,type="marketing"], or in your own on-premises environments with link:outposts/[{aws} Outposts,type="marketing"] and <>. {aws} Outposts is {aws}-managed infrastructure that you run in your data centers or co-location facilities, whereas Amazon EKS Hybrid Nodes runs on virtual machines or bare metal infrastructure that you manage in your on-premises or edge environments. If you need to run in isolated or air-gapped environments, you can use link:eks/eks-anywhere/[Amazon EKS Anywhere,type="marketing"], which is {aws}-supported Kubernetes management software that runs on infrastructure you manage. With Amazon EKS Anywhere, you are responsible for cluster lifecycle operations and maintenance of your Amazon EKS Anywhere clusters. The _Amazon EKS Connector_ can be used to view any Kubernetes cluster and their resources in the Amazon EKS console. _Amazon EKS Distro_ is the {aws} distribution of the underlying Kubernetes components that power all Amazon EKS offerings. *Compute* @@ -52,7 +52,7 @@ Amazon EKS integrates with Amazon VPC allowing you to use your own Amazon VPC se *Security* -Amazon EKS integrates with {aws} Identity and Access Management (IAM) for you to secure your clusters and applications. Amazon EKS makes it easy to map {aws} IAM permissions to Kubernetes Role Based Access Control (RBAC). You can use {aws} IAM for cluster authentication and authorization with Amazon EKS Cluster Access Management, for access and permissions of operational software running on your clusters, and for granular application access to other {aws} services with Amazon EKS Pod Identity. Amazon EKS is certified by multiple compliance programs for regulated and sensitive applications. Amazon EKS is compliant with https://aws.amazon.com/compliance/soc-faqs/[SOC], https://aws.amazon.com/compliance/pci-dss-level-1-faqs/[PCI], https://aws.amazon.com/compliance/iso-certified/[ISO], https://aws.amazon.com/compliance/fedramp/[FedRAMP-Moderate], https://aws.amazon.com/compliance/irap/[IRAP], https://aws.amazon.com/compliance/bsi-c5/[C5], https://aws.amazon.com/compliance/k-isms/[K-ISMS], https://aws.amazon.com/compliance/esquema-nacional-de-seguridad/[ENS High], https://aws.amazon.com/compliance/OSPAR/[OSPAR], https://aws.amazon.com/compliance/hitrust/[HITRUST CSF], and is a https://aws.amazon.com/compliance/hipaa-compliance/[HIPAA] eligible service. See <> for more information. +Amazon EKS integrates with {aws} Identity and Access Management (IAM) for you to secure your clusters and applications. Amazon EKS makes it easy to map {aws} IAM permissions to Kubernetes Role Based Access Control (RBAC). You can use {aws} IAM for cluster authentication and authorization with Amazon EKS Cluster Access Management, for access and permissions of operational software running on your clusters, and for granular application access to other {aws} services with Amazon EKS Pod Identity. Amazon EKS is certified by multiple compliance programs for regulated and sensitive applications. Amazon EKS is compliant with link:compliance/soc-faqs/[SOC,type="marketing"], link:compliance/pci-dss-level-1-faqs/[PCI,type="marketing"], link:compliance/iso-certified/[ISO,type="marketing"], link:compliance/fedramp/[FedRAMP-Moderate,type="marketing"], link:compliance/irap/[IRAP,type="marketing"], link:compliance/bsi-c5/[C5,type="marketing"], link:compliance/k-isms/[K-ISMS,type="marketing"], link:compliance/esquema-nacional-de-seguridad/[ENS High,type="marketing"], link:compliance/OSPAR/[OSPAR,type="marketing"], link:compliance/hitrust/[HITRUST CSF,type="marketing"], and is a link:compliance/hipaa-compliance/[HIPAA,type="marketing"] eligible service. See <> for more information. *Observability* @@ -79,10 +79,10 @@ Amazon EKS supports a range of operating systems and you can use pre-built, Amaz Amazon EKS has per cluster pricing based on Kubernetes cluster version support, pricing for Amazon EKS Auto Mode, and per vCPU pricing for Amazon EKS Hybrid Nodes. When using Amazon EKS, you pay separately for the {aws} resources you use to run your applications on Kubernetes worker nodes. For example, if you are running Kubernetes worker nodes as Amazon EC2 instances with Amazon EBS volumes and public IPv4 addresses, you are charged for the instance capacity through Amazon EC2, the volume capacity through Amazon EBS, and the IPv4 address through Amazon VPC. Visit the respective pricing pages of the {aws} services you are using with your Kubernetes applications for detailed pricing information. -* For Amazon EKS cluster, Amazon EKS Auto Mode, and Amazon EKS Hybrid Nodes pricing, see https://aws.amazon.com/eks/pricing/[Amazon EKS Pricing]. -* For Amazon EC2 pricing, see https://aws.amazon.com/ec2/pricing/on-demand/[Amazon EC2 On-Demand Pricing] and https://aws.amazon.com/ec2/spot/pricing/[Amazon EC2 Spot Pricing]. -* For {aws} Fargate pricing, see https://aws.amazon.com/fargate/pricing[{aws} Fargate Pricing]. -* You can use your savings plans for compute used in Amazon EKS clusters. For more information, see https://aws.amazon.com/savingsplans/pricing/[Pricing with Savings Plans]. +* For Amazon EKS cluster, Amazon EKS Auto Mode, and Amazon EKS Hybrid Nodes pricing, see link:eks/pricing/[Amazon EKS Pricing,type="marketing"]. +* For Amazon EC2 pricing, see link:ec2/pricing/on-demand/[Amazon EC2 On-Demand Pricing,type="marketing"] and link:ec2/spot/pricing/[Amazon EC2 Spot Pricing,type="marketing"]. +* For {aws} Fargate pricing, see link:fargate/pricing[{aws} Fargate Pricing,type="marketing"]. +* You can use your savings plans for compute used in Amazon EKS clusters. For more information, see link:savingsplans/pricing/[Pricing with Savings Plans,type="marketing"]. include::common-use-cases.adoc[leveloffset=+1] From c90a22862bdf0d44f8863c6d6deccfd2b5003cf0 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Fri, 7 Feb 2025 18:50:55 +0000 Subject: [PATCH 120/940] Converted xref to angle bracket style. --- latest/ug/automode/auto-networking.adoc | 2 +- .../ug/automode/automode-get-started-cli.adoc | 20 +++++++++---------- .../automode-get-started-console.adoc | 2 +- latest/ug/automode/wip/eksctl-docs.adoc | 4 ++-- latest/ug/clusters/create-cluster-auto.adoc | 8 ++++---- latest/ug/clusters/create-cluster.adoc | 20 +++++++++---------- latest/ug/clusters/delete-cluster.adoc | 4 ++-- .../ug/clusters/disable-windows-support.adoc | 2 +- latest/ug/clusters/private-clusters.adoc | 2 +- latest/ug/clusters/update-cluster.adoc | 8 ++++---- latest/ug/clusters/windows-support.adoc | 4 ++-- latest/ug/clusters/zone-shift-enable.adoc | 2 +- latest/ug/contribute/asciidoc-syntax.adoc | 2 +- .../getting-started-console.adoc | 2 +- .../getting-started-eksctl.adoc | 2 +- .../k8s-access/auth-configmap.adoc | 4 ++-- .../k8s-access/updating-access-entries.adoc | 2 +- latest/ug/nodes/eks-compute.adoc | 8 ++++---- .../iam-reference/auto-cluster-iam-role.adoc | 20 +++++++++---------- .../iam-reference/auto-create-node-role.adoc | 4 ++-- .../iam-reference/security-iam-awsmanpol.adoc | 2 +- latest/ug/what-is/eks-architecture.adoc | 2 +- latest/ug/workloads/retreive-iam-info.adoc | 12 +++++------ 23 files changed, 69 insertions(+), 69 deletions(-) diff --git a/latest/ug/automode/auto-networking.adoc b/latest/ug/automode/auto-networking.adoc index 23455c3d0..1235fe73d 100644 --- a/latest/ug/automode/auto-networking.adoc +++ b/latest/ug/automode/auto-networking.adoc @@ -27,7 +27,7 @@ You can use a NodeClass to: * Set the Network Policy to Default Deny or Default Allow * Enable Network Event Logging to a file. -Learn how to xref:create-node-class[Create an Amazon EKS NodeClass]. +Learn how to <>. === Considerations diff --git a/latest/ug/automode/automode-get-started-cli.adoc b/latest/ug/automode/automode-get-started-cli.adoc index 9a639e635..0439c10f8 100644 --- a/latest/ug/automode/automode-get-started-cli.adoc +++ b/latest/ug/automode/automode-get-started-cli.adoc @@ -63,11 +63,11 @@ Sample output: EKS Auto Mode requires a Cluster IAM Role to perform actions in your {aws} account, such as provisioning new EC2 instances. You must create this role to grant EKS the necessary permissions. {aws} recommends attaching the following {aws} managed policies to the Cluster IAM Role: -* xref:security-iam-awsmanpol-AmazonEKSComputePolicy[AmazonEKSComputePolicy] -* xref:security-iam-awsmanpol-AmazonEKSBlockStoragePolicy[AmazonEKSBlockStoragePolicy] -* xref:security-iam-awsmanpol-AmazonEKSLoadBalancingPolicy[AmazonEKSLoadBalancingPolicy] -* xref:security-iam-awsmanpol-AmazonEKSNetworkingPolicy[AmazonEKSNetworkingPolicy] -* xref:security-iam-awsmanpol-amazoneksclusterpolicy[AmazonEKSClusterPolicy] +* <> +* <> +* <> +* <> +* <> [#auto-roles-node-iam-role] === Node IAM Role @@ -78,13 +78,13 @@ If you want to grant permissions to workloads running on a node, use EKS Pod Ide You must create this role and attach the following {aws} managed policy: -* xref:security-iam-awsmanpol-AmazonEKSWorkerNodeMinimalPolicy[AmazonEKSWorkerNodeMinimalPolicy] +* <> * link:AmazonECR/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonEC2ContainerRegistryPullOnly["AmazonEC2ContainerRegistryPullOnly",type="documentation"] [discrete] #### **Service-Linked Role** -EKS Auto Mode also requires a Service-Linked Role, which is automatically created and configured by {aws}. For more information, see xref:using-service-linked-roles-eks[AWSServiceRoleForAmazonEKS]. +EKS Auto Mode also requires a Service-Linked Role, which is automatically created and configured by {aws}. For more information, see <>. ## **Create an EKS Auto Mode Cluster IAM Role** @@ -247,14 +247,14 @@ To create an EKS Auto Mode Cluster using the {aws} CLI, you will need the follow Review these default values and features before creating the cluster: -* `nodePools`: EKS Auto Mode includes general-purpose and system default Node Pools. Learn more about xref:create-node-pool[Node Pools]. +* `nodePools`: EKS Auto Mode includes general-purpose and system default Node Pools. Learn more about <>. **Note:** Node Pools in EKS Auto Mode differ from Amazon EKS Managed Node Groups but can coexist in the same cluster. * `computeConfig.enabled`: Automates routine compute tasks, such as creating and deleting EC2 instances. * `kubernetesNetworkConfig.elasticLoadBalancing.enabled`: Automates load balancing tasks, including creating and deleting Elastic Load Balancers. * `storageConfig.blockStorage.enabled`: Automates storage tasks, such as creating and deleting Amazon EBS volumes. -* `accessConfig.authenticationMode`: Requires EKS access entries. Learn more about xref:grant-k8s-access[EKS authentication modes]. +* `accessConfig.authenticationMode`: Requires EKS access entries. Learn more about <>. #### Run the Command @@ -322,7 +322,7 @@ kubectl get nodepools == Next Steps -* Learn how to xref:automode-workload[deploy a sample workload] to your new EKS Auto Mode cluster. +* Learn how to <> to your new EKS Auto Mode cluster. 📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23automode-get-started-cli%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/automode-get-started-console.adoc b/latest/ug/automode/automode-get-started-console.adoc index c63221e55..ec3adbad2 100644 --- a/latest/ug/automode/automode-get-started-console.adoc +++ b/latest/ug/automode/automode-get-started-console.adoc @@ -44,7 +44,7 @@ You must be logged into the {aws-management-console} with sufficent permissions == Next Steps -* Learn how to xref:sample-storage-workload[Deploy a Sample Workload to your EKS Auto Mode cluster] +* Learn how to <> //call out refactored IAM diff --git a/latest/ug/automode/wip/eksctl-docs.adoc b/latest/ug/automode/wip/eksctl-docs.adoc index 30c29fd33..b977548c1 100644 --- a/latest/ug/automode/wip/eksctl-docs.adoc +++ b/latest/ug/automode/wip/eksctl-docs.adoc @@ -6,7 +6,7 @@ include::../../attributes.txt[] == Introduction -eksctl supports xref:automode[EKS Auto Mode], a feature that extends {aws} management of Kubernetes clusters beyond the cluster itself, +eksctl supports <>, a feature that extends {aws} management of Kubernetes clusters beyond the cluster itself, to allow {aws} to also set up and manage the infrastructure that enables the smooth operation of your workloads. This allows you to delegate key infrastructure decisions and leverage the expertise of {aws} for day-to-day operations. Cluster infrastructure managed by {aws} includes many Kubernetes capabilities as core components, as opposed to add-ons, @@ -114,7 +114,7 @@ $ eksctl update auto-mode-config -f cluster.yaml == Further information -- xref:automode[EKS Auto Mode] +- <> 📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eksctl-docs%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/create-cluster-auto.adoc b/latest/ug/clusters/create-cluster-auto.adoc index fc4d82b26..2b906070f 100644 --- a/latest/ug/clusters/create-cluster-auto.adoc +++ b/latest/ug/clusters/create-cluster-auto.adoc @@ -63,14 +63,14 @@ This topic covers advanced configuration. If you are looking to get started with ** *Bootstrap cluster administrator access* -- The cluster creator is automatically a Kubernetes administrator. If you want to disable this, select *Disallow cluster administrator access*. ** *Cluster authentication mode* -- EKS Auto Mode requires EKS access entries, the EKS API authentication mode. You can optionally enable the `ConfigMap` authentication mode by selecting *EKS API and ConfigMap*. . Enter the remaining fields on the configure cluster page: -** *Secrets encryption* – (Optional) Choose to enable secrets encryption of [.noloc]`Kubernetes` secrets using a KMS key. You can also enable this after you create your cluster. Before you enable this capability, make sure that you're familiar with the information in xref:enable-kms[Encrypt Kubernetes secrets with {aws} KMS on existing clusters,linkend=enable-kms]. +** *Secrets encryption* – (Optional) Choose to enable secrets encryption of [.noloc]`Kubernetes` secrets using a KMS key. You can also enable this after you create your cluster. Before you enable this capability, make sure that you're familiar with the information in <>. ** *ARC Zonal shift* -- EKS Auto Mode does not support Arc Zonal shift. ** *Tags* – (Optional) Add any tags to your cluster. For more information, see <>. + When you're done with this page, choose *Next*. . On the *Specify networking* page, select values for the following fields: + -** *VPC* – Choose an existing VPC that meets xref:network-requirements-vpc[Amazon EKS VPC requirements,linkend=network-requirements-vpc] to create your cluster in. Before choosing a VPC, we recommend that you're familiar with all of the requirements and considerations in xref:network-reqs[View Amazon EKS networking requirements for VPC and subnets,linkend=network-reqs]. You can't change which VPC you want to use after cluster creation. If no VPCs are listed, then you need to create one first. For more information, see <>. +** *VPC* – Choose an existing VPC that meets <> to create your cluster in. Before choosing a VPC, we recommend that you're familiar with all of the requirements and considerations in <>. You can't change which VPC you want to use after cluster creation. If no VPCs are listed, then you need to create one first. For more information, see <>. ** *Subnets* – By default, all available subnets in the VPC specified in the previous field are preselected. You must select at least two. + The subnets that you choose must meet the <>. Before selecting subnets, we recommend that you're familiar with all of the <>. @@ -272,12 +272,12 @@ aws iam attach-role-policy \ + ** Replace [.replaceable]`region-code` with the {aws} Region that you want to create your cluster in. ** Replace [.replaceable]`my-cluster` with a name for your cluster. The name can contain only alphanumeric characters (case-sensitive), hyphens, and underscores. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. -** Replace [.replaceable]`1.30` with any xref:kubernetes-versions[Amazon EKS supported version,linkend=kubernetes-versions]. +** Replace [.replaceable]`1.30` with any <>. ** Replace [.replaceable]`111122223333` with your account ID ** If you have created differently named IAM Roles for the Cluster and Node roles, replace the ARNs. ** Replace the values for `subnetIds` with your own. You can also add additional IDs. You must specify at least two subnet IDs. + -The subnets that you choose must meet the xref:network-requirements-subnets[Amazon EKS subnet requirements,linkend=network-requirements-subnets]. Before selecting subnets, we recommend that you're familiar with all of the xref:network-reqs[Amazon EKS VPC and subnet requirements and considerations,linkend=network-reqs]. +The subnets that you choose must meet the <>. Before selecting subnets, we recommend that you're familiar with all of the <>. ** If you don't want to specify a security group ID, remove `,securityGroupIds=sg-` from the command. If you want to specify one or more security group IDs, replace the values for `securityGroupIds` with your own. You can also add additional IDs. + Whether you choose any security groups or not, Amazon EKS creates a security group that enables communication between your cluster and your VPC. Amazon EKS associates this security group, and any that you choose, to the network interfaces that it creates. For more information about the cluster security group that Amazon EKS creates, see <>. You can modify the rules in the cluster security group that Amazon EKS creates. diff --git a/latest/ug/clusters/create-cluster.adoc b/latest/ug/clusters/create-cluster.adoc index 0df29549b..40cd40233 100644 --- a/latest/ug/clusters/create-cluster.adoc +++ b/latest/ug/clusters/create-cluster.adoc @@ -82,9 +82,9 @@ If the service linked role doesn't already exist, and your current IAM role does You can create a cluster by using: -* xref:step2-eksctl[`eksctl`] -* xref:step2-console[the {aws-management-console}] -* xref:step2-cli[the {aws} CLI] +* <> +* <> +* <> [#step2-eksctl] === Create cluster - eksctl @@ -93,7 +93,7 @@ You can create a cluster by using: . Create an Amazon EKS `IPv4` cluster with the Amazon EKS default [.noloc]`Kubernetes` version in your default {aws} Region. Before running command, make the following replacements: . Replace [.replaceable]`region-code` with the {aws} Region that you want to create your cluster in. . Replace [.replaceable]`my-cluster` with a name for your cluster. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. -. Replace [.replaceable]`{k8s-n}` with any xref:kubernetes-versions[Amazon EKS supported version,linkend=kubernetes-versions]. +. Replace [.replaceable]`{k8s-n}` with any <>. . Change the values for `vpc-private-subnets` to meet your requirements. You can also add additional IDs. You must specify at least two subnet IDs. If you'd rather specify public subnets, you can change `--vpc-private-subnets` to `--vpc-public-subnets`. Public subnets have an associated route table with a route to an internet gateway, but private subnets don't have an associated route table. We recommend using private subnets whenever possible. + The subnets that you choose must meet the <>. Before selecting subnets, we recommend that you're familiar with all of the <>. @@ -162,7 +162,7 @@ You can only specify this option when using the `IPv4` address family and only a When you're done with this page, choose *Next*. . On the *Specify networking* page, select values for the following fields: + -** *VPC* – Choose an existing VPC that meets xref:network-requirements-vpc[Amazon EKS VPC requirements,linkend=network-requirements-vpc] to create your cluster in. Before choosing a VPC, we recommend that you're familiar with all of the requirements and considerations in xref:network-reqs[View Amazon EKS networking requirements for VPC and subnets,linkend=network-reqs]. You can't change which VPC you want to use after cluster creation. If no VPCs are listed, then you need to create one first. For more information, see <>. +** *VPC* – Choose an existing VPC that meets <> to create your cluster in. Before choosing a VPC, we recommend that you're familiar with all of the requirements and considerations in <>. You can't change which VPC you want to use after cluster creation. If no VPCs are listed, then you need to create one first. For more information, see <>. ** *Subnets* – By default, all available subnets in the VPC specified in the previous field are preselected. You must select at least two. + The subnets that you choose must meet the <>. Before selecting subnets, we recommend that you're familiar with all of the <>. @@ -219,11 +219,11 @@ Cluster provisioning takes several minutes. + ** Replace [.replaceable]`region-code` with the {aws} Region that you want to create your cluster in. ** Replace [.replaceable]`my-cluster` with a name for your cluster. The name can contain only alphanumeric characters (case-sensitive), hyphens, and underscores. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. -** Replace [.replaceable]`{k8s-n}` with any xref:kubernetes-versions[Amazon EKS supported version,linkend=kubernetes-versions]. +** Replace [.replaceable]`{k8s-n}` with any <>. ** Replace [.replaceable]`111122223333` with your account ID and [.replaceable]`myAmazonEKSClusterRole` with the name of your cluster IAM role. ** Replace the values for `subnetIds` with your own. You can also add additional IDs. You must specify at least two subnet IDs. + -The subnets that you choose must meet the xref:network-requirements-subnets[Amazon EKS subnet requirements,linkend=network-requirements-subnets]. Before selecting subnets, we recommend that you're familiar with all of the xref:network-reqs[Amazon EKS VPC and subnet requirements and considerations,linkend=network-reqs]. +The subnets that you choose must meet the <>. Before selecting subnets, we recommend that you're familiar with all of the <>. ** If you don't want to specify a security group ID, remove `,securityGroupIds=sg-` from the command. If you want to specify one or more security group IDs, replace the values for `securityGroupIds` with your own. You can also add additional IDs. + Whether you choose any security groups or not, Amazon EKS creates a security group that enables communication between your cluster and your VPC. Amazon EKS associates this security group, and any that you choose, to the network interfaces that it creates. For more information about the cluster security group that Amazon EKS creates, see <>. You can modify the rules in the cluster security group that Amazon EKS creates. @@ -302,15 +302,15 @@ kubernetes ClusterIP 10.100.0.1 443/TCP 28h == Step 4: Cluster setup -. (Recommended) To use some Amazon EKS add-ons, or to enable individual [.noloc]`Kubernetes` workloads to have specific {aws} Identity and Access Management (IAM) permissions, xref:enable-iam-roles-for-service-accounts[create an IAM OpenID Connect (OIDC) provider,linkend=enable-iam-roles-for-service-accounts] for your cluster. You only need to create an IAM [.noloc]`OIDC` provider for your cluster once. To learn more about Amazon EKS add-ons, see <>. To learn more about assigning specific IAM permissions to your workloads, see <>. -. (Recommended) Configure your cluster for the [.noloc]`Amazon VPC CNI plugin for Kubernetes` plugin before deploying Amazon EC2 nodes to your cluster. By default, the plugin was installed with your cluster. When you add Amazon EC2 nodes to your cluster, the plugin is automatically deployed to each Amazon EC2 node that you add. The plugin requires you to attach one of the following IAM policies to an IAM role. If your cluster uses the `IPv4` family, use the link:aws-managed-policy/latest/reference/AmazonEKS_CNI_Policy.html[AmazonEKS_CNI_Policy,type="documentation"] managed IAM policy. If your cluster uses the `IPv6` family, use an xref:cni-iam-role-create-ipv6-policy[IAM policy that you create,linkend=cni-iam-role-create-ipv6-policy]. +. (Recommended) To use some Amazon EKS add-ons, or to enable individual [.noloc]`Kubernetes` workloads to have specific {aws} Identity and Access Management (IAM) permissions, <> for your cluster. You only need to create an IAM [.noloc]`OIDC` provider for your cluster once. To learn more about Amazon EKS add-ons, see <>. To learn more about assigning specific IAM permissions to your workloads, see <>. +. (Recommended) Configure your cluster for the [.noloc]`Amazon VPC CNI plugin for Kubernetes` plugin before deploying Amazon EC2 nodes to your cluster. By default, the plugin was installed with your cluster. When you add Amazon EC2 nodes to your cluster, the plugin is automatically deployed to each Amazon EC2 node that you add. The plugin requires you to attach one of the following IAM policies to an IAM role. If your cluster uses the `IPv4` family, use the link:aws-managed-policy/latest/reference/AmazonEKS_CNI_Policy.html[AmazonEKS_CNI_Policy,type="documentation"] managed IAM policy. If your cluster uses the `IPv6` family, use an <>. + The IAM role that you attach the policy to can be the node IAM role, or a dedicated role used only for the plugin. We recommend attaching the policy to this role. For more information about creating the role, see <> or <>. . If you deployed your cluster using the {aws-management-console}, you can skip this step. The {aws-management-console} deploys the [.noloc]`Amazon VPC CNI plugin for Kubernetes`, [.noloc]`CoreDNS`, and `kube-proxy` Amazon EKS add-ons, by default. + If you deploy your cluster using either `eksctl` or the {aws} CLI, then the [.noloc]`Amazon VPC CNI plugin for Kubernetes`, [.noloc]`CoreDNS`, and `kube-proxy` self-managed add-ons are deployed. You can migrate the [.noloc]`Amazon VPC CNI plugin for Kubernetes`, [.noloc]`CoreDNS`, and `kube-proxy` self-managed add-ons that are deployed with your cluster to Amazon EKS add-ons. For more information, see <>. . (Optional) If you haven't already done so, you can enable [.noloc]`Prometheus` metrics for your cluster. For more information, see link:prometheus/latest/userguide/AMP-collector-how-to.html#AMP-collector-create[Create a scraper,type="documentation"] in the _Amazon Managed Service for Prometheus User Guide_. -. If you plan to deploy workloads to your cluster that use Amazon EBS volumes , and you created a `1.23` or later cluster, then you must install the xref:ebs-csi[Amazon EBS CSI,linkend=ebs-csi] to your cluster before deploying the workloads. +. If you plan to deploy workloads to your cluster that use Amazon EBS volumes , and you created a `1.23` or later cluster, then you must install the <> to your cluster before deploying the workloads. == Next steps diff --git a/latest/ug/clusters/delete-cluster.adoc b/latest/ug/clusters/delete-cluster.adoc index 52feac418..ffd3f42ca 100644 --- a/latest/ug/clusters/delete-cluster.adoc +++ b/latest/ug/clusters/delete-cluster.adoc @@ -92,7 +92,7 @@ kubectl delete svc service-name .. In the left navigation pane, choose Amazon EKS *Clusters*, and then in the tabbed list of clusters, choose the name of the cluster that you want to delete. .. Choose the *Compute* tab and choose a node group to delete. Choose *Delete*, enter the name of the node group, and then choose *Delete*. Delete all node groups in the cluster. + -NOTE: The node groups listed are xref:managed-node-groups[managed node groups,linkend=managed-node-groups] only. +NOTE: The node groups listed are <> only. .. Choose a *Fargate Profile* to delete, select *Delete*, enter the name of the profile, and then choose *Delete*. Delete all Fargate profiles in the cluster. . Delete all self-managed node {aws} CloudFormation stacks. + @@ -134,7 +134,7 @@ kubectl delete svc service-name aws eks list-nodegroups --cluster-name my-cluster ---- + -NOTE: The node groups listed are xref:managed-node-groups[managed node groups,linkend=managed-node-groups] only. +NOTE: The node groups listed are <> only. .. Delete each node group with the following command. Delete all node groups in the cluster. + [source,bash,subs="verbatim,attributes"] diff --git a/latest/ug/clusters/disable-windows-support.adoc b/latest/ug/clusters/disable-windows-support.adoc index 6dd20fb00..65298cd62 100644 --- a/latest/ug/clusters/disable-windows-support.adoc +++ b/latest/ug/clusters/disable-windows-support.adoc @@ -4,7 +4,7 @@ include::../attributes.txt[] -. If your cluster contains Amazon Linux nodes and you use xref:security-groups-for-pods[security groups for Pods,linkend=security-groups-for-pods] with them, then skip this step. +. If your cluster contains Amazon Linux nodes and you use <> with them, then skip this step. + Remove the `AmazonVPCResourceController` managed IAM policy from your <>. Replace [.replaceable]`eksClusterRole` with the name of your cluster role and [.replaceable]`111122223333` with your account ID. + diff --git a/latest/ug/clusters/private-clusters.adoc b/latest/ug/clusters/private-clusters.adoc index bf2079bc8..cc1af25cc 100644 --- a/latest/ug/clusters/private-clusters.adoc +++ b/latest/ug/clusters/private-clusters.adoc @@ -62,7 +62,7 @@ NOTE: If you're using custom service CIDR, then you need to specify it using the + For additional arguments, see <>. * Your cluster's `aws-auth` `ConfigMap` must be created from within your VPC. For more information about creating and adding entries to the `aws-auth` `ConfigMap`, enter `eksctl create iamidentitymapping --help` in your terminal. If the `ConfigMap` doesn't exist on your server, `eksctl` will create it when you use the command to add an identity mapping. -* [.noloc]`Pods` configured with xref:iam-roles-for-service-accounts[IAM roles for service accounts,linkend=iam-roles-for-service-accounts] acquire credentials from an {aws} Security Token Service ({aws} STS) API call. If there is no outbound internet access, you must create and use an {aws} STS VPC endpoint in your VPC. Most {aws} `v1` SDKs use the global {aws} STS endpoint by default (`sts.amazonaws.com`), which doesn't use the {aws} STS VPC endpoint. To use the {aws} STS VPC endpoint, you might need to configure your SDK to use the regional {aws} STS endpoint (``sts.[.replaceable]`region-code`.amazonaws.com``). For more information, see <>. +* [.noloc]`Pods` configured with <> acquire credentials from an {aws} Security Token Service ({aws} STS) API call. If there is no outbound internet access, you must create and use an {aws} STS VPC endpoint in your VPC. Most {aws} `v1` SDKs use the global {aws} STS endpoint by default (`sts.amazonaws.com`), which doesn't use the {aws} STS VPC endpoint. To use the {aws} STS VPC endpoint, you might need to configure your SDK to use the regional {aws} STS endpoint (``sts.[.replaceable]`region-code`.amazonaws.com``). For more information, see <>. * Your cluster's VPC subnets must have a VPC interface endpoint for any {aws} services that your [.noloc]`Pods` need access to. For more information, see link:vpc/latest/privatelink/create-interface-endpoint.html[Access an {aws} service using an interface VPC endpoint,type="documentation"]. Some commonly-used services and endpoints are listed in the following table. For a complete list of endpoints, see link:vpc/latest/privatelink/aws-services-privatelink-support.html[{aws} services that integrate with {aws} PrivateLink,type="documentation"] in the link:vpc/latest/privatelink/[{aws} PrivateLink Guide,type="documentation"]. + We recommend that you link:vpc/latest/privatelink/interface-endpoints.html#enable-private-dns-names[enable private DNS names,type="documentation"] for your VPC endpoints, that way workloads can continue using public {aws} service endpoints without issues. diff --git a/latest/ug/clusters/update-cluster.adoc b/latest/ug/clusters/update-cluster.adoc index 2358873b7..c0f7c946d 100644 --- a/latest/ug/clusters/update-cluster.adoc +++ b/latest/ug/clusters/update-cluster.adoc @@ -101,15 +101,15 @@ Review the https://kubernetes.io/docs/reference/using-api/deprecation-guide/[Dep ** If the `kubelet` on your managed and Fargate nodes is on [.noloc]`Kubernetes` version `1.24` or older, it may only be up to two minor versions older than the `kube-apiserver`. In other words, if the `kubelet` is version `1.24` or older, you can only update your cluster up to two versions ahead. For example, if the `kubelet` is on version `1.21`, you can update your Amazon EKS cluster version from `1.21` to `1.22`, and to `1.23`, but you will not be able to update the cluster to `1.24` while the `kubelet` remains on `1.21`. * As a best practice before starting an update, make sure that the `kubelet` on your nodes is at the same [.noloc]`Kubernetes` version as your control plane. * If your cluster is configured with a version of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` that is earlier than `1.8.0`, then we recommend that you update the plugin to the latest version before updating your cluster. To update the plugin, see <>. -* If you're updating your cluster to version `1.25` or later and have the [.noloc]`{aws} Load Balancer Controller` deployed in your cluster, then update the controller to version `2.4.7` or later _before_ updating your cluster version to `1.25`. For more information, see the xref:kubernetes-1-25[Kubernetes 1.25,linkend=kubernetes-1-25] release notes. +* If you're updating your cluster to version `1.25` or later and have the [.noloc]`{aws} Load Balancer Controller` deployed in your cluster, then update the controller to version `2.4.7` or later _before_ updating your cluster version to `1.25`. For more information, see the <> release notes. == Step 3: Update cluster control plane You can submit the request to upgrade your EKS control plane version using: -* xref:step3-eksctl[eksctl] -* xref:step3-console[the {aws} console] -* xref:step3-cli[the {aws} cli] +* <> +* <> +* <> [#step3-eksctl] === Update cluster - eksctl diff --git a/latest/ug/clusters/windows-support.adoc b/latest/ug/clusters/windows-support.adoc index a015e5f4a..0ee8d4383 100644 --- a/latest/ug/clusters/windows-support.adoc +++ b/latest/ug/clusters/windows-support.adoc @@ -17,8 +17,8 @@ Before deploying [.noloc]`Windows` nodes, be aware of the following consideratio * You can use host networking on Windows nodes using `HostProcess` Pods. For more information, see https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/[Create a Windows HostProcessPod] in the [.noloc]`Kubernetes` documentation. * Amazon EKS clusters must contain one or more [.noloc]`Linux` or Fargate nodes to run core system [.noloc]`Pods` that only run on [.noloc]`Linux`, such as [.noloc]`CoreDNS`. * The `kubelet` and `kube-proxy` event logs are redirected to the `EKS Windows` Event Log and are set to a 200 MB limit. -* You can't use xref:security-groups-for-pods[Assign security groups to individual pods,linkend=security-groups-for-pods] with [.noloc]`Pods` running on [.noloc]`Windows` nodes. -* You can't use xref:cni-custom-network[custom networking,linkend=cni-custom-network] with [.noloc]`Windows` nodes. +* You can't use <> with [.noloc]`Pods` running on [.noloc]`Windows` nodes. +* You can't use <> with [.noloc]`Windows` nodes. * You can't use `IPv6` with [.noloc]`Windows` nodes. * [.noloc]`Windows` nodes support one elastic network interface per node. By default, the number of [.noloc]`Pods` that you can run per [.noloc]`Windows` node is equal to the number of IP addresses available per elastic network interface for the node's instance type, minus one. For more information, see link:AWSEC2/latest/WindowsGuide/using-eni.html#AvailableIpPerENI[IP addresses per network interface per instance type,type="documentation"] in the _Amazon EC2 User Guide_. * In an Amazon EKS cluster, a single service with a load balancer can support up to 1024 back-end [.noloc]`Pods`. Each [.noloc]`Pod` has its own unique IP address. The previous limit of 64 [.noloc]`Pods` is no longer the case, after https://github.com/microsoft/Windows-Containers/issues/93[a Windows Server update] starting with https://support.microsoft.com/en-us/topic/march-22-2022-kb5011551-os-build-17763-2746-preview-690a59cd-059e-40f4-87e8-e9139cc65de4[OS Build 17763.2746]. diff --git a/latest/ug/clusters/zone-shift-enable.adoc b/latest/ug/clusters/zone-shift-enable.adoc index bc0049536..72a7478f6 100644 --- a/latest/ug/clusters/zone-shift-enable.adoc +++ b/latest/ug/clusters/zone-shift-enable.adoc @@ -46,7 +46,7 @@ link:r53recovery/latest/dg/arc-zonal-autoshift.how-it-works.html["Learn more abo EKS updates networking configurations to avoid directing traffic to impaired AZs. Additionally, if you are using Managed Node Groups, EKS will only launch new nodes in the healthy AZs during a zonal shift. When the shift expires or gets cancelled, the networking configurations will be restored to include the AZ that was previously detected as unhealthy. -xref:zone-shift[Learn more about EKS Zonal Shift]. +<>. [#zone-shift-enable-steps] == Register EKS cluster with Amazon Application Recovery Controller (ARC) ({aws} console) diff --git a/latest/ug/contribute/asciidoc-syntax.adoc b/latest/ug/contribute/asciidoc-syntax.adoc index 331eb401d..47ae104c7 100644 --- a/latest/ug/contribute/asciidoc-syntax.adoc +++ b/latest/ug/contribute/asciidoc-syntax.adoc @@ -66,7 +66,7 @@ Ordered Lists: ---- External link: https://example.com[Link text] Internal link: <> -Internal link: xref:page-id[Link text] +Internal link: <> ---- == Images diff --git a/latest/ug/getting-started/getting-started-console.adoc b/latest/ug/getting-started/getting-started-console.adoc index 1566d781b..4e1e2a9db 100644 --- a/latest/ug/getting-started/getting-started-console.adoc +++ b/latest/ug/getting-started/getting-started-console.adoc @@ -16,7 +16,7 @@ Learn how to create your first Amazon EKS cluster with nodes using the {aws-mana ==== This topic covers getting started *without* EKS Auto Mode. It uses Managed Node Groups to deploy nodes. -EKS Auto Mode automates routine tasks for cluster compute, storage, and networking. xref:getting-started-automode[Learn how to get started with Amazon EKS Auto Mode. ] EKS Auto Mode is the preferred method of deploying nodes. +EKS Auto Mode automates routine tasks for cluster compute, storage, and networking. <> EKS Auto Mode is the preferred method of deploying nodes. ==== This guide helps you to create all of the required resources to get started with Amazon Elastic Kubernetes Service (Amazon EKS) using the {aws-management-console} and the {aws} CLI. In this guide, you manually create each resource. At the end of this tutorial, you will have a running Amazon EKS cluster that you can deploy applications to. diff --git a/latest/ug/getting-started/getting-started-eksctl.adoc b/latest/ug/getting-started/getting-started-eksctl.adoc index 9cee79dec..4c67b7ddc 100644 --- a/latest/ug/getting-started/getting-started-eksctl.adoc +++ b/latest/ug/getting-started/getting-started-eksctl.adoc @@ -15,7 +15,7 @@ Learn how to create your first Amazon EKS cluster with nodes using the `eksctl` ==== This topic covers getting started *without* EKS Auto Mode. -EKS Auto Mode automates routine tasks for cluster compute, storage, and networking. xref:getting-started-automode[Learn how to get started with Amazon EKS Auto Mode. ] +EKS Auto Mode automates routine tasks for cluster compute, storage, and networking. <> ==== diff --git a/latest/ug/manage-access/k8s-access/auth-configmap.adoc b/latest/ug/manage-access/k8s-access/auth-configmap.adoc index f6421b93a..3367ab856 100644 --- a/latest/ug/manage-access/k8s-access/auth-configmap.adoc +++ b/latest/ug/manage-access/k8s-access/auth-configmap.adoc @@ -181,8 +181,8 @@ roleRef: + IMPORTANT: We recommend using `eksctl`, or another tool, to edit the `ConfigMap`. For information about other tools you can use, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#use-tools-to-make-changes-to-the-aws-auth-configmap[Use tools to make changes to the aws-authConfigMap] in the Amazon EKS best practices guides. An improperly formatted `aws-auth` `ConfigMap` can cause you to lose access to your cluster. + -** View steps to xref:configmap-eksctl[edit configmap with eksctl]. -** View steps to xref:configmap-manual[edit configmap manually]. +** View steps to <>. +** View steps to <>. [#configmap-eksctl] === Edit Configmap with Eksctl diff --git a/latest/ug/manage-access/k8s-access/updating-access-entries.adoc b/latest/ug/manage-access/k8s-access/updating-access-entries.adoc index 36bd4fcdd..0c84eb65a 100644 --- a/latest/ug/manage-access/k8s-access/updating-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/updating-access-entries.adoc @@ -15,7 +15,7 @@ You can update an access entry using the {aws-management-console} or the {aws} C . Choose the access entry that you want to update. . Choose *Edit*. . For *Username*, you can change the existing value. -. For *Groups*, you can remove existing group names or add new group names. If the following groups names exist, don't remove them: *system:nodes* or *system:bootstrappers*. Removing these groups can cause your cluster to function improperly. If you don't specify any group names and want to use Amazon EKS authorization, associate an xref:access-policies[access policy,linkend=access-policies] in a later step. +. For *Groups*, you can remove existing group names or add new group names. If the following groups names exist, don't remove them: *system:nodes* or *system:bootstrappers*. Removing these groups can cause your cluster to function improperly. If you don't specify any group names and want to use Amazon EKS authorization, associate an <> in a later step. . For *Tags*, you can assign labels to the access entry. For example, to make it easier to find all resources with the same tag. You can also remove existing tags. . Choose *Save changes*. . If you want to associate an access policy to the entry, see <>. diff --git a/latest/ug/nodes/eks-compute.adoc b/latest/ug/nodes/eks-compute.adoc index a966abbd0..bb3fce7fd 100644 --- a/latest/ug/nodes/eks-compute.adoc +++ b/latest/ug/nodes/eks-compute.adoc @@ -107,7 +107,7 @@ The following table provides several criteria to evaluate when deciding which op |Must deploy and manage Amazon EC2 instances |Yes -|No - Learn about xref:automode-learn-instances[EC2 managed instances] +|No - Learn about <> |Yes – the on-premises physical or virtual machines are managed by you with your choice of tooling. |Must secure, maintain, and patch the operating system of Amazon EC2 instances @@ -117,7 +117,7 @@ The following table provides several criteria to evaluate when deciding which op |Can provide bootstrap arguments at deployment of a node, such as extra https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/[kubelet] arguments. |Yes – Using `eksctl` or a <> with a custom AMI. -|No - xref:create-node-class[Use a `NodeClass` to configure nodes] +|No - <> |Yes - you can customize bootstrap arguments with nodeadm. See <>. |Can assign IP addresses to [.noloc]`Pods` from a different CIDR block than the IP address assigned to the node. @@ -127,7 +127,7 @@ The following table provides several criteria to evaluate when deciding which op |Can SSH into node |Yes -|No - xref:auto-troubleshoot[Learn how to troubleshoot nodes] +|No - <> |Yes |Can deploy your own custom AMI to nodes @@ -152,7 +152,7 @@ The following table provides several criteria to evaluate when deciding which op |Can use Amazon EBS storage with [.noloc]`Pods` |<> -|Yes, as an integrated capability. Learn how to xref:create-storage-class[create a storage class.] +|Yes, as an integrated capability. Learn how to <> |No |Can use Amazon EFS storage with [.noloc]`Pods` diff --git a/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc b/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc index 1d4bf5474..8fe738ffa 100644 --- a/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc +++ b/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc @@ -15,11 +15,11 @@ An Amazon EKS cluster IAM role is required for each cluster. [.noloc]`Kubernetes Before you can create Amazon EKS clusters, you must create an IAM role with the policies required for EKS Auto Mode. You can either attach the suggested {aws} IAM managed policies, or create custom polices with equivalent permissions. -* xref:security-iam-awsmanpol-AmazonEKSComputePolicy[AmazonEKSComputePolicy] -* xref:security-iam-awsmanpol-AmazonEKSBlockStoragePolicy[AmazonEKSBlockStoragePolicy] -* xref:security-iam-awsmanpol-AmazonEKSLoadBalancingPolicy[AmazonEKSLoadBalancingPolicy] -* xref:security-iam-awsmanpol-AmazonEKSNetworkingPolicy[AmazonEKSNetworkingPolicy] -* xref:security-iam-awsmanpol-amazoneksclusterpolicy[AmazonEKSClusterPolicy] +* <> +* <> +* <> +* <> +* <> == Check for an existing cluster role @@ -70,11 +70,11 @@ You can use the {aws-management-console} or the {aws} CLI to create the cluster . From the *Use cases for other {aws} services* dropdown list, choose *EKS*. . Choose *EKS - Cluster* for your use case, and then choose *Next*. . On the *Add permissions* tab, select the policies and then choose *Next*. -** xref:security-iam-awsmanpol-AmazonEKSComputePolicy[AmazonEKSComputePolicy] -** xref:security-iam-awsmanpol-AmazonEKSBlockStoragePolicy[AmazonEKSBlockStoragePolicy] -** xref:security-iam-awsmanpol-AmazonEKSLoadBalancingPolicy[AmazonEKSLoadBalancingPolicy] -** xref:security-iam-awsmanpol-AmazonEKSNetworkingPolicy[AmazonEKSNetworkingPolicy] -** xref:security-iam-awsmanpol-amazoneksclusterpolicy[AmazonEKSClusterPolicy] +** <> +** <> +** <> +** <> +** <> . For *Role name*, enter a unique name for your role, such as `AmazonEKSAutoClusterRole`. . For *Description*, enter descriptive text such as `Amazon EKS - Cluster role`. . Choose *Create role*. diff --git a/latest/ug/security/iam-reference/auto-create-node-role.adoc b/latest/ug/security/iam-reference/auto-create-node-role.adoc index 348041ecd..e26d3090f 100644 --- a/latest/ug/security/iam-reference/auto-create-node-role.adoc +++ b/latest/ug/security/iam-reference/auto-create-node-role.adoc @@ -17,7 +17,7 @@ You can't use the same role that is used to create any clusters. Before you create nodes, you must create an IAM role with the following policies, or equivalent permissions: -* xref:security-iam-awsmanpol-AmazonEKSWorkerNodeMinimalPolicy[AmazonEKSWorkerNodeMinimalPolicy] +* <> * link:AmazonECR/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonEC2ContainerRegistryPullOnly["AmazonEC2ContainerRegistryPullOnly",type="documentation"] @@ -66,7 +66,7 @@ You can create the node IAM role with the {aws-management-console} or the {aws} .. Under *Use case*, choose *EC2*. .. Choose *Next*. . On the *Add permissions* page, attach the following policies: -** xref:security-iam-awsmanpol-AmazonEKSWorkerNodeMinimalPolicy[AmazonEKSWorkerNodeMinimalPolicy] +** <> ** link:AmazonECR/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonEC2ContainerRegistryPullOnly["AmazonEC2ContainerRegistryPullOnly",type="documentation"] . On the *Name, review, and create* page, do the following: + diff --git a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc index e73a0b9f5..18fb26209 100644 --- a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc +++ b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc @@ -424,7 +424,7 @@ Added the ability for the EBS CSI Driver to enable Fast Snapshot Restore (FSR) o |Added `ec2:GetSecurityGroupsForVpc` and associated tag permissions to allow EKS to read security group information and update related tags. |October 10, 2024 -|Introduced xref:security-iam-awsmanpol-AmazonEKSWorkerNodeMinimalPolicy[AmazonEKSWorkerNodeMinimalPolicy]. +|Introduced <>. |{aws} introduced the `AmazonEKSWorkerNodeMinimalPolicy`. |October 3, 2024 diff --git a/latest/ug/what-is/eks-architecture.adoc b/latest/ug/what-is/eks-architecture.adoc index b49c88256..22c10f5a8 100644 --- a/latest/ug/what-is/eks-architecture.adoc +++ b/latest/ug/what-is/eks-architecture.adoc @@ -43,7 +43,7 @@ Amazon EKS uses Amazon Virtual Private Cloud (Amazon VPC) to limit traffic betwe In addition to the control plane, an Amazon EKS cluster has a set of worker machines called nodes. Selecting the appropriate Amazon EKS cluster node type is crucial for meeting your specific requirements and optimizing resource utilization. Amazon EKS offers the following primary node types: *EKS Auto Mode*:: -xref:automode[EKS Auto Mode] extends {aws} management beyond the control plane to include the data plane, automating cluster infrastructure management. It integrates core Kubernetes capabilities as built-in components, including compute autoscaling, networking, load balancing, DNS, storage, and GPU support. EKS Auto Mode dynamically manages nodes based on workload demands, using immutable AMIs with enhanced security features. It automates updates and upgrades while respecting Pod Disruption Budgets, and includes managed components that would otherwise require add-on management. This option is ideal for users who want to leverage {aws} expertise for day-to-day operations, minimize operational overhead, and focus on application development rather than infrastructure management. +<> extends {aws} management beyond the control plane to include the data plane, automating cluster infrastructure management. It integrates core Kubernetes capabilities as built-in components, including compute autoscaling, networking, load balancing, DNS, storage, and GPU support. EKS Auto Mode dynamically manages nodes based on workload demands, using immutable AMIs with enhanced security features. It automates updates and upgrades while respecting Pod Disruption Budgets, and includes managed components that would otherwise require add-on management. This option is ideal for users who want to leverage {aws} expertise for day-to-day operations, minimize operational overhead, and focus on application development rather than infrastructure management. *{aws} Fargate*:: <> is a serverless compute engine for containers that eliminates the need to manage the underlying instances. With Fargate, you specify your application's resource needs, and {aws} automatically provisions, scales, and maintains the infrastructure. This option is ideal for users who prioritize ease-of-use and want to concentrate on application development and deployment rather than managing infrastructure. diff --git a/latest/ug/workloads/retreive-iam-info.adoc b/latest/ug/workloads/retreive-iam-info.adoc index 71ff54cb3..e52b30fde 100644 --- a/latest/ug/workloads/retreive-iam-info.adoc +++ b/latest/ug/workloads/retreive-iam-info.adoc @@ -110,27 +110,27 @@ The following table indicates if certain Amazon EKS add-ons support EKS Pod Iden |=== | Add-on Name | Pod Identity Support | Minimum Version Required -| xref:add-ons-aws-ebs-csi-driver[Amazon EBS CSI Driver] +| <> | Yes | v1.26.0-eksbuild.1 -| xref:add-ons-vpc-cni[Amazon VPC CNI] +| <> | Yes | v1.15.5-eksbuild.1 -| xref:add-ons-aws-efs-csi-driver[Amazon EFS CSI Driver] +| <> | Yes | v2.0.5-eksbuild.1 -| xref:add-ons-adot[{aws} Distro for OpenTelemetry] +| <> | Yes | v0.94.1-eksbuild.1 -| xref:mountpoint-for-s3-add-on[Mountpoint for Amazon S3 CSI Driver] +| <> | No | N/A -| xref:amazon-cloudwatch-observability[Amazon CloudWatch Observability agent] +| <> | Yes | v3.1.0-eksbuild.1 From c2c03e45d4f2297df3d8ef6297cdc0ed10ed0f65 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Fri, 7 Feb 2025 13:03:11 -0600 Subject: [PATCH 121/940] Update sample-storage-workload.adoc --- latest/ug/automode/sample-storage-workload.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/automode/sample-storage-workload.adoc b/latest/ug/automode/sample-storage-workload.adoc index 2b416050a..444ebb339 100644 --- a/latest/ug/automode/sample-storage-workload.adoc +++ b/latest/ug/automode/sample-storage-workload.adoc @@ -64,7 +64,7 @@ kubectl apply -f storage-class.yaml - `provisioner: ebs.csi.eks.amazonaws.com` - Uses EKS Auto Mode - `volumeBindingMode: WaitForFirstConsumer` - Delays volume creation until a pod needs it - `type: gp3` - Specifies the EBS volume type -- `encrypted: "true"` - EBS will use the default `aws/ebs` key to encrypt volumes created with this class. This is optional, but recomended. +- `encrypted: "true"` - EBS will use the default `aws/ebs` key to encrypt volumes created with this class. This is optional, but recommended. - `storageclass.kubernetes.io/is-default-class: "true"` - Kubernetes will use this storage class by default, unless you specify a different volume class on a persistent volume claim. Use caution when setting this value if you are migrating from another storage controller. (optional) ## Step 3: Create the persistent volume claim @@ -226,4 +226,4 @@ deletionPolicy: Delete https://github.com/kubernetes-csi/external-snapshotter/blob/master/README.md#usage[Learn more about the Kubernetes CSI Snapshotter.] -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23sample-storage-workload%5D&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23sample-storage-workload%5D&type=code[Edit this page on GitHub] From 3daca3fa5745d1c5c77b4614c49ebafb8202cf0f Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Fri, 7 Feb 2025 20:00:48 +0000 Subject: [PATCH 122/940] Cleaned up spacing --- latest/ug/clusters/cluster-endpoint.adoc | 8 +-- latest/ug/clusters/create-cluster-auto.adoc | 22 ++++---- latest/ug/clusters/create-cluster.adoc | 36 ++++++------- latest/ug/clusters/delete-cluster.adoc | 10 ++-- .../ug/clusters/disable-extended-support.adoc | 10 ++-- .../ug/clusters/enable-extended-support.adoc | 10 ++-- .../kubernetes-versions-extended.adoc | 2 +- .../kubernetes-versions-standard.adoc | 4 +- latest/ug/clusters/kubernetes-versions.adoc | 2 +- .../cost-monitoring-kubecost-bundles.adoc | 4 +- .../management/cost-monitoring-kubecost.adoc | 4 +- .../clusters/management/eks-using-tags.adoc | 16 +++--- .../clusters/management/metrics-server.adoc | 2 +- .../clusters/management/service-quotas.adoc | 8 +-- latest/ug/clusters/platform-versions.adoc | 4 +- latest/ug/clusters/private-clusters.adoc | 6 +-- latest/ug/clusters/update-cluster.adoc | 10 ++-- latest/ug/clusters/view-support-status.adoc | 6 +-- latest/ug/clusters/view-upgrade-policy.adoc | 6 +-- latest/ug/clusters/windows-support.adoc | 6 +-- latest/ug/connector/connecting-cluster.adoc | 6 +-- .../ug/connector/connector-grant-access.adoc | 4 +- .../deregister-connected-cluster.adoc | 4 +- latest/ug/connector/eks-connector.adoc | 2 +- latest/ug/connector/security-connector.adoc | 4 +- .../connector/troubleshooting-connector.adoc | 6 +-- latest/ug/contribute/asciidoc-syntax.adoc | 2 +- latest/ug/doc-history.adoc | 6 +-- .../getting-started-automode.adoc | 2 +- .../getting-started-console.adoc | 34 ++++++------- .../getting-started-eksctl.adoc | 12 ++--- .../ug/getting-started/getting-started.adoc | 2 +- latest/ug/getting-started/install-awscli.adoc | 8 +-- .../ug/getting-started/install-kubectl.adoc | 2 +- latest/ug/getting-started/learn-eks.adoc | 2 +- ...reating-resources-with-cloudformation.adoc | 2 +- .../integrations/integration-detective.adoc | 2 +- .../integrations/integration-guardduty.adoc | 2 +- .../integration-securitylake.adoc | 4 +- .../associate-service-account-role.adoc | 4 +- .../aws-access/configure-sts-endpoint.adoc | 8 +-- .../aws-access/cross-account-access.adoc | 4 +- ...enable-iam-roles-for-service-accounts.adoc | 10 ++-- .../iam-roles-for-service-accounts.adoc | 2 +- .../aws-access/irsa-fetch-keys.adoc | 2 +- .../aws-access/pod-configuration.adoc | 8 +-- .../manage-access/aws-access/pod-id-abac.adoc | 2 +- .../aws-access/pod-id-agent-config-ipv6.adoc | 8 +-- .../aws-access/pod-id-agent-setup.adoc | 4 +- .../aws-access/pod-id-association.adoc | 12 ++--- .../aws-access/pod-id-configure-pods.adoc | 4 +- .../aws-access/pod-id-how-it-works.adoc | 6 +-- .../aws-access/pod-id-minimum-sdk.adoc | 2 +- .../manage-access/aws-access/pod-id-role.adoc | 2 +- .../aws-access/pod-identities.adoc | 4 +- .../aws-access/service-accounts.adoc | 4 +- .../ug/manage-access/create-kubeconfig.adoc | 6 +-- .../k8s-access/access-policies.adoc | 10 ++-- .../k8s-access/access-policy-reference.adoc | 6 +-- .../k8s-access/auth-configmap.adoc | 10 ++-- .../authenticate-oidc-identity-provider.adoc | 14 +++--- .../k8s-access/creating-access-entries.adoc | 28 +++++------ .../k8s-access/deleting-access-entries.adoc | 2 +- .../disassociate-oidc-identity-provider.adoc | 4 +- .../k8s-access/grant-k8s-access.adoc | 8 +-- .../k8s-access/migrating-access-entries.adoc | 2 +- .../k8s-access/setting-up-access-entries.adoc | 8 +-- .../k8s-access/updating-access-entries.adoc | 4 +- .../view-kubernetes-resources.adoc | 24 ++++----- latest/ug/ml/capacity-blocks-mng.adoc | 2 +- latest/ug/ml/capacity-blocks.adoc | 4 +- latest/ug/ml/ml-prepare-for-cluster.adoc | 2 +- latest/ug/ml/ml-tutorials.adoc | 14 +++--- latest/ug/ml/node-efa.adoc | 4 +- .../aws-load-balancer-controller.adoc | 2 +- .../cni-custom-network-tutorial.adoc | 4 +- latest/ug/networking/cni-iam-role.adoc | 6 +-- .../cni-increase-ip-addresses-procedure.adoc | 12 ++--- .../networking/cni-increase-ip-addresses.adoc | 2 +- latest/ug/networking/cni-ipv6.adoc | 6 +-- .../cni-network-policy-configure.adoc | 2 +- .../coredns-add-on-self-managed-update.adoc | 4 +- .../ug/networking/coredns-add-on-update.adoc | 4 +- latest/ug/networking/coredns-autoscaling.adoc | 24 ++++----- latest/ug/networking/creating-a-vpc.adoc | 50 +++++++++---------- latest/ug/networking/deploy-ipv6-cluster.adoc | 8 +-- latest/ug/networking/external-snat.adoc | 4 +- ...kube-proxy-add-on-self-managed-update.adoc | 2 +- latest/ug/networking/lbc-helm.adoc | 4 +- latest/ug/networking/lbc-manifest.adoc | 4 +- latest/ug/networking/lbc-remove.adoc | 2 +- latest/ug/networking/managing-kube-proxy.adoc | 2 +- .../network-policies-troubleshooting.adoc | 4 +- .../networking/network-policy-stars-demo.adoc | 2 +- latest/ug/networking/network-reqs.adoc | 22 ++++---- latest/ug/networking/sec-group-reqs.adoc | 4 +- .../networking/security-groups-for-pods.adoc | 4 +- .../security-groups-pods-deployment.adoc | 4 +- .../sg-pods-example-deployment.adoc | 2 +- latest/ug/networking/vpc-add-on-create.adoc | 2 +- .../vpc-add-on-self-managed-update.adoc | 2 +- latest/ug/nodes/choosing-instance-type.adoc | 4 +- .../ug/nodes/create-managed-node-group.adoc | 28 +++++------ latest/ug/nodes/delete-fargate-profile.adoc | 2 +- .../ug/nodes/delete-managed-node-group.adoc | 4 +- latest/ug/nodes/dockershim-deprecation.adoc | 2 +- latest/ug/nodes/eks-custom-ami-windows.adoc | 24 ++++----- latest/ug/nodes/eks-optimized-ami.adoc | 2 +- latest/ug/nodes/fargate-getting-started.adoc | 12 ++--- latest/ug/nodes/fargate-pod-patching.adoc | 4 +- latest/ug/nodes/fargate-profile.adoc | 14 +++--- latest/ug/nodes/fargate.adoc | 10 ++-- latest/ug/nodes/launch-templates.adoc | 28 +++++------ latest/ug/nodes/launch-windows-workers.adoc | 20 ++++---- latest/ug/nodes/launch-workers.adoc | 26 +++++----- latest/ug/nodes/managed-node-groups.adoc | 8 +-- .../nodes/managed-node-update-behavior.adoc | 4 +- latest/ug/nodes/migrate-stack.adoc | 6 +-- latest/ug/nodes/monitoring-fargate-usage.adoc | 4 +- .../ug/nodes/update-managed-node-group.adoc | 8 +-- latest/ug/nodes/update-stack.adoc | 20 ++++---- latest/ug/nodes/worker.adoc | 2 +- .../ug/observability/control-plane-logs.adoc | 2 +- .../ug/observability/deploy-prometheus.adoc | 4 +- latest/ug/observability/prometheus.adoc | 4 +- .../service-name-info-in-cloudtrail.adoc | 8 +-- .../understanding-service-name-entries.adoc | 2 +- .../eks-outposts-capacity-considerations.adoc | 6 +-- .../eks-outposts-local-cluster-create.adoc | 30 +++++------ .../eks-outposts-network-disconnects.adoc | 4 +- .../eks-outposts-self-managed-nodes.adoc | 26 +++++----- .../eks-outposts-troubleshooting.adoc | 4 +- .../eks-outposts-vpc-subnet-requirements.adoc | 8 +-- latest/ug/outposts/eks-outposts.adoc | 2 +- latest/ug/roadmap.adoc | 2 +- .../configuration-vulnerability-analysis.adoc | 6 +-- latest/ug/security/default-roles-users.adoc | 10 ++-- latest/ug/security/enable-kms.adoc | 2 +- .../iam-reference/auto-cluster-iam-role.adoc | 14 +++--- .../iam-reference/auto-create-node-role.adoc | 12 ++--- .../iam-reference/cluster-iam-role.adoc | 14 +++--- .../iam-reference/connector-iam-role.adoc | 8 +-- .../iam-reference/create-node-role.adoc | 16 +++--- .../iam-reference/pod-execution-role.adoc | 20 ++++---- .../iam-reference/security-iam-awsmanpol.adoc | 42 ++++++++-------- ...security-iam-id-based-policy-examples.adoc | 20 ++++---- .../security-iam-service-with-iam.adoc | 28 +++++------ .../security-iam-troubleshoot.adoc | 18 +++---- .../security/iam-reference/security-iam.adoc | 46 ++++++++--------- ...ng-service-linked-roles-eks-connector.adoc | 10 ++-- ...sing-service-linked-roles-eks-fargate.adoc | 12 ++--- ...g-service-linked-roles-eks-nodegroups.adoc | 10 ++-- ...sing-service-linked-roles-eks-outpost.adoc | 10 ++-- .../using-service-linked-roles-eks.adoc | 10 ++-- .../using-service-linked-roles.adoc | 2 +- latest/ug/security/manage-secrets.adoc | 2 +- latest/ug/security/pod-security-policy.adoc | 2 +- .../ug/security/vpc-interface-endpoints.adoc | 10 ++-- latest/ug/storage/ebs-csi-migration-faq.adoc | 8 +-- latest/ug/storage/ebs-csi.adoc | 24 ++++----- latest/ug/storage/efs-csi.adoc | 14 +++--- latest/ug/storage/fsx-csi.adoc | 6 +-- latest/ug/storage/s3-csi.adoc | 18 +++---- .../ug/troubleshooting/troubleshooting.adoc | 24 ++++----- latest/ug/what-is/kubernetes-concepts.adoc | 6 +-- latest/ug/workloads/addon-compat.adoc | 2 +- latest/ug/workloads/alb-ingress.adoc | 2 +- .../workloads/copy-image-to-repository.adoc | 10 ++-- latest/ug/workloads/creating-an-add-on.adoc | 30 +++++------ latest/ug/workloads/eks-add-ons.adoc | 2 +- latest/ug/workloads/eks-workloads.adoc | 4 +- .../ug/workloads/network-load-balancing.adoc | 12 ++--- .../workloads/sample-deployment-windows.adoc | 10 ++-- latest/ug/workloads/sample-deployment.adoc | 8 +-- latest/ug/workloads/updating-an-add-on.adoc | 8 +-- .../workloads-add-ons-available-eks.adoc | 6 +-- 176 files changed, 779 insertions(+), 781 deletions(-) diff --git a/latest/ug/clusters/cluster-endpoint.adoc b/latest/ug/clusters/cluster-endpoint.adoc index a83b2b645..8b1649cac 100644 --- a/latest/ug/clusters/cluster-endpoint.adoc +++ b/latest/ug/clusters/cluster-endpoint.adoc @@ -78,7 +78,7 @@ Because this endpoint is for the [.noloc]`Kubernetes` API server and not a tradi ==== -When you enable endpoint private access for your cluster, Amazon EKS creates a Route 53 private hosted zone on your behalf and associates it with your cluster's VPC. This private hosted zone is managed by Amazon EKS, and it doesn't appear in your account's Route 53 resources. In order for the private hosted zone to properly route traffic to your API server, your VPC must have `enableDnsHostnames` and `enableDnsSupport` set to `true`, and the DHCP options set for your VPC must include `AmazonProvidedDNS` in its domain name servers list. For more information, see link:vpc/latest/userguide/vpc-dns.html#vpc-dns-updating[Updating DNS support for your VPC,type="documentation"] in the _Amazon VPC User Guide_. +When you enable endpoint private access for your cluster, Amazon EKS creates a Route 53 private hosted zone on your behalf and associates it with your cluster's VPC. This private hosted zone is managed by Amazon EKS, and it doesn't appear in your account's Route 53 resources. In order for the private hosted zone to properly route traffic to your API server, your VPC must have `enableDnsHostnames` and `enableDnsSupport` set to `true`, and the DHCP options set for your VPC must include `AmazonProvidedDNS` in its domain name servers list. For more information, see link:vpc/latest/userguide/vpc-dns.html#vpc-dns-updating[Updating DNS support for your VPC,type="documentation"] in the _Amazon VPC User Guide_. You can define your API server endpoint access requirements when you create a new cluster, and you can update the API server endpoint access for a cluster at any time. @@ -135,10 +135,10 @@ You can modify your cluster API server endpoint access using the {aws-management . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. . Choose the name of the cluster to display your cluster information. -. Choose the *Networking* tab and choose *Manage endpoint access*. +. Choose the *Networking* tab and choose *Manage endpoint access*. . For *Private access*, choose whether to enable or disable private access for your cluster's [.noloc]`Kubernetes` API server endpoint. If you enable private access, [.noloc]`Kubernetes` API requests that originate from within your cluster's VPC use the private VPC endpoint. You must enable private access to disable public access. . For *Public access*, choose whether to enable or disable public access for your cluster's [.noloc]`Kubernetes` API server endpoint. If you disable public access, your cluster's [.noloc]`Kubernetes` API server can only receive requests from within the cluster VPC. -. (Optional) If you've enabled *Public access*, you can specify which addresses from the internet can communicate to the public endpoint. Select *Advanced Settings*. Enter a CIDR block, such as [.replaceable]`203.0.113.5/32`. The block cannot include https://en.wikipedia.org/wiki/Reserved_IP_addresses[reserved addresses]. You can enter additional blocks by selecting *Add Source*. There is a maximum number of CIDR blocks that you can specify. For more information, see <>. If you specify no blocks, then the public API server endpoint receives requests from all (`0.0.0.0/0`) IP addresses. If you restrict access to your public endpoint using CIDR blocks, it is recommended that you also enable private endpoint access so that nodes and Fargate [.noloc]`Pods` (if you use them) can communicate with the cluster. Without the private endpoint enabled, your public access endpoint CIDR sources must include the egress sources from your VPC. For example, if you have a node in a private subnet that communicates to the internet through a NAT Gateway, you will need to add the outbound IP address of the NAT gateway as part of an allowed CIDR block on your public endpoint. +. (Optional) If you've enabled *Public access*, you can specify which addresses from the internet can communicate to the public endpoint. Select *Advanced Settings*. Enter a CIDR block, such as [.replaceable]`203.0.113.5/32`. The block cannot include https://en.wikipedia.org/wiki/Reserved_IP_addresses[reserved addresses]. You can enter additional blocks by selecting *Add Source*. There is a maximum number of CIDR blocks that you can specify. For more information, see <>. If you specify no blocks, then the public API server endpoint receives requests from all (`0.0.0.0/0`) IP addresses. If you restrict access to your public endpoint using CIDR blocks, it is recommended that you also enable private endpoint access so that nodes and Fargate [.noloc]`Pods` (if you use them) can communicate with the cluster. Without the private endpoint enabled, your public access endpoint CIDR sources must include the egress sources from your VPC. For example, if you have a node in a private subnet that communicates to the internet through a NAT Gateway, you will need to add the outbound IP address of the NAT gateway as part of an allowed CIDR block on your public endpoint. . Choose *Update* to finish. @@ -240,7 +240,7 @@ Connect your network to the VPC with an link:vpc/latest/tgw/what-is-transit-gate *Amazon EC2 bastion host*:: You can launch an Amazon EC2 instance into a public subnet in your cluster's VPC and then log in via SSH into that instance to run `kubectl` commands. For more information, see link:quickstart/architecture/linux-bastion/[Linux bastion hosts on {aws},type="marketing"]. You must ensure that your Amazon EKS control plane security group contains rules to allow ingress traffic on port 443 from your bastion host. For more information, see <>. + -When you configure `kubectl` for your bastion host, be sure to use {aws} credentials that are already mapped to your cluster's RBAC configuration, or add the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that your bastion will use to the RBAC configuration before you remove endpoint public access. For more information, see <> and <>. +When you configure `kubectl` for your bastion host, be sure to use {aws} credentials that are already mapped to your cluster's RBAC configuration, or add the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that your bastion will use to the RBAC configuration before you remove endpoint public access. For more information, see <> and <>. *{aws} Cloud9 IDE*:: diff --git a/latest/ug/clusters/create-cluster-auto.adoc b/latest/ug/clusters/create-cluster-auto.adoc index 2b906070f..45d4f4748 100644 --- a/latest/ug/clusters/create-cluster-auto.adoc +++ b/latest/ug/clusters/create-cluster-auto.adoc @@ -38,14 +38,14 @@ This topic covers advanced configuration. If you are looking to get started with * An existing VPC and subnets that meet <>. Before you deploy a cluster for production use, we recommend that you have a thorough understanding of the VPC and subnet requirements. If you don't have a VPC and subnets, you can create them using an <>. * The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. -* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version`. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. -* An link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] with permissions to create and modify EKS and IAM resources. +* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version`. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. +* An link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] with permissions to create and modify EKS and IAM resources. == Create cluster - {aws} console . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. -. Choose *Add cluster* and then choose *Create*. +. Choose *Add cluster* and then choose *Create*. . Under _Configuration options_, select *Custom configuration*. ** This topic covers custom configuration. For information about Quick configuration, see <>. . Confirm *Use EKS Auto Mode* is enabled. @@ -55,7 +55,7 @@ This topic covers advanced configuration. If you are looking to get started with ** *Name* – A name for your cluster. The name can contain only alphanumeric characters (case-sensitive), hyphens, and underscores. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. ** *Cluster IAM role* – Choose the Amazon EKS cluster IAM role that you created to allow the [.noloc]`Kubernetes` control plane to manage {aws} resources on your behalf. If you haven't previously created a Cluster IAM role for EKS Auto Mode, select the *Create recommended role* button to create the role with the required permissions in the IAM console. ** *[.noloc]`Kubernetes` version* – The version of [.noloc]`Kubernetes` to use for your cluster. We recommend selecting the latest version, unless you need an earlier version. -** *Upgrade policy* -- The [.noloc]`Kubernetes` version policy you would like to set for your cluster. If you want your cluster to only run on a standard support version, you can choose *Standard*. If you want your cluster to enter extended support at the end of standard support for a version, you can choose *Extended*. If you select a [.noloc]`Kubernetes` version that is currently in extended support, you can not select standard support as an option. +** *Upgrade policy* -- The [.noloc]`Kubernetes` version policy you would like to set for your cluster. If you want your cluster to only run on a standard support version, you can choose *Standard*. If you want your cluster to enter extended support at the end of standard support for a version, you can choose *Extended*. If you select a [.noloc]`Kubernetes` version that is currently in extended support, you can not select standard support as an option. . In the *Auto Mode Compute* section of the configure cluster page, enter the following fields: ** *Node pools* -- Determine if you want to use the build in node pools. For more information, see <>. ** *Node IAM role* -- If you enable any of the built-in node pools, you need to select a Node IAM Role. EKS Auto Mode will assign this role to new nodes. You cannot change this value after the cluster is created. If you haven't previously created a Node IAM role for EKS Auto Mode, select the Create recommended role button to create the role with the required permissions. For more information about this role, see <>. @@ -78,11 +78,11 @@ The subnets that you choose must meet the <>. You can modify the rules in the cluster security group that Amazon EKS creates. -** *Choose cluster IP address family* – You can choose either *IPv4* and *IPv6*. +** *Choose cluster IP address family* – You can choose either *IPv4* and *IPv6*. + [.noloc]`Kubernetes` assigns `IPv4` addresses to [.noloc]`Pods` and services, by default. Before deciding to use the `IPv6` family, make sure that you're familiar with all of the considerations and requirements in the <>, <>, <>, and <> topics. If you choose the `IPv6` family, you can't specify an address range for [.noloc]`Kubernetes` to assign `IPv6` service addresses from like you can for the `IPv4` family. [.noloc]`Kubernetes` assigns service addresses from the unique local address range (`fc00::/7`). + -** (Optional) Choose *Configure [.noloc]`Kubernetes` Service IP address range* and specify a *Service `IPv4` range*. +** (Optional) Choose *Configure [.noloc]`Kubernetes` Service IP address range* and specify a *Service `IPv4` range*. + Specifying your own range can help prevent conflicts between [.noloc]`Kubernetes` services and other networks peered or connected to your VPC. Enter a range in CIDR notation. For example: `10.2.0.0/16`. + @@ -97,20 +97,20 @@ You can only specify this option when using the `IPv4` address family and only a ** For *Cluster endpoint access*, select an option. After your cluster is created, you can change this option. Before selecting a non-default option, make sure to familiarize yourself with the options and their implications. For more information, see <>. + When you're done with this page, choose *Next*. -. (Optional) On the *Configure observability* page, choose which *Metrics* and *Control plane logging* options to turn on. By default, each log type is turned off. +. (Optional) On the *Configure observability* page, choose which *Metrics* and *Control plane logging* options to turn on. By default, each log type is turned off. + ** For more information about the [.noloc]`Prometheus` metrics option, see <>. ** For more information about the *Control plane logging* options, see <>. -** When you're done with this page, choose *Next*. -. On the *Select add-ons* page, choose the add-ons that you want to add to your cluster. You can choose as many *Amazon EKS add-ons* and *{aws} Marketplace add-ons* as you require. If the *{aws} Marketplace add-ons* that you want to install isn't listed, you can click the page numbering to view additional page results or search for available *{aws} Marketplace add-ons* by entering text in the search box. You can also filter by *category*, *vendor*, or *pricing model* and then choose the add-ons from the search results. When creating a cluster, you can view, select, and install any add-on that supports EKS Pod Identities as detailed in <>. +** When you're done with this page, choose *Next*. +. On the *Select add-ons* page, choose the add-ons that you want to add to your cluster. You can choose as many *Amazon EKS add-ons* and *{aws} Marketplace add-ons* as you require. If the *{aws} Marketplace add-ons* that you want to install isn't listed, you can click the page numbering to view additional page results or search for available *{aws} Marketplace add-ons* by entering text in the search box. You can also filter by *category*, *vendor*, or *pricing model* and then choose the add-ons from the search results. When creating a cluster, you can view, select, and install any add-on that supports EKS Pod Identities as detailed in <>. ** EKS Auto Mode automates the functionality of certain add-ons. If you plan to deploy EKS Managed Node Groups to your EKS Auto Mode Cluster, select *Additional Amazon EKS Add-ons* and review the options. You may need to install add-ons such as CoreDNS and kube-proxy. EKS will only install the add-ons in this section on self-managed nodes and node groups. -** When you're done with this page, choose *Next*. +** When you're done with this page, choose *Next*. . On the *Configure selected add-ons settings* page, select the version that you want to install. You can always update to a later version after cluster creation. + For add-ons that support EKS Pod Identities, you can use the console to automatically generate the role with the name, {aws} managed policy, and trust policy prepopulated specifically for the add-on. You can re-use existing roles or create new roles for supported add-ons. For the steps to use the console to create roles for add-ons that support EKS Pod Identities, see <<_create_add_on_console>>. If an add-on does not support EKS Pod Identity, a message displays with instructions to use the wizard to create the IAM roles for service accounts (IRSA) after the cluster is created. + You can update the configuration of each add-on after cluster creation. For more information about configuring add-ons, see <>. When you're done with this page, choose *Next*. -. On the *Review and create* page, review the information that you entered or selected on the previous pages. If you need to make changes, choose *Edit*. When you're satisfied, choose *Create*. The *Status* field shows *CREATING* while the cluster is provisioned. +. On the *Review and create* page, review the information that you entered or selected on the previous pages. If you need to make changes, choose *Edit*. When you're satisfied, choose *Create*. The *Status* field shows *CREATING* while the cluster is provisioned. + NOTE: You might receive an error that one of the Availability Zones in your request doesn't have sufficient capacity to create an Amazon EKS cluster. If this happens, the error output contains the Availability Zones that can support a new cluster. Retry creating your cluster with at least two subnets that are located in the supported Availability Zones for your account. For more information, see <>. + diff --git a/latest/ug/clusters/create-cluster.adoc b/latest/ug/clusters/create-cluster.adoc index 40cd40233..8e87b53fe 100644 --- a/latest/ug/clusters/create-cluster.adoc +++ b/latest/ug/clusters/create-cluster.adoc @@ -27,8 +27,8 @@ This topic provides an overview of the available options and describes what to c * An existing VPC and subnets that meet <>. Before you deploy a cluster for production use, we recommend that you have a thorough understanding of the VPC and subnet requirements. If you don't have a VPC and subnets, you can create them using an <>. * The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. To install or upgrade `kubectl`, see <>. -* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. -* An link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] with permissions to `create` and `describe` an Amazon EKS cluster. For more information, see <> and <>. +* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. +* An link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] with permissions to `create` and `describe` an Amazon EKS cluster. For more information, see <> and <>. == Step 1: Create cluster IAM role @@ -53,7 +53,7 @@ cat >eks-cluster-role-trust-policy.json <>. + -Attach the Amazon EKS managed policy named link:aws-managed-policy/latest/reference/AmazonEKSClusterPolicy.html#AmazonEKSClusterPolicy-json[AmazonEKSClusterPolicy,type="documentation"] to the role. To attach an IAM policy to an link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"], the principal that is attaching the policy must be assigned one of the following IAM actions (permissions): `iam:AttachUserPolicy` or `iam:AttachRolePolicy`. +Attach the Amazon EKS managed policy named link:aws-managed-policy/latest/reference/AmazonEKSClusterPolicy.html#AmazonEKSClusterPolicy-json[AmazonEKSClusterPolicy,type="documentation"] to the role. To attach an IAM policy to an link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"], the principal that is attaching the policy must be assigned one of the following IAM actions (permissions): `iam:AttachUserPolicy` or `iam:AttachRolePolicy`. + [source,bash,subs="verbatim,attributes"] ---- @@ -141,7 +141,7 @@ You can only specify this option when using the `IPv4` address family and only a === Create cluster - {aws} console . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. -. Choose *Add cluster* and then choose *Create*. +. Choose *Add cluster* and then choose *Create*. . Under *Configuration options* select *Custom configuration* ** For information about quickly creating a cluster wih EKS Auto Mode, see <>. . Under *EKS Auto Mode*, toggle *Use EKS Auto Mode* off. @@ -151,7 +151,7 @@ You can only specify this option when using the `IPv4` address family and only a ** *Name* – A name for your cluster. The name can contain only alphanumeric characters (case-sensitive), hyphens, and underscores. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. ** *Cluster IAM role* – Choose the Amazon EKS cluster IAM role that you created to allow the [.noloc]`Kubernetes` control plane to manage {aws} resources on your behalf. ** *[.noloc]`Kubernetes` version* – The version of [.noloc]`Kubernetes` to use for your cluster. We recommend selecting the latest version, unless you need an earlier version. -** *Support type* -- The [.noloc]`Kubernetes` version policy you would like to set for your cluster. If you want your cluster to only run on a standard support version, you can choose *Standard support*. If you want your cluster to enter extended support at the end of standard support for a version, you can choose *Extended support*. If you select a [.noloc]`Kubernetes` version that is currently in extended support, you can not select standard support as an option. +** *Support type* -- The [.noloc]`Kubernetes` version policy you would like to set for your cluster. If you want your cluster to only run on a standard support version, you can choose *Standard support*. If you want your cluster to enter extended support at the end of standard support for a version, you can choose *Extended support*. If you select a [.noloc]`Kubernetes` version that is currently in extended support, you can not select standard support as an option. ** *Secrets encryption* – (Optional) Choose to enable secrets encryption of [.noloc]`Kubernetes` secrets using a KMS key. You can also enable this after you create your cluster. Before you enable this capability, make sure that you're familiar with the information in <>. ** *Tags* – (Optional) Add any tags to your cluster. For more information, see <>. ** *ARC Zonal shift* - (Optional) You can use Route53 Application Recovery controller to mitigate impaired availability zones. For more information, see <>. @@ -170,11 +170,11 @@ The subnets that you choose must meet the <>. You can modify the rules in the cluster security group that Amazon EKS creates. -** *Choose cluster IP address family* – You can choose either *IPv4* and *IPv6*. +** *Choose cluster IP address family* – You can choose either *IPv4* and *IPv6*. + [.noloc]`Kubernetes` assigns `IPv4` addresses to [.noloc]`Pods` and services, by default. Before deciding to use the `IPv6` family, make sure that you're familiar with all of the considerations and requirements in the <>, <>, <>, and <> topics. If you choose the `IPv6` family, you can't specify an address range for [.noloc]`Kubernetes` to assign `IPv6` service addresses from like you can for the `IPv4` family. [.noloc]`Kubernetes` assigns service addresses from the unique local address range (`fc00::/7`). + -** (Optional) Choose *Configure [.noloc]`Kubernetes` Service IP address range* and specify a *Service `IPv4` range*. +** (Optional) Choose *Configure [.noloc]`Kubernetes` Service IP address range* and specify a *Service `IPv4` range*. + Specifying your own range can help prevent conflicts between [.noloc]`Kubernetes` services and other networks peered or connected to your VPC. Enter a range in CIDR notation. For example: `10.2.0.0/16`. + @@ -189,16 +189,16 @@ You can only specify this option when using the `IPv4` address family and only a ** For *Cluster endpoint access*, select an option. After your cluster is created, you can change this option. Before selecting a non-default option, make sure to familiarize yourself with the options and their implications. For more information, see <>. + When you're done with this page, choose *Next*. -. (Optional) On the *Configure observability* page, choose which *Metrics* and *Control plane logging* options to turn on. By default, each log type is turned off. +. (Optional) On the *Configure observability* page, choose which *Metrics* and *Control plane logging* options to turn on. By default, each log type is turned off. + ** For more information about the [.noloc]`Prometheus` metrics option, see <>. ** For more information about the *Control plane logging* options, see <>. + -When you're done with this page, choose *Next*. -. On the *Select add-ons* page, choose the add-ons that you want to add to your cluster. Certain add-ons are pre-selected. You can choose as many *Amazon EKS add-ons* and *{aws} Marketplace add-ons* as you require. If the *{aws} Marketplace add-ons* that you want to install isn't listed, you can click the page numbering to view additional page results or search for available *{aws} Marketplace add-ons* by entering text in the search box. You can also filter by *category*, *vendor*, or *pricing model* and then choose the add-ons from the search results. When creating a cluster, you can view, select, and install any add-on that supports EKS Pod Identities as detailed in <>. +When you're done with this page, choose *Next*. +. On the *Select add-ons* page, choose the add-ons that you want to add to your cluster. Certain add-ons are pre-selected. You can choose as many *Amazon EKS add-ons* and *{aws} Marketplace add-ons* as you require. If the *{aws} Marketplace add-ons* that you want to install isn't listed, you can click the page numbering to view additional page results or search for available *{aws} Marketplace add-ons* by entering text in the search box. You can also filter by *category*, *vendor*, or *pricing model* and then choose the add-ons from the search results. When creating a cluster, you can view, select, and install any add-on that supports EKS Pod Identities as detailed in <>. + -When you're done with this page, choose *Next*. +When you're done with this page, choose *Next*. + Some add-ons, such as Amazon VPC CNI, CoreDNS, and kube-proxy, are installed by default. If you disable any of the default add-ons, this may affect your ability to run Kubernetes applications. . On the *Configure selected add-ons settings* page, select the version that you want to install. You can always update to a later version after cluster creation. @@ -206,7 +206,7 @@ Some add-ons, such as Amazon VPC CNI, CoreDNS, and kube-proxy, are installed by For add-ons that support EKS Pod Identities, you can use the console to automatically generate the role with the name, {aws} managed policy, and trust policy prepopulated specifically for the add-on. You can re-use existing roles or create new roles for supported add-ons. For the steps to use the console to create roles for add-ons that support EKS Pod Identities, see <<_create_add_on_console>>. If an add-on does not support EKS Pod Identity, a message displays with instructions to use the wizard to create the IAM roles for service accounts (IRSA) after the cluster is created. + You can update the configuration of each add-on after cluster creation. For more information about configuring add-ons, see <>. When you're done with this page, choose *Next*. -. On the *Review and create* page, review the information that you entered or selected on the previous pages. If you need to make changes, choose *Edit*. When you're satisfied, choose *Create*. The *Status* field shows *CREATING* while the cluster is provisioned. +. On the *Review and create* page, review the information that you entered or selected on the previous pages. If you need to make changes, choose *Edit*. When you're satisfied, choose *Create*. The *Status* field shows *CREATING* while the cluster is provisioned. + NOTE: You might receive an error that one of the Availability Zones in your request doesn't have sufficient capacity to create an Amazon EKS cluster. If this happens, the error output contains the Availability Zones that can support a new cluster. Retry creating your cluster with at least two subnets that are located in the supported Availability Zones for your account. For more information, see <>. + @@ -241,7 +241,7 @@ The following are optional settings that, if required, must be added to the prev ** By default, EKS installs multiple networking add-ons during cluster creation. This includes the Amazon VPC CNI, CoreDNS, and kube-proxy. + -If you'd like to disable the installation of these default networking add-ons, use the parameter below. This may be used for alternate CNIs, such as Cilium. Review the link:eks/latest/APIReference/API_CreateCluster.html[EKS API reference,type="documentation"] for more information. +If you'd like to disable the installation of these default networking add-ons, use the parameter below. This may be used for alternate CNIs, such as Cilium. Review the link:eks/latest/APIReference/API_CreateCluster.html[EKS API reference,type="documentation"] for more information. + `aws eks create-cluster --bootstrapSelfManagedAddons false` ** If you want to specify which `IPv4` Classless Inter-domain Routing (CIDR) block [.noloc]`Kubernetes` assigns service IP addresses from, you must specify it by adding the `--kubernetes-network-config serviceIpv4Cidr=` to the following command. @@ -302,8 +302,8 @@ kubernetes ClusterIP 10.100.0.1 443/TCP 28h == Step 4: Cluster setup -. (Recommended) To use some Amazon EKS add-ons, or to enable individual [.noloc]`Kubernetes` workloads to have specific {aws} Identity and Access Management (IAM) permissions, <> for your cluster. You only need to create an IAM [.noloc]`OIDC` provider for your cluster once. To learn more about Amazon EKS add-ons, see <>. To learn more about assigning specific IAM permissions to your workloads, see <>. -. (Recommended) Configure your cluster for the [.noloc]`Amazon VPC CNI plugin for Kubernetes` plugin before deploying Amazon EC2 nodes to your cluster. By default, the plugin was installed with your cluster. When you add Amazon EC2 nodes to your cluster, the plugin is automatically deployed to each Amazon EC2 node that you add. The plugin requires you to attach one of the following IAM policies to an IAM role. If your cluster uses the `IPv4` family, use the link:aws-managed-policy/latest/reference/AmazonEKS_CNI_Policy.html[AmazonEKS_CNI_Policy,type="documentation"] managed IAM policy. If your cluster uses the `IPv6` family, use an <>. +. (Recommended) To use some Amazon EKS add-ons, or to enable individual [.noloc]`Kubernetes` workloads to have specific {aws} Identity and Access Management (IAM) permissions, <> for your cluster. You only need to create an IAM [.noloc]`OIDC` provider for your cluster once. To learn more about Amazon EKS add-ons, see <>. To learn more about assigning specific IAM permissions to your workloads, see <>. +. (Recommended) Configure your cluster for the [.noloc]`Amazon VPC CNI plugin for Kubernetes` plugin before deploying Amazon EC2 nodes to your cluster. By default, the plugin was installed with your cluster. When you add Amazon EC2 nodes to your cluster, the plugin is automatically deployed to each Amazon EC2 node that you add. The plugin requires you to attach one of the following IAM policies to an IAM role. If your cluster uses the `IPv4` family, use the link:aws-managed-policy/latest/reference/AmazonEKS_CNI_Policy.html[AmazonEKS_CNI_Policy,type="documentation"] managed IAM policy. If your cluster uses the `IPv6` family, use an <>. + The IAM role that you attach the policy to can be the node IAM role, or a dedicated role used only for the plugin. We recommend attaching the policy to this role. For more information about creating the role, see <> or <>. . If you deployed your cluster using the {aws-management-console}, you can skip this step. The {aws-management-console} deploys the [.noloc]`Amazon VPC CNI plugin for Kubernetes`, [.noloc]`CoreDNS`, and `kube-proxy` Amazon EKS add-ons, by default. @@ -314,9 +314,9 @@ If you deploy your cluster using either `eksctl` or the {aws} CLI, then the [.no == Next steps -* The link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that created the cluster is the only principal that has access to the cluster. <> so they can access your cluster. +* The link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that created the cluster is the only principal that has access to the cluster. <> so they can access your cluster. * If the IAM principal that created the cluster only has the minimum IAM permissions referenced in the prerequisites, then you might want to add additional Amazon EKS permissions for that principal. For more information about granting Amazon EKS permissions to IAM principals, see <>. -* If you want the IAM principal that created the cluster, or any other principals to view [.noloc]`Kubernetes` resources in the Amazon EKS console, grant the <> to the entities. +* If you want the IAM principal that created the cluster, or any other principals to view [.noloc]`Kubernetes` resources in the Amazon EKS console, grant the <> to the entities. * If you want nodes and IAM principals to access your cluster from within your VPC, enable the private endpoint for your cluster. The public endpoint is enabled by default. You can disable the public endpoint once you've enabled the private endpoint, if desired. For more information, see <>. * <>. * <>. diff --git a/latest/ug/clusters/delete-cluster.adoc b/latest/ug/clusters/delete-cluster.adoc index ffd3f42ca..9be904271 100644 --- a/latest/ug/clusters/delete-cluster.adoc +++ b/latest/ug/clusters/delete-cluster.adoc @@ -20,7 +20,7 @@ You can delete a cluster with `eksctl`, the {aws-management-console}, or the {aw * If you have active services in your cluster that are associated with a load balancer, you must delete those services before deleting the cluster so that the load balancers are deleted properly. Otherwise, you can have orphaned resources in your VPC that prevent you from being able to delete the VPC. * If you receive an error because the cluster creator has been removed, see link:premiumsupport/knowledge-center/eks-api-server-unauthorized-error[this article,type="marketing"] to resolve. -* Amazon Managed Service for Prometheus resources are outside of the cluster lifecycle and need to be maintained independent of the cluster. When you delete your cluster, make sure to also delete any applicable scrapers to stop applicable costs. For more information, see link:prometheus/latest/userguide/AMP-collector-how-to.html#AMP-collector-list-delete[Find and delete scrapers,type="documentation"] in the _Amazon Managed Service for Prometheus User Guide_. +* Amazon Managed Service for Prometheus resources are outside of the cluster lifecycle and need to be maintained independent of the cluster. When you delete your cluster, make sure to also delete any applicable scrapers to stop applicable costs. For more information, see link:prometheus/latest/userguide/AMP-collector-how-to.html#AMP-collector-list-delete[Find and delete scrapers,type="documentation"] in the _Amazon Managed Service for Prometheus User Guide_. * To remove a connected cluster, see <> === Considerations for EKS Auto Mode @@ -90,15 +90,15 @@ kubectl delete svc service-name + .. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. .. In the left navigation pane, choose Amazon EKS *Clusters*, and then in the tabbed list of clusters, choose the name of the cluster that you want to delete. -.. Choose the *Compute* tab and choose a node group to delete. Choose *Delete*, enter the name of the node group, and then choose *Delete*. Delete all node groups in the cluster. +.. Choose the *Compute* tab and choose a node group to delete. Choose *Delete*, enter the name of the node group, and then choose *Delete*. Delete all node groups in the cluster. + NOTE: The node groups listed are <> only. -.. Choose a *Fargate Profile* to delete, select *Delete*, enter the name of the profile, and then choose *Delete*. Delete all Fargate profiles in the cluster. +.. Choose a *Fargate Profile* to delete, select *Delete*, enter the name of the profile, and then choose *Delete*. Delete all Fargate profiles in the cluster. . Delete all self-managed node {aws} CloudFormation stacks. + .. Open the link:cloudformation/[{aws} CloudFormation console,type="console"]. .. Choose the node stack to delete, and then choose *Delete*. -.. In the *Delete stack* confirmation dialog box, choose *Delete stack*. Delete all self-managed node stacks in the cluster. +.. In the *Delete stack* confirmation dialog box, choose *Delete stack*. Delete all self-managed node stacks in the cluster. . Delete the cluster. + .. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. @@ -108,7 +108,7 @@ NOTE: The node groups listed are <> onl + .. Open the link:cloudformation/[{aws} CloudFormation console,type="console"]. .. Select the VPC stack to delete, and then choose *Delete*. -.. In the *Delete stack* confirmation dialog box, choose *Delete stack*. +.. In the *Delete stack* confirmation dialog box, choose *Delete stack*. == Delete cluster ({aws} CLI) diff --git a/latest/ug/clusters/disable-extended-support.adoc b/latest/ug/clusters/disable-extended-support.adoc index a806f8689..d384b8865 100644 --- a/latest/ug/clusters/disable-extended-support.adoc +++ b/latest/ug/clusters/disable-extended-support.adoc @@ -5,7 +5,7 @@ include::../attributes.txt[] -This topic describes how to set the _upgrade policy_ of an EKS cluster to disable extended support. The upgrade policy of an EKS cluster determines what happens when a cluster reaches the end of the standard _support period_. If a cluster upgrade policy has extended support disabled, it will be automatically upgraded to the next [.noloc]`Kubernetes` version. +This topic describes how to set the _upgrade policy_ of an EKS cluster to disable extended support. The upgrade policy of an EKS cluster determines what happens when a cluster reaches the end of the standard _support period_. If a cluster upgrade policy has extended support disabled, it will be automatically upgraded to the next [.noloc]`Kubernetes` version. For more information about upgrade policies, see <>. @@ -20,14 +20,14 @@ You cannot disable extended support once your cluster has entered it. You can on [#disable-support-policy-console] == Disable EKS extended support ({aws} Console) -. Navigate to your EKS cluster in the {aws} Console. Select the *Overview* tab on the *Cluster Info* page. -. In the *Kubernetes version setting* section, select *Manage*. -. Select *Standard support* and then *Save changes*. +. Navigate to your EKS cluster in the {aws} Console. Select the *Overview* tab on the *Cluster Info* page. +. In the *Kubernetes version setting* section, select *Manage*. +. Select *Standard support* and then *Save changes*. [#disable-support-policy-cli] == Disable EKS extended support ({aws} CLI) -. Verify the {aws} CLI is installed and you are logged in. link:cli/latest/userguide/getting-started-install.html[Learn how to update and install the {aws} CLI.,type="documentation"] +. Verify the {aws} CLI is installed and you are logged in. link:cli/latest/userguide/getting-started-install.html[Learn how to update and install the {aws} CLI.,type="documentation"] . Determine the name of your EKS cluster. . Run the following command: + diff --git a/latest/ug/clusters/enable-extended-support.adoc b/latest/ug/clusters/enable-extended-support.adoc index 01a06c48e..d66d56379 100644 --- a/latest/ug/clusters/enable-extended-support.adoc +++ b/latest/ug/clusters/enable-extended-support.adoc @@ -5,7 +5,7 @@ include::../attributes.txt[] -This topic describes how to set the _upgrade policy_ of an EKS cluster to enable extended support. The upgrade policy of an EKS cluster determines what happens when a cluster reaches the end of the standard _support period_. If a cluster upgrade policy has extended support enabled, it will enter the extended support period at the end of the standard support period. The cluster will not be automatically upgraded at the end of the standard support period. +This topic describes how to set the _upgrade policy_ of an EKS cluster to enable extended support. The upgrade policy of an EKS cluster determines what happens when a cluster reaches the end of the standard _support period_. If a cluster upgrade policy has extended support enabled, it will enter the extended support period at the end of the standard support period. The cluster will not be automatically upgraded at the end of the standard support period. Clusters actually in the _extended support period_ incur higher costs. If a cluster merely has the upgrade policy set to enable extended support, and is otherwise in the _standard support period_, it incurs standard costs. @@ -24,14 +24,14 @@ If you do not enable extended support, your cluster will be automatically upgrad [#enable-support-policy-console] == Enable EKS extended support ({aws} Console) -. Navigate to your EKS cluster in the {aws} Console. Select the *Overview* tab on the *Cluster Info* page. -. In the *Kubernetes version settings* section, select *Manage*. -. Select *Extended support* and then *Save changes*. +. Navigate to your EKS cluster in the {aws} Console. Select the *Overview* tab on the *Cluster Info* page. +. In the *Kubernetes version settings* section, select *Manage*. +. Select *Extended support* and then *Save changes*. [#enable-support-policy-cli] == Enable EKS extended support ({aws} CLI) -. Verify the {aws} CLI is installed and you are logged in. link:cli/latest/userguide/getting-started-install.html[Learn how to update and install the {aws} CLI.,type="documentation"] +. Verify the {aws} CLI is installed and you are logged in. link:cli/latest/userguide/getting-started-install.html[Learn how to update and install the {aws} CLI.,type="documentation"] . Determine the name of your EKS cluster. . Run the following command: + diff --git a/latest/ug/clusters/kubernetes-versions-extended.adoc b/latest/ug/clusters/kubernetes-versions-extended.adoc index da6eb141b..c8d5eb4e0 100644 --- a/latest/ug/clusters/kubernetes-versions-extended.adoc +++ b/latest/ug/clusters/kubernetes-versions-extended.adoc @@ -108,7 +108,7 @@ For the complete [.noloc]`Kubernetes` `1.25` changelog, see https://github.com/k * Starting with [.noloc]`Kubernetes` `1.24`, new beta APIs aren't enabled in clusters by default. By default, existing beta APIs and new versions of existing beta APIs continue to be enabled. Amazon EKS follows the same behavior as upstream [.noloc]`Kubernetes` `1.24`. The feature gates that control new features for both new and existing API operations are enabled by default. This is in alignment with upstream [.noloc]`Kubernetes`. For more information, see https://github.com/kubernetes/enhancements/blob/master/keps/sig-architecture/3136-beta-apis-off-by-default/README.md[KEP-3136: Beta APIs Are Off by Default] on GitHub. * Support for Container Runtime Interface (CRI) for [.noloc]`Docker` (also known as `dockershim`) is removed from [.noloc]`Kubernetes` `1.24`. Amazon EKS official AMIs have [.noloc]`containerd` as the only runtime. Before moving to Amazon EKS `1.24` or higher, you must remove any reference to bootstrap script flags that aren't supported anymore. You must also make sure that IP forwarding is enabled for your worker nodes. For more information, see <>. -* If you already have [.noloc]`Fluentd` configured for [.noloc]`Container Insights`, then you must migrate [.noloc]`Fluentd` to [.noloc]`Fluent Bit` before updating your cluster. The [.noloc]`Fluentd` parsers are configured to only parse log messages in JSON format. Unlike `dockerd`, the `containerd` container runtime has log messages that aren't in JSON format. If you don't migrate to [.noloc]`Fluent Bit`, some of the configured [.noloc]`Fluentd's` parsers will generate a massive amount of errors inside the [.noloc]`Fluentd` container. For more information on migrating, see link:AmazonCloudWatch/latest/monitoring/Container-Insights-setup-logs-FluentBit.html[Set up Fluent Bit as a DaemonSet to send logs to CloudWatch Logs,type="documentation"]. +* If you already have [.noloc]`Fluentd` configured for [.noloc]`Container Insights`, then you must migrate [.noloc]`Fluentd` to [.noloc]`Fluent Bit` before updating your cluster. The [.noloc]`Fluentd` parsers are configured to only parse log messages in JSON format. Unlike `dockerd`, the `containerd` container runtime has log messages that aren't in JSON format. If you don't migrate to [.noloc]`Fluent Bit`, some of the configured [.noloc]`Fluentd's` parsers will generate a massive amount of errors inside the [.noloc]`Fluentd` container. For more information on migrating, see link:AmazonCloudWatch/latest/monitoring/Container-Insights-setup-logs-FluentBit.html[Set up Fluent Bit as a DaemonSet to send logs to CloudWatch Logs,type="documentation"]. * In [.noloc]`Kubernetes` `1.23` and earlier, `kubelet` serving certificates with unverifiable IP and DNS Subject Alternative Names (SANs) are automatically issued with unverifiable SANs. These unverifiable SANs are omitted from the provisioned certificate. In version `1.24` and later clusters, `kubelet` serving certificates aren't issued if any SAN can't be verified. This prevents `kubectl` exec and `kubectl` logs commands from working. For more information, see <>. * When upgrading an Amazon EKS `1.23` cluster that uses [.noloc]`Fluent Bit`, you must make sure that it's running `k8s/1.3.12` or later. You can do this by reapplying the latest applicable [.noloc]`Fluent Bit` YAML file from [.noloc]`GitHub`. For more information, see link:AmazonCloudWatch/latest/monitoring/Container-Insights-setup-logs-FluentBit.html#Container-Insights-FluentBit-setup[Setting up Fluent Bit,type="documentation"] in the _Amazon CloudWatch User Guide_. diff --git a/latest/ug/clusters/kubernetes-versions-standard.adoc b/latest/ug/clusters/kubernetes-versions-standard.adoc index 66e420144..6d5b9b558 100644 --- a/latest/ug/clusters/kubernetes-versions-standard.adoc +++ b/latest/ug/clusters/kubernetes-versions-standard.adoc @@ -100,12 +100,12 @@ For the complete [.noloc]`Kubernetes` `1.31` changelog, see https://github.com/k * Starting with Amazon EKS version `1.30` or newer, any newly created managed node groups will automatically default to using Amazon Linux 2023 (AL2023) as the node operating system. Previously, new node groups would default to Amazon Linux 2 (AL2). You can continue to use AL2 by choosing it as the AMI type when creating a new node group. ** For information about migrating from AL2 to AL2023, see <>. -** For more information about Amazon Linux, see link:linux/al2023/ug/compare-with-al2.html[Comparing AL2 and AL2023,type="documentation"] in the Amazon Linux User Guide. +** For more information about Amazon Linux, see link:linux/al2023/ug/compare-with-al2.html[Comparing AL2 and AL2023,type="documentation"] in the Amazon Linux User Guide. ** For more information about specifiying the operating system for a managed node group, see <>. ==== -* With Amazon EKS `1.30`, the `topology.k8s.aws/zone-id` label is added to worker nodes. You can use Availability Zone IDs (AZ IDs) to determine the location of resources in one account relative to the resources in another account. For more information, see link:ram/latest/userguide/working-with-az-ids.html[Availability Zone IDs for your {aws} resources,type="documentation"] in the _{aws} RAM User Guide_. +* With Amazon EKS `1.30`, the `topology.k8s.aws/zone-id` label is added to worker nodes. You can use Availability Zone IDs (AZ IDs) to determine the location of resources in one account relative to the resources in another account. For more information, see link:ram/latest/userguide/working-with-az-ids.html[Availability Zone IDs for your {aws} resources,type="documentation"] in the _{aws} RAM User Guide_. * Starting with `1.30`, Amazon EKS no longer includes the `default` annotation on the `gp2 StorageClass` resource applied to newly created clusters. This has no impact if you are referencing this storage class by name. You must take action if you were relying on having a default `StorageClass` in the cluster. You should reference the `StorageClass` by the name `gp2`. Alternatively, you can deploy the Amazon EBS recommended default storage class by setting the `defaultStorageClass.enabled` parameter to true when installing `v1.31.0` or later of the `aws-ebs-csi-driver add-on`. * The minimum required IAM policy for the Amazon EKS cluster IAM role has changed. The action `ec2:DescribeAvailabilityZones` is required. For more information, see <>. diff --git a/latest/ug/clusters/kubernetes-versions.adoc b/latest/ug/clusters/kubernetes-versions.adoc index e9016010b..33f392705 100644 --- a/latest/ug/clusters/kubernetes-versions.adoc +++ b/latest/ug/clusters/kubernetes-versions.adoc @@ -196,7 +196,7 @@ No. A managed node group creates Amazon EC2 instances in your account. These ins *Are self-managed node groups automatically updated along with the cluster control plane version?*:: -No. A self-managed node group includes Amazon EC2 instances in your account. These instances aren't automatically upgraded when you or Amazon EKS update the control plane version on your behalf. A self-managed node group doesn't have any indication in the console that it needs updating. You can view the `kubelet` version installed on a node by selecting the node in the *Nodes* list on the *Overview* tab of your cluster to determine which nodes need updating. You must manually update the nodes. For more information, see <>. +No. A self-managed node group includes Amazon EC2 instances in your account. These instances aren't automatically upgraded when you or Amazon EKS update the control plane version on your behalf. A self-managed node group doesn't have any indication in the console that it needs updating. You can view the `kubelet` version installed on a node by selecting the node in the *Nodes* list on the *Overview* tab of your cluster to determine which nodes need updating. You must manually update the nodes. For more information, see <>. + The [.noloc]`Kubernetes` project tests compatibility between the control plane and nodes for up to three minor versions. For example, `{k8s-n-3}` nodes continue to operate when orchestrated by a `{k8s-n}` control plane. However, running a cluster with nodes that are persistently three minor versions behind the control plane isn't recommended. For more information, see https://kubernetes.io/docs/setup/version-skew-policy/[Kubernetes version and version skew support policy] in the [.noloc]`Kubernetes` documentation. We recommend maintaining the same [.noloc]`Kubernetes` version on your control plane and nodes. diff --git a/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc b/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc index 3e86d35f8..e0d075657 100644 --- a/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc +++ b/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc @@ -6,7 +6,7 @@ include::../../attributes.txt[] Amazon EKS provides an {aws} optimized bundle of [.noloc]`Kubecost` for cluster cost visibility. Amazon EKS supports [.noloc]`Kubecost`, which you can use to monitor your costs broken down by [.noloc]`Kubernetes` resources including [.noloc]`Pods`, nodes, namespaces, and labels. -This topic covers the available versions of [.noloc]`Kubecost`, and the differences between the available tiers. EKS supports [.noloc]`Kubecost` Version 1 and Version 2. Each version is available in different tiers. You can use _Amazon EKS optimized [.noloc]`Kubecost` custom bundle_ for your EKS clusters at no additional cost. You may be charged for use of associated {aws} services, such as Amazon Managed Service for Prometheus. Also, you can use your existing {aws} support agreements to obtain support. +This topic covers the available versions of [.noloc]`Kubecost`, and the differences between the available tiers. EKS supports [.noloc]`Kubecost` Version 1 and Version 2. Each version is available in different tiers. You can use _Amazon EKS optimized [.noloc]`Kubecost` custom bundle_ for your EKS clusters at no additional cost. You may be charged for use of associated {aws} services, such as Amazon Managed Service for Prometheus. Also, you can use your existing {aws} support agreements to obtain support. As a [.noloc]`Kubernetes` platform administrator and finance leader, you can use [.noloc]`Kubecost` to visualize a breakdown of Amazon EKS charges, allocate costs, and charge back organizational units such as application teams. You can provide your internal teams and business units with transparent and accurate cost data based on their actual {aws} bill. Moreover, you can also get customized recommendations for cost optimization based on their infrastructure environment and usage patterns within their clusters. For more information about [.noloc]`Kubecost`, see the https://guide.kubecost.com[Kubecost] documentation. @@ -324,7 +324,7 @@ No. image::images/kubecost-architecture.png[Kubecost architecture,scaledwidth=100%] + With https://prometheus.io/[Prometheus] pre-installed, you can write queries to ingest [.noloc]`Kubecost` data into your current business intelligence system for further analysis. You can also use it as a data source for your current https://grafana.com/[Grafana] dashboard to display Amazon EKS cluster costs that your internal teams are familiar with. To learn more about how to write [.noloc]`Prometheus` queries, see the https://github.com/opencost/opencost/blob/develop/PROMETHEUS.md[Prometheus Configuration]``readme`` file on GitHub or use the example [.noloc]`Grafana` JSON models in the https://github.com/kubecost/cost-analyzer-helm-chart/tree/develop/cost-analyzer[Kubecost Github repository] as references. -* *{aws} Cost and Usage Report integration* – To perform cost allocation calculations for your Amazon EKS cluster, [.noloc]`Kubecost` retrieves the public pricing information of {aws} services and {aws} resources from the {aws} Price List API. You can also integrate [.noloc]`Kubecost` with *{aws} Cost and Usage Report*:: +* *{aws} Cost and Usage Report integration* – To perform cost allocation calculations for your Amazon EKS cluster, [.noloc]`Kubecost` retrieves the public pricing information of {aws} services and {aws} resources from the {aws} Price List API. You can also integrate [.noloc]`Kubecost` with *{aws} Cost and Usage Report*:: to enhance the accuracy of the pricing information specific to your {aws} account. This information includes enterprise discount programs, reserved instance usage, savings plans, and spot usage. To learn more about how the {aws} Cost and Usage Report integration works, see https://docs.kubecost.com/install-and-configure/install/cloud-integration/aws-cloud-integrations[{aws} Cloud Billing Integration] in the [.noloc]`Kubecost` documentation. diff --git a/latest/ug/clusters/management/cost-monitoring-kubecost.adoc b/latest/ug/clusters/management/cost-monitoring-kubecost.adoc index e2c59df34..afca64398 100644 --- a/latest/ug/clusters/management/cost-monitoring-kubecost.adoc +++ b/latest/ug/clusters/management/cost-monitoring-kubecost.adoc @@ -40,7 +40,7 @@ Amazon EKS Add-ons reduce the complexity of upgrading Kubecost, and managing lic aws eks create-addon --addon-name kubecost_kubecost --cluster-name $YOUR_CLUSTER_NAME --region $AWS_REGION ---- -Learn how to <>, such as Kubecost. +Learn how to <>, such as Kubecost. [#kubecost-helm] == Install Kubecost using Helm @@ -96,7 +96,7 @@ kubecost-prometheus-server-7d9967bfc8-9c8p7 2/2 Running 0 3h27m kubectl port-forward --namespace kubecost deployment/kubecost-cost-analyzer 9090 ---- + -Alternatively, you can use the <> to expose [.noloc]`Kubecost` and use Amazon Cognito for authentication, authorization, and user management. For more information, see link:containers/how-to-use-application-load-balancer-and-amazon-cognito-to-authenticate-users-for-your-kubernetes-web-apps[How to use Application Load Balancer and Amazon Cognito to authenticate users for your Kubernetes web apps,type="blog"]. +Alternatively, you can use the <> to expose [.noloc]`Kubecost` and use Amazon Cognito for authentication, authorization, and user management. For more information, see link:containers/how-to-use-application-load-balancer-and-amazon-cognito-to-authenticate-users-for-your-kubernetes-web-apps[How to use Application Load Balancer and Amazon Cognito to authenticate users for your Kubernetes web apps,type="blog"]. . On the same device that you completed the previous step on, open a web browser and enter the following address. + [source,bash,subs="verbatim,attributes"] diff --git a/latest/ug/clusters/management/eks-using-tags.adoc b/latest/ug/clusters/management/eks-using-tags.adoc index 1ac0b37fc..4f190c5c1 100644 --- a/latest/ug/clusters/management/eks-using-tags.adoc +++ b/latest/ug/clusters/management/eks-using-tags.adoc @@ -11,7 +11,7 @@ include::../../attributes.txt[] Learn how to use tags to categorize and manage your Amazon EKS resources like clusters, managed node groups, and Fargate profiles for billing, cost allocation, and resource identification. -- -You can use _tags_ to help you manage your Amazon EKS resources. This topic provides an overview of the tags function and shows how you can create tags. +You can use _tags_ to help you manage your Amazon EKS resources. This topic provides an overview of the tags function and shows how you can create tags. [.topiclist] [[Topic List]] @@ -31,7 +31,7 @@ Tags are a type of metadata that's separate from [.noloc]`Kubernetes` labels and [#tag-basics] == Tag basics -A tag is a label that you assign to an {aws} resource. Each tag consists of a _key_ and an optional _value_. +A tag is a label that you assign to an {aws} resource. Each tag consists of a _key_ and an optional _value_. With tags, you can categorize your {aws} resources. For example, you can categorize resources by purpose, owner, or environment. When you have many resources of the same type, you can use the tags that you assigned to a specific resource to quickly identify that resource. For example, you can define a set of tags for your Amazon EKS clusters to help you track each cluster's owner and stack level. We recommend that you devise a consistent set of tag keys for each resource type. You can then search and filter the resources based on the tags that you add. @@ -58,7 +58,7 @@ You can tag these resources using the following: * If you're using the Amazon EKS console, you can apply tags to new or existing resources at any time. You can do this by using the *Tags* tab on the relevant resource page. For more information, see <>. * If you're using `eksctl`, you can apply tags to resources when they're created using the `--tags` option. -* If you're using the {aws} CLI, the Amazon EKS API, or an {aws} SDK, you can apply tags to new resources using the `tags` parameter on the relevant API action. You can apply tags to existing resources using the `TagResource` API action. For more information, see link:eks/latest/APIReference/API_TagResource.html[TagResource,type="documentation"]. +* If you're using the {aws} CLI, the Amazon EKS API, or an {aws} SDK, you can apply tags to new resources using the `tags` parameter on the relevant API action. You can apply tags to existing resources using the `TagResource` API action. For more information, see link:eks/latest/APIReference/API_TagResource.html[TagResource,type="documentation"]. When you use some resource-creating actions, you can also specify tags for the resource at the same time that you create it. If tags can't be applied while the resource is being created, the resource fails to be created. This mechanism ensures that resources that you intend to tag are either created with the tags that you specify or not created at all. If you tag resources when you create them, you don't need to run custom tagging scripts after you create the resource. @@ -81,7 +81,7 @@ The following restrictions apply to tags: [#tag-resources-for-billing] == Tagging your resources for billing -When you apply tags to Amazon EKS clusters, you can use them for cost allocation in your *Cost & Usage Reports*. The metering data in your *Cost & Usage Reports* shows usage across all of your Amazon EKS clusters. For more information, see link:awsaccountbilling/latest/aboutv2/billing-reports-costusage.html[{aws} cost and usage report,type="documentation"] in the _{aws} Billing User Guide_. +When you apply tags to Amazon EKS clusters, you can use them for cost allocation in your *Cost & Usage Reports*. The metering data in your *Cost & Usage Reports* shows usage across all of your Amazon EKS clusters. For more information, see link:awsaccountbilling/latest/aboutv2/billing-reports-costusage.html[{aws} cost and usage report,type="documentation"] in the _{aws} Billing User Guide_. The {aws} generated cost allocation tag, specifically `aws:eks:cluster-name`, lets you break down Amazon EC2 instance costs by individual Amazon EKS cluster in *Cost Explorer*. However, this tag doesn't capture the control plane expenses. The tag is automatically added to Amazon EC2 instances that participate in an Amazon EKS cluster. This behavior happens regardless of whether the instances are provisioned using Amazon EKS managed node groups, [.noloc]`Karpenter`, or directly with Amazon EC2. This specific tag doesn't count towards the 50 tags limit. To use the tag, the account owner must activate it in the {aws} Billing console or by using the API. When an {aws} Organizations management account owner activates the tag, it's also activated for all organization member accounts. @@ -94,14 +94,14 @@ If you just enabled reporting, data for the current month is available for viewi ==== -*Cost Explorer* is a reporting tool that's available as part of the {aws} Free Tier. You can use *Cost Explorer* to view charts of your Amazon EKS resources from the last 13 months. You can also forecast how much you're likely to spend for the next three months. You can see patterns in how much you spend on {aws} resources over time. For example, you can use it to identify areas that need further inquiry and see trends that you can use to understand your costs. You also can specify time ranges for the data, and view time data by day or by month. +*Cost Explorer* is a reporting tool that's available as part of the {aws} Free Tier. You can use *Cost Explorer* to view charts of your Amazon EKS resources from the last 13 months. You can also forecast how much you're likely to spend for the next three months. You can see patterns in how much you spend on {aws} resources over time. For example, you can use it to identify areas that need further inquiry and see trends that you can use to understand your costs. You also can specify time ranges for the data, and view time data by day or by month. [#tag-resources-console] == Working with tags using the console Using the Amazon EKS console, you can manage the tags that are associated with new or existing clusters and managed node groups. -When you select a resource-specific page in the Amazon EKS console, the page displays a list of those resources. For example, if you select *Clusters* from the left navigation pane, the console displays a list of Amazon EKS clusters. When you select a resource from one of these lists (for example, a specific cluster) that supports tags, you can view and manage its tags on the *Tags* tab. +When you select a resource-specific page in the Amazon EKS console, the page displays a list of those resources. For example, if you select *Clusters* from the left navigation pane, the console displays a list of Amazon EKS clusters. When you select a resource from one of these lists (for example, a specific cluster) that supports tags, you can view and manage its tags on the *Tags* tab. You can also use *Tag Editor* in the {aws-management-console}, which provides a unified way to manage your tags. For more information, see link:ARG/latest/userguide/tag-editor.html[Tagging your {aws} resources with Tag Editor,type="documentation"] in the _{aws} Tag Editor User Guide_. @@ -119,7 +119,7 @@ You can add or delete the tags that are associated with your clusters directly f . On the navigation bar, select the {aws} Region to use. . In the left navigation pane, choose *Clusters*. . Choose a specific cluster. -. Choose the *Tags* tab, and then choose *Manage tags*. +. Choose the *Tags* tab, and then choose *Manage tags*. . On the *Manage tags* page, add or delete your tags as necessary. + ** To add a tag, choose *Add tag*. Then specify the key and value for each tag. @@ -208,7 +208,7 @@ When you use some resource-creating actions, you can specify tags at the same ti |`create fargateprofile` |=== -* If you want to also tag the Amazon EC2 instances when you create a managed node group, create the managed node group using a launch template. For more information, see <>. If your instances already exist, you can manually tag the instances. For more information, see link:AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources[Tagging your resources,type="documentation"] in the Amazon EC2 User Guide. +* If you want to also tag the Amazon EC2 instances when you create a managed node group, create the managed node group using a launch template. For more information, see <>. If your instances already exist, you can manually tag the instances. For more information, see link:AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources[Tagging your resources,type="documentation"] in the Amazon EC2 User Guide. 📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-using-tags%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/management/metrics-server.adoc b/latest/ug/clusters/management/metrics-server.adoc index f0b789f99..0113b7b6b 100644 --- a/latest/ug/clusters/management/metrics-server.adoc +++ b/latest/ug/clusters/management/metrics-server.adoc @@ -10,7 +10,7 @@ include::../../attributes.txt[] Use the Kubernetes Metrics Server to view resource usage data on your Amazon EKS cluster for autoscaling and monitoring. -- -The [.noloc]`Kubernetes` Metrics Server is an aggregator of resource usage data in your cluster, and it isn't deployed by default in Amazon EKS clusters. For more information, see https://github.com/kubernetes-sigs/metrics-server[Kubernetes Metrics Server] on [.noloc]`GitHub`. The Metrics Server is commonly used by other [.noloc]`Kubernetes` add ons, such as the <> or the <>. For more information, see https://kubernetes.io/docs/tasks/debug/debug-cluster/resource-metrics-pipeline/[Resource metrics pipeline] in the [.noloc]`Kubernetes` documentation. This topic explains how to deploy the [.noloc]`Kubernetes` Metrics Server on your Amazon EKS cluster. +The [.noloc]`Kubernetes` Metrics Server is an aggregator of resource usage data in your cluster, and it isn't deployed by default in Amazon EKS clusters. For more information, see https://github.com/kubernetes-sigs/metrics-server[Kubernetes Metrics Server] on [.noloc]`GitHub`. The Metrics Server is commonly used by other [.noloc]`Kubernetes` add ons, such as the <> or the <>. For more information, see https://kubernetes.io/docs/tasks/debug/debug-cluster/resource-metrics-pipeline/[Resource metrics pipeline] in the [.noloc]`Kubernetes` documentation. This topic explains how to deploy the [.noloc]`Kubernetes` Metrics Server on your Amazon EKS cluster. [IMPORTANT] ==== diff --git a/latest/ug/clusters/management/service-quotas.adoc b/latest/ug/clusters/management/service-quotas.adoc index cc5443dab..effbbc878 100644 --- a/latest/ug/clusters/management/service-quotas.adoc +++ b/latest/ug/clusters/management/service-quotas.adoc @@ -18,11 +18,11 @@ Amazon EKS has integrated with Service Quotas, an {aws} service that you can use . Open the link:servicequotas/home/services/eks/quotas["Service Quotas console",type="console"]. . In the left navigation pane, choose *{aws} services*. -. From the *{aws} services* list, search for and select *Amazon Elastic Kubernetes Service (Amazon EKS)* or *{aws} Fargate*. +. From the *{aws} services* list, search for and select *Amazon Elastic Kubernetes Service (Amazon EKS)* or *{aws} Fargate*. + In the *Service quotas* list, you can see the service quota name, applied value (if it's available), {aws} default quota, and whether the quota value is adjustable. . To view additional information about a service quota, such as the description, choose the quota name. -. (Optional) To request a quota increase, select the quota that you want to increase, select *Request quota increase*, enter or select the required information, and select *Request*. +. (Optional) To request a quota increase, select the quota that you want to increase, select *Request quota increase*, enter or select the required information, and select *Request*. To work more with service quotas using the {aws-management-console}, see the link:servicequotas/latest/userguide/intro.html[Service Quotas User Guide,type="documentation"]. To request a quota increase, see link:servicequotas/latest/userguide/request-quota-increase.html[Requesting a Quota Increase,type="documentation"] in the _Service Quotas User Guide_. @@ -62,7 +62,7 @@ To work more with service quotas using the {aws} CLI, see link:cli/latest/refere To view the default EKS service quotas, see link:general/latest/gr/eks.html#limits_eks["Amazon Elastic Kubernetes Service endpoints and quotas",type="documentation"] in the _{aws} General Reference_. -These service quotas are listed under *Amazon Elastic Kubernetes Service (Amazon EKS)* in the Service Quotas console. To request a quota increase for values that are shown as adjustable, see link:servicequotas/latest/userguide/request-quota-increase.html[Requesting a quota increase,type="documentation"] in the _Service Quotas User Guide_. +These service quotas are listed under *Amazon Elastic Kubernetes Service (Amazon EKS)* in the Service Quotas console. To request a quota increase for values that are shown as adjustable, see link:servicequotas/latest/userguide/request-quota-increase.html[Requesting a quota increase,type="documentation"] in the _Service Quotas User Guide_. [NOTE] ==== @@ -75,7 +75,7 @@ The following quotas aren't available in Service Quotas: [#service-quotas-eks-fargate] == {aws} Fargate service quotas -The *{aws} Fargate* service in the Service Quotas console lists several service quotas. You can configure alarms that alert you when your usage approaches a service quota. For more information, see <>. +The *{aws} Fargate* service in the Service Quotas console lists several service quotas. You can configure alarms that alert you when your usage approaches a service quota. For more information, see <>. New {aws} accounts might have lower initial quotas that can increase over time. Fargate constantly monitors the account usage within each {aws} Region, and then automatically increases the quotas based on the usage. You can also request a quota increase for values that are shown as adjustable. For more information, see link:servicequotas/latest/userguide/request-quota-increase.html[Requesting a quota increase,type="documentation"] in the _Service Quotas User Guide_. diff --git a/latest/ug/clusters/platform-versions.adoc b/latest/ug/clusters/platform-versions.adoc index 2fb3a3c77..e4413e5ce 100644 --- a/latest/ug/clusters/platform-versions.adoc +++ b/latest/ug/clusters/platform-versions.adoc @@ -5,7 +5,7 @@ include::../attributes.txt[] -Amazon EKS platform versions represent the capabilities of the Amazon EKS cluster control plane, such as which [.noloc]`Kubernetes` API server flags are enabled, as well as the current [.noloc]`Kubernetes` patch version. Each [.noloc]`Kubernetes` minor version has one or more associated Amazon EKS platform versions. The platform versions for different [.noloc]`Kubernetes` minor versions are independent. You can <> using the {aws} CLI or {aws-management-console}. If you have a local cluster on {aws} Outposts, see <> instead of this topic. +Amazon EKS platform versions represent the capabilities of the Amazon EKS cluster control plane, such as which [.noloc]`Kubernetes` API server flags are enabled, as well as the current [.noloc]`Kubernetes` patch version. Each [.noloc]`Kubernetes` minor version has one or more associated Amazon EKS platform versions. The platform versions for different [.noloc]`Kubernetes` minor versions are independent. You can <> using the {aws} CLI or {aws-management-console}. If you have a local cluster on {aws} Outposts, see <> instead of this topic. When a new [.noloc]`Kubernetes` minor version is available in Amazon EKS, such as {k8s-n}, the initial Amazon EKS platform version for that [.noloc]`Kubernetes` minor version starts at `eks.1`. However, Amazon EKS releases new platform versions periodically to enable new [.noloc]`Kubernetes` control plane settings and to provide security fixes. @@ -888,7 +888,7 @@ The following admission controllers are enabled for all `1.24` platform versions . In the navigation pane, choose *Clusters*. . In the list of clusters, choose the *Cluster Name* to check the platform version of. . Choose the *Overview* tab. -. The *Platform Version* is available under in the *Details* section. +. The *Platform Version* is available under in the *Details* section. . Determine the *Name* of the cluster you want to check the platform version of. . Run the following command: + diff --git a/latest/ug/clusters/private-clusters.adoc b/latest/ug/clusters/private-clusters.adoc index cc1af25cc..f78d6f150 100644 --- a/latest/ug/clusters/private-clusters.adoc +++ b/latest/ug/clusters/private-clusters.adoc @@ -62,8 +62,8 @@ NOTE: If you're using custom service CIDR, then you need to specify it using the + For additional arguments, see <>. * Your cluster's `aws-auth` `ConfigMap` must be created from within your VPC. For more information about creating and adding entries to the `aws-auth` `ConfigMap`, enter `eksctl create iamidentitymapping --help` in your terminal. If the `ConfigMap` doesn't exist on your server, `eksctl` will create it when you use the command to add an identity mapping. -* [.noloc]`Pods` configured with <> acquire credentials from an {aws} Security Token Service ({aws} STS) API call. If there is no outbound internet access, you must create and use an {aws} STS VPC endpoint in your VPC. Most {aws} `v1` SDKs use the global {aws} STS endpoint by default (`sts.amazonaws.com`), which doesn't use the {aws} STS VPC endpoint. To use the {aws} STS VPC endpoint, you might need to configure your SDK to use the regional {aws} STS endpoint (``sts.[.replaceable]`region-code`.amazonaws.com``). For more information, see <>. -* Your cluster's VPC subnets must have a VPC interface endpoint for any {aws} services that your [.noloc]`Pods` need access to. For more information, see link:vpc/latest/privatelink/create-interface-endpoint.html[Access an {aws} service using an interface VPC endpoint,type="documentation"]. Some commonly-used services and endpoints are listed in the following table. For a complete list of endpoints, see link:vpc/latest/privatelink/aws-services-privatelink-support.html[{aws} services that integrate with {aws} PrivateLink,type="documentation"] in the link:vpc/latest/privatelink/[{aws} PrivateLink Guide,type="documentation"]. +* [.noloc]`Pods` configured with <> acquire credentials from an {aws} Security Token Service ({aws} STS) API call. If there is no outbound internet access, you must create and use an {aws} STS VPC endpoint in your VPC. Most {aws} `v1` SDKs use the global {aws} STS endpoint by default (`sts.amazonaws.com`), which doesn't use the {aws} STS VPC endpoint. To use the {aws} STS VPC endpoint, you might need to configure your SDK to use the regional {aws} STS endpoint (``sts.[.replaceable]`region-code`.amazonaws.com``). For more information, see <>. +* Your cluster's VPC subnets must have a VPC interface endpoint for any {aws} services that your [.noloc]`Pods` need access to. For more information, see link:vpc/latest/privatelink/create-interface-endpoint.html[Access an {aws} service using an interface VPC endpoint,type="documentation"]. Some commonly-used services and endpoints are listed in the following table. For a complete list of endpoints, see link:vpc/latest/privatelink/aws-services-privatelink-support.html[{aws} services that integrate with {aws} PrivateLink,type="documentation"] in the link:vpc/latest/privatelink/[{aws} PrivateLink Guide,type="documentation"]. + We recommend that you link:vpc/latest/privatelink/interface-endpoints.html#enable-private-dns-names[enable private DNS names,type="documentation"] for your VPC endpoints, that way workloads can continue using public {aws} service endpoints without issues. + @@ -94,7 +94,7 @@ We recommend that you link:vpc/latest/privatelink/interface-endpoints.html#enabl * Any self-managed nodes must be deployed to subnets that have the VPC interface endpoints that you require. If you create a managed node group, the VPC interface endpoint security group must allow the CIDR for the subnets, or you must add the created node security group to the VPC interface endpoint security group. -* If your [.noloc]`Pods` use Amazon EFS volumes, then before deploying the <>, the driver's https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/deploy/kubernetes/overlays/stable/kustomization.yaml[kustomization.yaml] file must be changed to set the container images to use the same {aws} Region as the Amazon EKS cluster. +* If your [.noloc]`Pods` use Amazon EFS volumes, then before deploying the <>, the driver's https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/deploy/kubernetes/overlays/stable/kustomization.yaml[kustomization.yaml] file must be changed to set the container images to use the same {aws} Region as the Amazon EKS cluster. * Route53 does not support {aws} PrivateLink. You cannot manage Route53 DNS records from a private Amazon EKS cluster. This impacts Kubernetes https://github.com/kubernetes-sigs/external-dns[external-dns]. * You can use the <> to deploy {aws} Application Load Balancers (ALB) and Network Load Balancers to your private cluster. When deploying it, you should use https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/deploy/configurations/#controller-command-line-flags[command line flags] to set `enable-shield`, `enable-waf`, and `enable-wafv2` to false. https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/ingress/cert_discovery/#discover-via-ingress-rule-host[Certificate discovery] with hostnames from Ingress objects isn't supported. This is because the controller needs to reach {aws} Certificate Manager, which doesn't have a VPC interface endpoint. + diff --git a/latest/ug/clusters/update-cluster.adoc b/latest/ug/clusters/update-cluster.adoc index c0f7c946d..ee463d661 100644 --- a/latest/ug/clusters/update-cluster.adoc +++ b/latest/ug/clusters/update-cluster.adoc @@ -15,7 +15,7 @@ When a new [.noloc]`Kubernetes` version is available in Amazon EKS, you can upda [IMPORTANT] ==== -Once you upgrade a cluster, you can't downgrade to a previous version. We recommend that, before you update to a new [.noloc]`Kubernetes` version, you review the information in <> and also review in the update steps in this topic. +Once you upgrade a cluster, you can't downgrade to a previous version. We recommend that, before you update to a new [.noloc]`Kubernetes` version, you review the information in <> and also review in the update steps in this topic. ==== @@ -92,7 +92,7 @@ kubectl edit configmap coredns -n kube-system -o yaml Review the https://kubernetes.io/docs/reference/using-api/deprecation-guide/[Deprecated API Migration Guide] in the Kubernetes docs. * If you're updating to version `1.23` and use Amazon EBS volumes in your cluster, then you must install the Amazon EBS CSI driver in your cluster before updating your cluster to version `1.23` to avoid workload disruptions. For more information, see <> and <>. -* Kubernetes `1.24` and later use `containerd` as the default container runtime. If you're switching to the `containerd` runtime and already have [.noloc]`Fluentd` configured for [.noloc]`Container Insights`, then you must migrate [.noloc]`Fluentd` to [.noloc]`Fluent Bit` before updating your cluster. The [.noloc]`Fluentd` parsers are configured to only parse log messages in JSON format. Unlike `dockerd`, the `containerd` container runtime has log messages that aren't in JSON format. If you don't migrate to [.noloc]`Fluent Bit`, some of the configured [.noloc]`Fluentd's` parsers will generate a massive amount of errors inside the [.noloc]`Fluentd` container. For more information on migrating, see link:AmazonCloudWatch/latest/monitoring/Container-Insights-setup-logs-FluentBit.html[Set up Fluent Bit as a DaemonSet to send logs to CloudWatch Logs,type="documentation"]. +* Kubernetes `1.24` and later use `containerd` as the default container runtime. If you're switching to the `containerd` runtime and already have [.noloc]`Fluentd` configured for [.noloc]`Container Insights`, then you must migrate [.noloc]`Fluentd` to [.noloc]`Fluent Bit` before updating your cluster. The [.noloc]`Fluentd` parsers are configured to only parse log messages in JSON format. Unlike `dockerd`, the `containerd` container runtime has log messages that aren't in JSON format. If you don't migrate to [.noloc]`Fluent Bit`, some of the configured [.noloc]`Fluentd's` parsers will generate a massive amount of errors inside the [.noloc]`Fluentd` container. For more information on migrating, see link:AmazonCloudWatch/latest/monitoring/Container-Insights-setup-logs-FluentBit.html[Set up Fluent Bit as a DaemonSet to send logs to CloudWatch Logs,type="documentation"]. ** Because Amazon EKS runs a highly available control plane, you can update only one minor version at a time. For more information about this requirement, see https://kubernetes.io/docs/setup/version-skew-policy/#kube-apiserver[Kubernetes Version and Version Skew Support Policy]. Assume that your current cluster version is version `1.28` and you want to update it to version `1.30`. You must first update your version `1.28` cluster to version `1.29` and then update your version `1.29` cluster to version `1.30`. * Review the version skew between the [.noloc]`Kubernetes` `kube-apiserver` and the `kubelet` on your nodes. + @@ -139,8 +139,8 @@ Continue to <> . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. . Choose the name of the Amazon EKS cluster to update and choose *Update cluster version*. -. For *[.noloc]`Kubernetes` version*, select the version to update your cluster to and choose *Update*. -. For *Cluster name*, enter the name of your cluster and choose *Confirm*. +. For *[.noloc]`Kubernetes` version*, select the version to update your cluster to and choose *Update*. +. For *Cluster name*, enter the name of your cluster and choose *Confirm*. + The update takes several minutes to complete. . Continue to <> @@ -234,7 +234,7 @@ kubectl apply -f https://raw.githubusercontent.com/NVIDIA/k8s-device-plugin/vX.X ---- . Update the [.noloc]`Amazon VPC CNI plugin for Kubernetes`, [.noloc]`CoreDNS`, and `kube-proxy` add-ons. We recommend updating the add-ons to the minimum versions listed in <>. + -** If you are using Amazon EKS add-ons, select *Clusters* in the Amazon EKS console, then select the name of the cluster that you updated in the left navigation pane. Notifications appear in the console. They inform you that a new version is available for each add-on that has an available update. To update an add-on, select the *Add-ons* tab. In one of the boxes for an add-on that has an update available, select *Update now*, select an available version, and then select *Update*. +** If you are using Amazon EKS add-ons, select *Clusters* in the Amazon EKS console, then select the name of the cluster that you updated in the left navigation pane. Notifications appear in the console. They inform you that a new version is available for each add-on that has an available update. To update an add-on, select the *Add-ons* tab. In one of the boxes for an add-on that has an update available, select *Update now*, select an available version, and then select *Update*. ** Alternately, you can use the {aws} CLI or `eksctl` to update add-ons. For more information, see <>. . If necessary, update your version of `kubectl`. You must use a `kubectl` version that is within one minor version difference of your Amazon EKS cluster control plane. diff --git a/latest/ug/clusters/view-support-status.adoc b/latest/ug/clusters/view-support-status.adoc index e58315d88..37269058e 100644 --- a/latest/ug/clusters/view-support-status.adoc +++ b/latest/ug/clusters/view-support-status.adoc @@ -5,18 +5,18 @@ include::../attributes.txt[] -The *cluster support period* section of the {aws} console indicates if your cluster is _currently_ on standard or extended support. If your cluster support period is *Extended support*, you are being charged for EKS extended support. +The *cluster support period* section of the {aws} console indicates if your cluster is _currently_ on standard or extended support. If your cluster support period is *Extended support*, you are being charged for EKS extended support. For more information about standard and extended support, see <>. . Navigate to the *Clusters* page in the EKS section of the {aws} Console. Confirm the console is set to the same {aws} region as the cluster you want to review. -. Review the *Support Period* column. If the value is *Standard support until...*, you are not currently being charged for extended support. You are within the standard support period. If the value is *Extended support...* this cluster is currently being charged for extended support. +. Review the *Support Period* column. If the value is *Standard support until...*, you are not currently being charged for extended support. You are within the standard support period. If the value is *Extended support...* this cluster is currently being charged for extended support. [NOTE] ==== -The *Support Period* cannot be retrieved with the {aws} API or CLI. +The *Support Period* cannot be retrieved with the {aws} API or CLI. ==== diff --git a/latest/ug/clusters/view-upgrade-policy.adoc b/latest/ug/clusters/view-upgrade-policy.adoc index 7a5fb7286..c8257365e 100644 --- a/latest/ug/clusters/view-upgrade-policy.adoc +++ b/latest/ug/clusters/view-upgrade-policy.adoc @@ -5,7 +5,7 @@ include::../attributes.txt[] -The *cluster upgrade policy* determines what happens to your cluster when it leaves the standard support period. If your upgrade policy is `EXTENDED`, the cluster will not be automatically upgraded, and will enter extended support. If your upgrade policy is `STANDARD`, it will be automatically upgraded. +The *cluster upgrade policy* determines what happens to your cluster when it leaves the standard support period. If your upgrade policy is `EXTENDED`, the cluster will not be automatically upgraded, and will enter extended support. If your upgrade policy is `STANDARD`, it will be automatically upgraded. Amazon EKS controls for [.noloc]`Kubernetes` version policy allows you to choose the end of standard support behavior for your EKS clusters. With these controls you can decide which clusters should enter extended support and which clusters should be automatically upgraded at the end of standard support for a [.noloc]`Kubernetes` version. @@ -34,12 +34,12 @@ For example, if you have set your version support policy as `standard` then you [#view-period-console] == View cluster upgrade policy ({aws} Console) . Navigate to the *Clusters* page in the EKS section of the {aws} Console. Confirm the console is set to the same {aws} region as the cluster you want to review. -. Review the *Upgrade Policy* column. If the value is *Standard Support*, your cluster will not enter extended support. If the value is *Extended Support*, your cluster will enter extended support. +. Review the *Upgrade Policy* column. If the value is *Standard Support*, your cluster will not enter extended support. If the value is *Extended Support*, your cluster will enter extended support. [#view-period-cli] == View cluster upgrade policy ({aws} CLI) -. Verify the {aws} CLI is installed and you are logged in. link:cli/latest/userguide/getting-started-install.html[Learn how to update and install the {aws} CLI.,type="documentation"] +. Verify the {aws} CLI is installed and you are logged in. link:cli/latest/userguide/getting-started-install.html[Learn how to update and install the {aws} CLI.,type="documentation"] . Determine the name of your EKS cluster. Set the CLI to the same {aws} region as your EKS cluster. . Run the following command: + diff --git a/latest/ug/clusters/windows-support.adoc b/latest/ug/clusters/windows-support.adoc index 0ee8d4383..66c485da2 100644 --- a/latest/ug/clusters/windows-support.adoc +++ b/latest/ug/clusters/windows-support.adoc @@ -20,7 +20,7 @@ Before deploying [.noloc]`Windows` nodes, be aware of the following consideratio * You can't use <> with [.noloc]`Pods` running on [.noloc]`Windows` nodes. * You can't use <> with [.noloc]`Windows` nodes. * You can't use `IPv6` with [.noloc]`Windows` nodes. -* [.noloc]`Windows` nodes support one elastic network interface per node. By default, the number of [.noloc]`Pods` that you can run per [.noloc]`Windows` node is equal to the number of IP addresses available per elastic network interface for the node's instance type, minus one. For more information, see link:AWSEC2/latest/WindowsGuide/using-eni.html#AvailableIpPerENI[IP addresses per network interface per instance type,type="documentation"] in the _Amazon EC2 User Guide_. +* [.noloc]`Windows` nodes support one elastic network interface per node. By default, the number of [.noloc]`Pods` that you can run per [.noloc]`Windows` node is equal to the number of IP addresses available per elastic network interface for the node's instance type, minus one. For more information, see link:AWSEC2/latest/WindowsGuide/using-eni.html#AvailableIpPerENI[IP addresses per network interface per instance type,type="documentation"] in the _Amazon EC2 User Guide_. * In an Amazon EKS cluster, a single service with a load balancer can support up to 1024 back-end [.noloc]`Pods`. Each [.noloc]`Pod` has its own unique IP address. The previous limit of 64 [.noloc]`Pods` is no longer the case, after https://github.com/microsoft/Windows-Containers/issues/93[a Windows Server update] starting with https://support.microsoft.com/en-us/topic/march-22-2022-kb5011551-os-build-17763-2746-preview-690a59cd-059e-40f4-87e8-e9139cc65de4[OS Build 17763.2746]. * Windows containers aren't supported for Amazon EKS [.noloc]`Pods` on Fargate. * You can't use Amazon EKS Hybrid Nodes with Windows as the operating system for the host. @@ -64,7 +64,7 @@ An example output is as follows. ---- + If the policy is attached, as it is in the previous output, skip the next step. -. Attach the *link:aws-managed-policy/latest/reference/AmazonEKSVPCResourceController.html[AmazonEKSVPCResourceController,type="documentation"]* managed policy to your <>. Replace [.replaceable]`eksClusterRole` with your cluster role name. +. Attach the *link:aws-managed-policy/latest/reference/AmazonEKSVPCResourceController.html[AmazonEKSVPCResourceController,type="documentation"]* managed policy to your <>. Replace [.replaceable]`eksClusterRole` with your cluster role name. + [source,bash,subs="verbatim,attributes"] ---- @@ -143,7 +143,7 @@ nodeSelector: kubernetes.io/arch: amd64 ---- -You can deploy a <> to see the node selectors in use. +You can deploy a <> to see the node selectors in use. [#windows-support-pod-density] == Support higher [.noloc]`Pod` density on Windows nodes diff --git a/latest/ug/connector/connecting-cluster.adoc b/latest/ug/connector/connecting-cluster.adoc index 6232103ad..9452a64f4 100644 --- a/latest/ug/connector/connecting-cluster.adoc +++ b/latest/ug/connector/connecting-cluster.adoc @@ -82,11 +82,11 @@ You use the `aws-region`, `activationId`, and `activationCode` values in the nex === {aws-management-console} [[console_register_cluster_connect]] . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. -. Choose *Add cluster* and select *Register* to bring up the configuration page. +. Choose *Add cluster* and select *Register* to bring up the configuration page. . On the *Configure cluster* section, fill in the following fields: + *** *Name* – A unique name for your cluster. -*** *Provider* – Choose to display the dropdown list of [.noloc]`Kubernetes` cluster providers. If you don't know the specific provider, select *Other*. +*** *Provider* – Choose to display the dropdown list of [.noloc]`Kubernetes` cluster providers. If you don't know the specific provider, select *Other*. *** *EKS Connector role* – Select the role to use for connecting the cluster. . Select *Register cluster*. . The Cluster overview page displays. If you want to use the Helm chart, copy the `helm install` command and continue to the next step. If you want to use the YAML manifest, choose *Download YAML file* to download the manifest file to your local drive. @@ -209,7 +209,7 @@ The output should include `status=ACTIVE`. If you have any issues with these steps, see <>. -To grant additional link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"] access to the Amazon EKS console to view [.noloc]`Kubernetes` resources in a connected cluster, see <>. +To grant additional link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"] access to the Amazon EKS console to view [.noloc]`Kubernetes` resources in a connected cluster, see <>. 📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23connecting-cluster%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/connector/connector-grant-access.adoc b/latest/ug/connector/connector-grant-access.adoc index f07c999da..b4defcffc 100644 --- a/latest/ug/connector/connector-grant-access.adoc +++ b/latest/ug/connector/connector-grant-access.adoc @@ -10,12 +10,12 @@ include::../attributes.txt[] Learn to grant IAM principals access to view Kubernetes cluster resources on an Amazon EKS Management Console. -- -Grant link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"] access to the Amazon EKS console to view information about [.noloc]`Kubernetes` resources running on your connected cluster. +Grant link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"] access to the Amazon EKS console to view information about [.noloc]`Kubernetes` resources running on your connected cluster. [#connector-grant-access-prereqs] == Prerequisites -The link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that you use to access the {aws-management-console} must meet the following requirements: +The link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that you use to access the {aws-management-console} must meet the following requirements: * It must have the `eks:AccessKubernetesApi` IAM permission. * The Amazon EKS Connector service account can impersonate the IAM principal in the cluster. This allows the Amazon EKS Connector to map the IAM principal to a [.noloc]`Kubernetes` user. diff --git a/latest/ug/connector/deregister-connected-cluster.adoc b/latest/ug/connector/deregister-connected-cluster.adoc index 7117c7c16..2dd548cd1 100644 --- a/latest/ug/connector/deregister-connected-cluster.adoc +++ b/latest/ug/connector/deregister-connected-cluster.adoc @@ -47,7 +47,7 @@ aws eks deregister-cluster \ . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. . Choose *Clusters*. -. On the *Clusters* page, select the connected cluster and select *Deregister*. +. On the *Clusters* page, select the connected cluster and select *Deregister*. . Confirm that you want to deregister the cluster. === `eksctl` [[eksctl_deregister_cluster_connect]] @@ -86,7 +86,7 @@ helm -n eks-connector uninstall eks-connector ---- kubectl delete -f eks-connector.yaml ---- -. If you created `clusterrole` or `clusterrolebindings` for additional link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"] to access the cluster, delete them from your [.noloc]`Kubernetes` cluster. +. If you created `clusterrole` or `clusterrolebindings` for additional link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"] to access the cluster, delete them from your [.noloc]`Kubernetes` cluster. 📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23deregister-connected-cluster%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/connector/eks-connector.adoc b/latest/ug/connector/eks-connector.adoc index fb29f9564..b14ec0fa5 100644 --- a/latest/ug/connector/eks-connector.adoc +++ b/latest/ug/connector/eks-connector.adoc @@ -64,7 +64,7 @@ Using the Amazon EKS Connector requires the following two IAM roles: * The <> service-linked role is created when you register a cluster for the first time. * You must create the Amazon EKS Connector agent IAM role. See <> for details. -To enable cluster and workload view permission for link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"], apply the `eks-connector` and Amazon EKS Connector cluster roles to your cluster. Follow the steps in <>. +To enable cluster and workload view permission for link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"], apply the `eks-connector` and Amazon EKS Connector cluster roles to your cluster. Follow the steps in <>. include::connecting-cluster.adoc[leveloffset=+1] diff --git a/latest/ug/connector/security-connector.adoc b/latest/ug/connector/security-connector.adoc index c63e82495..7dea9668d 100644 --- a/latest/ug/connector/security-connector.adoc +++ b/latest/ug/connector/security-connector.adoc @@ -32,10 +32,10 @@ This topic describes the differences in the responsibility model if the connecte + ** [.noloc]`Kubernetes` secrets must be properly encrypted and protected. ** Lock down access to the `eks-connector` namespace. -* Configuring role-based access control (RBAC) permissions to manage link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] access from {aws}. For instructions, see <>. +* Configuring role-based access control (RBAC) permissions to manage link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] access from {aws}. For instructions, see <>. * Installing and upgrading Amazon EKS Connector. * Maintaining the hardware, software, and infrastructure that supports the connected [.noloc]`Kubernetes` cluster. -* Securing their {aws} accounts (for example, through safeguarding your link:IAM/latest/UserGuide/best-practices.html#lock-away-credentials[root user credentials,type="documentation"]). +* Securing their {aws} accounts (for example, through safeguarding your link:IAM/latest/UserGuide/best-practices.html#lock-away-credentials[root user credentials,type="documentation"]). 📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23security-connector%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/connector/troubleshooting-connector.adoc b/latest/ug/connector/troubleshooting-connector.adoc index 300763c01..77a153292 100644 --- a/latest/ug/connector/troubleshooting-connector.adoc +++ b/latest/ug/connector/troubleshooting-connector.adoc @@ -131,10 +131,10 @@ If the cluster gets stuck in the `Pending` state on the Amazon EKS console after [#symp-imp] == Console error: User system:serviceaccount:eks-connector:eks-connector can't impersonate resource users in API group at cluster scope -The Amazon EKS Connector uses [.noloc]`Kubernetes` https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation[user impersonation] to act on behalf of link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"] from the {aws-management-console}. Each principal that accesses the [.noloc]`Kubernetes` API from the {aws} `eks-connector` service account must be granted permission to impersonate the corresponding [.noloc]`Kubernetes` user with an IAM ARN as its [.noloc]`Kubernetes` user name. In the following examples, the IAM ARN is mapped to a [.noloc]`Kubernetes` user. +The Amazon EKS Connector uses [.noloc]`Kubernetes` https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation[user impersonation] to act on behalf of link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"] from the {aws-management-console}. Each principal that accesses the [.noloc]`Kubernetes` API from the {aws} `eks-connector` service account must be granted permission to impersonate the corresponding [.noloc]`Kubernetes` user with an IAM ARN as its [.noloc]`Kubernetes` user name. In the following examples, the IAM ARN is mapped to a [.noloc]`Kubernetes` user. -* IAM user [.replaceable]`john` from {aws} account [.replaceable]`111122223333` is mapped to a [.noloc]`Kubernetes` user. link:IAM/latest/UserGuide/id_users.html[IAM best practices,type="documentation"] recommend that you grant permissions to roles instead of users. +* IAM user [.replaceable]`john` from {aws} account [.replaceable]`111122223333` is mapped to a [.noloc]`Kubernetes` user. link:IAM/latest/UserGuide/id_users.html[IAM best practices,type="documentation"] recommend that you grant permissions to roles instead of users. + [source,bash,subs="verbatim,attributes"] ---- @@ -175,7 +175,7 @@ If the Amazon EKS service can't communicate with the Amazon EKS connector in the * The Amazon EKS Connector in the target cluster is unhealthy. * Poor connectivity or an interrupted connection between the target cluster and the {aws} Region. -To resolve this problem, check the <>. If you don't see an error for the Amazon EKS Connector, retry the connection after a few minutes. If you regularly experience high latency or intermittent connectivity for the target cluster, consider re-registering the cluster to an {aws} Region that's located closer to you. +To resolve this problem, check the <>. If you don't see an error for the Amazon EKS Connector, retry the connection after a few minutes. If you regularly experience high latency or intermittent connectivity for the target cluster, consider re-registering the cluster to an {aws} Region that's located closer to you. [#symp-loop] == Amazon EKS connector [.noloc]`Pods` are crash looping diff --git a/latest/ug/contribute/asciidoc-syntax.adoc b/latest/ug/contribute/asciidoc-syntax.adoc index 47ae104c7..57c2dc6f5 100644 --- a/latest/ug/contribute/asciidoc-syntax.adoc +++ b/latest/ug/contribute/asciidoc-syntax.adoc @@ -64,7 +64,7 @@ Ordered Lists: [source,asciidoc] ---- -External link: https://example.com[Link text] +External link: https://example.com[Link text] Internal link: <> Internal link: <> ---- diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index 3d59b302f..a99169150 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -537,7 +537,7 @@ Amazon EKS updated an existing {aws} managed policy. [.update-ulink] link:eks/latest/userguide/prometheus.html[type="documentation"] -In the {aws-management-console}, you can now turn on [.noloc]`Prometheus` metrics when creating a cluster. You can also view [.noloc]`Prometheus` scraper details in the *Observability* tab. +In the {aws-management-console}, you can now turn on [.noloc]`Prometheus` metrics when creating a cluster. You can also view [.noloc]`Prometheus` scraper details in the *Observability* tab. [.update,date="2023-11-17"] @@ -644,7 +644,7 @@ You can use [.noloc]`Kubernetes` _network policy_ in existing clusters with the [.update-ulink] link:eks/latest/userguide/network-reqs.html#network-requirements-shared[type="documentation"] -New link:eks/latest/userguide/network-reqs.html#network-requirements-shared[Shared subnet requirements and considerations,type="documentation"] for making Amazon EKS clusters in shared subnets. +New link:eks/latest/userguide/network-reqs.html#network-requirements-shared[Shared subnet requirements and considerations,type="documentation"] for making Amazon EKS clusters in shared subnets. [.update,date="2023-09-06"] @@ -1384,7 +1384,7 @@ Added [.noloc]`Kubernetes` version `1.16` support for new clusters and version u [.update,date="2020-04-16"] -=== Added the *AWSServiceRoleForAmazonEKS* service-linked role +=== Added the *AWSServiceRoleForAmazonEKS* service-linked role [.update-ulink] link:eks/latest/userguide/using-service-linked-roles-eks.html[type="documentation"] diff --git a/latest/ug/getting-started/getting-started-automode.adoc b/latest/ug/getting-started/getting-started-automode.adoc index eac4dbfc6..be641dc57 100644 --- a/latest/ug/getting-started/getting-started-automode.adoc +++ b/latest/ug/getting-started/getting-started-automode.adoc @@ -12,7 +12,7 @@ However, EKS Auto Mode extends EKS automation by handing responsibility of many Choose from one of the following ways to create a cluster with EKS Auto Mode: * <>: Use the `aws` command line interface to create a cluster. -* <>: Use the {aws}} Management Console to create a cluster. +* <>: Use the {aws-management-console} to create a cluster. * <>: Use the `eksctl` command line interface to create a cluster. If you are comparing different approaches to creating your first EKS cluster, diff --git a/latest/ug/getting-started/getting-started-console.adoc b/latest/ug/getting-started/getting-started-console.adoc index 4e1e2a9db..a69b5ca51 100644 --- a/latest/ug/getting-started/getting-started-console.adoc +++ b/latest/ug/getting-started/getting-started-console.adoc @@ -30,11 +30,11 @@ Before starting this tutorial, you must install and configure the following tool * *{aws} CLI* - – A command line tool for working with {aws} services, including Amazon EKS. For more information, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. After installing the {aws} CLI, we recommend that you also configure it. For more information, see link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the {aws} Command Line Interface User Guide. Note that {aws} CLI v2 is required to use the *update-kubeconfig* option shown in this page. + – A command line tool for working with {aws} services, including Amazon EKS. For more information, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. After installing the {aws} CLI, we recommend that you also configure it. For more information, see link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the {aws} Command Line Interface User Guide. Note that {aws} CLI v2 is required to use the *update-kubeconfig* option shown in this page. * *`kubectl`* – A command line tool for working with [.noloc]`Kubernetes` clusters. For more information, see <>. * *Required IAM permissions* - – The IAM security principal that you're using must have permissions to work with Amazon EKS IAM roles, service linked roles, {aws} CloudFormation, a VPC, and related resources. For more information, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html[Actions, resources, and condition keys for Amazon Elastic Kubernetes Service,type="documentation"] and link:IAM/latest/UserGuide/using-service-linked-roles.html[Using service-linked roles,type="documentation"] in the IAM User Guide. You must complete all steps in this guide as the same user. To check the current user, run the following command: + – The IAM security principal that you're using must have permissions to work with Amazon EKS IAM roles, service linked roles, {aws} CloudFormation, a VPC, and related resources. For more information, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html[Actions, resources, and condition keys for Amazon Elastic Kubernetes Service,type="documentation"] and link:IAM/latest/UserGuide/using-service-linked-roles.html[Using service-linked roles,type="documentation"] in the IAM User Guide. You must complete all steps in this guide as the same user. To check the current user, run the following command: + [source,bash,subs="verbatim,attributes"] ---- @@ -102,7 +102,7 @@ aws iam attach-role-policy \ . Open the Amazon EKS console at link:eks/home#/clusters[https://console.aws.amazon.com/eks/home#/clusters,type="console"]. + Make sure that the {aws} Region shown in the upper right of your console is the {aws} Region that you want to create your cluster in. If it's not, choose the dropdown next to the {aws} Region name and choose the {aws} Region that you want to use. -. Choose *Create cluster*. If you don't see this option, then choose *Clusters* in the left navigation pane first. +. Choose *Create cluster*. If you don't see this option, then choose *Clusters* in the left navigation pane first. . On the *Configure cluster* page, do the following: + .. Select *Custom configuration* and disable *Use EKS Auto Mode*. (If you prefer an EKS Auto Mode cluster, refer instead to <>.) @@ -113,14 +113,14 @@ Make sure that the {aws} Region shown in the upper right of your console is the + .. Choose the ID of the VPC that you created in a previous step from the *VPC* dropdown list. It is something like [.replaceable]`vpc-00x0000x000x0x000` | [.replaceable]`my-eks-vpc-stack-VPC`. .. Leave the remaining settings at their default values and choose *Next*. -. On the *Configure observability* page, choose *Next*. -. On the *Select add-ons* page, choose *Next*. +. On the *Configure observability* page, choose *Next*. +. On the *Select add-ons* page, choose *Next*. + For more information on add-ons, see <>. -. On the *Configure selected add-ons settings* page, choose *Next*. -. On the *Review and create* page, choose *Create*. +. On the *Configure selected add-ons settings* page, choose *Next*. +. On the *Review and create* page, choose *Create*. + -To the right of the cluster's name, the cluster status is *Creating* for several minutes until the cluster provisioning process completes. Don't continue to the next step until the status is *Active*. +To the right of the cluster's name, the cluster status is *Creating* for several minutes until the cluster provisioning process completes. Don't continue to the next step until the status is *Active*. + NOTE: You might receive an error that one of the Availability Zones in your request doesn't have sufficient capacity to create an Amazon EKS cluster. If this happens, the error output contains the Availability Zones that can support a new cluster. Retry creating your cluster with at least two subnets that are located in the supported Availability Zones for your account. For more information, see <>. @@ -228,10 +228,10 @@ aws iam attach-role-policy \ .. For *Name*, enter a unique name for your managed node group, such as [.replaceable]`my-nodegroup`. The node group name can't be longer than 63 characters. It must start with letter or digit, but can also include hyphens and underscores for the remaining characters. .. For *Node IAM role name*, choose [.replaceable]`myAmazonEKSNodeRole` role that you created in a previous step. We recommend that each node group use its own unique IAM role. .. Choose *Next*. -. On the *Set compute and scaling configuration* page, accept the default values and choose *Next*. -. On the *Specify networking* page, accept the default values and choose *Next*. -. On the *Review and create* page, review your managed node group configuration and choose *Create*. -. After several minutes, the *Status* in the *Node Group configuration* section will change from *Creating* to *Active*. Don't continue to the next step until the status is *Active*. +. On the *Set compute and scaling configuration* page, accept the default values and choose *Next*. +. On the *Specify networking* page, accept the default values and choose *Next*. +. On the *Review and create* page, review your managed node group configuration and choose *Create*. +. After several minutes, the *Status* in the *Node Group configuration* section will change from *Creating* to *Active*. Don't continue to the next step until the status is *Active*. [#gs-view-resources] @@ -239,11 +239,11 @@ aws iam attach-role-policy \ You can view your nodes and [.noloc]`Kubernetes` workloads. -. In the left navigation pane, choose *Clusters*. In the list of *Clusters*, choose the name of the cluster that you created, such as [.replaceable]`my-cluster`. +. In the left navigation pane, choose *Clusters*. In the list of *Clusters*, choose the name of the cluster that you created, such as [.replaceable]`my-cluster`. . On the *[.replaceable]`my-cluster`* page, choose the following: + .. *Compute* - tab – You see the list of *Nodes* that were deployed for the cluster. You can choose the name of a node to see more information about it. + tab – You see the list of *Nodes* that were deployed for the cluster. You can choose the name of a node to see more information about it. .. *Resources* tab – You see all of the [.noloc]`Kubernetes` resources that are deployed by default to an Amazon EKS cluster. Select any resource type in the console to learn more about it. @@ -269,12 +269,12 @@ After you've finished with the cluster and nodes that you created for this tutor + .. Open the CloudFormation console at https://console.aws.amazon.com/cloudformation/. .. Choose the [.replaceable]`my-eks-vpc-stack` stack, and then choose *Delete*. -.. In the *Delete [.replaceable]`my-eks-vpc-stack`* confirmation dialog box, choose *Delete stack*. +.. In the *Delete [.replaceable]`my-eks-vpc-stack`* confirmation dialog box, choose *Delete stack*. . Delete the IAM roles that you created. + .. Open the IAM console at https://console.aws.amazon.com/iam/. .. In the left navigation pane, choose *Roles*. -.. Select each role you created from the list (*[.replaceable]`myAmazonEKSClusterRole`*, as well as [.replaceable]`myAmazonEKSNodeRole`). Choose *Delete*, enter the requested confirmation text, then choose *Delete*. +.. Select each role you created from the list (*[.replaceable]`myAmazonEKSClusterRole`*, as well as [.replaceable]`myAmazonEKSNodeRole`). Choose *Delete*, enter the requested confirmation text, then choose *Delete*. [#gs-console-next-steps] @@ -282,7 +282,7 @@ After you've finished with the cluster and nodes that you created for this tutor The following documentation topics help you to extend the functionality of your cluster. -* The link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that created the cluster is the only principal that can make calls to the [.noloc]`Kubernetes` API server with `kubectl` or the {aws-management-console}. If you want other IAM principals to have access to your cluster, then you need to add them. For more information, see <> and <>. +* The link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that created the cluster is the only principal that can make calls to the [.noloc]`Kubernetes` API server with `kubectl` or the {aws-management-console}. If you want other IAM principals to have access to your cluster, then you need to add them. For more information, see <> and <>. * Deploy a <> to your cluster. * Before deploying a cluster for production use, we recommend familiarizing yourself with all of the settings for <> and <>. Some settings (such as enabling SSH access to Amazon EC2 nodes) must be made when the cluster is created. * To increase security for your cluster, <>. diff --git a/latest/ug/getting-started/getting-started-eksctl.adoc b/latest/ug/getting-started/getting-started-eksctl.adoc index 4c67b7ddc..f3b18e504 100644 --- a/latest/ug/getting-started/getting-started-eksctl.adoc +++ b/latest/ug/getting-started/getting-started-eksctl.adoc @@ -26,7 +26,7 @@ The procedures in this guide create several resources for you automatically that [#eksctl-prereqs] == Prerequisites -Before starting this tutorial, you must install and configure the {aws} CLI, kubectl, and eksctl tools as described in <>. +Before starting this tutorial, you must install and configure the {aws} CLI, kubectl, and eksctl tools as described in <>. [#create-cluster-gs-eksctl] == Step 1: Create your Amazon EKS cluster and nodes @@ -41,8 +41,8 @@ To get started as simply and quickly as possible, this topic includes steps to c You can create a cluster with one of the following node types. To learn more about each type, see <>. After your cluster is deployed, you can add other node types. -* *Fargate – [.noloc]``Linux``* – Select this type of node if you want to run [.noloc]``Linux`` applications on <>. Fargate is a serverless compute engine that lets you deploy [.noloc]``Kubernetes`` [.noloc]``Pods`` without managing Amazon EC2 instances. -* *Managed nodes – [.noloc]``Linux``* – Select this type of node if you want to run Amazon Linux applications on Amazon EC2 instances. Though not covered in this guide, you can also add <> and <> nodes to your cluster. +* *Fargate – [.noloc]``Linux``* – Select this type of node if you want to run [.noloc]``Linux`` applications on <>. Fargate is a serverless compute engine that lets you deploy [.noloc]``Kubernetes`` [.noloc]``Pods`` without managing Amazon EC2 instances. +* *Managed nodes – [.noloc]``Linux``* – Select this type of node if you want to run Amazon Linux applications on Amazon EC2 instances. Though not covered in this guide, you can also add <> and <> nodes to your cluster. Create your Amazon EKS cluster with the following command. You can replace [.replaceable]`my-cluster` with your own value. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. Replace [.replaceable]`region-code` with any {aws} Region that is supported by Amazon EKS. For a list of {aws} Regions, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"] in the {aws} General Reference guide. @@ -109,7 +109,7 @@ ip-192-0-2-1.region-code.compute.internal Ready 6m4s v1.2.3-eks- ---- ==== + -For more information about what you see in the output, see <>. +For more information about what you see in the output, see <>. . View the workloads running on your cluster. + @@ -145,7 +145,7 @@ kube-system kube-proxy-67890 1/1 Running 0 7m43s 19 ---- ==== + -For more information about what you see in the output, see <>. +For more information about what you see in the output, see <>. [#gs-eksctl-clean-up] @@ -168,7 +168,7 @@ The following documentation topics help you to extend the functionality of your * Deploy a <> to your cluster. -* The link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that created the cluster is the only principal that can make calls to the [.noloc]`Kubernetes` API server with `kubectl` or the {aws-management-console}. If you want other IAM principals to have access to your cluster, then you need to add them. For more information, see <> and <>. +* The link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that created the cluster is the only principal that can make calls to the [.noloc]`Kubernetes` API server with `kubectl` or the {aws-management-console}. If you want other IAM principals to have access to your cluster, then you need to add them. For more information, see <> and <>. * Before deploying a cluster for production use, we recommend familiarizing yourself with all of the settings for <> and <>. Some settings (such as enabling SSH access to Amazon EC2 nodes) must be made when the cluster is created. * To increase security for your cluster, <>. diff --git a/latest/ug/getting-started/getting-started.adoc b/latest/ug/getting-started/getting-started.adoc index 63f7b4d17..2085ce715 100644 --- a/latest/ug/getting-started/getting-started.adoc +++ b/latest/ug/getting-started/getting-started.adoc @@ -32,7 +32,7 @@ We also offer the following references: * For a collection of hands-on tutorials, see https://community.aws/tags/eks-cluster-setup[EKS Cluster Setup] on _{aws} Community_. -* For code examples, see link:code-library/latest/ug/eks_code_examples.html[Code examples for Amazon EKS using {aws} SDKs,type="documentation"]. +* For code examples, see link:code-library/latest/ug/eks_code_examples.html[Code examples for Amazon EKS using {aws} SDKs,type="documentation"]. include::getting-started-automode.adoc[leveloffset=+1] diff --git a/latest/ug/getting-started/install-awscli.adoc b/latest/ug/getting-started/install-awscli.adoc index a06c0bae4..000198154 100644 --- a/latest/ug/getting-started/install-awscli.adoc +++ b/latest/ug/getting-started/install-awscli.adoc @@ -19,12 +19,12 @@ The link:cli/[{aws} CLI,type="marketing"] is a command line tool for working wit . For single-user or multiple-user accounts: + ** *Single-user account –*:: - In the top right, choose your {aws} user name to open the navigation menu. For example, choose *`webadmin`*. + In the top right, choose your {aws} user name to open the navigation menu. For example, choose *`webadmin`*. ** *Multiple-user account –*:: - Choose IAM from the list of services. From the IAM Dashboard, select *Users*, and choose the name of the user. + Choose IAM from the list of services. From the IAM Dashboard, select *Users*, and choose the name of the user. . Choose *Security credentials*. -. Under *Access keys*, choose *Create access key*. -. Choose *Command Line Interface (CLI)*, then choose *Next*. +. Under *Access keys*, choose *Create access key*. +. Choose *Command Line Interface (CLI)*, then choose *Next*. . Choose *Create access key*. . Choose *Download .csv file*. diff --git a/latest/ug/getting-started/install-kubectl.adoc b/latest/ug/getting-started/install-kubectl.adoc index 67de07284..ead31f99c 100644 --- a/latest/ug/getting-started/install-kubectl.adoc +++ b/latest/ug/getting-started/install-kubectl.adoc @@ -794,7 +794,7 @@ aws eks update-kubeconfig --region region-code --name my-cluster The `eksctl` CLI is used to work with EKS clusters. It automates many individual tasks. See https://eksctl.io/installation[Installation] in the `eksctl` documentation for instructions on installing `eksctl`. -When using `eksctl` the IAM security principal that you're using must have permissions to work with Amazon EKS IAM roles, service linked roles, {aws} CloudFormation, a VPC, and related resources. For more information, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html[Actions, resources, and condition keys for Amazon Elastic Container Service for Kubernetes,type="documentation"] and link:IAM/latest/UserGuide/using-service-linked-roles.html[Using service-linked roles,type="documentation"] in the IAM User Guide. You must complete all steps in this guide as the same user. To check the current user, run the following command: +When using `eksctl` the IAM security principal that you're using must have permissions to work with Amazon EKS IAM roles, service linked roles, {aws} CloudFormation, a VPC, and related resources. For more information, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html[Actions, resources, and condition keys for Amazon Elastic Container Service for Kubernetes,type="documentation"] and link:IAM/latest/UserGuide/using-service-linked-roles.html[Using service-linked roles,type="documentation"] in the IAM User Guide. You must complete all steps in this guide as the same user. To check the current user, run the following command: [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/getting-started/learn-eks.adoc b/latest/ug/getting-started/learn-eks.adoc index 3fe20b225..9c6b6d2b7 100644 --- a/latest/ug/getting-started/learn-eks.adoc +++ b/latest/ug/getting-started/learn-eks.adoc @@ -21,7 +21,7 @@ Find learning paths to extend your knowledge of Amazon EKS. [#overview] == Overview -This Amazon EKS User Guide contains general-purpose procedures to create your first EKS cluster from the <> or <> and a solid reference for all major Amazon EKS components. However, as an Amazon EKS cluster administrator or developer, you can gain a deeper understanding of Amazon EKS by following learning paths that exist in sites outside of this guide. These sites can help you: +This Amazon EKS User Guide contains general-purpose procedures to create your first EKS cluster from the <> or <> and a solid reference for all major Amazon EKS components. However, as an Amazon EKS cluster administrator or developer, you can gain a deeper understanding of Amazon EKS by following learning paths that exist in sites outside of this guide. These sites can help you: diff --git a/latest/ug/integrations/creating-resources-with-cloudformation.adoc b/latest/ug/integrations/creating-resources-with-cloudformation.adoc index 08ec90e3a..117e5d22a 100644 --- a/latest/ug/integrations/creating-resources-with-cloudformation.adoc +++ b/latest/ug/integrations/creating-resources-with-cloudformation.adoc @@ -18,7 +18,7 @@ When you use {aws} CloudFormation, you can reuse your template to set up your Am To provision and configure resources for Amazon EKS and related services, you must understand link:AWSCloudFormation/latest/UserGuide/template-guide.html[{aws} CloudFormation templates,type="documentation"]. Templates are formatted text files in JSON or YAML. These templates describe the resources that you want to provision in your {aws} CloudFormation stacks. If you're unfamiliar with JSON or YAML, you can use {aws} CloudFormation Designer to help you get started with {aws} CloudFormation templates. For more information, see link:AWSCloudFormation/latest/UserGuide/working-with-templates-cfn-designer.html[What is {aws} CloudFormation Designer?,type="documentation"] in the _{aws} CloudFormation User Guide_. -Amazon EKS supports creating clusters and node groups in {aws} CloudFormation. For more information, including examples of JSON and YAML templates for your Amazon EKS resources, see link:AWSCloudFormation/latest/UserGuide/AWS_EKS.html[Amazon EKS resource type reference,type="documentation"] in the _{aws} CloudFormation User Guide_. +Amazon EKS supports creating clusters and node groups in {aws} CloudFormation. For more information, including examples of JSON and YAML templates for your Amazon EKS resources, see link:AWSCloudFormation/latest/UserGuide/AWS_EKS.html[Amazon EKS resource type reference,type="documentation"] in the _{aws} CloudFormation User Guide_. [#learn-more-cloudformation] == Learn more about {aws} CloudFormation diff --git a/latest/ug/integrations/integration-detective.adoc b/latest/ug/integrations/integration-detective.adoc index 87eea6732..2d2bc8e54 100644 --- a/latest/ug/integrations/integration-detective.adoc +++ b/latest/ug/integrations/integration-detective.adoc @@ -30,7 +30,7 @@ Before you can review findings, Detective must be enabled for at least 48 hours . Open the Detective console at https://console.aws.amazon.com/detective/. . From the left navigation pane, select *Search*. -. Select *Choose type* and then select *EKS cluster*. +. Select *Choose type* and then select *EKS cluster*. . Enter the cluster name or ARN and then choose *Search*. . In the search results, choose the name of the cluster that you want to view activity for. For more information about what you can view, see link:detective/latest/userguide/profile-panel-drilldown-kubernetes-api-volume.html[Overall Kubernetes API activity involving an Amazon EKS cluster,type="documentation"] in the _Amazon Detective User Guide_. diff --git a/latest/ug/integrations/integration-guardduty.adoc b/latest/ug/integrations/integration-guardduty.adoc index f429fe533..4d7324783 100644 --- a/latest/ug/integrations/integration-guardduty.adoc +++ b/latest/ug/integrations/integration-guardduty.adoc @@ -19,7 +19,7 @@ Among other features, GuardDuty offers the following two features that detect po *EKS Protection*:: This feature provides threat detection coverage to help you protect Amazon EKS clusters by monitoring the associated [.noloc]`Kubernetes` audit logs. [.noloc]`Kubernetes` audit logs capture sequential actions within your cluster, including activities from users, applications using the [.noloc]`Kubernetes` API, and the control plane. For example, GuardDuty can identify that APIs called to potentially tamper with resources in a [.noloc]`Kubernetes` cluster were invoked by an unauthenticated user. + -When you enable EKS Protection, GuardDuty will be able to access your Amazon EKS audit logs only for continuous threat detection. If GuardDuty identifies a potential threat to your cluster, it generates an associated [.noloc]`Kubernetes` audit log _finding_ of a specific type. For more information about the types of findings available from [.noloc]`Kubernetes` audit logs, see link:guardduty/latest/ug/guardduty_finding-types-kubernetes.html[Kubernetes audit logs finding types,type="documentation"] in the Amazon GuardDuty User Guide. +When you enable EKS Protection, GuardDuty will be able to access your Amazon EKS audit logs only for continuous threat detection. If GuardDuty identifies a potential threat to your cluster, it generates an associated [.noloc]`Kubernetes` audit log _finding_ of a specific type. For more information about the types of findings available from [.noloc]`Kubernetes` audit logs, see link:guardduty/latest/ug/guardduty_finding-types-kubernetes.html[Kubernetes audit logs finding types,type="documentation"] in the Amazon GuardDuty User Guide. + For more information, see link:guardduty/latest/ug/kubernetes-protection.html[EKS Protection,type="documentation"] in the Amazon GuardDuty User Guide. diff --git a/latest/ug/integrations/integration-securitylake.adoc b/latest/ug/integrations/integration-securitylake.adoc index ae5fc3ecb..7b796f111 100644 --- a/latest/ug/integrations/integration-securitylake.adoc +++ b/latest/ug/integrations/integration-securitylake.adoc @@ -17,7 +17,7 @@ Amazon Security Lake is a fully managed security data lake service that allows y [NOTE] ==== -For more information about using Security Lake with Amazon EKS and setting up data sources, refer to the link:security-lake/latest/userguide/internal-sources.html#eks-eudit-logs[Amazon Security Lake documentation,type="documentation"]. +For more information about using Security Lake with Amazon EKS and setting up data sources, refer to the link:security-lake/latest/userguide/internal-sources.html#eks-eudit-logs[Amazon Security Lake documentation,type="documentation"]. ==== @@ -35,7 +35,7 @@ For more information about using Security Lake with Amazon EKS and setting up da [#sl-enable] == Enabling Security Lake for Amazon EKS . Enable Amazon EKS control plane logging for your EKS clusters. Refer to <> for detailed instructions. -. link:security-lake/latest/userguide/internal-sources.html#add-internal-sources[Add Amazon EKS Audit Logs as a source in Security Lake.,type="documentation"] Security Lake will then start collecting in-depth information about the activities performed on the Kubernetes resources running in your EKS clusters. +. link:security-lake/latest/userguide/internal-sources.html#add-internal-sources[Add Amazon EKS Audit Logs as a source in Security Lake.,type="documentation"] Security Lake will then start collecting in-depth information about the activities performed on the Kubernetes resources running in your EKS clusters. . link:security-lake/latest/userguide/lifecycle-management.html[Configure retention and replication settings,type="documentation"] for your security data in Security Lake based on your requirements. . Use the normalized OCSF data stored in Security Lake for incident response, security analytics, and integration with other {aws} services or third-party tools. For example, you can link:big-data/generate-security-insights-from-amazon-security-lake-data-using-amazon-opensearch-ingestion[Generate security insights from Amazon Security Lake data using Amazon OpenSearch Ingestion,type="blog"]. diff --git a/latest/ug/manage-access/aws-access/associate-service-account-role.adoc b/latest/ug/manage-access/aws-access/associate-service-account-role.adoc index 1d59b1bb0..82b135d20 100644 --- a/latest/ug/manage-access/aws-access/associate-service-account-role.adoc +++ b/latest/ug/manage-access/aws-access/associate-service-account-role.adoc @@ -16,7 +16,7 @@ This topic covers how to configure a [.noloc]`Kubernetes` service account to ass * An existing cluster. If you don't have one, you can create one by following one of the guides in <>. * An existing IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To learn if you already have one or how to create one, see <>. -* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. +* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. * The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. * An existing `kubectl` `config` file that contains your cluster configuration. To create a `kubectl` `config` file, see <>. @@ -27,7 +27,7 @@ This topic covers how to configure a [.noloc]`Kubernetes` service account to ass If you want to associate an existing IAM policy to your IAM role, skip to the next step. -. Create an IAM policy. You can create your own policy, or copy an {aws} managed policy that already grants some of the permissions that you need and customize it to your specific requirements. For more information, see link:IAM/latest/UserGuide/access_policies_create.html[Creating IAM policies,type="documentation"] in the _IAM User Guide_. +. Create an IAM policy. You can create your own policy, or copy an {aws} managed policy that already grants some of the permissions that you need and customize it to your specific requirements. For more information, see link:IAM/latest/UserGuide/access_policies_create.html[Creating IAM policies,type="documentation"] in the _IAM User Guide_. + . Create a file that includes the permissions for the {aws} services that you want your [.noloc]`Pods` to access. For a list of all actions for all {aws} services, see the link:service-authorization/latest/reference/[Service Authorization Reference,type="documentation"]. + diff --git a/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc b/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc index 6808035ab..e97b0d62f 100644 --- a/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc +++ b/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc @@ -4,7 +4,7 @@ include::../../attributes.txt[] = Configure the {aws} Security Token Service endpoint for a service account :info_titleabbrev: STS endpoints -If you're using a [.noloc]`Kubernetes` service account with <>, then you can configure the type of {aws} Security Token Service endpoint that's used by the service account if your cluster and platform version are the same or later than those listed in the following table. If your [.noloc]`Kubernetes` or platform version are earlier than those listed in the table, then your service accounts can only use the global endpoint. +If you're using a [.noloc]`Kubernetes` service account with <>, then you can configure the type of {aws} Security Token Service endpoint that's used by the service account if your cluster and platform version are the same or later than those listed in the following table. If your [.noloc]`Kubernetes` or platform version are earlier than those listed in the table, then your service accounts can only use the global endpoint. [cols="1,1,1", options="header"] |=== @@ -50,15 +50,15 @@ If you're using a [.noloc]`Kubernetes` service account with <>. * An existing IAM OIDC provider for your cluster. For more information, see <>. -* An existing [.noloc]`Kubernetes` service account configured for use with the <> feature. +* An existing [.noloc]`Kubernetes` service account configured for use with the <> feature. -The following examples all use the aws-node [.noloc]`Kubernetes` service account used by the <>. You can replace the [.replaceable]`example values` with your own service accounts, [.noloc]`Pods`, namespaces, and other resources. +The following examples all use the aws-node [.noloc]`Kubernetes` service account used by the <>. You can replace the [.replaceable]`example values` with your own service accounts, [.noloc]`Pods`, namespaces, and other resources. . Select a [.noloc]`Pod` that uses a service account that you want to change the endpoint for. Determine which {aws} Region that the [.noloc]`Pod` runs in. Replace [.replaceable]`aws-node-6mfgv` with your [.noloc]`Pod` name and [.replaceable]`kube-system` with your [.noloc]`Pod's` namespace. + diff --git a/latest/ug/manage-access/aws-access/cross-account-access.adoc b/latest/ug/manage-access/aws-access/cross-account-access.adoc index 1e0c69dc5..719ea7ac6 100644 --- a/latest/ug/manage-access/aws-access/cross-account-access.adoc +++ b/latest/ug/manage-access/aws-access/cross-account-access.adoc @@ -10,7 +10,7 @@ include::../../attributes.txt[] Learn how to configure cross-account IAM permissions for Amazon EKS clusters by creating an identity provider from another account's cluster or using chained AssumeRole operations, enabling secure access to {aws} resources across multiple accounts. -- -You can configure cross-account IAM permissions either by creating an identity provider from another account's cluster or by using chained `AssumeRole` operations. In the following examples, _Account A_ owns an Amazon EKS cluster that supports IAM roles for service accounts. [.noloc]`Pods` that are running on that cluster must assume IAM permissions from _Account B_. +You can configure cross-account IAM permissions either by creating an identity provider from another account's cluster or by using chained `AssumeRole` operations. In the following examples, _Account A_ owns an Amazon EKS cluster that supports IAM roles for service accounts. [.noloc]`Pods` that are running on that cluster must assume IAM permissions from _Account B_. .Create an identity provider from another account's cluster ==== @@ -19,7 +19,7 @@ You can configure cross-account IAM permissions either by creating an identity p ==== -In this example, Account A provides Account B with the OpenID Connect (OIDC) issuer URL from their cluster. Account B follows the instructions in <> and <> using the OIDC issuer URL from Account A's cluster. Then, a cluster administrator annotates the service account in Account A's cluster to use the role from Account B ([.replaceable]`444455556666`). +In this example, Account A provides Account B with the OpenID Connect (OIDC) issuer URL from their cluster. Account B follows the instructions in <> and <> using the OIDC issuer URL from Account A's cluster. Then, a cluster administrator annotates the service account in Account A's cluster to use the role from Account B ([.replaceable]`444455556666`). [source,yaml,subs="verbatim,attributes"] ---- diff --git a/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc b/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc index 948a61387..79364b1e9 100644 --- a/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc @@ -15,7 +15,7 @@ Your cluster has an https://openid.net/connect/[OpenID Connect] ([.noloc]`OIDC`) * An existing Amazon EKS cluster. To deploy one, see <>. -* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. +* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. * The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. * An existing `kubectl` `config` file that contains your cluster configuration. To create a `kubectl` `config` file, see <>. @@ -69,12 +69,12 @@ To complete this step, you can run the command outside the VPC, for example in { == Create OIDC provider ({aws} Console) . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. -. In the left pane, select *Clusters*, and then select the name of your cluster on the *Clusters* page. -. In the *Details* section on the *Overview* tab, note the value of the *OpenID Connect provider URL*. +. In the left pane, select *Clusters*, and then select the name of your cluster on the *Clusters* page. +. In the *Details* section on the *Overview* tab, note the value of the *OpenID Connect provider URL*. . Open the IAM console at https://console.aws.amazon.com/iam/. -. In the left navigation pane, choose *Identity Providers* under *Access management*. If a *Provider* is listed that matches the URL for your cluster, then you already have a provider for your cluster. If a provider isn't listed that matches the URL for your cluster, then you must create one. +. In the left navigation pane, choose *Identity Providers* under *Access management*. If a *Provider* is listed that matches the URL for your cluster, then you already have a provider for your cluster. If a provider isn't listed that matches the URL for your cluster, then you must create one. . To create a provider, choose *Add provider*. -. For *Provider type*, select *[.noloc]`OpenID Connect`*. +. For *Provider type*, select *[.noloc]`OpenID Connect`*. . For *Provider URL*, enter the [.noloc]`OIDC` provider URL for your cluster. . For *Audience*, enter `sts.amazonaws.com`. . (Optional) Add any tags, for example a tag to identify which cluster is for this provider. diff --git a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc index 39adb7cbf..9ea11ceaa 100644 --- a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc @@ -17,7 +17,7 @@ IAM roles for service accounts provide the following benefits: * *Least privilege* – You can scope IAM permissions to a service account, and only [.noloc]`Pods` that use that service account have access to those permissions. This feature also eliminates the need for third-party solutions such as `kiam` or `kube2iam`. * *Credential isolation* - – A [.noloc]`Pod's` containers can only retrieve credentials for the IAM role that's associated with the service account that the container uses. A container never has access to credentials that are used by other containers in other [.noloc]`Pods`. When using IAM roles for service accounts, the [.noloc]`Pod's` containers also have the permissions assigned to the <>, unless you block [.noloc]`Pod` access to the link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html[Amazon EC2 Instance Metadata Service (IMDS),type="documentation"]. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. + – A [.noloc]`Pod's` containers can only retrieve credentials for the IAM role that's associated with the service account that the container uses. A container never has access to credentials that are used by other containers in other [.noloc]`Pods`. When using IAM roles for service accounts, the [.noloc]`Pod's` containers also have the permissions assigned to the <>, unless you block [.noloc]`Pod` access to the link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html[Amazon EC2 Instance Metadata Service (IMDS),type="documentation"]. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. * *Auditability* – Access and event logging is available through {aws} CloudTrail to help ensure retrospective auditing. diff --git a/latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc b/latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc index b80589aea..b42481288 100644 --- a/latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc +++ b/latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc @@ -17,7 +17,7 @@ To validate a `ProjectedServiceAccountToken`, you need to fetch the [.noloc]`OID == Prerequisites * An existing {aws} Identity and Access Management (IAM) [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you already have one, or to create one, see <>. -* *{aws} CLI* -- A command line tool for working with {aws} services, including Amazon EKS. For more information, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. After installing the {aws} CLI, we recommend that you also configure it. For more information, see link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the {aws} Command Line Interface User Guide. +* *{aws} CLI* -- A command line tool for working with {aws} services, including Amazon EKS. For more information, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. After installing the {aws} CLI, we recommend that you also configure it. For more information, see link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the {aws} Command Line Interface User Guide. == Procedure diff --git a/latest/ug/manage-access/aws-access/pod-configuration.adoc b/latest/ug/manage-access/aws-access/pod-configuration.adoc index f5754a840..d6100000a 100644 --- a/latest/ug/manage-access/aws-access/pod-configuration.adoc +++ b/latest/ug/manage-access/aws-access/pod-configuration.adoc @@ -17,7 +17,7 @@ If a [.noloc]`Pod` needs to access {aws} services, then you must configure it to * An existing cluster. If you don't have one, you can create one using one of the guides in <>. * An existing IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To learn if you already have one or how to create one, see <>. * An existing [.noloc]`Kubernetes` service account that's associated with an IAM role. The service account must be annotated with the Amazon Resource Name (ARN) of the IAM role. The role must have an associated IAM policy that contains the permissions that you want your [.noloc]`Pods` to have to use {aws} services. For more information about how to create the service account and role, and configure them, see <>. -* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. +* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. * The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. * An existing `kubectl` `config` file that contains your cluster configuration. To create a `kubectl` `config` file, see <>. . Use the following command to create a deployment manifest that you can deploy a [.noloc]`Pod` to confirm configuration with. Replace the [.replaceable]`example values` with your own values. @@ -103,10 +103,10 @@ The https://github.com/aws/amazon-eks-pod-identity-webhook#amazon-eks-pod-identi eks.amazonaws.com/role-arn: {arn-aws}iam::111122223333:role/my-role ---- + -The webhook applies the previous environment variables to those [.noloc]`Pods`. Your cluster doesn't need to use the webhook to configure the environment variables and token file mounts. You can manually configure [.noloc]`Pods` to have these environment variables. The <> look for these environment variables first in the credential chain provider. The role credentials are used for [.noloc]`Pods` that meet this criteria. +The webhook applies the previous environment variables to those [.noloc]`Pods`. Your cluster doesn't need to use the webhook to configure the environment variables and token file mounts. You can manually configure [.noloc]`Pods` to have these environment variables. The <> look for these environment variables first in the credential chain provider. The role credentials are used for [.noloc]`Pods` that meet this criteria. . Confirm that your [.noloc]`Pods` can interact with the {aws} services using the permissions that you assigned in the IAM policy attached to your role. + -NOTE: When a [.noloc]`Pod` uses {aws} credentials from an IAM role that's associated with a service account, the {aws} CLI or other SDKs in the containers for that [.noloc]`Pod` use the credentials that are provided by that role. If you don't restrict access to the credentials that are provided to the <>, the [.noloc]`Pod` still has access to these credentials. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. +NOTE: When a [.noloc]`Pod` uses {aws} credentials from an IAM role that's associated with a service account, the {aws} CLI or other SDKs in the containers for that [.noloc]`Pod` use the credentials that are provided by that role. If you don't restrict access to the credentials that are provided to the <>, the [.noloc]`Pod` still has access to these credentials. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. + If your [.noloc]`Pods` can't interact with the services as you expected, complete the following steps to confirm that everything is properly configured. + @@ -124,7 +124,7 @@ An example output is as follows. ---- Service Account: my-service-account ---- -.. If your [.noloc]`Pods` still can't access services, review the <> that are described in <> to confirm that your role and service account are configured properly. +.. If your [.noloc]`Pods` still can't access services, review the <> that are described in <> to confirm that your role and service account are configured properly. 📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pod-configuration%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-id-abac.adoc b/latest/ug/manage-access/aws-access/pod-id-abac.adoc index d829e9c3d..69b272ff3 100644 --- a/latest/ug/manage-access/aws-access/pod-id-abac.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-abac.adoc @@ -62,7 +62,7 @@ The following list contains all of the keys for tags that are added to the `Assu [#pod-id-abac-chaining] == Cross-account tags -All of the session tags that are added by EKS Pod Identity are _transitive_; the tag keys and values are passed to any `AssumeRole` actions that your workloads use to switch roles into another account. You can use these tags in policies in other accounts to limit access in cross-account scenarios. For more infromation, see link:IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining[Chaining roles with session tags,type="documentation"] in the _IAM User Guide_. +All of the session tags that are added by EKS Pod Identity are _transitive_; the tag keys and values are passed to any `AssumeRole` actions that your workloads use to switch roles into another account. You can use these tags in policies in other accounts to limit access in cross-account scenarios. For more infromation, see link:IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining[Chaining roles with session tags,type="documentation"] in the _IAM User Guide_. [#pod-id-abac-custom-tags] == Custom tags diff --git a/latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc b/latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc index 0fd07152f..1eae29736 100644 --- a/latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc @@ -49,8 +49,8 @@ status -- Show the status of the rollout undo -- Undo a previous rollout ---- + -If the rollout takes too long, Amazon EKS will undo the rollout, and a message with the type of *Addon Update* and a status of *Failed* will be added to the *Update history* of the add-on. To investigate any issues, start from the history of the rollout, and run `kubectl logs` on a EKS Pod Identity Agent pod to see the logs of EKS Pod Identity Agent. -. If the new entry in the *Update history* has a status of *Successful*, then the rollout has completed and the add-on is using the new configuration in all of the EKS Pod Identity Agent pods. +If the rollout takes too long, Amazon EKS will undo the rollout, and a message with the type of *Addon Update* and a status of *Failed* will be added to the *Update history* of the add-on. To investigate any issues, start from the history of the rollout, and run `kubectl logs` on a EKS Pod Identity Agent pod to see the logs of EKS Pod Identity Agent. +. If the new entry in the *Update history* has a status of *Successful*, then the rollout has completed and the add-on is using the new configuration in all of the EKS Pod Identity Agent pods. [#pod-id-cli] == {aws} CLI @@ -66,7 +66,7 @@ aws eks update-addon --cluster-name my-cluster --addon-name eks-pod-identity-age + This configuration sets the `IPv4` address to be the only address used by the agent. + -Amazon EKS applies changes to the EKS Add-ons by using a _rollout_ of the [.noloc]`Kubernetes` DaemonSet for EKS Pod Identity Agent. You can track the status of the rollout in the *Update history* of the add-on in the {aws-management-console} and with `kubectl rollout status daemonset/eks-pod-identity-agent --namespace kube-system`. +Amazon EKS applies changes to the EKS Add-ons by using a _rollout_ of the [.noloc]`Kubernetes` DaemonSet for EKS Pod Identity Agent. You can track the status of the rollout in the *Update history* of the add-on in the {aws-management-console} and with `kubectl rollout status daemonset/eks-pod-identity-agent --namespace kube-system`. + `kubectl rollout` has the following commands: + @@ -82,7 +82,7 @@ status -- Show the status of the rollout undo -- Undo a previous rollout ---- + -If the rollout takes too long, Amazon EKS will undo the rollout, and a message with the type of *Addon Update* and a status of *Failed* will be added to the *Update history* of the add-on. To investigate any issues, start from the history of the rollout, and run `kubectl logs` on a EKS Pod Identity Agent pod to see the logs of EKS Pod Identity Agent. +If the rollout takes too long, Amazon EKS will undo the rollout, and a message with the type of *Addon Update* and a status of *Failed* will be added to the *Update history* of the add-on. To investigate any issues, start from the history of the rollout, and run `kubectl logs` on a EKS Pod Identity Agent pod to see the logs of EKS Pod Identity Agent. 📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pod-id-agent-config-ipv6%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc b/latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc index af991a928..edcfcb021 100644 --- a/latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc @@ -65,8 +65,8 @@ Note that you can change the image location and provide `imagePullSecrets` for E . Choose the *Add-ons* tab. . Choose *Get more add-ons*. . Select the box in the top right of the add-on box for EKS Pod Identity Agent and then choose *Next*. -. On the *Configure selected add-ons settings* page, select any version in the *Version* dropdown list. -. (Optional) Expand *Optional configuration settings* to enter additional configuration. For example, you can provide an alternative container image location and `ImagePullSecrets`. The [.noloc]`JSON Schema` with accepted keys is shown in *Add-on configuration schema*. +. On the *Configure selected add-ons settings* page, select any version in the *Version* dropdown list. +. (Optional) Expand *Optional configuration settings* to enter additional configuration. For example, you can provide an alternative container image location and `ImagePullSecrets`. The [.noloc]`JSON Schema` with accepted keys is shown in *Add-on configuration schema*. + Enter the configuration keys and values in *Configuration values*. . Choose *Next*. diff --git a/latest/ug/manage-access/aws-access/pod-id-association.adoc b/latest/ug/manage-access/aws-access/pod-id-association.adoc index 96b4ad364..9bade37e7 100644 --- a/latest/ug/manage-access/aws-access/pod-id-association.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-association.adoc @@ -16,7 +16,7 @@ To create an EKS Pod Identity association, there is only a single step; you crea * An existing cluster. If you don't have one, you can create one by following one of the guides in <>. * The IAM principal that is creating the association must have `iam:PassRole`. -* The latest version of the {aws} CLI installed and configured on your device or {aws} CloudShell. You can check your current version with `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the {aws} Command Line Interface User Guide. The {aws} CLI version installed in the {aws} CloudShell may also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the {aws} CloudShell User Guide. +* The latest version of the {aws} CLI installed and configured on your device or {aws} CloudShell. You can check your current version with `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the {aws} Command Line Interface User Guide. The {aws} CLI version installed in the {aws} CloudShell may also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the {aws} CloudShell User Guide. * The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. * An existing `kubectl` `config` file that contains your cluster configuration. To create a `kubectl` `config` file, see <>. @@ -27,7 +27,7 @@ To create an EKS Pod Identity association, there is only a single step; you crea . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. . In the left navigation pane, select *Clusters*, and then select the name of the cluster that you want to configure the EKS Pod Identity Agent add-on for. . Choose the *Access* tab. -. In the *Pod Identity associations*, choose *Create*. +. In the *Pod Identity associations*, choose *Create*. . For the *IAM role*, select the IAM role with the permissions that you want the workload to have. + NOTE: The list only contains roles that have the following trust policy which allows EKS Pod Identity to use them. @@ -58,10 +58,10 @@ NOTE: The list only contains roles that have the following trust policy which al + You can use these tags in the _condition keys_ in the trust policy to restrict which service accounts, namespaces, and clusters can use this role. + -For a list of Amazon EKS condition keys, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-policy-keys[Conditions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the _Service Authorization Reference_. To learn which actions and resources you can use a condition key with, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"]. +For a list of Amazon EKS condition keys, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-policy-keys[Conditions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the _Service Authorization Reference_. To learn which actions and resources you can use a condition key with, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"]. . For the *[.noloc]`Kubernetes` namespace*, select the [.noloc]`Kubernetes` namespace that contains the service account and workload. Optionally, you can specify a namespace by name that doesn't exist in the cluster. . For the *[.noloc]`Kubernetes` service account*, select the [.noloc]`Kubernetes` service account to use. The manifest for your [.noloc]`Kubernetes` workload must specify this service account. Optionally, you can specify a service account by name that doesn't exist in the cluster. -. (Optional) For the *Tags*, choose *Add tag* to add metadata in a key and value pair. These tags are applied to the association and can be used in IAM policies. +. (Optional) For the *Tags*, choose *Add tag* to add metadata in a key and value pair. These tags are applied to the association and can be used in IAM policies. + You can repeat this step to add multiple tags. . Choose *Create*. @@ -70,9 +70,9 @@ You can repeat this step to add multiple tags. == Create a Pod Identity association ({aws} CLI) . If you want to associate an existing IAM policy to your IAM role, skip to the next step. + -Create an IAM policy. You can create your own policy, or copy an {aws} managed policy that already grants some of the permissions that you need and customize it to your specific requirements. For more information, see link:IAM/latest/UserGuide/access_policies_create.html[Creating IAM policies,type="documentation"] in the _IAM User Guide_. +Create an IAM policy. You can create your own policy, or copy an {aws} managed policy that already grants some of the permissions that you need and customize it to your specific requirements. For more information, see link:IAM/latest/UserGuide/access_policies_create.html[Creating IAM policies,type="documentation"] in the _IAM User Guide_. + -.. Create a file that includes the permissions for the {aws} services that you want your [.noloc]`Pods` to access. For a list of all actions for all {aws} services, see the link:service-authorization/latest/reference/[Service Authorization Reference,type="documentation"]. +.. Create a file that includes the permissions for the {aws} services that you want your [.noloc]`Pods` to access. For a list of all actions for all {aws} services, see the link:service-authorization/latest/reference/[Service Authorization Reference,type="documentation"]. + You can run the following command to create an example policy file that allows read-only access to an Amazon S3 bucket. You can optionally store configuration information or a bootstrap script in this bucket, and the containers in your [.noloc]`Pod` can read the file from the bucket and load it into your application. If you want to create this example policy, copy the following contents to your device. Replace [.replaceable]`my-pod-secrets-bucket` with your bucket name and run the command. + diff --git a/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc b/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc index fcf389c2c..af28c8f14 100644 --- a/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc @@ -13,7 +13,7 @@ If a [.noloc]`Pod` needs to access {aws} services, then you must configure it to * An existing cluster. If you don't have one, you can create one using one of the guides in <>. * An existing [.noloc]`Kubernetes` service account and an EKS Pod Identity association that associates the service account with an IAM role. The role must have an associated IAM policy that contains the permissions that you want your [.noloc]`Pods` to have to use {aws} services. For more information about how to create the service account and role, and configure them, see <>. -* The latest version of the {aws} CLI installed and configured on your device or {aws} CloudShell. You can check your current version with `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the {aws} Command Line Interface User Guide. The {aws} CLI version installed in the {aws} CloudShell may also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the {aws} CloudShell User Guide. +* The latest version of the {aws} CLI installed and configured on your device or {aws} CloudShell. You can check your current version with `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the {aws} Command Line Interface User Guide. The {aws} CLI version installed in the {aws} CloudShell may also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the {aws} CloudShell User Guide. * The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. * An existing `kubectl` `config` file that contains your cluster configuration. To create a `kubectl` `config` file, see <>. . Use the following command to create a deployment manifest that you can deploy a [.noloc]`Pod` to confirm configuration with. Replace the [.replaceable]`example values` with your own values. @@ -76,7 +76,7 @@ AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE: /var/run/secrets/pods.eks.amazonaws.com ---- . Confirm that your [.noloc]`Pods` can interact with the {aws} services using the permissions that you assigned in the IAM policy attached to your role. + -NOTE: When a [.noloc]`Pod` uses {aws} credentials from an IAM role that's associated with a service account, the {aws} CLI or other SDKs in the containers for that [.noloc]`Pod` use the credentials that are provided by that role. If you don't restrict access to the credentials that are provided to the <>, the [.noloc]`Pod` still has access to these credentials. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. +NOTE: When a [.noloc]`Pod` uses {aws} credentials from an IAM role that's associated with a service account, the {aws} CLI or other SDKs in the containers for that [.noloc]`Pod` use the credentials that are provided by that role. If you don't restrict access to the credentials that are provided to the <>, the [.noloc]`Pod` still has access to these credentials. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. + If your [.noloc]`Pods` can't interact with the services as you expected, complete the following steps to confirm that everything is properly configured. + diff --git a/latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc b/latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc index 2bb7318ee..f1868f57f 100644 --- a/latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc @@ -19,7 +19,7 @@ In your add-ons, such as _Amazon EKS add-ons_ and self-managed controller, opera [#pod-id-credentials] == Using EKS Pod Identities in your code -In your code, you can use the {aws} SDKs to access {aws} services. You write code to create a client for an {aws} service with an SDK, and by default the SDK searches in a chain of locations for {aws} Identity and Access Management credentials to use. After valid credentials are found, the search is stopped. For more information about the default locations used, see the link:sdkref/latest/guide/standardized-credentials.html#credentialProviderChain[Credential provider chain,type="documentation"] in the {aws} SDKs and Tools Reference Guide. +In your code, you can use the {aws} SDKs to access {aws} services. You write code to create a client for an {aws} service with an SDK, and by default the SDK searches in a chain of locations for {aws} Identity and Access Management credentials to use. After valid credentials are found, the search is stopped. For more information about the default locations used, see the link:sdkref/latest/guide/standardized-credentials.html#credentialProviderChain[Credential provider chain,type="documentation"] in the {aws} SDKs and Tools Reference Guide. EKS Pod Identities have been added to the _Container credential provider_ which is searched in a step in the default credential chain. If your workloads currently use credentials that are earlier in the chain of credentials, those credentials will continue to be used even if you configure an EKS Pod Identity association for the same workload. This way you can safely migrate from other types of credentials by creating the association first, before removing the old credentials. @@ -51,9 +51,9 @@ In contrast, _IAM roles for service accounts_ provides a _web identity_ token th expirationSeconds: 86400 # 24 hours path: eks-pod-identity-token ---- -. [.noloc]`Kubernetes` selects which node to run the pod on. Then, the Amazon EKS Pod Identity Agent on the node uses the link:eks/latest/APIReference/API_auth_AssumeRoleForPodIdentity.html[AssumeRoleForPodIdentity,type="documentation"] action to retrieve temporary credentials from the EKS Auth API. +. [.noloc]`Kubernetes` selects which node to run the pod on. Then, the Amazon EKS Pod Identity Agent on the node uses the link:eks/latest/APIReference/API_auth_AssumeRoleForPodIdentity.html[AssumeRoleForPodIdentity,type="documentation"] action to retrieve temporary credentials from the EKS Auth API. . The EKS Pod Identity Agent makes these credentials available for the {aws} SDKs that you run inside your containers. -. You use the SDK in your application without specifying a credential provider to use the default credential chain. Or, you specify the container credential provider. For more information about the default locations used, see the link:sdkref/latest/guide/standardized-credentials.html#credentialProviderChain[Credential provider chain,type="documentation"] in the {aws} SDKs and Tools Reference Guide. +. You use the SDK in your application without specifying a credential provider to use the default credential chain. Or, you specify the container credential provider. For more information about the default locations used, see the link:sdkref/latest/guide/standardized-credentials.html#credentialProviderChain[Credential provider chain,type="documentation"] in the {aws} SDKs and Tools Reference Guide. . The SDK uses the environment variables to connect to the EKS Pod Identity Agent and retrieve the credentials. + NOTE: If your workloads currently use credentials that are earlier in the chain of credentials, those credentials will continue to be used even if you configure an EKS Pod Identity association for the same workload. diff --git a/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc b/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc index 7dc708356..b114954d1 100644 --- a/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc @@ -13,7 +13,7 @@ This works because EKS Pod Identities have been added to the _Container credenti For more information about how EKS Pod Identities work, see <>. -When using <>, the containers in your [.noloc]`Pods` must use an {aws} SDK version that supports assuming an IAM role from the EKS Pod Identity Agent. Make sure that you're using the following versions, or later, for your {aws} SDK: +When using <>, the containers in your [.noloc]`Pods` must use an {aws} SDK version that supports assuming an IAM role from the EKS Pod Identity Agent. Make sure that you're using the following versions, or later, for your {aws} SDK: diff --git a/latest/ug/manage-access/aws-access/pod-id-role.adoc b/latest/ug/manage-access/aws-access/pod-id-role.adoc index d676a813a..b90206e5c 100644 --- a/latest/ug/manage-access/aws-access/pod-id-role.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-role.adoc @@ -39,7 +39,7 @@ EKS Pod Identity uses `TagSession` to include _session tags_ in the requests to + You can use these tags in the _condition keys_ in the trust policy to restrict which service accounts, namespaces, and clusters can use this role. + -For a list of Amazon EKS condition keys, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-policy-keys[Conditions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the _Service Authorization Reference_. To learn which actions and resources you can use a condition key with, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"]. +For a list of Amazon EKS condition keys, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-policy-keys[Conditions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the _Service Authorization Reference_. To learn which actions and resources you can use a condition key with, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"]. 📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pod-id-role%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-identities.adoc b/latest/ug/manage-access/aws-access/pod-identities.adoc index bc8895256..7fc03ec4f 100644 --- a/latest/ug/manage-access/aws-access/pod-identities.adoc +++ b/latest/ug/manage-access/aws-access/pod-identities.adoc @@ -45,7 +45,7 @@ EKS Pod Identities provide the following benefits: * *Least privilege* – You can scope IAM permissions to a service account, and only [.noloc]`Pods` that use that service account have access to those permissions. This feature also eliminates the need for third-party solutions such as `kiam` or `kube2iam`. * *Credential isolation* - – A [.noloc]`Pod's` containers can only retrieve credentials for the IAM role that's associated with the service account that the container uses. A container never has access to credentials that are used by other containers in other [.noloc]`Pods`. When using Pod Identities, the [.noloc]`Pod's` containers also have the permissions assigned to the <>, unless you block [.noloc]`Pod` access to the link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html["Amazon EC2 Instance Metadata Service (IMDS)", type="documentation"]. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. + – A [.noloc]`Pod's` containers can only retrieve credentials for the IAM role that's associated with the service account that the container uses. A container never has access to credentials that are used by other containers in other [.noloc]`Pods`. When using Pod Identities, the [.noloc]`Pod's` containers also have the permissions assigned to the <>, unless you block [.noloc]`Pod` access to the link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html["Amazon EC2 Instance Metadata Service (IMDS)", type="documentation"]. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. * *Auditability* – Access and event logging is available through {aws} CloudTrail to help facilitate retrospective auditing. @@ -85,7 +85,7 @@ Turn on EKS Pod Identities by completing the following procedures: == EKS Pod Identity considerations * You can associate one IAM role to each [.noloc]`Kubernetes` service account in each cluster. You can change which role is mapped to the service account by editing the EKS Pod Identity association. -* You can only associate roles that are in the same {aws} account as the cluster. You can delegate access from another account to the role in this account that you configure for EKS Pod Identities to use. For a tutorial about delegating access and `AssumeRole`, see link:IAM/latest/UserGuide/tutorial_cross-account-with-roles.html[Delegate access across {aws} accounts using IAM roles,type="documentation"] in the _IAM User Guide_. +* You can only associate roles that are in the same {aws} account as the cluster. You can delegate access from another account to the role in this account that you configure for EKS Pod Identities to use. For a tutorial about delegating access and `AssumeRole`, see link:IAM/latest/UserGuide/tutorial_cross-account-with-roles.html[Delegate access across {aws} accounts using IAM roles,type="documentation"] in the _IAM User Guide_. * The EKS Pod Identity Agent is required. It runs as a [.noloc]`Kubernetes` `DaemonSet` on your nodes and only provides credentials to pods on the node that it runs on. For more information about EKS Pod Identity Agent compatibility, see the following section <>. * If you are using Security Group for Pods along with Pod Identity Agent, you may need to set the `POD_SECURITY_GROUP_ENFORCING_MODE` Flag for the {aws} VPC CNI. For more information on security group for pods considerations, see <>. * The EKS Pod Identity Agent uses the `hostNetwork` of the node and it uses port `80` and port `2703` on a link-local address on the node. This address is `169.254.170.23` for [.noloc]`IPv4` and `[fd00:ec2::23]` for [.noloc]`IPv6` clusters. diff --git a/latest/ug/manage-access/aws-access/service-accounts.adoc b/latest/ug/manage-access/aws-access/service-accounts.adoc index 7ce3ea47b..f74c5b2e0 100644 --- a/latest/ug/manage-access/aws-access/service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/service-accounts.adoc @@ -35,7 +35,7 @@ When the API server receives requests with tokens that are greater than one hour subject: system:serviceaccount:common:fluent-bit, seconds after warning threshold: 4185802. ---- -If your cluster has <> enabled, then the annotations are in the audit logs. You can use the following link:AmazonCloudWatch/latest/logs/AnalyzingLogData.html[CloudWatch Logs Insights,type="documentation"] query to identify all the [.noloc]`Pods` in your Amazon EKS cluster that are using stale tokens: +If your cluster has <> enabled, then the annotations are in the audit logs. You can use the following link:AmazonCloudWatch/latest/logs/AnalyzingLogData.html[CloudWatch Logs Insights,type="documentation"] query to identify all the [.noloc]`Pods` in your Amazon EKS cluster that are using stale tokens: [source,bash,subs="verbatim,attributes"] ---- @@ -73,7 +73,7 @@ The following cluster add-ons have been updated to use the [.noloc]`Kubernetes` [#service-accounts-iam] == Granting {aws} Identity and Access Management permissions to workloads on Amazon Elastic Kubernetes Service clusters -Amazon EKS provides two ways to grant {aws} Identity and Access Management permissions to workloads that run in Amazon EKS clusters: _IAM roles for service accounts_, and _EKS Pod Identities_. +Amazon EKS provides two ways to grant {aws} Identity and Access Management permissions to workloads that run in Amazon EKS clusters: _IAM roles for service accounts_, and _EKS Pod Identities_. diff --git a/latest/ug/manage-access/create-kubeconfig.adoc b/latest/ug/manage-access/create-kubeconfig.adoc index 8c08d713f..0b19bc319 100644 --- a/latest/ug/manage-access/create-kubeconfig.adoc +++ b/latest/ug/manage-access/create-kubeconfig.adoc @@ -23,14 +23,14 @@ aws sts get-caller-identity * An existing Amazon EKS cluster. To deploy one, see <>. * The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. -* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. +* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. * An IAM user or role with permission to use the `eks:DescribeCluster` API action for the cluster that you specify. For more information, see <>. If you use an identity from your own [.noloc]`OpenID Connect` provider to access your cluster, then see https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-kubectl[Using kubectl] in the [.noloc]`Kubernetes` documentation to create or update your `kube config` file. [#create-kubeconfig-automatically] == Create `kubeconfig` file automatically -* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. +* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. * Permission to use the `eks:DescribeCluster` API action for the cluster that you specify. For more information, see <>. . Create or update a `kubeconfig` file for your cluster. Replace [.replaceable]`region-code` with the {aws} Region that your cluster is in and replace [.replaceable]`my-cluster` with the name of your cluster. + @@ -41,7 +41,7 @@ aws eks update-kubeconfig --region region-code --name my-cluster + By default, the resulting configuration file is created at the default `kubeconfig` path (`.kube`) in your home directory or merged with an existing `config` file at that location. You can specify another path with the `--kubeconfig` option. + -You can specify an IAM role ARN with the `--role-arn` option to use for authentication when you issue `kubectl` commands. Otherwise, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] in your default {aws} CLI or SDK credential chain is used. You can view your default {aws} CLI or SDK identity by running the `aws sts get-caller-identity` command. +You can specify an IAM role ARN with the `--role-arn` option to use for authentication when you issue `kubectl` commands. Otherwise, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] in your default {aws} CLI or SDK credential chain is used. You can view your default {aws} CLI or SDK identity by running the `aws sts get-caller-identity` command. + For all available options, run the `aws eks update-kubeconfig help` command or see link:cli/latest/reference/eks/update-kubeconfig.html[update-kubeconfig,type="documentation"] in the _{aws} CLI Command Reference_. . Test your configuration. diff --git a/latest/ug/manage-access/k8s-access/access-policies.adoc b/latest/ug/manage-access/k8s-access/access-policies.adoc index e95aeef42..e34c08062 100644 --- a/latest/ug/manage-access/k8s-access/access-policies.adoc +++ b/latest/ug/manage-access/k8s-access/access-policies.adoc @@ -10,12 +10,12 @@ include::../../attributes.txt[] Learn how to associate and disassociate Amazon EKS access policies to and from access entries to grant Kubernetes permissions to IAM principals. -- -You can assign one or more access policies to _access entries_ of _type_ `STANDARD`. Amazon EKS automatically grants the other types of access entries the permissions required to function properly in your cluster. Amazon EKS access policies include [.noloc]`Kubernetes` permissions, not IAM permissions. Before associating an access policy to an access entry, make sure that you're familiar with the [.noloc]`Kubernetes` permissions included in each access policy. For more information, see <>. If none of the access policies meet your requirements, then don't associate an access policy to an access entry. Instead, specify one or more _group names_ for the access entry and create and manage [.noloc]`Kubernetes` role-based access control objects. For more information, see <>. +You can assign one or more access policies to _access entries_ of _type_ `STANDARD`. Amazon EKS automatically grants the other types of access entries the permissions required to function properly in your cluster. Amazon EKS access policies include [.noloc]`Kubernetes` permissions, not IAM permissions. Before associating an access policy to an access entry, make sure that you're familiar with the [.noloc]`Kubernetes` permissions included in each access policy. For more information, see <>. If none of the access policies meet your requirements, then don't associate an access policy to an access entry. Instead, specify one or more _group names_ for the access entry and create and manage [.noloc]`Kubernetes` role-based access control objects. For more information, see <>. * An existing access entry. To create one, see <>. -* An {aws} Identity and Access Management role or user with the following permissions: `ListAccessEntries`, `DescribeAccessEntry`, `UpdateAccessEntry`, `ListAccessPolicies`, `AssociateAccessPolicy`, and `DisassociateAccessPolicy`. For more information, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the _Service Authorization Reference_. +* An {aws} Identity and Access Management role or user with the following permissions: `ListAccessEntries`, `DescribeAccessEntry`, `UpdateAccessEntry`, `ListAccessPolicies`, `AssociateAccessPolicy`, and `DisassociateAccessPolicy`. For more information, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the _Service Authorization Reference_. Before associating access policies with access entries, consider the following requirements: @@ -36,15 +36,15 @@ You can associate an access policy to an access entry using the {aws-management- . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. . Choose the name of the cluster that has an access entry that you want to associate an access policy to. . Choose the *Access* tab. -. If the type of the access entry is *Standard*, you can associate or disassociate Amazon EKS *access policies*. If the type of your access entry is anything other than *Standard*, then this option isn't available. +. If the type of the access entry is *Standard*, you can associate or disassociate Amazon EKS *access policies*. If the type of your access entry is anything other than *Standard*, then this option isn't available. . Choose *Associate access policy*. . For *Policy name*, select the policy with the permissions you want the IAM principal to have. To view the permissions included in each policy, see <>. -. For *Access scope*, choose an access scope. If you choose *Cluster*, the permissions in the access policy are granted to the IAM principal for resources in all [.noloc]`Kubernetes` namespaces. If you choose *[.noloc]`Kubernetes` namespace*, you can then choose *Add new namespace*. In the *Namespace* field that appears, you can enter the name of a [.noloc]`Kubernetes` namespace on your cluster. If you want the IAM principal to have the permissions across multiple namespaces, then you can enter multiple namespaces. +. For *Access scope*, choose an access scope. If you choose *Cluster*, the permissions in the access policy are granted to the IAM principal for resources in all [.noloc]`Kubernetes` namespaces. If you choose *[.noloc]`Kubernetes` namespace*, you can then choose *Add new namespace*. In the *Namespace* field that appears, you can enter the name of a [.noloc]`Kubernetes` namespace on your cluster. If you want the IAM principal to have the permissions across multiple namespaces, then you can enter multiple namespaces. . Choose *Add access policy*. [#access-associate-cli] == {aws} CLI -. Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. +. Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. + . View the available access policies. + diff --git a/latest/ug/manage-access/k8s-access/access-policy-reference.adoc b/latest/ug/manage-access/k8s-access/access-policy-reference.adoc index c19ce374d..2aa7437e1 100644 --- a/latest/ug/manage-access/k8s-access/access-policy-reference.adoc +++ b/latest/ug/manage-access/k8s-access/access-policy-reference.adoc @@ -5,7 +5,7 @@ include::../../attributes.txt[] -Access policies include `rules` that contain [.noloc]`Kubernetes` `verbs` (permissions) and `resources`. Access policies don't include IAM permissions or resources. Similar to [.noloc]`Kubernetes` `Role` and `ClusterRole` objects, access policies only include `allow` `rules`. You can't modify the contents of an access policy. You can't create your own access policies. If the permissions in the access policies don't meet your needs, then create [.noloc]`Kubernetes` RBAC objects and specify _group names_ for your access entries. For more information, see <>. The permissions contained in access policies are similar to the permissions in the [.noloc]`Kubernetes` user-facing cluster roles. For more information, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles[User-facing roles] in the [.noloc]`Kubernetes` documentation. +Access policies include `rules` that contain [.noloc]`Kubernetes` `verbs` (permissions) and `resources`. Access policies don't include IAM permissions or resources. Similar to [.noloc]`Kubernetes` `Role` and `ClusterRole` objects, access policies only include `allow` `rules`. You can't modify the contents of an access policy. You can't create your own access policies. If the permissions in the access policies don't meet your needs, then create [.noloc]`Kubernetes` RBAC objects and specify _group names_ for your access entries. For more information, see <>. The permissions contained in access policies are similar to the permissions in the [.noloc]`Kubernetes` user-facing cluster roles. For more information, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles[User-facing roles] in the [.noloc]`Kubernetes` documentation. Choose any access policy to see its contents. Each row of each table in each access policy is a separate rule. @@ -14,7 +14,7 @@ Choose any access policy to see its contents. Each row of each table in each acc == AmazonEKSAdminPolicy -This access policy includes permissions that grant an IAM principal most permissions to resources. When associated to an access entry, its access scope is typically one or more [.noloc]`Kubernetes` namespaces. If you want an IAM principal to have administrator access to all resources on your cluster, associate the <> access policy to your access entry instead. +This access policy includes permissions that grant an IAM principal most permissions to resources. When associated to an access entry, its access scope is typically one or more [.noloc]`Kubernetes` namespaces. If you want an IAM principal to have administrator access to all resources on your cluster, associate the <> access policy to your access entry instead. *ARN* – `{arn-aws}eks::aws:cluster-access-policy/AmazonEKSAdminPolicy` @@ -119,7 +119,7 @@ This access policy includes permissions that grant an IAM principal most permiss == AmazonEKSClusterAdminPolicy -This access policy includes permissions that grant an IAM principal administrator access to a cluster. When associated to an access entry, its access scope is typically the cluster, rather than a [.noloc]`Kubernetes` namespace. If you want an IAM principal to have a more limited administrative scope, consider associating the <> access policy to your access entry instead. +This access policy includes permissions that grant an IAM principal administrator access to a cluster. When associated to an access entry, its access scope is typically the cluster, rather than a [.noloc]`Kubernetes` namespace. If you want an IAM principal to have a more limited administrative scope, consider associating the <> access policy to your access entry instead. *ARN* – `{arn-aws}eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy` diff --git a/latest/ug/manage-access/k8s-access/auth-configmap.adoc b/latest/ug/manage-access/k8s-access/auth-configmap.adoc index 3367ab856..c9e667fb1 100644 --- a/latest/ug/manage-access/k8s-access/auth-configmap.adoc +++ b/latest/ug/manage-access/k8s-access/auth-configmap.adoc @@ -17,12 +17,12 @@ The `aws-auth ConfigMap` is deprecated. For the recommended method to manage ac ==== -Access to your cluster using link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"] is enabled by the https://github.com/kubernetes-sigs/aws-iam-authenticator#readme[{aws} IAM Authenticator for Kubernetes], which runs on the Amazon EKS control plane. The authenticator gets its configuration information from the `aws-auth` `ConfigMap`. For all `aws-auth` `ConfigMap` settings, see https://github.com/kubernetes-sigs/aws-iam-authenticator#full-configuration-format[Full Configuration Format] on [.noloc]`GitHub`. +Access to your cluster using link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"] is enabled by the https://github.com/kubernetes-sigs/aws-iam-authenticator#readme[{aws} IAM Authenticator for Kubernetes], which runs on the Amazon EKS control plane. The authenticator gets its configuration information from the `aws-auth` `ConfigMap`. For all `aws-auth` `ConfigMap` settings, see https://github.com/kubernetes-sigs/aws-iam-authenticator#full-configuration-format[Full Configuration Format] on [.noloc]`GitHub`. [#aws-auth-users] == Add IAM principals to your Amazon EKS cluster -When you create an Amazon EKS cluster, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that creates the cluster is automatically granted `system:masters` permissions in the cluster's role-based access control (RBAC) configuration in the Amazon EKS control plane. This principal doesn't appear in any visible configuration, so make sure to keep track of which principal originally created the cluster. To grant additional IAM principals the ability to interact with your cluster, edit the `aws-auth ConfigMap` within [.noloc]`Kubernetes` and create a [.noloc]`Kubernetes` `rolebinding` or `clusterrolebinding` with the name of a `group` that you specify in the `aws-auth ConfigMap`. +When you create an Amazon EKS cluster, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that creates the cluster is automatically granted `system:masters` permissions in the cluster's role-based access control (RBAC) configuration in the Amazon EKS control plane. This principal doesn't appear in any visible configuration, so make sure to keep track of which principal originally created the cluster. To grant additional IAM principals the ability to interact with your cluster, edit the `aws-auth ConfigMap` within [.noloc]`Kubernetes` and create a [.noloc]`Kubernetes` `rolebinding` or `clusterrolebinding` with the name of a `group` that you specify in the `aws-auth ConfigMap`. [NOTE] ==== @@ -51,7 +51,7 @@ current-context: admin@my-cluster.region-code.eksctl.io [...] ---- + -In the previous example output, the credentials for a user named [.replaceable]`admin` are configured for a cluster named [.replaceable]`my-cluster`. If this is the user that created the cluster, then it already has access to your cluster. If it's not the user that created the cluster, then you need to complete the remaining steps to enable cluster access for other IAM principals. link:IAM/latest/UserGuide/id_users.html[IAM best practices,type="documentation"] recommend that you grant permissions to roles instead of users. You can see which other principals currently have access to your cluster with the following command: +In the previous example output, the credentials for a user named [.replaceable]`admin` are configured for a cluster named [.replaceable]`my-cluster`. If this is the user that created the cluster, then it already has access to your cluster. If it's not the user that created the cluster, then you need to complete the remaining steps to enable cluster access for other IAM principals. link:IAM/latest/UserGuide/id_users.html[IAM best practices,type="documentation"] recommend that you grant permissions to roles instead of users. You can see which other principals currently have access to your cluster with the following command: + [source,bash,subs="verbatim,attributes"] ---- @@ -221,7 +221,7 @@ An example output is as follows. [...] 2022-05-09 14:51:20 [ℹ] adding identity "{arn-aws}iam::111122223333:role/my-role" to auth ConfigMap ---- -. Add a mapping for a user. link:IAM/latest/UserGuide/id_users.html[IAM best practices,type="documentation"] recommend that you grant permissions to roles instead of users. Replace [.replaceable]`my-user` with your user name. Replace [.replaceable]`eks-console-dashboard-restricted-access-group` with the name of the group specified in your [.noloc]`Kubernetes` `RoleBinding` or `ClusterRoleBinding` object. Replace [.replaceable]`111122223333` with your account ID. You can replace [.replaceable]`my-user` with any name you choose. +. Add a mapping for a user. link:IAM/latest/UserGuide/id_users.html[IAM best practices,type="documentation"] recommend that you grant permissions to roles instead of users. Replace [.replaceable]`my-user` with your user name. Replace [.replaceable]`eks-console-dashboard-restricted-access-group` with the name of the group specified in your [.noloc]`Kubernetes` `RoleBinding` or `ClusterRoleBinding` object. Replace [.replaceable]`111122223333` with your account ID. You can replace [.replaceable]`my-user` with any name you choose. + [source,bash,subs="verbatim,attributes"] ---- @@ -266,7 +266,7 @@ kubectl edit -n kube-system configmap/aws-auth NOTE: If you receive an error stating "``Error from server (NotFound): configmaps "aws-auth" not found``", then use the procedure in <> to apply the stock `ConfigMap`. . Add your IAM principals to the `ConfigMap`. An IAM group isn't an IAM principal, so it can't be added to the `ConfigMap`. + -** *To add an IAM role (for example, for link:IAM/latest/UserGuide/id_roles_providers.html[federated users,type="documentation"]):* Add the role details to the `mapRoles` section of the `ConfigMap`, under `data`. Add this section if it does not already exist in the file. Each entry supports the following parameters: +** *To add an IAM role (for example, for link:IAM/latest/UserGuide/id_roles_providers.html[federated users,type="documentation"]):* Add the role details to the `mapRoles` section of the `ConfigMap`, under `data`. Add this section if it does not already exist in the file. Each entry supports the following parameters: + *** *rolearn*: The ARN of the IAM role to add. This value can't include a path. For example, you can't specify an ARN such as `{arn-aws}iam::[.replaceable]``111122223333``:role/my-team/developers/[.replaceable]``role-name```. The ARN needs to be `{arn-aws}iam::[.replaceable]``111122223333``:role/[.replaceable]``role-name``` instead. *** *username*: The user name within [.noloc]`Kubernetes` to map to the IAM role. diff --git a/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc b/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc index e17b77b95..92e727c1c 100644 --- a/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc +++ b/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc @@ -18,9 +18,9 @@ Amazon EKS supports using [.noloc]`OpenID Connect` ([.noloc]`OIDC`) identity pro * [.noloc]`Kubernetes` doesn't provide an [.noloc]`OIDC` identity provider. You can use an existing public [.noloc]`OIDC` identity provider, or you can run your own identity provider. For a list of certified providers, see https://openid.net/certification/[OpenID Certification] on the OpenID site. * The issuer URL of the [.noloc]`OIDC` identity provider must be publicly accessible, so that Amazon EKS can discover the signing keys. Amazon EKS doesn't support [.noloc]`OIDC` identity providers with self-signed certificates. * You can't disable IAM authentication to your cluster, because it's still required for joining nodes to a cluster. -* An Amazon EKS cluster must still be created by an {aws} link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"], rather than an [.noloc]`OIDC` identity provider user. This is because the cluster creator interacts with the Amazon EKS APIs, rather than the [.noloc]`Kubernetes` APIs. +* An Amazon EKS cluster must still be created by an {aws} link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"], rather than an [.noloc]`OIDC` identity provider user. This is because the cluster creator interacts with the Amazon EKS APIs, rather than the [.noloc]`Kubernetes` APIs. * [.noloc]`OIDC` identity provider-authenticated users are listed in the cluster's audit log if CloudWatch logs are turned on for the control plane. For more information, see <>. -* You can't sign in to the {aws-management-console} with an account from an [.noloc]`OIDC` provider. You can only <> by signing into the {aws-management-console} with an {aws} Identity and Access Management account. +* You can't sign in to the {aws-management-console} with an account from an [.noloc]`OIDC` provider. You can only <> by signing into the {aws-management-console} with an {aws} Identity and Access Management account. [#associate-oidc-identity-provider] @@ -84,25 +84,25 @@ eksctl associate identityprovider -f associate-identity-provider.yaml . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. . Select your cluster, and then select the *Access* tab. . In the *[.noloc]`OIDC` Identity Providers* section, select** Associate Identity Provider**. -. On the *Associate [.noloc]`OIDC` Identity Provider* page, enter or select the following options, and then select *Associate*. +. On the *Associate [.noloc]`OIDC` Identity Provider* page, enter or select the following options, and then select *Associate*. + ** For *Name*, enter a unique name for the provider. ** For *Issuer URL*, enter the URL for your provider. This URL must be accessible over the internet. -** For *Client ID*, enter the [.noloc]`OIDC` identity provider's client ID (also known as *audience*). +** For *Client ID*, enter the [.noloc]`OIDC` identity provider's client ID (also known as *audience*). ** For *Username claim*, enter the claim to use as the username. ** For *Groups claim*, enter the claim to use as the user's group. ** (Optional) Select *Advanced options*, enter or select the following information. + *** *Username prefix* – Enter a prefix to prepend to username claims. The prefix is prepended to username claims to prevent clashes with existing names. If you do not provide a value, and the username is a value other than `email`, the prefix defaults to the value for *Issuer URL*. You can use the value`` -`` to disable all prefixing. Don't specify `system:` or any portion of that string. *** *Groups prefix* – Enter a prefix to prepend to groups claims. The prefix is prepended to group claims to prevent clashes with existing names (such as`` system: groups``). For example, the value `oidc:` creates group names like `oidc:engineering` and `oidc:infra`. Don't specify `system:` or any portion of that string.. -*** *Required claims* – Select *Add claim* and enter one or more key value pairs that describe required claims in the client ID token. The pairs describe required claims in the ID Token. If set, each claim is verified to be present in the ID token with a matching value. +*** *Required claims* – Select *Add claim* and enter one or more key value pairs that describe required claims in the client ID token. The pairs describe required claims in the ID Token. If set, each claim is verified to be present in the ID token with a matching value. .. To use `kubectl` to work with your cluster and [.noloc]`OIDC` identity provider, see https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-kubectl[Using kubectl] in the [.noloc]`Kubernetes` documentation. [#oidc-identity-provider-iam-policy] == Example IAM policy -If you want to prevent an [.noloc]`OIDC` identity provider from being associated with a cluster, create and associate the following IAM policy to the IAM accounts of your Amazon EKS administrators. For more information, see link:IAM/latest/UserGuide/access_policies_create.html[Creating IAM policies,type="documentation"] and link:IAM/latest/UserGuide/access_policies_manage-attach-detach.html#add-policies-console[Adding IAM identity permissions,type="documentation"] in the _IAM User Guide_ and link:service-authorization/latest/reference/list_amazonelasticcontainerserviceforkubernetes.html[Actions, resources, and condition keys for Amazon Elastic Kubernetes Service,type="documentation"] in the Service Authorization Reference. +If you want to prevent an [.noloc]`OIDC` identity provider from being associated with a cluster, create and associate the following IAM policy to the IAM accounts of your Amazon EKS administrators. For more information, see link:IAM/latest/UserGuide/access_policies_create.html[Creating IAM policies,type="documentation"] and link:IAM/latest/UserGuide/access_policies_manage-attach-detach.html#add-policies-console[Adding IAM identity permissions,type="documentation"] in the _IAM User Guide_ and link:service-authorization/latest/reference/list_amazonelasticcontainerserviceforkubernetes.html[Actions, resources, and condition keys for Amazon Elastic Kubernetes Service,type="documentation"] in the Service Authorization Reference. [source,json,subs="verbatim,attributes"] ---- @@ -187,7 +187,7 @@ Amazon EKS maintains relationships with a network of partners that offer support |https://docs.pingidentity.com/r/en-us/solution-guides/htg_config_oidc_authn_aws_eks_custers[Installation instructions] |=== -Amazon EKS aims to give you a wide selection of options to cover all use cases. If you develop a commercially supported [.noloc]`OIDC` compatible identity provider that is not listed here, then contact our partner team at link:mailto:aws-container-partners@amazon.com[aws-container-partners@amazon. +Amazon EKS aims to give you a wide selection of options to cover all use cases. If you develop a commercially supported [.noloc]`OIDC` compatible identity provider that is not listed here, then contact our partner team at link:mailto:aws-container-partners@amazon.com[aws-container-partners@amazon. com] for more information. diff --git a/latest/ug/manage-access/k8s-access/creating-access-entries.adoc b/latest/ug/manage-access/k8s-access/creating-access-entries.adoc index 2ee53decf..435fc2d9e 100644 --- a/latest/ug/manage-access/k8s-access/creating-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/creating-access-entries.adoc @@ -10,7 +10,7 @@ Before creating access entries, consider the following: * A properly set authentication mode. See <>. * An _access entry_ includes the Amazon Resource Name (ARN) of one, and only one, existing IAM principal. An IAM principal can't be included in more than one access entry. Additional considerations for the ARN that you specify: + -** IAM best practices recommend accessing your cluster using IAM _roles_ that have short-term credentials, rather than IAM _users_ that have long-term credentials. For more information, see link:IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp[Require human users to use federation with an identity provider to access {aws} using temporary credentials,type="documentation"] in the _IAM User Guide_. +** IAM best practices recommend accessing your cluster using IAM _roles_ that have short-term credentials, rather than IAM _users_ that have long-term credentials. For more information, see link:IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp[Require human users to use federation with an identity provider to access {aws} using temporary credentials,type="documentation"] in the _IAM User Guide_. ** If the ARN is for an IAM role, it _can_ include a path. ARNs in `aws-auth` `ConfigMap` entries, _can't_ include a path. For example, your ARN can be `{arn-aws}iam::<111122223333>:role/` or `{arn-aws}iam::<111122223333>:role/`. ** If the type of the access entry is anything other than `STANDARD` (see next consideration about types), the ARN must be in the same {aws} account that your cluster is in. If the type is `STANDARD`, the ARN can be in the same, or different, {aws} account than the account that your cluster is in. ** You can't change the IAM principal after the access entry is created. @@ -62,13 +62,13 @@ If the ARN of the role that you specified contained a path, Amazon EKS removes i |=== + You can change the username after the access entry is created. -* If an access entry's type is `STANDARD`, and you want to use [.noloc]`Kubernetes` RBAC authorization, you can add one or more _group names_ to the access entry. After you create an access entry you can add and remove group names. For the IAM principal to have access to [.noloc]`Kubernetes` objects on your cluster, you must create and manage [.noloc]`Kubernetes` role-based authorization (RBAC) objects. Create [.noloc]`Kubernetes` `RoleBinding` or `ClusterRoleBinding` objects on your cluster that specify the group name as a `subject` for `kind: Group`. [.noloc]`Kubernetes` authorizes the IAM principal access to any cluster objects that you've specified in a [.noloc]`Kubernetes` `Role` or `ClusterRole` object that you've also specified in your binding's `roleRef`. If you specify group names, we recommend that you're familiar with the [.noloc]`Kubernetes` role-based authorization (RBAC) objects. For more information, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Using RBAC Authorization] in the [.noloc]`Kubernetes` documentation. +* If an access entry's type is `STANDARD`, and you want to use [.noloc]`Kubernetes` RBAC authorization, you can add one or more _group names_ to the access entry. After you create an access entry you can add and remove group names. For the IAM principal to have access to [.noloc]`Kubernetes` objects on your cluster, you must create and manage [.noloc]`Kubernetes` role-based authorization (RBAC) objects. Create [.noloc]`Kubernetes` `RoleBinding` or `ClusterRoleBinding` objects on your cluster that specify the group name as a `subject` for `kind: Group`. [.noloc]`Kubernetes` authorizes the IAM principal access to any cluster objects that you've specified in a [.noloc]`Kubernetes` `Role` or `ClusterRole` object that you've also specified in your binding's `roleRef`. If you specify group names, we recommend that you're familiar with the [.noloc]`Kubernetes` role-based authorization (RBAC) objects. For more information, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Using RBAC Authorization] in the [.noloc]`Kubernetes` documentation. + IMPORTANT: Amazon EKS doesn't confirm that any [.noloc]`Kubernetes` RBAC objects that exist on your cluster include any of the group names that you specify. For example, if you create an access entry for group that currently doesn't exist, EKS will create the group instead of returning an error. + -Instead of, or in addition to, [.noloc]`Kubernetes` authorizing the IAM principal access to [.noloc]`Kubernetes` objects on your cluster, you can associate Amazon EKS _access policies_ to an access entry. Amazon EKS authorizes IAM principals to access [.noloc]`Kubernetes` objects on your cluster with the permissions in the access policy. You can scope an access policy's permissions to [.noloc]`Kubernetes` namespaces that you specify. Use of access policies don't require you to manage [.noloc]`Kubernetes` RBAC objects. For more information, see <>. -* If you create an access entry with type `EC2_LINUX` or `EC2_Windows`, the IAM principal creating the access entry must have the `iam:PassRole` permission. For more information, see link:IAM/latest/UserGuide/id_roles_use_passrole.html[Granting a user permissions to pass a role to an {aws} service,type="documentation"] in the _IAM User Guide_. -* Similar to standard link:IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency[IAM behavior,type="documentation"], access entry creation and updates are eventually consistent, and may take several seconds to be effective after the initial API call returns successfully. You must design your applications to account for these potential delays. We recommend that you don't include access entry creates or updates in the critical, high- availability code paths of your application. Instead, make changes in a separate initialization or setup routine that you run less frequently. Also, be sure to verify that the changes have been propagated before production workflows depend on them. +Instead of, or in addition to, [.noloc]`Kubernetes` authorizing the IAM principal access to [.noloc]`Kubernetes` objects on your cluster, you can associate Amazon EKS _access policies_ to an access entry. Amazon EKS authorizes IAM principals to access [.noloc]`Kubernetes` objects on your cluster with the permissions in the access policy. You can scope an access policy's permissions to [.noloc]`Kubernetes` namespaces that you specify. Use of access policies don't require you to manage [.noloc]`Kubernetes` RBAC objects. For more information, see <>. +* If you create an access entry with type `EC2_LINUX` or `EC2_Windows`, the IAM principal creating the access entry must have the `iam:PassRole` permission. For more information, see link:IAM/latest/UserGuide/id_roles_use_passrole.html[Granting a user permissions to pass a role to an {aws} service,type="documentation"] in the _IAM User Guide_. +* Similar to standard link:IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency[IAM behavior,type="documentation"], access entry creation and updates are eventually consistent, and may take several seconds to be effective after the initial API call returns successfully. You must design your applications to account for these potential delays. We recommend that you don't include access entry creates or updates in the critical, high- availability code paths of your application. Instead, make changes in a separate initialization or setup routine that you run less frequently. Also, be sure to verify that the changes have been propagated before production workflows depend on them. * Access entries do not support link:IAM/latest/UserGuide/using-service-linked-roles.html[service linked roles,type="documentation"]. You cannot create access entries where the principal ARN is a service linked role. You can identify service linked roles by their ARN, which is in the format `{arn-aws}iam::*:role/aws-service-role/*`. You can create an access entry using the {aws-management-console} or the {aws} CLI. @@ -80,27 +80,27 @@ You can create an access entry using the {aws-management-console} or the {aws} C . Choose the name of the cluster that you want to create an access entry in. . Choose the *Access* tab. . Choose *Create access entry*. -. For *IAM principal*, select an existing IAM role or user. IAM best practices recommend accessing your cluster using IAM _roles_ that have short-term credentials, rather than IAM _users_ that have long-term credentials. For more information, see link:IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp[Require human users to use federation with an identity provider to access {aws} using temporary credentials,type="documentation"] in the _IAM User Guide_. -. For *Type*, if the access entry is for the node role used for self-managed Amazon EC2 nodes, select *EC2 Linux* or *EC2 Windows*. Otherwise, accept the default (*Standard*). -. If the *Type* you chose is *Standard* and you want to specify a *Username*, enter the username. -. If the *Type* you chose is *Standard* and you want to use [.noloc]`Kubernetes` RBAC authorization for the IAM principal, specify one or more names for *Groups*. If you don't specify any group names and want to use Amazon EKS authorization, you can associate an access policy in a later step, or after the access entry is created. +. For *IAM principal*, select an existing IAM role or user. IAM best practices recommend accessing your cluster using IAM _roles_ that have short-term credentials, rather than IAM _users_ that have long-term credentials. For more information, see link:IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp[Require human users to use federation with an identity provider to access {aws} using temporary credentials,type="documentation"] in the _IAM User Guide_. +. For *Type*, if the access entry is for the node role used for self-managed Amazon EC2 nodes, select *EC2 Linux* or *EC2 Windows*. Otherwise, accept the default (*Standard*). +. If the *Type* you chose is *Standard* and you want to specify a *Username*, enter the username. +. If the *Type* you chose is *Standard* and you want to use [.noloc]`Kubernetes` RBAC authorization for the IAM principal, specify one or more names for *Groups*. If you don't specify any group names and want to use Amazon EKS authorization, you can associate an access policy in a later step, or after the access entry is created. . (Optional) For *Tags*, assign labels to the access entry. For example, to make it easier to find all resources with the same tag. . Choose *Next*. -. On the *Add access policy* page, if the type you chose was *Standard* and you want Amazon EKS to authorize the IAM principal to have permissions to the [.noloc]`Kubernetes` objects on your cluster, complete the following steps. Otherwise, choose *Next*. +. On the *Add access policy* page, if the type you chose was *Standard* and you want Amazon EKS to authorize the IAM principal to have permissions to the [.noloc]`Kubernetes` objects on your cluster, complete the following steps. Otherwise, choose *Next*. + .. For *Policy name*, choose an access policy. You can't view the permissions of the access policies, but they include similar permissions to those in the [.noloc]`Kubernetes` user-facing `ClusterRole` objects. For more information, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles[User-facing roles] in the [.noloc]`Kubernetes` documentation. .. Choose one of the following options: + *** *Cluster* – Choose this option if you want Amazon EKS to authorize the IAM principal to have the permissions in the access policy for all [.noloc]`Kubernetes` objects on your cluster. -*** *[.noloc]`Kubernetes` namespace* – Choose this option if you want Amazon EKS to authorize the IAM principal to have the permissions in the access policy for all [.noloc]`Kubernetes` objects in a specific [.noloc]`Kubernetes` namespace on your cluster. For *Namespace*, enter the name of the [.noloc]`Kubernetes` namespace on your cluster. If you want to add additional namespaces, choose *Add new namespace* and enter the namespace name. +*** *[.noloc]`Kubernetes` namespace* – Choose this option if you want Amazon EKS to authorize the IAM principal to have the permissions in the access policy for all [.noloc]`Kubernetes` objects in a specific [.noloc]`Kubernetes` namespace on your cluster. For *Namespace*, enter the name of the [.noloc]`Kubernetes` namespace on your cluster. If you want to add additional namespaces, choose *Add new namespace* and enter the namespace name. .. If you want to add additional policies, choose *Add policy*. You can scope each policy differently, but you can add each policy only once. .. Choose *Next*. -. Review the configuration for your access entry. If anything looks incorrect, choose *Previous* to go back through the steps and correct the error. If the configuration is correct, choose *Create*. +. Review the configuration for your access entry. If anything looks incorrect, choose *Previous* to go back through the steps and correct the error. If the configuration is correct, choose *Create*. [#access-create-cli] == {aws} CLI -. Install the {aws} CLI, as described in link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. +. Install the {aws} CLI, as described in link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. . To create an access entry You can use any of the following examples to create access entries: + @@ -118,7 +118,7 @@ You can't use the `--kubernetes-groups` option when you specify a type other tha ---- aws eks create-access-entry --cluster-name my-cluster --principal-arn {arn-aws}iam::111122223333:role/my-role --type STANDARD --user Viewers --kubernetes-groups Viewers ---- -** Create an access entry that allows an IAM user to authenticate to your cluster. This example is provided because this is possible, though IAM best practices recommend accessing your cluster using IAM _roles_ that have short-term credentials, rather than IAM _users_ that have long-term credentials. For more information, see link:IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp[Require human users to use federation with an identity provider to access {aws} using temporary credentials,type="documentation"] in the _IAM User Guide_. +** Create an access entry that allows an IAM user to authenticate to your cluster. This example is provided because this is possible, though IAM best practices recommend accessing your cluster using IAM _roles_ that have short-term credentials, rather than IAM _users_ that have long-term credentials. For more information, see link:IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp[Require human users to use federation with an identity provider to access {aws} using temporary credentials,type="documentation"] in the _IAM User Guide_. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/manage-access/k8s-access/deleting-access-entries.adoc b/latest/ug/manage-access/k8s-access/deleting-access-entries.adoc index 5b899bed5..b00264a34 100644 --- a/latest/ug/manage-access/k8s-access/deleting-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/deleting-access-entries.adoc @@ -20,7 +20,7 @@ You can delete an access entry using the {aws-management-console} or the {aws} C [#access-delete-cli] == {aws} CLI -. Install the {aws} CLI, as described in link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. +. Install the {aws} CLI, as described in link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. . To delete an access entry Replace [.replaceable]`my-cluster` with the name of your cluster, [.replaceable]`111122223333` with your {aws} account ID, and [.replaceable]`my-role` with the name of the IAM role that you no longer want to have access to your cluster. + diff --git a/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc b/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc index a6388ccb4..66e1b4170 100644 --- a/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc +++ b/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc @@ -5,10 +5,10 @@ include::../../attributes.txt[] -If you disassociate an [.noloc]`OIDC` identity provider from your cluster, users included in the provider can no longer access the cluster. However, you can still access the cluster with link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"]. +If you disassociate an [.noloc]`OIDC` identity provider from your cluster, users included in the provider can no longer access the cluster. However, you can still access the cluster with link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"]. . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. -. In the *[.noloc]`OIDC` Identity Providers* section, select *Disassociate*, enter the identity provider name, and then select `Disassociate`. +. In the *[.noloc]`OIDC` Identity Providers* section, select *Disassociate*, enter the identity provider name, and then select `Disassociate`. 📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23disassociate-oidc-identity-provider%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc b/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc index 765dd45cc..8a116b27b 100644 --- a/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc +++ b/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc @@ -15,10 +15,10 @@ Your cluster has an [.noloc]`Kubernetes` API endpoint. Kubectl uses this API. Yo * *An {aws} Identity and Access Management (IAM) _principal_ (role or user)* - – This type requires authentication to IAM. Users can sign in to {aws} as an link:IAM/latest/UserGuide/introduction.html[IAM,type="documentation"] user or with a link:identity/federation/[federated identity,type="marketing"] by using credentials provided through an identity source. Users can only sign in with a federated identity if your administrator previously set up identity federation using IAM roles. When users access {aws} by using federation, they're indirectly link:IAM/latest/UserGuide/when-to-use-iam.html#security-iam-authentication-iamrole[assuming a role,type="documentation"]. When users use this type of identity, you: + – This type requires authentication to IAM. Users can sign in to {aws} as an link:IAM/latest/UserGuide/introduction.html[IAM,type="documentation"] user or with a link:identity/federation/[federated identity,type="marketing"] by using credentials provided through an identity source. Users can only sign in with a federated identity if your administrator previously set up identity federation using IAM roles. When users access {aws} by using federation, they're indirectly link:IAM/latest/UserGuide/when-to-use-iam.html#security-iam-authentication-iamrole[assuming a role,type="documentation"]. When users use this type of identity, you: + ** Can assign them [.noloc]`Kubernetes` permissions so that they can work with [.noloc]`Kubernetes` objects on your cluster. For more information about how to assign permissions to your IAM principals so that they're able to access [.noloc]`Kubernetes` objects on your cluster, see <>. -** Can assign them IAM permissions so that they can work with your Amazon EKS cluster and its resources using the Amazon EKS API, {aws} CLI, {aws} CloudFormation, {aws-management-console}, or `eksctl`. For more information, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the Service Authorization Reference. +** Can assign them IAM permissions so that they can work with your Amazon EKS cluster and its resources using the Amazon EKS API, {aws} CLI, {aws} CloudFormation, {aws-management-console}, or `eksctl`. For more information, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the Service Authorization Reference. ** Nodes join your cluster by assuming an IAM role. The ability to access your cluster using IAM principals is provided by the https://github.com/kubernetes-sigs/aws-iam-authenticator#readme[{aws} IAM Authenticator for Kubernetes], which runs on the Amazon EKS control plane. * *A user in your own [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider* – This type requires authentication to your https://openid.net/connect/[OIDC] provider. For more information about setting up your own [.noloc]`OIDC` provider with your Amazon EKS cluster, see <>. When users use this type of identity, you: @@ -36,7 +36,7 @@ The https://github.com/kubernetes-sigs/aws-iam-authenticator#readme[{aws} IAM Au * *Creating access entries* - – If your cluster is at or later than the platform version listed in the <> section for your cluster's [.noloc]`Kubernetes` version, we recommend that you use this option. + – If your cluster is at or later than the platform version listed in the <> section for your cluster's [.noloc]`Kubernetes` version, we recommend that you use this option. + Use _access entries_ to manage the [.noloc]`Kubernetes` permissions of IAM principals from outside the cluster. You can add and manage access to the cluster by using the EKS API, {aws} Command Line Interface, {aws} SDKs, {aws} CloudFormation, and {aws-management-console}. This means you can manage users with the same tools that you created the cluster with. + @@ -50,7 +50,7 @@ To get started, follow <> topic. * Version `{eksctl-min-version}` or later of the `eksctl` command line tool installed on your device or {aws} CloudShell. To install or update `eksctl`, see https://eksctl.io/installation[Installation] in the `eksctl` documentation. * [.noloc]`Kubernetes` permissions to modify the `aws-auth` `ConfigMap` in the `kube-system` namespace. -* An {aws} Identity and Access Management role or user with the following permissions: `CreateAccessEntry` and `ListAccessEntries`. For more information, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the Service Authorization Reference. +* An {aws} Identity and Access Management role or user with the following permissions: `CreateAccessEntry` and `ListAccessEntries`. For more information, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the Service Authorization Reference. == `eksctl` [[migrating_access_entries_eksctl]] diff --git a/latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc b/latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc index 70c74a441..a6dcc4bd0 100644 --- a/latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc @@ -16,13 +16,13 @@ To begin using access entries, you must change the authentication mode of the cl . The *Authentication mode* shows the current authentication mode of the cluster. If the mode says [.noloc]`EKS API`, you can already add access entries and you can skip the remaining steps. . Choose *Manage access*. . For *Cluster authentication mode*, select a mode with the [.noloc]`EKS API`. Note that you can't change the authentication mode back to a mode that removes the [.noloc]`EKS API` and access entries. -. Choose *Save changes*. Amazon EKS begins to update the cluster, the status of the cluster changes to [.noloc]`Updating`, and the change is recorded in the *Update history* tab. -. Wait for the status of the cluster to return to [.noloc]`Active`. When the cluster is [.noloc]`Active`, you can follow the steps in <> to add access to the cluster for IAM principals. +. Choose *Save changes*. Amazon EKS begins to update the cluster, the status of the cluster changes to [.noloc]`Updating`, and the change is recorded in the *Update history* tab. +. Wait for the status of the cluster to return to [.noloc]`Active`. When the cluster is [.noloc]`Active`, you can follow the steps in <> to add access to the cluster for IAM principals. [#access-setup-cli] == {aws} CLI -. Install the {aws} CLI, as described in link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] in the _{aws} Command Line Interface User Guide_. +. Install the {aws} CLI, as described in link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] in the _{aws} Command Line Interface User Guide_. . Run the following command. Replace [.replaceable]`my-cluster` with the name of your cluster. If you want to disable the `ConfigMap` method permanently, replace `API_AND_CONFIG_MAP` with `API`. + Amazon EKS begins to update the cluster, the status of the cluster changes to [.noloc]`UPDATING`, and the change is recorded in the [command]*aws eks list-updates*. @@ -31,7 +31,7 @@ Amazon EKS begins to update the cluster, the status of the cluster changes to [. ---- aws eks update-cluster-config --name my-cluster --access-config authenticationMode=API_AND_CONFIG_MAP ---- -. Wait for the status of the cluster to return to [.noloc]`Active`. When the cluster is [.noloc]`Active`, you can follow the steps in <> to add access to the cluster for IAM principals. +. Wait for the status of the cluster to return to [.noloc]`Active`. When the cluster is [.noloc]`Active`, you can follow the steps in <> to add access to the cluster for IAM principals. == Required platform version diff --git a/latest/ug/manage-access/k8s-access/updating-access-entries.adoc b/latest/ug/manage-access/k8s-access/updating-access-entries.adoc index 0c84eb65a..b6af29f49 100644 --- a/latest/ug/manage-access/k8s-access/updating-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/updating-access-entries.adoc @@ -15,14 +15,14 @@ You can update an access entry using the {aws-management-console} or the {aws} C . Choose the access entry that you want to update. . Choose *Edit*. . For *Username*, you can change the existing value. -. For *Groups*, you can remove existing group names or add new group names. If the following groups names exist, don't remove them: *system:nodes* or *system:bootstrappers*. Removing these groups can cause your cluster to function improperly. If you don't specify any group names and want to use Amazon EKS authorization, associate an <> in a later step. +. For *Groups*, you can remove existing group names or add new group names. If the following groups names exist, don't remove them: *system:nodes* or *system:bootstrappers*. Removing these groups can cause your cluster to function improperly. If you don't specify any group names and want to use Amazon EKS authorization, associate an <> in a later step. . For *Tags*, you can assign labels to the access entry. For example, to make it easier to find all resources with the same tag. You can also remove existing tags. . Choose *Save changes*. . If you want to associate an access policy to the entry, see <>. [#access-update-cli] == {aws} CLI -. Install the {aws} CLI, as described in link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. +. Install the {aws} CLI, as described in link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. . To update an access entry Replace [.replaceable]`my-cluster` with the name of your cluster, [.replaceable]`111122223333` with your {aws} account ID, and [.replaceable]`EKS-my-cluster-my-namespace-Viewers` with the name of an IAM role. + diff --git a/latest/ug/manage-access/view-kubernetes-resources.adoc b/latest/ug/manage-access/view-kubernetes-resources.adoc index 687dafd1f..834507e3c 100644 --- a/latest/ug/manage-access/view-kubernetes-resources.adoc +++ b/latest/ug/manage-access/view-kubernetes-resources.adoc @@ -10,30 +10,30 @@ include::../attributes.txt[] Learn how to view [.noloc]`Kubernetes` resources in the {aws-management-console}. -- -You can view the [.noloc]`Kubernetes` resources deployed to your cluster with the {aws-management-console}. You can't view [.noloc]`Kubernetes` resources with the {aws} CLI or https://eksctl.io/[eksctl]. To view [.noloc]`Kubernetes` resources using a command-line tool, use <>. +You can view the [.noloc]`Kubernetes` resources deployed to your cluster with the {aws-management-console}. You can't view [.noloc]`Kubernetes` resources with the {aws} CLI or https://eksctl.io/[eksctl]. To view [.noloc]`Kubernetes` resources using a command-line tool, use <>. [NOTE] ==== -To view the *Resources* tab and *Nodes* section on the *Compute* tab in the {aws-management-console}, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that you're using must have specific IAM and [.noloc]`Kubernetes` permissions. For more information, see <>. +To view the *Resources* tab and *Nodes* section on the *Compute* tab in the {aws-management-console}, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that you're using must have specific IAM and [.noloc]`Kubernetes` permissions. For more information, see <>. ==== . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. . In the *Clusters* list, select the cluster that contains the [.noloc]`Kubernetes` resources that you want to view. . Select the *Resources* tab. -. Select a *Resource type* group that you want to view resources for, such as *Workloads*. You see a list of resource types in that group. -. Select a resource type, such as *Deployments*, in the *Workloads* group. You see a description of the resource type, a link to the [.noloc]`Kubernetes` documentation for more information about the resource type, and a list of resources of that type that are deployed on your cluster. If the list is empty, then there are no resources of that type deployed to your cluster. +. Select a *Resource type* group that you want to view resources for, such as *Workloads*. You see a list of resource types in that group. +. Select a resource type, such as *Deployments*, in the *Workloads* group. You see a description of the resource type, a link to the [.noloc]`Kubernetes` documentation for more information about the resource type, and a list of resources of that type that are deployed on your cluster. If the list is empty, then there are no resources of that type deployed to your cluster. . Select a resource to view more information about it. Try the following examples: + -** Select the *Workloads* group, select the *Deployments* resource type, and then select the *coredns* resource. When you select a resource, you are in *Structured view*, by default. For some resource types, you see a *Pods* section in *Structured view*. This section lists the [.noloc]`Pods` managed by the workload. You can select any [.noloc]`Pod` listed to view information about the [.noloc]`Pod`. Not all resource types display information in *Structured View*. If you select *Raw view* in the top right corner of the page for the resource, you see the complete JSON response from the [.noloc]`Kubernetes` API for the resource. -** Select the *Cluster* group and then select the *Nodes* resource type. You see a list of all nodes in your cluster. The nodes can be any <>. This is the same list that you see in the *Nodes* section when you select the *Compute* tab for your cluster. Select a node resource from the list. In *Structured view*, you also see a *Pods* section. This section shows you all [.noloc]`Pods` running on the node. +** Select the *Workloads* group, select the *Deployments* resource type, and then select the *coredns* resource. When you select a resource, you are in *Structured view*, by default. For some resource types, you see a *Pods* section in *Structured view*. This section lists the [.noloc]`Pods` managed by the workload. You can select any [.noloc]`Pod` listed to view information about the [.noloc]`Pod`. Not all resource types display information in *Structured View*. If you select *Raw view* in the top right corner of the page for the resource, you see the complete JSON response from the [.noloc]`Kubernetes` API for the resource. +** Select the *Cluster* group and then select the *Nodes* resource type. You see a list of all nodes in your cluster. The nodes can be any <>. This is the same list that you see in the *Nodes* section when you select the *Compute* tab for your cluster. Select a node resource from the list. In *Structured view*, you also see a *Pods* section. This section shows you all [.noloc]`Pods` running on the node. [#view-kubernetes-resources-permissions] == Required permissions -To view the *Resources* tab and *Nodes* section on the *Compute* tab in the {aws-management-console}, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that you're using must have specific minimum IAM and [.noloc]`Kubernetes` permissions. Complete the following steps to assign the required permissions to your IAM principals. +To view the *Resources* tab and *Nodes* section on the *Compute* tab in the {aws-management-console}, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that you're using must have specific minimum IAM and [.noloc]`Kubernetes` permissions. Complete the following steps to assign the required permissions to your IAM principals. -. Make sure that the `eks:AccessKubernetesApi`, and other necessary IAM permissions to view [.noloc]`Kubernetes` resources, are assigned to the IAM principal that you're using. For more information about how to edit permissions for an IAM principal, see link:IAM/latest/UserGuide/access_controlling.html#access_controlling-principals[Controlling access for principals,type="documentation"] in the IAM User Guide. For more information about how to edit permissions for a role, see link:IAM/latest/UserGuide/roles-managingrole-editing-console.html#roles-modify_permissions-policy[Modifying a role permissions policy (console),type="documentation"] in the IAM User Guide. +. Make sure that the `eks:AccessKubernetesApi`, and other necessary IAM permissions to view [.noloc]`Kubernetes` resources, are assigned to the IAM principal that you're using. For more information about how to edit permissions for an IAM principal, see link:IAM/latest/UserGuide/access_controlling.html#access_controlling-principals[Controlling access for principals,type="documentation"] in the IAM User Guide. For more information about how to edit permissions for a role, see link:IAM/latest/UserGuide/roles-managingrole-editing-console.html#roles-modify_permissions-policy[Modifying a role permissions policy (console),type="documentation"] in the IAM User Guide. + The following example policy includes the necessary permissions for a principal to view [.noloc]`Kubernetes` resources for all clusters in your account. Replace [.replaceable]`111122223333` with your {aws} account ID. + @@ -68,7 +68,7 @@ The following example policy includes the necessary permissions for a principal } ---- + -To view nodes in <>, the <> should be able to impersonate the principal in the cluster. This allows the <> to map the principal to a [.noloc]`Kubernetes` user. +To view nodes in <>, the <> should be able to impersonate the principal in the cluster. This allows the <> to map the principal to a [.noloc]`Kubernetes` user. . Create a [.noloc]`Kubernetes` `rolebinding` or `clusterrolebinding` that is bound to a [.noloc]`Kubernetes` `role` or `clusterrole` that has the necessary permissions to view the [.noloc]`Kubernetes` resources. To learn more about [.noloc]`Kubernetes` roles and role bindings, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Using RBAC Authorization] in the [.noloc]`Kubernetes` documentation. You can apply one of the following manifests to your cluster that create a `role` and `rolebinding` or a `clusterrole` and `clusterrolebinding` with the necessary [.noloc]`Kubernetes` permissions: + View [.noloc]`Kubernetes` resources in all namespaces::: @@ -113,7 +113,7 @@ kubectl apply -f eks-console-full-access.yaml ---- kubectl apply -f eks-console-restricted-access.yaml ---- -. Map the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] to the [.noloc]`Kubernetes` user or group in the `aws-auth` `ConfigMap`. You can use a tool such as `eksctl` to update the `ConfigMap` or you can update it manually by editing it. +. Map the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] to the [.noloc]`Kubernetes` user or group in the `aws-auth` `ConfigMap`. You can use a tool such as `eksctl` to update the `ConfigMap` or you can update it manually by editing it. + IMPORTANT: We recommend using `eksctl`, or another tool, to edit the `ConfigMap`. For information about other tools you can use, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#use-tools-to-make-changes-to-the-aws-auth-configmap[Use tools to make changes to the aws-authConfigMap] in the Amazon EKS best practices guides. An improperly formatted `aws-auth` `ConfigMap` can cause you to lose access to your cluster. @@ -157,7 +157,7 @@ An example output is as follows. [...] 2022-05-09 14:51:20 [ℹ] adding identity "{arn-aws}iam::111122223333:role/my-console-viewer-role" to auth ConfigMap ---- -. Add a mapping for a user. link:IAM/latest/UserGuide/id_users.html[IAM best practices,type="documentation"] recommend that you grant permissions to roles instead of users. This example assume that you attached the IAM permissions in the first step to a user named [.replaceable]`my-user`. Replace [.replaceable]`111122223333` with your account ID. +. Add a mapping for a user. link:IAM/latest/UserGuide/id_users.html[IAM best practices,type="documentation"] recommend that you grant permissions to roles instead of users. This example assume that you attached the IAM permissions in the first step to a user named [.replaceable]`my-user`. Replace [.replaceable]`111122223333` with your account ID. + [source,bash,subs="verbatim,attributes"] ---- @@ -205,7 +205,7 @@ For more information about adding users or roles to the `aws-auth` `ConfigMap`, ---- kubectl edit -n kube-system configmap/aws-auth ---- -. Add the mappings to the `aws-auth` `ConfigMap`, but don't replace any of the existing mappings. The following example adds mappings between link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"] with permissions added in the first step and the [.noloc]`Kubernetes` groups created in the previous step: +. Add the mappings to the `aws-auth` `ConfigMap`, but don't replace any of the existing mappings. The following example adds mappings between link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"] with permissions added in the first step and the [.noloc]`Kubernetes` groups created in the previous step: + ** The [.replaceable]`my-console-viewer-role` role and the `eks-console-dashboard-full-access-group`. ** The [.replaceable]`my-user` user and the `eks-console-dashboard-restricted-access-group`. diff --git a/latest/ug/ml/capacity-blocks-mng.adoc b/latest/ug/ml/capacity-blocks-mng.adoc index ff44aa822..840d883c6 100644 --- a/latest/ug/ml/capacity-blocks-mng.adoc +++ b/latest/ug/ml/capacity-blocks-mng.adoc @@ -19,7 +19,7 @@ Capacity Blocks for machine learning (ML) allow you to reserve GPU instances on ==== -* Capacity Blocks are only available for certain Amazon EC2 instance types and {aws} Regions. For compatibility information, see link:AWSEC2/latest/UserGuide/capacity-blocks-using.html#capacity-blocks-prerequisites[Work with Capacity Blocks Prerequisites,type="documentation"] in the _Amazon EC2 User Guide for Linux Instances_. +* Capacity Blocks are only available for certain Amazon EC2 instance types and {aws} Regions. For compatibility information, see link:AWSEC2/latest/UserGuide/capacity-blocks-using.html#capacity-blocks-prerequisites[Work with Capacity Blocks Prerequisites,type="documentation"] in the _Amazon EC2 User Guide for Linux Instances_. * For more information, see link:autoscaling/ec2/userguide/launch-template-capacity-blocks.html[Use Capacity Blocks for machine learning workloads,type="documentation"] in the _Amazon EC2 Auto Scaling User Guide_. * Managed node groups with Capacity Blocks can only be created with custom launch templates. * When upgrading managed node groups with Capacity Blocks, make sure that the desired size of the node group is set to `0`. diff --git a/latest/ug/ml/capacity-blocks.adoc b/latest/ug/ml/capacity-blocks.adoc index 4cc45d9b3..b20c02fb1 100644 --- a/latest/ug/ml/capacity-blocks.adoc +++ b/latest/ug/ml/capacity-blocks.adoc @@ -19,7 +19,7 @@ Capacity Blocks for machine learning (ML) allow you to reserve GPU instances on ==== -* Capacity Blocks are only available for certain Amazon EC2 instance types and {aws} Regions. For compatibility information, see link:AWSEC2/latest/UserGuide/capacity-blocks-using.html#capacity-blocks-prerequisites[Work with Capacity Blocks Prerequisites,type="documentation"] in the _Amazon EC2 User Guide for Linux Instances_. +* Capacity Blocks are only available for certain Amazon EC2 instance types and {aws} Regions. For compatibility information, see link:AWSEC2/latest/UserGuide/capacity-blocks-using.html#capacity-blocks-prerequisites[Work with Capacity Blocks Prerequisites,type="documentation"] in the _Amazon EC2 User Guide for Linux Instances_. * Capacity Blocks currently cannot be used with [.noloc]`Karpenter`. * If you create a self-managed node group prior to the capacity reservation becoming active, then set the desired capacity to `0`. * To allow sufficient time to gracefully drain the node(s), we suggest that you schedule scaling to scale to zero more than 30 minutes before the Capacity Block reservation end time. @@ -91,7 +91,7 @@ NodeGroup: PropagateAtLaunch: true Value: owned ---- -. Once the node group is created successfully, make sure to record the `NodeInstanceRole` for the node group that was created. You need this in order to make sure that when node group is scaled, the new nodes join the cluster and [.noloc]`Kubernetes` is able to recognize the nodes. For more information, see the {aws-management-console} instructions in <>. +. Once the node group is created successfully, make sure to record the `NodeInstanceRole` for the node group that was created. You need this in order to make sure that when node group is scaled, the new nodes join the cluster and [.noloc]`Kubernetes` is able to recognize the nodes. For more information, see the {aws-management-console} instructions in <>. . We recommend that you create a scheduled scaling policy for the Auto Scaling group that aligns to the Capacity Block reservation times. For more information, see link:autoscaling/ec2/userguide/ec2-auto-scaling-scheduled-scaling.html[Scheduled scaling for Amazon EC2 Auto Scaling,type="documentation"] in the _Amazon EC2 Auto Scaling User Guide_. + You can use all of the instances you reserved until 30 minutes before the end time of the Capacity Block. Instances that are still running at that time will start terminating. To allow sufficient time to gracefully drain the node(s), we suggest that you schedule scaling to scale to zero more than 30 minutes before the Capacity Block reservation end time. diff --git a/latest/ug/ml/ml-prepare-for-cluster.adoc b/latest/ug/ml/ml-prepare-for-cluster.adoc index 992a98076..6191eff9b 100644 --- a/latest/ug/ml/ml-prepare-for-cluster.adoc +++ b/latest/ug/ml/ml-prepare-for-cluster.adoc @@ -18,7 +18,7 @@ Following pages in this section will help you: In particular, this will help you: -* *Choose AMIs*: {aws} offers multiple customized AMIs for running ML workloads on EKS. See <> and <>. +* *Choose AMIs*: {aws} offers multiple customized AMIs for running ML workloads on EKS. See <> and <>. * *Customize AMIs*: You can further modify {aws} custom AMIs to add other software and drivers needed for your particular use cases. See <>. * *Reserve GPUs*: Because of the demand for GPUs, to ensure that the GPUs you need are available when you need them, you can reserve the GPUs you need in advance. See <>. * *Add EFA*: Add the Elastic Fabric Adapter to improve network performance for inter-node cluster communications. See <>. diff --git a/latest/ug/ml/ml-tutorials.adoc b/latest/ug/ml/ml-tutorials.adoc index 6472ef3e7..865d09521 100644 --- a/latest/ug/ml/ml-tutorials.adoc +++ b/latest/ug/ml/ml-tutorials.adoc @@ -10,17 +10,17 @@ These tutorials cover everything from patterns for making the best use of GPU pr == Build generative AI platforms on EKS -* link:containers/deploy-generative-ai-models-on-amazon-eks/[Deploy Generative AI Models on Amazon EKS,type="blog"] -* link:containers/building-multi-tenant-jupyterhub-platforms-on-amazon-eks/[Building multi-tenant JupyterHub Platforms on Amazon EKS,type="blog"] -* link:containers/run-spark-rapids-ml-workloads-with-gpus-on-amazon-emr-on-eks/[Run Spark-RAPIDS ML workloads with GPUs on Amazon EMR on EKS,type="blog"] +* link:containers/deploy-generative-ai-models-on-amazon-eks/[Deploy Generative AI Models on Amazon EKS,type="blog"] +* link:containers/building-multi-tenant-jupyterhub-platforms-on-amazon-eks/[Building multi-tenant JupyterHub Platforms on Amazon EKS,type="blog"] +* link:containers/run-spark-rapids-ml-workloads-with-gpus-on-amazon-emr-on-eks/[Run Spark-RAPIDS ML workloads with GPUs on Amazon EMR on EKS,type="blog"] == Run specialized generative AI frameworks on EKS * link:hpc/accelerate-drug-discovery-with-nvidia-bionemo-framework-on-amazon-eks/[Accelerate drug discovery with NVIDIA BioNeMo Framework on Amazon EKS,type="blog"] * link:containers/host-the-whisper-model-with-streaming-mode-on-amazon-eks-and-ray-serve/[Host the Whisper Model with Streaming Mode on Amazon EKS and Ray Serve,type="blog"] * link:machine-learning/accelerate-your-generative-ai-distributed-training-workloads-with-the-nvidia-nemo-framework-on-amazon-eks/[Accelerate your generative AI distributed training workloads with the NVIDIA NeMo Framework on Amazon EKS,type="blog"] -* link:publicsector/virtualizing-satcom-operations-aws/[Virtualizing satellite communication operations with {aws},type="blog"] -* link:opensource/running-torchserve-on-amazon-elastic-kubernetes-service/[Running TorchServe on Amazon Elastic Kubernetes Service,type="blog"] +* link:publicsector/virtualizing-satcom-operations-aws/[Virtualizing satellite communication operations with {aws},type="blog"] +* link:opensource/running-torchserve-on-amazon-elastic-kubernetes-service/[Running TorchServe on Amazon Elastic Kubernetes Service,type="blog"] == Maximize NVIDIA GPU performance for ML on EKS @@ -41,7 +41,7 @@ link:hpc/deploying-generative-ai-applications-with-nvidia-nim-microservices-on-a * link:containers/scaling-a-large-language-model-with-nvidia-nim-on-amazon-eks-with-karpenter/[Scaling a Large Language Model with NVIDIA NIM on Amazon EKS with Karpenter,type="blog"] -* link:machine-learning/build-and-deploy-a-scalable-machine-learning-system-on-kubernetes-with-kubeflow-on-aws/[Build and deploy a scalable machine learning system on Kubernetes with Kubeflow on {aws},type="blog"] +* link:machine-learning/build-and-deploy-a-scalable-machine-learning-system-on-kubernetes-with-kubeflow-on-aws/[Build and deploy a scalable machine learning system on Kubernetes with Kubeflow on {aws},type="blog"] == Run video encoding workloads on EKS @@ -53,7 +53,7 @@ link:hpc/deploying-generative-ai-applications-with-nvidia-nim-microservices-on-a == Testimonials for ML on EKS -* link:containers/quora-3x-faster-machine-learning-25-lower-costs-with-nvidia-triton-on-amazon-eks/[Quora achieved 3x lower latency and 25% lower Costs by modernizing model serving with Nvidia Triton on Amazon EKS,type="blog"] +* link:containers/quora-3x-faster-machine-learning-25-lower-costs-with-nvidia-triton-on-amazon-eks/[Quora achieved 3x lower latency and 25% lower Costs by modernizing model serving with Nvidia Triton on Amazon EKS,type="blog"] == Monitoring ML workloads diff --git a/latest/ug/ml/node-efa.adoc b/latest/ug/ml/node-efa.adoc index 0a6b474da..0f8d94553 100644 --- a/latest/ug/ml/node-efa.adoc +++ b/latest/ug/ml/node-efa.adoc @@ -17,7 +17,7 @@ This topic describes how to integrate Elastic Fabric Adapter (EFA) with [.noloc] [#efa-instances] == Instance types with EFA -The _{aws} EFA Kubernetes Device Plugin_ supports all Amazon EC2 instance types that have EFA. To see a list of all instance types that have EFA, see link:AWSEC2/latest/UserGuide/efa.html#efa-instance-types[Supported instance types,type="documentation"] in the _Amazon EC2 User Guide_. However, to run ML applications quickly, we recommend that an instance has hardware acceleration chips such as [.noloc]`nVidia` GPUs, link:machine-learning/inferentia/[{aws} Inferentia,type="marketing"] chips, or link:machine-learning/trainium/[{aws} Trainium,type="marketing"] chips, in addition to the EFA. To see a list of instance types that have hardware acceleration chips and EFA, see link:AWSEC2/latest/UserGuide/efa.html#efa-instance-types[Accelerated computing,type="documentation"] in the _Amazon EC2 User Guide_. +The _{aws} EFA Kubernetes Device Plugin_ supports all Amazon EC2 instance types that have EFA. To see a list of all instance types that have EFA, see link:AWSEC2/latest/UserGuide/efa.html#efa-instance-types[Supported instance types,type="documentation"] in the _Amazon EC2 User Guide_. However, to run ML applications quickly, we recommend that an instance has hardware acceleration chips such as [.noloc]`nVidia` GPUs, link:machine-learning/inferentia/[{aws} Inferentia,type="marketing"] chips, or link:machine-learning/trainium/[{aws} Trainium,type="marketing"] chips, in addition to the EFA. To see a list of instance types that have hardware acceleration chips and EFA, see link:AWSEC2/latest/UserGuide/efa.html#efa-instance-types[Accelerated computing,type="documentation"] in the _Amazon EC2 User Guide_. As you compare instance types to choose between them, consider the number of EFA network cards available for that instance type as well as the number of accelerator cards, amount of CPU, and amount of memory. You can assign up to one EFA per network card. An EFA counts as a network interface.. To see how many EFA are available for each instance types that have EFA, see the link:AWSEC2/latest/UserGuide/using-eni.html#network-cards[Network cards,type="documentation"] list in the _Amazon EC2 User Guide_. @@ -36,7 +36,7 @@ The following procedure guides you to create an EKS cluster with `eksctl` with n * An existing Amazon EKS cluster. If you don't have an existing cluster, create one using <>.. Your cluster must be deployed in a VPC that has at least one private subnet with enough available IP addresses to deploy nodes in. The private subnet must have outbound internet access provided by an external device, such as a NAT gateway. + If you plan to use `eksctl` to create your node group, `eksctl` can also create a cluster for you. -* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. +* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. * The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. * You must have the [.noloc]`Amazon VPC CNI plugin for Kubernetes` version `1.7.10` or later installed before launching worker nodes that support multiple Elastic Fabric Adapters, such as the `p4d` or `p5`. For more information about updating your [.noloc]`Amazon VPC CNI plugin for Kubernetes` version, see <>. diff --git a/latest/ug/networking/aws-load-balancer-controller.adoc b/latest/ug/networking/aws-load-balancer-controller.adoc index 6655dc0ce..16188c188 100644 --- a/latest/ug/networking/aws-load-balancer-controller.adoc +++ b/latest/ug/networking/aws-load-balancer-controller.adoc @@ -31,7 +31,7 @@ The LBC creates an link:elasticloadbalancing/latest/application/introduction.htm *[.noloc]`Kubernetes` service of the `LoadBalancer` type*:: The LBC creates an link:elasticloadbalancing/latest/network/introduction.html[{aws} Network Load Balancer (NLB),type="documentation"]when you create a [.noloc]`Kubernetes` service of type `LoadBalancer`. https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/[Review the annotations you can apply to a Service resource.] + -In the past, the [.noloc]`Kubernetes` network load balancer was used for _instance_ targets, but the LBC was used for _IP_ targets. With the [.noloc]`{aws} Load Balancer Controller` version `2.3.0` or later, you can create NLBs using either target type. For more information about NLB target types, see link:elasticloadbalancing/latest/network/load-balancer-target-groups.html#target-type[Target type,type="documentation"] in the User Guide for Network Load Balancers. +In the past, the [.noloc]`Kubernetes` network load balancer was used for _instance_ targets, but the LBC was used for _IP_ targets. With the [.noloc]`{aws} Load Balancer Controller` version `2.3.0` or later, you can create NLBs using either target type. For more information about NLB target types, see link:elasticloadbalancing/latest/network/load-balancer-target-groups.html#target-type[Target type,type="documentation"] in the User Guide for Network Load Balancers. The controller is an https://github.com/kubernetes-sigs/aws-load-balancer-controller[open-source project] managed on [.noloc]`GitHub`. diff --git a/latest/ug/networking/cni-custom-network-tutorial.adoc b/latest/ug/networking/cni-custom-network-tutorial.adoc index f06e90f39..2bef26d35 100644 --- a/latest/ug/networking/cni-custom-network-tutorial.adoc +++ b/latest/ug/networking/cni-custom-network-tutorial.adoc @@ -427,7 +427,7 @@ If you've created a custom AMI that is not built off the Amazon EKS optimized AM ** *Self-managed* + -... Determine the Amazon EKS recommended number of maximum [.noloc]`Pods` for your nodes. Follow the instructions in <>, adding `--cni-custom-networking-enabled` to step 3 in that topic. Note the output for use in the next step. +... Determine the Amazon EKS recommended number of maximum [.noloc]`Pods` for your nodes. Follow the instructions in <>, adding `--cni-custom-networking-enabled` to step 3 in that topic. Note the output for use in the next step. ... Deploy the node group using the instructions in <>. Specify the following text for the *BootstrapArguments* parameter. You can replace `20` with either the value from the previous step (recommended) or your own value. + [source,bash,subs="verbatim,attributes"] @@ -439,7 +439,7 @@ If you've created a custom AMI that is not built off the Amazon EKS optimized AM + [NOTE] ==== -If you want nodes in a production cluster to support a significantly higher number of [.noloc]`Pods`, run the script in <> again. Also, add the `--cni-prefix-delegation-enabled` option to the command. For example, `110` is returned for an `m5.large` instance type. For instructions on how to enable this capability, see <>. You can use this capability with custom networking. +If you want nodes in a production cluster to support a significantly higher number of [.noloc]`Pods`, run the script in <> again. Also, add the `--cni-prefix-delegation-enabled` option to the command. For example, `110` is returned for an `m5.large` instance type. For instructions on how to enable this capability, see <>. You can use this capability with custom networking. ==== + . Node group creation takes several minutes. You can check the status of the creation of a managed node group with the following command. diff --git a/latest/ug/networking/cni-iam-role.adoc b/latest/ug/networking/cni-iam-role.adoc index 18cc4a98c..e47b76a28 100644 --- a/latest/ug/networking/cni-iam-role.adoc +++ b/latest/ug/networking/cni-iam-role.adoc @@ -20,7 +20,7 @@ The https://github.com/aws/amazon-vpc-cni-k8s[Amazon VPC CNI plugin for Kubernet [NOTE] ==== -The [.noloc]`Pods` for the [.noloc]`Amazon VPC CNI plugin for Kubernetes` have access to the permissions assigned to the <>, unless you block access to IMDS. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. +The [.noloc]`Pods` for the [.noloc]`Amazon VPC CNI plugin for Kubernetes` have access to the permissions assigned to the <>, unless you block access to IMDS. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. ==== @@ -97,7 +97,7 @@ An example output is as follows. https://oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE ---- + -If no output is returned, then you must <>. +If no output is returned, then you must <>. ... Copy the following contents to a file named [.replaceable]`vpc-cni-trust-policy.json`. Replace [.replaceable]`111122223333` with your account ID and [.replaceable]`EXAMPLED539D4633E53DE1B71EXAMPLE` with the output returned in the previous step. Replace [.replaceable]`region-code` with the {aws} Region that your cluster is in. + [source,json,subs="verbatim,attributes"] @@ -204,7 +204,7 @@ AWS_STS_REGIONAL_ENDPOINTS=regional [#remove-cni-policy-node-iam-role] == Step 3: Remove the CNI policy from the node IAM role -If your <> currently has the `AmazonEKS_CNI_Policy` IAM (`IPv4`) policyor an <>attached to it, and you've created a separate IAM role, attached the policy to it instead, and assigned it to the `aws-node` [.noloc]`Kubernetes` service account, then we recommend that you remove the policy from your node role with the {aws} CLI command that matches the IP family of your cluster. Replace [.replaceable]`AmazonEKSNodeRole` with the name of your node role. +If your <> currently has the `AmazonEKS_CNI_Policy` IAM (`IPv4`) policyor an <>attached to it, and you've created a separate IAM role, attached the policy to it instead, and assigned it to the `aws-node` [.noloc]`Kubernetes` service account, then we recommend that you remove the policy from your node role with the {aws} CLI command that matches the IP family of your cluster. Replace [.replaceable]`AmazonEKSNodeRole` with the name of your node role. diff --git a/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc b/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc index 07da1572d..9a93c0317 100644 --- a/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc +++ b/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc @@ -70,7 +70,7 @@ This can happen due to fragmentation of existing secondary IP addresses spread o + .. If you plan to deploy a managed node group without a launch template, or with a launch template that you haven't specified an AMI ID in, and you're using a version of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` at or later than the versions listed in the prerequisites, then skip to the next step. Managed node groups automatically calculates the maximum number of [.noloc]`Pods` for you. + -If you're deploying a self-managed node group or a managed node group with a launch template that you have specified an AMI ID in, then you must determine the Amazon EKS recommend number of maximum [.noloc]`Pods` for your nodes. Follow the instructions in <>, adding `--cni-prefix-delegation-enabled` to step 3. Note the output for use in a later step. +If you're deploying a self-managed node group or a managed node group with a launch template that you have specified an AMI ID in, then you must determine the Amazon EKS recommend number of maximum [.noloc]`Pods` for your nodes. Follow the instructions in <>, adding `--cni-prefix-delegation-enabled` to step 3. Note the output for use in a later step. + IMPORTANT: Managed node groups enforces a maximum number on the value of `maxPods`. For instances with less than 30 vCPUs the maximum number is 110 and for all other instances the maximum number is 250. This maximum number is applied whether prefix delegation is enabled or not. .. If you're using a `1.21` or later cluster configured for `IPv6`, skip to the next step. @@ -96,9 +96,9 @@ kubectl set env ds aws-node -n kube-system WARM_IP_TARGET=5 ---- kubectl set env ds aws-node -n kube-system MINIMUM_IP_TARGET=2 ---- -... Create one of the following types of node groups with at least one Amazon EC2 Nitro Amazon Linux 2 instance type. For a list of Nitro instance types, see link:AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances[Instances built on the Nitro System,type="documentation"] in the Amazon EC2 User Guide. This capability is not supported on [.noloc]`Windows`. For the options that include [.replaceable]`110`, replace it with either the value from step 3 (recommended), or your own value. +... Create one of the following types of node groups with at least one Amazon EC2 Nitro Amazon Linux 2 instance type. For a list of Nitro instance types, see link:AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances[Instances built on the Nitro System,type="documentation"] in the Amazon EC2 User Guide. This capability is not supported on [.noloc]`Windows`. For the options that include [.replaceable]`110`, replace it with either the value from step 3 (recommended), or your own value. + -**** *Self-managed* – Deploy the node group using the instructions in <>. Specify the following text for the *BootstrapArguments* parameter. +**** *Self-managed* – Deploy the node group using the instructions in <>. Specify the following text for the *BootstrapArguments* parameter. + [source,bash,subs="verbatim,attributes"] ---- @@ -113,8 +113,8 @@ eksctl create nodegroup --cluster my-cluster --managed=false --max-pods-per-node ---- **** *Managed* – Deploy your node group using one of the following options: + -***** *Without a launch template or with a launch template without an AMI ID specified* – Complete the procedure in <>. Managed node groups automatically calculates the Amazon EKS recommended `max-pods` value for you. -***** *With a launch template with a specified AMI ID* – In your launch template, specify an Amazon EKS optimized AMI ID, or a custom AMI built off the Amazon EKS optimized AMI, then <> and provide the following user data in the launch template. This user data passes arguments into the `bootstrap.sh` file. For more information about the bootstrap file, see https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap.sh] on [.noloc]`GitHub`. +***** *Without a launch template or with a launch template without an AMI ID specified* – Complete the procedure in <>. Managed node groups automatically calculates the Amazon EKS recommended `max-pods` value for you. +***** *With a launch template with a specified AMI ID* – In your launch template, specify an Amazon EKS optimized AMI ID, or a custom AMI built off the Amazon EKS optimized AMI, then <> and provide the following user data in the launch template. This user data passes arguments into the `bootstrap.sh` file. For more information about the bootstrap file, see https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap.sh] on [.noloc]`GitHub`. + [source,bash,subs="verbatim,attributes"] ---- @@ -188,7 +188,7 @@ kubectl edit configmap -n kube-system amazon-vpc-cni -o yaml minimum-ip-target: "2" ---- ... Save the file and close the editor. -.. Create [.noloc]`Windows` node groups with at least one Amazon EC2 [.noloc]`Nitro` instance type. For a list of [.noloc]`Nitro` instance types, see link:AWSEC2/latest/WindowsGuide/instance-types.html#ec2-nitro-instances[Instances built on the Nitro System,type="documentation"] in the Amazon EC2 User Guide. By default, the maximum number of [.noloc]`Pods` that you can deploy to a node is 110. If you want to increase or decrease that number, specify the following in the user data for the bootstrap configuration. Replace [.replaceable]`max-pods-quantity` with your max pods value. +.. Create [.noloc]`Windows` node groups with at least one Amazon EC2 [.noloc]`Nitro` instance type. For a list of [.noloc]`Nitro` instance types, see link:AWSEC2/latest/WindowsGuide/instance-types.html#ec2-nitro-instances[Instances built on the Nitro System,type="documentation"] in the Amazon EC2 User Guide. By default, the maximum number of [.noloc]`Pods` that you can deploy to a node is 110. If you want to increase or decrease that number, specify the following in the user data for the bootstrap configuration. Replace [.replaceable]`max-pods-quantity` with your max pods value. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/networking/cni-increase-ip-addresses.adoc b/latest/ug/networking/cni-increase-ip-addresses.adoc index e1a37f2ff..9bca05fae 100644 --- a/latest/ug/networking/cni-increase-ip-addresses.adoc +++ b/latest/ug/networking/cni-increase-ip-addresses.adoc @@ -50,7 +50,7 @@ Consider the following when you use this feature: * Each Amazon EC2 instance type supports a maximum number of [.noloc]`Pods`. If your managed node group consists of multiple instance types, the smallest number of maximum [.noloc]`Pods` for an instance in the cluster is applied to all nodes in the cluster. * By default, the maximum number of `Pods` that you can run on a node is 110, but you can change that number. If you change the number and have an existing managed node group, the next AMI or launch template update of your node group results in new nodes coming up with the changed value. * When transitioning from assigning IP addresses to assigning IP prefixes, we recommend that you create new node groups to increase the number of available IP addresses, rather than doing a rolling replacement of existing nodes. Running [.noloc]`Pods` on a node that has both IP addresses and prefixes assigned can lead to inconsistency in the advertised IP address capacity, impacting the future workloads on the node. For the recommended way of performing the transition, see https://github.com/aws/aws-eks-best-practices/blob/master/content/networking/prefix-mode/index_windows.md#replace-all-nodes-during-migration-from-secondary-ip-mode-to-prefix-delegation-mode-or-vice-versa[Replace all nodes during migration from Secondary IP mode to Prefix Delegation mode or vice versa] in the Amazon EKS best practices guide. -* The security group scope is at the node-level - For more information, see link:vpc/latest/userguide/VPC_SecurityGroups.html[Security group,type="documentation"]. +* The security group scope is at the node-level - For more information, see link:vpc/latest/userguide/VPC_SecurityGroups.html[Security group,type="documentation"]. * IP prefixes assigned to a network interface support high [.noloc]`Pod` density per node and have the best launch time. * IP prefixes and IP addresses are associated with standard Amazon EC2 elastic network interfaces. Pods requiring specific security groups are assigned the primary IP address of a branch network interface. You can mix [.noloc]`Pods` getting IP addresses, or IP addresses from IP prefixes with [.noloc]`Pods` getting branch network interfaces on the same node. * For clusters with Linux nodes only. diff --git a/latest/ug/networking/cni-ipv6.adoc b/latest/ug/networking/cni-ipv6.adoc index 481ad403c..e8ae4778a 100644 --- a/latest/ug/networking/cni-ipv6.adoc +++ b/latest/ug/networking/cni-ipv6.adoc @@ -40,7 +40,7 @@ The following are considerations for using the feature: * *Kubernetes services*: Kubernetes services are only assigned an `IPv6` addresses. They aren't assigned IPv4 addresses. * *Pods*: Pods are assigned an IPv6 address and a host-local IPv4 address. The host-local IPv4 address is assigned by using a host-local CNI plugin chained with VPC CNI and the address is not reported to the Kubernetes control plane. It is only used when a pod needs to communicate with an external IPv4 resources in another Amazon VPC or the internet. The host-local IPv4 address gets SNATed (by VPC CNI) to the primary IPv4 address of the primary ENI of the worker node. -* *Pods and services*: [.noloc]`Pods` and [.noloc]`services` are only assigned an `IPv6` address. They aren't assigned an `IPv4` address. Because [.noloc]`Pods` are able to communicate to `IPv4` endpoints through NAT on the instance itself, link:vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-nat64-dns64[DNS64 and NAT64,type="documentation"] aren't needed. If the traffic needs a public IP address, the traffic is then source network address translated to a public IP. +* *Pods and services*: [.noloc]`Pods` and [.noloc]`services` are only assigned an `IPv6` address. They aren't assigned an `IPv4` address. Because [.noloc]`Pods` are able to communicate to `IPv4` endpoints through NAT on the instance itself, link:vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-nat64-dns64[DNS64 and NAT64,type="documentation"] aren't needed. If the traffic needs a public IP address, the traffic is then source network address translated to a public IP. * *Routing addresses*: The source `IPv6` address of a [.noloc]`Pod` isn't source network address translated to the `IPv6` address of the node when communicating outside of the VPC. It is routed using an internet gateway or egress-only internet gateway. * *Nodes*: All nodes are assigned an `IPv4` and `IPv6` address. * *Fargate [.noloc]`Pods`*: Each Fargate [.noloc]`Pod` receives an `IPv6` address from the CIDR that's specified for the subnet that it's deployed in. The underlying hardware unit that runs Fargate [.noloc]`Pods` gets a unique `IPv4` and `IPv6` address from the CIDRs that are assigned to the subnet that the hardware unit is deployed in. @@ -51,8 +51,8 @@ The following are considerations for using the feature: * *Create new cluster*: You must create a new cluster and specify that you want to use the `IPv6` family for that cluster. You can't enable the `IPv6` family for a cluster that you updated from a previous version. For instructions on how to create a new cluster, see Considerations . * *Use recent VPC CNI*: Deploy Amazon VPC CNI version `1.10.1` or later. This version or later is deployed by default. After you deploy the add-on, you can't downgrade your Amazon VPC CNI add-on to a version lower than `1.10.1` without first removing all nodes in all node groups in your cluster. * *Configure VPC CNI for `IPv6`*: If you use Amazon EC2 nodes, you must configure the Amazon VPC CNI add-on with IP prefix delegation and `IPv6`. If you choose the `IPv6` family when creating your cluster, the `1.10.1` version of the add-on defaults to this configuration. This is the case for both a self-managed or Amazon EKS add-on. For more information about IP prefix delegation, see <>. -* *Configure `IPv4` and `IPv6` addresses*: When you create a cluster, the VPC and subnets that you specify must have an `IPv6` CIDR block that's assigned to the VPC and subnets that you specify. They must also have an `IPv4` CIDR block assigned to them. This is because, even if you only want to use `IPv6`, a VPC still requires an `IPv4` CIDR block to function. For more information, see link:vpc/latest/userguide/working-with-vpcs.html#vpc-associate-ipv6-cidr[Associate an IPv6 CIDR block with your VPC,type="documentation"] in the Amazon VPC User Guide. -* *Auto-assign IPv6 addresses to nodes:* When you create your nodes, you must specify subnets that are configured to auto-assign `IPv6` addresses. Otherwise, you can't deploy your nodes. By default, this configuration is disabled. For more information, see link:vpc/latest/userguide/vpc-ip-addressing.html#subnet-ipv6[Modify the IPv6 addressing attribute for your subnet,type="documentation"] in the Amazon VPC User Guide. +* *Configure `IPv4` and `IPv6` addresses*: When you create a cluster, the VPC and subnets that you specify must have an `IPv6` CIDR block that's assigned to the VPC and subnets that you specify. They must also have an `IPv4` CIDR block assigned to them. This is because, even if you only want to use `IPv6`, a VPC still requires an `IPv4` CIDR block to function. For more information, see link:vpc/latest/userguide/working-with-vpcs.html#vpc-associate-ipv6-cidr[Associate an IPv6 CIDR block with your VPC,type="documentation"] in the Amazon VPC User Guide. +* *Auto-assign IPv6 addresses to nodes:* When you create your nodes, you must specify subnets that are configured to auto-assign `IPv6` addresses. Otherwise, you can't deploy your nodes. By default, this configuration is disabled. For more information, see link:vpc/latest/userguide/vpc-ip-addressing.html#subnet-ipv6[Modify the IPv6 addressing attribute for your subnet,type="documentation"] in the Amazon VPC User Guide. * *Set route tables to use `IPv6`*: The route tables that are assigned to your subnets must have routes for `IPv6` addresses. For more information, see link:vpc/latest/userguide/vpc-migrate-ipv6.html[Migrate to IPv6,type="documentation"] in the Amazon VPC User Guide. * *Set security groups for `IPv6`*: Your security groups must allow `IPv6` addresses. For more information, see link:vpc/latest/userguide/vpc-migrate-ipv6.html[Migrate to IPv6,type="documentation"] in the Amazon VPC User Guide. * *Set up load balancer*: Use version `2.3.1` or later of the {aws} Load Balancer Controller to load balance HTTP applications using the <> or network traffic using the <> to `IPv6` [.noloc]`Pods` with either load balancer in IP mode, but not instance mode. For more information, see <>. diff --git a/latest/ug/networking/cni-network-policy-configure.adoc b/latest/ug/networking/cni-network-policy-configure.adoc index 7d3765d68..03c91f169 100644 --- a/latest/ug/networking/cni-network-policy-configure.adoc +++ b/latest/ug/networking/cni-network-policy-configure.adoc @@ -74,7 +74,7 @@ The Amazon EKS optimized accelerated Amazon Linux AMI version `v20231116` or lat [#cni-network-policy-configure-policy] == Step 1: Set up policy enforcement at [.noloc]`Pod` startup -The [.noloc]`Amazon VPC CNI plugin for Kubernetes` configures network policies for pods in parallel with the pod provisioning. Until all of the policies are configured for the new pod, containers in the new pod will start with a _default allow policy_. This is called _standard mode_. A default allow policy means that all ingress and egress traffic is allowed to and from the new pods. For example, the pods will not have any firewall rules enforced (all traffic is allowed) until the new pod is updated with the active policies. +The [.noloc]`Amazon VPC CNI plugin for Kubernetes` configures network policies for pods in parallel with the pod provisioning. Until all of the policies are configured for the new pod, containers in the new pod will start with a _default allow policy_. This is called _standard mode_. A default allow policy means that all ingress and egress traffic is allowed to and from the new pods. For example, the pods will not have any firewall rules enforced (all traffic is allowed) until the new pod is updated with the active policies. With the `NETWORK_POLICY_ENFORCING_MODE` variable set to `strict`, pods that use the VPC CNI start with a _default deny policy_, then policies are configured. This is called _strict mode_. In strict mode, you must have a network policy for every endpoint that your pods need to access in your cluster. Note that this requirement applies to the [.noloc]`CoreDNS` pods. The default deny policy isn't configured for pods with Host networking. diff --git a/latest/ug/networking/coredns-add-on-self-managed-update.adoc b/latest/ug/networking/coredns-add-on-self-managed-update.adoc index 09b56bdb6..1225bc7c4 100644 --- a/latest/ug/networking/coredns-add-on-self-managed-update.adoc +++ b/latest/ug/networking/coredns-add-on-self-managed-update.adoc @@ -21,7 +21,7 @@ Before you begin, review the upgrade considerations. For more information, see < aws eks describe-addon --cluster-name my-cluster --addon-name coredns --query addon.addonVersion --output text ---- + -If an error message is returned, you have the self-managed type of the add-on installed on your cluster. Complete the remaining steps in this procedure. If a version number is returned, you have the Amazon EKS type of the add-on installed on your cluster. To update the Amazon EKS type of the add-on, use the procedure in <>, rather than using this procedure. If you're not familiar with the differences between the add-on types, see <>. +If an error message is returned, you have the self-managed type of the add-on installed on your cluster. Complete the remaining steps in this procedure. If a version number is returned, you have the Amazon EKS type of the add-on installed on your cluster. To update the Amazon EKS type of the add-on, use the procedure in <>, rather than using this procedure. If you're not familiar with the differences between the add-on types, see <>. . See which version of the container image is currently installed on your cluster. + [source,bash,subs="verbatim,attributes"] @@ -101,7 +101,7 @@ Add the following lines under the existing permissions lines in the `rules` sect - watch [...] ---- -. Update the [.noloc]`CoreDNS` add-on by replacing [.replaceable]`602401143452` and [.replaceable]`region-code` with the values from the output returned in a previous step. Replace [.replaceable]`v1.11.3-eksbuild.1` with the [.noloc]`CoreDNS` version listed in the <> for your [.noloc]`Kubernetes` version. +. Update the [.noloc]`CoreDNS` add-on by replacing [.replaceable]`602401143452` and [.replaceable]`region-code` with the values from the output returned in a previous step. Replace [.replaceable]`v1.11.3-eksbuild.1` with the [.noloc]`CoreDNS` version listed in the <> for your [.noloc]`Kubernetes` version. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/networking/coredns-add-on-update.adoc b/latest/ug/networking/coredns-add-on-update.adoc index 20dcc0353..84573985c 100644 --- a/latest/ug/networking/coredns-add-on-update.adoc +++ b/latest/ug/networking/coredns-add-on-update.adoc @@ -5,7 +5,7 @@ include::../attributes.txt[] -Update the Amazon EKS type of the add-on. If you haven't added the Amazon EKS add-on to your cluster, either <> or see <>. +Update the Amazon EKS type of the add-on. If you haven't added the Amazon EKS add-on to your cluster, either <> or see <>. Before you begin, review the upgrade considerations. For more information, see <>. @@ -23,7 +23,7 @@ An example output is as follows. v1.10.1-eksbuild.13 ---- + -If the version returned is the same as the version for your cluster's [.noloc]`Kubernetes` version in the <>, then you already have the latest version installed on your cluster and don't need to complete the rest of this procedure. If you receive an error, instead of a version number in your output, then you don't have the Amazon EKS type of the add-on installed on your cluster. You need to <> before you can update it with this procedure. +If the version returned is the same as the version for your cluster's [.noloc]`Kubernetes` version in the <>, then you already have the latest version installed on your cluster and don't need to complete the rest of this procedure. If you receive an error, instead of a version number in your output, then you don't have the Amazon EKS type of the add-on installed on your cluster. You need to <> before you can update it with this procedure. . Save the configuration of your currently installed add-on. + [source,bash,subs="verbatim,attributes"] diff --git a/latest/ug/networking/coredns-autoscaling.adoc b/latest/ug/networking/coredns-autoscaling.adoc index 98a9c1a7f..461f30e4e 100644 --- a/latest/ug/networking/coredns-autoscaling.adoc +++ b/latest/ug/networking/coredns-autoscaling.adoc @@ -103,7 +103,7 @@ Amazon EKS upgrades clusters between platform versions of the same [.noloc]`Kube + New [.noloc]`Kubernetes` versions sometimes introduce significant changes. Therefore, we recommend that you test the behavior of your applications by using a separate cluster of the new [.noloc]`Kubernetes` version before you update your production clusters. + -To upgrade a cluster to a new [.noloc]`Kubernetes` version, follow the procedure in <>. +To upgrade a cluster to a new [.noloc]`Kubernetes` version, follow the procedure in <>. . Ensure that you have the EKS Add-on for [.noloc]`CoreDNS`, not the self-managed [.noloc]`CoreDNS` Deployment. + Depending on the tool that you created your cluster with, you might not currently have the Amazon EKS add-on type installed on your cluster. To see which type of the add-on is installed on your cluster, you can run the following command. Replace `my-cluster` with the name of your cluster. @@ -113,7 +113,7 @@ Depending on the tool that you created your cluster with, you might not currentl aws eks describe-addon --cluster-name my-cluster --addon-name coredns --query addon.addonVersion --output text ---- + -If a version number is returned, you have the Amazon EKS type of the add-on installed on your cluster and you can continue with the next step. If an error is returned, you don't have the Amazon EKS type of the add-on installed on your cluster. Complete the remaining steps of the procedure <> to replace the self-managed version with the Amazon EKS add-on. +If a version number is returned, you have the Amazon EKS type of the add-on installed on your cluster and you can continue with the next step. If an error is returned, you don't have the Amazon EKS type of the add-on installed on your cluster. Complete the remaining steps of the procedure <> to replace the self-managed version with the Amazon EKS add-on. . Ensure that your EKS Add-on for [.noloc]`CoreDNS` is at a version the same or higher than the minimum EKS Add-on version. + See which version of the add-on is installed on your cluster. You can check in the {aws-management-console} or run the following command: @@ -130,13 +130,13 @@ An example output is as follows. v1.10.1-eksbuild.13 ---- + -Compare this version with the minimum EKS Add-on version in the previous section. If needed, upgrade the EKS Add-on to a higher version by following the procedure <>. +Compare this version with the minimum EKS Add-on version in the previous section. If needed, upgrade the EKS Add-on to a higher version by following the procedure <>. . Add the autoscaling configuration to the *Optional configuration settings* of the EKS Add-on. + .. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. .. In the left navigation pane, select *Clusters*, and then select the name of the cluster that you want to configure the add-on for. .. Choose the *Add-ons* tab. -.. Select the box in the top right of the [.noloc]`CoreDNS` add-on box and then choose *Edit*. +.. Select the box in the top right of the [.noloc]`CoreDNS` add-on box and then choose *Edit*. .. On the *Configure [.noloc]`CoreDNS`* page: + ... Select the *Version* that you'd like to use. We recommend that you keep the same version as the previous step, and update the version and configuration in separate actions. @@ -165,9 +165,9 @@ The following example shows autoscaling is enabled and all of the optional keys } } ---- -.. To apply the new configuration by replacing the [.noloc]`CoreDNS` pods, choose *Save changes*. +.. To apply the new configuration by replacing the [.noloc]`CoreDNS` pods, choose *Save changes*. + -Amazon EKS applies changes to the EKS Add-ons by using a _rollout_ of the [.noloc]`Kubernetes` Deployment for CoreDNS. You can track the status of the rollout in the *Update history* of the add-on in the {aws-management-console} and with `kubectl rollout status deployment/coredns --namespace kube-system`. +Amazon EKS applies changes to the EKS Add-ons by using a _rollout_ of the [.noloc]`Kubernetes` Deployment for CoreDNS. You can track the status of the rollout in the *Update history* of the add-on in the {aws-management-console} and with `kubectl rollout status deployment/coredns --namespace kube-system`. + `kubectl rollout` has the following commands: + @@ -183,8 +183,8 @@ status -- Show the status of the rollout undo -- Undo a previous rollout ---- + -If the rollout takes too long, Amazon EKS will undo the rollout, and a message with the type of *Addon Update* and a status of *Failed* will be added to the *Update history* of the add-on. To investigate any issues, start from the history of the rollout, and run `kubectl logs` on a [.noloc]`CoreDNS` pod to see the logs of [.noloc]`CoreDNS`. -. If the new entry in the *Update history* has a status of *Successful*, then the rollout has completed and the add-on is using the new configuration in all of the [.noloc]`CoreDNS` pods. As you change the number of nodes and CPU cores of nodes in the cluster, Amazon EKS scales the number of replicas of the [.noloc]`CoreDNS` deployment. +If the rollout takes too long, Amazon EKS will undo the rollout, and a message with the type of *Addon Update* and a status of *Failed* will be added to the *Update history* of the add-on. To investigate any issues, start from the history of the rollout, and run `kubectl logs` on a [.noloc]`CoreDNS` pod to see the logs of [.noloc]`CoreDNS`. +. If the new entry in the *Update history* has a status of *Successful*, then the rollout has completed and the add-on is using the new configuration in all of the [.noloc]`CoreDNS` pods. As you change the number of nodes and CPU cores of nodes in the cluster, Amazon EKS scales the number of replicas of the [.noloc]`CoreDNS` deployment. ==== @@ -198,7 +198,7 @@ Amazon EKS upgrades clusters between platform versions of the same [.noloc]`Kube + New [.noloc]`Kubernetes` versions sometimes introduce significant changes. Therefore, we recommend that you test the behavior of your applications by using a separate cluster of the new [.noloc]`Kubernetes` version before you update your production clusters. + -To upgrade a cluster to a new [.noloc]`Kubernetes` version, follow the procedure in <>. +To upgrade a cluster to a new [.noloc]`Kubernetes` version, follow the procedure in <>. . Ensure that you have the EKS Add-on for [.noloc]`CoreDNS`, not the self-managed [.noloc]`CoreDNS` Deployment. + Depending on the tool that you created your cluster with, you might not currently have the Amazon EKS add-on type installed on your cluster. To see which type of the add-on is installed on your cluster, you can run the following command. Replace `my-cluster` with the name of your cluster. @@ -225,7 +225,7 @@ An example output is as follows. v1.10.1-eksbuild.13 ---- + -Compare this version with the minimum EKS Add-on version in the previous section. If needed, upgrade the EKS Add-on to a higher version by following the procedure <>. +Compare this version with the minimum EKS Add-on version in the previous section. If needed, upgrade the EKS Add-on to a higher version by following the procedure <>. . Add the autoscaling configuration to the *Optional configuration settings* of the EKS Add-on. + Run the following {aws} CLI command. Replace `my-cluster` with the name of your cluster and the IAM role ARN with the role that you are using. @@ -236,7 +236,7 @@ aws eks update-addon --cluster-name my-cluster --addon-name coredns \ --resolve-conflicts PRESERVE --configuration-values '{"autoScaling":{"enabled":true}}' ---- + -Amazon EKS applies changes to the EKS Add-ons by using a _rollout_ of the [.noloc]`Kubernetes` Deployment for CoreDNS. You can track the status of the rollout in the *Update history* of the add-on in the {aws-management-console} and with `kubectl rollout status deployment/coredns --namespace kube-system`. +Amazon EKS applies changes to the EKS Add-ons by using a _rollout_ of the [.noloc]`Kubernetes` Deployment for CoreDNS. You can track the status of the rollout in the *Update history* of the add-on in the {aws-management-console} and with `kubectl rollout status deployment/coredns --namespace kube-system`. + `kubectl rollout` has the following commands: + @@ -252,7 +252,7 @@ status -- Show the status of the rollout undo -- Undo a previous rollout ---- + -If the rollout takes too long, Amazon EKS will undo the rollout, and a message with the type of *Addon Update* and a status of *Failed* will be added to the *Update history* of the add-on. To investigate any issues, start from the history of the rollout, and run `kubectl logs` on a [.noloc]`CoreDNS` pod to see the logs of [.noloc]`CoreDNS`. +If the rollout takes too long, Amazon EKS will undo the rollout, and a message with the type of *Addon Update* and a status of *Failed* will be added to the *Update history* of the add-on. To investigate any issues, start from the history of the rollout, and run `kubectl logs` on a [.noloc]`CoreDNS` pod to see the logs of [.noloc]`CoreDNS`. . (Optional) You can provide minimum and maximum values that autoscaling can scale the number of [.noloc]`CoreDNS` pods to. + The following example shows autoscaling is enabled and all of the optional keys have values. We recommend that the minimum number of [.noloc]`CoreDNS` pods is always greater than 2 to provide resilience for the DNS service in the cluster. diff --git a/latest/ug/networking/creating-a-vpc.adoc b/latest/ug/networking/creating-a-vpc.adoc index a166a7345..603e66cbf 100644 --- a/latest/ug/networking/creating-a-vpc.adoc +++ b/latest/ug/networking/creating-a-vpc.adoc @@ -16,7 +16,7 @@ An Amazon EKS cluster, nodes, and [.noloc]`Kubernetes` resources are deployed to == Prerequisites -To create a VPC for Amazon EKS, you must have the necessary IAM permissions to create Amazon VPC resources. These resources are VPCs, subnets, security groups, route tables and routes, and internet and NAT gateways. For more information, see link:vpc/latest/userguide/vpc-policy-examples.html#vpc-public-subnet-iam[Create a VPC with a public subnet example policy,type="documentation"] in the Amazon VPC User Guide and the full list of link:service-authorization/latest/reference/list_amazonec2.html#amazonec2-actions-as-permissions[Actions, resources, and condition keys for Amazon EC2,type="documentation"] in the link:service-authorization/latest/reference/reference.html[Service Authorization Reference,type="documentation"]. +To create a VPC for Amazon EKS, you must have the necessary IAM permissions to create Amazon VPC resources. These resources are VPCs, subnets, security groups, route tables and routes, and internet and NAT gateways. For more information, see link:vpc/latest/userguide/vpc-policy-examples.html#vpc-public-subnet-iam[Create a VPC with a public subnet example policy,type="documentation"] in the Amazon VPC User Guide and the full list of link:service-authorization/latest/reference/list_amazonec2.html#amazonec2-actions-as-permissions[Actions, resources, and condition keys for Amazon EC2,type="documentation"] in the link:service-authorization/latest/reference/reference.html[Service Authorization Reference,type="documentation"]. You can create a VPC with public and private subnets, only public subnets, or only private subnets. @@ -31,9 +31,9 @@ You can also assign `IPv6` addresses to nodes in public and private subnets. The .. Open the link:cloudformation/[{aws} CloudFormation console,type="console"]. .. From the navigation bar, select an {aws} Region that supports Amazon EKS. -.. Choose *Create stack*, *With new resources (standard)*. -.. Under *Prerequisite - Prepare template*, make sure that *Template is ready* is selected and then under *Specify template*, select *Amazon S3 URL*. -.. You can create a VPC that supports only `IPv4`, or a VPC that supports `IPv4` and `IPv6`. Paste one of the following URLs into the text area under *Amazon S3 URL* and choose *Next*: +.. Choose *Create stack*, *With new resources (standard)*. +.. Under *Prerequisite - Prepare template*, make sure that *Template is ready* is selected and then under *Specify template*, select *Amazon S3 URL*. +.. You can create a VPC that supports only `IPv4`, or a VPC that supports `IPv4` and `IPv6`. Paste one of the following URLs into the text area under *Amazon S3 URL* and choose *Next*: *** `IPv4` @@ -47,16 +47,16 @@ https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2020-10-29/amazon-e ---- https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2020-10-29/amazon-eks-ipv6-vpc-public-private-subnets.yaml ---- -.. On the *Specify stack details* page, enter the parameters, and then choose *Next*. +.. On the *Specify stack details* page, enter the parameters, and then choose *Next*. *** *Stack name*: Choose a stack name for your {aws} CloudFormation stack. For example, you can use the template name you used in the previous step. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. -*** *VpcBlock*: Choose an `IPv4` CIDR range for your VPC. Each node, [.noloc]`Pod`, and load balancer that you deploy is assigned an `IPv4` address from this block. The default `IPv4` values provide enough IP addresses for most implementations, but if it doesn't, then you can change it. For more information, see link:vpc/latest/userguide/VPC_Subnets.html#VPC_Sizing[VPC and subnet sizing,type="documentation"] in the Amazon VPC User Guide. You can also add additional CIDR blocks to the VPC once it's created. If you're creating an `IPv6` VPC, `IPv6` CIDR ranges are automatically assigned for you from Amazon's Global Unicast Address space. +*** *VpcBlock*: Choose an `IPv4` CIDR range for your VPC. Each node, [.noloc]`Pod`, and load balancer that you deploy is assigned an `IPv4` address from this block. The default `IPv4` values provide enough IP addresses for most implementations, but if it doesn't, then you can change it. For more information, see link:vpc/latest/userguide/VPC_Subnets.html#VPC_Sizing[VPC and subnet sizing,type="documentation"] in the Amazon VPC User Guide. You can also add additional CIDR blocks to the VPC once it's created. If you're creating an `IPv6` VPC, `IPv6` CIDR ranges are automatically assigned for you from Amazon's Global Unicast Address space. *** *PublicSubnet01Block*: Specify an `IPv4` CIDR block for public subnet 1. The default value provides enough IP addresses for most implementations, but if it doesn't, then you can change it. If you're creating an `IPv6` VPC, this block is specified for you within the template. *** *PublicSubnet02Block*: Specify an `IPv4` CIDR block for public subnet 2. The default value provides enough IP addresses for most implementations, but if it doesn't, then you can change it. If you're creating an `IPv6` VPC, this block is specified for you within the template. *** *PrivateSubnet01Block*: Specify an `IPv4` CIDR block for private subnet 1. The default value provides enough IP addresses for most implementations, but if it doesn't, then you can change it. If you're creating an `IPv6` VPC, this block is specified for you within the template. *** *PrivateSubnet02Block*: Specify an `IPv4` CIDR block for private subnet 2. The default value provides enough IP addresses for most implementations, but if it doesn't, then you can change it. If you're creating an `IPv6` VPC, this block is specified for you within the template. -.. (Optional) On the *Configure stack options* page, tag your stack resources and then choose *Next*. -.. On the *Review* page, choose *Create stack*. +.. (Optional) On the *Configure stack options* page, tag your stack resources and then choose *Next*. +.. On the *Review* page, choose *Create stack*. .. When your stack is created, select it in the console and choose *Outputs*. .. Record the *VpcId* for the VPC that was created. You need this when you create your cluster and nodes. .. Record the *SubnetIds* for the subnets that were created and whether you created them as public or private subnets. You need at least two of these when you create your cluster and nodes. @@ -64,33 +64,33 @@ https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2020-10-29/amazon-e ... Open the Amazon VPC console at https://console.aws.amazon.com/vpc/. ... In the left navigation pane, choose *Subnets* -... Select one of your public subnets (*[.replaceable]`stack-name`/SubnetPublic01* or *[.replaceable]`stack-name`/SubnetPublic02* contains the word *public*) and choose *Actions*, *Edit subnet settings*. +... Select one of your public subnets (*[.replaceable]`stack-name`/SubnetPublic01* or *[.replaceable]`stack-name`/SubnetPublic02* contains the word *public*) and choose *Actions*, *Edit subnet settings*. ... Choose the *Enable auto-assign `*IPv6*` address* check box and then choose *Save*. ... Complete the previous steps again for your other public subnet. == Only public subnets -This VPC has three public subnets that are deployed into different Availability Zones in an {aws} Region. All nodes are automatically assigned public `IPv4` addresses and can send and receive internet traffic through an link:vpc/latest/userguide/VPC_Internet_Gateway.html[internet gateway,type="documentation"]. A link:vpc/latest/userguide/VPC_SecurityGroups.html[security group,type="documentation"] is deployed that denies all inbound traffic and allows all outbound traffic. The subnets are tagged so that [.noloc]`Kubernetes` can deploy load balancers to them. +This VPC has three public subnets that are deployed into different Availability Zones in an {aws} Region. All nodes are automatically assigned public `IPv4` addresses and can send and receive internet traffic through an link:vpc/latest/userguide/VPC_Internet_Gateway.html[internet gateway,type="documentation"]. A link:vpc/latest/userguide/VPC_SecurityGroups.html[security group,type="documentation"] is deployed that denies all inbound traffic and allows all outbound traffic. The subnets are tagged so that [.noloc]`Kubernetes` can deploy load balancers to them. .. Open the link:cloudformation/[{aws} CloudFormation console,type="console"]. .. From the navigation bar, select an {aws} Region that supports Amazon EKS. -.. Choose *Create stack*, *With new resources (standard)*. -.. Under *Prepare template*, make sure that *Template is ready* is selected and then under *Template source*, select *Amazon S3 URL*. -.. Paste the following URL into the text area under *Amazon S3 URL* and choose *Next*: +.. Choose *Create stack*, *With new resources (standard)*. +.. Under *Prepare template*, make sure that *Template is ready* is selected and then under *Template source*, select *Amazon S3 URL*. +.. Paste the following URL into the text area under *Amazon S3 URL* and choose *Next*: [source,none,subs="verbatim,attributes"] ---- https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2020-10-29/amazon-eks-vpc-sample.yaml ---- -.. On the *Specify Details* page, enter the parameters, and then choose *Next*. +.. On the *Specify Details* page, enter the parameters, and then choose *Next*. *** *Stack name*: Choose a stack name for your {aws} CloudFormation stack. For example, you can call it [.replaceable]`amazon-eks-vpc-sample`. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. -*** *VpcBlock*: Choose a CIDR block for your VPC. Each node, [.noloc]`Pod`, and load balancer that you deploy is assigned an `IPv4` address from this block. The default `IPv4` values provide enough IP addresses for most implementations, but if it doesn't, then you can change it. For more information, see link:vpc/latest/userguide/VPC_Subnets.html#VPC_Sizing[VPC and subnet sizing,type="documentation"] in the Amazon VPC User Guide. You can also add additional CIDR blocks to the VPC once it's created. +*** *VpcBlock*: Choose a CIDR block for your VPC. Each node, [.noloc]`Pod`, and load balancer that you deploy is assigned an `IPv4` address from this block. The default `IPv4` values provide enough IP addresses for most implementations, but if it doesn't, then you can change it. For more information, see link:vpc/latest/userguide/VPC_Subnets.html#VPC_Sizing[VPC and subnet sizing,type="documentation"] in the Amazon VPC User Guide. You can also add additional CIDR blocks to the VPC once it's created. *** *Subnet01Block*: Specify a CIDR block for subnet 1. The default value provides enough IP addresses for most implementations, but if it doesn't, then you can change it. *** *Subnet02Block*: Specify a CIDR block for subnet 2. The default value provides enough IP addresses for most implementations, but if it doesn't, then you can change it. *** *Subnet03Block*: Specify a CIDR block for subnet 3. The default value provides enough IP addresses for most implementations, but if it doesn't, then you can change it. -.. (Optional) On the *Options* page, tag your stack resources. Choose *Next*. -.. On the *Review* page, choose *Create*. +.. (Optional) On the *Options* page, tag your stack resources. Choose *Next*. +.. On the *Review* page, choose *Create*. .. When your stack is created, select it in the console and choose *Outputs*. .. Record the *VpcId* for the VPC that was created. You need this when you create your cluster and nodes. .. Record the *SubnetIds* for the subnets that were created. You need at least two of these when you create your cluster and nodes. @@ -98,27 +98,27 @@ https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2020-10-29/amazon-e == Only private subnets -This VPC has three private subnets that are deployed into different Availability Zones in the {aws} Region. Resources that are deployed to the subnets can't access the internet, nor can the internet access resources in the subnets. The template creates link:vpc/latest/privatelink/privatelink-access-aws-services.html[VPC endpoints,type="documentation"] using {aws} PrivateLink for several {aws} services that nodes typically need to access. If your nodes need outbound internet access, you can add a public link:vpc/latest/userguide/vpc-nat-gateway.html[NAT gateway,type="documentation"] in the Availability Zone of each subnet after the VPC is created. A link:vpc/latest/userguide/VPC_SecurityGroups.html[security group,type="documentation"] is created that denies all inbound traffic, except from resources deployed into the subnets. A security group also allows all outbound traffic. The subnets are tagged so that [.noloc]`Kubernetes` can deploy internal load balancers to them. If you're creating a VPC with this configuration, see <> for additional requirements and considerations. +This VPC has three private subnets that are deployed into different Availability Zones in the {aws} Region. Resources that are deployed to the subnets can't access the internet, nor can the internet access resources in the subnets. The template creates link:vpc/latest/privatelink/privatelink-access-aws-services.html[VPC endpoints,type="documentation"] using {aws} PrivateLink for several {aws} services that nodes typically need to access. If your nodes need outbound internet access, you can add a public link:vpc/latest/userguide/vpc-nat-gateway.html[NAT gateway,type="documentation"] in the Availability Zone of each subnet after the VPC is created. A link:vpc/latest/userguide/VPC_SecurityGroups.html[security group,type="documentation"] is created that denies all inbound traffic, except from resources deployed into the subnets. A security group also allows all outbound traffic. The subnets are tagged so that [.noloc]`Kubernetes` can deploy internal load balancers to them. If you're creating a VPC with this configuration, see <> for additional requirements and considerations. .. Open the link:cloudformation/[{aws} CloudFormation console,type="console"]. .. From the navigation bar, select an {aws} Region that supports Amazon EKS. -.. Choose *Create stack*, *With new resources (standard)*. -.. Under *Prepare template*, make sure that *Template is ready* is selected and then under *Template source*, select *Amazon S3 URL*. -.. Paste the following URL into the text area under *Amazon S3 URL* and choose *Next*: +.. Choose *Create stack*, *With new resources (standard)*. +.. Under *Prepare template*, make sure that *Template is ready* is selected and then under *Template source*, select *Amazon S3 URL*. +.. Paste the following URL into the text area under *Amazon S3 URL* and choose *Next*: [source,none,subs="verbatim,attributes"] ---- https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2020-10-29/amazon-eks-fully-private-vpc.yaml ---- -.. On the *Specify Details* page, enter the parameters and then choose *Next*. +.. On the *Specify Details* page, enter the parameters and then choose *Next*. *** *Stack name*: Choose a stack name for your {aws} CloudFormation stack. For example, you can call it [.replaceable]`amazon-eks-fully-private-vpc`. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. -*** *VpcBlock*: Choose a CIDR block for your VPC. Each node, [.noloc]`Pod`, and load balancer that you deploy is assigned an `IPv4` address from this block. The default `IPv4` values provide enough IP addresses for most implementations, but if it doesn't, then you can change it. For more information, see link:vpc/latest/userguide/VPC_Subnets.html#VPC_Sizing[VPC and subnet sizing,type="documentation"] in the Amazon VPC User Guide. You can also add additional CIDR blocks to the VPC once it's created. +*** *VpcBlock*: Choose a CIDR block for your VPC. Each node, [.noloc]`Pod`, and load balancer that you deploy is assigned an `IPv4` address from this block. The default `IPv4` values provide enough IP addresses for most implementations, but if it doesn't, then you can change it. For more information, see link:vpc/latest/userguide/VPC_Subnets.html#VPC_Sizing[VPC and subnet sizing,type="documentation"] in the Amazon VPC User Guide. You can also add additional CIDR blocks to the VPC once it's created. *** *PrivateSubnet01Block*: Specify a CIDR block for subnet 1. The default value provides enough IP addresses for most implementations, but if it doesn't, then you can change it. *** *PrivateSubnet02Block*: Specify a CIDR block for subnet 2. The default value provides enough IP addresses for most implementations, but if it doesn't, then you can change it. *** *PrivateSubnet03Block*: Specify a CIDR block for subnet 3. The default value provides enough IP addresses for most implementations, but if it doesn't, then you can change it. -.. (Optional) On the *Options* page, tag your stack resources. Choose *Next*. -.. On the *Review* page, choose *Create*. +.. (Optional) On the *Options* page, tag your stack resources. Choose *Next*. +.. On the *Review* page, choose *Create*. .. When your stack is created, select it in the console and choose *Outputs*. .. Record the *VpcId* for the VPC that was created. You need this when you create your cluster and nodes. .. Record the *SubnetIds* for the subnets that were created. You need at least two of these when you create your cluster and nodes. diff --git a/latest/ug/networking/deploy-ipv6-cluster.adoc b/latest/ug/networking/deploy-ipv6-cluster.adoc index c4f236cb0..477357a0e 100644 --- a/latest/ug/networking/deploy-ipv6-cluster.adoc +++ b/latest/ug/networking/deploy-ipv6-cluster.adoc @@ -15,9 +15,9 @@ Install and configure the following tools and resources that you need to create * We recommend that you familiarize yourself with all settings and deploy a cluster with the settings that meet your requirements. For more information, see <>, <>, and the <> for this topic. You can only enable some settings when creating your cluster. * The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. -* The IAM security principal that you're using must have permissions to work with Amazon EKS IAM roles, service linked roles, {aws} CloudFormation, a VPC, and related resources. For more information, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html[Actions, resources, and condition keys for Amazon Elastic Kubernetes Service,type="documentation"] and link:IAM/latest/UserGuide/using-service-linked-roles.html[Using service-linked roles,type="documentation"] in the IAM User Guide. +* The IAM security principal that you're using must have permissions to work with Amazon EKS IAM roles, service linked roles, {aws} CloudFormation, a VPC, and related resources. For more information, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html[Actions, resources, and condition keys for Amazon Elastic Kubernetes Service,type="documentation"] and link:IAM/latest/UserGuide/using-service-linked-roles.html[Using service-linked roles,type="documentation"] in the IAM User Guide. * If you use the [.noloc]`eksctl`, install version `{eksctl-min-version}` or later on your computer. To install or update to it, see https://eksctl.io/installation[Installation] in the `eksctl` documentation. -* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. If you use the {aws} CloudShell, you may need to link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[install version 2.12.3 or later or 1.27.160 or later of the {aws} CLI,type="documentation"], because the default {aws} CLI version installed in the {aws} CloudShell may be an earlier version. +* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. If you use the {aws} CloudShell, you may need to link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[install version 2.12.3 or later or 1.27.160 or later of the {aws} CLI,type="documentation"], because the default {aws} CLI version installed in the {aws} CloudShell may be an earlier version. //[#deploy-ipv6-cluster-procedure] @@ -34,7 +34,7 @@ You can use the [.noloc]`eksctl` or CLI to deploy an `IPv6` cluster. *** Replace [.replaceable]`region-code` with any {aws} Region that is supported by Amazon EKS. For a list of {aws} Regions, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"] in the {aws} General Reference guide. *** The value for `version` with the version of your cluster. For more information, see <>. *** Replace [.replaceable]`my-nodegroup` with a name for your node group. The node group name can't be longer than 63 characters. It must start with letter or digit, but can also include hyphens and underscores for the remaining characters. -*** Replace [.replaceable]`t3.medium` with any link:AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances[{aws} Nitro System instance type,type="documentation"]. +*** Replace [.replaceable]`t3.medium` with any link:AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances[{aws} Nitro System instance type,type="documentation"]. + [source,yaml,subs="verbatim,attributes"] ---- @@ -387,7 +387,7 @@ An example output is as follows. ---- subnet-0a1a56c486EXAMPLE,subnet-099e6ca77aEXAMPLE,subnet-0377963d69EXAMPLE,subnet-0c05f819d5EXAMPLE ---- -... Create the node group. Replace [.replaceable]`0a1a56c486EXAMPLE`, [.replaceable]`099e6ca77aEXAMPLE`, [.replaceable]`0377963d69EXAMPLE`, and [.replaceable]`0c05f819d5EXAMPLE` with the values returned in the output of the previous step. Be sure to remove the commas between subnet IDs from the previous output in the following command. You can replace [.replaceable]`t3.medium` with any link:AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances[{aws} Nitro System instance type,type="documentation"]. +... Create the node group. Replace [.replaceable]`0a1a56c486EXAMPLE`, [.replaceable]`099e6ca77aEXAMPLE`, [.replaceable]`0377963d69EXAMPLE`, and [.replaceable]`0c05f819d5EXAMPLE` with the values returned in the output of the previous step. Be sure to remove the commas between subnet IDs from the previous output in the following command. You can replace [.replaceable]`t3.medium` with any link:AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances[{aws} Nitro System instance type,type="documentation"]. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/networking/external-snat.adoc b/latest/ug/networking/external-snat.adoc index 86a148420..cfe46fa74 100644 --- a/latest/ug/networking/external-snat.adoc +++ b/latest/ug/networking/external-snat.adoc @@ -14,7 +14,7 @@ Learn how Amazon EKS manages external communication for [.noloc]`Pods` using Sou If you deployed your cluster using the `IPv6` family, then the information in this topic isn't applicable to your cluster, because `IPv6` addresses are not network translated. For more information about using `IPv6` with your cluster, see <>. -By default, each [.noloc]`Pod` in your cluster is assigned a link:AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-private-addresses[private,type="documentation"] `IPv4` address from a classless inter-domain routing (CIDR) block that is associated with the VPC that the [.noloc]`Pod` is deployed in. [.noloc]`Pods` in the same VPC communicate with each other using these private IP addresses as end points. When a [.noloc]`Pod` communicates to any `IPv4` address that isn't within a CIDR block that's associated to your VPC, the Amazon VPC CNI plugin (for both https://github.com/aws/amazon-vpc-cni-k8s#amazon-vpc-cni-k8s[Linux] or https://github.com/aws/amazon-vpc-cni-plugins/tree/master/plugins/vpc-bridge[Windows]) translates the [.noloc]`Pod's` `IPv4` address to the primary private `IPv4` address of the primary link:AWSEC2/latest/UserGuide/using-eni.html#eni-basics[elastic network interface,type="documentation"] of the node that the [.noloc]`Pod` is running on, by default <>. +By default, each [.noloc]`Pod` in your cluster is assigned a link:AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-private-addresses[private,type="documentation"] `IPv4` address from a classless inter-domain routing (CIDR) block that is associated with the VPC that the [.noloc]`Pod` is deployed in. [.noloc]`Pods` in the same VPC communicate with each other using these private IP addresses as end points. When a [.noloc]`Pod` communicates to any `IPv4` address that isn't within a CIDR block that's associated to your VPC, the Amazon VPC CNI plugin (for both https://github.com/aws/amazon-vpc-cni-k8s#amazon-vpc-cni-k8s[Linux] or https://github.com/aws/amazon-vpc-cni-plugins/tree/master/plugins/vpc-bridge[Windows]) translates the [.noloc]`Pod's` `IPv4` address to the primary private `IPv4` address of the primary link:AWSEC2/latest/UserGuide/using-eni.html#eni-basics[elastic network interface,type="documentation"] of the node that the [.noloc]`Pod` is running on, by default <>. [NOTE] ==== @@ -25,7 +25,7 @@ For [.noloc]`Windows` nodes, there are additional details to consider. By defaul Due to this behavior: -* Your [.noloc]`Pods` can communicate with internet resources only if the node that they're running on has a link:AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses[public,type="documentation"] or link:vpc/latest/userguide/vpc-eips.html[elastic,type="documentation"] IP address assigned to it and is in a link:vpc/latest/userguide/configure-subnets.html#subnet-basics[public subnet,type="documentation"]. A public subnet's associated link:vpc/latest/userguide/VPC_Route_Tables.html[route table,type="documentation"] has a route to an internet gateway. We recommend deploying nodes to private subnets, whenever possible. +* Your [.noloc]`Pods` can communicate with internet resources only if the node that they're running on has a link:AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses[public,type="documentation"] or link:vpc/latest/userguide/vpc-eips.html[elastic,type="documentation"] IP address assigned to it and is in a link:vpc/latest/userguide/configure-subnets.html#subnet-basics[public subnet,type="documentation"]. A public subnet's associated link:vpc/latest/userguide/VPC_Route_Tables.html[route table,type="documentation"] has a route to an internet gateway. We recommend deploying nodes to private subnets, whenever possible. * For versions of the plugin earlier than `1.8.0`, resources that are in networks or VPCs that are connected to your cluster VPC using link:vpc/latest/peering/what-is-vpc-peering.html[VPC peering,type="documentation"], a link:whitepapers/latest/aws-vpc-connectivity-options/transit-vpc-option.html[transit VPC,type="documentation"], or link:directconnect/latest/UserGuide/Welcome.html[{aws} Direct Connect,type="documentation"] can't initiate communication to your [.noloc]`Pods` behind secondary elastic network interfaces. Your [.noloc]`Pods` can initiate communication to those resources and receive responses from them, though. If either of the following statements are true in your environment, then change the default configuration with the command that follows. diff --git a/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc b/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc index 26d8b1544..0c9b051e9 100644 --- a/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc +++ b/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc @@ -29,7 +29,7 @@ We recommend adding the Amazon EKS type of the add-on to your cluster instead of aws eks describe-addon --cluster-name my-cluster --addon-name kube-proxy --query addon.addonVersion --output text ---- + -If an error message is returned, you have the self-managed type of the add-on installed on your cluster. The remaining steps in this topic are for updating the self-managed type of the add-on. If a version number is returned, you have the Amazon EKS type of the add-on installed on your cluster. To update it, use the procedure in <>, rather than using the procedure in this topic. If you're not familiar with the differences between the add-on types, see <>. +If an error message is returned, you have the self-managed type of the add-on installed on your cluster. The remaining steps in this topic are for updating the self-managed type of the add-on. If a version number is returned, you have the Amazon EKS type of the add-on installed on your cluster. To update it, use the procedure in <>, rather than using the procedure in this topic. If you're not familiar with the differences between the add-on types, see <>. . See which version of the container image is currently installed on your cluster. + [source,bash,subs="verbatim,attributes"] diff --git a/latest/ug/networking/lbc-helm.adoc b/latest/ug/networking/lbc-helm.adoc index 64f0e9fac..15037ac7e 100644 --- a/latest/ug/networking/lbc-helm.adoc +++ b/latest/ug/networking/lbc-helm.adoc @@ -30,7 +30,7 @@ Before starting this tutorial, you must install and configure the following tool * An existing Amazon EKS cluster. To deploy one, see <>. * An existing {aws} Identity and Access Management (IAM) [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you already have one, or to create one, see <>. -* Make sure that your [.noloc]`Amazon VPC CNI plugin for Kubernetes`, `kube-proxy`, and [.noloc]`CoreDNS` add-ons are at the minimum versions listed in <>. +* Make sure that your [.noloc]`Amazon VPC CNI plugin for Kubernetes`, `kube-proxy`, and [.noloc]`CoreDNS` add-ons are at the minimum versions listed in <>. * Familiarity with {aws} Elastic Load Balancing. For more information, see the link:elasticloadbalancing/latest/userguide/[Elastic Load Balancing User Guide,type="documentation"]. * Familiarity with Kubernetes https://kubernetes.io/docs/concepts/services-networking/service/[service] and https://kubernetes.io/docs/concepts/services-networking/ingress/[ingress] resources. @@ -89,7 +89,7 @@ aws iam create-policy \ --policy-document file://iam_policy.json ---- + -NOTE: If you view the policy in the {aws-management-console}, the console shows warnings for the *ELB* service, but not for the *ELB v2* service. This happens because some of the actions in the policy exist for *ELB v2*, but not for *ELB*. You can ignore the warnings for *ELB*. +NOTE: If you view the policy in the {aws-management-console}, the console shows warnings for the *ELB* service, but not for the *ELB v2* service. This happens because some of the actions in the policy exist for *ELB v2*, but not for *ELB*. You can ignore the warnings for *ELB*. . Replace [.replaceable]`my-cluster` with the name of your cluster, [.replaceable]`111122223333` with your account ID, and then run the command. + [source,shell,subs="verbatim,attributes"] diff --git a/latest/ug/networking/lbc-manifest.adoc b/latest/ug/networking/lbc-manifest.adoc index 2c6982568..b34e9821f 100644 --- a/latest/ug/networking/lbc-manifest.adoc +++ b/latest/ug/networking/lbc-manifest.adoc @@ -30,7 +30,7 @@ Before starting this tutorial, you must install and configure the following tool * An existing Amazon EKS cluster. To deploy one, see <>. * An existing {aws} Identity and Access Management (IAM) [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you already have one, or to create one, see <>. -* Make sure that your [.noloc]`Amazon VPC CNI plugin for Kubernetes`, `kube-proxy`, and [.noloc]`CoreDNS` add-ons are at the minimum versions listed in <>. +* Make sure that your [.noloc]`Amazon VPC CNI plugin for Kubernetes`, `kube-proxy`, and [.noloc]`CoreDNS` add-ons are at the minimum versions listed in <>. * Familiarity with {aws} Elastic Load Balancing. For more information, see the link:elasticloadbalancing/latest/userguide/[Elastic Load Balancing User Guide,type="documentation"]. * Familiarity with Kubernetes https://kubernetes.io/docs/concepts/services-networking/service/[service] and https://kubernetes.io/docs/concepts/services-networking/ingress/[ingress] resources. @@ -85,7 +85,7 @@ aws iam create-policy \ --policy-document file://iam_policy.json ---- + -NOTE: If you view the policy in the {aws-management-console}, the console shows warnings for the *ELB* service, but not for the *ELB v2* service. This happens because some of the actions in the policy exist for *ELB v2*, but not for *ELB*. You can ignore the warnings for *ELB*. +NOTE: If you view the policy in the {aws-management-console}, the console shows warnings for the *ELB* service, but not for the *ELB v2* service. This happens because some of the actions in the policy exist for *ELB v2*, but not for *ELB*. You can ignore the warnings for *ELB*. ==== [role="tablist"] diff --git a/latest/ug/networking/lbc-remove.adoc b/latest/ug/networking/lbc-remove.adoc index 1d41ad99c..6c19491ba 100644 --- a/latest/ug/networking/lbc-remove.adoc +++ b/latest/ug/networking/lbc-remove.adoc @@ -105,7 +105,7 @@ aws iam create-policy \ ---- . Attach the IAM policy to the IAM role used by the [.noloc]`{aws} Load Balancer Controller`. Replace [.replaceable]`your-role-name` with the name of the role, such as `AmazonEKSLoadBalancerControllerRole`. + -If you created the role using `eksctl`, then to find the role name that was created, open the link:cloudformation[{aws} CloudFormation console,type="console"] and select the *eksctl-[.replaceable]`my-cluster`-addon-iamserviceaccount-kube-system-aws-load-balancer-controller* stack. Select the *Resources* tab. The role name is in the *Physical ID* column. +If you created the role using `eksctl`, then to find the role name that was created, open the link:cloudformation[{aws} CloudFormation console,type="console"] and select the *eksctl-[.replaceable]`my-cluster`-addon-iamserviceaccount-kube-system-aws-load-balancer-controller* stack. Select the *Resources* tab. The role name is in the *Physical ID* column. + [source,shell,subs="verbatim,attributes"] ---- diff --git a/latest/ug/networking/managing-kube-proxy.adoc b/latest/ug/networking/managing-kube-proxy.adoc index ddb4a1e48..6933215eb 100644 --- a/latest/ug/networking/managing-kube-proxy.adoc +++ b/latest/ug/networking/managing-kube-proxy.adoc @@ -87,7 +87,7 @@ The following table lists the latest available self-managed `kube-proxy` contain * The default image type isn't available for [.noloc]`Kubernetes` version `1.25` and later. You must use the minimal image type. -* When you <>, you specify a valid Amazon EKS add-on version, which might not be a version listed in this table. This is because <> versions don't always match container image versions specified when updating the self-managed type of this add-on. When you update the self-managed type of this add-on, you specify a valid container image version listed in this table. +* When you <>, you specify a valid Amazon EKS add-on version, which might not be a version listed in this table. This is because <> versions don't always match container image versions specified when updating the self-managed type of this add-on. When you update the self-managed type of this add-on, you specify a valid container image version listed in this table. 📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23managing-kube-proxy%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/network-policies-troubleshooting.adoc b/latest/ug/networking/network-policies-troubleshooting.adoc index db1909455..a4965bb9d 100644 --- a/latest/ug/networking/network-policies-troubleshooting.adoc +++ b/latest/ug/networking/network-policies-troubleshooting.adoc @@ -10,12 +10,12 @@ include::../attributes.txt[] Learn how to troubleshoot and investigate network connections that use network policies. -- -You can troubleshoot and investigate network connections that use network policies by reading the <> and by running tools from the <>. +You can troubleshoot and investigate network connections that use network policies by reading the <> and by running tools from the <>. [#network-policies-troubleshooting-flowlogs] == Network policy logs -Whether connections are allowed or denied by a network policies is logged in _flow logs_. The network policy logs on each node include the flow logs for every pod that has a network policy. Network policy logs are stored at `/var/log/aws-routed-eni/network-policy-agent.log`. The following example is from a `network-policy-agent.log` file: +Whether connections are allowed or denied by a network policies is logged in _flow logs_. The network policy logs on each node include the flow logs for every pod that has a network policy. Network policy logs are stored at `/var/log/aws-routed-eni/network-policy-agent.log`. The following example is from a `network-policy-agent.log` file: [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/networking/network-policy-stars-demo.adoc b/latest/ug/networking/network-policy-stars-demo.adoc index 848aec558..391d0b845 100644 --- a/latest/ug/networking/network-policy-stars-demo.adoc +++ b/latest/ug/networking/network-policy-stars-demo.adoc @@ -52,7 +52,7 @@ stars frontend-cscnf 1/1 Running 0 ---- kubectl get service/management-ui -n management-ui ---- -. Open the a browser to the location from the previous step. You should see the management user interface. The *C* node is the client service, the *F* node is the front-end service, and the *B* node is the back-end service. Each node has full communication access to all other nodes, as indicated by the bold, colored lines. +. Open the a browser to the location from the previous step. You should see the management user interface. The *C* node is the client service, the *F* node is the front-end service, and the *B* node is the back-end service. Each node has full communication access to all other nodes, as indicated by the bold, colored lines. + image::images/stars-default.png[Open network policy,scaledwidth=100%] . Apply the following network policy in both the `stars` and `client` namespaces to isolate the services from each other: diff --git a/latest/ug/networking/network-reqs.adoc b/latest/ug/networking/network-reqs.adoc index 066837cba..23293db74 100644 --- a/latest/ug/networking/network-reqs.adoc +++ b/latest/ug/networking/network-reqs.adoc @@ -10,7 +10,7 @@ include::../attributes.txt[] Learn how to configure the VPC and subnets to meet networking requirements for creating Amazon EKS clusters with sufficient IP addresses, subnet types, and availability zones. Understand IP family usage by component and shared subnet considerations. -- -When you create a cluster, you specify a link:vpc/latest/userguide/configure-your-vpc.html[VPC,type="documentation"] and at least two subnets that are in different Availability Zones. This topic provides an overview of Amazon EKS specific requirements and considerations for the VPC and subnets that you use with your cluster. If you don't have a VPC to use with Amazon EKS, see <>. If you're creating a local or extended cluster on {aws} Outposts, see <> instead of this topic. The content in this topic applies for Amazon EKS clusters with hybrid nodes. For additional networking requirements for hybrid nodes, see <>. +When you create a cluster, you specify a link:vpc/latest/userguide/configure-your-vpc.html[VPC,type="documentation"] and at least two subnets that are in different Availability Zones. This topic provides an overview of Amazon EKS specific requirements and considerations for the VPC and subnets that you use with your cluster. If you don't have a VPC to use with Amazon EKS, see <>. If you're creating a local or extended cluster on {aws} Outposts, see <> instead of this topic. The content in this topic applies for Amazon EKS clusters with hybrid nodes. For additional networking requirements for hybrid nodes, see <>. [#network-requirements-vpc] == VPC requirements and considerations @@ -32,10 +32,10 @@ For example, assume that you made a cluster and specified four subnets. In the o ==== + -If you need more IP addresses than the CIDR blocks in the VPC have, you can add additional CIDR blocks by link:vpc/latest/userguide/working-with-vpcs.html#add-ipv4-cidr[associating additional Classless Inter-Domain Routing (CIDR) blocks,type="documentation"] with your VPC. You can associate private ([.noloc]`RFC 1918`) and public (non-[.noloc]`RFC 1918`) CIDR blocks to your VPC either before or after you create your cluster. It can take a cluster up to five hours for a CIDR block that you associated with a VPC to be recognized. +If you need more IP addresses than the CIDR blocks in the VPC have, you can add additional CIDR blocks by link:vpc/latest/userguide/working-with-vpcs.html#add-ipv4-cidr[associating additional Classless Inter-Domain Routing (CIDR) blocks,type="documentation"] with your VPC. You can associate private ([.noloc]`RFC 1918`) and public (non-[.noloc]`RFC 1918`) CIDR blocks to your VPC either before or after you create your cluster. It can take a cluster up to five hours for a CIDR block that you associated with a VPC to be recognized. + You can conserve IP address utilization by using a transit gateway with a shared services VPC. For more information, see link:vpc/latest/tgw/transit-gateway-isolated-shared.html[Isolated VPCs with shared services,type="documentation"] and link:containers/eks-vpc-routable-ip-address-conservation[Amazon EKS VPC routable IP address conservation patterns in a hybrid network,type="blog"]. -* If you want [.noloc]`Kubernetes` to assign `IPv6` addresses to [.noloc]`Pods` and services, associate an `IPv6` CIDR block with your VPC. For more information, see link:vpc/latest/userguide/working-with-vpcs.html#vpc-associate-ipv6-cidr[Associate an IPv6 CIDR block with your VPC,type="documentation"] in the Amazon VPC User Guide. You cannot use `IPv6` addresses with Pods and services running on hybrid nodes and you cannot use hybrid nodes with clusters configured with the `IPv6` IP address family. +* If you want [.noloc]`Kubernetes` to assign `IPv6` addresses to [.noloc]`Pods` and services, associate an `IPv6` CIDR block with your VPC. For more information, see link:vpc/latest/userguide/working-with-vpcs.html#vpc-associate-ipv6-cidr[Associate an IPv6 CIDR block with your VPC,type="documentation"] in the Amazon VPC User Guide. You cannot use `IPv6` addresses with Pods and services running on hybrid nodes and you cannot use hybrid nodes with clusters configured with the `IPv6` IP address family. * The VPC must have `DNS` hostname and `DNS` resolution support. Otherwise, nodes can't register to your cluster. For more information, see link:vpc/latest/userguide/vpc-dns.html[DNS attributes for your VPC,type="documentation"] in the Amazon VPC User Guide. * The VPC might require VPC endpoints using {aws} PrivateLink. For more information, see <>. @@ -70,7 +70,7 @@ The link:vpc/latest/userguide/configure-subnets.html#subnet-types[subnets,type=" * The subnets must each have at least six IP addresses for use by Amazon EKS. However, we recommend at least 16 IP addresses. * The subnets must be in at least two different Availability Zones. * The subnets can't reside in {aws} Outposts or {aws} Wavelength. However, if you have them in your VPC, you can deploy self-managed nodes and [.noloc]`Kubernetes` resources to these types of subnets. For more information about self-managed nodes, see <>. -* The subnets can be a public or private. However, we recommend that you specify private subnets, if possible. A public subnet is a subnet with a route table that includes a route to an link:vpc/latest/userguide/VPC_Internet_Gateway.html[internet gateway,type="documentation"], whereas a private subnet is a subnet with a route table that doesn't include a route to an internet gateway. +* The subnets can be a public or private. However, we recommend that you specify private subnets, if possible. A public subnet is a subnet with a route table that includes a route to an link:vpc/latest/userguide/VPC_Internet_Gateway.html[internet gateway,type="documentation"], whereas a private subnet is a subnet with a route table that doesn't include a route to an internet gateway. * The subnets can't reside in the following Availability Zones: + [cols="1,1,1", options="header"] @@ -205,9 +205,9 @@ You can deploy nodes and [.noloc]`Kubernetes` resources to the same subnets that * The subnets must have enough available IP addresses to deploy all of your nodes and [.noloc]`Kubernetes` resources to. -* If you want [.noloc]`Kubernetes` to assign `IPv6` addresses to [.noloc]`Pods` and services, then you must have one `IPv6` CIDR block and one `IPv4` CIDR block that are associated with your subnet. For more information, see link:vpc/latest/userguide/working-with-subnets.html#subnet-associate-ipv6-cidr[Associate an IPv6 CIDR block with your subnet,type="documentation"] in the Amazon VPC User Guide. The route tables that are associated with the subnets must include routes to `IPv4` and `IPv6` addresses. For more information, see link:vpc/latest/userguide/VPC_Route_Tables.html#route-table-routes[Routes,type="documentation"] in the Amazon VPC User Guide. Pods are assigned only an `IPv6` address. However the network interfaces that Amazon EKS creates for your cluster and your nodes are assigned an `IPv4` and an `IPv6` address. +* If you want [.noloc]`Kubernetes` to assign `IPv6` addresses to [.noloc]`Pods` and services, then you must have one `IPv6` CIDR block and one `IPv4` CIDR block that are associated with your subnet. For more information, see link:vpc/latest/userguide/working-with-subnets.html#subnet-associate-ipv6-cidr[Associate an IPv6 CIDR block with your subnet,type="documentation"] in the Amazon VPC User Guide. The route tables that are associated with the subnets must include routes to `IPv4` and `IPv6` addresses. For more information, see link:vpc/latest/userguide/VPC_Route_Tables.html#route-table-routes[Routes,type="documentation"] in the Amazon VPC User Guide. Pods are assigned only an `IPv6` address. However the network interfaces that Amazon EKS creates for your cluster and your nodes are assigned an `IPv4` and an `IPv6` address. * If you need inbound access from the internet to your [.noloc]`Pods`, make sure to have at least one public subnet with enough available IP addresses to deploy load balancers and ingresses to. You can deploy load balancers to public subnets. Load balancers can load balance to [.noloc]`Pods` in private or public subnets. We recommend deploying your nodes to private subnets, if possible. -* If you plan to deploy nodes to a public subnet, the subnet must auto-assign `IPv4` public addresses or `IPv6` addresses. If you deploy nodes to a private subnet that has an associated `IPv6` CIDR block, the private subnet must also auto-assign `IPv6` addresses. If you used the {aws} CloudFormation template provided by Amazon EKS to deploy your VPC after March 26, 2020, this setting is enabled. If you used the templates to deploy your VPC before this date or you use your own VPC, you must enable this setting manually. For the template, see <>. For more information, see link:vpc/latest/userguide/working-with-subnets.html#subnet-public-ip[Modify the public IPv4 addressing attribute for your subnet,type="documentation"] and link:vpc/latest/userguide/working-with-subnets.html#subnet-ipv6[Modify the IPv6 addressing attribute for your subnet,type="documentation"] in the link:vpc/latest/userguide/[Amazon VPC User Guide,type="documentation"]. +* If you plan to deploy nodes to a public subnet, the subnet must auto-assign `IPv4` public addresses or `IPv6` addresses. If you deploy nodes to a private subnet that has an associated `IPv6` CIDR block, the private subnet must also auto-assign `IPv6` addresses. If you used the {aws} CloudFormation template provided by Amazon EKS to deploy your VPC after March 26, 2020, this setting is enabled. If you used the templates to deploy your VPC before this date or you use your own VPC, you must enable this setting manually. For the template, see <>. For more information, see link:vpc/latest/userguide/working-with-subnets.html#subnet-public-ip[Modify the public IPv4 addressing attribute for your subnet,type="documentation"] and link:vpc/latest/userguide/working-with-subnets.html#subnet-ipv6[Modify the IPv6 addressing attribute for your subnet,type="documentation"] in the link:vpc/latest/userguide/[Amazon VPC User Guide,type="documentation"]. * If the subnet that you deploy a node to is a private subnet and its route table doesn't include a route to a network address translation link:vpc/latest/userguide/vpc-nat.html[(NAT) device,type="documentation"] (`IPv4`) or an link:vpc/latest/userguide/egress-only-internet-gateway.html[egress-only gateway,type="documentation"] (`IPv6`), add VPC endpoints using {aws} PrivateLink to your VPC. VPC endpoints are needed for all the {aws} services that your nodes and [.noloc]`Pods` need to communicate with. Examples include Amazon ECR, Elastic Load Balancing, Amazon CloudWatch, {aws} Security Token Service, and Amazon Simple Storage Service (Amazon S3). The endpoint must include the subnet that the nodes are in. Not all {aws} services support VPC endpoints. For more information, see link:vpc/latest/privatelink/what-is-privatelink.html[What is {aws} PrivateLink?,type="documentation"] and link:vpc/latest/privatelink/aws-services-privatelink-support.html[{aws} services that integrate with {aws} PrivateLink,type="documentation"]. For a list of more Amazon EKS requirements, see <>. * If you want to deploy load balancers to a subnet, the subnet must have the following tag: + @@ -259,14 +259,14 @@ This change impacts new node groups that are deployed to public subnets in the f -* *<>* – If the node group is deployed to a public subnet on or after April 22, 2020, automatic assignment of public IP addresses must be enabled for the public subnet. For more information, see link:vpc/latest/userguide/vpc-ip-addressing.html#subnet-public-ip[Modifying the public IPv4 addressing attribute for your subnet,type="documentation"]. -* *<>, <>, or <> self-managed node groups* – If the node group is deployed to a public subnet on or after March 26, 2020, automatic assignment of public IP addresses must be enabled for the public subnet. Otherwise, the nodes must be launched with a public IP address instead. For more information, see link:vpc/latest/userguide/vpc-ip-addressing.html#subnet-public-ip[Modifying the public IPv4 addressing attribute for your subnet,type="documentation"] or link:vpc/latest/userguide/vpc-ip-addressing.html#vpc-public-ip[Assigning a public IPv4 address during instance launch,type="documentation"]. +* *<>* – If the node group is deployed to a public subnet on or after April 22, 2020, automatic assignment of public IP addresses must be enabled for the public subnet. For more information, see link:vpc/latest/userguide/vpc-ip-addressing.html#subnet-public-ip[Modifying the public IPv4 addressing attribute for your subnet,type="documentation"]. +* *<>, <>, or <> self-managed node groups* – If the node group is deployed to a public subnet on or after March 26, 2020, automatic assignment of public IP addresses must be enabled for the public subnet. Otherwise, the nodes must be launched with a public IP address instead. For more information, see link:vpc/latest/userguide/vpc-ip-addressing.html#subnet-public-ip[Modifying the public IPv4 addressing attribute for your subnet,type="documentation"] or link:vpc/latest/userguide/vpc-ip-addressing.html#vpc-public-ip[Assigning a public IPv4 address during instance launch,type="documentation"]. [#network-requirements-shared] == Shared subnet requirements and considerations -You can use _VPC sharing_ to share subnets with other {aws} accounts within the same {aws} Organizations. You can create Amazon EKS clusters in shared subnets, with the following considerations: +You can use _VPC sharing_ to share subnets with other {aws} accounts within the same {aws} Organizations. You can create Amazon EKS clusters in shared subnets, with the following considerations: @@ -277,10 +277,10 @@ You can use _VPC sharing_ to share subnets with other {aws} accounts within the + ** Cluster IAM role and Node IAM roles must be created in that account. For more information, see <> and <>. ** All nodes must be made by the same participant, including managed node groups. -* The shared VPC owner cannot view, update or delete a cluster that a participant creates in the shared subnet. This is in addition to the VPC resources that each account has different access to. For more information, see link:vpc/latest/userguide/vpc-sharing.html#vpc-share-limitations[Responsibilities and permissions for owners and participants,type="documentation"] in the _Amazon VPC User Guide_. +* The shared VPC owner cannot view, update or delete a cluster that a participant creates in the shared subnet. This is in addition to the VPC resources that each account has different access to. For more information, see link:vpc/latest/userguide/vpc-sharing.html#vpc-share-limitations[Responsibilities and permissions for owners and participants,type="documentation"] in the _Amazon VPC User Guide_. * If you use the _custom networking_ feature of the [.noloc]`Amazon VPC CNI plugin for Kubernetes`, you need to use the Availability Zone ID mappings listed in the owner account to create each `ENIConfig`. For more information, see <>. -For more information about VPC subnet sharing, see link:vpc/latest/userguide/vpc-sharing.html#vpc-share-limitations[Share your VPC with other accounts,type="documentation"] in the _Amazon VPC User Guide_. +For more information about VPC subnet sharing, see link:vpc/latest/userguide/vpc-sharing.html#vpc-share-limitations[Share your VPC with other accounts,type="documentation"] in the _Amazon VPC User Guide_. 📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23network-reqs%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/networking/sec-group-reqs.adoc b/latest/ug/networking/sec-group-reqs.adoc index 3a2f71c0d..54b23c8e4 100644 --- a/latest/ug/networking/sec-group-reqs.adoc +++ b/latest/ug/networking/sec-group-reqs.adoc @@ -42,7 +42,7 @@ When you create a cluster, Amazon EKS creates a security group that's named `eks [IMPORTANT] ==== -If your cluster doesn't need the outbound rule, you can remove it. If you remove it, you must still have the minimum rules listed in <>. If you remove the inbound rule, Amazon EKS recreates it whenever the cluster is updated. +If your cluster doesn't need the outbound rule, you can remove it. If you remove it, you must still have the minimum rules listed in <>. If you remove the inbound rule, Amazon EKS recreates it whenever the cluster is updated. ==== @@ -84,7 +84,7 @@ aws eks describe-cluster --name my-cluster --query cluster.resourcesVpcConfig.cl [#security-group-restricting-cluster-traffic] == Restricting cluster traffic -If you need to limit the open ports between the cluster and nodes, you can remove the <> and add the following minimum rules that are required for the cluster. If you remove the <>, Amazon EKS recreates it whenever the cluster is updated. +If you need to limit the open ports between the cluster and nodes, you can remove the <> and add the following minimum rules that are required for the cluster. If you remove the <>, Amazon EKS recreates it whenever the cluster is updated. [cols="1,1,1,1", options="header"] |=== diff --git a/latest/ug/networking/security-groups-for-pods.adoc b/latest/ug/networking/security-groups-for-pods.adoc index e2170e9aa..b1e7d468b 100644 --- a/latest/ug/networking/security-groups-for-pods.adoc +++ b/latest/ug/networking/security-groups-for-pods.adoc @@ -41,7 +41,7 @@ Before deploying security groups for [.noloc]`Pods`, consider the following limi * Security groups for [.noloc]`Pods` can't be used with [.noloc]`Windows` nodes. * Security groups for [.noloc]`Pods` can be used with clusters configured for the `IPv6` family that contain Amazon EC2 nodes by using version 1.16.0 or later of the Amazon VPC CNI plugin. You can use security groups for [.noloc]`Pods` with clusters configure `IPv6` family that contain only Fargate nodes by using version 1.7.7 or later of the Amazon VPC CNI plugin. For more information, see <> -* Security groups for [.noloc]`Pods` are supported by most link:AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances[Nitro-based,type="documentation"] Amazon EC2 instance families, though not by all generations of a family. For example, the `m5`, `c5`, `r5`, `m6g`, `c6g`, and `r6g` instance family and generations are supported. No instance types in the `t` family are supported. For a complete list of supported instance types, see the https://github.com/aws/amazon-vpc-resource-controller-k8s/blob/v1.5.0/pkg/aws/vpc/limits.go[limits.go] file on [.noloc]`GitHub`. Your nodes must be one of the listed instance types that have `IsTrunkingCompatible: true` in that file. +* Security groups for [.noloc]`Pods` are supported by most link:AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances[Nitro-based,type="documentation"] Amazon EC2 instance families, though not by all generations of a family. For example, the `m5`, `c5`, `r5`, `m6g`, `c6g`, and `r6g` instance family and generations are supported. No instance types in the `t` family are supported. For a complete list of supported instance types, see the https://github.com/aws/amazon-vpc-resource-controller-k8s/blob/v1.5.0/pkg/aws/vpc/limits.go[limits.go] file on [.noloc]`GitHub`. Your nodes must be one of the listed instance types that have `IsTrunkingCompatible: true` in that file. * If you're also using [.noloc]`Pod` security policies to restrict access to [.noloc]`Pod` mutation, then the `eks:vpc-resource-controller` [.noloc]`Kubernetes` user must be specified in the [.noloc]`Kubernetes` `ClusterRoleBinding` for the `role` that your `psp` is assigned to. If you're using the default Amazon EKS `psp`, `role`, and `ClusterRoleBinding`, this is the `eks:podsecuritypolicy:authenticated` `ClusterRoleBinding`. For example, you add the user to the `subjects:` section, as shown in the following example: + [source,yaml,subs="verbatim,attributes"] @@ -66,7 +66,7 @@ If you're using version `1.11` or later of the plugin with `POD_SECURITY_GROUP_E * To use [.noloc]`Calico` network policy with [.noloc]`Pods` that have associated security groups, you must use version `1.11.0` or later of the Amazon VPC CNI plugin and set `POD_SECURITY_GROUP_ENFORCING_MODE`=``standard``. Otherwise, traffic flow to and from [.noloc]`Pods` with associated security groups are not subjected to [.noloc]`Calico` network policy enforcement and are limited to Amazon EC2 security group enforcement only. To update your Amazon VPC CNI version, see <> * [.noloc]`Pods` running on Amazon EC2 nodes that use security groups in clusters that use https://kubernetes.io/docs/tasks/administer-cluster/nodelocaldns/[NodeLocal DNSCache] are only supported with version `1.11.0` or later of the Amazon VPC CNI plugin and with `POD_SECURITY_GROUP_ENFORCING_MODE`=``standard``. To update your Amazon VPC CNI plugin version, see <> * Security groups for [.noloc]`Pods` might lead to higher [.noloc]`Pod` startup latency for [.noloc]`Pods` with high churn. This is due to rate limiting in the resource controller. -* The EC2 security group scope is at the [.noloc]`Pod`-level - For more information, see link:vpc/latest/userguide/VPC_SecurityGroups.html[Security group,type="documentation"]. +* The EC2 security group scope is at the [.noloc]`Pod`-level - For more information, see link:vpc/latest/userguide/VPC_SecurityGroups.html[Security group,type="documentation"]. + If you set `POD_SECURITY_GROUP_ENFORCING_MODE=standard` and `AWS_VPC_K8S_CNI_EXTERNALSNAT=false`, traffic destined for endpoints outside the VPC use the node's security groups, not the [.noloc]`Pod's` security groups. diff --git a/latest/ug/networking/security-groups-pods-deployment.adoc b/latest/ug/networking/security-groups-pods-deployment.adoc index 2ea18774c..da0b99a07 100644 --- a/latest/ug/networking/security-groups-pods-deployment.adoc +++ b/latest/ug/networking/security-groups-pods-deployment.adoc @@ -45,7 +45,7 @@ aws iam attach-role-policy --policy-arn {arn-aws}iam::aws:policy/AmazonEKSVPCRes kubectl set env daemonset aws-node -n kube-system ENABLE_POD_ENI=true ---- + -NOTE: The trunk network interface is included in the maximum number of network interfaces supported by the instance type. For a list of the maximum number of network interfaces supported by each instance type, see link:AWSEC2/latest/UserGuide/using-eni.html#AvailableIpPerENI[IP addresses per network interface per instance type,type="documentation"] in the _Amazon EC2 User Guide_. If your node already has the maximum number of standard network interfaces attached to it then the VPC resource controller will reserve a space. You will have to scale down your running [.noloc]`Pods` enough for the controller to detach and delete a standard network interface, create the trunk network interface, and attach it to the instance. +NOTE: The trunk network interface is included in the maximum number of network interfaces supported by the instance type. For a list of the maximum number of network interfaces supported by each instance type, see link:AWSEC2/latest/UserGuide/using-eni.html#AvailableIpPerENI[IP addresses per network interface per instance type,type="documentation"] in the _Amazon EC2 User Guide_. If your node already has the maximum number of standard network interfaces attached to it then the VPC resource controller will reserve a space. You will have to scale down your running [.noloc]`Pods` enough for the controller to detach and delete a standard network interface, create the trunk network interface, and attach it to the instance. . You can see which of your nodes have a `CNINode` custom resource with the following command. If `No resources found` is returned, then wait several seconds and try again. The previous step requires restarting the [.noloc]`Amazon VPC CNI plugin for` Kubernetes Pods`, which takes several seconds. + [source,shell,subs="verbatim,attributes"] @@ -66,7 +66,7 @@ kubectl get nodes -o wide -l vpc.amazonaws.com/has-trunk-attached=true + Once the trunk network interface is created, [.noloc]`Pods` are assigned secondary IP addresses from the trunk or standard network interfaces. The trunk interface is automatically deleted if the node is deleted. + -When you deploy a security group for a [.noloc]`Pod` in a later step, the VPC resource controller creates a special network interface called a _branch network interface_ with a description of `aws-k8s-branch-eni` and associates the security groups to it. Branch network interfaces are created in addition to the standard and trunk network interfaces attached to the node. +When you deploy a security group for a [.noloc]`Pod` in a later step, the VPC resource controller creates a special network interface called a _branch network interface_ with a description of `aws-k8s-branch-eni` and associates the security groups to it. Branch network interfaces are created in addition to the standard and trunk network interfaces attached to the node. + If you are using liveness or readiness probes, then you also need to disable _TCP early demux_, so that the `kubelet` can connect to [.noloc]`Pods` on branch network interfaces using TCP. To disable _TCP early demux_, run the following command: + diff --git a/latest/ug/networking/sg-pods-example-deployment.adoc b/latest/ug/networking/sg-pods-example-deployment.adoc index 3f8b2a0f3..74f01aa23 100644 --- a/latest/ug/networking/sg-pods-example-deployment.adoc +++ b/latest/ug/networking/sg-pods-example-deployment.adoc @@ -147,7 +147,7 @@ Failed to create Pod sandbox: rpc error: code = Unknown desc = failed to set up cni failed to set up Pod "my-deployment-5df6f7687b-4fbjm-c89wx_my-namespace" network: add cmd: failed to assign an IP address to container ---- + -You can't exceed the maximum number of [.noloc]`Pods` that can be run on the instance type. For a list of the maximum number of [.noloc]`Pods` that you can run on each instance type, see https://github.com/awslabs/amazon-eks-ami/blob/main/templates/shared/runtime/eni-max-pods.txt[eni-max-pods.txt] on [.noloc]`GitHub`. When you delete a [.noloc]`Pod` that has associated security groups, or delete the node that the [.noloc]`Pod` is running on, the VPC resource controller deletes the branch network interface. If you delete a cluster with [.noloc]`Pods` using [.noloc]`Pods` for security groups, then the controller doesn't delete the branch network interfaces, so you'll need to delete them yourself. For information about how to delete network interfaces, see link:AWSEC2/latest/UserGuide/using-eni.html#delete_eni[Delete a network interface,type="documentation"] in the Amazon EC2 User Guide. +You can't exceed the maximum number of [.noloc]`Pods` that can be run on the instance type. For a list of the maximum number of [.noloc]`Pods` that you can run on each instance type, see https://github.com/awslabs/amazon-eks-ami/blob/main/templates/shared/runtime/eni-max-pods.txt[eni-max-pods.txt] on [.noloc]`GitHub`. When you delete a [.noloc]`Pod` that has associated security groups, or delete the node that the [.noloc]`Pod` is running on, the VPC resource controller deletes the branch network interface. If you delete a cluster with [.noloc]`Pods` using [.noloc]`Pods` for security groups, then the controller doesn't delete the branch network interfaces, so you'll need to delete them yourself. For information about how to delete network interfaces, see link:AWSEC2/latest/UserGuide/using-eni.html#delete_eni[Delete a network interface,type="documentation"] in the Amazon EC2 User Guide. . In a separate terminal, shell into one of the [.noloc]`Pods`. For the remainder of this topic, this terminal is referred to as `TerminalB`. Replace [.replaceable]`5df6f7687b-4fbjm` with the ID of one of the [.noloc]`Pods` returned in your output from the previous step. + [source,bash,subs="verbatim,attributes"] diff --git a/latest/ug/networking/vpc-add-on-create.adoc b/latest/ug/networking/vpc-add-on-create.adoc index ee4c4b95a..1ea2cb075 100644 --- a/latest/ug/networking/vpc-add-on-create.adoc +++ b/latest/ug/networking/vpc-add-on-create.adoc @@ -17,7 +17,7 @@ The following are prerequisites for the [.noloc]`Amazon VPC CNI plugin for Kuber * An existing Amazon EKS cluster. To deploy one, see <>. * An existing {aws} Identity and Access Management (IAM) [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you already have one, or to create one, see <>. -* An IAM role with the link:aws-managed-policy/latest/reference/AmazonEKS_CNI_Policy.html[AmazonEKS_CNI_Policy,type="documentation"] IAM policy (if your cluster uses the `IPv4` family) or an IPv6 policy (if your cluster uses the `IPv6` family) attached to it. For more information about the VPC CNI role, see <>. For information about the IPv6 policy, see <>. +* An IAM role with the link:aws-managed-policy/latest/reference/AmazonEKS_CNI_Policy.html[AmazonEKS_CNI_Policy,type="documentation"] IAM policy (if your cluster uses the `IPv4` family) or an IPv6 policy (if your cluster uses the `IPv6` family) attached to it. For more information about the VPC CNI role, see <>. For information about the IPv6 policy, see <>. * If you're using version `1.7.0` or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` and you use custom [.noloc]`Pod` security policies, see <> and <>. [IMPORTANT] diff --git a/latest/ug/networking/vpc-add-on-self-managed-update.adoc b/latest/ug/networking/vpc-add-on-self-managed-update.adoc index 45c247295..9e7be985d 100644 --- a/latest/ug/networking/vpc-add-on-self-managed-update.adoc +++ b/latest/ug/networking/vpc-add-on-self-managed-update.adoc @@ -18,7 +18,7 @@ We recommend adding the Amazon EKS type of the add-on to your cluster instead of aws eks describe-addon --cluster-name my-cluster --addon-name vpc-cni --query addon.addonVersion --output text ---- + -If an error message is returned, you don't have the Amazon EKS type of the add-on installed on your cluster. To self-manage the add-on, complete the remaining steps in this procedure to update the add-on. If a version number is returned, you have the Amazon EKS type of the add-on installed on your cluster. To update it, use the procedure in <>, rather than using this procedure. If you're not familiar with the differences between the add-on types, see <>. +If an error message is returned, you don't have the Amazon EKS type of the add-on installed on your cluster. To self-manage the add-on, complete the remaining steps in this procedure to update the add-on. If a version number is returned, you have the Amazon EKS type of the add-on installed on your cluster. To update it, use the procedure in <>, rather than using this procedure. If you're not familiar with the differences between the add-on types, see <>. . See which version of the container image is currently installed on your cluster. + [source,bash,subs="verbatim,attributes"] diff --git a/latest/ug/nodes/choosing-instance-type.adoc b/latest/ug/nodes/choosing-instance-type.adoc index 266ef5ad1..0277669b8 100644 --- a/latest/ug/nodes/choosing-instance-type.adoc +++ b/latest/ug/nodes/choosing-instance-type.adoc @@ -29,11 +29,11 @@ In general, fewer, larger instances are better, especially if you have a lot of *Operating system*:: -Review the supported instance types for link:AWSEC2/latest/UserGuide/instance-types.html[Linux,type="documentation"], link:AWSEC2/latest/WindowsGuide/instance-types.html[Windows,type="documentation"], and link:bottlerocket/faqs/[Bottlerocket,type="marketing"]. Before creating [.noloc]`Windows` instances, review <>. +Review the supported instance types for link:AWSEC2/latest/UserGuide/instance-types.html[Linux,type="documentation"], link:AWSEC2/latest/WindowsGuide/instance-types.html[Windows,type="documentation"], and link:bottlerocket/faqs/[Bottlerocket,type="marketing"]. Before creating [.noloc]`Windows` instances, review <>. *Hardware architecture*:: -Do you need [.noloc]`x86` or [.noloc]`Arm`? Before deploying [.noloc]`Arm` instances, review <>. Do you need instances built on the [.noloc]`Nitro System` ( link:AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances[Linux,type="documentation"] or link:AWSEC2/latest/WindowsGuide/instance-types.html#ec2-nitro-instances[Windows,type="documentation"]) or that have link:AWSEC2/latest/WindowsGuide/accelerated-computing-instances.html[Accelerated,type="documentation"] capabilities? If you need accelerated capabilities, you can only use [.noloc]`Linux` with Amazon EKS. +Do you need [.noloc]`x86` or [.noloc]`Arm`? Before deploying [.noloc]`Arm` instances, review <>. Do you need instances built on the [.noloc]`Nitro System` ( link:AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances[Linux,type="documentation"] or link:AWSEC2/latest/WindowsGuide/instance-types.html#ec2-nitro-instances[Windows,type="documentation"]) or that have link:AWSEC2/latest/WindowsGuide/accelerated-computing-instances.html[Accelerated,type="documentation"] capabilities? If you need accelerated capabilities, you can only use [.noloc]`Linux` with Amazon EKS. *Maximum number of [.noloc]`Pods`*:: diff --git a/latest/ug/nodes/create-managed-node-group.adoc b/latest/ug/nodes/create-managed-node-group.adoc index d1bafe3ec..f1c6354ae 100644 --- a/latest/ug/nodes/create-managed-node-group.adoc +++ b/latest/ug/nodes/create-managed-node-group.adoc @@ -47,7 +47,7 @@ eksctl version For instructions on how to install or upgrade `eksctl`, see https://eksctl.io/installation[Installation] in the `eksctl` documentation. -. (Optional) If the *AmazonEKS_CNI_Policy* managed IAM policy is attached to your <>, we recommend assigning it to an IAM role that you associate to the [.noloc]`Kubernetes` `aws-node` service account instead. For more information, see <>. +. (Optional) If the *AmazonEKS_CNI_Policy* managed IAM policy is attached to your <>, we recommend assigning it to an IAM role that you associate to the [.noloc]`Kubernetes` `aws-node` service account instead. For more information, see <>. . Create a managed node group with or without using a custom launch template. Manually specifying a launch template allows for greater customization of a node group. For example, it can allow deploying a custom AMI or providing arguments to the `boostrap.sh` script in an Amazon EKS optimized AMI. For a complete list of every available option and default, enter the following command. + [source,bash,subs="verbatim,attributes"] @@ -99,7 +99,7 @@ eksctl create nodegroup \ Your instances can optionally assign a significantly higher number of IP addresses to [.noloc]`Pods`, assign IP addresses to [.noloc]`Pods` from a different CIDR block than the instance's, and be deployed to a cluster without internet access. For more information, see <>, <>, and <> for additional options to add to the previous command. -Managed node groups calculates and applies a single value for the maximum number of [.noloc]`Pods` that can run on each node of your node group, based on instance type. If you create a node group with different instance types, the smallest value calculated across all instance types is applied as the maximum number of [.noloc]`Pods` that can run on every instance type in the node group. Managed node groups calculates the value using the script referenced in <>. +Managed node groups calculates and applies a single value for the maximum number of [.noloc]`Pods` that can run on each node of your node group, based on instance type. If you create a node group with different instance types, the smallest value calculated across all instance types is applied as the maximum number of [.noloc]`Pods` that can run on every instance type in the node group. Managed node groups calculates the value using the script referenced in <>. *With a launch template* @@ -135,9 +135,9 @@ EOF + For a complete list of `eksctl` config file settings, see https://eksctl.io/usage/schema/[Config file schema] in the `eksctl` documentation. Your instances can optionally assign a significantly higher number of IP addresses to [.noloc]`Pods`, assign IP addresses to [.noloc]`Pods` from a different CIDR block than the instance's, use the `containerd` runtime, and be deployed to a cluster without outbound internet access. For more information, see <>, <>, <>, and <> for additional options to add to the config file. + -If you didn't specify an AMI ID in your launch template, managed node groups calculates and applies a single value for the maximum number of [.noloc]`Pods` that can run on each node of your node group, based on instance type. If you create a node group with different instance types, the smallest value calculated across all instance types is applied as the maximum number of [.noloc]`Pods` that can run on every instance type in the node group. Managed node groups calculates the value using the script referenced in <>. +If you didn't specify an AMI ID in your launch template, managed node groups calculates and applies a single value for the maximum number of [.noloc]`Pods` that can run on each node of your node group, based on instance type. If you create a node group with different instance types, the smallest value calculated across all instance types is applied as the maximum number of [.noloc]`Pods` that can run on every instance type in the node group. Managed node groups calculates the value using the script referenced in <>. + -If you specified an AMI ID in your launch template, specify the maximum number of [.noloc]`Pods` that can run on each node of your node group if you're using <> or want to <>. For more information, see <>. +If you specified an AMI ID in your launch template, specify the maximum number of [.noloc]`Pods` that can run on each node of your node group if you're using <> or want to <>. For more information, see <>. .. Deploy the nodegroup with the following command. + @@ -155,7 +155,7 @@ eksctl create nodegroup --config-file eks-nodegroup.yaml . Choose the name of the cluster that you want to create a managed node group in. . Select the *Compute* tab. . Choose *Add node group*. -. On the *Configure node group* page, fill out the parameters accordingly, and then choose *Next*. +. On the *Configure node group* page, fill out the parameters accordingly, and then choose *Next*. + ** *Name* – Enter a unique name for your managed node group. The node group name can't be longer than 63 characters. It must start with letter or digit, but can also include hyphens and underscores for the remaining characters. ** *Node IAM role* – Choose the node instance role to use with your node group. For more information, see <>. @@ -167,15 +167,15 @@ eksctl create nodegroup --config-file eks-nodegroup.yaml **** We recommend using a role that's not currently in use by any self-managed node group. Otherwise, you plan to use with a new self-managed node group. For more information, see <>. ==== -*** *Use launch template* – (Optional) Choose if you want to use an existing launch template. Select a *Launch Template Name*. Then, select a *Launch template version*. If you don't select a version, then Amazon EKS uses the template's default version. Launch templates allow for more customization of your node group, such as allowing you to deploy a custom AMI, assign a significantly higher number of IP addresses to [.noloc]`Pods`, assign IP addresses to [.noloc]`Pods` from a different CIDR block than the instance's, enable the `containerd` runtime for your instances, and deploying nodes to a cluster without outbound internet access. For more information, see <>, <>, <>, and <>. +*** *Use launch template* – (Optional) Choose if you want to use an existing launch template. Select a *Launch Template Name*. Then, select a *Launch template version*. If you don't select a version, then Amazon EKS uses the template's default version. Launch templates allow for more customization of your node group, such as allowing you to deploy a custom AMI, assign a significantly higher number of IP addresses to [.noloc]`Pods`, assign IP addresses to [.noloc]`Pods` from a different CIDR block than the instance's, enable the `containerd` runtime for your instances, and deploying nodes to a cluster without outbound internet access. For more information, see <>, <>, <>, and <>. + The launch template must meet the requirements in <>. If you don't use your own launch template, the Amazon EKS API creates a default Amazon EC2 launch template in your account and deploys the node group using the default launch template. + If you implement <>, assign necessary permissions directly to every [.noloc]`Pod` that requires access to {aws} services, and no [.noloc]`Pods` in your cluster require access to IMDS for other reasons, such as retrieving the current {aws} Region, then you can also disable access to IMDS for [.noloc]`Pods` that don't use host networking in a launch template. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. *** *[.noloc]`Kubernetes` labels* – (Optional) You can choose to apply [.noloc]`Kubernetes` labels to the nodes in your managed node group. -*** *[.noloc]`Kubernetes` taints* – (Optional) You can choose to apply [.noloc]`Kubernetes` taints to the nodes in your managed node group. The available options in the *Effect* menu are `*NoSchedule*`, `*NoExecute*`, and `*PreferNoSchedule*`. For more information, see <>. +*** *[.noloc]`Kubernetes` taints* – (Optional) You can choose to apply [.noloc]`Kubernetes` taints to the nodes in your managed node group. The available options in the *Effect* menu are `*NoSchedule*`, `*NoExecute*`, and `*PreferNoSchedule*`. For more information, see <>. *** *Tags* – (Optional) You can choose to tag your Amazon EKS managed node group. These tags don't propagate to other resources in the node group, such as Auto Scaling groups or instances. For more information, see <>. -. On the *Set compute and scaling configuration* page, fill out the parameters accordingly, and then choose *Next*. +. On the *Set compute and scaling configuration* page, fill out the parameters accordingly, and then choose *Next*. + *** *AMI type* – Select an AMI type.If you are deploying Arm instances, be sure to review the considerations in <> before deploying. + @@ -183,7 +183,7 @@ If you specified a launch template on the previous page, and specified an AMI in *** *Capacity type* – Select a capacity type. For more information about choosing a capacity type, see <>. You can't mix different capacity types within the same node group. If you want to use both capacity types, create separate node groups, each with their own capacity and instance types. See <> for information on provisioning and scaling GPU-accelerated worker nodes. *** *Instance types* – By default, one or more instance type is specified. To remove a default instance type, select the `X` on the right side of the instance type. Choose the instance types to use in your managed node group. For more information, see <>. + -The console displays a set of commonly used instance types. If you need to create a managed node group with an instance type that's not displayed, then use `eksctl`, the {aws} CLI, {aws} CloudFormation, or an SDK to create the node group. If you specified a launch template on the previous page, then you can't select a value because the instance type must be specified in the launch template. The value from the launch template is displayed. If you selected *Spot* for *Capacity type*, then we recommend specifying multiple instance types to enhance availability. +The console displays a set of commonly used instance types. If you need to create a managed node group with an instance type that's not displayed, then use `eksctl`, the {aws} CLI, {aws} CloudFormation, or an SDK to create the node group. If you specified a launch template on the previous page, then you can't select a value because the instance type must be specified in the launch template. The value from the launch template is displayed. If you selected *Spot* for *Capacity type*, then we recommend specifying multiple instance types to enhance availability. *** *Disk size* – Enter the disk size (in GiB) to use for your node's root volume. + If you specified a launch template on the previous page, then you can't select a value because it must be specified in the launch template. @@ -192,12 +192,12 @@ If you specified a launch template on the previous page, then you can't select a NOTE: Amazon EKS doesn't automatically scale your node group in or out. However, you can configure the [.noloc]`Kubernetes` Cluster Autoscaler to do this for you. For more information, see https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaler on {aws}]. *** *Minimum size* – Specify the minimum number of nodes that the managed node group can scale in to. *** *Maximum size* – Specify the maximum number of nodes that the managed node group can scale out to. -*** *Node group update configuration* – (Optional) You can select the number or percentage of nodes to be updated in parallel. These nodes will be unavailable during the update. For *Maximum unavailable*, select one of the following options and specify a *Value*: +*** *Node group update configuration* – (Optional) You can select the number or percentage of nodes to be updated in parallel. These nodes will be unavailable during the update. For *Maximum unavailable*, select one of the following options and specify a *Value*: + **** *Number* – Select and specify the number of nodes in your node group that can be updated in parallel. **** *Percentage* – Select and specify the percentage of nodes in your node group that can be updated in parallel. This is useful if you have a large number of nodes in your node group. *** *Node auto repair configuration* – (Optional) If you activate the *Enable node auto repair* checkbox, Amazon EKS will automatically replace nodes when detected issues occur. For more information, see <>. -. On the *Specify networking* page, fill out the parameters accordingly, and then choose *Next*. +. On the *Specify networking* page, fill out the parameters accordingly, and then choose *Next*. + *** *Subnets* – Choose the subnets to launch your managed nodes into. + @@ -208,7 +208,7 @@ If you are running a stateful application across multiple Availability Zones tha + [IMPORTANT] ==== -**** If you choose a public subnet, and your cluster has only the public API server endpoint enabled, then the subnet must have `MapPublicIPOnLaunch` set to `true` for the instances to successfully join a cluster. If the subnet was created using `eksctl` or the <> on or after March 26, 2020, then this setting is already set to `true`. If the subnets were created with `eksctl` or the {aws} CloudFormation templates before March 26, 2020, then you need to change the setting manually. For more information, see link:vpc/latest/userguide/vpc-ip-addressing.html#subnet-public-ip[Modifying the public IPv4 addressing attribute for your subnet,type="documentation"]. +**** If you choose a public subnet, and your cluster has only the public API server endpoint enabled, then the subnet must have `MapPublicIPOnLaunch` set to `true` for the instances to successfully join a cluster. If the subnet was created using `eksctl` or the <> on or after March 26, 2020, then this setting is already set to `true`. If the subnets were created with `eksctl` or the {aws} CloudFormation templates before March 26, 2020, then you need to change the setting manually. For more information, see link:vpc/latest/userguide/vpc-ip-addressing.html#subnet-public-ip[Modifying the public IPv4 addressing attribute for your subnet,type="documentation"]. **** If you use a launch template and specify multiple network interfaces, Amazon EC2 won't auto-assign a public `IPv4` address, even if `MapPublicIpOnLaunch` is set to `true`. For nodes to join the cluster in this scenario, you must either enable the cluster's private API server endpoint, or launch nodes in a private subnet with outbound internet access provided through an alternative method, such as a NAT Gateway. For more information, see link:AWSEC2/latest/UserGuide/using-instance-addressing.html[Amazon EC2 instance IP addressing,type="documentation"] in the _Amazon EC2 User Guide_. ==== @@ -219,7 +219,7 @@ If you chose to use a launch template, then this option isn't shown. To enable r NOTE: For [.noloc]`Windows`, this command doesn't enable SSH. Instead, it associates your Amazon EC2 key pair with the instance and allows you to RDP into the instance. *** For *SSH key pair* (Optional), choose an Amazon EC2 SSH key to use. For [.noloc]`Linux` information, see link:AWSEC2/latest/UserGuide/ec2-key-pairs.html[Amazon EC2 key pairs and Linux instances,type="documentation"] in the _Amazon EC2 User Guide_. For [.noloc]`Windows` information, see link:AWSEC2/latest/WindowsGuide/ec2-key-pairs.html[Amazon EC2 key pairs and Windows instances,type="documentation"] in the _Amazon EC2 User Guide_. If you chose to use a launch template, then you can't select one. When an Amazon EC2 SSH key is provided for node groups using [.noloc]`Bottlerocket` AMIs, the administrative container is also enabled. For more information, see https://github.com/bottlerocket-os/bottlerocket#admin-container[Admin container] on [.noloc]`GitHub`. *** For *Allow SSH remote access from*, if you want to limit access to specific instances, then select the security groups that are associated to those instances. If you don't select specific security groups, then SSH access is allowed from anywhere on the internet (`0.0.0.0/0`). -. On the *Review and create* page, review your managed node group configuration and choose *Create*. +. On the *Review and create* page, review your managed node group configuration and choose *Create*. + If nodes fail to join the cluster, then see <> in the Troubleshooting chapter. . Watch the status of your nodes and wait for them to reach the `Ready` status. @@ -238,7 +238,7 @@ kubectl apply -f https://raw.githubusercontent.com/NVIDIA/k8s-device-plugin/vX.X == Install Kubernetes add-ons Now that you have a working Amazon EKS cluster with nodes, you're ready to start installing [.noloc]`Kubernetes` add-ons and deploying applications to your cluster. The following documentation topics help you to extend the functionality of your cluster. -* The link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that created the cluster is the only principal that can make calls to the [.noloc]`Kubernetes` API server with `kubectl` or the {aws-management-console}. If you want other IAM principals to have access to your cluster, then you need to add them. For more information, see <> and <>. +* The link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that created the cluster is the only principal that can make calls to the [.noloc]`Kubernetes` API server with `kubectl` or the {aws-management-console}. If you want other IAM principals to have access to your cluster, then you need to add them. For more information, see <> and <>. * We recommend blocking [.noloc]`Pod` access to IMDS if the following conditions are true: + ** You plan to assign IAM roles to all of your [.noloc]`Kubernetes` service accounts so that [.noloc]`Pods` only have the minimum permissions that they need. diff --git a/latest/ug/nodes/delete-fargate-profile.adoc b/latest/ug/nodes/delete-fargate-profile.adoc index f8fec0f97..69cf08873 100644 --- a/latest/ug/nodes/delete-fargate-profile.adoc +++ b/latest/ug/nodes/delete-fargate-profile.adoc @@ -39,7 +39,7 @@ eksctl delete fargateprofile --name my-profile --cluster my-cluster . In the left navigation pane, choose *Clusters*. In the list of clusters, choose the cluster that you want to delete the Fargate profile from. . Choose the *Compute* tab. . Choose the Fargate profile to delete, and then choose *Delete*. -. On the *Delete Fargate profile* page, enter the name of the profile, and then choose *Delete*. +. On the *Delete Fargate profile* page, enter the name of the profile, and then choose *Delete*. == {aws} CLI [[awscli_delete_a_fargate_profile]] diff --git a/latest/ug/nodes/delete-managed-node-group.adoc b/latest/ug/nodes/delete-managed-node-group.adoc index 26f2601a7..0d8b9ede7 100644 --- a/latest/ug/nodes/delete-managed-node-group.adoc +++ b/latest/ug/nodes/delete-managed-node-group.adoc @@ -51,8 +51,8 @@ For more options, see https://eksctl.io/usage/nodegroups/#deleting-and-draining- . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. . On the *Clusters* page, choose the cluster that contains the node group to delete. . On the selected cluster page, choose the *Compute* tab. -. In the *Node groups* section, choose the node group to delete. Then choose *Delete*. -. In the *Delete node group* confirmation dialog box, enter the name of the node group. Then choose *Delete*. +. In the *Node groups* section, choose the node group to delete. Then choose *Delete*. +. In the *Delete node group* confirmation dialog box, enter the name of the node group. Then choose *Delete*. == {aws} CLI [[awscli-delete-managed-nodegroup]] diff --git a/latest/ug/nodes/dockershim-deprecation.adoc b/latest/ug/nodes/dockershim-deprecation.adoc index df3d816d6..272ab136f 100644 --- a/latest/ug/nodes/dockershim-deprecation.adoc +++ b/latest/ug/nodes/dockershim-deprecation.adoc @@ -92,7 +92,7 @@ Run the following command to create the node group. eksctl create nodegroup -f my-nodegroup.yaml ---- + -If you prefer to use a different tool to create your managed node group, you must deploy the node group using a launch template. In your launch template, specify an <>, then <> and provide the following user data. This user data passes arguments into the `bootstrap.sh` file. For more information about the bootstrap file, see https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap.sh] on [.noloc]`GitHub`. +If you prefer to use a different tool to create your managed node group, you must deploy the node group using a launch template. In your launch template, specify an <>, then <> and provide the following user data. This user data passes arguments into the `bootstrap.sh` file. For more information about the bootstrap file, see https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap.sh] on [.noloc]`GitHub`. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/nodes/eks-custom-ami-windows.adoc b/latest/ug/nodes/eks-custom-ami-windows.adoc index 9cd221c5d..d2affe9a2 100644 --- a/latest/ug/nodes/eks-custom-ami-windows.adoc +++ b/latest/ug/nodes/eks-custom-ami-windows.adoc @@ -44,8 +44,8 @@ This option is the recommended way to build your custom [.noloc]`Windows` AMIs. .. Open the EC2 Image Builder console at https://console.aws.amazon.com/imagebuilder. .. In the left navigation pane, choose *Image recipes*. .. Choose *Create image recipe*. -. In the *Recipe details* section, enter a *Name* and *Version*. -. Specify the ID of the Amazon EKS optimized [.noloc]`Windows` AMI in the *Base image* section. +. In the *Recipe details* section, enter a *Name* and *Version*. +. Specify the ID of the Amazon EKS optimized [.noloc]`Windows` AMI in the *Base image* section. + .. Choose *Enter custom AMI ID*. .. Retrieve the AMI ID for the [.noloc]`Windows` OS version that you require. For more information, see <>. @@ -55,7 +55,7 @@ This option is the recommended way to build your custom [.noloc]`Windows` AMIs. .. From the dropdown list to the right of the *Find components by name* search box, choose *Amazon-managed*. .. In the *Find components by name* search box, enter `update-windows`. .. Select the check box of the *`update-windows`* search result. This component includes the latest [.noloc]`Windows` patches for the operating system. -. Complete the remaining image recipe inputs with your required configurations. For more information, see link:imagebuilder/latest/userguide/create-image-recipes.html#create-image-recipe-version-console[Create a new image recipe version (console),type="documentation"] in the Image Builder User Guide. +. Complete the remaining image recipe inputs with your required configurations. For more information, see link:imagebuilder/latest/userguide/create-image-recipes.html#create-image-recipe-version-console[Create a new image recipe version (console),type="documentation"] in the Image Builder User Guide. . Choose *Create recipe*. . Use the new image recipe in a new or existing image pipeline. Once your image pipeline runs successfully, your custom AMI will be listed as an output image and is ready for use. For more information, see link:imagebuilder/latest/userguide/start-build-image-pipeline.html[Create an image pipeline using the EC2 Image Builder console wizard,type="documentation"]. @@ -70,24 +70,24 @@ When using an Amazon EKS optimized [.noloc]`Windows` AMI as a base isn't viable, .. Open the EC2 Image Builder console at https://console.aws.amazon.com/imagebuilder. .. In the left navigation pane, choose *Image recipes*. .. Choose *Create image recipe*. -. In the *Recipe details* section, enter a *Name* and *Version*. +. In the *Recipe details* section, enter a *Name* and *Version*. . Determine which option you will be using to create your custom AMI in the *Base image* section: + -** *Select managed images* – Choose *Windows* for your *Image Operating System (OS)*. Then choose one of the following options for *Image origin*. +** *Select managed images* – Choose *Windows* for your *Image Operating System (OS)*. Then choose one of the following options for *Image origin*. + -*** *Quick start (Amazon-managed)* – In the *Image name* dropdown, choose an Amazon EKS supported [.noloc]`Windows` Server version. For more information, see <>. -*** *Images owned by me* – For *Image name*, choose the ARN of your own image with your own license. The image that you provide can't already have Amazon EKS components installed. +*** *Quick start (Amazon-managed)* – In the *Image name* dropdown, choose an Amazon EKS supported [.noloc]`Windows` Server version. For more information, see <>. +*** *Images owned by me* – For *Image name*, choose the ARN of your own image with your own license. The image that you provide can't already have Amazon EKS components installed. ** *Enter custom AMI ID* – For AMI ID, enter the ID for your AMI with your own license. The image that you provide can't already have Amazon EKS components installed. . In the *Build components - Windows* section, do the following: + -.. From the dropdown list to the right of the *Find components by name* search box, choose *Amazon-managed*. +.. From the dropdown list to the right of the *Find components by name* search box, choose *Amazon-managed*. .. In the *Find components by name* search box, enter `eks`. .. Select the check box of the *`eks-optimized-ami-windows`* search result, even though the result returned may not be the version that you want. .. In the *Find components by name* search box, enter `update-windows` . .. Select the check box of the *update-windows* search result. This component includes the latest [.noloc]`Windows` patches for the operating system. . In the *Selected components* section, do the following: + -.. Choose *Versioning options* for *`eks-optimized-ami-windows`*. +.. Choose *Versioning options* for *`eks-optimized-ami-windows`*. .. Choose *Specify component version*. .. In the *Component Version* field, enter [.replaceable]`version.x`, replacing [.replaceable]`version` with a supported [.noloc]`Kubernetes` version. Entering an [.replaceable]`x` for part of the version number indicates to use the latest component version that also aligns with the part of the version you explicitly define. Pay attention to the console output as it will advise you on whether your desired version is available as a managed component. Keep in mind that the most recent [.noloc]`Kubernetes` versions may not be available for the build component. For more information about available versions, see <>. + @@ -95,7 +95,7 @@ NOTE: The following `eks-optimized-ami-windows` build component versions require *** `1.24.0` -. Complete the remaining image recipe inputs with your required configurations. For more information, see link:imagebuilder/latest/userguide/create-image-recipes.html#create-image-recipe-version-console[Create a new image recipe version (console),type="documentation"] in the Image Builder User Guide. +. Complete the remaining image recipe inputs with your required configurations. For more information, see link:imagebuilder/latest/userguide/create-image-recipes.html#create-image-recipe-version-console[Create a new image recipe version (console),type="documentation"] in the Image Builder User Guide. . Choose *Create recipe*. . Use the new image recipe in a new or existing image pipeline. Once your image pipeline runs successfully, your custom AMI will be listed as an output image and is ready for use. For more information, see link:imagebuilder/latest/userguide/start-build-image-pipeline.html[Create an image pipeline using the EC2 Image Builder console wizard,type="documentation"]. @@ -107,12 +107,12 @@ You can retrieve specific information regarding what is installed with each comp . Open the EC2 Image Builder console at https://console.aws.amazon.com/imagebuilder. . In the left navigation pane, choose *Components*. -. From the dropdown list to the right of the *Find components by name* search box, change *Owned by me* to *Quick start (Amazon-managed)*. +. From the dropdown list to the right of the *Find components by name* search box, change *Owned by me* to *Quick start (Amazon-managed)*. . In the *Find components by name* box, enter `eks`. . (Optional) If you are using a recent version, sort the *Version* column in descending order by choosing it twice. . Choose the *`eks-optimized-ami-windows`* link with a desired version. -The *Description* in the resulting page shows the specific information. +The *Description* in the resulting page shows the specific information. 📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-custom-ami-windows%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/eks-optimized-ami.adoc b/latest/ug/nodes/eks-optimized-ami.adoc index daa7479e3..3e1a5a42b 100644 --- a/latest/ug/nodes/eks-optimized-ami.adoc +++ b/latest/ug/nodes/eks-optimized-ami.adoc @@ -29,7 +29,7 @@ The Amazon EKS optimized Amazon Linux AMIs are built on top of Amazon Linux 2 (A ==== * You can track security or privacy events for Amazon Linux at the https://alas.aws.amazon.com/[Amazon Linux security center] by choosing the tab for your desired version. You can also subscribe to the applicable RSS feed. Security and privacy events include an overview of the issue, what packages are affected, and how to update your instances to correct the issue. -* Before deploying an accelerated or [.noloc]`Arm` AMI, review the information in <> and <>. +* Before deploying an accelerated or [.noloc]`Arm` AMI, review the information in <> and <>. * For [.noloc]`Kubernetes` version `1.23`, you can use an optional bootstrap flag to test migration from [.noloc]`Docker` to `containerd`. For more information, see <>. * Amazon EC2 `P2` instances aren't supported on Amazon EKS because they require `NVIDIA` driver version 470 or earlier. * Any newly created managed node groups in clusters on version `1.30` or newer will automatically default to using AL2023 as the node operating system. Previously, new node groups would default to AL2. You can continue to use AL2 by choosing it as the AMI type when creating a new node group. diff --git a/latest/ug/nodes/fargate-getting-started.adoc b/latest/ug/nodes/fargate-getting-started.adoc index 21f620e76..7173ce3f8 100644 --- a/latest/ug/nodes/fargate-getting-started.adoc +++ b/latest/ug/nodes/fargate-getting-started.adoc @@ -23,7 +23,7 @@ If you're working with a new cluster with no nodes, or a cluster with only manag Assume that you're working with an existing cluster that already has nodes that are associated with it. Make sure that [.noloc]`Pods` on these nodes can communicate freely with the [.noloc]`Pods` that are running on Fargate. [.noloc]`Pods` that are running on Fargate are automatically configured to use the cluster security group for the cluster that they're associated with. Ensure that any existing nodes in your cluster can send and receive traffic to and from the cluster security group. Managed node groups are automatically configured to use the cluster security group as well, so you don't need to modify or check them for this compatibility (see <>). -For existing node groups that were created with `eksctl` or the Amazon EKS managed {aws} CloudFormation templates, you can add the cluster security group to the nodes manually. Or, alternatively, you can modify the Auto Scaling group launch template for the node group to attach the cluster security group to the instances. For more information, see link:vpc/latest/userguide/VPC_SecurityGroups.html#SG_Changing_Group_Membership[Changing an instance's security groups,type="documentation"] in the _Amazon VPC User Guide_. +For existing node groups that were created with `eksctl` or the Amazon EKS managed {aws} CloudFormation templates, you can add the cluster security group to the nodes manually. Or, alternatively, you can modify the Auto Scaling group launch template for the node group to attach the cluster security group to the instances. For more information, see link:vpc/latest/userguide/VPC_SecurityGroups.html#SG_Changing_Group_Membership[Changing an instance's security groups,type="documentation"] in the _Amazon VPC User Guide_. You can check for a security group for your cluster in the {aws-management-console} under the *Networking* section for the cluster. Or, you can do this using the following {aws} CLI command. When using this command, replace [.replaceable]`my-cluster` with the name of your cluster. @@ -95,7 +95,7 @@ You can use certain wildcards for [.replaceable]`my-kubernetes-namespace` and [. . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. . Choose the cluster to create a Fargate profile for. . Choose the *Compute* tab. -. Under *Fargate profiles*, choose *Add Fargate profile*. +. Under *Fargate profiles*, choose *Add Fargate profile*. . On the *Configure Fargate profile* page, do the following: + .. For *Name*, enter a name for your Fargate profile. The name must be unique. @@ -116,13 +116,13 @@ NOTE: Only private subnets are supported for [.noloc]`Pods` that are running on *** You can add the label `infrastructure: fargate` to the selector so that only [.noloc]`Pods` in the specified namespace that also have the `infrastructure: fargate` [.noloc]`Kubernetes` label match the selector. *** You can use certain wildcards (for example, `key?: value?`) to match multiple namespaces (for example, `keya: valuea` and `keyb: valueb`). For more information, see <>. .. Choose *Next*. -. On the *Review and create* page, review the information for your Fargate profile and choose *Create*. +. On the *Review and create* page, review the information for your Fargate profile and choose *Create*. [#fargate-gs-coredns] == Step 4: Update [.noloc]`CoreDNS` -By default, [.noloc]`CoreDNS` is configured to run on Amazon EC2 infrastructure on Amazon EKS clusters. If you want to _only_ run your [.noloc]`Pods` on Fargate in your cluster, complete the following steps. +By default, [.noloc]`CoreDNS` is configured to run on Amazon EC2 infrastructure on Amazon EKS clusters. If you want to _only_ run your [.noloc]`Pods` on Fargate in your cluster, complete the following steps. [NOTE] ==== @@ -132,7 +132,7 @@ If you created your cluster with `eksctl` using the `--fargate` option, then you ==== . Create a Fargate profile for [.noloc]`CoreDNS` with the following command. Replace [.replaceable]`my-cluster` with your cluster name, [.replaceable]`111122223333` with your account ID, [.replaceable]`AmazonEKSFargatePodExecutionRole` with the name of your [.noloc]`Pod` execution role, and [.replaceable]`0000000000000001`, [.replaceable]`0000000000000002`, and [.replaceable]`0000000000000003` with the IDs of your private subnets. If you don't have a [.noloc]`Pod` execution role, you must create one first (see <>). + -IMPORTANT: The role ARN can't include a link:IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names[path,type="documentation"] other than `/`. For example, if the name of your role is `development/apps/my-role`, you need to change it to `my-role` when specifying the ARN for the role. The format of the role ARN must be `{arn-aws}iam::111122223333:role/role-name`. +IMPORTANT: The role ARN can't include a link:IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names[path,type="documentation"] other than `/`. For example, if the name of your role is `development/apps/my-role`, you need to change it to `my-role` when specifying the ARN for the role. The format of the role ARN must be `{arn-aws}iam::111122223333:role/role-name`. + [source,bash,subs="verbatim,attributes"] ---- @@ -167,7 +167,7 @@ kubectl patch deployment coredns \ kubectl rollout restart -n kube-system deployment coredns ---- * Deploy the <> to allow Ingress objects for your [.noloc]`Pods` running on Fargate. -* You can use the <> to set the initial correct size of CPU and memory for your Fargate [.noloc]`Pods`, and then use the <> to scale those [.noloc]`Pods`. If you want the Vertical Pod Autoscaler to automatically re-deploy [.noloc]`Pods` to Fargate with higher CPU and memory combinations, set the Vertical Pod Autoscaler's mode to either `Auto` or `Recreate`. This is to ensure correct functionality. For more information, see the https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler#quick-start[Vertical Pod Autoscaler] documentation on [.noloc]`GitHub`. +* You can use the <> to set the initial correct size of CPU and memory for your Fargate [.noloc]`Pods`, and then use the <> to scale those [.noloc]`Pods`. If you want the Vertical Pod Autoscaler to automatically re-deploy [.noloc]`Pods` to Fargate with higher CPU and memory combinations, set the Vertical Pod Autoscaler's mode to either `Auto` or `Recreate`. This is to ensure correct functionality. For more information, see the https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler#quick-start[Vertical Pod Autoscaler] documentation on [.noloc]`GitHub`. * You can set up the link:otel[{aws} Distro for OpenTelemetry,type="marketing"] (ADOT) collector for application monitoring by following link:AmazonCloudWatch/latest/monitoring/Container-Insights-EKS-otel.html[these instructions,type="documentation"]. diff --git a/latest/ug/nodes/fargate-pod-patching.adoc b/latest/ug/nodes/fargate-pod-patching.adoc index 18dbd2c22..ec6e54f5a 100644 --- a/latest/ug/nodes/fargate-pod-patching.adoc +++ b/latest/ug/nodes/fargate-pod-patching.adoc @@ -59,7 +59,7 @@ In addition, having multiple PDBs associated with a [.noloc]`Pod` can cause an e "evictErrorMessage": "This pod has multiple PodDisruptionBudget, which the eviction subresource does not support", ---- -You can create a desired action based on this event. For example, you can adjust your [.noloc]`Pod` disruption budget (PDB) to control how the [.noloc]`Pods` are evicted. More specifically, suppose that you start with a PDB that specifies the target percentage of [.noloc]`Pods` that are available. Before your [.noloc]`Pods` are force terminated during an upgrade, you can adjust the PDB to a different percentage of [.noloc]`Pods`. To receive this event, you must create an Amazon EventBridge rule in the {aws} account and {aws} Region that the cluster belongs to. The rule must use the following *Custom pattern*. For more information, see link:eventbridge/latest/userguide/eb-create-rule.html[Creating Amazon EventBridge rules that react to events,type="documentation"] in the _Amazon EventBridge User Guide_. +You can create a desired action based on this event. For example, you can adjust your [.noloc]`Pod` disruption budget (PDB) to control how the [.noloc]`Pods` are evicted. More specifically, suppose that you start with a PDB that specifies the target percentage of [.noloc]`Pods` that are available. Before your [.noloc]`Pods` are force terminated during an upgrade, you can adjust the PDB to a different percentage of [.noloc]`Pods`. To receive this event, you must create an Amazon EventBridge rule in the {aws} account and {aws} Region that the cluster belongs to. The rule must use the following *Custom pattern*. For more information, see link:eventbridge/latest/userguide/eb-create-rule.html[Creating Amazon EventBridge rules that react to events,type="documentation"] in the _Amazon EventBridge User Guide_. [source,json,subs="verbatim,attributes"] ---- @@ -69,7 +69,7 @@ You can create a desired action based on this event. For example, you can adjust } ---- -A suitable target can be set for the event to capture it. For a complete list of available targets, see link:eventbridge/latest/userguide/eb-targets.html[Amazon EventBridge targets,type="documentation"] in the _Amazon EventBridge User Guide_. You can also create a notification configuration in {aws} User Notifications. When using the {aws-management-console} to create the notification, under *Event Rules*, choose *Elastic Kubernetes Service (EKS)* for *{aws} service name* and *EKS Fargate Pod Scheduled Termination* for *Event type*. For more information, see link:notifications/latest/userguide/getting-started.html[Getting started with {aws} User Notifications,type="documentation"] in the {aws} User Notifications User Guide. +A suitable target can be set for the event to capture it. For a complete list of available targets, see link:eventbridge/latest/userguide/eb-targets.html[Amazon EventBridge targets,type="documentation"] in the _Amazon EventBridge User Guide_. You can also create a notification configuration in {aws} User Notifications. When using the {aws-management-console} to create the notification, under *Event Rules*, choose *Elastic Kubernetes Service (EKS)* for *{aws} service name* and *EKS Fargate Pod Scheduled Termination* for *Event type*. For more information, see link:notifications/latest/userguide/getting-started.html[Getting started with {aws} User Notifications,type="documentation"] in the {aws} User Notifications User Guide. See https://repost.aws/knowledge-center/fargate-pod-eviction-notice[FAQs: Fargate Pod eviction notice] in _{aws} re:Post_ for frequently asked questions regarding EKS Pod Evictions. diff --git a/latest/ug/nodes/fargate-profile.adoc b/latest/ug/nodes/fargate-profile.adoc index 10714bd20..f87d5225a 100644 --- a/latest/ug/nodes/fargate-profile.adoc +++ b/latest/ug/nodes/fargate-profile.adoc @@ -13,7 +13,7 @@ Before you schedule [.noloc]`Pods` on Fargate in your cluster, you must define a As an administrator, you can use a Fargate profile to declare which [.noloc]`Pods` run on Fargate. You can do this through the profile's selectors. You can add up to five selectors to each profile. Each selector must contain a namespace. The selector can also include labels. The label field consists of multiple optional key-value pairs. Pods that match a selector are scheduled on Fargate. Pods are matched using a namespace and the labels that are specified in the selector. If a namespace selector is defined without labels, Amazon EKS attempts to schedule all the [.noloc]`Pods` that run in that namespace onto Fargate using the profile. If a to-be-scheduled [.noloc]`Pod` matches any of the selectors in the Fargate profile, then that [.noloc]`Pod` is scheduled on Fargate. -If a [.noloc]`Pod` matches multiple Fargate profiles, you can specify which profile a [.noloc]`Pod` uses by adding the following [.noloc]`Kubernetes` label to the [.noloc]`Pod` specification: `eks.amazonaws.com/fargate-profile: [.replaceable]``my-fargate-profile```. The [.noloc]`Pod` must match a selector in that profile to be scheduled onto Fargate. [.noloc]`Kubernetes` affinity/anti-affinity rules do not apply and aren't necessary with Amazon EKS Fargate [.noloc]`Pods`. +If a [.noloc]`Pod` matches multiple Fargate profiles, you can specify which profile a [.noloc]`Pod` uses by adding the following [.noloc]`Kubernetes` label to the [.noloc]`Pod` specification: `eks.amazonaws.com/fargate-profile: my-fargate-profile`. The [.noloc]`Pod` must match a selector in that profile to be scheduled onto Fargate. [.noloc]`Kubernetes` affinity/anti-affinity rules do not apply and aren't necessary with Amazon EKS Fargate [.noloc]`Pods`. When you create a Fargate profile, you must specify a [.noloc]`Pod` execution role. This execution role is for the Amazon EKS components that run on the Fargate infrastructure using the profile. It's added to the cluster's [.noloc]`Kubernetes` https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Role Based Access Control] (RBAC) for authorization. That way, the `kubelet` that runs on the Fargate infrastructure can register with your Amazon EKS cluster and appear in your cluster as a node. The [.noloc]`Pod` execution role also provides IAM permissions to the Fargate infrastructure to allow read access to Amazon ECR image repositories. For more information, see <>. @@ -77,8 +77,6 @@ If there are multiple matching profiles for the namespace and labels in the [.no If you want to migrate existing Fargate [.noloc]`Pods` to new profiles that use wildcards, there are two ways to do so: - - * Create a new profile with matching selectors, then delete the old profiles. Pods labeled with old profiles are rescheduled to new matching profiles. * If you want to migrate workloads but aren't sure what Fargate labels are on each Fargate [.noloc]`Pod`, you can use the following method. Create a new profile with a name that sorts alphanumerically first among the profiles on the same cluster. Then, recycle the Fargate [.noloc]`Pods` that need to be migrated to new profiles. @@ -97,7 +95,7 @@ You can create a profile with the following: *To create a Fargate profile with `eksctl`* -Create your Fargate profile with the following `eksctl` command, replacing every [.replaceable]`example value` with your own values. You're required to specify a namespace. However, the `--labels` option isn't required. +Create your Fargate profile with the following `eksctl` command, replacing every example value with your own values. You're required to specify a namespace. However, the `--labels` option isn't required. [source,bash,subs="verbatim,attributes"] ---- @@ -108,7 +106,7 @@ eksctl create fargateprofile \ --labels key=value ---- -You can use certain wildcards for [.replaceable]`my-kubernetes-namespace` and [.replaceable]`key=value` labels. For more information, see <>. +You can use certain wildcards for `my-kubernetes-namespace` and `key=value` labels. For more information, see <>. == {aws-management-console} [[console_create_a_fargate_profile]] @@ -118,10 +116,10 @@ You can use certain wildcards for [.replaceable]`my-kubernetes-namespace` and [. . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. . Choose the cluster to create a Fargate profile for. . Choose the *Compute* tab. -. Under *Fargate profiles*, choose *Add Fargate profile*. +. Under *Fargate profiles*, choose *Add Fargate profile*. . On the *Configure Fargate profile* page, do the following: + -.. For *Name*, enter a unique name for your Fargate profile, such as [.replaceable]`my-profile`. +.. For *Name*, enter a unique name for your Fargate profile, such as `my-profile`. .. For *Pod execution role*, choose the [.noloc]`Pod` execution role to use with your Fargate profile. Only the IAM roles with the `eks-fargate-pods.amazonaws.com` service principal are shown. If you don't see any roles listed, you must create one. For more information, see <>. .. Modify the selected *Subnets* as needed. + @@ -139,7 +137,7 @@ NOTE: Only private subnets are supported for [.noloc]`Pods` that are running on *** You can add the label `infrastructure: fargate` to the selector so that only [.noloc]`Pods` in the specified namespace that also have the `infrastructure: fargate` [.noloc]`Kubernetes` label match the selector. *** You can use certain wildcards (for example, `key?: value?`) to match multiple namespaces (for example, `keya: valuea` and `keyb: valueb`). For more information, see <>. .. Choose *Next*. -. On the *Review and create* page, review the information for your Fargate profile and choose *Create*. +. On the *Review and create* page, review the information for your Fargate profile and choose *Create*. 📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23fargate-profile%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/fargate.adoc b/latest/ug/nodes/fargate.adoc index ee3cd1c0d..e719e8802 100644 --- a/latest/ug/nodes/fargate.adoc +++ b/latest/ug/nodes/fargate.adoc @@ -13,7 +13,7 @@ This topic discusses using Amazon EKS to run [.noloc]`Kubernetes` [.noloc]`Pods` This topic discusses using Amazon EKS to run [.noloc]`Kubernetes` [.noloc]`Pods` on {aws} Fargate. Fargate is a technology that provides on-demand, right-sized compute capacity for link:what-are-containers[containers,type="marketing"]. With Fargate, you don't have to provision, configure, or scale groups of virtual machines on your own to run containers. You also don't need to choose server types, decide when to scale your node groups, or optimize cluster packing. -You can control which [.noloc]`Pods` start on Fargate and how they run with <>. Fargate profiles are defined as part of your Amazon EKS cluster. Amazon EKS integrates [.noloc]`Kubernetes` with Fargate by using controllers that are built by {aws} using the upstream, extensible model provided by [.noloc]`Kubernetes`. These controllers run as part of the Amazon EKS managed [.noloc]`Kubernetes` control plane and are responsible for scheduling native [.noloc]`Kubernetes` [.noloc]`Pods` onto Fargate. The Fargate controllers include a new scheduler that runs alongside the default [.noloc]`Kubernetes` scheduler in addition to several mutating and validating admission controllers. When you start a [.noloc]`Pod` that meets the criteria for running on Fargate, the Fargate controllers that are running in the cluster recognize, update, and schedule the [.noloc]`Pod` onto Fargate. +You can control which [.noloc]`Pods` start on Fargate and how they run with <>. Fargate profiles are defined as part of your Amazon EKS cluster. Amazon EKS integrates [.noloc]`Kubernetes` with Fargate by using controllers that are built by {aws} using the upstream, extensible model provided by [.noloc]`Kubernetes`. These controllers run as part of the Amazon EKS managed [.noloc]`Kubernetes` control plane and are responsible for scheduling native [.noloc]`Kubernetes` [.noloc]`Pods` onto Fargate. The Fargate controllers include a new scheduler that runs alongside the default [.noloc]`Kubernetes` scheduler in addition to several mutating and validating admission controllers. When you start a [.noloc]`Pod` that meets the criteria for running on Fargate, the Fargate controllers that are running in the cluster recognize, update, and schedule the [.noloc]`Pod` onto Fargate. This topic describes the different components of [.noloc]`Pods` that run on Fargate, and calls out special considerations for using Fargate with Amazon EKS. @@ -34,13 +34,13 @@ Here are some things to consider about using Fargate on Amazon EKS. * The default `nofile` and `nproc` soft limit is 1024 and the hard limit is 65535 for Fargate [.noloc]`Pods`. * GPUs aren't currently available on Fargate. * Pods that run on Fargate are only supported on private subnets (with NAT gateway access to {aws} services, but not a direct route to an Internet Gateway), so your cluster's VPC must have private subnets available. For clusters without outbound internet access, see <>. -* You can use the <> to set the initial correct size of CPU and memory for your Fargate [.noloc]`Pods`, and then use the <> to scale those [.noloc]`Pods`. If you want the Vertical Pod Autoscaler to automatically re-deploy [.noloc]`Pods` to Fargate with larger CPU and memory combinations, set the mode for the Vertical Pod Autoscaler to either `Auto` or `Recreate` to ensure correct functionality. For more information, see the https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler#quick-start[Vertical Pod Autoscaler] documentation on [.noloc]`GitHub`. -* DNS resolution and DNS hostnames must be enabled for your VPC. For more information, see link:vpc/latest/userguide/vpc-dns.html#vpc-dns-updating[Viewing and updating DNS support for your VPC,type="documentation"]. +* You can use the <> to set the initial correct size of CPU and memory for your Fargate [.noloc]`Pods`, and then use the <> to scale those [.noloc]`Pods`. If you want the Vertical Pod Autoscaler to automatically re-deploy [.noloc]`Pods` to Fargate with larger CPU and memory combinations, set the mode for the Vertical Pod Autoscaler to either `Auto` or `Recreate` to ensure correct functionality. For more information, see the https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler#quick-start[Vertical Pod Autoscaler] documentation on [.noloc]`GitHub`. +* DNS resolution and DNS hostnames must be enabled for your VPC. For more information, see link:vpc/latest/userguide/vpc-dns.html#vpc-dns-updating[Viewing and updating DNS support for your VPC,type="documentation"]. * Amazon EKS Fargate adds defense-in-depth for [.noloc]`Kubernetes` applications by isolating each Pod within a Virtual Machine (VM). This VM boundary prevents access to host-based resources used by other Pods in the event of a container escape, which is a common method of attacking containerized applications and gain access to resources outside of the container. + Using Amazon EKS doesn't change your responsibilities under the <>. You should carefully consider the configuration of cluster security and governance controls. The safest way to isolate an application is always to run it in a separate cluster. -* Fargate profiles support specifying subnets from VPC secondary CIDR blocks. You might want to specify a secondary CIDR block. This is because there's a limited number of IP addresses available in a subnet. As a result, there's also a limited number of [.noloc]`Pods` that can be created in the cluster. By using different subnets for [.noloc]`Pods`, you can increase the number of available IP addresses. For more information, see link:vpc/latest/userguide/VPC_Subnets.html#vpc-resize[Adding IPv4 CIDR blocks to a VPC.,type="documentation"] -* The Amazon EC2 instance metadata service (IMDS) isn't available to [.noloc]`Pods` that are deployed to Fargate nodes. If you have [.noloc]`Pods` that are deployed to Fargate that need IAM credentials, assign them to your [.noloc]`Pods` using <>. If your [.noloc]`Pods` need access to other information available through IMDS, then you must hard code this information into your [.noloc]`Pod` spec. This includes the {aws} Region or Availability Zone that a [.noloc]`Pod` is deployed to. +* Fargate profiles support specifying subnets from VPC secondary CIDR blocks. You might want to specify a secondary CIDR block. This is because there's a limited number of IP addresses available in a subnet. As a result, there's also a limited number of [.noloc]`Pods` that can be created in the cluster. By using different subnets for [.noloc]`Pods`, you can increase the number of available IP addresses. For more information, see link:vpc/latest/userguide/VPC_Subnets.html#vpc-resize[Adding IPv4 CIDR blocks to a VPC.,type="documentation"] +* The Amazon EC2 instance metadata service (IMDS) isn't available to [.noloc]`Pods` that are deployed to Fargate nodes. If you have [.noloc]`Pods` that are deployed to Fargate that need IAM credentials, assign them to your [.noloc]`Pods` using <>. If your [.noloc]`Pods` need access to other information available through IMDS, then you must hard code this information into your [.noloc]`Pod` spec. This includes the {aws} Region or Availability Zone that a [.noloc]`Pod` is deployed to. * You can't deploy Fargate [.noloc]`Pods` to {aws} Outposts, {aws} Wavelength, or {aws} Local Zones. * Amazon EKS must periodically patch Fargate [.noloc]`Pods` to keep them secure. We attempt the updates in a way that reduces impact, but there are times when [.noloc]`Pods` must be deleted if they aren't successfully evicted. There are some actions you can take to minimize disruption. For more information, see <>. * The https://github.com/aws/amazon-vpc-cni-plugins[Amazon VPC CNI plugin for Amazon EKS] is installed on Fargate nodes. You can't use <> with Fargate nodes. diff --git a/latest/ug/nodes/launch-templates.adoc b/latest/ug/nodes/launch-templates.adoc index 92794e1e9..d65a5cc88 100644 --- a/latest/ug/nodes/launch-templates.adoc +++ b/latest/ug/nodes/launch-templates.adoc @@ -36,13 +36,13 @@ The following table lists the settings that are prohibited in a launch template. |Amazon EKS node group configuration -|*Subnet* under *Network interfaces* (*Add network interface*) -|*Subnets* under *Node group network configuration* on the *Specify networking* page +|*Subnet* under *Network interfaces* (*Add network interface*) +|*Subnets* under *Node group network configuration* on the *Specify networking* page -|*IAM instance profile* under *Advanced details* -|*Node IAM role* under *Node group configuration* on the *Configure Node group* page +|*IAM instance profile* under *Advanced details* +|*Node IAM role* under *Node group configuration* on the *Configure Node group* page -|*Shutdown behavior* and *Stop - Hibernate behavior* under *Advanced details*. Retain default *Don't include in launch template setting* in launch template for both settings. +|*Shutdown behavior* and *Stop - Hibernate behavior* under *Advanced details*. Retain default *Don't include in launch template setting* in launch template for both settings. |No equivalent. Amazon EKS must control the instance lifecycle, not the Auto Scaling group. |=== @@ -54,10 +54,10 @@ The following table lists the prohibited settings in a managed node group config |Launch template -|(Only if you specified a custom AMI in a launch template) *AMI type* under *Node group compute configuration* on *Set compute and scaling configuration* page – Console displays *Specified in launch template* and the AMI ID that was specified. +|(Only if you specified a custom AMI in a launch template) *AMI type* under *Node group compute configuration* on *Set compute and scaling configuration* page – Console displays *Specified in launch template* and the AMI ID that was specified. If *Application and OS Images (Amazon Machine Image)* wasn't specified in the launch template, you can select an AMI in the node group configuration. -a|*Application and OS Images (Amazon Machine Image)* under *Launch template contents* – You must specify an ID if you have either of the following requirements: +a|*Application and OS Images (Amazon Machine Image)* under *Launch template contents* – You must specify an ID if you have either of the following requirements: * Using a custom AMI. If you specify an AMI that doesn't meet the requirements listed in <>, the node group deployment will fail. @@ -70,21 +70,21 @@ a|*Application and OS Images (Amazon Machine Image)* under *Launch template con ** <> -|*Disk size* under *Node group compute configuration* on *Set compute and scaling configuration* page – Console displays *Specified in launch template*. -|*Size* under *Storage (Volumes)* (*Add new volume*). You must specify this in the launch template. +|*Disk size* under *Node group compute configuration* on *Set compute and scaling configuration* page – Console displays *Specified in launch template*. +|*Size* under *Storage (Volumes)* (*Add new volume*). You must specify this in the launch template. -|*SSH key pair* under *Node group configuration* on the *Specify Networking* page – The console displays the key that was specified in the launch template or displays *Not specified in launch template*. -|*Key pair name* under *Key pair (login)*. +|*SSH key pair* under *Node group configuration* on the *Specify Networking* page – The console displays the key that was specified in the launch template or displays *Not specified in launch template*. +|*Key pair name* under *Key pair (login)*. |You can't specify source security groups that are allowed remote access when using a launch template. -|*Security groups* under *Network settings* for the instance or *Security groups* under *Network interfaces* (*Add network interface*), but not both. For more information, see <>. +|*Security groups* under *Network settings* for the instance or *Security groups* under *Network interfaces* (*Add network interface*), but not both. For more information, see <>. |=== [NOTE] ==== -* If you deploy a node group using a launch template, specify zero or one *Instance type* under *Launch template contents* in a launch template. Alternatively, you can specify 0–20 instance types for *Instance types* on the *Set compute and scaling configuration* page in the console. Or, you can do so using other tools that use the Amazon EKS API. If you specify an instance type in a launch template, and use that launch template to deploy your node group, then you can't specify any instance types in the console or using other tools that use the Amazon EKS API. If you don't specify an instance type in a launch template, in the console, or using other tools that use the Amazon EKS API, the `t3.medium` instance type is used. If your node group is using the Spot capacity type, then we recommend specifying multiple instance types using the console. For more information, see <>. +* If you deploy a node group using a launch template, specify zero or one *Instance type* under *Launch template contents* in a launch template. Alternatively, you can specify 0–20 instance types for *Instance types* on the *Set compute and scaling configuration* page in the console. Or, you can do so using other tools that use the Amazon EKS API. If you specify an instance type in a launch template, and use that launch template to deploy your node group, then you can't specify any instance types in the console or using other tools that use the Amazon EKS API. If you don't specify an instance type in a launch template, in the console, or using other tools that use the Amazon EKS API, the `t3.medium` instance type is used. If your node group is using the Spot capacity type, then we recommend specifying multiple instance types using the console. For more information, see <>. * If any containers that you deploy to the node group use the Instance Metadata Service Version 2, make sure to set the *Metadata response hop limit* to `2` in your launch template. For more information, see link:AWSEC2/latest/UserGuide/ec2-instance-metadata.html[Instance metadata and user data,type="documentation"] in the _Amazon EC2 User Guide_. If you deploy a managed node group without using a custom launch template, this value is automatically set for the node group in the default launch template. ==== @@ -375,7 +375,7 @@ If you want to specify a custom [.noloc]`Windows` AMI ID, keep in mind the follo -* You must use a launch template and give the required bootstrap commands in the user data section. To retrieve your desired [.noloc]`Windows` ID, you can use the table in <>. +* You must use a launch template and give the required bootstrap commands in the user data section. To retrieve your desired [.noloc]`Windows` ID, you can use the table in <>. * There are several limits and conditions. For example, you must add `eks:kube-proxy-windows` to your {aws} IAM Authenticator configuration map. For more information, see <>. Specify the following information in the user data section of your launch template. Replace every [.replaceable]`example value` with your own values. The `-APIServerEndpoint`, `-Base64ClusterCA`, and `-DNSClusterIP` arguments are optional. However, defining them allows the `Start-EKSBootstrap.ps1` script to avoid making a `describeCluster` call. diff --git a/latest/ug/nodes/launch-windows-workers.adoc b/latest/ug/nodes/launch-windows-workers.adoc index 1cb7cf2f0..92502e24a 100644 --- a/latest/ug/nodes/launch-windows-workers.adoc +++ b/latest/ug/nodes/launch-windows-workers.adoc @@ -46,7 +46,7 @@ This procedure only works for clusters that were created with `eksctl`. ==== . (Optional) If the *AmazonEKS_CNI_Policy* managed IAM policy (if you have an `IPv4` cluster) or the [.replaceable]`AmazonEKS_CNI_IPv6_Policy` (that you <> if you have an `IPv6` cluster) is attached to your <>, we recommend assigning it to an IAM role that you associate to the [.noloc]`Kubernetes` `aws-node` service account instead. For more information, see <>. -. This procedure assumes that you have an existing cluster. If you don't already have an Amazon EKS cluster and an Amazon Linux node group to add a [.noloc]`Windows` node group to, we recommend that you follow <>. This guide provides a complete walkthrough for how to create an Amazon EKS cluster with Amazon Linux nodes. +. This procedure assumes that you have an existing cluster. If you don't already have an Amazon EKS cluster and an Amazon Linux node group to add a [.noloc]`Windows` node group to, we recommend that you follow <>. This guide provides a complete walkthrough for how to create an Amazon EKS cluster with Amazon Linux nodes. + Create your node group with the following command. Replace [.replaceable]`region-code` with the {aws} Region that your cluster is in. Replace [.replaceable]`my-cluster` with your cluster name. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. Replace [.replaceable]`ng-windows` with a name for your node group. The node group name can't be longer than 63 characters. It must start with letter or digit, but can also include hyphens and underscores for the remaining characters. For [.noloc]`Kubernetes` version `1.24` or later, you can replace [.replaceable]`2019` with `2022` to use [.noloc]`Windows` Server 2022. Replace the rest of the [.replaceable]`example values` with your own values. + @@ -105,7 +105,7 @@ For more information, see https://aws.github.io/aws-eks-best-practices/security/ . Wait for your cluster status to show as `ACTIVE`. If you launch your nodes before the cluster is active, the nodes fail to register with the cluster and you need to relaunch them. . Open the link:cloudformation/[{aws} CloudFormation console,type="console"] . Choose *Create stack*. -. For *Specify template*, select *Amazon S3 URL*. +. For *Specify template*, select *Amazon S3 URL*. . Copy the following URL and paste it into *Amazon S3 URL*. + [source,none,subs="verbatim,attributes"] @@ -122,13 +122,13 @@ https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2023-02-09/amazon-e ==== This name must exactly match the name that you used in <>. Otherwise, your nodes can't join the cluster. ==== -** *ClusterControlPlaneSecurityGroup*: Choose the security group from the {aws} CloudFormation output that you generated when you created your <>. +** *ClusterControlPlaneSecurityGroup*: Choose the security group from the {aws} CloudFormation output that you generated when you created your <>. The following steps show one method to retrieve the applicable group. + .. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. .. Choose the name of the cluster. .. Choose the *Networking* tab. -.. Use the *Additional security groups* value as a reference when selecting from the *ClusterControlPlaneSecurityGroup* dropdown list. +.. Use the *Additional security groups* value as a reference when selecting from the *ClusterControlPlaneSecurityGroup* dropdown list. ** *NodeGroupName*: Enter a name for your node group. This name can be used later to identify the Auto Scaling node group that's created for your nodes. The node group name can't be longer than 63 characters. It must start with letter or digit, but can also include hyphens and underscores for the remaining characters. ** *NodeAutoScalingGroupMinSize*: Enter the minimum number of nodes that your node Auto Scaling group can scale in to. ** *NodeAutoScalingGroupDesiredCapacity*: Enter the desired number of nodes to scale to when your stack is created. @@ -137,20 +137,20 @@ The following steps show one method to retrieve the applicable group. + NOTE: The supported instance types for the latest version of the https://github.com/aws/amazon-vpc-cni-k8s[Amazon VPC CNI plugin for Kubernetes] are listed in https://github.com/aws/amazon-vpc-cni-k8s/blob/master/pkg/vpc/vpc_ip_resource_limit.go[vpc_ip_resource_limit.go] on [.noloc]`GitHub`. You might need to update your CNI version to use the latest supported instance types. For more information, see <>. ** *NodeImageIdSSMParam*: Pre-populated with the Amazon EC2 Systems Manager parameter of the current recommended Amazon EKS optimized [.noloc]`Windows` Core AMI ID. To use the full version of [.noloc]`Windows`, replace [.replaceable]`Core` with `Full`. -** *NodeImageId*: (Optional) If you're using your own custom AMI (instead of an Amazon EKS optimized AMI), enter a node AMI ID for your {aws} Region. If you specify a value for this field, it overrides any values in the *NodeImageIdSSMParam* field. +** *NodeImageId*: (Optional) If you're using your own custom AMI (instead of an Amazon EKS optimized AMI), enter a node AMI ID for your {aws} Region. If you specify a value for this field, it overrides any values in the *NodeImageIdSSMParam* field. ** *NodeVolumeSize*: Specify a root volume size for your nodes, in GiB. ** *KeyName*: Enter the name of an Amazon EC2 SSH key pair that you can use to connect using SSH into your nodes with after they launch. If you don't already have an Amazon EC2 key pair, you can create one in the {aws-management-console}. For more information, see link:AWSEC2/latest/WindowsGuide/ec2-key-pairs.html[Amazon EC2 key pairs,type="documentation"] in the _Amazon EC2 User Guide_. + NOTE: If you don't provide a key pair here, the {aws} CloudFormation stack fails to be created. ** *BootstrapArguments*: Specify any optional arguments to pass to the node bootstrap script, such as extra `kubelet` arguments using `-KubeletExtraArgs`. -** *DisableIMDSv1*: By default, each node supports the Instance Metadata Service Version 1 (IMDSv1) and IMDSv2. You can disable IMDSv1. To prevent future nodes and [.noloc]`Pods` in the node group from using MDSv1, set *DisableIMDSv1* to *true*. For more information about IMDS, see link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html[Configuring the instance metadata service,type="documentation"]. -** *VpcId*: Select the ID for the <> that you created. -** *NodeSecurityGroups*: Select the security group that was created for your [.noloc]`Linux` node group when you created your <>. If your [.noloc]`Linux` nodes have more than one security group attached to them, specify all of them. This for, for example, if the [.noloc]`Linux` node group was created with `eksctl`. -** *Subnets*: Choose the subnets that you created. If you created your VPC using the steps in <>, then specify only the private subnets within the VPC for your nodes to launch into. +** *DisableIMDSv1*: By default, each node supports the Instance Metadata Service Version 1 (IMDSv1) and IMDSv2. You can disable IMDSv1. To prevent future nodes and [.noloc]`Pods` in the node group from using MDSv1, set *DisableIMDSv1* to *true*. For more information about IMDS, see link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html[Configuring the instance metadata service,type="documentation"]. +** *VpcId*: Select the ID for the <> that you created. +** *NodeSecurityGroups*: Select the security group that was created for your [.noloc]`Linux` node group when you created your <>. If your [.noloc]`Linux` nodes have more than one security group attached to them, specify all of them. This for, for example, if the [.noloc]`Linux` node group was created with `eksctl`. +** *Subnets*: Choose the subnets that you created. If you created your VPC using the steps in <>, then specify only the private subnets within the VPC for your nodes to launch into. + [IMPORTANT] ==== -*** If any of the subnets are public subnets, then they must have the automatic public IP address assignment setting enabled. If the setting isn't enabled for the public subnet, then any nodes that you deploy to that public subnet won't be assigned a public IP address and won't be able to communicate with the cluster or other {aws} services. If the subnet was deployed before March 26, 2020 using either of the <>, or by using `eksctl`, then automatic public IP address assignment is disabled for public subnets. For information about how to enable public IP address assignment for a subnet, see link:vpc/latest/userguide/vpc-ip-addressing.html#subnet-public-ip[Modifying the public IPv4 addressing attribute for your subnet,type="documentation"]. If the node is deployed to a private subnet, then it's able to communicate with the cluster and other {aws} services through a NAT gateway. +*** If any of the subnets are public subnets, then they must have the automatic public IP address assignment setting enabled. If the setting isn't enabled for the public subnet, then any nodes that you deploy to that public subnet won't be assigned a public IP address and won't be able to communicate with the cluster or other {aws} services. If the subnet was deployed before March 26, 2020 using either of the <>, or by using `eksctl`, then automatic public IP address assignment is disabled for public subnets. For information about how to enable public IP address assignment for a subnet, see link:vpc/latest/userguide/vpc-ip-addressing.html#subnet-public-ip[Modifying the public IPv4 addressing attribute for your subnet,type="documentation"]. If the node is deployed to a private subnet, then it's able to communicate with the cluster and other {aws} services through a NAT gateway. *** If the subnets don't have internet access, then make sure that you're aware of the considerations and extra steps in <>. *** If you select {aws} Outposts, Wavelength, or Local Zone subnets, then the subnets must not have been passed in when you created the cluster. ==== diff --git a/latest/ug/nodes/launch-workers.adoc b/latest/ug/nodes/launch-workers.adoc index 875406256..69e296ef5 100644 --- a/latest/ug/nodes/launch-workers.adoc +++ b/latest/ug/nodes/launch-workers.adoc @@ -28,7 +28,7 @@ You can launch self-managed Linux nodes using either of the following: . Install version `{eksctl-min-version}` or later of the `eksctl` command line tool installed on your device or {aws} CloudShell. To install or update `eksctl`, see https://eksctl.io/installation[Installation] in the `eksctl` documentation. -. (Optional) If the *AmazonEKS_CNI_Policy* managed IAM policy is attached to your <>, we recommend assigning it to an IAM role that you associate to the [.noloc]`Kubernetes` `aws-node` service account instead. For more information, see <>. +. (Optional) If the *AmazonEKS_CNI_Policy* managed IAM policy is attached to your <>, we recommend assigning it to an IAM role that you associate to the [.noloc]`Kubernetes` `aws-node` service account instead. For more information, see <>. . The following command creates a node group in an existing cluster. Replace [.replaceable]`al-nodes` with a name for your node group. The node group name can't be longer than 63 characters. It must start with letter or digit, but can also include hyphens and underscores for the remaining characters. Replace [.replaceable]`my-cluster` with the name of your cluster. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. Replace the remaining [.replaceable]`example value` with your own values. The nodes are created with the same [.noloc]`Kubernetes` version as the control plane, by default. + Before choosing a value for `--node-type`, review <>. @@ -101,22 +101,22 @@ curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2022-12-23/ ---- . Wait for your cluster status to show as `ACTIVE`. If you launch your nodes before the cluster is active, the nodes fail to register with the cluster and you will have to relaunch them. . Open the link:cloudformation/[{aws} CloudFormation console,type="console"]. -. Choose *Create stack* and then select *With new resources (standard)*. -. For *Specify template*, select *Upload a template file* and then select *Choose file*. +. Choose *Create stack* and then select *With new resources (standard)*. +. For *Specify template*, select *Upload a template file* and then select *Choose file*. . Select the `amazon-eks-nodegroup.yaml` file that you downloaded. . Select *Next*. -. On the *Specify stack details* page, enter the following parameters accordingly, and then choose *Next*: +. On the *Specify stack details* page, enter the following parameters accordingly, and then choose *Next*: + ** *Stack name*: Choose a stack name for your {aws} CloudFormation stack. For example, you can call it [.replaceable]`my-cluster-nodes`. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. ** *ClusterName*: Enter the name that you used when you created your Amazon EKS cluster. This name must equal the cluster name or your nodes can't join the cluster. -** *ClusterControlPlaneSecurityGroup*: Choose the *SecurityGroups* value from the {aws} CloudFormation output that you generated when you created your <>. +** *ClusterControlPlaneSecurityGroup*: Choose the *SecurityGroups* value from the {aws} CloudFormation output that you generated when you created your <>. + The following steps show one operation to retrieve the applicable group. + .. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. .. Choose the name of the cluster. .. Choose the *Networking* tab. -.. Use the *Additional security groups* value as a reference when selecting from the *ClusterControlPlaneSecurityGroup* dropdown list. +.. Use the *Additional security groups* value as a reference when selecting from the *ClusterControlPlaneSecurityGroup* dropdown list. ** *NodeGroupName*: Enter a name for your node group. This name can be used later to identify the Auto Scaling node group that's created for your nodes. The node group name can't be longer than 63 characters. It must start with letter or digit, but can also include hyphens and underscores for the remaining characters. ** *NodeAutoScalingGroupMinSize*: Enter the minimum number of nodes that your node Auto Scaling group can scale in to. ** *NodeAutoScalingGroupDesiredCapacity*: Enter the desired number of nodes to scale to when your stack is created. @@ -127,7 +127,7 @@ The following steps show one operation to retrieve the applicable group. You can also replace [.replaceable]`amazon-linux-2` with a different AMI type. For more information, see <>. + NOTE: The Amazon EKS node AMIs are based on Amazon Linux. You can track security or privacy events for Amazon Linux 2 at the https://alas.aws.amazon.com/alas2.html[Amazon Linux Security Center] or subscribe to the associated https://alas.aws.amazon.com/AL2/alas.rss[RSS feed]. Security and privacy events include an overview of the issue, what packages are affected, and how to update your instances to correct the issue. -** *NodeImageId*: (Optional) If you're using your own custom AMI (instead of an Amazon EKS optimized AMI), enter a node AMI ID for your {aws} Region. If you specify a value here, it overrides any values in the *NodeImageIdSSMParam* field. +** *NodeImageId*: (Optional) If you're using your own custom AMI (instead of an Amazon EKS optimized AMI), enter a node AMI ID for your {aws} Region. If you specify a value here, it overrides any values in the *NodeImageIdSSMParam* field. ** *NodeVolumeSize*: Specify a root volume size for your nodes, in GiB. ** *NodeVolumeType*: Specify a root volume type for your nodes. ** *KeyName*: Enter the name of an Amazon EC2 SSH key pair that you can use to connect using SSH into your nodes with after they launch. If you don't already have an Amazon EC2 key pair, you can create one in the {aws-management-console}. For more information, see link:AWSEC2/latest/UserGuide/ec2-key-pairs.html[Amazon EC2 key pairs,type="documentation"] in the _Amazon EC2 User Guide_. @@ -142,18 +142,18 @@ To deploy a node group that: *** can assign `IPv6` addresses to [.noloc]`Pods` and services, see <>. *** use the `containerd` runtime, you must deploy the node group using a `config` file. For more information, see <>. *** don't have outbound internet access, see <>. -** *DisableIMDSv1*: By default, each node supports the Instance Metadata Service Version 1 (IMDSv1) and IMDSv2. You can disable IMDSv1. To prevent future nodes and [.noloc]`Pods` in the node group from using MDSv1, set *DisableIMDSv1* to *true*. For more information about IMDS, see link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html[Configuring the instance metadata service,type="documentation"]. For more information about restricting access to it on your nodes, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. -** *VpcId*: Enter the ID for the <> that you created. -** *Subnets*: Choose the subnets that you created for your VPC. If you created your VPC using the steps that are described in <>, specify only the private subnets within the VPC for your nodes to launch into. You can see which subnets are private by opening each subnet link from the *Networking* tab of your cluster. +** *DisableIMDSv1*: By default, each node supports the Instance Metadata Service Version 1 (IMDSv1) and IMDSv2. You can disable IMDSv1. To prevent future nodes and [.noloc]`Pods` in the node group from using MDSv1, set *DisableIMDSv1* to *true*. For more information about IMDS, see link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html[Configuring the instance metadata service,type="documentation"]. For more information about restricting access to it on your nodes, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. +** *VpcId*: Enter the ID for the <> that you created. +** *Subnets*: Choose the subnets that you created for your VPC. If you created your VPC using the steps that are described in <>, specify only the private subnets within the VPC for your nodes to launch into. You can see which subnets are private by opening each subnet link from the *Networking* tab of your cluster. + [IMPORTANT] ==== -*** If any of the subnets are public subnets, then they must have the automatic public IP address assignment setting enabled. If the setting isn't enabled for the public subnet, then any nodes that you deploy to that public subnet won't be assigned a public IP address and won't be able to communicate with the cluster or other {aws} services. If the subnet was deployed before March 26, 2020 using either of the <>, or by using `eksctl`, then automatic public IP address assignment is disabled for public subnets. For information about how to enable public IP address assignment for a subnet, see link:vpc/latest/userguide/vpc-ip-addressing.html#subnet-public-ip[Modifying the public IPv4 addressing attribute for your subnet,type="documentation"]. If the node is deployed to a private subnet, then it's able to communicate with the cluster and other {aws} services through a NAT gateway. +*** If any of the subnets are public subnets, then they must have the automatic public IP address assignment setting enabled. If the setting isn't enabled for the public subnet, then any nodes that you deploy to that public subnet won't be assigned a public IP address and won't be able to communicate with the cluster or other {aws} services. If the subnet was deployed before March 26, 2020 using either of the <>, or by using `eksctl`, then automatic public IP address assignment is disabled for public subnets. For information about how to enable public IP address assignment for a subnet, see link:vpc/latest/userguide/vpc-ip-addressing.html#subnet-public-ip[Modifying the public IPv4 addressing attribute for your subnet,type="documentation"]. If the node is deployed to a private subnet, then it's able to communicate with the cluster and other {aws} services through a NAT gateway. *** If the subnets don't have internet access, make sure that you're aware of the considerations and extra steps in <>. *** If you select {aws} Outposts, Wavelength, or Local Zone subnets, the subnets must not have been passed in when you created the cluster. ==== -. Select your desired choices on the *Configure stack options* page, and then choose *Next*. -. Select the check box to the left of *I acknowledge that {aws} CloudFormation might create IAM resources.*, and then choose *Create stack*. +. Select your desired choices on the *Configure stack options* page, and then choose *Next*. +. Select the check box to the left of *I acknowledge that {aws} CloudFormation might create IAM resources.*, and then choose *Create stack*. . When your stack has finished creating, select it in the console and choose *Outputs*. . Record the *NodeInstanceRole* for the node group that was created. You need this when you configure your Amazon EKS nodes. diff --git a/latest/ug/nodes/managed-node-groups.adoc b/latest/ug/nodes/managed-node-groups.adoc index 293ba9610..1e5b621d9 100644 --- a/latest/ug/nodes/managed-node-groups.adoc +++ b/latest/ug/nodes/managed-node-groups.adoc @@ -48,8 +48,8 @@ To add a managed node group to an existing cluster, see <>. If you don't use a custom launch template when first creating a managed node group, there is an auto-generated launch template. Don't manually modify this auto-generated template or errors occur. * Amazon EKS follows the shared responsibility model for CVEs and security patches on managed node groups. When managed nodes run an Amazon EKS optimized AMI, Amazon EKS is responsible for building patched versions of the AMI when bugs or issues are reported. We can publish a fix. However, you're responsible for deploying these patched AMI versions to your managed node groups. When managed nodes run a custom AMI, you're responsible for building patched versions of the AMI when bugs or issues are reported and then deploying the AMI. For more information, see <>. -* Amazon EKS managed node groups can be launched in both public and private subnets. If you launch a managed node group in a public subnet on or after April 22, 2020, the subnet must have `MapPublicIpOnLaunch` set to true for the instances to successfully join a cluster. If the public subnet was created using `eksctl` or the <> on or after March 26, 2020, then this setting is already set to true. If the public subnets were created before March 26, 2020, you must change the setting manually. For more information, see link:vpc/latest/userguide/vpc-ip-addressing.html#subnet-public-ip[Modifying the public IPv4 addressing attribute for your subnet,type="documentation"]. -* When deploying a managed node group in private subnets, you must ensure that it can access Amazon ECR for pulling container images. You can do this by connecting a NAT gateway to the route table of the subnet or by adding the following link:AmazonECR/latest/userguide/vpc-endpoints.html#ecr-setting-up-vpc-create[{aws} PrivateLink VPC endpoints,type="documentation"]: +* Amazon EKS managed node groups can be launched in both public and private subnets. If you launch a managed node group in a public subnet on or after April 22, 2020, the subnet must have `MapPublicIpOnLaunch` set to true for the instances to successfully join a cluster. If the public subnet was created using `eksctl` or the <> on or after March 26, 2020, then this setting is already set to true. If the public subnets were created before March 26, 2020, you must change the setting manually. For more information, see link:vpc/latest/userguide/vpc-ip-addressing.html#subnet-public-ip[Modifying the public IPv4 addressing attribute for your subnet,type="documentation"]. +* When deploying a managed node group in private subnets, you must ensure that it can access Amazon ECR for pulling container images. You can do this by connecting a NAT gateway to the route table of the subnet or by adding the following link:AmazonECR/latest/userguide/vpc-endpoints.html#ecr-setting-up-vpc-create[{aws} PrivateLink VPC endpoints,type="documentation"]: + ** Amazon ECR API endpoint interface – `com.amazonaws.[.replaceable]``region-code``.ecr.api` ** Amazon ECR Docker registry API endpoint interface – `com.amazonaws.[.replaceable]``region-code``.ecr.dkr` @@ -66,7 +66,7 @@ For other commonly-used services and endpoints, see <>. * In order to run the drain process correctly after receiving a Spot interruption notification or a capacity rebalance notification, `CapacityRebalance` must be set to `true`. * Updating managed node groups respects the [.noloc]`Pod` disruption budgets that you set for your [.noloc]`Pods`. For more information, see <>. * There are no additional costs to use Amazon EKS managed node groups. You only pay for the {aws} resources that you provision. -* If you want to encrypt Amazon EBS volumes for your nodes, you can deploy the nodes using a launch template. To deploy managed nodes with encrypted Amazon EBS volumes without using a launch template, encrypt all new Amazon EBS volumes created in your account. For more information, see link:AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default[Encryption by default,type="documentation"] in the _Amazon EC2 User Guide_. +* If you want to encrypt Amazon EBS volumes for your nodes, you can deploy the nodes using a launch template. To deploy managed nodes with encrypted Amazon EBS volumes without using a launch template, encrypt all new Amazon EBS volumes created in your account. For more information, see link:AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default[Encryption by default,type="documentation"] in the _Amazon EC2 User Guide_. [#managed-node-group-capacity-types] @@ -84,7 +84,7 @@ With On-Demand Instances, you pay for compute capacity by the second, with no lo By default, if you don't specify a *Capacity Type*, the managed node group is provisioned with On-Demand Instances. A managed node group configures an Amazon EC2 Auto Scaling group on your behalf with the following settings applied: -* The allocation strategy to provision On-Demand capacity is set to `prioritized`. Managed node groups use the order of instance types passed in the API to determine which instance type to use first when fulfilling On-Demand capacity. For example, you might specify three instance types in the following order: `c5.large`, `c4.large`, and `c3.large`. When your On-Demand Instances are launched, the managed node group fulfills On-Demand capacity by starting with `c5.large`, then `c4.large`, and then `c3.large`. For more information, see link:autoscaling/ec2/userguide/asg-purchase-options.html#asg-allocation-strategies[Amazon EC2 Auto Scaling group,type="documentation"] in the _Amazon EC2 Auto Scaling User Guide_. +* The allocation strategy to provision On-Demand capacity is set to `prioritized`. Managed node groups use the order of instance types passed in the API to determine which instance type to use first when fulfilling On-Demand capacity. For example, you might specify three instance types in the following order: `c5.large`, `c4.large`, and `c3.large`. When your On-Demand Instances are launched, the managed node group fulfills On-Demand capacity by starting with `c5.large`, then `c4.large`, and then `c3.large`. For more information, see link:autoscaling/ec2/userguide/asg-purchase-options.html#asg-allocation-strategies[Amazon EC2 Auto Scaling group,type="documentation"] in the _Amazon EC2 Auto Scaling User Guide_. * Amazon EKS adds the following [.noloc]`Kubernetes` label to all nodes in your managed node group that specifies the capacity type: `eks.amazonaws.com/capacityType: ON_DEMAND`. You can use this label to schedule stateful or fault intolerant applications on On-Demand nodes. diff --git a/latest/ug/nodes/managed-node-update-behavior.adoc b/latest/ug/nodes/managed-node-update-behavior.adoc index b56c721a7..c7b58de89 100644 --- a/latest/ug/nodes/managed-node-update-behavior.adoc +++ b/latest/ug/nodes/managed-node-update-behavior.adoc @@ -19,13 +19,13 @@ The setup phase has these steps: . It creates a new Amazon EC2 launch template version for the Auto Scaling group that's associated with your node group. The new launch template version uses the target AMI or a custom launch template version for the update. . It updates the Auto Scaling group to use the latest launch template version. -. It determines the maximum quantity of nodes to upgrade in parallel using the `updateConfig` property for the node group. The maximum unavailable has a quota of 100 nodes. The default value is one node. For more information, see the link:eks/latest/APIReference/API_UpdateNodegroupConfig.html#API_UpdateNodegroupConfig_RequestSyntax[updateConfig,type="documentation"] property in the _Amazon EKS API Reference_. +. It determines the maximum quantity of nodes to upgrade in parallel using the `updateConfig` property for the node group. The maximum unavailable has a quota of 100 nodes. The default value is one node. For more information, see the link:eks/latest/APIReference/API_UpdateNodegroupConfig.html#API_UpdateNodegroupConfig_RequestSyntax[updateConfig,type="documentation"] property in the _Amazon EKS API Reference_. [#managed-node-update-scale-up] == Scale up phase -When upgrading the nodes in a managed node group, the upgraded nodes are launched in the same Availability Zone as those that are being upgraded. To guarantee this placement, we use Amazon EC2's Availability Zone Rebalancing. For more information, see link:autoscaling/ec2/userguide/auto-scaling-benefits.html#AutoScalingBehavior.InstanceUsage[Availability Zone Rebalancing,type="documentation"] in the _Amazon EC2 Auto Scaling User Guide_. To meet this requirement, it's possible that we'd launch up to two instances per Availability Zone in your managed node group. +When upgrading the nodes in a managed node group, the upgraded nodes are launched in the same Availability Zone as those that are being upgraded. To guarantee this placement, we use Amazon EC2's Availability Zone Rebalancing. For more information, see link:autoscaling/ec2/userguide/auto-scaling-benefits.html#AutoScalingBehavior.InstanceUsage[Availability Zone Rebalancing,type="documentation"] in the _Amazon EC2 Auto Scaling User Guide_. To meet this requirement, it's possible that we'd launch up to two instances per Availability Zone in your managed node group. The scale up phase has these steps: diff --git a/latest/ug/nodes/migrate-stack.adoc b/latest/ug/nodes/migrate-stack.adoc index 16ff0f0dd..f8fbe02a4 100644 --- a/latest/ug/nodes/migrate-stack.adoc +++ b/latest/ug/nodes/migrate-stack.adoc @@ -99,7 +99,7 @@ eksctl delete nodegroup --cluster my-cluster --name standard-nodes-old . Launch a new node group by following the steps that are outlined in <>. . When your stack has finished creating, select it in the console and choose *Outputs*. -. [[node-instance-role-step]]Record the *NodeInstanceRole* for the node group that was created. You need this to add the new Amazon EKS nodes to your cluster. +. [[node-instance-role-step]]Record the *NodeInstanceRole* for the node group that was created. You need this to add the new Amazon EKS nodes to your cluster. + NOTE: If you attached any additional IAM policies to your old node group IAM role, attach those same policies to your new node group IAM role to maintain that functionality on the new group. This applies to you if you added permissions for the https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler[Kubernetes Cluster Autoscaler], for example. . Update the security groups for both node groups so that they can communicate with each other. For more information, see <>. @@ -157,7 +157,7 @@ data: - system:nodes ---- + -Replace the [.replaceable]`ARN of instance role (not instance profile)` snippet with the *NodeInstanceRole* value that you recorded in a <>. Then, save and close the file to apply the updated configmap. +Replace the [.replaceable]`ARN of instance role (not instance profile)` snippet with the *NodeInstanceRole* value that you recorded in a <>. Then, save and close the file to apply the updated configmap. . Watch the status of your nodes and wait for your new nodes to join your cluster and reach the `Ready` status. + [source,bash,subs="verbatim,attributes"] @@ -253,7 +253,7 @@ aws ec2 revoke-security-group-ingress --group-id $newSecGroup \ .. Open the link:cloudformation/[{aws} CloudFormation console,type="console"]. .. Select your old node stack. .. Choose *Delete*. -.. In the *Delete stack* confirmation dialog box, choose *Delete stack*. +.. In the *Delete stack* confirmation dialog box, choose *Delete stack*. . Edit the `aws-auth` configmap to remove the old node instance role from RBAC. + [source,bash,subs="verbatim,attributes"] diff --git a/latest/ug/nodes/monitoring-fargate-usage.adoc b/latest/ug/nodes/monitoring-fargate-usage.adoc index 0d62031a1..cc90b6e79 100644 --- a/latest/ug/nodes/monitoring-fargate-usage.adoc +++ b/latest/ug/nodes/monitoring-fargate-usage.adoc @@ -74,11 +74,11 @@ Use the following steps to create a CloudWatch alarm based on the Fargate resour . Open the Service Quotas console at https://console.aws.amazon.com/servicequotas/. . In the left navigation pane, choose *{aws} services*. -. From the *{aws} services* list, search for and select *{aws} Fargate*. +. From the *{aws} services* list, search for and select *{aws} Fargate*. . In the *Service quotas* list, choose the Fargate usage quota you want to create an alarm for. . In the Amazon CloudWatch alarms section, choose *Create*. . For *Alarm threshold*, choose the percentage of your applied quota value that you want to set as the alarm value. -. For *Alarm name*, enter a name for the alarm and then choose *Create*. +. For *Alarm name*, enter a name for the alarm and then choose *Create*. 📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23monitoring-fargate-usage%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/nodes/update-managed-node-group.adoc b/latest/ug/nodes/update-managed-node-group.adoc index 1f583e106..240a3ee13 100644 --- a/latest/ug/nodes/update-managed-node-group.adoc +++ b/latest/ug/nodes/update-managed-node-group.adoc @@ -10,7 +10,7 @@ include::../attributes.txt[] When you initiate a managed node group update, Amazon EKS automatically updates your nodes for you. -- -When you initiate a managed node group update, Amazon EKS automatically updates your nodes for you, completing the steps listed in <>. If you're using an Amazon EKS optimized AMI, Amazon EKS automatically applies the latest security patches and operating system updates to your nodes as part of the latest AMI release version. +When you initiate a managed node group update, Amazon EKS automatically updates your nodes for you, completing the steps listed in <>. If you're using an Amazon EKS optimized AMI, Amazon EKS automatically applies the latest security patches and operating system updates to your nodes as part of the latest AMI release version. There are several scenarios where it's useful to update your Amazon EKS managed node group's version or configuration: @@ -77,7 +77,7 @@ eksctl upgrade nodegroup \ . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. . Choose the cluster that contains the node group to update. -. If at least one node group has an available update, a box appears at the top of the page notifying you of the available update. If you select the *Compute* tab, you'll see *Update now* in the *AMI release version* column in the *Node groups* table for the node group that has an available update. To update the node group, choose *Update now*. +. If at least one node group has an available update, a box appears at the top of the page notifying you of the available update. If you select the *Compute* tab, you'll see *Update now* in the *AMI release version* column in the *Node groups* table for the node group that has an available update. To update the node group, choose *Update now*. + You won't see a notification for node groups that were deployed with a custom AMI. If your nodes are deployed with a custom AMI, complete the following steps to deploy a new updated custom AMI. + @@ -88,7 +88,7 @@ You won't see a notification for node groups that were deployed with a custom AM . On the *Update node group version* dialog box, activate or deactivate the following options: + ** *Update node group version* – This option is unavailable if you deployed a custom AMI or your Amazon EKS optimized AMI is currently on the latest version for your cluster. -** *Change launch template version* – This option is unavailable if the node group is deployed without a custom launch template. You can only update the launch template version for a node group that has been deployed with a custom launch template. Select the *Launch template version* that you want to update the node group to. If your node group is configured with a custom AMI, then the version that you select must also specify an AMI. When you upgrade to a newer version of your launch template, every node is recycled to match the new configuration of the launch template version specified. +** *Change launch template version* – This option is unavailable if the node group is deployed without a custom launch template. You can only update the launch template version for a node group that has been deployed with a custom launch template. Select the *Launch template version* that you want to update the node group to. If your node group is configured with a custom AMI, then the version that you select must also specify an AMI. When you upgrade to a newer version of your launch template, every node is recycled to match the new configuration of the launch template version specified. . For *Update strategy*, select one of the following options: + ** *Rolling update* – This option respects the [.noloc]`Pod` disruption budgets for your cluster. Updates fail if there's a [.noloc]`Pod` disruption budget issue that causes Amazon EKS to be unable to gracefully drain the [.noloc]`Pods` that are running on this node group. @@ -115,7 +115,7 @@ You can modify some of the configurations of a managed node group. .. (Optional) Add or remove *[.noloc]`Kubernetes` labels* to the nodes in your node group. The labels shown here are only the labels that you have applied with Amazon EKS. Other labels may exist on your nodes that aren't shown here. .. (Optional) Add or remove *[.noloc]`Kubernetes` taints* to the nodes in your node group. Added taints can have the effect of either `*NoSchedule*`, `*NoExecute*`, or `*PreferNoSchedule*`. For more information, see <>. .. (Optional) Add or remove *Tags* from your node group resource. These tags are only applied to the Amazon EKS node group. They don't propagate to other resources, such as subnets or Amazon EC2 instances in the node group. -.. (Optional) Edit the *Node Group update configuration*. Select either *Number* or *Percentage*. +.. (Optional) Edit the *Node Group update configuration*. Select either *Number* or *Percentage*. + *** *Number* – Select and specify the number of nodes in your node group that can be updated in parallel. These nodes will be unavailable during update. *** *Percentage* – Select and specify the percentage of nodes in your node group that can be updated in parallel. These nodes will be unavailable during update. This is useful if you have many nodes in your node group. diff --git a/latest/ug/nodes/update-stack.adoc b/latest/ug/nodes/update-stack.adoc index d646a1a2d..68f9975e3 100644 --- a/latest/ug/nodes/update-stack.adoc +++ b/latest/ug/nodes/update-stack.adoc @@ -56,21 +56,21 @@ kubectl scale deployments/cluster-autoscaler --replicas=0 -n kube-system + .. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/. .. In the left navigation pane, choose *Launch Configurations*, and note the instance type for your existing node launch configuration. -.. In the left navigation pane, choose *Auto Scaling Groups*, and note the *Desired* instance count for your existing node Auto Scaling group. +.. In the left navigation pane, choose *Auto Scaling Groups*, and note the *Desired* instance count for your existing node Auto Scaling group. . Open the link:cloudformation/[{aws} CloudFormation console,type="console"]. . Select your node group stack, and then choose *Update*. -. Select *Replace current template* and select *Amazon S3 URL*. -. For *Amazon S3 URL*, paste the following URL into the text area to ensure that you're using the latest version of the node {aws} CloudFormation template. Then, choose *Next*: +. Select *Replace current template* and select *Amazon S3 URL*. +. For *Amazon S3 URL*, paste the following URL into the text area to ensure that you're using the latest version of the node {aws} CloudFormation template. Then, choose *Next*: + [source,none,subs="verbatim,attributes"] ---- https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2022-12-23/amazon-eks-nodegroup.yaml ---- -. On the *Specify stack details* page, fill out the following parameters, and choose *Next*: +. On the *Specify stack details* page, fill out the following parameters, and choose *Next*: + -** *NodeAutoScalingGroupDesiredCapacity* – Enter the desired instance count that you recorded in a <>. Or, enter your new desired number of nodes to scale to when your stack is updated. +** *NodeAutoScalingGroupDesiredCapacity* – Enter the desired instance count that you recorded in a <>. Or, enter your new desired number of nodes to scale to when your stack is updated. ** *NodeAutoScalingGroupMaxSize* – Enter the maximum number of nodes to which your node Auto Scaling group can scale out. This value must be at least one node more than your desired capacity. This is so that you can perform a rolling update of your nodes without reducing your node count during the update. -** *NodeInstanceType* – Choose the instance type your recorded in a <>. Alternatively, choose a different instance type for your nodes. Before choosing a different instance type, review <>. Each Amazon EC2 instance type supports a maximum number of elastic network interfaces (network interface) and each network interface supports a maximum number of IP addresses. Because each worker node and [.noloc]`Pod` ,is assigned its own IP address, it's important to choose an instance type that will support the maximum number of [.noloc]`Pods` that you want to run on each Amazon EC2 node. For a list of the number of network interfaces and IP addresses supported by instance types, see link:AWSEC2/latest/UserGuide/using-eni.html#AvailableIpPerENI[IP addresses per network interface per instance type,type="documentation"]. For example, the `m5.large` instance type supports a maximum of 30 IP addresses for the worker node and [.noloc]`Pods`. +** *NodeInstanceType* – Choose the instance type your recorded in a <>. Alternatively, choose a different instance type for your nodes. Before choosing a different instance type, review <>. Each Amazon EC2 instance type supports a maximum number of elastic network interfaces (network interface) and each network interface supports a maximum number of IP addresses. Because each worker node and [.noloc]`Pod` ,is assigned its own IP address, it's important to choose an instance type that will support the maximum number of [.noloc]`Pods` that you want to run on each Amazon EC2 node. For a list of the number of network interfaces and IP addresses supported by instance types, see link:AWSEC2/latest/UserGuide/using-eni.html#AvailableIpPerENI[IP addresses per network interface per instance type,type="documentation"]. For example, the `m5.large` instance type supports a maximum of 30 IP addresses for the worker node and [.noloc]`Pods`. + NOTE: The supported instance types for the latest version of the https://github.com/aws/amazon-vpc-cni-k8s[Amazon VPC CNI plugin for Kubernetes] are shown in https://github.com/aws/amazon-vpc-cni-k8s/blob/master/pkg/vpc/vpc_ip_resource_limit.go[vpc_ip_resource_limit.go] on [.noloc]`GitHub`. You might need to update your [.noloc]`Amazon VPC CNI plugin for Kubernetes` version to use the latest supported instance types. For more information, see <>. + @@ -87,10 +87,10 @@ You can replace [.replaceable]`{k8s-n}` with a <>. -To add self-managed nodes to your Amazon EKS cluster, see the topics that follow. If you launch self-managed nodes manually, add the following tag to each node. For more information, see link:AWSEC2/latest/UserGuide/Using_Tags.html#adding-or-deleting-tags[Adding and deleting tags on an individual resource,type="documentation"]. If you follow the steps in the guides that follow, the required tag is automatically added to nodes for you. +To add self-managed nodes to your Amazon EKS cluster, see the topics that follow. If you launch self-managed nodes manually, add the following tag to each node. For more information, see link:AWSEC2/latest/UserGuide/Using_Tags.html#adding-or-deleting-tags[Adding and deleting tags on an individual resource,type="documentation"]. If you follow the steps in the guides that follow, the required tag is automatically added to nodes for you. [.topiclist] [[Topic List]] diff --git a/latest/ug/observability/control-plane-logs.adoc b/latest/ug/observability/control-plane-logs.adoc index 4eb1a53c1..27f753eb7 100644 --- a/latest/ug/observability/control-plane-logs.adoc +++ b/latest/ug/observability/control-plane-logs.adoc @@ -55,7 +55,7 @@ You can enable or disable control plane logs with either the <>, <>, and <>. * An existing Outpost. For more information, see link:outposts/latest/userguide/what-is-outposts.html[What is {aws} Outposts,type="documentation"]. * The `kubectl` command line tool is installed on your computer or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. -* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. +* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. * An IAM principal (user or role) with permissions to `create` and `describe` an Amazon EKS cluster. For more information, see <> and <>. -When a local Amazon EKS cluster is created, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that creates the cluster is permanently added. The principal is specifically added to the [.noloc]`Kubernetes` RBAC authorization table as the administrator. This entity has `system:masters` permissions. The identity of this entity isn't visible in your cluster configuration. So, it's important to note the entity that created the cluster and make sure that you never delete it. Initially, only the principal that created the server can make calls to the [.noloc]`Kubernetes` API server using `kubectl`. If you use the console to create the cluster, make sure that the same IAM credentials are in the {aws} SDK credential chain when you run `kubectl` commands on your cluster. After your cluster is created, you can grant other IAM principals access to your cluster. +When a local Amazon EKS cluster is created, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that creates the cluster is permanently added. The principal is specifically added to the [.noloc]`Kubernetes` RBAC authorization table as the administrator. This entity has `system:masters` permissions. The identity of this entity isn't visible in your cluster configuration. So, it's important to note the entity that created the cluster and make sure that you never delete it. Initially, only the principal that created the server can make calls to the [.noloc]`Kubernetes` API server using `kubectl`. If you use the console to create the cluster, make sure that the same IAM credentials are in the {aws} SDK credential chain when you run `kubectl` commands on your cluster. After your cluster is created, you can grant other IAM principals access to your cluster. == Create an Amazon EKS local cluster You can create a local cluster with the following tools described in this page: @@ -133,13 +133,13 @@ cat >eks-local-cluster-role-trust-policy.json <>. -. Choose *Add cluster* and then choose *Create*. +. Choose *Add cluster* and then choose *Create*. . On the *Configure cluster* page, enter or select values for the following fields: + * *[.noloc]`Kubernetes` control plane location* – Choose {aws} Outposts. @@ -158,22 +158,22 @@ aws iam attach-role-policy --policy-arn {arn-aws}iam::aws:policy/AmazonEKSLocalO * *Cluster service role* – Choose the Amazon EKS cluster IAM role that you created in a previous step to allow the [.noloc]`Kubernetes` control plane to manage {aws} resources. * *[.noloc]`Kubernetes` cluster administrator access* – If you want the IAM principal (role or user) that's creating the cluster to have administrator access to the [.noloc]`Kubernetes` objects on the cluster, accept the default (allow). Amazon EKS creates an access entry for the IAM principal and grants cluster administrator permissions to the access entry. For more information about access entries, see <>. + -If you want a different IAM principal than the principal creating the cluster to have administrator access to [.noloc]`Kubernetes` cluster objects, choose the disallow option. After cluster creation, any IAM principal that has IAM permissions to create access entries can add an access entries for any IAM principals that need access to [.noloc]`Kubernetes` cluster objects. For more information about the required IAM permissions, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the Service Authorization Reference. If you choose the disallow option and don't create any access entries, then no IAM principals will have access to the [.noloc]`Kubernetes` objects on the cluster. -* *Tags* – (Optional) Add any tags to your cluster. For more information, see <>. When you're done with this page, choose *Next*. +If you want a different IAM principal than the principal creating the cluster to have administrator access to [.noloc]`Kubernetes` cluster objects, choose the disallow option. After cluster creation, any IAM principal that has IAM permissions to create access entries can add an access entries for any IAM principals that need access to [.noloc]`Kubernetes` cluster objects. For more information about the required IAM permissions, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the Service Authorization Reference. If you choose the disallow option and don't create any access entries, then no IAM principals will have access to the [.noloc]`Kubernetes` objects on the cluster. +* *Tags* – (Optional) Add any tags to your cluster. For more information, see <>. When you're done with this page, choose *Next*. . On the *Specify networking* page, select values for the following fields: + -* *VPC* – Choose an existing VPC. The VPC must have a sufficient number of IP addresses available for the cluster, any nodes, and other [.noloc]`Kubernetes` resources that you want to create. Your VPC must meet the requirements in <>. -* *Subnets* – By default, all available subnets in the VPC specified in the previous field are preselected. The subnets that you choose must meet the requirements in <>. +* *VPC* – Choose an existing VPC. The VPC must have a sufficient number of IP addresses available for the cluster, any nodes, and other [.noloc]`Kubernetes` resources that you want to create. Your VPC must meet the requirements in <>. +* *Subnets* – By default, all available subnets in the VPC specified in the previous field are preselected. The subnets that you choose must meet the requirements in <>. * *Security groups* – (Optional) Specify one or more security groups that you want Amazon EKS to associate to the network interfaces that it creates. Amazon EKS automatically creates a security group that enables communication between your cluster and your VPC. Amazon EKS associates this security group, and any that you choose, to the network interfaces that it creates. For more information about the cluster security group that Amazon EKS creates, see <>. You can modify the rules in the cluster security group that Amazon EKS creates. If you choose to add your own security groups, you can't change the ones that you choose after cluster creation. For on-premises hosts to communicate with the cluster endpoint, you must allow inbound traffic from the cluster security group. For clusters that don't have an ingress and egress internet connection (also knows as private clusters), you must do one of the following: + ** Add the security group associated with required VPC endpoints. For more information about the required endpoints, see <> in <>. + -** Modify the security group that Amazon EKS created to allow traffic from the security group associated with the VPC endpoints. When you're done with this page, choose *Next*. -. On the *Configure observability* page, you can optionally choose which *Metrics* and *Control plane logging* options that you want to turn on. By default, each log type is turned off. +** Modify the security group that Amazon EKS created to allow traffic from the security group associated with the VPC endpoints. When you're done with this page, choose *Next*. +. On the *Configure observability* page, you can optionally choose which *Metrics* and *Control plane logging* options that you want to turn on. By default, each log type is turned off. + **** For more information on the [.noloc]`Prometheus` metrics option, see <>. -**** For more information on the *Control plane logging* options, see <>. When you're done with this page, choose *Next*. -. On the *Review and create* page, review the information that you entered or selected on the previous pages. If you need to make changes, choose *Edit*. When you're satisfied, choose *Create*. The *Status* field shows *CREATING* while the cluster is provisioned. +**** For more information on the *Control plane logging* options, see <>. When you're done with this page, choose *Next*. +. On the *Review and create* page, review the information that you entered or selected on the previous pages. If you need to make changes, choose *Edit*. When you're satisfied, choose *Create*. The *Status* field shows *CREATING* while the cluster is provisioned. + Cluster provisioning takes several minutes. @@ -211,7 +211,7 @@ Added new context {arn-aws}eks:region-code:111122223333:cluster/my-cluster to /h ---- . To connect to your local cluster's [.noloc]`Kubernetes` API server, have access to the local gateway for the subnet, or connect from within the VPC. For more information about connecting an Outpost rack to your on-premises network, see link:outposts/latest/userguide/how-racks-work.html[How local gateways for racks work,type="documentation"] in the {aws} Outposts User Guide. If you use Direct VPC Routing and the Outpost subnet has a route to your local gateway, the private IP addresses of the [.noloc]`Kubernetes` control plane instances are automatically broadcasted over your local network. The local cluster's [.noloc]`Kubernetes` API server endpoint is hosted in Amazon Route 53 (Route 53). The API service endpoint can be resolved by public DNS servers to the Kubernetes API servers' private IP addresses. + -Local clusters' [.noloc]`Kubernetes` control plane instances are configured with static elastic network interfaces with fixed private IP addresses that don't change throughout the cluster lifecycle. Machines that interact with the [.noloc]`Kubernetes` API server might not have connectivity to Route 53 during network disconnects. If this is the case, we recommend configuring `/etc/hosts` with the static private IP addresses for continued operations. We also recommend setting up local DNS servers and connecting them to your Outpost. For more information, see the link:outposts/latest/userguide/how-outposts-works.html#dns[{aws} Outposts documentation,type="documentation"]. Run the following command to confirm that communication's established with your cluster. +Local clusters' [.noloc]`Kubernetes` control plane instances are configured with static elastic network interfaces with fixed private IP addresses that don't change throughout the cluster lifecycle. Machines that interact with the [.noloc]`Kubernetes` API server might not have connectivity to Route 53 during network disconnects. If this is the case, we recommend configuring `/etc/hosts` with the static private IP addresses for continued operations. We also recommend setting up local DNS servers and connecting them to your Outpost. For more information, see the link:outposts/latest/userguide/how-outposts-works.html#dns[{aws} Outposts documentation,type="documentation"]. Run the following command to confirm that communication's established with your cluster. + [source,bash,subs="verbatim,attributes"] ---- @@ -261,7 +261,7 @@ Amazon EKS creates the following resources on your cluster. The resources are fo Recommended next steps: * <> -* <>. If you want the entities to view [.noloc]`Kubernetes` resources in the Amazon EKS console, grant the <> to the entities. +* <>. If you want the entities to view [.noloc]`Kubernetes` resources in the Amazon EKS console, grant the <> to the entities. * <> * Familiarize yourself with what happens during <>. * <> diff --git a/latest/ug/outposts/eks-outposts-network-disconnects.adoc b/latest/ug/outposts/eks-outposts-network-disconnects.adoc index 9fd57495b..f832f7d59 100644 --- a/latest/ug/outposts/eks-outposts-network-disconnects.adoc +++ b/latest/ug/outposts/eks-outposts-network-disconnects.adoc @@ -15,9 +15,9 @@ If your local network has lost connectivity with the {aws} Cloud, you can contin * Local clusters enable stability and continued operations during temporary, unplanned network disconnects. {aws} Outposts remains a fully connected offering that acts as an extension of the {aws} Cloud in your data center. In the event of network disconnects between your Outpost and {aws} Cloud, we recommend attempting to restore your connection. For instruction, see link:outposts/latest/userguide/network-troubleshoot.html[{aws} Outposts rack network troubleshooting checklist,type="documentation"] in the _{aws} Outposts User Guide_. For more information about how to troubleshoot issues with local clusters, see <>. -* Outposts emit a `ConnectedStatus` metric that you can use to monitor the connectivity state of your Outpost. For more information, see link:outposts/latest/userguide/outposts-cloudwatch-metrics.html#outposts-metrics[Outposts Metrics,type="documentation"] in the _{aws} Outposts User Guide_. +* Outposts emit a `ConnectedStatus` metric that you can use to monitor the connectivity state of your Outpost. For more information, see link:outposts/latest/userguide/outposts-cloudwatch-metrics.html#outposts-metrics[Outposts Metrics,type="documentation"] in the _{aws} Outposts User Guide_. * Local clusters use IAM as the default authentication mechanism using the https://github.com/kubernetes-sigs/aws-iam-authenticator[{aws} Identity and Access Management authenticator for Kubernetes]. IAM isn't available during network disconnects. So, local clusters support an alternative authentication mechanism using `x.509` certificates that you can use to connect to your cluster during network disconnects. For information about how to obtain and use an `x.509` certificate for your cluster, see <>. -* If you can't access Route 53 during network disconnects, consider using local DNS servers in your on-premises environment. The [.noloc]`Kubernetes` control plane instances use static IP addresses. You can configure the hosts that you use to connect to your cluster with the endpoint hostname and IP addresses as an alternative to using local DNS servers. For more information, see link:outposts/latest/userguide/how-outposts-works.html#dns[DNS,type="documentation"] in the _{aws} Outposts User Guide_. +* If you can't access Route 53 during network disconnects, consider using local DNS servers in your on-premises environment. The [.noloc]`Kubernetes` control plane instances use static IP addresses. You can configure the hosts that you use to connect to your cluster with the endpoint hostname and IP addresses as an alternative to using local DNS servers. For more information, see link:outposts/latest/userguide/how-outposts-works.html#dns[DNS,type="documentation"] in the _{aws} Outposts User Guide_. * If you expect increases in application traffic during network disconnects, you can provision spare compute capacity in your cluster when connected to the cloud. Amazon EC2 instances are included in the price of {aws} Outposts. So, running spare instances doesn't impact your {aws} usage cost. * During network disconnects to enable create, update, and scale operations for workloads, your application's container images must be accessible over the local network and your cluster must have enough capacity. Local clusters don't host a container registry for you. If the [.noloc]`Pods` have previously run on those nodes, container images are cached on the nodes. If you typically pull your application's container images from Amazon ECR in the cloud, consider running a local cache or registry. A local cache or registry is helpful if you require create, update, and scale operations for workload resources during network disconnects. * Local clusters use Amazon EBS as the default storage class for persistent volumes and the Amazon EBS CSI driver to manage the lifecycle of Amazon EBS persistent volumes. During network disconnects, [.noloc]`Pods` that are backed by Amazon EBS can't be created, updated, or scaled. This is because these operations require calls to the Amazon EBS API in the cloud. If you're deploying stateful workloads on local clusters and require create, update, or scale operations during network disconnects, consider using an alternative storage mechanism. diff --git a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc index 162b5283d..56a11f89e 100644 --- a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc +++ b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc @@ -31,7 +31,7 @@ You can create a local cluster with the following tools described in this page: . Install version `{eksctl-min-version}` or later of the `eksctl` command line tool installed on your device or {aws} CloudShell. To install or update `eksctl`, see https://eksctl.io/installation[Installation] in the `eksctl` documentation. + -. If your cluster is on the {aws} Cloud and the *AmazonEKS_CNI_Policy* managed IAM policy is attached to your <>, we recommend assigning it to an IAM role that you associate to the [.noloc]`Kubernetes` `aws-node` service account instead. For more information, see <>. If your cluster in on your Outpost, the policy must be attached to your node role. +. If your cluster is on the {aws} Cloud and the *AmazonEKS_CNI_Policy* managed IAM policy is attached to your <>, we recommend assigning it to an IAM role that you associate to the [.noloc]`Kubernetes` `aws-node` service account instead. For more information, see <>. If your cluster in on your Outpost, the policy must be attached to your node role. . The following command creates a node group in an existing cluster. The cluster must have been created using `eksctl`. Replace [.replaceable]`al-nodes` with a name for your node group. The node group name can't be longer than 63 characters. It must start with letter or digit, but can also include hyphens and underscores for the remaining characters. Replace [.replaceable]`my-cluster` with the name of your cluster. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. If your cluster exists on an Outpost, replace [.replaceable]`id` with the ID of an Outpost subnet. If your cluster exists on the {aws} Cloud, replace [.replaceable]`id` with the ID of a subnet that you didn't specify when you created your cluster. Replace [.replaceable]`instance-type` with an instance type supported by your Outpost. Replace the remaining [.replaceable]`example values` with your own values. The nodes are created with the same [.noloc]`Kubernetes` version as the control plane, by default. + Replace [.replaceable]`instance-type` with an instance type available on your Outpost. @@ -74,20 +74,20 @@ For a complete list of all available options and defaults, see https://eksctl.io curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2022-12-23/amazon-eks-nodegroup.yaml ---- . Open the link:cloudformation/[{aws} CloudFormation console,type="console"]. -. Choose *Create stack* and then select *With new resources (standard)*. -. For *Specify template*, select *Upload a template file* and then select *Choose file*. Select the `amazon-eks-nodegroup.yaml` file that you downloaded in a previous step and then select *Next*. -. On the *Specify stack details* page, enter the following parameters accordingly, and then choose *Next*: +. Choose *Create stack* and then select *With new resources (standard)*. +. For *Specify template*, select *Upload a template file* and then select *Choose file*. Select the `amazon-eks-nodegroup.yaml` file that you downloaded in a previous step and then select *Next*. +. On the *Specify stack details* page, enter the following parameters accordingly, and then choose *Next*: + ** *Stack name*: Choose a stack name for your {aws} CloudFormation stack. For example, you can call it [.replaceable]`al-nodes`. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. ** *ClusterName*: Enter the name of your cluster. If this name doesn't match your cluster name, your nodes can't join the cluster. -** *ClusterControlPlaneSecurityGroup*: Choose the *SecurityGroups* value from the {aws} CloudFormation output that you generated when you created your <>. +** *ClusterControlPlaneSecurityGroup*: Choose the *SecurityGroups* value from the {aws} CloudFormation output that you generated when you created your <>. + The following steps show one operation to retrieve the applicable group. + ... Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. ... Choose the name of the cluster. ... Choose the *Networking* tab. -... Use the *Additional security groups* value as a reference when selecting from the *ClusterControlPlaneSecurityGroup* dropdown list. +... Use the *Additional security groups* value as a reference when selecting from the *ClusterControlPlaneSecurityGroup* dropdown list. ** *NodeGroupName*: Enter a name for your node group. This name can be used later to identify the Auto Scaling node group that's created for your nodes. ** *NodeAutoScalingGroupMinSize*: Enter the minimum number of nodes that your node Auto Scaling group can scale in to. ** *NodeAutoScalingGroupDesiredCapacity*: Enter the desired number of nodes to scale to when your stack is created. @@ -98,7 +98,7 @@ The following steps show one operation to retrieve the applicable group. To use an Amazon EKS optimized accelerated AMI, replace [.replaceable]`amazon-linux-2` with `amazon-linux-2-gpu`. To use an Amazon EKS optimized Arm AMI, replace [.replaceable]`amazon-linux-2` with `amazon-linux-2-arm64`. + NOTE: The Amazon EKS node AMIs are based on Amazon Linux. You can track security or privacy events for Amazon Linux at the https://alas.aws.amazon.com/[Amazon Linux security center] by choosing the tab for your desired version. You can also subscribe to the applicable RSS feed. Security and privacy events include an overview of the issue, what packages are affected, and how to update your instances to correct the issue. -** *NodeImageId*: (Optional) If you're using your own custom AMI (instead of an Amazon EKS optimized AMI), enter a node AMI ID for your {aws} Region. If you specify a value here, it overrides any values in the *NodeImageIdSSMParam* field. +** *NodeImageId*: (Optional) If you're using your own custom AMI (instead of an Amazon EKS optimized AMI), enter a node AMI ID for your {aws} Region. If you specify a value here, it overrides any values in the *NodeImageIdSSMParam* field. ** *NodeVolumeSize*: Specify a root volume size for your nodes, in GiB. ** *NodeVolumeType*: Specify a root volume type for your nodes. ** *KeyName*: Enter the name of an Amazon EC2 SSH key pair that you can use to connect using SSH into your nodes with after they launch. If you don't already have an Amazon EC2 key pair, you can create one in the {aws-management-console}. For more information, see link:AWSEC2/latest/UserGuide/ec2-key-pairs.html[Amazon EC2 key pairs,type="documentation"] in the _Amazon EC2 User Guide_. @@ -110,11 +110,11 @@ NOTE: If you don't provide a key pair here, the {aws} CloudFormation stack creat ---- --b64-cluster-ca ${CLUSTER_CA} --apiserver-endpoint https://${APISERVER_ENDPOINT} --enable-local-outpost true --cluster-id ${CLUSTER_ID} ---- -** *DisableIMDSv1*: By default, each node supports the Instance Metadata Service Version 1 (IMDSv1) and IMDSv2. You can disable IMDSv1. To prevent future nodes and [.noloc]`Pods` in the node group from using IMDSv1, set *DisableIMDSv1* to *true*. For more information about IMDS, see link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html[Configuring the instance metadata service,type="documentation"]. For more information about restricting access to it on your nodes, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. -** *VpcId*: Enter the ID for the <> that you created. Before choosing a VPC, review <>. -** *Subnets*: If your cluster is on an Outpost, then choose at least one private subnet in your VPC. Before choosing subnets, review <>. You can see which subnets are private by opening each subnet link from the *Networking* tab of your cluster. -. Select your desired choices on the *Configure stack options* page, and then choose *Next*. -. Select the check box to the left of *I acknowledge that {aws} CloudFormation might create IAM resources.*, and then choose *Create stack*. +** *DisableIMDSv1*: By default, each node supports the Instance Metadata Service Version 1 (IMDSv1) and IMDSv2. You can disable IMDSv1. To prevent future nodes and [.noloc]`Pods` in the node group from using IMDSv1, set *DisableIMDSv1* to *true*. For more information about IMDS, see link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html[Configuring the instance metadata service,type="documentation"]. For more information about restricting access to it on your nodes, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. +** *VpcId*: Enter the ID for the <> that you created. Before choosing a VPC, review <>. +** *Subnets*: If your cluster is on an Outpost, then choose at least one private subnet in your VPC. Before choosing subnets, review <>. You can see which subnets are private by opening each subnet link from the *Networking* tab of your cluster. +. Select your desired choices on the *Configure stack options* page, and then choose *Next*. +. Select the check box to the left of *I acknowledge that {aws} CloudFormation might create IAM resources.*, and then choose *Create stack*. . When your stack has finished creating, select it in the console and choose *Outputs*. . Record the *NodeInstanceRole* for the node group that was created. You need this when you configure your Amazon EKS nodes. @@ -220,7 +220,7 @@ kubectl apply -f https://raw.githubusercontent.com/NVIDIA/k8s-device-plugin/vX.X *Step3: Additional actions* . (Optional) Deploy a <> to test your cluster and [.noloc]`Linux` nodes. -. If your cluster is deployed on an Outpost, then skip this step. If your cluster is deployed on the {aws} Cloud, the following information is optional. If the *AmazonEKS_CNI_Policy* managed IAM policy is attached to your <>, we recommend assigning it to an IAM role that you associate to the [.noloc]`Kubernetes` `aws-node` service account instead. For more information, see <>. +. If your cluster is deployed on an Outpost, then skip this step. If your cluster is deployed on the {aws} Cloud, the following information is optional. If the *AmazonEKS_CNI_Policy* managed IAM policy is attached to your <>, we recommend assigning it to an IAM role that you associate to the [.noloc]`Kubernetes` `aws-node` service account instead. For more information, see <>. 📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-outposts-self-managed-nodes%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/outposts/eks-outposts-troubleshooting.adoc b/latest/ug/outposts/eks-outposts-troubleshooting.adoc index 2e03a3a36..efce19ca8 100644 --- a/latest/ug/outposts/eks-outposts-troubleshooting.adoc +++ b/latest/ug/outposts/eks-outposts-troubleshooting.adoc @@ -256,7 +256,7 @@ We don't recommend modifying the default pod security policy. For more informati [%collapsible] ==== -When an Outpost gets disconnected from the {aws} Region that it's associated with, the [.noloc]`Kubernetes` cluster likely will continue working normally. However, if the cluster doesn't work properly, follow the troubleshooting steps in <>. If you encounter other issues, contact {aws} Support. {aws} Support can guide you on downloading and running a log collection tool. That way, you can collect logs from your [.noloc]`Kubernetes` cluster control plane instances and send them to {aws} Support support for further investigation. +When an Outpost gets disconnected from the {aws} Region that it's associated with, the [.noloc]`Kubernetes` cluster likely will continue working normally. However, if the cluster doesn't work properly, follow the troubleshooting steps in <>. If you encounter other issues, contact {aws} Support. {aws} Support can guide you on downloading and running a log collection tool. That way, you can collect logs from your [.noloc]`Kubernetes` cluster control plane instances and send them to {aws} Support support for further investigation. ==== [#outposts-troubleshooting-control-plane-instances-ssm] @@ -271,7 +271,7 @@ When the Amazon EKS control plane instances aren't reachable through {aws} Syste Amazon EKS control plane instances are not reachable through SSM. Please verify your SSM and network configuration, and reference the EKS on Outposts troubleshooting documentation. ---- -To resolve this issue, make sure that your VPC and subnets meet the requirements in <> and that you completed the steps in link:systems-manager/latest/userguide/session-manager-getting-started.html[Setting up Session Manager,type="documentation"] in the {aws} Systems Manager User Guide. +To resolve this issue, make sure that your VPC and subnets meet the requirements in <> and that you completed the steps in link:systems-manager/latest/userguide/session-manager-getting-started.html[Setting up Session Manager,type="documentation"] in the {aws} Systems Manager User Guide. ==== diff --git a/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc b/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc index fcd84384d..d229da00b 100644 --- a/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc +++ b/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc @@ -19,10 +19,10 @@ When you create a local cluster, the VPC that you specify must meet the followin -* Make sure that the VPC has enough IP addresses for the local cluster, any nodes, and other [.noloc]`Kubernetes` resources that you want to create. If the VPC that you want to use doesn't have enough IP addresses, increase the number of available IP addresses. You can do this by link:vpc/latest/userguide/working-with-vpcs.html#add-ipv4-cidr[associating additional Classless Inter-Domain Routing (CIDR) blocks,type="documentation"] with your VPC. You can associate private (RFC 1918) and public (non-RFC 1918) CIDR blocks to your VPC either before or after you create your cluster. It can take a cluster up to 5 hours for a CIDR block that you associated with a VPC to be recognized. +* Make sure that the VPC has enough IP addresses for the local cluster, any nodes, and other [.noloc]`Kubernetes` resources that you want to create. If the VPC that you want to use doesn't have enough IP addresses, increase the number of available IP addresses. You can do this by link:vpc/latest/userguide/working-with-vpcs.html#add-ipv4-cidr[associating additional Classless Inter-Domain Routing (CIDR) blocks,type="documentation"] with your VPC. You can associate private (RFC 1918) and public (non-RFC 1918) CIDR blocks to your VPC either before or after you create your cluster. It can take a cluster up to 5 hours for a CIDR block that you associated with a VPC to be recognized. * The VPC can't have assigned IP prefixes or IPv6 CIDR blocks. Because of these constraints, the information that's covered in <> and <> isn't applicable to your VPC. * The VPC has a DNS hostname and DNS resolution enabled. Without these features, the local cluster fails to create, and you need to enable the features and recreate your cluster. For more information, see link:vpc/latest/userguide/vpc-dns.html[DNS attributes for your VPC,type="documentation"] in the Amazon VPC User Guide. -* To access your local cluster over your local network, the VPC must be associated with your Outpost's local gateway route table. For more information, see link:outposts/latest/userguide/outposts-local-gateways.html#vpc-associations[VPC associations,type="documentation"] in the {aws} Outposts User Guide. +* To access your local cluster over your local network, the VPC must be associated with your Outpost's local gateway route table. For more information, see link:outposts/latest/userguide/outposts-local-gateways.html#vpc-associations[VPC associations,type="documentation"] in the {aws} Outposts User Guide. [#outposts-subnet-requirements] @@ -35,7 +35,7 @@ When you create the cluster, specify at least one private subnet. If you specify * The subnets are all on the same logical Outpost. * The subnets together have at least three available IP addresses for the [.noloc]`Kubernetes` control plane instances. If three subnets are specified, each subnet must have at least one available IP address. If two subnets are specified, each subnet must have at least two available IP addresses. If one subnet is specified, the subnet must have at least three available IP addresses. * The subnets have a route to the Outpost rack's link:outposts/latest/userguide/outposts-local-gateways.html[local gateway,type="documentation"] to access the [.noloc]`Kubernetes` API server over your local network. If the subnets don't have a route to the Outpost rack's local gateway, you must communicate with your [.noloc]`Kubernetes` API server from within the VPC. -* The subnets must use IP address-based naming. Amazon EC2 link:AWSEC2/latest/UserGuide/ec2-instance-naming.html#instance-naming-rbn[resource-based naming,type="documentation"] isn't supported by Amazon EKS. +* The subnets must use IP address-based naming. Amazon EC2 link:AWSEC2/latest/UserGuide/ec2-instance-naming.html#instance-naming-rbn[resource-based naming,type="documentation"] isn't supported by Amazon EKS. [#subnet-access-to-services] @@ -46,7 +46,7 @@ The local cluster's private subnets on Outposts must be able to communicate with [#subnet-access-nat-gateway] === Using a NAT gateway -The local cluster's private subnets on Outposts must have an associated route table that has a route to a NAT gateway in a public subnet that is in the Outpost's parent Availability Zone. The public subnet must have a route to an link:vpc/latest/userguide/VPC_Internet_Gateway.html[internet gateway,type="documentation"]. The NAT gateway enables outbound internet access and prevents unsolicited inbound connections from the internet to instances on the Outpost. +The local cluster's private subnets on Outposts must have an associated route table that has a route to a NAT gateway in a public subnet that is in the Outpost's parent Availability Zone. The public subnet must have a route to an link:vpc/latest/userguide/VPC_Internet_Gateway.html[internet gateway,type="documentation"]. The NAT gateway enables outbound internet access and prevents unsolicited inbound connections from the internet to instances on the Outpost. [#vpc-subnet-requirements-vpc-endpoints] === Using interface VPC endpoints diff --git a/latest/ug/outposts/eks-outposts.adoc b/latest/ug/outposts/eks-outposts.adoc index 0338d132c..3bc6a60cd 100644 --- a/latest/ug/outposts/eks-outposts.adoc +++ b/latest/ug/outposts/eks-outposts.adoc @@ -63,7 +63,7 @@ The following table compares the differences between the two options. |Your account |Regional availability -|See link:general/latest/gr/eks.html#eks_region[Service endpoints,type="documentation"] +|see link:general/latest/gr/eks.html#eks_region[Service endpoints,type="documentation"] |US East (Ohio), US East (N. Virginia), US West (N. California), US West (Oregon), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), Europe (Frankfurt), Europe (Ireland), Europe (London), Middle East (Bahrain), and South America (São Paulo) |Kubernetes minor versions diff --git a/latest/ug/roadmap.adoc b/latest/ug/roadmap.adoc index 24a164fc7..1427dc553 100644 --- a/latest/ug/roadmap.adoc +++ b/latest/ug/roadmap.adoc @@ -17,7 +17,7 @@ include::attributes.txt[] Follow the What's New feed and public roadmap to help plan for new and future Amazon EKS developments. -- -You can learn about new Amazon EKS features by scrolling to the What's New feed on the link:new/?whats-new-content-all.sort-by=item.additionalFields.postDateTime&whats-new-content-all.sort-order=desc&awsf.whats-new-compute=*all&awsf.whats-new-containers=general-products%23amazon-eks[What's New with {aws},type="marketing"] page. You can also review the https://github.com/aws/containers-roadmap/projects/1?card_filter_query=eks[roadmap] on [.noloc]`GitHub`, which lets you know about upcoming features and priorities so that you can plan how you want to use Amazon EKS in the future. You can provide direct feedback to us about the roadmap priorities. +You can learn about new Amazon EKS features by scrolling to the What's New feed on the link:new/?whats-new-content-all.sort-by=item.additionalFields.postDateTime&whats-new-content-all.sort-order=desc&awsf.whats-new-compute=*all&awsf.whats-new-containers=general-products%23amazon-eks[What's New with {aws},type="marketing"] page. You can also review the https://github.com/aws/containers-roadmap/projects/1?card_filter_query=eks[roadmap] on [.noloc]`GitHub`, which lets you know about upcoming features and priorities so that you can plan how you want to use Amazon EKS in the future. You can provide direct feedback to us about the roadmap priorities. 📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23roadmap%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/configuration-vulnerability-analysis.adoc b/latest/ug/security/configuration-vulnerability-analysis.adoc index 1b2b504a7..91103b8ec 100644 --- a/latest/ug/security/configuration-vulnerability-analysis.adoc +++ b/latest/ug/security/configuration-vulnerability-analysis.adoc @@ -29,7 +29,7 @@ For an automated `aws-sample` pipeline to update your node group with a CIS benc [#configuration-vulnerability-analysis-pv] == Amazon EKS platform versions -Amazon EKS _platform versions_ represent the capabilities of the cluster control plane, including which [.noloc]`Kubernetes` API server flags are enabled and the current [.noloc]`Kubernetes` patch version. New clusters are deployed with the latest platform version. For details, see <>. +Amazon EKS _platform versions_ represent the capabilities of the cluster control plane, including which [.noloc]`Kubernetes` API server flags are enabled and the current [.noloc]`Kubernetes` patch version. New clusters are deployed with the latest platform version. For details, see <>. You can <> to newer [.noloc]`Kubernetes` versions. As new [.noloc]`Kubernetes` versions become available in Amazon EKS, we recommend that you proactively update your clusters to use the latest available version. For more information about [.noloc]`Kubernetes` versions in EKS, see <>. @@ -49,12 +49,12 @@ Track security or privacy events for Amazon Linux 2 at the https://alas.aws.amaz [#configuration-vulnerability-analysis-inspector] == Node detection with Amazon Inspector -You can use link:inspector/latest/userguide/inspector_introduction.html[Amazon Inspector,type="documentation"] to check for unintended network accessibility of your nodes and for vulnerabilities on those Amazon EC2 instances. +You can use link:inspector/latest/userguide/inspector_introduction.html[Amazon Inspector,type="documentation"] to check for unintended network accessibility of your nodes and for vulnerabilities on those Amazon EC2 instances. [#configuration-vulnerability-analysis-guardduty] == Cluster and node detection with Amazon GuardDuty -Amazon GuardDuty threat detection service that helps protect your accounts, containers, workloads, and the data within your {aws} environment. Among other features, GuardDuty offers the following two features that detect potential threats to your EKS clusters: _EKS Protection_ and _Runtime Monitoring_. +Amazon GuardDuty threat detection service that helps protect your accounts, containers, workloads, and the data within your {aws} environment. Among other features, GuardDuty offers the following two features that detect potential threats to your EKS clusters: _EKS Protection_ and _Runtime Monitoring_. For more information, see <>. diff --git a/latest/ug/security/default-roles-users.adoc b/latest/ug/security/default-roles-users.adoc index 16bf09e27..0ff30f03f 100644 --- a/latest/ug/security/default-roles-users.adoc +++ b/latest/ug/security/default-roles-users.adoc @@ -28,11 +28,11 @@ The link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,typ . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. . In the *Clusters* list, choose the cluster that contains the identities that you want to view. . Choose the *Resources* tab. -. Under *Resource types*, choose *Authorization*. -. Choose, *ClusterRoles*, *ClusterRoleBindings*, *Roles*, or *RoleBindings*. All resources prefaced with *eks* are created by Amazon EKS. Additional Amazon EKS created identity resources are: +. Under *Resource types*, choose *Authorization*. +. Choose, *ClusterRoles*, *ClusterRoleBindings*, *Roles*, or *RoleBindings*. All resources prefaced with *eks* are created by Amazon EKS. Additional Amazon EKS created identity resources are: + -* The *ClusterRole* and *ClusterRoleBinding* named *aws-node*. The *aws-node* resources support the <>, which Amazon EKS installs on all clusters. -* A *ClusterRole* named *vpc-resource-controller-role* and a *ClusterRoleBinding* named *vpc-resource-controller-rolebinding*. These resources support the https://github.com/aws/amazon-vpc-resource-controller-k8s[Amazon VPC resource controller], which Amazon EKS installs on all clusters. +* The *ClusterRole* and *ClusterRoleBinding* named *aws-node*. The *aws-node* resources support the <>, which Amazon EKS installs on all clusters. +* A *ClusterRole* named *vpc-resource-controller-role* and a *ClusterRoleBinding* named *vpc-resource-controller-rolebinding*. These resources support the https://github.com/aws/amazon-vpc-resource-controller-k8s[Amazon VPC resource controller], which Amazon EKS installs on all clusters. + In addition to the resources that you see in the console, the following special user identities exist on your cluster, though they're not visible in the cluster's configuration: @@ -40,7 +40,7 @@ In addition to the resources that you see in the console, the following special * *`eks:cluster-bootstrap`* – Used for `kubectl` operations during cluster bootstrap. * *`eks:support-engineer`* – Used for cluster management operations. -. Choose a specific resource to view details about it. By default, you're shown information in *Structured view*. In the top-right corner of the details page you can choose *Raw view* to see all information for the resource. +. Choose a specific resource to view details about it. By default, you're shown information in *Structured view*. In the top-right corner of the details page you can choose *Raw view* to see all information for the resource. [#default-role-users-kubectl] == Kubectl diff --git a/latest/ug/security/enable-kms.adoc b/latest/ug/security/enable-kms.adoc index 2418637a7..7066f5a52 100644 --- a/latest/ug/security/enable-kms.adoc +++ b/latest/ug/security/enable-kms.adoc @@ -15,7 +15,7 @@ If you enable https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/[ * Symmetric * Can encrypt and decrypt data * Created in the same {aws} Region as the cluster -* If the KMS key was created in a different account, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] must have access to the KMS key. +* If the KMS key was created in a different account, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] must have access to the KMS key. For more information, see link:kms/latest/developerguide/key-policy-modifying-external-accounts.html[Allowing IAM principals in other accounts to use a KMS key,type="documentation"] in the _link:kms/latest/developerguide/[{aws} Key Management Service Developer Guide,type="documentation"]_. diff --git a/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc b/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc index 8fe738ffa..f6612ebdc 100644 --- a/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc +++ b/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc @@ -30,8 +30,8 @@ You can use the following procedure to check and see if your account already has . Search the list of roles for `AmazonEKSAutoClusterRole`. If a role that includes `AmazonEKSAutoClusterRole` doesn't exist, then see the instructions in the next section to create the role. If a role that includes `AmazonEKSAutoClusterRole` does exist, then select the role to view the attached policies. . Choose *Permissions*. . Ensure that the *AmazonEKSClusterPolicy* managed policy is attached to the role. If the policy is attached, your Amazon EKS cluster role is properly configured. -. Choose *Trust relationships*, and then choose *Edit trust policy*. -. Verify that the trust relationship contains the following policy. If the trust relationship matches the following policy, choose *Cancel*. If the trust relationship doesn't match, copy the policy into the *Edit trust policy* window and choose *Update policy*. +. Choose *Trust relationships*, and then choose *Edit trust policy*. +. Verify that the trust relationship contains the following policy. If the trust relationship matches the following policy, choose *Cancel*. If the trust relationship doesn't match, copy the policy into the *Edit trust policy* window and choose *Update policy*. + [source,json,subs="verbatim,attributes"] ---- @@ -65,11 +65,11 @@ You can use the {aws-management-console} or the {aws} CLI to create the cluster === {aws-management-console} . Open the IAM console at https://console.aws.amazon.com/iam/. -. Choose *Roles*, then *Create role*. -. Under *Trusted entity type*, select *{aws} service*. -. From the *Use cases for other {aws} services* dropdown list, choose *EKS*. -. Choose *EKS - Cluster* for your use case, and then choose *Next*. -. On the *Add permissions* tab, select the policies and then choose *Next*. +. Choose *Roles*, then *Create role*. +. Under *Trusted entity type*, select *{aws} service*. +. From the *Use cases for other {aws} services* dropdown list, choose *EKS*. +. Choose *EKS - Cluster* for your use case, and then choose *Next*. +. On the *Add permissions* tab, select the policies and then choose *Next*. ** <> ** <> ** <> diff --git a/latest/ug/security/iam-reference/auto-create-node-role.adoc b/latest/ug/security/iam-reference/auto-create-node-role.adoc index e26d3090f..a746958d8 100644 --- a/latest/ug/security/iam-reference/auto-create-node-role.adoc +++ b/latest/ug/security/iam-reference/auto-create-node-role.adoc @@ -30,8 +30,8 @@ You can use the following procedure to check and see if your account already has . Search the list of roles for `AmazonEKSAutoNodeRole`. If a role with one of those names doesn't exist, then see instructions in the next section to create the role. If a role that contains `AmazonEKSAutoNodeRole` does exist, then select the role to view the attached policies. . Choose *Permissions*. . Ensure that the required policies above are attached, or equivalent custom policies. -. Choose *Trust relationships*, and then choose *Edit trust policy*. -. Verify that the trust relationship contains the following policy. If the trust relationship matches the following policy, choose *Cancel*. If the trust relationship doesn't match, copy the policy into the *Edit trust policy* window and choose *Update policy*. +. Choose *Trust relationships*, and then choose *Edit trust policy*. +. Verify that the trust relationship contains the following policy. If the trust relationship matches the following policy, choose *Cancel*. If the trust relationship doesn't match, copy the policy into the *Edit trust policy* window and choose *Update policy*. + [source,json,subs="verbatim,attributes"] ---- @@ -59,11 +59,11 @@ You can create the node IAM role with the {aws-management-console} or the {aws} === {aws-management-console} . Open the IAM console at https://console.aws.amazon.com/iam/. . In the left navigation pane, choose *Roles*. -. On the *Roles* page, choose *Create role*. +. On the *Roles* page, choose *Create role*. . On the *Select trusted entity* page, do the following: + -.. In the *Trusted entity type* section, choose *{aws} service*. -.. Under *Use case*, choose *EC2*. +.. In the *Trusted entity type* section, choose *{aws} service*. +.. Under *Use case*, choose *EC2*. .. Choose *Next*. . On the *Add permissions* page, attach the following policies: ** <> @@ -72,7 +72,7 @@ You can create the node IAM role with the {aws-management-console} or the {aws} + .. For *Role name*, enter a unique name for your role, such as `AmazonEKSAutoNodeRole`. .. For *Description*, replace the current text with descriptive text such as `Amazon EKS - Node role`. -.. Under *Add tags (Optional)*, add metadata to the role by attaching tags as key-value pairs. For more information about using tags in IAM, see link:IAM/latest/UserGuide/id_tags.html[Tagging IAM resources,type="documentation"] in the _IAM User Guide_. +.. Under *Add tags (Optional)*, add metadata to the role by attaching tags as key-value pairs. For more information about using tags in IAM, see link:IAM/latest/UserGuide/id_tags.html[Tagging IAM resources,type="documentation"] in the _IAM User Guide_. .. Choose *Create role*. diff --git a/latest/ug/security/iam-reference/cluster-iam-role.adoc b/latest/ug/security/iam-reference/cluster-iam-role.adoc index 51a7e242c..8d58275f4 100644 --- a/latest/ug/security/iam-reference/cluster-iam-role.adoc +++ b/latest/ug/security/iam-reference/cluster-iam-role.adoc @@ -73,8 +73,8 @@ You can use the following procedure to check and see if your account already has . Search the list of roles for `eksClusterRole`. If a role that includes `eksClusterRole` doesn't exist, then see <> to create the role. If a role that includes `eksClusterRole` does exist, then select the role to view the attached policies. . Choose *Permissions*. . Ensure that the *AmazonEKSClusterPolicy* managed policy is attached to the role. If the policy is attached, your Amazon EKS cluster role is properly configured. -. Choose *Trust relationships*, and then choose *Edit trust policy*. -. Verify that the trust relationship contains the following policy. If the trust relationship matches the following policy, choose *Cancel*. If the trust relationship doesn't match, copy the policy into the *Edit trust policy* window and choose *Update policy*. +. Choose *Trust relationships*, and then choose *Edit trust policy*. +. Verify that the trust relationship contains the following policy. If the trust relationship matches the following policy, choose *Cancel*. If the trust relationship doesn't match, copy the policy into the *Edit trust policy* window and choose *Update policy*. + [source,json,subs="verbatim,attributes"] ---- @@ -102,11 +102,11 @@ You can use the {aws-management-console} or the {aws} CLI to create the cluster {aws-management-console}:: .. Open the IAM console at https://console.aws.amazon.com/iam/. -.. Choose *Roles*, then *Create role*. -.. Under *Trusted entity type*, select *{aws} service*. -.. From the *Use cases for other {aws} services* dropdown list, choose *EKS*. -.. Choose *EKS - Cluster* for your use case, and then choose *Next*. -.. On the *Add permissions* tab, choose *Next*. +.. Choose *Roles*, then *Create role*. +.. Under *Trusted entity type*, select *{aws} service*. +.. From the *Use cases for other {aws} services* dropdown list, choose *EKS*. +.. Choose *EKS - Cluster* for your use case, and then choose *Next*. +.. On the *Add permissions* tab, choose *Next*. .. For *Role name*, enter a unique name for your role, such as `eksClusterRole`. .. For *Description*, enter descriptive text such as `Amazon EKS - Cluster role`. .. Choose *Create role*. diff --git a/latest/ug/security/iam-reference/connector-iam-role.adoc b/latest/ug/security/iam-reference/connector-iam-role.adoc index 863dc6508..affea0128 100644 --- a/latest/ug/security/iam-reference/connector-iam-role.adoc +++ b/latest/ug/security/iam-reference/connector-iam-role.adoc @@ -17,8 +17,8 @@ You can use the following procedure to check and see if your account already has . Search the list of roles for `AmazonEKSConnectorAgentRole`. If a role that includes `AmazonEKSConnectorAgentRole` doesn't exist, then see <> to create the role. If a role that includes `AmazonEKSConnectorAgentRole` does exist, then select the role to view the attached policies. . Choose *Permissions*. . Ensure that the *AmazonEKSConnectorAgentPolicy* managed policy is attached to the role. If the policy is attached, your Amazon EKS connector role is properly configured. -. Choose *Trust relationships*, and then choose *Edit trust policy*. -. Verify that the trust relationship contains the following policy. If the trust relationship matches the following policy, choose *Cancel*. If the trust relationship doesn't match, copy the policy into the *Edit trust policy* window and choose *Update policy*. +. Choose *Trust relationships*, and then choose *Edit trust policy*. +. Verify that the trust relationship contains the following policy. If the trust relationship matches the following policy, choose *Cancel*. If the trust relationship doesn't match, copy the policy into the *Edit trust policy* window and choose *Update policy*. + [source,json,subs="verbatim,attributes"] ---- @@ -165,8 +165,8 @@ Outputs: .. For *Specify template*, select *Upload a template file*, and then choose *Choose file*. .. Choose the file you created earlier, and then choose *Next*. .. For *Stack name*, enter a name for your role, such as `eksConnectorAgentRole`, and then choose *Next*. -.. On the *Configure stack options* page, choose *Next*. -.. On the *Review* page, review your information, acknowledge that the stack might create IAM resources, and then choose *Create stack*. +.. On the *Configure stack options* page, choose *Next*. +.. On the *Review* page, review your information, acknowledge that the stack might create IAM resources, and then choose *Create stack*. 📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23connector-iam-role%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/create-node-role.adoc b/latest/ug/security/iam-reference/create-node-role.adoc index 62eca7918..afc40ab87 100644 --- a/latest/ug/security/iam-reference/create-node-role.adoc +++ b/latest/ug/security/iam-reference/create-node-role.adoc @@ -36,11 +36,11 @@ You can use the following procedure to check and see if your account already has . In the left navigation pane, choose *Roles*. . Search the list of roles for `eksNodeRole`, `AmazonEKSNodeRole`, or `NodeInstanceRole`. If a role with one of those names doesn't exist, then see <> to create the role. If a role that contains `eksNodeRole`, `AmazonEKSNodeRole`, or `NodeInstanceRole` does exist, then select the role to view the attached policies. . Choose *Permissions*. -. Ensure that the *AmazonEKSWorkerNodePolicy* and *AmazonEC2ContainerRegistryPullOnly* managed policies are attached to the role or a custom policy is attached with the minimal permissions. +. Ensure that the *AmazonEKSWorkerNodePolicy* and *AmazonEC2ContainerRegistryPullOnly* managed policies are attached to the role or a custom policy is attached with the minimal permissions. + NOTE: If the *AmazonEKS_CNI_Policy* policy is attached to the role, we recommend removing it and attaching it to an IAM role that is mapped to the `aws-node` [.noloc]`Kubernetes` service account instead. For more information, see <>. -. Choose *Trust relationships*, and then choose *Edit trust policy*. -. Verify that the trust relationship contains the following policy. If the trust relationship matches the following policy, choose *Cancel*. If the trust relationship doesn't match, copy the policy into the *Edit trust policy* window and choose *Update policy*. +. Choose *Trust relationships*, and then choose *Edit trust policy*. +. Verify that the trust relationship contains the following policy. If the trust relationship matches the following policy, choose *Cancel*. If the trust relationship doesn't match, copy the policy into the *Edit trust policy* window and choose *Update policy*. + [source,json,subs="verbatim,attributes"] ---- @@ -73,11 +73,11 @@ You can create the node IAM role with the {aws-management-console} or the {aws} {aws-management-console}:: .. Open the IAM console at https://console.aws.amazon.com/iam/. .. In the left navigation pane, choose *Roles*. -.. On the *Roles* page, choose *Create role*. +.. On the *Roles* page, choose *Create role*. .. On the *Select trusted entity* page, do the following: + -... In the *Trusted entity type* section, choose *{aws} service*. -... Under *Use case*, choose *EC2*. +... In the *Trusted entity type* section, choose *{aws} service*. +... Under *Use case*, choose *EC2*. ... Choose *Next*. .. On the *Add permissions* page, attach a custom policy or do the following: + @@ -87,13 +87,13 @@ You can create the node IAM role with the {aws-management-console} or the {aws} ... In the *Filter policies* box, enter `AmazonEC2ContainerRegistryPullOnly`. ... Select the check box to the left of *AmazonEC2ContainerRegistryPullOnly* in the search results. + -Either the *AmazonEKS_CNI_Policy* managed policy, or an <> that you create must also be attached to either this role or to a different role that's mapped to the `aws-node` [.noloc]`Kubernetes` service account. We recommend assigning the policy to the role associated to the [.noloc]`Kubernetes` service account instead of assigning it to this role. For more information, see <>. +Either the *AmazonEKS_CNI_Policy* managed policy, or an <> that you create must also be attached to either this role or to a different role that's mapped to the `aws-node` [.noloc]`Kubernetes` service account. We recommend assigning the policy to the role associated to the [.noloc]`Kubernetes` service account instead of assigning it to this role. For more information, see <>. ... Choose *Next*. .. On the *Name, review, and create* page, do the following: + ... For *Role name*, enter a unique name for your role, such as `AmazonEKSNodeRole`. ... For *Description*, replace the current text with descriptive text such as `Amazon EKS - Node role`. -... Under *Add tags (Optional)*, add metadata to the role by attaching tags as key-value pairs. For more information about using tags in IAM, see link:IAM/latest/UserGuide/id_tags.html[Tagging IAM resources,type="documentation"] in the _IAM User Guide_. +... Under *Add tags (Optional)*, add metadata to the role by attaching tags as key-value pairs. For more information about using tags in IAM, see link:IAM/latest/UserGuide/id_tags.html[Tagging IAM resources,type="documentation"] in the _IAM User Guide_. ... Choose *Create role*. diff --git a/latest/ug/security/iam-reference/pod-execution-role.adoc b/latest/ug/security/iam-reference/pod-execution-role.adoc index 2b84df770..c0613c53c 100644 --- a/latest/ug/security/iam-reference/pod-execution-role.adoc +++ b/latest/ug/security/iam-reference/pod-execution-role.adoc @@ -21,7 +21,7 @@ The Fargate profile must have a different IAM role than Amazon EC2 node groups. [IMPORTANT] ==== -The containers running in the Fargate [.noloc]`Pod` can't assume the IAM permissions associated with a [.noloc]`Pod` execution role. To give the containers in your Fargate [.noloc]`Pod` permissions to access other {aws} services, you must use <>. +The containers running in the Fargate [.noloc]`Pod` can't assume the IAM permissions associated with a [.noloc]`Pod` execution role. To give the containers in your Fargate [.noloc]`Pod` permissions to access other {aws} services, you must use <>. ==== @@ -33,14 +33,14 @@ You can use the following procedure to check and see if your account already has . Open the IAM console at https://console.aws.amazon.com/iam/. . In the left navigation pane, choose *Roles*. -. On the *Roles* page, search the list of roles for *AmazonEKSFargatePodExecutionRole*. If the role doesn't exist, see <> to create the role. If the role does exist, choose the role. +. On the *Roles* page, search the list of roles for *AmazonEKSFargatePodExecutionRole*. If the role doesn't exist, see <> to create the role. If the role does exist, choose the role. . On the *AmazonEKSFargatePodExecutionRole* page, do the following: + .. Choose *Permissions*. .. Ensure that the *AmazonEKSFargatePodExecutionRolePolicy* Amazon managed policy is attached to the role. .. Choose *Trust relationships*. .. Choose *Edit trust policy*. -. On the *Edit trust policy* page, verify that the trust relationship contains the following policy and has a line for Fargate profiles on your cluster. If so, choose *Cancel*. +. On the *Edit trust policy* page, verify that the trust relationship contains the following policy and has a line for Fargate profiles on your cluster. If so, choose *Cancel*. + [source,json,subs="verbatim,attributes"] ---- @@ -70,7 +70,7 @@ If the policy matches but doesn't have a line specifying the Fargate profiles on "aws:SourceArn": "{arn-aws}eks:region-code:111122223333:fargateprofile/my-cluster/*", ---- + -If the policy doesn't match, copy the full previous policy into the form and choose *Update policy*. Replace [.replaceable]`region-code` with the {aws} Region that your cluster is in. If you want to use the same role in all {aws} Regions in your account, replace [.replaceable]`region-code` with `{asterisk}`. Replace [.replaceable]`111122223333` with your account ID and [.replaceable]`my-cluster` with the name of your cluster. If you want to use the same role for all clusters in your account, replace [.replaceable]`my-cluster` with `{asterisk}`. +If the policy doesn't match, copy the full previous policy into the form and choose *Update policy*. Replace [.replaceable]`region-code` with the {aws} Region that your cluster is in. If you want to use the same role in all {aws} Regions in your account, replace [.replaceable]`region-code` with `{asterisk}`. Replace [.replaceable]`111122223333` with your account ID and [.replaceable]`my-cluster` with the name of your cluster. If you want to use the same role for all clusters in your account, replace [.replaceable]`my-cluster` with `{asterisk}`. [#create-pod-execution-role] @@ -83,20 +83,20 @@ If you don't already have the Amazon EKS [.noloc]`Pod` execution role for your c {aws-management-console}:: .. Open the IAM console at https://console.aws.amazon.com/iam/. .. In the left navigation pane, choose *Roles*. -.. On the *Roles* page, choose *Create role*. +.. On the *Roles* page, choose *Create role*. .. On the *Select trusted entity* page, do the following: + -... In the *Trusted entity type* section, choose *{aws} service*. -... From the *Use cases for other {aws} services* dropdown list, choose *EKS*. +... In the *Trusted entity type* section, choose *{aws} service*. +... From the *Use cases for other {aws} services* dropdown list, choose *EKS*. ... Choose *EKS - Fargate [.noloc]`Pod`*. ... Choose *Next*. -.. On the *Add permissions* page, choose *Next*. +.. On the *Add permissions* page, choose *Next*. .. On the *Name, review, and create* page, do the following: + ... For *Role name*, enter a unique name for your role, such as `AmazonEKSFargatePodExecutionRole`. -... Under *Add tags (Optional)*, add metadata to the role by attaching tags as key-value pairs. For more information about using tags in IAM, see link:IAM/latest/UserGuide/id_tags.html[Tagging IAM resources,type="documentation"] in the _IAM User Guide_. +... Under *Add tags (Optional)*, add metadata to the role by attaching tags as key-value pairs. For more information about using tags in IAM, see link:IAM/latest/UserGuide/id_tags.html[Tagging IAM resources,type="documentation"] in the _IAM User Guide_. ... Choose *Create role*. -.. On the *Roles* page, search the list of roles for *AmazonEKSFargatePodExecutionRole*. Choose the role. +.. On the *Roles* page, search the list of roles for *AmazonEKSFargatePodExecutionRole*. Choose the role. .. On the *AmazonEKSFargatePodExecutionRole* page, do the following: + ... Choose *Trust relationships*. diff --git a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc index 18fb26209..564f6c4c3 100644 --- a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc +++ b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc @@ -11,11 +11,11 @@ Learn about {aws} managed policies for Amazon EKS and recent changes to those po An {aws} managed policy is a standalone policy that is created and administered by {aws}. {aws} managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles. -Keep in mind that {aws} managed policies might not grant least-privilege permissions for your specific use cases because they're available for all {aws} customers to use. We recommend that you reduce permissions further by defining link:IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies[customer managed policies,type="documentation"] that are specific to your use cases. +Keep in mind that {aws} managed policies might not grant least-privilege permissions for your specific use cases because they're available for all {aws} customers to use. We recommend that you reduce permissions further by defining link:IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies[customer managed policies,type="documentation"] that are specific to your use cases. You cannot change the permissions defined in {aws} managed policies. If {aws} updates the permissions defined in an {aws} managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. {aws} is most likely to update an {aws} managed policy when a new {aws} service is launched or new API operations become available for existing services. -For more information, see link:IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies[{aws} managed policies,type="documentation"] in the _IAM User Guide_. +For more information, see link:IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies[{aws} managed policies,type="documentation"] in the _IAM User Guide_. [#security-iam-awsmanpol-amazoneks-cni-policy] == {aws} managed policy: AmazonEKS_CNI_Policy @@ -30,7 +30,7 @@ This policy includes the following permissions that allow Amazon EKS to complete * *`ec2:*NetworkInterface` and `ec2:*PrivateIpAddresses`* – Allows the Amazon VPC CNI plugin to perform actions such as provisioning Elastic Network Interfaces and IP addresses for [.noloc]`Pods` to provide networking for applications that run in Amazon EKS. * *`ec2` read actions* – Allows the Amazon VPC CNI plugin to perform actions such as describe instances and subnets to see the amount of free IP addresses in your Amazon VPC subnets. The VPC CNI can use the free IP addresses in each subnet to pick the subnets with the most free IP addresses to use when creating an elastic network interface. -To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKS_CNI_Policy.html#AmazonEKS_CNI_Policy-json[AmazonEKS_CNI_Policy,type="documentation"] in the {aws} Managed Policy Reference Guide. +To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKS_CNI_Policy.html#AmazonEKS_CNI_Policy-json[AmazonEKS_CNI_Policy,type="documentation"] in the {aws} Managed Policy Reference Guide. [#security-iam-awsmanpol-amazoneksclusterpolicy] == {aws} managed policy: AmazonEKSClusterPolicy @@ -46,7 +46,7 @@ This policy includes the following permissions that allow Amazon EKS to complete * *`iam`* – Create a service-linked role. This is required so that the [.noloc]`Kubernetes` control plane can dynamically provision Elastic Load Balancers that are requested by [.noloc]`Kubernetes` services. * *`kms`* – Read a key from {aws} KMS. This is required for the [.noloc]`Kubernetes` control plane to support https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/[secrets encryption] of [.noloc]`Kubernetes` secrets stored in `etcd`. -To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSClusterPolicy.html#AmazonEKSClusterPolicy-json[AmazonEKSClusterPolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. +To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSClusterPolicy.html#AmazonEKSClusterPolicy-json[AmazonEKSClusterPolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. [#security-iam-awsmanpol-amazoneksfargatepodexecutionrolepolicy] == {aws} managed policy: AmazonEKSFargatePodExecutionRolePolicy @@ -62,7 +62,7 @@ This policy includes the following permissions that allow Amazon EKS to complete * *`ecr`* – Allows Pods that are running on Fargate to pull container images that are stored in Amazon ECR. -To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSFargatePodExecutionRolePolicy.html#AmazonEKSFargatePodExecutionRolePolicy-json[AmazonEKSFargatePodExecutionRolePolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. +To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSFargatePodExecutionRolePolicy.html#AmazonEKSFargatePodExecutionRolePolicy-json[AmazonEKSFargatePodExecutionRolePolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. [#security-iam-awsmanpol-amazoneksforfargateservicerolepolicy] == {aws} managed policy: AmazonEKSForFargateServiceRolePolicy @@ -78,7 +78,7 @@ This policy includes the following permissions that allow Amazon EKS to complete * *`ec2`* – Create and delete Elastic Network Interfaces and describe Elastic Network Interfaces and resources. This is required so that the Amazon EKS Fargate service can configure the VPC networking that's required for Fargate Pods. -To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSForFargateServiceRolePolicy.html#AmazonEKSForFargateServiceRolePolicy-json[AmazonEKSForFargateServiceRolePolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. +To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSForFargateServiceRolePolicy.html#AmazonEKSForFargateServiceRolePolicy-json[AmazonEKSForFargateServiceRolePolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. [#security-iam-awsmanpol-AmazonEKSComputePolicy] == {aws} managed policy: AmazonEKSComputePolicy @@ -102,7 +102,7 @@ This policy includes the following permissions that allow Amazon EKS to complete - `iam:AddRoleToInstanceProfile` - Allows adding an IAM role to the EKS compute instance profile. - `iam:PassRole` - Allows passing the necessary IAM roles to the EC2 service. -To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSComputePolicy.html#AmazonEKSComputePolicy-json[AmazonEKSComputePolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. +To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSComputePolicy.html#AmazonEKSComputePolicy-json[AmazonEKSComputePolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. [#security-iam-awsmanpol-AmazonEKSNetworkingPolicy] == {aws} managed policy: AmazonEKSNetworkingPolicy @@ -128,7 +128,7 @@ This policy grants the following permissions to allow Amazon EKS to manage netwo -To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSNetworkingPolicy.html#AmazonEKSNetworkingPolicy-json[AmazonEKSNetworkingPolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. +To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSNetworkingPolicy.html#AmazonEKSNetworkingPolicy-json[AmazonEKSNetworkingPolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. @@ -157,7 +157,7 @@ This IAM policy grants the following permissions to allow Amazon EKS to manage E -To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSBlockStoragePolicy.html#AmazonEKSBlockStoragePolicy-json[AmazonEKSBlockStoragePolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. +To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSBlockStoragePolicy.html#AmazonEKSBlockStoragePolicy-json[AmazonEKSBlockStoragePolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. [#security-iam-awsmanpol-AmazonEKSLoadBalancingPolicy] @@ -186,7 +186,7 @@ The key permissions granted by this policy are: The policy also includes several condition checks to ensure that the permissions are scoped to the specific EKS cluster being managed, using the `eks:eks-cluster-name` tag. -To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSLoadBalancingPolicy.html#AmazonEKSLoadBalancingPolicy-json[AmazonEKSLoadBalancingPolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. +To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSLoadBalancingPolicy.html#AmazonEKSLoadBalancingPolicy-json[AmazonEKSLoadBalancingPolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. [#security-iam-awsmanpol-amazoneksservicepolicy] == {aws} managed policy: AmazonEKSServicePolicy @@ -204,9 +204,9 @@ This policy includes the following permissions that allow Amazon EKS to complete * *`ec2`* – Work with Elastic Network Interfaces and other network resources and tags. This is required by Amazon EKS to configure networking that facilitates communication between nodes and the [.noloc]`Kubernetes` control plane. Read information about security groups. Update tags on security groups. * *`route53`* – Associate a VPC with a hosted zone. This is required by Amazon EKS to enable private endpoint networking for your [.noloc]`Kubernetes` cluster API server. * *`logs`* – Log events. This is required so that Amazon EKS can ship [.noloc]`Kubernetes` control plane logs to CloudWatch. -* *`iam`* – Create a service-linked role. This is required so that Amazon EKS can create the <> service-linked role on your behalf. +* *`iam`* – Create a service-linked role. This is required so that Amazon EKS can create the <> service-linked role on your behalf. -To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSServicePolicy.html#AmazonEKSServicePolicy-json[AmazonEKSServicePolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. +To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSServicePolicy.html#AmazonEKSServicePolicy-json[AmazonEKSServicePolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. [#security-iam-awsmanpol-amazoneksservicerolepolicy] == {aws} managed policy: AmazonEKSServiceRolePolicy @@ -232,7 +232,7 @@ This policy includes the following permissions that allow Amazon EKS to complete * *`pricing`* & *`shield`* - Access {aws} pricing information and Shield protection status, enabling cost management and advanced security features for EKS resources. * **Resource cleanup** - Safely delete EKS-tagged resources including volumes, snapshots, launch templates, and network interfaces during cluster cleanup operations. -To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSServiceRolePolicy.html#AmazonEKSServiceRolePolicy-json[AmazonEKSServiceRolePolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. +To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSServiceRolePolicy.html#AmazonEKSServiceRolePolicy-json[AmazonEKSServiceRolePolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. [#security-iam-awsmanpol-amazoneksvpcresourcecontroller] == {aws} managed policy: AmazonEKSVPCResourceController @@ -248,7 +248,7 @@ This policy includes the following permissions that allow Amazon EKS to complete * *`ec2`* – Manage Elastic Network Interfaces and IP addresses to support [.noloc]`Pod` security groups and [.noloc]`Windows` nodes. -To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSVPCResourceController.html#AmazonEKSVPCResourceController-json[AmazonEKSVPCResourceController,type="documentation"] in the {aws} Managed Policy Reference Guide. +To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSVPCResourceController.html#AmazonEKSVPCResourceController-json[AmazonEKSVPCResourceController,type="documentation"] in the {aws} Managed Policy Reference Guide. [#security-iam-awsmanpol-amazoneksworkernodepolicy] == {aws} managed policy: AmazonEKSWorkerNodePolicy @@ -266,7 +266,7 @@ This policy includes the following permissions that allow Amazon EKS to complete * *`eks`* – Optionally describe the cluster as part of node bootstrapping. * *`eks-auth:AssumeRoleForPodIdentity`* – Allow retrieving credentials for EKS workloads on the node. This is required for EKS Pod Identity to function properly. -To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSWorkerNodePolicy.html#AmazonEKSWorkerNodePolicy-json[AmazonEKSWorkerNodePolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. +To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSWorkerNodePolicy.html#AmazonEKSWorkerNodePolicy-json[AmazonEKSWorkerNodePolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. [#security-iam-awsmanpol-AmazonEKSWorkerNodeMinimalPolicy] @@ -301,7 +301,7 @@ This policy includes the following permissions that allow Amazon EKS to complete * *`iam`* – Create a service-linked role and pass a role. This is required by Amazon EKS managed node groups to manage instance profiles for the role being passed when creating a managed node group. This instance profile is used by Amazon EC2 instances launched as part of a managed node group. Amazon EKS needs to create service-linked roles for other services such as Amazon EC2 Auto Scaling groups. These permissions are used in the creation of a managed node group. * *`autoscaling`* – Work with security Auto Scaling groups. This is required by Amazon EKS managed node groups to manage the Amazon EC2 Auto Scaling group that backs each managed node group. It's also used to support functionality such as evicting [.noloc]`Pods` when nodes are terminated or recycled during node group updates. -To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AWSServiceRoleForAmazonEKSNodegroup.html#AWSServiceRoleForAmazonEKSNodegroup-json[AWSServiceRoleForAmazonEKSNodegroup,type="documentation"] in the {aws} Managed Policy Reference Guide. +To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AWSServiceRoleForAmazonEKSNodegroup.html#AWSServiceRoleForAmazonEKSNodegroup-json[AWSServiceRoleForAmazonEKSNodegroup,type="documentation"] in the {aws} Managed Policy Reference Guide. [#security-iam-awsmanpol-amazonebscsidriverservicerolepolicy] == {aws} managed policy: AmazonEBSCSIDriverPolicy @@ -309,7 +309,7 @@ To view the latest version of the JSON policy document, see link:aws-managed-p The `AmazonEBSCSIDriverPolicy` policy allows the Amazon EBS Container Storage Interface (CSI) driver to create, modify, attach, detach, and delete volumes on your behalf. This includes modifying tags on existing volumes and enabling Fast Snapshot Restore (FSR) on EBS volumes. It also grants the EBS CSI driver permissions to create, restore, and delete snapshots, and to list your instances, volumes, and snapshots. -To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEBSCSIDriverPolicy.html#AmazonEBSCSIDriverPolicy-json[AmazonEBSCSIDriverServiceRolePolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. +To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEBSCSIDriverPolicy.html#AmazonEBSCSIDriverPolicy-json[AmazonEBSCSIDriverServiceRolePolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. [#security-iam-awsmanpol-amazonefscsidriverservicerolepolicy] == {aws} managed policy: AmazonEFSCSIDriverPolicy @@ -317,13 +317,13 @@ To view the latest version of the JSON policy document, see link:aws-managed-po The `AmazonEFSCSIDriverPolicy` policy allows the Amazon EFS Container Storage Interface (CSI) to create and delete access points on your behalf. It also grants the Amazon EFS CSI driver permissions to list your access points file systems, mount targets, and Amazon EC2 availability zones. -To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEFSCSIDriverPolicy.html#AmazonEFSCSIDriverPolicy-json[AmazonEFSCSIDriverServiceRolePolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. +To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEFSCSIDriverPolicy.html#AmazonEFSCSIDriverPolicy-json[AmazonEFSCSIDriverServiceRolePolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. [#security-iam-awsmanpol-amazonekslocaloutpostclusterpolicy] == {aws} managed policy: AmazonEKSLocalOutpostClusterPolicy :info_titleabbrev: AmazonEKSLocalOutpostClusterPolicy -You can attach this policy to IAM entities. Before creating a local cluster, you must attach this policy to your <>. [.noloc]`Kubernetes` clusters that are managed by Amazon EKS make calls to other {aws} services on your behalf. They do this to manage the resources that you use with the service. +You can attach this policy to IAM entities. Before creating a local cluster, you must attach this policy to your <>. [.noloc]`Kubernetes` clusters that are managed by Amazon EKS make calls to other {aws} services on your behalf. They do this to manage the resources that you use with the service. The `AmazonEKSLocalOutpostClusterPolicy` includes the following permissions: @@ -333,7 +333,7 @@ The `AmazonEKSLocalOutpostClusterPolicy` includes the following permissions: * *`secretsmanager`* – Allows instances to get and delete bootstrap data for the control plane instances securely from {aws} Secrets Manager. * *`ecr`* – Allows [.noloc]`Pods` and containers that are running on the control plane instances to pull container images that are stored in Amazon Elastic Container Registry. -To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSLocalOutpostClusterPolicy.html#AmazonEKSLocalOutpostClusterPolicy-json[AmazonEKSLocalOutpostClusterPolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. +To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSLocalOutpostClusterPolicy.html#AmazonEKSLocalOutpostClusterPolicy-json[AmazonEKSLocalOutpostClusterPolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. [#security-iam-awsmanpol-amazonekslocaloutpostservicerolepolicy] == {aws} managed policy: AmazonEKSLocalOutpostServiceRolePolicy @@ -349,7 +349,7 @@ The `AmazonEKSLocalOutpostServiceRolePolicy` includes the following permissions: * *`secretsmanager`* - Allows Amazon EKS to put bootstrap data for the control plane instances into {aws} Secrets Manager so it can be securely referenced during instance bootstrapping. * *`outposts`* – Allows Amazon EKS to get Outpost information from your account to successfully launch a local cluster in an Outpost. -To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSLocalOutpostServiceRolePolicy.html#AmazonEKSLocalOutpostServiceRolePolicy-json[AmazonEKSLocalOutpostServiceRolePolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. +To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSLocalOutpostServiceRolePolicy.html#AmazonEKSLocalOutpostServiceRolePolicy-json[AmazonEKSLocalOutpostServiceRolePolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. [#security-iam-awsmanpol-updates] == Amazon EKS updates to {aws} managed policies diff --git a/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc b/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc index 7255266f6..ffe4da63f 100644 --- a/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc +++ b/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc @@ -7,9 +7,9 @@ include::../../attributes.txt[] By default, IAM users and roles don't have permission to create or modify Amazon EKS resources. They also can't perform tasks using the {aws-management-console}, {aws} CLI, or {aws} API. An IAM administrator must create IAM policies that grant users and roles permission to perform specific API operations on the specified resources they need. The administrator must then attach those policies to the IAM users or groups that require those permissions. -To learn how to create an IAM identity-based policy using these example JSON policy documents, see link:IAM/latest/UserGuide/access_policies_create.html#access_policies_create-json-editor[Creating policies on the JSON tab,type="documentation"] in the _IAM User Guide_. +To learn how to create an IAM identity-based policy using these example JSON policy documents, see link:IAM/latest/UserGuide/access_policies_create.html#access_policies_create-json-editor[Creating policies on the JSON tab,type="documentation"] in the _IAM User Guide_. -When you create an Amazon EKS cluster, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that creates the cluster is automatically granted `system:masters` permissions in the cluster's role-based access control (RBAC) configuration in the Amazon EKS control plane. This principal doesn't appear in any visible configuration, so make sure to keep track of which principal originally created the cluster. To grant additional IAM principals the ability to interact with your cluster, edit the `aws-auth ConfigMap` within [.noloc]`Kubernetes` and create a [.noloc]`Kubernetes` `rolebinding` or `clusterrolebinding` with the name of a `group` that you specify in the `aws-auth ConfigMap`. +When you create an Amazon EKS cluster, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that creates the cluster is automatically granted `system:masters` permissions in the cluster's role-based access control (RBAC) configuration in the Amazon EKS control plane. This principal doesn't appear in any visible configuration, so make sure to keep track of which principal originally created the cluster. To grant additional IAM principals the ability to interact with your cluster, edit the `aws-auth ConfigMap` within [.noloc]`Kubernetes` and create a [.noloc]`Kubernetes` `rolebinding` or `clusterrolebinding` with the name of a `group` that you specify in the `aws-auth ConfigMap`. For more information about working with the ConfigMap, see <>. @@ -23,25 +23,25 @@ Identity-based policies determine whether someone can create, access, or delete -* *Get started with {aws} managed policies and move toward least-privilege permissions* – To get started granting permissions to your users and workloads, use the _{aws} managed policies_ that grant permissions for many common use cases. They are available in your {aws} account. We recommend that you reduce permissions further by defining {aws} customer managed policies that are specific to your use cases. For more information, see link:IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies[{aws} managed policies,type="documentation"] or link:IAM/latest/UserGuide/access_policies_job-functions.html[{aws} managed policies for job functions,type="documentation"] in the _IAM User Guide_. -* *Apply least-privilege permissions* – When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as _least-privilege permissions_. For more information about using IAM to apply permissions, see link:IAM/latest/UserGuide/access_policies.html[Policies and permissions in IAM,type="documentation"] in the _IAM User Guide_. -* *Use conditions in IAM policies to further restrict access* – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific {aws} service, such as {aws} CloudFormation. For more information, see link:IAM/latest/UserGuide/reference_policies_elements_condition.html[IAM JSON policy elements: Condition,type="documentation"] in the _IAM User Guide_. +* *Get started with {aws} managed policies and move toward least-privilege permissions* – To get started granting permissions to your users and workloads, use the _{aws} managed policies_ that grant permissions for many common use cases. They are available in your {aws} account. We recommend that you reduce permissions further by defining {aws} customer managed policies that are specific to your use cases. For more information, see link:IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies[{aws} managed policies,type="documentation"] or link:IAM/latest/UserGuide/access_policies_job-functions.html[{aws} managed policies for job functions,type="documentation"] in the _IAM User Guide_. +* *Apply least-privilege permissions* – When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as _least-privilege permissions_. For more information about using IAM to apply permissions, see link:IAM/latest/UserGuide/access_policies.html[Policies and permissions in IAM,type="documentation"] in the _IAM User Guide_. +* *Use conditions in IAM policies to further restrict access* – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific {aws} service, such as {aws} CloudFormation. For more information, see link:IAM/latest/UserGuide/reference_policies_elements_condition.html[IAM JSON policy elements: Condition,type="documentation"] in the _IAM User Guide_. * *Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions* – IAM Access Analyzer validates new and existing policies so that the policies adhere to the IAM policy language (JSON) and IAM best practices. IAM Access Analyzer provides more than 100 policy checks and actionable recommendations to help you author secure and functional policies. For more information, see link:IAM/latest/UserGuide/access-analyzer-policy-validation.html[IAM Access Analyzer policy validation,type="documentation"] in the _IAM User Guide_. -* *Require multi-factor authentication (MFA)* – If you have a scenario that requires IAM users or a root user in your {aws} account, turn on MFA for additional security. To require MFA when API operations are called, add MFA conditions to your policies. For more information, see link:IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html[Configuring MFA-protected API access,type="documentation"] in the _IAM User Guide_. +* *Require multi-factor authentication (MFA)* – If you have a scenario that requires IAM users or a root user in your {aws} account, turn on MFA for additional security. To require MFA when API operations are called, add MFA conditions to your policies. For more information, see link:IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html[Configuring MFA-protected API access,type="documentation"] in the _IAM User Guide_. For more information about best practices in IAM, see link:IAM/latest/UserGuide/best-practices.html[Security best practices in IAM,type="documentation"] in the _IAM User Guide_. [#security-iam-id-based-policy-examples-console] == Using the Amazon EKS console -To access the Amazon EKS console, an link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"], must have a minimum set of permissions. These permissions allow the principal to list and view details about the Amazon EKS resources in your {aws} account. If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for principals with that policy attached to them. +To access the Amazon EKS console, an link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"], must have a minimum set of permissions. These permissions allow the principal to list and view details about the Amazon EKS resources in your {aws} account. If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for principals with that policy attached to them. -To ensure that your IAM principals can still use the Amazon EKS console, create a policy with your own unique name, such as `AmazonEKSAdminPolicy`. Attach the policy to the principals. For more information, see link:IAM/latest/UserGuide/access_policies_manage-attach-detach.html[Adding and removing IAM identity permissions,type="documentation"] in the _IAM User Guide_. +To ensure that your IAM principals can still use the Amazon EKS console, create a policy with your own unique name, such as `AmazonEKSAdminPolicy`. Attach the policy to the principals. For more information, see link:IAM/latest/UserGuide/access_policies_manage-attach-detach.html[Adding and removing IAM identity permissions,type="documentation"] in the _IAM User Guide_. [IMPORTANT] ==== -The following example policy allows a principal to view information on the *Configuration* tab in the console. To view information on the *Overview* and *Resources* tabs in the {aws-management-console}, the principal also needs [.noloc]`Kubernetes` permissions. For more information, see <>. +The following example policy allows a principal to view information on the *Configuration* tab in the console. To view information on the *Overview* and *Resources* tabs in the {aws-management-console}, the principal also needs [.noloc]`Kubernetes` permissions. For more information, see <>. ==== @@ -227,7 +227,7 @@ This example policy includes the minimum permission required to update a cluster [#policy-example2] == List or describe all clusters -This example policy includes the minimum permissions required to list and describe all clusters in your account. An link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] must be able to list and describe clusters to use the `update-kubeconfig` {aws} CLI command. +This example policy includes the minimum permissions required to list and describe all clusters in your account. An link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] must be able to list and describe clusters to use the `update-kubeconfig` {aws} CLI command. [source,json,subs="verbatim,attributes"] ---- diff --git a/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc b/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc index 95bf478dd..9748a52a3 100644 --- a/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc +++ b/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc @@ -5,7 +5,7 @@ include::../../attributes.txt[] -Before you use IAM to manage access to Amazon EKS, you should understand what IAM features are available to use with Amazon EKS. To get a high-level view of how Amazon EKS and other {aws} services work with IAM, see link:IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html[{aws} services that work with IAM,type="documentation"] in the _IAM User Guide_. +Before you use IAM to manage access to Amazon EKS, you should understand what IAM features are available to use with Amazon EKS. To get a high-level view of how Amazon EKS and other {aws} services work with IAM, see link:IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html[{aws} services that work with IAM,type="documentation"] in the _IAM User Guide_. [.topiclist] [[Topic List]] @@ -13,12 +13,12 @@ Before you use IAM to manage access to Amazon EKS, you should understand what IA [#security-iam-service-with-iam-id-based-policies] == Amazon EKS identity-based policies -With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. Amazon EKS supports specific actions, resources, and condition keys. To learn about all of the elements that you use in a JSON policy, see link:IAM/latest/UserGuide/reference_policies_elements.html[IAM JSON policy elements reference,type="documentation"] in the _IAM User Guide_. +With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. Amazon EKS supports specific actions, resources, and condition keys. To learn about all of the elements that you use in a JSON policy, see link:IAM/latest/UserGuide/reference_policies_elements.html[IAM JSON policy elements reference,type="documentation"] in the _IAM User Guide_. [#security-iam-service-with-iam-id-based-policies-actions] === Actions -Administrators can use {aws} JSON policies to specify who has access to what. That is, which *principal* can perform *actions* on what *resources*, and under what *conditions*. +Administrators can use {aws} JSON policies to specify who has access to what. That is, which *principal* can perform *actions* on what *resources*, and under what *conditions*. The `Action` element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Policy actions usually have the same name as the associated {aws} API operation. There are some exceptions, such as _permission-only actions_ that don't have a matching API operation. There are also some operations that require multiple actions in a policy. These additional actions are called _dependent actions_. @@ -41,12 +41,12 @@ You can specify multiple actions using wildcards (*). For example, to specify al ---- -To see a list of Amazon EKS actions, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the _Service Authorization Reference_. +To see a list of Amazon EKS actions, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the _Service Authorization Reference_. [#security-iam-service-with-iam-id-based-policies-resources] === Resources -Administrators can use {aws} JSON policies to specify who has access to what. That is, which *principal* can perform *actions* on what *resources*, and under what *conditions*. +Administrators can use {aws} JSON policies to specify who has access to what. That is, which *principal* can perform *actions* on what *resources*, and under what *conditions*. The `Resource` JSON policy element specifies the object or objects to which the action applies. Statements must include either a `Resource` or a `NotResource` element. As a best practice, specify a resource using its link:IAM/latest/UserGuide/reference-arns.html[Amazon Resource Name (ARN),type="documentation"]. You can do this for actions that support a specific resource type, known as _resource-level permissions_. @@ -87,18 +87,18 @@ Some Amazon EKS actions, such as those for creating resources, can't be performe "Resource": "*" ---- -To see a list of Amazon EKS resource types and their ARNs, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-resources-for-iam-policies[Resources defined by Amazon Elastic Kubernetes Service,type="documentation"] in the _Service Authorization Reference_. To learn with which actions you can specify the ARN of each resource, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"]. +To see a list of Amazon EKS resource types and their ARNs, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-resources-for-iam-policies[Resources defined by Amazon Elastic Kubernetes Service,type="documentation"] in the _Service Authorization Reference_. To learn with which actions you can specify the ARN of each resource, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"]. [#security-iam-service-with-iam-id-based-policies-conditionkeys] === Condition keys -Amazon EKS defines its own set of condition keys and also supports using some global condition keys. To see all {aws} global condition keys, see link:IAM/latest/UserGuide/reference_policies_condition-keys.html[{aws} Global Condition Context Keys,type="documentation"] in the _IAM User Guide_. +Amazon EKS defines its own set of condition keys and also supports using some global condition keys. To see all {aws} global condition keys, see link:IAM/latest/UserGuide/reference_policies_condition-keys.html[{aws} Global Condition Context Keys,type="documentation"] in the _IAM User Guide_. You can set condition keys when associating an [.noloc]`OpenID Connect` provider to your cluster. For more information, see <>. -All Amazon EC2 actions support the `aws:RequestedRegion` and `ec2:Region` condition keys. For more information, see link:AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html#iam-example-region[Example: Restricting Access to a Specific {aws} Region,type="documentation"]. +All Amazon EC2 actions support the `aws:RequestedRegion` and `ec2:Region` condition keys. For more information, see link:AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html#iam-example-region[Example: Restricting Access to a Specific {aws} Region,type="documentation"]. -For a list of Amazon EKS condition keys, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-policy-keys[Conditions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the _Service Authorization Reference_. To learn which actions and resources you can use a condition key with, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"]. +For a list of Amazon EKS condition keys, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-policy-keys[Conditions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the _Service Authorization Reference_. To learn which actions and resources you can use a condition key with, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"]. [#security-iam-service-with-iam-id-based-policies-examples] === Examples @@ -106,7 +106,7 @@ For a list of Amazon EKS condition keys, see link:service-authorization/latest/ To view examples of Amazon EKS identity-based policies, see <>. -When you create an Amazon EKS cluster, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that creates the cluster is automatically granted `system:masters` permissions in the cluster's role-based access control (RBAC) configuration in the Amazon EKS control plane. This principal doesn't appear in any visible configuration, so make sure to keep track of which principal originally created the cluster. To grant additional IAM principals the ability to interact with your cluster, edit the `aws-auth ConfigMap` within [.noloc]`Kubernetes` and create a [.noloc]`Kubernetes` `rolebinding` or `clusterrolebinding` with the name of a `group` that you specify in the `aws-auth ConfigMap`. +When you create an Amazon EKS cluster, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that creates the cluster is automatically granted `system:masters` permissions in the cluster's role-based access control (RBAC) configuration in the Amazon EKS control plane. This principal doesn't appear in any visible configuration, so make sure to keep track of which principal originally created the cluster. To grant additional IAM principals the ability to interact with your cluster, edit the `aws-auth ConfigMap` within [.noloc]`Kubernetes` and create a [.noloc]`Kubernetes` `rolebinding` or `clusterrolebinding` with the name of a `group` that you specify in the `aws-auth ConfigMap`. For more information about working with the ConfigMap, see <>. @@ -118,17 +118,17 @@ Amazon EKS does not support resource-based policies. [#security-iam-service-with-iam-tags] == Authorization based on Amazon EKS tags -You can attach tags to Amazon EKS resources or pass tags in a request to Amazon EKS. To control access based on tags, you provide tag information in the link:IAM/latest/UserGuide/reference_policies_elements_condition.html[condition element,type="documentation"] of a policy using the `aws:ResourceTag/[.replaceable]``key-name```, `aws:RequestTag/[.replaceable]``key-name```, or `aws:TagKeys` condition keys. For more information about tagging Amazon EKS resources, see <>. For more information about which actions that you can use tags in condition keys with, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon EKS,type="documentation"] in the link:service-authorization/latest/reference/reference.html[Service Authorization Reference,type="documentation"]. +You can attach tags to Amazon EKS resources or pass tags in a request to Amazon EKS. To control access based on tags, you provide tag information in the link:IAM/latest/UserGuide/reference_policies_elements_condition.html[condition element,type="documentation"] of a policy using the `aws:ResourceTag/[.replaceable]``key-name```, `aws:RequestTag/[.replaceable]``key-name```, or `aws:TagKeys` condition keys. For more information about tagging Amazon EKS resources, see <>. For more information about which actions that you can use tags in condition keys with, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon EKS,type="documentation"] in the link:service-authorization/latest/reference/reference.html[Service Authorization Reference,type="documentation"]. [#security-iam-service-with-iam-roles] == Amazon EKS IAM roles -An link:IAM/latest/UserGuide/id_roles.html[IAM role,type="documentation"] is an entity within your {aws} account that has specific permissions. +An link:IAM/latest/UserGuide/id_roles.html[IAM role,type="documentation"] is an entity within your {aws} account that has specific permissions. [#security-iam-service-with-iam-roles-tempcreds] === Using temporary credentials with Amazon EKS -You can use temporary credentials to sign in with federation, assume an IAM role, or to assume a cross-account role. You obtain temporary security credentials by calling {aws} STS API operations such as link:STS/latest/APIReference/API_AssumeRole.html[AssumeRole,type="documentation"] or link:STS/latest/APIReference/API_GetFederationToken.html[GetFederationToken,type="documentation"]. +You can use temporary credentials to sign in with federation, assume an IAM role, or to assume a cross-account role. You obtain temporary security credentials by calling {aws} STS API operations such as link:STS/latest/APIReference/API_AssumeRole.html[AssumeRole,type="documentation"] or link:STS/latest/APIReference/API_GetFederationToken.html[GetFederationToken,type="documentation"]. Amazon EKS supports using temporary credentials. @@ -142,7 +142,7 @@ Amazon EKS supports service-linked roles. For details about creating or managing [#security-iam-service-with-iam-roles-service] === Service roles -This feature allows a service to assume a link:IAM/latest/UserGuide/id_roles.html#iam-term-service-role[service role,type="documentation"] on your behalf. This role allows the service to access resources in other services to complete an action on your behalf. Service roles appear in your IAM account and are owned by the account. This means that an IAM administrator can change the permissions for this role. However, doing so might break the functionality of the service. +This feature allows a service to assume a link:IAM/latest/UserGuide/id_roles.html#iam-term-service-role[service role,type="documentation"] on your behalf. This role allows the service to access resources in other services to complete an action on your behalf. Service roles appear in your IAM account and are owned by the account. This means that an IAM administrator can change the permissions for this role. However, doing so might break the functionality of the service. Amazon EKS supports service roles. For more information, see <> and <>. diff --git a/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc b/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc index 97003d036..469106ae6 100644 --- a/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc +++ b/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc @@ -10,7 +10,7 @@ This topic covers some common errors that you may see while using Amazon EKS wit [#iam-error] == AccessDeniedException -If you receive an `AccessDeniedException` when calling an {aws} API operation, then the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] credentials that you're using don't have the required permissions to make that call. +If you receive an `AccessDeniedException` when calling an {aws} API operation, then the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] credentials that you're using don't have the required permissions to make that call. [source,bash,subs="verbatim,attributes"] ---- @@ -21,13 +21,13 @@ eks:DescribeCluster on resource: {arn-aws}eks:region:111122223333:cluster/my-clu In the previous example message, the user does not have permissions to call the Amazon EKS `DescribeCluster` API operation. To provide Amazon EKS admin permissions to an IAM principal, see <>. -For more general information about IAM, see link:IAM/latest/UserGuide/access_controlling.html[Controlling access using policies,type="documentation"] in the _IAM User Guide_. +For more general information about IAM, see link:IAM/latest/UserGuide/access_controlling.html[Controlling access using policies,type="documentation"] in the _IAM User Guide_. [#security-iam-troubleshoot-cannot-view-nodes-or-workloads] -== Can't see *Nodes* on the *Compute* tab or anything on the *Resources* tab and you receive an error in the {aws-management-console} +== Can't see *Nodes* on the *Compute* tab or anything on the *Resources* tab and you receive an error in the {aws-management-console} :info_titleabbrev: Can't see anything on Nodes or Compute tabs in console -You may see a console error message that says `Your current user or role does not have access to Kubernetes objects on this EKS cluster`. Make sure that the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] user that you're using the {aws-management-console} with has the necessary permissions. For more information, see <>. +You may see a console error message that says `Your current user or role does not have access to Kubernetes objects on this EKS cluster`. Make sure that the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] user that you're using the {aws-management-console} with has the necessary permissions. For more information, see <>. [#security-iam-troubleshoot-configmap] == aws-auth `ConfigMap` does not grant access to the cluster @@ -61,10 +61,10 @@ You can create a role that users in other accounts or people outside of your org To learn more, consult the following: * To learn whether Amazon EKS supports these features, see <>. -* To learn how to provide access to your resources across {aws} accounts that you own, see link:IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html[Providing access to an IAM user in another {aws} account that you own,type="documentation"] in the _IAM User Guide_. -* To learn how to provide access to your resources to third-party {aws} accounts, see link:IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html[Providing access to {aws} accounts owned by third parties,type="documentation"] in the _IAM User Guide_. -* To learn how to provide access through identity federation, see link:IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html[Providing access to externally authenticated users (identity federation),type="documentation"] in the _IAM User Guide_. -* To learn the difference between using roles and resource-based policies for cross-account access, see link:IAM/latest/UserGuide/access_policies-cross-account-resource-access.html[Cross account resource access in IAM,type="documentation"] in the _IAM User Guide_. +* To learn how to provide access to your resources across {aws} accounts that you own, see link:IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html[Providing access to an IAM user in another {aws} account that you own,type="documentation"] in the _IAM User Guide_. +* To learn how to provide access to your resources to third-party {aws} accounts, see link:IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html[Providing access to {aws} accounts owned by third parties,type="documentation"] in the _IAM User Guide_. +* To learn how to provide access through identity federation, see link:IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html[Providing access to externally authenticated users (identity federation),type="documentation"] in the _IAM User Guide_. +* To learn the difference between using roles and resource-based policies for cross-account access, see link:IAM/latest/UserGuide/access_policies-cross-account-resource-access.html[Cross account resource access in IAM,type="documentation"] in the _IAM User Guide_. [#security-iam-troubleshoot-wrong-sts-endpoint] == Pod containers receive the following error: `An error occurred (SignatureDoesNotMatch) when calling the GetCallerIdentity operation: Credential should be scoped to a valid region` @@ -73,7 +73,7 @@ To learn more, consult the following: Your containers receive this error if your application is explicitly making requests to the {aws} STS global endpoint (`https://sts.amazonaws`) and your [.noloc]`Kubernetes` service account is configured to use a regional endpoint. You can resolve the issue with one of the following options: * Update your application code to remove explicit calls to the {aws} STS global endpoint. -* Update your application code to make explicit calls to regional endpoints such as `https://sts.us-west-2.amazonaws.com`. Your application should have redundancy built in to pick a different {aws} Region in the event of a failure of the service in the {aws} Region. For more information, see link:IAM/latest/UserGuide/id_credentials_temp_enable-regions.html[Managing {aws} STS in an {aws} Region,type="documentation"] in the IAM User Guide. +* Update your application code to make explicit calls to regional endpoints such as `https://sts.us-west-2.amazonaws.com`. Your application should have redundancy built in to pick a different {aws} Region in the event of a failure of the service in the {aws} Region. For more information, see link:IAM/latest/UserGuide/id_credentials_temp_enable-regions.html[Managing {aws} STS in an {aws} Region,type="documentation"] in the IAM User Guide. * Configure your service accounts to use the global endpoint. All versions earlier than `1.22` used the global endpoint by default, but version `1.22` and later clusters use the regional endpoint by default. For more information, see <>. diff --git a/latest/ug/security/iam-reference/security-iam.adoc b/latest/ug/security/iam-reference/security-iam.adoc index bc2cc89a5..768b8ff67 100644 --- a/latest/ug/security/iam-reference/security-iam.adoc +++ b/latest/ug/security/iam-reference/security-iam.adoc @@ -32,7 +32,7 @@ include::auto-create-node-role.adoc[leveloffset=+1] How to authenticate requests and manage access your Amazon EKS resources. -- -{aws} Identity and Access Management (IAM) is an {aws} service that helps an administrator securely control access to {aws} resources. IAM administrators control who can be _authenticated_ (signed in) and _authorized_ (have permissions) to use Amazon EKS resources. IAM is an {aws} service that you can use with no additional charge. +{aws} Identity and Access Management (IAM) is an {aws} service that helps an administrator securely control access to {aws} resources. IAM administrators control who can be _authenticated_ (signed in) and _authorized_ (have permissions) to use Amazon EKS resources. IAM is an {aws} service that you can use with no additional charge. [#security-iam-audience] == Audience @@ -48,55 +48,55 @@ How you use {aws} Identity and Access Management (IAM) differs, depending on the [#security-iam-authentication] == Authenticating with identities -Authentication is how you sign in to {aws} using your identity credentials. You must be _authenticated_ (signed in to {aws}) as the {aws} account root user, as an IAM user, or by assuming an IAM role. +Authentication is how you sign in to {aws} using your identity credentials. You must be _authenticated_ (signed in to {aws}) as the {aws} account root user, as an IAM user, or by assuming an IAM role. You can sign in to {aws} as a federated identity by using credentials provided through an identity source. {aws} IAM Identity Center (IAM Identity Center) users, your company's single sign-on authentication, and your Google or Facebook credentials are examples of federated identities. When you sign in as a federated identity, your administrator previously set up identity federation using IAM roles. When you access {aws} by using federation, you are indirectly assuming a role. Depending on the type of user you are, you can sign in to the {aws-management-console} or the {aws} access portal. For more information about signing in to {aws}, see link:signin/latest/userguide/how-to-sign-in.html[How to sign in to your {aws} account,type="documentation"] in the _{aws} Sign-In User Guide_. -If you access {aws} programmatically, {aws} provides a software development kit (SDK) and a command line interface (CLI) to cryptographically sign your requests by using your credentials. If you don't use {aws} tools, you must sign requests yourself. For more information about using the recommended method to sign requests yourself, see link:IAM/latest/UserGuide/reference_aws-signing.html[Signing {aws} API requests,type="documentation"] in the _IAM User Guide_. +If you access {aws} programmatically, {aws} provides a software development kit (SDK) and a command line interface (CLI) to cryptographically sign your requests by using your credentials. If you don't use {aws} tools, you must sign requests yourself. For more information about using the recommended method to sign requests yourself, see link:IAM/latest/UserGuide/reference_aws-signing.html[Signing {aws} API requests,type="documentation"] in the _IAM User Guide_. -Regardless of the authentication method that you use, you might be required to provide additional security information. For example, {aws} recommends that you use multi-factor authentication (MFA) to increase the security of your account. To learn more, see link:singlesignon/latest/userguide/enable-mfa.html[Multi-factor authentication,type="documentation"] in the _{aws} IAM Identity Center User Guide_ and link:IAM/latest/UserGuide/id_credentials_mfa.html[Using multi-factor authentication (MFA) in {aws},type="documentation"] in the _IAM User Guide_. +Regardless of the authentication method that you use, you might be required to provide additional security information. For example, {aws} recommends that you use multi-factor authentication (MFA) to increase the security of your account. To learn more, see link:singlesignon/latest/userguide/enable-mfa.html[Multi-factor authentication,type="documentation"] in the _{aws} IAM Identity Center User Guide_ and link:IAM/latest/UserGuide/id_credentials_mfa.html[Using multi-factor authentication (MFA) in {aws},type="documentation"] in the _IAM User Guide_. [#security-iam-authentication-rootuser] === {aws} account root user -When you create an {aws} account, you begin with one sign-in identity that has complete access to all {aws} services and resources in the account. This identity is called the {aws} account _root user_ and is accessed by signing in with the email address and password that you used to create the account. We strongly recommend that you don't use the root user for your everyday tasks. Safeguard your root user credentials and use them to perform the tasks that only the root user can perform. For the complete list of tasks that require you to sign in as the root user, see link:IAM/latest/UserGuide/id_root-user.html#root-user-tasks[Tasks that require root user credentials,type="documentation"] in the _IAM User Guide_. +When you create an {aws} account, you begin with one sign-in identity that has complete access to all {aws} services and resources in the account. This identity is called the {aws} account _root user_ and is accessed by signing in with the email address and password that you used to create the account. We strongly recommend that you don't use the root user for your everyday tasks. Safeguard your root user credentials and use them to perform the tasks that only the root user can perform. For the complete list of tasks that require you to sign in as the root user, see link:IAM/latest/UserGuide/id_root-user.html#root-user-tasks[Tasks that require root user credentials,type="documentation"] in the _IAM User Guide_. [#security-iam-authentication-iamuser] === IAM users and groups -An _ link:IAM/latest/UserGuide/id_users.html[IAM user,type="documentation"]_ is an identity within your {aws} account that has specific permissions for a single person or application. Where possible, we recommend relying on temporary credentials instead of creating IAM users who have long-term credentials such as passwords and access keys. However, if you have specific use cases that require long-term credentials with IAM users, we recommend that you rotate access keys. For more information, see link:IAM/latest/UserGuide/best-practices.html#rotate-credentials[Rotate access keys regularly for use cases that require long-term credentials,type="documentation"] in the _IAM User Guide_. +An link:IAM/latest/UserGuide/id_users.html[_IAM user_,type="documentation"] is an identity within your {aws} account that has specific permissions for a single person or application. Where possible, we recommend relying on temporary credentials instead of creating IAM users who have long-term credentials such as passwords and access keys. However, if you have specific use cases that require long-term credentials with IAM users, we recommend that you rotate access keys. For more information, see link:IAM/latest/UserGuide/best-practices.html#rotate-credentials[Rotate access keys regularly for use cases that require long-term credentials,type="documentation"] in the _IAM User Guide_. -An link:IAM/latest/UserGuide/id_groups.html[IAM group,type="documentation"] is an identity that specifies a collection of IAM users. You can't sign in as a group. You can use groups to specify permissions for multiple users at a time. Groups make permissions easier to manage for large sets of users. For example, you could have a group named _IAMAdmins_ and give that group permissions to administer IAM resources. +An link:IAM/latest/UserGuide/id_groups.html[IAM group,type="documentation"] is an identity that specifies a collection of IAM users. You can't sign in as a group. You can use groups to specify permissions for multiple users at a time. Groups make permissions easier to manage for large sets of users. For example, you could have a group named _IAMAdmins_ and give that group permissions to administer IAM resources. -Users are different from roles. A user is uniquely associated with one person or application, but a role is intended to be assumable by anyone who needs it. Users have permanent long-term credentials, but roles provide temporary credentials. To learn more, see link:IAM/latest/UserGuide/id.html#id_which-to-choose[When to create an IAM user (instead of a role),type="documentation"] in the _IAM User Guide_. +Users are different from roles. A user is uniquely associated with one person or application, but a role is intended to be assumable by anyone who needs it. Users have permanent long-term credentials, but roles provide temporary credentials. To learn more, see link:IAM/latest/UserGuide/id.html#id_which-to-choose[When to create an IAM user (instead of a role),type="documentation"] in the _IAM User Guide_. [#security-iam-authentication-iamrole] === IAM roles -An _ link:IAM/latest/UserGuide/id_roles.html[IAM role,type="documentation"]_ is an identity within your {aws} account that has specific permissions. It is similar to an IAM user, but is not associated with a specific person. You can temporarily assume an IAM role in the {aws-management-console} by link:IAM/latest/UserGuide/id_roles_use_switch-role-console.html[switching roles,type="documentation"]. You can assume a role by calling an {aws} CLI or {aws} API operation or by using a custom URL. For more information about methods for using roles, see link:IAM/latest/UserGuide/id_roles_use.html[Using IAM roles,type="documentation"] in the _IAM User Guide_. +An link:IAM/latest/UserGuide/id_roles.html[_IAM role_,type="documentation"] is an identity within your {aws} account that has specific permissions. It is similar to an IAM user, but is not associated with a specific person. You can temporarily assume an IAM role in the {aws-management-console} by link:IAM/latest/UserGuide/id_roles_use_switch-role-console.html[switching roles,type="documentation"]. You can assume a role by calling an {aws} CLI or {aws} API operation or by using a custom URL. For more information about methods for using roles, see link:IAM/latest/UserGuide/id_roles_use.html[Using IAM roles,type="documentation"] in the _IAM User Guide_. IAM roles with temporary credentials are useful in the following situations: -* *Federated user access* – To assign permissions to a federated identity, you create a role and define permissions for the role. When a federated identity authenticates, the identity is associated with the role and is granted the permissions that are defined by the role. For information about roles for federation, see link:IAM/latest/UserGuide/id_roles_create_for-idp.html[Creating a role for a third-party Identity Provider,type="documentation"] in the _IAM User Guide_. If you use IAM Identity Center, you configure a permission set. To control what your identities can access after they authenticate, IAM Identity Center correlates the permission set to a role in IAM. For information about permissions sets, see link:singlesignon/latest/userguide/permissionsetsconcept.html[Permission sets,type="documentation"] in the _{aws} IAM Identity Center User Guide_. +* *Federated user access* – To assign permissions to a federated identity, you create a role and define permissions for the role. When a federated identity authenticates, the identity is associated with the role and is granted the permissions that are defined by the role. For information about roles for federation, see link:IAM/latest/UserGuide/id_roles_create_for-idp.html[Creating a role for a third-party Identity Provider,type="documentation"] in the _IAM User Guide_. If you use IAM Identity Center, you configure a permission set. To control what your identities can access after they authenticate, IAM Identity Center correlates the permission set to a role in IAM. For information about permissions sets, see link:singlesignon/latest/userguide/permissionsetsconcept.html[Permission sets,type="documentation"] in the _{aws} IAM Identity Center User Guide_. * *Temporary IAM user permissions* – An IAM user or role can assume an IAM role to temporarily take on different permissions for a specific task. -* *Cross-account access* – You can use an IAM role to allow someone (a trusted principal) in a different account to access resources in your account. Roles are the primary way to grant cross-account access. However, with some {aws} services, you can attach a policy directly to a resource (instead of using a role as a proxy). To learn the difference between roles and resource-based policies for cross-account access, see link:IAM/latest/UserGuide/access_policies-cross-account-resource-access.html[Cross account resource access in IAM,type="documentation"] in the _IAM User Guide_. +* *Cross-account access* – You can use an IAM role to allow someone (a trusted principal) in a different account to access resources in your account. Roles are the primary way to grant cross-account access. However, with some {aws} services, you can attach a policy directly to a resource (instead of using a role as a proxy). To learn the difference between roles and resource-based policies for cross-account access, see link:IAM/latest/UserGuide/access_policies-cross-account-resource-access.html[Cross account resource access in IAM,type="documentation"] in the _IAM User Guide_. * *Cross-service access* – Some {aws} services use features in other {aws} services. For example, when you make a call in a service, it's common for that service to run applications in Amazon EC2 or store objects in Amazon S3. A service might do this using the calling principal's permissions, using a service role, or using a service-linked role. + -** *Forward access sessions (FAS)* – When you use an IAM user or role to perform actions in {aws}, you are considered a principal. When you use some services, you might perform an action that then initiates another action in a different service. FAS uses the permissions of the principal calling an {aws} service, combined with the requesting {aws} service to make requests to downstream services. FAS requests are only made when a service receives a request that requires interactions with other {aws} services or resources to complete. In this case, you must have permissions to perform both actions. For policy details when making FAS requests, see link:IAM/latest/UserGuide/access_forward_access_sessions.html[Forward access sessions,type="documentation"]. -** *Service role* – A service role is an link:IAM/latest/UserGuide/id_roles.html[IAM role,type="documentation"] that a service assumes to perform actions on your behalf. An IAM administrator can create, modify, and delete a service role from within IAM. For more information, see link:IAM/latest/UserGuide/id_roles_create_for-service.html[Creating a role to delegate permissions to an {aws} service,type="documentation"] in the _IAM User Guide_. +** *Forward access sessions (FAS)* – When you use an IAM user or role to perform actions in {aws}, you are considered a principal. When you use some services, you might perform an action that then initiates another action in a different service. FAS uses the permissions of the principal calling an {aws} service, combined with the requesting {aws} service to make requests to downstream services. FAS requests are only made when a service receives a request that requires interactions with other {aws} services or resources to complete. In this case, you must have permissions to perform both actions. For policy details when making FAS requests, see link:IAM/latest/UserGuide/access_forward_access_sessions.html[Forward access sessions,type="documentation"]. +** *Service role* – A service role is an link:IAM/latest/UserGuide/id_roles.html[IAM role,type="documentation"] that a service assumes to perform actions on your behalf. An IAM administrator can create, modify, and delete a service role from within IAM. For more information, see link:IAM/latest/UserGuide/id_roles_create_for-service.html[Creating a role to delegate permissions to an {aws} service,type="documentation"] in the _IAM User Guide_. ** *Service-linked role* – A service-linked role is a type of service role that is linked to an {aws} service. The service can assume the role to perform an action on your behalf. Service-linked roles appear in your {aws} account and are owned by the service. An IAM administrator can view, but not edit the permissions for service-linked roles. -* *Applications running on Amazon EC2* – You can use an IAM role to manage temporary credentials for applications that are running on an EC2 instance and making {aws} CLI or {aws} API requests. This is preferable to storing access keys within the EC2 instance. To assign an {aws} role to an EC2 instance and make it available to all of its applications, you create an instance profile that is attached to the instance. An instance profile contains the role and enables programs that are running on the EC2 instance to get temporary credentials. For more information, see link:IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html[Using an IAM role to grant permissions to applications running on Amazon EC2 instances,type="documentation"] in the _IAM User Guide_. +* *Applications running on Amazon EC2* – You can use an IAM role to manage temporary credentials for applications that are running on an EC2 instance and making {aws} CLI or {aws} API requests. This is preferable to storing access keys within the EC2 instance. To assign an {aws} role to an EC2 instance and make it available to all of its applications, you create an instance profile that is attached to the instance. An instance profile contains the role and enables programs that are running on the EC2 instance to get temporary credentials. For more information, see link:IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html[Using an IAM role to grant permissions to applications running on Amazon EC2 instances,type="documentation"] in the _IAM User Guide_. -To learn whether to use IAM roles or IAM users, see link:IAM/latest/UserGuide/id.html#id_which-to-choose_role[When to create an IAM role (instead of a user),type="documentation"] in the _IAM User Guide_. +To learn whether to use IAM roles or IAM users, see link:IAM/latest/UserGuide/id.html#id_which-to-choose_role[When to create an IAM role (instead of a user),type="documentation"] in the _IAM User Guide_. [#security-iam-access-manage] == Managing access using policies -You control access in {aws} by creating policies and attaching them to {aws} identities or resources. A policy is an object in {aws} that, when associated with an identity or resource, defines their permissions. {aws} evaluates these policies when a principal (user, root user, or role session) makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in {aws} as JSON documents. For more information about the structure and contents of JSON policy documents, see link:IAM/latest/UserGuide/access_policies.html#access_policies-json[Overview of JSON policies,type="documentation"] in the _IAM User Guide_. +You control access in {aws} by creating policies and attaching them to {aws} identities or resources. A policy is an object in {aws} that, when associated with an identity or resource, defines their permissions. {aws} evaluates these policies when a principal (user, root user, or role session) makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in {aws} as JSON documents. For more information about the structure and contents of JSON policy documents, see link:IAM/latest/UserGuide/access_policies.html#access_policies-json[Overview of JSON policies,type="documentation"] in the _IAM User Guide_. Administrators can use {aws} JSON policies to specify who has access to what. That is, which *principal* can perform *actions* on what *resources*, and under what *conditions*. @@ -107,14 +107,14 @@ IAM policies define permissions for an action regardless of the method that you [#security-iam-access-manage-id-based-policies] === Identity-based policies -Identity-based policies are JSON permissions policy documents that you can attach to an identity, such as an IAM user, group of users, or role. These policies control what actions users and roles can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see link:IAM/latest/UserGuide/access_policies_create.html[Creating IAM policies,type="documentation"] in the _IAM User Guide_. +Identity-based policies are JSON permissions policy documents that you can attach to an identity, such as an IAM user, group of users, or role. These policies control what actions users and roles can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see link:IAM/latest/UserGuide/access_policies_create.html[Creating IAM policies,type="documentation"] in the _IAM User Guide_. -Identity-based policies can be further categorized as _inline policies_ or _managed policies_. Inline policies are embedded directly into a single user, group, or role. Managed policies are standalone policies that you can attach to multiple users, groups, and roles in your {aws} account. Managed policies include {aws} managed policies and customer managed policies. To learn how to choose between a managed policy or an inline policy, see link:IAM/latest/UserGuide/access_policies_managed-vs-inline.html#choosing-managed-or-inline[Choosing between managed policies and inline policies,type="documentation"] in the _IAM User Guide_. +Identity-based policies can be further categorized as _inline policies_ or _managed policies_. Inline policies are embedded directly into a single user, group, or role. Managed policies are standalone policies that you can attach to multiple users, groups, and roles in your {aws} account. Managed policies include {aws} managed policies and customer managed policies. To learn how to choose between a managed policy or an inline policy, see link:IAM/latest/UserGuide/access_policies_managed-vs-inline.html#choosing-managed-or-inline[Choosing between managed policies and inline policies,type="documentation"] in the _IAM User Guide_. [#security-iam-access-manage-resource-based-policies] === Resource-based policies -Resource-based policies are JSON policy documents that you attach to a resource. Examples of resource-based policies are IAM _role trust policies_ and Amazon S3 _bucket policies_. In services that support resource-based policies, service administrators can use them to control access to a specific resource. For the resource where the policy is attached, the policy defines what actions a specified principal can perform on that resource and under what conditions. You must link:IAM/latest/UserGuide/reference_policies_elements_principal.html[specify a principal,type="documentation"] in a resource-based policy. Principals can include accounts, users, roles, federated users, or {aws} services. +Resource-based policies are JSON policy documents that you attach to a resource. Examples of resource-based policies are IAM _role trust policies_ and Amazon S3 _bucket policies_. In services that support resource-based policies, service administrators can use them to control access to a specific resource. For the resource where the policy is attached, the policy defines what actions a specified principal can perform on that resource and under what conditions. You must link:IAM/latest/UserGuide/reference_policies_elements_principal.html[specify a principal,type="documentation"] in a resource-based policy. Principals can include accounts, users, roles, federated users, or {aws} services. Resource-based policies are inline policies that are located in that service. You can't use {aws} managed policies from IAM in a resource-based policy. @@ -132,15 +132,15 @@ Amazon S3, {aws} WAF, and Amazon VPC are examples of services that support ACLs. -* *Permissions boundaries* – A permissions boundary is an advanced feature in which you set the maximum permissions that an identity-based policy can grant to an IAM entity (IAM user or role). You can set a permissions boundary for an entity. The resulting permissions are the intersection of an entity's identity-based policies and its permissions boundaries. Resource-based policies that specify the user or role in the `Principal` field are not limited by the permissions boundary. An explicit deny in any of these policies overrides the allow. For more information about permissions boundaries, see link:IAM/latest/UserGuide/access_policies_boundaries.html[Permissions boundaries for IAM entities,type="documentation"] in the _IAM User Guide_. -* *Service control policies (SCPs)* – SCPs are JSON policies that specify the maximum permissions for an organization or organizational unit (OU) in {aws} Organizations. {aws} Organizations is a service for grouping and centrally managing multiple {aws} accounts that your business owns. If you enable all features in an organization, then you can apply service control policies (SCPs) to any or all of your accounts. The SCP limits permissions for entities in member accounts, including each {aws} account root user. For more information about Organizations and SCPs, see link:organizations/latest/userguide/orgs_manage_policies_scps.html[Service control policies,type="documentation"] in the _{aws} Organizations User Guide_. -* *Session policies* – Session policies are advanced policies that you pass as a parameter when you programmatically create a temporary session for a role or federated user. The resulting session's permissions are the intersection of the user or role's identity-based policies and the session policies. Permissions can also come from a resource-based policy. An explicit deny in any of these policies overrides the allow. For more information, see link:IAM/latest/UserGuide/access_policies.html#policies_session[Session policies,type="documentation"] in the _IAM User Guide_. +* *Permissions boundaries* – A permissions boundary is an advanced feature in which you set the maximum permissions that an identity-based policy can grant to an IAM entity (IAM user or role). You can set a permissions boundary for an entity. The resulting permissions are the intersection of an entity's identity-based policies and its permissions boundaries. Resource-based policies that specify the user or role in the `Principal` field are not limited by the permissions boundary. An explicit deny in any of these policies overrides the allow. For more information about permissions boundaries, see link:IAM/latest/UserGuide/access_policies_boundaries.html[Permissions boundaries for IAM entities,type="documentation"] in the _IAM User Guide_. +* *Service control policies (SCPs)* – SCPs are JSON policies that specify the maximum permissions for an organization or organizational unit (OU) in {aws} Organizations. {aws} Organizations is a service for grouping and centrally managing multiple {aws} accounts that your business owns. If you enable all features in an organization, then you can apply service control policies (SCPs) to any or all of your accounts. The SCP limits permissions for entities in member accounts, including each {aws} account root user. For more information about Organizations and SCPs, see link:organizations/latest/userguide/orgs_manage_policies_scps.html[Service control policies,type="documentation"] in the _{aws} Organizations User Guide_. +* *Session policies* – Session policies are advanced policies that you pass as a parameter when you programmatically create a temporary session for a role or federated user. The resulting session's permissions are the intersection of the user or role's identity-based policies and the session policies. Permissions can also come from a resource-based policy. An explicit deny in any of these policies overrides the allow. For more information, see link:IAM/latest/UserGuide/access_policies.html#policies_session[Session policies,type="documentation"] in the _IAM User Guide_. [#security-iam-access-manage-multiple-policies] === Multiple policy types -When multiple types of policies apply to a request, the resulting permissions are more complicated to understand. To learn how {aws} determines whether to allow a request when multiple policy types are involved, see link:IAM/latest/UserGuide/reference_policies_evaluation-logic.html[Policy evaluation logic,type="documentation"] in the _IAM User Guide_. +When multiple types of policies apply to a request, the resulting permissions are more complicated to understand. To learn how {aws} determines whether to allow a request when multiple policy types are involved, see link:IAM/latest/UserGuide/reference_policies_evaluation-logic.html[Policy evaluation logic,type="documentation"] in the _IAM User Guide_. 📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23security-iam%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc index cb8178637..5bf29f93d 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc @@ -16,7 +16,7 @@ A service-linked role makes setting up Amazon EKS easier because you don't have You can delete a service-linked role only after first deleting their related resources. This protects your Amazon EKS resources because you can't inadvertently remove permission to access the resources. -For information about other services that support service-linked roles, see link:IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html[{aws} services that work with IAM,type="documentation"] and look for the services that have *Yes* in the *Service-linked role* column. Choose a *Yes* with a link to view the service-linked role documentation for that service. +For information about other services that support service-linked roles, see link:IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html[{aws} services that work with IAM,type="documentation"] and look for the services that have *Yes* in the *Service-linked role* column. Choose a *Yes* with a link to view the service-linked role documentation for that service. [#service-linked-role-permissions-eks-connector] == Service-linked role permissions for Amazon EKS @@ -31,7 +31,7 @@ The role permissions policy allows Amazon EKS to complete the following actions * link:aws-managed-policy/latest/reference/AmazonEKSConnectorServiceRolePolicy.html[AmazonEKSConnectorServiceRolePolicy,type="documentation"] -You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions[Service-linked role permissions,type="documentation"] in the _IAM User Guide_. +You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions[Service-linked role permissions,type="documentation"] in the _IAM User Guide_. [#create-service-linked-role-eks-connector] == Creating a service-linked role for Amazon EKS @@ -43,7 +43,7 @@ If you delete this service-linked role, and then need to create it again, you ca [#edit-service-linked-role-eks-connector] == Editing a service-linked role for Amazon EKS -Amazon EKS does not allow you to edit the `AWSServiceRoleForAmazonEKSConnector` service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role[Editing a service-linked role,type="documentation"] in the _IAM User Guide_. +Amazon EKS does not allow you to edit the `AWSServiceRoleForAmazonEKSConnector` service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role[Editing a service-linked role,type="documentation"] in the _IAM User Guide_. [#delete-service-linked-role-eks-connector] == Deleting a service-linked role for Amazon EKS @@ -64,13 +64,13 @@ If the Amazon EKS service is using the role when you try to delete the resources . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. . In the left navigation pane, choose *Clusters*. . On the *Clusters* page, select your cluster. -. Select the *Deregister* tab and then select the *Ok* tab. +. Select the *Deregister* tab and then select the *Ok* tab. [#slr-manual-delete-eks-connector] === Manually delete the service-linked role -Use the IAM console, the {aws} CLI, or the {aws} API to delete the AWSServiceRoleForAmazonEKSConnector service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role[Deleting a service-linked role,type="documentation"] in the _IAM User Guide_. +Use the IAM console, the {aws} CLI, or the {aws} API to delete the AWSServiceRoleForAmazonEKSConnector service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role[Deleting a service-linked role,type="documentation"] in the _IAM User Guide_. 📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23using-service-linked-roles-eks-connector%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc index 81f4977dc..bb27a1605 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc @@ -16,7 +16,7 @@ A service-linked role makes setting up Amazon EKS easier because you don't have You can delete a service-linked role only after first deleting their related resources. This protects your Amazon EKS resources because you can't inadvertently remove permission to access the resources. -For information about other services that support service-linked roles, see link:IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html[{aws} services that work with IAM,type="documentation"] and look for the services that have *Yes* in the *Service-linked role* column. Choose a *Yes* with a link to view the service-linked role documentation for that service. +For information about other services that support service-linked roles, see link:IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html[{aws} services that work with IAM,type="documentation"] and look for the services that have *Yes* in the *Service-linked role* column. Choose a *Yes* with a link to view the service-linked role documentation for that service. [#service-linked-role-permissions-eks-fargate] == Service-linked role permissions for Amazon EKS @@ -31,7 +31,7 @@ The role permissions policy allows Amazon EKS to complete the following actions * link:aws-managed-policy/latest/reference/AmazonEKSForFargateServiceRolePolicy.html[AmazonEKSForFargateServiceRolePolicy,type="documentation"] -You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions[Service-linked role permissions,type="documentation"] in the _IAM User Guide_. +You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions[Service-linked role permissions,type="documentation"] in the _IAM User Guide_. [#create-service-linked-role-eks-fargate] == Creating a service-linked role for Amazon EKS @@ -41,7 +41,7 @@ You don't need to manually create a service-linked role. When you create a Farga [IMPORTANT] ==== -This service-linked role can appear in your account if you completed an action in another service that uses the features supported by this role. If you were using the Amazon EKS service before December 13, 2019, when it began supporting service-linked roles, then Amazon EKS created the AWSServiceRoleForAmazonEKSForFargate role in your account. To learn more, see link:IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared[A New role appeared in my IAM account,type="documentation"]. +This service-linked role can appear in your account if you completed an action in another service that uses the features supported by this role. If you were using the Amazon EKS service before December 13, 2019, when it began supporting service-linked roles, then Amazon EKS created the AWSServiceRoleForAmazonEKSForFargate role in your account. To learn more, see link:IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared[A New role appeared in my IAM account,type="documentation"]. ==== @@ -55,7 +55,7 @@ If you delete this service-linked role, and then need to create it again, you ca [#edit-service-linked-role-eks-fargate] == Editing a service-linked role for Amazon EKS -Amazon EKS does not allow you to edit the `AWSServiceRoleForAmazonEKSForFargate` service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role[Editing a service-linked role,type="documentation"] in the _IAM User Guide_. +Amazon EKS does not allow you to edit the `AWSServiceRoleForAmazonEKSForFargate` service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role[Editing a service-linked role,type="documentation"] in the _IAM User Guide_. [#delete-service-linked-role-eks-fargate] == Deleting a service-linked role for Amazon EKS @@ -77,7 +77,7 @@ If the Amazon EKS service is using the role when you try to delete the resources . In the left navigation pane, choose *Clusters*. . On the *Clusters* page, select your cluster. . Select the *Compute* tab. -. If there are any Fargate profiles in the *Fargate profiles* section, select each one individually, and then choose *Delete*. +. If there are any Fargate profiles in the *Fargate profiles* section, select each one individually, and then choose *Delete*. . Type the name of the profile in the deletion confirmation window, and then choose *Delete*. . Repeat this procedure for any other Fargate profiles in the cluster and for any other clusters in your account. @@ -85,7 +85,7 @@ If the Amazon EKS service is using the role when you try to delete the resources [#slr-manual-delete-eks-fargate] === Manually delete the service-linked role -Use the IAM console, the {aws} CLI, or the {aws} API to delete the AWSServiceRoleForAmazonEKSForFargate service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role[Deleting a service-linked role,type="documentation"] in the _IAM User Guide_. +Use the IAM console, the {aws} CLI, or the {aws} API to delete the AWSServiceRoleForAmazonEKSForFargate service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role[Deleting a service-linked role,type="documentation"] in the _IAM User Guide_. [#slr-regions-eks-fargate] == Supported regions for Amazon EKS service-linked roles diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc index f445a22b4..5bc86935b 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc @@ -16,7 +16,7 @@ A service-linked role makes setting up Amazon EKS easier because you don't have You can delete a service-linked role only after first deleting their related resources. This protects your Amazon EKS resources because you can't inadvertently remove permission to access the resources. -For information about other services that support service-linked roles, see link:IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html[{aws} services that work with IAM,type="documentation"] and look for the services that have *Yes* in the *Service-linked role* column. Choose a *Yes* with a link to view the service-linked role documentation for that service. +For information about other services that support service-linked roles, see link:IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html[{aws} services that work with IAM,type="documentation"] and look for the services that have *Yes* in the *Service-linked role* column. Choose a *Yes* with a link to view the service-linked role documentation for that service. [#service-linked-role-permissions-eks-nodegroups] == Service-linked role permissions for Amazon EKS @@ -31,7 +31,7 @@ The role permissions policy allows Amazon EKS to complete the following actions * link:aws-managed-policy/latest/reference/AWSServiceRoleForAmazonEKSNodegroup.html[AWSServiceRoleForAmazonEKSNodegroup,type="documentation"] -You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions[Service-linked role permissions,type="documentation"] in the _IAM User Guide_. +You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions[Service-linked role permissions,type="documentation"] in the _IAM User Guide_. [#create-service-linked-role-eks-nodegroups] == Creating a service-linked role for Amazon EKS @@ -41,7 +41,7 @@ You don't need to manually create a service-linked role. When you CreateNodegrou [IMPORTANT] ==== -This service-linked role can appear in your account if you completed an action in another service that uses the features supported by this role. If you were using the Amazon EKS service before January 1, 2017, when it began supporting service-linked roles, then Amazon EKS created the AWSServiceRoleForAmazonEKSNodegroup role in your account. To learn more, see link:IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared[A new role appeared in my IAM account,type="documentation"]. +This service-linked role can appear in your account if you completed an action in another service that uses the features supported by this role. If you were using the Amazon EKS service before January 1, 2017, when it began supporting service-linked roles, then Amazon EKS created the AWSServiceRoleForAmazonEKSNodegroup role in your account. To learn more, see link:IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared[A new role appeared in my IAM account,type="documentation"]. ==== @@ -55,7 +55,7 @@ If you delete this service-linked role, and then need to create it again, you ca [#edit-service-linked-role-eks-nodegroups] == Editing a service-linked role for Amazon EKS -Amazon EKS does not allow you to edit the `AWSServiceRoleForAmazonEKSNodegroup` service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role[Editing a service-linked role,type="documentation"] in the _IAM User Guide_. +Amazon EKS does not allow you to edit the `AWSServiceRoleForAmazonEKSNodegroup` service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role[Editing a service-linked role,type="documentation"] in the _IAM User Guide_. [#delete-service-linked-role-eks-nodegroups] == Deleting a service-linked role for Amazon EKS @@ -84,7 +84,7 @@ If the Amazon EKS service is using the role when you try to delete the resources [#slr-manual-delete-eks-nodegroups] === Manually delete the service-linked role -Use the IAM console, the {aws} CLI, or the {aws} API to delete the `AWSServiceRoleForAmazonEKSNodegroup` service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role[Deleting a service-linked role,type="documentation"] in the _IAM User Guide_. +Use the IAM console, the {aws} CLI, or the {aws} API to delete the `AWSServiceRoleForAmazonEKSNodegroup` service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role[Deleting a service-linked role,type="documentation"] in the _IAM User Guide_. [#slr-regions-eks-nodegroups] == Supported regions for Amazon EKS service-linked roles diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc index 0d24205fd..a728b7057 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc @@ -16,7 +16,7 @@ A service-linked role makes setting up Amazon EKS easier because you don't have You can delete a service-linked role only after first deleting their related resources. This protects your Amazon EKS resources because you can't inadvertently remove permission to access the resources. -For information about other services that support service-linked roles, see link:IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html[{aws} services that work with IAM,type="documentation"] and look for the services that have *Yes* in the *Service-linked role* column. Choose a *Yes* with a link to view the service-linked role documentation for that service. +For information about other services that support service-linked roles, see link:IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html[{aws} services that work with IAM,type="documentation"] and look for the services that have *Yes* in the *Service-linked role* column. Choose a *Yes* with a link to view the service-linked role documentation for that service. [#service-linked-role-permissions] == Service-linked role permissions for Amazon EKS @@ -42,7 +42,7 @@ The role permissions policy allows Amazon EKS to complete the following actions * link:aws-managed-policy/latest/reference/AmazonEKSServiceRolePolicy.html[AmazonEKSServiceRolePolicy,type="documentation"] -You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions[Service-linked role permissions,type="documentation"] in the _IAM User Guide_. +You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions[Service-linked role permissions,type="documentation"] in the _IAM User Guide_. [#create-service-linked-role-eks-outpost] == Creating a service-linked role for Amazon EKS @@ -54,7 +54,7 @@ If you delete this service-linked role, and then need to create it again, you ca [#edit-service-linked-role-eks-outpost] == Editing a service-linked role for Amazon EKS -Amazon EKS does not allow you to edit the `AWSServiceRoleForAmazonEKSLocalOutpost` service-linked role. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role[Editing a service-linked role,type="documentation"] in the _IAM User Guide_. +Amazon EKS does not allow you to edit the `AWSServiceRoleForAmazonEKSLocalOutpost` service-linked role. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role[Editing a service-linked role,type="documentation"] in the _IAM User Guide_. [#delete-service-linked-role-eks-outpost] == Deleting a service-linked role for Amazon EKS @@ -75,7 +75,7 @@ If the Amazon EKS service is using the role when you try to delete the resources . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. . In the left navigation pane, choose Amazon EKS *Clusters*. . If your cluster has any node groups or Fargate profiles, you must delete them before you can delete the cluster. For more information, see <> and <>. -. On the *Clusters* page, choose the cluster that you want to delete and choose *Delete*. +. On the *Clusters* page, choose the cluster that you want to delete and choose *Delete*. . Type the name of the cluster in the deletion confirmation window, and then choose *Delete*. . Repeat this procedure for any other clusters in your account. Wait for all of the delete operations to finish. @@ -83,7 +83,7 @@ If the Amazon EKS service is using the role when you try to delete the resources [#slr-manual-delete-eks-outpost] === Manually delete the service-linked role -Use the IAM console, the {aws} CLI, or the {aws} API to delete the `AWSServiceRoleForAmazonEKSLocalOutpost` service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role[Deleting a service-linked role,type="documentation"] in the _IAM User Guide_. +Use the IAM console, the {aws} CLI, or the {aws} API to delete the `AWSServiceRoleForAmazonEKSLocalOutpost` service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role[Deleting a service-linked role,type="documentation"] in the _IAM User Guide_. [#slr-regions-eks-connector] == Supported regions for Amazon EKS service-linked roles diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc index 71b5982a6..61c77203b 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc @@ -16,7 +16,7 @@ A service-linked role makes setting up Amazon EKS easier because you don't have You can delete a service-linked role only after first deleting their related resources. This protects your Amazon EKS resources because you can't inadvertently remove permission to access the resources. -For information about other services that support service-linked roles, see link:IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html[{aws} services that work with IAM,type="documentation"] and look for the services that have *Yes* in the *Service-linked role* column. Choose a *Yes* with a link to view the service-linked role documentation for that service. +For information about other services that support service-linked roles, see link:IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html[{aws} services that work with IAM,type="documentation"] and look for the services that have *Yes* in the *Service-linked role* column. Choose a *Yes* with a link to view the service-linked role documentation for that service. [#service-linked-role-permissions-eks] == Service-linked role permissions for Amazon EKS @@ -38,7 +38,7 @@ The role permissions policy allows Amazon EKS to complete the following actions * link:aws-managed-policy/latest/reference/AmazonEKSServiceRolePolicy.html[AmazonEKSServiceRolePolicy,type="documentation"] -You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions[Service-linked role permissions,type="documentation"] in the _IAM User Guide_. +You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions[Service-linked role permissions,type="documentation"] in the _IAM User Guide_. [#create-service-linked-role-eks] == Creating a service-linked role for Amazon EKS @@ -50,7 +50,7 @@ If you delete this service-linked role, and then need to create it again, you ca [#edit-service-linked-role-eks] == Editing a service-linked role for Amazon EKS -Amazon EKS does not allow you to edit the `AWSServiceRoleForAmazonEKS` service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role[Editing a service-linked role,type="documentation"] in the _IAM User Guide_. +Amazon EKS does not allow you to edit the `AWSServiceRoleForAmazonEKS` service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role[Editing a service-linked role,type="documentation"] in the _IAM User Guide_. [#delete-service-linked-role-eks] == Deleting a service-linked role for Amazon EKS @@ -71,7 +71,7 @@ If the Amazon EKS service is using the role when you try to delete the resources . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. . In the left navigation pane, choose *Clusters*. . If your cluster has any node groups or Fargate profiles, you must delete them before you can delete the cluster. For more information, see <> and <>. -. On the *Clusters* page, choose the cluster that you want to delete and choose *Delete*. +. On the *Clusters* page, choose the cluster that you want to delete and choose *Delete*. . Type the name of the cluster in the deletion confirmation window, and then choose *Delete*. . Repeat this procedure for any other clusters in your account. Wait for all of the delete operations to finish. @@ -79,7 +79,7 @@ If the Amazon EKS service is using the role when you try to delete the resources [#slr-manual-delete-eks] === Manually delete the service-linked role -Use the IAM console, the {aws} CLI, or the {aws} API to delete the `AWSServiceRoleForAmazonEKS` service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role[Deleting a service-linked role,type="documentation"] in the _IAM User Guide_. +Use the IAM console, the {aws} CLI, or the {aws} API to delete the `AWSServiceRoleForAmazonEKS` service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role[Deleting a service-linked role,type="documentation"] in the _IAM User Guide_. [#slr-regions-eks] == Supported regions for Amazon EKS service-linked roles diff --git a/latest/ug/security/iam-reference/using-service-linked-roles.adoc b/latest/ug/security/iam-reference/using-service-linked-roles.adoc index b0b310c9d..08db60208 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles.adoc @@ -20,7 +20,7 @@ include::using-service-linked-roles-eks-outpost.adoc[leveloffset=+1] How to use service-linked roles to give Amazon EKS access to resources in your {aws} account. -- -Amazon Elastic Kubernetes Service uses {aws} Identity and Access Management (IAM) link:IAM/latest/UserGuide/id_roles.html#iam-term-service-linked-role[service-linked roles,type="documentation"]. A service-linked role is a unique type of IAM role that is linked directly to Amazon EKS. Service-linked roles are predefined by Amazon EKS and include all the permissions that the service requires to call other {aws} services on your behalf. +Amazon Elastic Kubernetes Service uses {aws} Identity and Access Management (IAM) link:IAM/latest/UserGuide/id_roles.html#iam-term-service-linked-role[service-linked roles,type="documentation"]. A service-linked role is a unique type of IAM role that is linked directly to Amazon EKS. Service-linked roles are predefined by Amazon EKS and include all the permissions that the service requires to call other {aws} services on your behalf. [.topiclist] [[Topic List]] diff --git a/latest/ug/security/manage-secrets.adoc b/latest/ug/security/manage-secrets.adoc index 45a638db6..2ae33fe69 100644 --- a/latest/ug/security/manage-secrets.adoc +++ b/latest/ug/security/manage-secrets.adoc @@ -18,7 +18,7 @@ If you use Secrets Manager automatic rotation for your secrets, you can also use ==== -For more information, see link:secretsmanager/latest/userguide/integrating_csi_driver.html[Using Secrets Manager secrets in Amazon EKS,type="documentation"] in the {aws} Secrets Manager User Guide. +For more information, see link:secretsmanager/latest/userguide/integrating_csi_driver.html[Using Secrets Manager secrets in Amazon EKS,type="documentation"] in the {aws} Secrets Manager User Guide. 📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23manage-secrets%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/security/pod-security-policy.adoc b/latest/ug/security/pod-security-policy.adoc index 881210b20..d2cc803fe 100644 --- a/latest/ug/security/pod-security-policy.adoc +++ b/latest/ug/security/pod-security-policy.adoc @@ -84,7 +84,7 @@ Settings: Ranges: ---- -You can view the full YAML file for the `eks.privileged` [.noloc]`Pod` security policy, its cluster role, and cluster role binding in <>. +You can view the full YAML file for the `eks.privileged` [.noloc]`Pod` security policy, its cluster role, and cluster role binding in <>. [#psp-delete-default] == Delete the default Amazon EKS [.noloc]`Pod` security policy diff --git a/latest/ug/security/vpc-interface-endpoints.adoc b/latest/ug/security/vpc-interface-endpoints.adoc index 864dfd57a..5497508ee 100644 --- a/latest/ug/security/vpc-interface-endpoints.adoc +++ b/latest/ug/security/vpc-interface-endpoints.adoc @@ -19,8 +19,8 @@ For more information, see link:vpc/latest/privatelink/privatelink-access-aws-ser [#vpc-endpoint-considerations] == Considerations for Amazon EKS -* Before you set up an interface endpoint for Amazon EKS, review link:vpc/latest/privatelink/create-interface-endpoint.html#considerations-interface-endpoints[Considerations,type="documentation"] in the _{aws} PrivateLink Guide_. -* Amazon EKS supports making calls to all of its API actions through the interface endpoint, but not to the [.noloc]`Kubernetes` APIs. The [.noloc]`Kubernetes` API server already supports a <>. The [.noloc]`Kubernetes` API server private endpoint creates a private endpoint for the [.noloc]`Kubernetes` API server that you use to communicate with your cluster (using [.noloc]`Kubernetes` management tools such as `kubectl`). You can enable <> to the [.noloc]`Kubernetes` API server so that all communication between your nodes and the API server stays within your VPC. {aws} PrivateLink for the Amazon EKS API helps you call the Amazon EKS APIs from your VPC without exposing traffic to the public internet. +* Before you set up an interface endpoint for Amazon EKS, review link:vpc/latest/privatelink/create-interface-endpoint.html#considerations-interface-endpoints[Considerations,type="documentation"] in the _{aws} PrivateLink Guide_. +* Amazon EKS supports making calls to all of its API actions through the interface endpoint, but not to the [.noloc]`Kubernetes` APIs. The [.noloc]`Kubernetes` API server already supports a <>. The [.noloc]`Kubernetes` API server private endpoint creates a private endpoint for the [.noloc]`Kubernetes` API server that you use to communicate with your cluster (using [.noloc]`Kubernetes` management tools such as `kubectl`). You can enable <> to the [.noloc]`Kubernetes` API server so that all communication between your nodes and the API server stays within your VPC. {aws} PrivateLink for the Amazon EKS API helps you call the Amazon EKS APIs from your VPC without exposing traffic to the public internet. * You can't configure Amazon EKS to only be accessed through an interface endpoint. * Standard pricing for {aws} PrivateLink applies for interface endpoints for Amazon EKS. You are billed for every hour that an interface endpoint is provisioned in each Availability Zone and for data processed through the interface endpoint. For more information, see link:privatelink/pricing/[{aws} PrivateLink pricing,type="marketing"]. * VPC endpoint policies are not supported for Amazon EKS. By default, full access to Amazon EKS is allowed through the interface endpoint. Alternatively, you can associate a security group with the endpoint network interfaces to control traffic to Amazon EKS through the interface endpoint. @@ -34,7 +34,7 @@ For more information, see link:vpc/latest/privatelink/privatelink-access-aws-ser [#vpc-endpoint-create] == Create an interface endpoint for Amazon EKS -You can create an interface endpoint for Amazon EKS using either the Amazon VPC console or the {aws} Command Line Interface ({aws} CLI). For more information, see link:vpc/latest/privatelink/create-interface-endpoint.html#create-interface-endpoint-aws[Create a VPC endpoint,type="documentation"] in the _{aws} PrivateLink Guide_. +You can create an interface endpoint for Amazon EKS using either the Amazon VPC console or the {aws} Command Line Interface ({aws} CLI). For more information, see link:vpc/latest/privatelink/create-interface-endpoint.html#create-interface-endpoint-aws[Create a VPC endpoint,type="documentation"] in the _{aws} PrivateLink Guide_. Create an interface endpoint for Amazon EKS using the following service names: @@ -49,11 +49,11 @@ com.amazonaws.region-code.eks com.amazonaws.region-code.eks-auth ---- -The private DNS feature is enabled by default when creating an interface endpoint for Amazon EKS and other {aws} services. To use the private DNS feature, you must ensure that the following VPC attributes are set to `true`: `enableDnsHostnames` and `enableDnsSupport`. For more information, see link:vpc/latest/userguide/vpc-dns.html#vpc-dns-updating[View and update DNS attributes for your VPC,type="documentation"] in the Amazon VPC User Guide. With the private DNS feature enabled for the interface endpoint: +The private DNS feature is enabled by default when creating an interface endpoint for Amazon EKS and other {aws} services. To use the private DNS feature, you must ensure that the following VPC attributes are set to `true`: `enableDnsHostnames` and `enableDnsSupport`. For more information, see link:vpc/latest/userguide/vpc-dns.html#vpc-dns-updating[View and update DNS attributes for your VPC,type="documentation"] in the Amazon VPC User Guide. With the private DNS feature enabled for the interface endpoint: -* You can make any API request to Amazon EKS using its default Regional DNS name. After August 2024, any new VPC interface endpoint for the Amazon EKS API have two default Regional DNS names and you can choose the `dualstack` for the IP address type. The first DNS name is `eks.[.replaceable]``region``.api.aws` which is dual-stack. It resolves to both `IPv4` addresses and `IPv6` addresses. Before August 2024, Amazon EKS only used `eks.[.replaceable]``region``.amazonaws.com` which resolved to `IPv4` addresses only. If you want to use `IPv6` and dual-stack IP addresses with an existing VPC interface endpoint, you can update the endpoint to use the `dualstack` type of IP address, but it will only have the `eks.[.replaceable]``region``.amazonaws.com` DNS name. In this configuration, the existing endpoint updates to point that name to both `IPv4` and `IPv6` IP addresses. For a list of APIs, see link:eks/latest/APIReference/API_Operations.html[Actions,type="documentation"] in the Amazon EKS API Reference. +* You can make any API request to Amazon EKS using its default Regional DNS name. After August 2024, any new VPC interface endpoint for the Amazon EKS API have two default Regional DNS names and you can choose the `dualstack` for the IP address type. The first DNS name is `eks.[.replaceable]``region``.api.aws` which is dual-stack. It resolves to both `IPv4` addresses and `IPv6` addresses. Before August 2024, Amazon EKS only used `eks.[.replaceable]``region``.amazonaws.com` which resolved to `IPv4` addresses only. If you want to use `IPv6` and dual-stack IP addresses with an existing VPC interface endpoint, you can update the endpoint to use the `dualstack` type of IP address, but it will only have the `eks.[.replaceable]``region``.amazonaws.com` DNS name. In this configuration, the existing endpoint updates to point that name to both `IPv4` and `IPv6` IP addresses. For a list of APIs, see link:eks/latest/APIReference/API_Operations.html[Actions,type="documentation"] in the Amazon EKS API Reference. * You don't need to make any changes to your applications that call the EKS APIs. + However, To use the dual-stack endpoints with the {aws} CLI, see the link:sdkref/latest/guide/feature-endpoints.html[Dual-stack and FIPS endpoints,type="documentation"] configuration in the _{aws} SDKs and Tools Reference Guide_. diff --git a/latest/ug/storage/ebs-csi-migration-faq.adoc b/latest/ug/storage/ebs-csi-migration-faq.adoc index 2a0a36b3c..353e4f092 100644 --- a/latest/ug/storage/ebs-csi-migration-faq.adoc +++ b/latest/ug/storage/ebs-csi-migration-faq.adoc @@ -58,14 +58,14 @@ The in-tree `StorageClass` provisioner is named `kubernetes.io/aws-ebs`. The Ama [#csi-migration-faq-mounting-volumes] == Can I mount `kubernetes.io/aws-ebs StorageClass` volumes in version `1.23` and later clusters? -Yes, as long as the <> is installed. For newly created version `1.23` and later clusters, we recommend installing the Amazon EBS CSI driver as part of your cluster creation process. We also recommend only using `StorageClasses` based on the `ebs.csi.aws.com` provisioner. +Yes, as long as the <> is installed. For newly created version `1.23` and later clusters, we recommend installing the Amazon EBS CSI driver as part of your cluster creation process. We also recommend only using `StorageClasses` based on the `ebs.csi.aws.com` provisioner. If you've updated your cluster control plane to version `1.23` and haven't yet updated your nodes to `1.23`, then the `CSIMigration` and `CSIMigration{aws}` kubelet flags aren't enabled. In this case, the in-tree driver is used to mount `kubernetes.io/aws-ebs` based volumes. The Amazon EBS CSI driver must still be installed however, to ensure that [.noloc]`Pods` using `kubernetes.io/aws-ebs` based volumes can be scheduled. The driver is also required for other volume operations to succeed. [#csi-migration-faq-aws-ebs-volumes] == Can I provision `kubernetes.io/aws-ebs StorageClass` volumes on Amazon EKS `1.23` and later clusters? -Yes, as long as the <> is installed. +Yes, as long as the <> is installed. [#csi-migration-faq-aws-ebs-provisioner] == Will the `kubernetes.io/aws-ebs StorageClass` provisioner ever be removed from Amazon EKS? @@ -75,12 +75,12 @@ The `kubernetes.io/aws-ebs` `StorageClass` provisioner and `awsElasticBlockStore [#csi-migration-faq-ebs-csi-driver] == How do I install the Amazon EBS CSI driver? -We recommend installing the <>. When an update is required to the Amazon EKS add-on, you initiate the update and Amazon EKS updates the add-on for you. If you want to manage the driver yourself, you can install it using the open source https://github.com/kubernetes-sigs/aws-ebs-csi-driver/tree/master/charts/aws-ebs-csi-driver[Helm chart]. +We recommend installing the <>. When an update is required to the Amazon EKS add-on, you initiate the update and Amazon EKS updates the add-on for you. If you want to manage the driver yourself, you can install it using the open source https://github.com/kubernetes-sigs/aws-ebs-csi-driver/tree/master/charts/aws-ebs-csi-driver[Helm chart]. [IMPORTANT] ==== -The [.noloc]`Kubernetes` in-tree Amazon EBS driver runs on the [.noloc]`Kubernetes` control plane. It uses IAM permissions assigned to the <> to provision Amazon EBS volumes. The Amazon EBS CSI driver runs on nodes. The driver needs IAM permissions to provision volumes. For more information, see <>. +The [.noloc]`Kubernetes` in-tree Amazon EBS driver runs on the [.noloc]`Kubernetes` control plane. It uses IAM permissions assigned to the <> to provision Amazon EBS volumes. The Amazon EBS CSI driver runs on nodes. The driver needs IAM permissions to provision volumes. For more information, see <>. ==== diff --git a/latest/ug/storage/ebs-csi.adoc b/latest/ug/storage/ebs-csi.adoc index eeb92fd49..7a8b5feca 100644 --- a/latest/ug/storage/ebs-csi.adoc +++ b/latest/ug/storage/ebs-csi.adoc @@ -93,7 +93,7 @@ eksctl create iamserviceaccount \ ---- . If you use a custom link:kms/[KMS key,type="marketing"] for encryption on your Amazon EBS volumes, customize the IAM role as needed. For example, do the following: + -.. Copy and paste the following code into a new `kms-key-for-encryption-on-ebs.json` file. Replace [.replaceable]`custom-key-arn` with the custom link:service-authorization/latest/reference/list_awskeymanagementservice.html#awskeymanagementservice-key[KMS key ARN,type="documentation"]. +.. Copy and paste the following code into a new `kms-key-for-encryption-on-ebs.json` file. Replace [.replaceable]`custom-key-arn` with the custom link:service-authorization/latest/reference/list_awskeymanagementservice.html#awskeymanagementservice-key[KMS key ARN,type="documentation"]. + [source,json,subs="verbatim,attributes"] ---- @@ -148,11 +148,11 @@ aws iam attach-role-policy \ === {aws-management-console} [[console_store_app_data]] . Open the IAM console at https://console.aws.amazon.com/iam/. . In the left navigation pane, choose *Roles*. -. On the *Roles* page, choose *Create role*. +. On the *Roles* page, choose *Create role*. . On the *Select trusted entity* page, do the following: + -.. In the *Trusted entity type* section, choose *Web identity*. -.. For *Identity provider*, choose the *[.noloc]`OpenID Connect` provider URL* for your cluster (as shown under *Overview* in Amazon EKS). +.. In the *Trusted entity type* section, choose *Web identity*. +.. For *Identity provider*, choose the *[.noloc]`OpenID Connect` provider URL* for your cluster (as shown under *Overview* in Amazon EKS). .. For *Audience*, choose `sts.amazonaws.com`. .. Choose *Next*. . On the *Add permissions* page, do the following: @@ -163,10 +163,10 @@ aws iam attach-role-policy \ . On the *Name, review, and create* page, do the following: + .. For *Role name*, enter a unique name for your role, such as [.replaceable]`AmazonEKS_EBS_CSI_DriverRole`. -.. Under *Add tags (Optional)*, add metadata to the role by attaching tags as key-value pairs. For more information about using tags in IAM, see link:IAM/latest/UserGuide/id_tags.html[Tagging IAM resources,type="documentation"] in the _IAM User Guide_. +.. Under *Add tags (Optional)*, add metadata to the role by attaching tags as key-value pairs. For more information about using tags in IAM, see link:IAM/latest/UserGuide/id_tags.html[Tagging IAM resources,type="documentation"] in the _IAM User Guide_. .. Choose *Create role*. . After the role is created, choose the role in the console to open it for editing. -. Choose the *Trust relationships* tab, and then choose *Edit trust policy*. +. Choose the *Trust relationships* tab, and then choose *Edit trust policy*. . Find the line that looks similar to the following line: + [source,json,subs="verbatim,attributes"] @@ -184,9 +184,9 @@ Add a comma to the end of the previous line, and then add the following line aft . If you use a custom link:kms/[KMS key,type="marketing"] for encryption on your Amazon EBS volumes, customize the IAM role as needed. For example, do the following: + .. In the left navigation pane, choose *Policies*. -.. On the *Policies* page, choose *Create Policy*. -.. On the *Create policy* page, choose the *JSON* tab. -.. Copy and paste the following code into the editor, replacing [.replaceable]`custom-key-arn` with the custom link:service-authorization/latest/reference/list_awskeymanagementservice.html#awskeymanagementservice-key[KMS key ARN,type="documentation"]. +.. On the *Policies* page, choose *Create Policy*. +.. On the *Create policy* page, choose the *JSON* tab. +.. Copy and paste the following code into the editor, replacing [.replaceable]`custom-key-arn` with the custom link:service-authorization/latest/reference/list_awskeymanagementservice.html#awskeymanagementservice-key[KMS key ARN,type="documentation"]. + [source,json,subs="verbatim,attributes"] ---- @@ -222,12 +222,12 @@ Add a comma to the end of the previous line, and then add the following line aft } ---- .. Choose *Next: Tags*. -.. On the *Add tags (Optional)* page, choose *Next: Review*. +.. On the *Add tags (Optional)* page, choose *Next: Review*. .. For *Name*, enter a unique name for your policy (for example, [.replaceable]`KMS_Key_For_Encryption_On_EBS_Policy`). .. Choose *Create policy*. .. In the left navigation pane, choose *Roles*. .. Choose the *[.replaceable]`AmazonEKS_EBS_CSI_DriverRole`* in the console to open it for editing. -.. From the *Add permissions* dropdown list, choose *Attach policies*. +.. From the *Add permissions* dropdown list, choose *Attach policies*. .. In the *Filter policies* box, enter [.replaceable]`KMS_Key_For_Encryption_On_EBS_Policy`. .. Select the check box to the left of the [.replaceable]`KMS_Key_For_Encryption_On_EBS_Policy` that was returned in the search. .. Choose *Attach policies*. @@ -289,7 +289,7 @@ aws iam attach-role-policy \ ---- . If you use a custom link:kms/[KMS key,type="marketing"] for encryption on your Amazon EBS volumes, customize the IAM role as needed. For example, do the following: + -.. Copy and paste the following code into a new `kms-key-for-encryption-on-ebs.json` file. Replace [.replaceable]`custom-key-arn` with the custom link:service-authorization/latest/reference/list_awskeymanagementservice.html#awskeymanagementservice-key[KMS key ARN,type="documentation"]. +.. Copy and paste the following code into a new `kms-key-for-encryption-on-ebs.json` file. Replace [.replaceable]`custom-key-arn` with the custom link:service-authorization/latest/reference/list_awskeymanagementservice.html#awskeymanagementservice-key[KMS key ARN,type="documentation"]. + [source,json,subs="verbatim,attributes"] ---- diff --git a/latest/ug/storage/efs-csi.adoc b/latest/ug/storage/efs-csi.adoc index 40a93c04f..b929b309b 100644 --- a/latest/ug/storage/efs-csi.adoc +++ b/latest/ug/storage/efs-csi.adoc @@ -21,7 +21,7 @@ link:efs/latest/ug/whatisefs.html[Amazon Elastic File System,type="documentation * https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/examples/kubernetes/dynamic_provisioning/README.md[Dynamic provisioning] requires https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/CHANGELOG-1.x.md#v12[1.2] or later of the driver. You can use https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/examples/kubernetes/static_provisioning/README.md[static provisioning] for persistent volumes using version `1.1` of the driver on any supported Amazon EKS cluster version (see <>). * Version https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/CHANGELOG-1.x.md#v132[1.3.2] or later of this driver supports the Arm64 architecture, including Amazon EC2 Graviton-based instances. * Version https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/CHANGELOG-1.x.md#v142[1.4.2] or later of this driver supports using FIPS for mounting file systems. -* Take note of the resource quotas for Amazon EFS. For example, there's a quota of 1000 access points that can be created for each Amazon EFS file system. For more information, see link:efs/latest/ug/limits.html#limits-efs-resources-per-account-per-region[Amazon EFS resource quotas that you cannot change,type="documentation"]. +* Take note of the resource quotas for Amazon EFS. For example, there's a quota of 1000 access points that can be created for each Amazon EFS file system. For more information, see link:efs/latest/ug/limits.html#limits-efs-resources-per-account-per-region[Amazon EFS resource quotas that you cannot change,type="documentation"]. * Starting in version https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/CHANGELOG-2.x.md#v200[2.0.0], this driver switched from using `stunnel` to `efs-proxy` for TLS connections. When `efs-proxy` is used, it will open a number of threads equal to one plus the number of cores for the node it's running on. * The Amazon EFS CSI driver isn't compatible with Amazon EKS Hybrid Nodes. @@ -30,7 +30,7 @@ link:efs/latest/ug/whatisefs.html[Amazon Elastic File System,type="documentation == Prerequisites * An existing {aws} Identity and Access Management (IAM) [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you already have one, or to create one, see <>. -* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. +* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. * The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. [NOTE] @@ -81,11 +81,11 @@ Run the following to create an IAM role with {aws-management-console}. . Open the IAM console at https://console.aws.amazon.com/iam/. . In the left navigation pane, choose *Roles*. -. On the *Roles* page, choose *Create role*. +. On the *Roles* page, choose *Create role*. . On the *Select trusted entity* page, do the following: + -.. In the *Trusted entity type* section, choose *Web identity*. -.. For *Identity provider*, choose the *[.noloc]`OpenID Connect` provider URL* for your cluster (as shown under *Overview* in Amazon EKS). +.. In the *Trusted entity type* section, choose *Web identity*. +.. For *Identity provider*, choose the *[.noloc]`OpenID Connect` provider URL* for your cluster (as shown under *Overview* in Amazon EKS). .. For *Audience*, choose `sts.amazonaws.com`. .. Choose *Next*. . On the *Add permissions* page, do the following: @@ -96,10 +96,10 @@ Run the following to create an IAM role with {aws-management-console}. . On the *Name, review, and create* page, do the following: + .. For *Role name*, enter a unique name for your role, such as [.replaceable]`AmazonEKS_EFS_CSI_DriverRole`. -.. Under *Add tags (Optional)*, add metadata to the role by attaching tags as key-value pairs. For more information about using tags in IAM, see link:IAM/latest/UserGuide/id_tags.html[Tagging IAM resources,type="documentation"] in the _IAM User Guide_. +.. Under *Add tags (Optional)*, add metadata to the role by attaching tags as key-value pairs. For more information about using tags in IAM, see link:IAM/latest/UserGuide/id_tags.html[Tagging IAM resources,type="documentation"] in the _IAM User Guide_. .. Choose *Create role*. . After the role is created, choose the role in the console to open it for editing. -. Choose the *Trust relationships* tab, and then choose *Edit trust policy*. +. Choose the *Trust relationships* tab, and then choose *Edit trust policy*. . Find the line that looks similar to the following line: + [source,json,subs="verbatim,attributes"] diff --git a/latest/ug/storage/fsx-csi.adoc b/latest/ug/storage/fsx-csi.adoc index 948668ea4..cf360b69b 100644 --- a/latest/ug/storage/fsx-csi.adoc +++ b/latest/ug/storage/fsx-csi.adoc @@ -29,7 +29,7 @@ For detailed descriptions of the available parameters and complete examples that You must have: -* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. +* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. * Version `{eksctl-min-version}` or later of the `eksctl` command line tool installed on your device or {aws} CloudShell. To install or update `eksctl`, see https://eksctl.io/installation[Installation] in the `eksctl` documentation. * The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. @@ -119,7 +119,7 @@ csidriver.storage.k8s.io/fsx.csi.aws.com created .. Open the link:cloudformation/[{aws} CloudFormation console,type="console"]. .. Ensure that the console is set to the {aws} Region that you created your IAM role in and then select *Stacks*. .. Select the stack named `eksctl-my-csi-fsx-cluster-addon-iamserviceaccount-kube-system-fsx-csi-controller-sa`. -.. Select the *Outputs* tab. The *Role1* ARN is listed on the *Outputs (1)* page. +.. Select the *Outputs* tab. The *Role1* ARN is listed on the *Outputs (1)* page. . Patch the driver deployment to add the service account that you created earlier with the following command. Replace the ARN with the ARN that you noted. Replace [.replaceable]`111122223333` with your account ID. + [source,bash,subs="verbatim,attributes"] @@ -143,7 +143,7 @@ This procedure uses the https://github.com/kubernetes-sigs/aws-fsx-csi-driver[FS ---- aws eks describe-cluster --name $cluster_name --query cluster.resourcesVpcConfig.clusterSecurityGroupId ---- -. Create a security group for your Amazon FSx file system according to the criteria shown in link:fsx/latest/LustreGuide/limit-access-security-groups.html#fsx-vpc-security-groups[Amazon VPC Security Groups,type="documentation"] in the Amazon FSx for Lustre User Guide. For the *VPC*, select the VPC of your cluster as shown under the *Networking* section. For "the security groups associated with your Lustre clients", use your cluster security group. You can leave the outbound rules alone to allow *All traffic*. +. Create a security group for your Amazon FSx file system according to the criteria shown in link:fsx/latest/LustreGuide/limit-access-security-groups.html#fsx-vpc-security-groups[Amazon VPC Security Groups,type="documentation"] in the Amazon FSx for Lustre User Guide. For the *VPC*, select the VPC of your cluster as shown under the *Networking* section. For "the security groups associated with your Lustre clients", use your cluster security group. You can leave the outbound rules alone to allow *All traffic*. . Download the storage class manifest with the following command. + [source,bash,subs="verbatim,attributes"] diff --git a/latest/ug/storage/s3-csi.adoc b/latest/ug/storage/s3-csi.adoc index 88300c2ae..a70f4bcd9 100644 --- a/latest/ug/storage/s3-csi.adoc +++ b/latest/ug/storage/s3-csi.adoc @@ -147,11 +147,11 @@ eksctl create iamserviceaccount \ === {aws-management-console} [[console_s3_store_app_data]] . Open the IAM console at https://console.aws.amazon.com/iam/. . In the left navigation pane, choose *Roles*. -. On the *Roles* page, choose *Create role*. +. On the *Roles* page, choose *Create role*. . On the *Select trusted entity* page, do the following: + -.. In the *Trusted entity type* section, choose *Web identity*. -.. For *Identity provider*, choose the *[.noloc]`OpenID Connect` provider URL* for your cluster (as shown under *Overview* in Amazon EKS). +.. In the *Trusted entity type* section, choose *Web identity*. +.. For *Identity provider*, choose the *[.noloc]`OpenID Connect` provider URL* for your cluster (as shown under *Overview* in Amazon EKS). + If no URLs are shown, review the <>. .. For *Audience*, choose `sts.amazonaws.com`. @@ -166,10 +166,10 @@ NOTE: This policy was created in the previous section. . On the *Name, review, and create* page, do the following: + .. For *Role name*, enter a unique name for your role, such as [.noloc]`AmazonEKS_S3_CSI_DriverRole`. -.. Under *Add tags (Optional)*, add metadata to the role by attaching tags as key-value pairs. For more information about using tags in IAM, see link:IAM/latest/UserGuide/id_tags.html[Tagging IAM resources,type="documentation"] in the _IAM User Guide_. +.. Under *Add tags (Optional)*, add metadata to the role by attaching tags as key-value pairs. For more information about using tags in IAM, see link:IAM/latest/UserGuide/id_tags.html[Tagging IAM resources,type="documentation"] in the _IAM User Guide_. .. Choose *Create role*. . After the role is created, choose the role in the console to open it for editing. -. Choose the *Trust relationships* tab, and then choose *Edit trust policy*. +. Choose the *Trust relationships* tab, and then choose *Edit trust policy*. . Find the line that looks similar to the following: + [source,json,subs="verbatim,attributes"] @@ -321,16 +321,16 @@ addons: . Choose *Get more add-ons*. . On the *Select add-ons* page, do the following: + -.. In the *Amazon EKS-addons* section, select the *[.noloc]`Mountpoint` for Amazon S3 CSI Driver* check box. +.. In the *Amazon EKS-addons* section, select the *[.noloc]`Mountpoint` for Amazon S3 CSI Driver* check box. .. Choose *Next*. . On the *Configure selected add-ons settings* page, do the following: + .. Select the *Version* you'd like to use. .. For *Select IAM role*, select the name of an IAM role that you attached the [.noloc]`Mountpoint` for Amazon S3 CSI driver IAM policy to. -.. (Optional) Update the *Conflict resolution method* after expanding the *Optional configuration settings*. If you select *Override*, one or more of the settings for the existing add-on can be overwritten with the Amazon EKS add-on settings. If you don't enable this option and there's a conflict with your existing settings, the operation fails. You can use the resulting error message to troubleshoot the conflict. Before selecting this option, make sure that the Amazon EKS add-on doesn't manage settings that you need to self-manage. -.. (Optional) Configure tolerations in the *Configuration values* field after expanding the *Optional configuration settings*. +.. (Optional) Update the *Conflict resolution method* after expanding the *Optional configuration settings*. If you select *Override*, one or more of the settings for the existing add-on can be overwritten with the Amazon EKS add-on settings. If you don't enable this option and there's a conflict with your existing settings, the operation fails. You can use the resulting error message to troubleshoot the conflict. Before selecting this option, make sure that the Amazon EKS add-on doesn't manage settings that you need to self-manage. +.. (Optional) Configure tolerations in the *Configuration values* field after expanding the *Optional configuration settings*. .. Choose *Next*. -. On the *Review and add* page, choose *Create*. After the add-on installation is complete, you see your installed add-on. +. On the *Review and add* page, choose *Create*. After the add-on installation is complete, you see your installed add-on. === {aws} CLI [[awscli_s3_add_store_app_data]] diff --git a/latest/ug/troubleshooting/troubleshooting.adoc b/latest/ug/troubleshooting/troubleshooting.adoc index 347a962e1..1f50032d0 100644 --- a/latest/ug/troubleshooting/troubleshooting.adoc +++ b/latest/ug/troubleshooting/troubleshooting.adoc @@ -18,7 +18,7 @@ include::../attributes.txt[] This chapter covers some common errors that you may see while using Amazon EKS and how to work around them. -- -This chapter covers some common errors that you may see while using Amazon EKS and how to work around them. If you need to troubleshoot specific Amazon EKS areas, see the separate <>, <>, and https://aws-otel.github.io/docs/getting-started/adot-eks-add-on/troubleshooting[Troubleshooting for ADOT using EKS Add-Ons] topics. +This chapter covers some common errors that you may see while using Amazon EKS and how to work around them. If you need to troubleshoot specific Amazon EKS areas, see the separate <>, <>, and https://aws-otel.github.io/docs/getting-started/adot-eks-add-on/troubleshooting[Troubleshooting for ADOT using EKS Add-Ons] topics. For other troubleshooting information, see https://repost.aws/tags/knowledge-center/TA4IvCeWI1TE66q4jEj4Z9zg/amazon-elastic-kubernetes-service[Knowledge Center content about Amazon Elastic Kubernetes Service] on _{aws} re:Post_. @@ -40,7 +40,7 @@ There are a few common reasons that prevent nodes from joining the cluster: -* If the nodes are managed nodes, Amazon EKS adds entries to the `aws-auth` `ConfigMap` when you create the node group. If the entry was removed or modified, then you need to re-add it. For more information, enter `eksctl create iamidentitymapping --help` in your terminal. You can view your current `aws-auth` `ConfigMap` entries by replacing [.replaceable]`my-cluster` in the following command with the name of your cluster and then running the modified command: `eksctl get iamidentitymapping --cluster [.replaceable]``my-cluster```. The ARN of the role that you specify can't include a link:IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names[path,type="documentation"] other than `/`. For example, if the name of your role is `development/apps/my-role`, you'd need to change it to `my-role` when specifying the ARN for the role. Make sure that you specify the node IAM role ARN (not the instance profile ARN). +* If the nodes are managed nodes, Amazon EKS adds entries to the `aws-auth` `ConfigMap` when you create the node group. If the entry was removed or modified, then you need to re-add it. For more information, enter `eksctl create iamidentitymapping --help` in your terminal. You can view your current `aws-auth` `ConfigMap` entries by replacing [.replaceable]`my-cluster` in the following command with the name of your cluster and then running the modified command: `eksctl get iamidentitymapping --cluster [.replaceable]``my-cluster```. The ARN of the role that you specify can't include a link:IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names[path,type="documentation"] other than `/`. For example, if the name of your role is `development/apps/my-role`, you'd need to change it to `my-role` when specifying the ARN for the role. Make sure that you specify the node IAM role ARN (not the instance profile ARN). + If the nodes are self-managed, and you haven't created <> for the ARN of the node's IAM role, then run the same commands listed for managed nodes. If you have created an access entry for the ARN for your node IAM role, then it might not be configured properly in the access entry. Make sure that the node IAM role ARN (not the instance profile ARN) is specified as the principal ARN in your `aws-auth` `ConfigMap` entry or access entry. For more information about access entries, see <>. * The *ClusterName* in your node {aws} CloudFormation template doesn't exactly match the name of the cluster you want your nodes to join. Passing an incorrect value to this field results in an incorrect configuration of the node's `/var/lib/kubelet/kubeconfig` file, and the nodes will not join the cluster. @@ -55,9 +55,9 @@ If the nodes are self-managed, and you haven't created <.compute.internal` and `domain-name-servers:AmazonProvidedDNS`. For more information, see link:vpc/latest/userguide/VPC_DHCP_Options.html#AmazonDNS[DHCP options sets,type="documentation"] in the _Amazon VPC User Guide_. +* The nodes may not be able to access the cluster using a public IP address. Ensure that nodes deployed in public subnets are assigned a public IP address. If not, you can associate an Elastic IP address to a node after it's launched. For more information, see link:AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html#using-instance-addressing-eips-associating[Associating an Elastic IP address with a running instance or network interface,type="documentation"]. If the public subnet is not set to automatically assign public IP addresses to instances deployed to it, then we recommend enabling that setting. For more information, see link:vpc/latest/userguide/vpc-ip-addressing.html#subnet-public-ip[Modifying the public IPv4 addressing attribute for your subnet,type="documentation"]. If the node is deployed to a private subnet, then the subnet must have a route to a NAT gateway that has a public IP address assigned to it. +* The {aws} STS endpoint for the {aws} Region that you're deploying the nodes to is not enabled for your account. To enable the region, see link:IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#sts-regions-activate-deactivate[Activating and deactivating {aws} STS in an {aws} Region,type="documentation"]. +* The node doesn't have a private DNS entry, resulting in the `kubelet` log containing a `node "" not found` error. Ensure that the VPC where the node is created has values set for `domain-name` and `domain-name-servers` as `Options` in a `DHCP options set`. The default values are `domain-name:.compute.internal` and `domain-name-servers:AmazonProvidedDNS`. For more information, see link:vpc/latest/userguide/VPC_DHCP_Options.html#AmazonDNS[DHCP options sets,type="documentation"] in the _Amazon VPC User Guide_. * If the nodes in the managed node group do not connect to the cluster within 15 minutes, a health issue of "`NodeCreationFailure`" will be emitted and the console status will be set to `Create failed`. For [.noloc]`Windows` AMIs that have slow launch times, this issue can be resolved using link:AWSEC2/latest/WindowsGuide/win-ami-config-fast-launch.html[fast launch,type="documentation"]. To identify and troubleshoot common causes that prevent worker nodes from joining a cluster, you can use the `AWSSupport-TroubleshootEKSWorkerNode` runbook. For more information, see `link:systems-manager-automation-runbooks/latest/userguide/automation-awssupport-troubleshooteksworkernode.html[AWSSupport-TroubleshootEKSWorkerNode,type="documentation"]` in the _{aws} Systems Manager Automation runbook reference_. @@ -314,7 +314,7 @@ Retry the node group operation to see if that resolved your issue. [#not-authorized-for-images] == `Not authorized for images` -One potential cause of a `Not authorized for images` error message is using a private Amazon EKS [.noloc]`Windows` AMI to launch [.noloc]`Windows` managed node groups. After releasing new [.noloc]`Windows` AMIs, {aws} makes AMIs that are older than 4 months private, which makes them no longer accessible. If your managed node group is using a private [.noloc]`Windows` AMI, consider <>. While we can't guarantee that we can provide access to AMIs that have been made private, you can request access by filing a ticket with {aws} Support. For more information, see link:AWSEC2/latest/WindowsGuide/aws-windows-ami.html#ami-patches-security-ID[Patches, security updates, and AMI IDs,type="documentation"] in the _Amazon EC2 User Guide_. +One potential cause of a `Not authorized for images` error message is using a private Amazon EKS [.noloc]`Windows` AMI to launch [.noloc]`Windows` managed node groups. After releasing new [.noloc]`Windows` AMIs, {aws} makes AMIs that are older than 4 months private, which makes them no longer accessible. If your managed node group is using a private [.noloc]`Windows` AMI, consider <>. While we can't guarantee that we can provide access to AMIs that have been made private, you can request access by filing a ticket with {aws} Support. For more information, see link:AWSEC2/latest/WindowsGuide/aws-windows-ami.html#ami-patches-security-ID[Patches, security updates, and AMI IDs,type="documentation"] in the _Amazon EC2 User Guide_. [#not-ready] == Node is in `NotReady` state @@ -408,7 +408,7 @@ eksctl create iamidentitymapping --cluster my-cluster \ --username system:node:{{EC2PrivateDNSName}} ---- + -The ARN of the role that you specify can't include a link:IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names[path,type="documentation"] other than `/`. For example, if the name of your role is `development/apps/my-role`, you'd need to change it to `my-role` when specifying the ARN of the role. Make sure that you specify the node IAM role ARN (not the instance profile ARN). +The ARN of the role that you specify can't include a link:IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names[path,type="documentation"] other than `/`. For example, if the name of your role is `development/apps/my-role`, you'd need to change it to `my-role` when specifying the ARN of the role. Make sure that you specify the node IAM role ARN (not the instance profile ARN). . Your self-managed nodes are in a cluster with a platform version at the minimum version listed in the prerequisites in the <> topic, but an entry isn't listed in the `aws-auth` `ConfigMap` (see previous item) for the node's IAM role or an access entry doesn't exist for the role. To resolve the issue, view your existing access entries by replacing [.replaceable]`my-cluster` in the following command with the name of your cluster and then running the modified command: `aws eks list-access-entries --cluster-name [.replaceable]``my-cluster```. The following command adds an access entry for the node's IAM role. Replace [.replaceable]`111122223333` with the {aws} account ID for the IAM role and [.replaceable]`myAmazonEKSNodeRole` with the name of your node's role. If you have a Windows node, replace [.replaceable]`EC2_LINUX` with `EC2_Windows`. Make sure that you specify the node IAM role ARN (not the instance profile ARN). + [source,bash,subs="verbatim,attributes"] @@ -469,7 +469,7 @@ Before you upgrade a control plane to a new [.noloc]`Kubernetes` version, the mi [#too-many-requests] == When launching many nodes, there are `Too Many Requests` errors -If you launch many nodes simultaneously, you may see an error message in the link:AWSEC2/latest/UserGuide/user-data.html#user-data-shell-scripts[Amazon EC2 user data,type="documentation"] execution logs that says `Too Many Requests`. This can occur because the control plane is being overloaded with `describeCluster` calls. The overloading results in throttling, nodes failing to run the bootstrap script, and nodes failing to join the cluster altogether. +If you launch many nodes simultaneously, you may see an error message in the link:AWSEC2/latest/UserGuide/user-data.html#user-data-shell-scripts[Amazon EC2 user data,type="documentation"] execution logs that says `Too Many Requests`. This can occur because the control plane is being overloaded with `describeCluster` calls. The overloading results in throttling, nodes failing to run the bootstrap script, and nodes failing to join the cluster altogether. Make sure that `--apiserver-endpoint`, `--b64-cluster-ca`, and `--dns-cluster-ip` arguments are being passed to the node's bootstrap script. When including these arguments, there's no need for the bootstrap script to make a `describeCluster` call, which helps prevent the control plane from being overloaded. For more information, see <>. @@ -495,7 +495,7 @@ You can identify all existing [.noloc]`Pods` in your cluster that are using stal [#troubleshooting-platform-version] == Amazon EKS platform version is more than two versions behind the current platform version -This can happen when Amazon EKS isn't able to automatically update your cluster's <>. Though there are many causes for this, some of the common causes follow. If any of these problems apply to your cluster, it may still function, its platform version just won't be updated by Amazon EKS. +This can happen when Amazon EKS isn't able to automatically update your cluster's <>. Though there are many causes for this, some of the common causes follow. If any of these problems apply to your cluster, it may still function, its platform version just won't be updated by Amazon EKS. .Problem The <> was deleted – This role was specified when the cluster was created. You can see which role was specified with the following command. Replace [.replaceable]`my-cluster` with the name of your cluster. @@ -606,11 +606,11 @@ When you initiate a [.noloc]`Kubernetes` version update for your cluster, the up [#cluster-health-status] == Cluster health FAQs and error codes with resolution paths -Amazon EKS detects issues with your EKS clusters and the cluster infrastructure and stores it in the _cluster health_. You can detect, troubleshoot, and address cluster issues more rapidly with the aid of cluster health information. This enables you to create application environments that are more secure and up-to-date. Additionally, it may be impossible for you to upgrade to newer versions of [.noloc]`Kubernetes` or for Amazon EKS to install security updates on a degraded cluster as a result of issues with the necessary infrastructure or cluster configuration. Amazon EKS can take 3 hours to detect issues or detect that an issue is resolved. +Amazon EKS detects issues with your EKS clusters and the cluster infrastructure and stores it in the _cluster health_. You can detect, troubleshoot, and address cluster issues more rapidly with the aid of cluster health information. This enables you to create application environments that are more secure and up-to-date. Additionally, it may be impossible for you to upgrade to newer versions of [.noloc]`Kubernetes` or for Amazon EKS to install security updates on a degraded cluster as a result of issues with the necessary infrastructure or cluster configuration. Amazon EKS can take 3 hours to detect issues or detect that an issue is resolved. The health of an Amazon EKS cluster is a shared responsibility between Amazon EKS and its users. You are responsible for the prerequisite infrastructure of IAM roles and Amazon VPC subnets, as well as other necessary infrastructure, that must be provided in advance. Amazon EKS detects changes in the configuration of this infrastructure and the cluster. -To access your health of your cluster in the Amazon EKS console, look for a section called *Health Issues* in the *Overview* tab of the Amazon EKS cluster detail page. This data will be also be available by calling the `DescribeCluster` action in the EKS API, for example from within the {aws} Command Line Interface. +To access your health of your cluster in the Amazon EKS console, look for a section called *Health Issues* in the *Overview* tab of the Amazon EKS cluster detail page. This data will be also be available by calling the `DescribeCluster` action in the EKS API, for example from within the {aws} Command Line Interface. @@ -638,7 +638,7 @@ Yes. {aws} sends an email and Personal Health Dashboard notification when new Cl *Does the console give me warnings for health issues?*:: Yes, any cluster with health issues will include a banner at the top of the console. -The first two columns are what are needed for API response values. The third field of the link:eks/latest/APIReference/API_ClusterIssue.html[Health ClusterIssue,type="documentation"] object is [.noloc]`resourceIds`, the return of which is dependent on the issue type. +The first two columns are what are needed for API response values. The third field of the link:eks/latest/APIReference/API_ClusterIssue.html[Health ClusterIssue,type="documentation"] object is [.noloc]`resourceIds`, the return of which is dependent on the issue type. [cols="1,1,1,1", options="header"] |=== diff --git a/latest/ug/what-is/kubernetes-concepts.adoc b/latest/ug/what-is/kubernetes-concepts.adoc index 214fd083a..f7d9ac906 100644 --- a/latest/ug/what-is/kubernetes-concepts.adoc +++ b/latest/ug/what-is/kubernetes-concepts.adoc @@ -43,7 +43,7 @@ To achieve its goals, [.noloc]`Kubernetes` has the following attributes: -* *Containerized* -- [.noloc]`Kubernetes` is a container orchestration tool. To use [.noloc]`Kubernetes`, you must first have your applications containerized. Depending on the type of application, this could be as a set of _microservices,_ as batch jobs or in other forms. Then, your applications can take advantage of a [.noloc]`Kubernetes` workflow that encompasses a huge ecosystem of tools, where containers can be stored as https://kubernetes.io/docs/concepts/containers/images/#multi-architecture-images-with-image-indexes[images in a container registry], deployed to a [.noloc]`Kubernetes` https://kubernetes.io/docs/concepts/architecture/[cluster], and run on an available https://kubernetes.io/docs/concepts/architecture/nodes/[node]. You can build and test individual containers on your local computer with [.noloc]`Docker` or another https://kubernetes.io/docs/setup/production-environment/container-runtimes/[container runtime], before deploying them to your [.noloc]`Kubernetes` cluster. +* *Containerized* -- [.noloc]`Kubernetes` is a container orchestration tool. To use [.noloc]`Kubernetes`, you must first have your applications containerized. Depending on the type of application, this could be as a set of _microservices,_ as batch jobs or in other forms. Then, your applications can take advantage of a [.noloc]`Kubernetes` workflow that encompasses a huge ecosystem of tools, where containers can be stored as https://kubernetes.io/docs/concepts/containers/images/#multi-architecture-images-with-image-indexes[images in a container registry], deployed to a [.noloc]`Kubernetes` https://kubernetes.io/docs/concepts/architecture/[cluster], and run on an available https://kubernetes.io/docs/concepts/architecture/nodes/[node]. You can build and test individual containers on your local computer with [.noloc]`Docker` or another https://kubernetes.io/docs/setup/production-environment/container-runtimes/[container runtime], before deploying them to your [.noloc]`Kubernetes` cluster. * *Scalable* -- If the demand for your applications exceeds the capacity of the running instances of those applications, [.noloc]`Kubernetes` is able to scale up. As needed, [.noloc]`Kubernetes` can tell if applications require more CPU or memory and respond by either automatically expanding available capacity or using more of existing capacity. Scaling can be done at the Pod level, if there is enough compute available to just run more instances of the application (https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/[horizontal Pod autoscaling]), or at the node level, if more nodes need to be brought up to handle the increased capacity (https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler[Cluster Autoscaler] or https://karpenter.sh/[Karpenter]). As capacity is no longer needed, these services can delete unnecessary Pods and shut down unneeded nodes. * *Available* -- If an application or node becomes unhealthy or unavailable, [.noloc]`Kubernetes` can move running workloads to another available node. You can force the issue by simply deleting a running instance of a workload or node that's running your workloads. The bottom line here is that workloads can be brought up in other locations if they can no longer run where they are. * *Declarative* -- [.noloc]`Kubernetes` uses active reconciliation to constantly check that the state that you declare for your cluster matches the actual state. By applying https://kubernetes.io/docs/concepts/overview/working-with-objects/[Kubernetes objects] to a cluster, typically through YAML-formatted configuration files, you can, for example, ask to start up the workloads you want to run on your cluster. You can later change the configurations to do something like use a later version of a container or allocate more memory. [.noloc]`Kubernetes` will do what it needs to do to establish the desired state. This can include bringing nodes up or down, stopping and restarting workloads, or pulling updated containers. @@ -161,7 +161,7 @@ For a more complete list of available Amazon EKS add-ons, see <>. [#containers] === Containers -The most basic element of an application workload that you deploy and manage in [.noloc]`Kubernetes` is a _https://kubernetes.io/docs/concepts/workloads/pods/[Pod]_. A Pod represents a way of holding the components of an application as well as defining specifications that describe the Pod's attributes. Contrast this to something like an RPM or Deb package, which packages together software for a Linux system, but does not itself run as an entity. +The most basic element of an application workload that you deploy and manage in [.noloc]`Kubernetes` is a _https://kubernetes.io/docs/concepts/workloads/pods/[Pod]_. A Pod represents a way of holding the components of an application as well as defining specifications that describe the Pod's attributes. Contrast this to something like an RPM or Deb package, which packages together software for a Linux system, but does not itself run as an entity. Because the Pod is the smallest deployable unit, it typically holds a single container. However, multiple containers can be in a Pod in cases where the containers are tightly coupled. For example, a web server container might be packaged in a Pod with a https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/[sidecar] type of container that may provide logging, monitoring, or other service that is closely tied to the web server container. In this case, being in the same Pod ensures that for each running instance of the Pod, both containers always run on the same node. Likewise, all containers in a Pod share the same environment, with the containers in a Pod running as though they are in the same isolated host. The effect of this is that the containers share a single IP address that provides access to the Pod and the containers can communicate with each other as though they were running on their own localhost. @@ -198,7 +198,7 @@ When running containerized workloads on Amazon Elastic Kubernetes Service (Amazo Because containers are built in a standard format, a container can run on any machine that can run a container runtime (such as [.noloc]`Docker`) and whose contents match the local machine's architecture (such as `x86_64` or `arm`). To test a container or just run it on your local desktop, you can use `docker run` or `podman run` commands to start up a container on the localhost. For [.noloc]`Kubernetes`, however, each worker node has a container runtime deployed and it is up to [.noloc]`Kubernetes` to request that a node run a container. -Once a container has been assigned to run on a node, the node looks to see if the requested version of the container image already exists on the node. If it doesn't, [.noloc]`Kubernetes` tells the container runtime to pull that container from the appropriate container registry, then run that container locally. Keep in mind that a _container image_ refers to the software package that is moved around between your laptop, the container registry, and [.noloc]`Kubernetes` nodes. A _container_ refers to a running instance of that image. +Once a container has been assigned to run on a node, the node looks to see if the requested version of the container image already exists on the node. If it doesn't, [.noloc]`Kubernetes` tells the container runtime to pull that container from the appropriate container registry, then run that container locally. Keep in mind that a _container image_ refers to the software package that is moved around between your laptop, the container registry, and [.noloc]`Kubernetes` nodes. A _container_ refers to a running instance of that image. [#pods] === Pods diff --git a/latest/ug/workloads/addon-compat.adoc b/latest/ug/workloads/addon-compat.adoc index 967d9f3aa..f317d447d 100644 --- a/latest/ug/workloads/addon-compat.adoc +++ b/latest/ug/workloads/addon-compat.adoc @@ -13,7 +13,7 @@ Learn how to verify the Amazon EKS add-on compatibility with your cluster before Before you create an Amazon EKS add-on you need to verify that the Amazon EKS add-on version is compatible with your cluster. -Use the link:eks/latest/APIReference/API_DescribeAddonVersions.html[describe-addon-verisions API,type="documentation"] to list the available versions of EKS add-ons, and which Kubernetes versions each addon version supports. +Use the link:eks/latest/APIReference/API_DescribeAddonVersions.html[describe-addon-verisions API,type="documentation"] to list the available versions of EKS add-ons, and which Kubernetes versions each addon version supports. . Verify the {aws} CLI is installed and working with `aws sts get-caller-identity`. If this command doesn't work, learn how to link:cli/latest/userguide/cli-chap-getting-started.html[Get started with the {aws} CLI.,type="documentation"] . Determine the name of the add-on you want to retrieve version compatibility information for, such as `amazon-cloudwatch-observability`. diff --git a/latest/ug/workloads/alb-ingress.adoc b/latest/ug/workloads/alb-ingress.adoc index bff2f4f6e..04ea9a585 100644 --- a/latest/ug/workloads/alb-ingress.adoc +++ b/latest/ug/workloads/alb-ingress.adoc @@ -183,7 +183,7 @@ curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-cont ---- kubectl apply -f 2048_full.yaml ---- -.. If you're deploying to [.noloc]`Pods` in a cluster that you created with the <>, complete the following steps. +.. If you're deploying to [.noloc]`Pods` in a cluster that you created with the <>, complete the following steps. + ... Download the manifest. + diff --git a/latest/ug/workloads/copy-image-to-repository.adoc b/latest/ug/workloads/copy-image-to-repository.adoc index e3e6c5d89..77d5f0c90 100644 --- a/latest/ug/workloads/copy-image-to-repository.adoc +++ b/latest/ug/workloads/copy-image-to-repository.adoc @@ -10,8 +10,8 @@ This topic describes how to pull a container image from a repository that your n * The [.noloc]`Docker` engine installed and configured on your computer. For instructions, see https://docs.docker.com/engine/install/[Install Docker Engine] in the [.noloc]`Docker` documentation. -* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. -* An interface VPC endpoint for Amazon ECR if you want your nodes to pull container images from or push container images to a private Amazon ECR repository over Amazon's network. For more information, see link:AmazonECR/latest/userguide/vpc-endpoints.html#ecr-setting-up-vpc-create[Create the VPC endpoints for Amazon ECR,type="documentation"] in the Amazon Elastic Container Registry User Guide. +* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. +* An interface VPC endpoint for Amazon ECR if you want your nodes to pull container images from or push container images to a private Amazon ECR repository over Amazon's network. For more information, see link:AmazonECR/latest/userguide/vpc-endpoints.html#ecr-setting-up-vpc-create[Create the VPC endpoints for Amazon ECR,type="documentation"] in the Amazon Elastic Container Registry User Guide. Complete the following steps to pull a container image from a repository and push it to your own repository. In the following examples that are provided in this topic, the image for the https://github.com/aws/amazon-vpc-cni-k8s/blob/master/cmd/cni-metrics-helper/README.md[Amazon VPC CNI plugin for Kubernetes metrics helper] is pulled. When you follow these steps, make sure to replace the [.replaceable]`example values` with your own values. @@ -39,7 +39,7 @@ You may see the following variations for an image location: ** Only `repository-name:tag`. In this case, `docker.io` is usually the registry, but not specified since [.noloc]`Kubernetes` prepends it to a repository name by default if no registry is specified. ** `repository-name/repository-namespace/repository:tag`. A repository namespace is optional, but is sometimes specified by the repository owner for categorizing images. For example, all https://gallery.ecr.aws/aws-ec2/[Amazon EC2 images in the Amazon ECR Public Gallery] use the `aws-ec2` namespace. + -Before installing an image with Helm, view the Helm `values.yaml` file to determine the image location. For example, the https://github.com/aws/amazon-vpc-cni-k8s/blob/master/charts/cni-metrics-helper/values.yaml#L5-L9[values.yaml] file for the https://github.com/aws/amazon-vpc-cni-k8s/blob/master/cmd/cni-metrics-helper/README.md[Amazon VPC CNI plugin for Kubernetes metrics helper] includes the following lines. +Before installing an image with Helm, view the Helm `values.yaml` file to determine the image location. For example, the https://github.com/aws/amazon-vpc-cni-k8s/blob/master/charts/cni-metrics-helper/values.yaml#L5-L9[values.yaml] file for the https://github.com/aws/amazon-vpc-cni-k8s/blob/master/cmd/cni-metrics-helper/README.md[Amazon VPC CNI plugin for Kubernetes metrics helper] includes the following lines. + [source,yaml,subs="verbatim,attributes"] ---- @@ -52,7 +52,7 @@ image: . Pull the container image specified in the manifest file. + [loweralpha] -.. If you're pulling from a public registry, such as the https://gallery.ecr.aws/[Amazon ECR Public Gallery], you can skip to the next sub-step, because authentication isn't required. In this example, you authenticate to an Amazon ECR private registry that contains the repository for the CNI metrics helper image. Amazon EKS maintains the image in each registry listed in <>. You can authenticate to any of the registries by replacing [.replaceable]`602401143452` and [.replaceable]`region-code` with the information for a different registry. A separate registry exists for each link:general/latest/gr/eks.html#eks_region[{aws} Region that Amazon EKS is supported in,type="documentation"]. +.. If you're pulling from a public registry, such as the https://gallery.ecr.aws/[Amazon ECR Public Gallery], you can skip to the next sub-step, because authentication isn't required. In this example, you authenticate to an Amazon ECR private registry that contains the repository for the CNI metrics helper image. Amazon EKS maintains the image in each registry listed in <>. You can authenticate to any of the registries by replacing [.replaceable]`602401143452` and [.replaceable]`region-code` with the information for a different registry. A separate registry exists for each link:general/latest/gr/eks.html#eks_region[{aws} Region that Amazon EKS is supported in,type="documentation"]. + [source,bash,subs="verbatim,attributes"] ---- @@ -70,7 +70,7 @@ docker pull 602401143452.dkr.ecr.region-code.amazonaws.com/cni-metrics-helper:v1 ---- docker tag cni-metrics-helper:v1.12.6 111122223333.dkr.ecr.region-code.amazonaws.com/cni-metrics-helper:v1.12.6 ---- -. Authenticate to your registry. In this example, you authenticate to the Amazon ECR private registry that you created in the first step. For more information, see link:AmazonECR/latest/userguide/Registries.html#registry_auth[Registry authentication,type="documentation"] in the Amazon Elastic Container Registry User Guide. +. Authenticate to your registry. In this example, you authenticate to the Amazon ECR private registry that you created in the first step. For more information, see link:AmazonECR/latest/userguide/Registries.html#registry_auth[Registry authentication,type="documentation"] in the Amazon Elastic Container Registry User Guide. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/workloads/creating-an-add-on.adoc b/latest/ug/workloads/creating-an-add-on.adoc index 2447e3887..d40f55982 100644 --- a/latest/ug/workloads/creating-an-add-on.adoc +++ b/latest/ug/workloads/creating-an-add-on.adoc @@ -96,7 +96,7 @@ If no output is returned, then the add-on is an Amazon EKS. If output is returne "ProductUrl": "https://aws.amazon.com/marketplace/pp?sku=3bda70bb-566f-4976-806c-f96faef18b26" ---- + -You can learn more about the add-on in the {aws} Marketplace with the returned URL. If the add-on requires a subscription, you can subscribe to the add-on through the {aws} Marketplace. If you're going to create an add-on from the {aws} Marketplace, then the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that you're using to create the add-on must have permission to create the link:license-manager/latest/userguide/license-manager-role-core.html[AWSServiceRoleForAWSLicenseManagerRole,type="documentation"] service-linked role. For more information about assigning permissions to an IAM entity, see link:IAM/latest/UserGuide/access_policies_manage-attach-detach.html[Adding and removing IAM identity permissions,type="documentation"] in the IAM User Guide. +You can learn more about the add-on in the {aws} Marketplace with the returned URL. If the add-on requires a subscription, you can subscribe to the add-on through the {aws} Marketplace. If you're going to create an add-on from the {aws} Marketplace, then the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that you're using to create the add-on must have permission to create the link:license-manager/latest/userguide/license-manager-role-core.html[AWSServiceRoleForAWSLicenseManagerRole,type="documentation"] service-linked role. For more information about assigning permissions to an IAM entity, see link:IAM/latest/UserGuide/access_policies_manage-attach-detach.html[Adding and removing IAM identity permissions,type="documentation"] in the IAM User Guide. . Create an Amazon EKS add-on. Copy the command and replace the [.replaceable]`user-data` as follows: + ** Replace [.replaceable]`my-cluster` with the name of your cluster. @@ -130,16 +130,16 @@ For more information about available options see https://eksctl.io/usage/addons/ . Choose the name of the cluster that you want to create the add-on for. . Choose the *Add-ons* tab. . Choose *Get more add-ons*. -. On the *Select add-ons* page, choose the add-ons that you want to add to your cluster. You can add as many *Amazon EKS add-ons* and *{aws} Marketplace add-ons* as you require. +. On the *Select add-ons* page, choose the add-ons that you want to add to your cluster. You can add as many *Amazon EKS add-ons* and *{aws} Marketplace add-ons* as you require. + -For *{aws} Marketplace* add-ons the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that you're using to create the add-on must have permissions to read entitlements for the add-on from the {aws} LicenseManager. {aws} LicenseManager requires link:license-manager/latest/userguide/license-manager-role-core.html[AWSServiceRoleForAWSLicenseManagerRole,type="documentation"] service-linked role (SLR) that allows {aws} resources to manage licenses on your behalf. The SLR is a one time requirement, per account, and you will not have to create separate SLR's for each add-on nor each cluster. For more information about assigning permissions to an link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] see link:IAM/latest/UserGuide/access_policies_manage-attach-detach.html[Adding and removing IAM identity permissions,type="documentation"] in the IAM User Guide. +For *{aws} Marketplace* add-ons the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that you're using to create the add-on must have permissions to read entitlements for the add-on from the {aws} LicenseManager. {aws} LicenseManager requires link:license-manager/latest/userguide/license-manager-role-core.html[AWSServiceRoleForAWSLicenseManagerRole,type="documentation"] service-linked role (SLR) that allows {aws} resources to manage licenses on your behalf. The SLR is a one time requirement, per account, and you will not have to create separate SLR's for each add-on nor each cluster. For more information about assigning permissions to an link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] see link:IAM/latest/UserGuide/access_policies_manage-attach-detach.html[Adding and removing IAM identity permissions,type="documentation"] in the IAM User Guide. + -If the *{aws} Marketplace add-ons* that you want to install aren't listed, you can click the page numbering to view additional page results or search in the search box. In the *Filtering options*, you can also filter by *category*, *vendor*, or *pricing model* and then choose the add-ons from the search results. Once you've selected the add-ons that you want to install, choose *Next*. +If the *{aws} Marketplace add-ons* that you want to install aren't listed, you can click the page numbering to view additional page results or search in the search box. In the *Filtering options*, you can also filter by *category*, *vendor*, or *pricing model* and then choose the add-ons from the search results. Once you've selected the add-ons that you want to install, choose *Next*. . On the *Configure selected add-ons settings* page, do the following: + -.. Choose *View subscription options* to open the *Subscription options* form. Review the *Pricing details* and *Legal* sections, then choose the *Subscribe* button to continue. -.. For *Version*, choose the version that you want to install. We recommend the version marked *latest*, unless the individual add-on that you're creating recommends a different version. To determine whether an add-on has a recommended version, see the documentation for the add-on that you're creating. For a list of add-ons, see <>. -.. You have two options for configuring roles for add-ons: EKS Pod Identities IAM role and IAM roles for service accounts (IRSA). Follow the appropriate step below for your preferred option. If all of the add-ons that you selected have *Requires subscription* under *Status*, choose *Next*. You can't <> further until you've subscribed to them after your cluster is created. For the add-ons that don't have *Requires subscription* under *Status*, do the following: +.. Choose *View subscription options* to open the *Subscription options* form. Review the *Pricing details* and *Legal* sections, then choose the *Subscribe* button to continue. +.. For *Version*, choose the version that you want to install. We recommend the version marked *latest*, unless the individual add-on that you're creating recommends a different version. To determine whether an add-on has a recommended version, see the documentation for the add-on that you're creating. For a list of add-ons, see <>. +.. You have two options for configuring roles for add-ons: EKS Pod Identities IAM role and IAM roles for service accounts (IRSA). Follow the appropriate step below for your preferred option. If all of the add-ons that you selected have *Requires subscription* under *Status*, choose *Next*. You can't <> further until you've subscribed to them after your cluster is created. For the add-ons that don't have *Requires subscription* under *Status*, do the following: + ... For *Pod Identity IAM role for service account*, you can either use an existing EKS Pod Identity IAM role or create one using the *Create Recommended Role* button. This field will only provide options with the appropriate trust policy. If there's no role to select, then you don't have an existing role with a matching trust policy. To configure an EKS Pod Identity IAM role for service accounts of the selected add-on, choose *Create recommended role*. The role creation wizard opens in a separate window. The wizard will automatically populate the role information as follows. For each add-on where you want to create the EKS Pod Identity IAM role, complete the steps in the IAM wizard as follows. * On the *Select trusted entity* step, the {aws} service option for *EKS* and the use case for *EKS - Pod Identity* are preselected, and the appropriate trust policy will be automatically populated for the add-on. For example, the role will be created with the appropriate trust policy containing the pods.eks.amazonaws.com IAM Principal as detailed in <>. Choose *Next*. @@ -149,23 +149,23 @@ If the *{aws} Marketplace add-ons* that you want to install aren't listed, you c NOTE: Retaining the default role name enables EKS to pre-select the role for add-ons in new clusters or when adding add-ons to existing clusters. You can still override this name and the role will be available for the add-on across your clusters, but the role will need to be manually selected from the drop down. -... For add-ons that do not have *Requires subscription* under *Status* and where you want to configure roles using IRSA, see the documentation for the add-on that you're creating to create an IAM policy and attach it to a role. For a list of add-ons, see <>. Selecting an IAM role requires that you have an IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you have one for your cluster, or to create one, see <>. +... For add-ons that do not have *Requires subscription* under *Status* and where you want to configure roles using IRSA, see the documentation for the add-on that you're creating to create an IAM policy and attach it to a role. For a list of add-ons, see <>. Selecting an IAM role requires that you have an IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you have one for your cluster, or to create one, see <>. ... Choose *Optional configuration settings*. ... If the add-on requires configuration, enter it in the *Configuration values* box. To determine whether the add-on requires configuration information, see the documentation for the add-on that you're creating. For a list of add-ons, see <>. -... Choose one of the available options for *Conflict resolution method*. If you choose *Override* for the *Conflict resolution method*, one or more of the settings for the existing add-on can be overwritten with the Amazon EKS add-on settings. If you don't enable this option and there's a conflict with your existing settings, the operation fails. You can use the resulting error message to troubleshoot the conflict. Before choosing this option, make sure that the Amazon EKS add-on doesn't manage settings that you need to self-manage. +... Choose one of the available options for *Conflict resolution method*. If you choose *Override* for the *Conflict resolution method*, one or more of the settings for the existing add-on can be overwritten with the Amazon EKS add-on settings. If you don't enable this option and there's a conflict with your existing settings, the operation fails. You can use the resulting error message to troubleshoot the conflict. Before choosing this option, make sure that the Amazon EKS add-on doesn't manage settings that you need to self-manage. ... Choose *Next*. -. On the *Review and add* page, choose *Create*. After the add-on installation is complete, you see your installed add-ons. +. On the *Review and add* page, choose *Create*. After the add-on installation is complete, you see your installed add-ons. . If any of the add-ons that you installed require a subscription, complete the following steps: + -.. Choose the *Subscribe* button in the lower right corner for the add-on. You're taken to the page for the add-on in the {aws} Marketplace. Read the information about the add-on such as its *Product Overview* and *Pricing Information*. +.. Choose the *Subscribe* button in the lower right corner for the add-on. You're taken to the page for the add-on in the {aws} Marketplace. Read the information about the add-on such as its *Product Overview* and *Pricing Information*. .. Select the *Continue to Subscribe* button on the top right of the add-on page. -.. Read through the *Terms and Conditions*. If you agree to them, choose *Accept Terms*. It may take several minutes to process the subscription. While the subscription is processing, the *Return to Amazon EKS Console* button is grayed out. -.. Once the subscription has finished processing, the *Return to Amazon EKS Console* button is no longer grayed out. Choose the button to go back to the Amazon EKS console *Add-ons* tab for your cluster. -.. For the add-on that you subscribed to, choose *Remove and reinstall* and then choose *Reinstall add-on*. Installation of the add-on can take several minutes. When Installation is complete, you can configure the add-on. +.. Read through the *Terms and Conditions*. If you agree to them, choose *Accept Terms*. It may take several minutes to process the subscription. While the subscription is processing, the *Return to Amazon EKS Console* button is grayed out. +.. Once the subscription has finished processing, the *Return to Amazon EKS Console* button is no longer grayed out. Choose the button to go back to the Amazon EKS console *Add-ons* tab for your cluster. +.. For the add-on that you subscribed to, choose *Remove and reinstall* and then choose *Reinstall add-on*. Installation of the add-on can take several minutes. When Installation is complete, you can configure the add-on. == Create add-on ({aws} CLI) -. You need version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. +. You need version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. + . Determine which add-ons are available. You can see all available add-ons, their type, and their publisher. You can also see the URL for add-ons that are available through the {aws} Marketplace. Replace [.replaceable]`{k8s-n}` with the version of your cluster. + diff --git a/latest/ug/workloads/eks-add-ons.adoc b/latest/ug/workloads/eks-add-ons.adoc index b29fe6f4f..518855811 100644 --- a/latest/ug/workloads/eks-add-ons.adoc +++ b/latest/ug/workloads/eks-add-ons.adoc @@ -28,7 +28,7 @@ Consider the following when you use Amazon EKS add-ons: -* To configure add-ons for the cluster your link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] must have IAM permissions to work with add-ons. For more information, see the actions with `Addon` in their name in link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"]. +* To configure add-ons for the cluster your link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] must have IAM permissions to work with add-ons. For more information, see the actions with `Addon` in their name in link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"]. * Amazon EKS add-ons run on the nodes that you provision or configure for your cluster. Node types include Amazon EC2 instances, Fargate, and hybrid nodes. * You can modify fields that aren't managed by Amazon EKS to customize the installation of an Amazon EKS add-on. For more information, see <>. * If you create a cluster with the {aws-management-console}, the Amazon EKS `kube-proxy`, [.noloc]`Amazon VPC CNI plugin for Kubernetes`, and [.noloc]`CoreDNS` Amazon EKS add-ons are automatically added to your cluster. If you use `eksctl` to create your cluster with a `config` file, `eksctl` can also create the cluster with Amazon EKS add-ons. If you create your cluster using `eksctl` without a `config` file or with any other tool, the self-managed `kube-proxy`, [.noloc]`Amazon VPC CNI plugin for Kubernetes`, and [.noloc]`CoreDNS` add-ons are installed, rather than the Amazon EKS add-ons. You can either manage them yourself or add the Amazon EKS add-ons manually after cluster creation. Regardless of the method that you use to create your cluster, the VPC CNI add-on doesn't install on hybrid nodes. diff --git a/latest/ug/workloads/eks-workloads.adoc b/latest/ug/workloads/eks-workloads.adoc index 4127acdf7..312b6d82d 100644 --- a/latest/ug/workloads/eks-workloads.adoc +++ b/latest/ug/workloads/eks-workloads.adoc @@ -19,9 +19,9 @@ Your workloads are deployed in containers, which are deployed in [.noloc]`Pods` * <> running on each of your clusters using the {aws-management-console}. * Vertically scale [.noloc]`Pods` up or down with the [.noloc]`Kubernetes` <>. * Horizontally scale the number of [.noloc]`Pods` needed to meet demand up or down with the [.noloc]`Kubernetes` <>. -* Create an external (for internet-accessible [.noloc]`Pods`) or an internal (for private [.noloc]`Pods`) <> to balance network traffic across [.noloc]`Pods`. The load balancer routes traffic at Layer 4 of the OSI model. +* Create an external (for internet-accessible [.noloc]`Pods`) or an internal (for private [.noloc]`Pods`) <> to balance network traffic across [.noloc]`Pods`. The load balancer routes traffic at Layer 4 of the OSI model. * Create an <> to balance application traffic across [.noloc]`Pods`. The application load balancer routes traffic at Layer 7 of the OSI model. -* If you're new to [.noloc]`Kubernetes`, this topic helps you <>. +* If you're new to [.noloc]`Kubernetes`, this topic helps you <>. * You can <> with `externalIPs`. diff --git a/latest/ug/workloads/network-load-balancing.adoc b/latest/ug/workloads/network-load-balancing.adoc index 62ffafa06..16020d201 100644 --- a/latest/ug/workloads/network-load-balancing.adoc +++ b/latest/ug/workloads/network-load-balancing.adoc @@ -25,7 +25,7 @@ When you create a [.noloc]`Kubernetes` `Service` of type `LoadBalancer`, the {aw We recommend that you use version `2.7.2` or later of the <> instead of the {aws} cloud provider load balancer controller. The [.noloc]`{aws} Load Balancer Controller` creates {aws} Network Load Balancers, but doesn't create {aws} Classic Load Balancers. The remainder of this topic is about using the {aws} Load Balancer Controller. -An {aws} Network Load Balancer can load balance network traffic to [.noloc]`Pods` deployed to Amazon EC2 IP and instance link:elasticloadbalancing/latest/network/load-balancer-target-groups.html#target-type[targets,type="documentation"], to {aws} Fargate IP targets, or to Amazon EKS Hybrid Nodes as IP targets. For more information, see https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/targetgroupbinding/targetgroupbinding/#targettype[{aws} Load Balancer Controller] on [.noloc]`GitHub`. +An {aws} Network Load Balancer can load balance network traffic to [.noloc]`Pods` deployed to Amazon EC2 IP and instance link:elasticloadbalancing/latest/network/load-balancer-target-groups.html#target-type[targets,type="documentation"], to {aws} Fargate IP targets, or to Amazon EKS Hybrid Nodes as IP targets. For more information, see https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/targetgroupbinding/targetgroupbinding/#targettype[{aws} Load Balancer Controller] on [.noloc]`GitHub`. == Prerequisites @@ -63,7 +63,7 @@ If the subnet role tags aren't explicitly added, the [.noloc]`Kubernetes` servic == Considerations * The configuration of your load balancer is controlled by annotations that are added to the manifest for your service. Service annotations are different when using the [.noloc]`{aws} Load Balancer Controller` than they are when using the {aws} cloud provider load balancer controller. Make sure to review the https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/[annotations] for the [.noloc]`{aws} Load Balancer Controller` before deploying services. -* When using the <>, the [.noloc]`{aws} Load Balancer Controller` can load balance to Amazon EC2 IP or instance targets and Fargate IP targets. When using <>, the controller can only load balance to instance targets, unless you are load balancing to Amazon EKS Hybrid Nodes. For hybrid nodes, the controller can load balance IP targets. For more information about Network Load Balancer target types, see link:elasticloadbalancing/latest/network/load-balancer-target-groups.html#target-type[Target type,type="documentation"] in the User Guide for Network Load Balancers +* When using the <>, the [.noloc]`{aws} Load Balancer Controller` can load balance to Amazon EC2 IP or instance targets and Fargate IP targets. When using <>, the controller can only load balance to instance targets, unless you are load balancing to Amazon EKS Hybrid Nodes. For hybrid nodes, the controller can load balance IP targets. For more information about Network Load Balancer target types, see link:elasticloadbalancing/latest/network/load-balancer-target-groups.html#target-type[Target type,type="documentation"] in the User Guide for Network Load Balancers * If you want to add tags to the load balancer when or after it's created, add the following annotation in your service specification. For more information, see https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/#aws-resource-tags[{aws} Resource Tags] in the [.noloc]`{aws} Load Balancer Controller` documentation. + [source,bash,subs="verbatim,attributes"] @@ -76,7 +76,7 @@ service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags ---- service.beta.kubernetes.io/aws-load-balancer-eip-allocations: eipalloc-xxxxxxxxxxxxxxxxx,eipalloc-yyyyyyyyyyyyyyyyy ---- -* Amazon EKS adds one inbound rule to the node's security group for client traffic and one rule for each load balancer subnet in the VPC for health checks for each Network Load Balancer that you create. Deployment of a service of type `LoadBalancer` can fail if Amazon EKS attempts to create rules that exceed the quota for the maximum number of rules allowed for a security group. For more information, see link:vpc/latest/userguide/amazon-vpc-limits.html#vpc-limits-security-groups[Security groups,type="documentation"] in Amazon VPC quotas in the Amazon VPC User Guide. Consider the following options to minimize the chances of exceeding the maximum number of rules for a security group: +* Amazon EKS adds one inbound rule to the node's security group for client traffic and one rule for each load balancer subnet in the VPC for health checks for each Network Load Balancer that you create. Deployment of a service of type `LoadBalancer` can fail if Amazon EKS attempts to create rules that exceed the quota for the maximum number of rules allowed for a security group. For more information, see link:vpc/latest/userguide/amazon-vpc-limits.html#vpc-limits-security-groups[Security groups,type="documentation"] in Amazon VPC quotas in the Amazon VPC User Guide. Consider the following options to minimize the chances of exceeding the maximum number of rules for a security group: + ** Request an increase in your rules per security group quota. For more information, see link:servicequotas/latest/userguide/request-quota-increase.html[Requesting a quota increase,type="documentation"] in the Service Quotas User Guide. ** Use IP targets, rather than instance targets. With IP targets, you can share rules for the same target ports. You can manually specify load balancer subnets with an annotation. For more information, see https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/[Annotations] on [.noloc]`GitHub`. @@ -95,7 +95,7 @@ You can create a network load balancer with IP or instance targets. * You can use IP targets with [.noloc]`Pods` deployed to Amazon EC2 nodes, Fargate, or Amazon EKS Hybrid Nodes. Your [.noloc]`Kubernetes` service must be created as type `LoadBalancer`. For more information, see https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer[Type LoadBalancer] in the [.noloc]`Kubernetes` documentation. + -To create a load balancer that uses IP targets, add the following annotations to a service manifest and deploy your service. The `external` value for `aws-load-balancer-type` is what causes the [.noloc]`{aws} Load Balancer Controller`, rather than the {aws} cloud provider load balancer controller, to create the Network Load Balancer. You can view a <> with the annotations. +To create a load balancer that uses IP targets, add the following annotations to a service manifest and deploy your service. The `external` value for `aws-load-balancer-type` is what causes the [.noloc]`{aws} Load Balancer Controller`, rather than the {aws} cloud provider load balancer controller, to create the Network Load Balancer. You can view a <> with the annotations. + [source,bash,subs="verbatim,attributes"] ---- @@ -251,8 +251,8 @@ sample-service LoadBalancer 10.100.240.137 k8s-nlbsampl-nlbsampl-xxxxxxxxxx ---- + NOTE: The values for [.replaceable]`10.100.240.137` and [.replaceable]`xxxxxxxxxx`-[.replaceable]`xxxxxxxxxxxxxxxx` will be different than the example output (they will be unique to your load balancer) and [.replaceable]`us-west-2` may be different for you, depending on which {aws} Region that your cluster is in. -. Open the link:ec2[Amazon EC2 {aws-management-console},type="console"]. Select *Target Groups* (under *Load Balancing*) in the left navigation pane. In the *Name* column, select the target group's name where the value in the *Load balancer* column matches a portion of the name in the `EXTERNAL-IP` column of the output in the previous step. For example, you'd select the target group named `k8s-default-samplese-[.replaceable]``xxxxxxxxxx``` if your output were the same as the previous output. The *Target type* is `IP` because that was specified in the sample service manifest. -. Select the *Target group* and then select the *Targets* tab. Under *Registered targets*, you should see three IP addresses of the three replicas deployed in a previous step. Wait until the status of all targets is *healthy* before continuing. It might take several minutes before all targets are `healthy`. The targets might be in an `unhealthy` state before changing to a `healthy` state. +. Open the link:ec2[Amazon EC2 {aws-management-console},type="console"]. Select *Target Groups* (under *Load Balancing*) in the left navigation pane. In the *Name* column, select the target group's name where the value in the *Load balancer* column matches a portion of the name in the `EXTERNAL-IP` column of the output in the previous step. For example, you'd select the target group named `k8s-default-samplese-[.replaceable]``xxxxxxxxxx``` if your output were the same as the previous output. The *Target type* is `IP` because that was specified in the sample service manifest. +. Select the *Target group* and then select the *Targets* tab. Under *Registered targets*, you should see three IP addresses of the three replicas deployed in a previous step. Wait until the status of all targets is *healthy* before continuing. It might take several minutes before all targets are `healthy`. The targets might be in an `unhealthy` state before changing to a `healthy` state. . Send traffic to the service replacing [.replaceable]`xxxxxxxxxx-xxxxxxxxxxxxxxxx` and [.replaceable]`us-west-2` with the values returned in the output for a <> for `EXTERNAL-IP`. If you deployed to a private subnet, then you'll need to view the page from a device within your VPC, such as a bastion host. For more information, see link:quickstart/architecture/linux-bastion/[Linux Bastion Hosts on {aws},type="marketing"]. + [source,bash,subs="verbatim,attributes"] diff --git a/latest/ug/workloads/sample-deployment-windows.adoc b/latest/ug/workloads/sample-deployment-windows.adoc index ffe724281..93a332b7d 100644 --- a/latest/ug/workloads/sample-deployment-windows.adoc +++ b/latest/ug/workloads/sample-deployment-windows.adoc @@ -9,7 +9,7 @@ In this topic, you deploy a sample application to your cluster on Windows nodes. == Prerequisites -* An existing [.noloc]`Kubernetes` cluster with at least one node. If you don't have an existing Amazon EKS cluster, you can deploy one using one of the guides in <>. You must have <> enabled for your cluster and at least one Amazon EC2 [.noloc]`Windows` node. +* An existing [.noloc]`Kubernetes` cluster with at least one node. If you don't have an existing Amazon EKS cluster, you can deploy one using one of the guides in <>. You must have <> enabled for your cluster and at least one Amazon EC2 [.noloc]`Windows` node. * `Kubectl` installed on your computer. For more information, see <>. * `Kubectl` configured to communicate with your cluster. For more information, see <>. * If you plan to deploy your sample workload to Fargate, then you must have an existing <> that includes the same namespace created in this tutorial, which is `eks-sample-app`, unless you change the name. If you created a cluster with one of the gudes in <>, then you'll have to create a new profile, or add the namespace to your existing profile, because the profile created in the getting started guides doesn't specify the namespace used in this tutorial. Your VPC must also have at least one private subnet. @@ -18,7 +18,7 @@ Though many variables are changeable in the following steps, we recommend only c == Create a namespace -A namespace allows you to group resources in [.noloc]`Kubernetes`. For more information, see https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/[Namespaces] in the [.noloc]`Kubernetes` documentation. If you plan to deploy your sample application to <>, make sure that the value for `namespace` in your <> is `eks-sample-app`. +A namespace allows you to group resources in [.noloc]`Kubernetes`. For more information, see https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/[Namespaces] in the [.noloc]`Kubernetes` documentation. If you plan to deploy your sample application to <>, make sure that the value for `namespace` in your <> is `eks-sample-app`. [source,bash,subs="verbatim,attributes"] ---- @@ -87,7 +87,7 @@ kubectl apply -f eks-sample-deployment.yaml A service allows you to access all replicas through a single IP address or name. For more information, see https://kubernetes.io/docs/concepts/services-networking/service/[Service] in the [.noloc]`Kubernetes` documentation. Though not implemented in the sample application, if you have applications that need to interact with other {aws} services, we recommend that you create [.noloc]`Kubernetes` service accounts for your [.noloc]`Pods`, and associate them to {aws} IAM accounts. By specifying service accounts, your [.noloc]`Pods` have only the minimum permissions that you specify for them to interact with other services. For more information, see <>. -. Save the following contents to a file named `eks-sample-service.yaml`. [.noloc]`Kubernetes` assigns the service its own IP address that is accessible only from within the cluster. To access the service from outside of your cluster, deploy the <> to load balance <> or <> traffic to the service. +. Save the following contents to a file named `eks-sample-service.yaml`. [.noloc]`Kubernetes` assigns the service its own IP address that is accessible only from within the cluster. To access the service from outside of your cluster, deploy the <> to load balance <> or <> traffic to the service. + [source,yaml,subs="verbatim,attributes"] ---- @@ -144,7 +144,7 @@ replicaset.apps/eks-sample-windows-deployment-776d8f8fd8 3 3 + In the output, you see the service and deployment that were specified in the sample manifests deployed in previous steps. You also see three [.noloc]`Pods`. This is because `3` `replicas` were specified in the sample manifest. For more information about [.noloc]`Pods`, see https://kubernetes.io/docs/concepts/workloads/pods/pod/[Pods] in the [.noloc]`Kubernetes` documentation. [.noloc]`Kubernetes` automatically creates the `replicaset` resource, even though it isn't specified in the sample manifests. For more information about `ReplicaSets`, see https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/[ReplicaSet] in the [.noloc]`Kubernetes` documentation. + -NOTE: [.noloc]`Kubernetes` maintains the number of replicas that are specified in the manifest. If this were a production deployment and you wanted [.noloc]`Kubernetes` to horizontally scale the number of replicas or vertically scale the compute resources for the [.noloc]`Pods`, use the <> and the <> to do so. +NOTE: [.noloc]`Kubernetes` maintains the number of replicas that are specified in the manifest. If this were a production deployment and you wanted [.noloc]`Kubernetes` to horizontally scale the number of replicas or vertically scale the compute resources for the [.noloc]`Pods`, use the <> and the <> to do so. . View the details of the deployed service. + [source,bash,subs="verbatim,attributes"] @@ -173,7 +173,7 @@ Events: ---- + In the previous output, the value for `IP:` is a unique IP address that can be reached from any node or [.noloc]`Pod` within the cluster, but it can't be reached from outside of the cluster. The values for `Endpoints` are IP addresses assigned from within your VPC to the [.noloc]`Pods` that are part of the service. -. View the details of one of the [.noloc]`Pods` listed in the output when you <> in a previous step. Replace [.replaceable]`776d8f8fd8-78w66` with the value returned for one of your [.noloc]`Pods`. +. View the details of one of the [.noloc]`Pods` listed in the output when you <> in a previous step. Replace [.replaceable]`776d8f8fd8-78w66` with the value returned for one of your [.noloc]`Pods`. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/workloads/sample-deployment.adoc b/latest/ug/workloads/sample-deployment.adoc index b518c43a5..4b9b16a0d 100644 --- a/latest/ug/workloads/sample-deployment.adoc +++ b/latest/ug/workloads/sample-deployment.adoc @@ -18,7 +18,7 @@ Though many variables are changeable in the following steps, we recommend only c == Create a namespace -A namespace allows you to group resources in [.noloc]`Kubernetes`. For more information, see https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/[Namespaces] in the [.noloc]`Kubernetes` documentation. If you plan to deploy your sample application to <>, make sure that the value for `namespace` in your <> is `eks-sample-app`. +A namespace allows you to group resources in [.noloc]`Kubernetes`. For more information, see https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/[Namespaces] in the [.noloc]`Kubernetes` documentation. If you plan to deploy your sample application to <>, make sure that the value for `namespace` in your <> is `eks-sample-app`. [source,bash,subs="verbatim,attributes"] ---- @@ -85,7 +85,7 @@ kubectl apply -f eks-sample-deployment.yaml A service allows you to access all replicas through a single IP address or name. For more information, see https://kubernetes.io/docs/concepts/services-networking/service/[Service] in the [.noloc]`Kubernetes` documentation. Though not implemented in the sample application, if you have applications that need to interact with other {aws} services, we recommend that you create [.noloc]`Kubernetes` service accounts for your [.noloc]`Pods`, and associate them to {aws} IAM accounts. By specifying service accounts, your [.noloc]`Pods` have only the minimum permissions that you specify for them to interact with other services. For more information, see <>. -. Save the following contents to a file named `eks-sample-service.yaml`. [.noloc]`Kubernetes` assigns the service its own IP address that is accessible only from within the cluster. To access the service from outside of your cluster, deploy the <> to load balance <> or <> traffic to the service. +. Save the following contents to a file named `eks-sample-service.yaml`. [.noloc]`Kubernetes` assigns the service its own IP address that is accessible only from within the cluster. To access the service from outside of your cluster, deploy the <> to load balance <> or <> traffic to the service. + [source,yaml,subs="verbatim,attributes"] ---- @@ -142,7 +142,7 @@ replicaset.apps/eks-sample-linux-deployment-776d8f8fd8 3 3 3 + In the output, you see the service and deployment that were specified in the sample manifests deployed in previous steps. You also see three [.noloc]`Pods`. This is because `3` `replicas` were specified in the sample manifest. For more information about [.noloc]`Pods`, see https://kubernetes.io/docs/concepts/workloads/pods/pod/[Pods] in the [.noloc]`Kubernetes` documentation. [.noloc]`Kubernetes` automatically creates the `replicaset` resource, even though it isn't specified in the sample manifests. For more information about `ReplicaSets`, see https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/[ReplicaSet] in the [.noloc]`Kubernetes` documentation. + -NOTE: [.noloc]`Kubernetes` maintains the number of replicas that are specified in the manifest. If this were a production deployment and you wanted [.noloc]`Kubernetes` to horizontally scale the number of replicas or vertically scale the compute resources for the [.noloc]`Pods`, use the <> and the <> to do so. +NOTE: [.noloc]`Kubernetes` maintains the number of replicas that are specified in the manifest. If this were a production deployment and you wanted [.noloc]`Kubernetes` to horizontally scale the number of replicas or vertically scale the compute resources for the [.noloc]`Pods`, use the <> and the <> to do so. . View the details of the deployed service. + [source,bash,subs="verbatim,attributes"] @@ -171,7 +171,7 @@ Events: ---- + In the previous output, the value for `IP:` is a unique IP address that can be reached from any node or [.noloc]`Pod` within the cluster, but it can't be reached from outside of the cluster. The values for `Endpoints` are IP addresses assigned from within your VPC to the [.noloc]`Pods` that are part of the service. -. View the details of one of the [.noloc]`Pods` listed in the output when you <> in a previous step. Replace [.replaceable]`776d8f8fd8-78w66` with the value returned for one of your [.noloc]`Pods`. +. View the details of one of the [.noloc]`Pods` listed in the output when you <> in a previous step. Replace [.replaceable]`776d8f8fd8-78w66` with the value returned for one of your [.noloc]`Pods`. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/workloads/updating-an-add-on.adoc b/latest/ug/workloads/updating-an-add-on.adoc index 2baadb6be..284f995ea 100644 --- a/latest/ug/workloads/updating-an-add-on.adoc +++ b/latest/ug/workloads/updating-an-add-on.adoc @@ -100,7 +100,7 @@ For more information about updating add-ons, see https://eksctl.io/usage/addons/ . On the *Configure [.replaceable]`name of addon`* page, do the following: + .. Choose the *Version* that you'd like to use. The add-on might have a recommended version. For more information, see the documentation for the add-on that you're updating. For a list of add-ons, see <>. -.. You have two options for configuring roles for add-ons: EKS Pod Identities IAM role and IAM roles for service accounts (IRSA). Follow the appropriate step below for your preferred option. If all of the add-ons that you selected have *Requires subscription* under *Status*, choose *Next*. For the add-ons that don't have *Requires subscription* under *Status*, do the following: +.. You have two options for configuring roles for add-ons: EKS Pod Identities IAM role and IAM roles for service accounts (IRSA). Follow the appropriate step below for your preferred option. If all of the add-ons that you selected have *Requires subscription* under *Status*, choose *Next*. For the add-ons that don't have *Requires subscription* under *Status*, do the following: + ... For *Pod Identity IAM role for service account*, you can either use an existing EKS Pod Identity IAM role or create one using the *Create Recommended Role* button. This field will only provide options with the appropriate trust policy. If there's no role to select, then you don't have an existing role with a matching trust policy. To configure an EKS Pod Identity IAM role for service accounts of the selected add-on, choose *Create recommended role*. The role creation wizard opens in a separate window. The wizard will automatically populate the role information as follows. For each add-on where you want to create the EKS Pod Identity IAM role, complete the steps in the IAM wizard as follows. * On the *Select trusted entity* step, the {aws} service option for *EKS* and the use case for *EKS - Pod Identity* are preselected, and the appropriate trust policy will be automatically populated for the add-on. For example, the role will be created with the appropriate trust policy containing the pods.eks.amazonaws.com IAM Principal as detailed in <>. Choose *Next*. @@ -109,14 +109,14 @@ For more information about updating add-ons, see https://eksctl.io/usage/addons/ + NOTE: Retaining the default role name enables EKS to pre-select the role for add-ons in new clusters or when adding add-ons to existing clusters. You can still override this name and the role will be available for the add-on across your clusters, but the role will need to be manually selected from the drop down. -... For add-ons that do not have *Requires subscription* under *Status* and where you want to configure roles using IRSA, see the documentation for the add-on that you're creating to create an IAM policy and attach it to a role. For a list of add-ons, see <>. Selecting an IAM role requires that you have an IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you have one for your cluster, or to create one, see <>. +... For add-ons that do not have *Requires subscription* under *Status* and where you want to configure roles using IRSA, see the documentation for the add-on that you're creating to create an IAM policy and attach it to a role. For a list of add-ons, see <>. Selecting an IAM role requires that you have an IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you have one for your cluster, or to create one, see <>. .. Expand the *Optional configuration settings*. -.. In *Configuration values*, enter any add-on specific configuration information. For more information, see the documentation for the add-on that you're updating. For a list of add-ons, see <>... For *Conflict resolution method*, select one of the options. If you have set custom values for add-on settings, we recommend the *Preserve* option. If you don't choose this option, Amazon EKS overwrites your values with its default values. If you use this option, then we recommend that you test any field and value changes on a non-production cluster before updating the add-on on your production cluster. If you change this value to overwrite, all settings are changed to Amazon EKS default values. If you've set custom values for any settings, they might be overwritten with Amazon EKS default values. If you change this value to none, Amazon EKS doesn't change the value of any settings, but the update might fail. If the update fails, you receive an error message to help you resolve the conflict. +.. In *Configuration values*, enter any add-on specific configuration information. For more information, see the documentation for the add-on that you're updating. For a list of add-ons, see <>... For *Conflict resolution method*, select one of the options. If you have set custom values for add-on settings, we recommend the *Preserve* option. If you don't choose this option, Amazon EKS overwrites your values with its default values. If you use this option, then we recommend that you test any field and value changes on a non-production cluster before updating the add-on on your production cluster. If you change this value to overwrite, all settings are changed to Amazon EKS default values. If you've set custom values for any settings, they might be overwritten with Amazon EKS default values. If you change this value to none, Amazon EKS doesn't change the value of any settings, but the update might fail. If the update fails, you receive an error message to help you resolve the conflict. . Choose *Save changes*. == Update add-on ({aws} CLI) -. You need version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. +. You need version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. + . See a list of installed add-ons. Replace [.replaceable]`my-cluster` with the name of your cluster. + diff --git a/latest/ug/workloads/workloads-add-ons-available-eks.adoc b/latest/ug/workloads/workloads-add-ons-available-eks.adoc index 981bc5547..14c5aeda8 100644 --- a/latest/ug/workloads/workloads-add-ons-available-eks.adoc +++ b/latest/ug/workloads/workloads-add-ons-available-eks.adoc @@ -105,7 +105,7 @@ The Amazon EKS add-on name is `vpc-cni`. This add-on uses the IAM roles for service accounts capability of Amazon EKS. For more information, see <>. -If your cluster uses the `IPv4` family, the permissions in the link:aws-managed-policy/latest/reference/AmazonEKS_CNI_Policy.html[AmazonEKS_CNI_Policy,type="documentation"] are required. If your cluster uses the `IPv6` family, you must link:IAM/latest/UserGuide/access_policies_create.html[create an IAM policy,type="documentation"] with the permissions in https://github.com/aws/amazon-vpc-cni-k8s/blob/master/docs/iam-policy.md#ipv6-mode[IPv6 mode]. You can create an IAM role, attach one of the policies to it, and annotate the [.noloc]`Kubernetes` service account used by the add-on with the following command. +If your cluster uses the `IPv4` family, the permissions in the link:aws-managed-policy/latest/reference/AmazonEKS_CNI_Policy.html[AmazonEKS_CNI_Policy,type="documentation"] are required. If your cluster uses the `IPv6` family, you must link:IAM/latest/UserGuide/access_policies_create.html[create an IAM policy,type="documentation"] with the permissions in https://github.com/aws/amazon-vpc-cni-k8s/blob/master/docs/iam-policy.md#ipv6-mode[IPv6 mode]. You can create an IAM role, attach one of the policies to it, and annotate the [.noloc]`Kubernetes` service account used by the add-on with the following command. Replace [.replaceable]`my-cluster` with the name of your cluster and [.replaceable]`AmazonEKSVPCCNIRole` with the name for your role. If your cluster uses the `IPv6` family, then replace [.replaceable]`AmazonEKS_CNI_Policy` with the name of the policy that you created. This command requires that you have https://eksctl.io[eksctl] installed on your device. If you need to use a different tool to create the role, attach the policy to it, and annotate the [.noloc]`Kubernetes` service account, see <>. @@ -430,7 +430,7 @@ ADOT requires that `cert-manager` is deployed on the cluster as a prerequisite, Learn about the Amazon GuardDuty agent Amazon EKS add-on. -- -The Amazon GuardDuty agent Amazon EKS add-on is a security monitoring service that analyzes and processes link:guardduty/latest/ug/guardduty_data-sources.html[foundational data sources,type="documentation"] including {aws} CloudTrail management events and Amazon VPC flow logs. Amazon GuardDuty also processes link:guardduty/latest/ug/guardduty-features-activation-model.html[features,type="documentation"], such as [.noloc]`Kubernetes` audit logs and runtime monitoring. +The Amazon GuardDuty agent Amazon EKS add-on is a security monitoring service that analyzes and processes link:guardduty/latest/ug/guardduty_data-sources.html[foundational data sources,type="documentation"] including {aws} CloudTrail management events and Amazon VPC flow logs. Amazon GuardDuty also processes link:guardduty/latest/ug/guardduty-features-activation-model.html[features,type="documentation"], such as [.noloc]`Kubernetes` audit logs and runtime monitoring. The Amazon EKS add-on name is `aws-guardduty-agent`. @@ -505,7 +505,7 @@ The Amazon EKS add-on name is `eks-pod-identity-agent`. [#add-ons-pod-id-iam-permissions] === Required IAM permissions -This add-on users permissions from the <>. +This add-on users permissions from the <>. [#add-ons-pod-id-update-information] === Update information From 5d411bd045a9a1938d58e4eb3cb941baef0dc162 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Fri, 7 Feb 2025 21:11:36 +0000 Subject: [PATCH 123/940] Fixed double merge. --- latest/ug/outposts/eks-outposts-self-managed-nodes.adoc | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc index 37fe98b31..599a698a1 100644 --- a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc +++ b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc @@ -121,11 +121,7 @@ echo "APISERVER_ENDPOINT=$(aws eks describe-cluster --name cluster-name --region echo "CLUSTER_ID=$(aws eks describe-cluster --name cluster-name --region region --query cluster.id --output text)" ---- -** *DisableIMDSv1*: By default, each node supports the Instance Metadata Service Version 1 (IMDSv1) and IMDSv2. You can disable IMDSv1. To prevent future nodes and [.noloc]`Pods` in the node group from using IMDSv1, set *DisableIMDSv1* to *true*. For more information about IMDS, see link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html[Configuring the instance metadata service,type="documentation"]. For more information about restricting access to it on your nodes, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. -** *VpcId*: Enter the ID for the <> that you created. Before choosing a VPC, review <>. -** *Subnets*: If your cluster is on an Outpost, then choose at least one private subnet in your VPC. Before choosing subnets, review <>. You can see which subnets are private by opening each subnet link from the *Networking* tab of your cluster. -. Select your desired choices on the *Configure stack options* page, and then choose *Next*. -. Select the check box to the left of *I acknowledge that {aws} CloudFormation might create IAM resources.*, and then choose *Create stack*. + ** *DisableIMDSv1*: By default, each node supports the Instance Metadata Service Version 1 (IMDSv1) and IMDSv2. You can disable IMDSv1. To prevent future nodes and [.noloc]`Pods` in the node group from using IMDSv1, set *DisableIMDSv1* to *true*. For more information about IMDS, see link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html[Configuring the instance metadata service,type="documentation"]. For more information about restricting access to it on your nodes, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. ** *VpcId*: Enter the ID for the <> that you created. Before choosing a VPC, review <>. ** *Subnets*: If your cluster is on an Outpost, then choose at least one private subnet in your VPC. Before choosing subnets, review <>. You can see which subnets are private by opening each subnet link from the *Networking* tab of your cluster. From b8d3c526fb4118cb99bf613995aff98005a66094 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Fri, 7 Feb 2025 22:24:46 +0000 Subject: [PATCH 124/940] Replaced instances of AWS with {aws} --- latest/ug/clusters/kubernetes-versions.adoc | 2 +- .../cni-increase-ip-addresses-procedure.adoc | 27 ++++++++++--------- .../eks-outposts-self-managed-nodes.adoc | 2 +- 3 files changed, 16 insertions(+), 15 deletions(-) diff --git a/latest/ug/clusters/kubernetes-versions.adoc b/latest/ug/clusters/kubernetes-versions.adoc index 33f392705..f764c2191 100644 --- a/latest/ug/clusters/kubernetes-versions.adoc +++ b/latest/ug/clusters/kubernetes-versions.adoc @@ -128,7 +128,7 @@ Dates with only a month and a year are approximate and are updated with an exact |=== [#version-cli] -== Get version information with {AWS} CLI +== Get version information with {aws} CLI You can use the {aws} CLI to get information about Kubernetes versions available on EKS, such as the end date of Standard Support. diff --git a/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc b/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc index 9a93c0317..85fbe964e 100644 --- a/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc +++ b/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc @@ -7,11 +7,10 @@ include::../attributes.txt[] You can increase the number of IP addresses that nodes can assign to [.noloc]`Pods` by assigning IP prefixes, rather than assigning individual secondary IP addresses to your nodes. -Complete the following before you start the procedure: +== Prerequisites -* Review the considerations. * You need an existing cluster. To deploy one, see <>. -* The subnets that your Amazon EKS nodes are in must have sufficient contiguous `/28` (for `IPv4` clusters) or `/80` (for `IPv6` clusters) Classless Inter-Domain Routing (CIDR) blocks. You can only have Linux nodes in an `IPv6` cluster. Using IP prefixes can fail if IP addresses are scattered throughout the subnet CIDR. We recommend that following: +* The subnets that your Amazon EKS nodes are in must have sufficient contiguous `/28` (for `IPv4` clusters) or `/80` (for `IPv6` clusters) Classless Inter-Domain Routing (CIDR) blocks. You can only have Linux nodes in an `IPv6` cluster. Using IP prefixes can fail if IP addresses are scattered throughout the subnet CIDR. We recommend the following: ** Using a subnet CIDR reservation so that even if any IP addresses within the reserved range are still in use, upon their release, the IP addresses aren't reassigned. This ensures that prefixes are available for allocation without segmentation. ** Use new subnets that are specifically used for running the workloads that IP prefixes are assigned to. Both [.noloc]`Windows` and [.noloc]`Linux` workloads can run in the same subnet when assigning IP prefixes. * To assign IP prefixes to your nodes, your nodes must be {aws} Nitro-based. Instances that aren't Nitro-based continue to allocate individual secondary IP addresses, but have a significantly lower number of IP addresses to assign to [.noloc]`Pods` than [.noloc]`Nitro-based` instances do. @@ -23,7 +22,7 @@ kubectl describe daemonset aws-node --namespace kube-system | grep Image | cut - ---- + If your cluster is configured for the `IPv6` family, you must have version `1.10.1` of the add-on installed. If your plugin version is earlier than the required versions, you must update it. For more information, see the updating sections of <>. -* *For clusters with [.noloc]`Windows` nodes only*:: +* *For clusters with [.noloc]`Windows` nodes only* + ** Your cluster and its platform version must be at, or later than the versions in the following table. To upgrade your cluster version, see <>. If your cluster isn't at the minimum platform version, then you can't assign IP prefixes to your nodes until Amazon EKS has updated your platform version. @@ -45,10 +44,13 @@ If your cluster is configured for the `IPv6` family, you must have version `1.10 |=== + You can check your current [.noloc]`Kubernetes` and platform version by replacing [.replaceable]`my-cluster` in the following command with the name of your cluster and then running the modified command: `aws eks describe-cluster --name [.replaceable]``my-cluster`` --query 'cluster.{"Kubernetes Version": version, "Platform Version": platformVersion}'`. -** [.noloc]`Windows` support enabled for your cluster. For more information, see <>. -. Configure your cluster to assign IP address prefixes to nodes. Complete the procedure on the tab that matches your node's operating system. -+ -[.noloc]`Linux`::: +** You must have [.noloc]`Windows` support enabled for your cluster. For more information, see <>. + +== To increase the amount of available IP addresses for your Amazon EC2 nodes + +. Configure your cluster to assign IP address prefixes to nodes. Complete the procedure that matches your node's operating system. + +=== [.noloc]`Linux` .. Enable the parameter to assign prefixes to network interfaces for the Amazon VPC CNI [.noloc]`DaemonSet`. When you deploy a `1.21` or later cluster, version `1.10.1` or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on is deployed with it. If you created the cluster with the `IPv6` family, this setting was set to `true` by default. If you created the cluster with the `IPv4` family, this setting was set to `false` by default. + [source,bash,subs="verbatim,attributes"] @@ -96,7 +98,7 @@ kubectl set env ds aws-node -n kube-system WARM_IP_TARGET=5 ---- kubectl set env ds aws-node -n kube-system MINIMUM_IP_TARGET=2 ---- -... Create one of the following types of node groups with at least one Amazon EC2 Nitro Amazon Linux 2 instance type. For a list of Nitro instance types, see link:AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances[Instances built on the Nitro System,type="documentation"] in the Amazon EC2 User Guide. This capability is not supported on [.noloc]`Windows`. For the options that include [.replaceable]`110`, replace it with either the value from step 3 (recommended), or your own value. +.. Create one of the following types of node groups with at least one Amazon EC2 Nitro Amazon Linux 2 instance type. For a list of Nitro instance types, see link:AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances[Instances built on the Nitro System,type="documentation"] in the Amazon EC2 User Guide. This capability is not supported on [.noloc]`Windows`. For the options that include [.replaceable]`110`, replace it with either the value from step 3 (recommended), or your own value. + **** *Self-managed* – Deploy the node group using the instructions in <>. Specify the following text for the *BootstrapArguments* parameter. + @@ -134,11 +136,10 @@ If you've created a custom AMI that is not built off the Amazon EKS optimized AM + NOTE: If you also want to assign IP addresses to [.noloc]`Pods` from a different subnet than the instance's, then you need to enable the capability in this step. For more information, see <>. - -[.noloc]`Windows`::: +=== [.noloc]`Windows` .. Enable assignment of IP prefixes. + -.... Open the `amazon-vpc-cni` `ConfigMap` for editing. +... Open the `amazon-vpc-cni` `ConfigMap` for editing. + [source,bash,subs="verbatim,attributes"] ---- @@ -171,7 +172,7 @@ InsufficientCidrBlocks: The specified subnet does not have enough free cidr bloc This can happen due to fragmentation of existing secondary IP addresses spread out across a subnet. To resolve this error, either create a new subnet and launch [.noloc]`Pods` there, or use an Amazon EC2 subnet CIDR reservation to reserve space within a subnet for use with prefix assignment. For more information, see link:vpc/latest/userguide/subnet-cidr-reservation.html[Subnet CIDR reservations,type="documentation"] in the Amazon VPC User Guide. ==== -... (Optional) Specify additional configuration for controlling the pre-scaling and dynamic scaling behavior for your cluster. For more information, see https://github.com/aws/amazon-vpc-resource-controller-k8s/blob/master/docs/windows/prefix_delegation_config_options.md[Configuration options with Prefix Delegation mode on Windows] on GitHub. +.. (Optional) Specify additional configuration for controlling the pre-scaling and dynamic scaling behavior for your cluster. For more information, see https://github.com/aws/amazon-vpc-resource-controller-k8s/blob/master/docs/windows/prefix_delegation_config_options.md[Configuration options with Prefix Delegation mode on Windows] on GitHub. + ... Open the `amazon-vpc-cni` `ConfigMap` for editing. + diff --git a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc index 599a698a1..5d1f871af 100644 --- a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc +++ b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc @@ -110,7 +110,7 @@ NOTE: If you don't provide a key pair here, the {aws} CloudFormation stack creat ---- --b64-cluster-ca ${CLUSTER_CA} --apiserver-endpoint https://${APISERVER_ENDPOINT} --enable-local-outpost true --cluster-id ${CLUSTER_ID} ---- -To retrieve the values for `CLUSTER_CA`, `APISERVER_ENDPOINT`, and `CLUSTER_ID` of your Amazon EKS local cluster, run the following AWS CLI commands. Replace cluster-name with the name of your cluster and region (for example, us-east-1) with your cluster’s AWS Region. +To retrieve the values for `CLUSTER_CA`, `APISERVER_ENDPOINT`, and `CLUSTER_ID` of your Amazon EKS local cluster, run the following {aws} CLI commands. Replace cluster-name with the name of your cluster and region (for example, us-east-1) with your cluster's {aws} Region. + [source,bash,subs="verbatim,attributes"] ---- From 8837c58a0deb8e14ba544a5f915a5efd0fc2675f Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Fri, 7 Feb 2025 23:07:04 +0000 Subject: [PATCH 125/940] Format tweak: 44906 --- .../cni-increase-ip-addresses-procedure.adoc | 50 +++++++++++-------- latest/ug/what-is/kubernetes-concepts.adoc | 2 +- 2 files changed, 29 insertions(+), 23 deletions(-) diff --git a/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc b/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc index 85fbe964e..d0135e75c 100644 --- a/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc +++ b/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc @@ -46,12 +46,13 @@ If your cluster is configured for the `IPv6` family, you must have version `1.10 You can check your current [.noloc]`Kubernetes` and platform version by replacing [.replaceable]`my-cluster` in the following command with the name of your cluster and then running the modified command: `aws eks describe-cluster --name [.replaceable]``my-cluster`` --query 'cluster.{"Kubernetes Version": version, "Platform Version": platformVersion}'`. ** You must have [.noloc]`Windows` support enabled for your cluster. For more information, see <>. -== To increase the amount of available IP addresses for your Amazon EC2 nodes +[#cni-increase-ip-procedure] +== Assign IP address prefixes to nodes -. Configure your cluster to assign IP address prefixes to nodes. Complete the procedure that matches your node's operating system. +Configure your cluster to assign IP address prefixes to nodes. Complete the procedure that matches your node's operating system. === [.noloc]`Linux` -.. Enable the parameter to assign prefixes to network interfaces for the Amazon VPC CNI [.noloc]`DaemonSet`. When you deploy a `1.21` or later cluster, version `1.10.1` or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on is deployed with it. If you created the cluster with the `IPv6` family, this setting was set to `true` by default. If you created the cluster with the `IPv4` family, this setting was set to `false` by default. +. Enable the parameter to assign prefixes to network interfaces for the Amazon VPC CNI [.noloc]`DaemonSet`. When you deploy a `1.21` or later cluster, version `1.10.1` or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on is deployed with it. If you created the cluster with the `IPv6` family, this setting was set to `true` by default. If you created the cluster with the `IPv4` family, this setting was set to `false` by default. + [source,bash,subs="verbatim,attributes"] ---- @@ -70,24 +71,24 @@ InsufficientCidrBlocks: The specified subnet does not have enough free cidr bloc This can happen due to fragmentation of existing secondary IP addresses spread out across a subnet. To resolve this error, either create a new subnet and launch [.noloc]`Pods` there, or use an Amazon EC2 subnet CIDR reservation to reserve space within a subnet for use with prefix assignment. For more information, see link:vpc/latest/userguide/subnet-cidr-reservation.html[Subnet CIDR reservations,type="documentation"] in the Amazon VPC User Guide. ==== + -.. If you plan to deploy a managed node group without a launch template, or with a launch template that you haven't specified an AMI ID in, and you're using a version of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` at or later than the versions listed in the prerequisites, then skip to the next step. Managed node groups automatically calculates the maximum number of [.noloc]`Pods` for you. +. If you plan to deploy a managed node group without a launch template, or with a launch template that you haven't specified an AMI ID in, and you're using a version of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` at or later than the versions listed in the prerequisites, then skip to the next step. Managed node groups automatically calculates the maximum number of [.noloc]`Pods` for you. + If you're deploying a self-managed node group or a managed node group with a launch template that you have specified an AMI ID in, then you must determine the Amazon EKS recommend number of maximum [.noloc]`Pods` for your nodes. Follow the instructions in <>, adding `--cni-prefix-delegation-enabled` to step 3. Note the output for use in a later step. + IMPORTANT: Managed node groups enforces a maximum number on the value of `maxPods`. For instances with less than 30 vCPUs the maximum number is 110 and for all other instances the maximum number is 250. This maximum number is applied whether prefix delegation is enabled or not. -.. If you're using a `1.21` or later cluster configured for `IPv6`, skip to the next step. +. If you're using a `1.21` or later cluster configured for `IPv6`, skip to the next step. + Specify the parameters in one of the following options. To determine which option is right for you and what value to provide for it, see https://github.com/aws/amazon-vpc-cni-k8s/blob/master/docs/prefix-and-ip-target.md[WARM_PREFIX_TARGET, WARM_IP_TARGET, and MINIMUM_IP_TARGET] on [.noloc]`GitHub`. + You can replace the [.replaceable]`example values` with a value greater than zero. + -**** `WARM_PREFIX_TARGET` +*** `WARM_PREFIX_TARGET` + [source,bash,subs="verbatim,attributes"] ---- kubectl set env ds aws-node -n kube-system WARM_PREFIX_TARGET=1 ---- -**** `WARM_IP_TARGET` or `MINIMUM_IP_TARGET` – If either value is set, it overrides any value set for `WARM_PREFIX_TARGET`. +*** `WARM_IP_TARGET` or `MINIMUM_IP_TARGET` – If either value is set, it overrides any value set for `WARM_PREFIX_TARGET`. + [source,bash,subs="verbatim,attributes"] ---- @@ -98,9 +99,9 @@ kubectl set env ds aws-node -n kube-system WARM_IP_TARGET=5 ---- kubectl set env ds aws-node -n kube-system MINIMUM_IP_TARGET=2 ---- -.. Create one of the following types of node groups with at least one Amazon EC2 Nitro Amazon Linux 2 instance type. For a list of Nitro instance types, see link:AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances[Instances built on the Nitro System,type="documentation"] in the Amazon EC2 User Guide. This capability is not supported on [.noloc]`Windows`. For the options that include [.replaceable]`110`, replace it with either the value from step 3 (recommended), or your own value. +. Create one of the following types of node groups with at least one Amazon EC2 Nitro Amazon Linux 2 instance type. For a list of Nitro instance types, see link:AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances[Instances built on the Nitro System,type="documentation"] in the Amazon EC2 User Guide. This capability is not supported on [.noloc]`Windows`. For the options that include [.replaceable]`110`, replace it with either the value from step 3 (recommended), or your own value. + -**** *Self-managed* – Deploy the node group using the instructions in <>. Specify the following text for the *BootstrapArguments* parameter. +*** *Self-managed* – Deploy the node group using the instructions in <>. Specify the following text for the *BootstrapArguments* parameter. + [source,bash,subs="verbatim,attributes"] ---- @@ -113,10 +114,10 @@ If you're using `eksctl` to create the node group, you can use the following com ---- eksctl create nodegroup --cluster my-cluster --managed=false --max-pods-per-node 110 ---- -**** *Managed* – Deploy your node group using one of the following options: +*** *Managed* – Deploy your node group using one of the following options: + -***** *Without a launch template or with a launch template without an AMI ID specified* – Complete the procedure in <>. Managed node groups automatically calculates the Amazon EKS recommended `max-pods` value for you. -***** *With a launch template with a specified AMI ID* – In your launch template, specify an Amazon EKS optimized AMI ID, or a custom AMI built off the Amazon EKS optimized AMI, then <> and provide the following user data in the launch template. This user data passes arguments into the `bootstrap.sh` file. For more information about the bootstrap file, see https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap.sh] on [.noloc]`GitHub`. +**** *Without a launch template or with a launch template without an AMI ID specified* – Complete the procedure in <>. Managed node groups automatically calculates the Amazon EKS recommended `max-pods` value for you. +**** *With a launch template with a specified AMI ID* – In your launch template, specify an Amazon EKS optimized AMI ID, or a custom AMI built off the Amazon EKS optimized AMI, then <> and provide the following user data in the launch template. This user data passes arguments into the `bootstrap.sh` file. For more information about the bootstrap file, see https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap.sh] on [.noloc]`GitHub`. + [source,bash,subs="verbatim,attributes"] ---- @@ -133,26 +134,27 @@ eksctl create nodegroup --cluster my-cluster --max-pods-per-node 110 ---- + If you've created a custom AMI that is not built off the Amazon EKS optimized AMI, then you need to custom create the configuration yourself. + + NOTE: If you also want to assign IP addresses to [.noloc]`Pods` from a different subnet than the instance's, then you need to enable the capability in this step. For more information, see <>. === [.noloc]`Windows` -.. Enable assignment of IP prefixes. +. Enable assignment of IP prefixes. + -... Open the `amazon-vpc-cni` `ConfigMap` for editing. +.. Open the `amazon-vpc-cni` `ConfigMap` for editing. + [source,bash,subs="verbatim,attributes"] ---- kubectl edit configmap -n kube-system amazon-vpc-cni -o yaml ---- -... Add the following line to the `data` section. +.. Add the following line to the `data` section. + [source,yaml,subs="verbatim,attributes"] ---- enable-windows-prefix-delegation: "true" ---- -... Save the file and close the editor. -... Confirm that the line was added to the `ConfigMap`. +.. Save the file and close the editor. +.. Confirm that the line was added to the `ConfigMap`. + [source,bash,subs="verbatim,attributes"] ---- @@ -172,15 +174,15 @@ InsufficientCidrBlocks: The specified subnet does not have enough free cidr bloc This can happen due to fragmentation of existing secondary IP addresses spread out across a subnet. To resolve this error, either create a new subnet and launch [.noloc]`Pods` there, or use an Amazon EC2 subnet CIDR reservation to reserve space within a subnet for use with prefix assignment. For more information, see link:vpc/latest/userguide/subnet-cidr-reservation.html[Subnet CIDR reservations,type="documentation"] in the Amazon VPC User Guide. ==== -.. (Optional) Specify additional configuration for controlling the pre-scaling and dynamic scaling behavior for your cluster. For more information, see https://github.com/aws/amazon-vpc-resource-controller-k8s/blob/master/docs/windows/prefix_delegation_config_options.md[Configuration options with Prefix Delegation mode on Windows] on GitHub. +. (Optional) Specify additional configuration for controlling the pre-scaling and dynamic scaling behavior for your cluster. For more information, see https://github.com/aws/amazon-vpc-resource-controller-k8s/blob/master/docs/windows/prefix_delegation_config_options.md[Configuration options with Prefix Delegation mode on Windows] on GitHub. + -... Open the `amazon-vpc-cni` `ConfigMap` for editing. +.. Open the `amazon-vpc-cni` `ConfigMap` for editing. + [source,bash,subs="verbatim,attributes"] ---- kubectl edit configmap -n kube-system amazon-vpc-cni -o yaml ---- -... Replace the [.replaceable]`example values` with a value greater than zero and add the entries that you require to the `data` section of the `ConfigMap`. If you set a value for either `warm-ip-target` or `minimum-ip-target`, the value overrides any value set for `warm-prefix-target`. +.. Replace the [.replaceable]`example values` with a value greater than zero and add the entries that you require to the `data` section of the `ConfigMap`. If you set a value for either `warm-ip-target` or `minimum-ip-target`, the value overrides any value set for `warm-prefix-target`. + [source,yaml,subs="verbatim,attributes"] ---- @@ -188,8 +190,8 @@ kubectl edit configmap -n kube-system amazon-vpc-cni -o yaml warm-ip-target: "5" minimum-ip-target: "2" ---- -... Save the file and close the editor. -.. Create [.noloc]`Windows` node groups with at least one Amazon EC2 [.noloc]`Nitro` instance type. For a list of [.noloc]`Nitro` instance types, see link:AWSEC2/latest/WindowsGuide/instance-types.html#ec2-nitro-instances[Instances built on the Nitro System,type="documentation"] in the Amazon EC2 User Guide. By default, the maximum number of [.noloc]`Pods` that you can deploy to a node is 110. If you want to increase or decrease that number, specify the following in the user data for the bootstrap configuration. Replace [.replaceable]`max-pods-quantity` with your max pods value. +.. Save the file and close the editor. +. Create [.noloc]`Windows` node groups with at least one Amazon EC2 [.noloc]`Nitro` instance type. For a list of [.noloc]`Nitro` instance types, see link:AWSEC2/latest/WindowsGuide/instance-types.html#ec2-nitro-instances[Instances built on the Nitro System,type="documentation"] in the Amazon EC2 User Guide. By default, the maximum number of [.noloc]`Pods` that you can deploy to a node is 110. If you want to increase or decrease that number, specify the following in the user data for the bootstrap configuration. Replace [.replaceable]`max-pods-quantity` with your max pods value. + [source,bash,subs="verbatim,attributes"] ---- @@ -197,6 +199,10 @@ kubectl edit configmap -n kube-system amazon-vpc-cni -o yaml ---- + If you're deploying managed node groups, this configuration needs to be added in the launch template. For more information, see <>. For more information about the configuration parameters for [.noloc]`Windows` bootstrap script, see <>. + +[#cni-increase-ip-verify] +== Determine max Pods and available IP addresses + . Once your nodes are deployed, view the nodes in your cluster. + [source,bash,subs="verbatim,attributes"] diff --git a/latest/ug/what-is/kubernetes-concepts.adoc b/latest/ug/what-is/kubernetes-concepts.adoc index f7d9ac906..9aee63965 100644 --- a/latest/ug/what-is/kubernetes-concepts.adoc +++ b/latest/ug/what-is/kubernetes-concepts.adoc @@ -141,7 +141,7 @@ When you first create a [.noloc]`Kubernetes` cluster, some cluster creation tool * *Manage each node (`kubelet`)* -- The API server communicates with the https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/[kubelet] service running on each node to make sure that the node is properly registered and Pods requested by the Scheduler are running. The kubelet can read the Pod manifests and set up storage volumes or other features needed by the Pods on the local system. It can also check on the health of the locally running containers. * *Run containers on a node (container runtime)* -- The https://kubernetes.io/docs/setup/production-environment/container-runtimes/[Container Runtime] on each node manages the containers requested for each Pod assigned to the node. That means that it can pull container images from the appropriate registry, run the container, stop it, and responds to queries about the container. The default container runtime is https://github.com/containerd/containerd/blob/main/docs/getting-started.md[containerd]. As of [.noloc]`Kubernetes` 1.24, the special integration of [.noloc]`Docker` (`dockershim`) that could be used as the container runtime was dropped from [.noloc]`Kubernetes`. While you can still use [.noloc]`Docker` to test and run containers on your local system, to use [.noloc]`Docker` with [.noloc]`Kubernetes` you would now have to https://docs.docker.com/engine/install/#server[Install Docker Engine] on each node to use it with [.noloc]`Kubernetes`. -* *Manage networking between containers (kube-proxy)* -- To be able to support communication between Pods, [.noloc]`Kubernetes` uses a feature referred to as a https://kubernetes.io/docs/concepts/services-networking/service/[Service] to set up Pod networks that track IP addresses and ports associated with those Pods. The https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/[kube-proxy] service runs on every node to allow that communication between Pods to take place. +* *Manage networking between containers (`kube-proxy`)* -- To be able to support communication between Pods, [.noloc]`Kubernetes` uses a feature referred to as a https://kubernetes.io/docs/concepts/services-networking/service/[Service] to set up Pod networks that track IP addresses and ports associated with those Pods. The https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/[kube-proxy] service runs on every node to allow that communication between Pods to take place. [#extend-clusters] From 74b05f1d306296c42bebb12209f44368a3ab2a1d Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Fri, 7 Feb 2025 23:23:17 +0000 Subject: [PATCH 126/940] Format consistency --- latest/ug/automode/auto-configure-alb.adoc | 2 +- latest/ug/automode/auto-elb-example.adoc | 6 ++-- .../ug/automode/automode-get-started-cli.adoc | 30 +++++++++---------- latest/ug/automode/automode.adoc | 14 ++++----- latest/ug/automode/wip/tag-subnets.adoc | 10 +++---- latest/ug/clusters/create-cluster-auto.adoc | 16 +++++----- latest/ug/clusters/zone-shift.adoc | 22 +++++++------- .../authenticate-oidc-identity-provider.adoc | 2 +- .../ug/ml/ml-eks-windows-optimized-ami.adoc | 12 ++++---- latest/ug/networking/lbc-helm.adoc | 2 +- latest/ug/networking/lbc-manifest.adoc | 2 +- latest/ug/nodes/eks-custom-ami-windows.adoc | 4 +-- latest/ug/nodes/retrieve-ami-id.adoc | 2 +- .../eks-outposts-local-cluster-create.adoc | 2 +- latest/ug/quickstart.adoc | 8 ++--- latest/ug/security/auto-security.adoc | 4 +-- .../iam-reference/auto-cluster-iam-role.adoc | 10 +++---- 17 files changed, 73 insertions(+), 75 deletions(-) diff --git a/latest/ug/automode/auto-configure-alb.adoc b/latest/ug/automode/auto-configure-alb.adoc index 2a9be6cb4..a30a37b33 100644 --- a/latest/ug/automode/auto-configure-alb.adoc +++ b/latest/ug/automode/auto-configure-alb.adoc @@ -11,7 +11,7 @@ EKS Auto Mode automates routine tasks for load balancing, including exposing clu EKS Auto Mode creates and configures Application Load Balancers (ALBs). For example, EKS Auto Mode creates a load balancer when you create an `Ingress` Kubernetes objects and configures it to route traffic to your cluster workload. -**Overview** +*Overview* . Create an `IngressClassParams` resource, specifying {aws} specific configuration values such as the certificate to use for SSL/TLS and VPC Subnets. . Create an `IngressClass` resource, specifying that EKS Auto Mode will be the controller for the resource. diff --git a/latest/ug/automode/auto-elb-example.adoc b/latest/ug/automode/auto-elb-example.adoc index 4b7285b50..1d46eae4e 100644 --- a/latest/ug/automode/auto-elb-example.adoc +++ b/latest/ug/automode/auto-elb-example.adoc @@ -70,7 +70,7 @@ spec: NOTE: If you receive an error loading the image `public.ecr.aws/l6m2t8p7/docker-2048:latest`, confirm your Node IAM role has sufficent permissions to pull images from ECR. For more information, see <>. -**Key components:** +*Key components:* - Deploys 5 replicas of the application - Uses a public ECR image @@ -107,7 +107,7 @@ spec: app.kubernetes.io/name: app-2048 ---- -**Key components:** +*Key components:* - Creates a NodePort service - Maps port 80 to the container's port 80 @@ -174,7 +174,7 @@ spec: number: 80 ---- -**Key components:** +*Key components:* - Creates an internet-facing ALB - Uses IP target type for direct pod routing diff --git a/latest/ug/automode/automode-get-started-cli.adoc b/latest/ug/automode/automode-get-started-cli.adoc index 0439c10f8..993bcf4bd 100644 --- a/latest/ug/automode/automode-get-started-cli.adoc +++ b/latest/ug/automode/automode-get-started-cli.adoc @@ -37,7 +37,7 @@ Amazon EKS Auto Mode deploy nodes to VPC subnets. When creating an EKS cluster, aws ec2 describe-subnets --filters "Name=vpc-id,Values=$(aws ec2 describe-vpcs --query 'Vpcs[?IsDefault==`true`].VpcId' --output text)" --query 'Subnets[*].{ID:SubnetId,AZ:AvailabilityZone}' --output table ``` + -. Save the output and note the **Subnet IDs**. +. Save the output and note the *Subnet IDs*. + Sample output: + @@ -82,11 +82,11 @@ You must create this role and attach the following {aws} managed policy: * link:AmazonECR/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonEC2ContainerRegistryPullOnly["AmazonEC2ContainerRegistryPullOnly",type="documentation"] [discrete] -#### **Service-Linked Role** +#### *Service-Linked Role* EKS Auto Mode also requires a Service-Linked Role, which is automatically created and configured by {aws}. For more information, see <>. -## **Create an EKS Auto Mode Cluster IAM Role** +## *Create an EKS Auto Mode Cluster IAM Role* ### Step 1: Create the Trust Policy @@ -132,7 +132,7 @@ aws iam get-role --role-name AmazonEKSAutoClusterRole --query "Role.Arn" --outpu Attach the following {aws} managed policies to the Cluster IAM Role to grant the necessary permissions: -**AmazonEKSClusterPolicy**: +*AmazonEKSClusterPolicy*: ``` aws iam attach-role-policy \ @@ -140,7 +140,7 @@ aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEKSClusterPolicy ``` -**AmazonEKSComputePolicy**: +*AmazonEKSComputePolicy*: ``` aws iam attach-role-policy \ @@ -148,7 +148,7 @@ aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEKSComputePolicy ``` -**AmazonEKSBlockStoragePolicy**: +*AmazonEKSBlockStoragePolicy*: ``` aws iam attach-role-policy \ @@ -156,7 +156,7 @@ aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEKSBlockStoragePolicy ``` -**AmazonEKSLoadBalancingPolicy**: +*AmazonEKSLoadBalancingPolicy*: ``` aws iam attach-role-policy \ @@ -164,7 +164,7 @@ aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEKSLoadBalancingPolicy ``` -**AmazonEKSNetworkingPolicy**: +*AmazonEKSNetworkingPolicy*: ``` aws iam attach-role-policy \ @@ -172,7 +172,7 @@ aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEKSNetworkingPolicy ``` -## **Create an EKS Auto Mode Node IAM Role** +## *Create an EKS Auto Mode Node IAM Role* ### Step 1: Create the Trust Policy @@ -195,7 +195,7 @@ Create a trust policy that allows the Amazon EKS service to assume the role. Sav #### Step 2: Create the Node IAM Role -Use the **node-trust-policy.json** file from the previous step to define which entities can assume the role. Run the following command to create the Node IAM Role: +Use the *node-trust-policy.json* file from the previous step to define which entities can assume the role. Run the following command to create the Node IAM Role: ``` aws iam create-role \ @@ -215,7 +215,7 @@ aws iam get-role --role-name AmazonEKSAutoNodeRole --query "Role.Arn" --output t Attach the following {aws} managed policies to the Node IAM Role to provide the necessary permissions: -**AmazonEKSWorkerNodeMinimalPolicy**: +*AmazonEKSWorkerNodeMinimalPolicy*: ``` aws iam attach-role-policy \ @@ -223,7 +223,7 @@ aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEKSWorkerNodeMinimalPolicy ``` -**AmazonEC2ContainerRegistryPullOnly**: +*AmazonEC2ContainerRegistryPullOnly*: ``` aws iam attach-role-policy \ @@ -231,7 +231,7 @@ aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly ``` -## **Create an EKS Auto Mode Cluster** +## *Create an EKS Auto Mode Cluster* ### Overview @@ -249,7 +249,7 @@ Review these default values and features before creating the cluster: * `nodePools`: EKS Auto Mode includes general-purpose and system default Node Pools. Learn more about <>. -**Note:** Node Pools in EKS Auto Mode differ from Amazon EKS Managed Node Groups but can coexist in the same cluster. +*Note:* Node Pools in EKS Auto Mode differ from Amazon EKS Managed Node Groups but can coexist in the same cluster. * `computeConfig.enabled`: Automates routine compute tasks, such as creating and deleting EC2 instances. * `kubernetesNetworkConfig.elasticLoadBalancing.enabled`: Automates load balancing tasks, including creating and deleting Elastic Load Balancers. @@ -294,7 +294,7 @@ aws eks create-cluster \ } ``` -### **Check Cluster Status** +### *Check Cluster Status* #### Step 1: Verify Cluster Creation diff --git a/latest/ug/automode/automode.adoc b/latest/ug/automode/automode.adoc index 45969f81a..ac73c32d3 100644 --- a/latest/ug/automode/automode.adoc +++ b/latest/ug/automode/automode.adoc @@ -24,20 +24,20 @@ With EKS Auto Mode, you can continue using your preferred Kubernetes-compatible EKS Auto Mode provides the following high-level features: -**Streamline Kubernetes Cluster Management**: EKS Auto Mode streamlines EKS management by providing production-ready clusters with minimal operational overhead. With EKS Auto Mode, you can run demanding, dynamic workloads confidently, without requiring deep EKS expertise. +*Streamline Kubernetes Cluster Management*: EKS Auto Mode streamlines EKS management by providing production-ready clusters with minimal operational overhead. With EKS Auto Mode, you can run demanding, dynamic workloads confidently, without requiring deep EKS expertise. -**Application Availability**: EKS Auto Mode dynamically adds or removes nodes in your EKS cluster based on the demands of your Kubernetes applications. This minimizes the need for manual capacity planning and ensures application availability. +*Application Availability*: EKS Auto Mode dynamically adds or removes nodes in your EKS cluster based on the demands of your Kubernetes applications. This minimizes the need for manual capacity planning and ensures application availability. //what? -**Efficiency**: EKS Auto Mode is designed to optimize compute costs while adhering to the flexibility defined by your NodePool and workload requirements. It also terminates unused instances and consolidates workloads onto other nodes to improve cost efficiency. +*Efficiency*: EKS Auto Mode is designed to optimize compute costs while adhering to the flexibility defined by your NodePool and workload requirements. It also terminates unused instances and consolidates workloads onto other nodes to improve cost efficiency. -**Security**: EKS Auto Mode uses AMIs that are treated as immutable for your nodes. These AMIs enforce locked-down software, enable SELinux mandatory access controls, and provide read-only root file systems. Additionally, nodes launched by EKS Auto Mode have a maximum lifetime of 21 days (which you can reduce), after which they are automatically replaced with new nodes. This approach enhances your security posture by regularly cycling nodes, aligning with best practices already adopted by many customers. +*Security*: EKS Auto Mode uses AMIs that are treated as immutable for your nodes. These AMIs enforce locked-down software, enable SELinux mandatory access controls, and provide read-only root file systems. Additionally, nodes launched by EKS Auto Mode have a maximum lifetime of 21 days (which you can reduce), after which they are automatically replaced with new nodes. This approach enhances your security posture by regularly cycling nodes, aligning with best practices already adopted by many customers. -**Automated Upgrades**: EKS Auto Mode keeps your Kubernetes cluster, nodes, and related components up to date with the latest patches, while respecting your configured Pod Disruption Budgets (PDBs) and NodePool Disruption Budgets (NDBs). Up to the 21-day maximum lifetime, intervention might be required if blocking PDBs or other configurations prevent updates. +*Automated Upgrades*: EKS Auto Mode keeps your Kubernetes cluster, nodes, and related components up to date with the latest patches, while respecting your configured Pod Disruption Budgets (PDBs) and NodePool Disruption Budgets (NDBs). Up to the 21-day maximum lifetime, intervention might be required if blocking PDBs or other configurations prevent updates. -**Managed Components**: EKS Auto Mode includes Kubernetes and {aws} cloud features as core components that would otherwise have to be managed as add-ons. This includes built-in support for Pod IP address assignments, Pod network policies, local DNS services, GPU plug-ins, health checkers, and EBS CSI storage. +*Managed Components*: EKS Auto Mode includes Kubernetes and {aws} cloud features as core components that would otherwise have to be managed as add-ons. This includes built-in support for Pod IP address assignments, Pod network policies, local DNS services, GPU plug-ins, health checkers, and EBS CSI storage. -**Customizable NodePools and NodeClasses**: If your workload requires changes to storage, compute, or networking configurations, you can create custom NodePools and NodeClasses using EKS Auto Mode. While default NodePools and NodeClasses can't be edited, you can add new custom NodePools or NodeClasses alongside the default configurations to meet your specific requirements. +*Customizable NodePools and NodeClasses*: If your workload requires changes to storage, compute, or networking configurations, you can create custom NodePools and NodeClasses using EKS Auto Mode. While default NodePools and NodeClasses can't be edited, you can add new custom NodePools or NodeClasses alongside the default configurations to meet your specific requirements. ## Automated Components diff --git a/latest/ug/automode/wip/tag-subnets.adoc b/latest/ug/automode/wip/tag-subnets.adoc index d2094e5a9..0381fb149 100644 --- a/latest/ug/automode/wip/tag-subnets.adoc +++ b/latest/ug/automode/wip/tag-subnets.adoc @@ -20,14 +20,14 @@ Your subnets require specific tags based on their intended use: == Adding Tags in the Console 1. Sign in to the {aws-management-console} -2. Navigate to **VPC** +>+ **Subnets** +2. Navigate to *VPC* +>+ *Subnets* 3. Select the subnet you want to tag -4. Select the **Tags** tab in the lower panel -5. Choose **Add/Edit Tags** -6. Click **Add Tag** and enter: +4. Select the *Tags* tab in the lower panel +5. Choose *Add/Edit Tags* +6. Click *Add Tag* and enter: - For private subnets: Key = `kubernetes.io/role/internal-elb`, Value = `1` - For public subnets: Key = `kubernetes.io/role/elb`, Value = `1` -7. Click **Save** +7. Click *Save* 📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23tag-subnets%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/create-cluster-auto.adoc b/latest/ug/clusters/create-cluster-auto.adoc index 45d4f4748..d20d1b0f0 100644 --- a/latest/ug/clusters/create-cluster-auto.adoc +++ b/latest/ug/clusters/create-cluster-auto.adoc @@ -167,7 +167,7 @@ aws iam get-role --role-name AmazonEKSAutoClusterRole --query "Role.Arn" --outpu Attach the following {aws} managed policies to the Cluster IAM Role to grant the necessary permissions: -**AmazonEKSClusterPolicy**: +*AmazonEKSClusterPolicy*: ``` aws iam attach-role-policy \ @@ -175,7 +175,7 @@ aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEKSClusterPolicy ``` -**AmazonEKSComputePolicy**: +*AmazonEKSComputePolicy*: ``` aws iam attach-role-policy \ @@ -183,7 +183,7 @@ aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEKSComputePolicy ``` -**AmazonEKSBlockStoragePolicy**: +*AmazonEKSBlockStoragePolicy*: ``` aws iam attach-role-policy \ @@ -191,7 +191,7 @@ aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEKSBlockStoragePolicy ``` -**AmazonEKSLoadBalancingPolicy**: +*AmazonEKSLoadBalancingPolicy*: ``` aws iam attach-role-policy \ @@ -199,7 +199,7 @@ aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEKSLoadBalancingPolicy ``` -**AmazonEKSNetworkingPolicy**: +*AmazonEKSNetworkingPolicy*: ``` aws iam attach-role-policy \ @@ -230,7 +230,7 @@ Create a trust policy that allows the Amazon EKS service to assume the role. Sav #### Step 2: Create the Node IAM Role -Use the **node-trust-policy.json** file from the previous step to define which entities can assume the role. Run the following command to create the Node IAM Role: +Use the *node-trust-policy.json* file from the previous step to define which entities can assume the role. Run the following command to create the Node IAM Role: ``` aws iam create-role \ @@ -250,7 +250,7 @@ aws iam get-role --role-name AmazonEKSAutoNodeRole --query "Role.Arn" --output t Attach the following {aws} managed policies to the Node IAM Role to provide the necessary permissions: -**AmazonEKSWorkerNodeMinimalPolicy**: +*AmazonEKSWorkerNodeMinimalPolicy*: ``` aws iam attach-role-policy \ @@ -258,7 +258,7 @@ aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEKSWorkerNodeMinimalPolicy ``` -**AmazonEC2ContainerRegistryPullOnly**: +*AmazonEC2ContainerRegistryPullOnly*: ``` aws iam attach-role-policy \ diff --git a/latest/ug/clusters/zone-shift.adoc b/latest/ug/clusters/zone-shift.adoc index 46b017ae6..aa97b55c7 100644 --- a/latest/ug/clusters/zone-shift.adoc +++ b/latest/ug/clusters/zone-shift.adoc @@ -126,7 +126,7 @@ Most important, you should run multiple replicas of your DNS server software (Co When installing https://github.com/coredns/helm/tree/master[CoreDNS with Helm], you can update the `replicaCount` in the https://github.com/coredns/helm/blob/master/charts/coredns/values.yaml[values.yaml file] to ensure that you have a sufficient number of replicas in each AZ. In addition, to ensure that these replicas are spread across the different AZs in your cluster environment, you should update the `topologySpreadConstraints` property in the same values.yaml file. The code snippet below demonstrates how to configure CoreDNS for this. -**CoreDNS Helm values.yaml** +*CoreDNS Helm values.yaml* [source,yaml] ---- @@ -223,45 +223,45 @@ After completing the above requirements, the next important step is to test that ## Frequently Asked Questions -**Why should I use this feature?** +*Why should I use this feature?* By using ARC zonal shift or zonal autoshift in your EKS cluster, you can better maintain Kubernetes application availability by automating the quick recovery process of shifting in-cluster network traffic away from an impaired AZ. With ARC, you can avoid long and complicated steps which often lead to an extended recovery period during impaired AZ events. -**How does this feature work with other {aws} services?** +*How does this feature work with other {aws} services?* EKS integrates with ARC which provides the primary interface for you to accomplish recovery operations in {aws}. To ensure that in-cluster traffic is appropriately routed away from an impaired AZ, modifications are made to the list of network endpoints for Pods running in the Kubernetes data plane. If you're using {aws} Load Balancers for routing external traffic into the cluster, you can already register your load balancers with ARC and trigger a zonal shift on them to prevent traffic flowing into the degraded zone. This feature also interacts with Amazon EC2 Auto Scaling Groups (ASG) that are created by EKS Managed Node Groups (MNG). To prevent an impaired AZ from being used for new Kubernetes Pods or node launches, EKS removes the impaired AZ from the ASG. -**How is this feature different from default Kubernetes protections?** +*How is this feature different from default Kubernetes protections?* This feature works in tandem with several Kubernetes native built-in protections that help customers stay resilient. You can configure Pod readiness and liveness probes that decide when a Pod should take traffic. When these probes fail, Kubernetes removes these Pods as targets for a Service and traffic is no longer sent to the Pod. While this is useful, it's non-trivial for customers to configure these health checks so that they are guaranteed to fail when a zone is degraded. The ARC zonal shift feature provides you with an additional safety net that helps them isolate a degraded AZ entirely when Kubernetes' native protections have not sufficed. It also provides you with an easy way to test the operational readiness and resilience of your architecture. -**Can {aws} trigger a zonal shift on my behalf?** +*Can {aws} trigger a zonal shift on my behalf?* Yes, if you want a fully automated way of using ARC zonal shift, you can enable ARC zonal autoshift. With zonal autoshift, you can rely on {aws} to monitor the health of the AZs for your EKS cluster, and to automatically trigger a shift when an AZ impairment is detected. -**What happens if I use this feature and my worker nodes and workloads are not pre-scaled?** +*What happens if I use this feature and my worker nodes and workloads are not pre-scaled?* If you are not pre-scaled and rely on provisioning additional nodes or Pods during a zonal shift, then you risk experiencing a delayed recovery. The process of adding new nodes to the Kubernetes data plane will take some time which can have implications on the real-time performance and availability of your applications, especially in the event of a zonal impairment. Additionally, in the event of a zonal impairment, you may encounter a potential compute capacity constraint which would prevent newly required nodes from being added to the healthy AZs. If your workloads are not pre-scaled and spread across all AZs in your cluster, a zonal impairment may impact the availability of an application that is only running on worker nodes in an impacted AZ. To mitigate the risk of a complete availability outage for your application, EKS has a fail safe for traffic to be sent to Pod endpoints in an impaired zone if that workload has all of its endpoints in the unhealthy AZ. However, it's strongly recommended that you rather pre-scale and spread your applications across all AZs to maintain availability in the event of a zonal issue. -**What happens if I'm running a stateful application?** +*What happens if I'm running a stateful application?* If you are running a stateful application, you will need to assess its fault tolerance depending on the use case and the architecture. If you have an active/standby architecture or pattern, there may be instances where the active is in an impaired AZ. At the application level, if the standby is not activated, you may run into issues with your application. You may also run into issues when new Kubernetes Pods are launched in healthy AZs since they will not be able to attach to the persistent volumes bounded to the impaired AZ. -**Does this feature work with Karpenter?** +*Does this feature work with Karpenter?* Karpenter support is currently not available with ARC zonal shift and zonal autoshift in EKS. If an AZ is impaired, you can adjust the relevant Karpenter NodePool configuration by removing the unhealthy AZ so that new worker nodes are only launched in the healthy AZs. -**Does this feature work with EKS Fargate?** +*Does this feature work with EKS Fargate?* This feature does not work with EKS Fargate. By default, when EKS Fargate recognizes a zonal health event, Pods will prefer to run in the other AZs. -**Will the EKS managed Kubernetes control plane be impacted?** +*Will the EKS managed Kubernetes control plane be impacted?* No, by default Amazon EKS runs and scales the Kubernetes control plane across multiple AZs to ensure high availability. ARC zonal shift and zonal autoshift will only act on the Kubernetes data plane. -**Are there any costs associated with this new feature?** +*Are there any costs associated with this new feature?* You can use ARC zonal shift and zonal autoshift in your EKS cluster at no additional charge. However, you will continue to pay for provisioned instances and it is strongly recommended that you pre-scale your Kubernetes data plane before using this feature. You should consider the right balance between cost and application availability. diff --git a/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc b/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc index 92e727c1c..3b628df33 100644 --- a/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc +++ b/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc @@ -83,7 +83,7 @@ eksctl associate identityprovider -f associate-identity-provider.yaml === Associate an identity provider using the {aws} Console . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. . Select your cluster, and then select the *Access* tab. -. In the *[.noloc]`OIDC` Identity Providers* section, select** Associate Identity Provider**. +. In the *[.noloc]`OIDC` Identity Providers* section, select* Associate Identity Provider*. . On the *Associate [.noloc]`OIDC` Identity Provider* page, enter or select the following options, and then select *Associate*. + ** For *Name*, enter a unique name for the provider. diff --git a/latest/ug/ml/ml-eks-windows-optimized-ami.adoc b/latest/ug/ml/ml-eks-windows-optimized-ami.adoc index c5a0445a0..0345e8c3d 100644 --- a/latest/ug/ml/ml-eks-windows-optimized-ami.adoc +++ b/latest/ug/ml/ml-eks-windows-optimized-ami.adoc @@ -14,9 +14,9 @@ Learn how to run GPU-accelerated Windows container workloads on Amazon EKS (Elas There are two main approaches to setting up GPU-acceleration for your Windows containers: -* **Option 1**: <> with the required GPU drivers pre-installed. +* *Option 1*: <> with the required GPU drivers pre-installed. ** Use this approach when you need a consistent, pre-configured environment ready to run GPU-accelerated Windows containers, and you're able to invest the additional effort to build and maintain the custom AMI. -* **Option 2**: Install the necessary GPU drivers on your EKS worker nodes after launching your instance. +* *Option 2*: Install the necessary GPU drivers on your EKS worker nodes after launching your instance. ** Use this approach when you want a simpler setup process and don't mind installing the GPU drivers on each new worker node. More suited to a development environment when you are evaluating or prototyping GPU-accelerated workloads. Both approaches can be leveraged using the steps detailed in this guide. @@ -46,7 +46,7 @@ To enable GPU acceleration for your Windows containers on Amazon EKS, you'll nee To install the NVIDIA GRID drivers on your EKS worker nodes, follow the steps outlined in link:AWSEC2/latest/UserGuide/install-nvidia-driver.html[NVIDIA drivers for your Amazon EC2 instance,type="documentation"]. Navigate to link:AWSEC2/latest/UserGuide/install-nvidia-driver#nvidia-GRID-driver[Installation options - Option 3: GRID drivers,type="documentation"] and follow the installation steps. -**Install for Windows Server Core** +*Install for Windows Server Core* For Windows Server Core, which doesn’t have a desktop experience, install NVIDIA GRID drivers silently by using the following commands: @@ -57,7 +57,7 @@ $installerArguments = "-s -clean -noreboot -noeula" Start-Process -FilePath $nvidiaInstallerFilePath -ArgumentList $installerArguments -Wait -NoNewWindow -PassThru ---- -**Verify your installation** +*Verify your installation* Run the following PowerShell command to show diagnostic information about the GPUs on the instance: @@ -85,14 +85,14 @@ The device plugin DaemonSet will run on every node as a host process container w When running GPU-accelerated containers, the device plugin supports two modes: -* **Single-tenancy mode**: This mode dedicates all GPU resources to a single container on the instance. Install the device plugins with single-tenancy support using the following command. See README.md for more information. +* *Single-tenancy mode*: This mode dedicates all GPU resources to a single container on the instance. Install the device plugins with single-tenancy support using the following command. See README.md for more information. + [source,bash,subs="verbatim,attributes"] ---- kubectl apply -f "https://raw.githubusercontent.com/TensorWorks/directx-device-plugins/main/deployments/default-daemonsets.yml" ---- -* **Multi-tenancy mode**: This mode allows sharing GPU resources among multiple containers on the instance. Install the device plugins with multi-tenancy support using the following command. See README.md for more information. +* *Multi-tenancy mode*: This mode allows sharing GPU resources among multiple containers on the instance. Install the device plugins with multi-tenancy support using the following command. See README.md for more information. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/networking/lbc-helm.adoc b/latest/ug/networking/lbc-helm.adoc index 15037ac7e..dc61953fb 100644 --- a/latest/ug/networking/lbc-helm.adoc +++ b/latest/ug/networking/lbc-helm.adoc @@ -51,7 +51,7 @@ You only need to create an IAM Role for the [.noloc]`{aws} Load Balancer Control [NOTE] ==== -Below example is referring to the [.noloc]`{aws} Load Balancer Controller` **v2.11.0** release version. For more information about all releases, see the https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/[{aws} Load Balancer Controller Release Page] on [.noloc]`GitHub`. +Below example is referring to the [.noloc]`{aws} Load Balancer Controller` *v2.11.0* release version. For more information about all releases, see the https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/[{aws} Load Balancer Controller Release Page] on [.noloc]`GitHub`. ==== diff --git a/latest/ug/networking/lbc-manifest.adoc b/latest/ug/networking/lbc-manifest.adoc index b34e9821f..248852323 100644 --- a/latest/ug/networking/lbc-manifest.adoc +++ b/latest/ug/networking/lbc-manifest.adoc @@ -48,7 +48,7 @@ You only need to create a role for the [.noloc]`{aws} Load Balancer Controller` [NOTE] ==== -Below example is referring to the [.noloc]`{aws} Load Balancer Controller` **v2.11.0** release version. For more inforamtion about all releases, see the https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/[{aws} Load Balancer Controller Release Page] on [.noloc]`GitHub`. +Below example is referring to the [.noloc]`{aws} Load Balancer Controller` *v2.11.0* release version. For more inforamtion about all releases, see the https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/[{aws} Load Balancer Controller Release Page] on [.noloc]`GitHub`. ==== diff --git a/latest/ug/nodes/eks-custom-ami-windows.adoc b/latest/ug/nodes/eks-custom-ami-windows.adoc index d2affe9a2..6d6723974 100644 --- a/latest/ug/nodes/eks-custom-ami-windows.adoc +++ b/latest/ug/nodes/eks-custom-ami-windows.adoc @@ -91,9 +91,7 @@ When using an Amazon EKS optimized [.noloc]`Windows` AMI as a base isn't viable, .. Choose *Specify component version*. .. In the *Component Version* field, enter [.replaceable]`version.x`, replacing [.replaceable]`version` with a supported [.noloc]`Kubernetes` version. Entering an [.replaceable]`x` for part of the version number indicates to use the latest component version that also aligns with the part of the version you explicitly define. Pay attention to the console output as it will advise you on whether your desired version is available as a managed component. Keep in mind that the most recent [.noloc]`Kubernetes` versions may not be available for the build component. For more information about available versions, see <>. + -NOTE: The following `eks-optimized-ami-windows` build component versions require `eksctl` version `0.129` or lower: - -*** `1.24.0` +NOTE: The `1.24.0` `eks-optimized-ami-windows` build component versions require `eksctl` version `0.129` or lower. . Complete the remaining image recipe inputs with your required configurations. For more information, see link:imagebuilder/latest/userguide/create-image-recipes.html#create-image-recipe-version-console[Create a new image recipe version (console),type="documentation"] in the Image Builder User Guide. . Choose *Create recipe*. diff --git a/latest/ug/nodes/retrieve-ami-id.adoc b/latest/ug/nodes/retrieve-ami-id.adoc index ef983b953..1fb4ffc0d 100644 --- a/latest/ug/nodes/retrieve-ami-id.adoc +++ b/latest/ug/nodes/retrieve-ami-id.adoc @@ -23,7 +23,7 @@ You can retrieve the image ID of the latest recommended Amazon EKS optimized Ama ** Use [.replaceable]`amazon-linux-2023/x86_64/neuron` for the latest AL2023 link:machine-learning/neuron/[{aws} Neuron,type="marketing"] instances. ** Use [.replaceable]`amazon-linux-2` for Amazon Linux 2 (AL2) `x86` based instances. ** Use [.replaceable]`amazon-linux-2-arm64` for AL2 ARM instances, such as link:ec2/graviton/[{aws} Graviton,type="marketing"] based instances. -** Use `amazon-linux-2-gpu` for AL2 link:AWSEC2/latest/UserGuide/accelerated-computing-instances.html[hardware accelerated,type="documentation"] `x86` based instances for NVIDIA GPU, link:machine-learning/inferentia/[Inferentia,type="marketing"], and link:machine-learning/trainium/[Trainium,type="marketing"] based workloads. +** Use [.replaceable]`amazon-linux-2-gpu` for AL2 link:AWSEC2/latest/UserGuide/accelerated-computing-instances.html[hardware accelerated,type="documentation"] `x86` based instances for NVIDIA GPU, link:machine-learning/inferentia/[Inferentia,type="marketing"], and link:machine-learning/trainium/[Trainium,type="marketing"] based workloads. * Replace `` with an link:general/latest/gr/eks.html[Amazon EKS supported {aws} Region,type="documentation"] for which you want the AMI ID. [source,bash,subs="verbatim,attributes"] diff --git a/latest/ug/outposts/eks-outposts-local-cluster-create.adoc b/latest/ug/outposts/eks-outposts-local-cluster-create.adoc index 0e92f5f8a..fcfe8c5d2 100644 --- a/latest/ug/outposts/eks-outposts-local-cluster-create.adoc +++ b/latest/ug/outposts/eks-outposts-local-cluster-create.adoc @@ -28,7 +28,7 @@ This topic provides an overview of what to consider when running a local cluster * Amazon EBS backed [.noloc]`Kubernetes` `PersistentVolumes` are supported using the Amazon EBS CSI driver. * The control plane instances of local clusters are set up in https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/[stacked highly available topology]. Two out of the three control plane instances must be healthy at all times to maintain quorum. If quorum is lost, contact {aws} support, as some service-side actions will be required to enable the new managed instances. -**Prerequisites** +*Prerequisites* * Familiarity with the <>, <>, and <>. * An existing Outpost. For more information, see link:outposts/latest/userguide/what-is-outposts.html[What is {aws} Outposts,type="documentation"]. diff --git a/latest/ug/quickstart.adoc b/latest/ug/quickstart.adoc index 34df546b7..ccdc01d37 100644 --- a/latest/ug/quickstart.adoc +++ b/latest/ug/quickstart.adoc @@ -25,16 +25,16 @@ Overall, you'll deploy a sample workload with the custom annotations required to Using the `eksctl` cluster template that follows, you'll build a cluster with EKS Auto Mode for automated node provisioning. -**VPC Configuration** +*VPC Configuration* When using the eksctl cluster template that follows, eksctl automatically creates an IPv4 Virtual Private Cloud (VPC) for the cluster. By default, eksctl configures a VPC that addresses all networking requirements, in addition to creating both public and private endpoints. -**Instance Management** +*Instance Management* EKS Auto Mode dynamically adds or removes nodes in your EKS cluster based on the demands of your Kubernetes applications. -**Data Persistence** +*Data Persistence* Use the block storage capability of EKS Auto Mode to ensure the persistence of application data, even in scenarios involving pod restarts or failures. -**External App Access** +*External App Access* Use the load balancing capability of EKS Auto Mode to dynamically provision an Application Load Balancer (ALB). ## Prerequisites diff --git a/latest/ug/security/auto-security.adoc b/latest/ug/security/auto-security.adoc index cd74dea11..e01c67421 100644 --- a/latest/ug/security/auto-security.adoc +++ b/latest/ug/security/auto-security.adoc @@ -23,12 +23,12 @@ Amazon EKS Auto Mode uses {aws} platform security mechanisms to secure and authe Amazon EKS Auto Mode supports multiple layers of network security: -* **VPC integration** +* *VPC integration* ** Operates within your Amazon Virtual Private Cloud (VPC) ** Supports custom VPC configurations and subnet layouts ** Enables private networking between cluster components ** For more information, see link:vpc/latest/userguide/security.html["Managing security responsibilities for Amazon Virtual Private Cloud",type="documentation"] -* **Network Policies** +* *Network Policies* ** Native support for Kubernetes Network Policies ** Ability to define granular network traffic rules ** For more information, see <> diff --git a/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc b/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc index f6612ebdc..f08b2c7cd 100644 --- a/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc +++ b/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc @@ -112,7 +112,7 @@ aws iam create-role \ ---- . Attach the required IAM policies to the role: -**AmazonEKSClusterPolicy**: +*AmazonEKSClusterPolicy*: ``` aws iam attach-role-policy \ @@ -120,7 +120,7 @@ aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEKSClusterPolicy ``` -**AmazonEKSComputePolicy**: +*AmazonEKSComputePolicy*: ``` aws iam attach-role-policy \ @@ -128,7 +128,7 @@ aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEKSComputePolicy ``` -**AmazonEKSBlockStoragePolicy**: +*AmazonEKSBlockStoragePolicy*: ``` aws iam attach-role-policy \ @@ -136,7 +136,7 @@ aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEKSBlockStoragePolicy ``` -**AmazonEKSLoadBalancingPolicy**: +*AmazonEKSLoadBalancingPolicy*: ``` aws iam attach-role-policy \ @@ -144,7 +144,7 @@ aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEKSLoadBalancingPolicy ``` -**AmazonEKSNetworkingPolicy**: +*AmazonEKSNetworkingPolicy*: ``` aws iam attach-role-policy \ From f7b1759202bcd87ca3cb524145e9890bfe4ce727 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Sat, 8 Feb 2025 00:00:24 +0000 Subject: [PATCH 127/940] Spot check fixes. --- latest/ug/automode/auto-configure-nlb.adoc | 2 +- latest/ug/automode/settings-auto.adoc | 2 +- .../{auto-tag-subnets.adoc => tag-subnets-auto.adoc} | 6 ++++-- .../management/cost-monitoring-kubecost-bundles.adoc | 11 +++++------ latest/ug/clusters/update-cluster.adoc | 2 +- latest/ug/doc-history.adoc | 4 ++-- latest/ug/getting-started/getting-started-eksctl.adoc | 2 +- latest/ug/networking/cni-custom-network-tutorial.adoc | 2 +- latest/ug/networking/cni-iam-role.adoc | 2 +- latest/ug/networking/coredns-autoscaling.adoc | 6 +++--- latest/ug/networking/creating-a-vpc.adoc | 2 +- .../kube-proxy-add-on-self-managed-update.adoc | 2 +- .../networking/security-groups-pods-deployment.adoc | 2 +- latest/ug/nodes/choosing-instance-type.adoc | 2 +- latest/ug/nodes/fargate-logging.adoc | 2 +- latest/ug/nodes/hybrid-nodes-nodeadm.adoc | 2 +- latest/ug/nodes/launch-node-bottlerocket.adoc | 2 +- latest/ug/nodes/launch-templates.adoc | 2 +- latest/ug/nodes/launch-windows-workers.adoc | 2 +- latest/ug/nodes/node-health.adoc | 2 +- latest/ug/nodes/retrieve-ami-id.adoc | 2 +- latest/ug/observability/deploy-prometheus.adoc | 2 +- .../understanding-service-name-entries.adoc | 4 ++-- .../ug/outposts/eks-outposts-self-managed-nodes.adoc | 2 +- .../ug/security/iam-reference/create-node-role.adoc | 4 ++-- .../iam-reference/security-iam-awsmanpol.adoc | 4 ++-- latest/ug/storage/efs-csi.adoc | 2 +- latest/ug/workloads/creating-an-add-on.adoc | 2 +- latest/ug/workloads/network-load-balancing.adoc | 4 ++-- latest/ug/workloads/updating-an-add-on.adoc | 2 +- 30 files changed, 44 insertions(+), 43 deletions(-) rename latest/ug/automode/{auto-tag-subnets.adoc => tag-subnets-auto.adoc} (99%) diff --git a/latest/ug/automode/auto-configure-nlb.adoc b/latest/ug/automode/auto-configure-nlb.adoc index 47541f30d..71e9999e0 100644 --- a/latest/ug/automode/auto-configure-nlb.adoc +++ b/latest/ug/automode/auto-configure-nlb.adoc @@ -9,7 +9,7 @@ Learn how to configure Network Load Balancers (NLB) in Amazon EKS using Kubernet When you create a Kubernetes service of type `LoadBalancer` in EKS Auto Mode, EKS automatically provisions and configures an {aws} Network Load Balancer based on the annotations you specify. This declarative approach allows you to manage load balancer configurations directly through your Kubernetes manifests, maintaining infrastructure as code practices. -EKS Auto Mode handles Network Load Balancer provisioning by default for all services of type LoadBalancer - no additional controller installation or configuration is required. The `loadBalancerClass: eks.amazonaws.com/nlb `specification is automatically set as the cluster default, streamlining the deployment process while maintaining compatibility with existing Kubernetes workloads. +EKS Auto Mode handles Network Load Balancer provisioning by default for all services of type LoadBalancer - no additional controller installation or configuration is required. The `loadBalancerClass: eks.amazonaws.com/nlb` specification is automatically set as the cluster default, streamlining the deployment process while maintaining compatibility with existing Kubernetes workloads. [NOTE] ==== diff --git a/latest/ug/automode/settings-auto.adoc b/latest/ug/automode/settings-auto.adoc index 7a3459f80..b9fdc3c50 100644 --- a/latest/ug/automode/settings-auto.adoc +++ b/latest/ug/automode/settings-auto.adoc @@ -109,7 +109,7 @@ include::critical-workload.adoc[leveloffset=+1] include::auto-net-pol.adoc[leveloffset=+1] -include::auto-tag-subnets.adoc[leveloffset=+1] +include::tag-subnets-auto.adoc[leveloffset=+1] 📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23settings-auto%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/automode/auto-tag-subnets.adoc b/latest/ug/automode/tag-subnets-auto.adoc similarity index 99% rename from latest/ug/automode/auto-tag-subnets.adoc rename to latest/ug/automode/tag-subnets-auto.adoc index a27fd35aa..27961054d 100644 --- a/latest/ug/automode/auto-tag-subnets.adoc +++ b/latest/ug/automode/tag-subnets-auto.adoc @@ -25,7 +25,8 @@ At this time, subnets used for load balancing by EKS Auto Mode are required to h Public subnets are used for internet-facing load balancers. These subnets must have the following tags: |=== -|Key |Value +|Key +|Value |`kubernetes.io/role/elb` |`1` or `` @@ -35,7 +36,8 @@ Public subnets are used for internet-facing load balancers. These subnets must h Private subnets are used for internal load balancers. These subnets must have the following tags: |=== -|Key |Value +|Key +|Value |`kubernetes.io/role/internal-elb` |`1` or `` diff --git a/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc b/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc index e0d075657..3bb0baf03 100644 --- a/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc +++ b/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc @@ -269,7 +269,7 @@ Kubecost saved reports are predefined views of cost and efficiency metrics. They *What is cloud billing integration?* -Integration with {aws} billing APIs allows Kubecost to display out-of-cluster costs (such as Amazon S3). Additionally, it allows Kubecost to reconcile Kubecost`'s in-cluster predictions with actual billing data to account for spot usage, savings plans, and enterprise discounts. +Integration with {aws} billing APIs allows Kubecost to display out-of-cluster costs (such as Amazon S3). Additionally, it allows Kubecost to reconcile Kubecost's in-cluster predictions with actual billing data to account for spot usage, savings plans, and enterprise discounts. *What do savings recommendations include?* @@ -277,7 +277,7 @@ Kubecost provides insights and automation to help users optimize their Kubernete *Is there a charge for this functionality?* -No. You can use this version of Kubecost at no additional charge. If you want additional Kubecost capabilities that aren`'t included in this bundle, you can buy an enterprise license of Kubecost through the {aws} Marketplace, or from Kubecost directly. +No. You can use this version of Kubecost at no additional charge. If you want additional Kubecost capabilities that aren't included in this bundle, you can buy an enterprise license of Kubecost through the {aws} Marketplace, or from Kubecost directly. *Is support available?* @@ -297,13 +297,13 @@ No. This version is only compatible with Amazon EKS clusters. *Can Kubecost track costs for Amazon EKS on {aws} Fargate?* -Kubecost provides best effort to show cluster cost visibility for Amazon EKS on Fargate, but with lower accuracy than with Amazon EKS on Amazon EC2. This is primarily due to the difference in how you`'re billed for your usage. With Amazon EKS on Fargate, you`'re billed for consumed resources. With Amazon EKS on Amazon EC2 nodes, you`'re billed for provisioned resources. Kubecost calculates the cost of an Amazon EC2 node based on the node specification, which includes CPU, RAM, and ephemeral storage. With Fargate, costs are calculated based on the requested resources for the Fargate Pods. +Kubecost provides best effort to show cluster cost visibility for Amazon EKS on Fargate, but with lower accuracy than with Amazon EKS on Amazon EC2. This is primarily due to the difference in how you're billed for your usage. With Amazon EKS on Fargate, you're billed for consumed resources. With Amazon EKS on Amazon EC2 nodes, you're billed for provisioned resources. Kubecost calculates the cost of an Amazon EC2 node based on the node specification, which includes CPU, RAM, and ephemeral storage. With Fargate, costs are calculated based on the requested resources for the Fargate Pods. *How can I get updates and new versions of Kubecost?* You can upgrade your Kubecost version using standard Helm upgrade procedures. The latest versions are in the https://gallery.ecr.aws/kubecost/cost-analyzer[Amazon ECR Public Gallery]. -*Is the `*kubectl-cost*` CLI supported? How do I install it?* +*Is the `kubectl-cost` CLI supported? How do I install it?* Yes. `Kubectl-cost` is an open source tool by Kubecost (Apache 2.0 License) that provides CLI access to Kubernetes cost allocation metrics. To install `kubectl-cost`, see https://github.com/kubecost/kubectl-cost#installation[Installation] on GitHub. @@ -324,8 +324,7 @@ No. image::images/kubecost-architecture.png[Kubecost architecture,scaledwidth=100%] + With https://prometheus.io/[Prometheus] pre-installed, you can write queries to ingest [.noloc]`Kubecost` data into your current business intelligence system for further analysis. You can also use it as a data source for your current https://grafana.com/[Grafana] dashboard to display Amazon EKS cluster costs that your internal teams are familiar with. To learn more about how to write [.noloc]`Prometheus` queries, see the https://github.com/opencost/opencost/blob/develop/PROMETHEUS.md[Prometheus Configuration]``readme`` file on GitHub or use the example [.noloc]`Grafana` JSON models in the https://github.com/kubecost/cost-analyzer-helm-chart/tree/develop/cost-analyzer[Kubecost Github repository] as references. -* *{aws} Cost and Usage Report integration* – To perform cost allocation calculations for your Amazon EKS cluster, [.noloc]`Kubecost` retrieves the public pricing information of {aws} services and {aws} resources from the {aws} Price List API. You can also integrate [.noloc]`Kubecost` with *{aws} Cost and Usage Report*:: - to enhance the accuracy of the pricing information specific to your {aws} account. This information includes enterprise discount programs, reserved instance usage, savings plans, and spot usage. To learn more about how the {aws} Cost and Usage Report integration works, see https://docs.kubecost.com/install-and-configure/install/cloud-integration/aws-cloud-integrations[{aws} Cloud Billing Integration] in the [.noloc]`Kubecost` documentation. +* *{aws} Cost and Usage Report integration* – To perform cost allocation calculations for your Amazon EKS cluster, [.noloc]`Kubecost` retrieves the public pricing information of {aws} services and {aws} resources from the {aws} Price List API. You can also integrate [.noloc]`Kubecost` with *{aws} Cost and Usage Report* to enhance the accuracy of the pricing information specific to your {aws} account. This information includes enterprise discount programs, reserved instance usage, savings plans, and spot usage. To learn more about how the {aws} Cost and Usage Report integration works, see https://docs.kubecost.com/install-and-configure/install/cloud-integration/aws-cloud-integrations[{aws} Cloud Billing Integration] in the [.noloc]`Kubecost` documentation. 📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cost-monitoring-kubecost-bundles%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/clusters/update-cluster.adoc b/latest/ug/clusters/update-cluster.adoc index ee463d661..22041ff79 100644 --- a/latest/ug/clusters/update-cluster.adoc +++ b/latest/ug/clusters/update-cluster.adoc @@ -220,7 +220,7 @@ An example output is as follows. . (Optional) If you deployed the [.noloc]`Kubernetes` Cluster Autoscaler to your cluster before updating the cluster, update the Cluster Autoscaler to the latest version that matches the [.noloc]`Kubernetes` major and minor version that you updated to. + .. Open the Cluster Autoscaler https://github.com/kubernetes/autoscaler/releases[releases] page in a web browser and find the latest Cluster Autoscaler version that matches your cluster's [.noloc]`Kubernetes` major and minor version. For example, if your cluster's [.noloc]`Kubernetes` version is `1.30` find the latest Cluster Autoscaler release that begins with `1.30`. Record the semantic version number (``1.30.n``, for example) for that release to use in the next step. -.. Set the Cluster Autoscaler image tag to the version that you recorded in the previous step with the following command. If necessary, replace [.replaceable]`1.30`.[.replaceable]`n`` with your own value. +.. Set the Cluster Autoscaler image tag to the version that you recorded in the previous step with the following command. If necessary, replace [.replaceable]`1.30`.[.replaceable]`n` with your own value. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index a99169150..d56117a13 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -722,7 +722,7 @@ You can now install the Amazon FSx for OpenZFS CSI driver on Amazon EKS clusters [.update-ulink] link:eks/latest/userguide/cni-ipv6-egress.html[type="documentation"] -After assigning an IPv6 address to your node, your [.noloc]`Pods`' `IPv4` address is network address translated to the `IPv6` address of the node that it's running on. +After assigning an IPv6 address to your node, your Pods' `IPv4` address is network address translated to the `IPv6` address of the node that it's running on. [.update,date="2023-05-30"] @@ -1739,7 +1739,7 @@ New platform version that updates Amazon EKS [.noloc]`Kubernetes` `1.11` cluster [.update,date="2019-02-13"] === Amazon EKS {aws} Region expansion -Amazon EKS is now available in the Europe (London) (`eu-west-2`), Europe (Paris) (`eu-west-3`), and Asia Pacific (Mumbai) (``ap-south-1`) {aws} Regions. +Amazon EKS is now available in the Europe (London) (`eu-west-2`), Europe (Paris) (`eu-west-3`), and Asia Pacific (Mumbai) (`ap-south-1`) {aws} Regions. [.update,date="2019-02-13"] diff --git a/latest/ug/getting-started/getting-started-eksctl.adoc b/latest/ug/getting-started/getting-started-eksctl.adoc index f3b18e504..442482347 100644 --- a/latest/ug/getting-started/getting-started-eksctl.adoc +++ b/latest/ug/getting-started/getting-started-eksctl.adoc @@ -68,7 +68,7 @@ Cluster creation takes several minutes. During creation you'll see several lines ---- [...] -[✓] EKS cluster "my-cluster" in "`region-code`" region is ready +[✓] EKS cluster "my-cluster" in "region-code" region is ready ---- `eksctl` created a `kubectl` config file in `~/.kube/config` or added the new cluster's configuration within an existing config file in `~/.kube/config` on your computer. diff --git a/latest/ug/networking/cni-custom-network-tutorial.adoc b/latest/ug/networking/cni-custom-network-tutorial.adoc index 2bef26d35..a5d49fb39 100644 --- a/latest/ug/networking/cni-custom-network-tutorial.adoc +++ b/latest/ug/networking/cni-custom-network-tutorial.adoc @@ -415,7 +415,7 @@ aws eks create-nodegroup --cluster-name my-custom-networking-cluster --nodegroup *** *With a launch template with a specified AMI ID* + -.... Determine the Amazon EKS recommended number of maximum [.noloc]`Pods `for your nodes. Follow the instructions in <>, adding `--cni-custom-networking-enabled` to step 3 in that topic. Note the output for use in the next step. +.... Determine the Amazon EKS recommended number of maximum Pods for your nodes. Follow the instructions in <>, adding `--cni-custom-networking-enabled` to step 3 in that topic. Note the output for use in the next step. .... In your launch template, specify an Amazon EKS optimized AMI ID, or a custom AMI built off the Amazon EKS optimized AMI, then <> and provide the following user data in the launch template. This user data passes arguments into the `bootstrap.sh` file. For more information about the bootstrap file, see https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap.sh] on [.noloc]`GitHub`. You can replace `20` with either the value from the previous step (recommended) or your own value. + [source,bash,subs="verbatim,attributes"] diff --git a/latest/ug/networking/cni-iam-role.adoc b/latest/ug/networking/cni-iam-role.adoc index e47b76a28..0fc6a758c 100644 --- a/latest/ug/networking/cni-iam-role.adoc +++ b/latest/ug/networking/cni-iam-role.adoc @@ -13,7 +13,7 @@ Learn how to configure the [.noloc]`Amazon VPC CNI plugin for Kubernetes` to use The https://github.com/aws/amazon-vpc-cni-k8s[Amazon VPC CNI plugin for Kubernetes] is the networking plugin for [.noloc]`Pod` networking in Amazon EKS clusters. The plugin is responsible for allocating VPC IP addresses to [.noloc]`Kubernetes` nodes and configuring the necessary networking for [.noloc]`Pods` on each node. The plugin: -* Requires {aws} Identity and Access Management (IAM) permissions. If your cluster uses the `IPv4` family, the permissions are specified in the ` link:aws-managed-policy/latest/reference/AmazonEKS_CNI_Policy.html[AmazonEKS_CNI_Policy,type="documentation"]` {aws} managed policy.If your cluster uses the `IPv6` family, then the permissions must be added to an IAM policy that you create; for instructions, see <>. You can attach the policy to the Amazon EKS node IAM role, or to a separate IAM role. For instructions to attach the policy to the Amazon EKS node IAM role, see <>. We recommend that you assign it to a separate role, as detailed in this topic. +* Requires {aws} Identity and Access Management (IAM) permissions. If your cluster uses the `IPv4` family, the permissions are specified in the link:aws-managed-policy/latest/reference/AmazonEKS_CNI_Policy.html[`AmazonEKS_CNI_Policy`,type="documentation"] {aws} managed policy. If your cluster uses the `IPv6` family, then the permissions must be added to an IAM policy that you create; for instructions, see <>. You can attach the policy to the Amazon EKS node IAM role, or to a separate IAM role. For instructions to attach the policy to the Amazon EKS node IAM role, see <>. We recommend that you assign it to a separate role, as detailed in this topic. * Creates and is configured to use a [.noloc]`Kubernetes` service account named `aws-node` when it's deployed. The service account is bound to a [.noloc]`Kubernetes` `clusterrole` named `aws-node`, which is assigned the required [.noloc]`Kubernetes` permissions. diff --git a/latest/ug/networking/coredns-autoscaling.adoc b/latest/ug/networking/coredns-autoscaling.adoc index 461f30e4e..9d2de887d 100644 --- a/latest/ug/networking/coredns-autoscaling.adoc +++ b/latest/ug/networking/coredns-autoscaling.adoc @@ -10,7 +10,7 @@ include::../attributes.txt[] Learn how the Amazon EKS add-on for [.noloc]`CoreDNS` autoscales to handle increased load on DNS pods, improving application availability and cluster scalability. -- -When you launch an Amazon EKS cluster with at least one node, a [.noloc]`Deployment` of two replicas of the [.noloc]`CoreDNS` image are deployed by default, regardless of the number of nodes deployed in your cluster. The [.noloc]`CoreDNS` Pods provide name resolution for all Pods in the cluster. Applications use name resolution to connect to pods and services in the cluster as well as connecting to services outside the cluster. As the number of requests for name resolution (queries) from pods increase, the [.noloc]`CoreDNS` pods can get overwhelmed and slow down, and reject requests that the pods can`'t handle. +When you launch an Amazon EKS cluster with at least one node, a [.noloc]`Deployment` of two replicas of the [.noloc]`CoreDNS` image are deployed by default, regardless of the number of nodes deployed in your cluster. The [.noloc]`CoreDNS` Pods provide name resolution for all Pods in the cluster. Applications use name resolution to connect to pods and services in the cluster as well as connecting to services outside the cluster. As the number of requests for name resolution (queries) from pods increase, the [.noloc]`CoreDNS` pods can get overwhelmed and slow down, and reject requests that the pods can't handle. To handle the increased load on the [.noloc]`CoreDNS` pods, consider an autoscaling system for [.noloc]`CoreDNS`. Amazon EKS can manage the autoscaling of the [.noloc]`CoreDNS` Deployment in the EKS Add-on version of [.noloc]`CoreDNS`. This [.noloc]`CoreDNS` autoscaler continuously monitors the cluster state, including the number of nodes and CPU cores. Based on that information, the controller will dynamically adapt the number of replicas of the [.noloc]`CoreDNS` deployment in an EKS cluster. This feature works for [.noloc]`CoreDNS` `v1.9` and EKS release version `1.25` and later. For more information about which versions are compatible with [.noloc]`CoreDNS` Autoscaling, see the following section. @@ -99,7 +99,7 @@ Every platform version of later [.noloc]`Kubernetes` versions are also supported ==== . Ensure that your cluster is at or above the minimum cluster version. + -Amazon EKS upgrades clusters between platform versions of the same [.noloc]`Kubernetes` version automatically, and you can`'t start this process yourself. Instead, you can upgrade your cluster to the next [.noloc]`Kubernetes` version, and the cluster will be upgraded to that K8s version and the latest platform version. For example, if you upgrade from `1.25` to `1.26`, the cluster will upgrade to `1.26.15 eks.18`. +Amazon EKS upgrades clusters between platform versions of the same [.noloc]`Kubernetes` version automatically, and you can't start this process yourself. Instead, you can upgrade your cluster to the next [.noloc]`Kubernetes` version, and the cluster will be upgraded to that K8s version and the latest platform version. For example, if you upgrade from `1.25` to `1.26`, the cluster will upgrade to `1.26.15 eks.18`. + New [.noloc]`Kubernetes` versions sometimes introduce significant changes. Therefore, we recommend that you test the behavior of your applications by using a separate cluster of the new [.noloc]`Kubernetes` version before you update your production clusters. + @@ -194,7 +194,7 @@ If the rollout takes too long, Amazon EKS will undo the rollout, and a message w ==== . Ensure that your cluster is at or above the minimum cluster version. + -Amazon EKS upgrades clusters between platform versions of the same [.noloc]`Kubernetes` version automatically, and you can`'t start this process yourself. Instead, you can upgrade your cluster to the next [.noloc]`Kubernetes` version, and the cluster will be upgraded to that K8s version and the latest platform version. For example, if you upgrade from `1.25` to `1.26`, the cluster will upgrade to `1.26.15 eks.18`. +Amazon EKS upgrades clusters between platform versions of the same [.noloc]`Kubernetes` version automatically, and you can't start this process yourself. Instead, you can upgrade your cluster to the next [.noloc]`Kubernetes` version, and the cluster will be upgraded to that K8s version and the latest platform version. For example, if you upgrade from `1.25` to `1.26`, the cluster will upgrade to `1.26.15 eks.18`. + New [.noloc]`Kubernetes` versions sometimes introduce significant changes. Therefore, we recommend that you test the behavior of your applications by using a separate cluster of the new [.noloc]`Kubernetes` version before you update your production clusters. + diff --git a/latest/ug/networking/creating-a-vpc.adoc b/latest/ug/networking/creating-a-vpc.adoc index 603e66cbf..9f63a7288 100644 --- a/latest/ug/networking/creating-a-vpc.adoc +++ b/latest/ug/networking/creating-a-vpc.adoc @@ -65,7 +65,7 @@ https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2020-10-29/amazon-e ... Open the Amazon VPC console at https://console.aws.amazon.com/vpc/. ... In the left navigation pane, choose *Subnets* ... Select one of your public subnets (*[.replaceable]`stack-name`/SubnetPublic01* or *[.replaceable]`stack-name`/SubnetPublic02* contains the word *public*) and choose *Actions*, *Edit subnet settings*. -... Choose the *Enable auto-assign `*IPv6*` address* check box and then choose *Save*. +... Choose the *Enable auto-assign IPv6 address* check box and then choose *Save*. ... Complete the previous steps again for your other public subnet. diff --git a/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc b/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc index 0c9b051e9..428621981 100644 --- a/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc +++ b/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc @@ -97,7 +97,7 @@ Add the following node selector to the file in the editor and then save the file kubectl edit -n kube-system daemonset/kube-proxy ---- + -Add the following `Affinity Rule` to the [.noloc]`DaemonSet`spec`` section of the file in the editor and then save the file. For an example of where to include this text in the editor, see the https://github.com/aws/amazon-vpc-cni-k8s/blob/release-1.11/config/master/aws-k8s-cni.yaml#L270-#L273[CNI manifest] file on [.noloc]`GitHub`. +Add the following `Affinity Rule` to the [.noloc]`DaemonSet` `spec` section of the file in the editor and then save the file. For an example of where to include this text in the editor, see the https://github.com/aws/amazon-vpc-cni-k8s/blob/release-1.11/config/master/aws-k8s-cni.yaml#L270-#L273[CNI manifest] file on [.noloc]`GitHub`. + [source,yaml,subs="verbatim,attributes"] ---- diff --git a/latest/ug/networking/security-groups-pods-deployment.adoc b/latest/ug/networking/security-groups-pods-deployment.adoc index da0b99a07..462ec4c33 100644 --- a/latest/ug/networking/security-groups-pods-deployment.adoc +++ b/latest/ug/networking/security-groups-pods-deployment.adoc @@ -46,7 +46,7 @@ kubectl set env daemonset aws-node -n kube-system ENABLE_POD_ENI=true ---- + NOTE: The trunk network interface is included in the maximum number of network interfaces supported by the instance type. For a list of the maximum number of network interfaces supported by each instance type, see link:AWSEC2/latest/UserGuide/using-eni.html#AvailableIpPerENI[IP addresses per network interface per instance type,type="documentation"] in the _Amazon EC2 User Guide_. If your node already has the maximum number of standard network interfaces attached to it then the VPC resource controller will reserve a space. You will have to scale down your running [.noloc]`Pods` enough for the controller to detach and delete a standard network interface, create the trunk network interface, and attach it to the instance. -. You can see which of your nodes have a `CNINode` custom resource with the following command. If `No resources found` is returned, then wait several seconds and try again. The previous step requires restarting the [.noloc]`Amazon VPC CNI plugin for` Kubernetes Pods`, which takes several seconds. +. You can see which of your nodes have a `CNINode` custom resource with the following command. If `No resources found` is returned, then wait several seconds and try again. The previous step requires restarting the [.noloc]`Amazon VPC CNI plugin for Kubernetes Pods`, which takes several seconds. + [source,shell,subs="verbatim,attributes"] ---- diff --git a/latest/ug/nodes/choosing-instance-type.adoc b/latest/ug/nodes/choosing-instance-type.adoc index 0277669b8..7fd16c279 100644 --- a/latest/ug/nodes/choosing-instance-type.adoc +++ b/latest/ug/nodes/choosing-instance-type.adoc @@ -39,7 +39,7 @@ Do you need [.noloc]`x86` or [.noloc]`Arm`? Before deploying [.noloc]`Arm` insta *Maximum number of [.noloc]`Pods`*:: Since each [.noloc]`Pod` is assigned its own IP address, the number of IP addresses supported by an instance type is a factor in determining the number of [.noloc]`Pods` that can run on the instance. To manually determine how many [.noloc]`Pods` an instance type supports, see <>. + -NOTE: If you're using an Amazon EKS optimized Amazon Linux 2 AMI that's `v20220406` or newer, you can use a new instance type without upgrading to the latest AMI. For these AMIs, the AMI auto-calculates the necessary `max-pods` value if it isn't listed in the https://github.com/awslabs/amazon-eks-ami/blob/main/templates/shared/runtime/eni-max-pods.txt[eni-max-pods.txt] file. Instance types that are currently in preview may not be supported by Amazon EKS by default. Values for max-pods` for such types still need to be added to `eni-max-pods.txt` in our AMI. +NOTE: If you're using an Amazon EKS optimized Amazon Linux 2 AMI that's `v20220406` or newer, you can use a new instance type without upgrading to the latest AMI. For these AMIs, the AMI auto-calculates the necessary `max-pods` value if it isn't listed in the https://github.com/awslabs/amazon-eks-ami/blob/main/templates/shared/runtime/eni-max-pods.txt[eni-max-pods.txt] file. Instance types that are currently in preview may not be supported by Amazon EKS by default. Values for `max-pods` for such types still need to be added to `eni-max-pods.txt` in our AMI. + link:ec2/nitro/[{aws} Nitro System,type="marketing"] instance types optionally support significantly more IP addresses than non-Nitro System instance types. However, not all IP addresses assigned for an instance are available to [.noloc]`Pods`. To assign a significantly larger number of IP addresses to your instances, you must have version `1.9.0` or later of the Amazon VPC CNI add-on installed in your cluster and configured appropriately. For more information, see <>. To assign the largest number of IP addresses to your instances, you must have version `1.10.1` or later of the Amazon VPC CNI add-on installed in your cluster and deploy the cluster with the `IPv6` family. diff --git a/latest/ug/nodes/fargate-logging.adoc b/latest/ug/nodes/fargate-logging.adoc index 79bd7b893..243c4e6a5 100644 --- a/latest/ug/nodes/fargate-logging.adoc +++ b/latest/ug/nodes/fargate-logging.adoc @@ -118,7 +118,7 @@ You have two output options when using CloudWatch: + The following example shows you how to use the `cloudwatch_logs` plugin to send logs to CloudWatch. -.. Save the following contents to a file named `[.replaceable]``aws-logging-cloudwatch-configmap``.yaml`. Replace [.replaceable]`region-code` with the {aws} Region that your cluster is in. The parameters under `[OUTPUT]` are required. +.. Save the following contents to a file named `aws-logging-cloudwatch-configmap.yaml`. Replace [.replaceable]`region-code` with the {aws} Region that your cluster is in. The parameters under `[OUTPUT]` are required. // Not using subs="quotes" here with [.replaceable]`region-code` because the ^ characters get dropped, even when using AsciiDoc's built-in {caret} character replacement attribute. + [source,yaml,subs="verbatim,attributes"] diff --git a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc index 52f73f0f6..108caf6ec 100644 --- a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc +++ b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc @@ -240,7 +240,7 @@ nodeadm init [flags] `install-validation` skips checking if the proceding install command ran successfully. -|`-h, `--help` +|`-h`, `--help` |FALSE |Displays help message with available flag, subcommand and positional value parameters. |=== diff --git a/latest/ug/nodes/launch-node-bottlerocket.adoc b/latest/ug/nodes/launch-node-bottlerocket.adoc index 6d7ee5032..31f1a94e2 100644 --- a/latest/ug/nodes/launch-node-bottlerocket.adoc +++ b/latest/ug/nodes/launch-node-bottlerocket.adoc @@ -100,7 +100,7 @@ Several lines are output while the nodes are created. One of the last lines of o [✔] created 1 nodegroup(s) in cluster "my-cluster" ---- . (Optional) Create a [.noloc]`Kubernetes` https://kubernetes.io/docs/concepts/storage/persistent-volumes/[persistent volume] on a [.noloc]`Bottlerocket` node using the https://github.com/kubernetes-sigs/aws-ebs-csi-driver[Amazon EBS CSI Plugin]. The default Amazon EBS driver relies on file system tools that aren't included with [.noloc]`Bottlerocket`. For more information about creating a storage class using the driver, see <>. -. (Optional) By default, `kube-proxy` sets the `nf_conntrack_max` kernel parameter to a default value that may differ from what [.noloc]`Bottlerocket` originally sets at boot. To keep [.noloc]`Bottlerocket`'s https://github.com/bottlerocket-os/bottlerocket/blob/develop/packages/release/release-sysctl.conf[default setting], edit the `kube-proxy` configuration with the following command. +. (Optional) By default, `kube-proxy` sets the `nf_conntrack_max` kernel parameter to a default value that may differ from what [.noloc]`Bottlerocket` originally sets at boot. To keep Bottlerocket's https://github.com/bottlerocket-os/bottlerocket/blob/develop/packages/release/release-sysctl.conf[default setting], edit the `kube-proxy` configuration with the following command. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/nodes/launch-templates.adoc b/latest/ug/nodes/launch-templates.adoc index d65a5cc88..8ed8c54f6 100644 --- a/latest/ug/nodes/launch-templates.adoc +++ b/latest/ug/nodes/launch-templates.adoc @@ -195,7 +195,7 @@ kind: NodeConfig spec: [...] --BOUNDARY-- ---- + -In AL2, the metadata from these parameters was discovered from the Amazon EKS `DescribeCluster` API call. With AL2023, this behavior has changed since the additional API call risks throttling during large node scale ups. This change doesn't affect you if you're using managed node groups without a launch template or if you're using [.noloc]`Karpenter`. For more information on `certificateAuthority` and service `cidr`, see ` link:eks/latest/APIReference/API_DescribeCluster.html[DescribeCluster,type="documentation"]` in the _Amazon EKS API Reference_. +In AL2, the metadata from these parameters was discovered from the Amazon EKS `DescribeCluster` API call. With AL2023, this behavior has changed since the additional API call risks throttling during large node scale ups. This change doesn't affect you if you're using managed node groups without a launch template or if you're using [.noloc]`Karpenter`. For more information on `certificateAuthority` and service `cidr`, see link:eks/latest/APIReference/API_DescribeCluster.html[`DescribeCluster`,type="documentation"] in the _Amazon EKS API Reference_. *[.noloc]`Bottlerocket` user data*:: diff --git a/latest/ug/nodes/launch-windows-workers.adoc b/latest/ug/nodes/launch-windows-workers.adoc index 92502e24a..2acceda2d 100644 --- a/latest/ug/nodes/launch-windows-workers.adoc +++ b/latest/ug/nodes/launch-windows-workers.adoc @@ -115,7 +115,7 @@ https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2023-02-09/amazon-e . Select *Next* twice. . On the *Quick create stack* page, enter the following parameters accordingly: + -** *Stack name*: Choose a stack name for your {aws} CloudFormation stack. For example, you can call it [.replaceable]`my-cluster`-nodes````. +** *Stack name*: Choose a stack name for your {aws} CloudFormation stack. For example, you can call it `my-cluster-nodes`. ** *ClusterName*: Enter the name that you used when you created your Amazon EKS cluster. + [IMPORTANT] diff --git a/latest/ug/nodes/node-health.adoc b/latest/ug/nodes/node-health.adoc index 8543d9e13..4ecaf03e6 100644 --- a/latest/ug/nodes/node-health.adoc +++ b/latest/ug/nodes/node-health.adoc @@ -192,7 +192,7 @@ The following tables describe node health issues that can be detected by the nod |UnexpectedRejectRule |Event -|An unexpected `REJECT`` or `DROP` rule was found in the iptables, potentially blocking expected traffic. +|An unexpected `REJECT` or `DROP` rule was found in the iptables, potentially blocking expected traffic. |=== diff --git a/latest/ug/nodes/retrieve-ami-id.adoc b/latest/ug/nodes/retrieve-ami-id.adoc index 1fb4ffc0d..604495892 100644 --- a/latest/ug/nodes/retrieve-ami-id.adoc +++ b/latest/ug/nodes/retrieve-ami-id.adoc @@ -28,7 +28,7 @@ You can retrieve the image ID of the latest recommended Amazon EKS optimized Ama [source,bash,subs="verbatim,attributes"] ---- -aws ssm get-parameter --name /aws/service/eks/optimized-ami//`/recommended/image_id \ +aws ssm get-parameter --name /aws/service/eks/optimized-ami///recommended/image_id \ --region --query "Parameter.Value" --output text ---- diff --git a/latest/ug/observability/deploy-prometheus.adoc b/latest/ug/observability/deploy-prometheus.adoc index 093f2a0e8..cc3430bfa 100644 --- a/latest/ug/observability/deploy-prometheus.adoc +++ b/latest/ug/observability/deploy-prometheus.adoc @@ -36,7 +36,7 @@ helm upgrade -i prometheus prometheus-community/prometheus \ --set server.persistentVolume.storageClass="gp2" ---- + -NOTE: If you get the error `Error: failed to download "stable/prometheus" (hint: running `helm repo update` may help)` when executing this command, run `helm repo update prometheus-community`, and then try running the Step 2 command again. +NOTE: If you get the error `Error: failed to download "stable/prometheus" (hint: running helm repo update may help)` when executing this command, run `helm repo update prometheus-community`, and then try running the Step 2 command again. + If you get the error `Error: rendered manifests contain a resource that already exists`, run `helm uninstall [.replaceable]``your-release-name`` -n [.replaceable]``namespace```, then try running the Step 3 command again. + diff --git a/latest/ug/observability/understanding-service-name-entries.adoc b/latest/ug/observability/understanding-service-name-entries.adoc index 77dbb58f1..6b4e2fd3c 100644 --- a/latest/ug/observability/understanding-service-name-entries.adoc +++ b/latest/ug/observability/understanding-service-name-entries.adoc @@ -11,7 +11,7 @@ A trail is a configuration that enables delivery of events as log files to an Am A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify. CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested action. This include information such as the date and time of the action and the request parameters that were used. CloudTrail log files aren't an ordered stack trace of the public API calls, so they don't appear in any specific order. -The following example shows a CloudTrail log entry that demonstrates the link:eks/latest/APIReference/API_CreateCluster.html[CreateCluster,type="documentation"] action. +The following example shows a CloudTrail log entry that demonstrates the link:eks/latest/APIReference/API_CreateCluster.html[`CreateCluster`,type="documentation"] action. [source,json,subs="verbatim,attributes"] ---- @@ -74,7 +74,7 @@ The following example shows a CloudTrail log entry that demonstrates the link:ek The Amazon EKS service linked roles make API calls to {aws} resources. CloudTrail log entries with `username: AWSServiceRoleForAmazonEKS` and `username: AWSServiceRoleForAmazonEKSNodegroup` appears for calls made by the Amazon EKS service linked roles. For more information about Amazon EKS and service linked roles, see <>. -The following example shows a CloudTrail log entry that demonstrates a ` link:IAM/latest/APIReference/API_DeleteInstanceProfile.html[DeleteInstanceProfile,type="documentation"]` action that's made by the `AWSServiceRoleForAmazonEKSNodegroup` service linked role, noted in the `sessionContext`. +The following example shows a CloudTrail log entry that demonstrates a link:IAM/latest/APIReference/API_DeleteInstanceProfile.html[`DeleteInstanceProfile`,type="documentation"] action that's made by the `AWSServiceRoleForAmazonEKSNodegroup` service linked role, noted in the `sessionContext`. [source,json,subs="verbatim,attributes"] ---- diff --git a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc index 5d1f871af..c729f97ef 100644 --- a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc +++ b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc @@ -65,7 +65,7 @@ For a complete list of all available options and defaults, see https://eksctl.io == {aws-management-console} [[console_create_nodes_outpost]] -*Step 1: Launch self-managed Linux nodes using {aws-management-console}*` +*Step 1: Launch self-managed Linux nodes using {aws-management-console}* . Download the latest version of the {aws} CloudFormation template. + diff --git a/latest/ug/security/iam-reference/create-node-role.adoc b/latest/ug/security/iam-reference/create-node-role.adoc index afc40ab87..8c5addc56 100644 --- a/latest/ug/security/iam-reference/create-node-role.adoc +++ b/latest/ug/security/iam-reference/create-node-role.adoc @@ -18,8 +18,8 @@ Before you create nodes, you must create an IAM role with the following permissi * Permissions for the `kubelet` to describe Amazon EC2 resources in the VPC, such as provided by the link:aws-managed-policy/latest/reference/AmazonEKSWorkerNodePolicy.html[AmazonEKSWorkerNodePolicy,type="documentation"] policy. This policy also provides the permissions for the Amazon EKS Pod Identity Agent. * Permissions for the `kubelet` to use container images from Amazon Elastic Container Registry (Amazon ECR), such as provided by the link:aws-managed-policy/latest/reference/AmazonEC2ContainerRegistryPullOnly.html[AmazonEC2ContainerRegistryPullOnly,type="documentation"] policy. The permissions to use container images from Amazon Elastic Container Registry (Amazon ECR) are required because the built-in add-ons for networking run pods that use container images from Amazon ECR. -* (Optional) Permissions for the Amazon EKS Pod Identity Agent to use the `eks-auth:AssumeRoleForPodIdentity` action to retrieve credentials for pods. If you don't use the link:aws-managed-policy/latest/reference/AmazonEKSWorkerNodePolicy.html[AmazonEKSWorkerNodePolicy,type="documentation"], then you must provide this permission in addition to the EC2 permissions to use EKS Pod Identity.` -* (Optional) If you don't use IRSA or EKS Pod Identity to give permissions to the VPC CNI pods, then you must provide permissions for the VPC CNI on the instance role. You can use either the ` link:aws-managed-policy/latest/reference/AmazonEKS_CNI_Policy.html[AmazonEKS_CNI_Policy,type="documentation"]` managed policy (if you created your cluster with the IPv4` family) or an <> (if you created your cluster with the `IPv6` family). Rather than attaching the policy to this role however, we recommend that you attach the policy to a separate role used specifically for the Amazon VPC CNI add-on. For more information about creating a separate role for the Amazon VPC CNI add-on, see <>. +* (Optional) Permissions for the Amazon EKS Pod Identity Agent to use the `eks-auth:AssumeRoleForPodIdentity` action to retrieve credentials for pods. If you don't use the link:aws-managed-policy/latest/reference/AmazonEKSWorkerNodePolicy.html[AmazonEKSWorkerNodePolicy,type="documentation"], then you must provide this permission in addition to the EC2 permissions to use EKS Pod Identity. +* (Optional) If you don't use IRSA or EKS Pod Identity to give permissions to the VPC CNI pods, then you must provide permissions for the VPC CNI on the instance role. You can use either the link:aws-managed-policy/latest/reference/AmazonEKS_CNI_Policy.html[`AmazonEKS_CNI_Policy`,type="documentation"] managed policy (if you created your cluster with the `IPv4` family) or an <> (if you created your cluster with the `IPv6` family). Rather than attaching the policy to this role however, we recommend that you attach the policy to a separate role used specifically for the Amazon VPC CNI add-on. For more information about creating a separate role for the Amazon VPC CNI add-on, see <>. [NOTE] diff --git a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc index 564f6c4c3..3029131b1 100644 --- a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc +++ b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc @@ -367,9 +367,9 @@ View details about updates to {aws} managed policies for Amazon EKS since this s |Added permissions to <>. |Added a new statement authorizing the EBS CSI Driver to restore all snapshots. This was previously allowed by the existing policy but a new explicit statement is required due to a change in the handling of IAM for `CreateVolume`. -Added the ability for the EBS CSI Driver to modify tags on existing volumes. The EBS CSI Driver can modify tags of existing volumes via a parameters in Kubernetes `VolumeAttributesClass`es. +Added the ability for the EBS CSI Driver to modify tags on existing volumes. The EBS CSI Driver can modify tags of existing volumes via a parameters in Kubernetes VolumeAttributesClasses. -Added the ability for the EBS CSI Driver to enable Fast Snapshot Restore (FSR) on EBS volumes. The EBS CSI Driver can enable FSR on new volumes via parameters in Kubernetes `StorageClass`es. +Added the ability for the EBS CSI Driver to enable Fast Snapshot Restore (FSR) on EBS volumes. The EBS CSI Driver can enable FSR on new volumes via parameters in Kubernetes StorageClasses. |January 13, 2025 |Added permissions to <>. diff --git a/latest/ug/storage/efs-csi.adoc b/latest/ug/storage/efs-csi.adoc index b929b309b..f154a6e73 100644 --- a/latest/ug/storage/efs-csi.adoc +++ b/latest/ug/storage/efs-csi.adoc @@ -135,7 +135,7 @@ https://oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE ---- . Create the IAM role that grants the `AssumeRoleWithWebIdentity` action. + -.. Copy the following contents to a file named [.replaceable]`aws-efs-csi-driver-trust-policy`.json``. Replace [.replaceable]`111122223333` with your account ID. Replace [.replaceable]`EXAMPLED539D4633E53DE1B71EXAMPLE` and [.replaceable]`region-code` with the values returned in the previous step. +.. Copy the following contents to a file named `aws-efs-csi-driver-trust-policy.json`. Replace [.replaceable]`111122223333` with your account ID. Replace [.replaceable]`EXAMPLED539D4633E53DE1B71EXAMPLE` and [.replaceable]`region-code` with the values returned in the previous step. + [source,json,subs="verbatim,attributes"] ---- diff --git a/latest/ug/workloads/creating-an-add-on.adoc b/latest/ug/workloads/creating-an-add-on.adoc index d40f55982..82f79ae7c 100644 --- a/latest/ug/workloads/creating-an-add-on.adoc +++ b/latest/ug/workloads/creating-an-add-on.adoc @@ -143,7 +143,7 @@ If the *{aws} Marketplace add-ons* that you want to install aren't listed, you c + ... For *Pod Identity IAM role for service account*, you can either use an existing EKS Pod Identity IAM role or create one using the *Create Recommended Role* button. This field will only provide options with the appropriate trust policy. If there's no role to select, then you don't have an existing role with a matching trust policy. To configure an EKS Pod Identity IAM role for service accounts of the selected add-on, choose *Create recommended role*. The role creation wizard opens in a separate window. The wizard will automatically populate the role information as follows. For each add-on where you want to create the EKS Pod Identity IAM role, complete the steps in the IAM wizard as follows. * On the *Select trusted entity* step, the {aws} service option for *EKS* and the use case for *EKS - Pod Identity* are preselected, and the appropriate trust policy will be automatically populated for the add-on. For example, the role will be created with the appropriate trust policy containing the pods.eks.amazonaws.com IAM Principal as detailed in <>. Choose *Next*. -* On the *Add permissions* step, the appropriate managed policy for the role policy is preselected for the add-on. For example, for the Amazon VPC CNI add-on, the role will be created with the managed policy ` AmazonEKS_CNI_Policy` as detailed in <>. Choose *Next*. +* On the *Add permissions* step, the appropriate managed policy for the role policy is preselected for the add-on. For example, for the Amazon VPC CNI add-on, the role will be created with the managed policy `AmazonEKS_CNI_Policy` as detailed in <>. Choose *Next*. * On the *Name, review, and create* step, in *Role name*, the default role name is automatically populated for the add-on. For example, for the *Amazon VPC CNI* add-on, the role will be created with the name *AmazonEKSPodIdentityAmazonVPCCNIRole*. In *Description*, the default description is automatically populated with the appropriate description for the add-on. For example, for the Amazon VPC CNI add-on, the role will be created with the description *Allows pods running in Amazon EKS cluster* to access {aws} resources. In *Trust policy*, view the populated trust policy for the add-on. Choose *Create role*. + NOTE: diff --git a/latest/ug/workloads/network-load-balancing.adoc b/latest/ug/workloads/network-load-balancing.adoc index 16020d201..d135262d2 100644 --- a/latest/ug/workloads/network-load-balancing.adoc +++ b/latest/ug/workloads/network-load-balancing.adoc @@ -173,7 +173,7 @@ eksctl create fargateprofile \ ---- kubectl create namespace nlb-sample-app ---- -.. Save the following contents to a file named [.replaceable]`sample-deployment`.yaml` file on your computer. +.. Save the following contents to a file named `sample-deployment.yaml` file on your computer. + [source,yaml,subs="verbatim,attributes"] ---- @@ -207,7 +207,7 @@ kubectl apply -f sample-deployment.yaml ---- . Create a service with an internet-facing Network Load Balancer that load balances to IP targets. + -.. [[network-load-balancing-service-sample-manifest]]Save the following contents to a file named [.replaceable]`sample-service`.yaml` file on your computer. If you're deploying to Fargate nodes, remove the `service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing` line. +.. [[network-load-balancing-service-sample-manifest]]Save the following contents to a file named `sample-service.yaml` file on your computer. If you're deploying to Fargate nodes, remove the `service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing` line. + [source,yaml,subs="verbatim,attributes"] ---- diff --git a/latest/ug/workloads/updating-an-add-on.adoc b/latest/ug/workloads/updating-an-add-on.adoc index 284f995ea..b7b604823 100644 --- a/latest/ug/workloads/updating-an-add-on.adoc +++ b/latest/ug/workloads/updating-an-add-on.adoc @@ -104,7 +104,7 @@ For more information about updating add-ons, see https://eksctl.io/usage/addons/ + ... For *Pod Identity IAM role for service account*, you can either use an existing EKS Pod Identity IAM role or create one using the *Create Recommended Role* button. This field will only provide options with the appropriate trust policy. If there's no role to select, then you don't have an existing role with a matching trust policy. To configure an EKS Pod Identity IAM role for service accounts of the selected add-on, choose *Create recommended role*. The role creation wizard opens in a separate window. The wizard will automatically populate the role information as follows. For each add-on where you want to create the EKS Pod Identity IAM role, complete the steps in the IAM wizard as follows. * On the *Select trusted entity* step, the {aws} service option for *EKS* and the use case for *EKS - Pod Identity* are preselected, and the appropriate trust policy will be automatically populated for the add-on. For example, the role will be created with the appropriate trust policy containing the pods.eks.amazonaws.com IAM Principal as detailed in <>. Choose *Next*. -* On the *Add permissions* step, the appropriate managed policy for the role policy is preselected for the add-on. For example, for the Amazon VPC CNI add-on, the role will be created with the managed policy ` AmazonEKS_CNI_Policy` as detailed in <>. Choose *Next*. +* On the *Add permissions* step, the appropriate managed policy for the role policy is preselected for the add-on. For example, for the Amazon VPC CNI add-on, the role will be created with the managed policy `AmazonEKS_CNI_Policy` as detailed in <>. Choose *Next*. * On the *Name, review, and create* step, in *Role name*, the default role name is automatically populated for the add-on. For example, for the *Amazon VPC CNI* add-on, the role will be created with the name *AmazonEKSPodIdentityAmazonVPCCNIRole*. In *Description*, the default description is automatically populated with the appropriate description for the add-on. For example, for the Amazon VPC CNI add-on, the role will be created with the description *Allows pods running in Amazon EKS cluster* to access {aws} resources. In *Trust policy*, view the populated trust policy for the add-on. Choose *Create role*. + NOTE: Retaining the default role name enables EKS to pre-select the role for add-ons in new clusters or when adding add-ons to existing clusters. You can still override this name and the role will be available for the add-on across your clusters, but the role will need to be manually selected from the drop down. From a88141ce098775f447d8fc5df75d03e37dd3d25d Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Mon, 10 Feb 2025 13:13:56 -0600 Subject: [PATCH 128/940] Update authenticate-oidc-identity-provider.adoc (#870) * remove outdated broken links Co-authored-by: Donovan --- .../authenticate-oidc-identity-provider.adoc | 23 +------------------ 1 file changed, 1 insertion(+), 22 deletions(-) diff --git a/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc b/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc index 3b628df33..425563879 100644 --- a/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc +++ b/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc @@ -170,25 +170,4 @@ The following example policy allows [.noloc]`OIDC` identity provider association ---- -[#partner-validated-identity-providers] -== Partner validated [.noloc]`OIDC` identity providers - -Amazon EKS maintains relationships with a network of partners that offer support for compatible [.noloc]`OIDC` identity providers. Refer to the following partners' documentation for details on how to integrate the identity provider with Amazon EKS. - -[cols="1,1,1", options="header"] -|=== -|Partner -|Product -|Documentation - - -|PingIdentity -|https://docs.pingidentity.com/r/en-us/pingoneforenterprise/p14e_landing[PingOne for Enterprise] -|https://docs.pingidentity.com/r/en-us/solution-guides/htg_config_oidc_authn_aws_eks_custers[Installation instructions] -|=== - -Amazon EKS aims to give you a wide selection of options to cover all use cases. If you develop a commercially supported [.noloc]`OIDC` compatible identity provider that is not listed here, then contact our partner team at link:mailto:aws-container-partners@amazon.com[aws-container-partners@amazon. -com] for more information. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23authenticate-oidc-identity-provider%5D&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23authenticate-oidc-identity-provider%5D&type=code[Edit this page on GitHub] From 6079d420ff23aa748d20459dcb1b074f903baac0 Mon Sep 17 00:00:00 2001 From: Donovan Date: Mon, 10 Feb 2025 11:17:07 -0800 Subject: [PATCH 129/940] Update auto-security.adoc Fix spelling --- latest/ug/security/auto-security.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/security/auto-security.adoc b/latest/ug/security/auto-security.adoc index e01c67421..66e3f6180 100644 --- a/latest/ug/security/auto-security.adoc +++ b/latest/ug/security/auto-security.adoc @@ -78,7 +78,7 @@ Amazon EKS Auto Mode does not fully manage Amazon Elastic Block Store (Amazon EB ### Storage security -* {aws} recommends that you enable encryption for EBS Volumes provisionsed by Kubernetes persistent storage features. For more information, see <>. +* {aws} recommends that you enable encryption for EBS Volumes provisioned by Kubernetes persistent storage features. For more information, see <>. * Encryption at rest using {aws} KMS * You can configure your {aws} account to enforce the encryption of the new EBS volumes and snapshot copies that you create. For more information, see link:ebs/latest/userguide/encryption-by-default.html["Enable Amazon EBS encryption by default",type="documentation"] in the Amazon EBS User Guide. * For more information, see link:ebs/latest/userguide/security.html["Security in Amazon EBS",type="documentation"]. @@ -102,4 +102,4 @@ The following section describes security best practices for Amazon EKS Auto Mode * Implement pod security standards appropriate for your workloads. -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-security%5D&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-security%5D&type=code[Edit this page on GitHub] From 794236cc831d9c0a9f20b9ca6c408c335b2088b5 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Mon, 10 Feb 2025 13:57:33 -0600 Subject: [PATCH 130/940] Update vpc-interface-endpoints.adoc (#873) * Update vpc-interface-endpoints.adoc * Update vpc-interface-endpoints.adoc --- latest/ug/security/vpc-interface-endpoints.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/security/vpc-interface-endpoints.adoc b/latest/ug/security/vpc-interface-endpoints.adoc index 5497508ee..a9dc8cabb 100644 --- a/latest/ug/security/vpc-interface-endpoints.adoc +++ b/latest/ug/security/vpc-interface-endpoints.adoc @@ -23,7 +23,7 @@ For more information, see link:vpc/latest/privatelink/privatelink-access-aws-ser * Amazon EKS supports making calls to all of its API actions through the interface endpoint, but not to the [.noloc]`Kubernetes` APIs. The [.noloc]`Kubernetes` API server already supports a <>. The [.noloc]`Kubernetes` API server private endpoint creates a private endpoint for the [.noloc]`Kubernetes` API server that you use to communicate with your cluster (using [.noloc]`Kubernetes` management tools such as `kubectl`). You can enable <> to the [.noloc]`Kubernetes` API server so that all communication between your nodes and the API server stays within your VPC. {aws} PrivateLink for the Amazon EKS API helps you call the Amazon EKS APIs from your VPC without exposing traffic to the public internet. * You can't configure Amazon EKS to only be accessed through an interface endpoint. * Standard pricing for {aws} PrivateLink applies for interface endpoints for Amazon EKS. You are billed for every hour that an interface endpoint is provisioned in each Availability Zone and for data processed through the interface endpoint. For more information, see link:privatelink/pricing/[{aws} PrivateLink pricing,type="marketing"]. -* VPC endpoint policies are not supported for Amazon EKS. By default, full access to Amazon EKS is allowed through the interface endpoint. Alternatively, you can associate a security group with the endpoint network interfaces to control traffic to Amazon EKS through the interface endpoint. +* VPC endpoint policies are supported for Amazon EKS. You can use these policies to control access to Amazon EKS through the interface endpoint. Additionally, you can associate a security group with the endpoint network interfaces to control traffic to Amazon EKS through the interface endpoint. For more information, see link:vpc/latest/privatelink/vpc-endpoints-access.html["Control access to VPC endpoints using endpoint policies",type="documentation"] in the Amazon VPC docs. * You can use VPC flow logs to capture information about IP traffic going to and from network interfaces, including interface endpoints. You can publish flow log data to Amazon CloudWatch or Amazon S3. For more information, see link:vpc/latest/userguide/flow-logs.html[Logging IP traffic using VPC Flow Logs,type="documentation"] in the Amazon VPC User Guide. * You can access the Amazon EKS APIs from an on-premises data center by connecting it to a VPC that has an interface endpoint. You can use {aws} Direct Connect or {aws} Site-to-Site VPN to connect your on-premises sites to a VPC. * You can connect other VPCs to the VPC with an interface endpoint using an {aws} Transit Gateway or VPC peering. VPC peering is a networking connection between two VPCs. You can establish a VPC peering connection between your VPCs, or with a VPC in another account. The VPCs can be in different {aws} Regions. Traffic between peered VPCs stays on the {aws} network. The traffic doesn't traverse the public internet. A Transit Gateway is a network transit hub that you can use to interconnect VPCs. Traffic between a VPC and a Transit Gateway remains on the {aws} global private network. The traffic isn't exposed to the public internet. @@ -60,4 +60,4 @@ However, To use the dual-stack endpoints with the {aws} CLI, see the link:sdkref * Any call made to the Amazon EKS default service endpoint is automatically routed through the interface endpoint over the private {aws} network. -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23vpc-interface-endpoints%5D&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23vpc-interface-endpoints%5D&type=code[Edit this page on GitHub] From 8aad0cb38839a05c71489fa9629a42251a9e3d1c Mon Sep 17 00:00:00 2001 From: Jackson West Date: Mon, 10 Feb 2025 15:05:41 -0600 Subject: [PATCH 131/940] adds armv8.2 warning to hybrid nodes setup --- latest/ug/nodes/hybrid-nodes-os.adoc | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/latest/ug/nodes/hybrid-nodes-os.adoc b/latest/ug/nodes/hybrid-nodes-os.adoc index 9d9ca9b32..18676a954 100644 --- a/latest/ug/nodes/hybrid-nodes-os.adoc +++ b/latest/ug/nodes/hybrid-nodes-os.adoc @@ -55,6 +55,15 @@ The table below represents the operating system versions that are compatible and * If you are using RHEL 8, you must use {aws} Systems Manager hybrid activations as your credential provider. {aws} IAM Roles Anywhere isn't supported on RHEL 8. +=== ARM + +* If you are using ARM hardware, an ARMv8.2 compliant processor with the Cryptography Extension (ARMv8.2+crypto) is required to run version 1.31 and above of the EKS kube-proxy addon. All Raspberry Pi systems prior to the Raspberry Pi 5, as well as Cortex-A72 based processors, do not meet this requirement. As a workaround, you can continue to use version 1.30 of the EKS kube-proxy addon until it reaches end of extended support in July of 2026, see <>, or use a custom kube-proxy image from upstream. +* The following error message in the kube-proxy log indicates this incompatibility: +[source,none] +==== +Fatal glibc error: This version of Amazon Linux requires a newer ARM64 processor compliant with at least ARM architecture 8.2-a with Cryptographic extensions. On EC2 this is Graviton 2 or later. +==== + == Building operating system images Amazon EKS provides https://github.com/aws/eks-hybrid/tree/main/example/packer[example Packer templates] you can use to create operating system images that include `nodeadm` and configure it to run at host-startup. This process is recommended to avoid pulling the hybrid nodes dependencies individually on each host and to automate the hybrid nodes bootstrap process. You can use the example Packer templates with an Ubuntu 22.04, Ubuntu 24.04, RHEL 8 or RHEL 9 ISO image and can output images with these formats: OVA, [.noloc]`Qcow2`, or raw. From 027034c12ca62a8920694aa49b0902869900a831 Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Mon, 10 Feb 2025 16:09:39 -0800 Subject: [PATCH 132/940] Fix formatting for ARM hybrid error message --- latest/ug/nodes/hybrid-nodes-os.adoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/latest/ug/nodes/hybrid-nodes-os.adoc b/latest/ug/nodes/hybrid-nodes-os.adoc index 18676a954..a3be78eeb 100644 --- a/latest/ug/nodes/hybrid-nodes-os.adoc +++ b/latest/ug/nodes/hybrid-nodes-os.adoc @@ -57,12 +57,12 @@ The table below represents the operating system versions that are compatible and === ARM -* If you are using ARM hardware, an ARMv8.2 compliant processor with the Cryptography Extension (ARMv8.2+crypto) is required to run version 1.31 and above of the EKS kube-proxy addon. All Raspberry Pi systems prior to the Raspberry Pi 5, as well as Cortex-A72 based processors, do not meet this requirement. As a workaround, you can continue to use version 1.30 of the EKS kube-proxy addon until it reaches end of extended support in July of 2026, see <>, or use a custom kube-proxy image from upstream. +* If you are using ARM hardware, an ARMv8.2 compliant processor with the Cryptography Extension (ARMv8.2+crypto) is required to run version 1.31 and above of the EKS kube-proxy add-on. All Raspberry Pi systems prior to the Raspberry Pi 5, as well as Cortex-A72 based processors, do not meet this requirement. As a workaround, you can continue to use version 1.30 of the EKS kube-proxy add-on until it reaches end of extended support in July of 2026, see <>, or use a custom kube-proxy image from upstream. * The following error message in the kube-proxy log indicates this incompatibility: [source,none] -==== +---- Fatal glibc error: This version of Amazon Linux requires a newer ARM64 processor compliant with at least ARM architecture 8.2-a with Cryptographic extensions. On EC2 this is Graviton 2 or later. -==== +---- == Building operating system images From 1c7f65f4caa8954d8adcff19419f4d2972a82a3f Mon Sep 17 00:00:00 2001 From: Todd Neal Date: Tue, 11 Feb 2025 17:40:24 -0600 Subject: [PATCH 133/940] document how to share EBS volumes across Pods with EKS Auto Mode (#876) --- latest/ug/automode/auto-troubleshoot.adoc | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/latest/ug/automode/auto-troubleshoot.adoc b/latest/ug/automode/auto-troubleshoot.adoc index 853c955d0..ca9e9a017 100644 --- a/latest/ug/automode/auto-troubleshoot.adoc +++ b/latest/ug/automode/auto-troubleshoot.adoc @@ -23,6 +23,7 @@ You might have the following problems that have solutions specific to EKS Auto M * Pods stuck in the `Pending` state, that aren't being scheduled onto Auto Mode nodes. For solutions see <>. * EC2 managed instances that don't join the cluster as Kubernetes nodes. For solutions see <>. * Errors and issues with the `NodePools`, `PersistentVolumes`, and `Services` that use the controllers that are included in EKS Auto Mode. For solutions see <>. +* Enhanced Pod security prevents sharing volumes across Pods. For solutions see <>. You can use the following methods to troubleshoot EKS Auto Mode components: @@ -245,6 +246,22 @@ With these two pieces of information, you can perform the s analysis. First navi . Click "Create and Analyze Path" . The analysis might take a few minutes to complete. If the analysis results indicates failed reachability, it will indicate where the failure was in the network path so you can resolve the issue. +[#auto-troubleshoot-share-pod-volumes] +== Sharing Volumes Across Pods + +EKS Auto Mode Nodes are configured with SELinux in enforcing mode which provides more isolation between Pods that are running on the same Node. When SELinux is enabled, most non-privileged pods will automatically have their own multi-category security (MCS) label applied to them. This MCS label is unique per Pod, and is designed to ensure that a process in one Pod cannot manipulate a process in any other Pod or on the host. Even if a labeled Pod runs as root and has access to the host filesystem, it will be unable to manipulate files, make sensitive system calls on the host, access the container runtime, or obtain kubelet’s secret key material. + +Due to this, you may experience issues when trying to share data between Pods. For example, a `PersistentVolumeClaim` with an access mode of `ReadWriteOnce` will still not allow multiple Pods to access the volume concurrently. + +To enable this sharing between Pods, you can use the Pod's `seLinuxOptions` to configure the same MCS label on those Pods. In this example, we assign the three categories `c123,c124,c125` to the Pod. This will not conflict with any categories assigned to Pods on the node automatically, as they will only be assigned two categories. + +[source,bash,subs="verbatim,attributes"] +---- +securityContext: + seLinuxOptions: + level: "s0:c123,c456,c789" +---- + [#auto-troubleshoot-controllers] == Troubleshoot included controllers in Auto Mode From 256d794453f7a54a27fe01ed716a14ced3f2e1cd Mon Sep 17 00:00:00 2001 From: Chris Negus Date: Wed, 12 Feb 2025 06:09:58 +0000 Subject: [PATCH 134/940] Fix title in vpc-interface-endpoints.adoc per awsdocs-45476 --- latest/ug/security/vpc-interface-endpoints.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/security/vpc-interface-endpoints.adoc b/latest/ug/security/vpc-interface-endpoints.adoc index a9dc8cabb..e009d83e0 100644 --- a/latest/ug/security/vpc-interface-endpoints.adoc +++ b/latest/ug/security/vpc-interface-endpoints.adoc @@ -2,7 +2,7 @@ include::../attributes.txt[] [.topic] [#vpc-interface-endpoints] -= Access the Amazon EKS using {aws} PrivateLink += Access Amazon EKS using {aws} PrivateLink :info_titleabbrev: {aws} PrivateLink [abstract] From e9f027a17a3956373e66102b9cb127cef05e75e0 Mon Sep 17 00:00:00 2001 From: Parikshit Patel Date: Thu, 13 Feb 2025 08:59:33 +1100 Subject: [PATCH 135/940] Update deploy-ipv6-cluster.adoc (#865) updated file name from "vpc-cni-ipv6-policy" to "vpc-cni-ipv6-policy.json" --- latest/ug/networking/deploy-ipv6-cluster.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/networking/deploy-ipv6-cluster.adoc b/latest/ug/networking/deploy-ipv6-cluster.adoc index 477357a0e..50bf02634 100644 --- a/latest/ug/networking/deploy-ipv6-cluster.adoc +++ b/latest/ug/networking/deploy-ipv6-cluster.adoc @@ -283,7 +283,7 @@ By default, the `config` file is created in `~/.kube` or the new cluster's confi + [source,json,subs="verbatim,attributes"] ---- -cat >vpc-cni-ipv6-policy <vpc-cni-ipv6-policy.json < Date: Wed, 12 Feb 2025 15:59:49 -0600 Subject: [PATCH 136/940] Update private-clusters.adoc (#869) * Update private-clusters.adoc * add eks and eks-auth endpoints * Update private-clusters.adoc --- latest/ug/clusters/private-clusters.adoc | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/latest/ug/clusters/private-clusters.adoc b/latest/ug/clusters/private-clusters.adoc index f78d6f150..45880dc3a 100644 --- a/latest/ug/clusters/private-clusters.adoc +++ b/latest/ug/clusters/private-clusters.adoc @@ -90,12 +90,19 @@ We recommend that you link:vpc/latest/privatelink/interface-endpoints.html#enabl |{aws} Security Token Service (required when using IAM roles for service accounts) |com.amazonaws.[.replaceable]`region-code`.sts -|=== + +|Amazon EKS Auth +|com.amazonaws.[.replaceable]`region-code`.eks-auth +|Amazon EKS +|com.amazonaws.[.replaceable]`region-code`.eks + +|=== * Any self-managed nodes must be deployed to subnets that have the VPC interface endpoints that you require. If you create a managed node group, the VPC interface endpoint security group must allow the CIDR for the subnets, or you must add the created node security group to the VPC interface endpoint security group. * If your [.noloc]`Pods` use Amazon EFS volumes, then before deploying the <>, the driver's https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/deploy/kubernetes/overlays/stable/kustomization.yaml[kustomization.yaml] file must be changed to set the container images to use the same {aws} Region as the Amazon EKS cluster. * Route53 does not support {aws} PrivateLink. You cannot manage Route53 DNS records from a private Amazon EKS cluster. This impacts Kubernetes https://github.com/kubernetes-sigs/external-dns[external-dns]. +* If you use the EKS Optimized AMI, you should enable the `ec2` endpoint in the table above. Alternatively, you can manually set the Node DNS name. The optimized AMI uses EC2 APIs to set the node DNS name automatically. * You can use the <> to deploy {aws} Application Load Balancers (ALB) and Network Load Balancers to your private cluster. When deploying it, you should use https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/deploy/configurations/#controller-command-line-flags[command line flags] to set `enable-shield`, `enable-waf`, and `enable-wafv2` to false. https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/ingress/cert_discovery/#discover-via-ingress-rule-host[Certificate discovery] with hostnames from Ingress objects isn't supported. This is because the controller needs to reach {aws} Certificate Manager, which doesn't have a VPC interface endpoint. + The controller supports network load balancers with IP targets, which are required for use with Fargate. For more information, see <> and <>. @@ -103,4 +110,4 @@ The controller supports network load balancers with IP targets, which are requir * Some container software products use API calls that access the {aws} Marketplace Metering Service to monitor usage. Private clusters do not allow these calls, so you can't use these container types in private clusters. -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23private-clusters%5D&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23private-clusters%5D&type=code[Edit this page on GitHub] From b4f44d604a08df917abe8af375b2a5c9a9350244 Mon Sep 17 00:00:00 2001 From: Christopher Farrenden Date: Thu, 13 Feb 2025 09:02:20 +1100 Subject: [PATCH 137/940] Fix typo on access entries page (#877) --- .../manage-access/k8s-access/access-entries.adoc | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/latest/ug/manage-access/k8s-access/access-entries.adoc b/latest/ug/manage-access/k8s-access/access-entries.adoc index 5affecdc2..55405f655 100644 --- a/latest/ug/manage-access/k8s-access/access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/access-entries.adoc @@ -18,14 +18,14 @@ Learn how to manage access entries for IAM principals to your Amazon EKS cluster *What is EKS access entries?* -EKS access entries it the best way to grant users access to the Kubernetes API. For example, you can use access entries to grant developers access to use kubectl. +EKS access entries is the best way to grant users access to the Kubernetes API. For example, you can use access entries to grant developers access to use kubectl. -Fundamentally, an EKS access entry associates a set of Kubernetes permissions with an IAM identity, such as an IAM role. For example, a developer may assume an IAM role and use that to authenticate to an EKS Cluster. +Fundamentally, an EKS access entry associates a set of Kubernetes permissions with an IAM identity, such as an IAM role. For example, a developer may assume an IAM role and use that to authenticate to an EKS Cluster. -You can attach Kubernetes permissions to access entries in two ways: +You can attach Kubernetes permissions to access entries in two ways: -* Use an access policy. Access policies are pre-defined Kubernetes permissions templates maintained by {aws}. For more information, see <>. -* Reference a Kubernetes group. If you associate an IAM Identity with a Kubernetes group, you can create Kubernetes resources that grant the group permissions. For more information, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Using RBAC Authorization] in the Kubernetes documentation. +* Use an access policy. Access policies are pre-defined Kubernetes permissions templates maintained by {aws}. For more information, see <>. +* Reference a Kubernetes group. If you associate an IAM Identity with a Kubernetes group, you can create Kubernetes resources that grant the group permissions. For more information, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Using RBAC Authorization] in the Kubernetes documentation. *Advantages* @@ -35,13 +35,13 @@ The feature integrates with infrastructure as code (IaC) tools like {aws} CloudF == Get Started -. Determine the IAM Identity and Access policy you want to use. +. Determine the IAM Identity and Access policy you want to use. ** <> . Enable EKS Access Entries on your cluster. Confirm you have a supported platform version. ** <> . Create an access entry that associates an IAM Identity with Kubernetes permission. ** <> -. Authenticate to the cluster using the IAM identity. +. Authenticate to the cluster using the IAM identity. ** <> ** <> @@ -66,4 +66,4 @@ include::updating-access-entries.adoc[leveloffset=+1] include::deleting-access-entries.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23access-entries%5D&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23access-entries%5D&type=code[Edit this page on GitHub] From b30c7f830e6809bb7ad67a90477a79f1cab36724 Mon Sep 17 00:00:00 2001 From: Josh Parker <98215536+realjoshparker@users.noreply.github.com> Date: Wed, 12 Feb 2025 17:03:28 -0500 Subject: [PATCH 138/940] Update pod-identities.adoc (#878) Include considerations on using Pod Identity with proxied EKS environments --- latest/ug/manage-access/aws-access/pod-identities.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/manage-access/aws-access/pod-identities.adoc b/latest/ug/manage-access/aws-access/pod-identities.adoc index 7fc03ec4f..76b97706b 100644 --- a/latest/ug/manage-access/aws-access/pod-identities.adoc +++ b/latest/ug/manage-access/aws-access/pod-identities.adoc @@ -91,7 +91,7 @@ Turn on EKS Pod Identities by completing the following procedures: * The EKS Pod Identity Agent uses the `hostNetwork` of the node and it uses port `80` and port `2703` on a link-local address on the node. This address is `169.254.170.23` for [.noloc]`IPv4` and `[fd00:ec2::23]` for [.noloc]`IPv6` clusters. + If you disable `IPv6` addresses, or otherwise prevent localhost `IPv6` IP addresses, the agent can't start. To start the agent on nodes that can't use `IPv6`, follow the steps in <> to disable the `IPv6` configuration. - +* If your Pods use a proxy, you must ensure you add `169.254.170.23` for [.noloc]`IPv4` and `[fd00:ec2::23]` for [.noloc]`IPv6` in the `no_proxy`/`NO_PROXY` environment variables injected into the pods. Otherwise requests from the application pods to the `eks-pod-identity-agent` DaemonSets would fail as the requests would be sent to the proxy and the proxy wouldn't be able to route the IP. [#pod-id-cluster-versions] === EKS Pod Identity cluster versions @@ -146,4 +146,4 @@ You can't use EKS Pod Identities with: * Pods that run anywhere except Linux Amazon EC2 instances. Linux and Windows pods that run on {aws} Fargate (Fargate) aren't supported. Pods that run on Windows Amazon EC2 instances aren't supported. -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pod-identities%5D&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pod-identities%5D&type=code[Edit this page on GitHub] From ef2e49fd7e8951a72ce4928f96e94fcec63c4932 Mon Sep 17 00:00:00 2001 From: Alessandro Germer Date: Wed, 12 Feb 2025 14:03:56 -0800 Subject: [PATCH 139/940] Adds updating-related information for EKS Local Clusters on Outposts (#871) * Adds updating-related information for EKS local-clusters on outposts Extends EKS local-clusters on outposts documentation with some clarification regarding the EKS Platform-Version update process and related troubleshooting information. * Use short links in outposts troubleshooting --------- Co-authored-by: Donovan Finch --- .../eks-outposts-platform-versions.adoc | 4 ++- .../eks-outposts-troubleshooting.adoc | 35 +++++++++++++++++++ 2 files changed, 38 insertions(+), 1 deletion(-) diff --git a/latest/ug/outposts/eks-outposts-platform-versions.adoc b/latest/ug/outposts/eks-outposts-platform-versions.adoc index 20f630319..03034c122 100644 --- a/latest/ug/outposts/eks-outposts-platform-versions.adoc +++ b/latest/ug/outposts/eks-outposts-platform-versions.adoc @@ -19,7 +19,9 @@ When new local cluster platform versions become available for a minor version: * The platform version number is incremented (`eks-local-outposts.n+1`). -* Amazon EKS automatically updates all existing local clusters to the latest platform version for their corresponding [.noloc]`Kubernetes` minor version. Automatic updates of existing platform versions are rolled out incrementally. The roll-out process might take some time. If you need the latest platform version features immediately, we recommend that you create a new local cluster. +* Amazon EKS automatically updates all existing local clusters to the latest platform version for their corresponding [.noloc]`Kubernetes` minor version. Automatic updates of existing platform versions are rolled out incrementally. The roll-out process consists of the replacement of the managed [.noloc]`Kubernetes` control-plane instances running on the Outpost, one at a time, until all 3 instances get replaced by new ones. +* The [.noloc]`Kubernetes` control-plane instance replacement process will stop progressing if there is risk of service interruption. Amazon EKS will only attempt to replace an instance in case the other 2 [.noloc]`Kubernetes` control-plane instances are healthy and passing all readiness conditions as a cluster node. +* A platform version rollout will typically take less than 30 minutes to complete. If a cluster remains on `UPDATING` state for an extended amount of time, see the <> and seek help from {aws} Support. Never manually terminate [.noloc]`Kubernetes` control-plane instances unless instructed by {aws} Support. * Amazon EKS might publish a new node AMI with a corresponding patch version. All patch versions are compatible between the [.noloc]`Kubernetes` control plane and node AMIs for a single [.noloc]`Kubernetes` minor version. New platform versions don't introduce breaking changes or cause service interruptions. diff --git a/latest/ug/outposts/eks-outposts-troubleshooting.adoc b/latest/ug/outposts/eks-outposts-troubleshooting.adoc index efce19ca8..31fb7b101 100644 --- a/latest/ug/outposts/eks-outposts-troubleshooting.adoc +++ b/latest/ug/outposts/eks-outposts-troubleshooting.adoc @@ -13,6 +13,14 @@ Learn how to troubleshoot common issues with Amazon EKS local clusters on {aws} This topic covers some common errors that you might see while using local clusters and how to troubleshoot them. Local clusters are similar to Amazon EKS clusters in the cloud, but there are some differences in how they're managed by Amazon EKS. +[IMPORTANT] +==== + +Never terminate any managed EKS local cluster `Kubernetes` control-plane instance running on Outpost unless explicitly instructed by {aws} Support. Terminating these instances impose a risk to local cluster service availability, including loss of the local cluster in case multiple instances are simultaneously terminated. EKS local cluster `Kubernetes` control-plane instances are identified by the tag `eks-local:controlplane-name` on the EC2 instance console. + +==== + + [#outposts-troubleshooting-api-behavior] .API behavior [%collapsible] @@ -229,6 +237,33 @@ The most common issues are the following: Review <>. ==== +[#outposts-troubleshooting-cluster-stuck-in-updating-state] +.Cluster is stuck in `UPDATING` state +[%collapsible] +==== + +Amazon EKS automatically updates all existing local clusters to the latest platform versions for their corresponding [.noloc]`Kubernetes` minor version. For more information about platform versions, please refer to <>. + +During an automatic platform-version rollout a cluster status changes to `UPDATING`. The update process consists of the replacement of all [.noloc]`Kubernetes` control-plane instances with new ones containing the latest security pathces and bugfixes released for the respective [.noloc]`Kubernetes` minor version. In general, a local cluster platform update process completes within less than 30 minutes and the cluster changes back to `ACTIVE` status. If a local cluster remains in the `UPDATING` state for an extended period of time, you may call `describe-cluster` to check for information about the cause in the `cluster.health` output field. + +Amazon EKS ensures at least 2 out of 3 [.noloc]`Kubernetes` control-plane instances are healthy and operational cluster nodes in order to maintain the local cluster availability and prevent service interruption. If a local cluster is stalled in `UPDATING` state it is usually because there is some infrastructure or configuration issue preventing the two-instances minimum availability to be guaranteed in case the process continues. So the update process stops progressing to protect the local cluster service interruption. + +It is important to troubleshoot a local cluster stuck in `UPDATING` status and address the root-cause so that the update process can complete and restore the local cluster back to `ACTIVE` with the high-availability of 3 [.noloc]`Kubernetes` control-plane instances. + +Do not terminate any managed EKS local cluster `Kubernetes` instances on Outposts unless explicitly instructed by {aws} Support. This is specially important for local clusters stuck in `UPDATING` state because there's a high probability that another control-plane nodes is not completely healthy and terminating the wrong instance could cause service interruption and risk local-cluster data loss. + +The most common issues are the following: + + + +* One or more control-plane instances are unable to connect to System Manager because of a networking configuration change since the local cluster was first created. You can verify this by calling `aws ssm start-session --target [.replaceable]``instance-id``` from an in-Region bastion host. If that command doesn't work, check if Systems Manager is running on the control plane instance. +* New control plane instances fail to be created due to KMS key permissions for EBS volumes. With user managed KMS keys for encrypted EBS volumes, the control plane instances will terminate if the key is not accessible. If the instances are terminated, either switch to an {aws} managed KMS key or ensure that your user managed key policy grants the necessary permissions to the cluster role. +* Systems Manager control plane instances might have lost internet access. Check if the subnet that was provided when you created the cluster has a NAT gateway and a VPC with an internet gateway. Use VPC reachability analyzer to verify that the control plane instance can reach the internet gateway. For more information, see link:vpc/latest/reachability/getting-started.html[Getting started with VPC Reachability Analyzer,type="documentation"]. If your private networks don't have outbound internet connection, ensure that all the required VPC endpoints and gateway endpoint are still present in the Regional subnet from your cluster (see <>). +* The role ARN that you provided is missing policies. Check if the <> was not removed from the role. +* One of the new [.noloc]`Kubernetes` control-plane instances may have experienced an unexpected bootstrapping failure. Please file a ticket with link:support/home[{aws} Support Center,type="console"] for further guidance on troubleshooting and log-collection in this exceptional case. + +==== + [#outposts-troubleshooting-unable-to-join-nodes-to-a-cluster] .Can't join nodes to a cluster [%collapsible] From 2764c1eb4c426c3713aa8fef60bd2b363669d461 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Wed, 12 Feb 2025 16:12:39 -0600 Subject: [PATCH 140/940] Update auto-configure-nlb.adoc --- latest/ug/automode/auto-configure-nlb.adoc | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/latest/ug/automode/auto-configure-nlb.adoc b/latest/ug/automode/auto-configure-nlb.adoc index 71e9999e0..0c0ee5779 100644 --- a/latest/ug/automode/auto-configure-nlb.adoc +++ b/latest/ug/automode/auto-configure-nlb.adoc @@ -142,12 +142,15 @@ To migrate from deprecated load balancer attribute annotations, consolidate thes ```yaml service.beta.kubernetes.io/aws-load-balancer-attributes: | - proxy_protocol.v2.enabled=true access_logs.s3.enabled=true access_logs.s3.bucket=my-bucket access_logs.s3.prefix=my-prefix load_balancing.cross_zone.enabled=true +``` +```yaml +service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: | + proxy_protocol_v2.enabled=true ``` This consolidated format provides a more consistent and flexible way to configure load balancer attributes while reducing the number of individual annotations needed. Review your existing Service configurations and update them to use this consolidated format. @@ -163,4 +166,4 @@ This consolidated format provides a more consistent and flexible way to configur |=== -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-configure-nlb%5D&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-configure-nlb%5D&type=code[Edit this page on GitHub] From 73f2cfae7fcb9bcf41ccede834c9be003db56635 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Wed, 12 Feb 2025 16:15:09 -0600 Subject: [PATCH 141/940] Update associate-workload.adoc --- latest/ug/automode/associate-workload.adoc | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/latest/ug/automode/associate-workload.adoc b/latest/ug/automode/associate-workload.adoc index ecc721574..d9e0c3267 100644 --- a/latest/ug/automode/associate-workload.adoc +++ b/latest/ug/automode/associate-workload.adoc @@ -25,8 +25,9 @@ You can add this `nodeSelector` to Deployments or other workloads to require Kub apiVersion: apps/v1 kind: Deployment spec: - nodeSelector: - eks.amazonaws.com/compute-type: auto + template: + nodeSelector: + eks.amazonaws.com/compute-type: auto ---- == Require a workload is not deployed to EKS Auto Mode nodes @@ -47,4 +48,4 @@ You can add this `nodeAffinity` to Deployments or other workloads to require Kub ---- -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23associate-workload%5D&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23associate-workload%5D&type=code[Edit this page on GitHub] From d59f37deaa1479d446fc2fbf45d8208b6f827b29 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Wed, 12 Feb 2025 16:21:29 -0600 Subject: [PATCH 142/940] Update addon-compat.adoc --- latest/ug/workloads/addon-compat.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/workloads/addon-compat.adoc b/latest/ug/workloads/addon-compat.adoc index f317d447d..44c369ec2 100644 --- a/latest/ug/workloads/addon-compat.adoc +++ b/latest/ug/workloads/addon-compat.adoc @@ -13,7 +13,7 @@ Learn how to verify the Amazon EKS add-on compatibility with your cluster before Before you create an Amazon EKS add-on you need to verify that the Amazon EKS add-on version is compatible with your cluster. -Use the link:eks/latest/APIReference/API_DescribeAddonVersions.html[describe-addon-verisions API,type="documentation"] to list the available versions of EKS add-ons, and which Kubernetes versions each addon version supports. +Use the link:eks/latest/APIReference/API_DescribeAddonVersions.html[describe-addon-versions API,type="documentation"] to list the available versions of EKS add-ons, and which Kubernetes versions each addon version supports. . Verify the {aws} CLI is installed and working with `aws sts get-caller-identity`. If this command doesn't work, learn how to link:cli/latest/userguide/cli-chap-getting-started.html[Get started with the {aws} CLI.,type="documentation"] . Determine the name of the add-on you want to retrieve version compatibility information for, such as `amazon-cloudwatch-observability`. @@ -71,4 +71,4 @@ The `computeTypes` field in the `describe-addon-versions` output indicates an ad For more information, see <>. -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23addon-compat%5D&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23addon-compat%5D&type=code[Edit this page on GitHub] From 05294604ee249ef666218b8c690a174431216089 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Wed, 12 Feb 2025 23:52:04 +0000 Subject: [PATCH 143/940] update scope of support --- latest/ug/related-projects.adoc | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/latest/ug/related-projects.adoc b/latest/ug/related-projects.adoc index 6546e2118..488c66aa6 100644 --- a/latest/ug/related-projects.adoc +++ b/latest/ug/related-projects.adoc @@ -18,6 +18,24 @@ Learn how to use open source projects to add features to Amazon EKS for manageme These open-source projects extend the functionality of [.noloc]`Kubernetes` clusters running on or outside of {aws}, including clusters managed by Amazon EKS. +[#oss-scope] +== Support for software deployed to EKS + +When reviewing the Amazon EKS docs, you'll encounter references to various open-source tools and software throughout our procedures and examples. These tools include the https://github.com/kubernetes-sigs/metrics-server[Kubernetes Metrics Server] and https://cert-manager.io/[Cert Manager.] + +Please note that any third-party or open-source software you choose to deploy falls outside the scope of your {aws} Support Agreements. A benefit of using Kubernetes is the active open source community. We recommend working directly with the relevant open-source communities and project maintainers to establish appropriate support channels for such components. For more information, see the https://www.cncf.io/projects/[graduated and incubating projects] associated with the Cloud Native Computing Foundation (CNCF). + +The Kubernetes ecosystem includes numerous projects and components that come with different levels of community support, response times, and intended use cases. When implementing these technologies alongside EKS, ensure you understand the support matrix for each component. + +{aws} maintains the open-source components we integrate into the EKS control plane. This includes our comprehensive security pipeline covering build verification, vulnerability scanning, validation testing, and patch management for all container images and binaries we distribute. For example, {aws} is responsible for the https://kubernetes.io/docs/concepts/architecture/#kube-apiserver[Kubernetes API Server]. The Kubernetes API server is covered by link:eks/sla/["Amazon EKS Service Level Agreement",type="marketing"]. You can use your link:premiumsupport/plans/["Amazon Web Services Support Plan",type="marketing"] to resolve issues with the Kubernetes API server, or get general guidance. + +You need to carefully review the support offered for various Amazon EKS Add-ons. {aws} add-ons are the only type of Amazon EKS add-on that are fully supported by {aws}. {aws} Marketplace add-ons are primarily supported by {aws} Partners. Community add-ons receive basic lifecycle support from {aws}. For more information, see xref:addon-support[add-on Support.] + +Every EKS add-ons, irrespective of the type, receives basic lifecycle support from EKS including Marketplace add-ons. Basic lifecycle support includes installing and uninstalling the add-on. For more information on the types of Amazon EKS Add-ons available and the associated levels of support, see xref:addon-support[Scope of Support for Amazon EKS add-ons.] To view add-ons fully supported by {aws}, see xref:workloads-add-ons-available-eks[Amazon Web Services add-ons.] + +* For more information about our security practices and support boundaries, see xref:security[Security in Amazon EKS.] +* For more information about community and {aws} marketplace add-ons available through Amazon EKS Add-ons, see xref:addon-support["EKS Add-ons Support",type="documentation"]. + [#related-management-tools] == Management tools From 884c35b778f707d701b77aba29203173f5987367 Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Wed, 12 Feb 2025 15:33:47 -0800 Subject: [PATCH 144/940] Add new kube-proxy versions --- latest/ug/networking/managing-kube-proxy.adoc | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/latest/ug/networking/managing-kube-proxy.adoc b/latest/ug/networking/managing-kube-proxy.adoc index 6933215eb..08f530c19 100644 --- a/latest/ug/networking/managing-kube-proxy.adoc +++ b/latest/ug/networking/managing-kube-proxy.adoc @@ -39,12 +39,12 @@ The following table lists the latest version of the Amazon EKS add-on type for e | Kubernetes version | `kube-proxy` version | 1.32 | v1.32.0-eksbuild.2 | 1.31 | v1.31.3-eksbuild.2 -| 1.30 | v1.30.7-eksbuild.2 -| 1.29 | v1.29.11-eksbuild.2 -| 1.28 | v1.28.15-eksbuild.4 -| 1.27 | v1.27.16-eksbuild.14 -| 1.26 | v1.26.15-eksbuild.19 -| 1.25 | v1.25.16-eksbuild.22 +| 1.30 | v1.30.9-eksbuild.3 +| 1.29 | v1.29.13-eksbuild.3 +| 1.28 | v1.28.15-eksbuild.9 +| 1.27 | v1.27.16-eksbuild.19 +| 1.26 | v1.26.15-eksbuild.24 +| 1.25 | v1.25.16-eksbuild.27 | 1.24 | v1.24.17-eksbuild.19 |=== @@ -75,13 +75,13 @@ The following table lists the latest available self-managed `kube-proxy` contain |=== | Version | kube-proxy (default type) | kube-proxy (minimal type) | 1.32 | Only minimal type is available | v1.32.0-minimal-eksbuild.2 -| 1.31 | Only minimal type is available | v1.31.3-minimal-eksbuild.3 -| 1.30 | Only minimal type is available | v1.30.7-minimal-eksbuild.2 -| 1.29 | Only minimal type is available | v1.29.11-minimal-eksbuild.2 -| 1.28 | Only minimal type is available | v1.28.15-minimal-eksbuild.4 -| 1.27 | Only minimal type is available | v1.27.16-minimal-eksbuild.14 -| 1.26 | Only minimal type is available | v1.26.15-minimal-eksbuild.19 -| 1.25 | Only minimal type is available | v1.25.16-minimal-eksbuild.22 +| 1.31 | Only minimal type is available | v1.31.3-minimal-eksbuild.2 +| 1.30 | Only minimal type is available | v1.30.9-minimal-eksbuild.3 +| 1.29 | Only minimal type is available | v1.29.13-minimal-eksbuild.3 +| 1.28 | Only minimal type is available | v1.28.15-minimal-eksbuild.9 +| 1.27 | Only minimal type is available | v1.27.16-minimal-eksbuild.19 +| 1.26 | Only minimal type is available | v1.26.15-minimal-eksbuild.24 +| 1.25 | Only minimal type is available | v1.25.16-minimal-eksbuild.27 | 1.24 | v1.24.10-eksbuild.2 | v1.24.17-minimal-eksbuild.19 |=== From e9eb68d77f8ef4565b595ce56ce42f2dabaf608a Mon Sep 17 00:00:00 2001 From: Harsh Bahua Date: Thu, 13 Feb 2025 01:58:53 +0000 Subject: [PATCH 145/940] Fix backticks causing build failures cr: https://code.amazon.com/reviews/CR-177830334 --- latest/ug/networking/network-reqs.adoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/latest/ug/networking/network-reqs.adoc b/latest/ug/networking/network-reqs.adoc index 23293db74..b84a01e2b 100644 --- a/latest/ug/networking/network-reqs.adoc +++ b/latest/ug/networking/network-reqs.adoc @@ -47,7 +47,7 @@ If you created a cluster with [.noloc]`Kubernetes` `1.14` or earlier, Amazon EKS |Value -|``kubernetes.io/cluster/[.replaceable]`my-cluster``` +|`kubernetes.io/cluster/[.replaceable]``my-cluster``` |`owned` |=== @@ -242,7 +242,7 @@ When a [.noloc]`Kubernetes` cluster that's version `1.18` and earlier was create |Value -|``kubernetes.io/cluster/[.replaceable]`my-cluster``` +|`kubernetes.io/cluster/[.replaceable]``my-cluster``` |`shared` |=== @@ -283,4 +283,4 @@ You can use _VPC sharing_ to share subnets with other {aws} accounts within the For more information about VPC subnet sharing, see link:vpc/latest/userguide/vpc-sharing.html#vpc-share-limitations[Share your VPC with other accounts,type="documentation"] in the _Amazon VPC User Guide_. -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23network-reqs%5D&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23network-reqs%5D&type=code[Edit this page on GitHub] From 83a4258860cd6b2244f7240e48384bb137836580 Mon Sep 17 00:00:00 2001 From: Jenade Moodley Date: Thu, 13 Feb 2025 11:07:42 +0200 Subject: [PATCH 146/940] Update ebs-csi.adoc Only PVs created from a storage class referencing the `ebs.csi.eks.amazonaws.com` can be mounted on EKS Auto mode nodes. Updated docs to make this more clear --- latest/ug/storage/ebs-csi.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/storage/ebs-csi.adoc b/latest/ug/storage/ebs-csi.adoc index 7a8b5feca..000b3581d 100644 --- a/latest/ug/storage/ebs-csi.adoc +++ b/latest/ug/storage/ebs-csi.adoc @@ -27,7 +27,7 @@ The https://github.com/kubernetes-sigs/aws-ebs-csi-driver/[Amazon Elastic Block * You can run the Amazon EBS CSI controller on Fargate nodes, but the Amazon EBS CSI node [.noloc]`DaemonSet` can only run on Amazon EC2 instances. * Amazon EBS volumes and the Amazon EBS CSI driver are not compatible with Amazon EKS Hybrid Nodes. * Support will be provided for the latest add-on version and one prior version. Bugs or vulnerabilities found in the latest version will be backported to the previous release in a new minor version. - +* Only PVs created from a Storage Class using `ebs.csi.eks.amazonaws.com` as the provisioner can be mounted on nodes created by EKS Auto mode. Existing PVs must be migrated to the new Storage Class using a volume snapshot. [IMPORTANT] ==== @@ -363,4 +363,4 @@ Alternatively, if you want a self-managed installation of the Amazon EBS CSI dri You can deploy a variety of sample apps and modify them as needed. For more information, see https://github.com/kubernetes-sigs/aws-ebs-csi-driver/tree/master/examples/kubernetes[Kubernetes Examples] on [.noloc]`GitHub`. -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23ebs-csi%5D&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23ebs-csi%5D&type=code[Edit this page on GitHub] From 1c846f5f4eabee4bfdb963d921f822dae4205617 Mon Sep 17 00:00:00 2001 From: Chris Negus Date: Thu, 13 Feb 2025 15:21:24 +0000 Subject: [PATCH 147/940] Added in-place upgrade steps to hybrid-nodes-upgrade per https://t.corp.amazon.com/V1671470319 --- latest/ug/nodes/hybrid-nodes-upgrade.adoc | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/latest/ug/nodes/hybrid-nodes-upgrade.adoc b/latest/ug/nodes/hybrid-nodes-upgrade.adoc index b7274341d..f544d18e3 100644 --- a/latest/ug/nodes/hybrid-nodes-upgrade.adoc +++ b/latest/ug/nodes/hybrid-nodes-upgrade.adoc @@ -137,6 +137,13 @@ kubectl drain NODE_NAME --ignore-daemonsets --delete-emptydir-data ---- nodeadm upgrade K8S_VERSION -c file://nodeConfig.yaml ---- +. To allow pods to be scheduled on the node after you have upgraded, type the following. Replace `NODE_NAME` with the name of the node. ++ +[source,yaml,subs="verbatim,attributes,quotes"] +---- +kubectl taint nodes NODE_NAME key=value:NoSchedule- +kubectl uncordon NODE_NAME +---- . Watch the status of your hybrid nodes and wait for your nodes to shutdown and restart on the new Kubernetes version with the Ready status. + @@ -146,4 +153,4 @@ kubectl get nodes -o -w ---- -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23hybrid-nodes-upgrade%5D&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23hybrid-nodes-upgrade%5D&type=code[Edit this page on GitHub] From cb718853b1300190245c74ebbf0975d507480f1b Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Thu, 13 Feb 2025 16:34:52 +0000 Subject: [PATCH 148/940] Consistency edits. --- latest/ug/automode/create-storage-class.adoc | 44 ++++++++++++++----- latest/ug/automode/migrate-auto.adoc | 12 ++--- .../ug/automode/sample-storage-workload.adoc | 12 ++--- latest/ug/quickstart.adoc | 2 +- .../iam-reference/security-iam-awsmanpol.adoc | 2 +- latest/ug/storage/ebs-csi-migration-faq.adoc | 4 +- latest/ug/what-is/kubernetes-concepts.adoc | 2 +- 7 files changed, 49 insertions(+), 29 deletions(-) diff --git a/latest/ug/automode/create-storage-class.adoc b/latest/ug/automode/create-storage-class.adoc index 7fd036467..8466e906e 100644 --- a/latest/ug/automode/create-storage-class.adoc +++ b/latest/ug/automode/create-storage-class.adoc @@ -1,15 +1,15 @@ [.topic] [#create-storage-class] -= Create a Storage Class -:info_titleabbrev: Create storage class += Create a storage class +:info_titleabbrev: Create StorageClass include::../attributes.txt[] -A StorageClass in Amazon EKS Auto Mode defines how Amazon EBS volumes are automatically provisioned when applications request persistent storage. This page explains how to create and configure a StorageClass that works with the Amazon EKS Auto Mode to provision EBS volumes. +A `StorageClass` in Amazon EKS Auto Mode defines how Amazon EBS volumes are automatically provisioned when applications request persistent storage. This page explains how to create and configure a `StorageClass` that works with the Amazon EKS Auto Mode to provision EBS volumes. -By configuring a StorageClass, you can specify default settings for your EBS volumes including volume type, encryption, IOPS, and other storage parameters. You can also configure the StorageClass to use {aws} KMS keys for encryption management. +By configuring a `StorageClass`, you can specify default settings for your EBS volumes including volume type, encryption, IOPS, and other storage parameters. You can also configure the `StorageClass` to use {aws} KMS keys for encryption management. -EKS Auto Mode does not create a StorageClass for you. You must create a StorageClass referencing `ebs.csi.eks.amazonaws.com` to use the storage capability of EKS Auto Mode. +EKS Auto Mode does not create a `StorageClass` for you. You must create a `StorageClass` referencing `ebs.csi.eks.amazonaws.com` to use the storage capability of EKS Auto Mode. First, create a file named `storage-class.yaml`: @@ -40,7 +40,7 @@ kubectl apply -f storage-class.yaml - `provisioner: ebs.csi.eks.amazonaws.com` - Uses EKS Auto Mode - `volumeBindingMode: WaitForFirstConsumer` - Delays volume creation until a pod needs it - `type: gp3` - Specifies the EBS volume type -- `encrypted: "true"` - EBS will encrypt any volumes created using the StorageClass. EBS will use the default `aws/ebs` key alias. For more information, see link:ebs/latest/userguide/how-ebs-encryption-works.html["How Amazon EBS encryption works",type="documentation"] in the Amazon EBS User Guide. This value is optional but suggested. +- `encrypted: "true"` - EBS will encrypt any volumes created using the `StorageClass`. EBS will use the default `aws/ebs` key alias. For more information, see link:ebs/latest/userguide/how-ebs-encryption-works.html["How Amazon EBS encryption works",type="documentation"] in the Amazon EBS User Guide. This value is optional but suggested. - `storageclass.kubernetes.io/is-default-class: "true"` - Kubernetes will use this storage class by default, unless you specify a different volume class on a persistent volume claim. This value is optional. Use caution when setting this value if you are migrating from a different storage controller. == Use self-managed KMS key to encrypt EBS volumes @@ -60,8 +60,8 @@ link:IAM/latest/UserGuide/access_policies_job-functions_create-policies.html["Cr Update the following values in the policy below: -* `` -- Your {aws} account ID, such as `111122223333` -* `` -- The {aws} region of your cluster, such as `us-west-2` +* `` – Your {aws} account ID, such as `111122223333` +* `` – The {aws} region of your cluster, such as `us-west-2` [source,json] ---- @@ -104,7 +104,7 @@ Update the following values in the policy below: } ---- -=== Sample self-managed KMS StorageClass +=== Sample self-managed KMS `StorageClass` [source,yaml] ---- @@ -115,7 +115,7 @@ parameters: ---- -== StorageClass Parameters Reference +== `StorageClass` Parameters Reference For general information on the Kubernetes `StorageClass` resources, see https://kubernetes.io/docs/concepts/storage/storage-classes/[Storage Classes] in the Kubernetes Documentation. @@ -124,67 +124,87 @@ THe `parameters` section of the `StorageClass` resource is specific to {aws}. Us [role="no-scroll"] [cols="4*", options="header"] |=== -|Parameters |Values |Default |Description + +|Parameters +|Values +|Default +|Description + |"csi.storage.k8s.io/fstype" |xfs, ext2, ext3, ext4 |ext4 |File system type that will be formatted during volume creation. This parameter is case sensitive! + |"type" |io1, io2, gp2, gp3, sc1, st1, standard, sbp1, sbg1 |gp3 |EBS volume type. + |"iopsPerGB" | | |I/O operations per second per GiB. Can be specified for IO1, IO2, and GP3 volumes. + |"allowAutoIOPSPerGBIncrease" |true, false |false |When `"true"`, the CSI driver increases IOPS for a volume when `iopsPerGB * ` is too low to fit into IOPS range supported by {aws}. This allows dynamic provisioning to always succeed, even when user specifies too small PVC capacity or `iopsPerGB` value. On the other hand, it may introduce additional costs, as such volumes have higher IOPS than requested in `iopsPerGB`. + |"iops" | | |I/O operations per second. Can be specified for IO1, IO2, and GP3 volumes. + |"throughput" | |125 |Throughput in MiB/s. Only effective when gp3 volume type is specified. + |"encrypted" |true, false |false |Whether the volume should be encrypted or not. Valid values are "true" or "false". + |"blockExpress" |true, false |false |Enables the creation of io2 Block Express volumes. + |"kmsKeyId" | | |The full ARN of the key to use when encrypting the volume. If not specified, {aws} will use the default KMS key for the region the volume is in. This will be an auto-generated key called `/aws/ebs` if not changed. + |"blockSize" | | |The block size to use when formatting the underlying filesystem. Only supported on linux nodes and with fstype `ext2`, `ext3`, `ext4`, or `xfs`. + |"inodeSize" | | |The inode size to use when formatting the underlying filesystem. Only supported on linux nodes and with fstype `ext2`, `ext3`, `ext4`, or `xfs`. + |"bytesPerInode" | | |The `bytes-per-inode` to use when formatting the underlying filesystem. Only supported on linux nodes and with fstype `ext2`, `ext3`, `ext4`. + |"numberOfInodes" | | |The `number-of-inodes` to use when formatting the underlying filesystem. Only supported on linux nodes and with fstype `ext2`, `ext3`, `ext4`. + |"ext4BigAlloc" |true, false |false |Changes the `ext4` filesystem to use clustered block allocation by enabling the `bigalloc` formatting option. Warning: `bigalloc` may not be fully supported with your node's Linux kernel. + |"ext4ClusterSize" | | |The cluster size to use when formatting an `ext4` filesystem when the `bigalloc` feature is enabled. Note: The `ext4BigAlloc` parameter must be set to true. + |=== For more information, see the https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/parameters.md[{aws} EBS CSI Driver] on GitHub. @@ -199,7 +219,7 @@ The block storage capability of EKS Auto Mode is different from the EBS CSI Driv ** You cannot use the node startup taint feature to prevent pod scheduling before storage capability readiness * Custom Tags on Dynamically Provisioned Volumes ** You cannot use the extra-tag CLI flag to configure custom tags on dynamically provisioned EBS volumes -** You can use StorageClass Tagging to add custom tags. EKS Auto Mode will add tags to the associated {aws} resources. You will need to update the Cluster IAM Role for custom tags. For more information, see <>. +** You can use `StorageClass` tagging to add custom tags. EKS Auto Mode will add tags to the associated {aws} resources. You will need to update the Cluster IAM Role for custom tags. For more information, see <>. * EBS Detailed Performance Metrics ** You cannot access Prometheus metrics for EBS detailed performance diff --git a/latest/ug/automode/migrate-auto.adoc b/latest/ug/automode/migrate-auto.adoc index 80f6ee37b..bd7333fb5 100644 --- a/latest/ug/automode/migrate-auto.adoc +++ b/latest/ug/automode/migrate-auto.adoc @@ -47,19 +47,19 @@ Use the following migration reference to configure Kubernetes Resources to be ow | Capability | Resource | Field | Self Managed | EKS Auto Mode -| Block Storage | StorageClass | provisioner | kubernetes.io/aws-ebs | ebs.csi.eks.amazonaws.com +| Block Storage | `StorageClass` | `provisioner` | `kubernetes.io/aws-ebs` | `ebs.csi.eks.amazonaws.com` -| Load Balancing | Service | loadBalancerClass | service.k8s.aws/nlb | eks.amazonaws.com/nlb +| Load Balancing | `Service` | `loadBalancerClass` | `service.k8s.aws/nlb` | `eks.amazonaws.com/nlb` -| Load Balancing | IngressClass | controller | ingress.k8s.aws/alb | eks.amazonaws.com/alb +| Load Balancing | `IngressClass` | controller | `ingress.k8s.aws/alb` | `eks.amazonaws.com/alb` -|Load Balancing | IngressClassParams |apiversion |elbv2.k8s.aws/v1beta1 |eks.amazonaws.com/v1 +| Load Balancing | `IngressClassParams` | `apiversion` | `elbv2.k8s.aws/v1beta1` | `eks.amazonaws.com/v1` -|Load Balancing | TargetGroupBinding |apiversion |elbv2.k8s.aws/v1beta1 |eks.amazonaws.com/v1 +| Load Balancing | `TargetGroupBinding` | `apiversion` | `elbv2.k8s.aws/v1beta1` | `eks.amazonaws.com/v1` -| Compute | NodeClass | apiVersion | karpenter.sh/v1alpha5 | eks.amazonaws.com/v1 +| Compute | NodeClass | `apiVersion` | `karpenter.sh/v1alpha5` | `eks.amazonaws.com/v1` |=== diff --git a/latest/ug/automode/sample-storage-workload.adoc b/latest/ug/automode/sample-storage-workload.adoc index 444ebb339..6081c4e68 100644 --- a/latest/ug/automode/sample-storage-workload.adoc +++ b/latest/ug/automode/sample-storage-workload.adoc @@ -32,9 +32,9 @@ aws eks update-kubeconfig --name "${CLUSTER_NAME}" ## Step 2: Create the storage class -The StorageClass defines how EKS Auto Mode will provision EBS volumes. +The `StorageClass` defines how EKS Auto Mode will provision EBS volumes. -EKS Auto Mode does not create a StorageClass for you. You must create a StorageClass referencing `ebs.csi.eks.amazonaws.com` to use the storage capability of EKS Auto Mode. +EKS Auto Mode does not create a `StorageClass` for you. You must create a `StorageClass` referencing `ebs.csi.eks.amazonaws.com` to use the storage capability of EKS Auto Mode. . Create a file named `storage-class.yaml`: + @@ -52,7 +52,7 @@ parameters: type: gp3 encrypted: "true" ---- -. Apply the StorageClass: +. Apply the `StorageClass`: + [source,bash] ---- @@ -69,7 +69,7 @@ kubectl apply -f storage-class.yaml ## Step 3: Create the persistent volume claim -The PVC requests storage from the StorageClass. +The PVC requests storage from the `StorageClass`. . Create a file named `pvc.yaml`: + @@ -98,7 +98,7 @@ kubectl apply -f pvc.yaml - `accessModes: ReadWriteOnce` - Volume can be mounted by one node at a time - `storage: 8Gi` - Requests an 8 GiB volume -- `storageClassName: auto-ebs-sc` - References the StorageClass we created +- `storageClassName: auto-ebs-sc` - References the `StorageClass` we created ## Step 4: Deploy the Application @@ -200,7 +200,7 @@ kubectl delete deployment/inflate-stateful pvc/auto-ebs-claim storageclass/auto- ## What's Happening Behind the Scenes -. The PVC requests storage from the StorageClass +. The PVC requests storage from the `StorageClass` . When the Pod is scheduled: .. EKS Auto Mode provisions an EBS volume .. Creates a PersistentVolume diff --git a/latest/ug/quickstart.adoc b/latest/ug/quickstart.adoc index ccdc01d37..b3c9db8d3 100644 --- a/latest/ug/quickstart.adoc +++ b/latest/ug/quickstart.adoc @@ -182,7 +182,7 @@ parameters: type: gp3 encrypted: "true" ---- -. Apply the StorageClass: +. Apply the `StorageClass`: + [source,bash] ---- diff --git a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc index 3029131b1..d0415728d 100644 --- a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc +++ b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc @@ -369,7 +369,7 @@ View details about updates to {aws} managed policies for Amazon EKS since this s Added the ability for the EBS CSI Driver to modify tags on existing volumes. The EBS CSI Driver can modify tags of existing volumes via a parameters in Kubernetes VolumeAttributesClasses. -Added the ability for the EBS CSI Driver to enable Fast Snapshot Restore (FSR) on EBS volumes. The EBS CSI Driver can enable FSR on new volumes via parameters in Kubernetes StorageClasses. +Added the ability for the EBS CSI Driver to enable Fast Snapshot Restore (FSR) on EBS volumes. The EBS CSI Driver can enable FSR on new volumes via parameters in Kubernetes storage classes. |January 13, 2025 |Added permissions to <>. diff --git a/latest/ug/storage/ebs-csi-migration-faq.adoc b/latest/ug/storage/ebs-csi-migration-faq.adoc index 353e4f092..ebe178967 100644 --- a/latest/ug/storage/ebs-csi-migration-faq.adoc +++ b/latest/ug/storage/ebs-csi-migration-faq.adoc @@ -118,7 +118,7 @@ Yes, but volume operations requiring the Amazon EBS CSI driver will fail after y The default `StorageClass` behavior remains unchanged. With each new cluster, Amazon EKS applies a `kubernetes.io/aws-ebs` based `StorageClass` named `gp2`. We don't plan to ever remove this `StorageClass` from newly created clusters. Separate from the cluster default `StorageClass`, if you create an `ebs.csi.aws.com` based `StorageClass` without specifying a volume type, the Amazon EBS CSI driver will default to using `gp3`. [#csi-migration-faq-existing-storageclasses] -== Will Amazon EKS make any changes to `StorageClasses` already present in my existing cluster when I update my cluster to version `1.23`? +== Will Amazon EKS make any changes to storage classes already present in my existing cluster when I update my cluster to version `1.23`? No. @@ -136,7 +136,7 @@ The new https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/m [#csi-migration-faq-windows] == Is migration supported for Windows workloads? -Yes. If you're installing the Amazon EBS CSI driver using the open source Helm chart, set `node.enableWindows` to `true`. This is set by default if installing the Amazon EBS CSI driver as an Amazon EKS add-on. When creating `StorageClasses`, set the `fsType` to a Windows file system, such as `ntfs`. Volume operations for Windows workloads are then migrated to the Amazon EBS CSI driver the same as they are for Linux workloads. +Yes. If you're installing the Amazon EBS CSI driver using the open source Helm chart, set `node.enableWindows` to `true`. This is set by default if installing the Amazon EBS CSI driver as an Amazon EKS add-on. When creating storage classes, set the `fsType` to a Windows file system, such as `ntfs`. Volume operations for Windows workloads are then migrated to the Amazon EBS CSI driver the same as they are for Linux workloads. 📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23ebs-csi-migration-faq%5D&type=code[Edit this page on GitHub] \ No newline at end of file diff --git a/latest/ug/what-is/kubernetes-concepts.adoc b/latest/ug/what-is/kubernetes-concepts.adoc index 9aee63965..4783f0de0 100644 --- a/latest/ug/what-is/kubernetes-concepts.adoc +++ b/latest/ug/what-is/kubernetes-concepts.adoc @@ -212,7 +212,7 @@ When you define a Pod, you assign a set of attributes to it. Those attributes mu -* *Storage* -- When a running container is stopped and deleted, data storage in that container will disappear, unless you set up more permanent storage. [.noloc]`Kubernetes` supports many different storage types and abstracts them under the umbrella of https://kubernetes.io/docs/concepts/storage/volumes/[Volumes]. Storage types include https://kubernetes.io/docs/concepts/storage/volumes/#cephfs[CephFS], https://kubernetes.io/docs/concepts/storage/volumes/#nfs[NFS], https://kubernetes.io/docs/concepts/storage/volumes/#iscsi[iSCSI], and others. You can even use a https://kubernetes.io/docs/concepts/storage/volumes/#local[local block device] from the local computer. With one of those storage types available from your cluster, you can mount the storage volume to a selected mount point in your container's file system. A https://kubernetes.io/docs/concepts/storage/persistent-volumes/[Persistent Volume] is one that continues to exist after the Pod is deleted, while an https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/[Ephemeral Volume] is deleted when the Pod is deleted. If your cluster administrator created different https://kubernetes.io/docs/concepts/storage/storage-classes/[StorageClasses] for your cluster, you might have the option for choosing the attributes of the storage you use, such as whether the volume is deleted or reclaimed after use, whether it will expand if more space is needed, and even whether it meets certain performance requirements. +* *Storage* -- When a running container is stopped and deleted, data storage in that container will disappear, unless you set up more permanent storage. [.noloc]`Kubernetes` supports many different storage types and abstracts them under the umbrella of https://kubernetes.io/docs/concepts/storage/volumes/[Volumes]. Storage types include https://kubernetes.io/docs/concepts/storage/volumes/#cephfs[CephFS], https://kubernetes.io/docs/concepts/storage/volumes/#nfs[NFS], https://kubernetes.io/docs/concepts/storage/volumes/#iscsi[iSCSI], and others. You can even use a https://kubernetes.io/docs/concepts/storage/volumes/#local[local block device] from the local computer. With one of those storage types available from your cluster, you can mount the storage volume to a selected mount point in your container's file system. A https://kubernetes.io/docs/concepts/storage/persistent-volumes/[Persistent Volume] is one that continues to exist after the Pod is deleted, while an https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/[Ephemeral Volume] is deleted when the Pod is deleted. If your cluster administrator created different https://kubernetes.io/docs/concepts/storage/storage-classes/[storage classes] for your cluster, you might have the option for choosing the attributes of the storage you use, such as whether the volume is deleted or reclaimed after use, whether it will expand if more space is needed, and even whether it meets certain performance requirements. * *Secrets* -- By making https://kubernetes.io/docs/concepts/configuration/secret/[Secrets] available to containers in Pod specs, you can provide the permissions those containers need to access file systems, data bases, or other protected assets. Keys, passwords, and tokens are among the items that can be stored as secrets. Using secrets makes it so you don't have to store this information in container images, but need only make the secrets available to running containers. Similar to Secrets are https://kubernetes.io/docs/concepts/configuration/configmap/[ConfigMaps]. A `ConfigMap` tends to hold less critical information, such as key-value pairs for configuring a service. * *Container resources* -- Objects for further configuring containers can take the form of resource configuration. For each container, you can request the amount of memory and CPU that it can use, as well as place limits of the total amount of those resources that the container can use. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/[Resource Management for Pods and Containers] for examples. * *Disruptions* -- Pods can be disrupted involuntarily (a node goes down) or voluntarily (an upgrade is desired). By configuring a https://kubernetes.io/docs/concepts/workloads/pods/disruptions/#pod-disruption-budgets[Pod disruption budget], you can exert some control over how available your application remains when disruptions occur. See https://kubernetes.io/docs/tasks/run-application/configure-pdb/[Specifying a Disruption Budget] for your application for examples. From 70fe4ff53abd572c5d0773c83004c3e1ccb5ab55 Mon Sep 17 00:00:00 2001 From: pgasca <87044997+pgasca@users.noreply.github.com> Date: Thu, 13 Feb 2025 10:37:39 -0600 Subject: [PATCH 149/940] Consistency edits --- latest/ug/storage/ebs-csi.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/storage/ebs-csi.adoc b/latest/ug/storage/ebs-csi.adoc index 000b3581d..42c7fd8c8 100644 --- a/latest/ug/storage/ebs-csi.adoc +++ b/latest/ug/storage/ebs-csi.adoc @@ -24,10 +24,10 @@ The https://github.com/kubernetes-sigs/aws-ebs-csi-driver/[Amazon Elastic Block * You do not need to install the Amazon EBS CSI controller on EKS Auto Mode clusters. * You can't mount Amazon EBS volumes to Fargate [.noloc]`Pods`. -* You can run the Amazon EBS CSI controller on Fargate nodes, but the Amazon EBS CSI node [.noloc]`DaemonSet` can only run on Amazon EC2 instances. +* You can run the Amazon EBS CSI controller on Fargate nodes, but the Amazon EBS CSI node `DaemonSet` can only run on Amazon EC2 instances. * Amazon EBS volumes and the Amazon EBS CSI driver are not compatible with Amazon EKS Hybrid Nodes. * Support will be provided for the latest add-on version and one prior version. Bugs or vulnerabilities found in the latest version will be backported to the previous release in a new minor version. -* Only PVs created from a Storage Class using `ebs.csi.eks.amazonaws.com` as the provisioner can be mounted on nodes created by EKS Auto mode. Existing PVs must be migrated to the new Storage Class using a volume snapshot. +* Only platform versions created from a storage class using `ebs.csi.eks.amazonaws.com` as the provisioner can be mounted on nodes created by EKS Auto Mode. Existing platform versions must be migrated to the new storage class using a volume snapshot. [IMPORTANT] ==== From 36552b81ea0d9e4876b74f7d19dfa22c72864023 Mon Sep 17 00:00:00 2001 From: Jenade Moodley Date: Thu, 13 Feb 2025 11:07:42 +0200 Subject: [PATCH 150/940] Update ebs-csi.adoc Only PVs created from a storage class referencing the `ebs.csi.eks.amazonaws.com` can be mounted on EKS Auto mode nodes. Updated docs to make this more clear --- latest/ug/storage/ebs-csi.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/storage/ebs-csi.adoc b/latest/ug/storage/ebs-csi.adoc index 7a8b5feca..000b3581d 100644 --- a/latest/ug/storage/ebs-csi.adoc +++ b/latest/ug/storage/ebs-csi.adoc @@ -27,7 +27,7 @@ The https://github.com/kubernetes-sigs/aws-ebs-csi-driver/[Amazon Elastic Block * You can run the Amazon EBS CSI controller on Fargate nodes, but the Amazon EBS CSI node [.noloc]`DaemonSet` can only run on Amazon EC2 instances. * Amazon EBS volumes and the Amazon EBS CSI driver are not compatible with Amazon EKS Hybrid Nodes. * Support will be provided for the latest add-on version and one prior version. Bugs or vulnerabilities found in the latest version will be backported to the previous release in a new minor version. - +* Only PVs created from a Storage Class using `ebs.csi.eks.amazonaws.com` as the provisioner can be mounted on nodes created by EKS Auto mode. Existing PVs must be migrated to the new Storage Class using a volume snapshot. [IMPORTANT] ==== @@ -363,4 +363,4 @@ Alternatively, if you want a self-managed installation of the Amazon EBS CSI dri You can deploy a variety of sample apps and modify them as needed. For more information, see https://github.com/kubernetes-sigs/aws-ebs-csi-driver/tree/master/examples/kubernetes[Kubernetes Examples] on [.noloc]`GitHub`. -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23ebs-csi%5D&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23ebs-csi%5D&type=code[Edit this page on GitHub] From 7460870ee7633ac5778520824f33d775f611ac5f Mon Sep 17 00:00:00 2001 From: pgasca <87044997+pgasca@users.noreply.github.com> Date: Thu, 13 Feb 2025 10:37:39 -0600 Subject: [PATCH 151/940] Consistency edits --- latest/ug/storage/ebs-csi.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/storage/ebs-csi.adoc b/latest/ug/storage/ebs-csi.adoc index 000b3581d..42c7fd8c8 100644 --- a/latest/ug/storage/ebs-csi.adoc +++ b/latest/ug/storage/ebs-csi.adoc @@ -24,10 +24,10 @@ The https://github.com/kubernetes-sigs/aws-ebs-csi-driver/[Amazon Elastic Block * You do not need to install the Amazon EBS CSI controller on EKS Auto Mode clusters. * You can't mount Amazon EBS volumes to Fargate [.noloc]`Pods`. -* You can run the Amazon EBS CSI controller on Fargate nodes, but the Amazon EBS CSI node [.noloc]`DaemonSet` can only run on Amazon EC2 instances. +* You can run the Amazon EBS CSI controller on Fargate nodes, but the Amazon EBS CSI node `DaemonSet` can only run on Amazon EC2 instances. * Amazon EBS volumes and the Amazon EBS CSI driver are not compatible with Amazon EKS Hybrid Nodes. * Support will be provided for the latest add-on version and one prior version. Bugs or vulnerabilities found in the latest version will be backported to the previous release in a new minor version. -* Only PVs created from a Storage Class using `ebs.csi.eks.amazonaws.com` as the provisioner can be mounted on nodes created by EKS Auto mode. Existing PVs must be migrated to the new Storage Class using a volume snapshot. +* Only platform versions created from a storage class using `ebs.csi.eks.amazonaws.com` as the provisioner can be mounted on nodes created by EKS Auto Mode. Existing platform versions must be migrated to the new storage class using a volume snapshot. [IMPORTANT] ==== From 46d1ad15e706f66e9eccc3a6d2b6d03ca165be42 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Thu, 13 Feb 2025 22:20:56 +0000 Subject: [PATCH 152/940] Removed potential noloc formatting issue in metadata: 43848 --- latest/ug/networking/managing-vpc-cni.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/networking/managing-vpc-cni.adoc b/latest/ug/networking/managing-vpc-cni.adoc index eda4b9a23..93da6f67c 100644 --- a/latest/ug/networking/managing-vpc-cni.adoc +++ b/latest/ug/networking/managing-vpc-cni.adoc @@ -25,7 +25,7 @@ include::pod-multiple-network-interfaces.adoc[leveloffset=+1] [abstract] -- -Discover how the [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on works to assign private IP addresses and create network interfaces for [.noloc]`Pods` and services in your Amazon EKS cluster. +Discover how the Amazon VPC CNI plugin for Kubernetes add-on works to assign private IP addresses and create network interfaces for Pods and services in your Amazon EKS cluster. -- [TIP] From f0ad66df8e3ee68698ac8977fbb61f1c3484f209 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Thu, 13 Feb 2025 22:32:25 +0000 Subject: [PATCH 153/940] Grammar: 44303 --- latest/ug/clusters/zone-shift.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/clusters/zone-shift.adoc b/latest/ug/clusters/zone-shift.adoc index aa97b55c7..01f7bf934 100644 --- a/latest/ug/clusters/zone-shift.adoc +++ b/latest/ug/clusters/zone-shift.adoc @@ -24,11 +24,11 @@ image::images/zs-traffic-flow-before-2.png[Illustration of network traffic] . The network packets are then sent to the Products Pod in AZ 2 via the ENIs on the respective nodes (as depicted in the diagram above). -=== Understanding ARC Zonal Shift in EKS +=== Understanding ARC Zonal Shift in Amazon EKS In the case that there is an AZ impairment in your environment, you can initiate a zonal shift for your EKS cluster environment. Alternatively, you can allow {aws} to manage this for you with zonal autoshift. With zonal autoshift, {aws} will monitor the overall AZ health and respond to a potential AZ impairment by automatically shifting traffic away from the impaired AZ in your cluster environment. -Once your EKS cluster zonal shift enabled with ARC, you can trigger a zonal shift or enable zonal autoshift using the ARC Console, the {aws} CLI, or the zonal shift and zonal autoshift APIs. +Once your Amazon EKS cluster has zonal shift enabled with ARC, you can trigger a zonal shift or enable zonal autoshift using the ARC Console, the {aws} CLI, or the zonal shift and zonal autoshift APIs. During an EKS zonal shift, the following will automatically take place: * All the nodes in the impacted AZ will be cordoned. This will prevent the Kubernetes Scheduler from scheduling new Pods onto the nodes in the unhealthy AZ. From 79356c34ea4bc7b04ccdc09891ecd642ef33cd8c Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Thu, 13 Feb 2025 23:33:49 +0000 Subject: [PATCH 154/940] Managed Node Group Update Behaviour is missing a possible cause for NodeCreationFailure #842: 45513 --- latest/ug/nodes/managed-node-update-behavior.adoc | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/latest/ug/nodes/managed-node-update-behavior.adoc b/latest/ug/nodes/managed-node-update-behavior.adoc index c7b58de89..9dbbd5314 100644 --- a/latest/ug/nodes/managed-node-update-behavior.adoc +++ b/latest/ug/nodes/managed-node-update-behavior.adoc @@ -17,8 +17,8 @@ The Amazon EKS managed worker node upgrade strategy has four different phases de The setup phase has these steps: -. It creates a new Amazon EC2 launch template version for the Auto Scaling group that's associated with your node group. The new launch template version uses the target AMI or a custom launch template version for the update. -. It updates the Auto Scaling group to use the latest launch template version. +. It creates a new Amazon EC2 launch template version for the Auto Scaling Group that's associated with your node group. The new launch template version uses the target AMI or a custom launch template version for the update. +. It updates the Auto Scaling Group to use the latest launch template version. . It determines the maximum quantity of nodes to upgrade in parallel using the `updateConfig` property for the node group. The maximum unavailable has a quota of 100 nodes. The default value is one node. For more information, see the link:eks/latest/APIReference/API_UpdateNodegroupConfig.html#API_UpdateNodegroupConfig_RequestSyntax[updateConfig,type="documentation"] property in the _Amazon EKS API Reference_. @@ -31,11 +31,11 @@ The scale up phase has these steps: . It increments the Auto Scaling Group's maximum size and desired size by the larger of either: + -** Up to twice the number of Availability Zones that the Auto Scaling group is deployed in. +** Up to twice the number of Availability Zones that the Auto Scaling Group is deployed in. ** The maximum unavailable of upgrade. + For example, if your node group has five Availability Zones and `maxUnavailable` as one, the upgrade process can launch a maximum of 10 nodes. However when `maxUnavailable` is 20 (or anything higher than 10), the process would launch 20 new nodes. -. After scaling the Auto Scaling group, it checks if the nodes using the latest configuration are present in the node group. This step succeeds only when it meets these criteria: +. After scaling the Auto Scaling Group, it checks if the nodes using the latest configuration are present in the node group. This step succeeds only when it meets these criteria: + ** At least one new node is launched in every Availability Zone where the node exists. ** Every new node should be in `Ready` state. @@ -70,6 +70,9 @@ Custom user data can sometimes break the bootstrap process. This scenario can le *Any changes which make a node unhealthy or not ready*:: Node disk pressure, memory pressure, and similar conditions can lead to a node not going to `Ready` state. +*Each node most bootstrap within 15 minutes*:: +If any node takes more than 15 minutes to bootstrap and join the cluster, it will cause the upgrade to time out. This is the total runtime for bootstrapping a new node measured from when a new node is required to when it joins the cluster. When upgrading a managed node group, the time counter starts as soon as the Auto Scaling Group size increases. + [#managed-node-update-upgrade] == Upgrade phase From cec59302fa783df46a3905ccb56bd6e3ed45bff3 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Wed, 5 Feb 2025 20:24:43 +0000 Subject: [PATCH 155/940] cluster-insights-rbac cr: https://code.amazon.com/reviews/CR-176364368 --- latest/ug/clusters/cluster-insights.adoc | 2 ++ .../k8s-access/access-policy-reference.adoc | 20 +++++++++++++++++++ 2 files changed, 22 insertions(+) diff --git a/latest/ug/clusters/cluster-insights.adoc b/latest/ug/clusters/cluster-insights.adoc index a3b3ca6eb..e0a700793 100644 --- a/latest/ug/clusters/cluster-insights.adoc +++ b/latest/ug/clusters/cluster-insights.adoc @@ -23,6 +23,8 @@ Amazon EKS upgrade insights speed up the testing and verification process for ne Cluster insights update periodically. You cannot manually refresh cluster insights. If you fix a cluster issue, it will take some time for cluster insights to update. To determine if a fix was successful, compare the time the change deployed to the "last refresh time" of the cluster insight. +Amazon EKS automatically creates a cluster access entry. This entry gives EKS permission to view information about your cluster. This information is used to generate the insights. For more information, see <>. + [#cluster-insights-console] == View cluster insights (Console) . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. diff --git a/latest/ug/manage-access/k8s-access/access-policy-reference.adoc b/latest/ug/manage-access/k8s-access/access-policy-reference.adoc index 2aa7437e1..1c24dfc1f 100644 --- a/latest/ug/manage-access/k8s-access/access-policy-reference.adoc +++ b/latest/ug/manage-access/k8s-access/access-policy-reference.adoc @@ -554,6 +554,22 @@ This access policy includes permissions that grant EKS access to the nodes of a |=== +[[access-policy-permissions-AmazonEKSClusterInsightsPolicy,access-policy-permissions-AmazonEKSClusterInsightsPolicy.title]] +== AmazonEKSClusterInsightsPolicy + +*ARN* – `{arn-aws}eks::aws:cluster-access-policy/AmazonEKSClusterInsightsPolicy` + +This policy grants read-only permissions for Amazon EKS Cluster Insights functionality. The policy includes the following permissions: + +Node Access: +- List and view cluster nodes +- Read node status information + +DaemonSet Access: +- Read access to kube-proxy configuration + +This policy is automatically managed by the EKS service for Cluster Insights. For more information, see <>. + [#access-policy-updates] == Access policy updates @@ -565,6 +581,10 @@ View details about updates to access policies, since they were introduced. For a |Description |Date +|Add policy for EKS Cluster Insights +|Publish `AmazonEKSClusterInsightsPolicy` +|December 2, 2024 + |Add policies for Amazon EKS Hybrid |Publish `AmazonEKSHybridPolicy` |December 2, 2024 From 2e2a9cfde723dc1cd9c5a6e13ff7cc421ae5a091 Mon Sep 17 00:00:00 2001 From: Chris Negus Date: Fri, 14 Feb 2025 19:18:20 +0000 Subject: [PATCH 156/940] Corrected example in auto-troubleshoot.adoc per https://t.corp.amazon.com/V1674569946 --- latest/ug/automode/auto-troubleshoot.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/automode/auto-troubleshoot.adoc b/latest/ug/automode/auto-troubleshoot.adoc index ca9e9a017..7e49e11ec 100644 --- a/latest/ug/automode/auto-troubleshoot.adoc +++ b/latest/ug/automode/auto-troubleshoot.adoc @@ -253,7 +253,7 @@ EKS Auto Mode Nodes are configured with SELinux in enforcing mode which provides Due to this, you may experience issues when trying to share data between Pods. For example, a `PersistentVolumeClaim` with an access mode of `ReadWriteOnce` will still not allow multiple Pods to access the volume concurrently. -To enable this sharing between Pods, you can use the Pod's `seLinuxOptions` to configure the same MCS label on those Pods. In this example, we assign the three categories `c123,c124,c125` to the Pod. This will not conflict with any categories assigned to Pods on the node automatically, as they will only be assigned two categories. +To enable this sharing between Pods, you can use the Pod's `seLinuxOptions` to configure the same MCS label on those Pods. In this example, we assign the three categories `c123,c456,c789` to the Pod. This will not conflict with any categories assigned to Pods on the node automatically, as they will only be assigned two categories. [source,bash,subs="verbatim,attributes"] ---- @@ -271,4 +271,4 @@ If you have a problem with a controller, you should research: * If the {aws} IAM and Kubernetes RBAC resources are properly configured for your cluster. For more information, see <>. -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-troubleshoot%5D&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-troubleshoot%5D&type=code[Edit this page on GitHub] From 86040fb0aa27db68be5879b9e3b63acff76faf21 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Fri, 14 Feb 2025 21:12:45 +0000 Subject: [PATCH 157/940] Updated GitHub links back to auto build approach now that they are linking properly. --- build-info.xml | 4 ++-- latest/ug/automode/associate-workload.adoc | 3 --- latest/ug/automode/auto-configure-alb.adoc | 5 +---- latest/ug/automode/auto-configure-nlb.adoc | 3 --- latest/ug/automode/auto-disable.adoc | 5 +---- latest/ug/automode/auto-elb-example.adoc | 3 --- latest/ug/automode/auto-enable-existing.adoc | 5 +---- latest/ug/automode/auto-glossary.adoc | 5 +---- latest/ug/automode/auto-learn-iam.adoc | 5 +---- latest/ug/automode/auto-migrate-karpenter.adoc | 5 +---- latest/ug/automode/auto-migrate-mng.adoc | 5 +---- latest/ug/automode/auto-mng.adoc | 5 +---- latest/ug/automode/auto-net-pol.adoc | 5 +---- latest/ug/automode/auto-networking.adoc | 5 +---- latest/ug/automode/auto-reference.adoc | 5 +---- latest/ug/automode/auto-troubleshoot.adoc | 3 --- latest/ug/automode/auto-upgrade.adoc | 5 +---- latest/ug/automode/auto-workloads.adoc | 5 +---- latest/ug/automode/automode-get-started-cli.adoc | 5 +---- latest/ug/automode/automode-get-started-console.adoc | 5 +---- latest/ug/automode/automode-get-started-eksctl.adoc | 5 +---- latest/ug/automode/automode-learn-instances.adoc | 3 --- latest/ug/automode/automode-workload.adoc | 5 +---- latest/ug/automode/automode.adoc | 5 +---- latest/ug/automode/create-auto.adoc | 5 +---- latest/ug/automode/create-node-class.adoc | 5 +---- latest/ug/automode/create-node-pool.adoc | 5 +---- latest/ug/automode/create-storage-class.adoc | 5 +---- latest/ug/automode/critical-workload.adoc | 5 +---- latest/ug/automode/migrate-auto.adoc | 5 +---- latest/ug/automode/old/hpa_scaling.adoc | 5 +---- latest/ug/automode/sample-storage-workload.adoc | 3 --- latest/ug/automode/set-builtin-node-pools.adoc | 5 +---- latest/ug/automode/settings-auto.adoc | 5 +---- latest/ug/automode/tag-subnets-auto.adoc | 5 +---- latest/ug/automode/troubleshoot-lbc.adoc | 5 +---- latest/ug/automode/wip.adoc | 5 +---- latest/ug/automode/wip/create-vpc-console.adoc | 5 +---- latest/ug/automode/wip/eksctl-docs.adoc | 5 +---- latest/ug/automode/wip/tag-subnets.adoc | 5 +---- latest/ug/book.adoc | 2 +- latest/ug/clusters/autoscaling.adoc | 5 +---- latest/ug/clusters/cluster-endpoint.adoc | 5 +---- latest/ug/clusters/cluster-insights.adoc | 5 +---- latest/ug/clusters/clusters.adoc | 5 +---- latest/ug/clusters/create-cluster-auto.adoc | 5 +---- latest/ug/clusters/create-cluster.adoc | 5 +---- latest/ug/clusters/delete-cluster.adoc | 5 +---- latest/ug/clusters/disable-extended-support.adoc | 5 +---- latest/ug/clusters/disable-windows-support.adoc | 5 +---- latest/ug/clusters/enable-extended-support.adoc | 5 +---- latest/ug/clusters/kubernetes-versions-extended.adoc | 5 +---- latest/ug/clusters/kubernetes-versions-standard.adoc | 5 +---- latest/ug/clusters/kubernetes-versions.adoc | 5 +---- latest/ug/clusters/management/cost-monitoring-aws.adoc | 5 +---- .../management/cost-monitoring-kubecost-bundles.adoc | 5 +---- .../ug/clusters/management/cost-monitoring-kubecost.adoc | 5 +---- latest/ug/clusters/management/cost-monitoring.adoc | 5 +---- latest/ug/clusters/management/eks-managing.adoc | 5 +---- latest/ug/clusters/management/eks-using-tags.adoc | 5 +---- latest/ug/clusters/management/helm.adoc | 5 +---- latest/ug/clusters/management/metrics-server.adoc | 5 +---- latest/ug/clusters/management/service-quotas.adoc | 5 +---- latest/ug/clusters/platform-versions.adoc | 5 +---- latest/ug/clusters/private-clusters.adoc | 3 --- latest/ug/clusters/update-cluster.adoc | 5 +---- latest/ug/clusters/view-support-status.adoc | 5 +---- latest/ug/clusters/view-upgrade-policy.adoc | 5 +---- latest/ug/clusters/windows-support.adoc | 5 +---- latest/ug/clusters/zone-shift-enable.adoc | 5 +---- latest/ug/clusters/zone-shift.adoc | 5 +---- latest/ug/connector/connecting-cluster.adoc | 5 +---- latest/ug/connector/connector-grant-access.adoc | 5 +---- latest/ug/connector/deregister-connected-cluster.adoc | 5 +---- latest/ug/connector/eks-connector.adoc | 5 +---- latest/ug/connector/security-connector.adoc | 5 +---- latest/ug/connector/troubleshooting-connector.adoc | 5 +---- latest/ug/connector/tsc-faq.adoc | 5 +---- latest/ug/contribute/asciidoc-syntax.adoc | 5 +---- latest/ug/contribute/contribute.adoc | 5 +---- latest/ug/contribute/create-content-q.adoc | 5 +---- latest/ug/contribute/create-page.adoc | 5 +---- latest/ug/contribute/edit-single-web.adoc | 7 ++----- latest/ug/contribute/edit-web.adoc | 5 +---- latest/ug/contribute/insert-link.adoc | 5 +---- latest/ug/contribute/pr-preview.adoc | 5 +---- latest/ug/contribute/pr-status.adoc | 5 +---- latest/ug/contribute/vale-github.adoc | 5 +---- latest/ug/contribute/vale-local.adoc | 5 +---- latest/ug/doc-history.adoc | 5 +---- latest/ug/getting-started/getting-started-automode.adoc | 5 +---- latest/ug/getting-started/getting-started-console.adoc | 5 +---- latest/ug/getting-started/getting-started-eksctl.adoc | 5 +---- latest/ug/getting-started/getting-started.adoc | 5 +---- latest/ug/getting-started/install-awscli.adoc | 5 +---- latest/ug/getting-started/install-kubectl.adoc | 5 +---- latest/ug/getting-started/learn-eks.adoc | 5 +---- latest/ug/getting-started/setting-up.adoc | 5 +---- .../creating-resources-with-cloudformation.adoc | 5 +---- latest/ug/integrations/eks-integrations.adoc | 5 +---- latest/ug/integrations/integration-detective.adoc | 5 +---- latest/ug/integrations/integration-guardduty.adoc | 5 +---- latest/ug/integrations/integration-resilience-hub.adoc | 5 +---- latest/ug/integrations/integration-securitylake.adoc | 5 +---- latest/ug/integrations/integration-vpc-lattice.adoc | 5 +---- latest/ug/integrations/local-zones.adoc | 5 +---- .../aws-access/associate-service-account-role.adoc | 5 +---- .../manage-access/aws-access/configure-sts-endpoint.adoc | 5 +---- .../ug/manage-access/aws-access/cross-account-access.adoc | 5 +---- .../aws-access/enable-iam-roles-for-service-accounts.adoc | 5 +---- .../iam-roles-for-service-accounts-minimum-sdk.adoc | 5 +---- .../aws-access/iam-roles-for-service-accounts.adoc | 5 +---- latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc | 5 +---- latest/ug/manage-access/aws-access/pod-configuration.adoc | 5 +---- latest/ug/manage-access/aws-access/pod-id-abac.adoc | 5 +---- .../manage-access/aws-access/pod-id-agent-config-ipv6.adoc | 5 +---- latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc | 5 +---- latest/ug/manage-access/aws-access/pod-id-association.adoc | 5 +---- .../ug/manage-access/aws-access/pod-id-configure-pods.adoc | 5 +---- .../ug/manage-access/aws-access/pod-id-how-it-works.adoc | 5 +---- latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc | 5 +---- latest/ug/manage-access/aws-access/pod-id-role.adoc | 5 +---- latest/ug/manage-access/aws-access/pod-identities.adoc | 3 --- latest/ug/manage-access/aws-access/service-accounts.adoc | 5 +---- latest/ug/manage-access/cluster-auth.adoc | 5 +---- latest/ug/manage-access/create-kubeconfig.adoc | 5 +---- latest/ug/manage-access/k8s-access/access-entries.adoc | 3 --- latest/ug/manage-access/k8s-access/access-policies.adoc | 5 +---- .../manage-access/k8s-access/access-policy-reference.adoc | 5 +---- latest/ug/manage-access/k8s-access/auth-configmap.adoc | 5 +---- .../k8s-access/authenticate-oidc-identity-provider.adoc | 3 --- .../manage-access/k8s-access/creating-access-entries.adoc | 5 +---- .../manage-access/k8s-access/deleting-access-entries.adoc | 5 +---- .../k8s-access/disassociate-oidc-identity-provider.adoc | 5 +---- latest/ug/manage-access/k8s-access/grant-k8s-access.adoc | 5 +---- .../manage-access/k8s-access/migrating-access-entries.adoc | 5 +---- .../k8s-access/setting-up-access-entries.adoc | 5 +---- .../manage-access/k8s-access/updating-access-entries.adoc | 5 +---- latest/ug/manage-access/view-kubernetes-resources.adoc | 5 +---- latest/ug/ml/capacity-blocks-mng.adoc | 5 +---- latest/ug/ml/capacity-blocks.adoc | 5 +---- latest/ug/ml/inferentia-support.adoc | 5 +---- latest/ug/ml/machine-learning-on-eks.adoc | 5 +---- latest/ug/ml/ml-eks-optimized-ami.adoc | 5 +---- latest/ug/ml/ml-eks-windows-optimized-ami.adoc | 5 +---- latest/ug/ml/ml-get-started.adoc | 5 +---- latest/ug/ml/ml-prepare-for-cluster.adoc | 5 +---- latest/ug/ml/ml-tutorials.adoc | 5 +---- latest/ug/ml/node-efa.adoc | 5 +---- latest/ug/ml/node-taints-managed-node-groups.adoc | 5 +---- latest/ug/networking/alternate-cni-plugins.adoc | 5 +---- latest/ug/networking/aws-load-balancer-controller.adoc | 5 +---- latest/ug/networking/cni-custom-network-tutorial.adoc | 5 +---- latest/ug/networking/cni-custom-network.adoc | 5 +---- latest/ug/networking/cni-iam-role.adoc | 5 +---- .../ug/networking/cni-increase-ip-addresses-procedure.adoc | 5 +---- latest/ug/networking/cni-increase-ip-addresses.adoc | 5 +---- latest/ug/networking/cni-ipv6.adoc | 5 +---- latest/ug/networking/cni-network-policy-configure.adoc | 5 +---- latest/ug/networking/cni-network-policy.adoc | 5 +---- latest/ug/networking/coredns-add-on-create.adoc | 5 +---- .../ug/networking/coredns-add-on-self-managed-update.adoc | 5 +---- latest/ug/networking/coredns-add-on-update.adoc | 5 +---- latest/ug/networking/coredns-autoscaling.adoc | 5 +---- latest/ug/networking/coredns-metrics.adoc | 5 +---- latest/ug/networking/creating-a-vpc.adoc | 5 +---- latest/ug/networking/deploy-ipv6-cluster.adoc | 5 +---- latest/ug/networking/eks-networking-add-ons.adoc | 5 +---- latest/ug/networking/eks-networking.adoc | 5 +---- latest/ug/networking/external-snat.adoc | 5 +---- .../networking/kube-proxy-add-on-self-managed-update.adoc | 5 +---- latest/ug/networking/lbc-helm.adoc | 5 +---- latest/ug/networking/lbc-manifest.adoc | 5 +---- latest/ug/networking/lbc-remove.adoc | 5 +---- latest/ug/networking/managing-coredns.adoc | 5 +---- latest/ug/networking/managing-kube-proxy.adoc | 5 +---- latest/ug/networking/managing-vpc-cni.adoc | 5 +---- latest/ug/networking/network-policies-troubleshooting.adoc | 5 +---- latest/ug/networking/network-policy-disable.adoc | 5 +---- latest/ug/networking/network-policy-stars-demo.adoc | 5 +---- latest/ug/networking/network-reqs.adoc | 3 --- latest/ug/networking/pod-multiple-network-interfaces.adoc | 5 +---- latest/ug/networking/pod-networking-use-cases.adoc | 5 +---- latest/ug/networking/sec-group-reqs.adoc | 5 +---- latest/ug/networking/security-groups-for-pods.adoc | 5 +---- latest/ug/networking/security-groups-pods-deployment.adoc | 5 +---- latest/ug/networking/sg-pods-example-deployment.adoc | 5 +---- latest/ug/networking/vpc-add-on-create.adoc | 5 +---- latest/ug/networking/vpc-add-on-self-managed-update.adoc | 5 +---- latest/ug/networking/vpc-add-on-update.adoc | 5 +---- latest/ug/nodes/al2023.adoc | 5 +---- latest/ug/nodes/auto-get-logs.adoc | 5 +---- latest/ug/nodes/bottlerocket-compliance-support.adoc | 5 +---- latest/ug/nodes/choosing-instance-type.adoc | 5 +---- latest/ug/nodes/create-managed-node-group.adoc | 5 +---- latest/ug/nodes/delete-fargate-profile.adoc | 5 +---- latest/ug/nodes/delete-managed-node-group.adoc | 5 +---- latest/ug/nodes/dockershim-deprecation.adoc | 5 +---- latest/ug/nodes/eks-ami-build-scripts.adoc | 5 +---- latest/ug/nodes/eks-ami-versions-bottlerocket.adoc | 5 +---- latest/ug/nodes/eks-ami-versions-windows.adoc | 5 +---- latest/ug/nodes/eks-compute.adoc | 5 +---- latest/ug/nodes/eks-custom-ami-windows.adoc | 5 +---- latest/ug/nodes/eks-linux-ami-versions.adoc | 5 +---- latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc | 5 +---- latest/ug/nodes/eks-optimized-ami.adoc | 5 +---- latest/ug/nodes/eks-optimized-amis.adoc | 5 +---- latest/ug/nodes/eks-optimized-windows-ami.adoc | 5 +---- latest/ug/nodes/eks-partner-amis.adoc | 5 +---- latest/ug/nodes/fargate-getting-started.adoc | 5 +---- latest/ug/nodes/fargate-logging.adoc | 5 +---- latest/ug/nodes/fargate-pod-configuration.adoc | 5 +---- latest/ug/nodes/fargate-pod-patching.adoc | 5 +---- latest/ug/nodes/fargate-profile.adoc | 5 +---- latest/ug/nodes/fargate.adoc | 5 +---- latest/ug/nodes/hybrid-nodes-add-ons.adoc | 5 +---- latest/ug/nodes/hybrid-nodes-cluster-create.adoc | 5 +---- latest/ug/nodes/hybrid-nodes-cluster-prep.adoc | 5 +---- latest/ug/nodes/hybrid-nodes-cni.adoc | 5 +---- latest/ug/nodes/hybrid-nodes-creds.adoc | 5 +---- latest/ug/nodes/hybrid-nodes-join.adoc | 5 +---- latest/ug/nodes/hybrid-nodes-networking.adoc | 5 +---- latest/ug/nodes/hybrid-nodes-nodeadm.adoc | 5 +---- latest/ug/nodes/hybrid-nodes-os.adoc | 5 +---- latest/ug/nodes/hybrid-nodes-overview.adoc | 5 +---- latest/ug/nodes/hybrid-nodes-prereqs.adoc | 5 +---- latest/ug/nodes/hybrid-nodes-proxy.adoc | 5 +---- latest/ug/nodes/hybrid-nodes-remove.adoc | 5 +---- latest/ug/nodes/hybrid-nodes-troubleshooting.adoc | 5 +---- latest/ug/nodes/hybrid-nodes-tutorial.adoc | 5 +---- latest/ug/nodes/hybrid-nodes-upgrade.adoc | 3 --- latest/ug/nodes/launch-node-bottlerocket.adoc | 5 +---- latest/ug/nodes/launch-node-ubuntu.adoc | 5 +---- latest/ug/nodes/launch-templates.adoc | 5 +---- latest/ug/nodes/launch-windows-workers.adoc | 5 +---- latest/ug/nodes/launch-workers.adoc | 5 +---- latest/ug/nodes/learn-status-conditions.adoc | 5 +---- latest/ug/nodes/managed-node-groups.adoc | 5 +---- latest/ug/nodes/managed-node-update-behavior.adoc | 5 +---- latest/ug/nodes/migrate-stack.adoc | 5 +---- latest/ug/nodes/monitoring-fargate-usage.adoc | 5 +---- latest/ug/nodes/node-health.adoc | 5 +---- latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc | 5 +---- latest/ug/nodes/retrieve-ami-id.adoc | 5 +---- latest/ug/nodes/retrieve-windows-ami-id.adoc | 5 +---- latest/ug/nodes/self-managed-windows-server-2022.adoc | 5 +---- latest/ug/nodes/update-managed-node-group.adoc | 5 +---- latest/ug/nodes/update-stack.adoc | 5 +---- latest/ug/nodes/update-workers.adoc | 5 +---- latest/ug/nodes/worker.adoc | 5 +---- latest/ug/observability/cloudwatch.adoc | 5 +---- latest/ug/observability/control-plane-logs.adoc | 5 +---- latest/ug/observability/deploy-prometheus.adoc | 5 +---- latest/ug/observability/eks-observe.adoc | 5 +---- latest/ug/observability/enable-asg-metrics.adoc | 5 +---- latest/ug/observability/logging-using-cloudtrail.adoc | 5 +---- latest/ug/observability/observability-dashboard.adoc | 5 +---- latest/ug/observability/opentelemetry.adoc | 5 +---- latest/ug/observability/prometheus.adoc | 5 +---- .../ug/observability/service-name-info-in-cloudtrail.adoc | 5 +---- .../observability/understanding-service-name-entries.adoc | 5 +---- latest/ug/observability/view-raw-metrics.adoc | 5 +---- .../ug/outposts/eks-outposts-capacity-considerations.adoc | 5 +---- latest/ug/outposts/eks-outposts-local-cluster-create.adoc | 5 +---- .../ug/outposts/eks-outposts-local-cluster-overview.adoc | 5 +---- latest/ug/outposts/eks-outposts-network-disconnects.adoc | 5 +---- latest/ug/outposts/eks-outposts-platform-versions.adoc | 5 +---- latest/ug/outposts/eks-outposts-self-managed-nodes.adoc | 5 +---- latest/ug/outposts/eks-outposts-troubleshooting.adoc | 5 +---- .../ug/outposts/eks-outposts-vpc-subnet-requirements.adoc | 5 +---- latest/ug/outposts/eks-outposts.adoc | 5 +---- latest/ug/quickstart.adoc | 5 +---- latest/ug/related-projects.adoc | 5 +---- latest/ug/roadmap.adoc | 5 +---- latest/ug/security/auto-security.adoc | 3 --- latest/ug/security/cert-signing.adoc | 5 +---- latest/ug/security/compliance.adoc | 5 +---- .../ug/security/configuration-vulnerability-analysis.adoc | 5 +---- latest/ug/security/default-roles-users.adoc | 5 +---- latest/ug/security/disaster-recovery-resiliency.adoc | 5 +---- latest/ug/security/enable-kms.adoc | 5 +---- .../ug/security/iam-reference/auto-cluster-iam-role.adoc | 5 +---- .../ug/security/iam-reference/auto-create-node-role.adoc | 5 +---- latest/ug/security/iam-reference/cluster-iam-role.adoc | 5 +---- latest/ug/security/iam-reference/connector-iam-role.adoc | 5 +---- latest/ug/security/iam-reference/create-node-role.adoc | 5 +---- latest/ug/security/iam-reference/pod-execution-role.adoc | 5 +---- .../ug/security/iam-reference/security-iam-awsmanpol.adoc | 5 +---- .../security-iam-id-based-policy-examples.adoc | 5 +---- .../iam-reference/security-iam-service-with-iam.adoc | 5 +---- .../security/iam-reference/security-iam-troubleshoot.adoc | 5 +---- latest/ug/security/iam-reference/security-iam.adoc | 5 +---- .../using-service-linked-roles-eks-connector.adoc | 5 +---- .../using-service-linked-roles-eks-fargate.adoc | 5 +---- .../using-service-linked-roles-eks-nodegroups.adoc | 5 +---- .../using-service-linked-roles-eks-outpost.adoc | 5 +---- .../iam-reference/using-service-linked-roles-eks.adoc | 5 +---- .../security/iam-reference/using-service-linked-roles.adoc | 5 +---- latest/ug/security/infrastructure-security.adoc | 5 +---- latest/ug/security/manage-secrets.adoc | 5 +---- latest/ug/security/pod-security-policy-removal-faq.adoc | 5 +---- latest/ug/security/pod-security-policy.adoc | 5 +---- latest/ug/security/security-best-practices.adoc | 5 +---- latest/ug/security/security-eks.adoc | 5 +---- latest/ug/security/security-k8s.adoc | 5 +---- latest/ug/security/security.adoc | 5 +---- latest/ug/security/vpc-interface-endpoints.adoc | 3 --- latest/ug/storage/csi-snapshot-controller.adoc | 5 +---- latest/ug/storage/ebs-csi-migration-faq.adoc | 5 +---- latest/ug/storage/ebs-csi.adoc | 3 --- latest/ug/storage/efs-csi.adoc | 5 +---- latest/ug/storage/file-cache-csi.adoc | 5 +---- latest/ug/storage/fsx-csi.adoc | 5 +---- latest/ug/storage/fsx-ontap.adoc | 5 +---- latest/ug/storage/fsx-openzfs-csi.adoc | 5 +---- latest/ug/storage/s3-csi.adoc | 5 +---- latest/ug/storage/storage.adoc | 5 +---- latest/ug/troubleshooting/troubleshooting.adoc | 5 +---- latest/ug/what-is/common-use-cases.adoc | 5 +---- latest/ug/what-is/eks-architecture.adoc | 5 +---- latest/ug/what-is/eks-deployment-options.adoc | 5 +---- latest/ug/what-is/kubernetes-concepts.adoc | 5 +---- latest/ug/what-is/what-is-eks.adoc | 5 +---- latest/ug/workloads/add-ons-iam.adoc | 5 +---- latest/ug/workloads/add-ons-images.adoc | 5 +---- latest/ug/workloads/addon-compat.adoc | 3 --- latest/ug/workloads/addon-id-troubleshoot.adoc | 5 +---- latest/ug/workloads/alb-ingress.adoc | 5 +---- latest/ug/workloads/community-addons.adoc | 5 +---- latest/ug/workloads/copy-image-to-repository.adoc | 5 +---- latest/ug/workloads/creating-an-add-on.adoc | 5 +---- latest/ug/workloads/eks-add-ons.adoc | 5 +---- latest/ug/workloads/eks-workloads.adoc | 5 +---- latest/ug/workloads/horizontal-pod-autoscaler.adoc | 5 +---- latest/ug/workloads/image-verification.adoc | 5 +---- latest/ug/workloads/kubernetes-field-management.adoc | 5 +---- latest/ug/workloads/network-load-balancing.adoc | 5 +---- latest/ug/workloads/remove-addon-role.adoc | 5 +---- latest/ug/workloads/removing-an-addon.adoc | 5 +---- latest/ug/workloads/restrict-service-external-ip.adoc | 5 +---- latest/ug/workloads/retreive-iam-info.adoc | 5 +---- latest/ug/workloads/sample-deployment-windows.adoc | 5 +---- latest/ug/workloads/sample-deployment.adoc | 5 +---- latest/ug/workloads/update-addon-role.adoc | 5 +---- latest/ug/workloads/updating-an-add-on.adoc | 5 +---- latest/ug/workloads/vertical-pod-autoscaler.adoc | 5 +---- latest/ug/workloads/workloads-add-ons-available-eks.adoc | 5 +---- .../ug/workloads/workloads-add-ons-available-vendors.adoc | 5 +---- 348 files changed, 334 insertions(+), 1372 deletions(-) diff --git a/build-info.xml b/build-info.xml index 2b2ad2f2f..a0d5e5d52 100755 --- a/build-info.xml +++ b/build-info.xml @@ -26,12 +26,12 @@ mesh-gs-eks - + Amazon EKS Document History diff --git a/latest/ug/automode/associate-workload.adoc b/latest/ug/automode/associate-workload.adoc index d9e0c3267..48a8f2d79 100644 --- a/latest/ug/automode/associate-workload.adoc +++ b/latest/ug/automode/associate-workload.adoc @@ -46,6 +46,3 @@ You can add this `nodeAffinity` to Deployments or other workloads to require Kub values: - auto ---- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23associate-workload%5D&type=code[Edit this page on GitHub] diff --git a/latest/ug/automode/auto-configure-alb.adoc b/latest/ug/automode/auto-configure-alb.adoc index a30a37b33..5da5bfd25 100644 --- a/latest/ug/automode/auto-configure-alb.adoc +++ b/latest/ug/automode/auto-configure-alb.adoc @@ -212,7 +212,4 @@ The following tables provide a detailed comparison of changes in IngressClassPar | `elbv2.k8s.aws/v1beta1` | `eks.amazonaws.com/v1` | API version change | `spec.targetType` optional | `spec.targetType` required | Explicit target type specification | `spec.networking.ingress.from` | Not supported | No longer supports NLB without security groups -|=== - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-configure-alb%5D&type=code[Edit this page on GitHub] \ No newline at end of file +|=== \ No newline at end of file diff --git a/latest/ug/automode/auto-configure-nlb.adoc b/latest/ug/automode/auto-configure-nlb.adoc index 0c0ee5779..d06be749a 100644 --- a/latest/ug/automode/auto-configure-nlb.adoc +++ b/latest/ug/automode/auto-configure-nlb.adoc @@ -164,6 +164,3 @@ This consolidated format provides a more consistent and flexible way to configur | `spec.targetType` optional | `spec.targetType` required | Explicit target type specification | `spec.networking.ingress.from` | Not supported | No longer supports NLB without security groups |=== - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-configure-nlb%5D&type=code[Edit this page on GitHub] diff --git a/latest/ug/automode/auto-disable.adoc b/latest/ug/automode/auto-disable.adoc index 635607516..bec6d351c 100644 --- a/latest/ug/automode/auto-disable.adoc +++ b/latest/ug/automode/auto-disable.adoc @@ -58,7 +58,4 @@ To then delete the Security Group: [source,cli] ---- aws ec2 delete-security-group --group-name= ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-disable%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/automode/auto-elb-example.adoc b/latest/ug/automode/auto-elb-example.adoc index 1d46eae4e..a0cee3e00 100644 --- a/latest/ug/automode/auto-elb-example.adoc +++ b/latest/ug/automode/auto-elb-example.adoc @@ -243,6 +243,3 @@ If the game doesn't load: - Ensure all pods are running: `kubectl get pods -n game-2048` - Check ingress status: `kubectl describe ingress -n game-2048` - Verify ALB health checks: Check the target group health in {aws} Console - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-elb-example%5D&type=code[Edit this page on GitHub] diff --git a/latest/ug/automode/auto-enable-existing.adoc b/latest/ug/automode/auto-enable-existing.adoc index 82bdcd84c..917866a89 100644 --- a/latest/ug/automode/auto-enable-existing.adoc +++ b/latest/ug/automode/auto-enable-existing.adoc @@ -143,7 +143,4 @@ For more information, see <>. == Next Steps * To migrate Manage Node Group workloads, see <>. -* To migrate from Self-Managed Karpenter, see <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-enable-existing%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* To migrate from Self-Managed Karpenter, see <>. \ No newline at end of file diff --git a/latest/ug/automode/auto-glossary.adoc b/latest/ug/automode/auto-glossary.adoc index 9f08dccdd..a6368f4ca 100644 --- a/latest/ug/automode/auto-glossary.adoc +++ b/latest/ug/automode/auto-glossary.adoc @@ -69,7 +69,4 @@ EKS Auto Mode -- Block Storage Capability:: A feature that manages Amazon EBS volumes in Amazon EKS Auto Mode clusters. This capability automatically handles volume provisioning and lifecycle management for pods that need persistent storage. EKS Auto Mode -- Load Balancing Capability:: -A feature that manages Application Load Balancers and Network Load Balancers in Amazon EKS Auto Mode clusters. This capability automatically configures load balancers based on your service requirements. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-glossary%5D&type=code[Edit this page on GitHub] \ No newline at end of file +A feature that manages Application Load Balancers and Network Load Balancers in Amazon EKS Auto Mode clusters. This capability automatically configures load balancers based on your service requirements. \ No newline at end of file diff --git a/latest/ug/automode/auto-learn-iam.adoc b/latest/ug/automode/auto-learn-iam.adoc index 80464836e..4108a122a 100644 --- a/latest/ug/automode/auto-learn-iam.adoc +++ b/latest/ug/automode/auto-learn-iam.adoc @@ -189,7 +189,4 @@ By default, the managed policies related to EKS Auto Mode do not permit applying == Access Policy Reference -For more information about the Kubernetes permissions used by EKS Auto Mode, see <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-learn-iam%5D&type=code[Edit this page on GitHub] \ No newline at end of file +For more information about the Kubernetes permissions used by EKS Auto Mode, see <>. \ No newline at end of file diff --git a/latest/ug/automode/auto-migrate-karpenter.adoc b/latest/ug/automode/auto-migrate-karpenter.adoc index 948a1fb67..4b336cd34 100644 --- a/latest/ug/automode/auto-migrate-karpenter.adoc +++ b/latest/ug/automode/auto-migrate-karpenter.adoc @@ -129,7 +129,4 @@ spec: ## Step 8: Uninstall Karpenter from your cluster -The steps to remove Karpenter depend on how you installed it. For more information, see the https://karpenter.sh/docs/getting-started/getting-started-with-karpenter/#create-a-cluster-and-add-karpenter[Karpenter install instructions] and the https://helm.sh/docs/helm/helm_uninstall/[Helm Uninstall command]. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-migrate-karpenter%5D&type=code[Edit this page on GitHub] \ No newline at end of file +The steps to remove Karpenter depend on how you installed it. For more information, see the https://karpenter.sh/docs/getting-started/getting-started-with-karpenter/#create-a-cluster-and-add-karpenter[Karpenter install instructions] and the https://helm.sh/docs/helm/helm_uninstall/[Helm Uninstall command]. \ No newline at end of file diff --git a/latest/ug/automode/auto-migrate-mng.adoc b/latest/ug/automode/auto-migrate-mng.adoc index 6fdd033cf..de4369c60 100644 --- a/latest/ug/automode/auto-migrate-mng.adoc +++ b/latest/ug/automode/auto-migrate-mng.adoc @@ -22,7 +22,4 @@ Use the following `eksctl` CLI command to initiate draining pods from the existi [source,cli] ---- eksctl update auto-mode-config --drain-all-nodegroups ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-migrate-mng%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/automode/auto-mng.adoc b/latest/ug/automode/auto-mng.adoc index 68a32e5f4..bf48954a3 100644 --- a/latest/ug/automode/auto-mng.adoc +++ b/latest/ug/automode/auto-mng.adoc @@ -144,7 +144,4 @@ include::../attributes.txt[] |Cost of Amazon EC2 instance that runs multiple Pods. For more information, see Amazon EC2 pricing. | When EKS Auto Mode is enabled in your cluster, you pay a separate fee, in addition to the standard EC2 instance charges, for the instances launched using Auto Mode's compute capability. The amount varies with the instance type launched and the {aws} region where your cluster is located. For more information, see link:eks/pricing/["Amazon EKS pricing",type="marketing"]. -|=== - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-mng%5D&type=code[Edit this page on GitHub] \ No newline at end of file +|=== \ No newline at end of file diff --git a/latest/ug/automode/auto-net-pol.adoc b/latest/ug/automode/auto-net-pol.adoc index 51707a415..5db0e020c 100644 --- a/latest/ug/automode/auto-net-pol.adoc +++ b/latest/ug/automode/auto-net-pol.adoc @@ -69,7 +69,4 @@ Once your nodes are using this Node Class, they will be able to enforce network ## Step 3: Create and test network policies -Your EKS Auto Mode cluster is now configured to support Kubernetes network policies. You can test this with the <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-net-pol%5D&type=code[Edit this page on GitHub] \ No newline at end of file +Your EKS Auto Mode cluster is now configured to support Kubernetes network policies. You can test this with the <>. \ No newline at end of file diff --git a/latest/ug/automode/auto-networking.adoc b/latest/ug/automode/auto-networking.adoc index 1235fe73d..8a6cdbae2 100644 --- a/latest/ug/automode/auto-networking.adoc +++ b/latest/ug/automode/auto-networking.adoc @@ -63,7 +63,4 @@ For more information, see <> or <>. * {aws} does not support migrating load balancers from the self managed {aws} load balancer controller to management by EKS Auto Mode. * The `networking.ingress.ipBlock` field in `TargetGroupBinding` spec is not supported. * If your worker nodes use custom security groups (not `+eks-cluster-sg-*+` naming pattern), your cluster role needs additional IAM permissions. The default EKS-managed policy only allows EKS to modify security groups named `+eks-cluster-sg-*+`. Without permission to modify your custom security groups, EKS cannot add the required ingress rules that allow ALB/NLB traffic to reach your pods. -* You cannot bring your own target groups. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-networking%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* You cannot bring your own target groups. \ No newline at end of file diff --git a/latest/ug/automode/auto-reference.adoc b/latest/ug/automode/auto-reference.adoc index 937425500..ffe5741de 100644 --- a/latest/ug/automode/auto-reference.adoc +++ b/latest/ug/automode/auto-reference.adoc @@ -32,7 +32,4 @@ include::auto-networking.adoc[leveloffset=+1] //include::term-reference.adoc[leveloffset=+1] -//include::auto-glossary.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-reference%5D&type=code[Edit this page on GitHub] \ No newline at end of file +//include::auto-glossary.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/automode/auto-troubleshoot.adoc b/latest/ug/automode/auto-troubleshoot.adoc index 7e49e11ec..d905725a4 100644 --- a/latest/ug/automode/auto-troubleshoot.adoc +++ b/latest/ug/automode/auto-troubleshoot.adoc @@ -269,6 +269,3 @@ If you have a problem with a controller, you should research: * If the resources associated with that controller are properly formatted and valid. * If the {aws} IAM and Kubernetes RBAC resources are properly configured for your cluster. For more information, see <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-troubleshoot%5D&type=code[Edit this page on GitHub] diff --git a/latest/ug/automode/auto-upgrade.adoc b/latest/ug/automode/auto-upgrade.adoc index 43e06cabc..45aea175a 100644 --- a/latest/ug/automode/auto-upgrade.adoc +++ b/latest/ug/automode/auto-upgrade.adoc @@ -34,7 +34,4 @@ Learn link:eks/latest/best-practices/cluster-upgrades.html["Best Practices for C == Start Cluster Update -To start a cluster update, see <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-upgrade%5D&type=code[Edit this page on GitHub] \ No newline at end of file +To start a cluster update, see <>. \ No newline at end of file diff --git a/latest/ug/automode/auto-workloads.adoc b/latest/ug/automode/auto-workloads.adoc index fe604025c..11e3a7dd3 100644 --- a/latest/ug/automode/auto-workloads.adoc +++ b/latest/ug/automode/auto-workloads.adoc @@ -26,7 +26,4 @@ include::automode-workload.adoc[leveloffset=+1] include::auto-elb-example.adoc[leveloffset=+1] -include::sample-storage-workload.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-workloads%5D&type=code[Edit this page on GitHub] \ No newline at end of file +include::sample-storage-workload.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/automode/automode-get-started-cli.adoc b/latest/ug/automode/automode-get-started-cli.adoc index 993bcf4bd..fc470337d 100644 --- a/latest/ug/automode/automode-get-started-cli.adoc +++ b/latest/ug/automode/automode-get-started-cli.adoc @@ -322,7 +322,4 @@ kubectl get nodepools == Next Steps -* Learn how to <> to your new EKS Auto Mode cluster. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23automode-get-started-cli%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* Learn how to <> to your new EKS Auto Mode cluster. \ No newline at end of file diff --git a/latest/ug/automode/automode-get-started-console.adoc b/latest/ug/automode/automode-get-started-console.adoc index ec3adbad2..b38c76d64 100644 --- a/latest/ug/automode/automode-get-started-console.adoc +++ b/latest/ug/automode/automode-get-started-console.adoc @@ -46,7 +46,4 @@ You must be logged into the {aws-management-console} with sufficent permissions * Learn how to <> -//call out refactored IAM - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23automode-get-started-console%5D&type=code[Edit this page on GitHub] \ No newline at end of file +//call out refactored IAM \ No newline at end of file diff --git a/latest/ug/automode/automode-get-started-eksctl.adoc b/latest/ug/automode/automode-get-started-eksctl.adoc index 961baa808..3646e6c59 100644 --- a/latest/ug/automode/automode-get-started-eksctl.adoc +++ b/latest/ug/automode/automode-get-started-eksctl.adoc @@ -74,7 +74,4 @@ Save the `ClusterConfig` file as `cluster.yaml`, and use the following command t [source,cli] ---- eksctl create cluster -f cluster.yaml ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23automode-get-started-eksctl%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/automode/automode-learn-instances.adoc b/latest/ug/automode/automode-learn-instances.adoc index 240eb924d..3390aef3b 100644 --- a/latest/ug/automode/automode-learn-instances.adoc +++ b/latest/ug/automode/automode-learn-instances.adoc @@ -117,6 +117,3 @@ For more information, see link:ec2/latest/instancetypes/instance-type-names.html * Amazon EKS Auto Mode does not support {aws} Fault Injection Service. For more information, see link:resilience-hub/latest/userguide/testing.html["Managing Fault Injection Service experiments",type="documentation"] in the {aws} Resilience Hub User Guide. * You do not need to install the `Neuron Device Plugin` on EKS Auto Mode nodes. ** If you have other types of nodes in your cluster, you need to configure the Neuron Device plugin to not run on auto mode nodes. For more information, see <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23automode-learn-instances%5D&type=code[Edit this page on GitHub] diff --git a/latest/ug/automode/automode-workload.adoc b/latest/ug/automode/automode-workload.adoc index be7503d57..b5452a47b 100644 --- a/latest/ug/automode/automode-workload.adoc +++ b/latest/ug/automode/automode-workload.adoc @@ -126,7 +126,4 @@ If you have no other workloads deployed to your cluster, the node created by EKS In the default configration, EKS Auto Mode detects nodes that have been empty for thirty seconds, and terminates them. -Use `kubectl` or the EC2 console to confirm the associated instance has been deleted. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23automode-workload%5D&type=code[Edit this page on GitHub] \ No newline at end of file +Use `kubectl` or the EC2 console to confirm the associated instance has been deleted. \ No newline at end of file diff --git a/latest/ug/automode/automode.adoc b/latest/ug/automode/automode.adoc index ac73c32d3..32a76af57 100644 --- a/latest/ug/automode/automode.adoc +++ b/latest/ug/automode/automode.adoc @@ -91,7 +91,4 @@ include::auto-reference.adoc[leveloffset=+1] include::auto-troubleshoot.adoc[leveloffset=+1] -//include::wip.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23automode%5D&type=code[Edit this page on GitHub] \ No newline at end of file +//include::wip.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/automode/create-auto.adoc b/latest/ug/automode/create-auto.adoc index 5093c0f0b..6bdf815ea 100644 --- a/latest/ug/automode/create-auto.adoc +++ b/latest/ug/automode/create-auto.adoc @@ -37,7 +37,4 @@ include::automode-get-started-eksctl.adoc[leveloffset=+1] include::automode-get-started-cli.adoc[leveloffset=+1] -include::automode-get-started-console.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23create-auto%5D&type=code[Edit this page on GitHub] \ No newline at end of file +include::automode-get-started-console.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/automode/create-node-class.adoc b/latest/ug/automode/create-node-class.adoc index f80423037..ceb2af483 100644 --- a/latest/ug/automode/create-node-class.adoc +++ b/latest/ug/automode/create-node-class.adoc @@ -158,7 +158,4 @@ spec: * If you change the Node IAM Role associated with a NodeClass, you will need to create a new Access Entry. EKS automatically creates an Access Entry for the Node IAM Role during cluster creation. The Node IAM Role requires the `AmazonEKSAutoNodePolicy` EKS Access Policy. For more information, see <>. * EKS limits the maximum number of pods on a node to 110. This limit is applied after the existing max pods calculation. For more information, see <>. -* If you want to propagate tags from Kubernetes to EC2, you need to configure additional IAM permissions. For more information, see <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23create-node-class%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* If you want to propagate tags from Kubernetes to EC2, you need to configure additional IAM permissions. For more information, see <>. \ No newline at end of file diff --git a/latest/ug/automode/create-node-pool.adoc b/latest/ug/automode/create-node-pool.adoc index 98a8d1532..68d00ff0a 100644 --- a/latest/ug/automode/create-node-pool.adoc +++ b/latest/ug/automode/create-node-pool.adoc @@ -219,7 +219,4 @@ By default, EKS Auto Mode: - Consolidates underutilized instances. - Terminates instances after 720 hours. -- Sets a single disruption budget of 10% of nodes. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23create-node-pool%5D&type=code[Edit this page on GitHub] \ No newline at end of file +- Sets a single disruption budget of 10% of nodes. \ No newline at end of file diff --git a/latest/ug/automode/create-storage-class.adoc b/latest/ug/automode/create-storage-class.adoc index 8466e906e..95b5a494d 100644 --- a/latest/ug/automode/create-storage-class.adoc +++ b/latest/ug/automode/create-storage-class.adoc @@ -254,7 +254,4 @@ For more information, see: } ---- .. Select *Next* -. Review the add-on configuration and then select *Create* - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23create-storage-class%5D&type=code[Edit this page on GitHub] \ No newline at end of file +. Review the add-on configuration and then select *Create* \ No newline at end of file diff --git a/latest/ug/automode/critical-workload.adoc b/latest/ug/automode/critical-workload.adoc index fe0377c57..30c48f7bc 100644 --- a/latest/ug/automode/critical-workload.adoc +++ b/latest/ug/automode/critical-workload.adoc @@ -65,7 +65,4 @@ To update a workload to run on the `system` node pool, you need to: ** `tolerations` . Deploy the updated workload to your cluster with `kubectl apply` -After updating the workload, it will run on dedicated nodes. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23critical-workload%5D&type=code[Edit this page on GitHub] \ No newline at end of file +After updating the workload, it will run on dedicated nodes. \ No newline at end of file diff --git a/latest/ug/automode/migrate-auto.adoc b/latest/ug/automode/migrate-auto.adoc index bd7333fb5..c24bc551b 100644 --- a/latest/ug/automode/migrate-auto.adoc +++ b/latest/ug/automode/migrate-auto.adoc @@ -73,7 +73,4 @@ include::auto-enable-existing.adoc[leveloffset=+1] include::auto-migrate-karpenter.adoc[leveloffset=+1] -include::auto-migrate-mng.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23migrate-auto%5D&type=code[Edit this page on GitHub] \ No newline at end of file +include::auto-migrate-mng.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/automode/old/hpa_scaling.adoc b/latest/ug/automode/old/hpa_scaling.adoc index 9adcf2aba..d602f3260 100644 --- a/latest/ug/automode/old/hpa_scaling.adoc +++ b/latest/ug/automode/old/hpa_scaling.adoc @@ -236,7 +236,4 @@ kubectl delete service retail-store-sample-ui helm uninstall metrics-server -n kube-system kubectl delete hpa retail-store-sample-ui-hpa kubectl delete load-generator ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-hpa-scaling%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/automode/sample-storage-workload.adoc b/latest/ug/automode/sample-storage-workload.adoc index 6081c4e68..4dac9061d 100644 --- a/latest/ug/automode/sample-storage-workload.adoc +++ b/latest/ug/automode/sample-storage-workload.adoc @@ -224,6 +224,3 @@ deletionPolicy: Delete ---- https://github.com/kubernetes-csi/external-snapshotter/blob/master/README.md#usage[Learn more about the Kubernetes CSI Snapshotter.] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23sample-storage-workload%5D&type=code[Edit this page on GitHub] diff --git a/latest/ug/automode/set-builtin-node-pools.adoc b/latest/ug/automode/set-builtin-node-pools.adoc index 2e55efded..9c7fa27ea 100644 --- a/latest/ug/automode/set-builtin-node-pools.adoc +++ b/latest/ug/automode/set-builtin-node-pools.adoc @@ -56,7 +56,4 @@ Use the following command to disable both built-in NodePools: aws eks update-cluster-config \ --name \ --compute-config '{"nodePools": []}' ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23set-builtin-node-pools%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/automode/settings-auto.adoc b/latest/ug/automode/settings-auto.adoc index b9fdc3c50..a3841eb77 100644 --- a/latest/ug/automode/settings-auto.adoc +++ b/latest/ug/automode/settings-auto.adoc @@ -109,7 +109,4 @@ include::critical-workload.adoc[leveloffset=+1] include::auto-net-pol.adoc[leveloffset=+1] -include::tag-subnets-auto.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23settings-auto%5D&type=code[Edit this page on GitHub] \ No newline at end of file +include::tag-subnets-auto.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/automode/tag-subnets-auto.adoc b/latest/ug/automode/tag-subnets-auto.adoc index 27961054d..9c5f2019f 100644 --- a/latest/ug/automode/tag-subnets-auto.adoc +++ b/latest/ug/automode/tag-subnets-auto.adoc @@ -77,7 +77,4 @@ aws ec2 create-tags \ --tags Key=kubernetes.io/role/internal-elb,Value=1 ---- -Replace `subnet-ID` with your actual subnet ID. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23tag-subnets-auto%5D&type=code[Edit this page on GitHub] \ No newline at end of file +Replace `subnet-ID` with your actual subnet ID. \ No newline at end of file diff --git a/latest/ug/automode/troubleshoot-lbc.adoc b/latest/ug/automode/troubleshoot-lbc.adoc index 105ad3396..7726a3fb5 100644 --- a/latest/ug/automode/troubleshoot-lbc.adoc +++ b/latest/ug/automode/troubleshoot-lbc.adoc @@ -99,7 +99,4 @@ For stuck resources: - <> - link:support/home[{aws} Support Center,type="console"] -- link:https://status.aws.amazon.com/[{aws} Service Health Dashboard] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23troubleshoot-lbc%5D&type=code[Edit this page on GitHub] \ No newline at end of file +- link:https://status.aws.amazon.com/[{aws} Service Health Dashboard] \ No newline at end of file diff --git a/latest/ug/automode/wip.adoc b/latest/ug/automode/wip.adoc index 1fe4582fb..03188b5bd 100644 --- a/latest/ug/automode/wip.adoc +++ b/latest/ug/automode/wip.adoc @@ -15,7 +15,4 @@ This section contains in-progress revisions for existing pages in other chapters //include::wip/auto-cluster-iam-role.adoc[leveloffset=+1] -//include::wip/auto-create-node-role.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-wip%5D&type=code[Edit this page on GitHub] \ No newline at end of file +//include::wip/auto-create-node-role.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/automode/wip/create-vpc-console.adoc b/latest/ug/automode/wip/create-vpc-console.adoc index 5dd91ceff..8e1db8c26 100644 --- a/latest/ug/automode/wip/create-vpc-console.adoc +++ b/latest/ug/automode/wip/create-vpc-console.adoc @@ -143,7 +143,4 @@ kubernetes.io/role/internal-elb = 1 - EKS VPC Requirements Documentation - EKS Best Practices Guide - VPC Pricing Calculator -- EKS Networking Documentation - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23create-vpc-console%5D&type=code[Edit this page on GitHub] \ No newline at end of file +- EKS Networking Documentation \ No newline at end of file diff --git a/latest/ug/automode/wip/eksctl-docs.adoc b/latest/ug/automode/wip/eksctl-docs.adoc index b977548c1..66059289a 100644 --- a/latest/ug/automode/wip/eksctl-docs.adoc +++ b/latest/ug/automode/wip/eksctl-docs.adoc @@ -114,7 +114,4 @@ $ eksctl update auto-mode-config -f cluster.yaml == Further information -- <> - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eksctl-docs%5D&type=code[Edit this page on GitHub] \ No newline at end of file +- <> \ No newline at end of file diff --git a/latest/ug/automode/wip/tag-subnets.adoc b/latest/ug/automode/wip/tag-subnets.adoc index 0381fb149..8041edbdd 100644 --- a/latest/ug/automode/wip/tag-subnets.adoc +++ b/latest/ug/automode/wip/tag-subnets.adoc @@ -27,7 +27,4 @@ Your subnets require specific tags based on their intended use: 6. Click *Add Tag* and enter: - For private subnets: Key = `kubernetes.io/role/internal-elb`, Value = `1` - For public subnets: Key = `kubernetes.io/role/elb`, Value = `1` -7. Click *Save* - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23tag-subnets%5D&type=code[Edit this page on GitHub] \ No newline at end of file +7. Click *Save* \ No newline at end of file diff --git a/latest/ug/book.adoc b/latest/ug/book.adoc index 126759452..86ae20f24 100644 --- a/latest/ug/book.adoc +++ b/latest/ug/book.adoc @@ -31,7 +31,7 @@ This is official Amazon Web Services ({aws}) documentation for Amazon Elastic Ku *Help improve this page* [.banner.info] -Want to contribute to this user guide? Choose the 📝 *Edit this page on GitHub* link that is located at the bottom of every page. Your contributions will help make our user guide better for everyone. +Want to contribute to this user guide? Choose the *Edit this page on GitHub* link that is located in the right pane of every page. Your contributions will help make our user guide better for everyone. include::what-is/what-is-eks.adoc[leveloffset=+1] diff --git a/latest/ug/clusters/autoscaling.adoc b/latest/ug/clusters/autoscaling.adoc index 498c88620..ab653c51e 100644 --- a/latest/ug/clusters/autoscaling.adoc +++ b/latest/ug/clusters/autoscaling.adoc @@ -37,7 +37,4 @@ Karpenter is open-source software which {aws} customers are responsible for inst ==== *Cluster Autoscaler*:: -The [.noloc]`Kubernetes` Cluster Autoscaler automatically adjusts the number of nodes in your cluster when pods fail or are rescheduled onto other nodes. The Cluster Autoscaler uses Auto Scaling groups. For more information, see https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaler on {aws}]. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23autoscaling%5D&type=code[Edit this page on GitHub] \ No newline at end of file +The [.noloc]`Kubernetes` Cluster Autoscaler automatically adjusts the number of nodes in your cluster when pods fail or are rescheduled onto other nodes. The Cluster Autoscaler uses Auto Scaling groups. For more information, see https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaler on {aws}]. \ No newline at end of file diff --git a/latest/ug/clusters/cluster-endpoint.adoc b/latest/ug/clusters/cluster-endpoint.adoc index 8b1649cac..cf735fe1a 100644 --- a/latest/ug/clusters/cluster-endpoint.adoc +++ b/latest/ug/clusters/cluster-endpoint.adoc @@ -246,7 +246,4 @@ When you configure `kubectl` for your bastion host, be sure to use {aws} credent *{aws} Cloud9 IDE*:: {aws} Cloud9 is a cloud-based integrated development environment (IDE) that lets you write, run, and debug your code with just a browser. You can create an {aws} Cloud9 IDE in your cluster's VPC and use the IDE to communicate with your cluster. For more information, see link:cloud9/latest/user-guide/create-environment.html[Creating an environment in {aws} Cloud9,type="documentation"]. You must ensure that your Amazon EKS control plane security group contains rules to allow ingress traffic on port 443 from your IDE security group. For more information, see <>. + -When you configure `kubectl` for your {aws} Cloud9 IDE, be sure to use {aws} credentials that are already mapped to your cluster's RBAC configuration, or add the IAM principal that your IDE will use to the RBAC configuration before you remove endpoint public access. For more information, see <> and <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cluster-endpoint%5D&type=code[Edit this page on GitHub] \ No newline at end of file +When you configure `kubectl` for your {aws} Cloud9 IDE, be sure to use {aws} credentials that are already mapped to your cluster's RBAC configuration, or add the IAM principal that your IDE will use to the RBAC configuration before you remove endpoint public access. For more information, see <> and <>. \ No newline at end of file diff --git a/latest/ug/clusters/cluster-insights.adoc b/latest/ug/clusters/cluster-insights.adoc index e0a700793..cab8240c2 100644 --- a/latest/ug/clusters/cluster-insights.adoc +++ b/latest/ug/clusters/cluster-insights.adoc @@ -199,7 +199,4 @@ An example output is as follows. { "deprecationDetails": [], "addonCompatibilityDetails": [] }, }, } ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cluster-insights%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/clusters/clusters.adoc b/latest/ug/clusters/clusters.adoc index c8333c56e..17af852a1 100644 --- a/latest/ug/clusters/clusters.adoc +++ b/latest/ug/clusters/clusters.adoc @@ -88,7 +88,4 @@ include::autoscaling.adoc[leveloffset=+1] include::zone-shift.adoc[leveloffset=+1] -include::zone-shift-enable.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23clusters%5D&type=code[Edit this page on GitHub] \ No newline at end of file +include::zone-shift-enable.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/clusters/create-cluster-auto.adoc b/latest/ug/clusters/create-cluster-auto.adoc index d20d1b0f0..c2df00915 100644 --- a/latest/ug/clusters/create-cluster-auto.adoc +++ b/latest/ug/clusters/create-cluster-auto.adoc @@ -327,7 +327,4 @@ aws eks describe-cluster --region region-code --name my-cluster --query "cluster * <> * <>. * <>. -* <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23create-cluster-auto%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* <>. \ No newline at end of file diff --git a/latest/ug/clusters/create-cluster.adoc b/latest/ug/clusters/create-cluster.adoc index 8e87b53fe..bbb1a97dd 100644 --- a/latest/ug/clusters/create-cluster.adoc +++ b/latest/ug/clusters/create-cluster.adoc @@ -320,7 +320,4 @@ If you deploy your cluster using either `eksctl` or the {aws} CLI, then the [.no * If you want nodes and IAM principals to access your cluster from within your VPC, enable the private endpoint for your cluster. The public endpoint is enabled by default. You can disable the public endpoint once you've enabled the private endpoint, if desired. For more information, see <>. * <>. * <>. -* <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23create-cluster%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* <>. \ No newline at end of file diff --git a/latest/ug/clusters/delete-cluster.adoc b/latest/ug/clusters/delete-cluster.adoc index 9be904271..6e0ae3195 100644 --- a/latest/ug/clusters/delete-cluster.adoc +++ b/latest/ug/clusters/delete-cluster.adoc @@ -186,7 +186,4 @@ aws cloudformation list-stacks --query "StackSummaries[].StackName" [source,bash,subs="verbatim,attributes"] ---- aws cloudformation delete-stack --stack-name my-vpc-stack ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23delete-cluster%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/clusters/disable-extended-support.adoc b/latest/ug/clusters/disable-extended-support.adoc index d384b8865..337d808cb 100644 --- a/latest/ug/clusters/disable-extended-support.adoc +++ b/latest/ug/clusters/disable-extended-support.adoc @@ -36,7 +36,4 @@ You cannot disable extended support once your cluster has entered it. You can on aws eks update-cluster-config \ --name \ --upgrade-policy supportType=STANDARD ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23disable-extended-support%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/clusters/disable-windows-support.adoc b/latest/ug/clusters/disable-windows-support.adoc index 65298cd62..76c7212f3 100644 --- a/latest/ug/clusters/disable-windows-support.adoc +++ b/latest/ug/clusters/disable-windows-support.adoc @@ -22,7 +22,4 @@ kubectl patch configmap/amazon-vpc-cni \ -n kube-system \ --type merge \ -p '{"data":{"enable-windows-ipam":"false"}}' ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23disable-windows-support%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/clusters/enable-extended-support.adoc b/latest/ug/clusters/enable-extended-support.adoc index d66d56379..aa3b43ea0 100644 --- a/latest/ug/clusters/enable-extended-support.adoc +++ b/latest/ug/clusters/enable-extended-support.adoc @@ -40,7 +40,4 @@ If you do not enable extended support, your cluster will be automatically upgrad aws eks update-cluster-config \ --name \ --upgrade-policy supportType=EXTENDED ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23enable-extended-support%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/clusters/kubernetes-versions-extended.adoc b/latest/ug/clusters/kubernetes-versions-extended.adoc index c8d5eb4e0..8bb962f9d 100644 --- a/latest/ug/clusters/kubernetes-versions-extended.adoc +++ b/latest/ug/clusters/kubernetes-versions-extended.adoc @@ -158,7 +158,4 @@ The [.noloc]`PSP` admission controller enforces [.noloc]`Pod` security standards * [.noloc]`Kubernetes` graduated the `HorizontalPodAutoscaler` `autoscaling/v2` stable API to general availability. The `HorizontalPodAutoscaler` `autoscaling/v2beta2` API is deprecated. It will be unavailable in `1.26`. * The https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/[goaway-chance] option in the [.noloc]`Kubernetes` API server helps prevent `HTTP/2` client connections from being stuck on a single API server instance, by randomly closing a connection. When the connection is closed, the client will try to reconnect, and will likely land on a different API server as a result of load balancing. Amazon EKS version `1.23` has enabled `goaway-chance` flag. If your workload running on Amazon EKS cluster uses a client that is not compatible with https://www.rfc-editor.org/rfc/rfc7540#section-6.8[HTTP GOAWAY], we recommend that you update your client to handle `GOAWAY` by reconnecting on connection termination. -For the complete [.noloc]`Kubernetes` `1.23` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.23.md#changelog-since-v1220. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23kubernetes-versions-extended%5D&type=code[Edit this page on GitHub] \ No newline at end of file +For the complete [.noloc]`Kubernetes` `1.23` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.23.md#changelog-since-v1220. \ No newline at end of file diff --git a/latest/ug/clusters/kubernetes-versions-standard.adoc b/latest/ug/clusters/kubernetes-versions-standard.adoc index 6d5b9b558..dd9a7652b 100644 --- a/latest/ug/clusters/kubernetes-versions-standard.adoc +++ b/latest/ug/clusters/kubernetes-versions-standard.adoc @@ -132,7 +132,4 @@ For the complete [.noloc]`Kubernetes` `1.30` changelog, see https://github.com/k kubectl get cm kube-apiserver-legacy-service-account-token-tracking -n kube-system ---- -For the complete [.noloc]`Kubernetes` `1.29` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1280. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23kubernetes-versions-standard%5D&type=code[Edit this page on GitHub] \ No newline at end of file +For the complete [.noloc]`Kubernetes` `1.29` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1280. \ No newline at end of file diff --git a/latest/ug/clusters/kubernetes-versions.adoc b/latest/ug/clusters/kubernetes-versions.adoc index f764c2191..e2c96ae5f 100644 --- a/latest/ug/clusters/kubernetes-versions.adoc +++ b/latest/ug/clusters/kubernetes-versions.adoc @@ -271,7 +271,4 @@ include::view-upgrade-policy.adoc[leveloffset=+1] include::enable-extended-support.adoc[leveloffset=+1] -include::disable-extended-support.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23kubernetes-versions%5D&type=code[Edit this page on GitHub] \ No newline at end of file +include::disable-extended-support.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/clusters/management/cost-monitoring-aws.adoc b/latest/ug/clusters/management/cost-monitoring-aws.adoc index 2bd0a1fae..fdd69ab0f 100644 --- a/latest/ug/clusters/management/cost-monitoring-aws.adoc +++ b/latest/ug/clusters/management/cost-monitoring-aws.adoc @@ -26,7 +26,4 @@ Use the following for _Split Cost Allocation Data_: . Opt in to Split Cost Allocation Data. For more information, see link:cur/latest/userguide/enabling-split-cost-allocation-data.html[Enabling split cost allocation data,type="documentation"] in the {aws} Cost and Usage Report User Guide. . Include the data in a new or existing report. -. View the report. You can use the Billing and Cost Management console or view the report files in Amazon Simple Storage Service. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cost-monitoring-aws%5D&type=code[Edit this page on GitHub] \ No newline at end of file +. View the report. You can use the Billing and Cost Management console or view the report files in Amazon Simple Storage Service. \ No newline at end of file diff --git a/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc b/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc index 3bb0baf03..bf85961f7 100644 --- a/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc +++ b/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc @@ -324,7 +324,4 @@ No. image::images/kubecost-architecture.png[Kubecost architecture,scaledwidth=100%] + With https://prometheus.io/[Prometheus] pre-installed, you can write queries to ingest [.noloc]`Kubecost` data into your current business intelligence system for further analysis. You can also use it as a data source for your current https://grafana.com/[Grafana] dashboard to display Amazon EKS cluster costs that your internal teams are familiar with. To learn more about how to write [.noloc]`Prometheus` queries, see the https://github.com/opencost/opencost/blob/develop/PROMETHEUS.md[Prometheus Configuration]``readme`` file on GitHub or use the example [.noloc]`Grafana` JSON models in the https://github.com/kubecost/cost-analyzer-helm-chart/tree/develop/cost-analyzer[Kubecost Github repository] as references. -* *{aws} Cost and Usage Report integration* – To perform cost allocation calculations for your Amazon EKS cluster, [.noloc]`Kubecost` retrieves the public pricing information of {aws} services and {aws} resources from the {aws} Price List API. You can also integrate [.noloc]`Kubecost` with *{aws} Cost and Usage Report* to enhance the accuracy of the pricing information specific to your {aws} account. This information includes enterprise discount programs, reserved instance usage, savings plans, and spot usage. To learn more about how the {aws} Cost and Usage Report integration works, see https://docs.kubecost.com/install-and-configure/install/cloud-integration/aws-cloud-integrations[{aws} Cloud Billing Integration] in the [.noloc]`Kubecost` documentation. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cost-monitoring-kubecost-bundles%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* *{aws} Cost and Usage Report integration* – To perform cost allocation calculations for your Amazon EKS cluster, [.noloc]`Kubecost` retrieves the public pricing information of {aws} services and {aws} resources from the {aws} Price List API. You can also integrate [.noloc]`Kubecost` with *{aws} Cost and Usage Report* to enhance the accuracy of the pricing information specific to your {aws} account. This information includes enterprise discount programs, reserved instance usage, savings plans, and spot usage. To learn more about how the {aws} Cost and Usage Report integration works, see https://docs.kubecost.com/install-and-configure/install/cloud-integration/aws-cloud-integrations[{aws} Cloud Billing Integration] in the [.noloc]`Kubecost` documentation. \ No newline at end of file diff --git a/latest/ug/clusters/management/cost-monitoring-kubecost.adoc b/latest/ug/clusters/management/cost-monitoring-kubecost.adoc index afca64398..6a15d07f5 100644 --- a/latest/ug/clusters/management/cost-monitoring-kubecost.adoc +++ b/latest/ug/clusters/management/cost-monitoring-kubecost.adoc @@ -111,7 +111,4 @@ image::images/kubecost.png[Kubecost dashboard,scaledwidth=100%] * *Cost allocation* – View monthly Amazon EKS costs and cumulative costs for each of your namespaces and other dimensions over the past seven days. This is helpful for understanding which parts of your application are contributing to Amazon EKS spend. -* *Assets* – View the costs of the {aws} infrastructure assets that are associated with your Amazon EKS resources. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cost-monitoring-kubecost%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* *Assets* – View the costs of the {aws} infrastructure assets that are associated with your Amazon EKS resources. \ No newline at end of file diff --git a/latest/ug/clusters/management/cost-monitoring.adoc b/latest/ug/clusters/management/cost-monitoring.adoc index e5390ccf2..34a6e9c7b 100644 --- a/latest/ug/clusters/management/cost-monitoring.adoc +++ b/latest/ug/clusters/management/cost-monitoring.adoc @@ -21,7 +21,4 @@ include::cost-monitoring-aws.adoc[leveloffset=+1] include::cost-monitoring-kubecost.adoc[leveloffset=+1] -include::cost-monitoring-kubecost-bundles.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cost-monitoring%5D&type=code[Edit this page on GitHub] \ No newline at end of file +include::cost-monitoring-kubecost-bundles.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/clusters/management/eks-managing.adoc b/latest/ug/clusters/management/eks-managing.adoc index 3f98d9f70..190ac8cce 100644 --- a/latest/ug/clusters/management/eks-managing.adoc +++ b/latest/ug/clusters/management/eks-managing.adoc @@ -33,7 +33,4 @@ include::helm.adoc[leveloffset=+1] include::eks-using-tags.adoc[leveloffset=+1] -include::service-quotas.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-managing%5D&type=code[Edit this page on GitHub] \ No newline at end of file +include::service-quotas.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/clusters/management/eks-using-tags.adoc b/latest/ug/clusters/management/eks-using-tags.adoc index 4f190c5c1..1d5d3868c 100644 --- a/latest/ug/clusters/management/eks-using-tags.adoc +++ b/latest/ug/clusters/management/eks-using-tags.adoc @@ -208,7 +208,4 @@ When you use some resource-creating actions, you can specify tags at the same ti |`create fargateprofile` |=== -* If you want to also tag the Amazon EC2 instances when you create a managed node group, create the managed node group using a launch template. For more information, see <>. If your instances already exist, you can manually tag the instances. For more information, see link:AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources[Tagging your resources,type="documentation"] in the Amazon EC2 User Guide. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-using-tags%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* If you want to also tag the Amazon EC2 instances when you create a managed node group, create the managed node group using a launch template. For more information, see <>. If your instances already exist, you can manually tag the instances. For more information, see link:AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources[Tagging your resources,type="documentation"] in the Amazon EC2 User Guide. \ No newline at end of file diff --git a/latest/ug/clusters/management/helm.adoc b/latest/ug/clusters/management/helm.adoc index 692088a56..87d7f7ee6 100644 --- a/latest/ug/clusters/management/helm.adoc +++ b/latest/ug/clusters/management/helm.adoc @@ -70,7 +70,4 @@ v3.9.0 + ** Experiment by installing an example chart. See https://helm.sh/docs/intro/quickstart#install-an-example-chart[Install an example chart] in the Helm https://helm.sh/docs/intro/quickstart/[Quickstart guide]. ** Create an example chart and push it to Amazon ECR. For more information, see link:AmazonECR/latest/userguide/push-oci-artifact.html[Pushing a Helm chart,type="documentation"] in the _Amazon Elastic Container Registry User Guide_. -** Install an Amazon EKS chart from the https://github.com/aws/eks-charts#eks-charts[eks-charts][.noloc]`GitHub` repo or from https://artifacthub.io/packages/search?page=1&repo=aws[ArtifactHub]. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23helm%5D&type=code[Edit this page on GitHub] \ No newline at end of file +** Install an Amazon EKS chart from the https://github.com/aws/eks-charts#eks-charts[eks-charts][.noloc]`GitHub` repo or from https://artifacthub.io/packages/search?page=1&repo=aws[ArtifactHub]. \ No newline at end of file diff --git a/latest/ug/clusters/management/metrics-server.adoc b/latest/ug/clusters/management/metrics-server.adoc index 0113b7b6b..a9a2494d0 100644 --- a/latest/ug/clusters/management/metrics-server.adoc +++ b/latest/ug/clusters/management/metrics-server.adoc @@ -73,7 +73,4 @@ metrics-server 1/1 1 1 6m ---- kubectl top nodes ---- -. If you receive the error message `Error from server (Forbidden)`, you need to update your Kubernetes RBAC configuration. Your Kubernetes RBAC identity needs sufficent permissions to read cluster metrics. Review the https://github.com/kubernetes-sigs/metrics-server/blob/e285375a49e3bf77ddd78c08a05aaa44f2249ebd/manifests/base/rbac.yaml#L5C9-L5C41[minimum required Kubernetes API permissions for reading metrics] on GitHub. Learn how to <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23metrics-server%5D&type=code[Edit this page on GitHub] \ No newline at end of file +. If you receive the error message `Error from server (Forbidden)`, you need to update your Kubernetes RBAC configuration. Your Kubernetes RBAC identity needs sufficent permissions to read cluster metrics. Review the https://github.com/kubernetes-sigs/metrics-server/blob/e285375a49e3bf77ddd78c08a05aaa44f2249ebd/manifests/base/rbac.yaml#L5C9-L5C41[minimum required Kubernetes API permissions for reading metrics] on GitHub. Learn how to <>. \ No newline at end of file diff --git a/latest/ug/clusters/management/service-quotas.adoc b/latest/ug/clusters/management/service-quotas.adoc index effbbc878..222c03fca 100644 --- a/latest/ug/clusters/management/service-quotas.adoc +++ b/latest/ug/clusters/management/service-quotas.adoc @@ -88,7 +88,4 @@ To view default {aws} Fargate on EKS service quotas, see link:general/latest/gr/ Fargate additionally enforces Amazon ECS tasks and Amazon EKS [.noloc]`Pods` launch rate quotas. For more information, see link:AmazonECS/latest/developerguide/throttling.html[{aws} Fargate throttling quotas,type="documentation"] in the _Amazon ECS guide_. -==== - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23service-quotas%5D&type=code[Edit this page on GitHub] \ No newline at end of file +==== \ No newline at end of file diff --git a/latest/ug/clusters/platform-versions.adoc b/latest/ug/clusters/platform-versions.adoc index e4413e5ce..a4855afff 100644 --- a/latest/ug/clusters/platform-versions.adoc +++ b/latest/ug/clusters/platform-versions.adoc @@ -910,7 +910,4 @@ An example output is as follows. You cannot change the platform version of an EKS cluster. When new Amazon EKS platform versions become available for a [.noloc]`Kubernetes` version, EKS automatically upgrades all existing clusters to the latest Amazon EKS platform version for their corresponding [.noloc]`Kubernetes` version. Automatic upgrades of existing Amazon EKS platform versions are rolled out incrementally. You cannot use the {aws} Console or CLI to change the platform version. -If you upgrade your [.noloc]`Kubernetes` version, your cluster will move onto the most recent platform version for the [.noloc]`Kubernetes` version. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23platform-versions%5D&type=code[Edit this page on GitHub] \ No newline at end of file +If you upgrade your [.noloc]`Kubernetes` version, your cluster will move onto the most recent platform version for the [.noloc]`Kubernetes` version. \ No newline at end of file diff --git a/latest/ug/clusters/private-clusters.adoc b/latest/ug/clusters/private-clusters.adoc index 45880dc3a..ccee1646b 100644 --- a/latest/ug/clusters/private-clusters.adoc +++ b/latest/ug/clusters/private-clusters.adoc @@ -108,6 +108,3 @@ We recommend that you link:vpc/latest/privatelink/interface-endpoints.html#enabl The controller supports network load balancers with IP targets, which are required for use with Fargate. For more information, see <> and <>. * https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaler] is supported. When deploying Cluster Autoscaler [.noloc]`Pods`, make sure that the command line includes `--aws-use-static-instance-list=true`. For more information, see https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md#use-static-instance-list[Use Static Instance List] on [.noloc]`GitHub`. The worker node VPC must also include the {aws} STS VPC endpoint and autoscaling VPC endpoint. * Some container software products use API calls that access the {aws} Marketplace Metering Service to monitor usage. Private clusters do not allow these calls, so you can't use these container types in private clusters. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23private-clusters%5D&type=code[Edit this page on GitHub] diff --git a/latest/ug/clusters/update-cluster.adoc b/latest/ug/clusters/update-cluster.adoc index 22041ff79..81990bd61 100644 --- a/latest/ug/clusters/update-cluster.adoc +++ b/latest/ug/clusters/update-cluster.adoc @@ -242,7 +242,4 @@ kubectl apply -f https://raw.githubusercontent.com/NVIDIA/k8s-device-plugin/vX.X [#downgrade-cluster] == Downgrade the [.noloc]`Kubernetes` version for an Amazon EKS cluster -You cannot downgrade the [.noloc]`Kubernetes` of an Amazon EKS cluster. Instead, create a new cluster on a previous Amazon EKS version and migrate the workloads. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23update-cluster%5D&type=code[Edit this page on GitHub] \ No newline at end of file +You cannot downgrade the [.noloc]`Kubernetes` of an Amazon EKS cluster. Instead, create a new cluster on a previous Amazon EKS version and migrate the workloads. \ No newline at end of file diff --git a/latest/ug/clusters/view-support-status.adoc b/latest/ug/clusters/view-support-status.adoc index 37269058e..162465a7b 100644 --- a/latest/ug/clusters/view-support-status.adoc +++ b/latest/ug/clusters/view-support-status.adoc @@ -18,7 +18,4 @@ For more information about standard and extended support, see < \ --query "cluster.upgradePolicy.supportType" ---- -. If the value is `STANDARD`, your cluster will not enter extended support. If the value is `EXTENDED`, your cluster will enter extended support. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23view-upgrade-policy%5D&type=code[Edit this page on GitHub] \ No newline at end of file +. If the value is `STANDARD`, your cluster will not enter extended support. If the value is `EXTENDED`, your cluster will enter extended support. \ No newline at end of file diff --git a/latest/ug/clusters/windows-support.adoc b/latest/ug/clusters/windows-support.adoc index 66c485da2..70ea2a131 100644 --- a/latest/ug/clusters/windows-support.adoc +++ b/latest/ug/clusters/windows-support.adoc @@ -164,7 +164,4 @@ You can enable higher [.noloc]`Pod` density on Windows nodes by enabling IP pref (Number of private IPv4 addresses assigned to the interface attached to the node - 1) * 16 ---- -With this significantly larger number of available IP addresses, available IP addresses shouldn't limit your ability to scale the number of [.noloc]`Pods` on your nodes. For more information, see <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23windows-support%5D&type=code[Edit this page on GitHub] \ No newline at end of file +With this significantly larger number of available IP addresses, available IP addresses shouldn't limit your ability to scale the number of [.noloc]`Pods` on your nodes. For more information, see <>. \ No newline at end of file diff --git a/latest/ug/clusters/zone-shift-enable.adoc b/latest/ug/clusters/zone-shift-enable.adoc index 72a7478f6..ba629073b 100644 --- a/latest/ug/clusters/zone-shift-enable.adoc +++ b/latest/ug/clusters/zone-shift-enable.adoc @@ -64,7 +64,4 @@ If you want {aws} to detect and avoid impaired availability zones, you need to c == Next Steps * Learn how to link:r53recovery/latest/dg/arc-zonal-autoshift.start-cancel.html["enable zonal autoshift",type="documentation"] -* Learn how to manually link:r53recovery/latest/dg/arc-zonal-shift.start-cancel.html["start a zonal shift",type="documentation"] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23zone-shift-enable%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* Learn how to manually link:r53recovery/latest/dg/arc-zonal-shift.start-cancel.html["start a zonal shift",type="documentation"] \ No newline at end of file diff --git a/latest/ug/clusters/zone-shift.adoc b/latest/ug/clusters/zone-shift.adoc index 01f7bf934..f633f5738 100644 --- a/latest/ug/clusters/zone-shift.adoc +++ b/latest/ug/clusters/zone-shift.adoc @@ -272,7 +272,4 @@ You can use ARC zonal shift and zonal autoshift in your EKS cluster at no additi * link:r53recovery/latest/dg/arc-zonal-shift.resource-types.html["Resources and scenarios supported for zonal shift and zonal autoshift",type="documentation"] * link:containers/operating-resilient-workloads-on-amazon-eks["Operating resilient workloads on Amazon EKS",type="blog"] * link:containers/eliminate-kubernetes-node-scaling-lag-with-pod-priority-and-over-provisioning["Eliminate Kubernetes node scaling lag with pod priority and over-provisioning",type="blog"] -* <> - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23zone-shift%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* <> \ No newline at end of file diff --git a/latest/ug/connector/connecting-cluster.adoc b/latest/ug/connector/connecting-cluster.adoc index 9452a64f4..d243406be 100644 --- a/latest/ug/connector/connecting-cluster.adoc +++ b/latest/ug/connector/connecting-cluster.adoc @@ -209,7 +209,4 @@ The output should include `status=ACTIVE`. If you have any issues with these steps, see <>. -To grant additional link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"] access to the Amazon EKS console to view [.noloc]`Kubernetes` resources in a connected cluster, see <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23connecting-cluster%5D&type=code[Edit this page on GitHub] \ No newline at end of file +To grant additional link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"] access to the Amazon EKS console to view [.noloc]`Kubernetes` resources in a connected cluster, see <>. \ No newline at end of file diff --git a/latest/ug/connector/connector-grant-access.adoc b/latest/ug/connector/connector-grant-access.adoc index b4defcffc..0e6050a8f 100644 --- a/latest/ug/connector/connector-grant-access.adoc +++ b/latest/ug/connector/connector-grant-access.adoc @@ -67,7 +67,4 @@ curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/eks-connector/manifests/ek kubectl apply -f eks-connector-console-dashboard-full-access-group.yaml ---- -To view [.noloc]`Kubernetes` resources in your connected cluster, see <>. Data for some resource types on the *Resources* tab isn't available for connected clusters. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23connector-grant-access%5D&type=code[Edit this page on GitHub] \ No newline at end of file +To view [.noloc]`Kubernetes` resources in your connected cluster, see <>. Data for some resource types on the *Resources* tab isn't available for connected clusters. \ No newline at end of file diff --git a/latest/ug/connector/deregister-connected-cluster.adoc b/latest/ug/connector/deregister-connected-cluster.adoc index 2dd548cd1..14d3ab89f 100644 --- a/latest/ug/connector/deregister-connected-cluster.adoc +++ b/latest/ug/connector/deregister-connected-cluster.adoc @@ -86,7 +86,4 @@ helm -n eks-connector uninstall eks-connector ---- kubectl delete -f eks-connector.yaml ---- -. If you created `clusterrole` or `clusterrolebindings` for additional link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"] to access the cluster, delete them from your [.noloc]`Kubernetes` cluster. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23deregister-connected-cluster%5D&type=code[Edit this page on GitHub] \ No newline at end of file +. If you created `clusterrole` or `clusterrolebindings` for additional link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"] to access the cluster, delete them from your [.noloc]`Kubernetes` cluster. \ No newline at end of file diff --git a/latest/ug/connector/eks-connector.adoc b/latest/ug/connector/eks-connector.adoc index b14ec0fa5..7416c0ce5 100644 --- a/latest/ug/connector/eks-connector.adoc +++ b/latest/ug/connector/eks-connector.adoc @@ -81,7 +81,4 @@ include::troubleshooting-connector.adoc[leveloffset=+1] include::tsc-faq.adoc[leveloffset=+1] -include::security-connector.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-connector%5D&type=code[Edit this page on GitHub] \ No newline at end of file +include::security-connector.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/connector/security-connector.adoc b/latest/ug/connector/security-connector.adoc index 7dea9668d..546e59f85 100644 --- a/latest/ug/connector/security-connector.adoc +++ b/latest/ug/connector/security-connector.adoc @@ -35,7 +35,4 @@ This topic describes the differences in the responsibility model if the connecte * Configuring role-based access control (RBAC) permissions to manage link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] access from {aws}. For instructions, see <>. * Installing and upgrading Amazon EKS Connector. * Maintaining the hardware, software, and infrastructure that supports the connected [.noloc]`Kubernetes` cluster. -* Securing their {aws} accounts (for example, through safeguarding your link:IAM/latest/UserGuide/best-practices.html#lock-away-credentials[root user credentials,type="documentation"]). - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23security-connector%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* Securing their {aws} accounts (for example, through safeguarding your link:IAM/latest/UserGuide/best-practices.html#lock-away-credentials[root user credentials,type="documentation"]). \ No newline at end of file diff --git a/latest/ug/connector/troubleshooting-connector.adoc b/latest/ug/connector/troubleshooting-connector.adoc index 77a153292..dc168d7df 100644 --- a/latest/ug/connector/troubleshooting-connector.adoc +++ b/latest/ug/connector/troubleshooting-connector.adoc @@ -268,7 +268,4 @@ NAME READY STATUS RESTARTS AGE eks-connector-0 0/2 Init:ImagePullBackOff 0 4s ---- -The default Amazon EKS Connector manifest file references images from the https://gallery.ecr.aws/[Amazon ECR Public Gallery]. It's possible that the target [.noloc]`Kubernetes` cluster can't pull images from the Amazon ECR Public Gallery. Either resolve the Amazon ECR Public Gallery image pull issue, or consider mirroring the images in the private container registry of your choice. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23troubleshooting-connector%5D&type=code[Edit this page on GitHub] \ No newline at end of file +The default Amazon EKS Connector manifest file references images from the https://gallery.ecr.aws/[Amazon ECR Public Gallery]. It's possible that the target [.noloc]`Kubernetes` cluster can't pull images from the Amazon ECR Public Gallery. Either resolve the Amazon ECR Public Gallery image pull issue, or consider mirroring the images in the private container registry of your choice. \ No newline at end of file diff --git a/latest/ug/connector/tsc-faq.adoc b/latest/ug/connector/tsc-faq.adoc index 6579a6cd3..698da85f0 100644 --- a/latest/ug/connector/tsc-faq.adoc +++ b/latest/ug/connector/tsc-faq.adoc @@ -20,7 +20,4 @@ A: No, you don't need to open any firewall ports. The [.noloc]`Kubernetes` clust A: The Amazon EKS Connector sends technical information that's necessary for your cluster to be registered on {aws}. It also sends cluster and workload metadata for the Amazon EKS console features that customers request. The Amazon EKS Connector only gathers or sends this data if you start an action from the Amazon EKS console or the Amazon EKS API that necessitates the data to be sent to {aws}. Other than the [.noloc]`Kubernetes` version number, {aws} doesn't store any data by default. It stores data only if you authorize it to. .Q: Can I connect a cluster outside of an {aws} Region? -A: Yes, you can connect a cluster from any location to Amazon EKS. Moreover, your Amazon EKS service can be located in any {aws} public commercial {aws} Region. This works with a valid network connection from your cluster to the target {aws} Region. We recommend that you pick an {aws} Region that is closest to your cluster location for UI performance optimization. For example, if you have a cluster running in Tokyo, connect your cluster to the {aws} Region in Tokyo (that is, the `ap-northeast-1` {aws} Region) for low latency. You can connect a cluster from any location to Amazon EKS in any of the public commercial {aws} Regions, except the China or GovCloud {aws} Regions. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23tsc-faq%5D&type=code[Edit this page on GitHub] \ No newline at end of file +A: Yes, you can connect a cluster from any location to Amazon EKS. Moreover, your Amazon EKS service can be located in any {aws} public commercial {aws} Region. This works with a valid network connection from your cluster to the target {aws} Region. We recommend that you pick an {aws} Region that is closest to your cluster location for UI performance optimization. For example, if you have a cluster running in Tokyo, connect your cluster to the {aws} Region in Tokyo (that is, the `ap-northeast-1` {aws} Region) for low latency. You can connect a cluster from any location to Amazon EKS in any of the public commercial {aws} Regions, except the China or GovCloud {aws} Regions. \ No newline at end of file diff --git a/latest/ug/contribute/asciidoc-syntax.adoc b/latest/ug/contribute/asciidoc-syntax.adoc index 57c2dc6f5..99d3d076f 100644 --- a/latest/ug/contribute/asciidoc-syntax.adoc +++ b/latest/ug/contribute/asciidoc-syntax.adoc @@ -131,7 +131,4 @@ NOTE: This is a note admonition. [source,asciidoc] ---- include::filename.adoc[] ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23asciidoc-syntax%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/contribute/contribute.adoc b/latest/ug/contribute/contribute.adoc index 2c79cebff..9d872cbb7 100644 --- a/latest/ug/contribute/contribute.adoc +++ b/latest/ug/contribute/contribute.adoc @@ -38,7 +38,4 @@ include::pr-preview.adoc[leveloffset=+1] include::asciidoc-syntax.adoc[leveloffset=+1] -//include::pr-status.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23contribute%5D&type=code[Edit this page on GitHub] \ No newline at end of file +//include::pr-status.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/contribute/create-content-q.adoc b/latest/ug/contribute/create-content-q.adoc index e579c9b52..bc62a0235 100644 --- a/latest/ug/contribute/create-content-q.adoc +++ b/latest/ug/contribute/create-content-q.adoc @@ -48,7 +48,4 @@ image::images/contribute-q.png["Amazon Q in VS Code"] * Create a first draft of the page headings, then ask Q to fill them in. * Amazon Q might output Markdown. This is fine. The AsciiDoc tooling can understand most markdown syntax. -To learn more about Amazon Q Developer, see link:amazonq/latest/qdeveloper-ug/q-in-IDE.html["Using Amazon Q Developer in the IDE",type="documentation"]. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23create-content-q%5D&type=code[Edit this page on GitHub] \ No newline at end of file +To learn more about Amazon Q Developer, see link:amazonq/latest/qdeveloper-ug/q-in-IDE.html["Using Amazon Q Developer in the IDE",type="documentation"]. \ No newline at end of file diff --git a/latest/ug/contribute/create-page.adoc b/latest/ug/contribute/create-page.adoc index ffeb2e611..73e178ecc 100644 --- a/latest/ug/contribute/create-page.adoc +++ b/latest/ug/contribute/create-page.adoc @@ -27,7 +27,4 @@ image::images/contribute-new-page.png["New page metadata"] + _For example:_ + -`include::create-page.adoc[leveloffset=+1]` - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23create-page%5D&type=code[Edit this page on GitHub] \ No newline at end of file +`include::create-page.adoc[leveloffset=+1]` \ No newline at end of file diff --git a/latest/ug/contribute/edit-single-web.adoc b/latest/ug/contribute/edit-single-web.adoc index 8989d9680..2479fce28 100644 --- a/latest/ug/contribute/edit-single-web.adoc +++ b/latest/ug/contribute/edit-single-web.adoc @@ -21,7 +21,7 @@ If you want to edit multiple pages from your web browser, see <>. . Navigate to the page you want to edit in the Amazon EKS User Guide. -. Choose the 📝 *Edit this page on GitHub* link located at the bottom of the page. +. In the right pane, choose the *Edit this page on GitHub* link. . Once on GitHub, open the editor by either: ** Pressing the `e` key on your keyboard. @@ -58,7 +58,4 @@ When you create a PR: Pull requests help ensure quality and provide a way to discuss changes before they are integrated. -https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews[Learn how pull requests are reviewed and approved in the GitHub Docs.] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23edit-single-web%5D&type=code[Edit this page on GitHub] \ No newline at end of file +https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews[Learn how pull requests are reviewed and approved in the GitHub Docs.] \ No newline at end of file diff --git a/latest/ug/contribute/edit-web.adoc b/latest/ug/contribute/edit-web.adoc index 1e269803e..4db5fc035 100644 --- a/latest/ug/contribute/edit-web.adoc +++ b/latest/ug/contribute/edit-web.adoc @@ -31,7 +31,4 @@ NOTE: The EKS Docs team has created a workspace file that includes suggested con ** https://code.visualstudio.com/docs/sourcecontrol/overview#_commit[Commit changes] ** https://code.visualstudio.com/docs/sourcecontrol/github#_creating-pull-requests[Create a pull request] -After you create a pull request, it will be reviewed by the docs team. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23edit-web%5D&type=code[Edit this page on GitHub] \ No newline at end of file +After you create a pull request, it will be reviewed by the docs team. \ No newline at end of file diff --git a/latest/ug/contribute/insert-link.adoc b/latest/ug/contribute/insert-link.adoc index b76ec93bd..4ec236f25 100644 --- a/latest/ug/contribute/insert-link.adoc +++ b/latest/ug/contribute/insert-link.adoc @@ -34,7 +34,4 @@ This format creates a standard link out to the internet. Use this for Non-Amazon `link` `:https://example.com[Visit Example Site]` -NOTE: We allowlist external domains. The allowlist is at `vale/styles/EksDocs/ExternalDomains.yml` - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23insert-link%5D&type=code[Edit this page on GitHub] \ No newline at end of file +NOTE: We allowlist external domains. The allowlist is at `vale/styles/EksDocs/ExternalDomains.yml` \ No newline at end of file diff --git a/latest/ug/contribute/pr-preview.adoc b/latest/ug/contribute/pr-preview.adoc index 8cde9c7fd..8edb46725 100644 --- a/latest/ug/contribute/pr-preview.adoc +++ b/latest/ug/contribute/pr-preview.adoc @@ -35,7 +35,4 @@ The preview is built as a single large HTML file. It will be displayed as multip *What doesn't work:* * Links to other {aws} content, using `type="documentation"`. This is because this content doesn't exist in the preview environment. -* The attribute `\{aws}` will not display properly. The value of this changes based on the environment. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pr-preview%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* The attribute `\{aws}` will not display properly. The value of this changes based on the environment. \ No newline at end of file diff --git a/latest/ug/contribute/pr-status.adoc b/latest/ug/contribute/pr-status.adoc index e225016ed..7ce0bf8cf 100644 --- a/latest/ug/contribute/pr-status.adoc +++ b/latest/ug/contribute/pr-status.adoc @@ -74,7 +74,4 @@ Use the GitHub CLI to pull the changes locally. * Commit changes: `git commit -m "your commit message"` * Push to GitHub: `git push` -The pull request will automatically update with your new changes. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pr-status%5D&type=code[Edit this page on GitHub] \ No newline at end of file +The pull request will automatically update with your new changes. \ No newline at end of file diff --git a/latest/ug/contribute/vale-github.adoc b/latest/ug/contribute/vale-github.adoc index fbea99bee..076817939 100644 --- a/latest/ug/contribute/vale-github.adoc +++ b/latest/ug/contribute/vale-github.adoc @@ -26,7 +26,4 @@ The style check: When you update a pull request, the Vale check runs again. -Learn how to https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request#making-changes-to-files-in-your-pull-request[Make changes to files in your pull request] in the GitHub docs. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23vale-github%5D&type=code[Edit this page on GitHub] \ No newline at end of file +Learn how to https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request#making-changes-to-files-in-your-pull-request[Make changes to files in your pull request] in the GitHub docs. \ No newline at end of file diff --git a/latest/ug/contribute/vale-local.adoc b/latest/ug/contribute/vale-local.adoc index 8001938ee..6fa1fd8bd 100644 --- a/latest/ug/contribute/vale-local.adoc +++ b/latest/ug/contribute/vale-local.adoc @@ -49,7 +49,4 @@ vale sync . The Vale extension will automatically check your text against the style rules. . Style issues will be underlined in the editor. . Hover over underlined text to see the specific style suggestion. -. Fix issues by following the suggestions or consulting the style guide. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23vale-local%5D&type=code[Edit this page on GitHub] \ No newline at end of file +. Fix issues by following the suggestions or consulting the style guide. \ No newline at end of file diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index d56117a13..d69ffd78a 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -1891,7 +1891,4 @@ Initial documentation for service launch [.update-history] |=== -|=== - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23doc-history%5D&type=code[Edit this page on GitHub] \ No newline at end of file +|=== \ No newline at end of file diff --git a/latest/ug/getting-started/getting-started-automode.adoc b/latest/ug/getting-started/getting-started-automode.adoc index be641dc57..b4aa086a9 100644 --- a/latest/ug/getting-started/getting-started-automode.adoc +++ b/latest/ug/getting-started/getting-started-automode.adoc @@ -23,7 +23,4 @@ that include setting up components to: * Regularly upgrade the cluster itself (control plane), node operating systems, and services running on nodes. * Choose default settings that determine things like the size and speed of node storage and Pod network configuration. -For details on what you get with EKS Auto Mode clusters, see <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23getting-started-automode%5D&type=code[Edit this page on GitHub] \ No newline at end of file +For details on what you get with EKS Auto Mode clusters, see <>. \ No newline at end of file diff --git a/latest/ug/getting-started/getting-started-console.adoc b/latest/ug/getting-started/getting-started-console.adoc index a69b5ca51..285b01371 100644 --- a/latest/ug/getting-started/getting-started-console.adoc +++ b/latest/ug/getting-started/getting-started-console.adoc @@ -285,7 +285,4 @@ The following documentation topics help you to extend the functionality of your * The link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that created the cluster is the only principal that can make calls to the [.noloc]`Kubernetes` API server with `kubectl` or the {aws-management-console}. If you want other IAM principals to have access to your cluster, then you need to add them. For more information, see <> and <>. * Deploy a <> to your cluster. * Before deploying a cluster for production use, we recommend familiarizing yourself with all of the settings for <> and <>. Some settings (such as enabling SSH access to Amazon EC2 nodes) must be made when the cluster is created. -* To increase security for your cluster, <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23getting-started-console%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* To increase security for your cluster, <>. \ No newline at end of file diff --git a/latest/ug/getting-started/getting-started-eksctl.adoc b/latest/ug/getting-started/getting-started-eksctl.adoc index 442482347..464d4a64e 100644 --- a/latest/ug/getting-started/getting-started-eksctl.adoc +++ b/latest/ug/getting-started/getting-started-eksctl.adoc @@ -170,7 +170,4 @@ The following documentation topics help you to extend the functionality of your * Deploy a <> to your cluster. * The link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that created the cluster is the only principal that can make calls to the [.noloc]`Kubernetes` API server with `kubectl` or the {aws-management-console}. If you want other IAM principals to have access to your cluster, then you need to add them. For more information, see <> and <>. * Before deploying a cluster for production use, we recommend familiarizing yourself with all of the settings for <> and <>. Some settings (such as enabling SSH access to Amazon EC2 nodes) must be made when the cluster is created. -* To increase security for your cluster, <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23getting-started-eksctl%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* To increase security for your cluster, <>. \ No newline at end of file diff --git a/latest/ug/getting-started/getting-started.adoc b/latest/ug/getting-started/getting-started.adoc index 2085ce715..ae31a654a 100644 --- a/latest/ug/getting-started/getting-started.adoc +++ b/latest/ug/getting-started/getting-started.adoc @@ -39,7 +39,4 @@ include::getting-started-automode.adoc[leveloffset=+1] include::getting-started-eksctl.adoc[leveloffset=+1] -include::getting-started-console.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23getting-started%5D&type=code[Edit this page on GitHub] \ No newline at end of file +include::getting-started-console.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/getting-started/install-awscli.adoc b/latest/ug/getting-started/install-awscli.adoc index 000198154..4b4e667d1 100644 --- a/latest/ug/getting-started/install-awscli.adoc +++ b/latest/ug/getting-started/install-awscli.adoc @@ -106,7 +106,4 @@ This command returns the Amazon Resource Name (ARN) of the IAM entity that's con == Next steps * <> -* <> - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23install-awscli%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* <> \ No newline at end of file diff --git a/latest/ug/getting-started/install-kubectl.adoc b/latest/ug/getting-started/install-kubectl.adoc index ead31f99c..18a09a66f 100644 --- a/latest/ug/getting-started/install-kubectl.adoc +++ b/latest/ug/getting-started/install-kubectl.adoc @@ -805,7 +805,4 @@ aws sts get-caller-identity [#install-kubectl-next-steps] == Next steps -* <> - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23install-kubectl%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* <> \ No newline at end of file diff --git a/latest/ug/getting-started/learn-eks.adoc b/latest/ug/getting-started/learn-eks.adoc index 9c6b6d2b7..e07ce9632 100644 --- a/latest/ug/getting-started/learn-eks.adoc +++ b/latest/ug/getting-started/learn-eks.adoc @@ -151,7 +151,4 @@ While `eksctl` is a simple tool for creating a cluster, for more complex infrast * Securing Amazon EKS with {aws} IAM and Kubernetes RBAC authorization * GitOps automation tools * Monitoring tools -* Techniques for improving cost, efficiency, and resiliency - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23learn-eks%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* Techniques for improving cost, efficiency, and resiliency \ No newline at end of file diff --git a/latest/ug/getting-started/setting-up.adoc b/latest/ug/getting-started/setting-up.adoc index 5e7e16356..65af5b777 100644 --- a/latest/ug/getting-started/setting-up.adoc +++ b/latest/ug/getting-started/setting-up.adoc @@ -41,7 +41,4 @@ To prepare for the command-line management of your Amazon EKS clusters, you need include::install-awscli.adoc[leveloffset=+1] -include::install-kubectl.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23setting-up%5D&type=code[Edit this page on GitHub] \ No newline at end of file +include::install-kubectl.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/integrations/creating-resources-with-cloudformation.adoc b/latest/ug/integrations/creating-resources-with-cloudformation.adoc index 117e5d22a..cfdcde846 100644 --- a/latest/ug/integrations/creating-resources-with-cloudformation.adoc +++ b/latest/ug/integrations/creating-resources-with-cloudformation.adoc @@ -29,7 +29,4 @@ To learn more about {aws} CloudFormation, see the following resources: * link:cloudformation/[{aws} CloudFormation,type="marketing"] * link:AWSCloudFormation/latest/UserGuide/Welcome.html[{aws} CloudFormation User Guide,type="documentation"] -* link:cloudformation-cli/latest/userguide/what-is-cloudformation-cli.html[{aws} CloudFormation Command Line Interface User Guide,type="documentation"] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23creating-resources-with-cloudformation%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* link:cloudformation-cli/latest/userguide/what-is-cloudformation-cli.html[{aws} CloudFormation Command Line Interface User Guide,type="documentation"] \ No newline at end of file diff --git a/latest/ug/integrations/eks-integrations.adoc b/latest/ug/integrations/eks-integrations.adoc index ef4bcf0b8..8716e18d3 100644 --- a/latest/ug/integrations/eks-integrations.adoc +++ b/latest/ug/integrations/eks-integrations.adoc @@ -28,7 +28,4 @@ include::integration-securitylake.adoc[leveloffset=+1] include::integration-vpc-lattice.adoc[leveloffset=+1] -include::local-zones.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-integrations%5D&type=code[Edit this page on GitHub] \ No newline at end of file +include::local-zones.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/integrations/integration-detective.adoc b/latest/ug/integrations/integration-detective.adoc index 2d2bc8e54..85c41bab3 100644 --- a/latest/ug/integrations/integration-detective.adoc +++ b/latest/ug/integrations/integration-detective.adoc @@ -32,7 +32,4 @@ Before you can review findings, Detective must be enabled for at least 48 hours . From the left navigation pane, select *Search*. . Select *Choose type* and then select *EKS cluster*. . Enter the cluster name or ARN and then choose *Search*. -. In the search results, choose the name of the cluster that you want to view activity for. For more information about what you can view, see link:detective/latest/userguide/profile-panel-drilldown-kubernetes-api-volume.html[Overall Kubernetes API activity involving an Amazon EKS cluster,type="documentation"] in the _Amazon Detective User Guide_. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23integration-detective%5D&type=code[Edit this page on GitHub] \ No newline at end of file +. In the search results, choose the name of the cluster that you want to view activity for. For more information about what you can view, see link:detective/latest/userguide/profile-panel-drilldown-kubernetes-api-volume.html[Overall Kubernetes API activity involving an Amazon EKS cluster,type="documentation"] in the _Amazon Detective User Guide_. \ No newline at end of file diff --git a/latest/ug/integrations/integration-guardduty.adoc b/latest/ug/integrations/integration-guardduty.adoc index 4d7324783..dc52a22a3 100644 --- a/latest/ug/integrations/integration-guardduty.adoc +++ b/latest/ug/integrations/integration-guardduty.adoc @@ -31,7 +31,4 @@ When you enable _Runtime Monitoring_ and install the GuardDuty agent in your Ama + To configure _Runtime Monitoring_, you install the GuardDuty agent to your cluster as an _Amazon EKS add-on_. For more information the add-on, see <>. + -For more information, see link:guardduty/latest/ug/runtime-monitoring.html[Runtime Monitoring,type="documentation"] in the Amazon GuardDuty User Guide. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23integration-guardduty%5D&type=code[Edit this page on GitHub] \ No newline at end of file +For more information, see link:guardduty/latest/ug/runtime-monitoring.html[Runtime Monitoring,type="documentation"] in the Amazon GuardDuty User Guide. \ No newline at end of file diff --git a/latest/ug/integrations/integration-resilience-hub.adoc b/latest/ug/integrations/integration-resilience-hub.adoc index 90de97468..d1159e62b 100644 --- a/latest/ug/integrations/integration-resilience-hub.adoc +++ b/latest/ug/integrations/integration-resilience-hub.adoc @@ -5,7 +5,4 @@ include::../attributes.txt[] = Assess EKS cluster resiliency with {aws} Resilience Hub :info_titleabbrev: {aws} Resilience Hub -{aws} Resilience Hub assesses the resiliency of an Amazon EKS cluster by analyzing its infrastructure. {aws} Resilience Hub uses the [.noloc]`Kubernetes` role-based access control (RBAC) configuration to assess the [.noloc]`Kubernetes` workloads deployed to your cluster. For more information, see link:resilience-hub/latest/userguide/enabling-eks-in-arh.html[Enabling {aws} Resilience Hub access to your Amazon EKS cluster,type="documentation"] in the {aws} Resilience Hub User Guide. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23integration-resilience-hub%5D&type=code[Edit this page on GitHub] \ No newline at end of file +{aws} Resilience Hub assesses the resiliency of an Amazon EKS cluster by analyzing its infrastructure. {aws} Resilience Hub uses the [.noloc]`Kubernetes` role-based access control (RBAC) configuration to assess the [.noloc]`Kubernetes` workloads deployed to your cluster. For more information, see link:resilience-hub/latest/userguide/enabling-eks-in-arh.html[Enabling {aws} Resilience Hub access to your Amazon EKS cluster,type="documentation"] in the {aws} Resilience Hub User Guide. \ No newline at end of file diff --git a/latest/ug/integrations/integration-securitylake.adoc b/latest/ug/integrations/integration-securitylake.adoc index 7b796f111..3fbcc917a 100644 --- a/latest/ug/integrations/integration-securitylake.adoc +++ b/latest/ug/integrations/integration-securitylake.adoc @@ -45,7 +45,4 @@ For more information about using Security Lake with Amazon EKS and setting up da Security Lake normalizes EKS log events to the OCSF format, making it easier to analyze and correlate the data with other security events. You can use various tools and services, such as Amazon Athena, Amazon QuickSight, or third-party security analytics tools, to query and visualize the normalized data. -For more information about the OCSF mapping for EKS log events, refer to the https://github.com/ocsf/examples/tree/main/mappings/markdown/{aws}/v1.1.0/EKS Audit Logs[mapping reference] in the OCSF GitHub repository. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23integration-securitylake%5D&type=code[Edit this page on GitHub] \ No newline at end of file +For more information about the OCSF mapping for EKS log events, refer to the https://github.com/ocsf/examples/tree/main/mappings/markdown/{aws}/v1.1.0/EKS Audit Logs[mapping reference] in the OCSF GitHub repository. \ No newline at end of file diff --git a/latest/ug/integrations/integration-vpc-lattice.adoc b/latest/ug/integrations/integration-vpc-lattice.adoc index cb56bf0db..be57d0531 100644 --- a/latest/ug/integrations/integration-vpc-lattice.adoc +++ b/latest/ug/integrations/integration-vpc-lattice.adoc @@ -5,7 +5,4 @@ include::../attributes.txt[] -Amazon VPC Lattice is a fully managed application networking service built directly into the {aws} networking infrastructure that you can use to connect, secure, and monitor your services across multiple accounts and Virtual Private Clouds (VPCs). With Amazon EKS, you can leverage Amazon VPC Lattice through the use of the {aws} Gateway API Controller, an implementation of the Kubernetes https://gateway-api.sigs.k8s.io/[Gateway API]. Using Amazon VPC Lattice, you can set up cross-cluster connectivity with standard [.noloc]`Kubernetes` semantics in a simple and consistent manner. To get started using Amazon VPC Lattice with Amazon EKS see the https://www.gateway-api-controller.eks.aws.dev/[{aws} Gateway API Controller User Guide]. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23integration-vpc-lattice%5D&type=code[Edit this page on GitHub] \ No newline at end of file +Amazon VPC Lattice is a fully managed application networking service built directly into the {aws} networking infrastructure that you can use to connect, secure, and monitor your services across multiple accounts and Virtual Private Clouds (VPCs). With Amazon EKS, you can leverage Amazon VPC Lattice through the use of the {aws} Gateway API Controller, an implementation of the Kubernetes https://gateway-api.sigs.k8s.io/[Gateway API]. Using Amazon VPC Lattice, you can set up cross-cluster connectivity with standard [.noloc]`Kubernetes` semantics in a simple and consistent manner. To get started using Amazon VPC Lattice with Amazon EKS see the https://www.gateway-api-controller.eks.aws.dev/[{aws} Gateway API Controller User Guide]. \ No newline at end of file diff --git a/latest/ug/integrations/local-zones.adoc b/latest/ug/integrations/local-zones.adoc index 69dec8df2..dc1ced287 100644 --- a/latest/ug/integrations/local-zones.adoc +++ b/latest/ug/integrations/local-zones.adoc @@ -12,7 +12,4 @@ Amazon EKS supports certain resources in Local Zones. This includes <>. -* Unlike regional subnets, Amazon EKS can't place network interfaces into your Local Zone subnets. This means that you must not specify Local Zone subnets when you create your cluster. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23local-zones%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* Unlike regional subnets, Amazon EKS can't place network interfaces into your Local Zone subnets. This means that you must not specify Local Zone subnets when you create your cluster. \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/associate-service-account-role.adoc b/latest/ug/manage-access/aws-access/associate-service-account-role.adoc index 82b135d20..4adb29f70 100644 --- a/latest/ug/manage-access/aws-access/associate-service-account-role.adoc +++ b/latest/ug/manage-access/aws-access/associate-service-account-role.adoc @@ -276,7 +276,4 @@ Tokens: my-service-account-token-qqjfl == Next steps -* <> - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23associate-service-account-role%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* <> \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc b/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc index e97b0d62f..2eeea12c3 100644 --- a/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc +++ b/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc @@ -149,7 +149,4 @@ An example output is as follows. [source,bash,subs="verbatim,attributes"] ---- AWS_STS_REGIONAL_ENDPOINTS=regional ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23configure-sts-endpoint%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/cross-account-access.adoc b/latest/ug/manage-access/aws-access/cross-account-access.adoc index 719ea7ac6..734483a00 100644 --- a/latest/ug/manage-access/aws-access/cross-account-access.adoc +++ b/latest/ug/manage-access/aws-access/cross-account-access.adoc @@ -107,7 +107,4 @@ role_arn={arn-aws}iam::111122223333:role/account-a-role To specify chained profiles for other {aws} SDKs, consult the documentation for the SDK that you're using. For more information, see link:developer/tools/[Tools to Build on {aws},type="marketing"]. -==== - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cross-account-access%5D&type=code[Edit this page on GitHub] \ No newline at end of file +==== \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc b/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc index 79364b1e9..e1c03823c 100644 --- a/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc @@ -82,7 +82,4 @@ To complete this step, you can run the command outside the VPC, for example in { Next step: -<> - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23enable-iam-roles-for-service-accounts%5D&type=code[Edit this page on GitHub] \ No newline at end of file +<> \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc index 146344663..ed6b1b8f3 100644 --- a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc +++ b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc @@ -29,7 +29,4 @@ When using <>, th Many popular [.noloc]`Kubernetes` add-ons, such as the https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler[Cluster Autoscaler], the <>, and the <> support IAM roles for service accounts. -To ensure that you're using a supported SDK, follow the installation instructions for your preferred SDK at link:tools/[Tools to Build on {aws},type="marketing"] when you build your containers. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23iam-roles-for-service-accounts-minimum-sdk%5D&type=code[Edit this page on GitHub] \ No newline at end of file +To ensure that you're using a supported SDK, follow the installation instructions for your preferred SDK at link:tools/[Tools to Build on {aws},type="marketing"] when you build your containers. \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc index 9ea11ceaa..6e2ab8fae 100644 --- a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc @@ -67,7 +67,4 @@ include::cross-account-access.adoc[leveloffset=+1] include::iam-roles-for-service-accounts-minimum-sdk.adoc[leveloffset=+1] -include::irsa-fetch-keys.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23iam-roles-for-service-accounts%5D&type=code[Edit this page on GitHub] \ No newline at end of file +include::irsa-fetch-keys.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc b/latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc index b42481288..ad6878928 100644 --- a/latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc +++ b/latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc @@ -38,7 +38,4 @@ IMPORTANT: Amazon EKS rotates the [.noloc]`OIDC` signing key every seven days. ---- $ curl https://oidc.eks.us-west-2.amazonaws.com/id/8EBDXXXX00BAE/keys {"keys":[{"kty":"RSA","kid":"2284XXXX4a40","use":"sig","alg":"RS256","n":"wklbXXXXMVfQ","e":"AQAB"}]} ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23irsa-fetch-keys%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-configuration.adoc b/latest/ug/manage-access/aws-access/pod-configuration.adoc index d6100000a..e1ad2599d 100644 --- a/latest/ug/manage-access/aws-access/pod-configuration.adoc +++ b/latest/ug/manage-access/aws-access/pod-configuration.adoc @@ -124,7 +124,4 @@ An example output is as follows. ---- Service Account: my-service-account ---- -.. If your [.noloc]`Pods` still can't access services, review the <> that are described in <> to confirm that your role and service account are configured properly. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pod-configuration%5D&type=code[Edit this page on GitHub] \ No newline at end of file +.. If your [.noloc]`Pods` still can't access services, review the <> that are described in <> to confirm that your role and service account are configured properly. \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-id-abac.adoc b/latest/ug/manage-access/aws-access/pod-id-abac.adoc index 69b272ff3..50b1e4969 100644 --- a/latest/ug/manage-access/aws-access/pod-id-abac.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-abac.adoc @@ -81,7 +81,4 @@ Tags added to the session through the `sts:AssumeRole` request take precedence i In this case, the former takes precedence and the value for the `eks-cluster-name` tag will be `my-cluster`. -==== - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pod-id-abac%5D&type=code[Edit this page on GitHub] \ No newline at end of file +==== \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc b/latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc index 1eae29736..8cc86bc28 100644 --- a/latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc @@ -82,7 +82,4 @@ status -- Show the status of the rollout undo -- Undo a previous rollout ---- + -If the rollout takes too long, Amazon EKS will undo the rollout, and a message with the type of *Addon Update* and a status of *Failed* will be added to the *Update history* of the add-on. To investigate any issues, start from the history of the rollout, and run `kubectl logs` on a EKS Pod Identity Agent pod to see the logs of EKS Pod Identity Agent. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pod-id-agent-config-ipv6%5D&type=code[Edit this page on GitHub] \ No newline at end of file +If the rollout takes too long, Amazon EKS will undo the rollout, and a message with the type of *Addon Update* and a status of *Failed* will be added to the *Update history* of the add-on. To investigate any issues, start from the history of the rollout, and run `kubectl logs` on a EKS Pod Identity Agent pod to see the logs of EKS Pod Identity Agent. \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc b/latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc index edcfcb021..484efb32b 100644 --- a/latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc @@ -112,7 +112,4 @@ eks-pod-identity-agent-gmqp7 1/1 Ru eks-pod-identity-agent-prnsh 1/1 Running 1 (24h ago) 24h ---- + -You can now use EKS Pod Identity associations in your cluster. For more information, see <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pod-id-agent-setup%5D&type=code[Edit this page on GitHub] \ No newline at end of file +You can now use EKS Pod Identity associations in your cluster. For more information, see <>. \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-id-association.adoc b/latest/ug/manage-access/aws-access/pod-id-association.adoc index 9bade37e7..7562a080b 100644 --- a/latest/ug/manage-access/aws-access/pod-id-association.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-association.adoc @@ -285,7 +285,4 @@ If you created the example policy in a previous step, then your output is the sa == Next Steps -<> - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pod-id-association%5D&type=code[Edit this page on GitHub] \ No newline at end of file +<> \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc b/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc index af28c8f14..24a52ff92 100644 --- a/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc @@ -93,7 +93,4 @@ An example output is as follows. [source,bash,subs="verbatim,attributes"] ---- Service Account: my-service-account ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pod-id-configure-pods%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc b/latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc index f1868f57f..d72765a9c 100644 --- a/latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc @@ -56,7 +56,4 @@ In contrast, _IAM roles for service accounts_ provides a _web identity_ token th . You use the SDK in your application without specifying a credential provider to use the default credential chain. Or, you specify the container credential provider. For more information about the default locations used, see the link:sdkref/latest/guide/standardized-credentials.html#credentialProviderChain[Credential provider chain,type="documentation"] in the {aws} SDKs and Tools Reference Guide. . The SDK uses the environment variables to connect to the EKS Pod Identity Agent and retrieve the credentials. + -NOTE: If your workloads currently use credentials that are earlier in the chain of credentials, those credentials will continue to be used even if you configure an EKS Pod Identity association for the same workload. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pod-id-how-it-works%5D&type=code[Edit this page on GitHub] \ No newline at end of file +NOTE: If your workloads currently use credentials that are earlier in the chain of credentials, those credentials will continue to be used even if you configure an EKS Pod Identity association for the same workload. \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc b/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc index b114954d1..688c63547 100644 --- a/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc @@ -38,7 +38,4 @@ When using <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pod-id-minimum-sdk%5D&type=code[Edit this page on GitHub] \ No newline at end of file +For a list of add-ons that support EKS Pod Identity, see <>. \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-id-role.adoc b/latest/ug/manage-access/aws-access/pod-id-role.adoc index b90206e5c..490b098fb 100644 --- a/latest/ug/manage-access/aws-access/pod-id-role.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-role.adoc @@ -39,7 +39,4 @@ EKS Pod Identity uses `TagSession` to include _session tags_ in the requests to + You can use these tags in the _condition keys_ in the trust policy to restrict which service accounts, namespaces, and clusters can use this role. + -For a list of Amazon EKS condition keys, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-policy-keys[Conditions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the _Service Authorization Reference_. To learn which actions and resources you can use a condition key with, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"]. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pod-id-role%5D&type=code[Edit this page on GitHub] \ No newline at end of file +For a list of Amazon EKS condition keys, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-policy-keys[Conditions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the _Service Authorization Reference_. To learn which actions and resources you can use a condition key with, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"]. \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-identities.adoc b/latest/ug/manage-access/aws-access/pod-identities.adoc index 76b97706b..f0e16877a 100644 --- a/latest/ug/manage-access/aws-access/pod-identities.adoc +++ b/latest/ug/manage-access/aws-access/pod-identities.adoc @@ -144,6 +144,3 @@ You can't use EKS Pod Identities with: * Pods that run anywhere except Linux Amazon EC2 instances. Linux and Windows pods that run on {aws} Fargate (Fargate) aren't supported. Pods that run on Windows Amazon EC2 instances aren't supported. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pod-identities%5D&type=code[Edit this page on GitHub] diff --git a/latest/ug/manage-access/aws-access/service-accounts.adoc b/latest/ug/manage-access/aws-access/service-accounts.adoc index f74c5b2e0..ff47c473f 100644 --- a/latest/ug/manage-access/aws-access/service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/service-accounts.adoc @@ -120,7 +120,4 @@ At a high level, both EKS Pod Identity and IRSA enables you to grant IAM permiss |EKS versions supported |EKS [.noloc]`Kubernetes` versions `1.24` or later. For the specific platform versions, see <>. |All of the supported EKS cluster versions. -|=== - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23service-accounts%5D&type=code[Edit this page on GitHub] \ No newline at end of file +|=== \ No newline at end of file diff --git a/latest/ug/manage-access/cluster-auth.adoc b/latest/ug/manage-access/cluster-auth.adoc index bdf0c744d..bee9111d8 100644 --- a/latest/ug/manage-access/cluster-auth.adoc +++ b/latest/ug/manage-access/cluster-auth.adoc @@ -72,7 +72,4 @@ include::view-kubernetes-resources.adoc[leveloffset=+1] include::create-kubeconfig.adoc[leveloffset=+1] -include::aws-access/service-accounts.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cluster-auth%5D&type=code[Edit this page on GitHub] \ No newline at end of file +include::aws-access/service-accounts.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/manage-access/create-kubeconfig.adoc b/latest/ug/manage-access/create-kubeconfig.adoc index 0b19bc319..1e3a5a10a 100644 --- a/latest/ug/manage-access/create-kubeconfig.adoc +++ b/latest/ug/manage-access/create-kubeconfig.adoc @@ -59,7 +59,4 @@ NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE svc/kubernetes ClusterIP 10.100.0.1 443/TCP 1m ---- + -If you receive any authorization or resource type errors, see <> in the troubleshooting topic. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23create-kubeconfig%5D&type=code[Edit this page on GitHub] \ No newline at end of file +If you receive any authorization or resource type errors, see <> in the troubleshooting topic. \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/access-entries.adoc b/latest/ug/manage-access/k8s-access/access-entries.adoc index 55405f655..674f19d1a 100644 --- a/latest/ug/manage-access/k8s-access/access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/access-entries.adoc @@ -64,6 +64,3 @@ include::creating-access-entries.adoc[leveloffset=+1] include::updating-access-entries.adoc[leveloffset=+1] include::deleting-access-entries.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23access-entries%5D&type=code[Edit this page on GitHub] diff --git a/latest/ug/manage-access/k8s-access/access-policies.adoc b/latest/ug/manage-access/k8s-access/access-policies.adoc index e34c08062..67f269dd7 100644 --- a/latest/ug/manage-access/k8s-access/access-policies.adoc +++ b/latest/ug/manage-access/k8s-access/access-policies.adoc @@ -151,7 +151,4 @@ aws eks disassociate-access-policy --cluster-name my-cluster --principal-arn {ar --policy-arn {arn-aws}eks::aws:cluster-access-policy/AmazonEKSAdminPolicy ---- -To list available access policies, see <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23access-policies%5D&type=code[Edit this page on GitHub] \ No newline at end of file +To list available access policies, see <>. \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/access-policy-reference.adoc b/latest/ug/manage-access/k8s-access/access-policy-reference.adoc index 1c24dfc1f..80702c29e 100644 --- a/latest/ug/manage-access/k8s-access/access-policy-reference.adoc +++ b/latest/ug/manage-access/k8s-access/access-policy-reference.adoc @@ -600,7 +600,4 @@ View details about updates to access policies, since they were introduced. For a |Access policies introduced. |Amazon EKS introduced access policies. |May 29, 2023 -|=== - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23access-policy-permissions%5D&type=code[Edit this page on GitHub] \ No newline at end of file +|=== \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/auth-configmap.adoc b/latest/ug/manage-access/k8s-access/auth-configmap.adoc index c9e667fb1..14c193080 100644 --- a/latest/ug/manage-access/k8s-access/auth-configmap.adoc +++ b/latest/ug/manage-access/k8s-access/auth-configmap.adoc @@ -366,7 +366,4 @@ NOTE: If you receive any authorization or resource type errors, see <> and https://kubernetes.io/docs/reference/access-authn-authz/rbac/#discovery-roles[API discovery roles] in the [.noloc]`Kubernetes` documentation. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23creating-access-entries%5D&type=code[Edit this page on GitHub] \ No newline at end of file +If you want this user to have more access to your cluster than the permissions in the [.noloc]`Kubernetes` API discovery roles, then you need to associate an access policy to the access entry, since the `--kubernetes-groups` option isn't used. For more information, see <> and https://kubernetes.io/docs/reference/access-authn-authz/rbac/#discovery-roles[API discovery roles] in the [.noloc]`Kubernetes` documentation. \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/deleting-access-entries.adoc b/latest/ug/manage-access/k8s-access/deleting-access-entries.adoc index b00264a34..631cdaafc 100644 --- a/latest/ug/manage-access/k8s-access/deleting-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/deleting-access-entries.adoc @@ -27,7 +27,4 @@ Replace [.replaceable]`my-cluster` with the name of your cluster, [.replaceable] [source,bash,subs="verbatim,attributes"] ---- aws eks delete-access-entry --cluster-name my-cluster --principal-arn {arn-aws}iam::111122223333:role/my-role ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23deleting-access-entries%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc b/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc index 66e1b4170..75125a018 100644 --- a/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc +++ b/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc @@ -8,7 +8,4 @@ include::../../attributes.txt[] If you disassociate an [.noloc]`OIDC` identity provider from your cluster, users included in the provider can no longer access the cluster. However, you can still access the cluster with link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"]. . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. -. In the *[.noloc]`OIDC` Identity Providers* section, select *Disassociate*, enter the identity provider name, and then select `Disassociate`. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23disassociate-oidc-identity-provider%5D&type=code[Edit this page on GitHub] \ No newline at end of file +. In the *[.noloc]`OIDC` Identity Providers* section, select *Disassociate*, enter the identity provider name, and then select `Disassociate`. \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc b/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc index 8a116b27b..85e98299d 100644 --- a/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc +++ b/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc @@ -110,7 +110,4 @@ include::authenticate-oidc-identity-provider.adoc[leveloffset=+1] include::disassociate-oidc-identity-provider.adoc[leveloffset=+1] -//include::access-policy-reference.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23grant-k8s-access%5D&type=code[Edit this page on GitHub] \ No newline at end of file +//include::access-policy-reference.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc b/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc index 5d37cf66c..94cc8cd56 100644 --- a/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc @@ -53,7 +53,4 @@ ARN [source,bash,subs="verbatim,attributes"] ---- eksctl delete iamidentitymapping --arn {arn-aws}iam::111122223333:role/EKS-my-cluster-my-namespace-Viewers --cluster my-cluster ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23migrating-access-entries%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc b/latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc index a6dcc4bd0..1e900ca04 100644 --- a/latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc @@ -69,7 +69,4 @@ To use _access entries_, the cluster must have a platform version that is the sa |`eks.17` |=== -For more information, see <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23setting-up-access-entries%5D&type=code[Edit this page on GitHub] \ No newline at end of file +For more information, see <>. \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/updating-access-entries.adoc b/latest/ug/manage-access/k8s-access/updating-access-entries.adoc index b6af29f49..3a18aab1d 100644 --- a/latest/ug/manage-access/k8s-access/updating-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/updating-access-entries.adoc @@ -31,7 +31,4 @@ Replace [.replaceable]`my-cluster` with the name of your cluster, [.replaceable] aws eks update-access-entry --cluster-name my-cluster --principal-arn {arn-aws}iam::111122223333:role/EKS-my-cluster-my-namespace-Viewers --kubernetes-groups Viewers ---- + -You can't use the `--kubernetes-groups` option if the type of the access entry is a value other than `STANDARD`. You also can't associate an access policy to an access entry with a type other than `STANDARD`. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23updating-access-entries%5D&type=code[Edit this page on GitHub] \ No newline at end of file +You can't use the `--kubernetes-groups` option if the type of the access entry is a value other than `STANDARD`. You also can't associate an access policy to an access entry with a type other than `STANDARD`. \ No newline at end of file diff --git a/latest/ug/manage-access/view-kubernetes-resources.adoc b/latest/ug/manage-access/view-kubernetes-resources.adoc index 834507e3c..9ea9e4cc3 100644 --- a/latest/ug/manage-access/view-kubernetes-resources.adoc +++ b/latest/ug/manage-access/view-kubernetes-resources.adoc @@ -229,7 +229,4 @@ mapUsers: | ---- + IMPORTANT: The role ARN can't include a path such as `role/my-team/developers/my-console-viewer-role`. The format of the ARN must be `{arn-aws}iam::[.replaceable]``111122223333``:role/[.replaceable]``my-console-viewer-role```. In this example, `my-team/developers/` needs to be removed. -. Save the file and exit your text editor. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23view-kubernetes-resources%5D&type=code[Edit this page on GitHub] \ No newline at end of file +. Save the file and exit your text editor. \ No newline at end of file diff --git a/latest/ug/ml/capacity-blocks-mng.adoc b/latest/ug/ml/capacity-blocks-mng.adoc index 840d883c6..934f3c872 100644 --- a/latest/ug/ml/capacity-blocks-mng.adoc +++ b/latest/ug/ml/capacity-blocks-mng.adoc @@ -86,7 +86,4 @@ aws eks create-nodegroup \ . The node group is now ready for workloads and [.noloc]`Pods` to be scheduled. . In order for your [.noloc]`Pods` to be gracefully drained before reservation ends, Amazon EKS uses a scheduled scaling policy to scale down the node group size to `0` . This scheduled scaling will be set with name titled `Amazon EKS Node Group Capacity Scaledown Before Reservation End` . We recommend not editing or deleting this action. + -Amazon EC2 starts shutting down the instances 30 minutes before reservation end time. As a result, Amazon EKS will setup a scheduled scale down on the node group 40 minutes prior to their reservation end in order to safely and gracefully evict [.noloc]`Pods`. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23capacity-blocks-mng%5D&type=code[Edit this page on GitHub] \ No newline at end of file +Amazon EC2 starts shutting down the instances 30 minutes before reservation end time. As a result, Amazon EKS will setup a scheduled scale down on the node group 40 minutes prior to their reservation end in order to safely and gracefully evict [.noloc]`Pods`. \ No newline at end of file diff --git a/latest/ug/ml/capacity-blocks.adoc b/latest/ug/ml/capacity-blocks.adoc index b20c02fb1..62f9f037e 100644 --- a/latest/ug/ml/capacity-blocks.adoc +++ b/latest/ug/ml/capacity-blocks.adoc @@ -100,7 +100,4 @@ If you want to instead scale up manually whenever the capacity reservation becom . The node group is now ready for workloads and [.noloc]`Pods` to be scheduled. . In order for your [.noloc]`Pods` to be gracefully drained, we recommend that you set up {aws} Node Termination Handler. This handler will be able to watch for "ASG Scale-in" lifecycle events from Amazon EC2 Auto Scaling using EventBridge and allow the [.noloc]`Kubernetes` control plane to take required action before the instance becomes unavailable. Otherwise, your [.noloc]`Pods` and [.noloc]`Kubernetes` objects will get stuck in a pending state. For more information, see https://github.com/aws/aws-node-termination-handler[{aws} Node Termination Handler] on GitHub. + -If you don't setup a Node Termination Handler, we recommend that you start draining your [.noloc]`Pods` manually before hitting the 30 minute window so that they have enough time to be gracefully drained. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23capacity-blocks%5D&type=code[Edit this page on GitHub] \ No newline at end of file +If you don't setup a Node Termination Handler, we recommend that you start draining your [.noloc]`Pods` manually before hitting the 30 minute window so that they have enough time to be gracefully drained. \ No newline at end of file diff --git a/latest/ug/ml/inferentia-support.adoc b/latest/ug/ml/inferentia-support.adoc index f0a6c0145..8e1082409 100644 --- a/latest/ug/ml/inferentia-support.adoc +++ b/latest/ug/ml/inferentia-support.adoc @@ -244,7 +244,4 @@ An example output is as follows. [source,bash,subs="verbatim,attributes"] ---- [[(u'n02123045', u'tabby', 0.68817204), (u'n02127052', u'lynx', 0.12701613), (u'n02123159', u'tiger_cat', 0.08736559), (u'n02124075', u'Egyptian_cat', 0.063844085), (u'n02128757', u'snow_leopard', 0.009240591)]] ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23inferentia-support%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/ml/machine-learning-on-eks.adoc b/latest/ug/ml/machine-learning-on-eks.adoc index 463d288f4..6637dac56 100644 --- a/latest/ug/ml/machine-learning-on-eks.adoc +++ b/latest/ug/ml/machine-learning-on-eks.adoc @@ -62,7 +62,4 @@ include::ml-get-started.adoc[leveloffset=+1] include::ml-prepare-for-cluster.adoc[leveloffset=+1] -include::ml-tutorials.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23machine-learning-on-eks%5D&type=code[Edit this page on GitHub] \ No newline at end of file +include::ml-tutorials.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/ml/ml-eks-optimized-ami.adoc b/latest/ug/ml/ml-eks-optimized-ami.adoc index 5cd06c227..628d295c3 100644 --- a/latest/ug/ml/ml-eks-optimized-ami.adoc +++ b/latest/ug/ml/ml-eks-optimized-ami.adoc @@ -81,7 +81,4 @@ Mon Aug 6 20:23:31 20XX |=============================================================================| | No running processes found | +-----------------------------------------------------------------------------+ ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23ml-eks-optimized-ami%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/ml/ml-eks-windows-optimized-ami.adoc b/latest/ug/ml/ml-eks-windows-optimized-ami.adoc index 0345e8c3d..f6c256584 100644 --- a/latest/ug/ml/ml-eks-windows-optimized-ami.adoc +++ b/latest/ug/ml/ml-eks-windows-optimized-ami.adoc @@ -219,7 +219,4 @@ There is no EKS Windows GPU Optimized AMI or EC2 Image Builder managed component [#ml-eks-windows-ami-inferentia-tranium-support] === Inferentia and Trainium not supported -{aws} link:ai/machine-learning/inferentia/[Inferentia,type="marketing"] and {aws} link:ai/machine-learning/trainium/[Trainium,type="marketing"] based workloads are not supported on Windows. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23ml-eks-windows-optimized-ami%5D&type=code[Edit this page on GitHub] \ No newline at end of file +{aws} link:ai/machine-learning/inferentia/[Inferentia,type="marketing"] and {aws} link:ai/machine-learning/trainium/[Trainium,type="marketing"] based workloads are not supported on Windows. \ No newline at end of file diff --git a/latest/ug/ml/ml-get-started.adoc b/latest/ug/ml/ml-get-started.adoc index d95bd819d..b8d3f89d0 100644 --- a/latest/ug/ml/ml-get-started.adoc +++ b/latest/ug/ml/ml-get-started.adoc @@ -42,7 +42,4 @@ Along with choosing from the blueprints described on this page, there are other To improve your work with ML on EKS, refer to the following: -* *Prepare for ML* – Learn how to prepare for ML on EKS with features like custom AMIs and GPU reservations. See <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23ml-get-started%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* *Prepare for ML* – Learn how to prepare for ML on EKS with features like custom AMIs and GPU reservations. See <>. \ No newline at end of file diff --git a/latest/ug/ml/ml-prepare-for-cluster.adoc b/latest/ug/ml/ml-prepare-for-cluster.adoc index 6191eff9b..5893d103e 100644 --- a/latest/ug/ml/ml-prepare-for-cluster.adoc +++ b/latest/ug/ml/ml-prepare-for-cluster.adoc @@ -39,7 +39,4 @@ include::node-taints-managed-node-groups.adoc[leveloffset=+1] include::node-efa.adoc[leveloffset=+1] -include::inferentia-support.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23ml-prepare-for-cluster%5D&type=code[Edit this page on GitHub] \ No newline at end of file +include::inferentia-support.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/ml/ml-tutorials.adoc b/latest/ug/ml/ml-tutorials.adoc index 865d09521..8e299284c 100644 --- a/latest/ug/ml/ml-tutorials.adoc +++ b/latest/ug/ml/ml-tutorials.adoc @@ -68,7 +68,4 @@ link:hpc/deploying-generative-ai-applications-with-nvidia-nim-microservices-on-a * link:aws/new-gpu-equipped-ec2-p4-instances-for-machine-learning-hpc/[New – GPU-Equipped EC2 P4 Instances for Machine Learning & HPC,type="blog"] * link:machine-learning/amazon-ec2-p5e-instances-are-generally-available/[Amazon EC2 P5e instances are generally available,type="blog"] * link:containers/deploying-managed-p4d-instances-in-amazon-elastic-kubernetes-service/[Deploying managed P4d Instances in Amazon Elastic Kubernetes Service with NVIDIA GPUDirectRDMA,type="blog"] -* link:machine-learning/establishing-an-ai-ml-center-of-excellence/[Establishing an AI/ML center of excellence,type="blog"] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23ml-tutorials%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* link:machine-learning/establishing-an-ai-ml-center-of-excellence/[Establishing an AI/ML center of excellence,type="blog"] \ No newline at end of file diff --git a/latest/ug/ml/node-efa.adoc b/latest/ug/ml/node-efa.adoc index 0f8d94553..743f1c750 100644 --- a/latest/ug/ml/node-efa.adoc +++ b/latest/ug/ml/node-efa.adoc @@ -305,7 +305,4 @@ View the log for the `nccl-tests-launcher` [.noloc]`Pod`. Replace [.replaceable] kubectl logs -f nccl-tests-launcher-nbql9 ---- -If the test completed successfully, you can deploy your applications that use the [.noloc]`Nvidia Collective Communication Library`. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23node-efa%5D&type=code[Edit this page on GitHub] \ No newline at end of file +If the test completed successfully, you can deploy your applications that use the [.noloc]`Nvidia Collective Communication Library`. \ No newline at end of file diff --git a/latest/ug/ml/node-taints-managed-node-groups.adoc b/latest/ug/ml/node-taints-managed-node-groups.adoc index 68c13bcd5..1f77d3194 100644 --- a/latest/ug/ml/node-taints-managed-node-groups.adoc +++ b/latest/ug/ml/node-taints-managed-node-groups.adoc @@ -62,7 +62,4 @@ For more information and examples of usage, see https://kubernetes.io/docs/refer ==== -You can use the link:cli/latest/reference/eks/update-nodegroup-config.html[aws eks update-nodegroup-config,type="documentation"] {aws} CLI command to add, remove, or replace taints for managed node groups. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23node-taints-managed-node-groups%5D&type=code[Edit this page on GitHub] \ No newline at end of file +You can use the link:cli/latest/reference/eks/update-nodegroup-config.html[aws eks update-nodegroup-config,type="documentation"] {aws} CLI command to add, remove, or replace taints for managed node groups. \ No newline at end of file diff --git a/latest/ug/networking/alternate-cni-plugins.adoc b/latest/ug/networking/alternate-cni-plugins.adoc index 7f03086a4..45b270850 100644 --- a/latest/ug/networking/alternate-cni-plugins.adoc +++ b/latest/ug/networking/alternate-cni-plugins.adoc @@ -54,7 +54,4 @@ If you use [.noloc]`Calico` network policy enforcement, we recommend that you se == Considerations for Amazon EKS Auto Mode -Amazon EKS Auto Mode does not support alternate CNI plugins or network policy plugins. For more information, see <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23alternate-cni-plugins%5D&type=code[Edit this page on GitHub] \ No newline at end of file +Amazon EKS Auto Mode does not support alternate CNI plugins or network policy plugins. For more information, see <>. \ No newline at end of file diff --git a/latest/ug/networking/aws-load-balancer-controller.adoc b/latest/ug/networking/aws-load-balancer-controller.adoc index 16188c188..1c04df343 100644 --- a/latest/ug/networking/aws-load-balancer-controller.adoc +++ b/latest/ug/networking/aws-load-balancer-controller.adoc @@ -72,7 +72,4 @@ You can use one of the following procedures to install the [.noloc]`{aws} Load B In versions 2.5 and newer, the [.noloc]`{aws} Load Balancer Controller` becomes the default controller for [.noloc]`Kubernetes` _service_ resources with the `type: LoadBalancer` and makes an {aws} Network Load Balancer (NLB) for each service. It does this by making a mutating webhook for services, which sets the `spec.loadBalancerClass` field to `service.k8s.aws/nlb` for new services of `type: LoadBalancer`. You can turn off this feature and revert to using the https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/#legacy-cloud-provider[legacy Cloud Provider] as the default controller, by setting the helm chart value `enableServiceMutatorWebhook` to `false`. The cluster won't provision new Classic Load Balancers for your services unless you turn off this feature. Existing Classic Load Balancers will continue to work. -==== - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23aws-load-balancer-controller%5D&type=code[Edit this page on GitHub] \ No newline at end of file +==== \ No newline at end of file diff --git a/latest/ug/networking/cni-custom-network-tutorial.adoc b/latest/ug/networking/cni-custom-network-tutorial.adoc index a5d49fb39..c915439c3 100644 --- a/latest/ug/networking/cni-custom-network-tutorial.adoc +++ b/latest/ug/networking/cni-custom-network-tutorial.adoc @@ -619,7 +619,4 @@ aws ec2 delete-subnet --subnet-id $new_subnet_id_2 [source,bash,subs="verbatim,attributes"] ---- aws cloudformation delete-stack --stack-name my-eks-custom-networking-vpc ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cni-custom-network-tutorial%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/networking/cni-custom-network.adoc b/latest/ug/networking/cni-custom-network.adoc index 6f0305142..f1705eaf3 100644 --- a/latest/ug/networking/cni-custom-network.adoc +++ b/latest/ug/networking/cni-custom-network.adoc @@ -30,7 +30,4 @@ The following are considerations for using the feature. * If your cluster uses the `IPv6` family, you can't use custom networking. * If you plan to use custom networking only to help alleviate `IPv4` address exhaustion, you can create a cluster using the `IPv6` family instead. For more information, see <>. * Even though [.noloc]`Pods` deployed to subnets specified for secondary network interfaces can use different subnet and security groups than the node's primary network interface, the subnets and security groups must be in the same VPC as the node. -* For Fargate, subnets are controlled through the Fargate profile. For more information, see <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cni-custom-network%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* For Fargate, subnets are controlled through the Fargate profile. For more information, see <>. \ No newline at end of file diff --git a/latest/ug/networking/cni-iam-role.adoc b/latest/ug/networking/cni-iam-role.adoc index 0fc6a758c..a00539699 100644 --- a/latest/ug/networking/cni-iam-role.adoc +++ b/latest/ug/networking/cni-iam-role.adoc @@ -264,7 +264,4 @@ If you created a cluster that uses the `IPv6` family and the cluster has version [source,bash,subs="verbatim,attributes"] ---- aws iam create-policy --policy-name AmazonEKS_CNI_IPv6_Policy --policy-document file://vpc-cni-ipv6-policy.json ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cni-iam-role%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc b/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc index d0135e75c..835cf6103 100644 --- a/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc +++ b/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc @@ -233,7 +233,4 @@ pods: 110 vpc.amazonaws.com/PrivateIPv4Address: 144 ---- + -In the previous output, `110` is the maximum number of [.noloc]`Pods` that [.noloc]`Kubernetes` will deploy to the node, even though [.replaceable]`144` IP addresses are available. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cni-increase-ip-addresses-procedure%5D&type=code[Edit this page on GitHub] \ No newline at end of file +In the previous output, `110` is the maximum number of [.noloc]`Pods` that [.noloc]`Kubernetes` will deploy to the node, even though [.replaceable]`144` IP addresses are available. \ No newline at end of file diff --git a/latest/ug/networking/cni-increase-ip-addresses.adoc b/latest/ug/networking/cni-increase-ip-addresses.adoc index 9bca05fae..814abf599 100644 --- a/latest/ug/networking/cni-increase-ip-addresses.adoc +++ b/latest/ug/networking/cni-increase-ip-addresses.adoc @@ -58,7 +58,4 @@ Consider the following when you use this feature: ** After you configure the add-on to assign prefixes to network interfaces, you can't downgrade your [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on to a version lower than `1.9.0` (or `1.10.1`) without removing all nodes in all node groups in your cluster. ** If you're also using security groups for [.noloc]`Pods`, with `POD_SECURITY_GROUP_ENFORCING_MODE`=``standard`` and `AWS_VPC_K8S_CNI_EXTERNALSNAT`=``false``, when your [.noloc]`Pods` communicate with endpoints outside of your VPC, the node's security groups are used, rather than any security groups you've assigned to your [.noloc]`Pods`. + -If you're also using <>, with `POD_SECURITY_GROUP_ENFORCING_MODE`=``strict``, when your `Pods` communicate with endpoints outside of your VPC, the `Pod's` security groups are used. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cni-increase-ip-addresses%5D&type=code[Edit this page on GitHub] \ No newline at end of file +If you're also using <>, with `POD_SECURITY_GROUP_ENFORCING_MODE`=``strict``, when your `Pods` communicate with endpoints outside of your VPC, the `Pod's` security groups are used. \ No newline at end of file diff --git a/latest/ug/networking/cni-ipv6.adoc b/latest/ug/networking/cni-ipv6.adoc index e8ae4778a..288ef1e7e 100644 --- a/latest/ug/networking/cni-ipv6.adoc +++ b/latest/ug/networking/cni-ipv6.adoc @@ -70,7 +70,4 @@ If you don't know the `IPv6` `CIDR` range for your cluster, you can see it with [source,bash,subs="verbatim,attributes"] ---- aws eks describe-cluster --name my-cluster --query cluster.kubernetesNetworkConfig.serviceIpv6Cidr --output text ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cni-ipv6%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/networking/cni-network-policy-configure.adoc b/latest/ug/networking/cni-network-policy-configure.adoc index 03c91f169..07e6ea3c4 100644 --- a/latest/ug/networking/cni-network-policy-configure.adoc +++ b/latest/ug/networking/cni-network-policy-configure.adoc @@ -309,7 +309,4 @@ You can now deploy [.noloc]`Kubernetes` network policies to your cluster. To implement [.noloc]`Kubernetes` network policies you create [.noloc]`Kubernetes` `NetworkPolicy` objects and deploy them to your cluster. `NetworkPolicy` objects are scoped to a namespace. You implement policies to allow or deny traffic between [.noloc]`Pods` based on label selectors, namespaces, and IP address ranges. For more information about creating `NetworkPolicy` objects, see https://kubernetes.io/docs/concepts/services-networking/network-policies/#networkpolicy-resource[Network Policies] in the [.noloc]`Kubernetes` documentation. -Enforcement of [.noloc]`Kubernetes` `NetworkPolicy` objects is implemented using the [.noloc]`Extended Berkeley Packet Filter` ([.noloc]`eBPF`). Relative to `iptables` based implementations, it offers lower latency and performance characteristics, including reduced CPU utilization and avoiding sequential lookups. Additionally, [.noloc]`eBPF` probes provide access to context rich data that helps debug complex kernel level issues and improve observability. Amazon EKS supports an [.noloc]`eBPF`-based exporter that leverages the probes to log policy results on each node and export the data to external log collectors to aid in debugging. For more information, see the https://ebpf.io/what-is-ebpf/#what-is-ebpf[eBPF documentation]. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cni-network-policy-configure%5D&type=code[Edit this page on GitHub] \ No newline at end of file +Enforcement of [.noloc]`Kubernetes` `NetworkPolicy` objects is implemented using the [.noloc]`Extended Berkeley Packet Filter` ([.noloc]`eBPF`). Relative to `iptables` based implementations, it offers lower latency and performance characteristics, including reduced CPU utilization and avoiding sequential lookups. Additionally, [.noloc]`eBPF` probes provide access to context rich data that helps debug complex kernel level issues and improve observability. Amazon EKS supports an [.noloc]`eBPF`-based exporter that leverages the probes to log policy results on each node and export the data to external log collectors to aid in debugging. For more information, see the https://ebpf.io/what-is-ebpf/#what-is-ebpf[eBPF documentation]. \ No newline at end of file diff --git a/latest/ug/networking/cni-network-policy.adoc b/latest/ug/networking/cni-network-policy.adoc index 70e633edd..e014de6e8 100644 --- a/latest/ug/networking/cni-network-policy.adoc +++ b/latest/ug/networking/cni-network-policy.adoc @@ -61,7 +61,4 @@ Pods that use _IAM roles for service accounts_ or _EKS Pod Identity_ don't acces * The [.noloc]`Amazon VPC CNI plugin for Kubernetes` doesn't apply network policies to additional network interfaces for each pod, only the primary interface for each pod (`eth0`). This affects the following architectures: + ** `IPv6` pods with the `ENABLE_V4_EGRESS` variable set to `true`. This variable enables the `IPv4` egress feature to connect the IPv6 pods to `IPv4` endpoints such as those outside the cluster. The `IPv4` egress feature works by creating an additional network interface with a local loopback IPv4 address. -** When using chained network plugins such as [.noloc]`Multus`. Because these plugins add network interfaces to each pod, network policies aren't applied to the chained network plugins. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cni-network-policy%5D&type=code[Edit this page on GitHub] \ No newline at end of file +** When using chained network plugins such as [.noloc]`Multus`. Because these plugins add network interfaces to each pod, network policies aren't applied to the chained network plugins. \ No newline at end of file diff --git a/latest/ug/networking/coredns-add-on-create.adoc b/latest/ug/networking/coredns-add-on-create.adoc index e4e23f0cf..770f70387 100644 --- a/latest/ug/networking/coredns-add-on-create.adoc +++ b/latest/ug/networking/coredns-add-on-create.adoc @@ -60,7 +60,4 @@ An example output is as follows. ---- v1.11.3-eksbuild.1 ---- -. If you made custom settings to your original add-on, before you created the Amazon EKS add-on, use the configuration that you saved in a previous step to update the Amazon EKS add-on with your custom settings. For instructions to update the add-on, see <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23coredns-add-on-create%5D&type=code[Edit this page on GitHub] \ No newline at end of file +. If you made custom settings to your original add-on, before you created the Amazon EKS add-on, use the configuration that you saved in a previous step to update the Amazon EKS add-on with your custom settings. For instructions to update the add-on, see <>. \ No newline at end of file diff --git a/latest/ug/networking/coredns-add-on-self-managed-update.adoc b/latest/ug/networking/coredns-add-on-self-managed-update.adoc index 1225bc7c4..a1966e3e6 100644 --- a/latest/ug/networking/coredns-add-on-self-managed-update.adoc +++ b/latest/ug/networking/coredns-add-on-self-managed-update.adoc @@ -126,7 +126,4 @@ An example output is as follows. [source,bash,subs="verbatim,attributes"] ---- v1.11.3-eksbuild.1 ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23coredns-add-on-self-managed-update%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/networking/coredns-add-on-update.adoc b/latest/ug/networking/coredns-add-on-update.adoc index 84573985c..6b652db2c 100644 --- a/latest/ug/networking/coredns-add-on-update.adoc +++ b/latest/ug/networking/coredns-add-on-update.adoc @@ -73,7 +73,4 @@ An example output is as follows. "configurationValues": "{\"replicaCount\":3}" } } ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23coredns-add-on-update%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/networking/coredns-autoscaling.adoc b/latest/ug/networking/coredns-autoscaling.adoc index 9d2de887d..398106f46 100644 --- a/latest/ug/networking/coredns-autoscaling.adoc +++ b/latest/ug/networking/coredns-autoscaling.adoc @@ -271,7 +271,4 @@ aws eks describe-addon --cluster-name my-cluster --addon-name coredns \ + If you see this line: `"status": "ACTIVE"`, then the rollout has completed and the add-on is using the new configuration in all of the [.noloc]`CoreDNS` pods. As you change the number of nodes and CPU cores of nodes in the cluster, Amazon EKS scales the number of replicas of the [.noloc]`CoreDNS` deployment. -==== - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23coredns-autoscaling%5D&type=code[Edit this page on GitHub] \ No newline at end of file +==== \ No newline at end of file diff --git a/latest/ug/networking/coredns-metrics.adoc b/latest/ug/networking/coredns-metrics.adoc index 72edec825..e8d89732d 100644 --- a/latest/ug/networking/coredns-metrics.adoc +++ b/latest/ug/networking/coredns-metrics.adoc @@ -12,7 +12,4 @@ Learn how to collect [.noloc]`CoreDNS` metrics in Amazon EKS using Prometheus or [.noloc]`CoreDNS` as an EKS add-on exposes the metrics from [.noloc]`CoreDNS` on port `9153` in the Prometheus format in the `kube-dns` service. You can use Prometheus, the Amazon CloudWatch agent, or any other compatible system to scrape (collect) these metrics. -For an example _scrape configuration_ that is compatible with both Prometheus and the CloudWatch agent, see link:AmazonCloudWatch/latest/monitoring/ContainerInsights-Prometheus-Setup-configure.html[CloudWatch agent configuration for Prometheus,type="documentation"] in the _Amazon CloudWatch User Guide_. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23coredns-metrics%5D&type=code[Edit this page on GitHub] \ No newline at end of file +For an example _scrape configuration_ that is compatible with both Prometheus and the CloudWatch agent, see link:AmazonCloudWatch/latest/monitoring/ContainerInsights-Prometheus-Setup-configure.html[CloudWatch agent configuration for Prometheus,type="documentation"] in the _Amazon CloudWatch User Guide_. \ No newline at end of file diff --git a/latest/ug/networking/creating-a-vpc.adoc b/latest/ug/networking/creating-a-vpc.adoc index 9f63a7288..1984a0a27 100644 --- a/latest/ug/networking/creating-a-vpc.adoc +++ b/latest/ug/networking/creating-a-vpc.adoc @@ -122,7 +122,4 @@ https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2020-10-29/amazon-e .. When your stack is created, select it in the console and choose *Outputs*. .. Record the *VpcId* for the VPC that was created. You need this when you create your cluster and nodes. .. Record the *SubnetIds* for the subnets that were created. You need at least two of these when you create your cluster and nodes. -.. (Optional) Any cluster that you deploy to this VPC can assign private `IPv4` addresses to your [.noloc]`Pods` and [.noloc]`services`. If you want deploy clusters to this VPC to assign private `IPv6` addresses to your [.noloc]`Pods` and [.noloc]`services`, make updates to your VPC, subnet, route tables, and security groups. For more information, see link:vpc/latest/userguide/vpc-migrate-ipv6.html[Migrate existing VPCs from IPv4 to IPv6,type="documentation"] in the Amazon VPC User Guide. Amazon EKS requires that your subnets have the `Auto-assign IPv6` addresses option enabled (it's disabled by default). - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23creating-a-vpc%5D&type=code[Edit this page on GitHub] \ No newline at end of file +.. (Optional) Any cluster that you deploy to this VPC can assign private `IPv4` addresses to your [.noloc]`Pods` and [.noloc]`services`. If you want deploy clusters to this VPC to assign private `IPv6` addresses to your [.noloc]`Pods` and [.noloc]`services`, make updates to your VPC, subnet, route tables, and security groups. For more information, see link:vpc/latest/userguide/vpc-migrate-ipv6.html[Migrate existing VPCs from IPv4 to IPv6,type="documentation"] in the Amazon VPC User Guide. Amazon EKS requires that your subnets have the `Auto-assign IPv6` addresses option enabled (it's disabled by default). \ No newline at end of file diff --git a/latest/ug/networking/deploy-ipv6-cluster.adoc b/latest/ug/networking/deploy-ipv6-cluster.adoc index 50bf02634..39db40ebc 100644 --- a/latest/ug/networking/deploy-ipv6-cluster.adoc +++ b/latest/ug/networking/deploy-ipv6-cluster.adoc @@ -501,7 +501,4 @@ aws iam delete-role --role-name $node_role_name [source,bash,subs="verbatim,attributes"] ---- aws cloudformation delete-stack --region $region_code --stack-name $vpc_stack_name ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23deploy-ipv6-cluster%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/networking/eks-networking-add-ons.adoc b/latest/ug/networking/eks-networking-add-ons.adoc index 413c1ab02..127982daf 100644 --- a/latest/ug/networking/eks-networking-add-ons.adoc +++ b/latest/ug/networking/eks-networking-add-ons.adoc @@ -55,7 +55,4 @@ When you deploy [.noloc]`Kubernetes` service objects of type `loadbalancer`, the *{aws} Gateway API Controller*:: This controller lets you connect services across multiple [.noloc]`Kubernetes` clusters using the https://gateway-api.sigs.k8s.io/[Kubernetes gateway API]. The controller connects [.noloc]`Kubernetes` services running on Amazon EC2 instances, containers, and serverless functions by using the link:vpc-lattice/latest/ug/what-is-vpc-service-network.html[Amazon VPC Lattice,type="documentation"] service. For more information, see the https://www.gateway-api-controller.eks.aws.dev/[{aws} Gateway API Controller] documentation. -For more information about add-ons, see <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-networking-add-ons%5D&type=code[Edit this page on GitHub] \ No newline at end of file +For more information about add-ons, see <>. \ No newline at end of file diff --git a/latest/ug/networking/eks-networking.adoc b/latest/ug/networking/eks-networking.adoc index 015f8f64d..461f26cba 100644 --- a/latest/ug/networking/eks-networking.adoc +++ b/latest/ug/networking/eks-networking.adoc @@ -28,7 +28,4 @@ Learn how to configure networking for your Amazon EKS cluster using a VPC, subne Your Amazon EKS cluster is created in a VPC. Pod networking is provided by the Amazon VPC Container Network Interface (CNI) plugin for nodes that run on {aws} infrastructure. If you are running nodes on your own infrastructure, see <>. This chapter includes the following topics for learning more about networking for your cluster. [.topiclist] -[[Topic List]] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-networking%5D&type=code[Edit this page on GitHub] \ No newline at end of file +[[Topic List]] \ No newline at end of file diff --git a/latest/ug/networking/external-snat.adoc b/latest/ug/networking/external-snat.adoc index cfe46fa74..0e78eaf60 100644 --- a/latest/ug/networking/external-snat.adoc +++ b/latest/ug/networking/external-snat.adoc @@ -49,7 +49,4 @@ The `AWS_VPC_K8S_CNI_EXTERNALSNAT` and `AWS_VPC_K8S_CNI_EXCLUDE_SNAT_CIDRS` CNI [#snat-exception] == Host networking -{asterisk} If a [.noloc]`Pod's` spec contains `hostNetwork=true` (default is `false`), then its IP address isn't translated to a different address. This is the case for the `kube-proxy` and [.noloc]`Amazon VPC CNI plugin for Kubernetes` [.noloc]`Pods` that run on your cluster, by default. For these [.noloc]`Pods`, the IP address is the same as the node's primary IP address, so the [.noloc]`Pod's` IP address isn't translated. For more information about a [.noloc]`Pod's` `hostNetwork` setting, see https://kubernetes.io/docs/reference/generated/kubernetes-api/v{k8s-n}/#podspec-v1-core[PodSpec v1 core] in the [.noloc]`Kubernetes` API reference. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23external-snat%5D&type=code[Edit this page on GitHub] \ No newline at end of file +{asterisk} If a [.noloc]`Pod's` spec contains `hostNetwork=true` (default is `false`), then its IP address isn't translated to a different address. This is the case for the `kube-proxy` and [.noloc]`Amazon VPC CNI plugin for Kubernetes` [.noloc]`Pods` that run on your cluster, by default. For these [.noloc]`Pods`, the IP address is the same as the node's primary IP address, so the [.noloc]`Pod's` IP address isn't translated. For more information about a [.noloc]`Pod's` `hostNetwork` setting, see https://kubernetes.io/docs/reference/generated/kubernetes-api/v{k8s-n}/#podspec-v1-core[PodSpec v1 core] in the [.noloc]`Kubernetes` API reference. \ No newline at end of file diff --git a/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc b/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc index 428621981..bec538b0d 100644 --- a/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc +++ b/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc @@ -105,7 +105,4 @@ Add the following `Affinity Rule` to the [.noloc]`DaemonSet` `spec` section of t operator: NotIn values: - fargate ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23kube-proxy-add-on-self-managed-update%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/networking/lbc-helm.adoc b/latest/ug/networking/lbc-helm.adoc index dc61953fb..85a7d82ee 100644 --- a/latest/ug/networking/lbc-helm.adoc +++ b/latest/ug/networking/lbc-helm.adoc @@ -174,7 +174,4 @@ aws-load-balancer-controller 2/2 2 2 84s You receive the previous output if you deployed using Helm. If you deployed using the [.noloc]`Kubernetes` manifest, you only have one replica. . Before using the controller to provision {aws} resources, your cluster must meet specific requirements. For more information, see <> and <>. -// GDC Must Fix - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23lbc-helm%5D&type=code[Edit this page on GitHub] \ No newline at end of file +// GDC Must Fix \ No newline at end of file diff --git a/latest/ug/networking/lbc-manifest.adoc b/latest/ug/networking/lbc-manifest.adoc index 248852323..c1b259d9a 100644 --- a/latest/ug/networking/lbc-manifest.adoc +++ b/latest/ug/networking/lbc-manifest.adoc @@ -347,7 +347,4 @@ aws-load-balancer-controller 2/2 2 2 84s ---- + You receive the previous output if you deployed using Helm. If you deployed using the [.noloc]`Kubernetes` manifest, you only have one replica. -. Before using the controller to provision {aws} resources, your cluster must meet specific requirements. For more information, see <> and <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23lbc-manifest%5D&type=code[Edit this page on GitHub] \ No newline at end of file +. Before using the controller to provision {aws} resources, your cluster must meet specific requirements. For more information, see <> and <>. \ No newline at end of file diff --git a/latest/ug/networking/lbc-remove.adoc b/latest/ug/networking/lbc-remove.adoc index 6c19491ba..0e393a2ee 100644 --- a/latest/ug/networking/lbc-remove.adoc +++ b/latest/ug/networking/lbc-remove.adoc @@ -112,7 +112,4 @@ If you created the role using `eksctl`, then to find the role name that was crea aws iam attach-role-policy \ --role-name your-role-name \ --policy-arn {arn-aws}iam::111122223333:policy/AWSLoadBalancerControllerAdditionalIAMPolicy ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23lbc-remove%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/networking/managing-coredns.adoc b/latest/ug/networking/managing-coredns.adoc index a575a1f79..47d84da6c 100644 --- a/latest/ug/networking/managing-coredns.adoc +++ b/latest/ug/networking/managing-coredns.adoc @@ -106,7 +106,4 @@ topologySpreadConstraints: [#coredns-upgrade-1.11] === [.noloc]`CoreDNS` `v1.11` upgrade considerations -* In EKS add-on versions `v1.11.1-eksbuild.4` and later, the container image is based on a https://gallery.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base[minimal base image] maintained by Amazon EKS Distro, which contains minimal packages and doesn't have shells. For more information, see https://distro.eks.amazonaws.com/[Amazon EKS Distro]. The usage and troubleshooting of the [.noloc]`CoreDNS` image remains the same. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23managing-coredns%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* In EKS add-on versions `v1.11.1-eksbuild.4` and later, the container image is based on a https://gallery.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base[minimal base image] maintained by Amazon EKS Distro, which contains minimal packages and doesn't have shells. For more information, see https://distro.eks.amazonaws.com/[Amazon EKS Distro]. The usage and troubleshooting of the [.noloc]`CoreDNS` image remains the same. \ No newline at end of file diff --git a/latest/ug/networking/managing-kube-proxy.adoc b/latest/ug/networking/managing-kube-proxy.adoc index 08f530c19..ec600a296 100644 --- a/latest/ug/networking/managing-kube-proxy.adoc +++ b/latest/ug/networking/managing-kube-proxy.adoc @@ -87,7 +87,4 @@ The following table lists the latest available self-managed `kube-proxy` contain * The default image type isn't available for [.noloc]`Kubernetes` version `1.25` and later. You must use the minimal image type. -* When you <>, you specify a valid Amazon EKS add-on version, which might not be a version listed in this table. This is because <> versions don't always match container image versions specified when updating the self-managed type of this add-on. When you update the self-managed type of this add-on, you specify a valid container image version listed in this table. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23managing-kube-proxy%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* When you <>, you specify a valid Amazon EKS add-on version, which might not be a version listed in this table. This is because <> versions don't always match container image versions specified when updating the self-managed type of this add-on. When you update the self-managed type of this add-on, you specify a valid container image version listed in this table. \ No newline at end of file diff --git a/latest/ug/networking/managing-vpc-cni.adoc b/latest/ug/networking/managing-vpc-cni.adoc index 93da6f67c..cf808ee68 100644 --- a/latest/ug/networking/managing-vpc-cni.adoc +++ b/latest/ug/networking/managing-vpc-cni.adoc @@ -79,7 +79,4 @@ To upgrade to VPC CNI v1.12.0 or later, you must upgrade to VPC CNI v1.7.0 first The following are considerations for using the feature. * Versions are specified as `major-version.minor-version.patch-version-eksbuild.build-number`. -* Check version compatibility for each feature. Some features of each release of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` require certain [.noloc]`Kubernetes` versions. When using different Amazon EKS features, if a specific version of the add-on is required, then it's noted in the feature documentation. Unless you have a specific reason for running an earlier version, we recommend running the latest version. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23managing-vpc-cni%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* Check version compatibility for each feature. Some features of each release of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` require certain [.noloc]`Kubernetes` versions. When using different Amazon EKS features, if a specific version of the add-on is required, then it's noted in the feature documentation. Unless you have a specific reason for running an earlier version, we recommend running the latest version. \ No newline at end of file diff --git a/latest/ug/networking/network-policies-troubleshooting.adoc b/latest/ug/networking/network-policies-troubleshooting.adoc index a4965bb9d..b21408150 100644 --- a/latest/ug/networking/network-policies-troubleshooting.adoc +++ b/latest/ug/networking/network-policies-troubleshooting.adoc @@ -257,7 +257,4 @@ The [.noloc]`Amazon VPC CNI plugin for Kubernetes` installs [.noloc]`eBPF` SDK c sudo /opt/cni/bin/aws-eks-na-cli ebpf progs ---- -To run this command, you can use any method to connect to the node. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23network-policies-troubleshooting%5D&type=code[Edit this page on GitHub] \ No newline at end of file +To run this command, you can use any method to connect to the node. \ No newline at end of file diff --git a/latest/ug/networking/network-policy-disable.adoc b/latest/ug/networking/network-policy-disable.adoc index 1ede8a3d3..81b648785 100644 --- a/latest/ug/networking/network-policy-disable.adoc +++ b/latest/ug/networking/network-policy-disable.adoc @@ -36,7 +36,4 @@ kubectl edit daemonset -n kube-system aws-node ---- - args: - --enable-network-policy=true ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23network-policy-disable%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/networking/network-policy-stars-demo.adoc b/latest/ug/networking/network-policy-stars-demo.adoc index 391d0b845..b753e0497 100644 --- a/latest/ug/networking/network-policy-stars-demo.adoc +++ b/latest/ug/networking/network-policy-stars-demo.adoc @@ -185,7 +185,4 @@ kubectl delete -f https://eksworkshop.com/beginner/120_network-policies/calico/s kubectl delete -f https://eksworkshop.com/beginner/120_network-policies/calico/stars_policy_demo/create_resources.files/namespace.yaml ---- + -Even after deleting the resources, there can still be network policy endpoints on the nodes that might interfere in unexpected ways with networking in your cluster. The only sure way to remove these rules is to reboot the nodes or terminate all of the nodes and recycle them. To terminate all nodes, either set the Auto Scaling Group desired count to 0, then back up to the desired number, or just terminate the nodes. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23network-policy-stars-demo%5D&type=code[Edit this page on GitHub] \ No newline at end of file +Even after deleting the resources, there can still be network policy endpoints on the nodes that might interfere in unexpected ways with networking in your cluster. The only sure way to remove these rules is to reboot the nodes or terminate all of the nodes and recycle them. To terminate all nodes, either set the Auto Scaling Group desired count to 0, then back up to the desired number, or just terminate the nodes. \ No newline at end of file diff --git a/latest/ug/networking/network-reqs.adoc b/latest/ug/networking/network-reqs.adoc index b84a01e2b..dca97cf2f 100644 --- a/latest/ug/networking/network-reqs.adoc +++ b/latest/ug/networking/network-reqs.adoc @@ -281,6 +281,3 @@ You can use _VPC sharing_ to share subnets with other {aws} accounts within the * If you use the _custom networking_ feature of the [.noloc]`Amazon VPC CNI plugin for Kubernetes`, you need to use the Availability Zone ID mappings listed in the owner account to create each `ENIConfig`. For more information, see <>. For more information about VPC subnet sharing, see link:vpc/latest/userguide/vpc-sharing.html#vpc-share-limitations[Share your VPC with other accounts,type="documentation"] in the _Amazon VPC User Guide_. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23network-reqs%5D&type=code[Edit this page on GitHub] diff --git a/latest/ug/networking/pod-multiple-network-interfaces.adoc b/latest/ug/networking/pod-multiple-network-interfaces.adoc index a20f982b8..7493645d4 100644 --- a/latest/ug/networking/pod-multiple-network-interfaces.adoc +++ b/latest/ug/networking/pod-multiple-network-interfaces.adoc @@ -28,7 +28,4 @@ In Amazon EKS, each [.noloc]`Pod` has one network interface assigned by the Amaz : `true` * Multus is compatible with network policies, but the policy has to be enriched to include ports and IP addresses that may be part of additional network interfaces attached to [.noloc]`Pods`. -For an implementation walk through, see the https://github.com/aws-samples/eks-install-guide-for-multus/blob/main/README.md[Multus Setup Guide] on [.noloc]`GitHub`. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pod-multiple-network-interfaces%5D&type=code[Edit this page on GitHub] \ No newline at end of file +For an implementation walk through, see the https://github.com/aws-samples/eks-install-guide-for-multus/blob/main/README.md[Multus Setup Guide] on [.noloc]`GitHub`. \ No newline at end of file diff --git a/latest/ug/networking/pod-networking-use-cases.adoc b/latest/ug/networking/pod-networking-use-cases.adoc index 37d6b7f4c..ca9867470 100644 --- a/latest/ug/networking/pod-networking-use-cases.adoc +++ b/latest/ug/networking/pod-networking-use-cases.adoc @@ -44,7 +44,4 @@ The [.noloc]`Amazon VPC CNI plugin for Kubernetes` provides networking for [.nol |Use multiple network interfaces for [.noloc]`Pods` |<> -|=== - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pod-networking-use-cases%5D&type=code[Edit this page on GitHub] \ No newline at end of file +|=== \ No newline at end of file diff --git a/latest/ug/networking/sec-group-reqs.adoc b/latest/ug/networking/sec-group-reqs.adoc index 54b23c8e4..028ec43c9 100644 --- a/latest/ug/networking/sec-group-reqs.adoc +++ b/latest/ug/networking/sec-group-reqs.adoc @@ -142,7 +142,4 @@ Amazon EKS supports shared security groups. === Considerations for Amazon EKS -* EKS has the same requirements of shared or multi-VPC security groups as standard security groups. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23sec-group-reqs%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* EKS has the same requirements of shared or multi-VPC security groups as standard security groups. \ No newline at end of file diff --git a/latest/ug/networking/security-groups-for-pods.adoc b/latest/ug/networking/security-groups-for-pods.adoc index b1e7d468b..ff4ecbce3 100644 --- a/latest/ug/networking/security-groups-for-pods.adoc +++ b/latest/ug/networking/security-groups-for-pods.adoc @@ -68,7 +68,4 @@ If you're using version `1.11` or later of the plugin with `POD_SECURITY_GROUP_E * Security groups for [.noloc]`Pods` might lead to higher [.noloc]`Pod` startup latency for [.noloc]`Pods` with high churn. This is due to rate limiting in the resource controller. * The EC2 security group scope is at the [.noloc]`Pod`-level - For more information, see link:vpc/latest/userguide/VPC_SecurityGroups.html[Security group,type="documentation"]. + -If you set `POD_SECURITY_GROUP_ENFORCING_MODE=standard` and `AWS_VPC_K8S_CNI_EXTERNALSNAT=false`, traffic destined for endpoints outside the VPC use the node's security groups, not the [.noloc]`Pod's` security groups. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23security-groups-for-pods%5D&type=code[Edit this page on GitHub] \ No newline at end of file +If you set `POD_SECURITY_GROUP_ENFORCING_MODE=standard` and `AWS_VPC_K8S_CNI_EXTERNALSNAT=false`, traffic destined for endpoints outside the VPC use the node's security groups, not the [.noloc]`Pod's` security groups. \ No newline at end of file diff --git a/latest/ug/networking/security-groups-pods-deployment.adoc b/latest/ug/networking/security-groups-pods-deployment.adoc index 462ec4c33..729b84ff5 100644 --- a/latest/ug/networking/security-groups-pods-deployment.adoc +++ b/latest/ug/networking/security-groups-pods-deployment.adoc @@ -89,7 +89,4 @@ IMPORTANT: ** Outbound traffic from [.noloc]`Pods` to addresses outside of the VPC is network address translated to the IP address of the instance's primary network interface (unless you've also set `AWS_VPC_K8S_CNI_EXTERNALSNAT=true`). For this traffic, the rules in the security groups for the primary network interface are used, rather than the rules in the [.noloc]`Pod's` security groups. ** For this setting to apply to existing [.noloc]`Pods`, you must restart the [.noloc]`Pods` or the nodes that the [.noloc]`Pods` are running on. -. To see how to use a security group policy for your [.noloc]`Pod`, see <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23security-groups-pods-deployment%5D&type=code[Edit this page on GitHub] \ No newline at end of file +. To see how to use a security group policy for your [.noloc]`Pod`, see <>. \ No newline at end of file diff --git a/latest/ug/networking/sg-pods-example-deployment.adoc b/latest/ug/networking/sg-pods-example-deployment.adoc index 74f01aa23..14a7882ae 100644 --- a/latest/ug/networking/sg-pods-example-deployment.adoc +++ b/latest/ug/networking/sg-pods-example-deployment.adoc @@ -206,7 +206,4 @@ aws ec2 revoke-security-group-ingress --group-id $my_pod_security_group_id --sec wait sleep 45s aws ec2 delete-security-group --group-id $my_pod_security_group_id ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23sg-pods-example-deployment%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/networking/vpc-add-on-create.adoc b/latest/ug/networking/vpc-add-on-create.adoc index 1ea2cb075..32bcf625a 100644 --- a/latest/ug/networking/vpc-add-on-create.adoc +++ b/latest/ug/networking/vpc-add-on-create.adoc @@ -91,7 +91,4 @@ An example output is as follows. v1.19.2-eksbuild.1 ---- . If you made custom settings to your original add-on, before you created the Amazon EKS add-on, use the configuration that you saved in a previous step to update the EKS add-on with your custom settings. Follow the steps in <>. -. (Optional) Install the `cni-metrics-helper` to your cluster. It scrapes elastic network interface and IP address information, aggregates it at a cluster level, and publishes the metrics to Amazon CloudWatch. For more information, see https://github.com/aws/amazon-vpc-cni-k8s/blob/master/cmd/cni-metrics-helper/README.md[cni-metrics-helper] on GitHub. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23vpc-add-on-create%5D&type=code[Edit this page on GitHub] \ No newline at end of file +. (Optional) Install the `cni-metrics-helper` to your cluster. It scrapes elastic network interface and IP address information, aggregates it at a cluster level, and publishes the metrics to Amazon CloudWatch. For more information, see https://github.com/aws/amazon-vpc-cni-k8s/blob/master/cmd/cni-metrics-helper/README.md[cni-metrics-helper] on GitHub. \ No newline at end of file diff --git a/latest/ug/networking/vpc-add-on-self-managed-update.adoc b/latest/ug/networking/vpc-add-on-self-managed-update.adoc index 9e7be985d..5504c924c 100644 --- a/latest/ug/networking/vpc-add-on-self-managed-update.adoc +++ b/latest/ug/networking/vpc-add-on-self-managed-update.adoc @@ -69,7 +69,4 @@ An example output is as follows. ---- v1.19.2 ---- -. (Optional) Install the `cni-metrics-helper` to your cluster. It scrapes elastic network interface and IP address information, aggregates it at a cluster level, and publishes the metrics to Amazon CloudWatch. For more information, see https://github.com/aws/amazon-vpc-cni-k8s/blob/master/cmd/cni-metrics-helper/README.md[cni-metrics-helper] on GitHub. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23vpc-add-on-self-managed-update%5D&type=code[Edit this page on GitHub] \ No newline at end of file +. (Optional) Install the `cni-metrics-helper` to your cluster. It scrapes elastic network interface and IP address information, aggregates it at a cluster level, and publishes the metrics to Amazon CloudWatch. For more information, see https://github.com/aws/amazon-vpc-cni-k8s/blob/master/cmd/cni-metrics-helper/README.md[cni-metrics-helper] on GitHub. \ No newline at end of file diff --git a/latest/ug/networking/vpc-add-on-update.adoc b/latest/ug/networking/vpc-add-on-update.adoc index d024ddd3e..66f855172 100644 --- a/latest/ug/networking/vpc-add-on-update.adoc +++ b/latest/ug/networking/vpc-add-on-update.adoc @@ -74,7 +74,4 @@ An example output is as follows. "configurationValues": "{\"env\":{\"AWS_VPC_K8S_CNI_EXTERNALSNAT\":\"true\"}}" } } ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23vpc-add-on-update%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/nodes/al2023.adoc b/latest/ug/nodes/al2023.adoc index 5d80f1373..8c4efff3b 100644 --- a/latest/ug/nodes/al2023.adoc +++ b/latest/ug/nodes/al2023.adoc @@ -65,7 +65,4 @@ For previously existing managed node groups, you can either perform an in-place * If you're using a custom AMI with a managed node group, you can perform an in-place upgrade by swapping the AMI ID in the launch template. You should ensure that your applications and any user data transfer over to AL2023 first before performing this upgrade strategy. * If you're using managed node groups with either the standard launch template or with a custom launch template that doesn't specify the AMI ID, you're required to upgrade using a blue/green strategy. A blue/green upgrade is typically more complex and involves creating an entirely new node group where you would specify AL2023 as the AMI type. The new node group will need to then be carefully configured to ensure that all custom data from the AL2 node group is compatible with the new OS. Once the new node group has been tested and validated with your applications, [.noloc]`Pods` can be migrated from the old node group to the new node group. Once the migration is completed, you can delete the old node group. -If you're using [.noloc]`Karpenter` and want to use AL2023, you'll need to modify the `EC2NodeClass` `amiFamily` field with AL2023. By default, Drift is enabled in [.noloc]`Karpenter`. This means that once the `amiFamily` field has been changed, [.noloc]`Karpenter` will automatically update your worker nodes to the latest AMI when available. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23al2023%5D&type=code[Edit this page on GitHub] \ No newline at end of file +If you're using [.noloc]`Karpenter` and want to use AL2023, you'll need to modify the `EC2NodeClass` `amiFamily` field with AL2023. By default, Drift is enabled in [.noloc]`Karpenter`. This means that once the `amiFamily` field has been changed, [.noloc]`Karpenter` will automatically update your worker nodes to the latest AMI when available. \ No newline at end of file diff --git a/latest/ug/nodes/auto-get-logs.adoc b/latest/ug/nodes/auto-get-logs.adoc index 483838bfd..f8644392c 100644 --- a/latest/ug/nodes/auto-get-logs.adoc +++ b/latest/ug/nodes/auto-get-logs.adoc @@ -124,7 +124,4 @@ artifacts ---- # Delete the NodeDiagnostic resource kubectl delete nodediagnostics.eks.amazonaws.com/[.replaceable]`node-name` ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-get-logs%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/nodes/bottlerocket-compliance-support.adoc b/latest/ug/nodes/bottlerocket-compliance-support.adoc index 1a8a20617..acfaacba2 100644 --- a/latest/ug/nodes/bottlerocket-compliance-support.adoc +++ b/latest/ug/nodes/bottlerocket-compliance-support.adoc @@ -15,7 +15,4 @@ include::../attributes.txt[] * There is a https://www.cisecurity.org/benchmark/bottlerocket[CIS Benchmark] defined for [.noloc]`Bottlerocket`. In a default configuration, [.noloc]`Bottlerocket` image has most of the controls required by CIS Level 1 configuration profile. You can implement the controls required for a CIS Level 2 configuration profile. For more information, see link:containers/validating-amazon-eks-optimized-bottlerocket-ami-against-the-cis-benchmark[Validating Amazon EKS optimized Bottlerocket AMI against the CIS Benchmark,type="blog"] on the {aws} blog. * The optimized feature set and reduced attack surface means that [.noloc]`Bottlerocket` instances require less configuration to satisfy PCI DSS requirements. The https://www.cisecurity.org/benchmark/bottlerocket[CIS Benchmark for Bottlerocket] is an excellent resource for hardening guidance, and supports your requirements for secure configuration standards under PCI DSS requirement 2.2. You can also leverage https://opensearch.org/blog/technical-post/2022/07/bottlerocket-k8s-fluent-bit/[Fluent Bit] to support your requirements for operating system level audit logging under PCI DSS requirement 10.2. {aws} publishes new (patched) [.noloc]`Bottlerocket` instances periodically to help you meet PCI DSS requirement 6.2 (for v3.2.1) and requirement 6.3.3 (for v4.0). * [.noloc]`Bottlerocket` is an HIPAA-eligible feature authorized for use with regulated workloads for both Amazon EC2 and Amazon EKS. For more information, see the link:pdfs/whitepapers/latest/architecting-hipaa-security-and-compliance-on-amazon-eks/architecting-hipaa-security-and-compliance-on-amazon-eks.pdf[Architecting for HIPAA Security and Compliance on Amazon EKS,type="documentation"] whitepaper. -* [.noloc]`Bottlerocket` AMIs are available that are preconfigured to use FIPS 140-3 validated cryptographic modules. This includes the Amazon Linux 2023 Kernel Crypto API Cryptographic Module and the {aws}-LC Cryptographic Module. For more information on selecting FIPS-enabled variants, see <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23bottlerocket-compliance-support%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* [.noloc]`Bottlerocket` AMIs are available that are preconfigured to use FIPS 140-3 validated cryptographic modules. This includes the Amazon Linux 2023 Kernel Crypto API Cryptographic Module and the {aws}-LC Cryptographic Module. For more information on selecting FIPS-enabled variants, see <>. \ No newline at end of file diff --git a/latest/ug/nodes/choosing-instance-type.adoc b/latest/ug/nodes/choosing-instance-type.adoc index 7fd16c279..9ab3940f6 100644 --- a/latest/ug/nodes/choosing-instance-type.adoc +++ b/latest/ug/nodes/choosing-instance-type.adoc @@ -110,7 +110,4 @@ The max [.noloc]`Pods` calculator script limits the return value to `110` based EKS Auto Mode limits the number of pods on nodes to the lower of: * 110 pods hard cap -* The result of the max pods calculation described above. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23choosing-instance-type%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* The result of the max pods calculation described above. \ No newline at end of file diff --git a/latest/ug/nodes/create-managed-node-group.adoc b/latest/ug/nodes/create-managed-node-group.adoc index f1c6354ae..5b859e960 100644 --- a/latest/ug/nodes/create-managed-node-group.adoc +++ b/latest/ug/nodes/create-managed-node-group.adoc @@ -248,7 +248,4 @@ Now that you have a working Amazon EKS cluster with nodes, you're ready to start For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. * Configure the [.noloc]`Kubernetes` https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaler] to automatically adjust the number of nodes in your node groups. * Deploy a <> to your cluster. -* <> with important tools for managing your cluster. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23create-managed-node-group%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* <> with important tools for managing your cluster. \ No newline at end of file diff --git a/latest/ug/nodes/delete-fargate-profile.adoc b/latest/ug/nodes/delete-fargate-profile.adoc index 69cf08873..70c98b21f 100644 --- a/latest/ug/nodes/delete-fargate-profile.adoc +++ b/latest/ug/nodes/delete-fargate-profile.adoc @@ -51,7 +51,4 @@ Use the following command to delete a profile from a cluster. Replace every [.re [source,bash,subs="verbatim,attributes"] ---- aws eks delete-fargate-profile --fargate-profile-name my-profile --cluster-name my-cluster ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23delete-fargate-profile%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/nodes/delete-managed-node-group.adoc b/latest/ug/nodes/delete-managed-node-group.adoc index 0d8b9ede7..c3ef9f8f4 100644 --- a/latest/ug/nodes/delete-managed-node-group.adoc +++ b/latest/ug/nodes/delete-managed-node-group.adoc @@ -71,7 +71,4 @@ aws eks delete-nodegroup \ . Use the arrow keys on your keyboard to scroll through the response output. Press the `q` key when you're finished. + -For more options, see the `link:cli/latest/reference/eks/delete-nodegroup.html[delete-nodegroup,type="documentation"]` command in the _{aws} CLI Command Reference_. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23delete-managed-node-group%5D&type=code[Edit this page on GitHub] \ No newline at end of file +For more options, see the `link:cli/latest/reference/eks/delete-nodegroup.html[delete-nodegroup,type="documentation"]` command in the _{aws} CLI Command Reference_. \ No newline at end of file diff --git a/latest/ug/nodes/dockershim-deprecation.adoc b/latest/ug/nodes/dockershim-deprecation.adoc index 272ab136f..1fc9acae1 100644 --- a/latest/ug/nodes/dockershim-deprecation.adoc +++ b/latest/ug/nodes/dockershim-deprecation.adoc @@ -97,7 +97,4 @@ If you prefer to use a different tool to create your managed node group, you mus [source,bash,subs="verbatim,attributes"] ---- /etc/eks/bootstrap.sh my-cluster --container-runtime containerd ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23dockershim-deprecation%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/nodes/eks-ami-build-scripts.adoc b/latest/ug/nodes/eks-ami-build-scripts.adoc index 91dffde79..44006dcf8 100644 --- a/latest/ug/nodes/eks-ami-build-scripts.adoc +++ b/latest/ug/nodes/eks-ami-build-scripts.adoc @@ -22,7 +22,4 @@ Additionally, the [.noloc]`GitHub` repository contains our Amazon EKS node {aws} For more information, see the repositories on [.noloc]`GitHub` at https://github.com/awslabs/amazon-eks-ami. -Amazon EKS optimized AL2 contains an optional bootstrap flag to enable the `containerd` runtime. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-ami-build-scripts%5D&type=code[Edit this page on GitHub] \ No newline at end of file +Amazon EKS optimized AL2 contains an optional bootstrap flag to enable the `containerd` runtime. \ No newline at end of file diff --git a/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc b/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc index ad61c8b9a..beaea4cba 100644 --- a/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc +++ b/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc @@ -12,7 +12,4 @@ This topic gives resources for Amazon EKS optimized [.noloc]`Bottlerocket` AMIs Each [.noloc]`Bottlerocket` AMI release includes various versions of https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/[kubelet], the [.noloc]`Bottlerocket` kernel, and https://containerd.io/[containerd]. Accelerated AMI variants also include various versions of the [.noloc]`NVIDIA` driver. You can find this version information in the https://bottlerocket.dev/en/os/[OS] topic of the _Bottlerocket Documentation_. From this page, navigate to the applicable _Version Information_ sub-topic. -The _Bottlerocket Documentation_ can sometimes lag behind the versions that are available on GitHub. You can find a list of changes for the latest versions in the https://github.com/bottlerocket-os/bottlerocket/releases[releases] on [.noloc]`GitHub`. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-ami-versions-bottlerocket%5D&type=code[Edit this page on GitHub] \ No newline at end of file +The _Bottlerocket Documentation_ can sometimes lag behind the versions that are available on GitHub. You can find a list of changes for the latest versions in the https://github.com/bottlerocket-os/bottlerocket/releases[releases] on [.noloc]`GitHub`. \ No newline at end of file diff --git a/latest/ug/nodes/eks-ami-versions-windows.adoc b/latest/ug/nodes/eks-ami-versions-windows.adoc index 8f0d4ad2c..bc333e3e2 100644 --- a/latest/ug/nodes/eks-ami-versions-windows.adoc +++ b/latest/ug/nodes/eks-ami-versions-windows.adoc @@ -4376,7 +4376,4 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.1.1` | |=== -==== - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-ami-versions-windows%5D&type=code[Edit this page on GitHub] \ No newline at end of file +==== \ No newline at end of file diff --git a/latest/ug/nodes/eks-compute.adoc b/latest/ug/nodes/eks-compute.adoc index bb3fce7fd..802670630 100644 --- a/latest/ug/nodes/eks-compute.adoc +++ b/latest/ug/nodes/eks-compute.adoc @@ -219,7 +219,4 @@ include::eks-optimized-amis.adoc[leveloffset=+1] include::node-health.adoc[leveloffset=+1] -include::hybrid-nodes-overview.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-compute%5D&type=code[Edit this page on GitHub] \ No newline at end of file +include::hybrid-nodes-overview.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/nodes/eks-custom-ami-windows.adoc b/latest/ug/nodes/eks-custom-ami-windows.adoc index 6d6723974..e85e55e5f 100644 --- a/latest/ug/nodes/eks-custom-ami-windows.adoc +++ b/latest/ug/nodes/eks-custom-ami-windows.adoc @@ -110,7 +110,4 @@ You can retrieve specific information regarding what is installed with each comp . (Optional) If you are using a recent version, sort the *Version* column in descending order by choosing it twice. . Choose the *`eks-optimized-ami-windows`* link with a desired version. -The *Description* in the resulting page shows the specific information. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-custom-ami-windows%5D&type=code[Edit this page on GitHub] \ No newline at end of file +The *Description* in the resulting page shows the specific information. \ No newline at end of file diff --git a/latest/ug/nodes/eks-linux-ami-versions.adoc b/latest/ug/nodes/eks-linux-ami-versions.adoc index 3d2e3e910..c8865f719 100644 --- a/latest/ug/nodes/eks-linux-ami-versions.adoc +++ b/latest/ug/nodes/eks-linux-ami-versions.adoc @@ -17,7 +17,4 @@ Amazon EKS optimized Amazon Linux AMIs are versioned by [.noloc]`Kubernetes` ver k8s_major_version.k8s_minor_version.k8s_patch_version-release_date ---- -Each AMI release includes various versions of https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/[kubelet], the [.noloc]`Linux` kernel, and https://containerd.io/[containerd]. The accelerated AMIs also include various versions of the [.noloc]`NVIDIA` driver. You can find this version information in the https://github.com/awslabs/amazon-eks-ami/blob/main/CHANGELOG.md[Changelog] on [.noloc]`GitHub`. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-linux-ami-versions%5D&type=code[Edit this page on GitHub] \ No newline at end of file +Each AMI release includes various versions of https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/[kubelet], the [.noloc]`Linux` kernel, and https://containerd.io/[containerd]. The accelerated AMIs also include various versions of the [.noloc]`NVIDIA` driver. You can find this version information in the https://github.com/awslabs/amazon-eks-ami/blob/main/CHANGELOG.md[Changelog] on [.noloc]`GitHub`. \ No newline at end of file diff --git a/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc b/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc index 6aaf24387..d028a97cf 100644 --- a/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc +++ b/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc @@ -59,7 +59,4 @@ include::eks-ami-versions-bottlerocket.adoc[leveloffset=+1] include::retrieve-ami-id-bottlerocket.adoc[leveloffset=+1] -include::bottlerocket-compliance-support.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-optimized-ami-bottlerocket%5D&type=code[Edit this page on GitHub] \ No newline at end of file +include::bottlerocket-compliance-support.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/nodes/eks-optimized-ami.adoc b/latest/ug/nodes/eks-optimized-ami.adoc index 3e1a5a42b..0cf98078d 100644 --- a/latest/ug/nodes/eks-optimized-ami.adoc +++ b/latest/ug/nodes/eks-optimized-ami.adoc @@ -80,7 +80,4 @@ For more information about using Amazon EKS optimized Amazon Linux AMIs, see the * To launch self-managed Amazon Linux nodes, see <>. * For version information, see <>. * To retrieve the latest IDs of the Amazon EKS optimized Amazon Linux AMIs, see <>. -* For open-source scripts that are used to build the Amazon EKS optimized AMIs, see <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-optimized-ami%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* For open-source scripts that are used to build the Amazon EKS optimized AMIs, see <>. \ No newline at end of file diff --git a/latest/ug/nodes/eks-optimized-amis.adoc b/latest/ug/nodes/eks-optimized-amis.adoc index adc41c21f..c61cdd245 100644 --- a/latest/ug/nodes/eks-optimized-amis.adoc +++ b/latest/ug/nodes/eks-optimized-amis.adoc @@ -27,7 +27,4 @@ include::eks-optimized-ami-bottlerocket.adoc[leveloffset=+1] include::eks-partner-amis.adoc[leveloffset=+1] -include::eks-optimized-windows-ami.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-optimized-amis%5D&type=code[Edit this page on GitHub] \ No newline at end of file +include::eks-optimized-windows-ami.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/nodes/eks-optimized-windows-ami.adoc b/latest/ug/nodes/eks-optimized-windows-ami.adoc index 5e7cc0dc5..90a4c0037 100644 --- a/latest/ug/nodes/eks-optimized-windows-ami.adoc +++ b/latest/ug/nodes/eks-optimized-windows-ami.adoc @@ -146,7 +146,4 @@ include::eks-ami-versions-windows.adoc[leveloffset=+1] include::retrieve-windows-ami-id.adoc[leveloffset=+1] -include::eks-custom-ami-windows.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-optimized-windows-ami%5D&type=code[Edit this page on GitHub] \ No newline at end of file +include::eks-custom-ami-windows.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/nodes/eks-partner-amis.adoc b/latest/ug/nodes/eks-partner-amis.adoc index fb568f5ca..33ba77023 100644 --- a/latest/ug/nodes/eks-partner-amis.adoc +++ b/latest/ug/nodes/eks-partner-amis.adoc @@ -12,7 +12,4 @@ Canonical has partnered with Amazon EKS to create node AMIs that you can use in Canonical has partnered with Amazon EKS to create node AMIs that you can use in your clusters. -https://www.canonical.com/[Canonical] delivers a built-for-purpose [.noloc]`Kubernetes` Node OS image. This minimized [.noloc]`Ubuntu` image is optimized for Amazon EKS and includes the custom {aws} kernel that is jointly developed with {aws}. For more information, see https://cloud-images.ubuntu.com/aws-eks/[Ubuntu on Amazon Elastic Kubernetes Service (EKS)] and <> . For information about support, see the link:premiumsupport/faqs/#Third-party_software[Third-party software,type="marketing"] section of the _{aws} Premium Support FAQs_. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-partner-amis%5D&type=code[Edit this page on GitHub] \ No newline at end of file +https://www.canonical.com/[Canonical] delivers a built-for-purpose [.noloc]`Kubernetes` Node OS image. This minimized [.noloc]`Ubuntu` image is optimized for Amazon EKS and includes the custom {aws} kernel that is jointly developed with {aws}. For more information, see https://cloud-images.ubuntu.com/aws-eks/[Ubuntu on Amazon Elastic Kubernetes Service (EKS)] and <> . For information about support, see the link:premiumsupport/faqs/#Third-party_software[Third-party software,type="marketing"] section of the _{aws} Premium Support FAQs_. \ No newline at end of file diff --git a/latest/ug/nodes/fargate-getting-started.adoc b/latest/ug/nodes/fargate-getting-started.adoc index 7173ce3f8..3d21919de 100644 --- a/latest/ug/nodes/fargate-getting-started.adoc +++ b/latest/ug/nodes/fargate-getting-started.adoc @@ -168,7 +168,4 @@ kubectl rollout restart -n kube-system deployment coredns ---- * Deploy the <> to allow Ingress objects for your [.noloc]`Pods` running on Fargate. * You can use the <> to set the initial correct size of CPU and memory for your Fargate [.noloc]`Pods`, and then use the <> to scale those [.noloc]`Pods`. If you want the Vertical Pod Autoscaler to automatically re-deploy [.noloc]`Pods` to Fargate with higher CPU and memory combinations, set the Vertical Pod Autoscaler's mode to either `Auto` or `Recreate`. This is to ensure correct functionality. For more information, see the https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler#quick-start[Vertical Pod Autoscaler] documentation on [.noloc]`GitHub`. -* You can set up the link:otel[{aws} Distro for OpenTelemetry,type="marketing"] (ADOT) collector for application monitoring by following link:AmazonCloudWatch/latest/monitoring/Container-Insights-EKS-otel.html[these instructions,type="documentation"]. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23fargate-getting-started%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* You can set up the link:otel[{aws} Distro for OpenTelemetry,type="marketing"] (ADOT) collector for application monitoring by following link:AmazonCloudWatch/latest/monitoring/Container-Insights-EKS-otel.html[these instructions,type="documentation"]. \ No newline at end of file diff --git a/latest/ug/nodes/fargate-logging.adoc b/latest/ug/nodes/fargate-logging.adoc index 243c4e6a5..4227b7630 100644 --- a/latest/ug/nodes/fargate-logging.adoc +++ b/latest/ug/nodes/fargate-logging.adoc @@ -415,7 +415,4 @@ Events: Warning LoggingDisabled fargate-scheduler Disabled logging because aws-logging configmap was not found. configmap "aws-logging" not found ---- -The [.noloc]`Pod` events are ephemeral with a time period depending on the settings. You can also view a [.noloc]`Pod's` annotations using `kubectl describe pod [.replaceable]``pod-name```. In the [.noloc]`Pod` annotation, there is information about whether the logging feature is enabled or disabled and the reason. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23fargate-logging%5D&type=code[Edit this page on GitHub] \ No newline at end of file +The [.noloc]`Pod` events are ephemeral with a time period depending on the settings. You can also view a [.noloc]`Pod's` annotations using `kubectl describe pod [.replaceable]``pod-name```. In the [.noloc]`Pod` annotation, there is information about whether the logging feature is enabled or disabled and the reason. \ No newline at end of file diff --git a/latest/ug/nodes/fargate-pod-configuration.adoc b/latest/ug/nodes/fargate-pod-configuration.adoc index 6470bfba4..b269bd6ee 100644 --- a/latest/ug/nodes/fargate-pod-configuration.adoc +++ b/latest/ug/nodes/fargate-pod-configuration.adoc @@ -104,7 +104,4 @@ The default usable storage for Amazon EKS [.noloc]`Pods` that run on Fargate is You can increase the total amount of ephemeral storage up to a maximum of 175 GiB. To configure the size with [.noloc]`Kubernetes`, specify the requests of `ephemeral-storage` resource to each container in a [.noloc]`Pod`. When [.noloc]`Kubernetes` schedules [.noloc]`Pods`, it ensures that the sum of the resource requests for each [.noloc]`Pod` is less than the capacity of the Fargate task. For more information, see https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/[Resource Management for Pods and Containers] in the [.noloc]`Kubernetes` documentation. -Amazon EKS Fargate provisions more ephemeral storage than requested for the purposes of system use. For example, a request of 100 GiB will provision a Fargate task with 115 GiB ephemeral storage. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23fargate-pod-configuration%5D&type=code[Edit this page on GitHub] \ No newline at end of file +Amazon EKS Fargate provisions more ephemeral storage than requested for the purposes of system use. For example, a request of 100 GiB will provision a Fargate task with 115 GiB ephemeral storage. \ No newline at end of file diff --git a/latest/ug/nodes/fargate-pod-patching.adoc b/latest/ug/nodes/fargate-pod-patching.adoc index ec6e54f5a..6dba9613f 100644 --- a/latest/ug/nodes/fargate-pod-patching.adoc +++ b/latest/ug/nodes/fargate-pod-patching.adoc @@ -71,7 +71,4 @@ You can create a desired action based on this event. For example, you can adjust A suitable target can be set for the event to capture it. For a complete list of available targets, see link:eventbridge/latest/userguide/eb-targets.html[Amazon EventBridge targets,type="documentation"] in the _Amazon EventBridge User Guide_. You can also create a notification configuration in {aws} User Notifications. When using the {aws-management-console} to create the notification, under *Event Rules*, choose *Elastic Kubernetes Service (EKS)* for *{aws} service name* and *EKS Fargate Pod Scheduled Termination* for *Event type*. For more information, see link:notifications/latest/userguide/getting-started.html[Getting started with {aws} User Notifications,type="documentation"] in the {aws} User Notifications User Guide. -See https://repost.aws/knowledge-center/fargate-pod-eviction-notice[FAQs: Fargate Pod eviction notice] in _{aws} re:Post_ for frequently asked questions regarding EKS Pod Evictions. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23fargate-pod-patching%5D&type=code[Edit this page on GitHub] \ No newline at end of file +See https://repost.aws/knowledge-center/fargate-pod-eviction-notice[FAQs: Fargate Pod eviction notice] in _{aws} re:Post_ for frequently asked questions regarding EKS Pod Evictions. \ No newline at end of file diff --git a/latest/ug/nodes/fargate-profile.adoc b/latest/ug/nodes/fargate-profile.adoc index f87d5225a..0b1cd0e8c 100644 --- a/latest/ug/nodes/fargate-profile.adoc +++ b/latest/ug/nodes/fargate-profile.adoc @@ -137,7 +137,4 @@ NOTE: Only private subnets are supported for [.noloc]`Pods` that are running on *** You can add the label `infrastructure: fargate` to the selector so that only [.noloc]`Pods` in the specified namespace that also have the `infrastructure: fargate` [.noloc]`Kubernetes` label match the selector. *** You can use certain wildcards (for example, `key?: value?`) to match multiple namespaces (for example, `keya: valuea` and `keyb: valueb`). For more information, see <>. .. Choose *Next*. -. On the *Review and create* page, review the information for your Fargate profile and choose *Create*. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23fargate-profile%5D&type=code[Edit this page on GitHub] \ No newline at end of file +. On the *Review and create* page, review the information for your Fargate profile and choose *Create*. \ No newline at end of file diff --git a/latest/ug/nodes/fargate.adoc b/latest/ug/nodes/fargate.adoc index e719e8802..e324dec8f 100644 --- a/latest/ug/nodes/fargate.adoc +++ b/latest/ug/nodes/fargate.adoc @@ -185,7 +185,4 @@ include::fargate-pod-patching.adoc[leveloffset=+1] include::monitoring-fargate-usage.adoc[leveloffset=+1] -include::fargate-logging.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23fargate%5D&type=code[Edit this page on GitHub] \ No newline at end of file +include::fargate-logging.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-add-ons.adoc b/latest/ug/nodes/hybrid-nodes-add-ons.adoc index ce2d35bda..beeb9c034 100644 --- a/latest/ug/nodes/hybrid-nodes-add-ons.adoc +++ b/latest/ug/nodes/hybrid-nodes-add-ons.adoc @@ -166,7 +166,4 @@ aws eks create-addon \ [#hybrid-nodes-add-ons-csi-snapshotter] == CSI snapshot controller add-on -Starting with version `v8.1.0-eksbuild.2`, the <> applies a soft anti-affinity rule for hybrid nodes, preferring the controller `deployment` to run on EC2 in the same {aws} Region as the Amazon EKS control plane. Co-locating the `deployment` in the same {aws} Region as the Amazon EKS control plane improves latency. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23hybrid-nodes-add-ons%5D&type=code[Edit this page on GitHub] \ No newline at end of file +Starting with version `v8.1.0-eksbuild.2`, the <> applies a soft anti-affinity rule for hybrid nodes, preferring the controller `deployment` to run on EC2 in the same {aws} Region as the Amazon EKS control plane. Co-locating the `deployment` in the same {aws} Region as the Amazon EKS control plane improves latency. \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc index 10dc0927a..e2db7d847 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc @@ -336,7 +336,4 @@ kubernetes ClusterIP 10.100.0.1 443/TCP 28h == Step 4: Cluster setup -As a next step, see <> to enable access for your hybrid nodes to join your cluster. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23hybrid-nodes-cluster-create%5D&type=code[Edit this page on GitHub] \ No newline at end of file +As a next step, see <> to enable access for your hybrid nodes to join your cluster. \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc b/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc index f016a461d..3fc165bf0 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc @@ -106,7 +106,4 @@ data: rolearn: HYBRID_NODES_ROLE_ARN username: system:node:{{SessionName}} EOF ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23hybrid-nodes-cluster-prep%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-cni.adoc b/latest/ug/nodes/hybrid-nodes-cni.adoc index 1bf0e9a53..56ab53791 100644 --- a/latest/ug/nodes/hybrid-nodes-cni.adoc +++ b/latest/ug/nodes/hybrid-nodes-cni.adoc @@ -523,7 +523,4 @@ kubectl get crds -oname | grep "calico" | xargs kubectl delete [source,bash,subs="verbatim,attributes"] ---- kubectl get crds -oname | grep "tigera" | xargs kubectl delete ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23hybrid-nodes-cni%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-creds.adoc b/latest/ug/nodes/hybrid-nodes-creds.adoc index 2418a3af8..39ca2978d 100644 --- a/latest/ug/nodes/hybrid-nodes-creds.adoc +++ b/latest/ug/nodes/hybrid-nodes-creds.adoc @@ -525,7 +525,4 @@ To use {aws} IAM Roles Anywhere, you must set up your {aws} IAM Roles Anywhere t . On the *Name, review, and create* page, do the following: .. For *Role name*, enter a unique name for your role, such as `AmazonEKSHybridNodesRole`. .. For *Description*, replace the current text with descriptive text such as `Amazon EKS - Hybrid Nodes role`. -.. Choose *Create role*. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23hybrid-nodes-creds%5D&type=code[Edit this page on GitHub] \ No newline at end of file +.. Choose *Create role*. \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-join.adoc b/latest/ug/nodes/hybrid-nodes-join.adoc index b3402ca45..a4764b29a 100644 --- a/latest/ug/nodes/hybrid-nodes-join.adoc +++ b/latest/ug/nodes/hybrid-nodes-join.adoc @@ -142,7 +142,4 @@ Your nodes will have status `Not Ready`, which is expected and is due to the lac == Step 4: Configure a CNI for hybrid nodes -To make your hybrid nodes ready to run applications, continue with the steps on <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23hybrid-nodes-join%5D&type=code[Edit this page on GitHub] \ No newline at end of file +To make your hybrid nodes ready to run applications, continue with the steps on <>. \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-networking.adoc b/latest/ug/nodes/hybrid-nodes-networking.adoc index 60ca65ec3..a8d632e9f 100644 --- a/latest/ug/nodes/hybrid-nodes-networking.adoc +++ b/latest/ug/nodes/hybrid-nodes-networking.adoc @@ -404,7 +404,4 @@ aws ec2 create-security-group \ aws ec2 authorize-security-group-ingress \ --group-id [.replaceable]`SG_ID` \ --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "REMOTE_NODE_CIDR"}, {"CidrIp": "REMOTE_POD_CIDR"}]}]' ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23hybrid-nodes-networking%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc index 108caf6ec..be3631e67 100644 --- a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc +++ b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc @@ -584,7 +584,4 @@ spec: ssm: activationCode: # SSM hybrid activation code activationId: # SSM hybrid activation id ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23hybrid-nodes-nodeadm%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-os.adoc b/latest/ug/nodes/hybrid-nodes-os.adoc index a3be78eeb..3951c5262 100644 --- a/latest/ug/nodes/hybrid-nodes-os.adoc +++ b/latest/ug/nodes/hybrid-nodes-os.adoc @@ -369,7 +369,4 @@ govc vm.change -dc="YOUR_DATASTORE" -vm "$NODE_NAME" -e guestinfo.metadata.encod [source,yaml,subs="verbatim,attributes,quotes"] ---- govc vm.power -on "${NODE_NAME}" ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23hybrid-nodes-os%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-overview.adoc b/latest/ug/nodes/hybrid-nodes-overview.adoc index d23845248..ab5c724fc 100644 --- a/latest/ug/nodes/hybrid-nodes-overview.adoc +++ b/latest/ug/nodes/hybrid-nodes-overview.adoc @@ -93,7 +93,4 @@ include::hybrid-nodes-proxy.adoc[leveloffset=+1] include::hybrid-nodes-nodeadm.adoc[leveloffset=+1] -include::hybrid-nodes-troubleshooting.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23hybrid-nodes-overview%5D&type=code[Edit this page on GitHub] \ No newline at end of file +include::hybrid-nodes-troubleshooting.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-prereqs.adoc b/latest/ug/nodes/hybrid-nodes-prereqs.adoc index fc3f32cc8..44358b5d9 100644 --- a/latest/ug/nodes/hybrid-nodes-prereqs.adoc +++ b/latest/ug/nodes/hybrid-nodes-prereqs.adoc @@ -141,7 +141,4 @@ include::hybrid-nodes-creds.adoc[leveloffset=+1] include::hybrid-nodes-cluster-create.adoc[leveloffset=+1] -include::hybrid-nodes-cluster-prep.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23hybrid-nodes-prereqs%5D&type=code[Edit this page on GitHub] \ No newline at end of file +include::hybrid-nodes-cluster-prep.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-proxy.adoc b/latest/ug/nodes/hybrid-nodes-proxy.adoc index 162693316..8eafb5112 100644 --- a/latest/ug/nodes/hybrid-nodes-proxy.adoc +++ b/latest/ug/nodes/hybrid-nodes-proxy.adoc @@ -142,7 +142,4 @@ containers: fieldRef: apiVersion: v1 fieldPath: spec.nodeName ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23hybrid-nodes-proxy%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-remove.adoc b/latest/ug/nodes/hybrid-nodes-remove.adoc index 8acacb6e2..14d0c1aa5 100644 --- a/latest/ug/nodes/hybrid-nodes-remove.adoc +++ b/latest/ug/nodes/hybrid-nodes-remove.adoc @@ -55,7 +55,4 @@ kubectl delete node ---- == Step 5: Check for remaining artifacts -Depending on your choice of CNI, there may be artifacts remaining on your hybrid nodes after running the above steps. See <> for more information. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23hybrid-nodes-remove%5D&type=code[Edit this page on GitHub] \ No newline at end of file +Depending on your choice of CNI, there may be artifacts remaining on your hybrid nodes after running the above steps. See <> for more information. \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc index cd12be2e1..2b3eb2c61 100644 --- a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc +++ b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc @@ -666,7 +666,4 @@ Run the following commands to install the dependency: ldd --version sudo apt update && apt install libc6 sudo apt install glibc-source ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23hybrid-nodes-troubleshooting%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-tutorial.adoc b/latest/ug/nodes/hybrid-nodes-tutorial.adoc index 521ba37c6..4c8d3125d 100644 --- a/latest/ug/nodes/hybrid-nodes-tutorial.adoc +++ b/latest/ug/nodes/hybrid-nodes-tutorial.adoc @@ -23,7 +23,4 @@ include::hybrid-nodes-join.adoc[leveloffset=+1] include::hybrid-nodes-upgrade.adoc[leveloffset=+1] -include::hybrid-nodes-remove.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23hybrid-nodes-tutorial%5D&type=code[Edit this page on GitHub] \ No newline at end of file +include::hybrid-nodes-remove.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-upgrade.adoc b/latest/ug/nodes/hybrid-nodes-upgrade.adoc index f544d18e3..38b98c589 100644 --- a/latest/ug/nodes/hybrid-nodes-upgrade.adoc +++ b/latest/ug/nodes/hybrid-nodes-upgrade.adoc @@ -151,6 +151,3 @@ kubectl uncordon NODE_NAME ---- kubectl get nodes -o -w ---- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23hybrid-nodes-upgrade%5D&type=code[Edit this page on GitHub] diff --git a/latest/ug/nodes/launch-node-bottlerocket.adoc b/latest/ug/nodes/launch-node-bottlerocket.adoc index 31f1a94e2..da8c7be6b 100644 --- a/latest/ug/nodes/launch-node-bottlerocket.adoc +++ b/latest/ug/nodes/launch-node-bottlerocket.adoc @@ -126,7 +126,4 @@ Add `--conntrack-max-per-core` and `--conntrack-min` to the `kube-proxy` argumen ** No [.noloc]`Pods` in the cluster require access to the Amazon EC2 instance metadata service (IMDS) for other reasons, such as retrieving the current {aws} Region. + -For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23launch-node-bottlerocket%5D&type=code[Edit this page on GitHub] \ No newline at end of file +For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. \ No newline at end of file diff --git a/latest/ug/nodes/launch-node-ubuntu.adoc b/latest/ug/nodes/launch-node-ubuntu.adoc index fb085720e..5a1157026 100644 --- a/latest/ug/nodes/launch-node-ubuntu.adoc +++ b/latest/ug/nodes/launch-node-ubuntu.adoc @@ -99,7 +99,4 @@ Several lines are output while the nodes are created. One of the last lines of o ** No [.noloc]`Pods` in the cluster require access to the Amazon EC2 instance metadata service (IMDS) for other reasons, such as retrieving the current {aws} Region. + -For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23launch-node-ubuntu%5D&type=code[Edit this page on GitHub] \ No newline at end of file +For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. \ No newline at end of file diff --git a/latest/ug/nodes/launch-templates.adoc b/latest/ug/nodes/launch-templates.adoc index 8ed8c54f6..6c071b5e1 100644 --- a/latest/ug/nodes/launch-templates.adoc +++ b/latest/ug/nodes/launch-templates.adoc @@ -462,7 +462,4 @@ kubectl edit -n kube-system cm aws-auth ---- - eks:kube-proxy-windows ---- -.. Save the file and exit your text editor. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23launch-templates%5D&type=code[Edit this page on GitHub] \ No newline at end of file +.. Save the file and exit your text editor. \ No newline at end of file diff --git a/latest/ug/nodes/launch-windows-workers.adoc b/latest/ug/nodes/launch-windows-workers.adoc index 2acceda2d..21c3a7f57 100644 --- a/latest/ug/nodes/launch-windows-workers.adoc +++ b/latest/ug/nodes/launch-windows-workers.adoc @@ -245,7 +245,4 @@ If nodes fail to join the cluster, then see <> in the Troubles ** No [.noloc]`Pods` in the cluster require access to the Amazon EC2 instance metadata service (IMDS) for other reasons, such as retrieving the current {aws} Region. + -For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23launch-windows-workers%5D&type=code[Edit this page on GitHub] \ No newline at end of file +For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. \ No newline at end of file diff --git a/latest/ug/nodes/launch-workers.adoc b/latest/ug/nodes/launch-workers.adoc index 69e296ef5..57d1229c4 100644 --- a/latest/ug/nodes/launch-workers.adoc +++ b/latest/ug/nodes/launch-workers.adoc @@ -242,7 +242,4 @@ kubectl apply -f https://raw.githubusercontent.com/NVIDIA/k8s-device-plugin/vX.X ** No [.noloc]`Pods` in the cluster require access to the Amazon EC2 instance metadata service (IMDS) for other reasons, such as retrieving the current {aws} Region. + -For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23launch-workers%5D&type=code[Edit this page on GitHub] \ No newline at end of file +For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. \ No newline at end of file diff --git a/latest/ug/nodes/learn-status-conditions.adoc b/latest/ug/nodes/learn-status-conditions.adoc index 192ae6607..14974dde6 100644 --- a/latest/ug/nodes/learn-status-conditions.adoc +++ b/latest/ug/nodes/learn-status-conditions.adoc @@ -123,7 +123,4 @@ kubectl get nodes -w # Get node metrics kubectl top node ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23learn-status-conditions%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/nodes/managed-node-groups.adoc b/latest/ug/nodes/managed-node-groups.adoc index 1e5b621d9..08f8e3310 100644 --- a/latest/ug/nodes/managed-node-groups.adoc +++ b/latest/ug/nodes/managed-node-groups.adoc @@ -122,7 +122,4 @@ When deciding whether to deploy a node group with On-Demand or Spot capacity, yo + ** Within a managed node group, if you're using the https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaler], we recommend using a flexible set of instance types with the same amount of vCPU and memory resources. This is to ensure that the nodes in your cluster scale as expected. For example, if you need four vCPUs and eight GiB memory, use `c3.xlarge`, `c4.xlarge`, `c5.xlarge`, `c5d.xlarge`, `c5a.xlarge`, `c5n.xlarge`, or other similar instance types. ** To enhance application availability, we recommend deploying multiple Spot managed node groups. For this, each group should use a flexible set of instance types that have the same vCPU and memory resources. For example, if you need 4 vCPUs and 8 GiB memory, we recommend that you create one managed node group with `c3.xlarge`, `c4.xlarge`, `c5.xlarge`, `c5d.xlarge`, `c5a.xlarge`, `c5n.xlarge`, or other similar instance types, and a second managed node group with `m3.xlarge`, `m4.xlarge`, `m5.xlarge`, `m5d.xlarge`, `m5a.xlarge`, `m5n.xlarge` or other similar instance types. -** When deploying your node group with the Spot capacity type that's using a custom launch template, use the API to pass multiple instance types. Don't pass a single instance type through the launch template. For more information about deploying a node group using a launch template, see <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23managed-node-groups%5D&type=code[Edit this page on GitHub] \ No newline at end of file +** When deploying your node group with the Spot capacity type that's using a custom launch template, use the API to pass multiple instance types. Don't pass a single instance type through the launch template. For more information about deploying a node group using a launch template, see <>. \ No newline at end of file diff --git a/latest/ug/nodes/managed-node-update-behavior.adoc b/latest/ug/nodes/managed-node-update-behavior.adoc index 9dbbd5314..025850cd0 100644 --- a/latest/ug/nodes/managed-node-update-behavior.adoc +++ b/latest/ug/nodes/managed-node-update-behavior.adoc @@ -115,7 +115,4 @@ Once every [.noloc]`Pod` is evicted, it's expected for the node to be empty beca The scale down phase decrements the Auto Scaling group maximum size and desired size by one to return to values before the update started. -If the Upgrade workflow determines that the Cluster Autoscaler is scaling up the node group during the scale down phase of the workflow, it exits immediately without bringing the node group back to its original size. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23managed-node-update-behavior%5D&type=code[Edit this page on GitHub] \ No newline at end of file +If the Upgrade workflow determines that the Cluster Autoscaler is scaling up the node group during the scale down phase of the workflow, it exits immediately without bringing the node group back to its original size. \ No newline at end of file diff --git a/latest/ug/nodes/migrate-stack.adoc b/latest/ug/nodes/migrate-stack.adoc index f8fbe02a4..3ab484ea0 100644 --- a/latest/ug/nodes/migrate-stack.adoc +++ b/latest/ug/nodes/migrate-stack.adoc @@ -301,7 +301,4 @@ kubectl scale deployments/cluster-autoscaler --replicas=1 -n kube-system [source,bash,subs="verbatim,attributes"] ---- kubectl scale deployments/kube-dns --replicas=1 -n kube-system ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23migrate-stack%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/nodes/monitoring-fargate-usage.adoc b/latest/ug/nodes/monitoring-fargate-usage.adoc index cc90b6e79..9306e5358 100644 --- a/latest/ug/nodes/monitoring-fargate-usage.adoc +++ b/latest/ug/nodes/monitoring-fargate-usage.adoc @@ -78,7 +78,4 @@ Use the following steps to create a CloudWatch alarm based on the Fargate resour . In the *Service quotas* list, choose the Fargate usage quota you want to create an alarm for. . In the Amazon CloudWatch alarms section, choose *Create*. . For *Alarm threshold*, choose the percentage of your applied quota value that you want to set as the alarm value. -. For *Alarm name*, enter a name for the alarm and then choose *Create*. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23monitoring-fargate-usage%5D&type=code[Edit this page on GitHub] \ No newline at end of file +. For *Alarm name*, enter a name for the alarm and then choose *Create*. \ No newline at end of file diff --git a/latest/ug/nodes/node-health.adoc b/latest/ug/nodes/node-health.adoc index 4ecaf03e6..2495750d3 100644 --- a/latest/ug/nodes/node-health.adoc +++ b/latest/ug/nodes/node-health.adoc @@ -390,7 +390,4 @@ If auto repair is enabled, the repair actions that are listed start 10 minutes a |Event |Kubelet is reporting slow disk usage while trying to access the filesystem, potentially indicating insufficient disk input-output or filesystem issues. -|=== - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23node-health%5D&type=code[Edit this page on GitHub] \ No newline at end of file +|=== \ No newline at end of file diff --git a/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc b/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc index 679a84153..e9ea22b7c 100644 --- a/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc +++ b/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc @@ -46,7 +46,4 @@ An example output is as follows. [source,bash,subs="verbatim,attributes,quotes"] ---- ami-[.replaceable]`1234567890abcdef0` ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23retrieve-ami-id-bottlerocket%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/nodes/retrieve-ami-id.adoc b/latest/ug/nodes/retrieve-ami-id.adoc index 604495892..351d7216a 100644 --- a/latest/ug/nodes/retrieve-ami-id.adoc +++ b/latest/ug/nodes/retrieve-ami-id.adoc @@ -45,7 +45,4 @@ An example output is as follows. [source,bash,subs="verbatim,attributes,quotes"] ---- ami-[.replaceable]`1234567890abcdef0` ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23retrieve-ami-id%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/nodes/retrieve-windows-ami-id.adoc b/latest/ug/nodes/retrieve-windows-ami-id.adoc index c5d0eaa43..cf6544a02 100644 --- a/latest/ug/nodes/retrieve-windows-ami-id.adoc +++ b/latest/ug/nodes/retrieve-windows-ami-id.adoc @@ -44,7 +44,4 @@ An example output is as follows. [source,bash,subs="verbatim,attributes,quotes"] ---- ami-[.replaceable]`1234567890abcdef0` ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23retrieve-windows-ami-id%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/nodes/self-managed-windows-server-2022.adoc b/latest/ug/nodes/self-managed-windows-server-2022.adoc index 3a9340183..019eaeae3 100644 --- a/latest/ug/nodes/self-managed-windows-server-2022.adoc +++ b/latest/ug/nodes/self-managed-windows-server-2022.adoc @@ -47,7 +47,4 @@ The node groups can then be created using the following command. [source,bash,subs="verbatim,attributes"] ---- eksctl create cluster -f test-windows-2022.yaml ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23self-managed-windows-server-2022%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/nodes/update-managed-node-group.adoc b/latest/ug/nodes/update-managed-node-group.adoc index 240a3ee13..820c88d65 100644 --- a/latest/ug/nodes/update-managed-node-group.adoc +++ b/latest/ug/nodes/update-managed-node-group.adoc @@ -124,7 +124,4 @@ You can modify some of the configurations of a managed node group. IMPORTANT: When updating the node group configuration, modifying the link:eks/latest/APIReference/API_NodegroupScalingConfig.html[`NodegroupScalingConfig`,type="documentation"] does not respect [.noloc]`Pod` disruption budgets (PDBs). Unlike the <> process (which drains nodes and respects PDBs during the upgrade phase), updating the scaling configuration causes nodes to be terminated immediately through an Auto Scaling Group (ASG) scale-down call. This happens without considering PDBs, regardless of the target size you're scaling down to. -That means when you reduce the `desiredSize` of an Amazon EKS managed node group, [.noloc]`Pods` are evicted as soon as the nodes are terminated, without honoring any PDBs. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23update-managed-node-group%5D&type=code[Edit this page on GitHub] \ No newline at end of file +That means when you reduce the `desiredSize` of an Amazon EKS managed node group, [.noloc]`Pods` are evicted as soon as the nodes are terminated, without honoring any PDBs. \ No newline at end of file diff --git a/latest/ug/nodes/update-stack.adoc b/latest/ug/nodes/update-stack.adoc index 68f9975e3..7b39d3b53 100644 --- a/latest/ug/nodes/update-stack.adoc +++ b/latest/ug/nodes/update-stack.adoc @@ -105,7 +105,4 @@ kubectl scale deployments/kube-dns --replicas=1 -n kube-system ---- kubectl scale deployments/cluster-autoscaler --replicas=1 -n kube-system ---- -. (Optional) Verify that you're using the latest version of the https://github.com/aws/amazon-vpc-cni-k8s[Amazon VPC CNI plugin for Kubernetes]. You might need to update your [.noloc]`Amazon VPC CNI plugin for Kubernetes` version to use the latest supported instance types. For more information, see <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23update-stack%5D&type=code[Edit this page on GitHub] \ No newline at end of file +. (Optional) Verify that you're using the latest version of the https://github.com/aws/amazon-vpc-cni-k8s[Amazon VPC CNI plugin for Kubernetes]. You might need to update your [.noloc]`Amazon VPC CNI plugin for Kubernetes` version to use the latest supported instance types. For more information, see <>. \ No newline at end of file diff --git a/latest/ug/nodes/update-workers.adoc b/latest/ug/nodes/update-workers.adoc index 57f0e975c..4cf8b0c8e 100644 --- a/latest/ug/nodes/update-workers.adoc +++ b/latest/ug/nodes/update-workers.adoc @@ -29,7 +29,4 @@ Update the {aws} CloudFormation stack for an existing node group to use the new include::migrate-stack.adoc[leveloffset=+1] -include::update-stack.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23update-workers%5D&type=code[Edit this page on GitHub] \ No newline at end of file +include::update-stack.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/nodes/worker.adoc b/latest/ug/nodes/worker.adoc index a689baf43..0ce278c28 100644 --- a/latest/ug/nodes/worker.adoc +++ b/latest/ug/nodes/worker.adoc @@ -32,7 +32,4 @@ If you restrict access to the public endpoint of your cluster using CIDR blocks, To add self-managed nodes to your Amazon EKS cluster, see the topics that follow. If you launch self-managed nodes manually, add the following tag to each node. For more information, see link:AWSEC2/latest/UserGuide/Using_Tags.html#adding-or-deleting-tags[Adding and deleting tags on an individual resource,type="documentation"]. If you follow the steps in the guides that follow, the required tag is automatically added to nodes for you. [.topiclist] -[[Topic List]] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23worker%5D&type=code[Edit this page on GitHub] \ No newline at end of file +[[Topic List]] \ No newline at end of file diff --git a/latest/ug/observability/cloudwatch.adoc b/latest/ug/observability/cloudwatch.adoc index 8035a790c..172325a64 100644 --- a/latest/ug/observability/cloudwatch.adoc +++ b/latest/ug/observability/cloudwatch.adoc @@ -265,7 +265,4 @@ The topics below describe how to get started using CloudWatch Observability Oper * For instructions on installing this add-on, see link:AmazonCloudWatch/latest/monitoring/install-CloudWatch-Observability-EKS-addon.html[Install the CloudWatch agent with the Amazon CloudWatch Observability EKS add-on or the Helm chart,type="documentation"] in the _Amazon CloudWatch User Guide_. * For more information about CloudWatch Application Signals, see link:AmazonCloudWatch/latest/monitoring/CloudWatch-Application-Monitoring-Sections.html[Application Signals,type="documentation"] in the _Amazon CloudWatch User Guide_. -* For more information about Container Insights, see link:AmazonCloudWatch/latest/monitoring/ContainerInsights.html[Using Container Insights,type="documentation"] in the _Amazon CloudWatch User Guide_. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cloudwatch%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* For more information about Container Insights, see link:AmazonCloudWatch/latest/monitoring/ContainerInsights.html[Using Container Insights,type="documentation"] in the _Amazon CloudWatch User Guide_. \ No newline at end of file diff --git a/latest/ug/observability/control-plane-logs.adoc b/latest/ug/observability/control-plane-logs.adoc index 27f753eb7..b2c098e48 100644 --- a/latest/ug/observability/control-plane-logs.adoc +++ b/latest/ug/observability/control-plane-logs.adoc @@ -156,7 +156,4 @@ For example, you should see the initial API server flags for the cluster when vi + NOTE: If you don't see the API server logs at the beginning of the log stream, then it is likely that the API server log file was rotated on the server before you enabled API server logging on the server. Any log files that are rotated before API server logging is enabled can't be exported to CloudWatch. -However, you can create a new cluster with the same [.noloc]`Kubernetes` version and enable the API server logging when you create the cluster. Clusters with the same platform version have the same flags enabled, so your flags should match the new cluster's flags. When you finish viewing the flags for the new cluster in CloudWatch, you can delete the new cluster. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23control-plane-logs%5D&type=code[Edit this page on GitHub] \ No newline at end of file +However, you can create a new cluster with the same [.noloc]`Kubernetes` version and enable the API server logging when you create the cluster. Clusters with the same platform version have the same flags enabled, so your flags should match the new cluster's flags. When you finish viewing the flags for the new cluster in CloudWatch, you can delete the new cluster. \ No newline at end of file diff --git a/latest/ug/observability/deploy-prometheus.adoc b/latest/ug/observability/deploy-prometheus.adoc index cc3430bfa..2f0c6f149 100644 --- a/latest/ug/observability/deploy-prometheus.adoc +++ b/latest/ug/observability/deploy-prometheus.adoc @@ -74,7 +74,4 @@ image::images/prometheus-metric.png[Prometheus metrics,scaledwidth=100%] + image::images/prometheus.png[Prometheus console,scaledwidth=100%] + -All of the [.noloc]`Kubernetes` endpoints that are connected to [.noloc]`Prometheus` using service discovery are displayed. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23deploy-prometheus%5D&type=code[Edit this page on GitHub] \ No newline at end of file +All of the [.noloc]`Kubernetes` endpoints that are connected to [.noloc]`Prometheus` using service discovery are displayed. \ No newline at end of file diff --git a/latest/ug/observability/eks-observe.adoc b/latest/ug/observability/eks-observe.adoc index db6a4a739..4605e1639 100644 --- a/latest/ug/observability/eks-observe.adoc +++ b/latest/ug/observability/eks-observe.adoc @@ -161,7 +161,4 @@ include::control-plane-logs.adoc[leveloffset=+1] include::logging-using-cloudtrail.adoc[leveloffset=+1] -include::opentelemetry.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-observe%5D&type=code[Edit this page on GitHub] \ No newline at end of file +include::opentelemetry.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/observability/enable-asg-metrics.adoc b/latest/ug/observability/enable-asg-metrics.adoc index ffaeb8b3c..c9aaec5a0 100644 --- a/latest/ug/observability/enable-asg-metrics.adoc +++ b/latest/ug/observability/enable-asg-metrics.adoc @@ -14,7 +14,4 @@ Amazon EKS managed node groups have Amazon EC2 Auto Scaling group metrics enable With Auto Scaling group metrics collection, you're able to monitor the scaling of managed node groups. Auto Scaling group metrics report the minimum, maximum, and desired size of an Auto Scaling group. You can create an alarm if the number of nodes in a node group falls below the minimum size, which would indicate an unhealthy node group. Tracking node group size is also useful in adjusting the maximum count so that your data plane doesn't run out of capacity. -If you would prefer to not have these metrics collected, you can choose to disable all or only some of them. For example, you can do this to avoid noise in your CloudWatch dashboards. For more information, see link:autoscaling/ec2/userguide/ec2-auto-scaling-cloudwatch-monitoring.html[Amazon CloudWatch metrics for Amazon EC2 Auto Scaling,type="documentation"]. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23enable-asg-metrics%5D&type=code[Edit this page on GitHub] \ No newline at end of file +If you would prefer to not have these metrics collected, you can choose to disable all or only some of them. For example, you can do this to avoid noise in your CloudWatch dashboards. For more information, see link:autoscaling/ec2/userguide/ec2-auto-scaling-cloudwatch-monitoring.html[Amazon CloudWatch metrics for Amazon EC2 Auto Scaling,type="documentation"]. \ No newline at end of file diff --git a/latest/ug/observability/logging-using-cloudtrail.adoc b/latest/ug/observability/logging-using-cloudtrail.adoc index cca499f23..b4b45b6db 100644 --- a/latest/ug/observability/logging-using-cloudtrail.adoc +++ b/latest/ug/observability/logging-using-cloudtrail.adoc @@ -25,7 +25,4 @@ include::service-name-info-in-cloudtrail.adoc[leveloffset=+1] include::understanding-service-name-entries.adoc[leveloffset=+1] -include::enable-asg-metrics.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23logging-using-cloudtrail%5D&type=code[Edit this page on GitHub] \ No newline at end of file +include::enable-asg-metrics.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/observability/observability-dashboard.adoc b/latest/ug/observability/observability-dashboard.adoc index fbcf13752..7e9f23ce6 100644 --- a/latest/ug/observability/observability-dashboard.adoc +++ b/latest/ug/observability/observability-dashboard.adoc @@ -116,7 +116,4 @@ The Amazon EKS node monitoring agent automatically reads node logs to detect hea When you refresh the page, any resolved issues will disappear from the list. If auto repair is enabled, you could temporarily see some health issues that will be resolved without action from you. Issues that are not supported by auto repair may require manual action from you depending on the type. -For node health issues to be reported, your cluster must use Amazon EKS Auto Mode or have the node monitoring agent add-on. For more information, see <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23observability-dashboard%5D&type=code[Edit this page on GitHub] \ No newline at end of file +For node health issues to be reported, your cluster must use Amazon EKS Auto Mode or have the node monitoring agent add-on. For more information, see <>. \ No newline at end of file diff --git a/latest/ug/observability/opentelemetry.adoc b/latest/ug/observability/opentelemetry.adoc index bc11fa2bf..ac678f3ae 100644 --- a/latest/ug/observability/opentelemetry.adoc +++ b/latest/ug/observability/opentelemetry.adoc @@ -13,7 +13,4 @@ The {aws} Distro for OpenTelemetry (ADOT) Operator makes it easier to enable you Amazon EKS supports using the {aws-management-console}, {aws} CLI and Amazon EKS API to install and manage the https://aws-otel.github.io/[{aws} Distro for OpenTelemetry (ADOT)] Operator. This makes it easier to enable your applications running on Amazon EKS to send metric and trace data to multiple monitoring service options like link:cloudwatch[Amazon CloudWatch,type="console"], link:prometheus[Prometheus,type="console"], and link:xray[X-Ray,type="console"]. -For more information, see https://aws-otel.github.io/docs/getting-started/adot-eks-add-on[Getting Started with {aws} Distro for OpenTelemetry using EKS Add-Ons] in the {aws} Distro for [.noloc]`OpenTelemetry` documentation. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23opentelemetry%5D&type=code[Edit this page on GitHub] \ No newline at end of file +For more information, see https://aws-otel.github.io/docs/getting-started/adot-eks-add-on[Getting Started with {aws} Distro for OpenTelemetry using EKS Add-Ons] in the {aws} Distro for [.noloc]`OpenTelemetry` documentation. \ No newline at end of file diff --git a/latest/ug/observability/prometheus.adoc b/latest/ug/observability/prometheus.adoc index 6851badaf..186310952 100644 --- a/latest/ug/observability/prometheus.adoc +++ b/latest/ug/observability/prometheus.adoc @@ -85,7 +85,4 @@ To see more details about a scraper, choose the scraper ID link. For example, yo include::deploy-prometheus.adoc[leveloffset=+1] -include::view-raw-metrics.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23prometheus%5D&type=code[Edit this page on GitHub] \ No newline at end of file +include::view-raw-metrics.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/observability/service-name-info-in-cloudtrail.adoc b/latest/ug/observability/service-name-info-in-cloudtrail.adoc index b914e0445..402ac3732 100644 --- a/latest/ug/observability/service-name-info-in-cloudtrail.adoc +++ b/latest/ug/observability/service-name-info-in-cloudtrail.adoc @@ -22,7 +22,4 @@ All Amazon EKS actions are logged by CloudTrail and are documented in the link:e Every event or log entry contains information about the type of IAM identity that made the request, and which credentials were used. If temporary credentials were used, the entry shows how the credentials were obtained. -For more information, see the link:awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html[CloudTrail userIdentity element,type="documentation"]. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23service-name-info-in-cloudtrail%5D&type=code[Edit this page on GitHub] \ No newline at end of file +For more information, see the link:awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html[CloudTrail userIdentity element,type="documentation"]. \ No newline at end of file diff --git a/latest/ug/observability/understanding-service-name-entries.adoc b/latest/ug/observability/understanding-service-name-entries.adoc index 6b4e2fd3c..6d4b5ff57 100644 --- a/latest/ug/observability/understanding-service-name-entries.adoc +++ b/latest/ug/observability/understanding-service-name-entries.adoc @@ -117,7 +117,4 @@ The following example shows a CloudTrail log entry that demonstrates a link:IAM/ "eventType": "AwsApiCall", "recipientAccountId": "111122223333" } ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23understanding-service-name-entries%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/observability/view-raw-metrics.adoc b/latest/ug/observability/view-raw-metrics.adoc index 9e8763117..4aeb48020 100644 --- a/latest/ug/observability/view-raw-metrics.adoc +++ b/latest/ug/observability/view-raw-metrics.adoc @@ -333,7 +333,4 @@ Then you can view the [.noloc]`Prometheus` dashboard by proxying the port of the kubectl port-forward pods/prom-pod 9090:9090 ---- -For your Amazon EKS cluster, the core Kubernetes control plane metrics are also ingested into Amazon CloudWatch Metrics under the `AWS/EKS` namespace. To view them, open the link:cloudwatch/home#logs:prefix=/aws/eks[CloudWatch console,type="console"] and select *All metrics* from the left navigation pane. On the *Metrics* selection page, choose the `AWS/EKS` namespace and a metrics dimension for your cluster. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23view-raw-metrics%5D&type=code[Edit this page on GitHub] \ No newline at end of file +For your Amazon EKS cluster, the core Kubernetes control plane metrics are also ingested into Amazon CloudWatch Metrics under the `AWS/EKS` namespace. To view them, open the link:cloudwatch/home#logs:prefix=/aws/eks[CloudWatch console,type="console"] and select *All metrics* from the left navigation pane. On the *Metrics* selection page, choose the `AWS/EKS` namespace and a metrics dimension for your cluster. \ No newline at end of file diff --git a/latest/ug/outposts/eks-outposts-capacity-considerations.adoc b/latest/ug/outposts/eks-outposts-capacity-considerations.adoc index eeb850789..71bb9b3cf 100644 --- a/latest/ug/outposts/eks-outposts-capacity-considerations.adoc +++ b/latest/ug/outposts/eks-outposts-capacity-considerations.adoc @@ -63,7 +63,4 @@ You are responsible for creating the desired placement group. You specify the pl * When a placement group is specified, there must be available slotted capacity on your Outpost to successfully create a local Amazon EKS cluster. The capacity varies based on whether you use the host or rack spread type. If there isn't enough capacity, the cluster remains in the `Creating` state. You are able to check the `Insufficient Capacity Error` on the health field of the link:eks/latest/APIReference/API_DescribeCluster.html[DescribeCluster,type="documentation"] API response. You must free capacity for the creation process to progress. * During Amazon EKS local cluster platform and version updates, the [.noloc]`Kubernetes` control plane instances from your cluster are replaced by new instances using a rolling update strategy. During this replacement process, each control plane instance is terminated, freeing up its respective slot. A new updated instance is provisioned in its place. The updated instance might be placed in the slot that was released. If the slot is consumed by another unrelated instance and there is no more capacity left that respects the required spread topology requirement, then the cluster remains in the `Updating` state. You are able to see the respective `Insufficient Capacity Error` on the health field of the link:eks/latest/APIReference/API_DescribeCluster.html[DescribeCluster,type="documentation"] API response. You must free capacity so the update process can progress and reestablish prior high availability levels. -* You can create a maximum of 500 placement groups per account in each {aws} Region. For more information, see link:AWSEC2/latest/UserGuide/placement-groups.html#placement-groups-limitations-general[General rules and limitations,type="documentation"] in the Amazon EC2 User Guide. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-outposts-capacity-considerations%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* You can create a maximum of 500 placement groups per account in each {aws} Region. For more information, see link:AWSEC2/latest/UserGuide/placement-groups.html#placement-groups-limitations-general[General rules and limitations,type="documentation"] in the Amazon EC2 User Guide. \ No newline at end of file diff --git a/latest/ug/outposts/eks-outposts-local-cluster-create.adoc b/latest/ug/outposts/eks-outposts-local-cluster-create.adoc index fcfe8c5d2..8fb28d715 100644 --- a/latest/ug/outposts/eks-outposts-local-cluster-create.adoc +++ b/latest/ug/outposts/eks-outposts-local-cluster-create.adoc @@ -265,7 +265,4 @@ Recommended next steps: * <> * Familiarize yourself with what happens during <>. * <> -* Consider setting up a backup plan for your `etcd`. Amazon EKS doesn't support automated backup and restore of `etcd` for local clusters. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/#backing-up-an-etcd-cluster[Backing up an etcd cluster] in the [.noloc]`Kubernetes` documentation. The two main options are using `etcdctl` to automate taking snapshots or using Amazon EBS storage volume backup. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-outposts-local-cluster-create%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* Consider setting up a backup plan for your `etcd`. Amazon EKS doesn't support automated backup and restore of `etcd` for local clusters. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/#backing-up-an-etcd-cluster[Backing up an etcd cluster] in the [.noloc]`Kubernetes` documentation. The two main options are using `etcdctl` to automate taking snapshots or using Amazon EBS storage volume backup. \ No newline at end of file diff --git a/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc b/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc index 79bd547c8..665424c14 100644 --- a/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc +++ b/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc @@ -36,7 +36,4 @@ Local clusters are generally available for use with Outposts racks. You can create local clusters in the following {aws} Regions: US East (Ohio), US East (N. Virginia), US West (N. California), US West (Oregon), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), Europe (Frankfurt), Europe (Ireland), Europe (London), Middle East (Bahrain), and South America (São Paulo). For detailed information about supported features, see <>. [.topiclist] -[[Topic List]] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-outposts-local-cluster-overview%5D&type=code[Edit this page on GitHub] \ No newline at end of file +[[Topic List]] \ No newline at end of file diff --git a/latest/ug/outposts/eks-outposts-network-disconnects.adoc b/latest/ug/outposts/eks-outposts-network-disconnects.adoc index f832f7d59..20c112d53 100644 --- a/latest/ug/outposts/eks-outposts-network-disconnects.adoc +++ b/latest/ug/outposts/eks-outposts-network-disconnects.adoc @@ -177,7 +177,4 @@ kubectl config use-context admin@my-cluster --kubeconfig admin.kubeconfig ---- + -If you notice any issues with your local clusters while they're in a disconnected state, we recommend opening a support ticket. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-outposts-network-disconnects%5D&type=code[Edit this page on GitHub] \ No newline at end of file +If you notice any issues with your local clusters while they're in a disconnected state, we recommend opening a support ticket. \ No newline at end of file diff --git a/latest/ug/outposts/eks-outposts-platform-versions.adoc b/latest/ug/outposts/eks-outposts-platform-versions.adoc index 03034c122..873f80acd 100644 --- a/latest/ug/outposts/eks-outposts-platform-versions.adoc +++ b/latest/ug/outposts/eks-outposts-platform-versions.adoc @@ -225,7 +225,4 @@ The following admission controllers are enabled for all `1.27` platform versions |`eks-local-outposts.1` |Initial release of Kubernetes version `1.27` for local Amazon EKS clusters on Outposts. |May 30, 2023 -|=== - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-outposts-platform-versions%5D&type=code[Edit this page on GitHub] \ No newline at end of file +|=== \ No newline at end of file diff --git a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc index c729f97ef..9cfa2046d 100644 --- a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc +++ b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc @@ -232,7 +232,4 @@ kubectl apply -f https://raw.githubusercontent.com/NVIDIA/k8s-device-plugin/vX.X *Step3: Additional actions* . (Optional) Deploy a <> to test your cluster and [.noloc]`Linux` nodes. -. If your cluster is deployed on an Outpost, then skip this step. If your cluster is deployed on the {aws} Cloud, the following information is optional. If the *AmazonEKS_CNI_Policy* managed IAM policy is attached to your <>, we recommend assigning it to an IAM role that you associate to the [.noloc]`Kubernetes` `aws-node` service account instead. For more information, see <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-outposts-self-managed-nodes%5D&type=code[Edit this page on GitHub] \ No newline at end of file +. If your cluster is deployed on an Outpost, then skip this step. If your cluster is deployed on the {aws} Cloud, the following information is optional. If the *AmazonEKS_CNI_Policy* managed IAM policy is attached to your <>, we recommend assigning it to an IAM role that you associate to the [.noloc]`Kubernetes` `aws-node` service account instead. For more information, see <>. \ No newline at end of file diff --git a/latest/ug/outposts/eks-outposts-troubleshooting.adoc b/latest/ug/outposts/eks-outposts-troubleshooting.adoc index 31fb7b101..b0ea37462 100644 --- a/latest/ug/outposts/eks-outposts-troubleshooting.adoc +++ b/latest/ug/outposts/eks-outposts-troubleshooting.adoc @@ -307,7 +307,4 @@ Amazon EKS control plane instances are not reachable through SSM. Please verify ---- To resolve this issue, make sure that your VPC and subnets meet the requirements in <> and that you completed the steps in link:systems-manager/latest/userguide/session-manager-getting-started.html[Setting up Session Manager,type="documentation"] in the {aws} Systems Manager User Guide. -==== - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-outposts-troubleshooting%5D&type=code[Edit this page on GitHub] \ No newline at end of file +==== \ No newline at end of file diff --git a/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc b/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc index d229da00b..483b71606 100644 --- a/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc +++ b/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc @@ -108,7 +108,4 @@ You can create a VPC that meets the previous requirements using one of the follo * *https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2022-09-20/amazon-eks-local-outposts-vpc-subnet.yaml[Template 1]* – This template creates a VPC with one private subnet on the Outpost and one public subnet in the {aws} Region. The private subnet has a route to an internet through a NAT Gateway that resides in the public subnet in the {aws} Region. This template can be used to create a local cluster in a subnet with egress internet access. -* *https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2023-03-20/amazon-eks-local-outposts-fully-private-vpc-subnet.yaml[Template 2]* – This template creates a VPC with one private subnet on the Outpost and the minimum set of VPC Endpoints required to create a local cluster in a subnet that doesn't have ingress or egress internet access (also referred to as a private subnet). - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-outposts-vpc-subnet-requirements%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* *https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2023-03-20/amazon-eks-local-outposts-fully-private-vpc-subnet.yaml[Template 2]* – This template creates a VPC with one private subnet on the Outpost and the minimum set of VPC Endpoints required to create a local cluster in a subnet that doesn't have ingress or egress internet access (also referred to as a private subnet). \ No newline at end of file diff --git a/latest/ug/outposts/eks-outposts.adoc b/latest/ug/outposts/eks-outposts.adoc index 3bc6a60cd..ec8d57ddd 100644 --- a/latest/ug/outposts/eks-outposts.adoc +++ b/latest/ug/outposts/eks-outposts.adoc @@ -153,7 +153,4 @@ The following table compares the differences between the two options. include::eks-outposts-local-cluster-overview.adoc[leveloffset=+1] -include::eks-outposts-self-managed-nodes.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-outposts%5D&type=code[Edit this page on GitHub] \ No newline at end of file +include::eks-outposts-self-managed-nodes.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/quickstart.adoc b/latest/ug/quickstart.adoc index b3c9db8d3..ebeb7fc3a 100644 --- a/latest/ug/quickstart.adoc +++ b/latest/ug/quickstart.adoc @@ -278,7 +278,4 @@ After you've finished with the cluster that you created for this tutorial, you s eksctl delete cluster -f ./cluster-config.yaml ``` -EKS will automatically clean up any nodes it provisioned when the cluster is deleted. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23quickstart%5D&type=code[Edit this page on GitHub] \ No newline at end of file +EKS will automatically clean up any nodes it provisioned when the cluster is deleted. \ No newline at end of file diff --git a/latest/ug/related-projects.adoc b/latest/ug/related-projects.adoc index 488c66aa6..f48fc80e1 100644 --- a/latest/ug/related-projects.adoc +++ b/latest/ug/related-projects.adoc @@ -212,7 +212,4 @@ CI/CD solution for modern cloud applications on Amazon EKS and [.noloc]`Kubernet * https://jenkins-x.io/[Project URL] -* https://jenkins-x.io/docs/[Project documentation] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23related-projects%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* https://jenkins-x.io/docs/[Project documentation] \ No newline at end of file diff --git a/latest/ug/roadmap.adoc b/latest/ug/roadmap.adoc index 1427dc553..7c6a551e9 100644 --- a/latest/ug/roadmap.adoc +++ b/latest/ug/roadmap.adoc @@ -17,7 +17,4 @@ include::attributes.txt[] Follow the What's New feed and public roadmap to help plan for new and future Amazon EKS developments. -- -You can learn about new Amazon EKS features by scrolling to the What's New feed on the link:new/?whats-new-content-all.sort-by=item.additionalFields.postDateTime&whats-new-content-all.sort-order=desc&awsf.whats-new-compute=*all&awsf.whats-new-containers=general-products%23amazon-eks[What's New with {aws},type="marketing"] page. You can also review the https://github.com/aws/containers-roadmap/projects/1?card_filter_query=eks[roadmap] on [.noloc]`GitHub`, which lets you know about upcoming features and priorities so that you can plan how you want to use Amazon EKS in the future. You can provide direct feedback to us about the roadmap priorities. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23roadmap%5D&type=code[Edit this page on GitHub] \ No newline at end of file +You can learn about new Amazon EKS features by scrolling to the What's New feed on the link:new/?whats-new-content-all.sort-by=item.additionalFields.postDateTime&whats-new-content-all.sort-order=desc&awsf.whats-new-compute=*all&awsf.whats-new-containers=general-products%23amazon-eks[What's New with {aws},type="marketing"] page. You can also review the https://github.com/aws/containers-roadmap/projects/1?card_filter_query=eks[roadmap] on [.noloc]`GitHub`, which lets you know about upcoming features and priorities so that you can plan how you want to use Amazon EKS in the future. You can provide direct feedback to us about the roadmap priorities. \ No newline at end of file diff --git a/latest/ug/security/auto-security.adoc b/latest/ug/security/auto-security.adoc index 66e3f6180..7afa48983 100644 --- a/latest/ug/security/auto-security.adoc +++ b/latest/ug/security/auto-security.adoc @@ -100,6 +100,3 @@ The following section describes security best practices for Amazon EKS Auto Mode * Monitor cluster activity through {aws} CloudTrail and Amazon CloudWatch. For more information, see <> and <>. * Use {aws} Security Hub for security posture assessment. * Implement pod security standards appropriate for your workloads. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-security%5D&type=code[Edit this page on GitHub] diff --git a/latest/ug/security/cert-signing.adoc b/latest/ug/security/cert-signing.adoc index 71aecf692..a66cc2e5b 100644 --- a/latest/ug/security/cert-signing.adoc +++ b/latest/ug/security/cert-signing.adoc @@ -135,7 +135,4 @@ If the returned output shows a CSR with a https://kubernetes.io/docs/reference/a kubectl certificate approve csr-7znmf ---- -To auto-approve CSRs in the future, we recommend that you write an approving controller that can automatically validate and approve CSRs that contain IP or DNS SANs that Amazon EKS can't verify. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cert-signing%5D&type=code[Edit this page on GitHub] \ No newline at end of file +To auto-approve CSRs in the future, we recommend that you write an approving controller that can automatically validate and approve CSRs that contain IP or DNS SANs that Amazon EKS can't verify. \ No newline at end of file diff --git a/latest/ug/security/compliance.adoc b/latest/ug/security/compliance.adoc index 81ea55434..8527c380a 100644 --- a/latest/ug/security/compliance.adoc +++ b/latest/ug/security/compliance.adoc @@ -27,7 +27,4 @@ NOTE: Not all {aws} services are HIPAA eligible. For more information, see the l * link:config/latest/developerguide/evaluate-config.html[Evaluating Resources with Rules,type="documentation"] in the _{aws} Config Developer Guide_ – The {aws} Config service assesses how well your resource configurations comply with internal practices, industry guidelines, and regulations. * link:securityhub/latest/userguide/what-is-securityhub.html[{aws} Security Hub,type="documentation"] – This {aws} service provides a comprehensive view of your security state within {aws}. Security Hub uses security controls to evaluate your {aws} resources and to check your compliance against security industry standards and best practices. For a list of supported services and controls, see link:securityhub/latest/userguide/securityhub-controls-reference.html[Security Hub controls reference,type="documentation"]. * link:guardduty/latest/ug/what-is-guardduty.html[Amazon GuardDuty,type="documentation"] – This {aws} service detects potential threats to your {aws} accounts, workloads, containers, and data by monitoring your environment for suspicious and malicious activities. GuardDuty can help you address various compliance requirements, like PCI DSS, by meeting intrusion detection requirements mandated by certain compliance frameworks. -* link:audit-manager/latest/userguide/what-is.html[{aws} Audit Manager,type="documentation"] – This {aws} service helps you continuously audit your {aws} usage to simplify how you manage risk and compliance with regulations and industry standards. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23compliance%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* link:audit-manager/latest/userguide/what-is.html[{aws} Audit Manager,type="documentation"] – This {aws} service helps you continuously audit your {aws} usage to simplify how you manage risk and compliance with regulations and industry standards. \ No newline at end of file diff --git a/latest/ug/security/configuration-vulnerability-analysis.adoc b/latest/ug/security/configuration-vulnerability-analysis.adoc index 91103b8ec..9e8c87b3d 100644 --- a/latest/ug/security/configuration-vulnerability-analysis.adoc +++ b/latest/ug/security/configuration-vulnerability-analysis.adoc @@ -56,7 +56,4 @@ You can use link:inspector/latest/userguide/inspector_introduction.html[Amazon I Amazon GuardDuty threat detection service that helps protect your accounts, containers, workloads, and the data within your {aws} environment. Among other features, GuardDuty offers the following two features that detect potential threats to your EKS clusters: _EKS Protection_ and _Runtime Monitoring_. -For more information, see <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23configuration-vulnerability-analysis%5D&type=code[Edit this page on GitHub] \ No newline at end of file +For more information, see <>. \ No newline at end of file diff --git a/latest/ug/security/default-roles-users.adoc b/latest/ug/security/default-roles-users.adoc index 0ff30f03f..3df2fcf9c 100644 --- a/latest/ug/security/default-roles-users.adoc +++ b/latest/ug/security/default-roles-users.adoc @@ -190,7 +190,4 @@ Subjects: Kind Name Namespace ---- ---- --------- User eks:k8s-metrics ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23default-roles-users%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/security/disaster-recovery-resiliency.adoc b/latest/ug/security/disaster-recovery-resiliency.adoc index e097849eb..451ef9cd3 100644 --- a/latest/ug/security/disaster-recovery-resiliency.adoc +++ b/latest/ug/security/disaster-recovery-resiliency.adoc @@ -22,7 +22,4 @@ This control plane consists of at least two API server instances and three `etcd * Automatically detects and replaces unhealthy control plane instances, restarting them across the Availability Zones within the {aws} Region as needed. * Leverages the architecture of {aws} Regions in order to maintain high availability. Because of this, Amazon EKS is able to offer an link:eks/sla[SLA for API server endpoint availability,type="marketing"]. -For more information about {aws} Regions and Availability Zones, see link:about-aws/global-infrastructure/[{aws} global infrastructure,type="marketing"]. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23disaster-recovery-resiliency%5D&type=code[Edit this page on GitHub] \ No newline at end of file +For more information about {aws} Regions and Availability Zones, see link:about-aws/global-infrastructure/[{aws} global infrastructure,type="marketing"]. \ No newline at end of file diff --git a/latest/ug/security/enable-kms.adoc b/latest/ug/security/enable-kms.adoc index 7066f5a52..de14bb7b9 100644 --- a/latest/ug/security/enable-kms.adoc +++ b/latest/ug/security/enable-kms.adoc @@ -185,7 +185,4 @@ By default, the `create-key` command creates a link:kms/latest/developerguide/sy For clusters using KMS Envelope Encryption, `kms:CreateGrant` permissions are required. The condition `kms:GrantIsForAWSResource` is not supported for the CreateCluster action, and should not be used in KMS policies to control `kms:CreateGrant` permissions for users performing CreateCluster. -==== - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23enable-kms%5D&type=code[Edit this page on GitHub] \ No newline at end of file +==== \ No newline at end of file diff --git a/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc b/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc index f08b2c7cd..249844d18 100644 --- a/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc +++ b/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc @@ -150,7 +150,4 @@ aws iam attach-role-policy \ aws iam attach-role-policy \ --role-name AmazonEKSAutoClusterRole \ --policy-arn arn:aws:iam::aws:policy/AmazonEKSNetworkingPolicy -``` - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-cluster-iam-role%5D&type=code[Edit this page on GitHub] \ No newline at end of file +``` \ No newline at end of file diff --git a/latest/ug/security/iam-reference/auto-create-node-role.adoc b/latest/ug/security/iam-reference/auto-create-node-role.adoc index a746958d8..cf5b819a1 100644 --- a/latest/ug/security/iam-reference/auto-create-node-role.adoc +++ b/latest/ug/security/iam-reference/auto-create-node-role.adoc @@ -114,7 +114,4 @@ To attach AmazonEC2ContainerRegistryPullOnly: aws iam attach-role-policy \ --role-name AmazonEKSAutoNodeRole \ --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly -``` - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23auto-create-node-role%5D&type=code[Edit this page on GitHub] \ No newline at end of file +``` \ No newline at end of file diff --git a/latest/ug/security/iam-reference/cluster-iam-role.adoc b/latest/ug/security/iam-reference/cluster-iam-role.adoc index 8d58275f4..313fa3581 100644 --- a/latest/ug/security/iam-reference/cluster-iam-role.adoc +++ b/latest/ug/security/iam-reference/cluster-iam-role.adoc @@ -145,7 +145,4 @@ aws iam create-role \ aws iam attach-role-policy \ --policy-arn {arn-aws}iam::aws:policy/AmazonEKSClusterPolicy \ --role-name eksClusterRole ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23cluster-iam-role%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/security/iam-reference/connector-iam-role.adoc b/latest/ug/security/iam-reference/connector-iam-role.adoc index affea0128..913d9ccfb 100644 --- a/latest/ug/security/iam-reference/connector-iam-role.adoc +++ b/latest/ug/security/iam-reference/connector-iam-role.adoc @@ -166,7 +166,4 @@ Outputs: .. Choose the file you created earlier, and then choose *Next*. .. For *Stack name*, enter a name for your role, such as `eksConnectorAgentRole`, and then choose *Next*. .. On the *Configure stack options* page, choose *Next*. -.. On the *Review* page, review your information, acknowledge that the stack might create IAM resources, and then choose *Create stack*. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23connector-iam-role%5D&type=code[Edit this page on GitHub] \ No newline at end of file +.. On the *Review* page, review your information, acknowledge that the stack might create IAM resources, and then choose *Create stack*. \ No newline at end of file diff --git a/latest/ug/security/iam-reference/create-node-role.adoc b/latest/ug/security/iam-reference/create-node-role.adoc index 8c5addc56..6ae83893c 100644 --- a/latest/ug/security/iam-reference/create-node-role.adoc +++ b/latest/ug/security/iam-reference/create-node-role.adoc @@ -195,7 +195,4 @@ aws iam create-policy --policy-name AmazonEKS_CNI_IPv6_Policy --policy-document aws iam attach-role-policy \ --policy-arn {arn-aws}iam::111122223333:policy/AmazonEKS_CNI_IPv6_Policy \ --role-name AmazonEKSNodeRole ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23create-node-role%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/security/iam-reference/pod-execution-role.adoc b/latest/ug/security/iam-reference/pod-execution-role.adoc index c0613c53c..bf4767d17 100644 --- a/latest/ug/security/iam-reference/pod-execution-role.adoc +++ b/latest/ug/security/iam-reference/pod-execution-role.adoc @@ -166,7 +166,4 @@ aws iam create-role \ aws iam attach-role-policy \ --policy-arn {arn-aws}iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy \ --role-name AmazonEKSFargatePodExecutionRole ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pod-execution-role%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc index d0415728d..2c5c136d9 100644 --- a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc +++ b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc @@ -496,7 +496,4 @@ Added the ability for the EBS CSI Driver to enable Fast Snapshot Restore (FSR) o |Amazon EKS started tracking changes for its {aws} managed policies. |June 17, 2021 -|=== - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23security-iam-awsmanpol%5D&type=code[Edit this page on GitHub] \ No newline at end of file +|=== \ No newline at end of file diff --git a/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc b/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc index ffe4da63f..b8af17b79 100644 --- a/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc +++ b/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc @@ -244,7 +244,4 @@ This example policy includes the minimum permissions required to list and descri } ] } ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23security-iam-id-based-policy-examples%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc b/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc index 9748a52a3..dcd66a148 100644 --- a/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc +++ b/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc @@ -149,7 +149,4 @@ Amazon EKS supports service roles. For more information, see < [#security-iam-service-with-iam-roles-choose] === Choosing an IAM role in Amazon EKS -When you create a cluster resource in Amazon EKS, you must choose a role to allow Amazon EKS to access several other {aws} resources on your behalf. If you have previously created a service role, then Amazon EKS provides you with a list of roles to choose from. It's important to choose a role that has the Amazon EKS managed policies attached to it. For more information, see <> and <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23security-iam-service-with-iam%5D&type=code[Edit this page on GitHub] \ No newline at end of file +When you create a cluster resource in Amazon EKS, you must choose a role to allow Amazon EKS to access several other {aws} resources on your behalf. If you have previously created a service role, then Amazon EKS provides you with a list of roles to choose from. It's important to choose a role that has the Amazon EKS managed policies attached to it. For more information, see <> and <>. \ No newline at end of file diff --git a/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc b/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc index 469106ae6..23ba72cf2 100644 --- a/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc +++ b/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc @@ -74,7 +74,4 @@ Your containers receive this error if your application is explicitly making requ * Update your application code to remove explicit calls to the {aws} STS global endpoint. * Update your application code to make explicit calls to regional endpoints such as `https://sts.us-west-2.amazonaws.com`. Your application should have redundancy built in to pick a different {aws} Region in the event of a failure of the service in the {aws} Region. For more information, see link:IAM/latest/UserGuide/id_credentials_temp_enable-regions.html[Managing {aws} STS in an {aws} Region,type="documentation"] in the IAM User Guide. -* Configure your service accounts to use the global endpoint. All versions earlier than `1.22` used the global endpoint by default, but version `1.22` and later clusters use the regional endpoint by default. For more information, see <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23security-iam-troubleshoot%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* Configure your service accounts to use the global endpoint. All versions earlier than `1.22` used the global endpoint by default, but version `1.22` and later clusters use the regional endpoint by default. For more information, see <>. \ No newline at end of file diff --git a/latest/ug/security/iam-reference/security-iam.adoc b/latest/ug/security/iam-reference/security-iam.adoc index 768b8ff67..00d32d92b 100644 --- a/latest/ug/security/iam-reference/security-iam.adoc +++ b/latest/ug/security/iam-reference/security-iam.adoc @@ -140,7 +140,4 @@ Amazon S3, {aws} WAF, and Amazon VPC are examples of services that support ACLs. [#security-iam-access-manage-multiple-policies] === Multiple policy types -When multiple types of policies apply to a request, the resulting permissions are more complicated to understand. To learn how {aws} determines whether to allow a request when multiple policy types are involved, see link:IAM/latest/UserGuide/reference_policies_evaluation-logic.html[Policy evaluation logic,type="documentation"] in the _IAM User Guide_. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23security-iam%5D&type=code[Edit this page on GitHub] \ No newline at end of file +When multiple types of policies apply to a request, the resulting permissions are more complicated to understand. To learn how {aws} determines whether to allow a request when multiple policy types are involved, see link:IAM/latest/UserGuide/reference_policies_evaluation-logic.html[Policy evaluation logic,type="documentation"] in the _IAM User Guide_. \ No newline at end of file diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc index 5bf29f93d..5c8dbc205 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc @@ -70,7 +70,4 @@ If the Amazon EKS service is using the role when you try to delete the resources [#slr-manual-delete-eks-connector] === Manually delete the service-linked role -Use the IAM console, the {aws} CLI, or the {aws} API to delete the AWSServiceRoleForAmazonEKSConnector service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role[Deleting a service-linked role,type="documentation"] in the _IAM User Guide_. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23using-service-linked-roles-eks-connector%5D&type=code[Edit this page on GitHub] \ No newline at end of file +Use the IAM console, the {aws} CLI, or the {aws} API to delete the AWSServiceRoleForAmazonEKSConnector service-linked role. For more information, see link:IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role[Deleting a service-linked role,type="documentation"] in the _IAM User Guide_. \ No newline at end of file diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc index bb27a1605..13e290032 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc @@ -90,7 +90,4 @@ Use the IAM console, the {aws} CLI, or the {aws} API to delete the AWSServiceRol [#slr-regions-eks-fargate] == Supported regions for Amazon EKS service-linked roles -Amazon EKS supports using service-linked roles in all of the regions where the service is available. For more information, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"]. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23using-service-linked-roles-eks-fargate%5D&type=code[Edit this page on GitHub] \ No newline at end of file +Amazon EKS supports using service-linked roles in all of the regions where the service is available. For more information, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"]. \ No newline at end of file diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc index 5bc86935b..db6dc69a6 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc @@ -89,7 +89,4 @@ Use the IAM console, the {aws} CLI, or the {aws} API to delete the `AWSServiceRo [#slr-regions-eks-nodegroups] == Supported regions for Amazon EKS service-linked roles -Amazon EKS supports using service-linked roles in all of the regions where the service is available. For more information, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"]. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23using-service-linked-roles-eks-nodegroups%5D&type=code[Edit this page on GitHub] \ No newline at end of file +Amazon EKS supports using service-linked roles in all of the regions where the service is available. For more information, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"]. \ No newline at end of file diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc index a728b7057..2b922305e 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc @@ -88,7 +88,4 @@ Use the IAM console, the {aws} CLI, or the {aws} API to delete the `AWSServiceRo [#slr-regions-eks-connector] == Supported regions for Amazon EKS service-linked roles -Amazon EKS supports using service-linked roles in all of the regions where the service is available. For more information, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"]. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23using-service-linked-roles-eks-outpost%5D&type=code[Edit this page on GitHub] \ No newline at end of file +Amazon EKS supports using service-linked roles in all of the regions where the service is available. For more information, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"]. \ No newline at end of file diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc index 61c77203b..63ac4dc83 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc @@ -84,7 +84,4 @@ Use the IAM console, the {aws} CLI, or the {aws} API to delete the `AWSServiceRo [#slr-regions-eks] == Supported regions for Amazon EKS service-linked roles -Amazon EKS supports using service-linked roles in all of the regions where the service is available. For more information, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"]. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23using-service-linked-roles-eks%5D&type=code[Edit this page on GitHub] \ No newline at end of file +Amazon EKS supports using service-linked roles in all of the regions where the service is available. For more information, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"]. \ No newline at end of file diff --git a/latest/ug/security/iam-reference/using-service-linked-roles.adoc b/latest/ug/security/iam-reference/using-service-linked-roles.adoc index 08db60208..54636c321 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles.adoc @@ -23,7 +23,4 @@ How to use service-linked roles to give Amazon EKS access to resources in your { Amazon Elastic Kubernetes Service uses {aws} Identity and Access Management (IAM) link:IAM/latest/UserGuide/id_roles.html#iam-term-service-linked-role[service-linked roles,type="documentation"]. A service-linked role is a unique type of IAM role that is linked directly to Amazon EKS. Service-linked roles are predefined by Amazon EKS and include all the permissions that the service requires to call other {aws} services on your behalf. [.topiclist] -[[Topic List]] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23using-service-linked-roles%5D&type=code[Edit this page on GitHub] \ No newline at end of file +[[Topic List]] \ No newline at end of file diff --git a/latest/ug/security/infrastructure-security.adoc b/latest/ug/security/infrastructure-security.adoc index 1b8304278..f1e64ed0c 100644 --- a/latest/ug/security/infrastructure-security.adoc +++ b/latest/ug/security/infrastructure-security.adoc @@ -35,7 +35,4 @@ You can enable private access to the [.noloc]`Kubernetes` API server so that all For more information about modifying cluster endpoint access, see <>. -You can implement [.noloc]`Kubernetes` _network policies_ with the Amazon VPC CNI or third-party tools such as https://docs.tigera.io/calico/latest/about/[Project Calico]. For more information about using the Amazon VPC CNI for network policies, see <>. Project [.noloc]`Calico` is a third party open source project. For more information, see the https://docs.tigera.io/calico/latest/getting-started/kubernetes/managed-public-cloud/eks/[Project Calico documentation]. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23infrastructure-security%5D&type=code[Edit this page on GitHub] \ No newline at end of file +You can implement [.noloc]`Kubernetes` _network policies_ with the Amazon VPC CNI or third-party tools such as https://docs.tigera.io/calico/latest/about/[Project Calico]. For more information about using the Amazon VPC CNI for network policies, see <>. Project [.noloc]`Calico` is a third party open source project. For more information, see the https://docs.tigera.io/calico/latest/getting-started/kubernetes/managed-public-cloud/eks/[Project Calico documentation]. \ No newline at end of file diff --git a/latest/ug/security/manage-secrets.adoc b/latest/ug/security/manage-secrets.adoc index 2ae33fe69..7043c8e87 100644 --- a/latest/ug/security/manage-secrets.adoc +++ b/latest/ug/security/manage-secrets.adoc @@ -18,7 +18,4 @@ If you use Secrets Manager automatic rotation for your secrets, you can also use ==== -For more information, see link:secretsmanager/latest/userguide/integrating_csi_driver.html[Using Secrets Manager secrets in Amazon EKS,type="documentation"] in the {aws} Secrets Manager User Guide. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23manage-secrets%5D&type=code[Edit this page on GitHub] \ No newline at end of file +For more information, see link:secretsmanager/latest/userguide/integrating_csi_driver.html[Using Secrets Manager secrets in Amazon EKS,type="documentation"] in the {aws} Secrets Manager User Guide. \ No newline at end of file diff --git a/latest/ug/security/pod-security-policy-removal-faq.adoc b/latest/ug/security/pod-security-policy-removal-faq.adoc index ff8b98389..aab055518 100644 --- a/latest/ug/security/pod-security-policy-removal-faq.adoc +++ b/latest/ug/security/pod-security-policy-removal-faq.adoc @@ -111,7 +111,4 @@ When a cluster that contains a [.noloc]`PSP` is upgraded to [.noloc]`Kubernetes` ==== We don't expect any specific impact to Windows workloads. PodSecurityContext has a field called `windowsOptions` in the `PodSpec v1` API for Windows [.noloc]`Pods`. This uses [.noloc]`PSS` in [.noloc]`Kubernetes` `1.25`. For more information and best practices about enforcing [.noloc]`PSS` for Windows workloads, see the https://aws.github.io/aws-eks-best-practices/windows/docs/security/#pod-security-contexts[EKS Best Practices Guide] and [.noloc]`Kubernetes` https://kubernetes.io/docs/tasks/configure-pod-container/configure-runasusername/[documentation]. -==== - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pod-security-policy-removal-faq%5D&type=code[Edit this page on GitHub] \ No newline at end of file +==== \ No newline at end of file diff --git a/latest/ug/security/pod-security-policy.adoc b/latest/ug/security/pod-security-policy.adoc index d2cc803fe..79186ad75 100644 --- a/latest/ug/security/pod-security-policy.adoc +++ b/latest/ug/security/pod-security-policy.adoc @@ -191,7 +191,4 @@ subjects: [source,bash,subs="verbatim,attributes"] ---- kubectl apply -f privileged-podsecuritypolicy.yaml ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23pod-security-policy%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/security/security-best-practices.adoc b/latest/ug/security/security-best-practices.adoc index 8b5d8db4a..9abb7e229 100644 --- a/latest/ug/security/security-best-practices.adoc +++ b/latest/ug/security/security-best-practices.adoc @@ -10,7 +10,4 @@ include::../attributes.txt[] Learn how to secure your Amazon EKS clusters by following the best practices from the community. -- -The Amazon EKS security best practices are in the link:eks/latest/best-practices/security.html[Best Practices for Security,type="documentation"] in the _Amazon EKS Best Practices Guide_. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23security-best-practices%5D&type=code[Edit this page on GitHub] \ No newline at end of file +The Amazon EKS security best practices are in the link:eks/latest/best-practices/security.html[Best Practices for Security,type="documentation"] in the _Amazon EKS Best Practices Guide_. \ No newline at end of file diff --git a/latest/ug/security/security-eks.adoc b/latest/ug/security/security-eks.adoc index 3252411b0..c4b82f4ee 100644 --- a/latest/ug/security/security-eks.adoc +++ b/latest/ug/security/security-eks.adoc @@ -17,7 +17,4 @@ Configure Amazon EKS clusters to meet your security and compliance objectives, a The following are considerations for security of the cloud, as they affect Amazon EKS. [.topiclist] -[[Topic List]] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23security-eks%5D&type=code[Edit this page on GitHub] \ No newline at end of file +[[Topic List]] \ No newline at end of file diff --git a/latest/ug/security/security-k8s.adoc b/latest/ug/security/security-k8s.adoc index 134e6ebc0..e7b6db4cc 100644 --- a/latest/ug/security/security-k8s.adoc +++ b/latest/ug/security/security-k8s.adoc @@ -25,7 +25,4 @@ Configure [.noloc]`Kubernetes` to meet your security and compliance objectives, The following are considerations for security in the cloud, as they affect [.noloc]`Kubernetes` in Amazon EKS clusters. For an in-depth review of security controls and practices in [.noloc]`Kubernetes`, see https://kubernetes.io/docs/concepts/security/cloud-native-security/[Cloud Native Security and Kubernetes] in the [.noloc]`Kubernetes` documentation. [.topiclist] -[[Topic List]] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23security-k8s%5D&type=code[Edit this page on GitHub] \ No newline at end of file +[[Topic List]] \ No newline at end of file diff --git a/latest/ug/security/security.adoc b/latest/ug/security/security.adoc index dac15f8a9..42141ff30 100644 --- a/latest/ug/security/security.adoc +++ b/latest/ug/security/security.adoc @@ -58,7 +58,4 @@ This documentation helps you understand how to apply the shared responsibility m ==== [.topiclist] -[[Topic List]] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23security%5D&type=code[Edit this page on GitHub] \ No newline at end of file +[[Topic List]] \ No newline at end of file diff --git a/latest/ug/security/vpc-interface-endpoints.adoc b/latest/ug/security/vpc-interface-endpoints.adoc index e009d83e0..a9c78cf27 100644 --- a/latest/ug/security/vpc-interface-endpoints.adoc +++ b/latest/ug/security/vpc-interface-endpoints.adoc @@ -58,6 +58,3 @@ The private DNS feature is enabled by default when creating an interface endpoin + However, To use the dual-stack endpoints with the {aws} CLI, see the link:sdkref/latest/guide/feature-endpoints.html[Dual-stack and FIPS endpoints,type="documentation"] configuration in the _{aws} SDKs and Tools Reference Guide_. * Any call made to the Amazon EKS default service endpoint is automatically routed through the interface endpoint over the private {aws} network. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23vpc-interface-endpoints%5D&type=code[Edit this page on GitHub] diff --git a/latest/ug/storage/csi-snapshot-controller.adoc b/latest/ug/storage/csi-snapshot-controller.adoc index 413dbbd8a..cd208d65f 100644 --- a/latest/ug/storage/csi-snapshot-controller.adoc +++ b/latest/ug/storage/csi-snapshot-controller.adoc @@ -23,7 +23,4 @@ Here are some things to consider when using the CSI snapshot controller. We recommend that you install the CSI snapshot controller through the Amazon EKS managed add-on. This add-on includes the custom resource definitions (CRDs) that are needed to create and manage snapshots on Amazon EKS. To add an Amazon EKS add-on to your cluster, see <>. For more information about add-ons, see <>. -Alternatively, if you want a self-managed installation of the CSI snapshot controller, see https://github.com/kubernetes-csi/external-snapshotter/blob/master/README.md#usage[Usage] in the upstream [.noloc]`Kubernetes` `external-snapshotter` on [.noloc]`GitHub`. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23csi-snapshot-controller%5D&type=code[Edit this page on GitHub] \ No newline at end of file +Alternatively, if you want a self-managed installation of the CSI snapshot controller, see https://github.com/kubernetes-csi/external-snapshotter/blob/master/README.md#usage[Usage] in the upstream [.noloc]`Kubernetes` `external-snapshotter` on [.noloc]`GitHub`. \ No newline at end of file diff --git a/latest/ug/storage/ebs-csi-migration-faq.adoc b/latest/ug/storage/ebs-csi-migration-faq.adoc index ebe178967..8def6ddb6 100644 --- a/latest/ug/storage/ebs-csi-migration-faq.adoc +++ b/latest/ug/storage/ebs-csi-migration-faq.adoc @@ -136,7 +136,4 @@ The new https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/m [#csi-migration-faq-windows] == Is migration supported for Windows workloads? -Yes. If you're installing the Amazon EBS CSI driver using the open source Helm chart, set `node.enableWindows` to `true`. This is set by default if installing the Amazon EBS CSI driver as an Amazon EKS add-on. When creating storage classes, set the `fsType` to a Windows file system, such as `ntfs`. Volume operations for Windows workloads are then migrated to the Amazon EBS CSI driver the same as they are for Linux workloads. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23ebs-csi-migration-faq%5D&type=code[Edit this page on GitHub] \ No newline at end of file +Yes. If you're installing the Amazon EBS CSI driver using the open source Helm chart, set `node.enableWindows` to `true`. This is set by default if installing the Amazon EBS CSI driver as an Amazon EKS add-on. When creating storage classes, set the `fsType` to a Windows file system, such as `ntfs`. Volume operations for Windows workloads are then migrated to the Amazon EBS CSI driver the same as they are for Linux workloads. \ No newline at end of file diff --git a/latest/ug/storage/ebs-csi.adoc b/latest/ug/storage/ebs-csi.adoc index 42c7fd8c8..81999cd21 100644 --- a/latest/ug/storage/ebs-csi.adoc +++ b/latest/ug/storage/ebs-csi.adoc @@ -361,6 +361,3 @@ Alternatively, if you want a self-managed installation of the Amazon EBS CSI dri == Step 3: Deploy a sample application You can deploy a variety of sample apps and modify them as needed. For more information, see https://github.com/kubernetes-sigs/aws-ebs-csi-driver/tree/master/examples/kubernetes[Kubernetes Examples] on [.noloc]`GitHub`. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23ebs-csi%5D&type=code[Edit this page on GitHub] diff --git a/latest/ug/storage/efs-csi.adoc b/latest/ug/storage/efs-csi.adoc index f154a6e73..12149b02d 100644 --- a/latest/ug/storage/efs-csi.adoc +++ b/latest/ug/storage/efs-csi.adoc @@ -191,7 +191,4 @@ To create an Amazon EFS file system, see https://github.com/kubernetes-sigs/aws- [#efs-sample-app] == Step 4: Deploy a sample application -You can deploy a variety of sample apps and modify them as needed. For more information, see https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/README.md#examples[Examples] on [.noloc]`GitHub`. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23efs-csi%5D&type=code[Edit this page on GitHub] \ No newline at end of file +You can deploy a variety of sample apps and modify them as needed. For more information, see https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/README.md#examples[Examples] on [.noloc]`GitHub`. \ No newline at end of file diff --git a/latest/ug/storage/file-cache-csi.adoc b/latest/ug/storage/file-cache-csi.adoc index 21b8a7ceb..20c399aa7 100644 --- a/latest/ug/storage/file-cache-csi.adoc +++ b/latest/ug/storage/file-cache-csi.adoc @@ -13,7 +13,4 @@ The Amazon File Cache Container Storage Interface (CSI) driver provides a CSI in Amazon File Cache is a fully managed, high-speed cache on {aws} that's used to process file data, regardless of where the data is stored. Amazon File Cache automatically loads data into the cache when it's accessed for the first time and releases data when it's not used. For more information, see the link:fsx/latest/FileCacheGuide/what-is.html[Amazon File Cache User Guide,type="documentation"]. -The Amazon File Cache Container Storage Interface (CSI) driver provides a CSI interface that allows Amazon EKS clusters to manage the life cycle of Amazon file caches. Note that the Amazon File Cache CSI driver is not compatible with Amazon EKS Hybrid Nodes. To deploy the Amazon File Cache CSI driver to your Amazon EKS cluster, see https://github.com/kubernetes-sigs/aws-file-cache-csi-driver[aws-file-cache-csi-driver] on GitHub. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23file-cache-csi%5D&type=code[Edit this page on GitHub] \ No newline at end of file +The Amazon File Cache Container Storage Interface (CSI) driver provides a CSI interface that allows Amazon EKS clusters to manage the life cycle of Amazon file caches. Note that the Amazon File Cache CSI driver is not compatible with Amazon EKS Hybrid Nodes. To deploy the Amazon File Cache CSI driver to your Amazon EKS cluster, see https://github.com/kubernetes-sigs/aws-file-cache-csi-driver[aws-file-cache-csi-driver] on GitHub. \ No newline at end of file diff --git a/latest/ug/storage/fsx-csi.adoc b/latest/ug/storage/fsx-csi.adoc index cf360b69b..07b88da95 100644 --- a/latest/ug/storage/fsx-csi.adoc +++ b/latest/ug/storage/fsx-csi.adoc @@ -298,7 +298,4 @@ This example output shows that the sample app successfully wrote the `out.txt` f Before deleting the cluster, make sure to delete the FSx for Lustre file system. For more information, see link:fsx/latest/LustreGuide/getting-started-step4.html[Clean up resources,type="documentation"] in the _FSx for Lustre User Guide_. -==== - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23fsx-csi%5D&type=code[Edit this page on GitHub] \ No newline at end of file +==== \ No newline at end of file diff --git a/latest/ug/storage/fsx-ontap.adoc b/latest/ug/storage/fsx-ontap.adoc index 47008a902..d4a9daaaa 100644 --- a/latest/ug/storage/fsx-ontap.adoc +++ b/latest/ug/storage/fsx-ontap.adoc @@ -13,7 +13,4 @@ The [.noloc]`NetApp Trident` allows Amazon EKS clusters to manage the lifecycle The [.noloc]`NetApp Trident` provides dynamic storage orchestration using a Container Storage Interface (CSI) compliant driver. This allows Amazon EKS clusters to manage the lifecycle of persistent volumes (PVs) backed by Amazon FSx for NetApp ONTAP file systems. Note that the Amazon FSx for NetApp ONTAP CSI driver is not compatible with Amazon EKS Hybrid Nodes. To get started, see https://docs.netapp.com/us-en/trident/trident-use/trident-fsx.html[Use Trident with Amazon FSx for NetApp ONTAP] in the [.noloc]`NetApp Trident` documentation. -Amazon FSx for NetApp ONTAP is a storage service that allows you to launch and run fully managed [.noloc]`ONTAP` file systems in the cloud. [.noloc]`ONTAP` is [.noloc]`NetApp's` file system technology that provides a widely adopted set of data access and data management capabilities. FSx for ONTAP provides the features, performance, and APIs of on-premises [.noloc]`NetApp` file systems with the agility, scalability, and simplicity of a fully managed {aws} service. For more information, see the link:fsx/latest/ONTAPGuide/what-is-fsx-ontap.html[FSx for ONTAP User Guide,type="documentation"]. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23fsx-ontap%5D&type=code[Edit this page on GitHub] \ No newline at end of file +Amazon FSx for NetApp ONTAP is a storage service that allows you to launch and run fully managed [.noloc]`ONTAP` file systems in the cloud. [.noloc]`ONTAP` is [.noloc]`NetApp's` file system technology that provides a widely adopted set of data access and data management capabilities. FSx for ONTAP provides the features, performance, and APIs of on-premises [.noloc]`NetApp` file systems with the agility, scalability, and simplicity of a fully managed {aws} service. For more information, see the link:fsx/latest/ONTAPGuide/what-is-fsx-ontap.html[FSx for ONTAP User Guide,type="documentation"]. \ No newline at end of file diff --git a/latest/ug/storage/fsx-openzfs-csi.adoc b/latest/ug/storage/fsx-openzfs-csi.adoc index 05ba5a6bb..a267f39c4 100644 --- a/latest/ug/storage/fsx-openzfs-csi.adoc +++ b/latest/ug/storage/fsx-openzfs-csi.adoc @@ -13,7 +13,4 @@ The Amazon FSx for OpenZFS Container Storage Interface (CSI) driver provides a C Amazon FSx for OpenZFS is a fully managed file storage service that makes it easy to move data to {aws} from on-premises ZFS or other Linux-based file servers. You can do this without changing your application code or how you manage data. It offers highly reliable, scalable, efficient, and feature-rich file storage built on the open-source OpenZFS file system. It combines these capabilities with the agility, scalability, and simplicity of a fully managed {aws} service. For more information, see the link:fsx/latest/OpenZFSGuide/what-is-fsx.html[Amazon FSx for OpenZFS User Guide,type="documentation"]. -The FSx for OpenZFS Container Storage Interface (CSI) driver provides a CSI interface that allows Amazon EKS clusters to manage the life cycle of FSx for OpenZFS volumes. Note that the Amazon FSx for OpenZFS CSI driver is not compatible with Amazon EKS Hybrid Nodes. To deploy the FSx for OpenZFS CSI driver to your Amazon EKS cluster, see https://github.com/kubernetes-sigs/aws-fsx-openzfs-csi-driver[aws-fsx-openzfs-csi-driver] on GitHub. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23fsx-openzfs-csi%5D&type=code[Edit this page on GitHub] \ No newline at end of file +The FSx for OpenZFS Container Storage Interface (CSI) driver provides a CSI interface that allows Amazon EKS clusters to manage the life cycle of FSx for OpenZFS volumes. Note that the Amazon FSx for OpenZFS CSI driver is not compatible with Amazon EKS Hybrid Nodes. To deploy the FSx for OpenZFS CSI driver to your Amazon EKS cluster, see https://github.com/kubernetes-sigs/aws-fsx-openzfs-csi-driver[aws-fsx-openzfs-csi-driver] on GitHub. \ No newline at end of file diff --git a/latest/ug/storage/s3-csi.adoc b/latest/ug/storage/s3-csi.adoc index a70f4bcd9..e27d866d4 100644 --- a/latest/ug/storage/s3-csi.adoc +++ b/latest/ug/storage/s3-csi.adoc @@ -413,7 +413,4 @@ Replace [.replaceable]`my-cluster` with the name of your cluster, and then run t [source,bash,subs="verbatim,attributes"] ---- aws eks delete-addon --cluster-name my-cluster --addon-name aws-mountpoint-s3-csi-driver --preserve ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23s3-csi%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/storage/storage.adoc b/latest/ug/storage/storage.adoc index fc08fd089..d702474bd 100644 --- a/latest/ug/storage/storage.adoc +++ b/latest/ug/storage/storage.adoc @@ -47,7 +47,4 @@ include::file-cache-csi.adoc[leveloffset=+1] include::s3-csi.adoc[leveloffset=+1] -include::csi-snapshot-controller.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23storage%5D&type=code[Edit this page on GitHub] \ No newline at end of file +include::csi-snapshot-controller.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/troubleshooting/troubleshooting.adoc b/latest/ug/troubleshooting/troubleshooting.adoc index 1f50032d0..7d8ce9f5f 100644 --- a/latest/ug/troubleshooting/troubleshooting.adoc +++ b/latest/ug/troubleshooting/troubleshooting.adoc @@ -712,7 +712,4 @@ The first two columns are what are needed for API response values. The third fie |Grants for the {aws} KMS Key associated with your cluster are revoked. You must delete and recreate the cluster. |The [.noloc]`KMS Key Arn` |No -|=== - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23troubleshooting%5D&type=code[Edit this page on GitHub] \ No newline at end of file +|=== \ No newline at end of file diff --git a/latest/ug/what-is/common-use-cases.adoc b/latest/ug/what-is/common-use-cases.adoc index afb62f148..1e88adf6c 100644 --- a/latest/ug/what-is/common-use-cases.adoc +++ b/latest/ug/what-is/common-use-cases.adoc @@ -44,7 +44,4 @@ Utilize link:ec2/spot/[Spot Instances,type="marketing"] to run your batch proces *Securing application and ensuring compliance*:: -Implement strong security practices and maintain compliance with Amazon EKS, which integrates with {aws} security services such as link:iam/[{aws} Identity and Access Management,type="marketing"] (IAM), link:vpc/[Amazon Virtual Private Cloud,type="marketing"] (Amazon VPC), and link:kms/[{aws} Key Management Service,type="marketing"] ({aws} KMS). This ensures data privacy and protection as per industry standards. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23common-use-cases%5D&type=code[Edit this page on GitHub] \ No newline at end of file +Implement strong security practices and maintain compliance with Amazon EKS, which integrates with {aws} security services such as link:iam/[{aws} Identity and Access Management,type="marketing"] (IAM), link:vpc/[Amazon Virtual Private Cloud,type="marketing"] (Amazon VPC), and link:kms/[{aws} Key Management Service,type="marketing"] ({aws} KMS). This ensures data privacy and protection as per industry standards. \ No newline at end of file diff --git a/latest/ug/what-is/eks-architecture.adoc b/latest/ug/what-is/eks-architecture.adoc index 22c10f5a8..c34e91aa2 100644 --- a/latest/ug/what-is/eks-architecture.adoc +++ b/latest/ug/what-is/eks-architecture.adoc @@ -61,7 +61,4 @@ https://karpenter.sh/[Karpenter] is a flexible, high-performance [.noloc]`Kubern <> offer full control over your Amazon EC2 instances within an Amazon EKS cluster. You are in charge of managing, scaling, and maintaining the nodes, giving you total control over the underlying infrastructure. This option is suitable for users who need granular control and customization of their nodes and are ready to invest time in managing and maintaining their infrastructure. *Amazon EKS Hybrid Nodes*:: -With <>, you can use your on-premises and edge infrastructure as nodes in Amazon EKS clusters. Amazon EKS Hybrid Nodes unifies Kubernetes management across environments and offloads Kubernetes control plane management to {aws} for your on-premises and edge applications. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-architecture%5D&type=code[Edit this page on GitHub] \ No newline at end of file +With <>, you can use your on-premises and edge infrastructure as nodes in Amazon EKS clusters. Amazon EKS Hybrid Nodes unifies Kubernetes management across environments and offloads Kubernetes control plane management to {aws} for your on-premises and edge applications. \ No newline at end of file diff --git a/latest/ug/what-is/eks-deployment-options.adoc b/latest/ug/what-is/eks-deployment-options.adoc index 0f8236fd2..d374b0d4d 100644 --- a/latest/ug/what-is/eks-deployment-options.adoc +++ b/latest/ug/what-is/eks-deployment-options.adoc @@ -109,7 +109,4 @@ link:eks/eks-anywhere/[Amazon EKS Anywhere,type="marketing"] simplifies Kubernet You can use the <> to register and connect any conformant Kubernetes cluster to {aws} and view it in the Amazon EKS console. After a cluster is connected, you can see the status, configuration, and workloads for that cluster in the Amazon EKS console. You can use this feature to view connected clusters in Amazon EKS console, but the Amazon EKS Connector does not enable management or mutating operations for your connected clusters through the Amazon EKS console. -link:eks/eks-distro/[Amazon EKS Distro,type="marketing"] is the {aws} distribution of the underlying Kubernetes components that power all Amazon EKS offerings. It includes the core components required for a functioning Kubernetes cluster such as Kubernetes control plane components (etcd, kube-apiserver, kube-scheduler, kube-controller-manager) and networking components (CoreDNS, kube-proxy, CNI plugins). Amazon EKS Distro can be used to self-manage Kubernetes clusters with your choice of tooling. Amazon EKS Distro deployments are not covered by {aws} Support Plans. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-deployment-options%5D&type=code[Edit this page on GitHub] \ No newline at end of file +link:eks/eks-distro/[Amazon EKS Distro,type="marketing"] is the {aws} distribution of the underlying Kubernetes components that power all Amazon EKS offerings. It includes the core components required for a functioning Kubernetes cluster such as Kubernetes control plane components (etcd, kube-apiserver, kube-scheduler, kube-controller-manager) and networking components (CoreDNS, kube-proxy, CNI plugins). Amazon EKS Distro can be used to self-manage Kubernetes clusters with your choice of tooling. Amazon EKS Distro deployments are not covered by {aws} Support Plans. \ No newline at end of file diff --git a/latest/ug/what-is/kubernetes-concepts.adoc b/latest/ug/what-is/kubernetes-concepts.adoc index 4783f0de0..c3f0ea543 100644 --- a/latest/ug/what-is/kubernetes-concepts.adoc +++ b/latest/ug/what-is/kubernetes-concepts.adoc @@ -256,7 +256,4 @@ Understanding basic [.noloc]`Kubernetes` concepts and how they relate to Amazon * <> * <> * <> -* <> - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23kubernetes-concepts%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* <> \ No newline at end of file diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index 5330917ec..a8772565e 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -91,7 +91,4 @@ include::eks-architecture.adoc[leveloffset=+1] include::kubernetes-concepts.adoc[leveloffset=+1] -include::eks-deployment-options.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23what-is-eks%5D&type=code[Edit this page on GitHub] \ No newline at end of file +include::eks-deployment-options.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/workloads/add-ons-iam.adoc b/latest/ug/workloads/add-ons-iam.adoc index 8f8c28f7e..e3c74498e 100644 --- a/latest/ug/workloads/add-ons-iam.adoc +++ b/latest/ug/workloads/add-ons-iam.adoc @@ -33,7 +33,4 @@ Amazon EKS add-ons can help manage the life cycle of pod identity associations c * Pod identity associations created using the add-on APIs are owned by the respective add-on. If you delete the add-on, the pod identity association is also deleted. You can prevent this cascading delete by using the `preserve` option when deleting an addon using the {aws} CLI or API. You also can directly update or delete the pod identity association if necessary. Add-ons can't assume ownership of existing pod identity associations. You must delete the existing association and re-create it using an add-on create or update operation. * Amazon EKS recommends using pod identity associations to manage IAM permissions for add-ons. The previous method, IAM roles for service accounts (IRSA), is still supported. You can specify both an IRSA `serviceAccountRoleArn` and a pod identity association for an add-on. If the EKS pod identity agent is installed on the cluster, the `serviceAccountRoleArn` will be ignored, and EKS will use the provided pod identity association. If Pod Identity is not enabled, the `serviceAccountRoleArn` will be used. -* If you update the pod identity associations for an existing add-on, Amazon EKS initiates a rolling restart of the add-on pods. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23add-ons-iam%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* If you update the pod identity associations for an existing add-on, Amazon EKS initiates a rolling restart of the add-on pods. \ No newline at end of file diff --git a/latest/ug/workloads/add-ons-images.adoc b/latest/ug/workloads/add-ons-images.adoc index f2efd120c..009d9bf65 100644 --- a/latest/ug/workloads/add-ons-images.adoc +++ b/latest/ug/workloads/add-ons-images.adoc @@ -119,7 +119,4 @@ When you deploy <> to |us-gov-west-1 |013241004608.dkr.ecr.us-gov-west-1.amazonaws.com -|=== - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23add-ons-images%5D&type=code[Edit this page on GitHub] \ No newline at end of file +|=== \ No newline at end of file diff --git a/latest/ug/workloads/addon-compat.adoc b/latest/ug/workloads/addon-compat.adoc index 44c369ec2..4199c4fc1 100644 --- a/latest/ug/workloads/addon-compat.adoc +++ b/latest/ug/workloads/addon-compat.adoc @@ -69,6 +69,3 @@ This output shows that addon version `vX.X.X-eksbuild.X` is compatible with Kube The `computeTypes` field in the `describe-addon-versions` output indicates an add-on's compatibility with EKS Auto Mode Managed Nodes or Hybrid Nodes. Add-ons marked `auto` work with EKS Auto Mode's cloud-based, {aws}-managed infrastructure, while those marked `hybrid` can run on on-premises nodes connected to the EKS cloud control plane. For more information, see <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23addon-compat%5D&type=code[Edit this page on GitHub] diff --git a/latest/ug/workloads/addon-id-troubleshoot.adoc b/latest/ug/workloads/addon-id-troubleshoot.adoc index 2f47b0cf8..dfd5e8487 100644 --- a/latest/ug/workloads/addon-id-troubleshoot.adoc +++ b/latest/ug/workloads/addon-id-troubleshoot.adoc @@ -38,7 +38,4 @@ aws iam get-role --role-name --query Role.AssumeRolePolicyDocument ** Use {aws} CloudTrail to review `AccessDenied` or `UnauthorizedOperation` events . * The service account name in the pod identity association matches the service account name used by the add-on. + -** For information about the available add-ons, see <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23addon-id-troubleshoot%5D&type=code[Edit this page on GitHub] \ No newline at end of file +** For information about the available add-ons, see <>. \ No newline at end of file diff --git a/latest/ug/workloads/alb-ingress.adoc b/latest/ug/workloads/alb-ingress.adoc index 04ea9a585..1468c07f8 100644 --- a/latest/ug/workloads/alb-ingress.adoc +++ b/latest/ug/workloads/alb-ingress.adoc @@ -244,7 +244,4 @@ kubectl delete -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-bal [source,bash,subs="verbatim,attributes"] ---- kubectl delete -f 2048_full.yaml ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23alb-ingress%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/workloads/community-addons.adoc b/latest/ug/workloads/community-addons.adoc index e8a27375f..b16055d76 100644 --- a/latest/ug/workloads/community-addons.adoc +++ b/latest/ug/workloads/community-addons.adoc @@ -71,7 +71,4 @@ The Kubernetes Metrics Server is a scalable and efficient source of container re |Custom IAM permissions | None |=== -link:samples/attributions-md.zip[View license attributions for this add-on. ] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23community-addons%5D&type=code[Edit this page on GitHub] \ No newline at end of file +link:samples/attributions-md.zip[View license attributions for this add-on. ] \ No newline at end of file diff --git a/latest/ug/workloads/copy-image-to-repository.adoc b/latest/ug/workloads/copy-image-to-repository.adoc index 77d5f0c90..4073d8b96 100644 --- a/latest/ug/workloads/copy-image-to-repository.adoc +++ b/latest/ug/workloads/copy-image-to-repository.adoc @@ -82,7 +82,4 @@ aws ecr get-login-password --region region-code | docker login --username {aws} ---- docker push 111122223333.dkr.ecr.region-code.amazonaws.com/cni-metrics-helper:v1.12.6 ---- -. Update the manifest file that you used to determine the image in a previous step with the `registry/repository:tag` for the image that you pushed. If you're installing with a Helm chart, there's often an option to specify the `registry/repository:tag`. When installing the chart, specify the `registry/repository:tag` for the image that you pushed to your repository. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23copy-image-to-repository%5D&type=code[Edit this page on GitHub] \ No newline at end of file +. Update the manifest file that you used to determine the image in a previous step with the `registry/repository:tag` for the image that you pushed. If you're installing with a Helm chart, there's often an option to specify the `registry/repository:tag`. When installing the chart, specify the `registry/repository:tag` for the image that you pushed to your repository. \ No newline at end of file diff --git a/latest/ug/workloads/creating-an-add-on.adoc b/latest/ug/workloads/creating-an-add-on.adoc index 82f79ae7c..bac15f8d5 100644 --- a/latest/ug/workloads/creating-an-add-on.adoc +++ b/latest/ug/workloads/creating-an-add-on.adoc @@ -325,7 +325,4 @@ For a full list of available options, see `link:cli/latest/reference/eks/create- ---- + -If you receive an error similar to the error in the previous output, visit the URL in the output of a previous step to subscribe to the add-on. Once subscribed, run the `create-addon` command again. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23creating-an-add-on%5D&type=code[Edit this page on GitHub] \ No newline at end of file +If you receive an error similar to the error in the previous output, visit the URL in the output of a previous step to subscribe to the add-on. Once subscribed, run the `create-addon` command again. \ No newline at end of file diff --git a/latest/ug/workloads/eks-add-ons.adoc b/latest/ug/workloads/eks-add-ons.adoc index 518855811..8f704449b 100644 --- a/latest/ug/workloads/eks-add-ons.adoc +++ b/latest/ug/workloads/eks-add-ons.adoc @@ -188,7 +188,4 @@ include::removing-an-addon.adoc[leveloffset=+1] include::add-ons-iam.adoc[leveloffset=+1] -include::kubernetes-field-management.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-add-ons%5D&type=code[Edit this page on GitHub] \ No newline at end of file +include::kubernetes-field-management.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/workloads/eks-workloads.adoc b/latest/ug/workloads/eks-workloads.adoc index 312b6d82d..e6c211b10 100644 --- a/latest/ug/workloads/eks-workloads.adoc +++ b/latest/ug/workloads/eks-workloads.adoc @@ -55,7 +55,4 @@ include::add-ons-images.adoc[leveloffset=+1] include::eks-add-ons.adoc[leveloffset=+1] -include::image-verification.adoc[leveloffset=+1] - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23eks-workloads%5D&type=code[Edit this page on GitHub] \ No newline at end of file +include::image-verification.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/workloads/horizontal-pod-autoscaler.adoc b/latest/ug/workloads/horizontal-pod-autoscaler.adoc index 5339087c2..c6769e013 100644 --- a/latest/ug/workloads/horizontal-pod-autoscaler.adoc +++ b/latest/ug/workloads/horizontal-pod-autoscaler.adoc @@ -120,7 +120,4 @@ NOTE: The default timeframe for scaling back down is five minutes, so it will ta [source,bash,subs="verbatim,attributes"] ---- kubectl delete deployment.apps/php-apache service/php-apache horizontalpodautoscaler.autoscaling/php-apache ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23horizontal-pod-autoscaler%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/workloads/image-verification.adoc b/latest/ug/workloads/image-verification.adoc index 17f54dcfb..afd92d8be 100644 --- a/latest/ug/workloads/image-verification.adoc +++ b/latest/ug/workloads/image-verification.adoc @@ -23,7 +23,4 @@ If you use link:signer/latest/developerguide/Welcome.html[{aws} Signer,type="doc Before verifying container image signatures, configure the https://github.com/notaryproject/notation#readme[Notation] trust store and trust policy, as required by your selected admission controller. -==== - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23image-verification%5D&type=code[Edit this page on GitHub] \ No newline at end of file +==== \ No newline at end of file diff --git a/latest/ug/workloads/kubernetes-field-management.adoc b/latest/ug/workloads/kubernetes-field-management.adoc index d991aa0b2..2d18d2f7e 100644 --- a/latest/ug/workloads/kubernetes-field-management.adoc +++ b/latest/ug/workloads/kubernetes-field-management.adoc @@ -146,7 +146,4 @@ NOTE: If you don't see `managedFields` in the output, add `--show-managed-fields [#view-field-management-next-steps] == Next steps -Customize the fields not owned by {aws} for you add-on. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23kubernetes-field-management%5D&type=code[Edit this page on GitHub] \ No newline at end of file +Customize the fields not owned by {aws} for you add-on. \ No newline at end of file diff --git a/latest/ug/workloads/network-load-balancing.adoc b/latest/ug/workloads/network-load-balancing.adoc index d135262d2..ba9fc2286 100644 --- a/latest/ug/workloads/network-load-balancing.adoc +++ b/latest/ug/workloads/network-load-balancing.adoc @@ -275,7 +275,4 @@ An example output is as follows. [source,bash,subs="verbatim,attributes"] ---- kubectl delete namespace nlb-sample-app ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23network-load-balancing%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/workloads/remove-addon-role.adoc b/latest/ug/workloads/remove-addon-role.adoc index 1787e346e..7ed778282 100644 --- a/latest/ug/workloads/remove-addon-role.adoc +++ b/latest/ug/workloads/remove-addon-role.adoc @@ -23,7 +23,4 @@ Remove the Pod Identity associations from an Amazon EKS add-on. aws eks update-addon --cluster-name \ --addon-name \ --pod-identity-associations "[]" ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23remove-addon-role%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/workloads/removing-an-addon.adoc b/latest/ug/workloads/removing-an-addon.adoc index d6e2566cc..e0e60010f 100644 --- a/latest/ug/workloads/removing-an-addon.adoc +++ b/latest/ug/workloads/removing-an-addon.adoc @@ -150,7 +150,4 @@ After the add-on is removed, the example output is as follows. [source,bash,subs="verbatim,attributes"] ---- An error occurred (ResourceNotFoundException) when calling the DescribeAddon operation: No addon: name-of-addon found in cluster: my-cluster ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23removing-an-add-on%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/workloads/restrict-service-external-ip.adoc b/latest/ug/workloads/restrict-service-external-ip.adoc index ea501e5cf..4528fe5bc 100644 --- a/latest/ug/workloads/restrict-service-external-ip.adoc +++ b/latest/ug/workloads/restrict-service-external-ip.adoc @@ -85,7 +85,4 @@ sed -i.bak -e 's|amazonaws.com||' externalip-webhook.yaml kubectl apply -f externalip-webhook.yaml ---- + -An attempt to deploy a service to your cluster with an IP address specified for `externalIPs` that is not contained in the blocks that you specified in the Specify CIDR blocks step will fail. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23restrict-service-external-ip%5D&type=code[Edit this page on GitHub] \ No newline at end of file +An attempt to deploy a service to your cluster with an IP address specified for `externalIPs` that is not contained in the blocks that you specified in the Specify CIDR blocks step will fail. \ No newline at end of file diff --git a/latest/ug/workloads/retreive-iam-info.adoc b/latest/ug/workloads/retreive-iam-info.adoc index e52b30fde..049eea58c 100644 --- a/latest/ug/workloads/retreive-iam-info.adoc +++ b/latest/ug/workloads/retreive-iam-info.adoc @@ -136,7 +136,4 @@ The following table indicates if certain Amazon EKS add-ons support EKS Pod Iden |=== -This table was last updated on October 28, 2024. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23retreive-iam-info%5D&type=code[Edit this page on GitHub] \ No newline at end of file +This table was last updated on October 28, 2024. \ No newline at end of file diff --git a/latest/ug/workloads/sample-deployment-windows.adoc b/latest/ug/workloads/sample-deployment-windows.adoc index 93a332b7d..cf5f2355d 100644 --- a/latest/ug/workloads/sample-deployment-windows.adoc +++ b/latest/ug/workloads/sample-deployment-windows.adoc @@ -272,7 +272,4 @@ After you deploy the sample application, you might want to try some of the follo * <> -* <> - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23sample-deployment-win%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* <> \ No newline at end of file diff --git a/latest/ug/workloads/sample-deployment.adoc b/latest/ug/workloads/sample-deployment.adoc index 4b9b16a0d..e1a38b10f 100644 --- a/latest/ug/workloads/sample-deployment.adoc +++ b/latest/ug/workloads/sample-deployment.adoc @@ -269,7 +269,4 @@ After you deploy the sample application, you might want to try some of the follo * <> -* <> - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23sample-deployment%5D&type=code[Edit this page on GitHub] \ No newline at end of file +* <> \ No newline at end of file diff --git a/latest/ug/workloads/update-addon-role.adoc b/latest/ug/workloads/update-addon-role.adoc index 308baa2bc..b8f52daf8 100644 --- a/latest/ug/workloads/update-addon-role.adoc +++ b/latest/ug/workloads/update-addon-role.adoc @@ -58,7 +58,4 @@ If successful, you should see output similar to the following. Note the OwnerARN } ] } ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23update-addon-role%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/workloads/updating-an-add-on.adoc b/latest/ug/workloads/updating-an-add-on.adoc index b7b604823..badedfd27 100644 --- a/latest/ug/workloads/updating-an-add-on.adoc +++ b/latest/ug/workloads/updating-an-add-on.adoc @@ -210,7 +210,4 @@ An example output is as follows. } ---- + -The update is complete when the status is `ACTIVE`. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23updating-an-add-on%5D&type=code[Edit this page on GitHub] \ No newline at end of file +The update is complete when the status is `ACTIVE`. \ No newline at end of file diff --git a/latest/ug/workloads/vertical-pod-autoscaler.adoc b/latest/ug/workloads/vertical-pod-autoscaler.adoc index 9b79f7555..5fb9c6fe0 100644 --- a/latest/ug/workloads/vertical-pod-autoscaler.adoc +++ b/latest/ug/workloads/vertical-pod-autoscaler.adoc @@ -246,7 +246,4 @@ Events: [source,bash,subs="verbatim,attributes"] ---- kubectl delete -f examples/hamster.yaml ----- - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23vertical-pod-autoscaler%5D&type=code[Edit this page on GitHub] \ No newline at end of file +---- \ No newline at end of file diff --git a/latest/ug/workloads/workloads-add-ons-available-eks.adoc b/latest/ug/workloads/workloads-add-ons-available-eks.adoc index 14c5aeda8..7417bd2f1 100644 --- a/latest/ug/workloads/workloads-add-ons-available-eks.adoc +++ b/latest/ug/workloads/workloads-add-ons-available-eks.adoc @@ -510,7 +510,4 @@ This add-on users permissions from the <>. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23workloads-add-ons-available-eks%5D&type=code[Edit this page on GitHub] \ No newline at end of file +You can only update one minor version at a time. For example, if your current version is `1.28.x-eksbuild.y` and you want to update to `1.30.x-eksbuild.y`, then you must update your current version to `1.29.x-eksbuild.y` and then update it again to `1.30.x-eksbuild.y`. For more information about updating the add-on, see <>. \ No newline at end of file diff --git a/latest/ug/workloads/workloads-add-ons-available-vendors.adoc b/latest/ug/workloads/workloads-add-ons-available-vendors.adoc index 11d939b68..2c03b1be2 100644 --- a/latest/ug/workloads/workloads-add-ons-available-vendors.adoc +++ b/latest/ug/workloads/workloads-add-ons-available-vendors.adoc @@ -882,7 +882,4 @@ A managed policy isn't used with this add-on. [#add-on-upwind-custom-permissions] === Custom IAM permissions -Custom permissions aren't used with this add-on. - - -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23workloads-add-ons-available-vendors%5D&type=code[Edit this page on GitHub] \ No newline at end of file +Custom permissions aren't used with this add-on. \ No newline at end of file From b028d347859f243c40e52da483384ed60a1a74be Mon Sep 17 00:00:00 2001 From: Gaurav Priyolkar Date: Fri, 14 Feb 2025 16:26:31 -0500 Subject: [PATCH 158/940] Fix missing output format in command --- latest/ug/nodes/hybrid-nodes-upgrade.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/nodes/hybrid-nodes-upgrade.adoc b/latest/ug/nodes/hybrid-nodes-upgrade.adoc index f544d18e3..0b458ec88 100644 --- a/latest/ug/nodes/hybrid-nodes-upgrade.adoc +++ b/latest/ug/nodes/hybrid-nodes-upgrade.adoc @@ -149,7 +149,7 @@ kubectl uncordon NODE_NAME + [source,yaml,subs="verbatim,attributes"] ---- -kubectl get nodes -o -w +kubectl get nodes -o wide -w ---- From da775bb03adb2f9674b86162ab2ae35b3bc088eb Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Fri, 14 Feb 2025 22:46:37 +0000 Subject: [PATCH 159/940] Remove EBS CSI migration FAQ when is no longer needed: 31643 --- .../kubernetes-versions-extended.adoc | 2 +- .../ug/storage/csi-snapshot-controller.adoc | 4 +- latest/ug/storage/ebs-csi-migration-faq.adoc | 139 ------------------ latest/ug/storage/storage.adoc | 10 -- latest/ug/zonbook.redirects.xml | 1 + 5 files changed, 3 insertions(+), 153 deletions(-) delete mode 100644 latest/ug/storage/ebs-csi-migration-faq.adoc diff --git a/latest/ug/clusters/kubernetes-versions-extended.adoc b/latest/ug/clusters/kubernetes-versions-extended.adoc index 8bb962f9d..0c78097b5 100644 --- a/latest/ug/clusters/kubernetes-versions-extended.adoc +++ b/latest/ug/clusters/kubernetes-versions-extended.adoc @@ -141,7 +141,7 @@ For the complete [.noloc]`Kubernetes` `1.24` changelog, see https://github.com/k * The [.noloc]`Kubernetes` in-tree to container storage interface (CSI) volume migration feature is enabled. This feature enables the replacement of existing [.noloc]`Kubernetes` in-tree storage plugins for Amazon EBS with a corresponding Amazon EBS CSI driver. For more information, see https://kubernetes.io/blog/2019/12/09/kubernetes-1-17-feature-csi-migration-beta/[Kubernetes 1.17 Feature: Kubernetes In-Tree to CSI Volume Migration Moves to Beta] on the [.noloc]`Kubernetes` blog. + -The feature translates in-tree APIs to equivalent CSI APIs and delegates operations to a replacement CSI driver. With this feature, if you use existing `StorageClass`, `PersistentVolume`, and `PersistentVolumeClaim` objects that belong to these workloads, there likely won't be any noticeable change. The feature enables [.noloc]`Kubernetes` to delegate all storage management operations from the in-tree plugin to the CSI driver. If you use Amazon EBS volumes in an existing cluster, install the Amazon EBS CSI driver in your cluster before you update your cluster to version `1.23`. If you don't install the driver before updating an existing cluster, interruptions to your workloads might occur. If you plan to deploy workloads that use Amazon EBS volumes in a new `1.23` cluster, install the Amazon EBS CSI driver in your cluster before deploying the workloads your cluster. For instructions on how to install the Amazon EBS CSI driver on your cluster, see <>. For frequently asked questions about the migration feature, see <>. +The feature translates in-tree APIs to equivalent CSI APIs and delegates operations to a replacement CSI driver. With this feature, if you use existing `StorageClass`, `PersistentVolume`, and `PersistentVolumeClaim` objects that belong to these workloads, there likely won't be any noticeable change. The feature enables [.noloc]`Kubernetes` to delegate all storage management operations from the in-tree plugin to the CSI driver. If you use Amazon EBS volumes in an existing cluster, install the Amazon EBS CSI driver in your cluster before you update your cluster to version `1.23`. If you don't install the driver before updating an existing cluster, interruptions to your workloads might occur. If you plan to deploy workloads that use Amazon EBS volumes in a new `1.23` cluster, install the Amazon EBS CSI driver in your cluster before deploying the workloads your cluster. For instructions on how to install the Amazon EBS CSI driver on your cluster, see <>. * Extended Support for Amazon EKS optimized [.noloc]`Windows` AMIs that are published by {aws} isn't available for [.noloc]`Kubernetes` version `1.23` but is available for [.noloc]`Kubernetes` version `1.24` and higher. ==== diff --git a/latest/ug/storage/csi-snapshot-controller.adoc b/latest/ug/storage/csi-snapshot-controller.adoc index cd208d65f..f28b250a8 100644 --- a/latest/ug/storage/csi-snapshot-controller.adoc +++ b/latest/ug/storage/csi-snapshot-controller.adoc @@ -15,10 +15,8 @@ Snapshot functionality allows for point-in-time copies of your data. For this ca Here are some things to consider when using the CSI snapshot controller. - - * The snapshot controller must be installed alongside a CSI driver with snapshot functionality. For installation instructions of the Amazon EBS CSI driver, see <>. -* [.noloc]`Kubernetes` doesn't support snapshots of volumes being served via CSI migration, such as Amazon EBS volumes using a `StorageClass` with provisioner `kubernetes.io/aws-ebs`. Volumes must be created with a `StorageClass` that references the CSI driver provisioner, `ebs.csi.aws.com`. For more information about CSI migration, see <>. +* [.noloc]`Kubernetes` doesn't support snapshots of volumes being served via CSI migration, such as Amazon EBS volumes using a `StorageClass` with provisioner `kubernetes.io/aws-ebs`. Volumes must be created with a `StorageClass` that references the CSI driver provisioner, `ebs.csi.aws.com`. * Amazon EKS Auto Mode does not include the snapshot controller. The storage capability of EKS Auto Mode is compatible with the snapshot controller. We recommend that you install the CSI snapshot controller through the Amazon EKS managed add-on. This add-on includes the custom resource definitions (CRDs) that are needed to create and manage snapshots on Amazon EKS. To add an Amazon EKS add-on to your cluster, see <>. For more information about add-ons, see <>. diff --git a/latest/ug/storage/ebs-csi-migration-faq.adoc b/latest/ug/storage/ebs-csi-migration-faq.adoc deleted file mode 100644 index 8def6ddb6..000000000 --- a/latest/ug/storage/ebs-csi-migration-faq.adoc +++ /dev/null @@ -1,139 +0,0 @@ -[.topic] -[#ebs-csi-migration-faq] -= Amazon EBS CSI migration frequently asked questions -:info_titleabbrev: EBS CSI migration FAQ -:keywords: Amazon EBS CSI driver, storage, CSI migration - -include::../attributes.txt[] - -[abstract] --- -The Amazon EBS container storage interface migration feature is enabled by default on Amazon EKS `1.23` and later clusters. Learn answers to frequently asked questions about the feature and how it works with `1.23` and later clusters. --- - -[IMPORTANT] -==== - -If you have [.noloc]`Pods` running on a version `1.22` or earlier cluster, then you must install the Amazon EBS CSI driver (see <>) before updating your cluster to version `1.23` to avoid service interruption. - -==== - -The Amazon EBS container storage interface (CSI) migration feature moves responsibility for handling storage operations from the Amazon EBS in-tree EBS storage provisioner to the Amazon EBS CSI driver (see <>). - -[#csi-migration-faq-csi-drivers] -== What are CSI drivers? - -CSI drivers: - - - -* Replace the [.noloc]`Kubernetes` "in-tree" storage drivers that exist in the [.noloc]`Kubernetes` project source code. -* Work with storage providers, such as Amazon EBS. -* Provide a simplified plugin model that make it easier for storage providers like {aws} to release features and maintain support without depending on the [.noloc]`Kubernetes` release cycle. - -For more information, see https://kubernetes-csi.github.io/docs/introduction.html[Introduction] in the [.noloc]`Kubernetes` CSI documentation. - -[#csi-migration-faq-what-is] -== What is CSI migration? - -The [.noloc]`Kubernetes` CSI Migration feature moves responsibility for handling storage operations from the existing in-tree storage plugins, such as `kubernetes.io/aws-ebs`, to corresponding CSI drivers. Existing `StorageClass`, `PersistentVolume` and `PersistentVolumeClaim` (PVC) objects continue to work, as long as the corresponding CSI driver is installed. When the feature is enabled: - - - -* Existing workloads that utilize PVCs continue to function as they always have. -* [.noloc]`Kubernetes` passes control of all storage management operations to CSI drivers. - -For more information, see https://kubernetes.io/blog/2021/12/10/storage-in-tree-to-csi-migration-status-update/[Kubernetes1.23: Kubernetes In-Tree to CSI Volume Migration Status Update] on the [.noloc]`Kubernetes` blog. - -To help you migrate from the in-tree plugin to CSI drivers, the `CSIMigration` and `CSIMigration{aws}` flags are enabled by default on Amazon EKS version `1.23` and later clusters. These flags enable your cluster to translate the in-tree APIs to their equivalent CSI APIs. These flags are set on the [.noloc]`Kubernetes` control plane managed by Amazon EKS and in the `kubelet` settings configured in Amazon EKS optimized AMIs. *If you have [.noloc]`Pods` using Amazon EBS volumes in your cluster, you must install the Amazon EBS CSI driver before updating your cluster to version `1.23`.* -If you don't, volume operations such as provisioning and mounting might not work as expected. For more information, see <>. - -[NOTE] -==== - -The in-tree `StorageClass` provisioner is named `kubernetes.io/aws-ebs`. The Amazon EBS CSI `StorageClass` provisioner is named `ebs.csi.aws.com`. - -==== - -[#csi-migration-faq-mounting-volumes] -== Can I mount `kubernetes.io/aws-ebs StorageClass` volumes in version `1.23` and later clusters? - -Yes, as long as the <> is installed. For newly created version `1.23` and later clusters, we recommend installing the Amazon EBS CSI driver as part of your cluster creation process. We also recommend only using `StorageClasses` based on the `ebs.csi.aws.com` provisioner. - -If you've updated your cluster control plane to version `1.23` and haven't yet updated your nodes to `1.23`, then the `CSIMigration` and `CSIMigration{aws}` kubelet flags aren't enabled. In this case, the in-tree driver is used to mount `kubernetes.io/aws-ebs` based volumes. The Amazon EBS CSI driver must still be installed however, to ensure that [.noloc]`Pods` using `kubernetes.io/aws-ebs` based volumes can be scheduled. The driver is also required for other volume operations to succeed. - -[#csi-migration-faq-aws-ebs-volumes] -== Can I provision `kubernetes.io/aws-ebs StorageClass` volumes on Amazon EKS `1.23` and later clusters? - -Yes, as long as the <> is installed. - -[#csi-migration-faq-aws-ebs-provisioner] -== Will the `kubernetes.io/aws-ebs StorageClass` provisioner ever be removed from Amazon EKS? - -The `kubernetes.io/aws-ebs` `StorageClass` provisioner and `awsElasticBlockStore` volume type are no longer supported, but there are no plans to remove them. These resources are treated as a part of the [.noloc]`Kubernetes` API. - -[#csi-migration-faq-ebs-csi-driver] -== How do I install the Amazon EBS CSI driver? - -We recommend installing the <>. When an update is required to the Amazon EKS add-on, you initiate the update and Amazon EKS updates the add-on for you. If you want to manage the driver yourself, you can install it using the open source https://github.com/kubernetes-sigs/aws-ebs-csi-driver/tree/master/charts/aws-ebs-csi-driver[Helm chart]. - -[IMPORTANT] -==== - -The [.noloc]`Kubernetes` in-tree Amazon EBS driver runs on the [.noloc]`Kubernetes` control plane. It uses IAM permissions assigned to the <> to provision Amazon EBS volumes. The Amazon EBS CSI driver runs on nodes. The driver needs IAM permissions to provision volumes. For more information, see <>. - -==== - -[#csi-migration-faq-check-driver] -== How can I check whether the Amazon EBS CSI driver is installed in my cluster? - -To determine whether the driver is installed on your cluster, run the following command: - -[source,bash,subs="verbatim,attributes"] ----- -kubectl get csidriver ebs.csi.aws.com ----- - -To check if that installation is managed by Amazon EKS, run the following command: - -[source,bash,subs="verbatim,attributes"] ----- -aws eks list-addons --cluster-name my-cluster ----- - - -[#csi-migration-faq-update-prevention] -== Will Amazon EKS prevent a cluster update to version `1.23` if I haven't already installed the Amazon EBS CSI driver? - -No. - -[#csi-migration-faq-driver-after-cluster-update] -== What if I forget to install the Amazon EBS CSI driver before I update my cluster to version 1.23? Can I install the driver after updating my cluster? - -Yes, but volume operations requiring the Amazon EBS CSI driver will fail after your cluster update until the driver is installed. - -[#csi-migration-faq-default-storageclass] -== What is the default `StorageClass` applied in newly created Amazon EKS version `1.23` and later clusters? - -The default `StorageClass` behavior remains unchanged. With each new cluster, Amazon EKS applies a `kubernetes.io/aws-ebs` based `StorageClass` named `gp2`. We don't plan to ever remove this `StorageClass` from newly created clusters. Separate from the cluster default `StorageClass`, if you create an `ebs.csi.aws.com` based `StorageClass` without specifying a volume type, the Amazon EBS CSI driver will default to using `gp3`. - -[#csi-migration-faq-existing-storageclasses] -== Will Amazon EKS make any changes to storage classes already present in my existing cluster when I update my cluster to version `1.23`? - -No. - -[#csi-migration-faq-migrate-using-snapshots] -== How do I migrate a persistent volume from the `kubernetes.io/aws-ebs` `StorageClass` to `ebs.csi.aws.com` using snapshots? - -To migrate a persistent volume, see link:containers/migrating-amazon-eks-clusters-from-gp2-to-gp3-ebs-volumes[Migrating Amazon EKS clusters from gp2 to gp3 EBS volumes,type="blog"] on the {aws} blog. - -[#csi-migration-faq-migrate-using-annotations] -== How do I modify an Amazon EBS volume using annotations? - -Starting with `aws-ebs-csi-driver` `v1.19.0-eksbuild.2`, you can modify Amazon EBS volumes using annotations within each `PersistentVolumeClaim` (PVC). -The new https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/modify-volume.md[volume modification] feature is implemented as an additional sidecar, called `volumemodifier`. For more information, see link:storage/simplifying-amazon-ebs-volume-migration-and-modification-using-the-ebs-csi-driver[Simplifying Amazon EBS volume migration and modification on Kubernetes using the EBS CSI Driver,type="blog"] on the {aws} blog. - -[#csi-migration-faq-windows] -== Is migration supported for Windows workloads? - -Yes. If you're installing the Amazon EBS CSI driver using the open source Helm chart, set `node.enableWindows` to `true`. This is set by default if installing the Amazon EBS CSI driver as an Amazon EKS add-on. When creating storage classes, set the `fsType` to a Windows file system, such as `ntfs`. Volume operations for Windows workloads are then migrated to the Amazon EBS CSI driver the same as they are for Linux workloads. \ No newline at end of file diff --git a/latest/ug/storage/storage.adoc b/latest/ug/storage/storage.adoc index d702474bd..518a5c210 100644 --- a/latest/ug/storage/storage.adoc +++ b/latest/ug/storage/storage.adoc @@ -25,26 +25,16 @@ This chapter covers storage options for Amazon EKS clusters. include::ebs-csi.adoc[leveloffset=+1] - -include::ebs-csi-migration-faq.adoc[leveloffset=+1] - - include::efs-csi.adoc[leveloffset=+1] - include::fsx-csi.adoc[leveloffset=+1] - include::fsx-ontap.adoc[leveloffset=+1] - include::fsx-openzfs-csi.adoc[leveloffset=+1] - include::file-cache-csi.adoc[leveloffset=+1] - include::s3-csi.adoc[leveloffset=+1] - include::csi-snapshot-controller.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/zonbook.redirects.xml b/latest/ug/zonbook.redirects.xml index 413eb381d..40dcda5eb 100644 --- a/latest/ug/zonbook.redirects.xml +++ b/latest/ug/zonbook.redirects.xml @@ -146,6 +146,7 @@ + From 2ea20882ffe889c95338dbaeb5246a009f02ead2 Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Fri, 14 Feb 2025 16:13:29 -0800 Subject: [PATCH 160/940] eksctl v0.204.0: https://github.com/eksctl-io/eksctl/releases/tag/v0.204.0 --- latest/ug/attributes.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/attributes.txt b/latest/ug/attributes.txt index 66a281a0f..79308971e 100644 --- a/latest/ug/attributes.txt +++ b/latest/ug/attributes.txt @@ -1,5 +1,5 @@ // eksctl version -:eksctl-min-version: 0.203.0 +:eksctl-min-version: 0.204.0 // EKS Auto Mode versions :auto-cli-v2-version: 2.12.3 From 2d73200a22f2d52edc8500c170cf4683130df63c Mon Sep 17 00:00:00 2001 From: Gaurav Priyolkar Date: Fri, 14 Feb 2025 21:48:41 -0500 Subject: [PATCH 161/940] cordon is sufficient to stop scheduling pods on a node - no need to taint --- latest/ug/nodes/hybrid-nodes-upgrade.adoc | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/latest/ug/nodes/hybrid-nodes-upgrade.adoc b/latest/ug/nodes/hybrid-nodes-upgrade.adoc index 0b458ec88..2ad662bd7 100644 --- a/latest/ug/nodes/hybrid-nodes-upgrade.adoc +++ b/latest/ug/nodes/hybrid-nodes-upgrade.adoc @@ -117,11 +117,11 @@ done The in-place upgrade process refers to using `nodeadm upgrade` to upgrade the Kubernetes version for hybrid nodes without using new physical or virtual hosts and a cutover migration strategy. The `nodeadm upgrade` process shuts down the existing older Kubernetes components running on the hybrid node, uninstalls the existing older Kubernetes components, installs the new target Kubernetes components, and starts the new target Kubernetes components. It is strongly recommend to upgrade one node at a time to minimize impact to applications running on the hybrid nodes. The duration of this process depends on your network bandwidth and latency. -. Use the following command to taint the node you are upgrading with `NoSchedule`. This is so that new pods aren't scheduled or rescheduled on the node that you are upgrading. For more information, see https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/[Taints and Tolerations] in the Kubernetes documentation. Replace `NODE_NAME` with the name of the hybrid node you are upgrading +. Use the following command to mark the node you are upgrading as unschedulable. This is so that new pods aren't scheduled or rescheduled on the node that you are upgrading. For more information, see https://kubernetes.io/docs/reference/kubectl/generated/kubectl_cordon/[kubectl cordon] in the Kubernetes documentation. Replace `NODE_NAME` with the name of the hybrid node you are upgrading + [source,yaml,subs="verbatim,attributes"] ---- -kubectl taint nodes NODE_NAME key=value:NoSchedule +kubectl cordon NODE_NAME ---- . Drain the node you are upgrading with the following command. For more information on draining nodes, see https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/[Safely Drain a Node] in the Kubernetes documentation. Replace `NODE_NAME` with the name of the hybrid node you are upgrading. @@ -141,7 +141,6 @@ nodeadm upgrade K8S_VERSION -c file://nodeConfig.yaml + [source,yaml,subs="verbatim,attributes,quotes"] ---- -kubectl taint nodes NODE_NAME key=value:NoSchedule- kubectl uncordon NODE_NAME ---- From 061de812c0dc5d7e20d7d7af3162534a24ba013b Mon Sep 17 00:00:00 2001 From: Gaurav Priyolkar Date: Fri, 14 Feb 2025 23:14:51 -0500 Subject: [PATCH 162/940] Fix command to identify all nodes of a particular Kubernetes version --- latest/ug/nodes/hybrid-nodes-upgrade.adoc | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/latest/ug/nodes/hybrid-nodes-upgrade.adoc b/latest/ug/nodes/hybrid-nodes-upgrade.adoc index 2ad662bd7..4ee8c95a5 100644 --- a/latest/ug/nodes/hybrid-nodes-upgrade.adoc +++ b/latest/ug/nodes/hybrid-nodes-upgrade.adoc @@ -39,23 +39,22 @@ Cutover migration upgrades refer to the process of creating new hybrid nodes on . Connect your new hosts as hybrid nodes following the <> steps. When running the `nodeadm install` command, use your target Kubernetes version. . Enable communication between the new hybrid nodes on the target Kubernetes version and your hybrid nodes on the old Kubernetes version. This configuration allows pods to communicate with each other while you are migrating your workload to the hybrid nodes on the target Kubernetes version. . Confirm your hybrid nodes on your target Kubernetes version successfully joined your cluster and have status Ready. -. Use the following command to taint each of the nodes that you want to remove with `NoSchedule`. This is so that new pods aren't scheduled or rescheduled on the nodes that you are replacing. For more information, see https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/[Taints and Tolerations] in the Kubernetes documentation. Replace `NODE_NAME` with the name of the hybrid nodes on the old Kubernetes version. +. Use the following command to mark each of the nodes that you want to remove as unschedulable. This is so that new pods aren't scheduled or rescheduled on the nodes that you are replacing. For more information, see https://kubernetes.io/docs/reference/kubectl/generated/kubectl_cordon/[kubectl cordon] in the Kubernetes documentation. Replace `NODE_NAME` with the name of the hybrid nodes on the old Kubernetes version. + [source,yaml,subs="verbatim,attributes,quotes"] ---- -kubectl taint nodes [.replaceable]`NODE_NAME` key=value:NoSchedule +kubectl cordon [.replaceable]`NODE_NAME` ---- + -You can identify and taint all of the nodes of a particular Kubernetes version (in this case, `1.28`) with the following code snippet. +You can identify and cordon all of the nodes of a particular Kubernetes version (in this case, `1.28`) with the following code snippet. + [source,yaml,subs="verbatim,attributes"] ---- K8S_VERSION=1.28 -nodes=$(kubectl get nodes -o jsonpath="{.items[?(@.status.nodeInfo.kubeletVersion==\"v$K8S_VERSION\")].metadata.name}") -for node in ${nodes[@]} +for node in $(kubectl get nodes -o json | jq --arg K8S_VERSION "$K8S_VERSION" -r '.items[] | select(.status.nodeInfo.kubeletVersion | match("\($K8S_VERSION)")).metadata.name') do - echo "Tainting $node" - kubectl taint nodes $node key=value:NoSchedule + echo "Cordoning $node" + kubectl cordon $node done ---- . If your current deployment is running fewer than two CoreDNS replicas on your hybrid nodes, scale out the deployment to at least two replicas. It is recommended to run at least two CoreDNS replicas on hybrid nodes for resiliency during normal operations. @@ -76,8 +75,7 @@ You can identify and drain all of the nodes of a particular Kubernetes version ( [source,yaml,subs="verbatim,attributes"] ---- K8S_VERSION=1.28 -nodes=$(kubectl get nodes -o jsonpath="{.items[?(@.status.nodeInfo.kubeletVersion==\"v$K8S_VERSION\")].metadata.name}") -for node in ${nodes[@]} +for node in $(kubectl get nodes -o json | jq --arg K8S_VERSION "$K8S_VERSION" -r '.items[] | select(.status.nodeInfo.kubeletVersion | match("\($K8S_VERSION)")).metadata.name') do echo "Draining $node" kubectl drain $node --ignore-daemonsets --delete-emptydir-data @@ -103,11 +101,10 @@ You can identify and delete all of the nodes of a particular Kubernetes version [source,yaml,subs="verbatim,attributes"] ---- K8S_VERSION=1.28 -nodes=$(kubectl get nodes -o jsonpath="{.items[?(@.status.nodeInfo.kubeletVersion==\"v$K8S_VERSION\")].metadata.name}") -for node in ${nodes[@]} +for node in $(kubectl get nodes -o json | jq --arg K8S_VERSION "$K8S_VERSION" -r '.items[] | select(.status.nodeInfo.kubeletVersion | match("\($K8S_VERSION)")).metadata.name') do echo "Deleting $node" - kubectl delete node $node + kubectl delete node $node done ---- From 410939e2f393d46a9719916b70342e5c7e222868 Mon Sep 17 00:00:00 2001 From: Jeong Donghee Date: Mon, 17 Feb 2025 12:03:58 +0900 Subject: [PATCH 163/940] Correct networking documentation for hybrid EKS nodes --- latest/ug/nodes/hybrid-nodes-networking.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/nodes/hybrid-nodes-networking.adoc b/latest/ug/nodes/hybrid-nodes-networking.adoc index a8d632e9f..99726bcf0 100644 --- a/latest/ug/nodes/hybrid-nodes-networking.adoc +++ b/latest/ug/nodes/hybrid-nodes-networking.adoc @@ -161,7 +161,7 @@ Depending on your choice of CNI, you need to configure additional network access |10250 |EKS cluster IPs ^1^ |Remote Node CIDR(s) -|[.noloc]`kubelet` to Kubernetes API server +|Kubernetes API server to [.noloc]`kubelet` |HTTPS |TCP From 2b91a2dae4236af0a3dba00827a504bcbea854bf Mon Sep 17 00:00:00 2001 From: Donovan Date: Mon, 17 Feb 2025 15:51:15 -0800 Subject: [PATCH 164/940] Enable URL validation (#885) * Enable URL validation Turn on ExternalDomain check during PR workflow. * fix GH Action. add ascidoctor * fix GH Action. Vale not allowed to fail. set continue-on-error, now that Vale completes on 2 rules. --- .github/workflows/vale.yml | 6 +++++- brand.vale.ini | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/vale.yml b/.github/workflows/vale.yml index 08ddd6b0e..0ea1ba69d 100644 --- a/.github/workflows/vale.yml +++ b/.github/workflows/vale.yml @@ -11,6 +11,10 @@ jobs: - name: Check out uses: actions/checkout@v3 + # Vale uses asciidoctor + - name: Install Asciidoctor + run: sudo apt-get install -y asciidoctor + - name: Enforce AWS Brand Attribute uses: errata-ai/vale-action@reviewdog env: @@ -21,4 +25,4 @@ jobs: filter_mode: added files: latest/ug vale_flags: "--config brand.vale.ini" - continue-on-error: true + continue-on-error: false diff --git a/brand.vale.ini b/brand.vale.ini index b005e14b3..ad48fba7f 100644 --- a/brand.vale.ini +++ b/brand.vale.ini @@ -9,6 +9,6 @@ MinAlertLevel = error # Ignore files in dirs starting with `.` to avoid raising errors for `.vale/fixtures/*/testinvalid.adoc` files [[!.]*.adoc] BasedOnStyles = EksDocs -EksDocs.ExternalDomains = OFF +EksDocs.ExternalDomains = ON From 33061f13a11267adff63e24e8527f9dda1cd0e89 Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Tue, 18 Feb 2025 13:10:27 -0800 Subject: [PATCH 165/940] JDK17 migration --- Config | 8 ++++---- build.xml | 6 +++--- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Config b/Config index 6a1d1ce19..18eff9542 100755 --- a/Config +++ b/Config @@ -12,7 +12,7 @@ package.AmazonEKSDocs = { }; scope = webservices; - build-system = happytrails; + build-system = zonbooktrails; build-environment = { chroot = basic; network-access = blocked; @@ -20,11 +20,11 @@ package.AmazonEKSDocs = { build-tools = { 3.0 = { - HappyTrails = 3.2; + ZonBookTrails = 1.0; AWSEC2ContainerChecklist = 1.0; AWSDevDocsQuotasShare = 1.0; - JavaBuildAndTestMin = jdk8; - ZonBook = 4.0; + + ZonBook = 5.0; AWSDevDocsChecklistBJS = 2.0; }; }; diff --git a/build.xml b/build.xml index d8c709f32..be3181b4e 100755 --- a/build.xml +++ b/build.xml @@ -1,6 +1,6 @@ - - + + This is the entry point for happy trails builds (package builder and eclipse). - + \ No newline at end of file From f9e1017a33126277ffaedb9d010c3632c6870328 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Tue, 18 Feb 2025 22:14:20 +0000 Subject: [PATCH 166/940] revise addon desc cr: https://code.amazon.com/reviews/CR-178941264 --- latest/ug/workloads/community-addons.adoc | 6 +++++- latest/ug/workloads/eks-add-ons.adoc | 5 ++++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/latest/ug/workloads/community-addons.adoc b/latest/ug/workloads/community-addons.adoc index b16055d76..73b0a19c2 100644 --- a/latest/ug/workloads/community-addons.adoc +++ b/latest/ug/workloads/community-addons.adoc @@ -10,7 +10,11 @@ For example, you can use the {aws} API, CLI, or Management Console to install co You manage community add-ons just like existing Amazon EKS Add-ons. Community add-ons are different from existing add-ons in that they have a unique scope of support. -Community add-ons are built and validated by {aws}. Importantly, {aws} does not provide full support for community add-ons. {aws} supports only lifecycle operations done using {aws} APIs, such as installing add-ons or deleting add-ons. +NOTE: Using community add-ons is at your discretion. As part of the xref:security[shared responsibility model] between you and {aws}, you are expected to understand what you are installing into your workspace for these third party plugins. You are also responsible for the community add-ons meeting your security needs. + +Community add-ons are built by {aws}. {aws} only validates community add-ons for version compatibility. For example, if you install a community add-on on a cluster, {aws} checks if it is compatible with the Kubernetes version of your cluster. + +Importantly, {aws} does not provide full support for community add-ons. {aws} supports only lifecycle operations done using {aws} APIs, such as installing add-ons or deleting add-ons. If you require support for a community add-on, utilize the existing project resources. For example, you may create a GitHub issue on the repo for the project. diff --git a/latest/ug/workloads/eks-add-ons.adoc b/latest/ug/workloads/eks-add-ons.adoc index 8f704449b..b91849fa6 100644 --- a/latest/ug/workloads/eks-add-ons.adoc +++ b/latest/ug/workloads/eks-add-ons.adoc @@ -105,6 +105,7 @@ If you are planning to enable EKS Auto Mode on an existing cluster, you may need ** For more information, see <>. * *Community Add-ons*: These add-ons are scanned by {aws} but supported by the open source community. ** Use a community add-on to reduce the complexity of installing common open source software, such as Kubernetes Metrics Server. +** Community add-ons are built by {aws}. {aws} only validates community add-ons for version compatibility. ** For more information, see <>. The following table details the scope of support for each add-on type: @@ -122,7 +123,7 @@ The following table details the scope of support for each add-on type: |Validated by {aws} |Yes |No -|Yes +|Yes* |Development |Validated by {aws} Partner |No @@ -170,6 +171,8 @@ The following table details the scope of support for each add-on type: |No |=== +`*`: Validation for community add-ons only includes Kubernetes version compatibility. For example, if you install a community add-on on a cluster, {aws} checks if it is compatible with the Kubernetes version of your cluster. + {aws} Marketplace add-ons can download additional software dependencies from external sources outside of {aws}. These external dependencies are not scanned or validated by {aws}. Consider your security requirements when deploying {aws} Marketplace add-ons that fetch external dependencies. include::workloads-add-ons-available-eks.adoc[leveloffset=+1] From d2c96ab509e26f657803413295c8dfdd600a9cdb Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Wed, 19 Feb 2025 15:03:02 -0800 Subject: [PATCH 167/940] add affinity and disable Envoy for Cilium on hybrid nodes --- latest/ug/nodes/hybrid-nodes-cni.adoc | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/latest/ug/nodes/hybrid-nodes-cni.adoc b/latest/ug/nodes/hybrid-nodes-cni.adoc index 56ab53791..7e240fd77 100644 --- a/latest/ug/nodes/hybrid-nodes-cni.adoc +++ b/latest/ug/nodes/hybrid-nodes-cni.adoc @@ -97,8 +97,19 @@ ipam: clusterPoolIPv4PodCIDRList: - POD_CIDR operator: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: eks.amazonaws.com/compute-type + operator: In + values: + - hybrid unmanagedPodWatcher: restart: false +envoy: + enabled: false ---- . Install Cilium on your cluster. Replace `CILIUM_VERSION` with your desired Cilium version. It is recommended to run the latest patch version for your Cilium minor version. You can find the latest patch release for a given minor Cilium release in the https://github.com/cilium/cilium#stable-releases[Stable Releases section] of the Cilium documentation. If you are enabling BGP for your deployment, add the `--set bgpControlPlane.enabled=true` flag in the command below. If you are using a specific kubeconfig file, use the `--kubeconfig` flag with the Helm install command. From 50bbfaa38dd9a106402d762f799119f5015fc308 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Wed, 19 Feb 2025 17:12:16 -0600 Subject: [PATCH 168/940] feb community addons --- latest/ug/workloads/community-addons.adoc | 66 ++++++++++++++++++++++- 1 file changed, 65 insertions(+), 1 deletion(-) diff --git a/latest/ug/workloads/community-addons.adoc b/latest/ug/workloads/community-addons.adoc index 73b0a19c2..b249a210d 100644 --- a/latest/ug/workloads/community-addons.adoc +++ b/latest/ug/workloads/community-addons.adoc @@ -75,4 +75,68 @@ The Kubernetes Metrics Server is a scalable and efficient source of container re |Custom IAM permissions | None |=== -link:samples/attributions-md.zip[View license attributions for this add-on. ] \ No newline at end of file + +=== [.noloc]`kube-state-metrics` + +Add-on agent to generate and expose cluster-level metrics. + +The state of Kubernetes objects in the Kubernetes API can be exposed as metrics. An add-on agent called kube-state-metrics can connect to the Kubernetes API server and expose a HTTP endpoint with metrics generated from the state of individual objects in the cluster. It exposes various information about the state of objects like labels and annotations, startup and termination times, status or the phase the object currently is in. + +|=== +|Property | Value + +|Add-on name | `kube-state-metrics` + +|Namespace | `kube-system` + +|Documentation | https://kubernetes.io/docs/concepts/cluster-administration/kube-state-metrics/[Metrics for Kubernetes Object States] in Kubernetes Docs + +|Service account name | None + +|Managed IAM policy | None + +|Custom IAM permissions | None +|=== + + +=== [.noloc]`Prometheus Node exporter` + +Prometheus exporter for hardware and OS metrics exposed by *NIX kernels, written in Go with pluggable metric collectors. The Prometheus Node Exporter exposes a wide variety of hardware- and kernel-related metrics. + +|=== +|Property | Value + +|Add-on name | `node_exporter` + +|Namespace | `kube-system` + +|Documentation | https://prometheus.io/docs/guides/node-exporter/#monitoring-linux-host-metrics-with-the-node-exporter[Monitoring Linux host metrics with the Node Exporter] in Prometheus Docs + +|Service account name | None + +|Managed IAM policy | None + +|Custom IAM permissions | None +|=== + +== View Attributions + +You can download the open source attribtions and license information for community add-ons. + +. Determine the name and version of the add-on you want to download attributions for. +. Update the following command with the name and version: ++ +[source,cli] +---- +curl -O https://amazon-eks-docs.s3.amazonaws.com/attributions///attributions.zip +---- ++ +For example: ++ +[source,cli] +---- +curl -O https://amazon-eks-docs.s3.amazonaws.com/attributions/kube-state-metrics/v2.14.0-eksbuild.1/attributions.zip +---- +. Use the command to download the file. + +Use this zip file to view information about the license attributions. \ No newline at end of file From bcf57d8d0d10479eddd3017feff71739cf379a1c Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Wed, 19 Feb 2025 17:18:40 -0600 Subject: [PATCH 169/940] fixup --- latest/ug/workloads/community-addons.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/workloads/community-addons.adoc b/latest/ug/workloads/community-addons.adoc index b249a210d..d78de933d 100644 --- a/latest/ug/workloads/community-addons.adoc +++ b/latest/ug/workloads/community-addons.adoc @@ -87,7 +87,7 @@ The state of Kubernetes objects in the Kubernetes API can be exposed as metrics. |Add-on name | `kube-state-metrics` -|Namespace | `kube-system` +|Namespace | `kube-state-metrics` |Documentation | https://kubernetes.io/docs/concepts/cluster-administration/kube-state-metrics/[Metrics for Kubernetes Object States] in Kubernetes Docs @@ -108,7 +108,7 @@ Prometheus exporter for hardware and OS metrics exposed by *NIX kernels, written |Add-on name | `node_exporter` -|Namespace | `kube-system` +|Namespace | `prometheus-node-exporter` |Documentation | https://prometheus.io/docs/guides/node-exporter/#monitoring-linux-host-metrics-with-the-node-exporter[Monitoring Linux host metrics with the Node Exporter] in Prometheus Docs From 461f52382f958b8d8e3c0c9a9e37f1c6f1a12d4e Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Thu, 20 Feb 2025 01:04:50 +0000 Subject: [PATCH 170/940] Removed inconsistent noloc tags to address potential translation inconsistencies. If needed, we can add them back globally on a per term basis. --- latest/ug/book.adoc | 2 +- latest/ug/clusters/autoscaling.adoc | 10 +- latest/ug/clusters/cluster-endpoint.adoc | 24 +- latest/ug/clusters/cluster-insights.adoc | 18 +- latest/ug/clusters/clusters.adoc | 8 +- latest/ug/clusters/create-cluster-auto.adoc | 30 +- latest/ug/clusters/create-cluster.adoc | 58 +-- latest/ug/clusters/delete-cluster.adoc | 6 +- .../ug/clusters/disable-extended-support.adoc | 2 +- .../ug/clusters/disable-windows-support.adoc | 4 +- .../ug/clusters/enable-extended-support.adoc | 2 +- .../kubernetes-versions-extended.adoc | 122 +++--- .../kubernetes-versions-standard.adoc | 38 +- latest/ug/clusters/kubernetes-versions.adoc | 66 ++-- .../management/cost-monitoring-aws.adoc | 2 +- .../cost-monitoring-kubecost-bundles.adoc | 42 +- .../management/cost-monitoring-kubecost.adoc | 28 +- .../clusters/management/cost-monitoring.adoc | 6 +- .../ug/clusters/management/eks-managing.adoc | 6 +- .../clusters/management/eks-using-tags.adoc | 6 +- latest/ug/clusters/management/helm.adoc | 10 +- .../clusters/management/metrics-server.adoc | 6 +- .../clusters/management/service-quotas.adoc | 8 +- latest/ug/clusters/platform-versions.adoc | 34 +- latest/ug/clusters/private-clusters.adoc | 18 +- latest/ug/clusters/update-cluster.adoc | 62 +-- latest/ug/clusters/view-upgrade-policy.adoc | 10 +- latest/ug/clusters/windows-support.adoc | 46 +-- latest/ug/connector/connecting-cluster.adoc | 18 +- .../ug/connector/connector-grant-access.adoc | 18 +- .../deregister-connected-cluster.adoc | 10 +- latest/ug/connector/eks-connector.adoc | 18 +- latest/ug/connector/security-connector.adoc | 12 +- .../connector/troubleshooting-connector.adoc | 40 +- latest/ug/connector/tsc-faq.adoc | 10 +- latest/ug/doc-history.adoc | 362 +++++++++--------- .../getting-started-console.adoc | 12 +- .../getting-started-eksctl.adoc | 22 +- .../ug/getting-started/getting-started.adoc | 4 +- .../ug/getting-started/install-kubectl.adoc | 220 +++++------ latest/ug/getting-started/setting-up.adoc | 4 +- .../integrations/integration-detective.adoc | 8 +- .../integrations/integration-guardduty.adoc | 4 +- .../integration-resilience-hub.adoc | 2 +- .../integration-securitylake.adoc | 4 +- .../integrations/integration-vpc-lattice.adoc | 2 +- latest/ug/integrations/local-zones.adoc | 4 +- .../associate-service-account-role.adoc | 30 +- .../aws-access/configure-sts-endpoint.adoc | 24 +- .../aws-access/cross-account-access.adoc | 6 +- ...enable-iam-roles-for-service-accounts.adoc | 28 +- ...oles-for-service-accounts-minimum-sdk.adoc | 6 +- .../iam-roles-for-service-accounts.adoc | 20 +- .../aws-access/irsa-fetch-keys.adoc | 16 +- .../aws-access/pod-configuration.adoc | 40 +- .../aws-access/pod-id-agent-config-ipv6.adoc | 4 +- .../aws-access/pod-id-agent-setup.adoc | 2 +- .../aws-access/pod-id-association.adoc | 26 +- .../aws-access/pod-id-configure-pods.adoc | 26 +- .../aws-access/pod-id-how-it-works.adoc | 8 +- .../aws-access/pod-id-minimum-sdk.adoc | 2 +- .../manage-access/aws-access/pod-id-role.adoc | 2 +- .../aws-access/pod-identities.adoc | 28 +- .../aws-access/service-accounts.adoc | 38 +- latest/ug/manage-access/cluster-auth.adoc | 18 +- .../ug/manage-access/create-kubeconfig.adoc | 12 +- .../k8s-access/access-entries.adoc | 2 +- .../k8s-access/access-policies.adoc | 20 +- .../k8s-access/access-policy-reference.adoc | 12 +- .../k8s-access/auth-configmap.adoc | 32 +- .../authenticate-oidc-identity-provider.adoc | 36 +- .../k8s-access/creating-access-entries.adoc | 20 +- .../disassociate-oidc-identity-provider.adoc | 6 +- .../k8s-access/grant-k8s-access.adoc | 24 +- .../k8s-access/migrating-access-entries.adoc | 2 +- .../k8s-access/setting-up-access-entries.adoc | 14 +- .../view-kubernetes-resources.adoc | 36 +- latest/ug/ml/capacity-blocks-mng.adoc | 8 +- latest/ug/ml/capacity-blocks.adoc | 12 +- latest/ug/ml/inferentia-support.adoc | 12 +- latest/ug/ml/ml-eks-optimized-ami.adoc | 10 +- latest/ug/ml/node-efa.adoc | 34 +- .../ml/node-taints-managed-node-groups.adoc | 12 +- .../ug/networking/alternate-cni-plugins.adoc | 10 +- .../aws-load-balancer-controller.adoc | 36 +- .../cni-custom-network-tutorial.adoc | 48 +-- latest/ug/networking/cni-custom-network.adoc | 18 +- latest/ug/networking/cni-iam-role.adoc | 32 +- .../cni-increase-ip-addresses-procedure.adoc | 46 +-- .../networking/cni-increase-ip-addresses.adoc | 22 +- latest/ug/networking/cni-ipv6.adoc | 20 +- .../cni-network-policy-configure.adoc | 38 +- latest/ug/networking/cni-network-policy.adoc | 28 +- .../ug/networking/coredns-add-on-create.adoc | 6 +- .../coredns-add-on-self-managed-update.adoc | 18 +- .../ug/networking/coredns-add-on-update.adoc | 6 +- latest/ug/networking/coredns-autoscaling.adoc | 70 ++-- latest/ug/networking/coredns-metrics.adoc | 6 +- latest/ug/networking/creating-a-vpc.adoc | 20 +- latest/ug/networking/deploy-ipv6-cluster.adoc | 22 +- .../ug/networking/eks-networking-add-ons.adoc | 18 +- latest/ug/networking/external-snat.adoc | 22 +- ...kube-proxy-add-on-self-managed-update.adoc | 6 +- latest/ug/networking/lbc-helm.adoc | 26 +- latest/ug/networking/lbc-manifest.adoc | 32 +- latest/ug/networking/lbc-remove.adoc | 22 +- latest/ug/networking/managing-coredns.adoc | 32 +- latest/ug/networking/managing-kube-proxy.adoc | 8 +- latest/ug/networking/managing-vpc-cni.adoc | 10 +- .../network-policies-troubleshooting.adoc | 22 +- .../ug/networking/network-policy-disable.adoc | 6 +- .../networking/network-policy-stars-demo.adoc | 2 +- latest/ug/networking/network-reqs.adoc | 54 +-- .../pod-multiple-network-interfaces.adoc | 14 +- .../networking/pod-networking-use-cases.adoc | 14 +- latest/ug/networking/sec-group-reqs.adoc | 8 +- .../networking/security-groups-for-pods.adoc | 44 +-- .../security-groups-pods-deployment.adoc | 36 +- .../sg-pods-example-deployment.adoc | 46 +-- latest/ug/networking/vpc-add-on-create.adoc | 16 +- .../vpc-add-on-self-managed-update.adoc | 2 +- latest/ug/networking/vpc-add-on-update.adoc | 6 +- latest/ug/nodes/al2023.adoc | 8 +- .../bottlerocket-compliance-support.adoc | 14 +- latest/ug/nodes/choosing-instance-type.adoc | 34 +- .../ug/nodes/create-managed-node-group.adoc | 68 ++-- latest/ug/nodes/delete-fargate-profile.adoc | 4 +- .../ug/nodes/delete-managed-node-group.adoc | 2 +- latest/ug/nodes/dockershim-deprecation.adoc | 32 +- latest/ug/nodes/eks-ami-build-scripts.adoc | 10 +- .../nodes/eks-ami-versions-bottlerocket.adoc | 8 +- latest/ug/nodes/eks-ami-versions-windows.adoc | 192 +++++----- latest/ug/nodes/eks-compute.adoc | 38 +- latest/ug/nodes/eks-custom-ami-windows.adoc | 26 +- latest/ug/nodes/eks-linux-ami-versions.adoc | 4 +- .../nodes/eks-optimized-ami-bottlerocket.adoc | 36 +- latest/ug/nodes/eks-optimized-ami.adoc | 24 +- .../ug/nodes/eks-optimized-windows-ami.adoc | 82 ++-- latest/ug/nodes/eks-partner-amis.adoc | 4 +- latest/ug/nodes/fargate-getting-started.adoc | 50 +-- latest/ug/nodes/fargate-logging.adoc | 58 +-- .../ug/nodes/fargate-pod-configuration.adoc | 36 +- latest/ug/nodes/fargate-pod-patching.adoc | 20 +- latest/ug/nodes/fargate-profile.adoc | 54 +-- latest/ug/nodes/fargate.adoc | 74 ++-- latest/ug/nodes/hybrid-nodes-add-ons.adoc | 2 +- latest/ug/nodes/hybrid-nodes-networking.adoc | 32 +- latest/ug/nodes/hybrid-nodes-os.adoc | 2 +- latest/ug/nodes/hybrid-nodes-overview.adoc | 16 +- latest/ug/nodes/hybrid-nodes-prereqs.adoc | 2 +- .../nodes/hybrid-nodes-troubleshooting.adoc | 2 +- latest/ug/nodes/hybrid-nodes-tutorial.adoc | 2 +- latest/ug/nodes/launch-node-bottlerocket.adoc | 28 +- latest/ug/nodes/launch-node-ubuntu.adoc | 22 +- latest/ug/nodes/launch-templates.adoc | 44 +-- latest/ug/nodes/launch-windows-workers.adoc | 48 +-- latest/ug/nodes/launch-workers.adoc | 48 +-- latest/ug/nodes/learn-status-conditions.adoc | 2 +- latest/ug/nodes/managed-node-groups.adoc | 32 +- .../nodes/managed-node-update-behavior.adoc | 16 +- latest/ug/nodes/migrate-stack.adoc | 20 +- latest/ug/nodes/monitoring-fargate-usage.adoc | 4 +- .../nodes/retrieve-ami-id-bottlerocket.adoc | 4 +- latest/ug/nodes/retrieve-windows-ami-id.adoc | 10 +- .../self-managed-windows-server-2022.adoc | 8 +- .../ug/nodes/update-managed-node-group.adoc | 28 +- latest/ug/nodes/update-stack.adoc | 22 +- latest/ug/nodes/update-workers.adoc | 4 +- latest/ug/nodes/worker.adoc | 4 +- .../ug/observability/control-plane-logs.adoc | 16 +- .../ug/observability/deploy-prometheus.adoc | 20 +- latest/ug/observability/eks-observe.adoc | 10 +- .../observability-dashboard.adoc | 4 +- latest/ug/observability/opentelemetry.adoc | 2 +- latest/ug/observability/prometheus.adoc | 46 +-- latest/ug/observability/view-raw-metrics.adoc | 12 +- .../eks-outposts-capacity-considerations.adoc | 16 +- .../eks-outposts-local-cluster-create.adoc | 46 +-- .../eks-outposts-local-cluster-overview.adoc | 2 +- .../eks-outposts-network-disconnects.adoc | 16 +- .../eks-outposts-platform-versions.adoc | 62 +-- .../eks-outposts-self-managed-nodes.adoc | 22 +- .../eks-outposts-troubleshooting.adoc | 20 +- .../eks-outposts-vpc-subnet-requirements.adoc | 10 +- latest/ug/outposts/eks-outposts.adoc | 24 +- latest/ug/related-projects.adoc | 48 +-- latest/ug/roadmap.adoc | 2 +- latest/ug/security/cert-signing.adoc | 12 +- .../configuration-vulnerability-analysis.adoc | 12 +- latest/ug/security/default-roles-users.adoc | 22 +- .../disaster-recovery-resiliency.adoc | 4 +- latest/ug/security/enable-kms.adoc | 2 +- .../iam-reference/auto-cluster-iam-role.adoc | 2 +- .../iam-reference/cluster-iam-role.adoc | 4 +- .../iam-reference/connector-iam-role.adoc | 2 +- .../iam-reference/create-node-role.adoc | 6 +- .../iam-reference/pod-execution-role.adoc | 22 +- .../iam-reference/security-iam-awsmanpol.adoc | 44 +-- ...security-iam-id-based-policy-examples.adoc | 10 +- .../security-iam-service-with-iam.adoc | 4 +- .../security-iam-troubleshoot.adoc | 2 +- ...ng-service-linked-roles-eks-connector.adoc | 4 +- ...sing-service-linked-roles-eks-fargate.adoc | 2 +- .../ug/security/infrastructure-security.adoc | 8 +- latest/ug/security/manage-secrets.adoc | 4 +- .../pod-security-policy-removal-faq.adoc | 54 +-- latest/ug/security/pod-security-policy.adoc | 26 +- latest/ug/security/security-k8s.adoc | 6 +- latest/ug/security/security.adoc | 4 +- .../ug/security/vpc-interface-endpoints.adoc | 2 +- .../ug/storage/csi-snapshot-controller.adoc | 6 +- latest/ug/storage/ebs-csi.adoc | 24 +- latest/ug/storage/efs-csi.adoc | 22 +- latest/ug/storage/fsx-csi.adoc | 14 +- latest/ug/storage/fsx-ontap.adoc | 6 +- latest/ug/storage/s3-csi.adoc | 74 ++-- .../ug/troubleshooting/troubleshooting.adoc | 88 ++--- latest/ug/what-is/common-use-cases.adoc | 4 +- latest/ug/what-is/eks-architecture.adoc | 12 +- latest/ug/what-is/eks-deployment-options.adoc | 2 +- latest/ug/what-is/kubernetes-concepts.adoc | 128 +++---- latest/ug/workloads/add-ons-iam.adoc | 2 +- latest/ug/workloads/alb-ingress.adoc | 54 +-- latest/ug/workloads/community-addons.adoc | 2 +- .../workloads/copy-image-to-repository.adoc | 6 +- latest/ug/workloads/creating-an-add-on.adoc | 8 +- latest/ug/workloads/eks-add-ons.adoc | 8 +- latest/ug/workloads/eks-workloads.adoc | 12 +- .../workloads/horizontal-pod-autoscaler.adoc | 22 +- latest/ug/workloads/image-verification.adoc | 2 +- .../kubernetes-field-management.adoc | 12 +- .../ug/workloads/network-load-balancing.adoc | 50 +-- .../restrict-service-external-ip.adoc | 12 +- latest/ug/workloads/retreive-iam-info.adoc | 2 +- .../workloads/sample-deployment-windows.adoc | 38 +- latest/ug/workloads/sample-deployment.adoc | 38 +- latest/ug/workloads/updating-an-add-on.adoc | 14 +- .../ug/workloads/vertical-pod-autoscaler.adoc | 24 +- .../workloads-add-ons-available-eks.adoc | 40 +- .../workloads-add-ons-available-vendors.adoc | 204 +++++----- 240 files changed, 2907 insertions(+), 2907 deletions(-) diff --git a/latest/ug/book.adoc b/latest/ug/book.adoc index 86ae20f24..9bfc99f99 100644 --- a/latest/ug/book.adoc +++ b/latest/ug/book.adoc @@ -23,7 +23,7 @@ sponsored by Amazon. [abstract] -- -This is official Amazon Web Services ({aws}) documentation for Amazon Elastic Kubernetes Service (Amazon EKS). Amazon EKS is a managed service that makes it easy for you to run [.noloc]`Kubernetes` on {aws} without needing to install and operate your own [.noloc]`Kubernetes` clusters. [.noloc]`Kubernetes` is an open source system for automating the deployment, scaling, and management of containerized applications. +This is official Amazon Web Services ({aws}) documentation for Amazon Elastic Kubernetes Service (Amazon EKS). Amazon EKS is a managed service that makes it easy for you to run Kubernetes on {aws} without needing to install and operate your own Kubernetes clusters. Kubernetes is an open source system for automating the deployment, scaling, and management of containerized applications. -- :sectnums: diff --git a/latest/ug/clusters/autoscaling.adoc b/latest/ug/clusters/autoscaling.adoc index ab653c51e..0ee62ccc8 100644 --- a/latest/ug/clusters/autoscaling.adoc +++ b/latest/ug/clusters/autoscaling.adoc @@ -1,6 +1,6 @@ [.topic] [#autoscaling] -= Scale cluster compute with [.noloc]`Karpenter` and [.noloc]`Cluster Autoscaler` += Scale cluster compute with Karpenter and Cluster Autoscaler :info_titleabbrev: Autoscaling include::../attributes.txt[] @@ -10,7 +10,7 @@ include::../attributes.txt[] Discover how Amazon EKS integrates Kubernetes autoscaling with {aws}, empowering rapid and efficient scaling of compute resources to meet application demands using Karpenter and Cluster Autoscaler. -- -Autoscaling is a function that automatically scales your resources out and in to meet changing demands. This is a major [.noloc]`Kubernetes` function that would otherwise require extensive human resources to perform manually. +Autoscaling is a function that automatically scales your resources out and in to meet changing demands. This is a major Kubernetes function that would otherwise require extensive human resources to perform manually. == EKS Auto Mode @@ -28,8 +28,8 @@ Amazon EKS supports two additional autoscaling products: -*[.noloc]`Karpenter`*:: -[.noloc]`Karpenter` is a flexible, high-performance [.noloc]`Kubernetes` cluster autoscaler that helps improve application availability and cluster efficiency. [.noloc]`Karpenter` launches right-sized compute resources (for example, Amazon EC2 instances) in response to changing application load in under a minute. Through integrating [.noloc]`Kubernetes` with {aws}, [.noloc]`Karpenter` can provision just-in-time compute resources that precisely meet the requirements of your workload. [.noloc]`Karpenter` automatically provisions new compute resources based on the specific requirements of cluster workloads. These include compute, storage, acceleration, and scheduling requirements. Amazon EKS supports clusters using [.noloc]`Karpenter`, although [.noloc]`Karpenter` works with any conformant [.noloc]`Kubernetes` cluster. For more information, see the https://karpenter.sh/docs/[Karpenter] documentation. +*Karpenter*:: +Karpenter is a flexible, high-performance Kubernetes cluster autoscaler that helps improve application availability and cluster efficiency. Karpenter launches right-sized compute resources (for example, Amazon EC2 instances) in response to changing application load in under a minute. Through integrating Kubernetes with {aws}, Karpenter can provision just-in-time compute resources that precisely meet the requirements of your workload. Karpenter automatically provisions new compute resources based on the specific requirements of cluster workloads. These include compute, storage, acceleration, and scheduling requirements. Amazon EKS supports clusters using Karpenter, although Karpenter works with any conformant Kubernetes cluster. For more information, see the https://karpenter.sh/docs/[Karpenter] documentation. + [IMPORTANT] ==== @@ -37,4 +37,4 @@ Karpenter is open-source software which {aws} customers are responsible for inst ==== *Cluster Autoscaler*:: -The [.noloc]`Kubernetes` Cluster Autoscaler automatically adjusts the number of nodes in your cluster when pods fail or are rescheduled onto other nodes. The Cluster Autoscaler uses Auto Scaling groups. For more information, see https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaler on {aws}]. \ No newline at end of file +The Kubernetes Cluster Autoscaler automatically adjusts the number of nodes in your cluster when pods fail or are rescheduled onto other nodes. The Cluster Autoscaler uses Auto Scaling groups. For more information, see https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaler on {aws}]. \ No newline at end of file diff --git a/latest/ug/clusters/cluster-endpoint.adoc b/latest/ug/clusters/cluster-endpoint.adoc index cf735fe1a..491d99f27 100644 --- a/latest/ug/clusters/cluster-endpoint.adoc +++ b/latest/ug/clusters/cluster-endpoint.adoc @@ -10,9 +10,9 @@ include::../attributes.txt[] Learn how to enable private access and limit public access to the Amazon EKS cluster Kubernetes API server endpoint for enhanced security with your Amazon EKS cluster. -- -This topic helps you to enable private access for your Amazon EKS cluster's [.noloc]`Kubernetes` API server endpoint and limit, or completely disable, public access from the internet. +This topic helps you to enable private access for your Amazon EKS cluster's Kubernetes API server endpoint and limit, or completely disable, public access from the internet. -When you create a new cluster, Amazon EKS creates an endpoint for the managed [.noloc]`Kubernetes` API server that you use to communicate with your cluster (using [.noloc]`Kubernetes` management tools such as `kubectl`). By default, this API server endpoint is public to the internet, and access to the API server is secured using a combination of {aws} Identity and Access Management (IAM) and native [.noloc]`Kubernetes` https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Role Based Access Control] (RBAC). This endpoint is known as the _cluster public endpoint_. Also there is a _cluster private endpoint_. For more information about the cluster private endpoint, see the following section <>. +When you create a new cluster, Amazon EKS creates an endpoint for the managed Kubernetes API server that you use to communicate with your cluster (using Kubernetes management tools such as `kubectl`). By default, this API server endpoint is public to the internet, and access to the API server is secured using a combination of {aws} Identity and Access Management (IAM) and native Kubernetes https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Role Based Access Control] (RBAC). This endpoint is known as the _cluster public endpoint_. Also there is a _cluster private endpoint_. For more information about the cluster private endpoint, see the following section <>. [#cluster-endpoint-ipv6] == `IPv6` cluster endpoint format @@ -69,12 +69,12 @@ Before October 2024, `IPv6` clusters used this endpoint format also. For those c [#cluster-endpoint-private] == Cluster private endpoint -You can enable private access to the [.noloc]`Kubernetes` API server so that all communication between your nodes and the API server stays within your VPC. You can limit the IP addresses that can access your API server from the internet, or completely disable internet access to the API server. +You can enable private access to the Kubernetes API server so that all communication between your nodes and the API server stays within your VPC. You can limit the IP addresses that can access your API server from the internet, or completely disable internet access to the API server. [NOTE] ==== -Because this endpoint is for the [.noloc]`Kubernetes` API server and not a traditional {aws} PrivateLink endpoint for communicating with an {aws} API, it doesn't appear as an endpoint in the Amazon VPC console. +Because this endpoint is for the Kubernetes API server and not a traditional {aws} PrivateLink endpoint for communicating with an {aws} API, it doesn't appear as an endpoint in the Amazon VPC console. ==== @@ -99,15 +99,15 @@ Use the procedures in this section to modify the endpoint access for an existing a| * This is the default behavior for new Amazon EKS clusters. -* [.noloc]`Kubernetes` API requests that originate from within your cluster's VPC (such as node to control plane communication) leave the VPC but not Amazon's network. -* Your cluster API server is accessible from the internet. You can, optionally, limit the CIDR blocks that can access the public endpoint. If you limit access to specific CIDR blocks, then it is recommended that you also enable the private endpoint, or ensure that the CIDR blocks that you specify include the addresses that nodes and Fargate [.noloc]`Pods` (if you use them) access the public endpoint from. +* Kubernetes API requests that originate from within your cluster's VPC (such as node to control plane communication) leave the VPC but not Amazon's network. +* Your cluster API server is accessible from the internet. You can, optionally, limit the CIDR blocks that can access the public endpoint. If you limit access to specific CIDR blocks, then it is recommended that you also enable the private endpoint, or ensure that the CIDR blocks that you specify include the addresses that nodes and Fargate Pods (if you use them) access the public endpoint from. |Enabled |Enabled a| -* [.noloc]`Kubernetes` API requests within your cluster's VPC (such as node to control plane communication) use the private VPC endpoint. +* Kubernetes API requests within your cluster's VPC (such as node to control plane communication) use the private VPC endpoint. * Your cluster API server is accessible from the internet. You can, optionally, limit the CIDR blocks that can access the public endpoint. * If you are using hybrid nodes with your Amazon EKS cluster, it is not recommended to have both Public and Private cluster endpoint access enabled. Because your hybrid nodes are running outside of your VPC, they will resolve the cluster endpoint to the public IP addresses. It is recommended to use either Public or Private cluster endpoint access for clusters with hybrid nodes. @@ -136,9 +136,9 @@ You can modify your cluster API server endpoint access using the {aws-management . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. . Choose the name of the cluster to display your cluster information. . Choose the *Networking* tab and choose *Manage endpoint access*. -. For *Private access*, choose whether to enable or disable private access for your cluster's [.noloc]`Kubernetes` API server endpoint. If you enable private access, [.noloc]`Kubernetes` API requests that originate from within your cluster's VPC use the private VPC endpoint. You must enable private access to disable public access. -. For *Public access*, choose whether to enable or disable public access for your cluster's [.noloc]`Kubernetes` API server endpoint. If you disable public access, your cluster's [.noloc]`Kubernetes` API server can only receive requests from within the cluster VPC. -. (Optional) If you've enabled *Public access*, you can specify which addresses from the internet can communicate to the public endpoint. Select *Advanced Settings*. Enter a CIDR block, such as [.replaceable]`203.0.113.5/32`. The block cannot include https://en.wikipedia.org/wiki/Reserved_IP_addresses[reserved addresses]. You can enter additional blocks by selecting *Add Source*. There is a maximum number of CIDR blocks that you can specify. For more information, see <>. If you specify no blocks, then the public API server endpoint receives requests from all (`0.0.0.0/0`) IP addresses. If you restrict access to your public endpoint using CIDR blocks, it is recommended that you also enable private endpoint access so that nodes and Fargate [.noloc]`Pods` (if you use them) can communicate with the cluster. Without the private endpoint enabled, your public access endpoint CIDR sources must include the egress sources from your VPC. For example, if you have a node in a private subnet that communicates to the internet through a NAT Gateway, you will need to add the outbound IP address of the NAT gateway as part of an allowed CIDR block on your public endpoint. +. For *Private access*, choose whether to enable or disable private access for your cluster's Kubernetes API server endpoint. If you enable private access, Kubernetes API requests that originate from within your cluster's VPC use the private VPC endpoint. You must enable private access to disable public access. +. For *Public access*, choose whether to enable or disable public access for your cluster's Kubernetes API server endpoint. If you disable public access, your cluster's Kubernetes API server can only receive requests from within the cluster VPC. +. (Optional) If you've enabled *Public access*, you can specify which addresses from the internet can communicate to the public endpoint. Select *Advanced Settings*. Enter a CIDR block, such as [.replaceable]`203.0.113.5/32`. The block cannot include https://en.wikipedia.org/wiki/Reserved_IP_addresses[reserved addresses]. You can enter additional blocks by selecting *Add Source*. There is a maximum number of CIDR blocks that you can specify. For more information, see <>. If you specify no blocks, then the public API server endpoint receives requests from all (`0.0.0.0/0`) IP addresses. If you restrict access to your public endpoint using CIDR blocks, it is recommended that you also enable private endpoint access so that nodes and Fargate Pods (if you use them) can communicate with the cluster. Without the private endpoint enabled, your public access endpoint CIDR sources must include the egress sources from your VPC. For example, if you have a node in a private subnet that communicates to the internet through a NAT Gateway, you will need to add the outbound IP address of the NAT gateway as part of an allowed CIDR block on your public endpoint. . Choose *Update* to finish. @@ -146,7 +146,7 @@ You can modify your cluster API server endpoint access using the {aws-management Complete the following steps using the {aws} CLI version `1.27.160` or later. You can check your current version with `aws --version`. To install or upgrade the {aws} CLI, see link:cli/latest/userguide/cli-chap-install.html[Installing the {aws} CLI,type="documentation"]. -. Update your cluster API server endpoint access with the following {aws} CLI command. Substitute your cluster name and desired endpoint access values. If you set `endpointPublicAccess=true`, then you can (optionally) enter single CIDR block, or a comma-separated list of CIDR blocks for `publicAccessCidrs`. The blocks cannot include https://en.wikipedia.org/wiki/Reserved_IP_addresses[reserved addresses]. If you specify CIDR blocks, then the public API server endpoint will only receive requests from the listed blocks. There is a maximum number of CIDR blocks that you can specify. For more information, see <>. If you restrict access to your public endpoint using CIDR blocks, it is recommended that you also enable private endpoint access so that nodes and Fargate [.noloc]`Pods` (if you use them) can communicate with the cluster. Without the private endpoint enabled, your public access endpoint CIDR sources must include the egress sources from your VPC. For example, if you have a node in a private subnet that communicates to the internet through a NAT Gateway, you will need to add the outbound IP address of the NAT gateway as part of an allowed CIDR block on your public endpoint. If you specify no CIDR blocks, then the public API server endpoint receives requests from all (0.0.0.0/0) IP addresses. +. Update your cluster API server endpoint access with the following {aws} CLI command. Substitute your cluster name and desired endpoint access values. If you set `endpointPublicAccess=true`, then you can (optionally) enter single CIDR block, or a comma-separated list of CIDR blocks for `publicAccessCidrs`. The blocks cannot include https://en.wikipedia.org/wiki/Reserved_IP_addresses[reserved addresses]. If you specify CIDR blocks, then the public API server endpoint will only receive requests from the listed blocks. There is a maximum number of CIDR blocks that you can specify. For more information, see <>. If you restrict access to your public endpoint using CIDR blocks, it is recommended that you also enable private endpoint access so that nodes and Fargate Pods (if you use them) can communicate with the cluster. Without the private endpoint enabled, your public access endpoint CIDR sources must include the egress sources from your VPC. For example, if you have a node in a private subnet that communicates to the internet through a NAT Gateway, you will need to add the outbound IP address of the NAT gateway as part of an allowed CIDR block on your public endpoint. If you specify no CIDR blocks, then the public API server endpoint receives requests from all (0.0.0.0/0) IP addresses. + NOTE: The following command enables private access and public access from a single IP address for the API server endpoint. Replace [.replaceable]`203.0.113.5/32` with a single CIDR block, or a comma-separated list of CIDR blocks that you want to restrict network access to. + @@ -229,7 +229,7 @@ An example output is as follows. [#private-access] == Accessing a private only API server -If you have disabled public access for your cluster's [.noloc]`Kubernetes` API server endpoint, you can only access the API server from within your VPC or a link:whitepapers/latest/aws-vpc-connectivity-options/introduction.html[connected network,type="documentation"]. Here are a few possible ways to access the [.noloc]`Kubernetes` API server endpoint: +If you have disabled public access for your cluster's Kubernetes API server endpoint, you can only access the API server from within your VPC or a link:whitepapers/latest/aws-vpc-connectivity-options/introduction.html[connected network,type="documentation"]. Here are a few possible ways to access the Kubernetes API server endpoint: diff --git a/latest/ug/clusters/cluster-insights.adoc b/latest/ug/clusters/cluster-insights.adoc index cab8240c2..b3c2c88e1 100644 --- a/latest/ug/clusters/cluster-insights.adoc +++ b/latest/ug/clusters/cluster-insights.adoc @@ -1,6 +1,6 @@ [.topic] [#cluster-insights] -= Prepare for [.noloc]`Kubernetes` version upgrades with cluster insights += Prepare for Kubernetes version upgrades with cluster insights :info_titleabbrev: Cluster insights :keywords: cluster, upgrade, insights @@ -8,18 +8,18 @@ include::../attributes.txt[] [abstract] -- -Discover how Amazon EKS cluster insights help monitor and resolve potential [.noloc]`Kubernetes` version upgrade issues for enhanced reliability and faster adoption of new capabilities. +Discover how Amazon EKS cluster insights help monitor and resolve potential Kubernetes version upgrade issues for enhanced reliability and faster adoption of new capabilities. -- -Amazon EKS cluster insights provide recommendations to help you follow Amazon EKS and [.noloc]`Kubernetes` best practices. Every Amazon EKS cluster undergoes automatic, recurring checks against an Amazon EKS curated list of insights. These insight checks are fully managed by Amazon EKS and offer recommendations on how to address any findings. +Amazon EKS cluster insights provide recommendations to help you follow Amazon EKS and Kubernetes best practices. Every Amazon EKS cluster undergoes automatic, recurring checks against an Amazon EKS curated list of insights. These insight checks are fully managed by Amazon EKS and offer recommendations on how to address any findings. -* Before updating your cluster [.noloc]`Kubernetes` version, check the *Cluster insights* tab of the observability dashboard in the link:eks/home#/clusters[Amazon EKS console.,type="console"] -* If your cluster has identified issues, review them and make appropriate fixes. The issues include links to Amazon EKS and [.noloc]`Kubernetes`. +* Before updating your cluster Kubernetes version, check the *Cluster insights* tab of the observability dashboard in the link:eks/home#/clusters[Amazon EKS console.,type="console"] +* If your cluster has identified issues, review them and make appropriate fixes. The issues include links to Amazon EKS and Kubernetes. * After fixing issues, wait for the cluster insights to refresh. If all issues have been resolved, <> -Amazon EKS returns insights related to [.noloc]`Kubernetes` version upgrade readiness. Upgrade insights identify possible issues that could impact [.noloc]`Kubernetes` cluster upgrades. This minimizes the effort that administrators spend preparing for upgrades and increases the reliability of applications on newer [.noloc]`Kubernetes` versions. Clusters are automatically scanned by Amazon EKS against a list of possible [.noloc]`Kubernetes` version upgrade impacting issues. Amazon EKS frequently updates the list of insight checks based on reviews of changes made in each [.noloc]`Kubernetes` version release. +Amazon EKS returns insights related to Kubernetes version upgrade readiness. Upgrade insights identify possible issues that could impact Kubernetes cluster upgrades. This minimizes the effort that administrators spend preparing for upgrades and increases the reliability of applications on newer Kubernetes versions. Clusters are automatically scanned by Amazon EKS against a list of possible Kubernetes version upgrade impacting issues. Amazon EKS frequently updates the list of insight checks based on reviews of changes made in each Kubernetes version release. -Amazon EKS upgrade insights speed up the testing and verification process for new versions. They also allow cluster administrators and application developers to leverage the newest [.noloc]`Kubernetes` capabilities by highlighting concerns and offering remediation advice. To see the list of insight checks performed and any relevant issues that Amazon EKS has identified, you can call the Amazon EKS `ListInsights` API operation or look in the Amazon EKS console. +Amazon EKS upgrade insights speed up the testing and verification process for new versions. They also allow cluster administrators and application developers to leverage the newest Kubernetes capabilities by highlighting concerns and offering remediation advice. To see the list of insight checks performed and any relevant issues that Amazon EKS has identified, you can call the Amazon EKS `ListInsights` API operation or look in the Amazon EKS console. Cluster insights update periodically. You cannot manually refresh cluster insights. If you fix a cluster issue, it will take some time for cluster insights to update. To determine if a fix was successful, compare the time the change deployed to the "last refresh time" of the cluster insight. @@ -34,8 +34,8 @@ Amazon EKS automatically creates a cluster access entry. This entry gives EKS pe . In the *Upgrade Insights* table, you will see the following columns: + ** *Name* – The check that was performed by Amazon EKS against the cluster. -** *Insight status* – An insight with a status of "Error" typically means the impacted [.noloc]`Kubernetes` version is N+1 of the current cluster version, while a status of "Warning" means the insight applies to a future [.noloc]`Kubernetes` version N+2 or more. An insight with status of "Passing" means Amazon EKS has not found any issues associated with this insight check in your cluster. An insight status of "Unknown" means Amazon EKS is unable to determine if your cluster is impacted by this insight check. -** *Version* – The [.noloc]`Kubernetes` version that the insight checked for possible issues. +** *Insight status* – An insight with a status of "Error" typically means the impacted Kubernetes version is N+1 of the current cluster version, while a status of "Warning" means the insight applies to a future Kubernetes version N+2 or more. An insight with status of "Passing" means Amazon EKS has not found any issues associated with this insight check in your cluster. An insight status of "Unknown" means Amazon EKS is unable to determine if your cluster is impacted by this insight check. +** *Version* – The Kubernetes version that the insight checked for possible issues. ** *Last refresh time* – The time the status of the insight was last refreshed for this cluster. ** *Last transition time* – The time the status of this insight last changed. ** *Description* – Information from the insight check, which includes the alert and recommended actions for remediation. diff --git a/latest/ug/clusters/clusters.adoc b/latest/ug/clusters/clusters.adoc index 17af852a1..a18aec42b 100644 --- a/latest/ug/clusters/clusters.adoc +++ b/latest/ug/clusters/clusters.adoc @@ -17,19 +17,19 @@ An Amazon EKS cluster consists of two primary components: * The Amazon EKS control plane * Amazon EKS nodes that are registered with the control plane -The Amazon EKS control plane consists of control plane nodes that run the [.noloc]`Kubernetes` software, such as `etcd` and the [.noloc]`Kubernetes` API server. The control plane runs in an account managed by {aws}, and the [.noloc]`Kubernetes` API is exposed via the Amazon EKS endpoint associated with your cluster. Each Amazon EKS cluster control plane is single-tenant and unique, and runs on its own set of Amazon EC2 instances. +The Amazon EKS control plane consists of control plane nodes that run the Kubernetes software, such as `etcd` and the Kubernetes API server. The control plane runs in an account managed by {aws}, and the Kubernetes API is exposed via the Amazon EKS endpoint associated with your cluster. Each Amazon EKS cluster control plane is single-tenant and unique, and runs on its own set of Amazon EC2 instances. All of the data stored by the `etcd` nodes and associated Amazon EBS volumes is encrypted using {aws} KMS. The cluster control plane is provisioned across multiple Availability Zones and fronted by an Elastic Load Balancing Network Load Balancer. Amazon EKS also provisions elastic network interfaces in your VPC subnets to provide connectivity from the control plane instances to the nodes (for example, to support `kubectl exec` `logs` `proxy` data flows). [IMPORTANT] ==== -In the Amazon EKS environment, `etcd` storage is limited to 8 GiB as per https://etcd.io/docs/v3.5/dev-guide/limit/#storage-size-limit[upstream] guidance. You can monitor a metric for the current database size by running the following command. If your cluster has a [.noloc]`Kubernetes` version below `1.28`, replace [.replaceable]`apiserver_storage_size_bytes` with the following: +In the Amazon EKS environment, `etcd` storage is limited to 8 GiB as per https://etcd.io/docs/v3.5/dev-guide/limit/#storage-size-limit[upstream] guidance. You can monitor a metric for the current database size by running the following command. If your cluster has a Kubernetes version below `1.28`, replace [.replaceable]`apiserver_storage_size_bytes` with the following: -* [.noloc]`Kubernetes` version `1.27` and `1.26` – `apiserver_storage_db_total_size_in_bytes` -* [.noloc]`Kubernetes` version `1.25` and below – `etcd_db_total_size_in_bytes` +* Kubernetes version `1.27` and `1.26` – `apiserver_storage_db_total_size_in_bytes` +* Kubernetes version `1.25` and below – `etcd_db_total_size_in_bytes` [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/clusters/create-cluster-auto.adoc b/latest/ug/clusters/create-cluster-auto.adoc index c2df00915..df688b671 100644 --- a/latest/ug/clusters/create-cluster-auto.adoc +++ b/latest/ug/clusters/create-cluster-auto.adoc @@ -37,7 +37,7 @@ This topic covers advanced configuration. If you are looking to get started with == Prerequisites * An existing VPC and subnets that meet <>. Before you deploy a cluster for production use, we recommend that you have a thorough understanding of the VPC and subnet requirements. If you don't have a VPC and subnets, you can create them using an <>. -* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. +* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the Kubernetes version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. * Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version`. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. * An link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] with permissions to create and modify EKS and IAM resources. @@ -53,9 +53,9 @@ This topic covers advanced configuration. If you are looking to get started with . On the *Configure cluster* page, enter the following fields: + ** *Name* – A name for your cluster. The name can contain only alphanumeric characters (case-sensitive), hyphens, and underscores. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. -** *Cluster IAM role* – Choose the Amazon EKS cluster IAM role that you created to allow the [.noloc]`Kubernetes` control plane to manage {aws} resources on your behalf. If you haven't previously created a Cluster IAM role for EKS Auto Mode, select the *Create recommended role* button to create the role with the required permissions in the IAM console. -** *[.noloc]`Kubernetes` version* – The version of [.noloc]`Kubernetes` to use for your cluster. We recommend selecting the latest version, unless you need an earlier version. -** *Upgrade policy* -- The [.noloc]`Kubernetes` version policy you would like to set for your cluster. If you want your cluster to only run on a standard support version, you can choose *Standard*. If you want your cluster to enter extended support at the end of standard support for a version, you can choose *Extended*. If you select a [.noloc]`Kubernetes` version that is currently in extended support, you can not select standard support as an option. +** *Cluster IAM role* – Choose the Amazon EKS cluster IAM role that you created to allow the Kubernetes control plane to manage {aws} resources on your behalf. If you haven't previously created a Cluster IAM role for EKS Auto Mode, select the *Create recommended role* button to create the role with the required permissions in the IAM console. +** *Kubernetes version* – The version of Kubernetes to use for your cluster. We recommend selecting the latest version, unless you need an earlier version. +** *Upgrade policy* -- The Kubernetes version policy you would like to set for your cluster. If you want your cluster to only run on a standard support version, you can choose *Standard*. If you want your cluster to enter extended support at the end of standard support for a version, you can choose *Extended*. If you select a Kubernetes version that is currently in extended support, you can not select standard support as an option. . In the *Auto Mode Compute* section of the configure cluster page, enter the following fields: ** *Node pools* -- Determine if you want to use the build in node pools. For more information, see <>. ** *Node IAM role* -- If you enable any of the built-in node pools, you need to select a Node IAM Role. EKS Auto Mode will assign this role to new nodes. You cannot change this value after the cluster is created. If you haven't previously created a Node IAM role for EKS Auto Mode, select the Create recommended role button to create the role with the required permissions. For more information about this role, see <>. @@ -63,7 +63,7 @@ This topic covers advanced configuration. If you are looking to get started with ** *Bootstrap cluster administrator access* -- The cluster creator is automatically a Kubernetes administrator. If you want to disable this, select *Disallow cluster administrator access*. ** *Cluster authentication mode* -- EKS Auto Mode requires EKS access entries, the EKS API authentication mode. You can optionally enable the `ConfigMap` authentication mode by selecting *EKS API and ConfigMap*. . Enter the remaining fields on the configure cluster page: -** *Secrets encryption* – (Optional) Choose to enable secrets encryption of [.noloc]`Kubernetes` secrets using a KMS key. You can also enable this after you create your cluster. Before you enable this capability, make sure that you're familiar with the information in <>. +** *Secrets encryption* – (Optional) Choose to enable secrets encryption of Kubernetes secrets using a KMS key. You can also enable this after you create your cluster. Before you enable this capability, make sure that you're familiar with the information in <>. ** *ARC Zonal shift* -- EKS Auto Mode does not support Arc Zonal shift. ** *Tags* – (Optional) Add any tags to your cluster. For more information, see <>. + @@ -80,11 +80,11 @@ The subnets that you choose must meet the <>. You can modify the rules in the cluster security group that Amazon EKS creates. ** *Choose cluster IP address family* – You can choose either *IPv4* and *IPv6*. + -[.noloc]`Kubernetes` assigns `IPv4` addresses to [.noloc]`Pods` and services, by default. Before deciding to use the `IPv6` family, make sure that you're familiar with all of the considerations and requirements in the <>, <>, <>, and <> topics. If you choose the `IPv6` family, you can't specify an address range for [.noloc]`Kubernetes` to assign `IPv6` service addresses from like you can for the `IPv4` family. [.noloc]`Kubernetes` assigns service addresses from the unique local address range (`fc00::/7`). +Kubernetes assigns `IPv4` addresses to Pods and services, by default. Before deciding to use the `IPv6` family, make sure that you're familiar with all of the considerations and requirements in the <>, <>, <>, and <> topics. If you choose the `IPv6` family, you can't specify an address range for Kubernetes to assign `IPv6` service addresses from like you can for the `IPv4` family. Kubernetes assigns service addresses from the unique local address range (`fc00::/7`). + -** (Optional) Choose *Configure [.noloc]`Kubernetes` Service IP address range* and specify a *Service `IPv4` range*. +** (Optional) Choose *Configure Kubernetes Service IP address range* and specify a *Service `IPv4` range*. + -Specifying your own range can help prevent conflicts between [.noloc]`Kubernetes` services and other networks peered or connected to your VPC. Enter a range in CIDR notation. For example: `10.2.0.0/16`. +Specifying your own range can help prevent conflicts between Kubernetes services and other networks peered or connected to your VPC. Enter a range in CIDR notation. For example: `10.2.0.0/16`. + The CIDR block must meet the following requirements: + @@ -93,13 +93,13 @@ The CIDR block must meet the following requirements: *** Not overlap with the range of the VPC for your Amazon EKS resources. + -You can only specify this option when using the `IPv4` address family and only at cluster creation. If you don't specify this, then [.noloc]`Kubernetes` assigns service IP addresses from either the `10.100.0.0/16` or `172.20.0.0/16` CIDR blocks. +You can only specify this option when using the `IPv4` address family and only at cluster creation. If you don't specify this, then Kubernetes assigns service IP addresses from either the `10.100.0.0/16` or `172.20.0.0/16` CIDR blocks. ** For *Cluster endpoint access*, select an option. After your cluster is created, you can change this option. Before selecting a non-default option, make sure to familiarize yourself with the options and their implications. For more information, see <>. + When you're done with this page, choose *Next*. . (Optional) On the *Configure observability* page, choose which *Metrics* and *Control plane logging* options to turn on. By default, each log type is turned off. + -** For more information about the [.noloc]`Prometheus` metrics option, see <>. +** For more information about the Prometheus metrics option, see <>. ** For more information about the *Control plane logging* options, see <>. ** When you're done with this page, choose *Next*. . On the *Select add-ons* page, choose the add-ons that you want to add to your cluster. You can choose as many *Amazon EKS add-ons* and *{aws} Marketplace add-ons* as you require. If the *{aws} Marketplace add-ons* that you want to install isn't listed, you can click the page numbering to view additional page results or search for available *{aws} Marketplace add-ons* by entering text in the search box. You can also filter by *category*, *vendor*, or *pricing model* and then choose the add-ons from the search results. When creating a cluster, you can view, select, and install any add-on that supports EKS Pod Identities as detailed in <>. @@ -299,9 +299,9 @@ aws eks create-cluster \ NOTE: You might receive an error that one of the Availability Zones in your request doesn't have sufficient capacity to create an Amazon EKS cluster. If this happens, the error output contains the Availability Zones that can support a new cluster. Retry creating your cluster with at least two subnets that are located in the supported Availability Zones for your account. For more information, see <>. + The following are optional settings that, if required, must be added to the previous command. You can only enable these options when you create the cluster, not after. -** If you want to specify which `IPv4` Classless Inter-domain Routing (CIDR) block [.noloc]`Kubernetes` assigns service IP addresses from, you must specify it by adding the `--kubernetes-network-config serviceIpv4Cidr=` to the following command. +** If you want to specify which `IPv4` Classless Inter-domain Routing (CIDR) block Kubernetes assigns service IP addresses from, you must specify it by adding the `--kubernetes-network-config serviceIpv4Cidr=` to the following command. + -Specifying your own range can help prevent conflicts between [.noloc]`Kubernetes` services and other networks peered or connected to your VPC. Enter a range in CIDR notation. For example: `10.2.0.0/16`. +Specifying your own range can help prevent conflicts between Kubernetes services and other networks peered or connected to your VPC. Enter a range in CIDR notation. For example: `10.2.0.0/16`. + The CIDR block must meet the following requirements: + @@ -309,10 +309,10 @@ The CIDR block must meet the following requirements: *** Have a minimum size of `/24` and a maximum size of `/12`. *** Not overlap with the range of the VPC for your Amazon EKS resources. + -You can only specify this option when using the `IPv4` address family and only at cluster creation. If you don't specify this, then [.noloc]`Kubernetes` assigns service IP addresses from either the `10.100.0.0/16` or `172.20.0.0/16` CIDR blocks. -** If you're creating a cluster and want the cluster to assign `IPv6` addresses to [.noloc]`Pods` and services instead of `IPv4` addresses, add `--kubernetes-network-config ipFamily=ipv6` to the following command. +You can only specify this option when using the `IPv4` address family and only at cluster creation. If you don't specify this, then Kubernetes assigns service IP addresses from either the `10.100.0.0/16` or `172.20.0.0/16` CIDR blocks. +** If you're creating a cluster and want the cluster to assign `IPv6` addresses to Pods and services instead of `IPv4` addresses, add `--kubernetes-network-config ipFamily=ipv6` to the following command. + -[.noloc]`Kubernetes` assigns `IPv4` addresses to [.noloc]`Pods` and services, by default. Before deciding to use the `IPv6` family, make sure that you're familiar with all of the considerations and requirements in the <>, <>, <>, and <> topics. If you choose the `IPv6` family, you can't specify an address range for [.noloc]`Kubernetes` to assign `IPv6` service addresses from like you can for the `IPv4` family. [.noloc]`Kubernetes` assigns service addresses from the unique local address range (`fc00::/7`). +Kubernetes assigns `IPv4` addresses to Pods and services, by default. Before deciding to use the `IPv6` family, make sure that you're familiar with all of the considerations and requirements in the <>, <>, <>, and <> topics. If you choose the `IPv6` family, you can't specify an address range for Kubernetes to assign `IPv6` service addresses from like you can for the `IPv4` family. Kubernetes assigns service addresses from the unique local address range (`fc00::/7`). + . It takes several minutes to provision the cluster. You can query the status of your cluster with the following command. + diff --git a/latest/ug/clusters/create-cluster.adoc b/latest/ug/clusters/create-cluster.adoc index bbb1a97dd..8ce87269b 100644 --- a/latest/ug/clusters/create-cluster.adoc +++ b/latest/ug/clusters/create-cluster.adoc @@ -26,8 +26,8 @@ This topic provides an overview of the available options and describes what to c == Prerequisites * An existing VPC and subnets that meet <>. Before you deploy a cluster for production use, we recommend that you have a thorough understanding of the VPC and subnet requirements. If you don't have a VPC and subnets, you can create them using an <>. -* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. To install or upgrade `kubectl`, see <>. -* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. +* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the Kubernetes version of your cluster. To install or upgrade `kubectl`, see <>. +* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or Homebrew for macOS are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. * An link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] with permissions to `create` and `describe` an Amazon EKS cluster. For more information, see <> and <>. == Step 1: Create cluster IAM role @@ -90,7 +90,7 @@ You can create a cluster by using: === Create cluster - eksctl . You need version `{eksctl-min-version}` or later of the `eksctl` command line tool installed on your device or {aws} CloudShell. To install or update `eksctl`, see https://eksctl.io/installation[Installation] in the `eksctl` documentation. -. Create an Amazon EKS `IPv4` cluster with the Amazon EKS default [.noloc]`Kubernetes` version in your default {aws} Region. Before running command, make the following replacements: +. Create an Amazon EKS `IPv4` cluster with the Amazon EKS default Kubernetes version in your default {aws} Region. Before running command, make the following replacements: . Replace [.replaceable]`region-code` with the {aws} Region that you want to create your cluster in. . Replace [.replaceable]`my-cluster` with a name for your cluster. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. . Replace [.replaceable]`{k8s-n}` with any <>. @@ -115,16 +115,16 @@ Cluster provisioning takes several minutes. While the cluster is being created, ==== Optional Settings -To see the most options that you can specify when creating a cluster with `eksctl`, use the `eksctl create cluster --help` command. To see all the available options, you can use a `config` file. For more information, see https://eksctl.io/usage/creating-and-managing-clusters/#using-config-files[Using config files] and the https://eksctl.io/usage/schema/[config file schema] in the `eksctl` documentation. You can find https://github.com/weaveworks/eksctl/tree/master/examples[config file examples] on [.noloc]`GitHub`. +To see the most options that you can specify when creating a cluster with `eksctl`, use the `eksctl create cluster --help` command. To see all the available options, you can use a `config` file. For more information, see https://eksctl.io/usage/creating-and-managing-clusters/#using-config-files[Using config files] and the https://eksctl.io/usage/schema/[config file schema] in the `eksctl` documentation. You can find https://github.com/weaveworks/eksctl/tree/master/examples[config file examples] on GitHub. The following are optional settings that, if required, must be added to the previous command. You can only enable these options when you create the cluster, not after. If you need to specify these options, you must create the cluster with an https://eksctl.io/usage/creating-and-managing-clusters/#using-config-files[eksctl config file] and specify the settings, rather than using the previous command. * If you want to specify one or more security groups that Amazon EKS assigns to the network interfaces that it creates, specify the https://eksctl.io/usage/schema/#vpc-securityGroup[securityGroup] option. + Whether you choose any security groups or not, Amazon EKS creates a security group that enables communication between your cluster and your VPC. Amazon EKS associates this security group, and any that you choose, to the network interfaces that it creates. For more information about the cluster security group that Amazon EKS creates, see <>. You can modify the rules in the cluster security group that Amazon EKS creates. -* If you want to specify which `IPv4` Classless Inter-domain Routing (CIDR) block [.noloc]`Kubernetes` assigns service IP addresses from, specify the https://eksctl.io/usage/schema/#kubernetesNetworkConfig-serviceIPv4CIDR[serviceIPv4CIDR] option. +* If you want to specify which `IPv4` Classless Inter-domain Routing (CIDR) block Kubernetes assigns service IP addresses from, specify the https://eksctl.io/usage/schema/#kubernetesNetworkConfig-serviceIPv4CIDR[serviceIPv4CIDR] option. + -Specifying your own range can help prevent conflicts between [.noloc]`Kubernetes` services and other networks peered or connected to your VPC. Enter a range in CIDR notation. For example: `10.2.0.0/16`. +Specifying your own range can help prevent conflicts between Kubernetes services and other networks peered or connected to your VPC. Enter a range in CIDR notation. For example: `10.2.0.0/16`. + The CIDR block must meet the following requirements: + @@ -132,10 +132,10 @@ The CIDR block must meet the following requirements: ** Have a minimum size of `/24` and a maximum size of `/12`. ** Not overlap with the range of the VPC for your Amazon EKS resources. + -You can only specify this option when using the `IPv4` address family and only at cluster creation. If you don't specify this, then [.noloc]`Kubernetes` assigns service IP addresses from either the `10.100.0.0/16` or `172.20.0.0/16` CIDR blocks. -* If you're creating cluster and want the cluster to assign `IPv6` addresses to [.noloc]`Pods` and services instead of `IPv4` addresses, specify the https://eksctl.io/usage/schema/#kubernetesNetworkConfig-ipFamily[ipFamily] option. +You can only specify this option when using the `IPv4` address family and only at cluster creation. If you don't specify this, then Kubernetes assigns service IP addresses from either the `10.100.0.0/16` or `172.20.0.0/16` CIDR blocks. +* If you're creating cluster and want the cluster to assign `IPv6` addresses to Pods and services instead of `IPv4` addresses, specify the https://eksctl.io/usage/schema/#kubernetesNetworkConfig-ipFamily[ipFamily] option. + -[.noloc]`Kubernetes` assigns `IPv4` addresses to [.noloc]`Pods` and services, by default. Before deciding to use the `IPv6` family, make sure that you're familiar with all of the considerations and requirements in the <>, <>, <>, and <> topics. If you choose the `IPv6` family, you can't specify an address range for [.noloc]`Kubernetes` to assign `IPv6` service addresses from like you can for the `IPv4` family. [.noloc]`Kubernetes` assigns service addresses from the unique local address range (`fc00::/7`). +Kubernetes assigns `IPv4` addresses to Pods and services, by default. Before deciding to use the `IPv6` family, make sure that you're familiar with all of the considerations and requirements in the <>, <>, <>, and <> topics. If you choose the `IPv6` family, you can't specify an address range for Kubernetes to assign `IPv6` service addresses from like you can for the `IPv4` family. Kubernetes assigns service addresses from the unique local address range (`fc00::/7`). [#step2-console] === Create cluster - {aws} console @@ -149,10 +149,10 @@ You can only specify this option when using the `IPv4` address family and only a . On the *Configure cluster* page, enter the following fields: + ** *Name* – A name for your cluster. The name can contain only alphanumeric characters (case-sensitive), hyphens, and underscores. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. -** *Cluster IAM role* – Choose the Amazon EKS cluster IAM role that you created to allow the [.noloc]`Kubernetes` control plane to manage {aws} resources on your behalf. -** *[.noloc]`Kubernetes` version* – The version of [.noloc]`Kubernetes` to use for your cluster. We recommend selecting the latest version, unless you need an earlier version. -** *Support type* -- The [.noloc]`Kubernetes` version policy you would like to set for your cluster. If you want your cluster to only run on a standard support version, you can choose *Standard support*. If you want your cluster to enter extended support at the end of standard support for a version, you can choose *Extended support*. If you select a [.noloc]`Kubernetes` version that is currently in extended support, you can not select standard support as an option. -** *Secrets encryption* – (Optional) Choose to enable secrets encryption of [.noloc]`Kubernetes` secrets using a KMS key. You can also enable this after you create your cluster. Before you enable this capability, make sure that you're familiar with the information in <>. +** *Cluster IAM role* – Choose the Amazon EKS cluster IAM role that you created to allow the Kubernetes control plane to manage {aws} resources on your behalf. +** *Kubernetes version* – The version of Kubernetes to use for your cluster. We recommend selecting the latest version, unless you need an earlier version. +** *Support type* -- The Kubernetes version policy you would like to set for your cluster. If you want your cluster to only run on a standard support version, you can choose *Standard support*. If you want your cluster to enter extended support at the end of standard support for a version, you can choose *Extended support*. If you select a Kubernetes version that is currently in extended support, you can not select standard support as an option. +** *Secrets encryption* – (Optional) Choose to enable secrets encryption of Kubernetes secrets using a KMS key. You can also enable this after you create your cluster. Before you enable this capability, make sure that you're familiar with the information in <>. ** *Tags* – (Optional) Add any tags to your cluster. For more information, see <>. ** *ARC Zonal shift* - (Optional) You can use Route53 Application Recovery controller to mitigate impaired availability zones. For more information, see <>. . In the *Cluster access* section of the configure cluster page, enter the following fields: @@ -172,11 +172,11 @@ The subnets that you choose must meet the <>. You can modify the rules in the cluster security group that Amazon EKS creates. ** *Choose cluster IP address family* – You can choose either *IPv4* and *IPv6*. + -[.noloc]`Kubernetes` assigns `IPv4` addresses to [.noloc]`Pods` and services, by default. Before deciding to use the `IPv6` family, make sure that you're familiar with all of the considerations and requirements in the <>, <>, <>, and <> topics. If you choose the `IPv6` family, you can't specify an address range for [.noloc]`Kubernetes` to assign `IPv6` service addresses from like you can for the `IPv4` family. [.noloc]`Kubernetes` assigns service addresses from the unique local address range (`fc00::/7`). +Kubernetes assigns `IPv4` addresses to Pods and services, by default. Before deciding to use the `IPv6` family, make sure that you're familiar with all of the considerations and requirements in the <>, <>, <>, and <> topics. If you choose the `IPv6` family, you can't specify an address range for Kubernetes to assign `IPv6` service addresses from like you can for the `IPv4` family. Kubernetes assigns service addresses from the unique local address range (`fc00::/7`). + -** (Optional) Choose *Configure [.noloc]`Kubernetes` Service IP address range* and specify a *Service `IPv4` range*. +** (Optional) Choose *Configure Kubernetes Service IP address range* and specify a *Service `IPv4` range*. + -Specifying your own range can help prevent conflicts between [.noloc]`Kubernetes` services and other networks peered or connected to your VPC. Enter a range in CIDR notation. For example: `10.2.0.0/16`. +Specifying your own range can help prevent conflicts between Kubernetes services and other networks peered or connected to your VPC. Enter a range in CIDR notation. For example: `10.2.0.0/16`. + The CIDR block must meet the following requirements: + @@ -185,13 +185,13 @@ The CIDR block must meet the following requirements: *** Not overlap with the range of the VPC for your Amazon EKS resources. + -You can only specify this option when using the `IPv4` address family and only at cluster creation. If you don't specify this, then [.noloc]`Kubernetes` assigns service IP addresses from either the `10.100.0.0/16` or `172.20.0.0/16` CIDR blocks. +You can only specify this option when using the `IPv4` address family and only at cluster creation. If you don't specify this, then Kubernetes assigns service IP addresses from either the `10.100.0.0/16` or `172.20.0.0/16` CIDR blocks. ** For *Cluster endpoint access*, select an option. After your cluster is created, you can change this option. Before selecting a non-default option, make sure to familiarize yourself with the options and their implications. For more information, see <>. + When you're done with this page, choose *Next*. . (Optional) On the *Configure observability* page, choose which *Metrics* and *Control plane logging* options to turn on. By default, each log type is turned off. + -** For more information about the [.noloc]`Prometheus` metrics option, see <>. +** For more information about the Prometheus metrics option, see <>. ** For more information about the *Control plane logging* options, see <>. + @@ -244,9 +244,9 @@ The following are optional settings that, if required, must be added to the prev If you'd like to disable the installation of these default networking add-ons, use the parameter below. This may be used for alternate CNIs, such as Cilium. Review the link:eks/latest/APIReference/API_CreateCluster.html[EKS API reference,type="documentation"] for more information. + `aws eks create-cluster --bootstrapSelfManagedAddons false` -** If you want to specify which `IPv4` Classless Inter-domain Routing (CIDR) block [.noloc]`Kubernetes` assigns service IP addresses from, you must specify it by adding the `--kubernetes-network-config serviceIpv4Cidr=` to the following command. +** If you want to specify which `IPv4` Classless Inter-domain Routing (CIDR) block Kubernetes assigns service IP addresses from, you must specify it by adding the `--kubernetes-network-config serviceIpv4Cidr=` to the following command. + -Specifying your own range can help prevent conflicts between [.noloc]`Kubernetes` services and other networks peered or connected to your VPC. Enter a range in CIDR notation. For example: `10.2.0.0/16`. +Specifying your own range can help prevent conflicts between Kubernetes services and other networks peered or connected to your VPC. Enter a range in CIDR notation. For example: `10.2.0.0/16`. + The CIDR block must meet the following requirements: + @@ -255,10 +255,10 @@ The CIDR block must meet the following requirements: *** Not overlap with the range of the VPC for your Amazon EKS resources. + -You can only specify this option when using the `IPv4` address family and only at cluster creation. If you don't specify this, then [.noloc]`Kubernetes` assigns service IP addresses from either the `10.100.0.0/16` or `172.20.0.0/16` CIDR blocks. -** If you're creating a cluster and want the cluster to assign `IPv6` addresses to [.noloc]`Pods` and services instead of `IPv4` addresses, add `--kubernetes-network-config ipFamily=ipv6` to the following command. +You can only specify this option when using the `IPv4` address family and only at cluster creation. If you don't specify this, then Kubernetes assigns service IP addresses from either the `10.100.0.0/16` or `172.20.0.0/16` CIDR blocks. +** If you're creating a cluster and want the cluster to assign `IPv6` addresses to Pods and services instead of `IPv4` addresses, add `--kubernetes-network-config ipFamily=ipv6` to the following command. + -[.noloc]`Kubernetes` assigns `IPv4` addresses to [.noloc]`Pods` and services, by default. Before deciding to use the `IPv6` family, make sure that you're familiar with all of the considerations and requirements in the <>, <>, <>, and <> topics. If you choose the `IPv6` family, you can't specify an address range for [.noloc]`Kubernetes` to assign `IPv6` service addresses from like you can for the `IPv4` family. [.noloc]`Kubernetes` assigns service addresses from the unique local address range (`fc00::/7`). +Kubernetes assigns `IPv4` addresses to Pods and services, by default. Before deciding to use the `IPv6` family, make sure that you're familiar with all of the considerations and requirements in the <>, <>, <>, and <> topics. If you choose the `IPv6` family, you can't specify an address range for Kubernetes to assign `IPv6` service addresses from like you can for the `IPv4` family. Kubernetes assigns service addresses from the unique local address range (`fc00::/7`). + . It takes several minutes to provision the cluster. You can query the status of your cluster with the following command. + @@ -302,21 +302,21 @@ kubernetes ClusterIP 10.100.0.1 443/TCP 28h == Step 4: Cluster setup -. (Recommended) To use some Amazon EKS add-ons, or to enable individual [.noloc]`Kubernetes` workloads to have specific {aws} Identity and Access Management (IAM) permissions, <> for your cluster. You only need to create an IAM [.noloc]`OIDC` provider for your cluster once. To learn more about Amazon EKS add-ons, see <>. To learn more about assigning specific IAM permissions to your workloads, see <>. -. (Recommended) Configure your cluster for the [.noloc]`Amazon VPC CNI plugin for Kubernetes` plugin before deploying Amazon EC2 nodes to your cluster. By default, the plugin was installed with your cluster. When you add Amazon EC2 nodes to your cluster, the plugin is automatically deployed to each Amazon EC2 node that you add. The plugin requires you to attach one of the following IAM policies to an IAM role. If your cluster uses the `IPv4` family, use the link:aws-managed-policy/latest/reference/AmazonEKS_CNI_Policy.html[AmazonEKS_CNI_Policy,type="documentation"] managed IAM policy. If your cluster uses the `IPv6` family, use an <>. +. (Recommended) To use some Amazon EKS add-ons, or to enable individual Kubernetes workloads to have specific {aws} Identity and Access Management (IAM) permissions, <> for your cluster. You only need to create an IAM OIDC provider for your cluster once. To learn more about Amazon EKS add-ons, see <>. To learn more about assigning specific IAM permissions to your workloads, see <>. +. (Recommended) Configure your cluster for the Amazon VPC CNI plugin for Kubernetes plugin before deploying Amazon EC2 nodes to your cluster. By default, the plugin was installed with your cluster. When you add Amazon EC2 nodes to your cluster, the plugin is automatically deployed to each Amazon EC2 node that you add. The plugin requires you to attach one of the following IAM policies to an IAM role. If your cluster uses the `IPv4` family, use the link:aws-managed-policy/latest/reference/AmazonEKS_CNI_Policy.html[AmazonEKS_CNI_Policy,type="documentation"] managed IAM policy. If your cluster uses the `IPv6` family, use an <>. + The IAM role that you attach the policy to can be the node IAM role, or a dedicated role used only for the plugin. We recommend attaching the policy to this role. For more information about creating the role, see <> or <>. -. If you deployed your cluster using the {aws-management-console}, you can skip this step. The {aws-management-console} deploys the [.noloc]`Amazon VPC CNI plugin for Kubernetes`, [.noloc]`CoreDNS`, and `kube-proxy` Amazon EKS add-ons, by default. +. If you deployed your cluster using the {aws-management-console}, you can skip this step. The {aws-management-console} deploys the Amazon VPC CNI plugin for Kubernetes, CoreDNS, and `kube-proxy` Amazon EKS add-ons, by default. + -If you deploy your cluster using either `eksctl` or the {aws} CLI, then the [.noloc]`Amazon VPC CNI plugin for Kubernetes`, [.noloc]`CoreDNS`, and `kube-proxy` self-managed add-ons are deployed. You can migrate the [.noloc]`Amazon VPC CNI plugin for Kubernetes`, [.noloc]`CoreDNS`, and `kube-proxy` self-managed add-ons that are deployed with your cluster to Amazon EKS add-ons. For more information, see <>. -. (Optional) If you haven't already done so, you can enable [.noloc]`Prometheus` metrics for your cluster. For more information, see link:prometheus/latest/userguide/AMP-collector-how-to.html#AMP-collector-create[Create a scraper,type="documentation"] in the _Amazon Managed Service for Prometheus User Guide_. +If you deploy your cluster using either `eksctl` or the {aws} CLI, then the Amazon VPC CNI plugin for Kubernetes, CoreDNS, and `kube-proxy` self-managed add-ons are deployed. You can migrate the Amazon VPC CNI plugin for Kubernetes, CoreDNS, and `kube-proxy` self-managed add-ons that are deployed with your cluster to Amazon EKS add-ons. For more information, see <>. +. (Optional) If you haven't already done so, you can enable Prometheus metrics for your cluster. For more information, see link:prometheus/latest/userguide/AMP-collector-how-to.html#AMP-collector-create[Create a scraper,type="documentation"] in the _Amazon Managed Service for Prometheus User Guide_. . If you plan to deploy workloads to your cluster that use Amazon EBS volumes , and you created a `1.23` or later cluster, then you must install the <> to your cluster before deploying the workloads. == Next steps * The link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that created the cluster is the only principal that has access to the cluster. <> so they can access your cluster. * If the IAM principal that created the cluster only has the minimum IAM permissions referenced in the prerequisites, then you might want to add additional Amazon EKS permissions for that principal. For more information about granting Amazon EKS permissions to IAM principals, see <>. -* If you want the IAM principal that created the cluster, or any other principals to view [.noloc]`Kubernetes` resources in the Amazon EKS console, grant the <> to the entities. +* If you want the IAM principal that created the cluster, or any other principals to view Kubernetes resources in the Amazon EKS console, grant the <> to the entities. * If you want nodes and IAM principals to access your cluster from within your VPC, enable the private endpoint for your cluster. The public endpoint is enabled by default. You can disable the public endpoint once you've enabled the private endpoint, if desired. For more information, see <>. * <>. * <>. diff --git a/latest/ug/clusters/delete-cluster.adoc b/latest/ug/clusters/delete-cluster.adoc index 6e0ae3195..514092f53 100644 --- a/latest/ug/clusters/delete-cluster.adoc +++ b/latest/ug/clusters/delete-cluster.adoc @@ -47,7 +47,7 @@ For instructions on how to install or upgrade `eksctl`, see https://eksctl.io/in ---- kubectl get svc --all-namespaces ---- -.. Delete any services that have an associated `EXTERNAL-IP` value. These services are fronted by an Elastic Load Balancing load balancer, and you must delete them in [.noloc]`Kubernetes` to allow the load balancer and associated resources to be properly released. +.. Delete any services that have an associated `EXTERNAL-IP` value. These services are fronted by an Elastic Load Balancing load balancer, and you must delete them in Kubernetes to allow the load balancer and associated resources to be properly released. + [source,bash,subs="verbatim,attributes"] ---- @@ -80,7 +80,7 @@ Output: ---- kubectl get svc --all-namespaces ---- -. Delete any services that have an associated `EXTERNAL-IP` value. These services are fronted by an Elastic Load Balancing load balancer, and you must delete them in [.noloc]`Kubernetes` to allow the load balancer and associated resources to be properly released. +. Delete any services that have an associated `EXTERNAL-IP` value. These services are fronted by an Elastic Load Balancing load balancer, and you must delete them in Kubernetes to allow the load balancer and associated resources to be properly released. + [source,bash,subs="verbatim,attributes"] ---- @@ -119,7 +119,7 @@ NOTE: The node groups listed are <> onl ---- kubectl get svc --all-namespaces ---- -. Delete any services that have an associated `EXTERNAL-IP` value. These services are fronted by an Elastic Load Balancing load balancer, and you must delete them in [.noloc]`Kubernetes` to allow the load balancer and associated resources to be properly released. +. Delete any services that have an associated `EXTERNAL-IP` value. These services are fronted by an Elastic Load Balancing load balancer, and you must delete them in Kubernetes to allow the load balancer and associated resources to be properly released. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/clusters/disable-extended-support.adoc b/latest/ug/clusters/disable-extended-support.adoc index 337d808cb..6b3b1c35a 100644 --- a/latest/ug/clusters/disable-extended-support.adoc +++ b/latest/ug/clusters/disable-extended-support.adoc @@ -5,7 +5,7 @@ include::../attributes.txt[] -This topic describes how to set the _upgrade policy_ of an EKS cluster to disable extended support. The upgrade policy of an EKS cluster determines what happens when a cluster reaches the end of the standard _support period_. If a cluster upgrade policy has extended support disabled, it will be automatically upgraded to the next [.noloc]`Kubernetes` version. +This topic describes how to set the _upgrade policy_ of an EKS cluster to disable extended support. The upgrade policy of an EKS cluster determines what happens when a cluster reaches the end of the standard _support period_. If a cluster upgrade policy has extended support disabled, it will be automatically upgraded to the next Kubernetes version. For more information about upgrade policies, see <>. diff --git a/latest/ug/clusters/disable-windows-support.adoc b/latest/ug/clusters/disable-windows-support.adoc index 76c7212f3..951b3d0cb 100644 --- a/latest/ug/clusters/disable-windows-support.adoc +++ b/latest/ug/clusters/disable-windows-support.adoc @@ -1,6 +1,6 @@ [.topic] [#disable-windows-support] -= Disable [.noloc]`Windows` support += Disable Windows support include::../attributes.txt[] @@ -14,7 +14,7 @@ aws iam detach-role-policy \ --role-name eksClusterRole \ --policy-arn {arn-aws}iam::aws:policy/AmazonEKSVPCResourceController ---- -. Disable [.noloc]`Windows` IPAM in the `amazon-vpc-cni` ConfigMap. +. Disable Windows IPAM in the `amazon-vpc-cni` ConfigMap. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/clusters/enable-extended-support.adoc b/latest/ug/clusters/enable-extended-support.adoc index aa3b43ea0..443ee5295 100644 --- a/latest/ug/clusters/enable-extended-support.adoc +++ b/latest/ug/clusters/enable-extended-support.adoc @@ -16,7 +16,7 @@ For more information about upgrade policies, see <>. [IMPORTANT] ==== -If you want your cluster to stay on its current [.noloc]`Kubernetes` version to take advantage of the extended support period, you must enable the extended support upgrade policy before the end of standard support period. +If you want your cluster to stay on its current Kubernetes version to take advantage of the extended support period, you must enable the extended support upgrade policy before the end of standard support period. If you do not enable extended support, your cluster will be automatically upgraded. diff --git a/latest/ug/clusters/kubernetes-versions-extended.adoc b/latest/ug/clusters/kubernetes-versions-extended.adoc index 0c78097b5..b2142af45 100644 --- a/latest/ug/clusters/kubernetes-versions-extended.adoc +++ b/latest/ug/clusters/kubernetes-versions-extended.adoc @@ -1,34 +1,34 @@ [.topic] [#kubernetes-versions-extended] -= Review release notes for [.noloc]`Kubernetes` versions on extended support += Review release notes for Kubernetes versions on extended support :info_titleabbrev: Extended support versions include::../attributes.txt[] [abstract] -- -This topic gives important changes to be aware of for each [.noloc]`Kubernetes` version in extended support. +This topic gives important changes to be aware of for each Kubernetes version in extended support. -- -This topic gives important changes to be aware of for each [.noloc]`Kubernetes` version in extended support. When upgrading, carefully review the changes that have occurred between the old and new versions for your cluster. +This topic gives important changes to be aware of for each Kubernetes version in extended support. When upgrading, carefully review the changes that have occurred between the old and new versions for your cluster. [#kubernetes-1-28] -== [.noloc]`Kubernetes` 1.28 +== Kubernetes 1.28 -[.noloc]`Kubernetes` `1.28` is now available in Amazon EKS. For more information about [.noloc]`Kubernetes` `1.28`, see the https://kubernetes.io/blog/2023/08/15/kubernetes-v1-28-release/[official release announcement]. +Kubernetes `1.28` is now available in Amazon EKS. For more information about Kubernetes `1.28`, see the https://kubernetes.io/blog/2023/08/15/kubernetes-v1-28-release/[official release announcement]. -* [.noloc]`Kubernetes` `v1.28` expanded the supported skew between core node and control plane components by one minor version, from `n-2` to `n-3`, so that node components (``kubelet`` and `kube-proxy`) for the oldest supported minor version can work with control plane components (``kube-apiserver``, `kube-scheduler`, `kube-controller-manager`, `cloud-controller-manager`) for the newest supported minor version. +* Kubernetes `v1.28` expanded the supported skew between core node and control plane components by one minor version, from `n-2` to `n-3`, so that node components (``kubelet`` and `kube-proxy`) for the oldest supported minor version can work with control plane components (``kube-apiserver``, `kube-scheduler`, `kube-controller-manager`, `cloud-controller-manager`) for the newest supported minor version. * Metrics `force_delete_pods_total` and `force_delete_pod_errors_total` in the `Pod GC Controller` are enhanced to account for all forceful pods deletion. A reason is added to the metric to indicate whether the pod is forcefully deleted because it's terminated, orphaned, terminating with the out-of-service taint, or terminating and unscheduled. * The `PersistentVolume (PV)` controller has been modified to automatically assign a default `StorageClass` to any unbound `PersistentVolumeClaim` with the `storageClassName` not set. Additionally, the `PersistentVolumeClaim` admission validation mechanism within the API server has been adjusted to allow changing values from an unset state to an actual `StorageClass` name. -For the complete [.noloc]`Kubernetes` `1.28` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1270. +For the complete Kubernetes `1.28` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#changelog-since-v1270. [#kubernetes-1-27] -== [.noloc]`Kubernetes` 1.27 +== Kubernetes 1.27 -[.noloc]`Kubernetes` `1.27` is now available in Amazon EKS. For more information about [.noloc]`Kubernetes` `1.27`, see the https://kubernetes.io/blog/2023/04/11/kubernetes-v1-27-release/[official release announcement]. +Kubernetes `1.27` is now available in Amazon EKS. For more information about Kubernetes `1.27`, see the https://kubernetes.io/blog/2023/04/11/kubernetes-v1-27-release/[official release announcement]. [IMPORTANT] ==== @@ -44,118 +44,118 @@ kubectl get pods --all-namespaces -o json | grep -E 'seccomp.security.alpha.kube ==== -* The `kubelet` in [.noloc]`Kubernetes` `1.27` increased the default `kubeAPIQPS` to `50` and `kubeAPIBurst` to `100`. These enhancements allow the `kubelet` to handle a higher volume of API queries, improving response times and performance. When the demands for `Pods` increase, due to scaling requirements, the revised defaults ensure that the `kubelet` can efficiently manage the increased workload. As a result, `Pod` launches are quicker and cluster operations are more effective. +* The `kubelet` in Kubernetes `1.27` increased the default `kubeAPIQPS` to `50` and `kubeAPIBurst` to `100`. These enhancements allow the `kubelet` to handle a higher volume of API queries, improving response times and performance. When the demands for `Pods` increase, due to scaling requirements, the revised defaults ensure that the `kubelet` can efficiently manage the increased workload. As a result, `Pod` launches are quicker and cluster operations are more effective. * You can use more fine grained `Pod` topology to spread policies such as `minDomain`. This parameter gives you the ability to specify the minimum number of domains your `Pods` should be spread across. `nodeAffinityPolicy` and `nodeTaintPolicy` allow for an extra level of granularity in governing `Pod` distribution. This is in accordance to node affinities, taints, and the `matchLabelKeys` field in the `topologySpreadConstraints` of your `Pod's` specification. This permits the selection of `Pods` for spreading calculations following a rolling upgrade. -* [.noloc]`Kubernetes` `1.27` promoted to beta a new policy mechanism for `StatefulSets` that controls the lifetime of their `PersistentVolumeClaims`(`PVCs`). The new `PVC` retention policy lets you specify if the `PVCs` generated from the `StatefulSet` spec template will be automatically deleted or retained when the `StatefulSet` is deleted or replicas in the `StatefulSet` are scaled down. -* The https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/[goaway-chance] option in the [.noloc]`Kubernetes` API server helps prevent `HTTP/2` client connections from being stuck on a single API server instance, by randomly closing a connection. When the connection is closed, the client will try to reconnect, and will likely land on a different API server as a result of load balancing. Amazon EKS version `1.27` has enabled `goaway-chance` flag. If your workload running on Amazon EKS cluster uses a client that is not compatible with https://www.rfc-editor.org/rfc/rfc7540#section-6.8[HTTP GOAWAY], we recommend that you update your client to handle `GOAWAY` by reconnecting on connection termination. +* Kubernetes `1.27` promoted to beta a new policy mechanism for `StatefulSets` that controls the lifetime of their `PersistentVolumeClaims`(`PVCs`). The new `PVC` retention policy lets you specify if the `PVCs` generated from the `StatefulSet` spec template will be automatically deleted or retained when the `StatefulSet` is deleted or replicas in the `StatefulSet` are scaled down. +* The https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/[goaway-chance] option in the Kubernetes API server helps prevent `HTTP/2` client connections from being stuck on a single API server instance, by randomly closing a connection. When the connection is closed, the client will try to reconnect, and will likely land on a different API server as a result of load balancing. Amazon EKS version `1.27` has enabled `goaway-chance` flag. If your workload running on Amazon EKS cluster uses a client that is not compatible with https://www.rfc-editor.org/rfc/rfc7540#section-6.8[HTTP GOAWAY], we recommend that you update your client to handle `GOAWAY` by reconnecting on connection termination. -For the complete [.noloc]`Kubernetes` `1.27` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1260. +For the complete Kubernetes `1.27` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#changelog-since-v1260. [#kubernetes-1-26] -== [.noloc]`Kubernetes` 1.26 +== Kubernetes 1.26 -[.noloc]`Kubernetes` `1.26` is now available in Amazon EKS. For more information about [.noloc]`Kubernetes` `1.26`, see the https://kubernetes.io/blog/2022/12/09/kubernetes-v1-26-release/[official release announcement]. +Kubernetes `1.26` is now available in Amazon EKS. For more information about Kubernetes `1.26`, see the https://kubernetes.io/blog/2022/12/09/kubernetes-v1-26-release/[official release announcement]. [IMPORTANT] ==== -[.noloc]`Kubernetes` `1.26` no longer supports [.noloc]`CRI` `v1alpha2`. This results in the `kubelet` no longer registering the node if the container runtime doesn't support [.noloc]`CRI` `v1`. This also means that [.noloc]`Kubernetes` `1.26` doesn't support containerd minor version `1.5` and earlier. If you're using containerd, you need to upgrade to containerd version `1.6.0` or later before you upgrade any nodes to [.noloc]`Kubernetes` `1.26`. You also need to upgrade any other container runtimes that only support the `v1alpha2`. For more information, defer to the container runtime vendor. By default, [.noloc]`Amazon Linux` and [.noloc]`Bottlerocket` AMIs include containerd version `1.6.6`. +Kubernetes `1.26` no longer supports CRI `v1alpha2`. This results in the `kubelet` no longer registering the node if the container runtime doesn't support CRI `v1`. This also means that Kubernetes `1.26` doesn't support containerd minor version `1.5` and earlier. If you're using containerd, you need to upgrade to containerd version `1.6.0` or later before you upgrade any nodes to Kubernetes `1.26`. You also need to upgrade any other container runtimes that only support the `v1alpha2`. For more information, defer to the container runtime vendor. By default, Amazon Linux and Bottlerocket AMIs include containerd version `1.6.6`. ==== -* Before you upgrade to [.noloc]`Kubernetes` `1.26`, upgrade your [.noloc]`Amazon VPC CNI plugin for Kubernetes` to version `1.12` or later. If you don't upgrade to [.noloc]`Amazon VPC CNI plugin for Kubernetes` version `1.12` or later, the [.noloc]`Amazon VPC CNI plugin for Kubernetes` will crash. For more information, see <>. -* The https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/[goaway-chance] option in the [.noloc]`Kubernetes` API server helps prevent `HTTP/2` client connections from being stuck on a single API server instance, by randomly closing a connection. When the connection is closed, the client will try to reconnect, and will likely land on a different API server as a result of load balancing. Amazon EKS version `1.26` has enabled `goaway-chance` flag. If your workload running on Amazon EKS cluster uses a client that is not compatible with https://www.rfc-editor.org/rfc/rfc7540#section-6.8[HTTP GOAWAY], we recommend that you update your client to handle `GOAWAY` by reconnecting on connection termination. +* Before you upgrade to Kubernetes `1.26`, upgrade your Amazon VPC CNI plugin for Kubernetes to version `1.12` or later. If you don't upgrade to Amazon VPC CNI plugin for Kubernetes version `1.12` or later, the Amazon VPC CNI plugin for Kubernetes will crash. For more information, see <>. +* The https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/[goaway-chance] option in the Kubernetes API server helps prevent `HTTP/2` client connections from being stuck on a single API server instance, by randomly closing a connection. When the connection is closed, the client will try to reconnect, and will likely land on a different API server as a result of load balancing. Amazon EKS version `1.26` has enabled `goaway-chance` flag. If your workload running on Amazon EKS cluster uses a client that is not compatible with https://www.rfc-editor.org/rfc/rfc7540#section-6.8[HTTP GOAWAY], we recommend that you update your client to handle `GOAWAY` by reconnecting on connection termination. -For the complete [.noloc]`Kubernetes` `1.26` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1250. +For the complete Kubernetes `1.26` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md#changelog-since-v1250. [#kubernetes-1-25] -== [.noloc]`Kubernetes` 1.25 +== Kubernetes 1.25 -[.noloc]`Kubernetes` `1.25` is now available in Amazon EKS. For more information about [.noloc]`Kubernetes` `1.25`, see the https://kubernetes.io/blog/2022/08/23/kubernetes-v1-25-release/[official release announcement]. +Kubernetes `1.25` is now available in Amazon EKS. For more information about Kubernetes `1.25`, see the https://kubernetes.io/blog/2022/08/23/kubernetes-v1-25-release/[official release announcement]. [IMPORTANT] ==== * Amazon EC2 `P2` instances aren't supported on Amazon EKS because they require `NVIDIA` driver version 470 or earlier. -* `PodSecurityPolicy` ([.noloc]`PSP`) is removed in [.noloc]`Kubernetes` `1.25`. [.noloc]`PSPs` are replaced with https://kubernetes.io/docs/concepts/security/pod-security-admission/[Pod Security Admission (PSA)] and Pod Security Standards [.noloc]`(PSS)`. [.noloc]`PSA` is a built-in admission controller that implements the security controls outlined in the https://kubernetes.io/docs/concepts/security/pod-security-standards/[PSS]. [.noloc]`PSA` and [.noloc]`PSS` are graduated to stable in [.noloc]`Kubernetes` `1.25` and are enabled in Amazon EKS by default. If you have [.noloc]`PSPs` in your cluster, make sure to migrate from [.noloc]`PSP` to the built-in [.noloc]`Kubernetes` [.noloc]`PSS` or to a policy-as-code solution before upgrading your cluster to version `1.25`. If you don't migrate from PSP, you might encounter interruptions to your workloads. For more information, see the <>. -* [.noloc]`Kubernetes` version `1.25` contains changes that alter the behavior of an existing feature known as API Priority and Fairness (APF). APF serves to shield the API server from potential overload during periods of heightened request volumes. It does this by placing restrictions on the number of concurrent requests that can be processed at any given time. This is achieved through the application of distinct priority levels and limits to requests originating from various workloads or users. This approach ensures that critical applications or high-priority requests receive preferential treatment, while simultaneously preventing lower priority requests from overwhelming the API server. For more information, see https://kubernetes.io/docs/concepts/cluster-administration/flow-control/[API Priority and Fairness] in the [.noloc]`Kubernetes` documentation or https://aws.github.io/aws-eks-best-practices/scalability/docs/control-plane/#api-priority-and-fairness[API Priority and Fairness] in the EKS Best Practices Guide. +* `PodSecurityPolicy` (PSP) is removed in Kubernetes `1.25`. PSPs are replaced with https://kubernetes.io/docs/concepts/security/pod-security-admission/[Pod Security Admission (PSA)] and Pod Security Standards (PSS). PSA is a built-in admission controller that implements the security controls outlined in the https://kubernetes.io/docs/concepts/security/pod-security-standards/[PSS]. PSA and PSS are graduated to stable in Kubernetes `1.25` and are enabled in Amazon EKS by default. If you have PSPs in your cluster, make sure to migrate from PSP to the built-in Kubernetes PSS or to a policy-as-code solution before upgrading your cluster to version `1.25`. If you don't migrate from PSP, you might encounter interruptions to your workloads. For more information, see the <>. +* Kubernetes version `1.25` contains changes that alter the behavior of an existing feature known as API Priority and Fairness (APF). APF serves to shield the API server from potential overload during periods of heightened request volumes. It does this by placing restrictions on the number of concurrent requests that can be processed at any given time. This is achieved through the application of distinct priority levels and limits to requests originating from various workloads or users. This approach ensures that critical applications or high-priority requests receive preferential treatment, while simultaneously preventing lower priority requests from overwhelming the API server. For more information, see https://kubernetes.io/docs/concepts/cluster-administration/flow-control/[API Priority and Fairness] in the Kubernetes documentation or https://aws.github.io/aws-eks-best-practices/scalability/docs/control-plane/#api-priority-and-fairness[API Priority and Fairness] in the EKS Best Practices Guide. + These updates were introduced in https://github.com/kubernetes/kubernetes/pull/103521[PR #10352] and https://github.com/kubernetes/kubernetes/pull/118601[PR #118601]. Previously, APF treated all types of requests uniformly, with each request consuming a single unit of the concurrent request limit. The APF behavior change assigns higher units of concurrency to `LIST` requests due to the exceptionally heavy burden put on the API server by these requests. The API server estimates the number of objects that will be returned by a `LIST` request. It assigns a unit of concurrency that is proportional to the number of objects returned. + Upon upgrading to Amazon EKS version `1.25` or higher, this updated behavior might cause workloads with heavy `LIST` requests (that previously functioned without issue) to encounter rate limiting. This would be indicated by an HTTP 429 response code. To avoid potential workload disruption due to `LIST` requests being rate limited, we strongly encourage you to restructure your workloads to reduce the rate of these requests. Alternatively, you can address this issue by adjusting the APF settings to allocate more capacity for essential requests while reducing the capacity allocated to non-essential ones. For more information about these mitigation techniques, see https://aws.github.io/aws-eks-best-practices/scalability/docs/control-plane/#preventing-dropped-requests[Preventing Dropped Requests] in the EKS Best Practices Guide. -* Amazon EKS `1.25` includes enhancements to cluster authentication that contain updated [.noloc]`YAML` libraries. If a [.noloc]`YAML` value in the `aws-auth` `ConfigMap` found in the `kube-system` namespace starts with a macro, where the first character is a curly brace, you should add quotation marks (`" "`) before and after the curly braces (`{ }`). This is required to ensure that `aws-iam-authenticator` version `v0.6.3` accurately parses the `aws-auth` `ConfigMap` in Amazon EKS `1.25`. -* The beta API version (`discovery.k8s.io/v1beta1`) of `EndpointSlice` was deprecated in [.noloc]`Kubernetes` `1.21` and is no longer served as of [.noloc]`Kubernetes` `1.25`. This API has been updated to `discovery.k8s.io/v1`. For more information, see https://kubernetes.io/docs/reference/using-api/deprecation-guide/#endpointslice-v125[EndpointSlice] in the [.noloc]`Kubernetes` documentation. The [.noloc]`{aws} Load Balancer Controller` `v2.4.6` and earlier used the `v1beta1` endpoint to communicate with `EndpointSlices`. If you're using the `EndpointSlices` configuration for the [.noloc]`{aws} Load Balancer Controller`, you must upgrade to [.noloc]`{aws} Load Balancer Controller` `v2.4.7` _before_ upgrading your Amazon EKS cluster to `1.25`. If you upgrade to `1.25` while using the `EndpointSlices` configuration for the [.noloc]`{aws} Load Balancer Controller`, the controller will crash and result in interruptions to your workloads. To upgrade the controller, see <>. +* Amazon EKS `1.25` includes enhancements to cluster authentication that contain updated YAML libraries. If a YAML value in the `aws-auth` `ConfigMap` found in the `kube-system` namespace starts with a macro, where the first character is a curly brace, you should add quotation marks (`" "`) before and after the curly braces (`{ }`). This is required to ensure that `aws-iam-authenticator` version `v0.6.3` accurately parses the `aws-auth` `ConfigMap` in Amazon EKS `1.25`. +* The beta API version (`discovery.k8s.io/v1beta1`) of `EndpointSlice` was deprecated in Kubernetes `1.21` and is no longer served as of Kubernetes `1.25`. This API has been updated to `discovery.k8s.io/v1`. For more information, see https://kubernetes.io/docs/reference/using-api/deprecation-guide/#endpointslice-v125[EndpointSlice] in the Kubernetes documentation. The {aws} Load Balancer Controller `v2.4.6` and earlier used the `v1beta1` endpoint to communicate with `EndpointSlices`. If you're using the `EndpointSlices` configuration for the {aws} Load Balancer Controller, you must upgrade to {aws} Load Balancer Controller `v2.4.7` _before_ upgrading your Amazon EKS cluster to `1.25`. If you upgrade to `1.25` while using the `EndpointSlices` configuration for the {aws} Load Balancer Controller, the controller will crash and result in interruptions to your workloads. To upgrade the controller, see <>. * The beta API version (`autoscaling/v2beta1`) of HorizontalPodAutoscaler is no longer served as of Kubernetes `1.25`. This API was deprecated in version `1.23`. Migrate manifests and API clients to use the `autoscaling/v2` HorizontalPodAutoscaler API version. For more information, see https://kubernetes.io/docs/reference/using-api/deprecation-guide/#horizontalpodautoscaler-v125[the Kubernetes documentation]. ==== -* `SeccompDefault` is promoted to beta in [.noloc]`Kubernetes` `1.25`. By setting the `--seccomp-default` flag when you configure `kubelet`, the container runtime uses its `RuntimeDefaultseccomp` profile, rather than the unconfined (`seccomp disabled`) mode. The default profiles provide a strong set of security defaults, while preserving the functionality of the workload. Although this flag is available, Amazon EKS doesn't enable this flag by default, so Amazon EKS behavior is effectively unchanged. If you want to, you can start enabling this on your nodes. For more details, see the tutorial https://kubernetes.io/docs/tutorials/security/seccomp/#enable-the-use-of-runtimedefault-as-the-default-seccomp-profile-for-all-workloads/[Restrict a Container's Syscalls with seccomp] in the [.noloc]`Kubernetes` documentation. -* Support for the Container Runtime Interface (CRI) for [.noloc]`Docker` (also known as [.noloc]`dockershim`) was removed from [.noloc]`Kubernetes` `1.24` and later. The only container runtime in Amazon EKS official [.noloc]`AMIs` for [.noloc]`Kubernetes` `1.24` and later clusters is [.noloc]`containerd`. Before upgrading to Amazon EKS `1.24` or later, remove any reference to bootstrap script flags that aren't supported anymore. For more information, see <>. -* The support for wildcard queries was deprecated in [.noloc]`CoreDNS` `1.8.7` and removed in [.noloc]`CoreDNS` `1.9`. This was done as a security measure. Wildcard queries no longer work and return [.noloc]`NXDOMAIN` instead of an IP address. -* The https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/[goaway-chance] option in the [.noloc]`Kubernetes` API server helps prevent `HTTP/2` client connections from being stuck on a single API server instance, by randomly closing a connection. When the connection is closed, the client will try to reconnect, and will likely land on a different API server as a result of load balancing. Amazon EKS version `1.25` has enabled `goaway-chance` flag. If your workload running on Amazon EKS cluster uses a client that is not compatible with https://www.rfc-editor.org/rfc/rfc7540#section-6.8[HTTP GOAWAY], we recommend that you update your client to handle `GOAWAY` by reconnecting on connection termination. +* `SeccompDefault` is promoted to beta in Kubernetes `1.25`. By setting the `--seccomp-default` flag when you configure `kubelet`, the container runtime uses its `RuntimeDefaultseccomp` profile, rather than the unconfined (`seccomp disabled`) mode. The default profiles provide a strong set of security defaults, while preserving the functionality of the workload. Although this flag is available, Amazon EKS doesn't enable this flag by default, so Amazon EKS behavior is effectively unchanged. If you want to, you can start enabling this on your nodes. For more details, see the tutorial https://kubernetes.io/docs/tutorials/security/seccomp/#enable-the-use-of-runtimedefault-as-the-default-seccomp-profile-for-all-workloads/[Restrict a Container's Syscalls with seccomp] in the Kubernetes documentation. +* Support for the Container Runtime Interface (CRI) for Docker (also known as dockershim) was removed from Kubernetes `1.24` and later. The only container runtime in Amazon EKS official AMIs for Kubernetes `1.24` and later clusters is containerd. Before upgrading to Amazon EKS `1.24` or later, remove any reference to bootstrap script flags that aren't supported anymore. For more information, see <>. +* The support for wildcard queries was deprecated in CoreDNS `1.8.7` and removed in CoreDNS `1.9`. This was done as a security measure. Wildcard queries no longer work and return NXDOMAIN instead of an IP address. +* The https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/[goaway-chance] option in the Kubernetes API server helps prevent `HTTP/2` client connections from being stuck on a single API server instance, by randomly closing a connection. When the connection is closed, the client will try to reconnect, and will likely land on a different API server as a result of load balancing. Amazon EKS version `1.25` has enabled `goaway-chance` flag. If your workload running on Amazon EKS cluster uses a client that is not compatible with https://www.rfc-editor.org/rfc/rfc7540#section-6.8[HTTP GOAWAY], we recommend that you update your client to handle `GOAWAY` by reconnecting on connection termination. -For the complete [.noloc]`Kubernetes` `1.25` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1240. +For the complete Kubernetes `1.25` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1240. [#kubernetes-1-24] -== [.noloc]`Kubernetes` 1.24 +== Kubernetes 1.24 -[.noloc]`Kubernetes` `1.24` is now available in Amazon EKS. For more information about [.noloc]`Kubernetes` `1.24`, see the https://kubernetes.io/blog/2022/05/03/kubernetes-1-24-release-announcement/[official release announcement]. +Kubernetes `1.24` is now available in Amazon EKS. For more information about Kubernetes `1.24`, see the https://kubernetes.io/blog/2022/05/03/kubernetes-1-24-release-announcement/[official release announcement]. [IMPORTANT] ==== -* Starting with [.noloc]`Kubernetes` `1.24`, new beta APIs aren't enabled in clusters by default. By default, existing beta APIs and new versions of existing beta APIs continue to be enabled. Amazon EKS follows the same behavior as upstream [.noloc]`Kubernetes` `1.24`. The feature gates that control new features for both new and existing API operations are enabled by default. This is in alignment with upstream [.noloc]`Kubernetes`. For more information, see https://github.com/kubernetes/enhancements/blob/master/keps/sig-architecture/3136-beta-apis-off-by-default/README.md[KEP-3136: Beta APIs Are Off by Default] on GitHub. -* Support for Container Runtime Interface (CRI) for [.noloc]`Docker` (also known as `dockershim`) is removed from [.noloc]`Kubernetes` `1.24`. Amazon EKS official AMIs have [.noloc]`containerd` as the only runtime. Before moving to Amazon EKS `1.24` or higher, you must remove any reference to bootstrap script flags that aren't supported anymore. You must also make sure that IP forwarding is enabled for your worker nodes. For more information, see <>. -* If you already have [.noloc]`Fluentd` configured for [.noloc]`Container Insights`, then you must migrate [.noloc]`Fluentd` to [.noloc]`Fluent Bit` before updating your cluster. The [.noloc]`Fluentd` parsers are configured to only parse log messages in JSON format. Unlike `dockerd`, the `containerd` container runtime has log messages that aren't in JSON format. If you don't migrate to [.noloc]`Fluent Bit`, some of the configured [.noloc]`Fluentd's` parsers will generate a massive amount of errors inside the [.noloc]`Fluentd` container. For more information on migrating, see link:AmazonCloudWatch/latest/monitoring/Container-Insights-setup-logs-FluentBit.html[Set up Fluent Bit as a DaemonSet to send logs to CloudWatch Logs,type="documentation"]. -* In [.noloc]`Kubernetes` `1.23` and earlier, `kubelet` serving certificates with unverifiable IP and DNS Subject Alternative Names (SANs) are automatically issued with unverifiable SANs. These unverifiable SANs are omitted from the provisioned certificate. In version `1.24` and later clusters, `kubelet` serving certificates aren't issued if any SAN can't be verified. This prevents `kubectl` exec and `kubectl` logs commands from working. For more information, see <>. -* When upgrading an Amazon EKS `1.23` cluster that uses [.noloc]`Fluent Bit`, you must make sure that it's running `k8s/1.3.12` or later. You can do this by reapplying the latest applicable [.noloc]`Fluent Bit` YAML file from [.noloc]`GitHub`. For more information, see link:AmazonCloudWatch/latest/monitoring/Container-Insights-setup-logs-FluentBit.html#Container-Insights-FluentBit-setup[Setting up Fluent Bit,type="documentation"] in the _Amazon CloudWatch User Guide_. +* Starting with Kubernetes `1.24`, new beta APIs aren't enabled in clusters by default. By default, existing beta APIs and new versions of existing beta APIs continue to be enabled. Amazon EKS follows the same behavior as upstream Kubernetes `1.24`. The feature gates that control new features for both new and existing API operations are enabled by default. This is in alignment with upstream Kubernetes. For more information, see https://github.com/kubernetes/enhancements/blob/master/keps/sig-architecture/3136-beta-apis-off-by-default/README.md[KEP-3136: Beta APIs Are Off by Default] on GitHub. +* Support for Container Runtime Interface (CRI) for Docker (also known as `dockershim`) is removed from Kubernetes `1.24`. Amazon EKS official AMIs have containerd as the only runtime. Before moving to Amazon EKS `1.24` or higher, you must remove any reference to bootstrap script flags that aren't supported anymore. You must also make sure that IP forwarding is enabled for your worker nodes. For more information, see <>. +* If you already have Fluentd configured for Container Insights, then you must migrate Fluentd to Fluent Bit before updating your cluster. The Fluentd parsers are configured to only parse log messages in JSON format. Unlike `dockerd`, the `containerd` container runtime has log messages that aren't in JSON format. If you don't migrate to Fluent Bit, some of the configured Fluentd's parsers will generate a massive amount of errors inside the Fluentd container. For more information on migrating, see link:AmazonCloudWatch/latest/monitoring/Container-Insights-setup-logs-FluentBit.html[Set up Fluent Bit as a DaemonSet to send logs to CloudWatch Logs,type="documentation"]. +* In Kubernetes `1.23` and earlier, `kubelet` serving certificates with unverifiable IP and DNS Subject Alternative Names (SANs) are automatically issued with unverifiable SANs. These unverifiable SANs are omitted from the provisioned certificate. In version `1.24` and later clusters, `kubelet` serving certificates aren't issued if any SAN can't be verified. This prevents `kubectl` exec and `kubectl` logs commands from working. For more information, see <>. +* When upgrading an Amazon EKS `1.23` cluster that uses Fluent Bit, you must make sure that it's running `k8s/1.3.12` or later. You can do this by reapplying the latest applicable Fluent Bit YAML file from GitHub. For more information, see link:AmazonCloudWatch/latest/monitoring/Container-Insights-setup-logs-FluentBit.html#Container-Insights-FluentBit-setup[Setting up Fluent Bit,type="documentation"] in the _Amazon CloudWatch User Guide_. ==== -* You can use Topology Aware Hints to indicate your preference for keeping traffic in zone when cluster worker nodes are deployed across multiple availability zones. Routing traffic within a zone can help reduce costs and improve network performance. By default, Topology Aware Hints are enabled in Amazon EKS `1.24`. For more information, see https://kubernetes.io/docs/concepts/services-networking/topology-aware-hints/[Topology Aware Hints] in the [.noloc]`Kubernetes` documentation. -* The `PodSecurityPolicy` ([.noloc]`PSP`) is scheduled for removal in [.noloc]`Kubernetes` `1.25`. [.noloc]`PSPs` are being replaced with https://kubernetes.io/docs/concepts/security/pod-security-admission/[Pod Security Admission (PSA)]. PSA is a built-in admission controller that uses the security controls that are outlined in the https://kubernetes.io/docs/concepts/security/pod-security-standards/[Pod Security Standards (PSS)]. PSA and PSS are both beta features and are enabled in Amazon EKS by default. To address the removal of [.noloc]`PSP` in version `1.25`, we recommend that you implement PSS in Amazon EKS. For more information, see link:containers/implementing-pod-security-standards-in-amazon-eks[Implementing Pod Security Standards in Amazon EKS,type="blog"] on the {aws} blog. -* The `client.authentication.k8s.io/v1alpha1` ExecCredential is removed in [.noloc]`Kubernetes` `1.24`. The ExecCredential API was generally available in [.noloc]`Kubernetes` `1.22`. If you use a client-go credential plugin that relies on the `v1alpha1` API, contact the distributor of your plugin on how to migrate to the `v1` API. -* For [.noloc]`Kubernetes` `1.24`, we contributed a feature to the upstream Cluster Autoscaler project that simplifies scaling Amazon EKS managed node groups to and from zero nodes. Previously, for the Cluster Autoscaler to understand the resources, labels, and taints of a managed node group that was scaled to zero nodes, you needed to tag the underlying Amazon EC2 Auto Scaling group with the details of the nodes that it was responsible for. Now, when there are no running nodes in the managed node group, the Cluster Autoscaler calls the Amazon EKS `DescribeNodegroup` API operation. This API operation provides the information that the Cluster Autoscaler requires of the managed node group's resources, labels, and taints. This feature requires that you add the `eks:DescribeNodegroup` permission to the Cluster Autoscaler service account IAM policy. When the value of a Cluster Autoscaler tag on the Auto Scaling group powering an Amazon EKS managed node group conflicts with the node group itself, the Cluster Autoscaler prefers the value of the Auto Scaling group tag. This is so that you can override values as needed. For more information, see https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaler]. -* If you intend to use [.noloc]`Inferentia` or [.noloc]`Trainium` instance types with Amazon EKS `1.24`, you must upgrade to the {aws} [.noloc]`Neuron` device plugin version 1.9.3.0 or later. For more information, see https://awsdocs-neuron.readthedocs-hosted.com/en/latest/release-notes/containers/neuron-k8.html#id46[Neuron K8 release [1.9.3.0]] in the {aws} [.noloc]`Neuron` Documentation. -* `Containerd` has `IPv6` enabled for [.noloc]`Pods`, by default. It applies node kernel settings to [.noloc]`Pod` network namespaces. Because of this, containers in a [.noloc]`Pod` bind to both `IPv4` (`127.0.0.1`) and `IPv6` (`::1`) loopback addresses. `IPv6` is the default protocol for communication. Before updating your cluster to version `1.24`, we recommend that you test your multi-container [.noloc]`Pods`. Modify apps so that they can bind to all IP addresses on loopback interfaces. The majority of libraries enable `IPv6` binding, which is backward compatible with `IPv4`. When it's not possible to modify your application code, you have two options: +* You can use Topology Aware Hints to indicate your preference for keeping traffic in zone when cluster worker nodes are deployed across multiple availability zones. Routing traffic within a zone can help reduce costs and improve network performance. By default, Topology Aware Hints are enabled in Amazon EKS `1.24`. For more information, see https://kubernetes.io/docs/concepts/services-networking/topology-aware-hints/[Topology Aware Hints] in the Kubernetes documentation. +* The `PodSecurityPolicy` (PSP) is scheduled for removal in Kubernetes `1.25`. PSPs are being replaced with https://kubernetes.io/docs/concepts/security/pod-security-admission/[Pod Security Admission (PSA)]. PSA is a built-in admission controller that uses the security controls that are outlined in the https://kubernetes.io/docs/concepts/security/pod-security-standards/[Pod Security Standards (PSS)]. PSA and PSS are both beta features and are enabled in Amazon EKS by default. To address the removal of PSP in version `1.25`, we recommend that you implement PSS in Amazon EKS. For more information, see link:containers/implementing-pod-security-standards-in-amazon-eks[Implementing Pod Security Standards in Amazon EKS,type="blog"] on the {aws} blog. +* The `client.authentication.k8s.io/v1alpha1` ExecCredential is removed in Kubernetes `1.24`. The ExecCredential API was generally available in Kubernetes `1.22`. If you use a client-go credential plugin that relies on the `v1alpha1` API, contact the distributor of your plugin on how to migrate to the `v1` API. +* For Kubernetes `1.24`, we contributed a feature to the upstream Cluster Autoscaler project that simplifies scaling Amazon EKS managed node groups to and from zero nodes. Previously, for the Cluster Autoscaler to understand the resources, labels, and taints of a managed node group that was scaled to zero nodes, you needed to tag the underlying Amazon EC2 Auto Scaling group with the details of the nodes that it was responsible for. Now, when there are no running nodes in the managed node group, the Cluster Autoscaler calls the Amazon EKS `DescribeNodegroup` API operation. This API operation provides the information that the Cluster Autoscaler requires of the managed node group's resources, labels, and taints. This feature requires that you add the `eks:DescribeNodegroup` permission to the Cluster Autoscaler service account IAM policy. When the value of a Cluster Autoscaler tag on the Auto Scaling group powering an Amazon EKS managed node group conflicts with the node group itself, the Cluster Autoscaler prefers the value of the Auto Scaling group tag. This is so that you can override values as needed. For more information, see https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaler]. +* If you intend to use Inferentia or Trainium instance types with Amazon EKS `1.24`, you must upgrade to the {aws} Neuron device plugin version 1.9.3.0 or later. For more information, see https://awsdocs-neuron.readthedocs-hosted.com/en/latest/release-notes/containers/neuron-k8.html#id46[Neuron K8 release [1.9.3.0]] in the {aws} Neuron Documentation. +* `Containerd` has `IPv6` enabled for Pods, by default. It applies node kernel settings to Pod network namespaces. Because of this, containers in a Pod bind to both `IPv4` (`127.0.0.1`) and `IPv6` (`::1`) loopback addresses. `IPv6` is the default protocol for communication. Before updating your cluster to version `1.24`, we recommend that you test your multi-container Pods. Modify apps so that they can bind to all IP addresses on loopback interfaces. The majority of libraries enable `IPv6` binding, which is backward compatible with `IPv4`. When it's not possible to modify your application code, you have two options: + ** Run an `init` container and set `disable ipv6` to `true` (`sysctl -w net.ipv6.conf.all.disable_ipv6=1`). -** Configure a https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#mutatingadmissionwebhook[mutating admission webhook] to inject an `init` container alongside your application [.noloc]`Pods`. +** Configure a https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#mutatingadmissionwebhook[mutating admission webhook] to inject an `init` container alongside your application Pods. + -If you need to block `IPv6` for all [.noloc]`Pods` across all nodes, you might have to disable `IPv6` on your instances. -* The https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/[goaway-chance] option in the [.noloc]`Kubernetes` API server helps prevent `HTTP/2` client connections from being stuck on a single API server instance, by randomly closing a connection. When the connection is closed, the client will try to reconnect, and will likely land on a different API server as a result of load balancing. Amazon EKS version `1.24` has enabled `goaway-chance` flag. If your workload running on Amazon EKS cluster uses a client that is not compatible with https://www.rfc-editor.org/rfc/rfc7540#section-6.8[HTTP GOAWAY], we recommend that you update your client to handle `GOAWAY` by reconnecting on connection termination. +If you need to block `IPv6` for all Pods across all nodes, you might have to disable `IPv6` on your instances. +* The https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/[goaway-chance] option in the Kubernetes API server helps prevent `HTTP/2` client connections from being stuck on a single API server instance, by randomly closing a connection. When the connection is closed, the client will try to reconnect, and will likely land on a different API server as a result of load balancing. Amazon EKS version `1.24` has enabled `goaway-chance` flag. If your workload running on Amazon EKS cluster uses a client that is not compatible with https://www.rfc-editor.org/rfc/rfc7540#section-6.8[HTTP GOAWAY], we recommend that you update your client to handle `GOAWAY` by reconnecting on connection termination. -For the complete [.noloc]`Kubernetes` `1.24` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1230. +For the complete Kubernetes `1.24` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1230. [#kubernetes-1-23] -== [.noloc]`Kubernetes` 1.23 +== Kubernetes 1.23 -[.noloc]`Kubernetes` `1.23` is now available in Amazon EKS. For more information about [.noloc]`Kubernetes` `1.23`, see the https://kubernetes.io/blog/2021/12/07/kubernetes-1-23-release-announcement/[official release announcement]. +Kubernetes `1.23` is now available in Amazon EKS. For more information about Kubernetes `1.23`, see the https://kubernetes.io/blog/2021/12/07/kubernetes-1-23-release-announcement/[official release announcement]. [IMPORTANT] ==== -* The [.noloc]`Kubernetes` in-tree to container storage interface (CSI) volume migration feature is enabled. This feature enables the replacement of existing [.noloc]`Kubernetes` in-tree storage plugins for Amazon EBS with a corresponding Amazon EBS CSI driver. For more information, see https://kubernetes.io/blog/2019/12/09/kubernetes-1-17-feature-csi-migration-beta/[Kubernetes 1.17 Feature: Kubernetes In-Tree to CSI Volume Migration Moves to Beta] on the [.noloc]`Kubernetes` blog. +* The Kubernetes in-tree to container storage interface (CSI) volume migration feature is enabled. This feature enables the replacement of existing Kubernetes in-tree storage plugins for Amazon EBS with a corresponding Amazon EBS CSI driver. For more information, see https://kubernetes.io/blog/2019/12/09/kubernetes-1-17-feature-csi-migration-beta/[Kubernetes 1.17 Feature: Kubernetes In-Tree to CSI Volume Migration Moves to Beta] on the Kubernetes blog. + -The feature translates in-tree APIs to equivalent CSI APIs and delegates operations to a replacement CSI driver. With this feature, if you use existing `StorageClass`, `PersistentVolume`, and `PersistentVolumeClaim` objects that belong to these workloads, there likely won't be any noticeable change. The feature enables [.noloc]`Kubernetes` to delegate all storage management operations from the in-tree plugin to the CSI driver. If you use Amazon EBS volumes in an existing cluster, install the Amazon EBS CSI driver in your cluster before you update your cluster to version `1.23`. If you don't install the driver before updating an existing cluster, interruptions to your workloads might occur. If you plan to deploy workloads that use Amazon EBS volumes in a new `1.23` cluster, install the Amazon EBS CSI driver in your cluster before deploying the workloads your cluster. For instructions on how to install the Amazon EBS CSI driver on your cluster, see <>. -* Extended Support for Amazon EKS optimized [.noloc]`Windows` AMIs that are published by {aws} isn't available for [.noloc]`Kubernetes` version `1.23` but is available for [.noloc]`Kubernetes` version `1.24` and higher. +The feature translates in-tree APIs to equivalent CSI APIs and delegates operations to a replacement CSI driver. With this feature, if you use existing `StorageClass`, `PersistentVolume`, and `PersistentVolumeClaim` objects that belong to these workloads, there likely won't be any noticeable change. The feature enables Kubernetes to delegate all storage management operations from the in-tree plugin to the CSI driver. If you use Amazon EBS volumes in an existing cluster, install the Amazon EBS CSI driver in your cluster before you update your cluster to version `1.23`. If you don't install the driver before updating an existing cluster, interruptions to your workloads might occur. If you plan to deploy workloads that use Amazon EBS volumes in a new `1.23` cluster, install the Amazon EBS CSI driver in your cluster before deploying the workloads your cluster. For instructions on how to install the Amazon EBS CSI driver on your cluster, see <>. +* Extended Support for Amazon EKS optimized Windows AMIs that are published by {aws} isn't available for Kubernetes version `1.23` but is available for Kubernetes version `1.24` and higher. ==== -* [.noloc]`Kubernetes` stopped supporting `dockershim` in version `1.20` and removed `dockershim` in version `1.24`. For more information, see https://kubernetes.io/blog/2022/01/07/kubernetes-is-moving-on-from-dockershim/[Kubernetes is Moving on From Dockershim: Commitments and Next Steps] in the [.noloc]`Kubernetes` blog. Amazon EKS will end support for `dockershim` starting in Amazon EKS version `1.24`. Starting with Amazon EKS version `1.24`, Amazon EKS official AMIs will have `containerd` as the only runtime. +* Kubernetes stopped supporting `dockershim` in version `1.20` and removed `dockershim` in version `1.24`. For more information, see https://kubernetes.io/blog/2022/01/07/kubernetes-is-moving-on-from-dockershim/[Kubernetes is Moving on From Dockershim: Commitments and Next Steps] in the Kubernetes blog. Amazon EKS will end support for `dockershim` starting in Amazon EKS version `1.24`. Starting with Amazon EKS version `1.24`, Amazon EKS official AMIs will have `containerd` as the only runtime. + -Even though Amazon EKS version `1.23` continues to support `dockershim`, we recommend that you start testing your applications now to identify and remove any [.noloc]`Docker` dependencies. This way, you are prepared to update your cluster to version `1.24`. For more information about `dockershim` removal, see <>. -* [.noloc]`Kubernetes` graduated `IPv4`/``IPv6`` dual-stack networking for [.noloc]`Pods`, services, and nodes to general availability. However, Amazon EKS and the [.noloc]`Amazon VPC CNI plugin for Kubernetes` don't support dual-stack networking. Your clusters can assign `IPv4` or `IPv6` addresses to [.noloc]`Pods` and services, but can't assign both address types. -* [.noloc]`Kubernetes` graduated the Pod Security Admission (PSA) feature to beta. The feature is enabled by default. For more information, see https://kubernetes.io/docs/concepts/security/pod-security-admission/[Pod Security Admission] in the [.noloc]`Kubernetes` documentation. PSA replaces the https://aws.github.io/aws-eks-best-practices/security/docs/pods/#pod-security-solutions[Pod Security Policy] ([.noloc]`PSP`) admission controller. The PSP admission controller isn't supported and is scheduled for removal in [.noloc]`Kubernetes` version `1.25`. +Even though Amazon EKS version `1.23` continues to support `dockershim`, we recommend that you start testing your applications now to identify and remove any Docker dependencies. This way, you are prepared to update your cluster to version `1.24`. For more information about `dockershim` removal, see <>. +* Kubernetes graduated `IPv4`/``IPv6`` dual-stack networking for Pods, services, and nodes to general availability. However, Amazon EKS and the Amazon VPC CNI plugin for Kubernetes don't support dual-stack networking. Your clusters can assign `IPv4` or `IPv6` addresses to Pods and services, but can't assign both address types. +* Kubernetes graduated the Pod Security Admission (PSA) feature to beta. The feature is enabled by default. For more information, see https://kubernetes.io/docs/concepts/security/pod-security-admission/[Pod Security Admission] in the Kubernetes documentation. PSA replaces the https://aws.github.io/aws-eks-best-practices/security/docs/pods/#pod-security-solutions[Pod Security Policy] (PSP) admission controller. The PSP admission controller isn't supported and is scheduled for removal in Kubernetes version `1.25`. + -The [.noloc]`PSP` admission controller enforces [.noloc]`Pod` security standards on [.noloc]`Pods` in a namespace based on specific namespace labels that set the enforcement level. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/pods/#pod-security-standards-pss-and-pod-security-admission-psa[Pod Security Standards (PSS) and Pod Security Admission (PSA)] in the Amazon EKS best practices guide. +The PSP admission controller enforces Pod security standards on Pods in a namespace based on specific namespace labels that set the enforcement level. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/pods/#pod-security-standards-pss-and-pod-security-admission-psa[Pod Security Standards (PSS) and Pod Security Admission (PSA)] in the Amazon EKS best practices guide. * The `kube-proxy` image deployed with clusters is now the https://gallery.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-iptables[minimal base image] maintained by Amazon EKS Distro (EKS-D). The image contains minimal packages and doesn't have shells or package managers. -* [.noloc]`Kubernetes` graduated ephemeral containers to beta. Ephemeral containers are temporary containers that run in the same namespace as an existing [.noloc]`Pod`. You can use them to observe the state of [.noloc]`Pods` and containers for troubleshooting and debugging purposes. This is especially useful for interactive troubleshooting when `kubectl exec` is insufficient because either a container has crashed or a container image doesn't include debugging utilities. An example of a container that includes a debugging utility is https://github.com/GoogleContainerTools/distroless#distroless-container-images[distroless images]. For more information, see https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/#ephemeral-container[Debugging with an ephemeral debug container] in the [.noloc]`Kubernetes` documentation. -* [.noloc]`Kubernetes` graduated the `HorizontalPodAutoscaler` `autoscaling/v2` stable API to general availability. The `HorizontalPodAutoscaler` `autoscaling/v2beta2` API is deprecated. It will be unavailable in `1.26`. -* The https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/[goaway-chance] option in the [.noloc]`Kubernetes` API server helps prevent `HTTP/2` client connections from being stuck on a single API server instance, by randomly closing a connection. When the connection is closed, the client will try to reconnect, and will likely land on a different API server as a result of load balancing. Amazon EKS version `1.23` has enabled `goaway-chance` flag. If your workload running on Amazon EKS cluster uses a client that is not compatible with https://www.rfc-editor.org/rfc/rfc7540#section-6.8[HTTP GOAWAY], we recommend that you update your client to handle `GOAWAY` by reconnecting on connection termination. +* Kubernetes graduated ephemeral containers to beta. Ephemeral containers are temporary containers that run in the same namespace as an existing Pod. You can use them to observe the state of Pods and containers for troubleshooting and debugging purposes. This is especially useful for interactive troubleshooting when `kubectl exec` is insufficient because either a container has crashed or a container image doesn't include debugging utilities. An example of a container that includes a debugging utility is https://github.com/GoogleContainerTools/distroless#distroless-container-images[distroless images]. For more information, see https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/#ephemeral-container[Debugging with an ephemeral debug container] in the Kubernetes documentation. +* Kubernetes graduated the `HorizontalPodAutoscaler` `autoscaling/v2` stable API to general availability. The `HorizontalPodAutoscaler` `autoscaling/v2beta2` API is deprecated. It will be unavailable in `1.26`. +* The https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/[goaway-chance] option in the Kubernetes API server helps prevent `HTTP/2` client connections from being stuck on a single API server instance, by randomly closing a connection. When the connection is closed, the client will try to reconnect, and will likely land on a different API server as a result of load balancing. Amazon EKS version `1.23` has enabled `goaway-chance` flag. If your workload running on Amazon EKS cluster uses a client that is not compatible with https://www.rfc-editor.org/rfc/rfc7540#section-6.8[HTTP GOAWAY], we recommend that you update your client to handle `GOAWAY` by reconnecting on connection termination. -For the complete [.noloc]`Kubernetes` `1.23` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.23.md#changelog-since-v1220. \ No newline at end of file +For the complete Kubernetes `1.23` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.23.md#changelog-since-v1220. \ No newline at end of file diff --git a/latest/ug/clusters/kubernetes-versions-standard.adoc b/latest/ug/clusters/kubernetes-versions-standard.adoc index dd9a7652b..88f400723 100644 --- a/latest/ug/clusters/kubernetes-versions-standard.adoc +++ b/latest/ug/clusters/kubernetes-versions-standard.adoc @@ -1,27 +1,27 @@ [.topic] [#kubernetes-versions-standard] -= Review release notes for [.noloc]`Kubernetes` versions on standard support += Review release notes for Kubernetes versions on standard support :info_titleabbrev: Standard support versions include::../attributes.txt[] [abstract] -- -This topic gives important changes to be aware of for each [.noloc]`Kubernetes` version in standard support. +This topic gives important changes to be aware of for each Kubernetes version in standard support. -- -This topic gives important changes to be aware of for each [.noloc]`Kubernetes` version in standard support. When upgrading, carefully review the changes that have occurred between the old and new versions for your cluster. +This topic gives important changes to be aware of for each Kubernetes version in standard support. When upgrading, carefully review the changes that have occurred between the old and new versions for your cluster. [NOTE] ==== -For `1.24` and later clusters, officially published Amazon EKS AMIs include `containerd` as the only runtime. [.noloc]`Kubernetes` versions earlier than `1.24` use [.noloc]`Docker` as the default runtime. These versions have a bootstrap flag option that you can use to test out your workloads on any supported cluster with `containerd`. For more information, see <>. +For `1.24` and later clusters, officially published Amazon EKS AMIs include `containerd` as the only runtime. Kubernetes versions earlier than `1.24` use Docker as the default runtime. These versions have a bootstrap flag option that you can use to test out your workloads on any supported cluster with `containerd`. For more information, see <>. ==== [#kubernetes-1-32] -== [.noloc]`Kubernetes` 1.32 +== Kubernetes 1.32 -[.noloc]`Kubernetes` `1.32` is now available in Amazon EKS. For more information about [.noloc]`Kubernetes` `1.32`, see the https://kubernetes.io/blog/2024/12/13/kubernetes-v1-32-release/[official release announcement]. +Kubernetes `1.32` is now available in Amazon EKS. For more information about Kubernetes `1.32`, see the https://kubernetes.io/blog/2024/12/13/kubernetes-v1-32-release/[official release announcement]. [IMPORTANT] ==== @@ -39,7 +39,7 @@ For `1.24` and later clusters, officially published Amazon EKS AMIs include `con * Custom Resource Field Selector functionality has been introduced, allowing developers to add field selectors to custom resources. This feature provides the same filtering capabilities available for built-in Kubernetes objects to custom resources, enabling more precise and efficient resource filtering and promoting better API design practices. -For the complete [.noloc]`Kubernetes` `1.32` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.32.md +For the complete Kubernetes `1.32` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.32.md === Anonymous authentication changes @@ -70,9 +70,9 @@ NOTE: This update applies to EKS-optimized AL2 AMIs. For more information about [#kubernetes-1-31] -== [.noloc]`Kubernetes` 1.31 +== Kubernetes 1.31 -[.noloc]`Kubernetes` `1.31` is now available in Amazon EKS. For more information about [.noloc]`Kubernetes` `1.31`, see the https://kubernetes.io/blog/2024/08/13/kubernetes-v1-31-release/[official release announcement]. +Kubernetes `1.31` is now available in Amazon EKS. For more information about Kubernetes `1.31`, see the https://kubernetes.io/blog/2024/08/13/kubernetes-v1-31-release/[official release announcement]. [IMPORTANT] ==== @@ -87,12 +87,12 @@ NOTE: This update applies to EKS-optimized AL2 AMIs. For more information about * Kubernetes support for https://apparmor.net/[AppArmor] has graduated to stable and is now generally available for public use. This feature allows you to protect your containers with AppArmor by setting the `appArmorProfile.type` field in the container's `securityContext`. Prior to Kubernetes `v1.30`, AppArmor was controlled by annotations. Starting with `v1.30`, it is controlled using fields. To leverage this feature, we recommend migrating away from annotations and using the `appArmorProfile.type` field to ensure that your workloads are compatible. * The PersistentVolume last phase transition time feature has graduated to stable and is now generally available for public use in Kubernetes `v1.31`. This feature introduces a new field, `.status.lastTransitionTime`, in the PersistentVolumeStatus, which provides a timestamp of when a PersistentVolume last transitioned to a different phase. This enhancement allows for better tracking and management of PersistentVolumes, particularly in scenarios where understanding the lifecycle of volumes is important. -For the complete [.noloc]`Kubernetes` `1.31` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.31.md +For the complete Kubernetes `1.31` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.31.md [#kubernetes-1-30] -== [.noloc]`Kubernetes` 1.30 +== Kubernetes 1.30 -[.noloc]`Kubernetes` `1.30` is now available in Amazon EKS. For more information about [.noloc]`Kubernetes` `1.30`, see the https://kubernetes.io/blog/2024/04/17/kubernetes-v1-30-release/[official release announcement]. +Kubernetes `1.30` is now available in Amazon EKS. For more information about Kubernetes `1.30`, see the https://kubernetes.io/blog/2024/04/17/kubernetes-v1-30-release/[official release announcement]. [IMPORTANT] ==== @@ -109,27 +109,27 @@ For the complete [.noloc]`Kubernetes` `1.31` changelog, see https://github.com/k * Starting with `1.30`, Amazon EKS no longer includes the `default` annotation on the `gp2 StorageClass` resource applied to newly created clusters. This has no impact if you are referencing this storage class by name. You must take action if you were relying on having a default `StorageClass` in the cluster. You should reference the `StorageClass` by the name `gp2`. Alternatively, you can deploy the Amazon EBS recommended default storage class by setting the `defaultStorageClass.enabled` parameter to true when installing `v1.31.0` or later of the `aws-ebs-csi-driver add-on`. * The minimum required IAM policy for the Amazon EKS cluster IAM role has changed. The action `ec2:DescribeAvailabilityZones` is required. For more information, see <>. -For the complete [.noloc]`Kubernetes` `1.30` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md. +For the complete Kubernetes `1.30` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md. [#kubernetes-1-29] -== [.noloc]`Kubernetes` 1.29 +== Kubernetes 1.29 -[.noloc]`Kubernetes` `1.29` is now available in Amazon EKS. For more information about [.noloc]`Kubernetes` `1.29`, see the https://kubernetes.io/blog/2023/12/13/kubernetes-v1-29-release/[official release announcement]. +Kubernetes `1.29` is now available in Amazon EKS. For more information about Kubernetes `1.29`, see the https://kubernetes.io/blog/2023/12/13/kubernetes-v1-29-release/[official release announcement]. [IMPORTANT] ==== -* The deprecated `flowcontrol.apiserver.k8s.io/v1beta2` API version of `FlowSchema` and `PriorityLevelConfiguration` are no longer served in [.noloc]`Kubernetes` `v1.29`. If you have manifests or client software that uses the deprecated beta API group, you should change these before you upgrade to `v1.29`. +* The deprecated `flowcontrol.apiserver.k8s.io/v1beta2` API version of `FlowSchema` and `PriorityLevelConfiguration` are no longer served in Kubernetes `v1.29`. If you have manifests or client software that uses the deprecated beta API group, you should change these before you upgrade to `v1.29`. ==== -* The `.status.kubeProxyVersion` field for node objects is now deprecated, and the [.noloc]`Kubernetes` project is proposing to remove that field in a future release. The deprecated field is not accurate and has historically been managed by `kubelet` - which does not actually know the `kube-proxy` version, or even whether `kube-proxy` is running. If you've been using this field in client software, stop - the information isn't reliable and the field is now deprecated. -* In [.noloc]`Kubernetes` `1.29` to reduce potential attack surface, the `LegacyServiceAccountTokenCleanUp` feature labels legacy auto-generated secret-based tokens as invalid if they have not been used for a long time (1 year by default), and automatically removes them if use is not attempted for a long time after being marked as invalid (1 additional year by default). To identify such tokens, a you can run: +* The `.status.kubeProxyVersion` field for node objects is now deprecated, and the Kubernetes project is proposing to remove that field in a future release. The deprecated field is not accurate and has historically been managed by `kubelet` - which does not actually know the `kube-proxy` version, or even whether `kube-proxy` is running. If you've been using this field in client software, stop - the information isn't reliable and the field is now deprecated. +* In Kubernetes `1.29` to reduce potential attack surface, the `LegacyServiceAccountTokenCleanUp` feature labels legacy auto-generated secret-based tokens as invalid if they have not been used for a long time (1 year by default), and automatically removes them if use is not attempted for a long time after being marked as invalid (1 additional year by default). To identify such tokens, a you can run: + [source,bash,subs="verbatim,attributes"] ---- kubectl get cm kube-apiserver-legacy-service-account-token-tracking -n kube-system ---- -For the complete [.noloc]`Kubernetes` `1.29` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1280. \ No newline at end of file +For the complete Kubernetes `1.29` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1280. \ No newline at end of file diff --git a/latest/ug/clusters/kubernetes-versions.adoc b/latest/ug/clusters/kubernetes-versions.adoc index e2c96ae5f..36ca40e77 100644 --- a/latest/ug/clusters/kubernetes-versions.adoc +++ b/latest/ug/clusters/kubernetes-versions.adoc @@ -1,6 +1,6 @@ [.topic] [#kubernetes-versions] -= Understand the [.noloc]`Kubernetes` version lifecycle on EKS += Understand the Kubernetes version lifecycle on EKS :info_titleabbrev: Kubernetes versions :keywords: Amazon EKS, available, Kubernetes, version, release notes @@ -12,13 +12,13 @@ include::../attributes.txt[] Learn how Amazon EKS supports Kubernetes versions with standard and extended support periods, allowing you to proactively update clusters with the latest versions, features, and security patches.. -- -[.noloc]`Kubernetes` rapidly evolves with new features, design updates, and bug fixes. The community releases new [.noloc]`Kubernetes` minor versions (such as `{k8s-n}`) on average once every four months. Amazon EKS follows the upstream release and deprecation cycle for minor versions. As new [.noloc]`Kubernetes` versions become available in Amazon EKS, we recommend that you proactively update your clusters to use the latest available version. +Kubernetes rapidly evolves with new features, design updates, and bug fixes. The community releases new Kubernetes minor versions (such as `{k8s-n}`) on average once every four months. Amazon EKS follows the upstream release and deprecation cycle for minor versions. As new Kubernetes versions become available in Amazon EKS, we recommend that you proactively update your clusters to use the latest available version. -A minor version is under standard support in Amazon EKS for the first 14 months after it's released. Once a version is past the end of standard support date, it enters extended support for the next 12 months. Extended support allows you to stay at a specific [.noloc]`Kubernetes` version for longer at an additional cost per cluster hour. If you haven't updated your cluster before the extended support period ends, your cluster is auto-upgraded to the oldest currently supported extended version. +A minor version is under standard support in Amazon EKS for the first 14 months after it's released. Once a version is past the end of standard support date, it enters extended support for the next 12 months. Extended support allows you to stay at a specific Kubernetes version for longer at an additional cost per cluster hour. If you haven't updated your cluster before the extended support period ends, your cluster is auto-upgraded to the oldest currently supported extended version. Extended support is enabled by default. <> -We recommend that you create your cluster with the latest available [.noloc]`Kubernetes` version supported by Amazon EKS. If your application requires a specific version of [.noloc]`Kubernetes`, you can select older versions. You can create new Amazon EKS clusters on any version offered in standard or extended support. +We recommend that you create your cluster with the latest available Kubernetes version supported by Amazon EKS. If your application requires a specific version of Kubernetes, you can select older versions. You can create new Amazon EKS clusters on any version offered in standard or extended support. @@ -28,7 +28,7 @@ video::_dJdAZ_J_jw[youtube,align = center,height = 405,fileref = https://www.you [#available-versions] == Available versions on standard support -The following [.noloc]`Kubernetes` versions are currently available in Amazon EKS standard support: +The following Kubernetes versions are currently available in Amazon EKS standard support: * `1.32` * `1.31` @@ -40,7 +40,7 @@ For important changes to be aware of for each version in standard support, see < [#available-versions-extended] == Available versions on extended support -The following [.noloc]`Kubernetes` versions are currently available in Amazon EKS extended support: +The following Kubernetes versions are currently available in Amazon EKS extended support: * `1.28` @@ -52,9 +52,9 @@ The following [.noloc]`Kubernetes` versions are currently available in Amazon EK For important changes to be aware of for each version in extended support, see <>. [#kubernetes-release-calendar] -== Amazon EKS [.noloc]`Kubernetes` release calendar +== Amazon EKS Kubernetes release calendar -The following table shows important release and support dates to consider for each [.noloc]`Kubernetes` version. Billing for extended support starts at the beginning of the day that the version reaches end of standard support. +The following table shows important release and support dates to consider for each Kubernetes version. Billing for extended support starts at the beginning of the day that the version reaches end of standard support. [NOTE] ==== @@ -176,35 +176,35 @@ aws eks describe-cluster-versions [#version-faqs] == Amazon EKS version FAQs -*How many [.noloc]`Kubernetes` versions are available in standard support?*:: -In line with the [.noloc]`Kubernetes` community support for [.noloc]`Kubernetes` versions, Amazon EKS is committed to offering support for three [.noloc]`Kubernetes` versions at any given time. We will announce the end of standard support date of a given [.noloc]`Kubernetes` minor version at least 60 days in advance. Because of the Amazon EKS qualification and release process for new [.noloc]`Kubernetes` versions, the end of standard support date of a [.noloc]`Kubernetes` version on Amazon EKS will be after the date that the [.noloc]`Kubernetes` project stops supporting the version upstream. +*How many Kubernetes versions are available in standard support?*:: +In line with the Kubernetes community support for Kubernetes versions, Amazon EKS is committed to offering support for three Kubernetes versions at any given time. We will announce the end of standard support date of a given Kubernetes minor version at least 60 days in advance. Because of the Amazon EKS qualification and release process for new Kubernetes versions, the end of standard support date of a Kubernetes version on Amazon EKS will be after the date that the Kubernetes project stops supporting the version upstream. -*How long does a [.noloc]`Kubernetes` receive standard support by Amazon EKS?*:: -A [.noloc]`Kubernetes` version received standard support for 14 months after first being available on Amazon EKS. This is true even if upstream [.noloc]`Kubernetes` no longer support a version that's available on Amazon EKS. We backport security patches that are applicable to the [.noloc]`Kubernetes` versions that are supported on Amazon EKS. +*How long does a Kubernetes receive standard support by Amazon EKS?*:: +A Kubernetes version received standard support for 14 months after first being available on Amazon EKS. This is true even if upstream Kubernetes no longer support a version that's available on Amazon EKS. We backport security patches that are applicable to the Kubernetes versions that are supported on Amazon EKS. -*Am I notified when standard support is ending for a [.noloc]`Kubernetes` version on Amazon EKS?*:: -Yes. If any clusters in your account are running the version nearing the end of support, Amazon EKS sends out a notice through the {aws} Health Dashboard approximately 12 months after the [.noloc]`Kubernetes` version was released on Amazon EKS. The notice includes the end of support date. This is at least 60 days from the date of the notice. +*Am I notified when standard support is ending for a Kubernetes version on Amazon EKS?*:: +Yes. If any clusters in your account are running the version nearing the end of support, Amazon EKS sends out a notice through the {aws} Health Dashboard approximately 12 months after the Kubernetes version was released on Amazon EKS. The notice includes the end of support date. This is at least 60 days from the date of the notice. -*Which [.noloc]`Kubernetes` features are supported by Amazon EKS?*:: -Amazon EKS supports all generally available (GA) features of the [.noloc]`Kubernetes` API. Starting with [.noloc]`Kubernetes` version `1.24`, new beta APIs aren't enabled in clusters by default. However, previously existing beta APIs and new versions of existing beta APIs continue to be enabled by default. Alpha features aren't supported. +*Which Kubernetes features are supported by Amazon EKS?*:: +Amazon EKS supports all generally available (GA) features of the Kubernetes API. Starting with Kubernetes version `1.24`, new beta APIs aren't enabled in clusters by default. However, previously existing beta APIs and new versions of existing beta APIs continue to be enabled by default. Alpha features aren't supported. *Are Amazon EKS managed node groups automatically updated along with the cluster control plane version?*:: -No. A managed node group creates Amazon EC2 instances in your account. These instances aren't automatically upgraded when you or Amazon EKS update your control plane. For more information, see <>. We recommend maintaining the same [.noloc]`Kubernetes` version on your control plane and nodes. +No. A managed node group creates Amazon EC2 instances in your account. These instances aren't automatically upgraded when you or Amazon EKS update your control plane. For more information, see <>. We recommend maintaining the same Kubernetes version on your control plane and nodes. *Are self-managed node groups automatically updated along with the cluster control plane version?*:: No. A self-managed node group includes Amazon EC2 instances in your account. These instances aren't automatically upgraded when you or Amazon EKS update the control plane version on your behalf. A self-managed node group doesn't have any indication in the console that it needs updating. You can view the `kubelet` version installed on a node by selecting the node in the *Nodes* list on the *Overview* tab of your cluster to determine which nodes need updating. You must manually update the nodes. For more information, see <>. + -The [.noloc]`Kubernetes` project tests compatibility between the control plane and nodes for up to three minor versions. For example, `{k8s-n-3}` nodes continue to operate when orchestrated by a `{k8s-n}` control plane. However, running a cluster with nodes that are persistently three minor versions behind the control plane isn't recommended. For more information, see https://kubernetes.io/docs/setup/version-skew-policy/[Kubernetes version and version skew support policy] in the [.noloc]`Kubernetes` documentation. We recommend maintaining the same [.noloc]`Kubernetes` version on your control plane and nodes. +The Kubernetes project tests compatibility between the control plane and nodes for up to three minor versions. For example, `{k8s-n-3}` nodes continue to operate when orchestrated by a `{k8s-n}` control plane. However, running a cluster with nodes that are persistently three minor versions behind the control plane isn't recommended. For more information, see https://kubernetes.io/docs/setup/version-skew-policy/[Kubernetes version and version skew support policy] in the Kubernetes documentation. We recommend maintaining the same Kubernetes version on your control plane and nodes. -*Are [.noloc]`Pods` running on Fargate automatically upgraded with an automatic cluster control plane version upgrade?*:: -No. We strongly recommend running Fargate [.noloc]`Pods` as part of a replication controller, such as a [.noloc]`Kubernetes` deployment. Then do a rolling restart of all Fargate [.noloc]`Pods`. The new version of the Fargate [.noloc]`Pod` is deployed with a `kubelet` version that's the same version as your updated cluster control plane version. For more information, see https://kubernetes.io/docs/concepts/workloads/controllers/deployment[Deployments] in the [.noloc]`Kubernetes` documentation. +*Are Pods running on Fargate automatically upgraded with an automatic cluster control plane version upgrade?*:: +No. We strongly recommend running Fargate Pods as part of a replication controller, such as a Kubernetes deployment. Then do a rolling restart of all Fargate Pods. The new version of the Fargate Pod is deployed with a `kubelet` version that's the same version as your updated cluster control plane version. For more information, see https://kubernetes.io/docs/concepts/workloads/controllers/deployment[Deployments] in the Kubernetes documentation. + -IMPORTANT: If you update the control plane, you must still update the Fargate nodes yourself. To update Fargate nodes, delete the Fargate [.noloc]`Pod` represented by the node and redeploy the [.noloc]`Pod`. The new [.noloc]`Pod` is deployed with a `kubelet` version that's the same version as your cluster. +IMPORTANT: If you update the control plane, you must still update the Fargate nodes yourself. To update Fargate nodes, delete the Fargate Pod represented by the node and redeploy the Pod. The new Pod is deployed with a `kubelet` version that's the same version as your cluster. *What Kubernetes versions are supported for hybrid nodes?*:: @@ -215,23 +215,23 @@ Amazon EKS Hybrid Nodes supports the same Kubernetes versions as Amazon EKS clus == Amazon EKS extended support FAQs *The standard support and extended support terminology is new to me. What do those terms mean?*:: -Standard support for a [.noloc]`Kubernetes` version in Amazon EKS begins when a [.noloc]`Kubernetes` version is released on Amazon EKS, and will end 14 months after the release date. Extended support for a [.noloc]`Kubernetes` version will begin immediately after the end of standard support, and will end after the next 12 months. For example, standard support for version `1.23` in Amazon EKS ended on October 11, 2023. Extended support for version `1.23` began on October 12, 2023 and ended on October 11, 2024. +Standard support for a Kubernetes version in Amazon EKS begins when a Kubernetes version is released on Amazon EKS, and will end 14 months after the release date. Extended support for a Kubernetes version will begin immediately after the end of standard support, and will end after the next 12 months. For example, standard support for version `1.23` in Amazon EKS ended on October 11, 2023. Extended support for version `1.23` began on October 12, 2023 and ended on October 11, 2024. *What do I need to do to get extended support for Amazon EKS clusters?*:: -You will need to enable extended support (see <>) for your cluster by changing the cluster upgrade policy to EXTENDED. By default, for all new and existing clusters, the upgrade policy is set to EXTENDED, unless specified otherwise. See <> to view the upgrade policy for your cluster. Standard support will begin when a [.noloc]`Kubernetes` version is released on Amazon EKS, and will end 14 months after the release date. Extended support for a [.noloc]`Kubernetes` version will begin immediately after the end of standard support, and will end after the next 12 months. +You will need to enable extended support (see <>) for your cluster by changing the cluster upgrade policy to EXTENDED. By default, for all new and existing clusters, the upgrade policy is set to EXTENDED, unless specified otherwise. See <> to view the upgrade policy for your cluster. Standard support will begin when a Kubernetes version is released on Amazon EKS, and will end 14 months after the release date. Extended support for a Kubernetes version will begin immediately after the end of standard support, and will end after the next 12 months. -*For which [.noloc]`Kubernetes` versions can I get extended support?*:: -Extended support is available for [.noloc]`Kubernetes` versions `1.23` and higher. You can run clusters on any version for up to 12 months after the end of standard support for that version. This means that each version will be supported for 26 months in Amazon EKS (14 months of standard support plus 12 months of extended support). +*For which Kubernetes versions can I get extended support?*:: +Extended support is available for Kubernetes versions `1.23` and higher. You can run clusters on any version for up to 12 months after the end of standard support for that version. This means that each version will be supported for 26 months in Amazon EKS (14 months of standard support plus 12 months of extended support). *What if I don't want to use extended support?*:: -If you don't want to be automatically enrolled in extended support, you can upgrade your cluster to a [.noloc]`Kubernetes` version that's in standard Amazon EKS support. See <> to learn how to disable extended support. Note: If you disable extended support, your cluster will be auto upgraded at the end of standard support. +If you don't want to be automatically enrolled in extended support, you can upgrade your cluster to a Kubernetes version that's in standard Amazon EKS support. See <> to learn how to disable extended support. Note: If you disable extended support, your cluster will be auto upgraded at the end of standard support. *What will happen at the end of 12 months of extended support?*:: -Clusters running on a [.noloc]`Kubernetes` version that has completed its 26-month lifecycle (14 months of standard support plus 12 months of extended support) will be auto-upgraded to the next version. The auto-upgrade includes only the Kubernetes control plane. If you have EKS Auto Mode nodes, they may automatically update. Self managed nodes and EKS Managed Node Groups will remain on the previous version. +Clusters running on a Kubernetes version that has completed its 26-month lifecycle (14 months of standard support plus 12 months of extended support) will be auto-upgraded to the next version. The auto-upgrade includes only the Kubernetes control plane. If you have EKS Auto Mode nodes, they may automatically update. Self managed nodes and EKS Managed Node Groups will remain on the previous version. + On the end of extended support date, you can no longer create new Amazon EKS clusters with the unsupported version. Existing control planes are automatically updated by Amazon EKS to the earliest supported version through a gradual deployment process after the end of support date. After the automatic control plane update, make sure to manually update cluster add-ons and Amazon EC2 nodes. For more information, see <>. @@ -240,8 +240,8 @@ On the end of extended support date, you can no longer create new Amazon EKS clu Amazon EKS can't provide specific time frames. Automatic updates can happen at any time after the end of extended support date. You won't receive any notification before the update. We recommend that you proactively update your control plane without relying on the Amazon EKS automatic update process. For more information, see <>. -*Can I leave my control plane on a [.noloc]`Kubernetes` version indefinitely?*:: -No. Cloud security at {aws} is the highest priority. Past a certain point (usually one year), the [.noloc]`Kubernetes` community stops releasing common vulnerabilities and exposures ([.noloc]`CVE`) patches and discourages CVE submission for unsupported versions. This means that vulnerabilities specific to an older version of [.noloc]`Kubernetes` might not even be reported. This leaves clusters exposed with no notice and no remediation options in the event of a vulnerability. Given this, Amazon EKS doesn't allow control planes to stay on a version that reached end of extended support. +*Can I leave my control plane on a Kubernetes version indefinitely?*:: +No. Cloud security at {aws} is the highest priority. Past a certain point (usually one year), the Kubernetes community stops releasing common vulnerabilities and exposures (CVE) patches and discourages CVE submission for unsupported versions. This means that vulnerabilities specific to an older version of Kubernetes might not even be reported. This leaves clusters exposed with no notice and no remediation options in the event of a vulnerability. Given this, Amazon EKS doesn't allow control planes to stay on a version that reached end of extended support. *Is there additional cost to get extended support?*:: @@ -249,13 +249,13 @@ Yes, there is additional cost for Amazon EKS clusters running in extended suppor *What is included in extended support?*:: -Amazon EKS clusters in Extended Support receive ongoing security patches for the [.noloc]`Kubernetes` control plane. Additionally, Amazon EKS will release patches for the Amazon VPC CNI, `kube-proxy`, and [.noloc]`CoreDNS` add-ons for Extended Support versions. Amazon EKS will also release patches for {aws}-published Amazon EKS optimized AMIs for Amazon Linux, [.noloc]`Bottlerocket`, and Windows, as well as Amazon EKS Fargate nodes for those versions. All clusters in Extended Support will continue to get access to technical support from {aws}. +Amazon EKS clusters in Extended Support receive ongoing security patches for the Kubernetes control plane. Additionally, Amazon EKS will release patches for the Amazon VPC CNI, `kube-proxy`, and CoreDNS add-ons for Extended Support versions. Amazon EKS will also release patches for {aws}-published Amazon EKS optimized AMIs for Amazon Linux, Bottlerocket, and Windows, as well as Amazon EKS Fargate nodes for those versions. All clusters in Extended Support will continue to get access to technical support from {aws}. + -NOTE: Extended Support for Amazon EKS optimized [.noloc]`Windows` AMIs that are published by {aws} isn't available for [.noloc]`Kubernetes` version `1.23` but is available for [.noloc]`Kubernetes` version `1.24` and higher. +NOTE: Extended Support for Amazon EKS optimized Windows AMIs that are published by {aws} isn't available for Kubernetes version `1.23` but is available for Kubernetes version `1.24` and higher. -*Are there any limitations to patches for non-[.noloc]`Kubernetes` components in extended support?*:: -While Extended Support covers all of the [.noloc]`Kubernetes` specific components from {aws}, it will only provide support for {aws}-published Amazon EKS optimized AMIs for Amazon Linux, [.noloc]`Bottlerocket`, and Windows at all times. This means, you will potentially have newer components (such as OS or kernel) on your Amazon EKS optimized AMI while using Extended Support. For example, once Amazon Linux 2 reaches the link:amazon-linux-2/faqs/[end of its lifecycle in 2025,type="marketing"], the Amazon EKS optimized Amazon Linux AMIs will be built using a newer Amazon Linux OS. Amazon EKS will announce and document important support lifecycle discrepancies such as this for each [.noloc]`Kubernetes` version. +*Are there any limitations to patches for non-Kubernetes components in extended support?*:: +While Extended Support covers all of the Kubernetes specific components from {aws}, it will only provide support for {aws}-published Amazon EKS optimized AMIs for Amazon Linux, Bottlerocket, and Windows at all times. This means, you will potentially have newer components (such as OS or kernel) on your Amazon EKS optimized AMI while using Extended Support. For example, once Amazon Linux 2 reaches the link:amazon-linux-2/faqs/[end of its lifecycle in 2025,type="marketing"], the Amazon EKS optimized Amazon Linux AMIs will be built using a newer Amazon Linux OS. Amazon EKS will announce and document important support lifecycle discrepancies such as this for each Kubernetes version. *Can I create new clusters using a version on extended support?*:: diff --git a/latest/ug/clusters/management/cost-monitoring-aws.adoc b/latest/ug/clusters/management/cost-monitoring-aws.adoc index fdd69ab0f..cf3ae47bc 100644 --- a/latest/ug/clusters/management/cost-monitoring-aws.adoc +++ b/latest/ug/clusters/management/cost-monitoring-aws.adoc @@ -6,7 +6,7 @@ include::../../attributes.txt[] :info_titleabbrev: View costs by Pod == Cost monitoring using {aws} split cost allocation data for Amazon EKS -You can use {aws} split cost allocation data for Amazon EKS to get granular cost visibility for your Amazon EKS clusters. This enables you to analyze, optimize, and chargeback cost and usage for your [.noloc]`Kubernetes` applications. You allocate application costs to individual business units and teams based on Amazon EC2 CPU and memory resources consumed by your [.noloc]`Kubernetes` application. Split cost allocation data for Amazon EKS gives visibility into cost per Pod, and enables you to aggregate the cost data per Pod using namespace, cluster, and other [.noloc]`Kubernetes` primitives. The following are examples of [.noloc]`Kubernetes` primitives that you can use to analyze Amazon EKS cost allocation data. +You can use {aws} split cost allocation data for Amazon EKS to get granular cost visibility for your Amazon EKS clusters. This enables you to analyze, optimize, and chargeback cost and usage for your Kubernetes applications. You allocate application costs to individual business units and teams based on Amazon EC2 CPU and memory resources consumed by your Kubernetes application. Split cost allocation data for Amazon EKS gives visibility into cost per Pod, and enables you to aggregate the cost data per Pod using namespace, cluster, and other Kubernetes primitives. The following are examples of Kubernetes primitives that you can use to analyze Amazon EKS cost allocation data. * Cluster name * Deployment diff --git a/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc b/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc index bf85961f7..cc84bd7f9 100644 --- a/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc +++ b/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc @@ -4,20 +4,20 @@ include::../../attributes.txt[] -Amazon EKS provides an {aws} optimized bundle of [.noloc]`Kubecost` for cluster cost visibility. Amazon EKS supports [.noloc]`Kubecost`, which you can use to monitor your costs broken down by [.noloc]`Kubernetes` resources including [.noloc]`Pods`, nodes, namespaces, and labels. +Amazon EKS provides an {aws} optimized bundle of Kubecost for cluster cost visibility. Amazon EKS supports Kubecost, which you can use to monitor your costs broken down by Kubernetes resources including Pods, nodes, namespaces, and labels. -This topic covers the available versions of [.noloc]`Kubecost`, and the differences between the available tiers. EKS supports [.noloc]`Kubecost` Version 1 and Version 2. Each version is available in different tiers. You can use _Amazon EKS optimized [.noloc]`Kubecost` custom bundle_ for your EKS clusters at no additional cost. You may be charged for use of associated {aws} services, such as Amazon Managed Service for Prometheus. Also, you can use your existing {aws} support agreements to obtain support. +This topic covers the available versions of Kubecost, and the differences between the available tiers. EKS supports Kubecost Version 1 and Version 2. Each version is available in different tiers. You can use _Amazon EKS optimized Kubecost custom bundle_ for your EKS clusters at no additional cost. You may be charged for use of associated {aws} services, such as Amazon Managed Service for Prometheus. Also, you can use your existing {aws} support agreements to obtain support. -As a [.noloc]`Kubernetes` platform administrator and finance leader, you can use [.noloc]`Kubecost` to visualize a breakdown of Amazon EKS charges, allocate costs, and charge back organizational units such as application teams. You can provide your internal teams and business units with transparent and accurate cost data based on their actual {aws} bill. Moreover, you can also get customized recommendations for cost optimization based on their infrastructure environment and usage patterns within their clusters. For more information about [.noloc]`Kubecost`, see the https://guide.kubecost.com[Kubecost] documentation. +As a Kubernetes platform administrator and finance leader, you can use Kubecost to visualize a breakdown of Amazon EKS charges, allocate costs, and charge back organizational units such as application teams. You can provide your internal teams and business units with transparent and accurate cost data based on their actual {aws} bill. Moreover, you can also get customized recommendations for cost optimization based on their infrastructure environment and usage patterns within their clusters. For more information about Kubecost, see the https://guide.kubecost.com[Kubecost] documentation. -*What is the difference between the custom bundle of [.noloc]`Kubecost` and the free version of [.noloc]`Kubecost` (also known as [.noloc]`OpenCost`)?* +*What is the difference between the custom bundle of Kubecost and the free version of Kubecost (also known as OpenCost)?* -{aws} and [.noloc]`Kubecost` collaborated to offer a customized version of [.noloc]`Kubecost`. This version includes a subset of commercial features at no additional charge. See the tables below for features that are included with in the custom bundle of [.noloc]`Kubecost`. +{aws} and Kubecost collaborated to offer a customized version of Kubecost. This version includes a subset of commercial features at no additional charge. See the tables below for features that are included with in the custom bundle of Kubecost. [#kubecost-v2] == Kubecost v2 -*What is the difference between [.noloc]`Kubecost` v1 and v2?* +*What is the difference between Kubecost v1 and v2?* Kubecost 2.0 is a major upgrade from previous versions and includes major new features including a brand new API Backend. Note the https://docs.kubecost.com/apis/monitoring-apis/api-allocation[Allocation] and https://docs.kubecost.com/apis/monitoring-apis/assets-api[Assets] APIs are fully backwards compatible. https://docs.kubecost.com/install-and-configure/install/kubecostv2[Please review the Kubecost documentation to ensure a smooth transition.] For the full list of enhancements, https://github.com/kubecost/cost-analyzer-helm-chart/releases/tag/v2.0.0[please see the Kubecost release notes] @@ -177,7 +177,7 @@ The following features have metric limits: |*Deployment* |User hosted |User hosted -|User hosted or [.noloc]`Kubecost` hosted (SaaS) +|User hosted or Kubecost hosted (SaaS) |*Number of clusters supported* |Unlimited @@ -185,16 +185,16 @@ The following features have metric limits: |Unlimited |*Databases supported* -|Local [.noloc]`Prometheus` -|Local [.noloc]`Prometheus` or Amazon Managed Service for Prometheus -|[.noloc]`Prometheus`, Amazon Managed Service for Prometheus, [.noloc]`Cortex`, or [.noloc]`Thanos` +|Local Prometheus +|Local Prometheus or Amazon Managed Service for Prometheus +|Prometheus, Amazon Managed Service for Prometheus, Cortex, or Thanos |*Database retention support* |15 days |Unlimited historical data |Unlimited historical data -|*[.noloc]`Kubecost` API retention (ETL)* +|*Kubecost API retention (ETL)* |15 days |15 days |Unlimited historical data @@ -237,23 +237,23 @@ The following features have metric limits: |*Single sign-on (SSO) support* |- |Amazon Cognito supported -|[.noloc]`Okta`, [.noloc]`Auth0`, [.noloc]`PingID`, KeyCloak +|Okta, Auth0, PingID, KeyCloak |*Role-based access control (RBAC) with SAML `2.0`* |- |- -|[.noloc]`Okta`, [.noloc]`Auth0`, [.noloc]`PingID`, [.noloc]`Keycloak` +|Okta, Auth0, PingID, Keycloak |*Enterprise training and onboarding* |- |- -|Full-service training and [.noloc]`FinOps` onboarding +|Full-service training and FinOps onboarding |=== [#cost-monitoring-faq] == Frequently asked questions -See the following common questions and answers about using [.noloc]`Kubecost` with Amazon EKS. +See the following common questions and answers about using Kubecost with Amazon EKS. *What is the Kubecost API retention (ETL) feature?* @@ -309,19 +309,19 @@ Yes. `Kubectl-cost` is an open source tool by Kubecost (Apache 2.0 License) that *Is the Kubecost user interface supported? How do I access it?* -Kubecost provides a web dashboard that you can access through `kubectl` port forwarding, an ingress, or a load balancer. You can also use the {aws} Load Balancer Controller to expose [.noloc]`Kubecost` and use Amazon Cognito for authentication, authorization, and user management. For more information, see link:containers/how-to-use-application-load-balancer-and-amazon-cognito-to-authenticate-users-for-your-kubernetes-web-apps[How to use Application Load Balancer and Amazon Cognito to authenticate users for your Kubernetes web apps,type="blog"] on the {aws} blog. +Kubecost provides a web dashboard that you can access through `kubectl` port forwarding, an ingress, or a load balancer. You can also use the {aws} Load Balancer Controller to expose Kubecost and use Amazon Cognito for authentication, authorization, and user management. For more information, see link:containers/how-to-use-application-load-balancer-and-amazon-cognito-to-authenticate-users-for-your-kubernetes-web-apps[How to use Application Load Balancer and Amazon Cognito to authenticate users for your Kubernetes web apps,type="blog"] on the {aws} blog. *Is Amazon EKS Anywhere supported?* No. [#kubecost-additional] -== Additional [.noloc]`Kubecost` Features +== Additional Kubecost Features -* The following features are available in both [.noloc]`Kubecost` v1 and v2. -* *Export cost metrics* – Amazon EKS optimized cost monitoring is deployed with [.noloc]`Kubecost` and [.noloc]`Prometheus`, which is an open-source monitoring system and time series database. [.noloc]`Kubecost` reads metric from [.noloc]`Prometheus` and then performs cost allocation calculations and writes the metrics back to [.noloc]`Prometheus`. The [.noloc]`Kubecost` front-end reads metrics from [.noloc]`Prometheus` and shows them on the [.noloc]`Kubecost` user interface. The architecture is illustrated in the following diagram. +* The following features are available in both Kubecost v1 and v2. +* *Export cost metrics* – Amazon EKS optimized cost monitoring is deployed with Kubecost and Prometheus, which is an open-source monitoring system and time series database. Kubecost reads metric from Prometheus and then performs cost allocation calculations and writes the metrics back to Prometheus. The Kubecost front-end reads metrics from Prometheus and shows them on the Kubecost user interface. The architecture is illustrated in the following diagram. + image::images/kubecost-architecture.png[Kubecost architecture,scaledwidth=100%] + -With https://prometheus.io/[Prometheus] pre-installed, you can write queries to ingest [.noloc]`Kubecost` data into your current business intelligence system for further analysis. You can also use it as a data source for your current https://grafana.com/[Grafana] dashboard to display Amazon EKS cluster costs that your internal teams are familiar with. To learn more about how to write [.noloc]`Prometheus` queries, see the https://github.com/opencost/opencost/blob/develop/PROMETHEUS.md[Prometheus Configuration]``readme`` file on GitHub or use the example [.noloc]`Grafana` JSON models in the https://github.com/kubecost/cost-analyzer-helm-chart/tree/develop/cost-analyzer[Kubecost Github repository] as references. -* *{aws} Cost and Usage Report integration* – To perform cost allocation calculations for your Amazon EKS cluster, [.noloc]`Kubecost` retrieves the public pricing information of {aws} services and {aws} resources from the {aws} Price List API. You can also integrate [.noloc]`Kubecost` with *{aws} Cost and Usage Report* to enhance the accuracy of the pricing information specific to your {aws} account. This information includes enterprise discount programs, reserved instance usage, savings plans, and spot usage. To learn more about how the {aws} Cost and Usage Report integration works, see https://docs.kubecost.com/install-and-configure/install/cloud-integration/aws-cloud-integrations[{aws} Cloud Billing Integration] in the [.noloc]`Kubecost` documentation. \ No newline at end of file +With https://prometheus.io/[Prometheus] pre-installed, you can write queries to ingest Kubecost data into your current business intelligence system for further analysis. You can also use it as a data source for your current https://grafana.com/[Grafana] dashboard to display Amazon EKS cluster costs that your internal teams are familiar with. To learn more about how to write Prometheus queries, see the https://github.com/opencost/opencost/blob/develop/PROMETHEUS.md[Prometheus Configuration]``readme`` file on GitHub or use the example Grafana JSON models in the https://github.com/kubecost/cost-analyzer-helm-chart/tree/develop/cost-analyzer[Kubecost Github repository] as references. +* *{aws} Cost and Usage Report integration* – To perform cost allocation calculations for your Amazon EKS cluster, Kubecost retrieves the public pricing information of {aws} services and {aws} resources from the {aws} Price List API. You can also integrate Kubecost with *{aws} Cost and Usage Report* to enhance the accuracy of the pricing information specific to your {aws} account. This information includes enterprise discount programs, reserved instance usage, savings plans, and spot usage. To learn more about how the {aws} Cost and Usage Report integration works, see https://docs.kubecost.com/install-and-configure/install/cloud-integration/aws-cloud-integrations[{aws} Cloud Billing Integration] in the Kubecost documentation. \ No newline at end of file diff --git a/latest/ug/clusters/management/cost-monitoring-kubecost.adoc b/latest/ug/clusters/management/cost-monitoring-kubecost.adoc index 6a15d07f5..d06e8b306 100644 --- a/latest/ug/clusters/management/cost-monitoring-kubecost.adoc +++ b/latest/ug/clusters/management/cost-monitoring-kubecost.adoc @@ -5,11 +5,11 @@ include::../../attributes.txt[] -Amazon EKS supports [.noloc]`Kubecost`, which you can use to monitor your costs broken down by [.noloc]`Kubernetes` resources including [.noloc]`Pods`, nodes, namespaces, and labels. This topic covers installing [.noloc]`Kubecost`, and accessing the [.noloc]`Kubecost` dashboard. +Amazon EKS supports Kubecost, which you can use to monitor your costs broken down by Kubernetes resources including Pods, nodes, namespaces, and labels. This topic covers installing Kubecost, and accessing the Kubecost dashboard. -Amazon EKS provides an {aws} optimized bundle of [.noloc]`Kubecost` for cluster cost visibility. You can use your existing {aws} support agreements to obtain support. For more information about the available versions of [.noloc]`Kubecost`, see <>. +Amazon EKS provides an {aws} optimized bundle of Kubecost for cluster cost visibility. You can use your existing {aws} support agreements to obtain support. For more information about the available versions of Kubecost, see <>. -As a [.noloc]`Kubernetes` platform administrator and finance leader, you can use [.noloc]`Kubecost` to visualize a breakdown of Amazon EKS charges, allocate costs, and charge back organizational units such as application teams. You can provide your internal teams and business units with transparent and accurate cost data based on their actual {aws} bill. Moreover, you can also get customized recommendations for cost optimization based on their infrastructure environment and usage patterns within their clusters. +As a Kubernetes platform administrator and finance leader, you can use Kubecost to visualize a breakdown of Amazon EKS charges, allocate costs, and charge back organizational units such as application teams. You can provide your internal teams and business units with transparent and accurate cost data based on their actual {aws} bill. Moreover, you can also get customized recommendations for cost optimization based on their infrastructure environment and usage patterns within their clusters. [NOTE] ==== @@ -18,7 +18,7 @@ Kubecost v2 introduces several major new features. <>, such as Kubecost. [#kubecost-helm] == Install Kubecost using Helm -* An existing Amazon EKS cluster. To deploy one, see <>. The cluster must have Amazon EC2 nodes because you can't run [.noloc]`Kubecost` on Fargate nodes. -* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. +* An existing Amazon EKS cluster. To deploy one, see <>. The cluster must have Amazon EC2 nodes because you can't run Kubecost on Fargate nodes. +* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the Kubernetes version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. * Helm version 3.9.0 or later configured on your device or {aws} CloudShell. To install or update Helm, see <>. * If your cluster is version `1.23` or later, you must have the <> installed on your cluster. -. Determine the version of [.noloc]`Kubecost` to install. You can see the available versions at https://gallery.ecr.aws/kubecost/cost-analyzer[kubecost/cost-analyzer] in the Amazon ECR Public Gallery. For more information about the compatibility of [.noloc]`Kubecost` versions and Amazon EKS, see the https://docs.kubecost.com/install-and-configure/install/environment[Environment Requirements] in the Kubecost documentation. -. Install [.noloc]`Kubecost` with the following command. Replace [.replaceable]`kubecost-version` with the value retrieved from ECR, such as [.replaceable]`1.108.1`. +. Determine the version of Kubecost to install. You can see the available versions at https://gallery.ecr.aws/kubecost/cost-analyzer[kubecost/cost-analyzer] in the Amazon ECR Public Gallery. For more information about the compatibility of Kubecost versions and Amazon EKS, see the https://docs.kubecost.com/install-and-configure/install/environment[Environment Requirements] in the Kubecost documentation. +. Install Kubecost with the following command. Replace [.replaceable]`kubecost-version` with the value retrieved from ECR, such as [.replaceable]`1.108.1`. + [source,bash,subs="verbatim,attributes"] ---- @@ -59,9 +59,9 @@ helm upgrade -i kubecost oci://public.ecr.aws/kubecost/cost-analyzer --version k -f https://raw.githubusercontent.com/kubecost/cost-analyzer-helm-chart/develop/cost-analyzer/values-eks-cost-monitoring.yaml ---- + -[.noloc]`Kubecost` releases new versions regularly. You can update your version using https://helm.sh/docs/helm/helm_upgrade/[helm upgrade]. By default, the installation includes a local https://prometheus.io/[Prometheus] server and `kube-state-metrics`. You can customize your deployment to use link:mt/integrating-kubecost-with-amazon-managed-service-for-prometheus[Amazon Managed Service for Prometheus,type="blog"] by following the documentation in link:prometheus/latest/userguide/integrating-kubecost.html[Integrating with Amazon EKS cost monitoring,type="documentation"]. For a list of all other settings that you can configure, see the https://github.com/kubecost/cost-analyzer-helm-chart/blob/develop/cost-analyzer/values-eks-cost-monitoring.yaml[sample configuration file] on GitHub. +Kubecost releases new versions regularly. You can update your version using https://helm.sh/docs/helm/helm_upgrade/[helm upgrade]. By default, the installation includes a local https://prometheus.io/[Prometheus] server and `kube-state-metrics`. You can customize your deployment to use link:mt/integrating-kubecost-with-amazon-managed-service-for-prometheus[Amazon Managed Service for Prometheus,type="blog"] by following the documentation in link:prometheus/latest/userguide/integrating-kubecost.html[Integrating with Amazon EKS cost monitoring,type="documentation"]. For a list of all other settings that you can configure, see the https://github.com/kubecost/cost-analyzer-helm-chart/blob/develop/cost-analyzer/values-eks-cost-monitoring.yaml[sample configuration file] on GitHub. + -You can remove [.noloc]`Kubecost` from your cluster with the following commands. +You can remove Kubecost from your cluster with the following commands. + [source,bash,subs="verbatim,attributes"] ---- @@ -73,7 +73,7 @@ kubectl delete ns kubecost [#kubecost-dashboard] == Access Kubecost Dashboard -. Make sure the required [.noloc]`Pods` are running. +. Make sure the required Pods are running. + [source,bash,subs="verbatim,attributes"] ---- @@ -89,14 +89,14 @@ kubecost-cost-analyzer-b9788c99f-5vj5b 2/2 Running 0 3h27m kubecost-kube-state-metrics-99bb8c55b-bn2br 1/1 Running 0 3h27m kubecost-prometheus-server-7d9967bfc8-9c8p7 2/2 Running 0 3h27m ---- -. On your device, enable port-forwarding to expose the [.noloc]`Kubecost` dashboard. +. On your device, enable port-forwarding to expose the Kubecost dashboard. + [source,bash,subs="verbatim,attributes"] ---- kubectl port-forward --namespace kubecost deployment/kubecost-cost-analyzer 9090 ---- + -Alternatively, you can use the <> to expose [.noloc]`Kubecost` and use Amazon Cognito for authentication, authorization, and user management. For more information, see link:containers/how-to-use-application-load-balancer-and-amazon-cognito-to-authenticate-users-for-your-kubernetes-web-apps[How to use Application Load Balancer and Amazon Cognito to authenticate users for your Kubernetes web apps,type="blog"]. +Alternatively, you can use the <> to expose Kubecost and use Amazon Cognito for authentication, authorization, and user management. For more information, see link:containers/how-to-use-application-load-balancer-and-amazon-cognito-to-authenticate-users-for-your-kubernetes-web-apps[How to use Application Load Balancer and Amazon Cognito to authenticate users for your Kubernetes web apps,type="blog"]. . On the same device that you completed the previous step on, open a web browser and enter the following address. + [source,bash,subs="verbatim,attributes"] @@ -104,7 +104,7 @@ Alternatively, you can use the <>. diff --git a/latest/ug/clusters/management/cost-monitoring.adoc b/latest/ug/clusters/management/cost-monitoring.adoc index 34a6e9c7b..6362c3ca9 100644 --- a/latest/ug/clusters/management/cost-monitoring.adoc +++ b/latest/ug/clusters/management/cost-monitoring.adoc @@ -11,11 +11,11 @@ include::../../attributes.txt[] Learn how to monitor and optimize costs for your Amazon EKS clusters using {aws} Billing split cost allocation data or Kubecost, a Kubernetes-native cost monitoring tool integrated with {aws}. -- -Cost monitoring is an essential aspect of managing your [.noloc]`Kubernetes` clusters on Amazon EKS. By gaining visibility into your cluster costs, you can optimize resource utilization, set budgets, and make data-driven decisions about your deployments. Amazon EKS provides two cost monitoring solutions, each with its own unique advantages, to help you track and allocate your costs effectively: +Cost monitoring is an essential aspect of managing your Kubernetes clusters on Amazon EKS. By gaining visibility into your cluster costs, you can optimize resource utilization, set budgets, and make data-driven decisions about your deployments. Amazon EKS provides two cost monitoring solutions, each with its own unique advantages, to help you track and allocate your costs effectively: -*{aws} Billing split cost allocation data for Amazon EKS* -- This native feature integrates seamlessly with the {aws} Billing Console, allowing you to analyze and allocate costs using the same familiar interface and workflows you use for other {aws} services. With split cost allocation, you can gain insights into your [.noloc]`Kubernetes` costs directly alongside your other {aws} spend, making it easier to optimize costs holistically across your {aws} environment. You can also leverage existing {aws} Billing features like Cost Categories and Cost Anomaly Detection to further enhance your cost management capabilities. For more information, see link:cur/latest/userguide/split-cost-allocation-data.html[Understanding split cost allocation data,type="documentation"] in the {aws} Billing User Guide. +*{aws} Billing split cost allocation data for Amazon EKS* -- This native feature integrates seamlessly with the {aws} Billing Console, allowing you to analyze and allocate costs using the same familiar interface and workflows you use for other {aws} services. With split cost allocation, you can gain insights into your Kubernetes costs directly alongside your other {aws} spend, making it easier to optimize costs holistically across your {aws} environment. You can also leverage existing {aws} Billing features like Cost Categories and Cost Anomaly Detection to further enhance your cost management capabilities. For more information, see link:cur/latest/userguide/split-cost-allocation-data.html[Understanding split cost allocation data,type="documentation"] in the {aws} Billing User Guide. -*[.noloc]`Kubecost`* -- Amazon EKS supports Kubecost, a Kubernetes cost monitoring tool. Kubecost offers a feature-rich, Kubernetes-native approach to cost monitoring, providing granular cost breakdowns by Kubernetes resources, cost optimization recommendations, and out-of-the-box dashboards and reports. Kubecost also retrieves accurate pricing data by integrating with the {aws} Cost and Usage Report, ensuring you get a precise view of your Amazon EKS costs. Learn how to <>. +*Kubecost* -- Amazon EKS supports Kubecost, a Kubernetes cost monitoring tool. Kubecost offers a feature-rich, Kubernetes-native approach to cost monitoring, providing granular cost breakdowns by Kubernetes resources, cost optimization recommendations, and out-of-the-box dashboards and reports. Kubecost also retrieves accurate pricing data by integrating with the {aws} Cost and Usage Report, ensuring you get a precise view of your Amazon EKS costs. Learn how to <>. include::cost-monitoring-aws.adoc[leveloffset=+1] diff --git a/latest/ug/clusters/management/eks-managing.adoc b/latest/ug/clusters/management/eks-managing.adoc index 190ac8cce..1de372393 100644 --- a/latest/ug/clusters/management/eks-managing.adoc +++ b/latest/ug/clusters/management/eks-managing.adoc @@ -14,9 +14,9 @@ include::../../attributes.txt[] This chapter includes the following topics to help you manage your cluster. You can also view information about your <> with the {aws-management-console}. -* The [.noloc]`Kubernetes` Dashboard is a general purpose, web-based UI for [.noloc]`Kubernetes` clusters. It allows users to manage applications running in the cluster and troubleshoot them, as well as manage the cluster itself. For more information, see The https://github.com/kubernetes/dashboard[Kubernetes Dashboard] GitHub repository. -* <> – The [.noloc]`Kubernetes` Metrics Server is an aggregator of resource usage data in your cluster. It isn't deployed by default in your cluster, but is used by [.noloc]`Kubernetes` add-ons, such as the [.noloc]`Kubernetes` Dashboard and <>. In this topic you learn how to install the Metrics Server. -* <> – The Helm package manager for [.noloc]`Kubernetes` helps you install and manage applications on your [.noloc]`Kubernetes` cluster. This topic helps you install and run the Helm binaries so that you can install and manage charts using the Helm CLI on your local computer. +* The Kubernetes Dashboard is a general purpose, web-based UI for Kubernetes clusters. It allows users to manage applications running in the cluster and troubleshoot them, as well as manage the cluster itself. For more information, see The https://github.com/kubernetes/dashboard[Kubernetes Dashboard] GitHub repository. +* <> – The Kubernetes Metrics Server is an aggregator of resource usage data in your cluster. It isn't deployed by default in your cluster, but is used by Kubernetes add-ons, such as the Kubernetes Dashboard and <>. In this topic you learn how to install the Metrics Server. +* <> – The Helm package manager for Kubernetes helps you install and manage applications on your Kubernetes cluster. This topic helps you install and run the Helm binaries so that you can install and manage charts using the Helm CLI on your local computer. * <> – To help you manage your Amazon EKS resources, you can assign your own metadata to each resource in the form of _tags_. This topic describes tags and shows you how to create them. * <> – Your {aws} account has default quotas, formerly referred to as limits, for each {aws} service. Learn about the quotas for Amazon EKS and how to increase them. diff --git a/latest/ug/clusters/management/eks-using-tags.adoc b/latest/ug/clusters/management/eks-using-tags.adoc index 1d5d3868c..81051e781 100644 --- a/latest/ug/clusters/management/eks-using-tags.adoc +++ b/latest/ug/clusters/management/eks-using-tags.adoc @@ -19,7 +19,7 @@ You can use _tags_ to help you manage your Amazon EKS resources. This topic prov [NOTE] ==== -Tags are a type of metadata that's separate from [.noloc]`Kubernetes` labels and annotations. For more information about these other metadata types, see the following sections in the [.noloc]`Kubernetes` documentation: +Tags are a type of metadata that's separate from Kubernetes labels and annotations. For more information about these other metadata types, see the following sections in the Kubernetes documentation: @@ -62,7 +62,7 @@ You can tag these resources using the following: When you use some resource-creating actions, you can also specify tags for the resource at the same time that you create it. If tags can't be applied while the resource is being created, the resource fails to be created. This mechanism ensures that resources that you intend to tag are either created with the tags that you specify or not created at all. If you tag resources when you create them, you don't need to run custom tagging scripts after you create the resource. -Tags don't propagate to other resources that are associated with the resource that you create. For example, Fargate profile tags don't propagate to other resources that are associated with the Fargate profile, such as the [.noloc]`Pods` that are scheduled with it. +Tags don't propagate to other resources that are associated with the resource that you create. For example, Fargate profile tags don't propagate to other resources that are associated with the Fargate profile, such as the Pods that are scheduled with it. [#tag-restrictions] == Tag restrictions @@ -83,7 +83,7 @@ The following restrictions apply to tags: When you apply tags to Amazon EKS clusters, you can use them for cost allocation in your *Cost & Usage Reports*. The metering data in your *Cost & Usage Reports* shows usage across all of your Amazon EKS clusters. For more information, see link:awsaccountbilling/latest/aboutv2/billing-reports-costusage.html[{aws} cost and usage report,type="documentation"] in the _{aws} Billing User Guide_. -The {aws} generated cost allocation tag, specifically `aws:eks:cluster-name`, lets you break down Amazon EC2 instance costs by individual Amazon EKS cluster in *Cost Explorer*. However, this tag doesn't capture the control plane expenses. The tag is automatically added to Amazon EC2 instances that participate in an Amazon EKS cluster. This behavior happens regardless of whether the instances are provisioned using Amazon EKS managed node groups, [.noloc]`Karpenter`, or directly with Amazon EC2. This specific tag doesn't count towards the 50 tags limit. To use the tag, the account owner must activate it in the {aws} Billing console or by using the API. When an {aws} Organizations management account owner activates the tag, it's also activated for all organization member accounts. +The {aws} generated cost allocation tag, specifically `aws:eks:cluster-name`, lets you break down Amazon EC2 instance costs by individual Amazon EKS cluster in *Cost Explorer*. However, this tag doesn't capture the control plane expenses. The tag is automatically added to Amazon EC2 instances that participate in an Amazon EKS cluster. This behavior happens regardless of whether the instances are provisioned using Amazon EKS managed node groups, Karpenter, or directly with Amazon EC2. This specific tag doesn't count towards the 50 tags limit. To use the tag, the account owner must activate it in the {aws} Billing console or by using the API. When an {aws} Organizations management account owner activates the tag, it's also activated for all organization member accounts. You can also organize your billing information based on resources that have the same tag key values. For example, you can tag several resources with a specific application name, and then organize your billing information. That way, you can see the total cost of that application across several services. For more information about setting up a cost allocation report with tags, see link:awsaccountbilling/latest/aboutv2/configurecostallocreport.html[The Monthly Cost Allocation Report,type="documentation"] in the _{aws} Billing User Guide_. diff --git a/latest/ug/clusters/management/helm.adoc b/latest/ug/clusters/management/helm.adoc index 87d7f7ee6..fc56d7eb0 100644 --- a/latest/ug/clusters/management/helm.adoc +++ b/latest/ug/clusters/management/helm.adoc @@ -1,6 +1,6 @@ [.topic] [#helm] -= Deploy applications with [.noloc]`Helm` on Amazon EKS += Deploy applications with Helm on Amazon EKS :info_titleabbrev: Deploy apps with Helm include::../../attributes.txt[] @@ -10,7 +10,7 @@ include::../../attributes.txt[] Learn how to install and use Helm, a package manager for Kubernetes, with your Amazon EKS cluster to manage and deploy applications seamlessly. -- -The Helm package manager for [.noloc]`Kubernetes` helps you install and manage applications on your [.noloc]`Kubernetes` cluster. For more information, see the https://docs.helm.sh/[Helm documentation]. This topic helps you install and run the Helm binaries so that you can install and manage charts using the Helm CLI on your local system. +The Helm package manager for Kubernetes helps you install and manage applications on your Kubernetes cluster. For more information, see the https://docs.helm.sh/[Helm documentation]. This topic helps you install and run the Helm binaries so that you can install and manage charts using the Helm CLI on your local system. [IMPORTANT] ==== @@ -31,13 +31,13 @@ kubectl get svc ---- brew install helm ---- -** If you're using [.noloc]`Windows` with https://chocolatey.org/[Chocolatey], install the binaries with the following command. +** If you're using Windows with https://chocolatey.org/[Chocolatey], install the binaries with the following command. + [source,bash,subs="verbatim,attributes"] ---- choco install kubernetes-helm ---- -** If you're using [.noloc]`Linux`, install the binaries with the following commands. +** If you're using Linux, install the binaries with the following commands. + [source,bash,subs="verbatim,attributes"] ---- @@ -70,4 +70,4 @@ v3.9.0 + ** Experiment by installing an example chart. See https://helm.sh/docs/intro/quickstart#install-an-example-chart[Install an example chart] in the Helm https://helm.sh/docs/intro/quickstart/[Quickstart guide]. ** Create an example chart and push it to Amazon ECR. For more information, see link:AmazonECR/latest/userguide/push-oci-artifact.html[Pushing a Helm chart,type="documentation"] in the _Amazon Elastic Container Registry User Guide_. -** Install an Amazon EKS chart from the https://github.com/aws/eks-charts#eks-charts[eks-charts][.noloc]`GitHub` repo or from https://artifacthub.io/packages/search?page=1&repo=aws[ArtifactHub]. \ No newline at end of file +** Install an Amazon EKS chart from the https://github.com/aws/eks-charts#eks-charts[eks-charts]GitHub repo or from https://artifacthub.io/packages/search?page=1&repo=aws[ArtifactHub]. \ No newline at end of file diff --git a/latest/ug/clusters/management/metrics-server.adoc b/latest/ug/clusters/management/metrics-server.adoc index a9a2494d0..cb504dc7c 100644 --- a/latest/ug/clusters/management/metrics-server.adoc +++ b/latest/ug/clusters/management/metrics-server.adoc @@ -1,6 +1,6 @@ [.topic] [#metrics-server] -= View resource usage with the [.noloc]`Kubernetes` [.noloc]`Metrics Server` += View resource usage with the Kubernetes Metrics Server :info_titleabbrev: Metrics server include::../../attributes.txt[] @@ -10,7 +10,7 @@ include::../../attributes.txt[] Use the Kubernetes Metrics Server to view resource usage data on your Amazon EKS cluster for autoscaling and monitoring. -- -The [.noloc]`Kubernetes` Metrics Server is an aggregator of resource usage data in your cluster, and it isn't deployed by default in Amazon EKS clusters. For more information, see https://github.com/kubernetes-sigs/metrics-server[Kubernetes Metrics Server] on [.noloc]`GitHub`. The Metrics Server is commonly used by other [.noloc]`Kubernetes` add ons, such as the <> or the <>. For more information, see https://kubernetes.io/docs/tasks/debug/debug-cluster/resource-metrics-pipeline/[Resource metrics pipeline] in the [.noloc]`Kubernetes` documentation. This topic explains how to deploy the [.noloc]`Kubernetes` Metrics Server on your Amazon EKS cluster. +The Kubernetes Metrics Server is an aggregator of resource usage data in your cluster, and it isn't deployed by default in Amazon EKS clusters. For more information, see https://github.com/kubernetes-sigs/metrics-server[Kubernetes Metrics Server] on GitHub. The Metrics Server is commonly used by other Kubernetes add ons, such as the <> or the <>. For more information, see https://kubernetes.io/docs/tasks/debug/debug-cluster/resource-metrics-pipeline/[Resource metrics pipeline] in the Kubernetes documentation. This topic explains how to deploy the Kubernetes Metrics Server on your Amazon EKS cluster. [IMPORTANT] ==== @@ -53,7 +53,7 @@ kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/late ---- + If you are using Fargate, you will need to change this file. In the default configuration, the metrics server uses port 10250. This port is reserved on Fargate. Replace references to port 10250 in components.yaml with another port, such as 10251. -. Verify that the `metrics-server` deployment is running the desired number of [.noloc]`Pods` with the following command. +. Verify that the `metrics-server` deployment is running the desired number of Pods with the following command. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/clusters/management/service-quotas.adoc b/latest/ug/clusters/management/service-quotas.adoc index 222c03fca..78fe8a77f 100644 --- a/latest/ug/clusters/management/service-quotas.adoc +++ b/latest/ug/clusters/management/service-quotas.adoc @@ -1,6 +1,6 @@ [.topic] [#service-quotas] -= View and manage Amazon EKS and [.noloc]`Fargate` service quotas += View and manage Amazon EKS and Fargate service quotas :info_titleabbrev: Service quotas include::../../attributes.txt[] @@ -50,7 +50,7 @@ aws service-quotas list-aws-default-service-quotas \ --output table ---- -NOTE: The quota returned is the number of Amazon ECS tasks or Amazon EKS [.noloc]`Pods` that can run concurrently on Fargate in this account in the current {aws} Region. +NOTE: The quota returned is the number of Amazon ECS tasks or Amazon EKS Pods that can run concurrently on Fargate in this account in the current {aws} Region. To work more with service quotas using the {aws} CLI, see link:cli/latest/reference/service-quotas/index.html[service-quotas,type="documentation"] in the _{aws} CLI Command Reference_. To request a quota increase, see the link:cli/latest/reference/service-quotas/request-service-quota-increase.html[request-service-quota-increase,type="documentation"] command in the _{aws} CLI Command Reference_. @@ -68,7 +68,7 @@ These service quotas are listed under *Amazon Elastic Kubernetes Service (Amazon ==== The following quotas aren't available in Service Quotas: -* Pod Identity associations per cluster is [.noloc]`1000` in each supported region and this quota isn't adjustable. +* Pod Identity associations per cluster is 1000 in each supported region and this quota isn't adjustable. * You can use up to 15 CIDRs for Remote Node Networks and 15 CIDRs for Remote Pod Networks per cluster for hybrid nodes. This quota isn't adjustable. ==== @@ -86,6 +86,6 @@ To view default {aws} Fargate on EKS service quotas, see link:general/latest/gr/ [NOTE] ==== -Fargate additionally enforces Amazon ECS tasks and Amazon EKS [.noloc]`Pods` launch rate quotas. For more information, see link:AmazonECS/latest/developerguide/throttling.html[{aws} Fargate throttling quotas,type="documentation"] in the _Amazon ECS guide_. +Fargate additionally enforces Amazon ECS tasks and Amazon EKS Pods launch rate quotas. For more information, see link:AmazonECS/latest/developerguide/throttling.html[{aws} Fargate throttling quotas,type="documentation"] in the _Amazon ECS guide_. ==== \ No newline at end of file diff --git a/latest/ug/clusters/platform-versions.adoc b/latest/ug/clusters/platform-versions.adoc index a4855afff..a5e28966b 100644 --- a/latest/ug/clusters/platform-versions.adoc +++ b/latest/ug/clusters/platform-versions.adoc @@ -1,27 +1,27 @@ [.topic] [#platform-versions] -= View Amazon EKS platform versions for each [.noloc]`Kubernetes` version += View Amazon EKS platform versions for each Kubernetes version :info_titleabbrev: Platform versions include::../attributes.txt[] -Amazon EKS platform versions represent the capabilities of the Amazon EKS cluster control plane, such as which [.noloc]`Kubernetes` API server flags are enabled, as well as the current [.noloc]`Kubernetes` patch version. Each [.noloc]`Kubernetes` minor version has one or more associated Amazon EKS platform versions. The platform versions for different [.noloc]`Kubernetes` minor versions are independent. You can <> using the {aws} CLI or {aws-management-console}. If you have a local cluster on {aws} Outposts, see <> instead of this topic. +Amazon EKS platform versions represent the capabilities of the Amazon EKS cluster control plane, such as which Kubernetes API server flags are enabled, as well as the current Kubernetes patch version. Each Kubernetes minor version has one or more associated Amazon EKS platform versions. The platform versions for different Kubernetes minor versions are independent. You can <> using the {aws} CLI or {aws-management-console}. If you have a local cluster on {aws} Outposts, see <> instead of this topic. -When a new [.noloc]`Kubernetes` minor version is available in Amazon EKS, such as {k8s-n}, the initial Amazon EKS platform version for that [.noloc]`Kubernetes` minor version starts at `eks.1`. However, Amazon EKS releases new platform versions periodically to enable new [.noloc]`Kubernetes` control plane settings and to provide security fixes. +When a new Kubernetes minor version is available in Amazon EKS, such as {k8s-n}, the initial Amazon EKS platform version for that Kubernetes minor version starts at `eks.1`. However, Amazon EKS releases new platform versions periodically to enable new Kubernetes control plane settings and to provide security fixes. When new Amazon EKS platform versions become available for a minor version: * The Amazon EKS platform version number is incremented (`eks.`). -* Amazon EKS automatically upgrades all existing clusters to the latest Amazon EKS platform version for their corresponding [.noloc]`Kubernetes` minor version. Automatic upgrades of existing Amazon EKS platform versions are rolled out incrementally. The roll-out process might take some time. If you need the latest Amazon EKS platform version features immediately, you should create a new Amazon EKS cluster. +* Amazon EKS automatically upgrades all existing clusters to the latest Amazon EKS platform version for their corresponding Kubernetes minor version. Automatic upgrades of existing Amazon EKS platform versions are rolled out incrementally. The roll-out process might take some time. If you need the latest Amazon EKS platform version features immediately, you should create a new Amazon EKS cluster. + If your cluster is more than two platform versions behind the current platform version, then it's possible that Amazon EKS wasn't able to automatically update your cluster. For details of what may cause this, see <>. -* Amazon EKS might publish a new node AMI with a corresponding patch version. However, all patch versions are compatible between the EKS control plane and node AMIs for a given [.noloc]`Kubernetes` minor version. +* Amazon EKS might publish a new node AMI with a corresponding patch version. However, all patch versions are compatible between the EKS control plane and node AMIs for a given Kubernetes minor version. New Amazon EKS platform versions don't introduce breaking changes or cause service interruptions. -Clusters are always created with the latest available Amazon EKS platform version (`eks.`) for the specified [.noloc]`Kubernetes` version. If you update your cluster to a new [.noloc]`Kubernetes` minor version, your cluster receives the current Amazon EKS platform version for the [.noloc]`Kubernetes` minor version that you updated to. +Clusters are always created with the latest available Amazon EKS platform version (`eks.`) for the specified Kubernetes version. If you update your cluster to a new Kubernetes minor version, your cluster receives the current Amazon EKS platform version for the Kubernetes minor version that you updated to. The current and recent Amazon EKS platform versions are described in the following tables. @@ -33,7 +33,7 @@ The current and recent Amazon EKS platform versions are described in the followi ==== [#platform-versions-1-32] -== [.noloc]`Kubernetes` version `1.32` +== Kubernetes version `1.32` The following admission controllers are enabled for all `1.32` platform versions: `NodeRestriction`, `ExtendedResourceToleration`, `NamespaceLifecycle`, `LimitRanger`, `ServiceAccount`, `TaintNodesByCondition`, `PodSecurity`, `Priority`, `DefaultTolerationSeconds`, `DefaultStorageClass`, `StorageObjectInUseProtection`, `PersistentVolumeClaimResize`, `RuntimeClass`, `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `MutatingAdmissionWebhook`, `ValidatingAdmissionWebhook`, `ResourceQuota`. @@ -52,7 +52,7 @@ The following admission controllers are enabled for all `1.32` platform versions |=== [#platform-versions-1-31] -== [.noloc]`Kubernetes` version `1.31` +== Kubernetes version `1.31` The following admission controllers are enabled for all `1.31` platform versions: `NodeRestriction`, `ExtendedResourceToleration`, `NamespaceLifecycle`, `LimitRanger`, `ServiceAccount`, `TaintNodesByCondition`, `PodSecurity`, `Priority`, `DefaultTolerationSeconds`, `DefaultStorageClass`, `StorageObjectInUseProtection`, `PersistentVolumeClaimResize`, `RuntimeClass`, `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `MutatingAdmissionWebhook`, `ValidatingAdmissionWebhook`, `ResourceQuota`, `ObjectCount`. @@ -87,7 +87,7 @@ The following admission controllers are enabled for all `1.31` platform versions [#platform-versions-1-30] -== [.noloc]`Kubernetes` version `1.30` +== Kubernetes version `1.30` The following admission controllers are enabled for all `1.30` platform versions: `NodeRestriction`, `ExtendedResourceToleration`, `NamespaceLifecycle`, `LimitRanger`, `ServiceAccount`, `TaintNodesByCondition`, `PodSecurity`, `Priority`, `DefaultTolerationSeconds`, `DefaultStorageClass`, `StorageObjectInUseProtection`, `PersistentVolumeClaimResize`, `RuntimeClass`, `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `MutatingAdmissionWebhook`, `ValidatingAdmissionWebhook`, `ResourceQuota`. @@ -141,7 +141,7 @@ The following admission controllers are enabled for all `1.30` platform versions |=== [#platform-versions-1-29] -== [.noloc]`Kubernetes` version `1.29` +== Kubernetes version `1.29` The following admission controllers are enabled for all `1.29` platform versions: `NodeRestriction`, `ExtendedResourceToleration`, `NamespaceLifecycle`, `LimitRanger`, `ServiceAccount`, `TaintNodesByCondition`, `PodSecurity`, `Priority`, `DefaultTolerationSeconds`, `DefaultStorageClass`, `StorageObjectInUseProtection`, `PersistentVolumeClaimResize`, `RuntimeClass`, `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `MutatingAdmissionWebhook`, `ValidatingAdmissionWebhook`, `ResourceQuota`. @@ -220,7 +220,7 @@ The following admission controllers are enabled for all `1.29` platform versions |=== [#platform-versions-1-28] -== [.noloc]`Kubernetes` version `1.28` +== Kubernetes version `1.28` The following admission controllers are enabled for all `1.28` platform versions: `NodeRestriction`, `ExtendedResourceToleration`, `NamespaceLifecycle`, `LimitRanger`, `ServiceAccount`, `TaintNodesByCondition`, `PodSecurity`, `Priority`, `DefaultTolerationSeconds`, `DefaultStorageClass`, `StorageObjectInUseProtection`, `PersistentVolumeClaimResize`, `RuntimeClass`, `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `MutatingAdmissionWebhook`, `ValidatingAdmissionWebhook`, `ResourceQuota`. @@ -328,7 +328,7 @@ The following admission controllers are enabled for all `1.28` platform versions |=== [#platform-versions-1-27] -== [.noloc]`Kubernetes` version `1.27` +== Kubernetes version `1.27` The following admission controllers are enabled for all `1.27` platform versions: `NodeRestriction`, `ExtendedResourceToleration`, `NamespaceLifecycle`, `LimitRanger`, `ServiceAccount`, `TaintNodesByCondition`, `PodSecurity`, `Priority`, `DefaultTolerationSeconds`, `DefaultStorageClass`, `StorageObjectInUseProtection`, `PersistentVolumeClaimResize`, `RuntimeClass`, `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `MutatingAdmissionWebhook`, `ValidatingAdmissionWebhook`, `ResourceQuota`. @@ -456,7 +456,7 @@ The following admission controllers are enabled for all `1.27` platform versions |=== [#platform-versions-1-26] -== [.noloc]`Kubernetes` version `1.26` +== Kubernetes version `1.26` The following admission controllers are enabled for all `1.26` platform versions: `NodeRestriction`, `ExtendedResourceToleration`, `NamespaceLifecycle`, `LimitRanger`, `ServiceAccount`, `TaintNodesByCondition`, `PodSecurity`, `Priority`, `DefaultTolerationSeconds`, `DefaultStorageClass`, `StorageObjectInUseProtection`, `PersistentVolumeClaimResize`, `RuntimeClass`, `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `MutatingAdmissionWebhook`, `ValidatingAdmissionWebhook`, `ResourceQuota`. @@ -589,7 +589,7 @@ The following admission controllers are enabled for all `1.26` platform versions |=== [#platform-versions-1-25] -== [.noloc]`Kubernetes` version `1.25` +== Kubernetes version `1.25` The following admission controllers are enabled for all `1.25` platform versions: `NodeRestriction`, `ExtendedResourceToleration`, `NamespaceLifecycle`, `LimitRanger`, `ServiceAccount`, `TaintNodesByCondition`, `PodSecurity`, `Priority`, `DefaultTolerationSeconds`, `DefaultStorageClass`, `StorageObjectInUseProtection`, `PersistentVolumeClaimResize`, `RuntimeClass`, `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `MutatingAdmissionWebhook`, `ValidatingAdmissionWebhook`, `ResourceQuota`. @@ -728,7 +728,7 @@ The following admission controllers are enabled for all `1.25` platform versions |=== [#platform-versions-1-24] -== [.noloc]`Kubernetes` version `1.24` +== Kubernetes version `1.24` The following admission controllers are enabled for all `1.24` platform versions: `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `DefaultStorageClass`, `DefaultTolerationSeconds`, `ExtendedResourceToleration`, `LimitRanger`, `MutatingAdmissionWebhook`, `NamespaceLifecycle`, `NodeRestriction`, `PersistentVolumeClaimResize`, `Priority`, `PodSecurityPolicy`, `ResourceQuota`, `RuntimeClass`, `ServiceAccount`, `StorageObjectInUseProtection`, `TaintNodesByCondition`, and `ValidatingAdmissionWebhook`. @@ -908,6 +908,6 @@ An example output is as follows. [#change-platform-version] == Change platform version -You cannot change the platform version of an EKS cluster. When new Amazon EKS platform versions become available for a [.noloc]`Kubernetes` version, EKS automatically upgrades all existing clusters to the latest Amazon EKS platform version for their corresponding [.noloc]`Kubernetes` version. Automatic upgrades of existing Amazon EKS platform versions are rolled out incrementally. You cannot use the {aws} Console or CLI to change the platform version. +You cannot change the platform version of an EKS cluster. When new Amazon EKS platform versions become available for a Kubernetes version, EKS automatically upgrades all existing clusters to the latest Amazon EKS platform version for their corresponding Kubernetes version. Automatic upgrades of existing Amazon EKS platform versions are rolled out incrementally. You cannot use the {aws} Console or CLI to change the platform version. -If you upgrade your [.noloc]`Kubernetes` version, your cluster will move onto the most recent platform version for the [.noloc]`Kubernetes` version. \ No newline at end of file +If you upgrade your Kubernetes version, your cluster will move onto the most recent platform version for the Kubernetes version. \ No newline at end of file diff --git a/latest/ug/clusters/private-clusters.adoc b/latest/ug/clusters/private-clusters.adoc index ccee1646b..ebb68f434 100644 --- a/latest/ug/clusters/private-clusters.adoc +++ b/latest/ug/clusters/private-clusters.adoc @@ -18,7 +18,7 @@ If you're not familiar with Amazon EKS networking, see link:containers/de-mystif * Your cluster must pull images from a container registry that's in your VPC. You can create an Amazon Elastic Container Registry in your VPC and copy container images to it for your nodes to pull from. For more information, see <>. * Your cluster must have endpoint private access enabled. This is required for nodes to register with the cluster endpoint. Endpoint public access is optional. For more information, see <>. -* Self-managed [.noloc]`Linux` and [.noloc]`Windows` nodes must include the following bootstrap arguments before they're launched. These arguments bypass Amazon EKS introspection and don't require access to the Amazon EKS API from within the VPC. +* Self-managed Linux and Windows nodes must include the following bootstrap arguments before they're launched. These arguments bypass Amazon EKS introspection and don't require access to the Amazon EKS API from within the VPC. + .. Determine the value of your cluster's endpoint with the following command. Replace [.replaceable]`my-cluster` with the name of your cluster. + @@ -43,17 +43,17 @@ aws eks describe-cluster --name my-cluster --query cluster.certificateAuthority The returned output is a long string. .. Replace [.replaceable]`cluster-endpoint` and [.replaceable]`certificate-authority` in the following commands with the values returned in the output from the previous commands. For more information about specifying bootstrap arguments when launching self-managed nodes, see <> and <>. + -** For [.noloc]`Linux` nodes: +** For Linux nodes: + [source,bash,subs="verbatim,attributes"] ---- --apiserver-endpoint cluster-endpoint --b64-cluster-ca certificate-authority ---- + -For additional arguments, see the https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap script] on [.noloc]`GitHub`. -** For [.noloc]`Windows` nodes: +For additional arguments, see the https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap script] on GitHub. +** For Windows nodes: + -NOTE: If you're using custom service CIDR, then you need to specify it using the `-ServiceCIDR` parameter. Otherwise, the DNS resolution for [.noloc]`Pods` in the cluster will fail. +NOTE: If you're using custom service CIDR, then you need to specify it using the `-ServiceCIDR` parameter. Otherwise, the DNS resolution for Pods in the cluster will fail. + [source,bash,subs="verbatim,attributes"] ---- @@ -62,8 +62,8 @@ NOTE: If you're using custom service CIDR, then you need to specify it using the + For additional arguments, see <>. * Your cluster's `aws-auth` `ConfigMap` must be created from within your VPC. For more information about creating and adding entries to the `aws-auth` `ConfigMap`, enter `eksctl create iamidentitymapping --help` in your terminal. If the `ConfigMap` doesn't exist on your server, `eksctl` will create it when you use the command to add an identity mapping. -* [.noloc]`Pods` configured with <> acquire credentials from an {aws} Security Token Service ({aws} STS) API call. If there is no outbound internet access, you must create and use an {aws} STS VPC endpoint in your VPC. Most {aws} `v1` SDKs use the global {aws} STS endpoint by default (`sts.amazonaws.com`), which doesn't use the {aws} STS VPC endpoint. To use the {aws} STS VPC endpoint, you might need to configure your SDK to use the regional {aws} STS endpoint (``sts.[.replaceable]`region-code`.amazonaws.com``). For more information, see <>. -* Your cluster's VPC subnets must have a VPC interface endpoint for any {aws} services that your [.noloc]`Pods` need access to. For more information, see link:vpc/latest/privatelink/create-interface-endpoint.html[Access an {aws} service using an interface VPC endpoint,type="documentation"]. Some commonly-used services and endpoints are listed in the following table. For a complete list of endpoints, see link:vpc/latest/privatelink/aws-services-privatelink-support.html[{aws} services that integrate with {aws} PrivateLink,type="documentation"] in the link:vpc/latest/privatelink/[{aws} PrivateLink Guide,type="documentation"]. +* Pods configured with <> acquire credentials from an {aws} Security Token Service ({aws} STS) API call. If there is no outbound internet access, you must create and use an {aws} STS VPC endpoint in your VPC. Most {aws} `v1` SDKs use the global {aws} STS endpoint by default (`sts.amazonaws.com`), which doesn't use the {aws} STS VPC endpoint. To use the {aws} STS VPC endpoint, you might need to configure your SDK to use the regional {aws} STS endpoint (``sts.[.replaceable]`region-code`.amazonaws.com``). For more information, see <>. +* Your cluster's VPC subnets must have a VPC interface endpoint for any {aws} services that your Pods need access to. For more information, see link:vpc/latest/privatelink/create-interface-endpoint.html[Access an {aws} service using an interface VPC endpoint,type="documentation"]. Some commonly-used services and endpoints are listed in the following table. For a complete list of endpoints, see link:vpc/latest/privatelink/aws-services-privatelink-support.html[{aws} services that integrate with {aws} PrivateLink,type="documentation"] in the link:vpc/latest/privatelink/[{aws} PrivateLink Guide,type="documentation"]. + We recommend that you link:vpc/latest/privatelink/interface-endpoints.html#enable-private-dns-names[enable private DNS names,type="documentation"] for your VPC endpoints, that way workloads can continue using public {aws} service endpoints without issues. + @@ -100,11 +100,11 @@ We recommend that you link:vpc/latest/privatelink/interface-endpoints.html#enabl |=== * Any self-managed nodes must be deployed to subnets that have the VPC interface endpoints that you require. If you create a managed node group, the VPC interface endpoint security group must allow the CIDR for the subnets, or you must add the created node security group to the VPC interface endpoint security group. -* If your [.noloc]`Pods` use Amazon EFS volumes, then before deploying the <>, the driver's https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/deploy/kubernetes/overlays/stable/kustomization.yaml[kustomization.yaml] file must be changed to set the container images to use the same {aws} Region as the Amazon EKS cluster. +* If your Pods use Amazon EFS volumes, then before deploying the <>, the driver's https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/deploy/kubernetes/overlays/stable/kustomization.yaml[kustomization.yaml] file must be changed to set the container images to use the same {aws} Region as the Amazon EKS cluster. * Route53 does not support {aws} PrivateLink. You cannot manage Route53 DNS records from a private Amazon EKS cluster. This impacts Kubernetes https://github.com/kubernetes-sigs/external-dns[external-dns]. * If you use the EKS Optimized AMI, you should enable the `ec2` endpoint in the table above. Alternatively, you can manually set the Node DNS name. The optimized AMI uses EC2 APIs to set the node DNS name automatically. * You can use the <> to deploy {aws} Application Load Balancers (ALB) and Network Load Balancers to your private cluster. When deploying it, you should use https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/deploy/configurations/#controller-command-line-flags[command line flags] to set `enable-shield`, `enable-waf`, and `enable-wafv2` to false. https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/ingress/cert_discovery/#discover-via-ingress-rule-host[Certificate discovery] with hostnames from Ingress objects isn't supported. This is because the controller needs to reach {aws} Certificate Manager, which doesn't have a VPC interface endpoint. + The controller supports network load balancers with IP targets, which are required for use with Fargate. For more information, see <> and <>. -* https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaler] is supported. When deploying Cluster Autoscaler [.noloc]`Pods`, make sure that the command line includes `--aws-use-static-instance-list=true`. For more information, see https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md#use-static-instance-list[Use Static Instance List] on [.noloc]`GitHub`. The worker node VPC must also include the {aws} STS VPC endpoint and autoscaling VPC endpoint. +* https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaler] is supported. When deploying Cluster Autoscaler Pods, make sure that the command line includes `--aws-use-static-instance-list=true`. For more information, see https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md#use-static-instance-list[Use Static Instance List] on GitHub. The worker node VPC must also include the {aws} STS VPC endpoint and autoscaling VPC endpoint. * Some container software products use API calls that access the {aws} Marketplace Metering Service to monitor usage. Private clusters do not allow these calls, so you can't use these container types in private clusters. diff --git a/latest/ug/clusters/update-cluster.adoc b/latest/ug/clusters/update-cluster.adoc index 81990bd61..5a1b6f984 100644 --- a/latest/ug/clusters/update-cluster.adoc +++ b/latest/ug/clusters/update-cluster.adoc @@ -10,22 +10,22 @@ include::../attributes.txt[] Learn how to update your Amazon EKS cluster to the latest Kubernetes version, ensuring compatibility with nodes and add-ons, and maintaining high availability during the process. -- -When a new [.noloc]`Kubernetes` version is available in Amazon EKS, you can update your Amazon EKS cluster to the latest version. +When a new Kubernetes version is available in Amazon EKS, you can update your Amazon EKS cluster to the latest version. [IMPORTANT] ==== -Once you upgrade a cluster, you can't downgrade to a previous version. We recommend that, before you update to a new [.noloc]`Kubernetes` version, you review the information in <> and also review in the update steps in this topic. +Once you upgrade a cluster, you can't downgrade to a previous version. We recommend that, before you update to a new Kubernetes version, you review the information in <> and also review in the update steps in this topic. ==== -New [.noloc]`Kubernetes` versions sometimes introduce significant changes. Therefore, we recommend that you test the behavior of your applications against a new [.noloc]`Kubernetes` version before you update your production clusters. You can do this by building a continuous integration workflow to test your application behavior before moving to a new [.noloc]`Kubernetes` version. +New Kubernetes versions sometimes introduce significant changes. Therefore, we recommend that you test the behavior of your applications against a new Kubernetes version before you update your production clusters. You can do this by building a continuous integration workflow to test your application behavior before moving to a new Kubernetes version. -The update process consists of Amazon EKS launching new API server nodes with the updated [.noloc]`Kubernetes` version to replace the existing ones. Amazon EKS performs standard infrastructure and readiness health checks for network traffic on these new nodes to verify that they're working as expected. However, once you've started the cluster upgrade, you can't pause or stop it. If any of these checks fail, Amazon EKS reverts the infrastructure deployment, and your cluster remains on the prior [.noloc]`Kubernetes` version. Running applications aren't affected, and your cluster is never left in a non-deterministic or unrecoverable state. Amazon EKS regularly backs up all managed clusters, and mechanisms exist to recover clusters if necessary. We're constantly evaluating and improving our [.noloc]`Kubernetes` infrastructure management processes. +The update process consists of Amazon EKS launching new API server nodes with the updated Kubernetes version to replace the existing ones. Amazon EKS performs standard infrastructure and readiness health checks for network traffic on these new nodes to verify that they're working as expected. However, once you've started the cluster upgrade, you can't pause or stop it. If any of these checks fail, Amazon EKS reverts the infrastructure deployment, and your cluster remains on the prior Kubernetes version. Running applications aren't affected, and your cluster is never left in a non-deterministic or unrecoverable state. Amazon EKS regularly backs up all managed clusters, and mechanisms exist to recover clusters if necessary. We're constantly evaluating and improving our Kubernetes infrastructure management processes. To update the cluster, Amazon EKS requires up to five available IP addresses from the subnets that you specified when you created your cluster. Amazon EKS creates new cluster elastic network interfaces (network interfaces) in any of the subnets that you specified. The network interfaces may be created in different subnets than your existing network interfaces are in, so make sure that your security group rules allow <> for any of the subnets that you specified when you created your cluster. If any of the subnets that you specified when you created the cluster don't exist, don't have enough available IP addresses, or don't have security group rules that allows necessary cluster communication, then the update can fail. -To ensure that the API server endpoint for your cluster is always accessible, Amazon EKS provides a highly available [.noloc]`Kubernetes` control plane and performs rolling updates of API server instances during update operations. In order to account for changing IP addresses of API server instances supporting your [.noloc]`Kubernetes` API server endpoint, you must ensure that your API server clients manage reconnects effectively. Recent versions of `kubectl` and the [.noloc]`Kubernetes` client https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/#programmatic-access-to-the-api[libraries] that are officially supported, perform this reconnect process transparently. +To ensure that the API server endpoint for your cluster is always accessible, Amazon EKS provides a highly available Kubernetes control plane and performs rolling updates of API server instances during update operations. In order to account for changing IP addresses of API server instances supporting your Kubernetes API server endpoint, you must ensure that your API server clients manage reconnects effectively. Recent versions of `kubectl` and the Kubernetes client https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/#programmatic-access-to-the-api[libraries] that are officially supported, perform this reconnect process transparently. NOTE: To learn more about what goes into a cluster update, see link:eks/latest/best-practices/cluster-upgrades.html["Best Practices for Cluster Upgrades",type="documentation"] in the EKS Best Practices Guide. This resource helps you plan an upgrade, and understand the strategy of upgrading a cluster. @@ -36,15 +36,15 @@ NOTE: To learn more about what goes into a cluster update, see link:eks/latest/b [#update-existing-cluster] == Step 1: Prepare for upgrade -. Compare the [.noloc]`Kubernetes` version of your cluster control plane to the [.noloc]`Kubernetes` version of your nodes. +. Compare the Kubernetes version of your cluster control plane to the Kubernetes version of your nodes. + -** Get the [.noloc]`Kubernetes` version of your cluster control plane. +** Get the Kubernetes version of your cluster control plane. + [source,bash,subs="verbatim,attributes"] ---- kubectl version ---- -** Get the [.noloc]`Kubernetes` version of your nodes. This command returns all self-managed and managed Amazon EC2, Fargate, and hybrid nodes. Each Fargate [.noloc]`Pod` is listed as its own node. +** Get the Kubernetes version of your nodes. This command returns all self-managed and managed Amazon EC2, Fargate, and hybrid nodes. Each Fargate Pod is listed as its own node. + [source,bash,subs="verbatim,attributes"] ---- @@ -52,10 +52,10 @@ kubectl get nodes ---- + -Before updating your control plane to a new [.noloc]`Kubernetes` version, make sure that the [.noloc]`Kubernetes` minor version of both the managed nodes and Fargate nodes in your cluster are the same as your control plane's version. For example, if your control plane is running version `1.29` and one of your nodes is running version `1.28`, then you must update your nodes to version `1.29` before updating your control plane to 1.30. We also recommend that you update your self-managed nodes and hybrid nodes to the same version as your control plane before updating the control plane. For more information, see <>, <>, and <>. If you have Fargate nodes with a minor version lower than the control plane version, first delete the [.noloc]`Pod` that's represented by the node. Then update your control plane. Any remaining [.noloc]`Pods` will update to the new version after you redeploy them. -. If the [.noloc]`Kubernetes` version that you originally deployed your cluster with was [.noloc]`Kubernetes` `1.25` or later, skip this step. +Before updating your control plane to a new Kubernetes version, make sure that the Kubernetes minor version of both the managed nodes and Fargate nodes in your cluster are the same as your control plane's version. For example, if your control plane is running version `1.29` and one of your nodes is running version `1.28`, then you must update your nodes to version `1.29` before updating your control plane to 1.30. We also recommend that you update your self-managed nodes and hybrid nodes to the same version as your control plane before updating the control plane. For more information, see <>, <>, and <>. If you have Fargate nodes with a minor version lower than the control plane version, first delete the Pod that's represented by the node. Then update your control plane. Any remaining Pods will update to the new version after you redeploy them. +. If the Kubernetes version that you originally deployed your cluster with was Kubernetes `1.25` or later, skip this step. + -By default, the [.noloc]`Pod` security policy admission controller is enabled on Amazon EKS clusters. Before updating your cluster, ensure that the proper [.noloc]`Pod` security policies are in place. This is to avoid potential security issues. You can check for the default policy with the `kubectl get psp eks.privileged` command. +By default, the Pod security policy admission controller is enabled on Amazon EKS clusters. Before updating your cluster, ensure that the proper Pod security policies are in place. This is to avoid potential security issues. You can check for the default policy with the `kubectl get psp eks.privileged` command. + [source,bash,subs="verbatim,attributes"] ---- @@ -68,11 +68,11 @@ If you receive the following error, see <> before proceeding. ---- Error from server (NotFound): podsecuritypolicies.extensions "eks.privileged" not found ---- -. If the [.noloc]`Kubernetes` version that you originally deployed your cluster with was [.noloc]`Kubernetes` `1.18` or later, skip this step. +. If the Kubernetes version that you originally deployed your cluster with was Kubernetes `1.18` or later, skip this step. + -You might need to remove a discontinued term from your [.noloc]`CoreDNS` manifest. +You might need to remove a discontinued term from your CoreDNS manifest. + -.. Check to see if your [.noloc]`CoreDNS` manifest has a line that only has the word `upstream`. +.. Check to see if your CoreDNS manifest has a line that only has the word `upstream`. + [source,bash,subs="verbatim,attributes"] ---- @@ -92,16 +92,16 @@ kubectl edit configmap coredns -n kube-system -o yaml Review the https://kubernetes.io/docs/reference/using-api/deprecation-guide/[Deprecated API Migration Guide] in the Kubernetes docs. * If you're updating to version `1.23` and use Amazon EBS volumes in your cluster, then you must install the Amazon EBS CSI driver in your cluster before updating your cluster to version `1.23` to avoid workload disruptions. For more information, see <> and <>. -* Kubernetes `1.24` and later use `containerd` as the default container runtime. If you're switching to the `containerd` runtime and already have [.noloc]`Fluentd` configured for [.noloc]`Container Insights`, then you must migrate [.noloc]`Fluentd` to [.noloc]`Fluent Bit` before updating your cluster. The [.noloc]`Fluentd` parsers are configured to only parse log messages in JSON format. Unlike `dockerd`, the `containerd` container runtime has log messages that aren't in JSON format. If you don't migrate to [.noloc]`Fluent Bit`, some of the configured [.noloc]`Fluentd's` parsers will generate a massive amount of errors inside the [.noloc]`Fluentd` container. For more information on migrating, see link:AmazonCloudWatch/latest/monitoring/Container-Insights-setup-logs-FluentBit.html[Set up Fluent Bit as a DaemonSet to send logs to CloudWatch Logs,type="documentation"]. +* Kubernetes `1.24` and later use `containerd` as the default container runtime. If you're switching to the `containerd` runtime and already have Fluentd configured for Container Insights, then you must migrate Fluentd to Fluent Bit before updating your cluster. The Fluentd parsers are configured to only parse log messages in JSON format. Unlike `dockerd`, the `containerd` container runtime has log messages that aren't in JSON format. If you don't migrate to Fluent Bit, some of the configured Fluentd's parsers will generate a massive amount of errors inside the Fluentd container. For more information on migrating, see link:AmazonCloudWatch/latest/monitoring/Container-Insights-setup-logs-FluentBit.html[Set up Fluent Bit as a DaemonSet to send logs to CloudWatch Logs,type="documentation"]. ** Because Amazon EKS runs a highly available control plane, you can update only one minor version at a time. For more information about this requirement, see https://kubernetes.io/docs/setup/version-skew-policy/#kube-apiserver[Kubernetes Version and Version Skew Support Policy]. Assume that your current cluster version is version `1.28` and you want to update it to version `1.30`. You must first update your version `1.28` cluster to version `1.29` and then update your version `1.29` cluster to version `1.30`. -* Review the version skew between the [.noloc]`Kubernetes` `kube-apiserver` and the `kubelet` on your nodes. +* Review the version skew between the Kubernetes `kube-apiserver` and the `kubelet` on your nodes. + -** Starting from [.noloc]`Kubernetes` version `1.28`, `kubelet` may be up to three minor versions older than `kube-apiserver`. See https://kubernetes.io/releases/version-skew-policy/#kubelet[Kubernetes upstream version skew policy]. -** If the `kubelet` on your managed and Fargate nodes is on [.noloc]`Kubernetes` version `1.25` or newer, you can update your cluster up to three versions ahead without updating the `kubelet` version. For example, if the `kubelet` is on version `1.25`, you can update your Amazon EKS cluster version from `1.25` to `1.26`, to `1.27`, and to `1.28` while the `kubelet` remains on version `1.25`. -** If the `kubelet` on your managed and Fargate nodes is on [.noloc]`Kubernetes` version `1.24` or older, it may only be up to two minor versions older than the `kube-apiserver`. In other words, if the `kubelet` is version `1.24` or older, you can only update your cluster up to two versions ahead. For example, if the `kubelet` is on version `1.21`, you can update your Amazon EKS cluster version from `1.21` to `1.22`, and to `1.23`, but you will not be able to update the cluster to `1.24` while the `kubelet` remains on `1.21`. -* As a best practice before starting an update, make sure that the `kubelet` on your nodes is at the same [.noloc]`Kubernetes` version as your control plane. -* If your cluster is configured with a version of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` that is earlier than `1.8.0`, then we recommend that you update the plugin to the latest version before updating your cluster. To update the plugin, see <>. -* If you're updating your cluster to version `1.25` or later and have the [.noloc]`{aws} Load Balancer Controller` deployed in your cluster, then update the controller to version `2.4.7` or later _before_ updating your cluster version to `1.25`. For more information, see the <> release notes. +** Starting from Kubernetes version `1.28`, `kubelet` may be up to three minor versions older than `kube-apiserver`. See https://kubernetes.io/releases/version-skew-policy/#kubelet[Kubernetes upstream version skew policy]. +** If the `kubelet` on your managed and Fargate nodes is on Kubernetes version `1.25` or newer, you can update your cluster up to three versions ahead without updating the `kubelet` version. For example, if the `kubelet` is on version `1.25`, you can update your Amazon EKS cluster version from `1.25` to `1.26`, to `1.27`, and to `1.28` while the `kubelet` remains on version `1.25`. +** If the `kubelet` on your managed and Fargate nodes is on Kubernetes version `1.24` or older, it may only be up to two minor versions older than the `kube-apiserver`. In other words, if the `kubelet` is version `1.24` or older, you can only update your cluster up to two versions ahead. For example, if the `kubelet` is on version `1.21`, you can update your Amazon EKS cluster version from `1.21` to `1.22`, and to `1.23`, but you will not be able to update the cluster to `1.24` while the `kubelet` remains on `1.21`. +* As a best practice before starting an update, make sure that the `kubelet` on your nodes is at the same Kubernetes version as your control plane. +* If your cluster is configured with a version of the Amazon VPC CNI plugin for Kubernetes that is earlier than `1.8.0`, then we recommend that you update the plugin to the latest version before updating your cluster. To update the plugin, see <>. +* If you're updating your cluster to version `1.25` or later and have the {aws} Load Balancer Controller deployed in your cluster, then update the controller to version `2.4.7` or later _before_ updating your cluster version to `1.25`. For more information, see the <> release notes. == Step 3: Update cluster control plane @@ -123,7 +123,7 @@ eksctl version For instructions on how to install and update `eksctl`, see https://eksctl.io/installation[Installation] in the `eksctl` documentation. -Update the [.noloc]`Kubernetes` version of your Amazon EKS control plane. Replace [.replaceable]`my-cluster` with your cluster name. Replace [.replaceable]`1.30` with the Amazon EKS supported version number that you want to update your cluster to. For a list of supported version numbers, see <>. +Update the Kubernetes version of your Amazon EKS control plane. Replace [.replaceable]`my-cluster` with your cluster name. Replace [.replaceable]`1.30` with the Amazon EKS supported version number that you want to update your cluster to. For a list of supported version numbers, see <>. [source,bash,subs="verbatim,attributes"] ---- @@ -139,7 +139,7 @@ Continue to <> . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. . Choose the name of the Amazon EKS cluster to update and choose *Update cluster version*. -. For *[.noloc]`Kubernetes` version*, select the version to update your cluster to and choose *Update*. +. For *Kubernetes version*, select the version to update your cluster to and choose *Update*. . For *Cluster name*, enter the name of your cluster and choose *Confirm*. + The update takes several minutes to complete. @@ -216,23 +216,23 @@ An example output is as follows. [#step4] == Step 4: Update cluster components -. After your cluster update is complete, update your nodes to the same [.noloc]`Kubernetes` minor version as your updated cluster. For more information, see <>, <>, and <>. Any new [.noloc]`Pods` that are launched on Fargate have a `kubelet` version that matches your cluster version. Existing Fargate [.noloc]`Pods` aren't changed. -. (Optional) If you deployed the [.noloc]`Kubernetes` Cluster Autoscaler to your cluster before updating the cluster, update the Cluster Autoscaler to the latest version that matches the [.noloc]`Kubernetes` major and minor version that you updated to. +. After your cluster update is complete, update your nodes to the same Kubernetes minor version as your updated cluster. For more information, see <>, <>, and <>. Any new Pods that are launched on Fargate have a `kubelet` version that matches your cluster version. Existing Fargate Pods aren't changed. +. (Optional) If you deployed the Kubernetes Cluster Autoscaler to your cluster before updating the cluster, update the Cluster Autoscaler to the latest version that matches the Kubernetes major and minor version that you updated to. + -.. Open the Cluster Autoscaler https://github.com/kubernetes/autoscaler/releases[releases] page in a web browser and find the latest Cluster Autoscaler version that matches your cluster's [.noloc]`Kubernetes` major and minor version. For example, if your cluster's [.noloc]`Kubernetes` version is `1.30` find the latest Cluster Autoscaler release that begins with `1.30`. Record the semantic version number (``1.30.n``, for example) for that release to use in the next step. +.. Open the Cluster Autoscaler https://github.com/kubernetes/autoscaler/releases[releases] page in a web browser and find the latest Cluster Autoscaler version that matches your cluster's Kubernetes major and minor version. For example, if your cluster's Kubernetes version is `1.30` find the latest Cluster Autoscaler release that begins with `1.30`. Record the semantic version number (``1.30.n``, for example) for that release to use in the next step. .. Set the Cluster Autoscaler image tag to the version that you recorded in the previous step with the following command. If necessary, replace [.replaceable]`1.30`.[.replaceable]`n` with your own value. + [source,bash,subs="verbatim,attributes"] ---- kubectl -n kube-system set image deployment.apps/cluster-autoscaler cluster-autoscaler=registry.k8s.io/autoscaling/cluster-autoscaler:v1.30.n ---- -. (Clusters with GPU nodes only) If your cluster has node groups with GPU support (for example, `p3.2xlarge`), you must update the https://github.com/NVIDIA/k8s-device-plugin[NVIDIA device plugin for Kubernetes][.noloc]`DaemonSet` on your cluster. Replace [.replaceable]`vX.X.X` with your desired https://github.com/NVIDIA/k8s-device-plugin/releases[NVIDIA/k8s-device-plugin] version before running the following command. +. (Clusters with GPU nodes only) If your cluster has node groups with GPU support (for example, `p3.2xlarge`), you must update the https://github.com/NVIDIA/k8s-device-plugin[NVIDIA device plugin for Kubernetes]DaemonSet on your cluster. Replace [.replaceable]`vX.X.X` with your desired https://github.com/NVIDIA/k8s-device-plugin/releases[NVIDIA/k8s-device-plugin] version before running the following command. + [source,bash,subs="verbatim,attributes"] ---- kubectl apply -f https://raw.githubusercontent.com/NVIDIA/k8s-device-plugin/vX.X.X/deployments/static/nvidia-device-plugin.yml ---- -. Update the [.noloc]`Amazon VPC CNI plugin for Kubernetes`, [.noloc]`CoreDNS`, and `kube-proxy` add-ons. We recommend updating the add-ons to the minimum versions listed in <>. +. Update the Amazon VPC CNI plugin for Kubernetes, CoreDNS, and `kube-proxy` add-ons. We recommend updating the add-ons to the minimum versions listed in <>. + ** If you are using Amazon EKS add-ons, select *Clusters* in the Amazon EKS console, then select the name of the cluster that you updated in the left navigation pane. Notifications appear in the console. They inform you that a new version is available for each add-on that has an available update. To update an add-on, select the *Add-ons* tab. In one of the boxes for an add-on that has an update available, select *Update now*, select an available version, and then select *Update*. ** Alternately, you can use the {aws} CLI or `eksctl` to update add-ons. For more information, see <>. @@ -240,6 +240,6 @@ kubectl apply -f https://raw.githubusercontent.com/NVIDIA/k8s-device-plugin/vX.X [#downgrade-cluster] -== Downgrade the [.noloc]`Kubernetes` version for an Amazon EKS cluster +== Downgrade the Kubernetes version for an Amazon EKS cluster -You cannot downgrade the [.noloc]`Kubernetes` of an Amazon EKS cluster. Instead, create a new cluster on a previous Amazon EKS version and migrate the workloads. \ No newline at end of file +You cannot downgrade the Kubernetes of an Amazon EKS cluster. Instead, create a new cluster on a previous Amazon EKS version and migrate the workloads. \ No newline at end of file diff --git a/latest/ug/clusters/view-upgrade-policy.adoc b/latest/ug/clusters/view-upgrade-policy.adoc index 03024358e..0ab6b2940 100644 --- a/latest/ug/clusters/view-upgrade-policy.adoc +++ b/latest/ug/clusters/view-upgrade-policy.adoc @@ -7,23 +7,23 @@ include::../attributes.txt[] The *cluster upgrade policy* determines what happens to your cluster when it leaves the standard support period. If your upgrade policy is `EXTENDED`, the cluster will not be automatically upgraded, and will enter extended support. If your upgrade policy is `STANDARD`, it will be automatically upgraded. -Amazon EKS controls for [.noloc]`Kubernetes` version policy allows you to choose the end of standard support behavior for your EKS clusters. With these controls you can decide which clusters should enter extended support and which clusters should be automatically upgraded at the end of standard support for a [.noloc]`Kubernetes` version. +Amazon EKS controls for Kubernetes version policy allows you to choose the end of standard support behavior for your EKS clusters. With these controls you can decide which clusters should enter extended support and which clusters should be automatically upgraded at the end of standard support for a Kubernetes version. -A minor version is under standard support in Amazon EKS for the first 14 months after it's released. Once a version is past the end of standard support date, it enters extended support for the next 12 months. Extended support allows you to stay at a specific [.noloc]`Kubernetes` version for longer at an additional cost per cluster hour. You can enable or disable extended support for an EKS Cluster. If you disable extended support, {aws} will automatically upgrade your cluster to the next version at the end of standard support. If you enable extended support, you can stay at the current version for an additional cost for a limited period of time. Plan to regularly upgrade your [.noloc]`Kubernetes` cluster, even if you use extended support. +A minor version is under standard support in Amazon EKS for the first 14 months after it's released. Once a version is past the end of standard support date, it enters extended support for the next 12 months. Extended support allows you to stay at a specific Kubernetes version for longer at an additional cost per cluster hour. You can enable or disable extended support for an EKS Cluster. If you disable extended support, {aws} will automatically upgrade your cluster to the next version at the end of standard support. If you enable extended support, you can stay at the current version for an additional cost for a limited period of time. Plan to regularly upgrade your Kubernetes cluster, even if you use extended support. You can set the version policy for both new and existing clusters, using the `supportType` property. There are two options that can be used to set the version support policy: -* `*STANDARD*` -- Your EKS cluster eligible for automatic upgrade at the end of standard support. You will not incur extended support charges with this setting but you EKS cluster will automatically upgrade to the next supported [.noloc]`Kubernetes` version in standard support. -* `*EXTENDED*` -- Your EKS cluster will enter into extended support once the [.noloc]`Kubernetes` version reaches end of standard support. You will incur extended support charges with this setting. You can upgrade your cluster to a standard supported [.noloc]`Kubernetes` version to stop incurring extended support charges. Clusters running on extended support will be eligible for automatic upgrade at the end of extended support. +* `*STANDARD*` -- Your EKS cluster eligible for automatic upgrade at the end of standard support. You will not incur extended support charges with this setting but you EKS cluster will automatically upgrade to the next supported Kubernetes version in standard support. +* `*EXTENDED*` -- Your EKS cluster will enter into extended support once the Kubernetes version reaches end of standard support. You will incur extended support charges with this setting. You can upgrade your cluster to a standard supported Kubernetes version to stop incurring extended support charges. Clusters running on extended support will be eligible for automatic upgrade at the end of extended support. Extended support is enabled by default for new clusters, and existing clusters. You can view if extended support is enabled for a cluster in the {aws-management-console}, or by using the {aws} CLI. [IMPORTANT] ==== -If you want your cluster to stay on its current [.noloc]`Kubernetes` version to take advantage of the extended support period, you must enable the extended support upgrade policy before the end of standard support period. +If you want your cluster to stay on its current Kubernetes version to take advantage of the extended support period, you must enable the extended support upgrade policy before the end of standard support period. ==== diff --git a/latest/ug/clusters/windows-support.adoc b/latest/ug/clusters/windows-support.adoc index 70ea2a131..6b7e4f176 100644 --- a/latest/ug/clusters/windows-support.adoc +++ b/latest/ug/clusters/windows-support.adoc @@ -1,6 +1,6 @@ [.topic] [#windows-support] -= Deploy [.noloc]`Windows` nodes on EKS clusters += Deploy Windows nodes on EKS clusters :info_titleabbrev: Enable Windows support include::../attributes.txt[] @@ -10,35 +10,35 @@ include::../attributes.txt[] Learn how to enable and manage Windows support for your Amazon EKS cluster to run Windows containers alongside Linux containers. -- -Before deploying [.noloc]`Windows` nodes, be aware of the following considerations. +Before deploying Windows nodes, be aware of the following considerations. * EKS Auto Mode does not support Windows nodes -* You can use host networking on Windows nodes using `HostProcess` Pods. For more information, see https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/[Create a Windows HostProcessPod] in the [.noloc]`Kubernetes` documentation. -* Amazon EKS clusters must contain one or more [.noloc]`Linux` or Fargate nodes to run core system [.noloc]`Pods` that only run on [.noloc]`Linux`, such as [.noloc]`CoreDNS`. +* You can use host networking on Windows nodes using `HostProcess` Pods. For more information, see https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/[Create a Windows HostProcessPod] in the Kubernetes documentation. +* Amazon EKS clusters must contain one or more Linux or Fargate nodes to run core system Pods that only run on Linux, such as CoreDNS. * The `kubelet` and `kube-proxy` event logs are redirected to the `EKS Windows` Event Log and are set to a 200 MB limit. -* You can't use <> with [.noloc]`Pods` running on [.noloc]`Windows` nodes. -* You can't use <> with [.noloc]`Windows` nodes. -* You can't use `IPv6` with [.noloc]`Windows` nodes. -* [.noloc]`Windows` nodes support one elastic network interface per node. By default, the number of [.noloc]`Pods` that you can run per [.noloc]`Windows` node is equal to the number of IP addresses available per elastic network interface for the node's instance type, minus one. For more information, see link:AWSEC2/latest/WindowsGuide/using-eni.html#AvailableIpPerENI[IP addresses per network interface per instance type,type="documentation"] in the _Amazon EC2 User Guide_. -* In an Amazon EKS cluster, a single service with a load balancer can support up to 1024 back-end [.noloc]`Pods`. Each [.noloc]`Pod` has its own unique IP address. The previous limit of 64 [.noloc]`Pods` is no longer the case, after https://github.com/microsoft/Windows-Containers/issues/93[a Windows Server update] starting with https://support.microsoft.com/en-us/topic/march-22-2022-kb5011551-os-build-17763-2746-preview-690a59cd-059e-40f4-87e8-e9139cc65de4[OS Build 17763.2746]. -* Windows containers aren't supported for Amazon EKS [.noloc]`Pods` on Fargate. +* You can't use <> with Pods running on Windows nodes. +* You can't use <> with Windows nodes. +* You can't use `IPv6` with Windows nodes. +* Windows nodes support one elastic network interface per node. By default, the number of Pods that you can run per Windows node is equal to the number of IP addresses available per elastic network interface for the node's instance type, minus one. For more information, see link:AWSEC2/latest/WindowsGuide/using-eni.html#AvailableIpPerENI[IP addresses per network interface per instance type,type="documentation"] in the _Amazon EC2 User Guide_. +* In an Amazon EKS cluster, a single service with a load balancer can support up to 1024 back-end Pods. Each Pod has its own unique IP address. The previous limit of 64 Pods is no longer the case, after https://github.com/microsoft/Windows-Containers/issues/93[a Windows Server update] starting with https://support.microsoft.com/en-us/topic/march-22-2022-kb5011551-os-build-17763-2746-preview-690a59cd-059e-40f4-87e8-e9139cc65de4[OS Build 17763.2746]. +* Windows containers aren't supported for Amazon EKS Pods on Fargate. * You can't use Amazon EKS Hybrid Nodes with Windows as the operating system for the host. * You can't retrieve logs from the `vpc-resource-controller` Pod. You previously could when you deployed the controller to the data plane. * There is a cool down period before an `IPv4` address is assigned to a new Pod. This prevents traffic from flowing to an older Pod with the same `IPv4` address due to stale `kube-proxy` rules. -* The source for the controller is managed on [.noloc]`GitHub`. To contribute to, or file issues against the controller, visit the https://github.com/aws/amazon-vpc-resource-controller-k8s[project] on [.noloc]`GitHub`. -* When specifying a custom AMI ID for [.noloc]`Windows` managed node groups, add `eks:kube-proxy-windows` to your {aws} IAM Authenticator configuration map. For more information, see <>. +* The source for the controller is managed on GitHub. To contribute to, or file issues against the controller, visit the https://github.com/aws/amazon-vpc-resource-controller-k8s[project] on GitHub. +* When specifying a custom AMI ID for Windows managed node groups, add `eks:kube-proxy-windows` to your {aws} IAM Authenticator configuration map. For more information, see <>. * If preserving your available IPv4 addresses is crucial for your subnet, refer to https://aws.github.io/aws-eks-best-practices/windows/docs/networking/#ip-address-management[EKS Best Practices Guide - Windows Networking IP Address Management] for guidance. * An existing cluster. -* Your cluster must have at least one (we recommend at least two) [.noloc]`Linux` node or Fargate [.noloc]`Pod` to run [.noloc]`CoreDNS`. If you enable legacy [.noloc]`Windows` support, you must use a [.noloc]`Linux` node (you can't use a Fargate [.noloc]`Pod`) to run [.noloc]`CoreDNS`. +* Your cluster must have at least one (we recommend at least two) Linux node or Fargate Pod to run CoreDNS. If you enable legacy Windows support, you must use a Linux node (you can't use a Fargate Pod) to run CoreDNS. * An existing <>. [#enable-windows-support] -== Enable [.noloc]`Windows` support -. If you don't have Amazon Linux nodes in your cluster and use security groups for [.noloc]`Pods`, skip to the next step. Otherwise, confirm that the `AmazonEKSVPCResourceController` managed policy is attached to your <>. Replace [.replaceable]`eksClusterRole` with your cluster role name. +== Enable Windows support +. If you don't have Amazon Linux nodes in your cluster and use security groups for Pods, skip to the next step. Otherwise, confirm that the `AmazonEKSVPCResourceController` managed policy is attached to your <>. Replace [.replaceable]`eksClusterRole` with your cluster role name. + [source,bash,subs="verbatim,attributes"] ---- @@ -90,7 +90,7 @@ data: ---- kubectl apply -f vpc-resource-controller-configmap.yaml ---- -. Verify that your `aws-auth` `ConfigMap` contains a mapping for the instance role of the [.noloc]`Windows` node to include the `eks:kube-proxy-windows` RBAC permission group. You can verify by running the following command. +. Verify that your `aws-auth` `ConfigMap` contains a mapping for the instance role of the Windows node to include the `eks:kube-proxy-windows` RBAC permission group. You can verify by running the following command. + [source,bash,subs="verbatim,attributes"] ---- @@ -125,7 +125,7 @@ You should see `eks:kube-proxy-windows` listed under groups. If the group isn't When you deploy Pods to your cluster, you need to specify the operating system that they use if you're running a mixture of node types. -For [.noloc]`Linux` [.noloc]`Pods`, use the following node selector text in your manifests. +For Linux Pods, use the following node selector text in your manifests. [source,yaml,subs="verbatim,attributes"] ---- @@ -134,7 +134,7 @@ nodeSelector: kubernetes.io/arch: amd64 ---- -For [.noloc]`Windows` [.noloc]`Pods`, use the following node selector text in your manifests. +For Windows Pods, use the following node selector text in your manifests. [source,yaml,subs="verbatim,attributes"] ---- @@ -146,22 +146,22 @@ nodeSelector: You can deploy a <> to see the node selectors in use. [#windows-support-pod-density] -== Support higher [.noloc]`Pod` density on Windows nodes +== Support higher Pod density on Windows nodes -In Amazon EKS, each [.noloc]`Pod` is allocated an `IPv4` address from your VPC. Due to this, the number of [.noloc]`Pods` that you can deploy to a node is constrained by the available IP addresses, even if there are sufficient resources to run more [.noloc]`Pods` on the node. Since only one elastic network interface is supported by a Windows node, by default, the maximum number of available IP addresses on a Windows node is equal to: +In Amazon EKS, each Pod is allocated an `IPv4` address from your VPC. Due to this, the number of Pods that you can deploy to a node is constrained by the available IP addresses, even if there are sufficient resources to run more Pods on the node. Since only one elastic network interface is supported by a Windows node, by default, the maximum number of available IP addresses on a Windows node is equal to: [source,bash,subs="verbatim,attributes"] ---- Number of private IPv4 addresses for each interface on the node - 1 ---- -One IP address is used as the primary IP address of the network interface, so it can't be allocated to [.noloc]`Pods`. +One IP address is used as the primary IP address of the network interface, so it can't be allocated to Pods. -You can enable higher [.noloc]`Pod` density on Windows nodes by enabling IP prefix delegation. This feature enables you to assign a `/28` `IPv4` prefix to the primary network interface, instead of assigning secondary `IPv4` addresses. Assigning an IP prefix increases the maximum available `IPv4` addresses on the node to: +You can enable higher Pod density on Windows nodes by enabling IP prefix delegation. This feature enables you to assign a `/28` `IPv4` prefix to the primary network interface, instead of assigning secondary `IPv4` addresses. Assigning an IP prefix increases the maximum available `IPv4` addresses on the node to: [source,bash,subs="verbatim,attributes"] ---- (Number of private IPv4 addresses assigned to the interface attached to the node - 1) * 16 ---- -With this significantly larger number of available IP addresses, available IP addresses shouldn't limit your ability to scale the number of [.noloc]`Pods` on your nodes. For more information, see <>. \ No newline at end of file +With this significantly larger number of available IP addresses, available IP addresses shouldn't limit your ability to scale the number of Pods on your nodes. For more information, see <>. \ No newline at end of file diff --git a/latest/ug/connector/connecting-cluster.adoc b/latest/ug/connector/connecting-cluster.adoc index d243406be..ab7e300d9 100644 --- a/latest/ug/connector/connecting-cluster.adoc +++ b/latest/ug/connector/connecting-cluster.adoc @@ -1,16 +1,16 @@ [.topic] [#connecting-cluster] -= Connect an external [.noloc]`Kubernetes` cluster to the Amazon EKS Management Console += Connect an external Kubernetes cluster to the Amazon EKS Management Console :info_titleabbrev: Connect a cluster include::../attributes.txt[] [abstract] -- -Learn to connect an external [.noloc]`Kubernetes` cluster to an Amazon EKS Management Console and install the eks-connector agent via Helm or YAML manifests to enable visibility and management of the external cluster. +Learn to connect an external Kubernetes cluster to an Amazon EKS Management Console and install the eks-connector agent via Helm or YAML manifests to enable visibility and management of the external cluster. -- -You can connect an external [.noloc]`Kubernetes` cluster to Amazon EKS by using multiple methods in the following process. This process involves two steps: Registering the cluster with Amazon EKS and installing the `eks-connector` agent in the cluster. +You can connect an external Kubernetes cluster to Amazon EKS by using multiple methods in the following process. This process involves two steps: Registering the cluster with Amazon EKS and installing the `eks-connector` agent in the cluster. [IMPORTANT] ==== @@ -86,7 +86,7 @@ You use the `aws-region`, `activationId`, and `activationCode` values in the nex . On the *Configure cluster* section, fill in the following fields: + *** *Name* – A unique name for your cluster. -*** *Provider* – Choose to display the dropdown list of [.noloc]`Kubernetes` cluster providers. If you don't know the specific provider, select *Other*. +*** *Provider* – Choose to display the dropdown list of Kubernetes cluster providers. If you don't know the specific provider, select *Other*. *** *EKS Connector role* – Select the role to use for connecting the cluster. . Select *Register cluster*. . The Cluster overview page displays. If you want to use the Helm chart, copy the `helm install` command and continue to the next step. If you want to use the YAML manifest, choose *Download YAML file* to download the manifest file to your local drive. @@ -96,9 +96,9 @@ You use the `aws-region`, `activationId`, and `activationCode` values in the nex This is your only opportunity to copy the `helm install` command or download this file. Don't navigate away from this page, as the link will not be accessible and you must deregister the cluster and start the steps from the beginning. ==== + -The command or manifest file can be used only once for the registered cluster. If you delete resources from the [.noloc]`Kubernetes` cluster, you must re-register the cluster and obtain a new manifest file. +The command or manifest file can be used only once for the registered cluster. If you delete resources from the Kubernetes cluster, you must re-register the cluster and obtain a new manifest file. -Continue to the next step to apply the manifest file to your [.noloc]`Kubernetes` cluster. +Continue to the next step to apply the manifest file to your Kubernetes cluster. === `eksctl` [[eksctl_register_cluster_connect]] . `eksctl` version `0.68` or later must be installed. To install or upgrade it, see <>. @@ -164,7 +164,7 @@ If you used the {aws-management-console} in the previous step, use the command t . Check the healthiness of the installed `eks-connector` deployment and wait for the status of the registered cluster in Amazon EKS to be `ACTIVE`. === yaml [[yaml_agent_cluster_connect]] -Complete the connection by applying the Amazon EKS Connector manifest file to your [.noloc]`Kubernetes` cluster. To do this, you must use the methods described previously. If the manifest isn't applied within three days, the Amazon EKS Connector registration expires. If the cluster connection expires, the cluster must be deregistered before connecting the cluster again. +Complete the connection by applying the Amazon EKS Connector manifest file to your Kubernetes cluster. To do this, you must use the methods described previously. If the manifest isn't applied within three days, the Amazon EKS Connector registration expires. If the cluster connection expires, the cluster must be deregistered before connecting the cluster again. . Download the Amazon EKS Connector YAML file. + @@ -191,7 +191,7 @@ Ensure that your activation code is in the base64 format. ---- kubectl apply -f eks-connector.yaml ---- -. After the Amazon EKS Connector manifest and role binding YAML files are applied to your [.noloc]`Kubernetes` cluster, confirm that the cluster is now connected. +. After the Amazon EKS Connector manifest and role binding YAML files are applied to your Kubernetes cluster, confirm that the cluster is now connected. + [source,bash,subs="verbatim,attributes"] ---- @@ -209,4 +209,4 @@ The output should include `status=ACTIVE`. If you have any issues with these steps, see <>. -To grant additional link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"] access to the Amazon EKS console to view [.noloc]`Kubernetes` resources in a connected cluster, see <>. \ No newline at end of file +To grant additional link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"] access to the Amazon EKS console to view Kubernetes resources in a connected cluster, see <>. \ No newline at end of file diff --git a/latest/ug/connector/connector-grant-access.adoc b/latest/ug/connector/connector-grant-access.adoc index 0e6050a8f..97e126e5a 100644 --- a/latest/ug/connector/connector-grant-access.adoc +++ b/latest/ug/connector/connector-grant-access.adoc @@ -1,6 +1,6 @@ [.topic] [#connector-grant-access] -= Grant access to view [.noloc]`Kubernetes` cluster resources on an Amazon EKS console += Grant access to view Kubernetes cluster resources on an Amazon EKS console :info_titleabbrev: Grant access to clusters include::../attributes.txt[] @@ -10,7 +10,7 @@ include::../attributes.txt[] Learn to grant IAM principals access to view Kubernetes cluster resources on an Amazon EKS Management Console. -- -Grant link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"] access to the Amazon EKS console to view information about [.noloc]`Kubernetes` resources running on your connected cluster. +Grant link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"] access to the Amazon EKS console to view information about Kubernetes resources running on your connected cluster. [#connector-grant-access-prereqs] == Prerequisites @@ -18,7 +18,7 @@ Grant link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals, The link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that you use to access the {aws-management-console} must meet the following requirements: * It must have the `eks:AccessKubernetesApi` IAM permission. -* The Amazon EKS Connector service account can impersonate the IAM principal in the cluster. This allows the Amazon EKS Connector to map the IAM principal to a [.noloc]`Kubernetes` user. +* The Amazon EKS Connector service account can impersonate the IAM principal in the cluster. This allows the Amazon EKS Connector to map the IAM principal to a Kubernetes user. *To create and apply the Amazon EKS Connector cluster role* @@ -29,21 +29,21 @@ The link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,typ curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/eks-connector/manifests/eks-connector-console-roles/eks-connector-clusterrole.yaml ---- . Edit the cluster role template YAML file. Replace references of `%IAM_ARN%` with the Amazon Resource Name (ARN) of your IAM principal. -. Apply the Amazon EKS Connector cluster role YAML to your [.noloc]`Kubernetes` cluster. +. Apply the Amazon EKS Connector cluster role YAML to your Kubernetes cluster. + [source,bash,subs="verbatim,attributes"] ---- kubectl apply -f eks-connector-clusterrole.yaml ---- -For an IAM principal to view [.noloc]`Kubernetes` resources in Amazon EKS console, the principal must be associated with a [.noloc]`Kubernetes` `role` or `clusterrole` with necessary permissions to read the resources. For more information, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Using RBAC Authorization] in the [.noloc]`Kubernetes` documentation. +For an IAM principal to view Kubernetes resources in Amazon EKS console, the principal must be associated with a Kubernetes `role` or `clusterrole` with necessary permissions to read the resources. For more information, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Using RBAC Authorization] in the Kubernetes documentation. *To configure an IAM principal to access the connected cluster* . You can download either of these example manifest files to create a `clusterrole` and `clusterrolebinding` or a `role` and `rolebinding`, respectively: + -*View [.noloc]`Kubernetes` resources in all namespaces*::: +*View Kubernetes resources in all namespaces*::: ** The `eks-connector-console-dashboard-full-access-clusterrole` cluster role gives access to all namespaces and resources that can be visualized in the console. You can change the name of the `role`, `clusterrole` and their corresponding binding before applying it to your cluster. Use the following command to download a sample file. + [source,bash,subs="verbatim,attributes"] @@ -52,7 +52,7 @@ curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/eks-connector/manifests/ek ---- -*View [.noloc]`Kubernetes` resources in a specific namespace*::: +*View Kubernetes resources in a specific namespace*::: ** The namespace in this file is `default`, so if you want to specify a different namespace, edit the file before applying it to your cluster. Use the following command to download a sample file. + [source,bash,subs="verbatim,attributes"] @@ -60,11 +60,11 @@ curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/eks-connector/manifests/ek curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/eks-connector/manifests/eks-connector-console-roles/eks-connector-console-dashboard-restricted-access-group.yaml ---- . Edit the full access or restricted access YAML file to replace references of `%IAM_ARN%` with the Amazon Resource Name (ARN) of your IAM principal. -. Apply the full access or restricted access YAML files to your [.noloc]`Kubernetes` cluster. Replace the YAML file value with your own. +. Apply the full access or restricted access YAML files to your Kubernetes cluster. Replace the YAML file value with your own. + [source,bash,subs="verbatim,attributes"] ---- kubectl apply -f eks-connector-console-dashboard-full-access-group.yaml ---- -To view [.noloc]`Kubernetes` resources in your connected cluster, see <>. Data for some resource types on the *Resources* tab isn't available for connected clusters. \ No newline at end of file +To view Kubernetes resources in your connected cluster, see <>. Data for some resource types on the *Resources* tab isn't available for connected clusters. \ No newline at end of file diff --git a/latest/ug/connector/deregister-connected-cluster.adoc b/latest/ug/connector/deregister-connected-cluster.adoc index 14d3ab89f..2577ad400 100644 --- a/latest/ug/connector/deregister-connected-cluster.adoc +++ b/latest/ug/connector/deregister-connected-cluster.adoc @@ -7,7 +7,7 @@ include::../attributes.txt[] [abstract] -- -Learn to deregister a [.noloc]`Kubernetes` cluster from Amazon EKS and uninstall the eks-connector agent to stop managing the cluster from the Amazon EKS Management Console. +Learn to deregister a Kubernetes cluster from Amazon EKS and uninstall the eks-connector agent to stop managing the cluster from the Amazon EKS Management Console. -- If you are finished using a connected cluster, you can deregister it. After it's deregistered, the cluster is no longer visible in the Amazon EKS console. @@ -23,7 +23,7 @@ You must have the following permissions to call the deregisterCluster API: This process involves two steps: Deregistering the cluster with Amazon EKS and uninstalling the eks-connector agent in the cluster. [#deregister-connected-cluster-eks] -== Deregister the [.noloc]`Kubernetes` cluster +== Deregister the Kubernetes cluster To deregister a cluster from Amazon EKS connector, you can use one of these tools: * <> @@ -63,7 +63,7 @@ eksctl deregister cluster --name my-cluster [#deregister-connected-cluster-k8s] -== Clean up the resources in your [.noloc]`Kubernetes` cluster +== Clean up the resources in your Kubernetes cluster To uninstall the `eks-connector` agent, use one of the following tools: * <> @@ -80,10 +80,10 @@ helm -n eks-connector uninstall eks-connector === yaml [[yaml_agent_cluster_deregister]] -. Delete the Amazon EKS Connector YAML file from your [.noloc]`Kubernetes` cluster. +. Delete the Amazon EKS Connector YAML file from your Kubernetes cluster. + [source,bash,subs="verbatim,attributes"] ---- kubectl delete -f eks-connector.yaml ---- -. If you created `clusterrole` or `clusterrolebindings` for additional link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"] to access the cluster, delete them from your [.noloc]`Kubernetes` cluster. \ No newline at end of file +. If you created `clusterrole` or `clusterrolebindings` for additional link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"] to access the cluster, delete them from your Kubernetes cluster. \ No newline at end of file diff --git a/latest/ug/connector/eks-connector.adoc b/latest/ug/connector/eks-connector.adoc index 7416c0ce5..67759d9c8 100644 --- a/latest/ug/connector/eks-connector.adoc +++ b/latest/ug/connector/eks-connector.adoc @@ -1,5 +1,5 @@ [#eks-connector] -= Connect a [.noloc]`Kubernetes` cluster to an Amazon EKS Management Console with Amazon EKS Connector += Connect a Kubernetes cluster to an Amazon EKS Management Console with Amazon EKS Connector :doctype: book :sectnums: :toc: left @@ -14,17 +14,17 @@ include::../attributes.txt[] [abstract] -- -Discover how to connect conformant [.noloc]`Kubernetes` clusters to {aws} and visualize them in the Amazon EKS console using the Amazon EKS Connector agent and required IAM roles. +Discover how to connect conformant Kubernetes clusters to {aws} and visualize them in the Amazon EKS console using the Amazon EKS Connector agent and required IAM roles. -- -You can use Amazon EKS Connector to register and connect any conformant [.noloc]`Kubernetes` cluster to {aws} and visualize it in the Amazon EKS console. After a cluster is connected, you can see the status, configuration, and workloads for that cluster in the Amazon EKS console. You can use this feature to view connected clusters in Amazon EKS console, but you can't manage them. The Amazon EKS Connector requires an agent that is an https://github.com/aws/amazon-eks-connector[open source project on Github]. For additional technical content, including frequently asked questions and troubleshooting, see <>. +You can use Amazon EKS Connector to register and connect any conformant Kubernetes cluster to {aws} and visualize it in the Amazon EKS console. After a cluster is connected, you can see the status, configuration, and workloads for that cluster in the Amazon EKS console. You can use this feature to view connected clusters in Amazon EKS console, but you can't manage them. The Amazon EKS Connector requires an agent that is an https://github.com/aws/amazon-eks-connector[open source project on Github]. For additional technical content, including frequently asked questions and troubleshooting, see <>. -The Amazon EKS Connector can connect the following types of [.noloc]`Kubernetes` clusters to Amazon EKS. +The Amazon EKS Connector can connect the following types of Kubernetes clusters to Amazon EKS. -* On-premises [.noloc]`Kubernetes` clusters +* On-premises Kubernetes clusters * Self-managed clusters that are running on Amazon EC2 * Managed clusters from other cloud providers @@ -36,11 +36,11 @@ Before you use Amazon EKS Connector, understand the following: -* You must have administrative privileges to the [.noloc]`Kubernetes` cluster to connect the cluster to Amazon EKS. -* The [.noloc]`Kubernetes` cluster must have [.noloc]`Linux` 64-bit (x86) worker nodes present before connecting. ARM worker nodes aren't supported. -* You must have worker nodes in your [.noloc]`Kubernetes` cluster that have outbound access to the `ssm.` and `ssmmessages.` Systems Manager endpoints. For more information, see link:general/latest/gr/ssm.html[Systems Manager endpoints,type="documentation"] in the _{aws} General Reference_. +* You must have administrative privileges to the Kubernetes cluster to connect the cluster to Amazon EKS. +* The Kubernetes cluster must have Linux 64-bit (x86) worker nodes present before connecting. ARM worker nodes aren't supported. +* You must have worker nodes in your Kubernetes cluster that have outbound access to the `ssm.` and `ssmmessages.` Systems Manager endpoints. For more information, see link:general/latest/gr/ssm.html[Systems Manager endpoints,type="documentation"] in the _{aws} General Reference_. * By default, you can connect up to 10 clusters in a Region. You can request an increase through the link:servicequotas/latest/userguide/request-quota-increase.html[service quota console,type="documentation"]. See link:servicequotas/latest/userguide/request-quota-increase.html[Requesting a quota increase,type="documentation"] for more information. -* Only the Amazon EKS `RegisterCluster`, `ListClusters`, `DescribeCluster`, and `DeregisterCluster` APIs are supported for external [.noloc]`Kubernetes` clusters. +* Only the Amazon EKS `RegisterCluster`, `ListClusters`, `DescribeCluster`, and `DeregisterCluster` APIs are supported for external Kubernetes clusters. * You must have the following permissions to register a cluster: + ** eks:RegisterCluster diff --git a/latest/ug/connector/security-connector.adoc b/latest/ug/connector/security-connector.adoc index 546e59f85..ffdda5503 100644 --- a/latest/ug/connector/security-connector.adoc +++ b/latest/ug/connector/security-connector.adoc @@ -10,7 +10,7 @@ include::../attributes.txt[] Learn how the open-source EKS Connector affects security, and understand {aws} and customer security responsibilities for connectivity, cluster management, and IAM access control. -- -The Amazon EKS Connector is an open source component that runs on your [.noloc]`Kubernetes` cluster. This cluster can be located outside of the {aws} environment. This creates additional considerations for security responsibilities. This configuration can be illustrated by the following diagram. Orange represents {aws} responsibilities, and blue represents customer responsibilities: +The Amazon EKS Connector is an open source component that runs on your Kubernetes cluster. This cluster can be located outside of the {aws} environment. This creates additional considerations for security responsibilities. This configuration can be illustrated by the following diagram. Orange represents {aws} responsibilities, and blue represents customer responsibilities: @@ -21,18 +21,18 @@ This topic describes the differences in the responsibility model if the connecte [#connect-aws-resp] == {aws} responsibilities -* Maintaining, building, and delivering Amazon EKS Connector, which is an https://github.com/aws/amazon-eks-connector[open source component] that runs on a customer's [.noloc]`Kubernetes` cluster and communicates with {aws}. -* Maintaining transport and application layer communication security between the connected [.noloc]`Kubernetes` cluster and {aws} services. +* Maintaining, building, and delivering Amazon EKS Connector, which is an https://github.com/aws/amazon-eks-connector[open source component] that runs on a customer's Kubernetes cluster and communicates with {aws}. +* Maintaining transport and application layer communication security between the connected Kubernetes cluster and {aws} services. [#connect-cust-resp] == Customer responsibilities -* [.noloc]`Kubernetes` cluster specific security, specifically along the following lines: +* Kubernetes cluster specific security, specifically along the following lines: + -** [.noloc]`Kubernetes` secrets must be properly encrypted and protected. +** Kubernetes secrets must be properly encrypted and protected. ** Lock down access to the `eks-connector` namespace. * Configuring role-based access control (RBAC) permissions to manage link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] access from {aws}. For instructions, see <>. * Installing and upgrading Amazon EKS Connector. -* Maintaining the hardware, software, and infrastructure that supports the connected [.noloc]`Kubernetes` cluster. +* Maintaining the hardware, software, and infrastructure that supports the connected Kubernetes cluster. * Securing their {aws} accounts (for example, through safeguarding your link:IAM/latest/UserGuide/best-practices.html#lock-away-credentials[root user credentials,type="documentation"]). \ No newline at end of file diff --git a/latest/ug/connector/troubleshooting-connector.adoc b/latest/ug/connector/troubleshooting-connector.adoc index dc168d7df..62b634d12 100644 --- a/latest/ug/connector/troubleshooting-connector.adoc +++ b/latest/ug/connector/troubleshooting-connector.adoc @@ -7,7 +7,7 @@ include::../attributes.txt[] [abstract] -- -Troubleshoot and resolve common issues when using Amazon EKS Connector to connect your [.noloc]`Kubernetes` clusters to Amazon EKS. +Troubleshoot and resolve common issues when using Amazon EKS Connector to connect your Kubernetes clusters to Amazon EKS. -- This topic covers some of the common errors that you might encounter while using the Amazon EKS Connector, including instructions on how to resolve them and workarounds. @@ -31,7 +31,7 @@ kubectl get pods -n eks-connector [#tsc-logs] === Inspect Amazon EKS Connector logs -The Amazon EKS Connector [.noloc]`Pod` consists of three containers. To retrieve full logs for all of these containers so that you can inspect them, run the following commands: +The Amazon EKS Connector Pod consists of three containers. To retrieve full logs for all of these containers so that you can inspect them, run the following commands: @@ -61,7 +61,7 @@ kubectl exec eks-connector-1 --container connector-agent -n eks-connector -- cat [#tsc-name] === Get the effective cluster name -Amazon EKS clusters are uniquely identified by `clusterName` within a single {aws} account and {aws} Region. If you have multiple connected clusters in Amazon EKS, you can confirm which Amazon EKS cluster that the current [.noloc]`Kubernetes` cluster is registered to. To do this, enter the following to find out the `clusterName` of the current cluster. +Amazon EKS clusters are uniquely identified by `clusterName` within a single {aws} account and {aws} Region. If you have multiple connected clusters in Amazon EKS, you can confirm which Amazon EKS cluster that the current Kubernetes cluster is registered to. To do this, enter the following to find out the `clusterName` of the current cluster. // Not using subs="quotes" here with [.replaceable]`region-code` because the * characters get dropped. [source,bash,subs="verbatim,attributes"] @@ -78,7 +78,7 @@ kubectl exec eks-connector-1 --container connector-agent -n eks-connector \ The following commands are useful to retrieve information that you need to troubleshoot issues. -* Use the following command to gather images that's used by [.noloc]`Pods` in Amazon EKS Connector. +* Use the following command to gather images that's used by Pods in Amazon EKS Connector. // Not using subs="quotes" here with [.replaceable]`region-code` because the * characters get dropped. + [source,bash,subs="verbatim,attributes"] @@ -91,7 +91,7 @@ kubectl get pods -n eks-connector -o jsonpath="{.items[*].spec.containers[*].ima ---- kubectl get pods -n eks-connector -o jsonpath="{.items[*].spec.nodeName}" | tr -s '[[:space:]]' '\n' ---- -* Run the following command to get your [.noloc]`Kubernetes` client and server versions. +* Run the following command to get your Kubernetes client and server versions. + [source,bash,subs="verbatim,attributes"] ---- @@ -126,21 +126,21 @@ docker logout public.ecr.aws [#symp-pending] == Console error: the cluster is stuck in the Pending state -If the cluster gets stuck in the `Pending` state on the Amazon EKS console after you're registered it, it might be because the Amazon EKS Connector didn't successfully connect the cluster to {aws} yet. For a registered cluster, the `Pending` state means that the connection isn't successfully established. To resolve this issue, make sure that you have applied the manifest to the target [.noloc]`Kubernetes` cluster. If you applied it to the cluster, but the cluster is still in the `Pending` state, then the `eks-connector` statefulset might be unhealthy. To troubleshoot this issue, see <>in this topic. +If the cluster gets stuck in the `Pending` state on the Amazon EKS console after you're registered it, it might be because the Amazon EKS Connector didn't successfully connect the cluster to {aws} yet. For a registered cluster, the `Pending` state means that the connection isn't successfully established. To resolve this issue, make sure that you have applied the manifest to the target Kubernetes cluster. If you applied it to the cluster, but the cluster is still in the `Pending` state, then the `eks-connector` statefulset might be unhealthy. To troubleshoot this issue, see <>in this topic. [#symp-imp] == Console error: User system:serviceaccount:eks-connector:eks-connector can't impersonate resource users in API group at cluster scope -The Amazon EKS Connector uses [.noloc]`Kubernetes` https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation[user impersonation] to act on behalf of link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"] from the {aws-management-console}. Each principal that accesses the [.noloc]`Kubernetes` API from the {aws} `eks-connector` service account must be granted permission to impersonate the corresponding [.noloc]`Kubernetes` user with an IAM ARN as its [.noloc]`Kubernetes` user name. In the following examples, the IAM ARN is mapped to a [.noloc]`Kubernetes` user. +The Amazon EKS Connector uses Kubernetes https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation[user impersonation] to act on behalf of link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"] from the {aws-management-console}. Each principal that accesses the Kubernetes API from the {aws} `eks-connector` service account must be granted permission to impersonate the corresponding Kubernetes user with an IAM ARN as its Kubernetes user name. In the following examples, the IAM ARN is mapped to a Kubernetes user. -* IAM user [.replaceable]`john` from {aws} account [.replaceable]`111122223333` is mapped to a [.noloc]`Kubernetes` user. link:IAM/latest/UserGuide/id_users.html[IAM best practices,type="documentation"] recommend that you grant permissions to roles instead of users. +* IAM user [.replaceable]`john` from {aws} account [.replaceable]`111122223333` is mapped to a Kubernetes user. link:IAM/latest/UserGuide/id_users.html[IAM best practices,type="documentation"] recommend that you grant permissions to roles instead of users. + [source,bash,subs="verbatim,attributes"] ---- {arn-aws}iam::111122223333:user/john ---- -* IAM role [.replaceable]`admin` from {aws} account [.replaceable]`111122223333` is mapped to a [.noloc]`Kubernetes` user: +* IAM role [.replaceable]`admin` from {aws} account [.replaceable]`111122223333` is mapped to a Kubernetes user: + [source,bash,subs="verbatim,attributes"] ---- @@ -154,9 +154,9 @@ For instructions on how to configure the `ClusterRole` and `ClusterRoleBinding` [#symp-rbac] == Console error: [...] is forbidden: User [...] cannot list resource [...] in API group at the cluster scope -Consider the following problem. The Amazon EKS Connector has successfully impersonated the requesting {aws-management-console} IAM principal in the target [.noloc]`Kubernetes` cluster. However, the impersonated principal doesn't have RBAC permission for [.noloc]`Kubernetes` API operations. +Consider the following problem. The Amazon EKS Connector has successfully impersonated the requesting {aws-management-console} IAM principal in the target Kubernetes cluster. However, the impersonated principal doesn't have RBAC permission for Kubernetes API operations. -To resolve this issue, there are two methods to give permissions to additional users. If you previously installed eks-connector via helm chart, you can easily grant users access by running the following command. Replace the `userARN1` and `userARN2` with a list of the ARNs of the IAM roles to give access to view the [.noloc]`Kubernetes` resources: +To resolve this issue, there are two methods to give permissions to additional users. If you previously installed eks-connector via helm chart, you can easily grant users access by running the following command. Replace the `userARN1` and `userARN2` with a list of the ARNs of the IAM roles to give access to view the Kubernetes resources: [source,shell,subs="verbatim,attributes"] ---- @@ -165,10 +165,10 @@ helm upgrade eks-connector oci://public.ecr.aws/eks-connector/eks-connector-char --set 'authentication.allowedUserARNs={userARN1,userARN2}' ---- -Or, as the cluster administrator, grant the appropriate level of RBAC privileges to individual [.noloc]`Kubernetes` users. For more information and examples, see <>. +Or, as the cluster administrator, grant the appropriate level of RBAC privileges to individual Kubernetes users. For more information and examples, see <>. [#symp-con] -== Console error: Amazon EKS can't communicate with your [.noloc]`Kubernetes` cluster API server. The cluster must be in an ACTIVE state for successful connection. Try again in few minutes. +== Console error: Amazon EKS can't communicate with your Kubernetes cluster API server. The cluster must be in an ACTIVE state for successful connection. Try again in few minutes. If the Amazon EKS service can't communicate with the Amazon EKS connector in the target cluster, it might be because of one of the following reasons: @@ -178,9 +178,9 @@ If the Amazon EKS service can't communicate with the Amazon EKS connector in the To resolve this problem, check the <>. If you don't see an error for the Amazon EKS Connector, retry the connection after a few minutes. If you regularly experience high latency or intermittent connectivity for the target cluster, consider re-registering the cluster to an {aws} Region that's located closer to you. [#symp-loop] -== Amazon EKS connector [.noloc]`Pods` are crash looping +== Amazon EKS connector Pods are crash looping -There are many reasons that can cause an Amazon EKS connector [.noloc]`Pod` to enter the `CrashLoopBackOff` status. This issue likely involves the `connector-init` container. Check the status of the Amazon EKS connector [.noloc]`Pod`. +There are many reasons that can cause an Amazon EKS connector Pod to enter the `CrashLoopBackOff` status. This issue likely involves the `connector-init` container. Check the status of the Amazon EKS connector Pod. [source,bash,subs="verbatim,attributes"] ---- @@ -211,8 +211,8 @@ To troubleshoot this issue, consider the following causes and recommended fixes: -* Registration might have failed because the `activationId` and `activationCode` aren't in your manifest file. If this is the case, make sure that they are the correct values that were returned from the `RegisterCluster` API operation, and that the `activationCode` is in the manifest file. The `activationCode` is added to [.noloc]`Kubernetes` secrets, so it must be `base64` encoded. For more information, see <>. -* Registration might have failed because your activation expired. This is because, for security reasons, you must activate the Amazon EKS Connector within three days after registering the cluster. To resolve this issue, make sure that the Amazon EKS Connector manifest is applied to the target [.noloc]`Kubernetes` cluster before the expiry date and time. To confirm your activation expiry date, call the `DescribeCluster` API operation. +* Registration might have failed because the `activationId` and `activationCode` aren't in your manifest file. If this is the case, make sure that they are the correct values that were returned from the `RegisterCluster` API operation, and that the `activationCode` is in the manifest file. The `activationCode` is added to Kubernetes secrets, so it must be `base64` encoded. For more information, see <>. +* Registration might have failed because your activation expired. This is because, for security reasons, you must activate the Amazon EKS Connector within three days after registering the cluster. To resolve this issue, make sure that the Amazon EKS Connector manifest is applied to the target Kubernetes cluster before the expiry date and time. To confirm your activation expiry date, call the `DescribeCluster` API operation. + [source,bash,subs="verbatim,attributes"] ---- @@ -251,9 +251,9 @@ If the `activationExpiry` passed, deregister the cluster and register it again. To work properly, the Amazon EKS Connector requires outbound connectivity to several {aws} endpoints. You can't connect a private cluster without outbound connectivity to a target {aws} Region. To resolve this issue, you must add the necessary outbound connectivity. For information about connector requirements, see <>. [#symp-img] -== Amazon EKS connector [.noloc]`Pods` are in `ImagePullBackOff` state +== Amazon EKS connector Pods are in `ImagePullBackOff` state -If you run the `get pods` command and [.noloc]`Pods` are in the `ImagePullBackOff` state, they can't work properly. If the Amazon EKS Connector [.noloc]`Pods` are in the `ImagePullBackOff` state, they can't work properly. Check the status of your Amazon EKS Connector [.noloc]`Pods`. +If you run the `get pods` command and Pods are in the `ImagePullBackOff` state, they can't work properly. If the Amazon EKS Connector Pods are in the `ImagePullBackOff` state, they can't work properly. Check the status of your Amazon EKS Connector Pods. [source,bash,subs="verbatim,attributes"] ---- @@ -268,4 +268,4 @@ NAME READY STATUS RESTARTS AGE eks-connector-0 0/2 Init:ImagePullBackOff 0 4s ---- -The default Amazon EKS Connector manifest file references images from the https://gallery.ecr.aws/[Amazon ECR Public Gallery]. It's possible that the target [.noloc]`Kubernetes` cluster can't pull images from the Amazon ECR Public Gallery. Either resolve the Amazon ECR Public Gallery image pull issue, or consider mirroring the images in the private container registry of your choice. \ No newline at end of file +The default Amazon EKS Connector manifest file references images from the https://gallery.ecr.aws/[Amazon ECR Public Gallery]. It's possible that the target Kubernetes cluster can't pull images from the Amazon ECR Public Gallery. Either resolve the Amazon ECR Public Gallery image pull issue, or consider mirroring the images in the private container registry of your choice. \ No newline at end of file diff --git a/latest/ug/connector/tsc-faq.adoc b/latest/ug/connector/tsc-faq.adoc index 698da85f0..388f1afc1 100644 --- a/latest/ug/connector/tsc-faq.adoc +++ b/latest/ug/connector/tsc-faq.adoc @@ -7,17 +7,17 @@ include::../attributes.txt[] [abstract] -- -Learn to connect and manage [.noloc]`Kubernetes` clusters outside {aws} with Amazon EKS Connector, enabling unified cluster visibility and management across environments using a secure, outbound-only connection. +Learn to connect and manage Kubernetes clusters outside {aws} with Amazon EKS Connector, enabling unified cluster visibility and management across environments using a secure, outbound-only connection. -- .Q: How does the underlying technology behind the Amazon EKS Connector work? -A: The Amazon EKS Connector is based on the {aws} Systems Manager (Systems Manager) agent. The Amazon EKS Connector runs as a `StatefulSet` on your [.noloc]`Kubernetes` cluster. It establishes a connection and proxies the communication between the API server of your cluster and Amazon Web Services. It does this to display cluster data in the Amazon EKS console until you disconnect the cluster from {aws}. The Systems Manager agent is an open source project. For more information about this project, see the https://github.com/aws/amazon-ssm-agent[GitHub project page]. +A: The Amazon EKS Connector is based on the {aws} Systems Manager (Systems Manager) agent. The Amazon EKS Connector runs as a `StatefulSet` on your Kubernetes cluster. It establishes a connection and proxies the communication between the API server of your cluster and Amazon Web Services. It does this to display cluster data in the Amazon EKS console until you disconnect the cluster from {aws}. The Systems Manager agent is an open source project. For more information about this project, see the https://github.com/aws/amazon-ssm-agent[GitHub project page]. -.Q: I have an on-premises [.noloc]`Kubernetes` cluster that I want to connect. Do I need to open firewall ports to connect it? -A: No, you don't need to open any firewall ports. The [.noloc]`Kubernetes` cluster only requires outbound connection to {aws} Regions. {aws} services never access resources in your on-premises network. The Amazon EKS Connector runs on your cluster and initiates the connection to {aws}. When the cluster registration completes, {aws} only issues commands to the Amazon EKS Connector after you start an action from the Amazon EKS console that requires information from the [.noloc]`Kubernetes` API server on your cluster. +.Q: I have an on-premises Kubernetes cluster that I want to connect. Do I need to open firewall ports to connect it? +A: No, you don't need to open any firewall ports. The Kubernetes cluster only requires outbound connection to {aws} Regions. {aws} services never access resources in your on-premises network. The Amazon EKS Connector runs on your cluster and initiates the connection to {aws}. When the cluster registration completes, {aws} only issues commands to the Amazon EKS Connector after you start an action from the Amazon EKS console that requires information from the Kubernetes API server on your cluster. .Q: What data is sent from my cluster to {aws} by the Amazon EKS Connector? -A: The Amazon EKS Connector sends technical information that's necessary for your cluster to be registered on {aws}. It also sends cluster and workload metadata for the Amazon EKS console features that customers request. The Amazon EKS Connector only gathers or sends this data if you start an action from the Amazon EKS console or the Amazon EKS API that necessitates the data to be sent to {aws}. Other than the [.noloc]`Kubernetes` version number, {aws} doesn't store any data by default. It stores data only if you authorize it to. +A: The Amazon EKS Connector sends technical information that's necessary for your cluster to be registered on {aws}. It also sends cluster and workload metadata for the Amazon EKS console features that customers request. The Amazon EKS Connector only gathers or sends this data if you start an action from the Amazon EKS console or the Amazon EKS API that necessitates the data to be sent to {aws}. Other than the Kubernetes version number, {aws} doesn't store any data by default. It stores data only if you authorize it to. .Q: Can I connect a cluster outside of an {aws} Region? A: Yes, you can connect a cluster from any location to Amazon EKS. Moreover, your Amazon EKS service can be located in any {aws} public commercial {aws} Region. This works with a valid network connection from your cluster to the target {aws} Region. We recommend that you pick an {aws} Region that is closest to your cluster location for UI performance optimization. For example, if you have a cluster running in Tokyo, connect your cluster to the {aws} Region in Tokyo (that is, the `ap-northeast-1` {aws} Region) for low latency. You can connect a cluster from any location to Amazon EKS in any of the public commercial {aws} Regions, except the China or GovCloud {aws} Regions. \ No newline at end of file diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index d69ffd78a..a97cde451 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -33,11 +33,11 @@ link:eks/latest/userguide/managed-node-update-behavior.html#managed-node-update- You can now use update strategies to configure the version update process for managed node groups. This introduces the _minimal_ update strategy to terminate nodes before making new ones, which is useful in capacity constrained environments. The _default_ update strategy continues the existing behavior. [.update,date="2025-01-23"] -=== [.noloc]`Kubernetes` version `1.32` +=== Kubernetes version `1.32` [.update-ulink] link:eks/latest/userguide/kubernetes-versions.html#kubernetes-1-32[type="documentation"] -Added [.noloc]`Kubernetes` version `1.32` support for new clusters and version upgrades. +Added Kubernetes version `1.32` support for new clusters and version upgrades. [.update,date="2025-01-14"] === Amazon EKS {aws} Region expansion @@ -63,7 +63,7 @@ Added permissions to `AmazonEKSLoadBalancingPolicy`. [.update-ulink] link:eks/latest/userguide/cluster-insights.html[type="documentation"] -Amazon EKS upgrade insights will now warn about more cluster health and version compatibility issues. It can detect issues between different [.noloc]`Kubernetes` and Amazon EKS components such as `kubelet`, `kube-proxy`, and Amazon EKS add-ons. +Amazon EKS upgrade insights will now warn about more cluster health and version compatibility issues. It can detect issues between different Kubernetes and Amazon EKS components such as `kubelet`, `kube-proxy`, and Amazon EKS add-ons. [.update,date="2024-12-16"] @@ -115,19 +115,19 @@ EKS updated {aws} managed policy `AmazonEKSLocalOutpostClusterPolicy`. Added `ec [.update,date="2024-11-21"] -=== [.noloc]`Kubernetes` version 1.30 is now available for local clusters on {aws} Outposts +=== Kubernetes version 1.30 is now available for local clusters on {aws} Outposts [.update-ulink] link:eks/latest/userguide/eks-outposts-platform-versions.html[type="documentation"] -You can now create an Amazon EKS local cluster on an {aws} Outposts using [.noloc]`Kubernetes` version 1.30. +You can now create an Amazon EKS local cluster on an {aws} Outposts using Kubernetes version 1.30. [.update,date="2024-11-20"] -=== [.noloc]`Bottlerocket` AMIs that use FIPS 140-3 +=== Bottlerocket AMIs that use FIPS 140-3 [.update-ulink] link:eks/latest/userguide/retrieve-ami-id-bottlerocket.html[type="documentation"] -[.noloc]`Bottlerocket` AMIs are available that are preconfigured to use FIPS 140-3 validated cryptographic modules. This includes the Amazon Linux 2023 Kernel Crypto API Cryptographic Module and the {aws}-LC Cryptographic Module. +Bottlerocket AMIs are available that are preconfigured to use FIPS 140-3 validated cryptographic modules. This includes the Amazon Linux 2023 Kernel Crypto API Cryptographic Module and the {aws}-LC Cryptographic Module. [.update,date="2024-11-20"] @@ -283,11 +283,11 @@ link:eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-upd EKS added a new {aws} managed policy. [.update,date="2024-09-24"] -=== [.noloc]`Kubernetes` version `1.31` +=== Kubernetes version `1.31` [.update-ulink] link:eks/latest/userguide/kubernetes-versions.html#kubernetes-1-31[type="documentation"] -Added [.noloc]`Kubernetes` version `1.31` support for new clusters and version upgrades. +Added Kubernetes version `1.31` support for new clusters and version upgrades. [.update,date="2024-08-21"] @@ -299,11 +299,11 @@ Amazon EKS updated an existing {aws} managed policy. [.update,date="2024-08-20"] -=== [.noloc]`Kubernetes` version 1.29 is now available for local clusters on {aws} Outposts +=== Kubernetes version 1.29 is now available for local clusters on {aws} Outposts [.update-ulink] link:eks/latest/userguide/eks-outposts-platform-versions.html[type="documentation"] -You can now create an Amazon EKS local cluster on an {aws} Outposts using [.noloc]`Kubernetes` version 1.29. +You can now create an Amazon EKS local cluster on an {aws} Outposts using Kubernetes version 1.29. [.update,date="2024-08-14"] @@ -311,7 +311,7 @@ You can now create an Amazon EKS local cluster on an {aws} Outposts using [.nolo [.update-ulink] link:eks/latest/userguide/pod-identites.html[type="documentation"] -Amazon EKS Pod Identities associate an IAM role with a [.noloc]`Kubernetes` service account. With this feature, you no longer need to provide extended permissions to the node IAM role. This way, [.noloc]`Pods` on that node can call {aws} APIs. Unlike IAM roles for service accounts, EKS Pod Identities are completely inside EKS; you don't need an [.noloc]`OIDC` identity provider. +Amazon EKS Pod Identities associate an IAM role with a Kubernetes service account. With this feature, you no longer need to provide extended permissions to the node IAM role. This way, Pods on that node can call {aws} APIs. Unlike IAM roles for service accounts, EKS Pod Identities are completely inside EKS; you don't need an OIDC identity provider. [.update,date="2024-08-09"] @@ -364,31 +364,31 @@ Amazon EKS updated an existing {aws} managed policy. [.update-ulink] link:eks/latest/userguide/eks-optimized-amis.html[type="documentation"] -We made improvements to the AMI information references, in particular for [.noloc]`Bottlerocket`. +We made improvements to the AMI information references, in particular for Bottlerocket. [.update,date="2024-06-12"] -=== [.noloc]`Kubernetes` version `1.26` +=== Kubernetes version `1.26` [.update-ulink] link:eks/latest/userguide/kubernetes-versions.html#kubernetes-1-26[type="documentation"] -[.noloc]`Kubernetes` version `1.26` is now in extended support. +Kubernetes version `1.26` is now in extended support. [.update,date="2024-05-23"] -=== [.noloc]`Kubernetes` version `1.30` +=== Kubernetes version `1.30` [.update-ulink] link:eks/latest/userguide/kubernetes-versions.html#kubernetes-1-30[type="documentation"] -Added [.noloc]`Kubernetes` version `1.30` support for new clusters and version upgrades. +Added Kubernetes version `1.30` support for new clusters and version upgrades. [.update,date="2024-05-14"] -=== [.noloc]`CoreDNS` Autoscaling +=== CoreDNS Autoscaling [.update-ulink] link:eks/latest/userguide/coredns-autoscaling.html[type="documentation"] -[.noloc]`CoreDNS` autoscaler will dynamically adapt the number of replicas of the [.noloc]`CoreDNS` deployment in an EKS cluster based on the number of nodes and CPU cores. This feature works for [.noloc]`CoreDNS` `v1.9` and the latest platform version of EKS release version `1.25` and later. +CoreDNS autoscaler will dynamically adapt the number of replicas of the CoreDNS deployment in an EKS cluster based on the number of nodes and CPU cores. This feature works for CoreDNS `v1.9` and the latest platform version of EKS release version `1.25` and later. [.update,date="2024-05-14"] @@ -400,15 +400,15 @@ This is a new platform version with security fixes and enhancements. This includ [.update,date="2024-04-10"] -=== CloudWatch [.noloc]`Container Insights` support for [.noloc]`Windows` +=== CloudWatch Container Insights support for Windows [.update-ulink] link:eks/latest/userguide/cloudwatch.html[type="documentation"] -The Amazon CloudWatch Observability Operator add-on now also allows [.noloc]`Container Insights` on [.noloc]`Windows` worker nodes in the cluster. +The Amazon CloudWatch Observability Operator add-on now also allows Container Insights on Windows worker nodes in the cluster. [.update,date="2024-04-05"] -=== [.noloc]`Kubernetes` concepts +=== Kubernetes concepts [.update-ulink] link:eks/latest/userguide/kubernetes-concepts.html[type="documentation"] @@ -424,11 +424,11 @@ Move existing pages related to access and IAM topics, such as auth config map, a [.update,date="2024-03-13"] -=== [.noloc]`Bottlerocket` OS support for Amazon S3 CSI driver +=== Bottlerocket OS support for Amazon S3 CSI driver [.update-ulink] link:eks/latest/userguide/s3-csi.html[type="documentation"] -The Mountpoint for Amazon S3 CSI driver is now compatible with [.noloc]`Bottlerocket`. +The Mountpoint for Amazon S3 CSI driver is now compatible with Bottlerocket. [.update,date="2024-03-04"] @@ -448,27 +448,27 @@ Amazon Linux 2023 (AL2023) is a new Linux-based operating system designed to pro [.update,date="2024-02-26"] -=== EKS Pod Identity and IRSA support sidecars in [.noloc]`Kubernetes` `1.29` +=== EKS Pod Identity and IRSA support sidecars in Kubernetes `1.29` [.update-ulink] link:eks/latest/userguide/kubernetes-versions.html#kubernetes-1-29[type="documentation"] -In [.noloc]`Kubernetes` `1.29`, sidecar containers are available in Amazon EKS clusters. Sidecar containers are supported with IAM roles for service accounts or EKS Pod Identity. For more information about sidecars, see https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/[Sidecar Containers] in the [.noloc]`Kubernetes` documentation. +In Kubernetes `1.29`, sidecar containers are available in Amazon EKS clusters. Sidecar containers are supported with IAM roles for service accounts or EKS Pod Identity. For more information about sidecars, see https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/[Sidecar Containers] in the Kubernetes documentation. [.update,date="2024-01-23"] -=== [.noloc]`Kubernetes` version `1.29` +=== Kubernetes version `1.29` [.update-ulink] link:eks/latest/userguide/kubernetes-versions.html#kubernetes-1-29[type="documentation"] -Added [.noloc]`Kubernetes` version `1.29` support for new clusters and version upgrades. +Added Kubernetes version `1.29` support for new clusters and version upgrades. [.update,date="2024-01-16"] -=== Full release: Amazon EKS Extended Support for [.noloc]`Kubernetes` versions +=== Full release: Amazon EKS Extended Support for Kubernetes versions [.update-ulink] link:eks/latest/userguide/kubernetes-versions.html[type="documentation"] -Extended [.noloc]`Kubernetes` version support allows you to stay at a specific [.noloc]`Kubernetes` version for longer than 14 months. +Extended Kubernetes version support allows you to stay at a specific Kubernetes version for longer than 14 months. [.update,date="2023-12-28"] @@ -509,11 +509,11 @@ This is a new platform version with security fixes and enhancements. This includ [.update,date="2023-11-27"] -=== [.noloc]`Mountpoint` for Amazon S3 CSI driver +=== Mountpoint for Amazon S3 CSI driver [.update-ulink] link:eks/latest/userguide/s3-csi.html[type="documentation"] -You can now install the [.noloc]`Mountpoint` for Amazon S3 CSI driver on Amazon EKS clusters. +You can now install the Mountpoint for Amazon S3 CSI driver on Amazon EKS clusters. [.update,date="2023-11-26"] @@ -521,7 +521,7 @@ You can now install the [.noloc]`Mountpoint` for Amazon S3 CSI driver on Amazon [.update-ulink] link:eks/latest/userguide/pod-identites.html[type="documentation"] -Amazon EKS Pod Identities associate an IAM role with a [.noloc]`Kubernetes` service account. With this feature, you no longer need to provide extended permissions to the node IAM role. This way, [.noloc]`Pods` on that node can call {aws} APIs. Unlike IAM roles for service accounts, EKS Pod Identities are completely inside EKS; you don't need an [.noloc]`OIDC` identity provider. +Amazon EKS Pod Identities associate an IAM role with a Kubernetes service account. With this feature, you no longer need to provide extended permissions to the node IAM role. This way, Pods on that node can call {aws} APIs. Unlike IAM roles for service accounts, EKS Pod Identities are completely inside EKS; you don't need an OIDC identity provider. [.update,date="2023-11-26"] @@ -533,11 +533,11 @@ Amazon EKS updated an existing {aws} managed policy. [.update,date="2023-11-26"] -=== Turn on [.noloc]`Prometheus` metrics when creating a cluster +=== Turn on Prometheus metrics when creating a cluster [.update-ulink] link:eks/latest/userguide/prometheus.html[type="documentation"] -In the {aws-management-console}, you can now turn on [.noloc]`Prometheus` metrics when creating a cluster. You can also view [.noloc]`Prometheus` scraper details in the *Observability* tab. +In the {aws-management-console}, you can now turn on Prometheus metrics when creating a cluster. You can also view Prometheus scraper details in the *Observability* tab. [.update,date="2023-11-17"] @@ -553,15 +553,15 @@ You can now install the CSI snapshot controller for use with compatible CSI driv [.update-ulink] link:eks/latest/userguide/opentelemetry.html[type="documentation"] -The Amazon EKS add-on support for ADOT Operator section was redundant with the {aws} Distro for [.noloc]`OpenTelemetry` documentation. We migrated remaining essential information to that resource to reduce outdated and inconsistent information. +The Amazon EKS add-on support for ADOT Operator section was redundant with the {aws} Distro for OpenTelemetry documentation. We migrated remaining essential information to that resource to reduce outdated and inconsistent information. [.update,date="2023-11-10"] -=== [.noloc]`CoreDNS` EKS add-on support for Prometheus metrics +=== CoreDNS EKS add-on support for Prometheus metrics [.update-ulink] link:eks/latest/userguide/managing-coredns.html[type="documentation"] -The `v1.10.1-eksbuild.5`, `v1.9.3-eksbuild.9`, and `v1.8.7-eksbuild.8` versions of the EKS add-on for [.noloc]`CoreDNS` expose the port that [.noloc]`CoreDNS` published metrics to, in the `kube-dns` service. This makes it easier to include the [.noloc]`CoreDNS` metrics in your monitoring systems. +The `v1.10.1-eksbuild.5`, `v1.9.3-eksbuild.9`, and `v1.8.7-eksbuild.8` versions of the EKS add-on for CoreDNS expose the port that CoreDNS published metrics to, in the `kube-dns` service. This makes it easier to include the CoreDNS metrics in your monitoring systems. [.update,date="2023-11-06"] @@ -602,11 +602,11 @@ Fix install link for eksctl after the page was moved. [.update,date="2023-10-04"] -=== Preview release: Amazon EKS Extended Support for [.noloc]`Kubernetes` versions +=== Preview release: Amazon EKS Extended Support for Kubernetes versions [.update-ulink] link:eks/latest/userguide/kubernetes-versions.html[type="documentation"] -Extended [.noloc]`Kubernetes` version support allows you to stay at a specific [.noloc]`Kubernetes` version for longer than 14 months. +Extended Kubernetes version support allows you to stay at a specific Kubernetes version for longer than 14 months. [.update,date="2023-09-29"] @@ -615,28 +615,28 @@ Amazon EKS integrations with {aws} App Mesh remain for existing customers of App [.update,date="2023-09-26"] -=== [.noloc]`Kubernetes` version `1.28` +=== Kubernetes version `1.28` [.update-ulink] link:eks/latest/userguide/kubernetes-versions.html#kubernetes-1-28[type="documentation"] -Added [.noloc]`Kubernetes` version `1.28` support for new clusters and version upgrades. +Added Kubernetes version `1.28` support for new clusters and version upgrades. [.update,date="2023-09-15"] -=== [.noloc]`CoreDNS` Amazon EKS add-on supports modifying PDB +=== CoreDNS Amazon EKS add-on supports modifying PDB [.update-ulink] link:eks/latest/userguide/managing-coredns.html[type="documentation"] -You can modify the `PodDisruptionBudget` of the EKS add-on for [.noloc]`CoreDNS` in versions `v1.9.3-eksbuild.7` and later and `v1.10.1-eksbuild.4` and later. +You can modify the `PodDisruptionBudget` of the EKS add-on for CoreDNS in versions `v1.9.3-eksbuild.7` and later and `v1.10.1-eksbuild.4` and later. [.update,date="2023-09-15"] -=== Existing clusters support [.noloc]`Kubernetes` network policy enforcement in the [.noloc]`Amazon VPC CNI plugin for Kubernetes` +=== Existing clusters support Kubernetes network policy enforcement in the Amazon VPC CNI plugin for Kubernetes [.update-ulink] link:eks/latest/userguide/cni-network-policy.html[type="documentation"] -You can use [.noloc]`Kubernetes` _network policy_ in existing clusters with the [.noloc]`Amazon VPC CNI plugin for Kubernetes`, instead of requiring a third party solution. -You can use [.noloc]`Kubernetes` _network policy_ in existing clusters with the [.noloc]`Amazon VPC CNI plugin for Kubernetes`, instead of requiring a third party solution. +You can use Kubernetes _network policy_ in existing clusters with the Amazon VPC CNI plugin for Kubernetes, instead of requiring a third party solution. +You can use Kubernetes _network policy_ in existing clusters with the Amazon VPC CNI plugin for Kubernetes, instead of requiring a third party solution. [.update,date="2023-09-07"] @@ -656,12 +656,12 @@ Added new link:eks/latest/userguide/common-use-cases.html[Common use cases,type= [.update,date="2023-08-29"] -=== [.noloc]`Kubernetes` network policy enforcement in the [.noloc]`Amazon VPC CNI plugin for Kubernetes` +=== Kubernetes network policy enforcement in the Amazon VPC CNI plugin for Kubernetes [.update-ulink] link:eks/latest/userguide/cni-network-policy.html[type="documentation"] -You can use [.noloc]`Kubernetes` _network policy_ with the [.noloc]`Amazon VPC CNI plugin for Kubernetes`, instead of requiring a third party solution. -You can use [.noloc]`Kubernetes` _network policy_ with the [.noloc]`Amazon VPC CNI plugin for Kubernetes`, instead of requiring a third party solution. +You can use Kubernetes _network policy_ with the Amazon VPC CNI plugin for Kubernetes, instead of requiring a third party solution. +You can use Kubernetes _network policy_ with the Amazon VPC CNI plugin for Kubernetes, instead of requiring a third party solution. [.update,date="2023-08-01"] @@ -674,7 +674,7 @@ Amazon EKS is now available in the Israel (Tel Aviv) (`il-central-1`) {aws} Regi [.update-ulink] link:eks/latest/userguide/fargate-pod-configuration.html#fargate-storage[type="documentation"] -You can increase the total amount of ephemeral storage for each [.noloc]`Pod` running on Amazon EKS Fargate. +You can increase the total amount of ephemeral storage for each Pod running on Amazon EKS Fargate. [.update,date="2023-07-26"] @@ -694,19 +694,19 @@ Amazon EKS added a new {aws} managed policy. [.update,date="2023-07-20"] -=== [.noloc]`Kubernetes` version updates for 1.27, 1.26, 1.25, and 1.24 are now available for local clusters on {aws} Outposts +=== Kubernetes version updates for 1.27, 1.26, 1.25, and 1.24 are now available for local clusters on {aws} Outposts [.update-ulink] link:eks/latest/userguide/eks-outposts-platform-versions.html[type="documentation"] -[.noloc]`Kubernetes` version updates to 1.27.3, 1.26.6, 1.25.11, and 1.24.15 are now available for local clusters on {aws} Outposts +Kubernetes version updates to 1.27.3, 1.26.6, 1.25.11, and 1.24.15 are now available for local clusters on {aws} Outposts [.update,date="2023-07-06"] -=== IP prefixes support for [.noloc]`Windows` nodes +=== IP prefixes support for Windows nodes [.update-ulink] link:eks/latest/userguide/cni-increase-ip-addresses.html[type="documentation"] -Assigning IP prefixes to your nodes can enable you to host a significantly higher number of [.noloc]`Pods` on your nodes than you can when assigning individual secondary IP addresses to your nodes. +Assigning IP prefixes to your nodes can enable you to host a significantly higher number of Pods on your nodes than you can when assigning individual secondary IP addresses to your nodes. [.update,date="2023-06-30"] @@ -718,7 +718,7 @@ You can now install the Amazon FSx for OpenZFS CSI driver on Amazon EKS clusters [.update,date="2023-06-19"] -=== [.noloc]`Pods` on Linux nodes in `IPv4` clusters can now communicate with `IPv6` endpoints. +=== Pods on Linux nodes in `IPv4` clusters can now communicate with `IPv6` endpoints. [.update-ulink] link:eks/latest/userguide/cni-ipv6-egress.html[type="documentation"] @@ -726,35 +726,35 @@ After assigning an IPv6 address to your node, your Pods' `IPv4` address is netwo [.update,date="2023-05-30"] -=== [.noloc]`Windows` managed node groups in {aws} GovCloud (US) Regions +=== Windows managed node groups in {aws} GovCloud (US) Regions [.update-ulink] link:eks/latest/userguide/create-managed-node-group.html[type="documentation"] -In the {aws} GovCloud (US) Regions, Amazon EKS managed node groups can now run [.noloc]`Windows` containers. +In the {aws} GovCloud (US) Regions, Amazon EKS managed node groups can now run Windows containers. [.update,date="2023-05-24"] -=== [.noloc]`Kubernetes` version `1.27` +=== Kubernetes version `1.27` [.update-ulink] link:eks/latest/userguide/kubernetes-versions.html#kubernetes-1-27[type="documentation"] -Added [.noloc]`Kubernetes` version `1.27` support for new clusters and version upgrades. +Added Kubernetes version `1.27` support for new clusters and version upgrades. [.update,date="2023-04-11"] -=== [.noloc]`Kubernetes` version `1.26` +=== Kubernetes version `1.26` [.update-ulink] link:eks/latest/userguide/kubernetes-versions.html#kubernetes-1-26[type="documentation"] -Added [.noloc]`Kubernetes` version `1.26` support for new clusters and version upgrades. +Added Kubernetes version `1.26` support for new clusters and version upgrades. [.update,date="2023-03-27"] -=== Domainless [.noloc]`gMSA` +=== Domainless gMSA [.update-ulink] link:eks/latest/userguide/eks-optimized-windows-ami.html#ad-and-gmsa-support[type="documentation"] -You can now use domainless [.noloc]`gMSA` with [.noloc]`Windows` [.noloc]`Pods`. +You can now use domainless gMSA with Windows Pods. [.update,date="2023-03-10"] @@ -771,19 +771,19 @@ You can now install the Amazon File Cache CSI driver on Amazon EKS clusters. [.update,date="2023-03-01"] -=== [.noloc]`Kubernetes` version 1.25 is now available for local clusters on {aws} Outposts +=== Kubernetes version 1.25 is now available for local clusters on {aws} Outposts [.update-ulink] link:eks/latest/userguide/eks-outposts-local-cluster-create.html[type="documentation"] -You can now create an Amazon EKS local cluster on an Outpost using [.noloc]`Kubernetes` versions `1.22` – `1.25`. +You can now create an Amazon EKS local cluster on an Outpost using Kubernetes versions `1.22` – `1.25`. [.update,date="2023-02-22"] -=== [.noloc]`Kubernetes` version `1.25` +=== Kubernetes version `1.25` [.update-ulink] link:eks/latest/userguide/kubernetes-versions.html#kubernetes-1-25[type="documentation"] -Added [.noloc]`Kubernetes` version `1.25` support for new clusters and version upgrades. +Added Kubernetes version `1.25` support for new clusters and version upgrades. [.update,date="2023-02-07"] @@ -800,11 +800,11 @@ Amazon EKS is now available in the Asia Pacific (Hyderabad) (`ap-south-2`), Euro [.update,date="2023-01-17"] -=== [.noloc]`Kubernetes` versions `1.21` – `1.24` are now available for local clusters on {aws} Outposts. +=== Kubernetes versions `1.21` – `1.24` are now available for local clusters on {aws} Outposts. [.update-ulink] link:eks/latest/userguide/eks-outposts-local-cluster-create.html[type="documentation"] -You can now create an Amazon EKS local cluster on an Outpost using [.noloc]`Kubernetes` versions `1.21` – `1.24`. Previously, only version `1.21` was available. +You can now create an Amazon EKS local cluster on an Outpost using Kubernetes versions `1.21` – `1.24`. Previously, only version `1.21` was available. [.update,date="2022-12-16"] @@ -840,11 +840,11 @@ Amazon EKS updated an existing {aws} managed policy. [.update,date="2022-11-15"] -=== [.noloc]`Kubernetes` version `1.24` +=== Kubernetes version `1.24` [.update-ulink] link:eks/latest/userguide/kubernetes-versions.html#kubernetes-1-24[type="documentation"] -Added [.noloc]`Kubernetes` version `1.24` support for new clusters and version upgrades. +Added Kubernetes version `1.24` support for new clusters and version upgrades. [.update,date="2022-11-03"] @@ -881,7 +881,7 @@ You can now create an Amazon EKS local cluster on an Outpost. [.update-ulink] link:eks/latest/userguide/service-quotas.html#service-quotas-eks-fargate[type="documentation"] -Fargate is transitioning from [.noloc]`Pod` based quotas to vCPU based quotas. +Fargate is transitioning from Pod based quotas to vCPU based quotas. [.update,date="2022-08-31"] @@ -905,7 +905,7 @@ Amazon EKS added a new {aws} managed policy. [.update-ulink] link:eks/latest/userguide/cost-monitoring[type="documentation"] -Amazon EKS now supports [.noloc]`Kubecost`, which enables you to monitor costs broken down by [.noloc]`Kubernetes` resources including [.noloc]`Pods`, nodes, namespaces, and labels. +Amazon EKS now supports Kubecost, which enables you to monitor costs broken down by Kubernetes resources including Pods, nodes, namespaces, and labels. [.update,date="2022-08-23"] @@ -933,19 +933,19 @@ Added support for Fargate profile wildcards in the selector criteria for namespa [.update,date="2022-08-11"] -=== [.noloc]`Kubernetes` version `1.23` +=== Kubernetes version `1.23` [.update-ulink] link:eks/latest/userguide/kubernetes-versions.html#kubernetes-1-23[type="documentation"] -Added [.noloc]`Kubernetes` version `1.23` support for new clusters and version upgrades. +Added Kubernetes version `1.23` support for new clusters and version upgrades. [.update,date="2022-05-03"] -=== View [.noloc]`Kubernetes` resources in the {aws-management-console} +=== View Kubernetes resources in the {aws-management-console} [.update-ulink] link:eks/latest/userguide/view-kubernetes-resources.html[type="documentation"] -You can now view information about the [.noloc]`Kubernetes` resources deployed to your cluster using the {aws-management-console}. +You can now view information about the Kubernetes resources deployed to your cluster using the {aws-management-console}. [.update,date="2022-05-02"] @@ -958,7 +958,7 @@ Amazon EKS is now available in the Asia Pacific (Jakarta) (`ap-southeast-3`) {aw [.update-ulink] link:eks/latest/userguide/eks-observe.html[type="documentation"] -Added Observability page and {aws} Distro for [.noloc]`OpenTelemetry` (ADOT). +Added Observability page and {aws} Distro for OpenTelemetry (ADOT). [.update,date="2022-04-04"] @@ -970,16 +970,16 @@ Amazon EKS added a new {aws} managed policy. [.update,date="2022-04-04"] -=== [.noloc]`Kubernetes` version `1.22` -Added [.noloc]`Kubernetes` version `1.22` support for new clusters and version upgrades. +=== Kubernetes version `1.22` +Added Kubernetes version `1.22` support for new clusters and version upgrades. [.update,date="2022-04-01"] -=== Added Fargate [.noloc]`Pod` patching details +=== Added Fargate Pod patching details [.update-ulink] link:eks/latest/userguide/fargate-pod-patching.html[type="documentation"] -When upgrading Fargate [.noloc]`Pods`, Amazon EKS first tries to evict [.noloc]`Pods` based on your [.noloc]`Pod` disruption budgets. You can create event rules to react to failed evictions before the [.noloc]`Pods` are deleted. +When upgrading Fargate Pods, Amazon EKS first tries to evict Pods based on your Pod disruption budgets. You can create event rules to react to failed evictions before the Pods are deleted. [.update,date="2022-03-31"] @@ -1011,7 +1011,7 @@ Amazon EKS updated an existing {aws} managed policy. [.update-ulink] link:eks/latest/userguide/eks-optimized-windows-ami.html.html[type="documentation"] -You can now select the `containerd` runtime for [.noloc]`Windows` nodes. +You can now select the `containerd` runtime for Windows nodes. [.update,date="2022-02-25"] @@ -1023,11 +1023,11 @@ Describes the shared responsibility model as it relates to connected clusters. [.update,date="2022-01-06"] -=== Assign `IPv6` addresses to your [.noloc]`Pods` and services +=== Assign `IPv6` addresses to your Pods and services [.update-ulink] link:eks/latest/userguide/cni-ipv6.html[type="documentation"] -You can now create a `1.21` or later cluster that assigns `IPv6` addresses to your [.noloc]`Pods` and services. +You can now create a `1.21` or later cluster that assigns `IPv6` addresses to your Pods and services. [.update,date="2021-12-13"] @@ -1055,27 +1055,27 @@ You can now use the Karpenter open-source project to autoscale your nodes. [.update,date="2021-11-10"] -=== Fluent Bit [.noloc]`Kubernetes` filter support in Fargate logging +=== Fluent Bit Kubernetes filter support in Fargate logging [.update-ulink] link:eks/latest/userguide/fargate-logging.html#fargate-logging-kubernetes-filter[type="documentation"] -You can now use the Fluent Bit [.noloc]`Kubernetes` filter with Fargate logging. +You can now use the Fluent Bit Kubernetes filter with Fargate logging. [.update,date="2021-11-09"] -=== [.noloc]`Windows` support available in the control plane +=== Windows support available in the control plane [.update-ulink] link:eks/latest/userguide/windows-support.html[type="documentation"] -[.noloc]`Windows` support is now available in your control plane. You no longer need to enable it in your data plane. +Windows support is now available in your control plane. You no longer need to enable it in your data plane. [.update,date="2021-10-28"] -=== [.noloc]`Bottlerocket` added as an AMI type for managed node groups +=== Bottlerocket added as an AMI type for managed node groups [.update-ulink] link:eks/latest/userguide/eks-optimized-ami-bottlerocket.html[type="documentation"] -Previously, [.noloc]`Bottlerocket` was only available as a self-managed node option. Now it can be configured as a managed node group, reducing the effort that's required to meet node compliance requirements. +Previously, Bottlerocket was only available as a self-managed node option. Now it can be configured as a managed node group, reducing the effort that's required to meet node compliance requirements. [.update,date="2021-10-25"] @@ -1099,7 +1099,7 @@ Custom Amazon Linux AMIs now support VT1 for some distributions. This enablement [.update-ulink] link:eks/latest/userguide/eks-deployment-options.html[type="documentation"] -Amazon EKS Anywhere is a new deployment option for Amazon EKS that you can use to create and operate [.noloc]`Kubernetes` clusters on-premises. +Amazon EKS Anywhere is a new deployment option for Amazon EKS that you can use to create and operate Kubernetes clusters on-premises. [.update,date="2021-09-08"] @@ -1107,7 +1107,7 @@ Amazon EKS Anywhere is a new deployment option for Amazon EKS that you can use t [.update-ulink] link:eks/latest/userguide/eks-connector.html[type="documentation"] -You can use Amazon EKS Connector to register and connect any conformant [.noloc]`Kubernetes` cluster to {aws} and visualize it in the Amazon EKS console. +You can use Amazon EKS Connector to register and connect any conformant Kubernetes cluster to {aws} and visualize it in the Amazon EKS console. [.update,date="2021-09-02"] @@ -1119,11 +1119,11 @@ Added topic that summarizes the Amazon FSx for NetApp ONTAP CSI driver and gives [.update,date="2021-08-30"] -=== Managed node groups now auto-calculates the Amazon EKS recommended maximum [.noloc]`Pods` for nodes +=== Managed node groups now auto-calculates the Amazon EKS recommended maximum Pods for nodes [.update-ulink] link:eks/latest/userguide/cni-increase-ip-addresses.html[type="documentation"] -Managed node groups now auto-calculate the Amazon EKS maximum [.noloc]`Pods` for nodes that you deploy without a launch template, or with a launch template that you haven't specified an AMI ID in. +Managed node groups now auto-calculate the Amazon EKS maximum Pods for nodes that you deploy without a launch template, or with a launch template that you haven't specified an AMI ID in. [.update,date="2021-08-20"] @@ -1135,25 +1135,25 @@ You can now remove an Amazon EKS add-on without removing the add-on software fro [.update,date="2021-08-02"] -=== Create multi-homed [.noloc]`Pods` using Multus +=== Create multi-homed Pods using Multus [.update-ulink] link:eks/latest/userguide/pod-multiple-network-interfaces.html[type="documentation"] -You can now add multiple network interfaces to a [.noloc]`Pod` using Multus. +You can now add multiple network interfaces to a Pod using Multus. [.update,date="2021-07-27"] -=== Add more IP addresses to your [.noloc]`Linux` Amazon EC2 nodes +=== Add more IP addresses to your Linux Amazon EC2 nodes [.update-ulink] link:eks/latest/userguide/cni-increase-ip-addresses.html[type="documentation"] -You can now add significantly more IP addresses to your [.noloc]`Linux` Amazon EC2 nodes. This means that you can run a higher density of [.noloc]`Pods` on each node. -You can now add significantly more IP addresses to your [.noloc]`Linux` Amazon EC2 nodes. This means that you can run a higher density of [.noloc]`Pods` on each node. +You can now add significantly more IP addresses to your Linux Amazon EC2 nodes. This means that you can run a higher density of Pods on each node. +You can now add significantly more IP addresses to your Linux Amazon EC2 nodes. This means that you can run a higher density of Pods on each node. [.update,date="2021-07-19"] -=== [.noloc]`Kubernetes` version `1.21` -Added [.noloc]`Kubernetes` version `1.21` support. +=== Kubernetes version `1.21` +Added Kubernetes version `1.21` support. [.update,date="2021-07-19"] @@ -1161,7 +1161,7 @@ Added [.noloc]`Kubernetes` version `1.21` support. [.update-ulink] link:eks/latest/userguide/eks-optimized-ami.html#containerd-bootstrap[type="documentation"] -The Amazon EKS optimized accelerated Amazon Linux Amazon Machine Image (AMI) now contains a bootstrap flag that you can use to enable the `containerd` runtime in Amazon EKS optimized and [.noloc]`Bottlerocket` AMIs. This flag is available in all supported [.noloc]`Kubernetes` versions of the AMI. +The Amazon EKS optimized accelerated Amazon Linux Amazon Machine Image (AMI) now contains a bootstrap flag that you can use to enable the `containerd` runtime in Amazon EKS optimized and Bottlerocket AMIs. This flag is available in all supported Kubernetes versions of the AMI. [.update,date="2021-06-17"] @@ -1173,32 +1173,32 @@ A list of all Amazon EKS IAM managed policies and changes that were made to them [.update,date="2021-06-01"] -=== Use security groups for [.noloc]`Pods` with Fargate +=== Use security groups for Pods with Fargate [.update-ulink] link:eks/latest/userguide/security-groups-for-pods.html[type="documentation"] -You can now use security groups for [.noloc]`Pods` with Fargate, in addition to using them with Amazon EC2 nodes. +You can now use security groups for Pods with Fargate, in addition to using them with Amazon EC2 nodes. [.update,date="2021-05-19"] -=== Added [.noloc]`CoreDNS` and `kube-proxy` Amazon EKS add-ons +=== Added CoreDNS and `kube-proxy` Amazon EKS add-ons [.update-ulink] link:eks/latest/userguide/eks-add-ons.html[type="documentation"] -Amazon EKS can now help you manage the [.noloc]`CoreDNS` and `kube-proxy` Amazon EKS add-ons for your cluster. +Amazon EKS can now help you manage the CoreDNS and `kube-proxy` Amazon EKS add-ons for your cluster. [.update,date="2021-05-18"] -=== [.noloc]`Kubernetes` version `1.20` -Added [.noloc]`Kubernetes` version `1.20` support for new clusters and version upgrades. +=== Kubernetes version `1.20` +Added Kubernetes version `1.20` support for new clusters and version upgrades. [.update,date="2021-05-14"] -=== [.noloc]`{aws} Load Balancer Controller` `2.2.0` released +=== {aws} Load Balancer Controller `2.2.0` released [.update-ulink] link:eks/latest/userguide/aws-load-balancer-controller.html[type="documentation"] -You can now use the [.noloc]`{aws} Load Balancer Controller` to create Elastic Load Balancers using instance or IP targets. +You can now use the {aws} Load Balancer Controller to create Elastic Load Balancers using instance or IP targets. [.update,date="2021-05-11"] @@ -1218,12 +1218,12 @@ Amazon EKS now supports adding https://kubernetes.io/docs/tasks/administer-clust [.update,date="2021-02-16"] -=== [.noloc]`Kubernetes` version `1.19` -Added [.noloc]`Kubernetes` version `1.19` support for new clusters and version upgrades. +=== Kubernetes version `1.19` +Added Kubernetes version `1.19` support for new clusters and version upgrades. [.update,date="2021-02-12"] -=== Amazon EKS now supports [.noloc]`OpenID Connect` (OIDC) identity providers as a method to authenticate users to a version `1.16` or later cluster. +=== Amazon EKS now supports OpenID Connect (OIDC) identity providers as a method to authenticate users to a version `1.16` or later cluster. [.update-ulink] link:eks/latest/userguide/authenticate-oidc-identity-provider.html[type="documentation"] @@ -1251,7 +1251,7 @@ You can now deploy multiple Spot or On-Demand Instance types to a managed node g [.update-ulink] link:eks/latest/userguide/view-kubernetes-resources.html[type="documentation"] -You can now view details about your managed, self-managed, and Fargate nodes and your deployed [.noloc]`Kubernetes` workloads in the {aws-management-console}. +You can now view details about your managed, self-managed, and Fargate nodes and your deployed Kubernetes workloads in the {aws-management-console}. [.update,date="2020-10-23"] @@ -1259,7 +1259,7 @@ You can now view details about your managed, self-managed, and Fargate nodes and [.update-ulink] link:eks/latest/userguide/networkg-load-balancing.html#network-load-balancer[type="documentation"] -You can now deploy a Network Load Balancer with IP targets. This means that you can use an NLB to load balance network traffic to Fargate [.noloc]`Pods` and directly to [.noloc]`Pods` that are running on Amazon EC2 nodes. +You can now deploy a Network Load Balancer with IP targets. This means that you can use an NLB to load balance network traffic to Fargate Pods and directly to Pods that are running on Amazon EC2 nodes. [.update,date="2020-10-23"] @@ -1267,32 +1267,32 @@ You can now deploy a Network Load Balancer with IP targets. This means that you [.update-ulink] link:eks/latest/userguide/alb-ingress.html[type="documentation"] -You can now share an {aws} Application Load Balancer (ALB) across multiple [.noloc]`Kubernetes` Ingresses. In the past, you had to deploy a separate ALB for each Ingress. +You can now share an {aws} Application Load Balancer (ALB) across multiple Kubernetes Ingresses. In the past, you had to deploy a separate ALB for each Ingress. [.update,date="2020-10-13"] -=== [.noloc]`Kubernetes` version `1.18` -Added [.noloc]`Kubernetes` version `1.18` support for new clusters and version upgrades. +=== Kubernetes version `1.18` +Added Kubernetes version `1.18` support for new clusters and version upgrades. [.update,date="2020-09-29"] -=== Specify a custom CIDR block for [.noloc]`Kubernetes` service IP address assignment. +=== Specify a custom CIDR block for Kubernetes service IP address assignment. [.update-ulink] link:eks/latest/userguide/create-cluster.html[type="documentation"] -You can now specify a custom CIDR block that [.noloc]`Kubernetes` assigns service IP addresses from. +You can now specify a custom CIDR block that Kubernetes assigns service IP addresses from. [.update,date="2020-09-09"] -=== Assign security groups to individual [.noloc]`Pods` +=== Assign security groups to individual Pods [.update-ulink] link:eks/latest/userguide/security-groups-for-pods.html[type="documentation"] -You can now associate different security groups to some of the individual [.noloc]`Pods` that are running on many Amazon EC2 instance types. +You can now associate different security groups to some of the individual Pods that are running on many Amazon EC2 instance types. [.update,date="2020-08-31"] -=== Deploy [.noloc]`Bottlerocket` on your nodes +=== Deploy Bottlerocket on your nodes [.update-ulink] link:eks/latest/userguide/launch-node-bottlerocket.html[type="documentation"] @@ -1328,7 +1328,7 @@ You can now use Amazon EFS with {aws} Fargate. [.update-ulink] link:eks/latest/userguide/platform-versions.html[type="documentation"] -This is a new platform version with security fixes and enhancements. This includes UDP support for services of type `LoadBalancer` when using Network Load Balancers with [.noloc]`Kubernetes` version `1.15` or later. For more information, see the https://github.com/kubernetes/kubernetes/pull/92109[Allow UDP for {aws} Network Load Balancer] issue on [.noloc]`GitHub`. +This is a new platform version with security fixes and enhancements. This includes UDP support for services of type `LoadBalancer` when using Network Load Balancers with Kubernetes version `1.15` or later. For more information, see the https://github.com/kubernetes/kubernetes/pull/92109[Allow UDP for {aws} Network Load Balancer] issue on GitHub. [.update,date="2020-08-06"] @@ -1345,16 +1345,16 @@ link:eks/latest/userguide/monitoring-fargate-usage.html[type="documentation"] [.update,date="2020-07-10"] -=== [.noloc]`Kubernetes` version `1.17` -Added [.noloc]`Kubernetes` version `1.17` support for new clusters and version upgrades. +=== Kubernetes version `1.17` +Added Kubernetes version `1.17` support for new clusters and version upgrades. [.update,date="2020-06-18"] -=== Create and manage App Mesh resources from within [.noloc]`Kubernetes` with the App Mesh controller for [.noloc]`Kubernetes` +=== Create and manage App Mesh resources from within Kubernetes with the App Mesh controller for Kubernetes [.update-ulink] link:eks/latest/userguide/mesh-k8s-integration.html[type="documentation"] -You can create and manage App Mesh resources from within [.noloc]`Kubernetes`. The controller also automatically injects the Envoy proxy and init containers into [.noloc]`Pods` that you deploy. +You can create and manage App Mesh resources from within Kubernetes. The controller also automatically injects the Envoy proxy and init containers into Pods that you deploy. [.update,date="2020-06-04"] @@ -1371,16 +1371,16 @@ Amazon EKS is now available in the {aws} GovCloud (US-East) (`us-gov-east-1`) an [.update,date="2020-05-12"] -=== [.noloc]`Kubernetes` `1.12` is no longer supported on Amazon EKS +=== Kubernetes `1.12` is no longer supported on Amazon EKS [.update-ulink] link:eks/latest/userguide/update-cluster.html[type="documentation"] -[.noloc]`Kubernetes` version `1.12` is no longer supported on Amazon EKS. Update any `1.12` clusters to version `1.13` or later to avoid service interruption. +Kubernetes version `1.12` is no longer supported on Amazon EKS. Update any `1.12` clusters to version `1.13` or later to avoid service interruption. [.update,date="2020-04-30"] -=== [.noloc]`Kubernetes` version `1.16` -Added [.noloc]`Kubernetes` version `1.16` support for new clusters and version upgrades. +=== Kubernetes version `1.16` +Added Kubernetes version `1.16` support for new clusters and version upgrades. [.update,date="2020-04-16"] @@ -1392,8 +1392,8 @@ Added the *AWSServiceRoleForAmazonEKS* service-linked role. [.update,date="2020-03-10"] -=== [.noloc]`Kubernetes` version `1.15` -Added [.noloc]`Kubernetes` version `1.15` support for new clusters and version upgrades. +=== Kubernetes version `1.15` +Added Kubernetes version `1.15` support for new clusters and version upgrades. [.update,date="2020-02-26"] @@ -1406,7 +1406,7 @@ Amazon EKS is now available in the Beijing (`cn-north-1`) and Ningxia (`cn-north [.update-ulink] link:eks/latest/userguide/fsx-csi.html[type="documentation"] -Added topic for installing the FSx for Lustre CSI driver on [.noloc]`Kubernetes` `1.14` Amazon EKS clusters. +Added topic for installing the FSx for Lustre CSI driver on Kubernetes `1.14` Amazon EKS clusters. [.update,date="2019-12-20"] @@ -1414,7 +1414,7 @@ Added topic for installing the FSx for Lustre CSI driver on [.noloc]`Kubernetes` [.update-ulink] link:eks/latest/userguide/cluster-endpoint.html[type="documentation"] -With this update, you can use Amazon EKS to restrict the CIDR ranges that can communicate to the public access endpoint of the [.noloc]`Kubernetes` API server. +With this update, you can use Amazon EKS to restrict the CIDR ranges that can communicate to the public access endpoint of the Kubernetes API server. [.update,date="2019-12-13"] @@ -1422,7 +1422,7 @@ With this update, you can use Amazon EKS to restrict the CIDR ranges that can co [.update-ulink] link:eks/latest/userguide/cluster-endpoint.html[type="documentation"] -With this update, you can use Amazon EKS to resolve the private access endpoint of the [.noloc]`Kubernetes` API server from outside of a VPC. +With this update, you can use Amazon EKS to resolve the private access endpoint of the Kubernetes API server from outside of a VPC. [.update,date="2019-12-04"] @@ -1446,7 +1446,7 @@ Amazon EKS now supports creating clusters on {aws} Outposts. [.update-ulink] link:eks/latest/userguide/fargate.html[type="documentation"] -Amazon EKS [.noloc]`Kubernetes` clusters now support running [.noloc]`Pods` on Fargate. +Amazon EKS Kubernetes clusters now support running Pods on Fargate. [.update,date="2019-11-21"] @@ -1459,7 +1459,7 @@ Amazon EKS is now available in the Canada (Central) (`ca-central-1`) {aws} Regio [.update-ulink] link:eks/latest/userguide/managed-node-groups.html[type="documentation"] -Amazon EKS managed node groups automate the provisioning and lifecycle management of nodes (Amazon EC2 instances) for Amazon EKS [.noloc]`Kubernetes` clusters. +Amazon EKS managed node groups automate the provisioning and lifecycle management of nodes (Amazon EC2 instances) for Amazon EKS Kubernetes clusters. [.update,date="2019-11-06"] @@ -1471,11 +1471,11 @@ New platform versions to address https://groups.google.com/forum/#!msg/kubernete [.update,date="2019-11-04"] -=== [.noloc]`Kubernetes` `1.11` is no longer supported on Amazon EKS +=== Kubernetes `1.11` is no longer supported on Amazon EKS [.update-ulink] link:eks/latest/userguide/update-cluster.html[type="documentation"] -[.noloc]`Kubernetes` version `1.11` is no longer supported on Amazon EKS. Please update any `1.11` clusters to version `1.12` or higher to avoid service interruption. +Kubernetes version `1.11` is no longer supported on Amazon EKS. Please update any `1.11` clusters to version `1.12` or higher to avoid service interruption. [.update,date="2019-10-16"] @@ -1484,11 +1484,11 @@ Amazon EKS is now available in the South America (São Paulo) (`sa-east-1`) {aws [.update,date="2019-10-07"] -=== [.noloc]`Windows` support +=== Windows support [.update-ulink] link:eks/latest/userguide/windows-support.html[type="documentation"] -Amazon EKS clusters running [.noloc]`Kubernetes` version `1.14` now support [.noloc]`Windows` workloads. +Amazon EKS clusters running Kubernetes version `1.14` now support Windows workloads. [.update,date="2019-09-30"] @@ -1496,15 +1496,15 @@ Amazon EKS clusters running [.noloc]`Kubernetes` version `1.14` now support [.no [.update-ulink] link:eks/latest/userguide/autoscaling.html[type="documentation"] -Added a chapter to cover some of the different types of [.noloc]`Kubernetes` autoscaling that are supported on Amazon EKS clusters. +Added a chapter to cover some of the different types of Kubernetes autoscaling that are supported on Amazon EKS clusters. [.update,date="2019-09-28"] -=== [.noloc]`Kubernetes` Dashboard update +=== Kubernetes Dashboard update [.update-ulink] link:eks/latest/userguide/dashboard-tutorial.html[type="documentation"] -Updated topic for installing the [.noloc]`Kubernetes` Dashboard on Amazon EKS clusters to use the beta `2.0` version. +Updated topic for installing the Kubernetes Dashboard on Amazon EKS clusters to use the beta `2.0` version. [.update,date="2019-09-19"] @@ -1512,7 +1512,7 @@ Updated topic for installing the [.noloc]`Kubernetes` Dashboard on Amazon EKS cl [.update-ulink] link:eks/latest/userguide/efs-csi.html[type="documentation"] -Added topic for installing the Amazon EFS CSI driver on [.noloc]`Kubernetes` `1.14` Amazon EKS clusters. +Added topic for installing the Amazon EFS CSI driver on Kubernetes `1.14` Amazon EKS clusters. [.update,date="2019-09-18"] @@ -1536,7 +1536,7 @@ You can manage the tagging of your Amazon EKS clusters. [.update-ulink] link:eks/latest/userguide/ebs-csi.html[type="documentation"] -Added topic for installing the Amazon EBS CSI driver on [.noloc]`Kubernetes` `1.14` Amazon EKS clusters. +Added topic for installing the Amazon EBS CSI driver on Kubernetes `1.14` Amazon EKS clusters. [.update,date="2019-09-06"] @@ -1548,11 +1548,11 @@ Amazon EKS has updated the Amazon EKS optimized AMI to address https://groups.go [.update,date="2019-09-04"] -=== Announcing deprecation of [.noloc]`Kubernetes` `1.11` in Amazon EKS +=== Announcing deprecation of Kubernetes `1.11` in Amazon EKS [.update-ulink] link:eks/latest/userguide/kubernetes-versions.html[type="documentation"] -Amazon EKS discontinued support for [.noloc]`Kubernetes` version `1.11` on November 4, 2019. +Amazon EKS discontinued support for Kubernetes version `1.11` on November 4, 2019. [.update,date="2019-09-03"] @@ -1560,12 +1560,12 @@ Amazon EKS discontinued support for [.noloc]`Kubernetes` version `1.11` on Novem [.update-ulink] link:eks/latest/userguide/iam-roles-for-service-accounts.html[type="documentation"] -With IAM roles for service accounts on Amazon EKS clusters, you can associate an IAM role with a [.noloc]`Kubernetes` service account. With this feature, you no longer need to provide extended permissions to the node IAM role. This way, [.noloc]`Pods` on that node can call {aws} APIs. +With IAM roles for service accounts on Amazon EKS clusters, you can associate an IAM role with a Kubernetes service account. With this feature, you no longer need to provide extended permissions to the node IAM role. This way, Pods on that node can call {aws} APIs. [.update,date="2019-09-03"] -=== [.noloc]`Kubernetes` version `1.14` -Added [.noloc]`Kubernetes` version `1.14` support for new clusters and version upgrades. +=== Kubernetes version `1.14` +Added Kubernetes version `1.14` support for new clusters and version upgrades. [.update,date="2019-08-29"] @@ -1595,11 +1595,11 @@ Amazon EKS is now available in the Asia Pacific (Hong Kong) (`ap-east-1`) {aws} [.update,date="2019-07-30"] -=== [.noloc]`Kubernetes` `1.10` no longer supported on Amazon EKS +=== Kubernetes `1.10` no longer supported on Amazon EKS [.update-ulink] link:eks/latest/userguide/update-cluster.html[type="documentation"] -[.noloc]`Kubernetes` version `1.10` is no longer supported on Amazon EKS. Update any `1.10` clusters to version `1.11` or higher to avoid service interruption. +Kubernetes version `1.10` is no longer supported on Amazon EKS. Update any `1.10` clusters to version `1.11` or higher to avoid service interruption. [.update,date="2019-07-11"] @@ -1607,7 +1607,7 @@ link:eks/latest/userguide/update-cluster.html[type="documentation"] [.update-ulink] link:eks/latest/userguide/alb-ingress.html[type="documentation"] -The {aws} ALB Ingress Controller for [.noloc]`Kubernetes` is a controller that causes an ALB to be created when ingress resources are created. +The {aws} ALB Ingress Controller for Kubernetes is a controller that causes an ALB to be created when ingress resources are created. [.update,date="2019-07-03"] @@ -1619,8 +1619,8 @@ Removing unnecessary `kubectl` binary from AMIs. [.update,date="2019-06-18"] -=== [.noloc]`Kubernetes` version `1.13` -Added [.noloc]`Kubernetes` version `1.13` support for new clusters and version upgrades. +=== Kubernetes version `1.13` +Added Kubernetes version `1.13` support for new clusters and version upgrades. [.update,date="2019-06-17"] @@ -1636,15 +1636,15 @@ Amazon EKS has updated the Amazon EKS optimized AMI to address the vulnerabiliti [.update-ulink] link:eks/latest/userguide/platform-versions.html[type="documentation"] -New platform version for [.noloc]`Kubernetes` `1.11` and `1.10` clusters to support custom DNS names in the `kubelet` certificate and improve `etcd` performance. +New platform version for Kubernetes `1.11` and `1.10` clusters to support custom DNS names in the `kubelet` certificate and improve `etcd` performance. [.update,date="2019-05-21"] -=== Announcing discontinuation of support of [.noloc]`Kubernetes` `1.10` in Amazon EKS +=== Announcing discontinuation of support of Kubernetes `1.10` in Amazon EKS [.update-ulink] link:eks/latest/userguide/kubernetes-versions.html[type="documentation"] -Amazon EKS stopped supporting [.noloc]`Kubernetes` version `1.10` on July 22, 2019. +Amazon EKS stopped supporting Kubernetes version `1.10` on July 22, 2019. [.update,date="2019-05-10"] @@ -1652,12 +1652,12 @@ Amazon EKS stopped supporting [.noloc]`Kubernetes` version `1.10` on July 22, 20 [.update-ulink] link:eks/latest/userguide/getting-started-eksctl.html[type="documentation"] -This getting started guide describes how you can install all of the required resources to get started with Amazon EKS using `eksctl`. This is a simple command line utility for creating and managing [.noloc]`Kubernetes` clusters on Amazon EKS. +This getting started guide describes how you can install all of the required resources to get started with Amazon EKS using `eksctl`. This is a simple command line utility for creating and managing Kubernetes clusters on Amazon EKS. [.update,date="2019-05-10"] === {aws} CLI `get-token` command -The `aws eks get-token` command was added to the {aws} CLI. You no longer need to install the {aws} IAM Authenticator for [.noloc]`Kubernetes` to create client security tokens for cluster API server communication. Upgrade your {aws} CLI installation to the latest version to use this new functionality. For more information, see link:cli/latest/userguide/installing.html[Installing the {aws} Command Line Interface,type="documentation"] in the _{aws} Command Line Interface User Guide_. +The `aws eks get-token` command was added to the {aws} CLI. You no longer need to install the {aws} IAM Authenticator for Kubernetes to create client security tokens for cluster API server communication. Upgrade your {aws} CLI installation to the latest version to use this new functionality. For more information, see link:cli/latest/userguide/installing.html[Installing the {aws} Command Line Interface,type="documentation"] in the _{aws} Command Line Interface User Guide_. [.update,date="2019-05-08"] @@ -1665,15 +1665,15 @@ The `aws eks get-token` command was added to the {aws} CLI. You no longer need t [.update-ulink] link:eks/latest/userguide/platform-versions.html[type="documentation"] -New platform version for [.noloc]`Kubernetes` `1.12` clusters to support custom DNS names in the `kubelet` certificate and improve `etcd` performance. This fixes a bug that caused node `kubelet` daemons to request a new certificate every few seconds. +New platform version for Kubernetes `1.12` clusters to support custom DNS names in the `kubelet` certificate and improve `etcd` performance. This fixes a bug that caused node `kubelet` daemons to request a new certificate every few seconds. [.update,date="2019-04-05"] -=== [.noloc]`Prometheus` tutorial +=== Prometheus tutorial [.update-ulink] link:eks/latest/userguide/prometheus.html[type="documentation"] -Added topic for deploying [.noloc]`Prometheus` to your Amazon EKS cluster. +Added topic for deploying Prometheus to your Amazon EKS cluster. [.update,date="2019-04-04"] @@ -1685,8 +1685,8 @@ With this update, you can get audit and diagnostic logs directly from the Amazon [.update,date="2019-03-28"] -=== [.noloc]`Kubernetes` version `1.12` -Added [.noloc]`Kubernetes` version `1.12` support for new clusters and version upgrades. +=== Kubernetes version `1.12` +Added Kubernetes version `1.12` support for new clusters and version upgrades. [.update,date="2019-03-27"] @@ -1694,7 +1694,7 @@ Added [.noloc]`Kubernetes` version `1.12` support for new clusters and version u [.update-ulink] link:eks/latest/userguide/mesh-gs-k8s.html[type="documentation"] -Added documentation for getting started with App Mesh and [.noloc]`Kubernetes`. +Added documentation for getting started with App Mesh and Kubernetes. [.update,date="2019-03-19"] @@ -1702,15 +1702,15 @@ Added documentation for getting started with App Mesh and [.noloc]`Kubernetes`. [.update-ulink] link:eks/latest/userguide/cluster-endpoint.html[type="documentation"] -Added documentation for disabling public access for your Amazon EKS cluster's [.noloc]`Kubernetes` API server endpoint. +Added documentation for disabling public access for your Amazon EKS cluster's Kubernetes API server endpoint. [.update,date="2019-03-18"] -=== Added topic for installing the [.noloc]`Kubernetes` Metrics Server +=== Added topic for installing the Kubernetes Metrics Server [.update-ulink] link:eks/latest/userguide/metrics-server.html[type="documentation"] -The [.noloc]`Kubernetes` Metrics Server is an aggregator of resource usage data in your cluster. +The Kubernetes Metrics Server is an aggregator of resource usage data in your cluster. [.update,date="2019-03-15"] @@ -1718,7 +1718,7 @@ The [.noloc]`Kubernetes` Metrics Server is an aggregator of resource usage data [.update-ulink] link:eks/latest/userguide/metrics-server.html[type="documentation"] -These open source projects extend the functionality of [.noloc]`Kubernetes` clusters running on {aws}, including clusters that are managed by Amazon EKS. +These open source projects extend the functionality of Kubernetes clusters running on {aws}, including clusters that are managed by Amazon EKS. [.update,date="2019-03-11"] @@ -1726,7 +1726,7 @@ These open source projects extend the functionality of [.noloc]`Kubernetes` clus [.update-ulink] link:eks/latest/userguide/helm.html[type="documentation"] -The `helm` package manager for [.noloc]`Kubernetes` helps you install and manage applications on your [.noloc]`Kubernetes` cluster. This topic shows how to install and run the `helm` and `tiller` binaries locally. That way, you can install and manage charts using the Helm CLI on your local system. +The `helm` package manager for Kubernetes helps you install and manage applications on your Kubernetes cluster. This topic shows how to install and run the `helm` and `tiller` binaries locally. That way, you can install and manage charts using the Helm CLI on your local system. [.update,date="2019-03-08"] @@ -1734,7 +1734,7 @@ The `helm` package manager for [.noloc]`Kubernetes` helps you install and manage [.update-ulink] link:eks/latest/userguide/platform-versions.html[type="documentation"] -New platform version that updates Amazon EKS [.noloc]`Kubernetes` `1.11` clusters to patch level `1.11.8` to address https://discuss.kubernetes.io/t/kubernetes-security-announcement-v1-11-8-1-12-6-1-13-4-released-to-address-medium-severity-cve-2019-1002100/5147[CVE-2019-1002100]. +New platform version that updates Amazon EKS Kubernetes `1.11` clusters to patch level `1.11.8` to address https://discuss.kubernetes.io/t/kubernetes-security-announcement-v1-11-8-1-12-6-1-13-4-released-to-address-medium-severity-cve-2019-1002100/5147[CVE-2019-1002100]. [.update,date="2019-02-13"] @@ -1794,7 +1794,7 @@ Amazon EKS is now available in the Europe (Stockholm) (`eu-north-1`) {aws} Regio [.update-ulink] link:eks/latest/userguide/platform-versions.html[type="documentation"] -New platform version updating [.noloc]`Kubernetes` to patch level `1.10.11` to address link:security/security-bulletins/{aws}-2018-020/[CVE-2018-1002105,type="marketing"]. +New platform version updating Kubernetes to patch level `1.10.11` to address link:security/security-bulletins/{aws}-2018-020/[CVE-2018-1002105,type="marketing"]. [.update,date="2018-11-20"] @@ -1810,7 +1810,7 @@ The ALB ingress controller releases version `1.0.0` with formal support from {aw [.update-ulink] link:eks/latest/userguide/cni-custom-network.html[type="documentation"] -The [.noloc]`Amazon VPC CNI plugin for Kubernetes` version `1.2.1` now supports custom network configuration for secondary [.noloc]`Pod` network interfaces. +The Amazon VPC CNI plugin for Kubernetes version `1.2.1` now supports custom network configuration for secondary Pod network interfaces. [.update,date="2018-10-10"] @@ -1855,7 +1855,7 @@ Amazon EKS is now available in the Europe (Ireland) (`eu-west-1`) Region. [.update-ulink] link:eks/latest/userguide/platform-versions.html[type="documentation"] -New platform version with support for [.noloc]`Kubernetes` https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/[aggregation layer] and the https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/[Horizontal Pod Autoscaler](HPA). +New platform version with support for Kubernetes https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/[aggregation layer] and the https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/[Horizontal Pod Autoscaler](HPA). [.update,date="2018-08-22"] @@ -1879,7 +1879,7 @@ Amazon EKS has updated the Amazon EKS optimized AMI to address the CVEs that are [.update-ulink] link:eks/latest/userguide/eks-optimized-ami.html[type="documentation"] -Amazon EKS has open-sourced the build scripts that are used to build the Amazon EKS optimized AMI. These build scripts are now available on [.noloc]`GitHub`. +Amazon EKS has open-sourced the build scripts that are used to build the Amazon EKS optimized AMI. These build scripts are now available on GitHub. [.update,date="2018-06-05"] diff --git a/latest/ug/getting-started/getting-started-console.adoc b/latest/ug/getting-started/getting-started-console.adoc index 285b01371..003c10706 100644 --- a/latest/ug/getting-started/getting-started-console.adoc +++ b/latest/ug/getting-started/getting-started-console.adoc @@ -32,7 +32,7 @@ Before starting this tutorial, you must install and configure the following tool * *{aws} CLI* – A command line tool for working with {aws} services, including Amazon EKS. For more information, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. After installing the {aws} CLI, we recommend that you also configure it. For more information, see link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the {aws} Command Line Interface User Guide. Note that {aws} CLI v2 is required to use the *update-kubeconfig* option shown in this page. * *`kubectl`* - – A command line tool for working with [.noloc]`Kubernetes` clusters. For more information, see <>. + – A command line tool for working with Kubernetes clusters. For more information, see <>. * *Required IAM permissions* – The IAM security principal that you're using must have permissions to work with Amazon EKS IAM roles, service linked roles, {aws} CloudFormation, a VPC, and related resources. For more information, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html[Actions, resources, and condition keys for Amazon Elastic Kubernetes Service,type="documentation"] and link:IAM/latest/UserGuide/using-service-linked-roles.html[Using service-linked roles,type="documentation"] in the IAM User Guide. You must complete all steps in this guide as the same user. To check the current user, run the following command: + @@ -64,7 +64,7 @@ aws cloudformation create-stack \ ---- + TIP: For a list of all the resources the previous command creates, open the {aws} CloudFormation console at https://console.aws.amazon.com/cloudformation/. Choose the [.replaceable]`my-eks-vpc-stack` stack and then choose the *Resources* tab. -. Create a cluster IAM role and attach the required Amazon EKS IAM managed policy to it. [.noloc]`Kubernetes` clusters managed by Amazon EKS make calls to other {aws} services on your behalf to manage the resources that you use with the service. +. Create a cluster IAM role and attach the required Amazon EKS IAM managed policy to it. Kubernetes clusters managed by Amazon EKS make calls to other {aws} services on your behalf to manage the resources that you use with the service. + .. Copy the following contents to a file named [.replaceable]`eks-cluster-role-trust-policy.json`. + @@ -174,7 +174,7 @@ It lets you run Amazon Linux applications on Amazon EC2 instances. To learn more about different ways to configure nodes in EKS, see <>. After your cluster is deployed, you can add other node types. Though not covered in this guide, you can also add <> and <> nodes to your cluster. -*To create your EC2 [.noloc]`Linux` managed node group* +*To create your EC2 Linux managed node group* . Create a node IAM role and attach the required Amazon EKS IAM managed policy to it. The Amazon EKS node `kubelet` daemon makes calls to {aws} APIs on your behalf. Nodes receive permissions for these API calls through an IAM instance profile and associated policies. @@ -237,7 +237,7 @@ aws iam attach-role-policy \ == Step 4: View resources -You can view your nodes and [.noloc]`Kubernetes` workloads. +You can view your nodes and Kubernetes workloads. . In the left navigation pane, choose *Clusters*. In the list of *Clusters*, choose the name of the cluster that you created, such as [.replaceable]`my-cluster`. . On the *[.replaceable]`my-cluster`* page, choose the following: @@ -245,7 +245,7 @@ You can view your nodes and [.noloc]`Kubernetes` workloads. .. *Compute* tab – You see the list of *Nodes* that were deployed for the cluster. You can choose the name of a node to see more information about it. .. *Resources* tab - – You see all of the [.noloc]`Kubernetes` resources that are deployed by default to an Amazon EKS cluster. Select any resource type in the console to learn more about it. + – You see all of the Kubernetes resources that are deployed by default to an Amazon EKS cluster. Select any resource type in the console to learn more about it. [#gs-console-clean-up] @@ -282,7 +282,7 @@ After you've finished with the cluster and nodes that you created for this tutor The following documentation topics help you to extend the functionality of your cluster. -* The link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that created the cluster is the only principal that can make calls to the [.noloc]`Kubernetes` API server with `kubectl` or the {aws-management-console}. If you want other IAM principals to have access to your cluster, then you need to add them. For more information, see <> and <>. +* The link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that created the cluster is the only principal that can make calls to the Kubernetes API server with `kubectl` or the {aws-management-console}. If you want other IAM principals to have access to your cluster, then you need to add them. For more information, see <> and <>. * Deploy a <> to your cluster. * Before deploying a cluster for production use, we recommend familiarizing yourself with all of the settings for <> and <>. Some settings (such as enabling SSH access to Amazon EC2 nodes) must be made when the cluster is created. * To increase security for your cluster, <>. \ No newline at end of file diff --git a/latest/ug/getting-started/getting-started-eksctl.adoc b/latest/ug/getting-started/getting-started-eksctl.adoc index 464d4a64e..f4d898d0a 100644 --- a/latest/ug/getting-started/getting-started-eksctl.adoc +++ b/latest/ug/getting-started/getting-started-eksctl.adoc @@ -19,7 +19,7 @@ EKS Auto Mode automates routine tasks for cluster compute, storage, and networki ==== -This guide helps you to create all of the required resources to get started with Amazon Elastic Kubernetes Service (Amazon EKS) using `eksctl`, a simple command line utility for creating and managing [.noloc]`Kubernetes` clusters on Amazon EKS. At the end of this tutorial, you will have a running Amazon EKS cluster that you can deploy applications to. +This guide helps you to create all of the required resources to get started with Amazon Elastic Kubernetes Service (Amazon EKS) using `eksctl`, a simple command line utility for creating and managing Kubernetes clusters on Amazon EKS. At the end of this tutorial, you will have a running Amazon EKS cluster that you can deploy applications to. The procedures in this guide create several resources for you automatically that you have to create manually when you create your cluster using the {aws-management-console}. If you'd rather manually create most of the resources to better understand how they interact with each other, then use the {aws-management-console} to create your cluster and compute. For more information, see <>. @@ -41,21 +41,21 @@ To get started as simply and quickly as possible, this topic includes steps to c You can create a cluster with one of the following node types. To learn more about each type, see <>. After your cluster is deployed, you can add other node types. -* *Fargate – [.noloc]``Linux``* – Select this type of node if you want to run [.noloc]``Linux`` applications on <>. Fargate is a serverless compute engine that lets you deploy [.noloc]``Kubernetes`` [.noloc]``Pods`` without managing Amazon EC2 instances. -* *Managed nodes – [.noloc]``Linux``* – Select this type of node if you want to run Amazon Linux applications on Amazon EC2 instances. Though not covered in this guide, you can also add <> and <> nodes to your cluster. +* *Fargate – Linux* – Select this type of node if you want to run Linux applications on <>. Fargate is a serverless compute engine that lets you deploy Kubernetes Pods without managing Amazon EC2 instances. +* *Managed nodes – Linux* – Select this type of node if you want to run Amazon Linux applications on Amazon EC2 instances. Though not covered in this guide, you can also add <> and <> nodes to your cluster. Create your Amazon EKS cluster with the following command. You can replace [.replaceable]`my-cluster` with your own value. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. Replace [.replaceable]`region-code` with any {aws} Region that is supported by Amazon EKS. For a list of {aws} Regions, see link:general/latest/gr/eks.html[Amazon EKS endpoints and quotas,type="documentation"] in the {aws} General Reference guide. ==== [role="tablist"] -Fargate - [.noloc]`Linux`:: +Fargate - Linux:: + [source,bash,subs="verbatim,attributes"] ---- eksctl create cluster --name my-cluster --region region-code --fargate ---- -Managed nodes - [.noloc]`Linux`:: +Managed nodes - Linux:: + [source,bash,subs="verbatim,attributes"] ---- @@ -78,7 +78,7 @@ After cluster creation is complete, view the {aws} CloudFormation stack named `e [#gs-eksctl-view-resources] -== Step 2: View [.noloc]`Kubernetes` resources +== Step 2: View Kubernetes resources . View your cluster nodes. + [source,bash,subs="verbatim,attributes"] @@ -90,7 +90,7 @@ An example output is as follows. + ==== [role="tablist"] -Fargate - [.noloc]`Linux`:: +Fargate - Linux:: + [source,none,subs="verbatim,attributes"] ---- @@ -99,7 +99,7 @@ fargate-ip-192-0-2-0.region-code.compute.internal Ready 8m3s v1 fargate-ip-192-0-2-1.region-code.compute.internal Ready 7m30s v1.2.3-eks-1234567 192-0-2-1 Amazon Linux 2 1.23.456-789.012.amzn2.x86_64 containerd://1.2.3 ---- -Managed nodes - [.noloc]`Linux`:: +Managed nodes - Linux:: + [source,none,subs="verbatim,attributes"] ---- @@ -122,7 +122,7 @@ An example output is as follows. + ==== [role="tablist"] -Fargate - [.noloc]`Linux`:: +Fargate - Linux:: + [source,none,subs="verbatim,attributes"] ---- @@ -131,7 +131,7 @@ kube-system coredns-1234567890-abcde 1/1 Running 0 18m 192. kube-system coredns-1234567890-12345 1/1 Running 0 18m 192.0.2.1 fargate-ip-192-0-2-1.region-code.compute.internal ---- -Managed nodes - [.noloc]`Linux`:: +Managed nodes - Linux:: + [source,none,subs="verbatim,attributes"] ---- @@ -168,6 +168,6 @@ The following documentation topics help you to extend the functionality of your * Deploy a <> to your cluster. -* The link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that created the cluster is the only principal that can make calls to the [.noloc]`Kubernetes` API server with `kubectl` or the {aws-management-console}. If you want other IAM principals to have access to your cluster, then you need to add them. For more information, see <> and <>. +* The link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that created the cluster is the only principal that can make calls to the Kubernetes API server with `kubectl` or the {aws-management-console}. If you want other IAM principals to have access to your cluster, then you need to add them. For more information, see <> and <>. * Before deploying a cluster for production use, we recommend familiarizing yourself with all of the settings for <> and <>. Some settings (such as enabling SSH access to Amazon EC2 nodes) must be made when the cluster is created. * To increase security for your cluster, <>. \ No newline at end of file diff --git a/latest/ug/getting-started/getting-started.adoc b/latest/ug/getting-started/getting-started.adoc index ae31a654a..6c1fcec38 100644 --- a/latest/ug/getting-started/getting-started.adoc +++ b/latest/ug/getting-started/getting-started.adoc @@ -20,11 +20,11 @@ Learn about the tools needed for creating and working with an Amazon EKS cluster Make sure that you are set up to use Amazon EKS before going through the getting started guides. For more information, see <>. -There are two getting started guides available for creating a new [.noloc]`Kubernetes` cluster with nodes in Amazon EKS: +There are two getting started guides available for creating a new Kubernetes cluster with nodes in Amazon EKS: -* <> – This getting started guide helps you to install all of the required resources to get started with Amazon EKS using `eksctl`, a simple command line utility for creating and managing [.noloc]`Kubernetes` clusters on Amazon EKS. At the end of the tutorial, you will have a running Amazon EKS cluster that you can deploy applications to. This is the fastest and simplest way to get started with Amazon EKS. +* <> – This getting started guide helps you to install all of the required resources to get started with Amazon EKS using `eksctl`, a simple command line utility for creating and managing Kubernetes clusters on Amazon EKS. At the end of the tutorial, you will have a running Amazon EKS cluster that you can deploy applications to. This is the fastest and simplest way to get started with Amazon EKS. * <> – This getting started guide helps you to create all of the required resources to get started with Amazon EKS using the {aws-management-console} and {aws} CLI. At the end of the tutorial, you will have a running Amazon EKS cluster that you can deploy applications to. In this guide, you manually create each resource required for an Amazon EKS cluster. The procedures give you visibility into how each resource is created and how they interact with each other. We also offer the following references: diff --git a/latest/ug/getting-started/install-kubectl.adoc b/latest/ug/getting-started/install-kubectl.adoc index 18a09a66f..b2613ce87 100644 --- a/latest/ug/getting-started/install-kubectl.adoc +++ b/latest/ug/getting-started/install-kubectl.adoc @@ -8,10 +8,10 @@ include::../attributes.txt[] [abstract] -- -Learn how to install or update the `kubectl` and `eksctl` command line tools to work with [.noloc]`Kubernetes` and Amazon EKS features. +Learn how to install or update the `kubectl` and `eksctl` command line tools to work with Kubernetes and Amazon EKS features. -- -`Kubectl` is a command line tool that you use to communicate with the [.noloc]`Kubernetes` API server. The `kubectl` binary is available in many operating system package managers. Using a package manager for your installation is often easier than a manual download and install process. The `eksctl` command lets you create and modify Amazon EKS clusters. +`Kubectl` is a command line tool that you use to communicate with the Kubernetes API server. The `kubectl` binary is available in many operating system package managers. Using a package manager for your installation is often easier than a manual download and install process. The `eksctl` command lets you create and modify Amazon EKS clusters. Topics on this page help you install and set up these tools: @@ -29,7 +29,7 @@ This topic helps you to download and install, or update, the `kubectl` binary on [NOTE] ==== -You must use a `kubectl` version that is within one minor version difference of your Amazon EKS cluster control plane. For example, a `{k8s-n-1}` `kubectl` client works with [.noloc]`Kubernetes` `{k8s-n-2}`, `{k8s-n-1}`, and `{k8s-n}` clusters. +You must use a `kubectl` version that is within one minor version difference of your Amazon EKS cluster control plane. For example, a `{k8s-n-1}` `kubectl` client works with Kubernetes `{k8s-n-2}`, `{k8s-n-1}`, and `{k8s-n}` clusters. ==== @@ -62,75 +62,75 @@ Install or update `kubectl` on one of the following operating systems: === macOS [[macos_kubectl]] -. Download the binary for your cluster's [.noloc]`Kubernetes` version from Amazon S3. +. Download the binary for your cluster's Kubernetes version from Amazon S3. + -**** [.noloc]`Kubernetes` `1.32` +**** Kubernetes `1.32` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.32.0/2025-01-10/bin/darwin/amd64/kubectl ---- -**** [.noloc]`Kubernetes` `1.31` +**** Kubernetes `1.31` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.31.4/2025-01-10/bin/darwin/amd64/kubectl ---- -**** [.noloc]`Kubernetes` `1.30` +**** Kubernetes `1.30` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.30.8/2025-01-10/bin/darwin/amd64/kubectl ---- -**** [.noloc]`Kubernetes` `1.29` +**** Kubernetes `1.29` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.29.12/2025-01-10/bin/darwin/amd64/kubectl ---- -**** [.noloc]`Kubernetes` `1.28` +**** Kubernetes `1.28` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.28.15/2025-01-10/bin/darwin/amd64/kubectl ---- -**** [.noloc]`Kubernetes` `1.27` +**** Kubernetes `1.27` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.27.16/2025-01-10/bin/darwin/amd64/kubectl ---- -**** [.noloc]`Kubernetes` `1.26` +**** Kubernetes `1.26` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.26.15/2024-12-12/bin/darwin/amd64/kubectl ---- -**** [.noloc]`Kubernetes` `1.25` +**** Kubernetes `1.25` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.25.16/2024-12-12/bin/darwin/amd64/kubectl ---- -**** [.noloc]`Kubernetes` `1.24` +**** Kubernetes `1.24` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.24.17/2024-12-12/bin/darwin/amd64/kubectl ---- -**** [.noloc]`Kubernetes` `1.23` +**** Kubernetes `1.23` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.23.17/2024-09-11/bin/darwin/amd64/kubectl ---- -**** [.noloc]`Kubernetes` `1.22` +**** Kubernetes `1.22` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.22.17/2024-09-11/bin/darwin/amd64/kubectl ---- -**** [.noloc]`Kubernetes` `1.21` +**** Kubernetes `1.21` + [source,bash,subs="verbatim,attributes"] ---- @@ -138,75 +138,75 @@ curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.21.14/2024-09-11/bin/dar ---- . (Optional) Verify the downloaded binary with the `SHA-256` checksum for your binary. + -.. Download the `SHA-256` checksum for your cluster's [.noloc]`Kubernetes` version. +.. Download the `SHA-256` checksum for your cluster's Kubernetes version. + -***** [.noloc]`Kubernetes` `1.32` +***** Kubernetes `1.32` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.32.0/2025-01-10/bin/darwin/amd64/kubectl.sha256 ---- -***** [.noloc]`Kubernetes` `1.31` +***** Kubernetes `1.31` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.31.4/2025-01-10/bin/darwin/amd64/kubectl.sha256 ---- -***** [.noloc]`Kubernetes` `1.30` +***** Kubernetes `1.30` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.30.8/2025-01-10/bin/darwin/amd64/kubectl.sha256 ---- -***** [.noloc]`Kubernetes` `1.29` +***** Kubernetes `1.29` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.29.12/2025-01-10/bin/darwin/amd64/kubectl.sha256 ---- -***** [.noloc]`Kubernetes` `1.28` +***** Kubernetes `1.28` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.28.15/2025-01-10/bin/darwin/amd64/kubectl.sha256 ---- -***** [.noloc]`Kubernetes` `1.27` +***** Kubernetes `1.27` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.27.16/2025-01-10/bin/darwin/amd64/kubectl.sha256 ---- -***** [.noloc]`Kubernetes` `1.26` +***** Kubernetes `1.26` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.26.15/2024-12-12/bin/darwin/amd64/kubectl.sha256 ---- -***** [.noloc]`Kubernetes` `1.25` +***** Kubernetes `1.25` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.25.16/2024-12-12/bin/darwin/amd64/kubectl.sha256 ---- -***** [.noloc]`Kubernetes` `1.24` +***** Kubernetes `1.24` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.24.17/2024-12-12/bin/darwin/amd64/kubectl.sha256 ---- -***** [.noloc]`Kubernetes` `1.23` +***** Kubernetes `1.23` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.23.17/2024-09-11/bin/darwin/amd64/kubectl.sha256 ---- -***** [.noloc]`Kubernetes` `1.22` +***** Kubernetes `1.22` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.22.17/2024-09-11/bin/darwin/amd64/kubectl.sha256 ---- -***** [.noloc]`Kubernetes` `1.21` +***** Kubernetes `1.21` + [source,bash,subs="verbatim,attributes"] ---- @@ -240,75 +240,75 @@ echo 'export PATH=$HOME/bin:$PATH' >> ~/.bash_profile === Linux (amd64) [[linux_amd64_kubectl]] -. Download the `kubectl` binary for your cluster's [.noloc]`Kubernetes` version from Amazon S3. +. Download the `kubectl` binary for your cluster's Kubernetes version from Amazon S3. + -**** [.noloc]`Kubernetes` `1.32` +**** Kubernetes `1.32` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.32.0/2024-12-20/bin/linux/amd64/kubectl ---- -**** [.noloc]`Kubernetes` `1.31` +**** Kubernetes `1.31` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.31.3/2024-12-12/bin/linux/amd64/kubectl ---- -**** [.noloc]`Kubernetes` `1.30` +**** Kubernetes `1.30` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.30.7/2024-12-12/bin/linux/amd64/kubectl ---- -**** [.noloc]`Kubernetes` `1.29` +**** Kubernetes `1.29` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.29.10/2024-12-12/bin/linux/amd64/kubectl ---- -**** [.noloc]`Kubernetes` `1.28` +**** Kubernetes `1.28` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.28.15/2024-12-12/bin/linux/amd64/kubectl ---- -**** [.noloc]`Kubernetes` `1.27` +**** Kubernetes `1.27` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.27.16/2024-12-12/bin/linux/amd64/kubectl ---- -**** [.noloc]`Kubernetes` `1.26` +**** Kubernetes `1.26` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.26.15/2024-12-12/bin/linux/amd64/kubectl ---- -**** [.noloc]`Kubernetes` `1.25` +**** Kubernetes `1.25` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.25.16/2024-12-12/bin/linux/amd64/kubectl ---- -**** [.noloc]`Kubernetes` `1.24` +**** Kubernetes `1.24` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.24.17/2024-12-12/bin/linux/amd64/kubectl ---- -**** [.noloc]`Kubernetes` `1.23` +**** Kubernetes `1.23` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.23.17/2024-09-11/bin/linux/amd64/kubectl ---- -**** [.noloc]`Kubernetes` `1.22` +**** Kubernetes `1.22` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.22.17/2024-09-11/bin/linux/amd64/kubectl ---- -**** [.noloc]`Kubernetes` `1.21` +**** Kubernetes `1.21` + [source,bash,subs="verbatim,attributes"] ---- @@ -316,75 +316,75 @@ curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.21.14/2024-09-11/bin/lin ---- . (Optional) Verify the downloaded binary with the `SHA-256` checksum for your binary. + -.. Download the `SHA-256` checksum for your cluster's [.noloc]`Kubernetes` version from Amazon S3using the command for your device's hardware platform. +.. Download the `SHA-256` checksum for your cluster's Kubernetes version from Amazon S3using the command for your device's hardware platform. + -***** [.noloc]`Kubernetes` `1.32` +***** Kubernetes `1.32` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.32.0/2024-12-20/bin/linux/amd64/kubectl.sha256 ---- -***** [.noloc]`Kubernetes` `1.31` +***** Kubernetes `1.31` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.31.3/2024-12-12/bin/linux/amd64/kubectl.sha256 ---- -***** [.noloc]`Kubernetes` `1.30` +***** Kubernetes `1.30` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.30.7/2024-12-12/bin/linux/amd64/kubectl.sha256 ---- -***** [.noloc]`Kubernetes` `1.29` +***** Kubernetes `1.29` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.29.10/2024-12-12/bin/linux/amd64/kubectl.sha256 ---- -***** [.noloc]`Kubernetes` `1.28` +***** Kubernetes `1.28` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.28.15/2024-12-12/bin/linux/amd64/kubectl.sha256 ---- -***** [.noloc]`Kubernetes` `1.27` +***** Kubernetes `1.27` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.27.16/2024-12-12/bin/linux/amd64/kubectl.sha256 ---- -***** [.noloc]`Kubernetes` `1.26` +***** Kubernetes `1.26` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.26.15/2024-12-12/bin/linux/amd64/kubectl.sha256 ---- -***** [.noloc]`Kubernetes` `1.25` +***** Kubernetes `1.25` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.25.16/2024-12-12/bin/linux/amd64/kubectl.sha256 ---- -***** [.noloc]`Kubernetes` `1.24` +***** Kubernetes `1.24` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.24.17/2024-12-12/bin/linux/amd64/kubectl.sha256 ---- -***** [.noloc]`Kubernetes` `1.23` +***** Kubernetes `1.23` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.23.17/2024-09-11/bin/linux/amd64/kubectl.sha256 ---- -***** [.noloc]`Kubernetes` `1.22` +***** Kubernetes `1.22` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.22.17/2024-09-11/bin/linux/amd64/kubectl.sha256 ---- -***** [.noloc]`Kubernetes` `1.21` +***** Kubernetes `1.21` + [source,bash,subs="verbatim,attributes"] ---- @@ -425,75 +425,75 @@ echo 'export PATH=$HOME/bin:$PATH' >> ~/.bashrc === Linux (arm64) [[linux_arm64_kubectl]] -. Download the `kubectl` binary for your cluster's [.noloc]`Kubernetes` version from Amazon S3. +. Download the `kubectl` binary for your cluster's Kubernetes version from Amazon S3. + -**** [.noloc]`Kubernetes` `1.32` +**** Kubernetes `1.32` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.32.0/2024-12-20/bin/linux/arm64/kubectl ---- -**** [.noloc]`Kubernetes` `1.31` +**** Kubernetes `1.31` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.31.3/2024-12-12/bin/linux/arm64/kubectl ---- -**** [.noloc]`Kubernetes` `1.30` +**** Kubernetes `1.30` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.30.7/2024-12-12/bin/linux/arm64/kubectl ---- -**** [.noloc]`Kubernetes` `1.29` +**** Kubernetes `1.29` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.29.10/2024-12-12/bin/linux/arm64/kubectl ---- -**** [.noloc]`Kubernetes` `1.28` +**** Kubernetes `1.28` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.28.15/2024-12-12/bin/linux/arm64/kubectl ---- -**** [.noloc]`Kubernetes` `1.27` +**** Kubernetes `1.27` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.27.16/2024-12-12/bin/linux/arm64/kubectl ---- -**** [.noloc]`Kubernetes` `1.26` +**** Kubernetes `1.26` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.26.15/2024-12-12/bin/linux/arm64/kubectl ---- -**** [.noloc]`Kubernetes` `1.25` +**** Kubernetes `1.25` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.25.16/2024-12-12/bin/linux/arm64/kubectl ---- -**** [.noloc]`Kubernetes` `1.24` +**** Kubernetes `1.24` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.24.17/2024-12-12/bin/linux/arm64/kubectl ---- -**** [.noloc]`Kubernetes` `1.23` +**** Kubernetes `1.23` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.23.17/2024-09-11/bin/linux/arm64/kubectl ---- -**** [.noloc]`Kubernetes` `1.22` +**** Kubernetes `1.22` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.22.17/2024-09-11/bin/linux/arm64/kubectl ---- -**** [.noloc]`Kubernetes` `1.21` +**** Kubernetes `1.21` + [source,bash,subs="verbatim,attributes"] ---- @@ -501,75 +501,75 @@ curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.21.14/2024-09-11/bin/lin ---- . (Optional) Verify the downloaded binary with the `SHA-256` checksum for your binary. + -.. Download the `SHA-256` checksum for your cluster's [.noloc]`Kubernetes` version from Amazon S3using the command for your device's hardware platform. +.. Download the `SHA-256` checksum for your cluster's Kubernetes version from Amazon S3using the command for your device's hardware platform. + -***** [.noloc]`Kubernetes` `1.32` +***** Kubernetes `1.32` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.32.0/2024-12-20/bin/linux/arm64/kubectl.sha256 ---- -***** [.noloc]`Kubernetes` `1.31` +***** Kubernetes `1.31` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.31.3/2024-12-12/bin/linux/arm64/kubectl.sha256 ---- -***** [.noloc]`Kubernetes` `1.30` +***** Kubernetes `1.30` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.30.7/2024-12-12/bin/linux/arm64/kubectl.sha256 ---- -***** [.noloc]`Kubernetes` `1.29` +***** Kubernetes `1.29` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.29.10/2024-12-12/bin/linux/arm64/kubectl.sha256 ---- -***** [.noloc]`Kubernetes` `1.28` +***** Kubernetes `1.28` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.28.15/2024-12-12/bin/linux/arm64/kubectl.sha256 ---- -***** [.noloc]`Kubernetes` `1.27` +***** Kubernetes `1.27` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.27.16/2024-12-12/bin/linux/arm64/kubectl.sha256 ---- -***** [.noloc]`Kubernetes` `1.26` +***** Kubernetes `1.26` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.26.15/2024-12-12/bin/linux/arm64/kubectl.sha256 ---- -***** [.noloc]`Kubernetes` `1.25` +***** Kubernetes `1.25` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.25.16/2024-12-12/bin/linux/arm64/kubectl.sha256 ---- -***** [.noloc]`Kubernetes` `1.24` +***** Kubernetes `1.24` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.24.17/2024-12-12/bin/linux/arm64/kubectl.sha256 ---- -***** [.noloc]`Kubernetes` `1.23` +***** Kubernetes `1.23` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.23.17/2024-09-11/bin/linux/arm64/kubectl.sha256 ---- -***** [.noloc]`Kubernetes` `1.22` +***** Kubernetes `1.22` + [source,bash,subs="verbatim,attributes"] ---- curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.22.17/2024-09-11/bin/linux/arm64/kubectl.sha256 ---- -***** [.noloc]`Kubernetes` `1.21` +***** Kubernetes `1.21` + [source,bash,subs="verbatim,attributes"] ---- @@ -610,76 +610,76 @@ echo 'export PATH=$HOME/bin:$PATH' >> ~/.bashrc === Windows [[windows_kubectl]] -. Open a [.noloc]`PowerShell` terminal. -. Download the `kubectl` binary for your cluster's [.noloc]`Kubernetes` version from Amazon S3. +. Open a PowerShell terminal. +. Download the `kubectl` binary for your cluster's Kubernetes version from Amazon S3. + -**** [.noloc]`Kubernetes` `1.32` +**** Kubernetes `1.32` + [source,bash,subs="verbatim,attributes"] ---- curl.exe -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.32.0/2024-12-20/bin/windows/amd64/kubectl.exe ---- -**** [.noloc]`Kubernetes` `1.31` +**** Kubernetes `1.31` + [source,bash,subs="verbatim,attributes"] ---- curl.exe -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.31.3/2024-12-12/bin/windows/amd64/kubectl.exe ---- -**** [.noloc]`Kubernetes` `1.30` +**** Kubernetes `1.30` + [source,bash,subs="verbatim,attributes"] ---- curl.exe -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.30.7/2024-12-12/bin/windows/amd64/kubectl.exe ---- -**** [.noloc]`Kubernetes` `1.29` +**** Kubernetes `1.29` + [source,bash,subs="verbatim,attributes"] ---- curl.exe -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.29.10/2024-12-12/bin/windows/amd64/kubectl.exe ---- -**** [.noloc]`Kubernetes` `1.28` +**** Kubernetes `1.28` + [source,bash,subs="verbatim,attributes"] ---- curl.exe -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.28.15/2024-12-12/bin/windows/amd64/kubectl.exe ---- -**** [.noloc]`Kubernetes` `1.27` +**** Kubernetes `1.27` + [source,bash,subs="verbatim,attributes"] ---- curl.exe -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.27.16/2024-12-12/bin/windows/amd64/kubectl.exe ---- -**** [.noloc]`Kubernetes` `1.26` +**** Kubernetes `1.26` + [source,bash,subs="verbatim,attributes"] ---- curl.exe -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.26.15/2024-12-12/bin/windows/amd64/kubectl.exe ---- -**** [.noloc]`Kubernetes` `1.25` +**** Kubernetes `1.25` + [source,bash,subs="verbatim,attributes"] ---- curl.exe -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.25.16/2024-12-12/bin/windows/amd64/kubectl.exe ---- -**** [.noloc]`Kubernetes` `1.24` +**** Kubernetes `1.24` + [source,bash,subs="verbatim,attributes"] ---- curl.exe -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.24.17/2024-12-12/bin/windows/amd64/kubectl.exe ---- -**** [.noloc]`Kubernetes` `1.23` +**** Kubernetes `1.23` + [source,bash,subs="verbatim,attributes"] ---- curl.exe -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.23.17/2024-09-11/bin/windows/amd64/kubectl.exe ---- -**** [.noloc]`Kubernetes` `1.22` +**** Kubernetes `1.22` + [source,bash,subs="verbatim,attributes"] ---- curl.exe -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.22.17/2024-09-11/bin/windows/amd64/kubectl.exe ---- -**** [.noloc]`Kubernetes` `1.21` +**** Kubernetes `1.21` + [source,bash,subs="verbatim,attributes"] ---- @@ -687,75 +687,75 @@ curl.exe -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.21.14/2024-09-11/bin ---- . (Optional) Verify the downloaded binary with the `SHA-256` checksum for your binary. + -.. Download the `SHA-256` checksum for your cluster's [.noloc]`Kubernetes` version for [.noloc]`Windows`. +.. Download the `SHA-256` checksum for your cluster's Kubernetes version for Windows. + -***** [.noloc]`Kubernetes` `1.32` +***** Kubernetes `1.32` + [source,bash,subs="verbatim,attributes"] ---- curl.exe -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.32.0/2024-12-20/bin/windows/amd64/kubectl.exe.sha256 ---- -***** [.noloc]`Kubernetes` `1.31` +***** Kubernetes `1.31` + [source,bash,subs="verbatim,attributes"] ---- curl.exe -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.31.3/2024-12-12/bin/windows/amd64/kubectl.exe.sha256 ---- -***** [.noloc]`Kubernetes` `1.30` +***** Kubernetes `1.30` + [source,bash,subs="verbatim,attributes"] ---- curl.exe -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.30.7/2024-12-12/bin/windows/amd64/kubectl.exe.sha256 ---- -***** [.noloc]`Kubernetes` `1.29` +***** Kubernetes `1.29` + [source,bash,subs="verbatim,attributes"] ---- curl.exe -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.29.10/2024-12-12/bin/windows/amd64/kubectl.exe.sha256 ---- -***** [.noloc]`Kubernetes` `1.28` +***** Kubernetes `1.28` + [source,bash,subs="verbatim,attributes"] ---- curl.exe -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.28.15/2024-12-12/bin/windows/amd64/kubectl.exe.sha256 ---- -***** [.noloc]`Kubernetes` `1.27` +***** Kubernetes `1.27` + [source,bash,subs="verbatim,attributes"] ---- curl.exe -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.27.16/2024-12-12/bin/windows/amd64/kubectl.exe.sha256 ---- -***** [.noloc]`Kubernetes` `1.26` +***** Kubernetes `1.26` + [source,bash,subs="verbatim,attributes"] ---- curl.exe -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.26.15/2024-12-12/bin/windows/amd64/kubectl.exe.sha256 ---- -***** [.noloc]`Kubernetes` `1.25` +***** Kubernetes `1.25` + [source,bash,subs="verbatim,attributes"] ---- curl.exe -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.25.16/2024-12-12/bin/windows/amd64/kubectl.exe.sha256 ---- -***** [.noloc]`Kubernetes` `1.24` +***** Kubernetes `1.24` + [source,bash,subs="verbatim,attributes"] ---- curl.exe -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.24.17/2024-12-12/bin/windows/amd64/kubectl.exe.sha256 ---- -***** [.noloc]`Kubernetes` `1.23` +***** Kubernetes `1.23` + [source,bash,subs="verbatim,attributes"] ---- curl.exe -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.23.17/2024-09-11/bin/windows/amd64/kubectl.exe.sha256 ---- -***** [.noloc]`Kubernetes` `1.22` +***** Kubernetes `1.22` + [source,bash,subs="verbatim,attributes"] ---- curl.exe -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.22.17/2024-09-11/bin/windows/amd64/kubectl.exe.sha256 ---- -***** [.noloc]`Kubernetes` `1.21` +***** Kubernetes `1.21` + [source,bash,subs="verbatim,attributes"] ---- @@ -773,7 +773,7 @@ Get-FileHash kubectl.exe .. Create a new directory for your command line binaries, such as `C:\bin`. .. Copy the `kubectl.exe` binary to your new directory. .. Edit your user or system `PATH` environment variable to add the new directory to your `PATH`. -.. Close your [.noloc]`PowerShell` terminal and open a new one to pick up the new `PATH` variable. +.. Close your PowerShell terminal and open a new one to pick up the new `PATH` variable. . After you install `kubectl`, you can verify its version. + [source,bash,subs="verbatim,attributes"] @@ -786,7 +786,7 @@ kubectl version --client ---- aws eks update-kubeconfig --region region-code --name my-cluster ---- -. Consider configuring auto completion, which lets you use the tab key to complete `kubectl` subcommands after typing the first few letters. See https://kubernetes.io/docs/reference/kubectl/quick-reference/#kubectl-autocomplete[Kubectl autocomplete] in the [.noloc]`Kubernetes` documentation for details. +. Consider configuring auto completion, which lets you use the tab key to complete `kubectl` subcommands after typing the first few letters. See https://kubernetes.io/docs/reference/kubectl/quick-reference/#kubectl-autocomplete[Kubectl autocomplete] in the Kubernetes documentation for details. [#eksctl-install-update] diff --git a/latest/ug/getting-started/setting-up.adoc b/latest/ug/getting-started/setting-up.adoc index 65af5b777..2901237b4 100644 --- a/latest/ug/getting-started/setting-up.adoc +++ b/latest/ug/getting-started/setting-up.adoc @@ -26,8 +26,8 @@ To prepare for the command-line management of your Amazon EKS clusters, you need * <> – The `eksctl` CLI interacts with {aws} to create, modify, and delete Amazon EKS clusters. Once a cluster is up, use the open source `kubectl` command to manage Kubernetes objects within your Amazon EKS clusters. * Set up a development environment (optional)– Consider adding the following tools: + -** *Local deployment tool* – If you're new to [.noloc]`Kubernetes`, consider installing a local deployment tool like https://minikube.sigs.k8s.io/docs/[minikube] or https://kind.sigs.k8s.io/[kind]. These tools allow you to have an Amazon EKS cluster on your local machine for testing applications. -** *Package manager* – https://helm.sh/docs/intro/install/[Helm] is a popular package manager for [.noloc]`Kubernetes` that simplifies the installation and management of complex packages. With [.noloc]`Helm`, it's easier to install and manage packages like the {aws} Load Balancer Controller on your Amazon EKS cluster. +** *Local deployment tool* – If you're new to Kubernetes, consider installing a local deployment tool like https://minikube.sigs.k8s.io/docs/[minikube] or https://kind.sigs.k8s.io/[kind]. These tools allow you to have an Amazon EKS cluster on your local machine for testing applications. +** *Package manager* – https://helm.sh/docs/intro/install/[Helm] is a popular package manager for Kubernetes that simplifies the installation and management of complex packages. With Helm, it's easier to install and manage packages like the {aws} Load Balancer Controller on your Amazon EKS cluster. [#setting-up-next-steps] diff --git a/latest/ug/integrations/integration-detective.adoc b/latest/ug/integrations/integration-detective.adoc index 85c41bab3..472cbe7d9 100644 --- a/latest/ug/integrations/integration-detective.adoc +++ b/latest/ug/integrations/integration-detective.adoc @@ -13,13 +13,13 @@ Amazon Detective helps you analyze, investigate, and quickly identify the root c link:detective/[Amazon Detective,type="marketing"] helps you analyze, investigate, and quickly identify the root cause of security findings or suspicious activities. Detective automatically collects log data from your {aws} resources. It then uses machine learning, statistical analysis, and graph theory to generate visualizations that help you to conduct faster and more efficient security investigations. The Detective prebuilt data aggregations, summaries, and context help you to quickly analyze and determine the nature and extent of possible security issues. For more information, see the link:detective/latest/adminguide/what-is-detective.html[Amazon Detective User Guide,type="documentation"]. -Detective organizes [.noloc]`Kubernetes` and {aws} data into findings such as: +Detective organizes Kubernetes and {aws} data into findings such as: -* Amazon EKS cluster details, including the IAM identity that created the cluster and the service role of the cluster. You can investigate the {aws} and [.noloc]`Kubernetes` API activity of these IAM identities with Detective. -* Container details, such as the image and security context. You can also review details for terminated [.noloc]`Pods`. -* [.noloc]`Kubernetes` API activity, including both overall trends in API activity and details on specific API calls. For example, you can show the number of successful and failed [.noloc]`Kubernetes` API calls that were issued during a selected time range. Additionally, the section on newly observed API calls might be helpful to identify suspicious activity. +* Amazon EKS cluster details, including the IAM identity that created the cluster and the service role of the cluster. You can investigate the {aws} and Kubernetes API activity of these IAM identities with Detective. +* Container details, such as the image and security context. You can also review details for terminated Pods. +* Kubernetes API activity, including both overall trends in API activity and details on specific API calls. For example, you can show the number of successful and failed Kubernetes API calls that were issued during a selected time range. Additionally, the section on newly observed API calls might be helpful to identify suspicious activity. Amazon EKS audit logs is an optional data source package that can be added to your Detective behavior graph. You can view the available optional source packages, and their status in your account. For more information, see link:detective/latest/adminguide/source-data-types-EKS.html[Amazon EKS audit logs for Detective,type="documentation"] in the _Amazon Detective User Guide_. diff --git a/latest/ug/integrations/integration-guardduty.adoc b/latest/ug/integrations/integration-guardduty.adoc index dc52a22a3..45646af20 100644 --- a/latest/ug/integrations/integration-guardduty.adoc +++ b/latest/ug/integrations/integration-guardduty.adoc @@ -17,9 +17,9 @@ Among other features, GuardDuty offers the following two features that detect po *EKS Protection*:: -This feature provides threat detection coverage to help you protect Amazon EKS clusters by monitoring the associated [.noloc]`Kubernetes` audit logs. [.noloc]`Kubernetes` audit logs capture sequential actions within your cluster, including activities from users, applications using the [.noloc]`Kubernetes` API, and the control plane. For example, GuardDuty can identify that APIs called to potentially tamper with resources in a [.noloc]`Kubernetes` cluster were invoked by an unauthenticated user. +This feature provides threat detection coverage to help you protect Amazon EKS clusters by monitoring the associated Kubernetes audit logs. Kubernetes audit logs capture sequential actions within your cluster, including activities from users, applications using the Kubernetes API, and the control plane. For example, GuardDuty can identify that APIs called to potentially tamper with resources in a Kubernetes cluster were invoked by an unauthenticated user. + -When you enable EKS Protection, GuardDuty will be able to access your Amazon EKS audit logs only for continuous threat detection. If GuardDuty identifies a potential threat to your cluster, it generates an associated [.noloc]`Kubernetes` audit log _finding_ of a specific type. For more information about the types of findings available from [.noloc]`Kubernetes` audit logs, see link:guardduty/latest/ug/guardduty_finding-types-kubernetes.html[Kubernetes audit logs finding types,type="documentation"] in the Amazon GuardDuty User Guide. +When you enable EKS Protection, GuardDuty will be able to access your Amazon EKS audit logs only for continuous threat detection. If GuardDuty identifies a potential threat to your cluster, it generates an associated Kubernetes audit log _finding_ of a specific type. For more information about the types of findings available from Kubernetes audit logs, see link:guardduty/latest/ug/guardduty_finding-types-kubernetes.html[Kubernetes audit logs finding types,type="documentation"] in the Amazon GuardDuty User Guide. + For more information, see link:guardduty/latest/ug/kubernetes-protection.html[EKS Protection,type="documentation"] in the Amazon GuardDuty User Guide. diff --git a/latest/ug/integrations/integration-resilience-hub.adoc b/latest/ug/integrations/integration-resilience-hub.adoc index d1159e62b..66414c241 100644 --- a/latest/ug/integrations/integration-resilience-hub.adoc +++ b/latest/ug/integrations/integration-resilience-hub.adoc @@ -5,4 +5,4 @@ include::../attributes.txt[] = Assess EKS cluster resiliency with {aws} Resilience Hub :info_titleabbrev: {aws} Resilience Hub -{aws} Resilience Hub assesses the resiliency of an Amazon EKS cluster by analyzing its infrastructure. {aws} Resilience Hub uses the [.noloc]`Kubernetes` role-based access control (RBAC) configuration to assess the [.noloc]`Kubernetes` workloads deployed to your cluster. For more information, see link:resilience-hub/latest/userguide/enabling-eks-in-arh.html[Enabling {aws} Resilience Hub access to your Amazon EKS cluster,type="documentation"] in the {aws} Resilience Hub User Guide. \ No newline at end of file +{aws} Resilience Hub assesses the resiliency of an Amazon EKS cluster by analyzing its infrastructure. {aws} Resilience Hub uses the Kubernetes role-based access control (RBAC) configuration to assess the Kubernetes workloads deployed to your cluster. For more information, see link:resilience-hub/latest/userguide/enabling-eks-in-arh.html[Enabling {aws} Resilience Hub access to your Amazon EKS cluster,type="documentation"] in the {aws} Resilience Hub User Guide. \ No newline at end of file diff --git a/latest/ug/integrations/integration-securitylake.adoc b/latest/ug/integrations/integration-securitylake.adoc index 3fbcc917a..71c5356ac 100644 --- a/latest/ug/integrations/integration-securitylake.adoc +++ b/latest/ug/integrations/integration-securitylake.adoc @@ -9,10 +9,10 @@ include::../attributes.txt[] [abstract] -- -Amazon Security Lake integrates with Amazon EKS to provide a centralized and standardized solution for collecting, storing, and analyzing security data from clusters. By enabling EKS control plane logging and adding EKS logs as a source in Security Lake, users can gain valuable insights, detect potential threats, and enhance the security posture of their [.noloc]`Kubernetes` environments. +Amazon Security Lake integrates with Amazon EKS to provide a centralized and standardized solution for collecting, storing, and analyzing security data from clusters. By enabling EKS control plane logging and adding EKS logs as a source in Security Lake, users can gain valuable insights, detect potential threats, and enhance the security posture of their Kubernetes environments. -- -Amazon Security Lake is a fully managed security data lake service that allows you to centralize security data from various sources, including Amazon EKS. By integrating Amazon EKS with Security Lake, you can gain deeper insights into the activities performed on your [.noloc]`Kubernetes` resources and enhance the security posture of your Amazon EKS clusters. +Amazon Security Lake is a fully managed security data lake service that allows you to centralize security data from various sources, including Amazon EKS. By integrating Amazon EKS with Security Lake, you can gain deeper insights into the activities performed on your Kubernetes resources and enhance the security posture of your Amazon EKS clusters. [NOTE] ==== diff --git a/latest/ug/integrations/integration-vpc-lattice.adoc b/latest/ug/integrations/integration-vpc-lattice.adoc index be57d0531..5ba199fd9 100644 --- a/latest/ug/integrations/integration-vpc-lattice.adoc +++ b/latest/ug/integrations/integration-vpc-lattice.adoc @@ -5,4 +5,4 @@ include::../attributes.txt[] -Amazon VPC Lattice is a fully managed application networking service built directly into the {aws} networking infrastructure that you can use to connect, secure, and monitor your services across multiple accounts and Virtual Private Clouds (VPCs). With Amazon EKS, you can leverage Amazon VPC Lattice through the use of the {aws} Gateway API Controller, an implementation of the Kubernetes https://gateway-api.sigs.k8s.io/[Gateway API]. Using Amazon VPC Lattice, you can set up cross-cluster connectivity with standard [.noloc]`Kubernetes` semantics in a simple and consistent manner. To get started using Amazon VPC Lattice with Amazon EKS see the https://www.gateway-api-controller.eks.aws.dev/[{aws} Gateway API Controller User Guide]. \ No newline at end of file +Amazon VPC Lattice is a fully managed application networking service built directly into the {aws} networking infrastructure that you can use to connect, secure, and monitor your services across multiple accounts and Virtual Private Clouds (VPCs). With Amazon EKS, you can leverage Amazon VPC Lattice through the use of the {aws} Gateway API Controller, an implementation of the Kubernetes https://gateway-api.sigs.k8s.io/[Gateway API]. Using Amazon VPC Lattice, you can set up cross-cluster connectivity with standard Kubernetes semantics in a simple and consistent manner. To get started using Amazon VPC Lattice with Amazon EKS see the https://www.gateway-api-controller.eks.aws.dev/[{aws} Gateway API Controller User Guide]. \ No newline at end of file diff --git a/latest/ug/integrations/local-zones.adoc b/latest/ug/integrations/local-zones.adoc index dc1ced287..7d0a06942 100644 --- a/latest/ug/integrations/local-zones.adoc +++ b/latest/ug/integrations/local-zones.adoc @@ -10,6 +10,6 @@ An link:about-aws/global-infrastructure/localzones/[{aws} Local Zone,type="marke Amazon EKS supports certain resources in Local Zones. This includes <>, <>, Amazon EBS volumes, and Application Load Balancers (ALBs). We recommend that you consider the following when using Local Zones as part of your Amazon EKS cluster. * You can't create Fargate nodes in Local Zones with Amazon EKS. -* The Amazon EKS managed [.noloc]`Kubernetes` control plane always runs in the {aws} Region. The Amazon EKS managed [.noloc]`Kubernetes` control plane can't run in the Local Zone. Because Local Zones appear as a subnet within your VPC, [.noloc]`Kubernetes` sees your Local Zone resources as part of that subnet. -* The Amazon EKS [.noloc]`Kubernetes` cluster communicates with the Amazon EC2 instances you run in the {aws} Region or Local Zone using Amazon EKS managed link:AWSEC2/latest/UserGuide/using-eni.html[elastic network interfaces,type="documentation"]. To learn more about Amazon EKS networking architecture, see <>. +* The Amazon EKS managed Kubernetes control plane always runs in the {aws} Region. The Amazon EKS managed Kubernetes control plane can't run in the Local Zone. Because Local Zones appear as a subnet within your VPC, Kubernetes sees your Local Zone resources as part of that subnet. +* The Amazon EKS Kubernetes cluster communicates with the Amazon EC2 instances you run in the {aws} Region or Local Zone using Amazon EKS managed link:AWSEC2/latest/UserGuide/using-eni.html[elastic network interfaces,type="documentation"]. To learn more about Amazon EKS networking architecture, see <>. * Unlike regional subnets, Amazon EKS can't place network interfaces into your Local Zone subnets. This means that you must not specify Local Zone subnets when you create your cluster. \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/associate-service-account-role.adoc b/latest/ug/manage-access/aws-access/associate-service-account-role.adoc index 4adb29f70..41d9ff6ca 100644 --- a/latest/ug/manage-access/aws-access/associate-service-account-role.adoc +++ b/latest/ug/manage-access/aws-access/associate-service-account-role.adoc @@ -1,6 +1,6 @@ [.topic] [#associate-service-account-role] -= Assign [.noloc]`IAM` roles to [.noloc]`Kubernetes` service accounts += Assign IAM roles to Kubernetes service accounts :info_titleabbrev: Assign IAM role include::../../attributes.txt[] @@ -10,14 +10,14 @@ include::../../attributes.txt[] Discover how to configure a Kubernetes service account to assume an IAM role, enabling Pods to securely access {aws} services with granular permissions. -- -This topic covers how to configure a [.noloc]`Kubernetes` service account to assume an {aws} Identity and Access Management (IAM) role. Any [.noloc]`Pods` that are configured to use the service account can then access any {aws} service that the role has permissions to access. +This topic covers how to configure a Kubernetes service account to assume an {aws} Identity and Access Management (IAM) role. Any Pods that are configured to use the service account can then access any {aws} service that the role has permissions to access. == Prerequisites * An existing cluster. If you don't have one, you can create one by following one of the guides in <>. -* An existing IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To learn if you already have one or how to create one, see <>. -* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. -* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. +* An existing IAM OpenID Connect (OIDC) provider for your cluster. To learn if you already have one or how to create one, see <>. +* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or Homebrew for macOS are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. +* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the Kubernetes version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. * An existing `kubectl` `config` file that contains your cluster configuration. To create a `kubectl` `config` file, see <>. @@ -29,9 +29,9 @@ If you want to associate an existing IAM policy to your IAM role, skip to the ne . Create an IAM policy. You can create your own policy, or copy an {aws} managed policy that already grants some of the permissions that you need and customize it to your specific requirements. For more information, see link:IAM/latest/UserGuide/access_policies_create.html[Creating IAM policies,type="documentation"] in the _IAM User Guide_. + -. Create a file that includes the permissions for the {aws} services that you want your [.noloc]`Pods` to access. For a list of all actions for all {aws} services, see the link:service-authorization/latest/reference/[Service Authorization Reference,type="documentation"]. +. Create a file that includes the permissions for the {aws} services that you want your Pods to access. For a list of all actions for all {aws} services, see the link:service-authorization/latest/reference/[Service Authorization Reference,type="documentation"]. + -You can run the following command to create an example policy file that allows read-only access to an Amazon S3 bucket. You can optionally store configuration information or a bootstrap script in this bucket, and the containers in your [.noloc]`Pod` can read the file from the bucket and load it into your application. If you want to create this example policy, copy the following contents to your device. Replace [.replaceable]`my-pod-secrets-bucket` with your bucket name and run the command. +You can run the following command to create an example policy file that allows read-only access to an Amazon S3 bucket. You can optionally store configuration information or a bootstrap script in this bucket, and the containers in your Pod can read the file from the bucket and load it into your application. If you want to create this example policy, copy the following contents to your device. Replace [.replaceable]`my-pod-secrets-bucket` with your bucket name and run the command. + [source,json,subs="verbatim,attributes"] ---- @@ -57,13 +57,13 @@ aws iam create-policy --policy-name my-policy --policy-document file://my-policy == Step 2: Create and associate IAM Role -Create an IAM role and associate it with a [.noloc]`Kubernetes` service account. You can use either `eksctl` or the {aws} CLI. +Create an IAM role and associate it with a Kubernetes service account. You can use either `eksctl` or the {aws} CLI. === Create and associate role (eksctl) Version `{eksctl-min-version}` or later of the `eksctl` command line tool installed on your device or {aws} CloudShell. To install or update `eksctl`, see https://eksctl.io/installation[Installation] in the `eksctl` documentation. -Replace [.replaceable]`my-service-account` with the name of the [.noloc]`Kubernetes` service account that you want `eksctl` to create and associate with an IAM role. Replace [.replaceable]`default` with the namespace that you want `eksctl` to create the service account in. Replace [.replaceable]`my-cluster` with the name of your cluster. Replace [.replaceable]`my-role` with the name of the role that you want to associate the service account to. If it doesn't already exist, `eksctl` creates it for you. Replace [.replaceable]`111122223333` with your account ID and [.replaceable]`my-policy` with the name of an existing policy. +Replace [.replaceable]`my-service-account` with the name of the Kubernetes service account that you want `eksctl` to create and associate with an IAM role. Replace [.replaceable]`default` with the namespace that you want `eksctl` to create the service account in. Replace [.replaceable]`my-cluster` with the name of your cluster. Replace [.replaceable]`my-role` with the name of the role that you want to associate the service account to. If it doesn't already exist, `eksctl` creates it for you. Replace [.replaceable]`111122223333` with your account ID and [.replaceable]`my-policy` with the name of an existing policy. [source,bash,subs="verbatim,attributes"] ---- @@ -76,9 +76,9 @@ IMPORTANT: If the role or service account already exist, the previous command mi === Create and associate role ({aws} CLI) -If you have an existing [.noloc]`Kubernetes` service account that you want to assume an IAM role, then you can skip this step. +If you have an existing Kubernetes service account that you want to assume an IAM role, then you can skip this step. -. Create a [.noloc]`Kubernetes` service account. Copy the following contents to your device. Replace [.replaceable]`my-service-account` with your desired name and [.replaceable]`default` with a different namespace, if necessary. If you change [.replaceable]`default`, the namespace must already exist. +. Create a Kubernetes service account. Copy the following contents to your device. Replace [.replaceable]`my-service-account` with your desired name and [.replaceable]`default` with a different namespace, if necessary. If you change [.replaceable]`default`, the namespace must already exist. + [source,yaml,subs="verbatim,attributes"] ---- @@ -97,13 +97,13 @@ kubectl apply -f my-service-account.yaml ---- account_id=$(aws sts get-caller-identity --query "Account" --output text) ---- -. Set your cluster's [.noloc]`OIDC` identity provider to an environment variable with the following command. Replace [.replaceable]`my-cluster` with the name of your cluster. +. Set your cluster's OIDC identity provider to an environment variable with the following command. Replace [.replaceable]`my-cluster` with the name of your cluster. + [source,bash,subs="verbatim,attributes"] ---- oidc_provider=$(aws eks describe-cluster --name my-cluster --region $AWS_REGION --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///") ---- -. Set variables for the namespace and name of the service account. Replace [.replaceable]`my-service-account` with the [.noloc]`Kubernetes` service account that you want to assume the role. Replace [.replaceable]`default` with the namespace of the service account. +. Set variables for the namespace and name of the service account. Replace [.replaceable]`my-service-account` with the Kubernetes service account that you want to assume the role. Replace [.replaceable]`default` with the namespace of the service account. + [source,bash,subs="verbatim,attributes"] ---- @@ -229,7 +229,7 @@ An example output is as follows. } } ---- -. View the policy contents to make sure that the policy includes all the permissions that your [.noloc]`Pod` needs. If necessary, replace [.replaceable]`1` in the following command with the version that's returned in the previous output. +. View the policy contents to make sure that the policy includes all the permissions that your Pod needs. If necessary, replace [.replaceable]`1` in the following command with the version that's returned in the previous output. + [source,bash,subs="verbatim,attributes"] ---- @@ -253,7 +253,7 @@ An example output is as follows. ---- + If you created the example policy in a previous step, then your output is the same. If you created a different policy, then the [.replaceable]`example` content is different. -. Confirm that the [.noloc]`Kubernetes` service account is annotated with the role. +. Confirm that the Kubernetes service account is annotated with the role. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc b/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc index 2eeea12c3..85e1b92ff 100644 --- a/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc +++ b/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc @@ -4,7 +4,7 @@ include::../../attributes.txt[] = Configure the {aws} Security Token Service endpoint for a service account :info_titleabbrev: STS endpoints -If you're using a [.noloc]`Kubernetes` service account with <>, then you can configure the type of {aws} Security Token Service endpoint that's used by the service account if your cluster and platform version are the same or later than those listed in the following table. If your [.noloc]`Kubernetes` or platform version are earlier than those listed in the table, then your service accounts can only use the global endpoint. +If you're using a Kubernetes service account with <>, then you can configure the type of {aws} Security Token Service endpoint that's used by the service account if your cluster and platform version are the same or later than those listed in the following table. If your Kubernetes or platform version are earlier than those listed in the table, then your service accounts can only use the global endpoint. [cols="1,1,1", options="header"] |=== @@ -50,17 +50,17 @@ If you're using a [.noloc]`Kubernetes` service account with <>. * An existing IAM OIDC provider for your cluster. For more information, see <>. -* An existing [.noloc]`Kubernetes` service account configured for use with the <> feature. +* An existing Kubernetes service account configured for use with the <> feature. -The following examples all use the aws-node [.noloc]`Kubernetes` service account used by the <>. You can replace the [.replaceable]`example values` with your own service accounts, [.noloc]`Pods`, namespaces, and other resources. +The following examples all use the aws-node Kubernetes service account used by the <>. You can replace the [.replaceable]`example values` with your own service accounts, Pods, namespaces, and other resources. -. Select a [.noloc]`Pod` that uses a service account that you want to change the endpoint for. Determine which {aws} Region that the [.noloc]`Pod` runs in. Replace [.replaceable]`aws-node-6mfgv` with your [.noloc]`Pod` name and [.replaceable]`kube-system` with your [.noloc]`Pod's` namespace. +. Select a Pod that uses a service account that you want to change the endpoint for. Determine which {aws} Region that the Pod runs in. Replace [.replaceable]`aws-node-6mfgv` with your Pod name and [.replaceable]`kube-system` with your Pod's namespace. + [source,bash,subs="verbatim,attributes"] ---- @@ -74,8 +74,8 @@ An example output is as follows. ip-192-168-79-166.us-west-2/192.168.79.166 ---- + -In the previous output, the [.noloc]`Pod` is running on a node in the us-west-2 {aws} Region. -. Determine the endpoint type that the [.noloc]`Pod's` service account is using. +In the previous output, the Pod is running on a node in the us-west-2 {aws} Region. +. Determine the endpoint type that the Pod's service account is using. + [source,bash,subs="verbatim,attributes"] ---- @@ -98,7 +98,7 @@ If the current endpoint is global, then `global` is returned in the output. If n ---- kubectl annotate serviceaccount -n kube-system aws-node eks.amazonaws.com/sts-regional-endpoints=true ---- -// Not using [.noloc]`Pods'` because the ' character seems to mess up the processing. +// Not using Pods' because the ' character seems to mess up the processing. + If you're using <> to generate pre-signed S3 URLs in your application running in Pods' containers, the format of the URL for regional endpoints is similar to the following example: + @@ -114,7 +114,7 @@ kubectl annotate serviceaccount -n kube-system aws-node eks.amazonaws.com/sts-re ---- + If your application is explicitly making requests to {aws} STS global endpoints and you don't override the default behavior of using regional endpoints in Amazon EKS clusters, then requests will fail with an error. For more information, see <>. -// Not using [.noloc]`Pods'` because the ' character seems to mess up the processing. +// Not using Pods' because the ' character seems to mess up the processing. + If you're using <> to generate pre-signed S3 URLs in your application running in Pods' containers, the format of the URL for global endpoints is similar to the following example: + @@ -125,19 +125,19 @@ https://bucket.s3.amazonaws.com/path?...&X-Amz-Credential=your-access-key-id/dat + If you have automation that expects the pre-signed URL in a certain format or if your application or downstream dependencies that use pre-signed URLs have expectations for the {aws} Region targeted, then make the necessary changes to use the appropriate {aws} STS endpoint. -. Delete and re-create any existing [.noloc]`Pods` that are associated with the service account to apply the credential environment variables. The mutating web hook doesn't apply them to [.noloc]`Pods` that are already running. You can replace [.replaceable]`Pods`, [.replaceable]`kube-system`, and [.replaceable]`-l k8s-app=aws-node` with the information for the [.noloc]`Pods` that you set your annotation for. +. Delete and re-create any existing Pods that are associated with the service account to apply the credential environment variables. The mutating web hook doesn't apply them to Pods that are already running. You can replace [.replaceable]`Pods`, [.replaceable]`kube-system`, and [.replaceable]`-l k8s-app=aws-node` with the information for the Pods that you set your annotation for. + [source,bash,subs="verbatim,attributes"] ---- kubectl delete Pods -n kube-system -l k8s-app=aws-node ---- -. Confirm that the all [.noloc]`Pods` restarted. +. Confirm that the all Pods restarted. + [source,bash,subs="verbatim,attributes"] ---- kubectl get Pods -n kube-system -l k8s-app=aws-node ---- -. View the environment variables for one of the [.noloc]`Pods`. Verify that the `AWS_STS_REGIONAL_ENDPOINTS` value is what you set it to in a previous step. +. View the environment variables for one of the Pods. Verify that the `AWS_STS_REGIONAL_ENDPOINTS` value is what you set it to in a previous step. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/manage-access/aws-access/cross-account-access.adoc b/latest/ug/manage-access/aws-access/cross-account-access.adoc index 734483a00..71383add4 100644 --- a/latest/ug/manage-access/aws-access/cross-account-access.adoc +++ b/latest/ug/manage-access/aws-access/cross-account-access.adoc @@ -10,7 +10,7 @@ include::../../attributes.txt[] Learn how to configure cross-account IAM permissions for Amazon EKS clusters by creating an identity provider from another account's cluster or using chained AssumeRole operations, enabling secure access to {aws} resources across multiple accounts. -- -You can configure cross-account IAM permissions either by creating an identity provider from another account's cluster or by using chained `AssumeRole` operations. In the following examples, _Account A_ owns an Amazon EKS cluster that supports IAM roles for service accounts. [.noloc]`Pods` that are running on that cluster must assume IAM permissions from _Account B_. +You can configure cross-account IAM permissions either by creating an identity provider from another account's cluster or by using chained `AssumeRole` operations. In the following examples, _Account A_ owns an Amazon EKS cluster that supports IAM roles for service accounts. Pods that are running on that cluster must assume IAM permissions from _Account B_. .Create an identity provider from another account's cluster ==== @@ -39,7 +39,7 @@ metadata: ==== -In this example, Account B creates an IAM policy with the permissions to give to [.noloc]`Pods` in Account A's cluster. Account B ([.replaceable]`444455556666`) attaches that policy to an IAM role with a trust relationship that allows `AssumeRole` permissions to Account A ([.replaceable]`111122223333`). +In this example, Account B creates an IAM policy with the permissions to give to Pods in Account A's cluster. Account B ([.replaceable]`444455556666`) attaches that policy to an IAM role with a trust relationship that allows `AssumeRole` permissions to Account A ([.replaceable]`111122223333`). [source,json,subs="verbatim,attributes"] ---- @@ -92,7 +92,7 @@ Account A attaches a policy to that role with the following permissions to assum } ---- -The application code for [.noloc]`Pods` to assume Account B's role uses two profiles: `account_b_role` and `account_a_role`. The `account_b_role` profile uses the `account_a_role` profile as its source. For the {aws} CLI, the `~/.aws/config` file is similar to the following. +The application code for Pods to assume Account B's role uses two profiles: `account_b_role` and `account_a_role`. The `account_b_role` profile uses the `account_a_role` profile as its source. For the {aws} CLI, the `~/.aws/config` file is similar to the following. [source,none,subs="verbatim,attributes"] ---- diff --git a/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc b/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc index e1c03823c..ed41762b8 100644 --- a/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc @@ -1,33 +1,33 @@ [.topic] [#enable-iam-roles-for-service-accounts] -= Create an IAM [.noloc]`OIDC` provider for your cluster += Create an IAM OIDC provider for your cluster :info_titleabbrev: IAM OIDC provider include::../../attributes.txt[] [abstract] -- -Learn how to create an {aws} Identity and Access Management [.noloc]`OpenID Connect` provider for your cluster. +Learn how to create an {aws} Identity and Access Management OpenID Connect provider for your cluster. -- -Your cluster has an https://openid.net/connect/[OpenID Connect] ([.noloc]`OIDC`) issuer URL associated with it. To use {aws} Identity and Access Management (IAM) roles for service accounts, an IAM [.noloc]`OIDC` provider must exist for your cluster's [.noloc]`OIDC` issuer URL. +Your cluster has an https://openid.net/connect/[OpenID Connect] (OIDC) issuer URL associated with it. To use {aws} Identity and Access Management (IAM) roles for service accounts, an IAM OIDC provider must exist for your cluster's OIDC issuer URL. * An existing Amazon EKS cluster. To deploy one, see <>. -* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. -* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. +* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or Homebrew for macOS are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. +* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the Kubernetes version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. * An existing `kubectl` `config` file that contains your cluster configuration. To create a `kubectl` `config` file, see <>. -You can create an IAM [.noloc]`OIDC` provider for your cluster using `eksctl` or the {aws-management-console}. +You can create an IAM OIDC provider for your cluster using `eksctl` or the {aws-management-console}. == Create OIDC provider (eksctl) . Version `{eksctl-min-version}` or later of the `eksctl` command line tool installed on your device or {aws} CloudShell. To install or update `eksctl`, see https://eksctl.io/installation[Installation] in the `eksctl` documentation. + -. Determine the [.noloc]`OIDC` issuer ID for your cluster. +. Determine the OIDC issuer ID for your cluster. + -Retrieve your cluster's [.noloc]`OIDC` issuer ID and store it in a variable. Replace [.replaceable]`my-cluster` with your own value. +Retrieve your cluster's OIDC issuer ID and store it in a variable. Replace [.replaceable]`my-cluster` with your own value. + [source,bash,subs="verbatim,attributes"] ---- @@ -41,15 +41,15 @@ oidc_id=$(aws eks describe-cluster --name $cluster_name --query "cluster.identit ---- echo $oidc_id ---- -. Determine whether an IAM [.noloc]`OIDC` provider with your cluster's issuer ID is already in your account. +. Determine whether an IAM OIDC provider with your cluster's issuer ID is already in your account. + [source,bash,subs="verbatim,attributes"] ---- aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4 ---- + -If output is returned, then you already have an IAM [.noloc]`OIDC` provider for your cluster and you can skip the next step. If no output is returned, then you must create an IAM [.noloc]`OIDC` provider for your cluster. -. Create an IAM [.noloc]`OIDC` identity provider for your cluster with the following command. +If output is returned, then you already have an IAM OIDC provider for your cluster and you can skip the next step. If no output is returned, then you must create an IAM OIDC provider for your cluster. +. Create an IAM OIDC identity provider for your cluster with the following command. + [source,bash,subs="verbatim,attributes"] ---- @@ -63,7 +63,7 @@ NOTE: If you enabled the EKS VPC endpoint, the EKS OIDC service endpoint couldn' ** server cant find oidc.eks.region.amazonaws.com: NXDOMAIN ---- -To complete this step, you can run the command outside the VPC, for example in {aws} CloudShell or on a computer connected to the internet. Alternatively, you can create a split-horizon conditional resolver in the VPC, such as Route 53 Resolver to use a different resolver for the OIDC Issuer URL and not use the VPC DNS for it. For an example of conditional forwarding in [.noloc]`CoreDNS`, see the https://github.com/aws/containers-roadmap/issues/2038[Amazon EKS feature request] on [.noloc]`GitHub`. +To complete this step, you can run the command outside the VPC, for example in {aws} CloudShell or on a computer connected to the internet. Alternatively, you can create a split-horizon conditional resolver in the VPC, such as Route 53 Resolver to use a different resolver for the OIDC Issuer URL and not use the VPC DNS for it. For an example of conditional forwarding in CoreDNS, see the https://github.com/aws/containers-roadmap/issues/2038[Amazon EKS feature request] on GitHub. == Create OIDC provider ({aws} Console) @@ -74,8 +74,8 @@ To complete this step, you can run the command outside the VPC, for example in { . Open the IAM console at https://console.aws.amazon.com/iam/. . In the left navigation pane, choose *Identity Providers* under *Access management*. If a *Provider* is listed that matches the URL for your cluster, then you already have a provider for your cluster. If a provider isn't listed that matches the URL for your cluster, then you must create one. . To create a provider, choose *Add provider*. -. For *Provider type*, select *[.noloc]`OpenID Connect`*. -. For *Provider URL*, enter the [.noloc]`OIDC` provider URL for your cluster. +. For *Provider type*, select *OpenID Connect*. +. For *Provider URL*, enter the OIDC provider URL for your cluster. . For *Audience*, enter `sts.amazonaws.com`. . (Optional) Add any tags, for example a tag to identify which cluster is for this provider. . Choose *Add provider*. diff --git a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc index ed6b1b8f3..91e70f495 100644 --- a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc +++ b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc @@ -9,9 +9,9 @@ To use the credentials from IAM roles for service accounts (IRSA), your code can This works because IAM roles for service accounts have been added as a step in the default credential chain. If your workloads currently use credentials that are earlier in the chain of credentials, those credentials will continue to be used even if you configure an IAM roles for service accounts for the same workload. -The SDK automatically exchanges the service account [.noloc]`OIDC` token for temporary credentials from {aws} Security Token Service by using the `AssumeRoleWithWebIdentity` action. Amazon EKS and this SDK action continue to rotate the temporary credentials by renewing them before they expire. +The SDK automatically exchanges the service account OIDC token for temporary credentials from {aws} Security Token Service by using the `AssumeRoleWithWebIdentity` action. Amazon EKS and this SDK action continue to rotate the temporary credentials by renewing them before they expire. -When using <>, the containers in your [.noloc]`Pods` must use an {aws} SDK version that supports assuming an IAM role through an [.noloc]`OpenID Connect` web identity token file. Make sure that you're using the following versions, or later, for your {aws} SDK: +When using <>, the containers in your Pods must use an {aws} SDK version that supports assuming an IAM role through an OpenID Connect web identity token file. Make sure that you're using the following versions, or later, for your {aws} SDK: @@ -27,6 +27,6 @@ When using <>, th * .NET – https://github.com/aws/aws-sdk-net/releases/tag/3.3.659.1[3.3.659.1] – You must also include `AWSSDK.SecurityToken`. * PHP – https://github.com/aws/aws-sdk-php/releases/tag/3.110.7[3.110.7] -Many popular [.noloc]`Kubernetes` add-ons, such as the https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler[Cluster Autoscaler], the <>, and the <> support IAM roles for service accounts. +Many popular Kubernetes add-ons, such as the https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler[Cluster Autoscaler], the <>, and the <> support IAM roles for service accounts. To ensure that you're using a supported SDK, follow the installation instructions for your preferred SDK at link:tools/[Tools to Build on {aws},type="marketing"] when you build your containers. \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc index 6e2ab8fae..e1b8001f0 100644 --- a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc @@ -7,17 +7,17 @@ include::../../attributes.txt[] [abstract] -- -Learn how applications in your [.noloc]`Pods` can access {aws} services. +Learn how applications in your Pods can access {aws} services. -- -Applications in a [.noloc]`Pod's` containers can use an {aws} SDK or the {aws} CLI to make API requests to {aws} services using {aws} Identity and Access Management (IAM) permissions. Applications must sign their {aws} API requests with {aws} credentials. IAM roles for service accounts (IRSA) provide the ability to manage credentials for your applications, similar to the way that Amazon EC2 instance profiles provide credentials to Amazon EC2 instances. Instead of creating and distributing your {aws} credentials to the containers or using the Amazon EC2 instance's role, you associate an IAM role with a [.noloc]`Kubernetes` service account and configure your [.noloc]`Pods` to use the service account. You can't use IAM roles for service accounts with <>. +Applications in a Pod's containers can use an {aws} SDK or the {aws} CLI to make API requests to {aws} services using {aws} Identity and Access Management (IAM) permissions. Applications must sign their {aws} API requests with {aws} credentials. IAM roles for service accounts (IRSA) provide the ability to manage credentials for your applications, similar to the way that Amazon EC2 instance profiles provide credentials to Amazon EC2 instances. Instead of creating and distributing your {aws} credentials to the containers or using the Amazon EC2 instance's role, you associate an IAM role with a Kubernetes service account and configure your Pods to use the service account. You can't use IAM roles for service accounts with <>. IAM roles for service accounts provide the following benefits: * *Least privilege* - – You can scope IAM permissions to a service account, and only [.noloc]`Pods` that use that service account have access to those permissions. This feature also eliminates the need for third-party solutions such as `kiam` or `kube2iam`. + – You can scope IAM permissions to a service account, and only Pods that use that service account have access to those permissions. This feature also eliminates the need for third-party solutions such as `kiam` or `kube2iam`. * *Credential isolation* - – A [.noloc]`Pod's` containers can only retrieve credentials for the IAM role that's associated with the service account that the container uses. A container never has access to credentials that are used by other containers in other [.noloc]`Pods`. When using IAM roles for service accounts, the [.noloc]`Pod's` containers also have the permissions assigned to the <>, unless you block [.noloc]`Pod` access to the link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html[Amazon EC2 Instance Metadata Service (IMDS),type="documentation"]. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. + – A Pod's containers can only retrieve credentials for the IAM role that's associated with the service account that the container uses. A container never has access to credentials that are used by other containers in other Pods. When using IAM roles for service accounts, the Pod's containers also have the permissions assigned to the <>, unless you block Pod access to the link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html[Amazon EC2 Instance Metadata Service (IMDS),type="documentation"]. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. * *Auditability* – Access and event logging is available through {aws} CloudTrail to help ensure retrospective auditing. @@ -34,26 +34,26 @@ If you enabled the EKS VPC endpoint, the EKS OIDC service endpoint couldn't be a server cant find oidc.eks.region.amazonaws.com: NXDOMAIN ---- -To complete this step, you can run the command outside the VPC, for example in {aws} CloudShell or on a computer connected to the internet. Alternatively, you can create a split-horizon conditional resolver in the VPC, such as Route 53 Resolver to use a different resolver for the OIDC Issuer URL and not use the VPC DNS for it. For an example of conditional forwarding in [.noloc]`CoreDNS`, see the https://github.com/aws/containers-roadmap/issues/2038[Amazon EKS feature request] on [.noloc]`GitHub`. +To complete this step, you can run the command outside the VPC, for example in {aws} CloudShell or on a computer connected to the internet. Alternatively, you can create a split-horizon conditional resolver in the VPC, such as Route 53 Resolver to use a different resolver for the OIDC Issuer URL and not use the VPC DNS for it. For an example of conditional forwarding in CoreDNS, see the https://github.com/aws/containers-roadmap/issues/2038[Amazon EKS feature request] on GitHub. ==== . <> – Complete this procedure for each unique set of permissions that you want an application to have. -. <> – Complete this procedure for each [.noloc]`Pod` that needs access to {aws} services. +. <> – Complete this procedure for each Pod that needs access to {aws} services. . <> – Confirm that the workload uses an {aws} SDK of a supported version and that the workload uses the default credential chain. [#irsa-oidc-background] -== IAM, [.noloc]`Kubernetes`, and [.noloc]`OpenID Connect` ([.noloc]`OIDC`) background information +== IAM, Kubernetes, and OpenID Connect (OIDC) background information -In 2014, {aws} Identity and Access Management added support for federated identities using [.noloc]`OpenID Connect` ([.noloc]`OIDC`). This feature allows you to authenticate {aws} API calls with supported identity providers and receive a valid [.noloc]`OIDC` [.noloc]`JSON` web token ([.noloc]`JWT`). You can pass this token to the {aws} STS `AssumeRoleWithWebIdentity` API operation and receive IAM temporary role credentials. You can use these credentials to interact with any {aws} service, including Amazon S3 and DynamoDB. +In 2014, {aws} Identity and Access Management added support for federated identities using OpenID Connect (OIDC). This feature allows you to authenticate {aws} API calls with supported identity providers and receive a valid OIDC JSON web token (JWT). You can pass this token to the {aws} STS `AssumeRoleWithWebIdentity` API operation and receive IAM temporary role credentials. You can use these credentials to interact with any {aws} service, including Amazon S3 and DynamoDB. Each JWT token is signed by a signing key pair. The keys are served on the OIDC provider managed by Amazon EKS and the private key rotates every 7 days. Amazon EKS keeps the public keys until they expire. If you connect external OIDC clients, be aware that you need to refresh the signing keys before the public key expires. Learn how to <>. -[.noloc]`Kubernetes` has long used service accounts as its own internal identity system. [.noloc]`Pods` can authenticate with the [.noloc]`Kubernetes` API server using an auto-mounted token (which was a non-[.noloc]`OIDC` [.noloc]`JWT`) that only the [.noloc]`Kubernetes` API server could validate. These legacy service account tokens don't expire, and rotating the signing key is a difficult process. In [.noloc]`Kubernetes` version `1.12`, support was added for a new `ProjectedServiceAccountToken` feature. This feature is an [.noloc]`OIDC` [.noloc]`JSON` web token that also contains the service account identity and supports a configurable audience. +Kubernetes has long used service accounts as its own internal identity system. Pods can authenticate with the Kubernetes API server using an auto-mounted token (which was a non-OIDC JWT) that only the Kubernetes API server could validate. These legacy service account tokens don't expire, and rotating the signing key is a difficult process. In Kubernetes version `1.12`, support was added for a new `ProjectedServiceAccountToken` feature. This feature is an OIDC JSON web token that also contains the service account identity and supports a configurable audience. -Amazon EKS hosts a public [.noloc]`OIDC` discovery endpoint for each cluster that contains the signing keys for the `ProjectedServiceAccountToken` [.noloc]`JSON` web tokens so external systems, such as IAM, can validate and accept the [.noloc]`OIDC` tokens that are issued by [.noloc]`Kubernetes`. +Amazon EKS hosts a public OIDC discovery endpoint for each cluster that contains the signing keys for the `ProjectedServiceAccountToken` JSON web tokens so external systems, such as IAM, can validate and accept the OIDC tokens that are issued by Kubernetes. include::enable-iam-roles-for-service-accounts.adoc[leveloffset=+1] diff --git a/latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc b/latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc index ad6878928..4afac47fa 100644 --- a/latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc +++ b/latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc @@ -1,6 +1,6 @@ [.topic] [#irsa-fetch-keys] -= Fetch signing keys to validate [.noloc]`OIDC` tokens += Fetch signing keys to validate OIDC tokens :info_titleabbrev: Fetch signing keys include::../../attributes.txt[] @@ -10,29 +10,29 @@ include::../../attributes.txt[] Discover how to fetch the OIDC public signing keys (JSON Web Key Set) required to validate the ProjectedServiceAccountToken for Amazon EKS clusters, enabling external systems to authenticate with IAM roles for Kubernetes service accounts. -- -[.noloc]`Kubernetes` issues a `ProjectedServiceAccountToken` to each [.noloc]`Kubernetes` [.noloc]`Service Account`. This token is an [.noloc]`OIDC` token, which is further a type of [.noloc]`JSON web token (JWT)`. Amazon EKS hosts a public [.noloc]`OIDC` endpoint for each cluster that contains the signing keys for the token so external systems can validate it. +Kubernetes issues a `ProjectedServiceAccountToken` to each Kubernetes Service Account. This token is an OIDC token, which is further a type of JSON web token (JWT). Amazon EKS hosts a public OIDC endpoint for each cluster that contains the signing keys for the token so external systems can validate it. -To validate a `ProjectedServiceAccountToken`, you need to fetch the [.noloc]`OIDC` public signing keys, also called the [.noloc]`JSON Web Key Set (JWKS)`. Use these keys in your application to validate the token. For example, you can use the https://pyjwt.readthedocs.io/en/latest/[PyJWT Python library] to validate tokens using these keys. For more information on the `ProjectedServiceAccountToken`, see <>. +To validate a `ProjectedServiceAccountToken`, you need to fetch the OIDC public signing keys, also called the JSON Web Key Set (JWKS). Use these keys in your application to validate the token. For example, you can use the https://pyjwt.readthedocs.io/en/latest/[PyJWT Python library] to validate tokens using these keys. For more information on the `ProjectedServiceAccountToken`, see <>. == Prerequisites -* An existing {aws} Identity and Access Management (IAM) [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you already have one, or to create one, see <>. +* An existing {aws} Identity and Access Management (IAM) OpenID Connect (OIDC) provider for your cluster. To determine whether you already have one, or to create one, see <>. * *{aws} CLI* -- A command line tool for working with {aws} services, including Amazon EKS. For more information, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. After installing the {aws} CLI, we recommend that you also configure it. For more information, see link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the {aws} Command Line Interface User Guide. == Procedure -. Retrieve the [.noloc]`OIDC` URL for your Amazon EKS cluster using the {aws} CLI. +. Retrieve the OIDC URL for your Amazon EKS cluster using the {aws} CLI. + [source,bash,subs="verbatim,attributes"] ---- $ aws eks describe-cluster --name my-cluster --query 'cluster.identity.oidc.issuer' "https://oidc.eks.us-west-2.amazonaws.com/id/8EBDXXXX00BAE" ---- -. Retrieve the public signing key using [.noloc]`curl`, or a similar tool. The result is a https://www.rfc-editor.org/rfc/rfc7517#section-5[JSON Web Key Set (JWKS)]. +. Retrieve the public signing key using curl, or a similar tool. The result is a https://www.rfc-editor.org/rfc/rfc7517#section-5[JSON Web Key Set (JWKS)]. + -IMPORTANT: Amazon EKS throttles calls to the [.noloc]`OIDC` endpoint. You should cache the public signing key. Respect the `cache-control` header included in the response. +IMPORTANT: Amazon EKS throttles calls to the OIDC endpoint. You should cache the public signing key. Respect the `cache-control` header included in the response. + -IMPORTANT: Amazon EKS rotates the [.noloc]`OIDC` signing key every seven days. +IMPORTANT: Amazon EKS rotates the OIDC signing key every seven days. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/manage-access/aws-access/pod-configuration.adoc b/latest/ug/manage-access/aws-access/pod-configuration.adoc index e1ad2599d..3dbd61923 100644 --- a/latest/ug/manage-access/aws-access/pod-configuration.adoc +++ b/latest/ug/manage-access/aws-access/pod-configuration.adoc @@ -1,26 +1,26 @@ [.topic] [#pod-configuration] -= Configure [.noloc]`Pods` to use a [.noloc]`Kubernetes` service account += Configure Pods to use a Kubernetes service account :info_titleabbrev: Assign to Pod include::../../attributes.txt[] [abstract] -- -Learn how to configure your [.noloc]`Pods` to use a [.noloc]`Kubernetes` service account that you allowed to assume an {aws} Identity and Access Management role. +Learn how to configure your Pods to use a Kubernetes service account that you allowed to assume an {aws} Identity and Access Management role. -- -If a [.noloc]`Pod` needs to access {aws} services, then you must configure it to use a [.noloc]`Kubernetes` service account. The service account must be associated to an {aws} Identity and Access Management (IAM) role that has permissions to access the {aws} services. +If a Pod needs to access {aws} services, then you must configure it to use a Kubernetes service account. The service account must be associated to an {aws} Identity and Access Management (IAM) role that has permissions to access the {aws} services. * An existing cluster. If you don't have one, you can create one using one of the guides in <>. -* An existing IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To learn if you already have one or how to create one, see <>. -* An existing [.noloc]`Kubernetes` service account that's associated with an IAM role. The service account must be annotated with the Amazon Resource Name (ARN) of the IAM role. The role must have an associated IAM policy that contains the permissions that you want your [.noloc]`Pods` to have to use {aws} services. For more information about how to create the service account and role, and configure them, see <>. -* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. -* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. +* An existing IAM OpenID Connect (OIDC) provider for your cluster. To learn if you already have one or how to create one, see <>. +* An existing Kubernetes service account that's associated with an IAM role. The service account must be annotated with the Amazon Resource Name (ARN) of the IAM role. The role must have an associated IAM policy that contains the permissions that you want your Pods to have to use {aws} services. For more information about how to create the service account and role, and configure them, see <>. +* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or Homebrew for macOS are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. +* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the Kubernetes version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. * An existing `kubectl` `config` file that contains your cluster configuration. To create a `kubectl` `config` file, see <>. -. Use the following command to create a deployment manifest that you can deploy a [.noloc]`Pod` to confirm configuration with. Replace the [.replaceable]`example values` with your own values. +. Use the following command to create a deployment manifest that you can deploy a Pod to confirm configuration with. Replace the [.replaceable]`example values` with your own values. + [source,yaml,subs="verbatim,attributes"] ---- @@ -50,9 +50,9 @@ EOF ---- kubectl apply -f my-deployment.yaml ---- -. Confirm that the required environment variables exist for your [.noloc]`Pod`. +. Confirm that the required environment variables exist for your Pod. + -.. View the [.noloc]`Pods` that were deployed with the deployment in the previous step. +.. View the Pods that were deployed with the deployment in the previous step. + [source,bash,subs="verbatim,attributes"] ---- @@ -65,7 +65,7 @@ An example output is as follows. ---- my-app-6f4dfff6cb-76cv9 1/1 Running 0 3m28s ---- -.. View the ARN of the IAM role that the [.noloc]`Pod` is using. +.. View the ARN of the IAM role that the Pod is using. + [source,bash,subs="verbatim,attributes"] ---- @@ -80,7 +80,7 @@ AWS_ROLE_ARN: {arn-aws}iam::111122223333:role/my-role ---- + The role ARN must match the role ARN that you annotated the existing service account with. For more about annotating the service account, see <>. -.. Confirm that the [.noloc]`Pod` has a web identity token file mount. +.. Confirm that the Pod has a web identity token file mount. + [source,bash,subs="verbatim,attributes"] ---- @@ -94,23 +94,23 @@ An example output is as follows. AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token ---- + -The `kubelet` requests and stores the token on behalf of the [.noloc]`Pod`. By default, the `kubelet` refreshes the token if the token is older than 80 percent of its total time to live or older than 24 hours. You can modify the expiration duration for any account other than the default service account by using the settings in your [.noloc]`Pod` spec. For more information, see https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection[Service Account Token Volume Projection] in the [.noloc]`Kubernetes` documentation. +The `kubelet` requests and stores the token on behalf of the Pod. By default, the `kubelet` refreshes the token if the token is older than 80 percent of its total time to live or older than 24 hours. You can modify the expiration duration for any account other than the default service account by using the settings in your Pod spec. For more information, see https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection[Service Account Token Volume Projection] in the Kubernetes documentation. + -The https://github.com/aws/amazon-eks-pod-identity-webhook#amazon-eks-pod-identity-webhook[Amazon EKS Pod Identity Webhook] on the cluster watches for [.noloc]`Pods` that use a service account with the following annotation: +The https://github.com/aws/amazon-eks-pod-identity-webhook#amazon-eks-pod-identity-webhook[Amazon EKS Pod Identity Webhook] on the cluster watches for Pods that use a service account with the following annotation: + [source,bash,subs="verbatim,attributes"] ---- eks.amazonaws.com/role-arn: {arn-aws}iam::111122223333:role/my-role ---- + -The webhook applies the previous environment variables to those [.noloc]`Pods`. Your cluster doesn't need to use the webhook to configure the environment variables and token file mounts. You can manually configure [.noloc]`Pods` to have these environment variables. The <> look for these environment variables first in the credential chain provider. The role credentials are used for [.noloc]`Pods` that meet this criteria. -. Confirm that your [.noloc]`Pods` can interact with the {aws} services using the permissions that you assigned in the IAM policy attached to your role. +The webhook applies the previous environment variables to those Pods. Your cluster doesn't need to use the webhook to configure the environment variables and token file mounts. You can manually configure Pods to have these environment variables. The <> look for these environment variables first in the credential chain provider. The role credentials are used for Pods that meet this criteria. +. Confirm that your Pods can interact with the {aws} services using the permissions that you assigned in the IAM policy attached to your role. + -NOTE: When a [.noloc]`Pod` uses {aws} credentials from an IAM role that's associated with a service account, the {aws} CLI or other SDKs in the containers for that [.noloc]`Pod` use the credentials that are provided by that role. If you don't restrict access to the credentials that are provided to the <>, the [.noloc]`Pod` still has access to these credentials. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. +NOTE: When a Pod uses {aws} credentials from an IAM role that's associated with a service account, the {aws} CLI or other SDKs in the containers for that Pod use the credentials that are provided by that role. If you don't restrict access to the credentials that are provided to the <>, the Pod still has access to these credentials. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. + -If your [.noloc]`Pods` can't interact with the services as you expected, complete the following steps to confirm that everything is properly configured. +If your Pods can't interact with the services as you expected, complete the following steps to confirm that everything is properly configured. + -.. Confirm that your [.noloc]`Pods` use an {aws} SDK version that supports assuming an IAM role through an [.noloc]`OpenID Connect` web identity token file. For more information, see <>. +.. Confirm that your Pods use an {aws} SDK version that supports assuming an IAM role through an OpenID Connect web identity token file. For more information, see <>. .. Confirm that the deployment is using the service account. + [source,bash,subs="verbatim,attributes"] @@ -124,4 +124,4 @@ An example output is as follows. ---- Service Account: my-service-account ---- -.. If your [.noloc]`Pods` still can't access services, review the <> that are described in <> to confirm that your role and service account are configured properly. \ No newline at end of file +.. If your Pods still can't access services, review the <> that are described in <> to confirm that your role and service account are configured properly. \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc b/latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc index 8cc86bc28..5815b984f 100644 --- a/latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc @@ -33,7 +33,7 @@ include::../../attributes.txt[] This configuration sets the `IPv4` address to be the only address used by the agent. .. To apply the new configuration by replacing the EKS Pod Identity Agent pods, choose *Save changes*. + -Amazon EKS applies changes to the EKS Add-ons by using a _rollout_ of the [.noloc]`Kubernetes` `DaemonSet` for EKS Pod Identity Agent. You can track the status of the rollout in the *Update history* of the add-on in the {aws-management-console} and with `kubectl rollout status daemonset/eks-pod-identity-agent --namespace kube-system`. +Amazon EKS applies changes to the EKS Add-ons by using a _rollout_ of the Kubernetes `DaemonSet` for EKS Pod Identity Agent. You can track the status of the rollout in the *Update history* of the add-on in the {aws-management-console} and with `kubectl rollout status daemonset/eks-pod-identity-agent --namespace kube-system`. + `kubectl rollout` has the following commands: + @@ -66,7 +66,7 @@ aws eks update-addon --cluster-name my-cluster --addon-name eks-pod-identity-age + This configuration sets the `IPv4` address to be the only address used by the agent. + -Amazon EKS applies changes to the EKS Add-ons by using a _rollout_ of the [.noloc]`Kubernetes` DaemonSet for EKS Pod Identity Agent. You can track the status of the rollout in the *Update history* of the add-on in the {aws-management-console} and with `kubectl rollout status daemonset/eks-pod-identity-agent --namespace kube-system`. +Amazon EKS applies changes to the EKS Add-ons by using a _rollout_ of the Kubernetes DaemonSet for EKS Pod Identity Agent. You can track the status of the rollout in the *Update history* of the add-on in the {aws-management-console} and with `kubectl rollout status daemonset/eks-pod-identity-agent --namespace kube-system`. + `kubectl rollout` has the following commands: + diff --git a/latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc b/latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc index 484efb32b..a8a340d99 100644 --- a/latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc @@ -66,7 +66,7 @@ Note that you can change the image location and provide `imagePullSecrets` for E . Choose *Get more add-ons*. . Select the box in the top right of the add-on box for EKS Pod Identity Agent and then choose *Next*. . On the *Configure selected add-ons settings* page, select any version in the *Version* dropdown list. -. (Optional) Expand *Optional configuration settings* to enter additional configuration. For example, you can provide an alternative container image location and `ImagePullSecrets`. The [.noloc]`JSON Schema` with accepted keys is shown in *Add-on configuration schema*. +. (Optional) Expand *Optional configuration settings* to enter additional configuration. For example, you can provide an alternative container image location and `ImagePullSecrets`. The JSON Schema with accepted keys is shown in *Add-on configuration schema*. + Enter the configuration keys and values in *Configuration values*. . Choose *Next*. diff --git a/latest/ug/manage-access/aws-access/pod-id-association.adoc b/latest/ug/manage-access/aws-access/pod-id-association.adoc index 7562a080b..500c2eb6b 100644 --- a/latest/ug/manage-access/aws-access/pod-id-association.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-association.adoc @@ -1,6 +1,6 @@ [.topic] [#pod-id-association] -= Assign an [.noloc]`IAM` role to a [.noloc]`Kubernetes` service account += Assign an IAM role to a Kubernetes service account :info_titleabbrev: Assign IAM role include::../../attributes.txt[] @@ -10,14 +10,14 @@ include::../../attributes.txt[] Learn how to configure a Kubernetes service account to assume an {aws} IAM role with Amazon EKS Pod Identity for securely accessing {aws} services from your pods. -- -This topic covers how to configure a [.noloc]`Kubernetes` service account to assume an {aws} Identity and Access Management (IAM) role with EKS Pod Identity. Any [.noloc]`Pods` that are configured to use the service account can then access any {aws} service that the role has permissions to access. +This topic covers how to configure a Kubernetes service account to assume an {aws} Identity and Access Management (IAM) role with EKS Pod Identity. Any Pods that are configured to use the service account can then access any {aws} service that the role has permissions to access. -To create an EKS Pod Identity association, there is only a single step; you create the association in EKS through the {aws-management-console}, {aws} CLI, {aws} SDKs, {aws} CloudFormation and other tools. There isn't any data or metadata about the associations inside the cluster in any [.noloc]`Kubernetes` objects and you don't add any annotations to the service accounts. +To create an EKS Pod Identity association, there is only a single step; you create the association in EKS through the {aws-management-console}, {aws} CLI, {aws} SDKs, {aws} CloudFormation and other tools. There isn't any data or metadata about the associations inside the cluster in any Kubernetes objects and you don't add any annotations to the service accounts. * An existing cluster. If you don't have one, you can create one by following one of the guides in <>. * The IAM principal that is creating the association must have `iam:PassRole`. -* The latest version of the {aws} CLI installed and configured on your device or {aws} CloudShell. You can check your current version with `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the {aws} Command Line Interface User Guide. The {aws} CLI version installed in the {aws} CloudShell may also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the {aws} CloudShell User Guide. -* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. +* The latest version of the {aws} CLI installed and configured on your device or {aws} CloudShell. You can check your current version with `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or Homebrew for macOS are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the {aws} Command Line Interface User Guide. The {aws} CLI version installed in the {aws} CloudShell may also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the {aws} CloudShell User Guide. +* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the Kubernetes version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. * An existing `kubectl` `config` file that contains your cluster configuration. To create a `kubectl` `config` file, see <>. @@ -59,8 +59,8 @@ NOTE: The list only contains roles that have the following trust policy which al You can use these tags in the _condition keys_ in the trust policy to restrict which service accounts, namespaces, and clusters can use this role. + For a list of Amazon EKS condition keys, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-policy-keys[Conditions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the _Service Authorization Reference_. To learn which actions and resources you can use a condition key with, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"]. -. For the *[.noloc]`Kubernetes` namespace*, select the [.noloc]`Kubernetes` namespace that contains the service account and workload. Optionally, you can specify a namespace by name that doesn't exist in the cluster. -. For the *[.noloc]`Kubernetes` service account*, select the [.noloc]`Kubernetes` service account to use. The manifest for your [.noloc]`Kubernetes` workload must specify this service account. Optionally, you can specify a service account by name that doesn't exist in the cluster. +. For the *Kubernetes namespace*, select the Kubernetes namespace that contains the service account and workload. Optionally, you can specify a namespace by name that doesn't exist in the cluster. +. For the *Kubernetes service account*, select the Kubernetes service account to use. The manifest for your Kubernetes workload must specify this service account. Optionally, you can specify a service account by name that doesn't exist in the cluster. . (Optional) For the *Tags*, choose *Add tag* to add metadata in a key and value pair. These tags are applied to the association and can be used in IAM policies. + You can repeat this step to add multiple tags. @@ -72,9 +72,9 @@ You can repeat this step to add multiple tags. + Create an IAM policy. You can create your own policy, or copy an {aws} managed policy that already grants some of the permissions that you need and customize it to your specific requirements. For more information, see link:IAM/latest/UserGuide/access_policies_create.html[Creating IAM policies,type="documentation"] in the _IAM User Guide_. + -.. Create a file that includes the permissions for the {aws} services that you want your [.noloc]`Pods` to access. For a list of all actions for all {aws} services, see the link:service-authorization/latest/reference/[Service Authorization Reference,type="documentation"]. +.. Create a file that includes the permissions for the {aws} services that you want your Pods to access. For a list of all actions for all {aws} services, see the link:service-authorization/latest/reference/[Service Authorization Reference,type="documentation"]. + -You can run the following command to create an example policy file that allows read-only access to an Amazon S3 bucket. You can optionally store configuration information or a bootstrap script in this bucket, and the containers in your [.noloc]`Pod` can read the file from the bucket and load it into your application. If you want to create this example policy, copy the following contents to your device. Replace [.replaceable]`my-pod-secrets-bucket` with your bucket name and run the command. +You can run the following command to create an example policy file that allows read-only access to an Amazon S3 bucket. You can optionally store configuration information or a bootstrap script in this bucket, and the containers in your Pod can read the file from the bucket and load it into your application. If you want to create this example policy, copy the following contents to your device. Replace [.replaceable]`my-pod-secrets-bucket` with your bucket name and run the command. + [source,json,subs="verbatim,attributes"] ---- @@ -97,11 +97,11 @@ EOF ---- aws iam create-policy --policy-name my-policy --policy-document file://my-policy.json ---- -. Create an IAM role and associate it with a [.noloc]`Kubernetes` service account. +. Create an IAM role and associate it with a Kubernetes service account. + -.. If you have an existing [.noloc]`Kubernetes` service account that you want to assume an IAM role, then you can skip this step. +.. If you have an existing Kubernetes service account that you want to assume an IAM role, then you can skip this step. + -Create a [.noloc]`Kubernetes` service account. Copy the following contents to your device. Replace [.replaceable]`my-service-account` with your desired name and [.replaceable]`default` with a different namespace, if necessary. If you change [.replaceable]`default`, the namespace must already exist. +Create a Kubernetes service account. Copy the following contents to your device. Replace [.replaceable]`my-service-account` with your desired name and [.replaceable]`default` with a different namespace, if necessary. If you change [.replaceable]`default`, the namespace must already exist. + [source,yaml,subs="verbatim,attributes"] ---- @@ -258,7 +258,7 @@ An example output is as follows. } } ---- -. View the policy contents to make sure that the policy includes all the permissions that your [.noloc]`Pod` needs. If necessary, replace [.replaceable]`1` in the following command with the version that's returned in the previous output. +. View the policy contents to make sure that the policy includes all the permissions that your Pod needs. If necessary, replace [.replaceable]`1` in the following command with the version that's returned in the previous output. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc b/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc index 24a52ff92..ed4502aa6 100644 --- a/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc @@ -1,7 +1,7 @@ include::../../attributes.txt[] [.topic] [#pod-id-configure-pods] -= Configure [.noloc]`Pods` to access {aws} services with service accounts += Configure Pods to access {aws} services with service accounts :info_titleabbrev: Pod service account [abstract] @@ -9,14 +9,14 @@ include::../../attributes.txt[] Learn how to configure Pods to use a Kubernetes service account with an associated IAM role for accessing {aws} services on Amazon EKS. -- -If a [.noloc]`Pod` needs to access {aws} services, then you must configure it to use a [.noloc]`Kubernetes` service account. The service account must be associated to an {aws} Identity and Access Management (IAM) role that has permissions to access the {aws} services. +If a Pod needs to access {aws} services, then you must configure it to use a Kubernetes service account. The service account must be associated to an {aws} Identity and Access Management (IAM) role that has permissions to access the {aws} services. * An existing cluster. If you don't have one, you can create one using one of the guides in <>. -* An existing [.noloc]`Kubernetes` service account and an EKS Pod Identity association that associates the service account with an IAM role. The role must have an associated IAM policy that contains the permissions that you want your [.noloc]`Pods` to have to use {aws} services. For more information about how to create the service account and role, and configure them, see <>. -* The latest version of the {aws} CLI installed and configured on your device or {aws} CloudShell. You can check your current version with `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the {aws} Command Line Interface User Guide. The {aws} CLI version installed in the {aws} CloudShell may also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the {aws} CloudShell User Guide. -* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. +* An existing Kubernetes service account and an EKS Pod Identity association that associates the service account with an IAM role. The role must have an associated IAM policy that contains the permissions that you want your Pods to have to use {aws} services. For more information about how to create the service account and role, and configure them, see <>. +* The latest version of the {aws} CLI installed and configured on your device or {aws} CloudShell. You can check your current version with `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or Homebrew for macOS are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the {aws} Command Line Interface User Guide. The {aws} CLI version installed in the {aws} CloudShell may also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the {aws} CloudShell User Guide. +* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the Kubernetes version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. * An existing `kubectl` `config` file that contains your cluster configuration. To create a `kubectl` `config` file, see <>. -. Use the following command to create a deployment manifest that you can deploy a [.noloc]`Pod` to confirm configuration with. Replace the [.replaceable]`example values` with your own values. +. Use the following command to create a deployment manifest that you can deploy a Pod to confirm configuration with. Replace the [.replaceable]`example values` with your own values. + [source,yaml,subs="verbatim,attributes"] ---- @@ -46,9 +46,9 @@ EOF ---- kubectl apply -f my-deployment.yaml ---- -. Confirm that the required environment variables exist for your [.noloc]`Pod`. +. Confirm that the required environment variables exist for your Pod. + -.. View the [.noloc]`Pods` that were deployed with the deployment in the previous step. +.. View the Pods that were deployed with the deployment in the previous step. + [source,bash,subs="verbatim,attributes"] ---- @@ -61,7 +61,7 @@ An example output is as follows. ---- my-app-6f4dfff6cb-76cv9 1/1 Running 0 3m28s ---- -.. Confirm that the [.noloc]`Pod` has a service account token file mount. +.. Confirm that the Pod has a service account token file mount. + [source,bash,subs="verbatim,attributes"] ---- @@ -74,13 +74,13 @@ An example output is as follows. ---- AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE: /var/run/secrets/pods.eks.amazonaws.com/serviceaccount/eks-pod-identity-token ---- -. Confirm that your [.noloc]`Pods` can interact with the {aws} services using the permissions that you assigned in the IAM policy attached to your role. +. Confirm that your Pods can interact with the {aws} services using the permissions that you assigned in the IAM policy attached to your role. + -NOTE: When a [.noloc]`Pod` uses {aws} credentials from an IAM role that's associated with a service account, the {aws} CLI or other SDKs in the containers for that [.noloc]`Pod` use the credentials that are provided by that role. If you don't restrict access to the credentials that are provided to the <>, the [.noloc]`Pod` still has access to these credentials. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. +NOTE: When a Pod uses {aws} credentials from an IAM role that's associated with a service account, the {aws} CLI or other SDKs in the containers for that Pod use the credentials that are provided by that role. If you don't restrict access to the credentials that are provided to the <>, the Pod still has access to these credentials. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. + -If your [.noloc]`Pods` can't interact with the services as you expected, complete the following steps to confirm that everything is properly configured. +If your Pods can't interact with the services as you expected, complete the following steps to confirm that everything is properly configured. + -.. Confirm that your [.noloc]`Pods` use an {aws} SDK version that supports assuming an IAM role through an EKS Pod Identity association. For more information, see <>. +.. Confirm that your Pods use an {aws} SDK version that supports assuming an IAM role through an EKS Pod Identity association. For more information, see <>. .. Confirm that the deployment is using the service account. + [source,bash,subs="verbatim,attributes"] diff --git a/latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc b/latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc index d72765a9c..3625c63d9 100644 --- a/latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc @@ -1,6 +1,6 @@ [.topic] [#pod-id-how-it-works] -= Understand how [.noloc]`EKS Pod Identity` works += Understand how EKS Pod Identity works :info_titleabbrev: How it works include::../../attributes.txt[] @@ -28,8 +28,8 @@ The container credentials provider provides temporary credentials from an agent In contrast, _IAM roles for service accounts_ provides a _web identity_ token that the {aws} SDK must exchange with {aws} Security Token Service by using `AssumeRoleWithWebIdentity`. [#pod-id-agent-pod] -== How EKS Pod Identity Agent works with a [.noloc]`Pod` -. When Amazon EKS starts a new pod that uses a service account with an EKS Pod Identity association, the cluster adds the following content to the [.noloc]`Pod` manifest: +== How EKS Pod Identity Agent works with a Pod +. When Amazon EKS starts a new pod that uses a service account with an EKS Pod Identity association, the cluster adds the following content to the Pod manifest: + [source,yaml,subs="verbatim,attributes"] ---- @@ -51,7 +51,7 @@ In contrast, _IAM roles for service accounts_ provides a _web identity_ token th expirationSeconds: 86400 # 24 hours path: eks-pod-identity-token ---- -. [.noloc]`Kubernetes` selects which node to run the pod on. Then, the Amazon EKS Pod Identity Agent on the node uses the link:eks/latest/APIReference/API_auth_AssumeRoleForPodIdentity.html[AssumeRoleForPodIdentity,type="documentation"] action to retrieve temporary credentials from the EKS Auth API. +. Kubernetes selects which node to run the pod on. Then, the Amazon EKS Pod Identity Agent on the node uses the link:eks/latest/APIReference/API_auth_AssumeRoleForPodIdentity.html[AssumeRoleForPodIdentity,type="documentation"] action to retrieve temporary credentials from the EKS Auth API. . The EKS Pod Identity Agent makes these credentials available for the {aws} SDKs that you run inside your containers. . You use the SDK in your application without specifying a credential provider to use the default credential chain. Or, you specify the container credential provider. For more information about the default locations used, see the link:sdkref/latest/guide/standardized-credentials.html#credentialProviderChain[Credential provider chain,type="documentation"] in the {aws} SDKs and Tools Reference Guide. . The SDK uses the environment variables to connect to the EKS Pod Identity Agent and retrieve the credentials. diff --git a/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc b/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc index 688c63547..11ac22905 100644 --- a/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc @@ -13,7 +13,7 @@ This works because EKS Pod Identities have been added to the _Container credenti For more information about how EKS Pod Identities work, see <>. -When using <>, the containers in your [.noloc]`Pods` must use an {aws} SDK version that supports assuming an IAM role from the EKS Pod Identity Agent. Make sure that you're using the following versions, or later, for your {aws} SDK: +When using <>, the containers in your Pods must use an {aws} SDK version that supports assuming an IAM role from the EKS Pod Identity Agent. Make sure that you're using the following versions, or later, for your {aws} SDK: diff --git a/latest/ug/manage-access/aws-access/pod-id-role.adoc b/latest/ug/manage-access/aws-access/pod-id-role.adoc index 490b098fb..449829b99 100644 --- a/latest/ug/manage-access/aws-access/pod-id-role.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-role.adoc @@ -1,6 +1,6 @@ [.topic] [#pod-id-role] -= Create [.noloc]`IAM` role with trust policy required by [.noloc]`EKS Pod Identity` += Create IAM role with trust policy required by EKS Pod Identity :info_titleabbrev: EKS Pod Identity role include::../../attributes.txt[] diff --git a/latest/ug/manage-access/aws-access/pod-identities.adoc b/latest/ug/manage-access/aws-access/pod-identities.adoc index f0e16877a..3dc2f3e97 100644 --- a/latest/ug/manage-access/aws-access/pod-identities.adoc +++ b/latest/ug/manage-access/aws-access/pod-identities.adoc @@ -1,7 +1,7 @@ include::../../attributes.txt[] [.topic] [#pod-identities] -= Learn how [.noloc]`EKS Pod Identity` grants pods access to {aws} services += Learn how EKS Pod Identity grants pods access to {aws} services :info_titleabbrev: Pod Identity include::pod-id-how-it-works.adoc[leveloffset=+1] @@ -27,7 +27,7 @@ Learn how to provide {aws} service access to your Kubernetes workloads with Amaz Applications in a Pod's containers can use an {aws} SDK or the {aws} CLI to make API requests to {aws} services using {aws} Identity and Access Management (IAM) permissions. Applications must sign their {aws} API requests with {aws} credentials. -_EKS Pod Identities_ provide the ability to manage credentials for your applications, similar to the way that Amazon EC2 instance profiles provide credentials to Amazon EC2 instances. Instead of creating and distributing your {aws} credentials to the containers or using the Amazon EC2 instance's role, you associate an IAM role with a [.noloc]`Kubernetes` service account and configure your [.noloc]`Pods` to use the service account. +_EKS Pod Identities_ provide the ability to manage credentials for your applications, similar to the way that Amazon EC2 instance profiles provide credentials to Amazon EC2 instances. Instead of creating and distributing your {aws} credentials to the containers or using the Amazon EC2 instance's role, you associate an IAM role with a Kubernetes service account and configure your Pods to use the service account. video::aUjJSorBE70[youtube,align = center,height = 405,fileref = https://www.youtube.com/embed/aUjJSorBE70,width = 720] @@ -43,18 +43,18 @@ EKS Pod Identities provide the following benefits: * *Least privilege* - – You can scope IAM permissions to a service account, and only [.noloc]`Pods` that use that service account have access to those permissions. This feature also eliminates the need for third-party solutions such as `kiam` or `kube2iam`. + – You can scope IAM permissions to a service account, and only Pods that use that service account have access to those permissions. This feature also eliminates the need for third-party solutions such as `kiam` or `kube2iam`. * *Credential isolation* - – A [.noloc]`Pod's` containers can only retrieve credentials for the IAM role that's associated with the service account that the container uses. A container never has access to credentials that are used by other containers in other [.noloc]`Pods`. When using Pod Identities, the [.noloc]`Pod's` containers also have the permissions assigned to the <>, unless you block [.noloc]`Pod` access to the link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html["Amazon EC2 Instance Metadata Service (IMDS)", type="documentation"]. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. + – A Pod's containers can only retrieve credentials for the IAM role that's associated with the service account that the container uses. A container never has access to credentials that are used by other containers in other Pods. When using Pod Identities, the Pod's containers also have the permissions assigned to the <>, unless you block Pod access to the link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html["Amazon EC2 Instance Metadata Service (IMDS)", type="documentation"]. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. * *Auditability* – Access and event logging is available through {aws} CloudTrail to help facilitate retrospective auditing. -EKS Pod Identity is a simpler method than <>, as this method doesn't use [.noloc]`OIDC` identity providers. EKS Pod Identity has the following enhancements: +EKS Pod Identity is a simpler method than <>, as this method doesn't use OIDC identity providers. EKS Pod Identity has the following enhancements: * *Independent operations* - – In many organizations, creating [.noloc]`OIDC` identity providers is a responsibility of different teams than administering the [.noloc]`Kubernetes` clusters. EKS Pod Identity has clean separation of duties, where all configuration of EKS Pod Identity associations is done in Amazon EKS and all configuration of the IAM permissions is done in IAM. + – In many organizations, creating OIDC identity providers is a responsibility of different teams than administering the Kubernetes clusters. EKS Pod Identity has clean separation of duties, where all configuration of EKS Pod Identity associations is done in Amazon EKS and all configuration of the IAM permissions is done in IAM. * *Reusability* – EKS Pod Identity uses a single IAM principal instead of the separate principals for each cluster that IAM roles for service accounts use. Your IAM administrator adds the following principal to the trust policy of any role to make it usable by EKS Pod Identities. + @@ -65,7 +65,7 @@ EKS Pod Identity is a simpler method than <>, as } ---- * *Scalability* - -- Each set of temporary credentials are assumed by the [.noloc]`EKS Auth` service in EKS Pod Identity, instead of each {aws} SDK that you run in each pod. Then, the Amazon EKS Pod Identity Agent that runs on each node issues the credentials to the SDKs. Thus the load is reduced to once for each node and isn't duplicated in each pod. For more details of the process, see <>. + -- Each set of temporary credentials are assumed by the EKS Auth service in EKS Pod Identity, instead of each {aws} SDK that you run in each pod. Then, the Amazon EKS Pod Identity Agent that runs on each node issues the credentials to the SDKs. Thus the load is reduced to once for each node and isn't duplicated in each pod. For more details of the process, see <>. For more information to compare the two alternatives, see <>. @@ -77,26 +77,26 @@ Turn on EKS Pod Identities by completing the following procedures: . <> -- You only complete this procedure once for each cluster. You do not need to complete this step if EKS Auto Mode is enabled on your cluster. . <> -- Complete this procedure for each unique set of permissions that you want an application to have. + -. <> -- Complete this procedure for each [.noloc]`Pod` that needs access to {aws} services. +. <> -- Complete this procedure for each Pod that needs access to {aws} services. . <> -- Confirm that the workload uses an {aws} SDK of a supported version and that the workload uses the default credential chain. [#pod-id-considerations] == EKS Pod Identity considerations -* You can associate one IAM role to each [.noloc]`Kubernetes` service account in each cluster. You can change which role is mapped to the service account by editing the EKS Pod Identity association. +* You can associate one IAM role to each Kubernetes service account in each cluster. You can change which role is mapped to the service account by editing the EKS Pod Identity association. * You can only associate roles that are in the same {aws} account as the cluster. You can delegate access from another account to the role in this account that you configure for EKS Pod Identities to use. For a tutorial about delegating access and `AssumeRole`, see link:IAM/latest/UserGuide/tutorial_cross-account-with-roles.html[Delegate access across {aws} accounts using IAM roles,type="documentation"] in the _IAM User Guide_. -* The EKS Pod Identity Agent is required. It runs as a [.noloc]`Kubernetes` `DaemonSet` on your nodes and only provides credentials to pods on the node that it runs on. For more information about EKS Pod Identity Agent compatibility, see the following section <>. +* The EKS Pod Identity Agent is required. It runs as a Kubernetes `DaemonSet` on your nodes and only provides credentials to pods on the node that it runs on. For more information about EKS Pod Identity Agent compatibility, see the following section <>. * If you are using Security Group for Pods along with Pod Identity Agent, you may need to set the `POD_SECURITY_GROUP_ENFORCING_MODE` Flag for the {aws} VPC CNI. For more information on security group for pods considerations, see <>. -* The EKS Pod Identity Agent uses the `hostNetwork` of the node and it uses port `80` and port `2703` on a link-local address on the node. This address is `169.254.170.23` for [.noloc]`IPv4` and `[fd00:ec2::23]` for [.noloc]`IPv6` clusters. +* The EKS Pod Identity Agent uses the `hostNetwork` of the node and it uses port `80` and port `2703` on a link-local address on the node. This address is `169.254.170.23` for IPv4 and `[fd00:ec2::23]` for IPv6 clusters. + If you disable `IPv6` addresses, or otherwise prevent localhost `IPv6` IP addresses, the agent can't start. To start the agent on nodes that can't use `IPv6`, follow the steps in <> to disable the `IPv6` configuration. -* If your Pods use a proxy, you must ensure you add `169.254.170.23` for [.noloc]`IPv4` and `[fd00:ec2::23]` for [.noloc]`IPv6` in the `no_proxy`/`NO_PROXY` environment variables injected into the pods. Otherwise requests from the application pods to the `eks-pod-identity-agent` DaemonSets would fail as the requests would be sent to the proxy and the proxy wouldn't be able to route the IP. +* If your Pods use a proxy, you must ensure you add `169.254.170.23` for IPv4 and `[fd00:ec2::23]` for IPv6 in the `no_proxy`/`NO_PROXY` environment variables injected into the pods. Otherwise requests from the application pods to the `eks-pod-identity-agent` DaemonSets would fail as the requests would be sent to the proxy and the proxy wouldn't be able to route the IP. [#pod-id-cluster-versions] === EKS Pod Identity cluster versions -To use EKS Pod Identities, the cluster must have a platform version that is the same or later than the version listed in the following table, or a [.noloc]`Kubernetes` version that is later than the versions listed in the table. +To use EKS Pod Identities, the cluster must have a platform version that is the same or later than the version listed in the following table, or a Kubernetes version that is later than the versions listed in the table. [cols="1,1", options="header"] |=== @@ -138,7 +138,7 @@ EKS Pod Identities aren't available on the following: * {aws} Outposts. * Amazon EKS Anywhere. -* [.noloc]`Kubernetes` clusters that you create and run on Amazon EC2. The EKS Pod Identity components are only available on Amazon EKS. +* Kubernetes clusters that you create and run on Amazon EC2. The EKS Pod Identity components are only available on Amazon EKS. You can't use EKS Pod Identities with: diff --git a/latest/ug/manage-access/aws-access/service-accounts.adoc b/latest/ug/manage-access/aws-access/service-accounts.adoc index ff47c473f..268c21724 100644 --- a/latest/ug/manage-access/aws-access/service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/service-accounts.adoc @@ -2,19 +2,19 @@ include::../../attributes.txt[] [.topic] [#service-accounts] -= Grant Kubernetes workloads access to {aws} using [.noloc]`Kubernetes` Service Accounts += Grant Kubernetes workloads access to {aws} using Kubernetes Service Accounts :info_titleabbrev: Workload access to {aws} include::iam-roles-for-service-accounts.adoc[leveloffset=+1] include::pod-identities.adoc[leveloffset=+1] -A [.noloc]`Kubernetes` service account provides an identity for processes that run in a [.noloc]`Pod`. For more information see https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin[Managing Service Accounts] in the [.noloc]`Kubernetes` documentation. If your [.noloc]`Pod` needs access to {aws} services, you can map the service account to an {aws} Identity and Access Management identity to grant that access. For more information, see <>. +A Kubernetes service account provides an identity for processes that run in a Pod. For more information see https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin[Managing Service Accounts] in the Kubernetes documentation. If your Pod needs access to {aws} services, you can map the service account to an {aws} Identity and Access Management identity to grant that access. For more information, see <>. [#service-account-tokens] == Service account tokens -The https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#bound-service-account-token-volume[BoundServiceAccountTokenVolume] feature is enabled by default in [.noloc]`Kubernetes` versions. This feature improves the security of service account tokens by allowing workloads running on [.noloc]`Kubernetes` to request JSON web tokens that are audience, time, and key bound. Service account tokens have an expiration of one hour. In earlier [.noloc]`Kubernetes` versions, the tokens didn't have an expiration. This means that clients that rely on these tokens must refresh the tokens within an hour. The following https://kubernetes.io/docs/reference/using-api/client-libraries/[Kubernetes client SDKs] refresh tokens automatically within the required time frame: +The https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#bound-service-account-token-volume[BoundServiceAccountTokenVolume] feature is enabled by default in Kubernetes versions. This feature improves the security of service account tokens by allowing workloads running on Kubernetes to request JSON web tokens that are audience, time, and key bound. Service account tokens have an expiration of one hour. In earlier Kubernetes versions, the tokens didn't have an expiration. This means that clients that rely on these tokens must refresh the tokens within an hour. The following https://kubernetes.io/docs/reference/using-api/client-libraries/[Kubernetes client SDKs] refresh tokens automatically within the required time frame: @@ -24,9 +24,9 @@ The https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-adm * JavaScript version `0.10.3` and later * Ruby `master` branch * Haskell version `0.3.0.0` -* [.noloc]`C#` version `7.0.5` and later +* C# version `7.0.5` and later -If your workload is using an earlier client version, then you must update it. To enable a smooth migration of clients to the newer time-bound service account tokens, [.noloc]`Kubernetes` adds an extended expiry period to the service account token over the default one hour. For Amazon EKS clusters, the extended expiry period is 90 days. Your Amazon EKS cluster's [.noloc]`Kubernetes` API server rejects requests with tokens that are greater than 90 days old. We recommend that you check your applications and their dependencies to make sure that the Kubernetes client SDKs are the same or later than the versions listed previously. +If your workload is using an earlier client version, then you must update it. To enable a smooth migration of clients to the newer time-bound service account tokens, Kubernetes adds an extended expiry period to the service account token over the default one hour. For Amazon EKS clusters, the extended expiry period is 90 days. Your Amazon EKS cluster's Kubernetes API server rejects requests with tokens that are greater than 90 days old. We recommend that you check your applications and their dependencies to make sure that the Kubernetes client SDKs are the same or later than the versions listed previously. When the API server receives requests with tokens that are greater than one hour old, it annotates the API audit log event with `annotations.authentication.k8s.io/stale-token`. The value of the annotation looks like the following example: @@ -35,7 +35,7 @@ When the API server receives requests with tokens that are greater than one hour subject: system:serviceaccount:common:fluent-bit, seconds after warning threshold: 4185802. ---- -If your cluster has <> enabled, then the annotations are in the audit logs. You can use the following link:AmazonCloudWatch/latest/logs/AnalyzingLogData.html[CloudWatch Logs Insights,type="documentation"] query to identify all the [.noloc]`Pods` in your Amazon EKS cluster that are using stale tokens: +If your cluster has <> enabled, then the annotations are in the audit logs. You can use the following link:AmazonCloudWatch/latest/logs/AnalyzingLogData.html[CloudWatch Logs Insights,type="documentation"] query to identify all the Pods in your Amazon EKS cluster that are using stale tokens: [source,bash,subs="verbatim,attributes"] ---- @@ -45,9 +45,9 @@ fields @timestamp |parse @message "subject: *, seconds after warning threshold:*\"" as subject, elapsedtime ---- -The `subject` refers to the service account that the [.noloc]`Pod` used. The `elapsedtime` indicates the elapsed time (in seconds) after reading the latest token. The requests to the API server are denied when the `elapsedtime` exceeds 90 days (7,776,000 seconds). You should proactively update your applications' [.noloc]`Kubernetes` client SDK to use one of the version listed previously that automatically refresh the token. If the service account token used is close to 90 days and you don't have sufficient time to update your client SDK versions before token expiration, then you can terminate existing [.noloc]`Pods` and create new ones. This results in refetching of the service account token, giving you an additional 90 days to update your client version SDKs. +The `subject` refers to the service account that the Pod used. The `elapsedtime` indicates the elapsed time (in seconds) after reading the latest token. The requests to the API server are denied when the `elapsedtime` exceeds 90 days (7,776,000 seconds). You should proactively update your applications' Kubernetes client SDK to use one of the version listed previously that automatically refresh the token. If the service account token used is close to 90 days and you don't have sufficient time to update your client SDK versions before token expiration, then you can terminate existing Pods and create new ones. This results in refetching of the service account token, giving you an additional 90 days to update your client version SDKs. -If the [.noloc]`Pod` is part of a deployment, the suggested way to terminate [.noloc]`Pods` while keeping high availability is to perform a roll out with the following command. Replace [.replaceable]`my-deployment` with the name of your deployment. +If the Pod is part of a deployment, the suggested way to terminate Pods while keeping high availability is to perform a roll out with the following command. Replace [.replaceable]`my-deployment` with the name of your deployment. [source,bash,subs="verbatim,attributes"] ---- @@ -58,15 +58,15 @@ kubectl rollout restart deployment/my-deployment [#boundserviceaccounttoken-validated-add-on-versions] == Cluster add-ons -The following cluster add-ons have been updated to use the [.noloc]`Kubernetes` client SDKs that automatically refetch service account tokens. We recommend making sure that the listed versions, or later versions, are installed on your cluster. +The following cluster add-ons have been updated to use the Kubernetes client SDKs that automatically refetch service account tokens. We recommend making sure that the listed versions, or later versions, are installed on your cluster. -* [.noloc]`Amazon VPC CNI plugin for Kubernetes` and metrics helper plugins version `1.8.0` and later. To check your current version or update it, see <> and https://github.com/aws/amazon-vpc-cni-k8s/blob/master/cmd/cni-metrics-helper/README.md[cni-metrics-helper]. -* [.noloc]`CoreDNS` version `1.8.4` and later. To check your current version or update it, see <>. -* [.noloc]`{aws} Load Balancer Controller` version `2.0.0` and later. To check your current version or update it, see <>. +* Amazon VPC CNI plugin for Kubernetes and metrics helper plugins version `1.8.0` and later. To check your current version or update it, see <> and https://github.com/aws/amazon-vpc-cni-k8s/blob/master/cmd/cni-metrics-helper/README.md[cni-metrics-helper]. +* CoreDNS version `1.8.4` and later. To check your current version or update it, see <>. +* {aws} Load Balancer Controller version `2.0.0` and later. To check your current version or update it, see <>. * A current `kube-proxy` version. To check your current version or update it, see <>. -* {aws} for Fluent Bit version `2.25.0` or later. To update your current version, see https://github.com/aws/aws-for-fluent-bit/releases[Releases] on [.noloc]`GitHub`. +* {aws} for Fluent Bit version `2.25.0` or later. To update your current version, see https://github.com/aws/aws-for-fluent-bit/releases[Releases] on GitHub. * Fluentd image version https://hub.docker.com/r/fluent/fluentd/tags?page=1&name=v1.14.6-1.2[1.14.6-1.2] or later and Fluentd filter plugin for Kubernetes metadata version https://rubygems.org/gems/fluent-plugin-kubernetes_metadata_filter/versions/2.11.1[2.11.1] or later. @@ -78,11 +78,11 @@ Amazon EKS provides two ways to grant {aws} Identity and Access Management permi *IAM roles for service accounts*:: -_IAM roles for service accounts (IRSA)_ configures Kubernetes applications running on {aws} with fine-grained IAM permissions to access various other {aws} resources such as Amazon S3 buckets, Amazon DynamoDB tables, and more. You can run multiple applications together in the same Amazon EKS cluster, and ensure each application has only the minimum set of permissions that it needs. IRSA was build to support various [.noloc]`Kubernetes` deployment options supported by {aws} such as Amazon EKS, Amazon EKS Anywhere, Red Hat OpenShift Service on {aws}, and self managed [.noloc]`Kubernetes` clusters on Amazon EC2 instances. Thus, IRSA was build using foundational {aws} service like IAM, and did not take any direct dependency on the Amazon EKS service and the EKS API. For more information, see <>. +_IAM roles for service accounts (IRSA)_ configures Kubernetes applications running on {aws} with fine-grained IAM permissions to access various other {aws} resources such as Amazon S3 buckets, Amazon DynamoDB tables, and more. You can run multiple applications together in the same Amazon EKS cluster, and ensure each application has only the minimum set of permissions that it needs. IRSA was build to support various Kubernetes deployment options supported by {aws} such as Amazon EKS, Amazon EKS Anywhere, Red Hat OpenShift Service on {aws}, and self managed Kubernetes clusters on Amazon EC2 instances. Thus, IRSA was build using foundational {aws} service like IAM, and did not take any direct dependency on the Amazon EKS service and the EKS API. For more information, see <>. *EKS Pod Identities*:: -EKS Pod Identity offers cluster administrators a simplified workflow for authenticating applications to access various other {aws} resources such as Amazon S3 buckets, Amazon DynamoDB tables, and more. EKS Pod Identity is for EKS only, and as a result, it simplifies how cluster administrators can configure Kubernetes applications to obtain IAM permissions. These permissions can now be easily configured with fewer steps directly through {aws-management-console}, EKS API, and {aws} CLI, and there isn't any action to take inside the cluster in any [.noloc]`Kubernetes` objects. Cluster administrators don't need to switch between the EKS and IAM services, or use privileged IAM operations to configure permissions required by your applications. IAM roles can now be used across multiple clusters without the need to update the role trust policy when creating new clusters. IAM credentials supplied by EKS Pod Identity include role session tags, with attributes such as cluster name, namespace, service account name. Role session tags enable administrators to author a single role that can work across service accounts by allowing access to {aws} resources based on matching tags. For more information, see <>. +EKS Pod Identity offers cluster administrators a simplified workflow for authenticating applications to access various other {aws} resources such as Amazon S3 buckets, Amazon DynamoDB tables, and more. EKS Pod Identity is for EKS only, and as a result, it simplifies how cluster administrators can configure Kubernetes applications to obtain IAM permissions. These permissions can now be easily configured with fewer steps directly through {aws-management-console}, EKS API, and {aws} CLI, and there isn't any action to take inside the cluster in any Kubernetes objects. Cluster administrators don't need to switch between the EKS and IAM services, or use privileged IAM operations to configure permissions required by your applications. IAM roles can now be used across multiple clusters without the need to update the role trust policy when creating new clusters. IAM credentials supplied by EKS Pod Identity include role session tags, with attributes such as cluster name, namespace, service account name. Role session tags enable administrators to author a single role that can work across service accounts by allowing access to {aws} resources based on matching tags. For more information, see <>. [#service-accounts-iam-compare] @@ -99,11 +99,11 @@ At a high level, both EKS Pod Identity and IRSA enables you to grant IAM permiss |Role extensibility |You have to setup each role once to establish trust with the newly-introduced Amazon EKS service principal `pods.eks.amazonaws.com`. After this one-time step, you don't need to update the role's trust policy each time that it is used in a new cluster. -|You have to update the IAM role's trust policy with the new EKS cluster [.noloc]`OIDC` provider endpoint each time you want to use the role in a new cluster. +|You have to update the IAM role's trust policy with the new EKS cluster OIDC provider endpoint each time you want to use the role in a new cluster. |Cluster scalability |EKS Pod Identity doesn't require users to setup IAM OIDC provider, so this limit doesn't apply. -|Each EKS cluster has an [.noloc]`OpenID Connect` ([.noloc]`OIDC`) issuer URL associated with it. To use IRSA, a unique [.noloc]`OpenID Connect` provider needs to be created for each EKS cluster in IAM. IAM has a default global limit of 100 [.noloc]`OIDC` providers for each {aws} account. If you plan to have more than 100 EKS clusters for each {aws} account with IRSA, then you will reach the IAM [.noloc]`OIDC` provider limit. +|Each EKS cluster has an OpenID Connect (OIDC) issuer URL associated with it. To use IRSA, a unique OpenID Connect provider needs to be created for each EKS cluster in IAM. IAM has a default global limit of 100 OIDC providers for each {aws} account. If you plan to have more than 100 EKS clusters for each {aws} account with IRSA, then you will reach the IAM OIDC provider limit. |Role scalability |EKS Pod Identity doesn't require users to define trust relationship between IAM role and service account in the trust policy, so this limit doesn't apply. @@ -115,9 +115,9 @@ At a high level, both EKS Pod Identity and IRSA enables you to grant IAM permiss |Environments supported |EKS Pod Identity is only available on Amazon EKS. -|IRSA can be used such as Amazon EKS, Amazon EKS Anywhere, Red Hat OpenShift Service on {aws}, and self managed [.noloc]`Kubernetes` clusters on Amazon EC2 instances. +|IRSA can be used such as Amazon EKS, Amazon EKS Anywhere, Red Hat OpenShift Service on {aws}, and self managed Kubernetes clusters on Amazon EC2 instances. |EKS versions supported -|EKS [.noloc]`Kubernetes` versions `1.24` or later. For the specific platform versions, see <>. +|EKS Kubernetes versions `1.24` or later. For the specific platform versions, see <>. |All of the supported EKS cluster versions. |=== \ No newline at end of file diff --git a/latest/ug/manage-access/cluster-auth.adoc b/latest/ug/manage-access/cluster-auth.adoc index bee9111d8..668e59d4d 100644 --- a/latest/ug/manage-access/cluster-auth.adoc +++ b/latest/ug/manage-access/cluster-auth.adoc @@ -18,33 +18,33 @@ include::../attributes.txt[] Learn how to manage access to your EKS cluster. First, this includes granting developers or external services access to Kubernetes. Second, this includes granting Kubernetes workloads access to {aws} services. -- -Learn how to manage access to your Amazon EKS cluster. Using Amazon EKS requires knowledge of how both [.noloc]`Kubernetes` and {aws} Identity and Access Management ({aws} IAM) handle access control. +Learn how to manage access to your Amazon EKS cluster. Using Amazon EKS requires knowledge of how both Kubernetes and {aws} Identity and Access Management ({aws} IAM) handle access control. *This section includes:* -*<>* -- Learn how to enable applications or users to authenticate to the [.noloc]`Kubernetes` API. You can use access entries, the aws-auth ConfigMap, or an external OIDC provider. +*<>* -- Learn how to enable applications or users to authenticate to the Kubernetes API. You can use access entries, the aws-auth ConfigMap, or an external OIDC provider. -*<>* -- Learn how to configure the {aws-management-console} to communicate with your Amazon EKS cluster. Use the console to view [.noloc]`Kubernetes` resources in the cluster, such as namespaces, nodes, and [.noloc]`Pods`. +*<>* -- Learn how to configure the {aws-management-console} to communicate with your Amazon EKS cluster. Use the console to view Kubernetes resources in the cluster, such as namespaces, nodes, and Pods. *<>* -- Learn how to configure kubectl to communicate with your Amazon EKS cluster. Use the {aws} CLI to create a kubeconfig file. -*<>* -- Learn how to associate a [.noloc]`Kubernetes` service account with {aws} IAM Roles. You can use Pod Identity or IAM Roles for Service Accounts (IRSA). +*<>* -- Learn how to associate a Kubernetes service account with {aws} IAM Roles. You can use Pod Identity or IAM Roles for Service Accounts (IRSA). == Common Tasks -* Grant developers access to the [.noloc]`Kubernetes` API. View [.noloc]`Kubernetes` resources in the {aws-management-console}. +* Grant developers access to the Kubernetes API. View Kubernetes resources in the {aws-management-console}. + -** Solution: <> to associate [.noloc]`Kubernetes` RBAC permissions with {aws} IAM Users or Roles. +** Solution: <> to associate Kubernetes RBAC permissions with {aws} IAM Users or Roles. * Configure kubectl to talk to an Amazon EKS cluster using {aws} Credentials. + ** Solution: Use the {aws} CLI to <>. -* Use an external identity provider, such as Ping Identity, to authenticate users to the [.noloc]`Kubernetes` API. +* Use an external identity provider, such as Ping Identity, to authenticate users to the Kubernetes API. + ** Solution: <>. -* Grant workloads on your [.noloc]`Kubernetes` cluster the ability to call {aws} APIs. +* Grant workloads on your Kubernetes cluster the ability to call {aws} APIs. + -** Solution: <> to associate an {aws} IAM Role to a [.noloc]`Kubernetes` Service Account. +** Solution: <> to associate an {aws} IAM Role to a Kubernetes Service Account. == Background diff --git a/latest/ug/manage-access/create-kubeconfig.adoc b/latest/ug/manage-access/create-kubeconfig.adoc index 1e3a5a10a..873a57aee 100644 --- a/latest/ug/manage-access/create-kubeconfig.adoc +++ b/latest/ug/manage-access/create-kubeconfig.adoc @@ -1,6 +1,6 @@ [.topic] [#create-kubeconfig] -= Connect [.noloc]`kubectl` to an EKS cluster by creating a [.noloc]`kubeconfig` file += Connect kubectl to an EKS cluster by creating a kubeconfig file :info_titleabbrev: Access cluster with kubectl include::../attributes.txt[] @@ -12,7 +12,7 @@ Learn how to create or update a kubeconfig file for authenticating with your Ama In this topic, you create a `kubeconfig` file for your cluster (or update an existing one). -The `kubectl` command-line tool uses configuration information in `kubeconfig` files to communicate with the API server of a cluster. For more information, see https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/[Organizing Cluster Access Using kubeconfig Files] in the [.noloc]`Kubernetes` documentation. +The `kubectl` command-line tool uses configuration information in `kubeconfig` files to communicate with the API server of a cluster. For more information, see https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/[Organizing Cluster Access Using kubeconfig Files] in the Kubernetes documentation. Amazon EKS uses the `aws eks get-token` command with `kubectl` for cluster authentication. By default, the {aws} CLI uses the same credentials that are returned with the following command: @@ -22,15 +22,15 @@ aws sts get-caller-identity ---- * An existing Amazon EKS cluster. To deploy one, see <>. -* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. -* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. -* An IAM user or role with permission to use the `eks:DescribeCluster` API action for the cluster that you specify. For more information, see <>. If you use an identity from your own [.noloc]`OpenID Connect` provider to access your cluster, then see https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-kubectl[Using kubectl] in the [.noloc]`Kubernetes` documentation to create or update your `kube config` file. +* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the Kubernetes version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. +* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or Homebrew for macOS are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. +* An IAM user or role with permission to use the `eks:DescribeCluster` API action for the cluster that you specify. For more information, see <>. If you use an identity from your own OpenID Connect provider to access your cluster, then see https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-kubectl[Using kubectl] in the Kubernetes documentation to create or update your `kube config` file. [#create-kubeconfig-automatically] == Create `kubeconfig` file automatically -* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. +* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or Homebrew for macOS are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. * Permission to use the `eks:DescribeCluster` API action for the cluster that you specify. For more information, see <>. . Create or update a `kubeconfig` file for your cluster. Replace [.replaceable]`region-code` with the {aws} Region that your cluster is in and replace [.replaceable]`my-cluster` with the name of your cluster. + diff --git a/latest/ug/manage-access/k8s-access/access-entries.adoc b/latest/ug/manage-access/k8s-access/access-entries.adoc index 674f19d1a..1c95693c4 100644 --- a/latest/ug/manage-access/k8s-access/access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/access-entries.adoc @@ -1,6 +1,6 @@ [.topic] [#access-entries] -= Grant [.noloc]`IAM` users access to [.noloc]`Kubernetes` with EKS access entries += Grant IAM users access to Kubernetes with EKS access entries :info_titleabbrev: Grant permissions include::../../attributes.txt[] diff --git a/latest/ug/manage-access/k8s-access/access-policies.adoc b/latest/ug/manage-access/k8s-access/access-policies.adoc index 67f269dd7..3b45c1e00 100644 --- a/latest/ug/manage-access/k8s-access/access-policies.adoc +++ b/latest/ug/manage-access/k8s-access/access-policies.adoc @@ -10,7 +10,7 @@ include::../../attributes.txt[] Learn how to associate and disassociate Amazon EKS access policies to and from access entries to grant Kubernetes permissions to IAM principals. -- -You can assign one or more access policies to _access entries_ of _type_ `STANDARD`. Amazon EKS automatically grants the other types of access entries the permissions required to function properly in your cluster. Amazon EKS access policies include [.noloc]`Kubernetes` permissions, not IAM permissions. Before associating an access policy to an access entry, make sure that you're familiar with the [.noloc]`Kubernetes` permissions included in each access policy. For more information, see <>. If none of the access policies meet your requirements, then don't associate an access policy to an access entry. Instead, specify one or more _group names_ for the access entry and create and manage [.noloc]`Kubernetes` role-based access control objects. For more information, see <>. +You can assign one or more access policies to _access entries_ of _type_ `STANDARD`. Amazon EKS automatically grants the other types of access entries the permissions required to function properly in your cluster. Amazon EKS access policies include Kubernetes permissions, not IAM permissions. Before associating an access policy to an access entry, make sure that you're familiar with the Kubernetes permissions included in each access policy. For more information, see <>. If none of the access policies meet your requirements, then don't associate an access policy to an access entry. Instead, specify one or more _group names_ for the access entry and create and manage Kubernetes role-based access control objects. For more information, see <>. @@ -22,11 +22,11 @@ Before associating access policies with access entries, consider the following r * You can associate multiple access policies to each access entry, but you can only associate each policy to an access entry once. If you associate multiple access policies, the access entry's IAM principal has all permissions included in all associated access policies. -* You can scope an access policy to all resources on a cluster or by specifying the name of one or more [.noloc]`Kubernetes` namespaces. You can use wildcard characters for a namespace name. For example, if you want to scope an access policy to all namespaces that start with `dev-`, you can specify `dev-*` as a namespace name. Make sure that the namespaces exist on your cluster and that your spelling matches the actual namespace name on the cluster. Amazon EKS doesn't confirm the spelling or existence of the namespaces on your cluster. -* You can change the _access scope_ for an access policy after you associate it to an access entry. If you've scoped the access policy to [.noloc]`Kubernetes` namespaces, you can add and remove namespaces for the association, as necessary. -* If you associate an access policy to an access entry that also has _group names_ specified, then the IAM principal has all the permissions in all associated access policies. It also has all the permissions in any [.noloc]`Kubernetes` `Role` or `ClusterRole` object that is specified in any [.noloc]`Kubernetes` `Role` and `RoleBinding` objects that specify the group names. -* If you run the `kubectl auth can-i --list` command, you won't see any [.noloc]`Kubernetes` permissions assigned by access policies associated with an access entry for the IAM principal you're using when you run the command. The command only shows [.noloc]`Kubernetes` permissions if you've granted them in [.noloc]`Kubernetes` `Role` or `ClusterRole` objects that you've bound to the group names or username that you specified for an access entry. -* If you impersonate a [.noloc]`Kubernetes` user or group when interacting with [.noloc]`Kubernetes` objects on your cluster, such as using the `kubectl` command with `--as [.replaceable]``username``` or `--as-group [.replaceable]``group-name```, you're forcing the use of [.noloc]`Kubernetes` RBAC authorization. As a result, the IAM principal has no permissions assigned by any access policies associated to the access entry. The only [.noloc]`Kubernetes` permissions that the user or group that the IAM principal is impersonating has are the [.noloc]`Kubernetes` permissions that you've granted them in [.noloc]`Kubernetes` `Role` or `ClusterRole` objects that you've bound to the group names or user name. For your IAM principal to have the permissions in associated access policies, don't impersonate a [.noloc]`Kubernetes` user or group. The IAM principal will still also have any permissions that you've granted them in the [.noloc]`Kubernetes` `Role` or `ClusterRole` objects that you've bound to the group names or user name that you specified for the access entry. For more information, see https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation[User impersonation] in the [.noloc]`Kubernetes` documentation. +* You can scope an access policy to all resources on a cluster or by specifying the name of one or more Kubernetes namespaces. You can use wildcard characters for a namespace name. For example, if you want to scope an access policy to all namespaces that start with `dev-`, you can specify `dev-*` as a namespace name. Make sure that the namespaces exist on your cluster and that your spelling matches the actual namespace name on the cluster. Amazon EKS doesn't confirm the spelling or existence of the namespaces on your cluster. +* You can change the _access scope_ for an access policy after you associate it to an access entry. If you've scoped the access policy to Kubernetes namespaces, you can add and remove namespaces for the association, as necessary. +* If you associate an access policy to an access entry that also has _group names_ specified, then the IAM principal has all the permissions in all associated access policies. It also has all the permissions in any Kubernetes `Role` or `ClusterRole` object that is specified in any Kubernetes `Role` and `RoleBinding` objects that specify the group names. +* If you run the `kubectl auth can-i --list` command, you won't see any Kubernetes permissions assigned by access policies associated with an access entry for the IAM principal you're using when you run the command. The command only shows Kubernetes permissions if you've granted them in Kubernetes `Role` or `ClusterRole` objects that you've bound to the group names or username that you specified for an access entry. +* If you impersonate a Kubernetes user or group when interacting with Kubernetes objects on your cluster, such as using the `kubectl` command with `--as [.replaceable]``username``` or `--as-group [.replaceable]``group-name```, you're forcing the use of Kubernetes RBAC authorization. As a result, the IAM principal has no permissions assigned by any access policies associated to the access entry. The only Kubernetes permissions that the user or group that the IAM principal is impersonating has are the Kubernetes permissions that you've granted them in Kubernetes `Role` or `ClusterRole` objects that you've bound to the group names or user name. For your IAM principal to have the permissions in associated access policies, don't impersonate a Kubernetes user or group. The IAM principal will still also have any permissions that you've granted them in the Kubernetes `Role` or `ClusterRole` objects that you've bound to the group names or user name that you specified for the access entry. For more information, see https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation[User impersonation] in the Kubernetes documentation. You can associate an access policy to an access entry using the {aws-management-console} or the {aws} CLI. @@ -39,12 +39,12 @@ You can associate an access policy to an access entry using the {aws-management- . If the type of the access entry is *Standard*, you can associate or disassociate Amazon EKS *access policies*. If the type of your access entry is anything other than *Standard*, then this option isn't available. . Choose *Associate access policy*. . For *Policy name*, select the policy with the permissions you want the IAM principal to have. To view the permissions included in each policy, see <>. -. For *Access scope*, choose an access scope. If you choose *Cluster*, the permissions in the access policy are granted to the IAM principal for resources in all [.noloc]`Kubernetes` namespaces. If you choose *[.noloc]`Kubernetes` namespace*, you can then choose *Add new namespace*. In the *Namespace* field that appears, you can enter the name of a [.noloc]`Kubernetes` namespace on your cluster. If you want the IAM principal to have the permissions across multiple namespaces, then you can enter multiple namespaces. +. For *Access scope*, choose an access scope. If you choose *Cluster*, the permissions in the access policy are granted to the IAM principal for resources in all Kubernetes namespaces. If you choose *Kubernetes namespace*, you can then choose *Add new namespace*. In the *Namespace* field that appears, you can enter the name of a Kubernetes namespace on your cluster. If you want the IAM principal to have the permissions across multiple namespaces, then you can enter multiple namespaces. . Choose *Add access policy*. [#access-associate-cli] == {aws} CLI -. Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. +. Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or Homebrew for macOS are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. + . View the available access policies. + @@ -91,7 +91,7 @@ An example output is as follows. ] } ---- -. Associate an access policy to an access entry. The following example associates the `AmazonEKSViewPolicy` access policy to an access entry. Whenever the [.replaceable]`my-role` IAM role attempts to access [.noloc]`Kubernetes` objects on the cluster, Amazon EKS will authorize the role to use the permissions in the policy to access [.noloc]`Kubernetes` objects in the [.replaceable]`my-namespace1` and [.replaceable]`my-namespace2` [.noloc]`Kubernetes` namespaces only. Replace [.replaceable]`my-cluster` with the name of your cluster, [.replaceable]`111122223333` with your {aws} account ID, and [.replaceable]`my-role` with the name of the IAM role that you want Amazon EKS to authorize access to [.noloc]`Kubernetes` cluster objects for. +. Associate an access policy to an access entry. The following example associates the `AmazonEKSViewPolicy` access policy to an access entry. Whenever the [.replaceable]`my-role` IAM role attempts to access Kubernetes objects on the cluster, Amazon EKS will authorize the role to use the permissions in the policy to access Kubernetes objects in the [.replaceable]`my-namespace1` and [.replaceable]`my-namespace2` Kubernetes namespaces only. Replace [.replaceable]`my-cluster` with the name of your cluster, [.replaceable]`111122223333` with your {aws} account ID, and [.replaceable]`my-role` with the name of the IAM role that you want Amazon EKS to authorize access to Kubernetes cluster objects for. + [source,bash,subs="verbatim,attributes"] ---- @@ -142,7 +142,7 @@ An example output is as follows. } ---- + -In the previous example, the IAM principal for this access entry has view permissions across all namespaces on the cluster, and administrator permissions to two [.noloc]`Kubernetes` namespaces. +In the previous example, the IAM principal for this access entry has view permissions across all namespaces on the cluster, and administrator permissions to two Kubernetes namespaces. . Disassociate an access policy from an access entry. In this example, the `AmazonEKSAdminPolicy` policy is disassociated from an access entry. The IAM principal retains the permissions in the `AmazonEKSViewPolicy` access policy for objects in the [.replaceable]`my-namespace1` and [.replaceable]`my-namespace2` namespaces however, because that access policy is not disassociated from the access entry. + [source,bash,subs="verbatim,attributes"] diff --git a/latest/ug/manage-access/k8s-access/access-policy-reference.adoc b/latest/ug/manage-access/k8s-access/access-policy-reference.adoc index 80702c29e..49f6deab2 100644 --- a/latest/ug/manage-access/k8s-access/access-policy-reference.adoc +++ b/latest/ug/manage-access/k8s-access/access-policy-reference.adoc @@ -5,7 +5,7 @@ include::../../attributes.txt[] -Access policies include `rules` that contain [.noloc]`Kubernetes` `verbs` (permissions) and `resources`. Access policies don't include IAM permissions or resources. Similar to [.noloc]`Kubernetes` `Role` and `ClusterRole` objects, access policies only include `allow` `rules`. You can't modify the contents of an access policy. You can't create your own access policies. If the permissions in the access policies don't meet your needs, then create [.noloc]`Kubernetes` RBAC objects and specify _group names_ for your access entries. For more information, see <>. The permissions contained in access policies are similar to the permissions in the [.noloc]`Kubernetes` user-facing cluster roles. For more information, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles[User-facing roles] in the [.noloc]`Kubernetes` documentation. +Access policies include `rules` that contain Kubernetes `verbs` (permissions) and `resources`. Access policies don't include IAM permissions or resources. Similar to Kubernetes `Role` and `ClusterRole` objects, access policies only include `allow` `rules`. You can't modify the contents of an access policy. You can't create your own access policies. If the permissions in the access policies don't meet your needs, then create Kubernetes RBAC objects and specify _group names_ for your access entries. For more information, see <>. The permissions contained in access policies are similar to the permissions in the Kubernetes user-facing cluster roles. For more information, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles[User-facing roles] in the Kubernetes documentation. Choose any access policy to see its contents. Each row of each table in each access policy is a separate rule. @@ -14,7 +14,7 @@ Choose any access policy to see its contents. Each row of each table in each acc == AmazonEKSAdminPolicy -This access policy includes permissions that grant an IAM principal most permissions to resources. When associated to an access entry, its access scope is typically one or more [.noloc]`Kubernetes` namespaces. If you want an IAM principal to have administrator access to all resources on your cluster, associate the <> access policy to your access entry instead. +This access policy includes permissions that grant an IAM principal most permissions to resources. When associated to an access entry, its access scope is typically one or more Kubernetes namespaces. If you want an IAM principal to have administrator access to all resources on your cluster, associate the <> access policy to your access entry instead. *ARN* – `{arn-aws}eks::aws:cluster-access-policy/AmazonEKSAdminPolicy` @@ -119,7 +119,7 @@ This access policy includes permissions that grant an IAM principal most permiss == AmazonEKSClusterAdminPolicy -This access policy includes permissions that grant an IAM principal administrator access to a cluster. When associated to an access entry, its access scope is typically the cluster, rather than a [.noloc]`Kubernetes` namespace. If you want an IAM principal to have a more limited administrative scope, consider associating the <> access policy to your access entry instead. +This access policy includes permissions that grant an IAM principal administrator access to a cluster. When associated to an access entry, its access scope is typically the cluster, rather than a Kubernetes namespace. If you want an IAM principal to have a more limited administrative scope, consider associating the <> access policy to your access entry instead. *ARN* – `{arn-aws}eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy` @@ -167,7 +167,7 @@ This access policy includes permissions that grant an IAM principal access to li == AmazonEKSEditPolicy -This access policy includes permissions that allow an IAM principal to edit most [.noloc]`Kubernetes` resources. +This access policy includes permissions that allow an IAM principal to edit most Kubernetes resources. *ARN* – `{arn-aws}eks::aws:cluster-access-policy/AmazonEKSEditPolicy` @@ -263,7 +263,7 @@ This access policy includes permissions that allow an IAM principal to edit most [#access-policy-permissions-amazoneksviewpolicy.json] == AmazonEKSViewPolicy -This access policy includes permissions that allow an IAM principal to view most [.noloc]`Kubernetes` resources. +This access policy includes permissions that allow an IAM principal to view most Kubernetes resources. *ARN* – `{arn-aws}eks::aws:cluster-access-policy/AmazonEKSViewPolicy` @@ -535,7 +535,7 @@ Amazon EKS automatically creates an access entry with this access policy for the == AmazonEKSHybridPolicy -This access policy includes permissions that grant EKS access to the nodes of a cluster. When associated to an access entry, its access scope is typically the cluster, rather than a [noloc]``Kubernetes`` namespace. This policy is used by Amazon EKS hybrid nodes. +This access policy includes permissions that grant EKS access to the nodes of a cluster. When associated to an access entry, its access scope is typically the cluster, rather than a Kubernetes namespace. This policy is used by Amazon EKS hybrid nodes. *ARN* – `arn:aws:eks::aws:cluster-access-policy/AmazonEKSHybridPolicy` diff --git a/latest/ug/manage-access/k8s-access/auth-configmap.adoc b/latest/ug/manage-access/k8s-access/auth-configmap.adoc index 14c193080..9aa3c38d2 100644 --- a/latest/ug/manage-access/k8s-access/auth-configmap.adoc +++ b/latest/ug/manage-access/k8s-access/auth-configmap.adoc @@ -1,6 +1,6 @@ [.topic] [#auth-configmap] -= Grant [.noloc]`IAM` users access to [.noloc]`Kubernetes` with a [.noloc]`ConfigMap` += Grant IAM users access to Kubernetes with a ConfigMap :info_titleabbrev: aws-auth ConfigMap include::../../attributes.txt[] @@ -13,21 +13,21 @@ Learn how to manage IAM principal access to your Amazon EKS cluster using the aw [IMPORTANT] ==== -The `aws-auth ConfigMap` is deprecated. For the recommended method to manage access to [.noloc]`Kubernetes` APIs, see <>. +The `aws-auth ConfigMap` is deprecated. For the recommended method to manage access to Kubernetes APIs, see <>. ==== -Access to your cluster using link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"] is enabled by the https://github.com/kubernetes-sigs/aws-iam-authenticator#readme[{aws} IAM Authenticator for Kubernetes], which runs on the Amazon EKS control plane. The authenticator gets its configuration information from the `aws-auth` `ConfigMap`. For all `aws-auth` `ConfigMap` settings, see https://github.com/kubernetes-sigs/aws-iam-authenticator#full-configuration-format[Full Configuration Format] on [.noloc]`GitHub`. +Access to your cluster using link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"] is enabled by the https://github.com/kubernetes-sigs/aws-iam-authenticator#readme[{aws} IAM Authenticator for Kubernetes], which runs on the Amazon EKS control plane. The authenticator gets its configuration information from the `aws-auth` `ConfigMap`. For all `aws-auth` `ConfigMap` settings, see https://github.com/kubernetes-sigs/aws-iam-authenticator#full-configuration-format[Full Configuration Format] on GitHub. [#aws-auth-users] == Add IAM principals to your Amazon EKS cluster -When you create an Amazon EKS cluster, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that creates the cluster is automatically granted `system:masters` permissions in the cluster's role-based access control (RBAC) configuration in the Amazon EKS control plane. This principal doesn't appear in any visible configuration, so make sure to keep track of which principal originally created the cluster. To grant additional IAM principals the ability to interact with your cluster, edit the `aws-auth ConfigMap` within [.noloc]`Kubernetes` and create a [.noloc]`Kubernetes` `rolebinding` or `clusterrolebinding` with the name of a `group` that you specify in the `aws-auth ConfigMap`. +When you create an Amazon EKS cluster, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that creates the cluster is automatically granted `system:masters` permissions in the cluster's role-based access control (RBAC) configuration in the Amazon EKS control plane. This principal doesn't appear in any visible configuration, so make sure to keep track of which principal originally created the cluster. To grant additional IAM principals the ability to interact with your cluster, edit the `aws-auth ConfigMap` within Kubernetes and create a Kubernetes `rolebinding` or `clusterrolebinding` with the name of a `group` that you specify in the `aws-auth ConfigMap`. [NOTE] ==== -For more information about [.noloc]`Kubernetes` role-based access control (RBAC) configuration, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Using RBAC Authorization] in the [.noloc]`Kubernetes` documentation. +For more information about Kubernetes role-based access control (RBAC) configuration, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Using RBAC Authorization] in the Kubernetes documentation. ==== . Determine which credentials `kubectl` is using to access your cluster. On your computer, you can see which credentials `kubectl` uses with the following command. Replace [.replaceable]`~/.kube/config` with the path to your `kubeconfig` file if you don't use the default path. @@ -85,9 +85,9 @@ Events: .... + The previous example is a default `aws-auth` `ConfigMap`. Only the node instance role has access to the cluster. -. Make sure that you have existing [.noloc]`Kubernetes` `roles` and `rolebindings` or `clusterroles` and `clusterrolebindings` that you can map IAM principals to. For more information about these resources, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Using RBAC Authorization] in the [.noloc]`Kubernetes` documentation. +. Make sure that you have existing Kubernetes `roles` and `rolebindings` or `clusterroles` and `clusterrolebindings` that you can map IAM principals to. For more information about these resources, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Using RBAC Authorization] in the Kubernetes documentation. + -.. View your existing [.noloc]`Kubernetes` `roles` or `clusterroles`. `Roles` are scoped to a `namespace`, but `clusterroles` are scoped to the cluster. +.. View your existing Kubernetes `roles` or `clusterroles`. `Roles` are scoped to a `namespace`, but `clusterroles` are scoped to the cluster. + [source,bash,subs="verbatim,attributes"] ---- @@ -113,7 +113,7 @@ Replace [.replaceable]`cluster-role-name` with a `clusterrole` name returned in ---- kubectl describe clusterrole cluster-role-name ---- -.. View your existing [.noloc]`Kubernetes` `rolebindings` or `clusterrolebindings`. `Rolebindings` are scoped to a `namespace`, but `clusterrolebindings` are scoped to the cluster. +.. View your existing Kubernetes `rolebindings` or `clusterrolebindings`. `Rolebindings` are scoped to a `namespace`, but `clusterrolebindings` are scoped to the cluster. + [source,bash,subs="verbatim,attributes"] ---- @@ -203,7 +203,7 @@ An example output is as follows. ARN USERNAME GROUPS ACCOUNT {arn-aws}iam::111122223333:role/eksctl-my-cluster-my-nodegroup-NodeInstanceRole-1XLS7754U3ZPA system:node:{{EC2PrivateDNSName}} system:bootstrappers,system:nodes ---- -. Add a mapping for a role. Replace [.replaceable]`my-role` with your role name. Replace [.replaceable]`eks-console-dashboard-full-access-group` with the name of the group specified in your [.noloc]`Kubernetes` `RoleBinding` or `ClusterRoleBinding` object. Replace [.replaceable]`111122223333` with your account ID. You can replace [.replaceable]`admin` with any name you choose. +. Add a mapping for a role. Replace [.replaceable]`my-role` with your role name. Replace [.replaceable]`eks-console-dashboard-full-access-group` with the name of the group specified in your Kubernetes `RoleBinding` or `ClusterRoleBinding` object. Replace [.replaceable]`111122223333` with your account ID. You can replace [.replaceable]`admin` with any name you choose. + [source,bash,subs="verbatim,attributes"] ---- @@ -221,7 +221,7 @@ An example output is as follows. [...] 2022-05-09 14:51:20 [ℹ] adding identity "{arn-aws}iam::111122223333:role/my-role" to auth ConfigMap ---- -. Add a mapping for a user. link:IAM/latest/UserGuide/id_users.html[IAM best practices,type="documentation"] recommend that you grant permissions to roles instead of users. Replace [.replaceable]`my-user` with your user name. Replace [.replaceable]`eks-console-dashboard-restricted-access-group` with the name of the group specified in your [.noloc]`Kubernetes` `RoleBinding` or `ClusterRoleBinding` object. Replace [.replaceable]`111122223333` with your account ID. You can replace [.replaceable]`my-user` with any name you choose. +. Add a mapping for a user. link:IAM/latest/UserGuide/id_users.html[IAM best practices,type="documentation"] recommend that you grant permissions to roles instead of users. Replace [.replaceable]`my-user` with your user name. Replace [.replaceable]`eks-console-dashboard-restricted-access-group` with the name of the group specified in your Kubernetes `RoleBinding` or `ClusterRoleBinding` object. Replace [.replaceable]`111122223333` with your account ID. You can replace [.replaceable]`my-user` with any name you choose. + [source,bash,subs="verbatim,attributes"] ---- @@ -269,18 +269,18 @@ NOTE: If you receive an error stating "``Error from server (NotFound): configmap ** *To add an IAM role (for example, for link:IAM/latest/UserGuide/id_roles_providers.html[federated users,type="documentation"]):* Add the role details to the `mapRoles` section of the `ConfigMap`, under `data`. Add this section if it does not already exist in the file. Each entry supports the following parameters: + *** *rolearn*: The ARN of the IAM role to add. This value can't include a path. For example, you can't specify an ARN such as `{arn-aws}iam::[.replaceable]``111122223333``:role/my-team/developers/[.replaceable]``role-name```. The ARN needs to be `{arn-aws}iam::[.replaceable]``111122223333``:role/[.replaceable]``role-name``` instead. -*** *username*: The user name within [.noloc]`Kubernetes` to map to the IAM role. -*** *groups*: The group or list of [.noloc]`Kubernetes` groups to map the role to. The group can be a default group, or a group specified in a `clusterrolebinding` or `rolebinding`. For more information, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings[Default roles and role bindings] in the [.noloc]`Kubernetes` documentation. +*** *username*: The user name within Kubernetes to map to the IAM role. +*** *groups*: The group or list of Kubernetes groups to map the role to. The group can be a default group, or a group specified in a `clusterrolebinding` or `rolebinding`. For more information, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings[Default roles and role bindings] in the Kubernetes documentation. ** *To add an IAM user:* link:IAM/latest/UserGuide/id_users.html[IAM best practices,type="documentation"] recommend that you grant permissions to roles instead of users. Add the user details to the `mapUsers` section of the `ConfigMap`, under `data`. Add this section if it does not already exist in the file. Each entry supports the following parameters: + *** *userarn*: The ARN of the IAM user to add. -*** *username*: The user name within [.noloc]`Kubernetes` to map to the IAM user. -*** *groups*: The group, or list of [.noloc]`Kubernetes` groups to map the user to. The group can be a default group, or a group specified in a `clusterrolebinding` or `rolebinding`. For more information, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings[Default roles and role bindings] in the [.noloc]`Kubernetes` documentation. +*** *username*: The user name within Kubernetes to map to the IAM user. +*** *groups*: The group, or list of Kubernetes groups to map the user to. The group can be a default group, or a group specified in a `clusterrolebinding` or `rolebinding`. For more information, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings[Default roles and role bindings] in the Kubernetes documentation. + . For example, the following YAML block contains: -** A `mapRoles` section that maps the IAM node instance to [.noloc]`Kubernetes` groups so that nodes can register themselves with the cluster and the `my-console-viewer-role` IAM role that is mapped to a [.noloc]`Kubernetes` group that can view all [.noloc]`Kubernetes` resources for all clusters. For a list of the IAM and [.noloc]`Kubernetes` group permissions required for the `my-console-viewer-role` IAM role, see <>. -** A `mapUsers` section that maps the `admin` IAM user from the default {aws} account to the `system:masters` [.noloc]`Kubernetes` group and the `my-user` user from a different {aws} account that is mapped to a [.noloc]`Kubernetes` group that can view [.noloc]`Kubernetes` resources for a specific namespace. For a list of the IAM and [.noloc]`Kubernetes` group permissions required for the `my-user` IAM user, see <>. +** A `mapRoles` section that maps the IAM node instance to Kubernetes groups so that nodes can register themselves with the cluster and the `my-console-viewer-role` IAM role that is mapped to a Kubernetes group that can view all Kubernetes resources for all clusters. For a list of the IAM and Kubernetes group permissions required for the `my-console-viewer-role` IAM role, see <>. +** A `mapUsers` section that maps the `admin` IAM user from the default {aws} account to the `system:masters` Kubernetes group and the `my-user` user from a different {aws} account that is mapped to a Kubernetes group that can view Kubernetes resources for a specific namespace. For a list of the IAM and Kubernetes group permissions required for the `my-user` IAM user, see <>. + Add or remove lines as necessary and replace all [.replaceable]`example values` with your own values. + diff --git a/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc b/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc index 1d426afbe..9e6481e06 100644 --- a/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc +++ b/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc @@ -1,6 +1,6 @@ [.topic] [#authenticate-oidc-identity-provider] -= Grant users access to [.noloc]`Kubernetes` with an external [.noloc]`OIDC` provider += Grant users access to Kubernetes with an external OIDC provider :info_titleabbrev: Link OIDC provider include::../../attributes.txt[] @@ -10,23 +10,23 @@ include::../../attributes.txt[] Learn how to authenticate users for your Amazon EKS cluster using OpenID Connect (OIDC) identity providers to manage access and permissions with roles, bindings, and RBAC authorization. -- -Amazon EKS supports using [.noloc]`OpenID Connect` ([.noloc]`OIDC`) identity providers as a method to authenticate users to your cluster. [.noloc]`OIDC` identity providers can be used with, or as an alternative to {aws} Identity and Access Management (IAM). For more information about using IAM, see <>. After configuring authentication to your cluster, you can create [.noloc]`Kubernetes` `roles` and `clusterroles` to assign permissions to the roles, and then bind the roles to the identities using [.noloc]`Kubernetes` `rolebindings` and `clusterrolebindings`. For more information, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Using RBAC Authorization] in the [.noloc]`Kubernetes` documentation. +Amazon EKS supports using OpenID Connect (OIDC) identity providers as a method to authenticate users to your cluster. OIDC identity providers can be used with, or as an alternative to {aws} Identity and Access Management (IAM). For more information about using IAM, see <>. After configuring authentication to your cluster, you can create Kubernetes `roles` and `clusterroles` to assign permissions to the roles, and then bind the roles to the identities using Kubernetes `rolebindings` and `clusterrolebindings`. For more information, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Using RBAC Authorization] in the Kubernetes documentation. -* You can associate one [.noloc]`OIDC` identity provider to your cluster. -* [.noloc]`Kubernetes` doesn't provide an [.noloc]`OIDC` identity provider. You can use an existing public [.noloc]`OIDC` identity provider, or you can run your own identity provider. For a list of certified providers, see https://openid.net/certification/[OpenID Certification] on the OpenID site. -* The issuer URL of the [.noloc]`OIDC` identity provider must be publicly accessible, so that Amazon EKS can discover the signing keys. Amazon EKS doesn't support [.noloc]`OIDC` identity providers with self-signed certificates. +* You can associate one OIDC identity provider to your cluster. +* Kubernetes doesn't provide an OIDC identity provider. You can use an existing public OIDC identity provider, or you can run your own identity provider. For a list of certified providers, see https://openid.net/certification/[OpenID Certification] on the OpenID site. +* The issuer URL of the OIDC identity provider must be publicly accessible, so that Amazon EKS can discover the signing keys. Amazon EKS doesn't support OIDC identity providers with self-signed certificates. * You can't disable IAM authentication to your cluster, because it's still required for joining nodes to a cluster. -* An Amazon EKS cluster must still be created by an {aws} link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"], rather than an [.noloc]`OIDC` identity provider user. This is because the cluster creator interacts with the Amazon EKS APIs, rather than the [.noloc]`Kubernetes` APIs. -* [.noloc]`OIDC` identity provider-authenticated users are listed in the cluster's audit log if CloudWatch logs are turned on for the control plane. For more information, see <>. -* You can't sign in to the {aws-management-console} with an account from an [.noloc]`OIDC` provider. You can only <> by signing into the {aws-management-console} with an {aws} Identity and Access Management account. +* An Amazon EKS cluster must still be created by an {aws} link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"], rather than an OIDC identity provider user. This is because the cluster creator interacts with the Amazon EKS APIs, rather than the Kubernetes APIs. +* OIDC identity provider-authenticated users are listed in the cluster's audit log if CloudWatch logs are turned on for the control plane. For more information, see <>. +* You can't sign in to the {aws-management-console} with an account from an OIDC provider. You can only <> by signing into the {aws-management-console} with an {aws} Identity and Access Management account. [#associate-oidc-identity-provider] -== Associate an [.noloc]`OIDC` identity provider +== Associate an OIDC identity provider -Before you can associate an [.noloc]`OIDC` identity provider with your cluster, you need the following information from your provider: +Before you can associate an OIDC identity provider with your cluster, you need the following information from your provider: @@ -43,7 +43,7 @@ You can associate an identity provider using `eksctl` or the {aws-management-con [#identity-associate-eksctl] === Associate an identity provider using eksctl -. Create a file named [.replaceable]`associate-identity-provider.yaml` with the following contents. Replace the [.replaceable]`example values` with your own. The values in the `identityProviders` section are obtained from your [.noloc]`OIDC` identity provider. Values are only required for the `name`, `type`, `issuerUrl`, and `clientId` settings under `identityProviders`. +. Create a file named [.replaceable]`associate-identity-provider.yaml` with the following contents. Replace the [.replaceable]`example values` with your own. The values in the `identityProviders` section are obtained from your OIDC identity provider. Values are only required for the `name`, `type`, `issuerUrl`, and `clientId` settings under `identityProviders`. + [source,yaml,subs="verbatim,attributes"] ---- @@ -77,18 +77,18 @@ IMPORTANT: Don't specify `system:`, or any portion of that string, for `groupsPr ---- eksctl associate identityprovider -f associate-identity-provider.yaml ---- -. To use `kubectl` to work with your cluster and [.noloc]`OIDC` identity provider, see https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-kubectl[Using kubectl] in the [.noloc]`Kubernetes` documentation. +. To use `kubectl` to work with your cluster and OIDC identity provider, see https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-kubectl[Using kubectl] in the Kubernetes documentation. [#identity-associate-console] === Associate an identity provider using the {aws} Console . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. . Select your cluster, and then select the *Access* tab. -. In the *[.noloc]`OIDC` Identity Providers* section, select* Associate Identity Provider*. -. On the *Associate [.noloc]`OIDC` Identity Provider* page, enter or select the following options, and then select *Associate*. +. In the *OIDC Identity Providers* section, select* Associate Identity Provider*. +. On the *Associate OIDC Identity Provider* page, enter or select the following options, and then select *Associate*. + ** For *Name*, enter a unique name for the provider. ** For *Issuer URL*, enter the URL for your provider. This URL must be accessible over the internet. -** For *Client ID*, enter the [.noloc]`OIDC` identity provider's client ID (also known as *audience*). +** For *Client ID*, enter the OIDC identity provider's client ID (also known as *audience*). ** For *Username claim*, enter the claim to use as the username. ** For *Groups claim*, enter the claim to use as the user's group. ** (Optional) Select *Advanced options*, enter or select the following information. @@ -96,13 +96,13 @@ eksctl associate identityprovider -f associate-identity-provider.yaml *** *Username prefix* – Enter a prefix to prepend to username claims. The prefix is prepended to username claims to prevent clashes with existing names. If you do not provide a value, and the username is a value other than `email`, the prefix defaults to the value for *Issuer URL*. You can use the value`` -`` to disable all prefixing. Don't specify `system:` or any portion of that string. *** *Groups prefix* – Enter a prefix to prepend to groups claims. The prefix is prepended to group claims to prevent clashes with existing names (such as`` system: groups``). For example, the value `oidc:` creates group names like `oidc:engineering` and `oidc:infra`. Don't specify `system:` or any portion of that string.. *** *Required claims* – Select *Add claim* and enter one or more key value pairs that describe required claims in the client ID token. The pairs describe required claims in the ID Token. If set, each claim is verified to be present in the ID token with a matching value. -.. To use `kubectl` to work with your cluster and [.noloc]`OIDC` identity provider, see https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-kubectl[Using kubectl] in the [.noloc]`Kubernetes` documentation. +.. To use `kubectl` to work with your cluster and OIDC identity provider, see https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-kubectl[Using kubectl] in the Kubernetes documentation. [#oidc-identity-provider-iam-policy] == Example IAM policy -If you want to prevent an [.noloc]`OIDC` identity provider from being associated with a cluster, create and associate the following IAM policy to the IAM accounts of your Amazon EKS administrators. For more information, see link:IAM/latest/UserGuide/access_policies_create.html[Creating IAM policies,type="documentation"] and link:IAM/latest/UserGuide/access_policies_manage-attach-detach.html#add-policies-console[Adding IAM identity permissions,type="documentation"] in the _IAM User Guide_ and link:service-authorization/latest/reference/list_amazonelasticcontainerserviceforkubernetes.html[Actions, resources, and condition keys for Amazon Elastic Kubernetes Service,type="documentation"] in the Service Authorization Reference. +If you want to prevent an OIDC identity provider from being associated with a cluster, create and associate the following IAM policy to the IAM accounts of your Amazon EKS administrators. For more information, see link:IAM/latest/UserGuide/access_policies_create.html[Creating IAM policies,type="documentation"] and link:IAM/latest/UserGuide/access_policies_manage-attach-detach.html#add-policies-console[Adding IAM identity permissions,type="documentation"] in the _IAM User Guide_ and link:service-authorization/latest/reference/list_amazonelasticcontainerserviceforkubernetes.html[Actions, resources, and condition keys for Amazon Elastic Kubernetes Service,type="documentation"] in the Service Authorization Reference. [source,json,subs="verbatim,attributes"] ---- @@ -130,7 +130,7 @@ If you want to prevent an [.noloc]`OIDC` identity provider from being associated } ---- -The following example policy allows [.noloc]`OIDC` identity provider association if the `clientID` is `kubernetes` and the `issuerUrl` is `https://cognito-idp.us-west-2amazonaws.com/*`. +The following example policy allows OIDC identity provider association if the `clientID` is `kubernetes` and the `issuerUrl` is `https://cognito-idp.us-west-2amazonaws.com/*`. [source,json,subs="verbatim,attributes"] ---- diff --git a/latest/ug/manage-access/k8s-access/creating-access-entries.adoc b/latest/ug/manage-access/k8s-access/creating-access-entries.adoc index eeaae1cad..b140eaa5d 100644 --- a/latest/ug/manage-access/k8s-access/creating-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/creating-access-entries.adoc @@ -62,11 +62,11 @@ If the ARN of the role that you specified contained a path, Amazon EKS removes i |=== + You can change the username after the access entry is created. -* If an access entry's type is `STANDARD`, and you want to use [.noloc]`Kubernetes` RBAC authorization, you can add one or more _group names_ to the access entry. After you create an access entry you can add and remove group names. For the IAM principal to have access to [.noloc]`Kubernetes` objects on your cluster, you must create and manage [.noloc]`Kubernetes` role-based authorization (RBAC) objects. Create [.noloc]`Kubernetes` `RoleBinding` or `ClusterRoleBinding` objects on your cluster that specify the group name as a `subject` for `kind: Group`. [.noloc]`Kubernetes` authorizes the IAM principal access to any cluster objects that you've specified in a [.noloc]`Kubernetes` `Role` or `ClusterRole` object that you've also specified in your binding's `roleRef`. If you specify group names, we recommend that you're familiar with the [.noloc]`Kubernetes` role-based authorization (RBAC) objects. For more information, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Using RBAC Authorization] in the [.noloc]`Kubernetes` documentation. +* If an access entry's type is `STANDARD`, and you want to use Kubernetes RBAC authorization, you can add one or more _group names_ to the access entry. After you create an access entry you can add and remove group names. For the IAM principal to have access to Kubernetes objects on your cluster, you must create and manage Kubernetes role-based authorization (RBAC) objects. Create Kubernetes `RoleBinding` or `ClusterRoleBinding` objects on your cluster that specify the group name as a `subject` for `kind: Group`. Kubernetes authorizes the IAM principal access to any cluster objects that you've specified in a Kubernetes `Role` or `ClusterRole` object that you've also specified in your binding's `roleRef`. If you specify group names, we recommend that you're familiar with the Kubernetes role-based authorization (RBAC) objects. For more information, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Using RBAC Authorization] in the Kubernetes documentation. + -IMPORTANT: Amazon EKS doesn't confirm that any [.noloc]`Kubernetes` RBAC objects that exist on your cluster include any of the group names that you specify. For example, if you create an access entry for group that currently doesn't exist, EKS will create the group instead of returning an error. +IMPORTANT: Amazon EKS doesn't confirm that any Kubernetes RBAC objects that exist on your cluster include any of the group names that you specify. For example, if you create an access entry for group that currently doesn't exist, EKS will create the group instead of returning an error. + -Instead of, or in addition to, [.noloc]`Kubernetes` authorizing the IAM principal access to [.noloc]`Kubernetes` objects on your cluster, you can associate Amazon EKS _access policies_ to an access entry. Amazon EKS authorizes IAM principals to access [.noloc]`Kubernetes` objects on your cluster with the permissions in the access policy. You can scope an access policy's permissions to [.noloc]`Kubernetes` namespaces that you specify. Use of access policies don't require you to manage [.noloc]`Kubernetes` RBAC objects. For more information, see <>. +Instead of, or in addition to, Kubernetes authorizing the IAM principal access to Kubernetes objects on your cluster, you can associate Amazon EKS _access policies_ to an access entry. Amazon EKS authorizes IAM principals to access Kubernetes objects on your cluster with the permissions in the access policy. You can scope an access policy's permissions to Kubernetes namespaces that you specify. Use of access policies don't require you to manage Kubernetes RBAC objects. For more information, see <>. * If you create an access entry with type `EC2_LINUX` or `EC2_Windows`, the IAM principal creating the access entry must have the `iam:PassRole` permission. For more information, see link:IAM/latest/UserGuide/id_roles_use_passrole.html[Granting a user permissions to pass a role to an {aws} service,type="documentation"] in the _IAM User Guide_. * Similar to standard link:IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency[IAM behavior,type="documentation"], access entry creation and updates are eventually consistent, and may take several seconds to be effective after the initial API call returns successfully. You must design your applications to account for these potential delays. We recommend that you don't include access entry creates or updates in the critical, high- availability code paths of your application. Instead, make changes in a separate initialization or setup routine that you run less frequently. Also, be sure to verify that the changes have been propagated before production workflows depend on them. * Access entries do not support link:IAM/latest/UserGuide/using-service-linked-roles.html[service linked roles,type="documentation"]. You cannot create access entries where the principal ARN is a service linked role. You can identify service linked roles by their ARN, which is in the format `{arn-aws}iam::*:role/aws-service-role/*`. @@ -83,16 +83,16 @@ You can create an access entry using the {aws-management-console} or the {aws} C . For *IAM principal*, select an existing IAM role or user. IAM best practices recommend accessing your cluster using IAM _roles_ that have short-term credentials, rather than IAM _users_ that have long-term credentials. For more information, see link:IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp[Require human users to use federation with an identity provider to access {aws} using temporary credentials,type="documentation"] in the _IAM User Guide_. . For *Type*, if the access entry is for the node role used for self-managed Amazon EC2 nodes, select *EC2 Linux* or *EC2 Windows*. Otherwise, accept the default (*Standard*). . If the *Type* you chose is *Standard* and you want to specify a *Username*, enter the username. -. If the *Type* you chose is *Standard* and you want to use [.noloc]`Kubernetes` RBAC authorization for the IAM principal, specify one or more names for *Groups*. If you don't specify any group names and want to use Amazon EKS authorization, you can associate an access policy in a later step, or after the access entry is created. +. If the *Type* you chose is *Standard* and you want to use Kubernetes RBAC authorization for the IAM principal, specify one or more names for *Groups*. If you don't specify any group names and want to use Amazon EKS authorization, you can associate an access policy in a later step, or after the access entry is created. . (Optional) For *Tags*, assign labels to the access entry. For example, to make it easier to find all resources with the same tag. . Choose *Next*. -. On the *Add access policy* page, if the type you chose was *Standard* and you want Amazon EKS to authorize the IAM principal to have permissions to the [.noloc]`Kubernetes` objects on your cluster, complete the following steps. Otherwise, choose *Next*. +. On the *Add access policy* page, if the type you chose was *Standard* and you want Amazon EKS to authorize the IAM principal to have permissions to the Kubernetes objects on your cluster, complete the following steps. Otherwise, choose *Next*. + -.. For *Policy name*, choose an access policy. You can't view the permissions of the access policies, but they include similar permissions to those in the [.noloc]`Kubernetes` user-facing `ClusterRole` objects. For more information, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles[User-facing roles] in the [.noloc]`Kubernetes` documentation. +.. For *Policy name*, choose an access policy. You can't view the permissions of the access policies, but they include similar permissions to those in the Kubernetes user-facing `ClusterRole` objects. For more information, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles[User-facing roles] in the Kubernetes documentation. .. Choose one of the following options: + -*** *Cluster* – Choose this option if you want Amazon EKS to authorize the IAM principal to have the permissions in the access policy for all [.noloc]`Kubernetes` objects on your cluster. -*** *[.noloc]`Kubernetes` namespace* – Choose this option if you want Amazon EKS to authorize the IAM principal to have the permissions in the access policy for all [.noloc]`Kubernetes` objects in a specific [.noloc]`Kubernetes` namespace on your cluster. For *Namespace*, enter the name of the [.noloc]`Kubernetes` namespace on your cluster. If you want to add additional namespaces, choose *Add new namespace* and enter the namespace name. +*** *Cluster* – Choose this option if you want Amazon EKS to authorize the IAM principal to have the permissions in the access policy for all Kubernetes objects on your cluster. +*** *Kubernetes namespace* – Choose this option if you want Amazon EKS to authorize the IAM principal to have the permissions in the access policy for all Kubernetes objects in a specific Kubernetes namespace on your cluster. For *Namespace*, enter the name of the Kubernetes namespace on your cluster. If you want to add additional namespaces, choose *Add new namespace* and enter the namespace name. .. If you want to add additional policies, choose *Add policy*. You can scope each policy differently, but you can add each policy only once. .. Choose *Next*. . Review the configuration for your access entry. If anything looks incorrect, choose *Previous* to go back through the steps and correct the error. If the configuration is correct, choose *Create*. @@ -112,7 +112,7 @@ aws eks create-access-entry --cluster-name my-cluster --principal-arn {arn-aws}i ---- + You can't use the `--kubernetes-groups` option when you specify a type other than `STANDARD`. You can't associate an access policy to this access entry, because its type is a value other than `STANDARD`. -** Create an access entry that allows an IAM role that's not used for an Amazon EC2 self-managed node group, that you want [.noloc]`Kubernetes` to authorize access to your cluster with. Replace [.replaceable]`my-cluster` with the name of your cluster, [.replaceable]`111122223333` with your {aws} account ID, and [.replaceable]`my-role` with the name of your IAM role. Replace [.replaceable]`Viewers` with the name of a group that you've specified in a [.noloc]`Kubernetes` `RoleBinding` or `ClusterRoleBinding` object on your cluster. +** Create an access entry that allows an IAM role that's not used for an Amazon EC2 self-managed node group, that you want Kubernetes to authorize access to your cluster with. Replace [.replaceable]`my-cluster` with the name of your cluster, [.replaceable]`111122223333` with your {aws} account ID, and [.replaceable]`my-role` with the name of your IAM role. Replace [.replaceable]`Viewers` with the name of a group that you've specified in a Kubernetes `RoleBinding` or `ClusterRoleBinding` object on your cluster. + [source,bash,subs="verbatim,attributes"] ---- @@ -125,4 +125,4 @@ aws eks create-access-entry --cluster-name my-cluster --principal-arn {arn-aws}i aws eks create-access-entry --cluster-name my-cluster --principal-arn {arn-aws}iam::111122223333:user/my-user --type STANDARD --username my-user ---- + -If you want this user to have more access to your cluster than the permissions in the [.noloc]`Kubernetes` API discovery roles, then you need to associate an access policy to the access entry, since the `--kubernetes-groups` option isn't used. For more information, see <> and https://kubernetes.io/docs/reference/access-authn-authz/rbac/#discovery-roles[API discovery roles] in the [.noloc]`Kubernetes` documentation. \ No newline at end of file +If you want this user to have more access to your cluster than the permissions in the Kubernetes API discovery roles, then you need to associate an access policy to the access entry, since the `--kubernetes-groups` option isn't used. For more information, see <> and https://kubernetes.io/docs/reference/access-authn-authz/rbac/#discovery-roles[API discovery roles] in the Kubernetes documentation. \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc b/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc index 75125a018..221dd3ff9 100644 --- a/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc +++ b/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc @@ -1,11 +1,11 @@ [.topic] [#disassociate-oidc-identity-provider] -= Disassociate an [.noloc]`OIDC` identity provider from your cluster += Disassociate an OIDC identity provider from your cluster :info_titleabbrev: Unlink OIDC provider include::../../attributes.txt[] -If you disassociate an [.noloc]`OIDC` identity provider from your cluster, users included in the provider can no longer access the cluster. However, you can still access the cluster with link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"]. +If you disassociate an OIDC identity provider from your cluster, users included in the provider can no longer access the cluster. However, you can still access the cluster with link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"]. . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. -. In the *[.noloc]`OIDC` Identity Providers* section, select *Disassociate*, enter the identity provider name, and then select `Disassociate`. \ No newline at end of file +. In the *OIDC Identity Providers* section, select *Disassociate*, enter the identity provider name, and then select `Disassociate`. \ No newline at end of file diff --git a/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc b/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc index 85e98299d..5ba4180b1 100644 --- a/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc +++ b/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc @@ -1,6 +1,6 @@ [.topic] [#grant-k8s-access] -= Grant [.noloc]`IAM` users and roles access to Kubernetes [.noloc]`APIs` += Grant IAM users and roles access to Kubernetes APIs :info_titleabbrev: Kubernetes API access include::../../attributes.txt[] @@ -10,20 +10,20 @@ include::../../attributes.txt[] Learn how to grant access to Kubernetes APIs on Amazon EKS clusters using IAM roles, users, or OpenID Connect providers, and manage permissions with access entries or the aws-auth ConfigMap. -- -Your cluster has an [.noloc]`Kubernetes` API endpoint. Kubectl uses this API. You can authenticate to this API using two types of identities: +Your cluster has an Kubernetes API endpoint. Kubectl uses this API. You can authenticate to this API using two types of identities: * *An {aws} Identity and Access Management (IAM) _principal_ (role or user)* – This type requires authentication to IAM. Users can sign in to {aws} as an link:IAM/latest/UserGuide/introduction.html[IAM,type="documentation"] user or with a link:identity/federation/[federated identity,type="marketing"] by using credentials provided through an identity source. Users can only sign in with a federated identity if your administrator previously set up identity federation using IAM roles. When users access {aws} by using federation, they're indirectly link:IAM/latest/UserGuide/when-to-use-iam.html#security-iam-authentication-iamrole[assuming a role,type="documentation"]. When users use this type of identity, you: + -** Can assign them [.noloc]`Kubernetes` permissions so that they can work with [.noloc]`Kubernetes` objects on your cluster. For more information about how to assign permissions to your IAM principals so that they're able to access [.noloc]`Kubernetes` objects on your cluster, see <>. +** Can assign them Kubernetes permissions so that they can work with Kubernetes objects on your cluster. For more information about how to assign permissions to your IAM principals so that they're able to access Kubernetes objects on your cluster, see <>. ** Can assign them IAM permissions so that they can work with your Amazon EKS cluster and its resources using the Amazon EKS API, {aws} CLI, {aws} CloudFormation, {aws-management-console}, or `eksctl`. For more information, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the Service Authorization Reference. ** Nodes join your cluster by assuming an IAM role. The ability to access your cluster using IAM principals is provided by the https://github.com/kubernetes-sigs/aws-iam-authenticator#readme[{aws} IAM Authenticator for Kubernetes], which runs on the Amazon EKS control plane. -* *A user in your own [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider* - – This type requires authentication to your https://openid.net/connect/[OIDC] provider. For more information about setting up your own [.noloc]`OIDC` provider with your Amazon EKS cluster, see <>. When users use this type of identity, you: +* *A user in your own OpenID Connect (OIDC) provider* + – This type requires authentication to your https://openid.net/connect/[OIDC] provider. For more information about setting up your own OIDC provider with your Amazon EKS cluster, see <>. When users use this type of identity, you: + -** Can assign them [.noloc]`Kubernetes` permissions so that they can work with [.noloc]`Kubernetes` objects on your cluster. +** Can assign them Kubernetes permissions so that they can work with Kubernetes objects on your cluster. ** Can't assign them IAM permissions so that they can work with your Amazon EKS cluster and its resources using the Amazon EKS API, {aws} CLI, {aws} CloudFormation, {aws-management-console}, or `eksctl`. You can use both types of identities with your cluster. The IAM authentication method cannot be disabled. The OIDC authentication method is optional. @@ -31,18 +31,18 @@ You can use both types of identities with your cluster. The IAM authentication m [#authentication-modes] == Associate IAM Identities with Kubernetes Permissions -The https://github.com/kubernetes-sigs/aws-iam-authenticator#readme[{aws} IAM Authenticator for Kubernetes] is installed on your cluster's control plane. It enables link:IAM/latest/UserGuide/introduction.html[{aws} Identity and Access Management,type="documentation"] (IAM) principals (roles and users) that you allow to access [.noloc]`Kubernetes` resources on your cluster. You can allow IAM principals to access [.noloc]`Kubernetes` objects on your cluster using one of the following methods: +The https://github.com/kubernetes-sigs/aws-iam-authenticator#readme[{aws} IAM Authenticator for Kubernetes] is installed on your cluster's control plane. It enables link:IAM/latest/UserGuide/introduction.html[{aws} Identity and Access Management,type="documentation"] (IAM) principals (roles and users) that you allow to access Kubernetes resources on your cluster. You can allow IAM principals to access Kubernetes objects on your cluster using one of the following methods: * *Creating access entries* - – If your cluster is at or later than the platform version listed in the <> section for your cluster's [.noloc]`Kubernetes` version, we recommend that you use this option. + – If your cluster is at or later than the platform version listed in the <> section for your cluster's Kubernetes version, we recommend that you use this option. + -Use _access entries_ to manage the [.noloc]`Kubernetes` permissions of IAM principals from outside the cluster. You can add and manage access to the cluster by using the EKS API, {aws} Command Line Interface, {aws} SDKs, {aws} CloudFormation, and {aws-management-console}. This means you can manage users with the same tools that you created the cluster with. +Use _access entries_ to manage the Kubernetes permissions of IAM principals from outside the cluster. You can add and manage access to the cluster by using the EKS API, {aws} Command Line Interface, {aws} SDKs, {aws} CloudFormation, and {aws-management-console}. This means you can manage users with the same tools that you created the cluster with. + To get started, follow <>, then <>. * *Adding entries to the `aws-auth` `ConfigMap`* - – If your cluster's platform version is earlier than the version listed in the <> section, then you must use this option. If your cluster's platform version is at or later than the platform version listed in the <> section for your cluster's [.noloc]`Kubernetes` version, and you've added entries to the `ConfigMap`, then we recommend that you migrate those entries to access entries. You can't migrate entries that Amazon EKS added to the `ConfigMap` however, such as entries for IAM roles used with managed node groups or Fargate profiles. For more information, see <>. + – If your cluster's platform version is earlier than the version listed in the <> section, then you must use this option. If your cluster's platform version is at or later than the platform version listed in the <> section for your cluster's Kubernetes version, and you've added entries to the `ConfigMap`, then we recommend that you migrate those entries to access entries. You can't migrate entries that Amazon EKS added to the `ConfigMap` however, such as entries for IAM roles used with managed node groups or Fargate profiles. For more information, see <>. + ** If you have to use the `aws-auth` `ConfigMap` option, you can add entries to the `ConfigMap` using the `eksctl create iamidentitymapping` command. For more information, see https://eksctl.io/usage/iam-identity-mappings/[Manage IAM users and roles] in the `eksctl` documentation. @@ -50,7 +50,7 @@ To get started, follow <> and <>. * An existing cluster with a platform version that is at or later than the versions listed in the Prerequisites of the <> topic. * Version `{eksctl-min-version}` or later of the `eksctl` command line tool installed on your device or {aws} CloudShell. To install or update `eksctl`, see https://eksctl.io/installation[Installation] in the `eksctl` documentation. -* [.noloc]`Kubernetes` permissions to modify the `aws-auth` `ConfigMap` in the `kube-system` namespace. +* Kubernetes permissions to modify the `aws-auth` `ConfigMap` in the `kube-system` namespace. * An {aws} Identity and Access Management role or user with the following permissions: `CreateAccessEntry` and `ListAccessEntries`. For more information, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the Service Authorization Reference. diff --git a/latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc b/latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc index 1e900ca04..ae9df7147 100644 --- a/latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc @@ -13,11 +13,11 @@ To begin using access entries, you must change the authentication mode of the cl . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. . Choose the name of the cluster that you want to create an access entry in. . Choose the *Access* tab. -. The *Authentication mode* shows the current authentication mode of the cluster. If the mode says [.noloc]`EKS API`, you can already add access entries and you can skip the remaining steps. +. The *Authentication mode* shows the current authentication mode of the cluster. If the mode says EKS API, you can already add access entries and you can skip the remaining steps. . Choose *Manage access*. -. For *Cluster authentication mode*, select a mode with the [.noloc]`EKS API`. Note that you can't change the authentication mode back to a mode that removes the [.noloc]`EKS API` and access entries. -. Choose *Save changes*. Amazon EKS begins to update the cluster, the status of the cluster changes to [.noloc]`Updating`, and the change is recorded in the *Update history* tab. -. Wait for the status of the cluster to return to [.noloc]`Active`. When the cluster is [.noloc]`Active`, you can follow the steps in <> to add access to the cluster for IAM principals. +. For *Cluster authentication mode*, select a mode with the EKS API. Note that you can't change the authentication mode back to a mode that removes the EKS API and access entries. +. Choose *Save changes*. Amazon EKS begins to update the cluster, the status of the cluster changes to Updating, and the change is recorded in the *Update history* tab. +. Wait for the status of the cluster to return to Active. When the cluster is Active, you can follow the steps in <> to add access to the cluster for IAM principals. [#access-setup-cli] == {aws} CLI @@ -25,18 +25,18 @@ To begin using access entries, you must change the authentication mode of the cl . Install the {aws} CLI, as described in link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] in the _{aws} Command Line Interface User Guide_. . Run the following command. Replace [.replaceable]`my-cluster` with the name of your cluster. If you want to disable the `ConfigMap` method permanently, replace `API_AND_CONFIG_MAP` with `API`. + -Amazon EKS begins to update the cluster, the status of the cluster changes to [.noloc]`UPDATING`, and the change is recorded in the [command]*aws eks list-updates*. +Amazon EKS begins to update the cluster, the status of the cluster changes to UPDATING, and the change is recorded in the [command]*aws eks list-updates*. + [source,bash] ---- aws eks update-cluster-config --name my-cluster --access-config authenticationMode=API_AND_CONFIG_MAP ---- -. Wait for the status of the cluster to return to [.noloc]`Active`. When the cluster is [.noloc]`Active`, you can follow the steps in <> to add access to the cluster for IAM principals. +. Wait for the status of the cluster to return to Active. When the cluster is Active, you can follow the steps in <> to add access to the cluster for IAM principals. == Required platform version -To use _access entries_, the cluster must have a platform version that is the same or later than the version listed in the following table, or a [.noloc]`Kubernetes` version that is later than the versions listed in the table. If your Kubernetes version is not listed, all platform versions support access entries. +To use _access entries_, the cluster must have a platform version that is the same or later than the version listed in the following table, or a Kubernetes version that is later than the versions listed in the table. If your Kubernetes version is not listed, all platform versions support access entries. [cols="1,1", options="header"] |=== diff --git a/latest/ug/manage-access/view-kubernetes-resources.adoc b/latest/ug/manage-access/view-kubernetes-resources.adoc index 9ea9e4cc3..9702d0e57 100644 --- a/latest/ug/manage-access/view-kubernetes-resources.adoc +++ b/latest/ug/manage-access/view-kubernetes-resources.adoc @@ -2,40 +2,40 @@ include::../attributes.txt[] [.topic] [#view-kubernetes-resources] -= View [.noloc]`Kubernetes` resources in the {aws-management-console} += View Kubernetes resources in the {aws-management-console} :info_titleabbrev: Access cluster resources [abstract] -- -Learn how to view [.noloc]`Kubernetes` resources in the {aws-management-console}. +Learn how to view Kubernetes resources in the {aws-management-console}. -- -You can view the [.noloc]`Kubernetes` resources deployed to your cluster with the {aws-management-console}. You can't view [.noloc]`Kubernetes` resources with the {aws} CLI or https://eksctl.io/[eksctl]. To view [.noloc]`Kubernetes` resources using a command-line tool, use <>. +You can view the Kubernetes resources deployed to your cluster with the {aws-management-console}. You can't view Kubernetes resources with the {aws} CLI or https://eksctl.io/[eksctl]. To view Kubernetes resources using a command-line tool, use <>. [NOTE] ==== -To view the *Resources* tab and *Nodes* section on the *Compute* tab in the {aws-management-console}, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that you're using must have specific IAM and [.noloc]`Kubernetes` permissions. For more information, see <>. +To view the *Resources* tab and *Nodes* section on the *Compute* tab in the {aws-management-console}, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that you're using must have specific IAM and Kubernetes permissions. For more information, see <>. ==== . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. -. In the *Clusters* list, select the cluster that contains the [.noloc]`Kubernetes` resources that you want to view. +. In the *Clusters* list, select the cluster that contains the Kubernetes resources that you want to view. . Select the *Resources* tab. . Select a *Resource type* group that you want to view resources for, such as *Workloads*. You see a list of resource types in that group. -. Select a resource type, such as *Deployments*, in the *Workloads* group. You see a description of the resource type, a link to the [.noloc]`Kubernetes` documentation for more information about the resource type, and a list of resources of that type that are deployed on your cluster. If the list is empty, then there are no resources of that type deployed to your cluster. +. Select a resource type, such as *Deployments*, in the *Workloads* group. You see a description of the resource type, a link to the Kubernetes documentation for more information about the resource type, and a list of resources of that type that are deployed on your cluster. If the list is empty, then there are no resources of that type deployed to your cluster. . Select a resource to view more information about it. Try the following examples: + -** Select the *Workloads* group, select the *Deployments* resource type, and then select the *coredns* resource. When you select a resource, you are in *Structured view*, by default. For some resource types, you see a *Pods* section in *Structured view*. This section lists the [.noloc]`Pods` managed by the workload. You can select any [.noloc]`Pod` listed to view information about the [.noloc]`Pod`. Not all resource types display information in *Structured View*. If you select *Raw view* in the top right corner of the page for the resource, you see the complete JSON response from the [.noloc]`Kubernetes` API for the resource. -** Select the *Cluster* group and then select the *Nodes* resource type. You see a list of all nodes in your cluster. The nodes can be any <>. This is the same list that you see in the *Nodes* section when you select the *Compute* tab for your cluster. Select a node resource from the list. In *Structured view*, you also see a *Pods* section. This section shows you all [.noloc]`Pods` running on the node. +** Select the *Workloads* group, select the *Deployments* resource type, and then select the *coredns* resource. When you select a resource, you are in *Structured view*, by default. For some resource types, you see a *Pods* section in *Structured view*. This section lists the Pods managed by the workload. You can select any Pod listed to view information about the Pod. Not all resource types display information in *Structured View*. If you select *Raw view* in the top right corner of the page for the resource, you see the complete JSON response from the Kubernetes API for the resource. +** Select the *Cluster* group and then select the *Nodes* resource type. You see a list of all nodes in your cluster. The nodes can be any <>. This is the same list that you see in the *Nodes* section when you select the *Compute* tab for your cluster. Select a node resource from the list. In *Structured view*, you also see a *Pods* section. This section shows you all Pods running on the node. [#view-kubernetes-resources-permissions] == Required permissions -To view the *Resources* tab and *Nodes* section on the *Compute* tab in the {aws-management-console}, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that you're using must have specific minimum IAM and [.noloc]`Kubernetes` permissions. Complete the following steps to assign the required permissions to your IAM principals. +To view the *Resources* tab and *Nodes* section on the *Compute* tab in the {aws-management-console}, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that you're using must have specific minimum IAM and Kubernetes permissions. Complete the following steps to assign the required permissions to your IAM principals. -. Make sure that the `eks:AccessKubernetesApi`, and other necessary IAM permissions to view [.noloc]`Kubernetes` resources, are assigned to the IAM principal that you're using. For more information about how to edit permissions for an IAM principal, see link:IAM/latest/UserGuide/access_controlling.html#access_controlling-principals[Controlling access for principals,type="documentation"] in the IAM User Guide. For more information about how to edit permissions for a role, see link:IAM/latest/UserGuide/roles-managingrole-editing-console.html#roles-modify_permissions-policy[Modifying a role permissions policy (console),type="documentation"] in the IAM User Guide. +. Make sure that the `eks:AccessKubernetesApi`, and other necessary IAM permissions to view Kubernetes resources, are assigned to the IAM principal that you're using. For more information about how to edit permissions for an IAM principal, see link:IAM/latest/UserGuide/access_controlling.html#access_controlling-principals[Controlling access for principals,type="documentation"] in the IAM User Guide. For more information about how to edit permissions for a role, see link:IAM/latest/UserGuide/roles-managingrole-editing-console.html#roles-modify_permissions-policy[Modifying a role permissions policy (console),type="documentation"] in the IAM User Guide. + -The following example policy includes the necessary permissions for a principal to view [.noloc]`Kubernetes` resources for all clusters in your account. Replace [.replaceable]`111122223333` with your {aws} account ID. +The following example policy includes the necessary permissions for a principal to view Kubernetes resources for all clusters in your account. Replace [.replaceable]`111122223333` with your {aws} account ID. + [source,json,subs="verbatim,attributes"] ---- @@ -68,10 +68,10 @@ The following example policy includes the necessary permissions for a principal } ---- + -To view nodes in <>, the <> should be able to impersonate the principal in the cluster. This allows the <> to map the principal to a [.noloc]`Kubernetes` user. -. Create a [.noloc]`Kubernetes` `rolebinding` or `clusterrolebinding` that is bound to a [.noloc]`Kubernetes` `role` or `clusterrole` that has the necessary permissions to view the [.noloc]`Kubernetes` resources. To learn more about [.noloc]`Kubernetes` roles and role bindings, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Using RBAC Authorization] in the [.noloc]`Kubernetes` documentation. You can apply one of the following manifests to your cluster that create a `role` and `rolebinding` or a `clusterrole` and `clusterrolebinding` with the necessary [.noloc]`Kubernetes` permissions: +To view nodes in <>, the <> should be able to impersonate the principal in the cluster. This allows the <> to map the principal to a Kubernetes user. +. Create a Kubernetes `rolebinding` or `clusterrolebinding` that is bound to a Kubernetes `role` or `clusterrole` that has the necessary permissions to view the Kubernetes resources. To learn more about Kubernetes roles and role bindings, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Using RBAC Authorization] in the Kubernetes documentation. You can apply one of the following manifests to your cluster that create a `role` and `rolebinding` or a `clusterrole` and `clusterrolebinding` with the necessary Kubernetes permissions: + -View [.noloc]`Kubernetes` resources in all namespaces::: +View Kubernetes resources in all namespaces::: ** The group name in the file is `eks-console-dashboard-full-access-group`. Apply the manifest to your cluster with the following command: + [source,bash,subs="verbatim,attributes"] @@ -80,7 +80,7 @@ kubectl apply -f https://s3.us-west-2.amazonaws.com/amazon-eks/docs/eks-console- ---- -View [.noloc]`Kubernetes` resources in a specific namespace::: +View Kubernetes resources in a specific namespace::: ** The namespace in this file is `default`. The group name in the file is `eks-console-dashboard-restricted-access-group`. Apply the manifest to your cluster with the following command: + [source,bash,subs="verbatim,attributes"] @@ -88,7 +88,7 @@ View [.noloc]`Kubernetes` resources in a specific namespace::: kubectl apply -f https://s3.us-west-2.amazonaws.com/amazon-eks/docs/eks-console-restricted-access.yaml ---- + -If you need to change the [.noloc]`Kubernetes` group name, namespace, permissions, or any other configuration in the file, then download the file and edit it before applying it to your cluster: +If you need to change the Kubernetes group name, namespace, permissions, or any other configuration in the file, then download the file and edit it before applying it to your cluster: + .. Download the file with one of the following commands: + @@ -113,7 +113,7 @@ kubectl apply -f eks-console-full-access.yaml ---- kubectl apply -f eks-console-restricted-access.yaml ---- -. Map the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] to the [.noloc]`Kubernetes` user or group in the `aws-auth` `ConfigMap`. You can use a tool such as `eksctl` to update the `ConfigMap` or you can update it manually by editing it. +. Map the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] to the Kubernetes user or group in the `aws-auth` `ConfigMap`. You can use a tool such as `eksctl` to update the `ConfigMap` or you can update it manually by editing it. + IMPORTANT: We recommend using `eksctl`, or another tool, to edit the `ConfigMap`. For information about other tools you can use, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#use-tools-to-make-changes-to-the-aws-auth-configmap[Use tools to make changes to the aws-authConfigMap] in the Amazon EKS best practices guides. An improperly formatted `aws-auth` `ConfigMap` can cause you to lose access to your cluster. @@ -205,7 +205,7 @@ For more information about adding users or roles to the `aws-auth` `ConfigMap`, ---- kubectl edit -n kube-system configmap/aws-auth ---- -. Add the mappings to the `aws-auth` `ConfigMap`, but don't replace any of the existing mappings. The following example adds mappings between link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"] with permissions added in the first step and the [.noloc]`Kubernetes` groups created in the previous step: +. Add the mappings to the `aws-auth` `ConfigMap`, but don't replace any of the existing mappings. The following example adds mappings between link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"] with permissions added in the first step and the Kubernetes groups created in the previous step: + ** The [.replaceable]`my-console-viewer-role` role and the `eks-console-dashboard-full-access-group`. ** The [.replaceable]`my-user` user and the `eks-console-dashboard-restricted-access-group`. diff --git a/latest/ug/ml/capacity-blocks-mng.adoc b/latest/ug/ml/capacity-blocks-mng.adoc index 934f3c872..64955b216 100644 --- a/latest/ug/ml/capacity-blocks-mng.adoc +++ b/latest/ug/ml/capacity-blocks-mng.adoc @@ -82,8 +82,8 @@ aws eks create-nodegroup \ + ** Create a scheduled scaling policy for the ASG that aligns to the Capacity Block reservation start time. For more information, see link:autoscaling/ec2/userguide/ec2-auto-scaling-scheduled-scaling.html[Scheduled scaling for Amazon EC2 Auto Scaling,type="documentation"] in the _Amazon EC2 Auto Scaling User Guide_. ** Use the Amazon EKS console or `eks update-nodegroup-config` to update the scaling config and set the desired size of the node group. -** Use the [.noloc]`Kubernetes` Cluster Autoscaler. For more information, see https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaler on {aws}]. -. The node group is now ready for workloads and [.noloc]`Pods` to be scheduled. -. In order for your [.noloc]`Pods` to be gracefully drained before reservation ends, Amazon EKS uses a scheduled scaling policy to scale down the node group size to `0` . This scheduled scaling will be set with name titled `Amazon EKS Node Group Capacity Scaledown Before Reservation End` . We recommend not editing or deleting this action. +** Use the Kubernetes Cluster Autoscaler. For more information, see https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaler on {aws}]. +. The node group is now ready for workloads and Pods to be scheduled. +. In order for your Pods to be gracefully drained before reservation ends, Amazon EKS uses a scheduled scaling policy to scale down the node group size to `0` . This scheduled scaling will be set with name titled `Amazon EKS Node Group Capacity Scaledown Before Reservation End` . We recommend not editing or deleting this action. + -Amazon EC2 starts shutting down the instances 30 minutes before reservation end time. As a result, Amazon EKS will setup a scheduled scale down on the node group 40 minutes prior to their reservation end in order to safely and gracefully evict [.noloc]`Pods`. \ No newline at end of file +Amazon EC2 starts shutting down the instances 30 minutes before reservation end time. As a result, Amazon EKS will setup a scheduled scale down on the node group 40 minutes prior to their reservation end in order to safely and gracefully evict Pods. \ No newline at end of file diff --git a/latest/ug/ml/capacity-blocks.adoc b/latest/ug/ml/capacity-blocks.adoc index 62f9f037e..c0a2e01e9 100644 --- a/latest/ug/ml/capacity-blocks.adoc +++ b/latest/ug/ml/capacity-blocks.adoc @@ -20,10 +20,10 @@ Capacity Blocks for machine learning (ML) allow you to reserve GPU instances on * Capacity Blocks are only available for certain Amazon EC2 instance types and {aws} Regions. For compatibility information, see link:AWSEC2/latest/UserGuide/capacity-blocks-using.html#capacity-blocks-prerequisites[Work with Capacity Blocks Prerequisites,type="documentation"] in the _Amazon EC2 User Guide for Linux Instances_. -* Capacity Blocks currently cannot be used with [.noloc]`Karpenter`. +* Capacity Blocks currently cannot be used with Karpenter. * If you create a self-managed node group prior to the capacity reservation becoming active, then set the desired capacity to `0`. * To allow sufficient time to gracefully drain the node(s), we suggest that you schedule scaling to scale to zero more than 30 minutes before the Capacity Block reservation end time. -* In order for your [.noloc]`Pods` to be gracefully drained, we recommend that you set up {aws} Node Termination Handler as explained in the example steps. +* In order for your Pods to be gracefully drained, we recommend that you set up {aws} Node Termination Handler as explained in the example steps. ==== @@ -91,13 +91,13 @@ NodeGroup: PropagateAtLaunch: true Value: owned ---- -. Once the node group is created successfully, make sure to record the `NodeInstanceRole` for the node group that was created. You need this in order to make sure that when node group is scaled, the new nodes join the cluster and [.noloc]`Kubernetes` is able to recognize the nodes. For more information, see the {aws-management-console} instructions in <>. +. Once the node group is created successfully, make sure to record the `NodeInstanceRole` for the node group that was created. You need this in order to make sure that when node group is scaled, the new nodes join the cluster and Kubernetes is able to recognize the nodes. For more information, see the {aws-management-console} instructions in <>. . We recommend that you create a scheduled scaling policy for the Auto Scaling group that aligns to the Capacity Block reservation times. For more information, see link:autoscaling/ec2/userguide/ec2-auto-scaling-scheduled-scaling.html[Scheduled scaling for Amazon EC2 Auto Scaling,type="documentation"] in the _Amazon EC2 Auto Scaling User Guide_. + You can use all of the instances you reserved until 30 minutes before the end time of the Capacity Block. Instances that are still running at that time will start terminating. To allow sufficient time to gracefully drain the node(s), we suggest that you schedule scaling to scale to zero more than 30 minutes before the Capacity Block reservation end time. + If you want to instead scale up manually whenever the capacity reservation becomes `Active`, then you need to update the Auto Scaling group's desired capacity at the start time of the Capacity Block reservation. Then you would need to also scale down manually more than 30 minutes before the Capacity Block reservation end time. -. The node group is now ready for workloads and [.noloc]`Pods` to be scheduled. -. In order for your [.noloc]`Pods` to be gracefully drained, we recommend that you set up {aws} Node Termination Handler. This handler will be able to watch for "ASG Scale-in" lifecycle events from Amazon EC2 Auto Scaling using EventBridge and allow the [.noloc]`Kubernetes` control plane to take required action before the instance becomes unavailable. Otherwise, your [.noloc]`Pods` and [.noloc]`Kubernetes` objects will get stuck in a pending state. For more information, see https://github.com/aws/aws-node-termination-handler[{aws} Node Termination Handler] on GitHub. +. The node group is now ready for workloads and Pods to be scheduled. +. In order for your Pods to be gracefully drained, we recommend that you set up {aws} Node Termination Handler. This handler will be able to watch for "ASG Scale-in" lifecycle events from Amazon EC2 Auto Scaling using EventBridge and allow the Kubernetes control plane to take required action before the instance becomes unavailable. Otherwise, your Pods and Kubernetes objects will get stuck in a pending state. For more information, see https://github.com/aws/aws-node-termination-handler[{aws} Node Termination Handler] on GitHub. + -If you don't setup a Node Termination Handler, we recommend that you start draining your [.noloc]`Pods` manually before hitting the 30 minute window so that they have enough time to be gracefully drained. \ No newline at end of file +If you don't setup a Node Termination Handler, we recommend that you start draining your Pods manually before hitting the 30 minute window so that they have enough time to be gracefully drained. \ No newline at end of file diff --git a/latest/ug/ml/inferentia-support.adoc b/latest/ug/ml/inferentia-support.adoc index 8e1082409..6bfb4e48e 100644 --- a/latest/ug/ml/inferentia-support.adoc +++ b/latest/ug/ml/inferentia-support.adoc @@ -2,7 +2,7 @@ include::../attributes.txt[] [.topic] [#inferentia-support] -= Use {aws} [.noloc]`Inferentia` instances with Amazon EKS for Machine Learning += Use {aws} Inferentia instances with Amazon EKS for Machine Learning :info_titleabbrev: Prepare Inferentia clusters [abstract] @@ -15,7 +15,7 @@ This topic describes how to create an Amazon EKS cluster with nodes running link [NOTE] ==== -Neuron device logical IDs must be contiguous. If a [.noloc]`Pod` requesting multiple Neuron devices is scheduled on an `inf1.6xlarge` or `inf1.24xlarge` instance type (which have more than one Neuron device), that [.noloc]`Pod` will fail to start if the [.noloc]`Kubernetes` scheduler selects non-contiguous device IDs. For more information, see https://github.com/aws/aws-neuron-sdk/issues/110[Device logical IDs must be contiguous] on [.noloc]`GitHub`. +Neuron device logical IDs must be contiguous. If a Pod requesting multiple Neuron devices is scheduled on an `inf1.6xlarge` or `inf1.24xlarge` instance type (which have more than one Neuron device), that Pod will fail to start if the Kubernetes scheduler selects non-contiguous device IDs. For more information, see https://github.com/aws/aws-neuron-sdk/issues/110[Device logical IDs must be contiguous] on GitHub. ==== @@ -56,8 +56,8 @@ NOTE: Note the value of the following line of the output. It's used in a later ( [9] adding identity "{arn-aws}iam::111122223333:role/eksctl-inferentia-nodegroup-ng-in-NodeInstanceRole-FI7HIYS3BS09" to auth ConfigMap ---- + -When launching a node group with `Inf1` instances, `eksctl` automatically installs the {aws} Neuron [.noloc]`Kubernetes` device plugin. This plugin advertises Neuron devices as a system resource to the [.noloc]`Kubernetes` scheduler, which can be requested by a container. In addition to the default Amazon EKS node IAM policies, the Amazon S3 read only access policy is added so that the sample application, covered in a later step, can load a trained model from Amazon S3. -. Make sure that all [.noloc]`Pods` have started correctly. +When launching a node group with `Inf1` instances, `eksctl` automatically installs the {aws} Neuron Kubernetes device plugin. This plugin advertises Neuron devices as a system resource to the Kubernetes scheduler, which can be requested by a container. In addition to the default Amazon EKS node IAM policies, the Amazon S3 read only access policy is added so that the sample application, covered in a later step, can load a trained model from Amazon S3. +. Make sure that all Pods have started correctly. + [source,bash,subs="verbatim,attributes"] ---- @@ -80,7 +80,7 @@ neuron-device-plugin-daemonset-hwjsj 1/1 Running 0 5m A trained model must be compiled to an Inferentia target before it can be deployed on Inferentia instances. To continue, you will need a https://awsdocs-neuron.readthedocs-hosted.com/en/latest/neuron-guide/neuron-frameworks/tensorflow-neuron/index.html[Neuron optimized TensorFlow] model saved in Amazon S3. If you don't already have a SavedModel, please follow the tutorial for link:dlami/latest/devguide/tutorial-inferentia-tf-neuron.html[creating a Neuron compatible ResNet50 model,type="documentation"] and upload the resulting SavedModel to S3. ResNet-50 is a popular machine learning model used for image recognition tasks. For more information about compiling Neuron models, see link:dlami/latest/devguide/tutorial-inferentia.html[The {aws} Inferentia Chip With DLAMI,type="documentation"] in the {aws} Deep Learning AMIs Developer Guide. -The sample deployment manifest manages a pre-built inference serving container for TensorFlow provided by {aws} Deep Learning Containers. Inside the container is the {aws} Neuron Runtime and the TensorFlow Serving application. A complete list of pre-built Deep Learning Containers optimized for Neuron is maintained on [.noloc]`GitHub` under https://github.com/aws/deep-learning-containers/blob/master/available_images.md#neuron-inference-containers[Available Images]. At start-up, the DLC will fetch your model from Amazon S3, launch Neuron TensorFlow Serving with the saved model, and wait for prediction requests. +The sample deployment manifest manages a pre-built inference serving container for TensorFlow provided by {aws} Deep Learning Containers. Inside the container is the {aws} Neuron Runtime and the TensorFlow Serving application. A complete list of pre-built Deep Learning Containers optimized for Neuron is maintained on GitHub under https://github.com/aws/deep-learning-containers/blob/master/available_images.md#neuron-inference-containers[Available Images]. At start-up, the DLC will fetch your model from Amazon S3, launch Neuron TensorFlow Serving with the saved model, and wait for prediction requests. The number of Neuron devices allocated to your serving application can be adjusted by changing the `aws.amazon.com/neuron` resource in the deployment yaml. Please note that communication between TensorFlow Serving and the Neuron runtime happens over GRPC, which requires passing the `IPC_LOCK` capability to the container. @@ -187,7 +187,7 @@ spec: app: eks-neuron-test role: master ---- -. Create a [.noloc]`Kubernetes` service for your TensorFlow model Serving application. +. Create a Kubernetes service for your TensorFlow model Serving application. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/ml/ml-eks-optimized-ami.adoc b/latest/ug/ml/ml-eks-optimized-ami.adoc index 628d295c3..662f62670 100644 --- a/latest/ug/ml/ml-eks-optimized-ami.adoc +++ b/latest/ug/ml/ml-eks-optimized-ami.adoc @@ -9,15 +9,15 @@ The Amazon EKS optimized accelerated Amazon Linux AMIs are built on top of the s The following text describes how to enable {aws} Neuron-based workloads. .To enable {aws} Neuron (ML accelerator) based workloads -For details on training and inference workloads using [.noloc]`Neuron` in Amazon EKS, see the following references: +For details on training and inference workloads using Neuron in Amazon EKS, see the following references: -* https://awsdocs-neuron.readthedocs-hosted.com/en/latest/containers/kubernetes-getting-started.html[Containers - Kubernetes - Getting Started] in the _{aws} [.noloc]`Neuron` Documentation_ -* https://github.com/aws-neuron/aws-neuron-eks-samples/blob/master/README.md#training[Training] in {aws} [.noloc]`Neuron` EKS Samples on GitHub +* https://awsdocs-neuron.readthedocs-hosted.com/en/latest/containers/kubernetes-getting-started.html[Containers - Kubernetes - Getting Started] in the _{aws} Neuron Documentation_ +* https://github.com/aws-neuron/aws-neuron-eks-samples/blob/master/README.md#training[Training] in {aws} Neuron EKS Samples on GitHub * <> The following procedure describes how to run a workload on a GPU based instance with the Amazon EKS optimized accelerated AMIs. -. After your GPU nodes join your cluster, you must apply the https://github.com/NVIDIA/k8s-device-plugin[NVIDIA device plugin for Kubernetes] as a [.noloc]`DaemonSet` on your cluster. Replace [.replaceable]`vX.X.X` with your desired https://github.com/NVIDIA/k8s-device-plugin/releases[NVIDIA/k8s-device-plugin] version before running the following command. +. After your GPU nodes join your cluster, you must apply the https://github.com/NVIDIA/k8s-device-plugin[NVIDIA device plugin for Kubernetes] as a DaemonSet on your cluster. Replace [.replaceable]`vX.X.X` with your desired https://github.com/NVIDIA/k8s-device-plugin/releases[NVIDIA/k8s-device-plugin] version before running the following command. + [source,bash,subs="verbatim,attributes"] ---- @@ -54,7 +54,7 @@ spec: ---- kubectl apply -f nvidia-smi.yaml ---- -. After the [.noloc]`Pod` has finished running, view its logs with the following command. +. After the Pod has finished running, view its logs with the following command. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/ml/node-efa.adoc b/latest/ug/ml/node-efa.adoc index 743f1c750..3ac9f58c3 100644 --- a/latest/ug/ml/node-efa.adoc +++ b/latest/ug/ml/node-efa.adoc @@ -2,22 +2,22 @@ [.topic] [#node-efa] -= Run machine learning training on Amazon EKS with [.noloc]`Elastic Fabric Adapter` += Run machine learning training on Amazon EKS with Elastic Fabric Adapter :info_titleabbrev: Training clusters with EFA include::../attributes.txt[] [abstract] -- -Learn how to integrate Elastic Fabric Adapter (EFA) with Amazon EKS to run machine learning training workloads requiring high inter-node communications at scale using p4d instances with [.noloc]`GPUDirect RDMA` and [.noloc]`NVIDIA Collective Communications Library (NCCL)`. +Learn how to integrate Elastic Fabric Adapter (EFA) with Amazon EKS to run machine learning training workloads requiring high inter-node communications at scale using p4d instances with GPUDirect RDMA and NVIDIA Collective Communications Library (NCCL). -- -This topic describes how to integrate Elastic Fabric Adapter (EFA) with [.noloc]`Pods` deployed in your Amazon EKS cluster. Elastic Fabric Adapter (EFA) is a network interface for Amazon EC2 instances that enables you to run applications requiring high levels of inter-node communications at scale on {aws}. Its custom-built operating system bypass hardware interface enhances the performance of inter-instance communications, which is critical to scaling these applications. With EFA, High Performance Computing (HPC) applications using the Message Passing Interface (MPI) and Machine Learning (ML) applications using NVIDIA Collective Communications Library (NCCL) can scale to thousands of CPUs or GPUs. As a result, you get the application performance of on-premises HPC clusters with the on-demand elasticity and flexibility of the {aws} cloud. Integrating EFA with applications running on Amazon EKS clusters can reduce the time to complete large scale distributed training workloads without having to add additional instances to your cluster. For more information about EFA, link:hpc/efa/[Elastic Fabric Adapter,type="marketing"]. +This topic describes how to integrate Elastic Fabric Adapter (EFA) with Pods deployed in your Amazon EKS cluster. Elastic Fabric Adapter (EFA) is a network interface for Amazon EC2 instances that enables you to run applications requiring high levels of inter-node communications at scale on {aws}. Its custom-built operating system bypass hardware interface enhances the performance of inter-instance communications, which is critical to scaling these applications. With EFA, High Performance Computing (HPC) applications using the Message Passing Interface (MPI) and Machine Learning (ML) applications using NVIDIA Collective Communications Library (NCCL) can scale to thousands of CPUs or GPUs. As a result, you get the application performance of on-premises HPC clusters with the on-demand elasticity and flexibility of the {aws} cloud. Integrating EFA with applications running on Amazon EKS clusters can reduce the time to complete large scale distributed training workloads without having to add additional instances to your cluster. For more information about EFA, link:hpc/efa/[Elastic Fabric Adapter,type="marketing"]. [#efa-instances] == Instance types with EFA -The _{aws} EFA Kubernetes Device Plugin_ supports all Amazon EC2 instance types that have EFA. To see a list of all instance types that have EFA, see link:AWSEC2/latest/UserGuide/efa.html#efa-instance-types[Supported instance types,type="documentation"] in the _Amazon EC2 User Guide_. However, to run ML applications quickly, we recommend that an instance has hardware acceleration chips such as [.noloc]`nVidia` GPUs, link:machine-learning/inferentia/[{aws} Inferentia,type="marketing"] chips, or link:machine-learning/trainium/[{aws} Trainium,type="marketing"] chips, in addition to the EFA. To see a list of instance types that have hardware acceleration chips and EFA, see link:AWSEC2/latest/UserGuide/efa.html#efa-instance-types[Accelerated computing,type="documentation"] in the _Amazon EC2 User Guide_. +The _{aws} EFA Kubernetes Device Plugin_ supports all Amazon EC2 instance types that have EFA. To see a list of all instance types that have EFA, see link:AWSEC2/latest/UserGuide/efa.html#efa-instance-types[Supported instance types,type="documentation"] in the _Amazon EC2 User Guide_. However, to run ML applications quickly, we recommend that an instance has hardware acceleration chips such as nVidia GPUs, link:machine-learning/inferentia/[{aws} Inferentia,type="marketing"] chips, or link:machine-learning/trainium/[{aws} Trainium,type="marketing"] chips, in addition to the EFA. To see a list of instance types that have hardware acceleration chips and EFA, see link:AWSEC2/latest/UserGuide/efa.html#efa-instance-types[Accelerated computing,type="documentation"] in the _Amazon EC2 User Guide_. As you compare instance types to choose between them, consider the number of EFA network cards available for that instance type as well as the number of accelerator cards, amount of CPU, and amount of memory. You can assign up to one EFA per network card. An EFA counts as a network interface.. To see how many EFA are available for each instance types that have EFA, see the link:AWSEC2/latest/UserGuide/using-eni.html#network-cards[Network cards,type="documentation"] list in the _Amazon EC2 User Guide_. @@ -28,7 +28,7 @@ An _Elastic Fabric Adapter (EFA)_ is a network interface that combines the capab To create nodes that can have EFA-only interfaces, you must use a custom EC2 Launch Template and set the `InterfaceType` to `efa-only`. In your custom Launch Template, you can't set the network card `0` to an EFA-only interface, as that is the primary network card and network interface of the EC2 instance. You must have VPC CNI version `1.18.5` or later for EFA-only interfaces. If you are using Amazon Linux 2, ami version has to be `v20240928` or later for EfA-only interfaces. -The following procedure guides you to create an EKS cluster with `eksctl` with nodes that have [.noloc]`nVidia` GPUs and EFA interfaces. You can't use `eksctl` to create nodes and node groups that use EFA-only interfaces. +The following procedure guides you to create an EKS cluster with `eksctl` with nodes that have nVidia GPUs and EFA interfaces. You can't use `eksctl` to create nodes and node groups that use EFA-only interfaces. [#efa-prereqs] == Prerequisites @@ -36,15 +36,15 @@ The following procedure guides you to create an EKS cluster with `eksctl` with n * An existing Amazon EKS cluster. If you don't have an existing cluster, create one using <>.. Your cluster must be deployed in a VPC that has at least one private subnet with enough available IP addresses to deploy nodes in. The private subnet must have outbound internet access provided by an external device, such as a NAT gateway. + If you plan to use `eksctl` to create your node group, `eksctl` can also create a cluster for you. -* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. -* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. -* You must have the [.noloc]`Amazon VPC CNI plugin for Kubernetes` version `1.7.10` or later installed before launching worker nodes that support multiple Elastic Fabric Adapters, such as the `p4d` or `p5`. For more information about updating your [.noloc]`Amazon VPC CNI plugin for Kubernetes` version, see <>. +* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or Homebrew for macOS are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. +* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the Kubernetes version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. +* You must have the Amazon VPC CNI plugin for Kubernetes version `1.7.10` or later installed before launching worker nodes that support multiple Elastic Fabric Adapters, such as the `p4d` or `p5`. For more information about updating your Amazon VPC CNI plugin for Kubernetes version, see <>. [IMPORTANT] ==== -An important consideration required for adopting EFA with [.noloc]`Kubernetes` is configuring and managing [.noloc]`Huge Pages` as a resource in the cluster. For more information, see https://kubernetes.io/docs/tasks/manage-hugepages/scheduling-hugepages/[Manage Huge Pages] in the [.noloc]`Kubernetes` documentation. Amazon EC2 instances with the EFA driver installed pre-allocate 5128 2MiB Huge Pages, which you can request as resources to consume in your job specifications. +An important consideration required for adopting EFA with Kubernetes is configuring and managing Huge Pages as a resource in the cluster. For more information, see https://kubernetes.io/docs/tasks/manage-hugepages/scheduling-hugepages/[Manage Huge Pages] in the Kubernetes documentation. Amazon EC2 instances with the EFA driver installed pre-allocate 5128 2MiB Huge Pages, which you can request as resources to consume in your job specifications. ==== @@ -127,7 +127,7 @@ eksctl create cluster -f efa-cluster.yaml NOTE: Because the instance type used in this example has GPUs, `eksctl` automatically installs the NVIDIA Kubernetes device plugin on each instance for you. . Deploy the EFA Kubernetes device plugin. + -The EFA Kubernetes device plugin detects and advertises EFA interfaces as allocatable resources to Kubernetes. An application can consume the extended resource type `vpc.amazonaws.com/efa` in a [.noloc]`Pod` request spec just like CPU and memory. For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#consuming-extended-resources[Consuming extended resources] in the [.noloc]`Kubernetes` documentation. Once requested, the plugin automatically assigns and mounts an EFA interface to the [.noloc]`Pod`. Using the device plugin simplifies EFA setup and does not require a [.noloc]`Pod` to run in privileged mode. +The EFA Kubernetes device plugin detects and advertises EFA interfaces as allocatable resources to Kubernetes. An application can consume the extended resource type `vpc.amazonaws.com/efa` in a Pod request spec just like CPU and memory. For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#consuming-extended-resources[Consuming extended resources] in the Kubernetes documentation. Once requested, the plugin automatically assigns and mounts an EFA interface to the Pod. Using the device plugin simplifies EFA setup and does not require a Pod to run in privileged mode. + [source,bash,subs="verbatim,attributes"] ---- @@ -143,12 +143,12 @@ We recommend that you test the EFA setup. You can use the https://github.com/aws . Deploy the Kubeflow MPI Operator: + -For the NCCL tests you can apply the Kubeflow MPI Operator. The MPI Operator makes it easy to run Allreduce-style distributed training on Kubernetes. For more information, see https://github.com/kubeflow/mpi-operator[MPI Operator] on [.noloc]`GitHub`. +For the NCCL tests you can apply the Kubeflow MPI Operator. The MPI Operator makes it easy to run Allreduce-style distributed training on Kubernetes. For more information, see https://github.com/kubeflow/mpi-operator[MPI Operator] on GitHub. . Run the multi-node NCCL Performance Test to verify GPUDirectRDMA/EFA: + -To verify NCCL performance with [.noloc]`GPUDirectRDMA` over EFA, run the standard NCCL Performance test. For more information, see the official https://github.com/NVIDIA/nccl-tests.git[NCCL-Tests] repo on [.noloc]`GitHub`. +To verify NCCL performance with GPUDirectRDMA over EFA, run the standard NCCL Performance test. For more information, see the official https://github.com/NVIDIA/nccl-tests.git[NCCL-Tests] repo on GitHub. + -Complete the following steps to run a two node [.noloc]`NCCL Performance Test`. In the example [.noloc]`NCCL` test job, each worker requests eight GPUs, 5210Mi of `hugepages-2Mi`, four EFAs, and 8000Mi of memory, which effectively means each worker consumes all the resources of a `p5.48xlarge` instance. +Complete the following steps to run a two node NCCL Performance Test. In the example NCCL test job, each worker requests eight GPUs, 5210Mi of `hugepages-2Mi`, four EFAs, and 8000Mi of memory, which effectively means each worker consumes all the resources of a `p5.48xlarge` instance. + .. Create the MPIJob manifest: + @@ -278,7 +278,7 @@ mpijob.kubeflow.org/nccl-tests created ---- .. Verify that the job started pods: + -View your running [.noloc]`Pods`. +View your running Pods. + [source,bash,subs="verbatim,attributes"] ---- @@ -295,14 +295,14 @@ nccl-tests-worker-0 1/1 Running 0 2m49s nccl-tests-worker-1 1/1 Running 0 2m49s ---- + -The MPI Operator creates a launcher [.noloc]`Pod` and 2 worker [.noloc]`Pods` (one on each node). +The MPI Operator creates a launcher Pod and 2 worker Pods (one on each node). .. Verify that the job is running successfully with the logs: + -View the log for the `nccl-tests-launcher` [.noloc]`Pod`. Replace [.replaceable]`nbql9` with the value from your output. +View the log for the `nccl-tests-launcher` Pod. Replace [.replaceable]`nbql9` with the value from your output. + [source,bash,subs="verbatim,attributes"] ---- kubectl logs -f nccl-tests-launcher-nbql9 ---- -If the test completed successfully, you can deploy your applications that use the [.noloc]`Nvidia Collective Communication Library`. \ No newline at end of file +If the test completed successfully, you can deploy your applications that use the Nvidia Collective Communication Library. \ No newline at end of file diff --git a/latest/ug/ml/node-taints-managed-node-groups.adoc b/latest/ug/ml/node-taints-managed-node-groups.adoc index 1f77d3194..72bd156a1 100644 --- a/latest/ug/ml/node-taints-managed-node-groups.adoc +++ b/latest/ug/ml/node-taints-managed-node-groups.adoc @@ -1,22 +1,22 @@ [.topic] [#node-taints-managed-node-groups] -= Prevent [.noloc]`Pods` from being scheduled on specific nodes += Prevent Pods from being scheduled on specific nodes :info_titleabbrev: Taint GPU nodes include::../attributes.txt[] [abstract] -- -Taints and tolerations work together to ensure that [.noloc]`Pods` aren't scheduled onto inappropriate nodes. This can be particularly useful for nodes running on GPU hardware. +Taints and tolerations work together to ensure that Pods aren't scheduled onto inappropriate nodes. This can be particularly useful for nodes running on GPU hardware. -- Nodes with specialized processors, such as GPUs, can be more expensive to run than nodes running on more standard machines. For that reason, you may want to protect those nodes from having workloads that don't require special hardware from being deployed to those nodes. One way to do that is with taints. -Amazon EKS supports configuring [.noloc]`Kubernetes` taints through managed node groups. Taints and tolerations work together to ensure that [.noloc]`Pods` aren't scheduled onto inappropriate nodes. One or more taints can be applied to a node. This marks that the node shouldn't accept any [.noloc]`Pods` that don't tolerate the taints. Tolerations are applied to [.noloc]`Pods` and allow, but don't require, the [.noloc]`Pods` to schedule onto nodes with matching taints. For more information, see https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/[Taints and Tolerations] in the [.noloc]`Kubernetes` documentation. +Amazon EKS supports configuring Kubernetes taints through managed node groups. Taints and tolerations work together to ensure that Pods aren't scheduled onto inappropriate nodes. One or more taints can be applied to a node. This marks that the node shouldn't accept any Pods that don't tolerate the taints. Tolerations are applied to Pods and allow, but don't require, the Pods to schedule onto nodes with matching taints. For more information, see https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/[Taints and Tolerations] in the Kubernetes documentation. -[.noloc]`Kubernetes` node taints can be applied to new and existing managed node groups using the {aws-management-console} or through the Amazon EKS API. +Kubernetes node taints can be applied to new and existing managed node groups using the {aws-management-console} or through the Amazon EKS API. @@ -46,7 +46,7 @@ aws eks create-nodegroup \ }' ---- -For more information and examples of usage, see https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#taint[taint] in the [.noloc]`Kubernetes` reference documentation. +For more information and examples of usage, see https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#taint[taint] in the Kubernetes reference documentation. [NOTE] ==== @@ -56,7 +56,7 @@ For more information and examples of usage, see https://kubernetes.io/docs/refer * The taint key must begin with a letter or number. It can contain letters, numbers, hyphens (`-`), periods (`.`), and underscores (`_`). It can be up to 63 characters long. * Optionally, the taint key can begin with a DNS subdomain prefix and a single `/`. If it begins with a DNS subdomain prefix, it can be 253 characters long. * The value is optional and must begin with a letter or number. It can contain letters, numbers, hyphens (`-`), periods (`.`), and underscores (`_`). It can be up to 63 characters long. -* When using [.noloc]`Kubernetes` directly or the {aws-management-console}, the taint effect must be `NoSchedule`, `PreferNoSchedule`, or `NoExecute`. However, when using the {aws} CLI or API, the taint effect must be `NO_SCHEDULE`, `PREFER_NO_SCHEDULE`, or `NO_EXECUTE`. +* When using Kubernetes directly or the {aws-management-console}, the taint effect must be `NoSchedule`, `PreferNoSchedule`, or `NoExecute`. However, when using the {aws} CLI or API, the taint effect must be `NO_SCHEDULE`, `PREFER_NO_SCHEDULE`, or `NO_EXECUTE`. * A maximum of 50 taints are allowed per node group. * If taints that were created using a managed node group are removed manually from a node, then Amazon EKS doesn't add the taints back to the node. This is true even if the taints are specified in the managed node group configuration. diff --git a/latest/ug/networking/alternate-cni-plugins.adoc b/latest/ug/networking/alternate-cni-plugins.adoc index 45b270850..5d49d94fd 100644 --- a/latest/ug/networking/alternate-cni-plugins.adoc +++ b/latest/ug/networking/alternate-cni-plugins.adoc @@ -7,10 +7,10 @@ include::../attributes.txt[] [abstract] -- -Learn how to use alternate network and security plugins on Amazon EKS to customize networking for your [.noloc]`Kubernetes` clusters on Amazon EC2 nodes. +Learn how to use alternate network and security plugins on Amazon EKS to customize networking for your Kubernetes clusters on Amazon EC2 nodes. -- -The https://github.com/aws/amazon-vpc-cni-plugins[Amazon VPC CNI plugin for Kubernetes] is the only CNI plugin supported by Amazon EKS with Amazon EC2 nodes. Amazon EKS supports the core capabilities of Cilium and Calico for Amazon EKS Hybrid Nodes. Amazon EKS runs upstream [.noloc]`Kubernetes`, so you can install alternate compatible CNI plugins to Amazon EC2 nodes in your cluster. If you have Fargate nodes in your cluster, the [.noloc]`Amazon VPC CNI plugin for Kubernetes` is already on your Fargate nodes. It's the only CNI plugin you can use with Fargate nodes. An attempt to install an alternate CNI plugin on Fargate nodes fails. +The https://github.com/aws/amazon-vpc-cni-plugins[Amazon VPC CNI plugin for Kubernetes] is the only CNI plugin supported by Amazon EKS with Amazon EC2 nodes. Amazon EKS supports the core capabilities of Cilium and Calico for Amazon EKS Hybrid Nodes. Amazon EKS runs upstream Kubernetes, so you can install alternate compatible CNI plugins to Amazon EC2 nodes in your cluster. If you have Fargate nodes in your cluster, the Amazon VPC CNI plugin for Kubernetes is already on your Fargate nodes. It's the only CNI plugin you can use with Fargate nodes. An attempt to install an alternate CNI plugin on Fargate nodes fails. If you plan to use an alternate CNI plugin on Amazon EC2 nodes, we recommend that you obtain commercial support for the plugin or have the in-house expertise to troubleshoot and contribute fixes to the CNI plugin project. @@ -46,11 +46,11 @@ Amazon EKS aims to give you a wide selection of options to cover all use cases. [#alternate-network-policy-plugins] == Alternate compatible network policy plugins -https://www.tigera.io/project-calico[Calico] is a widely adopted solution for container networking and security. Using [.noloc]`Calico` on EKS provides a fully compliant network policy enforcement for your EKS clusters. Additionally, you can opt to use [.noloc]`Calico's` networking, which conserve IP addresses from your underlying VPC. https://www.tigera.io/tigera-products/calico-cloud/[Calico Cloud] enhances the features of [.noloc]`Calico Open Source`, providing advanced security and observability capabilities. +https://www.tigera.io/project-calico[Calico] is a widely adopted solution for container networking and security. Using Calico on EKS provides a fully compliant network policy enforcement for your EKS clusters. Additionally, you can opt to use Calico's networking, which conserve IP addresses from your underlying VPC. https://www.tigera.io/tigera-products/calico-cloud/[Calico Cloud] enhances the features of Calico Open Source, providing advanced security and observability capabilities. -Traffic flow to and from [.noloc]`Pods` with associated security groups are not subjected to [.noloc]`Calico` network policy enforcement and are limited to Amazon VPC security group enforcement only. +Traffic flow to and from Pods with associated security groups are not subjected to Calico network policy enforcement and are limited to Amazon VPC security group enforcement only. -If you use [.noloc]`Calico` network policy enforcement, we recommend that you set the environment variable `ANNOTATE_POD_IP` to `true` to avoid a known issue with [.noloc]`Kubernetes`. To use this feature, you must add `patch` permission for pods to the `aws-node` [.noloc]`ClusterRole`. Note that adding patch permissions to the `aws-node` [.noloc]`DaemonSet` increases the security scope for the plugin. For more information, see https://github.com/aws/amazon-vpc-cni-k8s/?tab=readme-ov-file#annotate_pod_ip-v193[ANNOTATE_POD_IP] in the VPC CNI repo on GitHub. +If you use Calico network policy enforcement, we recommend that you set the environment variable `ANNOTATE_POD_IP` to `true` to avoid a known issue with Kubernetes. To use this feature, you must add `patch` permission for pods to the `aws-node` ClusterRole. Note that adding patch permissions to the `aws-node` DaemonSet increases the security scope for the plugin. For more information, see https://github.com/aws/amazon-vpc-cni-k8s/?tab=readme-ov-file#annotate_pod_ip-v193[ANNOTATE_POD_IP] in the VPC CNI repo on GitHub. == Considerations for Amazon EKS Auto Mode diff --git a/latest/ug/networking/aws-load-balancer-controller.adoc b/latest/ug/networking/aws-load-balancer-controller.adoc index 1c04df343..c78d6db86 100644 --- a/latest/ug/networking/aws-load-balancer-controller.adoc +++ b/latest/ug/networking/aws-load-balancer-controller.adoc @@ -13,27 +13,27 @@ include::lbc-remove.adoc[leveloffset=+1] [abstract] -- -Learn how to configure and use the [.noloc]`{aws} Load Balancer Controller` to expose [.noloc]`Kubernetes` cluster apps to the internet with {aws} Elastic Load Balancing for [.noloc]`Kubernetes` [.noloc]`services` and [.noloc]`ingresses`. +Learn how to configure and use the {aws} Load Balancer Controller to expose Kubernetes cluster apps to the internet with {aws} Elastic Load Balancing for Kubernetes services and ingresses. -- -The [.noloc]`{aws} Load Balancer Controller` manages {aws} Elastic Load Balancers for a [.noloc]`Kubernetes` cluster. You can use the controller to expose your cluster apps to the internet. The controller provisions {aws} load balancers that point to cluster Service or Ingress resources. In other words, the controller creates a single IP address or DNS name that points to multiple pods in your cluster. +The {aws} Load Balancer Controller manages {aws} Elastic Load Balancers for a Kubernetes cluster. You can use the controller to expose your cluster apps to the internet. The controller provisions {aws} load balancers that point to cluster Service or Ingress resources. In other words, the controller creates a single IP address or DNS name that points to multiple pods in your cluster. image::images/lbc-overview.png["Architecture diagram. Illustration of traffic coming from internet users, to Amazon Load Balancer. Amazon Load Balancer distributes traffic to pods in the cluster.",scaledwidth=50%] -The controller watches for [.noloc]`Kubernetes` [.noloc]`Ingress` or [.noloc]`Service` resources. In response, it creates the appropriate {aws} Elastic Load Balancing resources. You can configure the specific behavior of the load balancers by applying annotations to the [.noloc]`Kubernetes` resources. For example, you can attach {aws} security groups to load balancers using annotations. +The controller watches for Kubernetes Ingress or Service resources. In response, it creates the appropriate {aws} Elastic Load Balancing resources. You can configure the specific behavior of the load balancers by applying annotations to the Kubernetes resources. For example, you can attach {aws} security groups to load balancers using annotations. The controller provisions the following resources: -*[.noloc]`Kubernetes` `Ingress`*:: -The LBC creates an link:elasticloadbalancing/latest/application/introduction.html[{aws} Application Load Balancer (ALB),type="documentation"] when you create a [.noloc]`Kubernetes` `Ingress`. https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/ingress/annotations/[Review the annotations you can apply to an Ingress resource.] +*Kubernetes `Ingress`*:: +The LBC creates an link:elasticloadbalancing/latest/application/introduction.html[{aws} Application Load Balancer (ALB),type="documentation"] when you create a Kubernetes `Ingress`. https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/ingress/annotations/[Review the annotations you can apply to an Ingress resource.] -*[.noloc]`Kubernetes` service of the `LoadBalancer` type*:: -The LBC creates an link:elasticloadbalancing/latest/network/introduction.html[{aws} Network Load Balancer (NLB),type="documentation"]when you create a [.noloc]`Kubernetes` service of type `LoadBalancer`. https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/[Review the annotations you can apply to a Service resource.] +*Kubernetes service of the `LoadBalancer` type*:: +The LBC creates an link:elasticloadbalancing/latest/network/introduction.html[{aws} Network Load Balancer (NLB),type="documentation"]when you create a Kubernetes service of type `LoadBalancer`. https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/[Review the annotations you can apply to a Service resource.] + -In the past, the [.noloc]`Kubernetes` network load balancer was used for _instance_ targets, but the LBC was used for _IP_ targets. With the [.noloc]`{aws} Load Balancer Controller` version `2.3.0` or later, you can create NLBs using either target type. For more information about NLB target types, see link:elasticloadbalancing/latest/network/load-balancer-target-groups.html#target-type[Target type,type="documentation"] in the User Guide for Network Load Balancers. +In the past, the Kubernetes network load balancer was used for _instance_ targets, but the LBC was used for _IP_ targets. With the {aws} Load Balancer Controller version `2.3.0` or later, you can create NLBs using either target type. For more information about NLB target types, see link:elasticloadbalancing/latest/network/load-balancer-target-groups.html#target-type[Target type,type="documentation"] in the User Guide for Network Load Balancers. -The controller is an https://github.com/kubernetes-sigs/aws-load-balancer-controller[open-source project] managed on [.noloc]`GitHub`. +The controller is an https://github.com/kubernetes-sigs/aws-load-balancer-controller[open-source project] managed on GitHub. Before deploying the controller, we recommend that you review the prerequisites and considerations in <> and <>. In those topics, you will deploy a sample app that includes an {aws} load balancer. @@ -41,35 +41,35 @@ Before deploying the controller, we recommend that you review the prerequisites [#lbc-overview] == Install the controller -You can use one of the following procedures to install the [.noloc]`{aws} Load Balancer Controller`: +You can use one of the following procedures to install the {aws} Load Balancer Controller: -* If you are new to Amazon EKS we recommend that you use Helm for the installation because it simplifies the [.noloc]`{aws} Load Balancer Controller` installation. For more information, see <>. -* For advanced configurations, such as clusters with restricted network access to public container registries, use [.noloc]`Kubernetes` Manifests. For more information, see <>. +* If you are new to Amazon EKS we recommend that you use Helm for the installation because it simplifies the {aws} Load Balancer Controller installation. For more information, see <>. +* For advanced configurations, such as clusters with restricted network access to public container registries, use Kubernetes Manifests. For more information, see <>. [#lbc-deprecated] == Migrate from deprecated controller versions -* If you have deprecated versions of the [.noloc]`{aws} Load Balancer Controller` installed, see <>. -* Deprecated versions cannot be upgraded. They must be removed and a current version of the [.noloc]`{aws} Load Balancer Controller` installed. +* If you have deprecated versions of the {aws} Load Balancer Controller installed, see <>. +* Deprecated versions cannot be upgraded. They must be removed and a current version of the {aws} Load Balancer Controller installed. + [[lbc-deprecated-list]] * Deprecated versions include: + -** {aws} ALB Ingress Controller for [.noloc]`Kubernetes` ("Ingress Controller"), a predecessor to the [.noloc]`{aws} Load Balancer Controller`. -** Any `0.1.[.replaceable]``x``` version of the [.noloc]`{aws} Load Balancer Controller` +** {aws} ALB Ingress Controller for Kubernetes ("Ingress Controller"), a predecessor to the {aws} Load Balancer Controller. +** Any `0.1.[.replaceable]``x``` version of the {aws} Load Balancer Controller [#lbc-legacy] == Legacy cloud provider -[.noloc]`Kubernetes` includes a legacy cloud provider for {aws}. The legacy cloud provider is capable of provisioning {aws} load balancers, similar to the [.noloc]`{aws} Load Balancer Controller`. The legacy cloud provider creates Classic Load Balancers. If you do not install the [.noloc]`{aws} Load Balancer Controller`, [.noloc]`Kubernetes` will default to using the legacy cloud provider. You should install the [.noloc]`{aws} Load Balancer Controller` and avoid using the legacy cloud provider. +Kubernetes includes a legacy cloud provider for {aws}. The legacy cloud provider is capable of provisioning {aws} load balancers, similar to the {aws} Load Balancer Controller. The legacy cloud provider creates Classic Load Balancers. If you do not install the {aws} Load Balancer Controller, Kubernetes will default to using the legacy cloud provider. You should install the {aws} Load Balancer Controller and avoid using the legacy cloud provider. [IMPORTANT] ==== -In versions 2.5 and newer, the [.noloc]`{aws} Load Balancer Controller` becomes the default controller for [.noloc]`Kubernetes` _service_ resources with the `type: LoadBalancer` and makes an {aws} Network Load Balancer (NLB) for each service. It does this by making a mutating webhook for services, which sets the `spec.loadBalancerClass` field to `service.k8s.aws/nlb` for new services of `type: LoadBalancer`. You can turn off this feature and revert to using the https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/#legacy-cloud-provider[legacy Cloud Provider] as the default controller, by setting the helm chart value `enableServiceMutatorWebhook` to `false`. The cluster won't provision new Classic Load Balancers for your services unless you turn off this feature. Existing Classic Load Balancers will continue to work. +In versions 2.5 and newer, the {aws} Load Balancer Controller becomes the default controller for Kubernetes _service_ resources with the `type: LoadBalancer` and makes an {aws} Network Load Balancer (NLB) for each service. It does this by making a mutating webhook for services, which sets the `spec.loadBalancerClass` field to `service.k8s.aws/nlb` for new services of `type: LoadBalancer`. You can turn off this feature and revert to using the https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/#legacy-cloud-provider[legacy Cloud Provider] as the default controller, by setting the helm chart value `enableServiceMutatorWebhook` to `false`. The cluster won't provision new Classic Load Balancers for your services unless you turn off this feature. Existing Classic Load Balancers will continue to work. ==== \ No newline at end of file diff --git a/latest/ug/networking/cni-custom-network-tutorial.adoc b/latest/ug/networking/cni-custom-network-tutorial.adoc index c915439c3..b7ce4e652 100644 --- a/latest/ug/networking/cni-custom-network-tutorial.adoc +++ b/latest/ug/networking/cni-custom-network-tutorial.adoc @@ -7,14 +7,14 @@ include::../attributes.txt[] [abstract] -- -Learn how your [.noloc]`Pods` can use different security groups and subnets than the primary elastic network interface of the Amazon EC2 node that they run on. +Learn how your Pods can use different security groups and subnets than the primary elastic network interface of the Amazon EC2 node that they run on. -- Complete the following before you start the tutorial: * Review the considerations -* Familiarity with how the [.noloc]`Amazon VPC CNI plugin for Kubernetes` creates secondary network interfaces and assigns IP addresses to [.noloc]`Pods`. For more information, see https://github.com/aws/amazon-vpc-cni-k8s#eni-allocation[ENI Allocation] on [.noloc]`GitHub`. -* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. +* Familiarity with how the Amazon VPC CNI plugin for Kubernetes creates secondary network interfaces and assigns IP addresses to Pods. For more information, see https://github.com/aws/amazon-vpc-cni-k8s#eni-allocation[ENI Allocation] on GitHub. +* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or Homebrew for macOS are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. * The `kubectl` command line tool is installed on your device or {aws} CloudShell. To install or upgrade `kubectl`, see <>. * We recommend that you complete the steps in this topic in a Bash shell. If you aren't using a Bash shell, some script commands such as line continuation characters and the way variables are set and used require adjustment for your shell. Additionally, the quoting and escaping rules for your shell might be different. For more information, see link:cli/latest/userguide/cli-usage-parameters-quoting-strings.html[Using quotation marks with strings in the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. @@ -140,7 +140,7 @@ aws eks update-kubeconfig --name my-custom-networking-cluster This tutorial requires the VPC created in <>. For a production cluster, adjust the steps accordingly for your VPC by replacing all of the example values with your own. -. Confirm that your currently-installed [.noloc]`Amazon VPC CNI plugin for Kubernetes` is the latest version. To determine the latest version for the Amazon EKS add-on type and update your version to it, see <>. To determine the latest version for the self-managed add-on type and update your version to it, see <>. +. Confirm that your currently-installed Amazon VPC CNI plugin for Kubernetes is the latest version. To determine the latest version for the Amazon EKS add-on type and update your version to it, see <>. To determine the latest version for the self-managed add-on type and update your version to it, see <>. . Retrieve the ID of your cluster VPC and store it in a variable for use in later steps. + [source,bash,subs="verbatim,attributes"] @@ -244,8 +244,8 @@ You can see the subnets in the `192.168.1.0` CIDR block that you created are in [#custom-networking-configure-kubernetes] -== Step 3: Configure [.noloc]`Kubernetes` resources -. Set the `AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG` environment variable to `true` in the `aws-node` [.noloc]`DaemonSet`. +== Step 3: Configure Kubernetes resources +. Set the `AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG` environment variable to `true` in the `aws-node` DaemonSet. + [source,bash,subs="verbatim,attributes"] ---- @@ -257,7 +257,7 @@ kubectl set env daemonset aws-node -n kube-system AWS_VPC_K8S_CNI_CUSTOM_NETWORK ---- cluster_security_group_id=$(aws eks describe-cluster --name my-custom-networking-cluster --query cluster.resourcesVpcConfig.clusterSecurityGroupId --output text) ---- -. [[custom-networking-create-eniconfig]]Create an `ENIConfig` custom resource for each subnet that you want to deploy [.noloc]`Pods` in. +. [[custom-networking-create-eniconfig]]Create an `ENIConfig` custom resource for each subnet that you want to deploy Pods in. + .. Create a unique file for each network interface configuration. + @@ -300,14 +300,14 @@ If your `ENIConfig` names aren't all the same as Availability Zone names, then r + NOTE: If you don't specify a valid security group for use with a production cluster and you're using: -*** version `1.8.0` or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes`, then the security groups associated with the node's primary elastic network interface are used. -*** a version of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` that's earlier than `1.8.0`, then the default security group for the VPC is assigned to secondary network interfaces. +*** version `1.8.0` or later of the Amazon VPC CNI plugin for Kubernetes, then the security groups associated with the node's primary elastic network interface are used. +*** a version of the Amazon VPC CNI plugin for Kubernetes that's earlier than `1.8.0`, then the default security group for the VPC is assigned to secondary network interfaces. + [IMPORTANT] ==== -* `AWS_VPC_K8S_CNI_EXTERNALSNAT=false` is a default setting in the configuration for the Amazon VPC CNI plugin for [.noloc]`Kubernetes`. If you're using the default setting, then traffic that is destined for IP addresses that aren't within one of the CIDR blocks associated with your VPC use the security groups and subnets of your node's primary network interface. The subnets and security groups defined in your `ENIConfigs` that are used to create secondary network interfaces aren't used for this traffic. For more information about this setting, see <>. -* If you also use security groups for [.noloc]`Pods`, the security group that's specified in a `SecurityGroupPolicy` is used instead of the security group that's specified in the `ENIConfigs`. For more information, see <>. +* `AWS_VPC_K8S_CNI_EXTERNALSNAT=false` is a default setting in the configuration for the Amazon VPC CNI plugin for Kubernetes. If you're using the default setting, then traffic that is destined for IP addresses that aren't within one of the CIDR blocks associated with your VPC use the security groups and subnets of your node's primary network interface. The subnets and security groups defined in your `ENIConfigs` that are used to create secondary network interfaces aren't used for this traffic. For more information about this setting, see <>. +* If you also use security groups for Pods, the security group that's specified in a `SecurityGroupPolicy` is used instead of the security group that's specified in the `ENIConfigs`. For more information, see <>. ==== + @@ -335,11 +335,11 @@ us-west-2d 105s ---- . If you're enabling custom networking on a production cluster and named your `ENIConfigs` something other than the Availability Zone that you're using them for, then skip to the <> to deploy Amazon EC2 nodes. + -Enable [.noloc]`Kubernetes` to automatically apply the `ENIConfig` for an Availability Zone to any new Amazon EC2 nodes created in your cluster. +Enable Kubernetes to automatically apply the `ENIConfig` for an Availability Zone to any new Amazon EC2 nodes created in your cluster. + .. For the test cluster in this tutorial, skip to the <>. + -For a production cluster, check to see if an [.noloc]`annotation` with the key `k8s.amazonaws.com/eniConfig` for the `https://github.com/aws/amazon-vpc-cni-k8s#eni_config_annotation_def[ENI_CONFIG_ANNOTATION_DEF]` environment variable exists in the container spec for the `aws-node` [.noloc]`DaemonSet`. +For a production cluster, check to see if an annotation with the key `k8s.amazonaws.com/eniConfig` for the `https://github.com/aws/amazon-vpc-cni-k8s#eni_config_annotation_def[ENI_CONFIG_ANNOTATION_DEF]` environment variable exists in the container spec for the `aws-node` DaemonSet. + [source,bash,subs="verbatim,attributes"] ---- @@ -347,7 +347,7 @@ kubectl describe daemonset aws-node -n kube-system | grep ENI_CONFIG_ANNOTATION_ ---- + If output is returned, the annotation exists. If no output is returned, then the variable is not set. For a production cluster, you can use either this setting or the setting in the following step. If you use this setting, it overrides the setting in the following step. In this tutorial, the setting in the next step is used. -.. [[custom-networking-automatically-apply-eniconfig]]Update your `aws-node` [.noloc]`DaemonSet` to automatically apply the `ENIConfig` for an Availability Zone to any new Amazon EC2 nodes created in your cluster. +.. [[custom-networking-automatically-apply-eniconfig]]Update your `aws-node` DaemonSet to automatically apply the `ENIConfig` for an Availability Zone to any new Amazon EC2 nodes created in your cluster. + [source,bash,subs="verbatim,attributes"] ---- @@ -400,7 +400,7 @@ aws iam attach-role-policy \ --role-name myCustomNetworkingNodeRole ---- + -IMPORTANT: For simplicity in this tutorial, the link:aws-managed-policy/latest/reference/AmazonEKS_CNI_Policy.html[AmazonEKS_CNI_Policy,type="documentation"] policy is attached to the node IAM role. In a production cluster however, we recommend attaching the policy to a separate IAM role that is used only with the [.noloc]`Amazon VPC CNI plugin for Kubernetes`. For more information, see <>. +IMPORTANT: For simplicity in this tutorial, the link:aws-managed-policy/latest/reference/AmazonEKS_CNI_Policy.html[AmazonEKS_CNI_Policy,type="documentation"] policy is attached to the node IAM role. In a production cluster however, we recommend attaching the policy to a separate IAM role that is used only with the Amazon VPC CNI plugin for Kubernetes. For more information, see <>. . Create one of the following types of node groups. To determine the instance type that you want to deploy, see <>. For this tutorial, complete the *Managed*, *Without a launch template or with a launch template without an AMI ID specified* option. If you're going to use the node group for production workloads, then we recommend that you familiarize yourself with all of the managed node group <> and self-managed node group <> options before deploying the node group. + ** *Managed* – Deploy your node group using one of the following options: @@ -416,7 +416,7 @@ aws eks create-nodegroup --cluster-name my-custom-networking-cluster --nodegroup + .... Determine the Amazon EKS recommended number of maximum Pods for your nodes. Follow the instructions in <>, adding `--cni-custom-networking-enabled` to step 3 in that topic. Note the output for use in the next step. -.... In your launch template, specify an Amazon EKS optimized AMI ID, or a custom AMI built off the Amazon EKS optimized AMI, then <> and provide the following user data in the launch template. This user data passes arguments into the `bootstrap.sh` file. For more information about the bootstrap file, see https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap.sh] on [.noloc]`GitHub`. You can replace `20` with either the value from the previous step (recommended) or your own value. +.... In your launch template, specify an Amazon EKS optimized AMI ID, or a custom AMI built off the Amazon EKS optimized AMI, then <> and provide the following user data in the launch template. This user data passes arguments into the `bootstrap.sh` file. For more information about the bootstrap file, see https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap.sh] on GitHub. You can replace `20` with either the value from the previous step (recommended) or your own value. + [source,bash,subs="verbatim,attributes"] ---- @@ -427,7 +427,7 @@ If you've created a custom AMI that is not built off the Amazon EKS optimized AM ** *Self-managed* + -... Determine the Amazon EKS recommended number of maximum [.noloc]`Pods` for your nodes. Follow the instructions in <>, adding `--cni-custom-networking-enabled` to step 3 in that topic. Note the output for use in the next step. +... Determine the Amazon EKS recommended number of maximum Pods for your nodes. Follow the instructions in <>, adding `--cni-custom-networking-enabled` to step 3 in that topic. Note the output for use in the next step. ... Deploy the node group using the instructions in <>. Specify the following text for the *BootstrapArguments* parameter. You can replace `20` with either the value from the previous step (recommended) or your own value. + [source,bash,subs="verbatim,attributes"] @@ -439,7 +439,7 @@ If you've created a custom AMI that is not built off the Amazon EKS optimized AM + [NOTE] ==== -If you want nodes in a production cluster to support a significantly higher number of [.noloc]`Pods`, run the script in <> again. Also, add the `--cni-prefix-delegation-enabled` option to the command. For example, `110` is returned for an `m5.large` instance type. For instructions on how to enable this capability, see <>. You can use this capability with custom networking. +If you want nodes in a production cluster to support a significantly higher number of Pods, run the script in <> again. Also, add the `--cni-prefix-delegation-enabled` option to the command. For example, `110` is returned for an `m5.large` instance type. For instructions on how to enable this capability, see <>. You can use this capability with custom networking. ==== + . Node group creation takes several minutes. You can check the status of the creation of a managed node group with the following command. @@ -452,7 +452,7 @@ aws eks describe-nodegroup --cluster-name my-custom-networking-cluster --nodegro Don't continue to the next step until the output returned is `ACTIVE`. . [[custom-networking-annotate-eniconfig]]For the tutorial, you can skip this step. + -For a production cluster, if you didn't name your `ENIConfigs` the same as the Availability Zone that you're using them for, then you must annotate your nodes with the `ENIConfig` name that should be used with the node. This step isn't necessary if you only have one subnet in each Availability Zone and you named your `ENIConfigs` with the same names as your Availability Zones. This is because the [.noloc]`Amazon VPC CNI plugin for Kubernetes` automatically associates the correct `ENIConfig` with the node for you when you enabled it to do so in a <>. +For a production cluster, if you didn't name your `ENIConfigs` the same as the Availability Zone that you're using them for, then you must annotate your nodes with the `ENIConfig` name that should be used with the node. This step isn't necessary if you only have one subnet in each Availability Zone and you named your `ENIConfigs` with the same names as your Availability Zones. This is because the Amazon VPC CNI plugin for Kubernetes automatically associates the correct `ENIConfig` with the node for you when you enabled it to do so in a <>. + .. Get the list of nodes in your cluster. + @@ -495,10 +495,10 @@ An example output is as follows. kubectl annotate node ip-192-168-0-126.us-west-2.compute.internal k8s.amazonaws.com/eniConfig=EniConfigName1 kubectl annotate node ip-192-168-0-92.us-west-2.compute.internal k8s.amazonaws.com/eniConfig=EniConfigName2 ---- -. [[custom-networking-terminate-existing-nodes]]If you had nodes in a production cluster with running [.noloc]`Pods` before you switched to using the custom networking feature, complete the following tasks: +. [[custom-networking-terminate-existing-nodes]]If you had nodes in a production cluster with running Pods before you switched to using the custom networking feature, complete the following tasks: + .. Make sure that you have available nodes that are using the custom networking feature. -.. Cordon and drain the nodes to gracefully shut down the [.noloc]`Pods`. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/[Safely Drain a Node] in the [.noloc]`Kubernetes` documentation. +.. Cordon and drain the nodes to gracefully shut down the Pods. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/[Safely Drain a Node] in the Kubernetes documentation. .. Terminate the nodes. If the nodes are in an existing managed node group, you can delete the node group. Run the following command. + [source,bash,subs="verbatim,attributes"] @@ -508,7 +508,7 @@ aws eks delete-nodegroup --cluster-name my-custom-networking-cluster --nodegroup + Only new nodes that are registered with the `k8s.amazonaws.com/eniConfig` label use the custom networking feature. -. Confirm that [.noloc]`Pods` are assigned an IP address from a CIDR block that's associated to one of the subnets that you created in a previous step. +. Confirm that Pods are assigned an IP address from a CIDR block that's associated to one of the subnets that you created in a previous step. + [source,bash,subs="verbatim,attributes"] ---- @@ -528,9 +528,9 @@ kube-system kube-proxy-jgshq 1/1 Running 0 7m19s 19 kube-system kube-proxy-wx9vk 1/1 Running 0 7m15s 192.168.0.126 ip-192-168-0-126.us-west-2.compute.internal ---- + -You can see that the coredns [.noloc]`Pods` are assigned IP addresses from the `192.168.1.0` CIDR block that you added to your VPC. Without custom networking, they would have been assigned addresses from the `192.168.0.0` CIDR block, because it was the only CIDR block originally associated with the VPC. +You can see that the coredns Pods are assigned IP addresses from the `192.168.1.0` CIDR block that you added to your VPC. Without custom networking, they would have been assigned addresses from the `192.168.0.0` CIDR block, because it was the only CIDR block originally associated with the VPC. + -If a [.noloc]`Pod's` `spec` contains `hostNetwork=true`, it's assigned the primary IP address of the node. It isn't assigned an address from the subnets that you added. By default, this value is set to `false`. This value is set to `true` for the `kube-proxy` and [.noloc]`Amazon VPC CNI plugin for Kubernetes` (`aws-node`) [.noloc]`Pods` that run on your cluster. This is why the `kube-proxy` and the plugin's `aws-node` [.noloc]`Pods` aren't assigned 192.168.1.x addresses in the previous output. For more information about a [.noloc]`Pod's` `hostNetwork` setting, see https://kubernetes.io/docs/reference/generated/kubernetes-api/v{k8s-n}/#podspec-v1-core[PodSpec v1 core] in the [.noloc]`Kubernetes` API reference. +If a Pod's `spec` contains `hostNetwork=true`, it's assigned the primary IP address of the node. It isn't assigned an address from the subnets that you added. By default, this value is set to `false`. This value is set to `true` for the `kube-proxy` and Amazon VPC CNI plugin for Kubernetes (`aws-node`) Pods that run on your cluster. This is why the `kube-proxy` and the plugin's `aws-node` Pods aren't assigned 192.168.1.x addresses in the previous output. For more information about a Pod's `hostNetwork` setting, see https://kubernetes.io/docs/reference/generated/kubernetes-api/v{k8s-n}/#podspec-v1-core[PodSpec v1 core] in the Kubernetes API reference. [#custom-network-delete-resources] diff --git a/latest/ug/networking/cni-custom-network.adoc b/latest/ug/networking/cni-custom-network.adoc index f1705eaf3..ac8a5d42f 100644 --- a/latest/ug/networking/cni-custom-network.adoc +++ b/latest/ug/networking/cni-custom-network.adoc @@ -1,6 +1,6 @@ [.topic] [#cni-custom-network] -= Deploy [.noloc]`Pods` in alternate subnets with custom networking += Deploy Pods in alternate subnets with custom networking :info_titleabbrev: Custom networking include::../attributes.txt[] @@ -9,16 +9,16 @@ include::cni-custom-network-tutorial.adoc[leveloffset=+1] [abstract] -- -Learn how to enable custom networking for Amazon EKS [.noloc]`Pods` to deploy them in different subnets or use different security groups than the node's primary network interface, increasing IP address availability and network isolation. +Learn how to enable custom networking for Amazon EKS Pods to deploy them in different subnets or use different security groups than the node's primary network interface, increasing IP address availability and network isolation. -- -*Applies to*: [.noloc]`Linux` `IPv4` Fargate nodes, [.noloc]`Linux` nodes with Amazon EC2 instances +*Applies to*: Linux `IPv4` Fargate nodes, Linux nodes with Amazon EC2 instances -By default, when the [.noloc]`Amazon VPC CNI plugin for Kubernetes` creates secondary link:AWSEC2/latest/UserGuide/using-eni.html[elastic network interfaces,type="documentation"] (network interfaces) for your Amazon EC2 node, it creates them in the same subnet as the node's primary network interface. It also associates the same security groups to the secondary network interface that are associated to the primary network interface. For one or more of the following reasons, you might want the plugin to create secondary network interfaces in a different subnet or want to associate different security groups to the secondary network interfaces, or both: +By default, when the Amazon VPC CNI plugin for Kubernetes creates secondary link:AWSEC2/latest/UserGuide/using-eni.html[elastic network interfaces,type="documentation"] (network interfaces) for your Amazon EC2 node, it creates them in the same subnet as the node's primary network interface. It also associates the same security groups to the secondary network interface that are associated to the primary network interface. For one or more of the following reasons, you might want the plugin to create secondary network interfaces in a different subnet or want to associate different security groups to the secondary network interfaces, or both: -* There's a limited number of `IPv4` addresses that are available in the subnet that the primary network interface is in. This might limit the number of [.noloc]`Pods` that you can create in the subnet. By using a different subnet for secondary network interfaces, you can increase the number of available `IPv4` addresses available for [.noloc]`Pods`. -* For security reasons, your [.noloc]`Pods` might need to use a different subnet or security groups than the node's primary network interface. -* The nodes are configured in public subnets, and you want to place the [.noloc]`Pods` in private subnets. The route table associated to a public subnet includes a route to an internet gateway. The route table associated to a private subnet doesn't include a route to an internet gateway. +* There's a limited number of `IPv4` addresses that are available in the subnet that the primary network interface is in. This might limit the number of Pods that you can create in the subnet. By using a different subnet for secondary network interfaces, you can increase the number of available `IPv4` addresses available for Pods. +* For security reasons, your Pods might need to use a different subnet or security groups than the node's primary network interface. +* The nodes are configured in public subnets, and you want to place the Pods in private subnets. The route table associated to a public subnet includes a route to an internet gateway. The route table associated to a private subnet doesn't include a route to an internet gateway. [#cni-custom-network-considerations] @@ -26,8 +26,8 @@ By default, when the [.noloc]`Amazon VPC CNI plugin for Kubernetes` creates seco The following are considerations for using the feature. -* With custom networking enabled, no IP addresses assigned to the primary network interface are assigned to [.noloc]`Pods`. Only IP addresses from secondary network interfaces are assigned to [.noloc]`Pods`. +* With custom networking enabled, no IP addresses assigned to the primary network interface are assigned to Pods. Only IP addresses from secondary network interfaces are assigned to Pods. * If your cluster uses the `IPv6` family, you can't use custom networking. * If you plan to use custom networking only to help alleviate `IPv4` address exhaustion, you can create a cluster using the `IPv6` family instead. For more information, see <>. -* Even though [.noloc]`Pods` deployed to subnets specified for secondary network interfaces can use different subnet and security groups than the node's primary network interface, the subnets and security groups must be in the same VPC as the node. +* Even though Pods deployed to subnets specified for secondary network interfaces can use different subnet and security groups than the node's primary network interface, the subnets and security groups must be in the same VPC as the node. * For Fargate, subnets are controlled through the Fargate profile. For more information, see <>. \ No newline at end of file diff --git a/latest/ug/networking/cni-iam-role.adoc b/latest/ug/networking/cni-iam-role.adoc index a00539699..820a5987c 100644 --- a/latest/ug/networking/cni-iam-role.adoc +++ b/latest/ug/networking/cni-iam-role.adoc @@ -7,29 +7,29 @@ include::../attributes.txt[] [abstract] -- -Learn how to configure the [.noloc]`Amazon VPC CNI plugin for Kubernetes` to use IAM roles for service accounts (IRSA) for [.noloc]`Pod` networking in Amazon EKS clusters. +Learn how to configure the Amazon VPC CNI plugin for Kubernetes to use IAM roles for service accounts (IRSA) for Pod networking in Amazon EKS clusters. -- -The https://github.com/aws/amazon-vpc-cni-k8s[Amazon VPC CNI plugin for Kubernetes] is the networking plugin for [.noloc]`Pod` networking in Amazon EKS clusters. The plugin is responsible for allocating VPC IP addresses to [.noloc]`Kubernetes` nodes and configuring the necessary networking for [.noloc]`Pods` on each node. The plugin: +The https://github.com/aws/amazon-vpc-cni-k8s[Amazon VPC CNI plugin for Kubernetes] is the networking plugin for Pod networking in Amazon EKS clusters. The plugin is responsible for allocating VPC IP addresses to Kubernetes nodes and configuring the necessary networking for Pods on each node. The plugin: * Requires {aws} Identity and Access Management (IAM) permissions. If your cluster uses the `IPv4` family, the permissions are specified in the link:aws-managed-policy/latest/reference/AmazonEKS_CNI_Policy.html[`AmazonEKS_CNI_Policy`,type="documentation"] {aws} managed policy. If your cluster uses the `IPv6` family, then the permissions must be added to an IAM policy that you create; for instructions, see <>. You can attach the policy to the Amazon EKS node IAM role, or to a separate IAM role. For instructions to attach the policy to the Amazon EKS node IAM role, see <>. We recommend that you assign it to a separate role, as detailed in this topic. -* Creates and is configured to use a [.noloc]`Kubernetes` service account named `aws-node` when it's deployed. The service account is bound to a [.noloc]`Kubernetes` `clusterrole` named `aws-node`, which is assigned the required [.noloc]`Kubernetes` permissions. +* Creates and is configured to use a Kubernetes service account named `aws-node` when it's deployed. The service account is bound to a Kubernetes `clusterrole` named `aws-node`, which is assigned the required Kubernetes permissions. [NOTE] ==== -The [.noloc]`Pods` for the [.noloc]`Amazon VPC CNI plugin for Kubernetes` have access to the permissions assigned to the <>, unless you block access to IMDS. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. +The Pods for the Amazon VPC CNI plugin for Kubernetes have access to the permissions assigned to the <>, unless you block access to IMDS. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. ==== * An existing Amazon EKS cluster. To deploy one, see <>. -* An existing {aws} Identity and Access Management (IAM) [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you already have one, or to create one, see <>. +* An existing {aws} Identity and Access Management (IAM) OpenID Connect (OIDC) provider for your cluster. To determine whether you already have one, or to create one, see <>. [#cni-iam-role-create-role] -== Step 1: Create the [.noloc]`Amazon VPC CNI plugin for Kubernetes` IAM role +== Step 1: Create the Amazon VPC CNI plugin for Kubernetes IAM role . Determine the IP family of your cluster. + [source,bash,subs="verbatim,attributes"] @@ -48,7 +48,7 @@ The output may return `ipv6` instead. . Create the IAM role. You can use `eksctl` or `kubectl` and the {aws} CLI to create your IAM role. + eksctl::: -** Create an IAM role and attach the IAM policy to the role with the command that matches the IP family of your cluster. The command creates and deploys an {aws} CloudFormation stack that creates an IAM role, attaches the policy that you specify to it, and annotates the existing `aws-node` [.noloc]`Kubernetes` service account with the ARN of the IAM role that is created. +** Create an IAM role and attach the IAM policy to the role with the command that matches the IP family of your cluster. The command creates and deploys an {aws} CloudFormation stack that creates an IAM role, attaches the policy that you specify to it, and annotates the existing `aws-node` Kubernetes service account with the ARN of the IAM role that is created. + *** `IPv4` + @@ -157,24 +157,24 @@ kubectl annotate serviceaccount \ -n kube-system aws-node \ eks.amazonaws.com/role-arn={arn-aws}iam::111122223333:role/AmazonEKSVPCCNIRole ---- -. (Optional) Configure the {aws} Security Token Service endpoint type used by your [.noloc]`Kubernetes` service account. For more information, see <>. +. (Optional) Configure the {aws} Security Token Service endpoint type used by your Kubernetes service account. For more information, see <>. [#cni-iam-role-redeploy-pods] -== Step 2: Re-deploy [.noloc]`Amazon VPC CNI plugin for Kubernetes` [.noloc]`Pods` -. Delete and re-create any existing [.noloc]`Pods` that are associated with the service account to apply the credential environment variables. The annotation is not applied to [.noloc]`Pods` that are currently running without the annotation. The following command deletes the existing `aws-node` [.noloc]`DaemonSet` [.noloc]`Pods` and deploys them with the service account annotation. +== Step 2: Re-deploy Amazon VPC CNI plugin for Kubernetes Pods +. Delete and re-create any existing Pods that are associated with the service account to apply the credential environment variables. The annotation is not applied to Pods that are currently running without the annotation. The following command deletes the existing `aws-node` DaemonSet Pods and deploys them with the service account annotation. + [source,bash,subs="verbatim,attributes"] ---- kubectl delete Pods -n kube-system -l k8s-app=aws-node ---- -. Confirm that the [.noloc]`Pods` all restarted. +. Confirm that the Pods all restarted. + [source,bash,subs="verbatim,attributes"] ---- kubectl get pods -n kube-system -l k8s-app=aws-node ---- -. Describe one of the [.noloc]`Pods` and verify that the `AWS_WEB_IDENTITY_TOKEN_FILE` and `AWS_ROLE_ARN` environment variables exist. Replace [.replaceable]`cpjw7` with the name of one of your [.noloc]`Pods` returned in the output of the previous step. +. Describe one of the Pods and verify that the `AWS_WEB_IDENTITY_TOKEN_FILE` and `AWS_ROLE_ARN` environment variables exist. Replace [.replaceable]`cpjw7` with the name of one of your Pods returned in the output of the previous step. + [source,bash,subs="verbatim,attributes"] ---- @@ -191,9 +191,9 @@ AWS_ROLE_ARN: {arn-aws}iam::111122223333:role/AmazonEKSVPCCNIRol AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token ---- + -Two sets of duplicate results are returned because the [.noloc]`Pod` contains two containers. Both containers have the same values. +Two sets of duplicate results are returned because the Pod contains two containers. Both containers have the same values. + -If your [.noloc]`Pod` is using the {aws} Regional endpoint, then the following line is also returned in the previous output. +If your Pod is using the {aws} Regional endpoint, then the following line is also returned in the previous output. + [source,bash,subs="verbatim,attributes"] ---- @@ -204,7 +204,7 @@ AWS_STS_REGIONAL_ENDPOINTS=regional [#remove-cni-policy-node-iam-role] == Step 3: Remove the CNI policy from the node IAM role -If your <> currently has the `AmazonEKS_CNI_Policy` IAM (`IPv4`) policyor an <>attached to it, and you've created a separate IAM role, attached the policy to it instead, and assigned it to the `aws-node` [.noloc]`Kubernetes` service account, then we recommend that you remove the policy from your node role with the {aws} CLI command that matches the IP family of your cluster. Replace [.replaceable]`AmazonEKSNodeRole` with the name of your node role. +If your <> currently has the `AmazonEKS_CNI_Policy` IAM (`IPv4`) policyor an <>attached to it, and you've created a separate IAM role, attached the policy to it instead, and assigned it to the `aws-node` Kubernetes service account, then we recommend that you remove the policy from your node role with the {aws} CLI command that matches the IP family of your cluster. Replace [.replaceable]`AmazonEKSNodeRole` with the name of your node role. @@ -227,7 +227,7 @@ aws iam detach-role-policy --role-name AmazonEKSNodeRole --policy-arn {arn-aws}i [#cni-iam-role-create-ipv6-policy] == Create IAM policy for clusters that use the `IPv6` family -If you created a cluster that uses the `IPv6` family and the cluster has version `1.10.1` or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on configured, then you need to create an IAM policy that you can assign to an IAM role. If you have an existing cluster that you didn't configure with the `IPv6` family when you created it, then to use `IPv6`, you must create a new cluster. For more information about using `IPv6` with your cluster, see <>. +If you created a cluster that uses the `IPv6` family and the cluster has version `1.10.1` or later of the Amazon VPC CNI plugin for Kubernetes add-on configured, then you need to create an IAM policy that you can assign to an IAM role. If you have an existing cluster that you didn't configure with the `IPv6` family when you created it, then to use `IPv6`, you must create a new cluster. For more information about using `IPv6` with your cluster, see <>. . Copy the following text and save it to a file named `vpc-cni-ipv6-policy.json`. + diff --git a/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc b/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc index 835cf6103..9911cc269 100644 --- a/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc +++ b/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc @@ -5,16 +5,16 @@ include::../attributes.txt[] -You can increase the number of IP addresses that nodes can assign to [.noloc]`Pods` by assigning IP prefixes, rather than assigning individual secondary IP addresses to your nodes. +You can increase the number of IP addresses that nodes can assign to Pods by assigning IP prefixes, rather than assigning individual secondary IP addresses to your nodes. == Prerequisites * You need an existing cluster. To deploy one, see <>. * The subnets that your Amazon EKS nodes are in must have sufficient contiguous `/28` (for `IPv4` clusters) or `/80` (for `IPv6` clusters) Classless Inter-Domain Routing (CIDR) blocks. You can only have Linux nodes in an `IPv6` cluster. Using IP prefixes can fail if IP addresses are scattered throughout the subnet CIDR. We recommend the following: ** Using a subnet CIDR reservation so that even if any IP addresses within the reserved range are still in use, upon their release, the IP addresses aren't reassigned. This ensures that prefixes are available for allocation without segmentation. -** Use new subnets that are specifically used for running the workloads that IP prefixes are assigned to. Both [.noloc]`Windows` and [.noloc]`Linux` workloads can run in the same subnet when assigning IP prefixes. -* To assign IP prefixes to your nodes, your nodes must be {aws} Nitro-based. Instances that aren't Nitro-based continue to allocate individual secondary IP addresses, but have a significantly lower number of IP addresses to assign to [.noloc]`Pods` than [.noloc]`Nitro-based` instances do. -* *For clusters with [.noloc]`Linux` nodes only* – If your cluster is configured for the `IPv4` family, you must have version `1.9.0` or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on installed. You can check your current version with the following command. +** Use new subnets that are specifically used for running the workloads that IP prefixes are assigned to. Both Windows and Linux workloads can run in the same subnet when assigning IP prefixes. +* To assign IP prefixes to your nodes, your nodes must be {aws} Nitro-based. Instances that aren't Nitro-based continue to allocate individual secondary IP addresses, but have a significantly lower number of IP addresses to assign to Pods than Nitro-based instances do. +* *For clusters with Linux nodes only* – If your cluster is configured for the `IPv4` family, you must have version `1.9.0` or later of the Amazon VPC CNI plugin for Kubernetes add-on installed. You can check your current version with the following command. + [source,bash,subs="verbatim,attributes"] ---- @@ -22,7 +22,7 @@ kubectl describe daemonset aws-node --namespace kube-system | grep Image | cut - ---- + If your cluster is configured for the `IPv6` family, you must have version `1.10.1` of the add-on installed. If your plugin version is earlier than the required versions, you must update it. For more information, see the updating sections of <>. -* *For clusters with [.noloc]`Windows` nodes only* +* *For clusters with Windows nodes only* + ** Your cluster and its platform version must be at, or later than the versions in the following table. To upgrade your cluster version, see <>. If your cluster isn't at the minimum platform version, then you can't assign IP prefixes to your nodes until Amazon EKS has updated your platform version. @@ -43,16 +43,16 @@ If your cluster is configured for the `IPv6` family, you must have version `1.10 |`eks.5` |=== + -You can check your current [.noloc]`Kubernetes` and platform version by replacing [.replaceable]`my-cluster` in the following command with the name of your cluster and then running the modified command: `aws eks describe-cluster --name [.replaceable]``my-cluster`` --query 'cluster.{"Kubernetes Version": version, "Platform Version": platformVersion}'`. -** You must have [.noloc]`Windows` support enabled for your cluster. For more information, see <>. +You can check your current Kubernetes and platform version by replacing [.replaceable]`my-cluster` in the following command with the name of your cluster and then running the modified command: `aws eks describe-cluster --name [.replaceable]``my-cluster`` --query 'cluster.{"Kubernetes Version": version, "Platform Version": platformVersion}'`. +** You must have Windows support enabled for your cluster. For more information, see <>. [#cni-increase-ip-procedure] == Assign IP address prefixes to nodes Configure your cluster to assign IP address prefixes to nodes. Complete the procedure that matches your node's operating system. -=== [.noloc]`Linux` -. Enable the parameter to assign prefixes to network interfaces for the Amazon VPC CNI [.noloc]`DaemonSet`. When you deploy a `1.21` or later cluster, version `1.10.1` or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on is deployed with it. If you created the cluster with the `IPv6` family, this setting was set to `true` by default. If you created the cluster with the `IPv4` family, this setting was set to `false` by default. +=== Linux +. Enable the parameter to assign prefixes to network interfaces for the Amazon VPC CNI DaemonSet. When you deploy a `1.21` or later cluster, version `1.10.1` or later of the Amazon VPC CNI plugin for Kubernetes add-on is deployed with it. If you created the cluster with the `IPv6` family, this setting was set to `true` by default. If you created the cluster with the `IPv4` family, this setting was set to `false` by default. + [source,bash,subs="verbatim,attributes"] ---- @@ -61,24 +61,24 @@ kubectl set env daemonset aws-node -n kube-system ENABLE_PREFIX_DELEGATION=true + [IMPORTANT] ==== -Even if your subnet has available IP addresses, if the subnet does not have any contiguous `/28` blocks available, you will see the following error in the [.noloc]`Amazon VPC CNI plugin for Kubernetes` logs. +Even if your subnet has available IP addresses, if the subnet does not have any contiguous `/28` blocks available, you will see the following error in the Amazon VPC CNI plugin for Kubernetes logs. [source,bash,subs="verbatim,attributes"] ---- InsufficientCidrBlocks: The specified subnet does not have enough free cidr blocks to satisfy the request ---- -This can happen due to fragmentation of existing secondary IP addresses spread out across a subnet. To resolve this error, either create a new subnet and launch [.noloc]`Pods` there, or use an Amazon EC2 subnet CIDR reservation to reserve space within a subnet for use with prefix assignment. For more information, see link:vpc/latest/userguide/subnet-cidr-reservation.html[Subnet CIDR reservations,type="documentation"] in the Amazon VPC User Guide. +This can happen due to fragmentation of existing secondary IP addresses spread out across a subnet. To resolve this error, either create a new subnet and launch Pods there, or use an Amazon EC2 subnet CIDR reservation to reserve space within a subnet for use with prefix assignment. For more information, see link:vpc/latest/userguide/subnet-cidr-reservation.html[Subnet CIDR reservations,type="documentation"] in the Amazon VPC User Guide. ==== + -. If you plan to deploy a managed node group without a launch template, or with a launch template that you haven't specified an AMI ID in, and you're using a version of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` at or later than the versions listed in the prerequisites, then skip to the next step. Managed node groups automatically calculates the maximum number of [.noloc]`Pods` for you. +. If you plan to deploy a managed node group without a launch template, or with a launch template that you haven't specified an AMI ID in, and you're using a version of the Amazon VPC CNI plugin for Kubernetes at or later than the versions listed in the prerequisites, then skip to the next step. Managed node groups automatically calculates the maximum number of Pods for you. + -If you're deploying a self-managed node group or a managed node group with a launch template that you have specified an AMI ID in, then you must determine the Amazon EKS recommend number of maximum [.noloc]`Pods` for your nodes. Follow the instructions in <>, adding `--cni-prefix-delegation-enabled` to step 3. Note the output for use in a later step. +If you're deploying a self-managed node group or a managed node group with a launch template that you have specified an AMI ID in, then you must determine the Amazon EKS recommend number of maximum Pods for your nodes. Follow the instructions in <>, adding `--cni-prefix-delegation-enabled` to step 3. Note the output for use in a later step. + IMPORTANT: Managed node groups enforces a maximum number on the value of `maxPods`. For instances with less than 30 vCPUs the maximum number is 110 and for all other instances the maximum number is 250. This maximum number is applied whether prefix delegation is enabled or not. . If you're using a `1.21` or later cluster configured for `IPv6`, skip to the next step. + -Specify the parameters in one of the following options. To determine which option is right for you and what value to provide for it, see https://github.com/aws/amazon-vpc-cni-k8s/blob/master/docs/prefix-and-ip-target.md[WARM_PREFIX_TARGET, WARM_IP_TARGET, and MINIMUM_IP_TARGET] on [.noloc]`GitHub`. +Specify the parameters in one of the following options. To determine which option is right for you and what value to provide for it, see https://github.com/aws/amazon-vpc-cni-k8s/blob/master/docs/prefix-and-ip-target.md[WARM_PREFIX_TARGET, WARM_IP_TARGET, and MINIMUM_IP_TARGET] on GitHub. + You can replace the [.replaceable]`example values` with a value greater than zero. + @@ -99,7 +99,7 @@ kubectl set env ds aws-node -n kube-system WARM_IP_TARGET=5 ---- kubectl set env ds aws-node -n kube-system MINIMUM_IP_TARGET=2 ---- -. Create one of the following types of node groups with at least one Amazon EC2 Nitro Amazon Linux 2 instance type. For a list of Nitro instance types, see link:AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances[Instances built on the Nitro System,type="documentation"] in the Amazon EC2 User Guide. This capability is not supported on [.noloc]`Windows`. For the options that include [.replaceable]`110`, replace it with either the value from step 3 (recommended), or your own value. +. Create one of the following types of node groups with at least one Amazon EC2 Nitro Amazon Linux 2 instance type. For a list of Nitro instance types, see link:AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances[Instances built on the Nitro System,type="documentation"] in the Amazon EC2 User Guide. This capability is not supported on Windows. For the options that include [.replaceable]`110`, replace it with either the value from step 3 (recommended), or your own value. + *** *Self-managed* – Deploy the node group using the instructions in <>. Specify the following text for the *BootstrapArguments* parameter. + @@ -117,7 +117,7 @@ eksctl create nodegroup --cluster my-cluster --managed=false --max-pods-per-node *** *Managed* – Deploy your node group using one of the following options: + **** *Without a launch template or with a launch template without an AMI ID specified* – Complete the procedure in <>. Managed node groups automatically calculates the Amazon EKS recommended `max-pods` value for you. -**** *With a launch template with a specified AMI ID* – In your launch template, specify an Amazon EKS optimized AMI ID, or a custom AMI built off the Amazon EKS optimized AMI, then <> and provide the following user data in the launch template. This user data passes arguments into the `bootstrap.sh` file. For more information about the bootstrap file, see https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap.sh] on [.noloc]`GitHub`. +**** *With a launch template with a specified AMI ID* – In your launch template, specify an Amazon EKS optimized AMI ID, or a custom AMI built off the Amazon EKS optimized AMI, then <> and provide the following user data in the launch template. This user data passes arguments into the `bootstrap.sh` file. For more information about the bootstrap file, see https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap.sh] on GitHub. + [source,bash,subs="verbatim,attributes"] ---- @@ -136,9 +136,9 @@ eksctl create nodegroup --cluster my-cluster --max-pods-per-node 110 If you've created a custom AMI that is not built off the Amazon EKS optimized AMI, then you need to custom create the configuration yourself. + -NOTE: If you also want to assign IP addresses to [.noloc]`Pods` from a different subnet than the instance's, then you need to enable the capability in this step. For more information, see <>. +NOTE: If you also want to assign IP addresses to Pods from a different subnet than the instance's, then you need to enable the capability in this step. For more information, see <>. -=== [.noloc]`Windows` +=== Windows . Enable assignment of IP prefixes. + .. Open the `amazon-vpc-cni` `ConfigMap` for editing. @@ -165,14 +165,14 @@ If the returned output isn't `true`, then there might have been an error. Try co + [IMPORTANT] ==== -Even if your subnet has available IP addresses, if the subnet does not have any contiguous `/28` blocks available, you will see the following error in the [.noloc]`Amazon VPC CNI plugin for Kubernetes` logs. +Even if your subnet has available IP addresses, if the subnet does not have any contiguous `/28` blocks available, you will see the following error in the Amazon VPC CNI plugin for Kubernetes logs. [source,bash,subs="verbatim,attributes"] ---- InsufficientCidrBlocks: The specified subnet does not have enough free cidr blocks to satisfy the request ---- -This can happen due to fragmentation of existing secondary IP addresses spread out across a subnet. To resolve this error, either create a new subnet and launch [.noloc]`Pods` there, or use an Amazon EC2 subnet CIDR reservation to reserve space within a subnet for use with prefix assignment. For more information, see link:vpc/latest/userguide/subnet-cidr-reservation.html[Subnet CIDR reservations,type="documentation"] in the Amazon VPC User Guide. +This can happen due to fragmentation of existing secondary IP addresses spread out across a subnet. To resolve this error, either create a new subnet and launch Pods there, or use an Amazon EC2 subnet CIDR reservation to reserve space within a subnet for use with prefix assignment. For more information, see link:vpc/latest/userguide/subnet-cidr-reservation.html[Subnet CIDR reservations,type="documentation"] in the Amazon VPC User Guide. ==== . (Optional) Specify additional configuration for controlling the pre-scaling and dynamic scaling behavior for your cluster. For more information, see https://github.com/aws/amazon-vpc-resource-controller-k8s/blob/master/docs/windows/prefix_delegation_config_options.md[Configuration options with Prefix Delegation mode on Windows] on GitHub. + @@ -191,14 +191,14 @@ kubectl edit configmap -n kube-system amazon-vpc-cni -o yaml minimum-ip-target: "2" ---- .. Save the file and close the editor. -. Create [.noloc]`Windows` node groups with at least one Amazon EC2 [.noloc]`Nitro` instance type. For a list of [.noloc]`Nitro` instance types, see link:AWSEC2/latest/WindowsGuide/instance-types.html#ec2-nitro-instances[Instances built on the Nitro System,type="documentation"] in the Amazon EC2 User Guide. By default, the maximum number of [.noloc]`Pods` that you can deploy to a node is 110. If you want to increase or decrease that number, specify the following in the user data for the bootstrap configuration. Replace [.replaceable]`max-pods-quantity` with your max pods value. +. Create Windows node groups with at least one Amazon EC2 Nitro instance type. For a list of Nitro instance types, see link:AWSEC2/latest/WindowsGuide/instance-types.html#ec2-nitro-instances[Instances built on the Nitro System,type="documentation"] in the Amazon EC2 User Guide. By default, the maximum number of Pods that you can deploy to a node is 110. If you want to increase or decrease that number, specify the following in the user data for the bootstrap configuration. Replace [.replaceable]`max-pods-quantity` with your max pods value. + [source,bash,subs="verbatim,attributes"] ---- -KubeletExtraArgs '--max-pods=max-pods-quantity' ---- + -If you're deploying managed node groups, this configuration needs to be added in the launch template. For more information, see <>. For more information about the configuration parameters for [.noloc]`Windows` bootstrap script, see <>. +If you're deploying managed node groups, this configuration needs to be added in the launch template. For more information, see <>. For more information about the configuration parameters for Windows bootstrap script, see <>. [#cni-increase-ip-verify] == Determine max Pods and available IP addresses @@ -233,4 +233,4 @@ pods: 110 vpc.amazonaws.com/PrivateIPv4Address: 144 ---- + -In the previous output, `110` is the maximum number of [.noloc]`Pods` that [.noloc]`Kubernetes` will deploy to the node, even though [.replaceable]`144` IP addresses are available. \ No newline at end of file +In the previous output, `110` is the maximum number of Pods that Kubernetes will deploy to the node, even though [.replaceable]`144` IP addresses are available. \ No newline at end of file diff --git a/latest/ug/networking/cni-increase-ip-addresses.adoc b/latest/ug/networking/cni-increase-ip-addresses.adoc index 814abf599..7f0cdebc2 100644 --- a/latest/ug/networking/cni-increase-ip-addresses.adoc +++ b/latest/ug/networking/cni-increase-ip-addresses.adoc @@ -9,7 +9,7 @@ include::cni-increase-ip-addresses-procedure.adoc[leveloffset=+1] [abstract] -- -Learn how to significantly increase the number of IP addresses that you can assign to [.noloc]`Pods` by assigning IP prefixes with Amazon EKS, improving scalability and reducing launch delays for large and spiky workloads. +Learn how to significantly increase the number of IP addresses that you can assign to Pods by assigning IP prefixes with Amazon EKS, improving scalability and reducing launch delays for large and spiky workloads. -- *Applies to*: Linux and Windows nodes with Amazon EC2 instances @@ -18,10 +18,10 @@ Learn how to significantly increase the number of IP addresses that you can assi Each Amazon EC2 instance supports a maximum number of elastic network interfaces and a maximum number of IP addresses that can be assigned to each network interface. Each node requires one IP address for each network interface. All other available IP addresses can be assigned to `Pods`. Each `Pod` requires its own IP address. As a result, you might have nodes that have available compute and memory resources, but can't accommodate additional `Pods` because the node has run out of IP addresses to assign to `Pods`. -You can increase the number of IP addresses that nodes can assign to `Pods` by assigning IP prefixes, rather than assigning individual secondary IP addresses to your nodes. Each prefix includes several IP addresses. If you don't configure your cluster for IP prefix assignment, your cluster must make more Amazon EC2 application programming interface (API) calls to configure network interfaces and IP addresses necessary for [.noloc]`Pod` connectivity. As clusters grow to larger sizes, the frequency of these API calls can lead to longer [.noloc]`Pod` and instance launch times. This results in scaling delays to meet the demand of large and spiky workloads, and adds cost and management overhead because you need to provision additional clusters and VPCs to meet scaling requirements. For more information, see https://github.com/kubernetes/community/blob/master/sig-scalability/configs-and-limits/thresholds.md[Kubernetes Scalability thresholds] on GitHub. +You can increase the number of IP addresses that nodes can assign to `Pods` by assigning IP prefixes, rather than assigning individual secondary IP addresses to your nodes. Each prefix includes several IP addresses. If you don't configure your cluster for IP prefix assignment, your cluster must make more Amazon EC2 application programming interface (API) calls to configure network interfaces and IP addresses necessary for Pod connectivity. As clusters grow to larger sizes, the frequency of these API calls can lead to longer Pod and instance launch times. This results in scaling delays to meet the demand of large and spiky workloads, and adds cost and management overhead because you need to provision additional clusters and VPCs to meet scaling requirements. For more information, see https://github.com/kubernetes/community/blob/master/sig-scalability/configs-and-limits/thresholds.md[Kubernetes Scalability thresholds] on GitHub. [#cni-increase-ip-addresses-compatability] -== Compatibility with [.noloc]`Amazon VPC CNI plugin for Kubernetes` features +== Compatibility with Amazon VPC CNI plugin for Kubernetes features You can use IP prefixes with the following features: @@ -29,9 +29,9 @@ You can use IP prefixes with the following features: * IPv4 Source Network Address Translation - For more information, see <>. * IPv6 addresses to clusters, Pods, and services - For more information, see <>. -* Restricting traffic using [.noloc]`Kubernetes` network policies - For more information, see <>. +* Restricting traffic using Kubernetes network policies - For more information, see <>. -The following list provides information about the Amazon VPC CNI plugin settings that apply. For more information about each setting, see https://github.com/aws/amazon-vpc-cni-k8s/blob/master/README.md[amazon-vpc-cni-k8s] on [.noloc]`GitHub`. +The following list provides information about the Amazon VPC CNI plugin settings that apply. For more information about each setting, see https://github.com/aws/amazon-vpc-cni-k8s/blob/master/README.md[amazon-vpc-cni-k8s] on GitHub. @@ -47,15 +47,15 @@ Consider the following when you use this feature: -* Each Amazon EC2 instance type supports a maximum number of [.noloc]`Pods`. If your managed node group consists of multiple instance types, the smallest number of maximum [.noloc]`Pods` for an instance in the cluster is applied to all nodes in the cluster. +* Each Amazon EC2 instance type supports a maximum number of Pods. If your managed node group consists of multiple instance types, the smallest number of maximum Pods for an instance in the cluster is applied to all nodes in the cluster. * By default, the maximum number of `Pods` that you can run on a node is 110, but you can change that number. If you change the number and have an existing managed node group, the next AMI or launch template update of your node group results in new nodes coming up with the changed value. -* When transitioning from assigning IP addresses to assigning IP prefixes, we recommend that you create new node groups to increase the number of available IP addresses, rather than doing a rolling replacement of existing nodes. Running [.noloc]`Pods` on a node that has both IP addresses and prefixes assigned can lead to inconsistency in the advertised IP address capacity, impacting the future workloads on the node. For the recommended way of performing the transition, see https://github.com/aws/aws-eks-best-practices/blob/master/content/networking/prefix-mode/index_windows.md#replace-all-nodes-during-migration-from-secondary-ip-mode-to-prefix-delegation-mode-or-vice-versa[Replace all nodes during migration from Secondary IP mode to Prefix Delegation mode or vice versa] in the Amazon EKS best practices guide. +* When transitioning from assigning IP addresses to assigning IP prefixes, we recommend that you create new node groups to increase the number of available IP addresses, rather than doing a rolling replacement of existing nodes. Running Pods on a node that has both IP addresses and prefixes assigned can lead to inconsistency in the advertised IP address capacity, impacting the future workloads on the node. For the recommended way of performing the transition, see https://github.com/aws/aws-eks-best-practices/blob/master/content/networking/prefix-mode/index_windows.md#replace-all-nodes-during-migration-from-secondary-ip-mode-to-prefix-delegation-mode-or-vice-versa[Replace all nodes during migration from Secondary IP mode to Prefix Delegation mode or vice versa] in the Amazon EKS best practices guide. * The security group scope is at the node-level - For more information, see link:vpc/latest/userguide/VPC_SecurityGroups.html[Security group,type="documentation"]. -* IP prefixes assigned to a network interface support high [.noloc]`Pod` density per node and have the best launch time. -* IP prefixes and IP addresses are associated with standard Amazon EC2 elastic network interfaces. Pods requiring specific security groups are assigned the primary IP address of a branch network interface. You can mix [.noloc]`Pods` getting IP addresses, or IP addresses from IP prefixes with [.noloc]`Pods` getting branch network interfaces on the same node. +* IP prefixes assigned to a network interface support high Pod density per node and have the best launch time. +* IP prefixes and IP addresses are associated with standard Amazon EC2 elastic network interfaces. Pods requiring specific security groups are assigned the primary IP address of a branch network interface. You can mix Pods getting IP addresses, or IP addresses from IP prefixes with Pods getting branch network interfaces on the same node. * For clusters with Linux nodes only. + -** After you configure the add-on to assign prefixes to network interfaces, you can't downgrade your [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on to a version lower than `1.9.0` (or `1.10.1`) without removing all nodes in all node groups in your cluster. -** If you're also using security groups for [.noloc]`Pods`, with `POD_SECURITY_GROUP_ENFORCING_MODE`=``standard`` and `AWS_VPC_K8S_CNI_EXTERNALSNAT`=``false``, when your [.noloc]`Pods` communicate with endpoints outside of your VPC, the node's security groups are used, rather than any security groups you've assigned to your [.noloc]`Pods`. +** After you configure the add-on to assign prefixes to network interfaces, you can't downgrade your Amazon VPC CNI plugin for Kubernetes add-on to a version lower than `1.9.0` (or `1.10.1`) without removing all nodes in all node groups in your cluster. +** If you're also using security groups for Pods, with `POD_SECURITY_GROUP_ENFORCING_MODE`=``standard`` and `AWS_VPC_K8S_CNI_EXTERNALSNAT`=``false``, when your Pods communicate with endpoints outside of your VPC, the node's security groups are used, rather than any security groups you've assigned to your Pods. + If you're also using <>, with `POD_SECURITY_GROUP_ENFORCING_MODE`=``strict``, when your `Pods` communicate with endpoints outside of your VPC, the `Pod's` security groups are used. \ No newline at end of file diff --git a/latest/ug/networking/cni-ipv6.adoc b/latest/ug/networking/cni-ipv6.adoc index 288ef1e7e..651631d33 100644 --- a/latest/ug/networking/cni-ipv6.adoc +++ b/latest/ug/networking/cni-ipv6.adoc @@ -1,6 +1,6 @@ [.topic] [#cni-ipv6] -= Learn about IPv6 addresses to clusters, [.noloc]`Pods`, and services += Learn about IPv6 addresses to clusters, Pods, and services :info_titleabbrev: IPv6 include::../attributes.txt[] @@ -9,12 +9,12 @@ include::deploy-ipv6-cluster.adoc[leveloffset=+1] [abstract] -- -Learn how to deploy an `IPv6` cluster and nodes with Amazon EKS for assigning `IPv6` addresses to [.noloc]`Pods` and [.noloc]`services` instead of `IPv4`, leveraging IP prefix delegation and the latest [.noloc]`Amazon VPC CNI` plugin. +Learn how to deploy an `IPv6` cluster and nodes with Amazon EKS for assigning `IPv6` addresses to Pods and services instead of `IPv4`, leveraging IP prefix delegation and the latest Amazon VPC CNI plugin. -- -*Applies to*: [.noloc]`Pods` with Amazon EC2 instances and Fargate [.noloc]`Pods` +*Applies to*: Pods with Amazon EC2 instances and Fargate Pods -By default, [.noloc]`Kubernetes` assigns `IPv4` addresses to your [.noloc]`Pods` and [.noloc]`services`. Instead of assigning `IPv4` addresses to your [.noloc]`Pods` and [.noloc]`services`, you can configure your cluster to assign `IPv6` addresses to them. Amazon EKS doesn't support dual-stacked [.noloc]`Pods` or [.noloc]`services`, even though [.noloc]`Kubernetes` does in version `1.23` and later. As a result, you can't assign both `IPv4` and `IPv6` addresses to your [.noloc]`Pods` and [.noloc]`services`. +By default, Kubernetes assigns `IPv4` addresses to your Pods and services. Instead of assigning `IPv4` addresses to your Pods and services, you can configure your cluster to assign `IPv6` addresses to them. Amazon EKS doesn't support dual-stacked Pods or services, even though Kubernetes does in version `1.23` and later. As a result, you can't assign both `IPv4` and `IPv6` addresses to your Pods and services. You select which IP family you want to use for your cluster when you create it. You can't change the family after you create the cluster. @@ -27,7 +27,7 @@ The following are considerations for using the feature: == `IPv6` Feature support -* *No [.noloc]`Windows` support*: [.noloc]`Windows` [.noloc]`Pods` and [.noloc]`services` aren't supported. +* *No Windows support*: Windows Pods and services aren't supported. * *Nitro-based EC2 nodes required*: You can only use `IPv6` with {aws} Nitro-based Amazon EC2 or Fargate nodes. * *EC2 and Fargate nodes supported*: You can use `IPv6` with <> with Amazon EC2 nodes and Fargate nodes. * *Outposts not supported*: You can't use `IPv6` with <>. @@ -40,10 +40,10 @@ The following are considerations for using the feature: * *Kubernetes services*: Kubernetes services are only assigned an `IPv6` addresses. They aren't assigned IPv4 addresses. * *Pods*: Pods are assigned an IPv6 address and a host-local IPv4 address. The host-local IPv4 address is assigned by using a host-local CNI plugin chained with VPC CNI and the address is not reported to the Kubernetes control plane. It is only used when a pod needs to communicate with an external IPv4 resources in another Amazon VPC or the internet. The host-local IPv4 address gets SNATed (by VPC CNI) to the primary IPv4 address of the primary ENI of the worker node. -* *Pods and services*: [.noloc]`Pods` and [.noloc]`services` are only assigned an `IPv6` address. They aren't assigned an `IPv4` address. Because [.noloc]`Pods` are able to communicate to `IPv4` endpoints through NAT on the instance itself, link:vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-nat64-dns64[DNS64 and NAT64,type="documentation"] aren't needed. If the traffic needs a public IP address, the traffic is then source network address translated to a public IP. -* *Routing addresses*: The source `IPv6` address of a [.noloc]`Pod` isn't source network address translated to the `IPv6` address of the node when communicating outside of the VPC. It is routed using an internet gateway or egress-only internet gateway. +* *Pods and services*: Pods and services are only assigned an `IPv6` address. They aren't assigned an `IPv4` address. Because Pods are able to communicate to `IPv4` endpoints through NAT on the instance itself, link:vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-nat64-dns64[DNS64 and NAT64,type="documentation"] aren't needed. If the traffic needs a public IP address, the traffic is then source network address translated to a public IP. +* *Routing addresses*: The source `IPv6` address of a Pod isn't source network address translated to the `IPv6` address of the node when communicating outside of the VPC. It is routed using an internet gateway or egress-only internet gateway. * *Nodes*: All nodes are assigned an `IPv4` and `IPv6` address. -* *Fargate [.noloc]`Pods`*: Each Fargate [.noloc]`Pod` receives an `IPv6` address from the CIDR that's specified for the subnet that it's deployed in. The underlying hardware unit that runs Fargate [.noloc]`Pods` gets a unique `IPv4` and `IPv6` address from the CIDRs that are assigned to the subnet that the hardware unit is deployed in. +* *Fargate Pods*: Each Fargate Pod receives an `IPv6` address from the CIDR that's specified for the subnet that it's deployed in. The underlying hardware unit that runs Fargate Pods gets a unique `IPv4` and `IPv6` address from the CIDRs that are assigned to the subnet that the hardware unit is deployed in. == How to use `IPv6` with EKS @@ -55,10 +55,10 @@ The following are considerations for using the feature: * *Auto-assign IPv6 addresses to nodes:* When you create your nodes, you must specify subnets that are configured to auto-assign `IPv6` addresses. Otherwise, you can't deploy your nodes. By default, this configuration is disabled. For more information, see link:vpc/latest/userguide/vpc-ip-addressing.html#subnet-ipv6[Modify the IPv6 addressing attribute for your subnet,type="documentation"] in the Amazon VPC User Guide. * *Set route tables to use `IPv6`*: The route tables that are assigned to your subnets must have routes for `IPv6` addresses. For more information, see link:vpc/latest/userguide/vpc-migrate-ipv6.html[Migrate to IPv6,type="documentation"] in the Amazon VPC User Guide. * *Set security groups for `IPv6`*: Your security groups must allow `IPv6` addresses. For more information, see link:vpc/latest/userguide/vpc-migrate-ipv6.html[Migrate to IPv6,type="documentation"] in the Amazon VPC User Guide. -* *Set up load balancer*: Use version `2.3.1` or later of the {aws} Load Balancer Controller to load balance HTTP applications using the <> or network traffic using the <> to `IPv6` [.noloc]`Pods` with either load balancer in IP mode, but not instance mode. For more information, see <>. +* *Set up load balancer*: Use version `2.3.1` or later of the {aws} Load Balancer Controller to load balance HTTP applications using the <> or network traffic using the <> to `IPv6` Pods with either load balancer in IP mode, but not instance mode. For more information, see <>. * *Add `IPv6` IAM policy*: You must attach an `IPv6` IAM policy to your node IAM or CNI IAM role. Between the two, we recommend that you attach it to a CNI IAM role. For more information, see <> and <>. * *Evaluate all components*: Perform a thorough evaluation of your applications, Amazon EKS add-ons, and {aws} services that you integrate with before deploying `IPv6` clusters. This is to ensure that everything works as expected with `IPv6`. -* *Add `BootstrapArguments` self-managed node groups*: When creating a self-managed node group in a cluster that uses the `IPv6` family, user-data must include the following `BootstrapArguments` for the https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap.sh] file that runs at node start up. Replace [.replaceable]`your-cidr` with the `IPv6` [.noloc]`CIDR` range of your cluster's VPC. +* *Add `BootstrapArguments` self-managed node groups*: When creating a self-managed node group in a cluster that uses the `IPv6` family, user-data must include the following `BootstrapArguments` for the https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap.sh] file that runs at node start up. Replace [.replaceable]`your-cidr` with the `IPv6` CIDR range of your cluster's VPC. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/networking/cni-network-policy-configure.adoc b/latest/ug/networking/cni-network-policy-configure.adoc index 07e6ea3c4..a3d88e495 100644 --- a/latest/ug/networking/cni-network-policy-configure.adoc +++ b/latest/ug/networking/cni-network-policy-configure.adoc @@ -1,22 +1,22 @@ [.topic] [#cni-network-policy-configure] -= Restrict Pod network traffic with [.noloc]`Kubernetes` network policies += Restrict Pod network traffic with Kubernetes network policies :info_titleabbrev: Restrict traffic include::../attributes.txt[] [abstract] -- -Learn how to deploy [.noloc]`Kubernetes` network policies on your Amazon EKS cluster. +Learn how to deploy Kubernetes network policies on your Amazon EKS cluster. -- -You can use a [.noloc]`Kubernetes` network policy to restrict network traffic to and from your [.noloc]`Pods`. For more information, see https://kubernetes.io/docs/concepts/services-networking/network-policies/[Network Policies] in the [.noloc]`Kubernetes` documentation. +You can use a Kubernetes network policy to restrict network traffic to and from your Pods. For more information, see https://kubernetes.io/docs/concepts/services-networking/network-policies/[Network Policies] in the Kubernetes documentation. You must configure the following in order to use this feature: -. Set up policy enforcement at [.noloc]`Pod` startup. You do this in the `aws-node` container of the VPC CNI `DaemonSet`. +. Set up policy enforcement at Pod startup. You do this in the `aws-node` container of the VPC CNI `DaemonSet`. . Enable the network policy parameter for the add-on. -. Configure your cluster to use the [.noloc]`Kubernetes` network policy +. Configure your cluster to use the Kubernetes network policy Before you begin, review the considerations. For more information, see <>. @@ -27,7 +27,7 @@ The following are prerequisites for the feature: [#cni-network-policy-minimum] === Minimum cluster version -An existing Amazon EKS cluster. To deploy one, see <>. The cluster must be [.noloc]`Kubernetes` version `1.25` or later. The cluster must be running one of the [.noloc]`Kubernetes` versions and platform versions listed in the following table. Note that any [.noloc]`Kubernetes` and platform versions later than those listed are also supported. You can check your current [.noloc]`Kubernetes` version by replacing [.replaceable]`my-cluster` in the following command with the name of your cluster and then running the modified command: +An existing Amazon EKS cluster. To deploy one, see <>. The cluster must be Kubernetes version `1.25` or later. The cluster must be running one of the Kubernetes versions and platform versions listed in the following table. Note that any Kubernetes and platform versions later than those listed are also supported. You can check your current Kubernetes version by replacing [.replaceable]`my-cluster` in the following command with the name of your cluster and then running the modified command: [source,bash,subs="verbatim,attributes"] ---- @@ -56,7 +56,7 @@ aws eks describe-cluster [#cni-network-policy-minimum-vpc] === Minimum VPC CNI version -Version `1.14` or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` on your cluster. You can see which version that you currently have with the following command. +Version `1.14` or later of the Amazon VPC CNI plugin for Kubernetes on your cluster. You can see which version that you currently have with the following command. [source,shell,subs="verbatim,attributes"] ---- @@ -72,11 +72,11 @@ Your nodes must have Linux kernel version `5.10` or later. You can check your ke The Amazon EKS optimized accelerated Amazon Linux AMI version `v20231116` or later have kernel version `5.10`. [#cni-network-policy-configure-policy] -== Step 1: Set up policy enforcement at [.noloc]`Pod` startup +== Step 1: Set up policy enforcement at Pod startup -The [.noloc]`Amazon VPC CNI plugin for Kubernetes` configures network policies for pods in parallel with the pod provisioning. Until all of the policies are configured for the new pod, containers in the new pod will start with a _default allow policy_. This is called _standard mode_. A default allow policy means that all ingress and egress traffic is allowed to and from the new pods. For example, the pods will not have any firewall rules enforced (all traffic is allowed) until the new pod is updated with the active policies. +The Amazon VPC CNI plugin for Kubernetes configures network policies for pods in parallel with the pod provisioning. Until all of the policies are configured for the new pod, containers in the new pod will start with a _default allow policy_. This is called _standard mode_. A default allow policy means that all ingress and egress traffic is allowed to and from the new pods. For example, the pods will not have any firewall rules enforced (all traffic is allowed) until the new pod is updated with the active policies. -With the `NETWORK_POLICY_ENFORCING_MODE` variable set to `strict`, pods that use the VPC CNI start with a _default deny policy_, then policies are configured. This is called _strict mode_. In strict mode, you must have a network policy for every endpoint that your pods need to access in your cluster. Note that this requirement applies to the [.noloc]`CoreDNS` pods. The default deny policy isn't configured for pods with Host networking. +With the `NETWORK_POLICY_ENFORCING_MODE` variable set to `strict`, pods that use the VPC CNI start with a _default deny policy_, then policies are configured. This is called _strict mode_. In strict mode, you must have a network policy for every endpoint that your pods need to access in your cluster. Note that this requirement applies to the CoreDNS pods. The default deny policy isn't configured for pods with Host networking. You can change the default network policy by setting the environment variable `NETWORK_POLICY_ENFORCING_MODE` to `strict` in the `aws-node` container of the VPC CNI `DaemonSet`. @@ -124,7 +124,7 @@ The following example has network policy feature enabled and metrics and health [#cni-network-helm] === Helm -If you have installed the [.noloc]`Amazon VPC CNI plugin for Kubernetes` through `helm`, you can update the configuration to change the ports. +If you have installed the Amazon VPC CNI plugin for Kubernetes through `helm`, you can update the configuration to change the ports. . Run the following command to change the ports. Set the port number in the value for either key `nodeAgent.metricsBindAddr` or key `nodeAgent.healthProbeBindAddr`, respectively. + @@ -134,7 +134,7 @@ helm upgrade --set nodeAgent.metricsBindAddr=8162 --set nodeAgent.healthProbeBin ---- [#cni-network-policy-kubectl] -=== [.noloc]`kubectl` +=== kubectl . Open the `aws-node` `DaemonSet` in your editor. + [source,bash,subs="verbatim,attributes"] @@ -174,9 +174,9 @@ sudo mount -t bpf bpffs /sys/fs/bpf [#cni-network-policy-setup] -== Step 4: Configure your cluster to use [.noloc]`Kubernetes` network policies +== Step 4: Configure your cluster to use Kubernetes network policies -Configure the cluster to use [.noloc]`Kubernetes` network policies. You can set this for an Amazon EKS add-on or self-managed add-on. +Configure the cluster to use Kubernetes network policies. You can set this for an Amazon EKS add-on or self-managed add-on. [#cni-network-policy-setup-procedure-add-on] @@ -231,7 +231,7 @@ aws eks update-addon --cluster-name my-cluster --addon-name vpc-cni --addon-vers [discrete] === Helm -If you have installed the [.noloc]`Amazon VPC CNI plugin for Kubernetes` through `helm`, you can update the configuration to enable network policy. +If you have installed the Amazon VPC CNI plugin for Kubernetes through `helm`, you can update the configuration to enable network policy. . Run the following command to enable network policy. + @@ -242,7 +242,7 @@ helm upgrade --set enableNetworkPolicy=true aws-vpc-cni --namespace kube-system [#cni-network-policy-setup-kubectl] [discrete] -=== [.noloc]`kubectl` +=== kubectl . Open the `amazon-vpc-cni` `ConfigMap` in your editor. + @@ -305,8 +305,8 @@ aws-node-prnsh 2/2 Running 1 (24h There are 2 containers in the `aws-node` pods in versions `1.14` and later. In previous versions and if network policy is disabled, there is only a single container in the `aws-node` pods. -You can now deploy [.noloc]`Kubernetes` network policies to your cluster. +You can now deploy Kubernetes network policies to your cluster. -To implement [.noloc]`Kubernetes` network policies you create [.noloc]`Kubernetes` `NetworkPolicy` objects and deploy them to your cluster. `NetworkPolicy` objects are scoped to a namespace. You implement policies to allow or deny traffic between [.noloc]`Pods` based on label selectors, namespaces, and IP address ranges. For more information about creating `NetworkPolicy` objects, see https://kubernetes.io/docs/concepts/services-networking/network-policies/#networkpolicy-resource[Network Policies] in the [.noloc]`Kubernetes` documentation. +To implement Kubernetes network policies you create Kubernetes `NetworkPolicy` objects and deploy them to your cluster. `NetworkPolicy` objects are scoped to a namespace. You implement policies to allow or deny traffic between Pods based on label selectors, namespaces, and IP address ranges. For more information about creating `NetworkPolicy` objects, see https://kubernetes.io/docs/concepts/services-networking/network-policies/#networkpolicy-resource[Network Policies] in the Kubernetes documentation. -Enforcement of [.noloc]`Kubernetes` `NetworkPolicy` objects is implemented using the [.noloc]`Extended Berkeley Packet Filter` ([.noloc]`eBPF`). Relative to `iptables` based implementations, it offers lower latency and performance characteristics, including reduced CPU utilization and avoiding sequential lookups. Additionally, [.noloc]`eBPF` probes provide access to context rich data that helps debug complex kernel level issues and improve observability. Amazon EKS supports an [.noloc]`eBPF`-based exporter that leverages the probes to log policy results on each node and export the data to external log collectors to aid in debugging. For more information, see the https://ebpf.io/what-is-ebpf/#what-is-ebpf[eBPF documentation]. \ No newline at end of file +Enforcement of Kubernetes `NetworkPolicy` objects is implemented using the Extended Berkeley Packet Filter (eBPF). Relative to `iptables` based implementations, it offers lower latency and performance characteristics, including reduced CPU utilization and avoiding sequential lookups. Additionally, eBPF probes provide access to context rich data that helps debug complex kernel level issues and improve observability. Amazon EKS supports an eBPF-based exporter that leverages the probes to log policy results on each node and export the data to external log collectors to aid in debugging. For more information, see the https://ebpf.io/what-is-ebpf/#what-is-ebpf[eBPF documentation]. \ No newline at end of file diff --git a/latest/ug/networking/cni-network-policy.adoc b/latest/ug/networking/cni-network-policy.adoc index e014de6e8..9256e93b1 100644 --- a/latest/ug/networking/cni-network-policy.adoc +++ b/latest/ug/networking/cni-network-policy.adoc @@ -1,6 +1,6 @@ [.topic] [#cni-network-policy] -= Limit [.noloc]`Pod` traffic with [.noloc]`Kubernetes` network policies += Limit Pod traffic with Kubernetes network policies :info_titleabbrev: Kubernetes policies include::../attributes.txt[] @@ -15,21 +15,21 @@ include::network-policy-stars-demo.adoc[leveloffset=+1] [abstract] -- -Learn how to configure your Amazon EKS cluster to use [.noloc]`Kubernetes` network policies with the [.noloc]`Amazon VPC CNI` plugin. Control network traffic to and from pods using network policies for enhanced security. Covers network policy considerations, requirements, setup instructions, and troubleshooting tips. +Learn how to configure your Amazon EKS cluster to use Kubernetes network policies with the Amazon VPC CNI plugin. Control network traffic to and from pods using network policies for enhanced security. Covers network policy considerations, requirements, setup instructions, and troubleshooting tips. -- -By default, there are no restrictions in [.noloc]`Kubernetes` for IP addresses, ports, or connections between any [.noloc]`Pods` in your cluster or between your [.noloc]`Pods` and resources in any other network. You can use [.noloc]`Kubernetes` _network policy_ to restrict network traffic to and from your [.noloc]`Pods`. For more information, see https://kubernetes.io/docs/concepts/services-networking/network-policies/[Network Policies] in the [.noloc]`Kubernetes` documentation. +By default, there are no restrictions in Kubernetes for IP addresses, ports, or connections between any Pods in your cluster or between your Pods and resources in any other network. You can use Kubernetes _network policy_ to restrict network traffic to and from your Pods. For more information, see https://kubernetes.io/docs/concepts/services-networking/network-policies/[Network Policies] in the Kubernetes documentation. -If you have version `1.13` or earlier of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` on your cluster, you need to implement a third party solution to apply [.noloc]`Kubernetes` network policies to your cluster. Version `1.14` or later of the plugin can implement network policies, so you don't need to use a third party solution. In this topic, you learn how to configure your cluster to use [.noloc]`Kubernetes` network policy on your cluster without using a third party add-on. +If you have version `1.13` or earlier of the Amazon VPC CNI plugin for Kubernetes on your cluster, you need to implement a third party solution to apply Kubernetes network policies to your cluster. Version `1.14` or later of the plugin can implement network policies, so you don't need to use a third party solution. In this topic, you learn how to configure your cluster to use Kubernetes network policy on your cluster without using a third party add-on. -Network policies in the [.noloc]`Amazon VPC CNI plugin for Kubernetes` are supported in the following configurations. +Network policies in the Amazon VPC CNI plugin for Kubernetes are supported in the following configurations. * Amazon EKS clusters of version `1.25` and later. -* Version 1.14 or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` on your cluster. +* Version 1.14 or later of the Amazon VPC CNI plugin for Kubernetes on your cluster. * Cluster configured for `IPv4` or `IPv6` addresses. -* You can use network policies with <>. With network policies, you can control all in-cluster communication. With security groups for [.noloc]`Pods`, you can control access to {aws} services from applications within a [.noloc]`Pod`. +* You can use network policies with <>. With network policies, you can control all in-cluster communication. With security groups for Pods, you can control access to {aws} services from applications within a Pod. * You can use network policies with _custom networking_ and _prefix delegation_. @@ -38,19 +38,19 @@ Network policies in the [.noloc]`Amazon VPC CNI plugin for Kubernetes` are suppo *Architecture* -* When applying [.noloc]`Amazon VPC CNI plugin for Kubernetes` network policies to your cluster with the [.noloc]`Amazon VPC CNI plugin for Kubernetes` , you can apply the policies to Amazon EC2 Linux nodes only. You can't apply the policies to Fargate or Windows nodes. +* When applying Amazon VPC CNI plugin for Kubernetes network policies to your cluster with the Amazon VPC CNI plugin for Kubernetes , you can apply the policies to Amazon EC2 Linux nodes only. You can't apply the policies to Fargate or Windows nodes. * Network policies only apply either `IPv4` or `IPv6` addresses, but not both. In an `IPv4` cluster, the VPC CNI assigns `IPv4` address to pods and applies `IPv4` policies. In an `IPv6` cluster, the VPC CNI assigns `IPv6` address to pods and applies `IPv6` policies. Any `IPv4` network policy rules applied to an `IPv6` cluster are ignored. Any `IPv6` network policy rules applied to an `IPv4` cluster are ignored. *Network Policies* -* Network Policies are only applied to [.noloc]`Pods` that are part of a [.noloc]`Deployment`. Standalone [.noloc]`Pods` that don't have a `metadata.ownerReferences` set can't have network policies applied to them. -* You can apply multiple network policies to the same [.noloc]`Pod`. When two or more policies that select the same [.noloc]`Pod` are configured, all policies are applied to the [.noloc]`Pod`. +* Network Policies are only applied to Pods that are part of a Deployment. Standalone Pods that don't have a `metadata.ownerReferences` set can't have network policies applied to them. +* You can apply multiple network policies to the same Pod. When two or more policies that select the same Pod are configured, all policies are applied to the Pod. * The maximum number of unique combinations of ports for each protocol in each `ingress:` or `egress:` selector in a network policy is 24. -* For any of your [.noloc]`Kubernetes` services, the service port must be the same as the container port. If you're using named ports, use the same name in the service spec too. +* For any of your Kubernetes services, the service port must be the same as the container port. If you're using named ports, use the same name in the service spec too. *Migration* -* If your cluster is currently using a third party solution to manage [.noloc]`Kubernetes` network policies, you can use those same policies with the [.noloc]`Amazon VPC CNI plugin for Kubernetes`. However you must remove your existing solution so that it isn't managing the same policies. +* If your cluster is currently using a third party solution to manage Kubernetes network policies, you can use those same policies with the Amazon VPC CNI plugin for Kubernetes. However you must remove your existing solution so that it isn't managing the same policies. *Installation* @@ -58,7 +58,7 @@ Network policies in the [.noloc]`Amazon VPC CNI plugin for Kubernetes` are suppo * If you run pods that use the instance role IAM credentials or connect to the EC2 IMDS, be careful to check for network policies that would block access to the EC2 IMDS. You may need to add a network policy to allow access to EC2 IMDS. For more information, see link:AWSEC2/latest/UserGuide/ec2-instance-metadata.html[Instance metadata and user data,type="documentation"] in the Amazon EC2 User Guide. + Pods that use _IAM roles for service accounts_ or _EKS Pod Identity_ don't access EC2 IMDS. -* The [.noloc]`Amazon VPC CNI plugin for Kubernetes` doesn't apply network policies to additional network interfaces for each pod, only the primary interface for each pod (`eth0`). This affects the following architectures: +* The Amazon VPC CNI plugin for Kubernetes doesn't apply network policies to additional network interfaces for each pod, only the primary interface for each pod (`eth0`). This affects the following architectures: + ** `IPv6` pods with the `ENABLE_V4_EGRESS` variable set to `true`. This variable enables the `IPv4` egress feature to connect the IPv6 pods to `IPv4` endpoints such as those outside the cluster. The `IPv4` egress feature works by creating an additional network interface with a local loopback IPv4 address. -** When using chained network plugins such as [.noloc]`Multus`. Because these plugins add network interfaces to each pod, network policies aren't applied to the chained network plugins. \ No newline at end of file +** When using chained network plugins such as Multus. Because these plugins add network interfaces to each pod, network policies aren't applied to the chained network plugins. \ No newline at end of file diff --git a/latest/ug/networking/coredns-add-on-create.adoc b/latest/ug/networking/coredns-add-on-create.adoc index 770f70387..e9cc777ae 100644 --- a/latest/ug/networking/coredns-add-on-create.adoc +++ b/latest/ug/networking/coredns-add-on-create.adoc @@ -1,11 +1,11 @@ [.topic] [#coredns-add-on-create] -= Create the [.noloc]`CoreDNS` Amazon EKS add-on += Create the CoreDNS Amazon EKS add-on :info_titleabbrev: Create include::../attributes.txt[] -Create the [.noloc]`CoreDNS` Amazon EKS add-on. You must have a cluster before you create the add-on. For more information, see <>. +Create the CoreDNS Amazon EKS add-on. You must have a cluster before you create the add-on. For more information, see <>. . See which version of the add-on is installed on your cluster. + @@ -45,7 +45,7 @@ aws eks create-addon --cluster-name my-cluster --addon-name coredns --addon-vers ---- + If you've applied custom settings to your current add-on that conflict with the default settings of the Amazon EKS add-on, creation might fail. If creation fails, you receive an error that can help you resolve the issue. Alternatively, you can add `--resolve-conflicts OVERWRITE` to the previous command. This allows the add-on to overwrite any existing custom settings. Once you've created the add-on, you can update it with your custom settings. -. Confirm that the latest version of the add-on for your cluster's [.noloc]`Kubernetes` version was added to your cluster. Replace [.replaceable]`my-cluster` with the name of your cluster. +. Confirm that the latest version of the add-on for your cluster's Kubernetes version was added to your cluster. Replace [.replaceable]`my-cluster` with the name of your cluster. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/networking/coredns-add-on-self-managed-update.adoc b/latest/ug/networking/coredns-add-on-self-managed-update.adoc index a1966e3e6..477d7a6d3 100644 --- a/latest/ug/networking/coredns-add-on-self-managed-update.adoc +++ b/latest/ug/networking/coredns-add-on-self-managed-update.adoc @@ -1,6 +1,6 @@ [.topic] [#coredns-add-on-self-managed-update] -= Update the [.noloc]`CoreDNS` Amazon EKS self-managed add-on += Update the CoreDNS Amazon EKS self-managed add-on :info_titleabbrev: Update (self-managed) include::../attributes.txt[] @@ -35,7 +35,7 @@ An example output is as follows. ---- v1.8.7-eksbuild.2 ---- -. If your current [.noloc]`CoreDNS` version is `v1.5.0` or later, but earlier than the version listed in the <> table, then skip this step. If your current version is earlier than `1.5.0`, then you need to modify the `ConfigMap` for [.noloc]`CoreDNS` to use the forward add-on, rather than the proxy add-on. +. If your current CoreDNS version is `v1.5.0` or later, but earlier than the version listed in the <> table, then skip this step. If your current version is earlier than `1.5.0`, then you need to modify the `ConfigMap` for CoreDNS to use the forward add-on, rather than the proxy add-on. + .. Open the `ConfigMap` with the following command. + @@ -49,25 +49,25 @@ kubectl edit configmap coredns -n kube-system ---- proxy . /etc/resolv.conf ---- -. If you originally deployed your cluster on [.noloc]`Kubernetes` `1.17` or earlier, then you may need to remove a discontinued line from your [.noloc]`CoreDNS` manifest. +. If you originally deployed your cluster on Kubernetes `1.17` or earlier, then you may need to remove a discontinued line from your CoreDNS manifest. + -IMPORTANT: You must complete this step before updating to [.noloc]`CoreDNS` version `1.7.0`, but it's recommended that you complete this step even if you're updating to an earlier version. +IMPORTANT: You must complete this step before updating to CoreDNS version `1.7.0`, but it's recommended that you complete this step even if you're updating to an earlier version. + -.. Check to see if your [.noloc]`CoreDNS` manifest has the line. +.. Check to see if your CoreDNS manifest has the line. + [source,bash,subs="verbatim,attributes"] ---- kubectl get configmap coredns -n kube-system -o jsonpath='{$.data.Corefile}' | grep upstream ---- + -If no output is returned, your manifest doesn't have the line and you can skip to the next step to update [.noloc]`CoreDNS`. If output is returned, then you need to remove the line. +If no output is returned, your manifest doesn't have the line and you can skip to the next step to update CoreDNS. If output is returned, then you need to remove the line. .. Edit the `ConfigMap` with the following command, removing the line in the file that has the word `upstream` in it. Do not change anything else in the file. Once the line is removed, save the changes. + [source,bash,subs="verbatim,attributes"] ---- kubectl edit configmap coredns -n kube-system -o yaml ---- -. Retrieve your current [.noloc]`CoreDNS` image version: +. Retrieve your current CoreDNS image version: + [source,bash,subs="verbatim,attributes"] ---- @@ -80,7 +80,7 @@ An example output is as follows. ---- 602401143452.dkr.ecr.region-code.amazonaws.com/eks/coredns:v1.8.7-eksbuild.2 ---- -. If you're updating to [.noloc]`CoreDNS` `1.8.3` or later, then you need to add the `endpointslices` permission to the `system:coredns` [.noloc]`Kubernetes` `clusterrole`. +. If you're updating to CoreDNS `1.8.3` or later, then you need to add the `endpointslices` permission to the `system:coredns` Kubernetes `clusterrole`. + [source,bash,subs="verbatim,attributes"] ---- @@ -101,7 +101,7 @@ Add the following lines under the existing permissions lines in the `rules` sect - watch [...] ---- -. Update the [.noloc]`CoreDNS` add-on by replacing [.replaceable]`602401143452` and [.replaceable]`region-code` with the values from the output returned in a previous step. Replace [.replaceable]`v1.11.3-eksbuild.1` with the [.noloc]`CoreDNS` version listed in the <> for your [.noloc]`Kubernetes` version. +. Update the CoreDNS add-on by replacing [.replaceable]`602401143452` and [.replaceable]`region-code` with the values from the output returned in a previous step. Replace [.replaceable]`v1.11.3-eksbuild.1` with the CoreDNS version listed in the <> for your Kubernetes version. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/networking/coredns-add-on-update.adoc b/latest/ug/networking/coredns-add-on-update.adoc index 6b652db2c..9313f9298 100644 --- a/latest/ug/networking/coredns-add-on-update.adoc +++ b/latest/ug/networking/coredns-add-on-update.adoc @@ -1,6 +1,6 @@ [.topic] [#coredns-add-on-update] -= Update the [.noloc]`CoreDNS` Amazon EKS add-on += Update the CoreDNS Amazon EKS add-on :info_titleabbrev: Update (EKS add-on) include::../attributes.txt[] @@ -23,7 +23,7 @@ An example output is as follows. v1.10.1-eksbuild.13 ---- + -If the version returned is the same as the version for your cluster's [.noloc]`Kubernetes` version in the <>, then you already have the latest version installed on your cluster and don't need to complete the rest of this procedure. If you receive an error, instead of a version number in your output, then you don't have the Amazon EKS type of the add-on installed on your cluster. You need to <> before you can update it with this procedure. +If the version returned is the same as the version for your cluster's Kubernetes version in the <>, then you already have the latest version installed on your cluster and don't need to complete the rest of this procedure. If you receive an error, instead of a version number in your output, then you don't have the Amazon EKS type of the add-on installed on your cluster. You need to <> before you can update it with this procedure. . Save the configuration of your currently installed add-on. + [source,bash,subs="verbatim,attributes"] @@ -35,7 +35,7 @@ kubectl get deployment coredns -n kube-system -o yaml > aws-k8s-coredns-old.yaml ** Replace [.replaceable]`my-cluster` with the name of your cluster. ** Replace [.replaceable]`v1.11.3-eksbuild.1` with the latest version listed in the <> for your cluster version. ** The `--resolve-conflicts[.replaceable]``PRESERVE``` option preserves existing configuration values for the add-on. If you've set custom values for add-on settings, and you don't use this option, Amazon EKS overwrites your values with its default values. If you use this option, then we recommend testing any field and value changes on a non-production cluster before updating the add-on on your production cluster. If you change this value to `OVERWRITE`, all settings are changed to Amazon EKS default values. If you've set custom values for any settings, they might be overwritten with Amazon EKS default values. If you change this value to `none`, Amazon EKS doesn't change the value of any settings, but the update might fail. If the update fails, you receive an error message to help you resolve the conflict. -** If you're not updating a configuration setting, remove `--configuration-values '{[.replaceable]``"replicaCount":3``}'` from the command. If you're updating a configuration setting, replace [.replaceable]`"replicaCount":3` with the setting that you want to set. In this example, the number of replicas of [.noloc]`CoreDNS` is set to `3`. The value that you specify must be valid for the configuration schema. If you don't know the configuration schema, run `aws eks describe-addon-configuration --addon-name coredns --addon-version [.replaceable]``v1.11.3-eksbuild.1```, replacing [.replaceable]`v1.11.3-eksbuild.1` with the version number of the add-on that you want to see the configuration for. The schema is returned in the output. If you have any existing custom configuration, want to remove it all, and set the values for all settings back to Amazon EKS defaults, remove [.replaceable]`"replicaCount":3` from the command, so that you have empty `{}`. For more information about [.noloc]`CoreDNS` settings, see https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/[Customizing DNS Service] in the [.noloc]`Kubernetes` documentation. +** If you're not updating a configuration setting, remove `--configuration-values '{[.replaceable]``"replicaCount":3``}'` from the command. If you're updating a configuration setting, replace [.replaceable]`"replicaCount":3` with the setting that you want to set. In this example, the number of replicas of CoreDNS is set to `3`. The value that you specify must be valid for the configuration schema. If you don't know the configuration schema, run `aws eks describe-addon-configuration --addon-name coredns --addon-version [.replaceable]``v1.11.3-eksbuild.1```, replacing [.replaceable]`v1.11.3-eksbuild.1` with the version number of the add-on that you want to see the configuration for. The schema is returned in the output. If you have any existing custom configuration, want to remove it all, and set the values for all settings back to Amazon EKS defaults, remove [.replaceable]`"replicaCount":3` from the command, so that you have empty `{}`. For more information about CoreDNS settings, see https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/[Customizing DNS Service] in the Kubernetes documentation. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/networking/coredns-autoscaling.adoc b/latest/ug/networking/coredns-autoscaling.adoc index 398106f46..66463bdf7 100644 --- a/latest/ug/networking/coredns-autoscaling.adoc +++ b/latest/ug/networking/coredns-autoscaling.adoc @@ -1,39 +1,39 @@ [.topic] [#coredns-autoscaling] -= Scale [.noloc]`CoreDNS Pods` for high DNS traffic += Scale CoreDNS Pods for high DNS traffic :info_titleabbrev: Scale for high traffic include::../attributes.txt[] [abstract] -- -Learn how the Amazon EKS add-on for [.noloc]`CoreDNS` autoscales to handle increased load on DNS pods, improving application availability and cluster scalability. +Learn how the Amazon EKS add-on for CoreDNS autoscales to handle increased load on DNS pods, improving application availability and cluster scalability. -- -When you launch an Amazon EKS cluster with at least one node, a [.noloc]`Deployment` of two replicas of the [.noloc]`CoreDNS` image are deployed by default, regardless of the number of nodes deployed in your cluster. The [.noloc]`CoreDNS` Pods provide name resolution for all Pods in the cluster. Applications use name resolution to connect to pods and services in the cluster as well as connecting to services outside the cluster. As the number of requests for name resolution (queries) from pods increase, the [.noloc]`CoreDNS` pods can get overwhelmed and slow down, and reject requests that the pods can't handle. +When you launch an Amazon EKS cluster with at least one node, a Deployment of two replicas of the CoreDNS image are deployed by default, regardless of the number of nodes deployed in your cluster. The CoreDNS Pods provide name resolution for all Pods in the cluster. Applications use name resolution to connect to pods and services in the cluster as well as connecting to services outside the cluster. As the number of requests for name resolution (queries) from pods increase, the CoreDNS pods can get overwhelmed and slow down, and reject requests that the pods can't handle. -To handle the increased load on the [.noloc]`CoreDNS` pods, consider an autoscaling system for [.noloc]`CoreDNS`. Amazon EKS can manage the autoscaling of the [.noloc]`CoreDNS` Deployment in the EKS Add-on version of [.noloc]`CoreDNS`. This [.noloc]`CoreDNS` autoscaler continuously monitors the cluster state, including the number of nodes and CPU cores. Based on that information, the controller will dynamically adapt the number of replicas of the [.noloc]`CoreDNS` deployment in an EKS cluster. This feature works for [.noloc]`CoreDNS` `v1.9` and EKS release version `1.25` and later. For more information about which versions are compatible with [.noloc]`CoreDNS` Autoscaling, see the following section. +To handle the increased load on the CoreDNS pods, consider an autoscaling system for CoreDNS. Amazon EKS can manage the autoscaling of the CoreDNS Deployment in the EKS Add-on version of CoreDNS. This CoreDNS autoscaler continuously monitors the cluster state, including the number of nodes and CPU cores. Based on that information, the controller will dynamically adapt the number of replicas of the CoreDNS deployment in an EKS cluster. This feature works for CoreDNS `v1.9` and EKS release version `1.25` and later. For more information about which versions are compatible with CoreDNS Autoscaling, see the following section. We recommend using this feature in conjunction with other https://aws.github.io/aws-eks-best-practices/cluster-autoscaling/[EKS Cluster Autoscaling best practices] to improve overall application availability and cluster scalability. [#coredns-autoscaling-prereqs] == Prerequisites -For Amazon EKS to scale your [.noloc]`CoreDNS` deployment, there are three prerequisites: +For Amazon EKS to scale your CoreDNS deployment, there are three prerequisites: -* You must be using the _EKS Add-on_ version of [.noloc]`CoreDNS`. +* You must be using the _EKS Add-on_ version of CoreDNS. * Your cluster must be running at least the minimum cluster versions and platform versions. -* Your cluster must be running at least the minimum version of the EKS Add-on of [.noloc]`CoreDNS`. +* Your cluster must be running at least the minimum version of the EKS Add-on of CoreDNS. [#coredns-autoscaling-cluster-version] === Minimum cluster version -Autoscaling of [.noloc]`CoreDNS` is done by a new component in the cluster control plane, managed by Amazon EKS. Because of this, you must upgrade your cluster to an EKS release that supports the minimum platform version that has the new component. +Autoscaling of CoreDNS is done by a new component in the cluster control plane, managed by Amazon EKS. Because of this, you must upgrade your cluster to an EKS release that supports the minimum platform version that has the new component. -A new Amazon EKS cluster. To deploy one, see <>. The cluster must be [.noloc]`Kubernetes` version `1.25` or later. The cluster must be running one of the [.noloc]`Kubernetes` versions and platform versions listed in the following table or a later version. Note that any [.noloc]`Kubernetes` and platform versions later than those listed are also supported. You can check your current [.noloc]`Kubernetes` version by replacing [.replaceable]`my-cluster` in the following command with the name of your cluster and then running the modified command: +A new Amazon EKS cluster. To deploy one, see <>. The cluster must be Kubernetes version `1.25` or later. The cluster must be running one of the Kubernetes versions and platform versions listed in the following table or a later version. Note that any Kubernetes and platform versions later than those listed are also supported. You can check your current Kubernetes version by replacing [.replaceable]`my-cluster` in the following command with the name of your cluster and then running the modified command: [source,bash,subs="verbatim,attributes"] ---- @@ -67,7 +67,7 @@ aws eks describe-cluster [NOTE] ==== -Every platform version of later [.noloc]`Kubernetes` versions are also supported, for example [.noloc]`Kubernetes` version `1.30` from `eks.1` and on. +Every platform version of later Kubernetes versions are also supported, for example Kubernetes version `1.30` from `eks.1` and on. ==== @@ -94,17 +94,17 @@ Every platform version of later [.noloc]`Kubernetes` versions are also supported [#coredns-autoscaling-console] -.Configuring [.noloc]`CoreDNS` autoscaling in the {aws-management-console} +.Configuring CoreDNS autoscaling in the {aws-management-console} [%collapsible] ==== . Ensure that your cluster is at or above the minimum cluster version. + -Amazon EKS upgrades clusters between platform versions of the same [.noloc]`Kubernetes` version automatically, and you can't start this process yourself. Instead, you can upgrade your cluster to the next [.noloc]`Kubernetes` version, and the cluster will be upgraded to that K8s version and the latest platform version. For example, if you upgrade from `1.25` to `1.26`, the cluster will upgrade to `1.26.15 eks.18`. +Amazon EKS upgrades clusters between platform versions of the same Kubernetes version automatically, and you can't start this process yourself. Instead, you can upgrade your cluster to the next Kubernetes version, and the cluster will be upgraded to that K8s version and the latest platform version. For example, if you upgrade from `1.25` to `1.26`, the cluster will upgrade to `1.26.15 eks.18`. + -New [.noloc]`Kubernetes` versions sometimes introduce significant changes. Therefore, we recommend that you test the behavior of your applications by using a separate cluster of the new [.noloc]`Kubernetes` version before you update your production clusters. +New Kubernetes versions sometimes introduce significant changes. Therefore, we recommend that you test the behavior of your applications by using a separate cluster of the new Kubernetes version before you update your production clusters. + -To upgrade a cluster to a new [.noloc]`Kubernetes` version, follow the procedure in <>. -. Ensure that you have the EKS Add-on for [.noloc]`CoreDNS`, not the self-managed [.noloc]`CoreDNS` Deployment. +To upgrade a cluster to a new Kubernetes version, follow the procedure in <>. +. Ensure that you have the EKS Add-on for CoreDNS, not the self-managed CoreDNS Deployment. + Depending on the tool that you created your cluster with, you might not currently have the Amazon EKS add-on type installed on your cluster. To see which type of the add-on is installed on your cluster, you can run the following command. Replace `my-cluster` with the name of your cluster. + @@ -114,7 +114,7 @@ aws eks describe-addon --cluster-name my-cluster --addon-name coredns --query ad ---- + If a version number is returned, you have the Amazon EKS type of the add-on installed on your cluster and you can continue with the next step. If an error is returned, you don't have the Amazon EKS type of the add-on installed on your cluster. Complete the remaining steps of the procedure <> to replace the self-managed version with the Amazon EKS add-on. -. Ensure that your EKS Add-on for [.noloc]`CoreDNS` is at a version the same or higher than the minimum EKS Add-on version. +. Ensure that your EKS Add-on for CoreDNS is at a version the same or higher than the minimum EKS Add-on version. + See which version of the add-on is installed on your cluster. You can check in the {aws-management-console} or run the following command: + @@ -136,8 +136,8 @@ Compare this version with the minimum EKS Add-on version in the previous section .. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. .. In the left navigation pane, select *Clusters*, and then select the name of the cluster that you want to configure the add-on for. .. Choose the *Add-ons* tab. -.. Select the box in the top right of the [.noloc]`CoreDNS` add-on box and then choose *Edit*. -.. On the *Configure [.noloc]`CoreDNS`* page: +.. Select the box in the top right of the CoreDNS add-on box and then choose *Edit*. +.. On the *Configure CoreDNS* page: + ... Select the *Version* that you'd like to use. We recommend that you keep the same version as the previous step, and update the version and configuration in separate actions. ... Expand the *Optional configuration settings*. @@ -151,9 +151,9 @@ Compare this version with the minimum EKS Add-on version in the previous section } } ---- -... (Optional) You can provide minimum and maximum values that autoscaling can scale the number of [.noloc]`CoreDNS` pods to. +... (Optional) You can provide minimum and maximum values that autoscaling can scale the number of CoreDNS pods to. + -The following example shows autoscaling is enabled and all of the optional keys have values. We recommend that the minimum number of [.noloc]`CoreDNS` pods is always greater than 2 to provide resilience for the DNS service in the cluster. +The following example shows autoscaling is enabled and all of the optional keys have values. We recommend that the minimum number of CoreDNS pods is always greater than 2 to provide resilience for the DNS service in the cluster. + [source,json,subs="verbatim,attributes"] ---- @@ -165,9 +165,9 @@ The following example shows autoscaling is enabled and all of the optional keys } } ---- -.. To apply the new configuration by replacing the [.noloc]`CoreDNS` pods, choose *Save changes*. +.. To apply the new configuration by replacing the CoreDNS pods, choose *Save changes*. + -Amazon EKS applies changes to the EKS Add-ons by using a _rollout_ of the [.noloc]`Kubernetes` Deployment for CoreDNS. You can track the status of the rollout in the *Update history* of the add-on in the {aws-management-console} and with `kubectl rollout status deployment/coredns --namespace kube-system`. +Amazon EKS applies changes to the EKS Add-ons by using a _rollout_ of the Kubernetes Deployment for CoreDNS. You can track the status of the rollout in the *Update history* of the add-on in the {aws-management-console} and with `kubectl rollout status deployment/coredns --namespace kube-system`. + `kubectl rollout` has the following commands: + @@ -183,23 +183,23 @@ status -- Show the status of the rollout undo -- Undo a previous rollout ---- + -If the rollout takes too long, Amazon EKS will undo the rollout, and a message with the type of *Addon Update* and a status of *Failed* will be added to the *Update history* of the add-on. To investigate any issues, start from the history of the rollout, and run `kubectl logs` on a [.noloc]`CoreDNS` pod to see the logs of [.noloc]`CoreDNS`. -. If the new entry in the *Update history* has a status of *Successful*, then the rollout has completed and the add-on is using the new configuration in all of the [.noloc]`CoreDNS` pods. As you change the number of nodes and CPU cores of nodes in the cluster, Amazon EKS scales the number of replicas of the [.noloc]`CoreDNS` deployment. +If the rollout takes too long, Amazon EKS will undo the rollout, and a message with the type of *Addon Update* and a status of *Failed* will be added to the *Update history* of the add-on. To investigate any issues, start from the history of the rollout, and run `kubectl logs` on a CoreDNS pod to see the logs of CoreDNS. +. If the new entry in the *Update history* has a status of *Successful*, then the rollout has completed and the add-on is using the new configuration in all of the CoreDNS pods. As you change the number of nodes and CPU cores of nodes in the cluster, Amazon EKS scales the number of replicas of the CoreDNS deployment. ==== [#coredns-autoscaling-cli] -.Configuring [.noloc]`CoreDNS` autoscaling in the {aws} Command Line Interface +.Configuring CoreDNS autoscaling in the {aws} Command Line Interface [%collapsible] ==== . Ensure that your cluster is at or above the minimum cluster version. + -Amazon EKS upgrades clusters between platform versions of the same [.noloc]`Kubernetes` version automatically, and you can't start this process yourself. Instead, you can upgrade your cluster to the next [.noloc]`Kubernetes` version, and the cluster will be upgraded to that K8s version and the latest platform version. For example, if you upgrade from `1.25` to `1.26`, the cluster will upgrade to `1.26.15 eks.18`. +Amazon EKS upgrades clusters between platform versions of the same Kubernetes version automatically, and you can't start this process yourself. Instead, you can upgrade your cluster to the next Kubernetes version, and the cluster will be upgraded to that K8s version and the latest platform version. For example, if you upgrade from `1.25` to `1.26`, the cluster will upgrade to `1.26.15 eks.18`. + -New [.noloc]`Kubernetes` versions sometimes introduce significant changes. Therefore, we recommend that you test the behavior of your applications by using a separate cluster of the new [.noloc]`Kubernetes` version before you update your production clusters. +New Kubernetes versions sometimes introduce significant changes. Therefore, we recommend that you test the behavior of your applications by using a separate cluster of the new Kubernetes version before you update your production clusters. + -To upgrade a cluster to a new [.noloc]`Kubernetes` version, follow the procedure in <>. -. Ensure that you have the EKS Add-on for [.noloc]`CoreDNS`, not the self-managed [.noloc]`CoreDNS` Deployment. +To upgrade a cluster to a new Kubernetes version, follow the procedure in <>. +. Ensure that you have the EKS Add-on for CoreDNS, not the self-managed CoreDNS Deployment. + Depending on the tool that you created your cluster with, you might not currently have the Amazon EKS add-on type installed on your cluster. To see which type of the add-on is installed on your cluster, you can run the following command. Replace `my-cluster` with the name of your cluster. + @@ -209,7 +209,7 @@ aws eks describe-addon --cluster-name my-cluster --addon-name coredns --query ad ---- + If a version number is returned, you have the Amazon EKS type of the add-on installed on your cluster. If an error is returned, you don't have the Amazon EKS type of the add-on installed on your cluster. Complete the remaining steps of the procedure <> to replace the self-managed version with the Amazon EKS add-on. -. Ensure that your EKS Add-on for [.noloc]`CoreDNS` is at a version the same or higher than the minimum EKS Add-on version. +. Ensure that your EKS Add-on for CoreDNS is at a version the same or higher than the minimum EKS Add-on version. + See which version of the add-on is installed on your cluster. You can check in the {aws-management-console} or run the following command: + @@ -236,7 +236,7 @@ aws eks update-addon --cluster-name my-cluster --addon-name coredns \ --resolve-conflicts PRESERVE --configuration-values '{"autoScaling":{"enabled":true}}' ---- + -Amazon EKS applies changes to the EKS Add-ons by using a _rollout_ of the [.noloc]`Kubernetes` Deployment for CoreDNS. You can track the status of the rollout in the *Update history* of the add-on in the {aws-management-console} and with `kubectl rollout status deployment/coredns --namespace kube-system`. +Amazon EKS applies changes to the EKS Add-ons by using a _rollout_ of the Kubernetes Deployment for CoreDNS. You can track the status of the rollout in the *Update history* of the add-on in the {aws-management-console} and with `kubectl rollout status deployment/coredns --namespace kube-system`. + `kubectl rollout` has the following commands: + @@ -252,10 +252,10 @@ status -- Show the status of the rollout undo -- Undo a previous rollout ---- + -If the rollout takes too long, Amazon EKS will undo the rollout, and a message with the type of *Addon Update* and a status of *Failed* will be added to the *Update history* of the add-on. To investigate any issues, start from the history of the rollout, and run `kubectl logs` on a [.noloc]`CoreDNS` pod to see the logs of [.noloc]`CoreDNS`. -. (Optional) You can provide minimum and maximum values that autoscaling can scale the number of [.noloc]`CoreDNS` pods to. +If the rollout takes too long, Amazon EKS will undo the rollout, and a message with the type of *Addon Update* and a status of *Failed* will be added to the *Update history* of the add-on. To investigate any issues, start from the history of the rollout, and run `kubectl logs` on a CoreDNS pod to see the logs of CoreDNS. +. (Optional) You can provide minimum and maximum values that autoscaling can scale the number of CoreDNS pods to. + -The following example shows autoscaling is enabled and all of the optional keys have values. We recommend that the minimum number of [.noloc]`CoreDNS` pods is always greater than 2 to provide resilience for the DNS service in the cluster. +The following example shows autoscaling is enabled and all of the optional keys have values. We recommend that the minimum number of CoreDNS pods is always greater than 2 to provide resilience for the DNS service in the cluster. + [source,shell,subs="verbatim,attributes"] ---- @@ -269,6 +269,6 @@ aws eks update-addon --cluster-name my-cluster --addon-name coredns \ aws eks describe-addon --cluster-name my-cluster --addon-name coredns \ ---- + -If you see this line: `"status": "ACTIVE"`, then the rollout has completed and the add-on is using the new configuration in all of the [.noloc]`CoreDNS` pods. As you change the number of nodes and CPU cores of nodes in the cluster, Amazon EKS scales the number of replicas of the [.noloc]`CoreDNS` deployment. +If you see this line: `"status": "ACTIVE"`, then the rollout has completed and the add-on is using the new configuration in all of the CoreDNS pods. As you change the number of nodes and CPU cores of nodes in the cluster, Amazon EKS scales the number of replicas of the CoreDNS deployment. ==== \ No newline at end of file diff --git a/latest/ug/networking/coredns-metrics.adoc b/latest/ug/networking/coredns-metrics.adoc index e8d89732d..b12bfd556 100644 --- a/latest/ug/networking/coredns-metrics.adoc +++ b/latest/ug/networking/coredns-metrics.adoc @@ -1,15 +1,15 @@ [.topic] [#coredns-metrics] -= Monitor [.noloc]`Kubernetes` DNS resolution with [.noloc]`CoreDNS` metrics += Monitor Kubernetes DNS resolution with CoreDNS metrics :info_titleabbrev: Monitor DNS resolution include::../attributes.txt[] [abstract] -- -Learn how to collect [.noloc]`CoreDNS` metrics in Amazon EKS using Prometheus or CloudWatch Agent, enabling monitoring and observability for your [.noloc]`Kubernetes` DNS resolution. +Learn how to collect CoreDNS metrics in Amazon EKS using Prometheus or CloudWatch Agent, enabling monitoring and observability for your Kubernetes DNS resolution. -- -[.noloc]`CoreDNS` as an EKS add-on exposes the metrics from [.noloc]`CoreDNS` on port `9153` in the Prometheus format in the `kube-dns` service. You can use Prometheus, the Amazon CloudWatch agent, or any other compatible system to scrape (collect) these metrics. +CoreDNS as an EKS add-on exposes the metrics from CoreDNS on port `9153` in the Prometheus format in the `kube-dns` service. You can use Prometheus, the Amazon CloudWatch agent, or any other compatible system to scrape (collect) these metrics. For an example _scrape configuration_ that is compatible with both Prometheus and the CloudWatch agent, see link:AmazonCloudWatch/latest/monitoring/ContainerInsights-Prometheus-Setup-configure.html[CloudWatch agent configuration for Prometheus,type="documentation"] in the _Amazon CloudWatch User Guide_. \ No newline at end of file diff --git a/latest/ug/networking/creating-a-vpc.adoc b/latest/ug/networking/creating-a-vpc.adoc index 1984a0a27..ae742831b 100644 --- a/latest/ug/networking/creating-a-vpc.adoc +++ b/latest/ug/networking/creating-a-vpc.adoc @@ -12,7 +12,7 @@ Learn how to create an Amazon VPC for your cluster using an Amazon EKS provided You can use Amazon Virtual Private Cloud (Amazon VPC) to launch {aws} resources into a virtual network that you've defined. This virtual network closely resembles a traditional network that you might operate in your own data center. However, it comes with the benefits of using the scalable infrastructure of Amazon Web Services. We recommend that you have a thorough understanding of the Amazon VPC service before deploying production Amazon EKS clusters. For more information, see the link:vpc/latest/userguide/[Amazon VPC User Guide,type="documentation"]. -An Amazon EKS cluster, nodes, and [.noloc]`Kubernetes` resources are deployed to a VPC. If you want to use an existing VPC with Amazon EKS, that VPC must meet the requirements that are described in <>. This topic describes how to create a VPC that meets Amazon EKS requirements using an Amazon EKS provided {aws} CloudFormation template. Once you've deployed a template, you can view the resources created by the template to know exactly what resources it created, and the configuration of those resources. If you are using hybrid nodes, your VPC must have routes in its route table for your on-premises network. For more information about the network requirements for hybrid nodes, see <>. +An Amazon EKS cluster, nodes, and Kubernetes resources are deployed to a VPC. If you want to use an existing VPC with Amazon EKS, that VPC must meet the requirements that are described in <>. This topic describes how to create a VPC that meets Amazon EKS requirements using an Amazon EKS provided {aws} CloudFormation template. Once you've deployed a template, you can view the resources created by the template to know exactly what resources it created, and the configuration of those resources. If you are using hybrid nodes, your VPC must have routes in its route table for your on-premises network. For more information about the network requirements for hybrid nodes, see <>. == Prerequisites @@ -25,9 +25,9 @@ You can create a VPC with public and private subnets, only public subnets, or on This VPC has two public and two private subnets. A public subnet's associated route table has a route to an internet gateway. However, the route table of a private subnet doesn't have a route to an internet gateway. One public and one private subnet are deployed to the same Availability Zone. The other public and private subnets are deployed to a second Availability Zone in the same {aws} Region. We recommend this option for most deployments. -With this option, you can deploy your nodes to private subnets. This option allows [.noloc]`Kubernetes` to deploy load balancers to the public subnets that can load balance traffic to [.noloc]`Pods` that run on nodes in the private subnets. Public `IPv4` addresses are automatically assigned to nodes that are deployed to public subnets, but public `IPv4` addresses aren't assigned to nodes deployed to private subnets. +With this option, you can deploy your nodes to private subnets. This option allows Kubernetes to deploy load balancers to the public subnets that can load balance traffic to Pods that run on nodes in the private subnets. Public `IPv4` addresses are automatically assigned to nodes that are deployed to public subnets, but public `IPv4` addresses aren't assigned to nodes deployed to private subnets. -You can also assign `IPv6` addresses to nodes in public and private subnets. The nodes in private subnets can communicate with the cluster and other {aws} services. [.noloc]`Pods` can communicate to the internet through a NAT gateway using `IPv4` addresses or outbound-only Internet gateway using `IPv6` addresses deployed in each Availability Zone. A security group is deployed that has rules that deny all inbound traffic from sources other than the cluster or nodes but allows all outbound traffic. The subnets are tagged so that [.noloc]`Kubernetes` can deploy load balancers to them. +You can also assign `IPv6` addresses to nodes in public and private subnets. The nodes in private subnets can communicate with the cluster and other {aws} services. Pods can communicate to the internet through a NAT gateway using `IPv4` addresses or outbound-only Internet gateway using `IPv6` addresses deployed in each Availability Zone. A security group is deployed that has rules that deny all inbound traffic from sources other than the cluster or nodes but allows all outbound traffic. The subnets are tagged so that Kubernetes can deploy load balancers to them. .. Open the link:cloudformation/[{aws} CloudFormation console,type="console"]. .. From the navigation bar, select an {aws} Region that supports Amazon EKS. @@ -50,7 +50,7 @@ https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2020-10-29/amazon-e .. On the *Specify stack details* page, enter the parameters, and then choose *Next*. *** *Stack name*: Choose a stack name for your {aws} CloudFormation stack. For example, you can use the template name you used in the previous step. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. -*** *VpcBlock*: Choose an `IPv4` CIDR range for your VPC. Each node, [.noloc]`Pod`, and load balancer that you deploy is assigned an `IPv4` address from this block. The default `IPv4` values provide enough IP addresses for most implementations, but if it doesn't, then you can change it. For more information, see link:vpc/latest/userguide/VPC_Subnets.html#VPC_Sizing[VPC and subnet sizing,type="documentation"] in the Amazon VPC User Guide. You can also add additional CIDR blocks to the VPC once it's created. If you're creating an `IPv6` VPC, `IPv6` CIDR ranges are automatically assigned for you from Amazon's Global Unicast Address space. +*** *VpcBlock*: Choose an `IPv4` CIDR range for your VPC. Each node, Pod, and load balancer that you deploy is assigned an `IPv4` address from this block. The default `IPv4` values provide enough IP addresses for most implementations, but if it doesn't, then you can change it. For more information, see link:vpc/latest/userguide/VPC_Subnets.html#VPC_Sizing[VPC and subnet sizing,type="documentation"] in the Amazon VPC User Guide. You can also add additional CIDR blocks to the VPC once it's created. If you're creating an `IPv6` VPC, `IPv6` CIDR ranges are automatically assigned for you from Amazon's Global Unicast Address space. *** *PublicSubnet01Block*: Specify an `IPv4` CIDR block for public subnet 1. The default value provides enough IP addresses for most implementations, but if it doesn't, then you can change it. If you're creating an `IPv6` VPC, this block is specified for you within the template. *** *PublicSubnet02Block*: Specify an `IPv4` CIDR block for public subnet 2. The default value provides enough IP addresses for most implementations, but if it doesn't, then you can change it. If you're creating an `IPv6` VPC, this block is specified for you within the template. *** *PrivateSubnet01Block*: Specify an `IPv4` CIDR block for private subnet 1. The default value provides enough IP addresses for most implementations, but if it doesn't, then you can change it. If you're creating an `IPv6` VPC, this block is specified for you within the template. @@ -70,7 +70,7 @@ https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2020-10-29/amazon-e == Only public subnets -This VPC has three public subnets that are deployed into different Availability Zones in an {aws} Region. All nodes are automatically assigned public `IPv4` addresses and can send and receive internet traffic through an link:vpc/latest/userguide/VPC_Internet_Gateway.html[internet gateway,type="documentation"]. A link:vpc/latest/userguide/VPC_SecurityGroups.html[security group,type="documentation"] is deployed that denies all inbound traffic and allows all outbound traffic. The subnets are tagged so that [.noloc]`Kubernetes` can deploy load balancers to them. +This VPC has three public subnets that are deployed into different Availability Zones in an {aws} Region. All nodes are automatically assigned public `IPv4` addresses and can send and receive internet traffic through an link:vpc/latest/userguide/VPC_Internet_Gateway.html[internet gateway,type="documentation"]. A link:vpc/latest/userguide/VPC_SecurityGroups.html[security group,type="documentation"] is deployed that denies all inbound traffic and allows all outbound traffic. The subnets are tagged so that Kubernetes can deploy load balancers to them. .. Open the link:cloudformation/[{aws} CloudFormation console,type="console"]. .. From the navigation bar, select an {aws} Region that supports Amazon EKS. @@ -85,7 +85,7 @@ https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2020-10-29/amazon-e .. On the *Specify Details* page, enter the parameters, and then choose *Next*. *** *Stack name*: Choose a stack name for your {aws} CloudFormation stack. For example, you can call it [.replaceable]`amazon-eks-vpc-sample`. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. -*** *VpcBlock*: Choose a CIDR block for your VPC. Each node, [.noloc]`Pod`, and load balancer that you deploy is assigned an `IPv4` address from this block. The default `IPv4` values provide enough IP addresses for most implementations, but if it doesn't, then you can change it. For more information, see link:vpc/latest/userguide/VPC_Subnets.html#VPC_Sizing[VPC and subnet sizing,type="documentation"] in the Amazon VPC User Guide. You can also add additional CIDR blocks to the VPC once it's created. +*** *VpcBlock*: Choose a CIDR block for your VPC. Each node, Pod, and load balancer that you deploy is assigned an `IPv4` address from this block. The default `IPv4` values provide enough IP addresses for most implementations, but if it doesn't, then you can change it. For more information, see link:vpc/latest/userguide/VPC_Subnets.html#VPC_Sizing[VPC and subnet sizing,type="documentation"] in the Amazon VPC User Guide. You can also add additional CIDR blocks to the VPC once it's created. *** *Subnet01Block*: Specify a CIDR block for subnet 1. The default value provides enough IP addresses for most implementations, but if it doesn't, then you can change it. *** *Subnet02Block*: Specify a CIDR block for subnet 2. The default value provides enough IP addresses for most implementations, but if it doesn't, then you can change it. *** *Subnet03Block*: Specify a CIDR block for subnet 3. The default value provides enough IP addresses for most implementations, but if it doesn't, then you can change it. @@ -94,11 +94,11 @@ https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2020-10-29/amazon-e .. When your stack is created, select it in the console and choose *Outputs*. .. Record the *VpcId* for the VPC that was created. You need this when you create your cluster and nodes. .. Record the *SubnetIds* for the subnets that were created. You need at least two of these when you create your cluster and nodes. -.. (Optional) Any cluster that you deploy to this VPC can assign private `IPv4` addresses to your [.noloc]`Pods` and [.noloc]`services`. If you want to deploy clusters to this VPC to assign private `IPv6` addresses to your [.noloc]`Pods` and [.noloc]`services`, make updates to your VPC, subnet, route tables, and security groups. For more information, see link:vpc/latest/userguide/vpc-migrate-ipv6.html[Migrate existing VPCs from IPv4 to IPv6,type="documentation"] in the Amazon VPC User Guide. Amazon EKS requires that your subnets have the `Auto-assign` `IPv6` addresses option enabled. By default, it's disabled. +.. (Optional) Any cluster that you deploy to this VPC can assign private `IPv4` addresses to your Pods and services. If you want to deploy clusters to this VPC to assign private `IPv6` addresses to your Pods and services, make updates to your VPC, subnet, route tables, and security groups. For more information, see link:vpc/latest/userguide/vpc-migrate-ipv6.html[Migrate existing VPCs from IPv4 to IPv6,type="documentation"] in the Amazon VPC User Guide. Amazon EKS requires that your subnets have the `Auto-assign` `IPv6` addresses option enabled. By default, it's disabled. == Only private subnets -This VPC has three private subnets that are deployed into different Availability Zones in the {aws} Region. Resources that are deployed to the subnets can't access the internet, nor can the internet access resources in the subnets. The template creates link:vpc/latest/privatelink/privatelink-access-aws-services.html[VPC endpoints,type="documentation"] using {aws} PrivateLink for several {aws} services that nodes typically need to access. If your nodes need outbound internet access, you can add a public link:vpc/latest/userguide/vpc-nat-gateway.html[NAT gateway,type="documentation"] in the Availability Zone of each subnet after the VPC is created. A link:vpc/latest/userguide/VPC_SecurityGroups.html[security group,type="documentation"] is created that denies all inbound traffic, except from resources deployed into the subnets. A security group also allows all outbound traffic. The subnets are tagged so that [.noloc]`Kubernetes` can deploy internal load balancers to them. If you're creating a VPC with this configuration, see <> for additional requirements and considerations. +This VPC has three private subnets that are deployed into different Availability Zones in the {aws} Region. Resources that are deployed to the subnets can't access the internet, nor can the internet access resources in the subnets. The template creates link:vpc/latest/privatelink/privatelink-access-aws-services.html[VPC endpoints,type="documentation"] using {aws} PrivateLink for several {aws} services that nodes typically need to access. If your nodes need outbound internet access, you can add a public link:vpc/latest/userguide/vpc-nat-gateway.html[NAT gateway,type="documentation"] in the Availability Zone of each subnet after the VPC is created. A link:vpc/latest/userguide/VPC_SecurityGroups.html[security group,type="documentation"] is created that denies all inbound traffic, except from resources deployed into the subnets. A security group also allows all outbound traffic. The subnets are tagged so that Kubernetes can deploy internal load balancers to them. If you're creating a VPC with this configuration, see <> for additional requirements and considerations. .. Open the link:cloudformation/[{aws} CloudFormation console,type="console"]. .. From the navigation bar, select an {aws} Region that supports Amazon EKS. @@ -113,7 +113,7 @@ https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2020-10-29/amazon-e .. On the *Specify Details* page, enter the parameters and then choose *Next*. *** *Stack name*: Choose a stack name for your {aws} CloudFormation stack. For example, you can call it [.replaceable]`amazon-eks-fully-private-vpc`. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. -*** *VpcBlock*: Choose a CIDR block for your VPC. Each node, [.noloc]`Pod`, and load balancer that you deploy is assigned an `IPv4` address from this block. The default `IPv4` values provide enough IP addresses for most implementations, but if it doesn't, then you can change it. For more information, see link:vpc/latest/userguide/VPC_Subnets.html#VPC_Sizing[VPC and subnet sizing,type="documentation"] in the Amazon VPC User Guide. You can also add additional CIDR blocks to the VPC once it's created. +*** *VpcBlock*: Choose a CIDR block for your VPC. Each node, Pod, and load balancer that you deploy is assigned an `IPv4` address from this block. The default `IPv4` values provide enough IP addresses for most implementations, but if it doesn't, then you can change it. For more information, see link:vpc/latest/userguide/VPC_Subnets.html#VPC_Sizing[VPC and subnet sizing,type="documentation"] in the Amazon VPC User Guide. You can also add additional CIDR blocks to the VPC once it's created. *** *PrivateSubnet01Block*: Specify a CIDR block for subnet 1. The default value provides enough IP addresses for most implementations, but if it doesn't, then you can change it. *** *PrivateSubnet02Block*: Specify a CIDR block for subnet 2. The default value provides enough IP addresses for most implementations, but if it doesn't, then you can change it. *** *PrivateSubnet03Block*: Specify a CIDR block for subnet 3. The default value provides enough IP addresses for most implementations, but if it doesn't, then you can change it. @@ -122,4 +122,4 @@ https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2020-10-29/amazon-e .. When your stack is created, select it in the console and choose *Outputs*. .. Record the *VpcId* for the VPC that was created. You need this when you create your cluster and nodes. .. Record the *SubnetIds* for the subnets that were created. You need at least two of these when you create your cluster and nodes. -.. (Optional) Any cluster that you deploy to this VPC can assign private `IPv4` addresses to your [.noloc]`Pods` and [.noloc]`services`. If you want deploy clusters to this VPC to assign private `IPv6` addresses to your [.noloc]`Pods` and [.noloc]`services`, make updates to your VPC, subnet, route tables, and security groups. For more information, see link:vpc/latest/userguide/vpc-migrate-ipv6.html[Migrate existing VPCs from IPv4 to IPv6,type="documentation"] in the Amazon VPC User Guide. Amazon EKS requires that your subnets have the `Auto-assign IPv6` addresses option enabled (it's disabled by default). \ No newline at end of file +.. (Optional) Any cluster that you deploy to this VPC can assign private `IPv4` addresses to your Pods and services. If you want deploy clusters to this VPC to assign private `IPv6` addresses to your Pods and services, make updates to your VPC, subnet, route tables, and security groups. For more information, see link:vpc/latest/userguide/vpc-migrate-ipv6.html[Migrate existing VPCs from IPv4 to IPv6,type="documentation"] in the Amazon VPC User Guide. Amazon EKS requires that your subnets have the `Auto-assign IPv6` addresses option enabled (it's disabled by default). \ No newline at end of file diff --git a/latest/ug/networking/deploy-ipv6-cluster.adoc b/latest/ug/networking/deploy-ipv6-cluster.adoc index 39db40ebc..586a54843 100644 --- a/latest/ug/networking/deploy-ipv6-cluster.adoc +++ b/latest/ug/networking/deploy-ipv6-cluster.adoc @@ -5,7 +5,7 @@ include::../attributes.txt[] -In this tutorial, you deploy an `IPv6` Amazon VPC, an Amazon EKS cluster with the `IPv6` family, and a managed node group with Amazon EC2 Amazon Linux nodes. You can't deploy Amazon EC2 [.noloc]`Windows` nodes in an `IPv6` cluster. You can also deploy Fargate nodes to your cluster, though those instructions aren't provided in this topic for simplicity. +In this tutorial, you deploy an `IPv6` Amazon VPC, an Amazon EKS cluster with the `IPv6` family, and a managed node group with Amazon EC2 Amazon Linux nodes. You can't deploy Amazon EC2 Windows nodes in an `IPv6` cluster. You can also deploy Fargate nodes to your cluster, though those instructions aren't provided in this topic for simplicity. == Prerequisites @@ -14,19 +14,19 @@ Complete the following before you start the tutorial: Install and configure the following tools and resources that you need to create and manage an Amazon EKS cluster. * We recommend that you familiarize yourself with all settings and deploy a cluster with the settings that meet your requirements. For more information, see <>, <>, and the <> for this topic. You can only enable some settings when creating your cluster. -* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. +* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the Kubernetes version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. * The IAM security principal that you're using must have permissions to work with Amazon EKS IAM roles, service linked roles, {aws} CloudFormation, a VPC, and related resources. For more information, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html[Actions, resources, and condition keys for Amazon Elastic Kubernetes Service,type="documentation"] and link:IAM/latest/UserGuide/using-service-linked-roles.html[Using service-linked roles,type="documentation"] in the IAM User Guide. -* If you use the [.noloc]`eksctl`, install version `{eksctl-min-version}` or later on your computer. To install or update to it, see https://eksctl.io/installation[Installation] in the `eksctl` documentation. -* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. If you use the {aws} CloudShell, you may need to link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[install version 2.12.3 or later or 1.27.160 or later of the {aws} CLI,type="documentation"], because the default {aws} CLI version installed in the {aws} CloudShell may be an earlier version. +* If you use the eksctl, install version `{eksctl-min-version}` or later on your computer. To install or update to it, see https://eksctl.io/installation[Installation] in the `eksctl` documentation. +* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or Homebrew for macOS are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. If you use the {aws} CloudShell, you may need to link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[install version 2.12.3 or later or 1.27.160 or later of the {aws} CLI,type="documentation"], because the default {aws} CLI version installed in the {aws} CloudShell may be an earlier version. //[#deploy-ipv6-cluster-procedure] //====== Procedure -You can use the [.noloc]`eksctl` or CLI to deploy an `IPv6` cluster. +You can use the eksctl or CLI to deploy an `IPv6` cluster. -== Deploy an IPv6 cluster with [.noloc]`eksctl` +== Deploy an IPv6 cluster with eksctl .. Create the `ipv6-cluster.yaml` file. Copy the command that follows to your device. Make the following modifications to the command as needed and then run the modified command: + @@ -81,7 +81,7 @@ Cluster creation takes several minutes. Don't proceed until you see the last lin [...] [✓] EKS cluster "my-cluster" in "region-code" region is ready ---- -.. Confirm that default [.noloc]`Pods` are assigned `IPv6` addresses. +.. Confirm that default Pods are assigned `IPv6` addresses. + [source,bash,subs="verbatim,attributes"] ---- @@ -114,7 +114,7 @@ An example output is as follows. NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR kube-dns ClusterIP fd30:3087:b6c2::a 53/UDP,53/TCP 57m k8s-app=kube-dns ---- -.. (Optional) <> or deploy the <> and a sample application to load balance HTTP applications with <> or network traffic with <> to `IPv6` [.noloc]`Pods`. +.. (Optional) <> or deploy the <> and a sample application to load balance HTTP applications with <> or network traffic with <> to `IPv6` Pods. .. After you've finished with the cluster and nodes that you created for this tutorial, you should clean up the resources that you created with the following command. + [source,bash,subs="verbatim,attributes"] @@ -207,7 +207,7 @@ private_subnets=$(aws cloudformation describe-stacks --region $region_code --sta subnets=${public_subnets},${private_subnets} ---- -.. Create a cluster IAM role and attach the required Amazon EKS IAM managed policy to it. [.noloc]`Kubernetes` clusters managed by Amazon EKS make calls to other {aws} services on your behalf to manage the resources that you use with the service. +.. Create a cluster IAM role and attach the required Amazon EKS IAM managed policy to it. Kubernetes clusters managed by Amazon EKS make calls to other {aws} services on your behalf to manage the resources that you use with the service. + ... Run the following command to create the `eks-cluster-role-trust-policy.json` file. + @@ -403,7 +403,7 @@ The node group takes a few minutes to create. Run the following command. Don't p aws eks describe-nodegroup --region $region_code --cluster-name $cluster_name --nodegroup-name $nodegroup_name \ --query nodegroup.status --output text ---- -.. Confirm that the default [.noloc]`Pods` are assigned `IPv6` addresses in the `IP` column. +.. Confirm that the default Pods are assigned `IPv6` addresses in the `IP` column. + [source,bash,subs="verbatim,attributes"] ---- @@ -436,7 +436,7 @@ An example output is as follows. NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR kube-dns ClusterIP fd30:3087:b6c2::a 53/UDP,53/TCP 57m k8s-app=kube-dns ---- -.. (Optional) <> or deploy the <> and a sample application to load balance HTTP applications with <> or network traffic with <> to `IPv6` [.noloc]`Pods`. +.. (Optional) <> or deploy the <> and a sample application to load balance HTTP applications with <> or network traffic with <> to `IPv6` Pods. .. After you've finished with the cluster and nodes that you created for this tutorial, you should clean up the resources that you created with the following commands. Make sure that you're not using any of the resources outside of this tutorial before deleting them. + ... If you're completing this step in a different shell than you completed the previous steps in, set the values of all the variables used in previous steps, replacing the [.replaceable]`example values` with the values you specified when you completed the previous steps. If you're completing this step in the same shell that you completed the previous steps in, skip to the next step. diff --git a/latest/ug/networking/eks-networking-add-ons.adoc b/latest/ug/networking/eks-networking-add-ons.adoc index 127982daf..d8c866046 100644 --- a/latest/ug/networking/eks-networking-add-ons.adoc +++ b/latest/ug/networking/eks-networking-add-ons.adoc @@ -17,7 +17,7 @@ include::managing-kube-proxy.adoc[leveloffset=+1] [abstract] -- -Learn how to manage networking add-ons for your Amazon EKS cluster, including built-in components like [.noloc]`Amazon VPC CNI plugin for Kubernetes`, [.noloc]`CoreDNS`, and `kube-proxy`, as well as optional {aws} add-ons for load balancing and service mesh. +Learn how to manage networking add-ons for your Amazon EKS cluster, including built-in components like Amazon VPC CNI plugin for Kubernetes, CoreDNS, and `kube-proxy`, as well as optional {aws} add-ons for load balancing and service mesh. -- Several networking add-ons are available for your Amazon EKS cluster. @@ -33,26 +33,26 @@ If you create clusters in any way except by using the console, each cluster come We recommend adding the Amazon EKS type of the add-on to your cluster instead of using the self-managed type of the add-on. If you create clusters in the console, the Amazon EKS type of these add-ons is installed. ==== -*[.noloc]`Amazon VPC CNI plugin for Kubernetes`*:: -This CNI add-on creates elastic network interfaces and attaches them to your Amazon EC2 nodes. The add-on also assigns a private `IPv4` or `IPv6` address from your VPC to each [.noloc]`Pod` and service. This add-on is installed, by default, on your cluster. For more information, see <>. If you are using hybrid nodes, the VPC CNI is still installed by default but it is prevented from running on your hybrid nodes with an anti-affinity rule. For more information about your CNI options for hybrid nodes, see <>. +*Amazon VPC CNI plugin for Kubernetes*:: +This CNI add-on creates elastic network interfaces and attaches them to your Amazon EC2 nodes. The add-on also assigns a private `IPv4` or `IPv6` address from your VPC to each Pod and service. This add-on is installed, by default, on your cluster. For more information, see <>. If you are using hybrid nodes, the VPC CNI is still installed by default but it is prevented from running on your hybrid nodes with an anti-affinity rule. For more information about your CNI options for hybrid nodes, see <>. -*[.noloc]`CoreDNS`*:: -[.noloc]`CoreDNS` is a flexible, extensible DNS server that can serve as the [.noloc]`Kubernetes` cluster DNS. [.noloc]`CoreDNS` provides name resolution for all [.noloc]`Pods` in the cluster. This add-on is installed, by default, on your cluster. For more information, see <>. +*CoreDNS*:: +CoreDNS is a flexible, extensible DNS server that can serve as the Kubernetes cluster DNS. CoreDNS provides name resolution for all Pods in the cluster. This add-on is installed, by default, on your cluster. For more information, see <>. *`kube-proxy`*:: -This add-on maintains network rules on your Amazon EC2 nodes and enables network communication to your [.noloc]`Pods`. This add-on is installed, by default, on your cluster. For more information, see <>. +This add-on maintains network rules on your Amazon EC2 nodes and enables network communication to your Pods. This add-on is installed, by default, on your cluster. For more information, see <>. [#eks-networking-add-ons-optional] == Optional {aws} networking add-ons -*[.noloc]`{aws} Load Balancer Controller`*:: -When you deploy [.noloc]`Kubernetes` service objects of type `loadbalancer`, the controller creates {aws} Network Load Balancers . When you create [.noloc]`Kubernetes` ingress objects, the controller creates {aws} Application Load Balancers. We recommend using this controller to provision Network Load Balancers, rather than using the https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/#legacy-cloud-provider[legacy Cloud Provider] controller built-in to [.noloc]`Kubernetes`. For more information, see the https://kubernetes-sigs.github.io/aws-load-balancer-controller[{aws} Load Balancer Controller] documentation. +*{aws} Load Balancer Controller*:: +When you deploy Kubernetes service objects of type `loadbalancer`, the controller creates {aws} Network Load Balancers . When you create Kubernetes ingress objects, the controller creates {aws} Application Load Balancers. We recommend using this controller to provision Network Load Balancers, rather than using the https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/#legacy-cloud-provider[legacy Cloud Provider] controller built-in to Kubernetes. For more information, see the https://kubernetes-sigs.github.io/aws-load-balancer-controller[{aws} Load Balancer Controller] documentation. *{aws} Gateway API Controller*:: -This controller lets you connect services across multiple [.noloc]`Kubernetes` clusters using the https://gateway-api.sigs.k8s.io/[Kubernetes gateway API]. The controller connects [.noloc]`Kubernetes` services running on Amazon EC2 instances, containers, and serverless functions by using the link:vpc-lattice/latest/ug/what-is-vpc-service-network.html[Amazon VPC Lattice,type="documentation"] service. For more information, see the https://www.gateway-api-controller.eks.aws.dev/[{aws} Gateway API Controller] documentation. +This controller lets you connect services across multiple Kubernetes clusters using the https://gateway-api.sigs.k8s.io/[Kubernetes gateway API]. The controller connects Kubernetes services running on Amazon EC2 instances, containers, and serverless functions by using the link:vpc-lattice/latest/ug/what-is-vpc-service-network.html[Amazon VPC Lattice,type="documentation"] service. For more information, see the https://www.gateway-api-controller.eks.aws.dev/[{aws} Gateway API Controller] documentation. For more information about add-ons, see <>. \ No newline at end of file diff --git a/latest/ug/networking/external-snat.adoc b/latest/ug/networking/external-snat.adoc index 0e78eaf60..36ff4c5b3 100644 --- a/latest/ug/networking/external-snat.adoc +++ b/latest/ug/networking/external-snat.adoc @@ -1,37 +1,37 @@ [.topic] [#external-snat] -= Enable outbound internet access for [.noloc]`Pods` += Enable outbound internet access for Pods :info_titleabbrev: Outbound traffic include::../attributes.txt[] [abstract] -- -Learn how Amazon EKS manages external communication for [.noloc]`Pods` using Source Network Address Translation (SNAT), allowing Pods to access internet resources or networks connected via VPC peering, Transit Gateway, or {aws} Direct Connect. +Learn how Amazon EKS manages external communication for Pods using Source Network Address Translation (SNAT), allowing Pods to access internet resources or networks connected via VPC peering, Transit Gateway, or {aws} Direct Connect. -- -*Applies to*: [.noloc]`Linux` `IPv4` Fargate nodes, [.noloc]`Linux` nodes with Amazon EC2 instances +*Applies to*: Linux `IPv4` Fargate nodes, Linux nodes with Amazon EC2 instances If you deployed your cluster using the `IPv6` family, then the information in this topic isn't applicable to your cluster, because `IPv6` addresses are not network translated. For more information about using `IPv6` with your cluster, see <>. -By default, each [.noloc]`Pod` in your cluster is assigned a link:AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-private-addresses[private,type="documentation"] `IPv4` address from a classless inter-domain routing (CIDR) block that is associated with the VPC that the [.noloc]`Pod` is deployed in. [.noloc]`Pods` in the same VPC communicate with each other using these private IP addresses as end points. When a [.noloc]`Pod` communicates to any `IPv4` address that isn't within a CIDR block that's associated to your VPC, the Amazon VPC CNI plugin (for both https://github.com/aws/amazon-vpc-cni-k8s#amazon-vpc-cni-k8s[Linux] or https://github.com/aws/amazon-vpc-cni-plugins/tree/master/plugins/vpc-bridge[Windows]) translates the [.noloc]`Pod's` `IPv4` address to the primary private `IPv4` address of the primary link:AWSEC2/latest/UserGuide/using-eni.html#eni-basics[elastic network interface,type="documentation"] of the node that the [.noloc]`Pod` is running on, by default <>. +By default, each Pod in your cluster is assigned a link:AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-private-addresses[private,type="documentation"] `IPv4` address from a classless inter-domain routing (CIDR) block that is associated with the VPC that the Pod is deployed in. Pods in the same VPC communicate with each other using these private IP addresses as end points. When a Pod communicates to any `IPv4` address that isn't within a CIDR block that's associated to your VPC, the Amazon VPC CNI plugin (for both https://github.com/aws/amazon-vpc-cni-k8s#amazon-vpc-cni-k8s[Linux] or https://github.com/aws/amazon-vpc-cni-plugins/tree/master/plugins/vpc-bridge[Windows]) translates the Pod's `IPv4` address to the primary private `IPv4` address of the primary link:AWSEC2/latest/UserGuide/using-eni.html#eni-basics[elastic network interface,type="documentation"] of the node that the Pod is running on, by default <>. [NOTE] ==== -For [.noloc]`Windows` nodes, there are additional details to consider. By default, the https://github.com/aws/amazon-vpc-cni-plugins/tree/master/plugins/vpc-bridge[VPC CNI plugin for Windows] is defined with a networking configuration in which the traffic to a destination within the same VPC is excluded for SNAT. This means that internal VPC communication has SNAT disabled and the IP address allocated to a [.noloc]`Pod` is routable inside the VPC. But traffic to a destination outside of the VPC has the source [.noloc]`Pod` IP SNAT'ed to the instance ENI's primary IP address. This default configuration for [.noloc]`Windows` ensures that the pod can access networks outside of your VPC in the same way as the host instance. +For Windows nodes, there are additional details to consider. By default, the https://github.com/aws/amazon-vpc-cni-plugins/tree/master/plugins/vpc-bridge[VPC CNI plugin for Windows] is defined with a networking configuration in which the traffic to a destination within the same VPC is excluded for SNAT. This means that internal VPC communication has SNAT disabled and the IP address allocated to a Pod is routable inside the VPC. But traffic to a destination outside of the VPC has the source Pod IP SNAT'ed to the instance ENI's primary IP address. This default configuration for Windows ensures that the pod can access networks outside of your VPC in the same way as the host instance. ==== Due to this behavior: -* Your [.noloc]`Pods` can communicate with internet resources only if the node that they're running on has a link:AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses[public,type="documentation"] or link:vpc/latest/userguide/vpc-eips.html[elastic,type="documentation"] IP address assigned to it and is in a link:vpc/latest/userguide/configure-subnets.html#subnet-basics[public subnet,type="documentation"]. A public subnet's associated link:vpc/latest/userguide/VPC_Route_Tables.html[route table,type="documentation"] has a route to an internet gateway. We recommend deploying nodes to private subnets, whenever possible. -* For versions of the plugin earlier than `1.8.0`, resources that are in networks or VPCs that are connected to your cluster VPC using link:vpc/latest/peering/what-is-vpc-peering.html[VPC peering,type="documentation"], a link:whitepapers/latest/aws-vpc-connectivity-options/transit-vpc-option.html[transit VPC,type="documentation"], or link:directconnect/latest/UserGuide/Welcome.html[{aws} Direct Connect,type="documentation"] can't initiate communication to your [.noloc]`Pods` behind secondary elastic network interfaces. Your [.noloc]`Pods` can initiate communication to those resources and receive responses from them, though. +* Your Pods can communicate with internet resources only if the node that they're running on has a link:AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses[public,type="documentation"] or link:vpc/latest/userguide/vpc-eips.html[elastic,type="documentation"] IP address assigned to it and is in a link:vpc/latest/userguide/configure-subnets.html#subnet-basics[public subnet,type="documentation"]. A public subnet's associated link:vpc/latest/userguide/VPC_Route_Tables.html[route table,type="documentation"] has a route to an internet gateway. We recommend deploying nodes to private subnets, whenever possible. +* For versions of the plugin earlier than `1.8.0`, resources that are in networks or VPCs that are connected to your cluster VPC using link:vpc/latest/peering/what-is-vpc-peering.html[VPC peering,type="documentation"], a link:whitepapers/latest/aws-vpc-connectivity-options/transit-vpc-option.html[transit VPC,type="documentation"], or link:directconnect/latest/UserGuide/Welcome.html[{aws} Direct Connect,type="documentation"] can't initiate communication to your Pods behind secondary elastic network interfaces. Your Pods can initiate communication to those resources and receive responses from them, though. If either of the following statements are true in your environment, then change the default configuration with the command that follows. -* You have resources in networks or VPCs that are connected to your cluster VPC using link:vpc/latest/peering/what-is-vpc-peering.html[VPC peering,type="documentation"], a link:whitepapers/latest/aws-vpc-connectivity-options/transit-vpc-option.html[transit VPC,type="documentation"], or link:directconnect/latest/UserGuide/Welcome.html[{aws} Direct Connect,type="documentation"] that need to initiate communication with your [.noloc]`Pods` using an `IPv4` address and your plugin version is earlier than `1.8.0`. -* Your [.noloc]`Pods` are in a link:vpc/latest/userguide/configure-subnets.html#subnet-basics[private subnet,type="documentation"] and need to communicate outbound to the internet. The subnet has a route to a link:vpc/latest/userguide/vpc-nat-gateway.html[NAT gateway,type="documentation"]. +* You have resources in networks or VPCs that are connected to your cluster VPC using link:vpc/latest/peering/what-is-vpc-peering.html[VPC peering,type="documentation"], a link:whitepapers/latest/aws-vpc-connectivity-options/transit-vpc-option.html[transit VPC,type="documentation"], or link:directconnect/latest/UserGuide/Welcome.html[{aws} Direct Connect,type="documentation"] that need to initiate communication with your Pods using an `IPv4` address and your plugin version is earlier than `1.8.0`. +* Your Pods are in a link:vpc/latest/userguide/configure-subnets.html#subnet-basics[private subnet,type="documentation"] and need to communicate outbound to the internet. The subnet has a route to a link:vpc/latest/userguide/vpc-nat-gateway.html[NAT gateway,type="documentation"]. [source,bash,subs="verbatim,attributes"] @@ -42,11 +42,11 @@ kubectl set env daemonset -n kube-system aws-node AWS_VPC_K8S_CNI_EXTERNALSNAT=t [NOTE] ==== -The `AWS_VPC_K8S_CNI_EXTERNALSNAT` and `AWS_VPC_K8S_CNI_EXCLUDE_SNAT_CIDRS` CNI configuration variables aren't applicable to [.noloc]`Windows` nodes. Disabling SNAT isn't supported for [.noloc]`Windows`. As for excluding a list of `IPv4` CIDRs from SNAT, you can define this by specifying the `ExcludedSnatCIDRs` parameter in the [.noloc]`Windows` bootstrap script. For more information on using this parameter, see <>. +The `AWS_VPC_K8S_CNI_EXTERNALSNAT` and `AWS_VPC_K8S_CNI_EXCLUDE_SNAT_CIDRS` CNI configuration variables aren't applicable to Windows nodes. Disabling SNAT isn't supported for Windows. As for excluding a list of `IPv4` CIDRs from SNAT, you can define this by specifying the `ExcludedSnatCIDRs` parameter in the Windows bootstrap script. For more information on using this parameter, see <>. ==== [#snat-exception] == Host networking -{asterisk} If a [.noloc]`Pod's` spec contains `hostNetwork=true` (default is `false`), then its IP address isn't translated to a different address. This is the case for the `kube-proxy` and [.noloc]`Amazon VPC CNI plugin for Kubernetes` [.noloc]`Pods` that run on your cluster, by default. For these [.noloc]`Pods`, the IP address is the same as the node's primary IP address, so the [.noloc]`Pod's` IP address isn't translated. For more information about a [.noloc]`Pod's` `hostNetwork` setting, see https://kubernetes.io/docs/reference/generated/kubernetes-api/v{k8s-n}/#podspec-v1-core[PodSpec v1 core] in the [.noloc]`Kubernetes` API reference. \ No newline at end of file +{asterisk} If a Pod's spec contains `hostNetwork=true` (default is `false`), then its IP address isn't translated to a different address. This is the case for the `kube-proxy` and Amazon VPC CNI plugin for Kubernetes Pods that run on your cluster, by default. For these Pods, the IP address is the same as the node's primary IP address, so the Pod's IP address isn't translated. For more information about a Pod's `hostNetwork` setting, see https://kubernetes.io/docs/reference/generated/kubernetes-api/v{k8s-n}/#podspec-v1-core[PodSpec v1 core] in the Kubernetes API reference. \ No newline at end of file diff --git a/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc b/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc index bec538b0d..a0577ec31 100644 --- a/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc +++ b/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc @@ -80,7 +80,7 @@ v1.30.0-eksbuild.3 kubectl edit -n kube-system daemonset/kube-proxy ---- + -Add the following node selector to the file in the editor and then save the file. For an example of where to include this text in the editor, see the https://github.com/aws/amazon-vpc-cni-k8s/blob/release-1.11/config/master/aws-k8s-cni.yaml#L265-#L269[CNI manifest] file on [.noloc]`GitHub`. This enables [.noloc]`Kubernetes` to pull the correct hardware image based on the node's hardware architecture. +Add the following node selector to the file in the editor and then save the file. For an example of where to include this text in the editor, see the https://github.com/aws/amazon-vpc-cni-k8s/blob/release-1.11/config/master/aws-k8s-cni.yaml#L265-#L269[CNI manifest] file on GitHub. This enables Kubernetes to pull the correct hardware image based on the node's hardware architecture. + [source,yaml,subs="verbatim,attributes"] ---- @@ -90,14 +90,14 @@ Add the following node selector to the file in the editor and then save the file - amd64 - arm64 ---- -. If your cluster was originally created with [.noloc]`Kubernetes` version `1.14` or later, then you can skip this step because `kube-proxy` already includes this `Affinity Rule`. If you originally created an Amazon EKS cluster with [.noloc]`Kubernetes` version `1.13` or earlier and intend to use Fargate nodes in your cluster, then edit your `kube-proxy` manifest to include a `NodeAffinity` rule to prevent `kube-proxy` [.noloc]`Pods` from scheduling on Fargate nodes. This is a one-time edit. Once you've added the `Affinity Rule` to your manifest, you don't need to add it each time that you update the add-on. Edit your `kube-proxy` [.noloc]`DaemonSet`. +. If your cluster was originally created with Kubernetes version `1.14` or later, then you can skip this step because `kube-proxy` already includes this `Affinity Rule`. If you originally created an Amazon EKS cluster with Kubernetes version `1.13` or earlier and intend to use Fargate nodes in your cluster, then edit your `kube-proxy` manifest to include a `NodeAffinity` rule to prevent `kube-proxy` Pods from scheduling on Fargate nodes. This is a one-time edit. Once you've added the `Affinity Rule` to your manifest, you don't need to add it each time that you update the add-on. Edit your `kube-proxy` DaemonSet. + [source,bash,subs="verbatim,attributes"] ---- kubectl edit -n kube-system daemonset/kube-proxy ---- + -Add the following `Affinity Rule` to the [.noloc]`DaemonSet` `spec` section of the file in the editor and then save the file. For an example of where to include this text in the editor, see the https://github.com/aws/amazon-vpc-cni-k8s/blob/release-1.11/config/master/aws-k8s-cni.yaml#L270-#L273[CNI manifest] file on [.noloc]`GitHub`. +Add the following `Affinity Rule` to the DaemonSet `spec` section of the file in the editor and then save the file. For an example of where to include this text in the editor, see the https://github.com/aws/amazon-vpc-cni-k8s/blob/release-1.11/config/master/aws-k8s-cni.yaml#L270-#L273[CNI manifest] file on GitHub. + [source,yaml,subs="verbatim,attributes"] ---- diff --git a/latest/ug/networking/lbc-helm.adoc b/latest/ug/networking/lbc-helm.adoc index 85a7d82ee..addd2bd5d 100644 --- a/latest/ug/networking/lbc-helm.adoc +++ b/latest/ug/networking/lbc-helm.adoc @@ -2,12 +2,12 @@ include::../attributes.txt[] [#lbc-helm] -= Install [.noloc]`{aws} Load Balancer Controller` with [.noloc]`Helm` += Install {aws} Load Balancer Controller with Helm :info_titleabbrev: Install with Helm [abstract] -- -Learn how to install the [.noloc]`{aws} Load Balancer Controller` on Amazon EKS using Helm to manage K8s load balancing with {aws} Cloud. Discover the prerequisites and steps for creating an IAM role, installing with Helm, and verifying the controller deployment. +Learn how to install the {aws} Load Balancer Controller on Amazon EKS using Helm to manage K8s load balancing with {aws} Cloud. Discover the prerequisites and steps for creating an IAM role, installing with Helm, and verifying the controller deployment. -- [TIP] @@ -17,7 +17,7 @@ With Amazon EKS Auto Mode, you don't need to install or upgrade networking add-o For more information, see <>. ==== -This topic describes how to install the [.noloc]`{aws} Load Balancer Controller` using Helm, a package manager for [.noloc]`Kubernetes`, and `eksctl`. The controller is installed with default options. For more information about the controller, including details on configuring it with annotations, see the https://kubernetes-sigs.github.io/aws-load-balancer-controller/[{aws} Load Balancer Controller Documentation] on [.noloc]`GitHub`. +This topic describes how to install the {aws} Load Balancer Controller using Helm, a package manager for Kubernetes, and `eksctl`. The controller is installed with default options. For more information about the controller, including details on configuring it with annotations, see the https://kubernetes-sigs.github.io/aws-load-balancer-controller/[{aws} Load Balancer Controller Documentation] on GitHub. In the following steps, replace the [.replaceable]`example values` with your own values. @@ -29,8 +29,8 @@ Before starting this tutorial, you must install and configure the following tool * An existing Amazon EKS cluster. To deploy one, see <>. -* An existing {aws} Identity and Access Management (IAM) [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you already have one, or to create one, see <>. -* Make sure that your [.noloc]`Amazon VPC CNI plugin for Kubernetes`, `kube-proxy`, and [.noloc]`CoreDNS` add-ons are at the minimum versions listed in <>. +* An existing {aws} Identity and Access Management (IAM) OpenID Connect (OIDC) provider for your cluster. To determine whether you already have one, or to create one, see <>. +* Make sure that your Amazon VPC CNI plugin for Kubernetes, `kube-proxy`, and CoreDNS add-ons are at the minimum versions listed in <>. * Familiarity with {aws} Elastic Load Balancing. For more information, see the link:elasticloadbalancing/latest/userguide/[Elastic Load Balancing User Guide,type="documentation"]. * Familiarity with Kubernetes https://kubernetes.io/docs/concepts/services-networking/service/[service] and https://kubernetes.io/docs/concepts/services-networking/ingress/[ingress] resources. @@ -44,18 +44,18 @@ Before starting this tutorial, you must install and configure the following tool [NOTE] ==== -You only need to create an IAM Role for the [.noloc]`{aws} Load Balancer Controller` once per {aws} account. Check if `AmazonEKSLoadBalancerControllerRole` exists in the link:iam[IAM Console,type="console"]. If this role exists, skip to <>. +You only need to create an IAM Role for the {aws} Load Balancer Controller once per {aws} account. Check if `AmazonEKSLoadBalancerControllerRole` exists in the link:iam[IAM Console,type="console"]. If this role exists, skip to <>. ==== [NOTE] ==== -Below example is referring to the [.noloc]`{aws} Load Balancer Controller` *v2.11.0* release version. For more information about all releases, see the https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/[{aws} Load Balancer Controller Release Page] on [.noloc]`GitHub`. +Below example is referring to the {aws} Load Balancer Controller *v2.11.0* release version. For more information about all releases, see the https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/[{aws} Load Balancer Controller Release Page] on GitHub. ==== -. Download an IAM policy for the [.noloc]`{aws} Load Balancer Controller` that allows it to make calls to {aws} APIs on your behalf. +. Download an IAM policy for the {aws} Load Balancer Controller that allows it to make calls to {aws} APIs on your behalf. + ==== [role="tablist"] @@ -105,7 +105,7 @@ eksctl create iamserviceaccount \ [#lbc-helm-install] -== Step 2: Install [.noloc]`{aws} Load Balancer Controller` +== Step 2: Install {aws} Load Balancer Controller . Add the `eks-charts` Helm chart repository. {aws} maintains https://github.com/aws/eks-charts[this repository] on GitHub. + @@ -119,14 +119,14 @@ helm repo add eks https://aws.github.io/eks-charts ---- helm repo update eks ---- -. Install the [.noloc]`{aws} Load Balancer Controller`. +. Install the {aws} Load Balancer Controller. + If you're deploying the controller to Amazon EC2 nodes that have https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[restricted access to the Amazon EC2 instance metadata service (IMDS)], or if you're deploying to Fargate or Amazon EKS Hybrid Nodes, then add the following flags to the `helm` command that follows: + *** `--set region=[.replaceable]``region-code``` *** `--set vpcId=[.replaceable]``vpc-xxxxxxxx``` + -Replace [.replaceable]`my-cluster` with the name of your cluster. In the following command, `aws-load-balancer-controller` is the [.noloc]`Kubernetes` service account that you created in a previous step. +Replace [.replaceable]`my-cluster` with the name of your cluster. In the following command, `aws-load-balancer-controller` is the Kubernetes service account that you created in a previous step. + For more information about configuring the helm chart, see https://github.com/aws/eks-charts/blob/master/stable/aws-load-balancer-controller/values.yaml[values.yaml] on GitHub. + @@ -145,7 +145,7 @@ helm install aws-load-balancer-controller eks/aws-load-balancer-controller \ The deployed chart doesn't receive security updates automatically. You need to manually upgrade to a newer chart when it becomes available. When upgrading, change [.replaceable]`install` to `upgrade` in the previous command. ==== -The `helm install` command automatically installs the custom resource definitions ([.noloc]`CRDs`) for the controller. The `helm upgrade` command does not. If you use `helm upgrade,` you must manually install the [.noloc]`CRDs`. Run the following command to install the [.noloc]`CRDs`: +The `helm install` command automatically installs the custom resource definitions (CRDs) for the controller. The `helm upgrade` command does not. If you use `helm upgrade,` you must manually install the CRDs. Run the following command to install the CRDs: [source,shell,subs="verbatim,attributes"] ---- @@ -171,7 +171,7 @@ NAME READY UP-TO-DATE AVAILABLE AGE aws-load-balancer-controller 2/2 2 2 84s ---- + -You receive the previous output if you deployed using Helm. If you deployed using the [.noloc]`Kubernetes` manifest, you only have one replica. +You receive the previous output if you deployed using Helm. If you deployed using the Kubernetes manifest, you only have one replica. . Before using the controller to provision {aws} resources, your cluster must meet specific requirements. For more information, see <> and <>. // GDC Must Fix \ No newline at end of file diff --git a/latest/ug/networking/lbc-manifest.adoc b/latest/ug/networking/lbc-manifest.adoc index c1b259d9a..b7914eec8 100644 --- a/latest/ug/networking/lbc-manifest.adoc +++ b/latest/ug/networking/lbc-manifest.adoc @@ -2,12 +2,12 @@ [#lbc-manifest] include::../attributes.txt[] -= Install [.noloc]`{aws} Load Balancer Controller` with manifests += Install {aws} Load Balancer Controller with manifests :info_titleabbrev: Install with manifests [abstract] -- -Install the [.noloc]`{aws} Load Balancer Controller` add-on for Amazon EKS using [.noloc]`Kubernetes` manifests to provision Elastic Load Balancing resources. Configure IAM role and install `cert-manager` before applying controller manifest. +Install the {aws} Load Balancer Controller add-on for Amazon EKS using Kubernetes manifests to provision Elastic Load Balancing resources. Configure IAM role and install `cert-manager` before applying controller manifest. -- [TIP] @@ -17,7 +17,7 @@ With Amazon EKS Auto Mode, you don't need to install or upgrade networking add-o For more information, see <>. ==== -This topic describes how to install the controller by downloading and applying [.noloc]`Kubernetes` manifests. You can view the full https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/[documentation] for the controller on [.noloc]`GitHub`. +This topic describes how to install the controller by downloading and applying Kubernetes manifests. You can view the full https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/[documentation] for the controller on GitHub. In the following steps, replace the [.replaceable]`example values` with your own values. @@ -29,8 +29,8 @@ Before starting this tutorial, you must install and configure the following tool * An existing Amazon EKS cluster. To deploy one, see <>. -* An existing {aws} Identity and Access Management (IAM) [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you already have one, or to create one, see <>. -* Make sure that your [.noloc]`Amazon VPC CNI plugin for Kubernetes`, `kube-proxy`, and [.noloc]`CoreDNS` add-ons are at the minimum versions listed in <>. +* An existing {aws} Identity and Access Management (IAM) OpenID Connect (OIDC) provider for your cluster. To determine whether you already have one, or to create one, see <>. +* Make sure that your Amazon VPC CNI plugin for Kubernetes, `kube-proxy`, and CoreDNS add-ons are at the minimum versions listed in <>. * Familiarity with {aws} Elastic Load Balancing. For more information, see the link:elasticloadbalancing/latest/userguide/[Elastic Load Balancing User Guide,type="documentation"]. * Familiarity with Kubernetes https://kubernetes.io/docs/concepts/services-networking/service/[service] and https://kubernetes.io/docs/concepts/services-networking/ingress/[ingress] resources. @@ -41,18 +41,18 @@ Before starting this tutorial, you must install and configure the following tool [NOTE] ==== -You only need to create a role for the [.noloc]`{aws} Load Balancer Controller` one per {aws} account. Check if `AmazonEKSLoadBalancerControllerRole` exists in the link:iam[IAM Console,type="console"]. If this role exists, skip to <>. +You only need to create a role for the {aws} Load Balancer Controller one per {aws} account. Check if `AmazonEKSLoadBalancerControllerRole` exists in the link:iam[IAM Console,type="console"]. If this role exists, skip to <>. ==== [NOTE] ==== -Below example is referring to the [.noloc]`{aws} Load Balancer Controller` *v2.11.0* release version. For more inforamtion about all releases, see the https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/[{aws} Load Balancer Controller Release Page] on [.noloc]`GitHub`. +Below example is referring to the {aws} Load Balancer Controller *v2.11.0* release version. For more inforamtion about all releases, see the https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/[{aws} Load Balancer Controller Release Page] on GitHub. ==== -. Download an IAM policy for the [.noloc]`{aws} Load Balancer Controller` that allows it to make calls to {aws} APIs on your behalf. +. Download an IAM policy for the {aws} Load Balancer Controller that allows it to make calls to {aws} APIs on your behalf. + ==== [role="tablist"] @@ -105,20 +105,20 @@ eksctl create iamserviceaccount \ {aws} CLI and kubectl::: -.. Retrieve your cluster's [.noloc]`OIDC` provider ID and store it in a variable. +.. Retrieve your cluster's OIDC provider ID and store it in a variable. + [source,bash,subs="verbatim,attributes"] ---- oidc_id=$(aws eks describe-cluster --name my-cluster --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5) ---- -.. Determine whether an IAM [.noloc]`OIDC` provider with your cluster's ID is already in your account. You need [.noloc]`OIDC` configured for both the cluster and IAM. +.. Determine whether an IAM OIDC provider with your cluster's ID is already in your account. You need OIDC configured for both the cluster and IAM. + [source,bash,subs="verbatim,attributes"] ---- aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4 ---- + -If output is returned, then you already have an IAM [.noloc]`OIDC` provider for your cluster. If no output is returned, then you must create an IAM [.noloc]`OIDC` provider for your cluster. For more information, see <>. +If output is returned, then you already have an IAM OIDC provider for your cluster. If no output is returned, then you must create an IAM OIDC provider for your cluster. For more information, see <>. .. Copy the following contents to your device. Replace [.replaceable]`111122223333` with your account ID. Replace [.replaceable]`region-code` with the {aws} Region that your cluster is in. Replace [.replaceable]`EXAMPLED539D4633E53DE1B71EXAMPLE` with the output returned in the previous step. + [source,json,subs="verbatim,attributes"] @@ -177,7 +177,7 @@ metadata: eks.amazonaws.com/role-arn: {arn-aws}iam::111122223333:role/AmazonEKSLoadBalancerControllerRole EOF ---- -.. Create the [.noloc]`Kubernetes` service account on your cluster. The [.noloc]`Kubernetes` service account named `aws-load-balancer-controller` is annotated with the IAM role that you created named [.replaceable]`AmazonEKSLoadBalancerControllerRole`. +.. Create the Kubernetes service account on your cluster. The Kubernetes service account named `aws-load-balancer-controller` is annotated with the IAM role that you created named [.replaceable]`AmazonEKSLoadBalancerControllerRole`. + [source,shell,subs="verbatim,attributes"] ---- @@ -197,7 +197,7 @@ We recommend using the `quay.io` container registry to install `cert-manager`. I ==== [role="tablist"] -[.noloc]`Quay.io`::: +Quay.io::: .. If your nodes have access to the `quay.io` container registry, install `cert-manager` to inject certificate configuration into the webhooks. + [source,shell,subs="verbatim,attributes"] @@ -242,8 +242,8 @@ kubectl apply \ [#lbc-install] -== Step 3: Install [.noloc]`{aws} Load Balancer Controller` -. Download the controller specification. For more information about the controller, see the https://kubernetes-sigs.github.io/aws-load-balancer-controller/[documentation] on [.noloc]`GitHub`. +== Step 3: Install {aws} Load Balancer Controller +. Download the controller specification. For more information about the controller, see the https://kubernetes-sigs.github.io/aws-load-balancer-controller/[documentation] on GitHub. + [source,bash,subs="verbatim,attributes"] ---- @@ -346,5 +346,5 @@ NAME READY UP-TO-DATE AVAILABLE AGE aws-load-balancer-controller 2/2 2 2 84s ---- + -You receive the previous output if you deployed using Helm. If you deployed using the [.noloc]`Kubernetes` manifest, you only have one replica. +You receive the previous output if you deployed using Helm. If you deployed using the Kubernetes manifest, you only have one replica. . Before using the controller to provision {aws} resources, your cluster must meet specific requirements. For more information, see <> and <>. \ No newline at end of file diff --git a/latest/ug/networking/lbc-remove.adoc b/latest/ug/networking/lbc-remove.adoc index 0e393a2ee..bf3f8b1e9 100644 --- a/latest/ug/networking/lbc-remove.adoc +++ b/latest/ug/networking/lbc-remove.adoc @@ -1,16 +1,16 @@ [.topic] [#lbc-remove] -= Migrate apps from deprecated ALB [.noloc]`Ingress Controller` += Migrate apps from deprecated ALB Ingress Controller :info_titleabbrev: Migrate from deprecated include::../attributes.txt[] [abstract] -- -Learn how to migrate from the deprecated ALB Ingress Controller to the latest [.noloc]`{aws} Load Balancer Controller` release, ensuring smooth transition and uninterrupted load balancing capabilities. +Learn how to migrate from the deprecated ALB Ingress Controller to the latest {aws} Load Balancer Controller release, ensuring smooth transition and uninterrupted load balancing capabilities. -- -This topic describes how to migrate from deprecated controller versions. More specifically, it describes how to remove deprecated versions of the [.noloc]`{aws} Load Balancer Controller`. +This topic describes how to migrate from deprecated controller versions. More specifically, it describes how to remove deprecated versions of the {aws} Load Balancer Controller. @@ -19,8 +19,8 @@ This topic describes how to migrate from deprecated controller versions. More sp [[lbc-deprecated-list]] * Deprecated versions include: + -** {aws} ALB Ingress Controller for [.noloc]`Kubernetes` ("Ingress Controller"), a predecessor to the [.noloc]`{aws} Load Balancer Controller`. -** Any `0.1.[.replaceable]``x``` version of the [.noloc]`{aws} Load Balancer Controller` +** {aws} ALB Ingress Controller for Kubernetes ("Ingress Controller"), a predecessor to the {aws} Load Balancer Controller. +** Any `0.1.[.replaceable]``x``` version of the {aws} Load Balancer Controller [#lbc-remove-desc] @@ -29,7 +29,7 @@ This topic describes how to migrate from deprecated controller versions. More sp [NOTE] ==== -You may have installed the deprecated version using Helm or manually with [.noloc]`Kubernetes` manifests. Complete the procedure using the tool that you originally installed it with. +You may have installed the deprecated version using Helm or manually with Kubernetes manifests. Complete the procedure using the tool that you originally installed it with. ==== . If you installed the `incubator/aws-alb-ingress-controller` Helm chart, uninstall it. @@ -76,14 +76,14 @@ kubectl delete -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingr [#lbc-migrate] -== Migrate to [.noloc]`{aws} Load Balancer Controller` +== Migrate to {aws} Load Balancer Controller -To migrate from the ALB Ingress Controller for [.noloc]`Kubernetes` to the [.noloc]`{aws} Load Balancer Controller`, you need to: +To migrate from the ALB Ingress Controller for Kubernetes to the {aws} Load Balancer Controller, you need to: . Remove the ALB Ingress Controller (see above). . <> -. Add an additional policy to the IAM Role used by the [.noloc]`{aws} Load Balancer Controller`. This policy permits the LBC to manage resources created by the ALB Ingress Controller for [.noloc]`Kubernetes`. -. Download the IAM policy. This policy permits the [.noloc]`{aws} Load Balancer Controller` to manage resources created by the ALB Ingress Controller for [.noloc]`Kubernetes`. You can also https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy_v1_to_v2_additional.json[view the policy]. +. Add an additional policy to the IAM Role used by the {aws} Load Balancer Controller. This policy permits the LBC to manage resources created by the ALB Ingress Controller for Kubernetes. +. Download the IAM policy. This policy permits the {aws} Load Balancer Controller to manage resources created by the ALB Ingress Controller for Kubernetes. You can also https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy_v1_to_v2_additional.json[view the policy]. + [source,shell,subs="verbatim,attributes"] ---- @@ -103,7 +103,7 @@ aws iam create-policy \ --policy-name AWSLoadBalancerControllerAdditionalIAMPolicy \ --policy-document file://iam_policy_v1_to_v2_additional.json ---- -. Attach the IAM policy to the IAM role used by the [.noloc]`{aws} Load Balancer Controller`. Replace [.replaceable]`your-role-name` with the name of the role, such as `AmazonEKSLoadBalancerControllerRole`. +. Attach the IAM policy to the IAM role used by the {aws} Load Balancer Controller. Replace [.replaceable]`your-role-name` with the name of the role, such as `AmazonEKSLoadBalancerControllerRole`. + If you created the role using `eksctl`, then to find the role name that was created, open the link:cloudformation[{aws} CloudFormation console,type="console"] and select the *eksctl-[.replaceable]`my-cluster`-addon-iamserviceaccount-kube-system-aws-load-balancer-controller* stack. Select the *Resources* tab. The role name is in the *Physical ID* column. + diff --git a/latest/ug/networking/managing-coredns.adoc b/latest/ug/networking/managing-coredns.adoc index 47d84da6c..56917a147 100644 --- a/latest/ug/networking/managing-coredns.adoc +++ b/latest/ug/networking/managing-coredns.adoc @@ -17,7 +17,7 @@ include::coredns-metrics.adoc[leveloffset=+1] [abstract] -- -Learn how to manage the [.noloc]`CoreDNS` Amazon EKS add-on for DNS service discovery in [.noloc]`Kubernetes` clusters with configuration updates and version upgrades. +Learn how to manage the CoreDNS Amazon EKS add-on for DNS service discovery in Kubernetes clusters with configuration updates and version upgrades. -- [TIP] @@ -27,16 +27,16 @@ With Amazon EKS Auto Mode, you don't need to install or upgrade networking add-o For more information, see <>. ==== -[.noloc]`CoreDNS` is a flexible, extensible DNS server that can serve as the [.noloc]`Kubernetes` cluster DNS. When you launch an Amazon EKS cluster with at least one node, two replicas of the [.noloc]`CoreDNS` image are deployed by default, regardless of the number of nodes deployed in your cluster. The [.noloc]`CoreDNS` [.noloc]`Pods` provide name resolution for all [.noloc]`Pods` in the cluster. The [.noloc]`CoreDNS` [.noloc]`Pods` can be deployed to Fargate nodes if your cluster includes a Fargate Profile with a namespace that matches the namespace for the [.noloc]`CoreDNS` `deployment`. For more information on Fargate Profiles, see <>. For more information about [.noloc]`CoreDNS`, see https://kubernetes.io/docs/tasks/administer-cluster/coredns/[Using CoreDNS for Service Discovery] in the [.noloc]`Kubernetes` documentation. +CoreDNS is a flexible, extensible DNS server that can serve as the Kubernetes cluster DNS. When you launch an Amazon EKS cluster with at least one node, two replicas of the CoreDNS image are deployed by default, regardless of the number of nodes deployed in your cluster. The CoreDNS Pods provide name resolution for all Pods in the cluster. The CoreDNS Pods can be deployed to Fargate nodes if your cluster includes a Fargate Profile with a namespace that matches the namespace for the CoreDNS `deployment`. For more information on Fargate Profiles, see <>. For more information about CoreDNS, see https://kubernetes.io/docs/tasks/administer-cluster/coredns/[Using CoreDNS for Service Discovery] in the Kubernetes documentation. [#coredns-versions] -== [.noloc]`CoreDNS` versions +== CoreDNS versions -The following table lists the latest version of the Amazon EKS add-on type for each [.noloc]`Kubernetes` version. +The following table lists the latest version of the Amazon EKS add-on type for each Kubernetes version. [options="header"] |=== -| Kubernetes version | [.noloc]`CoreDNS` version +| Kubernetes version | CoreDNS version | 1.32 | v1.11.4-eksbuild.2 | 1.31 | v1.11.4-eksbuild.2 | 1.30 | v1.11.4-eksbuild.2 @@ -56,15 +56,15 @@ If you're self-managing this add-on, the versions in the table might not be the ==== [#coredns-upgrade] -== Important [.noloc]`CoreDNS` upgrade considerations +== Important CoreDNS upgrade considerations -* To improve the stability and availability of the [.noloc]`CoreDNS` [.noloc]`Deployment`, versions `v1.9.3-eksbuild.6` and later and `v1.10.1-eksbuild.3` are deployed with a `PodDisruptionBudget`. If you've deployed an existing `PodDisruptionBudget`, your upgrade to these versions might fail. If the upgrade fails, completing one of the following tasks should resolve the issue: +* To improve the stability and availability of the CoreDNS Deployment, versions `v1.9.3-eksbuild.6` and later and `v1.10.1-eksbuild.3` are deployed with a `PodDisruptionBudget`. If you've deployed an existing `PodDisruptionBudget`, your upgrade to these versions might fail. If the upgrade fails, completing one of the following tasks should resolve the issue: + -** When doing the upgrade of the Amazon EKS add-on, choose to override the existing settings as your conflict resolution option. If you've made other custom settings to the [.noloc]`Deployment`, make sure to back up your settings before upgrading so that you can reapply your other custom settings after the upgrade. +** When doing the upgrade of the Amazon EKS add-on, choose to override the existing settings as your conflict resolution option. If you've made other custom settings to the Deployment, make sure to back up your settings before upgrading so that you can reapply your other custom settings after the upgrade. ** Remove your existing `PodDisruptionBudget` and try the upgrade again. -* In EKS add-on versions `v1.9.3-eksbuild.3` and later and `v1.10.1-eksbuild.6` and later, the [.noloc]`CoreDNS` [.noloc]`Deployment` sets the `readinessProbe` to use the `/ready` endpoint. This endpoint is enabled in the `Corefile` configuration file for [.noloc]`CoreDNS`. +* In EKS add-on versions `v1.9.3-eksbuild.3` and later and `v1.10.1-eksbuild.6` and later, the CoreDNS Deployment sets the `readinessProbe` to use the `/ready` endpoint. This endpoint is enabled in the `Corefile` configuration file for CoreDNS. + -If you use a custom `Corefile`, you must add the `ready` plugin to the config, so that the `/ready` endpoint is active in [.noloc]`CoreDNS` for the probe to use. +If you use a custom `Corefile`, you must add the `ready` plugin to the config, so that the `/ready` endpoint is active in CoreDNS for the probe to use. * In EKS add-on versions `v1.9.3-eksbuild.7` and later and `v1.10.1-eksbuild.4` and later, you can change the `PodDisruptionBudget`. You can edit the add-on and change these settings in the *Optional configuration settings* using the fields in the following example. This example shows the default `PodDisruptionBudget`. + [source,json,subs="verbatim,attributes"] @@ -76,7 +76,7 @@ If you use a custom `Corefile`, you must add the `ready` plugin to the config, s } } ---- -// Not using [.noloc]`Kubernetes` here because the _ causes issues with the rendering. +// Not using Kubernetes here because the _ causes issues with the rendering. + You can set `maxUnavailable` or `minAvailable`, but you can't set both in a single `PodDisruptionBudget`. For more information about `PodDisruptionBudgets`, see https://kubernetes.io/docs/tasks/run-application/configure-pdb/#specifying-a-poddisruptionbudget[Specifying a PodDisruptionBudget] in the _Kubernetes documentation_. + @@ -86,10 +86,10 @@ Note that if you set `enabled` to `false`, the `PodDisruptionBudget` isn't remov ---- kubectl delete poddisruptionbudget coredns -n kube-system ---- -* In EKS add-on versions `v1.10.1-eksbuild.5` and later, change the default toleration from `node-role.kubernetes.io/master:NoSchedule` to `node-role.kubernetes.io/control-plane:NoSchedule` to comply with KEP 2067. For more information about KEP 2067, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/kubeadm/2067-rename-master-label-taint#renaming-the-node-rolekubernetesiomaster-node-taint[KEP-2067: Rename the kubeadm "master" label and taint] in the _Kubernetes Enhancement Proposals (KEPs)_ on [.noloc]`GitHub`. +* In EKS add-on versions `v1.10.1-eksbuild.5` and later, change the default toleration from `node-role.kubernetes.io/master:NoSchedule` to `node-role.kubernetes.io/control-plane:NoSchedule` to comply with KEP 2067. For more information about KEP 2067, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/kubeadm/2067-rename-master-label-taint#renaming-the-node-rolekubernetesiomaster-node-taint[KEP-2067: Rename the kubeadm "master" label and taint] in the _Kubernetes Enhancement Proposals (KEPs)_ on GitHub. + -In EKS add-on versions `v1.8.7-eksbuild.8` and later and `v1.9.3-eksbuild.9` and later, both tolerations are set to be compatible with every [.noloc]`Kubernetes` version. -* In EKS add-on versions `v1.9.3-eksbuild.11` and `v1.10.1-eksbuild.7` and later, the [.noloc]`CoreDNS` [.noloc]`Deployment` sets a default value for `topologySpreadConstraints`. The default value ensures that the [.noloc]`CoreDNS` [.noloc]`Pods` are spread across the Availability Zones if there are nodes in multiple Availability Zones available. You can set a custom value that will be used instead of the default value. The default value follows: +In EKS add-on versions `v1.8.7-eksbuild.8` and later and `v1.9.3-eksbuild.9` and later, both tolerations are set to be compatible with every Kubernetes version. +* In EKS add-on versions `v1.9.3-eksbuild.11` and `v1.10.1-eksbuild.7` and later, the CoreDNS Deployment sets a default value for `topologySpreadConstraints`. The default value ensures that the CoreDNS Pods are spread across the Availability Zones if there are nodes in multiple Availability Zones available. You can set a custom value that will be used instead of the default value. The default value follows: + [source,yaml,subs="verbatim,attributes"] ---- @@ -104,6 +104,6 @@ topologySpreadConstraints: [#coredns-upgrade-1.11] -=== [.noloc]`CoreDNS` `v1.11` upgrade considerations +=== CoreDNS `v1.11` upgrade considerations -* In EKS add-on versions `v1.11.1-eksbuild.4` and later, the container image is based on a https://gallery.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base[minimal base image] maintained by Amazon EKS Distro, which contains minimal packages and doesn't have shells. For more information, see https://distro.eks.amazonaws.com/[Amazon EKS Distro]. The usage and troubleshooting of the [.noloc]`CoreDNS` image remains the same. \ No newline at end of file +* In EKS add-on versions `v1.11.1-eksbuild.4` and later, the container image is based on a https://gallery.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base[minimal base image] maintained by Amazon EKS Distro, which contains minimal packages and doesn't have shells. For more information, see https://distro.eks.amazonaws.com/[Amazon EKS Distro]. The usage and troubleshooting of the CoreDNS image remains the same. \ No newline at end of file diff --git a/latest/ug/networking/managing-kube-proxy.adoc b/latest/ug/networking/managing-kube-proxy.adoc index ec600a296..46537f7a0 100644 --- a/latest/ug/networking/managing-kube-proxy.adoc +++ b/latest/ug/networking/managing-kube-proxy.adoc @@ -24,7 +24,7 @@ For more information, see <>. We recommend adding the Amazon EKS type of the add-on to your cluster instead of using the self-managed type of the add-on. If you're not familiar with the difference between the types, see <>. For more information about adding an Amazon EKS add-on to your cluster, see <>. If you're unable to use the Amazon EKS add-on, we encourage you to submit an issue about why you can't to the https://github.com/aws/containers-roadmap/issues[Containers roadmap GitHub repository]. -The `kube-proxy` add-on is deployed on each Amazon EC2 node in your Amazon EKS cluster. It maintains network rules on your nodes and enables network communication to your [.noloc]`Pods`. The add-on isn't deployed to Fargate nodes in your cluster. For more information, see https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/[kube-proxy] in the [.noloc]`Kubernetes` documentation. +The `kube-proxy` add-on is deployed on each Amazon EC2 node in your Amazon EKS cluster. It maintains network rules on your nodes and enables network communication to your Pods. The add-on isn't deployed to Fargate nodes in your cluster. For more information, see https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/[kube-proxy] in the Kubernetes documentation. == Install as Amazon EKS Add-on @@ -32,7 +32,7 @@ The `kube-proxy` add-on is deployed on each Amazon EC2 node in your Amazon EKS c [#kube-proxy-versions] == `kube-proxy` versions -The following table lists the latest version of the Amazon EKS add-on type for each [.noloc]`Kubernetes` version. +The following table lists the latest version of the Amazon EKS add-on type for each Kubernetes version. [options="header"] |=== @@ -64,7 +64,7 @@ There are two types of the `kube-proxy` container image available for each Amazo -* *Default* – This image type is based on a Debian-based Docker image that is maintained by the [.noloc]`Kubernetes` upstream community. +* *Default* – This image type is based on a Debian-based Docker image that is maintained by the Kubernetes upstream community. * *Minimal* – This image type is based on a https://gallery.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-iptables[minimal base image] maintained by Amazon EKS Distro, which contains minimal packages and doesn't have shells. For more information, see https://distro.eks.amazonaws.com/[Amazon EKS Distro]. The following table lists the latest available self-managed `kube-proxy` container image version for each Amazon EKS cluster version. @@ -86,5 +86,5 @@ The following table lists the latest available self-managed `kube-proxy` contain |=== -* The default image type isn't available for [.noloc]`Kubernetes` version `1.25` and later. You must use the minimal image type. +* The default image type isn't available for Kubernetes version `1.25` and later. You must use the minimal image type. * When you <>, you specify a valid Amazon EKS add-on version, which might not be a version listed in this table. This is because <> versions don't always match container image versions specified when updating the self-managed type of this add-on. When you update the self-managed type of this add-on, you specify a valid container image version listed in this table. \ No newline at end of file diff --git a/latest/ug/networking/managing-vpc-cni.adoc b/latest/ug/networking/managing-vpc-cni.adoc index cf808ee68..38c1ec223 100644 --- a/latest/ug/networking/managing-vpc-cni.adoc +++ b/latest/ug/networking/managing-vpc-cni.adoc @@ -1,6 +1,6 @@ [.topic] [#managing-vpc-cni] -= Assign IPs to [.noloc]`Pods` with the Amazon VPC CNI += Assign IPs to Pods with the Amazon VPC CNI :info_titleabbrev: Amazon VPC CNI include::../attributes.txt[] @@ -35,14 +35,14 @@ With Amazon EKS Auto Mode, you don't need to install or upgrade networking add-o For more information, see <>. ==== -The [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on is deployed on each Amazon EC2 node in your Amazon EKS cluster. The add-on creates link:AWSEC2/latest/UserGuide/using-eni.html[elastic network interfaces,type="documentation"] and attaches them to your Amazon EC2 nodes. The add-on also assigns a private `IPv4` or `IPv6` address from your VPC to each [.noloc]`Pod`. +The Amazon VPC CNI plugin for Kubernetes add-on is deployed on each Amazon EC2 node in your Amazon EKS cluster. The add-on creates link:AWSEC2/latest/UserGuide/using-eni.html[elastic network interfaces,type="documentation"] and attaches them to your Amazon EC2 nodes. The add-on also assigns a private `IPv4` or `IPv6` address from your VPC to each Pod. A version of the add-on is deployed with each Fargate node in your cluster, but you don't update it on Fargate nodes. Other compatible CNI plugins are available for use on Amazon EKS clusters, but this is the only CNI plugin supported by Amazon EKS for nodes that run on {aws} infrastructure. For more information about the other compatible CNI plugins, see <>. The VPC CNI isn't supported for use with hybrid nodes. For more information about your CNI options for hybrid nodes, see <>. -The following table lists the latest available version of the Amazon EKS add-on type for each [.noloc]`Kubernetes` version. +The following table lists the latest available version of the Amazon EKS add-on type for each Kubernetes version. [#vpc-cni-latest-available-version] -== [.noloc]`Amazon VPC CNI` versions +== Amazon VPC CNI versions [options="header"] |=== @@ -79,4 +79,4 @@ To upgrade to VPC CNI v1.12.0 or later, you must upgrade to VPC CNI v1.7.0 first The following are considerations for using the feature. * Versions are specified as `major-version.minor-version.patch-version-eksbuild.build-number`. -* Check version compatibility for each feature. Some features of each release of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` require certain [.noloc]`Kubernetes` versions. When using different Amazon EKS features, if a specific version of the add-on is required, then it's noted in the feature documentation. Unless you have a specific reason for running an earlier version, we recommend running the latest version. \ No newline at end of file +* Check version compatibility for each feature. Some features of each release of the Amazon VPC CNI plugin for Kubernetes require certain Kubernetes versions. When using different Amazon EKS features, if a specific version of the add-on is required, then it's noted in the feature documentation. Unless you have a specific reason for running an earlier version, we recommend running the latest version. \ No newline at end of file diff --git a/latest/ug/networking/network-policies-troubleshooting.adoc b/latest/ug/networking/network-policies-troubleshooting.adoc index b21408150..1a14561cb 100644 --- a/latest/ug/networking/network-policies-troubleshooting.adoc +++ b/latest/ug/networking/network-policies-troubleshooting.adoc @@ -1,6 +1,6 @@ [.topic] [#network-policies-troubleshooting] -= Troubleshooting [.noloc]`Kubernetes` network policies For Amazon EKS += Troubleshooting Kubernetes network policies For Amazon EKS :info_titleabbrev: Troubleshooting include::../attributes.txt[] @@ -79,7 +79,7 @@ aws eks update-addon --cluster-name my-cluster --addon-name vpc-cni --addon-vers Helm:: -If you have installed the [.noloc]`Amazon VPC CNI plugin for Kubernetes` through `helm`, you can update the configuration to write the network policy logs. +If you have installed the Amazon VPC CNI plugin for Kubernetes through `helm`, you can update the configuration to write the network policy logs. .. Run the following command to enable network policy. + @@ -89,9 +89,9 @@ helm upgrade --set nodeAgent.enablePolicyEventLogs=true aws-vpc-cni --namespace ---- -[.noloc]`kubectl`:: +kubectl:: -If you have installed the [.noloc]`Amazon VPC CNI plugin for Kubernetes` through `kubectl`, you can update the configuration to write the network policy logs. +If you have installed the Amazon VPC CNI plugin for Kubernetes through `kubectl`, you can update the configuration to write the network policy logs. .. Open the `aws-node` `DaemonSet` in your editor. + @@ -116,7 +116,7 @@ You can monitor the network policy logs using services such as Amazon CloudWatch For EKS clusters, the policy logs will be located under `/aws/eks/[.replaceable]``cluster-name``/cluster/` and for self-managed K8S clusters, the logs will be placed under `/aws/k8s-cluster/cluster/`. [#network-policies-cwl-agent] -=== Send network policy logs with [.noloc]`Amazon VPC CNI plugin for Kubernetes` +=== Send network policy logs with Amazon VPC CNI plugin for Kubernetes If you enable network policy, a second container is add to the `aws-node` pods for a _node agent_. This node agent can send the network policy logs to CloudWatch Logs. @@ -201,7 +201,7 @@ aws eks update-addon --cluster-name my-cluster --addon-name vpc-cni --addon-vers Helm:: -If you have installed the [.noloc]`Amazon VPC CNI plugin for Kubernetes` through `helm`, you can update the configuration to send network policy logs to CloudWatch Logs. +If you have installed the Amazon VPC CNI plugin for Kubernetes through `helm`, you can update the configuration to send network policy logs to CloudWatch Logs. .. Run the following command to enable network policy logs and send them to CloudWatch Logs. + @@ -211,7 +211,7 @@ helm upgrade --set nodeAgent.enablePolicyEventLogs=true --set nodeAgent.enableCl ---- -[.noloc]`kubectl`:: +kubectl:: .. Open the `aws-node` `DaemonSet` in your editor. + [source,bash,subs="verbatim,attributes"] @@ -229,9 +229,9 @@ kubectl edit daemonset -n kube-system aws-node [#network-policies-cwl-fluentbit] -=== Send network policy logs with a [.noloc]`Fluent Bit` daemonset +=== Send network policy logs with a Fluent Bit daemonset -If you are using [.noloc]`Fluent Bit` in a daemonset to send logs from your nodes, you can add configuration to include the network policy logs from network policies. You can use the following example configuration: +If you are using Fluent Bit in a daemonset to send logs from your nodes, you can add configuration to include the network policy logs from network policies. You can use the following example configuration: [source,toml,subs="verbatim,attributes"] ---- @@ -248,9 +248,9 @@ If you are using [.noloc]`Fluent Bit` in a daemonset to send logs from your node [#network-policies-ebpf-sdk] -== Included [.noloc]`eBPF` SDK +== Included eBPF SDK -The [.noloc]`Amazon VPC CNI plugin for Kubernetes` installs [.noloc]`eBPF` SDK collection of tools on the nodes. You can use the [.noloc]`eBPF` SDK tools to identify issues with network policies. For example, the following command lists the programs that are running on the node. +The Amazon VPC CNI plugin for Kubernetes installs eBPF SDK collection of tools on the nodes. You can use the eBPF SDK tools to identify issues with network policies. For example, the following command lists the programs that are running on the node. [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/networking/network-policy-disable.adoc b/latest/ug/networking/network-policy-disable.adoc index 81b648785..36b0b74c0 100644 --- a/latest/ug/networking/network-policy-disable.adoc +++ b/latest/ug/networking/network-policy-disable.adoc @@ -1,16 +1,16 @@ [.topic] [#network-policy-disable] -= Disable [.noloc]`Kubernetes` network policies for Amazon EKS Pod network traffic += Disable Kubernetes network policies for Amazon EKS Pod network traffic :info_titleabbrev: Disable include::../attributes.txt[] [abstract] -- -Learn how to disable [.noloc]`Kubernetes` network policies for Amazon EKS Pod network traffic. +Learn how to disable Kubernetes network policies for Amazon EKS Pod network traffic. -- -Disable [.noloc]`Kubernetes` network policies to stop restricting Amazon EKS Pod network traffic +Disable Kubernetes network policies to stop restricting Amazon EKS Pod network traffic . List all Kubernetes network policies. + diff --git a/latest/ug/networking/network-policy-stars-demo.adoc b/latest/ug/networking/network-policy-stars-demo.adoc index b753e0497..c6a951395 100644 --- a/latest/ug/networking/network-policy-stars-demo.adoc +++ b/latest/ug/networking/network-policy-stars-demo.adoc @@ -24,7 +24,7 @@ kubectl apply -f https://eksworkshop.com/beginner/120_network-policies/calico/st kubectl apply -f https://eksworkshop.com/beginner/120_network-policies/calico/stars_policy_demo/create_resources.files/frontend.yaml kubectl apply -f https://eksworkshop.com/beginner/120_network-policies/calico/stars_policy_demo/create_resources.files/client.yaml ---- -. View all [.noloc]`Pods` on the cluster. +. View all Pods on the cluster. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/networking/network-reqs.adoc b/latest/ug/networking/network-reqs.adoc index dca97cf2f..57e875ffd 100644 --- a/latest/ug/networking/network-reqs.adoc +++ b/latest/ug/networking/network-reqs.adoc @@ -19,7 +19,7 @@ When you create a cluster, the VPC that you specify must meet the following requ -* The VPC must have a sufficient number of IP addresses available for the cluster, any nodes, and other [.noloc]`Kubernetes` resources that you want to create. If the VPC that you want to use doesn't have a sufficient number of IP addresses, try to increase the number of available IP addresses. +* The VPC must have a sufficient number of IP addresses available for the cluster, any nodes, and other Kubernetes resources that you want to create. If the VPC that you want to use doesn't have a sufficient number of IP addresses, try to increase the number of available IP addresses. + You can do this by updating the cluster configuration to change which subnets and security groups the cluster uses. You can update from the {aws-management-console}, the latest version of the {aws} CLI, {aws} CloudFormation, and `eksctl` version `v0.164.0-rc.0` or later. You might need to do this to provide subnets with more available IP addresses to successfully upgrade a cluster version. + @@ -32,14 +32,14 @@ For example, assume that you made a cluster and specified four subnets. In the o ==== + -If you need more IP addresses than the CIDR blocks in the VPC have, you can add additional CIDR blocks by link:vpc/latest/userguide/working-with-vpcs.html#add-ipv4-cidr[associating additional Classless Inter-Domain Routing (CIDR) blocks,type="documentation"] with your VPC. You can associate private ([.noloc]`RFC 1918`) and public (non-[.noloc]`RFC 1918`) CIDR blocks to your VPC either before or after you create your cluster. It can take a cluster up to five hours for a CIDR block that you associated with a VPC to be recognized. +If you need more IP addresses than the CIDR blocks in the VPC have, you can add additional CIDR blocks by link:vpc/latest/userguide/working-with-vpcs.html#add-ipv4-cidr[associating additional Classless Inter-Domain Routing (CIDR) blocks,type="documentation"] with your VPC. You can associate private (RFC 1918) and public (non-RFC 1918) CIDR blocks to your VPC either before or after you create your cluster. It can take a cluster up to five hours for a CIDR block that you associated with a VPC to be recognized. + You can conserve IP address utilization by using a transit gateway with a shared services VPC. For more information, see link:vpc/latest/tgw/transit-gateway-isolated-shared.html[Isolated VPCs with shared services,type="documentation"] and link:containers/eks-vpc-routable-ip-address-conservation[Amazon EKS VPC routable IP address conservation patterns in a hybrid network,type="blog"]. -* If you want [.noloc]`Kubernetes` to assign `IPv6` addresses to [.noloc]`Pods` and services, associate an `IPv6` CIDR block with your VPC. For more information, see link:vpc/latest/userguide/working-with-vpcs.html#vpc-associate-ipv6-cidr[Associate an IPv6 CIDR block with your VPC,type="documentation"] in the Amazon VPC User Guide. You cannot use `IPv6` addresses with Pods and services running on hybrid nodes and you cannot use hybrid nodes with clusters configured with the `IPv6` IP address family. +* If you want Kubernetes to assign `IPv6` addresses to Pods and services, associate an `IPv6` CIDR block with your VPC. For more information, see link:vpc/latest/userguide/working-with-vpcs.html#vpc-associate-ipv6-cidr[Associate an IPv6 CIDR block with your VPC,type="documentation"] in the Amazon VPC User Guide. You cannot use `IPv6` addresses with Pods and services running on hybrid nodes and you cannot use hybrid nodes with clusters configured with the `IPv6` IP address family. * The VPC must have `DNS` hostname and `DNS` resolution support. Otherwise, nodes can't register to your cluster. For more information, see link:vpc/latest/userguide/vpc-dns.html[DNS attributes for your VPC,type="documentation"] in the Amazon VPC User Guide. * The VPC might require VPC endpoints using {aws} PrivateLink. For more information, see <>. -If you created a cluster with [.noloc]`Kubernetes` `1.14` or earlier, Amazon EKS added the following tag to your VPC: +If you created a cluster with Kubernetes `1.14` or earlier, Amazon EKS added the following tag to your VPC: [cols="1,1", options="header"] |=== @@ -56,9 +56,9 @@ This tag was only used by Amazon EKS. You can remove the tag without impacting y [#network-requirements-subnets] == Subnet requirements and considerations -When you create a cluster, Amazon EKS creates 2–4 link:AWSEC2/latest/UserGuide/using-eni.html[elastic network interfaces,type="documentation"] in the subnets that you specify. These network interfaces enable communication between your cluster and your VPC. These network interfaces also enable [.noloc]`Kubernetes` features such as `kubectl exec` and `kubectl logs`. Each Amazon EKS created network interface has the text `Amazon EKS [.replaceable]``cluster-name``` in its description. +When you create a cluster, Amazon EKS creates 2–4 link:AWSEC2/latest/UserGuide/using-eni.html[elastic network interfaces,type="documentation"] in the subnets that you specify. These network interfaces enable communication between your cluster and your VPC. These network interfaces also enable Kubernetes features such as `kubectl exec` and `kubectl logs`. Each Amazon EKS created network interface has the text `Amazon EKS [.replaceable]``cluster-name``` in its description. -Amazon EKS can create its network interfaces in any subnet that you specify when you create a cluster. You can change which subnets Amazon EKS creates its network interfaces in after your cluster is created. When you update the [.noloc]`Kubernetes` version of a cluster, Amazon EKS deletes the original network interfaces that it created, and creates new network interfaces. These network interfaces might be created in the same subnets as the original network interfaces or in different subnets than the original network interfaces. To control which subnets network interfaces are created in, you can limit the number of subnets you specify to only two when you create a cluster or update the subnets after creating the cluster. +Amazon EKS can create its network interfaces in any subnet that you specify when you create a cluster. You can change which subnets Amazon EKS creates its network interfaces in after your cluster is created. When you update the Kubernetes version of a cluster, Amazon EKS deletes the original network interfaces that it created, and creates new network interfaces. These network interfaces might be created in the same subnets as the original network interfaces or in different subnets than the original network interfaces. To control which subnets network interfaces are created in, you can limit the number of subnets you specify to only two when you create a cluster or update the subnets after creating the cluster. [#cluster-subnets] === Subnet requirements for clusters @@ -69,7 +69,7 @@ The link:vpc/latest/userguide/configure-subnets.html#subnet-types[subnets,type=" * The subnets must each have at least six IP addresses for use by Amazon EKS. However, we recommend at least 16 IP addresses. * The subnets must be in at least two different Availability Zones. -* The subnets can't reside in {aws} Outposts or {aws} Wavelength. However, if you have them in your VPC, you can deploy self-managed nodes and [.noloc]`Kubernetes` resources to these types of subnets. For more information about self-managed nodes, see <>. +* The subnets can't reside in {aws} Outposts or {aws} Wavelength. However, if you have them in your VPC, you can deploy self-managed nodes and Kubernetes resources to these types of subnets. For more information about self-managed nodes, see <>. * The subnets can be a public or private. However, we recommend that you specify private subnets, if possible. A public subnet is a subnet with a route table that includes a route to an link:vpc/latest/userguide/VPC_Internet_Gateway.html[internet gateway,type="documentation"], whereas a private subnet is a subnet with a route table that doesn't include a route to an internet gateway. * The subnets can't reside in the following Availability Zones: + @@ -97,9 +97,9 @@ The link:vpc/latest/userguide/configure-subnets.html#subnet-types[subnets,type=" [[network-requirements-ip-table]] === IP address family usage by component -The following table contains the IP address family used by each component of Amazon EKS. You can use a network address translation (NAT) or other compatibility system to connect to these components from source IP addresses in families with the [.noloc]`"No"` value for a table entry. +The following table contains the IP address family used by each component of Amazon EKS. You can use a network address translation (NAT) or other compatibility system to connect to these components from source IP addresses in families with the "No" value for a table entry. -Functionality can differ depending on the [.noloc]`IP family` (`ipFamily`) setting of the cluster. This setting changes the type of IP addresses used for the [.noloc]`CIDR` block that [.noloc]`Kubernetes` assigns to [.noloc]`Services`. A cluster with the setting value of [.noloc]`IPv4` is referred to as an _IPv4 cluster_, and a cluster with the setting value of [.noloc]`IPv6` is referred to as an _IPv6 cluster_. +Functionality can differ depending on the IP family (`ipFamily`) setting of the cluster. This setting changes the type of IP addresses used for the CIDR block that Kubernetes assigns to Services. A cluster with the setting value of IPv4 is referred to as an _IPv4 cluster_, and a cluster with the setting value of IPv6 is referred to as an _IPv6 cluster_. [cols="1,1,1,1", options="header"] |=== @@ -129,27 +129,27 @@ Functionality can differ depending on the [.noloc]`IP family` (`ipFamily`) setti |Yes^1^ |Yes^1^ -|`IPv4` [.noloc]`Kubernetes` cluster public endpoint^2^ +|`IPv4` Kubernetes cluster public endpoint^2^ |Yes |No |No -|`IPv4` [.noloc]`Kubernetes` cluster private endpoint^2^ +|`IPv4` Kubernetes cluster private endpoint^2^ |Yes |No |No -|`IPv6` [.noloc]`Kubernetes` cluster public endpoint^2^ +|`IPv6` Kubernetes cluster public endpoint^2^ |Yes^1,4^ |Yes^1,4^ |Yes^4^ -|`IPv6` [.noloc]`Kubernetes` cluster private endpoint^2^ +|`IPv6` Kubernetes cluster private endpoint^2^ |Yes^1,4^ |Yes^1,4^ |Yes^4^ -|[.noloc]`Kubernetes` cluster subnets +|Kubernetes cluster subnets |Yes^2^ |No |Yes^2^ @@ -159,17 +159,17 @@ Functionality can differ depending on the [.noloc]`IP family` (`ipFamily`) setti |No |Yes^2^ -|Cluster [.noloc]`CIDR` range for [.noloc]`Service` IP addresses +|Cluster CIDR range for Service IP addresses |Yes^2^ |Yes^2^ |No -|[.noloc]`Pod` IP addresses from the VPC CNI +|Pod IP addresses from the VPC CNI |Yes^2^ |Yes^2^ |No -|IRSA [.noloc]`OIDC` Issuer URLs +|IRSA OIDC Issuer URLs |Yes^1,3^ |Yes^1,3^ |Yes^1,3^ @@ -180,14 +180,14 @@ Functionality can differ depending on the [.noloc]`IP family` (`ipFamily`) setti ^1^ The endpoint is dual stack with both `IPv4` and `IPv6` addresses. Your applications outside of {aws}, your nodes for the cluster, and your pods inside the cluster can reach this endpoint by either `IPv4` or `IPv6`. -^2^ You choose between an `IPv4` cluster and `IPv6` cluster in the [.noloc]`IP family` (`ipFamily`) setting of the cluster when you create a cluster and this can't be changed. Instead, you must choose a different setting when you create another cluster and migrate your workloads. +^2^ You choose between an `IPv4` cluster and `IPv6` cluster in the IP family (`ipFamily`) setting of the cluster when you create a cluster and this can't be changed. Instead, you must choose a different setting when you create another cluster and migrate your workloads. ^3^ The dual-stack endpoint was introduced in August 2024. To use the dual-stack endpoints with the {aws} CLI, see the link:sdkref/latest/guide/feature-endpoints.html[Dual-stack and FIPS endpoints,type="documentation"] configuration in the _{aws} SDKs and Tools Reference Guide_. The following lists the new endpoints: *EKS API public endpoint*:: `eks.[.replaceable]``region``.api.aws` -*IRSA [.noloc]`OIDC` Issuer URLs*:: +*IRSA OIDC Issuer URLs*:: `oidc-eks.[.replaceable]``region``.api.aws` ^4^ The dual-stack cluster endpoint was introduced in October 2024. EKS creates the following endpoint for new clusters that are made after this date and that select `IPv6` in the IP family (ipFamily) setting of the cluster: @@ -200,15 +200,15 @@ Functionality can differ depending on the [.noloc]`IP family` (`ipFamily`) setti [#node-subnet-reqs] === Subnet requirements for nodes -You can deploy nodes and [.noloc]`Kubernetes` resources to the same subnets that you specify when you create your cluster. However, this isn't necessary. This is because you can also deploy nodes and [.noloc]`Kubernetes` resources to subnets that you didn't specify when you created the cluster. If you deploy nodes to different subnets, Amazon EKS doesn't create cluster network interfaces in those subnets. Any subnet that you deploy nodes and [.noloc]`Kubernetes` resources to must meet the following requirements: +You can deploy nodes and Kubernetes resources to the same subnets that you specify when you create your cluster. However, this isn't necessary. This is because you can also deploy nodes and Kubernetes resources to subnets that you didn't specify when you created the cluster. If you deploy nodes to different subnets, Amazon EKS doesn't create cluster network interfaces in those subnets. Any subnet that you deploy nodes and Kubernetes resources to must meet the following requirements: -* The subnets must have enough available IP addresses to deploy all of your nodes and [.noloc]`Kubernetes` resources to. -* If you want [.noloc]`Kubernetes` to assign `IPv6` addresses to [.noloc]`Pods` and services, then you must have one `IPv6` CIDR block and one `IPv4` CIDR block that are associated with your subnet. For more information, see link:vpc/latest/userguide/working-with-subnets.html#subnet-associate-ipv6-cidr[Associate an IPv6 CIDR block with your subnet,type="documentation"] in the Amazon VPC User Guide. The route tables that are associated with the subnets must include routes to `IPv4` and `IPv6` addresses. For more information, see link:vpc/latest/userguide/VPC_Route_Tables.html#route-table-routes[Routes,type="documentation"] in the Amazon VPC User Guide. Pods are assigned only an `IPv6` address. However the network interfaces that Amazon EKS creates for your cluster and your nodes are assigned an `IPv4` and an `IPv6` address. -* If you need inbound access from the internet to your [.noloc]`Pods`, make sure to have at least one public subnet with enough available IP addresses to deploy load balancers and ingresses to. You can deploy load balancers to public subnets. Load balancers can load balance to [.noloc]`Pods` in private or public subnets. We recommend deploying your nodes to private subnets, if possible. +* The subnets must have enough available IP addresses to deploy all of your nodes and Kubernetes resources to. +* If you want Kubernetes to assign `IPv6` addresses to Pods and services, then you must have one `IPv6` CIDR block and one `IPv4` CIDR block that are associated with your subnet. For more information, see link:vpc/latest/userguide/working-with-subnets.html#subnet-associate-ipv6-cidr[Associate an IPv6 CIDR block with your subnet,type="documentation"] in the Amazon VPC User Guide. The route tables that are associated with the subnets must include routes to `IPv4` and `IPv6` addresses. For more information, see link:vpc/latest/userguide/VPC_Route_Tables.html#route-table-routes[Routes,type="documentation"] in the Amazon VPC User Guide. Pods are assigned only an `IPv6` address. However the network interfaces that Amazon EKS creates for your cluster and your nodes are assigned an `IPv4` and an `IPv6` address. +* If you need inbound access from the internet to your Pods, make sure to have at least one public subnet with enough available IP addresses to deploy load balancers and ingresses to. You can deploy load balancers to public subnets. Load balancers can load balance to Pods in private or public subnets. We recommend deploying your nodes to private subnets, if possible. * If you plan to deploy nodes to a public subnet, the subnet must auto-assign `IPv4` public addresses or `IPv6` addresses. If you deploy nodes to a private subnet that has an associated `IPv6` CIDR block, the private subnet must also auto-assign `IPv6` addresses. If you used the {aws} CloudFormation template provided by Amazon EKS to deploy your VPC after March 26, 2020, this setting is enabled. If you used the templates to deploy your VPC before this date or you use your own VPC, you must enable this setting manually. For the template, see <>. For more information, see link:vpc/latest/userguide/working-with-subnets.html#subnet-public-ip[Modify the public IPv4 addressing attribute for your subnet,type="documentation"] and link:vpc/latest/userguide/working-with-subnets.html#subnet-ipv6[Modify the IPv6 addressing attribute for your subnet,type="documentation"] in the link:vpc/latest/userguide/[Amazon VPC User Guide,type="documentation"]. -* If the subnet that you deploy a node to is a private subnet and its route table doesn't include a route to a network address translation link:vpc/latest/userguide/vpc-nat.html[(NAT) device,type="documentation"] (`IPv4`) or an link:vpc/latest/userguide/egress-only-internet-gateway.html[egress-only gateway,type="documentation"] (`IPv6`), add VPC endpoints using {aws} PrivateLink to your VPC. VPC endpoints are needed for all the {aws} services that your nodes and [.noloc]`Pods` need to communicate with. Examples include Amazon ECR, Elastic Load Balancing, Amazon CloudWatch, {aws} Security Token Service, and Amazon Simple Storage Service (Amazon S3). The endpoint must include the subnet that the nodes are in. Not all {aws} services support VPC endpoints. For more information, see link:vpc/latest/privatelink/what-is-privatelink.html[What is {aws} PrivateLink?,type="documentation"] and link:vpc/latest/privatelink/aws-services-privatelink-support.html[{aws} services that integrate with {aws} PrivateLink,type="documentation"]. For a list of more Amazon EKS requirements, see <>. +* If the subnet that you deploy a node to is a private subnet and its route table doesn't include a route to a network address translation link:vpc/latest/userguide/vpc-nat.html[(NAT) device,type="documentation"] (`IPv4`) or an link:vpc/latest/userguide/egress-only-internet-gateway.html[egress-only gateway,type="documentation"] (`IPv6`), add VPC endpoints using {aws} PrivateLink to your VPC. VPC endpoints are needed for all the {aws} services that your nodes and Pods need to communicate with. Examples include Amazon ECR, Elastic Load Balancing, Amazon CloudWatch, {aws} Security Token Service, and Amazon Simple Storage Service (Amazon S3). The endpoint must include the subnet that the nodes are in. Not all {aws} services support VPC endpoints. For more information, see link:vpc/latest/privatelink/what-is-privatelink.html[What is {aws} PrivateLink?,type="documentation"] and link:vpc/latest/privatelink/aws-services-privatelink-support.html[{aws} services that integrate with {aws} PrivateLink,type="documentation"]. For a list of more Amazon EKS requirements, see <>. * If you want to deploy load balancers to a subnet, the subnet must have the following tag: + ** Private subnets @@ -234,7 +234,7 @@ You can deploy nodes and [.noloc]`Kubernetes` resources to the same subnets that |`1` |=== -When a [.noloc]`Kubernetes` cluster that's version `1.18` and earlier was created, Amazon EKS added the following tag to all of the subnets that were specified. +When a Kubernetes cluster that's version `1.18` and earlier was created, Amazon EKS added the following tag to all of the subnets that were specified. [cols="1,1", options="header"] |=== @@ -246,7 +246,7 @@ When a [.noloc]`Kubernetes` cluster that's version `1.18` and earlier was create |`shared` |=== -When you create a new [.noloc]`Kubernetes` cluster now, Amazon EKS doesn't add the tag to your subnets. If the tag was on subnets that were used by a cluster that was previously a version earlier than `1.19`, the tag wasn't automatically removed from the subnets when the cluster was updated to a newer version. Version `2.1.1` or earlier of the {aws} Load Balancer Controller requires this tag. If you are using a newer version of the Load Balancer Controller, you can remove the tag without interrupting your services. For more information about the controller, see <>. +When you create a new Kubernetes cluster now, Amazon EKS doesn't add the tag to your subnets. If the tag was on subnets that were used by a cluster that was previously a version earlier than `1.19`, the tag wasn't automatically removed from the subnets when the cluster was updated to a newer version. Version `2.1.1` or earlier of the {aws} Load Balancer Controller requires this tag. If you are using a newer version of the Load Balancer Controller, you can remove the tag without interrupting your services. For more information about the controller, see <>. If you deployed a VPC by using `eksctl` or any of the Amazon EKS {aws} CloudFormation VPC templates, the following applies: @@ -278,6 +278,6 @@ You can use _VPC sharing_ to share subnets with other {aws} accounts within the ** Cluster IAM role and Node IAM roles must be created in that account. For more information, see <> and <>. ** All nodes must be made by the same participant, including managed node groups. * The shared VPC owner cannot view, update or delete a cluster that a participant creates in the shared subnet. This is in addition to the VPC resources that each account has different access to. For more information, see link:vpc/latest/userguide/vpc-sharing.html#vpc-share-limitations[Responsibilities and permissions for owners and participants,type="documentation"] in the _Amazon VPC User Guide_. -* If you use the _custom networking_ feature of the [.noloc]`Amazon VPC CNI plugin for Kubernetes`, you need to use the Availability Zone ID mappings listed in the owner account to create each `ENIConfig`. For more information, see <>. +* If you use the _custom networking_ feature of the Amazon VPC CNI plugin for Kubernetes, you need to use the Availability Zone ID mappings listed in the owner account to create each `ENIConfig`. For more information, see <>. For more information about VPC subnet sharing, see link:vpc/latest/userguide/vpc-sharing.html#vpc-share-limitations[Share your VPC with other accounts,type="documentation"] in the _Amazon VPC User Guide_. diff --git a/latest/ug/networking/pod-multiple-network-interfaces.adoc b/latest/ug/networking/pod-multiple-network-interfaces.adoc index 7493645d4..474455e2a 100644 --- a/latest/ug/networking/pod-multiple-network-interfaces.adoc +++ b/latest/ug/networking/pod-multiple-network-interfaces.adoc @@ -1,31 +1,31 @@ [.topic] [#pod-multiple-network-interfaces] -= Attach multiple network interfaces to [.noloc]`Pods` with [.noloc]`Multus` += Attach multiple network interfaces to Pods with Multus :info_titleabbrev: Multiple interfaces include::../attributes.txt[] [abstract] -- -Learn how to use Multus CNI to attach multiple network interfaces to a [.noloc]`Pod` in Amazon EKS for advanced networking scenarios, while leveraging the [.noloc]`Amazon VPC CNI` plugin for primary networking. +Learn how to use Multus CNI to attach multiple network interfaces to a Pod in Amazon EKS for advanced networking scenarios, while leveraging the Amazon VPC CNI plugin for primary networking. -- -Multus CNI is a container network interface (CNI) plugin for Amazon EKS that enables attaching multiple network interfaces to a [.noloc]`Pod`. For more information, see the https://github.com/k8snetworkplumbingwg/multus-cni[Multus-CNI] documentation on [.noloc]`GitHub`. +Multus CNI is a container network interface (CNI) plugin for Amazon EKS that enables attaching multiple network interfaces to a Pod. For more information, see the https://github.com/k8snetworkplumbingwg/multus-cni[Multus-CNI] documentation on GitHub. -In Amazon EKS, each [.noloc]`Pod` has one network interface assigned by the Amazon VPC CNI plugin. With Multus, you can create a multi-homed [.noloc]`Pod` that has multiple interfaces. This is accomplished by Multus acting as a "meta-plugin"; a CNI plugin that can call multiple other CNI plugins. {aws} support for Multus comes configured with the Amazon VPC CNI plugin as the default delegate plugin. +In Amazon EKS, each Pod has one network interface assigned by the Amazon VPC CNI plugin. With Multus, you can create a multi-homed Pod that has multiple interfaces. This is accomplished by Multus acting as a "meta-plugin"; a CNI plugin that can call multiple other CNI plugins. {aws} support for Multus comes configured with the Amazon VPC CNI plugin as the default delegate plugin. * Amazon EKS won't be building and publishing single root I/O virtualization (SR-IOV) and Data Plane Development Kit (DPDK) CNI plugins. However, you can achieve packet acceleration by connecting directly to Amazon EC2 Elastic Network Adapters (ENA) through Multus managed host-device and `ipvlan` plugins. * Amazon EKS is supporting Multus, which provides a generic process that enables simple chaining of additional CNI plugins. Multus and the process of chaining is supported, but {aws} won't provide support for all compatible CNI plugins that can be chained, or issues that may arise in those CNI plugins that are unrelated to the chaining configuration. * Amazon EKS is providing support and life cycle management for the Multus plugin, but isn't responsible for any IP address or additional management associated with the additional network interfaces. The IP address and management of the default network interface utilizing the Amazon VPC CNI plugin remains unchanged. * Only the Amazon VPC CNI plugin is officially supported as the default delegate plugin. You need to modify the published Multus installation manifest to reconfigure the default delegate plugin to an alternate CNI if you choose not to use the Amazon VPC CNI plugin for primary networking. * Multus is only supported when using the Amazon VPC CNI as the primary CNI. We do not support the Amazon VPC CNI when used for higher order interfaces, secondary or otherwise. -* To prevent the Amazon VPC CNI plugin from trying to manage additional network interfaces assigned to [.noloc]`Pods`, add the following tag to the network interface: +* To prevent the Amazon VPC CNI plugin from trying to manage additional network interfaces assigned to Pods, add the following tag to the network interface: + *key*:: : `node.k8s.amazonaws.com/no_manage` + *value*:: : `true` -* Multus is compatible with network policies, but the policy has to be enriched to include ports and IP addresses that may be part of additional network interfaces attached to [.noloc]`Pods`. +* Multus is compatible with network policies, but the policy has to be enriched to include ports and IP addresses that may be part of additional network interfaces attached to Pods. -For an implementation walk through, see the https://github.com/aws-samples/eks-install-guide-for-multus/blob/main/README.md[Multus Setup Guide] on [.noloc]`GitHub`. \ No newline at end of file +For an implementation walk through, see the https://github.com/aws-samples/eks-install-guide-for-multus/blob/main/README.md[Multus Setup Guide] on GitHub. \ No newline at end of file diff --git a/latest/ug/networking/pod-networking-use-cases.adoc b/latest/ug/networking/pod-networking-use-cases.adoc index ca9867470..820b6d198 100644 --- a/latest/ug/networking/pod-networking-use-cases.adoc +++ b/latest/ug/networking/pod-networking-use-cases.adoc @@ -13,10 +13,10 @@ include::cni-network-policy.adoc[leveloffset=+1] [abstract] -- -Discover how [.noloc]`Amazon VPC CNI plugin for Kubernetes` provides pod networking capabilities and settings for different Amazon EKS node types and use cases, including security groups, [.noloc]`Kubernetes` network policies, custom networking, IPv4, and IPv6 support. +Discover how Amazon VPC CNI plugin for Kubernetes provides pod networking capabilities and settings for different Amazon EKS node types and use cases, including security groups, Kubernetes network policies, custom networking, IPv4, and IPv6 support. -- -The [.noloc]`Amazon VPC CNI plugin for Kubernetes` provides networking for [.noloc]`Pods`. Use the following table to learn more about the available networking features. +The Amazon VPC CNI plugin for Kubernetes provides networking for Pods. Use the following table to learn more about the available networking features. [cols="1,1", options="header"] |=== @@ -24,13 +24,13 @@ The [.noloc]`Amazon VPC CNI plugin for Kubernetes` provides networking for [.nol |Learn more -|Configure your cluster to assign IPv6 addresses to clusters, [.noloc]`Pods`, and services +|Configure your cluster to assign IPv6 addresses to clusters, Pods, and services |<> -|Use IPv4 Source Network Address Translation for [.noloc]`Pods` +|Use IPv4 Source Network Address Translation for Pods |<> -|Restrict network traffic to and from your [.noloc]`Pods` +|Restrict network traffic to and from your Pods |<> |Customize the secondary network interface in nodes @@ -39,9 +39,9 @@ The [.noloc]`Amazon VPC CNI plugin for Kubernetes` provides networking for [.nol |Increase IP addresses for your node |<> -|Use security groups for [.noloc]`Pod` network traffic +|Use security groups for Pod network traffic |<> -|Use multiple network interfaces for [.noloc]`Pods` +|Use multiple network interfaces for Pods |<> |=== \ No newline at end of file diff --git a/latest/ug/networking/sec-group-reqs.adoc b/latest/ug/networking/sec-group-reqs.adoc index 028ec43c9..7102ea9ce 100644 --- a/latest/ug/networking/sec-group-reqs.adoc +++ b/latest/ug/networking/sec-group-reqs.adoc @@ -7,7 +7,7 @@ include::../attributes.txt[] [abstract] -- -Learn how to manage security groups for Amazon EKS clusters, including default rules, restricting traffic, and required outbound access for nodes to function properly with your cluster. Understand key security group considerations for secure operation of your [.noloc]`Kubernetes` cluster on {aws}. +Learn how to manage security groups for Amazon EKS clusters, including default rules, restricting traffic, and required outbound access for nodes to function properly with your cluster. Understand key security group considerations for secure operation of your Kubernetes cluster on {aws}. -- This topic describes the security group requirements of an Amazon EKS cluster. @@ -116,14 +116,14 @@ You must also add rules for the following traffic: * Any protocol and ports that you expect your nodes to use for inter-node communication. * Outbound internet access so that nodes can access the Amazon EKS APIs for cluster introspection and node registration at launch time. If your nodes don't have internet access, review <> for additional considerations. -* Node access to pull container images from Amazon ECR or other container registries APIs that they need to pull images from, such as [.noloc]`DockerHub`. For more information, see link:general/latest/gr/aws-ip-ranges.html[{aws} IP address ranges,type="documentation"] in the {aws} General Reference. +* Node access to pull container images from Amazon ECR or other container registries APIs that they need to pull images from, such as DockerHub. For more information, see link:general/latest/gr/aws-ip-ranges.html[{aws} IP address ranges,type="documentation"] in the {aws} General Reference. * Node access to Amazon S3. * Separate rules are required for `IPv4` and `IPv6` addresses. * If you are using hybrid nodes, you must add an additional security group to your cluster to allow communication with your on-premises nodes and pods. For more information, see <>. -If you're considering limiting the rules, we recommend that you thoroughly test all of your [.noloc]`Pods` before you apply your changed rules to a production cluster. +If you're considering limiting the rules, we recommend that you thoroughly test all of your Pods before you apply your changed rules to a production cluster. -If you originally deployed a cluster with [.noloc]`Kubernetes` `1.14` and a platform version of `eks.3` or earlier, then consider the following: +If you originally deployed a cluster with Kubernetes `1.14` and a platform version of `eks.3` or earlier, then consider the following: diff --git a/latest/ug/networking/security-groups-for-pods.adoc b/latest/ug/networking/security-groups-for-pods.adoc index ff4ecbce3..736b8f2d6 100644 --- a/latest/ug/networking/security-groups-for-pods.adoc +++ b/latest/ug/networking/security-groups-for-pods.adoc @@ -1,6 +1,6 @@ [.topic] [#security-groups-for-pods] -= Assign security groups to individual [.noloc]`Pods` += Assign security groups to individual Pods :info_titleabbrev: Security groups for Pods include::../attributes.txt[] @@ -11,38 +11,38 @@ include::sg-pods-example-deployment.adoc[leveloffset=+1] [abstract] -- -Learn how to configure security groups for [.noloc]`Pods` on Amazon EKS, integrating Amazon EC2 security groups with [.noloc]`Kubernetes` [.noloc]`Pods` to define network traffic rules. Discover the considerations, setup process, and deploy a sample application with assigned security groups. +Learn how to configure security groups for Pods on Amazon EKS, integrating Amazon EC2 security groups with Kubernetes Pods to define network traffic rules. Discover the considerations, setup process, and deploy a sample application with assigned security groups. -- -*Applies to*: [.noloc]`Linux` nodes with Amazon EC2 instances +*Applies to*: Linux nodes with Amazon EC2 instances *Applies to*: Private subnets -Security groups for [.noloc]`Pods` integrate Amazon EC2 security groups with [.noloc]`Kubernetes` [.noloc]`Pods`. You can use Amazon EC2 security groups to define rules that allow inbound and outbound network traffic to and from [.noloc]`Pods` that you deploy to nodes running on many Amazon EC2 instance types and Fargate. For a detailed explanation of this capability, see the link:containers/introducing-security-groups-for-pods[Introducing security groups for Pods,type="blog"] blog post. +Security groups for Pods integrate Amazon EC2 security groups with Kubernetes Pods. You can use Amazon EC2 security groups to define rules that allow inbound and outbound network traffic to and from Pods that you deploy to nodes running on many Amazon EC2 instance types and Fargate. For a detailed explanation of this capability, see the link:containers/introducing-security-groups-for-pods[Introducing security groups for Pods,type="blog"] blog post. [#security-groups-for-pods-compatability] -== Compatibility with [.noloc]`Amazon VPC CNI plugin for Kubernetes` features +== Compatibility with Amazon VPC CNI plugin for Kubernetes features -You can use security groups for [.noloc]`Pods` with the following features: +You can use security groups for Pods with the following features: * IPv4 Source Network Address Translation - For more information, see <>. * IPv6 addresses to clusters, Pods, and services - For more information, see <>. -* Restricting traffic using [.noloc]`Kubernetes` network policies - For more information, see <>. +* Restricting traffic using Kubernetes network policies - For more information, see <>. [#sg-pods-considerations] == Considerations -Before deploying security groups for [.noloc]`Pods`, consider the following limitations and conditions: +Before deploying security groups for Pods, consider the following limitations and conditions: -* Security groups for [.noloc]`Pods` can't be used with [.noloc]`Windows` nodes. -* Security groups for [.noloc]`Pods` can be used with clusters configured for the `IPv6` family that contain Amazon EC2 nodes by using version 1.16.0 or later of the Amazon VPC CNI plugin. You can use security groups for [.noloc]`Pods` with clusters configure `IPv6` family that contain only Fargate nodes by using version 1.7.7 or later of the Amazon VPC CNI plugin. For more information, see <> -* Security groups for [.noloc]`Pods` are supported by most link:AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances[Nitro-based,type="documentation"] Amazon EC2 instance families, though not by all generations of a family. For example, the `m5`, `c5`, `r5`, `m6g`, `c6g`, and `r6g` instance family and generations are supported. No instance types in the `t` family are supported. For a complete list of supported instance types, see the https://github.com/aws/amazon-vpc-resource-controller-k8s/blob/v1.5.0/pkg/aws/vpc/limits.go[limits.go] file on [.noloc]`GitHub`. Your nodes must be one of the listed instance types that have `IsTrunkingCompatible: true` in that file. -* If you're also using [.noloc]`Pod` security policies to restrict access to [.noloc]`Pod` mutation, then the `eks:vpc-resource-controller` [.noloc]`Kubernetes` user must be specified in the [.noloc]`Kubernetes` `ClusterRoleBinding` for the `role` that your `psp` is assigned to. If you're using the default Amazon EKS `psp`, `role`, and `ClusterRoleBinding`, this is the `eks:podsecuritypolicy:authenticated` `ClusterRoleBinding`. For example, you add the user to the `subjects:` section, as shown in the following example: +* Security groups for Pods can't be used with Windows nodes. +* Security groups for Pods can be used with clusters configured for the `IPv6` family that contain Amazon EC2 nodes by using version 1.16.0 or later of the Amazon VPC CNI plugin. You can use security groups for Pods with clusters configure `IPv6` family that contain only Fargate nodes by using version 1.7.7 or later of the Amazon VPC CNI plugin. For more information, see <> +* Security groups for Pods are supported by most link:AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances[Nitro-based,type="documentation"] Amazon EC2 instance families, though not by all generations of a family. For example, the `m5`, `c5`, `r5`, `m6g`, `c6g`, and `r6g` instance family and generations are supported. No instance types in the `t` family are supported. For a complete list of supported instance types, see the https://github.com/aws/amazon-vpc-resource-controller-k8s/blob/v1.5.0/pkg/aws/vpc/limits.go[limits.go] file on GitHub. Your nodes must be one of the listed instance types that have `IsTrunkingCompatible: true` in that file. +* If you're also using Pod security policies to restrict access to Pod mutation, then the `eks:vpc-resource-controller` Kubernetes user must be specified in the Kubernetes `ClusterRoleBinding` for the `role` that your `psp` is assigned to. If you're using the default Amazon EKS `psp`, `role`, and `ClusterRoleBinding`, this is the `eks:podsecuritypolicy:authenticated` `ClusterRoleBinding`. For example, you add the user to the `subjects:` section, as shown in the following example: + [source,yaml,subs="verbatim,attributes"] ---- @@ -57,15 +57,15 @@ subjects: - kind: ServiceAccount name: eks-vpc-resource-controller ---- -* If you're using custom networking and security groups for [.noloc]`Pods` together, the security group specified by security groups for [.noloc]`Pods` is used instead of the security group specified in the `ENIConfig`. -* If you're using version `1.10.2` or earlier of the Amazon VPC CNI plugin and you include the `terminationGracePeriodSeconds` setting in your [.noloc]`Pod` spec, the value for the setting can't be zero. -* If you're using version `1.10` or earlier of the Amazon VPC CNI plugin, or version `1.11` with `POD_SECURITY_GROUP_ENFORCING_MODE`=``strict``, which is the default setting, then [.noloc]`Kubernetes` services of type `NodePort` and `LoadBalancer` using instance targets with an `externalTrafficPolicy` set to `Local` aren't supported with [.noloc]`Pods` that you assign security groups to. For more information about using a load balancer with instance targets, see <>. -* If you're using version `1.10` or earlier of the Amazon VPC CNI plugin or version `1.11` with `POD_SECURITY_GROUP_ENFORCING_MODE`=``strict``, which is the default setting, source NAT is disabled for outbound traffic from [.noloc]`Pods` with assigned security groups so that outbound security group rules are applied. To access the internet, [.noloc]`Pods` with assigned security groups must be launched on nodes that are deployed in a private subnet configured with a NAT gateway or instance. [.noloc]`Pods` with assigned security groups deployed to public subnets are not able to access the internet. +* If you're using custom networking and security groups for Pods together, the security group specified by security groups for Pods is used instead of the security group specified in the `ENIConfig`. +* If you're using version `1.10.2` or earlier of the Amazon VPC CNI plugin and you include the `terminationGracePeriodSeconds` setting in your Pod spec, the value for the setting can't be zero. +* If you're using version `1.10` or earlier of the Amazon VPC CNI plugin, or version `1.11` with `POD_SECURITY_GROUP_ENFORCING_MODE`=``strict``, which is the default setting, then Kubernetes services of type `NodePort` and `LoadBalancer` using instance targets with an `externalTrafficPolicy` set to `Local` aren't supported with Pods that you assign security groups to. For more information about using a load balancer with instance targets, see <>. +* If you're using version `1.10` or earlier of the Amazon VPC CNI plugin or version `1.11` with `POD_SECURITY_GROUP_ENFORCING_MODE`=``strict``, which is the default setting, source NAT is disabled for outbound traffic from Pods with assigned security groups so that outbound security group rules are applied. To access the internet, Pods with assigned security groups must be launched on nodes that are deployed in a private subnet configured with a NAT gateway or instance. Pods with assigned security groups deployed to public subnets are not able to access the internet. + -If you're using version `1.11` or later of the plugin with `POD_SECURITY_GROUP_ENFORCING_MODE`=``standard``, then [.noloc]`Pod` traffic destined for outside of the VPC is translated to the IP address of the instance's primary network interface. For this traffic, the rules in the security groups for the primary network interface are used, rather than the rules in the [.noloc]`Pod's` security groups. -* To use [.noloc]`Calico` network policy with [.noloc]`Pods` that have associated security groups, you must use version `1.11.0` or later of the Amazon VPC CNI plugin and set `POD_SECURITY_GROUP_ENFORCING_MODE`=``standard``. Otherwise, traffic flow to and from [.noloc]`Pods` with associated security groups are not subjected to [.noloc]`Calico` network policy enforcement and are limited to Amazon EC2 security group enforcement only. To update your Amazon VPC CNI version, see <> -* [.noloc]`Pods` running on Amazon EC2 nodes that use security groups in clusters that use https://kubernetes.io/docs/tasks/administer-cluster/nodelocaldns/[NodeLocal DNSCache] are only supported with version `1.11.0` or later of the Amazon VPC CNI plugin and with `POD_SECURITY_GROUP_ENFORCING_MODE`=``standard``. To update your Amazon VPC CNI plugin version, see <> -* Security groups for [.noloc]`Pods` might lead to higher [.noloc]`Pod` startup latency for [.noloc]`Pods` with high churn. This is due to rate limiting in the resource controller. -* The EC2 security group scope is at the [.noloc]`Pod`-level - For more information, see link:vpc/latest/userguide/VPC_SecurityGroups.html[Security group,type="documentation"]. +If you're using version `1.11` or later of the plugin with `POD_SECURITY_GROUP_ENFORCING_MODE`=``standard``, then Pod traffic destined for outside of the VPC is translated to the IP address of the instance's primary network interface. For this traffic, the rules in the security groups for the primary network interface are used, rather than the rules in the Pod's security groups. +* To use Calico network policy with Pods that have associated security groups, you must use version `1.11.0` or later of the Amazon VPC CNI plugin and set `POD_SECURITY_GROUP_ENFORCING_MODE`=``standard``. Otherwise, traffic flow to and from Pods with associated security groups are not subjected to Calico network policy enforcement and are limited to Amazon EC2 security group enforcement only. To update your Amazon VPC CNI version, see <> +* Pods running on Amazon EC2 nodes that use security groups in clusters that use https://kubernetes.io/docs/tasks/administer-cluster/nodelocaldns/[NodeLocal DNSCache] are only supported with version `1.11.0` or later of the Amazon VPC CNI plugin and with `POD_SECURITY_GROUP_ENFORCING_MODE`=``standard``. To update your Amazon VPC CNI plugin version, see <> +* Security groups for Pods might lead to higher Pod startup latency for Pods with high churn. This is due to rate limiting in the resource controller. +* The EC2 security group scope is at the Pod-level - For more information, see link:vpc/latest/userguide/VPC_SecurityGroups.html[Security group,type="documentation"]. + -If you set `POD_SECURITY_GROUP_ENFORCING_MODE=standard` and `AWS_VPC_K8S_CNI_EXTERNALSNAT=false`, traffic destined for endpoints outside the VPC use the node's security groups, not the [.noloc]`Pod's` security groups. \ No newline at end of file +If you set `POD_SECURITY_GROUP_ENFORCING_MODE=standard` and `AWS_VPC_K8S_CNI_EXTERNALSNAT=false`, traffic destined for endpoints outside the VPC use the node's security groups, not the Pod's security groups. \ No newline at end of file diff --git a/latest/ug/networking/security-groups-pods-deployment.adoc b/latest/ug/networking/security-groups-pods-deployment.adoc index 729b84ff5..b1879b6cf 100644 --- a/latest/ug/networking/security-groups-pods-deployment.adoc +++ b/latest/ug/networking/security-groups-pods-deployment.adoc @@ -1,15 +1,15 @@ [.topic] [#security-groups-pods-deployment] -= Configure the [.noloc]`Amazon VPC CNI plugin for Kubernetes` for security groups for Amazon EKS [.noloc]`Pods` += Configure the Amazon VPC CNI plugin for Kubernetes for security groups for Amazon EKS Pods :info_titleabbrev: Configure include::../attributes.txt[] -If you use [.noloc]`Pods` with Amazon EC2 instances, you need to configure the [.noloc]`Amazon VPC CNI plugin for Kubernetes` for security groups +If you use Pods with Amazon EC2 instances, you need to configure the Amazon VPC CNI plugin for Kubernetes for security groups -If you use Fargate [.noloc]`Pods` only, and don't have any Amazon EC2 nodes in your cluster, see <>. +If you use Fargate Pods only, and don't have any Amazon EC2 nodes in your cluster, see <>. -. Check your current [.noloc]`Amazon VPC CNI plugin for Kubernetes` version with the following command: +. Check your current Amazon VPC CNI plugin for Kubernetes version with the following command: + [source,bash,subs="verbatim,attributes"] ---- @@ -23,7 +23,7 @@ An example output is as follows. v1.7.6 ---- + -If your [.noloc]`Amazon VPC CNI plugin for Kubernetes` version is earlier than `1.7.7`, then update the plugin to version `1.7.7` or later. For more information, see <> +If your Amazon VPC CNI plugin for Kubernetes version is earlier than `1.7.7`, then update the plugin to version `1.7.7` or later. For more information, see <> . Add the link:iam/home#/policies/arn:aws:iam::aws:policy/AmazonEKSVPCResourceController[AmazonEKSVPCResourceController,type="console"] managed IAM policy to the <> that is associated with your Amazon EKS cluster. The policy allows the role to manage network interfaces, their private IP addresses, and their attachment and detachment to and from network instances. + .. Retrieve the name of your cluster IAM role and store it in a variable. Replace [.replaceable]`my-cluster` with the name of your cluster. @@ -38,15 +38,15 @@ cluster_role=$(aws eks describe-cluster --name my-cluster --query cluster.roleAr ---- aws iam attach-role-policy --policy-arn {arn-aws}iam::aws:policy/AmazonEKSVPCResourceController --role-name $cluster_role ---- -. Enable the Amazon VPC CNI add-on to manage network interfaces for [.noloc]`Pods` by setting the `ENABLE_POD_ENI` variable to `true` in the `aws-node` [.noloc]`DaemonSet`. Once this setting is set to `true`, for each node in the cluster the add-on creates a `cninode` custom resource. The VPC resource controller creates and attaches one special network interface called a _trunk network interface_ with the description `aws-k8s-trunk-eni`. +. Enable the Amazon VPC CNI add-on to manage network interfaces for Pods by setting the `ENABLE_POD_ENI` variable to `true` in the `aws-node` DaemonSet. Once this setting is set to `true`, for each node in the cluster the add-on creates a `cninode` custom resource. The VPC resource controller creates and attaches one special network interface called a _trunk network interface_ with the description `aws-k8s-trunk-eni`. + [source,bash,subs="verbatim,attributes"] ---- kubectl set env daemonset aws-node -n kube-system ENABLE_POD_ENI=true ---- + -NOTE: The trunk network interface is included in the maximum number of network interfaces supported by the instance type. For a list of the maximum number of network interfaces supported by each instance type, see link:AWSEC2/latest/UserGuide/using-eni.html#AvailableIpPerENI[IP addresses per network interface per instance type,type="documentation"] in the _Amazon EC2 User Guide_. If your node already has the maximum number of standard network interfaces attached to it then the VPC resource controller will reserve a space. You will have to scale down your running [.noloc]`Pods` enough for the controller to detach and delete a standard network interface, create the trunk network interface, and attach it to the instance. -. You can see which of your nodes have a `CNINode` custom resource with the following command. If `No resources found` is returned, then wait several seconds and try again. The previous step requires restarting the [.noloc]`Amazon VPC CNI plugin for Kubernetes Pods`, which takes several seconds. +NOTE: The trunk network interface is included in the maximum number of network interfaces supported by the instance type. For a list of the maximum number of network interfaces supported by each instance type, see link:AWSEC2/latest/UserGuide/using-eni.html#AvailableIpPerENI[IP addresses per network interface per instance type,type="documentation"] in the _Amazon EC2 User Guide_. If your node already has the maximum number of standard network interfaces attached to it then the VPC resource controller will reserve a space. You will have to scale down your running Pods enough for the controller to detach and delete a standard network interface, create the trunk network interface, and attach it to the instance. +. You can see which of your nodes have a `CNINode` custom resource with the following command. If `No resources found` is returned, then wait several seconds and try again. The previous step requires restarting the Amazon VPC CNI plugin for Kubernetes Pods, which takes several seconds. + [source,shell,subs="verbatim,attributes"] ---- @@ -56,7 +56,7 @@ kubectl get cninode -A ip-192-168-7-203.us-west-2.compute.internal [{"name":"SecurityGroupsForPods"}] ---- + -If you are using VPC CNI versions older than `1.15`, node labels were used instead of the `CNINode` custom resource. You can see which of your nodes have the node label `aws-k8s-trunk-eni` set to `true` with the following command. If `No resources found` is returned, then wait several seconds and try again. The previous step requires restarting the [.noloc]`Amazon VPC CNI plugin for Kubernetes Pods`, which takes several seconds. +If you are using VPC CNI versions older than `1.15`, node labels were used instead of the `CNINode` custom resource. You can see which of your nodes have the node label `aws-k8s-trunk-eni` set to `true` with the following command. If `No resources found` is returned, then wait several seconds and try again. The previous step requires restarting the Amazon VPC CNI plugin for Kubernetes Pods, which takes several seconds. + [source,bash,subs="verbatim,attributes"] ---- @@ -64,11 +64,11 @@ kubectl get nodes -o wide -l vpc.amazonaws.com/has-trunk-attached=true - ---- + -Once the trunk network interface is created, [.noloc]`Pods` are assigned secondary IP addresses from the trunk or standard network interfaces. The trunk interface is automatically deleted if the node is deleted. +Once the trunk network interface is created, Pods are assigned secondary IP addresses from the trunk or standard network interfaces. The trunk interface is automatically deleted if the node is deleted. + -When you deploy a security group for a [.noloc]`Pod` in a later step, the VPC resource controller creates a special network interface called a _branch network interface_ with a description of `aws-k8s-branch-eni` and associates the security groups to it. Branch network interfaces are created in addition to the standard and trunk network interfaces attached to the node. +When you deploy a security group for a Pod in a later step, the VPC resource controller creates a special network interface called a _branch network interface_ with a description of `aws-k8s-branch-eni` and associates the security groups to it. Branch network interfaces are created in addition to the standard and trunk network interfaces attached to the node. + -If you are using liveness or readiness probes, then you also need to disable _TCP early demux_, so that the `kubelet` can connect to [.noloc]`Pods` on branch network interfaces using TCP. To disable _TCP early demux_, run the following command: +If you are using liveness or readiness probes, then you also need to disable _TCP early demux_, so that the `kubelet` can connect to Pods on branch network interfaces using TCP. To disable _TCP early demux_, run the following command: + [source,bash,subs="verbatim,attributes"] ---- @@ -76,8 +76,8 @@ kubectl patch daemonset aws-node -n kube-system \ -p '{"spec": {"template": {"spec": {"initContainers": [{"env":[{"name":"DISABLE_TCP_EARLY_DEMUX","value":"true"}],"name":"aws-vpc-cni-init"}]}}}}' ---- + -NOTE: If you're using `1.11.0` or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on and set `POD_SECURITY_GROUP_ENFORCING_MODE`=``standard``, as described in the next step, then you don't need to run the previous command. -. If your cluster uses `NodeLocal DNSCache`, or you want to use [.noloc]`Calico` network policy with your [.noloc]`Pods` that have their own security groups, or you have [.noloc]`Kubernetes` services of type `NodePort` and `LoadBalancer` using instance targets with an `externalTrafficPolicy` set to `Local` for [.noloc]`Pods` that you want to assign security groups to, then you must be using version `1.11.0` or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on, and you must enable the following setting: +NOTE: If you're using `1.11.0` or later of the Amazon VPC CNI plugin for Kubernetes add-on and set `POD_SECURITY_GROUP_ENFORCING_MODE`=``standard``, as described in the next step, then you don't need to run the previous command. +. If your cluster uses `NodeLocal DNSCache`, or you want to use Calico network policy with your Pods that have their own security groups, or you have Kubernetes services of type `NodePort` and `LoadBalancer` using instance targets with an `externalTrafficPolicy` set to `Local` for Pods that you want to assign security groups to, then you must be using version `1.11.0` or later of the Amazon VPC CNI plugin for Kubernetes add-on, and you must enable the following setting: + [source,bash,subs="verbatim,attributes"] ---- @@ -85,8 +85,8 @@ kubectl set env daemonset aws-node -n kube-system POD_SECURITY_GROUP_ENFORCING_M ---- + IMPORTANT: -** [.noloc]`Pod` security group rules aren't applied to traffic between [.noloc]`Pods` or between [.noloc]`Pods` and [.noloc]`services`, such as `kubelet` or `nodeLocalDNS`, that are on the same node. Pods using different security groups on the same node can't communicate because they are configured in different subnets, and routing is disabled between these subnets. -** Outbound traffic from [.noloc]`Pods` to addresses outside of the VPC is network address translated to the IP address of the instance's primary network interface (unless you've also set `AWS_VPC_K8S_CNI_EXTERNALSNAT=true`). For this traffic, the rules in the security groups for the primary network interface are used, rather than the rules in the [.noloc]`Pod's` security groups. -** For this setting to apply to existing [.noloc]`Pods`, you must restart the [.noloc]`Pods` or the nodes that the [.noloc]`Pods` are running on. +** Pod security group rules aren't applied to traffic between Pods or between Pods and services, such as `kubelet` or `nodeLocalDNS`, that are on the same node. Pods using different security groups on the same node can't communicate because they are configured in different subnets, and routing is disabled between these subnets. +** Outbound traffic from Pods to addresses outside of the VPC is network address translated to the IP address of the instance's primary network interface (unless you've also set `AWS_VPC_K8S_CNI_EXTERNALSNAT=true`). For this traffic, the rules in the security groups for the primary network interface are used, rather than the rules in the Pod's security groups. +** For this setting to apply to existing Pods, you must restart the Pods or the nodes that the Pods are running on. -. To see how to use a security group policy for your [.noloc]`Pod`, see <>. \ No newline at end of file +. To see how to use a security group policy for your Pod, see <>. \ No newline at end of file diff --git a/latest/ug/networking/sg-pods-example-deployment.adoc b/latest/ug/networking/sg-pods-example-deployment.adoc index 14a7882ae..5034d0b76 100644 --- a/latest/ug/networking/sg-pods-example-deployment.adoc +++ b/latest/ug/networking/sg-pods-example-deployment.adoc @@ -1,15 +1,15 @@ [.topic] [#sg-pods-example-deployment] -= Use a security group policy for an Amazon EKS [.noloc]`Pod` += Use a security group policy for an Amazon EKS Pod :info_titleabbrev: SecurityGroupPolicy include::../attributes.txt[] -To use security groups for [.noloc]`Pods`, you must have an existing security group. The following steps show you how to use the security group policy for a [.noloc]`Pod`. Unless otherwise noted, complete all steps from the same terminal because variables are used in the following steps that don't persist across terminals. +To use security groups for Pods, you must have an existing security group. The following steps show you how to use the security group policy for a Pod. Unless otherwise noted, complete all steps from the same terminal because variables are used in the following steps that don't persist across terminals. -If you have a [.noloc]`Pod` with Amazon EC2 instances, you must configure the plugin before you use this procedure. For more information, see <>. +If you have a Pod with Amazon EC2 instances, you must configure the plugin before you use this procedure. For more information, see <>. -. Create a [.noloc]`Kubernetes` namespace to deploy resources to. You can replace [.replaceable]`my-namespace` with the name of a namespace that you want to use. +. Create a Kubernetes namespace to deploy resources to. You can replace [.replaceable]`my-namespace` with the name of a namespace that you want to use. + [source,bash,subs="verbatim,attributes"] ---- @@ -17,9 +17,9 @@ kubectl create namespace my-namespace ---- . [[deploy-securitygrouppolicy]]Deploy an Amazon EKS `SecurityGroupPolicy` to your cluster. + -.. Copy the following contents to your device. You can replace [.replaceable]`podSelector` with `serviceAccountSelector` if you'd rather select [.noloc]`Pods` based on service account labels. You must specify one selector or the other. An empty `podSelector` (example: `podSelector: {}`) selects all [.noloc]`Pods` in the namespace. You can change [.replaceable]`my-role` to the name of your role. An empty `serviceAccountSelector` selects all service accounts in the namespace. You can replace [.replaceable]`my-security-group-policy` with a name for your `SecurityGroupPolicy` and [.replaceable]`my-namespace` with the namespace that you want to create the `SecurityGroupPolicy` in. +.. Copy the following contents to your device. You can replace [.replaceable]`podSelector` with `serviceAccountSelector` if you'd rather select Pods based on service account labels. You must specify one selector or the other. An empty `podSelector` (example: `podSelector: {}`) selects all Pods in the namespace. You can change [.replaceable]`my-role` to the name of your role. An empty `serviceAccountSelector` selects all service accounts in the namespace. You can replace [.replaceable]`my-security-group-policy` with a name for your `SecurityGroupPolicy` and [.replaceable]`my-namespace` with the namespace that you want to create the `SecurityGroupPolicy` in. + -You must replace [.replaceable]`my_pod_security_group_id` with the ID of an existing security group. If you don't have an existing security group, then you must create one. For more information, see link:AWSEC2/latest/UserGuide/ec2-security-groups.html[Amazon EC2 security groups for Linux instances,type="documentation"] in the link:AWSEC2/latest/UserGuide/[Amazon EC2 User Guide,type="documentation"]. You can specify 1-5 security group IDs. If you specify more than one ID, then the combination of all the rules in all the security groups are effective for the selected [.noloc]`Pods`. +You must replace [.replaceable]`my_pod_security_group_id` with the ID of an existing security group. If you don't have an existing security group, then you must create one. For more information, see link:AWSEC2/latest/UserGuide/ec2-security-groups.html[Amazon EC2 security groups for Linux instances,type="documentation"] in the link:AWSEC2/latest/UserGuide/[Amazon EC2 User Guide,type="documentation"]. You can specify 1-5 security group IDs. If you specify more than one ID, then the combination of all the rules in all the security groups are effective for the selected Pods. + [source,yaml,subs="verbatim,attributes"] ---- @@ -41,15 +41,15 @@ EOF + [IMPORTANT] ==== -The security group or groups that you specify for your [.noloc]`Pods` must meet the following criteria: +The security group or groups that you specify for your Pods must meet the following criteria: -* They must exist. If they don't exist, then, when you deploy a [.noloc]`Pod` that matches the selector, your [.noloc]`Pod` remains stuck in the creation process. If you describe the [.noloc]`Pod`, you'll see an error message similar to the following one: `An error occurred (InvalidSecurityGroupID.NotFound) when calling the CreateNetworkInterface operation: The securityGroup ID '[.replaceable]``sg-05b1d815d1EXAMPLE``' does not exist`. +* They must exist. If they don't exist, then, when you deploy a Pod that matches the selector, your Pod remains stuck in the creation process. If you describe the Pod, you'll see an error message similar to the following one: `An error occurred (InvalidSecurityGroupID.NotFound) when calling the CreateNetworkInterface operation: The securityGroup ID '[.replaceable]``sg-05b1d815d1EXAMPLE``' does not exist`. * They must allow inbound communication from the security group applied to your nodes (for `kubelet`) over any ports that you've configured probes for. -* They must allow outbound communication over `TCP` and `UDP` ports 53 to a security group assigned to the [.noloc]`Pods` (or nodes that the [.noloc]`Pods` run on) running [.noloc]`CoreDNS`. The security group for your [.noloc]`CoreDNS` [.noloc]`Pods` must allow inbound `TCP` and `UDP` port 53 traffic from the security group that you specify. -* They must have necessary inbound and outbound rules to communicate with other [.noloc]`Pods` that they need to communicate with. -* They must have rules that allow the [.noloc]`Pods` to communicate with the [.noloc]`Kubernetes` control plane if you're using the security group with Fargate. The easiest way to do this is to specify the cluster security group as one of the security groups. +* They must allow outbound communication over `TCP` and `UDP` ports 53 to a security group assigned to the Pods (or nodes that the Pods run on) running CoreDNS. The security group for your CoreDNS Pods must allow inbound `TCP` and `UDP` port 53 traffic from the security group that you specify. +* They must have necessary inbound and outbound rules to communicate with other Pods that they need to communicate with. +* They must have rules that allow the Pods to communicate with the Kubernetes control plane if you're using the security group with Fargate. The easiest way to do this is to specify the cluster security group as one of the security groups. -Security group policies only apply to newly scheduled [.noloc]`Pods`. They do not affect running [.noloc]`Pods`. +Security group policies only apply to newly scheduled Pods. They do not affect running Pods. ==== .. Deploy the policy. @@ -106,13 +106,13 @@ spec: targetPort: 80 EOF ---- -.. Deploy the application with the following command. When you deploy the application, the [.noloc]`Amazon VPC CNI plugin for Kubernetes` matches the `role` label and the security groups that you specified in the previous step are applied to the [.noloc]`Pod`. +.. Deploy the application with the following command. When you deploy the application, the Amazon VPC CNI plugin for Kubernetes matches the `role` label and the security groups that you specified in the previous step are applied to the Pod. + [source,bash,subs="verbatim,attributes"] ---- kubectl apply -f sample-application.yaml ---- -. View the [.noloc]`Pods` deployed with the sample application. For the remainder of this topic, this terminal is referred to as `TerminalA`. +. View the Pods deployed with the sample application. For the remainder of this topic, this terminal is referred to as `TerminalA`. + [source,bash,subs="verbatim,attributes"] ---- @@ -132,14 +132,14 @@ my-deployment-5df6f7687b-zmb42 1/1 Running 0 7m51s 192.168.63 + [NOTE] ==== -Try these tips if any [.noloc]`Pods` are stuck. +Try these tips if any Pods are stuck. -* If any [.noloc]`Pods` are stuck in the `Waiting` state, then run `kubectl describe pod [.replaceable]``my-deployment-xxxxxxxxxx-xxxxx`` -n [.replaceable]``my-namespace```. If you see `Insufficient permissions: Unable to create Elastic Network Interface.`, confirm that you added the IAM policy to the IAM cluster role in a previous step. -* If any [.noloc]`Pods` are stuck in the `Pending` state, confirm that your node instance type is listed in https://github.com/aws/amazon-vpc-resource-controller-k8s/blob/master/pkg/aws/vpc/limits.go[limits.go] and that the product of the maximum number of branch network interfaces supported by the instance type multiplied times the number of nodes in your node group hasn't already been met. For example, an `m5.large` instance supports nine branch network interfaces. If your node group has five nodes, then a maximum of 45 branch network interfaces can be created for the node group. The 46th [.noloc]`Pod` that you attempt to deploy will sit in `Pending` state until another [.noloc]`Pod` that has associated security groups is deleted. +* If any Pods are stuck in the `Waiting` state, then run `kubectl describe pod [.replaceable]``my-deployment-xxxxxxxxxx-xxxxx`` -n [.replaceable]``my-namespace```. If you see `Insufficient permissions: Unable to create Elastic Network Interface.`, confirm that you added the IAM policy to the IAM cluster role in a previous step. +* If any Pods are stuck in the `Pending` state, confirm that your node instance type is listed in https://github.com/aws/amazon-vpc-resource-controller-k8s/blob/master/pkg/aws/vpc/limits.go[limits.go] and that the product of the maximum number of branch network interfaces supported by the instance type multiplied times the number of nodes in your node group hasn't already been met. For example, an `m5.large` instance supports nine branch network interfaces. If your node group has five nodes, then a maximum of 45 branch network interfaces can be created for the node group. The 46th Pod that you attempt to deploy will sit in `Pending` state until another Pod that has associated security groups is deleted. ==== + -If you run `kubectl describe pod [.replaceable]``my-deployment-xxxxxxxxxx-xxxxx`` -n [.replaceable]``my-namespace``` and see a message similar to the following message, then it can be safely ignored. This message might appear when the [.noloc]`Amazon VPC CNI plugin for Kubernetes` tries to set up host networking and fails while the network interface is being created. The plugin logs this event until the network interface is created. +If you run `kubectl describe pod [.replaceable]``my-deployment-xxxxxxxxxx-xxxxx`` -n [.replaceable]``my-namespace``` and see a message similar to the following message, then it can be safely ignored. This message might appear when the Amazon VPC CNI plugin for Kubernetes tries to set up host networking and fails while the network interface is being created. The plugin logs this event until the network interface is created. + [source,bash,subs="verbatim,attributes"] ---- @@ -147,8 +147,8 @@ Failed to create Pod sandbox: rpc error: code = Unknown desc = failed to set up cni failed to set up Pod "my-deployment-5df6f7687b-4fbjm-c89wx_my-namespace" network: add cmd: failed to assign an IP address to container ---- + -You can't exceed the maximum number of [.noloc]`Pods` that can be run on the instance type. For a list of the maximum number of [.noloc]`Pods` that you can run on each instance type, see https://github.com/awslabs/amazon-eks-ami/blob/main/templates/shared/runtime/eni-max-pods.txt[eni-max-pods.txt] on [.noloc]`GitHub`. When you delete a [.noloc]`Pod` that has associated security groups, or delete the node that the [.noloc]`Pod` is running on, the VPC resource controller deletes the branch network interface. If you delete a cluster with [.noloc]`Pods` using [.noloc]`Pods` for security groups, then the controller doesn't delete the branch network interfaces, so you'll need to delete them yourself. For information about how to delete network interfaces, see link:AWSEC2/latest/UserGuide/using-eni.html#delete_eni[Delete a network interface,type="documentation"] in the Amazon EC2 User Guide. -. In a separate terminal, shell into one of the [.noloc]`Pods`. For the remainder of this topic, this terminal is referred to as `TerminalB`. Replace [.replaceable]`5df6f7687b-4fbjm` with the ID of one of the [.noloc]`Pods` returned in your output from the previous step. +You can't exceed the maximum number of Pods that can be run on the instance type. For a list of the maximum number of Pods that you can run on each instance type, see https://github.com/awslabs/amazon-eks-ami/blob/main/templates/shared/runtime/eni-max-pods.txt[eni-max-pods.txt] on GitHub. When you delete a Pod that has associated security groups, or delete the node that the Pod is running on, the VPC resource controller deletes the branch network interface. If you delete a cluster with Pods using Pods for security groups, then the controller doesn't delete the branch network interfaces, so you'll need to delete them yourself. For information about how to delete network interfaces, see link:AWSEC2/latest/UserGuide/using-eni.html#delete_eni[Delete a network interface,type="documentation"] in the Amazon EC2 User Guide. +. In a separate terminal, shell into one of the Pods. For the remainder of this topic, this terminal is referred to as `TerminalB`. Replace [.replaceable]`5df6f7687b-4fbjm` with the ID of one of the Pods returned in your output from the previous step. + [source,bash,subs="verbatim,attributes"] ---- @@ -172,7 +172,7 @@ An example output is as follows. [...] ---- + -You received the output because all [.noloc]`Pods` running the application are associated with the security group that you created. That group contains a rule that allows all traffic between all [.noloc]`Pods` that the security group is associated to. DNS traffic is allowed outbound from that security group to the cluster security group, which is associated with your nodes. The nodes are running the [.noloc]`CoreDNS` [.noloc]`Pods`, which your [.noloc]`Pods` did a name lookup to. +You received the output because all Pods running the application are associated with the security group that you created. That group contains a rule that allows all traffic between all Pods that the security group is associated to. DNS traffic is allowed outbound from that security group to the cluster security group, which is associated with your nodes. The nodes are running the CoreDNS Pods, which your Pods did a name lookup to. . From `TerminalA`, remove the security group rules that allow DNS communication to the cluster security group from your security group. If you didn't add the DNS rules to the cluster security group in a previous step, then replace [.replaceable]`$my_cluster_security_group_id` with the ID of the security group that you created the rules in. + [source,bash,subs="verbatim,attributes"] @@ -194,9 +194,9 @@ An example output is as follows. curl: (6) Could not resolve host: my-app ---- + -The attempt fails because the [.noloc]`Pod` is no longer able to access the [.noloc]`CoreDNS` [.noloc]`Pods`, which have the cluster security group associated to them. The cluster security group no longer has the security group rules that allow DNS communication from the security group associated to your [.noloc]`Pod`. +The attempt fails because the Pod is no longer able to access the CoreDNS Pods, which have the cluster security group associated to them. The cluster security group no longer has the security group rules that allow DNS communication from the security group associated to your Pod. + -If you attempt to access the application using the IP addresses returned for one of the [.noloc]`Pods` in a previous step, you still receive a response because all ports are allowed between [.noloc]`Pods` that have the security group associated to them and a name lookup isn't required. +If you attempt to access the application using the IP addresses returned for one of the Pods in a previous step, you still receive a response because all ports are allowed between Pods that have the security group associated to them and a name lookup isn't required. . Once you've finished experimenting, you can remove the sample security group policy, application, and security group that you created. Run the following commands from `TerminalA`. + [source,bash,subs="verbatim,attributes"] diff --git a/latest/ug/networking/vpc-add-on-create.adoc b/latest/ug/networking/vpc-add-on-create.adoc index 32bcf625a..ed163d701 100644 --- a/latest/ug/networking/vpc-add-on-create.adoc +++ b/latest/ug/networking/vpc-add-on-create.adoc @@ -5,7 +5,7 @@ include::../attributes.txt[] -Use the following steps to create the [.noloc]`Amazon VPC CNI plugin for Kubernetes` Amazon EKS add-on. +Use the following steps to create the Amazon VPC CNI plugin for Kubernetes Amazon EKS add-on. Before you begin, review the considerations. For more information, see <>. @@ -13,19 +13,19 @@ Before you begin, review the considerations. For more information, see <>. -* An existing {aws} Identity and Access Management (IAM) [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you already have one, or to create one, see <>. +* An existing {aws} Identity and Access Management (IAM) OpenID Connect (OIDC) provider for your cluster. To determine whether you already have one, or to create one, see <>. * An IAM role with the link:aws-managed-policy/latest/reference/AmazonEKS_CNI_Policy.html[AmazonEKS_CNI_Policy,type="documentation"] IAM policy (if your cluster uses the `IPv4` family) or an IPv6 policy (if your cluster uses the `IPv6` family) attached to it. For more information about the VPC CNI role, see <>. For information about the IPv6 policy, see <>. -* If you're using version `1.7.0` or later of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` and you use custom [.noloc]`Pod` security policies, see <> and <>. +* If you're using version `1.7.0` or later of the Amazon VPC CNI plugin for Kubernetes and you use custom Pod security policies, see <> and <>. [IMPORTANT] ==== -[.noloc]`Amazon VPC CNI plugin for Kubernetes` versions `v1.16.0` to `v1.16.1` removed compatibility with [.noloc]`Kubernetes` versions `1.23` and earlier. VPC CNI version `v1.16.2` restores compatibility with [.noloc]`Kubernetes` versions `1.23` and earlier and CNI spec `v0.4.0`. +Amazon VPC CNI plugin for Kubernetes versions `v1.16.0` to `v1.16.1` removed compatibility with Kubernetes versions `1.23` and earlier. VPC CNI version `v1.16.2` restores compatibility with Kubernetes versions `1.23` and earlier and CNI spec `v0.4.0`. -[.noloc]`Amazon VPC CNI plugin for Kubernetes` versions `v1.16.0` to `v1.16.1` implement CNI specification version `v1.0.0`. CNI spec `v1.0.0` is supported on EKS clusters that run the [.noloc]`Kubernetes` versions `v1.24` or later. VPC CNI version `v1.16.0` to `v1.16.1` and CNI spec `v1.0.0` aren't supported on [.noloc]`Kubernetes` version `v1.23` or earlier. For more information about `v1.0.0` of the CNI spec, see https://github.com/containernetworking/cni/blob/spec-v1.0.0/SPEC.md[Container Network Interface (CNI) Specification] on [.noloc]`GitHub`. +Amazon VPC CNI plugin for Kubernetes versions `v1.16.0` to `v1.16.1` implement CNI specification version `v1.0.0`. CNI spec `v1.0.0` is supported on EKS clusters that run the Kubernetes versions `v1.24` or later. VPC CNI version `v1.16.0` to `v1.16.1` and CNI spec `v1.0.0` aren't supported on Kubernetes version `v1.23` or earlier. For more information about `v1.0.0` of the CNI spec, see https://github.com/containernetworking/cni/blob/spec-v1.0.0/SPEC.md[Container Network Interface (CNI) Specification] on GitHub. ==== @@ -66,7 +66,7 @@ kubectl get daemonset aws-node -n kube-system -o yaml > aws-k8s-cni-old.yaml + ** Replace [.replaceable]`my-cluster` with the name of your cluster. ** Replace [.replaceable]`v1.19.2-eksbuild.1` with the latest version listed in the latest version table for your cluster version. For the latest version table, see <>. -** Replace [.replaceable]`111122223333` with your account ID and [.replaceable]`AmazonEKSVPCCNIRole` with the name of an <> that you've created. Specifying a role requires that you have an IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you have one for your cluster, or to create one, see <>. +** Replace [.replaceable]`111122223333` with your account ID and [.replaceable]`AmazonEKSVPCCNIRole` with the name of an <> that you've created. Specifying a role requires that you have an IAM OpenID Connect (OIDC) provider for your cluster. To determine whether you have one for your cluster, or to create one, see <>. + [source,bash,subs="verbatim,attributes"] ---- @@ -75,7 +75,7 @@ aws eks create-addon --cluster-name my-cluster --addon-name vpc-cni --addon-vers ---- + If you've applied custom settings to your current add-on that conflict with the default settings of the Amazon EKS add-on, creation might fail. If creation fails, you receive an error that can help you resolve the issue. Alternatively, you can add `--resolve-conflicts OVERWRITE` to the previous command. This allows the add-on to overwrite any existing custom settings. Once you've created the add-on, you can update it with your custom settings. -. Confirm that the latest version of the add-on for your cluster's [.noloc]`Kubernetes` version was added to your cluster. Replace [.replaceable]`my-cluster` with the name of your cluster. +. Confirm that the latest version of the add-on for your cluster's Kubernetes version was added to your cluster. Replace [.replaceable]`my-cluster` with the name of your cluster. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/networking/vpc-add-on-self-managed-update.adoc b/latest/ug/networking/vpc-add-on-self-managed-update.adoc index 5504c924c..4fbb68a59 100644 --- a/latest/ug/networking/vpc-add-on-self-managed-update.adoc +++ b/latest/ug/networking/vpc-add-on-self-managed-update.adoc @@ -40,7 +40,7 @@ Your output might not include the build number. ---- kubectl get daemonset aws-node -n kube-system -o yaml > aws-k8s-cni-old.yaml ---- -To review the available versions and familiarize yourself with the changes in the version that you want to update to, see https://github.com/aws/amazon-vpc-cni-k8s/releases[releases] on [.noloc]`GitHub`. Note that we recommend updating to the same `major`.``minor``.``patch`` version listed in the latest available versions table, even if later versions are available on GitHub. For the latest available version table, see <>. The build versions listed in the table aren't specified in the self-managed versions listed on GitHub. Update your version by completing the tasks in one of the following options: +To review the available versions and familiarize yourself with the changes in the version that you want to update to, see https://github.com/aws/amazon-vpc-cni-k8s/releases[releases] on GitHub. Note that we recommend updating to the same `major`.``minor``.``patch`` version listed in the latest available versions table, even if later versions are available on GitHub. For the latest available version table, see <>. The build versions listed in the table aren't specified in the self-managed versions listed on GitHub. Update your version by completing the tasks in one of the following options: + ** If you don't have any custom settings for the add-on, then run the command under the `To apply this release:` heading on GitHub for the https://github.com/aws/amazon-vpc-cni-k8s/releases[release] that you're updating to. ** If you have custom settings, download the manifest file with the following command. Change [.replaceable]`https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.19.2/config/master/aws-k8s-cni.yaml` to the URL for the release on GitHub that you're updating to. diff --git a/latest/ug/networking/vpc-add-on-update.adoc b/latest/ug/networking/vpc-add-on-update.adoc index 66f855172..90c402216 100644 --- a/latest/ug/networking/vpc-add-on-update.adoc +++ b/latest/ug/networking/vpc-add-on-update.adoc @@ -5,7 +5,7 @@ include::../attributes.txt[] -Update the Amazon EKS type of the [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on. If you haven't added the Amazon EKS type of the add-on to your cluster, you can install it by following <>. Or, update the other type of VPC CNI installation by following <>. +Update the Amazon EKS type of the Amazon VPC CNI plugin for Kubernetes add-on. If you haven't added the Amazon EKS type of the add-on to your cluster, you can install it by following <>. Or, update the other type of VPC CNI installation by following <>. . See which version of the add-on is installed on your cluster. Replace [.replaceable]`my-cluster` with your cluster name. + @@ -21,7 +21,7 @@ An example output is as follows. v1.16.4-eksbuild.2 ---- + -Compare the version with the table of latest versions at <>. If the version returned is the same as the version for your cluster's [.noloc]`Kubernetes` version in the latest version table, then you already have the latest version installed on your cluster and don't need to complete the rest of this procedure. If you receive an error, instead of a version number in your output, then you don't have the Amazon EKS type of the add-on installed on your cluster. You need to create the add-on before you can update it with this procedure. To create the Amazon EKS type of the VPC CNI add-on, you can follow <>. +Compare the version with the table of latest versions at <>. If the version returned is the same as the version for your cluster's Kubernetes version in the latest version table, then you already have the latest version installed on your cluster and don't need to complete the rest of this procedure. If you receive an error, instead of a version number in your output, then you don't have the Amazon EKS type of the add-on installed on your cluster. You need to create the add-on before you can update it with this procedure. To create the Amazon EKS type of the VPC CNI add-on, you can follow <>. . Save the configuration of your currently installed add-on. + [source,bash,subs="verbatim,attributes"] @@ -32,7 +32,7 @@ kubectl get daemonset aws-node -n kube-system -o yaml > aws-k8s-cni-old.yaml + ** Replace [.replaceable]`my-cluster` with the name of your cluster. ** Replace [.replaceable]`v1.19.2-eksbuild.1` with the latest version listed in the latest version table for your cluster version. -** Replace [.replaceable]`111122223333` with your account ID and [.replaceable]`AmazonEKSVPCCNIRole` with the name of an existing IAM role that you've created. To create an IAM role for the VPC CNI, see <>. Specifying a role requires that you have an IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you have one for your cluster, or to create one, see <>. +** Replace [.replaceable]`111122223333` with your account ID and [.replaceable]`AmazonEKSVPCCNIRole` with the name of an existing IAM role that you've created. To create an IAM role for the VPC CNI, see <>. Specifying a role requires that you have an IAM OpenID Connect (OIDC) provider for your cluster. To determine whether you have one for your cluster, or to create one, see <>. ** The `--resolve-conflicts PRESERVE` option preserves existing configuration values for the add-on. If you've set custom values for add-on settings, and you don't use this option, Amazon EKS overwrites your values with its default values. If you use this option, then we recommend testing any field and value changes on a non-production cluster before updating the add-on on your production cluster. If you change this value to `OVERWRITE`, all settings are changed to Amazon EKS default values. If you've set custom values for any settings, they might be overwritten with Amazon EKS default values. If you change this value to `none`, Amazon EKS doesn't change the value of any settings, but the update might fail. If the update fails, you receive an error message to help you resolve the conflict. ** If you're not updating a configuration setting, remove `--configuration-values '{[.replaceable]``"env":{"AWS_VPC_K8S_CNI_EXTERNALSNAT":"true"}``}'` from the command. If you're updating a configuration setting, replace [.replaceable]`"env":{"AWS_VPC_K8S_CNI_EXTERNALSNAT":"true"}` with the setting that you want to set. In this example, the `AWS_VPC_K8S_CNI_EXTERNALSNAT` environment variable is set to `true`. The value that you specify must be valid for the configuration schema. If you don't know the configuration schema, run `aws eks describe-addon-configuration --addon-name vpc-cni --addon-version [.replaceable]``v1.19.2-eksbuild.1```, replacing [.replaceable]`v1.19.2-eksbuild.1` with the version number of the add-on that you want to see the configuration for. The schema is returned in the output. If you have any existing custom configuration, want to remove it all, and set the values for all settings back to Amazon EKS defaults, remove [.replaceable]`"env":{"AWS_VPC_K8S_CNI_EXTERNALSNAT":"true"}` from the command, so that you have empty `{}`. For an explanation of each setting, see https://github.com/aws/amazon-vpc-cni-k8s#cni-configuration-variables[CNI Configuration Variables] on GitHub. + diff --git a/latest/ug/nodes/al2023.adoc b/latest/ug/nodes/al2023.adoc index 8c4efff3b..deb8e088c 100644 --- a/latest/ug/nodes/al2023.adoc +++ b/latest/ug/nodes/al2023.adoc @@ -31,7 +31,7 @@ spec: cidr: 10.100.0.0/16 ---- + -In AL2, the metadata from these parameters was discovered from the Amazon EKS `DescribeCluster` API call. With AL2023, this behavior has changed since the additional API call risks throttling during large node scale ups. This change doesn't affect you if you're using managed node groups without a launch template or if you're using [.noloc]`Karpenter`. For more information on `certificateAuthority` and service `cidr`, see link:eks/latest/APIReference/API_DescribeCluster.html[`DescribeCluster`,type="documentation"] in the _Amazon EKS API Reference_. +In AL2, the metadata from these parameters was discovered from the Amazon EKS `DescribeCluster` API call. With AL2023, this behavior has changed since the additional API call risks throttling during large node scale ups. This change doesn't affect you if you're using managed node groups without a launch template or if you're using Karpenter. For more information on `certificateAuthority` and service `cidr`, see link:eks/latest/APIReference/API_DescribeCluster.html[`DescribeCluster`,type="documentation"] in the _Amazon EKS API Reference_. * For AL2023, `nodeadm` also changes the format to apply parameters to the `kubelet` for each node using https://awslabs.github.io/amazon-eks-ami/nodeadm/doc/api/#nodeconfigspec[`NodeConfigSpec`]. In AL2, this was done with the `--kubelet-extra-args` parameter. This is commonly used to add labels and taints to nodes. An example below shows applying `maxPods` and `--node-labels` to the node. + [source,yaml,subs="verbatim,attributes"] @@ -52,7 +52,7 @@ spec: - --node-labels=karpenter.sh/capacity-type=on-demand,karpenter.sh/nodepool=test ---- + -* [.noloc]`Docker` isn't supported in AL2023 for all supported Amazon EKS versions. Support for [.noloc]`Docker` has ended and been removed with Amazon EKS version `1.24` or greater in AL2. For more information on deprecation, see <>. +* Docker isn't supported in AL2023 for all supported Amazon EKS versions. Support for Docker has ended and been removed with Amazon EKS version `1.24` or greater in AL2. For more information on deprecation, see <>. * Amazon VPC CNI version `1.16.2` or greater is required for AL2023. * AL2023 requires `IMDSv2` by default. `IMDSv2` has several benefits that help improve security posture. It uses a session-oriented authentication method that requires the creation of a secret token in a simple HTTP PUT request to start the session. A session's token can be valid for anywhere between 1 second and 6 hours. For more information on how to transition from `IMDSv1` to `IMDSv2`, see link:AWSEC2/latest/UserGuide/instance-metadata-transition-to-version-2.html[Transition to using Instance Metadata Service Version 2,type="documentation"] and link:security/get-the-full-benefits-of-imdsv2-and-disable-imdsv1-across-your-aws-infrastructure[Get the full benefits of IMDSv2 and disable IMDSv1 across your {aws} infrastructure,type="blog"]. If you would like to use `IMDSv1`, you can still do so by manually overriding the settings using instance metadata option launch properties. + @@ -63,6 +63,6 @@ NOTE: For `IMDSv2`, the default hop count for managed node groups is set to 1. T For previously existing managed node groups, you can either perform an in-place upgrade or a blue/green upgrade depending on how you're using a launch template: * If you're using a custom AMI with a managed node group, you can perform an in-place upgrade by swapping the AMI ID in the launch template. You should ensure that your applications and any user data transfer over to AL2023 first before performing this upgrade strategy. -* If you're using managed node groups with either the standard launch template or with a custom launch template that doesn't specify the AMI ID, you're required to upgrade using a blue/green strategy. A blue/green upgrade is typically more complex and involves creating an entirely new node group where you would specify AL2023 as the AMI type. The new node group will need to then be carefully configured to ensure that all custom data from the AL2 node group is compatible with the new OS. Once the new node group has been tested and validated with your applications, [.noloc]`Pods` can be migrated from the old node group to the new node group. Once the migration is completed, you can delete the old node group. +* If you're using managed node groups with either the standard launch template or with a custom launch template that doesn't specify the AMI ID, you're required to upgrade using a blue/green strategy. A blue/green upgrade is typically more complex and involves creating an entirely new node group where you would specify AL2023 as the AMI type. The new node group will need to then be carefully configured to ensure that all custom data from the AL2 node group is compatible with the new OS. Once the new node group has been tested and validated with your applications, Pods can be migrated from the old node group to the new node group. Once the migration is completed, you can delete the old node group. -If you're using [.noloc]`Karpenter` and want to use AL2023, you'll need to modify the `EC2NodeClass` `amiFamily` field with AL2023. By default, Drift is enabled in [.noloc]`Karpenter`. This means that once the `amiFamily` field has been changed, [.noloc]`Karpenter` will automatically update your worker nodes to the latest AMI when available. \ No newline at end of file +If you're using Karpenter and want to use AL2023, you'll need to modify the `EC2NodeClass` `amiFamily` field with AL2023. By default, Drift is enabled in Karpenter. This means that once the `amiFamily` field has been changed, Karpenter will automatically update your worker nodes to the latest AMI when available. \ No newline at end of file diff --git a/latest/ug/nodes/bottlerocket-compliance-support.adoc b/latest/ug/nodes/bottlerocket-compliance-support.adoc index acfaacba2..7c142a00a 100644 --- a/latest/ug/nodes/bottlerocket-compliance-support.adoc +++ b/latest/ug/nodes/bottlerocket-compliance-support.adoc @@ -1,18 +1,18 @@ [.topic] [#bottlerocket-compliance-support] -= Meet compliance requirements with [.noloc]`Bottlerocket` += Meet compliance requirements with Bottlerocket :info_titleabbrev: Compliance support include::../attributes.txt[] [abstract] -- -[.noloc]`Bottlerocket` complies with recommendations defined by various organizations. +Bottlerocket complies with recommendations defined by various organizations. -- -[.noloc]`Bottlerocket` complies with recommendations defined by various organizations: +Bottlerocket complies with recommendations defined by various organizations: -* There is a https://www.cisecurity.org/benchmark/bottlerocket[CIS Benchmark] defined for [.noloc]`Bottlerocket`. In a default configuration, [.noloc]`Bottlerocket` image has most of the controls required by CIS Level 1 configuration profile. You can implement the controls required for a CIS Level 2 configuration profile. For more information, see link:containers/validating-amazon-eks-optimized-bottlerocket-ami-against-the-cis-benchmark[Validating Amazon EKS optimized Bottlerocket AMI against the CIS Benchmark,type="blog"] on the {aws} blog. -* The optimized feature set and reduced attack surface means that [.noloc]`Bottlerocket` instances require less configuration to satisfy PCI DSS requirements. The https://www.cisecurity.org/benchmark/bottlerocket[CIS Benchmark for Bottlerocket] is an excellent resource for hardening guidance, and supports your requirements for secure configuration standards under PCI DSS requirement 2.2. You can also leverage https://opensearch.org/blog/technical-post/2022/07/bottlerocket-k8s-fluent-bit/[Fluent Bit] to support your requirements for operating system level audit logging under PCI DSS requirement 10.2. {aws} publishes new (patched) [.noloc]`Bottlerocket` instances periodically to help you meet PCI DSS requirement 6.2 (for v3.2.1) and requirement 6.3.3 (for v4.0). -* [.noloc]`Bottlerocket` is an HIPAA-eligible feature authorized for use with regulated workloads for both Amazon EC2 and Amazon EKS. For more information, see the link:pdfs/whitepapers/latest/architecting-hipaa-security-and-compliance-on-amazon-eks/architecting-hipaa-security-and-compliance-on-amazon-eks.pdf[Architecting for HIPAA Security and Compliance on Amazon EKS,type="documentation"] whitepaper. -* [.noloc]`Bottlerocket` AMIs are available that are preconfigured to use FIPS 140-3 validated cryptographic modules. This includes the Amazon Linux 2023 Kernel Crypto API Cryptographic Module and the {aws}-LC Cryptographic Module. For more information on selecting FIPS-enabled variants, see <>. \ No newline at end of file +* There is a https://www.cisecurity.org/benchmark/bottlerocket[CIS Benchmark] defined for Bottlerocket. In a default configuration, Bottlerocket image has most of the controls required by CIS Level 1 configuration profile. You can implement the controls required for a CIS Level 2 configuration profile. For more information, see link:containers/validating-amazon-eks-optimized-bottlerocket-ami-against-the-cis-benchmark[Validating Amazon EKS optimized Bottlerocket AMI against the CIS Benchmark,type="blog"] on the {aws} blog. +* The optimized feature set and reduced attack surface means that Bottlerocket instances require less configuration to satisfy PCI DSS requirements. The https://www.cisecurity.org/benchmark/bottlerocket[CIS Benchmark for Bottlerocket] is an excellent resource for hardening guidance, and supports your requirements for secure configuration standards under PCI DSS requirement 2.2. You can also leverage https://opensearch.org/blog/technical-post/2022/07/bottlerocket-k8s-fluent-bit/[Fluent Bit] to support your requirements for operating system level audit logging under PCI DSS requirement 10.2. {aws} publishes new (patched) Bottlerocket instances periodically to help you meet PCI DSS requirement 6.2 (for v3.2.1) and requirement 6.3.3 (for v4.0). +* Bottlerocket is an HIPAA-eligible feature authorized for use with regulated workloads for both Amazon EC2 and Amazon EKS. For more information, see the link:pdfs/whitepapers/latest/architecting-hipaa-security-and-compliance-on-amazon-eks/architecting-hipaa-security-and-compliance-on-amazon-eks.pdf[Architecting for HIPAA Security and Compliance on Amazon EKS,type="documentation"] whitepaper. +* Bottlerocket AMIs are available that are preconfigured to use FIPS 140-3 validated cryptographic modules. This includes the Amazon Linux 2023 Kernel Crypto API Cryptographic Module and the {aws}-LC Cryptographic Module. For more information on selecting FIPS-enabled variants, see <>. \ No newline at end of file diff --git a/latest/ug/nodes/choosing-instance-type.adoc b/latest/ug/nodes/choosing-instance-type.adoc index 9ab3940f6..9556d08aa 100644 --- a/latest/ug/nodes/choosing-instance-type.adoc +++ b/latest/ug/nodes/choosing-instance-type.adoc @@ -16,56 +16,56 @@ Amazon EC2 provides a wide selection of instance types for worker nodes. Each in * All Amazon EKS AMIs don't currently support the `g5g` and `mac` families. -* [.noloc]`Arm` and non-accelerated Amazon EKS AMIs don't support the `g3`, `g4`, `inf`, and `p` families. +* Arm and non-accelerated Amazon EKS AMIs don't support the `g3`, `g4`, `inf`, and `p` families. * Accelerated Amazon EKS AMIs don't support the `a`, `c`, `hpc`, `m`, and `t` families. -* For Arm-based instances, Amazon Linux 2023 (AL2023) only supports instance types that use [.noloc]`Graviton2` or later processors. AL2023 doesn't support `A1` instances. +* For Arm-based instances, Amazon Linux 2023 (AL2023) only supports instance types that use Graviton2 or later processors. AL2023 doesn't support `A1` instances. When choosing between instance types that are supported by Amazon EKS, consider the following capabilities of each type. *Number of instances in a node group*:: -In general, fewer, larger instances are better, especially if you have a lot of [.noloc]`Daemonsets`. Each instance requires API calls to the API server, so the more instances you have, the more load on the API server. +In general, fewer, larger instances are better, especially if you have a lot of Daemonsets. Each instance requires API calls to the API server, so the more instances you have, the more load on the API server. *Operating system*:: -Review the supported instance types for link:AWSEC2/latest/UserGuide/instance-types.html[Linux,type="documentation"], link:AWSEC2/latest/WindowsGuide/instance-types.html[Windows,type="documentation"], and link:bottlerocket/faqs/[Bottlerocket,type="marketing"]. Before creating [.noloc]`Windows` instances, review <>. +Review the supported instance types for link:AWSEC2/latest/UserGuide/instance-types.html[Linux,type="documentation"], link:AWSEC2/latest/WindowsGuide/instance-types.html[Windows,type="documentation"], and link:bottlerocket/faqs/[Bottlerocket,type="marketing"]. Before creating Windows instances, review <>. *Hardware architecture*:: -Do you need [.noloc]`x86` or [.noloc]`Arm`? Before deploying [.noloc]`Arm` instances, review <>. Do you need instances built on the [.noloc]`Nitro System` ( link:AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances[Linux,type="documentation"] or link:AWSEC2/latest/WindowsGuide/instance-types.html#ec2-nitro-instances[Windows,type="documentation"]) or that have link:AWSEC2/latest/WindowsGuide/accelerated-computing-instances.html[Accelerated,type="documentation"] capabilities? If you need accelerated capabilities, you can only use [.noloc]`Linux` with Amazon EKS. +Do you need x86 or Arm? Before deploying Arm instances, review <>. Do you need instances built on the Nitro System ( link:AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances[Linux,type="documentation"] or link:AWSEC2/latest/WindowsGuide/instance-types.html#ec2-nitro-instances[Windows,type="documentation"]) or that have link:AWSEC2/latest/WindowsGuide/accelerated-computing-instances.html[Accelerated,type="documentation"] capabilities? If you need accelerated capabilities, you can only use Linux with Amazon EKS. -*Maximum number of [.noloc]`Pods`*:: -Since each [.noloc]`Pod` is assigned its own IP address, the number of IP addresses supported by an instance type is a factor in determining the number of [.noloc]`Pods` that can run on the instance. To manually determine how many [.noloc]`Pods` an instance type supports, see <>. +*Maximum number of Pods*:: +Since each Pod is assigned its own IP address, the number of IP addresses supported by an instance type is a factor in determining the number of Pods that can run on the instance. To manually determine how many Pods an instance type supports, see <>. + NOTE: If you're using an Amazon EKS optimized Amazon Linux 2 AMI that's `v20220406` or newer, you can use a new instance type without upgrading to the latest AMI. For these AMIs, the AMI auto-calculates the necessary `max-pods` value if it isn't listed in the https://github.com/awslabs/amazon-eks-ami/blob/main/templates/shared/runtime/eni-max-pods.txt[eni-max-pods.txt] file. Instance types that are currently in preview may not be supported by Amazon EKS by default. Values for `max-pods` for such types still need to be added to `eni-max-pods.txt` in our AMI. + -link:ec2/nitro/[{aws} Nitro System,type="marketing"] instance types optionally support significantly more IP addresses than non-Nitro System instance types. However, not all IP addresses assigned for an instance are available to [.noloc]`Pods`. To assign a significantly larger number of IP addresses to your instances, you must have version `1.9.0` or later of the Amazon VPC CNI add-on installed in your cluster and configured appropriately. For more information, see <>. To assign the largest number of IP addresses to your instances, you must have version `1.10.1` or later of the Amazon VPC CNI add-on installed in your cluster and deploy the cluster with the `IPv6` family. +link:ec2/nitro/[{aws} Nitro System,type="marketing"] instance types optionally support significantly more IP addresses than non-Nitro System instance types. However, not all IP addresses assigned for an instance are available to Pods. To assign a significantly larger number of IP addresses to your instances, you must have version `1.9.0` or later of the Amazon VPC CNI add-on installed in your cluster and configured appropriately. For more information, see <>. To assign the largest number of IP addresses to your instances, you must have version `1.10.1` or later of the Amazon VPC CNI add-on installed in your cluster and deploy the cluster with the `IPv6` family. *IP family*:: -You can use any supported instance type when using the `IPv4` family for a cluster, which allows your cluster to assign private `IPv4` addresses to your [.noloc]`Pods` and Services. But if you want to use the `IPv6` family for your cluster, then you must use link:ec2/nitro/[{aws} Nitro System,type="marketing"] instance types or bare metal instance types. Only `IPv4` is supported for [.noloc]`Windows` instances. Your cluster must be running version `1.10.1` or later of the Amazon VPC CNI add-on. For more information about using `IPv6`, see <>. +You can use any supported instance type when using the `IPv4` family for a cluster, which allows your cluster to assign private `IPv4` addresses to your Pods and Services. But if you want to use the `IPv6` family for your cluster, then you must use link:ec2/nitro/[{aws} Nitro System,type="marketing"] instance types or bare metal instance types. Only `IPv4` is supported for Windows instances. Your cluster must be running version `1.10.1` or later of the Amazon VPC CNI add-on. For more information about using `IPv6`, see <>. *Version of the Amazon VPC CNI add-on that you're running*:: -The latest version of the https://github.com/aws/amazon-vpc-cni-k8s[Amazon VPC CNI plugin for Kubernetes] supports https://github.com/aws/amazon-vpc-cni-k8s/blob/master/pkg/vpc/vpc_ip_resource_limit.go[these instance types]. You may need to update your Amazon VPC CNI add-on version to take advantage of the latest supported instance types. For more information, see <>. The latest version supports the latest features for use with Amazon EKS. Earlier versions don't support all features. You can view features supported by different versions in the https://github.com/aws/amazon-vpc-cni-k8s/blob/master/CHANGELOG.md[Changelog] on [.noloc]`GitHub`. +The latest version of the https://github.com/aws/amazon-vpc-cni-k8s[Amazon VPC CNI plugin for Kubernetes] supports https://github.com/aws/amazon-vpc-cni-k8s/blob/master/pkg/vpc/vpc_ip_resource_limit.go[these instance types]. You may need to update your Amazon VPC CNI add-on version to take advantage of the latest supported instance types. For more information, see <>. The latest version supports the latest features for use with Amazon EKS. Earlier versions don't support all features. You can view features supported by different versions in the https://github.com/aws/amazon-vpc-cni-k8s/blob/master/CHANGELOG.md[Changelog] on GitHub. *{aws} Region that you're creating your nodes in*:: Not all instance types are available in all {aws} Regions. -*Whether you're using security groups for [.noloc]`Pods`*:: -If you're using security groups for [.noloc]`Pods`, only specific instance types are supported. For more information, see <>. +*Whether you're using security groups for Pods*:: +If you're using security groups for Pods, only specific instance types are supported. For more information, see <>. [#determine-max-pods] -== Amazon EKS recommended maximum [.noloc]`Pods` for each Amazon EC2 instance type +== Amazon EKS recommended maximum Pods for each Amazon EC2 instance type -Since each [.noloc]`Pod` is assigned its own IP address, the number of IP addresses supported by an instance type is a factor in determining the number of [.noloc]`Pods` that can run on the instance. Amazon EKS provides a script that you can download and run to determine the Amazon EKS recommended maximum number of [.noloc]`Pods` to run on each instance type. The script uses hardware attributes of each instance, and configuration options, to determine the maximum [.noloc]`Pods` number. You can use the number returned in these steps to enable capabilities such as <> and <>. If you're using a managed node group with multiple instance types, use a value that would work for all instance types. +Since each Pod is assigned its own IP address, the number of IP addresses supported by an instance type is a factor in determining the number of Pods that can run on the instance. Amazon EKS provides a script that you can download and run to determine the Amazon EKS recommended maximum number of Pods to run on each instance type. The script uses hardware attributes of each instance, and configuration options, to determine the maximum Pods number. You can use the number returned in these steps to enable capabilities such as <> and <>. If you're using a managed node group with multiple instance types, use a value that would work for all instance types. -. Download a script that you can use to calculate the maximum number of [.noloc]`Pods` for each instance type. +. Download a script that you can use to calculate the maximum number of Pods for each instance type. + [source,bash,subs="verbatim,attributes"] ---- @@ -91,7 +91,7 @@ An example output is as follows. 29 ---- + -You can add the following options to the script to see the maximum [.noloc]`Pods` supported when using optional capabilities. +You can add the following options to the script to see the maximum Pods supported when using optional capabilities. + ** `--cni-custom-networking-enabled` – Use this option when you want to assign IP addresses from a different subnet than your instance's. For more information, see <>. Adding this option to the previous script with the same example values yields `20`. ** `--cni-prefix-delegation-enabled` – Use this option when you want to assign significantly more IP addresses to each elastic network interface. This capability requires an Amazon Linux instance that run on the Nitro System and version `1.9.0` or later of the Amazon VPC CNI add-on. For more information, see <>. Adding this option to the previous script with the same example values yields `110`. @@ -101,7 +101,7 @@ You can also run the script with the `--help` option to see all available option [NOTE] ==== -The max [.noloc]`Pods` calculator script limits the return value to `110` based on https://github.com/kubernetes/community/blob/master/sig-scalability/configs-and-limits/thresholds.md[Kubernetes scalability thresholds] and recommended settings. If your instance type has greater than 30 vCPUs, this limit jumps to `250`, a number based on internal Amazon EKS scalability team testing. For more information, see the link:containers/amazon-vpc-cni-increases-pods-per-node-limits[Amazon VPC CNI plugin increases pods per node limits,type="blog"] blog post. +The max Pods calculator script limits the return value to `110` based on https://github.com/kubernetes/community/blob/master/sig-scalability/configs-and-limits/thresholds.md[Kubernetes scalability thresholds] and recommended settings. If your instance type has greater than 30 vCPUs, this limit jumps to `250`, a number based on internal Amazon EKS scalability team testing. For more information, see the link:containers/amazon-vpc-cni-increases-pods-per-node-limits[Amazon VPC CNI plugin increases pods per node limits,type="blog"] blog post. ==== diff --git a/latest/ug/nodes/create-managed-node-group.adoc b/latest/ug/nodes/create-managed-node-group.adoc index 5b859e960..f8f4068ec 100644 --- a/latest/ug/nodes/create-managed-node-group.adoc +++ b/latest/ug/nodes/create-managed-node-group.adoc @@ -10,7 +10,7 @@ include::../attributes.txt[] This topic describes how you can launch Amazon EKS managed node groups of nodes that register with your Amazon EKS cluster. -- -This topic describes how you can launch Amazon EKS managed node groups of nodes that register with your Amazon EKS cluster. After the nodes join the cluster, you can deploy [.noloc]`Kubernetes` applications to them. +This topic describes how you can launch Amazon EKS managed node groups of nodes that register with your Amazon EKS cluster. After the nodes join the cluster, you can deploy Kubernetes applications to them. If this is your first time launching an Amazon EKS managed node group, we recommend that you instead follow one of our guides in <>. These guides provide walkthroughs for creating an Amazon EKS cluster with nodes. @@ -25,9 +25,9 @@ If this is your first time launching an Amazon EKS managed node group, we recomm * An existing Amazon EKS cluster. To deploy one, see <>. * An existing IAM role for the nodes to use. To create one, see <>. If this role doesn't have either of the policies for the VPC CNI, the separate role that follows is required for the VPC CNI pods. -* (Optional, but recommended) The [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on configured with its own IAM role that has the necessary IAM policy attached to it. For more information, see <>. +* (Optional, but recommended) The Amazon VPC CNI plugin for Kubernetes add-on configured with its own IAM role that has the necessary IAM policy attached to it. For more information, see <>. * Familiarity with the considerations listed in <>. Depending on the instance type you choose, there may be additional prerequisites for your cluster and VPC. -* To add a [.noloc]`Windows` managed node group, you must first enable [.noloc]`Windows` support for your cluster. For more information, see <>. +* To add a Windows managed node group, you must first enable Windows support for your cluster. For more information, see <>. You can create a managed node group with either of the following: @@ -47,7 +47,7 @@ eksctl version For instructions on how to install or upgrade `eksctl`, see https://eksctl.io/installation[Installation] in the `eksctl` documentation. -. (Optional) If the *AmazonEKS_CNI_Policy* managed IAM policy is attached to your <>, we recommend assigning it to an IAM role that you associate to the [.noloc]`Kubernetes` `aws-node` service account instead. For more information, see <>. +. (Optional) If the *AmazonEKS_CNI_Policy* managed IAM policy is attached to your <>, we recommend assigning it to an IAM role that you associate to the Kubernetes `aws-node` service account instead. For more information, see <>. . Create a managed node group with or without using a custom launch template. Manually specifying a launch template allows for greater customization of a node group. For example, it can allow deploying a custom AMI or providing arguments to the `boostrap.sh` script in an Amazon EKS optimized AMI. For a complete list of every available option and default, enter the following command. + [source,bash,subs="verbatim,attributes"] @@ -68,19 +68,19 @@ If you don't use a custom launch template when first creating a managed node gro Replace [.replaceable]`ami-family` with an allowed keyword. For more information, see https://eksctl.io/usage/custom-ami-support/#setting-the-node-ami-family[Setting the node AMI Family] in the `eksctl` documentation. Replace [.replaceable]`my-key` with the name of your Amazon EC2 key pair or public key. This key is used to SSH into your nodes after they launch. -NOTE: For [.noloc]`Windows`, this command doesn't enable SSH. Instead, it associates your Amazon EC2 key pair with the instance and allows you to RDP into the instance. +NOTE: For Windows, this command doesn't enable SSH. Instead, it associates your Amazon EC2 key pair with the instance and allows you to RDP into the instance. -If you don't already have an Amazon EC2 key pair, you can create one in the {aws-management-console}. For [.noloc]`Linux` information, see link:AWSEC2/latest/UserGuide/ec2-key-pairs.html[Amazon EC2 key pairs and Linux instances,type="documentation"] in the _Amazon EC2 User Guide_. For [.noloc]`Windows` information, see link:AWSEC2/latest/WindowsGuide/ec2-key-pairs.html[Amazon EC2 key pairs and Windows instances,type="documentation"] in the _Amazon EC2 User Guide_. +If you don't already have an Amazon EC2 key pair, you can create one in the {aws-management-console}. For Linux information, see link:AWSEC2/latest/UserGuide/ec2-key-pairs.html[Amazon EC2 key pairs and Linux instances,type="documentation"] in the _Amazon EC2 User Guide_. For Windows information, see link:AWSEC2/latest/WindowsGuide/ec2-key-pairs.html[Amazon EC2 key pairs and Windows instances,type="documentation"] in the _Amazon EC2 User Guide_. -We recommend blocking [.noloc]`Pod` access to IMDS if the following conditions are true: +We recommend blocking Pod access to IMDS if the following conditions are true: -* You plan to assign IAM roles to all of your [.noloc]`Kubernetes` service accounts so that [.noloc]`Pods` only have the minimum permissions that they need. +* You plan to assign IAM roles to all of your Kubernetes service accounts so that Pods only have the minimum permissions that they need. -* No [.noloc]`Pods` in the cluster require access to the Amazon EC2 instance metadata service (IMDS) for other reasons, such as retrieving the current {aws} Region. +* No Pods in the cluster require access to the Amazon EC2 instance metadata service (IMDS) for other reasons, such as retrieving the current {aws} Region. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. -If you want to block [.noloc]`Pod` access to IMDS, then add the `--disable-pod-imds` option to the following command. +If you want to block Pod access to IMDS, then add the `--disable-pod-imds` option to the following command. [source,bash,subs="verbatim,attributes"] ---- @@ -97,22 +97,22 @@ eksctl create nodegroup \ --ssh-public-key my-key ---- -Your instances can optionally assign a significantly higher number of IP addresses to [.noloc]`Pods`, assign IP addresses to [.noloc]`Pods` from a different CIDR block than the instance's, and be deployed to a cluster without internet access. For more information, see <>, <>, and <> for additional options to add to the previous command. +Your instances can optionally assign a significantly higher number of IP addresses to Pods, assign IP addresses to Pods from a different CIDR block than the instance's, and be deployed to a cluster without internet access. For more information, see <>, <>, and <> for additional options to add to the previous command. -Managed node groups calculates and applies a single value for the maximum number of [.noloc]`Pods` that can run on each node of your node group, based on instance type. If you create a node group with different instance types, the smallest value calculated across all instance types is applied as the maximum number of [.noloc]`Pods` that can run on every instance type in the node group. Managed node groups calculates the value using the script referenced in <>. +Managed node groups calculates and applies a single value for the maximum number of Pods that can run on each node of your node group, based on instance type. If you create a node group with different instance types, the smallest value calculated across all instance types is applied as the maximum number of Pods that can run on every instance type in the node group. Managed node groups calculates the value using the script referenced in <>. *With a launch template* The launch template must already exist and must meet the requirements specified in <>. -We recommend blocking [.noloc]`Pod` access to IMDS if the following conditions are true: +We recommend blocking Pod access to IMDS if the following conditions are true: -* You plan to assign IAM roles to all of your [.noloc]`Kubernetes` service accounts so that [.noloc]`Pods` only have the minimum permissions that they need. +* You plan to assign IAM roles to all of your Kubernetes service accounts so that Pods only have the minimum permissions that they need. -* No [.noloc]`Pods` in the cluster require access to the Amazon EC2 instance metadata service (IMDS) for other reasons, such as retrieving the current {aws} Region. +* No Pods in the cluster require access to the Amazon EC2 instance metadata service (IMDS) for other reasons, such as retrieving the current {aws} Region. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. -If you want to block [.noloc]`Pod` access to IMDS, then specify the necessary settings in the launch template. +If you want to block Pod access to IMDS, then specify the necessary settings in the launch template. [loweralpha] .. Copy the following contents to your device. Replace the [.replaceable]`example values` and then run the modified command to create the `eks-nodegroup.yaml` file. Several settings that you specify when deploying without a launch template are moved into the launch template. If you don't specify a `version`, the template's default version is used. @@ -133,11 +133,11 @@ managedNodeGroups: EOF ---- + -For a complete list of `eksctl` config file settings, see https://eksctl.io/usage/schema/[Config file schema] in the `eksctl` documentation. Your instances can optionally assign a significantly higher number of IP addresses to [.noloc]`Pods`, assign IP addresses to [.noloc]`Pods` from a different CIDR block than the instance's, use the `containerd` runtime, and be deployed to a cluster without outbound internet access. For more information, see <>, <>, <>, and <> for additional options to add to the config file. +For a complete list of `eksctl` config file settings, see https://eksctl.io/usage/schema/[Config file schema] in the `eksctl` documentation. Your instances can optionally assign a significantly higher number of IP addresses to Pods, assign IP addresses to Pods from a different CIDR block than the instance's, use the `containerd` runtime, and be deployed to a cluster without outbound internet access. For more information, see <>, <>, <>, and <> for additional options to add to the config file. + -If you didn't specify an AMI ID in your launch template, managed node groups calculates and applies a single value for the maximum number of [.noloc]`Pods` that can run on each node of your node group, based on instance type. If you create a node group with different instance types, the smallest value calculated across all instance types is applied as the maximum number of [.noloc]`Pods` that can run on every instance type in the node group. Managed node groups calculates the value using the script referenced in <>. +If you didn't specify an AMI ID in your launch template, managed node groups calculates and applies a single value for the maximum number of Pods that can run on each node of your node group, based on instance type. If you create a node group with different instance types, the smallest value calculated across all instance types is applied as the maximum number of Pods that can run on every instance type in the node group. Managed node groups calculates the value using the script referenced in <>. + -If you specified an AMI ID in your launch template, specify the maximum number of [.noloc]`Pods` that can run on each node of your node group if you're using <> or want to <>. For more information, see <>. +If you specified an AMI ID in your launch template, specify the maximum number of Pods that can run on each node of your node group if you're using <> or want to <>. For more information, see <>. .. Deploy the nodegroup with the following command. + @@ -167,13 +167,13 @@ eksctl create nodegroup --config-file eks-nodegroup.yaml **** We recommend using a role that's not currently in use by any self-managed node group. Otherwise, you plan to use with a new self-managed node group. For more information, see <>. ==== -*** *Use launch template* – (Optional) Choose if you want to use an existing launch template. Select a *Launch Template Name*. Then, select a *Launch template version*. If you don't select a version, then Amazon EKS uses the template's default version. Launch templates allow for more customization of your node group, such as allowing you to deploy a custom AMI, assign a significantly higher number of IP addresses to [.noloc]`Pods`, assign IP addresses to [.noloc]`Pods` from a different CIDR block than the instance's, enable the `containerd` runtime for your instances, and deploying nodes to a cluster without outbound internet access. For more information, see <>, <>, <>, and <>. +*** *Use launch template* – (Optional) Choose if you want to use an existing launch template. Select a *Launch Template Name*. Then, select a *Launch template version*. If you don't select a version, then Amazon EKS uses the template's default version. Launch templates allow for more customization of your node group, such as allowing you to deploy a custom AMI, assign a significantly higher number of IP addresses to Pods, assign IP addresses to Pods from a different CIDR block than the instance's, enable the `containerd` runtime for your instances, and deploying nodes to a cluster without outbound internet access. For more information, see <>, <>, <>, and <>. + The launch template must meet the requirements in <>. If you don't use your own launch template, the Amazon EKS API creates a default Amazon EC2 launch template in your account and deploys the node group using the default launch template. + -If you implement <>, assign necessary permissions directly to every [.noloc]`Pod` that requires access to {aws} services, and no [.noloc]`Pods` in your cluster require access to IMDS for other reasons, such as retrieving the current {aws} Region, then you can also disable access to IMDS for [.noloc]`Pods` that don't use host networking in a launch template. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. -*** *[.noloc]`Kubernetes` labels* – (Optional) You can choose to apply [.noloc]`Kubernetes` labels to the nodes in your managed node group. -*** *[.noloc]`Kubernetes` taints* – (Optional) You can choose to apply [.noloc]`Kubernetes` taints to the nodes in your managed node group. The available options in the *Effect* menu are `*NoSchedule*`, `*NoExecute*`, and `*PreferNoSchedule*`. For more information, see <>. +If you implement <>, assign necessary permissions directly to every Pod that requires access to {aws} services, and no Pods in your cluster require access to IMDS for other reasons, such as retrieving the current {aws} Region, then you can also disable access to IMDS for Pods that don't use host networking in a launch template. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. +*** *Kubernetes labels* – (Optional) You can choose to apply Kubernetes labels to the nodes in your managed node group. +*** *Kubernetes taints* – (Optional) You can choose to apply Kubernetes taints to the nodes in your managed node group. The available options in the *Effect* menu are `*NoSchedule*`, `*NoExecute*`, and `*PreferNoSchedule*`. For more information, see <>. *** *Tags* – (Optional) You can choose to tag your Amazon EKS managed node group. These tags don't propagate to other resources in the node group, such as Auto Scaling groups or instances. For more information, see <>. . On the *Set compute and scaling configuration* page, fill out the parameters accordingly, and then choose *Next*. + @@ -189,7 +189,7 @@ The console displays a set of commonly used instance types. If you need to creat If you specified a launch template on the previous page, then you can't select a value because it must be specified in the launch template. *** *Desired size* – Specify the current number of nodes that the managed node group should maintain at launch. + -NOTE: Amazon EKS doesn't automatically scale your node group in or out. However, you can configure the [.noloc]`Kubernetes` Cluster Autoscaler to do this for you. For more information, see https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaler on {aws}]. +NOTE: Amazon EKS doesn't automatically scale your node group in or out. However, you can configure the Kubernetes Cluster Autoscaler to do this for you. For more information, see https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaler on {aws}]. *** *Minimum size* – Specify the minimum number of nodes that the managed node group can scale in to. *** *Maximum size* – Specify the maximum number of nodes that the managed node group can scale out to. *** *Node group update configuration* – (Optional) You can select the number or percentage of nodes to be updated in parallel. These nodes will be unavailable during the update. For *Maximum unavailable*, select one of the following options and specify a *Value*: @@ -203,7 +203,7 @@ NOTE: Amazon EKS doesn't automatically scale your node group in or out. However, + [IMPORTANT] ==== -If you are running a stateful application across multiple Availability Zones that is backed by Amazon EBS volumes and using the [.noloc]`Kubernetes` https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaler], you should configure multiple node groups, each scoped to a single Availability Zone. In addition, you should enable the `--balance-similar-node-groups` feature. +If you are running a stateful application across multiple Availability Zones that is backed by Amazon EBS volumes and using the Kubernetes https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaler], you should configure multiple node groups, each scoped to a single Availability Zone. In addition, you should enable the `--balance-similar-node-groups` feature. ==== + [IMPORTANT] @@ -216,8 +216,8 @@ If you are running a stateful application across multiple Availability Zones tha + If you chose to use a launch template, then this option isn't shown. To enable remote access to your nodes, specify a key pair in the launch template and ensure that the proper port is open to the nodes in the security groups that you specify in the launch template. For more information, see <>. + -NOTE: For [.noloc]`Windows`, this command doesn't enable SSH. Instead, it associates your Amazon EC2 key pair with the instance and allows you to RDP into the instance. -*** For *SSH key pair* (Optional), choose an Amazon EC2 SSH key to use. For [.noloc]`Linux` information, see link:AWSEC2/latest/UserGuide/ec2-key-pairs.html[Amazon EC2 key pairs and Linux instances,type="documentation"] in the _Amazon EC2 User Guide_. For [.noloc]`Windows` information, see link:AWSEC2/latest/WindowsGuide/ec2-key-pairs.html[Amazon EC2 key pairs and Windows instances,type="documentation"] in the _Amazon EC2 User Guide_. If you chose to use a launch template, then you can't select one. When an Amazon EC2 SSH key is provided for node groups using [.noloc]`Bottlerocket` AMIs, the administrative container is also enabled. For more information, see https://github.com/bottlerocket-os/bottlerocket#admin-container[Admin container] on [.noloc]`GitHub`. +NOTE: For Windows, this command doesn't enable SSH. Instead, it associates your Amazon EC2 key pair with the instance and allows you to RDP into the instance. +*** For *SSH key pair* (Optional), choose an Amazon EC2 SSH key to use. For Linux information, see link:AWSEC2/latest/UserGuide/ec2-key-pairs.html[Amazon EC2 key pairs and Linux instances,type="documentation"] in the _Amazon EC2 User Guide_. For Windows information, see link:AWSEC2/latest/WindowsGuide/ec2-key-pairs.html[Amazon EC2 key pairs and Windows instances,type="documentation"] in the _Amazon EC2 User Guide_. If you chose to use a launch template, then you can't select one. When an Amazon EC2 SSH key is provided for node groups using Bottlerocket AMIs, the administrative container is also enabled. For more information, see https://github.com/bottlerocket-os/bottlerocket#admin-container[Admin container] on GitHub. *** For *Allow SSH remote access from*, if you want to limit access to specific instances, then select the security groups that are associated to those instances. If you don't select specific security groups, then SSH access is allowed from anywhere on the internet (`0.0.0.0/0`). . On the *Review and create* page, review your managed node group configuration and choose *Create*. + @@ -228,7 +228,7 @@ If nodes fail to join the cluster, then see <> in the Troubles ---- kubectl get nodes --watch ---- -. (GPU nodes only) If you chose a GPU instance type and an Amazon EKS optimized accelerated AMI, then you must apply the https://github.com/NVIDIA/k8s-device-plugin[NVIDIA device plugin for Kubernetes] as a [.noloc]`DaemonSet` on your cluster. Replace [.replaceable]`vX.X.X` with your desired https://github.com/NVIDIA/k8s-device-plugin/releases[NVIDIA/k8s-device-plugin] version before running the following command. +. (GPU nodes only) If you chose a GPU instance type and an Amazon EKS optimized accelerated AMI, then you must apply the https://github.com/NVIDIA/k8s-device-plugin[NVIDIA device plugin for Kubernetes] as a DaemonSet on your cluster. Replace [.replaceable]`vX.X.X` with your desired https://github.com/NVIDIA/k8s-device-plugin/releases[NVIDIA/k8s-device-plugin] version before running the following command. + [source,bash,subs="verbatim,attributes"] ---- @@ -236,16 +236,16 @@ kubectl apply -f https://raw.githubusercontent.com/NVIDIA/k8s-device-plugin/vX.X ---- == Install Kubernetes add-ons -Now that you have a working Amazon EKS cluster with nodes, you're ready to start installing [.noloc]`Kubernetes` add-ons and deploying applications to your cluster. The following documentation topics help you to extend the functionality of your cluster. +Now that you have a working Amazon EKS cluster with nodes, you're ready to start installing Kubernetes add-ons and deploying applications to your cluster. The following documentation topics help you to extend the functionality of your cluster. -* The link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that created the cluster is the only principal that can make calls to the [.noloc]`Kubernetes` API server with `kubectl` or the {aws-management-console}. If you want other IAM principals to have access to your cluster, then you need to add them. For more information, see <> and <>. -* We recommend blocking [.noloc]`Pod` access to IMDS if the following conditions are true: +* The link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that created the cluster is the only principal that can make calls to the Kubernetes API server with `kubectl` or the {aws-management-console}. If you want other IAM principals to have access to your cluster, then you need to add them. For more information, see <> and <>. +* We recommend blocking Pod access to IMDS if the following conditions are true: + -** You plan to assign IAM roles to all of your [.noloc]`Kubernetes` service accounts so that [.noloc]`Pods` only have the minimum permissions that they need. -** No [.noloc]`Pods` in the cluster require access to the Amazon EC2 instance metadata service (IMDS) for other reasons, such as retrieving the current {aws} Region. +** You plan to assign IAM roles to all of your Kubernetes service accounts so that Pods only have the minimum permissions that they need. +** No Pods in the cluster require access to the Amazon EC2 instance metadata service (IMDS) for other reasons, such as retrieving the current {aws} Region. + For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. -* Configure the [.noloc]`Kubernetes` https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaler] to automatically adjust the number of nodes in your node groups. +* Configure the Kubernetes https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaler] to automatically adjust the number of nodes in your node groups. * Deploy a <> to your cluster. * <> with important tools for managing your cluster. \ No newline at end of file diff --git a/latest/ug/nodes/delete-fargate-profile.adoc b/latest/ug/nodes/delete-fargate-profile.adoc index 70c98b21f..8d9edbc2a 100644 --- a/latest/ug/nodes/delete-fargate-profile.adoc +++ b/latest/ug/nodes/delete-fargate-profile.adoc @@ -7,10 +7,10 @@ include::../attributes.txt[] [abstract] -- -When you delete a Fargate profile, any [.noloc]`Pods` that were scheduled onto Fargate with the profile are deleted. +When you delete a Fargate profile, any Pods that were scheduled onto Fargate with the profile are deleted. -- -This topic describes how to delete a Fargate profile. When you delete a Fargate profile, any [.noloc]`Pods` that were scheduled onto Fargate with the profile are deleted. If those [.noloc]`Pods` match another Fargate profile, then they're scheduled on Fargate with that profile. If they no longer match any Fargate profiles, then they aren't scheduled onto Fargate and might remain as pending. +This topic describes how to delete a Fargate profile. When you delete a Fargate profile, any Pods that were scheduled onto Fargate with the profile are deleted. If those Pods match another Fargate profile, then they're scheduled on Fargate with that profile. If they no longer match any Fargate profiles, then they aren't scheduled onto Fargate and might remain as pending. Only one Fargate profile in a cluster can be in the `DELETING` status at a time. Wait for a Fargate profile to finish deleting before you can delete any other profiles in that cluster. diff --git a/latest/ug/nodes/delete-managed-node-group.adoc b/latest/ug/nodes/delete-managed-node-group.adoc index c3ef9f8f4..6043c4748 100644 --- a/latest/ug/nodes/delete-managed-node-group.adoc +++ b/latest/ug/nodes/delete-managed-node-group.adoc @@ -12,7 +12,7 @@ This topic describes how you can delete an Amazon EKS managed node group. This topic describes how you can delete an Amazon EKS managed node group. When you delete a managed node group, Amazon EKS first sets the minimum, maximum, and desired size of your Auto Scaling group to zero. This then causes your node group to scale down. -Before each instance is terminated, Amazon EKS sends a signal to drain the [.noloc]`Pods` from that node. If the [.noloc]`Pods` haven't drained after a few minutes, Amazon EKS lets Auto Scaling continue the termination of the instance. After every instance is terminated, the Auto Scaling group is deleted. +Before each instance is terminated, Amazon EKS sends a signal to drain the Pods from that node. If the Pods haven't drained after a few minutes, Amazon EKS lets Auto Scaling continue the termination of the instance. After every instance is terminated, the Auto Scaling group is deleted. [IMPORTANT] ==== diff --git a/latest/ug/nodes/dockershim-deprecation.adoc b/latest/ug/nodes/dockershim-deprecation.adoc index 1fc9acae1..c8b3bea7d 100644 --- a/latest/ug/nodes/dockershim-deprecation.adoc +++ b/latest/ug/nodes/dockershim-deprecation.adoc @@ -7,31 +7,31 @@ include::../attributes.txt[] [abstract] -- -Starting with [.noloc]`Kubernetes` version `1.24`, Amazon EKS AMIs that are officially published only include the `containerd` runtime. +Starting with Kubernetes version `1.24`, Amazon EKS AMIs that are officially published only include the `containerd` runtime. -- -[.noloc]`Kubernetes` no longer supports `dockershim`. The [.noloc]`Kubernetes` team removed the runtime in [.noloc]`Kubernetes` version `1.24`. For more information, see https://kubernetes.io/blog/2022/01/07/kubernetes-is-moving-on-from-dockershim/[Kubernetes is Moving on From Dockershim: Commitments and Next Steps] on the [.noloc]`Kubernetes` Blog. +Kubernetes no longer supports `dockershim`. The Kubernetes team removed the runtime in Kubernetes version `1.24`. For more information, see https://kubernetes.io/blog/2022/01/07/kubernetes-is-moving-on-from-dockershim/[Kubernetes is Moving on From Dockershim: Commitments and Next Steps] on the Kubernetes Blog. -Amazon EKS also ended support for `dockershim` starting with the [.noloc]`Kubernetes` version `1.24` release. Amazon EKS AMIs that are officially published have `containerd` as the only runtime starting with version `1.24`. This topic covers some details, but more information is available in link:containers/all-you-need-to-know-about-moving-to-containerd-on-amazon-eks[All you need to know about moving to containerd on Amazon EKS,type="blog"]. +Amazon EKS also ended support for `dockershim` starting with the Kubernetes version `1.24` release. Amazon EKS AMIs that are officially published have `containerd` as the only runtime starting with version `1.24`. This topic covers some details, but more information is available in link:containers/all-you-need-to-know-about-moving-to-containerd-on-amazon-eks[All you need to know about moving to containerd on Amazon EKS,type="blog"]. -There's a `kubectl` plugin that you can use to see which of your [.noloc]`Kubernetes` workloads mount the [.noloc]`Docker` socket volume. For more information, see https://github.com/aws-containers/kubectl-detector-for-docker-socket[Detector for Docker Socket (DDS)] on [.noloc]`GitHub`. Amazon EKS AMIs that run [.noloc]`Kubernetes` versions that are earlier than `1.24` use [.noloc]`Docker` as the default runtime. However, these Amazon EKS AMIs have a bootstrap flag option that you can use to test out your workloads on any supported cluster using `containerd`. For more information, see <>. +There's a `kubectl` plugin that you can use to see which of your Kubernetes workloads mount the Docker socket volume. For more information, see https://github.com/aws-containers/kubectl-detector-for-docker-socket[Detector for Docker Socket (DDS)] on GitHub. Amazon EKS AMIs that run Kubernetes versions that are earlier than `1.24` use Docker as the default runtime. However, these Amazon EKS AMIs have a bootstrap flag option that you can use to test out your workloads on any supported cluster using `containerd`. For more information, see <>. -We will continue to publish AMIs for existing [.noloc]`Kubernetes` versions until the end of their support date. For more information, see <>. If you require more time to test your workloads on `containerd`, use a supported version before `1.24`. But, when you want to upgrade official Amazon EKS AMIs to version `1.24` or later, make sure to validate that your workloads run on `containerd`. +We will continue to publish AMIs for existing Kubernetes versions until the end of their support date. For more information, see <>. If you require more time to test your workloads on `containerd`, use a supported version before `1.24`. But, when you want to upgrade official Amazon EKS AMIs to version `1.24` or later, make sure to validate that your workloads run on `containerd`. -The `containerd` runtime provides more reliable performance and security. `containerd` is the runtime that's being standardized on across Amazon EKS. Fargate and [.noloc]`Bottlerocket` already use `containerd` only. `containerd` helps to minimize the number of Amazon EKS AMI releases that are required to address `dockershim` https://cve.mitre.org/[Common Vulnerabilities and Exposures] (CVEs). Because `dockershim` already uses `containerd` internally, you might not need to make any changes. However, there are some situations where changes might or must be required: +The `containerd` runtime provides more reliable performance and security. `containerd` is the runtime that's being standardized on across Amazon EKS. Fargate and Bottlerocket already use `containerd` only. `containerd` helps to minimize the number of Amazon EKS AMI releases that are required to address `dockershim` https://cve.mitre.org/[Common Vulnerabilities and Exposures] (CVEs). Because `dockershim` already uses `containerd` internally, you might not need to make any changes. However, there are some situations where changes might or must be required: -* You must make changes to applications that mount the [.noloc]`Docker` socket. For example, container images that are built with a container are impacted. Many monitoring tools also mount the [.noloc]`Docker` socket. You might need to wait for updates or re-deploy workloads for runtime monitoring. -* You might need to make changes for applications that are reliant on specific [.noloc]`Docker` settings. For example, the `HTTPS_PROXY` protocol is no longer supported. You must update applications that use this protocol. For more information, see https://docs.docker.com/engine/reference/commandline/dockerd/[dockerd] in the [.noloc]`Docker` Documentation. -* If you use the Amazon ECR credential helper to pull images, you must switch to the `kubelet` image credential provider. For more information, see https://kubernetes.io/docs/tasks/kubelet-credential-provider/kubelet-credential-provider/[Configure a kubelet image credential provider] in the [.noloc]`Kubernetes` documentation. -* Because Amazon EKS `1.24` no longer supports [.noloc]`Docker`, some flags that the https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[Amazon EKS bootstrap script] previously supported are no longer supported. Before moving to Amazon EKS `1.24` or later, you must remove any reference to flags that are now unsupported: +* You must make changes to applications that mount the Docker socket. For example, container images that are built with a container are impacted. Many monitoring tools also mount the Docker socket. You might need to wait for updates or re-deploy workloads for runtime monitoring. +* You might need to make changes for applications that are reliant on specific Docker settings. For example, the `HTTPS_PROXY` protocol is no longer supported. You must update applications that use this protocol. For more information, see https://docs.docker.com/engine/reference/commandline/dockerd/[dockerd] in the Docker Documentation. +* If you use the Amazon ECR credential helper to pull images, you must switch to the `kubelet` image credential provider. For more information, see https://kubernetes.io/docs/tasks/kubelet-credential-provider/kubelet-credential-provider/[Configure a kubelet image credential provider] in the Kubernetes documentation. +* Because Amazon EKS `1.24` no longer supports Docker, some flags that the https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[Amazon EKS bootstrap script] previously supported are no longer supported. Before moving to Amazon EKS `1.24` or later, you must remove any reference to flags that are now unsupported: + ** `--container-runtime dockerd` (``containerd`` is the only supported value) ** `--enable-docker-bridge` ** `--docker-config-json` -* If you already have [.noloc]`Fluentd` configured for [.noloc]`Container Insights`, then you must migrate [.noloc]`Fluentd` to [.noloc]`Fluent Bit` before changing to `containerd`. The [.noloc]`Fluentd` parsers are configured to only parse log messages in JSON format. Unlike `dockerd`, the `containerd` container runtime has log messages that aren't in JSON format. If you don't migrate to [.noloc]`Fluent Bit`, some of the configured [.noloc]`Fluentd's` parsers will generate a massive amount of errors inside the [.noloc]`Fluentd` container. For more information on migrating, see link:AmazonCloudWatch/latest/monitoring/Container-Insights-setup-logs-FluentBit.html[Set up Fluent Bit as a DaemonSet to send logs to CloudWatch Logs,type="documentation"]. -* If you use a custom AMI and you are upgrading to Amazon EKS `1.24`, then you must make sure that IP forwarding is enabled for your worker nodes. This setting wasn't needed with [.noloc]`Docker` but is required for `containerd`. It is needed to troubleshoot [.noloc]`Pod`-to-[.noloc]`Pod`, [.noloc]`Pod`-to-external, or [.noloc]`Pod`-to-[.noloc]`apiserver` network connectivity. +* If you already have Fluentd configured for Container Insights, then you must migrate Fluentd to Fluent Bit before changing to `containerd`. The Fluentd parsers are configured to only parse log messages in JSON format. Unlike `dockerd`, the `containerd` container runtime has log messages that aren't in JSON format. If you don't migrate to Fluent Bit, some of the configured Fluentd's parsers will generate a massive amount of errors inside the Fluentd container. For more information on migrating, see link:AmazonCloudWatch/latest/monitoring/Container-Insights-setup-logs-FluentBit.html[Set up Fluent Bit as a DaemonSet to send logs to CloudWatch Logs,type="documentation"]. +* If you use a custom AMI and you are upgrading to Amazon EKS `1.24`, then you must make sure that IP forwarding is enabled for your worker nodes. This setting wasn't needed with Docker but is required for `containerd`. It is needed to troubleshoot Pod-to-Pod, Pod-to-external, or Pod-to-apiserver network connectivity. + To verify this setting on a worker node, run either of the following commands: @@ -44,12 +44,12 @@ If the output is `0`, then run either of the following commands to activate the ** `sysctl -w net.ipv4.ip_forward=1` ** `echo 1 > /proc/sys/net/ipv4/ip_forward` -For the setting's activation on Amazon EKS AMIs for Amazon Linux 2 in the `containerd` runtime, see `https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/provisioners/install-worker.sh[install-worker.sh]` on [.noloc]`GitHub`. +For the setting's activation on Amazon EKS AMIs for Amazon Linux 2 in the `containerd` runtime, see `https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/provisioners/install-worker.sh[install-worker.sh]` on GitHub. [#containerd-bootstrap] -== Test Amazon Linux 2 migration from [.noloc]`Docker` to `containerd` +== Test Amazon Linux 2 migration from Docker to `containerd` -For [.noloc]`Kubernetes` version `1.23`, you can use an optional bootstrap flag to enable the `containerd` runtime for Amazon EKS optimized AL2 AMIs. This feature gives you a clear path to migrate to `containerd` when updating to version `1.24` or later. Amazon EKS ended support for [.noloc]`Docker` starting with the [.noloc]`Kubernetes` version `1.24` launch. The `containerd` runtime is widely adopted in the [.noloc]`Kubernetes` community and is a graduated project with the CNCF. You can test it by adding a node group to a new or existing cluster. +For Kubernetes version `1.23`, you can use an optional bootstrap flag to enable the `containerd` runtime for Amazon EKS optimized AL2 AMIs. This feature gives you a clear path to migrate to `containerd` when updating to version `1.24` or later. Amazon EKS ended support for Docker starting with the Kubernetes version `1.24` launch. The `containerd` runtime is widely adopted in the Kubernetes community and is a graduated project with the CNCF. You can test it by adding a node group to a new or existing cluster. You can enable the boostrap flag by creating one of the following types of node groups. @@ -92,7 +92,7 @@ Run the following command to create the node group. eksctl create nodegroup -f my-nodegroup.yaml ---- + -If you prefer to use a different tool to create your managed node group, you must deploy the node group using a launch template. In your launch template, specify an <>, then <> and provide the following user data. This user data passes arguments into the `bootstrap.sh` file. For more information about the bootstrap file, see https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap.sh] on [.noloc]`GitHub`. +If you prefer to use a different tool to create your managed node group, you must deploy the node group using a launch template. In your launch template, specify an <>, then <> and provide the following user data. This user data passes arguments into the `bootstrap.sh` file. For more information about the bootstrap file, see https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap.sh] on GitHub. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/nodes/eks-ami-build-scripts.adoc b/latest/ug/nodes/eks-ami-build-scripts.adoc index 44006dcf8..3eec924b5 100644 --- a/latest/ug/nodes/eks-ami-build-scripts.adoc +++ b/latest/ug/nodes/eks-ami-build-scripts.adoc @@ -12,14 +12,14 @@ Amazon Elastic Kubernetes Service (Amazon EKS) has open-source scripts that are Amazon Elastic Kubernetes Service (Amazon EKS) has open-source scripts that are used to build the Amazon EKS optimized AMI. These build scripts are available https://github.com/awslabs/amazon-eks-ami[on GitHub]. -The Amazon EKS optimized Amazon Linux AMIs are built on top of Amazon Linux 2 (AL2) and Amazon Linux 2023 (AL2023), specifically for use as a node in Amazon EKS clusters. You can use this repository to view the specifics of how the Amazon EKS team configures `kubelet`, the runtime, the {aws} IAM Authenticator for [.noloc]`Kubernetes`, and build your own Amazon Linux based AMI from scratch. +The Amazon EKS optimized Amazon Linux AMIs are built on top of Amazon Linux 2 (AL2) and Amazon Linux 2023 (AL2023), specifically for use as a node in Amazon EKS clusters. You can use this repository to view the specifics of how the Amazon EKS team configures `kubelet`, the runtime, the {aws} IAM Authenticator for Kubernetes, and build your own Amazon Linux based AMI from scratch. -The build scripts repository includes a https://www.packer.io/[HashiCorp packer] template and build scripts to generate an AMI. These scripts are the source of truth for Amazon EKS optimized AMI builds, so you can follow the [.noloc]`GitHub` repository to monitor changes to our AMIs. For example, perhaps you want your own AMI to use the same version of [.noloc]`Docker` that the Amazon EKS team uses for the official AMI. +The build scripts repository includes a https://www.packer.io/[HashiCorp packer] template and build scripts to generate an AMI. These scripts are the source of truth for Amazon EKS optimized AMI builds, so you can follow the GitHub repository to monitor changes to our AMIs. For example, perhaps you want your own AMI to use the same version of Docker that the Amazon EKS team uses for the official AMI. -The [.noloc]`GitHub` repository also contains the specialized https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap script] and https://awslabs.github.io/amazon-eks-ami/nodeadm/[nodeadm script] that runs at boot time to configure your instance's certificate data, control plane endpoint, cluster name, and more. +The GitHub repository also contains the specialized https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap script] and https://awslabs.github.io/amazon-eks-ami/nodeadm/[nodeadm script] that runs at boot time to configure your instance's certificate data, control plane endpoint, cluster name, and more. -Additionally, the [.noloc]`GitHub` repository contains our Amazon EKS node {aws} CloudFormation templates. These templates make it easier to spin up an instance running an Amazon EKS optimized AMI and register it with a cluster. +Additionally, the GitHub repository contains our Amazon EKS node {aws} CloudFormation templates. These templates make it easier to spin up an instance running an Amazon EKS optimized AMI and register it with a cluster. -For more information, see the repositories on [.noloc]`GitHub` at https://github.com/awslabs/amazon-eks-ami. +For more information, see the repositories on GitHub at https://github.com/awslabs/amazon-eks-ami. Amazon EKS optimized AL2 contains an optional bootstrap flag to enable the `containerd` runtime. \ No newline at end of file diff --git a/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc b/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc index beaea4cba..049f957e8 100644 --- a/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc +++ b/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc @@ -1,15 +1,15 @@ [.topic] [#eks-ami-versions-bottlerocket] -= Retrieve [.noloc]`Bottlerocket` AMI version information += Retrieve Bottlerocket AMI version information :info_titleabbrev: Get version information include::../attributes.txt[] [abstract] -- -This topic gives resources for Amazon EKS optimized [.noloc]`Bottlerocket` AMIs version information. +This topic gives resources for Amazon EKS optimized Bottlerocket AMIs version information. -- -Each [.noloc]`Bottlerocket` AMI release includes various versions of https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/[kubelet], the [.noloc]`Bottlerocket` kernel, and https://containerd.io/[containerd]. Accelerated AMI variants also include various versions of the [.noloc]`NVIDIA` driver. You can find this version information in the https://bottlerocket.dev/en/os/[OS] topic of the _Bottlerocket Documentation_. From this page, navigate to the applicable _Version Information_ sub-topic. +Each Bottlerocket AMI release includes various versions of https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/[kubelet], the Bottlerocket kernel, and https://containerd.io/[containerd]. Accelerated AMI variants also include various versions of the NVIDIA driver. You can find this version information in the https://bottlerocket.dev/en/os/[OS] topic of the _Bottlerocket Documentation_. From this page, navigate to the applicable _Version Information_ sub-topic. -The _Bottlerocket Documentation_ can sometimes lag behind the versions that are available on GitHub. You can find a list of changes for the latest versions in the https://github.com/bottlerocket-os/bottlerocket/releases[releases] on [.noloc]`GitHub`. \ No newline at end of file +The _Bottlerocket Documentation_ can sometimes lag behind the versions that are available on GitHub. You can find a list of changes for the latest versions in the https://github.com/bottlerocket-os/bottlerocket/releases[releases] on GitHub. \ No newline at end of file diff --git a/latest/ug/nodes/eks-ami-versions-windows.adoc b/latest/ug/nodes/eks-ami-versions-windows.adoc index bc333e3e2..7a69187d1 100644 --- a/latest/ug/nodes/eks-ami-versions-windows.adoc +++ b/latest/ug/nodes/eks-ami-versions-windows.adoc @@ -1,27 +1,27 @@ [.topic] [#eks-ami-versions-windows] -= Retrieve [.noloc]`Windows` AMI version information += Retrieve Windows AMI version information :info_titleabbrev: Get version information include::../attributes.txt[] [abstract] -- -This topic lists versions of the Amazon EKS optimized [.noloc]`Windows` AMIs and their corresponding versions of `kubelet`, `containerd`, and `csi-proxy`. +This topic lists versions of the Amazon EKS optimized Windows AMIs and their corresponding versions of `kubelet`, `containerd`, and `csi-proxy`. -- [IMPORTANT] ==== -Extended Support for Amazon EKS optimized [.noloc]`Windows` AMIs that are published by {aws} isn't available for [.noloc]`Kubernetes` version `1.23` but is available for [.noloc]`Kubernetes` version `1.24` and higher. +Extended Support for Amazon EKS optimized Windows AMIs that are published by {aws} isn't available for Kubernetes version `1.23` but is available for Kubernetes version `1.24` and higher. ==== -This topic lists versions of the Amazon EKS optimized [.noloc]`Windows` AMIs and their corresponding versions of https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/[kubelet], https://containerd.io/[containerd], and https://github.com/kubernetes-csi/csi-proxy[csi-proxy]. +This topic lists versions of the Amazon EKS optimized Windows AMIs and their corresponding versions of https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/[kubelet], https://containerd.io/[containerd], and https://github.com/kubernetes-csi/csi-proxy[csi-proxy]. The Amazon EKS optimized AMI metadata, including the AMI ID, for each variant can be retrieved programmatically. For more information, see <>. -AMIs are versioned by [.noloc]`Kubernetes` version and the release date of the AMI in the following format: +AMIs are versioned by Kubernetes version and the release date of the AMI in the following format: [source,none,subs="verbatim,attributes"] ---- @@ -31,18 +31,18 @@ k8s_major_version.k8s_minor_version-release_date [NOTE] ==== -Amazon EKS managed node groups support the November 2022 and later releases of the [.noloc]`Windows` AMIs. +Amazon EKS managed node groups support the November 2022 and later releases of the Windows AMIs. ==== [#eks-ami-versions-windows-2022-core] -== Amazon EKS optimized [.noloc]`Windows` Server 2022 Core AMI +== Amazon EKS optimized Windows Server 2022 Core AMI -The following tables list the current and previous versions of the Amazon EKS optimized [.noloc]`Windows` Server 2022 Core AMI. +The following tables list the current and previous versions of the Amazon EKS optimized Windows Server 2022 Core AMI. ==== [role="tablist"] -*[.noloc]`Kubernetes` version [.noloc]`1.32`*:: +*Kubernetes version 1.32*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -59,7 +59,7 @@ The following tables list the current and previous versions of the Amazon EKS op | |=== -*[.noloc]`Kubernetes` version [.noloc]`1.31`*:: +*Kubernetes version 1.31*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -112,7 +112,7 @@ The following tables list the current and previous versions of the Amazon EKS op | |=== -*[.noloc]`Kubernetes` version [.noloc]`1.30`*:: +*Kubernetes version 1.30*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -183,7 +183,7 @@ The following tables list the current and previous versions of the Amazon EKS op | |=== -*[.noloc]`Kubernetes` version [.noloc]`1.29`*:: +*Kubernetes version 1.29*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -281,10 +281,10 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.29.0` |`1.6.18` |`1.1.2` -|Excluded Standalone [.noloc]`Windows` Update https://support.microsoft.com/en-au/topic/kb5034439-windows-recovery-environment-update-for-azure-stack-hci-version-22h2-and-windows-server-2022-january-9-2024-6f9d26e6-784c-4503-a3c6-0beedda443ca[KB5034439] on [.noloc]`Windows` Server 2022 Core AMIs. The KB applies only to [.noloc]`Windows` installations with a separate [.noloc]`WinRE` partition, which aren't included with any of our Amazon EKS Optimized [.noloc]`Windows` AMIs. +|Excluded Standalone Windows Update https://support.microsoft.com/en-au/topic/kb5034439-windows-recovery-environment-update-for-azure-stack-hci-version-22h2-and-windows-server-2022-january-9-2024-6f9d26e6-784c-4503-a3c6-0beedda443ca[KB5034439] on Windows Server 2022 Core AMIs. The KB applies only to Windows installations with a separate WinRE partition, which aren't included with any of our Amazon EKS Optimized Windows AMIs. |=== -*[.noloc]`Kubernetes` version [.noloc]`1.28`*:: +*Kubernetes version 1.28*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -376,7 +376,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.28.5` |`1.6.18` |`1.1.2` -|Excluded Standalone [.noloc]`Windows` Update https://support.microsoft.com/en-au/topic/kb5034439-windows-recovery-environment-update-for-azure-stack-hci-version-22h2-and-windows-server-2022-january-9-2024-6f9d26e6-784c-4503-a3c6-0beedda443ca[KB5034439] on [.noloc]`Windows` Server 2022 Core AMIs. The KB applies only to [.noloc]`Windows` installations with a separate [.noloc]`WinRE` partition, which aren't included with any of our Amazon EKS Optimized [.noloc]`Windows` AMIs. +|Excluded Standalone Windows Update https://support.microsoft.com/en-au/topic/kb5034439-windows-recovery-environment-update-for-azure-stack-hci-version-22h2-and-windows-server-2022-january-9-2024-6f9d26e6-784c-4503-a3c6-0beedda443ca[KB5034439] on Windows Server 2022 Core AMIs. The KB applies only to Windows installations with a separate WinRE partition, which aren't included with any of our Amazon EKS Optimized Windows AMIs. |`1.28-2023.12.12` |`1.28.3` @@ -409,7 +409,7 @@ The following tables list the current and previous versions of the Amazon EKS op | |=== -*[.noloc]`Kubernetes` version [.noloc]`1.27`*:: +*Kubernetes version 1.27*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -501,7 +501,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.27.9` |`1.6.18` |`1.1.2` -|Excluded Standalone [.noloc]`Windows` Update https://support.microsoft.com/en-au/topic/kb5034439-windows-recovery-environment-update-for-azure-stack-hci-version-22h2-and-windows-server-2022-january-9-2024-6f9d26e6-784c-4503-a3c6-0beedda443ca[KB5034439] on [.noloc]`Windows` Server 2022 Core AMIs. The KB applies only to [.noloc]`Windows` installations with a separate [.noloc]`WinRE` partition, which aren't included with any of our Amazon EKS Optimized [.noloc]`Windows` AMIs. +|Excluded Standalone Windows Update https://support.microsoft.com/en-au/topic/kb5034439-windows-recovery-environment-update-for-azure-stack-hci-version-22h2-and-windows-server-2022-january-9-2024-6f9d26e6-784c-4503-a3c6-0beedda443ca[KB5034439] on Windows Server 2022 Core AMIs. The KB applies only to Windows installations with a separate WinRE partition, which aren't included with any of our Amazon EKS Optimized Windows AMIs. |`1.27-2023.12.12` |`1.27.7` @@ -531,7 +531,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.27.4` |`1.6.6` |`1.1.2` -|Upgraded the Amazon VPC CNI plugin to use the [.noloc]`Kubernetes` connector binary, which gets the [.noloc]`Pod` IP address from the [.noloc]`Kubernetes` API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. +|Upgraded the Amazon VPC CNI plugin to use the Kubernetes connector binary, which gets the Pod IP address from the Kubernetes API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. |`1.27-2023.08.17` |`1.27.4` @@ -576,7 +576,7 @@ The following tables list the current and previous versions of the Amazon EKS op | |=== -*[.noloc]`Kubernetes` version [.noloc]`1.26`*:: +*Kubernetes version 1.26*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -662,7 +662,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.26.12` |`1.6.18` |`1.1.2` -|Excluded Standalone [.noloc]`Windows` Update https://support.microsoft.com/en-au/topic/kb5034439-windows-recovery-environment-update-for-azure-stack-hci-version-22h2-and-windows-server-2022-january-9-2024-6f9d26e6-784c-4503-a3c6-0beedda443ca[KB5034439] on [.noloc]`Windows` Server 2022 Core AMIs. The KB applies only to [.noloc]`Windows` installations with a separate [.noloc]`WinRE` partition, which aren't included with any of our Amazon EKS Optimized [.noloc]`Windows` AMIs. +|Excluded Standalone Windows Update https://support.microsoft.com/en-au/topic/kb5034439-windows-recovery-environment-update-for-azure-stack-hci-version-22h2-and-windows-server-2022-january-9-2024-6f9d26e6-784c-4503-a3c6-0beedda443ca[KB5034439] on Windows Server 2022 Core AMIs. The KB applies only to Windows installations with a separate WinRE partition, which aren't included with any of our Amazon EKS Optimized Windows AMIs. |`1.26-2023.12.12` |`1.26.10` @@ -686,7 +686,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.26.7` |`1.6.6` |`1.1.2` -|Upgraded the Amazon VPC CNI plugin to use the [.noloc]`Kubernetes` connector binary, which gets the [.noloc]`Pod` IP address from the [.noloc]`Kubernetes` API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. +|Upgraded the Amazon VPC CNI plugin to use the Kubernetes connector binary, which gets the Pod IP address from the Kubernetes API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. |`1.26-2023.08.17` |`1.26.7` @@ -716,7 +716,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.26.4` |`1.6.6` |`1.1.1` -|Upgraded [.noloc]`Kubernetes` to `1.26.4`. Added support for host port mapping in CNI. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/93[pull request #93]. +|Upgraded Kubernetes to `1.26.4`. Added support for host port mapping in CNI. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/93[pull request #93]. |`1.26-2023.05.09` |`1.26.2` @@ -743,7 +743,7 @@ The following tables list the current and previous versions of the Amazon EKS op | |=== -*[.noloc]`Kubernetes` version [.noloc]`1.25`*:: +*Kubernetes version 1.25*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -829,7 +829,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.25.16` |`1.6.18` |`1.1.2` -|Excluded Standalone [.noloc]`Windows` Update https://support.microsoft.com/en-au/topic/kb5034439-windows-recovery-environment-update-for-azure-stack-hci-version-22h2-and-windows-server-2022-january-9-2024-6f9d26e6-784c-4503-a3c6-0beedda443ca[KB5034439] on [.noloc]`Windows` Server 2022 Core AMIs. The KB applies only to [.noloc]`Windows` installations with a separate [.noloc]`WinRE` partition, which aren't included with any of our Amazon EKS Optimized [.noloc]`Windows` AMIs. +|Excluded Standalone Windows Update https://support.microsoft.com/en-au/topic/kb5034439-windows-recovery-environment-update-for-azure-stack-hci-version-22h2-and-windows-server-2022-january-9-2024-6f9d26e6-784c-4503-a3c6-0beedda443ca[KB5034439] on Windows Server 2022 Core AMIs. The KB applies only to Windows installations with a separate WinRE partition, which aren't included with any of our Amazon EKS Optimized Windows AMIs. |`1.25-2023.12.12` |`1.25.15` @@ -853,7 +853,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.25.12` |`1.6.6` |`1.1.2` -|Upgraded the Amazon VPC CNI plugin to use the [.noloc]`Kubernetes` connector binary, which gets the [.noloc]`Pod` IP address from the [.noloc]`Kubernetes` API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. +|Upgraded the Amazon VPC CNI plugin to use the Kubernetes connector binary, which gets the Pod IP address from the Kubernetes API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. |`1.25-2023.08.17` |`1.25.12` @@ -883,7 +883,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.25.9` |`1.6.6` |`1.1.1` -|Upgraded [.noloc]`Kubernetes` to `1.25.9`. Added support for host port mapping in CNI. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/93[pull request #93]. +|Upgraded Kubernetes to `1.25.9`. Added support for host port mapping in CNI. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/93[pull request #93]. |`1.25-2023.05.09` |`1.25.7` @@ -901,7 +901,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.25.6` |`1.6.6` |`1.1.1` -|Installed a link:containers/domainless-windows-authentication-for-amazon-eks-windows-pods[domainless gMSA plugin,type="blog"] to facilitate [.noloc]`gMSA` authentication for [.noloc]`Windows` containers on Amazon EKS. +|Installed a link:containers/domainless-windows-authentication-for-amazon-eks-windows-pods[domainless gMSA plugin,type="blog"] to facilitate gMSA authentication for Windows containers on Amazon EKS. |`1.25-2023.03.20` |`1.25.6` @@ -916,7 +916,7 @@ The following tables list the current and previous versions of the Amazon EKS op | |=== -*[.noloc]`Kubernetes` version [.noloc]`1.24`*:: +*Kubernetes version 1.24*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -1002,7 +1002,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.24.17` |`1.6.18` |`1.1.2` -|Excluded Standalone [.noloc]`Windows` Update https://support.microsoft.com/en-au/topic/kb5034439-windows-recovery-environment-update-for-azure-stack-hci-version-22h2-and-windows-server-2022-january-9-2024-6f9d26e6-784c-4503-a3c6-0beedda443ca[KB5034439] on [.noloc]`Windows` Server 2022 Core AMIs. The KB applies only to [.noloc]`Windows` installations with a separate [.noloc]`WinRE` partition, which aren't included with any of our Amazon EKS Optimized [.noloc]`Windows` AMIs. +|Excluded Standalone Windows Update https://support.microsoft.com/en-au/topic/kb5034439-windows-recovery-environment-update-for-azure-stack-hci-version-22h2-and-windows-server-2022-january-9-2024-6f9d26e6-784c-4503-a3c6-0beedda443ca[KB5034439] on Windows Server 2022 Core AMIs. The KB applies only to Windows installations with a separate WinRE partition, which aren't included with any of our Amazon EKS Optimized Windows AMIs. |`1.24-2023.12.12` |`1.24.17` @@ -1026,7 +1026,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.24.16` |`1.6.6` |`1.1.2` -|Upgraded the Amazon VPC CNI plugin to use the [.noloc]`Kubernetes` connector binary, which gets the [.noloc]`Pod` IP address from the [.noloc]`Kubernetes` API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. +|Upgraded the Amazon VPC CNI plugin to use the Kubernetes connector binary, which gets the Pod IP address from the Kubernetes API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. |`1.24-2023.08.17` |`1.24.16` @@ -1056,7 +1056,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.24.13` |`1.6.6` |`1.1.1` -|Upgraded [.noloc]`Kubernetes` to `1.24.13`. Added support for host port mapping in CNI. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/93[pull request #93]. +|Upgraded Kubernetes to `1.24.13`. Added support for host port mapping in CNI. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/93[pull request #93]. |`1.24-2023.05.09` |`1.24.7` @@ -1074,13 +1074,13 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.24.7` |`1.6.6` |`1.1.1` -|Installed a link:containers/domainless-windows-authentication-for-amazon-eks-windows-pods[domainless gMSA plugin,type="blog"] to facilitate gMSA authentication for [.noloc]`Windows` containers on Amazon EKS. +|Installed a link:containers/domainless-windows-authentication-for-amazon-eks-windows-pods[domainless gMSA plugin,type="blog"] to facilitate gMSA authentication for Windows containers on Amazon EKS. |`1.24-2023.03.20` |`1.24.7` |`1.6.6` |`1.1.1` -|[.noloc]`Kubernetes` version downgraded to `1.24.7` because `1.24.10` has a reported issue in `kube-proxy`. +|Kubernetes version downgraded to `1.24.7` because `1.24.10` has a reported issue in `kube-proxy`. |`1.24-2023.02.14` |`1.24.10` @@ -1115,13 +1115,13 @@ The following tables list the current and previous versions of the Amazon EKS op ==== [#eks-ami-versions-windows-2022-full] -== Amazon EKS optimized [.noloc]`Windows` Server 2022 Full AMI +== Amazon EKS optimized Windows Server 2022 Full AMI -The following tables list the current and previous versions of the Amazon EKS optimized [.noloc]`Windows` Server 2022 Full AMI. +The following tables list the current and previous versions of the Amazon EKS optimized Windows Server 2022 Full AMI. ==== [role="tablist"] -*[.noloc]`Kubernetes` version [.noloc]`1.32`*:: +*Kubernetes version 1.32*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -1140,7 +1140,7 @@ The following tables list the current and previous versions of the Amazon EKS op |=== -*[.noloc]`Kubernetes` version [.noloc]`1.31`*:: +*Kubernetes version 1.31*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -1194,7 +1194,7 @@ The following tables list the current and previous versions of the Amazon EKS op |=== -*[.noloc]`Kubernetes` version [.noloc]`1.30`*:: +*Kubernetes version 1.30*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -1266,7 +1266,7 @@ The following tables list the current and previous versions of the Amazon EKS op |=== -*[.noloc]`Kubernetes` version [.noloc]`1.29`*:: +*Kubernetes version 1.29*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -1368,7 +1368,7 @@ The following tables list the current and previous versions of the Amazon EKS op |=== -*[.noloc]`Kubernetes` version [.noloc]`1.28`*:: +*Kubernetes version 1.28*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -1494,7 +1494,7 @@ The following tables list the current and previous versions of the Amazon EKS op |=== -*[.noloc]`Kubernetes` version [.noloc]`1.27`*:: +*Kubernetes version 1.27*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -1616,7 +1616,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.27.4` |`1.6.6` |`1.1.2` -|Upgraded the Amazon VPC CNI plugin to use the [.noloc]`Kubernetes` connector binary, which gets the [.noloc]`Pod` IP address from the [.noloc]`Kubernetes` API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. +|Upgraded the Amazon VPC CNI plugin to use the Kubernetes connector binary, which gets the Pod IP address from the Kubernetes API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. |`1.27-2023.08.17` |`1.27.4` @@ -1662,7 +1662,7 @@ The following tables list the current and previous versions of the Amazon EKS op |=== -*[.noloc]`Kubernetes` version [.noloc]`1.26`*:: +*Kubernetes version 1.26*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -1772,7 +1772,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.26.7` |`1.6.6` |`1.1.2` -|Upgraded the Amazon VPC CNI plugin to use the [.noloc]`Kubernetes` connector binary, which gets the [.noloc]`Pod` IP address from the [.noloc]`Kubernetes` API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. +|Upgraded the Amazon VPC CNI plugin to use the Kubernetes connector binary, which gets the Pod IP address from the Kubernetes API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. |`1.26-2023.08.17` |`1.26.7` @@ -1802,7 +1802,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.26.4` |`1.6.6` |`1.1.1` -|Upgraded [.noloc]`Kubernetes` to `1.26.4`. Added support for host port mapping in CNI. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/93[pull request #93]. +|Upgraded Kubernetes to `1.26.4`. Added support for host port mapping in CNI. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/93[pull request #93]. |`1.26-2023.05.09` |`1.26.2` @@ -1830,7 +1830,7 @@ The following tables list the current and previous versions of the Amazon EKS op |=== -*[.noloc]`Kubernetes` version [.noloc]`1.25`*:: +*Kubernetes version 1.25*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -1940,7 +1940,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.25.12` |`1.6.6` |`1.1.2` -|Upgraded the Amazon VPC CNI plugin to use the [.noloc]`Kubernetes` connector binary, which gets the [.noloc]`Pod` IP address from the [.noloc]`Kubernetes` API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. +|Upgraded the Amazon VPC CNI plugin to use the Kubernetes connector binary, which gets the Pod IP address from the Kubernetes API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. |`1.25-2023.08.17` |`1.25.12` @@ -1970,7 +1970,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.25.9` |`1.6.6` |`1.1.1` -|Upgraded [.noloc]`Kubernetes` to `1.25.9`. Added support for host port mapping in CNI. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/93[pull request #93]. +|Upgraded Kubernetes to `1.25.9`. Added support for host port mapping in CNI. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/93[pull request #93]. |`1.25-2023.05.09` |`1.25.7` @@ -1988,7 +1988,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.25.6` |`1.6.6` |`1.1.1` -|Installed a link:containers/domainless-windows-authentication-for-amazon-eks-windows-pods[domainless gMSA plugin,type="blog"] to facilitate [.noloc]`gMSA` authentication for [.noloc]`Windows` containers on Amazon EKS. +|Installed a link:containers/domainless-windows-authentication-for-amazon-eks-windows-pods[domainless gMSA plugin,type="blog"] to facilitate gMSA authentication for Windows containers on Amazon EKS. |`1.25-2023.03.20` |`1.25.6` @@ -2004,7 +2004,7 @@ The following tables list the current and previous versions of the Amazon EKS op |=== -*[.noloc]`Kubernetes` version [.noloc]`1.24`*:: +*Kubernetes version 1.24*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -2114,7 +2114,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.24.16` |`1.6.6` |`1.1.2` -|Upgraded the Amazon VPC CNI plugin to use the [.noloc]`Kubernetes` connector binary, which gets the [.noloc]`Pod` IP address from the [.noloc]`Kubernetes` API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. +|Upgraded the Amazon VPC CNI plugin to use the Kubernetes connector binary, which gets the Pod IP address from the Kubernetes API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. |`1.24-2023.08.17` |`1.24.16` @@ -2144,7 +2144,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.24.13` |`1.6.6` |`1.1.1` -|Upgraded [.noloc]`Kubernetes` to `1.24.13`. Added support for host port mapping in CNI. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/93[pull request #93]. +|Upgraded Kubernetes to `1.24.13`. Added support for host port mapping in CNI. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/93[pull request #93]. |`1.24-2023.05.09` |`1.24.7` @@ -2162,13 +2162,13 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.24.7` |`1.6.6` |`1.1.1` -|Installed a link:containers/domainless-windows-authentication-for-amazon-eks-windows-pods[domainless gMSA plugin,type="blog"] to facilitate [.noloc]`gMSA` authentication for [.noloc]`Windows` containers on Amazon EKS. +|Installed a link:containers/domainless-windows-authentication-for-amazon-eks-windows-pods[domainless gMSA plugin,type="blog"] to facilitate gMSA authentication for Windows containers on Amazon EKS. |`1.24-2023.03.20` |`1.24.7` |`1.6.6` |`1.1.1` -|[.noloc]`Kubernetes` version downgraded to `1.24.7` because `1.24.10` has a reported issue in `kube-proxy`. +|Kubernetes version downgraded to `1.24.7` because `1.24.10` has a reported issue in `kube-proxy`. |`1.24-2023.02.14` |`1.24.10` @@ -2203,13 +2203,13 @@ The following tables list the current and previous versions of the Amazon EKS op ==== [#eks-ami-versions-windows-2019-core] -== Amazon EKS optimized [.noloc]`Windows` Server 2019 Core AMI +== Amazon EKS optimized Windows Server 2019 Core AMI -The following tables list the current and previous versions of the Amazon EKS optimized [.noloc]`Windows` Server 2019 Core AMI. +The following tables list the current and previous versions of the Amazon EKS optimized Windows Server 2019 Core AMI. ==== [role="tablist"] -*[.noloc]`Kubernetes` version [.noloc]`1.32`*:: +*Kubernetes version 1.32*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -2228,7 +2228,7 @@ The following tables list the current and previous versions of the Amazon EKS op |=== -*[.noloc]`Kubernetes` version [.noloc]`1.31`*:: +*Kubernetes version 1.31*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -2282,7 +2282,7 @@ The following tables list the current and previous versions of the Amazon EKS op |=== -*[.noloc]`Kubernetes` version [.noloc]`1.30`*:: +*Kubernetes version 1.30*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -2354,7 +2354,7 @@ The following tables list the current and previous versions of the Amazon EKS op |=== -*[.noloc]`Kubernetes` version [.noloc]`1.29`*:: +*Kubernetes version 1.29*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -2456,7 +2456,7 @@ The following tables list the current and previous versions of the Amazon EKS op |=== -*[.noloc]`Kubernetes` version [.noloc]`1.28`*:: +*Kubernetes version 1.28*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -2582,7 +2582,7 @@ The following tables list the current and previous versions of the Amazon EKS op |=== -*[.noloc]`Kubernetes` version [.noloc]`1.27`*:: +*Kubernetes version 1.27*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -2704,7 +2704,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.27.4` |`1.6.6` |`1.1.2` -|Upgraded the Amazon VPC CNI plugin to use the [.noloc]`Kubernetes` connector binary, which gets the [.noloc]`Pod` IP address from the [.noloc]`Kubernetes` API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. +|Upgraded the Amazon VPC CNI plugin to use the Kubernetes connector binary, which gets the Pod IP address from the Kubernetes API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. |`1.27-2023.08.17` |`1.27.4` @@ -2750,7 +2750,7 @@ The following tables list the current and previous versions of the Amazon EKS op |=== -*[.noloc]`Kubernetes` version [.noloc]`1.26`*:: +*Kubernetes version 1.26*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -2860,7 +2860,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.26.7` |`1.6.6` |`1.1.2` -|Upgraded the Amazon VPC CNI plugin to use the [.noloc]`Kubernetes` connector binary, which gets the [.noloc]`Pod` IP address from the [.noloc]`Kubernetes` API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. +|Upgraded the Amazon VPC CNI plugin to use the Kubernetes connector binary, which gets the Pod IP address from the Kubernetes API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. |`1.26-2023.08.17` |`1.26.7` @@ -2890,7 +2890,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.26.4` |`1.6.6` |`1.1.1` -|Upgraded [.noloc]`Kubernetes` to `1.26.4`. Added support for host port mapping in CNI. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/93[pull request #93]. +|Upgraded Kubernetes to `1.26.4`. Added support for host port mapping in CNI. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/93[pull request #93]. |`1.26-2023.05.09` |`1.26.2` @@ -2918,7 +2918,7 @@ The following tables list the current and previous versions of the Amazon EKS op |=== -*[.noloc]`Kubernetes` version [.noloc]`1.25`*:: +*Kubernetes version 1.25*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -3028,7 +3028,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.25.12` |`1.6.6` |`1.1.2` -|Upgraded the Amazon VPC CNI plugin to use the [.noloc]`Kubernetes` connector binary, which gets the [.noloc]`Pod` IP address from the [.noloc]`Kubernetes` API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. +|Upgraded the Amazon VPC CNI plugin to use the Kubernetes connector binary, which gets the Pod IP address from the Kubernetes API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. |`1.25-2023.08.17` |`1.25.12` @@ -3058,7 +3058,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.25.9` |`1.6.6` |`1.1.1` -|Upgraded [.noloc]`Kubernetes` to `1.25.9`. Added support for host port mapping in CNI. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/93[pull request #93]. +|Upgraded Kubernetes to `1.25.9`. Added support for host port mapping in CNI. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/93[pull request #93]. |`1.25-2023.05.09` |`1.25.7` @@ -3076,7 +3076,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.25.6` |`1.6.6` |`1.1.1` -|Installed a link:containers/domainless-windows-authentication-for-amazon-eks-windows-pods[domainless gMSA plugin,type="blog"] to facilitate [.noloc]`gMSA` authentication for [.noloc]`Windows` containers on Amazon EKS. +|Installed a link:containers/domainless-windows-authentication-for-amazon-eks-windows-pods[domainless gMSA plugin,type="blog"] to facilitate gMSA authentication for Windows containers on Amazon EKS. |`1.25-2023.03.20` |`1.25.6` @@ -3092,7 +3092,7 @@ The following tables list the current and previous versions of the Amazon EKS op |=== -*[.noloc]`Kubernetes` version [.noloc]`1.24`*:: +*Kubernetes version 1.24*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -3202,7 +3202,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.24.16` |`1.6.6` |`1.1.2` -|Upgraded the Amazon VPC CNI plugin to use the [.noloc]`Kubernetes` connector binary, which gets the [.noloc]`Pod` IP address from the [.noloc]`Kubernetes` API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. +|Upgraded the Amazon VPC CNI plugin to use the Kubernetes connector binary, which gets the Pod IP address from the Kubernetes API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. |`1.24-2023.08.17` |`1.24.16` @@ -3232,7 +3232,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.24.13` |`1.6.6` |`1.1.1` -|Upgraded [.noloc]`Kubernetes` to `1.24.13`. Added support for host port mapping in CNI. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/93[pull request #93]. +|Upgraded Kubernetes to `1.24.13`. Added support for host port mapping in CNI. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/93[pull request #93]. |`1.24-2023.05.09` |`1.24.7` @@ -3250,13 +3250,13 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.24.7` |`1.6.6` |`1.1.1` -|Installed a link:containers/domainless-windows-authentication-for-amazon-eks-windows-pods[domainless gMSA plugin,type="blog"] to facilitate [.noloc]`gMSA` authentication for [.noloc]`Windows` containers on Amazon EKS. +|Installed a link:containers/domainless-windows-authentication-for-amazon-eks-windows-pods[domainless gMSA plugin,type="blog"] to facilitate gMSA authentication for Windows containers on Amazon EKS. |`1.24-2023.03.20` |`1.24.7` |`1.6.6` |`1.1.1` -|[.noloc]`Kubernetes` version downgraded to `1.24.7` because `1.24.10` has a reported issue in `kube-proxy`. +|Kubernetes version downgraded to `1.24.7` because `1.24.10` has a reported issue in `kube-proxy`. |`1.24-2023.02.14` |`1.24.10` @@ -3291,13 +3291,13 @@ The following tables list the current and previous versions of the Amazon EKS op ==== [#eks-ami-versions-windows-2019-full] -== Amazon EKS optimized [.noloc]`Windows` Server 2019 Full AMI +== Amazon EKS optimized Windows Server 2019 Full AMI -The following tables list the current and previous versions of the Amazon EKS optimized [.noloc]`Windows` Server 2019 Full AMI. +The following tables list the current and previous versions of the Amazon EKS optimized Windows Server 2019 Full AMI. ==== [role="tablist"] -*[.noloc]`Kubernetes` version [.noloc]`1.32`*:: +*Kubernetes version 1.32*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -3316,7 +3316,7 @@ The following tables list the current and previous versions of the Amazon EKS op |=== -*[.noloc]`Kubernetes` version [.noloc]`1.31`*:: +*Kubernetes version 1.31*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -3370,7 +3370,7 @@ The following tables list the current and previous versions of the Amazon EKS op |=== -*[.noloc]`Kubernetes` version [.noloc]`1.30`*:: +*Kubernetes version 1.30*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -3442,7 +3442,7 @@ The following tables list the current and previous versions of the Amazon EKS op |=== -*[.noloc]`Kubernetes` version [.noloc]`1.29`*:: +*Kubernetes version 1.29*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -3544,7 +3544,7 @@ The following tables list the current and previous versions of the Amazon EKS op |=== -*[.noloc]`Kubernetes` version [.noloc]`1.28`*:: +*Kubernetes version 1.28*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -3670,7 +3670,7 @@ The following tables list the current and previous versions of the Amazon EKS op |=== -*[.noloc]`Kubernetes` version [.noloc]`1.27`*:: +*Kubernetes version 1.27*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -3792,7 +3792,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.27.4` |`1.6.6` |`1.1.2` -|Upgraded the Amazon VPC CNI plugin to use the [.noloc]`Kubernetes` connector binary, which gets the [.noloc]`Pod` IP address from the [.noloc]`Kubernetes` API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. +|Upgraded the Amazon VPC CNI plugin to use the Kubernetes connector binary, which gets the Pod IP address from the Kubernetes API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. |`1.27-2023.08.17` |`1.27.4` @@ -3838,7 +3838,7 @@ The following tables list the current and previous versions of the Amazon EKS op |=== -*[.noloc]`Kubernetes` version [.noloc]`1.26`*:: +*Kubernetes version 1.26*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -3948,7 +3948,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.26.7` |`1.6.6` |`1.1.2` -|Upgraded the Amazon VPC CNI plugin to use the [.noloc]`Kubernetes` connector binary, which gets the [.noloc]`Pod` IP address from the [.noloc]`Kubernetes` API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. +|Upgraded the Amazon VPC CNI plugin to use the Kubernetes connector binary, which gets the Pod IP address from the Kubernetes API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. |`1.26-2023.08.17` |`1.26.7` @@ -3978,7 +3978,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.26.4` |`1.6.6` |`1.1.1` -|Upgraded [.noloc]`Kubernetes` to `1.26.4`. Added support for host port mapping in CNI. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/93[pull request #93]. +|Upgraded Kubernetes to `1.26.4`. Added support for host port mapping in CNI. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/93[pull request #93]. |`1.26-2023.05.09` |`1.26.2` @@ -4006,7 +4006,7 @@ The following tables list the current and previous versions of the Amazon EKS op |=== -*[.noloc]`Kubernetes` version [.noloc]`1.25`*:: +*Kubernetes version 1.25*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -4116,7 +4116,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.25.12` |`1.6.6` |`1.1.2` -|Upgraded the Amazon VPC CNI plugin to use the [.noloc]`Kubernetes` connector binary, which gets the [.noloc]`Pod` IP address from the [.noloc]`Kubernetes` API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. +|Upgraded the Amazon VPC CNI plugin to use the Kubernetes connector binary, which gets the Pod IP address from the Kubernetes API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. |`1.25-2023.08.17` |`1.25.12` @@ -4146,7 +4146,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.25.9` |`1.6.6` |`1.1.1` -|Upgraded [.noloc]`Kubernetes` to `1.25.9`. Added support for host port mapping in CNI. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/93[pull request #93]. +|Upgraded Kubernetes to `1.25.9`. Added support for host port mapping in CNI. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/93[pull request #93]. |`1.25-2023.05.09` |`1.25.7` @@ -4164,7 +4164,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.25.6` |`1.6.6` |`1.1.1` -|Installed a link:containers/domainless-windows-authentication-for-amazon-eks-windows-pods[domainless gMSA plugin,type="blog"] to facilitate [.noloc]`gMSA` authentication for [.noloc]`Windows` containers on Amazon EKS. +|Installed a link:containers/domainless-windows-authentication-for-amazon-eks-windows-pods[domainless gMSA plugin,type="blog"] to facilitate gMSA authentication for Windows containers on Amazon EKS. |`1.25-2023.03.20` |`1.25.6` @@ -4180,7 +4180,7 @@ The following tables list the current and previous versions of the Amazon EKS op |=== -*[.noloc]`Kubernetes` version [.noloc]`1.24`*:: +*Kubernetes version 1.24*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -4290,7 +4290,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.24.16` |`1.6.6` |`1.1.2` -|Upgraded the Amazon VPC CNI plugin to use the [.noloc]`Kubernetes` connector binary, which gets the [.noloc]`Pod` IP address from the [.noloc]`Kubernetes` API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. +|Upgraded the Amazon VPC CNI plugin to use the Kubernetes connector binary, which gets the Pod IP address from the Kubernetes API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. |`1.24-2023.08.17` |`1.24.16` @@ -4320,7 +4320,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.24.13` |`1.6.6` |`1.1.1` -|Upgraded [.noloc]`Kubernetes` to `1.24.13`. Added support for host port mapping in CNI. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/93[pull request #93]. +|Upgraded Kubernetes to `1.24.13`. Added support for host port mapping in CNI. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/93[pull request #93]. |`1.24-2023.05.09` |`1.24.7` @@ -4338,13 +4338,13 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.24.7` |`1.6.6` |`1.1.1` -|Installed a link:containers/domainless-windows-authentication-for-amazon-eks-windows-pods[domainless gMSA plugin,type="blog"] to facilitate [.noloc]`gMSA` authentication for [.noloc]`Windows` containers on Amazon EKS. +|Installed a link:containers/domainless-windows-authentication-for-amazon-eks-windows-pods[domainless gMSA plugin,type="blog"] to facilitate gMSA authentication for Windows containers on Amazon EKS. |`1.24-2023.03.20` |`1.24.7` |`1.6.6` |`1.1.1` -|[.noloc]`Kubernetes` version downgraded to `1.24.7` because `1.24.10` has a reported issue in `kube-proxy`. +|Kubernetes version downgraded to `1.24.7` because `1.24.10` has a reported issue in `kube-proxy`. |`1.24-2023.02.14` |`1.24.10` diff --git a/latest/ug/nodes/eks-compute.adoc b/latest/ug/nodes/eks-compute.adoc index 802670630..9bcd613b9 100644 --- a/latest/ug/nodes/eks-compute.adoc +++ b/latest/ug/nodes/eks-compute.adoc @@ -15,18 +15,18 @@ include::../attributes.txt[] [abstract] -- -Your Amazon EKS cluster can schedule [.noloc]`Pods` on any combination of self-managed nodes, Amazon EKS managed node groups, Fargate, and Amazon EKS Hybrid Nodes in the {aws} Cloud and hybrid nodes on-premises. +Your Amazon EKS cluster can schedule Pods on any combination of self-managed nodes, Amazon EKS managed node groups, Fargate, and Amazon EKS Hybrid Nodes in the {aws} Cloud and hybrid nodes on-premises. -- -A [.noloc]`Kubernetes` node is a machine that runs containerized applications. Each node has the following components: +A Kubernetes node is a machine that runs containerized applications. Each node has the following components: * *https://kubernetes.io/docs/setup/production-environment/container-runtimes/[Container runtime]* – Software that's responsible for running the containers. -* *https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/[kubelet]* – Makes sure that containers are healthy and running within their associated [.noloc]`Pod`. -* *https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/[kube-proxy]* – Maintains network rules that allow communication to your [.noloc]`Pods`. +* *https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/[kubelet]* – Makes sure that containers are healthy and running within their associated Pod. +* *https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/[kube-proxy]* – Maintains network rules that allow communication to your Pods. -For more information, see https://kubernetes.io/docs/concepts/architecture/nodes/[Nodes] in the [.noloc]`Kubernetes` documentation. +For more information, see https://kubernetes.io/docs/concepts/architecture/nodes/[Nodes] in the Kubernetes documentation. -Your Amazon EKS cluster can schedule [.noloc]`Pods` on any combination of <>, <>, <>, <>, and <>. To learn more about nodes deployed in your cluster, see <>. +Your Amazon EKS cluster can schedule Pods on any combination of <>, <>, <>, <>, and <>. To learn more about nodes deployed in your cluster, see <>. [NOTE] @@ -43,7 +43,7 @@ The following table provides several criteria to evaluate when deciding which op [NOTE] ==== -[.noloc]`Bottlerocket` has some specific differences from the general information in this table. For more information, see the [.noloc]`Bottlerocket` https://github.com/bottlerocket-os/bottlerocket/blob/develop/README.md[documentation] on [.noloc]`GitHub`. +Bottlerocket has some specific differences from the general information in this table. For more information, see the Bottlerocket https://github.com/bottlerocket-os/bottlerocket/blob/develop/README.md[documentation] on GitHub. ==== @@ -66,12 +66,12 @@ The following table provides several criteria to evaluate when deciding which op |No |No -|Can run containers that require [.noloc]`Windows` +|Can run containers that require Windows |Yes |No |No -|Can run containers that require [.noloc]`Linux` +|Can run containers that require Linux |Yes |Yes |Yes @@ -120,7 +120,7 @@ The following table provides several criteria to evaluate when deciding which op |No - <> |Yes - you can customize bootstrap arguments with nodeadm. See <>. -|Can assign IP addresses to [.noloc]`Pods` from a different CIDR block than the IP address assigned to the node. +|Can assign IP addresses to Pods from a different CIDR block than the IP address assigned to the node. |Yes – Using a launch template with a custom AMI. For more information, see <>. |No |Yes - see <>. @@ -145,22 +145,22 @@ The following table provides several criteria to evaluate when deciding which op |No |Yes - the operating system running on your physical or virtual machines is managed by you with your choice of tooling. See <>. -|Must update node [.noloc]`Kubernetes` version on your own +|Must update node Kubernetes version on your own |<> – If you deployed an Amazon EKS optimized AMI, you're notified in the Amazon EKS console when updates are available. You can perform the update with one-click in the console. If you deployed a custom AMI, you're not notified in the Amazon EKS console when updates are available. You must perform the update on your own. |No |Yes - you manage hybrid nodes upgrades with your own choice of tooling or with `nodeadm`. See <>. -|Can use Amazon EBS storage with [.noloc]`Pods` +|Can use Amazon EBS storage with Pods |<> |Yes, as an integrated capability. Learn how to <> |No -|Can use Amazon EFS storage with [.noloc]`Pods` +|Can use Amazon EFS storage with Pods |<> |Yes |No -|Can use Amazon FSx for Lustre storage with [.noloc]`Pods` +|Can use Amazon FSx for Lustre storage with Pods |<> |Yes |No @@ -175,17 +175,17 @@ The following table provides several criteria to evaluate when deciding which op |Yes |No - pods run in on-premises environment. -|Can assign different VPC security groups to individual [.noloc]`Pods` -|<> – [.noloc]`Linux` nodes only +|Can assign different VPC security groups to individual Pods +|<> – Linux nodes only |No |No -|Can run [.noloc]`Kubernetes` [.noloc]`DaemonSets` +|Can run Kubernetes DaemonSets |Yes |Yes |Yes -|Support `HostPort` and `HostNetwork` in the [.noloc]`Pod` manifest +|Support `HostPort` and `HostNetwork` in the Pod manifest |Yes |Yes |Yes @@ -201,7 +201,7 @@ The following table provides several criteria to evaluate when deciding which op |No |Pricing -|Cost of Amazon EC2 instance that runs multiple [.noloc]`Pods`. For more information, see link:ec2/pricing/[Amazon EC2 pricing,type="marketing"]. +|Cost of Amazon EC2 instance that runs multiple Pods. For more information, see link:ec2/pricing/[Amazon EC2 pricing,type="marketing"]. | When EKS Auto Mode is enabled in your cluster, you pay a separate fee, in addition to the standard EC2 instance charges, for the instances launched using Auto Mode's compute capability. The amount varies with the instance type launched and the {aws} region where your cluster is located. For more information, see link:eks/pricing/["Amazon EKS pricing",type="marketing"]. |Cost of hybrid nodes vCPU per hour. For more information, see link:eks/pricing/[Amazon EKS pricing,type="marketing"]. diff --git a/latest/ug/nodes/eks-custom-ami-windows.adoc b/latest/ug/nodes/eks-custom-ami-windows.adoc index e85e55e5f..00fb4938c 100644 --- a/latest/ug/nodes/eks-custom-ami-windows.adoc +++ b/latest/ug/nodes/eks-custom-ami-windows.adoc @@ -1,16 +1,16 @@ [.topic] [#eks-custom-ami-windows] -= Build a custom [.noloc]`Windows` AMI with Image Builder += Build a custom Windows AMI with Image Builder :info_titleabbrev: Custom builds include::../attributes.txt[] [abstract] -- -You can use EC2 Image Builder to create custom Amazon EKS optimized [.noloc]`Windows` AMIs. +You can use EC2 Image Builder to create custom Amazon EKS optimized Windows AMIs. -- -You can use EC2 Image Builder to create custom Amazon EKS optimized [.noloc]`Windows` AMIs with one of the following options: +You can use EC2 Image Builder to create custom Amazon EKS optimized Windows AMIs with one of the following options: @@ -35,9 +35,9 @@ The following *Amazon-managed* components for `eks` include patches for `CVE-202 ==== [#custom-windows-ami-as-base] -== Using an Amazon EKS optimized [.noloc]`Windows` AMI as a base +== Using an Amazon EKS optimized Windows AMI as a base -This option is the recommended way to build your custom [.noloc]`Windows` AMIs. The Amazon EKS optimized [.noloc]`Windows` AMIs we provide are more frequently updated than the Amazon-managed build component. +This option is the recommended way to build your custom Windows AMIs. The Amazon EKS optimized Windows AMIs we provide are more frequently updated than the Amazon-managed build component. . Start a new Image Builder recipe. + @@ -45,16 +45,16 @@ This option is the recommended way to build your custom [.noloc]`Windows` AMIs. .. In the left navigation pane, choose *Image recipes*. .. Choose *Create image recipe*. . In the *Recipe details* section, enter a *Name* and *Version*. -. Specify the ID of the Amazon EKS optimized [.noloc]`Windows` AMI in the *Base image* section. +. Specify the ID of the Amazon EKS optimized Windows AMI in the *Base image* section. + .. Choose *Enter custom AMI ID*. -.. Retrieve the AMI ID for the [.noloc]`Windows` OS version that you require. For more information, see <>. +.. Retrieve the AMI ID for the Windows OS version that you require. For more information, see <>. .. Enter the custom *AMI ID*. If the AMI ID isn't found, make sure that the {aws} Region for the AMI ID matches the {aws} Region shown in the upper right of your console. . (Optional) To get the latest security updates, add the `update-windows` component in the *Build components -* section. + .. From the dropdown list to the right of the *Find components by name* search box, choose *Amazon-managed*. .. In the *Find components by name* search box, enter `update-windows`. -.. Select the check box of the *`update-windows`* search result. This component includes the latest [.noloc]`Windows` patches for the operating system. +.. Select the check box of the *`update-windows`* search result. This component includes the latest Windows patches for the operating system. . Complete the remaining image recipe inputs with your required configurations. For more information, see link:imagebuilder/latest/userguide/create-image-recipes.html#create-image-recipe-version-console[Create a new image recipe version (console),type="documentation"] in the Image Builder User Guide. . Choose *Create recipe*. . Use the new image recipe in a new or existing image pipeline. Once your image pipeline runs successfully, your custom AMI will be listed as an output image and is ready for use. For more information, see link:imagebuilder/latest/userguide/start-build-image-pipeline.html[Create an image pipeline using the EC2 Image Builder console wizard,type="documentation"]. @@ -63,7 +63,7 @@ This option is the recommended way to build your custom [.noloc]`Windows` AMIs. [#custom-windows-ami-build-component] == Using the Amazon-managed build component -When using an Amazon EKS optimized [.noloc]`Windows` AMI as a base isn't viable, you can use the Amazon-managed build component instead. This option may lag behind the most recent supported [.noloc]`Kubernetes` versions. +When using an Amazon EKS optimized Windows AMI as a base isn't viable, you can use the Amazon-managed build component instead. This option may lag behind the most recent supported Kubernetes versions. . Start a new Image Builder recipe. + @@ -75,7 +75,7 @@ When using an Amazon EKS optimized [.noloc]`Windows` AMI as a base isn't viable, + ** *Select managed images* – Choose *Windows* for your *Image Operating System (OS)*. Then choose one of the following options for *Image origin*. + -*** *Quick start (Amazon-managed)* – In the *Image name* dropdown, choose an Amazon EKS supported [.noloc]`Windows` Server version. For more information, see <>. +*** *Quick start (Amazon-managed)* – In the *Image name* dropdown, choose an Amazon EKS supported Windows Server version. For more information, see <>. *** *Images owned by me* – For *Image name*, choose the ARN of your own image with your own license. The image that you provide can't already have Amazon EKS components installed. ** *Enter custom AMI ID* – For AMI ID, enter the ID for your AMI with your own license. The image that you provide can't already have Amazon EKS components installed. . In the *Build components - Windows* section, do the following: @@ -84,12 +84,12 @@ When using an Amazon EKS optimized [.noloc]`Windows` AMI as a base isn't viable, .. In the *Find components by name* search box, enter `eks`. .. Select the check box of the *`eks-optimized-ami-windows`* search result, even though the result returned may not be the version that you want. .. In the *Find components by name* search box, enter `update-windows` . -.. Select the check box of the *update-windows* search result. This component includes the latest [.noloc]`Windows` patches for the operating system. +.. Select the check box of the *update-windows* search result. This component includes the latest Windows patches for the operating system. . In the *Selected components* section, do the following: + .. Choose *Versioning options* for *`eks-optimized-ami-windows`*. .. Choose *Specify component version*. -.. In the *Component Version* field, enter [.replaceable]`version.x`, replacing [.replaceable]`version` with a supported [.noloc]`Kubernetes` version. Entering an [.replaceable]`x` for part of the version number indicates to use the latest component version that also aligns with the part of the version you explicitly define. Pay attention to the console output as it will advise you on whether your desired version is available as a managed component. Keep in mind that the most recent [.noloc]`Kubernetes` versions may not be available for the build component. For more information about available versions, see <>. +.. In the *Component Version* field, enter [.replaceable]`version.x`, replacing [.replaceable]`version` with a supported Kubernetes version. Entering an [.replaceable]`x` for part of the version number indicates to use the latest component version that also aligns with the part of the version you explicitly define. Pay attention to the console output as it will advise you on whether your desired version is available as a managed component. Keep in mind that the most recent Kubernetes versions may not be available for the build component. For more information about available versions, see <>. + NOTE: The `1.24.0` `eks-optimized-ami-windows` build component versions require `eksctl` version `0.129` or lower. @@ -101,7 +101,7 @@ NOTE: The `1.24.0` `eks-optimized-ami-windows` build component versions require [#custom-windows-ami-component-versions] == Retrieving information about `eks-optimized-ami-windows` component versions -You can retrieve specific information regarding what is installed with each component. For example, you can verify what `kubelet` version is installed. The components go through functional testing on the Amazon EKS supported [.noloc]`Windows` operating systems versions. For more information, see <>. Any other [.noloc]`Windows` OS versions that aren't listed as supported or have reached end of support might not be compatible with the component. +You can retrieve specific information regarding what is installed with each component. For example, you can verify what `kubelet` version is installed. The components go through functional testing on the Amazon EKS supported Windows operating systems versions. For more information, see <>. Any other Windows OS versions that aren't listed as supported or have reached end of support might not be compatible with the component. . Open the EC2 Image Builder console at https://console.aws.amazon.com/imagebuilder. . In the left navigation pane, choose *Components*. diff --git a/latest/ug/nodes/eks-linux-ami-versions.adoc b/latest/ug/nodes/eks-linux-ami-versions.adoc index c8865f719..0a6596c8e 100644 --- a/latest/ug/nodes/eks-linux-ami-versions.adoc +++ b/latest/ug/nodes/eks-linux-ami-versions.adoc @@ -10,11 +10,11 @@ include::../attributes.txt[] This topic gives the location of Amazon EKS optimized Amazon Linux AMIs version information. -- -Amazon EKS optimized Amazon Linux AMIs are versioned by [.noloc]`Kubernetes` version and the release date of the AMI in the following format: +Amazon EKS optimized Amazon Linux AMIs are versioned by Kubernetes version and the release date of the AMI in the following format: [source,none,subs="verbatim,attributes"] ---- k8s_major_version.k8s_minor_version.k8s_patch_version-release_date ---- -Each AMI release includes various versions of https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/[kubelet], the [.noloc]`Linux` kernel, and https://containerd.io/[containerd]. The accelerated AMIs also include various versions of the [.noloc]`NVIDIA` driver. You can find this version information in the https://github.com/awslabs/amazon-eks-ami/blob/main/CHANGELOG.md[Changelog] on [.noloc]`GitHub`. \ No newline at end of file +Each AMI release includes various versions of https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/[kubelet], the Linux kernel, and https://containerd.io/[containerd]. The accelerated AMIs also include various versions of the NVIDIA driver. You can find this version information in the https://github.com/awslabs/amazon-eks-ami/blob/main/CHANGELOG.md[Changelog] on GitHub. \ No newline at end of file diff --git a/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc b/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc index d028a97cf..a8f15b93a 100644 --- a/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc +++ b/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc @@ -1,58 +1,58 @@ [.topic] [#eks-optimized-ami-bottlerocket] -= Create nodes with optimized [.noloc]`Bottlerocket` AMIs += Create nodes with optimized Bottlerocket AMIs :info_titleabbrev: Bottlerocket include::../attributes.txt[] [abstract] -- -[.noloc]`Bottlerocket` is an open source [.noloc]`Linux` distribution that's sponsored and supported by {aws}. [.noloc]`Bottlerocket` includes only the essential software to run containers, which improves resource usage, reduces security threats, and lowers management overhead. +Bottlerocket is an open source Linux distribution that's sponsored and supported by {aws}. Bottlerocket includes only the essential software to run containers, which improves resource usage, reduces security threats, and lowers management overhead. -- -link:bottlerocket/[Bottlerocket,type="marketing"] is an open source [.noloc]`Linux` distribution that's sponsored and supported by {aws}. [.noloc]`Bottlerocket` is purpose-built for hosting container workloads. With [.noloc]`Bottlerocket`, you can improve the availability of containerized deployments and reduce operational costs by automating updates to your container infrastructure. [.noloc]`Bottlerocket` includes only the essential software to run containers, which improves resource usage, reduces security threats, and lowers management overhead. The [.noloc]`Bottlerocket` AMI includes `containerd`, `kubelet`, and {aws} IAM Authenticator. In addition to managed node groups and self-managed nodes, [.noloc]`Bottlerocket` is also supported by https://karpenter.sh/[Karpenter]. +link:bottlerocket/[Bottlerocket,type="marketing"] is an open source Linux distribution that's sponsored and supported by {aws}. Bottlerocket is purpose-built for hosting container workloads. With Bottlerocket, you can improve the availability of containerized deployments and reduce operational costs by automating updates to your container infrastructure. Bottlerocket includes only the essential software to run containers, which improves resource usage, reduces security threats, and lowers management overhead. The Bottlerocket AMI includes `containerd`, `kubelet`, and {aws} IAM Authenticator. In addition to managed node groups and self-managed nodes, Bottlerocket is also supported by https://karpenter.sh/[Karpenter]. [#bottlerocket-advantages] == Advantages -Using [.noloc]`Bottlerocket` with your Amazon EKS cluster has the following advantages: +Using Bottlerocket with your Amazon EKS cluster has the following advantages: -* *Higher uptime with lower operational cost and lower management complexity* – [.noloc]`Bottlerocket` has a smaller resource footprint, shorter boot times, and is less vulnerable to security threats than other [.noloc]`Linux` distributions. [.noloc]`Bottlerocket's` smaller footprint helps to reduce costs by using less storage, compute, and networking resources. -* *Improved security from automatic OS updates* – Updates to [.noloc]`Bottlerocket` are applied as a single unit which can be rolled back, if necessary. This removes the risk of corrupted or failed updates that can leave the system in an unusable state. With [.noloc]`Bottlerocket`, security updates can be automatically applied as soon as they're available in a minimally disruptive manner and be rolled back if failures occur. -* *Premium support* – {aws} provided builds of [.noloc]`Bottlerocket` on Amazon EC2 is covered under the same {aws} Support plans that also cover {aws} services such as Amazon EC2, Amazon EKS, and Amazon ECR. +* *Higher uptime with lower operational cost and lower management complexity* – Bottlerocket has a smaller resource footprint, shorter boot times, and is less vulnerable to security threats than other Linux distributions. Bottlerocket's smaller footprint helps to reduce costs by using less storage, compute, and networking resources. +* *Improved security from automatic OS updates* – Updates to Bottlerocket are applied as a single unit which can be rolled back, if necessary. This removes the risk of corrupted or failed updates that can leave the system in an unusable state. With Bottlerocket, security updates can be automatically applied as soon as they're available in a minimally disruptive manner and be rolled back if failures occur. +* *Premium support* – {aws} provided builds of Bottlerocket on Amazon EC2 is covered under the same {aws} Support plans that also cover {aws} services such as Amazon EC2, Amazon EKS, and Amazon ECR. [#bottlerocket-considerations] == Considerations -Consider the following when using [.noloc]`Bottlerocket` for your AMI type: +Consider the following when using Bottlerocket for your AMI type: -* [.noloc]`Bottlerocket` supports Amazon EC2 instances with `x86_64` and `arm64` processors. The [.noloc]`Bottlerocket` AMI isn't recommended for use with Amazon EC2 instances with an Inferentia chip. -* [.noloc]`Bottlerocket` images don't include an SSH server or a shell. You can employ out-of-band access methods to allow SSH. These approaches enable the admin container and to pass some bootstrapping configuration steps with user data. For more information, refer to the following sections in https://github.com/bottlerocket-os/bottlerocket/blob/develop/README.md[Bottlerocket OS] on [.noloc]`GitHub`: +* Bottlerocket supports Amazon EC2 instances with `x86_64` and `arm64` processors. The Bottlerocket AMI isn't recommended for use with Amazon EC2 instances with an Inferentia chip. +* Bottlerocket images don't include an SSH server or a shell. You can employ out-of-band access methods to allow SSH. These approaches enable the admin container and to pass some bootstrapping configuration steps with user data. For more information, refer to the following sections in https://github.com/bottlerocket-os/bottlerocket/blob/develop/README.md[Bottlerocket OS] on GitHub: + ** https://github.com/bottlerocket-os/bottlerocket/blob/develop/README.md#exploration[Exploration] ** https://github.com/bottlerocket-os/bottlerocket/blob/develop/README.md#admin-container[Admin container] ** https://github.com/bottlerocket-os/bottlerocket/blob/develop/README.md#kubernetes-settings[Kubernetes settings] -* [.noloc]`Bottlerocket` uses different container types: +* Bottlerocket uses different container types: + -** By default, a https://github.com/bottlerocket-os/bottlerocket-control-container[control container] is enabled. This container runs the https://github.com/aws/amazon-ssm-agent[{aws} Systems Manager agent] that you can use to run commands or start shell sessions on Amazon EC2 [.noloc]`Bottlerocket` instances. For more information, see link:systems-manager/latest/userguide/session-manager-getting-started.html[Setting up Session Manager,type="documentation"] in the _{aws} Systems Manager User Guide_. -** If an SSH key is given when creating the node group, an admin container is enabled. We recommend using the admin container only for development and testing scenarios. We don't recommend using it for production environments. For more information, see https://github.com/bottlerocket-os/bottlerocket/blob/develop/README.md#admin-container[Admin container] on [.noloc]`GitHub`. +** By default, a https://github.com/bottlerocket-os/bottlerocket-control-container[control container] is enabled. This container runs the https://github.com/aws/amazon-ssm-agent[{aws} Systems Manager agent] that you can use to run commands or start shell sessions on Amazon EC2 Bottlerocket instances. For more information, see link:systems-manager/latest/userguide/session-manager-getting-started.html[Setting up Session Manager,type="documentation"] in the _{aws} Systems Manager User Guide_. +** If an SSH key is given when creating the node group, an admin container is enabled. We recommend using the admin container only for development and testing scenarios. We don't recommend using it for production environments. For more information, see https://github.com/bottlerocket-os/bottlerocket/blob/develop/README.md#admin-container[Admin container] on GitHub. [#bottlerocket-more-information] == More information -For more information about using Amazon EKS optimized [.noloc]`Bottlerocket` AMIs, see the following sections: +For more information about using Amazon EKS optimized Bottlerocket AMIs, see the following sections: -* For details about [.noloc]`Bottlerocket`, see the https://bottlerocket.dev/en/[Bottlerocket Documentation]. +* For details about Bottlerocket, see the https://bottlerocket.dev/en/[Bottlerocket Documentation]. * For version information resources, see <>. -* To use [.noloc]`Bottlerocket` with managed node groups, see <>. -* To launch self-managed [.noloc]`Bottlerocket` nodes, see <>. -* To retrieve the latest IDs of the Amazon EKS optimized [.noloc]`Bottlerocket` AMIs, see <>. +* To use Bottlerocket with managed node groups, see <>. +* To launch self-managed Bottlerocket nodes, see <>. +* To retrieve the latest IDs of the Amazon EKS optimized Bottlerocket AMIs, see <>. * For details on compliance support, see <>. include::eks-ami-versions-bottlerocket.adoc[leveloffset=+1] diff --git a/latest/ug/nodes/eks-optimized-ami.adoc b/latest/ug/nodes/eks-optimized-ami.adoc index 0cf98078d..6e027cee2 100644 --- a/latest/ug/nodes/eks-optimized-ami.adoc +++ b/latest/ug/nodes/eks-optimized-ami.adoc @@ -22,15 +22,15 @@ The Amazon EKS optimized Amazon Linux AMIs are built on top of Amazon Linux 2 (A * `kubelet` * {aws} IAM Authenticator -* [.noloc]`Docker` (Amazon EKS version `1.23` and earlier) +* Docker (Amazon EKS version `1.23` and earlier) * `containerd` [NOTE] ==== * You can track security or privacy events for Amazon Linux at the https://alas.aws.amazon.com/[Amazon Linux security center] by choosing the tab for your desired version. You can also subscribe to the applicable RSS feed. Security and privacy events include an overview of the issue, what packages are affected, and how to update your instances to correct the issue. -* Before deploying an accelerated or [.noloc]`Arm` AMI, review the information in <> and <>. -* For [.noloc]`Kubernetes` version `1.23`, you can use an optional bootstrap flag to test migration from [.noloc]`Docker` to `containerd`. For more information, see <>. +* Before deploying an accelerated or Arm AMI, review the information in <> and <>. +* For Kubernetes version `1.23`, you can use an optional bootstrap flag to test migration from Docker to `containerd`. For more information, see <>. * Amazon EC2 `P2` instances aren't supported on Amazon EKS because they require `NVIDIA` driver version 470 or earlier. * Any newly created managed node groups in clusters on version `1.30` or newer will automatically default to using AL2023 as the node operating system. Previously, new node groups would default to AL2. You can continue to use AL2 by choosing it as the AMI type when creating a new node group. * Support for AL2 will end on June 30th, 2025. For more information, see link:amazon-linux-2/faqs/[Amazon Linux 2 FAQs,type="marketing"]. @@ -44,11 +44,11 @@ The Amazon EKS optimized accelerated Amazon Linux AMIs are built on top of the s In addition to the standard Amazon EKS optimized AMI configuration, the accelerated AMIs include the following: -* [.noloc]`NVIDIA` drivers +* NVIDIA drivers * `nvidia-container-toolkit` -* {aws} [.noloc]`Neuron` driver +* {aws} Neuron driver -For a list of the latest components included in the accelerated AMIs, see the `amazon-eks-ami` https://github.com/awslabs/amazon-eks-ami/releases[Releases] on [.noloc]`GitHub`. +For a list of the latest components included in the accelerated AMIs, see the `amazon-eks-ami` https://github.com/awslabs/amazon-eks-ami/releases[Releases] on GitHub. [NOTE] ==== @@ -62,14 +62,14 @@ For a list of the latest components included in the accelerated AMIs, see the `a For details on running workloads on Amazon EKS optimized accelerated Amazon Linux AMIs, see <>. [#arm-ami] -== Amazon EKS optimized [.noloc]`Arm` Amazon Linux AMIs +== Amazon EKS optimized Arm Amazon Linux AMIs -Arm instances deliver significant cost savings for scale-out and [.noloc]`Arm`-based applications such as web servers, containerized microservices, caching fleets, and distributed data stores. When adding [.noloc]`Arm` nodes to your cluster, review the following considerations. +Arm instances deliver significant cost savings for scale-out and Arm-based applications such as web servers, containerized microservices, caching fleets, and distributed data stores. When adding Arm nodes to your cluster, review the following considerations. -* If your cluster was deployed before August 17, 2020, you must do a one-time upgrade of critical cluster add-on manifests. This is so that [.noloc]`Kubernetes` can pull the correct image for each hardware architecture in use in your cluster. For more information about updating cluster add-ons, see <>. If you deployed your cluster on or after August 17, 2020, then your [.noloc]`CoreDNS`, `kube-proxy`, and [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-ons are already multi-architecture capable. -* Applications deployed to [.noloc]`Arm` nodes must be compiled for Arm. -* If you have [.noloc]`DaemonSets` that are deployed in an existing cluster, or you want to deploy them to a new cluster that you also want to deploy [.noloc]`Arm` nodes in, then verify that your [.noloc]`DaemonSet` can run on all hardware architectures in your cluster. -* You can run [.noloc]`Arm` node groups and x86 node groups in the same cluster. If you do, consider deploying multi-architecture container images to a container repository such as Amazon Elastic Container Registry and then adding node selectors to your manifests so that [.noloc]`Kubernetes` knows what hardware architecture a [.noloc]`Pod` can be deployed to. For more information, see link:AmazonECR/latest/userguide/docker-push-multi-architecture-image.html[Pushing a multi-architecture image,type="documentation"] in the _Amazon ECR User Guide_ and the link:containers/introducing-multi-architecture-container-images-for-amazon-ecr[Introducing multi-architecture container images for Amazon ECR,type="blog"] blog post. +* If your cluster was deployed before August 17, 2020, you must do a one-time upgrade of critical cluster add-on manifests. This is so that Kubernetes can pull the correct image for each hardware architecture in use in your cluster. For more information about updating cluster add-ons, see <>. If you deployed your cluster on or after August 17, 2020, then your CoreDNS, `kube-proxy`, and Amazon VPC CNI plugin for Kubernetes add-ons are already multi-architecture capable. +* Applications deployed to Arm nodes must be compiled for Arm. +* If you have DaemonSets that are deployed in an existing cluster, or you want to deploy them to a new cluster that you also want to deploy Arm nodes in, then verify that your DaemonSet can run on all hardware architectures in your cluster. +* You can run Arm node groups and x86 node groups in the same cluster. If you do, consider deploying multi-architecture container images to a container repository such as Amazon Elastic Container Registry and then adding node selectors to your manifests so that Kubernetes knows what hardware architecture a Pod can be deployed to. For more information, see link:AmazonECR/latest/userguide/docker-push-multi-architecture-image.html[Pushing a multi-architecture image,type="documentation"] in the _Amazon ECR User Guide_ and the link:containers/introducing-multi-architecture-container-images-for-amazon-ecr[Introducing multi-architecture container images for Amazon ECR,type="blog"] blog post. [#linux-more-information] == More information diff --git a/latest/ug/nodes/eks-optimized-windows-ami.adoc b/latest/ug/nodes/eks-optimized-windows-ami.adoc index 90a4c0037..75c589ae2 100644 --- a/latest/ug/nodes/eks-optimized-windows-ami.adoc +++ b/latest/ug/nodes/eks-optimized-windows-ami.adoc @@ -1,16 +1,16 @@ [.topic] [#eks-optimized-windows-ami] -= Create nodes with optimized [.noloc]`Windows` AMIs += Create nodes with optimized Windows AMIs :info_titleabbrev: Windows include::../attributes.txt[] [abstract] -- -[.noloc]`Windows` Amazon EKS optimized AMIs are built on top of [.noloc]`Windows` Server 2019. +Windows Amazon EKS optimized AMIs are built on top of Windows Server 2019. -- -[.noloc]`Windows` Amazon EKS optimized AMIs are built on top of [.noloc]`Windows` Server 2019 and [.noloc]`Windows` Server 2022. They are configured to serve as the base image for Amazon EKS nodes. By default, the AMIs include the following components: +Windows Amazon EKS optimized AMIs are built on top of Windows Server 2019 and Windows Server 2022. They are configured to serve as the base image for Amazon EKS nodes. By default, the AMIs include the following components: * https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/[kubelet] * https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/[kube-proxy] @@ -22,30 +22,30 @@ include::../attributes.txt[] [NOTE] ==== -You can track security or privacy events for [.noloc]`Windows` Server with the https://portal.msrc.microsoft.com/en-us/security-guidance[Microsoft security update guide]. +You can track security or privacy events for Windows Server with the https://portal.msrc.microsoft.com/en-us/security-guidance[Microsoft security update guide]. ==== -Amazon EKS offers AMIs that are optimized for [.noloc]`Windows` containers in the following variants: +Amazon EKS offers AMIs that are optimized for Windows containers in the following variants: -* Amazon EKS-optimized [.noloc]`Windows` Server 2019 Core AMI -* Amazon EKS-optimized [.noloc]`Windows` Server 2019 Full AMI -* Amazon EKS-optimized [.noloc]`Windows` Server 2022 Core AMI -* Amazon EKS-optimized [.noloc]`Windows` Server 2022 Full AMI +* Amazon EKS-optimized Windows Server 2019 Core AMI +* Amazon EKS-optimized Windows Server 2019 Full AMI +* Amazon EKS-optimized Windows Server 2022 Core AMI +* Amazon EKS-optimized Windows Server 2022 Full AMI [IMPORTANT] ==== -* The Amazon EKS-optimized [.noloc]`Windows` Server [.noloc]`20H2` Core AMI is deprecated. No new versions of this AMI will be released. -* To ensure that you have the latest security updates by default, Amazon EKS maintains optimized [.noloc]`Windows` AMIs for the last 4 months. Each new AMI will be available for 4 months from the time of initial release. After this period, older AMIs are made private and are no longer accessible. We encourage using the latest AMIs to avoid security vulnerabilities and losing access to older AMIs which have reached the end of their supported lifetime. While we can't guarantee that we can provide access to AMIs that have been made private, you can request access by filing a ticket with {aws} Support. +* The Amazon EKS-optimized Windows Server 20H2 Core AMI is deprecated. No new versions of this AMI will be released. +* To ensure that you have the latest security updates by default, Amazon EKS maintains optimized Windows AMIs for the last 4 months. Each new AMI will be available for 4 months from the time of initial release. After this period, older AMIs are made private and are no longer accessible. We encourage using the latest AMIs to avoid security vulnerabilities and losing access to older AMIs which have reached the end of their supported lifetime. While we can't guarantee that we can provide access to AMIs that have been made private, you can request access by filing a ticket with {aws} Support. ==== [#windows-ami-release-calendar] == Release calendar -The following table lists the release and end of support dates for [.noloc]`Windows` versions on Amazon EKS. If an end date is blank, it's because the version is still supported. +The following table lists the release and end of support dates for Windows versions on Amazon EKS. If an end date is blank, it's because the version is still supported. [cols="1,1,1", options="header"] |=== @@ -54,39 +54,39 @@ The following table lists the release and end of support dates for [.noloc]`Wind |Amazon EKS end of support -|[.noloc]`Windows` Server 2022 Core -|[.noloc]`10/17/2022` +|Windows Server 2022 Core +|10/17/2022 | -|[.noloc]`Windows` Server 2022 Full -|[.noloc]`10/17/2022` +|Windows Server 2022 Full +|10/17/2022 | -|[.noloc]`Windows` Server [.noloc]`20H2` Core -|[.noloc]`8/12/2021` -|[.noloc]`8/9/2022` +|Windows Server 20H2 Core +|8/12/2021 +|8/9/2022 -|[.noloc]`Windows` Server 2004 Core -|[.noloc]`8/19/2020` -|[.noloc]`12/14/2021` +|Windows Server 2004 Core +|8/19/2020 +|12/14/2021 -|[.noloc]`Windows` Server 2019 Core -|[.noloc]`10/7/2019` +|Windows Server 2019 Core +|10/7/2019 | -|[.noloc]`Windows` Server 2019 Full -|[.noloc]`10/7/2019` +|Windows Server 2019 Full +|10/7/2019 | -|[.noloc]`Windows` Server 1909 Core -|[.noloc]`10/7/2019` -|[.noloc]`12/8/2020` +|Windows Server 1909 Core +|10/7/2019 +|12/8/2020 |=== [#bootstrap-script-configuration-parameters] == Bootstrap script configuration parameters -When you create a [.noloc]`Windows` node, there's a script on the node that allows for configuring different parameters. Depending on your setup, this script can be found on the node at a location similar to: `C:\Program Files\Amazon\EKS\Start-EKSBootstrap.ps1`. You can specify custom parameter values by specifying them as arguments to the bootstrap script. For example, you can update the user data in the launch template. For more information, see <>. +When you create a Windows node, there's a script on the node that allows for configuring different parameters. Depending on your setup, this script can be found on the node at a location similar to: `C:\Program Files\Amazon\EKS\Start-EKSBootstrap.ps1`. You can specify custom parameter values by specifying them as arguments to the bootstrap script. For example, you can update the user data in the launch template. For more information, see <>. The script includes the following command-line parameters: @@ -96,8 +96,8 @@ The script includes the following command-line parameters: * `-APIServerEndpoint` – Specifies the Amazon EKS cluster API server endpoint (optional). Only valid when used with `-Base64ClusterCA`. Bypasses calling `Get-EKSCluster`. * `-Base64ClusterCA` – Specifies the base64 encoded cluster CA content (optional). Only valid when used with `-APIServerEndpoint`. Bypasses calling `Get-EKSCluster`. * `-DNSClusterIP` – Overrides the IP address to use for DNS queries within the cluster (optional). Defaults to `10.100.0.10` or `172.20.0.10` based on the IP address of the primary interface. -* `-ServiceCIDR` – Overrides the [.noloc]`Kubernetes` service IP address range from which cluster services are addressed. Defaults to `172.20.0.0/16` or `10.100.0.0/16` based on the IP address of the primary interface. -* `-ExcludedSnatCIDRs` – A list of `IPv4` CIDRs to exclude from Source Network Address Translation (SNAT). This means that the pod private IP which is VPC addressable wouldn't be translated to the IP address of the instance ENI's primary `IPv4` address for outbound traffic. By default, the `IPv4` CIDR of the VPC for the Amazon EKS [.noloc]`Windows` node is added. Specifying CIDRs to this parameter also additionally excludes the specified CIDRs. For more information, see <>. +* `-ServiceCIDR` – Overrides the Kubernetes service IP address range from which cluster services are addressed. Defaults to `172.20.0.0/16` or `10.100.0.0/16` based on the IP address of the primary interface. +* `-ExcludedSnatCIDRs` – A list of `IPv4` CIDRs to exclude from Source Network Address Translation (SNAT). This means that the pod private IP which is VPC addressable wouldn't be translated to the IP address of the instance ENI's primary `IPv4` address for outbound traffic. By default, the `IPv4` CIDR of the VPC for the Amazon EKS Windows node is added. Specifying CIDRs to this parameter also additionally excludes the specified CIDRs. For more information, see <>. In addition to the command line parameters, you can also specify some environment variable parameters. When specifying a command line parameter, it takes precedence over the respective environment variable. The environment variable(s) should be defined as machine (or system) scoped as the bootstrap script will only read machine-scoped variables. @@ -108,12 +108,12 @@ The script takes into account the following environment variables: [#ad-and-gmsa-support] -=== [.noloc]`gMSA` authentication support +=== gMSA authentication support -Amazon EKS Windows [.noloc]`Pods` allow different types of group Managed Service Account ([.noloc]`gMSA`) authentication. +Amazon EKS Windows Pods allow different types of group Managed Service Account (gMSA) authentication. -* Amazon EKS supports [.noloc]`Active Directory` domain identities for authentication. For more information on domain-joined [.noloc]`gMSA`, see link:containers/windows-authentication-on-amazon-eks-windows-pods[Windows Authentication on Amazon EKS Windowspods,type="blog"] on the {aws} blog. -* Amazon EKS offers a plugin that enables non-domain-joined [.noloc]`Windows` nodes to retrieve [.noloc]`gMSA` credentials with a portable user identity. For more information on domainless [.noloc]`gMSA`, see link:containers/domainless-windows-authentication-for-amazon-eks-windows-pods[Domainless Windows Authentication for Amazon EKS Windowspods,type="blog"] on the {aws} blog. +* Amazon EKS supports Active Directory domain identities for authentication. For more information on domain-joined gMSA, see link:containers/windows-authentication-on-amazon-eks-windows-pods[Windows Authentication on Amazon EKS Windowspods,type="blog"] on the {aws} blog. +* Amazon EKS offers a plugin that enables non-domain-joined Windows nodes to retrieve gMSA credentials with a portable user identity. For more information on domainless gMSA, see link:containers/domainless-windows-authentication-for-amazon-eks-windows-pods[Domainless Windows Authentication for Amazon EKS Windowspods,type="blog"] on the {aws} blog. [#windows-cached-container-images] @@ -130,14 +130,14 @@ The following cached container images are for the `containerd` runtime: [#windows-more-information] == More information -For more information about using Amazon EKS optimized [.noloc]`Windows` AMIs, see the following sections: +For more information about using Amazon EKS optimized Windows AMIs, see the following sections: * For details on running workloads on Amazon EKS optimized accelerated Windows AMIs, see <>. -* To use [.noloc]`Windows` with managed node groups, see <>. -* To launch self-managed [.noloc]`Windows` nodes, see <>. +* To use Windows with managed node groups, see <>. +* To launch self-managed Windows nodes, see <>. * For version information, see <>. -* To retrieve the latest IDs of the Amazon EKS optimized [.noloc]`Windows` AMIs, see <>. -* To use Amazon EC2 Image Builder to create custom Amazon EKS optimized [.noloc]`Windows` AMIs, see <>. +* To retrieve the latest IDs of the Amazon EKS optimized Windows AMIs, see <>. +* To use Amazon EC2 Image Builder to create custom Amazon EKS optimized Windows AMIs, see <>. * For best practices, see https://aws.github.io/aws-eks-best-practices/windows/docs/ami/[Amazon EKS optimized Windows AMI management] in the _EKS Best Practices Guide_. include::self-managed-windows-server-2022.adoc[leveloffset=+1] diff --git a/latest/ug/nodes/eks-partner-amis.adoc b/latest/ug/nodes/eks-partner-amis.adoc index 33ba77023..14d3df942 100644 --- a/latest/ug/nodes/eks-partner-amis.adoc +++ b/latest/ug/nodes/eks-partner-amis.adoc @@ -1,6 +1,6 @@ [.topic] [#eks-partner-amis] -= Create nodes with optimized [.noloc]`Ubuntu Linux` AMIs += Create nodes with optimized Ubuntu Linux AMIs :info_titleabbrev: Ubuntu Linux include::../attributes.txt[] @@ -12,4 +12,4 @@ Canonical has partnered with Amazon EKS to create node AMIs that you can use in Canonical has partnered with Amazon EKS to create node AMIs that you can use in your clusters. -https://www.canonical.com/[Canonical] delivers a built-for-purpose [.noloc]`Kubernetes` Node OS image. This minimized [.noloc]`Ubuntu` image is optimized for Amazon EKS and includes the custom {aws} kernel that is jointly developed with {aws}. For more information, see https://cloud-images.ubuntu.com/aws-eks/[Ubuntu on Amazon Elastic Kubernetes Service (EKS)] and <> . For information about support, see the link:premiumsupport/faqs/#Third-party_software[Third-party software,type="marketing"] section of the _{aws} Premium Support FAQs_. \ No newline at end of file +https://www.canonical.com/[Canonical] delivers a built-for-purpose Kubernetes Node OS image. This minimized Ubuntu image is optimized for Amazon EKS and includes the custom {aws} kernel that is jointly developed with {aws}. For more information, see https://cloud-images.ubuntu.com/aws-eks/[Ubuntu on Amazon Elastic Kubernetes Service (EKS)] and <> . For information about support, see the link:premiumsupport/faqs/#Third-party_software[Third-party software,type="marketing"] section of the _{aws} Premium Support FAQs_. \ No newline at end of file diff --git a/latest/ug/nodes/fargate-getting-started.adoc b/latest/ug/nodes/fargate-getting-started.adoc index 3d21919de..ce2cf7703 100644 --- a/latest/ug/nodes/fargate-getting-started.adoc +++ b/latest/ug/nodes/fargate-getting-started.adoc @@ -6,22 +6,22 @@ include::../attributes.txt[] [abstract] -- -This topic describes how to get started running [.noloc]`Pods` on {aws} Fargate with your Amazon EKS cluster. +This topic describes how to get started running Pods on {aws} Fargate with your Amazon EKS cluster. -- -This topic describes how to get started running [.noloc]`Pods` on {aws} Fargate with your Amazon EKS cluster. +This topic describes how to get started running Pods on {aws} Fargate with your Amazon EKS cluster. -If you restrict access to the public endpoint of your cluster using CIDR blocks, we recommend that you also enable private endpoint access. This way, Fargate [.noloc]`Pods` can communicate with the cluster. Without the private endpoint enabled, the CIDR blocks that you specify for public access must include the outbound sources from your VPC. For more information, see <>. +If you restrict access to the public endpoint of your cluster using CIDR blocks, we recommend that you also enable private endpoint access. This way, Fargate Pods can communicate with the cluster. Without the private endpoint enabled, the CIDR blocks that you specify for public access must include the outbound sources from your VPC. For more information, see <>. .Prerequisite An existing cluster. If you don't already have an Amazon EKS cluster, see <>. [#fargate-gs-check-compatibility] -== Step 1: Ensure that existing nodes can communicate with Fargate [.noloc]`Pods` +== Step 1: Ensure that existing nodes can communicate with Fargate Pods If you're working with a new cluster with no nodes, or a cluster with only managed node groups (see <>), you can skip to <>. -Assume that you're working with an existing cluster that already has nodes that are associated with it. Make sure that [.noloc]`Pods` on these nodes can communicate freely with the [.noloc]`Pods` that are running on Fargate. [.noloc]`Pods` that are running on Fargate are automatically configured to use the cluster security group for the cluster that they're associated with. Ensure that any existing nodes in your cluster can send and receive traffic to and from the cluster security group. Managed node groups are automatically configured to use the cluster security group as well, so you don't need to modify or check them for this compatibility (see <>). +Assume that you're working with an existing cluster that already has nodes that are associated with it. Make sure that Pods on these nodes can communicate freely with the Pods that are running on Fargate. Pods that are running on Fargate are automatically configured to use the cluster security group for the cluster that they're associated with. Ensure that any existing nodes in your cluster can send and receive traffic to and from the cluster security group. Managed node groups are automatically configured to use the cluster security group as well, so you don't need to modify or check them for this compatibility (see <>). For existing node groups that were created with `eksctl` or the Amazon EKS managed {aws} CloudFormation templates, you can add the cluster security group to the nodes manually. Or, alternatively, you can modify the Auto Scaling group launch template for the node group to attach the cluster security group to the instances. For more information, see link:vpc/latest/userguide/VPC_SecurityGroups.html#SG_Changing_Group_Membership[Changing an instance's security groups,type="documentation"] in the _Amazon VPC User Guide_. @@ -34,26 +34,26 @@ aws eks describe-cluster --name my-cluster --query cluster.resourcesVpcConfig.cl [#fargate-sg-pod-execution-role] -== Step 2: Create a Fargate [.noloc]`Pod` execution role +== Step 2: Create a Fargate Pod execution role -When your cluster creates [.noloc]`Pods` on {aws} Fargate, the components that run on the Fargate infrastructure must make calls to {aws} APIs on your behalf. The Amazon EKS [.noloc]`Pod` execution role provides the IAM permissions to do this. To create an {aws} Fargate [.noloc]`Pod` execution role, see <>. +When your cluster creates Pods on {aws} Fargate, the components that run on the Fargate infrastructure must make calls to {aws} APIs on your behalf. The Amazon EKS Pod execution role provides the IAM permissions to do this. To create an {aws} Fargate Pod execution role, see <>. [NOTE] ==== -If you created your cluster with `eksctl` using the `--fargate` option, your cluster already has a [.noloc]`Pod` execution role that you can find in the IAM console with the pattern `eksctl-my-cluster-FargatePodExecutionRole-ABCDEFGHIJKL`. Similarly, if you use `eksctl` to create your Fargate profiles, `eksctl` creates your [.noloc]`Pod` execution role if one isn't already created. +If you created your cluster with `eksctl` using the `--fargate` option, your cluster already has a Pod execution role that you can find in the IAM console with the pattern `eksctl-my-cluster-FargatePodExecutionRole-ABCDEFGHIJKL`. Similarly, if you use `eksctl` to create your Fargate profiles, `eksctl` creates your Pod execution role if one isn't already created. ==== [#fargate-gs-create-profile] == Step 3: Create a Fargate profile for your cluster -Before you can schedule [.noloc]`Pods` that are running on Fargate in your cluster, you must define a Fargate profile that specifies which [.noloc]`Pods` use Fargate when they're launched. For more information, see <>. +Before you can schedule Pods that are running on Fargate in your cluster, you must define a Fargate profile that specifies which Pods use Fargate when they're launched. For more information, see <>. [NOTE] ==== -If you created your cluster with `eksctl` using the `--fargate` option, then a Fargate profile is already created for your cluster with selectors for all [.noloc]`Pods` in the `kube-system` and `default` namespaces. Use the following procedure to create Fargate profiles for any other namespaces you would like to use with Fargate. +If you created your cluster with `eksctl` using the `--fargate` option, then a Fargate profile is already created for your cluster with selectors for all Pods in the `kube-system` and `default` namespaces. Use the following procedure to create Fargate profiles for any other namespaces you would like to use with Fargate. ==== @@ -99,30 +99,30 @@ You can use certain wildcards for [.replaceable]`my-kubernetes-namespace` and [. . On the *Configure Fargate profile* page, do the following: + .. For *Name*, enter a name for your Fargate profile. The name must be unique. -.. For *Pod execution role*, choose the [.noloc]`Pod` execution role to use with your Fargate profile. Only the IAM roles with the `eks-fargate-pods.amazonaws.com` service principal are shown. If you don't see any roles listed, you must create one. For more information, see <>. +.. For *Pod execution role*, choose the Pod execution role to use with your Fargate profile. Only the IAM roles with the `eks-fargate-pods.amazonaws.com` service principal are shown. If you don't see any roles listed, you must create one. For more information, see <>. .. Modify the selected *Subnets* as needed. + -NOTE: Only private subnets are supported for [.noloc]`Pods` that are running on Fargate. -.. For *Tags*, you can optionally tag your Fargate profile. These tags don't propagate to other resources that are associated with the profile such as [.noloc]`Pods`. +NOTE: Only private subnets are supported for Pods that are running on Fargate. +.. For *Tags*, you can optionally tag your Fargate profile. These tags don't propagate to other resources that are associated with the profile such as Pods. .. Choose *Next*. -. On the *Configure [.noloc]`Pod` selection* page, do the following: +. On the *Configure Pod selection* page, do the following: + -.. For *Namespace*, enter a namespace to match for [.noloc]`Pods`. +.. For *Namespace*, enter a namespace to match for Pods. + *** You can use specific namespaces to match, such as `kube-system` or `default`. *** You can use certain wildcards (for example, `prod-*`) to match multiple namespaces (for example, `prod-deployment` and `prod-test`). For more information, see <>. -.. (Optional) Add [.noloc]`Kubernetes` labels to the selector. Specifically add them to the one that the [.noloc]`Pods` in the specified namespace need to match. +.. (Optional) Add Kubernetes labels to the selector. Specifically add them to the one that the Pods in the specified namespace need to match. + -*** You can add the label `infrastructure: fargate` to the selector so that only [.noloc]`Pods` in the specified namespace that also have the `infrastructure: fargate` [.noloc]`Kubernetes` label match the selector. +*** You can add the label `infrastructure: fargate` to the selector so that only Pods in the specified namespace that also have the `infrastructure: fargate` Kubernetes label match the selector. *** You can use certain wildcards (for example, `key?: value?`) to match multiple namespaces (for example, `keya: valuea` and `keyb: valueb`). For more information, see <>. .. Choose *Next*. . On the *Review and create* page, review the information for your Fargate profile and choose *Create*. [#fargate-gs-coredns] -== Step 4: Update [.noloc]`CoreDNS` +== Step 4: Update CoreDNS -By default, [.noloc]`CoreDNS` is configured to run on Amazon EC2 infrastructure on Amazon EKS clusters. If you want to _only_ run your [.noloc]`Pods` on Fargate in your cluster, complete the following steps. +By default, CoreDNS is configured to run on Amazon EC2 infrastructure on Amazon EKS clusters. If you want to _only_ run your Pods on Fargate in your cluster, complete the following steps. [NOTE] ==== @@ -130,7 +130,7 @@ By default, [.noloc]`CoreDNS` is configured to run on Amazon EC2 infrastructure If you created your cluster with `eksctl` using the `--fargate` option, then you can skip to <>. ==== -. Create a Fargate profile for [.noloc]`CoreDNS` with the following command. Replace [.replaceable]`my-cluster` with your cluster name, [.replaceable]`111122223333` with your account ID, [.replaceable]`AmazonEKSFargatePodExecutionRole` with the name of your [.noloc]`Pod` execution role, and [.replaceable]`0000000000000001`, [.replaceable]`0000000000000002`, and [.replaceable]`0000000000000003` with the IDs of your private subnets. If you don't have a [.noloc]`Pod` execution role, you must create one first (see <>). +. Create a Fargate profile for CoreDNS with the following command. Replace [.replaceable]`my-cluster` with your cluster name, [.replaceable]`111122223333` with your account ID, [.replaceable]`AmazonEKSFargatePodExecutionRole` with the name of your Pod execution role, and [.replaceable]`0000000000000001`, [.replaceable]`0000000000000002`, and [.replaceable]`0000000000000003` with the IDs of your private subnets. If you don't have a Pod execution role, you must create one first (see <>). + IMPORTANT: The role ARN can't include a link:IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names[path,type="documentation"] other than `/`. For example, if the name of your role is `development/apps/my-role`, you need to change it to `my-role` when specifying the ARN for the role. The format of the role ARN must be `{arn-aws}iam::111122223333:role/role-name`. + @@ -143,7 +143,7 @@ aws eks create-fargate-profile \ --selectors namespace=kube-system,labels={k8s-app=kube-dns} \ --subnets subnet-0000000000000001 subnet-0000000000000002 subnet-0000000000000003 ---- -. Run the following command to remove the `eks.amazonaws.com/compute-type : ec2` annotation from the [.noloc]`CoreDNS` [.noloc]`Pods`. +. Run the following command to remove the `eks.amazonaws.com/compute-type : ec2` annotation from the CoreDNS Pods. + [source,bash,subs="verbatim,attributes"] ---- @@ -159,13 +159,13 @@ kubectl patch deployment coredns \ * You can start migrating your existing applications to run on Fargate with the following workflow. + -.. <> that matches your application's [.noloc]`Kubernetes` namespace and [.noloc]`Kubernetes` labels. -.. Delete and re-create any existing [.noloc]`Pods` so that they're scheduled on Fargate. For example, the following command triggers a rollout of the `coredns` deployment. You can modify the namespace and deployment type to update your specific [.noloc]`Pods`. +.. <> that matches your application's Kubernetes namespace and Kubernetes labels. +.. Delete and re-create any existing Pods so that they're scheduled on Fargate. For example, the following command triggers a rollout of the `coredns` deployment. You can modify the namespace and deployment type to update your specific Pods. + [source,bash,subs="verbatim,attributes"] ---- kubectl rollout restart -n kube-system deployment coredns ---- -* Deploy the <> to allow Ingress objects for your [.noloc]`Pods` running on Fargate. -* You can use the <> to set the initial correct size of CPU and memory for your Fargate [.noloc]`Pods`, and then use the <> to scale those [.noloc]`Pods`. If you want the Vertical Pod Autoscaler to automatically re-deploy [.noloc]`Pods` to Fargate with higher CPU and memory combinations, set the Vertical Pod Autoscaler's mode to either `Auto` or `Recreate`. This is to ensure correct functionality. For more information, see the https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler#quick-start[Vertical Pod Autoscaler] documentation on [.noloc]`GitHub`. +* Deploy the <> to allow Ingress objects for your Pods running on Fargate. +* You can use the <> to set the initial correct size of CPU and memory for your Fargate Pods, and then use the <> to scale those Pods. If you want the Vertical Pod Autoscaler to automatically re-deploy Pods to Fargate with higher CPU and memory combinations, set the Vertical Pod Autoscaler's mode to either `Auto` or `Recreate`. This is to ensure correct functionality. For more information, see the https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler#quick-start[Vertical Pod Autoscaler] documentation on GitHub. * You can set up the link:otel[{aws} Distro for OpenTelemetry,type="marketing"] (ADOT) collector for application monitoring by following link:AmazonCloudWatch/latest/monitoring/Container-Insights-EKS-otel.html[these instructions,type="documentation"]. \ No newline at end of file diff --git a/latest/ug/nodes/fargate-logging.adoc b/latest/ug/nodes/fargate-logging.adoc index 4227b7630..09e512bda 100644 --- a/latest/ug/nodes/fargate-logging.adoc +++ b/latest/ug/nodes/fargate-logging.adoc @@ -6,28 +6,28 @@ include::../attributes.txt[] [abstract] -- -Amazon EKS on Fargate offers a built-in log router based on [.noloc]`Fluent Bit`. +Amazon EKS on Fargate offers a built-in log router based on Fluent Bit. -- -Amazon EKS on Fargate offers a built-in log router based on [.noloc]`Fluent Bit`. This means that you don't explicitly run a [.noloc]`Fluent Bit` container as a sidecar, but Amazon runs it for you. All that you have to do is configure the log router. The configuration happens through a dedicated `ConfigMap` that must meet the following criteria: +Amazon EKS on Fargate offers a built-in log router based on Fluent Bit. This means that you don't explicitly run a Fluent Bit container as a sidecar, but Amazon runs it for you. All that you have to do is configure the log router. The configuration happens through a dedicated `ConfigMap` that must meet the following criteria: * Named `aws-logging` * Created in a dedicated namespace called `aws-observability` * Can't exceed 5300 characters. -Once you've created the `ConfigMap`, Amazon EKS on Fargate automatically detects it and configures the log router with it. Fargate uses a version of {aws} for [.noloc]`Fluent Bit`, an upstream compliant distribution of [.noloc]`Fluent Bit` managed by {aws}. For more information, see https://github.com/aws/aws-for-fluent-bit[{aws} for Fluent Bit] on GitHub. +Once you've created the `ConfigMap`, Amazon EKS on Fargate automatically detects it and configures the log router with it. Fargate uses a version of {aws} for Fluent Bit, an upstream compliant distribution of Fluent Bit managed by {aws}. For more information, see https://github.com/aws/aws-for-fluent-bit[{aws} for Fluent Bit] on GitHub. The log router allows you to use the breadth of services at {aws} for log analytics and storage. You can stream logs from Fargate directly to Amazon CloudWatch, Amazon OpenSearch Service. You can also stream logs to destinations such as link:s3/[Amazon S3,type="marketing"], link:kinesis/data-streams/[Amazon Kinesis Data Streams,type="marketing"], and partner tools through link:kinesis/data-firehose/[Amazon Data Firehose,type="marketing"]. -* An existing Fargate profile that specifies an existing [.noloc]`Kubernetes` namespace that you deploy Fargate [.noloc]`Pods` to. For more information, see <>. -* An existing Fargate [.noloc]`Pod` execution role. For more information, see <>. +* An existing Fargate profile that specifies an existing Kubernetes namespace that you deploy Fargate Pods to. For more information, see <>. +* An existing Fargate Pod execution role. For more information, see <>. [#fargate-logging-log-router-configuration] == Log router configuration In the following steps, replace every [.replaceable]`example value` with your own values. -. Create a dedicated [.noloc]`Kubernetes` namespace named `aws-observability`. +. Create a dedicated Kubernetes namespace named `aws-observability`. + .. Save the following contents to a file named `aws-observability-namespace.yaml` on your computer. The value for `name` must be `aws-observability` and the `aws-observability: enabled` label is required. + @@ -46,7 +46,7 @@ metadata: ---- kubectl apply -f aws-observability-namespace.yaml ---- -. Create a `ConfigMap` with a `Fluent Conf` data value to ship container logs to a destination. Fluent Conf is [.noloc]`Fluent Bit`, which is a fast and lightweight log processor configuration language that's used to route container logs to a log destination of your choice. For more information, see https://docs.fluentbit.io/manual/administration/configuring-fluent-bit/classic-mode/configuration-file[Configuration File] in the [.noloc]`Fluent Bit` documentation. +. Create a `ConfigMap` with a `Fluent Conf` data value to ship container logs to a destination. Fluent Conf is Fluent Bit, which is a fast and lightweight log processor configuration language that's used to route container logs to a log destination of your choice. For more information, see https://docs.fluentbit.io/manual/administration/configuring-fluent-bit/classic-mode/configuration-file[Configuration File] in the Fluent Bit documentation. + [IMPORTANT] ==== @@ -86,12 +86,12 @@ When creating the `ConfigMap`, take into account the following rules that Fargat * At least one supported `Output` plugin has to be provided in the `ConfigMap` to enable logging. `Filter` and `Parser` aren't required to enable logging. + -You can also run [.noloc]`Fluent Bit` on Amazon EC2 using the desired configuration to troubleshoot any issues that arise from validation. Create your `ConfigMap` using one of the following examples. +You can also run Fluent Bit on Amazon EC2 using the desired configuration to troubleshoot any issues that arise from validation. Create your `ConfigMap` using one of the following examples. + [IMPORTANT] ==== -Amazon EKS Fargate logging doesn't support dynamic configuration of a `ConfigMap`. Any changes to a `ConfigMap` are applied to new [.noloc]`Pods` only. Changes aren't applied to existing [.noloc]`Pods`. +Amazon EKS Fargate logging doesn't support dynamic configuration of a `ConfigMap`. Any changes to a `ConfigMap` are applied to new Pods only. Changes aren't applied to existing Pods. ==== + @@ -176,7 +176,7 @@ curl -O https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging- Amazon OpenSearch Service:: *To create a `ConfigMap` for Amazon OpenSearch Service* + -If you want to send logs to Amazon OpenSearch Service, you can use https://docs.fluentbit.io/manual/v/1.5/pipeline/outputs/elasticsearch[es] output, which is a plugin written in [.noloc]`C`. The following example shows you how to use the plugin to send logs to OpenSearch. +If you want to send logs to Amazon OpenSearch Service, you can use https://docs.fluentbit.io/manual/v/1.5/pipeline/outputs/elasticsearch[es] output, which is a plugin written in C. The following example shows you how to use the plugin to send logs to OpenSearch. + .. Save the following contents to a file named `aws-logging-opensearch-configmap.yaml`. Replace every [.replaceable]`example value` with your own values. + @@ -213,7 +213,7 @@ kubectl apply -f aws-logging-opensearch-configmap.yaml curl -O https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/amazon-elasticsearch/permissions.json ---- + -Make sure that OpenSearch Dashboards' access control is configured properly. The `all_access role` in OpenSearch Dashboards needs to have the Fargate [.noloc]`Pod` execution role and the IAM role mapped. The same mapping must be done for the `security_manager` role. You can add the previous mappings by selecting `Menu`, then `Security`, then `Roles`, and then select the respective roles. For more information, see link:tr/premiumsupport/knowledge-center/es-troubleshoot-cloudwatch-logs/[How do I troubleshoot CloudWatch Logs so that it streams to my Amazon ES domain?,type="marketing"]. +Make sure that OpenSearch Dashboards' access control is configured properly. The `all_access role` in OpenSearch Dashboards needs to have the Fargate Pod execution role and the IAM role mapped. The same mapping must be done for the `security_manager` role. You can add the previous mappings by selecting `Menu`, then `Security`, then `Roles`, and then select the respective roles. For more information, see link:tr/premiumsupport/knowledge-center/es-troubleshoot-cloudwatch-logs/[How do I troubleshoot CloudWatch Logs so that it streams to my Amazon ES domain?,type="marketing"]. Firehose:: *To create a `ConfigMap` for Firehose* @@ -261,7 +261,7 @@ curl -O https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging- ---- aws iam create-policy --policy-name eks-fargate-logging-policy --policy-document file://permissions.json ---- -. Attach the IAM policy to the pod execution role specified for your Fargate profile with the following command. Replace [.replaceable]`111122223333` with your account ID. Replace [.replaceable]`AmazonEKSFargatePodExecutionRole` with your [.noloc]`Pod` execution role (for more information, see <>). +. Attach the IAM policy to the pod execution role specified for your Fargate profile with the following command. Replace [.replaceable]`111122223333` with your account ID. Replace [.replaceable]`AmazonEKSFargatePodExecutionRole` with your Pod execution role (for more information, see <>). + [source,bash,subs="verbatim,attributes,quotes"] ---- @@ -271,9 +271,9 @@ aws iam attach-role-policy \ ---- [#fargate-logging-kubernetes-filter] -=== [.noloc]`Kubernetes` filter support +=== Kubernetes filter support -This feature requires the following minimum [.noloc]`Kubernetes` version and platform level, or later. +This feature requires the following minimum Kubernetes version and platform level, or later. [cols="1,1", options="header"] |=== @@ -285,7 +285,7 @@ This feature requires the following minimum [.noloc]`Kubernetes` version and pla |eks.1 |=== -The [.noloc]`Fluent Bit` [.noloc]`Kubernetes` filter allows you to add [.noloc]`Kubernetes` metadata to your log files. For more information about the filter, see https://docs.fluentbit.io/manual/pipeline/filters/kubernetes[Kubernetes] in the [.noloc]`Fluent Bit` documentation. You can apply a filter using the API server endpoint. +The Fluent Bit Kubernetes filter allows you to add Kubernetes metadata to your log files. For more information about the filter, see https://docs.fluentbit.io/manual/pipeline/filters/kubernetes[Kubernetes] in the Fluent Bit documentation. You can apply a filter using the API server endpoint. [source,yaml,subs="verbatim,attributes,quotes"] ---- @@ -302,14 +302,14 @@ filters.conf: | ==== * `Kube_URL`, `Kube_CA_File`, `Kube_Token_Command`, and `Kube_Token_File` are service owned configuration parameters and must not be specified. Amazon EKS Fargate populates these values. -* `Kube_Meta_Cache_TTL` is the time [.noloc]`Fluent Bit` waits until it communicates with the API server for the latest metadata. If `Kube_Meta_Cache_TTL` isn't specified, Amazon EKS Fargate appends a default value of 30 minutes to lessen the load on the API server. +* `Kube_Meta_Cache_TTL` is the time Fluent Bit waits until it communicates with the API server for the latest metadata. If `Kube_Meta_Cache_TTL` isn't specified, Amazon EKS Fargate appends a default value of 30 minutes to lessen the load on the API server. ==== [#ship-fluent-bit-process-logs] -=== To ship [.noloc]`Fluent Bit` process logs to your account +=== To ship Fluent Bit process logs to your account -You can optionally ship [.noloc]`Fluent Bit` process logs to Amazon CloudWatch using the following `ConfigMap`. Shipping Fluent Bit process logs to CloudWatch requires additional log ingestion and storage costs. Replace [.replaceable]`region-code` with the {aws} Region that your cluster is in. +You can optionally ship Fluent Bit process logs to Amazon CloudWatch using the following `ConfigMap`. Shipping Fluent Bit process logs to CloudWatch requires additional log ingestion and storage costs. Replace [.replaceable]`region-code` with the {aws} Region that your cluster is in. [source,yaml,subs="verbatim,attributes,quotes"] ---- @@ -334,29 +334,29 @@ data: auto_create_group true ---- -The logs are in the {aws} Region that the cluster resides in under CloudWatch. The log group name is `[.replaceable]``my-cluster``-fluent-bit-logs` and the [.noloc]`Fluent Bit` logstream name is `fluent-bit-[.replaceable]``podname``-[.replaceable]``pod-namespace```. +The logs are in the {aws} Region that the cluster resides in under CloudWatch. The log group name is `[.replaceable]``my-cluster``-fluent-bit-logs` and the Fluent Bit logstream name is `fluent-bit-[.replaceable]``podname``-[.replaceable]``pod-namespace```. [NOTE] ==== -* The process logs are shipped only when the [.noloc]`Fluent Bit` process successfully starts. If there is a failure while starting [.noloc]`Fluent Bit`, the process logs are missed. You can only ship process logs to CloudWatch. -* To debug shipping process logs to your account, you can apply the previous `ConfigMap` to get the process logs. [.noloc]`Fluent Bit` failing to start is usually due to your `ConfigMap` not being parsed or accepted by [.noloc]`Fluent Bit` while starting. +* The process logs are shipped only when the Fluent Bit process successfully starts. If there is a failure while starting Fluent Bit, the process logs are missed. You can only ship process logs to CloudWatch. +* To debug shipping process logs to your account, you can apply the previous `ConfigMap` to get the process logs. Fluent Bit failing to start is usually due to your `ConfigMap` not being parsed or accepted by Fluent Bit while starting. ==== [#stop-fluent-bit-process-logs] -=== To stop shipping [.noloc]`Fluent Bit` process logs +=== To stop shipping Fluent Bit process logs -Shipping [.noloc]`Fluent Bit` process logs to CloudWatch requires additional log ingestion and storage costs. To exclude process logs in an existing `ConfigMap` setup, do the following steps. +Shipping Fluent Bit process logs to CloudWatch requires additional log ingestion and storage costs. To exclude process logs in an existing `ConfigMap` setup, do the following steps. -. Locate the CloudWatch log group automatically created for your Amazon EKS cluster's [.noloc]`Fluent Bit` process logs after enabling Fargate logging. It follows the format `{cluster_name}-fluent-bit-logs`. -. Delete the existing CloudWatch log streams created for each [.noloc]`Pod's` process logs in the CloudWatch log group. +. Locate the CloudWatch log group automatically created for your Amazon EKS cluster's Fluent Bit process logs after enabling Fargate logging. It follows the format `{cluster_name}-fluent-bit-logs`. +. Delete the existing CloudWatch log streams created for each Pod's process logs in the CloudWatch log group. . Edit the `ConfigMap` and set `flb_log_cw: "false"`. -. Restart any existing [.noloc]`Pods` in the cluster. +. Restart any existing Pods in the cluster. [#fargate-logging-test-application] == Test application -. Deploy a sample [.noloc]`Pod`. +. Deploy a sample Pod. + .. Save the following contents to a file named `sample-app.yaml` on your computer. + @@ -400,7 +400,7 @@ We suggest that you plan for up to 50 MB of memory for the log router. If you ex [#fargate-logging-troubleshooting] == Troubleshooting -To confirm whether the logging feature is enabled or disabled for some reason, such as an invalid `ConfigMap`, and why it's invalid, check your [.noloc]`Pod` events with `kubectl describe pod [.replaceable]``pod-name```. The output might include [.noloc]`Pod` events that clarify whether logging is enabled or not, such as the following example output. +To confirm whether the logging feature is enabled or disabled for some reason, such as an invalid `ConfigMap`, and why it's invalid, check your Pod events with `kubectl describe pod [.replaceable]``pod-name```. The output might include Pod events that clarify whether logging is enabled or not, such as the following example output. [source,bash,subs="verbatim,attributes"] ---- @@ -415,4 +415,4 @@ Events: Warning LoggingDisabled fargate-scheduler Disabled logging because aws-logging configmap was not found. configmap "aws-logging" not found ---- -The [.noloc]`Pod` events are ephemeral with a time period depending on the settings. You can also view a [.noloc]`Pod's` annotations using `kubectl describe pod [.replaceable]``pod-name```. In the [.noloc]`Pod` annotation, there is information about whether the logging feature is enabled or disabled and the reason. \ No newline at end of file +The Pod events are ephemeral with a time period depending on the settings. You can also view a Pod's annotations using `kubectl describe pod [.replaceable]``pod-name```. In the Pod annotation, there is information about whether the logging feature is enabled or disabled and the reason. \ No newline at end of file diff --git a/latest/ug/nodes/fargate-pod-configuration.adoc b/latest/ug/nodes/fargate-pod-configuration.adoc index b269bd6ee..a56fd5a84 100644 --- a/latest/ug/nodes/fargate-pod-configuration.adoc +++ b/latest/ug/nodes/fargate-pod-configuration.adoc @@ -1,43 +1,43 @@ [.topic] [#fargate-pod-configuration] -= Understand Fargate [.noloc]`Pod` configuration details += Understand Fargate Pod configuration details :info_titleabbrev: Pod configuration details include::../attributes.txt[] [abstract] -- -This section describes some of the unique [.noloc]`Pod` configuration details for running [.noloc]`Kubernetes` [.noloc]`Pods` on {aws} Fargate. +This section describes some of the unique Pod configuration details for running Kubernetes Pods on {aws} Fargate. -- -This section describes some of the unique [.noloc]`Pod` configuration details for running [.noloc]`Kubernetes` [.noloc]`Pods` on {aws} Fargate. +This section describes some of the unique Pod configuration details for running Kubernetes Pods on {aws} Fargate. [#fargate-cpu-and-memory] -== [.noloc]`Pod` CPU and memory +== Pod CPU and memory -With [.noloc]`Kubernetes`, you can define requests, a minimum vCPU amount, and memory resources that are allocated to each container in a [.noloc]`Pod`. [.noloc]`Pods` are scheduled by [.noloc]`Kubernetes` to ensure that at least the requested resources for each [.noloc]`Pod` are available on the compute resource. For more information, see https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/[Managing compute resources for containers] in the [.noloc]`Kubernetes` documentation. +With Kubernetes, you can define requests, a minimum vCPU amount, and memory resources that are allocated to each container in a Pod. Pods are scheduled by Kubernetes to ensure that at least the requested resources for each Pod are available on the compute resource. For more information, see https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/[Managing compute resources for containers] in the Kubernetes documentation. [NOTE] ==== -Since Amazon EKS Fargate runs only one [.noloc]`Pod` per node, the scenario of evicting [.noloc]`Pods` in case of fewer resources doesn't occur. All Amazon EKS Fargate [.noloc]`Pods` run with guaranteed priority, so the requested CPU and memory must be equal to the limit for all of the containers. For more information, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/[Configure Quality of Service for Pods] in the [.noloc]`Kubernetes` documentation. +Since Amazon EKS Fargate runs only one Pod per node, the scenario of evicting Pods in case of fewer resources doesn't occur. All Amazon EKS Fargate Pods run with guaranteed priority, so the requested CPU and memory must be equal to the limit for all of the containers. For more information, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/[Configure Quality of Service for Pods] in the Kubernetes documentation. ==== -When [.noloc]`Pods` are scheduled on Fargate, the vCPU and memory reservations within the [.noloc]`Pod` specification determine how much CPU and memory to provision for the [.noloc]`Pod`. +When Pods are scheduled on Fargate, the vCPU and memory reservations within the Pod specification determine how much CPU and memory to provision for the Pod. * The maximum request out of any Init containers is used to determine the Init request vCPU and memory requirements. * Requests for all long-running containers are added up to determine the long-running request vCPU and memory requirements. -* The larger of the previous two values is chosen for the vCPU and memory request to use for your [.noloc]`Pod`. -* Fargate adds 256 MB to each [.noloc]`Pod's` memory reservation for the required [.noloc]`Kubernetes` components (``kubelet``, `kube-proxy`, and `containerd`). +* The larger of the previous two values is chosen for the vCPU and memory request to use for your Pod. +* Fargate adds 256 MB to each Pod's memory reservation for the required Kubernetes components (``kubelet``, `kube-proxy`, and `containerd`). -Fargate rounds up to the following compute configuration that most closely matches the sum of vCPU and memory requests in order to ensure [.noloc]`Pods` always have the resources that they need to run. +Fargate rounds up to the following compute configuration that most closely matches the sum of vCPU and memory requests in order to ensure Pods always have the resources that they need to run. If you don't specify a vCPU and memory combination, then the smallest available combination is used (.25 vCPU and 0.5 GB memory). -The following table shows the vCPU and memory combinations that are available for [.noloc]`Pods` running on Fargate. +The following table shows the vCPU and memory combinations that are available for Pods running on Fargate. [cols="1,1", options="header"] |=== @@ -67,9 +67,9 @@ The following table shows the vCPU and memory combinations that are available fo |Between 32 GB and 120 GB in 8-GB increments |=== -The additional memory reserved for the [.noloc]`Kubernetes` components can cause a Fargate task with more vCPUs than requested to be provisioned. For example, a request for 1 vCPU and 8 GB memory will have 256 MB added to its memory request, and will provision a Fargate task with 2 vCPUs and 9 GB memory, since no task with 1 vCPU and 9 GB memory is available. +The additional memory reserved for the Kubernetes components can cause a Fargate task with more vCPUs than requested to be provisioned. For example, a request for 1 vCPU and 8 GB memory will have 256 MB added to its memory request, and will provision a Fargate task with 2 vCPUs and 9 GB memory, since no task with 1 vCPU and 9 GB memory is available. -There is no correlation between the size of the [.noloc]`Pod` running on Fargate and the node size reported by [.noloc]`Kubernetes` with `kubectl get nodes`. The reported node size is often larger than the [.noloc]`Pod's` capacity. You can verify [.noloc]`Pod` capacity with the following command. Replace [.replaceable]`default` with your [.noloc]`Pod's` namespace and [.replaceable]`pod-name` with the name of your [.noloc]`Pod`. +There is no correlation between the size of the Pod running on Fargate and the node size reported by Kubernetes with `kubectl get nodes`. The reported node size is often larger than the Pod's capacity. You can verify Pod capacity with the following command. Replace [.replaceable]`default` with your Pod's namespace and [.replaceable]`pod-name` with the name of your Pod. [source,bash,subs="verbatim,attributes"] ---- @@ -86,22 +86,22 @@ annotations: [...] ---- -The `CapacityProvisioned` annotation represents the enforced [.noloc]`Pod` capacity and it determines the cost of your [.noloc]`Pod` running on Fargate. For pricing information for the compute configurations, see link:fargate/pricing/[{aws} Fargate Pricing,type="marketing"]. +The `CapacityProvisioned` annotation represents the enforced Pod capacity and it determines the cost of your Pod running on Fargate. For pricing information for the compute configurations, see link:fargate/pricing/[{aws} Fargate Pricing,type="marketing"]. [#fargate-storage] == Fargate storage -A [.noloc]`Pod` running on Fargate automatically mounts an Amazon EFS file system, without needing manual driver installation steps. You can't use dynamic persistent volume provisioning with Fargate nodes, but you can use static provisioning. For more information, see https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/README.md[Amazon EFS CSI Driver] on GitHub. +A Pod running on Fargate automatically mounts an Amazon EFS file system, without needing manual driver installation steps. You can't use dynamic persistent volume provisioning with Fargate nodes, but you can use static provisioning. For more information, see https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/README.md[Amazon EFS CSI Driver] on GitHub. -When provisioned, each [.noloc]`Pod` running on Fargate receives a default 20 GiB of ephemeral storage. This type of storage is deleted after a [.noloc]`Pod` stops. New [.noloc]`Pods` launched onto Fargate have encryption of the ephemeral storage volume enabled by default. The ephemeral [.noloc]`Pod` storage is encrypted with an AES-256 encryption algorithm using {aws} Fargate managed keys. +When provisioned, each Pod running on Fargate receives a default 20 GiB of ephemeral storage. This type of storage is deleted after a Pod stops. New Pods launched onto Fargate have encryption of the ephemeral storage volume enabled by default. The ephemeral Pod storage is encrypted with an AES-256 encryption algorithm using {aws} Fargate managed keys. [NOTE] ==== -The default usable storage for Amazon EKS [.noloc]`Pods` that run on Fargate is less than 20 GiB. This is because some space is used by the `kubelet` and other [.noloc]`Kubernetes` modules that are loaded inside the [.noloc]`Pod`. +The default usable storage for Amazon EKS Pods that run on Fargate is less than 20 GiB. This is because some space is used by the `kubelet` and other Kubernetes modules that are loaded inside the Pod. ==== -You can increase the total amount of ephemeral storage up to a maximum of 175 GiB. To configure the size with [.noloc]`Kubernetes`, specify the requests of `ephemeral-storage` resource to each container in a [.noloc]`Pod`. When [.noloc]`Kubernetes` schedules [.noloc]`Pods`, it ensures that the sum of the resource requests for each [.noloc]`Pod` is less than the capacity of the Fargate task. For more information, see https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/[Resource Management for Pods and Containers] in the [.noloc]`Kubernetes` documentation. +You can increase the total amount of ephemeral storage up to a maximum of 175 GiB. To configure the size with Kubernetes, specify the requests of `ephemeral-storage` resource to each container in a Pod. When Kubernetes schedules Pods, it ensures that the sum of the resource requests for each Pod is less than the capacity of the Fargate task. For more information, see https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/[Resource Management for Pods and Containers] in the Kubernetes documentation. Amazon EKS Fargate provisions more ephemeral storage than requested for the purposes of system use. For example, a request of 100 GiB will provision a Fargate task with 115 GiB ephemeral storage. \ No newline at end of file diff --git a/latest/ug/nodes/fargate-pod-patching.adoc b/latest/ug/nodes/fargate-pod-patching.adoc index 6dba9613f..297acb80b 100644 --- a/latest/ug/nodes/fargate-pod-patching.adoc +++ b/latest/ug/nodes/fargate-pod-patching.adoc @@ -9,24 +9,24 @@ include::../attributes.txt[] Amazon EKS periodically patches the OS for {aws} Fargate nodes to keep them secure. -- -Amazon EKS periodically patches the OS for {aws} Fargate nodes to keep them secure. As part of the patching process, we recycle the nodes to install OS patches. Updates are attempted in a way that creates the least impact on your services. However, if [.noloc]`Pods` aren't successfully evicted, there are times when they must be deleted. The following are actions that you can take to minimize potential disruptions: +Amazon EKS periodically patches the OS for {aws} Fargate nodes to keep them secure. As part of the patching process, we recycle the nodes to install OS patches. Updates are attempted in a way that creates the least impact on your services. However, if Pods aren't successfully evicted, there are times when they must be deleted. The following are actions that you can take to minimize potential disruptions: -* Set appropriate [.noloc]`Pod` disruption budgets (PDBs) to control the number of [.noloc]`Pods` that are down simultaneously. -* Create Amazon EventBridge rules to handle failed evictions before the [.noloc]`Pods` are deleted. +* Set appropriate Pod disruption budgets (PDBs) to control the number of Pods that are down simultaneously. +* Create Amazon EventBridge rules to handle failed evictions before the Pods are deleted. * Manually restart your affected pods before the eviction date posted in the notification you receive. * Create a notification configuration in {aws} User Notifications. -Amazon EKS works closely with the [.noloc]`Kubernetes` community to make bug fixes and security patches available as quickly as possible. All Fargate [.noloc]`Pods` start on the most recent [.noloc]`Kubernetes` patch version, which is available from Amazon EKS for the [.noloc]`Kubernetes` version of your cluster. If you have a [.noloc]`Pod` with an older patch version, Amazon EKS might recycle it to update it to the latest version. This ensures that your [.noloc]`Pods` are equipped with the latest security updates. That way, if there's a critical https://cve.mitre.org/[Common Vulnerabilities and Exposures] (CVE) issue, you're kept up to date to reduce security risks. +Amazon EKS works closely with the Kubernetes community to make bug fixes and security patches available as quickly as possible. All Fargate Pods start on the most recent Kubernetes patch version, which is available from Amazon EKS for the Kubernetes version of your cluster. If you have a Pod with an older patch version, Amazon EKS might recycle it to update it to the latest version. This ensures that your Pods are equipped with the latest security updates. That way, if there's a critical https://cve.mitre.org/[Common Vulnerabilities and Exposures] (CVE) issue, you're kept up to date to reduce security risks. When the {aws} Fargate OS is updated, Amazon EKS will send you a notification that includes your affected resources and the date of upcoming pod evictions. If the provided eviction date is inconvenient, you have the option to manually restart your affected pods before the eviction date posted in the notification. Any pods created before the time at which you receive the notification are subject to eviction. Refer to the https://kubernetes.io/docs/reference/kubectl/generated/kubectl_rollout/kubectl_rollout_restart[Kubernetes Documentation] for further instructions on how to manually restart your pods. -To limit the number of [.noloc]`Pods` that are down at one time when [.noloc]`Pods` are recycled, you can set [.noloc]`Pod` disruption budgets (PDBs). You can use PDBs to define minimum availability based on the requirements of each of your applications while still allowing updates to occur. Your PDB's minimum availability must be less than 100%. For more information, see https://kubernetes.io/docs/tasks/run-application/configure-pdb/[Specifying a Disruption Budget for your Application] in the [.noloc]`Kubernetes` Documentation. +To limit the number of Pods that are down at one time when Pods are recycled, you can set Pod disruption budgets (PDBs). You can use PDBs to define minimum availability based on the requirements of each of your applications while still allowing updates to occur. Your PDB's minimum availability must be less than 100%. For more information, see https://kubernetes.io/docs/tasks/run-application/configure-pdb/[Specifying a Disruption Budget for your Application] in the Kubernetes Documentation. -Amazon EKS uses the https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/#eviction-api[Eviction API] to safely drain the [.noloc]`Pod` while respecting the PDBs that you set for the application. Pods are evicted by Availability Zone to minimize impact. If the eviction succeeds, the new [.noloc]`Pod` gets the latest patch and no further action is required. +Amazon EKS uses the https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/#eviction-api[Eviction API] to safely drain the Pod while respecting the PDBs that you set for the application. Pods are evicted by Availability Zone to minimize impact. If the eviction succeeds, the new Pod gets the latest patch and no further action is required. -When the eviction for a [.noloc]`Pod` fails, Amazon EKS sends an event to your account with details about the [.noloc]`Pods` that failed eviction. You can act on the message before the scheduled termination time. The specific time varies based on the urgency of the patch. When it's time, Amazon EKS attempts to evict the [.noloc]`Pods` again. However, this time a new event isn't sent if the eviction fails. If the eviction fails again, your existing [.noloc]`Pods` are deleted periodically so that the new [.noloc]`Pods` can have the latest patch. +When the eviction for a Pod fails, Amazon EKS sends an event to your account with details about the Pods that failed eviction. You can act on the message before the scheduled termination time. The specific time varies based on the urgency of the patch. When it's time, Amazon EKS attempts to evict the Pods again. However, this time a new event isn't sent if the eviction fails. If the eviction fails again, your existing Pods are deleted periodically so that the new Pods can have the latest patch. -The following is a sample event received when the [.noloc]`Pod` eviction fails. It contains details about the cluster, [.noloc]`Pod` name, [.noloc]`Pod` namespace, Fargate profile, and the scheduled termination time. +The following is a sample event received when the Pod eviction fails. It contains details about the cluster, Pod name, Pod namespace, Fargate profile, and the scheduled termination time. [source,json,subs="verbatim,attributes"] ---- @@ -52,14 +52,14 @@ The following is a sample event received when the [.noloc]`Pod` eviction fails. } ---- -In addition, having multiple PDBs associated with a [.noloc]`Pod` can cause an eviction failure event. This event returns the following error message. +In addition, having multiple PDBs associated with a Pod can cause an eviction failure event. This event returns the following error message. [source,json,subs="verbatim,attributes"] ---- "evictErrorMessage": "This pod has multiple PodDisruptionBudget, which the eviction subresource does not support", ---- -You can create a desired action based on this event. For example, you can adjust your [.noloc]`Pod` disruption budget (PDB) to control how the [.noloc]`Pods` are evicted. More specifically, suppose that you start with a PDB that specifies the target percentage of [.noloc]`Pods` that are available. Before your [.noloc]`Pods` are force terminated during an upgrade, you can adjust the PDB to a different percentage of [.noloc]`Pods`. To receive this event, you must create an Amazon EventBridge rule in the {aws} account and {aws} Region that the cluster belongs to. The rule must use the following *Custom pattern*. For more information, see link:eventbridge/latest/userguide/eb-create-rule.html[Creating Amazon EventBridge rules that react to events,type="documentation"] in the _Amazon EventBridge User Guide_. +You can create a desired action based on this event. For example, you can adjust your Pod disruption budget (PDB) to control how the Pods are evicted. More specifically, suppose that you start with a PDB that specifies the target percentage of Pods that are available. Before your Pods are force terminated during an upgrade, you can adjust the PDB to a different percentage of Pods. To receive this event, you must create an Amazon EventBridge rule in the {aws} account and {aws} Region that the cluster belongs to. The rule must use the following *Custom pattern*. For more information, see link:eventbridge/latest/userguide/eb-create-rule.html[Creating Amazon EventBridge rules that react to events,type="documentation"] in the _Amazon EventBridge User Guide_. [source,json,subs="verbatim,attributes"] ---- diff --git a/latest/ug/nodes/fargate-profile.adoc b/latest/ug/nodes/fargate-profile.adoc index 0b1cd0e8c..87d7802f0 100644 --- a/latest/ug/nodes/fargate-profile.adoc +++ b/latest/ug/nodes/fargate-profile.adoc @@ -1,28 +1,28 @@ include::../attributes.txt[] [.topic] [#fargate-profile] -= Define which [.noloc]`Pods` use {aws} Fargate when launched += Define which Pods use {aws} Fargate when launched :info_titleabbrev: Define profiles [abstract] -- -Before you schedule [.noloc]`Pods` on Fargate in your cluster, you must define at least one Fargate profile that specifies which [.noloc]`Pods` use Fargate when launched. +Before you schedule Pods on Fargate in your cluster, you must define at least one Fargate profile that specifies which Pods use Fargate when launched. -- -Before you schedule [.noloc]`Pods` on Fargate in your cluster, you must define at least one Fargate profile that specifies which [.noloc]`Pods` use Fargate when launched. +Before you schedule Pods on Fargate in your cluster, you must define at least one Fargate profile that specifies which Pods use Fargate when launched. -As an administrator, you can use a Fargate profile to declare which [.noloc]`Pods` run on Fargate. You can do this through the profile's selectors. You can add up to five selectors to each profile. Each selector must contain a namespace. The selector can also include labels. The label field consists of multiple optional key-value pairs. Pods that match a selector are scheduled on Fargate. Pods are matched using a namespace and the labels that are specified in the selector. If a namespace selector is defined without labels, Amazon EKS attempts to schedule all the [.noloc]`Pods` that run in that namespace onto Fargate using the profile. If a to-be-scheduled [.noloc]`Pod` matches any of the selectors in the Fargate profile, then that [.noloc]`Pod` is scheduled on Fargate. +As an administrator, you can use a Fargate profile to declare which Pods run on Fargate. You can do this through the profile's selectors. You can add up to five selectors to each profile. Each selector must contain a namespace. The selector can also include labels. The label field consists of multiple optional key-value pairs. Pods that match a selector are scheduled on Fargate. Pods are matched using a namespace and the labels that are specified in the selector. If a namespace selector is defined without labels, Amazon EKS attempts to schedule all the Pods that run in that namespace onto Fargate using the profile. If a to-be-scheduled Pod matches any of the selectors in the Fargate profile, then that Pod is scheduled on Fargate. -If a [.noloc]`Pod` matches multiple Fargate profiles, you can specify which profile a [.noloc]`Pod` uses by adding the following [.noloc]`Kubernetes` label to the [.noloc]`Pod` specification: `eks.amazonaws.com/fargate-profile: my-fargate-profile`. The [.noloc]`Pod` must match a selector in that profile to be scheduled onto Fargate. [.noloc]`Kubernetes` affinity/anti-affinity rules do not apply and aren't necessary with Amazon EKS Fargate [.noloc]`Pods`. +If a Pod matches multiple Fargate profiles, you can specify which profile a Pod uses by adding the following Kubernetes label to the Pod specification: `eks.amazonaws.com/fargate-profile: my-fargate-profile`. The Pod must match a selector in that profile to be scheduled onto Fargate. Kubernetes affinity/anti-affinity rules do not apply and aren't necessary with Amazon EKS Fargate Pods. -When you create a Fargate profile, you must specify a [.noloc]`Pod` execution role. This execution role is for the Amazon EKS components that run on the Fargate infrastructure using the profile. It's added to the cluster's [.noloc]`Kubernetes` https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Role Based Access Control] (RBAC) for authorization. That way, the `kubelet` that runs on the Fargate infrastructure can register with your Amazon EKS cluster and appear in your cluster as a node. The [.noloc]`Pod` execution role also provides IAM permissions to the Fargate infrastructure to allow read access to Amazon ECR image repositories. For more information, see <>. +When you create a Fargate profile, you must specify a Pod execution role. This execution role is for the Amazon EKS components that run on the Fargate infrastructure using the profile. It's added to the cluster's Kubernetes https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Role Based Access Control] (RBAC) for authorization. That way, the `kubelet` that runs on the Fargate infrastructure can register with your Amazon EKS cluster and appear in your cluster as a node. The Pod execution role also provides IAM permissions to the Fargate infrastructure to allow read access to Amazon ECR image repositories. For more information, see <>. Fargate profiles can't be changed. However, you can create a new updated profile to replace an existing profile, and then delete the original. [NOTE] ==== -Any [.noloc]`Pods` that are running using a Fargate profile are stopped and put into a pending state when the profile is deleted. +Any Pods that are running using a Fargate profile are stopped and put into a pending state when the profile is deleted. ==== @@ -31,11 +31,11 @@ If any Fargate profiles in a cluster are in the `DELETING` status, you must wait [NOTE] ==== -Fargate does not currently support [.noloc]`Kubernetes` https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/[topologySpreadConstraints]. +Fargate does not currently support Kubernetes https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/[topologySpreadConstraints]. ==== -Amazon EKS and Fargate spread [.noloc]`Pods` across each of the subnets that's defined in the Fargate profile. However, you might end up with an uneven spread. If you must have an even spread, use two Fargate profiles. Even spread is important in scenarios where you want to deploy two replicas and don't want any downtime. We recommend that each profile has only one subnet. +Amazon EKS and Fargate spread Pods across each of the subnets that's defined in the Fargate profile. However, you might end up with an uneven spread. If you must have an even spread, use two Fargate profiles. Even spread is important in scenarios where you want to deploy two replicas and don't want any downtime. We recommend that each profile has only one subnet. [#fargate-profile-components] == Fargate profile components @@ -45,26 +45,26 @@ The following components are contained in a Fargate profile. *Pod execution role*:: -When your cluster creates [.noloc]`Pods` on {aws} Fargate, the `kubelet` that's running on the Fargate infrastructure must make calls to {aws} APIs on your behalf. For example, it needs to make calls to pull container images from Amazon ECR. The Amazon EKS [.noloc]`Pod` execution role provides the IAM permissions to do this. +When your cluster creates Pods on {aws} Fargate, the `kubelet` that's running on the Fargate infrastructure must make calls to {aws} APIs on your behalf. For example, it needs to make calls to pull container images from Amazon ECR. The Amazon EKS Pod execution role provides the IAM permissions to do this. + -When you create a Fargate profile, you must specify a [.noloc]`Pod` execution role to use with your [.noloc]`Pods`. This role is added to the cluster's [.noloc]`Kubernetes` https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Role-based access control] (RBAC) for authorization. This is so that the `kubelet` that's running on the Fargate infrastructure can register with your Amazon EKS cluster and appear in your cluster as a node. For more information, see <>. +When you create a Fargate profile, you must specify a Pod execution role to use with your Pods. This role is added to the cluster's Kubernetes https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Role-based access control] (RBAC) for authorization. This is so that the `kubelet` that's running on the Fargate infrastructure can register with your Amazon EKS cluster and appear in your cluster as a node. For more information, see <>. *Subnets*:: -The IDs of subnets to launch [.noloc]`Pods` into that use this profile. At this time, [.noloc]`Pods` that are running on Fargate aren't assigned public IP addresses. Therefore, only private subnets with no direct route to an Internet Gateway are accepted for this parameter. +The IDs of subnets to launch Pods into that use this profile. At this time, Pods that are running on Fargate aren't assigned public IP addresses. Therefore, only private subnets with no direct route to an Internet Gateway are accepted for this parameter. *Selectors*:: -The selectors to match for [.noloc]`Pods` to use this Fargate profile. You might specify up to five selectors in a Fargate profile. The selectors have the following components: +The selectors to match for Pods to use this Fargate profile. You might specify up to five selectors in a Fargate profile. The selectors have the following components: + -** *Namespace* – You must specify a namespace for a selector. The selector only matches [.noloc]`Pods` that are created in this namespace. However, you can create multiple selectors to target multiple namespaces. -** *Labels* – You can optionally specify [.noloc]`Kubernetes` labels to match for the selector. The selector only matches [.noloc]`Pods` that have all of the labels that are specified in the selector. +** *Namespace* – You must specify a namespace for a selector. The selector only matches Pods that are created in this namespace. However, you can create multiple selectors to target multiple namespaces. +** *Labels* – You can optionally specify Kubernetes labels to match for the selector. The selector only matches Pods that have all of the labels that are specified in the selector. [#fargate-profile-wildcards] == Fargate profile wildcards -In addition to characters allowed by [.noloc]`Kubernetes`, you're allowed to use `{asterisk}` and `?` in the selector criteria for namespaces, label keys, and label values: +In addition to characters allowed by Kubernetes, you're allowed to use `{asterisk}` and `?` in the selector criteria for namespaces, label keys, and label values: @@ -73,18 +73,18 @@ In addition to characters allowed by [.noloc]`Kubernetes`, you're allowed to use These wildcard characters can be used in any position and in combination (for example, `prod*`, `\*dev`, and `frontend*?`). Other wildcards and forms of pattern matching, such as regular expressions, aren't supported. -If there are multiple matching profiles for the namespace and labels in the [.noloc]`Pod` spec, Fargate picks up the profile based on alphanumeric sorting by profile name. For example, if both profile A (with the name `beta-workload`) and profile B (with the name `prod-workload`) have matching selectors for the [.noloc]`Pods` to be launched, Fargate picks profile A (`beta-workload`) for the [.noloc]`Pods`. The [.noloc]`Pods` have labels with profile A on the [.noloc]`Pods` (for example, `eks.amazonaws.com/fargate-profile=beta-workload`). +If there are multiple matching profiles for the namespace and labels in the Pod spec, Fargate picks up the profile based on alphanumeric sorting by profile name. For example, if both profile A (with the name `beta-workload`) and profile B (with the name `prod-workload`) have matching selectors for the Pods to be launched, Fargate picks profile A (`beta-workload`) for the Pods. The Pods have labels with profile A on the Pods (for example, `eks.amazonaws.com/fargate-profile=beta-workload`). -If you want to migrate existing Fargate [.noloc]`Pods` to new profiles that use wildcards, there are two ways to do so: +If you want to migrate existing Fargate Pods to new profiles that use wildcards, there are two ways to do so: * Create a new profile with matching selectors, then delete the old profiles. Pods labeled with old profiles are rescheduled to new matching profiles. -* If you want to migrate workloads but aren't sure what Fargate labels are on each Fargate [.noloc]`Pod`, you can use the following method. Create a new profile with a name that sorts alphanumerically first among the profiles on the same cluster. Then, recycle the Fargate [.noloc]`Pods` that need to be migrated to new profiles. +* If you want to migrate workloads but aren't sure what Fargate labels are on each Fargate Pod, you can use the following method. Create a new profile with a name that sorts alphanumerically first among the profiles on the same cluster. Then, recycle the Fargate Pods that need to be migrated to new profiles. [#create-fargate-profile] == Create a Fargate profile -This section describes how to create a Fargate profile. You also must have created a [.noloc]`Pod` execution role to use for your Fargate profile. For more information, see <>. [.noloc]`Pods` that are running on Fargate are only supported on private subnets with link:vpc/latest/userguide/vpc-nat-gateway.html[NAT gateway,type="documentation"] access to {aws} services, but not a direct route to an Internet Gateway. This is so that your cluster's VPC must have private subnets available. +This section describes how to create a Fargate profile. You also must have created a Pod execution role to use for your Fargate profile. For more information, see <>. Pods that are running on Fargate are only supported on private subnets with link:vpc/latest/userguide/vpc-nat-gateway.html[NAT gateway,type="documentation"] access to {aws} services, but not a direct route to an Internet Gateway. This is so that your cluster's VPC must have private subnets available. You can create a profile with the following: @@ -120,21 +120,21 @@ You can use certain wildcards for `my-kubernetes-namespace` and `key=value` labe . On the *Configure Fargate profile* page, do the following: + .. For *Name*, enter a unique name for your Fargate profile, such as `my-profile`. -.. For *Pod execution role*, choose the [.noloc]`Pod` execution role to use with your Fargate profile. Only the IAM roles with the `eks-fargate-pods.amazonaws.com` service principal are shown. If you don't see any roles listed, you must create one. For more information, see <>. +.. For *Pod execution role*, choose the Pod execution role to use with your Fargate profile. Only the IAM roles with the `eks-fargate-pods.amazonaws.com` service principal are shown. If you don't see any roles listed, you must create one. For more information, see <>. .. Modify the selected *Subnets* as needed. + -NOTE: Only private subnets are supported for [.noloc]`Pods` that are running on Fargate. -.. For *Tags*, you can optionally tag your Fargate profile. These tags don't propagate to other resources that are associated with the profile, such as [.noloc]`Pods`. +NOTE: Only private subnets are supported for Pods that are running on Fargate. +.. For *Tags*, you can optionally tag your Fargate profile. These tags don't propagate to other resources that are associated with the profile, such as Pods. .. Choose *Next*. -. On the *Configure [.noloc]`Pod` selection* page, do the following: +. On the *Configure Pod selection* page, do the following: + -.. For *Namespace*, enter a namespace to match for [.noloc]`Pods`. +.. For *Namespace*, enter a namespace to match for Pods. + *** You can use specific namespaces to match, such as `kube-system` or `default`. *** You can use certain wildcards (for example, `prod-*`) to match multiple namespaces (for example, `prod-deployment` and `prod-test`). For more information, see <>. -.. (Optional) Add [.noloc]`Kubernetes` labels to the selector. Specifically, add them to the one that the [.noloc]`Pods` in the specified namespace need to match. +.. (Optional) Add Kubernetes labels to the selector. Specifically, add them to the one that the Pods in the specified namespace need to match. + -*** You can add the label `infrastructure: fargate` to the selector so that only [.noloc]`Pods` in the specified namespace that also have the `infrastructure: fargate` [.noloc]`Kubernetes` label match the selector. +*** You can add the label `infrastructure: fargate` to the selector so that only Pods in the specified namespace that also have the `infrastructure: fargate` Kubernetes label match the selector. *** You can use certain wildcards (for example, `key?: value?`) to match multiple namespaces (for example, `keya: valuea` and `keyb: valueb`). For more information, see <>. .. Choose *Next*. . On the *Review and create* page, review the information for your Fargate profile and choose *Create*. \ No newline at end of file diff --git a/latest/ug/nodes/fargate.adoc b/latest/ug/nodes/fargate.adoc index e324dec8f..3c146c2df 100644 --- a/latest/ug/nodes/fargate.adoc +++ b/latest/ug/nodes/fargate.adoc @@ -8,14 +8,14 @@ include::../attributes.txt[] [abstract] -- -This topic discusses using Amazon EKS to run [.noloc]`Kubernetes` [.noloc]`Pods` on {aws} Fargate. +This topic discusses using Amazon EKS to run Kubernetes Pods on {aws} Fargate. -- -This topic discusses using Amazon EKS to run [.noloc]`Kubernetes` [.noloc]`Pods` on {aws} Fargate. Fargate is a technology that provides on-demand, right-sized compute capacity for link:what-are-containers[containers,type="marketing"]. With Fargate, you don't have to provision, configure, or scale groups of virtual machines on your own to run containers. You also don't need to choose server types, decide when to scale your node groups, or optimize cluster packing. +This topic discusses using Amazon EKS to run Kubernetes Pods on {aws} Fargate. Fargate is a technology that provides on-demand, right-sized compute capacity for link:what-are-containers[containers,type="marketing"]. With Fargate, you don't have to provision, configure, or scale groups of virtual machines on your own to run containers. You also don't need to choose server types, decide when to scale your node groups, or optimize cluster packing. -You can control which [.noloc]`Pods` start on Fargate and how they run with <>. Fargate profiles are defined as part of your Amazon EKS cluster. Amazon EKS integrates [.noloc]`Kubernetes` with Fargate by using controllers that are built by {aws} using the upstream, extensible model provided by [.noloc]`Kubernetes`. These controllers run as part of the Amazon EKS managed [.noloc]`Kubernetes` control plane and are responsible for scheduling native [.noloc]`Kubernetes` [.noloc]`Pods` onto Fargate. The Fargate controllers include a new scheduler that runs alongside the default [.noloc]`Kubernetes` scheduler in addition to several mutating and validating admission controllers. When you start a [.noloc]`Pod` that meets the criteria for running on Fargate, the Fargate controllers that are running in the cluster recognize, update, and schedule the [.noloc]`Pod` onto Fargate. +You can control which Pods start on Fargate and how they run with <>. Fargate profiles are defined as part of your Amazon EKS cluster. Amazon EKS integrates Kubernetes with Fargate by using controllers that are built by {aws} using the upstream, extensible model provided by Kubernetes. These controllers run as part of the Amazon EKS managed Kubernetes control plane and are responsible for scheduling native Kubernetes Pods onto Fargate. The Fargate controllers include a new scheduler that runs alongside the default Kubernetes scheduler in addition to several mutating and validating admission controllers. When you start a Pod that meets the criteria for running on Fargate, the Fargate controllers that are running in the cluster recognize, update, and schedule the Pod onto Fargate. -This topic describes the different components of [.noloc]`Pods` that run on Fargate, and calls out special considerations for using Fargate with Amazon EKS. +This topic describes the different components of Pods that run on Fargate, and calls out special considerations for using Fargate with Amazon EKS. [#fargate-considerations] == {aws} Fargate considerations @@ -24,33 +24,33 @@ Here are some things to consider about using Fargate on Amazon EKS. -* Each [.noloc]`Pod` that runs on Fargate has its own isolation boundary. They don't share the underlying kernel, CPU resources, memory resources, or elastic network interface with another [.noloc]`Pod`. +* Each Pod that runs on Fargate has its own isolation boundary. They don't share the underlying kernel, CPU resources, memory resources, or elastic network interface with another Pod. * Network Load Balancers and Application Load Balancers (ALBs) can be used with Fargate with IP targets only. For more information, see <> and <>. * Fargate exposed services only run on target type IP mode, and not on node IP mode. The recommended way to check the connectivity from a service running on a managed node and a service running on Fargate is to connect via service name. -* Pods must match a Fargate profile at the time that they're scheduled to run on Fargate. Pods that don't match a Fargate profile might be stuck as `Pending`. If a matching Fargate profile exists, you can delete pending [.noloc]`Pods` that you have created to reschedule them onto Fargate. -* Daemonsets aren't supported on Fargate. If your application requires a daemon, reconfigure that daemon to run as a sidecar container in your [.noloc]`Pods`. +* Pods must match a Fargate profile at the time that they're scheduled to run on Fargate. Pods that don't match a Fargate profile might be stuck as `Pending`. If a matching Fargate profile exists, you can delete pending Pods that you have created to reschedule them onto Fargate. +* Daemonsets aren't supported on Fargate. If your application requires a daemon, reconfigure that daemon to run as a sidecar container in your Pods. * Privileged containers aren't supported on Fargate. -* Pods running on Fargate can't specify `HostPort` or `HostNetwork` in the [.noloc]`Pod` manifest. -* The default `nofile` and `nproc` soft limit is 1024 and the hard limit is 65535 for Fargate [.noloc]`Pods`. +* Pods running on Fargate can't specify `HostPort` or `HostNetwork` in the Pod manifest. +* The default `nofile` and `nproc` soft limit is 1024 and the hard limit is 65535 for Fargate Pods. * GPUs aren't currently available on Fargate. * Pods that run on Fargate are only supported on private subnets (with NAT gateway access to {aws} services, but not a direct route to an Internet Gateway), so your cluster's VPC must have private subnets available. For clusters without outbound internet access, see <>. -* You can use the <> to set the initial correct size of CPU and memory for your Fargate [.noloc]`Pods`, and then use the <> to scale those [.noloc]`Pods`. If you want the Vertical Pod Autoscaler to automatically re-deploy [.noloc]`Pods` to Fargate with larger CPU and memory combinations, set the mode for the Vertical Pod Autoscaler to either `Auto` or `Recreate` to ensure correct functionality. For more information, see the https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler#quick-start[Vertical Pod Autoscaler] documentation on [.noloc]`GitHub`. +* You can use the <> to set the initial correct size of CPU and memory for your Fargate Pods, and then use the <> to scale those Pods. If you want the Vertical Pod Autoscaler to automatically re-deploy Pods to Fargate with larger CPU and memory combinations, set the mode for the Vertical Pod Autoscaler to either `Auto` or `Recreate` to ensure correct functionality. For more information, see the https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler#quick-start[Vertical Pod Autoscaler] documentation on GitHub. * DNS resolution and DNS hostnames must be enabled for your VPC. For more information, see link:vpc/latest/userguide/vpc-dns.html#vpc-dns-updating[Viewing and updating DNS support for your VPC,type="documentation"]. -* Amazon EKS Fargate adds defense-in-depth for [.noloc]`Kubernetes` applications by isolating each Pod within a Virtual Machine (VM). This VM boundary prevents access to host-based resources used by other Pods in the event of a container escape, which is a common method of attacking containerized applications and gain access to resources outside of the container. +* Amazon EKS Fargate adds defense-in-depth for Kubernetes applications by isolating each Pod within a Virtual Machine (VM). This VM boundary prevents access to host-based resources used by other Pods in the event of a container escape, which is a common method of attacking containerized applications and gain access to resources outside of the container. + Using Amazon EKS doesn't change your responsibilities under the <>. You should carefully consider the configuration of cluster security and governance controls. The safest way to isolate an application is always to run it in a separate cluster. -* Fargate profiles support specifying subnets from VPC secondary CIDR blocks. You might want to specify a secondary CIDR block. This is because there's a limited number of IP addresses available in a subnet. As a result, there's also a limited number of [.noloc]`Pods` that can be created in the cluster. By using different subnets for [.noloc]`Pods`, you can increase the number of available IP addresses. For more information, see link:vpc/latest/userguide/VPC_Subnets.html#vpc-resize[Adding IPv4 CIDR blocks to a VPC.,type="documentation"] -* The Amazon EC2 instance metadata service (IMDS) isn't available to [.noloc]`Pods` that are deployed to Fargate nodes. If you have [.noloc]`Pods` that are deployed to Fargate that need IAM credentials, assign them to your [.noloc]`Pods` using <>. If your [.noloc]`Pods` need access to other information available through IMDS, then you must hard code this information into your [.noloc]`Pod` spec. This includes the {aws} Region or Availability Zone that a [.noloc]`Pod` is deployed to. -* You can't deploy Fargate [.noloc]`Pods` to {aws} Outposts, {aws} Wavelength, or {aws} Local Zones. -* Amazon EKS must periodically patch Fargate [.noloc]`Pods` to keep them secure. We attempt the updates in a way that reduces impact, but there are times when [.noloc]`Pods` must be deleted if they aren't successfully evicted. There are some actions you can take to minimize disruption. For more information, see <>. +* Fargate profiles support specifying subnets from VPC secondary CIDR blocks. You might want to specify a secondary CIDR block. This is because there's a limited number of IP addresses available in a subnet. As a result, there's also a limited number of Pods that can be created in the cluster. By using different subnets for Pods, you can increase the number of available IP addresses. For more information, see link:vpc/latest/userguide/VPC_Subnets.html#vpc-resize[Adding IPv4 CIDR blocks to a VPC.,type="documentation"] +* The Amazon EC2 instance metadata service (IMDS) isn't available to Pods that are deployed to Fargate nodes. If you have Pods that are deployed to Fargate that need IAM credentials, assign them to your Pods using <>. If your Pods need access to other information available through IMDS, then you must hard code this information into your Pod spec. This includes the {aws} Region or Availability Zone that a Pod is deployed to. +* You can't deploy Fargate Pods to {aws} Outposts, {aws} Wavelength, or {aws} Local Zones. +* Amazon EKS must periodically patch Fargate Pods to keep them secure. We attempt the updates in a way that reduces impact, but there are times when Pods must be deleted if they aren't successfully evicted. There are some actions you can take to minimize disruption. For more information, see <>. * The https://github.com/aws/amazon-vpc-cni-plugins[Amazon VPC CNI plugin for Amazon EKS] is installed on Fargate nodes. You can't use <> with Fargate nodes. -* A [.noloc]`Pod` running on Fargate automatically mounts an Amazon EFS file system, without needing manual driver installation steps. You can't use dynamic persistent volume provisioning with Fargate nodes, but you can use static provisioning. +* A Pod running on Fargate automatically mounts an Amazon EFS file system, without needing manual driver installation steps. You can't use dynamic persistent volume provisioning with Fargate nodes, but you can use static provisioning. * Amazon EKS doesn't support Fargate Spot. -* You can't mount Amazon EBS volumes to Fargate [.noloc]`Pods`. -* You can run the Amazon EBS CSI controller on Fargate nodes, but the Amazon EBS CSI node [.noloc]`DaemonSet` can only run on Amazon EC2 instances. -* After a https://kubernetes.io/docs/concepts/workloads/controllers/job/[Kubernetes Job] is marked `Completed` or `Failed`, the [.noloc]`Pods` that the [.noloc]`Job` creates normally continue to exist. This behavior allows you to view your logs and results, but with Fargate you will incur costs if you don't clean up the [.noloc]`Job` afterwards. +* You can't mount Amazon EBS volumes to Fargate Pods. +* You can run the Amazon EBS CSI controller on Fargate nodes, but the Amazon EBS CSI node DaemonSet can only run on Amazon EC2 instances. +* After a https://kubernetes.io/docs/concepts/workloads/controllers/job/[Kubernetes Job] is marked `Completed` or `Failed`, the Pods that the Job creates normally continue to exist. This behavior allows you to view your logs and results, but with Fargate you will incur costs if you don't clean up the Job afterwards. + -To automatically delete the related [.noloc]`Pods` after a [.noloc]`Job` completes or fails, you can specify a time period using the time-to-live (TTL) controller. The following example shows specifying `.spec.ttlSecondsAfterFinished` in your [.noloc]`Job` manifest. +To automatically delete the related Pods after a Job completes or fails, you can specify a time period using the time-to-live (TTL) controller. The following example shows specifying `.spec.ttlSecondsAfterFinished` in your Job manifest. + [source,yaml,subs="verbatim,attributes"] ---- @@ -82,10 +82,10 @@ spec: |Can be deployed to an <> |No -|Can run containers that require [.noloc]`Windows` +|Can run containers that require Windows |No -|Can run containers that require [.noloc]`Linux` +|Can run containers that require Linux |Yes |Can run workloads that require the Inferentia chip @@ -100,14 +100,14 @@ spec: |Can run {aws} link:bottlerocket/[Bottlerocket,type="marketing"] |No -|Pods share a kernel runtime environment with other [.noloc]`Pods` -|No – Each [.noloc]`Pod` has a dedicated kernel +|Pods share a kernel runtime environment with other Pods +|No – Each Pod has a dedicated kernel -|Pods share CPU, memory, storage, and network resources with other [.noloc]`Pods`. -|No – Each [.noloc]`Pod` has dedicated resources and can be sized independently to maximize resource utilization. +|Pods share CPU, memory, storage, and network resources with other Pods. +|No – Each Pod has dedicated resources and can be sized independently to maximize resource utilization. -|Pods can use more hardware and memory than requested in [.noloc]`Pod` specs -|No – The [.noloc]`Pod` can be re-deployed using a larger vCPU and memory configuration though. +|Pods can use more hardware and memory than requested in Pod specs +|No – The Pod can be re-deployed using a larger vCPU and memory configuration though. |Must deploy and manage Amazon EC2 instances |No @@ -118,7 +118,7 @@ spec: |Can provide bootstrap arguments at deployment of a node, such as extra https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/[kubelet] arguments. |No -|Can assign IP addresses to [.noloc]`Pods` from a different CIDR block than the IP address assigned to the node. +|Can assign IP addresses to Pods from a different CIDR block than the IP address assigned to the node. |No |Can SSH into node @@ -133,16 +133,16 @@ spec: |Must update node AMI on your own |No -|Must update node [.noloc]`Kubernetes` version on your own +|Must update node Kubernetes version on your own |No – You don't manage nodes. -|Can use Amazon EBS storage with [.noloc]`Pods` +|Can use Amazon EBS storage with Pods |No -|Can use Amazon EFS storage with [.noloc]`Pods` +|Can use Amazon EFS storage with Pods |<> -|Can use Amazon FSx for Lustre storage with [.noloc]`Pods` +|Can use Amazon FSx for Lustre storage with Pods |No |Can use Network Load Balancer for services @@ -151,13 +151,13 @@ spec: |Pods can run in a public subnet |No -|Can assign different VPC security groups to individual [.noloc]`Pods` +|Can assign different VPC security groups to individual Pods |Yes -|Can run [.noloc]`Kubernetes` [.noloc]`DaemonSets` +|Can run Kubernetes DaemonSets |No -|Support `HostPort` and `HostNetwork` in the [.noloc]`Pod` manifest +|Support `HostPort` and `HostNetwork` in the Pod manifest |No |{aws} Region availability @@ -167,7 +167,7 @@ spec: |No |Pricing -|Cost of an individual Fargate memory and CPU configuration. Each [.noloc]`Pod` has its own cost. For more information, see link:fargate/pricing/[{aws} Fargate pricing,type="marketing"]. +|Cost of an individual Fargate memory and CPU configuration. Each Pod has its own cost. For more information, see link:fargate/pricing/[{aws} Fargate pricing,type="marketing"]. |=== diff --git a/latest/ug/nodes/hybrid-nodes-add-ons.adoc b/latest/ug/nodes/hybrid-nodes-add-ons.adoc index beeb9c034..922077a5f 100644 --- a/latest/ug/nodes/hybrid-nodes-add-ons.adoc +++ b/latest/ug/nodes/hybrid-nodes-add-ons.adoc @@ -122,7 +122,7 @@ service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip" [#hybrid-nodes-add-ons-pod-id] == EKS Pod Identity Agent add-on -The original Amazon EKS Pod Identity Agent [.noloc]`DaemonSet` relies on the availability of EC2 IMDS on the node to obtain the required {aws} credentials. As IMDS isn't available on hybrid nodes, starting in add-on version `1.3.3-eksbuild.1`, the Pod Identity Agent add-on optionally deploys a second [.noloc]`DaemonSet` that specifically targets hybrid nodes. This [.noloc]`DaemonSet` mounts the required credentials to the pods created by the Pod Identity Agent add-on. +The original Amazon EKS Pod Identity Agent DaemonSet relies on the availability of EC2 IMDS on the node to obtain the required {aws} credentials. As IMDS isn't available on hybrid nodes, starting in add-on version `1.3.3-eksbuild.1`, the Pod Identity Agent add-on optionally deploys a second DaemonSet that specifically targets hybrid nodes. This DaemonSet mounts the required credentials to the pods created by the Pod Identity Agent add-on. . To use the Pod Identity agent on hybrid nodes, set `enableCredentialsFile: true` in the hybrid section of `nodeadm` config as shown below: + diff --git a/latest/ug/nodes/hybrid-nodes-networking.adoc b/latest/ug/nodes/hybrid-nodes-networking.adoc index a8d632e9f..bd9f94c1a 100644 --- a/latest/ug/nodes/hybrid-nodes-networking.adoc +++ b/latest/ug/nodes/hybrid-nodes-networking.adoc @@ -8,7 +8,7 @@ include::../attributes.txt[] [abstract] -- -Learn about and configure the VPC and on-premises networking for joining nodes from your data centers to Amazon EKS [.noloc]`Kubernetes` clusters with Amazon EKS Hybrid Nodes. +Learn about and configure the VPC and on-premises networking for joining nodes from your data centers to Amazon EKS Kubernetes clusters with Amazon EKS Hybrid Nodes. -- This topic provides an overview of the networking setup you must have configured before creating your Amazon EKS cluster and attaching hybrid nodes. This guide assumes you have met the prerequisite requirements for hybrid network connectivity using link:vpn/latest/s2svpn/SetUpVPNConnections.html[{aws} Site-to-Site VPN,type="documentation"], link:directconnect/latest/UserGuide/Welcome.html[{aws} Direct Connect,type="documentation"], or your own VPN solution. @@ -113,15 +113,15 @@ Depending on your choice of CNI, you need to configure additional network access |443 |Remote Node CIDR(s) |EKS cluster IPs ^1^ -|[.noloc]`kubelet` to Kubernetes API server +|kubelet to Kubernetes API server |HTTPS |TCP |Outbound |443 -|Remote [.noloc]`Pod` CIDR(s) +|Remote Pod CIDR(s) |EKS cluster IPs ^1^ -|[.noloc]`Pod` to Kubernetes API server +|Pod to Kubernetes API server |HTTPS |TCP @@ -143,9 +143,9 @@ Depending on your choice of CNI, you need to configure additional network access |TCP |Outbound |443 -|Remote [.noloc]`Pod` CIDR(s) +|Remote Pod CIDR(s) |link:general/latest/gr/sts.html[STS Regional Endpoint,type="documentation"] -|[.noloc]`Pod` to STS endpoint, only required for IRSA +|Pod to STS endpoint, only required for IRSA |HTTPS |TCP @@ -153,7 +153,7 @@ Depending on your choice of CNI, you need to configure additional network access |443 |Remote Node CIDR(s) |link:general/latest/gr/eks.html[Amazon EKS Auth service endpoint,type="documentation"] -|Node to Amazon EKS Auth endpoint, only required for Amazon EKS [.noloc]`Pod` Identity +|Node to Amazon EKS Auth endpoint, only required for Amazon EKS Pod Identity |HTTPS |TCP @@ -161,31 +161,31 @@ Depending on your choice of CNI, you need to configure additional network access |10250 |EKS cluster IPs ^1^ |Remote Node CIDR(s) -|[.noloc]`kubelet` to Kubernetes API server +|kubelet to Kubernetes API server |HTTPS |TCP |Inbound |Webhook ports |EKS cluster IPs ^1^ -|Remote [.noloc]`Pod` CIDR(s) +|Remote Pod CIDR(s) |Kubernetes API server to webhooks |HTTPS |TCP,UDP |Inbound,Outbound |53 -|Remote [.noloc]`Pod` CIDR(s) -|Remote [.noloc]`Pod` CIDR(s) -|[.noloc]`Pod` to CoreDNS. If you run at least 1 replica of CoreDNS in the cloud, you must allow DNS traffic to the VPC where CoreDNS is running. +|Remote Pod CIDR(s) +|Remote Pod CIDR(s) +|Pod to CoreDNS. If you run at least 1 replica of CoreDNS in the cloud, you must allow DNS traffic to the VPC where CoreDNS is running. |User-defined |User-defined |Inbound,Outbound |App ports -|Remote [.noloc]`Pod` CIDR(s) -|Remote [.noloc]`Pod` CIDR(s) -|[.noloc]`Pod` to [.noloc]`Pod` +|Remote Pod CIDR(s) +|Remote Pod CIDR(s) +|Pod to Pod |=== [NOTE] @@ -313,7 +313,7 @@ aws ec2 create-route \ ---- -*Remote [.noloc]`Pod` network* +*Remote Pod network* [source,cli,subs="verbatim,attributes,quotes"] ---- diff --git a/latest/ug/nodes/hybrid-nodes-os.adoc b/latest/ug/nodes/hybrid-nodes-os.adoc index 3951c5262..742577468 100644 --- a/latest/ug/nodes/hybrid-nodes-os.adoc +++ b/latest/ug/nodes/hybrid-nodes-os.adoc @@ -66,7 +66,7 @@ Fatal glibc error: This version of Amazon Linux requires a newer ARM64 processor == Building operating system images -Amazon EKS provides https://github.com/aws/eks-hybrid/tree/main/example/packer[example Packer templates] you can use to create operating system images that include `nodeadm` and configure it to run at host-startup. This process is recommended to avoid pulling the hybrid nodes dependencies individually on each host and to automate the hybrid nodes bootstrap process. You can use the example Packer templates with an Ubuntu 22.04, Ubuntu 24.04, RHEL 8 or RHEL 9 ISO image and can output images with these formats: OVA, [.noloc]`Qcow2`, or raw. +Amazon EKS provides https://github.com/aws/eks-hybrid/tree/main/example/packer[example Packer templates] you can use to create operating system images that include `nodeadm` and configure it to run at host-startup. This process is recommended to avoid pulling the hybrid nodes dependencies individually on each host and to automate the hybrid nodes bootstrap process. You can use the example Packer templates with an Ubuntu 22.04, Ubuntu 24.04, RHEL 8 or RHEL 9 ISO image and can output images with these formats: OVA, Qcow2, or raw. === Prerequisites diff --git a/latest/ug/nodes/hybrid-nodes-overview.adoc b/latest/ug/nodes/hybrid-nodes-overview.adoc index ab5c724fc..7d15b6665 100644 --- a/latest/ug/nodes/hybrid-nodes-overview.adoc +++ b/latest/ug/nodes/hybrid-nodes-overview.adoc @@ -8,12 +8,12 @@ include::../attributes.txt[] [abstract] -- -Join nodes from your data centers to Amazon EKS [.noloc]`Kubernetes` clusters with Amazon EKS Hybrid Nodes. +Join nodes from your data centers to Amazon EKS Kubernetes clusters with Amazon EKS Hybrid Nodes. -- With _Amazon EKS Hybrid Nodes_, you can use your on-premises and edge infrastructure as nodes in Amazon EKS clusters. {aws} manages the {aws}-hosted Kubernetes control plane of the Amazon EKS cluster, and you manage the hybrid nodes that run in your on-premises or edge environments. This unifies Kubernetes management across your environments and offloads Kubernetes control plane management to {aws} for your on-premises and edge applications. -Amazon EKS Hybrid Nodes works with any on-premises hardware or virtual machines, bringing the efficiency, scalability, and availability of Amazon EKS to wherever your applications need to run. You can use a wide range of Amazon EKS features with Amazon EKS Hybrid Nodes including Amazon EKS add-ons, Amazon EKS [.noloc]`Pod` Identity, cluster access entries, cluster insights, and extended Kubernetes version support. Amazon EKS Hybrid Nodes natively integrates with {aws} services including {aws} Systems Manager, {aws} IAM Roles Anywhere, Amazon Managed Service for Prometheus, Amazon CloudWatch, and Amazon GuardDuty for centralized monitoring, logging, and identity management. +Amazon EKS Hybrid Nodes works with any on-premises hardware or virtual machines, bringing the efficiency, scalability, and availability of Amazon EKS to wherever your applications need to run. You can use a wide range of Amazon EKS features with Amazon EKS Hybrid Nodes including Amazon EKS add-ons, Amazon EKS Pod Identity, cluster access entries, cluster insights, and extended Kubernetes version support. Amazon EKS Hybrid Nodes natively integrates with {aws} services including {aws} Systems Manager, {aws} IAM Roles Anywhere, Amazon Managed Service for Prometheus, Amazon CloudWatch, and Amazon GuardDuty for centralized monitoring, logging, and identity management. With Amazon EKS Hybrid Nodes, there are no upfront commitments or minimum fees, and you are charged per hour for the vCPU resources of your hybrid nodes when they are attached to your Amazon EKS clusters. For more pricing information, see link:eks/pricing/[Amazon EKS Pricing,type="marketing"]. @@ -51,7 +51,7 @@ For an overview of the other Amazon EKS options for on-premises and edge deploym * The communication between the Amazon EKS control plane and hybrid nodes is routed through the VPC and subnets you pass during cluster creation, which builds on the link:eks/latest/best-practices/subnets.html[existing mechanism,type="documentation"] in Amazon EKS for control plane to node networking. * Amazon EKS Hybrid Nodes is flexible to your preferred method of connecting your on-premises networks to a VPC in {aws}. There are several link:whitepapers/latest/aws-vpc-connectivity-options/network-to-amazon-vpc-connectivity-options.html[documented options,type="documentation"] available including {aws} Site-to-Site VPN and {aws} Direct Connect, and you can choose the method that best fits your use case. -* *IP address family*: Hybrid nodes can be used with Amazon EKS clusters configured with the `IPv4` IP address family only. You can't use Amazon EKS clusters configured with the `IPv6` IP address family. Similarly, your on-premises node and [.noloc]`Pod` CIDRs must be `IPv4` RFC1918 CIDR blocks. +* *IP address family*: Hybrid nodes can be used with Amazon EKS clusters configured with the `IPv4` IP address family only. You can't use Amazon EKS clusters configured with the `IPv6` IP address family. Similarly, your on-premises node and Pod CIDRs must be `IPv4` RFC1918 CIDR blocks. * You must enable the required domains, protocols, and ports for Amazon EKS Hybrid Nodes in your on-premises environments and firewalls. For more information, including minimum networking requirements, see <>. * *Cluster endpoint access*: You can use “Public” or “Private” cluster endpoint access. You should not use “Public and Private” cluster endpoint access, as the endpoint DNS resolution will always resolve to the public addresses for queries originating from your on-premises environment. * For information and best practices during scenarios where there are network disconnections between hybrid nodes and the {aws} Region, see the link:eks/latest/best-practices/hybrid-nodes.html[hybrid nodes,type="documentation"] section of the _Amazon EKS Best Practices Guide_. @@ -62,23 +62,23 @@ For an overview of the other Amazon EKS options for on-premises and edge deploym * Amazon EKS Hybrid Nodes use temporary IAM credentials to authenticate with your Amazon EKS cluster. You can use either {aws} IAM Roles Anywhere or {aws} Systems Manager (SSM) hybrid activations for provisioning the on-premises IAM credentials for hybrid nodes. It is recommended to use {aws} SSM hybrid activations if you do not have existing Public Key Infrastructure (PKI) with a Certificate Authority (CA) and certificates for your on-premises environments. If you do have existing PKI and certificates on-premises, use {aws} IAM Roles Anywhere. * You can use `API` or `API_AND_CONFIG_MAP` cluster authentication modes for your hybrid nodes-enabled Amazon EKS clusters. Use the cluster access entry type called `HYBRID_LINUX` with your hybrid nodes IAM role to enable hybrid nodes to join the Amazon EKS cluster. * OIDC authentication is supported for hybrid nodes-enabled Amazon EKS clusters. -* You can use Amazon EKS [.noloc]`Pod` Identities and IAM Roles for Service Accounts (IRSA) with applications running on hybrid nodes to enable granular access for your [.noloc]`Pods` running on hybrid nodes with other {aws} services. +* You can use Amazon EKS Pod Identities and IAM Roles for Service Accounts (IRSA) with applications running on hybrid nodes to enable granular access for your Pods running on hybrid nodes with other {aws} services. * You can use Amazon GuardDuty EKS Protection with hybrid nodes-enabled Amazon EKS clusters to analyze activities of users and applications accessing your cluster. *Add-ons for hybrid nodes* For detailed information, see <>. -* *Container Networking Interface (CNI)*: The {aws} VPC CNI can't be used with hybrid nodes. The core capabilities of [.noloc]`Cilium` and [.noloc]`Calico` are supported for use with hybrid nodes. You can manage your CNI with your choice of tooling such as [.noloc]`Helm`. For more information, see <>. +* *Container Networking Interface (CNI)*: The {aws} VPC CNI can't be used with hybrid nodes. The core capabilities of Cilium and Calico are supported for use with hybrid nodes. You can manage your CNI with your choice of tooling such as Helm. For more information, see <>. * *`kube-proxy` and CoreDNS*: `kube-proxy` and CoreDNS are installed automatically when hybrid nodes join the Amazon EKS cluster. These add-ons can be managed as Amazon EKS add-ons after cluster creation. * *Ingress and Load Balancing*: You can use the {aws} Load Balancer Controller and Application Load Balancer (ALB) or Network Load Balancer (NLB) with the target type `ip` for workloads on hybrid nodes connected with {aws} Direct Connect or {aws} Site-to-Site VPN. You can alternatively use your choice of Ingress controller or load balancer for application traffic that stays local to your on-premises environment. -* *Metrics*: You can use Amazon Managed Prometheus (AMP) agent-less scrapers, {aws} Distro for Open Telemetry (ADOT), and the Amazon CloudWatch Observability Agent with hybrid nodes. To use AMP agent-less scrapers for [.noloc]`Pod` metrics on hybrid nodes, your [.noloc]`Pods` must be accessible from the VPC that you use for the Amazon EKS cluster. -* *Logs*: You can enable Amazon EKS control plane logging for hybrid nodes-enabled clusters. You can use the ADOT EKS add-on and the Amazon CloudWatch Observability Agent EKS add-on for hybrid node and [.noloc]`Pod` logging. +* *Metrics*: You can use Amazon Managed Prometheus (AMP) agent-less scrapers, {aws} Distro for Open Telemetry (ADOT), and the Amazon CloudWatch Observability Agent with hybrid nodes. To use AMP agent-less scrapers for Pod metrics on hybrid nodes, your Pods must be accessible from the VPC that you use for the Amazon EKS cluster. +* *Logs*: You can enable Amazon EKS control plane logging for hybrid nodes-enabled clusters. You can use the ADOT EKS add-on and the Amazon CloudWatch Observability Agent EKS add-on for hybrid node and Pod logging. *User interfaces* * *Node management*: The Amazon EKS Hybrid Nodes CLI is called `nodeadm` and is run on each on-premises host to simplify the installation, configuration, registration, and uninstall of the hybrid nodes components. The hybrid nodes `nodeadm` version is different than the `nodeadm` version used in the AL2023 Amazon EKS-optimized AMIs. You should not use the hybrid nodes `nodeadm` version for nodes running in Amazon EC2. -* *Cluster management*: The Amazon EKS user interfaces for cluster management are the same with hybrid nodes-enabled Amazon EKS clusters. This includes the {aws-management-console}, {aws} API, {aws} SDKs, {aws} CLI, [.noloc]`eksctl` CLI, {aws} CloudFormation, and Terraform. +* *Cluster management*: The Amazon EKS user interfaces for cluster management are the same with hybrid nodes-enabled Amazon EKS clusters. This includes the {aws-management-console}, {aws} API, {aws} SDKs, {aws} CLI, eksctl CLI, {aws} CloudFormation, and Terraform. include::hybrid-nodes-prereqs.adoc[leveloffset=+1] diff --git a/latest/ug/nodes/hybrid-nodes-prereqs.adoc b/latest/ug/nodes/hybrid-nodes-prereqs.adoc index 44358b5d9..fefe553db 100644 --- a/latest/ug/nodes/hybrid-nodes-prereqs.adoc +++ b/latest/ug/nodes/hybrid-nodes-prereqs.adoc @@ -8,7 +8,7 @@ include::../attributes.txt[] [abstract] -- -Learn about the prerequisites and requirements for joining nodes from your data centers to Amazon EKS [.noloc]`Kubernetes` clusters with Amazon EKS Hybrid Nodes. +Learn about the prerequisites and requirements for joining nodes from your data centers to Amazon EKS Kubernetes clusters with Amazon EKS Hybrid Nodes. -- To use Amazon EKS Hybrid Nodes, you must have private connectivity from your on-premises environment to/from {aws}, bare metal servers or virtual machines with a supported operating system, and {aws} IAM Roles Anywhere or {aws} Systems Manager (SSM) hybrid activations configured. You are responsible for managing these prerequisites throughout the hybrid nodes lifecycle. diff --git a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc index 2b3eb2c61..9f04ad87b 100644 --- a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc +++ b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc @@ -8,7 +8,7 @@ include::../attributes.txt[] [abstract] -- -Troubleshoot, diagnose, and repair hybrid nodes from your data centers to Amazon EKS [.noloc]`Kubernetes` clusters. +Troubleshoot, diagnose, and repair hybrid nodes from your data centers to Amazon EKS Kubernetes clusters. -- This topic covers some common errors that you may see while using Amazon EKS Hybrid Nodes and how to fix them. For other troubleshooting information, see <> and https://repost.aws/tags/knowledge-center/TA4IvCeWI1TE66q4jEj4Z9zg/amazon-elastic-kubernetes-service[Knowledge Center tag for Amazon EKS] on _{aws} re:Post_. If you cannot resolve the issue, contact {aws} Support. diff --git a/latest/ug/nodes/hybrid-nodes-tutorial.adoc b/latest/ug/nodes/hybrid-nodes-tutorial.adoc index 4c8d3125d..68cee9140 100644 --- a/latest/ug/nodes/hybrid-nodes-tutorial.adoc +++ b/latest/ug/nodes/hybrid-nodes-tutorial.adoc @@ -8,7 +8,7 @@ include::../attributes.txt[] [abstract] -- -Join nodes from your data centers to Amazon EKS [.noloc]`Kubernetes` clusters with Amazon EKS Hybrid Nodes. +Join nodes from your data centers to Amazon EKS Kubernetes clusters with Amazon EKS Hybrid Nodes. -- In an EKS cluster with hybrid nodes enabled, you can run on-premises and edge applications on your own infrastructure with the same Amazon EKS clusters, features, and tools that you use in {aws} Cloud. diff --git a/latest/ug/nodes/launch-node-bottlerocket.adoc b/latest/ug/nodes/launch-node-bottlerocket.adoc index da8c7be6b..a58a03629 100644 --- a/latest/ug/nodes/launch-node-bottlerocket.adoc +++ b/latest/ug/nodes/launch-node-bottlerocket.adoc @@ -1,13 +1,13 @@ [.topic] [#launch-node-bottlerocket] -= Create self-managed [.noloc]`Bottlerocket` nodes += Create self-managed Bottlerocket nodes :info_titleabbrev: Bottlerocket include::../attributes.txt[] [abstract] -- -This topic describes how to launch Auto Scaling groups of [.noloc]`Bottlerocket` nodes that register with your Amazon EKS cluster +This topic describes how to launch Auto Scaling groups of Bottlerocket nodes that register with your Amazon EKS cluster -- [NOTE] @@ -17,9 +17,9 @@ Managed node groups might offer some advantages for your use case. For more info ==== -This topic describes how to launch Auto Scaling groups of link:bottlerocket/[Bottlerocket,type="marketing"] nodes that register with your Amazon EKS cluster. [.noloc]`Bottlerocket` is a [.noloc]`Linux`-based open-source operating system from {aws} that you can use for running containers on virtual machines or bare metal hosts. After the nodes join the cluster, you can deploy [.noloc]`Kubernetes` applications to them. For more information about [.noloc]`Bottlerocket`, see https://github.com/bottlerocket-os/bottlerocket/blob/develop/QUICKSTART-EKS.md[Using a Bottlerocket AMI with Amazon EKS] on [.noloc]`GitHub` and https://eksctl.io/usage/custom-ami-support/[Custom AMI support] in the `eksctl` documentation. +This topic describes how to launch Auto Scaling groups of link:bottlerocket/[Bottlerocket,type="marketing"] nodes that register with your Amazon EKS cluster. Bottlerocket is a Linux-based open-source operating system from {aws} that you can use for running containers on virtual machines or bare metal hosts. After the nodes join the cluster, you can deploy Kubernetes applications to them. For more information about Bottlerocket, see https://github.com/bottlerocket-os/bottlerocket/blob/develop/QUICKSTART-EKS.md[Using a Bottlerocket AMI with Amazon EKS] on GitHub and https://eksctl.io/usage/custom-ami-support/[Custom AMI support] in the `eksctl` documentation. -For information about in-place upgrades, see https://github.com/bottlerocket-os/bottlerocket-update-operator[Bottlerocket Update Operator] on [.noloc]`GitHub`. +For information about in-place upgrades, see https://github.com/bottlerocket-os/bottlerocket-update-operator[Bottlerocket Update Operator] on GitHub. [IMPORTANT] ==== @@ -27,9 +27,9 @@ For information about in-place upgrades, see https://github.com/bottlerocket-os/ * Amazon EKS nodes are standard Amazon EC2 instances, and you are billed for them based on normal Amazon EC2 instance prices. For more information, see link:ec2/pricing/[Amazon EC2 pricing,type="marketing"]. * You can launch Bottlerocket nodes in Amazon EKS extended clusters on {aws} Outposts, but you can't launch them in local clusters on {aws} Outposts. For more information, see <>. -* You can deploy to Amazon EC2 instances with `x86` or [.noloc]`Arm` processors. However, you can't deploy to instances that have [.noloc]`Inferentia` chips. -* [.noloc]`Bottlerocket` is compatible with {aws} CloudFormation. However, there is no official CloudFormation template that can be copied to deploy [.noloc]`Bottlerocket` nodes for Amazon EKS. -* [.noloc]`Bottlerocket` images don't come with an [.noloc]`SSH` server or a shell. You can use out-of-band access methods to allow [.noloc]`SSH` enabling the admin container and to pass some bootstrapping configuration steps with user data. For more information, see these sections in the https://github.com/bottlerocket-os/bottlerocket[bottlerocket README.md] on [.noloc]`GitHub`: +* You can deploy to Amazon EC2 instances with `x86` or Arm processors. However, you can't deploy to instances that have Inferentia chips. +* Bottlerocket is compatible with {aws} CloudFormation. However, there is no official CloudFormation template that can be copied to deploy Bottlerocket nodes for Amazon EKS. +* Bottlerocket images don't come with an SSH server or a shell. You can use out-of-band access methods to allow SSH enabling the admin container and to pass some bootstrapping configuration steps with user data. For more information, see these sections in the https://github.com/bottlerocket-os/bottlerocket[bottlerocket README.md] on GitHub: + ** https://github.com/bottlerocket-os/bottlerocket#exploration[Exploration] ** https://github.com/bottlerocket-os/bottlerocket#admin-container[Admin container] @@ -48,7 +48,7 @@ For instructions on how to install or upgrade `eksctl`, see https://eksctl.io/in . Copy the following contents to your device. Replace [.replaceable]`my-cluster` with the name of your cluster. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. Replace [.replaceable]`ng-bottlerocket` with a name for your node group. The node group name can't be longer than 63 characters. It must start with letter or digit, but can also include hyphens and underscores for the remaining characters. To deploy on Arm instances, replace [.replaceable]`m5.large` with an Arm instance type. Replace [.replaceable]`my-ec2-keypair-name` with the name of an Amazon EC2 SSH key pair that you can use to connect using SSH into your nodes with after they launch. If you don't already have an Amazon EC2 key pair, you can create one in the {aws-management-console}. For more information, see link:AWSEC2/latest/UserGuide/ec2-key-pairs.html[Amazon EC2 key pairs,type="documentation"] in the _Amazon EC2 User Guide_. Replace all remaining [.replaceable]`example values` with your own values. Once you've made the replacements, run the modified command to create the `bottlerocket.yaml` file. + -If specifying an Arm Amazon EC2 instance type, then review the considerations in <> before deploying. For instructions on how to deploy using a custom AMI, see https://github.com/bottlerocket-os/bottlerocket/blob/develop/BUILDING.md[Building Bottlerocket] on [.noloc]`GitHub` and https://eksctl.io/usage/custom-ami-support/[Custom AMI support] in the `eksctl` documentation. To deploy a managed node group, deploy a custom AMI using a launch template. For more information, see <>. +If specifying an Arm Amazon EC2 instance type, then review the considerations in <> before deploying. For instructions on how to deploy using a custom AMI, see https://github.com/bottlerocket-os/bottlerocket/blob/develop/BUILDING.md[Building Bottlerocket] on GitHub and https://eksctl.io/usage/custom-ami-support/[Custom AMI support] in the `eksctl` documentation. To deploy a managed node group, deploy a custom AMI using a launch template. For more information, see <>. + IMPORTANT: To deploy a node group to {aws} Outposts, {aws} Wavelength, or {aws} Local Zone subnets, don't pass {aws} Outposts, {aws} Wavelength, or {aws} Local Zone subnets when you create the cluster. You must specify the subnets in the following example. For more information see https://eksctl.io/usage/nodegroups/#creating-a-nodegroup-from-a-config-file[Create a nodegroup from a config file] and https://eksctl.io/usage/schema/[Config file schema] in the `eksctl` documentation. Replace [.replaceable]`region-code` with the {aws} Region that your cluster is in. + @@ -99,8 +99,8 @@ Several lines are output while the nodes are created. One of the last lines of o ---- [✔] created 1 nodegroup(s) in cluster "my-cluster" ---- -. (Optional) Create a [.noloc]`Kubernetes` https://kubernetes.io/docs/concepts/storage/persistent-volumes/[persistent volume] on a [.noloc]`Bottlerocket` node using the https://github.com/kubernetes-sigs/aws-ebs-csi-driver[Amazon EBS CSI Plugin]. The default Amazon EBS driver relies on file system tools that aren't included with [.noloc]`Bottlerocket`. For more information about creating a storage class using the driver, see <>. -. (Optional) By default, `kube-proxy` sets the `nf_conntrack_max` kernel parameter to a default value that may differ from what [.noloc]`Bottlerocket` originally sets at boot. To keep Bottlerocket's https://github.com/bottlerocket-os/bottlerocket/blob/develop/packages/release/release-sysctl.conf[default setting], edit the `kube-proxy` configuration with the following command. +. (Optional) Create a Kubernetes https://kubernetes.io/docs/concepts/storage/persistent-volumes/[persistent volume] on a Bottlerocket node using the https://github.com/kubernetes-sigs/aws-ebs-csi-driver[Amazon EBS CSI Plugin]. The default Amazon EBS driver relies on file system tools that aren't included with Bottlerocket. For more information about creating a storage class using the driver, see <>. +. (Optional) By default, `kube-proxy` sets the `nf_conntrack_max` kernel parameter to a default value that may differ from what Bottlerocket originally sets at boot. To keep Bottlerocket's https://github.com/bottlerocket-os/bottlerocket/blob/develop/packages/release/release-sysctl.conf[default setting], edit the `kube-proxy` configuration with the following command. + [source,bash,subs="verbatim,attributes"] ---- @@ -119,11 +119,11 @@ Add `--conntrack-max-per-core` and `--conntrack-min` to the `kube-proxy` argumen - --conntrack-max-per-core=0 - --conntrack-min=0 ---- -. (Optional) Deploy a <> to test your [.noloc]`Bottlerocket` nodes. -. We recommend blocking [.noloc]`Pod` access to IMDS if the following conditions are true: +. (Optional) Deploy a <> to test your Bottlerocket nodes. +. We recommend blocking Pod access to IMDS if the following conditions are true: + -** You plan to assign IAM roles to all of your [.noloc]`Kubernetes` service accounts so that [.noloc]`Pods` only have the minimum permissions that they need. -** No [.noloc]`Pods` in the cluster require access to the Amazon EC2 instance metadata service (IMDS) for other reasons, such as retrieving the current {aws} Region. +** You plan to assign IAM roles to all of your Kubernetes service accounts so that Pods only have the minimum permissions that they need. +** No Pods in the cluster require access to the Amazon EC2 instance metadata service (IMDS) for other reasons, such as retrieving the current {aws} Region. + For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. \ No newline at end of file diff --git a/latest/ug/nodes/launch-node-ubuntu.adoc b/latest/ug/nodes/launch-node-ubuntu.adoc index 5a1157026..0cef5e2b6 100644 --- a/latest/ug/nodes/launch-node-ubuntu.adoc +++ b/latest/ug/nodes/launch-node-ubuntu.adoc @@ -1,13 +1,13 @@ [.topic] [#launch-node-ubuntu] -= Create self-managed [.noloc]`Ubuntu Linux` nodes += Create self-managed Ubuntu Linux nodes :info_titleabbrev: Ubuntu Linux include::../attributes.txt[] [abstract] -- -This topic describes how to launch Auto Scaling groups of [.noloc]`Ubuntu` nodes that register with your Amazon EKS cluster +This topic describes how to launch Auto Scaling groups of Ubuntu nodes that register with your Amazon EKS cluster -- [NOTE] @@ -17,7 +17,7 @@ Managed node groups might offer some advantages for your use case. For more info ==== -This topic describes how to launch Auto Scaling groups of https://cloud-images.ubuntu.com/aws-eks/[Ubuntu on Amazon Elastic Kubernetes Service (EKS)] or https://ubuntu.com/blog/ubuntu-pro-for-eks-is-now-generally-available[Ubuntu Pro on Amazon Elastic Kubernetes Service (EKS)] nodes that register with your Amazon EKS cluster. [.noloc]`Ubuntu` and [.noloc]`Ubuntu Pro` for EKS are based on the official [.noloc]`Ubuntu` Minimal LTS, include the custom {aws} kernel that is jointly developed with {aws}, and have been built specifically for EKS. [.noloc]`Ubuntu Pro` adds additional security coverage by supporting EKS extended support periods, kernel [.noloc]`livepatch`, FIPS compliance and the ability to run unlimited [.noloc]`Pro` containers. +This topic describes how to launch Auto Scaling groups of https://cloud-images.ubuntu.com/aws-eks/[Ubuntu on Amazon Elastic Kubernetes Service (EKS)] or https://ubuntu.com/blog/ubuntu-pro-for-eks-is-now-generally-available[Ubuntu Pro on Amazon Elastic Kubernetes Service (EKS)] nodes that register with your Amazon EKS cluster. Ubuntu and Ubuntu Pro for EKS are based on the official Ubuntu Minimal LTS, include the custom {aws} kernel that is jointly developed with {aws}, and have been built specifically for EKS. Ubuntu Pro adds additional security coverage by supporting EKS extended support periods, kernel livepatch, FIPS compliance and the ability to run unlimited Pro containers. After the nodes join the cluster, you can deploy containerized applications to them. For more information, visit the documentation for https://documentation.ubuntu.com/aws/en/latest/[Ubuntu on {aws}] and https://eksctl.io/usage/custom-ami-support/[Custom AMI support] in the `eksctl` documentation. @@ -26,8 +26,8 @@ After the nodes join the cluster, you can deploy containerized applications to t * Amazon EKS nodes are standard Amazon EC2 instances, and you are billed for them based on normal Amazon EC2 instance prices. For more information, see link:ec2/pricing/[Amazon EC2 pricing,type="marketing"]. -* You can launch [.noloc]`Ubuntu` nodes in Amazon EKS extended clusters on {aws} Outposts, but you can't launch them in local clusters on {aws} Outposts. For more information, see <>. -* You can deploy to Amazon EC2 instances with `x86` or [.noloc]`Arm` processors. However, instances that have [.noloc]`Inferentia` chips might need to install the https://awsdocs-neuron.readthedocs-hosted.com/en/latest/[Neuron SDK] first. +* You can launch Ubuntu nodes in Amazon EKS extended clusters on {aws} Outposts, but you can't launch them in local clusters on {aws} Outposts. For more information, see <>. +* You can deploy to Amazon EC2 instances with `x86` or Arm processors. However, instances that have Inferentia chips might need to install the https://awsdocs-neuron.readthedocs-hosted.com/en/latest/[Neuron SDK] first. ==== @@ -40,7 +40,7 @@ eksctl version For instructions on how to install or upgrade `eksctl`, see https://eksctl.io/installation[Installation] in the `eksctl` documentation.NOTE: This procedure only works for clusters that were created with `eksctl`. -. Copy the following contents to your device. Replace `my-cluster` with the name of your cluster. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphabetic character and can't be longer than 100 characters. Replace `ng-ubuntu` with a name for your node group. The node group name can't be longer than 63 characters. It must start with letter or digit, but can also include hyphens and underscores for the remaining characters. To deploy on [.noloc]`Arm` instances, replace `m5.large` with an [.noloc]`Arm` instance type. Replace `my-ec2-keypair-name` with the name of an Amazon EC2 SSH key pair that you can use to connect using SSH into your nodes with after they launch. If you don't already have an Amazon EC2 key pair, you can create one in the {aws-management-console}. For more information, see link:AWSEC2/latest/UserGuide/ec2-key-pairs.html[Amazon EC2 key pairs,type="documentation"] in the Amazon EC2 User Guide. Replace all remaining [.replaceable]`example values` with your own values. Once you've made the replacements, run the modified command to create the `ubuntu.yaml` file. +. Copy the following contents to your device. Replace `my-cluster` with the name of your cluster. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphabetic character and can't be longer than 100 characters. Replace `ng-ubuntu` with a name for your node group. The node group name can't be longer than 63 characters. It must start with letter or digit, but can also include hyphens and underscores for the remaining characters. To deploy on Arm instances, replace `m5.large` with an Arm instance type. Replace `my-ec2-keypair-name` with the name of an Amazon EC2 SSH key pair that you can use to connect using SSH into your nodes with after they launch. If you don't already have an Amazon EC2 key pair, you can create one in the {aws-management-console}. For more information, see link:AWSEC2/latest/UserGuide/ec2-key-pairs.html[Amazon EC2 key pairs,type="documentation"] in the Amazon EC2 User Guide. Replace all remaining [.replaceable]`example values` with your own values. Once you've made the replacements, run the modified command to create the `ubuntu.yaml` file. + IMPORTANT: To deploy a node group to {aws} Outposts, {aws} Wavelength, or {aws} Local Zone subnets, don't pass {aws} Outposts, {aws} Wavelength, or {aws} Local Zone subnets when you create the cluster. You must specify the subnets in the following example. For more information see https://eksctl.io/usage/nodegroups/#creating-a-nodegroup-from-a-config-file[Create a nodegroup from a config file] and https://eksctl.io/usage/schema/[Config file schema] in the `eksctl` documentation. Replace [.replaceable]`region-code` with the {aws} Region that your cluster is in. + @@ -76,7 +76,7 @@ nodeGroups: EOF ---- + -To create an [.noloc]`Ubuntu Pro` node group, just change the `amiFamily` value to `UbuntuPro2204`. +To create an Ubuntu Pro node group, just change the `amiFamily` value to `UbuntuPro2204`. . Deploy your nodes with the following command. + [source,bash,subs="verbatim,attributes"] @@ -92,11 +92,11 @@ Several lines are output while the nodes are created. One of the last lines of o ---- [✔] created 1 nodegroup(s) in cluster "my-cluster" ---- -. (Optional) Deploy a <> to test your [.noloc]`Ubuntu` nodes. -. We recommend blocking [.noloc]`Pod` access to IMDS if the following conditions are true: +. (Optional) Deploy a <> to test your Ubuntu nodes. +. We recommend blocking Pod access to IMDS if the following conditions are true: + -** You plan to assign IAM roles to all of your [.noloc]`Kubernetes` service accounts so that [.noloc]`Pods` only have the minimum permissions that they need. -** No [.noloc]`Pods` in the cluster require access to the Amazon EC2 instance metadata service (IMDS) for other reasons, such as retrieving the current {aws} Region. +** You plan to assign IAM roles to all of your Kubernetes service accounts so that Pods only have the minimum permissions that they need. +** No Pods in the cluster require access to the Amazon EC2 instance metadata service (IMDS) for other reasons, such as retrieving the current {aws} Region. + For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. \ No newline at end of file diff --git a/latest/ug/nodes/launch-templates.adoc b/latest/ug/nodes/launch-templates.adoc index 6c071b5e1..caa0a3fc6 100644 --- a/latest/ug/nodes/launch-templates.adoc +++ b/latest/ug/nodes/launch-templates.adoc @@ -15,7 +15,7 @@ For the highest level of customization, you can deploy managed nodes using your * Provide bootstrap arguments at deployment of a node, such as extra https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/[kubelet] arguments. -* Assign IP addresses to [.noloc]`Pods` from a different CIDR block than the IP address assigned to the node. +* Assign IP addresses to Pods from a different CIDR block than the IP address assigned to the node. * Deploy your own custom AMI to nodes. * Deploy your own custom CNI to nodes. @@ -61,7 +61,7 @@ a|*Application and OS Images (Amazon Machine Image)* under *Launch template cont * Using a custom AMI. If you specify an AMI that doesn't meet the requirements listed in <>, the node group deployment will fail. -* Want to provide user data to provide arguments to the `bootstrap.sh` file included with an Amazon EKS optimized AMI. You can enable your instances to assign a significantly higher number of IP addresses to [.noloc]`Pods`, assign IP addresses to [.noloc]`Pods` from a different CIDR block than the instance's, or deploy a private cluster without outbound internet access. For more information, see the following topics: +* Want to provide user data to provide arguments to the `bootstrap.sh` file included with an Amazon EKS optimized AMI. You can enable your instances to assign a significantly higher number of IP addresses to Pods, assign IP addresses to Pods from a different CIDR block than the instance's, or deploy a private cluster without outbound internet access. For more information, see the following topics: + ** <> @@ -109,7 +109,7 @@ You can use a launch template to specify custom Amazon EC2 link:AWSEC2/latest/Us [#launch-template-user-data] == Amazon EC2 user data -The launch template includes a section for custom user data. You can specify configuration settings for your node group in this section without manually creating individual custom AMIs. For more information about the settings available for [.noloc]`Bottlerocket`, see https://github.com/bottlerocket-os/bottlerocket#using-user-data[Using user data] on [.noloc]`GitHub`. +The launch template includes a section for custom user data. You can specify configuration settings for your node group in this section without manually creating individual custom AMIs. For more information about the settings available for Bottlerocket, see https://github.com/bottlerocket-os/bottlerocket#using-user-data[Using user data] on GitHub. You can supply Amazon EC2 user data in your launch template using `cloud-init` when launching your instances. For more information, see the https://cloudinit.readthedocs.io/en/latest/index.html[cloud-init] documentation. Your user data can be used to perform common configuration operations. This includes the following operations: @@ -118,7 +118,7 @@ You can supply Amazon EC2 user data in your launch template using `cloud-init` w * https://cloudinit.readthedocs.io/en/latest/topics/examples.html#including-users-and-groups[Including users or groups] * https://cloudinit.readthedocs.io/en/latest/topics/examples.html#install-arbitrary-packages[Installing packages] -Amazon EC2 user data in launch templates that are used with managed node groups must be in the https://cloudinit.readthedocs.io/en/latest/topics/format.html#mime-multi-part-archive[MIME multi-part archive] format for Amazon Linux AMIs and TOML format for [.noloc]`Bottlerocket` AMIs. This is because your user data is merged with Amazon EKS user data required for nodes to join the cluster. Don't specify any commands in your user data that starts or modifies `kubelet`. This is performed as part of the user data merged by Amazon EKS. Certain `kubelet` parameters, such as setting labels on nodes, can be configured directly through the managed node groups API. +Amazon EC2 user data in launch templates that are used with managed node groups must be in the https://cloudinit.readthedocs.io/en/latest/topics/format.html#mime-multi-part-archive[MIME multi-part archive] format for Amazon Linux AMIs and TOML format for Bottlerocket AMIs. This is because your user data is merged with Amazon EKS user data required for nodes to join the cluster. Don't specify any commands in your user data that starts or modifies `kubelet`. This is performed as part of the user data merged by Amazon EKS. Certain `kubelet` parameters, such as setting labels on nodes, can be configured directly through the managed node groups API. [NOTE] ==== @@ -132,7 +132,7 @@ The following details provide more information about the user data section. *Amazon Linux 2 user data*:: -You can combine multiple user data blocks together into a single MIME multi-part file. For example, you can combine a cloud boothook that configures the [.noloc]`Docker` daemon with a user data shell script that installs a custom package. A MIME multi-part file consists of the following components: +You can combine multiple user data blocks together into a single MIME multi-part file. For example, you can combine a cloud boothook that configures the Docker daemon with a user data shell script that installs a custom package. A MIME multi-part file consists of the following components: + ** The content type and part boundary declaration – `Content-Type: multipart/mixed; boundary="==MYBOUNDARY=="` ** The MIME version declaration – `MIME-Version: 1.0` @@ -195,11 +195,11 @@ kind: NodeConfig spec: [...] --BOUNDARY-- ---- + -In AL2, the metadata from these parameters was discovered from the Amazon EKS `DescribeCluster` API call. With AL2023, this behavior has changed since the additional API call risks throttling during large node scale ups. This change doesn't affect you if you're using managed node groups without a launch template or if you're using [.noloc]`Karpenter`. For more information on `certificateAuthority` and service `cidr`, see link:eks/latest/APIReference/API_DescribeCluster.html[`DescribeCluster`,type="documentation"] in the _Amazon EKS API Reference_. +In AL2, the metadata from these parameters was discovered from the Amazon EKS `DescribeCluster` API call. With AL2023, this behavior has changed since the additional API call risks throttling during large node scale ups. This change doesn't affect you if you're using managed node groups without a launch template or if you're using Karpenter. For more information on `certificateAuthority` and service `cidr`, see link:eks/latest/APIReference/API_DescribeCluster.html[`DescribeCluster`,type="documentation"] in the _Amazon EKS API Reference_. -*[.noloc]`Bottlerocket` user data*:: -[.noloc]`Bottlerocket` structures user data in the TOML format. You can provide user data to be merged with the user data provided by Amazon EKS. For example, you can provide additional `kubelet` settings. +*Bottlerocket user data*:: +Bottlerocket structures user data in the TOML format. You can provide user data to be merged with the user data provided by Amazon EKS. For example, you can provide additional `kubelet` settings. + [source,none,subs="verbatim,attributes"] ---- @@ -222,8 +222,8 @@ Amazon EKS doesn't support all valid TOML. The following is a list of known unsu ** Bracketed headers with quoted keys: `[foo."bar.baz"]` -*[.noloc]`Windows` user data*:: -Windows user data uses [.noloc]`PowerShell` commands. When creating a managed node group, your custom user data combines with Amazon EKS managed user data. Your [.noloc]`PowerShell` commands come first, followed by the managed user data commands, all within one `` tag. +*Windows user data*:: +Windows user data uses PowerShell commands. When creating a managed node group, your custom user data combines with Amazon EKS managed user data. Your PowerShell commands come first, followed by the managed user data commands, all within one `` tag. + NOTE: When no AMI ID is specified in the launch template, don't use the Windows Amazon EKS Bootstrap script in user data to configure Amazon EKS. + @@ -244,7 +244,7 @@ If you have either of the following requirements, then specify an AMI ID in the [#mng-specify-eks-ami] -.Provide user data to pass arguments to the `bootstrap.sh` file included with an Amazon EKS optimized [.noloc]`Linux`/[.noloc]`Bottlerocket` AMI +.Provide user data to pass arguments to the `bootstrap.sh` file included with an Amazon EKS optimized Linux/Bottlerocket AMI [%collapsible] ==== @@ -252,8 +252,8 @@ Bootstrapping is a term used to describe adding commands that can be run when an -*[.noloc]`eksctl` without specifying a launch template*:: -Create a file named [.replaceable]`my-nodegroup.yaml` with the following contents. Replace every [.replaceable]`example value` with your own values. The `--apiserver-endpoint`, `--b64-cluster-ca`, and `--dns-cluster-ip` arguments are optional. However, defining them allows the `bootstrap.sh` script to avoid making a `describeCluster` call. This is useful in private cluster setups or clusters where you're scaling in and out nodes frequently. For more information on the `bootstrap.sh` script, see the https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap.sh] file on [.noloc]`GitHub`. +*eksctl without specifying a launch template*:: +Create a file named [.replaceable]`my-nodegroup.yaml` with the following contents. Replace every [.replaceable]`example value` with your own values. The `--apiserver-endpoint`, `--b64-cluster-ca`, and `--dns-cluster-ip` arguments are optional. However, defining them allows the `bootstrap.sh` script to avoid making a `describeCluster` call. This is useful in private cluster setups or clusters where you're scaling in and out nodes frequently. For more information on the `bootstrap.sh` script, see the https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap.sh] file on GitHub. + ** The only required argument is the cluster name ([.replaceable]`my-cluster`). ** To retrieve an optimized AMI ID for `ami-[.replaceable]``1234567890abcdef0```, you can use the tables in the following sections: @@ -319,7 +319,7 @@ eksctl create nodegroup --config-file=my-nodegroup.yaml *User data in a launch template*:: -Specify the following information in the user data section of your launch template. Replace every [.replaceable]`example value` with your own values. The `--apiserver-endpoint`, `--b64-cluster-ca`, and `--dns-cluster-ip` arguments are optional. However, defining them allows the `bootstrap.sh` script to avoid making a `describeCluster` call. This is useful in private cluster setups or clusters where you're scaling in and out nodes frequently. For more information on the `bootstrap.sh` script, see the https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap.sh] file on [.noloc]`GitHub`. +Specify the following information in the user data section of your launch template. Replace every [.replaceable]`example value` with your own values. The `--apiserver-endpoint`, `--b64-cluster-ca`, and `--dns-cluster-ip` arguments are optional. However, defining them allows the `bootstrap.sh` script to avoid making a `describeCluster` call. This is useful in private cluster setups or clusters where you're scaling in and out nodes frequently. For more information on the `bootstrap.sh` script, see the https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap.sh] file on GitHub. + ** The only required argument is the cluster name ([.replaceable]`my-cluster`). ** To retrieve the [.replaceable]`certificate-authority` for your cluster, run the following command. @@ -365,17 +365,17 @@ set -ex ==== [#mng-specify-eks-ami-windows] -.Provide user data to pass arguments to the `Start-EKSBootstrap.ps1` file included with an Amazon EKS optimized [.noloc]`Windows` AMI +.Provide user data to pass arguments to the `Start-EKSBootstrap.ps1` file included with an Amazon EKS optimized Windows AMI [%collapsible] ==== Bootstrapping is a term used to describe adding commands that can be run when an instance starts. You can pass arguments to the `Start-EKSBootstrap.ps1` script by using `eksctl` without specifying a launch template. Or you can do so by specifying the information in the user data section of a launch template. -If you want to specify a custom [.noloc]`Windows` AMI ID, keep in mind the following considerations: +If you want to specify a custom Windows AMI ID, keep in mind the following considerations: -* You must use a launch template and give the required bootstrap commands in the user data section. To retrieve your desired [.noloc]`Windows` ID, you can use the table in <>. +* You must use a launch template and give the required bootstrap commands in the user data section. To retrieve your desired Windows ID, you can use the table in <>. * There are several limits and conditions. For example, you must add `eks:kube-proxy-windows` to your {aws} IAM Authenticator configuration map. For more information, see <>. Specify the following information in the user data section of your launch template. Replace every [.replaceable]`example value` with your own values. The `-APIServerEndpoint`, `-Base64ClusterCA`, and `-DNSClusterIP` arguments are optional. However, defining them allows the `Start-EKSBootstrap.ps1` script to avoid making a `describeCluster` call. @@ -403,7 +403,7 @@ aws eks describe-cluster --query "cluster.kubernetesNetworkConfig.serviceIpv4Cid ---- * For additional arguments, see <>. + -NOTE: If you're using custom service CIDR, then you need to specify it using the `-ServiceCIDR` parameter. Otherwise, the DNS resolution for [.noloc]`Pods` in the cluster will fail. +NOTE: If you're using custom service CIDR, then you need to specify it using the `-ServiceCIDR` parameter. Otherwise, the DNS resolution for Pods in the cluster will fail. [source,xml,subs="verbatim,attributes"] @@ -423,7 +423,7 @@ NOTE: If you're using custom service CIDR, then you need to specify it using the [%collapsible] ==== -For more information, see link:AWSEC2/latest/UserGuide/AMIs.html[Amazon Machine Images (AMI),type="documentation"] in the _Amazon EC2 User Guide_. The Amazon EKS AMI build specification contains resources and configuration scripts for building a custom Amazon EKS AMI based on Amazon Linux. For more information, see https://github.com/awslabs/amazon-eks-ami/[Amazon EKS AMI Build Specification] on [.noloc]`GitHub`. To build custom AMIs installed with other operating systems, see https://github.com/aws-samples/amazon-eks-custom-amis[Amazon EKS Sample Custom AMIs] on [.noloc]`GitHub`. +For more information, see link:AWSEC2/latest/UserGuide/AMIs.html[Amazon Machine Images (AMI),type="documentation"] in the _Amazon EC2 User Guide_. The Amazon EKS AMI build specification contains resources and configuration scripts for building a custom Amazon EKS AMI based on Amazon Linux. For more information, see https://github.com/awslabs/amazon-eks-ami/[Amazon EKS AMI Build Specification] on GitHub. To build custom AMIs installed with other operating systems, see https://github.com/aws-samples/amazon-eks-custom-amis[Amazon EKS Sample Custom AMIs] on GitHub. ==== [IMPORTANT] @@ -447,8 +447,8 @@ The following are the limits and conditions involved with specifying an AMI ID w ** `amiType` ** `releaseVersion` ** `version` -* Any `taints` set in the API are applied asynchronously if you specify an AMI ID. To apply taints prior to a node joining the cluster, you must pass the taints to `kubelet` in your user data using the `--register-with-taints` command line flag. For more information, see https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/[kubelet] in the [.noloc]`Kubernetes` documentation. -* When specifying a custom AMI ID for [.noloc]`Windows` managed node groups, add `eks:kube-proxy-windows` to your {aws} IAM Authenticator configuration map. This is required for DNS to function properly. +* Any `taints` set in the API are applied asynchronously if you specify an AMI ID. To apply taints prior to a node joining the cluster, you must pass the taints to `kubelet` in your user data using the `--register-with-taints` command line flag. For more information, see https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/[kubelet] in the Kubernetes documentation. +* When specifying a custom AMI ID for Windows managed node groups, add `eks:kube-proxy-windows` to your {aws} IAM Authenticator configuration map. This is required for DNS to function properly. + .. Open the {aws} IAM Authenticator configuration map for editing. + @@ -456,7 +456,7 @@ The following are the limits and conditions involved with specifying an AMI ID w ---- kubectl edit -n kube-system cm aws-auth ---- -.. Add this entry to the `groups` list under each `rolearn` associated with [.noloc]`Windows` nodes. Your configuration map should look similar to https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2020-10-29/aws-auth-cm-windows.yaml[aws-auth-cm-windows.yaml]. +.. Add this entry to the `groups` list under each `rolearn` associated with Windows nodes. Your configuration map should look similar to https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2020-10-29/aws-auth-cm-windows.yaml[aws-auth-cm-windows.yaml]. + [source,yaml,subs="verbatim,attributes"] ---- diff --git a/latest/ug/nodes/launch-windows-workers.adoc b/latest/ug/nodes/launch-windows-workers.adoc index 21c3a7f57..7564b636e 100644 --- a/latest/ug/nodes/launch-windows-workers.adoc +++ b/latest/ug/nodes/launch-windows-workers.adoc @@ -1,16 +1,16 @@ [.topic] [#launch-windows-workers] -= Create self-managed [.noloc]`Microsoft Windows` nodes += Create self-managed Microsoft Windows nodes :info_titleabbrev: Windows include::../attributes.txt[] [abstract] -- -This topic describes how to launch Auto Scaling groups of [.noloc]`Windows` nodes that register with your Amazon EKS cluster. +This topic describes how to launch Auto Scaling groups of Windows nodes that register with your Amazon EKS cluster. -- -This topic describes how to launch Auto Scaling groups of [.noloc]`Windows` nodes that register with your Amazon EKS cluster. After the nodes join the cluster, you can deploy [.noloc]`Kubernetes` applications to them. +This topic describes how to launch Auto Scaling groups of Windows nodes that register with your Amazon EKS cluster. After the nodes join the cluster, you can deploy Kubernetes applications to them. [IMPORTANT] ==== @@ -20,9 +20,9 @@ This topic describes how to launch Auto Scaling groups of [.noloc]`Windows` node ==== -Enable [.noloc]`Windows` support for your cluster. We recommend that you review important considerations before you launch a [.noloc]`Windows` node group. For more information, see <>. +Enable Windows support for your cluster. We recommend that you review important considerations before you launch a Windows node group. For more information, see <>. -You can launch self-managed [.noloc]`Windows` nodes with either of the following: +You can launch self-managed Windows nodes with either of the following: * <> * <> @@ -45,10 +45,10 @@ For instructions on how to install or upgrade `eksctl`, see https://eksctl.io/in This procedure only works for clusters that were created with `eksctl`. ==== -. (Optional) If the *AmazonEKS_CNI_Policy* managed IAM policy (if you have an `IPv4` cluster) or the [.replaceable]`AmazonEKS_CNI_IPv6_Policy` (that you <> if you have an `IPv6` cluster) is attached to your <>, we recommend assigning it to an IAM role that you associate to the [.noloc]`Kubernetes` `aws-node` service account instead. For more information, see <>. -. This procedure assumes that you have an existing cluster. If you don't already have an Amazon EKS cluster and an Amazon Linux node group to add a [.noloc]`Windows` node group to, we recommend that you follow <>. This guide provides a complete walkthrough for how to create an Amazon EKS cluster with Amazon Linux nodes. +. (Optional) If the *AmazonEKS_CNI_Policy* managed IAM policy (if you have an `IPv4` cluster) or the [.replaceable]`AmazonEKS_CNI_IPv6_Policy` (that you <> if you have an `IPv6` cluster) is attached to your <>, we recommend assigning it to an IAM role that you associate to the Kubernetes `aws-node` service account instead. For more information, see <>. +. This procedure assumes that you have an existing cluster. If you don't already have an Amazon EKS cluster and an Amazon Linux node group to add a Windows node group to, we recommend that you follow <>. This guide provides a complete walkthrough for how to create an Amazon EKS cluster with Amazon Linux nodes. + -Create your node group with the following command. Replace [.replaceable]`region-code` with the {aws} Region that your cluster is in. Replace [.replaceable]`my-cluster` with your cluster name. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. Replace [.replaceable]`ng-windows` with a name for your node group. The node group name can't be longer than 63 characters. It must start with letter or digit, but can also include hyphens and underscores for the remaining characters. For [.noloc]`Kubernetes` version `1.24` or later, you can replace [.replaceable]`2019` with `2022` to use [.noloc]`Windows` Server 2022. Replace the rest of the [.replaceable]`example values` with your own values. +Create your node group with the following command. Replace [.replaceable]`region-code` with the {aws} Region that your cluster is in. Replace [.replaceable]`my-cluster` with your cluster name. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. Replace [.replaceable]`ng-windows` with a name for your node group. The node group name can't be longer than 63 characters. It must start with letter or digit, but can also include hyphens and underscores for the remaining characters. For Kubernetes version `1.24` or later, you can replace [.replaceable]`2019` with `2022` to use Windows Server 2022. Replace the rest of the [.replaceable]`example values` with your own values. + IMPORTANT: To deploy a node group to {aws} Outposts, {aws} Wavelength, or {aws} Local Zone subnets, don't pass the {aws} Outposts, Wavelength, or Local Zone subnets when you create the cluster. Create the node group with a config file, specifying the {aws} Outposts, Wavelength, or Local Zone subnets. For more information, see https://eksctl.io/usage/nodegroups/#creating-a-nodegroup-from-a-config-file[Create a nodegroup from a config file] and https://eksctl.io/usage/schema/[Config file schema] in the `eksctl` documentation. + @@ -83,11 +83,11 @@ An example output is as follows. Several lines are output while the nodes are cr ---- [✔] created 1 nodegroup(s) in cluster "my-cluster" ---- -. (Optional) Deploy a <> to test your cluster and [.noloc]`Windows` nodes. -. We recommend blocking [.noloc]`Pod` access to IMDS if the following conditions are true: +. (Optional) Deploy a <> to test your cluster and Windows nodes. +. We recommend blocking Pod access to IMDS if the following conditions are true: + -** You plan to assign IAM roles to all of your [.noloc]`Kubernetes` service accounts so that [.noloc]`Pods` only have the minimum permissions that they need. -** No [.noloc]`Pods` in the cluster require access to the Amazon EC2 instance metadata service (IMDS) for other reasons, such as retrieving the current {aws} Region. +** You plan to assign IAM roles to all of your Kubernetes service accounts so that Pods only have the minimum permissions that they need. +** No Pods in the cluster require access to the Amazon EC2 instance metadata service (IMDS) for other reasons, such as retrieving the current {aws} Region. + For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. @@ -96,7 +96,7 @@ For more information, see https://aws.github.io/aws-eks-best-practices/security/ *Prerequisites* -** An existing Amazon EKS cluster and a [.noloc]`Linux` node group. If you don't have these resources, we recommend that you create them using one of our guides in <>. These guides describe how to create an Amazon EKS cluster with [.noloc]`Linux` nodes. +** An existing Amazon EKS cluster and a Linux node group. If you don't have these resources, we recommend that you create them using one of our guides in <>. These guides describe how to create an Amazon EKS cluster with Linux nodes. ** An existing VPC and security group that meet the requirements for an Amazon EKS cluster. For more information, see <> and <>. The guides in <> create a VPC that meets the requirements. Alternatively, you can also follow <> to create one manually. ** An existing Amazon EKS cluster that uses a VPC and security group that meets the requirements of an Amazon EKS cluster. For more information, see <>. If you have subnets in the {aws} Region where you have {aws} Outposts, {aws} Wavelength, or {aws} Local Zones enabled, those subnets must not have been passed in when you created the cluster. @@ -135,17 +135,17 @@ The following steps show one method to retrieve the applicable group. ** *NodeAutoScalingGroupMaxSize*: Enter the maximum number of nodes that your node Auto Scaling group can scale out to. ** *NodeInstanceType*: Choose an instance type for your nodes. For more information, see <>. + -NOTE: The supported instance types for the latest version of the https://github.com/aws/amazon-vpc-cni-k8s[Amazon VPC CNI plugin for Kubernetes] are listed in https://github.com/aws/amazon-vpc-cni-k8s/blob/master/pkg/vpc/vpc_ip_resource_limit.go[vpc_ip_resource_limit.go] on [.noloc]`GitHub`. You might need to update your CNI version to use the latest supported instance types. For more information, see <>. -** *NodeImageIdSSMParam*: Pre-populated with the Amazon EC2 Systems Manager parameter of the current recommended Amazon EKS optimized [.noloc]`Windows` Core AMI ID. To use the full version of [.noloc]`Windows`, replace [.replaceable]`Core` with `Full`. +NOTE: The supported instance types for the latest version of the https://github.com/aws/amazon-vpc-cni-k8s[Amazon VPC CNI plugin for Kubernetes] are listed in https://github.com/aws/amazon-vpc-cni-k8s/blob/master/pkg/vpc/vpc_ip_resource_limit.go[vpc_ip_resource_limit.go] on GitHub. You might need to update your CNI version to use the latest supported instance types. For more information, see <>. +** *NodeImageIdSSMParam*: Pre-populated with the Amazon EC2 Systems Manager parameter of the current recommended Amazon EKS optimized Windows Core AMI ID. To use the full version of Windows, replace [.replaceable]`Core` with `Full`. ** *NodeImageId*: (Optional) If you're using your own custom AMI (instead of an Amazon EKS optimized AMI), enter a node AMI ID for your {aws} Region. If you specify a value for this field, it overrides any values in the *NodeImageIdSSMParam* field. ** *NodeVolumeSize*: Specify a root volume size for your nodes, in GiB. ** *KeyName*: Enter the name of an Amazon EC2 SSH key pair that you can use to connect using SSH into your nodes with after they launch. If you don't already have an Amazon EC2 key pair, you can create one in the {aws-management-console}. For more information, see link:AWSEC2/latest/WindowsGuide/ec2-key-pairs.html[Amazon EC2 key pairs,type="documentation"] in the _Amazon EC2 User Guide_. + NOTE: If you don't provide a key pair here, the {aws} CloudFormation stack fails to be created. ** *BootstrapArguments*: Specify any optional arguments to pass to the node bootstrap script, such as extra `kubelet` arguments using `-KubeletExtraArgs`. -** *DisableIMDSv1*: By default, each node supports the Instance Metadata Service Version 1 (IMDSv1) and IMDSv2. You can disable IMDSv1. To prevent future nodes and [.noloc]`Pods` in the node group from using MDSv1, set *DisableIMDSv1* to *true*. For more information about IMDS, see link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html[Configuring the instance metadata service,type="documentation"]. +** *DisableIMDSv1*: By default, each node supports the Instance Metadata Service Version 1 (IMDSv1) and IMDSv2. You can disable IMDSv1. To prevent future nodes and Pods in the node group from using MDSv1, set *DisableIMDSv1* to *true*. For more information about IMDS, see link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html[Configuring the instance metadata service,type="documentation"]. ** *VpcId*: Select the ID for the <> that you created. -** *NodeSecurityGroups*: Select the security group that was created for your [.noloc]`Linux` node group when you created your <>. If your [.noloc]`Linux` nodes have more than one security group attached to them, specify all of them. This for, for example, if the [.noloc]`Linux` node group was created with `eksctl`. +** *NodeSecurityGroups*: Select the security group that was created for your Linux node group when you created your <>. If your Linux nodes have more than one security group attached to them, specify all of them. This for, for example, if the Linux node group was created with `eksctl`. ** *Subnets*: Choose the subnets that you created. If you created your VPC using the steps in <>, then specify only the private subnets within the VPC for your nodes to launch into. + [IMPORTANT] @@ -156,7 +156,7 @@ NOTE: If you don't provide a key pair here, the {aws} CloudFormation stack fails ==== . Acknowledge that the stack might create IAM resources, and then choose *Create stack*. . When your stack has finished creating, select it in the console and choose *Outputs*. -. Record the *NodeInstanceRole* for the node group that was created. You need this when you configure your Amazon EKS [.noloc]`Windows` nodes. +. Record the *NodeInstanceRole* for the node group that was created. You need this when you configure your Amazon EKS Windows nodes. *Step 2: Enable nodes to join your cluster* @@ -214,7 +214,7 @@ sed -i.bak -e 's||my-node-lin [IMPORTANT] ==== *** Don't modify any other lines in this file. -*** Don't use the same IAM role for both [.noloc]`Windows` and [.noloc]`Linux` nodes. +*** Don't use the same IAM role for both Windows and Linux nodes. ==== .. Apply the configuration. This command might take a few minutes to finish. + @@ -237,12 +237,12 @@ If nodes fail to join the cluster, then see <> in the Troubles *Step 3: Additional actions* -. (Optional) Deploy a <> to test your cluster and [.noloc]`Windows` nodes. -. (Optional) If the *AmazonEKS_CNI_Policy* managed IAM policy (if you have an `IPv4` cluster) or the [.replaceable]`AmazonEKS_CNI_IPv6_Policy` (that you <> if you have an `IPv6` cluster) is attached to your <>, we recommend assigning it to an IAM role that you associate to the [.noloc]`Kubernetes` `aws-node` service account instead. For more information, see <>. -. We recommend blocking [.noloc]`Pod` access to IMDS if the following conditions are true: +. (Optional) Deploy a <> to test your cluster and Windows nodes. +. (Optional) If the *AmazonEKS_CNI_Policy* managed IAM policy (if you have an `IPv4` cluster) or the [.replaceable]`AmazonEKS_CNI_IPv6_Policy` (that you <> if you have an `IPv6` cluster) is attached to your <>, we recommend assigning it to an IAM role that you associate to the Kubernetes `aws-node` service account instead. For more information, see <>. +. We recommend blocking Pod access to IMDS if the following conditions are true: + -** You plan to assign IAM roles to all of your [.noloc]`Kubernetes` service accounts so that [.noloc]`Pods` only have the minimum permissions that they need. -** No [.noloc]`Pods` in the cluster require access to the Amazon EC2 instance metadata service (IMDS) for other reasons, such as retrieving the current {aws} Region. +** You plan to assign IAM roles to all of your Kubernetes service accounts so that Pods only have the minimum permissions that they need. +** No Pods in the cluster require access to the Amazon EC2 instance metadata service (IMDS) for other reasons, such as retrieving the current {aws} Region. + For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. \ No newline at end of file diff --git a/latest/ug/nodes/launch-workers.adoc b/latest/ug/nodes/launch-workers.adoc index 57d1229c4..0dda3a2c4 100644 --- a/latest/ug/nodes/launch-workers.adoc +++ b/latest/ug/nodes/launch-workers.adoc @@ -7,14 +7,14 @@ include::../attributes.txt[] [abstract] -- -This topic describes how you can launch Auto Scaling groups of [.noloc]`Linux` nodes that register with your Amazon EKS cluster. +This topic describes how you can launch Auto Scaling groups of Linux nodes that register with your Amazon EKS cluster. -- -This topic describes how you can launch Auto Scaling groups of [.noloc]`Linux` nodes that register with your Amazon EKS cluster. After the nodes join the cluster, you can deploy [.noloc]`Kubernetes` applications to them. You can also launch self-managed Amazon Linux nodes with `eksctl` or the {aws-management-console}. If you need to launch nodes on {aws} Outposts, see <>. +This topic describes how you can launch Auto Scaling groups of Linux nodes that register with your Amazon EKS cluster. After the nodes join the cluster, you can deploy Kubernetes applications to them. You can also launch self-managed Amazon Linux nodes with `eksctl` or the {aws-management-console}. If you need to launch nodes on {aws} Outposts, see <>. * An existing Amazon EKS cluster. To deploy one, see <>. If you have subnets in the {aws} Region where you have {aws} Outposts, {aws} Wavelength, or {aws} Local Zones enabled, those subnets must not have been passed in when you created your cluster. * An existing IAM role for the nodes to use. To create one, see <>. If this role doesn't have either of the policies for the VPC CNI, the separate role that follows is required for the VPC CNI pods. -* (Optional, but recommended) The [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on configured with its own IAM role that has the necessary IAM policy attached to it. For more information, see <>. +* (Optional, but recommended) The Amazon VPC CNI plugin for Kubernetes add-on configured with its own IAM role that has the necessary IAM policy attached to it. For more information, see <>. * Familiarity with the considerations listed in <>. Depending on the instance type you choose, there may be additional prerequisites for your cluster and VPC. You can launch self-managed Linux nodes using either of the following: @@ -28,8 +28,8 @@ You can launch self-managed Linux nodes using either of the following: . Install version `{eksctl-min-version}` or later of the `eksctl` command line tool installed on your device or {aws} CloudShell. To install or update `eksctl`, see https://eksctl.io/installation[Installation] in the `eksctl` documentation. -. (Optional) If the *AmazonEKS_CNI_Policy* managed IAM policy is attached to your <>, we recommend assigning it to an IAM role that you associate to the [.noloc]`Kubernetes` `aws-node` service account instead. For more information, see <>. -. The following command creates a node group in an existing cluster. Replace [.replaceable]`al-nodes` with a name for your node group. The node group name can't be longer than 63 characters. It must start with letter or digit, but can also include hyphens and underscores for the remaining characters. Replace [.replaceable]`my-cluster` with the name of your cluster. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. Replace the remaining [.replaceable]`example value` with your own values. The nodes are created with the same [.noloc]`Kubernetes` version as the control plane, by default. +. (Optional) If the *AmazonEKS_CNI_Policy* managed IAM policy is attached to your <>, we recommend assigning it to an IAM role that you associate to the Kubernetes `aws-node` service account instead. For more information, see <>. +. The following command creates a node group in an existing cluster. Replace [.replaceable]`al-nodes` with a name for your node group. The node group name can't be longer than 63 characters. It must start with letter or digit, but can also include hyphens and underscores for the remaining characters. Replace [.replaceable]`my-cluster` with the name of your cluster. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. Replace the remaining [.replaceable]`example value` with your own values. The nodes are created with the same Kubernetes version as the control plane, by default. + Before choosing a value for `--node-type`, review <>. + @@ -59,9 +59,9 @@ eksctl create nodegroup \ --ssh-public-key my-key ---- To deploy a node group that: -**** can assign a significantly higher number of IP addresses to [.noloc]`Pods` than the default configuration, see <>. -**** can assign `IPv4` addresses to [.noloc]`Pods` from a different [.noloc]`CIDR` block than that of the instance, see <>. -**** can assign `IPv6` addresses to [.noloc]`Pods` and services, see <>. +**** can assign a significantly higher number of IP addresses to Pods than the default configuration, see <>. +**** can assign `IPv4` addresses to Pods from a different CIDR block than that of the instance, see <>. +**** can assign `IPv6` addresses to Pods and services, see <>. **** use the `containerd` runtime, you must deploy the node group using a `config` file. For more information, see <>. **** don't have outbound internet access, see <>. + @@ -80,11 +80,11 @@ An example output is as follows. Several lines are output while the nodes are cr ---- [✔] created 1 nodegroup(s) in cluster "my-cluster" ---- -. (Optional) Deploy a <> to test your cluster and [.noloc]`Linux` nodes. -. We recommend blocking [.noloc]`Pod` access to IMDS if the following conditions are true: +. (Optional) Deploy a <> to test your cluster and Linux nodes. +. We recommend blocking Pod access to IMDS if the following conditions are true: + -*** You plan to assign IAM roles to all of your [.noloc]`Kubernetes` service accounts so that [.noloc]`Pods` only have the minimum permissions that they need. -*** No [.noloc]`Pods` in the cluster require access to the Amazon EC2 instance metadata service (IMDS) for other reasons, such as retrieving the current {aws} Region. +*** You plan to assign IAM roles to all of your Kubernetes service accounts so that Pods only have the minimum permissions that they need. +*** No Pods in the cluster require access to the Amazon EC2 instance metadata service (IMDS) for other reasons, such as retrieving the current {aws} Region. + For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. @@ -122,7 +122,7 @@ The following steps show one operation to retrieve the applicable group. ** *NodeAutoScalingGroupDesiredCapacity*: Enter the desired number of nodes to scale to when your stack is created. ** *NodeAutoScalingGroupMaxSize*: Enter the maximum number of nodes that your node Auto Scaling group can scale out to. ** *NodeInstanceType*: Choose an instance type for your nodes. For more information, see <>. -** *NodeImageIdSSMParam*: Pre-populated with the Amazon EC2 Systems Manager parameter of a recent Amazon EKS optimized AMI for a variable [.noloc]`Kubernetes` version. To use a different [.noloc]`Kubernetes` minor version supported with Amazon EKS, replace [.replaceable]`1.XX` with a different <>. We recommend specifying the same [.noloc]`Kubernetes` version as your cluster. +** *NodeImageIdSSMParam*: Pre-populated with the Amazon EC2 Systems Manager parameter of a recent Amazon EKS optimized AMI for a variable Kubernetes version. To use a different Kubernetes minor version supported with Amazon EKS, replace [.replaceable]`1.XX` with a different <>. We recommend specifying the same Kubernetes version as your cluster. + You can also replace [.replaceable]`amazon-linux-2` with a different AMI type. For more information, see <>. + @@ -133,16 +133,16 @@ NOTE: The Amazon EKS node AMIs are based on Amazon Linux. You can track security ** *KeyName*: Enter the name of an Amazon EC2 SSH key pair that you can use to connect using SSH into your nodes with after they launch. If you don't already have an Amazon EC2 key pair, you can create one in the {aws-management-console}. For more information, see link:AWSEC2/latest/UserGuide/ec2-key-pairs.html[Amazon EC2 key pairs,type="documentation"] in the _Amazon EC2 User Guide_. + NOTE: If you don't provide a key pair here, the {aws} CloudFormation stack creation fails. -** *BootstrapArguments*: Specify any optional arguments to pass to the node bootstrap script, such as extra `kubelet` arguments. For more information, view the https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap script usage information] on [.noloc]`GitHub`. +** *BootstrapArguments*: Specify any optional arguments to pass to the node bootstrap script, such as extra `kubelet` arguments. For more information, view the https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap script usage information] on GitHub. + To deploy a node group that: + -*** can assign a significantly higher number of IP addresses to [.noloc]`Pods` than the default configuration, see <>. -*** can assign `IPv4` addresses to [.noloc]`Pods` from a different [.noloc]`CIDR` block than that of the instance, see <>. -*** can assign `IPv6` addresses to [.noloc]`Pods` and services, see <>. +*** can assign a significantly higher number of IP addresses to Pods than the default configuration, see <>. +*** can assign `IPv4` addresses to Pods from a different CIDR block than that of the instance, see <>. +*** can assign `IPv6` addresses to Pods and services, see <>. *** use the `containerd` runtime, you must deploy the node group using a `config` file. For more information, see <>. *** don't have outbound internet access, see <>. -** *DisableIMDSv1*: By default, each node supports the Instance Metadata Service Version 1 (IMDSv1) and IMDSv2. You can disable IMDSv1. To prevent future nodes and [.noloc]`Pods` in the node group from using MDSv1, set *DisableIMDSv1* to *true*. For more information about IMDS, see link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html[Configuring the instance metadata service,type="documentation"]. For more information about restricting access to it on your nodes, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. +** *DisableIMDSv1*: By default, each node supports the Instance Metadata Service Version 1 (IMDSv1) and IMDSv2. You can disable IMDSv1. To prevent future nodes and Pods in the node group from using MDSv1, set *DisableIMDSv1* to *true*. For more information about IMDS, see link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html[Configuring the instance metadata service,type="documentation"]. For more information about restricting access to it on your nodes, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. ** *VpcId*: Enter the ID for the <> that you created. ** *Subnets*: Choose the subnets that you created for your VPC. If you created your VPC using the steps that are described in <>, specify only the private subnets within the VPC for your nodes to launch into. You can see which subnets are private by opening each subnet link from the *Networking* tab of your cluster. + @@ -225,7 +225,7 @@ Enter `Ctrl`+``C`` to return to a shell prompt. NOTE: If you receive any authorization or resource type errors, see <> in the troubleshooting topic. + If nodes fail to join the cluster, then see <> in the Troubleshooting chapter. -. (GPU nodes only) If you chose a GPU instance type and the Amazon EKS optimized accelerated AMI, you must apply the https://github.com/NVIDIA/k8s-device-plugin[NVIDIA device plugin for Kubernetes] as a [.noloc]`DaemonSet` on your cluster. Replace [.replaceable]`vX.X.X` with your desired https://github.com/NVIDIA/k8s-device-plugin/releases[NVIDIA/k8s-device-plugin] version before running the following command. +. (GPU nodes only) If you chose a GPU instance type and the Amazon EKS optimized accelerated AMI, you must apply the https://github.com/NVIDIA/k8s-device-plugin[NVIDIA device plugin for Kubernetes] as a DaemonSet on your cluster. Replace [.replaceable]`vX.X.X` with your desired https://github.com/NVIDIA/k8s-device-plugin/releases[NVIDIA/k8s-device-plugin] version before running the following command. + [source,bash,subs="verbatim,attributes"] ---- @@ -234,12 +234,12 @@ kubectl apply -f https://raw.githubusercontent.com/NVIDIA/k8s-device-plugin/vX.X *Step 3: Additional actions* -. (Optional) Deploy a <> to test your cluster and [.noloc]`Linux` nodes. -. (Optional) If the *AmazonEKS_CNI_Policy* managed IAM policy (if you have an `IPv4` cluster) or the [.replaceable]`AmazonEKS_CNI_IPv6_Policy` (that you <> if you have an `IPv6` cluster) is attached to your <>, we recommend assigning it to an IAM role that you associate to the [.noloc]`Kubernetes` `aws-node` service account instead. For more information, see <>. -. We recommend blocking [.noloc]`Pod` access to IMDS if the following conditions are true: +. (Optional) Deploy a <> to test your cluster and Linux nodes. +. (Optional) If the *AmazonEKS_CNI_Policy* managed IAM policy (if you have an `IPv4` cluster) or the [.replaceable]`AmazonEKS_CNI_IPv6_Policy` (that you <> if you have an `IPv6` cluster) is attached to your <>, we recommend assigning it to an IAM role that you associate to the Kubernetes `aws-node` service account instead. For more information, see <>. +. We recommend blocking Pod access to IMDS if the following conditions are true: + -** You plan to assign IAM roles to all of your [.noloc]`Kubernetes` service accounts so that [.noloc]`Pods` only have the minimum permissions that they need. -** No [.noloc]`Pods` in the cluster require access to the Amazon EC2 instance metadata service (IMDS) for other reasons, such as retrieving the current {aws} Region. +** You plan to assign IAM roles to all of your Kubernetes service accounts so that Pods only have the minimum permissions that they need. +** No Pods in the cluster require access to the Amazon EC2 instance metadata service (IMDS) for other reasons, such as retrieving the current {aws} Region. + For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. \ No newline at end of file diff --git a/latest/ug/nodes/learn-status-conditions.adoc b/latest/ug/nodes/learn-status-conditions.adoc index 14974dde6..1723f7d49 100644 --- a/latest/ug/nodes/learn-status-conditions.adoc +++ b/latest/ug/nodes/learn-status-conditions.adoc @@ -12,7 +12,7 @@ This topic explains the tools and methods available for monitoring node health s This topic explains the tools and methods available for monitoring node health status in Amazon EKS clusters. The information covers node conditions, events, and detection cases that help you identify and diagnose node-level issues. Use the commands and patterns described here to inspect node health resources, interpret status conditions, and analyze node events for operational troubleshooting. -You can get some node health information with [.noloc]`Kubernetes` commands for all nodes. And if you use the node monitoring agent through Amazon EKS Auto Mode or the Amazon EKS managed add-on, you will get a wider variety of node signals to help troubleshoot. Descriptions of detected health issues by the node monitoring agent are also made available in the observability dashboard. For more information, see <>. +You can get some node health information with Kubernetes commands for all nodes. And if you use the node monitoring agent through Amazon EKS Auto Mode or the Amazon EKS managed add-on, you will get a wider variety of node signals to help troubleshoot. Descriptions of detected health issues by the node monitoring agent are also made available in the observability dashboard. For more information, see <>. [#status-node-conditions] == Node conditions diff --git a/latest/ug/nodes/managed-node-groups.adoc b/latest/ug/nodes/managed-node-groups.adoc index 08f8e3310..8374f6c79 100644 --- a/latest/ug/nodes/managed-node-groups.adoc +++ b/latest/ug/nodes/managed-node-groups.adoc @@ -18,18 +18,18 @@ include::delete-managed-node-group.adoc[leveloffset=+1] [abstract] -- -Amazon EKS managed node groups automate the provisioning and lifecycle management of nodes (Amazon EC2 instances) for Amazon EKS [.noloc]`Kubernetes` clusters. +Amazon EKS managed node groups automate the provisioning and lifecycle management of nodes (Amazon EC2 instances) for Amazon EKS Kubernetes clusters. -- -Amazon EKS managed node groups automate the provisioning and lifecycle management of nodes (Amazon EC2 instances) for Amazon EKS [.noloc]`Kubernetes` clusters. +Amazon EKS managed node groups automate the provisioning and lifecycle management of nodes (Amazon EC2 instances) for Amazon EKS Kubernetes clusters. -With Amazon EKS managed node groups, you don't need to separately provision or register the Amazon EC2 instances that provide compute capacity to run your [.noloc]`Kubernetes` applications. You can create, automatically update, or terminate nodes for your cluster with a single operation. Node updates and terminations automatically drain nodes to ensure that your applications stay available. +With Amazon EKS managed node groups, you don't need to separately provision or register the Amazon EC2 instances that provide compute capacity to run your Kubernetes applications. You can create, automatically update, or terminate nodes for your cluster with a single operation. Node updates and terminations automatically drain nodes to ensure that your applications stay available. Every managed node is provisioned as part of an Amazon EC2 Auto Scaling group that's managed for you by Amazon EKS. Every resource including the instances and Auto Scaling groups runs within your {aws} account. Each node group runs across multiple Availability Zones that you define. Managed node groups can also optionally leverage node auto repair, which continuously monitors the health of nodes. It automatically reacts to detected problems and replaces nodes when possible. This helps overall availability of the cluster with minimal manual intervention. For more information, see <>. -You can add a managed node group to new or existing clusters using the Amazon EKS console, `eksctl`, {aws} CLI, {aws} API, or infrastructure as code tools including {aws} CloudFormation. Nodes launched as part of a managed node group are automatically tagged for auto-discovery by the [.noloc]`Kubernetes` https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaler]. You can use the node group to apply [.noloc]`Kubernetes` labels to nodes and update them at any time. +You can add a managed node group to new or existing clusters using the Amazon EKS console, `eksctl`, {aws} CLI, {aws} API, or infrastructure as code tools including {aws} CloudFormation. Nodes launched as part of a managed node group are automatically tagged for auto-discovery by the Kubernetes https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaler]. You can use the node group to apply Kubernetes labels to nodes and update them at any time. There are no additional costs to use Amazon EKS managed node groups, you only pay for the {aws} resources you provision. These include Amazon EC2 instances, Amazon EBS volumes, Amazon EKS cluster hours, and any other {aws} infrastructure. There are no minimum fees and no upfront commitments. @@ -43,9 +43,9 @@ To add a managed node group to an existing cluster, see <>. If you don't use a custom launch template when first creating a managed node group, there is an auto-generated launch template. Don't manually modify this auto-generated template or errors occur. * Amazon EKS follows the shared responsibility model for CVEs and security patches on managed node groups. When managed nodes run an Amazon EKS optimized AMI, Amazon EKS is responsible for building patched versions of the AMI when bugs or issues are reported. We can publish a fix. However, you're responsible for deploying these patched AMI versions to your managed node groups. When managed nodes run a custom AMI, you're responsible for building patched versions of the AMI when bugs or issues are reported and then deploying the AMI. For more information, see <>. * Amazon EKS managed node groups can be launched in both public and private subnets. If you launch a managed node group in a public subnet on or after April 22, 2020, the subnet must have `MapPublicIpOnLaunch` set to true for the instances to successfully join a cluster. If the public subnet was created using `eksctl` or the <> on or after March 26, 2020, then this setting is already set to true. If the public subnets were created before March 26, 2020, you must change the setting manually. For more information, see link:vpc/latest/userguide/vpc-ip-addressing.html#subnet-public-ip[Modifying the public IPv4 addressing attribute for your subnet,type="documentation"]. @@ -60,11 +60,11 @@ For other commonly-used services and endpoints, see <>. * Managed node groups can't be deployed on <> or in link:wavelength/[{aws} Wavelength,type="documentation"]. Managed node groups can be created on link:about-aws/global-infrastructure/localzones/[{aws} Local Zones,type="marketing"]. For more information, see <>. * You can create multiple managed node groups within a single cluster. For example, you can create one node group with the standard Amazon EKS optimized Amazon Linux AMI for some workloads and another with the GPU variant for workloads that require GPU support. * If your managed node group encounters an link:AWSEC2/latest/UserGuide/monitoring-system-instance-status-check.html[Amazon EC2 instance status check,type="documentation"] failure, Amazon EKS returns an error code to help you to diagnose the issue. For more information, see <>. -* Amazon EKS adds [.noloc]`Kubernetes` labels to managed node group instances. These Amazon EKS provided labels are prefixed with `eks.amazonaws.com`. -* Amazon EKS automatically drains nodes using the [.noloc]`Kubernetes` API during terminations or updates. -* Pod disruption budgets aren't respected when terminating a node with `AZRebalance` or reducing the desired node count. These actions try to evict [.noloc]`Pods` on the node. But if it takes more than 15 minutes, the node is terminated regardless of whether all [.noloc]`Pods` on the node are terminated. To extend the period until the node is terminated, add a lifecycle hook to the Auto Scaling group. For more information, see link:autoscaling/ec2/userguide/adding-lifecycle-hooks.html[Add lifecycle hooks,type="documentation"] in the _Amazon EC2 Auto Scaling User Guide_. +* Amazon EKS adds Kubernetes labels to managed node group instances. These Amazon EKS provided labels are prefixed with `eks.amazonaws.com`. +* Amazon EKS automatically drains nodes using the Kubernetes API during terminations or updates. +* Pod disruption budgets aren't respected when terminating a node with `AZRebalance` or reducing the desired node count. These actions try to evict Pods on the node. But if it takes more than 15 minutes, the node is terminated regardless of whether all Pods on the node are terminated. To extend the period until the node is terminated, add a lifecycle hook to the Auto Scaling group. For more information, see link:autoscaling/ec2/userguide/adding-lifecycle-hooks.html[Add lifecycle hooks,type="documentation"] in the _Amazon EC2 Auto Scaling User Guide_. * In order to run the drain process correctly after receiving a Spot interruption notification or a capacity rebalance notification, `CapacityRebalance` must be set to `true`. -* Updating managed node groups respects the [.noloc]`Pod` disruption budgets that you set for your [.noloc]`Pods`. For more information, see <>. +* Updating managed node groups respects the Pod disruption budgets that you set for your Pods. For more information, see <>. * There are no additional costs to use Amazon EKS managed node groups. You only pay for the {aws} resources that you provision. * If you want to encrypt Amazon EBS volumes for your nodes, you can deploy the nodes using a launch template. To deploy managed nodes with encrypted Amazon EBS volumes without using a launch template, encrypt all new Amazon EBS volumes created in your account. For more information, see link:AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default[Encryption by default,type="documentation"] in the _Amazon EC2 User Guide_. @@ -72,7 +72,7 @@ For other commonly-used services and endpoints, see <>. [#managed-node-group-capacity-types] == Managed node group capacity types -When creating a managed node group, you can choose either the On-Demand or Spot capacity type. Amazon EKS deploys a managed node group with an Amazon EC2 Auto Scaling group that either contains only On-Demand or only Amazon EC2 Spot Instances. You can schedule [.noloc]`Pods` for fault tolerant applications to Spot managed node groups, and fault intolerant applications to On-Demand node groups within a single [.noloc]`Kubernetes` cluster. By default, a managed node group deploys On-Demand Amazon EC2 instances. +When creating a managed node group, you can choose either the On-Demand or Spot capacity type. Amazon EKS deploys a managed node group with an Amazon EC2 Auto Scaling group that either contains only On-Demand or only Amazon EC2 Spot Instances. You can schedule Pods for fault tolerant applications to Spot managed node groups, and fault intolerant applications to On-Demand node groups within a single Kubernetes cluster. By default, a managed node group deploys On-Demand Amazon EC2 instances. [#managed-node-group-capacity-types-on-demand] === On-Demand @@ -85,7 +85,7 @@ With On-Demand Instances, you pay for compute capacity by the second, with no lo By default, if you don't specify a *Capacity Type*, the managed node group is provisioned with On-Demand Instances. A managed node group configures an Amazon EC2 Auto Scaling group on your behalf with the following settings applied: * The allocation strategy to provision On-Demand capacity is set to `prioritized`. Managed node groups use the order of instance types passed in the API to determine which instance type to use first when fulfilling On-Demand capacity. For example, you might specify three instance types in the following order: `c5.large`, `c4.large`, and `c3.large`. When your On-Demand Instances are launched, the managed node group fulfills On-Demand capacity by starting with `c5.large`, then `c4.large`, and then `c3.large`. For more information, see link:autoscaling/ec2/userguide/asg-purchase-options.html#asg-allocation-strategies[Amazon EC2 Auto Scaling group,type="documentation"] in the _Amazon EC2 Auto Scaling User Guide_. -* Amazon EKS adds the following [.noloc]`Kubernetes` label to all nodes in your managed node group that specifies the capacity type: `eks.amazonaws.com/capacityType: ON_DEMAND`. You can use this label to schedule stateful or fault intolerant applications on On-Demand nodes. +* Amazon EKS adds the following Kubernetes label to all nodes in your managed node group that specifies the capacity type: `eks.amazonaws.com/capacityType: ON_DEMAND`. You can use this label to schedule stateful or fault intolerant applications on On-Demand nodes. [#managed-node-group-capacity-types-spot] @@ -100,8 +100,8 @@ To use Spot Instances inside a managed node group, create a managed node group b * To ensure that your Spot nodes are provisioned in the optimal Spot capacity pools, the allocation strategy is set to one of the following: + -** `price-capacity-optimized` (PCO) – When creating new node groups in a cluster with [.noloc]`Kubernetes` version `1.28` or higher, the allocation strategy is set to `price-capacity-optimized`. However, the allocation strategy won't be changed for node groups already created with `capacity-optimized` before Amazon EKS managed node groups started to support PCO. -** `capacity-optimized` (CO) – When creating new node groups in a cluster with [.noloc]`Kubernetes` version `1.27` or lower, the allocation strategy is set to `capacity-optimized`. +** `price-capacity-optimized` (PCO) – When creating new node groups in a cluster with Kubernetes version `1.28` or higher, the allocation strategy is set to `price-capacity-optimized`. However, the allocation strategy won't be changed for node groups already created with `capacity-optimized` before Amazon EKS managed node groups started to support PCO. +** `capacity-optimized` (CO) – When creating new node groups in a cluster with Kubernetes version `1.27` or lower, the allocation strategy is set to `capacity-optimized`. + To increase the number of Spot capacity pools available for allocating capacity from, configure a managed node group to use multiple instance types. @@ -109,8 +109,8 @@ To increase the number of Spot capacity pools available for allocating capacity + ** When a Spot node receives a rebalance recommendation, Amazon EKS automatically attempts to launch a new replacement Spot node. ** If a Spot two-minute interruption notice arrives before the replacement Spot node is in a `Ready` state, Amazon EKS starts draining the Spot node that received the rebalance recommendation. Amazon EKS drains the node on a best-effort basis. As a result, there's no guarantee that Amazon EKS will wait for the replacement node to join the cluster before draining the existing node. -** When a replacement Spot node is bootstrapped and in the `Ready` state on [.noloc]`Kubernetes`, Amazon EKS cordons and drains the Spot node that received the rebalance recommendation. Cordoning the Spot node ensures that the service controller doesn't send any new requests to this Spot node. It also removes it from its list of healthy, active Spot nodes. Draining the Spot node ensures that running [.noloc]`Pods` are evicted gracefully. -* Amazon EKS adds the following [.noloc]`Kubernetes` label to all nodes in your managed node group that specifies the capacity type: `eks.amazonaws.com/capacityType: SPOT`. You can use this label to schedule fault tolerant applications on Spot nodes. +** When a replacement Spot node is bootstrapped and in the `Ready` state on Kubernetes, Amazon EKS cordons and drains the Spot node that received the rebalance recommendation. Cordoning the Spot node ensures that the service controller doesn't send any new requests to this Spot node. It also removes it from its list of healthy, active Spot nodes. Draining the Spot node ensures that running Pods are evicted gracefully. +* Amazon EKS adds the following Kubernetes label to all nodes in your managed node group that specifies the capacity type: `eks.amazonaws.com/capacityType: SPOT`. You can use this label to schedule fault tolerant applications on Spot nodes. diff --git a/latest/ug/nodes/managed-node-update-behavior.adoc b/latest/ug/nodes/managed-node-update-behavior.adoc index 025850cd0..7c9b7e8d4 100644 --- a/latest/ug/nodes/managed-node-update-behavior.adoc +++ b/latest/ug/nodes/managed-node-update-behavior.adoc @@ -54,7 +54,7 @@ These are the Amazon EKS applied labels on the worker nodes in a custom launch t *** `eks.amazonaws.com/nodegroup=$nodeGroupName` *** `eks.amazonaws.com/sourceLaunchTemplateId=$launchTemplateId` *** `eks.amazonaws.com/sourceLaunchTemplateVersion=$launchTemplateVersion` -. It marks nodes as unschedulable to avoid scheduling new [.noloc]`Pods`. It also labels nodes with `node.kubernetes.io/exclude-from-external-load-balancers=true` to remove the nodes from load balancers before terminating the nodes. +. It marks nodes as unschedulable to avoid scheduling new Pods. It also labels nodes with `node.kubernetes.io/exclude-from-external-load-balancers=true` to remove the nodes from load balancers before terminating the nodes. The following are known reasons which lead to a `NodeCreationFailure` error in this phase: @@ -62,7 +62,7 @@ The following are known reasons which lead to a `NodeCreationFailure` error in t There is a possibility that the Availability Zone might not have capacity of requested instance types. It's recommended to configure multiple instance types while creating a managed node group. *EC2 instance limits in your account*:: -You may need to increase the number of Amazon EC2 instances your account can run simultaneously using Service Quotas. For more information, see link:AWSEC2/latest/UserGuide/ec2-resource-limits.html[EC2 Service Quotas,type="documentation"] in the _Amazon Elastic Compute Cloud User Guide for [.noloc]`Linux` Instances_. +You may need to increase the number of Amazon EC2 instances your account can run simultaneously using Service Quotas. For more information, see link:AWSEC2/latest/UserGuide/ec2-resource-limits.html[EC2 Service Quotas,type="documentation"] in the _Amazon Elastic Compute Cloud User Guide for Linux Instances_. *Custom user data*:: Custom user data can sometimes break the bootstrap process. This scenario can lead to the `kubelet` not starting on the node or nodes not getting expected Amazon EKS labels on them. For more information, see <>. @@ -86,16 +86,16 @@ The _default_ update strategy has these steps: . It increases the quantity of nodes (desired count) in the Auto Scaling Group, causing the node group to create additional nodes. . It randomly selects a node that needs to be upgraded, up to the maximum unavailable configured for the node group. -. It drains the [.noloc]`Pods` from the node. If the [.noloc]`Pods` don't leave the node within 15 minutes and there's no force flag, the upgrade phase fails with a `PodEvictionFailure` error. For this scenario, you can apply the force flag with the `update-nodegroup-version` request to delete the [.noloc]`Pods`. -. It cordons the node after every [.noloc]`Pod` is evicted and waits for 60 seconds. This is done so that the service controller doesn't send any new requests to this node and removes this node from its list of active nodes. +. It drains the Pods from the node. If the Pods don't leave the node within 15 minutes and there's no force flag, the upgrade phase fails with a `PodEvictionFailure` error. For this scenario, you can apply the force flag with the `update-nodegroup-version` request to delete the Pods. +. It cordons the node after every Pod is evicted and waits for 60 seconds. This is done so that the service controller doesn't send any new requests to this node and removes this node from its list of active nodes. . It sends a termination request to the Auto Scaling Group for the cordoned node. . It repeats the previous upgrade steps until there are no nodes in the node group that are deployed with the earlier version of the launch template. The _minimal_ update strategy has these steps: . It randomly selects a node that needs to be upgraded, up to the maximum unavailable configured for the node group. -. It drains the [.noloc]`Pods` from the node. If the [.noloc]`Pods` don't leave the node within 15 minutes and there's no force flag, the upgrade phase fails with a `PodEvictionFailure` error. For this scenario, you can apply the force flag with the `update-nodegroup-version` request to delete the [.noloc]`Pods`. -. It cordons the node after every [.noloc]`Pod` is evicted and waits for 60 seconds. This is done so that the service controller doesn't send any new requests to this node and removes this node from its list of active nodes. +. It drains the Pods from the node. If the Pods don't leave the node within 15 minutes and there's no force flag, the upgrade phase fails with a `PodEvictionFailure` error. For this scenario, you can apply the force flag with the `update-nodegroup-version` request to delete the Pods. +. It cordons the node after every Pod is evicted and waits for 60 seconds. This is done so that the service controller doesn't send any new requests to this node and removes this node from its list of active nodes. . It sends a termination request to the Auto Scaling Group for the cordoned node. The Auto Scaling Group creates a new node to replace the missing capacity. . It repeats the previous upgrade steps until there are no nodes in the node group that are deployed with the earlier version of the launch template. @@ -104,10 +104,10 @@ The _minimal_ update strategy has these steps: The following are known reasons which lead to a `PodEvictionFailure` error in this phase: *Aggressive PDB*:: -Aggressive PDB is defined on the [.noloc]`Pod` or there are multiple PDBs pointing to the same [.noloc]`Pod`. +Aggressive PDB is defined on the Pod or there are multiple PDBs pointing to the same Pod. *Deployment tolerating all the taints*:: -Once every [.noloc]`Pod` is evicted, it's expected for the node to be empty because the node is https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/[tainted] in the earlier steps. However, if the deployment tolerates every taint, then the node is more likely to be non-empty, leading to [.noloc]`Pod` eviction failure. +Once every Pod is evicted, it's expected for the node to be empty because the node is https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/[tainted] in the earlier steps. However, if the deployment tolerates every taint, then the node is more likely to be non-empty, leading to Pod eviction failure. [#managed-node-update-scale-down] diff --git a/latest/ug/nodes/migrate-stack.adoc b/latest/ug/nodes/migrate-stack.adoc index 3ab484ea0..c3091da4a 100644 --- a/latest/ug/nodes/migrate-stack.adoc +++ b/latest/ug/nodes/migrate-stack.adoc @@ -50,17 +50,17 @@ An example output is as follows. CLUSTER NODEGROUP CREATED MIN SIZE MAX SIZE DESIRED CAPACITY INSTANCE TYPE IMAGE ID default standard-nodes 2019-05-01T22:26:58Z 1 4 3 t3.medium ami-05a71d034119ffc12 ---- -. Launch a new node group with `eksctl` with the following command. In the command, replace every [.replaceable]`example value` with your own values. The version number can't be later than the [.noloc]`Kubernetes` version for your control plane. Also, it can't be more than two minor versions earlier than the [.noloc]`Kubernetes` version for your control plane. We recommend that you use the same version as your control plane. +. Launch a new node group with `eksctl` with the following command. In the command, replace every [.replaceable]`example value` with your own values. The version number can't be later than the Kubernetes version for your control plane. Also, it can't be more than two minor versions earlier than the Kubernetes version for your control plane. We recommend that you use the same version as your control plane. + -We recommend blocking [.noloc]`Pod` access to IMDS if the following conditions are true: +We recommend blocking Pod access to IMDS if the following conditions are true: + -** You plan to assign IAM roles to all of your [.noloc]`Kubernetes` service accounts so that [.noloc]`Pods` only have the minimum permissions that they need. -** No [.noloc]`Pods` in the cluster require access to the Amazon EC2 instance metadata service (IMDS) for other reasons, such as retrieving the current {aws} Region. +** You plan to assign IAM roles to all of your Kubernetes service accounts so that Pods only have the minimum permissions that they need. +** No Pods in the cluster require access to the Amazon EC2 instance metadata service (IMDS) for other reasons, such as retrieving the current {aws} Region. + For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. + -To block [.noloc]`Pod` access to IMDS, add the `--disable-pod-imds` option to the following command. +To block Pod access to IMDS, add the `--disable-pod-imds` option to the following command. + [NOTE] ==== @@ -122,7 +122,7 @@ newSecGroup=$(aws cloudformation describe-stack-resources --stack-name $newNodes ---- .. Add ingress rules to each node security group so that they accept traffic from each other. + -The following {aws} CLI commands add inbound rules to each security group that allow all traffic on all protocols from the other security group. This configuration allows [.noloc]`Pods` in each node group to communicate with each other while you're migrating your workload to the new group. +The following {aws} CLI commands add inbound rules to each security group that allow all traffic on all protocols from the other security group. This configuration allows Pods in each node group to communicate with each other while you're migrating your workload to the new group. + [source,bash,subs="verbatim,attributes"] ---- @@ -170,14 +170,14 @@ kubectl get nodes --watch ---- kubectl scale deployments/cluster-autoscaler --replicas=0 -n kube-system ---- -. Use the following command to taint each of the nodes that you want to remove with `NoSchedule`. This is so that new [.noloc]`Pods` aren't scheduled or rescheduled on the nodes that you're replacing. For more information, see https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/[Taints and Tolerations] in the [.noloc]`Kubernetes` documentation. +. Use the following command to taint each of the nodes that you want to remove with `NoSchedule`. This is so that new Pods aren't scheduled or rescheduled on the nodes that you're replacing. For more information, see https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/[Taints and Tolerations] in the Kubernetes documentation. + [source,bash,subs="verbatim,attributes"] ---- kubectl taint nodes node_name key=value:NoSchedule ---- + -If you're upgrading your nodes to a new [.noloc]`Kubernetes` version, you can identify and taint all of the nodes of a particular [.noloc]`Kubernetes` version (in this case, `{k8s-n-2}`) with the following code snippet. The version number can't be later than the [.noloc]`Kubernetes` version of your control plane. It also can't be more than two minor versions earlier than the [.noloc]`Kubernetes` version of your control plane. We recommend that you use the same version as your control plane. +If you're upgrading your nodes to a new Kubernetes version, you can identify and taint all of the nodes of a particular Kubernetes version (in this case, `{k8s-n-2}`) with the following code snippet. The version number can't be later than the Kubernetes version of your control plane. It also can't be more than two minor versions earlier than the Kubernetes version of your control plane. We recommend that you use the same version as your control plane. + [source,bash,subs="verbatim,attributes"] ---- @@ -196,7 +196,7 @@ done kubectl get deployments -l k8s-app=kube-dns -n kube-system ---- + -An example output is as follows. This cluster is using [.noloc]`CoreDNS` for DNS resolution, but your cluster can return `kube-dns` instead): +An example output is as follows. This cluster is using CoreDNS for DNS resolution, but your cluster can return `kube-dns` instead): + [source,bash,subs="verbatim,attributes"] ---- @@ -216,7 +216,7 @@ kubectl scale deployments/coredns --replicas=2 -n kube-system kubectl drain node_name --ignore-daemonsets --delete-local-data ---- + -If you're upgrading your nodes to a new [.noloc]`Kubernetes` version, identify and drain all of the nodes of a particular [.noloc]`Kubernetes` version (in this case, [.replaceable]`{k8s-n-2}`) with the following code snippet. +If you're upgrading your nodes to a new Kubernetes version, identify and drain all of the nodes of a particular Kubernetes version (in this case, [.replaceable]`{k8s-n-2}`) with the following code snippet. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/nodes/monitoring-fargate-usage.adoc b/latest/ug/nodes/monitoring-fargate-usage.adoc index 9306e5358..d91c9ec3d 100644 --- a/latest/ug/nodes/monitoring-fargate-usage.adoc +++ b/latest/ug/nodes/monitoring-fargate-usage.adoc @@ -14,7 +14,7 @@ You can collect system metrics and CloudWatch usage metrics for {aws} Fargate. [#fargate-application-metrics] == Application metrics -For applications running on Amazon EKS and {aws} Fargate, you can use the {aws} Distro for [.noloc]`OpenTelemetry` (ADOT). ADOT allows you to collect system metrics and send them to CloudWatch Container Insights dashboards. To get started with ADOT for applications running on Fargate, see https://aws-otel.github.io/docs/getting-started/container-insights[Using CloudWatch Container Insights with {aws} Distro for OpenTelemetry] in the ADOT documentation. +For applications running on Amazon EKS and {aws} Fargate, you can use the {aws} Distro for OpenTelemetry (ADOT). ADOT allows you to collect system metrics and send them to CloudWatch Container Insights dashboards. To get started with ADOT for applications running on Fargate, see https://aws-otel.github.io/docs/getting-started/container-insights[Using CloudWatch Container Insights with {aws} Distro for OpenTelemetry] in the ADOT documentation. [#fargate-usage-metrics] == Usage metrics @@ -57,7 +57,7 @@ Currently, {aws} Fargate returns information on your Fargate On-Demand usage. Th [NOTE] ==== -Fargate On-Demand usage combines Amazon EKS [.noloc]`Pods` using Fargate, Amazon ECS tasks using the Fargate launch type and Amazon ECS tasks using the `FARGATE` capacity provider. +Fargate On-Demand usage combines Amazon EKS Pods using Fargate, Amazon ECS tasks using the Fargate launch type and Amazon ECS tasks using the `FARGATE` capacity provider. ==== diff --git a/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc b/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc index e9ea22b7c..5ec4b050e 100644 --- a/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc +++ b/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc @@ -1,6 +1,6 @@ [.topic] [#retrieve-ami-id-bottlerocket] -= Retrieve recommended [.noloc]`Bottlerocket` AMI IDs += Retrieve recommended Bottlerocket AMI IDs :info_titleabbrev: Get latest IDs include::../attributes.txt[] @@ -12,7 +12,7 @@ You can retrieve the Amazon Machine Image (AMI) ID for Amazon EKS optimized AMIs When deploying nodes, you can specify an ID for a pre-built Amazon EKS optimized Amazon Machine Image (AMI). To retrieve an AMI ID that fits your desired configuration, query the {aws} Systems Manager Parameter Store API. Using this API eliminates the need to manually look up Amazon EKS optimized AMI IDs. For more information, see link:systems-manager/latest/APIReference/API_GetParameter.html[GetParameter,type="documentation"]. The link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that you use must have the `ssm:GetParameter` IAM permission to retrieve the Amazon EKS optimized AMI metadata. -You can retrieve the image ID of the latest recommended Amazon EKS optimized [.noloc]`Bottlerocket` AMI with the following {aws} CLI command, which uses the sub-parameter `image_id`. Make the following modifications to the command as needed and then run the modified command: +You can retrieve the image ID of the latest recommended Amazon EKS optimized Bottlerocket AMI with the following {aws} CLI command, which uses the sub-parameter `image_id`. Make the following modifications to the command as needed and then run the modified command: * Replace [.replaceable]`kubernetes-version` with a supported <>. * Replace [.replaceable]`-flavor` with one of the following options. diff --git a/latest/ug/nodes/retrieve-windows-ami-id.adoc b/latest/ug/nodes/retrieve-windows-ami-id.adoc index cf6544a02..a0a1726a6 100644 --- a/latest/ug/nodes/retrieve-windows-ami-id.adoc +++ b/latest/ug/nodes/retrieve-windows-ami-id.adoc @@ -1,6 +1,6 @@ [.topic] [#retrieve-windows-ami-id] -= Retrieve recommended [.noloc]`Microsoft Windows` AMI IDs += Retrieve recommended Microsoft Windows AMI IDs :info_titleabbrev: Get latest IDs include::../attributes.txt[] @@ -12,16 +12,16 @@ You can programmatically retrieve the Amazon Machine Image (AMI) ID for Amazon E When deploying nodes, you can specify an ID for a pre-built Amazon EKS optimized Amazon Machine Image (AMI). To retrieve an AMI ID that fits your desired configuration, query the {aws} Systems Manager Parameter Store API. Using this API eliminates the need to manually look up Amazon EKS optimized AMI IDs. For more information, see link:systems-manager/latest/APIReference/API_GetParameter.html[GetParameter,type="documentation"]. The link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that you use must have the `ssm:GetParameter` IAM permission to retrieve the Amazon EKS optimized AMI metadata. -You can retrieve the image ID of the latest recommended Amazon EKS optimized [.noloc]`Windows` AMI with the following command, which uses the sub-parameter `image_id`. Make the following modifications to the command as needed and then run the modified command: +You can retrieve the image ID of the latest recommended Amazon EKS optimized Windows AMI with the following command, which uses the sub-parameter `image_id`. Make the following modifications to the command as needed and then run the modified command: * Replace [.replaceable]`release` with one of the following options. + -** Use [.replaceable]`2022` for [.noloc]`Windows` Server 2022, but only if you're using [.noloc]`Kubernetes` version `1.24` or later. -** Use [.replaceable]`2019` for [.noloc]`Windows` Server 2019. +** Use [.replaceable]`2022` for Windows Server 2022, but only if you're using Kubernetes version `1.24` or later. +** Use [.replaceable]`2019` for Windows Server 2019. * Replace [.replaceable]`installation-option` with one of the following options. For more information, see https://learn.microsoft.com/en-us/windows-server/administration/server-core/what-is-server-core[What is the Server Core installation option in Windows Server]. + ** Use [.replaceable]`Core` for a minimal installation with a smaller attack surface. -** Use [.replaceable]`Full` to include the [.noloc]`Windows` desktop experience. +** Use [.replaceable]`Full` to include the Windows desktop experience. * Replace [.replaceable]`kubernetes-version` with a supported <>. * Replace [.replaceable]`region-code` with an link:general/latest/gr/eks.html[Amazon EKS supported {aws} Region,type="documentation"] for which you want the AMI ID. diff --git a/latest/ug/nodes/self-managed-windows-server-2022.adoc b/latest/ug/nodes/self-managed-windows-server-2022.adoc index 019eaeae3..b70a7948c 100644 --- a/latest/ug/nodes/self-managed-windows-server-2022.adoc +++ b/latest/ug/nodes/self-managed-windows-server-2022.adoc @@ -1,21 +1,21 @@ [.topic] [#self-managed-windows-server-2022] -= Create self-managed [.noloc]`Windows` Server 2022 nodes with `eksctl` += Create self-managed Windows Server 2022 nodes with `eksctl` :info_titleabbrev: Windows Server 2022 include::../attributes.txt[] [abstract] -- -This topic includes a YAML file as reference for creating self-managed [.noloc]`Windows` Server 2022 nodes. +This topic includes a YAML file as reference for creating self-managed Windows Server 2022 nodes. -- -You can use the following `test-windows-2022.yaml` as reference for creating self-managed [.noloc]`Windows` Server 2022 nodes. Replace every [.replaceable]`example value` with your own values. +You can use the following `test-windows-2022.yaml` as reference for creating self-managed Windows Server 2022 nodes. Replace every [.replaceable]`example value` with your own values. [NOTE] ==== -You must use `eksctl` version https://github.com/weaveworks/eksctl/releases/tag/v0.116.0[0.116.0] or later to run self-managed [.noloc]`Windows` Server 2022 nodes. +You must use `eksctl` version https://github.com/weaveworks/eksctl/releases/tag/v0.116.0[0.116.0] or later to run self-managed Windows Server 2022 nodes. ==== diff --git a/latest/ug/nodes/update-managed-node-group.adoc b/latest/ug/nodes/update-managed-node-group.adoc index 820c88d65..75d815595 100644 --- a/latest/ug/nodes/update-managed-node-group.adoc +++ b/latest/ug/nodes/update-managed-node-group.adoc @@ -16,22 +16,22 @@ There are several scenarios where it's useful to update your Amazon EKS managed -* You have updated the [.noloc]`Kubernetes` version for your Amazon EKS cluster and want to update your nodes to use the same [.noloc]`Kubernetes` version. +* You have updated the Kubernetes version for your Amazon EKS cluster and want to update your nodes to use the same Kubernetes version. * A new AMI release version is available for your managed node group. For more information about AMI versions, see these sections: + ** <> ** <> ** <> * You want to adjust the minimum, maximum, or desired count of the instances in your managed node group. -* You want to add or remove [.noloc]`Kubernetes` labels from the instances in your managed node group. +* You want to add or remove Kubernetes labels from the instances in your managed node group. * You want to add or remove {aws} tags from your managed node group. * You need to deploy a new version of a launch template with configuration changes, such as an updated custom AMI. -* You have deployed version `1.9.0` or later of the Amazon VPC CNI add-on, enabled the add-on for prefix delegation, and want new {aws} [.noloc]`Nitro System` instances in a node group to support a significantly increased number of [.noloc]`Pods`. For more information, see <>. -* You have enabled IP prefix delegation for Windows nodes and want new {aws} Nitro System instances in a node group to support a significantly increased number of [.noloc]`Pods`. For more information, see <>. +* You have deployed version `1.9.0` or later of the Amazon VPC CNI add-on, enabled the add-on for prefix delegation, and want new {aws} Nitro System instances in a node group to support a significantly increased number of Pods. For more information, see <>. +* You have enabled IP prefix delegation for Windows nodes and want new {aws} Nitro System instances in a node group to support a significantly increased number of Pods. For more information, see <>. -If there's a newer AMI release version for your managed node group's [.noloc]`Kubernetes` version, you can update your node group's version to use the newer AMI version. Similarly, if your cluster is running a [.noloc]`Kubernetes` version that's newer than your node group, you can update the node group to use the latest AMI release version to match your cluster's [.noloc]`Kubernetes` version. +If there's a newer AMI release version for your managed node group's Kubernetes version, you can update your node group's version to use the newer AMI version. Similarly, if your cluster is running a Kubernetes version that's newer than your node group, you can update the node group to use the latest AMI release version to match your cluster's Kubernetes version. -When a node in a managed node group is terminated due to a scaling operation or update, the [.noloc]`Pods` in that node are drained first. For more information, see <>. +When a node in a managed node group is terminated due to a scaling operation or update, the Pods in that node are drained first. For more information, see <>. [#mng-update] == Update a node group version @@ -47,7 +47,7 @@ The version that you update to can't be greater than the control plane's version *Update a managed node group using `eksctl`* -Update a managed node group to the latest AMI release of the same [.noloc]`Kubernetes` version that's currently deployed on the nodes with the following command. Replace every [.replaceable]`example value` with your own values. +Update a managed node group to the latest AMI release of the same Kubernetes version that's currently deployed on the nodes with the following command. Replace every [.replaceable]`example value` with your own values. [source,bash,subs="verbatim,attributes"] ---- @@ -61,7 +61,7 @@ NOTE: If you're upgrading a node group that's deployed with a launch template to You can't directly upgrade a node group that's deployed without a launch template to a new launch template version. Instead, you must deploy a new node group using the launch template to update the node group to a new launch template version. -You can upgrade a node group to the same version as the control plane's [.noloc]`Kubernetes` version. For example, if you have a cluster running [.noloc]`Kubernetes` `{k8s-n}`, you can upgrade nodes currently running [.noloc]`Kubernetes` `{k8s-n-1}` to version `{k8s-n}` with the following command. +You can upgrade a node group to the same version as the control plane's Kubernetes version. For example, if you have a cluster running Kubernetes `{k8s-n}`, you can upgrade nodes currently running Kubernetes `{k8s-n-1}` to version `{k8s-n}` with the following command. [source,bash,subs="verbatim,attributes"] ---- @@ -91,8 +91,8 @@ You won't see a notification for node groups that were deployed with a custom AM ** *Change launch template version* – This option is unavailable if the node group is deployed without a custom launch template. You can only update the launch template version for a node group that has been deployed with a custom launch template. Select the *Launch template version* that you want to update the node group to. If your node group is configured with a custom AMI, then the version that you select must also specify an AMI. When you upgrade to a newer version of your launch template, every node is recycled to match the new configuration of the launch template version specified. . For *Update strategy*, select one of the following options: + -** *Rolling update* – This option respects the [.noloc]`Pod` disruption budgets for your cluster. Updates fail if there's a [.noloc]`Pod` disruption budget issue that causes Amazon EKS to be unable to gracefully drain the [.noloc]`Pods` that are running on this node group. -** *Force update* – This option doesn't respect [.noloc]`Pod` disruption budgets. Updates occur regardless of [.noloc]`Pod` disruption budget issues by forcing node restarts to occur. +** *Rolling update* – This option respects the Pod disruption budgets for your cluster. Updates fail if there's a Pod disruption budget issue that causes Amazon EKS to be unable to gracefully drain the Pods that are running on this node group. +** *Force update* – This option doesn't respect Pod disruption budgets. Updates occur regardless of Pod disruption budget issues by forcing node restarts to occur. . Choose *Update*. @@ -112,8 +112,8 @@ You can modify some of the configurations of a managed node group. *** *Desired size* – Specify the current number of nodes that the managed node group should maintain. *** *Minimum size* – Specify the minimum number of nodes that the managed node group can scale in to. *** *Maximum size* – Specify the maximum number of nodes that the managed node group can scale out to. For the maximum number of nodes supported in a node group, see <>. -.. (Optional) Add or remove *[.noloc]`Kubernetes` labels* to the nodes in your node group. The labels shown here are only the labels that you have applied with Amazon EKS. Other labels may exist on your nodes that aren't shown here. -.. (Optional) Add or remove *[.noloc]`Kubernetes` taints* to the nodes in your node group. Added taints can have the effect of either `*NoSchedule*`, `*NoExecute*`, or `*PreferNoSchedule*`. For more information, see <>. +.. (Optional) Add or remove *Kubernetes labels* to the nodes in your node group. The labels shown here are only the labels that you have applied with Amazon EKS. Other labels may exist on your nodes that aren't shown here. +.. (Optional) Add or remove *Kubernetes taints* to the nodes in your node group. Added taints can have the effect of either `*NoSchedule*`, `*NoExecute*`, or `*PreferNoSchedule*`. For more information, see <>. .. (Optional) Add or remove *Tags* from your node group resource. These tags are only applied to the Amazon EKS node group. They don't propagate to other resources, such as subnets or Amazon EC2 instances in the node group. .. (Optional) Edit the *Node Group update configuration*. Select either *Number* or *Percentage*. + @@ -121,7 +121,7 @@ You can modify some of the configurations of a managed node group. *** *Percentage* – Select and specify the percentage of nodes in your node group that can be updated in parallel. These nodes will be unavailable during update. This is useful if you have many nodes in your node group. .. When you're finished editing, choose *Save changes*. -IMPORTANT: When updating the node group configuration, modifying the link:eks/latest/APIReference/API_NodegroupScalingConfig.html[`NodegroupScalingConfig`,type="documentation"] does not respect [.noloc]`Pod` disruption budgets (PDBs). +IMPORTANT: When updating the node group configuration, modifying the link:eks/latest/APIReference/API_NodegroupScalingConfig.html[`NodegroupScalingConfig`,type="documentation"] does not respect Pod disruption budgets (PDBs). Unlike the <> process (which drains nodes and respects PDBs during the upgrade phase), updating the scaling configuration causes nodes to be terminated immediately through an Auto Scaling Group (ASG) scale-down call. This happens without considering PDBs, regardless of the target size you're scaling down to. -That means when you reduce the `desiredSize` of an Amazon EKS managed node group, [.noloc]`Pods` are evicted as soon as the nodes are terminated, without honoring any PDBs. \ No newline at end of file +That means when you reduce the `desiredSize` of an Amazon EKS managed node group, Pods are evicted as soon as the nodes are terminated, without honoring any PDBs. \ No newline at end of file diff --git a/latest/ug/nodes/update-stack.adoc b/latest/ug/nodes/update-stack.adoc index 7b39d3b53..bcbb90d55 100644 --- a/latest/ug/nodes/update-stack.adoc +++ b/latest/ug/nodes/update-stack.adoc @@ -9,7 +9,7 @@ include::../attributes.txt[] This topic describes how you can update an existing {aws} CloudFormation self-managed node stack with a new AMI. -- -This topic describes how you can update an existing {aws} CloudFormation self-managed node stack with a new AMI. You can use this procedure to update your nodes to a new version of [.noloc]`Kubernetes` following a cluster update. Otherwise, you can update to the latest Amazon EKS optimized AMI for an existing [.noloc]`Kubernetes` version. +This topic describes how you can update an existing {aws} CloudFormation self-managed node stack with a new AMI. You can use this procedure to update your nodes to a new version of Kubernetes following a cluster update. Otherwise, you can update to the latest Amazon EKS optimized AMI for an existing Kubernetes version. [IMPORTANT] ==== @@ -33,7 +33,7 @@ This method isn't supported for node groups that were created with `eksctl`. If kubectl get deployments -l k8s-app=kube-dns -n kube-system ---- + -An example output is as follows. This cluster is using [.noloc]`CoreDNS` for DNS resolution, but your cluster might return `kube-dns` instead. Your output might look different depending on the version of `kubectl` that you're using. +An example output is as follows. This cluster is using CoreDNS for DNS resolution, but your cluster might return `kube-dns` instead. Your output might look different depending on the version of `kubectl` that you're using. + [source,bash,subs="verbatim,attributes"] ---- @@ -46,7 +46,7 @@ coredns 1 1 1 1 31m ---- kubectl scale deployments/coredns --replicas=2 -n kube-system ---- -. (Optional) If you're using the [.noloc]`Kubernetes` https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaler], scale the deployment down to zero (0) replicas to avoid conflicting scaling actions. +. (Optional) If you're using the Kubernetes https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaler], scale the deployment down to zero (0) replicas to avoid conflicting scaling actions. + [source,bash,subs="verbatim,attributes"] ---- @@ -70,25 +70,25 @@ https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2022-12-23/amazon-e + ** *NodeAutoScalingGroupDesiredCapacity* – Enter the desired instance count that you recorded in a <>. Or, enter your new desired number of nodes to scale to when your stack is updated. ** *NodeAutoScalingGroupMaxSize* – Enter the maximum number of nodes to which your node Auto Scaling group can scale out. This value must be at least one node more than your desired capacity. This is so that you can perform a rolling update of your nodes without reducing your node count during the update. -** *NodeInstanceType* – Choose the instance type your recorded in a <>. Alternatively, choose a different instance type for your nodes. Before choosing a different instance type, review <>. Each Amazon EC2 instance type supports a maximum number of elastic network interfaces (network interface) and each network interface supports a maximum number of IP addresses. Because each worker node and [.noloc]`Pod` ,is assigned its own IP address, it's important to choose an instance type that will support the maximum number of [.noloc]`Pods` that you want to run on each Amazon EC2 node. For a list of the number of network interfaces and IP addresses supported by instance types, see link:AWSEC2/latest/UserGuide/using-eni.html#AvailableIpPerENI[IP addresses per network interface per instance type,type="documentation"]. For example, the `m5.large` instance type supports a maximum of 30 IP addresses for the worker node and [.noloc]`Pods`. +** *NodeInstanceType* – Choose the instance type your recorded in a <>. Alternatively, choose a different instance type for your nodes. Before choosing a different instance type, review <>. Each Amazon EC2 instance type supports a maximum number of elastic network interfaces (network interface) and each network interface supports a maximum number of IP addresses. Because each worker node and Pod ,is assigned its own IP address, it's important to choose an instance type that will support the maximum number of Pods that you want to run on each Amazon EC2 node. For a list of the number of network interfaces and IP addresses supported by instance types, see link:AWSEC2/latest/UserGuide/using-eni.html#AvailableIpPerENI[IP addresses per network interface per instance type,type="documentation"]. For example, the `m5.large` instance type supports a maximum of 30 IP addresses for the worker node and Pods. + -NOTE: The supported instance types for the latest version of the https://github.com/aws/amazon-vpc-cni-k8s[Amazon VPC CNI plugin for Kubernetes] are shown in https://github.com/aws/amazon-vpc-cni-k8s/blob/master/pkg/vpc/vpc_ip_resource_limit.go[vpc_ip_resource_limit.go] on [.noloc]`GitHub`. You might need to update your [.noloc]`Amazon VPC CNI plugin for Kubernetes` version to use the latest supported instance types. For more information, see <>. +NOTE: The supported instance types for the latest version of the https://github.com/aws/amazon-vpc-cni-k8s[Amazon VPC CNI plugin for Kubernetes] are shown in https://github.com/aws/amazon-vpc-cni-k8s/blob/master/pkg/vpc/vpc_ip_resource_limit.go[vpc_ip_resource_limit.go] on GitHub. You might need to update your Amazon VPC CNI plugin for Kubernetes version to use the latest supported instance types. For more information, see <>. + IMPORTANT: Some instance types might not be available in all {aws} Regions. -** *NodeImageIdSSMParam* – The Amazon EC2 Systems Manager parameter of the AMI ID that you want to update to. The following value uses the latest Amazon EKS optimized AMI for [.noloc]`Kubernetes` version `{k8s-n}`. +** *NodeImageIdSSMParam* – The Amazon EC2 Systems Manager parameter of the AMI ID that you want to update to. The following value uses the latest Amazon EKS optimized AMI for Kubernetes version `{k8s-n}`. + [source,none,subs="verbatim,attributes"] ---- /aws/service/eks/optimized-ami/{k8s-n}/amazon-linux-2/recommended/image_id ---- + -You can replace [.replaceable]`{k8s-n}` with a <> that's the same. Or, it should be up to one version earlier than the [.noloc]`Kubernetes` version running on your control plane. We recommend that you keep your nodes at the same version as your control plane. You can also replace [.replaceable]`amazon-linux-2` with a different AMI type. For more information, see <>. +You can replace [.replaceable]`{k8s-n}` with a <> that's the same. Or, it should be up to one version earlier than the Kubernetes version running on your control plane. We recommend that you keep your nodes at the same version as your control plane. You can also replace [.replaceable]`amazon-linux-2` with a different AMI type. For more information, see <>. + -NOTE: Using the Amazon EC2 Systems Manager parameter enables you to update your nodes in the future without having to look up and specify an AMI ID. If your {aws} CloudFormation stack is using this value, any stack update always launches the latest recommended Amazon EKS optimized AMI for your specified [.noloc]`Kubernetes` version. This is even the case even if you don't change any values in the template. +NOTE: Using the Amazon EC2 Systems Manager parameter enables you to update your nodes in the future without having to look up and specify an AMI ID. If your {aws} CloudFormation stack is using this value, any stack update always launches the latest recommended Amazon EKS optimized AMI for your specified Kubernetes version. This is even the case even if you don't change any values in the template. ** *NodeImageId* – To use your own custom AMI, enter the ID for the AMI to use. + IMPORTANT: This value overrides any value specified for *NodeImageIdSSMParam*. If you want to use the *NodeImageIdSSMParam* value, ensure that the value for *NodeImageId* is blank. -** *DisableIMDSv1* – By default, each node supports the Instance Metadata Service Version 1 (IMDSv1) and IMDSv2. However, you can disable IMDSv1. Select *true* if you don't want any nodes or any [.noloc]`Pods` scheduled in the node group to use IMDSv1. For more information about IMDS, see link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html[Configuring the instance metadata service,type="documentation"]. If you've implemented IAM roles for service accounts, assign necessary permissions directly to all [.noloc]`Pods` that require access to {aws} services. This way, no [.noloc]`Pods` in your cluster require access to IMDS for other reasons, such as retrieving the current {aws} Region. Then, you can also disable access to IMDSv2 for [.noloc]`Pods` that don't use host networking. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. +** *DisableIMDSv1* – By default, each node supports the Instance Metadata Service Version 1 (IMDSv1) and IMDSv2. However, you can disable IMDSv1. Select *true* if you don't want any nodes or any Pods scheduled in the node group to use IMDSv1. For more information about IMDS, see link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html[Configuring the instance metadata service,type="documentation"]. If you've implemented IAM roles for service accounts, assign necessary permissions directly to all Pods that require access to {aws} services. This way, no Pods in your cluster require access to IMDS for other reasons, such as retrieving the current {aws} Region. Then, you can also disable access to IMDSv2 for Pods that don't use host networking. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. . (Optional) On the *Options* page, tag your stack resources. Choose *Next*. . On the *Review* page, review your information, acknowledge that the stack might create IAM resources, and then choose *Update stack*. + @@ -99,10 +99,10 @@ NOTE: The update of each node in the cluster takes several minutes. Wait for the ---- kubectl scale deployments/kube-dns --replicas=1 -n kube-system ---- -. (Optional) If you are using the [.noloc]`Kubernetes` https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaler], scale the deployment back to your desired amount of replicas. +. (Optional) If you are using the Kubernetes https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaler], scale the deployment back to your desired amount of replicas. + [source,bash,subs="verbatim,attributes"] ---- kubectl scale deployments/cluster-autoscaler --replicas=1 -n kube-system ---- -. (Optional) Verify that you're using the latest version of the https://github.com/aws/amazon-vpc-cni-k8s[Amazon VPC CNI plugin for Kubernetes]. You might need to update your [.noloc]`Amazon VPC CNI plugin for Kubernetes` version to use the latest supported instance types. For more information, see <>. \ No newline at end of file +. (Optional) Verify that you're using the latest version of the https://github.com/aws/amazon-vpc-cni-k8s[Amazon VPC CNI plugin for Kubernetes]. You might need to update your Amazon VPC CNI plugin for Kubernetes version to use the latest supported instance types. For more information, see <>. \ No newline at end of file diff --git a/latest/ug/nodes/update-workers.adoc b/latest/ug/nodes/update-workers.adoc index 4cf8b0c8e..231cb2e7e 100644 --- a/latest/ug/nodes/update-workers.adoc +++ b/latest/ug/nodes/update-workers.adoc @@ -10,7 +10,7 @@ include::../attributes.txt[] When a new Amazon EKS optimized AMI is released, consider replacing the nodes in your self-managed node group with the new AMI. -- -When a new Amazon EKS optimized AMI is released, consider replacing the nodes in your self-managed node group with the new AMI. Likewise, if you have updated the [.noloc]`Kubernetes` version for your Amazon EKS cluster, update the nodes to use nodes with the same [.noloc]`Kubernetes` version. +When a new Amazon EKS optimized AMI is released, consider replacing the nodes in your self-managed node group with the new AMI. Likewise, if you have updated the Kubernetes version for your Amazon EKS cluster, update the nodes to use nodes with the same Kubernetes version. [IMPORTANT] ==== @@ -22,7 +22,7 @@ This topic covers node updates for self-managed nodes. If you are using <>*:: -Create a new node group and migrate your [.noloc]`Pods` to that group. Migrating to a new node group is more graceful than simply updating the AMI ID in an existing {aws} CloudFormation stack. This is because the migration process https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/[taints] the old node group as `NoSchedule` and drains the nodes after a new stack is ready to accept the existing [.noloc]`Pod` workload. +Create a new node group and migrate your Pods to that group. Migrating to a new node group is more graceful than simply updating the AMI ID in an existing {aws} CloudFormation stack. This is because the migration process https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/[taints] the old node group as `NoSchedule` and drains the nodes after a new stack is ready to accept the existing Pod workload. *<>*:: Update the {aws} CloudFormation stack for an existing node group to use the new AMI. This method isn't supported for node groups that were created with `eksctl`. diff --git a/latest/ug/nodes/worker.adoc b/latest/ug/nodes/worker.adoc index 0ce278c28..1b1a03c86 100644 --- a/latest/ug/nodes/worker.adoc +++ b/latest/ug/nodes/worker.adoc @@ -18,10 +18,10 @@ include::update-workers.adoc[leveloffset=+1] [abstract] -- -A cluster contains one or more Amazon EC2 nodes that [.noloc]`Pods` are scheduled on. +A cluster contains one or more Amazon EC2 nodes that Pods are scheduled on. -- -A cluster contains one or more Amazon EC2 nodes that [.noloc]`Pods` are scheduled on. Amazon EKS nodes run in your {aws} account and connect to the control plane of your cluster through the cluster API server endpoint. You're billed for them based on Amazon EC2 prices. For more information, see link:ec2/pricing/[Amazon EC2 pricing,type="marketing"]. +A cluster contains one or more Amazon EC2 nodes that Pods are scheduled on. Amazon EKS nodes run in your {aws} account and connect to the control plane of your cluster through the cluster API server endpoint. You're billed for them based on Amazon EC2 prices. For more information, see link:ec2/pricing/[Amazon EC2 pricing,type="marketing"]. A cluster can contain several node groups. Each node group contains one or more nodes that are deployed in an link:autoscaling/ec2/userguide/AutoScalingGroup.html[Amazon EC2 Auto Scaling group,type="documentation"]. The instance type of the nodes within the group can vary, such as when using link:AWSEC2/latest/UserGuide/ec2-fleet-attribute-based-instance-type-selection.html[attribute-based instance type selection,type="documentation"] with https://karpenter.sh/[Karpenter]. All instances in a node group must use the <>. diff --git a/latest/ug/observability/control-plane-logs.adoc b/latest/ug/observability/control-plane-logs.adoc index b2c098e48..755a829ae 100644 --- a/latest/ug/observability/control-plane-logs.adoc +++ b/latest/ug/observability/control-plane-logs.adoc @@ -17,28 +17,28 @@ You can start using Amazon EKS control plane logging by choosing which log types When you use Amazon EKS control plane logging, you're charged standard Amazon EKS pricing for each cluster that you run. You are charged the standard CloudWatch Logs data ingestion and storage costs for any logs sent to CloudWatch Logs from your clusters. You are also charged for any {aws} resources, such as Amazon EC2 instances or Amazon EBS volumes, that you provision as part of your cluster. -The following cluster control plane log types are available. Each log type corresponds to a component of the [.noloc]`Kubernetes` control plane. To learn more about these components, see https://kubernetes.io/docs/concepts/overview/components/[Kubernetes Components] in the [.noloc]`Kubernetes` documentation. +The following cluster control plane log types are available. Each log type corresponds to a component of the Kubernetes control plane. To learn more about these components, see https://kubernetes.io/docs/concepts/overview/components/[Kubernetes Components] in the Kubernetes documentation. *API server (`api`)*:: -Your cluster's API server is the control plane component that exposes the [.noloc]`Kubernetes` API. If you enable API server logs when you launch the cluster, or shortly thereafter, the logs include API server flags that were used to start the API server. For more information, see https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/[kube-apiserver] and the https://github.com/kubernetes/kubernetes/blob/master/cluster/gce/gci/configure-helper.sh#L1129-L1255[audit policy] in the [.noloc]`Kubernetes` documentation. +Your cluster's API server is the control plane component that exposes the Kubernetes API. If you enable API server logs when you launch the cluster, or shortly thereafter, the logs include API server flags that were used to start the API server. For more information, see https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/[kube-apiserver] and the https://github.com/kubernetes/kubernetes/blob/master/cluster/gce/gci/configure-helper.sh#L1129-L1255[audit policy] in the Kubernetes documentation. *Audit (`audit`)*:: -[.noloc]`Kubernetes` audit logs provide a record of the individual users, administrators, or system components that have affected your cluster. For more information, see https://kubernetes.io/docs/tasks/debug-application-cluster/audit/[Auditing] in the [.noloc]`Kubernetes` documentation. +Kubernetes audit logs provide a record of the individual users, administrators, or system components that have affected your cluster. For more information, see https://kubernetes.io/docs/tasks/debug-application-cluster/audit/[Auditing] in the Kubernetes documentation. *Authenticator (`authenticator`)*:: -Authenticator logs are unique to Amazon EKS. These logs represent the control plane component that Amazon EKS uses for [.noloc]`Kubernetes` https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Role Based Access Control] (RBAC) authentication using IAM credentials. For more information, see <>. +Authenticator logs are unique to Amazon EKS. These logs represent the control plane component that Amazon EKS uses for Kubernetes https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Role Based Access Control] (RBAC) authentication using IAM credentials. For more information, see <>. *Controller manager (`controllerManager`)*:: -The controller manager manages the core control loops that are shipped with [.noloc]`Kubernetes`. For more information, see https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/[kube-controller-manager] in the [.noloc]`Kubernetes` documentation. +The controller manager manages the core control loops that are shipped with Kubernetes. For more information, see https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/[kube-controller-manager] in the Kubernetes documentation. *Scheduler (`scheduler`)*:: -The scheduler component manages when and where to run [.noloc]`Pods` in your cluster. For more information, see https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/[kube-scheduler] in the [.noloc]`Kubernetes` documentation. +The scheduler component manages when and where to run Pods in your cluster. For more information, see https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/[kube-scheduler] in the Kubernetes documentation. [#enabling-control-plane-log-export] @@ -145,7 +145,7 @@ To learn more about viewing, analyzing, and managing logs in CloudWatch, see the + NOTE: As log stream data grows, the log stream names are rotated. When multiple log streams exist for a particular log type, you can view the latest log stream by looking for the log stream name with the latest *Last event time*. + -** *[.noloc]`Kubernetes` API server component logs (`api`)* – `kube-apiserver-[.replaceable]``1234567890abcdef01234567890abcde``` +** *Kubernetes API server component logs (`api`)* – `kube-apiserver-[.replaceable]``1234567890abcdef01234567890abcde``` ** *Audit (`audit`)* – `kube-apiserver-audit-[.replaceable]``1234567890abcdef01234567890abcde``` ** *Authenticator (`authenticator`)* – `authenticator-[.replaceable]``1234567890abcdef01234567890abcde``` ** *Controller manager (`controllerManager`)* – `kube-controller-manager-[.replaceable]``1234567890abcdef01234567890abcde``` @@ -156,4 +156,4 @@ For example, you should see the initial API server flags for the cluster when vi + NOTE: If you don't see the API server logs at the beginning of the log stream, then it is likely that the API server log file was rotated on the server before you enabled API server logging on the server. Any log files that are rotated before API server logging is enabled can't be exported to CloudWatch. -However, you can create a new cluster with the same [.noloc]`Kubernetes` version and enable the API server logging when you create the cluster. Clusters with the same platform version have the same flags enabled, so your flags should match the new cluster's flags. When you finish viewing the flags for the new cluster in CloudWatch, you can delete the new cluster. \ No newline at end of file +However, you can create a new cluster with the same Kubernetes version and enable the API server logging when you create the cluster. Clusters with the same platform version have the same flags enabled, so your flags should match the new cluster's flags. When you finish viewing the flags for the new cluster in CloudWatch, you can delete the new cluster. \ No newline at end of file diff --git a/latest/ug/observability/deploy-prometheus.adoc b/latest/ug/observability/deploy-prometheus.adoc index 2f0c6f149..48fb31cf9 100644 --- a/latest/ug/observability/deploy-prometheus.adoc +++ b/latest/ug/observability/deploy-prometheus.adoc @@ -1,20 +1,20 @@ [.topic] [#deploy-prometheus] -= Deploy [.noloc]`Prometheus` using [.noloc]`Helm` += Deploy Prometheus using Helm :info_titleabbrev: Deploy using Helm include::../attributes.txt[] [abstract] -- -As an alternative to using Amazon Managed Service for Prometheus, you can deploy [.noloc]`Prometheus` into your cluster with [.noloc]`Helm` V3. +As an alternative to using Amazon Managed Service for Prometheus, you can deploy Prometheus into your cluster with Helm V3. -- -As an alternative to using Amazon Managed Service for Prometheus, you can deploy [.noloc]`Prometheus` into your cluster with [.noloc]`Helm` V3. If you already have [.noloc]`Helm` installed, you can check your version with the `helm version` command. [.noloc]`Helm` is a package manager for [.noloc]`Kubernetes` clusters. For more information about [.noloc]`Helm` and how to install it, see <>. +As an alternative to using Amazon Managed Service for Prometheus, you can deploy Prometheus into your cluster with Helm V3. If you already have Helm installed, you can check your version with the `helm version` command. Helm is a package manager for Kubernetes clusters. For more information about Helm and how to install it, see <>. -After you configure [.noloc]`Helm` for your Amazon EKS cluster, you can use it to deploy [.noloc]`Prometheus` with the following steps. +After you configure Helm for your Amazon EKS cluster, you can use it to deploy Prometheus with the following steps. -. Create a [.noloc]`Prometheus` namespace. +. Create a Prometheus namespace. + [source,bash,subs="verbatim,attributes"] ---- @@ -26,7 +26,7 @@ kubectl create namespace prometheus ---- helm repo add prometheus-community https://prometheus-community.github.io/helm-charts ---- -. Deploy [.noloc]`Prometheus`. +. Deploy Prometheus. + [source,bash,subs="verbatim,attributes"] ---- @@ -40,7 +40,7 @@ NOTE: If you get the error `Error: failed to download "stable/prometheus" (hint: + If you get the error `Error: rendered manifests contain a resource that already exists`, run `helm uninstall [.replaceable]``your-release-name`` -n [.replaceable]``namespace```, then try running the Step 3 command again. + -. Verify that all of the [.noloc]`Pods` in the `prometheus` namespace are in the `READY` state. +. Verify that all of the Pods in the `prometheus` namespace are in the `READY` state. + [source,bash,subs="verbatim,attributes"] ---- @@ -60,13 +60,13 @@ prometheus-node-exporter-vbdks 1/1 Running 0 48 prometheus-pushgateway-76c444b68c-82tnw 1/1 Running 0 48s prometheus-server-775957f748-mmht9 1/2 Running 0 48s ---- -. Use `kubectl` to port forward the [.noloc]`Prometheus` console to your local machine. +. Use `kubectl` to port forward the Prometheus console to your local machine. + [source,bash,subs="verbatim,attributes"] ---- kubectl --namespace=prometheus port-forward deploy/prometheus-server 9090 ---- -. Point a web browser to `http://localhost:9090` to view the [.noloc]`Prometheus` console. +. Point a web browser to `http://localhost:9090` to view the Prometheus console. . Choose a metric from the *- insert metric at cursor* menu, then choose *Execute*. Choose the *Graph* tab to show the metric over time. The following image shows `container_memory_usage_bytes` over time. + image::images/prometheus-metric.png[Prometheus metrics,scaledwidth=100%] @@ -74,4 +74,4 @@ image::images/prometheus-metric.png[Prometheus metrics,scaledwidth=100%] + image::images/prometheus.png[Prometheus console,scaledwidth=100%] + -All of the [.noloc]`Kubernetes` endpoints that are connected to [.noloc]`Prometheus` using service discovery are displayed. \ No newline at end of file +All of the Kubernetes endpoints that are connected to Prometheus using service discovery are displayed. \ No newline at end of file diff --git a/latest/ug/observability/eks-observe.adoc b/latest/ug/observability/eks-observe.adoc index 4605e1639..cdae45d75 100644 --- a/latest/ug/observability/eks-observe.adoc +++ b/latest/ug/observability/eks-observe.adoc @@ -20,7 +20,7 @@ You can observe your data in Amazon EKS using many available monitoring or loggi You can observe your data in Amazon EKS using many available monitoring or logging tools. Your Amazon EKS log data can be streamed to {aws} services or to partner tools for data analysis. There are many services available in the {aws-management-console} that provide data for troubleshooting your Amazon EKS issues. You can also use an {aws}-supported open-source solution for link:grafana/latest/userguide/solution-eks.html[monitoring Amazon EKS infrastructure,type="documentation"]. -After selecting *Clusters* in the left navigation pane of the Amazon EKS console, you can view cluster health and details by choosing your cluster's name and choosing the *Observability* tab. To view details about any existing [.noloc]`Kubernetes` resources that are deployed to your cluster, see <>. +After selecting *Clusters* in the left navigation pane of the Amazon EKS console, you can view cluster health and details by choosing your cluster's name and choosing the *Observability* tab. To view details about any existing Kubernetes resources that are deployed to your cluster, see <>. Monitoring is an important part of maintaining the reliability, availability, and performance of Amazon EKS and your {aws} solutions. We recommend that you collect monitoring data from all of the parts of your {aws} solution. That way, you can more easily debug a multi-point failure if one occurs. Before you start monitoring Amazon EKS, make sure that your monitoring plan addresses the following questions. @@ -58,9 +58,9 @@ For low-level, customizable logging, then https://kubernetes.io/docs/concepts/cl Amazon EKS is integrated with {aws} CloudTrail, a service that provides a record of actions taken by a user, role, or an {aws} service in Amazon EKS. CloudTrail captures all API calls for Amazon EKS as events. The calls captured include calls from the Amazon EKS console and code calls to the Amazon EKS API operations. For more information, see <>. -The [.noloc]`Kubernetes` API server exposes a number of metrics that are useful for monitoring and analysis. For more information, see <>. +The Kubernetes API server exposes a number of metrics that are useful for monitoring and analysis. For more information, see <>. -To configure [.noloc]`Fluent Bit` for custom Amazon CloudWatch logs, see link:AmazonCloudWatch/latest/monitoring/Container-Insights-setup-logs-FluentBit.html#Container-Insights-FluentBit-setup[Setting up Fluent Bit,type="documentation"] in the _Amazon CloudWatch User Guide_. +To configure Fluent Bit for custom Amazon CloudWatch logs, see link:AmazonCloudWatch/latest/monitoring/Container-Insights-setup-logs-FluentBit.html#Container-Insights-FluentBit-setup[Setting up Fluent Bit,type="documentation"] in the _Amazon CloudWatch User Guide_. [#eks-monitor-tools] == Amazon EKS monitoring and logging tools @@ -84,7 +84,7 @@ The following table describes various monitoring tool options. |Applications / control plane |link:prometheus/latest/userguide/what-is-Amazon-Managed-Service-Prometheus.html[Prometheus,type="documentation"] -|[.noloc]`Prometheus` can be used to monitor metrics and alerts for applications and the control plane. +|Prometheus can be used to monitor metrics and alerts for applications and the control plane. |<> |Applications @@ -104,7 +104,7 @@ The following table describes various monitoring tool options. |Applications |link:xray/latest/devguide/aws-xray.html[{aws} X-Ray,type="documentation"] -|{aws} X-Ray receives trace data about your application. This trace data includes ingoing and outgoing requests and metadata about the requests. For Amazon EKS, the implementation requires the [.noloc]`OpenTelemetry` add-on. +|{aws} X-Ray receives trace data about your application. This trace data includes ingoing and outgoing requests and metadata about the requests. For Amazon EKS, the implementation requires the OpenTelemetry add-on. |link:xray/latest/devguide/xray-instrumenting-your-app.html[Setup procedure,type="documentation"] |Applications diff --git a/latest/ug/observability/observability-dashboard.adoc b/latest/ug/observability/observability-dashboard.adoc index 7e9f23ce6..ba7683066 100644 --- a/latest/ug/observability/observability-dashboard.adoc +++ b/latest/ug/observability/observability-dashboard.adoc @@ -35,11 +35,11 @@ The *Control plane monitoring* tab is divided into three sections, each of which [#observability-metrics] === Metrics -For clusters that are [.noloc]`Kubernetes` version `1.28` and above, the *Metrics* section shows graphs of several metrics gathered for various control plane components. +For clusters that are Kubernetes version `1.28` and above, the *Metrics* section shows graphs of several metrics gathered for various control plane components. You can set the time period used by the X-axis of every graph by making selections at the top of the section. You can refresh data with the refresh button ( ↻ ). For each separate graph, the vertical ellipses button ( ⋮ ) opens a menu with options from CloudWatch. -These metrics and more are automatically available as basic monitoring metrics in CloudWatch under the `AWS/EKS` namespace. For more information, see link:AmazonCloudWatch/latest/monitoring/cloudwatch-metrics-basic-detailed.html[Basic monitoring and detailed monitoring,type="documentation"] in the _Amazon CloudWatch User Guide_. To get more detailed metrics, visualization, and insights, see link:AmazonCloudWatch/latest/monitoring/ContainerInsights.html[Container Insights,type="documentation"] in the _Amazon CloudWatch User Guide_. Or if you prefer [.noloc]`Prometheus` based monitoring, see <>. +These metrics and more are automatically available as basic monitoring metrics in CloudWatch under the `AWS/EKS` namespace. For more information, see link:AmazonCloudWatch/latest/monitoring/cloudwatch-metrics-basic-detailed.html[Basic monitoring and detailed monitoring,type="documentation"] in the _Amazon CloudWatch User Guide_. To get more detailed metrics, visualization, and insights, see link:AmazonCloudWatch/latest/monitoring/ContainerInsights.html[Container Insights,type="documentation"] in the _Amazon CloudWatch User Guide_. Or if you prefer Prometheus based monitoring, see <>. The following table describes available metrics. diff --git a/latest/ug/observability/opentelemetry.adoc b/latest/ug/observability/opentelemetry.adoc index ac678f3ae..f869f68c0 100644 --- a/latest/ug/observability/opentelemetry.adoc +++ b/latest/ug/observability/opentelemetry.adoc @@ -13,4 +13,4 @@ The {aws} Distro for OpenTelemetry (ADOT) Operator makes it easier to enable you Amazon EKS supports using the {aws-management-console}, {aws} CLI and Amazon EKS API to install and manage the https://aws-otel.github.io/[{aws} Distro for OpenTelemetry (ADOT)] Operator. This makes it easier to enable your applications running on Amazon EKS to send metric and trace data to multiple monitoring service options like link:cloudwatch[Amazon CloudWatch,type="console"], link:prometheus[Prometheus,type="console"], and link:xray[X-Ray,type="console"]. -For more information, see https://aws-otel.github.io/docs/getting-started/adot-eks-add-on[Getting Started with {aws} Distro for OpenTelemetry using EKS Add-Ons] in the {aws} Distro for [.noloc]`OpenTelemetry` documentation. \ No newline at end of file +For more information, see https://aws-otel.github.io/docs/getting-started/adot-eks-add-on[Getting Started with {aws} Distro for OpenTelemetry using EKS Add-Ons] in the {aws} Distro for OpenTelemetry documentation. \ No newline at end of file diff --git a/latest/ug/observability/prometheus.adoc b/latest/ug/observability/prometheus.adoc index 186310952..215577315 100644 --- a/latest/ug/observability/prometheus.adoc +++ b/latest/ug/observability/prometheus.adoc @@ -1,6 +1,6 @@ [.topic] [#prometheus] -= Monitor your cluster metrics with [.noloc]`Prometheus` += Monitor your cluster metrics with Prometheus :info_titleabbrev: Prometheus metrics :keywords: Prometheus, metrics, control plane @@ -8,34 +8,34 @@ include::../attributes.txt[] [abstract] -- -This topic explains how to deploy [.noloc]`Prometheus` and some of the ways that you can use it to view and analyze what your cluster is doing. +This topic explains how to deploy Prometheus and some of the ways that you can use it to view and analyze what your cluster is doing. -- -https://prometheus.io/[Prometheus] is a monitoring and time series database that scrapes endpoints. It provides the ability to query, aggregate, and store collected data. You can also use it for alerting and alert aggregation. This topic explains how to set up [.noloc]`Prometheus` as either a managed or open source option. Monitoring Amazon EKS control plane metrics is a common use case. +https://prometheus.io/[Prometheus] is a monitoring and time series database that scrapes endpoints. It provides the ability to query, aggregate, and store collected data. You can also use it for alerting and alert aggregation. This topic explains how to set up Prometheus as either a managed or open source option. Monitoring Amazon EKS control plane metrics is a common use case. -Amazon Managed Service for Prometheus is a [.noloc]`Prometheus`-compatible monitoring and alerting service that makes it easy to monitor containerized applications and infrastructure at scale. It is a fully-managed service that automatically scales the ingestion, storage, querying, and alerting of your metrics. It also integrates with {aws} security services to enable fast and secure access to your data. You can use the open-source PromQL query language to query your metrics and alert on them. Also, you can use alert manager in Amazon Managed Service for Prometheus to set up alerting rules for critical alerts. You can then send these critical alerts as notifications to an Amazon SNS topic. +Amazon Managed Service for Prometheus is a Prometheus-compatible monitoring and alerting service that makes it easy to monitor containerized applications and infrastructure at scale. It is a fully-managed service that automatically scales the ingestion, storage, querying, and alerting of your metrics. It also integrates with {aws} security services to enable fast and secure access to your data. You can use the open-source PromQL query language to query your metrics and alert on them. Also, you can use alert manager in Amazon Managed Service for Prometheus to set up alerting rules for critical alerts. You can then send these critical alerts as notifications to an Amazon SNS topic. -There are several different options for using [.noloc]`Prometheus` with Amazon EKS: +There are several different options for using Prometheus with Amazon EKS: -* You can turn on [.noloc]`Prometheus` metrics when first creating an Amazon EKS cluster or you can create your own [.noloc]`Prometheus` scraper for existing clusters. Both of these options are covered by this topic. -* You can deploy [.noloc]`Prometheus` using [.noloc]`Helm`. For more information, see <>. -* You can view control plane raw metrics in [.noloc]`Prometheus` format. For more information, see <>. +* You can turn on Prometheus metrics when first creating an Amazon EKS cluster or you can create your own Prometheus scraper for existing clusters. Both of these options are covered by this topic. +* You can deploy Prometheus using Helm. For more information, see <>. +* You can view control plane raw metrics in Prometheus format. For more information, see <>. [#turn-on-prometheus-metrics] -== Step 1: Turn on [.noloc]`Prometheus` metrics +== Step 1: Turn on Prometheus metrics [IMPORTANT] ==== -Amazon Managed Service for [.noloc]`Prometheus` resources are outside of the cluster lifecycle and need to be maintained independent of the cluster. When you delete your cluster, make sure to also delete any applicable scrapers to stop applicable costs. For more information, see link:prometheus/latest/userguide/AMP-collector-how-to.html#AMP-collector-list-delete[Find and delete scrapers,type="documentation"] in the _Amazon Managed Service for Prometheus User Guide_. +Amazon Managed Service for Prometheus resources are outside of the cluster lifecycle and need to be maintained independent of the cluster. When you delete your cluster, make sure to also delete any applicable scrapers to stop applicable costs. For more information, see link:prometheus/latest/userguide/AMP-collector-how-to.html#AMP-collector-list-delete[Find and delete scrapers,type="documentation"] in the _Amazon Managed Service for Prometheus User Guide_. ==== -[.noloc]`Prometheus` discovers and collects metrics from your cluster through a pull-based model called scraping. Scrapers are set up to gather data from your cluster infrastructure and containerized applications. When you turn on the option to send [.noloc]`Prometheus` metrics, Amazon Managed Service for [.noloc]`Prometheus` provides a fully managed agentless scraper. +Prometheus discovers and collects metrics from your cluster through a pull-based model called scraping. Scrapers are set up to gather data from your cluster infrastructure and containerized applications. When you turn on the option to send Prometheus metrics, Amazon Managed Service for Prometheus provides a fully managed agentless scraper. -If you haven't created the cluster yet, you can turn on the option to send metrics to [.noloc]`Prometheus` when first creating the cluster. In the Amazon EKS console, this option is in the *Configure observability* step of creating a new cluster. For more information, see <>. +If you haven't created the cluster yet, you can turn on the option to send metrics to Prometheus when first creating the cluster. In the Amazon EKS console, this option is in the *Configure observability* step of creating a new cluster. For more information, see <>. -If you already have an existing cluster, you can create your own [.noloc]`Prometheus` scraper. To do this in the Amazon EKS console, navigate to your cluster's *Observability* tab and choose the *Add scraper* button. If you would rather do so with the {aws} API or {aws} CLI, see link:prometheus/latest/userguide/AMP-collector-how-to.html#AMP-collector-create[Create a scraper,type="documentation"] in the _Amazon Managed Service for [.noloc]`Prometheus` User Guide_. +If you already have an existing cluster, you can create your own Prometheus scraper. To do this in the Amazon EKS console, navigate to your cluster's *Observability* tab and choose the *Add scraper* button. If you would rather do so with the {aws} API or {aws} CLI, see link:prometheus/latest/userguide/AMP-collector-how-to.html#AMP-collector-create[Create a scraper,type="documentation"] in the _Amazon Managed Service for Prometheus User Guide_. The following options are available when creating the scraper with the Amazon EKS console. @@ -43,16 +43,16 @@ The following options are available when creating the scraper with the Amazon EK (Optional) Enter a unique alias for the scraper. *Destination*:: -Choose an Amazon Managed Service for [.noloc]`Prometheus` workspace. A workspace is a logical space dedicated to the storage and querying of [.noloc]`Prometheus` metrics. With this workspace, you will be able to view [.noloc]`Prometheus` metrics across the accounts that have access to it. The *Create new workspace* option tells Amazon EKS to create a workspace on your behalf using the *Workspace alias* you provide. With the *Select existing workspace* option, you can select an existing workspace from a dropdown list. For more information about workspaces, see link:prometheus/latest/userguide/AMP-manage-ingest-query.html[Managing workspaces,type="documentation"] in the _Amazon Managed Service for Prometheus User Guide_. +Choose an Amazon Managed Service for Prometheus workspace. A workspace is a logical space dedicated to the storage and querying of Prometheus metrics. With this workspace, you will be able to view Prometheus metrics across the accounts that have access to it. The *Create new workspace* option tells Amazon EKS to create a workspace on your behalf using the *Workspace alias* you provide. With the *Select existing workspace* option, you can select an existing workspace from a dropdown list. For more information about workspaces, see link:prometheus/latest/userguide/AMP-manage-ingest-query.html[Managing workspaces,type="documentation"] in the _Amazon Managed Service for Prometheus User Guide_. *Service access*:: -This section summarizes the permissions you grant when sending [.noloc]`Prometheus` metrics: +This section summarizes the permissions you grant when sending Prometheus metrics: + ** Allow Amazon Managed Service for Prometheus to describe the scraped Amazon EKS cluster -** Allow remote writing to the Amazon Managed [.noloc]`Prometheus` workspace +** Allow remote writing to the Amazon Managed Prometheus workspace + -If the `AmazonManagedScraperRole` already exists, the scraper uses it. Choose the `AmazonManagedScraperRole` link to see the *Permission details*. If the `AmazonManagedScraperRole` doesn't exist already, choose the *View permission details* link to see the specific permissions you are granting by sending [.noloc]`Prometheus` metrics. +If the `AmazonManagedScraperRole` already exists, the scraper uses it. Choose the `AmazonManagedScraperRole` link to see the *Permission details*. If the `AmazonManagedScraperRole` doesn't exist already, choose the *View permission details* link to see the specific permissions you are granting by sending Prometheus metrics. *Subnets*:: Modify the subnets that the scraper will inherit as needed. If you need to add a grayed out subnet option, go back to the create cluster *Specify networking* step. @@ -65,23 +65,23 @@ Amazon Managed Service for Prometheus refers to the agentless scraper that is cr [IMPORTANT] ==== -* If you create a [.noloc]`Prometheus` scraper using the {aws} CLI or {aws} API, you need to adjust its configuration to give the scraper in-cluster permissions. For more information, see link:prometheus/latest/userguide/AMP-collector-how-to.html#AMP-collector-eks-setup[Configuring your Amazon EKS cluster,type="documentation"] in the _Amazon Managed Service for Prometheus User Guide_. +* If you create a Prometheus scraper using the {aws} CLI or {aws} API, you need to adjust its configuration to give the scraper in-cluster permissions. For more information, see link:prometheus/latest/userguide/AMP-collector-how-to.html#AMP-collector-eks-setup[Configuring your Amazon EKS cluster,type="documentation"] in the _Amazon Managed Service for Prometheus User Guide_. -* If you have a [.noloc]`Prometheus` scraper created before November 11, 2024 that uses the `aws-auth` `ConfigMap` instead of access entries, you need to update it to access additional metrics from the Amazon EKS cluster control plane. For the updated configuration, see link:prometheus/latest/userguide/AMP-collector-how-to.html#AMP-collector-eks-manual-setup[Manually configuring Amazon EKS for scraper access,type="documentation"] in the _Amazon Managed Service for Prometheus User Guide_. +* If you have a Prometheus scraper created before November 11, 2024 that uses the `aws-auth` `ConfigMap` instead of access entries, you need to update it to access additional metrics from the Amazon EKS cluster control plane. For the updated configuration, see link:prometheus/latest/userguide/AMP-collector-how-to.html#AMP-collector-eks-manual-setup[Manually configuring Amazon EKS for scraper access,type="documentation"] in the _Amazon Managed Service for Prometheus User Guide_. ==== [#use-prometheus-metrics] -== Step 2: Use the [.noloc]`Prometheus` metrics +== Step 2: Use the Prometheus metrics -For more information about how to use the [.noloc]`Prometheus` metrics after you turn them on for your cluster, see the link:prometheus/latest/userguide/what-is-Amazon-Managed-Service-Prometheus.html[Amazon Managed Service for Prometheus User Guide,type="documentation"]. +For more information about how to use the Prometheus metrics after you turn them on for your cluster, see the link:prometheus/latest/userguide/what-is-Amazon-Managed-Service-Prometheus.html[Amazon Managed Service for Prometheus User Guide,type="documentation"]. [#viewing-prometheus-scraper-details] -== Step 3: Manage [.noloc]`Prometheus` scrapers +== Step 3: Manage Prometheus scrapers To manage scrapers, choose the *Observability* tab in the Amazon EKS console. A table shows a list of scrapers for the cluster, including information such as the scraper ID, alias, status, and creation date. You can add more scrapers, delete scrapers, or view more information about the current scrapers. -To see more details about a scraper, choose the scraper ID link. For example, you can view the ARN, environment, workspace ID, IAM role, configuration, and networking information. You can use the scraper ID as input to Amazon Managed Service for Prometheus API operations like `DescribeScraper` and `DeleteScraper`. For more information on using the [.noloc]`Prometheus` API, see the link:prometheus/latest/userguide/AMP-APIReference.html[Amazon Managed Service for Prometheus API Reference,type="documentation"]. +To see more details about a scraper, choose the scraper ID link. For example, you can view the ARN, environment, workspace ID, IAM role, configuration, and networking information. You can use the scraper ID as input to Amazon Managed Service for Prometheus API operations like `DescribeScraper` and `DeleteScraper`. For more information on using the Prometheus API, see the link:prometheus/latest/userguide/AMP-APIReference.html[Amazon Managed Service for Prometheus API Reference,type="documentation"]. include::deploy-prometheus.adoc[leveloffset=+1] diff --git a/latest/ug/observability/view-raw-metrics.adoc b/latest/ug/observability/view-raw-metrics.adoc index 4aeb48020..f3c4d4e91 100644 --- a/latest/ug/observability/view-raw-metrics.adoc +++ b/latest/ug/observability/view-raw-metrics.adoc @@ -1,6 +1,6 @@ [.topic] [#view-raw-metrics] -= Fetch control plane raw metrics in [.noloc]`Prometheus` format += Fetch control plane raw metrics in Prometheus format :info_titleabbrev: Control plane include::../attributes.txt[] @@ -9,10 +9,10 @@ include::../attributes.txt[] [abstract] -- -The [.noloc]`Kubernetes` control plane exposes a number of metrics that are represented in a [.noloc]`Prometheus` format. +The Kubernetes control plane exposes a number of metrics that are represented in a Prometheus format. -- -The [.noloc]`Kubernetes` control plane exposes a number of metrics that are represented in a https://github.com/prometheus/docs/blob/master/content/docs/instrumenting/exposition_formats.md[Prometheus format]. These metrics are useful for monitoring and analysis. They are exposed internally through metrics endpoints, and can be accessed without fully deploying [.noloc]`Prometheus`. However, deploying [.noloc]`Prometheus` more easily allows analyzing metrics over time. +The Kubernetes control plane exposes a number of metrics that are represented in a https://github.com/prometheus/docs/blob/master/content/docs/instrumenting/exposition_formats.md[Prometheus format]. These metrics are useful for monitoring and analysis. They are exposed internally through metrics endpoints, and can be accessed without fully deploying Prometheus. However, deploying Prometheus more easily allows analyzing metrics over time. To view the raw metrics output, replace `endpoint` and run the following command. [source,bash,subs="verbatim,attributes"] @@ -64,7 +64,7 @@ This raw output returns verbatim what the API server exposes. [#fetch-metrics-prometheus] == Fetch control plane metrics with `metrics.eks.amazonaws.com` -For clusters that are [.noloc]`Kubernetes` version `1.28` and above, Amazon EKS also exposes metrics under the API group `metrics.eks.amazonaws.com`. These metrics include control plane components such as `kube-scheduler` and `kube-controller-manager`. +For clusters that are Kubernetes version `1.28` and above, Amazon EKS also exposes metrics under the API group `metrics.eks.amazonaws.com`. These metrics include control plane components such as `kube-scheduler` and `kube-controller-manager`. [NOTE] ==== @@ -136,7 +136,7 @@ workqueue_work_duration_seconds_sum{name="replicaset"} 4.265655885000002 [#scheduler-controller-metrics] === Understand the scheduler and controller manager metrics -The following table describes the scheduler and controller manager metrics that are made available for [.noloc]`Prometheus` style scraping. For more information about these metrics, see https://kubernetes.io/docs/reference/instrumentation/metrics/[Kubernetes Metrics Reference] in the [.noloc]`Kubernetes` documentation. +The following table describes the scheduler and controller manager metrics that are made available for Prometheus style scraping. For more information about these metrics, see https://kubernetes.io/docs/reference/instrumentation/metrics/[Kubernetes Metrics Reference] in the Kubernetes documentation. [cols="1,1,1", options="header"] |=== @@ -327,7 +327,7 @@ kubectl patch clusterrole --type=json -p='[ ]' ---- -Then you can view the [.noloc]`Prometheus` dashboard by proxying the port of the [.noloc]`Prometheus` scraper to your local port. +Then you can view the Prometheus dashboard by proxying the port of the Prometheus scraper to your local port. [source,bash,subs="verbatim,attributes"] ---- kubectl port-forward pods/prom-pod 9090:9090 diff --git a/latest/ug/outposts/eks-outposts-capacity-considerations.adoc b/latest/ug/outposts/eks-outposts-capacity-considerations.adoc index 71bb9b3cf..1bdeb0576 100644 --- a/latest/ug/outposts/eks-outposts-capacity-considerations.adoc +++ b/latest/ug/outposts/eks-outposts-capacity-considerations.adoc @@ -10,9 +10,9 @@ include::../attributes.txt[] Learn how to select instance types and optionally use placement groups to meet high availability requirements for your Amazon EKS local cluster on {aws} Outposts. -- -This topic provides guidance for selecting the [.noloc]`Kubernetes` control plane instance type and (optionally) using placement groups to meet high-availability requirements for your local Amazon EKS cluster on an Outpost. +This topic provides guidance for selecting the Kubernetes control plane instance type and (optionally) using placement groups to meet high-availability requirements for your local Amazon EKS cluster on an Outpost. -Before you select an instance type (such as `m5`, `c5`, or `r5`) to use for your local cluster's [.noloc]`Kubernetes` control plane on Outposts, confirm the instance types that are available on your Outpost configuration. After you identify the available instance types, select the instance size (such as `large`, `xlarge`, or `2xlarge`) based on the number of nodes that your workloads require. The following table provides recommendations for choosing an instance size. +Before you select an instance type (such as `m5`, `c5`, or `r5`) to use for your local cluster's Kubernetes control plane on Outposts, confirm the instance types that are available on your Outpost configuration. After you identify the available instance types, select the instance size (such as `large`, `xlarge`, or `2xlarge`) based on the number of nodes that your workloads require. The following table provides recommendations for choosing an instance size. [NOTE] ==== @@ -40,27 +40,27 @@ The instance sizes must be slotted on your Outposts. Make sure that you have eno |`4xlarge` |=== -The storage for the [.noloc]`Kubernetes` control plane requires 246 GB of Amazon EBS storage for each local cluster to meet the required IOPS for `etcd`. When the local cluster is created, the Amazon EBS volumes are provisioned automatically for you. +The storage for the Kubernetes control plane requires 246 GB of Amazon EBS storage for each local cluster to meet the required IOPS for `etcd`. When the local cluster is created, the Amazon EBS volumes are provisioned automatically for you. [#outpost-capacity-considerations-control-plane-placement] == Control plane placement -When you don't specify a placement group with the `OutpostConfig.ControlPlanePlacement.GroupName` property, the Amazon EC2 instances provisioned for your [.noloc]`Kubernetes` control plane don't receive any specific hardware placement enforcement across the underlying capacity available on your Outpost. +When you don't specify a placement group with the `OutpostConfig.ControlPlanePlacement.GroupName` property, the Amazon EC2 instances provisioned for your Kubernetes control plane don't receive any specific hardware placement enforcement across the underlying capacity available on your Outpost. -You can use placement groups to meet the high-availability requirements for your local Amazon EKS cluster on an Outpost. By specifying a placement group during cluster creation, you influence the placement of the [.noloc]`Kubernetes` control plane instances. The instances are spread across independent underlying hardware (racks or hosts), minimizing correlated instance impact on the event of hardware failures. +You can use placement groups to meet the high-availability requirements for your local Amazon EKS cluster on an Outpost. By specifying a placement group during cluster creation, you influence the placement of the Kubernetes control plane instances. The instances are spread across independent underlying hardware (racks or hosts), minimizing correlated instance impact on the event of hardware failures. The type of spread that you can configure depends on the number of Outpost racks you have in your deployment. -* *Deployments with one or two physical racks in a single logical Outpost* – You must have at least three hosts that are configured with the instance type that you choose for your [.noloc]`Kubernetes` control plane instances. A _spread_ placement group using _host-level spread_ ensures that all [.noloc]`Kubernetes` control plane instances run on distinct hosts within the underlying racks available in your Outpost deployment. -* *Deployments with three or more physical racks in a single logical Outpost* – You must have at least three hosts configured with the instance type you choose for your [.noloc]`Kubernetes` control plane instances. A _spread_ placement group using _rack-level spread_ ensures that all [.noloc]`Kubernetes` control plane instances run on distinct racks in your Outpost deployment. You can alternatively use the _host-level spread_ placement group as described in the previous option. +* *Deployments with one or two physical racks in a single logical Outpost* – You must have at least three hosts that are configured with the instance type that you choose for your Kubernetes control plane instances. A _spread_ placement group using _host-level spread_ ensures that all Kubernetes control plane instances run on distinct hosts within the underlying racks available in your Outpost deployment. +* *Deployments with three or more physical racks in a single logical Outpost* – You must have at least three hosts configured with the instance type you choose for your Kubernetes control plane instances. A _spread_ placement group using _rack-level spread_ ensures that all Kubernetes control plane instances run on distinct racks in your Outpost deployment. You can alternatively use the _host-level spread_ placement group as described in the previous option. You are responsible for creating the desired placement group. You specify the placement group when calling the `CreateCluster` API. For more information about placement groups and how to create them, see link:AWSEC2/latest/UserGuide/placement-groups.html[Placement Groups,type="documentation"] in the Amazon EC2 User Guide. * When a placement group is specified, there must be available slotted capacity on your Outpost to successfully create a local Amazon EKS cluster. The capacity varies based on whether you use the host or rack spread type. If there isn't enough capacity, the cluster remains in the `Creating` state. You are able to check the `Insufficient Capacity Error` on the health field of the link:eks/latest/APIReference/API_DescribeCluster.html[DescribeCluster,type="documentation"] API response. You must free capacity for the creation process to progress. -* During Amazon EKS local cluster platform and version updates, the [.noloc]`Kubernetes` control plane instances from your cluster are replaced by new instances using a rolling update strategy. During this replacement process, each control plane instance is terminated, freeing up its respective slot. A new updated instance is provisioned in its place. The updated instance might be placed in the slot that was released. If the slot is consumed by another unrelated instance and there is no more capacity left that respects the required spread topology requirement, then the cluster remains in the `Updating` state. You are able to see the respective `Insufficient Capacity Error` on the health field of the link:eks/latest/APIReference/API_DescribeCluster.html[DescribeCluster,type="documentation"] API response. You must free capacity so the update process can progress and reestablish prior high availability levels. +* During Amazon EKS local cluster platform and version updates, the Kubernetes control plane instances from your cluster are replaced by new instances using a rolling update strategy. During this replacement process, each control plane instance is terminated, freeing up its respective slot. A new updated instance is provisioned in its place. The updated instance might be placed in the slot that was released. If the slot is consumed by another unrelated instance and there is no more capacity left that respects the required spread topology requirement, then the cluster remains in the `Updating` state. You are able to see the respective `Insufficient Capacity Error` on the health field of the link:eks/latest/APIReference/API_DescribeCluster.html[DescribeCluster,type="documentation"] API response. You must free capacity so the update process can progress and reestablish prior high availability levels. * You can create a maximum of 500 placement groups per account in each {aws} Region. For more information, see link:AWSEC2/latest/UserGuide/placement-groups.html#placement-groups-limitations-general[General rules and limitations,type="documentation"] in the Amazon EC2 User Guide. \ No newline at end of file diff --git a/latest/ug/outposts/eks-outposts-local-cluster-create.adoc b/latest/ug/outposts/eks-outposts-local-cluster-create.adoc index 8fb28d715..af80858c9 100644 --- a/latest/ug/outposts/eks-outposts-local-cluster-create.adoc +++ b/latest/ug/outposts/eks-outposts-local-cluster-create.adoc @@ -21,22 +21,22 @@ This topic provides an overview of what to consider when running a local cluster ==== * Local clusters support Outpost racks only. A single local cluster can run across multiple physical Outpost racks that comprise a single logical Outpost. A single local cluster can't run across multiple logical Outposts. Each logical Outpost has a single Outpost ARN. -* Local clusters run and manage the [.noloc]`Kubernetes` control plane in your account on the Outpost. You can't run workloads on the [.noloc]`Kubernetes` control plane instances or modify the [.noloc]`Kubernetes` control plane components. These nodes are managed by the Amazon EKS service. Changes to the [.noloc]`Kubernetes` control plane don't persist through automatic Amazon EKS management actions, such as patching. +* Local clusters run and manage the Kubernetes control plane in your account on the Outpost. You can't run workloads on the Kubernetes control plane instances or modify the Kubernetes control plane components. These nodes are managed by the Amazon EKS service. Changes to the Kubernetes control plane don't persist through automatic Amazon EKS management actions, such as patching. * Local clusters support self-managed add-ons and self-managed Amazon Linux node groups. The <>, <>, and <> add-ons are automatically installed on local clusters. -* Local clusters require the use of Amazon EBS on Outposts. Your Outpost must have Amazon EBS available for the [.noloc]`Kubernetes` control plane storage. -* Local clusters use Amazon EBS on Outposts. Your Outpost must have Amazon EBS available for the [.noloc]`Kubernetes` control plane storage. Outposts support Amazon EBS `gp2` volumes only. -* Amazon EBS backed [.noloc]`Kubernetes` `PersistentVolumes` are supported using the Amazon EBS CSI driver. +* Local clusters require the use of Amazon EBS on Outposts. Your Outpost must have Amazon EBS available for the Kubernetes control plane storage. +* Local clusters use Amazon EBS on Outposts. Your Outpost must have Amazon EBS available for the Kubernetes control plane storage. Outposts support Amazon EBS `gp2` volumes only. +* Amazon EBS backed Kubernetes `PersistentVolumes` are supported using the Amazon EBS CSI driver. * The control plane instances of local clusters are set up in https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/[stacked highly available topology]. Two out of the three control plane instances must be healthy at all times to maintain quorum. If quorum is lost, contact {aws} support, as some service-side actions will be required to enable the new managed instances. *Prerequisites* * Familiarity with the <>, <>, and <>. * An existing Outpost. For more information, see link:outposts/latest/userguide/what-is-outposts.html[What is {aws} Outposts,type="documentation"]. -* The `kubectl` command line tool is installed on your computer or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. -* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. +* The `kubectl` command line tool is installed on your computer or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the Kubernetes version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. +* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or Homebrew for macOS are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. * An IAM principal (user or role) with permissions to `create` and `describe` an Amazon EKS cluster. For more information, see <> and <>. -When a local Amazon EKS cluster is created, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that creates the cluster is permanently added. The principal is specifically added to the [.noloc]`Kubernetes` RBAC authorization table as the administrator. This entity has `system:masters` permissions. The identity of this entity isn't visible in your cluster configuration. So, it's important to note the entity that created the cluster and make sure that you never delete it. Initially, only the principal that created the server can make calls to the [.noloc]`Kubernetes` API server using `kubectl`. If you use the console to create the cluster, make sure that the same IAM credentials are in the {aws} SDK credential chain when you run `kubectl` commands on your cluster. After your cluster is created, you can grant other IAM principals access to your cluster. +When a local Amazon EKS cluster is created, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that creates the cluster is permanently added. The principal is specifically added to the Kubernetes RBAC authorization table as the administrator. This entity has `system:masters` permissions. The identity of this entity isn't visible in your cluster configuration. So, it's important to note the entity that created the cluster and make sure that you never delete it. Initially, only the principal that created the server can make calls to the Kubernetes API server using `kubectl`. If you use the console to create the cluster, make sure that the same IAM credentials are in the {aws} SDK credential chain when you run `kubectl` commands on your cluster. After your cluster is created, you can grant other IAM principals access to your cluster. == Create an Amazon EKS local cluster You can create a local cluster with the following tools described in this page: @@ -103,10 +103,10 @@ Cluster provisioning takes several minutes. While the cluster is being created, + [TIP] ==== -To see the most options that you can specify when creating a cluster with `eksctl`, use the `eksctl create cluster --help` command. To see all the available options, you can use a `config` file. For more information, see https://eksctl.io/usage/creating-and-managing-clusters/#using-config-files[Using config files] and the https://eksctl.io/usage/schema/[config file schema] in the `eksctl` documentation. You can find https://github.com/weaveworks/eksctl/tree/master/examples[config file examples] on [.noloc]`GitHub`. +To see the most options that you can specify when creating a cluster with `eksctl`, use the `eksctl create cluster --help` command. To see all the available options, you can use a `config` file. For more information, see https://eksctl.io/usage/creating-and-managing-clusters/#using-config-files[Using config files] and the https://eksctl.io/usage/schema/[config file schema] in the `eksctl` documentation. You can find https://github.com/weaveworks/eksctl/tree/master/examples[config file examples] on GitHub. ==== + -The `eksctl` command automatically created an <> for the IAM principal (user or role) that created the cluster and granted the IAM principal administrator permissions to [.noloc]`Kubernetes` objects on the cluster. If you don't want the cluster creator to have administrator access to [.noloc]`Kubernetes` objects on the cluster, add the following text to the previous configuration file: `bootstrapClusterCreatorAdminPermissions: false` (at the same level as `metadata`, `vpc`, and `outpost`). If you added the option, then after cluster creation, you need to create an access entry for at least one IAM principal, or no IAM principals will have access to [.noloc]`Kubernetes` objects on the cluster. +The `eksctl` command automatically created an <> for the IAM principal (user or role) that created the cluster and granted the IAM principal administrator permissions to Kubernetes objects on the cluster. If you don't want the cluster creator to have administrator access to Kubernetes objects on the cluster, add the following text to the previous configuration file: `bootstrapClusterCreatorAdminPermissions: false` (at the same level as `metadata`, `vpc`, and `outpost`). If you added the option, then after cluster creation, you need to create an access entry for at least one IAM principal, or no IAM principals will have access to Kubernetes objects on the cluster. === {aws-management-console} [[console_create_cluster_outpost]] @@ -150,19 +150,19 @@ aws iam attach-role-policy --policy-arn {arn-aws}iam::aws:policy/AmazonEKSLocalO . Choose *Add cluster* and then choose *Create*. . On the *Configure cluster* page, enter or select values for the following fields: + -* *[.noloc]`Kubernetes` control plane location* – Choose {aws} Outposts. +* *Kubernetes control plane location* – Choose {aws} Outposts. * *Outpost ID* – Choose the ID of the Outpost that you want to create your control plane on. * *Instance type* – Select an instance type. Only the instance types available in your Outpost are displayed. In the dropdown list, each instance type describes how many nodes the instance type is recommended for. Before choosing an instance type, see <>. All replicas are deployed using the same instance type. You can't change the instance type after your cluster is created. Three control plane instances are deployed. You can't change this number. * *Name* – A name for your cluster. It must be unique in your {aws} account. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. -* *[.noloc]`Kubernetes` version* – Choose the [.noloc]`Kubernetes` version that you want to use for your cluster. We recommend selecting the latest version, unless you need to use an earlier version. -* *Cluster service role* – Choose the Amazon EKS cluster IAM role that you created in a previous step to allow the [.noloc]`Kubernetes` control plane to manage {aws} resources. -* *[.noloc]`Kubernetes` cluster administrator access* – If you want the IAM principal (role or user) that's creating the cluster to have administrator access to the [.noloc]`Kubernetes` objects on the cluster, accept the default (allow). Amazon EKS creates an access entry for the IAM principal and grants cluster administrator permissions to the access entry. For more information about access entries, see <>. +* *Kubernetes version* – Choose the Kubernetes version that you want to use for your cluster. We recommend selecting the latest version, unless you need to use an earlier version. +* *Cluster service role* – Choose the Amazon EKS cluster IAM role that you created in a previous step to allow the Kubernetes control plane to manage {aws} resources. +* *Kubernetes cluster administrator access* – If you want the IAM principal (role or user) that's creating the cluster to have administrator access to the Kubernetes objects on the cluster, accept the default (allow). Amazon EKS creates an access entry for the IAM principal and grants cluster administrator permissions to the access entry. For more information about access entries, see <>. + -If you want a different IAM principal than the principal creating the cluster to have administrator access to [.noloc]`Kubernetes` cluster objects, choose the disallow option. After cluster creation, any IAM principal that has IAM permissions to create access entries can add an access entries for any IAM principals that need access to [.noloc]`Kubernetes` cluster objects. For more information about the required IAM permissions, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the Service Authorization Reference. If you choose the disallow option and don't create any access entries, then no IAM principals will have access to the [.noloc]`Kubernetes` objects on the cluster. +If you want a different IAM principal than the principal creating the cluster to have administrator access to Kubernetes cluster objects, choose the disallow option. After cluster creation, any IAM principal that has IAM permissions to create access entries can add an access entries for any IAM principals that need access to Kubernetes cluster objects. For more information about the required IAM permissions, see link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"] in the Service Authorization Reference. If you choose the disallow option and don't create any access entries, then no IAM principals will have access to the Kubernetes objects on the cluster. * *Tags* – (Optional) Add any tags to your cluster. For more information, see <>. When you're done with this page, choose *Next*. . On the *Specify networking* page, select values for the following fields: + -* *VPC* – Choose an existing VPC. The VPC must have a sufficient number of IP addresses available for the cluster, any nodes, and other [.noloc]`Kubernetes` resources that you want to create. Your VPC must meet the requirements in <>. +* *VPC* – Choose an existing VPC. The VPC must have a sufficient number of IP addresses available for the cluster, any nodes, and other Kubernetes resources that you want to create. Your VPC must meet the requirements in <>. * *Subnets* – By default, all available subnets in the VPC specified in the previous field are preselected. The subnets that you choose must meet the requirements in <>. * *Security groups* – (Optional) Specify one or more security groups that you want Amazon EKS to associate to the network interfaces that it creates. Amazon EKS automatically creates a security group that enables communication between your cluster and your VPC. Amazon EKS associates this security group, and any that you choose, to the network interfaces that it creates. For more information about the cluster security group that Amazon EKS creates, see <>. You can modify the rules in the cluster security group that Amazon EKS creates. If you choose to add your own security groups, you can't change the ones that you choose after cluster creation. For on-premises hosts to communicate with the cluster endpoint, you must allow inbound traffic from the cluster security group. For clusters that don't have an ingress and egress internet connection (also knows as private clusters), you must do one of the following: + @@ -171,7 +171,7 @@ If you want a different IAM principal than the principal creating the cluster to ** Modify the security group that Amazon EKS created to allow traffic from the security group associated with the VPC endpoints. When you're done with this page, choose *Next*. . On the *Configure observability* page, you can optionally choose which *Metrics* and *Control plane logging* options that you want to turn on. By default, each log type is turned off. + -**** For more information on the [.noloc]`Prometheus` metrics option, see <>. +**** For more information on the Prometheus metrics option, see <>. **** For more information on the *Control plane logging* options, see <>. When you're done with this page, choose *Next*. . On the *Review and create* page, review the information that you entered or selected on the previous pages. If you need to make changes, choose *Edit*. When you're satisfied, choose *Create*. The *Status* field shows *CREATING* while the cluster is provisioned. + @@ -195,7 +195,7 @@ An example output is as follows. "Name": "my-cluster-control-plane-id3" ---- + -Each instance is tainted with `node-role.eks-local.amazonaws.com/control-plane` so that no workloads are ever scheduled on the control plane instances. For more information about taints, see https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/[Taints and Tolerations] in the [.noloc]`Kubernetes` documentation. Amazon EKS continuously monitors the state of local clusters. We perform automatic management actions, such as security patches and repairing unhealthy instances. When local clusters are disconnected from the cloud, we complete actions to ensure that the cluster is repaired to a healthy state upon reconnect. +Each instance is tainted with `node-role.eks-local.amazonaws.com/control-plane` so that no workloads are ever scheduled on the control plane instances. For more information about taints, see https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/[Taints and Tolerations] in the Kubernetes documentation. Amazon EKS continuously monitors the state of local clusters. We perform automatic management actions, such as security patches and repairing unhealthy instances. When local clusters are disconnected from the cloud, we complete actions to ensure that the cluster is repaired to a healthy state upon reconnect. . If you created your cluster using `eksctl`, then you can skip this step. `eksctl` completes this step for you. Enable `kubectl` to communicate with your cluster by adding a new context to the `kubectl` `config` file. For instructions on how to create and update the file, see <>. + [source,bash,subs="verbatim,attributes"] @@ -209,9 +209,9 @@ An example output is as follows. ---- Added new context {arn-aws}eks:region-code:111122223333:cluster/my-cluster to /home/username/.kube/config ---- -. To connect to your local cluster's [.noloc]`Kubernetes` API server, have access to the local gateway for the subnet, or connect from within the VPC. For more information about connecting an Outpost rack to your on-premises network, see link:outposts/latest/userguide/how-racks-work.html[How local gateways for racks work,type="documentation"] in the {aws} Outposts User Guide. If you use Direct VPC Routing and the Outpost subnet has a route to your local gateway, the private IP addresses of the [.noloc]`Kubernetes` control plane instances are automatically broadcasted over your local network. The local cluster's [.noloc]`Kubernetes` API server endpoint is hosted in Amazon Route 53 (Route 53). The API service endpoint can be resolved by public DNS servers to the Kubernetes API servers' private IP addresses. +. To connect to your local cluster's Kubernetes API server, have access to the local gateway for the subnet, or connect from within the VPC. For more information about connecting an Outpost rack to your on-premises network, see link:outposts/latest/userguide/how-racks-work.html[How local gateways for racks work,type="documentation"] in the {aws} Outposts User Guide. If you use Direct VPC Routing and the Outpost subnet has a route to your local gateway, the private IP addresses of the Kubernetes control plane instances are automatically broadcasted over your local network. The local cluster's Kubernetes API server endpoint is hosted in Amazon Route 53 (Route 53). The API service endpoint can be resolved by public DNS servers to the Kubernetes API servers' private IP addresses. + -Local clusters' [.noloc]`Kubernetes` control plane instances are configured with static elastic network interfaces with fixed private IP addresses that don't change throughout the cluster lifecycle. Machines that interact with the [.noloc]`Kubernetes` API server might not have connectivity to Route 53 during network disconnects. If this is the case, we recommend configuring `/etc/hosts` with the static private IP addresses for continued operations. We also recommend setting up local DNS servers and connecting them to your Outpost. For more information, see the link:outposts/latest/userguide/how-outposts-works.html#dns[{aws} Outposts documentation,type="documentation"]. Run the following command to confirm that communication's established with your cluster. +Local clusters' Kubernetes control plane instances are configured with static elastic network interfaces with fixed private IP addresses that don't change throughout the cluster lifecycle. Machines that interact with the Kubernetes API server might not have connectivity to Route 53 during network disconnects. If this is the case, we recommend configuring `/etc/hosts` with the static private IP addresses for continued operations. We also recommend setting up local DNS servers and connecting them to your Outpost. For more information, see the link:outposts/latest/userguide/how-outposts-works.html#dns[{aws} Outposts documentation,type="documentation"]. Run the following command to confirm that communication's established with your cluster. + [source,bash,subs="verbatim,attributes"] ---- @@ -247,7 +247,7 @@ Amazon EKS creates the following resources on your cluster. The resources are fo + ** `kube-system/coredns` ** `kube-system/` `kube-proxy` (not created until you add your first node) -** `kube-system/aws-node` (not created until you add your first node). Local clusters use the [.noloc]`Amazon VPC CNI plugin for Kubernetes` plugin for cluster networking. Do not change the configuration for control plane instances (Pods named `aws-node-controlplane-*`). There are configuration variables that you can use to change the default value for when the plugin creates new network interfaces. For more information, see the https://github.com/aws/amazon-vpc-cni-k8s/blob/master/README.md[documentation] on GitHub. +** `kube-system/aws-node` (not created until you add your first node). Local clusters use the Amazon VPC CNI plugin for Kubernetes plugin for cluster networking. Do not change the configuration for control plane instances (Pods named `aws-node-controlplane-*`). There are configuration variables that you can use to change the default value for when the plugin creates new network interfaces. For more information, see the https://github.com/aws/amazon-vpc-cni-k8s/blob/master/README.md[documentation] on GitHub. * The following services: + ** `default/kubernetes` @@ -256,13 +256,13 @@ Amazon EKS creates the following resources on your cluster. The resources are fo * A `ClusterRole` named `eks:system:podsecuritypolicy` * A `ClusterRoleBinding` named `eks:system` * A default <> -* In addition to the <>, Amazon EKS creates a security group in your {aws} account that's named `eks-local-internal-do-not-use-or-edit-[.replaceable]``cluster-name``-[.replaceable]``uniqueid```. This security group allows traffic to flow freely between [.noloc]`Kubernetes` components running on the control plane instances. +* In addition to the <>, Amazon EKS creates a security group in your {aws} account that's named `eks-local-internal-do-not-use-or-edit-[.replaceable]``cluster-name``-[.replaceable]``uniqueid```. This security group allows traffic to flow freely between Kubernetes components running on the control plane instances. Recommended next steps: * <> -* <>. If you want the entities to view [.noloc]`Kubernetes` resources in the Amazon EKS console, grant the <> to the entities. +* <>. If you want the entities to view Kubernetes resources in the Amazon EKS console, grant the <> to the entities. * <> * Familiarize yourself with what happens during <>. * <> -* Consider setting up a backup plan for your `etcd`. Amazon EKS doesn't support automated backup and restore of `etcd` for local clusters. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/#backing-up-an-etcd-cluster[Backing up an etcd cluster] in the [.noloc]`Kubernetes` documentation. The two main options are using `etcdctl` to automate taking snapshots or using Amazon EBS storage volume backup. \ No newline at end of file +* Consider setting up a backup plan for your `etcd`. Amazon EKS doesn't support automated backup and restore of `etcd` for local clusters. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/#backing-up-an-etcd-cluster[Backing up an etcd cluster] in the Kubernetes documentation. The two main options are using `etcdctl` to automate taking snapshots or using Amazon EBS storage volume backup. \ No newline at end of file diff --git a/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc b/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc index 665424c14..01b31ae90 100644 --- a/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc +++ b/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc @@ -22,7 +22,7 @@ include::eks-outposts-troubleshooting.adoc[leveloffset=+1] Learn to create and manage local Amazon EKS clusters on {aws} Outposts for high availability across multiple regions. -- -You can use local clusters to run your entire Amazon EKS cluster locally on {aws} Outposts. This helps mitigate the risk of application downtime that might result from temporary network disconnects to the cloud. These disconnects can be caused by fiber cuts or weather events. Because the entire [.noloc]`Kubernetes` cluster runs locally on Outposts, applications remain available. You can perform cluster operations during network disconnects to the cloud. For more information, see <>. The following diagram shows a local cluster deployment. +You can use local clusters to run your entire Amazon EKS cluster locally on {aws} Outposts. This helps mitigate the risk of application downtime that might result from temporary network disconnects to the cloud. These disconnects can be caused by fiber cuts or weather events. Because the entire Kubernetes cluster runs locally on Outposts, applications remain available. You can perform cluster operations during network disconnects to the cloud. For more information, see <>. The following diagram shows a local cluster deployment. diff --git a/latest/ug/outposts/eks-outposts-network-disconnects.adoc b/latest/ug/outposts/eks-outposts-network-disconnects.adoc index 20c112d53..d6992a9dd 100644 --- a/latest/ug/outposts/eks-outposts-network-disconnects.adoc +++ b/latest/ug/outposts/eks-outposts-network-disconnects.adoc @@ -17,15 +17,15 @@ If your local network has lost connectivity with the {aws} Cloud, you can contin * Local clusters enable stability and continued operations during temporary, unplanned network disconnects. {aws} Outposts remains a fully connected offering that acts as an extension of the {aws} Cloud in your data center. In the event of network disconnects between your Outpost and {aws} Cloud, we recommend attempting to restore your connection. For instruction, see link:outposts/latest/userguide/network-troubleshoot.html[{aws} Outposts rack network troubleshooting checklist,type="documentation"] in the _{aws} Outposts User Guide_. For more information about how to troubleshoot issues with local clusters, see <>. * Outposts emit a `ConnectedStatus` metric that you can use to monitor the connectivity state of your Outpost. For more information, see link:outposts/latest/userguide/outposts-cloudwatch-metrics.html#outposts-metrics[Outposts Metrics,type="documentation"] in the _{aws} Outposts User Guide_. * Local clusters use IAM as the default authentication mechanism using the https://github.com/kubernetes-sigs/aws-iam-authenticator[{aws} Identity and Access Management authenticator for Kubernetes]. IAM isn't available during network disconnects. So, local clusters support an alternative authentication mechanism using `x.509` certificates that you can use to connect to your cluster during network disconnects. For information about how to obtain and use an `x.509` certificate for your cluster, see <>. -* If you can't access Route 53 during network disconnects, consider using local DNS servers in your on-premises environment. The [.noloc]`Kubernetes` control plane instances use static IP addresses. You can configure the hosts that you use to connect to your cluster with the endpoint hostname and IP addresses as an alternative to using local DNS servers. For more information, see link:outposts/latest/userguide/how-outposts-works.html#dns[DNS,type="documentation"] in the _{aws} Outposts User Guide_. +* If you can't access Route 53 during network disconnects, consider using local DNS servers in your on-premises environment. The Kubernetes control plane instances use static IP addresses. You can configure the hosts that you use to connect to your cluster with the endpoint hostname and IP addresses as an alternative to using local DNS servers. For more information, see link:outposts/latest/userguide/how-outposts-works.html#dns[DNS,type="documentation"] in the _{aws} Outposts User Guide_. * If you expect increases in application traffic during network disconnects, you can provision spare compute capacity in your cluster when connected to the cloud. Amazon EC2 instances are included in the price of {aws} Outposts. So, running spare instances doesn't impact your {aws} usage cost. -* During network disconnects to enable create, update, and scale operations for workloads, your application's container images must be accessible over the local network and your cluster must have enough capacity. Local clusters don't host a container registry for you. If the [.noloc]`Pods` have previously run on those nodes, container images are cached on the nodes. If you typically pull your application's container images from Amazon ECR in the cloud, consider running a local cache or registry. A local cache or registry is helpful if you require create, update, and scale operations for workload resources during network disconnects. -* Local clusters use Amazon EBS as the default storage class for persistent volumes and the Amazon EBS CSI driver to manage the lifecycle of Amazon EBS persistent volumes. During network disconnects, [.noloc]`Pods` that are backed by Amazon EBS can't be created, updated, or scaled. This is because these operations require calls to the Amazon EBS API in the cloud. If you're deploying stateful workloads on local clusters and require create, update, or scale operations during network disconnects, consider using an alternative storage mechanism. +* During network disconnects to enable create, update, and scale operations for workloads, your application's container images must be accessible over the local network and your cluster must have enough capacity. Local clusters don't host a container registry for you. If the Pods have previously run on those nodes, container images are cached on the nodes. If you typically pull your application's container images from Amazon ECR in the cloud, consider running a local cache or registry. A local cache or registry is helpful if you require create, update, and scale operations for workload resources during network disconnects. +* Local clusters use Amazon EBS as the default storage class for persistent volumes and the Amazon EBS CSI driver to manage the lifecycle of Amazon EBS persistent volumes. During network disconnects, Pods that are backed by Amazon EBS can't be created, updated, or scaled. This is because these operations require calls to the Amazon EBS API in the cloud. If you're deploying stateful workloads on local clusters and require create, update, or scale operations during network disconnects, consider using an alternative storage mechanism. * Amazon EBS snapshots can't be created or deleted if {aws} Outposts can't access the relevant {aws} in-region APIs (such as the APIs for Amazon EBS or Amazon S3). * When integrating ALB (Ingress) with {aws} Certificate Manager (ACM), certificates are pushed and stored in memory of the {aws} Outposts ALB Compute instance. Current TLS termination will continue to operate in the event of a disconnect from the {aws} Region. Mutating operations in this context will fail (such as new ingress definitions, new ACM based certificates API operations, ALB compute scale, or certificate rotation). For more information, see link:acm/latest/userguide/troubleshooting-renewal.html[Troubleshooting managed certificate renewal,type="documentation"] in the _{aws} Certificate Manager User Guide_. -* The Amazon EKS control plane logs are cached locally on the [.noloc]`Kubernetes` control plane instances during network disconnects. Upon reconnect, the logs are sent to CloudWatch Logs in the parent {aws} Region. You can use https://prometheus.io/[Prometheus], https://grafana.com/[Grafana], or Amazon EKS partner solutions to monitor the cluster locally using the [.noloc]`Kubernetes` API server's metrics endpoint or using [.noloc]`Fluent Bit` for logs. -* If you're using the [.noloc]`{aws} Load Balancer Controller` on Outposts for application traffic, existing [.noloc]`Pods` fronted by the [.noloc]`{aws} Load Balancer Controller` continue to receive traffic during network disconnects. New [.noloc]`Pods` created during network disconnects don't receive traffic until the Outpost is reconnected to the {aws} Cloud. Consider setting the replica count for your applications while connected to the {aws} Cloud to accommodate your scaling needs during network disconnects. -* The [.noloc]`Amazon VPC CNI plugin for Kubernetes` defaults to https://aws.github.io/aws-eks-best-practices/networking/vpc-cni/#overview[secondary IP mode]. It's configured with `WARM_ENI_TARGET`=``1``, which allows the plugin to keep "a full elastic network interface" of available IP addresses available. Consider changing `WARM_ENI_TARGET`, `WARM_IP_TARGET`, and `MINIMUM_IP_TARGET` values according to your scaling needs during a disconnected state. For more information, see the https://github.com/aws/amazon-vpc-cni-k8s/blob/master/README.md[readme] file for the plugin on GitHub. For a list of the maximum number of [.noloc]`Pods` that's supported by each instance type, see the https://github.com/aws/amazon-vpc-cni-k8s/blob/master/misc/eni-max-pods.txt[eni-max-pods.txt] file on GitHub. +* The Amazon EKS control plane logs are cached locally on the Kubernetes control plane instances during network disconnects. Upon reconnect, the logs are sent to CloudWatch Logs in the parent {aws} Region. You can use https://prometheus.io/[Prometheus], https://grafana.com/[Grafana], or Amazon EKS partner solutions to monitor the cluster locally using the Kubernetes API server's metrics endpoint or using Fluent Bit for logs. +* If you're using the {aws} Load Balancer Controller on Outposts for application traffic, existing Pods fronted by the {aws} Load Balancer Controller continue to receive traffic during network disconnects. New Pods created during network disconnects don't receive traffic until the Outpost is reconnected to the {aws} Cloud. Consider setting the replica count for your applications while connected to the {aws} Cloud to accommodate your scaling needs during network disconnects. +* The Amazon VPC CNI plugin for Kubernetes defaults to https://aws.github.io/aws-eks-best-practices/networking/vpc-cni/#overview[secondary IP mode]. It's configured with `WARM_ENI_TARGET`=``1``, which allows the plugin to keep "a full elastic network interface" of available IP addresses available. Consider changing `WARM_ENI_TARGET`, `WARM_IP_TARGET`, and `MINIMUM_IP_TARGET` values according to your scaling needs during a disconnected state. For more information, see the https://github.com/aws/amazon-vpc-cni-k8s/blob/master/README.md[readme] file for the plugin on GitHub. For a list of the maximum number of Pods that's supported by each instance type, see the https://github.com/aws/amazon-vpc-cni-k8s/blob/master/misc/eni-max-pods.txt[eni-max-pods.txt] file on GitHub. [#outposts-network-disconnects-authentication] @@ -47,7 +47,7 @@ Learn how to work with your cluster during a network disconnect. openssl req -new -newkey rsa:4096 -nodes -days 365 \ -keyout admin.key -out admin.csr -subj "/CN=admin" ---- -.. Create a certificate signing request in [.noloc]`Kubernetes`. +.. Create a certificate signing request in Kubernetes. + [source,bash,subs="verbatim,attributes"] ---- @@ -85,7 +85,7 @@ NAME AGE REQUESTOR CONDITION admin-csr 11m kubernetes-admin Pending ---- + -[.noloc]`Kubernetes` created the certificate signing request. +Kubernetes created the certificate signing request. . Approve the certificate signing request. + [source,bash,subs="verbatim,attributes"] diff --git a/latest/ug/outposts/eks-outposts-platform-versions.adoc b/latest/ug/outposts/eks-outposts-platform-versions.adoc index 873f80acd..83d140669 100644 --- a/latest/ug/outposts/eks-outposts-platform-versions.adoc +++ b/latest/ug/outposts/eks-outposts-platform-versions.adoc @@ -2,36 +2,36 @@ include::../attributes.txt[] [.topic] [#eks-outposts-platform-versions] -= Learn [.noloc]`Kubernetes` and Amazon EKS platform versions for {aws} Outposts += Learn Kubernetes and Amazon EKS platform versions for {aws} Outposts :info_titleabbrev: EKS platform versions [abstract] -- -Learn the relationship between Amazon EKS and [.noloc]`Kubernetes` versions available on {aws} Outposts. +Learn the relationship between Amazon EKS and Kubernetes versions available on {aws} Outposts. -- -Local cluster platform versions represent the capabilities of the Amazon EKS cluster on {aws} Outposts. The versions include the components that run on the [.noloc]`Kubernetes` control plane, which [.noloc]`Kubernetes` API server flags are enabled. They also include the current [.noloc]`Kubernetes` patch version. Each [.noloc]`Kubernetes` minor version has one or more associated platform versions. The platform versions for different [.noloc]`Kubernetes` minor versions are independent. The platform versions for local clusters and Amazon EKS clusters in the cloud are independent. +Local cluster platform versions represent the capabilities of the Amazon EKS cluster on {aws} Outposts. The versions include the components that run on the Kubernetes control plane, which Kubernetes API server flags are enabled. They also include the current Kubernetes patch version. Each Kubernetes minor version has one or more associated platform versions. The platform versions for different Kubernetes minor versions are independent. The platform versions for local clusters and Amazon EKS clusters in the cloud are independent. -When a new [.noloc]`Kubernetes` minor version is available for local clusters, such as `1.30`, the initial platform version for that [.noloc]`Kubernetes` minor version starts at `eks-local-outposts.1`. However, Amazon EKS releases new platform versions periodically to enable new [.noloc]`Kubernetes` control plane settings and to provide security fixes. +When a new Kubernetes minor version is available for local clusters, such as `1.30`, the initial platform version for that Kubernetes minor version starts at `eks-local-outposts.1`. However, Amazon EKS releases new platform versions periodically to enable new Kubernetes control plane settings and to provide security fixes. When new local cluster platform versions become available for a minor version: * The platform version number is incremented (`eks-local-outposts.n+1`). -* Amazon EKS automatically updates all existing local clusters to the latest platform version for their corresponding [.noloc]`Kubernetes` minor version. Automatic updates of existing platform versions are rolled out incrementally. The roll-out process consists of the replacement of the managed [.noloc]`Kubernetes` control-plane instances running on the Outpost, one at a time, until all 3 instances get replaced by new ones. -* The [.noloc]`Kubernetes` control-plane instance replacement process will stop progressing if there is risk of service interruption. Amazon EKS will only attempt to replace an instance in case the other 2 [.noloc]`Kubernetes` control-plane instances are healthy and passing all readiness conditions as a cluster node. -* A platform version rollout will typically take less than 30 minutes to complete. If a cluster remains on `UPDATING` state for an extended amount of time, see the <> and seek help from {aws} Support. Never manually terminate [.noloc]`Kubernetes` control-plane instances unless instructed by {aws} Support. -* Amazon EKS might publish a new node AMI with a corresponding patch version. All patch versions are compatible between the [.noloc]`Kubernetes` control plane and node AMIs for a single [.noloc]`Kubernetes` minor version. +* Amazon EKS automatically updates all existing local clusters to the latest platform version for their corresponding Kubernetes minor version. Automatic updates of existing platform versions are rolled out incrementally. The roll-out process consists of the replacement of the managed Kubernetes control-plane instances running on the Outpost, one at a time, until all 3 instances get replaced by new ones. +* The Kubernetes control-plane instance replacement process will stop progressing if there is risk of service interruption. Amazon EKS will only attempt to replace an instance in case the other 2 Kubernetes control-plane instances are healthy and passing all readiness conditions as a cluster node. +* A platform version rollout will typically take less than 30 minutes to complete. If a cluster remains on `UPDATING` state for an extended amount of time, see the <> and seek help from {aws} Support. Never manually terminate Kubernetes control-plane instances unless instructed by {aws} Support. +* Amazon EKS might publish a new node AMI with a corresponding patch version. All patch versions are compatible between the Kubernetes control plane and node AMIs for a single Kubernetes minor version. New platform versions don't introduce breaking changes or cause service interruptions. -Local clusters are always created with the latest available platform version (`eks-local-outposts.n`) for the specified [.noloc]`Kubernetes` version. +Local clusters are always created with the latest available platform version (`eks-local-outposts.n`) for the specified Kubernetes version. The current and recent platform versions are described in the following tables. [#outposts-platform-versions-1-30] -== [.noloc]`Kubernetes` version `1.30` +== Kubernetes version `1.30` The following admission controllers are enabled for all `1.30` platform versions: `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `DefaultStorageClass`, `DefaultTolerationSeconds`, `ExtendedResourceToleration`, `LimitRanger`, `MutatingAdmissionWebhook`, `NamespaceLifecycle`, `NodeRestriction`, `PersistentVolumeClaimResize`, `Priority`, `PodSecurity`, `ResourceQuota`, `RuntimeClass`, `ServiceAccount`, `StorageObjectInUseProtection`, `TaintNodesByCondition`, `ValidatingAdmissionPolicy`, and `ValidatingAdmissionWebhook`. @@ -44,7 +44,7 @@ The following admission controllers are enabled for all `1.30` platform versions |`1.30.7` |`eks-local-outposts.2` -|New platform version with security fixes and enhancements. kube-proxy updated to `v1.30.7`. {aws} IAM Authenticator updated to `v0.6.28`. Amazon VPC CNI plugin for Kubernetes updated to `v1.19.0`. Updated [.noloc]`Bottlerocket` version to `v1.29.0`. +|New platform version with security fixes and enhancements. kube-proxy updated to `v1.30.7`. {aws} IAM Authenticator updated to `v0.6.28`. Amazon VPC CNI plugin for Kubernetes updated to `v1.19.0`. Updated Bottlerocket version to `v1.29.0`. |January 10, 2025 |`1.30.5` @@ -54,7 +54,7 @@ The following admission controllers are enabled for all `1.30` platform versions |=== [#outposts-platform-versions-1-29] -== [.noloc]`Kubernetes` version `1.29` +== Kubernetes version `1.29` The following admission controllers are enabled for all `1.29` platform versions: `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `DefaultStorageClass`, `DefaultTolerationSeconds`, `ExtendedResourceToleration`, `LimitRanger`, `MutatingAdmissionWebhook`, `NamespaceLifecycle`, `NodeRestriction`, `PersistentVolumeClaimResize`, `Priority`, `PodSecurity`, `ResourceQuota`, `RuntimeClass`, `ServiceAccount`, `StorageObjectInUseProtection`, `TaintNodesByCondition`, `ValidatingAdmissionPolicy`, and `ValidatingAdmissionWebhook`. @@ -67,22 +67,22 @@ The following admission controllers are enabled for all `1.29` platform versions |`v1.29.11` |`eks-local-outposts.12` -|New platform version with security fixes and enhancements. kube-proxy updated to `v1.29.11`. Amazon VPC CNI plugin for Kubernetes updated to `v1.19.0`. Updated CoreDNS image to `v1.11.3`. Updated [.noloc]`Bottlerocket` version to `v1.29.0`. +|New platform version with security fixes and enhancements. kube-proxy updated to `v1.29.11`. Amazon VPC CNI plugin for Kubernetes updated to `v1.19.0`. Updated CoreDNS image to `v1.11.3`. Updated Bottlerocket version to `v1.29.0`. |January 10, 2025 |`1.29.9` |`eks-local-outposts.4` -|New platform version with security fixes and enhancements. kube-proxy updated to `v1.29.9`. {aws} IAM Authenticator updated to `v0.6.26`. Updated [.noloc]`Bottlerocket` version to `v1.26.0`. +|New platform version with security fixes and enhancements. kube-proxy updated to `v1.29.9`. {aws} IAM Authenticator updated to `v0.6.26`. Updated Bottlerocket version to `v1.26.0`. |November 8, 2024 |`1.29.6` |`eks-local-outposts.3` -|New platform version with security fixes and enhancements. Updated [.noloc]`Bottlerocket` version to `v1.22.0`. +|New platform version with security fixes and enhancements. Updated Bottlerocket version to `v1.22.0`. |October 22, 2024 |`1.29.6` |`eks-local-outposts.2` -|New platform version with security fixes and enhancements. Updated [.noloc]`Bottlerocket` version to `v1.21.0`. +|New platform version with security fixes and enhancements. Updated Bottlerocket version to `v1.21.0`. |August 27, 2024 |`1.29.6` @@ -92,7 +92,7 @@ The following admission controllers are enabled for all `1.29` platform versions |=== [#outposts-platform-versions-1-28] -== [.noloc]`Kubernetes` version `1.28` +== Kubernetes version `1.28` The following admission controllers are enabled for all `1.28` platform versions: `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `DefaultStorageClass`, `DefaultTolerationSeconds`, `ExtendedResourceToleration`, `LimitRanger`, `MutatingAdmissionWebhook`, `NamespaceLifecycle`, `NodeRestriction`, `PersistentVolumeClaimResize`, `Priority`, `PodSecurity`, `ResourceQuota`, `RuntimeClass`, `ServiceAccount`, `StorageObjectInUseProtection`, `TaintNodesByCondition`, `ValidatingAdmissionPolicy`, and `ValidatingAdmissionWebhook`. @@ -105,22 +105,22 @@ The following admission controllers are enabled for all `1.28` platform versions |`1.28.15` |`eks-local-outposts.12` -|New platform version with security fixes and enhancements. kube-proxy updated to `v1.28.15`. Amazon VPC CNI plugin for Kubernetes updated to `v1.19.0`. Updated [.noloc]`Bottlerocket` version to `v1.29.0`. +|New platform version with security fixes and enhancements. kube-proxy updated to `v1.28.15`. Amazon VPC CNI plugin for Kubernetes updated to `v1.19.0`. Updated Bottlerocket version to `v1.29.0`. |January 10, 2025 |`1.28.14` |`eks-local-outposts.11` -|New platform version with security fixes and enhancements. kube-proxy updated to `v1.28.14`. {aws} IAM Authenticator updated to `v0.6.26`. Updated CoreDNS image to `v1.11.1`. Updated [.noloc]`Bottlerocket` version to `v1.26.0`. +|New platform version with security fixes and enhancements. kube-proxy updated to `v1.28.14`. {aws} IAM Authenticator updated to `v0.6.26`. Updated CoreDNS image to `v1.11.1`. Updated Bottlerocket version to `v1.26.0`. |November 8, 2024 |`1.28.10` |`eks-local-outposts.10` -|New platform version with security fixes and enhancements. Updated [.noloc]`Bottlerocket` version to `v1.22.0`. +|New platform version with security fixes and enhancements. Updated Bottlerocket version to `v1.22.0`. |October 22, 2024 |`1.28.10` |`eks-local-outposts.9` -|New platform version with security fixes and enhancements. Updated [.noloc]`Bottlerocket` version to `v1.21.0`. +|New platform version with security fixes and enhancements. Updated Bottlerocket version to `v1.21.0`. |August 27, 2024 |`1.28.10` @@ -130,7 +130,7 @@ The following admission controllers are enabled for all `1.28` platform versions |`1.28.10` |`eks-local-outposts.6` -|New platform version with security fixes and enhancements. kube-proxy updated to `v1.28.10`. {aws} IAM Authenticator updated to `v0.6.20`. Updated [.noloc]`Bottlerocket` version to `v1.20.2`. +|New platform version with security fixes and enhancements. kube-proxy updated to `v1.28.10`. {aws} IAM Authenticator updated to `v0.6.20`. Updated Bottlerocket version to `v1.20.2`. |June 19, 2024 |`1.28.6` @@ -140,7 +140,7 @@ The following admission controllers are enabled for all `1.28` platform versions |`1.28.6` |`eks-local-outposts.4` -|New platform version with security fixes and enhancements. Restored support or local boot in Outposts. Downgraded [.noloc]`Bottlerocket` version to `v1.15.1` for compatibility. +|New platform version with security fixes and enhancements. Restored support or local boot in Outposts. Downgraded Bottlerocket version to `v1.15.1` for compatibility. |April 2, 2024 |`1.28.6` @@ -150,7 +150,7 @@ The following admission controllers are enabled for all `1.28` platform versions |`1.28.6` |`eks-local-outposts.2` -|New platform version with security fixes and enhancements. kube-proxy updated to `v1.28.6`. {aws} IAM Authenticator updated to `v0.6.17`. Amazon VPC CNI plugin for Kubernetes downgraded to `v1.13.2` for compatibility reasons. Updated [.noloc]`Bottlerocket` version to `v1.19.2`. +|New platform version with security fixes and enhancements. kube-proxy updated to `v1.28.6`. {aws} IAM Authenticator updated to `v0.6.17`. Amazon VPC CNI plugin for Kubernetes downgraded to `v1.13.2` for compatibility reasons. Updated Bottlerocket version to `v1.19.2`. |March 8, 2024 |`1.28.1` @@ -160,7 +160,7 @@ The following admission controllers are enabled for all `1.28` platform versions |=== [#outposts-platform-versions-1-27] -== [.noloc]`Kubernetes` version `1.27` +== Kubernetes version `1.27` The following admission controllers are enabled for all `1.27` platform versions: `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `DefaultStorageClass`, `DefaultTolerationSeconds`, `ExtendedResourceToleration`, `LimitRanger`, `MutatingAdmissionWebhook`, `NamespaceLifecycle`, `NodeRestriction`, `PersistentVolumeClaimResize`, `Priority`, `PodSecurity`, `ResourceQuota`, `RuntimeClass`, `ServiceAccount`, `StorageObjectInUseProtection`, `TaintNodesByCondition`, `ValidatingAdmissionPolicy`, and `ValidatingAdmissionWebhook`. @@ -173,22 +173,22 @@ The following admission controllers are enabled for all `1.27` platform versions |`1.27.16` |`eks-local-outposts.12` -|New platform version with security fixes and enhancements. Amazon VPC CNI plugin for Kubernetes updated to `v1.19.0`. Updated [.noloc]`Bottlerocket` version to `v1.29.0`. +|New platform version with security fixes and enhancements. Amazon VPC CNI plugin for Kubernetes updated to `v1.19.0`. Updated Bottlerocket version to `v1.29.0`. |January 10, 2025 |`1.27.16` |`eks-local-outposts.11` -|New platform version with security fixes and enhancements. kube-proxy updated to `v1.27.16`. {aws} IAM Authenticator updated to `v0.6.26`. Updated CoreDNS image to `v1.11.1`. Updated [.noloc]`Bottlerocket` version to `v1.26.0`. +|New platform version with security fixes and enhancements. kube-proxy updated to `v1.27.16`. {aws} IAM Authenticator updated to `v0.6.26`. Updated CoreDNS image to `v1.11.1`. Updated Bottlerocket version to `v1.26.0`. |November 8, 2024 |`1.27.14` |`eks-local-outposts.10` -|New platform version with security fixes and enhancements. Updated [.noloc]`Bottlerocket` version to `v1.22.0`. +|New platform version with security fixes and enhancements. Updated Bottlerocket version to `v1.22.0`. |October 22, 2024 |`1.27.14` |`eks-local-outposts.9` -|New platform version with security fixes and enhancements. Updated [.noloc]`Bottlerocket` version to `v1.21.0`. +|New platform version with security fixes and enhancements. Updated Bottlerocket version to `v1.21.0`. |August 27, 2024 |`1.27.14` @@ -198,7 +198,7 @@ The following admission controllers are enabled for all `1.27` platform versions |`1.27.14` |`eks-local-outposts.6` -|New platform version with security fixes and enhancements. kube-proxy updated to `v1.27.14`. {aws} IAM Authenticator updated to `v0.6.20`. Updated [.noloc]`Bottlerocket` version to `v1.20.2`. +|New platform version with security fixes and enhancements. kube-proxy updated to `v1.27.14`. {aws} IAM Authenticator updated to `v0.6.20`. Updated Bottlerocket version to `v1.20.2`. |June 19, 2024 |`1.27.10` @@ -208,7 +208,7 @@ The following admission controllers are enabled for all `1.27` platform versions |`1.27.10` |`eks-local-outposts.4` -|New platform version with security fixes and enhancements. kube-proxy updated to `v1.27.10`. {aws} IAM Authenticator updated to `v0.6.17`. Updated [.noloc]`Bottlerocket` version to `v1.19.2`. +|New platform version with security fixes and enhancements. kube-proxy updated to `v1.27.10`. {aws} IAM Authenticator updated to `v0.6.17`. Updated Bottlerocket version to `v1.19.2`. |March 22, 2024 |`1.27.3` diff --git a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc index 9cfa2046d..c34a3fad7 100644 --- a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc +++ b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc @@ -16,7 +16,7 @@ This topic describes how you can launch Auto Scaling groups of Amazon Linux node * An existing Outpost. For more information, see link:outposts/latest/userguide/what-is-outposts.html[What is {aws} Outposts,type="documentation"]. * An existing Amazon EKS cluster. To deploy a cluster on the {aws} Cloud, see <>. To deploy a cluster on an Outpost, see <>. * Suppose that you're creating your nodes in a cluster on the {aws} Cloud and you have subnets in the {aws} Region where you have {aws} Outposts, {aws} Wavelength, or {aws} Local Zones enabled. Then, those subnets must not have been passed in when you created your cluster. If you're creating your nodes in a cluster on an Outpost, you must have passed in an Outpost subnet when creating your cluster. -* (Recommended for clusters on the {aws} Cloud) The [.noloc]`Amazon VPC CNI plugin for Kubernetes` add-on configured with its own IAM role that has the necessary IAM policy attached to it. For more information, see <>. Local clusters do not support IAM roles for service accounts. +* (Recommended for clusters on the {aws} Cloud) The Amazon VPC CNI plugin for Kubernetes add-on configured with its own IAM role that has the necessary IAM policy attached to it. For more information, see <>. Local clusters do not support IAM roles for service accounts. You can create a self-managed Amazon Linux node group with `eksctl` or the {aws-management-console} (with an {aws} CloudFormation template). You can also use https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest[Terraform]. @@ -31,8 +31,8 @@ You can create a local cluster with the following tools described in this page: . Install version `{eksctl-min-version}` or later of the `eksctl` command line tool installed on your device or {aws} CloudShell. To install or update `eksctl`, see https://eksctl.io/installation[Installation] in the `eksctl` documentation. + -. If your cluster is on the {aws} Cloud and the *AmazonEKS_CNI_Policy* managed IAM policy is attached to your <>, we recommend assigning it to an IAM role that you associate to the [.noloc]`Kubernetes` `aws-node` service account instead. For more information, see <>. If your cluster in on your Outpost, the policy must be attached to your node role. -. The following command creates a node group in an existing cluster. The cluster must have been created using `eksctl`. Replace [.replaceable]`al-nodes` with a name for your node group. The node group name can't be longer than 63 characters. It must start with letter or digit, but can also include hyphens and underscores for the remaining characters. Replace [.replaceable]`my-cluster` with the name of your cluster. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. If your cluster exists on an Outpost, replace [.replaceable]`id` with the ID of an Outpost subnet. If your cluster exists on the {aws} Cloud, replace [.replaceable]`id` with the ID of a subnet that you didn't specify when you created your cluster. Replace [.replaceable]`instance-type` with an instance type supported by your Outpost. Replace the remaining [.replaceable]`example values` with your own values. The nodes are created with the same [.noloc]`Kubernetes` version as the control plane, by default. +. If your cluster is on the {aws} Cloud and the *AmazonEKS_CNI_Policy* managed IAM policy is attached to your <>, we recommend assigning it to an IAM role that you associate to the Kubernetes `aws-node` service account instead. For more information, see <>. If your cluster in on your Outpost, the policy must be attached to your node role. +. The following command creates a node group in an existing cluster. The cluster must have been created using `eksctl`. Replace [.replaceable]`al-nodes` with a name for your node group. The node group name can't be longer than 63 characters. It must start with letter or digit, but can also include hyphens and underscores for the remaining characters. Replace [.replaceable]`my-cluster` with the name of your cluster. The name can contain only alphanumeric characters (case-sensitive) and hyphens. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the {aws} Region and {aws} account that you're creating the cluster in. If your cluster exists on an Outpost, replace [.replaceable]`id` with the ID of an Outpost subnet. If your cluster exists on the {aws} Cloud, replace [.replaceable]`id` with the ID of a subnet that you didn't specify when you created your cluster. Replace [.replaceable]`instance-type` with an instance type supported by your Outpost. Replace the remaining [.replaceable]`example values` with your own values. The nodes are created with the same Kubernetes version as the control plane, by default. + Replace [.replaceable]`instance-type` with an instance type available on your Outpost. + @@ -48,7 +48,7 @@ eksctl create nodegroup --cluster my-cluster --name al-nodes --node-type instanc + If your cluster is deployed on the {aws} Cloud: + -** The node group that you deploy can assign `IPv4` addresses to [.noloc]`Pods` from a different [.noloc]`CIDR` block than that of the instance. For more information, see <>. +** The node group that you deploy can assign `IPv4` addresses to Pods from a different CIDR block than that of the instance. For more information, see <>. ** The node group that you deploy doesn't require outbound internet access. For more information, see <>. + @@ -60,7 +60,7 @@ For a complete list of all available options and defaults, see https://eksctl.io ---- [✔] created 1 nodegroup(s) in cluster "my-cluster" ---- -. (Optional) Deploy a <> to test your cluster and [.noloc]`Linux` nodes. +. (Optional) Deploy a <> to test your cluster and Linux nodes. == {aws-management-console} [[console_create_nodes_outpost]] @@ -93,7 +93,7 @@ The following steps show one operation to retrieve the applicable group. ** *NodeAutoScalingGroupDesiredCapacity*: Enter the desired number of nodes to scale to when your stack is created. ** *NodeAutoScalingGroupMaxSize*: Enter the maximum number of nodes that your node Auto Scaling group can scale out to. ** *NodeInstanceType*: Choose an instance type for your nodes. If your cluster is running on the {aws} Cloud, then for more information, see <>. If your cluster is running on an Outpost, then you can only select an instance type that is available on your Outpost. -** *NodeImageIdSSMParam*: Pre-populated with the Amazon EC2 Systems Manager parameter of a recent Amazon EKS optimized AMI for a variable [.noloc]`Kubernetes` version. To use a different [.noloc]`Kubernetes` minor version supported with Amazon EKS, replace [.replaceable]`1.XX` with a different <>. We recommend specifying the same [.noloc]`Kubernetes` version as your cluster. +** *NodeImageIdSSMParam*: Pre-populated with the Amazon EC2 Systems Manager parameter of a recent Amazon EKS optimized AMI for a variable Kubernetes version. To use a different Kubernetes minor version supported with Amazon EKS, replace [.replaceable]`1.XX` with a different <>. We recommend specifying the same Kubernetes version as your cluster. + To use an Amazon EKS optimized accelerated AMI, replace [.replaceable]`amazon-linux-2` with `amazon-linux-2-gpu`. To use an Amazon EKS optimized Arm AMI, replace [.replaceable]`amazon-linux-2` with `amazon-linux-2-arm64`. + @@ -104,7 +104,7 @@ NOTE: The Amazon EKS node AMIs are based on Amazon Linux. You can track security ** *KeyName*: Enter the name of an Amazon EC2 SSH key pair that you can use to connect using SSH into your nodes with after they launch. If you don't already have an Amazon EC2 key pair, you can create one in the {aws-management-console}. For more information, see link:AWSEC2/latest/UserGuide/ec2-key-pairs.html[Amazon EC2 key pairs,type="documentation"] in the _Amazon EC2 User Guide_. + NOTE: If you don't provide a key pair here, the {aws} CloudFormation stack creation fails. -** *BootstrapArguments*: There are several optional arguments that you can pass to your nodes. For more information, view the https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap script usage information] on [.noloc]`GitHub`. If you're adding nodes to an Amazon EKS Local Cluster on {aws} Outposts (where the [.noloc]`Kubernetes` control plane instances run on {aws} Outposts) and the cluster doesn't have ingress and egress internet connection (also known as private clusters), then you must provide the following bootstrap arguments (as a single line). +** *BootstrapArguments*: There are several optional arguments that you can pass to your nodes. For more information, view the https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap script usage information] on GitHub. If you're adding nodes to an Amazon EKS Local Cluster on {aws} Outposts (where the Kubernetes control plane instances run on {aws} Outposts) and the cluster doesn't have ingress and egress internet connection (also known as private clusters), then you must provide the following bootstrap arguments (as a single line). + [source,bash,subs="verbatim,attributes"] ---- @@ -122,7 +122,7 @@ echo "CLUSTER_ID=$(aws eks describe-cluster --name cluster-name --region region ---- -** *DisableIMDSv1*: By default, each node supports the Instance Metadata Service Version 1 (IMDSv1) and IMDSv2. You can disable IMDSv1. To prevent future nodes and [.noloc]`Pods` in the node group from using IMDSv1, set *DisableIMDSv1* to *true*. For more information about IMDS, see link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html[Configuring the instance metadata service,type="documentation"]. For more information about restricting access to it on your nodes, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. +** *DisableIMDSv1*: By default, each node supports the Instance Metadata Service Version 1 (IMDSv1) and IMDSv2. You can disable IMDSv1. To prevent future nodes and Pods in the node group from using IMDSv1, set *DisableIMDSv1* to *true*. For more information about IMDS, see link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html[Configuring the instance metadata service,type="documentation"]. For more information about restricting access to it on your nodes, see https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node[Restrict access to the instance profile assigned to the worker node]. ** *VpcId*: Enter the ID for the <> that you created. Before choosing a VPC, review <>. ** *Subnets*: If your cluster is on an Outpost, then choose at least one private subnet in your VPC. Before choosing subnets, review <>. You can see which subnets are private by opening each subnet link from the *Networking* tab of your cluster. . Select your desired choices on the *Configure stack options* page, and then choose *Next*. @@ -222,7 +222,7 @@ EOF ---- kubectl apply -f gp2-storage-class.yaml ---- -. (GPU nodes only) If you chose a GPU instance type and an Amazon EKS optimized accelerated AMI, you must apply the https://github.com/NVIDIA/k8s-device-plugin[NVIDIA device plugin for Kubernetes] as a [.noloc]`DaemonSet` on your cluster. Replace [.replaceable]`vX.X.X` with your desired https://github.com/NVIDIA/k8s-device-plugin/releases[NVIDIA/k8s-device-plugin] version before running the following command. +. (GPU nodes only) If you chose a GPU instance type and an Amazon EKS optimized accelerated AMI, you must apply the https://github.com/NVIDIA/k8s-device-plugin[NVIDIA device plugin for Kubernetes] as a DaemonSet on your cluster. Replace [.replaceable]`vX.X.X` with your desired https://github.com/NVIDIA/k8s-device-plugin/releases[NVIDIA/k8s-device-plugin] version before running the following command. + [source,bash,subs="verbatim,attributes"] ---- @@ -231,5 +231,5 @@ kubectl apply -f https://raw.githubusercontent.com/NVIDIA/k8s-device-plugin/vX.X *Step3: Additional actions* -. (Optional) Deploy a <> to test your cluster and [.noloc]`Linux` nodes. -. If your cluster is deployed on an Outpost, then skip this step. If your cluster is deployed on the {aws} Cloud, the following information is optional. If the *AmazonEKS_CNI_Policy* managed IAM policy is attached to your <>, we recommend assigning it to an IAM role that you associate to the [.noloc]`Kubernetes` `aws-node` service account instead. For more information, see <>. \ No newline at end of file +. (Optional) Deploy a <> to test your cluster and Linux nodes. +. If your cluster is deployed on an Outpost, then skip this step. If your cluster is deployed on the {aws} Cloud, the following information is optional. If the *AmazonEKS_CNI_Policy* managed IAM policy is attached to your <>, we recommend assigning it to an IAM role that you associate to the Kubernetes `aws-node` service account instead. For more information, see <>. \ No newline at end of file diff --git a/latest/ug/outposts/eks-outposts-troubleshooting.adoc b/latest/ug/outposts/eks-outposts-troubleshooting.adoc index b0ea37462..4e08bc1bc 100644 --- a/latest/ug/outposts/eks-outposts-troubleshooting.adoc +++ b/latest/ug/outposts/eks-outposts-troubleshooting.adoc @@ -26,7 +26,7 @@ Never terminate any managed EKS local cluster `Kubernetes` control-plane instanc [%collapsible] ==== -Local clusters are created through the Amazon EKS API, but are run in an asynchronous manner. This means that requests to the Amazon EKS API return immediately for local clusters. However, these requests might succeed, fail fast because of input validation errors, or fail and have descriptive validation errors. This behavior is similar to the [.noloc]`Kubernetes` API. +Local clusters are created through the Amazon EKS API, but are run in an asynchronous manner. This means that requests to the Amazon EKS API return immediately for local clusters. However, these requests might succeed, fail fast because of input validation errors, or fail and have descriptive validation errors. This behavior is similar to the Kubernetes API. Local clusters don't transition to a `FAILED` status. Amazon EKS attempts to reconcile the cluster state with the user-requested desired state in a continuous manner. As a result, a local cluster might remain in the `CREATING` state for an extended period of time until the underlying issue is resolved. ==== @@ -242,13 +242,13 @@ Review <>. +Amazon EKS automatically updates all existing local clusters to the latest platform versions for their corresponding Kubernetes minor version. For more information about platform versions, please refer to <>. -During an automatic platform-version rollout a cluster status changes to `UPDATING`. The update process consists of the replacement of all [.noloc]`Kubernetes` control-plane instances with new ones containing the latest security pathces and bugfixes released for the respective [.noloc]`Kubernetes` minor version. In general, a local cluster platform update process completes within less than 30 minutes and the cluster changes back to `ACTIVE` status. If a local cluster remains in the `UPDATING` state for an extended period of time, you may call `describe-cluster` to check for information about the cause in the `cluster.health` output field. +During an automatic platform-version rollout a cluster status changes to `UPDATING`. The update process consists of the replacement of all Kubernetes control-plane instances with new ones containing the latest security pathces and bugfixes released for the respective Kubernetes minor version. In general, a local cluster platform update process completes within less than 30 minutes and the cluster changes back to `ACTIVE` status. If a local cluster remains in the `UPDATING` state for an extended period of time, you may call `describe-cluster` to check for information about the cause in the `cluster.health` output field. -Amazon EKS ensures at least 2 out of 3 [.noloc]`Kubernetes` control-plane instances are healthy and operational cluster nodes in order to maintain the local cluster availability and prevent service interruption. If a local cluster is stalled in `UPDATING` state it is usually because there is some infrastructure or configuration issue preventing the two-instances minimum availability to be guaranteed in case the process continues. So the update process stops progressing to protect the local cluster service interruption. +Amazon EKS ensures at least 2 out of 3 Kubernetes control-plane instances are healthy and operational cluster nodes in order to maintain the local cluster availability and prevent service interruption. If a local cluster is stalled in `UPDATING` state it is usually because there is some infrastructure or configuration issue preventing the two-instances minimum availability to be guaranteed in case the process continues. So the update process stops progressing to protect the local cluster service interruption. -It is important to troubleshoot a local cluster stuck in `UPDATING` status and address the root-cause so that the update process can complete and restore the local cluster back to `ACTIVE` with the high-availability of 3 [.noloc]`Kubernetes` control-plane instances. +It is important to troubleshoot a local cluster stuck in `UPDATING` status and address the root-cause so that the update process can complete and restore the local cluster back to `ACTIVE` with the high-availability of 3 Kubernetes control-plane instances. Do not terminate any managed EKS local cluster `Kubernetes` instances on Outposts unless explicitly instructed by {aws} Support. This is specially important for local clusters stuck in `UPDATING` state because there's a high probability that another control-plane nodes is not completely healthy and terminating the wrong instance could cause service interruption and risk local-cluster data loss. @@ -260,7 +260,7 @@ The most common issues are the following: * New control plane instances fail to be created due to KMS key permissions for EBS volumes. With user managed KMS keys for encrypted EBS volumes, the control plane instances will terminate if the key is not accessible. If the instances are terminated, either switch to an {aws} managed KMS key or ensure that your user managed key policy grants the necessary permissions to the cluster role. * Systems Manager control plane instances might have lost internet access. Check if the subnet that was provided when you created the cluster has a NAT gateway and a VPC with an internet gateway. Use VPC reachability analyzer to verify that the control plane instance can reach the internet gateway. For more information, see link:vpc/latest/reachability/getting-started.html[Getting started with VPC Reachability Analyzer,type="documentation"]. If your private networks don't have outbound internet connection, ensure that all the required VPC endpoints and gateway endpoint are still present in the Regional subnet from your cluster (see <>). * The role ARN that you provided is missing policies. Check if the <> was not removed from the role. -* One of the new [.noloc]`Kubernetes` control-plane instances may have experienced an unexpected bootstrapping failure. Please file a ticket with link:support/home[{aws} Support Center,type="console"] for further guidance on troubleshooting and log-collection in this exceptional case. +* One of the new Kubernetes control-plane instances may have experienced an unexpected bootstrapping failure. Please file a ticket with link:support/home[{aws} Support Center,type="console"] for further guidance on troubleshooting and log-collection in this exceptional case. ==== @@ -276,10 +276,10 @@ The most common issues are the following: * Missing the {aws} IAM Authenticator `ConfigMap` – If it's missing, you must create it. For more information, see <> . * The wrong security group is used – Make sure to use `eks-cluster-sg-[.replaceable]``cluster-name``-[.replaceable]``uniqueid``` for your worker nodes' security group. The selected security group is changed by {aws} CloudFormation to allow a new security group each time the stack is used. * Following unexpected private link VPC steps – Wrong CA data (`--b64-cluster-ca`) or API Endpoint (`--apiserver-endpoint`) are passed. -* Misconfigured [.noloc]`Pod` security policy: +* Misconfigured Pod security policy: + -** The [.noloc]`CoreDNS` and [.noloc]`Amazon VPC CNI plugin for Kubernetes` Daemonsets must run on nodes for nodes to join and communicate with the cluster. -** The [.noloc]`Amazon VPC CNI plugin for Kubernetes` requires some privileged networking features to work properly. You can view the privileged networking features with the following command: `kubectl describe psp eks.privileged`. +** The CoreDNS and Amazon VPC CNI plugin for Kubernetes Daemonsets must run on nodes for nodes to join and communicate with the cluster. +** The Amazon VPC CNI plugin for Kubernetes requires some privileged networking features to work properly. You can view the privileged networking features with the following command: `kubectl describe psp eks.privileged`. + We don't recommend modifying the default pod security policy. For more information, see <>. @@ -291,7 +291,7 @@ We don't recommend modifying the default pod security policy. For more informati [%collapsible] ==== -When an Outpost gets disconnected from the {aws} Region that it's associated with, the [.noloc]`Kubernetes` cluster likely will continue working normally. However, if the cluster doesn't work properly, follow the troubleshooting steps in <>. If you encounter other issues, contact {aws} Support. {aws} Support can guide you on downloading and running a log collection tool. That way, you can collect logs from your [.noloc]`Kubernetes` cluster control plane instances and send them to {aws} Support support for further investigation. +When an Outpost gets disconnected from the {aws} Region that it's associated with, the Kubernetes cluster likely will continue working normally. However, if the cluster doesn't work properly, follow the troubleshooting steps in <>. If you encounter other issues, contact {aws} Support. {aws} Support can guide you on downloading and running a log collection tool. That way, you can collect logs from your Kubernetes cluster control plane instances and send them to {aws} Support support for further investigation. ==== [#outposts-troubleshooting-control-plane-instances-ssm] diff --git a/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc b/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc index 483b71606..f13a8b106 100644 --- a/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc +++ b/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc @@ -19,7 +19,7 @@ When you create a local cluster, the VPC that you specify must meet the followin -* Make sure that the VPC has enough IP addresses for the local cluster, any nodes, and other [.noloc]`Kubernetes` resources that you want to create. If the VPC that you want to use doesn't have enough IP addresses, increase the number of available IP addresses. You can do this by link:vpc/latest/userguide/working-with-vpcs.html#add-ipv4-cidr[associating additional Classless Inter-Domain Routing (CIDR) blocks,type="documentation"] with your VPC. You can associate private (RFC 1918) and public (non-RFC 1918) CIDR blocks to your VPC either before or after you create your cluster. It can take a cluster up to 5 hours for a CIDR block that you associated with a VPC to be recognized. +* Make sure that the VPC has enough IP addresses for the local cluster, any nodes, and other Kubernetes resources that you want to create. If the VPC that you want to use doesn't have enough IP addresses, increase the number of available IP addresses. You can do this by link:vpc/latest/userguide/working-with-vpcs.html#add-ipv4-cidr[associating additional Classless Inter-Domain Routing (CIDR) blocks,type="documentation"] with your VPC. You can associate private (RFC 1918) and public (non-RFC 1918) CIDR blocks to your VPC either before or after you create your cluster. It can take a cluster up to 5 hours for a CIDR block that you associated with a VPC to be recognized. * The VPC can't have assigned IP prefixes or IPv6 CIDR blocks. Because of these constraints, the information that's covered in <> and <> isn't applicable to your VPC. * The VPC has a DNS hostname and DNS resolution enabled. Without these features, the local cluster fails to create, and you need to enable the features and recreate your cluster. For more information, see link:vpc/latest/userguide/vpc-dns.html[DNS attributes for your VPC,type="documentation"] in the Amazon VPC User Guide. * To access your local cluster over your local network, the VPC must be associated with your Outpost's local gateway route table. For more information, see link:outposts/latest/userguide/outposts-local-gateways.html#vpc-associations[VPC associations,type="documentation"] in the {aws} Outposts User Guide. @@ -28,13 +28,13 @@ When you create a local cluster, the VPC that you specify must meet the followin [#outposts-subnet-requirements] == Subnet requirements and considerations -When you create the cluster, specify at least one private subnet. If you specify more than one subnet, the [.noloc]`Kubernetes` control plane instances are evenly distributed across the subnets. If more than one subnet is specified, the subnets must exist on the same Outpost. Moreover, the subnets must also have proper routes and security group permissions to communicate with each other. When you create a local cluster, the subnets that you specify must meet the following requirements: +When you create the cluster, specify at least one private subnet. If you specify more than one subnet, the Kubernetes control plane instances are evenly distributed across the subnets. If more than one subnet is specified, the subnets must exist on the same Outpost. Moreover, the subnets must also have proper routes and security group permissions to communicate with each other. When you create a local cluster, the subnets that you specify must meet the following requirements: * The subnets are all on the same logical Outpost. -* The subnets together have at least three available IP addresses for the [.noloc]`Kubernetes` control plane instances. If three subnets are specified, each subnet must have at least one available IP address. If two subnets are specified, each subnet must have at least two available IP addresses. If one subnet is specified, the subnet must have at least three available IP addresses. -* The subnets have a route to the Outpost rack's link:outposts/latest/userguide/outposts-local-gateways.html[local gateway,type="documentation"] to access the [.noloc]`Kubernetes` API server over your local network. If the subnets don't have a route to the Outpost rack's local gateway, you must communicate with your [.noloc]`Kubernetes` API server from within the VPC. +* The subnets together have at least three available IP addresses for the Kubernetes control plane instances. If three subnets are specified, each subnet must have at least one available IP address. If two subnets are specified, each subnet must have at least two available IP addresses. If one subnet is specified, the subnet must have at least three available IP addresses. +* The subnets have a route to the Outpost rack's link:outposts/latest/userguide/outposts-local-gateways.html[local gateway,type="documentation"] to access the Kubernetes API server over your local network. If the subnets don't have a route to the Outpost rack's local gateway, you must communicate with your Kubernetes API server from within the VPC. * The subnets must use IP address-based naming. Amazon EC2 link:AWSEC2/latest/UserGuide/ec2-instance-naming.html#instance-naming-rbn[resource-based naming,type="documentation"] isn't supported by Amazon EKS. @@ -98,7 +98,7 @@ The endpoints must meet the following requirements: * Have private DNS names enabled * Have an attached security group that permits inbound HTTPS traffic from the CIDR range of the private outpost subnet. -Creating endpoints incurs charges. For more information, see link:privatelink/pricing/[{aws} PrivateLink pricing,type="marketing"]. If your [.noloc]`Pods` need access to other {aws} services, then you need to create additional endpoints. For a comprehensive list of endpoints, see link:vpc/latest/privatelink/aws-services-privatelink-support.html[{aws} services that integrate with {aws} PrivateLink,type="documentation"]. +Creating endpoints incurs charges. For more information, see link:privatelink/pricing/[{aws} PrivateLink pricing,type="marketing"]. If your Pods need access to other {aws} services, then you need to create additional endpoints. For a comprehensive list of endpoints, see link:vpc/latest/privatelink/aws-services-privatelink-support.html[{aws} services that integrate with {aws} PrivateLink,type="documentation"]. [#outposts-create-vpc] == Create a VPC diff --git a/latest/ug/outposts/eks-outposts.adoc b/latest/ug/outposts/eks-outposts.adoc index ec8d57ddd..593b94324 100644 --- a/latest/ug/outposts/eks-outposts.adoc +++ b/latest/ug/outposts/eks-outposts.adoc @@ -14,17 +14,17 @@ include::../attributes.txt[] [abstract] -- -Learn to deploy Amazon EKS on {aws} Outposts for local or extended clusters to run on-premises [.noloc]`Kubernetes` applications with a fully managed control plane. +Learn to deploy Amazon EKS on {aws} Outposts for local or extended clusters to run on-premises Kubernetes applications with a fully managed control plane. -- -You can use Amazon EKS to run on-premises [.noloc]`Kubernetes` applications on {aws} Outposts. You can deploy Amazon EKS on Outposts in the following ways: +You can use Amazon EKS to run on-premises Kubernetes applications on {aws} Outposts. You can deploy Amazon EKS on Outposts in the following ways: -* *Extended clusters* – Run the [.noloc]`Kubernetes` control plane in an {aws} Region and nodes on your Outpost. -* *Local clusters* – Run the [.noloc]`Kubernetes` control plane and nodes on your Outpost. +* *Extended clusters* – Run the Kubernetes control plane in an {aws} Region and nodes on your Outpost. +* *Local clusters* – Run the Kubernetes control plane and nodes on your Outpost. -For both deployment options, the [.noloc]`Kubernetes` control plane is fully managed by {aws}. You can use the same Amazon EKS APIs, tools, and console that you use in the cloud to create and run Amazon EKS on Outposts. +For both deployment options, the Kubernetes control plane is fully managed by {aws}. You can use the same Amazon EKS APIs, tools, and console that you use in the cloud to create and run Amazon EKS on Outposts. The following diagram shows these deployment options. @@ -40,7 +40,7 @@ Both local and extended clusters are general-purpose deployment options and can With local clusters, you can run the entire Amazon EKS cluster locally on Outposts. This option can mitigate the risk of application downtime that might result from temporary network disconnects to the cloud. These network disconnects can be caused by fiber cuts or weather events. Because the entire Amazon EKS cluster runs locally on Outposts, applications remain available. You can perform cluster operations during network disconnects to the cloud. For more information, see <>. If you're concerned about the quality of the network connection from your Outposts to the parent {aws} Region and require high availability through network disconnects, use the local cluster deployment option. -With extended clusters, you can conserve capacity on your Outpost because the [.noloc]`Kubernetes` control plane runs in the parent {aws} Region. This option is suitable if you can invest in reliable, redundant network connectivity from your Outpost to the {aws} Region. The quality of the network connection is critical for this option. The way that [.noloc]`Kubernetes` handles network disconnects between the [.noloc]`Kubernetes` control plane and nodes might lead to application downtime. For more information on the behavior of [.noloc]`Kubernetes`, see https://kubernetes.io/docs/concepts/scheduling-eviction/[Scheduling, Preemption, and Eviction] in the [.noloc]`Kubernetes` documentation. +With extended clusters, you can conserve capacity on your Outpost because the Kubernetes control plane runs in the parent {aws} Region. This option is suitable if you can invest in reliable, redundant network connectivity from your Outpost to the {aws} Region. The quality of the network connection is critical for this option. The way that Kubernetes handles network disconnects between the Kubernetes control plane and nodes might lead to application downtime. For more information on the behavior of Kubernetes, see https://kubernetes.io/docs/concepts/scheduling-eviction/[Scheduling, Preemption, and Eviction] in the Kubernetes documentation. [#outposts-overview-comparing-deployment-options] == Comparing the deployment options @@ -54,11 +54,11 @@ The following table compares the differences between the two options. |Local cluster -|[.noloc]`Kubernetes` control plane location +|Kubernetes control plane location |{aws} Region |Outpost -|[.noloc]`Kubernetes` control plane account +|Kubernetes control plane account |{aws} account |Your account @@ -94,8 +94,8 @@ The following table compares the differences between the two options. |Public or private or both |Private only -|[.noloc]`Kubernetes` API server authentication -|{aws} Identity and Access Management (IAM) and [.noloc]`OIDC` +|Kubernetes API server authentication +|{aws} Identity and Access Management (IAM) and OIDC |IAM and `x.509` certificates |Node types @@ -123,8 +123,8 @@ The following table compares the differences between the two options. |Self-managed add-ons only |Default Container Network Interface -|[.noloc]`Amazon VPC CNI plugin for Kubernetes` -|[.noloc]`Amazon VPC CNI plugin for Kubernetes` +|Amazon VPC CNI plugin for Kubernetes +|Amazon VPC CNI plugin for Kubernetes |Kubernetes control plane logs |Amazon CloudWatch Logs diff --git a/latest/ug/related-projects.adoc b/latest/ug/related-projects.adoc index f48fc80e1..24416bd1b 100644 --- a/latest/ug/related-projects.adoc +++ b/latest/ug/related-projects.adoc @@ -16,7 +16,7 @@ include::attributes.txt[] Learn how to use open source projects to add features to Amazon EKS for management, networking, machine learning, auto-scaling, monitoring, and CI/CD. -- -These open-source projects extend the functionality of [.noloc]`Kubernetes` clusters running on or outside of {aws}, including clusters managed by Amazon EKS. +These open-source projects extend the functionality of Kubernetes clusters running on or outside of {aws}, including clusters managed by Amazon EKS. [#oss-scope] == Support for software deployed to EKS @@ -39,7 +39,7 @@ Every EKS add-ons, irrespective of the type, receives basic lifecycle support fr [#related-management-tools] == Management tools -Related management tools for Amazon EKS and [.noloc]`Kubernetes` clusters. +Related management tools for Amazon EKS and Kubernetes clusters. [#related-eksctl] === eksctl @@ -54,9 +54,9 @@ Related management tools for Amazon EKS and [.noloc]`Kubernetes` clusters. [#related-aws-controllers] -=== {aws} controllers for [.noloc]`Kubernetes` +=== {aws} controllers for Kubernetes -With {aws} Controllers for [.noloc]`Kubernetes`, you can create and manage {aws} resources directly from your [.noloc]`Kubernetes` cluster. +With {aws} Controllers for Kubernetes, you can create and manage {aws} resources directly from your Kubernetes cluster. @@ -67,7 +67,7 @@ With {aws} Controllers for [.noloc]`Kubernetes`, you can create and manage {aws} [#related-flux-cd] === Flux CD -Flux is a tool that you can use to manage your cluster configuration using Git. It uses an operator in the cluster to trigger deployments inside of [.noloc]`Kubernetes`. For more information about operators, see https://operatorhub.io/[OperatorHub.io] on [.noloc]`GitHub`. +Flux is a tool that you can use to manage your cluster configuration using Git. It uses an operator in the cluster to trigger deployments inside of Kubernetes. For more information about operators, see https://operatorhub.io/[OperatorHub.io] on GitHub. @@ -76,9 +76,9 @@ Flux is a tool that you can use to manage your cluster configuration using Git. [#related-cdk] -=== CDK for [.noloc]`Kubernetes` +=== CDK for Kubernetes -With the CDK for [.noloc]`Kubernetes` (cdk8s), you can define [.noloc]`Kubernetes` apps and components using familiar programming languages. cdk8s apps synthesize into standard [.noloc]`Kubernetes` manifests, which can be applied to any [.noloc]`Kubernetes` cluster. +With the CDK for Kubernetes (cdk8s), you can define Kubernetes apps and components using familiar programming languages. cdk8s apps synthesize into standard Kubernetes manifests, which can be applied to any Kubernetes cluster. @@ -90,12 +90,12 @@ With the CDK for [.noloc]`Kubernetes` (cdk8s), you can define [.noloc]`Kubernete [#related-networking] == Networking -Related networking projects for Amazon EKS and [.noloc]`Kubernetes` clusters. +Related networking projects for Amazon EKS and Kubernetes clusters. [#related-vpc-cni-k8s] -=== [.noloc]`Amazon VPC CNI plugin for Kubernetes` +=== Amazon VPC CNI plugin for Kubernetes -Amazon EKS supports native VPC networking through the [.noloc]`Amazon VPC CNI plugin for Kubernetes`. The plugin assigns an IP address from your VPC to each [.noloc]`Pod`. +Amazon EKS supports native VPC networking through the Amazon VPC CNI plugin for Kubernetes. The plugin assigns an IP address from your VPC to each Pod. @@ -104,9 +104,9 @@ Amazon EKS supports native VPC networking through the [.noloc]`Amazon VPC CNI pl [#related-alb-ingress-controller] -=== [.noloc]`{aws} Load Balancer Controller` for [.noloc]`Kubernetes` +=== {aws} Load Balancer Controller for Kubernetes -The [.noloc]`{aws} Load Balancer Controller` helps manage {aws} Elastic Load Balancers for a [.noloc]`Kubernetes` cluster. It satisfies [.noloc]`Kubernetes` Ingress resources by provisioning {aws} Application Load Balancers. It satisfies [.noloc]`Kubernetes` service resources by provisioning {aws} Network Load Balancers. +The {aws} Load Balancer Controller helps manage {aws} Elastic Load Balancers for a Kubernetes cluster. It satisfies Kubernetes Ingress resources by provisioning {aws} Application Load Balancers. It satisfies Kubernetes service resources by provisioning {aws} Network Load Balancers. @@ -117,7 +117,7 @@ The [.noloc]`{aws} Load Balancer Controller` helps manage {aws} Elastic Load Bal [#related-externaldns] === ExternalDNS -ExternalDNS synchronizes exposed [.noloc]`Kubernetes` services and ingresses with DNS providers including Amazon Route 53 and {aws} Service Discovery. +ExternalDNS synchronizes exposed Kubernetes services and ingresses with DNS providers including Amazon Route 53 and {aws} Service Discovery. @@ -128,12 +128,12 @@ ExternalDNS synchronizes exposed [.noloc]`Kubernetes` services and ingresses wit [#related-machine-learning] == Machine learning -Related machine learning projects for Amazon EKS and [.noloc]`Kubernetes` clusters. +Related machine learning projects for Amazon EKS and Kubernetes clusters. [#related-kubeflow] === Kubeflow -A machine learning toolkit for [.noloc]`Kubernetes`. +A machine learning toolkit for Kubernetes. @@ -145,12 +145,12 @@ A machine learning toolkit for [.noloc]`Kubernetes`. [#related-auto-scaling] == Auto Scaling -Related auto scaling projects for Amazon EKS and [.noloc]`Kubernetes` clusters. +Related auto scaling projects for Amazon EKS and Kubernetes clusters. [#related-cluster-autoscaler] === Cluster autoscaler -Cluster Autoscaler is a tool that automatically adjusts the size of the [.noloc]`Kubernetes` cluster based on CPU and memory pressure. +Cluster Autoscaler is a tool that automatically adjusts the size of the Kubernetes cluster based on CPU and memory pressure. @@ -162,7 +162,7 @@ Cluster Autoscaler is a tool that automatically adjusts the size of the [.noloc] [#related-karpenter] === Karpenter -Karpenter is a [.noloc]`Kubernetes` Node Autoscaler built for flexibility, performance, and simplicity. +Karpenter is a Kubernetes Node Autoscaler built for flexibility, performance, and simplicity. @@ -174,7 +174,7 @@ Karpenter is a [.noloc]`Kubernetes` Node Autoscaler built for flexibility, perfo [#related-escalator] === Escalator -Escalator is a batch or job optimized horizontal autoscaler for [.noloc]`Kubernetes`. +Escalator is a batch or job optimized horizontal autoscaler for Kubernetes. @@ -185,12 +185,12 @@ Escalator is a batch or job optimized horizontal autoscaler for [.noloc]`Kuberne [#related-monitoring] == Monitoring -Related monitoring projects for Amazon EKS and [.noloc]`Kubernetes` clusters. +Related monitoring projects for Amazon EKS and Kubernetes clusters. [#related-prometheus] -=== [.noloc]`Prometheus` +=== Prometheus -[.noloc]`Prometheus` is an open-source systems monitoring and alerting toolkit. +Prometheus is an open-source systems monitoring and alerting toolkit. @@ -202,12 +202,12 @@ Related monitoring projects for Amazon EKS and [.noloc]`Kubernetes` clusters. [#related-cicd] == Continuous integration / continuous deployment -Related CI/CD projects for Amazon EKS and [.noloc]`Kubernetes` clusters. +Related CI/CD projects for Amazon EKS and Kubernetes clusters. [#related-jenkinsx] === Jenkins X -CI/CD solution for modern cloud applications on Amazon EKS and [.noloc]`Kubernetes` clusters. +CI/CD solution for modern cloud applications on Amazon EKS and Kubernetes clusters. diff --git a/latest/ug/roadmap.adoc b/latest/ug/roadmap.adoc index 7c6a551e9..e0491c3dd 100644 --- a/latest/ug/roadmap.adoc +++ b/latest/ug/roadmap.adoc @@ -17,4 +17,4 @@ include::attributes.txt[] Follow the What's New feed and public roadmap to help plan for new and future Amazon EKS developments. -- -You can learn about new Amazon EKS features by scrolling to the What's New feed on the link:new/?whats-new-content-all.sort-by=item.additionalFields.postDateTime&whats-new-content-all.sort-order=desc&awsf.whats-new-compute=*all&awsf.whats-new-containers=general-products%23amazon-eks[What's New with {aws},type="marketing"] page. You can also review the https://github.com/aws/containers-roadmap/projects/1?card_filter_query=eks[roadmap] on [.noloc]`GitHub`, which lets you know about upcoming features and priorities so that you can plan how you want to use Amazon EKS in the future. You can provide direct feedback to us about the roadmap priorities. \ No newline at end of file +You can learn about new Amazon EKS features by scrolling to the What's New feed on the link:new/?whats-new-content-all.sort-by=item.additionalFields.postDateTime&whats-new-content-all.sort-order=desc&awsf.whats-new-compute=*all&awsf.whats-new-containers=general-products%23amazon-eks[What's New with {aws},type="marketing"] page. You can also review the https://github.com/aws/containers-roadmap/projects/1?card_filter_query=eks[roadmap] on GitHub, which lets you know about upcoming features and priorities so that you can plan how you want to use Amazon EKS in the future. You can provide direct feedback to us about the roadmap priorities. \ No newline at end of file diff --git a/latest/ug/security/cert-signing.adoc b/latest/ug/security/cert-signing.adoc index a66cc2e5b..cda8868ec 100644 --- a/latest/ug/security/cert-signing.adoc +++ b/latest/ug/security/cert-signing.adoc @@ -1,6 +1,6 @@ [.topic] [#cert-signing] -= Secure workloads with [.noloc]`Kubernetes` certificates += Secure workloads with Kubernetes certificates :info_titleabbrev: Certificate signing include::../attributes.txt[] @@ -10,15 +10,15 @@ include::../attributes.txt[] Learn how to request and obtain X.509 certificates from the Certificate Authority (CA) using Certificate Signing Requests (CSRs) in Amazon EKS, including details on migrating from legacy signers, generating CSRs, approving requests, and handling certificate signing considerations before upgrading to Kubernetes 1.24. -- -The [.noloc]`Kubernetes` Certificates API automates https://www.itu.int/rec/T-REC-X.509[X.509] credential provisioning. The API features a command line interface for [.noloc]`Kubernetes` API clients to request and obtain https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/[X.509 certificates] from a Certificate Authority (CA). You can use the `CertificateSigningRequest` (CSR) resource to request that a denoted signer sign the certificate. Your requests are either approved or denied before they're signed. [.noloc]`Kubernetes` supports both built-in signers and custom signers with well-defined behaviors. This way, clients can predict what happens to their CSRs. To learn more about certificate signing, see https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/[signing requests]. +The Kubernetes Certificates API automates https://www.itu.int/rec/T-REC-X.509[X.509] credential provisioning. The API features a command line interface for Kubernetes API clients to request and obtain https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/[X.509 certificates] from a Certificate Authority (CA). You can use the `CertificateSigningRequest` (CSR) resource to request that a denoted signer sign the certificate. Your requests are either approved or denied before they're signed. Kubernetes supports both built-in signers and custom signers with well-defined behaviors. This way, clients can predict what happens to their CSRs. To learn more about certificate signing, see https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/[signing requests]. One of the built-in signers is `kubernetes.io/legacy-unknown`. The `v1beta1` API of CSR resource honored this legacy-unknown signer. However, the stable `v1` API of CSR doesn't allow the `signerName` to be set to `kubernetes.io/legacy-unknown`. -Amazon EKS version `1.21` and earlier allowed the `legacy-unknown` value as the `signerName` in `v1beta1` CSR API. This API enables the Amazon EKS Certificate Authority (CA) to generate certificates. However, in [.noloc]`Kubernetes` version `1.22`, the `v1beta1` CSR API was replaced by the `v1` CSR API. This API doesn't support the signerName of "`legacy-unknown.`" If you want to use Amazon EKS CA for generating certificates on your clusters, you must use a custom signer. It was introduced in Amazon EKS version `1.22`. To use the CSR `v1` API version and generate a new certificate, you must migrate any existing manifests and API clients. Existing certificates that were created with the existing `v1beta1` API are valid and function until the certificate expires. This includes the following: +Amazon EKS version `1.21` and earlier allowed the `legacy-unknown` value as the `signerName` in `v1beta1` CSR API. This API enables the Amazon EKS Certificate Authority (CA) to generate certificates. However, in Kubernetes version `1.22`, the `v1beta1` CSR API was replaced by the `v1` CSR API. This API doesn't support the signerName of "`legacy-unknown.`" If you want to use Amazon EKS CA for generating certificates on your clusters, you must use a custom signer. It was introduced in Amazon EKS version `1.22`. To use the CSR `v1` API version and generate a new certificate, you must migrate any existing manifests and API clients. Existing certificates that were created with the existing `v1beta1` API are valid and function until the certificate expires. This includes the following: -* Trust distribution: None. There's no standard trust or distribution for this signer in a [.noloc]`Kubernetes` cluster. +* Trust distribution: None. There's no standard trust or distribution for this signer in a Kubernetes cluster. * Permitted subjects: Any * Permitted x509 extensions: Honors subjectAltName and key usage extensions and discards other extensions * Permitted key usages: Must not include usages beyond ["key encipherment", "digital signature", "server auth"] @@ -105,9 +105,9 @@ kubectl get csr myserver -o jsonpath='{.status.certificate}'| base64 -d > myserv [#csr-considerations] -== Certificate signing considerations before upgrading your cluster to [.noloc]`Kubernetes` 1.24 +== Certificate signing considerations before upgrading your cluster to Kubernetes 1.24 -In [.noloc]`Kubernetes` `1.23` and earlier, `kubelet` serving certificates with unverifiable IP and DNS Subject Alternative Names (SANs) are automatically issued with unverifiable SANs. The SANs are omitted from the provisioned certificate. In `1.24` and later clusters, `kubelet` serving certificates aren't issued if a SAN can't be verified. This prevents the `kubectl exec` and `kubectl logs` commands from working. +In Kubernetes `1.23` and earlier, `kubelet` serving certificates with unverifiable IP and DNS Subject Alternative Names (SANs) are automatically issued with unverifiable SANs. The SANs are omitted from the provisioned certificate. In `1.24` and later clusters, `kubelet` serving certificates aren't issued if a SAN can't be verified. This prevents the `kubectl exec` and `kubectl logs` commands from working. Before upgrading your cluster to `1.24`, determine whether your cluster has certificate signing requests (CSR) that haven't been approved by completing the following steps: diff --git a/latest/ug/security/configuration-vulnerability-analysis.adoc b/latest/ug/security/configuration-vulnerability-analysis.adoc index 9e8c87b3d..dab61a383 100644 --- a/latest/ug/security/configuration-vulnerability-analysis.adoc +++ b/latest/ug/security/configuration-vulnerability-analysis.adoc @@ -10,17 +10,17 @@ include::../attributes.txt[] Learn how to analyze the security configuration and vulnerabilities of your Amazon EKS clusters and resources using tools like the CIS EKS Benchmark, platform versions, vulnerability lists, Amazon Inspector, and Amazon GuardDuty for comprehensive threat detection and protection. -- -Security is a critical consideration for configuring and maintaining [.noloc]`Kubernetes` clusters and applications. The following lists resources for you to analyze the security configuration of your EKS clusters, resources for you to check for vulnerabilities, and integrations with {aws} services that can do that analysis for you. +Security is a critical consideration for configuring and maintaining Kubernetes clusters and applications. The following lists resources for you to analyze the security configuration of your EKS clusters, resources for you to check for vulnerabilities, and integrations with {aws} services that can do that analysis for you. [#configuration-vulnerability-analysis-cis] == The Center for Internet Security (CIS) benchmark for Amazon EKS The https://www.cisecurity.org/benchmark/kubernetes/[Center for Internet Security (CIS) Kubernetes Benchmark] provides guidance for Amazon EKS security configurations. The benchmark: -* Is applicable to Amazon EC2 nodes (both managed and self-managed) where you are responsible for security configurations of [.noloc]`Kubernetes` components. -* Provides a standard, community-approved way to ensure that you have configured your [.noloc]`Kubernetes` cluster and nodes securely when using Amazon EKS. +* Is applicable to Amazon EC2 nodes (both managed and self-managed) where you are responsible for security configurations of Kubernetes components. +* Provides a standard, community-approved way to ensure that you have configured your Kubernetes cluster and nodes securely when using Amazon EKS. * Consists of four sections; control plane logging configuration, node security configurations, policies, and managed services. -* Supports all of the [.noloc]`Kubernetes` versions currently available in Amazon EKS and can be run using https://github.com/aquasecurity/kube-bench[kube-bench], a standard open source tool for checking configuration using the CIS benchmark on [.noloc]`Kubernetes` clusters. +* Supports all of the Kubernetes versions currently available in Amazon EKS and can be run using https://github.com/aquasecurity/kube-bench[kube-bench], a standard open source tool for checking configuration using the CIS benchmark on Kubernetes clusters. To learn more, see link:containers/introducing-cis-amazon-eks-benchmark[Introducing The CIS Amazon EKS Benchmark,type="blog"]. @@ -29,9 +29,9 @@ For an automated `aws-sample` pipeline to update your node group with a CIS benc [#configuration-vulnerability-analysis-pv] == Amazon EKS platform versions -Amazon EKS _platform versions_ represent the capabilities of the cluster control plane, including which [.noloc]`Kubernetes` API server flags are enabled and the current [.noloc]`Kubernetes` patch version. New clusters are deployed with the latest platform version. For details, see <>. +Amazon EKS _platform versions_ represent the capabilities of the cluster control plane, including which Kubernetes API server flags are enabled and the current Kubernetes patch version. New clusters are deployed with the latest platform version. For details, see <>. -You can <> to newer [.noloc]`Kubernetes` versions. As new [.noloc]`Kubernetes` versions become available in Amazon EKS, we recommend that you proactively update your clusters to use the latest available version. For more information about [.noloc]`Kubernetes` versions in EKS, see <>. +You can <> to newer Kubernetes versions. As new Kubernetes versions become available in Amazon EKS, we recommend that you proactively update your clusters to use the latest available version. For more information about Kubernetes versions in EKS, see <>. [#configuration-vulnerability-analysis-os] == Operating system vulnerability list diff --git a/latest/ug/security/default-roles-users.adoc b/latest/ug/security/default-roles-users.adoc index 3df2fcf9c..7f2874e79 100644 --- a/latest/ug/security/default-roles-users.adoc +++ b/latest/ug/security/default-roles-users.adoc @@ -10,11 +10,11 @@ include::../attributes.txt[] Learn about the Kubernetes roles and users that Amazon EKS creates for cluster components and add-ons. Amazon EKS uses these role-based authorization control (RBAC) identities to operate the cluster. -- -When you create a [.noloc]`Kubernetes` cluster, several default [.noloc]`Kubernetes` identities are created on that cluster for the proper functioning of [.noloc]`Kubernetes`. Amazon EKS creates [.noloc]`Kubernetes` identities for each of its default components. The identities provide [.noloc]`Kubernetes` role-based authorization control (RBAC) for the cluster components. For more information, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Using RBAC Authorization] in the [.noloc]`Kubernetes` documentation. +When you create a Kubernetes cluster, several default Kubernetes identities are created on that cluster for the proper functioning of Kubernetes. Amazon EKS creates Kubernetes identities for each of its default components. The identities provide Kubernetes role-based authorization control (RBAC) for the cluster components. For more information, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Using RBAC Authorization] in the Kubernetes documentation. -When you install optional <> to your cluster, additional [.noloc]`Kubernetes` identities might be added to your cluster. For more information about identities not addressed by this topic, see the documentation for the add-on. +When you install optional <> to your cluster, additional Kubernetes identities might be added to your cluster. For more information about identities not addressed by this topic, see the documentation for the add-on. -You can view the list of Amazon EKS created [.noloc]`Kubernetes` identities on your cluster using the {aws-management-console} or `kubectl` command line tool. All of the user identities appear in the `kube` audit logs available to you through Amazon CloudWatch. +You can view the list of Amazon EKS created Kubernetes identities on your cluster using the {aws-management-console} or `kubectl` command line tool. All of the user identities appear in the `kube` audit logs available to you through Amazon CloudWatch. [#default-role-users-console] == {aws-management-console} @@ -47,7 +47,7 @@ In addition to the resources that you see in the console, the following special === Prerequisite -The entity that you use ({aws} Identity and Access Management (IAM) or [.noloc]`OpenID Connect` ([.noloc]`OIDC`)) to list the [.noloc]`Kubernetes` resources on the cluster must be authenticated by IAM or your [.noloc]`OIDC` identity provider. The entity must be granted permissions to use the [.noloc]`Kubernetes` `get` and `list` verbs for the `Role`, `ClusterRole`, `RoleBinding`, and `ClusterRoleBinding` resources on your cluster that you want the entity to work with. For more information about granting IAM entities access to your cluster, see <>. For more information about granting entities authenticated by your own [.noloc]`OIDC` provider access to your cluster, see <>. +The entity that you use ({aws} Identity and Access Management (IAM) or OpenID Connect (OIDC)) to list the Kubernetes resources on the cluster must be authenticated by IAM or your OIDC identity provider. The entity must be granted permissions to use the Kubernetes `get` and `list` verbs for the `Role`, `ClusterRole`, `RoleBinding`, and `ClusterRoleBinding` resources on your cluster that you want the entity to work with. For more information about granting IAM entities access to your cluster, see <>. For more information about granting entities authenticated by your own OIDC provider access to your cluster, see <>. === To view Amazon EKS created identities using `kubectl` Run the command for the type of resource that you want to see. All returned resources that are prefaced with *eks* are created by Amazon EKS. In addition to the resources returned in the output from the commands, the following special user identities exist on your cluster, though they're not visible in the cluster's configuration: @@ -55,9 +55,9 @@ Run the command for the type of resource that you want to see. All returned reso * *`eks:cluster-bootstrap`* – Used for `kubectl` operations during cluster bootstrap. * *`eks:support-engineer`* – Used for cluster management operations. -*ClusterRoles* – `ClusterRoles` are scoped to your cluster, so any permission granted to a role applies to resources in any [.noloc]`Kubernetes` namespace on the cluster. +*ClusterRoles* – `ClusterRoles` are scoped to your cluster, so any permission granted to a role applies to resources in any Kubernetes namespace on the cluster. -The following command returns all of the Amazon EKS created [.noloc]`Kubernetes` `ClusterRoles` on your cluster. +The following command returns all of the Amazon EKS created Kubernetes `ClusterRoles` on your cluster. [source,bash,subs="verbatim,attributes"] ---- @@ -95,7 +95,7 @@ PolicyRule: *ClusterRoleBindings* – `ClusterRoleBindings` are scoped to your cluster. -The following command returns all of the Amazon EKS created [.noloc]`Kubernetes` `ClusterRoleBindings` on your cluster. +The following command returns all of the Amazon EKS created Kubernetes `ClusterRoleBindings` on your cluster. [source,bash,subs="verbatim,attributes"] ---- @@ -130,9 +130,9 @@ Subjects: User eks:k8s-metrics ---- -*Roles* – `Roles` are scoped to a [.noloc]`Kubernetes` namespace. All Amazon EKS created `Roles` are scoped to the `kube-system` namespace. +*Roles* – `Roles` are scoped to a Kubernetes namespace. All Amazon EKS created `Roles` are scoped to the `kube-system` namespace. -The following command returns all of the Amazon EKS created [.noloc]`Kubernetes` `Roles` on your cluster. +The following command returns all of the Amazon EKS created Kubernetes `Roles` on your cluster. [source,bash,subs="verbatim,attributes"] ---- @@ -160,9 +160,9 @@ PolicyRule: deployments.apps [] [vpc-resource-controller] [get] ---- -*RoleBindings* – `RoleBindings` are scoped to a [.noloc]`Kubernetes` namespace. All Amazon EKS created `RoleBindings` are scoped to the `kube-system` namespace. +*RoleBindings* – `RoleBindings` are scoped to a Kubernetes namespace. All Amazon EKS created `RoleBindings` are scoped to the `kube-system` namespace. -The following command returns all of the Amazon EKS created [.noloc]`Kubernetes` `RoleBindings` on your cluster. +The following command returns all of the Amazon EKS created Kubernetes `RoleBindings` on your cluster. [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/security/disaster-recovery-resiliency.adoc b/latest/ug/security/disaster-recovery-resiliency.adoc index 451ef9cd3..0b246ca30 100644 --- a/latest/ug/security/disaster-recovery-resiliency.adoc +++ b/latest/ug/security/disaster-recovery-resiliency.adoc @@ -7,12 +7,12 @@ include::../attributes.txt[] [abstract] -- -Learn how Amazon EKS ensures high availability, data resilience, and fault tolerance for your [.noloc]`Kubernetes` control plane by leveraging {aws} infrastructure across multiple Availability Zones . +Learn how Amazon EKS ensures high availability, data resilience, and fault tolerance for your Kubernetes control plane by leveraging {aws} infrastructure across multiple Availability Zones . -- The {aws} global infrastructure is built around {aws} Regions and Availability Zones. {aws} Regions provide multiple physically separated and isolated Availability Zones, which are connected with low-latency, high-throughput, and highly redundant networking. With Availability Zones, you can design and operate applications and databases that automatically fail over between Availability Zones without interruption. Availability Zones are more highly available, fault tolerant, and scalable than traditional single or multiple data center infrastructures. -Amazon EKS runs and scales the [.noloc]`Kubernetes` control plane across multiple {aws} Availability Zones to ensure high availability. Amazon EKS automatically scales control plane instances based on load, detects and replaces unhealthy control plane instances, and automatically patches the control plane. After you initiate a version update, Amazon EKS updates your control plane for you, maintaining high availability of the control plane during the update. +Amazon EKS runs and scales the Kubernetes control plane across multiple {aws} Availability Zones to ensure high availability. Amazon EKS automatically scales control plane instances based on load, detects and replaces unhealthy control plane instances, and automatically patches the control plane. After you initiate a version update, Amazon EKS updates your control plane for you, maintaining high availability of the control plane during the update. This control plane consists of at least two API server instances and three `etcd` instances that run across three Availability Zones within an {aws} Region. Amazon EKS: diff --git a/latest/ug/security/enable-kms.adoc b/latest/ug/security/enable-kms.adoc index de14bb7b9..ddec19653 100644 --- a/latest/ug/security/enable-kms.adoc +++ b/latest/ug/security/enable-kms.adoc @@ -10,7 +10,7 @@ include::../attributes.txt[] Learn how to enable Kubernetes secrets encryption with {aws} KMS on an existing Amazon EKS cluster, ensuring secure storage of sensitive data. -- -If you enable https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/[secrets encryption], the [.noloc]`Kubernetes` secrets are encrypted using the {aws} KMS key that you select. The KMS key must meet the following conditions: +If you enable https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/[secrets encryption], the Kubernetes secrets are encrypted using the {aws} KMS key that you select. The KMS key must meet the following conditions: * Symmetric * Can encrypt and decrypt data diff --git a/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc b/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc index 249844d18..7a6a32115 100644 --- a/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc +++ b/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc @@ -11,7 +11,7 @@ include::../../attributes.txt[] Learn how to create and configure the required {aws} Identity and Access Management role for Amazon EKS Auto Mode clusters to automate routine tasks for storage, networking, and compute autoscaling. -- -An Amazon EKS cluster IAM role is required for each cluster. [.noloc]`Kubernetes` clusters managed by Amazon EKS use this role to automate routine tasks for storage, networking, and compute autoscaling. +An Amazon EKS cluster IAM role is required for each cluster. Kubernetes clusters managed by Amazon EKS use this role to automate routine tasks for storage, networking, and compute autoscaling. Before you can create Amazon EKS clusters, you must create an IAM role with the policies required for EKS Auto Mode. You can either attach the suggested {aws} IAM managed policies, or create custom polices with equivalent permissions. diff --git a/latest/ug/security/iam-reference/cluster-iam-role.adoc b/latest/ug/security/iam-reference/cluster-iam-role.adoc index 313fa3581..1acf4739b 100644 --- a/latest/ug/security/iam-reference/cluster-iam-role.adoc +++ b/latest/ug/security/iam-reference/cluster-iam-role.adoc @@ -10,14 +10,14 @@ include::../../attributes.txt[] Learn how to create and configure the required {aws} Identity and Access Management role for Amazon EKS clusters to manage nodes and load balancers using managed or custom IAM policies. -- -An Amazon EKS cluster IAM role is required for each cluster. [.noloc]`Kubernetes` clusters managed by Amazon EKS use this role to manage nodes and the https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/#legacy-cloud-provider[legacy Cloud Provider] uses this role to create load balancers with Elastic Load Balancing for services. +An Amazon EKS cluster IAM role is required for each cluster. Kubernetes clusters managed by Amazon EKS use this role to manage nodes and the https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/#legacy-cloud-provider[legacy Cloud Provider] uses this role to create load balancers with Elastic Load Balancing for services. Before you can create Amazon EKS clusters, you must create an IAM role with either of the following IAM policies: * link:aws-managed-policy/latest/reference/AmazonEKSClusterPolicy.html[AmazonEKSClusterPolicy,type="documentation"] -* A custom IAM policy. The minimal permissions that follow allows the [.noloc]`Kubernetes` cluster to manage nodes, but doesn't allow the https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/#legacy-cloud-provider[legacy Cloud Provider] to create load balancers with Elastic Load Balancing. Your custom IAM policy must have at least the following permissions: +* A custom IAM policy. The minimal permissions that follow allows the Kubernetes cluster to manage nodes, but doesn't allow the https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/#legacy-cloud-provider[legacy Cloud Provider] to create load balancers with Elastic Load Balancing. Your custom IAM policy must have at least the following permissions: + [source,json,subs="verbatim,attributes"] ---- diff --git a/latest/ug/security/iam-reference/connector-iam-role.adoc b/latest/ug/security/iam-reference/connector-iam-role.adoc index 913d9ccfb..6852b6913 100644 --- a/latest/ug/security/iam-reference/connector-iam-role.adoc +++ b/latest/ug/security/iam-reference/connector-iam-role.adoc @@ -5,7 +5,7 @@ include::../../attributes.txt[] -You can connect [.noloc]`Kubernetes` clusters to view them in your {aws-management-console}. To connect to a [.noloc]`Kubernetes` cluster, create an IAM role. +You can connect Kubernetes clusters to view them in your {aws-management-console}. To connect to a Kubernetes cluster, create an IAM role. [#check-connector-role] == Check for an existing EKS connector role diff --git a/latest/ug/security/iam-reference/create-node-role.adoc b/latest/ug/security/iam-reference/create-node-role.adoc index 6ae83893c..41da07f54 100644 --- a/latest/ug/security/iam-reference/create-node-role.adoc +++ b/latest/ug/security/iam-reference/create-node-role.adoc @@ -38,7 +38,7 @@ You can use the following procedure to check and see if your account already has . Choose *Permissions*. . Ensure that the *AmazonEKSWorkerNodePolicy* and *AmazonEC2ContainerRegistryPullOnly* managed policies are attached to the role or a custom policy is attached with the minimal permissions. + -NOTE: If the *AmazonEKS_CNI_Policy* policy is attached to the role, we recommend removing it and attaching it to an IAM role that is mapped to the `aws-node` [.noloc]`Kubernetes` service account instead. For more information, see <>. +NOTE: If the *AmazonEKS_CNI_Policy* policy is attached to the role, we recommend removing it and attaching it to an IAM role that is mapped to the `aws-node` Kubernetes service account instead. For more information, see <>. . Choose *Trust relationships*, and then choose *Edit trust policy*. . Verify that the trust relationship contains the following policy. If the trust relationship matches the following policy, choose *Cancel*. If the trust relationship doesn't match, copy the policy into the *Edit trust policy* window and choose *Update policy*. + @@ -87,7 +87,7 @@ You can create the node IAM role with the {aws-management-console} or the {aws} ... In the *Filter policies* box, enter `AmazonEC2ContainerRegistryPullOnly`. ... Select the check box to the left of *AmazonEC2ContainerRegistryPullOnly* in the search results. + -Either the *AmazonEKS_CNI_Policy* managed policy, or an <> that you create must also be attached to either this role or to a different role that's mapped to the `aws-node` [.noloc]`Kubernetes` service account. We recommend assigning the policy to the role associated to the [.noloc]`Kubernetes` service account instead of assigning it to this role. For more information, see <>. +Either the *AmazonEKS_CNI_Policy* managed policy, or an <> that you create must also be attached to either this role or to a different role that's mapped to the `aws-node` Kubernetes service account. We recommend assigning the policy to the role associated to the Kubernetes service account instead of assigning it to this role. For more information, see <>. ... Choose *Next*. .. On the *Name, review, and create* page, do the following: + @@ -140,7 +140,7 @@ aws iam attach-role-policy \ --policy-arn {arn-aws}iam::aws:policy/AmazonEC2ContainerRegistryPullOnly \ --role-name AmazonEKSNodeRole ---- -.. Attach one of the following IAM policies to the IAM role depending on which IP family you created your cluster with. The policy must be attached to this role or to a role associated to the [.noloc]`Kubernetes` `aws-node` service account that's used for the [.noloc]`Amazon VPC CNI plugin for Kubernetes`. We recommend assigning the policy to the role associated to the [.noloc]`Kubernetes` service account. To assign the policy to the role associated to the [.noloc]`Kubernetes` service account, see <>. +.. Attach one of the following IAM policies to the IAM role depending on which IP family you created your cluster with. The policy must be attached to this role or to a role associated to the Kubernetes `aws-node` service account that's used for the Amazon VPC CNI plugin for Kubernetes. We recommend assigning the policy to the role associated to the Kubernetes service account. To assign the policy to the role associated to the Kubernetes service account, see <>. + *** IPv4 + diff --git a/latest/ug/security/iam-reference/pod-execution-role.adoc b/latest/ug/security/iam-reference/pod-execution-role.adoc index bf4767d17..529c3a893 100644 --- a/latest/ug/security/iam-reference/pod-execution-role.adoc +++ b/latest/ug/security/iam-reference/pod-execution-role.adoc @@ -1,15 +1,15 @@ [.topic] [#pod-execution-role] -= Amazon EKS [.noloc]`Pod` execution IAM role += Amazon EKS Pod execution IAM role :info_titleabbrev: Pod execution IAM role include::../../attributes.txt[] -The Amazon EKS [.noloc]`Pod` execution role is required to run [.noloc]`Pods` on {aws} Fargate infrastructure. +The Amazon EKS Pod execution role is required to run Pods on {aws} Fargate infrastructure. -When your cluster creates [.noloc]`Pods` on {aws} Fargate infrastructure, the components running on the Fargate infrastructure must make calls to {aws} APIs on your behalf. This is so that they can do actions such as pull container images from Amazon ECR or route logs to other {aws} services. The Amazon EKS [.noloc]`Pod` execution role provides the IAM permissions to do this. +When your cluster creates Pods on {aws} Fargate infrastructure, the components running on the Fargate infrastructure must make calls to {aws} APIs on your behalf. This is so that they can do actions such as pull container images from Amazon ECR or route logs to other {aws} services. The Amazon EKS Pod execution role provides the IAM permissions to do this. -When you create a Fargate profile, you must specify a [.noloc]`Pod` execution role for the Amazon EKS components that run on the Fargate infrastructure using the profile. This role is added to the cluster's [.noloc]`Kubernetes` https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Role based access control] (RBAC) for authorization. This allows the `kubelet` that's running on the Fargate infrastructure to register with your Amazon EKS cluster so that it can appear in your cluster as a node. +When you create a Fargate profile, you must specify a Pod execution role for the Amazon EKS components that run on the Fargate infrastructure using the profile. This role is added to the cluster's Kubernetes https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Role based access control] (RBAC) for authorization. This allows the `kubelet` that's running on the Fargate infrastructure to register with your Amazon EKS cluster so that it can appear in your cluster as a node. [NOTE] ==== @@ -21,15 +21,15 @@ The Fargate profile must have a different IAM role than Amazon EC2 node groups. [IMPORTANT] ==== -The containers running in the Fargate [.noloc]`Pod` can't assume the IAM permissions associated with a [.noloc]`Pod` execution role. To give the containers in your Fargate [.noloc]`Pod` permissions to access other {aws} services, you must use <>. +The containers running in the Fargate Pod can't assume the IAM permissions associated with a Pod execution role. To give the containers in your Fargate Pod permissions to access other {aws} services, you must use <>. ==== Before you create a Fargate profile, you must create an IAM role with the link:aws-managed-policy/latest/reference/AmazonEKSFargatePodExecutionRolePolicy.html[AmazonEKSFargatePodExecutionRolePolicy,type="documentation"]. [#check-pod-execution-role] -== Check for a correctly configured existing [.noloc]`Pod` execution role +== Check for a correctly configured existing Pod execution role -You can use the following procedure to check and see if your account already has a correctly configured Amazon EKS [.noloc]`Pod` execution role. To avoid a confused deputy security problem, it's important that the role restricts access based on `SourceArn`. You can modify the execution role as needed to include support for Fargate profiles on other clusters. +You can use the following procedure to check and see if your account already has a correctly configured Amazon EKS Pod execution role. To avoid a confused deputy security problem, it's important that the role restricts access based on `SourceArn`. You can modify the execution role as needed to include support for Fargate profiles on other clusters. . Open the IAM console at https://console.aws.amazon.com/iam/. . In the left navigation pane, choose *Roles*. @@ -74,9 +74,9 @@ If the policy doesn't match, copy the full previous policy into the form and cho [#create-pod-execution-role] -== Creating the Amazon EKS [.noloc]`Pod` execution role +== Creating the Amazon EKS Pod execution role -If you don't already have the Amazon EKS [.noloc]`Pod` execution role for your cluster, you can use the {aws-management-console} or the {aws} CLI to create it. +If you don't already have the Amazon EKS Pod execution role for your cluster, you can use the {aws-management-console} or the {aws} CLI to create it. @@ -88,7 +88,7 @@ If you don't already have the Amazon EKS [.noloc]`Pod` execution role for your c + ... In the *Trusted entity type* section, choose *{aws} service*. ... From the *Use cases for other {aws} services* dropdown list, choose *EKS*. -... Choose *EKS - Fargate [.noloc]`Pod`*. +... Choose *EKS - Fargate Pod*. ... Choose *Next*. .. On the *Add permissions* page, choose *Next*. .. On the *Name, review, and create* page, do the following: @@ -151,7 +151,7 @@ If you don't already have the Amazon EKS [.noloc]`Pod` execution role for your c ] } ---- -.. Create a [.noloc]`Pod` execution IAM role. +.. Create a Pod execution IAM role. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc index 2c5c136d9..a33712587 100644 --- a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc +++ b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc @@ -21,13 +21,13 @@ For more information, see link:IAM/latest/UserGuide/access_policies_managed-vs-i == {aws} managed policy: AmazonEKS_CNI_Policy :info_titleabbrev: AmazonEKS_CNI_Policy -You can attach the `AmazonEKS_CNI_Policy` to your IAM entities. Before you create an Amazon EC2 node group, this policy must be attached to either the <>, or to an IAM role that's used specifically by the [.noloc]`Amazon VPC CNI plugin for Kubernetes`. This is so that it can perform actions on your behalf. We recommend that you attach the policy to a role that's used only by the plugin. For more information, see <> and <>. +You can attach the `AmazonEKS_CNI_Policy` to your IAM entities. Before you create an Amazon EC2 node group, this policy must be attached to either the <>, or to an IAM role that's used specifically by the Amazon VPC CNI plugin for Kubernetes. This is so that it can perform actions on your behalf. We recommend that you attach the policy to a role that's used only by the plugin. For more information, see <> and <>. *Permissions details* This policy includes the following permissions that allow Amazon EKS to complete the following tasks: -* *`ec2:*NetworkInterface` and `ec2:*PrivateIpAddresses`* – Allows the Amazon VPC CNI plugin to perform actions such as provisioning Elastic Network Interfaces and IP addresses for [.noloc]`Pods` to provide networking for applications that run in Amazon EKS. +* *`ec2:*NetworkInterface` and `ec2:*PrivateIpAddresses`* – Allows the Amazon VPC CNI plugin to perform actions such as provisioning Elastic Network Interfaces and IP addresses for Pods to provide networking for applications that run in Amazon EKS. * *`ec2` read actions* – Allows the Amazon VPC CNI plugin to perform actions such as describe instances and subnets to see the amount of free IP addresses in your Amazon VPC subnets. The VPC CNI can use the free IP addresses in each subnet to pick the subnets with the most free IP addresses to use when creating an elastic network interface. To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKS_CNI_Policy.html#AmazonEKS_CNI_Policy-json[AmazonEKS_CNI_Policy,type="documentation"] in the {aws} Managed Policy Reference Guide. @@ -36,15 +36,15 @@ To view the latest version of the JSON policy document, see link:aws-managed-pol == {aws} managed policy: AmazonEKSClusterPolicy :info_titleabbrev: AmazonEKSClusterPolicy -You can attach `AmazonEKSClusterPolicy` to your IAM entities. Before creating a cluster, you must have a <> with this policy attached. [.noloc]`Kubernetes` clusters that are managed by Amazon EKS make calls to other {aws} services on your behalf. They do this to manage the resources that you use with the service. +You can attach `AmazonEKSClusterPolicy` to your IAM entities. Before creating a cluster, you must have a <> with this policy attached. Kubernetes clusters that are managed by Amazon EKS make calls to other {aws} services on your behalf. They do this to manage the resources that you use with the service. This policy includes the following permissions that allow Amazon EKS to complete the following tasks: * *`autoscaling`* – Read and update the configuration of an Auto Scaling group. These permissions aren't used by Amazon EKS but remain in the policy for backwards compatibility. -* *`ec2`* – Work with volumes and network resources that are associated to Amazon EC2 nodes. This is required so that the [.noloc]`Kubernetes` control plane can join instances to a cluster and dynamically provision and manage Amazon EBS volumes that are requested by [.noloc]`Kubernetes` persistent volumes. -* *`elasticloadbalancing`* – Work with Elastic Load Balancers and add nodes to them as targets. This is required so that the [.noloc]`Kubernetes` control plane can dynamically provision Elastic Load Balancers requested by [.noloc]`Kubernetes` services. -* *`iam`* – Create a service-linked role. This is required so that the [.noloc]`Kubernetes` control plane can dynamically provision Elastic Load Balancers that are requested by [.noloc]`Kubernetes` services. -* *`kms`* – Read a key from {aws} KMS. This is required for the [.noloc]`Kubernetes` control plane to support https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/[secrets encryption] of [.noloc]`Kubernetes` secrets stored in `etcd`. +* *`ec2`* – Work with volumes and network resources that are associated to Amazon EC2 nodes. This is required so that the Kubernetes control plane can join instances to a cluster and dynamically provision and manage Amazon EBS volumes that are requested by Kubernetes persistent volumes. +* *`elasticloadbalancing`* – Work with Elastic Load Balancers and add nodes to them as targets. This is required so that the Kubernetes control plane can dynamically provision Elastic Load Balancers requested by Kubernetes services. +* *`iam`* – Create a service-linked role. This is required so that the Kubernetes control plane can dynamically provision Elastic Load Balancers that are requested by Kubernetes services. +* *`kms`* – Read a key from {aws} KMS. This is required for the Kubernetes control plane to support https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/[secrets encryption] of Kubernetes secrets stored in `etcd`. To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSClusterPolicy.html#AmazonEKSClusterPolicy-json[AmazonEKSClusterPolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. @@ -52,9 +52,9 @@ To view the latest version of the JSON policy document, see link:aws-managed-pol == {aws} managed policy: AmazonEKSFargatePodExecutionRolePolicy :info_titleabbrev: AmazonEKSFargatePodExecutionRolePolicy -You can attach `AmazonEKSFargatePodExecutionRolePolicy` to your IAM entities. Before you can create a Fargate profile, you must create a Fargate [.noloc]`Pod` execution role and attach this policy to it. For more information, see <> and <>. +You can attach `AmazonEKSFargatePodExecutionRolePolicy` to your IAM entities. Before you can create a Fargate profile, you must create a Fargate Pod execution role and attach this policy to it. For more information, see <> and <>. -This policy grants the role the permissions that provide access to other {aws} service resources that are required to run Amazon EKS [.noloc]`Pods` on Fargate. +This policy grants the role the permissions that provide access to other {aws} service resources that are required to run Amazon EKS Pods on Fargate. *Permissions details* @@ -200,10 +200,10 @@ This policy allows Amazon EKS to create and manage the necessary resources to op This policy includes the following permissions that allow Amazon EKS to complete the following tasks. -* *`eks`* – Update the [.noloc]`Kubernetes` version of your cluster after you initiate an update. This permission isn't used by Amazon EKS but remains in the policy for backwards compatibility. -* *`ec2`* – Work with Elastic Network Interfaces and other network resources and tags. This is required by Amazon EKS to configure networking that facilitates communication between nodes and the [.noloc]`Kubernetes` control plane. Read information about security groups. Update tags on security groups. -* *`route53`* – Associate a VPC with a hosted zone. This is required by Amazon EKS to enable private endpoint networking for your [.noloc]`Kubernetes` cluster API server. -* *`logs`* – Log events. This is required so that Amazon EKS can ship [.noloc]`Kubernetes` control plane logs to CloudWatch. +* *`eks`* – Update the Kubernetes version of your cluster after you initiate an update. This permission isn't used by Amazon EKS but remains in the policy for backwards compatibility. +* *`ec2`* – Work with Elastic Network Interfaces and other network resources and tags. This is required by Amazon EKS to configure networking that facilitates communication between nodes and the Kubernetes control plane. Read information about security groups. Update tags on security groups. +* *`route53`* – Associate a VPC with a hosted zone. This is required by Amazon EKS to enable private endpoint networking for your Kubernetes cluster API server. +* *`logs`* – Log events. This is required so that Amazon EKS can ship Kubernetes control plane logs to CloudWatch. * *`iam`* – Create a service-linked role. This is required so that Amazon EKS can create the <> service-linked role on your behalf. To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSServicePolicy.html#AmazonEKSServicePolicy-json[AmazonEKSServicePolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. @@ -222,9 +222,9 @@ This policy includes the following permissions that allow Amazon EKS to complete * *`ec2`* – Create and describe Elastic Network Interfaces and Amazon EC2 instances, the cluster security group, and VPC that are required to create a cluster. For more information, see <>. Read information about security groups. Update tags on security groups. * *`iam`* – List all of the managed policies that attached to an IAM role. This is required so that Amazon EKS can list and validate all managed policies and permissions required to create a cluster. -* *Associate a VPC with a hosted zone* – This is required by Amazon EKS to enable private endpoint networking for your [.noloc]`Kubernetes` cluster API server. -* *Log event* – This is required so that Amazon EKS can ship [.noloc]`Kubernetes` control plane logs to CloudWatch. -* *Put metric* – This is required so that Amazon EKS can ship [.noloc]`Kubernetes` control plane logs to CloudWatch. +* *Associate a VPC with a hosted zone* – This is required by Amazon EKS to enable private endpoint networking for your Kubernetes cluster API server. +* *Log event* – This is required so that Amazon EKS can ship Kubernetes control plane logs to CloudWatch. +* *Put metric* – This is required so that Amazon EKS can ship Kubernetes control plane logs to CloudWatch. * *`eks`* - Manage cluster access entries and policies, allowing fine-grained control over who can access EKS resources and what actions they can perform. This includes associating standard access policies for compute, networking, load balancing, and storage operations. * *`elasticloadbalancing`* - Create, manage, and delete load balancers and their components (listeners, target groups, certificates) that are associated with EKS clusters. View load balancer attributes and health status. * *`events`* - Create and manage EventBridge rules for monitoring EC2 and {aws} Health events related to EKS clusters, enabling automated responses to infrastructure changes and health alerts. @@ -246,7 +246,7 @@ This policy grants the cluster role permissions to manage Elastic Network Interf This policy includes the following permissions that allow Amazon EKS to complete the following tasks: -* *`ec2`* – Manage Elastic Network Interfaces and IP addresses to support [.noloc]`Pod` security groups and [.noloc]`Windows` nodes. +* *`ec2`* – Manage Elastic Network Interfaces and IP addresses to support Pod security groups and Windows nodes. To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSVPCResourceController.html#AmazonEKSVPCResourceController-json[AmazonEKSVPCResourceController,type="documentation"] in the {aws} Managed Policy Reference Guide. @@ -262,7 +262,7 @@ This policy grants Amazon EKS Amazon EC2 nodes permissions to connect to Amazon This policy includes the following permissions that allow Amazon EKS to complete the following tasks: -* *`ec2`* – Read instance volume and network information. This is required so that [.noloc]`Kubernetes` nodes can describe information about Amazon EC2 resources that are required for the node to join the Amazon EKS cluster. +* *`ec2`* – Read instance volume and network information. This is required so that Kubernetes nodes can describe information about Amazon EC2 resources that are required for the node to join the Amazon EKS cluster. * *`eks`* – Optionally describe the cluster as part of node bootstrapping. * *`eks-auth:AssumeRoleForPodIdentity`* – Allow retrieving credentials for EKS workloads on the node. This is required for EKS Pod Identity to function properly. @@ -299,7 +299,7 @@ This policy includes the following permissions that allow Amazon EKS to complete * *`ec2`* – Work with security groups, tags, capacity reservations, and launch templates. This is required for Amazon EKS managed node groups to enable remote access configuration and to describe capacity reservations that can be used in managed node groups. Additionally, Amazon EKS managed node groups create a launch template on your behalf. This is to configure the Amazon EC2 Auto Scaling group that backs each managed node group. * *`iam`* – Create a service-linked role and pass a role. This is required by Amazon EKS managed node groups to manage instance profiles for the role being passed when creating a managed node group. This instance profile is used by Amazon EC2 instances launched as part of a managed node group. Amazon EKS needs to create service-linked roles for other services such as Amazon EC2 Auto Scaling groups. These permissions are used in the creation of a managed node group. -* *`autoscaling`* – Work with security Auto Scaling groups. This is required by Amazon EKS managed node groups to manage the Amazon EC2 Auto Scaling group that backs each managed node group. It's also used to support functionality such as evicting [.noloc]`Pods` when nodes are terminated or recycled during node group updates. +* *`autoscaling`* – Work with security Auto Scaling groups. This is required by Amazon EKS managed node groups to manage the Amazon EC2 Auto Scaling group that backs each managed node group. It's also used to support functionality such as evicting Pods when nodes are terminated or recycled during node group updates. To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AWSServiceRoleForAmazonEKSNodegroup.html#AWSServiceRoleForAmazonEKSNodegroup-json[AWSServiceRoleForAmazonEKSNodegroup,type="documentation"] in the {aws} Managed Policy Reference Guide. @@ -323,7 +323,7 @@ To view the latest version of the JSON policy document, see link:aws-managed-pol == {aws} managed policy: AmazonEKSLocalOutpostClusterPolicy :info_titleabbrev: AmazonEKSLocalOutpostClusterPolicy -You can attach this policy to IAM entities. Before creating a local cluster, you must attach this policy to your <>. [.noloc]`Kubernetes` clusters that are managed by Amazon EKS make calls to other {aws} services on your behalf. They do this to manage the resources that you use with the service. +You can attach this policy to IAM entities. Before creating a local cluster, you must attach this policy to your <>. Kubernetes clusters that are managed by Amazon EKS make calls to other {aws} services on your behalf. They do this to manage the resources that you use with the service. The `AmazonEKSLocalOutpostClusterPolicy` includes the following permissions: @@ -331,7 +331,7 @@ The `AmazonEKSLocalOutpostClusterPolicy` includes the following permissions: * *`ssm`* – Allows Amazon EC2 Systems Manager connection to the control plane instance, which is used by Amazon EKS to communicate and manage the local cluster in your account. * *`logs`* – Allows instances to push logs to Amazon CloudWatch. * *`secretsmanager`* – Allows instances to get and delete bootstrap data for the control plane instances securely from {aws} Secrets Manager. -* *`ecr`* – Allows [.noloc]`Pods` and containers that are running on the control plane instances to pull container images that are stored in Amazon Elastic Container Registry. +* *`ecr`* – Allows Pods and containers that are running on the control plane instances to pull container images that are stored in Amazon Elastic Container Registry. To view the latest version of the JSON policy document, see link:aws-managed-policy/latest/reference/AmazonEKSLocalOutpostClusterPolicy.html#AmazonEKSLocalOutpostClusterPolicy-json[AmazonEKSLocalOutpostClusterPolicy,type="documentation"] in the {aws} Managed Policy Reference Guide. @@ -437,7 +437,7 @@ Added the ability for the EBS CSI Driver to enable Fast Snapshot Restore (FSR) o |June 27, 2024 |<> – Update to an existing policy -|Amazon EKS added new `ec2:DescribeSubnets` permissions to allow the [.noloc]`Amazon VPC CNI plugin for Kubernetes` to see the amount of free IP addresses in your Amazon VPC subnets. The VPC CNI can use the free IP addresses in each subnet to pick the subnets with the most free IP addresses to use when creating an elastic network interface. +|Amazon EKS added new `ec2:DescribeSubnets` permissions to allow the Amazon VPC CNI plugin for Kubernetes to see the amount of free IP addresses in your Amazon VPC subnets. The VPC CNI can use the free IP addresses in each subnet to pick the subnets with the most free IP addresses to use when creating an elastic network interface. |March 4, 2024 |<> – Update to an existing policy diff --git a/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc b/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc index b8af17b79..29b16a33a 100644 --- a/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc +++ b/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc @@ -9,7 +9,7 @@ By default, IAM users and roles don't have permission to create or modify Amazon To learn how to create an IAM identity-based policy using these example JSON policy documents, see link:IAM/latest/UserGuide/access_policies_create.html#access_policies_create-json-editor[Creating policies on the JSON tab,type="documentation"] in the _IAM User Guide_. -When you create an Amazon EKS cluster, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that creates the cluster is automatically granted `system:masters` permissions in the cluster's role-based access control (RBAC) configuration in the Amazon EKS control plane. This principal doesn't appear in any visible configuration, so make sure to keep track of which principal originally created the cluster. To grant additional IAM principals the ability to interact with your cluster, edit the `aws-auth ConfigMap` within [.noloc]`Kubernetes` and create a [.noloc]`Kubernetes` `rolebinding` or `clusterrolebinding` with the name of a `group` that you specify in the `aws-auth ConfigMap`. +When you create an Amazon EKS cluster, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that creates the cluster is automatically granted `system:masters` permissions in the cluster's role-based access control (RBAC) configuration in the Amazon EKS control plane. This principal doesn't appear in any visible configuration, so make sure to keep track of which principal originally created the cluster. To grant additional IAM principals the ability to interact with your cluster, edit the `aws-auth ConfigMap` within Kubernetes and create a Kubernetes `rolebinding` or `clusterrolebinding` with the name of a `group` that you specify in the `aws-auth ConfigMap`. For more information about working with the ConfigMap, see <>. @@ -41,7 +41,7 @@ To ensure that your IAM principals can still use the Amazon EKS console, create [IMPORTANT] ==== -The following example policy allows a principal to view information on the *Configuration* tab in the console. To view information on the *Overview* and *Resources* tabs in the {aws-management-console}, the principal also needs [.noloc]`Kubernetes` permissions. For more information, see <>. +The following example policy allows a principal to view information on the *Configuration* tab in the console. To view information on the *Overview* and *Resources* tabs in the {aws-management-console}, the principal also needs Kubernetes permissions. For more information, see <>. ==== @@ -116,7 +116,7 @@ This example shows how you might create a policy that allows IAM users to view t [#policy-create-cluster] -== Create a [.noloc]`Kubernetes` cluster on the {aws} Cloud +== Create a Kubernetes cluster on the {aws} Cloud This example policy includes the minimum permissions required to create an Amazon EKS cluster named [.replaceable]`my-cluster` in the [.replaceable]`us-west-2` {aws} Region. You can replace the {aws} Region with the {aws} Region that you want to create a cluster in. If you see a warning that says *The actions in your policy do not support resource-level permissions and require you to choose `All resources`* in the {aws-management-console}, it can be safely ignored. If your account already has the [.replaceable]`AWSServiceRoleForAmazonEKS` role, you can remove the `iam:CreateServiceLinkedRole` action from the policy. If you've ever created an Amazon EKS cluster in your account then this role already exists, unless you deleted it. @@ -151,7 +151,7 @@ This example policy includes the minimum permissions required to create an Amazo [#policy-create-local-cluster] -== Create a local [.noloc]`Kubernetes` cluster on an Outpost +== Create a local Kubernetes cluster on an Outpost This example policy includes the minimum permissions required to create an Amazon EKS local cluster named [.replaceable]`my-cluster` on an Outpost in the [.replaceable]`us-west-2` {aws} Region. You can replace the {aws} Region with the {aws} Region that you want to create a cluster in. If you see a warning that says *The actions in your policy do not support resource-level permissions and require you to choose `All resources`* in the {aws-management-console}, it can be safely ignored. If your account already has the `AWSServiceRoleForAmazonEKSLocalOutpost` role, you can remove the `iam:CreateServiceLinkedRole` action from the policy. If you've ever created an Amazon EKS local cluster on an Outpost in your account then this role already exists, unless you deleted it. @@ -205,7 +205,7 @@ This example policy includes the minimum permissions required to create an Amazo [#policy-example1] -== Update a [.noloc]`Kubernetes` cluster +== Update a Kubernetes cluster This example policy includes the minimum permission required to update a cluster named [.replaceable]`my-cluster` in the us-west-2 {aws} Region. diff --git a/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc b/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc index dcd66a148..9a99538d2 100644 --- a/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc +++ b/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc @@ -94,7 +94,7 @@ To see a list of Amazon EKS resource types and their ARNs, see link:service-auth Amazon EKS defines its own set of condition keys and also supports using some global condition keys. To see all {aws} global condition keys, see link:IAM/latest/UserGuide/reference_policies_condition-keys.html[{aws} Global Condition Context Keys,type="documentation"] in the _IAM User Guide_. -You can set condition keys when associating an [.noloc]`OpenID Connect` provider to your cluster. For more information, see <>. +You can set condition keys when associating an OpenID Connect provider to your cluster. For more information, see <>. All Amazon EC2 actions support the `aws:RequestedRegion` and `ec2:Region` condition keys. For more information, see link:AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html#iam-example-region[Example: Restricting Access to a Specific {aws} Region,type="documentation"]. @@ -106,7 +106,7 @@ For a list of Amazon EKS condition keys, see link:service-authorization/latest/r To view examples of Amazon EKS identity-based policies, see <>. -When you create an Amazon EKS cluster, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that creates the cluster is automatically granted `system:masters` permissions in the cluster's role-based access control (RBAC) configuration in the Amazon EKS control plane. This principal doesn't appear in any visible configuration, so make sure to keep track of which principal originally created the cluster. To grant additional IAM principals the ability to interact with your cluster, edit the `aws-auth ConfigMap` within [.noloc]`Kubernetes` and create a [.noloc]`Kubernetes` `rolebinding` or `clusterrolebinding` with the name of a `group` that you specify in the `aws-auth ConfigMap`. +When you create an Amazon EKS cluster, the link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] that creates the cluster is automatically granted `system:masters` permissions in the cluster's role-based access control (RBAC) configuration in the Amazon EKS control plane. This principal doesn't appear in any visible configuration, so make sure to keep track of which principal originally created the cluster. To grant additional IAM principals the ability to interact with your cluster, edit the `aws-auth ConfigMap` within Kubernetes and create a Kubernetes `rolebinding` or `clusterrolebinding` with the name of a `group` that you specify in the `aws-auth ConfigMap`. For more information about working with the ConfigMap, see <>. diff --git a/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc b/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc index 23ba72cf2..35c2b5558 100644 --- a/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc +++ b/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc @@ -70,7 +70,7 @@ To learn more, consult the following: == Pod containers receive the following error: `An error occurred (SignatureDoesNotMatch) when calling the GetCallerIdentity operation: Credential should be scoped to a valid region` :info_titleabbrev: Credential should be scoped to a valid region error -Your containers receive this error if your application is explicitly making requests to the {aws} STS global endpoint (`https://sts.amazonaws`) and your [.noloc]`Kubernetes` service account is configured to use a regional endpoint. You can resolve the issue with one of the following options: +Your containers receive this error if your application is explicitly making requests to the {aws} STS global endpoint (`https://sts.amazonaws`) and your Kubernetes service account is configured to use a regional endpoint. You can resolve the issue with one of the following options: * Update your application code to remove explicit calls to the {aws} STS global endpoint. * Update your application code to make explicit calls to regional endpoints such as `https://sts.us-west-2.amazonaws.com`. Your application should have redundancy built in to pick a different {aws} Region in the event of a failure of the service in the {aws} Region. For more information, see link:IAM/latest/UserGuide/id_credentials_temp_enable-regions.html[Managing {aws} STS in an {aws} Region,type="documentation"] in the IAM User Guide. diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc index 5c8dbc205..df6c0176f 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc @@ -1,6 +1,6 @@ [.topic] [#using-service-linked-roles-eks-connector] -= Using roles to connect a [.noloc]`Kubernetes` cluster to Amazon EKS += Using roles to connect a Kubernetes cluster to Amazon EKS :info_titleabbrev: Cluster connector role include::../../attributes.txt[] @@ -21,7 +21,7 @@ For information about other services that support service-linked roles, see link [#service-linked-role-permissions-eks-connector] == Service-linked role permissions for Amazon EKS -Amazon EKS uses the service-linked role named `AWSServiceRoleForAmazonEKSConnector`. The role allows Amazon EKS to connect [.noloc]`Kubernetes` clusters. The attached policies allow the role to manage necessary resources to connect to your registered [.noloc]`Kubernetes` cluster. +Amazon EKS uses the service-linked role named `AWSServiceRoleForAmazonEKSConnector`. The role allows Amazon EKS to connect Kubernetes clusters. The attached policies allow the role to manage necessary resources to connect to your registered Kubernetes cluster. The `AWSServiceRoleForAmazonEKSConnector` service-linked role trusts the following services to assume the role: diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc index 13e290032..19f262dbb 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc @@ -21,7 +21,7 @@ For information about other services that support service-linked roles, see link [#service-linked-role-permissions-eks-fargate] == Service-linked role permissions for Amazon EKS -Amazon EKS uses the service-linked role named `AWSServiceRoleForAmazonEKSForFargate`. The role allows Amazon EKS Fargate to configure VPC networking required for Fargate [.noloc]`Pods`. The attached policies allow the role to create and delete elastic network interfaces and describe elastic network Interfaces and resources. +Amazon EKS uses the service-linked role named `AWSServiceRoleForAmazonEKSForFargate`. The role allows Amazon EKS Fargate to configure VPC networking required for Fargate Pods. The attached policies allow the role to create and delete elastic network interfaces and describe elastic network Interfaces and resources. The `AWSServiceRoleForAmazonEKSForFargate` service-linked role trusts the following services to assume the role: diff --git a/latest/ug/security/infrastructure-security.adoc b/latest/ug/security/infrastructure-security.adoc index f1e64ed0c..5cfdfe1c0 100644 --- a/latest/ug/security/infrastructure-security.adoc +++ b/latest/ug/security/infrastructure-security.adoc @@ -21,7 +21,7 @@ You use {aws} published API calls to access Amazon EKS through the network. Clie Additionally, requests must be signed by using an access key ID and a secret access key that is associated with an IAM principal. Or you can use the link:STS/latest/APIReference/welcome.html[{aws} Security Token Service,type="documentation"] ({aws} STS) to generate temporary security credentials to sign requests. -When you create an Amazon EKS cluster, you specify the VPC subnets for your cluster to use. Amazon EKS requires subnets in at least two Availability Zones. We recommend a VPC with public and private subnets so that [.noloc]`Kubernetes` can create public load balancers in the public subnets that load balance traffic to [.noloc]`Pods` running on nodes that are in private subnets. +When you create an Amazon EKS cluster, you specify the VPC subnets for your cluster to use. Amazon EKS requires subnets in at least two Availability Zones. We recommend a VPC with public and private subnets so that Kubernetes can create public load balancers in the public subnets that load balance traffic to Pods running on nodes that are in private subnets. For more information about VPC considerations, see <>. @@ -29,10 +29,10 @@ If you create your VPC and node groups with the {aws} CloudFormation templates p For more information about security group considerations, see <>. -When you create a new cluster, Amazon EKS creates an endpoint for the managed [.noloc]`Kubernetes` API server that you use to communicate with your cluster (using [.noloc]`Kubernetes` management tools such as `kubectl`). By default, this API server endpoint is public to the internet, and access to the API server is secured using a combination of {aws} Identity and Access Management (IAM) and native [.noloc]`Kubernetes` https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Role Based Access Control] (RBAC). +When you create a new cluster, Amazon EKS creates an endpoint for the managed Kubernetes API server that you use to communicate with your cluster (using Kubernetes management tools such as `kubectl`). By default, this API server endpoint is public to the internet, and access to the API server is secured using a combination of {aws} Identity and Access Management (IAM) and native Kubernetes https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Role Based Access Control] (RBAC). -You can enable private access to the [.noloc]`Kubernetes` API server so that all communication between your nodes and the API server stays within your VPC. You can limit the IP addresses that can access your API server from the internet, or completely disable internet access to the API server. +You can enable private access to the Kubernetes API server so that all communication between your nodes and the API server stays within your VPC. You can limit the IP addresses that can access your API server from the internet, or completely disable internet access to the API server. For more information about modifying cluster endpoint access, see <>. -You can implement [.noloc]`Kubernetes` _network policies_ with the Amazon VPC CNI or third-party tools such as https://docs.tigera.io/calico/latest/about/[Project Calico]. For more information about using the Amazon VPC CNI for network policies, see <>. Project [.noloc]`Calico` is a third party open source project. For more information, see the https://docs.tigera.io/calico/latest/getting-started/kubernetes/managed-public-cloud/eks/[Project Calico documentation]. \ No newline at end of file +You can implement Kubernetes _network policies_ with the Amazon VPC CNI or third-party tools such as https://docs.tigera.io/calico/latest/about/[Project Calico]. For more information about using the Amazon VPC CNI for network policies, see <>. Project Calico is a third party open source project. For more information, see the https://docs.tigera.io/calico/latest/getting-started/kubernetes/managed-public-cloud/eks/[Project Calico documentation]. \ No newline at end of file diff --git a/latest/ug/security/manage-secrets.adoc b/latest/ug/security/manage-secrets.adoc index 7043c8e87..b66e0fee4 100644 --- a/latest/ug/security/manage-secrets.adoc +++ b/latest/ug/security/manage-secrets.adoc @@ -5,9 +5,9 @@ include::../attributes.txt[] = Use {aws} Secrets Manager secrets with Amazon EKS Pods :info_titleabbrev: {aws} Secrets Manager -To show secrets from Secrets Manager and parameters from Parameter Store as files mounted in Amazon EKS [.noloc]`Pods`, you can use the {aws} Secrets and Configuration Provider (ASCP) for the https://secrets-store-csi-driver.sigs.k8s.io/[Kubernetes Secrets Store CSI Driver]. +To show secrets from Secrets Manager and parameters from Parameter Store as files mounted in Amazon EKS Pods, you can use the {aws} Secrets and Configuration Provider (ASCP) for the https://secrets-store-csi-driver.sigs.k8s.io/[Kubernetes Secrets Store CSI Driver]. -With the ASCP, you can store and manage your secrets in Secrets Manager and then retrieve them through your workloads running on Amazon EKS. You can use IAM roles and policies to limit access to your secrets to specific [.noloc]`Kubernetes` [.noloc]`Pods` in a cluster. The ASCP retrieves the [.noloc]`Pod` identity and exchanges the identity for an IAM role. ASCP assumes the IAM role of the [.noloc]`Pod`, and then it can retrieve secrets from Secrets Manager that are authorized for that role. +With the ASCP, you can store and manage your secrets in Secrets Manager and then retrieve them through your workloads running on Amazon EKS. You can use IAM roles and policies to limit access to your secrets to specific Kubernetes Pods in a cluster. The ASCP retrieves the Pod identity and exchanges the identity for an IAM role. ASCP assumes the IAM role of the Pod, and then it can retrieve secrets from Secrets Manager that are authorized for that role. If you use Secrets Manager automatic rotation for your secrets, you can also use the Secrets Store CSI Driver rotation reconciler feature to ensure you are retrieving the latest secret from Secrets Manager. diff --git a/latest/ug/security/pod-security-policy-removal-faq.adoc b/latest/ug/security/pod-security-policy-removal-faq.adoc index aab055518..2b4479dd5 100644 --- a/latest/ug/security/pod-security-policy-removal-faq.adoc +++ b/latest/ug/security/pod-security-policy-removal-faq.adoc @@ -1,47 +1,47 @@ [.topic] [#pod-security-policy-removal-faq] -= Migrate from legacy [.noloc]`Pod` security policies (PSP) += Migrate from legacy Pod security policies (PSP) :info_titleabbrev: Migrate from legacy PSP include::../attributes.txt[] [abstract] -- -Learn about the Pod Security Policy [.noloc]`(PSPs)` removal in [.noloc]`Kubernetes` `1.25`. Migrate to Pod Security Standards (PSS) or policy-as-code solutions before upgrading Amazon EKS clusters to [.noloc]`Kubernetes` 1.25 to avoid workload interruptions and maintain pod security controls. +Learn about the Pod Security Policy (PSPs) removal in Kubernetes `1.25`. Migrate to Pod Security Standards (PSS) or policy-as-code solutions before upgrading Amazon EKS clusters to Kubernetes 1.25 to avoid workload interruptions and maintain pod security controls. -- -`PodSecurityPolicy` was https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/[deprecated in Kubernetes1.21], and has been removed in [.noloc]`Kubernetes` `1.25`. If you are using PodSecurityPolicy in your cluster, *then you must migrate to the built-in [.noloc]`Kubernetes` Pod Security Standards [.noloc]`(PSS)` or to a policy-as-code solution before upgrading your cluster to version `*1.25*` to avoid interruptions to your workloads.* Select any frequently asked question to learn more. +`PodSecurityPolicy` was https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/[deprecated in Kubernetes1.21], and has been removed in Kubernetes `1.25`. If you are using PodSecurityPolicy in your cluster, *then you must migrate to the built-in Kubernetes Pod Security Standards (PSS) or to a policy-as-code solution before upgrading your cluster to version `*1.25*` to avoid interruptions to your workloads.* Select any frequently asked question to learn more. [#pod-security-policy-removal-what-is] -.What is a [.noloc]`PSP`? +.What is a PSP? [%collapsible] ==== -https://kubernetes.io/docs/concepts/security/pod-security-policy/[PodSecurityPolicy] is a built-in admission controller that allows a cluster administrator to control security-sensitive aspects of [.noloc]`Pod` specification. If a [.noloc]`Pod` meets the requirements of its [.noloc]`PSP`, the [.noloc]`Pod` is admitted to the cluster as usual. If a [.noloc]`Pod` doesn't meet the [.noloc]`PSP` requirements, the [.noloc]`Pod` is rejected and can't run. +https://kubernetes.io/docs/concepts/security/pod-security-policy/[PodSecurityPolicy] is a built-in admission controller that allows a cluster administrator to control security-sensitive aspects of Pod specification. If a Pod meets the requirements of its PSP, the Pod is admitted to the cluster as usual. If a Pod doesn't meet the PSP requirements, the Pod is rejected and can't run. ==== [#pod-security-policy-removal-specific] -.Is the [.noloc]`PSP` removal specific to Amazon EKS or is it being removed in upstream [.noloc]`Kubernetes`? +.Is the PSP removal specific to Amazon EKS or is it being removed in upstream Kubernetes? [%collapsible] ==== -This is an upstream change in the [.noloc]`Kubernetes` project, and not a change made in Amazon EKS. [.noloc]`PSP` was deprecated in [.noloc]`Kubernetes` `1.21` and removed in [.noloc]`Kubernetes` `1.25`. The [.noloc]`Kubernetes` community identified serious usability problems with [.noloc]`PSP`. These included accidentally granting broader permissions than intended and difficulty in inspecting which [.noloc]`PSPs` apply in a given situation. These issues couldn't be addressed without making breaking changes. This is the primary reason why the [.noloc]`Kubernetes` community https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/#why-is-podsecuritypolicy-going-away[decided to remove PSP]. +This is an upstream change in the Kubernetes project, and not a change made in Amazon EKS. PSP was deprecated in Kubernetes `1.21` and removed in Kubernetes `1.25`. The Kubernetes community identified serious usability problems with PSP. These included accidentally granting broader permissions than intended and difficulty in inspecting which PSPs apply in a given situation. These issues couldn't be addressed without making breaking changes. This is the primary reason why the Kubernetes community https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/#why-is-podsecuritypolicy-going-away[decided to remove PSP]. ==== [#pod-security-policy-removal-check] -.How can I check if I'm using [.noloc]`PSPs` in my Amazon EKS clusters? +.How can I check if I'm using PSPs in my Amazon EKS clusters? [%collapsible] ==== -To check if you're using [.noloc]`PSPs` in your cluster, you can run the following command: +To check if you're using PSPs in your cluster, you can run the following command: [source,bash,subs="verbatim,attributes"] ---- kubectl get psp ---- -To see the [.noloc]`Pods` that the [.noloc]`PSPs` in your cluster are impacting, run the following command. This command outputs the [.noloc]`Pod` name, namespace, and [.noloc]`PSPs`: +To see the Pods that the PSPs in your cluster are impacting, run the following command. This command outputs the Pod name, namespace, and PSPs: [source,bash,subs="verbatim,attributes"] ---- @@ -51,58 +51,58 @@ kubectl get pod -A -o jsonpath='{range.items[?(@.metadata.annotations.kubernetes ==== [#pod-security-policy-removal-what-can] -.If I'm using [.noloc]`PSPs` in my Amazon EKS cluster, what can I do? +.If I'm using PSPs in my Amazon EKS cluster, what can I do? [%collapsible] ==== -Before upgrading your cluster to `1.25`, you must migrate your [.noloc]`PSPs` to either one of these alternatives: +Before upgrading your cluster to `1.25`, you must migrate your PSPs to either one of these alternatives: -* [.noloc]`Kubernetes` [.noloc]`PSS`. +* Kubernetes PSS. -* Policy-as-code solutions from the [.noloc]`Kubernetes` environment. +* Policy-as-code solutions from the Kubernetes environment. -In response to the [.noloc]`PSP` deprecation and the ongoing need to control [.noloc]`Pod` security from the start, the [.noloc]`Kubernetes` community created a built-in solution with https://kubernetes.io/docs/concepts/security/pod-security-standards/[(PSS)] and https://kubernetes.io/docs/concepts/security/pod-security-admission/[Pod Security Admission (PSA)]. The PSA webhook implements the controls that are defined in the [.noloc]`PSS`. +In response to the PSP deprecation and the ongoing need to control Pod security from the start, the Kubernetes community created a built-in solution with https://kubernetes.io/docs/concepts/security/pod-security-standards/[(PSS)] and https://kubernetes.io/docs/concepts/security/pod-security-admission/[Pod Security Admission (PSA)]. The PSA webhook implements the controls that are defined in the PSS. -You can review best practices for migrating [.noloc]`PSPs` to the built-in [.noloc]`PSS` in the https://aws.github.io/aws-eks-best-practices/security/docs/pods/#pod-security-standards-pss-and-pod-security-admission-psa[EKS Best Practices Guide]. We also recommend reviewing our blog on link:containers/implementing-pod-security-standards-in-amazon-eks[Implementing Pod Security Standards in Amazon EKS,type="blog"]. Additional references include https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/[Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller] and https://kubernetes.io/docs/reference/access-authn-authz/psp-to-pod-security-standards/[Mapping PodSecurityPolicies to Pod Security Standards]. +You can review best practices for migrating PSPs to the built-in PSS in the https://aws.github.io/aws-eks-best-practices/security/docs/pods/#pod-security-standards-pss-and-pod-security-admission-psa[EKS Best Practices Guide]. We also recommend reviewing our blog on link:containers/implementing-pod-security-standards-in-amazon-eks[Implementing Pod Security Standards in Amazon EKS,type="blog"]. Additional references include https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/[Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller] and https://kubernetes.io/docs/reference/access-authn-authz/psp-to-pod-security-standards/[Mapping PodSecurityPolicies to Pod Security Standards]. -Policy-as-code solutions provide guardrails to guide cluster users and prevents unwanted behaviors through prescribed automated controls. Policy-as-code solutions typically use https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/[Kubernetes Dynamic Admission Controllers] to intercept the [.noloc]`Kubernetes` API server request flow using a webhook call. Policy-as-code solutions mutate and validate request payloads based on policies written and stored as code. +Policy-as-code solutions provide guardrails to guide cluster users and prevents unwanted behaviors through prescribed automated controls. Policy-as-code solutions typically use https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/[Kubernetes Dynamic Admission Controllers] to intercept the Kubernetes API server request flow using a webhook call. Policy-as-code solutions mutate and validate request payloads based on policies written and stored as code. -There are several open source policy-as-code solutions available for [.noloc]`Kubernetes`. To review best practices for migrating [.noloc]`PSPs` to a policy-as-code solution, see the https://aws.github.io/aws-eks-best-practices/security/docs/pods/#policy-as-code-pac[Policy-as-code] section of the Pod Security page on GitHub. +There are several open source policy-as-code solutions available for Kubernetes. To review best practices for migrating PSPs to a policy-as-code solution, see the https://aws.github.io/aws-eks-best-practices/security/docs/pods/#policy-as-code-pac[Policy-as-code] section of the Pod Security page on GitHub. ==== [#pod-security-policy-removal-privileged] -.I see a [.noloc]`PSP` called `eks.privileged` in my cluster. What is it and what can I do about it? +.I see a PSP called `eks.privileged` in my cluster. What is it and what can I do about it? [%collapsible] ==== -Amazon EKS clusters with [.noloc]`Kubernetes` version `1.13` or higher have a default [.noloc]`PSP` that's named `eks.privileged`. This policy is created in `1.24` and earlier clusters. It isn't used in `1.25` and later clusters. Amazon EKS automatically migrates this [.noloc]`PSP` to a [.noloc]`PSS`-based enforcement. No action is needed on your part. +Amazon EKS clusters with Kubernetes version `1.13` or higher have a default PSP that's named `eks.privileged`. This policy is created in `1.24` and earlier clusters. It isn't used in `1.25` and later clusters. Amazon EKS automatically migrates this PSP to a PSS-based enforcement. No action is needed on your part. ==== [#pod-security-policy-removal-prevent] -.Will Amazon EKS make any changes to [.noloc]`PSPs` present in my existing cluster when I update my cluster to version `1.25`? +.Will Amazon EKS make any changes to PSPs present in my existing cluster when I update my cluster to version `1.25`? [%collapsible] ==== -No. Besides `eks.privileged`, which is a [.noloc]`PSP` created by Amazon EKS, no changes are made to other [.noloc]`PSPs` in your cluster when you upgrade to `1.25`. +No. Besides `eks.privileged`, which is a PSP created by Amazon EKS, no changes are made to other PSPs in your cluster when you upgrade to `1.25`. ==== [#pod-security-policy-removal-migrate] -.Will Amazon EKS prevent a cluster update to version `1.25` if I haven't migrated off of [.noloc]`PSP`? +.Will Amazon EKS prevent a cluster update to version `1.25` if I haven't migrated off of PSP? [%collapsible] ==== -No. Amazon EKS won't prevent a cluster update to version `1.25` if you didn't migrate off of [.noloc]`PSP` yet. +No. Amazon EKS won't prevent a cluster update to version `1.25` if you didn't migrate off of PSP yet. ==== [#pod-security-policy-removal-forget] -.What if I forget to migrate my [.noloc]`PSPs` to [.noloc]`PSS/PSA` or to a policy-as-code solution before I update my cluster to version `1.25`? Can I migrate after updating my cluster? +.What if I forget to migrate my PSPs to PSS/PSA or to a policy-as-code solution before I update my cluster to version `1.25`? Can I migrate after updating my cluster? [%collapsible] ==== -When a cluster that contains a [.noloc]`PSP` is upgraded to [.noloc]`Kubernetes` version `1.25`, the API server doesn't recognize the [.noloc]`PSP` resource in `1.25`. This might result in [.noloc]`Pods` getting incorrect security scopes. For an exhaustive list of implications, see https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/[Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller]. +When a cluster that contains a PSP is upgraded to Kubernetes version `1.25`, the API server doesn't recognize the PSP resource in `1.25`. This might result in Pods getting incorrect security scopes. For an exhaustive list of implications, see https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/[Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller]. ==== [#pod-security-policy-removal-impact] @@ -110,5 +110,5 @@ When a cluster that contains a [.noloc]`PSP` is upgraded to [.noloc]`Kubernetes` [%collapsible] ==== -We don't expect any specific impact to Windows workloads. PodSecurityContext has a field called `windowsOptions` in the `PodSpec v1` API for Windows [.noloc]`Pods`. This uses [.noloc]`PSS` in [.noloc]`Kubernetes` `1.25`. For more information and best practices about enforcing [.noloc]`PSS` for Windows workloads, see the https://aws.github.io/aws-eks-best-practices/windows/docs/security/#pod-security-contexts[EKS Best Practices Guide] and [.noloc]`Kubernetes` https://kubernetes.io/docs/tasks/configure-pod-container/configure-runasusername/[documentation]. +We don't expect any specific impact to Windows workloads. PodSecurityContext has a field called `windowsOptions` in the `PodSpec v1` API for Windows Pods. This uses PSS in Kubernetes `1.25`. For more information and best practices about enforcing PSS for Windows workloads, see the https://aws.github.io/aws-eks-best-practices/windows/docs/security/#pod-security-contexts[EKS Best Practices Guide] and Kubernetes https://kubernetes.io/docs/tasks/configure-pod-container/configure-runasusername/[documentation]. ==== \ No newline at end of file diff --git a/latest/ug/security/pod-security-policy.adoc b/latest/ug/security/pod-security-policy.adoc index 79186ad75..b40d61870 100644 --- a/latest/ug/security/pod-security-policy.adoc +++ b/latest/ug/security/pod-security-policy.adoc @@ -1,28 +1,28 @@ [.topic] [#pod-security-policy] -= Understand Amazon EKS created [.noloc]`Pod` security policies [.noloc]`(PSP)` += Understand Amazon EKS created Pod security policies (PSP) :info_titleabbrev: Legacy default PSP include::../attributes.txt[] [abstract] -- -Learn about the Pod Security Policies [.noloc]`(PSP)` that Amazon EKS creates by default. PSP was deprecated in [.noloc]`Kubernetes` version `1.21` and removed in [.noloc]`Kubernetes` `1.25`. +Learn about the Pod Security Policies (PSP) that Amazon EKS creates by default. PSP was deprecated in Kubernetes version `1.21` and removed in Kubernetes `1.25`. -- -The [.noloc]`Kubernetes` [.noloc]`Pod` security policy admission controller validates [.noloc]`Pod` creation and update requests against a set of rules. By default, Amazon EKS clusters ship with a fully permissive security policy with no restrictions. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/[Pod Security Policies] in the [.noloc]`Kubernetes` documentation. +The Kubernetes Pod security policy admission controller validates Pod creation and update requests against a set of rules. By default, Amazon EKS clusters ship with a fully permissive security policy with no restrictions. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/[Pod Security Policies] in the Kubernetes documentation. [NOTE] ==== -The `PodSecurityPolicy` ([.noloc]`PSP`) was deprecated in [.noloc]`Kubernetes` version `1.21` and removed in [.noloc]`Kubernetes` `1.25`. [.noloc]`PSPs` are being replaced with https://kubernetes.io/docs/concepts/security/pod-security-admission/[Pod Security Admission (PSA)], a built-in admission controller that implements the security controls outlined in the https://kubernetes.io/docs/concepts/security/pod-security-standards/[Pod Security Standards (PSS)]. PSA and PSS have both reached beta feature states, and are enabled in Amazon EKS by default. To address [.noloc]`PSP` removal in `1.25`, we recommend that you implement PSS in Amazon EKS. For more information, see link:containers/implementing-pod-security-standards-in-amazon-eks[Implementing Pod Security Standards in Amazon EKS,type="blog"] on the {aws} blog. +The `PodSecurityPolicy` (PSP) was deprecated in Kubernetes version `1.21` and removed in Kubernetes `1.25`. PSPs are being replaced with https://kubernetes.io/docs/concepts/security/pod-security-admission/[Pod Security Admission (PSA)], a built-in admission controller that implements the security controls outlined in the https://kubernetes.io/docs/concepts/security/pod-security-standards/[Pod Security Standards (PSS)]. PSA and PSS have both reached beta feature states, and are enabled in Amazon EKS by default. To address PSP removal in `1.25`, we recommend that you implement PSS in Amazon EKS. For more information, see link:containers/implementing-pod-security-standards-in-amazon-eks[Implementing Pod Security Standards in Amazon EKS,type="blog"] on the {aws} blog. ==== [#default-psp] -== Amazon EKS default [.noloc]`Pod` security policy +== Amazon EKS default Pod security policy -Amazon EKS clusters with [.noloc]`Kubernetes` version `1.13` or higher have a default [.noloc]`Pod` security policy named `eks.privileged`. This policy has no restriction on what kind of [.noloc]`Pod` can be accepted into the system, which is equivalent to running [.noloc]`Kubernetes` with the `PodSecurityPolicy` controller disabled. +Amazon EKS clusters with Kubernetes version `1.13` or higher have a default Pod security policy named `eks.privileged`. This policy has no restriction on what kind of Pod can be accepted into the system, which is equivalent to running Kubernetes with the `PodSecurityPolicy` controller disabled. [NOTE] ==== @@ -84,21 +84,21 @@ Settings: Ranges: ---- -You can view the full YAML file for the `eks.privileged` [.noloc]`Pod` security policy, its cluster role, and cluster role binding in <>. +You can view the full YAML file for the `eks.privileged` Pod security policy, its cluster role, and cluster role binding in <>. [#psp-delete-default] -== Delete the default Amazon EKS [.noloc]`Pod` security policy +== Delete the default Amazon EKS Pod security policy -If you create more restrictive policies for your [.noloc]`Pods`, then after doing so, you can delete the default Amazon EKS `eks.privileged` [.noloc]`Pod` security policy to enable your custom policies. +If you create more restrictive policies for your Pods, then after doing so, you can delete the default Amazon EKS `eks.privileged` Pod security policy to enable your custom policies. [IMPORTANT] ==== -If you are using version `1.7.0` or later of the CNI plugin and you assign a custom [.noloc]`Pod` security policy to the `aws-node` [.noloc]`Kubernetes` service account used for the `aws-node` [.noloc]`Pods` deployed by the Daemonset, then the policy must have `NET_ADMIN` in its `allowedCapabilities` section along with `hostNetwork: true` and `privileged: true` in the policy's `spec`. +If you are using version `1.7.0` or later of the CNI plugin and you assign a custom Pod security policy to the `aws-node` Kubernetes service account used for the `aws-node` Pods deployed by the Daemonset, then the policy must have `NET_ADMIN` in its `allowedCapabilities` section along with `hostNetwork: true` and `privileged: true` in the policy's `spec`. ==== . Create a file named [.replaceable]`privileged-podsecuritypolicy.yaml` with the contents in the example file in <>. -. Delete the YAML with the following command. This deletes the default [.noloc]`Pod` security policy, the `ClusterRole`, and the `ClusterRoleBinding` associated with it. +. Delete the YAML with the following command. This deletes the default Pod security policy, the `ClusterRole`, and the `ClusterRoleBinding` associated with it. + [source,bash,subs="verbatim,attributes"] ---- @@ -107,9 +107,9 @@ kubectl delete -f privileged-podsecuritypolicy.yaml [#psp-install-or-restore-default] -== Install or restore the default [.noloc]`Pod` security policy +== Install or restore the default Pod security policy -If you are upgrading from an earlier version of [.noloc]`Kubernetes`, or have modified or deleted the default Amazon EKS `eks.privileged` [.noloc]`Pod` security policy, you can restore it with the following steps. +If you are upgrading from an earlier version of Kubernetes, or have modified or deleted the default Amazon EKS `eks.privileged` Pod security policy, you can restore it with the following steps. . Create a file called `privileged-podsecuritypolicy.yaml` with the following contents. + diff --git a/latest/ug/security/security-k8s.adoc b/latest/ug/security/security-k8s.adoc index e7b6db4cc..22b119af9 100644 --- a/latest/ug/security/security-k8s.adoc +++ b/latest/ug/security/security-k8s.adoc @@ -1,6 +1,6 @@ [.topic] [#security-k8s] -= Security considerations for [.noloc]`Kubernetes` += Security considerations for Kubernetes :info_titleabbrev: Considerations for Kubernetes include::../attributes.txt[] @@ -19,10 +19,10 @@ include::manage-secrets.adoc[leveloffset=+1] [abstract] -- -Configure [.noloc]`Kubernetes` to meet your security and compliance objectives, and learn how to use other {aws} services that help you to secure your [.noloc]`Kubernetes` resources. +Configure Kubernetes to meet your security and compliance objectives, and learn how to use other {aws} services that help you to secure your Kubernetes resources. -- -The following are considerations for security in the cloud, as they affect [.noloc]`Kubernetes` in Amazon EKS clusters. For an in-depth review of security controls and practices in [.noloc]`Kubernetes`, see https://kubernetes.io/docs/concepts/security/cloud-native-security/[Cloud Native Security and Kubernetes] in the [.noloc]`Kubernetes` documentation. +The following are considerations for security in the cloud, as they affect Kubernetes in Amazon EKS clusters. For an in-depth review of security controls and practices in Kubernetes, see https://kubernetes.io/docs/concepts/security/cloud-native-security/[Cloud Native Security and Kubernetes] in the Kubernetes documentation. [.topiclist] [[Topic List]] \ No newline at end of file diff --git a/latest/ug/security/security.adoc b/latest/ug/security/security.adoc index 42141ff30..c75b1fb1c 100644 --- a/latest/ug/security/security.adoc +++ b/latest/ug/security/security.adoc @@ -36,7 +36,7 @@ Cloud security at {aws} is the highest priority. As an {aws} customer, you benef Security is a shared responsibility between {aws} and you. The link:compliance/shared-responsibility-model/[shared responsibility model,type="marketing"] describes this as security _of_ the cloud and security _in_ the cloud: -* *Security of the cloud* – {aws} is responsible for protecting the infrastructure that runs {aws} services in the {aws} Cloud. For Amazon EKS, {aws} is responsible for the [.noloc]`Kubernetes` control plane, which includes the control plane nodes and `etcd` database. Third-party auditors regularly test and verify the effectiveness of our security as part of the link:compliance/programs/[{aws} compliance programs,type="marketing"]. To learn about the compliance programs that apply to Amazon EKS, see link:compliance/services-in-scope/[{aws} Services in Scope by Compliance Program,type="marketing"]. +* *Security of the cloud* – {aws} is responsible for protecting the infrastructure that runs {aws} services in the {aws} Cloud. For Amazon EKS, {aws} is responsible for the Kubernetes control plane, which includes the control plane nodes and `etcd` database. Third-party auditors regularly test and verify the effectiveness of our security as part of the link:compliance/programs/[{aws} compliance programs,type="marketing"]. To learn about the compliance programs that apply to Amazon EKS, see link:compliance/services-in-scope/[{aws} Services in Scope by Compliance Program,type="marketing"]. * *Security in the cloud* – Your responsibility includes the following areas. + ** The security configuration of the data plane, including the configuration of the security groups that allow traffic to pass from the Amazon EKS control plane into the customer VPC @@ -53,7 +53,7 @@ This documentation helps you understand how to apply the shared responsibility m [NOTE] ==== -[.noloc]`Linux` containers are made up of control groups (cgroups) and namespaces that help limit what a container can access, but all containers share the same [.noloc]`Linux` kernel as the host Amazon EC2 instance. Running a container as the root user (UID 0) or granting a container access to host resources or namespaces such as the host network or host PID namespace are strongly discouraged, because doing so reduces the effectiveness of the isolation that containers provide. +Linux containers are made up of control groups (cgroups) and namespaces that help limit what a container can access, but all containers share the same Linux kernel as the host Amazon EC2 instance. Running a container as the root user (UID 0) or granting a container access to host resources or namespaces such as the host network or host PID namespace are strongly discouraged, because doing so reduces the effectiveness of the isolation that containers provide. ==== diff --git a/latest/ug/security/vpc-interface-endpoints.adoc b/latest/ug/security/vpc-interface-endpoints.adoc index a9c78cf27..fac0fd579 100644 --- a/latest/ug/security/vpc-interface-endpoints.adoc +++ b/latest/ug/security/vpc-interface-endpoints.adoc @@ -20,7 +20,7 @@ For more information, see link:vpc/latest/privatelink/privatelink-access-aws-ser == Considerations for Amazon EKS * Before you set up an interface endpoint for Amazon EKS, review link:vpc/latest/privatelink/create-interface-endpoint.html#considerations-interface-endpoints[Considerations,type="documentation"] in the _{aws} PrivateLink Guide_. -* Amazon EKS supports making calls to all of its API actions through the interface endpoint, but not to the [.noloc]`Kubernetes` APIs. The [.noloc]`Kubernetes` API server already supports a <>. The [.noloc]`Kubernetes` API server private endpoint creates a private endpoint for the [.noloc]`Kubernetes` API server that you use to communicate with your cluster (using [.noloc]`Kubernetes` management tools such as `kubectl`). You can enable <> to the [.noloc]`Kubernetes` API server so that all communication between your nodes and the API server stays within your VPC. {aws} PrivateLink for the Amazon EKS API helps you call the Amazon EKS APIs from your VPC without exposing traffic to the public internet. +* Amazon EKS supports making calls to all of its API actions through the interface endpoint, but not to the Kubernetes APIs. The Kubernetes API server already supports a <>. The Kubernetes API server private endpoint creates a private endpoint for the Kubernetes API server that you use to communicate with your cluster (using Kubernetes management tools such as `kubectl`). You can enable <> to the Kubernetes API server so that all communication between your nodes and the API server stays within your VPC. {aws} PrivateLink for the Amazon EKS API helps you call the Amazon EKS APIs from your VPC without exposing traffic to the public internet. * You can't configure Amazon EKS to only be accessed through an interface endpoint. * Standard pricing for {aws} PrivateLink applies for interface endpoints for Amazon EKS. You are billed for every hour that an interface endpoint is provisioned in each Availability Zone and for data processed through the interface endpoint. For more information, see link:privatelink/pricing/[{aws} PrivateLink pricing,type="marketing"]. * VPC endpoint policies are supported for Amazon EKS. You can use these policies to control access to Amazon EKS through the interface endpoint. Additionally, you can associate a security group with the endpoint network interfaces to control traffic to Amazon EKS through the interface endpoint. For more information, see link:vpc/latest/privatelink/vpc-endpoints-access.html["Control access to VPC endpoints using endpoint policies",type="documentation"] in the Amazon VPC docs. diff --git a/latest/ug/storage/csi-snapshot-controller.adoc b/latest/ug/storage/csi-snapshot-controller.adoc index f28b250a8..d55bd0a04 100644 --- a/latest/ug/storage/csi-snapshot-controller.adoc +++ b/latest/ug/storage/csi-snapshot-controller.adoc @@ -11,14 +11,14 @@ include::../attributes.txt[] The Container Storage Interface (CSI) snapshot controller enables the use of snapshot functionality in compatible CSI drivers, such as the Amazon EBS CSI driver. -- -Snapshot functionality allows for point-in-time copies of your data. For this capability to work in [.noloc]`Kubernetes`, you need both a CSI driver with snapshot support (such as the Amazon EBS CSI driver) and a CSI snapshot controller. The snapshot controller is available either as an Amazon EKS managed add-on or as a self-managed installation. +Snapshot functionality allows for point-in-time copies of your data. For this capability to work in Kubernetes, you need both a CSI driver with snapshot support (such as the Amazon EBS CSI driver) and a CSI snapshot controller. The snapshot controller is available either as an Amazon EKS managed add-on or as a self-managed installation. Here are some things to consider when using the CSI snapshot controller. * The snapshot controller must be installed alongside a CSI driver with snapshot functionality. For installation instructions of the Amazon EBS CSI driver, see <>. -* [.noloc]`Kubernetes` doesn't support snapshots of volumes being served via CSI migration, such as Amazon EBS volumes using a `StorageClass` with provisioner `kubernetes.io/aws-ebs`. Volumes must be created with a `StorageClass` that references the CSI driver provisioner, `ebs.csi.aws.com`. +* Kubernetes doesn't support snapshots of volumes being served via CSI migration, such as Amazon EBS volumes using a `StorageClass` with provisioner `kubernetes.io/aws-ebs`. Volumes must be created with a `StorageClass` that references the CSI driver provisioner, `ebs.csi.aws.com`. * Amazon EKS Auto Mode does not include the snapshot controller. The storage capability of EKS Auto Mode is compatible with the snapshot controller. We recommend that you install the CSI snapshot controller through the Amazon EKS managed add-on. This add-on includes the custom resource definitions (CRDs) that are needed to create and manage snapshots on Amazon EKS. To add an Amazon EKS add-on to your cluster, see <>. For more information about add-ons, see <>. -Alternatively, if you want a self-managed installation of the CSI snapshot controller, see https://github.com/kubernetes-csi/external-snapshotter/blob/master/README.md#usage[Usage] in the upstream [.noloc]`Kubernetes` `external-snapshotter` on [.noloc]`GitHub`. \ No newline at end of file +Alternatively, if you want a self-managed installation of the CSI snapshot controller, see https://github.com/kubernetes-csi/external-snapshotter/blob/master/README.md#usage[Usage] in the upstream Kubernetes `external-snapshotter` on GitHub. \ No newline at end of file diff --git a/latest/ug/storage/ebs-csi.adoc b/latest/ug/storage/ebs-csi.adoc index 81999cd21..997171410 100644 --- a/latest/ug/storage/ebs-csi.adoc +++ b/latest/ug/storage/ebs-csi.adoc @@ -1,6 +1,6 @@ [.topic] [#ebs-csi] -= Store [.noloc]`Kubernetes` volumes with Amazon EBS += Store Kubernetes volumes with Amazon EBS :info_titleabbrev: Amazon EBS :keywords: Amazon EBS CSI driver, storage @@ -17,13 +17,13 @@ The Amazon Elastic Block Store (Amazon EBS) Container Storage Interface (CSI) dr ==== -The https://github.com/kubernetes-sigs/aws-ebs-csi-driver/[Amazon Elastic Block Store (Amazon EBS) Container Storage Interface (CSI) driver] manages the lifecycle of Amazon EBS volumes as storage for the Kubernetes Volumes that you create. The Amazon EBS CSI driver makes Amazon EBS volumes for these types of [.noloc]`Kubernetes` volumes: generic https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/[ephemeral volumes] and https://kubernetes.io/docs/concepts/storage/persistent-volumes/[persistent volumes]. +The https://github.com/kubernetes-sigs/aws-ebs-csi-driver/[Amazon Elastic Block Store (Amazon EBS) Container Storage Interface (CSI) driver] manages the lifecycle of Amazon EBS volumes as storage for the Kubernetes Volumes that you create. The Amazon EBS CSI driver makes Amazon EBS volumes for these types of Kubernetes volumes: generic https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/[ephemeral volumes] and https://kubernetes.io/docs/concepts/storage/persistent-volumes/[persistent volumes]. [#ebs-csi-considerations] == Considerations * You do not need to install the Amazon EBS CSI controller on EKS Auto Mode clusters. -* You can't mount Amazon EBS volumes to Fargate [.noloc]`Pods`. +* You can't mount Amazon EBS volumes to Fargate Pods. * You can run the Amazon EBS CSI controller on Fargate nodes, but the Amazon EBS CSI node `DaemonSet` can only run on Amazon EC2 instances. * Amazon EBS volumes and the Amazon EBS CSI driver are not compatible with Amazon EKS Hybrid Nodes. * Support will be provided for the latest add-on version and one prior version. Bugs or vulnerabilities found in the latest version will be backported to the previous release in a new minor version. @@ -48,18 +48,18 @@ aws eks describe-addon-versions --addon-name aws-ebs-csi-driver * The EBS CSI driver needs {aws} IAM Permissions. ** {aws} suggests using EKS Pod Identities. For more information, see <>. ** For information about IAM Roles for Service Accounts, see <>. -* If you're using a cluster wide restricted <>, make sure that the add-on is granted sufficient permissions to be deployed. For the permissions required by each add-on [.noloc]`Pod`, see the https://github.com/kubernetes-sigs/aws-ebs-csi-driver/tree/master/deploy/kubernetes/base[relevant add-on manifest definition] on GitHub. +* If you're using a cluster wide restricted <>, make sure that the add-on is granted sufficient permissions to be deployed. For the permissions required by each add-on Pod, see the https://github.com/kubernetes-sigs/aws-ebs-csi-driver/tree/master/deploy/kubernetes/base[relevant add-on manifest definition] on GitHub. [#csi-iam-role] == Step 1: Create an IAM role -The Amazon EBS CSI plugin requires IAM permissions to make calls to {aws} APIs on your behalf. If you don't do these steps, attempting to install the add-on and running `kubectl describe pvc` will show `failed to provision volume with StorageClass` along with a `could not create volume in EC2: UnauthorizedOperation` error. For more information, see https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/install.md#set-up-driver-permissions[Set up driver permission] on [.noloc]`GitHub`. +The Amazon EBS CSI plugin requires IAM permissions to make calls to {aws} APIs on your behalf. If you don't do these steps, attempting to install the add-on and running `kubectl describe pvc` will show `failed to provision volume with StorageClass` along with a `could not create volume in EC2: UnauthorizedOperation` error. For more information, see https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/install.md#set-up-driver-permissions[Set up driver permission] on GitHub. [NOTE] ==== -[.noloc]`Pods` will have access to the permissions that are assigned to the IAM role unless you block access to IMDS. For more information, see <>. +Pods will have access to the permissions that are assigned to the IAM role unless you block access to IMDS. For more information, see <>. ==== @@ -73,7 +73,7 @@ The following procedure shows you how to create an IAM role and attach the {aws} [NOTE] ==== -The specific steps in this procedure are written for using the driver as an Amazon EKS add-on. Different steps are needed to use the driver as a self-managed add-on. For more information, see https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/install.md#set-up-driver-permissions[Set up driver permissions] on [.noloc]`GitHub`. +The specific steps in this procedure are written for using the driver as an Amazon EKS add-on. Different steps are needed to use the driver as a self-managed add-on. For more information, see https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/install.md#set-up-driver-permissions[Set up driver permissions] on GitHub. ==== @@ -152,7 +152,7 @@ aws iam attach-role-policy \ . On the *Select trusted entity* page, do the following: + .. In the *Trusted entity type* section, choose *Web identity*. -.. For *Identity provider*, choose the *[.noloc]`OpenID Connect` provider URL* for your cluster (as shown under *Overview* in Amazon EKS). +.. For *Identity provider*, choose the *OpenID Connect provider URL* for your cluster (as shown under *Overview* in Amazon EKS). .. For *Audience*, choose `sts.amazonaws.com`. .. Choose *Next*. . On the *Add permissions* page, do the following: @@ -341,7 +341,7 @@ aws iam attach-role-policy \ --role-name AmazonEKS_EBS_CSI_DriverRole ---- -Now that you have created the Amazon EBS CSI driver IAM role, you can continue to the next section. When you deploy the add-on with this IAM role, it creates and is configured to use a service account that's named `ebs-csi-controller-sa`. The service account is bound to a [.noloc]`Kubernetes` `clusterrole` that's assigned the required [.noloc]`Kubernetes` permissions. +Now that you have created the Amazon EBS CSI driver IAM role, you can continue to the next section. When you deploy the add-on with this IAM role, it creates and is configured to use a service account that's named `ebs-csi-controller-sa`. The service account is bound to a Kubernetes `clusterrole` that's assigned the required Kubernetes permissions. [#managing-ebs-csi] == Step 2: Get the Amazon EBS CSI driver @@ -351,13 +351,13 @@ We recommend that you install the Amazon EBS CSI driver through the Amazon EKS a [IMPORTANT] ==== -Before adding the Amazon EBS driver as an Amazon EKS add-on, confirm that you don't have a self-managed version of the driver installed on your cluster. If so, see https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/install.md#uninstalling-the-ebs-csi-driver[Uninstalling a self-managed Amazon EBS CSI driver] on [.noloc]`GitHub`. +Before adding the Amazon EBS driver as an Amazon EKS add-on, confirm that you don't have a self-managed version of the driver installed on your cluster. If so, see https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/install.md#uninstalling-the-ebs-csi-driver[Uninstalling a self-managed Amazon EBS CSI driver] on GitHub. ==== -Alternatively, if you want a self-managed installation of the Amazon EBS CSI driver, see https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/install.md[Installation] on [.noloc]`GitHub`. +Alternatively, if you want a self-managed installation of the Amazon EBS CSI driver, see https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/install.md[Installation] on GitHub. [#ebs-sample-app] == Step 3: Deploy a sample application -You can deploy a variety of sample apps and modify them as needed. For more information, see https://github.com/kubernetes-sigs/aws-ebs-csi-driver/tree/master/examples/kubernetes[Kubernetes Examples] on [.noloc]`GitHub`. +You can deploy a variety of sample apps and modify them as needed. For more information, see https://github.com/kubernetes-sigs/aws-ebs-csi-driver/tree/master/examples/kubernetes[Kubernetes Examples] on GitHub. diff --git a/latest/ug/storage/efs-csi.adoc b/latest/ug/storage/efs-csi.adoc index 12149b02d..fbaf6c54d 100644 --- a/latest/ug/storage/efs-csi.adoc +++ b/latest/ug/storage/efs-csi.adoc @@ -8,10 +8,10 @@ include::../attributes.txt[] [abstract] -- -The Amazon EFS Container Storage Interface (CSI) driver provides a CSI interface that allows [.noloc]`Kubernetes` clusters running on {aws} to manage the lifecycle of Amazon EFS file systems. +The Amazon EFS Container Storage Interface (CSI) driver provides a CSI interface that allows Kubernetes clusters running on {aws} to manage the lifecycle of Amazon EFS file systems. -- -link:efs/latest/ug/whatisefs.html[Amazon Elastic File System,type="documentation"] (Amazon EFS) provides serverless, fully elastic file storage so that you can share file data without provisioning or managing storage capacity and performance. The https://github.com/kubernetes-sigs/aws-efs-csi-driver[Amazon EFS Container Storage Interface (CSI) driver] provides a CSI interface that allows [.noloc]`Kubernetes` clusters running on {aws} to manage the lifecycle of Amazon EFS file systems. This topic shows you how to deploy the Amazon EFS CSI driver to your Amazon EKS cluster. +link:efs/latest/ug/whatisefs.html[Amazon Elastic File System,type="documentation"] (Amazon EFS) provides serverless, fully elastic file storage so that you can share file data without provisioning or managing storage capacity and performance. The https://github.com/kubernetes-sigs/aws-efs-csi-driver[Amazon EFS Container Storage Interface (CSI) driver] provides a CSI interface that allows Kubernetes clusters running on {aws} to manage the lifecycle of Amazon EFS file systems. This topic shows you how to deploy the Amazon EFS CSI driver to your Amazon EKS cluster. [#efs-csi-considerations] == Considerations @@ -29,14 +29,14 @@ link:efs/latest/ug/whatisefs.html[Amazon Elastic File System,type="documentation [#efs-csi-prereqs] == Prerequisites -* An existing {aws} Identity and Access Management (IAM) [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you already have one, or to create one, see <>. -* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. -* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. +* An existing {aws} Identity and Access Management (IAM) OpenID Connect (OIDC) provider for your cluster. To determine whether you already have one, or to create one, see <>. +* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or Homebrew for macOS are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. +* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the Kubernetes version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. [NOTE] ==== -A [.noloc]`Pod` running on Fargate automatically mounts an Amazon EFS file system, without needing manual driver installation steps. +A Pod running on Fargate automatically mounts an Amazon EFS file system, without needing manual driver installation steps. ==== @@ -52,7 +52,7 @@ The Amazon EFS CSI driver requires IAM permissions to interact with your file sy [NOTE] ==== -The specific steps in this procedure are written for using the driver as an Amazon EKS add-on. For details on self-managed installations, see https://github.com/kubernetes-sigs/aws-efs-csi-driver#set-up-driver-permission[Set up driver permission] on [.noloc]`GitHub`. +The specific steps in this procedure are written for using the driver as an Amazon EKS add-on. For details on self-managed installations, see https://github.com/kubernetes-sigs/aws-efs-csi-driver#set-up-driver-permission[Set up driver permission] on GitHub. ==== @@ -85,7 +85,7 @@ Run the following to create an IAM role with {aws-management-console}. . On the *Select trusted entity* page, do the following: + .. In the *Trusted entity type* section, choose *Web identity*. -.. For *Identity provider*, choose the *[.noloc]`OpenID Connect` provider URL* for your cluster (as shown under *Overview* in Amazon EKS). +.. For *Identity provider*, choose the *OpenID Connect provider URL* for your cluster (as shown under *Overview* in Amazon EKS). .. For *Audience*, choose `sts.amazonaws.com`. .. Choose *Next*. . On the *Add permissions* page, do the following: @@ -181,14 +181,14 @@ aws iam attach-role-policy \ We recommend that you install the Amazon EFS CSI driver through the Amazon EKS add-on. To add an Amazon EKS add-on to your cluster, see <>. For more information about add-ons, see <>. If you're unable to use the Amazon EKS add-on, we encourage you to submit an issue about why you can't to the https://github.com/aws/containers-roadmap/issues[Containers roadmap GitHub repository]. -Alternatively, if you want a self-managed installation of the Amazon EFS CSI driver, see https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/README.md#installation[Installation] on [.noloc]`GitHub`. +Alternatively, if you want a self-managed installation of the Amazon EFS CSI driver, see https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/README.md#installation[Installation] on GitHub. [#efs-create-filesystem] == Step 3: Create an Amazon EFS file system -To create an Amazon EFS file system, see https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/efs-create-filesystem.md[Create an Amazon EFS file system for Amazon EKS] on [.noloc]`GitHub`. +To create an Amazon EFS file system, see https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/efs-create-filesystem.md[Create an Amazon EFS file system for Amazon EKS] on GitHub. [#efs-sample-app] == Step 4: Deploy a sample application -You can deploy a variety of sample apps and modify them as needed. For more information, see https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/README.md#examples[Examples] on [.noloc]`GitHub`. \ No newline at end of file +You can deploy a variety of sample apps and modify them as needed. For more information, see https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/README.md#examples[Examples] on GitHub. \ No newline at end of file diff --git a/latest/ug/storage/fsx-csi.adoc b/latest/ug/storage/fsx-csi.adoc index 07b88da95..9aaaabf5c 100644 --- a/latest/ug/storage/fsx-csi.adoc +++ b/latest/ug/storage/fsx-csi.adoc @@ -22,16 +22,16 @@ The driver isn't supported on Fargate or Amazon EKS Hybrid Nodes. ==== -For detailed descriptions of the available parameters and complete examples that demonstrate the driver's features, see the https://github.com/kubernetes-sigs/aws-fsx-csi-driver[FSx for Lustre Container Storage Interface (CSI) driver] project on [.noloc]`GitHub`. +For detailed descriptions of the available parameters and complete examples that demonstrate the driver's features, see the https://github.com/kubernetes-sigs/aws-fsx-csi-driver[FSx for Lustre Container Storage Interface (CSI) driver] project on GitHub. You must have: -* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. +* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or Homebrew for macOS are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. * Version `{eksctl-min-version}` or later of the `eksctl` command line tool installed on your device or {aws} CloudShell. To install or update `eksctl`, see https://eksctl.io/installation[Installation] in the `eksctl` documentation. -* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. +* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the Kubernetes version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. The following procedures help you create a simple test cluster with the FSx for Lustre CSI driver so that you can see how it works. We don't recommend using the testing cluster for production workloads. For this tutorial, we recommend using the [.replaceable]`example values`, except where it's noted to replace them. You can replace any [.replaceable]`example value` when completing the steps for your production cluster. We recommend completing all steps in the same terminal because variables are set and used throughout the steps and won't exist in different terminals. @@ -60,7 +60,7 @@ Cluster provisioning takes several minutes. During cluster creation, you'll see ---- [✓] EKS cluster "my-csi-fsx-cluster" in "region-code" region is ready ---- -. Create a [.noloc]`Kubernetes` service account for the driver and attach the `AmazonFSxFullAccess` {aws}-managed policy to the service account with the following command. +. Create a Kubernetes service account for the driver and attach the `AmazonFSxFullAccess` {aws}-managed policy to the service account with the following command. + [source,bash,subs="verbatim,attributes"] ---- @@ -93,7 +93,7 @@ Note the name of the {aws} CloudFormation stack that was deployed. In the previo . Deploy the driver with the following command. Replace [.replaceable]`release-X.XX` with your desired branch. The master branch isn't supported because it may contain upcoming features incompatible with the currently released stable version of the driver. We recommend using the latest released version. For a list of branches, see `aws-fsx-csi-driver` https://github.com/kubernetes-sigs/aws-fsx-csi-driver/branches/all[Branches] on GitHub. + -NOTE: You can view the content being applied in https://github.com/kubernetes-sigs/aws-fsx-csi-driver/tree/master/deploy/kubernetes/overlays/stable[aws-fsx-csi-driver/deploy/kubernetes/overlays/stable] on [.noloc]`GitHub`. +NOTE: You can view the content being applied in https://github.com/kubernetes-sigs/aws-fsx-csi-driver/tree/master/deploy/kubernetes/overlays/stable[aws-fsx-csi-driver/deploy/kubernetes/overlays/stable] on GitHub. + [source,bash,subs="verbatim,attributes"] ---- @@ -135,7 +135,7 @@ An example output is as follows. serviceaccount/fsx-csi-controller-sa annotated ---- -This procedure uses the https://github.com/kubernetes-sigs/aws-fsx-csi-driver[FSx for Lustre Container Storage Interface (CSI) driver][.noloc]`GitHub` repository to consume a dynamically-provisioned FSx for Lustre volume. +This procedure uses the https://github.com/kubernetes-sigs/aws-fsx-csi-driver[FSx for Lustre Container Storage Interface (CSI) driver]GitHub repository to consume a dynamically-provisioned FSx for Lustre volume. . Note the security group for your cluster. You can see it in the {aws-management-console} under the *Networking* section or by using the following {aws} CLI command. + @@ -173,7 +173,7 @@ parameters: *** If the subnet that you specify isn't the same subnet that you have nodes in, then your VPCs must be link:whitepapers/latest/aws-vpc-connectivity-options/amazon-vpc-to-amazon-vpc-connectivity-options.html[connected,type="documentation"], and you must ensure that you have the necessary ports open in your security groups. ** *`securityGroupIds`* – The ID of the security group you created for the file system. ** *`deploymentType` (optional)* – The file system deployment type. Valid values are `SCRATCH_1`, `SCRATCH_2`, `PERSISTENT_1`, and `PERSISTENT_2`. For more information about deployment types, see link:fsx/latest/LustreGuide/getting-started-step1.html[Create your Amazon FSx for Lustre file system,type="documentation"]. -** *other parameters (optional)* – For information about the other parameters, see https://github.com/kubernetes-sigs/aws-fsx-csi-driver/tree/master/examples/kubernetes/dynamic_provisioning#edit-storageclass[Edit StorageClass] on [.noloc]`GitHub`. +** *other parameters (optional)* – For information about the other parameters, see https://github.com/kubernetes-sigs/aws-fsx-csi-driver/tree/master/examples/kubernetes/dynamic_provisioning#edit-storageclass[Edit StorageClass] on GitHub. . Create the storage class manifest. + [source,bash,subs="verbatim,attributes"] diff --git a/latest/ug/storage/fsx-ontap.adoc b/latest/ug/storage/fsx-ontap.adoc index d4a9daaaa..a23a19341 100644 --- a/latest/ug/storage/fsx-ontap.adoc +++ b/latest/ug/storage/fsx-ontap.adoc @@ -8,9 +8,9 @@ include::../attributes.txt[] [abstract] -- -The [.noloc]`NetApp Trident` allows Amazon EKS clusters to manage the lifecycle of persistent volumes (PVs) backed by Amazon FSx for NetApp ONTAP file systems. +The NetApp Trident allows Amazon EKS clusters to manage the lifecycle of persistent volumes (PVs) backed by Amazon FSx for NetApp ONTAP file systems. -- -The [.noloc]`NetApp Trident` provides dynamic storage orchestration using a Container Storage Interface (CSI) compliant driver. This allows Amazon EKS clusters to manage the lifecycle of persistent volumes (PVs) backed by Amazon FSx for NetApp ONTAP file systems. Note that the Amazon FSx for NetApp ONTAP CSI driver is not compatible with Amazon EKS Hybrid Nodes. To get started, see https://docs.netapp.com/us-en/trident/trident-use/trident-fsx.html[Use Trident with Amazon FSx for NetApp ONTAP] in the [.noloc]`NetApp Trident` documentation. +The NetApp Trident provides dynamic storage orchestration using a Container Storage Interface (CSI) compliant driver. This allows Amazon EKS clusters to manage the lifecycle of persistent volumes (PVs) backed by Amazon FSx for NetApp ONTAP file systems. Note that the Amazon FSx for NetApp ONTAP CSI driver is not compatible with Amazon EKS Hybrid Nodes. To get started, see https://docs.netapp.com/us-en/trident/trident-use/trident-fsx.html[Use Trident with Amazon FSx for NetApp ONTAP] in the NetApp Trident documentation. -Amazon FSx for NetApp ONTAP is a storage service that allows you to launch and run fully managed [.noloc]`ONTAP` file systems in the cloud. [.noloc]`ONTAP` is [.noloc]`NetApp's` file system technology that provides a widely adopted set of data access and data management capabilities. FSx for ONTAP provides the features, performance, and APIs of on-premises [.noloc]`NetApp` file systems with the agility, scalability, and simplicity of a fully managed {aws} service. For more information, see the link:fsx/latest/ONTAPGuide/what-is-fsx-ontap.html[FSx for ONTAP User Guide,type="documentation"]. \ No newline at end of file +Amazon FSx for NetApp ONTAP is a storage service that allows you to launch and run fully managed ONTAP file systems in the cloud. ONTAP is NetApp's file system technology that provides a widely adopted set of data access and data management capabilities. FSx for ONTAP provides the features, performance, and APIs of on-premises NetApp file systems with the agility, scalability, and simplicity of a fully managed {aws} service. For more information, see the link:fsx/latest/ONTAPGuide/what-is-fsx-ontap.html[FSx for ONTAP User Guide,type="documentation"]. \ No newline at end of file diff --git a/latest/ug/storage/s3-csi.adoc b/latest/ug/storage/s3-csi.adoc index e27d866d4..c651f38c5 100644 --- a/latest/ug/storage/s3-csi.adoc +++ b/latest/ug/storage/s3-csi.adoc @@ -11,36 +11,36 @@ include::../attributes.txt[] Learn about the Amazon S3 Container Storage Interface (CSI) driver, which provides a CSI interface for managing Amazon S3 files and buckets. -- -With the https://github.com/awslabs/mountpoint-s3-csi-driver[Mountpoint for Amazon S3 Container Storage Interface (CSI) driver], your [.noloc]`Kubernetes` applications can access Amazon S3 objects through a file system interface, achieving high aggregate throughput without changing any application code. Built on https://github.com/awslabs/mountpoint-s3[Mountpoint for Amazon S3], the CSI driver presents an Amazon S3 bucket as a volume that can be accessed by containers in Amazon EKS and self-managed [.noloc]`Kubernetes` clusters. This topic shows you how to deploy the [.noloc]`Mountpoint` for Amazon S3 CSI driver to your Amazon EKS cluster. +With the https://github.com/awslabs/mountpoint-s3-csi-driver[Mountpoint for Amazon S3 Container Storage Interface (CSI) driver], your Kubernetes applications can access Amazon S3 objects through a file system interface, achieving high aggregate throughput without changing any application code. Built on https://github.com/awslabs/mountpoint-s3[Mountpoint for Amazon S3], the CSI driver presents an Amazon S3 bucket as a volume that can be accessed by containers in Amazon EKS and self-managed Kubernetes clusters. This topic shows you how to deploy the Mountpoint for Amazon S3 CSI driver to your Amazon EKS cluster. [#s3-csi-considerations] == Considerations -* The [.noloc]`Mountpoint` for Amazon S3 CSI driver isn't presently compatible with Windows-based container images. +* The Mountpoint for Amazon S3 CSI driver isn't presently compatible with Windows-based container images. * The Mountpoint for Amazon S3 CSI driver isn't presently compatible with Amazon EKS Hybrid Nodes. -* The [.noloc]`Mountpoint` for Amazon S3 CSI driver doesn't support {aws} Fargate. However, containers that are running in Amazon EC2 (either with Amazon EKS or a custom [.noloc]`Kubernetes` installation) are supported. -* The [.noloc]`Mountpoint` for Amazon S3 CSI driver supports only static provisioning. Dynamic provisioning, or creation of new buckets, isn't supported. +* The Mountpoint for Amazon S3 CSI driver doesn't support {aws} Fargate. However, containers that are running in Amazon EC2 (either with Amazon EKS or a custom Kubernetes installation) are supported. +* The Mountpoint for Amazon S3 CSI driver supports only static provisioning. Dynamic provisioning, or creation of new buckets, isn't supported. + -NOTE: Static provisioning refers to using an existing Amazon S3 bucket that is specified as the `bucketName` in the `volumeAttributes` in the `PersistentVolume` object. For more information, see https://github.com/awslabs/mountpoint-s3-csi-driver/blob/main/examples/kubernetes/static_provisioning/README.md[Static Provisioning] on [.noloc]`GitHub`. -* Volumes mounted with the [.noloc]`Mountpoint` for Amazon S3 CSI driver don't support all POSIX file-system features. For details about file-system behavior, see https://github.com/awslabs/mountpoint-s3/blob/main/doc/SEMANTICS.md[Mountpoint for Amazon S3 file system behavior] on [.noloc]`GitHub`. +NOTE: Static provisioning refers to using an existing Amazon S3 bucket that is specified as the `bucketName` in the `volumeAttributes` in the `PersistentVolume` object. For more information, see https://github.com/awslabs/mountpoint-s3-csi-driver/blob/main/examples/kubernetes/static_provisioning/README.md[Static Provisioning] on GitHub. +* Volumes mounted with the Mountpoint for Amazon S3 CSI driver don't support all POSIX file-system features. For details about file-system behavior, see https://github.com/awslabs/mountpoint-s3/blob/main/doc/SEMANTICS.md[Mountpoint for Amazon S3 file system behavior] on GitHub. [#s3-csi-prereqs] == Prerequisites -* An existing {aws} Identity and Access Management (IAM) [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you already have one, or to create one, see <>. +* An existing {aws} Identity and Access Management (IAM) OpenID Connect (OIDC) provider for your cluster. To determine whether you already have one, or to create one, see <>. * Version 2.12.3 or later of the {aws} CLI installed and configured on your device or {aws} CloudShell. -* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the [.noloc]`Kubernetes` version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. +* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the Kubernetes version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. [#s3-create-iam-policy] == Create an IAM policy -The [.noloc]`Mountpoint` for Amazon S3 CSI driver requires Amazon S3 permissions to interact with your file system. This section shows how to create an IAM policy that grants the necessary permissions. +The Mountpoint for Amazon S3 CSI driver requires Amazon S3 permissions to interact with your file system. This section shows how to create an IAM policy that grants the necessary permissions. -The following example policy follows the IAM permission recommendations for [.noloc]`Mountpoint`. Alternatively, you can use the {aws} managed policy link:iam/home?#/policies/arn:aws:iam::aws:policy/AmazonS3FullAccess$jsonEditor[AmazonS3FullAccess,type="console"], but this managed policy grants more permissions than are needed for [.noloc]`Mountpoint`. +The following example policy follows the IAM permission recommendations for Mountpoint. Alternatively, you can use the {aws} managed policy link:iam/home?#/policies/arn:aws:iam::aws:policy/AmazonS3FullAccess$jsonEditor[AmazonS3FullAccess,type="console"], but this managed policy grants more permissions than are needed for Mountpoint. -For more information about the recommended permissions for [.noloc]`Mountpoint`, see https://github.com/awslabs/mountpoint-s3/blob/main/doc/CONFIGURATION.md#iam-permissions[Mountpoint IAM permissions] on [.noloc]`GitHub`. +For more information about the recommended permissions for Mountpoint, see https://github.com/awslabs/mountpoint-s3/blob/main/doc/CONFIGURATION.md#iam-permissions[Mountpoint IAM permissions] on GitHub. . Open the IAM console at https://console.aws.amazon.com/iam/. . In the left navigation pane, choose *Policies*. @@ -107,7 +107,7 @@ Below is an example of least-privilege policy that you would use for a directory [#s3-create-iam-role] == Create an IAM role -The [.noloc]`Mountpoint` for Amazon S3 CSI driver requires Amazon S3 permissions to interact with your file system. This section shows how to create an IAM role to delegate these permissions. To create this role, you can use one of these tools: +The Mountpoint for Amazon S3 CSI driver requires Amazon S3 permissions to interact with your file system. This section shows how to create an IAM role to delegate these permissions. To create this role, you can use one of these tools: * <> * <> @@ -120,11 +120,11 @@ The IAM policy `AmazonS3CSIDriverPolicy` was created in the previous section. ==== -=== [.noloc]`eksctl` [[eksctl_s3_store_app_data]] +=== eksctl [[eksctl_s3_store_app_data]] -*To create your [.noloc]`Mountpoint` for Amazon S3 CSI driver IAM role with `eksctl`* +*To create your Mountpoint for Amazon S3 CSI driver IAM role with `eksctl`* -To create the IAM role and the [.noloc]`Kubernetes` service account, run the following commands. These commands also attach the `AmazonS3CSIDriverPolicy` IAM policy to the role, annotate the [.noloc]`Kubernetes` service account (`s3-csi-controller-sa`) with the IAM role's Amazon Resource Name (ARN), and add the [.noloc]`Kubernetes` service account name to the trust policy for the IAM role. +To create the IAM role and the Kubernetes service account, run the following commands. These commands also attach the `AmazonS3CSIDriverPolicy` IAM policy to the role, annotate the Kubernetes service account (`s3-csi-controller-sa`) with the IAM role's Amazon Resource Name (ARN), and add the Kubernetes service account name to the trust policy for the IAM role. [source,bash,subs="verbatim,attributes"] ---- @@ -151,21 +151,21 @@ eksctl create iamserviceaccount \ . On the *Select trusted entity* page, do the following: + .. In the *Trusted entity type* section, choose *Web identity*. -.. For *Identity provider*, choose the *[.noloc]`OpenID Connect` provider URL* for your cluster (as shown under *Overview* in Amazon EKS). +.. For *Identity provider*, choose the *OpenID Connect provider URL* for your cluster (as shown under *Overview* in Amazon EKS). + If no URLs are shown, review the <>. .. For *Audience*, choose `sts.amazonaws.com`. .. Choose *Next*. . On the *Add permissions* page, do the following: + -.. In the *Filter policies* box, enter [.noloc]`AmazonS3CSIDriverPolicy`. +.. In the *Filter policies* box, enter AmazonS3CSIDriverPolicy. + NOTE: This policy was created in the previous section. .. Select the check box to the left of the `AmazonS3CSIDriverPolicy` result that was returned in the search. .. Choose *Next*. . On the *Name, review, and create* page, do the following: + -.. For *Role name*, enter a unique name for your role, such as [.noloc]`AmazonEKS_S3_CSI_DriverRole`. +.. For *Role name*, enter a unique name for your role, such as AmazonEKS_S3_CSI_DriverRole. .. Under *Add tags (Optional)*, add metadata to the role by attaching tags as key-value pairs. For more information about using tags in IAM, see link:IAM/latest/UserGuide/id_tags.html[Tagging IAM resources,type="documentation"] in the _IAM User Guide_. .. Choose *Create role*. . After the role is created, choose the role in the console to open it for editing. @@ -200,7 +200,7 @@ An example output is as follows. ---- https://oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE ---- -. Create the IAM role, granting the [.noloc]`Kubernetes` service account the `AssumeRoleWithWebIdentity` action. +. Create the IAM role, granting the Kubernetes service account the `AssumeRoleWithWebIdentity` action. + .. Copy the following contents to a file named `aws-s3-csi-driver-trust-policy.json`. Replace [.replaceable]`111122223333` with your account ID. Replace [.replaceable]`EXAMPLED539D4633E53DE1B71EXAMPLE` and [.replaceable]`region-code` with the values returned in the previous step. + @@ -243,7 +243,7 @@ aws iam attach-role-policy \ ---- + NOTE: The IAM policy `AmazonS3CSIDriverPolicy` was created in the previous section. -. Skip this step if you're installing the driver as an Amazon EKS add-on. For self-managed installations of the driver, create [.noloc]`Kubernetes` service accounts that are annotated with the ARN of the IAM role that you created. +. Skip this step if you're installing the driver as an Amazon EKS add-on. For self-managed installations of the driver, create Kubernetes service accounts that are annotated with the ARN of the IAM role that you created. + .. Save the following contents to a file named `mountpoint-s3-service-account.yaml`. Replace [.replaceable]`111122223333` with your account ID. + @@ -260,7 +260,7 @@ metadata: annotations: eks.amazonaws.com/role-arn: {arn-aws}iam::111122223333:role/AmazonEKS_S3_CSI_DriverRole ---- -.. Create the [.noloc]`Kubernetes` service account on your cluster. The [.noloc]`Kubernetes` service account (`mountpoint-s3-csi-controller-sa`) is annotated with the IAM role that you created named [.replaceable]`AmazonEKS_S3_CSI_DriverRole`. +.. Create the Kubernetes service account on your cluster. The Kubernetes service account (`mountpoint-s3-csi-controller-sa`) is annotated with the IAM role that you created named [.replaceable]`AmazonEKS_S3_CSI_DriverRole`. + [source,bash,subs="verbatim,attributes"] ---- @@ -271,20 +271,20 @@ NOTE: When you deploy the plugin in this procedure, it creates and is configured [#s3-install-driver] -== Install the [.noloc]`Mountpoint` for Amazon S3 CSI driver +== Install the Mountpoint for Amazon S3 CSI driver -You may install the [.noloc]`Mountpoint` for Amazon S3 CSI driver through the Amazon EKS add-on. You can use the following tools to add the add-on to your cluster: +You may install the Mountpoint for Amazon S3 CSI driver through the Amazon EKS add-on. You can use the following tools to add the add-on to your cluster: * <> * <> * <> -Alternatively, you may install [.noloc]`Mountpoint` for Amazon S3 CSI driver as a self-managed installation. For instructions on doing a self-managed installation, see https://github.com/awslabs/mountpoint-s3-csi-driver/blob/main/docs/install.md#deploy-driver[Installation] on [.noloc]`GitHub`. +Alternatively, you may install Mountpoint for Amazon S3 CSI driver as a self-managed installation. For instructions on doing a self-managed installation, see https://github.com/awslabs/mountpoint-s3-csi-driver/blob/main/docs/install.md#deploy-driver[Installation] on GitHub. -Starting from `v1.8.0`, you can configure taints to tolerate for the CSI driver's [.noloc]`Pods`. To do this, either specify a custom set of taints to tolerate with `node.tolerations` or tolorate all taints with `node.tolerateAllTaints`. For more information, see https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/[Taints and Tolerations] in the [.noloc]`Kubernetes` documentation. +Starting from `v1.8.0`, you can configure taints to tolerate for the CSI driver's Pods. To do this, either specify a custom set of taints to tolerate with `node.tolerations` or tolorate all taints with `node.tolerateAllTaints`. For more information, see https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/[Taints and Tolerations] in the Kubernetes documentation. -=== [.noloc]`eksctl` [[eksctl_s3_add_store_app_data]] +=== eksctl [[eksctl_s3_add_store_app_data]] *To add the Amazon S3 CSI add-on using `eksctl`* @@ -296,7 +296,7 @@ eksctl create addon --name aws-mountpoint-s3-csi-driver --cluster my-cluster \ --service-account-role-arn {arn-aws}iam::111122223333:role/AmazonEKS_S3_CSI_DriverRole --force ---- -If you remove the [.replaceable]`--force` option and any of the Amazon EKS add-on settings conflict with your existing settings, then updating the Amazon EKS add-on fails, and you receive an error message to help you resolve the conflict. Before specifying this option, make sure that the Amazon EKS add-on doesn't manage settings that you need to manage, because those settings are overwritten with this option. For more information about other options for this setting, see https://eksctl.io/usage/addons/[Addons] in the `eksctl` documentation. For more information about Amazon EKS [.noloc]`Kubernetes` field management, see <>. +If you remove the [.replaceable]`--force` option and any of the Amazon EKS add-on settings conflict with your existing settings, then updating the Amazon EKS add-on fails, and you receive an error message to help you resolve the conflict. Before specifying this option, make sure that the Amazon EKS add-on doesn't manage settings that you need to manage, because those settings are overwritten with this option. For more information about other options for this setting, see https://eksctl.io/usage/addons/[Addons] in the `eksctl` documentation. For more information about Amazon EKS Kubernetes field management, see <>. You can customize `eksctl` through configuration files. For more information, see https://eksctl.io/usage/addons/#working-with-configuration-values[Working with configuration values] in the `eksctl` documentation. The following example shows how to tolerate all taints. @@ -316,17 +316,17 @@ addons: === {aws-management-console} [[console_s3_add_store_app_data]] . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. . In the left navigation pane, choose *Clusters*. -. Choose the name of the cluster that you want to configure the [.noloc]`Mountpoint` for Amazon S3 CSI add-on for. +. Choose the name of the cluster that you want to configure the Mountpoint for Amazon S3 CSI add-on for. . Choose the *Add-ons* tab. . Choose *Get more add-ons*. . On the *Select add-ons* page, do the following: + -.. In the *Amazon EKS-addons* section, select the *[.noloc]`Mountpoint` for Amazon S3 CSI Driver* check box. +.. In the *Amazon EKS-addons* section, select the *Mountpoint for Amazon S3 CSI Driver* check box. .. Choose *Next*. . On the *Configure selected add-ons settings* page, do the following: + .. Select the *Version* you'd like to use. -.. For *Select IAM role*, select the name of an IAM role that you attached the [.noloc]`Mountpoint` for Amazon S3 CSI driver IAM policy to. +.. For *Select IAM role*, select the name of an IAM role that you attached the Mountpoint for Amazon S3 CSI driver IAM policy to. .. (Optional) Update the *Conflict resolution method* after expanding the *Optional configuration settings*. If you select *Override*, one or more of the settings for the existing add-on can be overwritten with the Amazon EKS add-on settings. If you don't enable this option and there's a conflict with your existing settings, the operation fails. You can use the resulting error message to troubleshoot the conflict. Before selecting this option, make sure that the Amazon EKS add-on doesn't manage settings that you need to self-manage. .. (Optional) Configure tolerations in the *Configuration values* field after expanding the *Optional configuration settings*. .. Choose *Next*. @@ -334,7 +334,7 @@ addons: === {aws} CLI [[awscli_s3_add_store_app_data]] -*To add the [.noloc]`Mountpoint` for Amazon S3 CSI add-on using the {aws} CLI* +*To add the Mountpoint for Amazon S3 CSI add-on using the {aws} CLI* Run the following command. Replace [.replaceable]`my-cluster` with the name of your cluster, [.replaceable]`111122223333` with your account ID, and [.replaceable]`AmazonEKS_S3_CSI_DriverRole` with the name of the role that was created earlier. @@ -355,17 +355,17 @@ aws eks create-addon --cluster-name my-cluster --addon-name aws-mountpoint-s3-cs [#s3-configure-mountpoint] -== Configure [.noloc]`Mountpoint` for Amazon S3 +== Configure Mountpoint for Amazon S3 -In most cases, you can configure [.noloc]`Mountpoint` for Amazon S3 with only a bucket name. For instructions on configuring [.noloc]`Mountpoint` for Amazon S3, see https://github.com/awslabs/mountpoint-s3/blob/main/doc/CONFIGURATION.md[Configuring Mountpoint for Amazon S3] on [.noloc]`GitHub`. +In most cases, you can configure Mountpoint for Amazon S3 with only a bucket name. For instructions on configuring Mountpoint for Amazon S3, see https://github.com/awslabs/mountpoint-s3/blob/main/doc/CONFIGURATION.md[Configuring Mountpoint for Amazon S3] on GitHub. [#s3-sample-app] == Deploy a sample application -You can deploy static provisioning to the driver on an existing Amazon S3 bucket. For more information, see https://github.com/awslabs/mountpoint-s3-csi-driver/blob/main/examples/kubernetes/static_provisioning/README.md[Static provisioning] on [.noloc]`GitHub`. +You can deploy static provisioning to the driver on an existing Amazon S3 bucket. For more information, see https://github.com/awslabs/mountpoint-s3-csi-driver/blob/main/examples/kubernetes/static_provisioning/README.md[Static provisioning] on GitHub. [#removing-s3-csi-eks-add-on] -== Remove [.noloc]`Mountpoint` for Amazon S3 CSI Driver +== Remove Mountpoint for Amazon S3 CSI Driver You have two options for removing an Amazon EKS add-on. @@ -380,7 +380,7 @@ You can use the following tools to remove the Amazon S3 CSI add-on: * <> * <> -=== [.noloc]`eksctl` [[eksctl_s3_remove_store_app_data]] +=== eksctl [[eksctl_s3_remove_store_app_data]] *To remove the Amazon S3 CSI add-on using `eksctl`* @@ -396,7 +396,7 @@ eksctl delete addon --cluster my-cluster --name aws-mountpoint-s3-csi-driver --p . In the left navigation pane, choose *Clusters*. . Choose the name of the cluster that you want to remove the Amazon EBS CSI add-on for. . Choose the *Add-ons* tab. -. Choose *[.noloc]`Mountpoint` for Amazon S3 CSI Driver*. +. Choose *Mountpoint for Amazon S3 CSI Driver*. . Choose *Remove*. . In the *Remove: aws-mountpoint-s3-csi-driver* confirmation dialog box, do the following: + diff --git a/latest/ug/troubleshooting/troubleshooting.adoc b/latest/ug/troubleshooting/troubleshooting.adoc index 7d8ce9f5f..3f44ce014 100644 --- a/latest/ug/troubleshooting/troubleshooting.adoc +++ b/latest/ug/troubleshooting/troubleshooting.adoc @@ -58,14 +58,14 @@ If the nodes are self-managed, and you haven't created <.compute.internal` and `domain-name-servers:AmazonProvidedDNS`. For more information, see link:vpc/latest/userguide/VPC_DHCP_Options.html#AmazonDNS[DHCP options sets,type="documentation"] in the _Amazon VPC User Guide_. -* If the nodes in the managed node group do not connect to the cluster within 15 minutes, a health issue of "`NodeCreationFailure`" will be emitted and the console status will be set to `Create failed`. For [.noloc]`Windows` AMIs that have slow launch times, this issue can be resolved using link:AWSEC2/latest/WindowsGuide/win-ami-config-fast-launch.html[fast launch,type="documentation"]. +* If the nodes in the managed node group do not connect to the cluster within 15 minutes, a health issue of "`NodeCreationFailure`" will be emitted and the console status will be set to `Create failed`. For Windows AMIs that have slow launch times, this issue can be resolved using link:AWSEC2/latest/WindowsGuide/win-ami-config-fast-launch.html[fast launch,type="documentation"]. To identify and troubleshoot common causes that prevent worker nodes from joining a cluster, you can use the `AWSSupport-TroubleshootEKSWorkerNode` runbook. For more information, see `link:systems-manager-automation-runbooks/latest/userguide/automation-awssupport-troubleshooteksworkernode.html[AWSSupport-TroubleshootEKSWorkerNode,type="documentation"]` in the _{aws} Systems Manager Automation runbook reference_. [#unauthorized] == Unauthorized or access denied (`kubectl`) -If you receive one of the following errors while running `kubectl` commands, then you don't have `kubectl` configured properly for Amazon EKS or the credentials for the IAM principal (role or user) that you're using don't map to a [.noloc]`Kubernetes` username that has sufficient permissions to [.noloc]`Kubernetes` objects on your Amazon EKS cluster. +If you receive one of the following errors while running `kubectl` commands, then you don't have `kubectl` configured properly for Amazon EKS or the credentials for the IAM principal (role or user) that you're using don't map to a Kubernetes username that has sufficient permissions to Kubernetes objects on your Amazon EKS cluster. @@ -78,10 +78,10 @@ This could be due to one of the following reasons: * The cluster was created with credentials for one IAM principal and `kubectl` is configured to use credentials for a different IAM principal. To resolve this, update your `kube config` file to use the credentials that created the cluster. For more information, see <>. -* If your cluster meets the minimum platform requirements in the prerequisites section of <>, an access entry doesn't exist with your IAM principal. If it exists, it doesn't have the necessary [.noloc]`Kubernetes` group names defined for it, or doesn't have the proper access policy associated to it. For more information, see <>. -* If your cluster doesn't meet the minimum platform requirements in <>, an entry with your IAM principal doesn't exist in the `aws-auth` `ConfigMap`. If it exists, it's not mapped to [.noloc]`Kubernetes` group names that are bound to a [.noloc]`Kubernetes` `Role` or `ClusterRole` with the necessary permissions. For more information about [.noloc]`Kubernetes` role-based authorization (RBAC) objects, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Using RBAC authorization] in the [.noloc]`Kubernetes` documentation. You can view your current `aws-auth` `ConfigMap` entries by replacing [.replaceable]`my-cluster` in the following command with the name of your cluster and then running the modified command: `eksctl get iamidentitymapping --cluster [.replaceable]``my-cluster```. If an entry for with the ARN of your IAM principal isn't in the `ConfigMap`, enter `eksctl create iamidentitymapping --help` in your terminal to learn how to create one. +* If your cluster meets the minimum platform requirements in the prerequisites section of <>, an access entry doesn't exist with your IAM principal. If it exists, it doesn't have the necessary Kubernetes group names defined for it, or doesn't have the proper access policy associated to it. For more information, see <>. +* If your cluster doesn't meet the minimum platform requirements in <>, an entry with your IAM principal doesn't exist in the `aws-auth` `ConfigMap`. If it exists, it's not mapped to Kubernetes group names that are bound to a Kubernetes `Role` or `ClusterRole` with the necessary permissions. For more information about Kubernetes role-based authorization (RBAC) objects, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Using RBAC authorization] in the Kubernetes documentation. You can view your current `aws-auth` `ConfigMap` entries by replacing [.replaceable]`my-cluster` in the following command with the name of your cluster and then running the modified command: `eksctl get iamidentitymapping --cluster [.replaceable]``my-cluster```. If an entry for with the ARN of your IAM principal isn't in the `ConfigMap`, enter `eksctl create iamidentitymapping --help` in your terminal to learn how to create one. -If you install and configure the {aws} CLI, you can configure the IAM credentials that you use. For more information, see link:cli/latest/userguide/cli-chap-getting-started.html[Configuring the {aws} CLI,type="documentation"] in the _{aws} Command Line Interface User Guide_. You can also configure `kubectl` to use an IAM role, if you assume an IAM role to access [.noloc]`Kubernetes` objects on your cluster. For more information, see <>. +If you install and configure the {aws} CLI, you can configure the IAM credentials that you use. For more information, see link:cli/latest/userguide/cli-chap-getting-started.html[Configuring the {aws} CLI,type="documentation"] in the _{aws} Command Line Interface User Guide_. You can also configure `kubectl` to use an IAM role, if you assume an IAM role to access Kubernetes objects on your cluster. For more information, see <>. [#python-version] == `hostname doesn't match` @@ -91,7 +91,7 @@ Your system's Python version must be `2.7.9` or later. Otherwise, you receive `h [#troubleshoot-docker-cidr] == `getsockopt: no route to host` -[.noloc]`Docker` runs in the `172.17.0.0/16` CIDR range in Amazon EKS clusters. We recommend that your cluster's VPC subnets do not overlap this range. Otherwise, you will receive the following error: +Docker runs in the `172.17.0.0/16` CIDR range in Amazon EKS clusters. We recommend that your cluster's VPC subnets do not overlap this range. Otherwise, you will receive the following error: [source,bash,subs="verbatim,attributes"] ---- @@ -112,7 +112,7 @@ If your managed node group encounters a hardware health issue, Amazon EKS return *AccessDenied*:: -Amazon EKS or one or more of your managed nodes is failing to authenticate or authorize with your [.noloc]`Kubernetes` cluster API server. For more information about resolving a common cause, see <>. Private [.noloc]`Windows` AMIs can also cause this error code alongside the `Not authorized for images` error message. For more information, see <>. +Amazon EKS or one or more of your managed nodes is failing to authenticate or authorize with your Kubernetes cluster API server. For more information about resolving a common cause, see <>. Private Windows AMIs can also cause this error code alongside the `Not authorized for images` error message. For more information, see <>. *AmiIdNotFound*:: @@ -124,7 +124,7 @@ We couldn't find the Auto Scaling group associated with the managed node group. *ClusterUnreachable*:: -Amazon EKS or one or more of your managed nodes is unable to communicate with your [.noloc]`Kubernetes` cluster API server. This can happen if there are network disruptions or if API servers are timing out processing requests. +Amazon EKS or one or more of your managed nodes is unable to communicate with your Kubernetes cluster API server. This can happen if there are network disruptions or if API servers are timing out processing requests. *Ec2SecurityGroupNotFound*:: @@ -314,19 +314,19 @@ Retry the node group operation to see if that resolved your issue. [#not-authorized-for-images] == `Not authorized for images` -One potential cause of a `Not authorized for images` error message is using a private Amazon EKS [.noloc]`Windows` AMI to launch [.noloc]`Windows` managed node groups. After releasing new [.noloc]`Windows` AMIs, {aws} makes AMIs that are older than 4 months private, which makes them no longer accessible. If your managed node group is using a private [.noloc]`Windows` AMI, consider <>. While we can't guarantee that we can provide access to AMIs that have been made private, you can request access by filing a ticket with {aws} Support. For more information, see link:AWSEC2/latest/WindowsGuide/aws-windows-ami.html#ami-patches-security-ID[Patches, security updates, and AMI IDs,type="documentation"] in the _Amazon EC2 User Guide_. +One potential cause of a `Not authorized for images` error message is using a private Amazon EKS Windows AMI to launch Windows managed node groups. After releasing new Windows AMIs, {aws} makes AMIs that are older than 4 months private, which makes them no longer accessible. If your managed node group is using a private Windows AMI, consider <>. While we can't guarantee that we can provide access to AMIs that have been made private, you can request access by filing a ticket with {aws} Support. For more information, see link:AWSEC2/latest/WindowsGuide/aws-windows-ami.html#ami-patches-security-ID[Patches, security updates, and AMI IDs,type="documentation"] in the _Amazon EC2 User Guide_. [#not-ready] == Node is in `NotReady` state -If your node enters a `NotReady` status, this likely indicates that the node is unhealthy and unavailable to schedule new [.noloc]`Pods`. This can occur for various reasons, such as the node lacking sufficient resources for CPU, memory, or available disk space. +If your node enters a `NotReady` status, this likely indicates that the node is unhealthy and unavailable to schedule new Pods. This can occur for various reasons, such as the node lacking sufficient resources for CPU, memory, or available disk space. -For Amazon EKS optimized [.noloc]`Windows` AMIs, there's no reservation for compute resources specified by default in the `kubelet` configuration. To help prevent resource issues, you can reserve compute resources for system processes by providing the `kubelet` with configuration values for https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/#kube-reserved[kube-reserved] and/or https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/#system-reserved[system-reserved]. You do this using the `-KubeletExtraArgs` command-line parameter in the bootstrap script. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/[Reserve Compute Resources for System Daemons] in the [.noloc]`Kubernetes` documentation and <> in this user guide. +For Amazon EKS optimized Windows AMIs, there's no reservation for compute resources specified by default in the `kubelet` configuration. To help prevent resource issues, you can reserve compute resources for system processes by providing the `kubelet` with configuration values for https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/#kube-reserved[kube-reserved] and/or https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/#system-reserved[system-reserved]. You do this using the `-KubeletExtraArgs` command-line parameter in the bootstrap script. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/[Reserve Compute Resources for System Daemons] in the Kubernetes documentation and <> in this user guide. [#troubleshoot-cni] == CNI log collection tool -The [.noloc]`Amazon VPC CNI plugin for Kubernetes` has its own troubleshooting script that is available on nodes at `/opt/cni/bin/aws-cni-support.sh`. You can use the script to collect diagnostic logs for support cases and general troubleshooting. +The Amazon VPC CNI plugin for Kubernetes has its own troubleshooting script that is available on nodes at `/opt/cni/bin/aws-cni-support.sh`. You can use the script to collect diagnostic logs for support cases and general troubleshooting. Use the following command to run the script on your node: @@ -434,14 +434,14 @@ To resolve the issue, check the route table and security groups to ensure that t [#default-region-env-variable] == InvalidClientTokenId -If you're using IAM roles for service accounts for a [.noloc]`Pod` or [.noloc]`DaemonSet` deployed to a cluster in a China {aws} Region, and haven't set the `AWS_DEFAULT_REGION` environment variable in the spec, the [.noloc]`Pod` or [.noloc]`DaemonSet` may receive the following error: +If you're using IAM roles for service accounts for a Pod or DaemonSet deployed to a cluster in a China {aws} Region, and haven't set the `AWS_DEFAULT_REGION` environment variable in the spec, the Pod or DaemonSet may receive the following error: [source,bash,subs="verbatim,attributes"] ---- An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid ---- -To resolve the issue, you need to add the `AWS_DEFAULT_REGION` environment variable to your [.noloc]`Pod` or [.noloc]`DaemonSet` spec, as shown in the following example [.noloc]`Pod` spec. +To resolve the issue, you need to add the `AWS_DEFAULT_REGION` environment variable to your Pod or DaemonSet spec, as shown in the following example Pod spec. [source,yaml,subs="verbatim,attributes"] ---- @@ -462,9 +462,9 @@ spec: [#troubleshoot-node-grups-must-match-kubernetes-version] -== Node groups must match [.noloc]`Kubernetes` version before upgrading control plane +== Node groups must match Kubernetes version before upgrading control plane -Before you upgrade a control plane to a new [.noloc]`Kubernetes` version, the minor version of the managed and Fargate nodes in your cluster must be the same as the version of your control plane's current version. The Amazon EKS `update-cluster-version` API rejects requests until you upgrade all Amazon EKS managed nodes to the current cluster version. Amazon EKS provides APIs to upgrade managed nodes. For information on upgrading a managed node group's [.noloc]`Kubernetes` version, see <>. To upgrade the version of a Fargate node, delete the [.noloc]`pod` that's represented by the node and redeploy the [.noloc]`pod` after you upgrade your control plane. For more information, see <>. +Before you upgrade a control plane to a new Kubernetes version, the minor version of the managed and Fargate nodes in your cluster must be the same as the version of your control plane's current version. The Amazon EKS `update-cluster-version` API rejects requests until you upgrade all Amazon EKS managed nodes to the current cluster version. Amazon EKS provides APIs to upgrade managed nodes. For information on upgrading a managed node group's Kubernetes version, see <>. To upgrade the version of a Fargate node, delete the pod that's represented by the node and redeploy the pod after you upgrade your control plane. For more information, see <>. [#too-many-requests] == When launching many nodes, there are `Too Many Requests` errors @@ -474,11 +474,11 @@ If you launch many nodes simultaneously, you may see an error message in the lin Make sure that `--apiserver-endpoint`, `--b64-cluster-ca`, and `--dns-cluster-ip` arguments are being passed to the node's bootstrap script. When including these arguments, there's no need for the bootstrap script to make a `describeCluster` call, which helps prevent the control plane from being overloaded. For more information, see <>. [#troubleshooting-boundservicetoken] -== HTTP 401 unauthorized error response on [.noloc]`Kubernetes` API server requests +== HTTP 401 unauthorized error response on Kubernetes API server requests -You see these errors if a [.noloc]`Pod's` service account token has expired on a cluster. +You see these errors if a Pod's service account token has expired on a cluster. -Your Amazon EKS cluster's [.noloc]`Kubernetes` API server rejects requests with tokens older than 90 days. In previous [.noloc]`Kubernetes` versions, tokens did not have an expiration. This means that clients that rely on these tokens must refresh them within an hour. To prevent the [.noloc]`Kubernetes` API server from rejecting your request due to an invalid token, the https://kubernetes.io/docs/reference/using-api/client-libraries/[Kubernetes client SDK] version used by your workload must be the same, or later than the following versions: +Your Amazon EKS cluster's Kubernetes API server rejects requests with tokens older than 90 days. In previous Kubernetes versions, tokens did not have an expiration. This means that clients that rely on these tokens must refresh them within an hour. To prevent the Kubernetes API server from rejecting your request due to an invalid token, the https://kubernetes.io/docs/reference/using-api/client-libraries/[Kubernetes client SDK] version used by your workload must be the same, or later than the following versions: @@ -488,9 +488,9 @@ Your Amazon EKS cluster's [.noloc]`Kubernetes` API server rejects requests with * JavaScript version `0.10.3` and later * Ruby `master` branch * Haskell version `0.3.0.0` -* [.noloc]`C#` version `7.0.5` and later +* C# version `7.0.5` and later -You can identify all existing [.noloc]`Pods` in your cluster that are using stale tokens. For more information, see <>. +You can identify all existing Pods in your cluster that are using stale tokens. For more information, see <>. [#troubleshooting-platform-version] == Amazon EKS platform version is more than two versions behind the current platform version @@ -554,7 +554,7 @@ An example output is as follows. If the subnet IDs returned in the output don't match the subnet IDs that were specified when the cluster was created, then if you want Amazon EKS to update the cluster, you need to change the subnets used by the cluster. This is because if you specified more than two subnets when you created your cluster, Amazon EKS randomly selects subnets that you specified to create new elastic network interfaces in. These network interfaces enable the control plane to communicate with your nodes. Amazon EKS won't update the cluster if the subnet it selects doesn't exist. You have no control over which of the subnets that you specified at cluster creation that Amazon EKS chooses to create a new network interface in. -When you initiate a [.noloc]`Kubernetes` version update for your cluster, the update can fail for the same reason. +When you initiate a Kubernetes version update for your cluster, the update can fail for the same reason. .Problem A security group specified during cluster creation was deleted – If you specified security groups during cluster creation, you can see their IDs with the following command. Replace [.replaceable]`my-cluster` with the name of your cluster. @@ -595,7 +595,7 @@ An example output is as follows. If the security group IDs returned in the output don't match the security group IDs that were specified when the cluster was created, then if you want Amazon EKS to update the cluster, you need to change the security groups used by the cluster. Amazon EKS won't update a cluster if the security group IDs specified at cluster creation don't exist. -When you initiate a [.noloc]`Kubernetes` version update for your cluster, the update can fail for the same reason. +When you initiate a Kubernetes version update for your cluster, the update can fail for the same reason. @@ -606,7 +606,7 @@ When you initiate a [.noloc]`Kubernetes` version update for your cluster, the up [#cluster-health-status] == Cluster health FAQs and error codes with resolution paths -Amazon EKS detects issues with your EKS clusters and the cluster infrastructure and stores it in the _cluster health_. You can detect, troubleshoot, and address cluster issues more rapidly with the aid of cluster health information. This enables you to create application environments that are more secure and up-to-date. Additionally, it may be impossible for you to upgrade to newer versions of [.noloc]`Kubernetes` or for Amazon EKS to install security updates on a degraded cluster as a result of issues with the necessary infrastructure or cluster configuration. Amazon EKS can take 3 hours to detect issues or detect that an issue is resolved. +Amazon EKS detects issues with your EKS clusters and the cluster infrastructure and stores it in the _cluster health_. You can detect, troubleshoot, and address cluster issues more rapidly with the aid of cluster health information. This enables you to create application environments that are more secure and up-to-date. Additionally, it may be impossible for you to upgrade to newer versions of Kubernetes or for Amazon EKS to install security updates on a degraded cluster as a result of issues with the necessary infrastructure or cluster configuration. Amazon EKS can take 3 hours to detect issues or detect that an issue is resolved. The health of an Amazon EKS cluster is a shared responsibility between Amazon EKS and its users. You are responsible for the prerequisite infrastructure of IAM roles and Amazon VPC subnets, as well as other necessary infrastructure, that must be provided in advance. Amazon EKS detects changes in the configuration of this infrastructure and the cluster. @@ -615,7 +615,7 @@ To access your health of your cluster in the Amazon EKS console, look for a sect *Why should I use this feature?*:: -You will get increased visibility into the health of your Amazon EKS cluster, quickly diagnose and fix any issues, without needing to spend time debugging or opening {aws} support cases. For example: you accidentally deleted a subnet for the Amazon EKS cluster, Amazon EKS won't be able to create cross account network interfaces and [.noloc]`Kubernetes` {aws} CLI commands such as `kubectl` exec or `kubectl` logs. These will fail with the error: `Error from server: error dialing backend: remote error: tls: internal error.` Now you will see an Amazon EKS health issue that says: `subnet-da60e280 was deleted: could not create network interface`. +You will get increased visibility into the health of your Amazon EKS cluster, quickly diagnose and fix any issues, without needing to spend time debugging or opening {aws} support cases. For example: you accidentally deleted a subnet for the Amazon EKS cluster, Amazon EKS won't be able to create cross account network interfaces and Kubernetes {aws} CLI commands such as `kubectl` exec or `kubectl` logs. These will fail with the error: `Error from server: error dialing backend: remote error: tls: internal error.` Now you will see an Amazon EKS health issue that says: `subnet-da60e280 was deleted: could not create network interface`. *How does this feature relate or work with other {aws} services?*:: @@ -638,7 +638,7 @@ Yes. {aws} sends an email and Personal Health Dashboard notification when new Cl *Does the console give me warnings for health issues?*:: Yes, any cluster with health issues will include a banner at the top of the console. -The first two columns are what are needed for API response values. The third field of the link:eks/latest/APIReference/API_ClusterIssue.html[Health ClusterIssue,type="documentation"] object is [.noloc]`resourceIds`, the return of which is dependent on the issue type. +The first two columns are what are needed for API response values. The third field of the link:eks/latest/APIReference/API_ClusterIssue.html[Health ClusterIssue,type="documentation"] object is resourceIds, the return of which is dependent on the issue type. [cols="1,1,1,1", options="header"] |=== @@ -648,68 +648,68 @@ The first two columns are what are needed for API response values. The third fie |Cluster Recoverable? -|[.noloc]`SUBNET_NOT_FOUND` -|We couldn't find one or more subnets currently associated with your cluster. Call Amazon EKS [.noloc]`update-cluster-config` API to update subnets. +|SUBNET_NOT_FOUND +|We couldn't find one or more subnets currently associated with your cluster. Call Amazon EKS update-cluster-config API to update subnets. |Subnet Ids |Yes -|[.noloc]`SECURITY_GROUP_NOT_FOUND` +|SECURITY_GROUP_NOT_FOUND |We couldn't find one or more security groups currently associated with your cluster. Call Amazon EKS update-cluster-config API to update security groups |Security group Ids |Yes -|[.noloc]`IP_NOT_AVAILABLE` +|IP_NOT_AVAILABLE |One or more of the subnets associated with your cluster does not have enough available IP addresses for Amazon EKS to perform cluster management operations. Free up addresses in the subnet(s), or associate different subnets to your cluster using the Amazon EKS update-cluster-config API. |Subnet Ids |Yes -|[.noloc]`VPC_NOT_FOUND` +|VPC_NOT_FOUND |We couldn't find the VPC associated with your cluster. You must delete and recreate your cluster. |VPC id |No -|[.noloc]`ASSUME_ROLE_ACCESS_DENIED` +|ASSUME_ROLE_ACCESS_DENIED |Your cluster is not using the Amazon EKS service-linked-role. We couldn't assume the role associated with your cluster to perform required Amazon EKS management operations. Check the role exists and has the required trust policy. |The cluster IAM role |Yes -|[.noloc]`PERMISSION_ACCESS_DENIED` +|PERMISSION_ACCESS_DENIED |Your cluster is not using the Amazon EKS service-linked-role. The role associated with your cluster does not grant sufficient permissions for Amazon EKS to perform required management operations. Check the policies attached to the cluster role and if any separate deny policies are applied. |The cluster IAM role |Yes -|[.noloc]`ASSUME_ROLE_ACCESS_DENIED_USING_SLR` +|ASSUME_ROLE_ACCESS_DENIED_USING_SLR |We couldn't assume the Amazon EKS cluster management service-linked-role. Check the role exists and has the required trust policy. |The Amazon EKS service-linked-role |Yes -|[.noloc]`PERMISSION_ACCESS_DENIED_USING_SLR` +|PERMISSION_ACCESS_DENIED_USING_SLR |The Amazon EKS cluster management service-linked-role does not grant sufficient permissions for Amazon EKS to perform required management operations. Check the policies attached to the cluster role and if any separate deny policies are applied. |The Amazon EKS service-linked-role |Yes -|[.noloc]`OPT_IN_REQUIRED` +|OPT_IN_REQUIRED |Your account doesn't have an Amazon EC2 service subscription. Update your account subscriptions in your account settings page. |N/A |Yes -|[.noloc]`STS_REGIONAL_ENDPOINT_DISABLED` -|The [.noloc]`STS` regional endpoint is disabled. Enable the endpoint for Amazon EKS to perform required cluster management operations. +|STS_REGIONAL_ENDPOINT_DISABLED +|The STS regional endpoint is disabled. Enable the endpoint for Amazon EKS to perform required cluster management operations. |N/A |Yes -|[.noloc]`KMS_KEY_DISABLED` +|KMS_KEY_DISABLED |The {aws} KMS Key associated with your cluster is disabled. Re-enable the key to recover your cluster. -|The [.noloc]`KMS Key Arn` +|The KMS Key Arn |Yes -|[.noloc]`KMS_KEY_NOT_FOUND` +|KMS_KEY_NOT_FOUND |We couldn't find the {aws} KMS key associated with your cluster. You must delete and recreate the cluster. -|The [.noloc]`KMS Key ARN` +|The KMS Key ARN |No -|[.noloc]`KMS_GRANT_REVOKED` +|KMS_GRANT_REVOKED |Grants for the {aws} KMS Key associated with your cluster are revoked. You must delete and recreate the cluster. -|The [.noloc]`KMS Key Arn` +|The KMS Key Arn |No |=== \ No newline at end of file diff --git a/latest/ug/what-is/common-use-cases.adoc b/latest/ug/what-is/common-use-cases.adoc index 1e88adf6c..4fcf8adce 100644 --- a/latest/ug/what-is/common-use-cases.adoc +++ b/latest/ug/what-is/common-use-cases.adoc @@ -11,7 +11,7 @@ include::../attributes.txt[] Discover how Amazon EKS helps deploy highly available containerized applications, build microservices architectures, automate software release processes, run serverless applications, execute machine learning workloads, deploy consistently on-premises and in the cloud, process big data cost-effectively, and ensure security and compliance. -- -Amazon EKS offers robust managed [.noloc]`Kubernetes` services on {aws}, designed to optimize containerized applications. The following are a few of the most common use cases of Amazon EKS, helping you leverage its strengths for your specific needs. +Amazon EKS offers robust managed Kubernetes services on {aws}, designed to optimize containerized applications. The following are a few of the most common use cases of Amazon EKS, helping you leverage its strengths for your specific needs. @@ -20,7 +20,7 @@ Using link:elasticloadbalancing/[Elastic Load Balancing,type="marketing"], you c *Building microservices architectures*:: -Use [.noloc]`Kubernetes` service discovery features with link:cloud-map/[{aws} Cloud Map,type="marketing"] or link:vpc/lattice/[Amazon VPC Lattice,type="marketing"] to build resilient systems. +Use Kubernetes service discovery features with link:cloud-map/[{aws} Cloud Map,type="marketing"] or link:vpc/lattice/[Amazon VPC Lattice,type="marketing"] to build resilient systems. *Automating software release process*:: diff --git a/latest/ug/what-is/eks-architecture.adoc b/latest/ug/what-is/eks-architecture.adoc index c34e91aa2..f0c0ec7c6 100644 --- a/latest/ug/what-is/eks-architecture.adoc +++ b/latest/ug/what-is/eks-architecture.adoc @@ -8,15 +8,15 @@ include::../attributes.txt[] [abstract] -- -Learn how Amazon EKS aligns with [.noloc]`Kubernetes` cluster architecture, offering a highly available and resilient control plane, and flexible compute options like {aws} Fargate, [.noloc]`Karpenter`, managed node groups, and self-managed nodes to meet diverse workload requirements. +Learn how Amazon EKS aligns with Kubernetes cluster architecture, offering a highly available and resilient control plane, and flexible compute options like {aws} Fargate, Karpenter, managed node groups, and self-managed nodes to meet diverse workload requirements. -- -Amazon EKS aligns with the general cluster architecture of [.noloc]`Kubernetes`. For more information, see https://kubernetes.io/docs/concepts/overview/components/[Kubernetes Components] in the [.noloc]`Kubernetes` documentation. The following sections summarize some extra architecture details for Amazon EKS. +Amazon EKS aligns with the general cluster architecture of Kubernetes. For more information, see https://kubernetes.io/docs/concepts/overview/components/[Kubernetes Components] in the Kubernetes documentation. The following sections summarize some extra architecture details for Amazon EKS. [#control-plane] == Control plane -Amazon EKS ensures every cluster has its own unique [.noloc]`Kubernetes` control plane. This design keeps each cluster's infrastructure separate, with no overlaps between clusters or {aws} accounts. The setup includes: +Amazon EKS ensures every cluster has its own unique Kubernetes control plane. This design keeps each cluster's infrastructure separate, with no overlaps between clusters or {aws} accounts. The setup includes: @@ -35,7 +35,7 @@ If a control plane instance falters, Amazon EKS quickly replaces it, using diffe *Consistent uptime*:: By running clusters across multiple Availability Zones, a reliable link:eks/sla[API server endpoint availability Service Level Agreement (SLA),type="marketing"] is achieved. -Amazon EKS uses Amazon Virtual Private Cloud (Amazon VPC) to limit traffic between control plane components within a single cluster. Cluster components can't view or receive communication from other clusters or {aws} accounts, except when authorized by [.noloc]`Kubernetes` role-based access control (RBAC) policies. +Amazon EKS uses Amazon Virtual Private Cloud (Amazon VPC) to limit traffic between control plane components within a single cluster. Cluster components can't view or receive communication from other clusters or {aws} accounts, except when authorized by Kubernetes role-based access control (RBAC) policies. [#nodes] == Compute @@ -49,8 +49,8 @@ In addition to the control plane, an Amazon EKS cluster has a set of worker mach <> is a serverless compute engine for containers that eliminates the need to manage the underlying instances. With Fargate, you specify your application's resource needs, and {aws} automatically provisions, scales, and maintains the infrastructure. This option is ideal for users who prioritize ease-of-use and want to concentrate on application development and deployment rather than managing infrastructure. -*[.noloc]`Karpenter`*:: -https://karpenter.sh/[Karpenter] is a flexible, high-performance [.noloc]`Kubernetes` cluster autoscaler that helps improve application availability and cluster efficiency. [.noloc]`Karpenter` launches right-sized compute resources in response to changing application load. This option can provision just-in-time compute resources that meet the requirements of your workload. +*Karpenter*:: +https://karpenter.sh/[Karpenter] is a flexible, high-performance Kubernetes cluster autoscaler that helps improve application availability and cluster efficiency. Karpenter launches right-sized compute resources in response to changing application load. This option can provision just-in-time compute resources that meet the requirements of your workload. *Managed node groups*:: diff --git a/latest/ug/what-is/eks-deployment-options.adoc b/latest/ug/what-is/eks-deployment-options.adoc index d374b0d4d..aa202a8f6 100644 --- a/latest/ug/what-is/eks-deployment-options.adoc +++ b/latest/ug/what-is/eks-deployment-options.adoc @@ -8,7 +8,7 @@ include::../attributes.txt[] [abstract] -- -Learn to deploy [.noloc]`Kubernetes` clusters with Amazon EKS across cloud and on-premises environments to meet your operational needs, while leveraging {aws} services and support. +Learn to deploy Kubernetes clusters with Amazon EKS across cloud and on-premises environments to meet your operational needs, while leveraging {aws} services and support. -- [#understand-deployment-options] diff --git a/latest/ug/what-is/kubernetes-concepts.adoc b/latest/ug/what-is/kubernetes-concepts.adoc index c3f0ea543..2a3f489c5 100644 --- a/latest/ug/what-is/kubernetes-concepts.adoc +++ b/latest/ug/what-is/kubernetes-concepts.adoc @@ -1,6 +1,6 @@ [.topic] [#kubernetes-concepts] -= [.noloc]`Kubernetes` concepts += Kubernetes concepts :info_titleabbrev: Kubernetes concepts :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, architecture, control plane, nodes, data plane @@ -8,22 +8,22 @@ include::../attributes.txt[] [abstract] -- -Learn core [.noloc]`Kubernetes` concepts and how they relate to deploying workloads, managing clusters, and working with control planes, nodes, Pods, containers, and networking on Amazon EKS. +Learn core Kubernetes concepts and how they relate to deploying workloads, managing clusters, and working with control planes, nodes, Pods, containers, and networking on Amazon EKS. -- -Amazon Elastic Kubernetes Service (Amazon EKS) is an {aws} managed service based on the open source https://kubernetes.io/[Kubernetes] project. While there are things you need to know about how the Amazon EKS service integrates with {aws} Cloud (particularly when you first create an Amazon EKS cluster), once it's up and running, you use your Amazon EKS cluster in much that same way as you would any other [.noloc]`Kubernetes` cluster. So to begin managing [.noloc]`Kubernetes` clusters and deploying workloads, you need at least a basic understanding of [.noloc]`Kubernetes` concepts. +Amazon Elastic Kubernetes Service (Amazon EKS) is an {aws} managed service based on the open source https://kubernetes.io/[Kubernetes] project. While there are things you need to know about how the Amazon EKS service integrates with {aws} Cloud (particularly when you first create an Amazon EKS cluster), once it's up and running, you use your Amazon EKS cluster in much that same way as you would any other Kubernetes cluster. So to begin managing Kubernetes clusters and deploying workloads, you need at least a basic understanding of Kubernetes concepts. -This page divides [.noloc]`Kubernetes` concepts into three sections: <>, <>, and <>. The first section describes the value of running a [.noloc]`Kubernetes` service, in particular as a managed service like Amazon EKS. The Workloads section covers how [.noloc]`Kubernetes` applications are built, stored, run, and managed. The Clusters section lays out the different components that make up [.noloc]`Kubernetes` clusters and what your responsibilities are for creating and maintaining [.noloc]`Kubernetes` clusters. +This page divides Kubernetes concepts into three sections: <>, <>, and <>. The first section describes the value of running a Kubernetes service, in particular as a managed service like Amazon EKS. The Workloads section covers how Kubernetes applications are built, stored, run, and managed. The Clusters section lays out the different components that make up Kubernetes clusters and what your responsibilities are for creating and maintaining Kubernetes clusters. [.topiclist] [[Topic List]] -As you go through this content, links will lead you to further descriptions of [.noloc]`Kubernetes` concepts in both Amazon EKS and [.noloc]`Kubernetes` documentation, in case you want to take deep dives into any of the topics we cover here. For details about how Amazon EKS implements [.noloc]`Kubernetes` control plane and compute features, see <>. +As you go through this content, links will lead you to further descriptions of Kubernetes concepts in both Amazon EKS and Kubernetes documentation, in case you want to take deep dives into any of the topics we cover here. For details about how Amazon EKS implements Kubernetes control plane and compute features, see <>. [#why-kubernetes] -== Why [.noloc]`Kubernetes`? +== Why Kubernetes? -[.noloc]`Kubernetes` was designed to improve availability and scalability when running mission-critical, production-quality containerized applications. Rather than just running [.noloc]`Kubernetes` on a single machine (although that is possible), [.noloc]`Kubernetes` achieves those goals by allowing you to run applications across sets of computers that can expand or contract to meet demand. [.noloc]`Kubernetes` includes features that make it easier for you to: +Kubernetes was designed to improve availability and scalability when running mission-critical, production-quality containerized applications. Rather than just running Kubernetes on a single machine (although that is possible), Kubernetes achieves those goals by allowing you to run applications across sets of computers that can expand or contract to meet demand. Kubernetes includes features that make it easier for you to: @@ -34,76 +34,76 @@ As you go through this content, links will lead you to further descriptions of [ * Allocate resources between containers * Balance traffic across machines -Having [.noloc]`Kubernetes` automate these types of complex tasks allows an application developer to focus on building and improving their application workloads, rather than worrying about infrastructure. The developer typically creates configuration files, formatted as YAML files, that describe the desired state of the application. This could include which containers to run, resource limits, number of Pod replicas, CPU/memory allocation, affinity rules, and more. +Having Kubernetes automate these types of complex tasks allows an application developer to focus on building and improving their application workloads, rather than worrying about infrastructure. The developer typically creates configuration files, formatted as YAML files, that describe the desired state of the application. This could include which containers to run, resource limits, number of Pod replicas, CPU/memory allocation, affinity rules, and more. [#attributes-of-kubernetes] -=== Attributes of [.noloc]`Kubernetes` +=== Attributes of Kubernetes -To achieve its goals, [.noloc]`Kubernetes` has the following attributes: +To achieve its goals, Kubernetes has the following attributes: -* *Containerized* -- [.noloc]`Kubernetes` is a container orchestration tool. To use [.noloc]`Kubernetes`, you must first have your applications containerized. Depending on the type of application, this could be as a set of _microservices,_ as batch jobs or in other forms. Then, your applications can take advantage of a [.noloc]`Kubernetes` workflow that encompasses a huge ecosystem of tools, where containers can be stored as https://kubernetes.io/docs/concepts/containers/images/#multi-architecture-images-with-image-indexes[images in a container registry], deployed to a [.noloc]`Kubernetes` https://kubernetes.io/docs/concepts/architecture/[cluster], and run on an available https://kubernetes.io/docs/concepts/architecture/nodes/[node]. You can build and test individual containers on your local computer with [.noloc]`Docker` or another https://kubernetes.io/docs/setup/production-environment/container-runtimes/[container runtime], before deploying them to your [.noloc]`Kubernetes` cluster. -* *Scalable* -- If the demand for your applications exceeds the capacity of the running instances of those applications, [.noloc]`Kubernetes` is able to scale up. As needed, [.noloc]`Kubernetes` can tell if applications require more CPU or memory and respond by either automatically expanding available capacity or using more of existing capacity. Scaling can be done at the Pod level, if there is enough compute available to just run more instances of the application (https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/[horizontal Pod autoscaling]), or at the node level, if more nodes need to be brought up to handle the increased capacity (https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler[Cluster Autoscaler] or https://karpenter.sh/[Karpenter]). As capacity is no longer needed, these services can delete unnecessary Pods and shut down unneeded nodes. -* *Available* -- If an application or node becomes unhealthy or unavailable, [.noloc]`Kubernetes` can move running workloads to another available node. You can force the issue by simply deleting a running instance of a workload or node that's running your workloads. The bottom line here is that workloads can be brought up in other locations if they can no longer run where they are. -* *Declarative* -- [.noloc]`Kubernetes` uses active reconciliation to constantly check that the state that you declare for your cluster matches the actual state. By applying https://kubernetes.io/docs/concepts/overview/working-with-objects/[Kubernetes objects] to a cluster, typically through YAML-formatted configuration files, you can, for example, ask to start up the workloads you want to run on your cluster. You can later change the configurations to do something like use a later version of a container or allocate more memory. [.noloc]`Kubernetes` will do what it needs to do to establish the desired state. This can include bringing nodes up or down, stopping and restarting workloads, or pulling updated containers. -* *Composable* -- Because an application typically consists of multiple components, you want to be able to manage a set of these components (often represented by multiple containers) together. While [.noloc]`Docker` Compose offers a way to do this directly with [.noloc]`Docker`, the [.noloc]`Kubernetes` http://kompose.io/[Kompose] command can help you do that with [.noloc]`Kubernetes`. See https://kubernetes.io/docs/tasks/configure-pod-container/translate-compose-kubernetes/[Translate a Docker Compose File to Kubernetes Resources] for an example of how to do this. -* *Extensible* -- Unlike proprietary software, the open source [.noloc]`Kubernetes` project is designed to be open to you extending [.noloc]`Kubernetes` any way that you like to meet your needs. APIs and configuration files are open to direct modifications. Third-parties are encouraged to write their own https://kubernetes.io/docs/concepts/architecture/controller/[Controllers], to extend both infrastructure and end-user [.noloc]`Kubernetes` featues. https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/[Webhooks] let you set up cluster rules to enforce policies and adapt to changing conditions. For more ideas on how to extend [.noloc]`Kubernetes` clusters, see https://kubernetes.io/docs/concepts/extend-kubernetes/[Extending Kubernetes]. -* *Portable* -- Many organizations have standardized their operations on [.noloc]`Kubernetes` because it allows them to manage all of their application needs in the same way. Developers can use the same pipelines to build and store containerized applications. Those applications can then be deployed to [.noloc]`Kubernetes` clusters running on-premises, in clouds, on point-of-sales terminals in restaurants, or on IOT devices dispersed across company's remote sites. Its open source nature makes it possible for people to develop these special [.noloc]`Kubernetes` distributions, along will tools needed to manage them. +* *Containerized* -- Kubernetes is a container orchestration tool. To use Kubernetes, you must first have your applications containerized. Depending on the type of application, this could be as a set of _microservices,_ as batch jobs or in other forms. Then, your applications can take advantage of a Kubernetes workflow that encompasses a huge ecosystem of tools, where containers can be stored as https://kubernetes.io/docs/concepts/containers/images/#multi-architecture-images-with-image-indexes[images in a container registry], deployed to a Kubernetes https://kubernetes.io/docs/concepts/architecture/[cluster], and run on an available https://kubernetes.io/docs/concepts/architecture/nodes/[node]. You can build and test individual containers on your local computer with Docker or another https://kubernetes.io/docs/setup/production-environment/container-runtimes/[container runtime], before deploying them to your Kubernetes cluster. +* *Scalable* -- If the demand for your applications exceeds the capacity of the running instances of those applications, Kubernetes is able to scale up. As needed, Kubernetes can tell if applications require more CPU or memory and respond by either automatically expanding available capacity or using more of existing capacity. Scaling can be done at the Pod level, if there is enough compute available to just run more instances of the application (https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/[horizontal Pod autoscaling]), or at the node level, if more nodes need to be brought up to handle the increased capacity (https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler[Cluster Autoscaler] or https://karpenter.sh/[Karpenter]). As capacity is no longer needed, these services can delete unnecessary Pods and shut down unneeded nodes. +* *Available* -- If an application or node becomes unhealthy or unavailable, Kubernetes can move running workloads to another available node. You can force the issue by simply deleting a running instance of a workload or node that's running your workloads. The bottom line here is that workloads can be brought up in other locations if they can no longer run where they are. +* *Declarative* -- Kubernetes uses active reconciliation to constantly check that the state that you declare for your cluster matches the actual state. By applying https://kubernetes.io/docs/concepts/overview/working-with-objects/[Kubernetes objects] to a cluster, typically through YAML-formatted configuration files, you can, for example, ask to start up the workloads you want to run on your cluster. You can later change the configurations to do something like use a later version of a container or allocate more memory. Kubernetes will do what it needs to do to establish the desired state. This can include bringing nodes up or down, stopping and restarting workloads, or pulling updated containers. +* *Composable* -- Because an application typically consists of multiple components, you want to be able to manage a set of these components (often represented by multiple containers) together. While Docker Compose offers a way to do this directly with Docker, the Kubernetes http://kompose.io/[Kompose] command can help you do that with Kubernetes. See https://kubernetes.io/docs/tasks/configure-pod-container/translate-compose-kubernetes/[Translate a Docker Compose File to Kubernetes Resources] for an example of how to do this. +* *Extensible* -- Unlike proprietary software, the open source Kubernetes project is designed to be open to you extending Kubernetes any way that you like to meet your needs. APIs and configuration files are open to direct modifications. Third-parties are encouraged to write their own https://kubernetes.io/docs/concepts/architecture/controller/[Controllers], to extend both infrastructure and end-user Kubernetes featues. https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/[Webhooks] let you set up cluster rules to enforce policies and adapt to changing conditions. For more ideas on how to extend Kubernetes clusters, see https://kubernetes.io/docs/concepts/extend-kubernetes/[Extending Kubernetes]. +* *Portable* -- Many organizations have standardized their operations on Kubernetes because it allows them to manage all of their application needs in the same way. Developers can use the same pipelines to build and store containerized applications. Those applications can then be deployed to Kubernetes clusters running on-premises, in clouds, on point-of-sales terminals in restaurants, or on IOT devices dispersed across company's remote sites. Its open source nature makes it possible for people to develop these special Kubernetes distributions, along will tools needed to manage them. [#managing-kubernetes] -=== Managing [.noloc]`Kubernetes` +=== Managing Kubernetes -[.noloc]`Kubernetes` source code is freely available, so with your own equipment you could install and manage [.noloc]`Kubernetes` yourself. However, self-managing [.noloc]`Kubernetes` requires deep operational expertise and takes time and effort to maintain. For those reasons, most people deploying production workloads choose a cloud provider (such as Amazon EKS) or on-premises provider (such as Amazon EKS Anywhere) with its own tested [.noloc]`Kubernetes` distribution and support of [.noloc]`Kubernetes` experts. This allows you to offload much of the undifferentiated heavy lifting needed to maintain your clusters, including: +Kubernetes source code is freely available, so with your own equipment you could install and manage Kubernetes yourself. However, self-managing Kubernetes requires deep operational expertise and takes time and effort to maintain. For those reasons, most people deploying production workloads choose a cloud provider (such as Amazon EKS) or on-premises provider (such as Amazon EKS Anywhere) with its own tested Kubernetes distribution and support of Kubernetes experts. This allows you to offload much of the undifferentiated heavy lifting needed to maintain your clusters, including: -* *Hardware* -- If you don't have hardware available to run [.noloc]`Kubernetes` per your requirements, a cloud provider such as {aws} Amazon EKS can save you on upfront costs. With Amazon EKS, this means that you can consume the best cloud resources offered by {aws}, including computer instances (Amazon Elastic Compute Cloud), your own private environment (Amazon VPC), central identity and permissions management (IAM), and storage (Amazon EBS). {aws} manages the computers, networks, data centers, and all the other physical components needed to run [.noloc]`Kubernetes`. Likewise, you don't have to plan your datacenter to handle the maximum capacity on your highest-demand days. For Amazon EKS Anywhere, or other on premises [.noloc]`Kubernetes` clusters, you are responsible for managing the infrastructure used in your [.noloc]`Kubernetes` deployments, but you can still rely on {aws} to help you keep [.noloc]`Kubernetes` up to date. -* *Control plane management* -- Amazon EKS manages the security and availability of the {aws}-hosted [.noloc]`Kubernetes` control plane, which is responsible for scheduling containers, managing the availability of applications, and other key tasks, so you can focus on your application workloads. If your cluster breaks, {aws} should have the means to restore your cluster to a running state. For Amazon EKS Anywhere, you would manage the control plane yourself. -* *Tested upgrades* -- When you upgrade your clusters, you can rely on Amazon EKS or Amazon EKS Anywhere to provide tested versions of their [.noloc]`Kubernetes` distributions. -* *Add-ons* -- There are hundreds of projects built to extend and work with [.noloc]`Kubernetes` that you can add to your cluster's infrastructure or use to aid the running of your workloads. Instead of building and managing those add-ons yourself, {aws} provides <> that you can use with your clusters. Amazon EKS Anywhere provides https://anywhere.eks.amazonaws.com/docs/packages/[Curated Packages] that include builds of many popular open source projects. So you don't have to build the software yourself or manage critical security patches, bug fixes, or upgrades. Likewise, if the defaults meet your needs, it's typical for very little configuration of those add-ons to be needed. See <> for details on extending your cluster with add-ons. +* *Hardware* -- If you don't have hardware available to run Kubernetes per your requirements, a cloud provider such as {aws} Amazon EKS can save you on upfront costs. With Amazon EKS, this means that you can consume the best cloud resources offered by {aws}, including computer instances (Amazon Elastic Compute Cloud), your own private environment (Amazon VPC), central identity and permissions management (IAM), and storage (Amazon EBS). {aws} manages the computers, networks, data centers, and all the other physical components needed to run Kubernetes. Likewise, you don't have to plan your datacenter to handle the maximum capacity on your highest-demand days. For Amazon EKS Anywhere, or other on premises Kubernetes clusters, you are responsible for managing the infrastructure used in your Kubernetes deployments, but you can still rely on {aws} to help you keep Kubernetes up to date. +* *Control plane management* -- Amazon EKS manages the security and availability of the {aws}-hosted Kubernetes control plane, which is responsible for scheduling containers, managing the availability of applications, and other key tasks, so you can focus on your application workloads. If your cluster breaks, {aws} should have the means to restore your cluster to a running state. For Amazon EKS Anywhere, you would manage the control plane yourself. +* *Tested upgrades* -- When you upgrade your clusters, you can rely on Amazon EKS or Amazon EKS Anywhere to provide tested versions of their Kubernetes distributions. +* *Add-ons* -- There are hundreds of projects built to extend and work with Kubernetes that you can add to your cluster's infrastructure or use to aid the running of your workloads. Instead of building and managing those add-ons yourself, {aws} provides <> that you can use with your clusters. Amazon EKS Anywhere provides https://anywhere.eks.amazonaws.com/docs/packages/[Curated Packages] that include builds of many popular open source projects. So you don't have to build the software yourself or manage critical security patches, bug fixes, or upgrades. Likewise, if the defaults meet your needs, it's typical for very little configuration of those add-ons to be needed. See <> for details on extending your cluster with add-ons. [#kubernetes-in-action] -=== [.noloc]`Kubernetes` in action +=== Kubernetes in action -The following diagram shows key activities you would do as a [.noloc]`Kubernetes` Admin or Application Developer to create and use a [.noloc]`Kubernetes` cluster. In the process, it illustrates how [.noloc]`Kubernetes` components interact with each other, using the {aws} cloud as the example of the underlying cloud provider. +The following diagram shows key activities you would do as a Kubernetes Admin or Application Developer to create and use a Kubernetes cluster. In the process, it illustrates how Kubernetes components interact with each other, using the {aws} cloud as the example of the underlying cloud provider. image::images/k8sinaction.png[A Kubernetes cluster in action.,scaledwidth=100%] -A [.noloc]`Kubernetes` Admin creates the [.noloc]`Kubernetes` cluster using a tool specific to the type of provider on which the cluster will be built. This example uses the {aws} cloud as the provider, which offers the managed [.noloc]`Kubernetes` service called Amazon EKS. The managed service automatically allocates the resources needed to create the cluster, including creating two new Virtual Private Clouds (Amazon VPCs) for the cluster, setting up networking, and mapping [.noloc]`Kubernetes` permissions directly into the new VPCs for cloud asset management. The managed service also sees that the control plane services have places to run and allocates zero or more Amazon EC2 instances as [.noloc]`Kubernetes` nodes for running workloads. {aws} manages one Amazon VPC itself for the control plane, while the other Amazon VPC contains the customer nodes that run workloads. +A Kubernetes Admin creates the Kubernetes cluster using a tool specific to the type of provider on which the cluster will be built. This example uses the {aws} cloud as the provider, which offers the managed Kubernetes service called Amazon EKS. The managed service automatically allocates the resources needed to create the cluster, including creating two new Virtual Private Clouds (Amazon VPCs) for the cluster, setting up networking, and mapping Kubernetes permissions directly into the new VPCs for cloud asset management. The managed service also sees that the control plane services have places to run and allocates zero or more Amazon EC2 instances as Kubernetes nodes for running workloads. {aws} manages one Amazon VPC itself for the control plane, while the other Amazon VPC contains the customer nodes that run workloads. -Many of the [.noloc]`Kubernetes` Admin's tasks going forward are done using [.noloc]`Kubernetes` tools such as `kubectl`. That tool makes requests for services directly to the cluster's control plane. The ways that queries and changes are made to the cluster are then very similar to the ways you would do them on any [.noloc]`Kubernetes` cluster. +Many of the Kubernetes Admin's tasks going forward are done using Kubernetes tools such as `kubectl`. That tool makes requests for services directly to the cluster's control plane. The ways that queries and changes are made to the cluster are then very similar to the ways you would do them on any Kubernetes cluster. -An application developer wanting to deploy workloads to this cluster can perform several tasks. The developer needs to build the application into one or more container images, then push those images to a container registry that is accessible to the [.noloc]`Kubernetes` cluster. {aws} offers the Amazon Elastic Container Registry (Amazon ECR) for that purpose. +An application developer wanting to deploy workloads to this cluster can perform several tasks. The developer needs to build the application into one or more container images, then push those images to a container registry that is accessible to the Kubernetes cluster. {aws} offers the Amazon Elastic Container Registry (Amazon ECR) for that purpose. To run the application, the developer can create YAML-formatted configuration files that tell the cluster how to run the application, including which containers to pull from the registry and how to wrap those containers in Pods. The control plane (scheduler) schedules the containers to one or more nodes and the container runtime on each node actually pulls and runs the needed containers. The developer can also set up an application load balancer to balance traffic to available containers running on each node and expose the application so it is available on a public network to the outside world. With that all done, someone wanting to use the application can connect to the application endpoint to access it. -The following sections go through details of each of these features, from the perspective of [.noloc]`Kubernetes` Clusters and Workloads. +The following sections go through details of each of these features, from the perspective of Kubernetes Clusters and Workloads. [#concepts-clusters] == Clusters -If your job is to start and manage [.noloc]`Kubernetes` clusters, you should know how [.noloc]`Kubernetes` clusters are created, enhanced, managed, and deleted. You should also know what the components are that make up a cluster and what you need to do to maintain those components. +If your job is to start and manage Kubernetes clusters, you should know how Kubernetes clusters are created, enhanced, managed, and deleted. You should also know what the components are that make up a cluster and what you need to do to maintain those components. -Tools for managing clusters handle the overlap between the [.noloc]`Kubernetes` services and the underlying hardware provider. For that reason, automation of these tasks tend to be done by the [.noloc]`Kubernetes` provider (such as Amazon EKS or Amazon EKS Anywhere) using tools that are specific to the provider. For example, to start an Amazon EKS cluster you can use `eksctl create cluster`, while for Amazon EKS Anywhere you can use `eksctl anywhere create cluster`. Note that while these commands create a [.noloc]`Kubernetes` cluster, they are specific to the provider and are not part of the [.noloc]`Kubernetes` project itself. +Tools for managing clusters handle the overlap between the Kubernetes services and the underlying hardware provider. For that reason, automation of these tasks tend to be done by the Kubernetes provider (such as Amazon EKS or Amazon EKS Anywhere) using tools that are specific to the provider. For example, to start an Amazon EKS cluster you can use `eksctl create cluster`, while for Amazon EKS Anywhere you can use `eksctl anywhere create cluster`. Note that while these commands create a Kubernetes cluster, they are specific to the provider and are not part of the Kubernetes project itself. [#cluster-creation-and-management-tools] === Cluster creation and management tools -The [.noloc]`Kubernetes` project offers tools for creating a [.noloc]`Kubernetes` cluster manually. So if you want to install [.noloc]`Kubernetes` on a single machine, or run the control plane on a machine and add nodes manually, you can use CLI tools like https://kind.sigs.k8s.io/[kind], https://kubernetes.io/docs/tutorials/hello-minikube/[minikube], or https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/[kubeadm] that are listed under [.noloc]`Kubernetes` https://kubernetes.io/docs/tasks/tools/[Install Tools]. To simplify and automate the full lifecycle of cluster creation and management, it is much easier to use tools supported by an established [.noloc]`Kubernetes` provider, such as Amazon EKS or Amazon EKS Anywhere. +The Kubernetes project offers tools for creating a Kubernetes cluster manually. So if you want to install Kubernetes on a single machine, or run the control plane on a machine and add nodes manually, you can use CLI tools like https://kind.sigs.k8s.io/[kind], https://kubernetes.io/docs/tutorials/hello-minikube/[minikube], or https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/[kubeadm] that are listed under Kubernetes https://kubernetes.io/docs/tasks/tools/[Install Tools]. To simplify and automate the full lifecycle of cluster creation and management, it is much easier to use tools supported by an established Kubernetes provider, such as Amazon EKS or Amazon EKS Anywhere. -In {aws} Cloud, you can create link:eks/[Amazon EKS,type="documentation"] clusters using CLI tools, such as https://eksctl.io/[eksctl], or more declarative tools, such as Terraform (see https://github.com/aws-ia/terraform-aws-eks-blueprints[Amazon EKS Blueprints for Terraform]). You can also create a cluster from the {aws-management-console}. See link:eks/features/[Amazon EKS features,type="marketing"] for a list what you get with Amazon EKS. [.noloc]`Kubernetes` responsibilities that Amazon EKS takes on for you include: +In {aws} Cloud, you can create link:eks/[Amazon EKS,type="documentation"] clusters using CLI tools, such as https://eksctl.io/[eksctl], or more declarative tools, such as Terraform (see https://github.com/aws-ia/terraform-aws-eks-blueprints[Amazon EKS Blueprints for Terraform]). You can also create a cluster from the {aws-management-console}. See link:eks/features/[Amazon EKS features,type="marketing"] for a list what you get with Amazon EKS. Kubernetes responsibilities that Amazon EKS takes on for you include: * *Managed control plane* -- {aws} makes sure that the Amazon EKS cluster is available and scalable because it manages the control plane for you and makes it available across {aws} Availability Zones. -* *Node management* -- Instead of manually adding nodes, you can have Amazon EKS create nodes automatically as needed, using Managed Node Groups (see <>) or https://karpenter.sh/[Karpenter]. Managed Node Groups have integrations with [.noloc]`Kubernetes` https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaling]. Using node management tools, you can take advantage of cost savings, with things like link:AWSEC2/latest/UserGuide/using-spot-instances.html[Spot Instances,type="documentation"] and node consolidation, and availability, using https://karpenter.sh/docs/concepts/scheduling/[Scheduling]features to set how workloads are deployed and nodes are selected. -* *Cluster networking* -- Using CloudFormation templates, `eksctl` sets up networking between control plane and data plane (node) components in the [.noloc]`Kubernetes` cluster. It also sets up endpoints through which internal and external communications can take place. See link:containers/de-mystifying-cluster-networking-for-amazon-eks-worker-nodes[De-mystifying cluster networking for Amazon EKS worker nodes,type="blog"] for details. Communications between Pods in Amazon EKS is done using Amazon EKS Pod Identities (see <>), which provides a means of letting Pods tap into {aws} cloud methods of managing credentials and permissions. -* *Add-Ons* -- Amazon EKS saves you from having to build and add software components that are commonly used to support [.noloc]`Kubernetes` clusters. For example, when you create an Amazon EKS cluster from the {aws-management-console}, it automatically adds the Amazon EKS kube-proxy (<>), Amazon VPC CNI plugin for [.noloc]`Kubernetes` (<>), and CoreDNS (<>) add-ons. See <> for more on these add-ons, including a list of which are available. +* *Node management* -- Instead of manually adding nodes, you can have Amazon EKS create nodes automatically as needed, using Managed Node Groups (see <>) or https://karpenter.sh/[Karpenter]. Managed Node Groups have integrations with Kubernetes https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaling]. Using node management tools, you can take advantage of cost savings, with things like link:AWSEC2/latest/UserGuide/using-spot-instances.html[Spot Instances,type="documentation"] and node consolidation, and availability, using https://karpenter.sh/docs/concepts/scheduling/[Scheduling]features to set how workloads are deployed and nodes are selected. +* *Cluster networking* -- Using CloudFormation templates, `eksctl` sets up networking between control plane and data plane (node) components in the Kubernetes cluster. It also sets up endpoints through which internal and external communications can take place. See link:containers/de-mystifying-cluster-networking-for-amazon-eks-worker-nodes[De-mystifying cluster networking for Amazon EKS worker nodes,type="blog"] for details. Communications between Pods in Amazon EKS is done using Amazon EKS Pod Identities (see <>), which provides a means of letting Pods tap into {aws} cloud methods of managing credentials and permissions. +* *Add-Ons* -- Amazon EKS saves you from having to build and add software components that are commonly used to support Kubernetes clusters. For example, when you create an Amazon EKS cluster from the {aws-management-console}, it automatically adds the Amazon EKS kube-proxy (<>), Amazon VPC CNI plugin for Kubernetes (<>), and CoreDNS (<>) add-ons. See <> for more on these add-ons, including a list of which are available. To run your clusters on your own on-premises computers and networks, Amazon offers https://anywhere.eks.amazonaws.com/[Amazon EKS Anywhere]. Instead of the {aws} Cloud being the provider, you have the choice of running Amazon EKS Anywhere on https://anywhere.eks.amazonaws.com/docs/getting-started/vsphere/[VMWare vSphere], https://anywhere.eks.amazonaws.com/docs/getting-started/baremetal/[bare metal] (https://tinkerbell.org[Tinkerbell provider]), https://anywhere.eks.amazonaws.com/docs/getting-started/snow/[Snow], https://anywhere.eks.amazonaws.com/docs/getting-started/cloudstack/[CloudStack], or https://anywhere.eks.amazonaws.com/docs/getting-started/nutanix/[Nutanix] platforms using your own equipment. @@ -112,56 +112,56 @@ Amazon EKS Anywhere is based on the same https://distro.eks.amazonaws.com/[Amazo [#cluster-components] === Cluster components -[.noloc]`Kubernetes` cluster components are divided into two major areas: control plane and worker nodes. https://kubernetes.io/docs/concepts/overview/components/#control-plane-components[Control Plane Components] manage the cluster and provide access to its APIs. Worker nodes (sometimes just referred to as Nodes) provide the places where the actual workloads are run. https://kubernetes.io/docs/concepts/overview/components/#node-components[Node Components] consist of services that run on each node to communicate with the control plane and run containers. The set of worker nodes for your cluster is referred to as the _Data Plane_. +Kubernetes cluster components are divided into two major areas: control plane and worker nodes. https://kubernetes.io/docs/concepts/overview/components/#control-plane-components[Control Plane Components] manage the cluster and provide access to its APIs. Worker nodes (sometimes just referred to as Nodes) provide the places where the actual workloads are run. https://kubernetes.io/docs/concepts/overview/components/#node-components[Node Components] consist of services that run on each node to communicate with the control plane and run containers. The set of worker nodes for your cluster is referred to as the _Data Plane_. [#concepts-control-plane] ==== Control plane The control plane consists of a set of services that manage the cluster. These services may all be running on a single computer or may be spread across multiple computers. Internally, these are referred to as Control Plane Instances (CPIs). How CPIs are run depends on the size of the cluster and requirements for high availability. As demand increase in the cluster, a control plane service can scale to provide more instances of that service, with requests being load balanced between the instances. -Tasks that components of the [.noloc]`Kubernetes` control plane performs include: +Tasks that components of the Kubernetes control plane performs include: -* *Communicating with cluster components (API server)* -- The API server (https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/[kube-apiserver]) exposes the [.noloc]`Kubernetes` API so requests to the cluster can be made from both inside and outside of the cluster. In other words, requests to add or change a cluster's objects (Pods, Services, Nodes, and so on) can come from outside commands, such as requests from `kubectl` to run a Pod. Likewise, requests can be made from the API server to components within the cluster, such as a query to the `kubelet` service for the status of a Pod. +* *Communicating with cluster components (API server)* -- The API server (https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/[kube-apiserver]) exposes the Kubernetes API so requests to the cluster can be made from both inside and outside of the cluster. In other words, requests to add or change a cluster's objects (Pods, Services, Nodes, and so on) can come from outside commands, such as requests from `kubectl` to run a Pod. Likewise, requests can be made from the API server to components within the cluster, such as a query to the `kubelet` service for the status of a Pod. * *Store data about the cluster (`etcd` key value store)* -- The `etcd` service provides the critical role of keeping track of the current state of the cluster. If the `etcd` service became inaccessible, you would be unable to update or query the status of the cluster, though workloads would continue to run for a while. For that reason, critical clusters typically have multiple, load-balanced instances of the `etcd` service running at a time and do periodic backups of the `etcd` key value store in case of data loss or corruption. Keep in mind that, in Amazon EKS, this is all handled for you automatically by default. Amazon EKS Anywhere provides instruction for https://anywhere.eks.amazonaws.com/docs/clustermgmt/etcd-backup-restore/[etcd backup and restore]. See the https://etcd.io/docs/v3.5/learning/data_model/[etcd Data Model] to learn how `etcd` manages data. -* *Schedule Pods to nodes (Scheduler)* -- Requests to start or stop a Pod in [.noloc]`Kubernetes` are directed to the https://kubernetes.io/docs/concepts/scheduling-eviction/kube-scheduler/[Kubernetes Scheduler] (https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/[kube-scheduler]). Because a cluster could have multiple nodes that are capable of running the Pod, it is up to the Scheduler to choose which node (or nodes, in the case of replicas) the Pod should run on. If there is not enough available capacity to run the requested Pod on an existing node, the request will fail, unless you have made other provisions. Those provisions could include enabling services such as Managed Node Groups (<>) or https://karpenter.sh/[Karpenter] that can automatically start up new nodes to handle the workloads. -* *Keep components in desired state (Controller Manager)* -- The [.noloc]`Kubernetes` Controller Manager runs as a daemon process (https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/[kube-controller-manager]) to watch the state of the cluster and make changes to the cluster to reestablish the expected states. In particular, there are several controllers that watch over different [.noloc]`Kubernetes` objects, which includes a `statefulset-controller`, `endpoint-controller`, `cronjob-controller`, `node-controller`, and others. -* *Manage cloud resources (Cloud Controller Manager)* -- Interactions between [.noloc]`Kubernetes` and the cloud provider that carries out requests for the underlying data center resources are handled by the https://kubernetes.io/docs/concepts/architecture/cloud-controller/[Cloud Controller Manager] (https://github.com/kubernetes/kubernetes/tree/master/cmd/cloud-controller-manager[cloud-controller-manager]). Controllers managed by the Cloud Controller Manager can include a route controller (for setting up cloud network routes), service controller (for using cloud load balancing services), and node lifecycle controller (to keep nodes in sync with Kubernetes throughout their lifecycles). +* *Schedule Pods to nodes (Scheduler)* -- Requests to start or stop a Pod in Kubernetes are directed to the https://kubernetes.io/docs/concepts/scheduling-eviction/kube-scheduler/[Kubernetes Scheduler] (https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/[kube-scheduler]). Because a cluster could have multiple nodes that are capable of running the Pod, it is up to the Scheduler to choose which node (or nodes, in the case of replicas) the Pod should run on. If there is not enough available capacity to run the requested Pod on an existing node, the request will fail, unless you have made other provisions. Those provisions could include enabling services such as Managed Node Groups (<>) or https://karpenter.sh/[Karpenter] that can automatically start up new nodes to handle the workloads. +* *Keep components in desired state (Controller Manager)* -- The Kubernetes Controller Manager runs as a daemon process (https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/[kube-controller-manager]) to watch the state of the cluster and make changes to the cluster to reestablish the expected states. In particular, there are several controllers that watch over different Kubernetes objects, which includes a `statefulset-controller`, `endpoint-controller`, `cronjob-controller`, `node-controller`, and others. +* *Manage cloud resources (Cloud Controller Manager)* -- Interactions between Kubernetes and the cloud provider that carries out requests for the underlying data center resources are handled by the https://kubernetes.io/docs/concepts/architecture/cloud-controller/[Cloud Controller Manager] (https://github.com/kubernetes/kubernetes/tree/master/cmd/cloud-controller-manager[cloud-controller-manager]). Controllers managed by the Cloud Controller Manager can include a route controller (for setting up cloud network routes), service controller (for using cloud load balancing services), and node lifecycle controller (to keep nodes in sync with Kubernetes throughout their lifecycles). [#worker-nodes-data-plane] ==== Worker Nodes (data plane) -For a single-node [.noloc]`Kubernetes` cluster, workloads run on the same machine as the control plane. However, a more standard configuration is to have one or more separate computer systems (https://kubernetes.io/docs/concepts/architecture/nodes/[Nodes]) that are dedicated to running [.noloc]`Kubernetes` workloads. +For a single-node Kubernetes cluster, workloads run on the same machine as the control plane. However, a more standard configuration is to have one or more separate computer systems (https://kubernetes.io/docs/concepts/architecture/nodes/[Nodes]) that are dedicated to running Kubernetes workloads. -When you first create a [.noloc]`Kubernetes` cluster, some cluster creation tools allow you to configure a certain number nodes to be added to the cluster (either by identifying existing computer systems or by having the provider create new ones). Before any workloads are added to those systems, services are added to each node to implement these features: +When you first create a Kubernetes cluster, some cluster creation tools allow you to configure a certain number nodes to be added to the cluster (either by identifying existing computer systems or by having the provider create new ones). Before any workloads are added to those systems, services are added to each node to implement these features: * *Manage each node (`kubelet`)* -- The API server communicates with the https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/[kubelet] service running on each node to make sure that the node is properly registered and Pods requested by the Scheduler are running. The kubelet can read the Pod manifests and set up storage volumes or other features needed by the Pods on the local system. It can also check on the health of the locally running containers. -* *Run containers on a node (container runtime)* -- The https://kubernetes.io/docs/setup/production-environment/container-runtimes/[Container Runtime] on each node manages the containers requested for each Pod assigned to the node. That means that it can pull container images from the appropriate registry, run the container, stop it, and responds to queries about the container. The default container runtime is https://github.com/containerd/containerd/blob/main/docs/getting-started.md[containerd]. As of [.noloc]`Kubernetes` 1.24, the special integration of [.noloc]`Docker` (`dockershim`) that could be used as the container runtime was dropped from [.noloc]`Kubernetes`. While you can still use [.noloc]`Docker` to test and run containers on your local system, to use [.noloc]`Docker` with [.noloc]`Kubernetes` you would now have to https://docs.docker.com/engine/install/#server[Install Docker Engine] on each node to use it with [.noloc]`Kubernetes`. -* *Manage networking between containers (`kube-proxy`)* -- To be able to support communication between Pods, [.noloc]`Kubernetes` uses a feature referred to as a https://kubernetes.io/docs/concepts/services-networking/service/[Service] to set up Pod networks that track IP addresses and ports associated with those Pods. The https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/[kube-proxy] service runs on every node to allow that communication between Pods to take place. +* *Run containers on a node (container runtime)* -- The https://kubernetes.io/docs/setup/production-environment/container-runtimes/[Container Runtime] on each node manages the containers requested for each Pod assigned to the node. That means that it can pull container images from the appropriate registry, run the container, stop it, and responds to queries about the container. The default container runtime is https://github.com/containerd/containerd/blob/main/docs/getting-started.md[containerd]. As of Kubernetes 1.24, the special integration of Docker (`dockershim`) that could be used as the container runtime was dropped from Kubernetes. While you can still use Docker to test and run containers on your local system, to use Docker with Kubernetes you would now have to https://docs.docker.com/engine/install/#server[Install Docker Engine] on each node to use it with Kubernetes. +* *Manage networking between containers (`kube-proxy`)* -- To be able to support communication between Pods, Kubernetes uses a feature referred to as a https://kubernetes.io/docs/concepts/services-networking/service/[Service] to set up Pod networks that track IP addresses and ports associated with those Pods. The https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/[kube-proxy] service runs on every node to allow that communication between Pods to take place. [#extend-clusters] === Extend Clusters -There are some services you can add to [.noloc]`Kubernetes` to support the cluster, but are not run in the control plane. These services often run directly on nodes in the kube-system namespace or in its own namespace (as is often done with third-party service providers). A common example is the CoreDNS service, which provides DNS services to the cluster. Refer to https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster-services/[Discovering builtin services] for information on how to see which cluster services are running in kube-system on your cluster. +There are some services you can add to Kubernetes to support the cluster, but are not run in the control plane. These services often run directly on nodes in the kube-system namespace or in its own namespace (as is often done with third-party service providers). A common example is the CoreDNS service, which provides DNS services to the cluster. Refer to https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster-services/[Discovering builtin services] for information on how to see which cluster services are running in kube-system on your cluster. -There are different types of add-ons you can consider adding to your clusters. To keep your clusters healthy, you can add observability features (see <>) that allow you to do things like logging, auditing, and metrics. With this information, you can troubleshoot problems that occur, often through the same observability interfaces. Examples of these types of services include link:guardduty/latest/ug/runtime-monitoring.html[Amazon GuardDuty,type="documentation"], CloudWatch (see <>), https://aws-otel.github.io/[{aws} Distro for OpenTelemetry], Amazon VPC CNI plugin for [.noloc]`Kubernetes` (see <>), and https://grafana.com/docs/grafana-cloud/monitor-infrastructure/kubernetes-monitoring/configuration/config-aws-eks/[Grafana Kubernetes Monitoring]. For storage (see <>), add-ons to Amazon EKS include Amazon Elastic Block Store CSI Driver (see <>), Amazon Elastic File System CSI Driver (see <>), and several third-party storage add-ons such as Amazon FSx for NetApp ONTAP CSI driver <>). +There are different types of add-ons you can consider adding to your clusters. To keep your clusters healthy, you can add observability features (see <>) that allow you to do things like logging, auditing, and metrics. With this information, you can troubleshoot problems that occur, often through the same observability interfaces. Examples of these types of services include link:guardduty/latest/ug/runtime-monitoring.html[Amazon GuardDuty,type="documentation"], CloudWatch (see <>), https://aws-otel.github.io/[{aws} Distro for OpenTelemetry], Amazon VPC CNI plugin for Kubernetes (see <>), and https://grafana.com/docs/grafana-cloud/monitor-infrastructure/kubernetes-monitoring/configuration/config-aws-eks/[Grafana Kubernetes Monitoring]. For storage (see <>), add-ons to Amazon EKS include Amazon Elastic Block Store CSI Driver (see <>), Amazon Elastic File System CSI Driver (see <>), and several third-party storage add-ons such as Amazon FSx for NetApp ONTAP CSI driver <>). For a more complete list of available Amazon EKS add-ons, see <>. [#workloads] == Workloads -[.noloc]`Kubernetes` defines a https://kubernetes.io/docs/concepts/workloads/[Workload] as "`an application running on [.noloc]`Kubernetes`.`" That application can consist of a set of microservices run as https://kubernetes.io/docs/reference/glossary/?fundamental=true#term-container[Containers] in https://kubernetes.io/docs/reference/glossary/?fundamental=true#term-pod[Pods], or could be run as a batch job or other type of applications. The job of [.noloc]`Kubernetes` is to make sure that the requests that you make for those objects to be set up or deployed are carried out. As someone deploying applications, you should learn about how containers are built, how Pods are defined, and what methods you can use for deploying them. +Kubernetes defines a https://kubernetes.io/docs/concepts/workloads/[Workload] as "`an application running on Kubernetes.`" That application can consist of a set of microservices run as https://kubernetes.io/docs/reference/glossary/?fundamental=true#term-container[Containers] in https://kubernetes.io/docs/reference/glossary/?fundamental=true#term-pod[Pods], or could be run as a batch job or other type of applications. The job of Kubernetes is to make sure that the requests that you make for those objects to be set up or deployed are carried out. As someone deploying applications, you should learn about how containers are built, how Pods are defined, and what methods you can use for deploying them. [#containers] === Containers -The most basic element of an application workload that you deploy and manage in [.noloc]`Kubernetes` is a _https://kubernetes.io/docs/concepts/workloads/pods/[Pod]_. A Pod represents a way of holding the components of an application as well as defining specifications that describe the Pod's attributes. Contrast this to something like an RPM or Deb package, which packages together software for a Linux system, but does not itself run as an entity. +The most basic element of an application workload that you deploy and manage in Kubernetes is a _https://kubernetes.io/docs/concepts/workloads/pods/[Pod]_. A Pod represents a way of holding the components of an application as well as defining specifications that describe the Pod's attributes. Contrast this to something like an RPM or Deb package, which packages together software for a Linux system, but does not itself run as an entity. Because the Pod is the smallest deployable unit, it typically holds a single container. However, multiple containers can be in a Pod in cases where the containers are tightly coupled. For example, a web server container might be packaged in a Pod with a https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/[sidecar] type of container that may provide logging, monitoring, or other service that is closely tied to the web server container. In this case, being in the same Pod ensures that for each running instance of the Pod, both containers always run on the same node. Likewise, all containers in a Pod share the same environment, with the containers in a Pod running as though they are in the same isolated host. The effect of this is that the containers share a single IP address that provides access to the Pod and the containers can communicate with each other as though they were running on their own localhost. @@ -172,9 +172,9 @@ While a Pod is the smallest unit you deploy, a container is the smallest unit th [#building-containers] ==== Building Containers -The Pod is really just a structure around one or more containers, with each container itself holding the file system, executables, configuration files, libraries, and other components to actually run the application. Because a company called [.noloc]`Docker` Inc. first popularized containers, some people refer to containers as [.noloc]`Docker` Containers. However, the https://opencontainers.org/[Open Container Initiative] has since defined container runtimes, images, and distribution methods for the industry. Add to that the fact that containers were created from many existing Linux features, others often refer to containers as OCI Containers, Linux Containers, or just Containers. +The Pod is really just a structure around one or more containers, with each container itself holding the file system, executables, configuration files, libraries, and other components to actually run the application. Because a company called Docker Inc. first popularized containers, some people refer to containers as Docker Containers. However, the https://opencontainers.org/[Open Container Initiative] has since defined container runtimes, images, and distribution methods for the industry. Add to that the fact that containers were created from many existing Linux features, others often refer to containers as OCI Containers, Linux Containers, or just Containers. -When you build a container, you typically start with a [.noloc]`Dockerfile` (literally named that). Inside that Dockerfile, you identify: +When you build a container, you typically start with a Dockerfile (literally named that). Inside that Dockerfile, you identify: @@ -191,14 +191,14 @@ Once you've built your container image, you can store it in a container https:// To store container images in a more public manner, you can push them to a public container registry. Public container registries provide a central location for storing and distributing container images. Examples of public container registries include the link:ecr/[Amazon Elastic Container Registry,type="marketing"], https://quay.io/[Red Hat Quay] registry, and https://hub.docker.com/[Docker Hub] registry. -When running containerized workloads on Amazon Elastic Kubernetes Service (Amazon EKS) we recommend pulling copies of [.noloc]`Docker` Official Images that are stored in Amazon Elastic Container Registry. Amazon ECR has been storing these images since 2021. You can search for popular container images in the https://gallery.ecr.aws/[Amazon ECR Public Gallery], and specifically for the [.noloc]`Docker` Hub images, you can search the https://gallery.ecr.aws/docker/[Amazon ECR Docker Gallery]. +When running containerized workloads on Amazon Elastic Kubernetes Service (Amazon EKS) we recommend pulling copies of Docker Official Images that are stored in Amazon Elastic Container Registry. Amazon ECR has been storing these images since 2021. You can search for popular container images in the https://gallery.ecr.aws/[Amazon ECR Public Gallery], and specifically for the Docker Hub images, you can search the https://gallery.ecr.aws/docker/[Amazon ECR Docker Gallery]. [#running-containers] ==== Running containers -Because containers are built in a standard format, a container can run on any machine that can run a container runtime (such as [.noloc]`Docker`) and whose contents match the local machine's architecture (such as `x86_64` or `arm`). To test a container or just run it on your local desktop, you can use `docker run` or `podman run` commands to start up a container on the localhost. For [.noloc]`Kubernetes`, however, each worker node has a container runtime deployed and it is up to [.noloc]`Kubernetes` to request that a node run a container. +Because containers are built in a standard format, a container can run on any machine that can run a container runtime (such as Docker) and whose contents match the local machine's architecture (such as `x86_64` or `arm`). To test a container or just run it on your local desktop, you can use `docker run` or `podman run` commands to start up a container on the localhost. For Kubernetes, however, each worker node has a container runtime deployed and it is up to Kubernetes to request that a node run a container. -Once a container has been assigned to run on a node, the node looks to see if the requested version of the container image already exists on the node. If it doesn't, [.noloc]`Kubernetes` tells the container runtime to pull that container from the appropriate container registry, then run that container locally. Keep in mind that a _container image_ refers to the software package that is moved around between your laptop, the container registry, and [.noloc]`Kubernetes` nodes. A _container_ refers to a running instance of that image. +Once a container has been assigned to run on a node, the node looks to see if the requested version of the container image already exists on the node. If it doesn't, Kubernetes tells the container runtime to pull that container from the appropriate container registry, then run that container locally. Keep in mind that a _container image_ refers to the software package that is moved around between your laptop, the container registry, and Kubernetes nodes. A _container_ refers to a running instance of that image. [#pods] === Pods @@ -212,13 +212,13 @@ When you define a Pod, you assign a set of attributes to it. Those attributes mu -* *Storage* -- When a running container is stopped and deleted, data storage in that container will disappear, unless you set up more permanent storage. [.noloc]`Kubernetes` supports many different storage types and abstracts them under the umbrella of https://kubernetes.io/docs/concepts/storage/volumes/[Volumes]. Storage types include https://kubernetes.io/docs/concepts/storage/volumes/#cephfs[CephFS], https://kubernetes.io/docs/concepts/storage/volumes/#nfs[NFS], https://kubernetes.io/docs/concepts/storage/volumes/#iscsi[iSCSI], and others. You can even use a https://kubernetes.io/docs/concepts/storage/volumes/#local[local block device] from the local computer. With one of those storage types available from your cluster, you can mount the storage volume to a selected mount point in your container's file system. A https://kubernetes.io/docs/concepts/storage/persistent-volumes/[Persistent Volume] is one that continues to exist after the Pod is deleted, while an https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/[Ephemeral Volume] is deleted when the Pod is deleted. If your cluster administrator created different https://kubernetes.io/docs/concepts/storage/storage-classes/[storage classes] for your cluster, you might have the option for choosing the attributes of the storage you use, such as whether the volume is deleted or reclaimed after use, whether it will expand if more space is needed, and even whether it meets certain performance requirements. +* *Storage* -- When a running container is stopped and deleted, data storage in that container will disappear, unless you set up more permanent storage. Kubernetes supports many different storage types and abstracts them under the umbrella of https://kubernetes.io/docs/concepts/storage/volumes/[Volumes]. Storage types include https://kubernetes.io/docs/concepts/storage/volumes/#cephfs[CephFS], https://kubernetes.io/docs/concepts/storage/volumes/#nfs[NFS], https://kubernetes.io/docs/concepts/storage/volumes/#iscsi[iSCSI], and others. You can even use a https://kubernetes.io/docs/concepts/storage/volumes/#local[local block device] from the local computer. With one of those storage types available from your cluster, you can mount the storage volume to a selected mount point in your container's file system. A https://kubernetes.io/docs/concepts/storage/persistent-volumes/[Persistent Volume] is one that continues to exist after the Pod is deleted, while an https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/[Ephemeral Volume] is deleted when the Pod is deleted. If your cluster administrator created different https://kubernetes.io/docs/concepts/storage/storage-classes/[storage classes] for your cluster, you might have the option for choosing the attributes of the storage you use, such as whether the volume is deleted or reclaimed after use, whether it will expand if more space is needed, and even whether it meets certain performance requirements. * *Secrets* -- By making https://kubernetes.io/docs/concepts/configuration/secret/[Secrets] available to containers in Pod specs, you can provide the permissions those containers need to access file systems, data bases, or other protected assets. Keys, passwords, and tokens are among the items that can be stored as secrets. Using secrets makes it so you don't have to store this information in container images, but need only make the secrets available to running containers. Similar to Secrets are https://kubernetes.io/docs/concepts/configuration/configmap/[ConfigMaps]. A `ConfigMap` tends to hold less critical information, such as key-value pairs for configuring a service. * *Container resources* -- Objects for further configuring containers can take the form of resource configuration. For each container, you can request the amount of memory and CPU that it can use, as well as place limits of the total amount of those resources that the container can use. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/[Resource Management for Pods and Containers] for examples. * *Disruptions* -- Pods can be disrupted involuntarily (a node goes down) or voluntarily (an upgrade is desired). By configuring a https://kubernetes.io/docs/concepts/workloads/pods/disruptions/#pod-disruption-budgets[Pod disruption budget], you can exert some control over how available your application remains when disruptions occur. See https://kubernetes.io/docs/tasks/run-application/configure-pdb/[Specifying a Disruption Budget] for your application for examples. -* *Namespaces* -- [.noloc]`Kubernetes` provides different ways to isolate [.noloc]`Kubernetes` components and workloads from each other. Running all the Pods for a particular application in the same https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/[Namespace] is a common way to secure and manage those Pods together. You can create your own namespaces to use or choose to not indicate a namespace (which causes [.noloc]`Kubernetes` to use the `default` namespace). [.noloc]`Kubernetes` control plane components typically run in the https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/[kube-system] namespace. +* *Namespaces* -- Kubernetes provides different ways to isolate Kubernetes components and workloads from each other. Running all the Pods for a particular application in the same https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/[Namespace] is a common way to secure and manage those Pods together. You can create your own namespaces to use or choose to not indicate a namespace (which causes Kubernetes to use the `default` namespace). Kubernetes control plane components typically run in the https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/[kube-system] namespace. -The configuration just described is typically gathered together in a YAML file to be applied to the [.noloc]`Kubernetes` cluster. For personal [.noloc]`Kubernetes` clusters, you might just store these YAML files on your local system. However, with more critical clusters and workloads, https://www.eksworkshop.com/docs/automation/gitops/[GitOps] is a popular way to automate storage and updates to both workload and [.noloc]`Kubernetes` infrastructure resources. +The configuration just described is typically gathered together in a YAML file to be applied to the Kubernetes cluster. For personal Kubernetes clusters, you might just store these YAML files on your local system. However, with more critical clusters and workloads, https://www.eksworkshop.com/docs/automation/gitops/[GitOps] is a popular way to automate storage and updates to both workload and Kubernetes infrastructure resources. The objects used to gather together and deploy Pod information is defined by one of the following deployment methods. @@ -230,26 +230,26 @@ The method you would choose for deploying Pods depends on the type of applicatio * *Stateless applications* -- A stateless application doesn't save a client's session data, so another session doesn't need to refer back to what happened to a previous session. This makes is easier to just replace Pods with new ones if they become unhealthy or move them around without saving state. If you are running a stateless application (such as a web server), you can use a https://kubernetes.io/docs/concepts/workloads/controllers/deployment/[Deployment] to deploy https://kubernetes.io/docs/concepts/workloads/pods/[Pods]and https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/[ReplicaSets]. A ReplicaSet defines how many instances of a Pod that you want running concurrently. Although you can run a ReplicaSet directly, it is common to run replicas directly within a Deployment, to define how many replicas of a Pod should be running at a time. -* *Stateful applications* -- A stateful application is one where the identity of the Pod and the order in which Pods are launched are important. These applications need persistent storage that is stable and need to be deployed and scaled in a consistent manner. To deploy a stateful application in [.noloc]`Kubernetes`, you can use https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/[StatefulSets]. An example of an application that is typically run as a StatefulSet is a database. Within a StatefulSet, you could define replicas, the Pod and its containers, storage volumes to mount, and locations in the container where data are stored. See https://kubernetes.io/docs/tasks/run-application/run-replicated-stateful-application/[Run a Replicated Stateful Application] for an example of a database being deployed as a ReplicaSet. -* *Per-node applications* -- There are times when you want to run an application on every node in your [.noloc]`Kubernetes` cluster. For example, your data center might require that every computer run a monitoring application or a particular remote access service. For [.noloc]`Kubernetes`, you can use a https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/[DaemonSet] to ensure that the selected application runs on every node in your cluster. +* *Stateful applications* -- A stateful application is one where the identity of the Pod and the order in which Pods are launched are important. These applications need persistent storage that is stable and need to be deployed and scaled in a consistent manner. To deploy a stateful application in Kubernetes, you can use https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/[StatefulSets]. An example of an application that is typically run as a StatefulSet is a database. Within a StatefulSet, you could define replicas, the Pod and its containers, storage volumes to mount, and locations in the container where data are stored. See https://kubernetes.io/docs/tasks/run-application/run-replicated-stateful-application/[Run a Replicated Stateful Application] for an example of a database being deployed as a ReplicaSet. +* *Per-node applications* -- There are times when you want to run an application on every node in your Kubernetes cluster. For example, your data center might require that every computer run a monitoring application or a particular remote access service. For Kubernetes, you can use a https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/[DaemonSet] to ensure that the selected application runs on every node in your cluster. * *Applications run to completion* -- There are some applications you want to run to complete a particular task. This could include one that runs monthly status reports or cleans out old data. A https://kubernetes.io/docs/concepts/workloads/controllers/job/[Job] object can be used to set up an application to start up and run, then exit when the task is done. A https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/[CronJob] object lets you set up an application to run at a specific hour, minute, day of the month, month, or day of the week, using a structure defined by the Linux https://man7.org/linux/man-pages/man5/crontab.5.html[crontab] format. [#making-applications-accessible-from-the-network] ==== Making applications accessible from the network -With applications often deployed as a set of microservices that moved around to different places, [.noloc]`Kubernetes` needed a way for those microservices to be able to find each other. Also, for others to access an application outside of the [.noloc]`Kubernetes` cluster, [.noloc]`Kubernetes` needed a way to expose that application on outside addresses and ports. These networking-related features are done with Service and Ingress objects, respectively: +With applications often deployed as a set of microservices that moved around to different places, Kubernetes needed a way for those microservices to be able to find each other. Also, for others to access an application outside of the Kubernetes cluster, Kubernetes needed a way to expose that application on outside addresses and ports. These networking-related features are done with Service and Ingress objects, respectively: -* *Services* -- Because a Pod can move around to different nodes and addresses, another Pod that needed to communicate with the first Pod could find it difficult to find where it is. To solve this problem, [.noloc]`Kubernetes` lets you represent an application as a https://kubernetes.io/docs/concepts/services-networking/service/[Service]. With a Service, you can identify a Pod or set of Pods with a particular name, then indicate what port exposes that application's service from the Pod and what ports another application could use to contact that service. Another Pod within a cluster can simply request a Service by name and [.noloc]`Kubernetes` will direct that request to the proper port for an instance of the Pod running that service. -* *Ingress* -- https://kubernetes.io/docs/concepts/services-networking/ingress/[Ingress] is what can make applications represented by [.noloc]`Kubernetes` Services available to clients that are outside of the cluster. Basic features of Ingress include a load balancer (managed by Ingress), the Ingress controller, and rules for routing requests from the controller to the Service. There are several https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/[Ingress Controllers] that you can choose from with [.noloc]`Kubernetes`. +* *Services* -- Because a Pod can move around to different nodes and addresses, another Pod that needed to communicate with the first Pod could find it difficult to find where it is. To solve this problem, Kubernetes lets you represent an application as a https://kubernetes.io/docs/concepts/services-networking/service/[Service]. With a Service, you can identify a Pod or set of Pods with a particular name, then indicate what port exposes that application's service from the Pod and what ports another application could use to contact that service. Another Pod within a cluster can simply request a Service by name and Kubernetes will direct that request to the proper port for an instance of the Pod running that service. +* *Ingress* -- https://kubernetes.io/docs/concepts/services-networking/ingress/[Ingress] is what can make applications represented by Kubernetes Services available to clients that are outside of the cluster. Basic features of Ingress include a load balancer (managed by Ingress), the Ingress controller, and rules for routing requests from the controller to the Service. There are several https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/[Ingress Controllers] that you can choose from with Kubernetes. [#next-steps] == Next steps -Understanding basic [.noloc]`Kubernetes` concepts and how they relate to Amazon EKS will help you navigate both the link:eks/[Amazon EKS documentation,type="documentation"] and https://kubernetes.io/docs[Kubernetes documentation] to find the information you need to manage Amazon EKS clusters and deploy workloads to those clusters. To begin using Amazon EKS, choose from the following: +Understanding basic Kubernetes concepts and how they relate to Amazon EKS will help you navigate both the link:eks/[Amazon EKS documentation,type="documentation"] and https://kubernetes.io/docs[Kubernetes documentation] to find the information you need to manage Amazon EKS clusters and deploy workloads to those clusters. To begin using Amazon EKS, choose from the following: diff --git a/latest/ug/workloads/add-ons-iam.adoc b/latest/ug/workloads/add-ons-iam.adoc index e3c74498e..151ff2ff5 100644 --- a/latest/ug/workloads/add-ons-iam.adoc +++ b/latest/ug/workloads/add-ons-iam.adoc @@ -28,7 +28,7 @@ Amazon EKS add-ons can help manage the life cycle of pod identity associations c . Determine if the add-on you want to install requires IAM permissions using the `describe-addon-versions` {aws} CLI operation. If the `requiresIamPermissions` flag is `true`, then you should use the `describe-addon-configurations` operation to determine the permissions needed by the addon. The response includes a list of suggested managed IAM policies. . Retrieve the name of the Kubernetes Service Account and the IAM policy using the `describe-addon-configuration` CLI operation. Evaluate the scope of the suggested policy against your security requirements. . Create an IAM role using the suggested permissions policy, and the trust policy required by Pod Identity. For more information, see <>. -. Create or update an Amazon EKS add-on using the CLI. Specify at least one pod identity association. A pod identity association is the name of a [.noloc]`Kubernetes` service account, and the ARN of the IAM role. +. Create or update an Amazon EKS add-on using the CLI. Specify at least one pod identity association. A pod identity association is the name of a Kubernetes service account, and the ARN of the IAM role. * Pod identity associations created using the add-on APIs are owned by the respective add-on. If you delete the add-on, the pod identity association is also deleted. You can prevent this cascading delete by using the `preserve` option when deleting an addon using the {aws} CLI or API. You also can directly update or delete the pod identity association if necessary. Add-ons can't assume ownership of existing pod identity associations. You must delete the existing association and re-create it using an add-on create or update operation. diff --git a/latest/ug/workloads/alb-ingress.adoc b/latest/ug/workloads/alb-ingress.adoc index 1468c07f8..2838d307c 100644 --- a/latest/ug/workloads/alb-ingress.adoc +++ b/latest/ug/workloads/alb-ingress.adoc @@ -1,6 +1,6 @@ [.topic] [#alb-ingress] -= Route application and [.noloc]`HTTP` traffic with [.noloc]`Application Load Balancers` += Route application and HTTP traffic with Application Load Balancers :info_titleabbrev: Application load balancing include::../attributes.txt[] @@ -19,9 +19,9 @@ Learn how to use Application Load Balancing on Amazon EKS to load balance applic ==== -When you create a [.noloc]`Kubernetes` `ingress`, an {aws} Application Load Balancer (ALB) is provisioned that load balances application traffic. To learn more, see link:elasticloadbalancing/latest/application/introduction.html[What is an Application Load Balancer?,type="documentation"] in the _Application Load Balancers User Guide_ and https://kubernetes.io/docs/concepts/services-networking/ingress/[Ingress] in the [.noloc]`Kubernetes` documentation. ALBs can be used with [.noloc]`Pods` that are deployed to nodes or to {aws} Fargate. You can deploy an ALB to public or private subnets. +When you create a Kubernetes `ingress`, an {aws} Application Load Balancer (ALB) is provisioned that load balances application traffic. To learn more, see link:elasticloadbalancing/latest/application/introduction.html[What is an Application Load Balancer?,type="documentation"] in the _Application Load Balancers User Guide_ and https://kubernetes.io/docs/concepts/services-networking/ingress/[Ingress] in the Kubernetes documentation. ALBs can be used with Pods that are deployed to nodes or to {aws} Fargate. You can deploy an ALB to public or private subnets. -Application traffic is balanced at `L7` of the OSI model. To load balance network traffic at `L4`, you deploy a [.noloc]`Kubernetes` `service` of the `LoadBalancer` type. This type provisions an {aws} Network Load Balancer. For more information, see <>. To learn more about the differences between the two types of load balancing, see link:elasticloadbalancing/features/[Elastic Load Balancing features,type="marketing"] on the {aws} website. +Application traffic is balanced at `L7` of the OSI model. To load balance network traffic at `L4`, you deploy a Kubernetes `service` of the `LoadBalancer` type. This type provisions an {aws} Network Load Balancer. For more information, see <>. To learn more about the differences between the two types of load balancing, see link:elasticloadbalancing/features/[Elastic Load Balancing features,type="marketing"] on the {aws} website. == Prerequisites @@ -29,8 +29,8 @@ Application traffic is balanced at `L7` of the OSI model. To load balance networ Before you can load balance application traffic to an application, you must meet the following requirements. * Have an existing cluster. If you don't have an existing cluster, see <>. If you need to update the version of an existing cluster, see <>. -* Have the [.noloc]`{aws} Load Balancer Controller` deployed on your cluster. For more information, see <>. We recommend version `2.7.2` or later. -* At least two subnets in different Availability Zones. The [.noloc]`{aws} Load Balancer Controller` chooses one subnet from each Availability Zone. When multiple tagged subnets are found in an Availability Zone, the controller chooses the subnet whose subnet ID comes first lexicographically. Each subnet must have at least eight available IP addresses. +* Have the {aws} Load Balancer Controller deployed on your cluster. For more information, see <>. We recommend version `2.7.2` or later. +* At least two subnets in different Availability Zones. The {aws} Load Balancer Controller chooses one subnet from each Availability Zone. When multiple tagged subnets are found in an Availability Zone, the controller chooses the subnet whose subnet ID comes first lexicographically. Each subnet must have at least eight available IP addresses. + If you're using multiple security groups attached to worker node, exactly one security group must be tagged as follows. Replace [.replaceable]`my-cluster` with your cluster name. + @@ -38,23 +38,23 @@ If you're using multiple security groups attached to worker node, exactly one se – `kubernetes.io/cluster/` ** *Value* – `shared` or `owned` -* If you're using the [.noloc]`{aws} Load Balancer Controller` version `2.1.1` or earlier, subnets must be tagged in the format that follows. If you're using version `2.1.2` or later, tagging is optional. However, we recommend that you tag a subnet if any of the following is the case. You have multiple clusters that are running in the same VPC, or have multiple {aws} services that share subnets in a VPC. Or, you want more control over where load balancers are provisioned for each cluster. Replace [.replaceable]`my-cluster` with your cluster name. +* If you're using the {aws} Load Balancer Controller version `2.1.1` or earlier, subnets must be tagged in the format that follows. If you're using version `2.1.2` or later, tagging is optional. However, we recommend that you tag a subnet if any of the following is the case. You have multiple clusters that are running in the same VPC, or have multiple {aws} services that share subnets in a VPC. Or, you want more control over where load balancers are provisioned for each cluster. Replace [.replaceable]`my-cluster` with your cluster name. + ** *Key* – `kubernetes.io/cluster/` ** *Value* – `shared` or `owned` -* Your public and private subnets must meet the following requirements. This is unless you explicitly specify subnet IDs as an annotation on a service or ingress object. Assume that you provision load balancers by explicitly specifying subnet IDs as an annotation on a service or ingress object. In this situation, [.noloc]`Kubernetes` and the {aws} load balancer controller use those subnets directly to create the load balancer and the following tags aren't required. +* Your public and private subnets must meet the following requirements. This is unless you explicitly specify subnet IDs as an annotation on a service or ingress object. Assume that you provision load balancers by explicitly specifying subnet IDs as an annotation on a service or ingress object. In this situation, Kubernetes and the {aws} load balancer controller use those subnets directly to create the load balancer and the following tags aren't required. + ** *Private subnets* - – Must be tagged in the following format. This is so that [.noloc]`Kubernetes` and the {aws} load balancer controller know that the subnets can be used for internal load balancers. If you use `eksctl` or an Amazon EKS {aws} CloudFormation template to create your VPC after March 26, 2020, the subnets are tagged appropriately when created. For more information about the Amazon EKS {aws} CloudFormation VPC templates, see <>. + – Must be tagged in the following format. This is so that Kubernetes and the {aws} load balancer controller know that the subnets can be used for internal load balancers. If you use `eksctl` or an Amazon EKS {aws} CloudFormation template to create your VPC after March 26, 2020, the subnets are tagged appropriately when created. For more information about the Amazon EKS {aws} CloudFormation VPC templates, see <>. + *** *Key* – `kubernetes.io/role/internal-elb` *** *Value* – `1` ** *Public subnets* - – Must be tagged in the following format. This is so that [.noloc]`Kubernetes` knows to use only the subnets that were specified for external load balancers. This way, [.noloc]`Kubernetes` doesn't choose a public subnet in each Availability Zone (lexicographically based on their subnet ID). If you use `eksctl` or an Amazon EKS {aws} CloudFormation template to create your VPC after March 26, 2020, the subnets are tagged appropriately when created. For more information about the Amazon EKS {aws} CloudFormation VPC templates, see <>. + – Must be tagged in the following format. This is so that Kubernetes knows to use only the subnets that were specified for external load balancers. This way, Kubernetes doesn't choose a public subnet in each Availability Zone (lexicographically based on their subnet ID). If you use `eksctl` or an Amazon EKS {aws} CloudFormation template to create your VPC after March 26, 2020, the subnets are tagged appropriately when created. For more information about the Amazon EKS {aws} CloudFormation VPC templates, see <>. + *** *Key* – `kubernetes.io/role/elb` @@ -62,10 +62,10 @@ If you're using multiple security groups attached to worker node, exactly one se – `1` + -If the subnet role tags aren't explicitly added, the [.noloc]`Kubernetes` service controller examines the route table of your cluster VPC subnets. This is to determine if the subnet is private or public. We recommend that you don't rely on this behavior. Rather, explicitly add the private or public role tags. The [.noloc]`{aws} Load Balancer Controller` doesn't examine route tables. It also requires the private and public tags to be present for successful auto discovery. +If the subnet role tags aren't explicitly added, the Kubernetes service controller examines the route table of your cluster VPC subnets. This is to determine if the subnet is private or public. We recommend that you don't rely on this behavior. Rather, explicitly add the private or public role tags. The {aws} Load Balancer Controller doesn't examine route tables. It also requires the private and public tags to be present for successful auto discovery. -* The https://github.com/kubernetes-sigs/aws-load-balancer-controller[{aws} Load Balancer Controller] creates ALBs and the necessary supporting {aws} resources whenever a [.noloc]`Kubernetes` ingress resource is created on the cluster with the `kubernetes.io/ingress.class: alb` annotation. The ingress resource configures the ALB to route HTTP or HTTPS traffic to different [.noloc]`Pods` within the cluster. To ensure that your ingress objects use the [.noloc]`{aws} Load Balancer Controller`, add the following annotation to your [.noloc]`Kubernetes` ingress specification. For more information, see https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/ingress/spec/[Ingress specification] on [.noloc]`GitHub`. +* The https://github.com/kubernetes-sigs/aws-load-balancer-controller[{aws} Load Balancer Controller] creates ALBs and the necessary supporting {aws} resources whenever a Kubernetes ingress resource is created on the cluster with the `kubernetes.io/ingress.class: alb` annotation. The ingress resource configures the ALB to route HTTP or HTTPS traffic to different Pods within the cluster. To ensure that your ingress objects use the {aws} Load Balancer Controller, add the following annotation to your Kubernetes ingress specification. For more information, see https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/ingress/spec/[Ingress specification] on GitHub. + [source,yaml,subs="verbatim,attributes"] ---- @@ -73,29 +73,29 @@ annotations: kubernetes.io/ingress.class: alb ---- + -NOTE: If you're load balancing to `IPv6` [.noloc]`Pods`, add the following annotation to your ingress spec. You can only load balance over `IPv6` to IP targets, not instance targets. Without this annotation, load balancing is over `IPv4`. +NOTE: If you're load balancing to `IPv6` Pods, add the following annotation to your ingress spec. You can only load balance over `IPv6` to IP targets, not instance targets. Without this annotation, load balancing is over `IPv4`. [source,yaml,subs="verbatim,attributes"] ---- alb.ingress.kubernetes.io/ip-address-type: dualstack ---- -* The [.noloc]`{aws} Load Balancer Controller` supports the following traffic modes: +* The {aws} Load Balancer Controller supports the following traffic modes: + ** *Instance* - – Registers nodes within your cluster as targets for the ALB. Traffic reaching the ALB is routed to `NodePort` for your service and then proxied to your [.noloc]`Pods`. This is the default traffic mode. You can also explicitly specify it with the `alb.ingress.kubernetes.io/target-type: instance` annotation. + – Registers nodes within your cluster as targets for the ALB. Traffic reaching the ALB is routed to `NodePort` for your service and then proxied to your Pods. This is the default traffic mode. You can also explicitly specify it with the `alb.ingress.kubernetes.io/target-type: instance` annotation. + -NOTE: Your [.noloc]`Kubernetes` service must specify the `NodePort` or "LoadBalancer" type to use this traffic mode. +NOTE: Your Kubernetes service must specify the `NodePort` or "LoadBalancer" type to use this traffic mode. ** *IP* - – Registers [.noloc]`Pods` as targets for the ALB. Traffic reaching the ALB is directly routed to [.noloc]`Pods` for your service. You must specify the `alb.ingress.kubernetes.io/target-type: ip` annotation to use this traffic mode. The IP target type is required when target [.noloc]`Pods` are running on Fargate or Amazon EKS Hybrid Nodes. -* To tag ALBs created by the controller, add the following annotation to the controller: `alb.ingress.kubernetes.io/tags`. For a list of all available annotations supported by the [.noloc]`{aws} Load Balancer Controller`, see https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/ingress/annotations/[Ingress annotations] on [.noloc]`GitHub`. -* Upgrading or downgrading the ALB controller version can introduce breaking changes for features that rely on it. For more information about the breaking changes that are introduced in each release, see the https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases[ALB controller release notes] on [.noloc]`GitHub`. + – Registers Pods as targets for the ALB. Traffic reaching the ALB is directly routed to Pods for your service. You must specify the `alb.ingress.kubernetes.io/target-type: ip` annotation to use this traffic mode. The IP target type is required when target Pods are running on Fargate or Amazon EKS Hybrid Nodes. +* To tag ALBs created by the controller, add the following annotation to the controller: `alb.ingress.kubernetes.io/tags`. For a list of all available annotations supported by the {aws} Load Balancer Controller, see https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/ingress/annotations/[Ingress annotations] on GitHub. +* Upgrading or downgrading the ALB controller version can introduce breaking changes for features that rely on it. For more information about the breaking changes that are introduced in each release, see the https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases[ALB controller release notes] on GitHub. == Reuse ALBs with Ingress Groups You can share an application load balancer across multiple service resources using `IngressGroups`. -To join an ingress to a group, add the following annotation to a [.noloc]`Kubernetes` ingress resource specification. +To join an ingress to a group, add the following annotation to a Kubernetes ingress resource specification. [source,yaml,subs="verbatim,attributes"] ---- @@ -117,7 +117,7 @@ The controller automatically merges ingress rules for all ingresses in the same *Potential security risk* -Specify an ingress group for an ingress only when all the [.noloc]`Kubernetes` users that have RBAC permission to create or modify ingress resources are within the same trust boundary. If you add the annotation with a group name, other [.noloc]`Kubernetes` users might create or modify their ingresses to belong to the same ingress group. Doing so can cause undesirable behavior, such as overwriting existing rules with higher priority rules. +Specify an ingress group for an ingress only when all the Kubernetes users that have RBAC permission to create or modify ingress resources are within the same trust boundary. If you add the annotation with a group name, other Kubernetes users might create or modify their ingresses to belong to the same ingress group. Doing so can cause undesirable behavior, such as overwriting existing rules with higher priority rules. ==== @@ -141,9 +141,9 @@ Ensure that each ingress in the same ingress group has a unique priority number. == (Optional) Deploy a sample application * At least one public or private subnet in your cluster VPC. -* Have the [.noloc]`{aws} Load Balancer Controller` deployed on your cluster. For more information, see <>. We recommend version `2.7.2` or later. +* Have the {aws} Load Balancer Controller deployed on your cluster. For more information, see <>. We recommend version `2.7.2` or later. -You can run the sample application on a cluster that has Amazon EC2 nodes, Fargate [.noloc]`Pods`, or both. +You can run the sample application on a cluster that has Amazon EC2 nodes, Fargate Pods, or both. . If you're not deploying to Fargate, skip this step. If you're deploying to Fargate, create a Fargate profile. You can create the profile by running the following command or in the <> using the same values for `name` and `namespace` that are in the command. Replace the [.replaceable]`example values` with your own. + @@ -155,9 +155,9 @@ eksctl create fargateprofile \ --name alb-sample-app \ --namespace game-2048 ---- -. Deploy the game https://play2048.co/[2048] as a sample application to verify that the [.noloc]`{aws} Load Balancer Controller` creates an {aws} ALB as a result of the ingress object. Complete the steps for the type of subnet you're deploying to. +. Deploy the game https://play2048.co/[2048] as a sample application to verify that the {aws} Load Balancer Controller creates an {aws} ALB as a result of the ingress object. Complete the steps for the type of subnet you're deploying to. + -.. If you're deploying to [.noloc]`Pods` in a cluster that you created with the `IPv6` family, skip to the next step. +.. If you're deploying to Pods in a cluster that you created with the `IPv6` family, skip to the next step. + *** *Public*:: @@ -183,7 +183,7 @@ curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-cont ---- kubectl apply -f 2048_full.yaml ---- -.. If you're deploying to [.noloc]`Pods` in a cluster that you created with the <>, complete the following steps. +.. If you're deploying to Pods in a cluster that you created with the <>, complete the following steps. + ... Download the manifest. + @@ -197,7 +197,7 @@ curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-cont ---- alb.ingress.kubernetes.io/ip-address-type: dualstack ---- -... If you're load balancing to internal [.noloc]`Pods`, rather than internet facing [.noloc]`Pods`, change the line that says `alb.ingress.kubernetes.io/scheme: [.replaceable]``internet-facing``` to `alb.ingress.kubernetes.io/scheme: internal` +... If you're load balancing to internal Pods, rather than internet facing Pods, change the line that says `alb.ingress.kubernetes.io/scheme: [.replaceable]``internet-facing``` to `alb.ingress.kubernetes.io/scheme: internal` ... Save the file. ... Apply the manifest to your cluster. + @@ -222,7 +222,7 @@ ingress-2048 * k8s-game2048-ingress2-xxxxxxxxxx-yyyyyyyyyy.regi + NOTE: If you created the load balancer in a private subnet, the value under `ADDRESS` in the previous output is prefaced with `internal-`. -If your ingress wasn't successfully created after several minutes, run the following command to view the [.noloc]`{aws} Load Balancer Controller` logs. These logs might contain error messages that you can use to diagnose issues with your deployment. +If your ingress wasn't successfully created after several minutes, run the following command to view the {aws} Load Balancer Controller logs. These logs might contain error messages that you can use to diagnose issues with your deployment. [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/workloads/community-addons.adoc b/latest/ug/workloads/community-addons.adoc index 73b0a19c2..b76475b62 100644 --- a/latest/ug/workloads/community-addons.adoc +++ b/latest/ug/workloads/community-addons.adoc @@ -55,7 +55,7 @@ You install or update community add-ons in the same way as other Amazon EKS Add- The following community add-ons are availalbe from Amazon EKS. -=== [.noloc]`Kubernetes Metrics Server` +=== Kubernetes Metrics Server The Kubernetes Metrics Server is a scalable and efficient source of container resource metrics for Kubernetes built-in autoscaling pipelines. It collects resource metrics from Kubelets and exposes them in Kubernetes apiserver through Metrics API for use by Horizontal Pod Autoscaler and Vertical Pod Autoscaler. diff --git a/latest/ug/workloads/copy-image-to-repository.adoc b/latest/ug/workloads/copy-image-to-repository.adoc index 4073d8b96..33481a18b 100644 --- a/latest/ug/workloads/copy-image-to-repository.adoc +++ b/latest/ug/workloads/copy-image-to-repository.adoc @@ -9,8 +9,8 @@ This topic describes how to pull a container image from a repository that your n -* The [.noloc]`Docker` engine installed and configured on your computer. For instructions, see https://docs.docker.com/engine/install/[Install Docker Engine] in the [.noloc]`Docker` documentation. -* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. +* The Docker engine installed and configured on your computer. For instructions, see https://docs.docker.com/engine/install/[Install Docker Engine] in the Docker documentation. +* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or Homebrew for macOS are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. * An interface VPC endpoint for Amazon ECR if you want your nodes to pull container images from or push container images to a private Amazon ECR repository over Amazon's network. For more information, see link:AmazonECR/latest/userguide/vpc-endpoints.html#ecr-setting-up-vpc-create[Create the VPC endpoints for Amazon ECR,type="documentation"] in the Amazon Elastic Container Registry User Guide. Complete the following steps to pull a container image from a repository and push it to your own repository. In the following examples that are provided in this topic, the image for the https://github.com/aws/amazon-vpc-cni-k8s/blob/master/cmd/cni-metrics-helper/README.md[Amazon VPC CNI plugin for Kubernetes metrics helper] is pulled. When you follow these steps, make sure to replace the [.replaceable]`example values` with your own values. @@ -36,7 +36,7 @@ image: "602401143452.dkr.ecr.us-west-2.amazonaws.com/cni-metrics-helper:v1.12.6" + You may see the following variations for an image location: + -** Only `repository-name:tag`. In this case, `docker.io` is usually the registry, but not specified since [.noloc]`Kubernetes` prepends it to a repository name by default if no registry is specified. +** Only `repository-name:tag`. In this case, `docker.io` is usually the registry, but not specified since Kubernetes prepends it to a repository name by default if no registry is specified. ** `repository-name/repository-namespace/repository:tag`. A repository namespace is optional, but is sometimes specified by the repository owner for categorizing images. For example, all https://gallery.ecr.aws/aws-ec2/[Amazon EC2 images in the Amazon ECR Public Gallery] use the `aws-ec2` namespace. + Before installing an image with Helm, view the Helm `values.yaml` file to determine the image location. For example, the https://github.com/aws/amazon-vpc-cni-k8s/blob/master/charts/cni-metrics-helper/values.yaml#L5-L9[values.yaml] file for the https://github.com/aws/amazon-vpc-cni-k8s/blob/master/cmd/cni-metrics-helper/README.md[Amazon VPC CNI plugin for Kubernetes metrics helper] includes the following lines. diff --git a/latest/ug/workloads/creating-an-add-on.adoc b/latest/ug/workloads/creating-an-add-on.adoc index bac15f8d5..92e0ef867 100644 --- a/latest/ug/workloads/creating-an-add-on.adoc +++ b/latest/ug/workloads/creating-an-add-on.adoc @@ -102,7 +102,7 @@ You can learn more about the add-on in the {aws} Marketplace with the returned U ** Replace [.replaceable]`my-cluster` with the name of your cluster. ** Replace [.replaceable]`name-of-addon` with the name of the add-on that you want to create. ** If you want a version of the add-on that's earlier than the latest version, then replace [.replaceable]`latest` with the version number returned in the output of a previous step that you want to use. -** If the add-on uses a service account role, replace [.replaceable]`111122223333` with your account ID and replace [.replaceable]`role-name` with the name of the role. For instructions on creating a role for your service account, see the documentation for the add-on that you're creating. For a list of add-ons, see <>. Specifying a service account role requires that you have an IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you have one for your cluster, or to create one, see <>. +** If the add-on uses a service account role, replace [.replaceable]`111122223333` with your account ID and replace [.replaceable]`role-name` with the name of the role. For instructions on creating a role for your service account, see the documentation for the add-on that you're creating. For a list of add-ons, see <>. Specifying a service account role requires that you have an IAM OpenID Connect (OIDC) provider for your cluster. To determine whether you have one for your cluster, or to create one, see <>. + If the add-on doesn't use a service account role, delete `--service-account-role-arn{arn-aws}iam::111122223333:role/role-name`. ** This example command overwrites the configuration of any existing self-managed version of the add-on, if there is one. If you don't want to overwrite the configuration of an existing self-managed add-on, remove the [.replaceable]`--force` option. If you remove the option, and the Amazon EKS add-on needs to overwrite the configuration of an existing self-managed add-on, then creation of the Amazon EKS add-on fails with an error message to help you resolve the conflict. Before specifying this option, make sure that the Amazon EKS add-on doesn't manage settings that you need to manage, because those settings are overwritten with this option. @@ -149,7 +149,7 @@ If the *{aws} Marketplace add-ons* that you want to install aren't listed, you c NOTE: Retaining the default role name enables EKS to pre-select the role for add-ons in new clusters or when adding add-ons to existing clusters. You can still override this name and the role will be available for the add-on across your clusters, but the role will need to be manually selected from the drop down. -... For add-ons that do not have *Requires subscription* under *Status* and where you want to configure roles using IRSA, see the documentation for the add-on that you're creating to create an IAM policy and attach it to a role. For a list of add-ons, see <>. Selecting an IAM role requires that you have an IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you have one for your cluster, or to create one, see <>. +... For add-ons that do not have *Requires subscription* under *Status* and where you want to configure roles using IRSA, see the documentation for the add-on that you're creating to create an IAM policy and attach it to a role. For a list of add-ons, see <>. Selecting an IAM role requires that you have an IAM OpenID Connect (OIDC) provider for your cluster. To determine whether you have one for your cluster, or to create one, see <>. ... Choose *Optional configuration settings*. ... If the add-on requires configuration, enter it in the *Configuration values* box. To determine whether the add-on requires configuration information, see the documentation for the add-on that you're creating. For a list of add-ons, see <>. ... Choose one of the available options for *Conflict resolution method*. If you choose *Override* for the *Conflict resolution method*, one or more of the settings for the existing add-on can be overwritten with the Amazon EKS add-on settings. If you don't enable this option and there's a conflict with your existing settings, the operation fails. You can use the resulting error message to troubleshoot the conflict. Before choosing this option, make sure that the Amazon EKS add-on doesn't manage settings that you need to self-manage. @@ -165,7 +165,7 @@ Retaining the default role name enables EKS to pre-select the role for add-ons i == Create add-on ({aws} CLI) -. You need version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. +. You need version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or Homebrew for macOS are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. + . Determine which add-ons are available. You can see all available add-ons, their type, and their publisher. You can also see the URL for add-ons that are available through the {aws} Marketplace. Replace [.replaceable]`{k8s-n}` with the version of your cluster. + @@ -282,7 +282,7 @@ Here is an example of valid configuration values, in YAML format, that works wit ---- --pod-identity-associations 'serviceAccount=,roleArn=' ---- -*** If the add-on (1) requires IAM permissions, and (2) your cluster uses IRSA, replace [.replaceable]`` with the following IRSA configuration. Replace [.replaceable]`111122223333` with your account ID and [.replaceable]`role-name` with the name of an existing IAM role that you've created. For instructions on creating the role, see the documentation for the add-on that you're creating. For a list of add-ons, see <>. Specifying a service account role requires that you have an IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you have one for your cluster, or to create one, see <>. +*** If the add-on (1) requires IAM permissions, and (2) your cluster uses IRSA, replace [.replaceable]`` with the following IRSA configuration. Replace [.replaceable]`111122223333` with your account ID and [.replaceable]`role-name` with the name of an existing IAM role that you've created. For instructions on creating the role, see the documentation for the add-on that you're creating. For a list of add-ons, see <>. Specifying a service account role requires that you have an IAM OpenID Connect (OIDC) provider for your cluster. To determine whether you have one for your cluster, or to create one, see <>. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/workloads/eks-add-ons.adoc b/latest/ug/workloads/eks-add-ons.adoc index b91849fa6..d943b46ac 100644 --- a/latest/ug/workloads/eks-add-ons.adoc +++ b/latest/ug/workloads/eks-add-ons.adoc @@ -11,11 +11,11 @@ include::../attributes.txt[] Learn how to manage operational software add-ons on Amazon EKS clusters with Amazon EKS add-ons for observability, networking, storage, and security from {aws} and third-party vendors. -- -An add-on is software that provides supporting operational capabilities to [.noloc]`Kubernetes` applications, but is not specific to the application. This includes software like observability agents or [.noloc]`Kubernetes` drivers that allow the cluster to interact with underlying {aws} resources for networking, compute, and storage. Add-on software is typically built and maintained by the [.noloc]`Kubernetes` community, cloud providers like {aws}, or third-party vendors. Amazon EKS automatically installs self-managed add-ons such as the [.noloc]`Amazon VPC CNI plugin for Kubernetes`, `kube-proxy`, and [.noloc]`CoreDNS` for every cluster. Note that the VPC CNI add-on isn't compatible with Amazon EKS Hybrid Nodes and doesn't deploy to hybrid nodes. You can change the default configuration of the add-ons and update them when desired. +An add-on is software that provides supporting operational capabilities to Kubernetes applications, but is not specific to the application. This includes software like observability agents or Kubernetes drivers that allow the cluster to interact with underlying {aws} resources for networking, compute, and storage. Add-on software is typically built and maintained by the Kubernetes community, cloud providers like {aws}, or third-party vendors. Amazon EKS automatically installs self-managed add-ons such as the Amazon VPC CNI plugin for Kubernetes, `kube-proxy`, and CoreDNS for every cluster. Note that the VPC CNI add-on isn't compatible with Amazon EKS Hybrid Nodes and doesn't deploy to hybrid nodes. You can change the default configuration of the add-ons and update them when desired. Amazon EKS add-ons provide installation and management of a curated set of add-ons for Amazon EKS clusters. All Amazon EKS add-ons include the latest security patches, bug fixes, and are validated by {aws} to work with Amazon EKS. Amazon EKS add-ons allow you to consistently ensure that your Amazon EKS clusters are secure and stable and reduce the amount of work that you need to do in order to install, configure, and update add-ons. If a self-managed add-on, such as `kube-proxy` is already running on your cluster and is available as an Amazon EKS add-on, then you can install the `kube-proxy` Amazon EKS add-on to start benefiting from the capabilities of Amazon EKS add-ons. -You can update specific Amazon EKS managed configuration fields for Amazon EKS add-ons through the Amazon EKS API. You can also modify configuration fields not managed by Amazon EKS directly within the [.noloc]`Kubernetes` cluster once the add-on starts. This includes defining specific configuration fields for an add-on where applicable. These changes are not overridden by Amazon EKS once they are made. This is made possible using the [.noloc]`Kubernetes` server-side apply feature. For more information, see <>. +You can update specific Amazon EKS managed configuration fields for Amazon EKS add-ons through the Amazon EKS API. You can also modify configuration fields not managed by Amazon EKS directly within the Kubernetes cluster once the add-on starts. This includes defining specific configuration fields for an add-on where applicable. These changes are not overridden by Amazon EKS once they are made. This is made possible using the Kubernetes server-side apply feature. For more information, see <>. You can use Amazon EKS add-ons with any Amazon EKS node type. For more information, see <>. @@ -31,8 +31,8 @@ Consider the following when you use Amazon EKS add-ons: * To configure add-ons for the cluster your link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principal,type="documentation"] must have IAM permissions to work with add-ons. For more information, see the actions with `Addon` in their name in link:service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions[Actions defined by Amazon Elastic Kubernetes Service,type="documentation"]. * Amazon EKS add-ons run on the nodes that you provision or configure for your cluster. Node types include Amazon EC2 instances, Fargate, and hybrid nodes. * You can modify fields that aren't managed by Amazon EKS to customize the installation of an Amazon EKS add-on. For more information, see <>. -* If you create a cluster with the {aws-management-console}, the Amazon EKS `kube-proxy`, [.noloc]`Amazon VPC CNI plugin for Kubernetes`, and [.noloc]`CoreDNS` Amazon EKS add-ons are automatically added to your cluster. If you use `eksctl` to create your cluster with a `config` file, `eksctl` can also create the cluster with Amazon EKS add-ons. If you create your cluster using `eksctl` without a `config` file or with any other tool, the self-managed `kube-proxy`, [.noloc]`Amazon VPC CNI plugin for Kubernetes`, and [.noloc]`CoreDNS` add-ons are installed, rather than the Amazon EKS add-ons. You can either manage them yourself or add the Amazon EKS add-ons manually after cluster creation. Regardless of the method that you use to create your cluster, the VPC CNI add-on doesn't install on hybrid nodes. -* The `eks:addon-cluster-admin` `ClusterRoleBinding` binds the `cluster-admin` `ClusterRole` to the `eks:addon-manager` [.noloc]`Kubernetes` identity. The role has the necessary permissions for the `eks:addon-manager` identity to create [.noloc]`Kubernetes` namespaces and install add-ons into namespaces. If the `eks:addon-cluster-admin` `ClusterRoleBinding` is removed, the Amazon EKS cluster will continue to function, however Amazon EKS is no longer able to manage any add-ons. All clusters starting with the following platform versions use the new `ClusterRoleBinding`. +* If you create a cluster with the {aws-management-console}, the Amazon EKS `kube-proxy`, Amazon VPC CNI plugin for Kubernetes, and CoreDNS Amazon EKS add-ons are automatically added to your cluster. If you use `eksctl` to create your cluster with a `config` file, `eksctl` can also create the cluster with Amazon EKS add-ons. If you create your cluster using `eksctl` without a `config` file or with any other tool, the self-managed `kube-proxy`, Amazon VPC CNI plugin for Kubernetes, and CoreDNS add-ons are installed, rather than the Amazon EKS add-ons. You can either manage them yourself or add the Amazon EKS add-ons manually after cluster creation. Regardless of the method that you use to create your cluster, the VPC CNI add-on doesn't install on hybrid nodes. +* The `eks:addon-cluster-admin` `ClusterRoleBinding` binds the `cluster-admin` `ClusterRole` to the `eks:addon-manager` Kubernetes identity. The role has the necessary permissions for the `eks:addon-manager` identity to create Kubernetes namespaces and install add-ons into namespaces. If the `eks:addon-cluster-admin` `ClusterRoleBinding` is removed, the Amazon EKS cluster will continue to function, however Amazon EKS is no longer able to manage any add-ons. All clusters starting with the following platform versions use the new `ClusterRoleBinding`. * A subset of EKS add-ons from {aws} have been validated for compatibility with Amazon EKS Hybrid Nodes. For more information, see the compatibility table on <>. === Required platform version diff --git a/latest/ug/workloads/eks-workloads.adoc b/latest/ug/workloads/eks-workloads.adoc index e6c211b10..9dcc9c040 100644 --- a/latest/ug/workloads/eks-workloads.adoc +++ b/latest/ug/workloads/eks-workloads.adoc @@ -12,16 +12,16 @@ include::../attributes.txt[] -Your workloads are deployed in containers, which are deployed in [.noloc]`Pods` in [.noloc]`Kubernetes`. A [.noloc]`Pod` includes one or more containers. Typically, one or more [.noloc]`Pods` that provide the same service are deployed in a [.noloc]`Kubernetes` service. Once you've deployed multiple [.noloc]`Pods` that provide the same service, you can: +Your workloads are deployed in containers, which are deployed in Pods in Kubernetes. A Pod includes one or more containers. Typically, one or more Pods that provide the same service are deployed in a Kubernetes service. Once you've deployed multiple Pods that provide the same service, you can: * <> running on each of your clusters using the {aws-management-console}. -* Vertically scale [.noloc]`Pods` up or down with the [.noloc]`Kubernetes` <>. -* Horizontally scale the number of [.noloc]`Pods` needed to meet demand up or down with the [.noloc]`Kubernetes` <>. -* Create an external (for internet-accessible [.noloc]`Pods`) or an internal (for private [.noloc]`Pods`) <> to balance network traffic across [.noloc]`Pods`. The load balancer routes traffic at Layer 4 of the OSI model. -* Create an <> to balance application traffic across [.noloc]`Pods`. The application load balancer routes traffic at Layer 7 of the OSI model. -* If you're new to [.noloc]`Kubernetes`, this topic helps you <>. +* Vertically scale Pods up or down with the Kubernetes <>. +* Horizontally scale the number of Pods needed to meet demand up or down with the Kubernetes <>. +* Create an external (for internet-accessible Pods) or an internal (for private Pods) <> to balance network traffic across Pods. The load balancer routes traffic at Layer 4 of the OSI model. +* Create an <> to balance application traffic across Pods. The application load balancer routes traffic at Layer 7 of the OSI model. +* If you're new to Kubernetes, this topic helps you <>. * You can <> with `externalIPs`. diff --git a/latest/ug/workloads/horizontal-pod-autoscaler.adoc b/latest/ug/workloads/horizontal-pod-autoscaler.adoc index c6769e013..6904048ba 100644 --- a/latest/ug/workloads/horizontal-pod-autoscaler.adoc +++ b/latest/ug/workloads/horizontal-pod-autoscaler.adoc @@ -1,6 +1,6 @@ [.topic] [#horizontal-pod-autoscaler] -= Scale pod deployments with [.noloc]`Horizontal Pod Autoscaler` += Scale pod deployments with Horizontal Pod Autoscaler :info_titleabbrev: Horizontal Pod Autoscaler include::../attributes.txt[] @@ -10,21 +10,21 @@ include::../attributes.txt[] Learn how to use the Kubernetes Horizontal Pod Autoscaler to automatically scale your Amazon EKS deployments based on CPU utilization for efficient resource management. -- -The [.noloc]`Kubernetes` https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/[Horizontal Pod Autoscaler] automatically scales the number of [.noloc]`Pods` in a deployment, replication controller, or replica set based on that resource's CPU utilization. This can help your applications scale out to meet increased demand or scale in when resources are not needed, thus freeing up your nodes for other applications. When you set a target CPU utilization percentage, the Horizontal Pod Autoscaler scales your application in or out to try to meet that target. +The Kubernetes https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/[Horizontal Pod Autoscaler] automatically scales the number of Pods in a deployment, replication controller, or replica set based on that resource's CPU utilization. This can help your applications scale out to meet increased demand or scale in when resources are not needed, thus freeing up your nodes for other applications. When you set a target CPU utilization percentage, the Horizontal Pod Autoscaler scales your application in or out to try to meet that target. -The [.noloc]`Horizontal Pod Autoscaler` is a standard API resource in [.noloc]`Kubernetes` that simply requires that a metrics source (such as the [.noloc]`Kubernetes` metrics server) is installed on your Amazon EKS cluster to work. You do not need to deploy or install the [.noloc]`Horizontal Pod Autoscaler` on your cluster to begin scaling your applications. For more information, see https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/[Horizontal Pod Autoscaler] in the [.noloc]`Kubernetes` documentation. +The Horizontal Pod Autoscaler is a standard API resource in Kubernetes that simply requires that a metrics source (such as the Kubernetes metrics server) is installed on your Amazon EKS cluster to work. You do not need to deploy or install the Horizontal Pod Autoscaler on your cluster to begin scaling your applications. For more information, see https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/[Horizontal Pod Autoscaler] in the Kubernetes documentation. -Use this topic to prepare the [.noloc]`Horizontal Pod Autoscaler` for your Amazon EKS cluster and to verify that it is working with a sample application. +Use this topic to prepare the Horizontal Pod Autoscaler for your Amazon EKS cluster and to verify that it is working with a sample application. [NOTE] ==== -This topic is based on the https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/[Horizontal Pod autoscaler walkthrough] in the [.noloc]`Kubernetes` documentation. +This topic is based on the https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/[Horizontal Pod autoscaler walkthrough] in the Kubernetes documentation. ==== * You have an existing Amazon EKS cluster. If you don't, see <>. -* You have the [.noloc]`Kubernetes` Metrics Server installed. For more information, see <>. +* You have the Kubernetes Metrics Server installed. For more information, see <>. * You are using a `kubectl` client that is <>. @@ -36,7 +36,7 @@ In this section, you deploy a sample application to verify that the Horizontal P [NOTE] ==== -This example is based on the https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/[Horizontal Pod autoscaler walkthrough] in the [.noloc]`Kubernetes` documentation. +This example is based on the https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/[Horizontal Pod autoscaler walkthrough] in the Kubernetes documentation. ==== . Deploy a simple Apache web server application with the following command. @@ -46,7 +46,7 @@ This example is based on the https://kubernetes.io/docs/tasks/run-application/ho kubectl apply -f https://k8s.io/examples/application/php-apache.yaml ---- + -This Apache web server [.noloc]`Pod` is given a 500 millicpu CPU limit and it is serving on port 80. +This Apache web server Pod is given a 500 millicpu CPU limit and it is serving on port 80. . Create a Horizontal Pod Autoscaler resource for the `php-apache` deployment. + [source,bash,subs="verbatim,attributes"] @@ -54,7 +54,7 @@ This Apache web server [.noloc]`Pod` is given a 500 millicpu CPU limit and it is kubectl autoscale deployment php-apache --cpu-percent=50 --min=1 --max=10 ---- + -This command creates an autoscaler that targets 50 percent CPU utilization for the deployment, with a minimum of one [.noloc]`Pod` and a maximum of ten [.noloc]`Pods`. When the average CPU load is lower than 50 percent, the autoscaler tries to reduce the number of [.noloc]`Pods` in the deployment, to a minimum of one. When the load is greater than 50 percent, the autoscaler tries to increase the number of [.noloc]`Pods` in the deployment, up to a maximum of ten. For more information, see https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#how-does-a-horizontalpodautoscaler-work[How does a HorizontalPodAutoscaler work?] in the [.noloc]`Kubernetes` documentation. +This command creates an autoscaler that targets 50 percent CPU utilization for the deployment, with a minimum of one Pod and a maximum of ten Pods. When the average CPU load is lower than 50 percent, the autoscaler tries to reduce the number of Pods in the deployment, to a minimum of one. When the load is greater than 50 percent, the autoscaler tries to increase the number of Pods in the deployment, up to a maximum of ten. For more information, see https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#how-does-a-horizontalpodautoscaler-work[How does a HorizontalPodAutoscaler work?] in the Kubernetes documentation. . Describe the autoscaler with the following command to view its details. + [source,bash,subs="verbatim,attributes"] @@ -70,7 +70,7 @@ NAME REFERENCE TARGETS MINPODS MAXPODS REPLICAS AG php-apache Deployment/php-apache 0%/50% 1 10 1 51s ---- + -As you can see, the current CPU load is `0%`, because there's no load on the server yet. The [.noloc]`Pod` count is already at its lowest boundary (one), so it cannot scale in. +As you can see, the current CPU load is `0%`, because there's no load on the server yet. The Pod count is already at its lowest boundary (one), so it cannot scale in. . [[hpa-create-load]]Create a load for the web server by running a container. + [source,bash,subs="verbatim,attributes"] @@ -114,7 +114,7 @@ NAME REFERENCE TARGETS MINPODS MAXPODS REPLICAS AG php-apache Deployment/php-apache 0%/50% 1 10 1 25m ---- + -NOTE: The default timeframe for scaling back down is five minutes, so it will take some time before you see the replica count reach 1 again, even when the current CPU percentage is 0 percent. The timeframe is modifiable. For more information, see https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/[Horizontal Pod Autoscaler] in the [.noloc]`Kubernetes` documentation. +NOTE: The default timeframe for scaling back down is five minutes, so it will take some time before you see the replica count reach 1 again, even when the current CPU percentage is 0 percent. The timeframe is modifiable. For more information, see https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/[Horizontal Pod Autoscaler] in the Kubernetes documentation. . When you are done experimenting with your sample application, delete the `php-apache` resources. + [source,bash,subs="verbatim,attributes"] diff --git a/latest/ug/workloads/image-verification.adoc b/latest/ug/workloads/image-verification.adoc index afd92d8be..2a3b11453 100644 --- a/latest/ug/workloads/image-verification.adoc +++ b/latest/ug/workloads/image-verification.adoc @@ -15,7 +15,7 @@ If you use link:signer/latest/developerguide/Welcome.html[{aws} Signer,type="doc * https://ratify.dev/docs/1.0/quickstarts/ratify-on-aws[Gatekeeper and Ratify] – Use Gatekeeper as the admission controller and Ratify configured with an {aws} Signer plugin as a web hook for validating signatures. -* https://github.com/nirmata/kyverno-notation-aws[Kyverno] – A [.noloc]`Kubernetes` policy engine configured with an {aws} Signer plugin for validating signatures. +* https://github.com/nirmata/kyverno-notation-aws[Kyverno] – A Kubernetes policy engine configured with an {aws} Signer plugin for validating signatures. [NOTE] diff --git a/latest/ug/workloads/kubernetes-field-management.adoc b/latest/ug/workloads/kubernetes-field-management.adoc index 2d18d2f7e..01a353ba8 100644 --- a/latest/ug/workloads/kubernetes-field-management.adoc +++ b/latest/ug/workloads/kubernetes-field-management.adoc @@ -12,7 +12,7 @@ Learn how to manage Amazon EKS add-on configurations using Kubernetes field mana Amazon EKS add-ons are installed to your cluster using standard, best practice configurations. For more information about adding an Amazon EKS add-on to your cluster, see <>. -You may want to customize the configuration of an Amazon EKS add-on to enable advanced features. Amazon EKS uses the [.noloc]`Kubernetes` server-side apply feature to enable management of an add-on by Amazon EKS without overwriting your configuration for settings that aren't managed by Amazon EKS. For more information, see https://kubernetes.io/docs/reference/using-api/server-side-apply/[Server-Side Apply] in the [.noloc]`Kubernetes` documentation. To achieve this, Amazon EKS manages a minimum set of fields for every add-on that it installs. You can modify all fields that aren't managed by Amazon EKS, or another [.noloc]`Kubernetes` control plane process such as `kube-controller-manager`, without issue. +You may want to customize the configuration of an Amazon EKS add-on to enable advanced features. Amazon EKS uses the Kubernetes server-side apply feature to enable management of an add-on by Amazon EKS without overwriting your configuration for settings that aren't managed by Amazon EKS. For more information, see https://kubernetes.io/docs/reference/using-api/server-side-apply/[Server-Side Apply] in the Kubernetes documentation. To achieve this, Amazon EKS manages a minimum set of fields for every add-on that it installs. You can modify all fields that aren't managed by Amazon EKS, or another Kubernetes control plane process such as `kube-controller-manager`, without issue. [IMPORTANT] ==== @@ -24,7 +24,7 @@ Modifying a field managed by Amazon EKS prevents Amazon EKS from managing the ad [#add-on-config-management-understanding-field-management] == Field management syntax -When you view details for a [.noloc]`Kubernetes` object, both managed and unmanaged fields are returned in the output. Managed fields can be either of the following types: +When you view details for a Kubernetes object, both managed and unmanaged fields are returned in the output. Managed fields can be either of the following types: @@ -44,7 +44,7 @@ Each key is either a `.` representing the field itself, which always maps to an * `v:[.replaceable]``value```, where [.replaceable]`value` is the exact JSON formatted value of a list item. * `i:[.replaceable]``index```, where [.replaceable]`index` is position of an item in the list. -The following portions of output for the [.noloc]`CoreDNS` add-on illustrate the previous declarations: +The following portions of output for the CoreDNS add-on illustrate the previous declarations: @@ -111,9 +111,9 @@ manager: eks You can use `kubectl` to see which fields are managed by Amazon EKS for any Amazon EKS add-on. -You can modify all fields that aren't managed by Amazon EKS, or another [.noloc]`Kubernetes` control plane process such as `kube-controller-manager`, without issue. +You can modify all fields that aren't managed by Amazon EKS, or another Kubernetes control plane process such as `kube-controller-manager`, without issue. -. Determine which add-on that you want to examine. To see all of the `deployments` and [.noloc]`DaemonSets` deployed to your cluster, see <>. +. Determine which add-on that you want to examine. To see all of the `deployments` and DaemonSets deployed to your cluster, see <>. . View the managed fields for an add-on by running the following command: + [source,bash,subs="verbatim,attributes"] @@ -121,7 +121,7 @@ You can modify all fields that aren't managed by Amazon EKS, or another [.noloc] kubectl get type/add-on-name -n add-on-namespace -o yaml ---- + -For example, you can see the managed fields for the [.noloc]`CoreDNS` add-on with the following command. +For example, you can see the managed fields for the CoreDNS add-on with the following command. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/workloads/network-load-balancing.adoc b/latest/ug/workloads/network-load-balancing.adoc index ba9fc2286..8ec3c2f7d 100644 --- a/latest/ug/workloads/network-load-balancing.adoc +++ b/latest/ug/workloads/network-load-balancing.adoc @@ -1,6 +1,6 @@ [.topic] [#network-load-balancing] -= Route [.noloc]`TCP` and [.noloc]`UDP` traffic with [.noloc]`Network Load Balancers` += Route TCP and UDP traffic with Network Load Balancers :info_titleabbrev: Network load balancing include::../attributes.txt[] @@ -19,52 +19,52 @@ Use the {aws} Load Balancer Controller to create network load balancers for Amaz ==== -Network traffic is load balanced at `L4` of the OSI model. To load balance application traffic at `L7`, you deploy a [.noloc]`Kubernetes` `ingress`, which provisions an {aws} Application Load Balancer. For more information, see <>. To learn more about the differences between the two types of load balancing, see link:elasticloadbalancing/features/[Elastic Load Balancing features,type="marketing"] on the {aws} website. +Network traffic is load balanced at `L4` of the OSI model. To load balance application traffic at `L7`, you deploy a Kubernetes `ingress`, which provisions an {aws} Application Load Balancer. For more information, see <>. To learn more about the differences between the two types of load balancing, see link:elasticloadbalancing/features/[Elastic Load Balancing features,type="marketing"] on the {aws} website. -When you create a [.noloc]`Kubernetes` `Service` of type `LoadBalancer`, the {aws} cloud provider load balancer controller creates {aws} link:elasticloadbalancing/latest/classic/introduction.html[Classic Load Balancers,type="documentation"] by default, but can also create {aws} link:elasticloadbalancing/latest/network/introduction.html[Network Load Balancers,type="documentation"]. This controller is only receiving critical bug fixes in the future. For more information about using the {aws} cloud provider load balancer , see https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer[{aws} cloud provider load balancer controller] in the [.noloc]`Kubernetes` documentation. Its use is not covered in this topic. +When you create a Kubernetes `Service` of type `LoadBalancer`, the {aws} cloud provider load balancer controller creates {aws} link:elasticloadbalancing/latest/classic/introduction.html[Classic Load Balancers,type="documentation"] by default, but can also create {aws} link:elasticloadbalancing/latest/network/introduction.html[Network Load Balancers,type="documentation"]. This controller is only receiving critical bug fixes in the future. For more information about using the {aws} cloud provider load balancer , see https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer[{aws} cloud provider load balancer controller] in the Kubernetes documentation. Its use is not covered in this topic. -We recommend that you use version `2.7.2` or later of the <> instead of the {aws} cloud provider load balancer controller. The [.noloc]`{aws} Load Balancer Controller` creates {aws} Network Load Balancers, but doesn't create {aws} Classic Load Balancers. The remainder of this topic is about using the {aws} Load Balancer Controller. +We recommend that you use version `2.7.2` or later of the <> instead of the {aws} cloud provider load balancer controller. The {aws} Load Balancer Controller creates {aws} Network Load Balancers, but doesn't create {aws} Classic Load Balancers. The remainder of this topic is about using the {aws} Load Balancer Controller. -An {aws} Network Load Balancer can load balance network traffic to [.noloc]`Pods` deployed to Amazon EC2 IP and instance link:elasticloadbalancing/latest/network/load-balancer-target-groups.html#target-type[targets,type="documentation"], to {aws} Fargate IP targets, or to Amazon EKS Hybrid Nodes as IP targets. For more information, see https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/targetgroupbinding/targetgroupbinding/#targettype[{aws} Load Balancer Controller] on [.noloc]`GitHub`. +An {aws} Network Load Balancer can load balance network traffic to Pods deployed to Amazon EC2 IP and instance link:elasticloadbalancing/latest/network/load-balancer-target-groups.html#target-type[targets,type="documentation"], to {aws} Fargate IP targets, or to Amazon EKS Hybrid Nodes as IP targets. For more information, see https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/targetgroupbinding/targetgroupbinding/#targettype[{aws} Load Balancer Controller] on GitHub. == Prerequisites -Before you can load balance network traffic using the [.noloc]`{aws} Load Balancer Controller`, you must meet the following requirements. +Before you can load balance network traffic using the {aws} Load Balancer Controller, you must meet the following requirements. * Have an existing cluster. If you don't have an existing cluster, see <>. If you need to update the version of an existing cluster, see <>. -* Have the [.noloc]`{aws} Load Balancer Controller` deployed on your cluster. For more information, see <>. We recommend version `2.7.2` or later. +* Have the {aws} Load Balancer Controller deployed on your cluster. For more information, see <>. We recommend version `2.7.2` or later. * At least one subnet. If multiple tagged subnets are found in an Availability Zone, the controller chooses the first subnet whose subnet ID comes first lexicographically. The subnet must have at least eight available IP addresses. -* If you're using the [.noloc]`{aws} Load Balancer Controller` version `2.1.1` or earlier, subnets must be tagged as follows. If using version `2.1.2` or later, this tag is optional. You might want to tag a subnet if you have multiple clusters running in the same VPC, or multiple {aws} services sharing subnets in a VPC, and want more control over where load balancers are provisioned for each cluster. If you explicitly specify subnet IDs as an annotation on a service object, then [.noloc]`Kubernetes` and the [.noloc]`{aws} Load Balancer Controller` use those subnets directly to create the load balancer. Subnet tagging isn't required if you choose to use this method for provisioning load balancers and you can skip the following private and public subnet tagging requirements. Replace [.replaceable]`my-cluster` with your cluster name. +* If you're using the {aws} Load Balancer Controller version `2.1.1` or earlier, subnets must be tagged as follows. If using version `2.1.2` or later, this tag is optional. You might want to tag a subnet if you have multiple clusters running in the same VPC, or multiple {aws} services sharing subnets in a VPC, and want more control over where load balancers are provisioned for each cluster. If you explicitly specify subnet IDs as an annotation on a service object, then Kubernetes and the {aws} Load Balancer Controller use those subnets directly to create the load balancer. Subnet tagging isn't required if you choose to use this method for provisioning load balancers and you can skip the following private and public subnet tagging requirements. Replace [.replaceable]`my-cluster` with your cluster name. + ** *Key* – `kubernetes.io/cluster/` ** *Value* – `shared` or `owned` -* Your public and private subnets must meet the following requirements, unless you explicitly specify subnet IDs as an annotation on a service or ingress object. If you provision load balancers by explicitly specifying subnet IDs as an annotation on a service or ingress object, then [.noloc]`Kubernetes` and the [.noloc]`{aws} Load Balancer Controller` use those subnets directly to create the load balancer and the following tags aren't required. +* Your public and private subnets must meet the following requirements, unless you explicitly specify subnet IDs as an annotation on a service or ingress object. If you provision load balancers by explicitly specifying subnet IDs as an annotation on a service or ingress object, then Kubernetes and the {aws} Load Balancer Controller use those subnets directly to create the load balancer and the following tags aren't required. + ** *Private subnets* - – Must be tagged in the following format. This is so that [.noloc]`Kubernetes` and the {aws} Load Balancer Controller know that the subnets can be used for internal load balancers. If you use `eksctl` or an Amazon EKS {aws} {aws} CloudFormation template to create your VPC after March 26, 2020, then the subnets are tagged appropriately when they're created. For more information about the Amazon EKS {aws} {aws} CloudFormation VPC templates, see <>. + – Must be tagged in the following format. This is so that Kubernetes and the {aws} Load Balancer Controller know that the subnets can be used for internal load balancers. If you use `eksctl` or an Amazon EKS {aws} {aws} CloudFormation template to create your VPC after March 26, 2020, then the subnets are tagged appropriately when they're created. For more information about the Amazon EKS {aws} {aws} CloudFormation VPC templates, see <>. + *** *Key* – `kubernetes.io/role/internal-elb` *** *Value* – `1` ** *Public subnets* - – Must be tagged in the following format. This is so that [.noloc]`Kubernetes` knows to use only those subnets for external load balancers instead of choosing a public subnet in each Availability Zone (based on the lexicographical order of the subnet IDs). If you use `eksctl` or an Amazon EKS {aws} CloudFormation template to create your VPC after March 26, 2020, then the subnets are tagged appropriately when they're created. For more information about the Amazon EKS {aws} CloudFormation VPC templates, see <>. + – Must be tagged in the following format. This is so that Kubernetes knows to use only those subnets for external load balancers instead of choosing a public subnet in each Availability Zone (based on the lexicographical order of the subnet IDs). If you use `eksctl` or an Amazon EKS {aws} CloudFormation template to create your VPC after March 26, 2020, then the subnets are tagged appropriately when they're created. For more information about the Amazon EKS {aws} CloudFormation VPC templates, see <>. + *** *Key* – `kubernetes.io/role/elb` *** *Value* – `1` + -If the subnet role tags aren't explicitly added, the [.noloc]`Kubernetes` service controller examines the route table of your cluster VPC subnets to determine if the subnet is private or public. We recommend that you don't rely on this behavior, and instead explicitly add the private or public role tags. The [.noloc]`{aws} Load Balancer Controller` doesn't examine route tables, and requires the private and public tags to be present for successful auto discovery. +If the subnet role tags aren't explicitly added, the Kubernetes service controller examines the route table of your cluster VPC subnets to determine if the subnet is private or public. We recommend that you don't rely on this behavior, and instead explicitly add the private or public role tags. The {aws} Load Balancer Controller doesn't examine route tables, and requires the private and public tags to be present for successful auto discovery. == Considerations -* The configuration of your load balancer is controlled by annotations that are added to the manifest for your service. Service annotations are different when using the [.noloc]`{aws} Load Balancer Controller` than they are when using the {aws} cloud provider load balancer controller. Make sure to review the https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/[annotations] for the [.noloc]`{aws} Load Balancer Controller` before deploying services. -* When using the <>, the [.noloc]`{aws} Load Balancer Controller` can load balance to Amazon EC2 IP or instance targets and Fargate IP targets. When using <>, the controller can only load balance to instance targets, unless you are load balancing to Amazon EKS Hybrid Nodes. For hybrid nodes, the controller can load balance IP targets. For more information about Network Load Balancer target types, see link:elasticloadbalancing/latest/network/load-balancer-target-groups.html#target-type[Target type,type="documentation"] in the User Guide for Network Load Balancers -* If you want to add tags to the load balancer when or after it's created, add the following annotation in your service specification. For more information, see https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/#aws-resource-tags[{aws} Resource Tags] in the [.noloc]`{aws} Load Balancer Controller` documentation. +* The configuration of your load balancer is controlled by annotations that are added to the manifest for your service. Service annotations are different when using the {aws} Load Balancer Controller than they are when using the {aws} cloud provider load balancer controller. Make sure to review the https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/[annotations] for the {aws} Load Balancer Controller before deploying services. +* When using the <>, the {aws} Load Balancer Controller can load balance to Amazon EC2 IP or instance targets and Fargate IP targets. When using <>, the controller can only load balance to instance targets, unless you are load balancing to Amazon EKS Hybrid Nodes. For hybrid nodes, the controller can load balance IP targets. For more information about Network Load Balancer target types, see link:elasticloadbalancing/latest/network/load-balancer-target-groups.html#target-type[Target type,type="documentation"] in the User Guide for Network Load Balancers +* If you want to add tags to the load balancer when or after it's created, add the following annotation in your service specification. For more information, see https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/#aws-resource-tags[{aws} Resource Tags] in the {aws} Load Balancer Controller documentation. + [source,bash,subs="verbatim,attributes"] ---- @@ -79,11 +79,11 @@ service.beta.kubernetes.io/aws-load-balancer-eip-allocations: eipalloc-xxxxxxxxx * Amazon EKS adds one inbound rule to the node's security group for client traffic and one rule for each load balancer subnet in the VPC for health checks for each Network Load Balancer that you create. Deployment of a service of type `LoadBalancer` can fail if Amazon EKS attempts to create rules that exceed the quota for the maximum number of rules allowed for a security group. For more information, see link:vpc/latest/userguide/amazon-vpc-limits.html#vpc-limits-security-groups[Security groups,type="documentation"] in Amazon VPC quotas in the Amazon VPC User Guide. Consider the following options to minimize the chances of exceeding the maximum number of rules for a security group: + ** Request an increase in your rules per security group quota. For more information, see link:servicequotas/latest/userguide/request-quota-increase.html[Requesting a quota increase,type="documentation"] in the Service Quotas User Guide. -** Use IP targets, rather than instance targets. With IP targets, you can share rules for the same target ports. You can manually specify load balancer subnets with an annotation. For more information, see https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/[Annotations] on [.noloc]`GitHub`. +** Use IP targets, rather than instance targets. With IP targets, you can share rules for the same target ports. You can manually specify load balancer subnets with an annotation. For more information, see https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/[Annotations] on GitHub. ** Use an ingress, instead of a service of type `LoadBalancer`, to send traffic to your service. The {aws} Application Load Balancer requires fewer rules than Network Load Balancers. You can share an ALB across multiple ingresses. For more information, see <>. You can't share a Network Load Balancer across multiple services. ** Deploy your clusters to multiple accounts. -* If your [.noloc]`Pods` run on [.noloc]`Windows` in an Amazon EKS cluster, a single service with a load balancer can support up to 1024 back-end [.noloc]`Pods`. Each [.noloc]`Pod` has its own unique IP address. -* We recommend only creating new Network Load Balancers with the [.noloc]`{aws} Load Balancer Controller`. Attempting to replace existing Network Load Balancers created with the {aws} cloud provider load balancer controller can result in multiple Network Load Balancers that might cause application downtime. +* If your Pods run on Windows in an Amazon EKS cluster, a single service with a load balancer can support up to 1024 back-end Pods. Each Pod has its own unique IP address. +* We recommend only creating new Network Load Balancers with the {aws} Load Balancer Controller. Attempting to replace existing Network Load Balancers created with the {aws} cloud provider load balancer controller can result in multiple Network Load Balancers that might cause application downtime. [#network-load-balancer] @@ -93,9 +93,9 @@ You can create a network load balancer with IP or instance targets. === Create network load balancer -- IP Targets -* You can use IP targets with [.noloc]`Pods` deployed to Amazon EC2 nodes, Fargate, or Amazon EKS Hybrid Nodes. Your [.noloc]`Kubernetes` service must be created as type `LoadBalancer`. For more information, see https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer[Type LoadBalancer] in the [.noloc]`Kubernetes` documentation. +* You can use IP targets with Pods deployed to Amazon EC2 nodes, Fargate, or Amazon EKS Hybrid Nodes. Your Kubernetes service must be created as type `LoadBalancer`. For more information, see https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer[Type LoadBalancer] in the Kubernetes documentation. + -To create a load balancer that uses IP targets, add the following annotations to a service manifest and deploy your service. The `external` value for `aws-load-balancer-type` is what causes the [.noloc]`{aws} Load Balancer Controller`, rather than the {aws} cloud provider load balancer controller, to create the Network Load Balancer. You can view a <> with the annotations. +To create a load balancer that uses IP targets, add the following annotations to a service manifest and deploy your service. The `external` value for `aws-load-balancer-type` is what causes the {aws} Load Balancer Controller, rather than the {aws} cloud provider load balancer controller, to create the Network Load Balancer. You can view a <> with the annotations. + [source,bash,subs="verbatim,attributes"] ---- @@ -103,7 +103,7 @@ service.beta.kubernetes.io/aws-load-balancer-type: "external" service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip" ---- + -NOTE: If you're load balancing to `IPv6` [.noloc]`Pods`, add the following annotation. You can only load balance over `IPv6` to IP targets, not instance targets. Without this annotation, load balancing is over `IPv4`. +NOTE: If you're load balancing to `IPv6` Pods, add the following annotation. You can only load balance over `IPv6` to IP targets, not instance targets. Without this annotation, load balancing is over `IPv4`. + [source,bash,subs="verbatim,attributes"] ---- @@ -112,7 +112,7 @@ service.beta.kubernetes.io/aws-load-balancer-ip-address-type: dualstack + Network Load Balancers are created with the `internal` `aws-load-balancer-scheme`, by default. You can launch Network Load Balancers in any subnet in your cluster's VPC, including subnets that weren't specified when you created your cluster. + -[.noloc]`Kubernetes` examines the route table for your subnets to identify whether they are public or private. Public subnets have a route directly to the internet using an internet gateway, but private subnets do not. +Kubernetes examines the route table for your subnets to identify whether they are public or private. Public subnets have a route directly to the internet using an internet gateway, but private subnets do not. + If you want to create a Network Load Balancer in a public subnet to load balance to Amazon EC2 nodes (Fargate can only be private), specify `internet-facing` with the following annotation: + @@ -128,7 +128,7 @@ IMPORTANT: Do not edit the annotations after creating your service. If you need === Create network load balancer -- Instance Targets -* The {aws} cloud provider load balancer controller creates Network Load Balancers with instance targets only. Version `2.2.0` and later of the {aws} Load Balancer Controller also creates Network Load Balancers with instance targets. We recommend using it, rather than the {aws} cloud provider load balancer controller, to create new Network Load Balancers. You can use Network Load Balancer instance targets with [.noloc]`Pods` deployed to Amazon EC2 nodes, but not to Fargate. To load balance network traffic across [.noloc]`Pods` deployed to Fargate, you must use IP targets. +* The {aws} cloud provider load balancer controller creates Network Load Balancers with instance targets only. Version `2.2.0` and later of the {aws} Load Balancer Controller also creates Network Load Balancers with instance targets. We recommend using it, rather than the {aws} cloud provider load balancer controller, to create new Network Load Balancers. You can use Network Load Balancer instance targets with Pods deployed to Amazon EC2 nodes, but not to Fargate. To load balance network traffic across Pods deployed to Fargate, you must use IP targets. + To deploy a Network Load Balancer to a private subnet, your service specification must have the following annotations. You can view a <> with the annotations. The `external` value for `aws-load-balancer-type` is what causes the {aws} Load Balancer Controller, rather than the {aws} cloud provider load balancer controller, to create the Network Load Balancer. + @@ -138,7 +138,7 @@ service.beta.kubernetes.io/aws-load-balancer-type: "external" service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "instance" ---- + -Network Load Balancers are created with the `internal` `aws-load-balancer-scheme`, by default. For internal Network Load Balancers, your Amazon EKS cluster must be configured to use at least one private subnet in your VPC. [.noloc]`Kubernetes` examines the route table for your subnets to identify whether they are public or private. Public subnets have a route directly to the internet using an internet gateway, but private subnets do not. +Network Load Balancers are created with the `internal` `aws-load-balancer-scheme`, by default. For internal Network Load Balancers, your Amazon EKS cluster must be configured to use at least one private subnet in your VPC. Kubernetes examines the route table for your subnets to identify whether they are public or private. Public subnets have a route directly to the internet using an internet gateway, but private subnets do not. + If you want to create an Network Load Balancer in a public subnet to load balance to Amazon EC2 nodes, specify `internet-facing` with the following annotation: + @@ -154,7 +154,7 @@ IMPORTANT: Do not edit the annotations after creating your service. If you need == (Optional) Deploy a sample application * At least one public or private subnet in your cluster VPC. -* Have the [.noloc]`{aws} Load Balancer Controller` deployed on your cluster. For more information, see <>. We recommend version `2.7.2` or later. +* Have the {aws} Load Balancer Controller deployed on your cluster. For more information, see <>. We recommend version `2.7.2` or later. . If you're deploying to Fargate, make sure you have an available private subnet in your VPC and create a Fargate profile. If you're not deploying to Fargate, skip this step. You can create the profile by running the following command or in the <> using the same values for `name` and `namespace` that are in the command. Replace the [.replaceable]`example values` with your own. + [source,bash,subs="verbatim,attributes"] diff --git a/latest/ug/workloads/restrict-service-external-ip.adoc b/latest/ug/workloads/restrict-service-external-ip.adoc index 4528fe5bc..fdc013b09 100644 --- a/latest/ug/workloads/restrict-service-external-ip.adoc +++ b/latest/ug/workloads/restrict-service-external-ip.adoc @@ -5,12 +5,12 @@ include::../attributes.txt[] -[.noloc]`Kubernetes` services can be reached from inside of a cluster through: +Kubernetes services can be reached from inside of a cluster through: -* A cluster IP address that is assigned automatically by [.noloc]`Kubernetes` -* Any IP address that you specify for the `externalIPs` property in a service spec. External IP addresses are not managed by [.noloc]`Kubernetes` and are the responsibility of the cluster administrator. External IP addresses specified with `externalIPs` are different than the external IP address assigned to a service of type `LoadBalancer` by a cloud provider. +* A cluster IP address that is assigned automatically by Kubernetes +* Any IP address that you specify for the `externalIPs` property in a service spec. External IP addresses are not managed by Kubernetes and are the responsibility of the cluster administrator. External IP addresses specified with `externalIPs` are different than the external IP address assigned to a service of type `LoadBalancer` by a cloud provider. -To learn more about [.noloc]`Kubernetes` services, see https://kubernetes.io/docs/concepts/services-networking/service/[Service] in the [.noloc]`Kubernetes` documentation. You can restrict the IP addresses that can be specified for `externalIPs` in a service spec. +To learn more about Kubernetes services, see https://kubernetes.io/docs/concepts/services-networking/service/[Service] in the Kubernetes documentation. You can restrict the IP addresses that can be specified for `externalIPs` in a service spec. . Deploy `cert-manager` to manage webhook certificates. For more information, see the https://cert-manager.io/docs/[cert-manager] documentation. + @@ -18,7 +18,7 @@ To learn more about [.noloc]`Kubernetes` services, see https://kubernetes.io/doc ---- kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.4/cert-manager.yaml ---- -. Verify that the `cert-manager` [.noloc]`Pods` are running. +. Verify that the `cert-manager` Pods are running. + [source,bash,subs="verbatim,attributes"] ---- @@ -55,7 +55,7 @@ my-namespace my-service ClusterIP ---- + If any of the values are IP addresses that are not within the block you want to restrict access to, you'll need to change the addresses to be within the block, and redeploy the services. For example, the `my-service` service in the previous output has an external IP address assigned to it that isn't within the CIDR block example in step 5. -. Download the external IP webhook manifest. You can also view the https://github.com/kubernetes-sigs/externalip-webhook[source code for the webhook] on [.noloc]`GitHub`. +. Download the external IP webhook manifest. You can also view the https://github.com/kubernetes-sigs/externalip-webhook[source code for the webhook] on GitHub. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/workloads/retreive-iam-info.adoc b/latest/ug/workloads/retreive-iam-info.adoc index 049eea58c..f17714380 100644 --- a/latest/ug/workloads/retreive-iam-info.adoc +++ b/latest/ug/workloads/retreive-iam-info.adoc @@ -17,7 +17,7 @@ Before you create an add-on, use the {aws} CLI to determine: == Procedure -. Determine the name of the add-on you want to install, and the [.noloc]`Kubernetes` version of your cluster. For more information about add-ons, see <>. +. Determine the name of the add-on you want to install, and the Kubernetes version of your cluster. For more information about add-ons, see <>. . Use the {aws} CLI to determine if the add-on requires IAM permissions. + [source,shell,subs="verbatim,attributes"] diff --git a/latest/ug/workloads/sample-deployment-windows.adoc b/latest/ug/workloads/sample-deployment-windows.adoc index cf5f2355d..e3c66f849 100644 --- a/latest/ug/workloads/sample-deployment-windows.adoc +++ b/latest/ug/workloads/sample-deployment-windows.adoc @@ -9,16 +9,16 @@ In this topic, you deploy a sample application to your cluster on Windows nodes. == Prerequisites -* An existing [.noloc]`Kubernetes` cluster with at least one node. If you don't have an existing Amazon EKS cluster, you can deploy one using one of the guides in <>. You must have <> enabled for your cluster and at least one Amazon EC2 [.noloc]`Windows` node. +* An existing Kubernetes cluster with at least one node. If you don't have an existing Amazon EKS cluster, you can deploy one using one of the guides in <>. You must have <> enabled for your cluster and at least one Amazon EC2 Windows node. * `Kubectl` installed on your computer. For more information, see <>. * `Kubectl` configured to communicate with your cluster. For more information, see <>. * If you plan to deploy your sample workload to Fargate, then you must have an existing <> that includes the same namespace created in this tutorial, which is `eks-sample-app`, unless you change the name. If you created a cluster with one of the gudes in <>, then you'll have to create a new profile, or add the namespace to your existing profile, because the profile created in the getting started guides doesn't specify the namespace used in this tutorial. Your VPC must also have at least one private subnet. -Though many variables are changeable in the following steps, we recommend only changing variable values where specified. Once you have a better understanding of [.noloc]`Kubernetes` [.noloc]`Pods`, deployments, and services, you can experiment with changing other values. +Though many variables are changeable in the following steps, we recommend only changing variable values where specified. Once you have a better understanding of Kubernetes Pods, deployments, and services, you can experiment with changing other values. == Create a namespace -A namespace allows you to group resources in [.noloc]`Kubernetes`. For more information, see https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/[Namespaces] in the [.noloc]`Kubernetes` documentation. If you plan to deploy your sample application to <>, make sure that the value for `namespace` in your <> is `eks-sample-app`. +A namespace allows you to group resources in Kubernetes. For more information, see https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/[Namespaces] in the Kubernetes documentation. If you plan to deploy your sample application to <>, make sure that the value for `namespace` in your <> is `eks-sample-app`. [source,bash,subs="verbatim,attributes"] ---- @@ -26,13 +26,13 @@ kubectl create namespace eks-sample-app ---- -== Create a [.noloc]`Kubernetes` deployment +== Create a Kubernetes deployment -This sample deployment pulls a container image from a public repository and deploys three replicas (individual [.noloc]`Pods`) of it to your cluster. To learn more, see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/[Deployments] in the [.noloc]`Kubernetes` documentation. +This sample deployment pulls a container image from a public repository and deploys three replicas (individual Pods) of it to your cluster. To learn more, see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/[Deployments] in the Kubernetes documentation. . Save the following contents to a file named `eks-sample-deployment.yaml`. The containers in the sample application don't use network storage, but you might have applications that need to. For more information, see <>. + -** The `kubernetes.io/os: windows` `nodeSelector` means that if you had [.noloc]`Windows` and [.noloc]`Linux` nodes (for example) in your cluster, the image would only be deployed to [.noloc]`Windows` nodes. For more information, see https://kubernetes.io/docs/reference/labels-annotations-taints/[Well-Known Labels, Annotations and Taints] in the [.noloc]`Kubernetes` documentation. +** The `kubernetes.io/os: windows` `nodeSelector` means that if you had Windows and Linux nodes (for example) in your cluster, the image would only be deployed to Windows nodes. For more information, see https://kubernetes.io/docs/reference/labels-annotations-taints/[Well-Known Labels, Annotations and Taints] in the Kubernetes documentation. + [source,yaml,subs="verbatim,attributes"] ---- @@ -85,9 +85,9 @@ kubectl apply -f eks-sample-deployment.yaml == Create a service -A service allows you to access all replicas through a single IP address or name. For more information, see https://kubernetes.io/docs/concepts/services-networking/service/[Service] in the [.noloc]`Kubernetes` documentation. Though not implemented in the sample application, if you have applications that need to interact with other {aws} services, we recommend that you create [.noloc]`Kubernetes` service accounts for your [.noloc]`Pods`, and associate them to {aws} IAM accounts. By specifying service accounts, your [.noloc]`Pods` have only the minimum permissions that you specify for them to interact with other services. For more information, see <>. +A service allows you to access all replicas through a single IP address or name. For more information, see https://kubernetes.io/docs/concepts/services-networking/service/[Service] in the Kubernetes documentation. Though not implemented in the sample application, if you have applications that need to interact with other {aws} services, we recommend that you create Kubernetes service accounts for your Pods, and associate them to {aws} IAM accounts. By specifying service accounts, your Pods have only the minimum permissions that you specify for them to interact with other services. For more information, see <>. -. Save the following contents to a file named `eks-sample-service.yaml`. [.noloc]`Kubernetes` assigns the service its own IP address that is accessible only from within the cluster. To access the service from outside of your cluster, deploy the <> to load balance <> or <> traffic to the service. +. Save the following contents to a file named `eks-sample-service.yaml`. Kubernetes assigns the service its own IP address that is accessible only from within the cluster. To access the service from outside of your cluster, deploy the <> to load balance <> or <> traffic to the service. + [source,yaml,subs="verbatim,attributes"] ---- @@ -142,9 +142,9 @@ NAME DESIRED CURRENT RE replicaset.apps/eks-sample-windows-deployment-776d8f8fd8 3 3 3 27m ---- + -In the output, you see the service and deployment that were specified in the sample manifests deployed in previous steps. You also see three [.noloc]`Pods`. This is because `3` `replicas` were specified in the sample manifest. For more information about [.noloc]`Pods`, see https://kubernetes.io/docs/concepts/workloads/pods/pod/[Pods] in the [.noloc]`Kubernetes` documentation. [.noloc]`Kubernetes` automatically creates the `replicaset` resource, even though it isn't specified in the sample manifests. For more information about `ReplicaSets`, see https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/[ReplicaSet] in the [.noloc]`Kubernetes` documentation. +In the output, you see the service and deployment that were specified in the sample manifests deployed in previous steps. You also see three Pods. This is because `3` `replicas` were specified in the sample manifest. For more information about Pods, see https://kubernetes.io/docs/concepts/workloads/pods/pod/[Pods] in the Kubernetes documentation. Kubernetes automatically creates the `replicaset` resource, even though it isn't specified in the sample manifests. For more information about `ReplicaSets`, see https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/[ReplicaSet] in the Kubernetes documentation. + -NOTE: [.noloc]`Kubernetes` maintains the number of replicas that are specified in the manifest. If this were a production deployment and you wanted [.noloc]`Kubernetes` to horizontally scale the number of replicas or vertically scale the compute resources for the [.noloc]`Pods`, use the <> and the <> to do so. +NOTE: Kubernetes maintains the number of replicas that are specified in the manifest. If this were a production deployment and you wanted Kubernetes to horizontally scale the number of replicas or vertically scale the compute resources for the Pods, use the <> and the <> to do so. . View the details of the deployed service. + [source,bash,subs="verbatim,attributes"] @@ -172,8 +172,8 @@ Session Affinity: None Events: ---- + -In the previous output, the value for `IP:` is a unique IP address that can be reached from any node or [.noloc]`Pod` within the cluster, but it can't be reached from outside of the cluster. The values for `Endpoints` are IP addresses assigned from within your VPC to the [.noloc]`Pods` that are part of the service. -. View the details of one of the [.noloc]`Pods` listed in the output when you <> in a previous step. Replace [.replaceable]`776d8f8fd8-78w66` with the value returned for one of your [.noloc]`Pods`. +In the previous output, the value for `IP:` is a unique IP address that can be reached from any node or Pod within the cluster, but it can't be reached from outside of the cluster. The values for `Endpoints` are IP addresses assigned from within your VPC to the Pods that are part of the service. +. View the details of one of the Pods listed in the output when you <> in a previous step. Replace [.replaceable]`776d8f8fd8-78w66` with the value returned for one of your Pods. + [source,bash,subs="verbatim,attributes"] ---- @@ -208,19 +208,19 @@ Events: [...] ---- + -In the previous output, the value for `IP:` is a unique IP that's assigned to the [.noloc]`Pod` from the CIDR block assigned to the subnet that the node is in. If you prefer to assign [.noloc]`Pods` IP addresses from different CIDR blocks, you can change the default behavior. For more information, see <>. You can also see that the [.noloc]`Kubernetes` scheduler scheduled the [.noloc]`Pod` on the `Node` with the IP address [.replaceable]`192.168.45.132`. +In the previous output, the value for `IP:` is a unique IP that's assigned to the Pod from the CIDR block assigned to the subnet that the node is in. If you prefer to assign Pods IP addresses from different CIDR blocks, you can change the default behavior. For more information, see <>. You can also see that the Kubernetes scheduler scheduled the Pod on the `Node` with the IP address [.replaceable]`192.168.45.132`. + -TIP: Rather than using the command line, you can view many details about [.noloc]`Pods`, services, deployments, and other [.noloc]`Kubernetes` resources in the {aws-management-console}. For more information, see <>. +TIP: Rather than using the command line, you can view many details about Pods, services, deployments, and other Kubernetes resources in the {aws-management-console}. For more information, see <>. == Run a shell on a Pod -. Run a shell on the [.noloc]`Pod` that you described in the previous step, replacing [.replaceable]`65b7669776-m6qxz` with the ID of one of your [.noloc]`Pods`. +. Run a shell on the Pod that you described in the previous step, replacing [.replaceable]`65b7669776-m6qxz` with the ID of one of your Pods. + [source,bash,subs="verbatim,attributes"] ---- kubectl exec -it eks-sample-windows-deployment-65b7669776-m6qxz -n eks-sample-app -- powershell.exe ---- -. From the [.noloc]`Pod` shell, view the output from the web server that was installed with your deployment in a previous step. You only need to specify the service name. It is resolved to the service's IP address by [.noloc]`CoreDNS`, which is deployed with an Amazon EKS cluster, by default. +. From the Pod shell, view the output from the web server that was installed with your deployment in a previous step. You only need to specify the service name. It is resolved to the service's IP address by CoreDNS, which is deployed with an Amazon EKS cluster, by default. + [source,bash,subs="verbatim,attributes"] ---- @@ -236,7 +236,7 @@ StatusDescription : OK Content : < h t m l > < b o d y > < b r / > < b r / > < m a r q u e e > < H 1 > H e l l o E K S ! ! ! < H 1 > < m a r q u e e > < / b o d y > < h t m l > ---- -. From the [.noloc]`Pod` shell, view the DNS server for the [.noloc]`Pod`. +. From the Pod shell, view the DNS server for the Pod. + [source,bash,subs="verbatim,attributes"] ---- @@ -254,8 +254,8 @@ IPv4Address : 192.168.63.14 DNSServer : 10.100.0.10 ---- + -In the previous output, `10.100.0.10` is automatically assigned as the DNS server for all [.noloc]`Pods` deployed to the cluster. -. Disconnect from the [.noloc]`Pod` by typing `exit`. +In the previous output, `10.100.0.10` is automatically assigned as the DNS server for all Pods deployed to the cluster. +. Disconnect from the Pod by typing `exit`. . Once you're finished with the sample application, you can remove the sample namespace, service, and deployment with the following command. + [source,bash,subs="verbatim,attributes"] diff --git a/latest/ug/workloads/sample-deployment.adoc b/latest/ug/workloads/sample-deployment.adoc index e1a38b10f..4442303ee 100644 --- a/latest/ug/workloads/sample-deployment.adoc +++ b/latest/ug/workloads/sample-deployment.adoc @@ -9,16 +9,16 @@ In this topic, you deploy a sample application to your cluster on linux nodes. == Prerequisites -* An existing [.noloc]`Kubernetes` cluster with at least one node. If you don't have an existing Amazon EKS cluster, you can deploy one using one of the guides in <>. +* An existing Kubernetes cluster with at least one node. If you don't have an existing Amazon EKS cluster, you can deploy one using one of the guides in <>. * `Kubectl` installed on your computer. For more information, see <>. * `Kubectl` configured to communicate with your cluster. For more information, see <>. * If you plan to deploy your sample workload to Fargate, then you must have an existing <> that includes the same namespace created in this tutorial, which is `eks-sample-app`, unless you change the name. If you created a cluster with one of the gudes in <>, then you'll have to create a new profile, or add the namespace to your existing profile, because the profile created in the getting started guides doesn't specify the namespace used in this tutorial. Your VPC must also have at least one private subnet. -Though many variables are changeable in the following steps, we recommend only changing variable values where specified. Once you have a better understanding of [.noloc]`Kubernetes` [.noloc]`Pods`, deployments, and services, you can experiment with changing other values. +Though many variables are changeable in the following steps, we recommend only changing variable values where specified. Once you have a better understanding of Kubernetes Pods, deployments, and services, you can experiment with changing other values. == Create a namespace -A namespace allows you to group resources in [.noloc]`Kubernetes`. For more information, see https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/[Namespaces] in the [.noloc]`Kubernetes` documentation. If you plan to deploy your sample application to <>, make sure that the value for `namespace` in your <> is `eks-sample-app`. +A namespace allows you to group resources in Kubernetes. For more information, see https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/[Namespaces] in the Kubernetes documentation. If you plan to deploy your sample application to <>, make sure that the value for `namespace` in your <> is `eks-sample-app`. [source,bash,subs="verbatim,attributes"] ---- @@ -27,12 +27,12 @@ kubectl create namespace eks-sample-app == Create a Kubernetes deployment -Create a [.noloc]`Kubernetes` deployment. This sample deployment pulls a container image from a public repository and deploys three replicas (individual [.noloc]`Pods`) of it to your cluster. To learn more, see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/[Deployments] in the [.noloc]`Kubernetes` documentation. +Create a Kubernetes deployment. This sample deployment pulls a container image from a public repository and deploys three replicas (individual Pods) of it to your cluster. To learn more, see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/[Deployments] in the Kubernetes documentation. . Save the following contents to a file named `eks-sample-deployment.yaml`. The containers in the sample application don't use network storage, but you might have applications that need to. For more information, see <>. + -** The `amd64` or `arm64` `values` under the `kubernetes.io/arch` key mean that the application can be deployed to either hardware architecture (if you have both in your cluster). This is possible because this image is a multi-architecture image, but not all are. You can determine the hardware architecture that the image is supported on by viewing the https://gallery.ecr.aws/nginx/nginx[image details] in the repository that you're pulling it from. When deploying images that don't support a hardware architecture type, or that you don't want the image deployed to, remove that type from the manifest. For more information, see https://kubernetes.io/docs/reference/labels-annotations-taints/[Well-Known Labels, Annotations and Taints] in the [.noloc]`Kubernetes` documentation. -** The `kubernetes.io/os: linux` `nodeSelector` means that if you had [.noloc]`Linux` and [.noloc]`Windows` nodes (for example) in your cluster, the image would only be deployed to [.noloc]`Linux` nodes. For more information, see https://kubernetes.io/docs/reference/labels-annotations-taints/[Well-Known Labels, Annotations and Taints] in the [.noloc]`Kubernetes` documentation. +** The `amd64` or `arm64` `values` under the `kubernetes.io/arch` key mean that the application can be deployed to either hardware architecture (if you have both in your cluster). This is possible because this image is a multi-architecture image, but not all are. You can determine the hardware architecture that the image is supported on by viewing the https://gallery.ecr.aws/nginx/nginx[image details] in the repository that you're pulling it from. When deploying images that don't support a hardware architecture type, or that you don't want the image deployed to, remove that type from the manifest. For more information, see https://kubernetes.io/docs/reference/labels-annotations-taints/[Well-Known Labels, Annotations and Taints] in the Kubernetes documentation. +** The `kubernetes.io/os: linux` `nodeSelector` means that if you had Linux and Windows nodes (for example) in your cluster, the image would only be deployed to Linux nodes. For more information, see https://kubernetes.io/docs/reference/labels-annotations-taints/[Well-Known Labels, Annotations and Taints] in the Kubernetes documentation. + [source,yaml,subs="verbatim,attributes"] ---- @@ -83,9 +83,9 @@ kubectl apply -f eks-sample-deployment.yaml == Create a service -A service allows you to access all replicas through a single IP address or name. For more information, see https://kubernetes.io/docs/concepts/services-networking/service/[Service] in the [.noloc]`Kubernetes` documentation. Though not implemented in the sample application, if you have applications that need to interact with other {aws} services, we recommend that you create [.noloc]`Kubernetes` service accounts for your [.noloc]`Pods`, and associate them to {aws} IAM accounts. By specifying service accounts, your [.noloc]`Pods` have only the minimum permissions that you specify for them to interact with other services. For more information, see <>. +A service allows you to access all replicas through a single IP address or name. For more information, see https://kubernetes.io/docs/concepts/services-networking/service/[Service] in the Kubernetes documentation. Though not implemented in the sample application, if you have applications that need to interact with other {aws} services, we recommend that you create Kubernetes service accounts for your Pods, and associate them to {aws} IAM accounts. By specifying service accounts, your Pods have only the minimum permissions that you specify for them to interact with other services. For more information, see <>. -. Save the following contents to a file named `eks-sample-service.yaml`. [.noloc]`Kubernetes` assigns the service its own IP address that is accessible only from within the cluster. To access the service from outside of your cluster, deploy the <> to load balance <> or <> traffic to the service. +. Save the following contents to a file named `eks-sample-service.yaml`. Kubernetes assigns the service its own IP address that is accessible only from within the cluster. To access the service from outside of your cluster, deploy the <> to load balance <> or <> traffic to the service. + [source,yaml,subs="verbatim,attributes"] ---- @@ -140,9 +140,9 @@ NAME DESIRED CURRENT RE replicaset.apps/eks-sample-linux-deployment-776d8f8fd8 3 3 3 27m ---- + -In the output, you see the service and deployment that were specified in the sample manifests deployed in previous steps. You also see three [.noloc]`Pods`. This is because `3` `replicas` were specified in the sample manifest. For more information about [.noloc]`Pods`, see https://kubernetes.io/docs/concepts/workloads/pods/pod/[Pods] in the [.noloc]`Kubernetes` documentation. [.noloc]`Kubernetes` automatically creates the `replicaset` resource, even though it isn't specified in the sample manifests. For more information about `ReplicaSets`, see https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/[ReplicaSet] in the [.noloc]`Kubernetes` documentation. +In the output, you see the service and deployment that were specified in the sample manifests deployed in previous steps. You also see three Pods. This is because `3` `replicas` were specified in the sample manifest. For more information about Pods, see https://kubernetes.io/docs/concepts/workloads/pods/pod/[Pods] in the Kubernetes documentation. Kubernetes automatically creates the `replicaset` resource, even though it isn't specified in the sample manifests. For more information about `ReplicaSets`, see https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/[ReplicaSet] in the Kubernetes documentation. + -NOTE: [.noloc]`Kubernetes` maintains the number of replicas that are specified in the manifest. If this were a production deployment and you wanted [.noloc]`Kubernetes` to horizontally scale the number of replicas or vertically scale the compute resources for the [.noloc]`Pods`, use the <> and the <> to do so. +NOTE: Kubernetes maintains the number of replicas that are specified in the manifest. If this were a production deployment and you wanted Kubernetes to horizontally scale the number of replicas or vertically scale the compute resources for the Pods, use the <> and the <> to do so. . View the details of the deployed service. + [source,bash,subs="verbatim,attributes"] @@ -170,8 +170,8 @@ Session Affinity: None Events: ---- + -In the previous output, the value for `IP:` is a unique IP address that can be reached from any node or [.noloc]`Pod` within the cluster, but it can't be reached from outside of the cluster. The values for `Endpoints` are IP addresses assigned from within your VPC to the [.noloc]`Pods` that are part of the service. -. View the details of one of the [.noloc]`Pods` listed in the output when you <> in a previous step. Replace [.replaceable]`776d8f8fd8-78w66` with the value returned for one of your [.noloc]`Pods`. +In the previous output, the value for `IP:` is a unique IP address that can be reached from any node or Pod within the cluster, but it can't be reached from outside of the cluster. The values for `Endpoints` are IP addresses assigned from within your VPC to the Pods that are part of the service. +. View the details of one of the Pods listed in the output when you <> in a previous step. Replace [.replaceable]`776d8f8fd8-78w66` with the value returned for one of your Pods. + [source,bash,subs="verbatim,attributes"] ---- @@ -206,19 +206,19 @@ Events: [...] ---- + -In the previous output, the value for `IP:` is a unique IP that's assigned to the [.noloc]`Pod` from the CIDR block assigned to the subnet that the node is in. If you prefer to assign [.noloc]`Pods` IP addresses from different CIDR blocks, you can change the default behavior. For more information, see <>. You can also see that the [.noloc]`Kubernetes` scheduler scheduled the [.noloc]`Pod` on the `Node` with the IP address [.replaceable]`192.168.45.132`. +In the previous output, the value for `IP:` is a unique IP that's assigned to the Pod from the CIDR block assigned to the subnet that the node is in. If you prefer to assign Pods IP addresses from different CIDR blocks, you can change the default behavior. For more information, see <>. You can also see that the Kubernetes scheduler scheduled the Pod on the `Node` with the IP address [.replaceable]`192.168.45.132`. + -TIP: Rather than using the command line, you can view many details about [.noloc]`Pods`, services, deployments, and other [.noloc]`Kubernetes` resources in the {aws-management-console}. For more information, see <>. +TIP: Rather than using the command line, you can view many details about Pods, services, deployments, and other Kubernetes resources in the {aws-management-console}. For more information, see <>. == Run a shell on a Pod -. Run a shell on the [.noloc]`Pod` that you described in the previous step, replacing [.replaceable]`65b7669776-m6qxz` with the ID of one of your [.noloc]`Pods`. +. Run a shell on the Pod that you described in the previous step, replacing [.replaceable]`65b7669776-m6qxz` with the ID of one of your Pods. + [source,bash,subs="verbatim,attributes"] ---- kubectl exec -it eks-sample-linux-deployment-65b7669776-m6qxz -n eks-sample-app -- /bin/bash ---- -. From the [.noloc]`Pod` shell, view the output from the web server that was installed with your deployment in a previous step. You only need to specify the service name. It is resolved to the service's IP address by [.noloc]`CoreDNS`, which is deployed with an Amazon EKS cluster, by default. +. From the Pod shell, view the output from the web server that was installed with your deployment in a previous step. You only need to specify the service name. It is resolved to the service's IP address by CoreDNS, which is deployed with an Amazon EKS cluster, by default. + [source,bash,subs="verbatim,attributes"] ---- @@ -235,7 +235,7 @@ An example output is as follows. Welcome to nginx! [...] ---- -. From the [.noloc]`Pod` shell, view the DNS server for the [.noloc]`Pod`. +. From the Pod shell, view the DNS server for the Pod. + [source,bash,subs="verbatim,attributes"] ---- @@ -251,8 +251,8 @@ search eks-sample-app.svc.cluster.local svc.cluster.local cluster.local us-west- options ndots:5 ---- + -In the previous output, `10.100.0.10` is automatically assigned as the `nameserver` for all [.noloc]`Pods` deployed to the cluster. -. Disconnect from the [.noloc]`Pod` by typing `exit`. +In the previous output, `10.100.0.10` is automatically assigned as the `nameserver` for all Pods deployed to the cluster. +. Disconnect from the Pod by typing `exit`. . Once you're finished with the sample application, you can remove the sample namespace, service, and deployment with the following command. + [source,bash,subs="verbatim,attributes"] diff --git a/latest/ug/workloads/updating-an-add-on.adoc b/latest/ug/workloads/updating-an-add-on.adoc index badedfd27..ba50a21b3 100644 --- a/latest/ug/workloads/updating-an-add-on.adoc +++ b/latest/ug/workloads/updating-an-add-on.adoc @@ -11,7 +11,7 @@ include::../attributes.txt[] Learn how to update your Amazon EKS add-on to a new version. -- -Amazon EKS doesn't automatically update an add-on when new versions are released or after you update your cluster to a new [.noloc]`Kubernetes` minor version. To update an add-on for an existing cluster, you must initiate the update. After you initiate the update, Amazon EKS updates the add-on for you. Before updating an add-on, review the current documentation for the add-on. For a list of available add-ons, see <>. If the add-on requires an IAM role, see the details for the specific add-on in <> for details about creating the role. +Amazon EKS doesn't automatically update an add-on when new versions are released or after you update your cluster to a new Kubernetes minor version. To update an add-on for an existing cluster, you must initiate the update. After you initiate the update, Amazon EKS updates the add-on for you. Before updating an add-on, review the current documentation for the add-on. For a list of available add-ons, see <>. If the add-on requires an IAM role, see the details for the specific add-on in <> for details about creating the role. [#updating-an-add-on-prereq] == Prerequisites @@ -56,9 +56,9 @@ Your output might look different, depending on which add-ons and versions that y *** Replace [.replaceable]`my-cluster` with the name of your cluster. *** Replace [.replaceable]`region-code` with the {aws} Region that your cluster is in. *** Replace [.replaceable]`vpc-cni` with the name of an add-on returned in the output of the previous step that you want to update. -*** If you want to update to a version earlier than the latest available version, then replace [.replaceable]`latest` with the version number returned in the output of the previous step that you want to use. Some add-ons have recommended versions. For more information, see the documentation for the add-on that you're updating. For a list of add-ons, see <>.*** If the add-on uses a [.noloc]`Kubernetes` service account and IAM role, replace [.replaceable]`111122223333` with your account ID and [.replaceable]`role-name` with the name of an existing IAM role that you've created. For instructions on creating the role, see the documentation for the add-on that you're creating. For a list of add-ons, see <>. Specifying a service account role requires that you have an IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you have one for your cluster, or to create one, see <>. +*** If you want to update to a version earlier than the latest available version, then replace [.replaceable]`latest` with the version number returned in the output of the previous step that you want to use. Some add-ons have recommended versions. For more information, see the documentation for the add-on that you're updating. For a list of add-ons, see <>.*** If the add-on uses a Kubernetes service account and IAM role, replace [.replaceable]`111122223333` with your account ID and [.replaceable]`role-name` with the name of an existing IAM role that you've created. For instructions on creating the role, see the documentation for the add-on that you're creating. For a list of add-ons, see <>. Specifying a service account role requires that you have an IAM OpenID Connect (OIDC) provider for your cluster. To determine whether you have one for your cluster, or to create one, see <>. + -If the add-on doesn't use a [.noloc]`Kubernetes` service account and IAM role, delete the `serviceAccountRoleARN: {arn-aws}iam::[.replaceable]``111122223333``:role/[.replaceable]``role-name``` line. +If the add-on doesn't use a Kubernetes service account and IAM role, delete the `serviceAccountRoleARN: {arn-aws}iam::[.replaceable]``111122223333``:role/[.replaceable]``role-name``` line. *** The [.replaceable]`preserve` option preserves existing values for the add-on. If you have set custom values for add-on settings, and you don't use this option, Amazon EKS overwrites your values with its default values. If you use this option, then we recommend that you test any field and value changes on a non-production cluster before updating the add-on on your production cluster. If you change this value to `overwrite`, all settings are changed to Amazon EKS default values. If you've set custom values for any settings, they might be overwritten with Amazon EKS default values. If you change this value to `none`, Amazon EKS doesn't change the value of any settings, but the update might fail. If the update fails, you receive an error message to help you resolve the conflict. + [source,yaml,subs="verbatim,attributes"] @@ -109,14 +109,14 @@ For more information about updating add-ons, see https://eksctl.io/usage/addons/ + NOTE: Retaining the default role name enables EKS to pre-select the role for add-ons in new clusters or when adding add-ons to existing clusters. You can still override this name and the role will be available for the add-on across your clusters, but the role will need to be manually selected from the drop down. -... For add-ons that do not have *Requires subscription* under *Status* and where you want to configure roles using IRSA, see the documentation for the add-on that you're creating to create an IAM policy and attach it to a role. For a list of add-ons, see <>. Selecting an IAM role requires that you have an IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you have one for your cluster, or to create one, see <>. +... For add-ons that do not have *Requires subscription* under *Status* and where you want to configure roles using IRSA, see the documentation for the add-on that you're creating to create an IAM policy and attach it to a role. For a list of add-ons, see <>. Selecting an IAM role requires that you have an IAM OpenID Connect (OIDC) provider for your cluster. To determine whether you have one for your cluster, or to create one, see <>. .. Expand the *Optional configuration settings*. .. In *Configuration values*, enter any add-on specific configuration information. For more information, see the documentation for the add-on that you're updating. For a list of add-ons, see <>... For *Conflict resolution method*, select one of the options. If you have set custom values for add-on settings, we recommend the *Preserve* option. If you don't choose this option, Amazon EKS overwrites your values with its default values. If you use this option, then we recommend that you test any field and value changes on a non-production cluster before updating the add-on on your production cluster. If you change this value to overwrite, all settings are changed to Amazon EKS default values. If you've set custom values for any settings, they might be overwritten with Amazon EKS default values. If you change this value to none, Amazon EKS doesn't change the value of any settings, but the update might fail. If the update fails, you receive an error message to help you resolve the conflict. . Choose *Save changes*. == Update add-on ({aws} CLI) -. You need version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or [.noloc]`Homebrew` for [.noloc]`macOS` are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. +. You need version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or Homebrew for macOS are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. + . See a list of installed add-ons. Replace [.replaceable]`my-cluster` with the name of your cluster. + @@ -179,9 +179,9 @@ The version with `True` in the `Defaultversion` column is the version that the a + *** Replace [.replaceable]`my-cluster` with the name of your cluster. *** Replace [.replaceable]`vpc-cni` with the name of the add-on that you want to update that was returned in the output of a previous step. -*** Replace [.replaceable]`version-number` with the version returned in the output of the previous step that you want to update to. Some add-ons have recommended versions. For more information, see the documentation for the add-on that you're updating. For a list of add-ons, see <>.*** If the add-on uses a [.noloc]`Kubernetes` service account and IAM role, replace [.replaceable]`111122223333` with your account ID and [.replaceable]`role-name` with the name of an existing IAM role that you've created. For instructions on creating the role, see the documentation for the add-on that you're creating. For a list of add-ons, see <>. Specifying a service account role requires that you have an IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you have one for your cluster, or to create one, see <>. +*** Replace [.replaceable]`version-number` with the version returned in the output of the previous step that you want to update to. Some add-ons have recommended versions. For more information, see the documentation for the add-on that you're updating. For a list of add-ons, see <>.*** If the add-on uses a Kubernetes service account and IAM role, replace [.replaceable]`111122223333` with your account ID and [.replaceable]`role-name` with the name of an existing IAM role that you've created. For instructions on creating the role, see the documentation for the add-on that you're creating. For a list of add-ons, see <>. Specifying a service account role requires that you have an IAM OpenID Connect (OIDC) provider for your cluster. To determine whether you have one for your cluster, or to create one, see <>. + -If the add-on doesn't use a [.noloc]`Kubernetes` service account and IAM role, delete the `serviceAccountRoleARN: {arn-aws}iam::[.replaceable]``111122223333``:role/[.replaceable]``role-name``` line. +If the add-on doesn't use a Kubernetes service account and IAM role, delete the `serviceAccountRoleARN: {arn-aws}iam::[.replaceable]``111122223333``:role/[.replaceable]``role-name``` line. *** The `--resolve-conflicts PRESERVE` option preserves existing values for the add-on. If you have set custom values for add-on settings, and you don't use this option, Amazon EKS overwrites your values with its default values. If you use this option, then we recommend that you test any field and value changes on a non-production cluster before updating the add-on on your production cluster. If you change this value to `OVERWRITE`, all settings are changed to Amazon EKS default values. If you've set custom values for any settings, they might be overwritten with Amazon EKS default values. If you change this value to `NONE`, Amazon EKS doesn't change the value of any settings, but the update might fail. If the update fails, you receive an error message to help you resolve the conflict. *** If you want to remove all custom configuration then perform the update using the [.replaceable]`--configuration-values '{}'` option. This sets all custom configuration back to the default values. If you don't want to change your custom configuration, don't provide the [.replaceable]`--configuration-values` flag. If you want to adjust a custom configuration then replace [.replaceable]`{}` with the new parameters. + diff --git a/latest/ug/workloads/vertical-pod-autoscaler.adoc b/latest/ug/workloads/vertical-pod-autoscaler.adoc index 5fb9c6fe0..0795e9c6e 100644 --- a/latest/ug/workloads/vertical-pod-autoscaler.adoc +++ b/latest/ug/workloads/vertical-pod-autoscaler.adoc @@ -1,6 +1,6 @@ [.topic] [#vertical-pod-autoscaler] -= Adjust pod resources with [.noloc]`Vertical Pod Autoscaler` += Adjust pod resources with Vertical Pod Autoscaler :info_titleabbrev: Vertical Pod Autoscaler include::../attributes.txt[] @@ -10,12 +10,12 @@ include::../attributes.txt[] Discover how the Kubernetes Vertical Pod Autoscaler automatically adjusts CPU and memory reservations for your Pods to optimize resource utilization and right-size applications on Amazon EKS. -- -The [.noloc]`Kubernetes` https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler[Vertical Pod Autoscaler] automatically adjusts the CPU and memory reservations for your [.noloc]`Pods` to help "right size" your applications. This adjustment can improve cluster resource utilization and free up CPU and memory for other [.noloc]`Pods`. This topic helps you to deploy the Vertical Pod Autoscaler to your cluster and verify that it is working. +The Kubernetes https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler[Vertical Pod Autoscaler] automatically adjusts the CPU and memory reservations for your Pods to help "right size" your applications. This adjustment can improve cluster resource utilization and free up CPU and memory for other Pods. This topic helps you to deploy the Vertical Pod Autoscaler to your cluster and verify that it is working. * You have an existing Amazon EKS cluster. If you don't, see <>. -* You have the [.noloc]`Kubernetes` Metrics Server installed. For more information, see <>. +* You have the Kubernetes Metrics Server installed. For more information, see <>. * You are using a `kubectl` client that is <>. * OpenSSL `1.1.1` or later installed on your device. @@ -26,7 +26,7 @@ The [.noloc]`Kubernetes` https://github.com/kubernetes/autoscaler/tree/master/ve In this section, you deploy the Vertical Pod Autoscaler to your cluster. . Open a terminal window and navigate to a directory where you would like to download the Vertical Pod Autoscaler source code. -. Clone the https://github.com/kubernetes/autoscaler[kubernetes/autoscaler][.noloc]`GitHub` repository. +. Clone the https://github.com/kubernetes/autoscaler[kubernetes/autoscaler]GitHub repository. + [source,bash,subs="verbatim,attributes"] ---- @@ -67,7 +67,7 @@ sed -i.bak -e 's/registry.k8s.io/111122223333.dkr.ecr.region-code.amazonaws.com/ ---- ./hack/vpa-up.sh ---- -. Verify that the Vertical Pod Autoscaler [.noloc]`Pods` have been created successfully. +. Verify that the Vertical Pod Autoscaler Pods have been created successfully. + [source,bash,subs="verbatim,attributes"] ---- @@ -98,7 +98,7 @@ In this section, you deploy a sample application to verify that the Vertical Pod ---- kubectl apply -f examples/hamster.yaml ---- -. Get the [.noloc]`Pods` from the `hamster` example application. +. Get the Pods from the `hamster` example application. + [source,bash,subs="verbatim,attributes"] ---- @@ -112,7 +112,7 @@ An example output is as follows. hamster-c7d89d6db-rglf5 1/1 Running 0 48s hamster-c7d89d6db-znvz5 1/1 Running 0 48s ---- -. Describe one of the [.noloc]`Pods` to view its `cpu` and `memory` reservation. Replace [.replaceable]`c7d89d6db-rglf5` with one of the IDs returned in your output from the previous step. +. Describe one of the Pods to view its `cpu` and `memory` reservation. Replace [.replaceable]`c7d89d6db-rglf5` with one of the IDs returned in your output from the previous step. + [source,bash,subs="verbatim,attributes"] ---- @@ -146,16 +146,16 @@ Containers: [...] ---- + -You can see that the original [.noloc]`Pod` reserves 100 millicpu of CPU and 50 mebibytes of memory. For this example application, 100 millicpu is less than the [.noloc]`Pod` needs to run, so it is CPU-constrained. It also reserves much less memory than it needs. The Vertical Pod Autoscaler `vpa-recommender` deployment analyzes the [.noloc]`hamster` [.noloc]`Pods` to see if the CPU and memory requirements are appropriate. If adjustments are needed, the `vpa-updater` relaunches the [.noloc]`Pods` with updated values. -. Wait for the `vpa-updater` to launch a new [.noloc]`hamster` [.noloc]`Pods`. This should take a minute or two. You can monitor the [.noloc]`Pods` with the following command. +You can see that the original Pod reserves 100 millicpu of CPU and 50 mebibytes of memory. For this example application, 100 millicpu is less than the Pod needs to run, so it is CPU-constrained. It also reserves much less memory than it needs. The Vertical Pod Autoscaler `vpa-recommender` deployment analyzes the hamster Pods to see if the CPU and memory requirements are appropriate. If adjustments are needed, the `vpa-updater` relaunches the Pods with updated values. +. Wait for the `vpa-updater` to launch a new hamster Pods. This should take a minute or two. You can monitor the Pods with the following command. + -NOTE: If you are not sure that a new [.noloc]`Pod` has launched, compare the [.noloc]`Pod` names with your previous list. When the new [.noloc]`Pod` launches, you will see a new [.noloc]`Pod` name. +NOTE: If you are not sure that a new Pod has launched, compare the Pod names with your previous list. When the new Pod launches, you will see a new Pod name. + [source,bash,subs="verbatim,attributes"] ---- kubectl get --watch Pods -l app=hamster ---- -. When a new [.noloc]`hamster` [.noloc]`Pods` is started, describe it and view the updated CPU and memory reservations. +. When a new hamster Pods is started, describe it and view the updated CPU and memory reservations. + [source,bash,subs="verbatim,attributes"] ---- @@ -189,7 +189,7 @@ Containers: [...] ---- + -In the previous output, you can see that the `cpu` reservation increased to 587 millicpu, which is over five times the original value. The `memory` increased to 262,144 Kilobytes, which is around 250 mebibytes, or five times the original value. This [.noloc]`Pod` was under-resourced, and the Vertical Pod Autoscaler corrected the estimate with a much more appropriate value. +In the previous output, you can see that the `cpu` reservation increased to 587 millicpu, which is over five times the original value. The `memory` increased to 262,144 Kilobytes, which is around 250 mebibytes, or five times the original value. This Pod was under-resourced, and the Vertical Pod Autoscaler corrected the estimate with a much more appropriate value. . Describe the `hamster-vpa` resource to view the new recommendation. + [source,bash,subs="verbatim,attributes"] diff --git a/latest/ug/workloads/workloads-add-ons-available-eks.adoc b/latest/ug/workloads/workloads-add-ons-available-eks.adoc index 7417bd2f1..8fb81414a 100644 --- a/latest/ug/workloads/workloads-add-ons-available-eks.adoc +++ b/latest/ug/workloads/workloads-add-ons-available-eks.adoc @@ -12,7 +12,7 @@ include::../attributes.txt[] Learn about the availabe Amazon EKS add-ons from {aws}. -- -The following Amazon EKS add-ons are available to create on your cluster. You can view the most current list of available add-ons using `eksctl`, the {aws-management-console}, or the {aws} CLI. To see all available add-ons or to install an add-on, see <>. If an add-on requires IAM permissions, then you must have an IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you have one, or to create one, see <>. You can an create or delete an add-on after you've installed it. For more information, see <> or <>. For more information about considerations specific to running EKS add-ons with Amazon EKS Hybrid Nodes, see <>. +The following Amazon EKS add-ons are available to create on your cluster. You can view the most current list of available add-ons using `eksctl`, the {aws-management-console}, or the {aws} CLI. To see all available add-ons or to install an add-on, see <>. If an add-on requires IAM permissions, then you must have an IAM OpenID Connect (OIDC) provider for your cluster. To determine whether you have one, or to create one, see <>. You can an create or delete an add-on after you've installed it. For more information, see <> or <>. For more information about considerations specific to running EKS add-ons with Amazon EKS Hybrid Nodes, see <>. You can use any of the following Amazon EKS add-ons. @@ -28,7 +28,7 @@ You can use any of the following Amazon EKS add-ons. |<> |EC2 -| A flexible, extensible DNS server that can serve as the [.noloc]`Kubernetes` cluster DNS +| A flexible, extensible DNS server that can serve as the Kubernetes cluster DNS |<> |EC2, Fargate, EKS Auto Mode, Amazon EKS Hybrid Nodes @@ -68,7 +68,7 @@ You can use any of the following Amazon EKS add-ons. |<> |EC2, Fargate, EKS Auto Mode, Amazon EKS Hybrid Nodes -|Security monitoring service that analyzes and processes foundational data sources including {aws} CloudTrail management events and Amazon VPC flow logs. Amazon GuardDuty also processes features, such as [.noloc]`Kubernetes` audit logs and runtime monitoring +|Security monitoring service that analyzes and processes foundational data sources including {aws} CloudTrail management events and Amazon VPC flow logs. Amazon GuardDuty also processes features, such as Kubernetes audit logs and runtime monitoring |<> |EC2, EKS Auto Mode @@ -90,7 +90,7 @@ You can use any of the following Amazon EKS add-ons. Learn about the vpc-cni Amazon EKS add-on. -- -The [.noloc]`Amazon VPC CNI plugin for Kubernetes` Amazon EKS add-on is a [.noloc]`Kubernetes` container network interface (CNI) plugin that provides native VPC networking for your cluster. The self-managed or managed type of this add-on is installed on each Amazon EC2 node, by default. For more information, see https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/[Kubernetes container network interface (CNI) plugin]. +The Amazon VPC CNI plugin for Kubernetes Amazon EKS add-on is a Kubernetes container network interface (CNI) plugin that provides native VPC networking for your cluster. The self-managed or managed type of this add-on is installed on each Amazon EC2 node, by default. For more information, see https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/[Kubernetes container network interface (CNI) plugin]. [NOTE] ==== @@ -105,9 +105,9 @@ The Amazon EKS add-on name is `vpc-cni`. This add-on uses the IAM roles for service accounts capability of Amazon EKS. For more information, see <>. -If your cluster uses the `IPv4` family, the permissions in the link:aws-managed-policy/latest/reference/AmazonEKS_CNI_Policy.html[AmazonEKS_CNI_Policy,type="documentation"] are required. If your cluster uses the `IPv6` family, you must link:IAM/latest/UserGuide/access_policies_create.html[create an IAM policy,type="documentation"] with the permissions in https://github.com/aws/amazon-vpc-cni-k8s/blob/master/docs/iam-policy.md#ipv6-mode[IPv6 mode]. You can create an IAM role, attach one of the policies to it, and annotate the [.noloc]`Kubernetes` service account used by the add-on with the following command. +If your cluster uses the `IPv4` family, the permissions in the link:aws-managed-policy/latest/reference/AmazonEKS_CNI_Policy.html[AmazonEKS_CNI_Policy,type="documentation"] are required. If your cluster uses the `IPv6` family, you must link:IAM/latest/UserGuide/access_policies_create.html[create an IAM policy,type="documentation"] with the permissions in https://github.com/aws/amazon-vpc-cni-k8s/blob/master/docs/iam-policy.md#ipv6-mode[IPv6 mode]. You can create an IAM role, attach one of the policies to it, and annotate the Kubernetes service account used by the add-on with the following command. -Replace [.replaceable]`my-cluster` with the name of your cluster and [.replaceable]`AmazonEKSVPCCNIRole` with the name for your role. If your cluster uses the `IPv6` family, then replace [.replaceable]`AmazonEKS_CNI_Policy` with the name of the policy that you created. This command requires that you have https://eksctl.io[eksctl] installed on your device. If you need to use a different tool to create the role, attach the policy to it, and annotate the [.noloc]`Kubernetes` service account, see <>. +Replace [.replaceable]`my-cluster` with the name of your cluster and [.replaceable]`AmazonEKSVPCCNIRole` with the name for your role. If your cluster uses the `IPv6` family, then replace [.replaceable]`AmazonEKS_CNI_Policy` with the name of the policy that you created. This command requires that you have https://eksctl.io[eksctl] installed on your device. If you need to use a different tool to create the role, attach the policy to it, and annotate the Kubernetes service account, see <>. [source,bash,subs="verbatim,attributes"] ---- @@ -129,7 +129,7 @@ You can only update one minor version at a time. For example, if your current ve Learn about the CoreDNS Amazon EKS add-on. -- -The CoreDNS Amazon EKS add-on is a flexible, extensible DNS server that can serve as the [.noloc]`Kubernetes` cluster DNS. The self-managed or managed type of this add-on was installed, by default, when you created your cluster. When you launch an Amazon EKS cluster with at least one node, two replicas of the [.noloc]`CoreDNS` image are deployed by default, regardless of the number of nodes deployed in your cluster. The [.noloc]`CoreDNS` [.noloc]`Pods` provide name resolution for all [.noloc]`Pods` in the cluster. You can deploy the [.noloc]`CoreDNS` [.noloc]`Pods` to Fargate nodes if your cluster includes a Fargate profile with a namespace that matches the namespace for the [.noloc]`CoreDNS` deployment. For more information, see <> +The CoreDNS Amazon EKS add-on is a flexible, extensible DNS server that can serve as the Kubernetes cluster DNS. The self-managed or managed type of this add-on was installed, by default, when you created your cluster. When you launch an Amazon EKS cluster with at least one node, two replicas of the CoreDNS image are deployed by default, regardless of the number of nodes deployed in your cluster. The CoreDNS Pods provide name resolution for all Pods in the cluster. You can deploy the CoreDNS Pods to Fargate nodes if your cluster includes a Fargate profile with a namespace that matches the namespace for the CoreDNS deployment. For more information, see <> [NOTE] ==== @@ -146,7 +146,7 @@ This add-on doesn't require any permissions. [#add-ons-coredns-information] === Additional information -To learn more about CoreDNS, see https://kubernetes.io/docs/tasks/administer-cluster/coredns/[Using CoreDNS for Service Discovery] and https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/[Customizing DNS Service] in the [.noloc]`Kubernetes` documentation. +To learn more about CoreDNS, see https://kubernetes.io/docs/tasks/administer-cluster/coredns/[Using CoreDNS for Service Discovery] and https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/[Customizing DNS Service] in the Kubernetes documentation. [#add-ons-kube-proxy] == `Kube-proxy` @@ -156,7 +156,7 @@ To learn more about CoreDNS, see https://kubernetes.io/docs/tasks/administer-clu Learn about the Kube-proxy Amazon EKS add-on. -- -The `Kube-proxy` Amazon EKS add-on maintains network rules on each Amazon EC2 node. It enables network communication to your [.noloc]`Pods`. The self-managed or managed type of this add-on is installed on each Amazon EC2 node in your cluster, by default. +The `Kube-proxy` Amazon EKS add-on maintains network rules on each Amazon EC2 node. It enables network communication to your Pods. The self-managed or managed type of this add-on is installed on each Amazon EC2 node in your cluster, by default. [NOTE] ==== @@ -183,7 +183,7 @@ Before updating your current version, consider the following requirements: [#add-ons-kube-proxy-information] === Additional information -To learn more about `kube-proxy`, see https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/[kube-proxy] in the [.noloc]`Kubernetes` documentation. +To learn more about `kube-proxy`, see https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/[kube-proxy] in the Kubernetes documentation. [#add-ons-aws-ebs-csi-driver] == Amazon EBS CSI driver @@ -193,7 +193,7 @@ To learn more about `kube-proxy`, see https://kubernetes.io/docs/reference/comma Learn about the Amazon EBS CSI driver Amazon EKS add-on. -- -The Amazon EBS CSI driver Amazon EKS add-on is a [.noloc]`Kubernetes` Container Storage Interface (CSI) plugin that provides Amazon EBS storage for your cluster. +The Amazon EBS CSI driver Amazon EKS add-on is a Kubernetes Container Storage Interface (CSI) plugin that provides Amazon EBS storage for your cluster. [NOTE] ==== @@ -233,7 +233,7 @@ To learn more about the add-on, see <>. Learn about the Amazon EFS CSI driver Amazon EKS add-on. -- -The Amazon EFS CSI driver Amazon EKS add-on is a [.noloc]`Kubernetes` Container Storage Interface (CSI) plugin that provides Amazon EFS storage for your cluster. +The Amazon EFS CSI driver Amazon EKS add-on is a Kubernetes Container Storage Interface (CSI) plugin that provides Amazon EFS storage for your cluster. The Amazon EKS add-on name is `aws-efs-csi-driver`. @@ -266,14 +266,14 @@ aws iam update-assume-role-policy --role-name $role_name --policy-document "$TRU To learn more about the add-on, see <>. [#mountpoint-for-s3-add-on] -== [.noloc]`Mountpoint` for Amazon S3 CSI Driver +== Mountpoint for Amazon S3 CSI Driver [abstract] -- -Learn about the [.noloc]`Mountpoint` for Amazon S3 CSI Driver Amazon EKS add-on. +Learn about the Mountpoint for Amazon S3 CSI Driver Amazon EKS add-on. -- -The [.noloc]`Mountpoint` for Amazon S3 CSI Driver Amazon EKS add-on is a [.noloc]`Kubernetes` Container Storage Interface (CSI) plugin that provides Amazon S3 storage for your cluster. +The Mountpoint for Amazon S3 CSI Driver Amazon EKS add-on is a Kubernetes Container Storage Interface (CSI) plugin that provides Amazon S3 storage for your cluster. The Amazon EKS add-on name is `aws-mountpoint-s3-csi-driver`. @@ -282,7 +282,7 @@ The Amazon EKS add-on name is `aws-mountpoint-s3-csi-driver`. This add-on uses the IAM roles for service accounts capability of Amazon EKS. For more information, see <>. -The IAM role that is created will require a policy that gives access to S3. Follow the https://github.com/awslabs/mountpoint-s3/blob/main/doc/CONFIGURATION.md#iam-permissions[Mountpoint IAM permissions recommendations] when creating the policy. Alternatively, you may use the {aws} managed policy link:iam/home?#/policies/arn:aws:iam::aws:policy/AmazonS3FullAccess$jsonEditor[AmazonS3FullAccess,type="console"], but this managed policy grants more permissions than are needed for [.noloc]`Mountpoint`. +The IAM role that is created will require a policy that gives access to S3. Follow the https://github.com/awslabs/mountpoint-s3/blob/main/doc/CONFIGURATION.md#iam-permissions[Mountpoint IAM permissions recommendations] when creating the policy. Alternatively, you may use the {aws} managed policy link:iam/home?#/policies/arn:aws:iam::aws:policy/AmazonS3FullAccess$jsonEditor[AmazonS3FullAccess,type="console"], but this managed policy grants more permissions than are needed for Mountpoint. You can create an IAM role and attach your policy to it with the following commands. Replace [.replaceable]`my-cluster` with the name of your cluster, [.replaceable]`region-code` with the correct {aws} Region code, [.replaceable]`AmazonEKS_S3_CSI_DriverRole` with the name for your role, and [.replaceable]`AmazonEKS_S3_CSI_DriverRole_ARN` with the role ARN. These commands require that you have https://eksctl.io[eksctl] installed on your device. For instructions on using the IAM console or {aws} CLI, see <>. @@ -418,9 +418,9 @@ This add-on only requires IAM permissions if you're using one of the preconfigur [#add-ons-adot-information] === Additional information -For more information, see https://aws-otel.github.io/docs/getting-started/adot-eks-add-on[Getting Started with {aws} Distro for OpenTelemetry using EKS Add-Ons] in the {aws} Distro for [.noloc]`OpenTelemetry` documentation. +For more information, see https://aws-otel.github.io/docs/getting-started/adot-eks-add-on[Getting Started with {aws} Distro for OpenTelemetry using EKS Add-Ons] in the {aws} Distro for OpenTelemetry documentation. -ADOT requires that `cert-manager` is deployed on the cluster as a prerequisite, otherwise this add-on won't work if deployed directly using the https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest[Amazon EKS Terraform]``cluster_addons`` property. For more requirements, see https://aws-otel.github.io/docs/getting-started/adot-eks-add-on/requirements[Requirements for Getting Started with {aws} Distro for OpenTelemetry using EKS Add-Ons] in the {aws} Distro for [.noloc]`OpenTelemetry` documentation. +ADOT requires that `cert-manager` is deployed on the cluster as a prerequisite, otherwise this add-on won't work if deployed directly using the https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest[Amazon EKS Terraform]``cluster_addons`` property. For more requirements, see https://aws-otel.github.io/docs/getting-started/adot-eks-add-on/requirements[Requirements for Getting Started with {aws} Distro for OpenTelemetry using EKS Add-Ons] in the {aws} Distro for OpenTelemetry documentation. [#add-ons-guard-duty] == Amazon GuardDuty agent @@ -430,7 +430,7 @@ ADOT requires that `cert-manager` is deployed on the cluster as a prerequisite, Learn about the Amazon GuardDuty agent Amazon EKS add-on. -- -The Amazon GuardDuty agent Amazon EKS add-on is a security monitoring service that analyzes and processes link:guardduty/latest/ug/guardduty_data-sources.html[foundational data sources,type="documentation"] including {aws} CloudTrail management events and Amazon VPC flow logs. Amazon GuardDuty also processes link:guardduty/latest/ug/guardduty-features-activation-model.html[features,type="documentation"], such as [.noloc]`Kubernetes` audit logs and runtime monitoring. +The Amazon GuardDuty agent Amazon EKS add-on is a security monitoring service that analyzes and processes link:guardduty/latest/ug/guardduty_data-sources.html[foundational data sources,type="documentation"] including {aws} CloudTrail management events and Amazon VPC flow logs. Amazon GuardDuty also processes link:guardduty/latest/ug/guardduty-features-activation-model.html[features,type="documentation"], such as Kubernetes audit logs and runtime monitoring. The Amazon EKS add-on name is `aws-guardduty-agent`. @@ -464,7 +464,7 @@ The Amazon EKS add-on name is `amazon-cloudwatch-observability`. [#amazon-cloudwatch-observability-iam-permissions] === Required IAM permissions -This add-on uses the IAM roles for service accounts capability of Amazon EKS. For more information, see <>. The permissions in the link:iam/home#/policies/arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess[AWSXrayWriteOnlyAccess,type="console"] and link:iam/home#/policies/arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy[CloudWatchAgentServerPolicy,type="console"] {aws} managed policies are required. You can create an IAM role, attach the managed policies to it, and annotate the [.noloc]`Kubernetes` service account used by the add-on with the following command. Replace [.replaceable]`my-cluster` with the name of your cluster and [.replaceable]`AmazonEKS_Observability_role` with the name for your role. This command requires that you have https://eksctl.io[eksctl] installed on your device. If you need to use a different tool to create the role, attach the policy to it, and annotate the [.noloc]`Kubernetes` service account, see <>. +This add-on uses the IAM roles for service accounts capability of Amazon EKS. For more information, see <>. The permissions in the link:iam/home#/policies/arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess[AWSXrayWriteOnlyAccess,type="console"] and link:iam/home#/policies/arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy[CloudWatchAgentServerPolicy,type="console"] {aws} managed policies are required. You can create an IAM role, attach the managed policies to it, and annotate the Kubernetes service account used by the add-on with the following command. Replace [.replaceable]`my-cluster` with the name of your cluster and [.replaceable]`AmazonEKS_Observability_role` with the name for your role. This command requires that you have https://eksctl.io[eksctl] installed on your device. If you need to use a different tool to create the role, attach the policy to it, and annotate the Kubernetes service account, see <>. [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/workloads/workloads-add-ons-available-vendors.adoc b/latest/ug/workloads/workloads-add-ons-available-vendors.adoc index 2c03b1be2..05ea0065c 100644 --- a/latest/ug/workloads/workloads-add-ons-available-vendors.adoc +++ b/latest/ug/workloads/workloads-add-ons-available-vendors.adoc @@ -18,14 +18,14 @@ video::IIPj119mspc[youtube,align = center,height = 405,fileref = https://www.you [#add-on-accuknox] -== [.noloc]`Accuknox` +== Accuknox [abstract] -- -Learn about the [.noloc]`Accuknox` Amazon EKS add-on. +Learn about the Accuknox Amazon EKS add-on. -- -The add-on name is `accuknox_kubearmor` and the namespace is `kubearmor`. [.noloc]`Accuknox` publishes the add-on. +The add-on name is `accuknox_kubearmor` and the namespace is `kubearmor`. Accuknox publishes the add-on. For information about the add-on, see https://docs.kubearmor.io/kubearmor/quick-links/deployment_guide[Getting Started with KubeArmor] in the KubeArmor documentation. @@ -45,14 +45,14 @@ A managed policy isn't used with this add-on. Custom permissions aren't used with this add-on. [#add-on-akuity] -== [.noloc]`Akuity` +== Akuity [abstract] -- -Learn about the [.noloc]`Akuity` Amazon EKS add-on. +Learn about the Akuity Amazon EKS add-on. -- -The add-on name is `akuity_agent` and the namespace is `akuity`. [.noloc]`Akuity` publishes the add-on. +The add-on name is `akuity_agent` and the namespace is `akuity`. Akuity publishes the add-on. For information about how the add-on, see https://docs.akuity.io/tutorials/eks-addon-agent-install/[Installing the Akuity Agent on Amazon EKS with the Akuity EKS add-on] in the Akuity Platform documentation. @@ -72,14 +72,14 @@ A managed policy isn't used with this add-on. Custom permissions aren't used with this add-on. [#add-on-calyptia] -== [.noloc]`Calyptia` +== Calyptia [abstract] -- -Learn about the [.noloc]`Calyptia` Amazon EKS add-on. +Learn about the Calyptia Amazon EKS add-on. -- -The add-on name is `calyptia_fluent-bit` and the namespace is `calytia-fluentbit`. [.noloc]`Calyptia` publishes the add-on. +The add-on name is `calyptia_fluent-bit` and the namespace is `calytia-fluentbit`. Calyptia publishes the add-on. For information about the add-on, see https://docs.akuity.io/tutorials/eks-addon-agent-install/[Getting Started with Calyptia Core Agent] on the Calyptia documentation website. @@ -96,7 +96,7 @@ This add-on uses the `AWSMarketplaceMeteringRegisterUsage` managed policy. For m [#add-on-calyptia-custom-permissions] === Command to create required IAM role -The following command requires that you have an IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you have one, or to create one, see <>. Replace [.replaceable]`my-cluster` with the name of your cluster and [.replaceable]`my-calyptia-role` with the name for your role. This command requires that you have https://eksctl.io[eksctl] installed on your device. If you need to use a different tool to create the role and annotate the [.noloc]`Kubernetes` service account, see <>. +The following command requires that you have an IAM OpenID Connect (OIDC) provider for your cluster. To determine whether you have one, or to create one, see <>. Replace [.replaceable]`my-cluster` with the name of your cluster and [.replaceable]`my-calyptia-role` with the name for your role. This command requires that you have https://eksctl.io[eksctl] installed on your device. If you need to use a different tool to create the role and annotate the Kubernetes service account, see <>. [source,bash,subs="verbatim,attributes"] ---- @@ -106,14 +106,14 @@ eksctl create iamserviceaccount --name service-account-name --namespace calypti [#add-on-cisco-collector] -== [.noloc]`Cisco Observability Collector` +== Cisco Observability Collector [abstract] -- -Learn about the [.noloc]`Cisco Observability Collector` Amazon EKS add-on. +Learn about the Cisco Observability Collector Amazon EKS add-on. -- -The add-on name is `cisco_cisco-cloud-observability-collectors` and the namespace is `appdynamics`. [.noloc]`Cisco` pubishes the add-on. +The add-on name is `cisco_cisco-cloud-observability-collectors` and the namespace is `appdynamics`. Cisco pubishes the add-on. For information about the add-on, see https://docs.appdynamics.com/observability/cisco-cloud-observability/en/kubernetes-and-app-service-monitoring/install-kubernetes-and-app-service-monitoring-with-amazon-elastic-kubernetes-service/use-the-cisco-cloud-observability-aws-marketplace-add-ons[Use the Cisco Cloud Observability {aws} Marketplace Add-Ons] in the Cisco AppDynamics documentation. @@ -133,14 +133,14 @@ A managed policy isn't used with this add-on. Custom permissions aren't used with this add-on. [#add-on-cisco-operator] -== [.noloc]`Cisco Observability Operator` +== Cisco Observability Operator [abstract] -- -Learn about the [.noloc]`Cisco Observability Operator` Amazon EKS add-on. +Learn about the Cisco Observability Operator Amazon EKS add-on. -- -The add-on name is `cisco_cisco-cloud-observability-operators` and the namespace is `appdynamics`. [.noloc]`Cisco` publishes the add-on. +The add-on name is `cisco_cisco-cloud-observability-operators` and the namespace is `appdynamics`. Cisco publishes the add-on. For information about the add-on, see https://docs.appdynamics.com/observability/cisco-cloud-observability/en/kubernetes-and-app-service-monitoring/install-kubernetes-and-app-service-monitoring-with-amazon-elastic-kubernetes-service/use-the-cisco-cloud-observability-aws-marketplace-add-ons[Use the Cisco Cloud Observability {aws} Marketplace Add-Ons] in the Cisco AppDynamics documentation. @@ -160,14 +160,14 @@ A managed policy isn't used with this add-on. Custom permissions aren't used with this add-on. [#add-on-cloudsoft] -== [.noloc]`CLOUDSOFT` +== CLOUDSOFT [abstract] -- -Learn about the [.noloc]`CLOUDSOFT` Amazon EKS add-on. +Learn about the CLOUDSOFT Amazon EKS add-on. -- -The add-on name is `cloudsoft_cloudsoft-amp` and the namespace is `cloudsoft-amp`. [.noloc]`CLOUDSOFT` publishes the add-on. +The add-on name is `cloudsoft_cloudsoft-amp` and the namespace is `cloudsoft-amp`. CLOUDSOFT publishes the add-on. For information about the add-on, see https://docs.cloudsoft.io/operations/configuration/aws-eks-addon.html[Amazon EKS ADDON] in the CLOUDSOFT documentation. @@ -187,14 +187,14 @@ A managed policy isn't used with this add-on. Custom permissions aren't used with this add-on. [#add-on-cribl] -== [.noloc]`Cribl` +== Cribl [abstract] -- -Learn about the [.noloc]`Cribl` Amazon EKS add-on. +Learn about the Cribl Amazon EKS add-on. -- -The add-on name is `cribl_cribledge` and the namespace is `cribledge`. [.noloc]`Cribl` publishes the add-on. +The add-on name is `cribl_cribledge` and the namespace is `cribledge`. Cribl publishes the add-on. For information about the add-on, see https://docs.cribl.io/edge/usecase-edge-aws-eks/[Installing the Cribl Amazon EKS Add-on for Edge] in the Cribl documentation @@ -214,16 +214,16 @@ A managed policy isn't used with this add-on. Custom permissions aren't used with this add-on. [#add-on-dynatrace] -== [.noloc]`Dynatrace` +== Dynatrace [abstract] -- -Learn about the [.noloc]`Dynatrace` Amazon EKS add-on. +Learn about the Dynatrace Amazon EKS add-on. -- -The add-on name is `dynatrace_dynatrace-operator` and the namespace is `dynatrace`. [.noloc]`Dynatrace` publishes the add-on. +The add-on name is `dynatrace_dynatrace-operator` and the namespace is `dynatrace`. Dynatrace publishes the add-on. -For information about the add-on, see https://www.dynatrace.com/technologies/kubernetes-monitoring/[Kubernetes monitoring] in the [.noloc]`dynatrace` documentation. +For information about the add-on, see https://www.dynatrace.com/technologies/kubernetes-monitoring/[Kubernetes monitoring] in the dynatrace documentation. [#add-on-dynatrace-service-account-name] === Service account name @@ -241,14 +241,14 @@ A managed policy isn't used with this add-on. Custom permissions aren't used with this add-on. [#add-on-datree-pro] -== [.noloc]`Datree` +== Datree [abstract] -- -Learn about the [.noloc]`Datree` Amazon EKS add-on. +Learn about the Datree Amazon EKS add-on. -- -The add-on name is `datree_engine-pro` and the namespace is `datree`. [.noloc]`Datree` publishes the add-on. +The add-on name is `datree_engine-pro` and the namespace is `datree`. Datree publishes the add-on. For information about the add-on, see https://hub.datree.io/integrations/eks-integration[Amazon EKS-intergration] in the Datree documentation. @@ -265,7 +265,7 @@ The managed policy is AWSLicenseManagerConsumptionPolicy. For more information, [#add-on-datree-pro-iam-command] === Command to create required IAM role -The following command requires that you have an IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you have one, or to create one, see <>. Replace [.replaceable]`my-cluster` with the name of your cluster and [.replaceable]`my-datree-role` with the name for your role. This command requires that you have https://eksctl.io[eksctl] installed on your device. If you need to use a different tool to create the role and annotate the [.noloc]`Kubernetes` service account, see <>. +The following command requires that you have an IAM OpenID Connect (OIDC) provider for your cluster. To determine whether you have one, or to create one, see <>. Replace [.replaceable]`my-cluster` with the name of your cluster and [.replaceable]`my-datree-role` with the name for your role. This command requires that you have https://eksctl.io[eksctl] installed on your device. If you need to use a different tool to create the role and annotate the Kubernetes service account, see <>. [source,bash,subs="verbatim,attributes"] ---- @@ -280,14 +280,14 @@ eksctl create iamserviceaccount --name datree-webhook-server-awsmp --namespace d Custom permissions aren't used with this add-on. [#add-on-datadog] -== [.noloc]`Datadog` +== Datadog [abstract] -- -Learn about the [.noloc]`Datadog` Amazon EKS add-on. +Learn about the Datadog Amazon EKS add-on. -- -The add-on name is `datadog_operator` and the namespace is `datadog-agent`. [.noloc]`Datadog` publishes the add-on. +The add-on name is `datadog_operator` and the namespace is `datadog-agent`. Datadog publishes the add-on. For information about the add-on, see https://docs.datadoghq.com/containers/guide/operator-eks-addon/?tab=console[Installing the Datadog Agent on Amazon EKS with the Datadog Operator Add-on] in the Datadog documentation. @@ -307,14 +307,14 @@ A managed policy isn't used with this add-on. Custom permissions aren't used with this add-on. [#add-on-groundcover] -== [.noloc]`Groundcover` +== Groundcover [abstract] -- -Learn about the [.noloc]`Groundcover` Amazon EKS add-on. +Learn about the Groundcover Amazon EKS add-on. -- -The add-on name is `groundcover_agent` and the namespace is `groundcover`. [.noloc]`groundcover` publishes the add-on. +The add-on name is `groundcover_agent` and the namespace is `groundcover`. groundcover publishes the add-on. For information about the add-on, see https://docs.groundcover.com/docs/~/changes/VhDDAl1gy1VIO3RIcgxD/configuration/customization-guide/customize-deployment/eks-add-on[Installing the groundcover Amazon EKS Add-on] in the groundcover documentation. @@ -334,14 +334,14 @@ A managed policy isn't used with this add-on. Custom permissions aren't used with this add-on. [#add-on-grafana] -== [.noloc]`Grafana Labs` +== Grafana Labs [abstract] -- -Learn about the [.noloc]`Grafana Labs` Amazon EKS add-on. +Learn about the Grafana Labs Amazon EKS add-on. -- -The add-on name is `grafana-labs_kubernetes-monitoring` and the namespace is `monitoring`. [.noloc]`Grafana Labs` publishes the add-on. +The add-on name is `grafana-labs_kubernetes-monitoring` and the namespace is `monitoring`. Grafana Labs publishes the add-on. For information about the add-on, see https://grafana.com/docs/grafana-cloud/monitor-infrastructure/kubernetes-monitoring/configuration/config-aws-eks/[Configure Kubernetes Monitoring as an Add-on with Amazon EKS] in the Grafana Labs documentation. @@ -361,9 +361,9 @@ A managed policy isn't used with this add-on. Custom permissions aren't used with this add-on. [#add-on-guance] -== [.noloc]`Guance` +== Guance -* *Publisher* – [.noloc]`GUANCE` +* *Publisher* – GUANCE * *Name* – `guance_datakit` * *Namespace* – `datakit` * *Service account name* – A service account isn't used with this add-on. @@ -373,14 +373,14 @@ Custom permissions aren't used with this add-on. [#add-on-ha-proxy] -== [.noloc]`HA Proxy` +== HA Proxy [abstract] -- -Learn about the [.noloc]`HA Proxy` Amazon EKS add-on. +Learn about the HA Proxy Amazon EKS add-on. -- -The name is `haproxy-technologies_kubernetes-ingress-ee` and the namespace is `haproxy-controller`. [.noloc]`HA Proxy` publishes the add-on. +The name is `haproxy-technologies_kubernetes-ingress-ee` and the namespace is `haproxy-controller`. HA Proxy publishes the add-on. For information about the add-on, see https://hub.datree.io/integrations/eks-integration[Amazon EKS-intergration] in the Datree documentation. @@ -397,7 +397,7 @@ The managed policy is AWSLicenseManagerConsumptionPolicy. For more information, [#add-on-ha-proxy-iam-command] === Command to create required IAM role -The following command requires that you have an IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you have one, or to create one, see <>. Replace [.replaceable]`my-cluster` with the name of your cluster and [.replaceable]`my-haproxy-role` with the name for your role. This command requires that you have https://eksctl.io[eksctl] installed on your device. If you need to use a different tool to create the role and annotate the [.noloc]`Kubernetes` service account, see <>. +The following command requires that you have an IAM OpenID Connect (OIDC) provider for your cluster. To determine whether you have one, or to create one, see <>. Replace [.replaceable]`my-cluster` with the name of your cluster and [.replaceable]`my-haproxy-role` with the name for your role. This command requires that you have https://eksctl.io[eksctl] installed on your device. If you need to use a different tool to create the role and annotate the Kubernetes service account, see <>. [source,bash,subs="verbatim,attributes"] ---- @@ -412,16 +412,16 @@ eksctl create iamserviceaccount --name service-account-name --namespace haproxy Custom permissions aren't used with this add-on. [#add-on-kpow] -== [.noloc]`Kpow` +== Kpow [abstract] -- -Learn about the [.noloc]`Kpow` Amazon EKS add-on. +Learn about the Kpow Amazon EKS add-on. -- -The add-on name is `factorhouse_kpow` and the namespace is `factorhouse`. [.noloc]`Factorhouse` publishes the add-on. +The add-on name is `factorhouse_kpow` and the namespace is `factorhouse`. Factorhouse publishes the add-on. -For information about the add-on, see https://docs.kpow.io/installation/aws-marketplace-lm/[{aws} Marketplace LM] in the [.noloc]`Kpow` documentation. +For information about the add-on, see https://docs.kpow.io/installation/aws-marketplace-lm/[{aws} Marketplace LM] in the Kpow documentation. [#add-on-kpow-service-account-name] === Service account name @@ -436,7 +436,7 @@ The managed policy is AWSLicenseManagerConsumptionPolicy. For more information, [#add-on-kpow-iam-command] === Command to create required IAM role -The following command requires that you have an IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you have one, or to create one, see <>. Replace [.replaceable]`my-cluster` with the name of your cluster and [.replaceable]`my-kpow-role` with the name for your role. This command requires that you have https://eksctl.io[eksctl] installed on your device. If you need to use a different tool to create the role and annotate the [.noloc]`Kubernetes` service account, see <>. +The following command requires that you have an IAM OpenID Connect (OIDC) provider for your cluster. To determine whether you have one, or to create one, see <>. Replace [.replaceable]`my-cluster` with the name of your cluster and [.replaceable]`my-kpow-role` with the name for your role. This command requires that you have https://eksctl.io[eksctl] installed on your device. If you need to use a different tool to create the role and annotate the Kubernetes service account, see <>. [source,bash,subs="verbatim,attributes"] ---- @@ -451,16 +451,16 @@ eksctl create iamserviceaccount --name kpow --namespace factorhouse --cluster my Custom permissions aren't used with this add-on. [#add-on-kubecost] -== [.noloc]`Kubecost` +== Kubecost [abstract] -- -Learn about the [.noloc]`Kubecost` Amazon EKS add-on. +Learn about the Kubecost Amazon EKS add-on. -- -The add-on name is `kubecost_kubecost` and the namespace is `kubecost`. [.noloc]`Kubecost` publishes the add-on. +The add-on name is `kubecost_kubecost` and the namespace is `kubecost`. Kubecost publishes the add-on. -For information about the add-on, see https://docs.kubecost.com/install-and-configure/install/cloud-integration/aws-cloud-integrations[{aws} Cloud Billing Integration] in the [.noloc]`Kubecost` documentation. +For information about the add-on, see https://docs.kubecost.com/install-and-configure/install/cloud-integration/aws-cloud-integrations[{aws} Cloud Billing Integration] in the Kubecost documentation. If your cluster is version `1.23` or later, you must have the <> installed on your cluster. otherwise you will receive an error. @@ -480,18 +480,18 @@ A managed policy isn't used with this add-on. Custom permissions aren't used with this add-on. [#add-on-kasten] -== [.noloc]`Kasten` +== Kasten [abstract] -- -Learn about the [.noloc]`Kasten` Amazon EKS add-on. +Learn about the Kasten Amazon EKS add-on. -- -The add-on name is `kasten_k10` and the namespace is `kasten-io`. [.noloc]`Kasten by Veeam` publishes the add-on. +The add-on name is `kasten_k10` and the namespace is `kasten-io`. Kasten by Veeam publishes the add-on. For information about the add-on, see https://docs.kasten.io/latest/install/aws-eks-addon/aws-eks-addon.html[Installing K10 on {aws} using Amazon EKS Add-on] in the Kasten documentation. -If your Amazon EKS cluster is version [.noloc]`Kubernetes` `1.23` or later, you must have the Amazon EBS CSI driver installed on your cluster with a default `StorageClass`. +If your Amazon EKS cluster is version Kubernetes `1.23` or later, you must have the Amazon EBS CSI driver installed on your cluster with a default `StorageClass`. [#add-on-kasten-service-account-name] === Service account name @@ -506,7 +506,7 @@ The managed policy is AWSLicenseManagerConsumptionPolicy. For more information, [#add-on-kasten-iam-command] === Command to create required IAM role -The following command requires that you have an IAM [.noloc]`OpenID Connect` ([.noloc]`OIDC`) provider for your cluster. To determine whether you have one, or to create one, see <>. Replace [.replaceable]`my-cluster` with the name of your cluster and [.replaceable]`my-kasten-role` with the name for your role. This command requires that you have https://eksctl.io[eksctl] installed on your device. If you need to use a different tool to create the role and annotate the [.noloc]`Kubernetes` service account, see <>. +The following command requires that you have an IAM OpenID Connect (OIDC) provider for your cluster. To determine whether you have one, or to create one, see <>. Replace [.replaceable]`my-cluster` with the name of your cluster and [.replaceable]`my-kasten-role` with the name for your role. This command requires that you have https://eksctl.io[eksctl] installed on your device. If you need to use a different tool to create the role and annotate the Kubernetes service account, see <>. [source,bash,subs="verbatim,attributes"] ---- @@ -521,14 +521,14 @@ eksctl create iamserviceaccount --name k10-k10 --namespace kasten-io --cluster m Custom permissions aren't used with this add-on. [#add-on-kong] -== [.noloc]`Kong` +== Kong [abstract] -- -Learn about the [.noloc]`Kong` Amazon EKS add-on. +Learn about the Kong Amazon EKS add-on. -- -The add-on name is `kong_konnect-ri` and the namespace is `kong`. [.noloc]`Kong` publishes the add-on. +The add-on name is `kong_konnect-ri` and the namespace is `kong`. Kong publishes the add-on. For information about the add-on, see https://kong.github.io/aws-marketplace-addon-kong-gateway/[Installing the Kong Gateway EKS Add-on] in the Kong documentation. @@ -550,14 +550,14 @@ A managed policy isn't used with this add-on. Custom permissions aren't used with this add-on. [#add-on-leaksignal] -== [.noloc]`LeakSignal` +== LeakSignal [abstract] -- -Learn about the [.noloc]`LeakSignal` Amazon EKS add-on. +Learn about the LeakSignal Amazon EKS add-on. -- -The add-on name is `leaksignal_leakagent` and the namespace is `leakagent`. [.noloc]`LeakSignal` publishes the add-on. +The add-on name is `leaksignal_leakagent` and the namespace is `leakagent`. LeakSignal publishes the add-on. For information about the add-on, see https://www.leaksignal.com/docs/LeakAgent/Deployment/{aws}%20EKS%20Addon/[Install the LeakAgent add-on] in the LeakSignal documentation @@ -579,14 +579,14 @@ A managed policy isn't used with this add-on. Custom permissions aren't used with this add-on. [#add-on-netapp] -== [.noloc]`NetApp` +== NetApp [abstract] -- -Learn about the [.noloc]`NetApp` Amazon EKS add-on. +Learn about the NetApp Amazon EKS add-on. -- -The add-on name is `netapp_trident-operator` and the namespace is `trident`. [.noloc]`NetApp` publishes the add-on. +The add-on name is `netapp_trident-operator` and the namespace is `trident`. NetApp publishes the add-on. For information about the add-on, see https://docs.netapp.com/us-en/trident/trident-use/trident-aws-addon.html[Configure the Trident EKS add-on] in the NetApp documentation. @@ -606,14 +606,14 @@ A managed policy isn't used with this add-on. Custom permissions aren't used with this add-on. [#add-on-new-relic] -== [.noloc]`New Relic` +== New Relic [abstract] -- -Learn about the [.noloc]`New Relic` Amazon EKS add-on. +Learn about the New Relic Amazon EKS add-on. -- -The add-on name is `new-relic_kubernetes-operator` and the namespace is `newrelic`. [.noloc]`New Relic` publishes the add-on. +The add-on name is `new-relic_kubernetes-operator` and the namespace is `newrelic`. New Relic publishes the add-on. For information about the add-on, see https://docs.newrelic.com/docs/infrastructure/amazon-integrations/connect/eks-add-on[Installing the New Relic Add-on for EKS] in the New Relic documentation. @@ -633,14 +633,14 @@ A managed policy isn't used with this add-on. Custom permissions aren't used with this add-on. [#add-on-rafay] -== [.noloc]`Rafay` +== Rafay [abstract] -- -Learn about the [.noloc]`Rafay` Amazon EKS add-on. +Learn about the Rafay Amazon EKS add-on. -- -The add-on name is `rafay-systems_rafay-operator` and the namespace is `rafay-system`. [.noloc]`Rafay` publishes the add-on. +The add-on name is `rafay-systems_rafay-operator` and the namespace is `rafay-system`. Rafay publishes the add-on. For information about the add-on, see https://docs.rafay.co/clusters/import/eksaddon/[Installing the Rafay Amazon EKS Add-on] in the Rafay documentation. @@ -660,9 +660,9 @@ A managed policy isn't used with this add-on. Custom permissions aren't used with this add-on. [#add-on-rad] -== [.noloc]`Rad Security` +== Rad Security -* *Publisher* – [.noloc]`RAD SECURITY` +* *Publisher* – RAD SECURITY * *Name* – `rad-security_rad-security` * *Namespace* – `ksoc` * *Service account name* – A service account isn't used with this add-on. @@ -672,9 +672,9 @@ Custom permissions aren't used with this add-on. [#add-on-solarwinds] -== [.noloc]`SolarWinds` +== SolarWinds -* *Publisher* – [.noloc]`SOLARWINDS` +* *Publisher* – SOLARWINDS * *Name* – `solarwinds_swo-k8s-collector-addon` * *Namespace* – `solarwinds` * *Service account name* – A service account isn't used with this add-on. @@ -684,14 +684,14 @@ Custom permissions aren't used with this add-on. [#add-on-solo] -== [.noloc]`Solo` +== Solo [abstract] -- -Learn about the [.noloc]`Solo` Amazon EKS add-on. +Learn about the Solo Amazon EKS add-on. -- -The add-on name is `solo-io_istio-distro` and the namespace is `istio-system`. [.noloc]`Solo` publishes the add-on. +The add-on name is `solo-io_istio-distro` and the namespace is `istio-system`. Solo publishes the add-on. For information about the add-on, see https://docs.solo.io/gloo-mesh-enterprise/main/setup/install/eks_addon/[Installing Istio] in the Solo.io documentation.. @@ -711,9 +711,9 @@ A managed policy isn't used with this add-on. Custom permissions aren't used with this add-on. [#add-on-snyk] -== [.noloc]`Snyk` +== Snyk -* *Publisher* – [.noloc]`SNYK` +* *Publisher* – SNYK * *Name* – `snyk_runtime-sensor` * *Namespace* – `snyk_runtime-sensor` * *Service account name* – A service account isn't used with this add-on. @@ -723,14 +723,14 @@ Custom permissions aren't used with this add-on. [#add-on-stormforge] -== [.noloc]`Stormforge` +== Stormforge [abstract] -- -Learn about the [.noloc]`Stormforge` Amazon EKS add-on. +Learn about the Stormforge Amazon EKS add-on. -- -The add-on name is `stormforge_optimize-Live` and the namespace is `stormforge-system`. [.noloc]`Stormforge` publishes the add-on. +The add-on name is `stormforge_optimize-Live` and the namespace is `stormforge-system`. Stormforge publishes the add-on. For information about the add-on, see https://docs.stormforge.io/optimize-live/getting-started/install-v2/[Installing the StormForge Agent] in the StormForge documentation. @@ -750,14 +750,14 @@ A managed policy isn't used with this add-on. Custom permissions aren't used with this add-on. [#add-on-splunk] -== [.noloc]`Splunk` +== Splunk [abstract] -- -Learn about the [.noloc]`Splunk` Amazon EKS add-on. +Learn about the Splunk Amazon EKS add-on. -- -The add-on name is `splunk_splunk-otel-collector-chart` and the namespace is `splunk-monitoring`. [.noloc]`Splunk` publishes the add-on. +The add-on name is `splunk_splunk-otel-collector-chart` and the namespace is `splunk-monitoring`. Splunk publishes the add-on. For information about the add-on, see https://docs.splunk.com/observability/en/gdi/opentelemetry/install-k8s-addon-eks.html[Install the Splunk add-on for Amazon EKS] in the Splunk documentation. @@ -777,16 +777,16 @@ A managed policy isn't used with this add-on. Custom permissions aren't used with this add-on. [#add-on-teleport] -== [.noloc]`Teleport` +== Teleport [abstract] -- -Learn about the [.noloc]`Teleport` Amazon EKS add-on. +Learn about the Teleport Amazon EKS add-on. -- -The add-on name is `teleport_teleport` and the namespace is `teleport`. [.noloc]`Teleport` publishes the add-on. +The add-on name is `teleport_teleport` and the namespace is `teleport`. Teleport publishes the add-on. -For information about the add-on, see https://goteleport.com/how-it-works/[How Teleport Works] in the [.noloc]`Teleport` documentation. +For information about the add-on, see https://goteleport.com/how-it-works/[How Teleport Works] in the Teleport documentation. [#add-on-teleport-service-account-name] === Service account name @@ -804,14 +804,14 @@ A managed policy isn't used with this add-on. Custom permissions aren't used with this add-on. [#add-on-tetrate] -== [.noloc]`Tetrate` +== Tetrate [abstract] -- -Learn about the [.noloc]`Tetrate` Amazon EKS add-on. +Learn about the Tetrate Amazon EKS add-on. -- -The add-on name is `tetrate-io_istio-distro` and the namespace is `istio-system`. [.noloc]`Tetrate Io` publishes the add-on. +The add-on name is `tetrate-io_istio-distro` and the namespace is `istio-system`. Tetrate Io publishes the add-on. For information about the add-on, see the https://tetratelabs.io/[Tetrate Istio Distro] website. @@ -831,14 +831,14 @@ A managed policy isn't used with this add-on. Custom permissions aren't used with this add-on. [#add-on-upbound] -== [.noloc]`Upbound Universal Crossplane` +== Upbound Universal Crossplane [abstract] -- -Learn about the [.noloc]`Upbound Universal Crossplane` Amazon EKS add-on. +Learn about the Upbound Universal Crossplane Amazon EKS add-on. -- -The add-on name is `upbound_universal-crossplane` and the namespace is `upbound-system`. [.noloc]`Upbound` publishes the add-on. +The add-on name is `upbound_universal-crossplane` and the namespace is `upbound-system`. Upbound publishes the add-on. For information about the add-on, see https://docs.upbound.io/uxp/[Upbound Universal Crossplane (UXP)] in the Upbound documentation. @@ -858,14 +858,14 @@ A managed policy isn't used with this add-on. Custom permissions aren't used with this add-on. [#add-on-upwind] -== [.noloc]`Upwind` +== Upwind [abstract] -- -Learn about the [.noloc]`Upwind` Amazon EKS add-on. +Learn about the Upwind Amazon EKS add-on. -- -The add-on name is `upwind` and the namespace is `upwind`. [.noloc]`Upwind` publishes the add-on. +The add-on name is `upwind` and the namespace is `upwind`. Upwind publishes the add-on. For information about the add-on, see https://docs.upwind.io/install-sensor/kubernetes/install?installation-method=amazon-eks-addon[Upwind documentation]. From 55162c4309ff4fec9ca1b9876544dd069a63e8f9 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Thu, 20 Feb 2025 01:06:15 +0000 Subject: [PATCH 171/940] Simplified contribution banner message. --- latest/ug/book.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/book.adoc b/latest/ug/book.adoc index 9bfc99f99..3eb2cc2bd 100644 --- a/latest/ug/book.adoc +++ b/latest/ug/book.adoc @@ -31,7 +31,7 @@ This is official Amazon Web Services ({aws}) documentation for Amazon Elastic Ku *Help improve this page* [.banner.info] -Want to contribute to this user guide? Choose the *Edit this page on GitHub* link that is located in the right pane of every page. Your contributions will help make our user guide better for everyone. +To contribute to this user guide, choose the *Edit this page on GitHub* link that is located in the right pane of every page. include::what-is/what-is-eks.adoc[leveloffset=+1] From c2d1f7524e87d5c5a26004206d9746ed1f168ae2 Mon Sep 17 00:00:00 2001 From: Michael Chu Date: Wed, 12 Feb 2025 01:27:55 +0000 Subject: [PATCH 172/940] Add notes for kubelet certificates expiration and best practice to update self-managed node groups cr: https://code.amazon.com/reviews/CR-177608177 --- .../ug/outposts/eks-outposts-self-managed-nodes.adoc | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc index c34a3fad7..e8200df03 100644 --- a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc +++ b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc @@ -20,11 +20,19 @@ This topic describes how you can launch Auto Scaling groups of Amazon Linux node You can create a self-managed Amazon Linux node group with `eksctl` or the {aws-management-console} (with an {aws} CloudFormation template). You can also use https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest[Terraform]. -You can create a local cluster with the following tools described in this page: +You can create a self-managed node group for local cluster with the following tools described in this page: * <> * <> +[IMPORTANT] +==== +* Self-managed node group includes Amazon EC2 instances in your account. These instances aren't automatically upgraded when you or Amazon EKS update the control plane version on your behalf. A self-managed node group doesn't have any indication in the console that it needs updating. You can view the `kubelet` version installed on a node by selecting the node in the *Nodes* list on the *Overview* tab of your cluster to determine which nodes need updating. You must manually update the nodes. For more information, see <>. +* The certificates used by kubelet on your self-managed nodes are issued with one year expiration. By default certificate rotation is *not* enabled (see: https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration), this means if you have a self-managed node running for more than one year, it will no longer be able to authenticate to the Kubernetes API. +* As a best practice we recommend customers to regularly update their self-managed node groups to receive CVEs and security patches from latest Amazon EKS optimized AMI. Updating AMI used in self-managed node groups also triggers re-creation of nodes and make sure they do not run into issue due to expired kubelet certificates. +* Alternatively you can also enable client certificate rotation (see: https://kubernetes.io/docs/tasks/tls/certificate-rotation/) when creating the self-managed node groups to make sure kubelet certificates are renewed as the current certificate approaches expiration. +==== + == `eksctl` [[eksctl_create_nodes_outpost]] *To launch self-managed Linux nodes using `eksctl`* @@ -98,7 +106,7 @@ The following steps show one operation to retrieve the applicable group. To use an Amazon EKS optimized accelerated AMI, replace [.replaceable]`amazon-linux-2` with `amazon-linux-2-gpu`. To use an Amazon EKS optimized Arm AMI, replace [.replaceable]`amazon-linux-2` with `amazon-linux-2-arm64`. + NOTE: The Amazon EKS node AMIs are based on Amazon Linux. You can track security or privacy events for Amazon Linux at the https://alas.aws.amazon.com/[Amazon Linux security center] by choosing the tab for your desired version. You can also subscribe to the applicable RSS feed. Security and privacy events include an overview of the issue, what packages are affected, and how to update your instances to correct the issue. -** *NodeImageId*: (Optional) If you're using your own custom AMI (instead of an Amazon EKS optimized AMI), enter a node AMI ID for your {aws} Region. If you specify a value here, it overrides any values in the *NodeImageIdSSMParam* field. +** *NodeImageId*: (Optional) If you're using your own custom AMI (instead of an Amazon EKS optimized AMI), enter a node AMI ID for your {aws} Region. If you specify a value here, it overrides any values in the *NodeImageIdSSMParam* field. ** *NodeVolumeSize*: Specify a root volume size for your nodes, in GiB. ** *NodeVolumeType*: Specify a root volume type for your nodes. ** *KeyName*: Enter the name of an Amazon EC2 SSH key pair that you can use to connect using SSH into your nodes with after they launch. If you don't already have an Amazon EC2 key pair, you can create one in the {aws-management-console}. For more information, see link:AWSEC2/latest/UserGuide/ec2-key-pairs.html[Amazon EC2 key pairs,type="documentation"] in the _Amazon EC2 User Guide_. From 184e20ed3cec53d1857f3a6dbc811b24319fa3b9 Mon Sep 17 00:00:00 2001 From: Kulwant Singh Date: Thu, 20 Feb 2025 17:31:25 -0800 Subject: [PATCH 173/940] Update docs with Feb PT AMIs --- latest/ug/nodes/eks-ami-versions-windows.adoc | 192 ++++++++++++++++++ 1 file changed, 192 insertions(+) diff --git a/latest/ug/nodes/eks-ami-versions-windows.adoc b/latest/ug/nodes/eks-ami-versions-windows.adoc index 7a69187d1..b6a1f03cf 100644 --- a/latest/ug/nodes/eks-ami-versions-windows.adoc +++ b/latest/ug/nodes/eks-ami-versions-windows.adoc @@ -52,6 +52,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.32-2025-02-18` +|`1.32.1` +|`1.7.20` +|`1.1.3` +| + |`1.32-2025-01-15` |`1.32.0` |`1.7.20` @@ -69,6 +75,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.31-2025-02-15` +|`1.31.5` +|`1.7.20` +|`1.1.3` +| + |`1.31-2025-01-15` |`1.31.4` |`1.7.20` @@ -122,6 +134,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.30-2025-02-15` +|`1.30.9` +|`1.7.14` +|`1.1.3` +| + |`1.30-2025-01-15` |`1.30.8` |`1.7.14` @@ -193,6 +211,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.29-2025-02-15` +|`1.29.13` +|`1.7.14` +|`1.1.3` +| + |`1.29-2025-01-15` |`1.29.12` |`1.7.14` @@ -294,6 +318,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.28-2025.02.15` +|`1.28.15` +|`1.7.14` +|`1.1.3` +| + |`1.28-2025.01.15` |`1.28.15` |`1.7.14` @@ -419,6 +449,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.27-2025-02-15` +|`1.27.16` +|`1.7.14` +|`1.1.3` +| + |`1.27-2025-01-15` |`1.27.16` |`1.7.14` @@ -586,6 +622,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.26-2025-02-15` +|`1.26.15` +|`1.7.14` +|`1.1.3` +| + |`1.26-2025-01-15` |`1.26.15` |`1.7.14` @@ -753,6 +795,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.25-2025.02.18` +|`1.25.16` +|`1.7.14` +|`1.1.3` +| + |`1.25-2025.01.15` |`1.25.16` |`1.7.14` @@ -1131,6 +1179,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.32-2025-02-18` +|`1.32.1` +|`1.7.20` +|`1.1.3` +| + |`1.32-2025-01-01` |`1.32.0` |`1.7.20` @@ -1150,6 +1204,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.31-2025-02-15` +|`1.31.5` +|`1.7.20` +|`1.1.3` +| + |`1.31-2025-01-15` |`1.31.4` |`1.7.20` @@ -1204,6 +1264,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.30-2025-02-15` +|`1.30.9` +|`1.7.14` +|`1.1.3` +| + |`1.30-2025-01-15` |`1.30.8` |`1.7.14` @@ -1276,6 +1342,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.29-2025-02-15` +|`1.29.13` +|`1.7.14` +|`1.1.3` +| + |`1.29-2025-01-15` |`1.29.12` |`1.7.14` @@ -1378,6 +1450,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.28-2025.02.15` +|`1.28.15` +|`1.7.14` +|`1.1.3` +| + |`1.28-2025-01-15` |`1.28.15` |`1.7.14` @@ -1504,6 +1582,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.27-2025-02-15` +|`1.27.16` +|`1.7.14` +|`1.1.3` +| + |`1.27-2025-01-15` |`1.27.16` |`1.7.14` @@ -1672,6 +1756,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.26-2025-02-15` +|`1.26.15` +|`1.7.14` +|`1.1.3` +| + |`1.26-2025-01-15` |`1.26.15` |`1.7.14` @@ -1840,6 +1930,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.25-2025.02.18` +|`1.25.16` +|`1.7.14` +|`1.1.3` +| + |`1.25-2025-01-15` |`1.25.16` |`1.7.14` @@ -2219,6 +2315,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.32-2025-02-18` +|`1.32.1` +|`1.7.20` +|`1.1.3` +| + |`1.32-2025-01-15` |`1.32.4` |`1.7.20` @@ -2238,6 +2340,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.31-2025-02-15` +|`1.31.5` +|`1.7.20` +|`1.1.3` +| + |`1.31-2025-01-15` |`1.31.4` |`1.7.20` @@ -2292,6 +2400,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.30-2025-02-15` +|`1.30.9` +|`1.7.14` +|`1.1.3` +| + |`1.30-2025-01-15` |`1.30.8` |`1.7.14` @@ -2364,6 +2478,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.29-2025-02-15` +|`1.29.13` +|`1.7.14` +|`1.1.3` +| + |`1.29-2025-01-15` |`1.29.12` |`1.7.14` @@ -2466,6 +2586,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.28-2025.02.15` +|`1.28.15` +|`1.7.14` +|`1.1.3` +| + |`1.28-2025-01-15` |`1.28.15` |`1.7.14` @@ -2592,6 +2718,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.27-2025-02-15` +|`1.27.16` +|`1.7.14` +|`1.1.3` +| + |`1.27-2025-01-15` |`1.27.16` |`1.7.14` @@ -2760,6 +2892,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.26-2025-02-15` +|`1.26.15` +|`1.7.14` +|`1.1.3` +| + |`1.26-2025-01-15` |`1.26.15` |`1.7.14` @@ -2928,6 +3066,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.25-2025.02.18` +|`1.25.16` +|`1.7.14` +|`1.1.3` +| + |`1.25-2025-01-15` |`1.25.16` |`1.7.14` @@ -3307,6 +3451,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.32-2025-02-18` +|`1.32.1` +|`1.7.20` +|`1.1.3` +| + |`1.32-2025-01-15` |`1.32.0` |`1.7.20` @@ -3326,6 +3476,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.31-2025-02-15` +|`1.31.5` +|`1.7.20` +|`1.1.3` +| + |`1.31-2025-01-15` |`1.31.4` |`1.7.20` @@ -3380,6 +3536,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.30-2025-02-15` +|`1.30.9` +|`1.7.14` +|`1.1.3` +| + |`1.30-2025-01-15` |`1.30.8` |`1.7.14` @@ -3452,6 +3614,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.29-2025-02-15` +|`1.29.13` +|`1.7.14` +|`1.1.3` +| + |`1.29-2025-01-15` |`1.29.12` |`1.7.14` @@ -3554,6 +3722,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.28-2025.02.15` +|`1.28.15` +|`1.7.14` +|`1.1.3` +| + |`1.28-2025-01-15` |`1.28.15` |`1.7.14` @@ -3680,6 +3854,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.27-2025-02-15` +|`1.27.16` +|`1.7.14` +|`1.1.3` +| + |`1.27-2025-01-15` |`1.27.16` |`1.7.14` @@ -3848,6 +4028,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.26-2025-02-15` +|`1.26.15` +|`1.7.14` +|`1.1.3` +| + |`1.26-2025-01-15` |`1.26.15` |`1.7.14` @@ -4016,6 +4202,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.25-2025.02.18` +|`1.25.16` +|`1.7.14` +|`1.1.3` +| + |`1.25-2025-01-15` |`1.25.16` |`1.7.14` From b6c10a85ce49e0c1eed9dab9da32d9768144014d Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Fri, 21 Feb 2025 10:12:56 -0800 Subject: [PATCH 174/940] Update community-addons.adoc --- latest/ug/workloads/community-addons.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/workloads/community-addons.adoc b/latest/ug/workloads/community-addons.adoc index d104097f9..ae16c6a93 100644 --- a/latest/ug/workloads/community-addons.adoc +++ b/latest/ug/workloads/community-addons.adoc @@ -106,7 +106,7 @@ Prometheus exporter for hardware and OS metrics exposed by *NIX kernels, written |=== |Property | Value -|Add-on name | `node_exporter` +|Add-on name | `prometheus-node-exporter` |Namespace | `prometheus-node-exporter` @@ -139,4 +139,4 @@ curl -O https://amazon-eks-docs.s3.amazonaws.com/attributions/kube-state-metrics ---- . Use the command to download the file. -Use this zip file to view information about the license attributions. \ No newline at end of file +Use this zip file to view information about the license attributions. From ca5a1d55078a9a25e54b96404a92c34276e2c6ea Mon Sep 17 00:00:00 2001 From: Nambinayagan <75838920+nambinayagan@users.noreply.github.com> Date: Sat, 22 Feb 2025 05:47:37 +0530 Subject: [PATCH 175/940] Update private-clusters.adoc (#887) Added more context to EKS Auth endpoint requirement. --- latest/ug/clusters/private-clusters.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/clusters/private-clusters.adoc b/latest/ug/clusters/private-clusters.adoc index ebb68f434..92cdc507b 100644 --- a/latest/ug/clusters/private-clusters.adoc +++ b/latest/ug/clusters/private-clusters.adoc @@ -91,7 +91,7 @@ We recommend that you link:vpc/latest/privatelink/interface-endpoints.html#enabl |{aws} Security Token Service (required when using IAM roles for service accounts) |com.amazonaws.[.replaceable]`region-code`.sts -|Amazon EKS Auth +|Amazon EKS Auth (required when using Pod Identity associations) |com.amazonaws.[.replaceable]`region-code`.eks-auth From 0fa18a89891b7993b639a316c5f1c54417c8f975 Mon Sep 17 00:00:00 2001 From: Aakash Sai Raj P B Date: Sat, 22 Feb 2025 10:45:11 +0530 Subject: [PATCH 176/940] Correct CLI commands for managing built-in nodepools Fixed documentation for AWS EKS built-in nodepools configuration as they missed mandatory configuration parameters such as "kubernetes-network-config", and "storage-config" --- .../ug/automode/set-builtin-node-pools.adoc | 21 +++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/latest/ug/automode/set-builtin-node-pools.adoc b/latest/ug/automode/set-builtin-node-pools.adoc index 9c7fa27ea..4bd519466 100644 --- a/latest/ug/automode/set-builtin-node-pools.adoc +++ b/latest/ug/automode/set-builtin-node-pools.adoc @@ -41,8 +41,16 @@ aws eks update-cluster-config \ --compute-config '{ "nodeRoleArn": "", "nodePools": ["general-purpose", "system"] + "enabled": true, + "nodeRoleArn":"", + "nodePools": ["general-purpose", "system"] + }' \ + --kubernetes-network-config '{ + "elasticLoadBalancing":{"enabled": true} + }' \ + --storage-config '{ + "blockStorage":{"enabled": true} }' - ---- You can modify the command to selectively enable the NodePools. @@ -56,4 +64,13 @@ Use the following command to disable both built-in NodePools: aws eks update-cluster-config \ --name \ --compute-config '{"nodePools": []}' ----- \ No newline at end of file + --compute-config '{ + "enabled": true, + "nodePools": [] + }' \ + --kubernetes-network-config '{ + "elasticLoadBalancing":{"enabled": true}}' \ + --storage-config '{ + "blockStorage":{"enabled": true} + }' +---- From b2d346c5b0bf594560f550f96ac9d9bbfee37e02 Mon Sep 17 00:00:00 2001 From: jebbens <63321748+jebbens@users.noreply.github.com> Date: Fri, 21 Feb 2025 22:22:54 -0700 Subject: [PATCH 177/940] Add reference to pod identities for service accounts (#890) --- latest/ug/manage-access/aws-access/service-accounts.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/manage-access/aws-access/service-accounts.adoc b/latest/ug/manage-access/aws-access/service-accounts.adoc index 268c21724..3467a188d 100644 --- a/latest/ug/manage-access/aws-access/service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/service-accounts.adoc @@ -9,7 +9,7 @@ include::iam-roles-for-service-accounts.adoc[leveloffset=+1] include::pod-identities.adoc[leveloffset=+1] -A Kubernetes service account provides an identity for processes that run in a Pod. For more information see https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin[Managing Service Accounts] in the Kubernetes documentation. If your Pod needs access to {aws} services, you can map the service account to an {aws} Identity and Access Management identity to grant that access. For more information, see <>. +A Kubernetes service account provides an identity for processes that run in a Pod. For more information see https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin[Managing Service Accounts] in the Kubernetes documentation. If your Pod needs access to {aws} services, you can map the service account to an {aws} Identity and Access Management identity to grant that access. For more information, see <> or <>. [#service-account-tokens] == Service account tokens @@ -120,4 +120,4 @@ At a high level, both EKS Pod Identity and IRSA enables you to grant IAM permiss |EKS versions supported |EKS Kubernetes versions `1.24` or later. For the specific platform versions, see <>. |All of the supported EKS cluster versions. -|=== \ No newline at end of file +|=== From 40e593dbdcf2ccf767a1bf5fe0fb5d496cc6aed2 Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Mon, 24 Feb 2025 17:31:16 -0800 Subject: [PATCH 178/940] Release vpc-cni 1.19.2-eksbuild.5 --- latest/ug/networking/managing-vpc-cni.adoc | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/latest/ug/networking/managing-vpc-cni.adoc b/latest/ug/networking/managing-vpc-cni.adoc index 38c1ec223..c53db5372 100644 --- a/latest/ug/networking/managing-vpc-cni.adoc +++ b/latest/ug/networking/managing-vpc-cni.adoc @@ -47,15 +47,15 @@ The following table lists the latest available version of the Amazon EKS add-on [options="header"] |=== | Kubernetes version | Amazon EKS type of VPC CNI version -| 1.32 | v1.19.2-eksbuild.1 -| 1.31 | v1.19.2-eksbuild.1 -| 1.30 | v1.19.2-eksbuild.1 -| 1.29 | v1.19.2-eksbuild.1 -| 1.28 | v1.19.2-eksbuild.1 -| 1.27 | v1.19.2-eksbuild.1 -| 1.26 | v1.19.2-eksbuild.1 -| 1.25 | v1.19.2-eksbuild.1 -| 1.24 | v1.19.2-eksbuild.1 +| 1.32 | v1.19.2-eksbuild.5 +| 1.31 | v1.19.2-eksbuild.5 +| 1.30 | v1.19.2-eksbuild.5 +| 1.29 | v1.19.2-eksbuild.5 +| 1.28 | v1.19.2-eksbuild.5 +| 1.27 | v1.19.2-eksbuild.5 +| 1.26 | v1.19.2-eksbuild.5 +| 1.25 | v1.19.2-eksbuild.5 +| 1.24 | v1.19.2-eksbuild.5 |=== [IMPORTANT] From 9a9b0fc7be105a4845ee829b6fad57c4472e1e81 Mon Sep 17 00:00:00 2001 From: Donovan Date: Tue, 25 Feb 2025 09:43:24 -0800 Subject: [PATCH 179/940] Combined permissions of Fargate logging into single step Merge permissions steps 3 & 4 together, move IAM policy download down into this step as a new tabbed section. The config file steps was too long and logically, the `kubectl apply` is the last sub-step, so the permissions were getting skipped by customers. --- latest/ug/nodes/fargate-logging.adoc | 46 ++++++++++++++++++---------- 1 file changed, 29 insertions(+), 17 deletions(-) diff --git a/latest/ug/nodes/fargate-logging.adoc b/latest/ug/nodes/fargate-logging.adoc index 09e512bda..a1f5400c6 100644 --- a/latest/ug/nodes/fargate-logging.adoc +++ b/latest/ug/nodes/fargate-logging.adoc @@ -166,12 +166,6 @@ data: ---- kubectl apply -f aws-logging-cloudwatch-configmap.yaml ---- -.. Download the CloudWatch IAM policy to your computer. You can also https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/cloudwatchlogs/permissions.json[view the policy] on GitHub. -+ -[source,bash,subs="verbatim,attributes"] ----- -curl -O https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/cloudwatchlogs/permissions.json ----- Amazon OpenSearch Service:: *To create a `ConfigMap` for Amazon OpenSearch Service* @@ -206,14 +200,6 @@ data: ---- kubectl apply -f aws-logging-opensearch-configmap.yaml ---- -.. Download the OpenSearch IAM policy to your computer. You can also https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/amazon-elasticsearch/permissions.json[view the policy] on GitHub. -+ -[source,bash,subs="verbatim,attributes"] ----- -curl -O https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/amazon-elasticsearch/permissions.json ----- -+ -Make sure that OpenSearch Dashboards' access control is configured properly. The `all_access role` in OpenSearch Dashboards needs to have the Fargate Pod execution role and the IAM role mapped. The same mapping must be done for the `security_manager` role. You can add the previous mappings by selecting `Menu`, then `Security`, then `Roles`, and then select the respective roles. For more information, see link:tr/premiumsupport/knowledge-center/es-troubleshoot-cloudwatch-logs/[How do I troubleshoot CloudWatch Logs so that it streams to my Amazon ES domain?,type="marketing"]. Firehose:: *To create a `ConfigMap` for Firehose* @@ -248,6 +234,30 @@ data: ---- kubectl apply -f aws-logging-firehose-configmap.yaml ---- +==== + +. Set up permissions for the Fargate Pod execution role to send logs to your destination. +==== +[role="tablist"] +CloudWatch:: +.. Download the CloudWatch IAM policy to your computer. You can also https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/cloudwatchlogs/permissions.json[view the policy] on GitHub. ++ +[source,bash,subs="verbatim,attributes"] +---- +curl -O https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/cloudwatchlogs/permissions.json +---- + +Amazon OpenSearch Service:: +.. Download the OpenSearch IAM policy to your computer. You can also https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/amazon-elasticsearch/permissions.json[view the policy] on GitHub. ++ +[source,bash,subs="verbatim,attributes"] +---- +curl -O https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/amazon-elasticsearch/permissions.json +---- ++ +Make sure that OpenSearch Dashboards' access control is configured properly. The `all_access role` in OpenSearch Dashboards needs to have the Fargate Pod execution role and the IAM role mapped. The same mapping must be done for the `security_manager` role. You can add the previous mappings by selecting `Menu`, then `Security`, then `Roles`, and then select the respective roles. For more information, see link:tr/premiumsupport/knowledge-center/es-troubleshoot-cloudwatch-logs/[How do I troubleshoot CloudWatch Logs so that it streams to my Amazon ES domain?,type="marketing"]. + +Firehose:: .. Download the Firehose IAM policy to your computer. You can also https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/kinesis-firehose/permissions.json[view the policy] on GitHub. + [source,bash,subs="verbatim,attributes"] @@ -255,13 +265,15 @@ kubectl apply -f aws-logging-firehose-configmap.yaml curl -O https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/kinesis-firehose/permissions.json ---- ==== -. Create an IAM policy from the policy file you downloaded in a previous step. + +.. Create an IAM policy from the policy file that you downloaded. + [source,bash,subs="verbatim,attributes"] ---- aws iam create-policy --policy-name eks-fargate-logging-policy --policy-document file://permissions.json ---- -. Attach the IAM policy to the pod execution role specified for your Fargate profile with the following command. Replace [.replaceable]`111122223333` with your account ID. Replace [.replaceable]`AmazonEKSFargatePodExecutionRole` with your Pod execution role (for more information, see <>). + +.. Attach the IAM policy to the pod execution role specified for your Fargate profile with the following command. Replace [.replaceable]`111122223333` with your account ID. Replace [.replaceable]`AmazonEKSFargatePodExecutionRole` with your Pod execution role (for more information, see <>). + [source,bash,subs="verbatim,attributes,quotes"] ---- @@ -415,4 +427,4 @@ Events: Warning LoggingDisabled fargate-scheduler Disabled logging because aws-logging configmap was not found. configmap "aws-logging" not found ---- -The Pod events are ephemeral with a time period depending on the settings. You can also view a Pod's annotations using `kubectl describe pod [.replaceable]``pod-name```. In the Pod annotation, there is information about whether the logging feature is enabled or disabled and the reason. \ No newline at end of file +The Pod events are ephemeral with a time period depending on the settings. You can also view a Pod's annotations using `kubectl describe pod [.replaceable]``pod-name```. In the Pod annotation, there is information about whether the logging feature is enabled or disabled and the reason. From d627675bc21f5c5bbd1fabb7d75fc5017a7645a7 Mon Sep 17 00:00:00 2001 From: dluthcke Date: Tue, 25 Feb 2025 13:39:57 -0500 Subject: [PATCH 180/940] Update efs-csi.adoc to include a warning about self-managed CSI Driver addons --- latest/ug/storage/efs-csi.adoc | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/latest/ug/storage/efs-csi.adoc b/latest/ug/storage/efs-csi.adoc index fbaf6c54d..857dea561 100644 --- a/latest/ug/storage/efs-csi.adoc +++ b/latest/ug/storage/efs-csi.adoc @@ -181,6 +181,13 @@ aws iam attach-role-policy \ We recommend that you install the Amazon EFS CSI driver through the Amazon EKS add-on. To add an Amazon EKS add-on to your cluster, see <>. For more information about add-ons, see <>. If you're unable to use the Amazon EKS add-on, we encourage you to submit an issue about why you can't to the https://github.com/aws/containers-roadmap/issues[Containers roadmap GitHub repository]. +[IMPORTANT] +==== + +Before adding the Amazon EFS driver as an Amazon EKS add-on, confirm that you don't have a self-managed version of the driver installed on your cluster. If so, see https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/README.md#uninstalling-the-amazon-efs-csi-driver[Uninstalling a self-managed Amazon EFS CSI driver] on GitHub. + +==== + Alternatively, if you want a self-managed installation of the Amazon EFS CSI driver, see https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/README.md#installation[Installation] on GitHub. [#efs-create-filesystem] @@ -191,4 +198,4 @@ To create an Amazon EFS file system, see https://github.com/kubernetes-sigs/aws- [#efs-sample-app] == Step 4: Deploy a sample application -You can deploy a variety of sample apps and modify them as needed. For more information, see https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/README.md#examples[Examples] on GitHub. \ No newline at end of file +You can deploy a variety of sample apps and modify them as needed. For more information, see https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/README.md#examples[Examples] on GitHub. From 00a00cbdcde52de619620b336d03b0aa87cd75b2 Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Tue, 25 Feb 2025 10:52:20 -0800 Subject: [PATCH 181/940] Combined fargate logging steps properly --- latest/ug/nodes/fargate-logging.adoc | 11 +++++++---- .../config/vocabularies/EksDocsVocab/accept.txt | 3 ++- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/latest/ug/nodes/fargate-logging.adoc b/latest/ug/nodes/fargate-logging.adoc index a1f5400c6..757804681 100644 --- a/latest/ug/nodes/fargate-logging.adoc +++ b/latest/ug/nodes/fargate-logging.adoc @@ -237,10 +237,13 @@ kubectl apply -f aws-logging-firehose-configmap.yaml ==== . Set up permissions for the Fargate Pod execution role to send logs to your destination. + +.. Download the IAM policy for your destination to your computer. ++ ==== [role="tablist"] CloudWatch:: -.. Download the CloudWatch IAM policy to your computer. You can also https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/cloudwatchlogs/permissions.json[view the policy] on GitHub. +Download the CloudWatch IAM policy to your computer. You can also https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/cloudwatchlogs/permissions.json[view the policy] on GitHub. + [source,bash,subs="verbatim,attributes"] ---- @@ -248,7 +251,7 @@ curl -O https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging- ---- Amazon OpenSearch Service:: -.. Download the OpenSearch IAM policy to your computer. You can also https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/amazon-elasticsearch/permissions.json[view the policy] on GitHub. +Download the OpenSearch IAM policy to your computer. You can also https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/amazon-elasticsearch/permissions.json[view the policy] on GitHub. + [source,bash,subs="verbatim,attributes"] ---- @@ -258,7 +261,7 @@ curl -O https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging- Make sure that OpenSearch Dashboards' access control is configured properly. The `all_access role` in OpenSearch Dashboards needs to have the Fargate Pod execution role and the IAM role mapped. The same mapping must be done for the `security_manager` role. You can add the previous mappings by selecting `Menu`, then `Security`, then `Roles`, and then select the respective roles. For more information, see link:tr/premiumsupport/knowledge-center/es-troubleshoot-cloudwatch-logs/[How do I troubleshoot CloudWatch Logs so that it streams to my Amazon ES domain?,type="marketing"]. Firehose:: -.. Download the Firehose IAM policy to your computer. You can also https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/kinesis-firehose/permissions.json[view the policy] on GitHub. +Download the Firehose IAM policy to your computer. You can also https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/kinesis-firehose/permissions.json[view the policy] on GitHub. + [source,bash,subs="verbatim,attributes"] ---- @@ -346,7 +349,7 @@ data: auto_create_group true ---- -The logs are in the {aws} Region that the cluster resides in under CloudWatch. The log group name is `[.replaceable]``my-cluster``-fluent-bit-logs` and the Fluent Bit logstream name is `fluent-bit-[.replaceable]``podname``-[.replaceable]``pod-namespace```. +The logs are in CloudWatch in the same {aws} Region as the cluster. The log group name is `[.replaceable]``my-cluster``-fluent-bit-logs` and the Fluent Bit logstream name is `fluent-bit-[.replaceable]``podname``-[.replaceable]``pod-namespace```. [NOTE] ==== diff --git a/vale/styles/config/vocabularies/EksDocsVocab/accept.txt b/vale/styles/config/vocabularies/EksDocsVocab/accept.txt index ab7ed47ad..151c00f31 100644 --- a/vale/styles/config/vocabularies/EksDocsVocab/accept.txt +++ b/vale/styles/config/vocabularies/EksDocsVocab/accept.txt @@ -13,4 +13,5 @@ VPC Reachability Analyzer reachability CNIs? repo -CIDRs? \ No newline at end of file +CIDRs? +Kinesis \ No newline at end of file From 4885b57c2f6a906557a17f57964ed69ea7c4dd5d Mon Sep 17 00:00:00 2001 From: pgasca <87044997+pgasca@users.noreply.github.com> Date: Tue, 25 Feb 2025 14:19:54 -0600 Subject: [PATCH 182/940] Consistency edits for Update fargate-logging.adoc Verified that we are no longer using bolded "To do ___" intros for each tabbed list entry throughout guide. --- latest/ug/nodes/fargate-logging.adoc | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/latest/ug/nodes/fargate-logging.adoc b/latest/ug/nodes/fargate-logging.adoc index 757804681..effeb7ceb 100644 --- a/latest/ug/nodes/fargate-logging.adoc +++ b/latest/ug/nodes/fargate-logging.adoc @@ -107,8 +107,6 @@ You can also use Amazon Kinesis Data Streams for your log destination. If you us ==== [role="tablist"] CloudWatch:: -*To create a `ConfigMap` for CloudWatch* - + You have two output options when using CloudWatch: + @@ -168,7 +166,6 @@ kubectl apply -f aws-logging-cloudwatch-configmap.yaml ---- Amazon OpenSearch Service:: -*To create a `ConfigMap` for Amazon OpenSearch Service* + If you want to send logs to Amazon OpenSearch Service, you can use https://docs.fluentbit.io/manual/v/1.5/pipeline/outputs/elasticsearch[es] output, which is a plugin written in C. The following example shows you how to use the plugin to send logs to OpenSearch. + @@ -202,7 +199,6 @@ kubectl apply -f aws-logging-opensearch-configmap.yaml ---- Firehose:: -*To create a `ConfigMap` for Firehose* + You have two output options when sending logs to Firehose: + @@ -364,7 +360,7 @@ The logs are in CloudWatch in the same {aws} Region as the cluster. The log grou Shipping Fluent Bit process logs to CloudWatch requires additional log ingestion and storage costs. To exclude process logs in an existing `ConfigMap` setup, do the following steps. -. Locate the CloudWatch log group automatically created for your Amazon EKS cluster's Fluent Bit process logs after enabling Fargate logging. It follows the format `{cluster_name}-fluent-bit-logs`. +. Locate the CloudWatch log group automatically created for your Amazon EKS cluster's Fluent Bit process logs after enabling Fargate logging. It follows the format `[.replaceable]``my-cluster``-fluent-bit-logs`. . Delete the existing CloudWatch log streams created for each Pod's process logs in the CloudWatch log group. . Edit the `ConfigMap` and set `flb_log_cw: "false"`. . Restart any existing Pods in the cluster. From c81f68d66054fa4d5b9a8b078b085b935fc146d6 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Tue, 25 Feb 2025 21:19:50 +0000 Subject: [PATCH 183/940] Put attributes reference above title that uses {aws}: 45619 --- latest/ug/manage-access/aws-access/pod-id-abac.adoc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/latest/ug/manage-access/aws-access/pod-id-abac.adoc b/latest/ug/manage-access/aws-access/pod-id-abac.adoc index 50b1e4969..6adec2510 100644 --- a/latest/ug/manage-access/aws-access/pod-id-abac.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-abac.adoc @@ -1,10 +1,9 @@ +include::../../attributes.txt[] [.topic] [#pod-id-abac] = Grant Pods access to {aws} resources based on tags :info_titleabbrev: Grant Pods access -include::../../attributes.txt[] - [abstract] -- Learn how to use Amazon EKS Pod Identity to attach tags for cluster, namespace, and service account to temporary credentials, enabling attribute-based access control (ABAC) for EKS Pods to {aws} resources based on matching tags. From 6ec6ee937697040f73442f984a0179d5f86546ac Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Tue, 25 Feb 2025 21:39:33 +0000 Subject: [PATCH 184/940] Added VPC CNI to list of components that are not required with Auto Mode: 45616 --- latest/ug/automode/auto-upgrade.adoc | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/latest/ug/automode/auto-upgrade.adoc b/latest/ug/automode/auto-upgrade.adoc index 45aea175a..6f17edaae 100644 --- a/latest/ug/automode/auto-upgrade.adoc +++ b/latest/ug/automode/auto-upgrade.adoc @@ -15,11 +15,12 @@ After you initiate a control plane upgrade, EKS Auto Mode begins replacing nodes Additionally, you no longer need to update components like: -* CoreDNS -* KubeProxy +* Amazon VPC CNI * {aws} Load Balancer Controller +* CoreDNS +* `kube-proxy` * Karpenter -* {aws} EBS CSI Driver +* {aws} EBS CSI driver EKS Auto Mode replaces these components with service functionality. From 2d3e5141b18f31763e7387f3e13a73442e511017 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Tue, 25 Feb 2025 22:09:29 +0000 Subject: [PATCH 185/940] Consistency edits --- latest/ug/workloads/community-addons.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/workloads/community-addons.adoc b/latest/ug/workloads/community-addons.adoc index ae16c6a93..77a9d47ed 100644 --- a/latest/ug/workloads/community-addons.adoc +++ b/latest/ug/workloads/community-addons.adoc @@ -76,7 +76,7 @@ The Kubernetes Metrics Server is a scalable and efficient source of container re |=== -=== [.noloc]`kube-state-metrics` +=== `kube-state-metrics` Add-on agent to generate and expose cluster-level metrics. @@ -99,7 +99,7 @@ The state of Kubernetes objects in the Kubernetes API can be exposed as metrics. |=== -=== [.noloc]`Prometheus Node exporter` +=== Prometheus Node Exporter Prometheus exporter for hardware and OS metrics exposed by *NIX kernels, written in Go with pluggable metric collectors. The Prometheus Node Exporter exposes a wide variety of hardware- and kernel-related metrics. From f148439fa907d8d3cad7de9d914786658859a3d9 Mon Sep 17 00:00:00 2001 From: Jackson West Date: Wed, 26 Feb 2025 08:28:48 -0600 Subject: [PATCH 186/940] adds ecr api endpoint to hybrid networking --- latest/ug/nodes/hybrid-nodes-networking.adoc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/latest/ug/nodes/hybrid-nodes-networking.adoc b/latest/ug/nodes/hybrid-nodes-networking.adoc index bd9f94c1a..8b23ff397 100644 --- a/latest/ug/nodes/hybrid-nodes-networking.adoc +++ b/latest/ug/nodes/hybrid-nodes-networking.adoc @@ -55,6 +55,11 @@ You must have access to the following domains during the installation process wh |HTTPS |443 +|link:general/latest/gr/ecr.html[ECR service endpoints,type="documentation"] +|\https://api.ecr.[.replaceable]`region`.amazonaws.com +|HTTPS +|443 + |EKS ECR endpoints |See <> for regional endpoints. |HTTPS From cba985629aa0b65a20935a50fc2ebb15c1cb4830 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Wed, 26 Feb 2025 16:20:36 +0000 Subject: [PATCH 187/940] Fix AL2 date discrepency: 45632 --- latest/ug/nodes/eks-optimized-ami.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/nodes/eks-optimized-ami.adoc b/latest/ug/nodes/eks-optimized-ami.adoc index 6e027cee2..e15053c2e 100644 --- a/latest/ug/nodes/eks-optimized-ami.adoc +++ b/latest/ug/nodes/eks-optimized-ami.adoc @@ -33,7 +33,7 @@ The Amazon EKS optimized Amazon Linux AMIs are built on top of Amazon Linux 2 (A * For Kubernetes version `1.23`, you can use an optional bootstrap flag to test migration from Docker to `containerd`. For more information, see <>. * Amazon EC2 `P2` instances aren't supported on Amazon EKS because they require `NVIDIA` driver version 470 or earlier. * Any newly created managed node groups in clusters on version `1.30` or newer will automatically default to using AL2023 as the node operating system. Previously, new node groups would default to AL2. You can continue to use AL2 by choosing it as the AMI type when creating a new node group. -* Support for AL2 will end on June 30th, 2025. For more information, see link:amazon-linux-2/faqs/[Amazon Linux 2 FAQs,type="marketing"]. +* Support for AL2 will end on June 30th, 2026. For more information, see link:amazon-linux-2/faqs/[Amazon Linux 2 FAQs,type="marketing"]. ==== From a9ce65836e627a083b24400abace26d10fa6a64d Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Wed, 26 Feb 2025 16:44:43 +0000 Subject: [PATCH 188/940] Set fincd as main reviewer of hybrid nodes. --- CODEOWNERS | 1 + 1 file changed, 1 insertion(+) diff --git a/CODEOWNERS b/CODEOWNERS index 62a690ef7..631dcc66f 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -15,6 +15,7 @@ /latest/ug/networking/ fincd@amazon.com /latest/ug/storage/ pgasca@amazon.com /latest/ug/nodes/ pgasca@amazon.com +/latest/ug/nodes/hybrid-nodes-* fincd@amazon.com /latest/ug/connector/ fincd@amazon.com /latest/ug/contribute/ gcline@amazon.com /latest/ug/getting-started/ mcngs@amazon.com From 549112d02eb75ea28e189788969b86be892cdb23 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Wed, 26 Feb 2025 23:24:43 +0000 Subject: [PATCH 189/940] Added detail that AL2 AMIs will no longer be released for v1.33 onwards: 45570 --- .../kubernetes-versions-standard.adoc | 20 +++++++++---------- latest/ug/nodes/eks-optimized-ami.adoc | 2 +- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/latest/ug/clusters/kubernetes-versions-standard.adoc b/latest/ug/clusters/kubernetes-versions-standard.adoc index 88f400723..995b599d1 100644 --- a/latest/ug/clusters/kubernetes-versions-standard.adoc +++ b/latest/ug/clusters/kubernetes-versions-standard.adoc @@ -25,15 +25,15 @@ Kubernetes `1.32` is now available in Amazon EKS. For more information about Kub [IMPORTANT] ==== -* The `flowcontrol.apiserver.k8s.io/v1beta3` API version of FlowSchema and PriorityLevelConfiguration has been removed in `v1.32`. If you are using these APIs, you must update your configurations to use the latest supported version before upgrading. +* The `flowcontrol.apiserver.k8s.io/v1beta3` API version of FlowSchema and PriorityLevelConfiguration has been removed in version `1.32`. If you are using these APIs, you must update your configurations to use the latest supported version before upgrading. -* ServiceAccount `metadata.annotations[kubernetes.io/enforce-mountable-secrets]` has been deprecated in `v1.32` and will be removed in a future Kubernetes minor version release. It is recommended to use separate namespaces to isolate access to mounted secrets. +* ServiceAccount `metadata.annotations[kubernetes.io/enforce-mountable-secrets]` has been deprecated in version `1.32` and will be removed in a future Kubernetes minor version release. It is recommended to use separate namespaces to isolate access to mounted secrets. -* Kubernetes version 1.32 is the last version for which Amazon EKS will release Amazon Linux 2 (AL2) AMIs. From v1.33 onwards, Amazon EKS will continue to release Amazon Linux 2023 (AL2023) and Bottlerocket based AMIs. +* Kubernetes version `1.32` is the last version for which Amazon EKS will release Amazon Linux 2 (AL2) AMIs. From version `1.33` onwards, Amazon EKS will continue to release Amazon Linux 2023 (AL2023) and Bottlerocket based AMIs. ==== -* The Memory Manager feature has graduated to Generally Available (GA) status in Kubernetes `v1.32`. This enhancement provides more efficient and predictable memory allocation for containerized applications, particularly beneficial for workloads with specific memory requirements. +* The Memory Manager feature has graduated to Generally Available (GA) status in Kubernetes version `1.32`. This enhancement provides more efficient and predictable memory allocation for containerized applications, particularly beneficial for workloads with specific memory requirements. * PersistentVolumeClaims (PVCs) created by StatefulSets now include automatic cleanup functionality. When PVCs are no longer needed, they will be automatically deleted while maintaining data persistence during StatefulSet updates and node maintenance operations. This feature simplifies storage management and helps prevent orphaned PVCs in your cluster. @@ -78,14 +78,14 @@ Kubernetes `1.31` is now available in Amazon EKS. For more information about Kub ==== -* The kubelet flag `--keep-terminated-pod-volumes` deprecated since 2017 has been removed as part of the `v1.31` release. This change impacts how terminated pod volumes are handled by the kubelet. If you are using this flag in your node configurations, you must update your bootstrap scripts and launch templates to remove it before upgrading. +* The kubelet flag `--keep-terminated-pod-volumes` deprecated since 2017 has been removed as part of the version `1.31` release. This change impacts how terminated pod volumes are handled by the kubelet. If you are using this flag in your node configurations, you must update your bootstrap scripts and launch templates to remove it before upgrading. ==== -* The beta `VolumeAttributesClass` feature gate and API resource is enabled in Amazon EKS `v1.31`. This feature allows cluster operators to modify mutable properties of Persistent Volumes (PVs) managed by compatible CSI Drivers, including the Amazon EBS CSI Driver. To leverage this feature, ensure that your CSI Driver supports the `VolumeAttributesClass` feature (for the Amazon EBS CSI Driver, upgrade to version `v1.35.0` or later to automatically enable the feature). You will be able to create `VolumeAttributesClass` objects to define the desired volume attributes, such as volume type and throughput, and associate them with your Persistent Volume Claims (PVCs). See the https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/[official Kubernetes documentation] as well as the documentation of your CSI driver for more information. +* The beta `VolumeAttributesClass` feature gate and API resource is enabled in Amazon EKS version `1.31`. This feature allows cluster operators to modify mutable properties of Persistent Volumes (PVs) managed by compatible CSI Drivers, including the Amazon EBS CSI Driver. To leverage this feature, ensure that your CSI Driver supports the `VolumeAttributesClass` feature (for the Amazon EBS CSI Driver, upgrade to version `1.35.0` or later to automatically enable the feature). You will be able to create `VolumeAttributesClass` objects to define the desired volume attributes, such as volume type and throughput, and associate them with your Persistent Volume Claims (PVCs). See the https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/[official Kubernetes documentation] as well as the documentation of your CSI driver for more information. ** For more information about the Amazon EBS CSI Driver, see <>. -* Kubernetes support for https://apparmor.net/[AppArmor] has graduated to stable and is now generally available for public use. This feature allows you to protect your containers with AppArmor by setting the `appArmorProfile.type` field in the container's `securityContext`. Prior to Kubernetes `v1.30`, AppArmor was controlled by annotations. Starting with `v1.30`, it is controlled using fields. To leverage this feature, we recommend migrating away from annotations and using the `appArmorProfile.type` field to ensure that your workloads are compatible. -* The PersistentVolume last phase transition time feature has graduated to stable and is now generally available for public use in Kubernetes `v1.31`. This feature introduces a new field, `.status.lastTransitionTime`, in the PersistentVolumeStatus, which provides a timestamp of when a PersistentVolume last transitioned to a different phase. This enhancement allows for better tracking and management of PersistentVolumes, particularly in scenarios where understanding the lifecycle of volumes is important. +* Kubernetes support for https://apparmor.net/[AppArmor] has graduated to stable and is now generally available for public use. This feature allows you to protect your containers with AppArmor by setting the `appArmorProfile.type` field in the container's `securityContext`. Prior to Kubernetes version `1.30`, AppArmor was controlled by annotations. Starting with version `1.30`, it is controlled using fields. To leverage this feature, we recommend migrating away from annotations and using the `appArmorProfile.type` field to ensure that your workloads are compatible. +* The PersistentVolume last phase transition time feature has graduated to stable and is now generally available for public use in Kubernetes version `1.31`. This feature introduces a new field, `.status.lastTransitionTime`, in the PersistentVolumeStatus, which provides a timestamp of when a PersistentVolume last transitioned to a different phase. This enhancement allows for better tracking and management of PersistentVolumes, particularly in scenarios where understanding the lifecycle of volumes is important. For the complete Kubernetes `1.31` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.31.md @@ -106,7 +106,7 @@ Kubernetes `1.30` is now available in Amazon EKS. For more information about Kub ==== * With Amazon EKS `1.30`, the `topology.k8s.aws/zone-id` label is added to worker nodes. You can use Availability Zone IDs (AZ IDs) to determine the location of resources in one account relative to the resources in another account. For more information, see link:ram/latest/userguide/working-with-az-ids.html[Availability Zone IDs for your {aws} resources,type="documentation"] in the _{aws} RAM User Guide_. -* Starting with `1.30`, Amazon EKS no longer includes the `default` annotation on the `gp2 StorageClass` resource applied to newly created clusters. This has no impact if you are referencing this storage class by name. You must take action if you were relying on having a default `StorageClass` in the cluster. You should reference the `StorageClass` by the name `gp2`. Alternatively, you can deploy the Amazon EBS recommended default storage class by setting the `defaultStorageClass.enabled` parameter to true when installing `v1.31.0` or later of the `aws-ebs-csi-driver add-on`. +* Starting with `1.30`, Amazon EKS no longer includes the `default` annotation on the `gp2 StorageClass` resource applied to newly created clusters. This has no impact if you are referencing this storage class by name. You must take action if you were relying on having a default `StorageClass` in the cluster. You should reference the `StorageClass` by the name `gp2`. Alternatively, you can deploy the Amazon EBS recommended default storage class by setting the `defaultStorageClass.enabled` parameter to true when installing version `1.31.0` or later of the `aws-ebs-csi-driver add-on`. * The minimum required IAM policy for the Amazon EKS cluster IAM role has changed. The action `ec2:DescribeAvailabilityZones` is required. For more information, see <>. For the complete Kubernetes `1.30` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md. @@ -120,7 +120,7 @@ Kubernetes `1.29` is now available in Amazon EKS. For more information about Kub ==== -* The deprecated `flowcontrol.apiserver.k8s.io/v1beta2` API version of `FlowSchema` and `PriorityLevelConfiguration` are no longer served in Kubernetes `v1.29`. If you have manifests or client software that uses the deprecated beta API group, you should change these before you upgrade to `v1.29`. +* The deprecated `flowcontrol.apiserver.k8s.io/v1beta2` API version of `FlowSchema` and `PriorityLevelConfiguration` are no longer served in Kubernetes version `1.29`. If you have manifests or client software that uses the deprecated beta API group, you should change these before you upgrade to version `1.29`. ==== diff --git a/latest/ug/nodes/eks-optimized-ami.adoc b/latest/ug/nodes/eks-optimized-ami.adoc index e15053c2e..d242af60e 100644 --- a/latest/ug/nodes/eks-optimized-ami.adoc +++ b/latest/ug/nodes/eks-optimized-ami.adoc @@ -33,7 +33,7 @@ The Amazon EKS optimized Amazon Linux AMIs are built on top of Amazon Linux 2 (A * For Kubernetes version `1.23`, you can use an optional bootstrap flag to test migration from Docker to `containerd`. For more information, see <>. * Amazon EC2 `P2` instances aren't supported on Amazon EKS because they require `NVIDIA` driver version 470 or earlier. * Any newly created managed node groups in clusters on version `1.30` or newer will automatically default to using AL2023 as the node operating system. Previously, new node groups would default to AL2. You can continue to use AL2 by choosing it as the AMI type when creating a new node group. -* Support for AL2 will end on June 30th, 2026. For more information, see link:amazon-linux-2/faqs/[Amazon Linux 2 FAQs,type="marketing"]. +* Support for AL2 will end on June 30th, 2026. For more information, see link:amazon-linux-2/faqs/[Amazon Linux 2 FAQs,type="marketing"]. Additionally, Kubernetes version `1.32` is the last version for which Amazon EKS will release AL2 AMIs. From version `1.33` onwards, Amazon EKS will continue to release AL2023 and Bottlerocket based AMIs. ==== From a36177ec83e3d42b494d2407ed0c26887c4497b4 Mon Sep 17 00:00:00 2001 From: Ramneek Kalra Date: Thu, 27 Feb 2025 13:43:36 +0530 Subject: [PATCH 190/940] Update enable-iam-roles-for-service-accounts.adoc Enabled "Copy" Icon for OIDC_ID Variable which wasn't available before. --- .../aws-access/enable-iam-roles-for-service-accounts.adoc | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc b/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc index ed41762b8..0d7fb164f 100644 --- a/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc @@ -29,20 +29,24 @@ You can create an IAM OIDC provider for your cluster using `eksctl` or the {aws- + Retrieve your cluster's OIDC issuer ID and store it in a variable. Replace [.replaceable]`my-cluster` with your own value. + + [source,bash,subs="verbatim,attributes"] ---- cluster_name=my-cluster ---- + [source,bash,subs="verbatim,attributes"] ---- oidc_id=$(aws eks describe-cluster --name $cluster_name --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5) ---- + [source,bash,subs="verbatim,attributes"] ---- echo $oidc_id ---- . Determine whether an IAM OIDC provider with your cluster's issuer ID is already in your account. + + [source,bash,subs="verbatim,attributes"] ---- aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4 @@ -51,6 +55,7 @@ aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4 If output is returned, then you already have an IAM OIDC provider for your cluster and you can skip the next step. If no output is returned, then you must create an IAM OIDC provider for your cluster. . Create an IAM OIDC identity provider for your cluster with the following command. + + [source,bash,subs="verbatim,attributes"] ---- eksctl utils associate-iam-oidc-provider --cluster $cluster_name --approve @@ -58,7 +63,6 @@ eksctl utils associate-iam-oidc-provider --cluster $cluster_name --approve + NOTE: If you enabled the EKS VPC endpoint, the EKS OIDC service endpoint couldn't be accessed from inside that VPC. Consequently, your operations such as creating an OIDC provider with `eksctl` in the VPC will not work and will result in a timeout when attempting to request `https://oidc.eks.[.replaceable]``region``.amazonaws.com`. An example error message follows: -[source,bash,subs="verbatim,attributes"] ---- ** server cant find oidc.eks.region.amazonaws.com: NXDOMAIN ---- @@ -82,4 +86,4 @@ To complete this step, you can run the command outside the VPC, for example in { Next step: -<> \ No newline at end of file +<> From b7535da9cdb9c1c7597d673f216ed394b26d6419 Mon Sep 17 00:00:00 2001 From: pgasca <87044997+pgasca@users.noreply.github.com> Date: Thu, 27 Feb 2025 12:31:26 -0600 Subject: [PATCH 191/940] Further formatting fixes. --- ...enable-iam-roles-for-service-accounts.adoc | 25 +++++-------------- 1 file changed, 6 insertions(+), 19 deletions(-) diff --git a/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc b/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc index 0d7fb164f..9abc74dfa 100644 --- a/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc @@ -12,8 +12,6 @@ Learn how to create an {aws} Identity and Access Management OpenID Connect provi Your cluster has an https://openid.net/connect/[OpenID Connect] (OIDC) issuer URL associated with it. To use {aws} Identity and Access Management (IAM) roles for service accounts, an IAM OIDC provider must exist for your cluster's OIDC issuer URL. - - * An existing Amazon EKS cluster. To deploy one, see <>. * Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or Homebrew for macOS are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. * The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the Kubernetes version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. @@ -27,26 +25,16 @@ You can create an IAM OIDC provider for your cluster using `eksctl` or the {aws- + . Determine the OIDC issuer ID for your cluster. + -Retrieve your cluster's OIDC issuer ID and store it in a variable. Replace [.replaceable]`my-cluster` with your own value. +Retrieve your cluster's OIDC issuer ID and store it in a variable. Replace `` with your own value. + - -[source,bash,subs="verbatim,attributes"] ----- -cluster_name=my-cluster ----- - [source,bash,subs="verbatim,attributes"] ---- +cluster_name= oidc_id=$(aws eks describe-cluster --name $cluster_name --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5) ----- - -[source,bash,subs="verbatim,attributes"] ----- echo $oidc_id ---- . Determine whether an IAM OIDC provider with your cluster's issuer ID is already in your account. + - [source,bash,subs="verbatim,attributes"] ---- aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4 @@ -55,18 +43,17 @@ aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4 If output is returned, then you already have an IAM OIDC provider for your cluster and you can skip the next step. If no output is returned, then you must create an IAM OIDC provider for your cluster. . Create an IAM OIDC identity provider for your cluster with the following command. + - [source,bash,subs="verbatim,attributes"] ---- eksctl utils associate-iam-oidc-provider --cluster $cluster_name --approve ---- + -NOTE: If you enabled the EKS VPC endpoint, the EKS OIDC service endpoint couldn't be accessed from inside that VPC. Consequently, your operations such as creating an OIDC provider with `eksctl` in the VPC will not work and will result in a timeout when attempting to request `https://oidc.eks.[.replaceable]``region``.amazonaws.com`. An example error message follows: - +NOTE: If you enabled the EKS VPC endpoint, the EKS OIDC service endpoint couldn't be accessed from inside that VPC. Consequently, your operations such as creating an OIDC provider with `eksctl` in the VPC will not work and will result in a timeout. An example error message follows: ++ ---- -** server cant find oidc.eks.region.amazonaws.com: NXDOMAIN +** server cant find oidc.eks..amazonaws.com: NXDOMAIN ---- - ++ To complete this step, you can run the command outside the VPC, for example in {aws} CloudShell or on a computer connected to the internet. Alternatively, you can create a split-horizon conditional resolver in the VPC, such as Route 53 Resolver to use a different resolver for the OIDC Issuer URL and not use the VPC DNS for it. For an example of conditional forwarding in CoreDNS, see the https://github.com/aws/containers-roadmap/issues/2038[Amazon EKS feature request] on GitHub. From 7836d631bbe285bde37b47a7eea89d9ca8cbc762 Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Thu, 27 Feb 2025 10:37:35 -0800 Subject: [PATCH 192/940] Add note about Pod ID async --- latest/ug/manage-access/aws-access/pod-id-association.adoc | 2 ++ latest/ug/manage-access/aws-access/pod-identities.adoc | 1 + 2 files changed, 3 insertions(+) diff --git a/latest/ug/manage-access/aws-access/pod-id-association.adoc b/latest/ug/manage-access/aws-access/pod-id-association.adoc index 500c2eb6b..5e6efc556 100644 --- a/latest/ug/manage-access/aws-access/pod-id-association.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-association.adoc @@ -14,6 +14,8 @@ This topic covers how to configure a Kubernetes service account to assume an {aw To create an EKS Pod Identity association, there is only a single step; you create the association in EKS through the {aws-management-console}, {aws} CLI, {aws} SDKs, {aws} CloudFormation and other tools. There isn't any data or metadata about the associations inside the cluster in any Kubernetes objects and you don't add any annotations to the service accounts. +*Prerequisites* + * An existing cluster. If you don't have one, you can create one by following one of the guides in <>. * The IAM principal that is creating the association must have `iam:PassRole`. * The latest version of the {aws} CLI installed and configured on your device or {aws} CloudShell. You can check your current version with `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or Homebrew for macOS are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the {aws} Command Line Interface User Guide. The {aws} CLI version installed in the {aws} CloudShell may also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the {aws} CloudShell User Guide. diff --git a/latest/ug/manage-access/aws-access/pod-identities.adoc b/latest/ug/manage-access/aws-access/pod-identities.adoc index 3dc2f3e97..229ea5f0e 100644 --- a/latest/ug/manage-access/aws-access/pod-identities.adoc +++ b/latest/ug/manage-access/aws-access/pod-identities.adoc @@ -87,6 +87,7 @@ Turn on EKS Pod Identities by completing the following procedures: * You can associate one IAM role to each Kubernetes service account in each cluster. You can change which role is mapped to the service account by editing the EKS Pod Identity association. * You can only associate roles that are in the same {aws} account as the cluster. You can delegate access from another account to the role in this account that you configure for EKS Pod Identities to use. For a tutorial about delegating access and `AssumeRole`, see link:IAM/latest/UserGuide/tutorial_cross-account-with-roles.html[Delegate access across {aws} accounts using IAM roles,type="documentation"] in the _IAM User Guide_. * The EKS Pod Identity Agent is required. It runs as a Kubernetes `DaemonSet` on your nodes and only provides credentials to pods on the node that it runs on. For more information about EKS Pod Identity Agent compatibility, see the following section <>. +* Similar to {aws} IAM behavior, EKS Pod Identity associations are _eventually consistent_, and may take several seconds to be effective after the initial API call returns successfully. You must design your applications to account for these potential delays. We recommend that you don't include Pod Identity association create/updates in the critical, high-availability code paths of your application. Instead, make changes in a separate initialization or setup routine that you run less frequently. * If you are using Security Group for Pods along with Pod Identity Agent, you may need to set the `POD_SECURITY_GROUP_ENFORCING_MODE` Flag for the {aws} VPC CNI. For more information on security group for pods considerations, see <>. * The EKS Pod Identity Agent uses the `hostNetwork` of the node and it uses port `80` and port `2703` on a link-local address on the node. This address is `169.254.170.23` for IPv4 and `[fd00:ec2::23]` for IPv6 clusters. + From 9a53a46ce57e3b992c9494f9cc82719c158d1017 Mon Sep 17 00:00:00 2001 From: erchpm <92137626+erchpm@users.noreply.github.com> Date: Thu, 27 Feb 2025 15:21:30 -0600 Subject: [PATCH 193/940] Updates to hybrid nodes add-on docs (#893) * Update hybrid-nodes-add-ons.adoc for metrics-server Add Community add-ons table and metrics-server. Clarify routability requirements for add-ons that run webhooks. * Quick review of hybrid add-ons * Add routability example Add reference to BGP for implementing pod IP routability for add-ons that require routable pod IPs. * Update hybrid-nodes-add-ons.adoc Include CloudWatch webhook callout. --------- Co-authored-by: Donovan Finch --- latest/ug/nodes/hybrid-nodes-add-ons.adoc | 56 ++++++++++++++++------- 1 file changed, 39 insertions(+), 17 deletions(-) diff --git a/latest/ug/nodes/hybrid-nodes-add-ons.adoc b/latest/ug/nodes/hybrid-nodes-add-ons.adoc index 922077a5f..6a03e1f58 100644 --- a/latest/ug/nodes/hybrid-nodes-add-ons.adoc +++ b/latest/ug/nodes/hybrid-nodes-add-ons.adoc @@ -11,13 +11,13 @@ include::../attributes.txt[] Configure common add-ons for hybrid nodes -- -This page describes considerations for running Amazon EKS add-ons from {aws} on Amazon EKS Hybrid Nodes. To learn more about the Amazon EKS add-ons from {aws} and the processes for creating, upgrading, and removing add-ons from your cluster, see <>. The processes for creating, upgrading, and removing Amazon EKS add-ons is the same for Amazon EKS clusters with hybrid nodes as it is for Amazon EKS clusters with nodes running in {aws} Cloud unless otherwise noted on this page. +This page describes considerations for running {aws} add-ons and Community add-ons on Amazon EKS Hybrid Nodes. To learn more about Amazon EKS add-ons and the processes for creating, upgrading, and removing add-ons from your cluster, see <>. Unless otherwise noted on this page, the processes for creating, upgrading, and removing Amazon EKS add-ons is the same for Amazon EKS clusters with hybrid nodes as it is for Amazon EKS clusters with nodes running in {aws} Cloud. Only the add-ons included on this page have been validated for compatibility with Amazon EKS Hybrid Nodes. -The following Amazon EKS add-ons from {aws} are compatible with Amazon EKS Hybrid Nodes. +The following {aws} Add-ons are compatible with Amazon EKS Hybrid Nodes. [cols="1,1", options="header"] |=== -|EKS add-on +|{aws} add-on |Compatible add-on versions |kube-proxy @@ -39,19 +39,34 @@ The following Amazon EKS add-ons from {aws} are compatible with Amazon EKS Hybri |v8.1.0-eksbuild.1 and above |=== -In addition to the Amazon EKS add-ons in the table above, the <>, and the <> for <> (HTTP) and <> (TCP/UDP) are compatible with hybrid nodes. +The following Community add-ons are compatible with Amazon EKS Hybrid Nodes. To learn more about support for Community add-ons, see <>. -Amazon EKS add-ons from {aws} that are not compatible with Amazon EKS Hybrid Nodes have been updated with an affinity rule for the default eks.amazonaws.com/compute-type: hybrid label applied to hybrid nodes. This prevents them from running on hybrid nodes when deployed in your clusters. If you have clusters with both hybrid nodes and nodes running in {aws} Cloud, Amazon EKS add-ons that are not compatible with hybrid nodes can still be deployed in your cluster to nodes running in {aws} Cloud. The Amazon VPC CNI is not compatible with hybrid nodes, and Cilium and Calico are supported as the Container Networking Interfaces (CNIs) for Amazon EKS Hybrid Nodes. See <> for more information. +[cols="1,1", options="header"] +|=== +|Community add-on +|Compatible add-on versions + +|Kubernetes Metrics Server +|v0.7.2-eksbuild.1 and above +|=== -The rest of this page describes differences between running compatible Amazon EKS add-ons from {aws} on hybrid nodes, compared to the other Amazon EKS compute types. +In addition to the Amazon EKS add-ons in the tables above, the <>, and the <> for <> (HTTP) and <> (TCP/UDP) are compatible with hybrid nodes. + +There are {aws} add-ons and Community add-ons that aren't compatible with Amazon EKS Hybrid Nodes. The latest versions of these add-ons have an anti-affinity rule for the default `eks.amazonaws.com/compute-type: hybrid` label applied to hybrid nodes. This prevents them from running on hybrid nodes when deployed in your clusters. If you have clusters with both hybrid nodes and nodes running in {aws} Cloud, you can deploy these add-ons in your cluster to nodes running in {aws} Cloud. The Amazon VPC CNI is not compatible with hybrid nodes, and Cilium and Calico are supported as the Container Networking Interfaces (CNIs) for Amazon EKS Hybrid Nodes. See <> for more information. + +The rest of this page describes differences between running compatible Amazon EKS add-ons on hybrid nodes, compared to the other Amazon EKS compute types. + +[#hybrid-nodes-add-ons-aws-add-ons] +== {aws} Add-ons [#hybrid-nodes-add-ons-core] -== kube-proxy and CoreDNS +=== kube-proxy and CoreDNS -Kube-proxy and CoreDNS are installed as unmanaged add-ons by default when an EKS cluster is created. These add-ons can be managed as Amazon EKS add-ons after cluster creation. Reference the EKS documentation for details on <> and <>. If you are running a cluster with hybrid nodes and nodes in {aws} Cloud, it is recommended to have at least one CoreDNS replica on hybrid nodes and at least one CoreDNS replica on your nodes in {aws} Cloud. +EKS installs Kube-proxy and CoreDNS as self-managed add-ons by default when you create an EKS cluster with the {aws} API and {aws} SDKs, including from the {aws} CLI. You can overwrite these add-ons as Amazon EKS add-ons after cluster creation. Reference the EKS documentation for details on <> and <>. If you are running a cluster with hybrid nodes and nodes in {aws} Cloud, we recommend that you have at least one CoreDNS replica on hybrid nodes and at least one CoreDNS replica on your nodes in {aws} Cloud. [#hybrid-nodes-add-ons-cw] -== CloudWatch Observability Agent add-on +=== CloudWatch Observability Agent add-on +As the CloudWatch Observability Agent runs https://kubernetes.io/docs/reference/access-authn-authz/webhook/[webhooks], you must configure a remote pod network when creating your Amazon EKS cluster, and you must make your pod IP addresses routable. Implementing Border Gateway Protocol (BGP) with the CNI is one common way to make your pod IP addresses routable. Node-level metrics are not available for hybrid nodes because link:AmazonCloudWatch/latest/monitoring/ContainerInsights.html[CloudWatch Container Insights,type="documentation"] depends on the availability of link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html[Instance Metadata Service,type="documentation"] (IMDS) for node-level metrics. Cluster, workload, pod, and container-level metrics are available for hybrid nodes. @@ -84,7 +99,7 @@ items: ---- [#hybrid-nodes-add-ons-amp] -== Amazon Managed Prometheus managed collector for hybrid nodes +=== Amazon Managed Prometheus managed collector for hybrid nodes An Amazon Managed Service for Prometheus (AMP) managed collector consists of a scraper that discovers and collects metrics from the resources in an Amazon EKS cluster. AMP manages the scraper for you, removing the need to manage any instances, agents, or scrapers yourself. @@ -93,16 +108,16 @@ You can use AMP managed collectors without any additional configuration specific Follow the steps in link:prometheus/latest/userguide/AMP-collector-how-to.html[Using an {aws} managed collector,type="documentation"] in the Amazon Managed Service for Prometheus User Guide. [#hybrid-nodes-add-ons-adot] -== {aws} Distro for OpenTelemetry (ADOT) add-on +=== {aws} Distro for OpenTelemetry (ADOT) add-on -You can use the {aws} Distro for OpenTelemetry (ADOT) Amazon EKS add-on to collect metrics, logs, and tracing data from your applications running on hybrid nodes. Note, ADOT uses admission https://kubernetes.io/docs/reference/access-authn-authz/webhook/[webhooks] to mutate and validate the Collector Custom Resource requests and you must configure your remote pod network when creating your Amazon EKS cluster. +You can use the {aws} Distro for OpenTelemetry (ADOT) Amazon EKS add-on to collect metrics, logs, and tracing data from your applications running on hybrid nodes. ADOT uses admission https://kubernetes.io/docs/reference/access-authn-authz/webhook/[webhooks] to mutate and validate the Collector Custom Resource requests. For the EKS control plane to reach webhooks running on hybrid nodes, you must configure your remote pod network when creating your Amazon EKS cluster, and you must make your pod IP addresses routable. Implementing Border Gateway Protocol (BGP) with the CNI is one common way to make your pod IP addresses routable. Follow the steps in https://aws-otel.github.io/docs/getting-started/adot-eks-add-on[Getting Started with {aws} Distro for OpenTelemetry using EKS Add-Ons] in the _{aws} Distro for OpenTelemetry_ documentation. [#hybrid-nodes-add-ons-lbc] -== {aws} Load Balancer Controller +=== {aws} Load Balancer Controller -You can use the <> and Application Load Balancer (ALB) or Network Load Balancer (NLB) with the target type ip for workloads on hybrid nodes connected with {aws} Direct Connect or {aws} Site-to-Site VPN. As the {aws} Load Balancer Controller uses https://kubernetes.io/docs/reference/access-authn-authz/webhook/[webhooks], you must configure your remote pod network when creating your Amazon EKS cluster. +You can use the <> and Application Load Balancer (ALB) or Network Load Balancer (NLB) with the target type ip for workloads on hybrid nodes connected with {aws} Direct Connect or {aws} Site-to-Site VPN. As the {aws} Load Balancer Controller uses https://kubernetes.io/docs/reference/access-authn-authz/webhook/[webhooks], you must configure a remote pod network when creating your Amazon EKS cluster, and you must make your pod IP addresses routable. Implementing Border Gateway Protocol (BGP) with the CNI is one common way to make your pod IP addresses routable. To install the {aws} Load Balancer Controller, follow the steps at <> or <>. @@ -120,7 +135,7 @@ service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip" ---- [#hybrid-nodes-add-ons-pod-id] -== EKS Pod Identity Agent add-on +=== EKS Pod Identity Agent add-on The original Amazon EKS Pod Identity Agent DaemonSet relies on the availability of EC2 IMDS on the node to obtain the required {aws} credentials. As IMDS isn't available on hybrid nodes, starting in add-on version `1.3.3-eksbuild.1`, the Pod Identity Agent add-on optionally deploys a second DaemonSet that specifically targets hybrid nodes. This DaemonSet mounts the required credentials to the pods created by the Pod Identity Agent add-on. @@ -164,6 +179,13 @@ aws eks create-addon \ ---- [#hybrid-nodes-add-ons-csi-snapshotter] -== CSI snapshot controller add-on +=== CSI snapshot controller add-on + +Starting with version `v8.1.0-eksbuild.2`, the <> applies a soft anti-affinity rule for hybrid nodes, preferring the controller `deployment` to run on EC2 in the same {aws} Region as the Amazon EKS control plane. Co-locating the `deployment` in the same {aws} Region as the Amazon EKS control plane improves latency. + +[#hybrid-nodes-add-ons-community] +== Community add-ons -Starting with version `v8.1.0-eksbuild.2`, the <> applies a soft anti-affinity rule for hybrid nodes, preferring the controller `deployment` to run on EC2 in the same {aws} Region as the Amazon EKS control plane. Co-locating the `deployment` in the same {aws} Region as the Amazon EKS control plane improves latency. \ No newline at end of file +[#hybrid-nodes-add-ons-metrics-server] +=== Kubernetes Metrics Server add-on +The control plane needs to reach Metrics Server's pod IP (or node IP if hostNetwork is enabled). Therefore, unless you run Metrics Server in hostNetwork mode, you must configure a remote pod network when creating your Amazon EKS cluster, and you must make your pod IP addresses routable. Implementing Border Gateway Protocol (BGP) with the CNI is one common way to make your pod IP addresses routable. From 36823ec5166911f31df26e4036b35226763742a0 Mon Sep 17 00:00:00 2001 From: erchpm <92137626+erchpm@users.noreply.github.com> Date: Thu, 27 Feb 2025 15:21:30 -0600 Subject: [PATCH 194/940] Updates to hybrid nodes add-on docs (#893) * Update hybrid-nodes-add-ons.adoc for metrics-server Add Community add-ons table and metrics-server. Clarify routability requirements for add-ons that run webhooks. * Quick review of hybrid add-ons * Add routability example Add reference to BGP for implementing pod IP routability for add-ons that require routable pod IPs. * Update hybrid-nodes-add-ons.adoc Include CloudWatch webhook callout. --------- Co-authored-by: Donovan Finch cr: https://code.amazon.com/reviews/CR-180771006 --- latest/ug/nodes/hybrid-nodes-add-ons.adoc | 56 ++++++++++++++++------- 1 file changed, 39 insertions(+), 17 deletions(-) diff --git a/latest/ug/nodes/hybrid-nodes-add-ons.adoc b/latest/ug/nodes/hybrid-nodes-add-ons.adoc index 922077a5f..6a03e1f58 100644 --- a/latest/ug/nodes/hybrid-nodes-add-ons.adoc +++ b/latest/ug/nodes/hybrid-nodes-add-ons.adoc @@ -11,13 +11,13 @@ include::../attributes.txt[] Configure common add-ons for hybrid nodes -- -This page describes considerations for running Amazon EKS add-ons from {aws} on Amazon EKS Hybrid Nodes. To learn more about the Amazon EKS add-ons from {aws} and the processes for creating, upgrading, and removing add-ons from your cluster, see <>. The processes for creating, upgrading, and removing Amazon EKS add-ons is the same for Amazon EKS clusters with hybrid nodes as it is for Amazon EKS clusters with nodes running in {aws} Cloud unless otherwise noted on this page. +This page describes considerations for running {aws} add-ons and Community add-ons on Amazon EKS Hybrid Nodes. To learn more about Amazon EKS add-ons and the processes for creating, upgrading, and removing add-ons from your cluster, see <>. Unless otherwise noted on this page, the processes for creating, upgrading, and removing Amazon EKS add-ons is the same for Amazon EKS clusters with hybrid nodes as it is for Amazon EKS clusters with nodes running in {aws} Cloud. Only the add-ons included on this page have been validated for compatibility with Amazon EKS Hybrid Nodes. -The following Amazon EKS add-ons from {aws} are compatible with Amazon EKS Hybrid Nodes. +The following {aws} Add-ons are compatible with Amazon EKS Hybrid Nodes. [cols="1,1", options="header"] |=== -|EKS add-on +|{aws} add-on |Compatible add-on versions |kube-proxy @@ -39,19 +39,34 @@ The following Amazon EKS add-ons from {aws} are compatible with Amazon EKS Hybri |v8.1.0-eksbuild.1 and above |=== -In addition to the Amazon EKS add-ons in the table above, the <>, and the <> for <> (HTTP) and <> (TCP/UDP) are compatible with hybrid nodes. +The following Community add-ons are compatible with Amazon EKS Hybrid Nodes. To learn more about support for Community add-ons, see <>. -Amazon EKS add-ons from {aws} that are not compatible with Amazon EKS Hybrid Nodes have been updated with an affinity rule for the default eks.amazonaws.com/compute-type: hybrid label applied to hybrid nodes. This prevents them from running on hybrid nodes when deployed in your clusters. If you have clusters with both hybrid nodes and nodes running in {aws} Cloud, Amazon EKS add-ons that are not compatible with hybrid nodes can still be deployed in your cluster to nodes running in {aws} Cloud. The Amazon VPC CNI is not compatible with hybrid nodes, and Cilium and Calico are supported as the Container Networking Interfaces (CNIs) for Amazon EKS Hybrid Nodes. See <> for more information. +[cols="1,1", options="header"] +|=== +|Community add-on +|Compatible add-on versions + +|Kubernetes Metrics Server +|v0.7.2-eksbuild.1 and above +|=== -The rest of this page describes differences between running compatible Amazon EKS add-ons from {aws} on hybrid nodes, compared to the other Amazon EKS compute types. +In addition to the Amazon EKS add-ons in the tables above, the <>, and the <> for <> (HTTP) and <> (TCP/UDP) are compatible with hybrid nodes. + +There are {aws} add-ons and Community add-ons that aren't compatible with Amazon EKS Hybrid Nodes. The latest versions of these add-ons have an anti-affinity rule for the default `eks.amazonaws.com/compute-type: hybrid` label applied to hybrid nodes. This prevents them from running on hybrid nodes when deployed in your clusters. If you have clusters with both hybrid nodes and nodes running in {aws} Cloud, you can deploy these add-ons in your cluster to nodes running in {aws} Cloud. The Amazon VPC CNI is not compatible with hybrid nodes, and Cilium and Calico are supported as the Container Networking Interfaces (CNIs) for Amazon EKS Hybrid Nodes. See <> for more information. + +The rest of this page describes differences between running compatible Amazon EKS add-ons on hybrid nodes, compared to the other Amazon EKS compute types. + +[#hybrid-nodes-add-ons-aws-add-ons] +== {aws} Add-ons [#hybrid-nodes-add-ons-core] -== kube-proxy and CoreDNS +=== kube-proxy and CoreDNS -Kube-proxy and CoreDNS are installed as unmanaged add-ons by default when an EKS cluster is created. These add-ons can be managed as Amazon EKS add-ons after cluster creation. Reference the EKS documentation for details on <> and <>. If you are running a cluster with hybrid nodes and nodes in {aws} Cloud, it is recommended to have at least one CoreDNS replica on hybrid nodes and at least one CoreDNS replica on your nodes in {aws} Cloud. +EKS installs Kube-proxy and CoreDNS as self-managed add-ons by default when you create an EKS cluster with the {aws} API and {aws} SDKs, including from the {aws} CLI. You can overwrite these add-ons as Amazon EKS add-ons after cluster creation. Reference the EKS documentation for details on <> and <>. If you are running a cluster with hybrid nodes and nodes in {aws} Cloud, we recommend that you have at least one CoreDNS replica on hybrid nodes and at least one CoreDNS replica on your nodes in {aws} Cloud. [#hybrid-nodes-add-ons-cw] -== CloudWatch Observability Agent add-on +=== CloudWatch Observability Agent add-on +As the CloudWatch Observability Agent runs https://kubernetes.io/docs/reference/access-authn-authz/webhook/[webhooks], you must configure a remote pod network when creating your Amazon EKS cluster, and you must make your pod IP addresses routable. Implementing Border Gateway Protocol (BGP) with the CNI is one common way to make your pod IP addresses routable. Node-level metrics are not available for hybrid nodes because link:AmazonCloudWatch/latest/monitoring/ContainerInsights.html[CloudWatch Container Insights,type="documentation"] depends on the availability of link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html[Instance Metadata Service,type="documentation"] (IMDS) for node-level metrics. Cluster, workload, pod, and container-level metrics are available for hybrid nodes. @@ -84,7 +99,7 @@ items: ---- [#hybrid-nodes-add-ons-amp] -== Amazon Managed Prometheus managed collector for hybrid nodes +=== Amazon Managed Prometheus managed collector for hybrid nodes An Amazon Managed Service for Prometheus (AMP) managed collector consists of a scraper that discovers and collects metrics from the resources in an Amazon EKS cluster. AMP manages the scraper for you, removing the need to manage any instances, agents, or scrapers yourself. @@ -93,16 +108,16 @@ You can use AMP managed collectors without any additional configuration specific Follow the steps in link:prometheus/latest/userguide/AMP-collector-how-to.html[Using an {aws} managed collector,type="documentation"] in the Amazon Managed Service for Prometheus User Guide. [#hybrid-nodes-add-ons-adot] -== {aws} Distro for OpenTelemetry (ADOT) add-on +=== {aws} Distro for OpenTelemetry (ADOT) add-on -You can use the {aws} Distro for OpenTelemetry (ADOT) Amazon EKS add-on to collect metrics, logs, and tracing data from your applications running on hybrid nodes. Note, ADOT uses admission https://kubernetes.io/docs/reference/access-authn-authz/webhook/[webhooks] to mutate and validate the Collector Custom Resource requests and you must configure your remote pod network when creating your Amazon EKS cluster. +You can use the {aws} Distro for OpenTelemetry (ADOT) Amazon EKS add-on to collect metrics, logs, and tracing data from your applications running on hybrid nodes. ADOT uses admission https://kubernetes.io/docs/reference/access-authn-authz/webhook/[webhooks] to mutate and validate the Collector Custom Resource requests. For the EKS control plane to reach webhooks running on hybrid nodes, you must configure your remote pod network when creating your Amazon EKS cluster, and you must make your pod IP addresses routable. Implementing Border Gateway Protocol (BGP) with the CNI is one common way to make your pod IP addresses routable. Follow the steps in https://aws-otel.github.io/docs/getting-started/adot-eks-add-on[Getting Started with {aws} Distro for OpenTelemetry using EKS Add-Ons] in the _{aws} Distro for OpenTelemetry_ documentation. [#hybrid-nodes-add-ons-lbc] -== {aws} Load Balancer Controller +=== {aws} Load Balancer Controller -You can use the <> and Application Load Balancer (ALB) or Network Load Balancer (NLB) with the target type ip for workloads on hybrid nodes connected with {aws} Direct Connect or {aws} Site-to-Site VPN. As the {aws} Load Balancer Controller uses https://kubernetes.io/docs/reference/access-authn-authz/webhook/[webhooks], you must configure your remote pod network when creating your Amazon EKS cluster. +You can use the <> and Application Load Balancer (ALB) or Network Load Balancer (NLB) with the target type ip for workloads on hybrid nodes connected with {aws} Direct Connect or {aws} Site-to-Site VPN. As the {aws} Load Balancer Controller uses https://kubernetes.io/docs/reference/access-authn-authz/webhook/[webhooks], you must configure a remote pod network when creating your Amazon EKS cluster, and you must make your pod IP addresses routable. Implementing Border Gateway Protocol (BGP) with the CNI is one common way to make your pod IP addresses routable. To install the {aws} Load Balancer Controller, follow the steps at <> or <>. @@ -120,7 +135,7 @@ service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip" ---- [#hybrid-nodes-add-ons-pod-id] -== EKS Pod Identity Agent add-on +=== EKS Pod Identity Agent add-on The original Amazon EKS Pod Identity Agent DaemonSet relies on the availability of EC2 IMDS on the node to obtain the required {aws} credentials. As IMDS isn't available on hybrid nodes, starting in add-on version `1.3.3-eksbuild.1`, the Pod Identity Agent add-on optionally deploys a second DaemonSet that specifically targets hybrid nodes. This DaemonSet mounts the required credentials to the pods created by the Pod Identity Agent add-on. @@ -164,6 +179,13 @@ aws eks create-addon \ ---- [#hybrid-nodes-add-ons-csi-snapshotter] -== CSI snapshot controller add-on +=== CSI snapshot controller add-on + +Starting with version `v8.1.0-eksbuild.2`, the <> applies a soft anti-affinity rule for hybrid nodes, preferring the controller `deployment` to run on EC2 in the same {aws} Region as the Amazon EKS control plane. Co-locating the `deployment` in the same {aws} Region as the Amazon EKS control plane improves latency. + +[#hybrid-nodes-add-ons-community] +== Community add-ons -Starting with version `v8.1.0-eksbuild.2`, the <> applies a soft anti-affinity rule for hybrid nodes, preferring the controller `deployment` to run on EC2 in the same {aws} Region as the Amazon EKS control plane. Co-locating the `deployment` in the same {aws} Region as the Amazon EKS control plane improves latency. \ No newline at end of file +[#hybrid-nodes-add-ons-metrics-server] +=== Kubernetes Metrics Server add-on +The control plane needs to reach Metrics Server's pod IP (or node IP if hostNetwork is enabled). Therefore, unless you run Metrics Server in hostNetwork mode, you must configure a remote pod network when creating your Amazon EKS cluster, and you must make your pod IP addresses routable. Implementing Border Gateway Protocol (BGP) with the CNI is one common way to make your pod IP addresses routable. From 24e29fa4d2c40de98cb6ab405e7b735826930d10 Mon Sep 17 00:00:00 2001 From: erchpm <92137626+erchpm@users.noreply.github.com> Date: Fri, 28 Feb 2025 10:27:23 -0600 Subject: [PATCH 195/940] Info hierarchy update and case consistency --- latest/ug/nodes/hybrid-nodes-add-ons.adoc | 30 +++++++++++------------ 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/latest/ug/nodes/hybrid-nodes-add-ons.adoc b/latest/ug/nodes/hybrid-nodes-add-ons.adoc index 6a03e1f58..4dc2d1f6a 100644 --- a/latest/ug/nodes/hybrid-nodes-add-ons.adoc +++ b/latest/ug/nodes/hybrid-nodes-add-ons.adoc @@ -11,9 +11,9 @@ include::../attributes.txt[] Configure common add-ons for hybrid nodes -- -This page describes considerations for running {aws} add-ons and Community add-ons on Amazon EKS Hybrid Nodes. To learn more about Amazon EKS add-ons and the processes for creating, upgrading, and removing add-ons from your cluster, see <>. Unless otherwise noted on this page, the processes for creating, upgrading, and removing Amazon EKS add-ons is the same for Amazon EKS clusters with hybrid nodes as it is for Amazon EKS clusters with nodes running in {aws} Cloud. Only the add-ons included on this page have been validated for compatibility with Amazon EKS Hybrid Nodes. +This page describes considerations for running {aws} add-ons and community add-ons on Amazon EKS Hybrid Nodes. To learn more about Amazon EKS add-ons and the processes for creating, upgrading, and removing add-ons from your cluster, see <>. Unless otherwise noted on this page, the processes for creating, upgrading, and removing Amazon EKS add-ons is the same for Amazon EKS clusters with hybrid nodes as it is for Amazon EKS clusters with nodes running in {aws} Cloud. Only the add-ons included on this page have been validated for compatibility with Amazon EKS Hybrid Nodes. -The following {aws} Add-ons are compatible with Amazon EKS Hybrid Nodes. +The following {aws} add-ons are compatible with Amazon EKS Hybrid Nodes. [cols="1,1", options="header"] |=== @@ -29,7 +29,7 @@ The following {aws} Add-ons are compatible with Amazon EKS Hybrid Nodes. |{aws} Distro for OpenTelemetry (ADOT) |v0.102.1-eksbuild.2 and above -|CloudWatch Observability Agent +|CloudWatch Observability agent |v2.2.1-eksbuild.1 and above |EKS Pod Identity Agent @@ -39,7 +39,7 @@ The following {aws} Add-ons are compatible with Amazon EKS Hybrid Nodes. |v8.1.0-eksbuild.1 and above |=== -The following Community add-ons are compatible with Amazon EKS Hybrid Nodes. To learn more about support for Community add-ons, see <>. +The following community add-ons are compatible with Amazon EKS Hybrid Nodes. To learn more about community add-ons, see <>. [cols="1,1", options="header"] |=== @@ -52,21 +52,21 @@ The following Community add-ons are compatible with Amazon EKS Hybrid Nodes. To In addition to the Amazon EKS add-ons in the tables above, the <>, and the <> for <> (HTTP) and <> (TCP/UDP) are compatible with hybrid nodes. -There are {aws} add-ons and Community add-ons that aren't compatible with Amazon EKS Hybrid Nodes. The latest versions of these add-ons have an anti-affinity rule for the default `eks.amazonaws.com/compute-type: hybrid` label applied to hybrid nodes. This prevents them from running on hybrid nodes when deployed in your clusters. If you have clusters with both hybrid nodes and nodes running in {aws} Cloud, you can deploy these add-ons in your cluster to nodes running in {aws} Cloud. The Amazon VPC CNI is not compatible with hybrid nodes, and Cilium and Calico are supported as the Container Networking Interfaces (CNIs) for Amazon EKS Hybrid Nodes. See <> for more information. +There are {aws} add-ons and community add-ons that aren't compatible with Amazon EKS Hybrid Nodes. The latest versions of these add-ons have an anti-affinity rule for the default `eks.amazonaws.com/compute-type: hybrid` label applied to hybrid nodes. This prevents them from running on hybrid nodes when deployed in your clusters. If you have clusters with both hybrid nodes and nodes running in {aws} Cloud, you can deploy these add-ons in your cluster to nodes running in {aws} Cloud. The Amazon VPC CNI is not compatible with hybrid nodes, and Cilium and Calico are supported as the Container Networking Interfaces (CNIs) for Amazon EKS Hybrid Nodes. See <> for more information. The rest of this page describes differences between running compatible Amazon EKS add-ons on hybrid nodes, compared to the other Amazon EKS compute types. [#hybrid-nodes-add-ons-aws-add-ons] -== {aws} Add-ons +== {aws} add-ons [#hybrid-nodes-add-ons-core] -=== kube-proxy and CoreDNS +== kube-proxy and CoreDNS EKS installs Kube-proxy and CoreDNS as self-managed add-ons by default when you create an EKS cluster with the {aws} API and {aws} SDKs, including from the {aws} CLI. You can overwrite these add-ons as Amazon EKS add-ons after cluster creation. Reference the EKS documentation for details on <> and <>. If you are running a cluster with hybrid nodes and nodes in {aws} Cloud, we recommend that you have at least one CoreDNS replica on hybrid nodes and at least one CoreDNS replica on your nodes in {aws} Cloud. [#hybrid-nodes-add-ons-cw] -=== CloudWatch Observability Agent add-on -As the CloudWatch Observability Agent runs https://kubernetes.io/docs/reference/access-authn-authz/webhook/[webhooks], you must configure a remote pod network when creating your Amazon EKS cluster, and you must make your pod IP addresses routable. Implementing Border Gateway Protocol (BGP) with the CNI is one common way to make your pod IP addresses routable. +== CloudWatch Observability agent +As the CloudWatch Observability agent runs https://kubernetes.io/docs/reference/access-authn-authz/webhook/[webhooks], you must configure a remote pod network when creating your Amazon EKS cluster, and you must make your pod IP addresses routable. Implementing Border Gateway Protocol (BGP) with the CNI is one common way to make your pod IP addresses routable. Node-level metrics are not available for hybrid nodes because link:AmazonCloudWatch/latest/monitoring/ContainerInsights.html[CloudWatch Container Insights,type="documentation"] depends on the availability of link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html[Instance Metadata Service,type="documentation"] (IMDS) for node-level metrics. Cluster, workload, pod, and container-level metrics are available for hybrid nodes. @@ -99,7 +99,7 @@ items: ---- [#hybrid-nodes-add-ons-amp] -=== Amazon Managed Prometheus managed collector for hybrid nodes +== Amazon Managed Prometheus managed collector for hybrid nodes An Amazon Managed Service for Prometheus (AMP) managed collector consists of a scraper that discovers and collects metrics from the resources in an Amazon EKS cluster. AMP manages the scraper for you, removing the need to manage any instances, agents, or scrapers yourself. @@ -108,14 +108,14 @@ You can use AMP managed collectors without any additional configuration specific Follow the steps in link:prometheus/latest/userguide/AMP-collector-how-to.html[Using an {aws} managed collector,type="documentation"] in the Amazon Managed Service for Prometheus User Guide. [#hybrid-nodes-add-ons-adot] -=== {aws} Distro for OpenTelemetry (ADOT) add-on +== {aws} Distro for OpenTelemetry (ADOT) You can use the {aws} Distro for OpenTelemetry (ADOT) Amazon EKS add-on to collect metrics, logs, and tracing data from your applications running on hybrid nodes. ADOT uses admission https://kubernetes.io/docs/reference/access-authn-authz/webhook/[webhooks] to mutate and validate the Collector Custom Resource requests. For the EKS control plane to reach webhooks running on hybrid nodes, you must configure your remote pod network when creating your Amazon EKS cluster, and you must make your pod IP addresses routable. Implementing Border Gateway Protocol (BGP) with the CNI is one common way to make your pod IP addresses routable. Follow the steps in https://aws-otel.github.io/docs/getting-started/adot-eks-add-on[Getting Started with {aws} Distro for OpenTelemetry using EKS Add-Ons] in the _{aws} Distro for OpenTelemetry_ documentation. [#hybrid-nodes-add-ons-lbc] -=== {aws} Load Balancer Controller +== {aws} Load Balancer Controller You can use the <> and Application Load Balancer (ALB) or Network Load Balancer (NLB) with the target type ip for workloads on hybrid nodes connected with {aws} Direct Connect or {aws} Site-to-Site VPN. As the {aws} Load Balancer Controller uses https://kubernetes.io/docs/reference/access-authn-authz/webhook/[webhooks], you must configure a remote pod network when creating your Amazon EKS cluster, and you must make your pod IP addresses routable. Implementing Border Gateway Protocol (BGP) with the CNI is one common way to make your pod IP addresses routable. @@ -135,7 +135,7 @@ service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip" ---- [#hybrid-nodes-add-ons-pod-id] -=== EKS Pod Identity Agent add-on +== EKS Pod Identity Agent The original Amazon EKS Pod Identity Agent DaemonSet relies on the availability of EC2 IMDS on the node to obtain the required {aws} credentials. As IMDS isn't available on hybrid nodes, starting in add-on version `1.3.3-eksbuild.1`, the Pod Identity Agent add-on optionally deploys a second DaemonSet that specifically targets hybrid nodes. This DaemonSet mounts the required credentials to the pods created by the Pod Identity Agent add-on. @@ -179,7 +179,7 @@ aws eks create-addon \ ---- [#hybrid-nodes-add-ons-csi-snapshotter] -=== CSI snapshot controller add-on +== CSI snapshot controller add-on Starting with version `v8.1.0-eksbuild.2`, the <> applies a soft anti-affinity rule for hybrid nodes, preferring the controller `deployment` to run on EC2 in the same {aws} Region as the Amazon EKS control plane. Co-locating the `deployment` in the same {aws} Region as the Amazon EKS control plane improves latency. @@ -187,5 +187,5 @@ Starting with version `v8.1.0-eksbuild.2`, the < Date: Fri, 28 Feb 2025 10:33:27 -0600 Subject: [PATCH 196/940] Updated cross-reference title to match --- latest/ug/storage/efs-csi.adoc | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/latest/ug/storage/efs-csi.adoc b/latest/ug/storage/efs-csi.adoc index 857dea561..9db8d8756 100644 --- a/latest/ug/storage/efs-csi.adoc +++ b/latest/ug/storage/efs-csi.adoc @@ -183,9 +183,7 @@ We recommend that you install the Amazon EFS CSI driver through the Amazon EKS a [IMPORTANT] ==== - -Before adding the Amazon EFS driver as an Amazon EKS add-on, confirm that you don't have a self-managed version of the driver installed on your cluster. If so, see https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/README.md#uninstalling-the-amazon-efs-csi-driver[Uninstalling a self-managed Amazon EFS CSI driver] on GitHub. - +Before adding the Amazon EFS driver as an Amazon EKS add-on, confirm that you don't have a self-managed version of the driver installed on your cluster. If so, see https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/README.md#uninstalling-the-amazon-efs-csi-driver[Uninstalling the Amazon EFS CSI Driver] on GitHub. ==== Alternatively, if you want a self-managed installation of the Amazon EFS CSI driver, see https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/README.md#installation[Installation] on GitHub. From 9768fd9a41158ca40984fbac097e85daa0983197 Mon Sep 17 00:00:00 2001 From: pgasca <87044997+pgasca@users.noreply.github.com> Date: Fri, 28 Feb 2025 10:52:48 -0600 Subject: [PATCH 197/940] Consistency edits --- latest/ug/nodes/hybrid-nodes-add-ons.adoc | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/latest/ug/nodes/hybrid-nodes-add-ons.adoc b/latest/ug/nodes/hybrid-nodes-add-ons.adoc index 4dc2d1f6a..f634bcdea 100644 --- a/latest/ug/nodes/hybrid-nodes-add-ons.adoc +++ b/latest/ug/nodes/hybrid-nodes-add-ons.adoc @@ -54,11 +54,11 @@ In addition to the Amazon EKS add-ons in the tables above, the <> for more information. -The rest of this page describes differences between running compatible Amazon EKS add-ons on hybrid nodes, compared to the other Amazon EKS compute types. - [#hybrid-nodes-add-ons-aws-add-ons] == {aws} add-ons +The sections that follow describe differences between running compatible {aws} add-ons on hybrid nodes compared to other Amazon EKS compute types. + [#hybrid-nodes-add-ons-core] == kube-proxy and CoreDNS @@ -179,13 +179,15 @@ aws eks create-addon \ ---- [#hybrid-nodes-add-ons-csi-snapshotter] -== CSI snapshot controller add-on +== CSI snapshot controller Starting with version `v8.1.0-eksbuild.2`, the <> applies a soft anti-affinity rule for hybrid nodes, preferring the controller `deployment` to run on EC2 in the same {aws} Region as the Amazon EKS control plane. Co-locating the `deployment` in the same {aws} Region as the Amazon EKS control plane improves latency. [#hybrid-nodes-add-ons-community] == Community add-ons +The sections that follow describe differences between running compatible community add-ons on hybrid nodes compared to other Amazon EKS compute types. + [#hybrid-nodes-add-ons-metrics-server] == Kubernetes Metrics Server The control plane needs to reach Metrics Server's pod IP (or node IP if hostNetwork is enabled). Therefore, unless you run Metrics Server in hostNetwork mode, you must configure a remote pod network when creating your Amazon EKS cluster, and you must make your pod IP addresses routable. Implementing Border Gateway Protocol (BGP) with the CNI is one common way to make your pod IP addresses routable. From 9046a7b6789b9718153e6efefae0d336e5986097 Mon Sep 17 00:00:00 2001 From: Andrew Chen Date: Thu, 27 Feb 2025 16:41:50 -0800 Subject: [PATCH 198/940] Add region flag to nodeadm install --- latest/ug/nodes/hybrid-nodes-nodeadm.adoc | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc index be3631e67..47589a1be 100644 --- a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc +++ b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc @@ -82,6 +82,13 @@ The `install` command is used to install the artifacts and dependencies required `docker` - `nodeadm` will install `containerd` package built and distributed by Docker. `docker` is not a supported value for Amazon Linux 2023 `none` - `nodeadm` will not install `containerd` package. You must manually install `containerd` before running `nodeadm init`. + +|`-r`, + +`--region` +| FALSE +| Specifies the AWS region for downloading artifacts such as the SSM Agent. Defaults to `us-west-2`. + |`-t`, `--timeout` From 93d761537a2c0e093ab12f5bc154687bc43c0f36 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Fri, 28 Feb 2025 19:02:20 +0000 Subject: [PATCH 199/940] Squashed commit of the following: commit 70f3005990631639f1b1ff1d3fd7be8a6911949e Merge: 829bf417c dea775354 Author: Geoffrey Cline Date: Fri Feb 28 19:01:13 2025 +0000 Merge remote-tracking branch 'origin/mainline' into gdr-slr-feb2025 commit 829bf417cc08c286e150d39eb89a99e0dd4e05e8 Author: Geoffrey Cline Date: Wed Feb 19 21:15:11 2025 +0000 revise SLR --- latest/ug/doc-history.adoc | 7 +++++++ .../ug/security/iam-reference/security-iam-awsmanpol.adoc | 6 ++++++ 2 files changed, 13 insertions(+) diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index a97cde451..71784f82f 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -25,6 +25,13 @@ The following table describes the major updates and new features for the Amazon [.updates] == Updates +[.update,date="2025-02-28"] +=== {aws} managed policy updates +[.update-ulink] +link:eks/latest/userguide/security-iam-awsmanpol.html[type="documentation"] + +Added permissions to `AmazonEKSServiceRolePolicy` to allow Amazon EKS to terminate EC2 instances created by Auto Mode. + [.update,date="2025-01-27"] === Update strategies for managed node groups [.update-ulink] diff --git a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc index a33712587..1e5033e22 100644 --- a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc +++ b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc @@ -221,6 +221,7 @@ This policy allows the service-linked role to call {aws} services on your behalf This policy includes the following permissions that allow Amazon EKS to complete the following tasks. * *`ec2`* – Create and describe Elastic Network Interfaces and Amazon EC2 instances, the cluster security group, and VPC that are required to create a cluster. For more information, see <>. Read information about security groups. Update tags on security groups. +* *`ec2` Auto Mode* – Terminate EC2 instances created by EKS Auto Mode. For more information, see <>. * *`iam`* – List all of the managed policies that attached to an IAM role. This is required so that Amazon EKS can list and validate all managed policies and permissions required to create a cluster. * *Associate a VPC with a hosted zone* – This is required by Amazon EKS to enable private endpoint networking for your Kubernetes cluster API server. * *Log event* – This is required so that Amazon EKS can ship Kubernetes control plane logs to CloudWatch. @@ -364,6 +365,11 @@ View details about updates to {aws} managed policies for Amazon EKS since this s |Description |Date + +| Added permissions to <>. +| Added permission to terminate EC2 instances created by EKS Auto Mode. +| February 28, 2025 + |Added permissions to <>. |Added a new statement authorizing the EBS CSI Driver to restore all snapshots. This was previously allowed by the existing policy but a new explicit statement is required due to a change in the handling of IAM for `CreateVolume`. From 0e7406387deaf263b6df2ed44af89b57e1d9c8ee Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Fri, 28 Feb 2025 19:41:11 +0000 Subject: [PATCH 200/940] eksctl 0.205.0: https://github.com/eksctl-io/eksctl/releases/tag/v0.205.0 --- latest/ug/attributes.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/attributes.txt b/latest/ug/attributes.txt index 79308971e..795c80c30 100644 --- a/latest/ug/attributes.txt +++ b/latest/ug/attributes.txt @@ -1,5 +1,5 @@ // eksctl version -:eksctl-min-version: 0.204.0 +:eksctl-min-version: 0.205.0 // EKS Auto Mode versions :auto-cli-v2-version: 2.12.3 From 28bd7ea2ff304ceff7adc648b99a55f4271d0c26 Mon Sep 17 00:00:00 2001 From: pgasca <87044997+pgasca@users.noreply.github.com> Date: Fri, 28 Feb 2025 14:23:55 -0600 Subject: [PATCH 201/940] Replaced AWS with required {aws} entity and made minor tweaks --- latest/ug/nodes/hybrid-nodes-nodeadm.adoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc index 47589a1be..358815973 100644 --- a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc +++ b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc @@ -86,8 +86,8 @@ The `install` command is used to install the artifacts and dependencies required |`-r`, `--region` -| FALSE -| Specifies the AWS region for downloading artifacts such as the SSM Agent. Defaults to `us-west-2`. +|FALSE +|Specifies the {aws} Region for downloading artifacts such as the SSM Agent. Defaults to `us-west-2`. |`-t`, @@ -591,4 +591,4 @@ spec: ssm: activationCode: # SSM hybrid activation code activationId: # SSM hybrid activation id ----- \ No newline at end of file +---- From b90e07a986c7a165ed9c2089baa015f2aabc1fe7 Mon Sep 17 00:00:00 2001 From: erchpm <92137626+erchpm@users.noreply.github.com> Date: Fri, 28 Feb 2025 16:40:36 -0600 Subject: [PATCH 202/940] Quick fix to info hierarchy --- latest/ug/nodes/hybrid-nodes-add-ons.adoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/latest/ug/nodes/hybrid-nodes-add-ons.adoc b/latest/ug/nodes/hybrid-nodes-add-ons.adoc index bbcd48b1b..f634bcdea 100644 --- a/latest/ug/nodes/hybrid-nodes-add-ons.adoc +++ b/latest/ug/nodes/hybrid-nodes-add-ons.adoc @@ -60,7 +60,7 @@ There are {aws} add-ons and community add-ons that aren't compatible with Amazon The sections that follow describe differences between running compatible {aws} add-ons on hybrid nodes compared to other Amazon EKS compute types. [#hybrid-nodes-add-ons-core] -=== kube-proxy and CoreDNS +== kube-proxy and CoreDNS EKS installs Kube-proxy and CoreDNS as self-managed add-ons by default when you create an EKS cluster with the {aws} API and {aws} SDKs, including from the {aws} CLI. You can overwrite these add-ons as Amazon EKS add-ons after cluster creation. Reference the EKS documentation for details on <> and <>. If you are running a cluster with hybrid nodes and nodes in {aws} Cloud, we recommend that you have at least one CoreDNS replica on hybrid nodes and at least one CoreDNS replica on your nodes in {aws} Cloud. @@ -99,7 +99,7 @@ items: ---- [#hybrid-nodes-add-ons-amp] -=== Amazon Managed Prometheus managed collector for hybrid nodes +== Amazon Managed Prometheus managed collector for hybrid nodes An Amazon Managed Service for Prometheus (AMP) managed collector consists of a scraper that discovers and collects metrics from the resources in an Amazon EKS cluster. AMP manages the scraper for you, removing the need to manage any instances, agents, or scrapers yourself. @@ -115,7 +115,7 @@ You can use the {aws} Distro for OpenTelemetry (ADOT) Amazon EKS add-on to colle Follow the steps in https://aws-otel.github.io/docs/getting-started/adot-eks-add-on[Getting Started with {aws} Distro for OpenTelemetry using EKS Add-Ons] in the _{aws} Distro for OpenTelemetry_ documentation. [#hybrid-nodes-add-ons-lbc] -=== {aws} Load Balancer Controller +== {aws} Load Balancer Controller You can use the <> and Application Load Balancer (ALB) or Network Load Balancer (NLB) with the target type ip for workloads on hybrid nodes connected with {aws} Direct Connect or {aws} Site-to-Site VPN. As the {aws} Load Balancer Controller uses https://kubernetes.io/docs/reference/access-authn-authz/webhook/[webhooks], you must configure a remote pod network when creating your Amazon EKS cluster, and you must make your pod IP addresses routable. Implementing Border Gateway Protocol (BGP) with the CNI is one common way to make your pod IP addresses routable. From 04c867ad46e46821410b669bca94211c03f6cb84 Mon Sep 17 00:00:00 2001 From: Sai Poojitha Pabbathireddy Date: Mon, 3 Mar 2025 16:34:41 +0000 Subject: [PATCH 203/940] Added note to specify that field InstanceRequirements is not supported in the launch template. cr: https://code.amazon.com/reviews/CR-181451769 --- latest/ug/nodes/launch-templates.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/nodes/launch-templates.adoc b/latest/ug/nodes/launch-templates.adoc index caa0a3fc6..2bcead55d 100644 --- a/latest/ug/nodes/launch-templates.adoc +++ b/latest/ug/nodes/launch-templates.adoc @@ -86,7 +86,7 @@ a|*Application and OS Images (Amazon Machine Image)* under *Launch template cont * If you deploy a node group using a launch template, specify zero or one *Instance type* under *Launch template contents* in a launch template. Alternatively, you can specify 0–20 instance types for *Instance types* on the *Set compute and scaling configuration* page in the console. Or, you can do so using other tools that use the Amazon EKS API. If you specify an instance type in a launch template, and use that launch template to deploy your node group, then you can't specify any instance types in the console or using other tools that use the Amazon EKS API. If you don't specify an instance type in a launch template, in the console, or using other tools that use the Amazon EKS API, the `t3.medium` instance type is used. If your node group is using the Spot capacity type, then we recommend specifying multiple instance types using the console. For more information, see <>. * If any containers that you deploy to the node group use the Instance Metadata Service Version 2, make sure to set the *Metadata response hop limit* to `2` in your launch template. For more information, see link:AWSEC2/latest/UserGuide/ec2-instance-metadata.html[Instance metadata and user data,type="documentation"] in the _Amazon EC2 User Guide_. If you deploy a managed node group without using a custom launch template, this value is automatically set for the node group in the default launch template. - +* Feature *InstanceRequirements* that allows you to specify flexible instance type selection is not supported in the launch template. ==== [#launch-template-tagging] From 86fc55b4a505729537e66e06e50881b207d91df2 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Mon, 3 Mar 2025 17:40:52 +0000 Subject: [PATCH 204/940] Rewrite: 45684 --- latest/ug/nodes/launch-templates.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/nodes/launch-templates.adoc b/latest/ug/nodes/launch-templates.adoc index 2bcead55d..53ab5f757 100644 --- a/latest/ug/nodes/launch-templates.adoc +++ b/latest/ug/nodes/launch-templates.adoc @@ -86,7 +86,7 @@ a|*Application and OS Images (Amazon Machine Image)* under *Launch template cont * If you deploy a node group using a launch template, specify zero or one *Instance type* under *Launch template contents* in a launch template. Alternatively, you can specify 0–20 instance types for *Instance types* on the *Set compute and scaling configuration* page in the console. Or, you can do so using other tools that use the Amazon EKS API. If you specify an instance type in a launch template, and use that launch template to deploy your node group, then you can't specify any instance types in the console or using other tools that use the Amazon EKS API. If you don't specify an instance type in a launch template, in the console, or using other tools that use the Amazon EKS API, the `t3.medium` instance type is used. If your node group is using the Spot capacity type, then we recommend specifying multiple instance types using the console. For more information, see <>. * If any containers that you deploy to the node group use the Instance Metadata Service Version 2, make sure to set the *Metadata response hop limit* to `2` in your launch template. For more information, see link:AWSEC2/latest/UserGuide/ec2-instance-metadata.html[Instance metadata and user data,type="documentation"] in the _Amazon EC2 User Guide_. If you deploy a managed node group without using a custom launch template, this value is automatically set for the node group in the default launch template. -* Feature *InstanceRequirements* that allows you to specify flexible instance type selection is not supported in the launch template. +* Launch templates do not support the `InstanceRequirements` feature that allows flexible instance type selection. ==== [#launch-template-tagging] From c591397c2ab1f1248025d4857745504d220c9b11 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Mon, 3 Mar 2025 23:51:41 +0000 Subject: [PATCH 205/940] Updated example outputs to not have copy button. --- latest/ug/clusters/cluster-endpoint.adoc | 4 ++-- latest/ug/connector/connecting-cluster.adoc | 2 +- .../aws-access/associate-service-account-role.adoc | 10 +++++----- .../manage-access/aws-access/pod-id-association.adoc | 10 +++++----- latest/ug/networking/cni-custom-network-tutorial.adoc | 2 +- latest/ug/networking/coredns-add-on-create.adoc | 2 +- latest/ug/networking/coredns-add-on-update.adoc | 2 +- latest/ug/networking/vpc-add-on-update.adoc | 2 +- latest/ug/security/enable-kms.adoc | 4 ++-- latest/ug/workloads/removing-an-addon.adoc | 4 ++-- latest/ug/workloads/updating-an-add-on.adoc | 4 ++-- 11 files changed, 23 insertions(+), 23 deletions(-) diff --git a/latest/ug/clusters/cluster-endpoint.adoc b/latest/ug/clusters/cluster-endpoint.adoc index 491d99f27..1adf7b210 100644 --- a/latest/ug/clusters/cluster-endpoint.adoc +++ b/latest/ug/clusters/cluster-endpoint.adoc @@ -160,7 +160,7 @@ aws eks update-cluster-config \ + An example output is as follows. + -[source,json,subs="verbatim,attributes"] +[source,json,subs="verbatim,attributes",role="nocopy"] ---- { "update": { @@ -198,7 +198,7 @@ aws eks describe-update \ + An example output is as follows. + -[source,json,subs="verbatim,attributes"] +[source,json,subs="verbatim,attributes",role="nocopy"] ---- { "update": { diff --git a/latest/ug/connector/connecting-cluster.adoc b/latest/ug/connector/connecting-cluster.adoc index ab7e300d9..84c86903f 100644 --- a/latest/ug/connector/connecting-cluster.adoc +++ b/latest/ug/connector/connecting-cluster.adoc @@ -59,7 +59,7 @@ aws eks register-cluster \ + An example output is as follows. + -[source,json,subs="verbatim,attributes"] +[source,json,subs="verbatim,attributes",role="nocopy"] ---- { "cluster": { diff --git a/latest/ug/manage-access/aws-access/associate-service-account-role.adoc b/latest/ug/manage-access/aws-access/associate-service-account-role.adoc index 41d9ff6ca..5bc1cb27a 100644 --- a/latest/ug/manage-access/aws-access/associate-service-account-role.adoc +++ b/latest/ug/manage-access/aws-access/associate-service-account-role.adoc @@ -167,7 +167,7 @@ aws iam get-role --role-name my-role --query Role.AssumeRolePolicyDocument + An example output is as follows. + -[source,json,subs="verbatim,attributes"] +[source,json,subs="verbatim,attributes",role="nocopy"] ---- { "Version": "2012-10-17", @@ -197,7 +197,7 @@ aws iam list-attached-role-policies --role-name my-role --query AttachedPolicies + An example output is as follows. + -[source,bash,subs="verbatim,attributes"] +[source,bash,subs="verbatim,attributes",role="nocopy"] ---- {arn-aws}iam::111122223333:policy/my-policy ---- @@ -216,7 +216,7 @@ aws iam get-policy --policy-arn $policy_arn + An example output is as follows. + -[source,json,subs="verbatim,attributes"] +[source,json,subs="verbatim,attributes",role="nocopy"] ---- { "Policy": { @@ -238,7 +238,7 @@ aws iam get-policy-version --policy-arn $policy_arn --version-id v1 + An example output is as follows. + -[source,json,subs="verbatim,attributes"] +[source,json,subs="verbatim,attributes",role="nocopy"] ---- { "Version": "2012-10-17", @@ -262,7 +262,7 @@ kubectl describe serviceaccount my-service-account -n default + An example output is as follows. + -[source,bash,subs="verbatim,attributes"] +[source,bash,subs="verbatim,attributes",role="nocopy"] ---- Name: my-service-account Namespace: default diff --git a/latest/ug/manage-access/aws-access/pod-id-association.adoc b/latest/ug/manage-access/aws-access/pod-id-association.adoc index 5e6efc556..d4e4040d2 100644 --- a/latest/ug/manage-access/aws-access/pod-id-association.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-association.adoc @@ -169,7 +169,7 @@ aws eks create-pod-identity-association --cluster-name my-cluster --role-arn {ar + An example output is as follows. + -[source,json,subs="verbatim,attributes"] +[source,json,subs="verbatim,attributes",role="nocopy"] ---- { "association": { @@ -200,7 +200,7 @@ aws iam get-role --role-name my-role --query Role.AssumeRolePolicyDocument + An example output is as follows. + -[source,json,subs="verbatim,attributes"] +[source,json,subs="verbatim,attributes",role="nocopy"] ---- { "Version": "2012-10-17", @@ -228,7 +228,7 @@ aws iam list-attached-role-policies --role-name my-role --query AttachedPolicies + An example output is as follows. + -[source,json,subs="verbatim,attributes"] +[source,json,subs="verbatim,attributes",role="nocopy"] ---- {arn-aws}iam::111122223333:policy/my-policy ---- @@ -247,7 +247,7 @@ aws iam get-policy --policy-arn $policy_arn + An example output is as follows. + -[source,json,subs="verbatim,attributes"] +[source,json,subs="verbatim,attributes",role="nocopy"] ---- { "Policy": { @@ -269,7 +269,7 @@ aws iam get-policy-version --policy-arn $policy_arn --version-id v1 + An example output is as follows. + -[source,json,subs="verbatim,attributes"] +[source,json,subs="verbatim,attributes",role="nocopy"] ---- { "Version": "2012-10-17", diff --git a/latest/ug/networking/cni-custom-network-tutorial.adoc b/latest/ug/networking/cni-custom-network-tutorial.adoc index b7ce4e652..db00a06e0 100644 --- a/latest/ug/networking/cni-custom-network-tutorial.adoc +++ b/latest/ug/networking/cni-custom-network-tutorial.adoc @@ -479,7 +479,7 @@ aws ec2 describe-instances --filters Name=network-interface.private-dns-name,Val + An example output is as follows. + -[source,json,subs="verbatim,attributes"] +[source,json,subs="verbatim,attributes",role="nocopy"] ---- [ { diff --git a/latest/ug/networking/coredns-add-on-create.adoc b/latest/ug/networking/coredns-add-on-create.adoc index e9cc777ae..f574e1f16 100644 --- a/latest/ug/networking/coredns-add-on-create.adoc +++ b/latest/ug/networking/coredns-add-on-create.adoc @@ -56,7 +56,7 @@ It might take several seconds for add-on creation to complete. + An example output is as follows. + -[source,json,subs="verbatim,attributes"] +[source,json,subs="verbatim,attributes",role="nocopy"] ---- v1.11.3-eksbuild.1 ---- diff --git a/latest/ug/networking/coredns-add-on-update.adoc b/latest/ug/networking/coredns-add-on-update.adoc index 9313f9298..1a8736c8c 100644 --- a/latest/ug/networking/coredns-add-on-update.adoc +++ b/latest/ug/networking/coredns-add-on-update.adoc @@ -55,7 +55,7 @@ It might take several seconds for the update to complete. + An example output is as follows. + -[source,json,subs="verbatim,attributes"] +[source,json,subs="verbatim,attributes",role="nocopy"] ---- { "addon": { diff --git a/latest/ug/networking/vpc-add-on-update.adoc b/latest/ug/networking/vpc-add-on-update.adoc index 90c402216..48d9a3b85 100644 --- a/latest/ug/networking/vpc-add-on-update.adoc +++ b/latest/ug/networking/vpc-add-on-update.adoc @@ -55,7 +55,7 @@ It might take several seconds for the update to complete. + An example output is as follows. + -[source,json,subs="verbatim,attributes"] +[source,json,subs="verbatim,attributes",role="nocopy"] ---- { "addon": { diff --git a/latest/ug/security/enable-kms.adoc b/latest/ug/security/enable-kms.adoc index ddec19653..db2fb0cfa 100644 --- a/latest/ug/security/enable-kms.adoc +++ b/latest/ug/security/enable-kms.adoc @@ -101,7 +101,7 @@ aws eks associate-encryption-config \ + An example output is as follows. + -[source,json,subs="verbatim,attributes"] +[source,json,subs="verbatim,attributes",role="nocopy"] ---- {   "update": { @@ -131,7 +131,7 @@ aws eks describe-update \ + An example output is as follows. + -[source,json,subs="verbatim,attributes"] +[source,json,subs="verbatim,attributes",role="nocopy"] ---- {   "update": { diff --git a/latest/ug/workloads/removing-an-addon.adoc b/latest/ug/workloads/removing-an-addon.adoc index e0e60010f..dca290d43 100644 --- a/latest/ug/workloads/removing-an-addon.adoc +++ b/latest/ug/workloads/removing-an-addon.adoc @@ -108,7 +108,7 @@ aws eks list-addons --cluster-name my-cluster + An example output is as follows. + -[source,json,subs="verbatim,attributes"] +[source,json,subs="verbatim,attributes",role="nocopy"] ---- { "addons": [ @@ -128,7 +128,7 @@ aws eks delete-addon --cluster-name my-cluster --addon-name name-of-addon --pres + The abbreviated example output is as follows. + -[source,json,subs="verbatim,attributes"] +[source,json,subs="verbatim,attributes",role="nocopy"] ---- { "addon": { diff --git a/latest/ug/workloads/updating-an-add-on.adoc b/latest/ug/workloads/updating-an-add-on.adoc index ba50a21b3..103539487 100644 --- a/latest/ug/workloads/updating-an-add-on.adoc +++ b/latest/ug/workloads/updating-an-add-on.adoc @@ -127,7 +127,7 @@ aws eks list-addons --cluster-name my-cluster + An example output is as follows. + -[source,json,subs="verbatim,attributes"] +[source,json,subs="verbatim,attributes",role="nocopy"] ---- { "addons": [ @@ -199,7 +199,7 @@ aws eks describe-addon --cluster-name my-cluster --addon-name vpc-cni + An example output is as follows. + -[source,json,subs="verbatim,attributes"] +[source,json,subs="verbatim,attributes",role="nocopy"] ---- { "addon": { From eaebbc31c5214a0a96c129f01ebbf695ac9be902 Mon Sep 17 00:00:00 2001 From: Vignesh Goutham Ganesh Date: Tue, 4 Mar 2025 10:03:42 -0600 Subject: [PATCH 206/940] Adding ssm to eks-hybrid proxy docs --- .gitignore | 1 + latest/ug/nodes/hybrid-nodes-proxy.adoc | 42 +++++++++++++++++++++++++ 2 files changed, 43 insertions(+) diff --git a/.gitignore b/.gitignore index 7bc098742..1a6f6c8be 100755 --- a/.gitignore +++ b/.gitignore @@ -76,5 +76,6 @@ build *.xls *.xlsx *.xpr +.idea/* vale/styles/AsciiDoc/ vale/styles/RedHat/ diff --git a/latest/ug/nodes/hybrid-nodes-proxy.adoc b/latest/ug/nodes/hybrid-nodes-proxy.adoc index 8eafb5112..b0bdb67a3 100644 --- a/latest/ug/nodes/hybrid-nodes-proxy.adoc +++ b/latest/ug/nodes/hybrid-nodes-proxy.adoc @@ -75,6 +75,48 @@ systemctl daemon-reload systemctl restart containerd ---- +=== `ssm` proxy configuration + +`ssm` is one of the credential providers that can be used to initialize a hybrid node. `ssm` is responsible for authenticating with AWS and generating temporary credentials that is used by `kubelet`. If you are using a proxy in your on-premises environment and using `ssm` as your credential provider on the node, you must configure the `ssm` so it can communicate with Amazon SSM service endpoints. + +Create a file on each hybrid node called `http-proxy.conf` in the path below depending on the operating system + +* Ubuntu - `/etc/systemd/system/snap.amazon-ssm-agent.amazon-ssm-agent.service.d/http-proxy.conf` +* Amazon Linux 2023 and Red Hat Enterprise Linux - `/etc/systemd/system/amazon-ssm-agent.service.d/http-proxy.conf` + +Populate the file with the following contents. Replace `proxy-domain` and `port` with the values for your environment. +[source,yaml,subs="verbatim,attributes,quotes"] +---- +[Service] +Environment="HTTP_PROXY=http://[.replaceable]#proxy-domain:port#" +Environment="HTTPS_PROXY=http://[.replaceable]#proxy-domain:port#" +Environment="NO_PROXY=localhost" +---- + +==== `ssm` configuration from user data + +The `ssm` systemd service file directory must be created for this file. The directory path depends on the operating system used on the node. + +* Ubuntu - `/etc/systemd/system/snap.amazon-ssm-agent.amazon-ssm-agent.service.d` +* Amazon Linux 2023 and Red Hat Enterprise Linux - `/etc/systemd/system/amazon-ssm-agent.service.d` + +Replace the systemd service name in the restart command below depending on the operating system used on the node + +* Ubuntu - `snap.amazon-ssm-agent.amazon-ssm-agent` +* Amazon Linux 2023 and Red Hat Enterprise Linux - `amazon-ssm-agent` + +[source,yaml,subs="verbatim,attributes,quotes"] +---- +mkdir -p [.replaceable]#systemd-service-file-directory +echo '[Service]' > [.replaceable]#systemd-service-file-directory/http-proxy.conf +echo 'Environment="HTTP_PROXY=http://[.replaceable]#proxy-domain:port#"' >> [.replaceable]#systemd-service-file-directory/http-proxy.conf +echo 'Environment="HTTPS_PROXY=http://[.replaceable]#proxy-domain:port#"' >> [.replaceable]#systemd-service-file-directory/http-proxy.conf +echo 'Environment="NO_PROXY=localhost"' >> [.replaceable]#systemd-service-file-directory/http-proxy.conf +systemctl daemon-reload +systemctl restart [.replaceable]#systemd-service-name +---- + + === Operating system proxy configuration If you are using a proxy for internet access, you must configure your operating system to be able to pull the hybrid nodes dependencies from your operating systems' package manager. From 11349b8633222e8f5545d4c115f1e8ce450a0903 Mon Sep 17 00:00:00 2001 From: Vignesh Goutham Ganesh Date: Tue, 4 Mar 2025 10:36:32 -0600 Subject: [PATCH 207/940] [eks-hybrid] Adding cni-validation to install command and no-color flag to debug command --- latest/ug/nodes/hybrid-nodes-nodeadm.adoc | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc index 358815973..769c8b460 100644 --- a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc +++ b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc @@ -245,7 +245,9 @@ nodeadm init [flags] *Values* -`install-validation` skips checking if the proceding install command ran successfully. +`install-validation` skips checking if the preceding install command ran successfully. + +`cni-validation` skips checking if either Cilium or Calico cni's VxLan ports are opened if firewall is enabled on the node |`-h`, `--help` |FALSE @@ -467,6 +469,10 @@ nodeadm debug [flags] |TRUE |Source of `nodeadm` configuration. For hybrid nodes the input should follow a URI with file scheme. +|`--no-color` +|FALSE +|Disables color output. Useful for automation. + |`-h`, `--help` |FALSE |Displays help message with available flag, subcommand and positional value parameters. From 3adf0359faab92a751e8aa694eb17a08e1ca3313 Mon Sep 17 00:00:00 2001 From: Nick Baker Date: Tue, 4 Mar 2025 23:37:05 +0000 Subject: [PATCH 208/940] update node health with DCGM conditions cr: https://code.amazon.com/reviews/CR-181739125 --- latest/ug/nodes/node-health.adoc | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/latest/ug/nodes/node-health.adoc b/latest/ug/nodes/node-health.adoc index 2495750d3..2e5b40029 100644 --- a/latest/ug/nodes/node-health.adoc +++ b/latest/ug/nodes/node-health.adoc @@ -322,6 +322,21 @@ If auto repair is enabled, the repair actions that are listed start 10 minutes a |Any occurrences of XIDs other than the ones defined in this list result in this event. |None +|DCGMError +|Condition +|Connection to the DCGM host process was lost or could not be established. +|None + +|DCGMDiagnosticError +|Condition +|An issued occurred running DCGM active diagnostics. +|None + +|DCGMDiagnosticFailure +|Condition +|A test case from the DCGM active diagnostics test suite failed. +|None + |=== [#node-health-runtime] @@ -390,4 +405,4 @@ If auto repair is enabled, the repair actions that are listed start 10 minutes a |Event |Kubelet is reporting slow disk usage while trying to access the filesystem, potentially indicating insufficient disk input-output or filesystem issues. -|=== \ No newline at end of file +|=== From c8e8ca0fb796bc48a1a50ae9d8bcf855341d4d1e Mon Sep 17 00:00:00 2001 From: Leah Tucker Date: Wed, 5 Mar 2025 19:13:52 +0000 Subject: [PATCH 209/940] Add docs for disable session tags --- .../manage-access/aws-access/pod-id-abac.adoc | 21 +++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/latest/ug/manage-access/aws-access/pod-id-abac.adoc b/latest/ug/manage-access/aws-access/pod-id-abac.adoc index 6adec2510..cc4135dc4 100644 --- a/latest/ug/manage-access/aws-access/pod-id-abac.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-abac.adoc @@ -9,9 +9,10 @@ include::../../attributes.txt[] Learn how to use Amazon EKS Pod Identity to attach tags for cluster, namespace, and service account to temporary credentials, enabling attribute-based access control (ABAC) for EKS Pods to {aws} resources based on matching tags. -- -Attribute-based access control (ABAC) grants rights to users through policies which combine attributes together. EKS Pod Identity attaches tags to the temporary credentials to each Pod with attributes such as cluster name, namespace, and service account name. These role session tags enable administrators to author a single role that can work across service accounts by allowing access to {aws} resources based on matching tags. By adding support for role session tags, customers can enforce tighter security boundaries between clusters, and workloads within clusters, while reusing the same IAM roles and IAM policies. +Attribute-based access control (ABAC) grants rights to users through policies which combine attributes together. EKS Pod Identity attaches tags to the temporary credentials to each Pod with attributes such as cluster name, namespace, and service account name. These role session tags enable administrators to author a single role that can work across service accounts by allowing access to {aws} resources based on matching tags. By adding support for role session tags, you can enforce tighter security boundaries between clusters, and workloads within clusters, while reusing the same IAM roles and IAM policies. -For example, the following policy allows the `s3:GetObject` action if the object is tagged with the name of the EKS cluster. +== Sample policy with tags +Below is an IAM policy example that grants `s3:GetObject` permissions when the corresponding object is tagged with the EKS cluster name. [source,json,subs="verbatim,attributes"] ---- @@ -44,11 +45,13 @@ For example, the following policy allows the `s3:GetObject` action if the object [#pod-id-abac-tags] -== List of session tags added by EKS Pod Identity +== Enable or disable session tags -The following list contains all of the keys for tags that are added to the `AssumeRole` request made by Amazon EKS. To use these tags in policies, use `${aws:PrincipalTag/` followed by the key, for example `${aws:PrincipalTag/kubernetes-namespace}`. +EKS Pod Identity adds a pre-defined set of session tags when it assumes the role. These session tags enable administrators to author a single role that can work across resources by allowing access to {aws} resources based on matching tags. +=== Enable session tags +Session tags are automatically enabled with EKS Pod Identity--no action is required on your part. By default, EKS Pod Identity attaches a set of predefined tags to your session. To reference these tags in policies, use the syntax `${aws:PrincipalTag/` followed by the tag key. For example, `${aws:PrincipalTag/kubernetes-namespace}`. * `eks-cluster-arn` * `eks-cluster-name` @@ -57,6 +60,16 @@ The following list contains all of the keys for tags that are added to the `Assu * `kubernetes-pod-name` * `kubernetes-pod-uid` +=== Disable session tags + +AWS compresses inline session policies, managed policy ARNs, and session tags into a packed binary format that has a separate limit. If you receive a `PackedPolicyTooLarge` error indicating the packed binary format has exceeded the size limit, you can attempt to reduce the size by disabling the session tags added by EKS Pod Identity. To disable these session tags, follow these steps: + +. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. +. In the left navigation pane, select *Clusters*, and then select the name of the cluster that you want to modify. +. Choose the *Access* tab. +. In the *Pod Identity associations*, choose the association ID you would like to modify in *Association ID*, then choose *Edit*. +. Under *Session tags*, choose *Disable session tags*. +. Choose *Save changes*. [#pod-id-abac-chaining] == Cross-account tags From 3469885ba4e2d6594627344df7fe84a66cf658ae Mon Sep 17 00:00:00 2001 From: Leah Tucker Date: Wed, 5 Mar 2025 19:14:20 +0000 Subject: [PATCH 210/940] Add docs for target IAM role plus left nav --- .../aws-access/pod-id-assign-target-role.adoc | 153 ++++++++++++++++++ .../aws-access/pod-identities.adoc | 2 + 2 files changed, 155 insertions(+) create mode 100644 latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc diff --git a/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc b/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc new file mode 100644 index 000000000..1fb618d9b --- /dev/null +++ b/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc @@ -0,0 +1,153 @@ +[.topic] +[#assign-target-role] += Access {aws} Resources using EKS Pod Identity Target IAM Roles +:info_titleabbrev: Assign Target IAM role + +include::../../attributes.txt[] + +[abstract] +-- +Learn how to configure account role access for Amazon EKS workloads using Pod Identity. +-- + +When running applications on Amazon Elastic Kubernetes Service (Amazon EKS), you might need to access {aws} resources that exist in the same or different {aws} accounts. This guide shows you how to set up access between these accounts using EKS Pod Identity, which enables your Kubernetes pods to access other {aws} resources. + +== Prerequisites + +Before you begin, ensure you have completed the following steps: + +* https://docs.aws.amazon.com/eks/latest/userguide/pod-id-agent-setup.html[Set up the Amazon EKS Pod Identity Agent] +* https://docs.aws.amazon.com/eks/latest/userguide/pod-id-role.html[Create an EKS Pod Identity role] + +== How It Works + +Pod Identity enables applications in your EKS cluster to access {aws} resources across accounts through a process called role chaining. When creating a Pod Identity association, you can provide two IAM roles—an link:eks/latest/userguide/pod-id-role.html["EKS Pod Identity role",type="documentation"] in the same account as your EKS cluster and a Target IAM Role from the account containing your {aws} resources (like S3 buckets or DynamoDB tables). The link:eks/latest/userguide/pod-id-role.html["EKS Pod Identity role",type="documentation"] must be in your EKS cluster's account due to https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam-passrole-service.html[IAM PassRole] requirements, while the Target IAM Role can be in any {aws} account. PassRole enables an {aws} entity to delegate role assumption to another service. EKS Pod Identity uses PassRole to connect a role to a Kubernetes service account, requiring both the role and the identity passing it to be in the same {aws} account as the EKS cluster. When your application pod needs to access {aws} resources, it requests credentials from Pod Identity. Pod Identity then automatically performs two role assumptions in sequence: first assuming the link:eks/latest/userguide/pod-id-role.html["EKS Pod Identity role",type="documentation"], then using those credentials to assume the Target IAM Role. This process provides your pod with temporary credentials that have the permissions defined in the target role, allowing secure access to resources in other {aws} accounts. + +== Caching considerations + +Due to caching mechanisms, updates to an IAM role in an existing Pod Identity association may not take effect immediately in the pods running on your EKS cluster. The Pod Identity Agent caches IAM credentials based on the association's configuration at the time the credentials are fetched. If the association includes only an link:eks/latest/userguide/pod-id-role.html["EKS Pod Identity role",type="documentation"] ARN and no Target IAM Role, the cached credentials last 6 hours. If the association includes both the link:eks/latest/userguide/pod-id-role.html["EKS Pod Identity role",type="documentation"] ARN and a Target IAM Role, the cached credentials last 59 minutes. Modifying an existing association, such as updating the link:eks/latest/userguide/pod-id-role.html["EKS Pod Identity role",type="documentation"] ARN or adding a Target IAM Role, does not reset the existing cache. As a result, the agent will not recognize updates until the cached credentials refresh. To apply changes sooner, you can recreate the existing pods; otherwise, you will need to wait for the cache to expire. + +== Step 1: Create and associate a Target IAM Role + +In this step, you will establish a secure trust chain by creating and configuring a Target IAM Role. For demonstration, we will create a new Target IAM Role to establish a trust chain between two {aws} accounts: the link:eks/latest/userguide/pod-id-role.html["EKS Pod Identity role",type="documentation"] (e.g., `eks-pod-identity-primary-role`) in the EKS cluster's {aws} account gains permission to assume the Target IAM Role (e.g. `eks-pod-identity-aws-resources`) in your target account, enabling access to {aws} resources like Amazon S3 buckets. + +=== Create the Target IAM Role + +1. Open the link:iam/home#/clusters[Amazon IAM console,type="console"]. +2. In the top navigation bar, verify that you are signed into the account containing the {aws} resources (like S3 buckets or DynamoDB tables) for your Target IAM Role. +3. In the left navigation pane, choose *Roles*. +4. Choose the *Create role* button, then *{aws} account* under "Trusted entity type." +5. Choose *Another {aws} account*, enter your {aws} account number (the account where your link:eks/latest/userguide/pod-id-role.html["EKS Pod Identity role",type="documentation"] exists), then choose *Next*. +6. Add the permission policies you would like to associate to the role (e.g., AmazonS3FullAccess), then choose *Next*. +7. Enter a role name, such as `MyCustomIAMTargetRole`, then choose *Create role*. + +=== Update the Target IAM Role trust policy + +1. After creating the role, you'll be returned to the *Roles* list. Find and select the new role you created in the previous step (e.g., `MyCustomIAMTargetRole`). +2. Select the *Trust relationships* tab. +3. Click *Edit trust policy* on the right side. +4. In the policy editor, replace the default JSON with your trust policy. Replace the placeholder values for role name and `111122223333` in the IAM role ARN with the {aws} account ID hosting your EKS cluster. For example: + +[source,json] +---- +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:role/eks-pod-identity-primary-role" + }, + "Action": "sts:AssumeRole", + }, + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:role/eks-pod-identity-primary-role" + }, + "Action": "sts:TagSession" + } + ] +} +---- + +=== Update the permission policy for EKS Pod Identity role + +In this step, you will update the permission policy of the link:eks/latest/userguide/pod-id-role.html["EKS Pod Identity role",type="documentation"] associated with your Amazon EKS cluster by adding the Target IAM Role ARN as a resource. + +1. Open the https://console.aws.amazon.com/eks/home#/clusters[Amazon EKS console]. +2. In the left navigation pane, select *Clusters*, and then select the name of your EKS cluster. +3. Choose the *Access* tab. +4. Under *Pod Identity associations*, select your link:eks/latest/userguide/pod-id-role.html["EKS Pod Identity role",type="documentation"]. +5. Choose *Permissions*, *Add permissions*, then *Create inline policy*. +6. Choose *JSON* on the right side. +7. In the policy editor, replace the default JSON with your permission policy. Replace the placeholder value for role name and `22222222` in the IAM role ARN with your Target IAM Role. For example: + +[source,json] +---- +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "sts:AssumeRole", + "sts:TagSession" + ], + "Resource": "arn:aws:iam::22222222:role/eks-pod-identity-aws-resources" + } + ] +} +---- + +== Step 2: Associate the Target IAM Role to a Kubernetes service account + +In this step, you will create an association between the Target IAM role and the Kubernetes service account in your EKS cluster. + +1. Open the https://console.aws.amazon.com/eks/home#/clusters[Amazon EKS console]. +2. In the left navigation pane, select *Clusters*, and then select the name of the cluster that you want to add the association to. +3. Choose the *Access* tab. +4. In the *Pod Identity associations*, choose *Create*. +5. Choose the link:eks/latest/userguide/pod-id-role.html["EKS Pod Identity role",type="documentation"] in *IAM role* for your workloads to assume. +6. Choose the Target IAM role in *Target IAM role* that will be assumed by the link:eks/latest/userguide/pod-id-role.html["EKS Pod Identity role",type="documentation"]. +7. In the *Kubernetes namespace* field, enter the name of the namespace where you want to create the association (e.g., `my-app-namespace`). This defines where the service account resides. +8. In the *Kubernetes service account* field, enter the name of the service account (e.g., `my-service-account`) that will use the IAM credentials. This links the IAM role to the service account. +9. Choose *Create* to create the association. + +== (Optional) Step 3: Add External Permissions to an IAM Target Role + +At times, you might need to give a third party access to your {aws} resources (delegate access). For example, you decide to hire a third-party company called Example Corp to monitor your {aws} account and help optimize costs. In order to track your daily spending, Example Corp needs to access your {aws} resources. In this case, we recommend adding an `ExternalId` to the trust policy of your IAM Target Role to avoid possible https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html[Confused Deputy] issues. + +=== Edit the trust policy + +1. After creating the role, you'll be returned to the *Roles* list. Find and click the new role you created in the previous step (e.g., `MyCustomIAMTargetRole`). +2. Select the *Trust relationships* tab. +3. Click *Edit trust policy* on the right side. +4. In the policy editor, replace the default JSON with your trust policy. Replace the `ExternalId` placeholder value for `aws-region/other-account/cluster-name/namespace/service-account-name`, where "region" is the {aws} region of your cluster, "111122223333" is the other {aws} account ID, "cluster-name" is the EKS cluster name, "namespace" is the Kubernetes namespace, and "service-account-name" is the Kubernetes service account name. For example: + +[source,json] +---- +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:role/eks-pod-identity-primary-role" + }, + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "region/111122223333/cluster-name/namespace/service-account-name" + } + }, + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:role/eks-pod-identity-primary-role" + }, + "Action": "sts:TagSession" + } + ] +} +---- \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-identities.adoc b/latest/ug/manage-access/aws-access/pod-identities.adoc index 229ea5f0e..a6e14b01b 100644 --- a/latest/ug/manage-access/aws-access/pod-identities.adoc +++ b/latest/ug/manage-access/aws-access/pod-identities.adoc @@ -14,6 +14,8 @@ include::pod-id-configure-pods.adoc[leveloffset=+1] include::pod-id-abac.adoc[leveloffset=+1] +include::pod-id-assign-target-role.adoc[leveloffset=+1] + include::pod-id-minimum-sdk.adoc[leveloffset=+1] include::pod-id-agent-config-ipv6.adoc[leveloffset=+1] From 035395d5fc52193772c0306e296df07e213f232d Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Mon, 3 Mar 2025 23:28:39 +0000 Subject: [PATCH 211/940] fixup auto mode and 1.23 --- latest/ug/automode/auto-configure-alb.adoc | 1 + latest/ug/automode/auto-networking.adoc | 3 +- .../kubernetes-versions-extended.adoc | 30 ------------------- latest/ug/clusters/update-cluster.adoc | 2 +- 4 files changed, 3 insertions(+), 33 deletions(-) diff --git a/latest/ug/automode/auto-configure-alb.adoc b/latest/ug/automode/auto-configure-alb.adoc index 5da5bfd25..5d98fa05a 100644 --- a/latest/ug/automode/auto-configure-alb.adoc +++ b/latest/ug/automode/auto-configure-alb.adoc @@ -202,6 +202,7 @@ The following tables provide a detailed comparison of changes in IngressClassPar | `alb.ingress.kubernetes.io/waf-acl-id` | Not supported | Use WAF v2 instead | `alb.ingress.kubernetes.io/web-acl-id` | Not supported | Use WAF v2 instead | `alb.ingress.kubernetes.io/shield-advanced-protection` | Not supported | Shield integration disabled +| `alb.ingress.kubernetes.io/auth-type: oidc` | Not supported | OIDC Auth Type is currently not supported |=== === TargetGroupBinding diff --git a/latest/ug/automode/auto-networking.adoc b/latest/ug/automode/auto-networking.adoc index 8a6cdbae2..7768702ac 100644 --- a/latest/ug/automode/auto-networking.adoc +++ b/latest/ug/automode/auto-networking.adoc @@ -62,5 +62,4 @@ For more information, see <> or <>. * EKS Auto Mode only supports Security Group Mode for Network Load Balancers. * {aws} does not support migrating load balancers from the self managed {aws} load balancer controller to management by EKS Auto Mode. * The `networking.ingress.ipBlock` field in `TargetGroupBinding` spec is not supported. -* If your worker nodes use custom security groups (not `+eks-cluster-sg-*+` naming pattern), your cluster role needs additional IAM permissions. The default EKS-managed policy only allows EKS to modify security groups named `+eks-cluster-sg-*+`. Without permission to modify your custom security groups, EKS cannot add the required ingress rules that allow ALB/NLB traffic to reach your pods. -* You cannot bring your own target groups. \ No newline at end of file +* If your worker nodes use custom security groups (not `+eks-cluster-sg-*+` naming pattern), your cluster role needs additional IAM permissions. The default EKS-managed policy only allows EKS to modify security groups named `+eks-cluster-sg-*+`. Without permission to modify your custom security groups, EKS cannot add the required ingress rules that allow ALB/NLB traffic to reach your pods. \ No newline at end of file diff --git a/latest/ug/clusters/kubernetes-versions-extended.adoc b/latest/ug/clusters/kubernetes-versions-extended.adoc index b2142af45..9331724ea 100644 --- a/latest/ug/clusters/kubernetes-versions-extended.adoc +++ b/latest/ug/clusters/kubernetes-versions-extended.adoc @@ -129,33 +129,3 @@ If you need to block `IPv6` for all Pods across all nodes, you might have to dis * The https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/[goaway-chance] option in the Kubernetes API server helps prevent `HTTP/2` client connections from being stuck on a single API server instance, by randomly closing a connection. When the connection is closed, the client will try to reconnect, and will likely land on a different API server as a result of load balancing. Amazon EKS version `1.24` has enabled `goaway-chance` flag. If your workload running on Amazon EKS cluster uses a client that is not compatible with https://www.rfc-editor.org/rfc/rfc7540#section-6.8[HTTP GOAWAY], we recommend that you update your client to handle `GOAWAY` by reconnecting on connection termination. For the complete Kubernetes `1.24` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1230. - -[#kubernetes-1-23] -== Kubernetes 1.23 - -Kubernetes `1.23` is now available in Amazon EKS. For more information about Kubernetes `1.23`, see the https://kubernetes.io/blog/2021/12/07/kubernetes-1-23-release-announcement/[official release announcement]. - -[IMPORTANT] -==== - - -* The Kubernetes in-tree to container storage interface (CSI) volume migration feature is enabled. This feature enables the replacement of existing Kubernetes in-tree storage plugins for Amazon EBS with a corresponding Amazon EBS CSI driver. For more information, see https://kubernetes.io/blog/2019/12/09/kubernetes-1-17-feature-csi-migration-beta/[Kubernetes 1.17 Feature: Kubernetes In-Tree to CSI Volume Migration Moves to Beta] on the Kubernetes blog. -+ -The feature translates in-tree APIs to equivalent CSI APIs and delegates operations to a replacement CSI driver. With this feature, if you use existing `StorageClass`, `PersistentVolume`, and `PersistentVolumeClaim` objects that belong to these workloads, there likely won't be any noticeable change. The feature enables Kubernetes to delegate all storage management operations from the in-tree plugin to the CSI driver. If you use Amazon EBS volumes in an existing cluster, install the Amazon EBS CSI driver in your cluster before you update your cluster to version `1.23`. If you don't install the driver before updating an existing cluster, interruptions to your workloads might occur. If you plan to deploy workloads that use Amazon EBS volumes in a new `1.23` cluster, install the Amazon EBS CSI driver in your cluster before deploying the workloads your cluster. For instructions on how to install the Amazon EBS CSI driver on your cluster, see <>. -* Extended Support for Amazon EKS optimized Windows AMIs that are published by {aws} isn't available for Kubernetes version `1.23` but is available for Kubernetes version `1.24` and higher. - -==== - -* Kubernetes stopped supporting `dockershim` in version `1.20` and removed `dockershim` in version `1.24`. For more information, see https://kubernetes.io/blog/2022/01/07/kubernetes-is-moving-on-from-dockershim/[Kubernetes is Moving on From Dockershim: Commitments and Next Steps] in the Kubernetes blog. Amazon EKS will end support for `dockershim` starting in Amazon EKS version `1.24`. Starting with Amazon EKS version `1.24`, Amazon EKS official AMIs will have `containerd` as the only runtime. -+ -Even though Amazon EKS version `1.23` continues to support `dockershim`, we recommend that you start testing your applications now to identify and remove any Docker dependencies. This way, you are prepared to update your cluster to version `1.24`. For more information about `dockershim` removal, see <>. -* Kubernetes graduated `IPv4`/``IPv6`` dual-stack networking for Pods, services, and nodes to general availability. However, Amazon EKS and the Amazon VPC CNI plugin for Kubernetes don't support dual-stack networking. Your clusters can assign `IPv4` or `IPv6` addresses to Pods and services, but can't assign both address types. -* Kubernetes graduated the Pod Security Admission (PSA) feature to beta. The feature is enabled by default. For more information, see https://kubernetes.io/docs/concepts/security/pod-security-admission/[Pod Security Admission] in the Kubernetes documentation. PSA replaces the https://aws.github.io/aws-eks-best-practices/security/docs/pods/#pod-security-solutions[Pod Security Policy] (PSP) admission controller. The PSP admission controller isn't supported and is scheduled for removal in Kubernetes version `1.25`. -+ -The PSP admission controller enforces Pod security standards on Pods in a namespace based on specific namespace labels that set the enforcement level. For more information, see https://aws.github.io/aws-eks-best-practices/security/docs/pods/#pod-security-standards-pss-and-pod-security-admission-psa[Pod Security Standards (PSS) and Pod Security Admission (PSA)] in the Amazon EKS best practices guide. -* The `kube-proxy` image deployed with clusters is now the https://gallery.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-iptables[minimal base image] maintained by Amazon EKS Distro (EKS-D). The image contains minimal packages and doesn't have shells or package managers. -* Kubernetes graduated ephemeral containers to beta. Ephemeral containers are temporary containers that run in the same namespace as an existing Pod. You can use them to observe the state of Pods and containers for troubleshooting and debugging purposes. This is especially useful for interactive troubleshooting when `kubectl exec` is insufficient because either a container has crashed or a container image doesn't include debugging utilities. An example of a container that includes a debugging utility is https://github.com/GoogleContainerTools/distroless#distroless-container-images[distroless images]. For more information, see https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/#ephemeral-container[Debugging with an ephemeral debug container] in the Kubernetes documentation. -* Kubernetes graduated the `HorizontalPodAutoscaler` `autoscaling/v2` stable API to general availability. The `HorizontalPodAutoscaler` `autoscaling/v2beta2` API is deprecated. It will be unavailable in `1.26`. -* The https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/[goaway-chance] option in the Kubernetes API server helps prevent `HTTP/2` client connections from being stuck on a single API server instance, by randomly closing a connection. When the connection is closed, the client will try to reconnect, and will likely land on a different API server as a result of load balancing. Amazon EKS version `1.23` has enabled `goaway-chance` flag. If your workload running on Amazon EKS cluster uses a client that is not compatible with https://www.rfc-editor.org/rfc/rfc7540#section-6.8[HTTP GOAWAY], we recommend that you update your client to handle `GOAWAY` by reconnecting on connection termination. - -For the complete Kubernetes `1.23` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.23.md#changelog-since-v1220. \ No newline at end of file diff --git a/latest/ug/clusters/update-cluster.adoc b/latest/ug/clusters/update-cluster.adoc index 5a1b6f984..7296b3519 100644 --- a/latest/ug/clusters/update-cluster.adoc +++ b/latest/ug/clusters/update-cluster.adoc @@ -91,7 +91,7 @@ kubectl edit configmap coredns -n kube-system -o yaml Review the https://kubernetes.io/docs/reference/using-api/deprecation-guide/[Deprecated API Migration Guide] in the Kubernetes docs. -* If you're updating to version `1.23` and use Amazon EBS volumes in your cluster, then you must install the Amazon EBS CSI driver in your cluster before updating your cluster to version `1.23` to avoid workload disruptions. For more information, see <> and <>. +* If you're updating to version `1.23` and use Amazon EBS volumes in your cluster, then you must install the Amazon EBS CSI driver in your cluster before updating your cluster to version `1.23` to avoid workload disruptions. For more information, see <>. * Kubernetes `1.24` and later use `containerd` as the default container runtime. If you're switching to the `containerd` runtime and already have Fluentd configured for Container Insights, then you must migrate Fluentd to Fluent Bit before updating your cluster. The Fluentd parsers are configured to only parse log messages in JSON format. Unlike `dockerd`, the `containerd` container runtime has log messages that aren't in JSON format. If you don't migrate to Fluent Bit, some of the configured Fluentd's parsers will generate a massive amount of errors inside the Fluentd container. For more information on migrating, see link:AmazonCloudWatch/latest/monitoring/Container-Insights-setup-logs-FluentBit.html[Set up Fluent Bit as a DaemonSet to send logs to CloudWatch Logs,type="documentation"]. ** Because Amazon EKS runs a highly available control plane, you can update only one minor version at a time. For more information about this requirement, see https://kubernetes.io/docs/setup/version-skew-policy/#kube-apiserver[Kubernetes Version and Version Skew Support Policy]. Assume that your current cluster version is version `1.28` and you want to update it to version `1.30`. You must first update your version `1.28` cluster to version `1.29` and then update your version `1.29` cluster to version `1.30`. * Review the version skew between the Kubernetes `kube-apiserver` and the `kubelet` on your nodes. From 0cc27ce9a8ce773b2516fde21066ecedf4b3be46 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Wed, 5 Mar 2025 19:30:36 +0000 Subject: [PATCH 212/940] envelope encryption launch cr: https://code.amazon.com/reviews/CR-181910184 --- latest/ug/images/security-encrypt-request.png | Bin 0 -> 81433 bytes latest/ug/images/security-generate-dek.png | Bin 0 -> 66186 bytes latest/ug/security/enable-kms.adoc | 8 +- latest/ug/security/envelope-encryption.adoc | 154 ++++++++++++++++++ latest/ug/security/security-k8s.adoc | 2 + 5 files changed, 163 insertions(+), 1 deletion(-) create mode 100644 latest/ug/images/security-encrypt-request.png create mode 100644 latest/ug/images/security-generate-dek.png create mode 100644 latest/ug/security/envelope-encryption.adoc diff --git a/latest/ug/images/security-encrypt-request.png b/latest/ug/images/security-encrypt-request.png new file mode 100644 index 0000000000000000000000000000000000000000..82051a8bd9171cc99ee84493f3e74be9794fcf59 GIT binary patch literal 81433 zcmZU)cRZV2+&_+6ODC$OEk#LbsTx7-nMAC_OvJ1`LPCUyS#`Iiii)bDMu*W_wP}nl zwc4r~TU%6#ps{LyFTJ1V_55D1-ycb?oa>x(o%1=L@&1e}-W+Lo;^_IKY;0^Nj1W*u zHnu|@Y-}8O?!!O}PVlZO@WUQtX{gUu_C(%?mk0iTCQ`m84@_{`%*D+IPa*_)Ujpj`|Bdh@4?o}+Xa>GfR=}4n@KKO= zR#0|^Tmdfi0s{OzFdnWZKBP;EaAh#$8dwErzHEZ9HZ#4XXaHRM`QSW&A43l}9N}Py zJJE%F&4&PVSCqe|a_wN@2Hr%1KhO!TAg^*w{+hBPuuKItHQ>(wZ4j=ga1DG7476Ff zc)AdM{y&d9m?Ff37~}&G;xAeLcjAK^9wZm9|5}3xVR&VE3z!}S?uQ7%0Wto=JE=7ykelYN{GI%DjXFQ01giGxA4ci<4HF1 zSVKj$3lwHWg1MS|+7ihY28Qx}D2N%>f<(cB3BcLFt-RIrlr5Fr%u z`b4;i1vWI)%Fh~uGQyFq3`vGCs5eSqAxO>3EmTzz65y|=4|hZQ8W@_QFDdGK0Ur|; zQxjkv`T;IrV8d`#V|k3R9oQY`=Ia*h26yo?@u7Gc`}sf(RKgUkJ*|Vu#$-!hjGqb# z>1~EpRZ}4XV*@ck?qD}BlA;pU%L1ns;ALcF6yl|TL8_RA$h&&_dg8GD09(U@RjfR{ zl`U*x!M46$Ue*{Be^)gx-vB>X1^+-5I9fgwnCpN65NJ0SJW&rC=&)grn6IQE+)L z0$4vR2<>Wa=tG3LDS2aXc4omQK6(USFAM|@p#-Xd0}ybcz7H8}fHXl{C>eSBC@av8zGgTL_?T|uZpdUF_EO?8*G9nnJ9rN z`Z$uRC&mouqlPpza91N3zzxX(#(Kd+7uyP|wXIfP}?Z!$}G#H4h@#K*dcFj#Kgk4nUuxWEnR|Kp?V}j2r!5eVge)DkknvSwn}PX4>F$QXXAsl03M-;R>I*!l>8xZte-o{${4L+ z73@t6HZeeZ$=mrFTX_+@EU+F5fo`}^;OY7yZYDS{1G1N=%YiVcSy*GqYMy8^JjBkx zh^%i3s3tg4Iha6(gWZ+LCSDe{zBUI;08>y=#45u835FYmTDpMMR7|XK6jKjZ-#|*J zvWahyzAD<%!VRGkC2rf7}|G_q7u z4hsl|8>zZmDEq2edMSq~m>KE8Y|Mf~O=JmF<4gv1$nCw_dtI$vYCykJSNab*~~W(1+Wgv z76P?#52B!9NOvQwA>053OiMu;5D&C~0mjq9&REZYi1JZZwFt&3%KQ2$9dHX7BX1KF zrW)o-FgCU_#Rk{`OMn|1S`kcC;Yc@2vmi@g7IT;Z)`B2!YvAvOA=@dKfb}R!WVn&3 zlBK^@kd3}|sG_2`0yxmx!%)o>qY4brSCh9iHdhQ%PzemwBU#HM(HVaT`TNloHws?5__&7(gwRAU0T2 zwNO_hlDnTi#2kgU#JU89A_L8VQD`F!3TcQ?_VEl>MfeyS*#vl5dDsQHhIkn1DVbuF z75p$L0~NIc&4;A8U{$>W%vIg3DSn2)*Z@@*D>JN*DH4p6hbyW1fjzwq6#Wz_b}FhQ z9B?1uYm5Li6U9!+8*1m_Bd=;@L-sXw^D49dn((=TVk)wB+N`H z5O@|E>=_D0l2qkYz(y`$Pc@RQm6 zVjM~&THp;;(ZL3$28s}@l9FPGzJfl<%OW65A(R9U2_*w03pEHbQ*_4?Er4^?_lA(w z^lXALXjKKPFfbHC(lau~nCYQi6XiNPdy1!Az8 zr=kiVMV3l|?j#@gU_Vlr8U}1*=R*onbB6=~xJExr^#Ce>5A^E)VvN6l1Ni?xFb@pd zEvG$aV-sUDg6dg^IxS>#JrHiKX(5#N8W;b2N{^FWyi?!Zk5^2-1GK%l5Q75n8Ji)=Ka_*vg>ZLc+&#OB}_HymDl>5LMPYS&X3Td;9AQGBp z^}9H8v@R-=*2#B`TbGT4_XZoM7#sWl?@~A6RDfOeBuVIRk4|3O_1NZYwxfpEzd8ztiI*#c>nnjQ4iPzLYckWB7nD}Sl9#O z0A)#MqzH5HE^`Cx`^>q3SH(}?WaGTarwiiw_(J}SI0b0%JsGnovmK)DUlLiIzqDTO zc)=^5A?pie`FgR>T?7bH&Bh*l`a=(b*ko4!uKR|tgHiUguN-~Z*Yw2%IA77&nSS3R zkI;k?HcceN?xQ)5Z48%Jeb&<~4v7eNsKX6SE?%TI+66o(9A)q3>RVD{OuQW2y(Uhv zlDwJ*5DVB|HRtQ{g~=;FkPy3nn@YOhEQ!RpYJQlTSH)dAcGJ61rbbWf4ClS^V27m> zA`7K;@MFZ5zzW)nKOA3=aDRB9iv}5L6dP+8fRg9_Ex^K#xJSzGlz-bx|BdOJjpZ{+ zO8I-RF;1KU&J!(t78R03h?pWbs4PAB_3g*8h%cC<9K1z2H!5iUanl3Zpn&jKw1I9F zB5*=_M~V>mFLQdJa$^vkiH-yDsCOagejEvM-F|g95l(4{veDAxYIm6EOs(h_qJJ6W zyy+YMj#mB->}gJ?)AeOyR7fb^Qj@dSn2jd17!^Bi#(><6(i0QmyoXpMK8mb)_FWx# ztfEBZ3U_GCQO)DUA>&Ky&k0Nu5M`zLPXBR$A;oGr`z_>0OWoy)ACBrQ(>7M~?sM@a zR%G`p9p_Mxx?e>bqW@U0nclr~CsiSLREdYfNOJl2#5Som9-RFs<&A=b4`^k#EHSW_ZD83H+UpRft-{Za(^Z41cEF~SkU$@gaQw#d~5yf?}HUp7u@fV0Yx!gW0S zyd5&1uWBdr$F!!eFP%;VCBIE8swsz4bJNR8;qk!V^c#`~LKi0#b1U7m*4~Hs{;+AY z`PNcMjL)s3(b20x?`2%p-9kVw-j|Ub%TPu+EV1>HuV}{(!O6-3Y=6k;Oy`_uV~-v zQ;u=)a>Mh|5sMl_-G18N?y4p&ap$t-Zj9rptJz9dmVV{hRC#4hVzjh0!ULR!SY~=5 zLI3hHi%p`Stn2*utSiKB@Ce|~_Wp{!NWGJF>_8mF?)!2alUtm;vi|MM<18kls_bw- zqc&Q)(hwWhy^XKGvzi<6296~rp z!%hB-uid>lp4fA>;0iB7G=`^eVSKJW<4wx>qN* zx;rO(NS5l@#yqdKqP-3(R~-Sx{R0ShPyxg>(jLD%M1DX1Pg!K_pX+?v&hzE#^)KwV z#i?!Ig^Yv_6zqq4Z{8)0YP1Fx&fcn5`lHpyo+`(?J1f|RIbUJ#{*}Je5jVZ z-MxQ*j%&fmow@xLRuJVlo5@z;yqNBvTy{rU-fymaJ$0a5>+-G5&m)jjoysUNDhASn zIPup~bbywBw=%Pnpb}KZXD0$n<-7x7D=d|sI}iFbsbLL@X6nuD*&snnUlFXt_51iU z9c#KM%=5_PW6!$}hd*i=HOam;bFQMP2bnB`q}#yQ|>JmvPJEgi)j3sQwhmhP_FrOs`>7^h2dy zM+s37RnsSS@FjEi&yP>&XMAzfuaN_9uF;$Zf=kLU%rNvmez3V*=kj<{+_buXtvnKvys=t;TX)KsjZ))c4RY2w)~-6gf33KGum9 zeP6S*GE3Qk3+L`IIrO$&v5V0h*Ic!i{%nosAojX;o6s8K7o2Gt64a&KU}?W}>#Ow2 zD*erp1hc3q^9SB2Pe@FrHW|j-vFQnzuP5B@O#D9!r8NXkm)h;RV**x!;R#p5Jw%b7 z3ybCJ-OY>TwL{^m4bgJpBV~LRwC#mO13{rtKf%a77Q=<$PZ=6F?@KfVY>F<&(ozN4 z%bq)>(Oj$?{i{ql`pu&9RctbX?hR$#{+<7A>y*6qBfRoF^BSfv?3HyCN?5L9eXSH# zg>#mmdJQ&<_XZA)pG(o4irw64rD{KN+*a}4E#@K@$m*6{g0j?tewtSB*BE}-X)$yE z`5~U)YjC3&=5v4|diB0dEqMSs&75rgVKA$q$-2?$DXKHUVgB-Q?N14yjl!OmIj^m{ zl0T03TV9Er`L^;QFKnYb`1RoH`%LtFVj4^A>rue6UNk&M6FMb443Jxlb0SwW|C{`_ z<&%P1CCu%;X~SLu&HuBg5=VrO)9KKeoju;KPjoh2^sr##1+J9hmQZe=>RjBvbHA|Q z;hXa9APKX+Bi~|g3Ew=ub^V1vhmA0~sjwNF(%AmBn*end{5mb|e0Z_=+8ZsFvz-0T3hPI0spZN^wXtxf^U9FPenIXbS+6{J`BKX0(Kn+} zGZ(QxCq45%M$JdMgTyI`r#nu@41xezgDe7oYpnecJ2$7q^5XQBi4d7#wg4H=(Ho0n zOS`p`=-ZBK5?0GE3v*L$6=u)zSA`dD)Jj}+%-LVjGc-%n>ucQY)ESDDn{;~rmc`{0 zt;~F3orABdR7shBD|zlkCi2_+vUOx(X%xGwY}Gn5r7WedZ%rV09?J5X{nXH+KOH(O zC#Fy7WAdK>7|2!kP0;Db=66n?QHgHHeV)fl!>ynLxnSt6uhxg+mkl-Z!Z!zK*ImOKR*#XQK@qb&p4kgm%a2u8p~Llw$F=EYsC1oxzyXG}<78${c{6OcYPX8<^P=H|?CWbPxJhYx-)kpX zzud#6vRM=h8wN|9!R#-Mw349GEyU`A&Od1!xGJ%Gi;c6AQ+wfj|CJv<#XBMky|SPl zQFNj3?VQ=Hta_&$)u?zfxDJyxb3*OMH58~ti{EH5F8uG)ZfQ3T085+*M8mc${Zw5s=R+LC+U>lRX!)N zC7jZDmjdtod1@I-Y#T+t=v>RiZVRlu_2b3FvF`DBLWz_1{e}|1IArMV4KL|w@sQ{!4mh=g{3>?FKf+>3`axC*2Aczz(qBj@ zt2#>VmmuePBQYGg*!Fo*L$^HozTaE&qgB|sC?SL ze@dS=^3jvEJKZA*bS*a_qlqbF`s;lV^)bO*k-Kqncw)}_3Uy=DwtGyvVtoLQnd=@} zh0&YEKgxBjyw!hLZYDDy`@-C5#(*P8mmn2RZNop*(eO%&zRVbD_LoGOnpHAdD@-8wYdk&}dM%`cYcek94g7qvoOumA&tx ztnJIR9bh1yBe{OO-hmuLjs%YDWc!^2-HnU9U=C@j#_JQYiO1`>{I|qgZG`LIZL~?{ z;-9|TO_|`mfb@wyvvl5LLwSFaSId*M)E4vjN=Yi zOo!)G{nz128!p7CC#j`62;LsBNB{rbav`sO5t&4}Vt~>{@|5MO?DQbFA z=(0ke`?5l7DzS&7Ps#d+0Z)i6MnG(Nk$jU-*IR)>f}EH8mc<*6_S!w% z>o;lry|^9gKm3%kMQFUk$6)6FsQt+kenLlDipnKxIH_%?;eqOV&yo-Ytj7iRg);7t zy4Pw3zJSvC%{ehfsa$%T^W({ofs+2tBcB2V!jfWx`?JAF(!)*DXCDM7$22S>+A9o& zDjZ=f9+YMcLd|J6zbjtRy3rOAw8o(Dxrs_p8-IfzoS)bGk4Ge+EVjwZhMXyyY*GM{ z=a{>AUHA~DAYqDT=Ds2SX%)N@-sUtLo-(~6LOlf5PK`Aek5q|S3bMbw`-yvOV=g8) zjj@qVuc(t6+Ll9IZGoaD%U(8qx7wH9RaqDBi2X^v0A;O49Q$>I^Xa8;vR@z16$~C- zf9ck_spu`YbRy@F&aP?eYHO!Vbvo8wFfS^aa%U_ zow9n($M-^BS_*O6-PLVII5jf#V8pDl2i)4Mt>UVbpRF)rd6WzlmuYEFQwqNiXg4j6 ze&-W0B|HMxo4j|WreeoKbZrimjZ`}V#>&k0tmffAX?%pP%+s zKD)V*p+Bxv{^*r24fs#gOBH~(;p*5>K&2v5kXlO zJ@Y#i&$zj(&jYM}?dvOAsmjuv9OnW>5-F{etJn< z^UuX+xib3HCz`GYw7&Ecs_{4BxI0}o6;f&fb%WJ{081XmAG*yk{!@C0;{+{hYE~Ud zf35j=S_Z(eN^v*tPA45svgUo(ro9*E^Y*S(E|mv)S(b=Xdxmd>A6|GBSuTKc-+U@W zkd^tE{Q7N|(DNMP)2RHt{;dXloj!;XD|xAPFq=*L5jW16V0THKy0f$~4#BPd>dBw< zdfA5o6ta5E^RqyJN`aFo-mtIYg5jzanpn!Q4RV5mbiUHte$3gFI5B={n7v-yzP5Jc zYf~T3#P(<}VXC9jcj7A6)v0M|Ttv2;|BWM7jqniV*DXg_o|rwSpo1a&X8CbdCwkJ- z{Dcw!i!{LPYUWy?dg7Mu0(WQ#9Uo*fF<~42Q|qxc&0aflKT#^H6~((ft7TgqLT?^V zb#8uGc;^x$-``ek>Fv|?;R(^3L*X?`YP4b=DY?>6ogU6G0ZwtsLIL>1O$`Im2fh?}-ZJiOL#EH)c!-ozky`jeNLNaXSBsqx^DrJH=c40Z zT(ZmXAp76Exr3$Qn4}Dr$q1>2b}rnxcTwPl4xroY?Vj%WjkIh}DoQH~Y;IQ2dQceO ze|5WfmlLMb)U_7=xIra4*TR4V&sbq8$_Z-DUOY(M`B3>!(%FLIa zIklLr6Rd6f6voQJH_Xh-)(!o5@csQAI7H`;?2)nGsu>5@FG{NKp5fwN0o<249CvzUWi&2HDYB>ml_t$J&WbLR&|>8~EME zq+D9-Epduol>aln4&~CL8tk3)qKu04d`4Q8>KD`qXN=M*`4IY*i&Vj(T&Iw_n~}YT zGDlj()+>w5$gmQvFIBVeS0qm#M}>ohRa( zM)}*buN{T7R?enO2WGTaKfC&$^~Cr_`buA>w(J))*ASi{M83Ajyk0N;COX$PP~uhm zn_ju-d^GYEG+`R-`AM}Jm8%{7xSCmeV!N{#vDb4)G%94i|3$Q~?WNOyqv@Up%F69D zcOVdqV9l*Wh;Qnh>0>z6s#O$3Y)v5JBve|&!8elwRix{zwtMVBa@mAw1@a##%S2|~ zq{|SLJPa*R<3;cSCPQLqoYTxU^Jt8~#czTgCh^zz@=hg6(xb!9UECZ>mG;Lv{9aLj z%yJUPKf?As%GsVe-Oo$Uo55CS%TUu_il#KenlH}%Dv+XT^vRTludM*up18S1czx$L z;bw__LTR!8-onVn!%l|(XpZmBOW(nc+6a2Em7v%|?-U2Ajsc7_^Ce;;&YO6q-8oCg z8L73_{~^fu&fHT$AdF-EU)F%LzTe_(WjCc#{}3aq(=V5L1$P5Z6(xJ+t={q&ZLG!G z5WmX>y%sl&xSP&@kK@i)>@4h7Ki$Kfym=&M8LLm-eFL*r+Wo|&96r};uXvMy+h za*X_Zhv(7xZEI068vWvHw%`e;`&UeJE(ewe72loKXlF^~JRm1slcjFNjn>Rnp?FnK z&3rS*cmt6h@sh}9xq;g?$RLuryjX< zpTC0{{wP2Co_SV1D21m?mmB=InOZqpp(TH>T z?eg1&ev?E5zRt1YLb2q_F}bAC9pS-Y5Cd8Rkn<|{Swp?t0?bJeM7&me&FOdNRTQXv znaxR}!7w*ZoHDa&u+f!Pdi}7U`tY)X{$^K|v{wDnTEk$mhc{^JY4|nStVw>HqE9d` zy))*}h!T`#`|0|5_LylPKR9y0nv|+^0Ryon&Jx7pYw;wBAFs<)lO$ZCCf&bGVN-UV zG4S&?6LG0T@y%j>a%YtGkLOcWKNn6nh zA&=-i)B>`wkIj>~#3^Ad0xuXDQq-Dufano+dRVd4N?hZ4TzhjcN zCpP?T`&gA$=#>3?Y4uCD#9Ib&x0Y^^(*--)Z1r|?y4+oKQyh4%jKm>WH>&Qr^WM0T z%NBy+q;-)w{$@whwJVzHq$nR-YJP-1nuJgmkMwCJitqm!$+{=XkRz0)Ci4RphcSR! z@YbeJ($zb*?Z4;GM373QYDd?tvzkZtO2S7I0U9%X+GcAeCq>6oBdTU|Tv4ogGw%_r z2RDAdRnonxYi|90tJ=~$18^@VAJr_a&A`^)1+N{(Yz;PhohYvVa?LMVIm$+vFfh_x;@&32Nb*kY0<}*H8|%l*a0&nsv{iW^G#d`?qJ9eK*V^LhAIl-nCBN z_)SX~d0#Sq!aR3B3h-hdHs};Zc8`pQD|+cYFe=x4MN7=h>Sv2VOCE&6GemSXWQx<~ z1THalSK&Yuc2QCxW%`iRf;Xt)%m?Sq4@ruMI`59@o_7C4F}g`tuQ$F)DO0N zEHnR{Z@3?5bJXyHv!&HSAa95LW_W6KbGUee_Hmi!iM8^Lqx8bzqS8})cO6>}W1|JO z$b->crI9?+uSGWMx+g_wIcqojI=2(BDGv1JpNWjly&{pEoLaUD>$}tHG1iwM{8w(+ zB3DCuP0uocc=CC(Z#4w>TKgmBDMzKHAIQTg|+w=%~{^OJBYSJ3I(#fawphRU58 zENd~C9m@Kh>fwK;%mW2c#Dqx1!n(*)LrX~*9Xo}oiEg-%U|O{+Y*2JT~OVbpW34JE6B=bxtlxB zaD)duBkb8kU@D1bs#e+3Q$F% zu`f`W+Q`D+dcUF5CPfvs1bB04hdD)FiJzY7+yQ1Wc|3-#-@Us8GHpTRoJl)|>Rg=x%6xW!PzL$){`X)=2Ke$}W}}QuSil(xI@%ydomSEk$jI<@){gcQwOo&yWS@3W9G8%r6L zwz1ns+vN)UB#5@qu$Z45AB@Y(WlD>gTmAOiBH~@nQAMudyUdE2*}>-X-aj|(8+31t zh1H+pp{D`qBz`IC_J`l_qf@Y!jWR@fl)TRmXii)~k7BPBz`-U!Al)LRu@a7dT6stG z8;sf#R4T%4x#v`B|EMJBF5pIA*l&jSjbyt4raGHMNWH-S|_e@*$AAw{! ztOnU9AIjsK89~aD-#TVoUhC9O6$zlK8^)9$0uJT``@*#lNM;6H7C;BeoO?|(wb}lX z0nlCh@cY@aZ`C_9CKDo>_m~hN3wyc5KYPpbjL3o6Sy9S-ykw?BxnSMcplbi#&Ml_X z%bqbq;neM_srD_Mt^tffqcO<@RV}4NfI!kBcr1t5#z{h2!aiDU~mnpUJ zocDMN>=O^$E*-+=Zgusn6_#PTO1=EI#2CJghFR-~&Q+-|*uq35*BL zMt9G~MEqfQs@~9`i%_FeuQ?c~x_+1qMs8MZy1#Wy7vg*U;A}a>*J@pcN3aE(5DHoS zEa}DgOnc!qzwtODh!{LScvU;siLvqckX+)vqJQ<=G12p@i=yHb&XrVYvHS3YC~IEB z>8j*Gr!zG)7;AReG13h#r~_N58iCam`pT_+er&lutPNFysap1HkA@oz4hoJ~Ozu7_ z8XpKZDA;+L(BiONLG#(s|0>1(;a}Yxgh-_sV=~GFdAa51;mzgqFVH z{Pe_3H(|fP=t`7AZMio>)moZ7# z8W`>T;1mYltAFHeB_8ea&E&W8!~L6 zU2g|lXE9%>MCP*=W@|;IsV#x^@Cre~9T_|wEvMZj^k;5M{dq0qBUc|2&GE+yNZ_3r zY=K3-y20qWy2`d^_e5t#^pz!p38XlqL6nTOdVC$VwuT^HYajna7hiZppW^!&bRkw3 z#}8E8q;1$^8Q@tUs$d|a&K%6B-Ml;5C_}gZl0k2p9MoDvQDTddVw_$}g%M(!Hzw+8 zBUg~lGRsbcIOWparY9S`MYq^O=zI%!S#Vq+B*h;XYDyKI z1QKGJK$$43*8YlB{)D;BknMW!)ebln(*w<#%!Os&YHVlSm^sn!&v8=KaJ8`MZkmm) z*U(m&a+lF$-|CHDMu*wC`w>8$-6^pU2uQUO@W}PJKV4`s^U6}Q9;W$?kseLfMf}F5 znjInn94v=|5qAseD_I1$sFPzJQUu1N;+kCeYT(LTo@2<%q2@(HQOJzX2yqvid8O)A zi_qQO8P-{4|-2M1wiCCbb*X6afEy6+ZVR1d`?@<9HTMZrd1uYoYwftS1~y% z&jEizpZAq`LynIOh3vxS%w--@*=#o zZ~a}P-DfW>_psI)RjnNfE0y1B%vAIn-s&9oyb_-2L^*sPpiB`L`@-VP&GFJU)2GLQ zd|?jf&!qi-hw=FWDG{IMq&y@(C{wrB-WRN$%B_irejS~d`zwCBrQS?k(PFZ7YetU1 zNS}Sce0_I%X?I%PY7s4$hT0yX7k2al5UfCJX3GT{oKki~PN(gkPhm)Sr|((z2>A$k zjRsd4YIg?M>#oexJHe7a#4|Pd-a{n-h^0tmlQl56<5a}N;~BPD$Yxx}rU{WYIUO$>#?Y|t}BpG3ss zs6f6jzbs}HgEXyM8;u%bqK(sVbskq1Hg319Lc=Af(UEp@QwBhmQuVXjh-J==+1R-d znY5NUiIe@M@a~5ma#~jjj=_kcV6TcWzlMgI^172YE#BWeX&Gy^d)4WKtJ{g*&i7{u*{5h;u`m78>qC6LXQKJ}=oV=&{NU1>>Xnr`cKV9VBvP1@bg zm6j0eVSOM%zv?5Ep%et!g|3}}-#6HHgRzLaJ#{it&0BKf9TI2xUlwJ*F_H49Z9MiW zO4dOxvu5c+I=%5^4P%jy>yYjCMBuHf;S}^|2J>C;PL_^#btiGW>~onLiZ$YO{l=-B zY_Q?8_Cij?`E*d+bl|xoBkX`u0qU`FH!nCnO`||os#fN0zK^IL4}N`=@wM=$UGv6j zW35SUCvJ1EaOL7?GQw%p{Js!}tjR%IB*rUl`*28|M~gB^m?KfjJOQyN*u>W%q=N<= z$XEY`RL0`{L6n>85_MPkI^NrXSb*B9kXU|aB=M;@e?Z0W`P~_=nGdYw#jo@aQ08R!7p;9=IvUL1|LP5mKv$T3zo_TXKIanV<_6FHAg^TY^9 z$%l^(X8T8_jN#j^H*o%m{B+LaU!wD#tN7-}mP|g4Cz_~bxt@Iy%xlSu)Ve=)QflKH z5%N-BbEaDd^CfuHX_&mBJCe3n-|Wd=q-PJ5CDV1LP_V(~^sY)l(IewXdN8fF{-UFO z;zxA9*>zBZ7*(o`yVnv>Fq$!f$Ra!~%`!hx^N+Aa;ajKqs}X4QnyE{Iick#tts`h3o5d&oA|*pJ%gn>|m^H8D%i5+e|cySX#&~FxSGU zcTD}M)15P&l6?Hk?TbK(_wCG%RCR#dnyU`KviVXPljN@eeyF!J@OH-6!nqn}37&N* zYr?gm?u>~wJ?}F)b*+2HtyUc+-15}vM`*#=s+L)@Z$uFnM=6k^6AC#D5S{wBC?f*^ zfKFtFP_vlmA5!;mwAcHaw!_WhRJtm*UE~UT#H&~Jz-tgd zv3d3}80#XH&L;^2nAGgj^1DEZ0$P$4{a3ODSFS8tzAk%vSq{_A741`ETlS-VuvkaP zvAmgBJ75MBl$X5VPwBk)RUZf&d_OEi6G{?l0GRSRrzfF4|8Qb|tJK8Ln&>QJ<-0rM zqKnUWX<~6e!F`PYc@<4qnE>KConFVs)II=wXNbYm4t`J~tOGkJgIPE>m^1 zA79mT6tFbQX0tvC;Q9kvEk;en^)gp5^InY|Moo4fNbV&at5 zZKULVAn>)i5TjlmUejoC=dpwYkG4$mUBSyC9**?k*xE;a^K%!@q9?<4Uf*CC&kr`o zO$YCA05yL9OTWCNoAr1{0PYN=0K;Xsx}zhPXJw%K1H=;}u8^Lh;9Z~cd^t@&@xe7O z139jg#wQV1ggLGp6n3lC4~^gd)(#*Z&Wp>dTUliFByf{R+fw5GXQtvGtBLh1a?zXI zb9-%Wl(wzX;*@Ex99QjV&-bzt>R-x7ruI1s$m3X0)z^RYQc*z9B*D&DiBK6~^59ovdbmBa}vek>>ocH(l zNxQK+xDVttSKtjl0KRxkwFZtFNkyXiWD-Sl0c5{+5m1uB+~shvD;6lDTr zx8Wcjc|qQee{{u<0Lfr!;M_g?Nf-yM#y+~7kb&F2_2i_XXc*eby#Yv$vG#IHY@J>= z_uTn;j47SevhS5B91W^mPpE%7T55{Ocy|APOImWqYqlo_>CG=Ar9Hck`4?*E^)q&L z9G#RRPv*)zY* zHVml@raqx}-FIv$A0`y--hgSrzfjz|U&X3LQ<&SiU2#)A)pUs;HByO5`twp67yi{X z<(^)^Pc0NrI&Cr=Hts8Kz){Gn8zSf}X3HW)ZRazZs&o-Lflyr;G$^6BW-_C_PA?GF9kAiFF7kk7T?)FyAe!9X-oZrtrVFyG&c89IR z0Z|s_2r5jRKdsgHJU(6hxb)bNN$$(hBG$=q^3K;PXtcm~qtEA%eB3+#1MT8-^~G5Z zSvVlQ#5WbRi*Hj-0LohbTgTc*Mpl}3ZoPI&!FjDR*M=s6{V5B|+_5|9_k=&!)M&3k znl8B&1NcF zRY1~Cu#4s#s)`b(PwM>X+sNPEyu;XBw|!AJ+F5>O)kj^N^0N6D=`e={-?D)Bxr=}| z6<1RivrwjWydj=>Mvx{nAe=A4T`eBdMi-hKMq7jAG&}oxuLOVaTI#0n{`7%gj^4h5 z=^E9kS5FlS-P@5+DlTtH*$n@{966HGc&0@$ej#X(3s;~sWxsNG{cYyhgwob^V7<-n z{%_GS4SjGkvZKXYNhyKR&u6Q&>$TptH;<=nHnHa>Z;oLLE})g@($=S=C*_hL6_FF8 z{$;<4^ZEHYtkxX!z`SvHfp^+|gj$e?KNExq&ZWDG>l0orZ4rwL6Cs$53;WNsA3VMk z*q~FNlrWy?OSRC(K8tvH|7v`%}&r)C(;UO)12ertZJL4Dy{!Vu_?a zxxlsdZ;zNI4GRwioa4ZEfx0|rtg8NAqO%&ZGAXNfa=@%qNZ8 zlFMzn^8-kw{RIH1{4W$Czxn3pjpD7%#gt2rrC=x_pYo(j=3b)V!y-}2`&u5f>sJXf zp}@jBc{L#v@5|)_pF?F~Pax@$lfnr*A2n+@Y{sg7A@Bp@kQv-PpB1SXmaH)faM~Z^ z%^$oO!-n&wP}{15h#9B7us>JjGx^j(-45DSz@#=5L)I=9){;k#~E zVxJAU1S%tgc^}hhB=<{5)@bkD*`-u5M2E5|3F2x( zvQpbCY~O<84dSW{S&Xeep73y5>vx)Y-&UF-*Z(cHGQQt;ENkOUegL=@0Ze?MhkNT)#TW@l}$gB?j3&>S0Zz(p1Em{$Bt1=S-;1~uP z>{3S~PgDK?@z8X~rwnzLJQ{GlXTUZsGl`=o6S@!t59f+5zxnm$GdPtB^C&y8BiW&# zlyMta4XydMJs(kE@9+k`9fbw6&tyQ@-m%e-xjRzz&!jJr)nJ#hjk2wbDpz}D z-}p;gfjCywXZvji)0j503Uz5(zhbP)Z%&p)6h9)IUU-(KYS{iF(|dz)bN|!&Yvf9d z(5|ec+z~Cd3(LMDkIf^G40Dc*c|8y{Hk)UCBMM}e?n&cq*1XX{2jl%&&a&V>2rU?Y?ZsQ$xvF|eJakywALh{ebX$y9d&}K@O zXmLhiI|X%ccOic8rmKaVQUo^+u4okS@qet;ZX#ldCR~=k`S;(TP-X?`mTP1; z4RBSLe=`uWG{I5re}Q+yFEiCo2O;=ie@!huvE_wOJ*rNyPe>r=}l32r*ceo4Wx1Hob_t>jM6EF_b^I5OAy#$qJRQ zAaigx9+6i?Sv57fvZ{cg@7t#aRD|1z4we+Cs5QsC||Amf`mO&0gUI z6{izvOIw(RVWPY2RXx=hmH}6S(!3(!Rh3PFlL+>(>(->W671M(8;LS_wbNHOMR*S$69=)p2^6J5PNBf$D^BvU0VCNDef2NIDjbbywtP0F+OpanpKNeAa5}&(gdGz^BDHYCMlc?yV;=Dc(Boe^1_kKC zUZ<}u?Hg|C*|as>9K0&GY<1S}WtiZ11^a7^H%v*5l%kW(TjG^0dkPRsc7*X(1*CS` z)ikw|+09f*z9^_;ecN9++0OZwi!lS{Qp7y%nUFp!=}?C`MCwvB81 z_c%9jPuRb1O1{|=rJ4AU#gv@!%kNX|Z1djR-`lP;^;%O_jHfgv*?O`=_)g>M#Lq@* z64ZPEvu*Jwp1xMl1*}%?R?dY%CT0&K-WMEF)K1@IOF8#^=@cX7f7l2rEQ&lhjmh7b zD--XrM3xbTzuj*v|Gw8w{fbDesMXYLbAn_x&~vVC4L&NtH3stSU{|P8Hm2Sc9+LG& zDd{TSMWY)Lxn7}qIRO*1&*?VcC)Bk`=K|S;%s{w1f*0JLh{>r268eNnyfZtO|=); zEaDy|7%X@2k*yIJjA{D$Hl1S?jgo|mM>~Skw#VYVB~Xc}*M!IELZ0w&S|6^oYx4Wf zq$+4V-@y{8r>dW%dGH?)_k{gVh7kZr)>XXYbPY3}Dmq{llVl{8MBi7kU4HCvTMdsZ zBPT%0A!Q8{Rl}OgS5`DyX?5{{5uqW>ZUSTg4@B{^N+ zL0h8dB!1EwfQm<<{}U?y+hYFP7<0qd)q0B7td zOq?ap;0t!kWsYa!O#hjT|2Tw?avviO;%W2oa!BrTc5j#-rN$(|gzwa8l$asl#qxb- zQcF@r7^@Bs4)oLGGeQkSf@FQHK=>j#=jDwJ0vus7z_=09-%8Yt!o%1ofJ%i5R;bfQ za8Pkslr{^|WI^H?&sd&FT)0k(vmoxo@34Wp69eBFLGrbnRSoV{#3z&B9o6R>mQY|M)Uv+JH2^n8tg>iAaNCAA z+;txrI;%GKd2ne63|Y}j_MgYNAaAz{B2uum&=h%@zPI``1wubS%A`p;XS1VG+^QwYoekU#^tk`37ssp^}uo9;qq7U_y zE7jx%oc(e!p9`$wNG>^;?E8a}CQ>q0F<$PJjD-nRJdo7m;ems0HabxF-qj0_Hbg)DV zVoYfBZ=|U}yui*cFeDEQL878yy+;!w*XgZZnK>{7j7RVzy4s{Vfvh%M&ljsCroR~j zpn;|tOK2o)td|Aed}VtWA9Ty;nW;?0eKswGs{qk6mnp&bSY;GZUX~ZJQF1nc*xmHB z&VZ1Zs&-qJ_YESS*B`g6oC^eI;Y(x;45r9M!FPdSK-q?=oQ(c}$cX<9iIRxbN!2{&jtkUkVk&TE;ab@l3)fFsCOX>_g$z*pjT(IK3+s+%w4zR@$4s!R;sba3z z>Pg^Cotuc>w{XA2zK@T4?!N& z)n2WhffmN!*}5pZzBJVXMf`G2g@vLFHhqiz=vu+%ETR0qC{-I`>~gsR*i?}p*NXFI zLBQN6F$g_7;<_5khnO-VtNy8n*=yc>YjiL1-6V-NXUax>am~SNkL&~9o$shIj~r8P zwktITXH5|8&Ni4)YHt?mH)h_2>HE%4$=BTw$G*Pj-@lB8F0DCkaIJYZ7;sw8aC%HJx-9!LKOGMezI7jUU{mLqB<{Xpd8QPRH%#@-psG{hR#thRCYayULQa z_EL0Xi=9d#24`DO=gb|wUhX8>J;2g-uk5o;sbQ6vC{0?$Pa?jpUJFW+XL(tx*Kc^8 zx{J$pbX@*U&C)N7!R+0gVf0F=1ghH)rhA9WBNz5opfcjtw&TjGn|3D_V;`p?<|v<3 zsI&4bEluauc2@np`FuiBen*3d(gC;TDD9Q$BULm|WncL4^x=KS^=7^b2Dd`YF$AK= z5rBPQUUEKNR9;r`K}Dgc3j)jb(5uf4-q$X zl(e$HoJB~_tb_rQdN(C)%I4-OpX%lj_Ndx8=+=wW-yXtcwQ;%ZX&pY&_}exdX-BDj zP2bU+9`KWh!e0$Jna4Yj1acvv74wsl=wY%=KBk@ULS44~z7C1+i)E=LbnR05wo|fa zE!9k!m59vw+X=kkZxaMsrn23tt=tVNoQ|jL-a<^bwECYwG^|gk`AVXwZFF9r8`p1w zI+S9DRoFP2l$b~4jNPv4)04c)Z8od1z@FsVsfigeKE_)y?MDJzeqQxuipO<;Ufs>f z8J4MsjJY<0Lcm5dB;t;3QJwjjmF*6ZGzbf=XIXv1?4Uyy(zM2td15{)BL1h{eDbK> zX79t^=T5F0x-Z7#8N%NPHVn+C8QiY5o>UrRXmaFz7G_Mv*0qbBGybw4)L^&HF}uIk zq5TR~yMNO1YV?h^Xv6n`ZFSVKdVtEjkig?go9D1mWU7o52AN|wEWxXmC~P~5cCT;Q zG;}Uks+>!YINV~h+XA*oVEhh^N814mHpyDd%elLGAKGD9rS*Cyfm-q#{#Pxw zm04{VDiDFq%?zW-C=v5aPj+s^8_r3XLqy4-6=KWg_$nW`lu_CrnzYb5?j+PJt()J3 zCwuTnzUM|H9r54^~>oBO&vT1P2IY%Y3W`?lPw5GXPhf%uvU;O}Isd6(b zkEv7mY=AfEHV|Ta^qG($%3wwcDyOD!9~^dwv4J7O7a+rR(P^E_3*#6-`9rd8RpGsqNh)MGbQrCQ@QNq+WPhsfp6}zt8ge1RMlDoXxA>x?* zH*~@^y%YSs<;Np_lK~!a$gD~vHN&w$*U0NWw<;yhw-ZXp6B?Iwqk>lvwr+Y9rwaQl zC(Ir!XZ0l&-It8s3R}CPeVI+?cbe?pI0;KxMlsgfdR1>^%S@sY(*lln;+)1lqrMno z-QQQZZzeli2R#Y0E$J_-ea6NnM@`f^gSh-+ZMX83k;{5?)9Wzo#_lbFkHZDRSMOsc zu;-?6GiUId)bH{fRs6Qijr7=RQ)}g$kpWwfdS%0(j$ilkjx?hlc8~5K)hr}*tMRA3 zq1^4e!D&T${PBDwO$+G4<}cai!fp;y_MZ&T*z>CTMs zA1C&Y8Z++_XV%{{iN9PzRm+h4tSnZbim<|=xS^VNGQy*BLvI8jzK3T0-jeHKwn3te zL8mb@eO!J=#pF>i9f&&8W`t>yL_{t7n_CB4&9FitOWC+iACB zAQ(%(!l3alOmRvKSw>$dd03wC;Zuqck4?@ZM-&u4jatxp5Pc=Tctir#!hugoXvAKl zr$YvwPv?=79LX#@&g(FCzTONI>vU)#_JyCKQAuAL`>@B*8L0{dBNzDhrq%XhjYZF> zbJ(3NAq^o{^iq$^{*eTdVbSo?IX|?zH;Zs(!^g#Sb<^du-q};W$5bin3YK$zPe1=g_kiFP%Fu zjQ^Uw=TX4ye$tE7-tx@S2J5V273<&%iJQ8G4imD}U3s?U`tRY=%WDXSMXIyzOH6hH zWN0{-*9()mw}V^LMi#;$B?q2mj~cLEO>@CNpw$L}mLjf1BL%`__h0t4f^9ynRis?J z)ZYQS@%rt2UZ26+xz|HguSTw0$-m?Pn5R4;DVL~?+B?@PQbH1{?;cuFHdsIH?=tRg zMhJbp`D!dlx@X5G(xCxqC?)bbJ=t*p&s59?RZ9y`Z&Mk~+QFRcu1>w$RIJ5``N6vJ&lQKEli@0?54^ zgt~+D1W-pRE%x#CH(|L?32S~EXMm21&7J1FntFq*fxYLmY}Hk6zes;pKASEYf4q$P z)fzShFRwkM4%;l#xLb)Kzg~S8*_pha@$sP9h^$+5)kNMd3_j^zFZ9&Ef$p#zrARo25Ec)N4XAPf93bhNaCkv10rOkN*x8;8-Dc~b;sa*9jeS0 z)9_BA3iL^0{ocJg$J-!07eoE+!`5|&(Acaw-);PL`vg~fcR1}yL}%1f6C!-d=~;@~ zx4yK2W-MdtTjfaa$7oHDtU<%)>{7dH-7DX*N6a@jw|*utNe+m^hXXuZHR~}pUSy`DS3D!xj z=Y-TH6f@{*uvZ;Txj*#WxqY1)M$wA6oRXMr#p&}I#1rmg+BP?CCKc`|*cb3iE{?RV z?kLogw0+Y>%WajDVUf*+0~H{&XrC{afzlThX~5}q%6b(&dX713Z6=i(YTUera{+$C zZtF5{wAB9jo5>yV-J;|{IVP7~^Ol~AQ^$O_JNs%@U`%(=$l$}Xb9`zuO%*rG)el8F z!j6B$tuJlJ-)!ll?FcI%evWI$!-QRnPm!Qxl~-!LPe?hd!)daxWajvUW_5?U{xHm< zHYEkqa5~=7Gd3J_61FLPHSVEmjB>-OS3viE9OyFTy0Ns#kj7-3slS~g4549WcIygp z=5b1KnZC>R>8mm(uj6@_IbW|@=PxtUSo|zVR#Q4pJ{Rx=(xKHhgC=}5-A9)D9S`dQ z5t;x#xL7(_W9>3swC*`k!&QaVto??%dyH!SC@mzo?m|lM=WMGTKa?UCl zc@tNB0ew=L27}mCvJE);QFa~4toMXm?pDmISBNsKc@``Rsp0w=HgxO0(S5u36XUe6 zhc_gnk^EzZX;?EU`_wiVwp_7N(xEJfV!Vi=QnXFa`NdwX*4at_i`#Bq<|<#&oLfky zWsHV)^0hG*oIbf8HwVKpcdt}E`wp!RTNwV~*v;+Hm?!j*&*OI7|woO!A-4~fmQ#b^5I0V~|8oJO3n$+jp)C+G?5M9uKE=Nn@O`vYDn zoEOe-Q+FNN#{Ecm@Mt<31ngr%;{P}xJ*$1EB4le#eG4ALUVYJbP};4+bLa@I)+QC$ z!cqpT!PHLD^!&ebxm3t~z8#%F9N$gk<_3FiYxi*N0WzN){5iiK*<^S+m~A z)U&2BL?$MAzD{9U*_FzEI=uB!iA~O7_k)A}Vcclg-GGocvDy2h-1ZWk<-doBjBWoa&3osxl9hG==Cw;IZ8u!Z%WE~_kq7lRzSZ_SGG27<UD7{KC^dBb>+MMnZP1jD(&7ArX%hmh2 zHx8qxezwmrkBn6#SIFK-k?e$f*!RQYf-6-|xW^Ajn4N7ZCh^thB{#5sGt7Ff5s_K8S1@_x)M#RHadbUbn61` z?)it$g%UGSPi=HL$1(R$0fVlhJ|@BHVB6UYTK_I?6_^Tb4(67--G2^vFClFt;kLyl>?WOCIVpMv=HVPCa!psA zg3ld_Z8Jc1l>nfN#B^q|a`74YbUDn0O{MMBwpWK!>NLx#mF^^f z0ugb&;&~-S<_7-S+4R}1 zCnyaIr)}0XOrt<;YK2=g%=3WXJ{<`^i0^Face_A}Y}_o~y$UcZZvyy(pw$w;AJJ0O zkOntomQbs(;aRg+BY1OBA^Bf3n_I=M=xbz^gpkviX?-5_@X(4JutRvd#)%(o(u=sJ zVZQhMuG}v8cAQQE674B3vI9W3YH&RUdRC~;D2D4b>Fq3kG;(!|%?}$M-@b3BYx@;f z;)XV$C6+>?RO#+Mfq%Mq`Ex+9t3@9399`?{%S;Zn=2eP<7-UA=_uWb~{0f~|ag<$V-MG;+i-zOAxVwswx6JDm-H2fWV6j(vYd(}tV)c!ap4^KX7n_voRPXq({&#HRBU6^Q=^7s$|w6gZd%z!)EYVyRxskH3A<8&;5%+FTo z&r>1$N)i}qu_=5NNmV+BEM^ic4?15d*r^rR_N?pOqYuoSu016`I1GVftj$zs-7p6x z5jq0OI}M1WhBH@>N8Z7Pfp8hcfO`}cR5&+-MY3Qj(Mx~z?2A}hz0T`?J=5d4u>ddE zJD*a?P3GSY+V|c;rGXQ^L-!AJ;RKtyL+hD88+b&Ew(;B3h?sTqCcZQHuxetcsIvJq zFm8;r#vr|6@hQLx1AS2uysra_*P9;1snXcHJ<(g+OcD!3bN>*V$1dBIr;ZC>bU>d) ztc`d6@IWS&Un?y6O8)J!goU@uMTMRAMCS42fE+75GDM->)fn#RE#{D$rEhD?*5tR+ zx0sjpYzJNw1T+~P9WQ=)pIFsYkLfjZ^_|{o=1}Aw+8Sz^UP;Ej=|`O8cnyDLl2AdS z6>N@a3f^3&enuv<9AkQj%U7}(6N8(-^$YPAkuH?1$KL}qr`F$x^^L7txoxBdyt#5; zRpA6PcF`pjlX3C})owb~)35--p;qc*qnpC>Nz+!f(cor*QY*dTpqXq?S=Oq<>)^L4 zD59Tow9ZPsm;tR;wBIVos5C(G9|lVm@|T=!(SYy{-G_BuG(HfD!VdY~gE{ALG3GC4 z1W*(SL#u47gJ)|leJnx=&u>QZ?Tqy^PUQzUT{pZLU7+LHFIeyjTdd#uGk4g6!{ce! z9oIu!(K|QwEk9Ko+Rkn6u;tlG-CtS43|`yT(&fMzmAE3_q#0)U?Rh)-ORs6brdFO$ zoH3P!ob?=|zmu>1kVZ*sLEb#BZJ&;*``!4^qhP%Ya#f&Y3CU;hL`~GbjQAF@-HRyw zthSv+$3%6uL`SLlgM=_9Y|HPrEWsGVjkzrRNX5HzE{n$HvvG#5^JlXy1;ANBzIzTC zdV|+}n~VGxvqj-axGZyG!p`%Lp`4a1Pq^@jOKaoYpU;}>RZ$HJ^Bs{ssy`=uGIcw* z@arqTT%c&6X~}H7I$HK<1--VqPA428zI*9#((%(CC2tW!tlyNL2g^4ZHrL63R7^l7 z(rFf|ku`L*@VNe?1)oEr#}VIUuPUKjT-wE<6nH2T_wnHZGqolgJXd=yb3MOI!qsA-$1dOQgnEASkLhbomVT5%P~n$0ms@gv z&^9``qox`)Qhoz@^d6pS{`?hN8rpKpQt%{sU_6;7V>)SqdrRGVPw=^lOcCC?#MEh%oMr=+}2C#iW}U`#5h33e!_L^;x89L}0-*&yn*-j! zW2!2lq+{G2W&9`H9p#Jp8JTS*f!eGlGrdsjn8^cI_?fU9%ATG-BLK6h=jAvZhpeo- zr26o?@*IB4)3iG;54S)99oJy@iWu=`59~vIRlRcc!>TIL-)?b62jdpDywTIX%Diz! z8Zs@S`&lhl4(eb7({>@ecoz^50FKPwAkYPuXU&pd>)pLHB3vT#0HAZ?sOFG$F?gPo zHf~B-)G=!PnAdgkw$64u{?Ru+ffbO46V$pr`()eZtv_rI1G zJ*c-bbIG2CvK2p)v`ICCf?GA+FNL7o>x}cPNu{LA9@D*&P4g3yAx*W z^@Al{N=8!S&y!I~56Rq?L}!~FtK!Q@-tc)j9jE&T!l#bi#0a}3V~~k9>mt|a{l4m1 zZM-0z_A)J-^vqegvu)E&>H-xDoek?P9i7I8t94|)1+5E(rv4^B2g=`4F4p9X**4r) zM!4Hm=pTcXEbCK(Brc`EyKh$%yxU%Izm*Z(V6{X3!Zy)5CGA|^^iV^6@H*RvW4`zP z6mnU%h-G~L*YwrA|jsKU4(qEjogyDY>i!{4ASvC%pGeZ9UrfBEVEt(c(E?oMR z7=QuQ28;(sf(d>*@j_+UOGqiJspSDwNye9^GXDm;6y8Y)(0Zj7UsLHsmL7sUse6Zi z{0c6$MQVxr@vud16(4|Rgj@3-Uj<3Cucm*X8k|A4He%fQUiSSPXn*6JCq&mcyki<$ zm8pR){>%+WbOD5WW@h421~Rcp{6>ZVKd+X4U^gX_+XQ4 zYC4eh&6TAB6vgnX{t(~>vUsA|Hf-{r$@q^$;Bxx7*9|x=N-f?f;GfpgP{yfwOMDH3 zR4*$4UKlP9MvfUDGJK4aW%b5^1th>K@*zuFA0pdc-1Lunj2o3o9&{>AZ_3Q4Azs*h zF8@i{kO6AP6$lcVA20L1eJX%7>53x9AEh=Pd?F!e*O~yNaT-o~yBo}VmthF^p#pCh`isHndksA815heBfssKNCld3WGxxDrW$Tjjp+vLTp2E z^)?m&36{0^=yn)eBRcE-Tb^nGAe^v8)%-!AFp3?CiJJhep$7?%9TEp(LY4ttiQwS4 zAK=~3?2Nzpy4)txq(zcrQ0OLqtq<+PRklZ_G!q0)YCIPS`XQx&+#VGyw#fZ#ndpH~@(Sc03pe{tcM4I2lzg0{-?cJ}x@K!NVXA zRfEC%Ayw~_%Lv0vA9jVYK51n>oGZ~aiqmO0ciy;B_o%&Cc;JUwXJq@mKus&Ibhowj z3X4Uz{k~dLvxP=Ic-w4vQN1xvIp1)4OBB(uUb+_v_V4B9ob_BF4k1zr8bWXwkOF*p z5SUSICbB}y7qk^56Fz3qof~`8j)ONje;i31gb1M#F{&GQ! z@DE&S2EfdGQdCmJ0Y@{yc9An-qXsxrA7vurtUv0EE$A;aEK_EI?s+#JjQ#lnY|a0Q>e|5rNy|4_C-F`vG^J|1W$mZaoMN=l0073_^? z$ZGpF#2E&)t4=53de}ou%_+_TRkK!~IUQhL_3iWd+7QuGHTKzd3=yn6-t$G!AtT;N zVE+4qpAZwT^Lf(MiwCUHXX!%7y$(p)T`$b}9R)}oKR+Z{PU|g=)46PfT^y& z%NvUa$b9C#QnqNNtI3-<+c3Y41u z1<`*m-kZ7kyp>wLCt1v?n0ZE|ysQFrW719hWAcbUCpX9cLcN){TfLTg_tmf12f}fc zf2A4^zn67jt{0!-`6lAHc(!2!h;Ky%rR%k)upe-O|A zSK@)6=JLS;JQ?$6amGs-Fv#^5X*SKr;KR}d#ebb3fr5a^44M2t*D|DpSif7N}k!%;+olK-YE z0bmvOKc8AX1f?Mn&J%wTE>0W>Hu-;B3#j@GgyVdy+bTF=nf!U61PcCPvZy&9eQsC| z7kf-6Y@?r?r222Ff#(xQ+><6{lZ5}*xo!Ldfw8#JoI#-UhaYr`1y5rB zG<*20682EhQ%hR?{|Em8J2iBBf37J0c+cgIP)ujAD-4 zBj7+{3+uIdj6W?e9aUFWMbpJ_aXcA(-zS6m!TTlovkvEVg9@*IA43jbDV(v(GB3qn zLEa8CZye=K5HBYk9 zsdnoF87+ilj5qAGcar{OBOq|#bK~A}hdpSp&(;ynw7k^!H+*EJUbp!wwE~Y(?*l!; z17@C~IR8r)|5#W8nJOt1*SIEyJp)_d*8FL^u$>>TKI{Ck^?YT% zToLnl5H(ldlauTiN3S?0FVE=3A@D@FZjzgap#(QCLUkd;==`PRVFvk%8|=ibV4R>~ z+N${KEU8;BOvT=#O28IBCIi)jQ89iBL}UBSoM{~I4;cmjDWeZKk)A}Nr|;oIP!k>d zRw`1n|~Y%sp4l#~eG;(A(w*dl6pZwDs!>_I>uL_D0L6)oG~e zy6sndsCc1b&!d91sqqF!&ow8{wX4vZMuf15wmX#tz4mFSnX_FiW|yTkbxVKkmpTTn zz8Y8JzCyR@{@WMASOHu=m=tV}0Tv~N%#!-X+>z;g>s!j*$OzBFti{OHp@fDHM-%ZH zdzbi}Wjq&YJxxXq=g)iR;T>M*9cw}deAs=yEV;aSEPB4*VAplLdP}|FHw=q{oi!3l zMqbfhz!%wd>8~wyO_SqF zSC;%hJ_%EU{ zKR)-xL35(dxFx5B=)<9BWe`+ZP^Bf|AnJIMwPgAAMC?d1Nm7^ytC$HdBqASf3dYyiRbfD*(ZYs^TG_C<}bDDwRZ3A@6qF-E9O=JKO!3 zZEnpYHprQBpIv-;;p_k{&+7H4p?v8X!EjpGX`6kxeX?n+|JTaG zT4hWQp9c?Z-NGe%%t4w|+Buv{=?3ON3VU#MK9SoV-7ehl-te@UHuVCHtjIh(-TkP* zh-rr{7+z7{jR4y z3CXTj7aXhMTd6PL6jmu}c^rm0QlcD)A&DxHH^J^fuzMRD*D1!+j(_BZ4RO>hGwpW9 z6@SP%Kkvu71Nly;FkfRZ9iKX z9weHmvn0l0qAy==Lg04he&TrD>yd~8!=rC(8fW8P=y9c}Ie7y%OiV7giYC~01H-Zn zmw2JKl&tHIifoyP=j7iV(DA6}##usLD6xU`TuUh2HsrSM^pv-Qo(Hi6EM`H_>l9tJ z+LPoFdzBH)67-s3EYADA_zl+5*Z3uq+mE)4u*gnGHpimuedwpX=^`740u6~@zRZW| zEEvHO=Dk2AI1IA|vuij=u{|uhlo_TXY@bj&!$Dg!;HQZBd62Rzj`Ww~iSRmKZdvRN zF+9wSQtn<`6X|zR)Hr99U+C{PK-jr7US#H9s?u9rSd%=dRyRDU84p9ss9t;fGUCHs zVD(^$IEiO*ex7I4GB(#VsS71Vg&tiN{wZVQv85NWy8TlbQ)n*1d+xd)ljdII{3vO{ z6oX!bU=}+G0tEU!5cWzQ(%G>6xRPWypl?}c{Z*t0FDxozTVR)rN%RA9@oMH_eqL&# zaNQy)n@pmuz!UPOwB{;m&jVpE`_}LeTYHDu6H?LUWQHOj!DRCVwkk!3;Onb~nMr);msPISY<5PVO z!{bQ}XO?hPm84Al9OI!d~KCnRYW6j><4Mz*#&7#q`H+b zX^TJN9s59Xqc7xqLHxH5IU{j+pm+K8Pqvx4LHw}EUYmGet-TnDH?mp(u!$Oi~i5O7&l5=~=HnNt1GH#wS%+_ssdbMV}9>E=V@g=ugI|Dc(qm09y z18#p(Zk0l|pHftBut_QX%o!ltffBKKL;rE~$X}}sf@^tmJPPsF;f-dKWosYgdvHQd zlY2(wQxo6eoMh{TnpV2i$}sazFpU zSEKVF{!o^_x5Z>wW1?qF7DY!zFgzcE;{NQ(h)cIjc@r&aK75nfqEbhqR zZc|qwm&5+%TV~fx#n&UF(jng#WE|k1|6H=ov4UszJiZ)JCJD@SkNm<&%wtjF3;oaw z#J6xK<^IIux8S{4fp@(s!0W$p7kHJdZXFHQ^gd86Ry(%Txc!L^Nyk`*8Y7Aj3Y(xt z&bx6IdaaKM_);M~b3z8?pvyT7D($rV>GZFUNo099Zc~Wxlmp8x&Uv(P;<mMik#eD?b;#>?S@-5&$^}gv-mdq-uV8 z_(|ICx z+U#BjN%P`VSzkhWR7mD;F6c32D=Z~li?NGtx$1~!Joi%)5x?n`r`BqlnVGjz&9!+> zmGHBb`)+EW4YUfji)yg_kls|XcaCC=Y>aO%XC#QVCFajFmYsaa9xTv5|3W)gVB!f){f=@I?G@gCT9hG|MIn)-Eox`G8 z5$Khz&vIXp2RMJcN-ouuNh&K(_neZc&hl?b?eR9UE2|}(mOO4=M%+ev`#zg zG4E57LJme5D_pxR%lIl$*-*3R9VJiHe2zPEIE^_dT0WV&Of-L+BU+Gi>h?!#$}UPI zl1C0{eQ+Le-Wid6Cpw{@0@JNS;hL9o#@#=@|M^}Ym1V?2SVUkthl8q@;UlW9AVM|jK>_5`w*=5kksCAHEj?yD2DnDQ6Td8jQZzY>6+9-_qNuA^lhaK(`Zyom)W zo636o%2pz`C)qQdG61-PdT@3MuseQbgJ=A1SE;<<7H&(&;qqDqZTI`ySyLgaNn zqFzl3#)qsoX$0y5;R^2(+wm`u?$K$4A95)auDTGY$Tv{ci&*IemIwA^i-Px3Z@1P^ zIn1he-Bn}fqg){!XI@*W4WFRHp6 zo4;RRe`o#>3{mcrA&EMaZ%dFJ5j#J9-d%`Na=jypRSQ%J@be(s z4r5g9X|@~2?7S1FxQ9D`|W2?DPw{qK-F3f}v$c$!x@nkr2fcYST z`yj+%`{m-tfqH0Hkn`HmK1$a>>>rh-W=i9h9O7u`e-!sLPL&+ zSEWVp7WjRRX85vaO>ANVQD7B}RRST(hMSRWjA`~nPsi{y4&>1XC-ujfmQay-=hNa{ zWUKH~n1IU>1^q>x>lqyAKK6y%@Kt8L19EYAvyf515IsCW8~Hk;&{t=p!z6 z6TbOp?8aFN?qE+BntbyZML(?n_PI#tkGml8so?S+P$ske#3KKIpwm<46bhwZtO|s4 z)O=AkZSB|W6bsWauzTJQjqaZsV~?uSUzmU;Q<_A7xJpzp47@U9mO{2t*l|UPL_Id} zXLcITSt^%^Q=&2%B{*FN1-7ER}H(aV} zXLqj7FK~bSK-smZa!rI#ZiSyD75=V+(~Ft5OJs!mMS zw%D1{H^W1F5`WYuLqtfOGeBt9+maUYh^A{ClO{`8>QA8KrUW7cyX}dxr%sNJ;f0G7 z+usSs{BR;u=lN4)T}-Afg>acqLlTa4i}`r%aDT;<$>_>%KIwp9h}hX)#*Xp97UI3(lvAC$m7%Q z#ouEh>Iy9hG|Kj0SPS$gnhp)>dZ!vp?dU8VXOLRAgr0c?5{96%QyEtKn2iL@TBKS6&4f=7xsACpdmF`JX@j zBG;XimoeXc1Lw%Pq| zm7&-wKP9sXB{gvaQFY6grT#q&R5LiYF6QF`t^bF;H;;$9ZU4rjDWe5rNsBCFkP?cr z?}Hg@T$PeFMY1-?Hg++@8A7A zujh~7>-)O?x~^(I+i@P}vAmD>ah%VpxoU1O87y}nwFyIMc8ygA?v-X*9A^;rJC$># z=3;|cVG_n{RMw$?`NPMPKH*Q<%cHA4GS0IN$fq-NUH(KB5IgoONQqK~6FcH73Zh4S ze<$gb``xye(WtSV!$&~&F9QM$QnlM%aO~Ls3eP%ygGasEd(Ks!B$;vI=P83u^mP)! z4EYGLH=Oq{bFi#oq6v*i;u`v)i^>-D^cOBD1WPS+H=Z2@!8&^G3|71(spwRJCtT;= z5FAX1SeOVsN>vJZSD0(R`~+72iPvXA3P*I=oZob1D8Uwn5e*gz!ANB!uAD}Hiusu6 zdV=t6m?Ub*6U{_->|8<+VPT1RW9VGJ63jc;ndY)`u!{Gl)CZw^0vDL+-N;tWA!&q4 z!m#|#WA`$C6II5Qd(p{vOqt|8a!v5Y!K-ZyXa~cRK_RAV77>I9-pFfOUu5?g#GJB+ zjo9u3ebVsWEmZ}kP?lU_ptUB~wB(jvv!m~J?B)C!Png41Djz?&8J4eS$rP=&b=b+H z`i{uXJoAqDx(wIq2Mr}5>8V2j73d0*%=J;ZMgQ&UV)NBwS==(zKVO8casdv+?kMJzz5KB)l5GbUL#rz44u2EMav)Msv%z z-)%MK)pK*{7RxkYmnW1i&G`#cZb#yO6H4a++2MDvcCTBn8_+KTOec-hr3gaW0U_nr zAQoZmk_5nG(x^dg0TYZRN^!k4@^LT@i9wvCxIUNAosm^NEsP*otLO9AzxyzqeHP}l zuA@gIngxzK1~(v4$Y8{b7S+!4L3x||BrAvB7V=TYV=MTt7pumHs`}Yibo@II%F4l7fAws>>VQ*JFf?Vx_*!I ze+uRP03ns2{Ja`eaug3KbsdEMa28;{A2Z*)IlFra{hu!RtM3yx&-(~|4#84@7E^Tv zml+e;57IgCcRecpm#_R`o6m{P%D+4L?0zikHAX17>H1f}=J!HFh<0(&Qq%7j{7Z~+qDMB2{g zn3F`mz9=o(HBpGPGT$&ZQqAS8h<6bvGAk#4UK_-Z@AM4fofV~d@aD9E+Fv^>2GQW} zk_!Az?6M~${^g9***rcUG@CC0bL3BQ&y9f+QzTUAJJ#3sO$-zf59%+kp%n*`IhsSA zaL^6cH!>HYC(Lhs_T$-Fxp!=i@~vMcUS?o7h+hQ-Rp(Z4uY32#qSJQIehFwDLrQmTPSMOocetmsRy&tdC~EkD#etO{J3cm%zEd{_yjE8i zhO=qB~`|v!z$Ma!??cdCEw) zGA@{K0T~d7aE_4D$opsDg?akKUySklc+M&4XAk{1962tYfxzoKs+9^QjMfnti`y`h z;fU5V|4c<$UkDCrt6q>j1He(%7s$c#8zD_vP|Wj$#W~V3@H#*1wPSRh9#%{L%wqgu zuNYT}mm-=ULO**2FPgh*SwMu|Q4rSqEXksS0K2MDd7=O4r@udCm&5b-s{E~BfA5vQ zE!f}2`2VI~>51F3xPacPVWW+UN15AO*gXmBt1<2vkr!$H@pglDpf=N%5r7S1j17YJ z8_sd>3*3wSpM=R}6k5hl7}`K>kX^Bgr(qtacT)qVA zl7q(wm_I!PrvY-bwEAAmRa*wg`I;~Gx5+AH#YK$ocXBo@Us)>N>cD)+;cU+D(wjL-i%g{&r<=Uqi9hfQ8EjLZL!}Y!lOamdqn*A&HLO+>hOUcVa_dU~Ni928f2S zv9^;4WN9~XQSK}#l%Ato>AP@0)f6I?rTTj>)s%M8Im&=IVVDtsI!9NDjXpPs3<7IE zPy;bk0W6_WG`fyiN7XBQV9pSa2Z#T-`4n3V>6y!rLrd?>YogXv^YYNrJ9tt?@MV5Y zS(OzxtY|FN7VCSSJQh=SjyzNHVVpC%6R%OxA4QFf*_=5Vn&fV)US6Rc5V%zrp#YzC9P=V;zT(b8;Hrh5fzy?WL${mx~i|( z6uoVTo$eFn{XOcnN|^-<+bGSL-W-W}AFLi07lAU@rnzIe<6x~`#>XO26V-CO8kNP-1I{X>sG_zjVlTIJXyt?Qi)#4QnZ`GN6W@4!`S5#(PPHCbF@Q!c0~lC<~8i)54~IUik+XU>Zf4>tOjc z7ey_{Vw9G`v7)I|zY@ z3ZlxP^_or~;ZLPCPduc$R30CHW}>_nk22B;+_U*vkDykGKD6}>B{qpxM^C#5 zt;OioiF#HZJFY5~)>p{3#$u<`$rwZ!YR}?cW?8?(Lr2;iB77lqQKvNK)m~_Hsa1+( z@Kwnor80iyp;XW!BO#{cb7usK?-M%(*CJ5*vkHrveH4Q1PM%)y^RovoBIXbr$Ex*F zYe^^)h8EdJNsWO8#HrC87#2p#&GI2AbGGI2-I2WAyrhoXR3A8{)b@TL?`n0BVtKKgygx(W#jR(R?1+=*2m?x)%2Ex_ zYRGxpa&e{Y^4i&BDb9y@rd!?X&2;Lno6DKACSK{ure%c#ZK|8^R=)cVFk~HUUwhBZx}(CXs1(_KADe>sC@Cm_88J$ zupNu^XriMtm_&~+a&1!D!%Ddx&&wm1GS_hL9ToZ7X1a1}0o$l$;GFhf95%tA6%jw?DEy3mX>=sly|`V8g37Z>C0P zrxxo?NPN1w()7R+joS<R%JlG|=%ehuDprp4b1H{g?R&|*5x>ti9`|QCS^fIfbHq0HN z5GJec@hnywi6{-r5Dj5xfk$T!^4>iX&D6@Q!hY`Ly`**&A*Ujd8fN^i=o|!ZuP^{|L>em!PJi42$>4srv?6Ua}^+x?0=IW?1&q@9l{2s_BJd?1^whnou zOw~+Qt@Tm*Gl-SOeaND>po{Kj3+>d_PW7xmmGQSxZBRzV-KEsb-Tx_`vwHP&j?UfD zgQ3Fn87&Obi@J2^pM3{Du&jvnhV{tbK#zX9#xl{AEQCu{6C7n4xOFNkM`^PrSuEuJ zBIl>-G$3fhT;BEHM8BzLNAi>;e@r?9pX9P{`q`-<{^o1#wx-3|-djSzEglA`XQ@iF z>nY$CYY@(n{n8{^UdH4A;HDOW0k8HDo^kZy(TEo9_Nh!mG!0n(FRO*3(W*adWuqT& zHe|Y=+V?pc-rtAD1(W*@{1gkki0G$MG#)+IVGGeldn@(TljPo(Ix)0zM@JJJ+ft%- zHfw8TRgWJE9zqg#TuDx)Jl{X!RtSmiep5Ew9zn zBkHx6Nxo1-y@Tvfnzn&VZ^BiURvGa`N%M!8{uP;-*vl6(_Y5iTYxO!JIE-A&S=_g< zwjw)J(Zy$actVS%P>7>j&@0tdDJ%Be?AO2`0c2-byjY0LzB9pd@3xz}*#7hhFCrjjp+4nCK?rU1WV$aaq9fe?x9sRLRy{s*Y#~{Bp2M z@K0=pkg7=Q+sIkrE>TbD5j2jJ7n;G+$aTQaoRDT|3lkT7Q|pnQ*Qk{7 zX+!w>^ROzyBX}Ix=mzn1bG|CBLQRZ-Tf52X*{dJ-xnL=x;Ru3^rBhRMLEpox`0|l?FIgh9fUmwHO*=J>QXMo_TdP&5XfO|7roMTe zH=h_Qc9LncTNlMc;TQnr`@)1cauG(c0dJ`nulhxPk?4eUK4&k}p7`a&4eBi+DQ{r` z4vLvb{i2C{!{)GZ)@qVWjg;totGoN+D|vI;)t&^LZoU#=@+sN zB3}u$#6|PhN3RFqK8wyt(>p2&c@7L@h7MMJUBK9(he+;KYZ7vw6SR4; zNrqYo4RfVMC%m4U96<@0uep?-GR<%kc2+GzZzc;8V@9(GJ6o=z znHTs37((|@b5bu0hEe5>VE49lZY{q(!2O6sz#XWP0~Xeu)S$@|L*2GoDW{lj(Y|=~$39G)&u46a>@rGMZhlT4VtEL6#I>)CiDyW< z?6r2E5w#aMsV!_GqGg;xiwHZf80^+obBVj7bWfq*JsWeB*vi2ui3&g7%WYqI3%^Bv zstGigN?#@BGn%;`0-IbG;XGg}S~CO zsp_|B@YW*_vEF+;uY398mTH}*a+Z?R`1+SL#E_q>NaV%VIf0u;hnP1Wg^s(`7h&{x zus#b)eRD=w+^}P#`kpcIJ(dY&!-P3P)X2|fWaT%eD&f`%lgq|!L>5!M1F>_HZJy2+ z%37?VJ0hxQW@5f2-Ek0&&CJV`w#3KOOGYQ#Xg_wM#SAmA%QG`iDik&x){~T9++&c4 zxeGH^tgTogos0SzqPXZn`(pL_DoV3GEe_j+=VO*yn~`xpK_yW4cU+!swAKfiB3qdbRx`zsYf+0q3;N0H57Z#xEP#rE3%I^kHMYgyjOae zKUCUQ`Gpbk9^yKp5W#>D5QfL0kAIUoFsyz`BVQz>&XbAbs0$hE8>wd@wncsSTLvCc zYiXQO(vYr-=n50m9G^D76?W2BW6L%Kv)<_%dN`8Hn{Y1r$zDF5S$J2$yuTEu4e}Ky zx1>TUcL-Mx{0-rC7VqZpH`V|}+j8ese+&G^+ZT67k41NkT)KT#aIu+$W1N~PQS;w6 z$=;Eg868E90>w{F3fUKWh*~_B#GEBg!F*Fa&VFEePmBq)ezGnLqJkh z*$4|ENO1Ik%L6BC`SQ}J0zbx6NNH7>a*>drWB8hnNb8dg|4~pearFrWl%z-NNY?W@ zDN(w)4s8)E*A?ve(qwF96-mLE&b){#w^CWYKe}Yv7H<)GSqR=N&{j-c6RdC*-aMpo zgzmT{3!i&@;5D7Jd?{NI0(FTbiR7I0jlK$t_9#ovV=GbWn%Y^FKnHv~a#NzUp4~9J z<)VB=|JI{AOPrJ6ht55=W-MWEb6aWMEC=lF5xV{b|R!;0* z81#<|amIe{8z#!~H5@P?Q<4Oi@1Nn81FUg-UXTeNc73Hr1Ww}tlnEEL1z;?YyFq#S z|1@C!6+Bs(EJMT#kUL))ca^f*4Sng4Ji8SpAtd8X6cbvjX?tV)RDaMO+f1Z}-#jJ) z$!Y4i9O%`wKLyFjEvFiiQy`F&Mp3H@#^N+2C-U!dvPL?mqsH`Tv$GSg1=coDAN6Um ziN*=rEc8piBQ7Pi+)-2&Y`GLU^h{61Eg^fq7w>#u-v5T8=;Pj?G?#yLJU3F(Cms}B zvmlC{waBMvB&yZ!{Ykt z*B??BgEpE_k@~n_D5vC#^^fhBQ09BS2uKZSR}txY%Af+tIiPELjJxy}fkAEslYuS? zMv*{&J3NAY?2cMAp6Qxm_akMy=*AonWr}yaV598WZuN0p8 z{O&R59D&Eo1FEkF(5z1KjpZx!i(scvDE8(T*vTs)lzMI6`Dv6=Pu303E5uqbi%zt! z{u41-jI8fwFyKd`a$~m(I+@#UZ{kT8gIrH%imWxD@}@G%c!<<`Y=0W{4lzkUSXi&# zt8)8r%%%#85YOJNvbo@zHCswBIomz24B;XT&lm=8EYnbMH)VDL5dqwp_5HQPjgH=OUN8 zm1M|!<(|*!(ugRE4o;r@HAbF~JWOm6G+C7}@tlqHnu+>JrNnG{O9?WaHH(FnuP$!L znfI64ZKPsnTedcNO4%>uXPHPa4lq?xGAVpjX_WGo0!?oS077Nfd0uC&!6|%uBVu_) zEEj9edZe~39;)Xzs#f~AAJJ0ehtR$c`f;Z=sbZ!0Oy#zk#PE<>jsO`nm zORXyxtGMq`@pWgC67BpIvzO2y6d>ed%|%Vn%-7iTb6BzYvW~kx*;M)#8K`uItSNh< zJfUWWlS4xo!Z?hv{N^11iCgWR8vIKGR43XI3|G>nW4qRSp9y^q(n zFfQRhU&TF)k>a9DhFb6nYdRJF;mClm4{%RnK+n7s{{qI}Zih&(n0K^o4Uq zrS=!e)^4;4XHSfVQmW&Ke#|D0^VfE#=|0gXD6fDX?hZUS2P6gqo3dRW)b9@e(na1!=BApp2ZucsLdOKlGo5UQBi?DjPS^q zJrVt!4WavG*~3*1sf66jd>`>tK^wFvSxvQ@@%VlmW_GHVi+OaAhQ{+uDh}soWUBJL z(G~8Tge?wegH-Oo$+qs;J3fXvyhMKE7~|~N0--e=$t#py0?@l(-ZyJK`EWiW*bvjI z)~9wHqMlH|#}Sgb>;PJS_BNO&Naww!~MX{{p+f1G}= z@`?!=jcCb^E63=?O1I8ZxrKJ_SH!*;Wko3Vn<1*Pd}^l?4KWDS=DBRw)^-6^Z(~1} z*oyPZmSK_uP50W>sH0I9$xkyjl6Aw60^^ah};{QOz0So+E-oVW zwpDy%EP}r>n$GwPvDO!p&9ySUl)htj z7D3zDZvpc%FEJQw;3eHuoM;ic4#eS^Rb#^;;gU8ljgaJ8&lPoCMgjRp^GH(WIpL5~ z_Dp9Kqk>~E5Z2&*@cu2;11C0Dtor8i&qf0eD5St-i(3zY`!F5Ml~h4hxUtf*V;QGaf#pj?%1qz{kMEE{Yma z{Z4#-Tb`H<_YggDGLm(ytpiHs)ndv@OO@je8brD~xRA$78?oi{@5{#b`(Uq08uUP8 zCGzFyR!nUOke?r7b&llDb(&6u9Z{*gP!50SQkafWWDwzT(Ae`i_LMa;irk=!K5y{N zTb<~_C&Z~h{4i{Vtuts6AhILF5shS{?Q}gIAva9%<$^}MAJ76w+NCHh|vl|jY(wWA--UpXmxtd&v~fr z8seJLn(W)vs7x$hMpB)py}XOoMnQWLa4;nXY$j+rQu<%lc}`j-`68Yf6NO=Zj=`d-#juxq%nTyBFc zs)5)qi_p9wY`I&P*FBqp+h(`xNWrJ=uY$l2bxF6<=i~7d4guhDMN&W%*oLrErauEV zfzu=NT_@Xw_GjlZfrs%v%zwnI9lSJCn%tWeO?>x^kk&c##ZWXilVwDQef62_LJ?s) z^Q;Oc1w}x%AYUwcR`3=QU*nC3T)y0`XLdDcb5D%24n8%$A-L8Z``{tw@t$ov(MfrviIMkz5e{UhY=3=%|3YE;l^u6|()9KLC)jP+c2&||hG1M#ysDC=-sOu7N4QLQ z8(n^kdlWke-C`@&FLW0MB8&QI*tahS|6uSjTtCE?@@T!t)^g%^#Jqr|+w^-85bO(qV1H(*^jSQp zJ_dnh_F5&IX+4bxSZ=(@Z3T6jmh)AxW0uwZgAN*!qkh6vO2uY@ITE#ek9o>6FYvh- z=m+NMS#XyRW$&R$FBZUxv@W*Lu0u8iu#wXK(Mw|ydm~vJOG$wtk_ijG1}Jx;4*#Hb z;BI)Yd;^#s2Twa)DAbn+LETvTNCE3LB_QA$#ozwuXH%{#)$4Z=?Mrq=oc_6{P}*Q@ zepZZe3BF1kbOpW|)e;X_R5$vKcc;iO1N-H9XDtWT5ebz~DG(C4JLm_rn6u3br2nDX zmw~N+Q)Mjx1^T+c)=PcPK``b#0+*cg`sZ{AsL242eW78a4*l#3(1q9e*Fp9grOXDt zRae{&O@D?T+8Ad4Y(b7vz5p_+S5RL9_!$Qf&ma4$CD`BFm96o3bY(rfsOH2oqklH* zL0gU#eAo4AEVTX9!S*|l6bD7Tl6-^QeXs%zRQ`EL9^?OH-TjaH6#PND?S-*Uv#+G! zPw=&3$Toik7=x*Z{*7IejRB$#&$PY4dX#%tt^U+}Yq@Fj$TjU-=)ze+!)3DS}-n?Diqp0kc?#^|&DXV>+dCh}l$ z##S9qAQA8e^f4wUQ|AvwE!UeWs$8UBd&lUj{+SX^p@SR(9KNYt7#J1q0s;S7f$dkIAAQA>Y~HS10~`ugi5n$ z>U1Ca35a@e1Z!~38=*nJ<`2FH;7~zY9PBnax!PQ;1s#YM4*E;$vw?R%liw(z4Ws~e zzzO=iB%)*1^pA2>;X=?==w;Z!mT%toZ!>HVh=6a>=2r%_4$q25Ja^WK`I4I#f!%^| zn-x=`2mj66|L($}H|Gt=LX2xh>u-FB6l2t`cB+O{0t`sm3;nm_5jaNIZdAPVOn?jk zQpaE)25LFTE7~pV(7&Sc&FKXm;`1(FD@RR}z*H0P(v6xRZ&EZ<1k4J|QvvYR@rCaN z0+ykKAn{L3&DA4dXqriVvC)EnrI;$zb%wEc3+x7G!?%vzg?Qn;U*aEJ03y&9q-}RR z?7^nT0{-$sKO{#@7?SF?KT=MGS$jPBEvEAN2ie@v7*ydDf1Ge1YJO3H1#YOtY zCfmjMBMG66wPMX3y;qe+%1gh`y3Yf*TL~d-y(;(h={Hb-;UrY)`T7izqTM(K={?5c z3WUoY@`P1|3#_4u6dhYy4-wBteoZt1!E?AEz?%lrs95Z*xYb9;C)71;ZXC7lk=xa^ zt`K6f95j-L(Sf2ncpBRuOVz`swlMx2Ufhbq=EhTd#vFY%P8ZENrcqA51)EM0!pLfk zmM_yodG>|&WdqG{9?XA*mm(yRk@drED4GoorLz z^d$P}{5F1`N++*i`*G&Ll2$uqN#S+?c5}* zxv7Y;OSLP4*yecZ**=roj&Z79h*7QzKVk9!I5dvvexJEA+8lt+pUo6T*~9%g?xY`0Ary`mfzzH02ac`nXHHlsyf(pl}dFd^-C012P~T zXouADqd&zEcj;f_vC6A>J0as8JE5Zha3O6N5#>Lz@gTT`)AR$y!!K#wWu4r{tQ-qG zrOGe!8DWL6^+Pgd{2GbjUEQ+k+%NMM5r&92@7X$*{?17vriCJa=m0pc;5v1pk zTEzsjl}*|FnwL;JQ7|a5=&|W!RZ4XT#cl1m4BEm3-)sZ_$;IMKP~p4MXyaYArSBFf zn#PwQaRfhKhBBIFx;W3jjh-HHubE$cyl}$ig=Wv~)bsl{16aIYKBf~9kL3fo=F%-x=2lcb1IPnK$?Fs3EGB!e~Fu~jcC&wkkJ+^iymp&Y?Fjubsd4zT=$rUI6kiqW1CwU9ntap z@@$Nc##c|KNQa5*@kvRmuDF#nNFpMH;rF3N?(?d{ppepv+G+98lRS%{z{lW?>Zn>p z#C!G($6|}cR#T=0PcV%n-sS$y(++11n zj3s1>`3W6(f?0KUrEn}1%w;24Vz?j3pxeb;yU_V;aXN+PJZr=1vUx)KJoISSC-0HR zcJ4E9cN%X zOfkE#w{9xccJrOytS!0o>$*DbiA6cifBtJT6T@-p%L?yKMS2;#J$`Kalp3xHzUA{% z4BeL_b-;!GURq#;zM!YNO_0qs9(7c<9~gQf&VXn^bP78^j}%Xkifdv2==delsCdp1 zrp&O*-VFmrl?3m6E+D=KN?r6IcF^y$=s>n(5huo&In1jSe`iF0MMHW0fZ=79h;aC0 zX(`cnTaH4xF^@w6^KZbK+t?8UnT>-5i|)wr#ahF3lhSg+n z1C47lU;5ew0iF6e$(ks!t!i#nk&toI45y9TsTiDSHR@++EUP7x)E7UPe#XzRQPGgM ztOmMT>|d6Urw7vI_M8H3_*|B0=YC_kydy_;DJc{gQ4Yjdb;Z$FD@}I`_B8=&i=9Ho z7$S2`kgiH@Yc`vBOigNiDs#a(N);x>AiVU({HV~t%|V67Yntt{1JX|;xg^CS>pvdG z#8nT3%?s|kRKYvRHsTvE`l}v*qM<^Zv%!Ad!#56Q<{nEsftT}lvSe9MgoJJx!Dn1h zb84qIYeVIcjp(@n#3VMmnvZGXmNf_2va$Cm-bSdBV5i`S67pr*p{@9ecM;cH3t!3J|hME$!kG~`%))*lXW zy5sComA-%O4cDy}^L6!1X$B#*zssIVl}fN2lwV_v3}*;4!=b;GE(|=NTm@>p*Sr>L z&$3VgYP$uWp4a1rK_H)t%XLXR%xi4V{%ue>Fc{4IYN@!a zPFr~4YHvY;uM=qua*ejZE~5kTRue1H<@YAeBGwvJ%H34fkBlDjY);h9>>Tp<4?3Yv zV~p|QQ8EV6W~AedD-ghpDB1KoeE+dICse1zo(M!0`{KC>&PvVWE zlgoYGZFp4PnOv)<984>RZ|3*kj@t^CYZytmJ&n%h?bt-WOx|eZCPD&DC1URTmq? zlB!;$A+GW0!LjJ?TqZ1^&5&=k*>}uc2kd#7WfsAdhAn0HQ@>>_&UK%xZ#g2P@SeX<4>GU5e*u#q^C~d1*H(lDMjm;T;1wkLW}lzv z&tAu9YOO3Es|xY5a3*$06%$;6bmVu|XCnt_w%^B&v{rlp7`(jNfdj~T#2cO-_0Rkn zxX%KudGxfc!wTY<|j8us7sH`fmu>>B_{S-xwusmS+Y;*f#GQCW&+%^ zTX5gu;^t#wkBXlb!e<}RX`shr?gnADZ#pSOQ^kj#1}w8A98+RoLN716;LO?HHq*h% z(VGHi8D-wvybSe^z(kBU%coPg4qeK>j>}p})IXt*7?qKJnwM#mo`!zJc6Pf_v@NZ7 za*3oCOgof;FHRtGO|@I;wUBm5!D@%P`BIod=|^rFj!LIR*M#8Lxd>o(o6BJJ$2~8+ zNwciieQi?Xs{zaYyo1ZBfs2DK8Fh$$?OZqCj*3h7!FG`x5b_zWbUhO@0SSD&wraO8 z>;r)Bmg1$mEgjE7mZ0-bIX|!jlO!1JTFik=s*g3ViFjC)me#}9u88uFJmE;en~8Nl zk@G}f`sf6&EZ)F=S#qh@#HELoGECDSQam2<>fXWu7+2^(Qo~UMgD^aqFi(vZ&4Rb0 zhn5%5lPKCxB5=av9z0r9aeB|1MaTrwLD@AKdfZT5ms3|(`%}>g zNkY}AVU1y3*x|hM4_MV3Z)a1hMQ?v}J;Q~Gsz|8{pz{+Wy`)Jn9iFGNwLOKm^FMeM z@xiI{Tv`@))jXS=QoJu8cT9iCWx1I8!UYyxCOOgEX-?n$Mh7M^n5@8-elfxjp%(4T z|1f6CN8Ul3Y@@GWm^f&}Kr3uzcUu>B!4qgF_G{5+_I-eyb zmA2BC7E?)*80z}iV5ngSpS(2J(?^sQ>|*eJ8LkORjP2Hs=V^If1AT%Wk9SQ)88E+N z0;7wp*Tf(--~QJ`TPTWvi!q{;kU7YCBrN7k@duVxoi7X7asf_x4JzR$+q8HMm!H|J z<$xK9jxo>H7)t8wGZKY3aMoMFMw zm*{*GJ-$BVCHj6OC%(DNqWN4umSlhaBlauJiK7wGo%k(>jW)F+=6=>E@wUkOfaJ=K^0m;+)d`>Mt2bISMb)O_CIV=MzeO z-WG}xWA^q!XrM&}0Ga-QU&U(zHms+;!*zN!K$&rx-uD+1`(aBUp!X-$U9gSw4?sRI z)fmE_pR;r=`*eow#&2~%@}biw!Gy9cz*m_|8!|ZyT8u&(LVw2uLSWEclKZJQd>x6; z*f#w=d_gu@ZIsud{{$2iE{0Zqm@7>h#%h9hvj>3PxbD&`D`Mpigu|vD{-26-#gc;g zv3fJcLzE+oI{e}j3S(bHi>y7xCOgO0Y-i#=+%L!;Ly5c6Z;#oJbH4*;4OCua1HRCD zPHx#@ccDhEZ%cF)X=`5?gWWi728{zpC#5u%C2bBqEKo2xc8{Jqw;6vP6d!* zc=!9(Ag}#zTZw1}P}<9SO*p_8LepCP8K49n7v(!B~PuJ75Z##t{HKN zc!C01b-ZK2H`atiz^t;q9PW838h?(<0h|l~^0#<>i;tvWWc=a=+06mpA|ed}2IL(DN?QMxgjg=b~}+ zrY@E{h3aTZU4I{gzjaA+`Vnjr-acFE){z6I76Vx=f_Nr1G@hbmu>}=&Hgx`63kp!L zK(#*{GdpfPQ}vut-Z{W`#_i^`B zcz+wZa}TtSH}JEBkKs@rTk)4X_RcS&c%+9}Ml(nA>%Nl0hagHiy6r*2jpSg<<1?wK zv8pC)NZn$oJ5Q|Z8Izx$KW1&Mzk ziUpAUuu!Mc?`K2hBdUA`rBhrNQJvScyVb%9aDA3T7LWz1GJ8qaO4cxLwjuTlBAVvG+*UngDw zlcGDdX`8t>jI?O|`@*P_iH(=6EZt678ur-LA2-q19E1#F4rUjpzxLscK;|d@Sb>KZar+*Ml&Xe`s z{VMc`oy$7$$<)Y!tP}cLI1y}dQ2`HD?|p%5@%WmIuo33d&FIP!)~;9|chj{VC+J&B zK_kz7UyMZosDqr?F#3z~>iS@nCDZO7JCz}0Kps7x=GV=_=j*C^0ljD>;AudVdgKEJ ziuUE0Dv{5`$e$wbC7N6yC)J)dktFw&%8y9t)5_LLoenb|3aorSTN>nVCj@=NbPVuu zigd=N^m~OM@5K98?=&Q!^0~~*>l&z^UZW3i=yE6dHwi*s=igRCyFQSDaT7uYqgw}+ zBSiC3RUwBqipqD`m`(P;gQ??Dm0G|EClq>nVbY4ZJok-+>J_}=^4uJAi z!BuRajAz4;73k_k<%8N~>2B>3=>8F?N9C=&gD$-qR5PAN{N?F*tTcbgy|=xRBHw>& z01;;;R3+0p46RW0f5$`p9T*4H4DG60n-53Mq{JU5Rcf#S64RX(S!wV_P0%M7@0}@! zEkpiAUi~kCG~fcbyN2j{P8yq*)9wyJ68n$}dTKiK>FE9wB?phSUo!6;IXh+>Li>@h z28xT~iGa5&@$Y%N&=3=7HCBn@a@)R_i&fXAd+~)P~S+@U+u zuCX{zH?Z*F-$iMFybz>c!qJv%a)umTA_#dbdttyyIO|qc4G}*emiKPkIT%V~S9aXg zR9&6+`Lh&;m%{W&1`_figuF zu;nbkzCpG1fPJja%xQg^jLN0y)ih8QIN`ymFuhtXL;!d)l)uy3nk4p6-p zX@GWa0X4EVv;3#xa^2h-zvmK_=lbNX3H=Gc9dUowJ7ED{>oDX4Et%Y;S&u^2Mqc25 z-TLQC%9VZZvTi%>8Y(zssGi>0b<*)_z);DUI9#Du0}~INrWya=hN@h;S?B=u|Hx8F zEu49r=XxBx?hWX5U-!;ffQaz_(`DOlXscqM;k1~GT8H0Qr`<>8r@%h=4D{*c$=wA~ zGlfg=pc2$OIm-G6VT`kirfmwvGfH9t+p=3cQpd@sekeQd?|T&>5x zORvF|cG?!HKJE?-wzZIkZZWiWL8x0fP4)gM48ekek@$yc`UTo=#o+dyMaep8q#Le1-frKpim`AaBz-Hf$f z;waz4fvr3zJec%FMXo4-p`&5;SXzT9_#C!=pSXZ`@RqO-&8z6reqKpZH+ zw)dEYiDHkl&O#)us7f5;^e^Ik$=jtGyNFop%89 z8*Jbvh*oud+f|bFC={&93;kt*yJiF|O?Wk@1&`y69q-9n7J|iwf<}8rkbHg+czizr zJk1yojm@+_{;*|i)Tz9%z0)JdERKEk>Tnu1DF!AmhJwTQv#T7ksPspwpbxSfY6?5r^_^FH#zJ@Za5R?2=L^CVRerZ1YYF)pRd$ z^rF1^?PIyD+vy9h?3vIg$^-s4yQixv&oLHuqcAX%a_V!Iv#AeQYoWisrskg{adj_r z(C1IqN=?qri;oV`UuPNQq6FS#aNs4n?+I6f&Zbu8HKK1y3cj_y5Vl{V&?8synG0O` zDHT>EbEcT?m?Ai=-j;rKTq}u0R`F+ce_*zkKur((#slt42VZ5y^uu37th~3yL=Uff z2<_WF)^ZchTe*7g*%9c`EU@`jzEj^AU^M+fgW_QQxt!9GtE+hh!$ zJw&J%6tk0<7dS}1ULRac>xnuBWbj?UKQcGhA@LXt)Pm&aWtCCPhmvP^ z4?(R=Qts9bgt>5#9;@#NX7rwr!AQ%m~?HB zh1oa8zr20P4;1E<(PP|!T~TBTwL}c)4jj}3raY`b*JWWb7Y*0S78k8NSE2 z^Wcd%NK`OB|4635L_OZ96LifBmEff6y?e9eb`Kbx7pxTgeBvaK939*PQ90*j`HU4> zbY8IND&pT5VK`{fkN$PhyHFm_o*^NbiP5i`irHTdgjO;b$Qo`f8=&k6$qSs<{->4N zlLT{ey$sftcTjy##Z*Xy7W9RIER~uJpLK+wbsF=qSRzmZ0>1rz^tuO|Ma*Et<6UJc zgAclY$~RyHQc-3Bip-lZ0i!QQ4016;C$Im#D9}Ro!~R~Bzjw<2`A!)@TRcd7bFm;U zW+`uD;4P!C`$`SlR{yK+rJ_$GGEK$PeN2go+c&zckug8sOdl#arleSM!mB+*c>&mT zh7X9pnAN|iV&8?Xi{}e|STDPa5ij3W=e2tt-Z(8}eSaKQv~r=Kp=mnB`u^2#=Vqn0 z);O&1W3^)XEUg!trYD3WDI56?O*(5JzQlK@UGckq`B!w zkia%}nf)8Hg&==AqF1k_&O&AuFPQr}+^6&ytuM1VE{>+@-BF-*6(T*|Kk1m9h%Pg_ zWy=X1R^XnEe34W4TlOP88S}Xw#L64&EN6oU%C!1Snv=tSYgQm$=o| z*l%Zjuxa|H#J4%Ej~N)M{+FAtXa;Ha)~v?vk_8n{esDHT$J}%Lf7*M`uqL~1T@;a5 zKt*~Hgdkn2(vdC%BE2X`m)=1-geIbt(4_YwNRuYL1c-&+Llpuy{&UWs&p)7Ed7d%H9COSu?)#oI4m_#aeJYRWrKk!|QtYh;1q5b7>F*aFdS|2> zSzDonsw1@Izic~Nv8PPN_ieU{@*n@S5`IvjnNR0amYPX(b<`)?9-foGi4V(G(S= z{V#oLG9j0i0_4H;W(HZNR?_OD$^sQS_F&=jqE!F3zAP&%KH+M`^vR0;O-C!wz}%Sr zzD<9tI^E_=LD1L;P2!ZodA7Y(M88U%6sNIt&rw$8O6SO+&1r>*z8 z=;TX7kMg3K?M_E7=L>m>p2hWz#k^h%>Wq7IVz*tm!tNLt< z?KKXtk@XXdwr?xFx%iN3WND?FK3UzT@~j5Wg>b5{J-52el+de3_X1zw>?Qa5BV8Pe8TTO{O$@|z@Aie?a%l%HtBKfPRX6&nr#AC&9KfAr( zuX2(ZIp*}u@|4+K4Y)lS$S06!*03)SnZ%(}YXLYvRW<8j$%SreDxPV0o6{zgU?=!^ z?mMZ~;aCIxjP|UP)kgZ{Eh|sY3~PPqh_wT&LtFtAuhpZ6^_1G-IkpX}rXdU*Hil+p zp*RNZ=Fh8~tx_nuS*HSdq<(i-uBJ;E+yA~TKrRy1owzrT=#K#9K;C-#D~n!crna!v zMc_F~x@$cDdmdYbo#gh$Zr<%TvDdt?-Q*^k8wGH{Gs3d<1_! z^r2m+{x9|m`MF7>Fsh!C_j{@Ham6Zes;;W&3C!Zq~g(b z#pG_bNJ?BiGN96qvx3!;bZg7Zll-ZdIPicH>%-%l!9e+9C!fO`a8&3*f$0eEG9-k- zYG&H|7^3$cvb)786I?vwRuD((o%FD#DAy#t;rfmw%sz$ZB0yn(d4o?lpXuSAei5B$ zEGdy)w|3EF-3K@_$TgAFNnscH@($i7FPFky#MceX-~1>fM|ngtt+I9~`@O8G z5)~{oKn90<8ahRR)xz7%-o&I5b&zhtXw;bFHogbp`RY;#mE+@d4;Mpt#hYq)s?bDF zM8YR*msx%5^|^dIgyX$SJQLFmm}(i;Avsz16>F4-CQ{;aYne{l4aLS2?TzxqTDpAu zHuno8F#6W>PgtoIvPtgj47A!QA~*H9R?;W&4NAu_z%m?$jx^>7mFH&6Lx&a_5*liA z@wuMHP>4x!8K+lOinGTv`Os#aek*5qZ8IY&Wh}6cCOjgWZ;y26;)(3c28z=kBt^Ya zrH{XncHc3-eG3<;c5!eW3BEpm9S;0LLZA#xi!QRVBH}MeLT?yJHu`;&-q1^nbuP1@ zS7x8Mlz#3y3Y;NCwNQlFN_UuI#U72)gA{)?HNo_yMW|X>8HA~if}VrlaFL-BJW@i z@(WykVVMzf9>MX+{eiauQg{Df4%br^CUY zV%YCNRnFha+v+FWoGqhl3Ch98DQ`f)YvU-o0sTW6vE=k~DMk&{MqAyuGt5wtCA%%` z9Oyh2)pB^xzD~=+Z!pGDcTn8L`?EPsk-U!oMizA403^v6otHCNvqmfLdxB$Y$ii52 zN(ApTsTn>{S_DnF@IrNef;FK57!>MzviTXTP80yh9YEKA^o z-A;mRy;sN&(}bn!v>!}lM7M#FT*Jm|qAbI}(Z_GRNF-qfOjw7(PM0F8+{P#QOMa>? zEido9KIsq{EFNrD-llsn@}uetq2JQh;!E(Z1fs8XM6IMF{} z)6o1h+H*o*GxfFIO2?eBn* zv%IyD>l{Y?@c9?K{f-R>wTc;O94GM81V|Z&Z@tc~J_kXUj|S#X*%N0u9>o>vu`4}v z)60l4B(`GX3|n-h!jT3#(?&8Ng1L3Ox(EJc3_AtrK2l&=f8<=5TX^8iP9}V(iMIvp zhF98qzud5=r+8ZF_(d93_*#QG2ACeL@oJV<4df?I&m$}t_~7q%ha7X{&UGeSFoAsoOM}927|~`h9yn0D}89HzFR?=l-rHx0rQN=uQ(zpt`;Tr1-+U zhKtuDf_%b&FdO#x%I5q=pM{ilevwAnohZ3yZ`@oO5$W1d9A@W=;paoP@~-|bv@}Pl zJ3u5aO`^eWYFMjS!_EM)Xae0?H?Wy=QW%Hlk3yzmj|?udHOj{F{l`#(p=-}BY3iok zy(pA2VyPKk3iB^yYV26XbGZmSdM!(Oq)!dgN&a1ui_g@vQ9gV=r?w=jE8hrv??w0( zwxuI}oukiSi#-Soo>Ow3;ey5&YX3g%`D(57B0(T@NlG>gMMzk@;Y<(pec-J7%6D}s z8pk7ji}Gr7o3UiS3~X=1GA8`?A1e}P7`hP0rnv!^GQ4kEn3lVhJj@P+@Lchp9x+ah zny~8rHq&&xts!p=nj7*!C+*4rA7n&p{#b)x|1HqK6X&Rnv;50Oz+)G#)S1&|mtXS{ zr_5$uV4lE^orH_&C9;{lV?JAIxLBf}Opf*Ql>n6i>yO45^V?9aIqleAJ;6Ldnqpmv zO!Ck2rJ%(KE@F3nsEDluyB+6K-C}79y)wfIJLNU5gbt=CNO_DAr)8x4kXIXWR7so3 z)S&noi++JJ-FVER>?wf~LzN&=eB9^6EF8v?_zJ32)dd2NKb# zsZ79)hOS(B&%Y)NaXds)f_s&|CBG_Tiq$Dr&#>8wRxU6=qW2%m6zj08HswBflxrl` zaWEva2i(zvUHJS|N9=QAgrQq<4(IMHCA*(eTawHM?7aiwC$%t#c0rj`v#mD6ZhiV}?Ky_SXzbS9m68krzrg&=(xS98%~>$d%LJV0hJVu9(Vd+_~=bdR@*3L*_efV)9}fvX(XOw8Ii7g z!1F~f5WXsG@hKb8psfo$EtCrymgBZLeoS2EU6ZD)d8I=QGJ0_tc?Y+J?VH%F{SQ^l zzk~rbL=Ytq-6g{SQ7UBG-aBQQ0F?(G@TY8F!i>gZy?MSP^A{jD4Kc;)OXf-5MW?nA z>m2Q&Ov#D*Kcd(jFBV;(kQ^V|yWPZ&b@s}!KVb7ozp^%gQU%!d+syMHpG2hcI3izj z71%a%AP$yYD4LlveKlFKBC2O8hJu5;dqS)Vt`f)!#?o( zm%Q{Y8IEnpMXUuyy>|t-D<3=anpNtae;V?gcVjuJ?AKWsr=uq8HR5$$!p$y3>y!J%yt1Q0O(7+DzFQL0X-^nNd z2&MpTYTbQ#Y|UrUzu{OcfRsLTzB42Z!095m$1_cO%@=-&NzXv+Em8y4vz(csu5hlH zMy9?47x~+GeuNy^jlHJj#OYe&Y;R+%z%n^ge_&+l|IW&P!^r=Jk^eu$_W9X!+;p#M zxiS_o1eWLGOg++b3%qTbgU2U-|mOxBlNBZrBs?F|2+yAT}Fq)`4J-v%Z_K z{HLbNu?7I}{kuFw*R+oei#5@8C&+RC#$gAm0L{-2GUP!Pf<9c8832bAC;PuM6K_#0 zh5!KLTmS42d`tpSehm`v4N0Bz8X;Q{y&m)&K+*iHEMO1I(H;OA%8U^G z`7d|Xw-9VO>F^&9MiY?a|03nR7joTEB>JD)7~w zVahD(Ny}j_1G`x{*$tZivby*OmMV(`q7bW|p!UJ7nH^xB=x-LA-qES&s}3$mkZ=69oc^xVJzxo=|Nx_rO_^V*yRtEpSW8?Qf3> z0Q?;^Bq`*Y^{Qcci?%fV6E3^}v*zOXvy1WLU%-y?-@>ps0repY);&O=+5+LBY|eS> zHb91DEExYf=Xw}-R-MQ8XKLSHL$}<{&}-Tdc+KBY`R~{K+iCxfw12Oge( zo>xkg1#J%)HNh@;EZ%RxTFh1SD{4|H}E6T%Yj`7QO~c$zMmnj{S{J72g)vKmaKuN8vtN+$rP zDViIe6rJoPPwwovrwe0n&pM4eDc*d(ONe{G{8qXwyT4b^yc}d%MP;t43=~XB6rD@g zg%iHV>88+)bEgWzkpL0k-7`ZQ&AgX6ZdRiNii{tmUm38VPuC3`W}6%9)~x70(6LHd zD#+YIIA1=a+eAz|%`W`zo63I(lu~ZE$0Gx&n#|I;hSFGb^}$I%6J*sHmjqP@>Pp{^ z{UKkV^_>+c2;BrkIo0NqUs%s&oll0Lb$Dz$`1bPHvWmv;ai7tSx?Q%tDopD5JMxCW zOENkDWq#)K2J21`bnC|XBd$-ScntvwW3G{Oh+bL_F2Ha-p3a6{cxg}-8Sp-5v2)o& z7279wgV+LxNV@CchtD>)#Ya88xqV*#NcnWsGVO(yta~%34rv+o9o@$XswMcXu18|Y z{_P-dld2SbybC|5_8GH^M3<$3OQb>PP6v*L2lwZ_s;eJgGKweFBoGI^m$nI8Ousbi zt3yRkFPx<0d9@gOWlpx7shzuw&mO4sk`(dXIJfn8G|5kOyC{kiDv_rC^PEuNIUBE+ z*84~i2J{BwK5WM`4y7^DU4WEtQJL`&-@k4IWa5;^Og(vs8tn6u-_H^YI@tqNg;M+V zJE1p@`%ne41Tw#4@pcMJVP8mopK4Mn>jW|!&#a>wcm>+F$J>XOve^Ub&xI{+5dqHL z(#5^Z@eQfbxQkmUy;@yXep%w!xHKS~uEN#+RV5@(gXt8$)zrN;ZM|~WApa52cQN4} zYmY0uBzSXC1Y<3cCjMh~^0nD!YuG_@gh2oue=sl)PDflf0*55!^f_(?{Q~Vz3L~0k zgwcM$ESmjd9ntLS@A6BoV$kPaCBTE}rR}IgWtxdM zBCxU2bA;{pX_&i{aD3{jmY&;_q(tIeCLCz80%7*WqJMqhFNA>+YTU)@c;=~oi=SJ^ zcG93#q_^4i_;v6vbHoEid8vXn$^`)1Qd!QBzxS)Hl_E$|!hqgoTp{s#sK5+~12g2| zXwV5XZyPoT*#7$n1F7^UX7X6$vK!~J6cS{MYGzahNbHJgPq;*U z%0Y<&wyf;$(Pf|Y?8P6QJ2|SFdD6dZZ3Gx-;9ecBcH6u; zmHe)hM`H8*tt#%FJS8BaUv#I9W!?#>Z>lR>=mT1k8tBP#B$_9?pJuo1dQq0$JD2r3 zFEZi=y2bV?MRkSXk!?a9+7CEPV)i-M>j%uXC8jWnSSLPajt?XJ?WK3y5@;KEf)i=X z^#NDZeAWkr{<9U=E$@pgoQas8^ae8W#pO~mD+@BKRUKhLDC2FddxE^GYfo)2o$IVxKd{Ro_wqI!Xg3^CzQq zc)zym!0#cm^h|ciVK_`a;gL(?FEU#B#MWhjyfH24J`hRU&I+u-hB{LVdmumP5xoSY zj%ELKX5iIN|JefI!aiX_?nq8jU`epr>v-`3OJb@nTHxpQIC6a{T_B*|PuRST97wgE z^-p*3XLj>ED+vH9vX?>fK9L%N{go{R;MdZi9&+FTKIFP)@1`?e{)kjzVgov_M+rf| zB;M6Ai?jv&Iud8+|KOjk_&@c7;M$Gj;H_g#_$wf!A}nLFB5xI<$x8)q-;j45msuhN zBCxrz>0H>(}TM%S`mV*>na^aEf8Yr^Y2ox0{neqxNGGYR3X5~-X)^Is(T`a;6 z8X$Z#G9)HoN0AIn=KNGhY}rG=e4!WNfcZ+}rCWwO@UdD)dg~B0W?=oFEdT(UUo2lA zf02K?p_o{zH`DmrtHd7lbl@(+K(Qp*dEj^kI~hr;t^#EAne}fV_s*E9b^ygO=JwsU z5EQ-0dY!LHKq1Sry=@<9=3Xl9TPjjGn8Yn$(E6n}q=_y>7gI{(?O}YN1T0;rIlI1! zMGCEX46HQg}-l`=E{JMUeW(WR3fbgcBY|dgpJ*O~cRHVu}>l+qW&T53$ivaq{ zcf3X_{i($vqJ0V8x&1JyJ6(ZgkjTFw+U0ca)d)Ert}_{xvBX5dy@SabIV$gJv}4JQ zvpunDOb?wds#;BNen!oh^6G4U6NGso$WW_dz;_?GOzn?Pi-}Iv~ieeMolmBllP*ZQ+#oAP6fqlVSYUG zEbW7=5Gh9`8q=19Mfy5P+tklUn|VozPCXyX0{LF8to#azS>Lv~N^kd<8)Q#X#0Lge zG|>if$A9FH;l3DQ&U|r+nZ!H(>#Dt*W6$dr zFcu{x&?#(GF<1bKD|@Wn+CC9X>UObu<3(CuhRkb3`qJ^rz-skhVTRph3=}I7aTcO> zoVfhz+{vrpOStsvJ+0Fzy;FL5?EZ9Tj6BQHTb(*i(Tgg*$lat=ncu37pb4<^^B2mG8Ew zjX>eyj!yMAvNil2n_Jb*w z=(7t>)I9PcmM{BB?cnm2^XNTs>tZ8cdvimCgkzFptt`TE_Y|Dz?p#PO+;7}^M1g_^ z2N={&seXh4(3i_)*c?VV-nZ)kFq-G=UoH z=A34VFX7X*Jg`|EN)NIrB%#QtsN$;BV`YoS2R%eF}*Qs=bKH{XPB(3NCn@myu);|69c2*EI2C1 zfA09c=l4OKsbcgiCs5$bepqLTbmgcNbaB5+F*-VJ#(gkMa-l`pp&J{wGSjwQXApO8 zjEBp*1IHYeN(WwXqx^yFGVZJsg~(^RIz$l=ZeA zx|>(5RZCB=c6~UU@#+^mX&T`(a|twSp8M4%vkguTVmo~HU~hn7nlKKFJLUDSvt&DW^$hcilwRNUq) zCyAgG%R%qyoR(v`pNBuC%W1Q>dz|~LUzT(_Eca3?oY-C+d}tK@<&0!A=w1iGpa1-X zm}|~IoXoC>j8450TiSEtUx#xL`CVn@Hz;a zL}u&RnVc`t&gC)x_IVIFG8p{Se?0Lz+i0<%y=Ma8Yvk3Avwf{LKLd9re|r9iD4bF> z5uf30waRb7n%fJb>-}6k7s*8=?PANM>-osKjZP+h<_R}XJERkx`hOC8{UC4OU`Oq@=3WpchC4=qRZj zd25E9{RDL{#SY}tzrQ-SMs)R{a;EOV6({xffvUPD4)F>z8BU>Qy-EmY7qW* zb!%*pcgLz;G4js_H`n|<&kzcZD04ay)2&-wM!`<-KtbqN($Y5<1R-hBO^hVJwmqK= zE52}~>OKnm@$q6uQh-_Z?AM*7$rEVmWA$gf(~obWBd*lgz3WW#Sb=b zeAh(TR^LeHw>c~^&_Ru$MNE_B(m^CmO$KxN6RzO1gWwffZ~(y3klw(aAY=vd8%__%)^!ELwp zvg>~4T&&Ag=lY&oXIHV1Wo$_Vs?~tb4xM!;EhoxgxLb?KEEZP>TcoHxBjrA?z=rM( zs!6o8B>R+l31m?VZfCO8Ld_TR?&LFA;<&x>ut+b8Q5wTu8)#^)!>nNupEo|s?1@#) z@;o9MKsQn5U$T4+k3B5G4xXZ#+)f>)G)ySIa}hnuj$o3t@?eL1Mjvp zfM;F-cNu(73RqDGr8=trf__UXr>REFh|pqs-O;6zlRBN;uy^Qk(b~De8g{?YzSh;* zaSUbm^VuN!65vYhbp>@zmYmJ~Wd(~y`BXY7VN`jOZ7t^LlGXF%%zCmFey=>yT!p$F zB_-K;de(0Rsv9!i|9q_;^yy4anp6z@`a=PB&>wv`-mzA1-9}2%1p`*dJJjZu_jxYl z{mYsN2HbVi93|RMKf)Ku9}0H`b9~ZMbT{nU4BDhnTH)CxB4}wo=pY_EO-3nU3C>fJtO#g zFZOYCNHfTaYQHxuG>ak8^#KdHHaBzUTSG(e~wL2Bgh(576G=ols{;Jpe1+;xUwd zH(wy2jvI7QzQSRkqYPUFU2eI;7u!0r_P)m4Lx}{;?D(irjH86H>expEN01utQ7&qQ zSU+g`QmL+b%wgl8girXzYKs8oFLjzK^>Z8WzEwnz@4Ymt8NbZ^G0Vf)?R;OZ;qb*R z1r^LHvxb-PV|Fq(&w$?fE)fsTIOTJn;}SP!^wFpnPxP$SFp3}B4ud$b$8ovZ!565& zZWH~v9gW_TDg8d+Z}pBpwdkq3t{QA5xJy` zIW3bR6-G4SKl*KnKT{rW5nJNcU#TpM2BJR^A^Z;dOY-VXDTtu`_|}skXHX^km5E&E zN1D3hI3G=%9CCP5I7{|w>-X?QC}YV*#bGwDjmCoaWN2ufND75Z;KW~U9sW+V7}gEe z6kA_lCwN0O4RRN0+_Wn^0QCnb29ZtOS^qTEQDIF`$HucUyk1*uUq@cS3eR9(WMBipcPZ zwvtu$RsQ>M$XwzYg(g4c{1DRJmyE`R5AmdI7|UcTv%V%b{Dv(_|f9PXk=`4|A2OUyWfdhcJ38^sR3USEqI~FOUI)e}!}C8)z=xF8yV> z7sS!hoh5$vm#MFMc*kfNL~7DMn7ljCZNtuY>UmVX>v;Bv_0{F@^y&=^&`3pAG%cYs ztmT5OZsPNXy;GU8<@4d4sPkX&LNTT7zkPQWyv3GmgsHjAo80z0;StyjvsMY;?@P`W zkdR^o$81+(a{Mo0lt>giCzN?Azj_2gZNe|2Bx!WoqUmX6gVsuv$Hs2=RWEVTt?9gQ z-+MEELpzUyTGxFyc4sFvP>{)(jf>q6IHmp`!gBQ;q%(QLx>WBYrkiS&AR{0s^1BA7 zI^zzTEK{SFdjnIYp?W;XcsOh|3&JuX@}O?!Yhal>S5IhJ#&kCm;!AU+96k?ZNnj+P zLRK>@Is2&qnTKKQM*-0x?&dWB68F4~`S zUp$)f<6v)y7|yV1;dFJ`n!D2(qs{PKGSXw|Tj5|+y0NeELEj_I_ak0`^*#5_ccvy7YR7ovB)a9ywO%xNCtWI# zAW%-vvA(1PKp+(~4tn|Ov@~MRs%dTUjUETfO>^sbz@7M@`IPqo~cxR!l{9cA_AhZa(yz50-CQy7@iq8Q({Y+}%-#ewQ zc-fWBp*U~DIuA8ZwOinMS3OSRlZ9nBYsI6hjR%#7DEA{H!O)Dw%(SnZOpVyrYq@!l z2kdd;RHwgVvYK0W!sRqux!Ii{=g4^dmLI$>EschO6Je4oyHW03u;1D&CXeo@Arh?2 zhgeyGRP!64@+B}07lpsH>*ykl^#Xgu=>Uu;e6ie^pWTOFGI71hMyiFZV&Y`vScQF{ zzIygZJtZPj+(4;9`Jt;Dc=Tf?iAGSy@>(tnB<87!A`>#o%~?4 zK1)(^omG#9K|>P-mzznI1Y;2;qWesu6n_wZ6{g_#}9)4f?4nXZPYk3Uko60FmBQ z;lPGHusUrOsM*(wWz@mHFPCE}z5)o-oz1V^Z_9k!e(bsj^G;wch@%vIct$AL3KF&B<_IW^%?Ev>>FhsJhKYJLrQCpZv|p#QWz#=#^Q0l_{B_Sc+B&^aP%1y15% z@)fzBq+3mHdv;d-m$kpeywd&ciI?<-YaH5bZhAF%-8ZwQt-Pg{bSMX3M_SU7N~~L4 z$n-wg_2|36j0^`6%osWGObah3f<@Q($r5#Z5tHeB&|l_kg%#<R;MM|w= zlFL<}`b8pe@E~x5ZSIb4Y0czFf3(l+=<26jsj1=^uY%oF+p;ZJPp-7xIFquP3kGQm z{PqCDSOLD%p|6kLT@0=W8V4p0ov-!kOywQCcDw3mFwELg1H0B9Z3tL_PX-U37Q4o6 z*XSWKPqDVhP<5jh4e;+;XzFtZ%l(I}O99$wJ_-L{0e&-Io-=nJxFm@WI{Te#d#1Ro zzJuJ=(rikF^JS3N<{R#iEfb@BIZlra`7Q4;`Aku^yVSA)y`EKflOBsM3P6W+7VQnE zC`@9fmv|-&o)sEaNnppectXEA2u-7f;Kh0 zT=M9`c{GED1yRwwhH?}n`KzdiF|M%kUZ)Hr`=4+)EX4{TB&#b2{jlOxC?c;Y`NsN# z9d-1Fp`(Y>={%?9lc_*TXu0^+fB6`=xN*vKWOGrj0Bm-#mRufoSOj!@LbrJ}HDNsY zQ`kx7I=Hh&lT6Fph%E~cDy)TxY2^m;SoaLJr(gb~r4o<2-Y7sPm)O++W9M7zmwWZ~ z(Z6EP)WTcye;>l28Xo6&3KX1kx||~;qrvE(!!10Zt<9kjON#D9b4}ddg?a~vTub*Q z8nnyECFD(t$17&yL2C3gklVRJ1lh%C^FlJSG_)1Su z_!9P#U4)!IE$1k7Vc&N!g@N%m0p2Xj>dhqWP+HQ5ez848F z*T9WniHX3PUAwcSn5`J>yOPx#^G{ZIYVYuw#M{F&2UXxCEE*=BSQTxSPkRgK22aa` zJi}Ha^HDEGmN>37gNl$Qmo?K>J+u*N%WTCwa~v1?L|rY5vPCt4`}E`TcWaUN%#ITK zq`6V!dhzv!X7yT(4XudX!&J|%k&xUN&-I1OelT$O51V~uSqp${LZk~%)sRY1?e3ZV zRp+XR_gvtVlD;cL=9rAxfS&v}7hQjeXL>>afDZGK8uC4V%_P|-o^E>a&c?VeNLyU)eyT0aw^3jR$CZ(Hzm)O zlv5!TW;1m*6LsOb*ohE#mLLINIeB4XaXv#jdV#^@!?lneE5krmEH>SLqeE;<`OOvS zBG4giQ);g$Ks?4eqeN@(dKZtMNdp%sO$NV6pp;m1MfeVG6)0hECh)c=kk@7mjrL!@ z;g6lpUm9uE@I6`da@&teM^8@?thz1i{E01+J0}K`Brk`;V7{xVejHyAT;SZ?;e$D~ zM8PR#g%Z9qD*z(ttic1icS0*&Ak;LRfkvqKW%>EH(%M!qTlOb>zuUM;%O?x*)>C_) z5!nT{CN&n^r(rAObo=p6`Q+qDz*pVvjcjZ{aZ6+R*X(=CVA!V&7a5N2!GvSL`ARyNv*SCh)&!0wZ6BZNydO?);Mgbxs03nenkXh8AXH|0v$pje22uW9Ix&&p zcWydhWSTnKWhepq8-^%n7?e$QFj3#51YdspX^zBSP7oI@VItkogWpvkT@;xSFq4K$ z!5c046@aSq_2*aya*iT2X17#Zq=Jq=Um7VVxj^8-4!b$T)qGgY3SJL&k28`aT-&1$F@ zP;M?=YHTR98i0()=`aIm0A`r`a_5+9>QpJOg~G89>3v-s=Cc43@!ZPbdd)9+QK-~i zbX<7;G|KbbI9J?Sp?Lf$=5oDEI@yyI6+4kr%O9~Q^jKY3yKT+-XRHq6#}Jt)5yGjy ztA%C-XlyrZ*Z^}CbXal1HH89Nc)8D*DV-NX)2a4~p&}C}gFh5{c$97fe5IDm{Ksj+ zQ6LU}N|hnb2Xm3DvROb!_e+mblEu(vO(K4@^#mEAvZnjO@HSPl7Gue!(#XAldclG( z2Qs_x4^INe&$fT4a4*ULBS3ciGaXjLqOqX*ECJzHQfso|+zvs94cQ-JU@?%^g@T*H z{ymF4#C-Kh>a(b*!XyMB7s#Jf7FnY`n{jeT95*pOjlM4l94R{NMN9V{&Uidd3u%@6 z#37$QK3q@hDedBt5RmT)5a8nR$*w<+XMUvcY+QJmvQfD*0zJOX0&&xVBF2nVhJ`Ol z63S1T5upBcm;)dkec`tfv^MCRvrUtY>ZbCiM-cf#$FIWuIfZ z))KF%1Kx-#iG1`ByN2tBS_*#g8tkK5uIQ^vob(;HPq9_d+l%ia(EZSGq%j}B@c7Cm z3hx2bEhbvx|AHmG=D4{(@RI<9^LM4lCp-Y%sjpQQ^Yfowdd)3!ssj||lB!`ip{tt? zp#VSOHFp{g7@%yy9Ws@Kb2d{K#wLmLx0WCRpqwi=k?{ce@B1!M;o)0=Q!SDJ#+xYO z!phdwugBWg#X{1pcas&coF}%D#?AnD6XczgK{EIp?hI{Co?B6=8hV`Fx%&~QuqGZivLqTr0wJUU&s%x1qBIV0O>5>VOHcw z_!aFKK>*zTAV11W3ecHk_j|pHMEy-%M}uWn@EUAaGwut)l!3{-mQRlZ5l}_@67QF`(To7%q5{^jQ_+96;vZ!g|KJCk;hX;{KagiS z5uP~zDU3FwOP7Sd3N{y}{S|dITX5E4a|4&eMj0n?ii#9J;XT0V$I-w{ zt70sPURo5`3bnpY=h({w3WXTogqXc9FkuQfDg-Rpxl5eEKr6P6*s*`!xZ=X-72N$8Ni z96%n1x=;dW{=tt_Fxfu>rKK@z6m)~Zmd?3Z?TJDM2S4-95u&2zGDsKIuYL-(avUbX zV|@GsP->OrabC+(+T+Hu@dN5lh0A;I?!rAP-A`7+(L4yERM}u)5NC;RrB|~a@=yfJ zY!aX5B0nk?(I|AgQb2FJq8zP`woqT60Jn+}$l(Oih6uFmM*~int;}DV1;XSogsUus z`7N5LGcBtM5IXc}3eGm=z`hZU$Q;{H;Dx zJ>O+^tqQv<{`htva0n*QbF?oMcpzwNKaCy; za8~-A&^auZTGs612xig&Pj*^e6a5SLc^mRT>nSkC;nY%{n;qLBLL!%pz*&ZkNSWJ# zk9QU6L1$;lQ?R8%y+E{}L8WW@0CaivHC};Q%TEQxWc@%irRUj*I>9&}J#fC`KZo`P z2&ebvs_JtSpygz@O(}HTm*quiyPI$bAzO literal 0 HcmV?d00001 diff --git a/latest/ug/images/security-generate-dek.png b/latest/ug/images/security-generate-dek.png new file mode 100644 index 0000000000000000000000000000000000000000..c9da41c5a211e48bcae3b4373652485cfe68a83c GIT binary patch literal 66186 zcmZs?cRbbq`#&zJj0%Z{LWHs%o9yj4j(N@@BZuSQILAJmW3}xOSqYV7JGQdRh-74M zMfNHjd;Fg2<@I`hez)%*XFbRDxSrSJ8ux3QV0}H!bF^1!DJUq;X=|w&QczG8QczIh zs80h&pl70<10N^c4K-CL^4qV?QBcspJk${$SZ_NAClm#@nCjne+#nHqXLk>7F*R-w zNZko#`XSpL1 zc$AyF10aY$VmT&!bOPmJjsAO7U&Y?WOBIDc>u5P+Y`k%HsyM^Hg76@?p#ENCi^4nD z0Gxoh#nb_j+d5dI-K?$c6w3wZ!s;L`M(pXj1 z#26&*3{nRHtHH(4C>JSljEjzkjsZs6(_2?vL){kaYN%x+t_9p}sP5zfhI=Y&yPJwT z=n#zUp-^eCfrO3|7;0dvX>DZUrt9Gan^Q|lrkb3Xgk^9^+oVb z#*S_{I}uT|rz04uFQumCXk&->z}kt5c)EEw;cWEv9SH`mf1e+FBrp?AWoa*KLjye` z!P`X~>!l|pjq`H#Hr2BQE^>7B41;s6B= zEjwooPo%h$gO;Q{*Z~CgHZ#RqONxlWp+ZbwQaZ>tgIxtQ~Qt?y3YLPF2bYj8iqR^@OABQBnv=Cp_UV&tM!v z+ZL%K0!QLhoFUeFo?3VZu#vWiq^N<3fgT`8M<+?Rsw>D7uZa{_gTs+9X+uvB6$xt> zZzR%5#YEK0*+4^D#SN#YY@?wE!V+vX9Ch{Wv_$RfP=JzYD0@2FsA*tD#GUP(AV@Sq z6;A{f7E#u4#H+#Zzy(@5>iQaHnmD49ry7*#p(UZNr!JvuqowC)uO*?Zry-$hr=@}R zlF`w(0cmL>3|(xzK!&RBj+!VJPaAEhri-zezJxJO88BWAEe+sJ2k-6)e5ja6O5u&1 z^z3wvk)Gb7rlJrr4SP3?rZ=!WObQBfgqxXyY;_&MuJ)qZSbYQrtffuR)qu0` zsi;d3bacc#Y&AV>Rq%EQcU`=Mt&xZ$4q|FzXy^i{h>A7fA2dY8tkqy1(uO9Q5N!>-L4@e;?{B2)~u98frWRRZ3_6M{klD;r2kV7)YK zWUyvPtgeK*Cq&iF#YxHlrllcn3Y@k_KxAz6z@Bby9;Rv_4@oRU8{%!`4g(Y1wZTqU z92~FXsUl_Urf27<0mI_Vbll*2I$$rPB!mdjwD!O`JDBNu;Ou~4rvhlYinWx!lqW$< z&(7Np?j&&(4|KKl(MJ++_Ob=(XlYA{Yl(WJ#N4nlE;ytaNK#)~)Xf2h(2%m%voR9! z7J~u$=H#FbhT21<2$CL9;7%F1r}t4HBS>hw!Ceu$#xgKd3?L(P%#=mFaMq^!wr+siR)MPEO>8~wj_z^6tLTf^0t{>5m0i`O z(5~ug8X&;)coS3!Mrd70VMi-J9=XXP@=0h#KsXNiNuIvfSYu5q;vq8sJY=$ z#%5|ru)DUklYx}JnLgSYNdW1YnW{q37=))C1`qZEF2@w+rUJ4SBj`(Oc}O3bk&3nWkxZ@CJfyXp&@kYLJCq1U z$VfUsarUkVH3Ms?jG>esM9a__eB^Fn-Xhix5DZ+}SqG=?ZfBxS#DR?<*2XwbFhulE zT!-5ms^MHEbky;hFqpB2wY9RVwUM2)lNS+;mV{Z`JF7TjWZXTCkZMvGCmT;J5C^R7 zbX*DgM_$xcPY(++H8V9-gBwdY;LTu2X*5#C#g1SqBPQW$U@c*Xuv2k|NZad)!BtJP zRZ-T&Kd}I&Yv=;-?y0NgY3HmD1aIKSas2)h%z@wkKqxWw$_J-gC@456wAGZ2y)74$ zPbJ*!?X88j4K3#K3x$GR=n6tlQD4}O4tV*!?7c6I9-il8@OOcH*WC-$H>18UvyCL5 z>hsGu?D$|(UimJgGADbc%$V$x8i-Dq%UP-R+Z?e<_W2TXHeIH6c0BR*j~>rkss~=8 zi}N}!n>Z*=P%BYTGH8jNSZtq1(^nP~@y{PqQ1LM(l&%TA#N?RYtjF!5`349k5v1Fp zS)$)~K9;p6+>D^O>JvEzGxP`iJfb>WfUx!^s2j z+)J%)0KdHB+|)|1;;6!cVq4T*c&cwt ze&br?Logp)of5iQwlxEY+w}~vEG)6!yhijjUEK4>_fHR~HRz~>RsGpeKs`!ik5mIj zfk%6e+&XoFx`9jIvVo6jt{Sn(7vVd`m&%1~yn8R-y-nI3c%akxP4UGVKRIi?tG|6} znaiH}^W*rzV>NfuSMGOmXv7We6_#NRi+BNP?oHH`2gk;$yEB6-q~kIb}owTaXXK5t@&3P z{kpzt`)d;y1Mq0$Z{>aHfNaQ}5Qc>B!l|!JN3z?z8RL)L_}4__9y}a%7&jIAsMCcbldQ_$$;Vgh)#4J1K261;Wf_MbpJ=sj=p<7Kcz2WUSAE4*W+4qVY zTztF@Z=WlTE$7Bm!@OtbLQy;V9-R#r@EHns&Rshv>#xsHxQd_I&uDq*Q%`Sj^0(lj zerZ{)jn_MmkKI`6w~y;GhL;8g?Zh9r6_TP4s}G;D>KvZyrzhYEMO#@JUspCVS~spT z-mkg)7W37@8`dj^xW##Y)O0kuZaFuCHJyXvfj5;eW2+-&uOe!; z_Q&Zr6DGT3J{po$01K!C&;HhljFhY;qx%yJ&&~(*OMT`sMT($2ViqV-)Pu!D3f&C(FzYOm0Mt&TVR94aS#8v{`EX zoKIC2EA01|b|$x4d)bk}AK!CyQc)?4+6A%+`+zGdOIM1^&x%m?o#xgop3TZ=n@Nuj zF}todjf~DPVRJti*AlQqx~FLFw{*2&Ud!h+FQpf7WgQbkg9e}o(q#sf2;$Z zr(P*W*fLotbi8JGFF#;K5SbWx+>MXhY|QOmc=OZo-lhTXWN>eJ zucpHvzYREDvtT8_Pb616EPXrR*WFFN)5?y}(0?qY9R_gcOQeNKk$w;1S*DsH&* z;YrCMCFAuj3o!v=TkQrh(WlL`dUZzCV^}|=jm*TDbI@v{79MP7#k)vyCGn(i?sW5z zU%nWx_tE(}quRr?kmqBo*USVye3v>mzFzF&2q)!hpCSq6!OulZ_~s8zS5)U4WN;!s zOzZd^E4yuc-Hak;WqrtzwTUwZpYiLLc;z^)#_0!5Ok1`|*S~sxx;YUW0)DhPc=z;5 zrI$a&TK3W97^S0lRapirY>9sW1>9S|QpO zYW%jgYoDKB#oAvLndp`1H@VK@k1()k;^Mz}^Okn)ylMWhYC}l*r)x7i>*yta2C2{f z#C`Y}?CHTTEBS_;?aj>ip6UbsFmOo*Zd7%1UB1w6d~3>AAx~31cTg(xuGiG+5Y9(S zJc)$t8&%{Vv~&u7uNDAdkh)WNjiizN2#B^vv74h6h`2eGXC93vPC1{ld89N+;|p?? z3tzani*mlcyTnBd*N>sqb0^i5bv(*cPxf0j_BdrRxm+2VfcW-uWcpWl@D`n9wkLDa zP`S*9&%GZ9rJirTqV3N>1uoC|ARVqG9SMng`0=pQ69720!B$ zu!SU*_=R0K*YPl@HwcKgIn|$&sCT*ot$ntUF_5(t8H?%B>sHcTMP`8^dd2y|L5MQT z{kzc!_@nZr+jiVbP;QoK2$fM#aBn2)a`Ad>#3_ATj^Otw5| zD~xRotNK;7C-G@c^BVTCK)l0k8kjFd@ZuCPIv486}%|HHzf@*~E$P04+7eqV34MobCPQSl2j zzkxGv4ricQX}%;q^!$?AIt6g`J;m6b@+!Z8*j$W|PqGMsy5s~u6g1I$Kh|$0N8Ndh z3lNwpOEsaK;OS~jZlG&?N6zYx?Mr(YD@fvuD|?-S2py}Ea;-LtB%-nsnDzK{O)J9g#`d)co$o_SIGOvv6ZrrSBd+3L1KB(bHclf~sZ5hcSi7KvT zscrw>%t_$@&G3<%Dw-6Z#?L~HcS{edhGX(k42AQDrQ2_d(~1RO^TyHYEDgVWeu-4l ze@Z!XN7TNW55cS^P@DfSs5EptS6KT=Zb5ZsN3h3> z6|maU8s0D#N-|HUYD0GCd*(vp$1nW13{dXbo#}*DZZ16wPsm_L{RG@nAV=!?<)s_Q z#{0&h0*<=gJNQotSvHj^oKYbF`ppgb!d!&pW`2#u zsUBj;=hsMBG|~NG5VLzr)VY7*o& zX{-?;Z(D1&eBwAr&s2sZai zo`bkPoN9X~p~uLvNum zeX~+IkrMWUT>{6@;r7k@qjNNPH0>oJi>FFWG*#u>YD}a8!?&~6XBK(+^c{BAJGoHb zn4ocC0`k+*bYY)kiH;66$k>m4M$7I=0f~X)EM=EpWBOv@pY{277VpML8=@piB~twYrHj*=G=6i52P$h1owLqQ^F47DIv0NI3I;AUW^D!4(Or7qLo~4PS!2 zQ?&9MI;_vIsO8d^B^XPNgXjYrGWheCV>|k6)N)lLaw}5Y_H$>(84ItLyy;C4>8G)I zdxH;&4Tu&XPFf~frU#)Gn(6etQf{~-X*GWcvGk{U||8ib^A@${5l~AR}|48XNZIXJX2E?u}A^{o_nlP-*Ji&TbM^fL~$Im(LKA z^-21OgqphNsjGzX(q{~fEF7nZ3A#ll= zDTcxcE*{?FO=e)QYRJBJX8`$WSwJA+WrnqYUB<+#22dacRhOocx&Y0FolkN{#HRxV z`VkDe2*H()`uxRw=X;rg zNhEWhshzv=du*IARoL#CjDdy6-$VGquJQpM06dX5_UlA7`@F zw-9w*PttE;@TsL}7+ZhyJ}&kF6OVSZ|D5M1lpYrkOqE42T;-o|7o`K3cgj7lcW!fC z4%D_U>g1BLd0|`lxbO&6;L>5uNZRI^i5?Ts+G>ufE^!*}oNIk%IrY%@<0Q2C6-09R zcO}u9*|1}kFCjdc_-uQtx~=SdW8Ly#s@oKutTJ|OMy&$oeHNNq5g?-=jj~545s_Ja zOroEw)pK7d%}L-CN)GiG4s*8B;Rh@={v?v1jHS_#Vz}t5htDDGsj}j3=Qcq+d|{t^ zl9=W;s`62Klfj75O9JQq<=>35X<1zOVu(V_Y`u2r(keaFW&q8#xyi1(Q6QJs9}u>x zy=b(QN?hG6lH*z&t{No-KK)2NN|D*A==Yidk9LfgzaFU6&2%dW(fE4Q2WJm!Ff_<6 zp*Fdth@WqKgEV$ET**z0x4I&obkRA%pHS_V`6k|y>!sxOFIr(Yev6ta3VniawQ4;) zpPeyB8NB-_<|&@&sQdgvY{;~CCJ}k6sbL1bbXDf_NqEZ5wDa$K!*u0IcC0HoT^N_y zcwbc|(xvu;jw{^PGkdhCS$PPexwGtk!yUerWi=p-i}Af*KX(z!rDtES%1H3ED>XQF z7N!4-6AZOp1&*5PmCzipIe4+euAsbN1&73eWYnTjp7VFUQ_8vVqozF_mUwjHZ*q~G z&C8E&GK=jOg}f@xKImca#!L$1%Lw1#)q(6KwX*>)#zsAIntx|8FtZdHKQ}y)YuE*v z6k4k;u(Ql(vw}|*57%l+F5Y@XOfp$?7V0nk#6+Jyk?n<8c72@T+Pl^Cc#9L3?&V12 ztPyp6L*U%lHmOvf-V6`Ei=2Yna9VA~R+29iF3!|EaCs*jWHL)C!{k#tj)C4J2r4=r z>W>8x1$j*@00&ZzbGY)a{{{fZ#gEIn;}z+j8JcAujB&!A(K>Uz2yI@Cl<&NIkJfLw zn9oXK-kmvnvA4cTpQXonIKSWbr+Nu!a-n^y0;bZC-S2U6h_LeZyR7wDX3T87-bLn^ zb?qKBpSXIaDH{g8!q3f9(jr-Q`Mc8+ShhVX0?>jQw??kaS4bKErih zLH{ZHqK}QAZ|CdjFR7W$Mtaa&eB=C9vunypxSNy0wGEeAgerCH%<)ftT7hq+gw^g% zjJfMy8?2VrWKN|Y>WLgL{a(oXbMg^Azg*2rUZ7C41>0&;lMcGOZJBxBgyDs8L-tGK z%UuDPbZ_9R71$&*ke+^1|+xqL2yLhhsKSD80Hjjk?}k)$+4n_-BaLTvnQ+R$r=sR2$&LI&)wzy zM~(27Hw&BY&nq9oZjq3Q8}&hmGuL5w-yj4Tk<2~hz4924de}zb5|Fsqb%e#Eq)A*9f$net!gc^2SQ zvRCWvZ?FyG3~8j>-`eE(R8Gtz#&g{SfKx8H8pp&qPW*~?dnIVe|B&uukn znBOM+UU>vdyk&E~f*W>VEthPZxmz@9J6MdK^4Xn3Rkl2oS`Kv*9yv&OpE^ zP{GJxJ- zm%|D=PD2uIIUY_e_0VpUPb+a~W?_;5ns-?w_P zo!V!p0oi8l_0Hu(H;Vf0(>m4#=dq*OruKe{ar0G~?Ycc_lLkZjY(k_w8`ngcmh1MM z5lMs+*5&`cy|yQIp1CZTaY{kDAAAqeZ<%y_%~G_mzqn^%=ocBNt6DA(I7~`wH_>C&MoTDTl^fz|=fH z3#lacw)-4&@Nne3l|<_1g+diR(~cd6!mCAbCJi9v5u~}v_52isT=FeC%S!mWEMC~- zpIMw;2o8v^!lsuA)2po^5IStxuG-+( z{4m|%7@HY_{{SMf($@G0RgPjR%ew(a?sBbO_sBQnTc;Y|O4ni-JeZ4nd|G&z(-mre zu3D1MjX4>a?qq|(Ka0;7vOH#KfKh3jfCtUYXF`^9m^ppB%~r;N%X(dW0cU_ylv|gd=4v@!h8m z5F8?5+LJTC1{Pk4_3OEDrlnccwsx%_C>`HPPcoh0Q*w$OkB!i zKZP3=H7|U+;`=aj;BAUYs_wqd&tb}S_F2~$KWJ{|UcHxs_R}+zi4~Sv=;!aC@3N!P zPmJ2U4|!r<)&!|(yi6@-(oi871krCw$Bg_;g81;^+p3mwn_UwJs3tt~*4^`&D$GNB zfC}-SihxoX@C?L&fp+kNsBm`8pKr_zX^f*vJr@s%ekSNnMuEJGA-coti(W2+Z?b7}4}j8+_JC~5 z0xOfKd?8*zR9HOg{l!>X&OSelu%qil9 z0nYq}=XIdMeMj)(QPtw8hVtskk+=zUto<5|%T7Op=~M%iuG5H{HSn>#{iG_){gk^c z^&&SX%n<3>PHIv!@BhfiC%&|3#k;rF1ypIbfFc*aY=GKMEi27V-`5ag^q001n~#m|4|PPnDmPk^m# zu3ukdSwD{@@t3|D1GidE`dDRM>O;qy_wnz}s?xJCzZS3FcmfIg93z;P0=*ij6Jt5k z-QlEg*Pv^!m*Lw10-C$IN!~T%%i<~6p@T9ov{yFJOuWT|U2@i;0dy`P4k*D9z& zh9R17hW$01d5tnLwLh-^aI-OURuUUoVj)OsxsDM_j$7L#;Q|ulEVGkp2!r|@R`%coXsmAzxZbnS((x=Ic$LkmH;R3FC))PS2l(T`L}IxU+Fd_p;D~r zb>?P$_m>UR$}x%pd-uutLZaOUd+L{iT{@(zUww(0VI@5U!oX;mMooaSrz z{a1=ZpR0nHi!}Mkmnvgcm;mqqrj%F9y>O0Mj`K-z=715bju!N^HBw>m-nT>XD~$XM z*^4VbD&RgpXx1?Fj5%ulcLTEa%xVk|!G5@1+b5-NQ;a}UjgP-)zv&y7oO~7s^2wJ7 zW93`F8g_08h(B4N-{&G7DhYcg2qUM~F0r0a9?YyLWy^!c^rd^o=`xasL5@+n^bI0+ z%eRxRGFhi(ynpuU;H9?((~-~r{~`SNQHRg^pZpiBS?B9JsdshNbC2-+j?ZAS`Vx@T zSXBxa?YkU0?LWh3_=((Y@-Lk#lrwriFbASCRQsM@D!I6htXa(SM(`m814fyrJNS00 zDmNc6Ybs3tY612vwp1$m*NWLecip2Ln>EPVc8T7;t`T5>x{o406OkrYp?YsIZI^yG zWIuIH{Q>~aDvG27#pcgv-t@q^hRN!=Nyw>4qw+ozhN2oX%jPa6mmG+|_6KanJ>!>x zk6@#+-kf;6-n=l_Ltv_Pq~P;OfRu*5daSBQoXM#@&{%%PGIPk2y> z-iscLlPl#1rKXW zXq9$SiOPQ7&#G79W3^^a-lo&n4u8*qs907pDI2{!r_Mj{ zPi`cKk4&ju`Oy0NwPZ*8%qFAHv^zFOdfRU?x%Rmt(W`yIj7$l1b4#2YSdR0Oix<3? znx7?OQ^qKQYEscl664D~ff>xpXF_hL7{`0(wD z4VClbO1~O&CXDmjCP3OdeaTE}xi^{AERXSrSqe~<{s;qt%QopG1xKei)hcJ4r%d)L zTKLAor>s*DMg7PoHpUBueIwS15mCpp00p0Ct|ws~{oy1bu7~RDTn-1BJBu^;YkbJ+ z;{Fq;U7+&ziaWPSZDiqb8lL=w)6bFo@yTyBf$MRCm)PDM)bDTSy{1?)iLgqI5_E5X z$m{Hm8Sgw7+@or{)TvYIu)Eo0kcQj@Dv3a33J(qYH!>*|$kE|NfwYDih>fPynL*rF zk(oNb`OI;7@u`yahK!Cwr{XtQ3M1~Q^{|4wLorUB3u{%FIL}1Kx(;Sit&VKjfbq1# zUP4uM|G`wFI8bxDS{M{A`kK^zb~iru!@7(ky!xqE)z^S2h3)TeNX!+iYtdPP1`#`w+Y<`iA#C{9cO>JsY0w1Y;84p-`!^3pQv2+c=b(abs z_P^I0@JSQjtIyx~G1pJ5wdAwgw#3im9n`m5l5(>3Qx(Lom$tgT*~ox&JImiypl5qI zw4<>!J^W?+&h!b#)s2wdc&5en9wDOa`3DynL^xqWV@tW2KYps`(q()pp%Y$;^;={N z3?kY%fH>oV7{lH~)9U1}4aov{^Y_!JpwgLxsmkdaNcFb65QTuLUx14Ls9R3qjiwuw zJ-4smSk9!T{+hstv^YvCo1JCNC*1Q?59xUK&m64XU1x5Z8t&hF)Zcme^yilEQH;-o z@4l129=TMB6~h5#tZu=s(j9f6{MPd3t>N)=gS0uEy_yQx^QwU=EuBdNA2v0vSPFZ9 zWYu5WEV#};5b5Zg9o5&mY;2va67Xdx84t4wQ#4n^qj_r2pQWXQsD9t>tkPCE zHxka_Ixi|wMXujRE!RhGWDCBWsm&odD_G5GFo#R>4;S^NksZu-W6^vY`cI0XJtqY; z#@zf$_G!xRW*hj`6)fj;Ff!%PW8P)IAzf3bD29mF*?DwjfKM^<{|sifD6u_%H+8>L zAq$jZsNN#QsS^yZUW;3ZD9eDK^`X1>d!fM73rH?@)Kk-uA7L``7mpiU6qI^Eq&_W0 zdBL!8S(iF&5r7_?l;1dEg*lF{WSJ{oKVK70@3C=hkqA$EKiw;Ej!#6oJsIEj?pR2 zz;bKL&@=MW2(KQOC@78+Xlua&xox2%hpYB|(4>X|Xs@O3Rz?C)XQjlFIu zy+W6hhh9CG_5BHozl%8evvfOp`ka?{x|J1n=b{9Q-{3HjG#PBNS-J=~ljYj;mVOx1 zjm+Aa-Aon3u7Jn<=Q=ONN3^07H^1z^!4AExT~OTHDJErk3-Ep6&XW3DrQeaIe-2bg z{~}jUpxd$I9zHrKi%EH=!f}p@Q$3e90>QVDIh&T1JIlmprPDCaoK|qztb_~Eae3HJ zU>w}Q*R23dB)~Soflak~nHJZocYnV@8cAnGkp~r{2_Tb;#UVrbkvSa)2Guhr?*++= zSF3%X9r=zsB-|**66n{xLjBKNLe!tScb)c<-BE!I4;08QGJ4}b=Y~9~}E@>3&-68zk%_ zX1@4tyXd)ufaf+<79!d5c~;$3@hdR|;qlb1r6-MKdP^G&SKSl&%94)Wjq+i@NB5BY zPydT&_?lm0Gp)~ViD3$F}|9uPgm(%iVyZWg^NjshJC1}$6 z1E|76Hv(Z^mLF5s>g%`fp ztwu_m4&2B+t1En8rqpwzZuMjC0OhFdH&x;UkBp2aH5JCzY4$WA4Y`pv!9LTRA(c9c z{+2a#aFLaJXLnWeusV?O^_zhVqM$)zAtx8l@(NJfd^Zu?n_vRYIriUgpWQE%tNzIu zSK84utJ;IC>>fKk`)KxJ|3RotYFw$DRrbMaC!xU6#3r&{>WwHCN+_u+f>5U~&~?$r z&Sb|oD~+C>#x$~-b$ndvu!O^0=;g`>nuQ?RGfe(DDbOUT>-jSD+mp9==jTp7JvY_> zR27(JLJ=v#$iaZUoGqDY{?D-t#qGZvbNS}o4RBwV<#&IE!e^TAVAR%MTc!Mzg{SVA z!bf?-PXCun=l~`TLtpxDU`0uWkv~hbZ!4{rYe7V8KC+`$O+j|$jU^k*nsH%}W+9;? z$)sUtYcF(aa!u$qKQdTrhUi=qMGN7$+fTzAnZhaK>K18~8sT85-1-jceEv@H{MM;u zgbl{@U_gap=Y#OLaO$XU*(?;UO=8Lq=Z)ik*#it&{mpFX7`$mJi?dCEravv~6Ckfi zph~fD&AUCC(o2|nIr?E{% z9@1y&x-S#}I6bcFo$<7Tmmb((8=-n7&l8MHJj-;05r@fl%8CW!lME%oFPt)Iprtc? z(RitN@4acM4xeTC!57yzir8$E%F&em(v2R6EJQ)+1f=?Sla)AVfU&HbCA5S>xtvLj z+rT6M+k*_ad5+O~cKL^_pTU5^v6{5_TOH;B+Lseb>@DvRy}^h{FWnunwAvm14B)@t zaS6lbhw}DL8N4`kf#Lc>D?vd!NM%c2LORfiB5kmc%z^%QDiaB_)XG>mlCR--?3Djb z9VA)&Pp`j)xqo%imi70S5Loa2$oHj7khJ+=@(*F*MU(Na&uq^&8;Hcl(w#qx$FE-H z_2IfxI3Wm%{{WN?sSDtc8VGc^8);@8Hb%jEEVvyO`C8jo7t%I$04QeAgr zRy4ylLbg4CaJC%ljcgodX*n*6P*ACbjn18tqR1|&jULEBE$R7iaVYOLdS0nqd*@D6 z5QpenUD!2U!_NT0<^a&fQm$WHtC)mxrV4xIQ@OndE~+)z88C#{;oR ze^OM#$mnfJ{(*g@y+h(mJjyVhE?pA;ccPJ&W{VzL2qYOs@4bP92&7w=9+aM-6KwLM z)`5+=z_?k*T?I(E7PCZuOwD6-5zs7GK080bn|AyA=9AaATE;0m0Qc5g*w+UF_AcL) zdg!3^ttOz^ zpH{CD$6Rb&m#w*#db7VHXDKp%O;(C{h(aQJeS#G$t-kkJtUL`JV%_vqgvDKDk!&N( z`CqxPTGch4vA<;gEj3(kUiST1Z$pFQ`khXNWBs1HaWq9|ZVgOxh8qIt=MH70P^B6A zuHL)LOJ8c9ce0$@w``kf-J8`i5M6j=WqxbraDsA%oP$7FX4_lby|!6vxIdcWf!#RB z0a^p)Uq_~h_}bt8_cnR7Cu^2N5sk>clG^>M+YS7o+9xYXUgXb!uYrI{Jx(6yY%IJ- z98mtx93L?V(K|}azdY|e3%lFAc!mw9cJbBQ8`Mlwn!pk@FJ}yG-u#k<%=E%7erzdy zeX-Vc5;W7;@0G<~CU56?>vO+uG;GEv(`)}?_- zU30-RKFD6BhA+5k%YHld2>?AgH>~Z3rADv0C8JihlGtP_E+(;C>@0Nek`^p?UHO)4 z`}_>PaU6?};g)h;xg7T|TWGC3LU?zul?E8~y#-`8c7TErV{gm+mM!L&?A3U=*03=0 zvmS2rn&vT=Y@gGO-kgby%`4-Bajg(#Hwcf6myc!t>3+B50?UQx_~V9!mLlMWZ8zSP zb`;8W*KS-nLG>cBu6`0ew|>Xr1%qnaSH6*QbG?ePtt~Q;OMZDCL|#;w%+P9AV5Hlo z9~vw?c)YjFMD0Dh4_C`AaS~oXo=$#X#}QR7S17z6dR}x1v)FEjs9rxoImrEMcFV+9 z*wno6!Uv}tNQqgw-|Lo>a`H4;`Ings!$Mwa0W1Oog8vtx0h6N*V__)gAz+S8_Xjeg zl|hT~!I{sbkwKmm+47qgT+M)@_Ysefqal#K)KN^;X%{*qve0qTA0z*)ot)3h1FP=m zUpk&mjW&rb zZ*iLYeo&+Aah>|O_xM+Q_C(4c1VmBYgW(@D{kJ;wmjq*|#Q$aEnCH%QpegXeKV6e8iSj-{ zXW4wytE$KkegUKTe`Le)1gM`GNjnJkpcdO%UM#X)<=e&4LGZMJS8c|ZZX@%E9cv)R z9(z*&Bp6AXSByAPc|54yTo!Ox*n|?SLsv?MeqH%T`#5@!XvzBt_7fJ{omm`=6_hS0mz6+ zz7`a}_J^ggbFqF>HcUe*^|yz-{20L&w7cYC)jl(fJ>BbjnWmh-+J{$K!%PEW;k;}q z>DHnw|6tc?AR)BF>DEoZ@UE>la6jnVl`A~EI1Qen#z4l!%9PywUs5;w_c5lJ zypMtrkAGw&*X^#fMRzDv>R66WCzQ}XIryhR4$=l7Sxom(^rKJ9PAv}5saJzuMlx8B z3aSV9#>uv^m8r2bOf_|^)TTUHyssXNkNHlXB4CF-jTBjqGqPq*VEYBy9WfCA7?+rl z4^OijhfL;vn=zz%=+__9yG&4rnGqxarPH3LnSJBGkk|jSS34)&U*PON>KmmFcq!AD zy?xi1@MuiC&sEK~nxrPvw2mpY-10GEo7nFH$w4YDhUU{JCYWq(*sh%Vvlq6&Bo|t8 zrqo39$>?CVSZcm&@ya_)%`6s08L21~gb;{!VysJO?(+p*{Uh{dmJ{cV248f**w5k7 zIi&j@VX1yn*Voj9CmEF*LOutZ-{!n8`s_{1o4*-aryG^DZt2K#G_h_VIWcAI>)8lD zDKVoKB{eF>P*ju*=7#kxejK9NQ z<8y@Qvv0vD#2*8VqM^L@4kQ|WmXqWDXp5oN$rBr+;$JWLg@Gv;`Gsz;rauK}JH88v z_)`i|qPy^2r1xP=%8wg1UUuGYV&dW(qh}#JsyBF8FdRNqB0NP>8DZ3a+)f2$5Gq36k~?3qGsIr~1c)AADu_E)tuVWy^7pGxoay$^F07IboCt zTgaIcVZk0>nX3O0%1uBhfDYxPH7$Rg|7wRZ2ZZux$2eiYj-8EQx8Zyg^Cjx9cMtUp3+P5~uQ7hG&)93{?2QuBEY?l9zvXoo}Ha|~ta*$0Jk1m^$ z;!m>~Z~LMPI{(LWH(vwT_zJmw@-N$G83DFmx7gkSBy#TULyBD--@9PFrkkDAM}Lu$ z>rW0HYyk~6o!_+Gxbti~bO&KDUSVM306&}UcxT}WLt&9Zec0at%`RPzsleN%KXx4J zCF|FF-L949R$dt(&z{7iyCF2!`II@Pc5$$2@wu@eJAJ!p)*HySEi&~L@w%9e6`jzc(gfcR_30o~Rc$=JmAOb+L9*>BDNl`R&P*p+Dtj+Fi}Oj9^bk z2cLJVWQ0(^^&W?S;wv?z*PTQiyA41SGg4)Ndjg9 zO(t&Tscp}^6b0Xd*~%6;WVVMN*^c~@WD;J?l8S4V>UhDG`gPqVFu6>#Qukn$LuMj` zusV5onIN$ z%hb5FA2lV(iU?(}TD^T<{{%xt)=d+lYa>cngy2C=H^8*gA3Z;5aAFgWbPrcxh z{aF+s_&k5SBYtgz-N}2=@4$R}%KuS#_`s;(>c}wIw$jM1b#Z$x6gzBlzCbQ5?q;gg z$p;q~D-F;a!?J;2nsU}-6y*zUtxRR@4nIQEOZa^8^b(5Z@?yWGIwWseqV}`CqY~A4 za=#caF*AwUOu7*uZyhvi={3YY(<$}|!Ovd#*|IJpv)wq((mWTyH!Iv$-~rxv{f)EF&1UH5 zhqb_#<{K%dQR50;5!cpAl~-H+&a{$NOm8XfnOM74x%?0@_1X3>`gB4JHA3AHgpl<6 zMJWH8C|ooI!cIez4(#LZ91LAx@|v&C5kDQzPH~XFS%FGs-f6k-&k5i6d40{r)mI8F zxVgAp9~QON$2FXSP7Q1Qtq!2s3DSS<$Rp6B) z61l(9f2O5l^NJJ8K)18dvv8hurs~ZcjVH{(LNeY3*NR#>>c7X*SESp#3Ig>Nk_ZC= zHcpwBxAO8%CmhT^?Ca?1l%D5*q+89(W)$@M*H=QlZFTHUi*o$eSbm(JmyM`WvmMICnG)YRr)Fc{YAp~~@qJTyo0c2xgHTl6@hkvI~hHvHQ`rMMkXj4t;gTUTp^U2Ocx9@r< zr&d+vR`Grbfe}lk^zoN{EW1^Oh2sPxo%8t>4Saq4B1RK0UpaME=~c_-s5E*buYX>6 zGexxLrB&^E%%I!n;?OB_R(%^`y@OsT`YxN5t=g5*cw>9wbRKt6FHLd!(Aw|S-Hzw+ zLTtEoDoAQudm^#aACj?0tYP#uhHuRdF@hX3g{kHUW*r@Afjbcbt?Zp^VJ~m;;J0M0 zZ;v)Cm*dqPd|D%LVqxo5`Mbpj*sm_op)=mA-@&2hn67u9=?{xKz#`d{GE-jf7RAYJ zb$xK##-7TEJDuA%%fkwwefI`kgJ){JhNsfdE*dqNO9k(mcJzT*LY^cmy(D-7Q% zw`8xdUY7&oR<7~M;W}$SS0gNDg{|(G4-Kh3^$U3V)q-J#rn9Hzy4$b#GcPi9l55wP zzX=M;!Q{#{+PydX8gYxV6X_0T7Q@LHxX*WY zbcO_5GdRreZ47*FiHx>-Wv9qZ{l;C|{*l)Q{lO3cZG%zalfM#0WrfU6a-Fz#N*dg| z{RQ8xC7ita#>#>7quu>06JN@nMtUz4`sIkmRn)C%3CxEIy@_#Je;{qW(&Rko5^lAl zW8L*O_jL4_7(MgXiP}cbb~}l!8%tlb+&@MBnE84@yK*v!8rMf=Z1p_A)5u>vrPlwW zlgp6NN}gf6s2V3~Zffxd<5jv5$1bW{Nh1{V_9ZX!uDpLti4#WeGK9Vrwls*=*b%og zz4qWB^U?VBLmJyRZ-&wYWTT6o5G4CfMEcy4J_u}bo>>llGk$kHz?b8+R0?m|%4yc& zGiDrpE&&x^Ez|gX_Q_riC9j$UnAPuWwY8_{N+m6e`{hY)&r^QfeN``n4wEbMzx)BM zU_Y^DHZwr0iFK}iNR3+ydYFE&zFTC3wuL9}PkeNVAT0I9*4_R1Z8yD;sl~fSHO+27 z>cdKz#G>S0p~aVpXK4~CyHj#m3f$}0KI95WG_?f{VnADby1c%^^MecTw#JBlkYl}# z^LuXgQir-HcJ{r@nH|yjgjg!vxY2v7a6MsN-!`ViQ9wqQ`UPj9eZcUW)QFLqN&=NH ze|iDFJ$~+&61ij`0*~ixvg01PMKe+1!5zD>Y;2<-kh0d9c!fphW%F^qi=K%^mtMT( zzP^6;hI>Pjm;AigCU>lqT)M;KJ>SGT&uyi}H%b;Vp}T50|j$Z1UBUc#5L^Gg*YnQTBLs=U+=)Q#FKW*4~be+&*2Oz zh3j9^ygNj|h5E=bnLPL)q=zudw(Rx?!kF#A4`Impsb}LvBYsaBV6TMd@HD0iW_9i| zzCzeO#iFg2#8S+rEAj@Lvk#2Ti?6i9aLq3^O-IOMdpB(o8m^Qp*L%5Zj@(!XTWvk{ z1M~wJB&;g5h9zrX2@O2{o0)}QzqWk+X>lK0cApKn#`SeythIX`4c&OIuCKv+jXHb# zH$3al#_Xr@w(3S6^uN#WqsDR0v4i_3QjxbjD457#cDAkXS38<+uOA}4IdnM$&QftL z;^$f|^)kD8>3i5ym+PMEx3m92yHPLtbB0lE^^@V5nufGX3iU6xj=5-Pt~AU`jgnvK z>a3NH08Nm$7mF&$R_F-}cKBGW#+y@5Z;eM3C~%KR>jeZyV=Y?Yp+=8)X!&U z2aSivcn8+)Ym344`{X{k{6>GcsBBhSbhGnu@c1hVqn|22ezCf;9cvt1X*X%6q2Iba zOz$$2bJfo$KNhXG_|R&kzmm=SoWj9~MIGLkfqQ;hbk-k{FtzD)n_a3De?RrmSrQ*% z#DfRzXjasH`xO(hWk-|=wRGN?YlZ*nY*heI*kY&Dah+94e0SB$`Fqic z$6O}6^Bf^`&VA7meiJ63wXNO6j9gyI*P8 zaE@gqAij%GYj9(U_6PYUpWp*beYBF)u+oZQwvSDviLs`|5S&f5=^EY=N4kplv z*{(}oAFM;c)B*+-ecuMqye@5m$9T}+Y_!wzAYHEi>V8~Nkw%1fe|-k7GqHb}OxW=u zaf3D=nJ=S|YQ}@Tjq&@>dmkL1xp8CLA-JH{e?3C{OC-TY(L+uG6W=a5`V#oCgMY)F z)Vyc#_>Gl%q0r=?H|BZs1jq(Va2nP1gAVx9H%d5b@N7o5+hs-kUzn9N+}`2JeH$Gh zS)ccmBmQJV?@LLW4_>oBmt8HfHXjyZ9ZdvA`?7Hzx|eqLpW(4zvi_-h0myg10@H65 z3#Wusj1s2yWBhyXllFn_{fy(m#6(#N4DCR_c}d>BWY{vFDRR3QgPg$xR%GX zIe)(-l)A2-j%WJ`<}hpx;?i!^0{xNoKaw@ zT$-2PdhNIe!_8DP;W=vOI#tuR^y0hjaz%wmvG-0g^DK~1TZY}fBj8r4of}7<`}IwV z)p}Ee#6n*0HJw}~G*ZZ4O70}-H!0km=dxWzn{j?W0{4tpQs+^9TrLbgs>kD{w$vuv zyqbTCQYEOygz3fbrEwXInxfZTzoaiY?}`oo@X!^>xN@=gC84jN(0B@QMZ_uPm#Gr1 zwH2B%oP`Yy0Z$%AS4@TYe=%Jg>`t`=Vbg;Tg^ypDF&tYBbL;x=2J z-@1jbSF>(UxS^JBYb%9ab%O+54ZTz zzc}^m)6mIRZ^HIO?YU6-FXKr4vFo?k@aqo;j2o?>$$f)bxqk9 z&t{IAK6&vpZvEbT*H$G4ZPl_oTZOEMa2mCZ6xeGFum2ITbXCN9=E9hQ;jDilId@;a zVvOGfn7_@FfI$l7`Tp#nF%c7=o1u4qY7dkYH-ZrL9u6ZFyz=5Y@de1Gu|wUk~4s- zThX0*A3_sJ_Agyu!_BG^zB^NAn%8M6P;PL`xFR9h8it~&N}$ncA|MHky) zF-sQ|vtHiLd0VmHBYeEj`l^vhtMglf;88HEB?yE+x6NXmQj(@J9B7D8g^|JGFuk)9sK@MZ-5|IFPUQZM#EKnb(G`ubk>Q^E<{U6R*P1w)Pb&pQMaDrmlr->}@{i&+j zm;!<(dpOJ*I)gG(XOi~QeXx^-?o=APtDqe0ekZ?57L+&`2-0u;_V5BkPKjZ754rO} zLq}3_zU|zj=PNJP)~p@Ap^;F@Cq$r$;diZ7m=BQf?PakwZgEfrn|X6VI{<&NX5IQ) zcm-=9TJQ3UzENgSC?dtz{QW>w5FI#bTcARGA4TJ``di%!*Q*~rZg_7CiFqnup$bHE zqB-gB3UG1)sI`1aWAu(s1(h!6Td{f4pg6NFl-o88Dpm#OZrD0dfV#!Wpxod0rDaZo zqoQQsYPNvrIkyUosTijUPv3t-$^_$b(Rm%n z&yGC)+fsjlid$Y^AEdK^j+CTSdbW8@Pz~FEa~tOl-fgQGt}A)1%2mYK@}R$%#rA=W z6w#Yxw$*_fC7p#a`h{0r%E3b%zY5ZFfMvu%(RH^$xl?qhuLlPQV(J`O>Yb$|cA8TFYyD{LRwR(H_Xe4W6{m7+_ z^2KABK@wD+-`l)C1oSkmj<$>SRaqtf)lEkRczh|g zBjzO7)$K&K?L0`N2@P2&K+Tn&eDh|RU{TR!GCeCZe?w5O-4oIHQ^?K~hxY%qwx{qX zAl`Ht+}Z_{s{q)ON!w3Fv{bVn6cD*n5@pfi9z(5HEq zV;F}>l7EBjGR$E>9L}&@adZd!czZ>Dtt9c-4zC@2i9l}0p~=pwza}H$y=8pd=Xl1X zjqmRdXjs4P@03}+TMT&pjUc*{Bz@h+kGD6TD&((;p=Y(IiD+ z`-Xa;UxG-qC_dZ9*!cHg{hAfHA^!nCy@cx%?wUmzp>~Uw52Cu;DSG(cwEDeok}^6& z&p(Ra*yyU1OYHBwW&FzsdV$%JGCt{&Q`89c_g?+l1;}M}TUaQFZpUGZd1&Fvwp5bz zrtbIQlb!cY6pH@1lv3?Tl1}sf;H3TJ!PR-jAlYEknB`@!4+AT_UT&XYeuWVqehCD4 z;^hSB6Bp|R50^a1Dmqcq%cE&)#|vp~2KmOU%@=_UlkpjvNL-2d3##bLiZi^hkM$*S z+Du2gH>`+U!#d8u<|tu%0hEVi5GKdlupx8_LVrGnQlLg7E3DN?{wxSYx!&nMx=j@_ z8a=55Ls{qEfR2OXXfP~P`RK4{f=kSba5#7mD z4m=CPot05&Es#<$`fU-Re?uc0@h(!r=pj=h9C6I2{P-FgNyZFE^)tbF4i)=Xxk!O> zGVshp^l6At3`&7g!+72b+=LY1<{5c3&2Kve{TrOvNhVA|;Uq)>Qr1SMrDIb6O+GxL z|0dsmOCJbY|66(gcWqx+IlsEXz?o(zw93?m$~Ab)W2)bBXu7(whYLc{(IyHC_n#Lk%rr*zta-q; z3ed);IZr$kW`to|#pvDQynsE$nL+sKIat+2ifS6f693lUcQHUqP!y5|GLIlm^eGRn zlKo@a7Z9i-4tV$dVFoVvyjz7^G=-HSHg81}hwkU2Xx#vpEb7_dKNyuBKln3S2k4Gb zHcZiO2X`xOK7?lb7$FgI+2-lz!qRa$kB1!_8VZ)KlRRr|FfUUD2a4!OMTI&vHZgN=ifHTLyNeufGpgteG}^RtMRb|sOok#V%KP#XGdx^z#tiBMF6*)BHtbLUCC?7{C3PA(njDL7C^rzy_7$?Wb%cSORS9ken`r**pX zNfls7N_8uRZ zfhS`8(QyGV<_;xrsQe|6CsNXV9|0ejY@D`$c@x_e6CSK2%*%Q zbF{Jktzu39NGiO_hL3;aROGJnu8cvSy$F9v_;j*%m{002&zjjr!sAJ&B47)2}8YBiX;Dh&551iEpe?sly3>s|+*YWWTND965JWk$b&X zf@QMwG1{0FZblP5qA-Jv5=-#rzkQwWnRIx^lOPYMw6l>fmM|bF1b_Z)L+$Zje%(d@2(ZzeW_n%%<|s}m=*S@f!A>ihGxX2zI<>-;^OoOs@Q z3(V;$a*duo6HP0RN(41cDm!;A%@njN!P6M;yG3+sh9@qq+gyhgBU_(;N^~HbkF$!2 z7Z?2|T4un~(o4gJ%I8Ql)jo@WlYlpB`vhGAw4D@t!;r}u5HjfGoxOUssp8FW$(6s^ z5eKm&`{OMvV8`$wI|P2S<8}lGb&+nwDUQg{^_50>wYt(i#zJET3eRic0YB=L#q~;& z<3aOLAc>o~dvjVnADwNmzNY#_gAIuOXG8JIl#|+CwS`*Xvh3OE=z(`^m4` zdYxstjQL9fjV1$?+VtK0Oc7o*eU4?1r-}Dl%&$g7$Q~HOCIe@}5bIE+<)jIPRXWhV zSPN{FG`S-kD=a8VI2X@l53Ve_HBS&4oa6}WSbHik-!E4Ow+0U;hGK4!gd^wkg>@9J z5aTz}W+hV@YjU%p=GLX^+H;xIrOAhNaEp z9Za;*Kkj)~+yT#J9`9YaBz*e~Kk3twUET8OrI3mPvOf`OrXEDUxTIUDfPM_bkT`=b z(L-@Ixd`7Ol#BPay8ZlVG$`~&2Aecd*B_9q=6S@PQuEGU4nP4hP0T0kyDnSmR-_tS zU+CnfHz}^C3ZA(O^f~Ex!I#Ts!nB*~>%(lv0Ns^hvlD}aOMSD*4T@+URU+r)+*EW$ zDtdN=LX0ZfK6uCoRHn*n>)z!%diNFHNBk9OPu>G&o%T#Vbi+c%9%Aui7!={3QsiDR zd3G1um!fKEIj33o5pWF!76Lz8U|(^1}JT(WXl^+!tJRqlum^ z&7}}Kp1yLR$vk_92|o)pm?3w!syyOkxHR)@g7@vcYYI$ct^CxrYj4q13JSs9g|k+@ zML`DO3ERd(<=pQtn^i_?R20gwOSyZ-QoU=WA)hhv;P;;dHx(W;;6~jRC&iX98J-XC zD0mXM@wQZS7Rr(i{qG!GCxENW72!Xk2g3~X@L z<0}O$@Ta)^wYOf|z4dxM8wL}IO8rUM>~ZLVx#t_7vLGTn|~UB z2Ordd4mK^afRrjx2G~Yb#UhlfT7ZFeq3OMN)5kiGIqRP1nyOWkT_Y*p$|sER7K=WT z{CrRZNmuok@Nocr6)8e9`9jGVolfiZAk`8oBbc2kv8-BQL1@CjC0LcF!T?b*rR^Pd zjbV;DqpN=a2w(}6&jTMnmm&nchF?y0n5{-a?3aTTUaAQ*+RmuoD^52xVtC_s9QKjj z(=y|vazM_;C7UC8Vx|(vPy30u`ymw0Nd~ek3XsO`TtLN9R`ju|>Ri+=jK-DQYKH%1 z=7BvbU~9z7H*$`Ja1<>c$kNk6CzwUHo-#0)n|~6Sq1TNxs>oG5nhN)W+)$TC{55nT zBM&qs+Ym-TOvOGy>ls&s8D*nxv)J_eGaX4|g)f5xLU0IZy|uA|mbrBvawrm@T$zK- z%nso4SSmGjyo{An{L6-e$No6y|7K92 z8aS5mhi8XxX*)o6coMuA4H-Es5YuVv+ou{nYbkOUGY&H~vKc_rCH0$J~D$W|k1 zp;+&haqB7alGM!m9{Njzup?Bv0QU2g=({+yLOTSuG(uoYD-C$UQ43aP+u(3S^btUW zFJ2T_h0yK1^N^5W4~0Y)Mj}wSvGCw;YRX&((_$!Dr4KiLI4$TN1JlyrD8QutM<#8B zCI#L5hawK3T^qtT(4-2jucD=itY?7p`auN+zgK_3FmY^Ji%D(?=x^-c1M$B<5P?2; z>t)>sK9D#JXgDAa!EkVvc*?R$6y3wfL#*b|Ix)ilhaNgbLoZp%m_TCF2-y<=Lft{P z8JyPZxW2;u3mZE`d}JoT3|=COmRdgoB<8)Ipq|q&>xddaX~Hc zIA!>u-~DkIw~PJSy50$a#kl)Xdem~K{<^9a!~{r#V}^DG@OVH*m*8I;>8I%DT6mW! zEIU!yt}OePS2qW72Z{yS6{rn>eSA3y7z9AJE3(}6rX9(PRM$@Zu3|9vG(%MXHY4N; z5VX0&7zIvn93n}ojP7G@>heC;a4}j5SyeVjs-Yc}(*d&Zh)$iR1tymo+D-5M!`;LS zq4hi9O7TL^bpMF03<=QnKDn5;TEKJlL9)Vc_3N18!E}$J??-(;%|-p^m_2Z4D;)|# z>cB3<9SQ*BF9Ep5@?gTKW7{<>{`DWf0q$gxDbr_|KOn>-dX@|&baV0uCxHBQi7V8P zzKg!j@`utuAs7ozuqUwqo1TA|y3YSfU7g9^`&SXKE}!M0{#|roj<)&A<4|K}24Pz3N#vA-_p$gm&k ziV^|-p;R)b=J_i)iocd)NoKFh)Mn(lLzbm~C`-_EgU~ss)a0|FZb6o|B5Xzxg z1F(hwg=}ml=_0<)`PY+$|Byq%aNDQf`zKYvKbf!7b5I|uEX22`kkHMx3f%#mp+4jc z)i2KY-9rcVbNHV5QkKKrFi&^Bbi9USPt$}l`&jADK%6RHqdIfa%!75EWG009!_xe;GWEKu^7$b%npf zoy@b)NK(i`9T_?F39eto6&!Xy(V)W2>?MQWdbNWwreXpuJqr1fMk+|LUx7QHcLvin;}p1-t~7nLYasiJ%iy;-C4;!l zh$_b)Vo5*noyF-U^$1Av$w1p%-i`#{T}7@zl;P6tKiMoGZlH`fqymi4LcdjDt`PYt zlO(A`&hpwAy{Cb_nMJv~Y+=2)e)3;vcFeO1d!cSYx-nh&DW)w6%CE zH}>|3DS2ye!Nw1@zsV2Y{{p@{J}L7&w7NIs?Mpc!$y^LZThZRFJOzGx#dj4QWGUzR zhRhAJ_u%Uzm8Z;)kmui^e;NP|!F3oa>_Co4{~`$NOUpT_pK$_H=`?n(ypxf@PCDR- zEPjBDkI}6#e<(dshNK(|1^3AN=xl-KeO;WK_fK#YpHzDPr}q)?x@Q!9G4jriYFw(wIDh0jLl$6yxP&?{ z0iEGK3|a~yB5r86a`G0-#qZ}jUg)DUA~LMVU_JU31W}TdblIToi9)mTc_-@*D*zF6U}F!LMnc zMREeqJ!6l)3@u+qJf!52Db_k4XoD7!ddl{DOJFYH6N}6u4@YIe@`)OaqSeRiSo8@M zN9#D9(#h_8WnSy=<_0ey0d zsx)$0#u43*_nyMeTR{!%CX%A^4yKoFD}eFti=E3V`wpgTov$#yHv>Yy=|S_}1P5o& zT5p8@9(3YP7P)#N-4Xhjvl5u5&n&7GSHrAp8e$}MFnkM`%V z&B5O%8^In4*@au@WrieMNins;on4sG(yEt-v`FDHM^{w2eNE!ZY;-3Yk{y2Jy~YV9 zxC|D(+*im7P9{obfflL5v0W(T!MDDU<>SxYc_L=_1}2ol%dV=iki*LfGoi6cqT;M7wJ3~lUk}J(DgdU_{9y5Dm4rjo0kdZ z6^GZm$@QV#YnTzl)^+ih-RxWY2-xg^tXzT`Ta`0r zIwn=OIZZ5ndej=Ui+s@L;@j$c&0Sq9md>m1Owb`0THzeJ|EH z5CnZ?QonnLKEMn!c*fB;fSFj@a+|q{`PG-&aqVWFdm>_x43q-aN^pxzc|o$COAX}F z$>4}U4dLM_X-M&Pw!F5%>R^nyI|(t8Sp?c5t=@|C_t)Df)$1-3vljaEbxL7&6)`pJ zTZNz61EkqI-^TdX6Q~f#Mx?^|EkpWJV)|sl5~RvQbP_b1tN6phqvo7duB6RGsF=ou zytg2*Cr~b$3lV8$i1)igzocm1-k~>;BB3TuV|6YjR4hyAke3@F{})9G^R4K(w~M z_T-5dMv!V4l+fk|;xqC>RK|y>{I@kA#m8P&q;pL}aPS&a^ll-8^B=XMbg5ZG=0#8A z=+aslu7#L#*S~9@Wyv`q82LC_Eus}=Yhhv*?uRr8e{ZmRH(QcM(7JCR^du{e2*V_B z;pL;Ja9_*4JRHkF>79WDZ&yRwaG5)IeFBmOI&@WXXzN`{k6S(WA24O15j7TL8K9f? z_I#ug*j}}NeTyZlF0sBN_Ub?f{HKc!FuG(hz~Hy&GNy+E7xAqKveU~%kRyter$cEt z-XT79C-|7oBGIG7QysndA3fzJ8xUKnUhv68ig345&({{es-lINoQfYRp92MAeV*6S<%2aZ`++;wJ zI_+wnICDuCxBxOeH%~#x2fQQ#E~}E|^nYLgt?KIg=bjRpjh3<=IV-rI+hbi48kTa{ z72XA<@51sq^ROAoXU9yQtJ4}&qx#n~htej)C(%U@kh@|FHUgy4-yXJ2WW%(3V^K@ujzS#L$YDXvQ{%bBGVz zAG;WuA3I@~qxf8F&oNG%SMPPhF z6@ge;wD%>5r_{$Ynp*qM@>_J5P|W=J^T^4Qx-y#M{}oeuytEKL>sH)7DKt( zQ+&E5X3AC0^p%8m_u0%{7YreXmq`-*Re3|(T*#t-5aK|`RLq#J{sB^5`fTxtVn?fM zqh{Qo7H`v_c#N?`rwTbK$_G|k{LYN9Nb zgOw6nR3_ktajSa7^Yx8#d0Ww=2dEI*1rL}g*ylq1qWpz+SLGa9-jQ}Xs(5Ykq3<`9 z?qR2tI$llmSe;xje!0U5=q&|8n)SXlB#|2Cr^ctxATWJG1F>D|KeOHZ)d}0L)*YpEw?4`ae@|)cGLQ+9=Yf2cH)JaRV@yu} zsNIML3|(c{hCDOuoWd%&vWQFenM{*T+lST@=!IfhrW?<^9Ko`GZ9EDeW33i^`iV!9ruYdL#H4` z?6*0hRKLZ}-8c}YAA)Ron@hF)Q)3FEpb{~N_VRfD4P&P9TeOjdIV8jX&jf5FBk9vd z7F84j&V1AOlnrqPQfw{7f5Vy36GS*QABc8Wp#5(A=b`_X|f~I!59m5YO-zhDj9xNaYkW0*td)^g}jRadk8)*=^FQ{5;CXl8wc0H?)C2c z&vqXoL9Xnqj?pZs6l~4_$Uz9@ZqGr@O-xGsvDxn`%YsD7M5!Q4|H$=dvxIH8+8&e3 z6N0o>b~c8x{jZd+ep`W`tkqVN5dm>C(JJp^Lo6xVcfZ8nNAhVpZ?MU}mk6Qdoibg| zFRAmvG;re$kYao>sI@mv!qhA@czusWpV7!;dpTGrYUJsY+zJt9 z$uc7pc8+~kECbyfTMLv9+7stFL-SY$pqxV6Ae@E9Vn9s|{qwkrsidrl<1`Ccxv$_K zS9VQ4SFD@!)I_S2Fh;Ua9apfxwdaM=M0j1rn5i_!@+qC%^QP}_#-k5fyR70b(RrfF zwK_L8`eMjs^_M#%h*#`YS1}WOI#o<5Gv`lQuT87?=c^xBR?}MTsbS32o$C-0eOr-; zgSe1|XCNT_vnI8hLK_Iuu5X!%GFT!dEh;iC*7DJiZ3No}VijL#&O} z+DVUoP9k0<2qta2e-?yCNSIH1MjS((q0g$>$EALaiE%ou6n=L+w$rs)`oaQAd&3Y@ z%iLMFaq000+t$ZV9j z_nCLg_P?TK`f6o4X2u%hYmE_O-->azUt9%9k**wzQq7n^C-G;bdYrLa0I&WQ3a#js zD6qaN@tLWl( z;ZHj@FFmhLsu(PDG&j ze$;HCl?jKxQexwU>_K)fi=+XA?rkp>hxnOULAOUy_alE;NIkuraKMpgzCBP9zy5>{ zuWeZWtjpaIu2z)UfCL=-ME!-EJodawv+`Mdk!ITF48CP;(u4~-z4OT$Axb|>$Li@a z3e`=fN6+iaao&>#7(-q44Pxq~Rb@{_w4PYA{GE5wiO!Xau0*dcU9q6sq11&@?CVe# zKip;$zG;hSXiy?9OnjgsRrcKopSzi3VCktp@nr!k9{%}YeoUmq(|sb9gR%&J)OR{1N8vLr(@hTY^A{xPsnpX3{e>R|lpOn1ONqJfT zpF~>p9@D+E_ayP_7UC(QqQWRhy7YR9#m(mLRit?uP5G#rBjum9+2ym)=x`9X)ngpc@p@lqDqfoHw8Eso!NkhRq1R=Npm1rJK*Kh z477u-3@!n@rUsAyi720Lut0jrm%ra=Oa-mQ2|lBEm}{$ z*xR_7OzFUBmx+ZYtJd=ab5pm0s#8nHIk`kD#wJ3N!a)(-Q0N>cf*F;3J}Zf?zkINL zCFzk0kuqJ!y=nEAGs(OXME8lXL_X~yNN(c;mtZ;i?6$2w*sbudI`Z7xwr)n2r2O<2 zYs*a}d9?G%mi-ik1B^8S&0)tL&7nsx-)S(x&vfL=>aDz*=&fv{|FT-sB*vBw6R%9DckYF#k)FMtBbV4*reW+2Oe#Af5SPTMZiR}2Q^7g=bg$QFqEiyqKmh1vps5WEcM zODb;LcdIr|yJGOTNoSMp{aPvldtcF}^#Z$64Fx3(_5DX1#e)j;Q0V$|?+~QApCtkE z9IkxXRqkDeOt=e5m!|2Aog8euXxQO;&UH#b7&B15GdSKePsp2ypAfTVTp9=P(ws*K zms_EodW9UfQezs@R5#b9SYkyeUIHaCuv8R2gQ53lNy_ckMg^BmN1mKM$fjVQzb z3f<=KmWH?&`k3A8jkzxJ+(Sho(bV*-vkHwaKgd`H^j_=C?U#per}kE}3^*lQnJA?4 zhvyC!c}rN3ej`ewt7>aVD&CwDv_(f7(jB~IV4-=%+)*$xM6occaz)2*x=m5HltS&#g=yWkskEiKd+qLw9V9BNdu*b4Pb^G6Qt6j8e>B7N(G8a9|_(N zYi$nkwz8Z#XXkTQasb^jQp979?iaOP29^jR@r~>Ol8}Av*k6Kx&q}b!94W(D)5m<@ z{9ZoF&C&!RcWyuh)k@q;ym<;o=ho^fqcr?Y;spZ(g)z*j2>i&aZCI6iSao4O9h%I14GeBDLL%Cib>yX*IcgN%k+`2Ix6=cC$$(!t8W6z67WezM@3)s;GR0B)0s%7bV>eL1!pTN zmRe_v$d+!)?MYK!Ap;60BW7`2mVt$y#0*rCnfp ze{flp*v=Uzv&rvU2yDr#M>m4DUQiDAi{Kux;yj7%#05Tt+6~)HtuPdPW5}8FD+=M> z^`+zHeSi#6jZn7~@Eqv>G@&lG2t!SEqc6?h(>Cej>OE)JnC8~QRMAZluDCd1whU7$ z6zG4P86n7|U3{GIp3p!MoZCnHnxC|gm1D_{%N_K6#wYZCy|#Mt+;YfbpO5WQug)kh z|Cmz7Ry&gJxAV?7Ec>{QY=F|AR@OfzqVHcWI&Dzm3%C_IgeYLP_ zhltZqTCa7E#FUEC;3=5=On%SHO?iz%cd+#nu{*)daK@|xA`H=SqSSePd2SjF4h0L= zUGt*iYR^lo^>lUebZz3_*J|1#GedH>NyU`jmG+3)U51&TemT`Vp+-habC07DCE&U5 zBhdOugg`i=1AZDMyW7np-t$=v*|vW7^o#1Dy`K5AR?o;q>2OlQoqmL`zIxN_m0B0& z>)D~EI;hAOV(=C&3JQkh-(4s6-A$FK_V6mWY0_i)% z2>q6ObkK6{g_}PMD8i4eR;bVkDCfP_)q2@~2(Xj=0@#7X{fpOfLJat?;3=`gUhqE+ zjaDjRwl)-BDk=(0?Z)A^mem(&cPkR-WRPUA$s7D(yxG@bK)jS}FyAtH*!F z_5P*7LWST#7Eb@Z;Xn2&1P#lg=)JxBy)%*NQh(02vf4sBjS@EdIMN{`Mo2p5P#)bzk83II!^G$ zh6IeeHh!D)RoNHo=4!|4%JxDb!b`qoIW$I6tkVnu0GA&K z@w?v`iWjI=c%x?qV(pGeZ_?Jn65(6g88G$hgv2^@tc}8Z)zl zkt~mO$w5rS%@B4SOkC`w>IyIu=?p-4`4JDrr!h1Q-oQu}gjl!ORmxxzII7e!6Dq4w z$Bk3?#*85_(ariF-BMKx3+<&3ECbY-vvuaqpAme@&ieo`+CpL&P-8-!8KS3Y<*`55 z0sO`l1_oucR;Pf<>F+4v$r6ODfXRs?)lQn!KCgMhS|RTYP{nX@XU zu`{MB^;#kCw3JToxnfAzy_7Jyh^?21T)y5f`!7Ny)zfx%5C&?_n}`*r3skBmT%AR) zg)b`!r3ny&$A>Z299wS%mzKv>{MkAcF}2u;s86+*Xg9WS&b+BDEitujT4XG}ei&a( zdV%#d=f%1lDnUv+Lv))()uRUW)fyEh-$06mSX8^K0yk4Rl}9FRl`7=)>maB9r$y^u zmB)UMj6kV`)1Xtg(otNl4$M8NfX-2Qvd5Yj0#TPjzg zW~^V^5f_Z7&J?P6O1;`qPQq8_cb`B6ARh(9Bh0uLWK2pTY*4OLC6|i{t`q2}zqd3x zZ?$VniJt+wn~X7o>|41A>FYW30&FXyR-HmrCfA@6z<)l!7=a?O`H6oFC5E@p?bk&#Ry$#+Uia@C(oZQ2$uldW6(?IR zJR?ttzP7?=(I*napSB!nHPgTJS^&uv7OfeemD37C;b3xmYV>LAor0&r8$*|FsiY^& z@Ulgri~xFIMR5(ccbE9x{L|U+Ug8A-CVeGKf#(ll#>Rv})Ofu@F{95Tn&EFy_JvnD zs(#?fac_5WBuqv`gIwxUD(=RpY1&NA=TJ9^smlP~+oE657}$0mu|LGZq0TwnT{I)Y z>oz^5&%bx1X1pnFEe9N(Bx;^IB6PS`bf%f=ss~%^r-yzK*9#bBDOeMc=fmcLBrP5v zdsy*geq+xH=SIWF(TaLKQ5vArBA8x(^}@ywqCrb3*zajX>!)3!`}0a2KQ@}m>)I#^ znPS=oLVM374J#A9qB_-I{6v%tM(k4s5Xi$^b1y3+4h#QSXtp zkCvXR>=#DV!zYbsP`L9=ba(?Uue}Y`HL-Te0+ivAFw^ym=$D$!I%LEzh@R41MfD#v zD0&SumvC@f-t7G!?7an4mEGDdtccPr-LMGhkS+n~5~)R(NH>cPX^@geX;4~V(GAie zpc0Elx};;#oM-v&cklgvXP<9;WBlj;{}X$RH5@~IVm|l0=RNPZu6ybXZbF+TiPXei z+0c^1`mRhRXeVojg3j0!MviPET^C&a6H_9;CO(r^e_3* zj(G6GgF@BAW;N2AZh~79m7bcqQBb1++8aF}4S5Y-i43UDA_yeR|CmdE-UN<++}JC`Yh1Z2JN+;3bGBsim5t7D1D$1X`^WS{kV;VE;=#BGHu zOPA#rFvs!Lpblic$jX>Phc+-Gaq<@^96guJ8tmsccmsfFD&#xq_J;Vg^7{9;KY#%^ z&@W@TaOccajxp9&OAn$GDBo$rj3k|@>Ue5q$_(8(b4*e1c+>ylJcnCu73hrp)4Z`|JhK%LaS-W zmWgM~$%&DR*!dFYmS0v~LDw3bPRn~HwWk=NXPwjsjng5uw z?!X=L`I(N?mr{7jy$y5?Eu*g8lQoWyS3uSdQ8O2iD#BoD9G7Yg0gDP9Vk>ZHOm3Ln zl=bYgDUkGZZidJ0qN1xhm^P!5X!NjQ@BA_oBFr0}T3g?`6^G9tsj zk^jDD@ISrh=cEPHWimmJ-|vudO(CFcc&(s=1EI7EP>2L;tF`0l@_ z0Yp)L)LPOK!=;@(9L{h0BS^&w-0?2|Wb-E$fXVdT&;yt4RBVSUT(0gJl$j5l&Y;N; zCVK!%_;0&cC1)U+9-itU>9`7F?tUHsc^k?cRZJ-M8v)?7FED-X-0%PRBe;Er6x%I~ zo6V^W{FRZ=38al;gjfQ9$B+J5RY2OQhzxyybAO)#@yveI21acZ%R8%o#b)@7{iBMn zDr54;D+q$FkQ4Q+G-mH*e;susde{C{(l*Jp3O=wL&W!52X=ll7y^;cW@V|1zS;W#u-g;9 z?f{Qjg@wZL9KmyX1Gyvm+TvIoz1PT3D1_Ic|^3Md9jytqD z&VdIB6p5>2O=avki!-m|_#2ZAdeg^GQJ3(FauZ77JxuTrl0a;C5HDfo*GTn##pzFYN3xc=ura>(~qd|)DB zPHdnVWkZ%3@_89ftZ+*|Ksw~inX)>q;Lke{xpql>)3DI98<*hAK2SO&BrY_Np8zmd zf)nP7u5Uxv?sg&s=N$Ff95Yti6P#3AvUXt!CWo8~{@eqn2`!=nj!AwyUe}%%)3u2$ ztOFW}*OCdG$&|h4Mor^Fkbr`h*tgW=25b=jRM7awPJ*cTfNR~a*7Y^!N?QP1;QqO{ z)d-k25F)|>%{JRHwENs~P<^<7NiC3(tgOCNIzT3Fp%kdt!MV|pOJlwMVxHW6h>4eROoO?L8kW~nNXBo|VK=Q*AI ztg`4(Kb=N#Sqg5wXk6P(Y1}hJB>X0F_q9bgX?`T?iA_XLBg|<#PKicm)Z(j~)QsKC z9!g3_w7PW$aUjjYo#x1LIc%R`vSCd&{ynNX_&JKe7BTk!Phf5|Eq?n~g5I%;s4RFMbW7f9I)} zK$b)S>Mo&0?JK99G#?zV)1#t~Bq4M^!5@ci$VWgHK&ccI!PajAbdh)qR`AMkrCLoY zN8zb>D$$;F-FldJwmE&9jGg?lnB0nQ@obfiLEWA2wwxhXBOsu_|DCD@glyox4@?Wa ztP-@fI{KGc%}YNP(AY^DPrqjWY!dLCHoAM&jsbDB@Z;{wvod|fY?`EKiN^pPnL z#nYk$yx5T~`chL1fVrkzL9a|%$d{Dn)A;*7C@mTme8cNEXo(ipYXOcL`K3|F!_yfN zuLkg;sLY<@lhYD?A>Mg8v0G;0$2nO;Cr>VdAGK3K-v-_(d89M6y}_V>`jbObHshwl zgbAs9QSoR2pM<^I0-0Eng1!~}Am;Qtc(lwx+4R*%iu`(#o{1wr{eYIRUpq^=>?b-{)!P%bHJ=n{?7aTC8hxu3z+D~_?BDrGHsdO9EsL( zJH0ep!494tTNrpl^$0la3@G(Rh>opq*XaONb_z6Ia7aez&ZyUmmZ%c9n#WBT?0$Rocp>dplNwnq)9Ej#$+~xQiiJZ7sC56pag$|I)_>b-pn{HCgJXBGO{}z z@QFSsp~Z|^I({q<0I3RQM&;RJha)&;nepD@F;{UPy%jbMA=S9oxEG+@S<};WSR+%Q zhTq{#CCZTSB+`*Z#Gs_?SmsTSn-Wooh_h|x2#!z;`uxyk3_D#AMe!^}GkN-BMaX%mU930^eU+puD*=q$4@_EP1>9Alk(T4(gXXf>CpZ@G9n!+XAxT2F{{ zcY1vls*@s;rG&l_(g41@;gPHYw_!Y<60&Hi6k7p3erM(3sY(&#wsK@^2x#ZLK_xvl9}l6qn%^sx`PYEz8^+bQR4~ z3X!&Q-~A#!PMyC+VyY!wwvqB8dj4GKRQg4a?18MHfPqd_6Vod*GKN_a<5-1$Z2)`# z>1ujiL#CmFhP`uk&GWJ>c0teW@Qx6OZ~(%g@HJ$W6p+o{?=b#1Ipgm!j9q#MbZx-D ztgHJ{HoA?}0T{V5T3MU6|Cj!psFd2|?a=}^>&%t3stfWHN{eyArLn0P+&D;K+FOAd zT7d2Moif3oAlj|ui`tN*-E{P~Cf|farFmcH0SvTF)OT&e7*)C**1l6b{PHpkMhMPlCTYBkb8U!k#tXiUQ<; zDTm*QVB5duXxydW#J^H5UO@{{_9N%;j|B{Rm}i4~-6=*VTJ}D}*^tTKm)i@i#K^`Paiw zN242$)-w4Ji12IFjIME+Daj9dQ!5Dg#1%mHSZJTWYyI&@aiI+taE%=k4g!x_5Cx9` zg;=Gd5|D(T+2M*SNazW|k#=0w6$K4AGUVpZiu5nvbaxJm((cmJk6M0pNM-*rd&epg z;Qn!9>ZUiNt6+Dmn&TEUFv=w4{jl>v;`Ku3egmg*=IVO|s``Uw4YIU=wAD5XyyHTq zizUz~Wy^ZBLRS20UxFyp0J}DuOB?vBPZm zjAK8uNBUMZVG$9=+{K5q)7~|GoC9#Z3IP4^qLVDy?VZok#^6;(yJei3OF0N;kpGLm zb|*C9U^IOa)eFu2ocv@Dl>KBs4sy3gb#e(X;%a{_S;k&5c|E%jQPlr(m06hCR^WTv zV4eV{IQeMl+e-P7^pO2`ABEqXPnka~m~$|Qlb!k-0;Wu^(K(ywD?AX#c%cb+tpK0g ztd)BJlGsw^%xB3;Equo^Krd%>kwiQBKEYRLfSTcAIDUiob$u$6&{fWgz@*JDfAbO3 zv9m2*;?KBIxThY8qPfUvHKnP_E@MZ-;+Zqem_dwEY;C&%XXu*3>mkPVDn~V;0NTEdT06y& zw(70Gp?(H55KxP4A;odw#N8AB>VGNcFOxgAeJ{0nY?ZIvqnYQ zhc5XHL?Z_@y0k~VvW3gSpQ^RwXb!NrG~BYZV&T%C5&^foK!{7&@;xC{G>F#8rj$t5SeV|Qg>2ZlOYSh$$!jLkhP~Zs+?+Sv)u%d)SYuw7HIXtA6YY2M2T=U;LEIx z1!5Vf-~wSHE|s&ycs%J98Z;|=^}B*UE!v$*VHCu0itAMg5u6#mT4FzcW$KyHgB!K8 zEY?vo-JBAyG|mg@b>oy3aK7Uij#gKRV~?$;h;~`_Uokr02YD>6wCq$6E$&}u;I4`* zv=u6Io1;^FS>l?axu(hKbZ|D;=TnwGm10LWQ=~}bR>}czYIGN@FpNvt>nlIzS zyF;AC`ZG8|cDMZBMqIO7YOnp3MTB2dW5ZVzP)$)s04zeW#alKwjy+p|PTEob_;5H8 z!HmzIz(`ziO$PP8;dbVChhKfEijGeLEbm;F_Bq!4Ev<1#9>RN$^k&o-X6?*JvVE>B z2d&ihu=eb4>v*;uDw<4<%Xg?18;7<%0ChfF*$3?l6evx`Y)$(XG&p(13492azOWUM z53kY_eS*kyk|UJb0r}6sE|Vw%n`H6L59q761mu~zK{y4EtK4xYdBpEY6uaF!f2QL3 zCEP$*%y(xr-0jRF^YJ8TIhbb&W0p1H+ESM@0%sQjQpN)C?l^1voVFN;cYP^aCcbIw z9xbu85ovT?&?j*t9Fj!&D4Wk*Im&RP`j!S2_Oyd2gn#(nD||30PbJLhR=M@<8?A|i z@R_eC;}k8X$vn=ah}k@e@GoS6cD+gS<-5DO5Sb9tp|VZE39jIgQcR@h_iN1u_qUwHTa;1gP-)q6q`Sj7 zB}p=6Mw~0WZ{f=|4u&sOTNlBpF|K*iU9yz>Ox?@14Y=~-unKZB?!n-1$+2XTjJBp) z#Id8AdQxH|@Xf8YT1na0`_guI@ZlG)G3Ak-8oOltq z_yl#BFp8QEwHeCI2rCsfsk3Z2Cva7EC6t8v*22KyWp(60Gq3x3qTeh zs$)%Ze}gTt(RtIOr`P5FCMTN9ITNmmr7b8|9%`;JI(O%JD4x$Qq=fby?Hu6O=)Z-N z!@fQinUSL)-oMgD=r5UB?VgxXGl2C!W-Ov2H&GuErX{*MHlk_C6SsD>5~%Ery|QR1 z^57%!;bi;ZjB_9mQoMlb6vQKyL&2%c91&&KE3SG{k>)-Gj^6OYMnQ>wZ-+_DGgO96zeLurZT-|GqM28fX!dY2z#9%)^W&og%1aevNW?pq2<=_MKy4$T>nPXH zEKqEaBWaIJr~If=#y6@9L}@aJC{5+hC~c?aS?yRC%4Mr;EUxDPZF;=UX>b6R4EW7^ zoL->qL=cm>8vzk+5;O%z5cW=Sp`Zl?hh`Io6;BZOZ?E zTGAK2dW>$mB&H}A6z}5JMmpbFL?O)6^~4idqfAHYTZfylu&K|)vHy0^2uXgy=FcCI z8@Hs77_P9On=kM;$01hRoqKL}srJZ5Y)=h>k!9D zG@@R_stV^<3i3lnd=i0sy7PEPY;``@*66&S!oTOFhR+QBKD}`ZaMczJ>`;1Zs83rp z9*Fv)Lbz7NB)JAoeeTVr3FC2>fq?_8txGzQrG?DhJ_;bhGF!*${^@K;}vT>1MdZgAb_ z%dhHpXE@aBFWSL2Dvp`kSzFEqBJyI7#lnDc7*`B}sIT*<;q)VjaDBPks?5G|-Hnw@fMfTRjMmItxyiJvQ^<23)=Ycdz9L|BVtI3jm0a?`q&XF&;V8vK& zxr`00$o>k@^` zx1G1<(q-Hpyp-~?l1|vZvm^BzZvCWdJrJ0EwB&Bu0lT{&nK_nU2}2;(;t2t0JmzLP zZpZA^z08c60W)eTicYqXs6wR4SYcXfjXs+`^9t_*dvcB{i2@Fi)?R^&IaXwQ2z|{@ z4?yKS#WWOm2)K7T_gZjL?A;m!;bfpnoIuJzbPW(`a&JVg1vy0V=Er>oP>vDm^M*UF z`F&Y{HmEr7G>TKGI(hn3HGtxMt&(z2uOjyH5&#m@l}!riqG-!T9VEf) zDoz?l*}qCmd;y!gsxhtcfXw%C?^@YX zmj`nCS`k}OZ})0KkT}|yO>OpKuMjmBL zfM;-MnyyagD+r*n=09DYp9)h3#d6Y48f|F7`16hx!+p<_J_C!JPhMNa@uzT@nhAwC zhrctKG(Zm-A%iLO#apW@<6UfbiYfQKMko+w;mw5VeG9IaVb}p!`6;bhHhoFzy3uq+ zmW(V!S~XQ}3xYh?R|VS41%J1ha2Aei>DSz6fS=s(MW_3y`Zw zGoKYbyQh%W=_f%kUH3J)Bhu$>ZQo|bq_y9b{UK`3wiQ>bdSS!iVpri1yNEcw+EjKt z06oh)R_#mOYKu!UiWI;#patFxZrddR738jUbUFl~A zU(*u?jr$itMGh_S_f^L2_rOGE+}m}ritCWmYkynVuaCUQyKT-+6Nk-jCsI@_7v_tUUGrX)-(Tmx93FJ-Et;90=FR| z(PTMUx^kgUY#^mO&0O2Dy;=7X_&PUD#&K;cykCEQZ))kUZ20X9y_K#g$E~u?G?42R zE-4!b5rW^JMeyD981l^5Ho=2V3)yMtJ$RZui5d5DNIZEIT-(s(Dkl(m>>KLT z6bZw?B}AFs=$A65Ey~%|f^{gkLZP$Cpd}!TmNzPY?7I;^zOCIn+a;%X=DWp;COASD zN^Q?aH>En2gD`@qWQWUVCeff)i;WwoPF(tPR!Sr>J#IELQnDv_G(0xN8`{#sQXtvG z@9R7&neYR%2)^s|r*?ATw38)%X^MS|X~KlHMh|wGG>p*9-s?30gB*UpH4=TYnpJ2> ztGwbk2Jjl&SE9jmg7nWy$(Pt9j42{(VSGn=;)y?AABw+z%Cq}5Z4|w9yX^FRFdQFF zk&T6VT)9k5T!gCvjPe`C?fUZjy+Zg%cxBvX z(M{l%eKb(-+*F8AV0)|Ja16VsxW2iKk66O?{^O7~EULbUR$Xs_e6(pn!R2X+vtO z2{2A+7niGE6H&epK0PJh=BCxYasL33MJ+q$8b+lQuBu&umL2OA;zRk-atY}{n>7Sx zxJ}=`o7gjsd@BFk6LD`O(Qy-P8jP9sE#@HlJ6g0VT}aNcO#e}y7!sQBg)jYRlAL%( z+;mz=B)jB;zQNE^^%3vGeWs*)@8a)6h6(n9XSfY1B7wqi?Z@-| zrOy7Y!WZQw8#m(*0|_Z5_XOHPH`+;`^xp6?b}tL-5=6Ksdw(qFrVKMPz@R0v)uOD= z3j)W59=L10d)6>0ChfN}(9c@1ibv#PCFfuiTQ@Sqgo4##-bJgkN7tpcHNJLDJb&vT>oW*{oc7zseZ$(U@kxb4vP|$eyb# zr`LA#nD)I3J~ezmZ6(X_Oj9{lNemC43*S)?zcfX+E7<~vqv)y(9h!!(k~1hP(wTa% zW&+|(xr8Sv1jm3s+P9T`aC}>8{IX^bV}>qhliStPFc;*Vvw3P08&~ z;uG-)Dc|)%qPyCgPXiyc>{}C~)}-|+ryEkAe7n^DA}@EF<*Me|4v;1GtQU-@4&g2n zvgGo(q4Y~@RrV8>*q!Wc&&lerlpzcU3gQNEsy-o0Sqbi}`tBCN?^Coo$2UMkr2)-F22KZzi&M_i++i zP~}q1qpYBAX8a%uapmd>Y!@-k*sgFxVH-Q&{!h|R4JtFTVNB)Ug_eW4DQ(3~#)OK< zGdT)|xGAeRFvSd}THMhE9dFZPaWZKKXLo}6GOeW^#0DJmIqoiPvXv*R+6|e!XV{RV z(P1Y=>#O1ZYU}q+wkWdy$j;1m)}!o~{&oU^&-L%EWCQsIMD zPr`iWv0DT-UoERNwAihnIk@pOa!!#zzF0lnQ$P|a!2Z7V$zeN;(v&4oZGKy7<@&Bl zcyULRcyWKOI)uKfxW3GE0%8Y_{dlg@vh@cH@>iuXhj0_tDyZ z(%5~90XWM`o6CzId)(cW^@n_-p4E%zCLMY1;}skmScwEx(YI2Rux{j(>P3(&rCN{!pF{Fn=|FL?F>vuVeLndYm^roQt%vb zuXBLfUf6mcT$#Sb>E?9tW^SfI?fqT{%Jk*q7K@7FrALb?yjqbszuem3m-kw9rbCF3 z4SW+vH`AaRRht>EBamDdS-Eezxz(c=72cTVMjM@vNn@KE+_i=rB-$-kbq%j9+aE=( z{fIBf@7TKiD|W*9RvJM5q?r!>hug#&&vV9_wX4)C%*loc4*lO1w&dk5$Q3 z5byiMelJPqhP4!5)ohnQ3?WI3VTX!|6RMOfymgA&JE?Onjt!yC@_F)K4p(Lz0ylV~FJEJRJG>q~ieX+eRf?DVe zcqBVs?DMmKhBJi^OLi!Mz8_j|I*R-FF$GYm=lC_=U^B(ZT9#ntb8NoDk|Wj~_1j6t zBUMg+RU^L>nR~_le&osNV84{CA69m`eE0|T$j`&=I_$Io63O>$<+ulv)y*8znJUlU z2U{;jKQ>=w$tBFUp0;|RyP9Ny!HtwW^!kIw+wUR0og2qW;mleU=fpde&xqM;%ZV ze8fP~5d(pfB0%PXN%@rp6$Jliq*JF3fQI-dOJD$iXcmDP%4I}^8s(&BpV2F}O;Mq- z*|#-p|LFM+pfby|L&6`3(V%4u&Ho-Gb{wL|V-o^u1hkL*&<6U)(;vS;@J0|HA{dPX zjKT(BkUd!L$1PPQa04*j>;C}E|H^wq4|Ru5w!Q{n1CJ2^Yd!=P)Oi@UbgxY(&7xJ= znDZZ3+oc0YANx}E3IK^;r+~;I+mofZJ)5(PsMSeZ6Mpnx5eN03L!e{V>M z5Lj@HO6^uHVCL!&-SLamgA=eLGNsCTxQ4z1f{ytoK_l>&={94w2tohGU;b{T0nB(8 z*N_~&nz6(`4LAxh;9`Z}t=82M0|q)LL7rtWcYnD3`p@D`2l}ztYuJ0U1NaMjMC4~P z{s+e3fA>!Re=76;8NCqxCvmX<%>np-cz(pcwd%io)W*L>^>0!A&p*KB|6Z-q2?rBP z+?oop2n=tj2Bi32D5Y+{nB1dUu2vI1or!C^*&{n?I^xZ~Xcf9xwIdVCxs$67)P=Dt;4wz#%eGAHsftier~AlhpFHnxNa~`q--=P zcDTcQ%oCBdYnm4^p$)llLhIL!2ce_&3b3_CmUnUftKGg!$D9MR?fWSeR2X^S=DfvL0fXxu!^^cZo zVz9vb~OxkhmYg#SkI|SmY&D}lX4Re$5J}zSuRX)m zY!Q!&5rNaU_8tPY>!SNIfj{=Bl9ed#CJnBa7uN_-TjltT-h?iSAKZGZw!+#wdyS)r z0Vf~vN&M)*Cz0Di1S$qbGn;ky(>*8Zn$y9yS;stoJf-z|zH!RKU=Vlc>eb4_hGL2H zFYt9SSnK$I=^-V!JHgbx`|68eoShOKLWRIxTqnPv-6FXPDa2O*#~xkJHD;bRmFlc* zj2M2t7;bWyogXgY9CddL6lkFZ5W=8YhM(b)yCrHBvcK^4BA(XA!WtI`F>x=Y5bf=oeTqu^67@BJZe%K4 z9un6`{%L}LV7!5QewDw;ES~>-W#8f=;o)HZ*a?Io^S5VSOhf>eQZt6uVcfIl$@cRcu`BMLjn)GcOq=(E5G3 zByhP1cuU`R08p3Z!TCI;>iKy@NM}GWj8VHdU?{uAN)@Z*7?{nB zDFU6j#Fg`6Ct9m$<+MNL%lIniAiRh>NKaRF5veWoUj>N4m%;5@ZGges4m-dgz~FyN z7wE8dNm&^R+YgUqFVo~y_$_=}gz#0gylD%?w}IU70$R9Hhdcb6PCQdX7$AKz@Lm%s zAf2gb?;|##s01KyG&)Ac9VV~pjB2w*>T6%u?=;zY)R&5T+}L130nqnU=MKE9n@GDP z^$+>;A>?1c(uykwbd9o$c(c0~rkPYIqzH)qaiWNQ0`L-q6#(dyz+?fuz5;;PSAXSw zGuJqO+RUzF+1$*|w*{dwiCFWigdj%J#Bv(+$HJ2bMna@jkO~yx7aow)nlv}#O{^-! zK28H*o%8C2S#tx0(V_!{&6)d~`A3bMjK-JS_i@}R$EIMVKBT`&59|ZtX(#Jol`!CZ z9^mBzNaPFemwD$TCAz4>w$qP<3q;RME3Z;qfmNAXimzrB*%4OXJo~b6r!MC8BUT&# zSlk`nzD!n2@fCHUA$!$1_>Je9Qiiyr@43+Nk9vQ0fu_ZcGrx>Rqw`3nOx6vt4RxVy zqAP*4ojDx8MnK~b)A+}vRdzh`D2NrGRbO)bmA(K!HCQuZvUg+1Ix2JBFlWk2FyB9U zUk*ET6%f~;@_<*bkyhN=I2>1wdWfCnil$|Y;8@gpzQjNxpW7?fNUiw}Yx+fcR8G*A z1^4^43NaGCXk!vx+B7&2Ez~c)Tcj6wf8DvxYyu3wT1`l2#4T(d8@g~>l<)fem@>I~ zpTBm@T5!*1?Q|kAsL%+^O3~~fgm+u0cAD1O?Y+vEpD|!JN$zp0bXKkD{ zZ>zi!XajVjJ+^)cU7%s!F#IkBCTgDLm0i6N>UgQ=aM{tt_sv3rRy%I)6=i$OGz`}k zu`DQA0doL-x%Yb(aysrD_eFC)vea?-7L1*|Lgs##7(tUmB8lhP@f8Q1?h&#KE@9UF z2jVXtb0Ix?7OjR$xT3*r((z{6Qc4CHkMOy=iIm!2R={qP=4fWh`!)|L`0k#eZKHwm z;)_!)$Z4_RM#fvQK%iN&diUEKC+BN&YY*YJD6k}+!cQ-l>YaLbl{9N$1tcgUw6ckC z%oSOv{I<10^Y$ywz#R8`o{djDjfcfQxaJvjUJu}jiB)YhAX&qHeCkA#FrrMVd5RZ8 z++;`>V23dvR2{VzQ^C>&UuqmRPGq=pb1LQPjnS9l*#RE0({54cvsV+`!ejl;*xSP` zayFT<{g&|Mev_vWbTIClvrcMRS{D0gfB`L~yR!lSd>>F&OT-EYe>FwfQ)QN{UQzGx zHAS_#@ncu$!@6y!6|Q#7-TlN7;2-i{CY7#sq$3^8E>7$vtf|UjH*A35lgBxjk&hv6nc0*tgLr0D*6L*{emCuRVG#Z{2%-y?3607iB zQj@BDOgH@E)kqPh*H$&UkfSP;h6DaZiDzy6L2E*4GNV3v>1y&FY4+ANt`)hUL35?% z>#P->-NlOx67P)fX_b5hp4@2f?je5NNzaft3*13wlufB}yVp7j$rJ*7H1u&t1Je(D zc`goLlKKRxo!RZCTt7=@18Xym`fKKv+t1H2SP*I*En5-}ijO~p$4GD+PS?uQVx*tX z3GwaDSoxh!t-W{AQ|*2#rqDvafjGg%*BtEL+=p$MN)+yuD>z zzw-cRy0i;?$bx5^B)dw$G?==+LXL_m`^m8}YihAt%3v7=&*L~(OX8tSdfucM67LM9ch9b=TH(#N^+?Oe0M#? zr3M^6K+*CE8SS%v7)aX*GeXP*mMQ=f3X0)xigiPZ>onx!Pt*} zlCSY>8|^rZH0-BO3n}*NwhMtgH`*x0wx`uvjLV~OGfOcbMJ4#UwY1FBw@zjz90A9%kU{+hlgIvQIm368VOE zrfs7^%EIm$CdJ%n>2~n_m{Aie1NWCr-h1K%C9a~rVytrBbsj^ZaKfP=i?yR0F`*#N zC&;DAJHdmv0|WAjeC^?{;-I~t-1eNyi&BBGqyv&_DRa8lMHh7VH1`p|N)?*>L>jfV zPhNJDHDv1;wQwk*shV%3_P4+WSCh%BR?q!fxABrC_G4})&x4c{(<4gXL`$=iqslgIL zkL&kY)EYE}k<#+N#v6LO8-q2LK5{g4Dt%p|+I~&=^6ay!C}wl@&J+@G+mYl~31CIdwkEWnWZErT81=J}3REg!`e*h&stX@$JX9ofUrK$Nf0)br!Mv7E0>L z-W*wRE;o5E8P1>SoUg=-PCuE&4XVuQy=?TVTk8MuT637MDl=nh-Kmpui_yDnf*yU} zc4F=miD_%>1!;h7d^)4Q;|Je!=}%@s{5Q8wS)K-Y{4_b1CPuw}#KY_0YHj!Oc zF}H)BZ^83@#Hi2li$2|ZXu_=RFJBuGO09lP(tg*vv~<$lUWE)j-;DNSA_8ir(=Kj~ zYB3F9%##WD`r9Ff1YS1dw?k#S_lC(6pAb`SXf!KoWN|$nZ1eG64JMr)Bni|>*6kMd zlYLfP!;Hc7YVe@TR}mcCp-qjav>5z6PoDYh(V5D05alzVPrIA##(GJ+M_a=)Qg&v& znjcc>w;sBo{qO5h#z!c+EA26k$4^Nu9SD32?jA9S`1SLDGFfyr4ZD7C%s|P>@?!4i zP2KISfyJw>GaEdNpy|jlB%4C^g3#XQ%Ff3Ypl3*kpGnl4E@BNxZ4aB-uy460k=oan zsW{ENG-_>*Q@(mNf%W3Qc&9XH&N}nV3agJNR0Ug>9K{5rQ!2`m=oyIzlwg(vkyl<8 zXG#`>yi{vVU;JyCn_rto&fT`uq9U=IeZl_qv==N|YrT|^y}nV>qdhu=o^1bGr@M36 zZl_b!;_5V0vnY@Dr#+7TW0A}6&)Gon`@-eVYANZ+w{^iU85%8nzUePcKCAWQ-c^mt z@zgay6ZBoEZF-$8#v;uj#%(xEiPLH=Xli2Lbaio|SQClK)ZNtHwqt&hY7~&}YIk#` zY;NSgF{`+yg05EJ;W(0_218!!V8yb;jgShBN`DgH&(|;5|Cu%mT)V}n*WDS0HhBjQ zkj4mP3_1$neK7cdgvxejeIsncz!Q_c34Mf5jDv3*Gd#0mZ&1Bmp-64n_{Z1zb-8NaP{jMU2#oEi^G_Fc~SQb_)PDhmVv;4Dx&4JjFb|YZY8}WPGzKoE# z_y5!uylk_7~8F$b$!)7;_&|5DH6T5JC(rrCG%{s zBUZm0uj^_~c^JmVHLMitNeH7^=eNRdo1B~0V_1P~>wr#tjXw_kQzzd4p%cj3vU)5zgPuT5(lsBt8u{z+^pRLC)mQT8U1@vcx=M&7M9jV zSvt4K%8n-JCNDgQS$)(~1qxo5a!K27OcO$BM04#I%WxDchDuw{@E#tn_%*7_u-zCL zX6N;U#gr3!YR_&o>{xjSmn(sDDSsOe%i%V6qjI;IiG#2prwMc4T;Oo+$j4B!Ch>7=oDIOB1b66fQBe zqP1UD5+$gIHOQH7c`@%}eL5+Ay?h$cfMTzq%5`8P9Y_M7I&!JSOXOObKg5UP1{Gj* zvr+6f*Y+Pol&ExfM*92w+AG0Rjqp|ON3-DgVwqmt0N(#;ZCGhF^u^irXX>A})!1-pYZl)R z&(QQvt*ARQ+hBF{^gkEwJ~Zpt=Gio<5Osy5_}=NiXo}<1q|$bREbic&n|)i>v>y$) zN>>y*3d{2@{t9tVn8&eJo?__TQFwza5BzA{kty2JN-#o*pkHCn3sk<*r7Ya%6mP9Gs%2xm@T;p7mM2~;`_yzqE{>4qkHCk0s~-ONu|=^eY#pZ5 z{o^$F(&y}61?JvH;)5m$U-xF49TN4qg(j8pR z@-qCwB$Yy8F8-VtSb&9d`0t1%_vMjomi7DEJm z2S>h8bJKlFtKnpV^U{olFN_dx$j&GGTVKA5p^U@$-eM1X_CgAQRyWV_vrJ|)-7OU( zX{4Cv9ZSdMnS9Mgi9whlw_+R|FKk~V$>Z7H_Poc^qt?fRa!3dn?vcIEJ+hcTQhq-; ze0n-6i*2`h#3($cFsvsmh4VcnN1OXj6=oaPw`7FYY= z;@I^BnVfo11O4Yi_~X(k?dy)^@X239h2|TQU)apPL}4(YY!YZV9Z?;jSgG5Mb$M0U zRzGcAy~S^YC)>oaV)}dX)9T#sCT4xO&47vK8ADr6{gAscVmRicJ4l2!;q#6muU}?t za_vs!L)vmD=PbLqmxQW0vG5(vbq!XQq}&h!>!05zeV;>^=~Xkle9g24+iE%RFyJf5 zq#;yNY|YE@_z=bW=&GLG#UX+*-zk``vWIvkI$#%M+XVZzq3vt7n~@fzgq)z?4jN5h z8iCWfSqTSKeB`{Ecn9lUE58!^N8vbbyTQx1;C`7OpJVj(qWf{e-8Kza1$CQGA5LNq ze5XqhS}Y@qsmzfQgZ|`=0&Ckje(ddd#AIi%_;VYV(4JcMxH~U`@Ys>eSRQEtv5xc% zt5*&L1Y2luh-#21B1~1YsGgXa8qU5ug%aW^QH!H6CCt`sa6E6@T%_vP3O9MG*+LiF8!VUA0F z*an^foKA-AnmqV?NnnV9N&3~-!!2~tgeLmNtB5W?r1*!uJ+{W0MH_}rHENmo=Hlw3 z=)Re}=*^~4i>#^UXNQA7+rnmPl3+3lUt1|ZA4bFn&tZM ztBq=3)c@p&pg<9uX?(T)qFph%qP64%`Hja)w88qNSC^+G11gvF&K zl*cF1>+ffipg}=SgQplS6V>mcFgvF!Z;g^O#whR=@rDMimihi%M|p^KR7G#LGy}w} z+I1;)tUIh`TP?Z~JPoGK#Z^9zf?X9YKb>FTVt<4FxAw059jdpDGlo!!nefGsCHtf( zJJY1GXNWL{?8=@L*&DLe2-#isXo#_k8hf?~C7FbgvW{VV?MupgDqYw62fRPN=Q`Ip z&kyH(uKRiJb3dQ^{`_!m)Ba-U>uDj|9Sl)8WGH)y0(Z>pIPFo}d|R!+me@|$o~)=S zpOCSWVb_MsHg|aF38Q~I#j4h+V%H~{ODAB;JZf!(l;8IQd|N1x?Ma?VaI|Q{aNNzl zYa7=tlY1;sM1h!Hmo>gHae|SxDS^CDn4oVtcvgy4L{};>l>BCHm~EA)M*&lDQz9Op zphs1^60MJMDEnYP*OeRO!10gyRA_B(JwxI`q82}&YUpqC=VC|;MYChy4e~VdFY5M7 zvxsTUB?hyzy={3p>~o#|5^p&BOe-9tc*DCIsAzL&ZhNe)Hld`8u);^QDzoTeCM8~s zdM4*K5{Xq)HOv`{0l94Ua?i@>k`aOw8M&>GR7P>fb^-Q+1d^>DLlEtbOJAtKGaxTn z^J-R5wGK?nJPIj4@oM0l=Q-ggMaOkL7D4jta`ZilvF#J_o3L-@`jjUVnl%fB26hKE zrtw+Wb!SisMP(UzU;6ghJ?3a`jXD!0jSLUia$u0(LHC9s(wLa>ZSL(a)&kBp9>$on zghh8eqNE3AdW4bnsC1q#xOd_N?Q0rzFQ6kUCLq@~z<$_oMpFk(d=t44Yp}B)5A(aw z_zDT5X%@U+a~lJQtsxa17B??4qJ7{|=4DqK8}+X6^CTu;B*Kw8zNIUgIU8%TL5K_-2Hn?X zKONvFQmx)6mVQGf=9EgwLWG|t`fU{SNui+z3SNdxbYdtj38^C~z*;QFn|tWfT$SoZ zwg)w$ORCN-JWN6t^Eq1+!%x{_H_tEy1zc;Adc9qjZu$jKgxsw4q}w^GIR{5?nHIpl z^vI^R%Y+Mm#4tC8#`tZs+PwX;51=x6h9R!G1~_<)VV^;KMDJa8;{L}Fn!Cw_Ho$cx%NlX^An);^Ej)&Vli4a}_iV5O8=|xlwuH^8Zb#X=u zd`zJ^#fkJ&R5GTcj7#UO`!h%PeM+SwRqt<9BT}IPxn7lFR|~?FVRqSY$1ac%%Xq?_ z$N#<}v1@UO8DE+h+T6RVb?51x>$~XE>~!ARe!Nz#%&u;Q5*l-ob;`E3%JoRFknNh>C;Hqx6)I>>P>Rv2{GENfju-r~& zdL~+?G&=qeZ}F+<2Vlbo|1$zQze}w|F!*Igsih?L1#h}d>gUs<&szi|vf}jP>2wF>R>ETKO2>ypd~Ql@%p!D}=HTSjw^Mf!dePMPSz} z7o=?w*@xi#C>;Jd%h%}v4l!iou!G?1#ic}s`Rg2U&Z0;z+03A1udBctKEi*Lw?y0> zHXr%fi57=}C1^gyEst*{R+DkCvHIqqvXUU+^zKvAZ?!HF#|*N$ zVukB8ghVqe4@Oc;Q!1q9DJk@yMIIX3#3GuhQfxQ4=g+eYY%1vtyk>*T0_1)K<5OU(`g6R_w*|n6$aEt zzLQ2&x-qHStkZxb=kfrU!m6H$xwZL;3?tsHU5VybPYWHJ)YdXnc6(XQ2k zys-koe_9nhj8r5@iS0eTjx8=-J&j=*-Q#~;mgf>~T`mSy!#RprA?O$1Ye|b23^wgF zNXs?)>ThpSY29EN#{d3&lynvK5M;^*RHvRZu1w6-1P05i-$qt}rmMjchl;;YYnGc!i~kk|AAs&l%h1KyuE#hgsz=|5W&N5B@xFBfRvkjQ+$ZT z`QH@XfY4Y$+4odAlA_wS0+o$`AJWwHekgxF&QVfRW{KYqs*@*J9nu&MoUM=ZFFyZ0 z>O~D282DKfN*1Db((Ck&@mj#mun#bs~f?9uU;ZsiD*J6|v3BsrTO@G~il~Lt~JO;2(GQYv*Opdi-zGgsFi4uk6X87g#>fuPo4=W<5mO0@E*d^n&62jV~nI>8n%|=`*=- zw~D*cvb3cc{~B*;l&~hym`qFjoA23l#h7^Gg0$M_e>1@*V5uZ-eUb2e3*3EIs_8?l zK9j)qpV#vM7ZnJ!-RLTG+Cd)@-XG!hzpmEcpQm`9%LPwE;t&kLp|6cbRcP5q{0B+0 B;qm|g literal 0 HcmV?d00001 diff --git a/latest/ug/security/enable-kms.adoc b/latest/ug/security/enable-kms.adoc index db2fb0cfa..f4e1cb0f3 100644 --- a/latest/ug/security/enable-kms.adoc +++ b/latest/ug/security/enable-kms.adoc @@ -1,6 +1,6 @@ [.topic] [#enable-kms] -= Encrypt Kubernetes secrets with {aws} KMS on existing clusters += Encrypt Kubernetes secrets with KMS on existing clusters :info_titleabbrev: Enable secret encryption include::../attributes.txt[] @@ -10,6 +10,8 @@ include::../attributes.txt[] Learn how to enable Kubernetes secrets encryption with {aws} KMS on an existing Amazon EKS cluster, ensuring secure storage of sensitive data. -- +IMPORTANT: This procedure only applies to EKS clusters running Kubernetes version 1.27 or lower. If you are running Kubernetes version 1.28 or higher, your Kubernetes secrets are protected with envelope encryption by default. For more information, see <>. + If you enable https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/[secrets encryption], the Kubernetes secrets are encrypted using the {aws} KMS key that you select. The KMS key must meet the following conditions: * Symmetric @@ -28,6 +30,8 @@ You can't disable secrets encryption after enabling it. This action is irreversi eksctl :: +This procedure only applies to EKS clusters running Kubernetes version 1.27 or lower. For more information, see <>. + You can enable encryption in two ways: ** Add encryption to your cluster with a single command. @@ -81,6 +85,7 @@ eksctl utils enable-secrets-encryption -f kms-cluster.yaml --encrypt-existing-se {aws-management-console}:: +.. This procedure only applies to EKS clusters running Kubernetes version 1.27 or lower. For more information, see <>. .. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. .. Choose the cluster that you want to add KMS encryption to. .. Choose the *Overview* tab (this is selected by default). @@ -90,6 +95,7 @@ eksctl utils enable-secrets-encryption -f kms-cluster.yaml --encrypt-existing-se {aws} CLI:: +.. This procedure only applies to EKS clusters running Kubernetes version 1.27 or lower. For more information, see <>. .. Associate the https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/[secrets encryption] configuration with your cluster using the following {aws} CLI command. Replace the [.replaceable]`example values` with your own. + [source,bash,subs="verbatim,attributes"] diff --git a/latest/ug/security/envelope-encryption.adoc b/latest/ug/security/envelope-encryption.adoc new file mode 100644 index 000000000..216ade699 --- /dev/null +++ b/latest/ug/security/envelope-encryption.adoc @@ -0,0 +1,154 @@ +[.topic] +[#envelope-encryption] += Default envelope encryption for all Kubernetes API Data + +include::../attributes.txt[] + +//GDC +//Insert Images +//Existing clusters and new clusters + +Amazon Elastic Kubernetes Service (Amazon EKS) provides default envelope encryption for all Kubernetes API data in EKS clusters running Kubernetes version 1.28 or higher. + +Envelope encryption protects the data you store with the Kubernetes API server. For example, envelope encryption applies to the configuration of your Kubernetes cluster, such as `ConfigMaps`. Envelope encryption does not apply to data on nodes or EBS volumes. EKS previously supported encrypting Kubernetes secrets, and now this envelope encryption extends to all Kubernetes API data. + +This provides a managed, default experience that implements defense-in-depth for your Kubernetes applications and doesn't require any action on your part. + +Amazon EKS uses {aws} link:kms/latest/developerguide/overview.html["Key Management Service (KMS)",type="documentation"] with https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/#configuring-the-kms-provider-kms-v2[Kubernetes KMS provider v2] for this additional layer of security with an link:kms/latest/developerguide/concepts.html#aws-owned-cmk["Amazon Web Services owned key",type="documentation"], and the option for you to bring your own link:kms/latest/developerguide/concepts.html#customer-cmk["customer managed key",type="documentation"] (CMK) from {aws} KMS. + +== Understanding envelope encryption + +Envelope encryption is the process of encrypting plain text data with a data encryption key (DEK) before it's sent to the datastore (etcd), and then encrypting the DEK with a root KMS key that is stored in a remote, centrally managed KMS system ({aws} KMS). This is a defense-in-depth strategy because it protects the data with an encryption key (DEK), and then adds another security layer by protecting that DEK with a separate, securely stored encryption key called a key encryption key (KEK). + +== How Amazon EKS enables default envelope encryption with KMS v2 and {aws} KMS + +// Do we want to expose this detail? + +Amazon EKS uses https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/#kms-v2[KMS v2] to implement default envelope encryption for all API data in the managed Kubernetes control plane before it's persisted in the https://etcd.io/docs/v3.5/faq/[etcd] database. At startup, the cluster API server generates a data encryption key (DEK) from a secret seed combined with randomly generated data. Also at startup, the API server makes a call to the KMS plugin to encrypt the DEK seed using a remote key encryption key (KEK) from {aws} KMS. This is a one-time call executed at startup of the API server and on KEK rotation. The API server then caches the encrypted DEK seed. After this, the API server uses the cached DEK seed to generate other single use DEKs based on a Key Derivation Function (KDF). Each of these generated DEKs is then used only once to encrypt a single Kubernetes resource before it's stored in etcd. With the use of an encrypted cached DEK seed in KMS v2, the process of encrypting Kubernetes resources in the API server is both more performant and cost effective. + +*By default, this KEK is owned by {aws}, but you can optionally bring your own from {aws} KMS.* + +The diagram below depicts the generation and encryption of a DEK at the startup of the API server. + +image::images/security-generate-dek.png[The diagram depicts the generation and encryption of a DEK at the startup of the API server] + +The high-level diagram below depicts the encryption of a Kubernetes resource before it's stored in etcd. + +image::images/security-encrypt-request.png[The high-level diagram depicts the encryption of a Kubernetes resource before it's stored in etcd. ] + +== Frequently asked questions + +=== How does default envelope encryption improve the security posture of my EKS cluster? + +// This feature gives you defense-in-depth by default with every EKS cluster running Kubernetes version 1.28 or higher, and heightens the level of security for all Kubernetes data before it's stored in etcd, including customer content. + +This feature reduces the surface area and period of time in which metadata and customer content are un-encrypted. With default envelope encryption, metadata and customer content are only ever in a temporarily un-encrypted state in the kube-apiserver's memory before being stored in etcd. The kube-apiserver's memory is secured through the link:whitepapers/latest/security-design-of-aws-nitro-system/the-components-of-the-nitro-system.html["Nitro system",type="documentation"]. Amazon EKS only uses link:whitepapers/latest/security-design-of-aws-nitro-system/security-design-of-aws-nitro-system.html["Nitro-based EC2 instances",type="documentation"] for the managed Kubernetes control plane. These instances have security control designs that prevent any system or person from accessing their memory. + +=== Which version of Kubernetes do I need to run in order to have this feature? + +For default envelope encryption to be enabled, your Amazon EKS cluster has to be running Kubernetes version 1.28 or later. + +=== Is my data still secure if I'm running a Kubernetes cluster version that doesn't support this feature? + +Yes. At {aws}, link:security/["security is our highest priority",type="marketing"]. We base all our digital transformation and innovation on the highest security operational practices, and stay committed to raising that bar. + +All of the data stored in the etcd are encrypted at the disk level for every EKS cluster, irrespective of the Kubernetes version being run. EKS uses root keys that generate volume encryption keys which are managed by the EKS service. Additionally, every Amazon EKS cluster is run in an isolated VPC using cluster-specific virtual machines. Because of this architecture, and our practices around operational security, Amazon EKS has link:eks/latest/userguide/compliance.html["achieved multiple compliance ratings and standards",type="documentation"] including SOC 1,2,3, PCI-DSS, ISO, and HIPAA eligibility. These compliance ratings and standards are maintained for all EKS clusters with or without default envelope encryption. + +=== How does envelope encryption work in Amazon EKS? + +// Do we want to expose this detail? + +At startup, the cluster API server generates a data encryption key (DEK) from a secret seed combined with randomly generated data. Also at startup, the API server makes a call to the KMS plugin to encrypt the DEK using a remote key encryption key (KEK) from {aws} KMS. This is a one-time call executed at startup of the API server and on KEK rotation. The API server then caches the encrypted DEK seed. After this, the API server uses the cached DEK seed to generate other single use DEKs based on a Key Derivation Function (KDF). Each of these generated DEKs is then used only once to encrypt a single Kubernetes resource before it's stored in etcd. + +It's important to note that there are additional calls made from the API server to verify the health and normal functionality of the {aws} KMS integration. These additional health checks are visible in your {aws} CloudTrail. + + +=== Do I have to do anything or change any permissions for this feature to work in my EKS cluster? + +No, you don't have to take any action. Envelope encryption in Amazon EKS is now a default configuration that is enabled in all clusters running Kubernetes version 1.28 or higher. The {aws} KMS integration is established by the Kubernetes API server managed by {aws}. This means you do not need to configure any permissions to start using KMS encryption for your cluster. + +=== How can I know if default envelope encryption is enabled on my cluster? + +If you migrate to use your own CMK, then you will see the ARN of the KMS key associated with your cluster. Additionally, you can view the {aws} CloudTrail event logs associated with the use of your cluster's CMK. + +If your cluster uses an {aws} owned key, then this will be detailed in the EKS console (excluding the ARN of the key). + + +=== Can {aws} access the {aws} owned key used for default envelope encryption in Amazon EKS? + +No. {aws} has stringent security controls in Amazon EKS that prevent any person from accessing any plaintext encryption keys used for securing data in the etcd database. These security measures are also applied to the {aws} owned KMS key. + +=== Is default envelope encryption enabled in my existing EKS cluster? + +// Get clarity on this + +If you are running an Amazon EKS cluster with Kubernetes version 1.28 or higher, then envelope encryption of all Kubernetes API data is enabled. For existing clusters, Amazon EKS uses the `eks:kms-storage-migrator` RBAC ClusterRole to migrate data that was previously not envelope encrypted in etcd to this new encryption state. + +=== What does this mean if I already enabled envelope encryption for Secrets in my EKS cluster? + +If you have an existing customer managed key (CMK) in KMS that was used to envelope encrypt your Kubernetes Secrets, that same key will be used as the KEK for envelope encryption of all Kubernetes API data types in your cluster. + +=== Is there any additional cost to running an EKS cluster with default envelope encryption? + +There is no additional cost associated with the managed Kubernetes control plane if you are using an link:kms/latest/developerguide/concepts.html#aws-owned-cmk["Amazon Web Services owned key",type="documentation"] for the default envelope encryption. By default, every EKS cluster running Kubernetes version 1.28 or later uses an link:kms/latest/developerguide/concepts.html#aws-owned-cmk["Amazon Web Service owned key",type="documentation"]. However, if you use your own {aws} KMS key, normal link:kms/pricing/["KMS pricing",type="marketing"] will apply. + +=== How much does it cost to use my own {aws} KMS key to encrypt Kubernetes API data in my cluster? + +You pay $1 per month to store any custom key that you create or import to KMS. KMS charges for encryption and decryption requests. There is a free tier of 20,000 requests per month per account and you pay $0.03 per 10,000 requests above the free tier per month. This applies across all KMS usage for an account, so the cost of using your own {aws} KMS key on your cluster will be impacted by the usage of this key on other clusters or {aws} resources within your account. + +=== Will my KMS charges be higher now that my customer managed key (CMK) is being used to envelope encrypt all Kubernetes API data and not just Secrets? + +No. Our implementation with KMS v2 significantly reduces the number of calls made to {aws} KMS. This will in turn reduce the costs associated with your CMK irrespective of the additional Kubernetes data being encrypted or decrypted in your EKS cluster. + +As detailed above, the generated DEK seed used for encryption of Kubernetes resources is stored locally in the Kubernetes API server's cache after it has been encrypted with the remote KEK. If the encrypted DEK seed is not in the API server's cache, the API server will call {aws} KMS to encrypt the DEK seed. The API server then caches the encrypted DEK seed for future use in the cluster without calling KMS. Similarly, for decrypt requests, the API server will call {aws} KMS for the first decrypt request, after which the decrypted DEK seed will be cached and used for future decrypt operations. + +For more information, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3299-kms-v2-improvements[KEP-3299: KMS v2 Improvements] in the Kubernetes Enhancements on GitHub. + +=== Can I use the same CMK key for multiple Amazon EKS clusters? + +Yes. To use a key again, you can link it to a cluster in the same region by associating the ARN with the cluster during creation. However, if you are using the same CMK for multiple EKS clusters, you should put the requisite measures in place to prevent arbitrary disablement of the CMK. Otherwise, a disabled CMK associated with multiple EKS clusters will have a wider scope of impact on the clusters depending on that key. + +=== What happens to my EKS cluster if my CMK becomes unavailable after default envelope encryption is enabled? + +If you disable a KMS key, it cannot be used in any link:kms/latest/developerguide/kms-cryptography.html#cryptographic-operations["cryptographic operation",type="documentation"]. Without access to an existing CMK, the API server will be unable to encrypt and persist any newly created Kubernetes objects, as well as decrypt any previously encrypted Kubernetes objects stored in etcd. If the CMK is disabled, the cluster will be immediately placed in an unhealthy/degraded state at which point we will be unable to fulfill our link:eks/sla/["Service Commitment",type="marketing"] until you re-enable the associated CMK. + +When a CMK is disabled, you will receive notifications about the degraded health of your EKS cluster and the need to re-enable your CMK within 30 days of disabling it to ensure successful restoration of your Kubernetes control plane resources. + +=== How can I protect my EKS cluster from the impact of a disabled/deleted CMK? + +To protect your EKS clusters from such an occurrence, your key administrators should manage access to KMS key operations using IAM policies with a least privilege principle to reduce the risk of any arbitrary disablement or deletion of keys associated with EKS clusters. Additionally, you can set a link:kms/latest/developerguide/deleting-keys-creating-cloudwatch-alarm.html["CloudWatch alarm",type="documentation"] to be notified about the state of your CMK. + +=== Will my EKS cluster be restored if I re-enable the CMK? + +To ensure successful restoration of your EKS cluster, we strongly recommend re-enabling your CMK within the first 30 days of it being disabled. However, the successful restoration of your EKS cluster will also depend on whether or not it undergoes any API breaking changes due to an automatic Kubernetes upgrade that may take place while the cluster is in an unhealthy/degraded state. + +=== Why is my EKS cluster placed in an unhealthy/degraded state after disabling the CMK? + +// remove, duplicative + +The EKS control plane's API server uses a DEK key which is encrypted and cached in the API server's memory to encrypt all the objects during create/update operations before they're stored in etcd. When an existing object is being retrieved from etcd, the API server uses the same cached DEK key and decrypts the Kubernetes resource object. If you disable the CMK, the API server will not see any immediate impact because of the cached DEK key in the API server's memory. However, when the API server instance is restarted, it won't have a cached DEK and will need to call {aws} KMS for encrypt and decrypt operations. Without a CMK, this process will fail with a KMS_KEY_DISABLED error code, preventing the API server from booting successfully. + +=== What happens to my EKS cluster if I delete my CMK? + +Deleting the CMK key associated with your EKS cluster will degrade its health beyond recovery. Without your cluster's CMK, the API server will no longer be able to encrypt and persist any new Kubernetes objects, as well as decrypt any previously encrypted Kubernetes objects stored in the etcd database. You should only proceed with deleting a CMK key for your EKS cluster when you are sure that you don't need to use the EKS cluster anymore. + +Please note that if the CMK is not found (KMS_KEY_NOT_FOUND) or the grants for the CMK associated with your cluster are revoked (KMS_GRANT_REVOKED), your cluster will not be recoverable. For more information about about cluster health and error codes, see link:eks/latest/userguide/troubleshooting.html#cluster-health-status["Cluster health FAQs and error codes with resolution paths",type="documentation"]. + +=== Will I still be charged for a degraded/unhealthy EKS cluster because I disabled or deleted my CMK? + +Yes. Although the EKS control plane will not be usable in the event of a disabled CMK, {aws} will still be running dedicated infrastructure resources allocated to the EKS cluster until it is deleted by the customer. Additionally, our link:eks/sla/["Service Commitment",type="marketing"] will not apply in such a circumstance because it will be a voluntary action or inaction by the customer that prevents the normal health and operation of your EKS cluster. + +=== Can my EKS cluster be automatically upgraded when it's in an unhealthy/degraded state because of a disabled CMK? + +Yes. However, if your cluster has a disabled CMK, you will have a 30 day period to re-enable it. In this 30 day period, your Kubernetes cluster will not be automatically upgraded. However, if this period lapses and you have not re-enabled the CMK, the cluster will be automatically upgraded to the next version (n+1) that is in standard support, following the Kubernetes version lifecycle in EKS. + +We strongly recommend quickly re-enabling a disabled CMK when you become aware of an impacted cluster. It's important to note, that although EKS will automatically upgrade these impacted clusters, there's no guarantee that they will recover successfully, especially if the cluster undergoes multiple automatic upgrades since this may include changes to the Kubernetes API and unexpected behavior in the API server's bootstrap process. + + +=== Can I use a KMS key alias? + +Yes. Amazon EKS link:eks/latest/APIReference/API_EncryptionConfig.html#API_EncryptionConfig_Contents["supports using KMS key aliases",type="documentation"]. An alias is a friendly name for a link:kms/latest/developerguide/concepts.html#kms_keys["Amazon Web Service KMS key",type="documentation"]. For example, an alias lets you refer to a KMS key as *my-key* instead of *`1234abcd-12ab-34cd-56ef-1234567890ab`*. + +=== Can I still backup and restore my cluster resources using my own Kubernetes backup solution? + +Yes. You can use a Kubernetes backup solution (like https://velero.io/[Velero]) for Kubernetes cluster disaster recovery, data migration, and data protection. If you run a Kubernetes backup solution that accesses the cluster resources through the API server, any data that the application retrieves will be decrypted before reaching the client. This will allow you to recover the cluster resources in another Kubernetes cluster. diff --git a/latest/ug/security/security-k8s.adoc b/latest/ug/security/security-k8s.adoc index 22b119af9..5f8cb4fa7 100644 --- a/latest/ug/security/security-k8s.adoc +++ b/latest/ug/security/security-k8s.adoc @@ -17,6 +17,8 @@ include::enable-kms.adoc[leveloffset=+1] include::manage-secrets.adoc[leveloffset=+1] +include::envelope-encryption.adoc[leveloffset=+1] + [abstract] -- Configure Kubernetes to meet your security and compliance objectives, and learn how to use other {aws} services that help you to secure your Kubernetes resources. From 70937b153ecb5db14232ce1a8337dfbbe26bdddd Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Wed, 5 Mar 2025 20:00:13 +0000 Subject: [PATCH 213/940] add redirect --- latest/ug/zonbook.redirects.xml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/latest/ug/zonbook.redirects.xml b/latest/ug/zonbook.redirects.xml index 40dcda5eb..87e71ba7a 100644 --- a/latest/ug/zonbook.redirects.xml +++ b/latest/ug/zonbook.redirects.xml @@ -152,4 +152,6 @@ + + From a18ba9d40cf5403718aa9daa1d24cb03a6889d52 Mon Sep 17 00:00:00 2001 From: Leah Tucker Date: Wed, 5 Mar 2025 20:23:58 +0000 Subject: [PATCH 214/940] Update page name for target role --- .../ug/manage-access/aws-access/pod-id-assign-target-role.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc b/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc index 1fb618d9b..641b83cef 100644 --- a/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc @@ -1,5 +1,5 @@ [.topic] -[#assign-target-role] +[#pod-id-assign-target-role] = Access {aws} Resources using EKS Pod Identity Target IAM Roles :info_titleabbrev: Assign Target IAM role From 6bb9e1017bbdae7963168db89338704709963221 Mon Sep 17 00:00:00 2001 From: Leah Tucker Date: Wed, 5 Mar 2025 20:53:03 +0000 Subject: [PATCH 215/940] Update account placeholder --- .../manage-access/aws-access/pod-id-assign-target-role.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc b/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc index 641b83cef..601c24000 100644 --- a/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc @@ -81,7 +81,7 @@ In this step, you will update the permission policy of the link:eks/latest/userg 4. Under *Pod Identity associations*, select your link:eks/latest/userguide/pod-id-role.html["EKS Pod Identity role",type="documentation"]. 5. Choose *Permissions*, *Add permissions*, then *Create inline policy*. 6. Choose *JSON* on the right side. -7. In the policy editor, replace the default JSON with your permission policy. Replace the placeholder value for role name and `22222222` in the IAM role ARN with your Target IAM Role. For example: +7. In the policy editor, replace the default JSON with your permission policy. Replace the placeholder value for role name and `111122223333` in the IAM role ARN with your Target IAM Role. For example: [source,json] ---- @@ -94,7 +94,7 @@ In this step, you will update the permission policy of the link:eks/latest/userg "sts:AssumeRole", "sts:TagSession" ], - "Resource": "arn:aws:iam::22222222:role/eks-pod-identity-aws-resources" + "Resource": "arn:aws:iam::111122223333:role/eks-pod-identity-aws-resources" } ] } From a18eb33a1fce20995da17be231c33290180df874 Mon Sep 17 00:00:00 2001 From: Leah Tucker Date: Wed, 5 Mar 2025 21:02:03 +0000 Subject: [PATCH 216/940] Update to different aws account placeholder --- .../manage-access/aws-access/pod-id-assign-target-role.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc b/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc index 601c24000..47306de54 100644 --- a/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc @@ -81,7 +81,7 @@ In this step, you will update the permission policy of the link:eks/latest/userg 4. Under *Pod Identity associations*, select your link:eks/latest/userguide/pod-id-role.html["EKS Pod Identity role",type="documentation"]. 5. Choose *Permissions*, *Add permissions*, then *Create inline policy*. 6. Choose *JSON* on the right side. -7. In the policy editor, replace the default JSON with your permission policy. Replace the placeholder value for role name and `111122223333` in the IAM role ARN with your Target IAM Role. For example: +7. In the policy editor, replace the default JSON with your permission policy. Replace the placeholder value for role name and `222233334444` in the IAM role ARN with your Target IAM Role. For example: [source,json] ---- @@ -94,7 +94,7 @@ In this step, you will update the permission policy of the link:eks/latest/userg "sts:AssumeRole", "sts:TagSession" ], - "Resource": "arn:aws:iam::111122223333:role/eks-pod-identity-aws-resources" + "Resource": "arn:aws:iam::222233334444:role/eks-pod-identity-aws-resources" } ] } From 6292e3233309f3b2eb0a52406fba163bd5a5c604 Mon Sep 17 00:00:00 2001 From: Leah Tucker Date: Wed, 5 Mar 2025 21:13:37 +0000 Subject: [PATCH 217/940] Move up in the left nav --- latest/ug/manage-access/aws-access/pod-identities.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/manage-access/aws-access/pod-identities.adoc b/latest/ug/manage-access/aws-access/pod-identities.adoc index a6e14b01b..e9507198c 100644 --- a/latest/ug/manage-access/aws-access/pod-identities.adoc +++ b/latest/ug/manage-access/aws-access/pod-identities.adoc @@ -10,12 +10,12 @@ include::pod-id-agent-setup.adoc[leveloffset=+1] include::pod-id-association.adoc[leveloffset=+1] +include::pod-id-assign-target-role.adoc[leveloffset=+1] + include::pod-id-configure-pods.adoc[leveloffset=+1] include::pod-id-abac.adoc[leveloffset=+1] -include::pod-id-assign-target-role.adoc[leveloffset=+1] - include::pod-id-minimum-sdk.adoc[leveloffset=+1] include::pod-id-agent-config-ipv6.adoc[leveloffset=+1] From 3d51e97216c46043b21a8559fb8ee46034e15ade Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Wed, 5 Mar 2025 21:16:45 +0000 Subject: [PATCH 218/940] qualified acronym: 45714 --- latest/ug/nodes/node-health.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/nodes/node-health.adoc b/latest/ug/nodes/node-health.adoc index 2e5b40029..f5b352f26 100644 --- a/latest/ug/nodes/node-health.adoc +++ b/latest/ug/nodes/node-health.adoc @@ -324,7 +324,7 @@ If auto repair is enabled, the repair actions that are listed start 10 minutes a |DCGMError |Condition -|Connection to the DCGM host process was lost or could not be established. +|Connection to the Data Center GPU Manager (DCGM) host process was lost or could not be established. |None |DCGMDiagnosticError From 6b4cc34ada34c019e6b9f1ae1f56e5bb93d16199 Mon Sep 17 00:00:00 2001 From: Leah Tucker Date: Wed, 5 Mar 2025 22:22:57 +0000 Subject: [PATCH 219/940] Move attributes above page title --- .../ug/manage-access/aws-access/pod-id-assign-target-role.adoc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc b/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc index 47306de54..43388d723 100644 --- a/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc @@ -1,10 +1,9 @@ [.topic] [#pod-id-assign-target-role] +include::../../attributes.txt[] = Access {aws} Resources using EKS Pod Identity Target IAM Roles :info_titleabbrev: Assign Target IAM role -include::../../attributes.txt[] - [abstract] -- Learn how to configure account role access for Amazon EKS workloads using Pod Identity. From f2363ce9e0f6d44eb9735ff24ed5eb5c3417d264 Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Wed, 5 Mar 2025 14:42:11 -0800 Subject: [PATCH 220/940] Fix broken link to K8s 1.32 launch blog --- latest/ug/clusters/kubernetes-versions-standard.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/clusters/kubernetes-versions-standard.adoc b/latest/ug/clusters/kubernetes-versions-standard.adoc index 995b599d1..3181eaff5 100644 --- a/latest/ug/clusters/kubernetes-versions-standard.adoc +++ b/latest/ug/clusters/kubernetes-versions-standard.adoc @@ -21,7 +21,7 @@ For `1.24` and later clusters, officially published Amazon EKS AMIs include `con [#kubernetes-1-32] == Kubernetes 1.32 -Kubernetes `1.32` is now available in Amazon EKS. For more information about Kubernetes `1.32`, see the https://kubernetes.io/blog/2024/12/13/kubernetes-v1-32-release/[official release announcement]. +Kubernetes `1.32` is now available in Amazon EKS. For more information about Kubernetes `1.32`, see the https://kubernetes.io/blog/2024/12/11/kubernetes-v1-32-release/[official release announcement]. [IMPORTANT] ==== From 8e95be9b1e364f5c28f58f8f4aecf0098e4603ba Mon Sep 17 00:00:00 2001 From: Leah Tucker Date: Wed, 5 Mar 2025 22:57:33 +0000 Subject: [PATCH 221/940] Move attributes to the very top --- .../ug/manage-access/aws-access/pod-id-assign-target-role.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc b/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc index 43388d723..62337bd76 100644 --- a/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc @@ -1,6 +1,6 @@ +include::../../attributes.txt[] [.topic] [#pod-id-assign-target-role] -include::../../attributes.txt[] = Access {aws} Resources using EKS Pod Identity Target IAM Roles :info_titleabbrev: Assign Target IAM role From ee1efcede2c766cce8d0d19ee29f26a8510aed77 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Wed, 5 Mar 2025 23:42:34 +0000 Subject: [PATCH 222/940] Added :doctype: book globally to address reported VS Code problem, moved includes to top of files. --- latest/ug/automode/adoc-windows.adoc | 1 + latest/ug/automode/api-reference.adoc | 1 + latest/ug/automode/associate-workload.adoc | 6 ++++-- latest/ug/automode/auto-configure-alb.adoc | 6 ++++-- latest/ug/automode/auto-configure-nlb.adoc | 6 ++++-- latest/ug/automode/auto-disable.adoc | 6 ++++-- latest/ug/automode/auto-elb-example.adoc | 6 ++++-- latest/ug/automode/auto-enable-existing.adoc | 6 ++++-- latest/ug/automode/auto-glossary.adoc | 6 ++++-- latest/ug/automode/auto-learn-iam.adoc | 6 ++++-- latest/ug/automode/auto-migrate-karpenter.adoc | 6 ++++-- latest/ug/automode/auto-migrate-mng.adoc | 6 ++++-- latest/ug/automode/auto-mng.adoc | 6 ++++-- latest/ug/automode/auto-net-pol.adoc | 1 + latest/ug/automode/auto-networking.adoc | 6 ++++-- latest/ug/automode/auto-reference.adoc | 6 ++++-- latest/ug/automode/auto-troubleshoot.adoc | 6 ++++-- latest/ug/automode/auto-upgrade.adoc | 6 ++++-- latest/ug/automode/auto-workloads.adoc | 6 ++++-- latest/ug/automode/automode-get-started-cli.adoc | 1 + latest/ug/automode/automode-get-started-console.adoc | 1 + latest/ug/automode/automode-get-started-eksctl.adoc | 6 ++++-- latest/ug/automode/automode-learn-instances.adoc | 6 ++++-- latest/ug/automode/automode-workload.adoc | 6 ++++-- latest/ug/automode/automode.adoc | 6 ++++-- latest/ug/automode/create-auto.adoc | 6 ++++-- latest/ug/automode/create-node-class.adoc | 6 ++++-- latest/ug/automode/create-node-pool.adoc | 6 ++++-- latest/ug/automode/create-storage-class.adoc | 6 ++++-- latest/ug/automode/critical-workload.adoc | 6 ++++-- latest/ug/automode/migrate-auto.adoc | 6 ++++-- latest/ug/automode/old/hpa_scaling.adoc | 7 ++++--- latest/ug/automode/sample-storage-workload.adoc | 6 ++++-- latest/ug/automode/set-builtin-node-pools.adoc | 6 ++++-- latest/ug/automode/settings-auto.adoc | 6 ++++-- latest/ug/automode/tag-subnets-auto.adoc | 6 ++++-- latest/ug/automode/troubleshoot-lbc.adoc | 6 ++++-- latest/ug/automode/wip.adoc | 6 ++++-- latest/ug/automode/wip/create-vpc-console.adoc | 6 ++++-- latest/ug/automode/wip/eksctl-docs.adoc | 6 ++++-- latest/ug/automode/wip/tag-subnets.adoc | 6 ++++-- latest/ug/book.adoc | 4 +++- latest/ug/clusters/autoscaling.adoc | 6 ++++-- latest/ug/clusters/cluster-endpoint.adoc | 6 ++++-- latest/ug/clusters/cluster-insights.adoc | 6 ++++-- latest/ug/clusters/clusters.adoc | 7 ++++--- latest/ug/clusters/create-cluster-auto.adoc | 6 ++++-- latest/ug/clusters/create-cluster.adoc | 7 ++++--- latest/ug/clusters/delete-cluster.adoc | 6 ++++-- latest/ug/clusters/disable-extended-support.adoc | 6 ++++-- latest/ug/clusters/disable-windows-support.adoc | 6 ++++-- latest/ug/clusters/enable-extended-support.adoc | 6 ++++-- latest/ug/clusters/kubernetes-versions-extended.adoc | 6 ++++-- latest/ug/clusters/kubernetes-versions-standard.adoc | 6 ++++-- latest/ug/clusters/kubernetes-versions.adoc | 6 ++++-- latest/ug/clusters/management/cost-monitoring-aws.adoc | 1 + .../management/cost-monitoring-kubecost-bundles.adoc | 6 ++++-- .../ug/clusters/management/cost-monitoring-kubecost.adoc | 6 ++++-- latest/ug/clusters/management/cost-monitoring.adoc | 6 ++++-- latest/ug/clusters/management/eks-managing.adoc | 7 ++++--- latest/ug/clusters/management/eks-using-tags.adoc | 6 ++++-- latest/ug/clusters/management/helm.adoc | 6 ++++-- latest/ug/clusters/management/metrics-server.adoc | 6 ++++-- latest/ug/clusters/management/service-quotas.adoc | 6 ++++-- latest/ug/clusters/platform-versions.adoc | 6 ++++-- latest/ug/clusters/private-clusters.adoc | 6 ++++-- latest/ug/clusters/update-cluster.adoc | 6 ++++-- latest/ug/clusters/view-support-status.adoc | 6 ++++-- latest/ug/clusters/view-upgrade-policy.adoc | 6 ++++-- latest/ug/clusters/windows-support.adoc | 6 ++++-- latest/ug/clusters/zone-shift-enable.adoc | 1 + latest/ug/clusters/zone-shift.adoc | 1 + latest/ug/connector/connecting-cluster.adoc | 6 ++++-- latest/ug/connector/connector-grant-access.adoc | 6 ++++-- latest/ug/connector/deregister-connected-cluster.adoc | 6 ++++-- latest/ug/connector/eks-connector.adoc | 7 ++++--- latest/ug/connector/security-connector.adoc | 6 ++++-- latest/ug/connector/troubleshooting-connector.adoc | 6 ++++-- latest/ug/connector/tsc-faq.adoc | 1 + latest/ug/contribute/asciidoc-syntax.adoc | 6 ++++-- latest/ug/contribute/contribute.adoc | 7 ++++--- latest/ug/contribute/create-content-q.adoc | 6 ++++-- latest/ug/contribute/create-page.adoc | 6 ++++-- latest/ug/contribute/edit-single-web.adoc | 6 ++++-- latest/ug/contribute/edit-web.adoc | 6 ++++-- latest/ug/contribute/insert-link.adoc | 6 ++++-- latest/ug/contribute/pr-preview.adoc | 6 ++++-- latest/ug/contribute/pr-status.adoc | 6 ++++-- latest/ug/contribute/vale-github.adoc | 6 ++++-- latest/ug/contribute/vale-local.adoc | 6 ++++-- latest/ug/diagrams/README.adoc | 1 + latest/ug/doc-history.adoc | 2 +- latest/ug/getting-started/getting-started-automode.adoc | 6 ++++-- latest/ug/getting-started/getting-started-console.adoc | 1 + latest/ug/getting-started/getting-started-eksctl.adoc | 6 ++++-- latest/ug/getting-started/getting-started.adoc | 7 ++++--- latest/ug/getting-started/install-awscli.adoc | 1 + latest/ug/getting-started/install-kubectl.adoc | 6 ++++-- latest/ug/getting-started/learn-eks.adoc | 6 ++++-- latest/ug/getting-started/setting-up.adoc | 7 ++++--- .../creating-resources-with-cloudformation.adoc | 1 + latest/ug/integrations/eks-integrations.adoc | 2 +- latest/ug/integrations/integration-detective.adoc | 6 ++++-- latest/ug/integrations/integration-guardduty.adoc | 6 ++++-- latest/ug/integrations/integration-resilience-hub.adoc | 1 + latest/ug/integrations/integration-securitylake.adoc | 6 ++++-- latest/ug/integrations/integration-vpc-lattice.adoc | 6 ++++-- latest/ug/integrations/local-zones.adoc | 1 + .../aws-access/associate-service-account-role.adoc | 6 ++++-- .../manage-access/aws-access/configure-sts-endpoint.adoc | 1 + .../ug/manage-access/aws-access/cross-account-access.adoc | 6 ++++-- .../aws-access/enable-iam-roles-for-service-accounts.adoc | 6 ++++-- .../iam-roles-for-service-accounts-minimum-sdk.adoc | 1 + .../aws-access/iam-roles-for-service-accounts.adoc | 6 ++++-- latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc | 6 ++++-- latest/ug/manage-access/aws-access/pod-configuration.adoc | 6 ++++-- latest/ug/manage-access/aws-access/pod-id-abac.adoc | 1 + .../aws-access/pod-id-agent-config-ipv6.adoc | 6 ++++-- .../ug/manage-access/aws-access/pod-id-agent-setup.adoc | 6 ++++-- .../ug/manage-access/aws-access/pod-id-association.adoc | 6 ++++-- .../manage-access/aws-access/pod-id-configure-pods.adoc | 1 + .../ug/manage-access/aws-access/pod-id-how-it-works.adoc | 6 ++++-- .../ug/manage-access/aws-access/pod-id-minimum-sdk.adoc | 1 + latest/ug/manage-access/aws-access/pod-id-role.adoc | 6 ++++-- latest/ug/manage-access/aws-access/pod-identities.adoc | 1 + latest/ug/manage-access/aws-access/service-accounts.adoc | 1 + latest/ug/manage-access/cluster-auth.adoc | 7 ++++--- latest/ug/manage-access/create-kubeconfig.adoc | 6 ++++-- latest/ug/manage-access/k8s-access/access-entries.adoc | 6 ++++-- latest/ug/manage-access/k8s-access/access-policies.adoc | 6 ++++-- .../manage-access/k8s-access/access-policy-reference.adoc | 6 ++++-- latest/ug/manage-access/k8s-access/auth-configmap.adoc | 6 ++++-- .../k8s-access/authenticate-oidc-identity-provider.adoc | 6 ++++-- .../manage-access/k8s-access/creating-access-entries.adoc | 6 ++++-- .../manage-access/k8s-access/deleting-access-entries.adoc | 6 ++++-- .../k8s-access/disassociate-oidc-identity-provider.adoc | 6 ++++-- latest/ug/manage-access/k8s-access/grant-k8s-access.adoc | 6 ++++-- .../k8s-access/migrating-access-entries.adoc | 6 ++++-- .../k8s-access/setting-up-access-entries.adoc | 6 ++++-- .../manage-access/k8s-access/updating-access-entries.adoc | 6 ++++-- latest/ug/manage-access/view-kubernetes-resources.adoc | 1 + latest/ug/ml/capacity-blocks-mng.adoc | 6 ++++-- latest/ug/ml/capacity-blocks.adoc | 6 ++++-- latest/ug/ml/inferentia-support.adoc | 1 + latest/ug/ml/machine-learning-on-eks.adoc | 7 ++++--- latest/ug/ml/ml-eks-optimized-ami.adoc | 6 ++++-- latest/ug/ml/ml-eks-windows-optimized-ami.adoc | 6 ++++-- latest/ug/ml/ml-get-started.adoc | 6 ++++-- latest/ug/ml/ml-prepare-for-cluster.adoc | 6 ++++-- latest/ug/ml/ml-tutorials.adoc | 6 ++++-- latest/ug/ml/node-efa.adoc | 6 ++++-- latest/ug/ml/node-taints-managed-node-groups.adoc | 6 ++++-- latest/ug/networking/alternate-cni-plugins.adoc | 6 ++++-- latest/ug/networking/auto-mode-addon-note.adoc | 1 + latest/ug/networking/aws-load-balancer-controller.adoc | 1 + latest/ug/networking/cni-custom-network-tutorial.adoc | 6 ++++-- latest/ug/networking/cni-custom-network.adoc | 6 ++++-- latest/ug/networking/cni-iam-role.adoc | 6 ++++-- .../networking/cni-increase-ip-addresses-procedure.adoc | 6 ++++-- latest/ug/networking/cni-increase-ip-addresses.adoc | 6 ++++-- latest/ug/networking/cni-ipv6.adoc | 6 ++++-- latest/ug/networking/cni-network-policy-configure.adoc | 6 ++++-- latest/ug/networking/cni-network-policy.adoc | 6 ++++-- latest/ug/networking/coredns-add-on-create.adoc | 6 ++++-- .../ug/networking/coredns-add-on-self-managed-update.adoc | 6 ++++-- latest/ug/networking/coredns-add-on-update.adoc | 6 ++++-- latest/ug/networking/coredns-autoscaling.adoc | 6 ++++-- latest/ug/networking/coredns-metrics.adoc | 6 ++++-- latest/ug/networking/creating-a-vpc.adoc | 6 ++++-- latest/ug/networking/deploy-ipv6-cluster.adoc | 6 ++++-- latest/ug/networking/eks-networking-add-ons.adoc | 6 ++++-- latest/ug/networking/eks-networking.adoc | 7 ++++--- latest/ug/networking/external-snat.adoc | 6 ++++-- .../networking/kube-proxy-add-on-self-managed-update.adoc | 6 ++++-- latest/ug/networking/lbc-helm.adoc | 4 +++- latest/ug/networking/lbc-manifest.adoc | 6 ++++-- latest/ug/networking/lbc-remove.adoc | 6 ++++-- latest/ug/networking/managing-coredns.adoc | 6 ++++-- latest/ug/networking/managing-kube-proxy.adoc | 6 ++++-- latest/ug/networking/managing-vpc-cni.adoc | 6 ++++-- .../ug/networking/network-policies-troubleshooting.adoc | 6 ++++-- latest/ug/networking/network-policy-disable.adoc | 6 ++++-- latest/ug/networking/network-policy-stars-demo.adoc | 6 ++++-- latest/ug/networking/network-reqs.adoc | 6 ++++-- latest/ug/networking/pod-multiple-network-interfaces.adoc | 6 ++++-- latest/ug/networking/pod-networking-use-cases.adoc | 6 ++++-- latest/ug/networking/sec-group-reqs.adoc | 6 ++++-- latest/ug/networking/security-groups-for-pods.adoc | 6 ++++-- latest/ug/networking/security-groups-pods-deployment.adoc | 6 ++++-- latest/ug/networking/sg-pods-example-deployment.adoc | 6 ++++-- latest/ug/networking/vpc-add-on-create.adoc | 6 ++++-- latest/ug/networking/vpc-add-on-self-managed-update.adoc | 6 ++++-- latest/ug/networking/vpc-add-on-update.adoc | 6 ++++-- latest/ug/nodes/al2023.adoc | 6 ++++-- latest/ug/nodes/auto-get-logs.adoc | 6 ++++-- latest/ug/nodes/bottlerocket-compliance-support.adoc | 6 ++++-- latest/ug/nodes/choosing-instance-type.adoc | 6 ++++-- latest/ug/nodes/create-managed-node-group.adoc | 6 ++++-- latest/ug/nodes/delete-fargate-profile.adoc | 6 ++++-- latest/ug/nodes/delete-managed-node-group.adoc | 6 ++++-- latest/ug/nodes/dockershim-deprecation.adoc | 6 ++++-- latest/ug/nodes/eks-ami-build-scripts.adoc | 6 ++++-- latest/ug/nodes/eks-ami-versions-bottlerocket.adoc | 6 ++++-- latest/ug/nodes/eks-ami-versions-windows.adoc | 6 ++++-- latest/ug/nodes/eks-compute.adoc | 7 ++++--- latest/ug/nodes/eks-custom-ami-windows.adoc | 6 ++++-- latest/ug/nodes/eks-linux-ami-versions.adoc | 6 ++++-- latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc | 6 ++++-- latest/ug/nodes/eks-optimized-ami.adoc | 6 ++++-- latest/ug/nodes/eks-optimized-amis.adoc | 6 ++++-- latest/ug/nodes/eks-optimized-windows-ami.adoc | 6 ++++-- latest/ug/nodes/eks-partner-amis.adoc | 6 ++++-- latest/ug/nodes/fargate-getting-started.adoc | 1 + latest/ug/nodes/fargate-logging.adoc | 1 + latest/ug/nodes/fargate-pod-configuration.adoc | 6 ++++-- latest/ug/nodes/fargate-pod-patching.adoc | 1 + latest/ug/nodes/fargate-profile.adoc | 1 + latest/ug/nodes/fargate.adoc | 1 + latest/ug/nodes/hybrid-nodes-add-ons.adoc | 6 ++++-- latest/ug/nodes/hybrid-nodes-cluster-create.adoc | 6 ++++-- latest/ug/nodes/hybrid-nodes-cluster-prep.adoc | 6 ++++-- latest/ug/nodes/hybrid-nodes-cni.adoc | 6 ++++-- latest/ug/nodes/hybrid-nodes-creds.adoc | 6 ++++-- latest/ug/nodes/hybrid-nodes-join.adoc | 6 ++++-- latest/ug/nodes/hybrid-nodes-networking.adoc | 6 ++++-- latest/ug/nodes/hybrid-nodes-nodeadm.adoc | 6 ++++-- latest/ug/nodes/hybrid-nodes-os.adoc | 6 ++++-- latest/ug/nodes/hybrid-nodes-overview.adoc | 6 ++++-- latest/ug/nodes/hybrid-nodes-prereqs.adoc | 6 ++++-- latest/ug/nodes/hybrid-nodes-proxy.adoc | 6 ++++-- latest/ug/nodes/hybrid-nodes-remove.adoc | 6 ++++-- latest/ug/nodes/hybrid-nodes-troubleshooting.adoc | 6 ++++-- latest/ug/nodes/hybrid-nodes-tutorial.adoc | 6 ++++-- latest/ug/nodes/hybrid-nodes-upgrade.adoc | 6 ++++-- latest/ug/nodes/launch-node-bottlerocket.adoc | 6 ++++-- latest/ug/nodes/launch-node-ubuntu.adoc | 6 ++++-- latest/ug/nodes/launch-templates.adoc | 6 ++++-- latest/ug/nodes/launch-windows-workers.adoc | 6 ++++-- latest/ug/nodes/launch-workers.adoc | 6 ++++-- latest/ug/nodes/learn-status-conditions.adoc | 6 ++++-- latest/ug/nodes/managed-node-groups.adoc | 6 ++++-- latest/ug/nodes/managed-node-update-behavior.adoc | 6 ++++-- latest/ug/nodes/migrate-stack.adoc | 6 ++++-- latest/ug/nodes/monitoring-fargate-usage.adoc | 1 + latest/ug/nodes/node-health.adoc | 6 ++++-- latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc | 6 ++++-- latest/ug/nodes/retrieve-ami-id.adoc | 6 ++++-- latest/ug/nodes/retrieve-windows-ami-id.adoc | 6 ++++-- latest/ug/nodes/self-managed-windows-server-2022.adoc | 6 ++++-- latest/ug/nodes/update-managed-node-group.adoc | 6 ++++-- latest/ug/nodes/update-stack.adoc | 1 + latest/ug/nodes/update-workers.adoc | 6 ++++-- latest/ug/nodes/worker.adoc | 6 ++++-- latest/ug/observability/cloudwatch.adoc | 6 ++++-- latest/ug/observability/control-plane-logs.adoc | 6 ++++-- latest/ug/observability/deploy-prometheus.adoc | 6 ++++-- latest/ug/observability/eks-observe.adoc | 7 ++++--- latest/ug/observability/enable-asg-metrics.adoc | 6 ++++-- latest/ug/observability/logging-using-cloudtrail.adoc | 1 + latest/ug/observability/observability-dashboard.adoc | 6 ++++-- latest/ug/observability/opentelemetry.adoc | 6 ++++-- latest/ug/observability/prometheus.adoc | 6 ++++-- .../ug/observability/service-name-info-in-cloudtrail.adoc | 1 + .../observability/understanding-service-name-entries.adoc | 1 + latest/ug/observability/view-raw-metrics.adoc | 8 ++++---- .../ug/outposts/eks-outposts-capacity-considerations.adoc | 1 + latest/ug/outposts/eks-outposts-local-cluster-create.adoc | 1 + .../ug/outposts/eks-outposts-local-cluster-overview.adoc | 1 + latest/ug/outposts/eks-outposts-network-disconnects.adoc | 1 + latest/ug/outposts/eks-outposts-platform-versions.adoc | 1 + latest/ug/outposts/eks-outposts-self-managed-nodes.adoc | 1 + latest/ug/outposts/eks-outposts-troubleshooting.adoc | 1 + .../ug/outposts/eks-outposts-vpc-subnet-requirements.adoc | 1 + latest/ug/outposts/eks-outposts.adoc | 2 +- latest/ug/quickstart.adoc | 1 + latest/ug/related-projects.adoc | 2 +- latest/ug/roadmap.adoc | 2 +- latest/ug/security/auto-security.adoc | 6 ++++-- latest/ug/security/cert-signing.adoc | 6 ++++-- latest/ug/security/compliance.adoc | 6 ++++-- .../ug/security/configuration-vulnerability-analysis.adoc | 6 ++++-- latest/ug/security/default-roles-users.adoc | 6 ++++-- latest/ug/security/disaster-recovery-resiliency.adoc | 6 ++++-- latest/ug/security/enable-kms.adoc | 6 ++++-- latest/ug/security/envelope-encryption.adoc | 6 ++++-- .../ug/security/iam-reference/auto-cluster-iam-role.adoc | 6 ++++-- .../ug/security/iam-reference/auto-create-node-role.adoc | 6 ++++-- latest/ug/security/iam-reference/cluster-iam-role.adoc | 6 ++++-- latest/ug/security/iam-reference/connector-iam-role.adoc | 6 ++++-- latest/ug/security/iam-reference/create-node-role.adoc | 6 ++++-- latest/ug/security/iam-reference/pod-execution-role.adoc | 6 ++++-- .../ug/security/iam-reference/security-iam-awsmanpol.adoc | 1 + .../security-iam-id-based-policy-examples.adoc | 6 ++++-- .../iam-reference/security-iam-service-with-iam.adoc | 6 ++++-- .../security/iam-reference/security-iam-troubleshoot.adoc | 6 ++++-- latest/ug/security/iam-reference/security-iam.adoc | 6 ++++-- .../using-service-linked-roles-eks-connector.adoc | 6 ++++-- .../using-service-linked-roles-eks-fargate.adoc | 6 ++++-- .../using-service-linked-roles-eks-nodegroups.adoc | 6 ++++-- .../using-service-linked-roles-eks-outpost.adoc | 6 ++++-- .../iam-reference/using-service-linked-roles-eks.adoc | 6 ++++-- .../iam-reference/using-service-linked-roles.adoc | 6 ++++-- latest/ug/security/infrastructure-security.adoc | 6 ++++-- latest/ug/security/manage-secrets.adoc | 1 + latest/ug/security/pod-security-policy-removal-faq.adoc | 6 ++++-- latest/ug/security/pod-security-policy.adoc | 6 ++++-- latest/ug/security/security-best-practices.adoc | 6 ++++-- latest/ug/security/security-eks.adoc | 6 ++++-- latest/ug/security/security-k8s.adoc | 6 ++++-- latest/ug/security/security.adoc | 7 ++++--- latest/ug/security/vpc-interface-endpoints.adoc | 1 + latest/ug/storage/csi-snapshot-controller.adoc | 6 ++++-- latest/ug/storage/ebs-csi.adoc | 6 ++++-- latest/ug/storage/efs-csi.adoc | 6 ++++-- latest/ug/storage/file-cache-csi.adoc | 6 ++++-- latest/ug/storage/fsx-csi.adoc | 6 ++++-- latest/ug/storage/fsx-ontap.adoc | 6 ++++-- latest/ug/storage/fsx-openzfs-csi.adoc | 6 ++++-- latest/ug/storage/s3-csi.adoc | 6 ++++-- latest/ug/storage/storage.adoc | 7 ++++--- latest/ug/troubleshooting/troubleshooting.adoc | 7 ++++--- latest/ug/what-is/common-use-cases.adoc | 6 ++++-- latest/ug/what-is/eks-architecture.adoc | 6 ++++-- latest/ug/what-is/eks-deployment-options.adoc | 6 ++++-- latest/ug/what-is/kubernetes-concepts.adoc | 6 ++++-- latest/ug/what-is/what-is-eks.adoc | 7 ++++--- latest/ug/workloads/add-ons-iam.adoc | 6 ++++-- latest/ug/workloads/add-ons-images.adoc | 6 ++++-- latest/ug/workloads/addon-compat.adoc | 7 ++++--- latest/ug/workloads/addon-id-troubleshoot.adoc | 6 ++++-- latest/ug/workloads/alb-ingress.adoc | 6 ++++-- latest/ug/workloads/community-addons.adoc | 6 ++++-- latest/ug/workloads/copy-image-to-repository.adoc | 6 ++++-- latest/ug/workloads/creating-an-add-on.adoc | 7 ++++--- latest/ug/workloads/eks-add-ons.adoc | 6 ++++-- latest/ug/workloads/eks-workloads.adoc | 7 ++++--- latest/ug/workloads/horizontal-pod-autoscaler.adoc | 6 ++++-- latest/ug/workloads/image-verification.adoc | 6 ++++-- latest/ug/workloads/kubernetes-field-management.adoc | 6 ++++-- latest/ug/workloads/network-load-balancing.adoc | 6 ++++-- latest/ug/workloads/remove-addon-role.adoc | 6 ++++-- latest/ug/workloads/removing-an-addon.adoc | 7 ++++--- latest/ug/workloads/restrict-service-external-ip.adoc | 6 ++++-- latest/ug/workloads/retreive-iam-info.adoc | 6 ++++-- latest/ug/workloads/sample-deployment-windows.adoc | 6 ++++-- latest/ug/workloads/sample-deployment.adoc | 6 ++++-- latest/ug/workloads/update-addon-role.adoc | 6 ++++-- latest/ug/workloads/updating-an-add-on.adoc | 7 ++++--- latest/ug/workloads/vertical-pod-autoscaler.adoc | 6 ++++-- latest/ug/workloads/workloads-add-ons-available-eks.adoc | 3 +-- .../ug/workloads/workloads-add-ons-available-vendors.adoc | 1 + team/squish.adoc | 1 + 352 files changed, 1238 insertions(+), 621 deletions(-) diff --git a/latest/ug/automode/adoc-windows.adoc b/latest/ug/automode/adoc-windows.adoc index 96228a299..c3c8b1824 100644 --- a/latest/ug/automode/adoc-windows.adoc +++ b/latest/ug/automode/adoc-windows.adoc @@ -1,3 +1,4 @@ +:doctype: book = Configure an AsciiDoc Authoring Environment on Windows using Visual Studio Code == Prereqs diff --git a/latest/ug/automode/api-reference.adoc b/latest/ug/automode/api-reference.adoc index f1bc94240..f08f3f8aa 100644 --- a/latest/ug/automode/api-reference.adoc +++ b/latest/ug/automode/api-reference.adoc @@ -1,3 +1,4 @@ +:doctype: book [.topic] = EKA Auto Mode API Reference WIP diff --git a/latest/ug/automode/associate-workload.adoc b/latest/ug/automode/associate-workload.adoc index 48a8f2d79..5e1e1ad39 100644 --- a/latest/ug/automode/associate-workload.adoc +++ b/latest/ug/automode/associate-workload.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#associate-workload] = Control if a workload is deployed on EKS Auto Mode nodes :info_titleabbrev: Control deployment -include::../attributes.txt[] - When running workloads in an EKS cluster with EKS Auto Mode, you might need to control whether specific workloads run on EKS Auto Mode nodes or other compute types. This topic describes how to use node selectors and affinity rules to ensure your workloads are scheduled on the intended compute infrastructure. The examples in this topic demonstrate how to use the `eks.amazonaws.com/compute-type` label to either require or prevent workload deployment on EKS Auto Mode nodes. This is particularly useful in mixed-mode clusters where you're running both EKS Auto Mode and other compute types, such as self-managed Karpenter provisioners or EKS Managed Node Groups. diff --git a/latest/ug/automode/auto-configure-alb.adoc b/latest/ug/automode/auto-configure-alb.adoc index 5d98fa05a..72fd64853 100644 --- a/latest/ug/automode/auto-configure-alb.adoc +++ b/latest/ug/automode/auto-configure-alb.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#auto-configure-alb] = Create an IngressClass to configure an Application Load Balancer :info_titleabbrev: Create ingress class -include::../attributes.txt[] - EKS Auto Mode automates routine tasks for load balancing, including exposing cluster apps to the internet. {aws} suggests using Application Load Balancers (ALB) to serve HTTP and HTTPS traffic. Application Load Balancers can route requests based on the content of the request. For more information on Application Load Balancers, see link:elasticloadbalancing/latest/userguide/what-is-load-balancing.html["What is Elastic Load Balancing?",type="documentation"] diff --git a/latest/ug/automode/auto-configure-nlb.adoc b/latest/ug/automode/auto-configure-nlb.adoc index d06be749a..9673ceb95 100644 --- a/latest/ug/automode/auto-configure-nlb.adoc +++ b/latest/ug/automode/auto-configure-nlb.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#auto-configure-nlb] = Use Service Annotations to configure Network Load Balancers :info_titleabbrev: Create service -include::../attributes.txt[] - Learn how to configure Network Load Balancers (NLB) in Amazon EKS using Kubernetes service annotations. This topic explains the annotations supported by EKS Auto Mode for customizing NLB behavior, including internet accessibility, health checks, SSL/TLS termination, and IP targeting modes. When you create a Kubernetes service of type `LoadBalancer` in EKS Auto Mode, EKS automatically provisions and configures an {aws} Network Load Balancer based on the annotations you specify. This declarative approach allows you to manage load balancer configurations directly through your Kubernetes manifests, maintaining infrastructure as code practices. diff --git a/latest/ug/automode/auto-disable.adoc b/latest/ug/automode/auto-disable.adoc index bec6d351c..d29795991 100644 --- a/latest/ug/automode/auto-disable.adoc +++ b/latest/ug/automode/auto-disable.adoc @@ -1,9 +1,11 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#auto-disable] = Disable EKS Auto Mode -include::../attributes.txt[] - You can disable EKS Auto Mode on an existing EKS Cluster. This is a destructive operation. * EKS will terminate all EC2 instances operated by EKS Auto Mode. diff --git a/latest/ug/automode/auto-elb-example.adoc b/latest/ug/automode/auto-elb-example.adoc index a0cee3e00..9733ef29e 100644 --- a/latest/ug/automode/auto-elb-example.adoc +++ b/latest/ug/automode/auto-elb-example.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#auto-elb-example] = Deploy a Sample Load Balancer Workload to EKS Auto Mode :info_titleabbrev: Deploy load balancer -include::../attributes.txt[] - This guide walks you through deploying a containerized version of the 2048 game on Amazon EKS, complete with load balancing and internet accessibility. == Prerequisites diff --git a/latest/ug/automode/auto-enable-existing.adoc b/latest/ug/automode/auto-enable-existing.adoc index 917866a89..b0183ccf5 100644 --- a/latest/ug/automode/auto-enable-existing.adoc +++ b/latest/ug/automode/auto-enable-existing.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#auto-enable-existing] = Enable EKS Auto Mode on an existing cluster :info_titleabbrev: Enable on cluster -include::../attributes.txt[] - This topic describes how to enable Amazon EKS Auto Mode on your existing Amazon EKS clusters. Enabling Auto Mode on an existing cluster requires updating IAM permissions and configuring core EKS Auto Mode settings. Once enabled, you can begin migrating your existing compute workloads to take advantage of Auto Mode's simplified operations and automated infrastructure management. [IMPORTANT] diff --git a/latest/ug/automode/auto-glossary.adoc b/latest/ug/automode/auto-glossary.adoc index a6368f4ca..0a4f79aaa 100644 --- a/latest/ug/automode/auto-glossary.adoc +++ b/latest/ug/automode/auto-glossary.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#auto-glossary] = Glossary :info_titleabbrev: Glossary -include::../attributes.txt[] - IAM Role:: An IAM identity that you can create in your {aws} account that has specific permissions. You can use IAM roles to delegate access to users, applications, or services that don't normally have access to your {aws} resources. diff --git a/latest/ug/automode/auto-learn-iam.adoc b/latest/ug/automode/auto-learn-iam.adoc index 4108a122a..a43d92d36 100644 --- a/latest/ug/automode/auto-learn-iam.adoc +++ b/latest/ug/automode/auto-learn-iam.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#auto-learn-iam] = Learn about identity and access in EKS Auto Mode :info_titleabbrev: Identity and access -include::../attributes.txt[] - This topic describes the Identity and Access Management (IAM) roles and permissions required to use EKS Auto Mode. EKS Auto Mode uses two primary IAM roles: a Cluster IAM Role and a Node IAM Role. These roles work in conjunction with EKS Pod Identity and EKS access entries to provide comprehensive access management for your EKS clusters. When you configure EKS Auto Mode, you will need to set up these IAM roles with specific permissions that allow {aws} services to interact with your cluster resources. This includes permissions for managing compute resources, storage volumes, load balancers, and networking components. Understanding these role configurations is essential for proper cluster operation and security. diff --git a/latest/ug/automode/auto-migrate-karpenter.adoc b/latest/ug/automode/auto-migrate-karpenter.adoc index 4b336cd34..2818ef0a6 100644 --- a/latest/ug/automode/auto-migrate-karpenter.adoc +++ b/latest/ug/automode/auto-migrate-karpenter.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#auto-migrate-karpenter] = Migrate from Karpenter to EKS Auto Mode using kubectl :info_titleabbrev: Migrate from Karpenter -include::../attributes.txt[] - This topic walks you through the process of migrating workloads from Karpenter to Amazon EKS Auto Mode using kubectl. The migration can be performed gradually, allowing you to move workloads at your own pace while maintaining cluster stability and application availability throughout the transition. The step-by-step approach outlined below enables you to run Karpenter and EKS Auto Mode side by side during the migration period. This dual-operation strategy helps ensure a smooth transition by allowing you to validate workload behavior on EKS Auto Mode before completely decommissioning Karpenter. You can migrate applications individually or in groups, providing flexibility to accommodate your specific operational requirements and risk tolerance. diff --git a/latest/ug/automode/auto-migrate-mng.adoc b/latest/ug/automode/auto-migrate-mng.adoc index de4369c60..bde4339db 100644 --- a/latest/ug/automode/auto-migrate-mng.adoc +++ b/latest/ug/automode/auto-migrate-mng.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#auto-migrate-mng] = Migrate from EKS Managed Node Groups to EKS Auto Mode :info_titleabbrev: Migrate from MNGs -include::../attributes.txt[] - When transitioning your Amazon EKS cluster to use EKS auto mode, you can smoothly migrate your existing workloads from managed node groups (MNGs) using the eksctl CLI tool. This process ensures continuous application availability while EKS auto mode optimizes your compute resources. The migration can be performed with minimal disruption to your running applications. This topic walks you through the steps to safely drain pods from your existing managed node groups and allow EKS auto mode to reschedule them on newly provisioned instances. By following this procedure, you can take advantage of EKS auto mode's intelligent workload consolidation while maintaining your application's availability throughout the migration. diff --git a/latest/ug/automode/auto-mng.adoc b/latest/ug/automode/auto-mng.adoc index bf48954a3..0c139b83d 100644 --- a/latest/ug/automode/auto-mng.adoc +++ b/latest/ug/automode/auto-mng.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#auto-mng] = Compare EKS Auto Mode with EKS managed node groups :info_titleabbrev: Compare with Managed Node Groups -include::../attributes.txt[] - [IMPORTANT] ==== *{aws} Internal:* The table below will be used to update the larger table at <> diff --git a/latest/ug/automode/auto-net-pol.adoc b/latest/ug/automode/auto-net-pol.adoc index 5db0e020c..a5f7829c8 100644 --- a/latest/ug/automode/auto-net-pol.adoc +++ b/latest/ug/automode/auto-net-pol.adoc @@ -1,3 +1,4 @@ +:doctype: book [.topic] [#auto-net-pol] = Use Network Policies with EKS Auto Mode diff --git a/latest/ug/automode/auto-networking.adoc b/latest/ug/automode/auto-networking.adoc index 7768702ac..7766749d6 100644 --- a/latest/ug/automode/auto-networking.adoc +++ b/latest/ug/automode/auto-networking.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#auto-networking] = Learn about VPC Networking and Load Balancing in EKS Auto Mode :info_titleabbrev: Networking -include::../attributes.txt[] - This topic explains how to configure Virtual Private Cloud (VPC) networking and load balancing features in EKS Auto Mode. While EKS Auto Mode manages most networking components automatically, you can still customize certain aspects of your cluster's networking configuration through NodeClass resources and load balancer annotations. When you use EKS Auto Mode, {aws} manages the VPC Container Network Interface (CNI) configuration and load balancer provisioning for your cluster. You can influence networking behaviors by defining NodeClass objects and applying specific annotations to your Service and Ingress resources, while maintaining the automated operational model that EKS Auto Mode provides. diff --git a/latest/ug/automode/auto-reference.adoc b/latest/ug/automode/auto-reference.adoc index ffe5741de..1416681f9 100644 --- a/latest/ug/automode/auto-reference.adoc +++ b/latest/ug/automode/auto-reference.adoc @@ -1,3 +1,7 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#auto-reference] = Learn how EKS Auto Mode works @@ -8,8 +12,6 @@ :sourcedir: . :info_titleabbrev: How it works -include::../attributes.txt[] - [abstract] -- Reference information for EKS Auto Mode diff --git a/latest/ug/automode/auto-troubleshoot.adoc b/latest/ug/automode/auto-troubleshoot.adoc index d905725a4..99d1fc2ae 100644 --- a/latest/ug/automode/auto-troubleshoot.adoc +++ b/latest/ug/automode/auto-troubleshoot.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#auto-troubleshoot] = Troubleshoot EKS Auto Mode :info_titleabbrev: Troubleshoot -include::../attributes.txt[] - With EKS Auto Mode, {aws} assumes more responsibility for EC2 Instances in your {aws} account. EKS assumes responsibility for the container runtime on nodes, the operating system on the nodes, and certain controllers. This includes a block storage controller, a load balancing controller, and a compute controller. You must use {aws} and Kubernetes APIs to troubleshoot nodes. You can: diff --git a/latest/ug/automode/auto-upgrade.adoc b/latest/ug/automode/auto-upgrade.adoc index 6f17edaae..63165b73e 100644 --- a/latest/ug/automode/auto-upgrade.adoc +++ b/latest/ug/automode/auto-upgrade.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#auto-upgrade] = Update the Kubernetes Version of an EKS Auto Mode cluster :info_titleabbrev: Update Kubernetes version -include::../attributes.txt[] - This topic explains how to update the Kubernetes version of your Auto Mode cluster. Auto Mode simplifies the version update process by handling the coordination of control plane updates with node replacements, while maintaining workload availability through pod disruption budgets. When upgrading an Auto Mode cluster, many components that traditionally required manual updates are now managed as part of the service. Understanding the automated aspects of the upgrade process and your responsibilities helps ensure a smooth version transition for your cluster. diff --git a/latest/ug/automode/auto-workloads.adoc b/latest/ug/automode/auto-workloads.adoc index 11e3a7dd3..67c6cab70 100644 --- a/latest/ug/automode/auto-workloads.adoc +++ b/latest/ug/automode/auto-workloads.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#auto-workloads] = Run sample workloads in EKS Auto Mode clusters :info_titleabbrev: Run workloads -include::../attributes.txt[] - [abstract] -- Run workloads in EKS Auto Mode clusters diff --git a/latest/ug/automode/automode-get-started-cli.adoc b/latest/ug/automode/automode-get-started-cli.adoc index fc470337d..8bffd8a89 100644 --- a/latest/ug/automode/automode-get-started-cli.adoc +++ b/latest/ug/automode/automode-get-started-cli.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/automode-get-started-console.adoc b/latest/ug/automode/automode-get-started-console.adoc index b38c76d64..991d5abc5 100644 --- a/latest/ug/automode/automode-get-started-console.adoc +++ b/latest/ug/automode/automode-get-started-console.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/automode-get-started-eksctl.adoc b/latest/ug/automode/automode-get-started-eksctl.adoc index 3646e6c59..a704bcf2b 100644 --- a/latest/ug/automode/automode-get-started-eksctl.adoc +++ b/latest/ug/automode/automode-get-started-eksctl.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#automode-get-started-eksctl] = Create an EKS Auto Mode Cluster with the eksctl CLI :config: configuration :info_titleabbrev: eksctl CLI -include::../attributes.txt[] - This topic shows you how to create an Amazon EKS Auto Mode cluster using the eksctl command line interface (CLI). You can create an Auto Mode cluster either by running a single CLI command or by applying a YAML configuration file. Both methods provide the same functionality, with the YAML approach offering more granular control over cluster settings. The eksctl CLI simplifies the process of creating and managing EKS Auto Mode clusters by handling the underlying {aws} resource creation and configuration. Before proceeding, ensure you have the necessary {aws} credentials and permissions configured on your local machine. This guide assumes you're familiar with basic Amazon EKS concepts and have already installed the required CLI tools. diff --git a/latest/ug/automode/automode-learn-instances.adoc b/latest/ug/automode/automode-learn-instances.adoc index 3390aef3b..13d9cc537 100644 --- a/latest/ug/automode/automode-learn-instances.adoc +++ b/latest/ug/automode/automode-learn-instances.adoc @@ -1,3 +1,7 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#automode-learn-instances] = Learn about Amazon EKS Auto Mode Managed instances @@ -10,8 +14,6 @@ :emng: EKS Managed Node Group :info_titleabbrev: Managed instances -include::../attributes.txt[] - This topic explains how {aam} manages Amazon EC2 instances in your EKS cluster. When you enable {am}, your cluster's compute resources are automatically provisioned and managed by EKS, changing how you interact with the EC2 instances that serve as nodes in your cluster. Understanding how {aam} manages instances is essential for planning your workload deployment strategy and operational procedures. Unlike traditional EC2 instances or managed node groups, these instances follow a different lifecycle model where EKS assumes responsibility for many operational aspects, while restricting certain types of access and customization. diff --git a/latest/ug/automode/automode-workload.adoc b/latest/ug/automode/automode-workload.adoc index b5452a47b..b09f82de9 100644 --- a/latest/ug/automode/automode-workload.adoc +++ b/latest/ug/automode/automode-workload.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#automode-workload] = Deploy a sample inflate workload to an Amazon EKS Auto Mode cluster :info_titleabbrev: Deploy inflate workload -include::../attributes.txt[] - In this tutorial, you'll learn how to deploy a sample workload to an EKS Auto Mode cluster and observe how it automatically provisions the required compute resources. You'll use `kubectl` commands to watch the cluster's behavior and see firsthand how Auto Mode simplifies Kubernetes operations on {aws}. By the end of this tutorial, you'll understand how EKS Auto Mode responds to workload deployments by automatically managing the underlying compute resources, without requiring manual node group configuration. == Prerequisites diff --git a/latest/ug/automode/automode.adoc b/latest/ug/automode/automode.adoc index 32a76af57..226a83f97 100644 --- a/latest/ug/automode/automode.adoc +++ b/latest/ug/automode/automode.adoc @@ -1,3 +1,7 @@ +:doctype: book + +include::../attributes.txt[] + [#automode] = Automate cluster infrastructure with EKS Auto Mode :toclevels: 2 @@ -9,8 +13,6 @@ Automate cluster infrastructure with EKS Auto Mode -- -include::../attributes.txt[] - EKS Auto Mode extends {aws} management of Kubernetes clusters beyond the cluster itself, to allow {aws} to also set up and manage the infrastructure that enables the smooth operation of your workloads. You can delegate key infrastructure decisions and leverage the expertise of {aws} for day-to-day operations. Cluster infrastructure managed by {aws} includes many Kubernetes capabilities as core components, as opposed to add-ons, such as compute autoscaling, pod and service networking, application load balancing, cluster DNS, block storage, and GPU support. diff --git a/latest/ug/automode/create-auto.adoc b/latest/ug/automode/create-auto.adoc index 6bdf815ea..393480d33 100644 --- a/latest/ug/automode/create-auto.adoc +++ b/latest/ug/automode/create-auto.adoc @@ -1,3 +1,7 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#create-auto] = Create a cluster with Amazon EKS Auto Mode @@ -9,8 +13,6 @@ :info_titleabbrev: Create cluster :keywords: getting, started, tutorials, quick, start -include::../attributes.txt[] - [abstract] -- Learn about the tools needed for creating and working with an Amazon EKS cluster in EKS Auto Mode. diff --git a/latest/ug/automode/create-node-class.adoc b/latest/ug/automode/create-node-class.adoc index ceb2af483..341509f33 100644 --- a/latest/ug/automode/create-node-class.adoc +++ b/latest/ug/automode/create-node-class.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#create-node-class] = Create a Node Class for Amazon EKS :info_titleabbrev: Create node class -include::../attributes.txt[] - Amazon EKS Node Classes provide granular control over the configuration of your EKS Auto Mode managed nodes. A Node Class defines infrastructure-level settings that apply to groups of nodes in your EKS cluster, including network configuration, storage settings, and resource tagging. This topic explains how to create and configure a Node Class to meet your specific operational requirements. When you need to customize how EKS Auto Mode provisions and configures EC2 instances beyond the default settings, creating a Node Class gives you precise control over critical infrastructure parameters. For example, you can specify private subnet placement for enhanced security, configure instance ephemeral storage for performance-sensitive workloads, or apply custom tagging for cost allocation. diff --git a/latest/ug/automode/create-node-pool.adoc b/latest/ug/automode/create-node-pool.adoc index 68d00ff0a..a44fa9b60 100644 --- a/latest/ug/automode/create-node-pool.adoc +++ b/latest/ug/automode/create-node-pool.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#create-node-pool] = Create a Node Pool for EKS Auto Mode :info_titleabbrev: Create node pool -include::../attributes.txt[] - Amazon EKS node pools provide a flexible way to manage compute resources in your Kubernetes cluster. This topic demonstrates how to create and configure node pools using Karpenter, a node provisioning tool that helps optimize cluster scaling and resource utilization. With Karpenter's NodePool resource, you can define specific requirements for your compute resources, including instance types, availability zones, architectures, and capacity types. You cannot modify the built in `system` and `general-purpose` node pools. You can only enable or disable them. For more information, see <>. diff --git a/latest/ug/automode/create-storage-class.adoc b/latest/ug/automode/create-storage-class.adoc index 95b5a494d..7b52891d7 100644 --- a/latest/ug/automode/create-storage-class.adoc +++ b/latest/ug/automode/create-storage-class.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#create-storage-class] = Create a storage class :info_titleabbrev: Create StorageClass -include::../attributes.txt[] - A `StorageClass` in Amazon EKS Auto Mode defines how Amazon EBS volumes are automatically provisioned when applications request persistent storage. This page explains how to create and configure a `StorageClass` that works with the Amazon EKS Auto Mode to provision EBS volumes. By configuring a `StorageClass`, you can specify default settings for your EBS volumes including volume type, encryption, IOPS, and other storage parameters. You can also configure the `StorageClass` to use {aws} KMS keys for encryption management. diff --git a/latest/ug/automode/critical-workload.adoc b/latest/ug/automode/critical-workload.adoc index 30c48f7bc..b880fd847 100644 --- a/latest/ug/automode/critical-workload.adoc +++ b/latest/ug/automode/critical-workload.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#critical-workload] = Run critical add-ons on dedicated instances :info_titleabbrev: Run critical add-ons -include::../attributes.txt[] - In this topic, you will learn how to deploy a workload with a `CriticalAddonsOnly` toleration so EKS Auto Mode will schedule it onto the `system` node pool. EKS Auto Mode's built-in `system` node pool is designed for running critical add-ons on dedicated instances. This segregation ensures essential components have dedicated resources and are isolated from general workloads, enhancing overall cluster stability and performance. diff --git a/latest/ug/automode/migrate-auto.adoc b/latest/ug/automode/migrate-auto.adoc index c24bc551b..bb4cdd4ee 100644 --- a/latest/ug/automode/migrate-auto.adoc +++ b/latest/ug/automode/migrate-auto.adoc @@ -1,3 +1,7 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#migrate-auto] = Enable EKS Auto Mode on existing EKS clusters @@ -8,8 +12,6 @@ :sourcedir: . :info_titleabbrev: Enable existing clusters -include::../attributes.txt[] - [abstract] -- Learn about the tools needed for creating and working with an Amazon EKS cluster in EKS Auto Mode. diff --git a/latest/ug/automode/old/hpa_scaling.adoc b/latest/ug/automode/old/hpa_scaling.adoc index d602f3260..f3bf90bf2 100644 --- a/latest/ug/automode/old/hpa_scaling.adoc +++ b/latest/ug/automode/old/hpa_scaling.adoc @@ -1,9 +1,10 @@ -[.topic] -[#auto-hpa-scaling] -= End-to-end Compute Autoscaling with HPA +:doctype: book include::../attributes.txt[] +[.topic] +[#auto-hpa-scaling] += End-to-end Compute Autoscaling with HPA This guide shows you how Karpenter autoscales nodes in conjunction with HPA scaling your applications. diff --git a/latest/ug/automode/sample-storage-workload.adoc b/latest/ug/automode/sample-storage-workload.adoc index 4dac9061d..efedc5701 100644 --- a/latest/ug/automode/sample-storage-workload.adoc +++ b/latest/ug/automode/sample-storage-workload.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#sample-storage-workload] = Deploy a sample stateful workload to EKS Auto Mode :info_titleabbrev: Deploy stateful workload -include::../attributes.txt[] - This tutorial will guide you through deploying a sample stateful application to your EKS Auto Mode cluster. The application writes timestamps to a persistent volume, demonstrating EKS Auto Mode's automatic EBS volume provisioning and persistence capabilities. ## Prerequisites diff --git a/latest/ug/automode/set-builtin-node-pools.adoc b/latest/ug/automode/set-builtin-node-pools.adoc index 4bd519466..eccc95ba4 100644 --- a/latest/ug/automode/set-builtin-node-pools.adoc +++ b/latest/ug/automode/set-builtin-node-pools.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#set-builtin-node-pools] = Enable or Disable Built-in NodePools :info_titleabbrev: Review built-in node pools -include::../attributes.txt[] - EKS Auto Mode has two built-in NodePools. You can enable or disable these NodePools using the {aws} console, CLI, or API. == Built-in NodePool Reference diff --git a/latest/ug/automode/settings-auto.adoc b/latest/ug/automode/settings-auto.adoc index a3841eb77..bc805a209 100644 --- a/latest/ug/automode/settings-auto.adoc +++ b/latest/ug/automode/settings-auto.adoc @@ -1,3 +1,7 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#settings-auto] = Configure EKS Auto Mode settings @@ -8,8 +12,6 @@ :sourcedir: . :info_titleabbrev: Configure -include::../attributes.txt[] - [abstract] -- Change EKS Auto cluster settings diff --git a/latest/ug/automode/tag-subnets-auto.adoc b/latest/ug/automode/tag-subnets-auto.adoc index 9c5f2019f..1dbd6de2e 100644 --- a/latest/ug/automode/tag-subnets-auto.adoc +++ b/latest/ug/automode/tag-subnets-auto.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#tag-subnets-auto] = Tag subnets for EKS Auto Mode :info_titleabbrev: Tag subnets -include::../attributes.txt[] - If you use the load balancing capability of EKS Auto Mode, you need to add {aws} tags to your VPC subnets. == Background diff --git a/latest/ug/automode/troubleshoot-lbc.adoc b/latest/ug/automode/troubleshoot-lbc.adoc index 7726a3fb5..abe34fc07 100644 --- a/latest/ug/automode/troubleshoot-lbc.adoc +++ b/latest/ug/automode/troubleshoot-lbc.adoc @@ -1,3 +1,7 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#troubleshoot-lbc] # Troubleshooting Amazon EKS Auto Mode Load Balancer Controller @@ -7,8 +11,6 @@ This resource is not ready for publication. ==== -include::../attributes.txt[] - This guide helps you troubleshoot issues with the {aws} Load Balancer Controller when using Amazon EKS Auto Mode. ## Verify Ingress Resources diff --git a/latest/ug/automode/wip.adoc b/latest/ug/automode/wip.adoc index 03188b5bd..98e45e224 100644 --- a/latest/ug/automode/wip.adoc +++ b/latest/ug/automode/wip.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#auto-wip] = EKS Auto Mode: Revisions to existing pages WIP :toc: left -include::../attributes.txt[] - This section contains in-progress revisions for existing pages in other chapters. //include::wip/quickstart-v2.adoc[leveloffset=+1] diff --git a/latest/ug/automode/wip/create-vpc-console.adoc b/latest/ug/automode/wip/create-vpc-console.adoc index 8e1db8c26..1d34b901d 100644 --- a/latest/ug/automode/wip/create-vpc-console.adoc +++ b/latest/ug/automode/wip/create-vpc-console.adoc @@ -1,9 +1,11 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#create-vpc-console] = Create a VPC for Amazon EKS with the web console -include::../../attributes.txt[] - This guide walks you through creating a Virtual Private Cloud (VPC) that's optimized for Amazon Elastic Kubernetes Service (EKS) clusters using the {aws-management-console}. == Overview diff --git a/latest/ug/automode/wip/eksctl-docs.adoc b/latest/ug/automode/wip/eksctl-docs.adoc index 66059289a..e33f40650 100644 --- a/latest/ug/automode/wip/eksctl-docs.adoc +++ b/latest/ug/automode/wip/eksctl-docs.adoc @@ -1,9 +1,11 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#eksctl-docs] = EKS Auto Mode -include::../../attributes.txt[] - == Introduction eksctl supports <>, a feature that extends {aws} management of Kubernetes clusters beyond the cluster itself, diff --git a/latest/ug/automode/wip/tag-subnets.adoc b/latest/ug/automode/wip/tag-subnets.adoc index 8041edbdd..592b68a15 100644 --- a/latest/ug/automode/wip/tag-subnets.adoc +++ b/latest/ug/automode/wip/tag-subnets.adoc @@ -1,9 +1,11 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#tag-subnets] = Tag VPC Subnets for Load Balancer Deployment -include::../../attributes.txt[] - This topic explains how to tag your VPC subnets to enable load balancer deployment using the {aws-management-console}. == Required Tags diff --git a/latest/ug/book.adoc b/latest/ug/book.adoc index 3eb2cc2bd..2056f3b7f 100644 --- a/latest/ug/book.adoc +++ b/latest/ug/book.adoc @@ -1,7 +1,9 @@ +:doctype: book + include::attributes.txt[] + [[top]] = Amazon EKS -:doctype: book :toc: left :icons: font :experimental: diff --git a/latest/ug/clusters/autoscaling.adoc b/latest/ug/clusters/autoscaling.adoc index 0ee62ccc8..271368a97 100644 --- a/latest/ug/clusters/autoscaling.adoc +++ b/latest/ug/clusters/autoscaling.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#autoscaling] = Scale cluster compute with Karpenter and Cluster Autoscaler :info_titleabbrev: Autoscaling -include::../attributes.txt[] - [abstract] -- Discover how Amazon EKS integrates Kubernetes autoscaling with {aws}, empowering rapid and efficient scaling of compute resources to meet application demands using Karpenter and Cluster Autoscaler. diff --git a/latest/ug/clusters/cluster-endpoint.adoc b/latest/ug/clusters/cluster-endpoint.adoc index 1adf7b210..10e54b89f 100644 --- a/latest/ug/clusters/cluster-endpoint.adoc +++ b/latest/ug/clusters/cluster-endpoint.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#cluster-endpoint] = Control network access to cluster API server endpoint :info_titleabbrev: Configure endpoint access -include::../attributes.txt[] - [abstract] -- Learn how to enable private access and limit public access to the Amazon EKS cluster Kubernetes API server endpoint for enhanced security with your Amazon EKS cluster. diff --git a/latest/ug/clusters/cluster-insights.adoc b/latest/ug/clusters/cluster-insights.adoc index b3c2c88e1..bac4cf663 100644 --- a/latest/ug/clusters/cluster-insights.adoc +++ b/latest/ug/clusters/cluster-insights.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#cluster-insights] = Prepare for Kubernetes version upgrades with cluster insights :info_titleabbrev: Cluster insights :keywords: cluster, upgrade, insights -include::../attributes.txt[] - [abstract] -- Discover how Amazon EKS cluster insights help monitor and resolve potential Kubernetes version upgrade issues for enhanced reliability and faster adoption of new capabilities. diff --git a/latest/ug/clusters/clusters.adoc b/latest/ug/clusters/clusters.adoc index a18aec42b..00d0a8311 100644 --- a/latest/ug/clusters/clusters.adoc +++ b/latest/ug/clusters/clusters.adoc @@ -1,6 +1,9 @@ +:doctype: book + +include::../attributes.txt[] + [#clusters] = Organize workloads with Amazon EKS clusters -:doctype: book :sectnums: :toc: left :icons: font @@ -10,8 +13,6 @@ :sourcedir: . :info_titleabbrev: Clusters -include::../attributes.txt[] - An Amazon EKS cluster consists of two primary components: * The Amazon EKS control plane diff --git a/latest/ug/clusters/create-cluster-auto.adoc b/latest/ug/clusters/create-cluster-auto.adoc index df688b671..c5b2b5b51 100644 --- a/latest/ug/clusters/create-cluster-auto.adoc +++ b/latest/ug/clusters/create-cluster-auto.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#create-cluster-auto] = Create an Amazon EKS Auto Mode cluster :info_titleabbrev: Create auto cluster :idprefix: id_ -include::../attributes.txt[] - [abstract] -- Learn how to create an Amazon EKS Auto Mode cluster to run Kubernetes applications, including prerequisites, networking options, and add-on configurations. diff --git a/latest/ug/clusters/create-cluster.adoc b/latest/ug/clusters/create-cluster.adoc index 8ce87269b..2dd2364c5 100644 --- a/latest/ug/clusters/create-cluster.adoc +++ b/latest/ug/clusters/create-cluster.adoc @@ -1,11 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#create-cluster] = Create an Amazon EKS cluster :info_titleabbrev: Create a cluster -include::../attributes.txt[] - - [abstract] -- Learn how to create an Amazon EKS cluster to run Kubernetes applications, including prerequisites, networking options, and add-on configurations. diff --git a/latest/ug/clusters/delete-cluster.adoc b/latest/ug/clusters/delete-cluster.adoc index 514092f53..c763da068 100644 --- a/latest/ug/clusters/delete-cluster.adoc +++ b/latest/ug/clusters/delete-cluster.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#delete-cluster] = Delete a cluster :info_titleabbrev: Delete a cluster -include::../attributes.txt[] - [abstract] -- Learn how to delete Amazon EKS clusters, including managed and self-managed node groups, Fargate profiles, related services, and {aws} CloudFormation stacks using eksctl, {aws-management-console}, or {aws} CLI for cost optimization and resource cleanup. diff --git a/latest/ug/clusters/disable-extended-support.adoc b/latest/ug/clusters/disable-extended-support.adoc index 6b3b1c35a..f24a2e82b 100644 --- a/latest/ug/clusters/disable-extended-support.adoc +++ b/latest/ug/clusters/disable-extended-support.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#disable-extended-support] = Prevent increased cluster costs by disabling EKS extended support :info_titleabbrev: Disable extended support -include::../attributes.txt[] - This topic describes how to set the _upgrade policy_ of an EKS cluster to disable extended support. The upgrade policy of an EKS cluster determines what happens when a cluster reaches the end of the standard _support period_. If a cluster upgrade policy has extended support disabled, it will be automatically upgraded to the next Kubernetes version. For more information about upgrade policies, see <>. diff --git a/latest/ug/clusters/disable-windows-support.adoc b/latest/ug/clusters/disable-windows-support.adoc index 951b3d0cb..09ad4df62 100644 --- a/latest/ug/clusters/disable-windows-support.adoc +++ b/latest/ug/clusters/disable-windows-support.adoc @@ -1,9 +1,11 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#disable-windows-support] = Disable Windows support -include::../attributes.txt[] - . If your cluster contains Amazon Linux nodes and you use <> with them, then skip this step. + Remove the `AmazonVPCResourceController` managed IAM policy from your <>. Replace [.replaceable]`eksClusterRole` with the name of your cluster role and [.replaceable]`111122223333` with your account ID. diff --git a/latest/ug/clusters/enable-extended-support.adoc b/latest/ug/clusters/enable-extended-support.adoc index 443ee5295..85324f020 100644 --- a/latest/ug/clusters/enable-extended-support.adoc +++ b/latest/ug/clusters/enable-extended-support.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#enable-extended-support] = Add flexibility to plan Kubernetes version upgrades by enabling EKS extended support :info_titleabbrev: Enable extended support -include::../attributes.txt[] - This topic describes how to set the _upgrade policy_ of an EKS cluster to enable extended support. The upgrade policy of an EKS cluster determines what happens when a cluster reaches the end of the standard _support period_. If a cluster upgrade policy has extended support enabled, it will enter the extended support period at the end of the standard support period. The cluster will not be automatically upgraded at the end of the standard support period. Clusters actually in the _extended support period_ incur higher costs. If a cluster merely has the upgrade policy set to enable extended support, and is otherwise in the _standard support period_, it incurs standard costs. diff --git a/latest/ug/clusters/kubernetes-versions-extended.adoc b/latest/ug/clusters/kubernetes-versions-extended.adoc index 9331724ea..9a2ff7f45 100644 --- a/latest/ug/clusters/kubernetes-versions-extended.adoc +++ b/latest/ug/clusters/kubernetes-versions-extended.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#kubernetes-versions-extended] = Review release notes for Kubernetes versions on extended support :info_titleabbrev: Extended support versions -include::../attributes.txt[] - [abstract] -- This topic gives important changes to be aware of for each Kubernetes version in extended support. diff --git a/latest/ug/clusters/kubernetes-versions-standard.adoc b/latest/ug/clusters/kubernetes-versions-standard.adoc index 3181eaff5..7f2b3ead8 100644 --- a/latest/ug/clusters/kubernetes-versions-standard.adoc +++ b/latest/ug/clusters/kubernetes-versions-standard.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#kubernetes-versions-standard] = Review release notes for Kubernetes versions on standard support :info_titleabbrev: Standard support versions -include::../attributes.txt[] - [abstract] -- This topic gives important changes to be aware of for each Kubernetes version in standard support. diff --git a/latest/ug/clusters/kubernetes-versions.adoc b/latest/ug/clusters/kubernetes-versions.adoc index 36ca40e77..31d66e8a9 100644 --- a/latest/ug/clusters/kubernetes-versions.adoc +++ b/latest/ug/clusters/kubernetes-versions.adoc @@ -1,3 +1,7 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#kubernetes-versions] = Understand the Kubernetes version lifecycle on EKS @@ -5,8 +9,6 @@ :keywords: Amazon EKS, available, Kubernetes, version, release notes -include::../attributes.txt[] - [abstract] -- Learn how Amazon EKS supports Kubernetes versions with standard and extended support periods, allowing you to proactively update clusters with the latest versions, features, and security patches.. diff --git a/latest/ug/clusters/management/cost-monitoring-aws.adoc b/latest/ug/clusters/management/cost-monitoring-aws.adoc index cf3ae47bc..7f0c6805f 100644 --- a/latest/ug/clusters/management/cost-monitoring-aws.adoc +++ b/latest/ug/clusters/management/cost-monitoring-aws.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc b/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc index cc84bd7f9..2c99fb19a 100644 --- a/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc +++ b/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc @@ -1,9 +1,11 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#cost-monitoring-kubecost-bundles] = Learn more about Kubecost -include::../../attributes.txt[] - Amazon EKS provides an {aws} optimized bundle of Kubecost for cluster cost visibility. Amazon EKS supports Kubecost, which you can use to monitor your costs broken down by Kubernetes resources including Pods, nodes, namespaces, and labels. This topic covers the available versions of Kubecost, and the differences between the available tiers. EKS supports Kubecost Version 1 and Version 2. Each version is available in different tiers. You can use _Amazon EKS optimized Kubecost custom bundle_ for your EKS clusters at no additional cost. You may be charged for use of associated {aws} services, such as Amazon Managed Service for Prometheus. Also, you can use your existing {aws} support agreements to obtain support. diff --git a/latest/ug/clusters/management/cost-monitoring-kubecost.adoc b/latest/ug/clusters/management/cost-monitoring-kubecost.adoc index d06e8b306..2a6ed5429 100644 --- a/latest/ug/clusters/management/cost-monitoring-kubecost.adoc +++ b/latest/ug/clusters/management/cost-monitoring-kubecost.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#cost-monitoring-kubecost] = Install Kubecost and access dashboard :info_titleabbrev: Install Kubecost -include::../../attributes.txt[] - Amazon EKS supports Kubecost, which you can use to monitor your costs broken down by Kubernetes resources including Pods, nodes, namespaces, and labels. This topic covers installing Kubecost, and accessing the Kubecost dashboard. Amazon EKS provides an {aws} optimized bundle of Kubecost for cluster cost visibility. You can use your existing {aws} support agreements to obtain support. For more information about the available versions of Kubecost, see <>. diff --git a/latest/ug/clusters/management/cost-monitoring.adoc b/latest/ug/clusters/management/cost-monitoring.adoc index 6362c3ca9..d7fb55410 100644 --- a/latest/ug/clusters/management/cost-monitoring.adoc +++ b/latest/ug/clusters/management/cost-monitoring.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#cost-monitoring] = Monitor and optimize Amazon EKS cluster costs :info_titleabbrev: Cost monitoring :keywords: cost, monitoring, watch -include::../../attributes.txt[] - [abstract] -- Learn how to monitor and optimize costs for your Amazon EKS clusters using {aws} Billing split cost allocation data or Kubecost, a Kubernetes-native cost monitoring tool integrated with {aws}. diff --git a/latest/ug/clusters/management/eks-managing.adoc b/latest/ug/clusters/management/eks-managing.adoc index 1de372393..9bcc77d80 100644 --- a/latest/ug/clusters/management/eks-managing.adoc +++ b/latest/ug/clusters/management/eks-managing.adoc @@ -1,6 +1,9 @@ +:doctype: book + +include::../../attributes.txt[] + [#eks-managing] = Organize and monitor cluster resources -:doctype: book :sectnums: :toc: left :icons: font @@ -10,8 +13,6 @@ :sourcedir: . :info_titleabbrev: Cluster management -include::../../attributes.txt[] - This chapter includes the following topics to help you manage your cluster. You can also view information about your <> with the {aws-management-console}. * The Kubernetes Dashboard is a general purpose, web-based UI for Kubernetes clusters. It allows users to manage applications running in the cluster and troubleshoot them, as well as manage the cluster itself. For more information, see The https://github.com/kubernetes/dashboard[Kubernetes Dashboard] GitHub repository. diff --git a/latest/ug/clusters/management/eks-using-tags.adoc b/latest/ug/clusters/management/eks-using-tags.adoc index 81051e781..5a2304fba 100644 --- a/latest/ug/clusters/management/eks-using-tags.adoc +++ b/latest/ug/clusters/management/eks-using-tags.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#eks-using-tags] = Organize Amazon EKS resources with tags :info_titleabbrev: Tagging your resources :keywords: metadata, tag, resources -include::../../attributes.txt[] - [abstract] -- Learn how to use tags to categorize and manage your Amazon EKS resources like clusters, managed node groups, and Fargate profiles for billing, cost allocation, and resource identification. diff --git a/latest/ug/clusters/management/helm.adoc b/latest/ug/clusters/management/helm.adoc index fc56d7eb0..bc495ad0c 100644 --- a/latest/ug/clusters/management/helm.adoc +++ b/latest/ug/clusters/management/helm.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#helm] = Deploy applications with Helm on Amazon EKS :info_titleabbrev: Deploy apps with Helm -include::../../attributes.txt[] - [abstract] -- Learn how to install and use Helm, a package manager for Kubernetes, with your Amazon EKS cluster to manage and deploy applications seamlessly. diff --git a/latest/ug/clusters/management/metrics-server.adoc b/latest/ug/clusters/management/metrics-server.adoc index cb504dc7c..984d66a6d 100644 --- a/latest/ug/clusters/management/metrics-server.adoc +++ b/latest/ug/clusters/management/metrics-server.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#metrics-server] = View resource usage with the Kubernetes Metrics Server :info_titleabbrev: Metrics server -include::../../attributes.txt[] - [abstract] -- Use the Kubernetes Metrics Server to view resource usage data on your Amazon EKS cluster for autoscaling and monitoring. diff --git a/latest/ug/clusters/management/service-quotas.adoc b/latest/ug/clusters/management/service-quotas.adoc index 78fe8a77f..266402b11 100644 --- a/latest/ug/clusters/management/service-quotas.adoc +++ b/latest/ug/clusters/management/service-quotas.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#service-quotas] = View and manage Amazon EKS and Fargate service quotas :info_titleabbrev: Service quotas -include::../../attributes.txt[] - [abstract] -- Use Service Quotas to view and manage Amazon EKS and {aws} Fargate quotas from the {aws-management-console} or {aws} CLI. diff --git a/latest/ug/clusters/platform-versions.adoc b/latest/ug/clusters/platform-versions.adoc index a5e28966b..f85d6ce5d 100644 --- a/latest/ug/clusters/platform-versions.adoc +++ b/latest/ug/clusters/platform-versions.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#platform-versions] = View Amazon EKS platform versions for each Kubernetes version :info_titleabbrev: Platform versions -include::../attributes.txt[] - Amazon EKS platform versions represent the capabilities of the Amazon EKS cluster control plane, such as which Kubernetes API server flags are enabled, as well as the current Kubernetes patch version. Each Kubernetes minor version has one or more associated Amazon EKS platform versions. The platform versions for different Kubernetes minor versions are independent. You can <> using the {aws} CLI or {aws-management-console}. If you have a local cluster on {aws} Outposts, see <> instead of this topic. When a new Kubernetes minor version is available in Amazon EKS, such as {k8s-n}, the initial Amazon EKS platform version for that Kubernetes minor version starts at `eks.1`. However, Amazon EKS releases new platform versions periodically to enable new Kubernetes control plane settings and to provide security fixes. diff --git a/latest/ug/clusters/private-clusters.adoc b/latest/ug/clusters/private-clusters.adoc index 92cdc507b..46eecd9d2 100644 --- a/latest/ug/clusters/private-clusters.adoc +++ b/latest/ug/clusters/private-clusters.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#private-clusters] = Deploy private clusters with limited internet access :info_titleabbrev: Private clusters -include::../attributes.txt[] - [abstract] -- Learn how to deploy and operate an Amazon EKS cluster without outbound internet access, including requirements for private container registries, endpoint access control, and VPC interface endpoints for {aws} services. diff --git a/latest/ug/clusters/update-cluster.adoc b/latest/ug/clusters/update-cluster.adoc index 7296b3519..98a5d2177 100644 --- a/latest/ug/clusters/update-cluster.adoc +++ b/latest/ug/clusters/update-cluster.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#update-cluster] = Update existing cluster to new Kubernetes version :info_titleabbrev: Update Kubernetes version -include::../attributes.txt[] - [abstract] -- Learn how to update your Amazon EKS cluster to the latest Kubernetes version, ensuring compatibility with nodes and add-ons, and maintaining high availability during the process. diff --git a/latest/ug/clusters/view-support-status.adoc b/latest/ug/clusters/view-support-status.adoc index 162465a7b..a3b87fc34 100644 --- a/latest/ug/clusters/view-support-status.adoc +++ b/latest/ug/clusters/view-support-status.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#view-support-status] = View current cluster support period :info_titleabbrev: View support period -include::../attributes.txt[] - The *cluster support period* section of the {aws} console indicates if your cluster is _currently_ on standard or extended support. If your cluster support period is *Extended support*, you are being charged for EKS extended support. For more information about standard and extended support, see <>. diff --git a/latest/ug/clusters/view-upgrade-policy.adoc b/latest/ug/clusters/view-upgrade-policy.adoc index 0ab6b2940..99418a5dc 100644 --- a/latest/ug/clusters/view-upgrade-policy.adoc +++ b/latest/ug/clusters/view-upgrade-policy.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#view-upgrade-policy] = View current cluster upgrade policy :info_titleabbrev: View upgrade policy -include::../attributes.txt[] - The *cluster upgrade policy* determines what happens to your cluster when it leaves the standard support period. If your upgrade policy is `EXTENDED`, the cluster will not be automatically upgraded, and will enter extended support. If your upgrade policy is `STANDARD`, it will be automatically upgraded. Amazon EKS controls for Kubernetes version policy allows you to choose the end of standard support behavior for your EKS clusters. With these controls you can decide which clusters should enter extended support and which clusters should be automatically upgraded at the end of standard support for a Kubernetes version. diff --git a/latest/ug/clusters/windows-support.adoc b/latest/ug/clusters/windows-support.adoc index 6b7e4f176..fb5ee343d 100644 --- a/latest/ug/clusters/windows-support.adoc +++ b/latest/ug/clusters/windows-support.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#windows-support] = Deploy Windows nodes on EKS clusters :info_titleabbrev: Enable Windows support -include::../attributes.txt[] - [abstract] -- Learn how to enable and manage Windows support for your Amazon EKS cluster to run Windows containers alongside Linux containers. diff --git a/latest/ug/clusters/zone-shift-enable.adoc b/latest/ug/clusters/zone-shift-enable.adoc index ba629073b..875f01b31 100644 --- a/latest/ug/clusters/zone-shift-enable.adoc +++ b/latest/ug/clusters/zone-shift-enable.adoc @@ -1,3 +1,4 @@ +:doctype: book [.topic] [#zone-shift-enable] = Enable EKS Zonal Shift to avoid impaired Availability Zones diff --git a/latest/ug/clusters/zone-shift.adoc b/latest/ug/clusters/zone-shift.adoc index f633f5738..1efc70e7b 100644 --- a/latest/ug/clusters/zone-shift.adoc +++ b/latest/ug/clusters/zone-shift.adoc @@ -1,3 +1,4 @@ +:doctype: book [.topic] [#zone-shift] = Learn about Amazon Application Recovery Controller's (ARC) Zonal Shift in Amazon EKS diff --git a/latest/ug/connector/connecting-cluster.adoc b/latest/ug/connector/connecting-cluster.adoc index 84c86903f..e54412eab 100644 --- a/latest/ug/connector/connecting-cluster.adoc +++ b/latest/ug/connector/connecting-cluster.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#connecting-cluster] = Connect an external Kubernetes cluster to the Amazon EKS Management Console :info_titleabbrev: Connect a cluster -include::../attributes.txt[] - [abstract] -- Learn to connect an external Kubernetes cluster to an Amazon EKS Management Console and install the eks-connector agent via Helm or YAML manifests to enable visibility and management of the external cluster. diff --git a/latest/ug/connector/connector-grant-access.adoc b/latest/ug/connector/connector-grant-access.adoc index 97e126e5a..45565ef82 100644 --- a/latest/ug/connector/connector-grant-access.adoc +++ b/latest/ug/connector/connector-grant-access.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#connector-grant-access] = Grant access to view Kubernetes cluster resources on an Amazon EKS console :info_titleabbrev: Grant access to clusters -include::../attributes.txt[] - [abstract] -- Learn to grant IAM principals access to view Kubernetes cluster resources on an Amazon EKS Management Console. diff --git a/latest/ug/connector/deregister-connected-cluster.adoc b/latest/ug/connector/deregister-connected-cluster.adoc index 2577ad400..5372af8c9 100644 --- a/latest/ug/connector/deregister-connected-cluster.adoc +++ b/latest/ug/connector/deregister-connected-cluster.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#deregister-connected-cluster] = Deregister a Kubernetes cluster from the Amazon EKS console :info_titleabbrev: Deregister a cluster -include::../attributes.txt[] - [abstract] -- Learn to deregister a Kubernetes cluster from Amazon EKS and uninstall the eks-connector agent to stop managing the cluster from the Amazon EKS Management Console. diff --git a/latest/ug/connector/eks-connector.adoc b/latest/ug/connector/eks-connector.adoc index 67759d9c8..5b94c737a 100644 --- a/latest/ug/connector/eks-connector.adoc +++ b/latest/ug/connector/eks-connector.adoc @@ -1,6 +1,9 @@ +:doctype: book + +include::../attributes.txt[] + [#eks-connector] = Connect a Kubernetes cluster to an Amazon EKS Management Console with Amazon EKS Connector -:doctype: book :sectnums: :toc: left :icons: font @@ -10,8 +13,6 @@ :sourcedir: . :info_titleabbrev: Amazon EKS Connector -include::../attributes.txt[] - [abstract] -- Discover how to connect conformant Kubernetes clusters to {aws} and visualize them in the Amazon EKS console using the Amazon EKS Connector agent and required IAM roles. diff --git a/latest/ug/connector/security-connector.adoc b/latest/ug/connector/security-connector.adoc index ffdda5503..21fb6d36e 100644 --- a/latest/ug/connector/security-connector.adoc +++ b/latest/ug/connector/security-connector.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#security-connector] = Understand security in Amazon EKS Connector :info_titleabbrev: Security considerations -include::../attributes.txt[] - [abstract] -- Learn how the open-source EKS Connector affects security, and understand {aws} and customer security responsibilities for connectivity, cluster management, and IAM access control. diff --git a/latest/ug/connector/troubleshooting-connector.adoc b/latest/ug/connector/troubleshooting-connector.adoc index 62b634d12..0b29ceb28 100644 --- a/latest/ug/connector/troubleshooting-connector.adoc +++ b/latest/ug/connector/troubleshooting-connector.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#troubleshooting-connector] = Troubleshoot Amazon EKS Connector issues :info_titleabbrev: Troubleshoot EKS Connector -include::../attributes.txt[] - [abstract] -- Troubleshoot and resolve common issues when using Amazon EKS Connector to connect your Kubernetes clusters to Amazon EKS. diff --git a/latest/ug/connector/tsc-faq.adoc b/latest/ug/connector/tsc-faq.adoc index 388f1afc1..ff2dd1228 100644 --- a/latest/ug/connector/tsc-faq.adoc +++ b/latest/ug/connector/tsc-faq.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../attributes.txt[] [.topic] diff --git a/latest/ug/contribute/asciidoc-syntax.adoc b/latest/ug/contribute/asciidoc-syntax.adoc index 99d3d076f..33116dccd 100644 --- a/latest/ug/contribute/asciidoc-syntax.adoc +++ b/latest/ug/contribute/asciidoc-syntax.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#asciidoc-syntax] = AsciiDoc Syntax Reference :info_titleabbrev: AsciiDoc syntax -include::../attributes.txt[] - This page is a quick overview of AsciiDoc syntax. We suggest using AsciiDoc syntax. The AsciiDoc tooling has partial support for Markdown syntax, including headings and lists. diff --git a/latest/ug/contribute/contribute.adoc b/latest/ug/contribute/contribute.adoc index 9d872cbb7..c5eae71fd 100644 --- a/latest/ug/contribute/contribute.adoc +++ b/latest/ug/contribute/contribute.adoc @@ -1,11 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [#contribute] # Contribute to the EKS User Guide :info_titleabbrev: Contribute -include::../attributes.txt[] - - {aws} has launched an improved contribution experience for the EKS User Guide. You can now edit the EKS User Guide source directly on GitHub. diff --git a/latest/ug/contribute/create-content-q.adoc b/latest/ug/contribute/create-content-q.adoc index bc62a0235..9b00eab15 100644 --- a/latest/ug/contribute/create-content-q.adoc +++ b/latest/ug/contribute/create-content-q.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#create-content-q] = Create docs content with Amazon Q :info_titleabbrev: Create with Amazon Q -include::../attributes.txt[] - You can use Amazon Q to create and revise docs content. This is an easy way to get started on a new page. Amazon Q is available as an extension to Visual Studio (VS) Code. In the following image, Amazon Q generated the lines marked with green. diff --git a/latest/ug/contribute/create-page.adoc b/latest/ug/contribute/create-page.adoc index 73e178ecc..fc56e8e46 100644 --- a/latest/ug/contribute/create-page.adoc +++ b/latest/ug/contribute/create-page.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#create-page] = Create a new page :info_titleabbrev: Create page -include::../attributes.txt[] - Learn how to create a new docs page. This topic includes instructions for creating the initial page metadata, and adding the page to the guide table of contents. == Create page diff --git a/latest/ug/contribute/edit-single-web.adoc b/latest/ug/contribute/edit-single-web.adoc index 2479fce28..85645342c 100644 --- a/latest/ug/contribute/edit-single-web.adoc +++ b/latest/ug/contribute/edit-single-web.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#edit-single-web] = Edit a single page from a web browser :info_titleabbrev: Edit single page -include::../attributes.txt[] - You can easily edit a single page in the EKS User Guide directly through your web browser. image::images/contribute-web-edit.png["View of GitHub web edit interface"] diff --git a/latest/ug/contribute/edit-web.adoc b/latest/ug/contribute/edit-web.adoc index 4db5fc035..242a1b59f 100644 --- a/latest/ug/contribute/edit-web.adoc +++ b/latest/ug/contribute/edit-web.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#edit-web] = Edit multiple files from a web browser with the GitHub Web Editor :info_titleabbrev: Edit files with GitHub -include::../attributes.txt[] - If you want to propose change to multiple pages, or create a new docs page, use the GitHub.dev web editor. This web editor is based on the popular Visual Studio Code text editor. image::images/contribute-web-dev.png["GitHub.dev web editor user interface] diff --git a/latest/ug/contribute/insert-link.adoc b/latest/ug/contribute/insert-link.adoc index 4ec236f25..eab09fe8a 100644 --- a/latest/ug/contribute/insert-link.adoc +++ b/latest/ug/contribute/insert-link.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#insert-link] = Insert a link :info_titleabbrev: Insert link -include::../attributes.txt[] - AsciiDoc supports multiple types of links. Using the right link type is important so the link works properly in different environments. == Link to a page or section in the EKS User Guide diff --git a/latest/ug/contribute/pr-preview.adoc b/latest/ug/contribute/pr-preview.adoc index 8edb46725..a628630a1 100644 --- a/latest/ug/contribute/pr-preview.adoc +++ b/latest/ug/contribute/pr-preview.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#pr-preview] = View a preview of pull request content :info_titleabbrev: View PR preview -include::../attributes.txt[] - The Amazon EKS User Guide GitHub is configured to build and generate a preview of the docs site. This preview doesn't have the full {aws} theme, but it does check the content builds properly and links work. image::images/contribute-preview.png["GitHub comment with preview URL"] diff --git a/latest/ug/contribute/pr-status.adoc b/latest/ug/contribute/pr-status.adoc index 7ce0bf8cf..df4500841 100644 --- a/latest/ug/contribute/pr-status.adoc +++ b/latest/ug/contribute/pr-status.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#pr-status] = View the status of your GitHub Pull Request (PR) :info_titleabbrev: View PR Status -include::../attributes.txt[] - After you create a pull request, you can track it's status. Pull requests have three important statuses: merged, closed, and changes requested. If a pull request is merged, the changes were accepted. It may take a few hours for the website to update. If the PR was closed, please understand we appreciate the contribution but could not approve the changes. For example, we may have been unable to replicate the problem. If a pull request has changes requested, review the feedback and update the pull request. diff --git a/latest/ug/contribute/vale-github.adoc b/latest/ug/contribute/vale-github.adoc index 076817939..ad1f8b30d 100644 --- a/latest/ug/contribute/vale-github.adoc +++ b/latest/ug/contribute/vale-github.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#vale-github] = View style feedback online for a pull request :info_titleabbrev: View PR feedback -include::../attributes.txt[] - When you create a pull request to propose docs changes, multiple GitHub actions run. This includes a style check using Vale. image::images/contribute-style-web.png["View style feedback on GitHub"] diff --git a/latest/ug/contribute/vale-local.adoc b/latest/ug/contribute/vale-local.adoc index 6fa1fd8bd..fbeb572e8 100644 --- a/latest/ug/contribute/vale-local.adoc +++ b/latest/ug/contribute/vale-local.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#vale-local] = View style feedback as you type by installing Vale locally :info_titleabbrev: View style feedback -include::../attributes.txt[] - You can see style feedback as you type. This helps identify awkward writing and typos. image::images/contribute-style-local.png["View style feedback in VS Code] diff --git a/latest/ug/diagrams/README.adoc b/latest/ug/diagrams/README.adoc index 6cb2f9a6b..0e4154e4c 100644 --- a/latest/ug/diagrams/README.adoc +++ b/latest/ug/diagrams/README.adoc @@ -1,3 +1,4 @@ +:doctype: book = Diagram Source Files Diagram source files have moved to Amazon Workdocs. diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index 71784f82f..b8b28de8c 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -1,8 +1,8 @@ +:doctype: book [.topic] [#doc-history] // H1 title is necessary, and must occur before the [abstract], but is unused in the web page (:info_title: is used instead, and :info_titleabbrev: is used in the ToC) = Document history -:doctype: book :sectnums: :toc: left :icons: font diff --git a/latest/ug/getting-started/getting-started-automode.adoc b/latest/ug/getting-started/getting-started-automode.adoc index b4aa086a9..e61d88542 100644 --- a/latest/ug/getting-started/getting-started-automode.adoc +++ b/latest/ug/getting-started/getting-started-automode.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#getting-started-automode] = Get started with Amazon EKS – EKS Auto Mode :info_titleabbrev: Create cluster (EKS Auto Mode) :keywords: using, Auto, getting, started, tutorial -include::../attributes.txt[] - Like other EKS getting started experiences, creating your first cluster with EKS Auto Mode delegates the management of the cluster itself to {aws}. However, EKS Auto Mode extends EKS automation by handing responsibility of many essential services needed to set up workload infrastructure (nodes, networks, and various services), making it easier to manage nodes and scale up to meet workload demands. diff --git a/latest/ug/getting-started/getting-started-console.adoc b/latest/ug/getting-started/getting-started-console.adoc index 003c10706..8d60a9641 100644 --- a/latest/ug/getting-started/getting-started-console.adoc +++ b/latest/ug/getting-started/getting-started-console.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../attributes.txt[] [.topic] diff --git a/latest/ug/getting-started/getting-started-eksctl.adoc b/latest/ug/getting-started/getting-started-eksctl.adoc index f4d898d0a..3ae41bd6e 100644 --- a/latest/ug/getting-started/getting-started-eksctl.adoc +++ b/latest/ug/getting-started/getting-started-eksctl.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#getting-started-eksctl] = Get started with Amazon EKS – `eksctl` :info_titleabbrev: Create cluster (eksctl) :keywords: using, eksctl, getting, started, tutorial -include::../attributes.txt[] - [abstract] -- Learn how to create your first Amazon EKS cluster with nodes using the `eksctl` command line tool. diff --git a/latest/ug/getting-started/getting-started.adoc b/latest/ug/getting-started/getting-started.adoc index 6c1fcec38..ed773aa8e 100644 --- a/latest/ug/getting-started/getting-started.adoc +++ b/latest/ug/getting-started/getting-started.adoc @@ -1,6 +1,9 @@ +:doctype: book + +include::../attributes.txt[] + [#getting-started] = Get started with Amazon EKS -:doctype: book :sectnums: :toc: left :icons: font @@ -11,8 +14,6 @@ :info_titleabbrev: Get started :keywords: getting, started, tutorials, quick, start -include::../attributes.txt[] - [abstract] -- Learn about the tools needed for creating and working with an Amazon EKS cluster. diff --git a/latest/ug/getting-started/install-awscli.adoc b/latest/ug/getting-started/install-awscli.adoc index 4b4e667d1..bd24ed94f 100644 --- a/latest/ug/getting-started/install-awscli.adoc +++ b/latest/ug/getting-started/install-awscli.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../attributes.txt[] [.topic] diff --git a/latest/ug/getting-started/install-kubectl.adoc b/latest/ug/getting-started/install-kubectl.adoc index b2613ce87..111cb80c1 100644 --- a/latest/ug/getting-started/install-kubectl.adoc +++ b/latest/ug/getting-started/install-kubectl.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#install-kubectl] = Set up `kubectl` and `eksctl` :info_titleabbrev: Set up kubectl and eksctl :keywords: install, update, kubectl -include::../attributes.txt[] - [abstract] -- Learn how to install or update the `kubectl` and `eksctl` command line tools to work with Kubernetes and Amazon EKS features. diff --git a/latest/ug/getting-started/learn-eks.adoc b/latest/ug/getting-started/learn-eks.adoc index e07ce9632..97102581f 100644 --- a/latest/ug/getting-started/learn-eks.adoc +++ b/latest/ug/getting-started/learn-eks.adoc @@ -1,3 +1,7 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#learn-eks] = Learn Amazon EKS by example @@ -11,8 +15,6 @@ :idseparator: - :sourcedir: . -include::../attributes.txt[] - [abstract] -- Find learning paths to extend your knowledge of Amazon EKS. diff --git a/latest/ug/getting-started/setting-up.adoc b/latest/ug/getting-started/setting-up.adoc index 2901237b4..360fa25ac 100644 --- a/latest/ug/getting-started/setting-up.adoc +++ b/latest/ug/getting-started/setting-up.adoc @@ -1,6 +1,9 @@ +:doctype: book + +include::../attributes.txt[] + [#setting-up] = Set up to use Amazon EKS -:doctype: book :sectnums: :toc: left :icons: font @@ -11,8 +14,6 @@ :info_titleabbrev: Set up :keywords: setting up, setup -include::../attributes.txt[] - [abstract] -- Set up the tools needed for creating and working with an Amazon EKS cluster. diff --git a/latest/ug/integrations/creating-resources-with-cloudformation.adoc b/latest/ug/integrations/creating-resources-with-cloudformation.adoc index cfdcde846..2ff5d065a 100644 --- a/latest/ug/integrations/creating-resources-with-cloudformation.adoc +++ b/latest/ug/integrations/creating-resources-with-cloudformation.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../attributes.txt[] [.topic] [#creating-resources-with-cloudformation] diff --git a/latest/ug/integrations/eks-integrations.adoc b/latest/ug/integrations/eks-integrations.adoc index 8716e18d3..9ea3e7d54 100644 --- a/latest/ug/integrations/eks-integrations.adoc +++ b/latest/ug/integrations/eks-integrations.adoc @@ -1,7 +1,7 @@ +:doctype: book include::../attributes.txt[] [#eks-integrations] = Enhance EKS with integrated {aws} services -:doctype: book :sectnums: :toc: left :icons: font diff --git a/latest/ug/integrations/integration-detective.adoc b/latest/ug/integrations/integration-detective.adoc index 472cbe7d9..203abe906 100644 --- a/latest/ug/integrations/integration-detective.adoc +++ b/latest/ug/integrations/integration-detective.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#integration-detective] = Analyze security events on EKS with Amazon Detective :info_titleabbrev: Amazon Detective :keywords: Amazon Detective -include::../attributes.txt[] - [abstract] -- Amazon Detective helps you analyze, investigate, and quickly identify the root cause of security findings or suspicious activities. diff --git a/latest/ug/integrations/integration-guardduty.adoc b/latest/ug/integrations/integration-guardduty.adoc index 45646af20..f4357f829 100644 --- a/latest/ug/integrations/integration-guardduty.adoc +++ b/latest/ug/integrations/integration-guardduty.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#integration-guardduty] = Detect threats with Amazon GuardDuty :info_titleabbrev: Amazon GuardDuty -include::../attributes.txt[] - Amazon GuardDuty is a threat detection service that helps protect you accounts, containers, workloads, and the data with your {aws} environment. Using machine learning (ML) models, and anomaly and threat detection capabilities, GuardDuty continuously monitors different log sources and runtime activity to identify and prioritize potential security risks and malicious activities in your environment. Among other features, GuardDuty offers the following two features that detect potential threats to your EKS clusters: _EKS Protection_ and _Runtime Monitoring_. diff --git a/latest/ug/integrations/integration-resilience-hub.adoc b/latest/ug/integrations/integration-resilience-hub.adoc index 66414c241..9525c606f 100644 --- a/latest/ug/integrations/integration-resilience-hub.adoc +++ b/latest/ug/integrations/integration-resilience-hub.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../attributes.txt[] [.topic] diff --git a/latest/ug/integrations/integration-securitylake.adoc b/latest/ug/integrations/integration-securitylake.adoc index 71c5356ac..2f1b41e1f 100644 --- a/latest/ug/integrations/integration-securitylake.adoc +++ b/latest/ug/integrations/integration-securitylake.adoc @@ -1,3 +1,7 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#integration-securitylake] = Centralize and analyze EKS security data with Security Lake @@ -5,8 +9,6 @@ :keywords: Amazon EKS, Amazon Security Lake, Kubernetes security, centralized security data, threat detection -include::../attributes.txt[] - [abstract] -- Amazon Security Lake integrates with Amazon EKS to provide a centralized and standardized solution for collecting, storing, and analyzing security data from clusters. By enabling EKS control plane logging and adding EKS logs as a source in Security Lake, users can gain valuable insights, detect potential threats, and enhance the security posture of their Kubernetes environments. diff --git a/latest/ug/integrations/integration-vpc-lattice.adoc b/latest/ug/integrations/integration-vpc-lattice.adoc index 5ba199fd9..f2ae12766 100644 --- a/latest/ug/integrations/integration-vpc-lattice.adoc +++ b/latest/ug/integrations/integration-vpc-lattice.adoc @@ -1,8 +1,10 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#integration-vpc-lattice] = Enable secure cross-cluster connectivity with Amazon VPC Lattice :info_titleabbrev: Amazon VPC Lattice -include::../attributes.txt[] - Amazon VPC Lattice is a fully managed application networking service built directly into the {aws} networking infrastructure that you can use to connect, secure, and monitor your services across multiple accounts and Virtual Private Clouds (VPCs). With Amazon EKS, you can leverage Amazon VPC Lattice through the use of the {aws} Gateway API Controller, an implementation of the Kubernetes https://gateway-api.sigs.k8s.io/[Gateway API]. Using Amazon VPC Lattice, you can set up cross-cluster connectivity with standard Kubernetes semantics in a simple and consistent manner. To get started using Amazon VPC Lattice with Amazon EKS see the https://www.gateway-api-controller.eks.aws.dev/[{aws} Gateway API Controller User Guide]. \ No newline at end of file diff --git a/latest/ug/integrations/local-zones.adoc b/latest/ug/integrations/local-zones.adoc index 7d0a06942..c97c0ec83 100644 --- a/latest/ug/integrations/local-zones.adoc +++ b/latest/ug/integrations/local-zones.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/aws-access/associate-service-account-role.adoc b/latest/ug/manage-access/aws-access/associate-service-account-role.adoc index 5bc1cb27a..79990fd55 100644 --- a/latest/ug/manage-access/aws-access/associate-service-account-role.adoc +++ b/latest/ug/manage-access/aws-access/associate-service-account-role.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#associate-service-account-role] = Assign IAM roles to Kubernetes service accounts :info_titleabbrev: Assign IAM role -include::../../attributes.txt[] - [abstract] -- Discover how to configure a Kubernetes service account to assume an IAM role, enabling Pods to securely access {aws} services with granular permissions. diff --git a/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc b/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc index 85e1b92ff..5a08ba07f 100644 --- a/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc +++ b/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../../attributes.txt[] [.topic] [#configure-sts-endpoint] diff --git a/latest/ug/manage-access/aws-access/cross-account-access.adoc b/latest/ug/manage-access/aws-access/cross-account-access.adoc index 71383add4..667168bd3 100644 --- a/latest/ug/manage-access/aws-access/cross-account-access.adoc +++ b/latest/ug/manage-access/aws-access/cross-account-access.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#cross-account-access] = Authenticate to another account with IRSA :info_titleabbrev: Cross-account IAM -include::../../attributes.txt[] - [abstract] -- Learn how to configure cross-account IAM permissions for Amazon EKS clusters by creating an identity provider from another account's cluster or using chained AssumeRole operations, enabling secure access to {aws} resources across multiple accounts. diff --git a/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc b/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc index 9abc74dfa..4d31afb8e 100644 --- a/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#enable-iam-roles-for-service-accounts] = Create an IAM OIDC provider for your cluster :info_titleabbrev: IAM OIDC provider -include::../../attributes.txt[] - [abstract] -- Learn how to create an {aws} Identity and Access Management OpenID Connect provider for your cluster. diff --git a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc index 91e70f495..a05720f20 100644 --- a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc +++ b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../../attributes.txt[] [.topic] [#iam-roles-for-service-accounts-minimum-sdk] diff --git a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc index e1b8001f0..cd34f34c7 100644 --- a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#iam-roles-for-service-accounts] = IAM roles for service accounts :info_titleabbrev: Credentials with IRSA -include::../../attributes.txt[] - [abstract] -- Learn how applications in your Pods can access {aws} services. diff --git a/latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc b/latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc index 4afac47fa..d6bff8621 100644 --- a/latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc +++ b/latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#irsa-fetch-keys] = Fetch signing keys to validate OIDC tokens :info_titleabbrev: Fetch signing keys -include::../../attributes.txt[] - [abstract] -- Discover how to fetch the OIDC public signing keys (JSON Web Key Set) required to validate the ProjectedServiceAccountToken for Amazon EKS clusters, enabling external systems to authenticate with IAM roles for Kubernetes service accounts. diff --git a/latest/ug/manage-access/aws-access/pod-configuration.adoc b/latest/ug/manage-access/aws-access/pod-configuration.adoc index 3dbd61923..dca33433d 100644 --- a/latest/ug/manage-access/aws-access/pod-configuration.adoc +++ b/latest/ug/manage-access/aws-access/pod-configuration.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#pod-configuration] = Configure Pods to use a Kubernetes service account :info_titleabbrev: Assign to Pod -include::../../attributes.txt[] - [abstract] -- Learn how to configure your Pods to use a Kubernetes service account that you allowed to assume an {aws} Identity and Access Management role. diff --git a/latest/ug/manage-access/aws-access/pod-id-abac.adoc b/latest/ug/manage-access/aws-access/pod-id-abac.adoc index 6adec2510..48fafdb59 100644 --- a/latest/ug/manage-access/aws-access/pod-id-abac.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-abac.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../../attributes.txt[] [.topic] [#pod-id-abac] diff --git a/latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc b/latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc index 5815b984f..3bb62df31 100644 --- a/latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#pod-id-agent-config-ipv6] = Disable `IPv6` in the EKS Pod Identity Agent :info_titleabbrev: Disable IPv6 -include::../../attributes.txt[] - [#pod-id-console] == {aws-management-console} . To disable `IPv6` in the EKS Pod Identity Agent, add the following configuration to the *Optional configuration settings* of the EKS Add-on. diff --git a/latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc b/latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc index a8a340d99..ca2fccf77 100644 --- a/latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#pod-id-agent-setup] = Set up the Amazon EKS Pod Identity Agent :info_titleabbrev: Set up the Agent -include::../../attributes.txt[] - [abstract] -- Learn how to set up the EKS Pod Identity Agent for your cluster. diff --git a/latest/ug/manage-access/aws-access/pod-id-association.adoc b/latest/ug/manage-access/aws-access/pod-id-association.adoc index d4e4040d2..7ee241920 100644 --- a/latest/ug/manage-access/aws-access/pod-id-association.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-association.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#pod-id-association] = Assign an IAM role to a Kubernetes service account :info_titleabbrev: Assign IAM role -include::../../attributes.txt[] - [abstract] -- Learn how to configure a Kubernetes service account to assume an {aws} IAM role with Amazon EKS Pod Identity for securely accessing {aws} services from your pods. diff --git a/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc b/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc index ed4502aa6..7fea68d2d 100644 --- a/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../../attributes.txt[] [.topic] [#pod-id-configure-pods] diff --git a/latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc b/latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc index 3625c63d9..342ab66d2 100644 --- a/latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#pod-id-how-it-works] = Understand how EKS Pod Identity works :info_titleabbrev: How it works -include::../../attributes.txt[] - [abstract] -- Learn how Amazon EKS Pod Identity works to provide temporary credentials to your Kubernetes workloads, using an agent running on each node and the {aws} SDKs. diff --git a/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc b/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc index 11ac22905..75dcc8835 100644 --- a/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../../attributes.txt[] [.topic] [#pod-id-minimum-sdk] diff --git a/latest/ug/manage-access/aws-access/pod-id-role.adoc b/latest/ug/manage-access/aws-access/pod-id-role.adoc index 449829b99..445ca95c6 100644 --- a/latest/ug/manage-access/aws-access/pod-id-role.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-role.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#pod-id-role] = Create IAM role with trust policy required by EKS Pod Identity :info_titleabbrev: EKS Pod Identity role -include::../../attributes.txt[] - [abstract] -- Learn how to configure the IAM trust policy for Amazon EKS Pod Identity to allow Kubernetes pods to assume IAM roles and access {aws} resources securely using Amazon EKS condition keys. diff --git a/latest/ug/manage-access/aws-access/pod-identities.adoc b/latest/ug/manage-access/aws-access/pod-identities.adoc index 229ea5f0e..d24b48bb1 100644 --- a/latest/ug/manage-access/aws-access/pod-identities.adoc +++ b/latest/ug/manage-access/aws-access/pod-identities.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../../attributes.txt[] [.topic] [#pod-identities] diff --git a/latest/ug/manage-access/aws-access/service-accounts.adoc b/latest/ug/manage-access/aws-access/service-accounts.adoc index 3467a188d..a044bd4b3 100644 --- a/latest/ug/manage-access/aws-access/service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/service-accounts.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/cluster-auth.adoc b/latest/ug/manage-access/cluster-auth.adoc index 668e59d4d..6b43f9036 100644 --- a/latest/ug/manage-access/cluster-auth.adoc +++ b/latest/ug/manage-access/cluster-auth.adoc @@ -1,7 +1,10 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#cluster-auth] = Learn how access control works in Amazon EKS -:doctype: book :sectnums: :toc: left :icons: font @@ -11,8 +14,6 @@ :sourcedir: . :info_titleabbrev: Manage access -include::../attributes.txt[] - [abstract] -- Learn how to manage access to your EKS cluster. First, this includes granting developers or external services access to Kubernetes. Second, this includes granting Kubernetes workloads access to {aws} services. diff --git a/latest/ug/manage-access/create-kubeconfig.adoc b/latest/ug/manage-access/create-kubeconfig.adoc index 873a57aee..a0ec1f208 100644 --- a/latest/ug/manage-access/create-kubeconfig.adoc +++ b/latest/ug/manage-access/create-kubeconfig.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#create-kubeconfig] = Connect kubectl to an EKS cluster by creating a kubeconfig file :info_titleabbrev: Access cluster with kubectl -include::../attributes.txt[] - [abstract] -- Learn how to create or update a kubeconfig file for authenticating with your Amazon EKS cluster using kubectl. Follow prerequisites for required tools and permissions. diff --git a/latest/ug/manage-access/k8s-access/access-entries.adoc b/latest/ug/manage-access/k8s-access/access-entries.adoc index 1c95693c4..594b38256 100644 --- a/latest/ug/manage-access/k8s-access/access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/access-entries.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#access-entries] = Grant IAM users access to Kubernetes with EKS access entries :info_titleabbrev: Grant permissions -include::../../attributes.txt[] - include::access-policies.adoc[leveloffset=+1] include::migrating-access-entries.adoc[leveloffset=+1] diff --git a/latest/ug/manage-access/k8s-access/access-policies.adoc b/latest/ug/manage-access/k8s-access/access-policies.adoc index 3b45c1e00..ca889fb12 100644 --- a/latest/ug/manage-access/k8s-access/access-policies.adoc +++ b/latest/ug/manage-access/k8s-access/access-policies.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#access-policies] = Associate access policies with access entries :info_titleabbrev: Associate access policies -include::../../attributes.txt[] - [abstract] -- Learn how to associate and disassociate Amazon EKS access policies to and from access entries to grant Kubernetes permissions to IAM principals. diff --git a/latest/ug/manage-access/k8s-access/access-policy-reference.adoc b/latest/ug/manage-access/k8s-access/access-policy-reference.adoc index 49f6deab2..952380b1f 100644 --- a/latest/ug/manage-access/k8s-access/access-policy-reference.adoc +++ b/latest/ug/manage-access/k8s-access/access-policy-reference.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#access-policy-permissions] = Review access policy permissions :info_titleabbrev: Review access policies -include::../../attributes.txt[] - Access policies include `rules` that contain Kubernetes `verbs` (permissions) and `resources`. Access policies don't include IAM permissions or resources. Similar to Kubernetes `Role` and `ClusterRole` objects, access policies only include `allow` `rules`. You can't modify the contents of an access policy. You can't create your own access policies. If the permissions in the access policies don't meet your needs, then create Kubernetes RBAC objects and specify _group names_ for your access entries. For more information, see <>. The permissions contained in access policies are similar to the permissions in the Kubernetes user-facing cluster roles. For more information, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles[User-facing roles] in the Kubernetes documentation. Choose any access policy to see its contents. Each row of each table in each access policy is a separate rule. diff --git a/latest/ug/manage-access/k8s-access/auth-configmap.adoc b/latest/ug/manage-access/k8s-access/auth-configmap.adoc index 9aa3c38d2..a3be7f8eb 100644 --- a/latest/ug/manage-access/k8s-access/auth-configmap.adoc +++ b/latest/ug/manage-access/k8s-access/auth-configmap.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#auth-configmap] = Grant IAM users access to Kubernetes with a ConfigMap :info_titleabbrev: aws-auth ConfigMap -include::../../attributes.txt[] - [abstract] -- Learn how to manage IAM principal access to your Amazon EKS cluster using the aws-auth ConfigMap and Kubernetes RBAC, allowing authorized users and roles to interact with the cluster securely. diff --git a/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc b/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc index 9e6481e06..f7be43017 100644 --- a/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc +++ b/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#authenticate-oidc-identity-provider] = Grant users access to Kubernetes with an external OIDC provider :info_titleabbrev: Link OIDC provider -include::../../attributes.txt[] - [abstract] -- Learn how to authenticate users for your Amazon EKS cluster using OpenID Connect (OIDC) identity providers to manage access and permissions with roles, bindings, and RBAC authorization. diff --git a/latest/ug/manage-access/k8s-access/creating-access-entries.adoc b/latest/ug/manage-access/k8s-access/creating-access-entries.adoc index b140eaa5d..33c801f1f 100644 --- a/latest/ug/manage-access/k8s-access/creating-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/creating-access-entries.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#creating-access-entries] = Create access entries :info_titleabbrev: Create access entries -include::../../attributes.txt[] - Before creating access entries, consider the following: * A properly set authentication mode. See <>. diff --git a/latest/ug/manage-access/k8s-access/deleting-access-entries.adoc b/latest/ug/manage-access/k8s-access/deleting-access-entries.adoc index 631cdaafc..724582df1 100644 --- a/latest/ug/manage-access/k8s-access/deleting-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/deleting-access-entries.adoc @@ -1,9 +1,11 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#deleting-access-entries] = Delete access entries -include::../../attributes.txt[] - If you discover that you deleted an access entry in error, you can always recreate it. If the access entry that you're deleting is associated to any access policies, the associations are automatically deleted. You don't have to disassociate access policies from an access entry before deleting the access entry. You can delete an access entry using the {aws-management-console} or the {aws} CLI. diff --git a/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc b/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc index 221dd3ff9..40e382983 100644 --- a/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc +++ b/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#disassociate-oidc-identity-provider] = Disassociate an OIDC identity provider from your cluster :info_titleabbrev: Unlink OIDC provider -include::../../attributes.txt[] - If you disassociate an OIDC identity provider from your cluster, users included in the provider can no longer access the cluster. However, you can still access the cluster with link:IAM/latest/UserGuide/id_roles.html#iam-term-principal[IAM principals,type="documentation"]. . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. diff --git a/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc b/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc index 5ba4180b1..8bb453230 100644 --- a/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc +++ b/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#grant-k8s-access] = Grant IAM users and roles access to Kubernetes APIs :info_titleabbrev: Kubernetes API access -include::../../attributes.txt[] - [abstract] -- Learn how to grant access to Kubernetes APIs on Amazon EKS clusters using IAM roles, users, or OpenID Connect providers, and manage permissions with access entries or the aws-auth ConfigMap. diff --git a/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc b/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc index 180aad54f..1fc3efc93 100644 --- a/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#migrating-access-entries] = Migrating existing `aws-auth ConfigMap` entries to access entries :info_titleabbrev: Migrate to access entries -include::../../attributes.txt[] - //GDC: problems with xrefs If you've added entries to the `aws-auth` `ConfigMap` on your cluster, we recommend that you create access entries for the existing entries in your `aws-auth` `ConfigMap`. After creating the access entries, you can remove the entries from your `ConfigMap`. You can't associate <> to entries in the `aws-auth` `ConfigMap`. If you want to associate access polices to your IAM principals, create access entries. diff --git a/latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc b/latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc index ae9df7147..afe7b60bc 100644 --- a/latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#setting-up-access-entries] = Change authentication mode to use access entries :info_titleabbrev: Authentication mode -include::../../attributes.txt[] - To begin using access entries, you must change the authentication mode of the cluster to either the `API_AND_CONFIG_MAP` or `API` modes. This adds the API for access entries. [#access-entries-setup-console] diff --git a/latest/ug/manage-access/k8s-access/updating-access-entries.adoc b/latest/ug/manage-access/k8s-access/updating-access-entries.adoc index 3a18aab1d..4ac6eab26 100644 --- a/latest/ug/manage-access/k8s-access/updating-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/updating-access-entries.adoc @@ -1,9 +1,11 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#updating-access-entries] = Update access entries -include::../../attributes.txt[] - You can update an access entry using the {aws-management-console} or the {aws} CLI. diff --git a/latest/ug/manage-access/view-kubernetes-resources.adoc b/latest/ug/manage-access/view-kubernetes-resources.adoc index 9702d0e57..4e2bc1b23 100644 --- a/latest/ug/manage-access/view-kubernetes-resources.adoc +++ b/latest/ug/manage-access/view-kubernetes-resources.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../attributes.txt[] [.topic] diff --git a/latest/ug/ml/capacity-blocks-mng.adoc b/latest/ug/ml/capacity-blocks-mng.adoc index 64955b216..626881c73 100644 --- a/latest/ug/ml/capacity-blocks-mng.adoc +++ b/latest/ug/ml/capacity-blocks-mng.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#capacity-blocks-mng] = Create a managed node group with Capacity Blocks for ML :info_titleabbrev: Reserve GPUs for MNG -include::../attributes.txt[] - [abstract] -- Capacity Blocks for machine learning (ML) allow you to reserve highly sought-after GPU instances on a future date to support your short duration ML workloads. diff --git a/latest/ug/ml/capacity-blocks.adoc b/latest/ug/ml/capacity-blocks.adoc index c0a2e01e9..12b55a9be 100644 --- a/latest/ug/ml/capacity-blocks.adoc +++ b/latest/ug/ml/capacity-blocks.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#capacity-blocks] = Create self-managed nodes with Capacity Blocks for ML :info_titleabbrev: Reserve GPUs for SMN -include::../attributes.txt[] - [abstract] -- Capacity Blocks for machine learning (ML) allow you to reserve highly sought-after GPU instances on a future date to support your short duration ML workloads. diff --git a/latest/ug/ml/inferentia-support.adoc b/latest/ug/ml/inferentia-support.adoc index 6bfb4e48e..6d132ef6f 100644 --- a/latest/ug/ml/inferentia-support.adoc +++ b/latest/ug/ml/inferentia-support.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../attributes.txt[] [.topic] diff --git a/latest/ug/ml/machine-learning-on-eks.adoc b/latest/ug/ml/machine-learning-on-eks.adoc index 6637dac56..f6bbaa044 100644 --- a/latest/ug/ml/machine-learning-on-eks.adoc +++ b/latest/ug/ml/machine-learning-on-eks.adoc @@ -1,7 +1,10 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#machine-learning-on-eks] = Overview of Machine Learning on Amazon EKS -:doctype: book :sectnums: :toc: left :icons: font @@ -12,8 +15,6 @@ :info_titleabbrev: Machine Learning on EKS :keywords: Machine Learning, Amazon EKS, Artificial Intelligence -include::../attributes.txt[] - [abstract] -- Complete guide for running Machine Learning applications on Amazon EKS. This includes everything from provisioning infrastructure to choosing and deploying Machine Learning workloads on Amazon EKS. diff --git a/latest/ug/ml/ml-eks-optimized-ami.adoc b/latest/ug/ml/ml-eks-optimized-ami.adoc index 662f62670..5980f88bb 100644 --- a/latest/ug/ml/ml-eks-optimized-ami.adoc +++ b/latest/ug/ml/ml-eks-optimized-ami.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#ml-eks-optimized-ami] = Run GPU-accelerated containers (Linux on EC2) :info_titleabbrev: Run Linux GPU AMIs -include::../attributes.txt[] - The Amazon EKS optimized accelerated Amazon Linux AMIs are built on top of the standard Amazon EKS optimized Amazon Linux AMIs. For details on these AMIs, see <>. The following text describes how to enable {aws} Neuron-based workloads. diff --git a/latest/ug/ml/ml-eks-windows-optimized-ami.adoc b/latest/ug/ml/ml-eks-windows-optimized-ami.adoc index f6c256584..3df44c30d 100644 --- a/latest/ug/ml/ml-eks-windows-optimized-ami.adoc +++ b/latest/ug/ml/ml-eks-windows-optimized-ami.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#ml-eks-windows-optimized-ami] = Run GPU-accelerated containers (Windows on EC2 G-Series) :info_titleabbrev: Run Windows GPU AMIs -include::../attributes.txt[] - [IMPORTANT] ==== The https://github.com/TensorWorks/DirectX-Device-Plugins[Kubernetes Device Plugin for DirectX] by TensorWorks is a third-party tool that is not endorsed, supported, or maintained by {aws}. {aws} assumes no responsibility for the security, reliability, or performance of this plugin. diff --git a/latest/ug/ml/ml-get-started.adoc b/latest/ug/ml/ml-get-started.adoc index b8d3f89d0..af40b7376 100644 --- a/latest/ug/ml/ml-get-started.adoc +++ b/latest/ug/ml/ml-get-started.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#ml-get-started] = Get started with ML :info_titleabbrev: Get started with ML -include::../attributes.txt[] - [abstract] -- Choose the Machine Learning on EKS tools and platforms that best suit your needs, then use quick start procedures to deploy ML workloads and EKS clusters to the {aws} cloud. diff --git a/latest/ug/ml/ml-prepare-for-cluster.adoc b/latest/ug/ml/ml-prepare-for-cluster.adoc index 5893d103e..58444b464 100644 --- a/latest/ug/ml/ml-prepare-for-cluster.adoc +++ b/latest/ug/ml/ml-prepare-for-cluster.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#ml-prepare-for-cluster] = Prepare for ML clusters :info_titleabbrev: Prepare for ML -include::../attributes.txt[] - [abstract] -- Learn how to make decisions about CPU, AMIs, and tooling before creating an EKS cluster for ML. diff --git a/latest/ug/ml/ml-tutorials.adoc b/latest/ug/ml/ml-tutorials.adoc index 8e299284c..f17e97192 100644 --- a/latest/ug/ml/ml-tutorials.adoc +++ b/latest/ug/ml/ml-tutorials.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#ml-tutorials] = Try tutorials for deploying Machine Learning workloads on EKS :info_titleabbrev: Try tutorials for ML on EKS -include::../attributes.txt[] - If you are interested in setting up Machine Learning platforms and frameworks in EKS, explore the tutorials described in this page. These tutorials cover everything from patterns for making the best use of GPU processors to choosing modeling tools to building frameworks for specialized industries. diff --git a/latest/ug/ml/node-efa.adoc b/latest/ug/ml/node-efa.adoc index 3ac9f58c3..ed197c396 100644 --- a/latest/ug/ml/node-efa.adoc +++ b/latest/ug/ml/node-efa.adoc @@ -1,3 +1,7 @@ +:doctype: book + +include::../attributes.txt[] + :AWSEC2-latest-UserGuide-using-eni-html-network-cards: AWSEC2/latest/UserGuide/using-eni.html#network-cards [.topic] @@ -5,8 +9,6 @@ = Run machine learning training on Amazon EKS with Elastic Fabric Adapter :info_titleabbrev: Training clusters with EFA -include::../attributes.txt[] - [abstract] -- Learn how to integrate Elastic Fabric Adapter (EFA) with Amazon EKS to run machine learning training workloads requiring high inter-node communications at scale using p4d instances with GPUDirect RDMA and NVIDIA Collective Communications Library (NCCL). diff --git a/latest/ug/ml/node-taints-managed-node-groups.adoc b/latest/ug/ml/node-taints-managed-node-groups.adoc index 72bd156a1..61117c9c8 100644 --- a/latest/ug/ml/node-taints-managed-node-groups.adoc +++ b/latest/ug/ml/node-taints-managed-node-groups.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#node-taints-managed-node-groups] = Prevent Pods from being scheduled on specific nodes :info_titleabbrev: Taint GPU nodes -include::../attributes.txt[] - [abstract] -- Taints and tolerations work together to ensure that Pods aren't scheduled onto inappropriate nodes. This can be particularly useful for nodes running on GPU hardware. diff --git a/latest/ug/networking/alternate-cni-plugins.adoc b/latest/ug/networking/alternate-cni-plugins.adoc index 5d49d94fd..6209a5b34 100644 --- a/latest/ug/networking/alternate-cni-plugins.adoc +++ b/latest/ug/networking/alternate-cni-plugins.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#alternate-cni-plugins] = Alternate CNI plugins for Amazon EKS clusters :info_titleabbrev: Alternate CNI plugins -include::../attributes.txt[] - [abstract] -- Learn how to use alternate network and security plugins on Amazon EKS to customize networking for your Kubernetes clusters on Amazon EC2 nodes. diff --git a/latest/ug/networking/auto-mode-addon-note.adoc b/latest/ug/networking/auto-mode-addon-note.adoc index a7ae32ca5..9ac1a6623 100644 --- a/latest/ug/networking/auto-mode-addon-note.adoc +++ b/latest/ug/networking/auto-mode-addon-note.adoc @@ -1,3 +1,4 @@ +:doctype: book [TIP] ==== With Amazon EKS Auto Mode, you don't need to install or upgrade networking add-ons. Auto Mode includes pod networking and load balancing capabilities. diff --git a/latest/ug/networking/aws-load-balancer-controller.adoc b/latest/ug/networking/aws-load-balancer-controller.adoc index c78d6db86..41684729d 100644 --- a/latest/ug/networking/aws-load-balancer-controller.adoc +++ b/latest/ug/networking/aws-load-balancer-controller.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/cni-custom-network-tutorial.adoc b/latest/ug/networking/cni-custom-network-tutorial.adoc index db00a06e0..9a3b74b93 100644 --- a/latest/ug/networking/cni-custom-network-tutorial.adoc +++ b/latest/ug/networking/cni-custom-network-tutorial.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#cni-custom-network-tutorial] = Customize the secondary network interface in Amazon EKS nodes :info_titleabbrev: Secondary interface -include::../attributes.txt[] - [abstract] -- Learn how your Pods can use different security groups and subnets than the primary elastic network interface of the Amazon EC2 node that they run on. diff --git a/latest/ug/networking/cni-custom-network.adoc b/latest/ug/networking/cni-custom-network.adoc index ac8a5d42f..3c8f73b63 100644 --- a/latest/ug/networking/cni-custom-network.adoc +++ b/latest/ug/networking/cni-custom-network.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#cni-custom-network] = Deploy Pods in alternate subnets with custom networking :info_titleabbrev: Custom networking -include::../attributes.txt[] - include::cni-custom-network-tutorial.adoc[leveloffset=+1] [abstract] diff --git a/latest/ug/networking/cni-iam-role.adoc b/latest/ug/networking/cni-iam-role.adoc index 820a5987c..7ff290bae 100644 --- a/latest/ug/networking/cni-iam-role.adoc +++ b/latest/ug/networking/cni-iam-role.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#cni-iam-role] = Configure Amazon VPC CNI plugin to use IRSA :info_titleabbrev: Configure for IRSA -include::../attributes.txt[] - [abstract] -- Learn how to configure the Amazon VPC CNI plugin for Kubernetes to use IAM roles for service accounts (IRSA) for Pod networking in Amazon EKS clusters. diff --git a/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc b/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc index 9911cc269..34775c05f 100644 --- a/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc +++ b/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#cni-increase-ip-addresses-procedure] = Increase the available IP addresses for your Amazon EKS node :info_titleabbrev: Procedure -include::../attributes.txt[] - You can increase the number of IP addresses that nodes can assign to Pods by assigning IP prefixes, rather than assigning individual secondary IP addresses to your nodes. == Prerequisites diff --git a/latest/ug/networking/cni-increase-ip-addresses.adoc b/latest/ug/networking/cni-increase-ip-addresses.adoc index 7f0cdebc2..f26df1cb4 100644 --- a/latest/ug/networking/cni-increase-ip-addresses.adoc +++ b/latest/ug/networking/cni-increase-ip-addresses.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#cni-increase-ip-addresses] = Assign more IP addresses to Amazon EKS nodes with prefixes :info_titleabbrev: Increase IP addresses -include::../attributes.txt[] - include::cni-increase-ip-addresses-procedure.adoc[leveloffset=+1] [abstract] diff --git a/latest/ug/networking/cni-ipv6.adoc b/latest/ug/networking/cni-ipv6.adoc index 651631d33..1e2f31850 100644 --- a/latest/ug/networking/cni-ipv6.adoc +++ b/latest/ug/networking/cni-ipv6.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#cni-ipv6] = Learn about IPv6 addresses to clusters, Pods, and services :info_titleabbrev: IPv6 -include::../attributes.txt[] - include::deploy-ipv6-cluster.adoc[leveloffset=+1] [abstract] diff --git a/latest/ug/networking/cni-network-policy-configure.adoc b/latest/ug/networking/cni-network-policy-configure.adoc index a3d88e495..e67a9dfc5 100644 --- a/latest/ug/networking/cni-network-policy-configure.adoc +++ b/latest/ug/networking/cni-network-policy-configure.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#cni-network-policy-configure] = Restrict Pod network traffic with Kubernetes network policies :info_titleabbrev: Restrict traffic -include::../attributes.txt[] - [abstract] -- Learn how to deploy Kubernetes network policies on your Amazon EKS cluster. diff --git a/latest/ug/networking/cni-network-policy.adoc b/latest/ug/networking/cni-network-policy.adoc index 9256e93b1..3982b7de3 100644 --- a/latest/ug/networking/cni-network-policy.adoc +++ b/latest/ug/networking/cni-network-policy.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#cni-network-policy] = Limit Pod traffic with Kubernetes network policies :info_titleabbrev: Kubernetes policies -include::../attributes.txt[] - include::cni-network-policy-configure.adoc[leveloffset=+1] include::network-policy-disable.adoc[leveloffset=+1] diff --git a/latest/ug/networking/coredns-add-on-create.adoc b/latest/ug/networking/coredns-add-on-create.adoc index f574e1f16..ef108c7c1 100644 --- a/latest/ug/networking/coredns-add-on-create.adoc +++ b/latest/ug/networking/coredns-add-on-create.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#coredns-add-on-create] = Create the CoreDNS Amazon EKS add-on :info_titleabbrev: Create -include::../attributes.txt[] - Create the CoreDNS Amazon EKS add-on. You must have a cluster before you create the add-on. For more information, see <>. . See which version of the add-on is installed on your cluster. diff --git a/latest/ug/networking/coredns-add-on-self-managed-update.adoc b/latest/ug/networking/coredns-add-on-self-managed-update.adoc index 477d7a6d3..111c5ddd9 100644 --- a/latest/ug/networking/coredns-add-on-self-managed-update.adoc +++ b/latest/ug/networking/coredns-add-on-self-managed-update.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#coredns-add-on-self-managed-update] = Update the CoreDNS Amazon EKS self-managed add-on :info_titleabbrev: Update (self-managed) -include::../attributes.txt[] - [IMPORTANT] ==== diff --git a/latest/ug/networking/coredns-add-on-update.adoc b/latest/ug/networking/coredns-add-on-update.adoc index 1a8736c8c..9e3720eb1 100644 --- a/latest/ug/networking/coredns-add-on-update.adoc +++ b/latest/ug/networking/coredns-add-on-update.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#coredns-add-on-update] = Update the CoreDNS Amazon EKS add-on :info_titleabbrev: Update (EKS add-on) -include::../attributes.txt[] - Update the Amazon EKS type of the add-on. If you haven't added the Amazon EKS add-on to your cluster, either <> or see <>. Before you begin, review the upgrade considerations. For more information, see <>. diff --git a/latest/ug/networking/coredns-autoscaling.adoc b/latest/ug/networking/coredns-autoscaling.adoc index 66463bdf7..8cc31a274 100644 --- a/latest/ug/networking/coredns-autoscaling.adoc +++ b/latest/ug/networking/coredns-autoscaling.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#coredns-autoscaling] = Scale CoreDNS Pods for high DNS traffic :info_titleabbrev: Scale for high traffic -include::../attributes.txt[] - [abstract] -- Learn how the Amazon EKS add-on for CoreDNS autoscales to handle increased load on DNS pods, improving application availability and cluster scalability. diff --git a/latest/ug/networking/coredns-metrics.adoc b/latest/ug/networking/coredns-metrics.adoc index b12bfd556..d15a924ed 100644 --- a/latest/ug/networking/coredns-metrics.adoc +++ b/latest/ug/networking/coredns-metrics.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#coredns-metrics] = Monitor Kubernetes DNS resolution with CoreDNS metrics :info_titleabbrev: Monitor DNS resolution -include::../attributes.txt[] - [abstract] -- Learn how to collect CoreDNS metrics in Amazon EKS using Prometheus or CloudWatch Agent, enabling monitoring and observability for your Kubernetes DNS resolution. diff --git a/latest/ug/networking/creating-a-vpc.adoc b/latest/ug/networking/creating-a-vpc.adoc index ae742831b..895b6ff4b 100644 --- a/latest/ug/networking/creating-a-vpc.adoc +++ b/latest/ug/networking/creating-a-vpc.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#creating-a-vpc] = Create an Amazon VPC for your Amazon EKS cluster :info_titleabbrev: Create a VPC -include::../attributes.txt[] - [abstract] -- Learn how to create an Amazon VPC for your cluster using an Amazon EKS provided {aws} CloudFormation template. diff --git a/latest/ug/networking/deploy-ipv6-cluster.adoc b/latest/ug/networking/deploy-ipv6-cluster.adoc index 586a54843..cfd311fc6 100644 --- a/latest/ug/networking/deploy-ipv6-cluster.adoc +++ b/latest/ug/networking/deploy-ipv6-cluster.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#deploy-ipv6-cluster] = Deploying an Amazon EKS `IPv6` cluster and managed Amazon Linux nodes :info_titleabbrev: Deploy -include::../attributes.txt[] - In this tutorial, you deploy an `IPv6` Amazon VPC, an Amazon EKS cluster with the `IPv6` family, and a managed node group with Amazon EC2 Amazon Linux nodes. You can't deploy Amazon EC2 Windows nodes in an `IPv6` cluster. You can also deploy Fargate nodes to your cluster, though those instructions aren't provided in this topic for simplicity. == Prerequisites diff --git a/latest/ug/networking/eks-networking-add-ons.adoc b/latest/ug/networking/eks-networking-add-ons.adoc index d8c866046..8f4190c0a 100644 --- a/latest/ug/networking/eks-networking-add-ons.adoc +++ b/latest/ug/networking/eks-networking-add-ons.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#eks-networking-add-ons] = Manage networking add-ons for Amazon EKS clusters :info_titleabbrev: Manage networking add-ons -include::../attributes.txt[] - include::managing-vpc-cni.adoc[leveloffset=+1] include::alternate-cni-plugins.adoc[leveloffset=+1] diff --git a/latest/ug/networking/eks-networking.adoc b/latest/ug/networking/eks-networking.adoc index 461f26cba..084083ac3 100644 --- a/latest/ug/networking/eks-networking.adoc +++ b/latest/ug/networking/eks-networking.adoc @@ -1,6 +1,9 @@ +:doctype: book + +include::../attributes.txt[] + [#eks-networking] = Configure networking for Amazon EKS clusters -:doctype: book :sectnums: :toc: left :icons: font @@ -10,8 +13,6 @@ :sourcedir: . :info_titleabbrev: Configure networking -include::../attributes.txt[] - include::network-reqs.adoc[leveloffset=+1] include::creating-a-vpc.adoc[leveloffset=+1] diff --git a/latest/ug/networking/external-snat.adoc b/latest/ug/networking/external-snat.adoc index 36ff4c5b3..9643070c7 100644 --- a/latest/ug/networking/external-snat.adoc +++ b/latest/ug/networking/external-snat.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#external-snat] = Enable outbound internet access for Pods :info_titleabbrev: Outbound traffic -include::../attributes.txt[] - [abstract] -- Learn how Amazon EKS manages external communication for Pods using Source Network Address Translation (SNAT), allowing Pods to access internet resources or networks connected via VPC peering, Transit Gateway, or {aws} Direct Connect. diff --git a/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc b/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc index a0577ec31..e2869c633 100644 --- a/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc +++ b/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#kube-proxy-add-on-self-managed-update] = Update the Kubernetes `kube-proxy` self-managed add-on :info_titleabbrev: Update -include::../attributes.txt[] - [IMPORTANT] ==== diff --git a/latest/ug/networking/lbc-helm.adoc b/latest/ug/networking/lbc-helm.adoc index addd2bd5d..ba4fdea53 100644 --- a/latest/ug/networking/lbc-helm.adoc +++ b/latest/ug/networking/lbc-helm.adoc @@ -1,6 +1,8 @@ -[.topic] +:doctype: book + include::../attributes.txt[] +[.topic] [#lbc-helm] = Install {aws} Load Balancer Controller with Helm :info_titleabbrev: Install with Helm diff --git a/latest/ug/networking/lbc-manifest.adoc b/latest/ug/networking/lbc-manifest.adoc index b7914eec8..8ff64c312 100644 --- a/latest/ug/networking/lbc-manifest.adoc +++ b/latest/ug/networking/lbc-manifest.adoc @@ -1,7 +1,9 @@ -[.topic] -[#lbc-manifest] +:doctype: book + include::../attributes.txt[] +[.topic] +[#lbc-manifest] = Install {aws} Load Balancer Controller with manifests :info_titleabbrev: Install with manifests diff --git a/latest/ug/networking/lbc-remove.adoc b/latest/ug/networking/lbc-remove.adoc index bf3f8b1e9..d2a4c7993 100644 --- a/latest/ug/networking/lbc-remove.adoc +++ b/latest/ug/networking/lbc-remove.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#lbc-remove] = Migrate apps from deprecated ALB Ingress Controller :info_titleabbrev: Migrate from deprecated -include::../attributes.txt[] - [abstract] -- Learn how to migrate from the deprecated ALB Ingress Controller to the latest {aws} Load Balancer Controller release, ensuring smooth transition and uninterrupted load balancing capabilities. diff --git a/latest/ug/networking/managing-coredns.adoc b/latest/ug/networking/managing-coredns.adoc index 56917a147..52b8e7043 100644 --- a/latest/ug/networking/managing-coredns.adoc +++ b/latest/ug/networking/managing-coredns.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#managing-coredns] = Manage CoreDNS for DNS in Amazon EKS clusters :info_titleabbrev: CoreDNS -include::../attributes.txt[] - include::coredns-add-on-create.adoc[leveloffset=+1] include::coredns-add-on-update.adoc[leveloffset=+1] diff --git a/latest/ug/networking/managing-kube-proxy.adoc b/latest/ug/networking/managing-kube-proxy.adoc index 46537f7a0..b6b76a3de 100644 --- a/latest/ug/networking/managing-kube-proxy.adoc +++ b/latest/ug/networking/managing-kube-proxy.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#managing-kube-proxy] = Manage `kube-proxy` in Amazon EKS clusters :info_titleabbrev: kube-proxy -include::../attributes.txt[] - include::kube-proxy-add-on-self-managed-update.adoc[leveloffset=+1] [abstract] diff --git a/latest/ug/networking/managing-vpc-cni.adoc b/latest/ug/networking/managing-vpc-cni.adoc index c53db5372..8eb48d5e2 100644 --- a/latest/ug/networking/managing-vpc-cni.adoc +++ b/latest/ug/networking/managing-vpc-cni.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#managing-vpc-cni] = Assign IPs to Pods with the Amazon VPC CNI :info_titleabbrev: Amazon VPC CNI -include::../attributes.txt[] - include::vpc-add-on-create.adoc[leveloffset=+1] include::vpc-add-on-update.adoc[leveloffset=+1] diff --git a/latest/ug/networking/network-policies-troubleshooting.adoc b/latest/ug/networking/network-policies-troubleshooting.adoc index 1a14561cb..a47df2006 100644 --- a/latest/ug/networking/network-policies-troubleshooting.adoc +++ b/latest/ug/networking/network-policies-troubleshooting.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#network-policies-troubleshooting] = Troubleshooting Kubernetes network policies For Amazon EKS :info_titleabbrev: Troubleshooting -include::../attributes.txt[] - [abstract] -- Learn how to troubleshoot and investigate network connections that use network policies. diff --git a/latest/ug/networking/network-policy-disable.adoc b/latest/ug/networking/network-policy-disable.adoc index 36b0b74c0..99359ee48 100644 --- a/latest/ug/networking/network-policy-disable.adoc +++ b/latest/ug/networking/network-policy-disable.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#network-policy-disable] = Disable Kubernetes network policies for Amazon EKS Pod network traffic :info_titleabbrev: Disable -include::../attributes.txt[] - [abstract] -- Learn how to disable Kubernetes network policies for Amazon EKS Pod network traffic. diff --git a/latest/ug/networking/network-policy-stars-demo.adoc b/latest/ug/networking/network-policy-stars-demo.adoc index c6a951395..512e7fdd7 100644 --- a/latest/ug/networking/network-policy-stars-demo.adoc +++ b/latest/ug/networking/network-policy-stars-demo.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#network-policy-stars-demo] = Stars demo of network policy for Amazon EKS :info_titleabbrev: Stars policy demo -include::../attributes.txt[] - [abstract] -- This demo creates a front-end, back-end, and client service on your Amazon EKS cluster. The demo also creates a management graphical user interface that shows the available ingress and egress paths between each service. diff --git a/latest/ug/networking/network-reqs.adoc b/latest/ug/networking/network-reqs.adoc index 57e875ffd..b90c54221 100644 --- a/latest/ug/networking/network-reqs.adoc +++ b/latest/ug/networking/network-reqs.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#network-reqs] = View Amazon EKS networking requirements for VPC and subnets :info_titleabbrev: VPC and subnet requirements -include::../attributes.txt[] - [abstract] -- Learn how to configure the VPC and subnets to meet networking requirements for creating Amazon EKS clusters with sufficient IP addresses, subnet types, and availability zones. Understand IP family usage by component and shared subnet considerations. diff --git a/latest/ug/networking/pod-multiple-network-interfaces.adoc b/latest/ug/networking/pod-multiple-network-interfaces.adoc index 474455e2a..ebfce8b4f 100644 --- a/latest/ug/networking/pod-multiple-network-interfaces.adoc +++ b/latest/ug/networking/pod-multiple-network-interfaces.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#pod-multiple-network-interfaces] = Attach multiple network interfaces to Pods with Multus :info_titleabbrev: Multiple interfaces -include::../attributes.txt[] - [abstract] -- Learn how to use Multus CNI to attach multiple network interfaces to a Pod in Amazon EKS for advanced networking scenarios, while leveraging the Amazon VPC CNI plugin for primary networking. diff --git a/latest/ug/networking/pod-networking-use-cases.adoc b/latest/ug/networking/pod-networking-use-cases.adoc index 820b6d198..fdc657a12 100644 --- a/latest/ug/networking/pod-networking-use-cases.adoc +++ b/latest/ug/networking/pod-networking-use-cases.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#pod-networking-use-cases] = Learn about VPC CNI modes and configuration :info_titleabbrev: Modes and configuration -include::../attributes.txt[] - include::cni-ipv6.adoc[leveloffset=+1] include::external-snat.adoc[leveloffset=+1] diff --git a/latest/ug/networking/sec-group-reqs.adoc b/latest/ug/networking/sec-group-reqs.adoc index 7102ea9ce..62c9b9bec 100644 --- a/latest/ug/networking/sec-group-reqs.adoc +++ b/latest/ug/networking/sec-group-reqs.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#sec-group-reqs] = View Amazon EKS security group requirements for clusters :info_titleabbrev: Security group requirements -include::../attributes.txt[] - [abstract] -- Learn how to manage security groups for Amazon EKS clusters, including default rules, restricting traffic, and required outbound access for nodes to function properly with your cluster. Understand key security group considerations for secure operation of your Kubernetes cluster on {aws}. diff --git a/latest/ug/networking/security-groups-for-pods.adoc b/latest/ug/networking/security-groups-for-pods.adoc index 736b8f2d6..27b25ec43 100644 --- a/latest/ug/networking/security-groups-for-pods.adoc +++ b/latest/ug/networking/security-groups-for-pods.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#security-groups-for-pods] = Assign security groups to individual Pods :info_titleabbrev: Security groups for Pods -include::../attributes.txt[] - include::security-groups-pods-deployment.adoc[leveloffset=+1] include::sg-pods-example-deployment.adoc[leveloffset=+1] diff --git a/latest/ug/networking/security-groups-pods-deployment.adoc b/latest/ug/networking/security-groups-pods-deployment.adoc index b1879b6cf..2443adc95 100644 --- a/latest/ug/networking/security-groups-pods-deployment.adoc +++ b/latest/ug/networking/security-groups-pods-deployment.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#security-groups-pods-deployment] = Configure the Amazon VPC CNI plugin for Kubernetes for security groups for Amazon EKS Pods :info_titleabbrev: Configure -include::../attributes.txt[] - If you use Pods with Amazon EC2 instances, you need to configure the Amazon VPC CNI plugin for Kubernetes for security groups If you use Fargate Pods only, and don't have any Amazon EC2 nodes in your cluster, see <>. diff --git a/latest/ug/networking/sg-pods-example-deployment.adoc b/latest/ug/networking/sg-pods-example-deployment.adoc index 5034d0b76..fbd12ab90 100644 --- a/latest/ug/networking/sg-pods-example-deployment.adoc +++ b/latest/ug/networking/sg-pods-example-deployment.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#sg-pods-example-deployment] = Use a security group policy for an Amazon EKS Pod :info_titleabbrev: SecurityGroupPolicy -include::../attributes.txt[] - To use security groups for Pods, you must have an existing security group. The following steps show you how to use the security group policy for a Pod. Unless otherwise noted, complete all steps from the same terminal because variables are used in the following steps that don't persist across terminals. If you have a Pod with Amazon EC2 instances, you must configure the plugin before you use this procedure. For more information, see <>. diff --git a/latest/ug/networking/vpc-add-on-create.adoc b/latest/ug/networking/vpc-add-on-create.adoc index ed163d701..a58ac8b8b 100644 --- a/latest/ug/networking/vpc-add-on-create.adoc +++ b/latest/ug/networking/vpc-add-on-create.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#vpc-add-on-create] = Create the Amazon VPC CNI (Amazon EKS add-on) :info_titleabbrev: Create -include::../attributes.txt[] - Use the following steps to create the Amazon VPC CNI plugin for Kubernetes Amazon EKS add-on. Before you begin, review the considerations. For more information, see <>. diff --git a/latest/ug/networking/vpc-add-on-self-managed-update.adoc b/latest/ug/networking/vpc-add-on-self-managed-update.adoc index 4fbb68a59..f066b7cfd 100644 --- a/latest/ug/networking/vpc-add-on-self-managed-update.adoc +++ b/latest/ug/networking/vpc-add-on-self-managed-update.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#vpc-add-on-self-managed-update] = Update the Amazon VPC CNI (self-managed add-on) :info_titleabbrev: Update (self-managed) -include::../attributes.txt[] - [IMPORTANT] ==== diff --git a/latest/ug/networking/vpc-add-on-update.adoc b/latest/ug/networking/vpc-add-on-update.adoc index 48d9a3b85..e051a4575 100644 --- a/latest/ug/networking/vpc-add-on-update.adoc +++ b/latest/ug/networking/vpc-add-on-update.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#vpc-add-on-update] = Update the Amazon VPC CNI (Amazon EKS add-on) :info_titleabbrev: Update (EKS add-on) -include::../attributes.txt[] - Update the Amazon EKS type of the Amazon VPC CNI plugin for Kubernetes add-on. If you haven't added the Amazon EKS type of the add-on to your cluster, you can install it by following <>. Or, update the other type of VPC CNI installation by following <>. . See which version of the add-on is installed on your cluster. Replace [.replaceable]`my-cluster` with your cluster name. diff --git a/latest/ug/nodes/al2023.adoc b/latest/ug/nodes/al2023.adoc index deb8e088c..eb17bc5f9 100644 --- a/latest/ug/nodes/al2023.adoc +++ b/latest/ug/nodes/al2023.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#al2023] = Upgrade from Amazon Linux 2 to Amazon Linux 2023 :info_titleabbrev: Upgrade to AL2023 -include::../attributes.txt[] - [abstract] -- AL2023 is a new Linux-based operating system designed to provide a secure, stable, and high-performance environment for your cloud applications. diff --git a/latest/ug/nodes/auto-get-logs.adoc b/latest/ug/nodes/auto-get-logs.adoc index f8644392c..a8cc2dd04 100644 --- a/latest/ug/nodes/auto-get-logs.adoc +++ b/latest/ug/nodes/auto-get-logs.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#auto-get-logs] = Retrieve node logs for a managed node using kubectl and S3 :info_titleabbrev: Get node logs -include::../attributes.txt[] - [abstract] -- Learn how to retrieve node logs for an Amazon EKS managed node that has the node monitoring agent. diff --git a/latest/ug/nodes/bottlerocket-compliance-support.adoc b/latest/ug/nodes/bottlerocket-compliance-support.adoc index 7c142a00a..09b77c6e0 100644 --- a/latest/ug/nodes/bottlerocket-compliance-support.adoc +++ b/latest/ug/nodes/bottlerocket-compliance-support.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#bottlerocket-compliance-support] = Meet compliance requirements with Bottlerocket :info_titleabbrev: Compliance support -include::../attributes.txt[] - [abstract] -- Bottlerocket complies with recommendations defined by various organizations. diff --git a/latest/ug/nodes/choosing-instance-type.adoc b/latest/ug/nodes/choosing-instance-type.adoc index 9556d08aa..6b68cad24 100644 --- a/latest/ug/nodes/choosing-instance-type.adoc +++ b/latest/ug/nodes/choosing-instance-type.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#choosing-instance-type] = Choose an optimal Amazon EC2 node instance type :info_titleabbrev: Amazon EC2 instance types :keywords: choose, select, instance, type, family, group, max-pods, max pods, maximum pods -include::../attributes.txt[] - [abstract] -- Each Amazon EC2 instance type offers different compute, memory, storage, and network capabilities. diff --git a/latest/ug/nodes/create-managed-node-group.adoc b/latest/ug/nodes/create-managed-node-group.adoc index f8f4068ec..0ad00e6d8 100644 --- a/latest/ug/nodes/create-managed-node-group.adoc +++ b/latest/ug/nodes/create-managed-node-group.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#create-managed-node-group] = Create a managed node group for your cluster :info_titleabbrev: Create -include::../attributes.txt[] - [abstract] -- This topic describes how you can launch Amazon EKS managed node groups of nodes that register with your Amazon EKS cluster. diff --git a/latest/ug/nodes/delete-fargate-profile.adoc b/latest/ug/nodes/delete-fargate-profile.adoc index 8d9edbc2a..ed8d19c46 100644 --- a/latest/ug/nodes/delete-fargate-profile.adoc +++ b/latest/ug/nodes/delete-fargate-profile.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#delete-fargate-profile] = Delete a Fargate profile :info_titleabbrev: Delete profiles -include::../attributes.txt[] - [abstract] -- When you delete a Fargate profile, any Pods that were scheduled onto Fargate with the profile are deleted. diff --git a/latest/ug/nodes/delete-managed-node-group.adoc b/latest/ug/nodes/delete-managed-node-group.adoc index 6043c4748..22e86e00c 100644 --- a/latest/ug/nodes/delete-managed-node-group.adoc +++ b/latest/ug/nodes/delete-managed-node-group.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#delete-managed-node-group] = Delete a managed node group from your cluster :info_titleabbrev: Delete -include::../attributes.txt[] - [abstract] -- This topic describes how you can delete an Amazon EKS managed node group. diff --git a/latest/ug/nodes/dockershim-deprecation.adoc b/latest/ug/nodes/dockershim-deprecation.adoc index c8b3bea7d..f471fef64 100644 --- a/latest/ug/nodes/dockershim-deprecation.adoc +++ b/latest/ug/nodes/dockershim-deprecation.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#dockershim-deprecation] = Migrate from `dockershim` to `containerd` :info_titleabbrev: Dockershim deprecation -include::../attributes.txt[] - [abstract] -- Starting with Kubernetes version `1.24`, Amazon EKS AMIs that are officially published only include the `containerd` runtime. diff --git a/latest/ug/nodes/eks-ami-build-scripts.adoc b/latest/ug/nodes/eks-ami-build-scripts.adoc index 3eec924b5..18692e4c7 100644 --- a/latest/ug/nodes/eks-ami-build-scripts.adoc +++ b/latest/ug/nodes/eks-ami-build-scripts.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#eks-ami-build-scripts] = Build a custom Amazon Linux AMI with a script :info_titleabbrev: Custom builds -include::../attributes.txt[] - [abstract] -- Amazon Elastic Kubernetes Service (Amazon EKS) has open-source scripts that are used to build the Amazon EKS optimized AMI. diff --git a/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc b/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc index 049f957e8..4cb1bfa0a 100644 --- a/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc +++ b/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#eks-ami-versions-bottlerocket] = Retrieve Bottlerocket AMI version information :info_titleabbrev: Get version information -include::../attributes.txt[] - [abstract] -- This topic gives resources for Amazon EKS optimized Bottlerocket AMIs version information. diff --git a/latest/ug/nodes/eks-ami-versions-windows.adoc b/latest/ug/nodes/eks-ami-versions-windows.adoc index b6a1f03cf..4c724e8f5 100644 --- a/latest/ug/nodes/eks-ami-versions-windows.adoc +++ b/latest/ug/nodes/eks-ami-versions-windows.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#eks-ami-versions-windows] = Retrieve Windows AMI version information :info_titleabbrev: Get version information -include::../attributes.txt[] - [abstract] -- This topic lists versions of the Amazon EKS optimized Windows AMIs and their corresponding versions of `kubelet`, `containerd`, and `csi-proxy`. diff --git a/latest/ug/nodes/eks-compute.adoc b/latest/ug/nodes/eks-compute.adoc index 9bcd613b9..8c353b097 100644 --- a/latest/ug/nodes/eks-compute.adoc +++ b/latest/ug/nodes/eks-compute.adoc @@ -1,6 +1,9 @@ +:doctype: book + +include::../attributes.txt[] + [#eks-compute] = Manage compute resources by using nodes -:doctype: book :sectnums: :toc: left :icons: font @@ -11,8 +14,6 @@ :info_titleabbrev: Manage compute :keywords: nodes, node groups -include::../attributes.txt[] - [abstract] -- Your Amazon EKS cluster can schedule Pods on any combination of self-managed nodes, Amazon EKS managed node groups, Fargate, and Amazon EKS Hybrid Nodes in the {aws} Cloud and hybrid nodes on-premises. diff --git a/latest/ug/nodes/eks-custom-ami-windows.adoc b/latest/ug/nodes/eks-custom-ami-windows.adoc index 00fb4938c..fc3348b8f 100644 --- a/latest/ug/nodes/eks-custom-ami-windows.adoc +++ b/latest/ug/nodes/eks-custom-ami-windows.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#eks-custom-ami-windows] = Build a custom Windows AMI with Image Builder :info_titleabbrev: Custom builds -include::../attributes.txt[] - [abstract] -- You can use EC2 Image Builder to create custom Amazon EKS optimized Windows AMIs. diff --git a/latest/ug/nodes/eks-linux-ami-versions.adoc b/latest/ug/nodes/eks-linux-ami-versions.adoc index 0a6596c8e..fd2991f57 100644 --- a/latest/ug/nodes/eks-linux-ami-versions.adoc +++ b/latest/ug/nodes/eks-linux-ami-versions.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#eks-linux-ami-versions] = Retrieve Amazon Linux AMI version information :info_titleabbrev: Get version information -include::../attributes.txt[] - [abstract] -- This topic gives the location of Amazon EKS optimized Amazon Linux AMIs version information. diff --git a/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc b/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc index a8f15b93a..106cf160e 100644 --- a/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc +++ b/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#eks-optimized-ami-bottlerocket] = Create nodes with optimized Bottlerocket AMIs :info_titleabbrev: Bottlerocket -include::../attributes.txt[] - [abstract] -- Bottlerocket is an open source Linux distribution that's sponsored and supported by {aws}. Bottlerocket includes only the essential software to run containers, which improves resource usage, reduces security threats, and lowers management overhead. diff --git a/latest/ug/nodes/eks-optimized-ami.adoc b/latest/ug/nodes/eks-optimized-ami.adoc index d242af60e..998b62007 100644 --- a/latest/ug/nodes/eks-optimized-ami.adoc +++ b/latest/ug/nodes/eks-optimized-ami.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#eks-optimized-ami] = Create nodes with optimized Amazon Linux AMIs :info_titleabbrev: Amazon Linux -include::../attributes.txt[] - include::al2023.adoc[leveloffset=+1] include::eks-linux-ami-versions.adoc[leveloffset=+1] diff --git a/latest/ug/nodes/eks-optimized-amis.adoc b/latest/ug/nodes/eks-optimized-amis.adoc index c61cdd245..6ba62413a 100644 --- a/latest/ug/nodes/eks-optimized-amis.adoc +++ b/latest/ug/nodes/eks-optimized-amis.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#eks-optimized-amis] = Create nodes with pre-built optimized images :info_titleabbrev: Pre-built optimized AMIs :keywords: optimized, custom, AMI -include::../attributes.txt[] - [abstract] -- You can deploy nodes with pre-built Amazon EKS optimized link:AWSEC2/latest/UserGuide/AMIs.html[Amazon Machine Images,type="documentation"] (AMIs) or your own custom AMIs. diff --git a/latest/ug/nodes/eks-optimized-windows-ami.adoc b/latest/ug/nodes/eks-optimized-windows-ami.adoc index 75c589ae2..4ce8c2225 100644 --- a/latest/ug/nodes/eks-optimized-windows-ami.adoc +++ b/latest/ug/nodes/eks-optimized-windows-ami.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#eks-optimized-windows-ami] = Create nodes with optimized Windows AMIs :info_titleabbrev: Windows -include::../attributes.txt[] - [abstract] -- Windows Amazon EKS optimized AMIs are built on top of Windows Server 2019. diff --git a/latest/ug/nodes/eks-partner-amis.adoc b/latest/ug/nodes/eks-partner-amis.adoc index 14d3df942..1a27433ed 100644 --- a/latest/ug/nodes/eks-partner-amis.adoc +++ b/latest/ug/nodes/eks-partner-amis.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#eks-partner-amis] = Create nodes with optimized Ubuntu Linux AMIs :info_titleabbrev: Ubuntu Linux -include::../attributes.txt[] - [abstract] -- Canonical has partnered with Amazon EKS to create node AMIs that you can use in your clusters. diff --git a/latest/ug/nodes/fargate-getting-started.adoc b/latest/ug/nodes/fargate-getting-started.adoc index ce2cf7703..eb66276c5 100644 --- a/latest/ug/nodes/fargate-getting-started.adoc +++ b/latest/ug/nodes/fargate-getting-started.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../attributes.txt[] [.topic] [#fargate-getting-started] diff --git a/latest/ug/nodes/fargate-logging.adoc b/latest/ug/nodes/fargate-logging.adoc index effeb7ceb..d6d034af1 100644 --- a/latest/ug/nodes/fargate-logging.adoc +++ b/latest/ug/nodes/fargate-logging.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../attributes.txt[] [.topic] [#fargate-logging] diff --git a/latest/ug/nodes/fargate-pod-configuration.adoc b/latest/ug/nodes/fargate-pod-configuration.adoc index a56fd5a84..3501bfee3 100644 --- a/latest/ug/nodes/fargate-pod-configuration.adoc +++ b/latest/ug/nodes/fargate-pod-configuration.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#fargate-pod-configuration] = Understand Fargate Pod configuration details :info_titleabbrev: Pod configuration details -include::../attributes.txt[] - [abstract] -- This section describes some of the unique Pod configuration details for running Kubernetes Pods on {aws} Fargate. diff --git a/latest/ug/nodes/fargate-pod-patching.adoc b/latest/ug/nodes/fargate-pod-patching.adoc index 297acb80b..de9554226 100644 --- a/latest/ug/nodes/fargate-pod-patching.adoc +++ b/latest/ug/nodes/fargate-pod-patching.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../attributes.txt[] [.topic] [#fargate-pod-patching] diff --git a/latest/ug/nodes/fargate-profile.adoc b/latest/ug/nodes/fargate-profile.adoc index 87d7802f0..444c3a23e 100644 --- a/latest/ug/nodes/fargate-profile.adoc +++ b/latest/ug/nodes/fargate-profile.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../attributes.txt[] [.topic] [#fargate-profile] diff --git a/latest/ug/nodes/fargate.adoc b/latest/ug/nodes/fargate.adoc index 3c146c2df..191453a2f 100644 --- a/latest/ug/nodes/fargate.adoc +++ b/latest/ug/nodes/fargate.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/hybrid-nodes-add-ons.adoc b/latest/ug/nodes/hybrid-nodes-add-ons.adoc index f634bcdea..78a68fcd0 100644 --- a/latest/ug/nodes/hybrid-nodes-add-ons.adoc +++ b/latest/ug/nodes/hybrid-nodes-add-ons.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#hybrid-nodes-add-ons] = Configure add-ons for hybrid nodes :info_titleabbrev: Configure add-ons :keywords: add-ons for on-premises nodes, add-ons for hybrid nodes -include::../attributes.txt[] - [abstract] -- Configure common add-ons for hybrid nodes diff --git a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc index e2db7d847..6a1bf1caa 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#hybrid-nodes-cluster-create] = Create an Amazon EKS cluster with hybrid nodes :info_titleabbrev: Create cluster :keywords: on-premises, hybrid -include::../attributes.txt[] - [abstract] -- Create hybrid nodes cluster diff --git a/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc b/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc index 3fc165bf0..72d6920c6 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc @@ -1,3 +1,7 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#hybrid-nodes-cluster-prep] = Prepare cluster access for hybrid nodes @@ -8,8 +12,6 @@ Prepare cluster access for Amazon EKS hybrid nodes -- -include::../attributes.txt[] - Before connecting hybrid nodes to your Amazon EKS cluster, you must enable your Hybrid Nodes IAM Role with Kubernetes permissions to join the cluster. See <> for information on how to create the Hybrid Nodes IAM role. Amazon EKS supports two ways to associate IAM principals with Kubernetes Role-Based Access Control (RBAC), Amazon EKS access entries and the `aws-auth` ConfigMap. For more information on Amazon EKS access management, see <>. Use the procedures below to associate your Hybrid Nodes IAM role with Kubernetes permissions. To use Amazon EKS access entries, your cluster must have been created with the `API` or `API_AND_CONFIG_MAP` authentication modes. To use the `aws-auth` ConfigMap, your cluster must have been created with the `API_AND_CONFIG_MAP` authentication mode. The `CONFIG_MAP`-only authentication mode is not supported for hybrid nodes-enabled Amazon EKS clusters. diff --git a/latest/ug/nodes/hybrid-nodes-cni.adoc b/latest/ug/nodes/hybrid-nodes-cni.adoc index 7e240fd77..2555233db 100644 --- a/latest/ug/nodes/hybrid-nodes-cni.adoc +++ b/latest/ug/nodes/hybrid-nodes-cni.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#hybrid-nodes-cni] = Configure a CNI for hybrid nodes :info_titleabbrev: Configure CNI :keywords: on-premises CNI, hybrid CNI -include::../attributes.txt[] - [abstract] -- Configure a CNI for Amazon EKS hybrid nodes diff --git a/latest/ug/nodes/hybrid-nodes-creds.adoc b/latest/ug/nodes/hybrid-nodes-creds.adoc index 39ca2978d..f248b0ddf 100644 --- a/latest/ug/nodes/hybrid-nodes-creds.adoc +++ b/latest/ug/nodes/hybrid-nodes-creds.adoc @@ -1,3 +1,7 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#hybrid-nodes-creds] = Prepare credentials for hybrid nodes @@ -7,8 +11,6 @@ -- Prepare credentials to authenticate hybrid nodes with Amazon EKS clusters -- -include::../attributes.txt[] - [abstract] -- Prepare credentials to authenticate hybrid nodes with Amazon EKS clusters diff --git a/latest/ug/nodes/hybrid-nodes-join.adoc b/latest/ug/nodes/hybrid-nodes-join.adoc index a4764b29a..8516f8700 100644 --- a/latest/ug/nodes/hybrid-nodes-join.adoc +++ b/latest/ug/nodes/hybrid-nodes-join.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#hybrid-nodes-join] = Connect hybrid nodes :info_titleabbrev: Connect hybrid nodes :keywords: on-premises, hybrid -include::../attributes.txt[] - [abstract] -- Connect hybrid nodes to Amazon EKS cluster. diff --git a/latest/ug/nodes/hybrid-nodes-networking.adoc b/latest/ug/nodes/hybrid-nodes-networking.adoc index b23ed3a17..f94df7135 100644 --- a/latest/ug/nodes/hybrid-nodes-networking.adoc +++ b/latest/ug/nodes/hybrid-nodes-networking.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#hybrid-nodes-networking] = Prepare networking for hybrid nodes :info_titleabbrev: Prepare networking :keywords: on-premises, hybrid -include::../attributes.txt[] - [abstract] -- Learn about and configure the VPC and on-premises networking for joining nodes from your data centers to Amazon EKS Kubernetes clusters with Amazon EKS Hybrid Nodes. diff --git a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc index 358815973..a1d15c1e5 100644 --- a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc +++ b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#hybrid-nodes-nodeadm] = Hybrid nodes `nodeadm` reference :info_titleabbrev: Hybrid nodes nodeadm :keywords: on-premises, hybrid -include::../attributes.txt[] - [abstract] -- Hybrid nodes nodeadm reference diff --git a/latest/ug/nodes/hybrid-nodes-os.adoc b/latest/ug/nodes/hybrid-nodes-os.adoc index 742577468..0ce108456 100644 --- a/latest/ug/nodes/hybrid-nodes-os.adoc +++ b/latest/ug/nodes/hybrid-nodes-os.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#hybrid-nodes-os] = Prepare operating system for hybrid nodes :info_titleabbrev: Prepare operating system :keywords: on-premises, hybrid -include::../attributes.txt[] - [abstract] -- Prepare operating system for use with Hybrid Nodes diff --git a/latest/ug/nodes/hybrid-nodes-overview.adoc b/latest/ug/nodes/hybrid-nodes-overview.adoc index 7d15b6665..2836c665e 100644 --- a/latest/ug/nodes/hybrid-nodes-overview.adoc +++ b/latest/ug/nodes/hybrid-nodes-overview.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#hybrid-nodes-overview] = Amazon EKS Hybrid Nodes overview :info_titleabbrev: Hybrid nodes :keywords: on-premises, hybrid -include::../attributes.txt[] - [abstract] -- Join nodes from your data centers to Amazon EKS Kubernetes clusters with Amazon EKS Hybrid Nodes. diff --git a/latest/ug/nodes/hybrid-nodes-prereqs.adoc b/latest/ug/nodes/hybrid-nodes-prereqs.adoc index fefe553db..4f241a2b8 100644 --- a/latest/ug/nodes/hybrid-nodes-prereqs.adoc +++ b/latest/ug/nodes/hybrid-nodes-prereqs.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#hybrid-nodes-prereqs] = Prerequisite setup for hybrid nodes :info_titleabbrev: Prerequisites :keywords: on-premises prerequisites, hybrid prerequisites -include::../attributes.txt[] - [abstract] -- Learn about the prerequisites and requirements for joining nodes from your data centers to Amazon EKS Kubernetes clusters with Amazon EKS Hybrid Nodes. diff --git a/latest/ug/nodes/hybrid-nodes-proxy.adoc b/latest/ug/nodes/hybrid-nodes-proxy.adoc index 8eafb5112..53675efe8 100644 --- a/latest/ug/nodes/hybrid-nodes-proxy.adoc +++ b/latest/ug/nodes/hybrid-nodes-proxy.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#hybrid-nodes-proxy] = Configure proxy for hybrid nodes :info_titleabbrev: Configure proxy :keywords: on-premises proxy, hybrid proxy -include::../attributes.txt[] - [abstract] -- Configure HTTP/S proxies for Amazon EKS hybrid nodes diff --git a/latest/ug/nodes/hybrid-nodes-remove.adoc b/latest/ug/nodes/hybrid-nodes-remove.adoc index 14d0c1aa5..f28badbc3 100644 --- a/latest/ug/nodes/hybrid-nodes-remove.adoc +++ b/latest/ug/nodes/hybrid-nodes-remove.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#hybrid-nodes-remove] = Remove hybrid nodes :info_titleabbrev: Delete hybrid nodes :keywords: Delete hybrid nodes from your EKS cluster -include::../attributes.txt[] - [abstract] -- Delete hybrid nodes from your EKS cluster diff --git a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc index 9f04ad87b..6e2f6a5ac 100644 --- a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc +++ b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#hybrid-nodes-troubleshooting] = Troubleshooting hybrid nodes :info_titleabbrev: Troubleshooting :keywords: on-premises, hybrid -include::../attributes.txt[] - [abstract] -- Troubleshoot, diagnose, and repair hybrid nodes from your data centers to Amazon EKS Kubernetes clusters. diff --git a/latest/ug/nodes/hybrid-nodes-tutorial.adoc b/latest/ug/nodes/hybrid-nodes-tutorial.adoc index 68cee9140..8029d5d88 100644 --- a/latest/ug/nodes/hybrid-nodes-tutorial.adoc +++ b/latest/ug/nodes/hybrid-nodes-tutorial.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#hybrid-nodes-tutorial] = Run on-premises workloads on hybrid nodes :info_titleabbrev: Run hybrid nodes :keywords: on-premises, hybrid -include::../attributes.txt[] - [abstract] -- Join nodes from your data centers to Amazon EKS Kubernetes clusters with Amazon EKS Hybrid Nodes. diff --git a/latest/ug/nodes/hybrid-nodes-upgrade.adoc b/latest/ug/nodes/hybrid-nodes-upgrade.adoc index 272c3578d..dc1ba3faf 100644 --- a/latest/ug/nodes/hybrid-nodes-upgrade.adoc +++ b/latest/ug/nodes/hybrid-nodes-upgrade.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#hybrid-nodes-upgrade] = Upgrade hybrid nodes for your cluster :info_titleabbrev: Upgrade hybrid nodes :keywords: upgrade on-premises nodes, upgrade hybrid nodes -include::../attributes.txt[] - [abstract] -- Upgrade Kubernetes versions on hybrid nodes diff --git a/latest/ug/nodes/launch-node-bottlerocket.adoc b/latest/ug/nodes/launch-node-bottlerocket.adoc index a58a03629..cb2b9ed2b 100644 --- a/latest/ug/nodes/launch-node-bottlerocket.adoc +++ b/latest/ug/nodes/launch-node-bottlerocket.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#launch-node-bottlerocket] = Create self-managed Bottlerocket nodes :info_titleabbrev: Bottlerocket -include::../attributes.txt[] - [abstract] -- This topic describes how to launch Auto Scaling groups of Bottlerocket nodes that register with your Amazon EKS cluster diff --git a/latest/ug/nodes/launch-node-ubuntu.adoc b/latest/ug/nodes/launch-node-ubuntu.adoc index 0cef5e2b6..8e89660f4 100644 --- a/latest/ug/nodes/launch-node-ubuntu.adoc +++ b/latest/ug/nodes/launch-node-ubuntu.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#launch-node-ubuntu] = Create self-managed Ubuntu Linux nodes :info_titleabbrev: Ubuntu Linux -include::../attributes.txt[] - [abstract] -- This topic describes how to launch Auto Scaling groups of Ubuntu nodes that register with your Amazon EKS cluster diff --git a/latest/ug/nodes/launch-templates.adoc b/latest/ug/nodes/launch-templates.adoc index 53ab5f757..9a2f6d9ee 100644 --- a/latest/ug/nodes/launch-templates.adoc +++ b/latest/ug/nodes/launch-templates.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#launch-templates] = Customize managed nodes with launch templates :info_titleabbrev: Launch templates -include::../attributes.txt[] - [abstract] -- For the highest level of customization, you can deploy managed nodes using your own launch template and a custom AMI. diff --git a/latest/ug/nodes/launch-windows-workers.adoc b/latest/ug/nodes/launch-windows-workers.adoc index 7564b636e..416e07ecd 100644 --- a/latest/ug/nodes/launch-windows-workers.adoc +++ b/latest/ug/nodes/launch-windows-workers.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#launch-windows-workers] = Create self-managed Microsoft Windows nodes :info_titleabbrev: Windows -include::../attributes.txt[] - [abstract] -- This topic describes how to launch Auto Scaling groups of Windows nodes that register with your Amazon EKS cluster. diff --git a/latest/ug/nodes/launch-workers.adoc b/latest/ug/nodes/launch-workers.adoc index 0dda3a2c4..1a8a4a774 100644 --- a/latest/ug/nodes/launch-workers.adoc +++ b/latest/ug/nodes/launch-workers.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#launch-workers] = Create self-managed Amazon Linux nodes :info_titleabbrev: Amazon Linux -include::../attributes.txt[] - [abstract] -- This topic describes how you can launch Auto Scaling groups of Linux nodes that register with your Amazon EKS cluster. diff --git a/latest/ug/nodes/learn-status-conditions.adoc b/latest/ug/nodes/learn-status-conditions.adoc index 1723f7d49..3d3d48d4a 100644 --- a/latest/ug/nodes/learn-status-conditions.adoc +++ b/latest/ug/nodes/learn-status-conditions.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#learn-status-conditions] = View the health status of your nodes :info_titleabbrev: View node health -include::../attributes.txt[] - [abstract] -- This topic explains the tools and methods available for monitoring node health status in Amazon EKS clusters. diff --git a/latest/ug/nodes/managed-node-groups.adoc b/latest/ug/nodes/managed-node-groups.adoc index 8374f6c79..235e79df1 100644 --- a/latest/ug/nodes/managed-node-groups.adoc +++ b/latest/ug/nodes/managed-node-groups.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#managed-node-groups] = Simplify node lifecycle with managed node groups :info_titleabbrev: Managed node groups :keywords: managed node group, MNG -include::../attributes.txt[] - include::create-managed-node-group.adoc[leveloffset=+1] include::update-managed-node-group.adoc[leveloffset=+1] diff --git a/latest/ug/nodes/managed-node-update-behavior.adoc b/latest/ug/nodes/managed-node-update-behavior.adoc index 7c9b7e8d4..639bc6eb7 100644 --- a/latest/ug/nodes/managed-node-update-behavior.adoc +++ b/latest/ug/nodes/managed-node-update-behavior.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#managed-node-update-behavior] = Understand each phase of node updates :info_titleabbrev: Update behavior details -include::../attributes.txt[] - [abstract] -- The Amazon EKS managed worker node upgrade strategy has four different phases. diff --git a/latest/ug/nodes/migrate-stack.adoc b/latest/ug/nodes/migrate-stack.adoc index c3091da4a..c31638f9e 100644 --- a/latest/ug/nodes/migrate-stack.adoc +++ b/latest/ug/nodes/migrate-stack.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#migrate-stack] = Migrate applications to a new node group :info_titleabbrev: Migration -include::../attributes.txt[] - [abstract] -- This topic describes how you can create a new node group, gracefully migrate your existing applications to the new group, and remove the old node group from your cluster. diff --git a/latest/ug/nodes/monitoring-fargate-usage.adoc b/latest/ug/nodes/monitoring-fargate-usage.adoc index d91c9ec3d..a86de301b 100644 --- a/latest/ug/nodes/monitoring-fargate-usage.adoc +++ b/latest/ug/nodes/monitoring-fargate-usage.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../attributes.txt[] [.topic] [#monitoring-fargate-usage] diff --git a/latest/ug/nodes/node-health.adoc b/latest/ug/nodes/node-health.adoc index f5b352f26..ada260606 100644 --- a/latest/ug/nodes/node-health.adoc +++ b/latest/ug/nodes/node-health.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#node-health] = Enable node auto repair and investigate node health issues :info_titleabbrev: Node health -include::../attributes.txt[] - include::learn-status-conditions.adoc[leveloffset=+1] include::auto-get-logs.adoc[leveloffset=+1] diff --git a/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc b/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc index 5ec4b050e..32f277e61 100644 --- a/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc +++ b/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#retrieve-ami-id-bottlerocket] = Retrieve recommended Bottlerocket AMI IDs :info_titleabbrev: Get latest IDs -include::../attributes.txt[] - [abstract] -- You can retrieve the Amazon Machine Image (AMI) ID for Amazon EKS optimized AMIs by querying the {aws} Systems Manager Parameter Store API. diff --git a/latest/ug/nodes/retrieve-ami-id.adoc b/latest/ug/nodes/retrieve-ami-id.adoc index 351d7216a..5ad9c8f4b 100644 --- a/latest/ug/nodes/retrieve-ami-id.adoc +++ b/latest/ug/nodes/retrieve-ami-id.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#retrieve-ami-id] = Retrieve recommended Amazon Linux AMI IDs :info_titleabbrev: Get latest IDs -include::../attributes.txt[] - [abstract] -- You can programmatically retrieve the Amazon Machine Image (AMI) ID for Amazon EKS optimized AMIs by querying the {aws} Systems Manager Parameter Store API. diff --git a/latest/ug/nodes/retrieve-windows-ami-id.adoc b/latest/ug/nodes/retrieve-windows-ami-id.adoc index a0a1726a6..2469dca1d 100644 --- a/latest/ug/nodes/retrieve-windows-ami-id.adoc +++ b/latest/ug/nodes/retrieve-windows-ami-id.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#retrieve-windows-ami-id] = Retrieve recommended Microsoft Windows AMI IDs :info_titleabbrev: Get latest IDs -include::../attributes.txt[] - [abstract] -- You can programmatically retrieve the Amazon Machine Image (AMI) ID for Amazon EKS optimized AMIs by querying the {aws} Systems Manager Parameter Store API. diff --git a/latest/ug/nodes/self-managed-windows-server-2022.adoc b/latest/ug/nodes/self-managed-windows-server-2022.adoc index b70a7948c..32c64dc45 100644 --- a/latest/ug/nodes/self-managed-windows-server-2022.adoc +++ b/latest/ug/nodes/self-managed-windows-server-2022.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#self-managed-windows-server-2022] = Create self-managed Windows Server 2022 nodes with `eksctl` :info_titleabbrev: Windows Server 2022 -include::../attributes.txt[] - [abstract] -- This topic includes a YAML file as reference for creating self-managed Windows Server 2022 nodes. diff --git a/latest/ug/nodes/update-managed-node-group.adoc b/latest/ug/nodes/update-managed-node-group.adoc index 75d815595..3387a4994 100644 --- a/latest/ug/nodes/update-managed-node-group.adoc +++ b/latest/ug/nodes/update-managed-node-group.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#update-managed-node-group] = Update a managed node group for your cluster :info_titleabbrev: Update -include::../attributes.txt[] - [abstract] -- When you initiate a managed node group update, Amazon EKS automatically updates your nodes for you. diff --git a/latest/ug/nodes/update-stack.adoc b/latest/ug/nodes/update-stack.adoc index bcbb90d55..c6a8bc871 100644 --- a/latest/ug/nodes/update-stack.adoc +++ b/latest/ug/nodes/update-stack.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../attributes.txt[] [.topic] [#update-stack] diff --git a/latest/ug/nodes/update-workers.adoc b/latest/ug/nodes/update-workers.adoc index 231cb2e7e..21ffe0581 100644 --- a/latest/ug/nodes/update-workers.adoc +++ b/latest/ug/nodes/update-workers.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#update-workers] = Update self-managed nodes for your cluster :info_titleabbrev: Update methods -include::../attributes.txt[] - [abstract] -- When a new Amazon EKS optimized AMI is released, consider replacing the nodes in your self-managed node group with the new AMI. diff --git a/latest/ug/nodes/worker.adoc b/latest/ug/nodes/worker.adoc index 1b1a03c86..81e7e997f 100644 --- a/latest/ug/nodes/worker.adoc +++ b/latest/ug/nodes/worker.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#worker] = Maintain nodes yourself with self-managed nodes :info_titleabbrev: Self-managed nodes :keywords: self-managed, node -include::../attributes.txt[] - include::launch-workers.adoc[leveloffset=+1] include::launch-node-bottlerocket.adoc[leveloffset=+1] diff --git a/latest/ug/observability/cloudwatch.adoc b/latest/ug/observability/cloudwatch.adoc index 172325a64..756bd0b64 100644 --- a/latest/ug/observability/cloudwatch.adoc +++ b/latest/ug/observability/cloudwatch.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#cloudwatch] = Monitor cluster data with Amazon CloudWatch :info_titleabbrev: Amazon CloudWatch :keywords: CloudWatch, observability, operator, add-on -include::../attributes.txt[] - [abstract] -- With Amazon CloudWatch, you can view metrics, real-time logs, and trace data. diff --git a/latest/ug/observability/control-plane-logs.adoc b/latest/ug/observability/control-plane-logs.adoc index 755a829ae..ffd3f0951 100644 --- a/latest/ug/observability/control-plane-logs.adoc +++ b/latest/ug/observability/control-plane-logs.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#control-plane-logs] = Send control plane logs to CloudWatch Logs :info_titleabbrev: Control plane logs :keywords: control plane, logging, API, logs -include::../attributes.txt[] - [abstract] -- Learn how to configure logging for your Amazon EKS cluster. diff --git a/latest/ug/observability/deploy-prometheus.adoc b/latest/ug/observability/deploy-prometheus.adoc index 48fb31cf9..fde340593 100644 --- a/latest/ug/observability/deploy-prometheus.adoc +++ b/latest/ug/observability/deploy-prometheus.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#deploy-prometheus] = Deploy Prometheus using Helm :info_titleabbrev: Deploy using Helm -include::../attributes.txt[] - [abstract] -- As an alternative to using Amazon Managed Service for Prometheus, you can deploy Prometheus into your cluster with Helm V3. diff --git a/latest/ug/observability/eks-observe.adoc b/latest/ug/observability/eks-observe.adoc index cdae45d75..5df3c8ea0 100644 --- a/latest/ug/observability/eks-observe.adoc +++ b/latest/ug/observability/eks-observe.adoc @@ -1,6 +1,9 @@ +:doctype: book + +include::../attributes.txt[] + [#eks-observe] = Monitor your cluster performance and view logs -:doctype: book :sectnums: :toc: left :icons: font @@ -11,8 +14,6 @@ :info_titleabbrev: Monitor clusters :keywords: observability, monitoring, logging, logs, data -include::../attributes.txt[] - [abstract] -- You can observe your data in Amazon EKS using many available monitoring or logging tools. diff --git a/latest/ug/observability/enable-asg-metrics.adoc b/latest/ug/observability/enable-asg-metrics.adoc index c9aaec5a0..97448cab9 100644 --- a/latest/ug/observability/enable-asg-metrics.adoc +++ b/latest/ug/observability/enable-asg-metrics.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#enable-asg-metrics] = View metrics for Amazon EC2 Auto Scaling groups :info_titleabbrev: Auto Scaling group metrics -include::../attributes.txt[] - [abstract] -- You can use Amazon EC2 Auto Scaling group metrics to track changes in an Auto Scaling group and to set alarms on threshold values. diff --git a/latest/ug/observability/logging-using-cloudtrail.adoc b/latest/ug/observability/logging-using-cloudtrail.adoc index b4b45b6db..5bf45a145 100644 --- a/latest/ug/observability/logging-using-cloudtrail.adoc +++ b/latest/ug/observability/logging-using-cloudtrail.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../attributes.txt[] [.topic] diff --git a/latest/ug/observability/observability-dashboard.adoc b/latest/ug/observability/observability-dashboard.adoc index ba7683066..ae8ac116e 100644 --- a/latest/ug/observability/observability-dashboard.adoc +++ b/latest/ug/observability/observability-dashboard.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#observability-dashboard] = Monitor your cluster with the observability dashboard :info_titleabbrev: Observability dashboard :keywords: observability, dashboard -include::../attributes.txt[] - [abstract] -- Learn how to configure logging for your Amazon EKS cluster. diff --git a/latest/ug/observability/opentelemetry.adoc b/latest/ug/observability/opentelemetry.adoc index f869f68c0..ec2a9a8b0 100644 --- a/latest/ug/observability/opentelemetry.adoc +++ b/latest/ug/observability/opentelemetry.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#opentelemetry] = Send metric and trace data with ADOT Operator :info_titleabbrev: ADOT Operator :keywords: ADOT -include::../attributes.txt[] - [abstract] -- The {aws} Distro for OpenTelemetry (ADOT) Operator makes it easier to enable your applications running on Amazon EKS to send metric and trace data to multiple monitoring service options. diff --git a/latest/ug/observability/prometheus.adoc b/latest/ug/observability/prometheus.adoc index 215577315..6c82d652b 100644 --- a/latest/ug/observability/prometheus.adoc +++ b/latest/ug/observability/prometheus.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#prometheus] = Monitor your cluster metrics with Prometheus :info_titleabbrev: Prometheus metrics :keywords: Prometheus, metrics, control plane -include::../attributes.txt[] - [abstract] -- This topic explains how to deploy Prometheus and some of the ways that you can use it to view and analyze what your cluster is doing. diff --git a/latest/ug/observability/service-name-info-in-cloudtrail.adoc b/latest/ug/observability/service-name-info-in-cloudtrail.adoc index 402ac3732..2c516d0da 100644 --- a/latest/ug/observability/service-name-info-in-cloudtrail.adoc +++ b/latest/ug/observability/service-name-info-in-cloudtrail.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../attributes.txt[] [.topic] [#service-name-info-in-cloudtrail] diff --git a/latest/ug/observability/understanding-service-name-entries.adoc b/latest/ug/observability/understanding-service-name-entries.adoc index 6d4b5ff57..b9ddb0a06 100644 --- a/latest/ug/observability/understanding-service-name-entries.adoc +++ b/latest/ug/observability/understanding-service-name-entries.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../attributes.txt[] [.topic] [#understanding-service-name-entries] diff --git a/latest/ug/observability/view-raw-metrics.adoc b/latest/ug/observability/view-raw-metrics.adoc index f3c4d4e91..a58d94858 100644 --- a/latest/ug/observability/view-raw-metrics.adoc +++ b/latest/ug/observability/view-raw-metrics.adoc @@ -1,12 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#view-raw-metrics] = Fetch control plane raw metrics in Prometheus format :info_titleabbrev: Control plane -include::../attributes.txt[] - -include::../attributes.txt[] - [abstract] -- The Kubernetes control plane exposes a number of metrics that are represented in a Prometheus format. diff --git a/latest/ug/outposts/eks-outposts-capacity-considerations.adoc b/latest/ug/outposts/eks-outposts-capacity-considerations.adoc index 1bdeb0576..0f381566c 100644 --- a/latest/ug/outposts/eks-outposts-capacity-considerations.adoc +++ b/latest/ug/outposts/eks-outposts-capacity-considerations.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts-local-cluster-create.adoc b/latest/ug/outposts/eks-outposts-local-cluster-create.adoc index af80858c9..a4867c2d7 100644 --- a/latest/ug/outposts/eks-outposts-local-cluster-create.adoc +++ b/latest/ug/outposts/eks-outposts-local-cluster-create.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc b/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc index 01b31ae90..14cf6e9b7 100644 --- a/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc +++ b/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts-network-disconnects.adoc b/latest/ug/outposts/eks-outposts-network-disconnects.adoc index d6992a9dd..cd9ec7c12 100644 --- a/latest/ug/outposts/eks-outposts-network-disconnects.adoc +++ b/latest/ug/outposts/eks-outposts-network-disconnects.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts-platform-versions.adoc b/latest/ug/outposts/eks-outposts-platform-versions.adoc index 83d140669..a6d0f15bd 100644 --- a/latest/ug/outposts/eks-outposts-platform-versions.adoc +++ b/latest/ug/outposts/eks-outposts-platform-versions.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc index e8200df03..fe354889d 100644 --- a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc +++ b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts-troubleshooting.adoc b/latest/ug/outposts/eks-outposts-troubleshooting.adoc index 4e08bc1bc..8a8f744ef 100644 --- a/latest/ug/outposts/eks-outposts-troubleshooting.adoc +++ b/latest/ug/outposts/eks-outposts-troubleshooting.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc b/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc index f13a8b106..29397a73f 100644 --- a/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc +++ b/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts.adoc b/latest/ug/outposts/eks-outposts.adoc index 593b94324..88d1df3c4 100644 --- a/latest/ug/outposts/eks-outposts.adoc +++ b/latest/ug/outposts/eks-outposts.adoc @@ -1,7 +1,7 @@ +:doctype: book include::../attributes.txt[] [#eks-outposts] = Deploy Amazon EKS on-premises with {aws} Outposts -:doctype: book :sectnums: :toc: left :icons: font diff --git a/latest/ug/quickstart.adoc b/latest/ug/quickstart.adoc index ebeb7fc3a..52038a309 100644 --- a/latest/ug/quickstart.adoc +++ b/latest/ug/quickstart.adoc @@ -1,3 +1,4 @@ +:doctype: book [.topic] [#quickstart] = Quickstart: Deploy a web app and store data diff --git a/latest/ug/related-projects.adoc b/latest/ug/related-projects.adoc index 24416bd1b..2c919007e 100644 --- a/latest/ug/related-projects.adoc +++ b/latest/ug/related-projects.adoc @@ -1,7 +1,7 @@ +:doctype: book include::attributes.txt[] [#related-projects] = Extend Amazon EKS capabilities with open source projects -:doctype: book :sectnums: :toc: left :icons: font diff --git a/latest/ug/roadmap.adoc b/latest/ug/roadmap.adoc index e0491c3dd..597b89b16 100644 --- a/latest/ug/roadmap.adoc +++ b/latest/ug/roadmap.adoc @@ -1,8 +1,8 @@ +:doctype: book include::attributes.txt[] [.topic] [#roadmap] = Learn about Amazon EKS new features and roadmap -:doctype: book :sectnums: :toc: left :icons: font diff --git a/latest/ug/security/auto-security.adoc b/latest/ug/security/auto-security.adoc index 7afa48983..e5be93ee0 100644 --- a/latest/ug/security/auto-security.adoc +++ b/latest/ug/security/auto-security.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#auto-security] = Security considerations for Amazon EKS Auto Mode :info_titleabbrev: Considerations for EKS Auto -include::../attributes.txt[] - This topic describes the security architecture, controls, and best practices for Amazon EKS Auto Mode. As organizations deploy containerized applications at scale, maintaining a strong security posture becomes increasingly complex. EKS Auto Mode implements automated security controls and integrates with {aws} security services to help you protect your cluster infrastructure, workloads, and data. Through built-in security features like enforced node lifecycle management and automated patch deployment, EKS Auto Mode helps you maintain security best practices while reducing operational overhead. Before proceeding with this topic, make sure that you're familiar with basic EKS Auto Mode concepts and have reviewed the prerequisites for enabling EKS Auto Mode on your clusters. For general information about Amazon EKS security, see <>. diff --git a/latest/ug/security/cert-signing.adoc b/latest/ug/security/cert-signing.adoc index cda8868ec..a9c336177 100644 --- a/latest/ug/security/cert-signing.adoc +++ b/latest/ug/security/cert-signing.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#cert-signing] = Secure workloads with Kubernetes certificates :info_titleabbrev: Certificate signing -include::../attributes.txt[] - [abstract] -- Learn how to request and obtain X.509 certificates from the Certificate Authority (CA) using Certificate Signing Requests (CSRs) in Amazon EKS, including details on migrating from legacy signers, generating CSRs, approving requests, and handling certificate signing considerations before upgrading to Kubernetes 1.24. diff --git a/latest/ug/security/compliance.adoc b/latest/ug/security/compliance.adoc index 8527c380a..2e8e86a63 100644 --- a/latest/ug/security/compliance.adoc +++ b/latest/ug/security/compliance.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#compliance] = Compliance validation for Amazon EKS clusters :info_titleabbrev: Validate compliance -include::../attributes.txt[] - [abstract] -- Discover compliance resources and services for Amazon Elastic Kubernetes Service to help secure your {aws} workloads, meet regulatory requirements like HIPAA, and validate adherence to security standards like NIST, PCI, and ISO using {aws} Config, Security Hub, GuardDuty, and Audit Manager. diff --git a/latest/ug/security/configuration-vulnerability-analysis.adoc b/latest/ug/security/configuration-vulnerability-analysis.adoc index dab61a383..4e4639fb9 100644 --- a/latest/ug/security/configuration-vulnerability-analysis.adoc +++ b/latest/ug/security/configuration-vulnerability-analysis.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#configuration-vulnerability-analysis] = Analyze vulnerabilities in Amazon EKS :info_titleabbrev: Analyze vulnerabilities -include::../attributes.txt[] - [abstract] -- Learn how to analyze the security configuration and vulnerabilities of your Amazon EKS clusters and resources using tools like the CIS EKS Benchmark, platform versions, vulnerability lists, Amazon Inspector, and Amazon GuardDuty for comprehensive threat detection and protection. diff --git a/latest/ug/security/default-roles-users.adoc b/latest/ug/security/default-roles-users.adoc index 7f2874e79..ef21f9ee7 100644 --- a/latest/ug/security/default-roles-users.adoc +++ b/latest/ug/security/default-roles-users.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#default-roles-users] = Understand Amazon EKS created RBAC roles and users :info_titleabbrev: Default roles and users -include::../attributes.txt[] - [abstract] -- Learn about the Kubernetes roles and users that Amazon EKS creates for cluster components and add-ons. Amazon EKS uses these role-based authorization control (RBAC) identities to operate the cluster. diff --git a/latest/ug/security/disaster-recovery-resiliency.adoc b/latest/ug/security/disaster-recovery-resiliency.adoc index 0b246ca30..69efa6ec0 100644 --- a/latest/ug/security/disaster-recovery-resiliency.adoc +++ b/latest/ug/security/disaster-recovery-resiliency.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#disaster-recovery-resiliency] = Understand resilience in Amazon EKS clusters :info_titleabbrev: Resilience -include::../attributes.txt[] - [abstract] -- Learn how Amazon EKS ensures high availability, data resilience, and fault tolerance for your Kubernetes control plane by leveraging {aws} infrastructure across multiple Availability Zones . diff --git a/latest/ug/security/enable-kms.adoc b/latest/ug/security/enable-kms.adoc index f4e1cb0f3..67d3ae054 100644 --- a/latest/ug/security/enable-kms.adoc +++ b/latest/ug/security/enable-kms.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#enable-kms] = Encrypt Kubernetes secrets with KMS on existing clusters :info_titleabbrev: Enable secret encryption -include::../attributes.txt[] - [abstract] -- Learn how to enable Kubernetes secrets encryption with {aws} KMS on an existing Amazon EKS cluster, ensuring secure storage of sensitive data. diff --git a/latest/ug/security/envelope-encryption.adoc b/latest/ug/security/envelope-encryption.adoc index 216ade699..344f7a9c9 100644 --- a/latest/ug/security/envelope-encryption.adoc +++ b/latest/ug/security/envelope-encryption.adoc @@ -1,9 +1,11 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#envelope-encryption] = Default envelope encryption for all Kubernetes API Data -include::../attributes.txt[] - //GDC //Insert Images //Existing clusters and new clusters diff --git a/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc b/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc index 7a6a32115..c22f1d538 100644 --- a/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc +++ b/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#auto-cluster-iam-role] = Amazon EKS Auto Mode cluster IAM role :idprefix: wip_ :info_titleabbrev: Auto Mode cluster IAM role -include::../../attributes.txt[] - [abstract] -- Learn how to create and configure the required {aws} Identity and Access Management role for Amazon EKS Auto Mode clusters to automate routine tasks for storage, networking, and compute autoscaling. diff --git a/latest/ug/security/iam-reference/auto-create-node-role.adoc b/latest/ug/security/iam-reference/auto-create-node-role.adoc index cf5b819a1..e4c885f16 100644 --- a/latest/ug/security/iam-reference/auto-create-node-role.adoc +++ b/latest/ug/security/iam-reference/auto-create-node-role.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#auto-create-node-role] = Amazon EKS Auto Mode node IAM role :idprefix: id_ :info_titleabbrev: Auto Mode node IAM role -include::../../attributes.txt[] - // write short desc [NOTE] diff --git a/latest/ug/security/iam-reference/cluster-iam-role.adoc b/latest/ug/security/iam-reference/cluster-iam-role.adoc index 1acf4739b..13cb34f29 100644 --- a/latest/ug/security/iam-reference/cluster-iam-role.adoc +++ b/latest/ug/security/iam-reference/cluster-iam-role.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#cluster-iam-role] = Amazon EKS cluster IAM role :info_titleabbrev: Cluster IAM role -include::../../attributes.txt[] - [abstract] -- Learn how to create and configure the required {aws} Identity and Access Management role for Amazon EKS clusters to manage nodes and load balancers using managed or custom IAM policies. diff --git a/latest/ug/security/iam-reference/connector-iam-role.adoc b/latest/ug/security/iam-reference/connector-iam-role.adoc index 6852b6913..aa6432853 100644 --- a/latest/ug/security/iam-reference/connector-iam-role.adoc +++ b/latest/ug/security/iam-reference/connector-iam-role.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#connector-iam-role] = Amazon EKS connector IAM role :info_titleabbrev: Connector IAM role -include::../../attributes.txt[] - You can connect Kubernetes clusters to view them in your {aws-management-console}. To connect to a Kubernetes cluster, create an IAM role. [#check-connector-role] diff --git a/latest/ug/security/iam-reference/create-node-role.adoc b/latest/ug/security/iam-reference/create-node-role.adoc index 41da07f54..8619e20f1 100644 --- a/latest/ug/security/iam-reference/create-node-role.adoc +++ b/latest/ug/security/iam-reference/create-node-role.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#create-node-role] = Amazon EKS node IAM role :info_titleabbrev: Node IAM role -include::../../attributes.txt[] - The Amazon EKS node `kubelet` daemon makes calls to {aws} APIs on your behalf. Nodes receive permissions for these API calls through an IAM instance profile and associated policies. Before you can launch nodes and register them into a cluster, you must create an IAM role for those nodes to use when they are launched. This requirement applies to nodes launched with the Amazon EKS optimized AMI provided by Amazon, or with any other node AMIs that you intend to use. Additionally, this requirement applies to both managed node groups and self-managed nodes. [NOTE] diff --git a/latest/ug/security/iam-reference/pod-execution-role.adoc b/latest/ug/security/iam-reference/pod-execution-role.adoc index 529c3a893..e8e41e9e1 100644 --- a/latest/ug/security/iam-reference/pod-execution-role.adoc +++ b/latest/ug/security/iam-reference/pod-execution-role.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#pod-execution-role] = Amazon EKS Pod execution IAM role :info_titleabbrev: Pod execution IAM role -include::../../attributes.txt[] - The Amazon EKS Pod execution role is required to run Pods on {aws} Fargate infrastructure. When your cluster creates Pods on {aws} Fargate infrastructure, the components running on the Fargate infrastructure must make calls to {aws} APIs on your behalf. This is so that they can do actions such as pull container images from Amazon ECR or route logs to other {aws} services. The Amazon EKS Pod execution role provides the IAM permissions to do this. diff --git a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc index 1e5033e22..74664b08c 100644 --- a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc +++ b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../../attributes.txt[] [.topic] [#security-iam-awsmanpol] diff --git a/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc b/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc index 29b16a33a..5fe835e6d 100644 --- a/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc +++ b/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#security-iam-id-based-policy-examples] = Amazon EKS identity-based policy examples :info_titleabbrev: Identity-based policies -include::../../attributes.txt[] - By default, IAM users and roles don't have permission to create or modify Amazon EKS resources. They also can't perform tasks using the {aws-management-console}, {aws} CLI, or {aws} API. An IAM administrator must create IAM policies that grant users and roles permission to perform specific API operations on the specified resources they need. The administrator must then attach those policies to the IAM users or groups that require those permissions. To learn how to create an IAM identity-based policy using these example JSON policy documents, see link:IAM/latest/UserGuide/access_policies_create.html#access_policies_create-json-editor[Creating policies on the JSON tab,type="documentation"] in the _IAM User Guide_. diff --git a/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc b/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc index 9a99538d2..76214156b 100644 --- a/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc +++ b/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#security-iam-service-with-iam] = How Amazon EKS works with IAM :info_titleabbrev: Amazon EKS and IAM -include::../../attributes.txt[] - Before you use IAM to manage access to Amazon EKS, you should understand what IAM features are available to use with Amazon EKS. To get a high-level view of how Amazon EKS and other {aws} services work with IAM, see link:IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html[{aws} services that work with IAM,type="documentation"] in the _IAM User Guide_. [.topiclist] diff --git a/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc b/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc index 35c2b5558..449a4bb56 100644 --- a/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc +++ b/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#security-iam-troubleshoot] = Troubleshooting IAM :info_titleabbrev: Troubleshooting -include::../../attributes.txt[] - This topic covers some common errors that you may see while using Amazon EKS with IAM and how to work around them. [#iam-error] diff --git a/latest/ug/security/iam-reference/security-iam.adoc b/latest/ug/security/iam-reference/security-iam.adoc index 00d32d92b..b4434710d 100644 --- a/latest/ug/security/iam-reference/security-iam.adoc +++ b/latest/ug/security/iam-reference/security-iam.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#security-iam] = Identity and access management for Amazon EKS :info_titleabbrev: IAM Reference -include::../../attributes.txt[] - include::security-iam-service-with-iam.adoc[leveloffset=+1] include::security-iam-id-based-policy-examples.adoc[leveloffset=+1] diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc index df6c0176f..de488f0b7 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#using-service-linked-roles-eks-connector] = Using roles to connect a Kubernetes cluster to Amazon EKS :info_titleabbrev: Cluster connector role -include::../../attributes.txt[] - [abstract] -- How to use service-linked roles to give Amazon EKS access to resources in your {aws} account. diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc index 19f262dbb..5b388788e 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#using-service-linked-roles-eks-fargate] = Using roles for Amazon EKS Fargate profiles :info_titleabbrev: Fargate profile role -include::../../attributes.txt[] - [abstract] -- How to use service-linked roles to give Amazon EKS access to resources in your {aws} account. diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc index db6dc69a6..c65f54cda 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#using-service-linked-roles-eks-nodegroups] = Using roles for Amazon EKS node groups :info_titleabbrev: Node groups role -include::../../attributes.txt[] - [abstract] -- How to use service-linked roles to give Amazon EKS access to resources in your {aws} account. diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc index 2b922305e..0c806bf3c 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#using-service-linked-roles-eks-outpost] = Using roles for Amazon EKS local clusters on Outpost :info_titleabbrev: Local cluster role -include::../../attributes.txt[] - [abstract] -- How to use service-linked roles to give Amazon EKS access to resources in your {aws} account. diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc index 63ac4dc83..79037a50a 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#using-service-linked-roles-eks] = Using roles for Amazon EKS clusters :info_titleabbrev: Cluster role -include::../../attributes.txt[] - [abstract] -- How to use service-linked roles to give Amazon EKS access to resources in your {aws} account. diff --git a/latest/ug/security/iam-reference/using-service-linked-roles.adoc b/latest/ug/security/iam-reference/using-service-linked-roles.adoc index 54636c321..421cda0c6 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../../attributes.txt[] + [.topic] [#using-service-linked-roles] = Using service-linked roles for Amazon EKS :info_titleabbrev: Service-linked roles -include::../../attributes.txt[] - include::using-service-linked-roles-eks.adoc[leveloffset=+1] include::using-service-linked-roles-eks-nodegroups.adoc[leveloffset=+1] diff --git a/latest/ug/security/infrastructure-security.adoc b/latest/ug/security/infrastructure-security.adoc index 5cfdfe1c0..35389a22b 100644 --- a/latest/ug/security/infrastructure-security.adoc +++ b/latest/ug/security/infrastructure-security.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#infrastructure-security] = Infrastructure security in Amazon EKS :info_titleabbrev: Infrastructure security -include::../attributes.txt[] - include::vpc-interface-endpoints.adoc[leveloffset=+1] [abstract] diff --git a/latest/ug/security/manage-secrets.adoc b/latest/ug/security/manage-secrets.adoc index b66e0fee4..223fcb0de 100644 --- a/latest/ug/security/manage-secrets.adoc +++ b/latest/ug/security/manage-secrets.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../attributes.txt[] [.topic] diff --git a/latest/ug/security/pod-security-policy-removal-faq.adoc b/latest/ug/security/pod-security-policy-removal-faq.adoc index 2b4479dd5..6f29c0230 100644 --- a/latest/ug/security/pod-security-policy-removal-faq.adoc +++ b/latest/ug/security/pod-security-policy-removal-faq.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#pod-security-policy-removal-faq] = Migrate from legacy Pod security policies (PSP) :info_titleabbrev: Migrate from legacy PSP -include::../attributes.txt[] - [abstract] -- Learn about the Pod Security Policy (PSPs) removal in Kubernetes `1.25`. Migrate to Pod Security Standards (PSS) or policy-as-code solutions before upgrading Amazon EKS clusters to Kubernetes 1.25 to avoid workload interruptions and maintain pod security controls. diff --git a/latest/ug/security/pod-security-policy.adoc b/latest/ug/security/pod-security-policy.adoc index b40d61870..c4876c890 100644 --- a/latest/ug/security/pod-security-policy.adoc +++ b/latest/ug/security/pod-security-policy.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#pod-security-policy] = Understand Amazon EKS created Pod security policies (PSP) :info_titleabbrev: Legacy default PSP -include::../attributes.txt[] - [abstract] -- Learn about the Pod Security Policies (PSP) that Amazon EKS creates by default. PSP was deprecated in Kubernetes version `1.21` and removed in Kubernetes `1.25`. diff --git a/latest/ug/security/security-best-practices.adoc b/latest/ug/security/security-best-practices.adoc index 9abb7e229..30c7f739b 100644 --- a/latest/ug/security/security-best-practices.adoc +++ b/latest/ug/security/security-best-practices.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#security-best-practices] = Secure Amazon EKS clusters with best practices :info_titleabbrev: Best practices -include::../attributes.txt[] - [abstract] -- Learn how to secure your Amazon EKS clusters by following the best practices from the community. diff --git a/latest/ug/security/security-eks.adoc b/latest/ug/security/security-eks.adoc index c4b82f4ee..07da59550 100644 --- a/latest/ug/security/security-eks.adoc +++ b/latest/ug/security/security-eks.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#security-eks] = Security considerations for Amazon Elastic Kubernetes Service :info_titleabbrev: Considerations for EKS -include::../attributes.txt[] - include::infrastructure-security.adoc[leveloffset=+1] include::disaster-recovery-resiliency.adoc[leveloffset=+1] diff --git a/latest/ug/security/security-k8s.adoc b/latest/ug/security/security-k8s.adoc index 5f8cb4fa7..d136f931b 100644 --- a/latest/ug/security/security-k8s.adoc +++ b/latest/ug/security/security-k8s.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#security-k8s] = Security considerations for Kubernetes :info_titleabbrev: Considerations for Kubernetes -include::../attributes.txt[] - include::cert-signing.adoc[leveloffset=+1] include::default-roles-users.adoc[leveloffset=+1] diff --git a/latest/ug/security/security.adoc b/latest/ug/security/security.adoc index c75b1fb1c..ba6e8040b 100644 --- a/latest/ug/security/security.adoc +++ b/latest/ug/security/security.adoc @@ -1,7 +1,10 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#security] = Security in Amazon EKS -:doctype: book :sectnums: :toc: left :icons: font @@ -11,8 +14,6 @@ :sourcedir: . :info_titleabbrev: Security -include::../attributes.txt[] - include::security-best-practices.adoc[leveloffset=+1] include::configuration-vulnerability-analysis.adoc[leveloffset=+1] diff --git a/latest/ug/security/vpc-interface-endpoints.adoc b/latest/ug/security/vpc-interface-endpoints.adoc index fac0fd579..dd285be49 100644 --- a/latest/ug/security/vpc-interface-endpoints.adoc +++ b/latest/ug/security/vpc-interface-endpoints.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../attributes.txt[] [.topic] diff --git a/latest/ug/storage/csi-snapshot-controller.adoc b/latest/ug/storage/csi-snapshot-controller.adoc index d55bd0a04..27d1b5d85 100644 --- a/latest/ug/storage/csi-snapshot-controller.adoc +++ b/latest/ug/storage/csi-snapshot-controller.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#csi-snapshot-controller] = Enable snapshot functionality for CSI volumes :info_titleabbrev: CSI snapshot controller :keywords: CSI, snapshot, controller -include::../attributes.txt[] - [abstract] -- The Container Storage Interface (CSI) snapshot controller enables the use of snapshot functionality in compatible CSI drivers, such as the Amazon EBS CSI driver. diff --git a/latest/ug/storage/ebs-csi.adoc b/latest/ug/storage/ebs-csi.adoc index 997171410..7e016a63e 100644 --- a/latest/ug/storage/ebs-csi.adoc +++ b/latest/ug/storage/ebs-csi.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#ebs-csi] = Store Kubernetes volumes with Amazon EBS :info_titleabbrev: Amazon EBS :keywords: Amazon EBS CSI driver, storage -include::../attributes.txt[] - [abstract] -- The Amazon Elastic Block Store (Amazon EBS) Container Storage Interface (CSI) driver manages the lifecycle of Amazon EBS volumes as storage for Kubernetes Volumes. diff --git a/latest/ug/storage/efs-csi.adoc b/latest/ug/storage/efs-csi.adoc index 9db8d8756..935a43d70 100644 --- a/latest/ug/storage/efs-csi.adoc +++ b/latest/ug/storage/efs-csi.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#efs-csi] = Store an elastic file system with Amazon EFS :info_titleabbrev: Amazon EFS :keywords: Amazon EFS CSI driver, storage -include::../attributes.txt[] - [abstract] -- The Amazon EFS Container Storage Interface (CSI) driver provides a CSI interface that allows Kubernetes clusters running on {aws} to manage the lifecycle of Amazon EFS file systems. diff --git a/latest/ug/storage/file-cache-csi.adoc b/latest/ug/storage/file-cache-csi.adoc index 20c399aa7..029dc9337 100644 --- a/latest/ug/storage/file-cache-csi.adoc +++ b/latest/ug/storage/file-cache-csi.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#file-cache-csi] = Minimize latency with Amazon File Cache :info_titleabbrev: Amazon File Cache :keywords: Amazon File Cache CSI driver, storage -include::../attributes.txt[] - [abstract] -- The Amazon File Cache Container Storage Interface (CSI) driver provides a CSI interface that allows Amazon EKS clusters to manage the life cycle of Amazon file caches. diff --git a/latest/ug/storage/fsx-csi.adoc b/latest/ug/storage/fsx-csi.adoc index 9aaaabf5c..f61eb9170 100644 --- a/latest/ug/storage/fsx-csi.adoc +++ b/latest/ug/storage/fsx-csi.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#fsx-csi] = Store high-performance apps with FSx for Lustre :info_titleabbrev: Amazon FSx for Lustre :keywords: Amazon FSx for Lustre CSI driver, storage -include::../attributes.txt[] - [abstract] -- The FSx for Lustre Container Storage Interface (CSI) driver provides a CSI interface that allows Amazon EKS clusters to manage the lifecycle of FSx for Lustre file systems. diff --git a/latest/ug/storage/fsx-ontap.adoc b/latest/ug/storage/fsx-ontap.adoc index a23a19341..3d7586d67 100644 --- a/latest/ug/storage/fsx-ontap.adoc +++ b/latest/ug/storage/fsx-ontap.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#fsx-ontap] = Store high-performance apps with FSx for NetApp ONTAP :info_titleabbrev: Amazon FSx for NetApp ONTAP :keywords: Amazon FSx for NetApp ONTAP CSI driver, storage -include::../attributes.txt[] - [abstract] -- The NetApp Trident allows Amazon EKS clusters to manage the lifecycle of persistent volumes (PVs) backed by Amazon FSx for NetApp ONTAP file systems. diff --git a/latest/ug/storage/fsx-openzfs-csi.adoc b/latest/ug/storage/fsx-openzfs-csi.adoc index a267f39c4..7136a1eb3 100644 --- a/latest/ug/storage/fsx-openzfs-csi.adoc +++ b/latest/ug/storage/fsx-openzfs-csi.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#fsx-openzfs-csi] = Store data using Amazon FSx for OpenZFS :info_titleabbrev: Amazon FSx for OpenZFS :keywords: Amazon FSx for OpenZFS CSI driver, storage -include::../attributes.txt[] - [abstract] -- The Amazon FSx for OpenZFS Container Storage Interface (CSI) driver provides a CSI interface that allows Amazon EKS clusters to manage the life cycle of Amazon FSx for OpenZFS volumes. diff --git a/latest/ug/storage/s3-csi.adoc b/latest/ug/storage/s3-csi.adoc index c651f38c5..10b8a6699 100644 --- a/latest/ug/storage/s3-csi.adoc +++ b/latest/ug/storage/s3-csi.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#s3-csi] = Access Amazon S3 objects with Mountpoint for Amazon S3 CSI driver :info_titleabbrev: Mountpoint for Amazon S3 :keywords: Mountpoint for Amazon S3 CSI driver, storage -include::../attributes.txt[] - [abstract] -- Learn about the Amazon S3 Container Storage Interface (CSI) driver, which provides a CSI interface for managing Amazon S3 files and buckets. diff --git a/latest/ug/storage/storage.adoc b/latest/ug/storage/storage.adoc index 518a5c210..1a37afa77 100644 --- a/latest/ug/storage/storage.adoc +++ b/latest/ug/storage/storage.adoc @@ -1,6 +1,9 @@ +:doctype: book + +include::../attributes.txt[] + [#storage] = Store application data for your cluster -:doctype: book :sectnums: :toc: left :icons: font @@ -11,8 +14,6 @@ :info_titleabbrev: Store app data :keywords: persistent, data, app, storage -include::../attributes.txt[] - [abstract] -- This chapter covers storage options for Amazon EKS clusters. diff --git a/latest/ug/troubleshooting/troubleshooting.adoc b/latest/ug/troubleshooting/troubleshooting.adoc index 3f44ce014..040403192 100644 --- a/latest/ug/troubleshooting/troubleshooting.adoc +++ b/latest/ug/troubleshooting/troubleshooting.adoc @@ -1,6 +1,9 @@ +:doctype: book + +include::../attributes.txt[] + [#troubleshooting] = Troubleshoot problems with Amazon EKS clusters and nodes -:doctype: book :sectnums: :toc: left :icons: font @@ -11,8 +14,6 @@ :info_titleabbrev: Troubleshooting :keywords: troubleshooting, help, FAQ -include::../attributes.txt[] - [abstract] -- This chapter covers some common errors that you may see while using Amazon EKS and how to work around them. diff --git a/latest/ug/what-is/common-use-cases.adoc b/latest/ug/what-is/common-use-cases.adoc index 4fcf8adce..17244cdc0 100644 --- a/latest/ug/what-is/common-use-cases.adoc +++ b/latest/ug/what-is/common-use-cases.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#common-use-cases] = Common use cases in Amazon EKS :info_titleabbrev: Common use cases :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, use cases, summary, description -include::../attributes.txt[] - [abstract] -- Discover how Amazon EKS helps deploy highly available containerized applications, build microservices architectures, automate software release processes, run serverless applications, execute machine learning workloads, deploy consistently on-premises and in the cloud, process big data cost-effectively, and ensure security and compliance. diff --git a/latest/ug/what-is/eks-architecture.adoc b/latest/ug/what-is/eks-architecture.adoc index f0c0ec7c6..6023b40bb 100644 --- a/latest/ug/what-is/eks-architecture.adoc +++ b/latest/ug/what-is/eks-architecture.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#eks-architecture] = Amazon EKS architecture :info_titleabbrev: Architecture :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, architecture, control plane, nodes, data plane -include::../attributes.txt[] - [abstract] -- Learn how Amazon EKS aligns with Kubernetes cluster architecture, offering a highly available and resilient control plane, and flexible compute options like {aws} Fargate, Karpenter, managed node groups, and self-managed nodes to meet diverse workload requirements. diff --git a/latest/ug/what-is/eks-deployment-options.adoc b/latest/ug/what-is/eks-deployment-options.adoc index aa202a8f6..6e1d9629e 100644 --- a/latest/ug/what-is/eks-deployment-options.adoc +++ b/latest/ug/what-is/eks-deployment-options.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#eks-deployment-options] = Deploy Amazon EKS clusters across cloud and on-premises environments :info_titleabbrev: Deployment options :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, deployment, options, comparison -include::../attributes.txt[] - [abstract] -- Learn to deploy Kubernetes clusters with Amazon EKS across cloud and on-premises environments to meet your operational needs, while leveraging {aws} services and support. diff --git a/latest/ug/what-is/kubernetes-concepts.adoc b/latest/ug/what-is/kubernetes-concepts.adoc index 2a3f489c5..b59807c22 100644 --- a/latest/ug/what-is/kubernetes-concepts.adoc +++ b/latest/ug/what-is/kubernetes-concepts.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#kubernetes-concepts] = Kubernetes concepts :info_titleabbrev: Kubernetes concepts :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, architecture, control plane, nodes, data plane -include::../attributes.txt[] - [abstract] -- Learn core Kubernetes concepts and how they relate to deploying workloads, managing clusters, and working with control planes, nodes, Pods, containers, and networking on Amazon EKS. diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index a8772565e..b7d832f37 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -1,7 +1,10 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#what-is-eks] = What is Amazon EKS? -:doctype: book :sectnums: :toc: left :icons: font @@ -12,8 +15,6 @@ :info_titleabbrev: What is Amazon EKS? :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, about, summary, description -include::../attributes.txt[] - [abstract] -- Learn to manage containerized applications with Amazon EKS diff --git a/latest/ug/workloads/add-ons-iam.adoc b/latest/ug/workloads/add-ons-iam.adoc index 151ff2ff5..435ebbfd2 100644 --- a/latest/ug/workloads/add-ons-iam.adoc +++ b/latest/ug/workloads/add-ons-iam.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#add-ons-iam] = IAM roles for Amazon EKS add-ons :info_titleabbrev: IAM roles -include::../attributes.txt[] - include::retreive-iam-info.adoc[leveloffset=+1] include::update-addon-role.adoc[leveloffset=+1] diff --git a/latest/ug/workloads/add-ons-images.adoc b/latest/ug/workloads/add-ons-images.adoc index 009d9bf65..a49d36078 100644 --- a/latest/ug/workloads/add-ons-images.adoc +++ b/latest/ug/workloads/add-ons-images.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#add-ons-images] = View Amazon container image registries for Amazon EKS add-ons :info_titleabbrev: View Amazon image registries -include::../attributes.txt[] - When you deploy <> to your cluster, your nodes pull the required container images from the registry specified in the installation mechanism for the add-on, such as an installation manifest or a Helm `values.yaml` file. The images are pulled from an Amazon EKS Amazon ECR private repository. Amazon EKS replicates the images to a repository in each Amazon EKS supported {aws} Region. Your nodes can pull the container image over the internet from any of the following registries. Alternatively, your nodes can pull the image over Amazon's network if you created an link:AmazonECR/latest/userguide/vpc-endpoints.html[interface VPC endpoint for Amazon ECR ({aws} PrivateLink),type="documentation"] in your VPC. The registries require authentication with an {aws} IAM account. Your nodes authenticate using the <>, which has the permissions in the link:aws-managed-policy/latest/reference/AmazonEC2ContainerRegistryReadOnly.html[AmazonEC2ContainerRegistryReadOnly,type="documentation"] managed IAM policy associated to it. [role="no-scroll"] diff --git a/latest/ug/workloads/addon-compat.adoc b/latest/ug/workloads/addon-compat.adoc index 4199c4fc1..63e4b44ec 100644 --- a/latest/ug/workloads/addon-compat.adoc +++ b/latest/ug/workloads/addon-compat.adoc @@ -1,11 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#addon-compat] = Verify Amazon EKS add-on version compatibility with a cluster :info_titleabbrev: Verify compatibility -include::../attributes.txt[] - - [abstract] -- Learn how to verify the Amazon EKS add-on compatibility with your cluster before you create or update an Amazon EKS add-on. diff --git a/latest/ug/workloads/addon-id-troubleshoot.adoc b/latest/ug/workloads/addon-id-troubleshoot.adoc index dfd5e8487..790a4b02d 100644 --- a/latest/ug/workloads/addon-id-troubleshoot.adoc +++ b/latest/ug/workloads/addon-id-troubleshoot.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#addon-id-troubleshoot] = Troubleshoot Pod Identities for EKS add-ons :info_titleabbrev: Troubleshoot Identities -include::../attributes.txt[] - [abstract] -- Learn how to troubleshoot Pod Identities for EKS add-ons. diff --git a/latest/ug/workloads/alb-ingress.adoc b/latest/ug/workloads/alb-ingress.adoc index 2838d307c..9b869468c 100644 --- a/latest/ug/workloads/alb-ingress.adoc +++ b/latest/ug/workloads/alb-ingress.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#alb-ingress] = Route application and HTTP traffic with Application Load Balancers :info_titleabbrev: Application load balancing -include::../attributes.txt[] - [abstract] -- Learn how to use Application Load Balancing on Amazon EKS to load balance application traffic at L7 with {aws} Load Balancer Controller. diff --git a/latest/ug/workloads/community-addons.adoc b/latest/ug/workloads/community-addons.adoc index 77a9d47ed..67fbd280e 100644 --- a/latest/ug/workloads/community-addons.adoc +++ b/latest/ug/workloads/community-addons.adoc @@ -1,9 +1,11 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#community-addons] = Community add-ons -include::../attributes.txt[] - You can use {aws} APIs to install community add-ons, such as the Kubernetes Metrics Server. You may choose to install community add-ons as Amazon EKS Add-ons to reduce the complexity of maintaining the software on multiple clusters. For example, you can use the {aws} API, CLI, or Management Console to install community add-ons. You can install a community add-on during cluster creation. diff --git a/latest/ug/workloads/copy-image-to-repository.adoc b/latest/ug/workloads/copy-image-to-repository.adoc index 33481a18b..9d8d12490 100644 --- a/latest/ug/workloads/copy-image-to-repository.adoc +++ b/latest/ug/workloads/copy-image-to-repository.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#copy-image-to-repository] = Copy a container image from one repository to another repository :info_titleabbrev: Copy an image to a repository -include::../attributes.txt[] - This topic describes how to pull a container image from a repository that your nodes don't have access to and push the image to a repository that your nodes have access to. You can push the image to Amazon ECR or an alternative repository that your nodes have access to. diff --git a/latest/ug/workloads/creating-an-add-on.adoc b/latest/ug/workloads/creating-an-add-on.adoc index 92e0ef867..c2521014f 100644 --- a/latest/ug/workloads/creating-an-add-on.adoc +++ b/latest/ug/workloads/creating-an-add-on.adoc @@ -1,11 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#creating-an-add-on] = Create an Amazon EKS add-on :info_titleabbrev: Create an add-on -include::../attributes.txt[] - - [abstract] -- Learn how to create an add-on for your Amazon EKS cluster. diff --git a/latest/ug/workloads/eks-add-ons.adoc b/latest/ug/workloads/eks-add-ons.adoc index d943b46ac..f12edbc3a 100644 --- a/latest/ug/workloads/eks-add-ons.adoc +++ b/latest/ug/workloads/eks-add-ons.adoc @@ -1,11 +1,13 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#eks-add-ons] = Amazon EKS add-ons :info_titleabbrev: Amazon EKS add-ons :keywords: managed, add-ons, plugins -include::../attributes.txt[] - [abstract] -- Learn how to manage operational software add-ons on Amazon EKS clusters with Amazon EKS add-ons for observability, networking, storage, and security from {aws} and third-party vendors. diff --git a/latest/ug/workloads/eks-workloads.adoc b/latest/ug/workloads/eks-workloads.adoc index 9dcc9c040..0d66774a5 100644 --- a/latest/ug/workloads/eks-workloads.adoc +++ b/latest/ug/workloads/eks-workloads.adoc @@ -1,6 +1,9 @@ +:doctype: book + +include::../attributes.txt[] + [#eks-workloads] = Learn how to deploy workloads and add-ons to Amazon EKS -:doctype: book :sectnums: :toc: left :icons: font @@ -10,8 +13,6 @@ :sourcedir: . :info_titleabbrev: Workloads -include::../attributes.txt[] - Your workloads are deployed in containers, which are deployed in Pods in Kubernetes. A Pod includes one or more containers. Typically, one or more Pods that provide the same service are deployed in a Kubernetes service. Once you've deployed multiple Pods that provide the same service, you can: diff --git a/latest/ug/workloads/horizontal-pod-autoscaler.adoc b/latest/ug/workloads/horizontal-pod-autoscaler.adoc index 6904048ba..8cefaf0d0 100644 --- a/latest/ug/workloads/horizontal-pod-autoscaler.adoc +++ b/latest/ug/workloads/horizontal-pod-autoscaler.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#horizontal-pod-autoscaler] = Scale pod deployments with Horizontal Pod Autoscaler :info_titleabbrev: Horizontal Pod Autoscaler -include::../attributes.txt[] - [abstract] -- Learn how to use the Kubernetes Horizontal Pod Autoscaler to automatically scale your Amazon EKS deployments based on CPU utilization for efficient resource management. diff --git a/latest/ug/workloads/image-verification.adoc b/latest/ug/workloads/image-verification.adoc index 2a3b11453..2496bd20c 100644 --- a/latest/ug/workloads/image-verification.adoc +++ b/latest/ug/workloads/image-verification.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#image-verification] = Validate container image signatures during deployment :info_titleabbrev: Verify container images -include::../attributes.txt[] - [abstract] -- Learn how to verify signed container images during deployment on Amazon EKS using admission controllers like Gatekeeper with Ratify or Kyverno configured with {aws} Signer plugins for validating image signatures. diff --git a/latest/ug/workloads/kubernetes-field-management.adoc b/latest/ug/workloads/kubernetes-field-management.adoc index 01a353ba8..0e75a7129 100644 --- a/latest/ug/workloads/kubernetes-field-management.adoc +++ b/latest/ug/workloads/kubernetes-field-management.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#kubernetes-field-management] = Determine fields you can customize for Amazon EKS add-ons :info_titleabbrev: Fields you can customize -include::../attributes.txt[] - [abstract] -- Learn how to manage Amazon EKS add-on configurations using Kubernetes field management to customize settings without overwriting Amazon EKS managed fields. diff --git a/latest/ug/workloads/network-load-balancing.adoc b/latest/ug/workloads/network-load-balancing.adoc index 8ec3c2f7d..99d512863 100644 --- a/latest/ug/workloads/network-load-balancing.adoc +++ b/latest/ug/workloads/network-load-balancing.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#network-load-balancing] = Route TCP and UDP traffic with Network Load Balancers :info_titleabbrev: Network load balancing -include::../attributes.txt[] - [abstract] -- Use the {aws} Load Balancer Controller to create network load balancers for Amazon EKS workloads, supporting IP and instance targets with {aws} Network Load Balancers. diff --git a/latest/ug/workloads/remove-addon-role.adoc b/latest/ug/workloads/remove-addon-role.adoc index 7ed778282..39bcb3325 100644 --- a/latest/ug/workloads/remove-addon-role.adoc +++ b/latest/ug/workloads/remove-addon-role.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#remove-addon-role] = Remove Pod Identity associations from an Amazon EKS add-on :info_titleabbrev: Remove Pod Identity -include::../attributes.txt[] - [abstract] -- Learn how to remove a Pod Identity from an Amazon EKS add-on. diff --git a/latest/ug/workloads/removing-an-addon.adoc b/latest/ug/workloads/removing-an-addon.adoc index dca290d43..f3ef01fbf 100644 --- a/latest/ug/workloads/removing-an-addon.adoc +++ b/latest/ug/workloads/removing-an-addon.adoc @@ -1,11 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#removing-an-add-on] = Remove an Amazon EKS add-on from a cluster :info_titleabbrev: Remove an add-on -include::../attributes.txt[] - - [abstract] -- Learn how to remove an Amazon EKS add-on. diff --git a/latest/ug/workloads/restrict-service-external-ip.adoc b/latest/ug/workloads/restrict-service-external-ip.adoc index fdc013b09..53ba6e4ab 100644 --- a/latest/ug/workloads/restrict-service-external-ip.adoc +++ b/latest/ug/workloads/restrict-service-external-ip.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#restrict-service-external-ip] = Restrict external IP addresses that can be assigned to services :info_titleabbrev: Restrict service external IPs -include::../attributes.txt[] - Kubernetes services can be reached from inside of a cluster through: * A cluster IP address that is assigned automatically by Kubernetes diff --git a/latest/ug/workloads/retreive-iam-info.adoc b/latest/ug/workloads/retreive-iam-info.adoc index f17714380..3500a7518 100644 --- a/latest/ug/workloads/retreive-iam-info.adoc +++ b/latest/ug/workloads/retreive-iam-info.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#retreive-iam-info] = Retrieve IAM information about an Amazon EKS add-on :info_titleabbrev: Retrieve IAM information -include::../attributes.txt[] - [abstract] -- Learn how to determine the role and policy to use for an Amazon EKS add-on. diff --git a/latest/ug/workloads/sample-deployment-windows.adoc b/latest/ug/workloads/sample-deployment-windows.adoc index e3c66f849..ff613d5ca 100644 --- a/latest/ug/workloads/sample-deployment-windows.adoc +++ b/latest/ug/workloads/sample-deployment-windows.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#sample-deployment-win] = Deploy a sample application on Windows :info_titleabbrev: Sample deployment (Windows) -include::../attributes.txt[] - In this topic, you deploy a sample application to your cluster on Windows nodes. == Prerequisites diff --git a/latest/ug/workloads/sample-deployment.adoc b/latest/ug/workloads/sample-deployment.adoc index 4442303ee..4a91c18ee 100644 --- a/latest/ug/workloads/sample-deployment.adoc +++ b/latest/ug/workloads/sample-deployment.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#sample-deployment] = Deploy a sample application on Linux :info_titleabbrev: Sample deployment (Linux) -include::../attributes.txt[] - In this topic, you deploy a sample application to your cluster on linux nodes. == Prerequisites diff --git a/latest/ug/workloads/update-addon-role.adoc b/latest/ug/workloads/update-addon-role.adoc index b8f52daf8..f4cba2e28 100644 --- a/latest/ug/workloads/update-addon-role.adoc +++ b/latest/ug/workloads/update-addon-role.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#update-addon-role] = Use Pod Identities to assign an IAM role to an Amazon EKS add-on :info_titleabbrev: Use Pod Identities -include::../attributes.txt[] - [abstract] -- Learn how to use a Pod Identity to assign a role for an Amazon EKS add-on. diff --git a/latest/ug/workloads/updating-an-add-on.adoc b/latest/ug/workloads/updating-an-add-on.adoc index 103539487..a3da16cbd 100644 --- a/latest/ug/workloads/updating-an-add-on.adoc +++ b/latest/ug/workloads/updating-an-add-on.adoc @@ -1,11 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#updating-an-add-on] = Update an Amazon EKS add-on :info_titleabbrev: Update an add-on -include::../attributes.txt[] - - [abstract] -- Learn how to update your Amazon EKS add-on to a new version. diff --git a/latest/ug/workloads/vertical-pod-autoscaler.adoc b/latest/ug/workloads/vertical-pod-autoscaler.adoc index 0795e9c6e..872fd05dc 100644 --- a/latest/ug/workloads/vertical-pod-autoscaler.adoc +++ b/latest/ug/workloads/vertical-pod-autoscaler.adoc @@ -1,10 +1,12 @@ +:doctype: book + +include::../attributes.txt[] + [.topic] [#vertical-pod-autoscaler] = Adjust pod resources with Vertical Pod Autoscaler :info_titleabbrev: Vertical Pod Autoscaler -include::../attributes.txt[] - [abstract] -- Discover how the Kubernetes Vertical Pod Autoscaler automatically adjusts CPU and memory reservations for your Pods to optimize resource utilization and right-size applications on Amazon EKS. diff --git a/latest/ug/workloads/workloads-add-ons-available-eks.adoc b/latest/ug/workloads/workloads-add-ons-available-eks.adoc index 8fb81414a..2b18bcf25 100644 --- a/latest/ug/workloads/workloads-add-ons-available-eks.adoc +++ b/latest/ug/workloads/workloads-add-ons-available-eks.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../attributes.txt[] [.topic] @@ -5,8 +6,6 @@ include::../attributes.txt[] = {aws} Add-ons :info_titleabbrev: {aws} Add-ons -include::../attributes.txt[] - [abstract] -- Learn about the availabe Amazon EKS add-ons from {aws}. diff --git a/latest/ug/workloads/workloads-add-ons-available-vendors.adoc b/latest/ug/workloads/workloads-add-ons-available-vendors.adoc index 05ea0065c..86ca6bae5 100644 --- a/latest/ug/workloads/workloads-add-ons-available-vendors.adoc +++ b/latest/ug/workloads/workloads-add-ons-available-vendors.adoc @@ -1,3 +1,4 @@ +:doctype: book include::../attributes.txt[] [.topic] diff --git a/team/squish.adoc b/team/squish.adoc index 0804b43e5..1f5b7c955 100644 --- a/team/squish.adoc +++ b/team/squish.adoc @@ -1,3 +1,4 @@ +:doctype: book = AmazonEKSDocs Git History Squish Procedure :toc: From 21b9acd4a0bf756e4d18e06ddf82c78e99bdc50b Mon Sep 17 00:00:00 2001 From: Abhay Krishna Arunachalam Date: Wed, 26 Feb 2025 10:55:09 -0800 Subject: [PATCH 223/940] Add docs for updating containerd in case of CVEs --- latest/ug/nodes/hybrid-nodes-security.adoc | 78 ++++++++++++++++++++++ latest/ug/nodes/hybrid-nodes-tutorial.adoc | 2 + 2 files changed, 80 insertions(+) create mode 100644 latest/ug/nodes/hybrid-nodes-security.adoc diff --git a/latest/ug/nodes/hybrid-nodes-security.adoc b/latest/ug/nodes/hybrid-nodes-security.adoc new file mode 100644 index 000000000..d35301a4a --- /dev/null +++ b/latest/ug/nodes/hybrid-nodes-security.adoc @@ -0,0 +1,78 @@ +[.topic] +[#hybrid-nodes-security] += Security updates for Hybrid nodes +:info_titleabbrev: Patching hybrid nodes +:keywords: security updates for on-premises nodes, security updates for hybrid nodes + +include::../attributes.txt[] + +[abstract] +-- +Perform security updates on your Hybrid nodes +-- + +This topic describes the procedure to perform security updates for specific packages and dependencies running on your hybrid nodes. As a best practice we recommend you to regularly update their hybrid nodes to receive CVEs and security patches. + +== Containerd + +`containerd` is the standard Kubernetes container runtime and core dependency for EKS Hybrid Nodes, used for managing container lifecycle, including pulling images and managing container execution. On an hybrid node, you can install `containerd` through the link:eks/latest/userguide/hybrid-nodes-nodeadm.html[nodeadm CLI,type="documentation"] or manually. Depending on the operating system of your node, `nodeadm` will install `containerd` from the OS-distributed package or Docker package. + +When a CVE in `containerd` has been published, you have the following options to upgrade to the patched version of containerd on their Hybrid nodes. + +=== Containerd CVE patch published to package managers + +Customers can check whether the containerd CVE patch has been published to their respective OS package managers by referring to the corresponding security bulletins: + +* https://alas.aws.amazon.com/alas2023.html[Amazon Linux 2023] +* https://access.redhat.com/security/security-updates/security-advisories[RHEL] +* https://ubuntu.com/security/notices?order=newest&release=focal[Ubuntu 20.04] +* https://ubuntu.com/security/notices?order=newest&release=jammy[Ubuntu 22.04] +* https://ubuntu.com/security/notices?order=newest&release=noble[Ubuntu 24.04] + +If you use the Docker repo as the source of containerd, you can check the https://docs.docker.com/security/security-announcements/[Docker security announcements] to identify the availability of the patched version in the Docker repo. + +After you confirm that the containerd CVE patch has been published to the OS or Docker repos (either Apt or RPM), you can use the `nodeadm upgrade` command to upgrade to the latest version of containerd. Since this is NOT a Kubernetes version upgrade, you will need to pass in their current Kubernetes version to the nodeadm upgrade command. + +[source,bash,subs="verbatim,attributes"] +---- +nodeadm upgrade --config-source file:///root/nodeConfig.yaml +---- + +Alternatively you can also update their respective package manager and use it to upgrade the containerd package as follows. + +*Amazon Linux 2023* +[source,bash,subs="verbatim,attributes"] +---- +sudo yum update -y +sudo yum install -y containerd +---- + +*RHEL* +[source,bash,subs="verbatim,attributes"] +---- +sudo yum install -y yum-utils +sudo yum-config-manager --add-repo https://download.docker.com/linux/rhel/docker-ce.repo +sudo yum update -y +sudo yum install -y containerd +---- + +*Ubuntu* +[source,bash,subs="verbatim,attributes"] +---- +sudo mkdir -p /etc/apt/keyrings +sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc +echo \ + "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \ + $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | \ + sudo tee /etc/apt/sources.list.d/docker.list > /dev/null +sudo apt update -y +sudo apt install -y --only-upgrade containerd.io +---- + +=== Containerd CVE patch not published in package managers + +If the patched containerd version is only available by other means, for example in GitHub releases, then you have two options depending on whether they’re installing the patched containerd version on a new node or upgrading a vulnerable containerd version on an existing node. + +If the machine in question is a new node, you can https://github.com/containerd/containerd/blob/main/docs/getting-started.md#option-1-from-the-official-binaries[install the official containerd binaries] and then run the `nodeadm install` command with the `--containerd-source` argument set to `none`, which will skip containerd installation through `nodeadm`. You can use the value of `none` in the containerd source irrespective of the operating system the node is running. + +If the machine has already joined the cluster as a hybrid node, then you need to run the `nodeadm uninstall` command, then follow the previous steps for installing containerd on a new “to-be-hybrid” node. diff --git a/latest/ug/nodes/hybrid-nodes-tutorial.adoc b/latest/ug/nodes/hybrid-nodes-tutorial.adoc index 8029d5d88..ed7303049 100644 --- a/latest/ug/nodes/hybrid-nodes-tutorial.adoc +++ b/latest/ug/nodes/hybrid-nodes-tutorial.adoc @@ -25,4 +25,6 @@ include::hybrid-nodes-join.adoc[leveloffset=+1] include::hybrid-nodes-upgrade.adoc[leveloffset=+1] +include::hybrid-nodes-security.adoc[leveloffset=+1] + include::hybrid-nodes-remove.adoc[leveloffset=+1] \ No newline at end of file From 06a4aded18264162f8b4633f1b784c6df081f969 Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Thu, 27 Feb 2025 16:10:06 -0800 Subject: [PATCH 224/940] Review hybrid-nodes-security.adoc --- latest/ug/nodes/hybrid-nodes-security.adoc | 41 +++++++++++-------- vale/styles/EksDocs/ExternalDomains.yml | 10 ++++- .../vocabularies/EksDocsVocab/accept.txt | 6 ++- 3 files changed, 38 insertions(+), 19 deletions(-) diff --git a/latest/ug/nodes/hybrid-nodes-security.adoc b/latest/ug/nodes/hybrid-nodes-security.adoc index d35301a4a..5c8045119 100644 --- a/latest/ug/nodes/hybrid-nodes-security.adoc +++ b/latest/ug/nodes/hybrid-nodes-security.adoc @@ -1,7 +1,7 @@ [.topic] [#hybrid-nodes-security] -= Security updates for Hybrid nodes -:info_titleabbrev: Patching hybrid nodes += Patch security updates for hybrid nodes +:info_titleabbrev: Patch hybrid nodes :keywords: security updates for on-premises nodes, security updates for hybrid nodes include::../attributes.txt[] @@ -11,17 +11,17 @@ include::../attributes.txt[] Perform security updates on your Hybrid nodes -- -This topic describes the procedure to perform security updates for specific packages and dependencies running on your hybrid nodes. As a best practice we recommend you to regularly update their hybrid nodes to receive CVEs and security patches. +This topic describes the procedure to perform in-place patching of security updates for specific packages and dependencies running on your hybrid nodes. As a best practice we recommend you to regularly update your hybrid nodes to receive CVEs and security patches. == Containerd `containerd` is the standard Kubernetes container runtime and core dependency for EKS Hybrid Nodes, used for managing container lifecycle, including pulling images and managing container execution. On an hybrid node, you can install `containerd` through the link:eks/latest/userguide/hybrid-nodes-nodeadm.html[nodeadm CLI,type="documentation"] or manually. Depending on the operating system of your node, `nodeadm` will install `containerd` from the OS-distributed package or Docker package. -When a CVE in `containerd` has been published, you have the following options to upgrade to the patched version of containerd on their Hybrid nodes. +When a CVE in `containerd` has been published, you have the following options to upgrade to the patched version of `containerd` on your Hybrid nodes. -=== Containerd CVE patch published to package managers +== Containerd CVE patch published to package managers -Customers can check whether the containerd CVE patch has been published to their respective OS package managers by referring to the corresponding security bulletins: +You can check whether the `containerd` CVE patch has been published to each respective OS package manager by referring to the corresponding security bulletins: * https://alas.aws.amazon.com/alas2023.html[Amazon Linux 2023] * https://access.redhat.com/security/security-updates/security-advisories[RHEL] @@ -29,16 +29,20 @@ Customers can check whether the containerd CVE patch has been published to their * https://ubuntu.com/security/notices?order=newest&release=jammy[Ubuntu 22.04] * https://ubuntu.com/security/notices?order=newest&release=noble[Ubuntu 24.04] -If you use the Docker repo as the source of containerd, you can check the https://docs.docker.com/security/security-announcements/[Docker security announcements] to identify the availability of the patched version in the Docker repo. +If you use the Docker repo as the source of `containerd`, you can check the https://docs.docker.com/security/security-announcements/[Docker security announcements] to identify the availability of the patched version in the Docker repo. -After you confirm that the containerd CVE patch has been published to the OS or Docker repos (either Apt or RPM), you can use the `nodeadm upgrade` command to upgrade to the latest version of containerd. Since this is NOT a Kubernetes version upgrade, you will need to pass in their current Kubernetes version to the nodeadm upgrade command. +=== Patching with `nodeadm upgrade` -[source,bash,subs="verbatim,attributes"] +After you confirm that the `containerd` CVE patch has been published to the OS or Docker repos (either Apt or RPM), you can use the `nodeadm upgrade` command to upgrade to the latest version of `containerd`. Since this isn't a Kubernetes version upgrade, you must pass in your current Kubernetes version to the `nodeadm` upgrade command. + +[source,bash,subs="verbatim,attributes,quotes"] ---- -nodeadm upgrade --config-source file:///root/nodeConfig.yaml +nodeadm upgrade [.replaceable]`K8S_VERSION` --config-source file:///root/nodeConfig.yaml ---- -Alternatively you can also update their respective package manager and use it to upgrade the containerd package as follows. +=== Patching with operating system package managers + +Alternatively you can also update through the respective package manager and use it to upgrade the `containerd` package as follows. *Amazon Linux 2023* [source,bash,subs="verbatim,attributes"] @@ -69,10 +73,15 @@ sudo apt update -y sudo apt install -y --only-upgrade containerd.io ---- -=== Containerd CVE patch not published in package managers +== Containerd CVE patch not published in package managers -If the patched containerd version is only available by other means, for example in GitHub releases, then you have two options depending on whether they’re installing the patched containerd version on a new node or upgrading a vulnerable containerd version on an existing node. +If the patched `containerd` version is only available by other means instead of in the package manager, for example in GitHub releases, then you can install `containerd` from the official GitHub site. -If the machine in question is a new node, you can https://github.com/containerd/containerd/blob/main/docs/getting-started.md#option-1-from-the-official-binaries[install the official containerd binaries] and then run the `nodeadm install` command with the `--containerd-source` argument set to `none`, which will skip containerd installation through `nodeadm`. You can use the value of `none` in the containerd source irrespective of the operating system the node is running. - -If the machine has already joined the cluster as a hybrid node, then you need to run the `nodeadm uninstall` command, then follow the previous steps for installing containerd on a new “to-be-hybrid” node. +. If the machine has already joined the cluster as a hybrid node, then you need to run the `nodeadm uninstall` command. +. Install the official `containerd` binaries. You can use the steps https://github.com/containerd/containerd/blob/main/docs/getting-started.md#option-1-from-the-official-binaries[install the official containerd binaries]. +. Run the `nodeadm install` command with the `--containerd-source` argument set to `none`, which will skip `containerd` installation through `nodeadm`. You can use the value of `none` in the `containerd` source for any operating system that the node is running. ++ +[source,bash,subs="verbatim,attributes,quotes"] +---- +nodeadm install [.replaceable]`K8S_VERSION` --credential-provider [.replaceable]`CREDS_PROVIDER` --containerd-source none +---- diff --git a/vale/styles/EksDocs/ExternalDomains.yml b/vale/styles/EksDocs/ExternalDomains.yml index 6e31221db..e419a1b31 100644 --- a/vale/styles/EksDocs/ExternalDomains.yml +++ b/vale/styles/EksDocs/ExternalDomains.yml @@ -7,6 +7,7 @@ tokens: - '(?:^|\b)(http(s)?:\/\/[^\s\[]+)(?=$|\s|\[)' # note: this version no longer detects the valid URL that uses replacement syntax https://raw.githubusercontent.com/projectcalico/calico/\[\.replaceable\]\`CALICO_VERSION\`/manifests/operator-crds.yaml exceptions: + - 'https://bugs.launchpad.net/ubuntu/\+source/containerd-app/\+bug/2065423' - alas.aws.amazon.com - amazon.awsapps.com - anywhere.eks.amazonaws.com @@ -67,6 +68,7 @@ exceptions: - http://localhost:8080/utility/stress/1000000 - http://localhost:9090 - http://retail-store-sample-ui.default.svc/utility/stress/1000000 + - https://access.redhat.com/security/security-updates/security-advisories - https://amazon-eks.s3.us-west-2.amazonaws.com/eks-connector/ - https://antrea.io/docs/main/docs/eks-installation - https://anywhere.eks.amazonaws.com @@ -74,7 +76,6 @@ exceptions: - https://aws-observability.github.io/ - https://aws.github.io/ - https://brew.sh/ - - 'https://bugs.launchpad.net/ubuntu/\+source/containerd-app/\+bug/2065423' - https://catalog.us-east-1.prod.workshops.aws/ - https://catalog.workshops.aws - https://cert-manager.io @@ -110,6 +111,8 @@ exceptions: - https://docs.stormforge.io/ - https://docs.upbound.io/ - https://docs.upwind.io/ + - https://download.docker.com/linux/ubuntu + - https://download.docker.com/linux/ubuntu/gpg - https://eksctl.io - https://en.wikipedia.org/wiki/Reserved_IP_addresses - https://example.com @@ -157,6 +160,9 @@ exceptions: - https://s3.us-west-2.amazonaws.com/amazon-eks/ - https://tetratelabs.io/ - https://tinkerbell.org + - https://ubuntu.com/security/notices?order=newest&release=focal + - https://ubuntu.com/security/notices?order=newest&release=jammy + - https://ubuntu.com/security/notices?order=newest&release=noble - https://vale.sh/ - https://www.cncf.io/ - https://www.dynatrace.com/technologies/kubernetes-monitoring/ @@ -207,4 +213,4 @@ exceptions: - www.juniper.net - www.python.org - www.rfc-editor.org - - xilinx.github.io + - xilinx.github.io \ No newline at end of file diff --git a/vale/styles/config/vocabularies/EksDocsVocab/accept.txt b/vale/styles/config/vocabularies/EksDocsVocab/accept.txt index 151c00f31..6e5b870bf 100644 --- a/vale/styles/config/vocabularies/EksDocsVocab/accept.txt +++ b/vale/styles/config/vocabularies/EksDocsVocab/accept.txt @@ -14,4 +14,8 @@ reachability CNIs? repo CIDRs? -Kinesis \ No newline at end of file +Firehose +Kinesis +AMIs? +SDKs? +FSx \ No newline at end of file From 6172470ea4f62eb547a25f823b97c472363e77ae Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Mon, 3 Mar 2025 12:08:19 -0800 Subject: [PATCH 225/940] Add custom links to subsections of hybrid node upgrades --- latest/ug/nodes/hybrid-nodes-upgrade.adoc | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/latest/ug/nodes/hybrid-nodes-upgrade.adoc b/latest/ug/nodes/hybrid-nodes-upgrade.adoc index dc1ba3faf..4d9dd5fa6 100644 --- a/latest/ug/nodes/hybrid-nodes-upgrade.adoc +++ b/latest/ug/nodes/hybrid-nodes-upgrade.adoc @@ -34,9 +34,10 @@ Before upgrading, make sure you have completed the following prerequisites. * You must have kubectl installed on your local machine or instance you are using to interact with your Amazon EKS Kubernetes API endpoint. * The version of your CNI must support the Kubernetes version you are upgrading to. If it does not, upgrade your CNI version before upgrading your hybrid nodes. See <> for more information. -== Cutover migration upgrades +[#hybrid-nodes-upgrade-cutover] +== Cutover migration (blue-green) upgrades -Cutover migration upgrades refer to the process of creating new hybrid nodes on new hosts with your target Kubernetes version, gracefully migrating your existing applications to the new hybrid nodes on your target Kubernetes version, and removing the hybrid nodes on the old Kubernetes version from your cluster. +_Cutover migration upgrades_ refer to the process of creating new hybrid nodes on new hosts with your target Kubernetes version, gracefully migrating your existing applications to the new hybrid nodes on your target Kubernetes version, and removing the hybrid nodes on the old Kubernetes version from your cluster. This strategy is also called a blue-green migration. . Connect your new hosts as hybrid nodes following the <> steps. When running the `nodeadm install` command, use your target Kubernetes version. . Enable communication between the new hybrid nodes on the target Kubernetes version and your hybrid nodes on the old Kubernetes version. This configuration allows pods to communicate with each other while you are migrating your workload to the hybrid nodes on the target Kubernetes version. @@ -112,6 +113,7 @@ done . Depending on your choice of CNI, there may be artifacts remaining on your hybrid nodes after running the above steps. See <> for more information. +[#hybrid-nodes-upgrade-inplace] == In-place upgrades The in-place upgrade process refers to using `nodeadm upgrade` to upgrade the Kubernetes version for hybrid nodes without using new physical or virtual hosts and a cutover migration strategy. The `nodeadm upgrade` process shuts down the existing older Kubernetes components running on the hybrid node, uninstalls the existing older Kubernetes components, installs the new target Kubernetes components, and starts the new target Kubernetes components. It is strongly recommend to upgrade one node at a time to minimize impact to applications running on the hybrid nodes. The duration of this process depends on your network bandwidth and latency. From 1a4a0740677a9c13a2e21a24105dbe7f5a6d0e72 Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Mon, 3 Mar 2025 12:09:22 -0800 Subject: [PATCH 226/940] Make hybrid node patching more generic --- latest/ug/nodes/hybrid-nodes-security.adoc | 27 +++++++++++++++++----- 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/latest/ug/nodes/hybrid-nodes-security.adoc b/latest/ug/nodes/hybrid-nodes-security.adoc index 5c8045119..509a7e9fc 100644 --- a/latest/ug/nodes/hybrid-nodes-security.adoc +++ b/latest/ug/nodes/hybrid-nodes-security.adoc @@ -13,13 +13,17 @@ Perform security updates on your Hybrid nodes This topic describes the procedure to perform in-place patching of security updates for specific packages and dependencies running on your hybrid nodes. As a best practice we recommend you to regularly update your hybrid nodes to receive CVEs and security patches. -== Containerd +For steps to upgrade the Kubernetes version, see <>. + +One example of software that might need security patching is `containerd`. + +== `Containerd` `containerd` is the standard Kubernetes container runtime and core dependency for EKS Hybrid Nodes, used for managing container lifecycle, including pulling images and managing container execution. On an hybrid node, you can install `containerd` through the link:eks/latest/userguide/hybrid-nodes-nodeadm.html[nodeadm CLI,type="documentation"] or manually. Depending on the operating system of your node, `nodeadm` will install `containerd` from the OS-distributed package or Docker package. When a CVE in `containerd` has been published, you have the following options to upgrade to the patched version of `containerd` on your Hybrid nodes. -== Containerd CVE patch published to package managers +== Step 1: Check if the patch published to package managers You can check whether the `containerd` CVE patch has been published to each respective OS package manager by referring to the corresponding security bulletins: @@ -31,7 +35,16 @@ You can check whether the `containerd` CVE patch has been published to each resp If you use the Docker repo as the source of `containerd`, you can check the https://docs.docker.com/security/security-announcements/[Docker security announcements] to identify the availability of the patched version in the Docker repo. -=== Patching with `nodeadm upgrade` +== Step 2: Choose the method to install the patch + +There are three methods to patch and install security upgrades in-place on nodes. Which method you can use depends on whether the patch is available from the operating system in the package manager or not: + +. Install patches with `nodeadm upgrade` that are published to package managers, see <>. +. Install patches with the package managers directly, see <>. +. Install custom patches that aren't published in package managers. Note that there are special considerations for custom patches for `containerd`, <>. + +[#hybrid-nodes-security-nodeadm] +== Step 2 a: Patching with `nodeadm upgrade` After you confirm that the `containerd` CVE patch has been published to the OS or Docker repos (either Apt or RPM), you can use the `nodeadm upgrade` command to upgrade to the latest version of `containerd`. Since this isn't a Kubernetes version upgrade, you must pass in your current Kubernetes version to the `nodeadm` upgrade command. @@ -40,7 +53,8 @@ After you confirm that the `containerd` CVE patch has been published to the OS o nodeadm upgrade [.replaceable]`K8S_VERSION` --config-source file:///root/nodeConfig.yaml ---- -=== Patching with operating system package managers +[#hybrid-nodes-security-package] +== Step 2 b: Patching with operating system package managers Alternatively you can also update through the respective package manager and use it to upgrade the `containerd` package as follows. @@ -73,12 +87,13 @@ sudo apt update -y sudo apt install -y --only-upgrade containerd.io ---- -== Containerd CVE patch not published in package managers +[#hybrid-nodes-security-manual] +== Step 2 c: `Containerd` CVE patch not published in package managers If the patched `containerd` version is only available by other means instead of in the package manager, for example in GitHub releases, then you can install `containerd` from the official GitHub site. . If the machine has already joined the cluster as a hybrid node, then you need to run the `nodeadm uninstall` command. -. Install the official `containerd` binaries. You can use the steps https://github.com/containerd/containerd/blob/main/docs/getting-started.md#option-1-from-the-official-binaries[install the official containerd binaries]. +. Install the official `containerd` binaries. You can use the steps https://github.com/containerd/containerd/blob/main/docs/getting-started.md#option-1-from-the-official-binaries[official installation steps] on GitHub. . Run the `nodeadm install` command with the `--containerd-source` argument set to `none`, which will skip `containerd` installation through `nodeadm`. You can use the value of `none` in the `containerd` source for any operating system that the node is running. + [source,bash,subs="verbatim,attributes,quotes"] From d0c9e1336cf1076fff9b4ed6826bafa3fc4255f3 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Thu, 6 Mar 2025 15:39:22 +0000 Subject: [PATCH 227/940] Simplified metadata for consistency between pages. --- latest/ug/automode/auto-reference.adoc | 5 ----- latest/ug/automode/automode.adoc | 1 - latest/ug/automode/create-auto.adoc | 5 ----- latest/ug/automode/migrate-auto.adoc | 6 +----- latest/ug/automode/settings-auto.adoc | 5 ----- latest/ug/automode/wip.adoc | 1 - latest/ug/book.adoc | 6 ------ latest/ug/clusters/clusters.adoc | 7 ------- latest/ug/clusters/create-cluster-auto.adoc | 1 - latest/ug/clusters/management/eks-managing.adoc | 7 ------- latest/ug/connector/eks-connector.adoc | 7 ------- latest/ug/doc-history.adoc | 7 ------- latest/ug/getting-started/getting-started.adoc | 7 ------- latest/ug/getting-started/learn-eks.adoc | 7 ------- latest/ug/getting-started/setting-up.adoc | 7 ------- latest/ug/integrations/eks-integrations.adoc | 7 ------- latest/ug/manage-access/cluster-auth.adoc | 7 ------- latest/ug/ml/machine-learning-on-eks.adoc | 7 ------- latest/ug/networking/eks-networking.adoc | 7 ------- latest/ug/nodes/eks-compute.adoc | 7 ------- latest/ug/observability/eks-observe.adoc | 7 ------- latest/ug/outposts/eks-outposts.adoc | 7 ------- latest/ug/related-projects.adoc | 7 ------- latest/ug/roadmap.adoc | 7 ------- .../ug/security/iam-reference/auto-cluster-iam-role.adoc | 7 ++++--- .../ug/security/iam-reference/auto-create-node-role.adoc | 9 ++++----- latest/ug/security/security.adoc | 7 ------- latest/ug/storage/storage.adoc | 7 ------- latest/ug/troubleshooting/troubleshooting.adoc | 7 ------- latest/ug/what-is/what-is-eks.adoc | 8 -------- latest/ug/workloads/eks-workloads.adoc | 7 ------- team/squish.adoc | 1 - 32 files changed, 9 insertions(+), 186 deletions(-) diff --git a/latest/ug/automode/auto-reference.adoc b/latest/ug/automode/auto-reference.adoc index 1416681f9..8582a2e0f 100644 --- a/latest/ug/automode/auto-reference.adoc +++ b/latest/ug/automode/auto-reference.adoc @@ -5,11 +5,6 @@ include::../attributes.txt[] [.topic] [#auto-reference] = Learn how EKS Auto Mode works -:icons: font -:experimental: -:idprefix: -:idseparator: - -:sourcedir: . :info_titleabbrev: How it works [abstract] diff --git a/latest/ug/automode/automode.adoc b/latest/ug/automode/automode.adoc index 226a83f97..57cbbe1da 100644 --- a/latest/ug/automode/automode.adoc +++ b/latest/ug/automode/automode.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [#automode] = Automate cluster infrastructure with EKS Auto Mode :toclevels: 2 -:toc: :info_titleabbrev: EKS Auto Mode [abstract] diff --git a/latest/ug/automode/create-auto.adoc b/latest/ug/automode/create-auto.adoc index 393480d33..2369c34b7 100644 --- a/latest/ug/automode/create-auto.adoc +++ b/latest/ug/automode/create-auto.adoc @@ -5,11 +5,6 @@ include::../attributes.txt[] [.topic] [#create-auto] = Create a cluster with Amazon EKS Auto Mode -:icons: font -:experimental: -:idprefix: -:idseparator: - -:sourcedir: . :info_titleabbrev: Create cluster :keywords: getting, started, tutorials, quick, start diff --git a/latest/ug/automode/migrate-auto.adoc b/latest/ug/automode/migrate-auto.adoc index bb4cdd4ee..4e607e821 100644 --- a/latest/ug/automode/migrate-auto.adoc +++ b/latest/ug/automode/migrate-auto.adoc @@ -5,11 +5,6 @@ include::../attributes.txt[] [.topic] [#migrate-auto] = Enable EKS Auto Mode on existing EKS clusters -:icons: font -:experimental: -:idprefix: -:idseparator: - -:sourcedir: . :info_titleabbrev: Enable existing clusters [abstract] @@ -40,6 +35,7 @@ EKS Auto Mode requires Kubernetes version 1.29 or greater. EKS Auto Mode isn't a ** You can install the {aws} Load Balancer Controller on an Amazon EKS Auto Mode cluster. Use the `IngressClass` or `loadBalancerClass` options to associate Service and Ingress resources with either the Load Balancer Controller or EKS Auto Mode. * Migrating EKS Clusters with alternative CNIs or other unsupported networking configurations +[#migration-reference] == Migration Reference Use the following migration reference to configure Kubernetes Resources to be owned by either self-managed controllers or EKS Auto Mode. diff --git a/latest/ug/automode/settings-auto.adoc b/latest/ug/automode/settings-auto.adoc index bc805a209..3874ee827 100644 --- a/latest/ug/automode/settings-auto.adoc +++ b/latest/ug/automode/settings-auto.adoc @@ -5,11 +5,6 @@ include::../attributes.txt[] [.topic] [#settings-auto] = Configure EKS Auto Mode settings -:icons: font -:experimental: -:idprefix: -:idseparator: - -:sourcedir: . :info_titleabbrev: Configure [abstract] diff --git a/latest/ug/automode/wip.adoc b/latest/ug/automode/wip.adoc index 98e45e224..ee229cc89 100644 --- a/latest/ug/automode/wip.adoc +++ b/latest/ug/automode/wip.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] [.topic] [#auto-wip] = EKS Auto Mode: Revisions to existing pages WIP -:toc: left This section contains in-progress revisions for existing pages in other chapters. diff --git a/latest/ug/book.adoc b/latest/ug/book.adoc index 2056f3b7f..2a4e3aa4f 100644 --- a/latest/ug/book.adoc +++ b/latest/ug/book.adoc @@ -4,11 +4,6 @@ include::attributes.txt[] [[top]] = Amazon EKS -:toc: left -:icons: font -:experimental: -:idprefix: -:idseparator: - :info_subtitle: User Guide :info_corpauthor: Amazon Web Services :info_publisher: Amazon Web Services @@ -27,7 +22,6 @@ sponsored by Amazon. -- This is official Amazon Web Services ({aws}) documentation for Amazon Elastic Kubernetes Service (Amazon EKS). Amazon EKS is a managed service that makes it easy for you to run Kubernetes on {aws} without needing to install and operate your own Kubernetes clusters. Kubernetes is an open source system for automating the deployment, scaling, and management of containerized applications. -- -:sectnums: [.banner.info] *Help improve this page* diff --git a/latest/ug/clusters/clusters.adoc b/latest/ug/clusters/clusters.adoc index 00d0a8311..f8617ca84 100644 --- a/latest/ug/clusters/clusters.adoc +++ b/latest/ug/clusters/clusters.adoc @@ -4,13 +4,6 @@ include::../attributes.txt[] [#clusters] = Organize workloads with Amazon EKS clusters -:sectnums: -:toc: left -:icons: font -:experimental: -:idprefix: -:idseparator: - -:sourcedir: . :info_titleabbrev: Clusters An Amazon EKS cluster consists of two primary components: diff --git a/latest/ug/clusters/create-cluster-auto.adoc b/latest/ug/clusters/create-cluster-auto.adoc index c5b2b5b51..9edd95f07 100644 --- a/latest/ug/clusters/create-cluster-auto.adoc +++ b/latest/ug/clusters/create-cluster-auto.adoc @@ -6,7 +6,6 @@ include::../attributes.txt[] [#create-cluster-auto] = Create an Amazon EKS Auto Mode cluster :info_titleabbrev: Create auto cluster -:idprefix: id_ [abstract] -- diff --git a/latest/ug/clusters/management/eks-managing.adoc b/latest/ug/clusters/management/eks-managing.adoc index 9bcc77d80..3f49fb775 100644 --- a/latest/ug/clusters/management/eks-managing.adoc +++ b/latest/ug/clusters/management/eks-managing.adoc @@ -4,13 +4,6 @@ include::../../attributes.txt[] [#eks-managing] = Organize and monitor cluster resources -:sectnums: -:toc: left -:icons: font -:experimental: -:idprefix: -:idseparator: - -:sourcedir: . :info_titleabbrev: Cluster management This chapter includes the following topics to help you manage your cluster. You can also view information about your <> with the {aws-management-console}. diff --git a/latest/ug/connector/eks-connector.adoc b/latest/ug/connector/eks-connector.adoc index 5b94c737a..17840a4a4 100644 --- a/latest/ug/connector/eks-connector.adoc +++ b/latest/ug/connector/eks-connector.adoc @@ -4,13 +4,6 @@ include::../attributes.txt[] [#eks-connector] = Connect a Kubernetes cluster to an Amazon EKS Management Console with Amazon EKS Connector -:sectnums: -:toc: left -:icons: font -:experimental: -:idprefix: -:idseparator: - -:sourcedir: . :info_titleabbrev: Amazon EKS Connector [abstract] diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index b8b28de8c..b0dc8a5fe 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -3,13 +3,6 @@ [#doc-history] // H1 title is necessary, and must occur before the [abstract], but is unused in the web page (:info_title: is used instead, and :info_titleabbrev: is used in the ToC) = Document history -:sectnums: -:toc: left -:icons: font -:experimental: -:idprefix: -:idseparator: - -:sourcedir: . :keywords: document, publish, release, history, log diff --git a/latest/ug/getting-started/getting-started.adoc b/latest/ug/getting-started/getting-started.adoc index ed773aa8e..5f40f586b 100644 --- a/latest/ug/getting-started/getting-started.adoc +++ b/latest/ug/getting-started/getting-started.adoc @@ -4,13 +4,6 @@ include::../attributes.txt[] [#getting-started] = Get started with Amazon EKS -:sectnums: -:toc: left -:icons: font -:experimental: -:idprefix: -:idseparator: - -:sourcedir: . :info_titleabbrev: Get started :keywords: getting, started, tutorials, quick, start diff --git a/latest/ug/getting-started/learn-eks.adoc b/latest/ug/getting-started/learn-eks.adoc index 97102581f..065cb8f57 100644 --- a/latest/ug/getting-started/learn-eks.adoc +++ b/latest/ug/getting-started/learn-eks.adoc @@ -7,13 +7,6 @@ include::../attributes.txt[] = Learn Amazon EKS by example :info_titleabbrev: Learn Amazon EKS :keywords: tutorial, workshop, developer, learn -:sectnums: -:toc: left -:icons: font -:experimental: -:idprefix: -:idseparator: - -:sourcedir: . [abstract] -- diff --git a/latest/ug/getting-started/setting-up.adoc b/latest/ug/getting-started/setting-up.adoc index 360fa25ac..f00d5a3b8 100644 --- a/latest/ug/getting-started/setting-up.adoc +++ b/latest/ug/getting-started/setting-up.adoc @@ -4,13 +4,6 @@ include::../attributes.txt[] [#setting-up] = Set up to use Amazon EKS -:sectnums: -:toc: left -:icons: font -:experimental: -:idprefix: -:idseparator: - -:sourcedir: . :info_titleabbrev: Set up :keywords: setting up, setup diff --git a/latest/ug/integrations/eks-integrations.adoc b/latest/ug/integrations/eks-integrations.adoc index 9ea3e7d54..15c0c7431 100644 --- a/latest/ug/integrations/eks-integrations.adoc +++ b/latest/ug/integrations/eks-integrations.adoc @@ -2,13 +2,6 @@ include::../attributes.txt[] [#eks-integrations] = Enhance EKS with integrated {aws} services -:sectnums: -:toc: left -:icons: font -:experimental: -:idprefix: -:idseparator: - -:sourcedir: . :info_titleabbrev: Working with other services In addition to the services covered in other sections, Amazon EKS works with more {aws} services to provide additional solutions. This topic identifies some of the other services that either use Amazon EKS to add functionality, or services that Amazon EKS uses to perform tasks. diff --git a/latest/ug/manage-access/cluster-auth.adoc b/latest/ug/manage-access/cluster-auth.adoc index 6b43f9036..c92e78456 100644 --- a/latest/ug/manage-access/cluster-auth.adoc +++ b/latest/ug/manage-access/cluster-auth.adoc @@ -5,13 +5,6 @@ include::../attributes.txt[] [.topic] [#cluster-auth] = Learn how access control works in Amazon EKS -:sectnums: -:toc: left -:icons: font -:experimental: -:idprefix: -:idseparator: - -:sourcedir: . :info_titleabbrev: Manage access [abstract] diff --git a/latest/ug/ml/machine-learning-on-eks.adoc b/latest/ug/ml/machine-learning-on-eks.adoc index f6bbaa044..988a05874 100644 --- a/latest/ug/ml/machine-learning-on-eks.adoc +++ b/latest/ug/ml/machine-learning-on-eks.adoc @@ -5,13 +5,6 @@ include::../attributes.txt[] [.topic] [#machine-learning-on-eks] = Overview of Machine Learning on Amazon EKS -:sectnums: -:toc: left -:icons: font -:experimental: -:idprefix: -:idseparator: - -:sourcedir: . :info_titleabbrev: Machine Learning on EKS :keywords: Machine Learning, Amazon EKS, Artificial Intelligence diff --git a/latest/ug/networking/eks-networking.adoc b/latest/ug/networking/eks-networking.adoc index 084083ac3..332b2463e 100644 --- a/latest/ug/networking/eks-networking.adoc +++ b/latest/ug/networking/eks-networking.adoc @@ -4,13 +4,6 @@ include::../attributes.txt[] [#eks-networking] = Configure networking for Amazon EKS clusters -:sectnums: -:toc: left -:icons: font -:experimental: -:idprefix: -:idseparator: - -:sourcedir: . :info_titleabbrev: Configure networking include::network-reqs.adoc[leveloffset=+1] diff --git a/latest/ug/nodes/eks-compute.adoc b/latest/ug/nodes/eks-compute.adoc index 8c353b097..0f0399ec1 100644 --- a/latest/ug/nodes/eks-compute.adoc +++ b/latest/ug/nodes/eks-compute.adoc @@ -4,13 +4,6 @@ include::../attributes.txt[] [#eks-compute] = Manage compute resources by using nodes -:sectnums: -:toc: left -:icons: font -:experimental: -:idprefix: -:idseparator: - -:sourcedir: . :info_titleabbrev: Manage compute :keywords: nodes, node groups diff --git a/latest/ug/observability/eks-observe.adoc b/latest/ug/observability/eks-observe.adoc index 5df3c8ea0..5709658e6 100644 --- a/latest/ug/observability/eks-observe.adoc +++ b/latest/ug/observability/eks-observe.adoc @@ -4,13 +4,6 @@ include::../attributes.txt[] [#eks-observe] = Monitor your cluster performance and view logs -:sectnums: -:toc: left -:icons: font -:experimental: -:idprefix: -:idseparator: - -:sourcedir: . :info_titleabbrev: Monitor clusters :keywords: observability, monitoring, logging, logs, data diff --git a/latest/ug/outposts/eks-outposts.adoc b/latest/ug/outposts/eks-outposts.adoc index 88d1df3c4..c1e957a37 100644 --- a/latest/ug/outposts/eks-outposts.adoc +++ b/latest/ug/outposts/eks-outposts.adoc @@ -2,13 +2,6 @@ include::../attributes.txt[] [#eks-outposts] = Deploy Amazon EKS on-premises with {aws} Outposts -:sectnums: -:toc: left -:icons: font -:experimental: -:idprefix: -:idseparator: - -:sourcedir: . :info_titleabbrev: Amazon EKS on {aws} Outposts :keywords: Amazon EKS, {aws} Outposts, extended clusters, local clusters diff --git a/latest/ug/related-projects.adoc b/latest/ug/related-projects.adoc index 2c919007e..0220e4261 100644 --- a/latest/ug/related-projects.adoc +++ b/latest/ug/related-projects.adoc @@ -2,13 +2,6 @@ include::attributes.txt[] [#related-projects] = Extend Amazon EKS capabilities with open source projects -:sectnums: -:toc: left -:icons: font -:experimental: -:idprefix: -:idseparator: - -:sourcedir: . :info_titleabbrev: Projects related to Amazon EKS [abstract] diff --git a/latest/ug/roadmap.adoc b/latest/ug/roadmap.adoc index 597b89b16..5de6b0a7d 100644 --- a/latest/ug/roadmap.adoc +++ b/latest/ug/roadmap.adoc @@ -3,13 +3,6 @@ include::attributes.txt[] [.topic] [#roadmap] = Learn about Amazon EKS new features and roadmap -:sectnums: -:toc: left -:icons: font -:experimental: -:idprefix: -:idseparator: - -:sourcedir: . :info_titleabbrev: New features and roadmap [abstract] diff --git a/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc b/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc index c22f1d538..8466cec66 100644 --- a/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc +++ b/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc @@ -5,7 +5,6 @@ include::../../attributes.txt[] [.topic] [#auto-cluster-iam-role] = Amazon EKS Auto Mode cluster IAM role -:idprefix: wip_ :info_titleabbrev: Auto Mode cluster IAM role [abstract] @@ -23,6 +22,7 @@ Before you can create Amazon EKS clusters, you must create an IAM role with the * <> * <> +[#auto-cluster-iam-role-check] == Check for an existing cluster role You can use the following procedure to check and see if your account already has the Amazon EKS cluster role. @@ -59,11 +59,12 @@ You can use the following procedure to check and see if your account already has {aws} does not require the name `AmazonEKSAutoClusterRole` for this role. ==== +[#auto-cluster-iam-role-create] == Creating the Amazon EKS cluster role You can use the {aws-management-console} or the {aws} CLI to create the cluster role. - +[#auto-cluster-iam-role-console] === {aws-management-console} . Open the IAM console at https://console.aws.amazon.com/iam/. @@ -81,7 +82,7 @@ You can use the {aws-management-console} or the {aws} CLI to create the cluster . For *Description*, enter descriptive text such as `Amazon EKS - Cluster role`. . Choose *Create role*. - +[#auto-cluster-iam-role-cli] === {aws} CLI . Copy the following contents to a file named [.replaceable]`cluster-trust-policy.json`. diff --git a/latest/ug/security/iam-reference/auto-create-node-role.adoc b/latest/ug/security/iam-reference/auto-create-node-role.adoc index e4c885f16..8ea6fd01b 100644 --- a/latest/ug/security/iam-reference/auto-create-node-role.adoc +++ b/latest/ug/security/iam-reference/auto-create-node-role.adoc @@ -5,7 +5,6 @@ include::../../attributes.txt[] [.topic] [#auto-create-node-role] = Amazon EKS Auto Mode node IAM role -:idprefix: id_ :info_titleabbrev: Auto Mode node IAM role // write short desc @@ -22,7 +21,7 @@ Before you create nodes, you must create an IAM role with the following policies * <> * link:AmazonECR/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonEC2ContainerRegistryPullOnly["AmazonEC2ContainerRegistryPullOnly",type="documentation"] - +[#auto-create-node-role-check] == Check for an existing node role You can use the following procedure to check and see if your account already has the Amazon EKS node role. @@ -51,13 +50,13 @@ You can use the following procedure to check and see if your account already has } ---- - +[#auto-create-node-role-iam] == Creating the Amazon EKS node IAM role You can create the node IAM role with the {aws-management-console} or the {aws} CLI. - +[#auto-create-node-role-console] === {aws-management-console} . Open the IAM console at https://console.aws.amazon.com/iam/. . In the left navigation pane, choose *Roles*. @@ -77,7 +76,7 @@ You can create the node IAM role with the {aws-management-console} or the {aws} .. Under *Add tags (Optional)*, add metadata to the role by attaching tags as key-value pairs. For more information about using tags in IAM, see link:IAM/latest/UserGuide/id_tags.html[Tagging IAM resources,type="documentation"] in the _IAM User Guide_. .. Choose *Create role*. - +[#auto-create-node-role-cli] === {aws} CLI *Create the Node IAM Role* diff --git a/latest/ug/security/security.adoc b/latest/ug/security/security.adoc index ba6e8040b..0b1770ab4 100644 --- a/latest/ug/security/security.adoc +++ b/latest/ug/security/security.adoc @@ -5,13 +5,6 @@ include::../attributes.txt[] [.topic] [#security] = Security in Amazon EKS -:sectnums: -:toc: left -:icons: font -:experimental: -:idprefix: -:idseparator: - -:sourcedir: . :info_titleabbrev: Security include::security-best-practices.adoc[leveloffset=+1] diff --git a/latest/ug/storage/storage.adoc b/latest/ug/storage/storage.adoc index 1a37afa77..6a440748e 100644 --- a/latest/ug/storage/storage.adoc +++ b/latest/ug/storage/storage.adoc @@ -4,13 +4,6 @@ include::../attributes.txt[] [#storage] = Store application data for your cluster -:sectnums: -:toc: left -:icons: font -:experimental: -:idprefix: -:idseparator: - -:sourcedir: . :info_titleabbrev: Store app data :keywords: persistent, data, app, storage diff --git a/latest/ug/troubleshooting/troubleshooting.adoc b/latest/ug/troubleshooting/troubleshooting.adoc index 040403192..f7ce122bf 100644 --- a/latest/ug/troubleshooting/troubleshooting.adoc +++ b/latest/ug/troubleshooting/troubleshooting.adoc @@ -4,13 +4,6 @@ include::../attributes.txt[] [#troubleshooting] = Troubleshoot problems with Amazon EKS clusters and nodes -:sectnums: -:toc: left -:icons: font -:experimental: -:idprefix: -:idseparator: - -:sourcedir: . :info_titleabbrev: Troubleshooting :keywords: troubleshooting, help, FAQ diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index b7d832f37..07e1cad9e 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -5,14 +5,6 @@ include::../attributes.txt[] [.topic] [#what-is-eks] = What is Amazon EKS? -:sectnums: -:toc: left -:icons: font -:experimental: -:idprefix: -:idseparator: - -:sourcedir: . -:info_titleabbrev: What is Amazon EKS? :keywords: Amazon Elastic Kubernetes Service, Amazon EKS, about, summary, description [abstract] diff --git a/latest/ug/workloads/eks-workloads.adoc b/latest/ug/workloads/eks-workloads.adoc index 0d66774a5..bb5ab8ad3 100644 --- a/latest/ug/workloads/eks-workloads.adoc +++ b/latest/ug/workloads/eks-workloads.adoc @@ -4,13 +4,6 @@ include::../attributes.txt[] [#eks-workloads] = Learn how to deploy workloads and add-ons to Amazon EKS -:sectnums: -:toc: left -:icons: font -:experimental: -:idprefix: -:idseparator: - -:sourcedir: . :info_titleabbrev: Workloads Your workloads are deployed in containers, which are deployed in Pods in Kubernetes. A Pod includes one or more containers. Typically, one or more Pods that provide the same service are deployed in a Kubernetes service. Once you've deployed multiple Pods that provide the same service, you can: diff --git a/team/squish.adoc b/team/squish.adoc index 1f5b7c955..8533f72ed 100644 --- a/team/squish.adoc +++ b/team/squish.adoc @@ -1,6 +1,5 @@ :doctype: book = AmazonEKSDocs Git History Squish Procedure -:toc: == Overview This procedure outlines the steps to clear the history of the "mainline" branch while maintaining a backup. The backup branch will be named with the current date (e.g., `13JAN2025-mainline`). From 66c2222af83a4e760dfdbfbff03ae8574f31dd64 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Thu, 6 Mar 2025 17:46:29 +0000 Subject: [PATCH 228/940] HTML and PDF seems identical when removing :toclevels: 2 --- latest/ug/automode/automode.adoc | 1 - 1 file changed, 1 deletion(-) diff --git a/latest/ug/automode/automode.adoc b/latest/ug/automode/automode.adoc index 57cbbe1da..9c721a198 100644 --- a/latest/ug/automode/automode.adoc +++ b/latest/ug/automode/automode.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#automode] = Automate cluster infrastructure with EKS Auto Mode -:toclevels: 2 :info_titleabbrev: EKS Auto Mode [abstract] From 84bda7103ba4812a1f3c41fc687b69e11ffd8a53 Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Thu, 6 Mar 2025 13:46:17 -0800 Subject: [PATCH 229/940] Review PR 904. Add top organization to clarify the two parts of proxy config. --- latest/ug/nodes/hybrid-nodes-proxy.adoc | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/latest/ug/nodes/hybrid-nodes-proxy.adoc b/latest/ug/nodes/hybrid-nodes-proxy.adoc index b0bdb67a3..29ca2ee2a 100644 --- a/latest/ug/nodes/hybrid-nodes-proxy.adoc +++ b/latest/ug/nodes/hybrid-nodes-proxy.adoc @@ -11,11 +11,17 @@ include::../attributes.txt[] Configure HTTP/S proxies for Amazon EKS hybrid nodes -- -If you are using a proxy server in your on-premises environment for traffic leaving your data center or edge environment, you need to configure your operating system, `containerd`, `kubelet`, and `kube-proxy` to use your proxy server. You must configure `kube-proxy` after creating your Amazon EKS cluster. You can make the changes for your operating system, `containerd`, and the `kubelet` during the build process for your operating system images or before you run `nodeadm init` on each hybrid node. +If you are using a proxy server in your on-premises environment for traffic leaving your data center or edge environment, you need to separately configure your nodes and your cluster to use your proxy server. + +Cluster:: +On your cluster, you need to configure `kube-proxy` to use your proxy server. You must configure `kube-proxy` after creating your Amazon EKS cluster. + +Nodes:: +On your nodes, you must configure the operating system, `containerd`, `kubelet`, and the Amazon SSM agent to use your proxy server. You can make these changes during the build process for your operating system images or before you run `nodeadm init` on each hybrid node. == Node-level configuration -The configurations in this section must be applied in your operating system images or before running `nodeadm init` on each hybrid node. +You must apply the following configurations either in your operating system images or before running `nodeadm init` on each hybrid node. === `containerd` proxy configuration @@ -77,7 +83,7 @@ systemctl restart containerd === `ssm` proxy configuration -`ssm` is one of the credential providers that can be used to initialize a hybrid node. `ssm` is responsible for authenticating with AWS and generating temporary credentials that is used by `kubelet`. If you are using a proxy in your on-premises environment and using `ssm` as your credential provider on the node, you must configure the `ssm` so it can communicate with Amazon SSM service endpoints. +`ssm` is one of the credential providers that can be used to initialize a hybrid node. `ssm` is responsible for authenticating with {aws} and generating temporary credentials that is used by `kubelet`. If you are using a proxy in your on-premises environment and using `ssm` as your credential provider on the node, you must configure the `ssm` so it can communicate with Amazon SSM service endpoints. Create a file on each hybrid node called `http-proxy.conf` in the path below depending on the operating system From 636f47422c2bfa1feae63880e93c4cb6a1e238f2 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Fri, 7 Mar 2025 15:23:12 +0000 Subject: [PATCH 230/940] Removed link to Terraform module where Outposts functionality was deprecated: 45711 --- latest/ug/outposts/eks-outposts-self-managed-nodes.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc index fe354889d..88f22151e 100644 --- a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc +++ b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc @@ -19,7 +19,7 @@ This topic describes how you can launch Auto Scaling groups of Amazon Linux node * Suppose that you're creating your nodes in a cluster on the {aws} Cloud and you have subnets in the {aws} Region where you have {aws} Outposts, {aws} Wavelength, or {aws} Local Zones enabled. Then, those subnets must not have been passed in when you created your cluster. If you're creating your nodes in a cluster on an Outpost, you must have passed in an Outpost subnet when creating your cluster. * (Recommended for clusters on the {aws} Cloud) The Amazon VPC CNI plugin for Kubernetes add-on configured with its own IAM role that has the necessary IAM policy attached to it. For more information, see <>. Local clusters do not support IAM roles for service accounts. -You can create a self-managed Amazon Linux node group with `eksctl` or the {aws-management-console} (with an {aws} CloudFormation template). You can also use https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest[Terraform]. +You can create a self-managed Amazon Linux node group with `eksctl` or the {aws-management-console} (with an {aws} CloudFormation template). You can also use Terraform. You can create a self-managed node group for local cluster with the following tools described in this page: From da8befdff7b0f92af2ce849ab9616d74a25ca80d Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Fri, 7 Mar 2025 17:32:28 +0000 Subject: [PATCH 231/940] Unified header syntax. --- latest/ug/automode/auto-configure-alb.adoc | 12 +++--- .../ug/automode/auto-migrate-karpenter.adoc | 18 ++++---- latest/ug/automode/auto-net-pol.adoc | 8 ++-- .../ug/automode/automode-get-started-cli.adoc | 42 +++++++++---------- latest/ug/automode/automode.adoc | 6 +-- latest/ug/automode/create-node-class.adoc | 4 +- latest/ug/automode/create-node-pool.adoc | 2 +- .../ug/automode/sample-storage-workload.adoc | 16 +++---- latest/ug/automode/troubleshoot-lbc.adoc | 28 ++++++------- latest/ug/clusters/create-cluster-auto.adoc | 18 ++++---- latest/ug/clusters/zone-shift.adoc | 2 +- latest/ug/contribute/contribute.adoc | 2 +- latest/ug/quickstart.adoc | 14 +++---- latest/ug/security/auto-security.adoc | 24 +++++------ 14 files changed, 98 insertions(+), 98 deletions(-) diff --git a/latest/ug/automode/auto-configure-alb.adoc b/latest/ug/automode/auto-configure-alb.adoc index 72fd64853..ff34eb150 100644 --- a/latest/ug/automode/auto-configure-alb.adoc +++ b/latest/ug/automode/auto-configure-alb.adoc @@ -20,7 +20,7 @@ EKS Auto Mode creates and configures Application Load Balancers (ALBs). For exam . Create an `Ingress` resource that associates a HTTP path and port with a cluster workload. . EKS Auto Mode will create an Application Load Balancer that points to the workload specified in the `Ingress` resource, using the load balancer configuration specified in the `IngressClassParams` resource. -## Prerequisites +== Prerequisites * EKS Auto Mode Enabled on an Amazon EKS Cluster * Kubectl configured to connect to your cluster @@ -36,7 +36,7 @@ Learn how to <>. ==== -## Step 1: Create IngressClassParams +== Step 1: Create IngressClassParams Create an `IngressClassParams` object to specify {aws} specific configuration options for the Application Load Balancer. Use the reference below to update the sample YAML file. @@ -51,7 +51,7 @@ spec: scheme: internet-facing ``` -## Step 2: Create IngressClass +== Step 2: Create IngressClass Create an `IngressClass` that references the {aws} specific configuration values set in the `IngressClassParams` resource. Note the name of the `IngressClass` . In this example, both the `IngressClass` and `IngressClassParams` are named `alb`. @@ -78,7 +78,7 @@ spec: For more information on configuration options, see <>. -## Step 3: Create Ingress +== Step 3: Create Ingress Create an `Ingress` resource. The purpose of this resource is to associate paths and ports on the Application Load Balancer with workloads in your cluster. @@ -107,7 +107,7 @@ spec: -## Step 4: Check Status +== Step 4: Check Status Use `kubectl` to find the status of the `Ingress`. It can take a few minutes for the load balancer to become available. @@ -125,7 +125,7 @@ kubectl get ingress api-ingress -o jsonpath='{.status.loadBalancer.ingress[0].ho To view the service in a web browser, review the port and path specified in the `Ingress` rescue. -## Step 5: Cleanup +== Step 5: Cleanup To clean up the load balancer, use the following command: diff --git a/latest/ug/automode/auto-migrate-karpenter.adoc b/latest/ug/automode/auto-migrate-karpenter.adoc index 2818ef0a6..87ff6635d 100644 --- a/latest/ug/automode/auto-migrate-karpenter.adoc +++ b/latest/ug/automode/auto-migrate-karpenter.adoc @@ -11,7 +11,7 @@ This topic walks you through the process of migrating workloads from Karpenter t The step-by-step approach outlined below enables you to run Karpenter and EKS Auto Mode side by side during the migration period. This dual-operation strategy helps ensure a smooth transition by allowing you to validate workload behavior on EKS Auto Mode before completely decommissioning Karpenter. You can migrate applications individually or in groups, providing flexibility to accommodate your specific operational requirements and risk tolerance. -## Prerequisites +== Prerequisites Before beginning the migration, ensure you have: @@ -20,7 +20,7 @@ Before beginning the migration, ensure you have: This topic assumes you are familiar with Karpenter and NodePools. For more information, see the https://karpenter.sh/[Karpenter Documentation.] -## Step 1: Enable EKS Auto Mode on the cluster +== Step 1: Enable EKS Auto Mode on the cluster Enable EKS Auto Mode on your existing cluster using the {aws} CLI or Management Console. For more information, see <>. @@ -32,7 +32,7 @@ For more information, see <>. ==== -## Step 2: Create a tainted EKS Auto Mode NodePool +== Step 2: Create a tainted EKS Auto Mode NodePool Create a new NodePool for EKS Auto Mode with a taint. This ensures that existing pods won't automatically schedule on the new EKS Auto Mode nodes. This node pool uses the `default` `NodeClass` built into EKS Auto Mode. For more information, see <>. @@ -61,7 +61,7 @@ spec: Update the requirements for the node pool to match the Karpenter configuration you are migrating from. You need at least one requirement. -## Step 3: Update workloads for migration +== Step 3: Update workloads for migration Identify and update the workloads you want to migrate to EKS Auto Mode. Add both tolerations and node selectors to these workloads: @@ -82,11 +82,11 @@ This change allows the workload to be scheduled on the new EKS Auto Mode nodes. EKS Auto Mode uses different labels than Karpenter. Labels related to EC2 managed instances start with `eks.amazonaws.com`. For more information, see <>. -## Step 4: Gradually migrate workloads +== Step 4: Gradually migrate workloads Repeat Step 3 for each workload you want to migrate. This allows you to move workloads individually or in groups, based on your requirements and risk tolerance. -## Step 5: Remove the original Karpenter NodePool +== Step 5: Remove the original Karpenter NodePool Once all workloads have been migrated, you can remove the original Karpenter NodePool: @@ -94,7 +94,7 @@ Once all workloads have been migrated, you can remove the original Karpenter Nod kubectl delete nodepool ``` -## Step 6: Remove taint from EKS Auto Mode NodePool (Optional) +== Step 6: Remove taint from EKS Auto Mode NodePool (Optional) If you want EKS Auto Mode to become the default for new workloads, you can remove the taint from the EKS Auto Mode NodePool: @@ -113,7 +113,7 @@ spec: # Remove the taints section ``` -## Step 7: Remove node selectors from workloads (Optional) +== Step 7: Remove node selectors from workloads (Optional) If you've removed the taint from the EKS Auto Mode NodePool, you can optionally remove the node selectors from your workloads, as EKS Auto Mode is now the default: @@ -129,6 +129,6 @@ spec: effect: "NoSchedule" ``` -## Step 8: Uninstall Karpenter from your cluster +== Step 8: Uninstall Karpenter from your cluster The steps to remove Karpenter depend on how you installed it. For more information, see the https://karpenter.sh/docs/getting-started/getting-started-with-karpenter/#create-a-cluster-and-add-karpenter[Karpenter install instructions] and the https://helm.sh/docs/helm/helm_uninstall/[Helm Uninstall command]. \ No newline at end of file diff --git a/latest/ug/automode/auto-net-pol.adoc b/latest/ug/automode/auto-net-pol.adoc index a5f7829c8..1288abdfc 100644 --- a/latest/ug/automode/auto-net-pol.adoc +++ b/latest/ug/automode/auto-net-pol.adoc @@ -10,12 +10,12 @@ include::../attributes.txt[] Network policies allow you to control traffic flow at the IP address or port level within your Amazon EKS cluster. This topic explains how to enable and use network policies with EKS Auto Mode. -## Prerequisites +== Prerequisites * An Amazon EKS cluster with EKS Auto Mode enabled * kubectl configured to connect to your cluster -## Step 1: Enable Network Policy Controller +== Step 1: Enable Network Policy Controller To use network policies with EKS Auto Mode, you first need to enable the Network Policy Controller by applying a ConfigMap to your cluster. @@ -36,7 +36,7 @@ data: kubectl apply -f enable-network-policy.yaml ``` -## Step 2: Enable Network Policies in Node Class +== Step 2: Enable Network Policies in Node Class Before you can use network policies, you need to ensure that your Node Class is configured to support them. Follow these steps: @@ -68,6 +68,6 @@ kubectl get nodeclass network-policy-enabled Once your nodes are using this Node Class, they will be able to enforce network policies. You can now proceed to create and apply network policies to control traffic within your cluster. For all the node class configuration options, see <>. -## Step 3: Create and test network policies +== Step 3: Create and test network policies Your EKS Auto Mode cluster is now configured to support Kubernetes network policies. You can test this with the <>. \ No newline at end of file diff --git a/latest/ug/automode/automode-get-started-cli.adoc b/latest/ug/automode/automode-get-started-cli.adoc index 8bffd8a89..571770824 100644 --- a/latest/ug/automode/automode-get-started-cli.adoc +++ b/latest/ug/automode/automode-get-started-cli.adoc @@ -11,13 +11,13 @@ EKS Auto Mode Clusters automate routine cluster management tasks for compute, st This topic guides you through creating a new EKS Auto Mode Cluster using the {aws} CLI and optionally deploying a sample workload. -## Prerequisites +== Prerequisites * The latest version of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device. To check your current version, use `aws --version`. To install the latest version, see link:cli/latest/userguide/getting-started-install.html["Installing",type="documentation"] and link:cli/latest/userguide/cli-chap-configure.html#cli-configure-quickstart-config["Quick configuration",type="documentation"] with aws configure in the {aws} Command Line Interface User Guide. ** Login to the CLI with sufficent IAM permissions to create {aws} resources including IAM Policies, IAM Roles, and EKS Clusters. * The kubectl command line tool installed on your device. {aws} suggests you use the same kubectl version as the Kubernetes version of your EKS Cluster. To install or upgrade kubectl, see <>. -## Specify VPC subnets +== Specify VPC subnets Amazon EKS Auto Mode deploy nodes to VPC subnets. When creating an EKS cluster, you must specify the VPC subnets where the nodes will be deployed. You can use the default VPC subnets in your {aws} account or create a dedicated VPC for critical workloads. @@ -83,13 +83,13 @@ You must create this role and attach the following {aws} managed policy: * link:AmazonECR/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonEC2ContainerRegistryPullOnly["AmazonEC2ContainerRegistryPullOnly",type="documentation"] [discrete] -#### *Service-Linked Role* +==== *Service-Linked Role* EKS Auto Mode also requires a Service-Linked Role, which is automatically created and configured by {aws}. For more information, see <>. -## *Create an EKS Auto Mode Cluster IAM Role* +== *Create an EKS Auto Mode Cluster IAM Role* -### Step 1: Create the Trust Policy +=== Step 1: Create the Trust Policy Create a trust policy that allows the Amazon EKS service to assume the role. Save the policy as `trust-policy.json`: @@ -111,7 +111,7 @@ Create a trust policy that allows the Amazon EKS service to assume the role. Sav } ``` -### Step 2: Create the IAM Role +=== Step 2: Create the IAM Role Use the trust policy to create the Cluster IAM Role: @@ -121,7 +121,7 @@ aws iam create-role \ --assume-role-policy-document file://trust-policy.json ``` -### Step 3: Note the Role ARN +=== Step 3: Note the Role ARN Retrieve and save the ARN of the new role for use in subsequent steps: @@ -129,7 +129,7 @@ Retrieve and save the ARN of the new role for use in subsequent steps: aws iam get-role --role-name AmazonEKSAutoClusterRole --query "Role.Arn" --output text ``` -### Step 4: Attach Required Policies +=== Step 4: Attach Required Policies Attach the following {aws} managed policies to the Cluster IAM Role to grant the necessary permissions: @@ -173,9 +173,9 @@ aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEKSNetworkingPolicy ``` -## *Create an EKS Auto Mode Node IAM Role* +== *Create an EKS Auto Mode Node IAM Role* -### Step 1: Create the Trust Policy +=== Step 1: Create the Trust Policy Create a trust policy that allows the Amazon EKS service to assume the role. Save the policy as `node-trust-policy.json`: @@ -194,7 +194,7 @@ Create a trust policy that allows the Amazon EKS service to assume the role. Sav } ``` -#### Step 2: Create the Node IAM Role +==== Step 2: Create the Node IAM Role Use the *node-trust-policy.json* file from the previous step to define which entities can assume the role. Run the following command to create the Node IAM Role: @@ -204,7 +204,7 @@ aws iam create-role \ --assume-role-policy-document file://node-trust-policy.json ``` -#### Step 3: Note the Role ARN +==== Step 3: Note the Role ARN After creating the role, retrieve and save the ARN of the Node IAM Role. You will need this ARN in subsequent steps. Use the following command to get the ARN: @@ -212,7 +212,7 @@ After creating the role, retrieve and save the ARN of the Node IAM Role. You wil aws iam get-role --role-name AmazonEKSAutoNodeRole --query "Role.Arn" --output text ``` -#### Step 4: Attach Required Policies +==== Step 4: Attach Required Policies Attach the following {aws} managed policies to the Node IAM Role to provide the necessary permissions: @@ -232,9 +232,9 @@ aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly ``` -## *Create an EKS Auto Mode Cluster* +== *Create an EKS Auto Mode Cluster* -### Overview +=== Overview To create an EKS Auto Mode Cluster using the {aws} CLI, you will need the following parameters: @@ -244,7 +244,7 @@ To create an EKS Auto Mode Cluster using the {aws} CLI, you will need the follow * `cluster-role-arn`: ARN of the Cluster IAM Role. * `node-role-arn`: ARN of the Node IAM Role. -#### Default Cluster Configurations +==== Default Cluster Configurations Review these default values and features before creating the cluster: @@ -257,7 +257,7 @@ Review these default values and features before creating the cluster: * `storageConfig.blockStorage.enabled`: Automates storage tasks, such as creating and deleting Amazon EBS volumes. * `accessConfig.authenticationMode`: Requires EKS access entries. Learn more about <>. -#### Run the Command +==== Run the Command Use the following command to create the cluster: @@ -295,9 +295,9 @@ aws eks create-cluster \ } ``` -### *Check Cluster Status* +=== *Check Cluster Status* -#### Step 1: Verify Cluster Creation +==== Step 1: Verify Cluster Creation Run the following command to check the status of your cluster. Cluster creation typically takes about 15 minutes: @@ -305,7 +305,7 @@ Run the following command to check the status of your cluster. Cluster creation aws eks describe-cluster --name "${CLUSTER_NAME}" --output json ``` -#### Step 2: Update kubeconfig +==== Step 2: Update kubeconfig Once the cluster is ready, update your local kubeconfig file to enable `kubectl` to communicate with the cluster. This configuration uses the {aws} CLI for authentication. @@ -313,7 +313,7 @@ Once the cluster is ready, update your local kubeconfig file to enable `kubectl` aws eks update-kubeconfig --name "${CLUSTER_NAME}" ``` -#### Step 3: Verify Node Pools +==== Step 3: Verify Node Pools List the Node Pools in your cluster using the following command: diff --git a/latest/ug/automode/automode.adoc b/latest/ug/automode/automode.adoc index 9c721a198..a8c28455c 100644 --- a/latest/ug/automode/automode.adoc +++ b/latest/ug/automode/automode.adoc @@ -20,7 +20,7 @@ You can deploy, upgrade, or modify your EKS Auto Mode clusters using eksctl, the With EKS Auto Mode, you can continue using your preferred Kubernetes-compatible tools. EKS Auto Mode integrates with {aws} services like Amazon EC2, Amazon EBS, and ELB, leveraging {aws} cloud resources that follow best practices. These resources are automatically scaled, cost-optimized, and regularly updated to help minimize operational costs and overhead. -## Features +== Features EKS Auto Mode provides the following high-level features: @@ -40,7 +40,7 @@ EKS Auto Mode provides the following high-level features: *Customizable NodePools and NodeClasses*: If your workload requires changes to storage, compute, or networking configurations, you can create custom NodePools and NodeClasses using EKS Auto Mode. While default NodePools and NodeClasses can't be edited, you can add new custom NodePools or NodeClasses alongside the default configurations to meet your specific requirements. -## Automated Components +== Automated Components EKS Auto Mode streamlines the operation of your Amazon EKS clusters by automating key infrastructure components. Enabling EKS Auto Mode further reduces the tasks to manage your EKS clusters. @@ -61,7 +61,7 @@ The following is a list of data plane components that are automated: For more information about these components, see <>. -## Configuration +== Configuration While EKS Auto Mode will effectively manage most of your data plane services without your intervention, there might be times when you want to change the behavior of some of those services. You can modify the configuration of your EKS Auto Mode clusters in the following ways: diff --git a/latest/ug/automode/create-node-class.adoc b/latest/ug/automode/create-node-class.adoc index 341509f33..10408724d 100644 --- a/latest/ug/automode/create-node-class.adoc +++ b/latest/ug/automode/create-node-class.adoc @@ -11,7 +11,7 @@ Amazon EKS Node Classes provide granular control over the configuration of your When you need to customize how EKS Auto Mode provisions and configures EC2 instances beyond the default settings, creating a Node Class gives you precise control over critical infrastructure parameters. For example, you can specify private subnet placement for enhanced security, configure instance ephemeral storage for performance-sensitive workloads, or apply custom tagging for cost allocation. -## Create a Node Class +== Create a Node Class To create a Node Class, follow these steps: @@ -21,7 +21,7 @@ To create a Node Class, follow these steps: You need `kubectl` installed and configured. For more information, see <>. -### Basic Node Class Example +=== Basic Node Class Example Here's an example Node Class: diff --git a/latest/ug/automode/create-node-pool.adoc b/latest/ug/automode/create-node-pool.adoc index a44fa9b60..47bdc7163 100644 --- a/latest/ug/automode/create-node-pool.adoc +++ b/latest/ug/automode/create-node-pool.adoc @@ -15,7 +15,7 @@ The NodePool specification allows for fine-grained control over your EKS cluster EKS Auto Mode leverages well-known Kubernetes labels to provide consistent and standardized ways of identifying node characteristics. These labels, such as `topology.kubernetes.io/zone` for availability zones and `kubernetes.io/arch` for CPU architecture, follow established Kubernetes conventions. Additionally, EKS-specific labels (prefixed with `eks.amazonaws.com/`) extend this functionality with {aws}-specific attributes like instance types, CPU manufacturers, GPU capabilities, and networking specifications. This standardized labeling system enables seamless integration with existing Kubernetes tooling while providing deep {aws} infrastructure integration. -## Create a NodePool +== Create a NodePool Follow these steps to create a NodePool for your Amazon EKS cluster: diff --git a/latest/ug/automode/sample-storage-workload.adoc b/latest/ug/automode/sample-storage-workload.adoc index efedc5701..7a99c54cc 100644 --- a/latest/ug/automode/sample-storage-workload.adoc +++ b/latest/ug/automode/sample-storage-workload.adoc @@ -9,14 +9,14 @@ include::../attributes.txt[] This tutorial will guide you through deploying a sample stateful application to your EKS Auto Mode cluster. The application writes timestamps to a persistent volume, demonstrating EKS Auto Mode's automatic EBS volume provisioning and persistence capabilities. -## Prerequisites +== Prerequisites * An EKS Auto Mode cluster * The {aws} CLI configured with appropriate permissions * `kubectl` installed and configured ** For more information, see <>. -## Step 1: Configure your environment +== Step 1: Configure your environment . Set your environment variables: + @@ -32,7 +32,7 @@ export AWS_REGION="us-west-2" aws eks update-kubeconfig --name "${CLUSTER_NAME}" ---- -## Step 2: Create the storage class +== Step 2: Create the storage class The `StorageClass` defines how EKS Auto Mode will provision EBS volumes. @@ -69,7 +69,7 @@ kubectl apply -f storage-class.yaml - `encrypted: "true"` - EBS will use the default `aws/ebs` key to encrypt volumes created with this class. This is optional, but recommended. - `storageclass.kubernetes.io/is-default-class: "true"` - Kubernetes will use this storage class by default, unless you specify a different volume class on a persistent volume claim. Use caution when setting this value if you are migrating from another storage controller. (optional) -## Step 3: Create the persistent volume claim +== Step 3: Create the persistent volume claim The PVC requests storage from the `StorageClass`. @@ -102,7 +102,7 @@ kubectl apply -f pvc.yaml - `storage: 8Gi` - Requests an 8 GiB volume - `storageClassName: auto-ebs-sc` - References the `StorageClass` we created -## Step 4: Deploy the Application +== Step 4: Deploy the Application The Deployment runs a container that writes timestamps to the persistent volume. @@ -157,7 +157,7 @@ kubectl apply -f deployment.yaml - Requests 1 CPU core - Uses node selector for EKS managed nodes -## Step 5: Verify the Setup +== Step 5: Verify the Setup . Check that the pod is running: + @@ -190,7 +190,7 @@ kubectl exec "$(kubectl get pods -l app=inflate-stateful \ cat /data/out.txt ---- -## Step 6: Cleanup +== Step 6: Cleanup Run the following command to remove all resources created in this tutorial: @@ -200,7 +200,7 @@ Run the following command to remove all resources created in this tutorial: kubectl delete deployment/inflate-stateful pvc/auto-ebs-claim storageclass/auto-ebs-sc ---- -## What's Happening Behind the Scenes +== What's Happening Behind the Scenes . The PVC requests storage from the `StorageClass` . When the Pod is scheduled: diff --git a/latest/ug/automode/troubleshoot-lbc.adoc b/latest/ug/automode/troubleshoot-lbc.adoc index abe34fc07..5d29907de 100644 --- a/latest/ug/automode/troubleshoot-lbc.adoc +++ b/latest/ug/automode/troubleshoot-lbc.adoc @@ -4,7 +4,7 @@ include::../attributes.txt[] [.topic] [#troubleshoot-lbc] -# Troubleshooting Amazon EKS Auto Mode Load Balancer Controller += Troubleshooting Amazon EKS Auto Mode Load Balancer Controller [NOTE] ==== @@ -13,7 +13,7 @@ This resource is not ready for publication. This guide helps you troubleshoot issues with the {aws} Load Balancer Controller when using Amazon EKS Auto Mode. -## Verify Ingress Resources +== Verify Ingress Resources Check the status of your Ingress resources: @@ -28,7 +28,7 @@ Look for: - ALB DNS name in the Address field - Events indicating any issues -## Check {aws} Resources +== Check {aws} Resources Verify these resources in the {aws-management-console} or using {aws} CLI: @@ -36,22 +36,22 @@ Verify these resources in the {aws-management-console} or using {aws} CLI: - Target Groups - Security Groups -## Common Issues +== Common Issues -### Ingress Not Creating ALB +=== Ingress Not Creating ALB 1. Verify Ingress annotations 2. Check security group configuration 3. Validate subnet configuration 4. Review target group settings -### Target Group Health Check Failures +=== Target Group Health Check Failures 1. Ensure security group allows health check traffic 2. Verify application endpoints are responding 3. Check health check path and settings -### Networking Issues +=== Networking Issues 1. Verify subnet tagging: - Public subnets: `kubernetes.io/role/elb: 1` @@ -59,22 +59,22 @@ Verify these resources in the {aws-management-console} or using {aws} CLI: 2. Check VPC internet connectivity for public ALBs 3. Review route tables and NAT gateway configuration -### Security Group Problems +=== Security Group Problems 1. Verify inbound rules allow traffic on required ports 2. Ensure outbound rules allow health check traffic 3. Check security group associations -## Advanced Troubleshooting +== Advanced Troubleshooting -### Version Compatibility +=== Version Compatibility Ensure compatibility between: - Kubernetes version - EKS version - {aws} SDK version -### Resource Cleanup +=== Resource Cleanup For stuck resources: @@ -84,20 +84,20 @@ For stuck resources: ``` 2. Check for orphaned {aws} resources (ALBs, target groups, listener rules) -## Best Practices +== Best Practices 1. Regularly review Ingress events and {aws} resource synchronization 2. Document custom annotations and maintain troubleshooting runbooks 3. Test changes in non-production environments first -## Considerations for EKS Auto Mode +== Considerations for EKS Auto Mode - Limited customization options - {aws} manages controller updates - IAM permissions are handled automatically - Focus on monitoring {aws} resources and Ingress events -## Additional Resources +== Additional Resources - <> - link:support/home[{aws} Support Center,type="console"] diff --git a/latest/ug/clusters/create-cluster-auto.adoc b/latest/ug/clusters/create-cluster-auto.adoc index 9edd95f07..3e67ef45e 100644 --- a/latest/ug/clusters/create-cluster-auto.adoc +++ b/latest/ug/clusters/create-cluster-auto.adoc @@ -124,7 +124,7 @@ The following CLI instructions cover creating IAM resources and creating the clu === Create an EKS Auto Mode Cluster IAM Role -#### Step 1: Create the Trust Policy +==== Step 1: Create the Trust Policy Create a trust policy that allows the Amazon EKS service to assume the role. Save the policy as `trust-policy.json`: @@ -146,7 +146,7 @@ Create a trust policy that allows the Amazon EKS service to assume the role. Sav } ``` -#### Step 2: Create the IAM Role +==== Step 2: Create the IAM Role Use the trust policy to create the Cluster IAM Role: @@ -156,7 +156,7 @@ aws iam create-role \ --assume-role-policy-document file://trust-policy.json ``` -#### Step 3: Note the Role ARN +==== Step 3: Note the Role ARN Retrieve and save the ARN of the new role for use in subsequent steps: @@ -164,7 +164,7 @@ Retrieve and save the ARN of the new role for use in subsequent steps: aws iam get-role --role-name AmazonEKSAutoClusterRole --query "Role.Arn" --output text ``` -#### Step 4: Attach Required Policies +==== Step 4: Attach Required Policies Attach the following {aws} managed policies to the Cluster IAM Role to grant the necessary permissions: @@ -208,9 +208,9 @@ aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEKSNetworkingPolicy ``` -### Create an EKS Auto Mode Node IAM Role +=== Create an EKS Auto Mode Node IAM Role -#### Step 1: Create the Trust Policy +==== Step 1: Create the Trust Policy Create a trust policy that allows the Amazon EKS service to assume the role. Save the policy as `node-trust-policy.json`: @@ -229,7 +229,7 @@ Create a trust policy that allows the Amazon EKS service to assume the role. Sav } ``` -#### Step 2: Create the Node IAM Role +==== Step 2: Create the Node IAM Role Use the *node-trust-policy.json* file from the previous step to define which entities can assume the role. Run the following command to create the Node IAM Role: @@ -239,7 +239,7 @@ aws iam create-role \ --assume-role-policy-document file://node-trust-policy.json ``` -#### Step 3: Note the Role ARN +==== Step 3: Note the Role ARN After creating the role, retrieve and save the ARN of the Node IAM Role. You will need this ARN in subsequent steps. Use the following command to get the ARN: @@ -247,7 +247,7 @@ After creating the role, retrieve and save the ARN of the Node IAM Role. You wil aws iam get-role --role-name AmazonEKSAutoNodeRole --query "Role.Arn" --output text ``` -#### Step 4: Attach Required Policies +==== Step 4: Attach Required Policies Attach the following {aws} managed policies to the Node IAM Role to provide the necessary permissions: diff --git a/latest/ug/clusters/zone-shift.adoc b/latest/ug/clusters/zone-shift.adoc index 1efc70e7b..360462521 100644 --- a/latest/ug/clusters/zone-shift.adoc +++ b/latest/ug/clusters/zone-shift.adoc @@ -222,7 +222,7 @@ image::images/zs-pod-affinity-rule.png[Illustration of network] After completing the above requirements, the next important step is to test that you have sufficient compute and workload capacity to handle the loss of an AZ. You can do this by manually triggering a zonal shift in EKS. Alternatively, you can enable zonal autoshift and configure practice runs to test that your applications function as expected with one less AZ in your cluster environment. -## Frequently Asked Questions +== Frequently Asked Questions *Why should I use this feature?* diff --git a/latest/ug/contribute/contribute.adoc b/latest/ug/contribute/contribute.adoc index c5eae71fd..b8f181539 100644 --- a/latest/ug/contribute/contribute.adoc +++ b/latest/ug/contribute/contribute.adoc @@ -3,7 +3,7 @@ include::../attributes.txt[] [#contribute] -# Contribute to the EKS User Guide += Contribute to the EKS User Guide :info_titleabbrev: Contribute diff --git a/latest/ug/quickstart.adoc b/latest/ug/quickstart.adoc index 52038a309..bb292ef79 100644 --- a/latest/ug/quickstart.adoc +++ b/latest/ug/quickstart.adoc @@ -22,7 +22,7 @@ As we progress, we'll walk you through the cluster setup process. Amazon EKS Aut Overall, you'll deploy a sample workload with the custom annotations required to fully integrate with {aws} services. -## In this tutorial +== In this tutorial Using the `eksctl` cluster template that follows, you'll build a cluster with EKS Auto Mode for automated node provisioning. @@ -38,7 +38,7 @@ Use the block storage capability of EKS Auto Mode to ensure the persistence of a *External App Access* Use the load balancing capability of EKS Auto Mode to dynamically provision an Application Load Balancer (ALB). -## Prerequisites +== Prerequisites Before you begin, ensure you have the following prerequisites set up to use Amazon EKS: @@ -48,7 +48,7 @@ Before you begin, ensure you have the following prerequisites set up to use Amaz For more information, see <>. -## Configure the cluster +== Configure the cluster In this section, you'll create a cluster using EKS Auto Mode for dynamic node provisioning. @@ -79,7 +79,7 @@ If you do not use eksctl to create the cluster, you need to manually tag the VPC ==== -## Create IngressClass +== Create IngressClass Create a Kubernetes `IngressClass` for EKS Auto Mode. The IngressClass defines how EKS Auto Mode handles Ingress resources. This step configures the load balancing capability of EKS Auto Mode. When you create Ingress resources for your applications, EKS Auto Mode uses this IngressClass to automatically provision and manage load balancers, integrating your Kubernetes applications with {aws} load balancing services. @@ -102,7 +102,7 @@ Apply the IngressClass to your cluster: kubectl apply -f ingressclass.yaml ``` -## Deploy the 2048 game sample application +== Deploy the 2048 game sample application In this section, we walk you through the steps to deploy the popular "`2048 game`" as a sample application within the cluster. The provided manifest includes custom annotations for the Application Load Balancer (ALB). These annotations integrate with and instruct the EKS to handle incoming HTTP traffic as "internet-facing" and route it to the appropriate service in the 'game-2048' namespace using the target type "ip". @@ -163,7 +163,7 @@ You should see the 2048 game in your browser. Play! image::images/quick2048.png[Play the 2048 game,scaledwidth=25%] -## Persist Data using Amazon EKS Auto Mode +== Persist Data using Amazon EKS Auto Mode Now that the 2048 game is up and running on your Amazon EKS cluster, it's time to ensure that your game data is safely persisted using the block storage capability of Amazon EKS Auto Mode. @@ -271,7 +271,7 @@ With these steps, your 2048 game on the cluster is now set up to persist data us If you liked this tutorial, let us know by providing feedback so we're able to provide you with more use case-specific quickstart tutorials like this one. -## Delete your cluster and nodes +== Delete your cluster and nodes After you've finished with the cluster that you created for this tutorial, you should clean up by deleting the cluster with the following command. If you want to do more with this cluster before you clean up, see Next steps. diff --git a/latest/ug/security/auto-security.adoc b/latest/ug/security/auto-security.adoc index e5be93ee0..260630feb 100644 --- a/latest/ug/security/auto-security.adoc +++ b/latest/ug/security/auto-security.adoc @@ -13,7 +13,7 @@ Before proceeding with this topic, make sure that you're familiar with basic EKS Amazon EKS Auto Mode builds upon the existing security foundations of Amazon EKS while introducing additional automated security controls for EC2 managed instances. -## API security and authentication +== API security and authentication Amazon EKS Auto Mode uses {aws} platform security mechanisms to secure and authenticate calls to the Amazon EKS API. @@ -21,7 +21,7 @@ Amazon EKS Auto Mode uses {aws} platform security mechanisms to secure and authe ** For more information, see <>. * Customers can implement fine-grained access control to the Kubernetes API endpoint through configuration of EKS access entries. -## Network security +== Network security Amazon EKS Auto Mode supports multiple layers of network security: @@ -35,25 +35,25 @@ Amazon EKS Auto Mode supports multiple layers of network security: ** Ability to define granular network traffic rules ** For more information, see <> -## EC2 managed instance security +== EC2 managed instance security Amazon EKS Auto Mode operates EC2 managed instances with the following security controls: -### EC2 security +=== EC2 security * EC2 managed instances maintain the security features of Amazon EC2. * For more information about EC2 managed instances, see link:AWSEC2/latest/UserGuide/ec2-security.html["Security in Amazon EC2",type="documentation"]. -### Instance lifecycle management +=== Instance lifecycle management EC2 managed instances operated by EKS Auto Mode have maximum lifetime of 21 days. Amazon EKS Auto Mode automatically terminates instances exceeding this lifetime. This lifecycle limit helps prevent configuration drift and maintains security posture. -### Data protection +=== Data protection * Amazon EC2 Instance Storage is encrypted, this is storage directly attached to the instance. For more information, see link:AWSEC2/latest/UserGuide/data-protection.html["Data protection in Amazon EC2",type="documentation"]. * EKS Auto Mode manages the volumes attached to EC2 instances at creation time, including root and data volumes. EKS Auto Mode does not fully manage EBS volumes created using Kubernetes persistent storage features. -### Patch management +=== Patch management * Amazon EKS Auto Mode automatically applies patches to managed instances. * Patches include: @@ -67,25 +67,25 @@ Customers retain responsibility for securing and updating workloads running on t ==== -### Access controls +=== Access controls * Direct instance access is restricted: ** SSH access is not available. ** {aws} Systems Manager Session Manager (SSM) access is not available. * Management operations are performed through the Amazon EKS API and Kubernetes API. -## Automated resource management +== Automated resource management Amazon EKS Auto Mode does not fully manage Amazon Elastic Block Store (Amazon EBS) Volumes created using Kubernetes persistent storage features. EKS Auto Mode also does not manage Elastic Load Balancers (ELB). Amazon EKS Auto Mode automates routine tasks for these resources. -### Storage security +=== Storage security * {aws} recommends that you enable encryption for EBS Volumes provisioned by Kubernetes persistent storage features. For more information, see <>. * Encryption at rest using {aws} KMS * You can configure your {aws} account to enforce the encryption of the new EBS volumes and snapshot copies that you create. For more information, see link:ebs/latest/userguide/encryption-by-default.html["Enable Amazon EBS encryption by default",type="documentation"] in the Amazon EBS User Guide. * For more information, see link:ebs/latest/userguide/security.html["Security in Amazon EBS",type="documentation"]. -### Load balancer security +=== Load balancer security * Automated configuration of Elastic Load Balancers * SSL/TLS certificate management through {aws} Certificate Manager integration @@ -93,7 +93,7 @@ Amazon EKS Auto Mode does not fully manage Amazon Elastic Block Store (Amazon EB * For more information, see link:elasticloadbalancing/latest/userguide/security.html["Security in Elastic Load Balancing",type="documentation"]. [#auto-security-bp] -## Security best practices +== Security best practices The following section describes security best practices for Amazon EKS Auto Mode. From bc51ee68d42c366fe0006f57a85515e0e38c6067 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Fri, 7 Mar 2025 17:39:17 +0000 Subject: [PATCH 232/940] Removed unnecessary bolding for headers. --- latest/ug/automode/automode-get-started-cli.adoc | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/latest/ug/automode/automode-get-started-cli.adoc b/latest/ug/automode/automode-get-started-cli.adoc index 571770824..f97f52179 100644 --- a/latest/ug/automode/automode-get-started-cli.adoc +++ b/latest/ug/automode/automode-get-started-cli.adoc @@ -83,11 +83,11 @@ You must create this role and attach the following {aws} managed policy: * link:AmazonECR/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonEC2ContainerRegistryPullOnly["AmazonEC2ContainerRegistryPullOnly",type="documentation"] [discrete] -==== *Service-Linked Role* +==== Service-Linked Role EKS Auto Mode also requires a Service-Linked Role, which is automatically created and configured by {aws}. For more information, see <>. -== *Create an EKS Auto Mode Cluster IAM Role* +== Create an EKS Auto Mode Cluster IAM Role === Step 1: Create the Trust Policy @@ -173,7 +173,7 @@ aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEKSNetworkingPolicy ``` -== *Create an EKS Auto Mode Node IAM Role* +== Create an EKS Auto Mode Node IAM Role === Step 1: Create the Trust Policy @@ -232,7 +232,7 @@ aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly ``` -== *Create an EKS Auto Mode Cluster* +== Create an EKS Auto Mode Cluster === Overview @@ -295,7 +295,7 @@ aws eks create-cluster \ } ``` -=== *Check Cluster Status* +=== Check Cluster Status ==== Step 1: Verify Cluster Creation From c64e8478aa8187a65bc1e310a1affc6fa4f69992 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Fri, 7 Mar 2025 17:52:10 +0000 Subject: [PATCH 233/940] Spacing consistency in header. --- latest/ug/automode/adoc-windows.adoc | 1 + latest/ug/automode/api-reference.adoc | 1 + latest/ug/automode/auto-net-pol.adoc | 1 + latest/ug/automode/automode-get-started-cli.adoc | 1 + latest/ug/automode/automode-get-started-console.adoc | 1 + latest/ug/clusters/management/cost-monitoring-aws.adoc | 1 + latest/ug/clusters/zone-shift-enable.adoc | 1 + latest/ug/clusters/zone-shift.adoc | 1 + latest/ug/connector/tsc-faq.adoc | 1 + latest/ug/diagrams/README.adoc | 1 + latest/ug/doc-history.adoc | 1 + latest/ug/getting-started/getting-started-console.adoc | 1 + latest/ug/getting-started/install-awscli.adoc | 1 + .../ug/integrations/creating-resources-with-cloudformation.adoc | 2 ++ latest/ug/integrations/eks-integrations.adoc | 2 ++ latest/ug/integrations/integration-resilience-hub.adoc | 1 + latest/ug/integrations/local-zones.adoc | 1 + latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc | 2 ++ .../aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc | 2 ++ latest/ug/manage-access/aws-access/pod-id-abac.adoc | 2 ++ latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc | 2 ++ latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc | 2 ++ latest/ug/manage-access/aws-access/pod-identities.adoc | 2 ++ latest/ug/manage-access/aws-access/service-accounts.adoc | 1 + latest/ug/manage-access/view-kubernetes-resources.adoc | 1 + latest/ug/ml/inferentia-support.adoc | 1 + latest/ug/networking/auto-mode-addon-note.adoc | 1 + latest/ug/networking/aws-load-balancer-controller.adoc | 1 + latest/ug/nodes/fargate-getting-started.adoc | 2 ++ latest/ug/nodes/fargate-logging.adoc | 2 ++ latest/ug/nodes/fargate-pod-patching.adoc | 2 ++ latest/ug/nodes/fargate-profile.adoc | 2 ++ latest/ug/nodes/fargate.adoc | 1 + latest/ug/nodes/monitoring-fargate-usage.adoc | 2 ++ latest/ug/nodes/update-stack.adoc | 2 ++ latest/ug/observability/logging-using-cloudtrail.adoc | 1 + latest/ug/observability/service-name-info-in-cloudtrail.adoc | 2 ++ latest/ug/observability/understanding-service-name-entries.adoc | 2 ++ latest/ug/outposts/eks-outposts-capacity-considerations.adoc | 1 + latest/ug/outposts/eks-outposts-local-cluster-create.adoc | 1 + latest/ug/outposts/eks-outposts-local-cluster-overview.adoc | 1 + latest/ug/outposts/eks-outposts-network-disconnects.adoc | 1 + latest/ug/outposts/eks-outposts-platform-versions.adoc | 1 + latest/ug/outposts/eks-outposts-self-managed-nodes.adoc | 1 + latest/ug/outposts/eks-outposts-troubleshooting.adoc | 1 + latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc | 1 + latest/ug/outposts/eks-outposts.adoc | 2 ++ latest/ug/quickstart.adoc | 1 + latest/ug/related-projects.adoc | 2 ++ latest/ug/roadmap.adoc | 2 ++ latest/ug/security/iam-reference/security-iam-awsmanpol.adoc | 2 ++ latest/ug/security/manage-secrets.adoc | 1 + latest/ug/security/vpc-interface-endpoints.adoc | 1 + latest/ug/workloads/workloads-add-ons-available-eks.adoc | 1 + latest/ug/workloads/workloads-add-ons-available-vendors.adoc | 1 + team/squish.adoc | 1 + 56 files changed, 76 insertions(+) diff --git a/latest/ug/automode/adoc-windows.adoc b/latest/ug/automode/adoc-windows.adoc index c3c8b1824..257530607 100644 --- a/latest/ug/automode/adoc-windows.adoc +++ b/latest/ug/automode/adoc-windows.adoc @@ -1,4 +1,5 @@ :doctype: book + = Configure an AsciiDoc Authoring Environment on Windows using Visual Studio Code == Prereqs diff --git a/latest/ug/automode/api-reference.adoc b/latest/ug/automode/api-reference.adoc index f08f3f8aa..5ffe26542 100644 --- a/latest/ug/automode/api-reference.adoc +++ b/latest/ug/automode/api-reference.adoc @@ -1,4 +1,5 @@ :doctype: book + [.topic] = EKA Auto Mode API Reference WIP diff --git a/latest/ug/automode/auto-net-pol.adoc b/latest/ug/automode/auto-net-pol.adoc index 1288abdfc..06214ee70 100644 --- a/latest/ug/automode/auto-net-pol.adoc +++ b/latest/ug/automode/auto-net-pol.adoc @@ -1,4 +1,5 @@ :doctype: book + [.topic] [#auto-net-pol] = Use Network Policies with EKS Auto Mode diff --git a/latest/ug/automode/automode-get-started-cli.adoc b/latest/ug/automode/automode-get-started-cli.adoc index f97f52179..a5b5e6075 100644 --- a/latest/ug/automode/automode-get-started-cli.adoc +++ b/latest/ug/automode/automode-get-started-cli.adoc @@ -1,4 +1,5 @@ :doctype: book + include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/automode-get-started-console.adoc b/latest/ug/automode/automode-get-started-console.adoc index 991d5abc5..a3a57e913 100644 --- a/latest/ug/automode/automode-get-started-console.adoc +++ b/latest/ug/automode/automode-get-started-console.adoc @@ -1,4 +1,5 @@ :doctype: book + include::../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/management/cost-monitoring-aws.adoc b/latest/ug/clusters/management/cost-monitoring-aws.adoc index 7f0c6805f..94654a576 100644 --- a/latest/ug/clusters/management/cost-monitoring-aws.adoc +++ b/latest/ug/clusters/management/cost-monitoring-aws.adoc @@ -1,4 +1,5 @@ :doctype: book + include::../../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/zone-shift-enable.adoc b/latest/ug/clusters/zone-shift-enable.adoc index 875f01b31..84b4fd49d 100644 --- a/latest/ug/clusters/zone-shift-enable.adoc +++ b/latest/ug/clusters/zone-shift-enable.adoc @@ -1,4 +1,5 @@ :doctype: book + [.topic] [#zone-shift-enable] = Enable EKS Zonal Shift to avoid impaired Availability Zones diff --git a/latest/ug/clusters/zone-shift.adoc b/latest/ug/clusters/zone-shift.adoc index 360462521..6e03de864 100644 --- a/latest/ug/clusters/zone-shift.adoc +++ b/latest/ug/clusters/zone-shift.adoc @@ -1,4 +1,5 @@ :doctype: book + [.topic] [#zone-shift] = Learn about Amazon Application Recovery Controller's (ARC) Zonal Shift in Amazon EKS diff --git a/latest/ug/connector/tsc-faq.adoc b/latest/ug/connector/tsc-faq.adoc index ff2dd1228..851521217 100644 --- a/latest/ug/connector/tsc-faq.adoc +++ b/latest/ug/connector/tsc-faq.adoc @@ -1,4 +1,5 @@ :doctype: book + include::../attributes.txt[] [.topic] diff --git a/latest/ug/diagrams/README.adoc b/latest/ug/diagrams/README.adoc index 0e4154e4c..51d91f080 100644 --- a/latest/ug/diagrams/README.adoc +++ b/latest/ug/diagrams/README.adoc @@ -1,4 +1,5 @@ :doctype: book + = Diagram Source Files Diagram source files have moved to Amazon Workdocs. diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index b0dc8a5fe..205c27e4f 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -1,4 +1,5 @@ :doctype: book + [.topic] [#doc-history] // H1 title is necessary, and must occur before the [abstract], but is unused in the web page (:info_title: is used instead, and :info_titleabbrev: is used in the ToC) diff --git a/latest/ug/getting-started/getting-started-console.adoc b/latest/ug/getting-started/getting-started-console.adoc index 8d60a9641..084434813 100644 --- a/latest/ug/getting-started/getting-started-console.adoc +++ b/latest/ug/getting-started/getting-started-console.adoc @@ -1,6 +1,7 @@ :doctype: book include::../attributes.txt[] + [.topic] [#getting-started-console] = Get started with Amazon EKS – {aws-management-console} and {aws} CLI diff --git a/latest/ug/getting-started/install-awscli.adoc b/latest/ug/getting-started/install-awscli.adoc index bd24ed94f..9b896f63a 100644 --- a/latest/ug/getting-started/install-awscli.adoc +++ b/latest/ug/getting-started/install-awscli.adoc @@ -1,4 +1,5 @@ :doctype: book + include::../attributes.txt[] [.topic] diff --git a/latest/ug/integrations/creating-resources-with-cloudformation.adoc b/latest/ug/integrations/creating-resources-with-cloudformation.adoc index 2ff5d065a..81a416078 100644 --- a/latest/ug/integrations/creating-resources-with-cloudformation.adoc +++ b/latest/ug/integrations/creating-resources-with-cloudformation.adoc @@ -1,5 +1,7 @@ :doctype: book + include::../attributes.txt[] + [.topic] [#creating-resources-with-cloudformation] = Create Amazon EKS resources with {aws} CloudFormation diff --git a/latest/ug/integrations/eks-integrations.adoc b/latest/ug/integrations/eks-integrations.adoc index 15c0c7431..b83117a6b 100644 --- a/latest/ug/integrations/eks-integrations.adoc +++ b/latest/ug/integrations/eks-integrations.adoc @@ -1,5 +1,7 @@ :doctype: book + include::../attributes.txt[] + [#eks-integrations] = Enhance EKS with integrated {aws} services :info_titleabbrev: Working with other services diff --git a/latest/ug/integrations/integration-resilience-hub.adoc b/latest/ug/integrations/integration-resilience-hub.adoc index 9525c606f..4717ab733 100644 --- a/latest/ug/integrations/integration-resilience-hub.adoc +++ b/latest/ug/integrations/integration-resilience-hub.adoc @@ -1,4 +1,5 @@ :doctype: book + include::../attributes.txt[] [.topic] diff --git a/latest/ug/integrations/local-zones.adoc b/latest/ug/integrations/local-zones.adoc index c97c0ec83..97cfc9879 100644 --- a/latest/ug/integrations/local-zones.adoc +++ b/latest/ug/integrations/local-zones.adoc @@ -1,4 +1,5 @@ :doctype: book + include::../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc b/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc index 5a08ba07f..9f9ac1375 100644 --- a/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc +++ b/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc @@ -1,5 +1,7 @@ :doctype: book + include::../../attributes.txt[] + [.topic] [#configure-sts-endpoint] = Configure the {aws} Security Token Service endpoint for a service account diff --git a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc index a05720f20..32ac71cf3 100644 --- a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc +++ b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc @@ -1,5 +1,7 @@ :doctype: book + include::../../attributes.txt[] + [.topic] [#iam-roles-for-service-accounts-minimum-sdk] = Use IRSA with the {aws} SDK diff --git a/latest/ug/manage-access/aws-access/pod-id-abac.adoc b/latest/ug/manage-access/aws-access/pod-id-abac.adoc index 48fafdb59..50c587cc0 100644 --- a/latest/ug/manage-access/aws-access/pod-id-abac.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-abac.adoc @@ -1,5 +1,7 @@ :doctype: book + include::../../attributes.txt[] + [.topic] [#pod-id-abac] = Grant Pods access to {aws} resources based on tags diff --git a/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc b/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc index 7fea68d2d..c09ff9c3b 100644 --- a/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc @@ -1,5 +1,7 @@ :doctype: book + include::../../attributes.txt[] + [.topic] [#pod-id-configure-pods] = Configure Pods to access {aws} services with service accounts diff --git a/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc b/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc index 75dcc8835..731c03dee 100644 --- a/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc @@ -1,5 +1,7 @@ :doctype: book + include::../../attributes.txt[] + [.topic] [#pod-id-minimum-sdk] = Use pod identity with the {aws} SDK diff --git a/latest/ug/manage-access/aws-access/pod-identities.adoc b/latest/ug/manage-access/aws-access/pod-identities.adoc index d24b48bb1..e14d9001d 100644 --- a/latest/ug/manage-access/aws-access/pod-identities.adoc +++ b/latest/ug/manage-access/aws-access/pod-identities.adoc @@ -1,5 +1,7 @@ :doctype: book + include::../../attributes.txt[] + [.topic] [#pod-identities] = Learn how EKS Pod Identity grants pods access to {aws} services diff --git a/latest/ug/manage-access/aws-access/service-accounts.adoc b/latest/ug/manage-access/aws-access/service-accounts.adoc index a044bd4b3..3eb6f0584 100644 --- a/latest/ug/manage-access/aws-access/service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/service-accounts.adoc @@ -1,4 +1,5 @@ :doctype: book + include::../../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/view-kubernetes-resources.adoc b/latest/ug/manage-access/view-kubernetes-resources.adoc index 4e2bc1b23..00667950e 100644 --- a/latest/ug/manage-access/view-kubernetes-resources.adoc +++ b/latest/ug/manage-access/view-kubernetes-resources.adoc @@ -1,4 +1,5 @@ :doctype: book + include::../attributes.txt[] [.topic] diff --git a/latest/ug/ml/inferentia-support.adoc b/latest/ug/ml/inferentia-support.adoc index 6d132ef6f..e97504ab8 100644 --- a/latest/ug/ml/inferentia-support.adoc +++ b/latest/ug/ml/inferentia-support.adoc @@ -1,4 +1,5 @@ :doctype: book + include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/auto-mode-addon-note.adoc b/latest/ug/networking/auto-mode-addon-note.adoc index 9ac1a6623..8ebc6f28a 100644 --- a/latest/ug/networking/auto-mode-addon-note.adoc +++ b/latest/ug/networking/auto-mode-addon-note.adoc @@ -1,4 +1,5 @@ :doctype: book + [TIP] ==== With Amazon EKS Auto Mode, you don't need to install or upgrade networking add-ons. Auto Mode includes pod networking and load balancing capabilities. diff --git a/latest/ug/networking/aws-load-balancer-controller.adoc b/latest/ug/networking/aws-load-balancer-controller.adoc index 41684729d..098d9c133 100644 --- a/latest/ug/networking/aws-load-balancer-controller.adoc +++ b/latest/ug/networking/aws-load-balancer-controller.adoc @@ -1,4 +1,5 @@ :doctype: book + include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/fargate-getting-started.adoc b/latest/ug/nodes/fargate-getting-started.adoc index eb66276c5..08707d526 100644 --- a/latest/ug/nodes/fargate-getting-started.adoc +++ b/latest/ug/nodes/fargate-getting-started.adoc @@ -1,5 +1,7 @@ :doctype: book + include::../attributes.txt[] + [.topic] [#fargate-getting-started] = Get started with {aws} Fargate for your cluster diff --git a/latest/ug/nodes/fargate-logging.adoc b/latest/ug/nodes/fargate-logging.adoc index d6d034af1..73a08f4eb 100644 --- a/latest/ug/nodes/fargate-logging.adoc +++ b/latest/ug/nodes/fargate-logging.adoc @@ -1,5 +1,7 @@ :doctype: book + include::../attributes.txt[] + [.topic] [#fargate-logging] = Start {aws} Fargate logging for your cluster diff --git a/latest/ug/nodes/fargate-pod-patching.adoc b/latest/ug/nodes/fargate-pod-patching.adoc index de9554226..e99cdd4cd 100644 --- a/latest/ug/nodes/fargate-pod-patching.adoc +++ b/latest/ug/nodes/fargate-pod-patching.adoc @@ -1,5 +1,7 @@ :doctype: book + include::../attributes.txt[] + [.topic] [#fargate-pod-patching] = Set actions for {aws} Fargate OS patching events diff --git a/latest/ug/nodes/fargate-profile.adoc b/latest/ug/nodes/fargate-profile.adoc index 444c3a23e..5dddc97ce 100644 --- a/latest/ug/nodes/fargate-profile.adoc +++ b/latest/ug/nodes/fargate-profile.adoc @@ -1,5 +1,7 @@ :doctype: book + include::../attributes.txt[] + [.topic] [#fargate-profile] = Define which Pods use {aws} Fargate when launched diff --git a/latest/ug/nodes/fargate.adoc b/latest/ug/nodes/fargate.adoc index 191453a2f..a97f2f539 100644 --- a/latest/ug/nodes/fargate.adoc +++ b/latest/ug/nodes/fargate.adoc @@ -1,4 +1,5 @@ :doctype: book + include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/monitoring-fargate-usage.adoc b/latest/ug/nodes/monitoring-fargate-usage.adoc index a86de301b..4692e3cab 100644 --- a/latest/ug/nodes/monitoring-fargate-usage.adoc +++ b/latest/ug/nodes/monitoring-fargate-usage.adoc @@ -1,5 +1,7 @@ :doctype: book + include::../attributes.txt[] + [.topic] [#monitoring-fargate-usage] = Collect {aws} Fargate app and usage metrics diff --git a/latest/ug/nodes/update-stack.adoc b/latest/ug/nodes/update-stack.adoc index c6a8bc871..ad0d85e22 100644 --- a/latest/ug/nodes/update-stack.adoc +++ b/latest/ug/nodes/update-stack.adoc @@ -1,5 +1,7 @@ :doctype: book + include::../attributes.txt[] + [.topic] [#update-stack] = Update an {aws} CloudFormation node stack diff --git a/latest/ug/observability/logging-using-cloudtrail.adoc b/latest/ug/observability/logging-using-cloudtrail.adoc index 5bf45a145..deee5dcb5 100644 --- a/latest/ug/observability/logging-using-cloudtrail.adoc +++ b/latest/ug/observability/logging-using-cloudtrail.adoc @@ -1,4 +1,5 @@ :doctype: book + include::../attributes.txt[] [.topic] diff --git a/latest/ug/observability/service-name-info-in-cloudtrail.adoc b/latest/ug/observability/service-name-info-in-cloudtrail.adoc index 2c516d0da..4383b897b 100644 --- a/latest/ug/observability/service-name-info-in-cloudtrail.adoc +++ b/latest/ug/observability/service-name-info-in-cloudtrail.adoc @@ -1,5 +1,7 @@ :doctype: book + include::../attributes.txt[] + [.topic] [#service-name-info-in-cloudtrail] = View helpful references for {aws} CloudTrail diff --git a/latest/ug/observability/understanding-service-name-entries.adoc b/latest/ug/observability/understanding-service-name-entries.adoc index b9ddb0a06..2d203c82e 100644 --- a/latest/ug/observability/understanding-service-name-entries.adoc +++ b/latest/ug/observability/understanding-service-name-entries.adoc @@ -1,5 +1,7 @@ :doctype: book + include::../attributes.txt[] + [.topic] [#understanding-service-name-entries] = Analyze {aws} CloudTrail log file entries diff --git a/latest/ug/outposts/eks-outposts-capacity-considerations.adoc b/latest/ug/outposts/eks-outposts-capacity-considerations.adoc index 0f381566c..c07b8fc4b 100644 --- a/latest/ug/outposts/eks-outposts-capacity-considerations.adoc +++ b/latest/ug/outposts/eks-outposts-capacity-considerations.adoc @@ -1,4 +1,5 @@ :doctype: book + include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts-local-cluster-create.adoc b/latest/ug/outposts/eks-outposts-local-cluster-create.adoc index a4867c2d7..0171fe8de 100644 --- a/latest/ug/outposts/eks-outposts-local-cluster-create.adoc +++ b/latest/ug/outposts/eks-outposts-local-cluster-create.adoc @@ -1,4 +1,5 @@ :doctype: book + include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc b/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc index 14cf6e9b7..12cf48a42 100644 --- a/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc +++ b/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc @@ -1,4 +1,5 @@ :doctype: book + include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts-network-disconnects.adoc b/latest/ug/outposts/eks-outposts-network-disconnects.adoc index cd9ec7c12..cbac7c252 100644 --- a/latest/ug/outposts/eks-outposts-network-disconnects.adoc +++ b/latest/ug/outposts/eks-outposts-network-disconnects.adoc @@ -1,4 +1,5 @@ :doctype: book + include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts-platform-versions.adoc b/latest/ug/outposts/eks-outposts-platform-versions.adoc index a6d0f15bd..b52f2cdb4 100644 --- a/latest/ug/outposts/eks-outposts-platform-versions.adoc +++ b/latest/ug/outposts/eks-outposts-platform-versions.adoc @@ -1,4 +1,5 @@ :doctype: book + include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc index 88f22151e..522a024dc 100644 --- a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc +++ b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc @@ -1,4 +1,5 @@ :doctype: book + include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts-troubleshooting.adoc b/latest/ug/outposts/eks-outposts-troubleshooting.adoc index 8a8f744ef..51b19b4b6 100644 --- a/latest/ug/outposts/eks-outposts-troubleshooting.adoc +++ b/latest/ug/outposts/eks-outposts-troubleshooting.adoc @@ -1,4 +1,5 @@ :doctype: book + include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc b/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc index 29397a73f..2f8ba7fb5 100644 --- a/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc +++ b/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc @@ -1,4 +1,5 @@ :doctype: book + include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts.adoc b/latest/ug/outposts/eks-outposts.adoc index c1e957a37..6c8cf0d06 100644 --- a/latest/ug/outposts/eks-outposts.adoc +++ b/latest/ug/outposts/eks-outposts.adoc @@ -1,5 +1,7 @@ :doctype: book + include::../attributes.txt[] + [#eks-outposts] = Deploy Amazon EKS on-premises with {aws} Outposts :info_titleabbrev: Amazon EKS on {aws} Outposts diff --git a/latest/ug/quickstart.adoc b/latest/ug/quickstart.adoc index bb292ef79..7298aa84e 100644 --- a/latest/ug/quickstart.adoc +++ b/latest/ug/quickstart.adoc @@ -1,4 +1,5 @@ :doctype: book + [.topic] [#quickstart] = Quickstart: Deploy a web app and store data diff --git a/latest/ug/related-projects.adoc b/latest/ug/related-projects.adoc index 0220e4261..6a809e053 100644 --- a/latest/ug/related-projects.adoc +++ b/latest/ug/related-projects.adoc @@ -1,5 +1,7 @@ :doctype: book + include::attributes.txt[] + [#related-projects] = Extend Amazon EKS capabilities with open source projects :info_titleabbrev: Projects related to Amazon EKS diff --git a/latest/ug/roadmap.adoc b/latest/ug/roadmap.adoc index 5de6b0a7d..85a252967 100644 --- a/latest/ug/roadmap.adoc +++ b/latest/ug/roadmap.adoc @@ -1,5 +1,7 @@ :doctype: book + include::attributes.txt[] + [.topic] [#roadmap] = Learn about Amazon EKS new features and roadmap diff --git a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc index 74664b08c..8221ed9e4 100644 --- a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc +++ b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc @@ -1,5 +1,7 @@ :doctype: book + include::../../attributes.txt[] + [.topic] [#security-iam-awsmanpol] = {aws} managed policies for Amazon Elastic Kubernetes Service diff --git a/latest/ug/security/manage-secrets.adoc b/latest/ug/security/manage-secrets.adoc index 223fcb0de..d4b64daae 100644 --- a/latest/ug/security/manage-secrets.adoc +++ b/latest/ug/security/manage-secrets.adoc @@ -1,4 +1,5 @@ :doctype: book + include::../attributes.txt[] [.topic] diff --git a/latest/ug/security/vpc-interface-endpoints.adoc b/latest/ug/security/vpc-interface-endpoints.adoc index dd285be49..8097cfd0f 100644 --- a/latest/ug/security/vpc-interface-endpoints.adoc +++ b/latest/ug/security/vpc-interface-endpoints.adoc @@ -1,4 +1,5 @@ :doctype: book + include::../attributes.txt[] [.topic] diff --git a/latest/ug/workloads/workloads-add-ons-available-eks.adoc b/latest/ug/workloads/workloads-add-ons-available-eks.adoc index 2b18bcf25..ebdabbb4d 100644 --- a/latest/ug/workloads/workloads-add-ons-available-eks.adoc +++ b/latest/ug/workloads/workloads-add-ons-available-eks.adoc @@ -1,4 +1,5 @@ :doctype: book + include::../attributes.txt[] [.topic] diff --git a/latest/ug/workloads/workloads-add-ons-available-vendors.adoc b/latest/ug/workloads/workloads-add-ons-available-vendors.adoc index 86ca6bae5..b24562d9a 100644 --- a/latest/ug/workloads/workloads-add-ons-available-vendors.adoc +++ b/latest/ug/workloads/workloads-add-ons-available-vendors.adoc @@ -1,4 +1,5 @@ :doctype: book + include::../attributes.txt[] [.topic] diff --git a/team/squish.adoc b/team/squish.adoc index 8533f72ed..95a810c38 100644 --- a/team/squish.adoc +++ b/team/squish.adoc @@ -1,4 +1,5 @@ :doctype: book + = AmazonEKSDocs Git History Squish Procedure == Overview From ab627f1a5f9906cced75aaebd89cf62aa046a5d2 Mon Sep 17 00:00:00 2001 From: Donovan Date: Fri, 7 Mar 2025 12:27:36 -0800 Subject: [PATCH 234/940] Fix duplicate roles in NodeClass reference in Auto Mode --- latest/ug/automode/create-node-class.adoc | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/latest/ug/automode/create-node-class.adoc b/latest/ug/automode/create-node-class.adoc index 10408724d..8b35cebd4 100644 --- a/latest/ug/automode/create-node-class.adoc +++ b/latest/ug/automode/create-node-class.adoc @@ -111,9 +111,6 @@ metadata: name: default spec: - # Required: Name of IAM Role for Nodes - role: "MyNodeRole" - # Required: Subnet selection for node placement subnetSelectorTerms: - tags: @@ -145,9 +142,9 @@ spec: iops: 3000 # Range: 3000-16000 throughput: 125 # Range: 125-1000 - # IAM role to use for EC2 instance role - # If unspecified, EKS will create a role - # If specified, role requires access entry described above + # Optional: IAM role to use for EC2 instance role + # If unspecified, EKS creates a role + # If specified, you must create an access entry for this role as described above role: arn:aws:iam::123456789012:role/MyNodeRole # Optional: Additional EC2 tags @@ -160,4 +157,4 @@ spec: * If you change the Node IAM Role associated with a NodeClass, you will need to create a new Access Entry. EKS automatically creates an Access Entry for the Node IAM Role during cluster creation. The Node IAM Role requires the `AmazonEKSAutoNodePolicy` EKS Access Policy. For more information, see <>. * EKS limits the maximum number of pods on a node to 110. This limit is applied after the existing max pods calculation. For more information, see <>. -* If you want to propagate tags from Kubernetes to EC2, you need to configure additional IAM permissions. For more information, see <>. \ No newline at end of file +* If you want to propagate tags from Kubernetes to EC2, you need to configure additional IAM permissions. For more information, see <>. From 9c415a9b693a811b2b0ef7726d00bdb5013ce1fd Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Mon, 10 Mar 2025 15:33:54 +0000 Subject: [PATCH 235/940] Changed in-line link text for clarity: 45738 --- latest/ug/nodes/update-workers.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/nodes/update-workers.adoc b/latest/ug/nodes/update-workers.adoc index 21ffe0581..4fad9907e 100644 --- a/latest/ug/nodes/update-workers.adoc +++ b/latest/ug/nodes/update-workers.adoc @@ -17,7 +17,7 @@ When a new Amazon EKS optimized AMI is released, consider replacing the nodes in [IMPORTANT] ==== -This topic covers node updates for self-managed nodes. If you are using <>, see <>. +This topic covers node updates for self-managed nodes. If you are using <>, see <>. ==== From 2a98a7895efedcee8bf7aad47df1ac4db94005fa Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Mon, 10 Mar 2025 16:31:35 +0000 Subject: [PATCH 236/940] Removed :type: book fr workaround at top to have more consistency in VS Code problem messages: 45742 --- latest/ug/automode/adoc-windows.adoc | 2 -- latest/ug/automode/api-reference.adoc | 2 -- latest/ug/automode/associate-workload.adoc | 2 -- latest/ug/automode/auto-configure-alb.adoc | 2 -- latest/ug/automode/auto-configure-nlb.adoc | 2 -- latest/ug/automode/auto-disable.adoc | 2 -- latest/ug/automode/auto-elb-example.adoc | 2 -- latest/ug/automode/auto-enable-existing.adoc | 2 -- latest/ug/automode/auto-glossary.adoc | 2 -- latest/ug/automode/auto-learn-iam.adoc | 2 -- .../ug/automode/auto-migrate-karpenter.adoc | 2 -- latest/ug/automode/auto-migrate-mng.adoc | 2 -- latest/ug/automode/auto-mng.adoc | 2 -- latest/ug/automode/auto-net-pol.adoc | 2 -- latest/ug/automode/auto-networking.adoc | 2 -- latest/ug/automode/auto-reference.adoc | 2 -- latest/ug/automode/auto-troubleshoot.adoc | 2 -- latest/ug/automode/auto-upgrade.adoc | 2 -- latest/ug/automode/auto-workloads.adoc | 2 -- .../ug/automode/automode-get-started-cli.adoc | 2 -- .../automode-get-started-console.adoc | 2 -- .../automode/automode-get-started-eksctl.adoc | 2 -- .../ug/automode/automode-learn-instances.adoc | 2 -- latest/ug/automode/automode-workload.adoc | 2 -- latest/ug/automode/automode.adoc | 2 -- latest/ug/automode/create-auto.adoc | 2 -- latest/ug/automode/create-node-class.adoc | 2 -- latest/ug/automode/create-node-pool.adoc | 2 -- latest/ug/automode/create-storage-class.adoc | 2 -- latest/ug/automode/critical-workload.adoc | 2 -- latest/ug/automode/migrate-auto.adoc | 2 -- latest/ug/automode/old/hpa_scaling.adoc | 2 -- .../ug/automode/sample-storage-workload.adoc | 2 -- .../ug/automode/set-builtin-node-pools.adoc | 2 -- latest/ug/automode/settings-auto.adoc | 2 -- latest/ug/automode/tag-subnets-auto.adoc | 2 -- latest/ug/automode/troubleshoot-lbc.adoc | 2 -- latest/ug/automode/wip.adoc | 2 -- .../ug/automode/wip/create-vpc-console.adoc | 2 -- latest/ug/automode/wip/eksctl-docs.adoc | 2 -- latest/ug/automode/wip/tag-subnets.adoc | 2 -- latest/ug/book.adoc | 20 ++++++++++++------- latest/ug/clusters/autoscaling.adoc | 2 -- latest/ug/clusters/cluster-endpoint.adoc | 2 -- latest/ug/clusters/cluster-insights.adoc | 2 -- latest/ug/clusters/clusters.adoc | 2 -- latest/ug/clusters/create-cluster-auto.adoc | 3 +-- latest/ug/clusters/create-cluster.adoc | 2 -- latest/ug/clusters/delete-cluster.adoc | 2 -- .../ug/clusters/disable-extended-support.adoc | 2 -- .../ug/clusters/disable-windows-support.adoc | 2 -- .../ug/clusters/enable-extended-support.adoc | 2 -- .../kubernetes-versions-extended.adoc | 2 -- .../kubernetes-versions-standard.adoc | 2 -- latest/ug/clusters/kubernetes-versions.adoc | 2 -- .../management/cost-monitoring-aws.adoc | 2 -- .../cost-monitoring-kubecost-bundles.adoc | 2 -- .../management/cost-monitoring-kubecost.adoc | 2 -- .../clusters/management/cost-monitoring.adoc | 2 -- .../ug/clusters/management/eks-managing.adoc | 2 -- .../clusters/management/eks-using-tags.adoc | 2 -- latest/ug/clusters/management/helm.adoc | 2 -- .../clusters/management/metrics-server.adoc | 2 -- .../clusters/management/service-quotas.adoc | 2 -- latest/ug/clusters/platform-versions.adoc | 2 -- latest/ug/clusters/private-clusters.adoc | 2 -- latest/ug/clusters/update-cluster.adoc | 2 -- latest/ug/clusters/view-support-status.adoc | 2 -- latest/ug/clusters/view-upgrade-policy.adoc | 2 -- latest/ug/clusters/windows-support.adoc | 2 -- latest/ug/clusters/zone-shift-enable.adoc | 2 -- latest/ug/clusters/zone-shift.adoc | 2 -- latest/ug/connector/connecting-cluster.adoc | 2 -- .../ug/connector/connector-grant-access.adoc | 2 -- .../deregister-connected-cluster.adoc | 2 -- latest/ug/connector/eks-connector.adoc | 2 -- latest/ug/connector/security-connector.adoc | 2 -- .../connector/troubleshooting-connector.adoc | 2 -- latest/ug/connector/tsc-faq.adoc | 2 -- latest/ug/contribute/asciidoc-syntax.adoc | 2 -- latest/ug/contribute/contribute.adoc | 2 -- latest/ug/contribute/create-content-q.adoc | 2 -- latest/ug/contribute/create-page.adoc | 2 -- latest/ug/contribute/edit-single-web.adoc | 2 -- latest/ug/contribute/edit-web.adoc | 2 -- latest/ug/contribute/insert-link.adoc | 2 -- latest/ug/contribute/pr-preview.adoc | 2 -- latest/ug/contribute/pr-status.adoc | 2 -- latest/ug/contribute/vale-github.adoc | 2 -- latest/ug/contribute/vale-local.adoc | 2 -- latest/ug/diagrams/README.adoc | 2 -- latest/ug/doc-history.adoc | 2 -- .../getting-started-automode.adoc | 2 -- .../getting-started-console.adoc | 2 -- .../getting-started-eksctl.adoc | 2 -- .../ug/getting-started/getting-started.adoc | 2 -- latest/ug/getting-started/install-awscli.adoc | 2 -- .../ug/getting-started/install-kubectl.adoc | 2 -- latest/ug/getting-started/learn-eks.adoc | 2 -- latest/ug/getting-started/setting-up.adoc | 2 -- ...reating-resources-with-cloudformation.adoc | 2 -- latest/ug/integrations/eks-integrations.adoc | 2 -- .../integrations/integration-detective.adoc | 2 -- .../integrations/integration-guardduty.adoc | 2 -- .../integration-resilience-hub.adoc | 2 -- .../integration-securitylake.adoc | 2 -- .../integrations/integration-vpc-lattice.adoc | 2 -- latest/ug/integrations/local-zones.adoc | 2 -- .../associate-service-account-role.adoc | 2 -- .../aws-access/configure-sts-endpoint.adoc | 2 -- .../aws-access/cross-account-access.adoc | 2 -- ...enable-iam-roles-for-service-accounts.adoc | 2 -- ...oles-for-service-accounts-minimum-sdk.adoc | 2 -- .../iam-roles-for-service-accounts.adoc | 2 -- .../aws-access/irsa-fetch-keys.adoc | 2 -- .../aws-access/pod-configuration.adoc | 2 -- .../manage-access/aws-access/pod-id-abac.adoc | 2 -- .../aws-access/pod-id-agent-config-ipv6.adoc | 2 -- .../aws-access/pod-id-agent-setup.adoc | 2 -- .../aws-access/pod-id-association.adoc | 2 -- .../aws-access/pod-id-configure-pods.adoc | 2 -- .../aws-access/pod-id-how-it-works.adoc | 2 -- .../aws-access/pod-id-minimum-sdk.adoc | 2 -- .../manage-access/aws-access/pod-id-role.adoc | 2 -- .../aws-access/pod-identities.adoc | 2 -- .../aws-access/service-accounts.adoc | 2 -- latest/ug/manage-access/cluster-auth.adoc | 2 -- .../ug/manage-access/create-kubeconfig.adoc | 2 -- .../k8s-access/access-entries.adoc | 2 -- .../k8s-access/access-policies.adoc | 2 -- .../k8s-access/access-policy-reference.adoc | 2 -- .../k8s-access/auth-configmap.adoc | 2 -- .../authenticate-oidc-identity-provider.adoc | 2 -- .../k8s-access/creating-access-entries.adoc | 2 -- .../k8s-access/deleting-access-entries.adoc | 2 -- .../disassociate-oidc-identity-provider.adoc | 2 -- .../k8s-access/grant-k8s-access.adoc | 2 -- .../k8s-access/migrating-access-entries.adoc | 2 -- .../k8s-access/setting-up-access-entries.adoc | 2 -- .../k8s-access/updating-access-entries.adoc | 2 -- .../view-kubernetes-resources.adoc | 2 -- latest/ug/ml/capacity-blocks-mng.adoc | 2 -- latest/ug/ml/capacity-blocks.adoc | 2 -- latest/ug/ml/inferentia-support.adoc | 2 -- latest/ug/ml/machine-learning-on-eks.adoc | 2 -- latest/ug/ml/ml-eks-optimized-ami.adoc | 2 -- .../ug/ml/ml-eks-windows-optimized-ami.adoc | 2 -- latest/ug/ml/ml-get-started.adoc | 2 -- latest/ug/ml/ml-prepare-for-cluster.adoc | 2 -- latest/ug/ml/ml-tutorials.adoc | 2 -- latest/ug/ml/node-efa.adoc | 2 -- .../ml/node-taints-managed-node-groups.adoc | 2 -- .../ug/networking/alternate-cni-plugins.adoc | 2 -- .../ug/networking/auto-mode-addon-note.adoc | 2 -- .../aws-load-balancer-controller.adoc | 2 -- .../cni-custom-network-tutorial.adoc | 2 -- latest/ug/networking/cni-custom-network.adoc | 2 -- latest/ug/networking/cni-iam-role.adoc | 2 -- .../cni-increase-ip-addresses-procedure.adoc | 2 -- .../networking/cni-increase-ip-addresses.adoc | 2 -- latest/ug/networking/cni-ipv6.adoc | 2 -- .../cni-network-policy-configure.adoc | 2 -- latest/ug/networking/cni-network-policy.adoc | 2 -- .../ug/networking/coredns-add-on-create.adoc | 2 -- .../coredns-add-on-self-managed-update.adoc | 2 -- .../ug/networking/coredns-add-on-update.adoc | 2 -- latest/ug/networking/coredns-autoscaling.adoc | 2 -- latest/ug/networking/coredns-metrics.adoc | 2 -- latest/ug/networking/creating-a-vpc.adoc | 2 -- latest/ug/networking/deploy-ipv6-cluster.adoc | 2 -- .../ug/networking/eks-networking-add-ons.adoc | 2 -- latest/ug/networking/eks-networking.adoc | 2 -- latest/ug/networking/external-snat.adoc | 2 -- ...kube-proxy-add-on-self-managed-update.adoc | 2 -- latest/ug/networking/lbc-helm.adoc | 2 -- latest/ug/networking/lbc-manifest.adoc | 2 -- latest/ug/networking/lbc-remove.adoc | 2 -- latest/ug/networking/managing-coredns.adoc | 2 -- latest/ug/networking/managing-kube-proxy.adoc | 2 -- latest/ug/networking/managing-vpc-cni.adoc | 2 -- .../network-policies-troubleshooting.adoc | 2 -- .../ug/networking/network-policy-disable.adoc | 2 -- .../networking/network-policy-stars-demo.adoc | 2 -- latest/ug/networking/network-reqs.adoc | 2 -- .../pod-multiple-network-interfaces.adoc | 2 -- .../networking/pod-networking-use-cases.adoc | 2 -- latest/ug/networking/sec-group-reqs.adoc | 2 -- .../networking/security-groups-for-pods.adoc | 2 -- .../security-groups-pods-deployment.adoc | 2 -- .../sg-pods-example-deployment.adoc | 2 -- latest/ug/networking/vpc-add-on-create.adoc | 2 -- .../vpc-add-on-self-managed-update.adoc | 2 -- latest/ug/networking/vpc-add-on-update.adoc | 2 -- latest/ug/nodes/al2023.adoc | 2 -- latest/ug/nodes/auto-get-logs.adoc | 2 -- .../bottlerocket-compliance-support.adoc | 2 -- latest/ug/nodes/choosing-instance-type.adoc | 2 -- .../ug/nodes/create-managed-node-group.adoc | 2 -- latest/ug/nodes/delete-fargate-profile.adoc | 2 -- .../ug/nodes/delete-managed-node-group.adoc | 2 -- latest/ug/nodes/dockershim-deprecation.adoc | 2 -- latest/ug/nodes/eks-ami-build-scripts.adoc | 2 -- .../nodes/eks-ami-versions-bottlerocket.adoc | 2 -- latest/ug/nodes/eks-ami-versions-windows.adoc | 2 -- latest/ug/nodes/eks-compute.adoc | 2 -- latest/ug/nodes/eks-custom-ami-windows.adoc | 2 -- latest/ug/nodes/eks-linux-ami-versions.adoc | 2 -- .../nodes/eks-optimized-ami-bottlerocket.adoc | 2 -- latest/ug/nodes/eks-optimized-ami.adoc | 2 -- latest/ug/nodes/eks-optimized-amis.adoc | 2 -- .../ug/nodes/eks-optimized-windows-ami.adoc | 2 -- latest/ug/nodes/eks-partner-amis.adoc | 2 -- latest/ug/nodes/fargate-getting-started.adoc | 2 -- latest/ug/nodes/fargate-logging.adoc | 2 -- .../ug/nodes/fargate-pod-configuration.adoc | 2 -- latest/ug/nodes/fargate-pod-patching.adoc | 2 -- latest/ug/nodes/fargate-profile.adoc | 2 -- latest/ug/nodes/fargate.adoc | 2 -- latest/ug/nodes/hybrid-nodes-add-ons.adoc | 2 -- .../ug/nodes/hybrid-nodes-cluster-create.adoc | 2 -- .../ug/nodes/hybrid-nodes-cluster-prep.adoc | 2 -- latest/ug/nodes/hybrid-nodes-cni.adoc | 2 -- latest/ug/nodes/hybrid-nodes-creds.adoc | 2 -- latest/ug/nodes/hybrid-nodes-join.adoc | 2 -- latest/ug/nodes/hybrid-nodes-networking.adoc | 2 -- latest/ug/nodes/hybrid-nodes-nodeadm.adoc | 2 -- latest/ug/nodes/hybrid-nodes-os.adoc | 2 -- latest/ug/nodes/hybrid-nodes-overview.adoc | 2 -- latest/ug/nodes/hybrid-nodes-prereqs.adoc | 2 -- latest/ug/nodes/hybrid-nodes-proxy.adoc | 2 -- latest/ug/nodes/hybrid-nodes-remove.adoc | 2 -- .../nodes/hybrid-nodes-troubleshooting.adoc | 2 -- latest/ug/nodes/hybrid-nodes-tutorial.adoc | 2 -- latest/ug/nodes/hybrid-nodes-upgrade.adoc | 2 -- latest/ug/nodes/launch-node-bottlerocket.adoc | 2 -- latest/ug/nodes/launch-node-ubuntu.adoc | 2 -- latest/ug/nodes/launch-templates.adoc | 2 -- latest/ug/nodes/launch-windows-workers.adoc | 2 -- latest/ug/nodes/launch-workers.adoc | 2 -- latest/ug/nodes/learn-status-conditions.adoc | 2 -- latest/ug/nodes/managed-node-groups.adoc | 2 -- .../nodes/managed-node-update-behavior.adoc | 2 -- latest/ug/nodes/migrate-stack.adoc | 2 -- latest/ug/nodes/monitoring-fargate-usage.adoc | 2 -- latest/ug/nodes/node-health.adoc | 2 -- .../nodes/retrieve-ami-id-bottlerocket.adoc | 2 -- latest/ug/nodes/retrieve-ami-id.adoc | 2 -- latest/ug/nodes/retrieve-windows-ami-id.adoc | 2 -- .../self-managed-windows-server-2022.adoc | 2 -- .../ug/nodes/update-managed-node-group.adoc | 2 -- latest/ug/nodes/update-stack.adoc | 2 -- latest/ug/nodes/update-workers.adoc | 2 -- latest/ug/nodes/worker.adoc | 2 -- latest/ug/observability/cloudwatch.adoc | 2 -- .../ug/observability/control-plane-logs.adoc | 2 -- .../ug/observability/deploy-prometheus.adoc | 2 -- latest/ug/observability/eks-observe.adoc | 2 -- .../ug/observability/enable-asg-metrics.adoc | 2 -- .../logging-using-cloudtrail.adoc | 2 -- .../observability-dashboard.adoc | 2 -- latest/ug/observability/opentelemetry.adoc | 2 -- latest/ug/observability/prometheus.adoc | 2 -- .../service-name-info-in-cloudtrail.adoc | 2 -- .../understanding-service-name-entries.adoc | 2 -- latest/ug/observability/view-raw-metrics.adoc | 2 -- .../eks-outposts-capacity-considerations.adoc | 2 -- .../eks-outposts-local-cluster-create.adoc | 2 -- .../eks-outposts-local-cluster-overview.adoc | 2 -- .../eks-outposts-network-disconnects.adoc | 2 -- .../eks-outposts-platform-versions.adoc | 2 -- .../eks-outposts-self-managed-nodes.adoc | 2 -- .../eks-outposts-troubleshooting.adoc | 2 -- .../eks-outposts-vpc-subnet-requirements.adoc | 2 -- latest/ug/outposts/eks-outposts.adoc | 2 -- latest/ug/quickstart.adoc | 4 +--- latest/ug/related-projects.adoc | 2 -- latest/ug/roadmap.adoc | 2 -- latest/ug/security/auto-security.adoc | 2 -- latest/ug/security/cert-signing.adoc | 2 -- latest/ug/security/compliance.adoc | 2 -- .../configuration-vulnerability-analysis.adoc | 2 -- latest/ug/security/default-roles-users.adoc | 2 -- .../disaster-recovery-resiliency.adoc | 2 -- latest/ug/security/enable-kms.adoc | 2 -- latest/ug/security/envelope-encryption.adoc | 2 -- .../iam-reference/auto-cluster-iam-role.adoc | 2 -- .../iam-reference/auto-create-node-role.adoc | 2 -- .../iam-reference/cluster-iam-role.adoc | 2 -- .../iam-reference/connector-iam-role.adoc | 2 -- .../iam-reference/create-node-role.adoc | 2 -- .../iam-reference/pod-execution-role.adoc | 2 -- .../iam-reference/security-iam-awsmanpol.adoc | 2 -- ...security-iam-id-based-policy-examples.adoc | 2 -- .../security-iam-service-with-iam.adoc | 2 -- .../security-iam-troubleshoot.adoc | 2 -- .../security/iam-reference/security-iam.adoc | 2 -- ...ng-service-linked-roles-eks-connector.adoc | 2 -- ...sing-service-linked-roles-eks-fargate.adoc | 2 -- ...g-service-linked-roles-eks-nodegroups.adoc | 2 -- ...sing-service-linked-roles-eks-outpost.adoc | 2 -- .../using-service-linked-roles-eks.adoc | 2 -- .../using-service-linked-roles.adoc | 2 -- .../ug/security/infrastructure-security.adoc | 2 -- latest/ug/security/manage-secrets.adoc | 2 -- .../pod-security-policy-removal-faq.adoc | 2 -- latest/ug/security/pod-security-policy.adoc | 2 -- .../ug/security/security-best-practices.adoc | 2 -- latest/ug/security/security-eks.adoc | 2 -- latest/ug/security/security-k8s.adoc | 2 -- latest/ug/security/security.adoc | 2 -- .../ug/security/vpc-interface-endpoints.adoc | 2 -- .../ug/storage/csi-snapshot-controller.adoc | 2 -- latest/ug/storage/ebs-csi.adoc | 2 -- latest/ug/storage/efs-csi.adoc | 2 -- latest/ug/storage/file-cache-csi.adoc | 2 -- latest/ug/storage/fsx-csi.adoc | 2 -- latest/ug/storage/fsx-ontap.adoc | 2 -- latest/ug/storage/fsx-openzfs-csi.adoc | 2 -- latest/ug/storage/s3-csi.adoc | 2 -- latest/ug/storage/storage.adoc | 2 -- .../ug/troubleshooting/troubleshooting.adoc | 2 -- latest/ug/what-is/common-use-cases.adoc | 2 -- latest/ug/what-is/eks-architecture.adoc | 2 -- latest/ug/what-is/eks-deployment-options.adoc | 2 -- latest/ug/what-is/kubernetes-concepts.adoc | 2 -- latest/ug/what-is/what-is-eks.adoc | 2 -- latest/ug/workloads/add-ons-iam.adoc | 2 -- latest/ug/workloads/add-ons-images.adoc | 2 -- latest/ug/workloads/addon-compat.adoc | 2 -- .../ug/workloads/addon-id-troubleshoot.adoc | 2 -- latest/ug/workloads/alb-ingress.adoc | 2 -- latest/ug/workloads/community-addons.adoc | 2 -- .../workloads/copy-image-to-repository.adoc | 2 -- latest/ug/workloads/creating-an-add-on.adoc | 2 -- latest/ug/workloads/eks-add-ons.adoc | 2 -- latest/ug/workloads/eks-workloads.adoc | 2 -- .../workloads/horizontal-pod-autoscaler.adoc | 2 -- latest/ug/workloads/image-verification.adoc | 2 -- .../kubernetes-field-management.adoc | 2 -- .../ug/workloads/network-load-balancing.adoc | 2 -- latest/ug/workloads/remove-addon-role.adoc | 2 -- latest/ug/workloads/removing-an-addon.adoc | 2 -- .../restrict-service-external-ip.adoc | 2 -- latest/ug/workloads/retreive-iam-info.adoc | 2 -- .../workloads/sample-deployment-windows.adoc | 2 -- latest/ug/workloads/sample-deployment.adoc | 2 -- latest/ug/workloads/update-addon-role.adoc | 2 -- latest/ug/workloads/updating-an-add-on.adoc | 2 -- .../ug/workloads/vertical-pod-autoscaler.adoc | 2 -- .../workloads-add-ons-available-eks.adoc | 2 -- .../workloads-add-ons-available-vendors.adoc | 2 -- team/squish.adoc | 2 -- 352 files changed, 15 insertions(+), 710 deletions(-) diff --git a/latest/ug/automode/adoc-windows.adoc b/latest/ug/automode/adoc-windows.adoc index 257530607..96228a299 100644 --- a/latest/ug/automode/adoc-windows.adoc +++ b/latest/ug/automode/adoc-windows.adoc @@ -1,5 +1,3 @@ -:doctype: book - = Configure an AsciiDoc Authoring Environment on Windows using Visual Studio Code == Prereqs diff --git a/latest/ug/automode/api-reference.adoc b/latest/ug/automode/api-reference.adoc index 5ffe26542..f1bc94240 100644 --- a/latest/ug/automode/api-reference.adoc +++ b/latest/ug/automode/api-reference.adoc @@ -1,5 +1,3 @@ -:doctype: book - [.topic] = EKA Auto Mode API Reference WIP diff --git a/latest/ug/automode/associate-workload.adoc b/latest/ug/automode/associate-workload.adoc index 5e1e1ad39..08f2e9c3b 100644 --- a/latest/ug/automode/associate-workload.adoc +++ b/latest/ug/automode/associate-workload.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/auto-configure-alb.adoc b/latest/ug/automode/auto-configure-alb.adoc index ff34eb150..549254644 100644 --- a/latest/ug/automode/auto-configure-alb.adoc +++ b/latest/ug/automode/auto-configure-alb.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/auto-configure-nlb.adoc b/latest/ug/automode/auto-configure-nlb.adoc index 9673ceb95..e6420a90d 100644 --- a/latest/ug/automode/auto-configure-nlb.adoc +++ b/latest/ug/automode/auto-configure-nlb.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/auto-disable.adoc b/latest/ug/automode/auto-disable.adoc index d29795991..75500b5a0 100644 --- a/latest/ug/automode/auto-disable.adoc +++ b/latest/ug/automode/auto-disable.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/auto-elb-example.adoc b/latest/ug/automode/auto-elb-example.adoc index 9733ef29e..82794f0af 100644 --- a/latest/ug/automode/auto-elb-example.adoc +++ b/latest/ug/automode/auto-elb-example.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/auto-enable-existing.adoc b/latest/ug/automode/auto-enable-existing.adoc index b0183ccf5..33717498f 100644 --- a/latest/ug/automode/auto-enable-existing.adoc +++ b/latest/ug/automode/auto-enable-existing.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/auto-glossary.adoc b/latest/ug/automode/auto-glossary.adoc index 0a4f79aaa..9dac6db29 100644 --- a/latest/ug/automode/auto-glossary.adoc +++ b/latest/ug/automode/auto-glossary.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/auto-learn-iam.adoc b/latest/ug/automode/auto-learn-iam.adoc index a43d92d36..a52c2c60c 100644 --- a/latest/ug/automode/auto-learn-iam.adoc +++ b/latest/ug/automode/auto-learn-iam.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/auto-migrate-karpenter.adoc b/latest/ug/automode/auto-migrate-karpenter.adoc index 87ff6635d..6f55692ea 100644 --- a/latest/ug/automode/auto-migrate-karpenter.adoc +++ b/latest/ug/automode/auto-migrate-karpenter.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/auto-migrate-mng.adoc b/latest/ug/automode/auto-migrate-mng.adoc index bde4339db..394b9f03d 100644 --- a/latest/ug/automode/auto-migrate-mng.adoc +++ b/latest/ug/automode/auto-migrate-mng.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/auto-mng.adoc b/latest/ug/automode/auto-mng.adoc index 0c139b83d..2dfd18b45 100644 --- a/latest/ug/automode/auto-mng.adoc +++ b/latest/ug/automode/auto-mng.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/auto-net-pol.adoc b/latest/ug/automode/auto-net-pol.adoc index 06214ee70..e9611415c 100644 --- a/latest/ug/automode/auto-net-pol.adoc +++ b/latest/ug/automode/auto-net-pol.adoc @@ -1,5 +1,3 @@ -:doctype: book - [.topic] [#auto-net-pol] = Use Network Policies with EKS Auto Mode diff --git a/latest/ug/automode/auto-networking.adoc b/latest/ug/automode/auto-networking.adoc index 7766749d6..b5bbc20d6 100644 --- a/latest/ug/automode/auto-networking.adoc +++ b/latest/ug/automode/auto-networking.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/auto-reference.adoc b/latest/ug/automode/auto-reference.adoc index 8582a2e0f..b0e57b9ad 100644 --- a/latest/ug/automode/auto-reference.adoc +++ b/latest/ug/automode/auto-reference.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/auto-troubleshoot.adoc b/latest/ug/automode/auto-troubleshoot.adoc index 99d1fc2ae..72d976c71 100644 --- a/latest/ug/automode/auto-troubleshoot.adoc +++ b/latest/ug/automode/auto-troubleshoot.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/auto-upgrade.adoc b/latest/ug/automode/auto-upgrade.adoc index 63165b73e..5a81c14df 100644 --- a/latest/ug/automode/auto-upgrade.adoc +++ b/latest/ug/automode/auto-upgrade.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/auto-workloads.adoc b/latest/ug/automode/auto-workloads.adoc index 67c6cab70..4e9a9cc91 100644 --- a/latest/ug/automode/auto-workloads.adoc +++ b/latest/ug/automode/auto-workloads.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/automode-get-started-cli.adoc b/latest/ug/automode/automode-get-started-cli.adoc index a5b5e6075..58090dca6 100644 --- a/latest/ug/automode/automode-get-started-cli.adoc +++ b/latest/ug/automode/automode-get-started-cli.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/automode-get-started-console.adoc b/latest/ug/automode/automode-get-started-console.adoc index a3a57e913..b38c76d64 100644 --- a/latest/ug/automode/automode-get-started-console.adoc +++ b/latest/ug/automode/automode-get-started-console.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/automode-get-started-eksctl.adoc b/latest/ug/automode/automode-get-started-eksctl.adoc index a704bcf2b..9a6bcf5b2 100644 --- a/latest/ug/automode/automode-get-started-eksctl.adoc +++ b/latest/ug/automode/automode-get-started-eksctl.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/automode-learn-instances.adoc b/latest/ug/automode/automode-learn-instances.adoc index 13d9cc537..0eec64bd2 100644 --- a/latest/ug/automode/automode-learn-instances.adoc +++ b/latest/ug/automode/automode-learn-instances.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/automode-workload.adoc b/latest/ug/automode/automode-workload.adoc index b09f82de9..c3e8712c5 100644 --- a/latest/ug/automode/automode-workload.adoc +++ b/latest/ug/automode/automode-workload.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/automode.adoc b/latest/ug/automode/automode.adoc index a8c28455c..a2721015b 100644 --- a/latest/ug/automode/automode.adoc +++ b/latest/ug/automode/automode.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [#automode] diff --git a/latest/ug/automode/create-auto.adoc b/latest/ug/automode/create-auto.adoc index 2369c34b7..24231c51e 100644 --- a/latest/ug/automode/create-auto.adoc +++ b/latest/ug/automode/create-auto.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/create-node-class.adoc b/latest/ug/automode/create-node-class.adoc index 8b35cebd4..d2f5833ca 100644 --- a/latest/ug/automode/create-node-class.adoc +++ b/latest/ug/automode/create-node-class.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/create-node-pool.adoc b/latest/ug/automode/create-node-pool.adoc index 47bdc7163..04016f0ae 100644 --- a/latest/ug/automode/create-node-pool.adoc +++ b/latest/ug/automode/create-node-pool.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/create-storage-class.adoc b/latest/ug/automode/create-storage-class.adoc index 7b52891d7..08d240fd6 100644 --- a/latest/ug/automode/create-storage-class.adoc +++ b/latest/ug/automode/create-storage-class.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/critical-workload.adoc b/latest/ug/automode/critical-workload.adoc index b880fd847..012231e0d 100644 --- a/latest/ug/automode/critical-workload.adoc +++ b/latest/ug/automode/critical-workload.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/migrate-auto.adoc b/latest/ug/automode/migrate-auto.adoc index 4e607e821..fd7b3d8b6 100644 --- a/latest/ug/automode/migrate-auto.adoc +++ b/latest/ug/automode/migrate-auto.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/old/hpa_scaling.adoc b/latest/ug/automode/old/hpa_scaling.adoc index f3bf90bf2..3a4a8e68f 100644 --- a/latest/ug/automode/old/hpa_scaling.adoc +++ b/latest/ug/automode/old/hpa_scaling.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/sample-storage-workload.adoc b/latest/ug/automode/sample-storage-workload.adoc index 7a99c54cc..7234aff64 100644 --- a/latest/ug/automode/sample-storage-workload.adoc +++ b/latest/ug/automode/sample-storage-workload.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/set-builtin-node-pools.adoc b/latest/ug/automode/set-builtin-node-pools.adoc index eccc95ba4..aeef537c9 100644 --- a/latest/ug/automode/set-builtin-node-pools.adoc +++ b/latest/ug/automode/set-builtin-node-pools.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/settings-auto.adoc b/latest/ug/automode/settings-auto.adoc index 3874ee827..afcd65213 100644 --- a/latest/ug/automode/settings-auto.adoc +++ b/latest/ug/automode/settings-auto.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/tag-subnets-auto.adoc b/latest/ug/automode/tag-subnets-auto.adoc index 1dbd6de2e..89109ca12 100644 --- a/latest/ug/automode/tag-subnets-auto.adoc +++ b/latest/ug/automode/tag-subnets-auto.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/troubleshoot-lbc.adoc b/latest/ug/automode/troubleshoot-lbc.adoc index 5d29907de..213878707 100644 --- a/latest/ug/automode/troubleshoot-lbc.adoc +++ b/latest/ug/automode/troubleshoot-lbc.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/wip.adoc b/latest/ug/automode/wip.adoc index ee229cc89..b14aa485b 100644 --- a/latest/ug/automode/wip.adoc +++ b/latest/ug/automode/wip.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/automode/wip/create-vpc-console.adoc b/latest/ug/automode/wip/create-vpc-console.adoc index 1d34b901d..453499fc2 100644 --- a/latest/ug/automode/wip/create-vpc-console.adoc +++ b/latest/ug/automode/wip/create-vpc-console.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/automode/wip/eksctl-docs.adoc b/latest/ug/automode/wip/eksctl-docs.adoc index e33f40650..858cfa892 100644 --- a/latest/ug/automode/wip/eksctl-docs.adoc +++ b/latest/ug/automode/wip/eksctl-docs.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/automode/wip/tag-subnets.adoc b/latest/ug/automode/wip/tag-subnets.adoc index 592b68a15..9db3d882f 100644 --- a/latest/ug/automode/wip/tag-subnets.adoc +++ b/latest/ug/automode/wip/tag-subnets.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/book.adoc b/latest/ug/book.adoc index 2a4e3aa4f..a1725e0e0 100644 --- a/latest/ug/book.adoc +++ b/latest/ug/book.adoc @@ -1,14 +1,15 @@ :doctype: book - -include::attributes.txt[] - -[[top]] -= Amazon EKS +:toc: left +:icons: font +:experimental: +:idprefix: +:idseparator: - +:info_doctype: book +:info_title: Amazon EKS :info_subtitle: User Guide :info_corpauthor: Amazon Web Services :info_publisher: Amazon Web Services -:info_copyright: 2025 \ -Amazon Web Services, Inc. and/or its affiliates. All rights reserved. +:info_copyright: Amazon Web Services, Inc. and/or its affiliates. All rights reserved. :info_legalnotice: Amazon's trademarks and trade dress may not be used in \ connection with any product or service that is not Amazon's, \ in any manner that is likely to cause confusion among customers, \ @@ -18,6 +19,11 @@ owners, who may or may not be affiliated with, connected to, or \ sponsored by Amazon. :keywords: EKS, Amazon EKS, Kubernetes, K8s, Cluster, Pod +include::attributes.txt[] + +[[top]] += Amazon EKS + [abstract] -- This is official Amazon Web Services ({aws}) documentation for Amazon Elastic Kubernetes Service (Amazon EKS). Amazon EKS is a managed service that makes it easy for you to run Kubernetes on {aws} without needing to install and operate your own Kubernetes clusters. Kubernetes is an open source system for automating the deployment, scaling, and management of containerized applications. diff --git a/latest/ug/clusters/autoscaling.adoc b/latest/ug/clusters/autoscaling.adoc index 271368a97..5d721142f 100644 --- a/latest/ug/clusters/autoscaling.adoc +++ b/latest/ug/clusters/autoscaling.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/cluster-endpoint.adoc b/latest/ug/clusters/cluster-endpoint.adoc index 10e54b89f..6f43b3825 100644 --- a/latest/ug/clusters/cluster-endpoint.adoc +++ b/latest/ug/clusters/cluster-endpoint.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/cluster-insights.adoc b/latest/ug/clusters/cluster-insights.adoc index bac4cf663..99e8127b2 100644 --- a/latest/ug/clusters/cluster-insights.adoc +++ b/latest/ug/clusters/cluster-insights.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/clusters.adoc b/latest/ug/clusters/clusters.adoc index f8617ca84..fe0d79727 100644 --- a/latest/ug/clusters/clusters.adoc +++ b/latest/ug/clusters/clusters.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [#clusters] diff --git a/latest/ug/clusters/create-cluster-auto.adoc b/latest/ug/clusters/create-cluster-auto.adoc index 3e67ef45e..82b543641 100644 --- a/latest/ug/clusters/create-cluster-auto.adoc +++ b/latest/ug/clusters/create-cluster-auto.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] @@ -267,6 +265,7 @@ aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly ``` +[#create-cluster-auto-create-cluster] === Create cluster . Create your cluster with the command that follows. Before running the command, make the following replacements: diff --git a/latest/ug/clusters/create-cluster.adoc b/latest/ug/clusters/create-cluster.adoc index 2dd2364c5..5aebc4491 100644 --- a/latest/ug/clusters/create-cluster.adoc +++ b/latest/ug/clusters/create-cluster.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/delete-cluster.adoc b/latest/ug/clusters/delete-cluster.adoc index c763da068..e4de990ff 100644 --- a/latest/ug/clusters/delete-cluster.adoc +++ b/latest/ug/clusters/delete-cluster.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/disable-extended-support.adoc b/latest/ug/clusters/disable-extended-support.adoc index f24a2e82b..017e2b9e9 100644 --- a/latest/ug/clusters/disable-extended-support.adoc +++ b/latest/ug/clusters/disable-extended-support.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/disable-windows-support.adoc b/latest/ug/clusters/disable-windows-support.adoc index 09ad4df62..087e708c5 100644 --- a/latest/ug/clusters/disable-windows-support.adoc +++ b/latest/ug/clusters/disable-windows-support.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/enable-extended-support.adoc b/latest/ug/clusters/enable-extended-support.adoc index 85324f020..9d85152b5 100644 --- a/latest/ug/clusters/enable-extended-support.adoc +++ b/latest/ug/clusters/enable-extended-support.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/kubernetes-versions-extended.adoc b/latest/ug/clusters/kubernetes-versions-extended.adoc index 9a2ff7f45..2dde57084 100644 --- a/latest/ug/clusters/kubernetes-versions-extended.adoc +++ b/latest/ug/clusters/kubernetes-versions-extended.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/kubernetes-versions-standard.adoc b/latest/ug/clusters/kubernetes-versions-standard.adoc index 7f2b3ead8..86cddb85a 100644 --- a/latest/ug/clusters/kubernetes-versions-standard.adoc +++ b/latest/ug/clusters/kubernetes-versions-standard.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/kubernetes-versions.adoc b/latest/ug/clusters/kubernetes-versions.adoc index 31d66e8a9..17da36a4c 100644 --- a/latest/ug/clusters/kubernetes-versions.adoc +++ b/latest/ug/clusters/kubernetes-versions.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/management/cost-monitoring-aws.adoc b/latest/ug/clusters/management/cost-monitoring-aws.adoc index 94654a576..cf3ae47bc 100644 --- a/latest/ug/clusters/management/cost-monitoring-aws.adoc +++ b/latest/ug/clusters/management/cost-monitoring-aws.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc b/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc index 2c99fb19a..115985749 100644 --- a/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc +++ b/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/management/cost-monitoring-kubecost.adoc b/latest/ug/clusters/management/cost-monitoring-kubecost.adoc index 2a6ed5429..1b3aae8ea 100644 --- a/latest/ug/clusters/management/cost-monitoring-kubecost.adoc +++ b/latest/ug/clusters/management/cost-monitoring-kubecost.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/management/cost-monitoring.adoc b/latest/ug/clusters/management/cost-monitoring.adoc index d7fb55410..7d674e381 100644 --- a/latest/ug/clusters/management/cost-monitoring.adoc +++ b/latest/ug/clusters/management/cost-monitoring.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/management/eks-managing.adoc b/latest/ug/clusters/management/eks-managing.adoc index 3f49fb775..4901184e8 100644 --- a/latest/ug/clusters/management/eks-managing.adoc +++ b/latest/ug/clusters/management/eks-managing.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [#eks-managing] diff --git a/latest/ug/clusters/management/eks-using-tags.adoc b/latest/ug/clusters/management/eks-using-tags.adoc index 5a2304fba..3e09491e0 100644 --- a/latest/ug/clusters/management/eks-using-tags.adoc +++ b/latest/ug/clusters/management/eks-using-tags.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/management/helm.adoc b/latest/ug/clusters/management/helm.adoc index bc495ad0c..43d2fdaf0 100644 --- a/latest/ug/clusters/management/helm.adoc +++ b/latest/ug/clusters/management/helm.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/management/metrics-server.adoc b/latest/ug/clusters/management/metrics-server.adoc index 984d66a6d..add311630 100644 --- a/latest/ug/clusters/management/metrics-server.adoc +++ b/latest/ug/clusters/management/metrics-server.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/management/service-quotas.adoc b/latest/ug/clusters/management/service-quotas.adoc index 266402b11..4416f183f 100644 --- a/latest/ug/clusters/management/service-quotas.adoc +++ b/latest/ug/clusters/management/service-quotas.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/platform-versions.adoc b/latest/ug/clusters/platform-versions.adoc index f85d6ce5d..5d1417af7 100644 --- a/latest/ug/clusters/platform-versions.adoc +++ b/latest/ug/clusters/platform-versions.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/private-clusters.adoc b/latest/ug/clusters/private-clusters.adoc index 46eecd9d2..3bf47b038 100644 --- a/latest/ug/clusters/private-clusters.adoc +++ b/latest/ug/clusters/private-clusters.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/update-cluster.adoc b/latest/ug/clusters/update-cluster.adoc index 98a5d2177..5861df86d 100644 --- a/latest/ug/clusters/update-cluster.adoc +++ b/latest/ug/clusters/update-cluster.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/view-support-status.adoc b/latest/ug/clusters/view-support-status.adoc index a3b87fc34..1632aeff9 100644 --- a/latest/ug/clusters/view-support-status.adoc +++ b/latest/ug/clusters/view-support-status.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/view-upgrade-policy.adoc b/latest/ug/clusters/view-upgrade-policy.adoc index 99418a5dc..4a0a0fff2 100644 --- a/latest/ug/clusters/view-upgrade-policy.adoc +++ b/latest/ug/clusters/view-upgrade-policy.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/windows-support.adoc b/latest/ug/clusters/windows-support.adoc index fb5ee343d..53a258661 100644 --- a/latest/ug/clusters/windows-support.adoc +++ b/latest/ug/clusters/windows-support.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/clusters/zone-shift-enable.adoc b/latest/ug/clusters/zone-shift-enable.adoc index 84b4fd49d..ba629073b 100644 --- a/latest/ug/clusters/zone-shift-enable.adoc +++ b/latest/ug/clusters/zone-shift-enable.adoc @@ -1,5 +1,3 @@ -:doctype: book - [.topic] [#zone-shift-enable] = Enable EKS Zonal Shift to avoid impaired Availability Zones diff --git a/latest/ug/clusters/zone-shift.adoc b/latest/ug/clusters/zone-shift.adoc index 6e03de864..07a45e010 100644 --- a/latest/ug/clusters/zone-shift.adoc +++ b/latest/ug/clusters/zone-shift.adoc @@ -1,5 +1,3 @@ -:doctype: book - [.topic] [#zone-shift] = Learn about Amazon Application Recovery Controller's (ARC) Zonal Shift in Amazon EKS diff --git a/latest/ug/connector/connecting-cluster.adoc b/latest/ug/connector/connecting-cluster.adoc index e54412eab..dc05a6a0d 100644 --- a/latest/ug/connector/connecting-cluster.adoc +++ b/latest/ug/connector/connecting-cluster.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/connector/connector-grant-access.adoc b/latest/ug/connector/connector-grant-access.adoc index 45565ef82..e6d423962 100644 --- a/latest/ug/connector/connector-grant-access.adoc +++ b/latest/ug/connector/connector-grant-access.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/connector/deregister-connected-cluster.adoc b/latest/ug/connector/deregister-connected-cluster.adoc index 5372af8c9..addbc3429 100644 --- a/latest/ug/connector/deregister-connected-cluster.adoc +++ b/latest/ug/connector/deregister-connected-cluster.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/connector/eks-connector.adoc b/latest/ug/connector/eks-connector.adoc index 17840a4a4..adc4f842e 100644 --- a/latest/ug/connector/eks-connector.adoc +++ b/latest/ug/connector/eks-connector.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [#eks-connector] diff --git a/latest/ug/connector/security-connector.adoc b/latest/ug/connector/security-connector.adoc index 21fb6d36e..63614312c 100644 --- a/latest/ug/connector/security-connector.adoc +++ b/latest/ug/connector/security-connector.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/connector/troubleshooting-connector.adoc b/latest/ug/connector/troubleshooting-connector.adoc index 0b29ceb28..7dd90ca24 100644 --- a/latest/ug/connector/troubleshooting-connector.adoc +++ b/latest/ug/connector/troubleshooting-connector.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/connector/tsc-faq.adoc b/latest/ug/connector/tsc-faq.adoc index 851521217..388f1afc1 100644 --- a/latest/ug/connector/tsc-faq.adoc +++ b/latest/ug/connector/tsc-faq.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/contribute/asciidoc-syntax.adoc b/latest/ug/contribute/asciidoc-syntax.adoc index 33116dccd..a1294f503 100644 --- a/latest/ug/contribute/asciidoc-syntax.adoc +++ b/latest/ug/contribute/asciidoc-syntax.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/contribute/contribute.adoc b/latest/ug/contribute/contribute.adoc index b8f181539..851f8308c 100644 --- a/latest/ug/contribute/contribute.adoc +++ b/latest/ug/contribute/contribute.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [#contribute] diff --git a/latest/ug/contribute/create-content-q.adoc b/latest/ug/contribute/create-content-q.adoc index 9b00eab15..523f0f496 100644 --- a/latest/ug/contribute/create-content-q.adoc +++ b/latest/ug/contribute/create-content-q.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/contribute/create-page.adoc b/latest/ug/contribute/create-page.adoc index fc56e8e46..e341b72f7 100644 --- a/latest/ug/contribute/create-page.adoc +++ b/latest/ug/contribute/create-page.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/contribute/edit-single-web.adoc b/latest/ug/contribute/edit-single-web.adoc index 85645342c..ff450f82e 100644 --- a/latest/ug/contribute/edit-single-web.adoc +++ b/latest/ug/contribute/edit-single-web.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/contribute/edit-web.adoc b/latest/ug/contribute/edit-web.adoc index 242a1b59f..e5dd4e4a1 100644 --- a/latest/ug/contribute/edit-web.adoc +++ b/latest/ug/contribute/edit-web.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/contribute/insert-link.adoc b/latest/ug/contribute/insert-link.adoc index eab09fe8a..3ea60e59e 100644 --- a/latest/ug/contribute/insert-link.adoc +++ b/latest/ug/contribute/insert-link.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/contribute/pr-preview.adoc b/latest/ug/contribute/pr-preview.adoc index a628630a1..c8cfa2ac5 100644 --- a/latest/ug/contribute/pr-preview.adoc +++ b/latest/ug/contribute/pr-preview.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/contribute/pr-status.adoc b/latest/ug/contribute/pr-status.adoc index df4500841..de51f156b 100644 --- a/latest/ug/contribute/pr-status.adoc +++ b/latest/ug/contribute/pr-status.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/contribute/vale-github.adoc b/latest/ug/contribute/vale-github.adoc index ad1f8b30d..b4059ad95 100644 --- a/latest/ug/contribute/vale-github.adoc +++ b/latest/ug/contribute/vale-github.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/contribute/vale-local.adoc b/latest/ug/contribute/vale-local.adoc index fbeb572e8..c22387bea 100644 --- a/latest/ug/contribute/vale-local.adoc +++ b/latest/ug/contribute/vale-local.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/diagrams/README.adoc b/latest/ug/diagrams/README.adoc index 51d91f080..6cb2f9a6b 100644 --- a/latest/ug/diagrams/README.adoc +++ b/latest/ug/diagrams/README.adoc @@ -1,5 +1,3 @@ -:doctype: book - = Diagram Source Files Diagram source files have moved to Amazon Workdocs. diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index 205c27e4f..d760bab73 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -1,5 +1,3 @@ -:doctype: book - [.topic] [#doc-history] // H1 title is necessary, and must occur before the [abstract], but is unused in the web page (:info_title: is used instead, and :info_titleabbrev: is used in the ToC) diff --git a/latest/ug/getting-started/getting-started-automode.adoc b/latest/ug/getting-started/getting-started-automode.adoc index e61d88542..828b7829f 100644 --- a/latest/ug/getting-started/getting-started-automode.adoc +++ b/latest/ug/getting-started/getting-started-automode.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/getting-started/getting-started-console.adoc b/latest/ug/getting-started/getting-started-console.adoc index 084434813..860e6d005 100644 --- a/latest/ug/getting-started/getting-started-console.adoc +++ b/latest/ug/getting-started/getting-started-console.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/getting-started/getting-started-eksctl.adoc b/latest/ug/getting-started/getting-started-eksctl.adoc index 3ae41bd6e..dd89066c2 100644 --- a/latest/ug/getting-started/getting-started-eksctl.adoc +++ b/latest/ug/getting-started/getting-started-eksctl.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/getting-started/getting-started.adoc b/latest/ug/getting-started/getting-started.adoc index 5f40f586b..35a0d2d7b 100644 --- a/latest/ug/getting-started/getting-started.adoc +++ b/latest/ug/getting-started/getting-started.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [#getting-started] diff --git a/latest/ug/getting-started/install-awscli.adoc b/latest/ug/getting-started/install-awscli.adoc index 9b896f63a..4b4e667d1 100644 --- a/latest/ug/getting-started/install-awscli.adoc +++ b/latest/ug/getting-started/install-awscli.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/getting-started/install-kubectl.adoc b/latest/ug/getting-started/install-kubectl.adoc index 111cb80c1..52b62ab62 100644 --- a/latest/ug/getting-started/install-kubectl.adoc +++ b/latest/ug/getting-started/install-kubectl.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/getting-started/learn-eks.adoc b/latest/ug/getting-started/learn-eks.adoc index 065cb8f57..89ee1bdfe 100644 --- a/latest/ug/getting-started/learn-eks.adoc +++ b/latest/ug/getting-started/learn-eks.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/getting-started/setting-up.adoc b/latest/ug/getting-started/setting-up.adoc index f00d5a3b8..ae2698d98 100644 --- a/latest/ug/getting-started/setting-up.adoc +++ b/latest/ug/getting-started/setting-up.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [#setting-up] diff --git a/latest/ug/integrations/creating-resources-with-cloudformation.adoc b/latest/ug/integrations/creating-resources-with-cloudformation.adoc index 81a416078..580b3eb45 100644 --- a/latest/ug/integrations/creating-resources-with-cloudformation.adoc +++ b/latest/ug/integrations/creating-resources-with-cloudformation.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/integrations/eks-integrations.adoc b/latest/ug/integrations/eks-integrations.adoc index b83117a6b..a4778f605 100644 --- a/latest/ug/integrations/eks-integrations.adoc +++ b/latest/ug/integrations/eks-integrations.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [#eks-integrations] diff --git a/latest/ug/integrations/integration-detective.adoc b/latest/ug/integrations/integration-detective.adoc index 203abe906..da02dc042 100644 --- a/latest/ug/integrations/integration-detective.adoc +++ b/latest/ug/integrations/integration-detective.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/integrations/integration-guardduty.adoc b/latest/ug/integrations/integration-guardduty.adoc index f4357f829..fc50da20f 100644 --- a/latest/ug/integrations/integration-guardduty.adoc +++ b/latest/ug/integrations/integration-guardduty.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/integrations/integration-resilience-hub.adoc b/latest/ug/integrations/integration-resilience-hub.adoc index 4717ab733..66414c241 100644 --- a/latest/ug/integrations/integration-resilience-hub.adoc +++ b/latest/ug/integrations/integration-resilience-hub.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/integrations/integration-securitylake.adoc b/latest/ug/integrations/integration-securitylake.adoc index 2f1b41e1f..39310177d 100644 --- a/latest/ug/integrations/integration-securitylake.adoc +++ b/latest/ug/integrations/integration-securitylake.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/integrations/integration-vpc-lattice.adoc b/latest/ug/integrations/integration-vpc-lattice.adoc index f2ae12766..140232d4d 100644 --- a/latest/ug/integrations/integration-vpc-lattice.adoc +++ b/latest/ug/integrations/integration-vpc-lattice.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/integrations/local-zones.adoc b/latest/ug/integrations/local-zones.adoc index 97cfc9879..7d0a06942 100644 --- a/latest/ug/integrations/local-zones.adoc +++ b/latest/ug/integrations/local-zones.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/aws-access/associate-service-account-role.adoc b/latest/ug/manage-access/aws-access/associate-service-account-role.adoc index 79990fd55..93dece5db 100644 --- a/latest/ug/manage-access/aws-access/associate-service-account-role.adoc +++ b/latest/ug/manage-access/aws-access/associate-service-account-role.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc b/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc index 9f9ac1375..45f719737 100644 --- a/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc +++ b/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/aws-access/cross-account-access.adoc b/latest/ug/manage-access/aws-access/cross-account-access.adoc index 667168bd3..0035d51c0 100644 --- a/latest/ug/manage-access/aws-access/cross-account-access.adoc +++ b/latest/ug/manage-access/aws-access/cross-account-access.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc b/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc index 4d31afb8e..bb1b1da48 100644 --- a/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc index 32ac71cf3..03b0a4a85 100644 --- a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc +++ b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc index cd34f34c7..b39d25513 100644 --- a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc b/latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc index d6bff8621..8803870a3 100644 --- a/latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc +++ b/latest/ug/manage-access/aws-access/irsa-fetch-keys.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/aws-access/pod-configuration.adoc b/latest/ug/manage-access/aws-access/pod-configuration.adoc index dca33433d..a5c950c13 100644 --- a/latest/ug/manage-access/aws-access/pod-configuration.adoc +++ b/latest/ug/manage-access/aws-access/pod-configuration.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/aws-access/pod-id-abac.adoc b/latest/ug/manage-access/aws-access/pod-id-abac.adoc index 50c587cc0..1924c2d8b 100644 --- a/latest/ug/manage-access/aws-access/pod-id-abac.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-abac.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc b/latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc index 3bb62df31..a83d2c84b 100644 --- a/latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-agent-config-ipv6.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc b/latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc index ca2fccf77..954ed5c1f 100644 --- a/latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-agent-setup.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/aws-access/pod-id-association.adoc b/latest/ug/manage-access/aws-access/pod-id-association.adoc index 7ee241920..1a63fdfbd 100644 --- a/latest/ug/manage-access/aws-access/pod-id-association.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-association.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc b/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc index c09ff9c3b..3b3caed0c 100644 --- a/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-configure-pods.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc b/latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc index 342ab66d2..7d5e04846 100644 --- a/latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-how-it-works.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc b/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc index 731c03dee..fb44877db 100644 --- a/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-minimum-sdk.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/aws-access/pod-id-role.adoc b/latest/ug/manage-access/aws-access/pod-id-role.adoc index 445ca95c6..fad067dd3 100644 --- a/latest/ug/manage-access/aws-access/pod-id-role.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-role.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/aws-access/pod-identities.adoc b/latest/ug/manage-access/aws-access/pod-identities.adoc index e14d9001d..e77f07f37 100644 --- a/latest/ug/manage-access/aws-access/pod-identities.adoc +++ b/latest/ug/manage-access/aws-access/pod-identities.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/aws-access/service-accounts.adoc b/latest/ug/manage-access/aws-access/service-accounts.adoc index 3eb6f0584..3467a188d 100644 --- a/latest/ug/manage-access/aws-access/service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/service-accounts.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/cluster-auth.adoc b/latest/ug/manage-access/cluster-auth.adoc index c92e78456..310fbf496 100644 --- a/latest/ug/manage-access/cluster-auth.adoc +++ b/latest/ug/manage-access/cluster-auth.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/create-kubeconfig.adoc b/latest/ug/manage-access/create-kubeconfig.adoc index a0ec1f208..931b647a1 100644 --- a/latest/ug/manage-access/create-kubeconfig.adoc +++ b/latest/ug/manage-access/create-kubeconfig.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/k8s-access/access-entries.adoc b/latest/ug/manage-access/k8s-access/access-entries.adoc index 594b38256..2f398f32d 100644 --- a/latest/ug/manage-access/k8s-access/access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/access-entries.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/k8s-access/access-policies.adoc b/latest/ug/manage-access/k8s-access/access-policies.adoc index ca889fb12..70d254867 100644 --- a/latest/ug/manage-access/k8s-access/access-policies.adoc +++ b/latest/ug/manage-access/k8s-access/access-policies.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/k8s-access/access-policy-reference.adoc b/latest/ug/manage-access/k8s-access/access-policy-reference.adoc index 952380b1f..69ab45782 100644 --- a/latest/ug/manage-access/k8s-access/access-policy-reference.adoc +++ b/latest/ug/manage-access/k8s-access/access-policy-reference.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/k8s-access/auth-configmap.adoc b/latest/ug/manage-access/k8s-access/auth-configmap.adoc index a3be7f8eb..ba96df593 100644 --- a/latest/ug/manage-access/k8s-access/auth-configmap.adoc +++ b/latest/ug/manage-access/k8s-access/auth-configmap.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc b/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc index f7be43017..639d8d834 100644 --- a/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc +++ b/latest/ug/manage-access/k8s-access/authenticate-oidc-identity-provider.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/k8s-access/creating-access-entries.adoc b/latest/ug/manage-access/k8s-access/creating-access-entries.adoc index 33c801f1f..65748dcff 100644 --- a/latest/ug/manage-access/k8s-access/creating-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/creating-access-entries.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/k8s-access/deleting-access-entries.adoc b/latest/ug/manage-access/k8s-access/deleting-access-entries.adoc index 724582df1..4cb223b8b 100644 --- a/latest/ug/manage-access/k8s-access/deleting-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/deleting-access-entries.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc b/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc index 40e382983..dc407580d 100644 --- a/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc +++ b/latest/ug/manage-access/k8s-access/disassociate-oidc-identity-provider.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc b/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc index 8bb453230..b64365065 100644 --- a/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc +++ b/latest/ug/manage-access/k8s-access/grant-k8s-access.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc b/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc index 1fc3efc93..5de2dee07 100644 --- a/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/migrating-access-entries.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc b/latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc index afe7b60bc..2c3546b9b 100644 --- a/latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/setting-up-access-entries.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/k8s-access/updating-access-entries.adoc b/latest/ug/manage-access/k8s-access/updating-access-entries.adoc index 4ac6eab26..a2224153a 100644 --- a/latest/ug/manage-access/k8s-access/updating-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/updating-access-entries.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/manage-access/view-kubernetes-resources.adoc b/latest/ug/manage-access/view-kubernetes-resources.adoc index 00667950e..9702d0e57 100644 --- a/latest/ug/manage-access/view-kubernetes-resources.adoc +++ b/latest/ug/manage-access/view-kubernetes-resources.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/ml/capacity-blocks-mng.adoc b/latest/ug/ml/capacity-blocks-mng.adoc index 626881c73..0dc169b97 100644 --- a/latest/ug/ml/capacity-blocks-mng.adoc +++ b/latest/ug/ml/capacity-blocks-mng.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/ml/capacity-blocks.adoc b/latest/ug/ml/capacity-blocks.adoc index 12b55a9be..46af09247 100644 --- a/latest/ug/ml/capacity-blocks.adoc +++ b/latest/ug/ml/capacity-blocks.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/ml/inferentia-support.adoc b/latest/ug/ml/inferentia-support.adoc index e97504ab8..6bfb4e48e 100644 --- a/latest/ug/ml/inferentia-support.adoc +++ b/latest/ug/ml/inferentia-support.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/ml/machine-learning-on-eks.adoc b/latest/ug/ml/machine-learning-on-eks.adoc index 988a05874..1113bf17e 100644 --- a/latest/ug/ml/machine-learning-on-eks.adoc +++ b/latest/ug/ml/machine-learning-on-eks.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/ml/ml-eks-optimized-ami.adoc b/latest/ug/ml/ml-eks-optimized-ami.adoc index 5980f88bb..8b6336647 100644 --- a/latest/ug/ml/ml-eks-optimized-ami.adoc +++ b/latest/ug/ml/ml-eks-optimized-ami.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/ml/ml-eks-windows-optimized-ami.adoc b/latest/ug/ml/ml-eks-windows-optimized-ami.adoc index 3df44c30d..06f84bc3a 100644 --- a/latest/ug/ml/ml-eks-windows-optimized-ami.adoc +++ b/latest/ug/ml/ml-eks-windows-optimized-ami.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/ml/ml-get-started.adoc b/latest/ug/ml/ml-get-started.adoc index af40b7376..2090facf0 100644 --- a/latest/ug/ml/ml-get-started.adoc +++ b/latest/ug/ml/ml-get-started.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/ml/ml-prepare-for-cluster.adoc b/latest/ug/ml/ml-prepare-for-cluster.adoc index 58444b464..fb87bee9c 100644 --- a/latest/ug/ml/ml-prepare-for-cluster.adoc +++ b/latest/ug/ml/ml-prepare-for-cluster.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/ml/ml-tutorials.adoc b/latest/ug/ml/ml-tutorials.adoc index f17e97192..84228d611 100644 --- a/latest/ug/ml/ml-tutorials.adoc +++ b/latest/ug/ml/ml-tutorials.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/ml/node-efa.adoc b/latest/ug/ml/node-efa.adoc index ed197c396..28bf1b68c 100644 --- a/latest/ug/ml/node-efa.adoc +++ b/latest/ug/ml/node-efa.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] :AWSEC2-latest-UserGuide-using-eni-html-network-cards: AWSEC2/latest/UserGuide/using-eni.html#network-cards diff --git a/latest/ug/ml/node-taints-managed-node-groups.adoc b/latest/ug/ml/node-taints-managed-node-groups.adoc index 61117c9c8..40f359db4 100644 --- a/latest/ug/ml/node-taints-managed-node-groups.adoc +++ b/latest/ug/ml/node-taints-managed-node-groups.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/alternate-cni-plugins.adoc b/latest/ug/networking/alternate-cni-plugins.adoc index 6209a5b34..986d45ee0 100644 --- a/latest/ug/networking/alternate-cni-plugins.adoc +++ b/latest/ug/networking/alternate-cni-plugins.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/auto-mode-addon-note.adoc b/latest/ug/networking/auto-mode-addon-note.adoc index 8ebc6f28a..a7ae32ca5 100644 --- a/latest/ug/networking/auto-mode-addon-note.adoc +++ b/latest/ug/networking/auto-mode-addon-note.adoc @@ -1,5 +1,3 @@ -:doctype: book - [TIP] ==== With Amazon EKS Auto Mode, you don't need to install or upgrade networking add-ons. Auto Mode includes pod networking and load balancing capabilities. diff --git a/latest/ug/networking/aws-load-balancer-controller.adoc b/latest/ug/networking/aws-load-balancer-controller.adoc index 098d9c133..c78d6db86 100644 --- a/latest/ug/networking/aws-load-balancer-controller.adoc +++ b/latest/ug/networking/aws-load-balancer-controller.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/cni-custom-network-tutorial.adoc b/latest/ug/networking/cni-custom-network-tutorial.adoc index 9a3b74b93..8caa9884f 100644 --- a/latest/ug/networking/cni-custom-network-tutorial.adoc +++ b/latest/ug/networking/cni-custom-network-tutorial.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/cni-custom-network.adoc b/latest/ug/networking/cni-custom-network.adoc index 3c8f73b63..6088eb6c6 100644 --- a/latest/ug/networking/cni-custom-network.adoc +++ b/latest/ug/networking/cni-custom-network.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/cni-iam-role.adoc b/latest/ug/networking/cni-iam-role.adoc index 7ff290bae..8c12147fe 100644 --- a/latest/ug/networking/cni-iam-role.adoc +++ b/latest/ug/networking/cni-iam-role.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc b/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc index 34775c05f..ffcbf0313 100644 --- a/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc +++ b/latest/ug/networking/cni-increase-ip-addresses-procedure.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/cni-increase-ip-addresses.adoc b/latest/ug/networking/cni-increase-ip-addresses.adoc index f26df1cb4..8c806970b 100644 --- a/latest/ug/networking/cni-increase-ip-addresses.adoc +++ b/latest/ug/networking/cni-increase-ip-addresses.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/cni-ipv6.adoc b/latest/ug/networking/cni-ipv6.adoc index 1e2f31850..fbb0e3560 100644 --- a/latest/ug/networking/cni-ipv6.adoc +++ b/latest/ug/networking/cni-ipv6.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/cni-network-policy-configure.adoc b/latest/ug/networking/cni-network-policy-configure.adoc index e67a9dfc5..bb6bcb3e5 100644 --- a/latest/ug/networking/cni-network-policy-configure.adoc +++ b/latest/ug/networking/cni-network-policy-configure.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/cni-network-policy.adoc b/latest/ug/networking/cni-network-policy.adoc index 3982b7de3..2d56bb6c3 100644 --- a/latest/ug/networking/cni-network-policy.adoc +++ b/latest/ug/networking/cni-network-policy.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/coredns-add-on-create.adoc b/latest/ug/networking/coredns-add-on-create.adoc index ef108c7c1..158a42a61 100644 --- a/latest/ug/networking/coredns-add-on-create.adoc +++ b/latest/ug/networking/coredns-add-on-create.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/coredns-add-on-self-managed-update.adoc b/latest/ug/networking/coredns-add-on-self-managed-update.adoc index 111c5ddd9..bef4c0e49 100644 --- a/latest/ug/networking/coredns-add-on-self-managed-update.adoc +++ b/latest/ug/networking/coredns-add-on-self-managed-update.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/coredns-add-on-update.adoc b/latest/ug/networking/coredns-add-on-update.adoc index 9e3720eb1..455003ba1 100644 --- a/latest/ug/networking/coredns-add-on-update.adoc +++ b/latest/ug/networking/coredns-add-on-update.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/coredns-autoscaling.adoc b/latest/ug/networking/coredns-autoscaling.adoc index 8cc31a274..262bd3b40 100644 --- a/latest/ug/networking/coredns-autoscaling.adoc +++ b/latest/ug/networking/coredns-autoscaling.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/coredns-metrics.adoc b/latest/ug/networking/coredns-metrics.adoc index d15a924ed..c46cd65b4 100644 --- a/latest/ug/networking/coredns-metrics.adoc +++ b/latest/ug/networking/coredns-metrics.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/creating-a-vpc.adoc b/latest/ug/networking/creating-a-vpc.adoc index 895b6ff4b..350160a9a 100644 --- a/latest/ug/networking/creating-a-vpc.adoc +++ b/latest/ug/networking/creating-a-vpc.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/deploy-ipv6-cluster.adoc b/latest/ug/networking/deploy-ipv6-cluster.adoc index cfd311fc6..589263b64 100644 --- a/latest/ug/networking/deploy-ipv6-cluster.adoc +++ b/latest/ug/networking/deploy-ipv6-cluster.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/eks-networking-add-ons.adoc b/latest/ug/networking/eks-networking-add-ons.adoc index 8f4190c0a..64fd23194 100644 --- a/latest/ug/networking/eks-networking-add-ons.adoc +++ b/latest/ug/networking/eks-networking-add-ons.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/eks-networking.adoc b/latest/ug/networking/eks-networking.adoc index 332b2463e..b7993a357 100644 --- a/latest/ug/networking/eks-networking.adoc +++ b/latest/ug/networking/eks-networking.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [#eks-networking] diff --git a/latest/ug/networking/external-snat.adoc b/latest/ug/networking/external-snat.adoc index 9643070c7..4edf836fb 100644 --- a/latest/ug/networking/external-snat.adoc +++ b/latest/ug/networking/external-snat.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc b/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc index e2869c633..cbf3e9cf4 100644 --- a/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc +++ b/latest/ug/networking/kube-proxy-add-on-self-managed-update.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/lbc-helm.adoc b/latest/ug/networking/lbc-helm.adoc index ba4fdea53..fb2e98e35 100644 --- a/latest/ug/networking/lbc-helm.adoc +++ b/latest/ug/networking/lbc-helm.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/lbc-manifest.adoc b/latest/ug/networking/lbc-manifest.adoc index 8ff64c312..760cc54c9 100644 --- a/latest/ug/networking/lbc-manifest.adoc +++ b/latest/ug/networking/lbc-manifest.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/lbc-remove.adoc b/latest/ug/networking/lbc-remove.adoc index d2a4c7993..8ff205c95 100644 --- a/latest/ug/networking/lbc-remove.adoc +++ b/latest/ug/networking/lbc-remove.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/managing-coredns.adoc b/latest/ug/networking/managing-coredns.adoc index 52b8e7043..8e1a3d016 100644 --- a/latest/ug/networking/managing-coredns.adoc +++ b/latest/ug/networking/managing-coredns.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/managing-kube-proxy.adoc b/latest/ug/networking/managing-kube-proxy.adoc index b6b76a3de..c9f86d5e5 100644 --- a/latest/ug/networking/managing-kube-proxy.adoc +++ b/latest/ug/networking/managing-kube-proxy.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/managing-vpc-cni.adoc b/latest/ug/networking/managing-vpc-cni.adoc index 8eb48d5e2..31807e7f0 100644 --- a/latest/ug/networking/managing-vpc-cni.adoc +++ b/latest/ug/networking/managing-vpc-cni.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/network-policies-troubleshooting.adoc b/latest/ug/networking/network-policies-troubleshooting.adoc index a47df2006..0355db141 100644 --- a/latest/ug/networking/network-policies-troubleshooting.adoc +++ b/latest/ug/networking/network-policies-troubleshooting.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/network-policy-disable.adoc b/latest/ug/networking/network-policy-disable.adoc index 99359ee48..36fb68468 100644 --- a/latest/ug/networking/network-policy-disable.adoc +++ b/latest/ug/networking/network-policy-disable.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/network-policy-stars-demo.adoc b/latest/ug/networking/network-policy-stars-demo.adoc index 512e7fdd7..42d576f26 100644 --- a/latest/ug/networking/network-policy-stars-demo.adoc +++ b/latest/ug/networking/network-policy-stars-demo.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/network-reqs.adoc b/latest/ug/networking/network-reqs.adoc index b90c54221..a299022f6 100644 --- a/latest/ug/networking/network-reqs.adoc +++ b/latest/ug/networking/network-reqs.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/pod-multiple-network-interfaces.adoc b/latest/ug/networking/pod-multiple-network-interfaces.adoc index ebfce8b4f..856ea75ca 100644 --- a/latest/ug/networking/pod-multiple-network-interfaces.adoc +++ b/latest/ug/networking/pod-multiple-network-interfaces.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/pod-networking-use-cases.adoc b/latest/ug/networking/pod-networking-use-cases.adoc index fdc657a12..6c8c05c84 100644 --- a/latest/ug/networking/pod-networking-use-cases.adoc +++ b/latest/ug/networking/pod-networking-use-cases.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/sec-group-reqs.adoc b/latest/ug/networking/sec-group-reqs.adoc index 62c9b9bec..17b39d71a 100644 --- a/latest/ug/networking/sec-group-reqs.adoc +++ b/latest/ug/networking/sec-group-reqs.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/security-groups-for-pods.adoc b/latest/ug/networking/security-groups-for-pods.adoc index 27b25ec43..971d389fb 100644 --- a/latest/ug/networking/security-groups-for-pods.adoc +++ b/latest/ug/networking/security-groups-for-pods.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/security-groups-pods-deployment.adoc b/latest/ug/networking/security-groups-pods-deployment.adoc index 2443adc95..9ccce5c70 100644 --- a/latest/ug/networking/security-groups-pods-deployment.adoc +++ b/latest/ug/networking/security-groups-pods-deployment.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/sg-pods-example-deployment.adoc b/latest/ug/networking/sg-pods-example-deployment.adoc index fbd12ab90..5c04a5528 100644 --- a/latest/ug/networking/sg-pods-example-deployment.adoc +++ b/latest/ug/networking/sg-pods-example-deployment.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/vpc-add-on-create.adoc b/latest/ug/networking/vpc-add-on-create.adoc index a58ac8b8b..035086adf 100644 --- a/latest/ug/networking/vpc-add-on-create.adoc +++ b/latest/ug/networking/vpc-add-on-create.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/vpc-add-on-self-managed-update.adoc b/latest/ug/networking/vpc-add-on-self-managed-update.adoc index f066b7cfd..e50b049a4 100644 --- a/latest/ug/networking/vpc-add-on-self-managed-update.adoc +++ b/latest/ug/networking/vpc-add-on-self-managed-update.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/networking/vpc-add-on-update.adoc b/latest/ug/networking/vpc-add-on-update.adoc index e051a4575..ab11750a7 100644 --- a/latest/ug/networking/vpc-add-on-update.adoc +++ b/latest/ug/networking/vpc-add-on-update.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/al2023.adoc b/latest/ug/nodes/al2023.adoc index eb17bc5f9..271bb1375 100644 --- a/latest/ug/nodes/al2023.adoc +++ b/latest/ug/nodes/al2023.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/auto-get-logs.adoc b/latest/ug/nodes/auto-get-logs.adoc index a8cc2dd04..9f2fd4c7d 100644 --- a/latest/ug/nodes/auto-get-logs.adoc +++ b/latest/ug/nodes/auto-get-logs.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/bottlerocket-compliance-support.adoc b/latest/ug/nodes/bottlerocket-compliance-support.adoc index 09b77c6e0..185a3e629 100644 --- a/latest/ug/nodes/bottlerocket-compliance-support.adoc +++ b/latest/ug/nodes/bottlerocket-compliance-support.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/choosing-instance-type.adoc b/latest/ug/nodes/choosing-instance-type.adoc index 6b68cad24..e1480abba 100644 --- a/latest/ug/nodes/choosing-instance-type.adoc +++ b/latest/ug/nodes/choosing-instance-type.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/create-managed-node-group.adoc b/latest/ug/nodes/create-managed-node-group.adoc index 0ad00e6d8..d697be19f 100644 --- a/latest/ug/nodes/create-managed-node-group.adoc +++ b/latest/ug/nodes/create-managed-node-group.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/delete-fargate-profile.adoc b/latest/ug/nodes/delete-fargate-profile.adoc index ed8d19c46..55a63a52e 100644 --- a/latest/ug/nodes/delete-fargate-profile.adoc +++ b/latest/ug/nodes/delete-fargate-profile.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/delete-managed-node-group.adoc b/latest/ug/nodes/delete-managed-node-group.adoc index 22e86e00c..ec4cb6b07 100644 --- a/latest/ug/nodes/delete-managed-node-group.adoc +++ b/latest/ug/nodes/delete-managed-node-group.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/dockershim-deprecation.adoc b/latest/ug/nodes/dockershim-deprecation.adoc index f471fef64..7db40f7f1 100644 --- a/latest/ug/nodes/dockershim-deprecation.adoc +++ b/latest/ug/nodes/dockershim-deprecation.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/eks-ami-build-scripts.adoc b/latest/ug/nodes/eks-ami-build-scripts.adoc index 18692e4c7..d4e3f6156 100644 --- a/latest/ug/nodes/eks-ami-build-scripts.adoc +++ b/latest/ug/nodes/eks-ami-build-scripts.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc b/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc index 4cb1bfa0a..fcd9d9bcd 100644 --- a/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc +++ b/latest/ug/nodes/eks-ami-versions-bottlerocket.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/eks-ami-versions-windows.adoc b/latest/ug/nodes/eks-ami-versions-windows.adoc index 4c724e8f5..3c66801d7 100644 --- a/latest/ug/nodes/eks-ami-versions-windows.adoc +++ b/latest/ug/nodes/eks-ami-versions-windows.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/eks-compute.adoc b/latest/ug/nodes/eks-compute.adoc index 0f0399ec1..278d50141 100644 --- a/latest/ug/nodes/eks-compute.adoc +++ b/latest/ug/nodes/eks-compute.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [#eks-compute] diff --git a/latest/ug/nodes/eks-custom-ami-windows.adoc b/latest/ug/nodes/eks-custom-ami-windows.adoc index fc3348b8f..c2579f93b 100644 --- a/latest/ug/nodes/eks-custom-ami-windows.adoc +++ b/latest/ug/nodes/eks-custom-ami-windows.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/eks-linux-ami-versions.adoc b/latest/ug/nodes/eks-linux-ami-versions.adoc index fd2991f57..ce7f7df46 100644 --- a/latest/ug/nodes/eks-linux-ami-versions.adoc +++ b/latest/ug/nodes/eks-linux-ami-versions.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc b/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc index 106cf160e..4013d2caa 100644 --- a/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc +++ b/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/eks-optimized-ami.adoc b/latest/ug/nodes/eks-optimized-ami.adoc index 998b62007..99c457c2e 100644 --- a/latest/ug/nodes/eks-optimized-ami.adoc +++ b/latest/ug/nodes/eks-optimized-ami.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/eks-optimized-amis.adoc b/latest/ug/nodes/eks-optimized-amis.adoc index 6ba62413a..032bf5709 100644 --- a/latest/ug/nodes/eks-optimized-amis.adoc +++ b/latest/ug/nodes/eks-optimized-amis.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/eks-optimized-windows-ami.adoc b/latest/ug/nodes/eks-optimized-windows-ami.adoc index 4ce8c2225..f41c6d2f5 100644 --- a/latest/ug/nodes/eks-optimized-windows-ami.adoc +++ b/latest/ug/nodes/eks-optimized-windows-ami.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/eks-partner-amis.adoc b/latest/ug/nodes/eks-partner-amis.adoc index 1a27433ed..1df5547eb 100644 --- a/latest/ug/nodes/eks-partner-amis.adoc +++ b/latest/ug/nodes/eks-partner-amis.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/fargate-getting-started.adoc b/latest/ug/nodes/fargate-getting-started.adoc index 08707d526..ceb264c20 100644 --- a/latest/ug/nodes/fargate-getting-started.adoc +++ b/latest/ug/nodes/fargate-getting-started.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/fargate-logging.adoc b/latest/ug/nodes/fargate-logging.adoc index 73a08f4eb..31ab7724c 100644 --- a/latest/ug/nodes/fargate-logging.adoc +++ b/latest/ug/nodes/fargate-logging.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/fargate-pod-configuration.adoc b/latest/ug/nodes/fargate-pod-configuration.adoc index 3501bfee3..dcc438985 100644 --- a/latest/ug/nodes/fargate-pod-configuration.adoc +++ b/latest/ug/nodes/fargate-pod-configuration.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/fargate-pod-patching.adoc b/latest/ug/nodes/fargate-pod-patching.adoc index e99cdd4cd..55a6a381c 100644 --- a/latest/ug/nodes/fargate-pod-patching.adoc +++ b/latest/ug/nodes/fargate-pod-patching.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/fargate-profile.adoc b/latest/ug/nodes/fargate-profile.adoc index 5dddc97ce..48a7ff4a5 100644 --- a/latest/ug/nodes/fargate-profile.adoc +++ b/latest/ug/nodes/fargate-profile.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/fargate.adoc b/latest/ug/nodes/fargate.adoc index a97f2f539..3c146c2df 100644 --- a/latest/ug/nodes/fargate.adoc +++ b/latest/ug/nodes/fargate.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/hybrid-nodes-add-ons.adoc b/latest/ug/nodes/hybrid-nodes-add-ons.adoc index 78a68fcd0..5378643f5 100644 --- a/latest/ug/nodes/hybrid-nodes-add-ons.adoc +++ b/latest/ug/nodes/hybrid-nodes-add-ons.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc index 6a1bf1caa..305aa1318 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc b/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc index 72d6920c6..cd7b5952c 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-prep.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/hybrid-nodes-cni.adoc b/latest/ug/nodes/hybrid-nodes-cni.adoc index 2555233db..4adc81ea4 100644 --- a/latest/ug/nodes/hybrid-nodes-cni.adoc +++ b/latest/ug/nodes/hybrid-nodes-cni.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/hybrid-nodes-creds.adoc b/latest/ug/nodes/hybrid-nodes-creds.adoc index f248b0ddf..ad9234214 100644 --- a/latest/ug/nodes/hybrid-nodes-creds.adoc +++ b/latest/ug/nodes/hybrid-nodes-creds.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/hybrid-nodes-join.adoc b/latest/ug/nodes/hybrid-nodes-join.adoc index 8516f8700..7bd229c0b 100644 --- a/latest/ug/nodes/hybrid-nodes-join.adoc +++ b/latest/ug/nodes/hybrid-nodes-join.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/hybrid-nodes-networking.adoc b/latest/ug/nodes/hybrid-nodes-networking.adoc index f94df7135..a04ece3ee 100644 --- a/latest/ug/nodes/hybrid-nodes-networking.adoc +++ b/latest/ug/nodes/hybrid-nodes-networking.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc index 29a0a6d38..2cff230b1 100644 --- a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc +++ b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/hybrid-nodes-os.adoc b/latest/ug/nodes/hybrid-nodes-os.adoc index 0ce108456..af8e76818 100644 --- a/latest/ug/nodes/hybrid-nodes-os.adoc +++ b/latest/ug/nodes/hybrid-nodes-os.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/hybrid-nodes-overview.adoc b/latest/ug/nodes/hybrid-nodes-overview.adoc index 2836c665e..cb01ea011 100644 --- a/latest/ug/nodes/hybrid-nodes-overview.adoc +++ b/latest/ug/nodes/hybrid-nodes-overview.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/hybrid-nodes-prereqs.adoc b/latest/ug/nodes/hybrid-nodes-prereqs.adoc index 4f241a2b8..73c2e26e2 100644 --- a/latest/ug/nodes/hybrid-nodes-prereqs.adoc +++ b/latest/ug/nodes/hybrid-nodes-prereqs.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/hybrid-nodes-proxy.adoc b/latest/ug/nodes/hybrid-nodes-proxy.adoc index 79a5d717b..2f9ab98a0 100644 --- a/latest/ug/nodes/hybrid-nodes-proxy.adoc +++ b/latest/ug/nodes/hybrid-nodes-proxy.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/hybrid-nodes-remove.adoc b/latest/ug/nodes/hybrid-nodes-remove.adoc index f28badbc3..02d199415 100644 --- a/latest/ug/nodes/hybrid-nodes-remove.adoc +++ b/latest/ug/nodes/hybrid-nodes-remove.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc index 6e2f6a5ac..9d7b701c7 100644 --- a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc +++ b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/hybrid-nodes-tutorial.adoc b/latest/ug/nodes/hybrid-nodes-tutorial.adoc index ed7303049..dcf3af7f0 100644 --- a/latest/ug/nodes/hybrid-nodes-tutorial.adoc +++ b/latest/ug/nodes/hybrid-nodes-tutorial.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/hybrid-nodes-upgrade.adoc b/latest/ug/nodes/hybrid-nodes-upgrade.adoc index 4d9dd5fa6..b68c0a992 100644 --- a/latest/ug/nodes/hybrid-nodes-upgrade.adoc +++ b/latest/ug/nodes/hybrid-nodes-upgrade.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/launch-node-bottlerocket.adoc b/latest/ug/nodes/launch-node-bottlerocket.adoc index cb2b9ed2b..74c4600a7 100644 --- a/latest/ug/nodes/launch-node-bottlerocket.adoc +++ b/latest/ug/nodes/launch-node-bottlerocket.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/launch-node-ubuntu.adoc b/latest/ug/nodes/launch-node-ubuntu.adoc index 8e89660f4..98dc35078 100644 --- a/latest/ug/nodes/launch-node-ubuntu.adoc +++ b/latest/ug/nodes/launch-node-ubuntu.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/launch-templates.adoc b/latest/ug/nodes/launch-templates.adoc index 9a2f6d9ee..cc13c7523 100644 --- a/latest/ug/nodes/launch-templates.adoc +++ b/latest/ug/nodes/launch-templates.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/launch-windows-workers.adoc b/latest/ug/nodes/launch-windows-workers.adoc index 416e07ecd..a7238b768 100644 --- a/latest/ug/nodes/launch-windows-workers.adoc +++ b/latest/ug/nodes/launch-windows-workers.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/launch-workers.adoc b/latest/ug/nodes/launch-workers.adoc index 1a8a4a774..3cd62fcf1 100644 --- a/latest/ug/nodes/launch-workers.adoc +++ b/latest/ug/nodes/launch-workers.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/learn-status-conditions.adoc b/latest/ug/nodes/learn-status-conditions.adoc index 3d3d48d4a..49e227306 100644 --- a/latest/ug/nodes/learn-status-conditions.adoc +++ b/latest/ug/nodes/learn-status-conditions.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/managed-node-groups.adoc b/latest/ug/nodes/managed-node-groups.adoc index 235e79df1..0b4d75e4b 100644 --- a/latest/ug/nodes/managed-node-groups.adoc +++ b/latest/ug/nodes/managed-node-groups.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/managed-node-update-behavior.adoc b/latest/ug/nodes/managed-node-update-behavior.adoc index 639bc6eb7..36677a1a5 100644 --- a/latest/ug/nodes/managed-node-update-behavior.adoc +++ b/latest/ug/nodes/managed-node-update-behavior.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/migrate-stack.adoc b/latest/ug/nodes/migrate-stack.adoc index c31638f9e..0b3f6768f 100644 --- a/latest/ug/nodes/migrate-stack.adoc +++ b/latest/ug/nodes/migrate-stack.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/monitoring-fargate-usage.adoc b/latest/ug/nodes/monitoring-fargate-usage.adoc index 4692e3cab..454f2c3ac 100644 --- a/latest/ug/nodes/monitoring-fargate-usage.adoc +++ b/latest/ug/nodes/monitoring-fargate-usage.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/node-health.adoc b/latest/ug/nodes/node-health.adoc index ada260606..e94a4b0d0 100644 --- a/latest/ug/nodes/node-health.adoc +++ b/latest/ug/nodes/node-health.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc b/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc index 32f277e61..1aebe11f4 100644 --- a/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc +++ b/latest/ug/nodes/retrieve-ami-id-bottlerocket.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/retrieve-ami-id.adoc b/latest/ug/nodes/retrieve-ami-id.adoc index 5ad9c8f4b..df08bef91 100644 --- a/latest/ug/nodes/retrieve-ami-id.adoc +++ b/latest/ug/nodes/retrieve-ami-id.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/retrieve-windows-ami-id.adoc b/latest/ug/nodes/retrieve-windows-ami-id.adoc index 2469dca1d..d391f82cd 100644 --- a/latest/ug/nodes/retrieve-windows-ami-id.adoc +++ b/latest/ug/nodes/retrieve-windows-ami-id.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/self-managed-windows-server-2022.adoc b/latest/ug/nodes/self-managed-windows-server-2022.adoc index 32c64dc45..ff20f858d 100644 --- a/latest/ug/nodes/self-managed-windows-server-2022.adoc +++ b/latest/ug/nodes/self-managed-windows-server-2022.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/update-managed-node-group.adoc b/latest/ug/nodes/update-managed-node-group.adoc index 3387a4994..8f146a8d2 100644 --- a/latest/ug/nodes/update-managed-node-group.adoc +++ b/latest/ug/nodes/update-managed-node-group.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/update-stack.adoc b/latest/ug/nodes/update-stack.adoc index ad0d85e22..be0aae614 100644 --- a/latest/ug/nodes/update-stack.adoc +++ b/latest/ug/nodes/update-stack.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/update-workers.adoc b/latest/ug/nodes/update-workers.adoc index 4fad9907e..59532c86b 100644 --- a/latest/ug/nodes/update-workers.adoc +++ b/latest/ug/nodes/update-workers.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/nodes/worker.adoc b/latest/ug/nodes/worker.adoc index 81e7e997f..37202c511 100644 --- a/latest/ug/nodes/worker.adoc +++ b/latest/ug/nodes/worker.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/observability/cloudwatch.adoc b/latest/ug/observability/cloudwatch.adoc index 756bd0b64..f5125ad52 100644 --- a/latest/ug/observability/cloudwatch.adoc +++ b/latest/ug/observability/cloudwatch.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/observability/control-plane-logs.adoc b/latest/ug/observability/control-plane-logs.adoc index ffd3f0951..ddf9c54d7 100644 --- a/latest/ug/observability/control-plane-logs.adoc +++ b/latest/ug/observability/control-plane-logs.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/observability/deploy-prometheus.adoc b/latest/ug/observability/deploy-prometheus.adoc index fde340593..7deda581a 100644 --- a/latest/ug/observability/deploy-prometheus.adoc +++ b/latest/ug/observability/deploy-prometheus.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/observability/eks-observe.adoc b/latest/ug/observability/eks-observe.adoc index 5709658e6..67f6506d9 100644 --- a/latest/ug/observability/eks-observe.adoc +++ b/latest/ug/observability/eks-observe.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [#eks-observe] diff --git a/latest/ug/observability/enable-asg-metrics.adoc b/latest/ug/observability/enable-asg-metrics.adoc index 97448cab9..64f91c0de 100644 --- a/latest/ug/observability/enable-asg-metrics.adoc +++ b/latest/ug/observability/enable-asg-metrics.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/observability/logging-using-cloudtrail.adoc b/latest/ug/observability/logging-using-cloudtrail.adoc index deee5dcb5..b4b45b6db 100644 --- a/latest/ug/observability/logging-using-cloudtrail.adoc +++ b/latest/ug/observability/logging-using-cloudtrail.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/observability/observability-dashboard.adoc b/latest/ug/observability/observability-dashboard.adoc index ae8ac116e..5429a4270 100644 --- a/latest/ug/observability/observability-dashboard.adoc +++ b/latest/ug/observability/observability-dashboard.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/observability/opentelemetry.adoc b/latest/ug/observability/opentelemetry.adoc index ec2a9a8b0..bc9c3db9f 100644 --- a/latest/ug/observability/opentelemetry.adoc +++ b/latest/ug/observability/opentelemetry.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/observability/prometheus.adoc b/latest/ug/observability/prometheus.adoc index 6c82d652b..0d71045cc 100644 --- a/latest/ug/observability/prometheus.adoc +++ b/latest/ug/observability/prometheus.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/observability/service-name-info-in-cloudtrail.adoc b/latest/ug/observability/service-name-info-in-cloudtrail.adoc index 4383b897b..6b4ea4d66 100644 --- a/latest/ug/observability/service-name-info-in-cloudtrail.adoc +++ b/latest/ug/observability/service-name-info-in-cloudtrail.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/observability/understanding-service-name-entries.adoc b/latest/ug/observability/understanding-service-name-entries.adoc index 2d203c82e..0516c972f 100644 --- a/latest/ug/observability/understanding-service-name-entries.adoc +++ b/latest/ug/observability/understanding-service-name-entries.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/observability/view-raw-metrics.adoc b/latest/ug/observability/view-raw-metrics.adoc index a58d94858..6164ad744 100644 --- a/latest/ug/observability/view-raw-metrics.adoc +++ b/latest/ug/observability/view-raw-metrics.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts-capacity-considerations.adoc b/latest/ug/outposts/eks-outposts-capacity-considerations.adoc index c07b8fc4b..1bdeb0576 100644 --- a/latest/ug/outposts/eks-outposts-capacity-considerations.adoc +++ b/latest/ug/outposts/eks-outposts-capacity-considerations.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts-local-cluster-create.adoc b/latest/ug/outposts/eks-outposts-local-cluster-create.adoc index 0171fe8de..af80858c9 100644 --- a/latest/ug/outposts/eks-outposts-local-cluster-create.adoc +++ b/latest/ug/outposts/eks-outposts-local-cluster-create.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc b/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc index 12cf48a42..01b31ae90 100644 --- a/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc +++ b/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts-network-disconnects.adoc b/latest/ug/outposts/eks-outposts-network-disconnects.adoc index cbac7c252..d6992a9dd 100644 --- a/latest/ug/outposts/eks-outposts-network-disconnects.adoc +++ b/latest/ug/outposts/eks-outposts-network-disconnects.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts-platform-versions.adoc b/latest/ug/outposts/eks-outposts-platform-versions.adoc index b52f2cdb4..83d140669 100644 --- a/latest/ug/outposts/eks-outposts-platform-versions.adoc +++ b/latest/ug/outposts/eks-outposts-platform-versions.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc index 522a024dc..16b9b265f 100644 --- a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc +++ b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts-troubleshooting.adoc b/latest/ug/outposts/eks-outposts-troubleshooting.adoc index 51b19b4b6..4e08bc1bc 100644 --- a/latest/ug/outposts/eks-outposts-troubleshooting.adoc +++ b/latest/ug/outposts/eks-outposts-troubleshooting.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc b/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc index 2f8ba7fb5..f13a8b106 100644 --- a/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc +++ b/latest/ug/outposts/eks-outposts-vpc-subnet-requirements.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/outposts/eks-outposts.adoc b/latest/ug/outposts/eks-outposts.adoc index 6c8cf0d06..10dbd53c3 100644 --- a/latest/ug/outposts/eks-outposts.adoc +++ b/latest/ug/outposts/eks-outposts.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [#eks-outposts] diff --git a/latest/ug/quickstart.adoc b/latest/ug/quickstart.adoc index 7298aa84e..640612e6d 100644 --- a/latest/ug/quickstart.adoc +++ b/latest/ug/quickstart.adoc @@ -1,4 +1,4 @@ -:doctype: book +include::attributes.txt[] [.topic] [#quickstart] @@ -6,8 +6,6 @@ :info_titleabbrev: Quickstart :keywords: quickstart, web, cluster -include::attributes.txt[] - [abstract] -- Deploy a game application and persist its data on Amazon EKS diff --git a/latest/ug/related-projects.adoc b/latest/ug/related-projects.adoc index 6a809e053..66a5ed7a7 100644 --- a/latest/ug/related-projects.adoc +++ b/latest/ug/related-projects.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::attributes.txt[] [#related-projects] diff --git a/latest/ug/roadmap.adoc b/latest/ug/roadmap.adoc index 85a252967..0ab1ac917 100644 --- a/latest/ug/roadmap.adoc +++ b/latest/ug/roadmap.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::attributes.txt[] [.topic] diff --git a/latest/ug/security/auto-security.adoc b/latest/ug/security/auto-security.adoc index 260630feb..832de7e61 100644 --- a/latest/ug/security/auto-security.adoc +++ b/latest/ug/security/auto-security.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/security/cert-signing.adoc b/latest/ug/security/cert-signing.adoc index a9c336177..e23dbe2ac 100644 --- a/latest/ug/security/cert-signing.adoc +++ b/latest/ug/security/cert-signing.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/security/compliance.adoc b/latest/ug/security/compliance.adoc index 2e8e86a63..f0a689557 100644 --- a/latest/ug/security/compliance.adoc +++ b/latest/ug/security/compliance.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/security/configuration-vulnerability-analysis.adoc b/latest/ug/security/configuration-vulnerability-analysis.adoc index 4e4639fb9..952bc995e 100644 --- a/latest/ug/security/configuration-vulnerability-analysis.adoc +++ b/latest/ug/security/configuration-vulnerability-analysis.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/security/default-roles-users.adoc b/latest/ug/security/default-roles-users.adoc index ef21f9ee7..89122f1bf 100644 --- a/latest/ug/security/default-roles-users.adoc +++ b/latest/ug/security/default-roles-users.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/security/disaster-recovery-resiliency.adoc b/latest/ug/security/disaster-recovery-resiliency.adoc index 69efa6ec0..7bc742c28 100644 --- a/latest/ug/security/disaster-recovery-resiliency.adoc +++ b/latest/ug/security/disaster-recovery-resiliency.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/security/enable-kms.adoc b/latest/ug/security/enable-kms.adoc index 67d3ae054..1e49ee4ee 100644 --- a/latest/ug/security/enable-kms.adoc +++ b/latest/ug/security/enable-kms.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/security/envelope-encryption.adoc b/latest/ug/security/envelope-encryption.adoc index 344f7a9c9..7709b9283 100644 --- a/latest/ug/security/envelope-encryption.adoc +++ b/latest/ug/security/envelope-encryption.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc b/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc index 8466cec66..68ff541d4 100644 --- a/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc +++ b/latest/ug/security/iam-reference/auto-cluster-iam-role.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/security/iam-reference/auto-create-node-role.adoc b/latest/ug/security/iam-reference/auto-create-node-role.adoc index 8ea6fd01b..d46ecb425 100644 --- a/latest/ug/security/iam-reference/auto-create-node-role.adoc +++ b/latest/ug/security/iam-reference/auto-create-node-role.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/security/iam-reference/cluster-iam-role.adoc b/latest/ug/security/iam-reference/cluster-iam-role.adoc index 13cb34f29..72ac03360 100644 --- a/latest/ug/security/iam-reference/cluster-iam-role.adoc +++ b/latest/ug/security/iam-reference/cluster-iam-role.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/security/iam-reference/connector-iam-role.adoc b/latest/ug/security/iam-reference/connector-iam-role.adoc index aa6432853..43218577d 100644 --- a/latest/ug/security/iam-reference/connector-iam-role.adoc +++ b/latest/ug/security/iam-reference/connector-iam-role.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/security/iam-reference/create-node-role.adoc b/latest/ug/security/iam-reference/create-node-role.adoc index 8619e20f1..a62442234 100644 --- a/latest/ug/security/iam-reference/create-node-role.adoc +++ b/latest/ug/security/iam-reference/create-node-role.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/security/iam-reference/pod-execution-role.adoc b/latest/ug/security/iam-reference/pod-execution-role.adoc index e8e41e9e1..955930fad 100644 --- a/latest/ug/security/iam-reference/pod-execution-role.adoc +++ b/latest/ug/security/iam-reference/pod-execution-role.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc index 8221ed9e4..401c013f3 100644 --- a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc +++ b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc b/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc index 5fe835e6d..340feb6a6 100644 --- a/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc +++ b/latest/ug/security/iam-reference/security-iam-id-based-policy-examples.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc b/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc index 76214156b..f2df38b52 100644 --- a/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc +++ b/latest/ug/security/iam-reference/security-iam-service-with-iam.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc b/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc index 449a4bb56..de58e8e2c 100644 --- a/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc +++ b/latest/ug/security/iam-reference/security-iam-troubleshoot.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/security/iam-reference/security-iam.adoc b/latest/ug/security/iam-reference/security-iam.adoc index b4434710d..e5c0da53a 100644 --- a/latest/ug/security/iam-reference/security-iam.adoc +++ b/latest/ug/security/iam-reference/security-iam.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc index de488f0b7..20e994bb2 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-connector.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc index 5b388788e..9989b46df 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-fargate.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc index c65f54cda..50d9d1ff6 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-nodegroups.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc index 0c806bf3c..4865db464 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks-outpost.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc b/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc index 79037a50a..47bafbf00 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles-eks.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/security/iam-reference/using-service-linked-roles.adoc b/latest/ug/security/iam-reference/using-service-linked-roles.adoc index 421cda0c6..8d3dddb6c 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../../attributes.txt[] [.topic] diff --git a/latest/ug/security/infrastructure-security.adoc b/latest/ug/security/infrastructure-security.adoc index 35389a22b..6350fdbc0 100644 --- a/latest/ug/security/infrastructure-security.adoc +++ b/latest/ug/security/infrastructure-security.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/security/manage-secrets.adoc b/latest/ug/security/manage-secrets.adoc index d4b64daae..b66e0fee4 100644 --- a/latest/ug/security/manage-secrets.adoc +++ b/latest/ug/security/manage-secrets.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/security/pod-security-policy-removal-faq.adoc b/latest/ug/security/pod-security-policy-removal-faq.adoc index 6f29c0230..0ed61dd9d 100644 --- a/latest/ug/security/pod-security-policy-removal-faq.adoc +++ b/latest/ug/security/pod-security-policy-removal-faq.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/security/pod-security-policy.adoc b/latest/ug/security/pod-security-policy.adoc index c4876c890..e2dc81613 100644 --- a/latest/ug/security/pod-security-policy.adoc +++ b/latest/ug/security/pod-security-policy.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/security/security-best-practices.adoc b/latest/ug/security/security-best-practices.adoc index 30c7f739b..b5cf74080 100644 --- a/latest/ug/security/security-best-practices.adoc +++ b/latest/ug/security/security-best-practices.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/security/security-eks.adoc b/latest/ug/security/security-eks.adoc index 07da59550..df92aa92a 100644 --- a/latest/ug/security/security-eks.adoc +++ b/latest/ug/security/security-eks.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/security/security-k8s.adoc b/latest/ug/security/security-k8s.adoc index d136f931b..db44d29c1 100644 --- a/latest/ug/security/security-k8s.adoc +++ b/latest/ug/security/security-k8s.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/security/security.adoc b/latest/ug/security/security.adoc index 0b1770ab4..2a1be3c74 100644 --- a/latest/ug/security/security.adoc +++ b/latest/ug/security/security.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/security/vpc-interface-endpoints.adoc b/latest/ug/security/vpc-interface-endpoints.adoc index 8097cfd0f..fac0fd579 100644 --- a/latest/ug/security/vpc-interface-endpoints.adoc +++ b/latest/ug/security/vpc-interface-endpoints.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/storage/csi-snapshot-controller.adoc b/latest/ug/storage/csi-snapshot-controller.adoc index 27d1b5d85..be4349e34 100644 --- a/latest/ug/storage/csi-snapshot-controller.adoc +++ b/latest/ug/storage/csi-snapshot-controller.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/storage/ebs-csi.adoc b/latest/ug/storage/ebs-csi.adoc index 7e016a63e..6a01a5f84 100644 --- a/latest/ug/storage/ebs-csi.adoc +++ b/latest/ug/storage/ebs-csi.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/storage/efs-csi.adoc b/latest/ug/storage/efs-csi.adoc index 935a43d70..c6cc63ccf 100644 --- a/latest/ug/storage/efs-csi.adoc +++ b/latest/ug/storage/efs-csi.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/storage/file-cache-csi.adoc b/latest/ug/storage/file-cache-csi.adoc index 029dc9337..6a55703c7 100644 --- a/latest/ug/storage/file-cache-csi.adoc +++ b/latest/ug/storage/file-cache-csi.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/storage/fsx-csi.adoc b/latest/ug/storage/fsx-csi.adoc index f61eb9170..d55f64677 100644 --- a/latest/ug/storage/fsx-csi.adoc +++ b/latest/ug/storage/fsx-csi.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/storage/fsx-ontap.adoc b/latest/ug/storage/fsx-ontap.adoc index 3d7586d67..e802d910d 100644 --- a/latest/ug/storage/fsx-ontap.adoc +++ b/latest/ug/storage/fsx-ontap.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/storage/fsx-openzfs-csi.adoc b/latest/ug/storage/fsx-openzfs-csi.adoc index 7136a1eb3..44e05516b 100644 --- a/latest/ug/storage/fsx-openzfs-csi.adoc +++ b/latest/ug/storage/fsx-openzfs-csi.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/storage/s3-csi.adoc b/latest/ug/storage/s3-csi.adoc index 10b8a6699..f2db32c9a 100644 --- a/latest/ug/storage/s3-csi.adoc +++ b/latest/ug/storage/s3-csi.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/storage/storage.adoc b/latest/ug/storage/storage.adoc index 6a440748e..cbacf3f18 100644 --- a/latest/ug/storage/storage.adoc +++ b/latest/ug/storage/storage.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [#storage] diff --git a/latest/ug/troubleshooting/troubleshooting.adoc b/latest/ug/troubleshooting/troubleshooting.adoc index f7ce122bf..de762da5e 100644 --- a/latest/ug/troubleshooting/troubleshooting.adoc +++ b/latest/ug/troubleshooting/troubleshooting.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [#troubleshooting] diff --git a/latest/ug/what-is/common-use-cases.adoc b/latest/ug/what-is/common-use-cases.adoc index 17244cdc0..c51359bff 100644 --- a/latest/ug/what-is/common-use-cases.adoc +++ b/latest/ug/what-is/common-use-cases.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/what-is/eks-architecture.adoc b/latest/ug/what-is/eks-architecture.adoc index 6023b40bb..8a573f10b 100644 --- a/latest/ug/what-is/eks-architecture.adoc +++ b/latest/ug/what-is/eks-architecture.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/what-is/eks-deployment-options.adoc b/latest/ug/what-is/eks-deployment-options.adoc index 6e1d9629e..56c45a4bd 100644 --- a/latest/ug/what-is/eks-deployment-options.adoc +++ b/latest/ug/what-is/eks-deployment-options.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/what-is/kubernetes-concepts.adoc b/latest/ug/what-is/kubernetes-concepts.adoc index b59807c22..8337ad4b1 100644 --- a/latest/ug/what-is/kubernetes-concepts.adoc +++ b/latest/ug/what-is/kubernetes-concepts.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index 07e1cad9e..242b2be3e 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/workloads/add-ons-iam.adoc b/latest/ug/workloads/add-ons-iam.adoc index 435ebbfd2..4fd23a9b9 100644 --- a/latest/ug/workloads/add-ons-iam.adoc +++ b/latest/ug/workloads/add-ons-iam.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/workloads/add-ons-images.adoc b/latest/ug/workloads/add-ons-images.adoc index a49d36078..00419ad96 100644 --- a/latest/ug/workloads/add-ons-images.adoc +++ b/latest/ug/workloads/add-ons-images.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/workloads/addon-compat.adoc b/latest/ug/workloads/addon-compat.adoc index 63e4b44ec..734cc0131 100644 --- a/latest/ug/workloads/addon-compat.adoc +++ b/latest/ug/workloads/addon-compat.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/workloads/addon-id-troubleshoot.adoc b/latest/ug/workloads/addon-id-troubleshoot.adoc index 790a4b02d..7d78f4a23 100644 --- a/latest/ug/workloads/addon-id-troubleshoot.adoc +++ b/latest/ug/workloads/addon-id-troubleshoot.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/workloads/alb-ingress.adoc b/latest/ug/workloads/alb-ingress.adoc index 9b869468c..4efb5c99a 100644 --- a/latest/ug/workloads/alb-ingress.adoc +++ b/latest/ug/workloads/alb-ingress.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/workloads/community-addons.adoc b/latest/ug/workloads/community-addons.adoc index 67fbd280e..9758deeb4 100644 --- a/latest/ug/workloads/community-addons.adoc +++ b/latest/ug/workloads/community-addons.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/workloads/copy-image-to-repository.adoc b/latest/ug/workloads/copy-image-to-repository.adoc index 9d8d12490..7cab87baf 100644 --- a/latest/ug/workloads/copy-image-to-repository.adoc +++ b/latest/ug/workloads/copy-image-to-repository.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/workloads/creating-an-add-on.adoc b/latest/ug/workloads/creating-an-add-on.adoc index c2521014f..9899ec5a3 100644 --- a/latest/ug/workloads/creating-an-add-on.adoc +++ b/latest/ug/workloads/creating-an-add-on.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/workloads/eks-add-ons.adoc b/latest/ug/workloads/eks-add-ons.adoc index f12edbc3a..79050237c 100644 --- a/latest/ug/workloads/eks-add-ons.adoc +++ b/latest/ug/workloads/eks-add-ons.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/workloads/eks-workloads.adoc b/latest/ug/workloads/eks-workloads.adoc index bb5ab8ad3..e43f6b339 100644 --- a/latest/ug/workloads/eks-workloads.adoc +++ b/latest/ug/workloads/eks-workloads.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [#eks-workloads] diff --git a/latest/ug/workloads/horizontal-pod-autoscaler.adoc b/latest/ug/workloads/horizontal-pod-autoscaler.adoc index 8cefaf0d0..f983406b0 100644 --- a/latest/ug/workloads/horizontal-pod-autoscaler.adoc +++ b/latest/ug/workloads/horizontal-pod-autoscaler.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/workloads/image-verification.adoc b/latest/ug/workloads/image-verification.adoc index 2496bd20c..c02d9dc7e 100644 --- a/latest/ug/workloads/image-verification.adoc +++ b/latest/ug/workloads/image-verification.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/workloads/kubernetes-field-management.adoc b/latest/ug/workloads/kubernetes-field-management.adoc index 0e75a7129..e5466a7d8 100644 --- a/latest/ug/workloads/kubernetes-field-management.adoc +++ b/latest/ug/workloads/kubernetes-field-management.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/workloads/network-load-balancing.adoc b/latest/ug/workloads/network-load-balancing.adoc index 99d512863..046aaa5a8 100644 --- a/latest/ug/workloads/network-load-balancing.adoc +++ b/latest/ug/workloads/network-load-balancing.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/workloads/remove-addon-role.adoc b/latest/ug/workloads/remove-addon-role.adoc index 39bcb3325..3ab469344 100644 --- a/latest/ug/workloads/remove-addon-role.adoc +++ b/latest/ug/workloads/remove-addon-role.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/workloads/removing-an-addon.adoc b/latest/ug/workloads/removing-an-addon.adoc index f3ef01fbf..bfff11ea3 100644 --- a/latest/ug/workloads/removing-an-addon.adoc +++ b/latest/ug/workloads/removing-an-addon.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/workloads/restrict-service-external-ip.adoc b/latest/ug/workloads/restrict-service-external-ip.adoc index 53ba6e4ab..50cc8ea64 100644 --- a/latest/ug/workloads/restrict-service-external-ip.adoc +++ b/latest/ug/workloads/restrict-service-external-ip.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/workloads/retreive-iam-info.adoc b/latest/ug/workloads/retreive-iam-info.adoc index 3500a7518..ca0271e99 100644 --- a/latest/ug/workloads/retreive-iam-info.adoc +++ b/latest/ug/workloads/retreive-iam-info.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/workloads/sample-deployment-windows.adoc b/latest/ug/workloads/sample-deployment-windows.adoc index ff613d5ca..57a0eaef3 100644 --- a/latest/ug/workloads/sample-deployment-windows.adoc +++ b/latest/ug/workloads/sample-deployment-windows.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/workloads/sample-deployment.adoc b/latest/ug/workloads/sample-deployment.adoc index 4a91c18ee..f80c6c11a 100644 --- a/latest/ug/workloads/sample-deployment.adoc +++ b/latest/ug/workloads/sample-deployment.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/workloads/update-addon-role.adoc b/latest/ug/workloads/update-addon-role.adoc index f4cba2e28..c36134aad 100644 --- a/latest/ug/workloads/update-addon-role.adoc +++ b/latest/ug/workloads/update-addon-role.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/workloads/updating-an-add-on.adoc b/latest/ug/workloads/updating-an-add-on.adoc index a3da16cbd..af3586a85 100644 --- a/latest/ug/workloads/updating-an-add-on.adoc +++ b/latest/ug/workloads/updating-an-add-on.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/workloads/vertical-pod-autoscaler.adoc b/latest/ug/workloads/vertical-pod-autoscaler.adoc index 872fd05dc..721a11db2 100644 --- a/latest/ug/workloads/vertical-pod-autoscaler.adoc +++ b/latest/ug/workloads/vertical-pod-autoscaler.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/workloads/workloads-add-ons-available-eks.adoc b/latest/ug/workloads/workloads-add-ons-available-eks.adoc index ebdabbb4d..1ab94027a 100644 --- a/latest/ug/workloads/workloads-add-ons-available-eks.adoc +++ b/latest/ug/workloads/workloads-add-ons-available-eks.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/latest/ug/workloads/workloads-add-ons-available-vendors.adoc b/latest/ug/workloads/workloads-add-ons-available-vendors.adoc index b24562d9a..05ea0065c 100644 --- a/latest/ug/workloads/workloads-add-ons-available-vendors.adoc +++ b/latest/ug/workloads/workloads-add-ons-available-vendors.adoc @@ -1,5 +1,3 @@ -:doctype: book - include::../attributes.txt[] [.topic] diff --git a/team/squish.adoc b/team/squish.adoc index 95a810c38..f81de1222 100644 --- a/team/squish.adoc +++ b/team/squish.adoc @@ -1,5 +1,3 @@ -:doctype: book - = AmazonEKSDocs Git History Squish Procedure == Overview From d20b10b1543c2268bab798a2d3319eaa190d9f40 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Mon, 10 Mar 2025 18:13:01 +0000 Subject: [PATCH 237/940] Moved includes to bottom to be all together in file. --- .../manage-access/k8s-access/access-entries.adoc | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/latest/ug/manage-access/k8s-access/access-entries.adoc b/latest/ug/manage-access/k8s-access/access-entries.adoc index 2f398f32d..737f81766 100644 --- a/latest/ug/manage-access/k8s-access/access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/access-entries.adoc @@ -5,12 +5,6 @@ include::../../attributes.txt[] = Grant IAM users access to Kubernetes with EKS access entries :info_titleabbrev: Grant permissions -include::access-policies.adoc[leveloffset=+1] - -include::migrating-access-entries.adoc[leveloffset=+1] - -include::access-policy-reference.adoc[leveloffset=+1] - [abstract] -- Learn how to manage access entries for IAM principals to your Amazon EKS cluster, including creating, updating, and deleting access entries for fine-grained authentication and authorization. @@ -55,8 +49,14 @@ This access entry shows: NOTE: Previously, this administrative access was granted automatically and couldn't be modified. With EKS access entries enabled, you can now view and delete this legacy access configuration. - [.topic] + +include::access-policies.adoc[leveloffset=+1] + +include::migrating-access-entries.adoc[leveloffset=+1] + +include::access-policy-reference.adoc[leveloffset=+1] + include::setting-up-access-entries.adoc[leveloffset=+1] include::creating-access-entries.adoc[leveloffset=+1] From f0d506a60651d4d54b5368e5763010d82bab14e3 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Mon, 10 Mar 2025 18:48:58 +0000 Subject: [PATCH 238/940] Moved includes to bottom when they do not result in a brazil validation error: 45742 --- .../aws-access/pod-identities.adoc | 1 + .../aws-load-balancer-controller.adoc | 15 +++---- latest/ug/networking/cni-custom-network.adoc | 7 ++-- .../networking/cni-increase-ip-addresses.adoc | 7 ++-- latest/ug/networking/cni-ipv6.adoc | 7 ++-- latest/ug/networking/cni-network-policy.adoc | 19 ++++----- .../ug/networking/eks-networking-add-ons.adoc | 23 +++++------ latest/ug/networking/eks-networking.adoc | 19 ++++----- latest/ug/networking/managing-coredns.adoc | 2 +- latest/ug/networking/managing-kube-proxy.adoc | 7 ++-- latest/ug/networking/managing-vpc-cni.adoc | 39 ++++++++++--------- .../networking/pod-networking-use-cases.adoc | 15 +++---- .../networking/security-groups-for-pods.adoc | 11 +++--- latest/ug/nodes/eks-optimized-ami.adoc | 19 ++++----- latest/ug/nodes/worker.adoc | 23 +++++------ .../eks-outposts-local-cluster-overview.adoc | 27 ++++++------- .../security/iam-reference/security-iam.adoc | 3 +- .../using-service-linked-roles.adoc | 19 ++++----- .../ug/security/infrastructure-security.adoc | 7 ++-- latest/ug/security/security-eks.adoc | 11 +++--- latest/ug/security/security-k8s.adoc | 19 ++++----- latest/ug/security/security.adoc | 31 ++++++++------- latest/ug/workloads/add-ons-iam.adoc | 19 ++++----- 23 files changed, 186 insertions(+), 164 deletions(-) diff --git a/latest/ug/manage-access/aws-access/pod-identities.adoc b/latest/ug/manage-access/aws-access/pod-identities.adoc index e77f07f37..543af965c 100644 --- a/latest/ug/manage-access/aws-access/pod-identities.adoc +++ b/latest/ug/manage-access/aws-access/pod-identities.adoc @@ -146,3 +146,4 @@ You can't use EKS Pod Identities with: * Pods that run anywhere except Linux Amazon EC2 instances. Linux and Windows pods that run on {aws} Fargate (Fargate) aren't supported. Pods that run on Windows Amazon EC2 instances aren't supported. + diff --git a/latest/ug/networking/aws-load-balancer-controller.adoc b/latest/ug/networking/aws-load-balancer-controller.adoc index c78d6db86..78bd73653 100644 --- a/latest/ug/networking/aws-load-balancer-controller.adoc +++ b/latest/ug/networking/aws-load-balancer-controller.adoc @@ -5,12 +5,6 @@ include::../attributes.txt[] = Route internet traffic with {aws} Load Balancer Controller :info_titleabbrev: {aws} Load Balancer Controller -include::lbc-helm.adoc[leveloffset=+1] - -include::lbc-manifest.adoc[leveloffset=+1] - -include::lbc-remove.adoc[leveloffset=+1] - [abstract] -- Learn how to configure and use the {aws} Load Balancer Controller to expose Kubernetes cluster apps to the internet with {aws} Elastic Load Balancing for Kubernetes services and ingresses. @@ -72,4 +66,11 @@ Kubernetes includes a legacy cloud provider for {aws}. The legacy cloud provider In versions 2.5 and newer, the {aws} Load Balancer Controller becomes the default controller for Kubernetes _service_ resources with the `type: LoadBalancer` and makes an {aws} Network Load Balancer (NLB) for each service. It does this by making a mutating webhook for services, which sets the `spec.loadBalancerClass` field to `service.k8s.aws/nlb` for new services of `type: LoadBalancer`. You can turn off this feature and revert to using the https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/#legacy-cloud-provider[legacy Cloud Provider] as the default controller, by setting the helm chart value `enableServiceMutatorWebhook` to `false`. The cluster won't provision new Classic Load Balancers for your services unless you turn off this feature. Existing Classic Load Balancers will continue to work. -==== \ No newline at end of file +==== + +include::lbc-helm.adoc[leveloffset=+1] + +include::lbc-manifest.adoc[leveloffset=+1] + +include::lbc-remove.adoc[leveloffset=+1] + diff --git a/latest/ug/networking/cni-custom-network.adoc b/latest/ug/networking/cni-custom-network.adoc index 6088eb6c6..8121193a8 100644 --- a/latest/ug/networking/cni-custom-network.adoc +++ b/latest/ug/networking/cni-custom-network.adoc @@ -5,8 +5,6 @@ include::../attributes.txt[] = Deploy Pods in alternate subnets with custom networking :info_titleabbrev: Custom networking -include::cni-custom-network-tutorial.adoc[leveloffset=+1] - [abstract] -- Learn how to enable custom networking for Amazon EKS Pods to deploy them in different subnets or use different security groups than the node's primary network interface, increasing IP address availability and network isolation. @@ -30,4 +28,7 @@ The following are considerations for using the feature. * If your cluster uses the `IPv6` family, you can't use custom networking. * If you plan to use custom networking only to help alleviate `IPv4` address exhaustion, you can create a cluster using the `IPv6` family instead. For more information, see <>. * Even though Pods deployed to subnets specified for secondary network interfaces can use different subnet and security groups than the node's primary network interface, the subnets and security groups must be in the same VPC as the node. -* For Fargate, subnets are controlled through the Fargate profile. For more information, see <>. \ No newline at end of file +* For Fargate, subnets are controlled through the Fargate profile. For more information, see <>. + +include::cni-custom-network-tutorial.adoc[leveloffset=+1] + diff --git a/latest/ug/networking/cni-increase-ip-addresses.adoc b/latest/ug/networking/cni-increase-ip-addresses.adoc index 8c806970b..f402b3584 100644 --- a/latest/ug/networking/cni-increase-ip-addresses.adoc +++ b/latest/ug/networking/cni-increase-ip-addresses.adoc @@ -5,8 +5,6 @@ include::../attributes.txt[] = Assign more IP addresses to Amazon EKS nodes with prefixes :info_titleabbrev: Increase IP addresses -include::cni-increase-ip-addresses-procedure.adoc[leveloffset=+1] - [abstract] -- Learn how to significantly increase the number of IP addresses that you can assign to Pods by assigning IP prefixes with Amazon EKS, improving scalability and reducing launch delays for large and spiky workloads. @@ -58,4 +56,7 @@ Consider the following when you use this feature: ** After you configure the add-on to assign prefixes to network interfaces, you can't downgrade your Amazon VPC CNI plugin for Kubernetes add-on to a version lower than `1.9.0` (or `1.10.1`) without removing all nodes in all node groups in your cluster. ** If you're also using security groups for Pods, with `POD_SECURITY_GROUP_ENFORCING_MODE`=``standard`` and `AWS_VPC_K8S_CNI_EXTERNALSNAT`=``false``, when your Pods communicate with endpoints outside of your VPC, the node's security groups are used, rather than any security groups you've assigned to your Pods. + -If you're also using <>, with `POD_SECURITY_GROUP_ENFORCING_MODE`=``strict``, when your `Pods` communicate with endpoints outside of your VPC, the `Pod's` security groups are used. \ No newline at end of file +If you're also using <>, with `POD_SECURITY_GROUP_ENFORCING_MODE`=``strict``, when your `Pods` communicate with endpoints outside of your VPC, the `Pod's` security groups are used. + +include::cni-increase-ip-addresses-procedure.adoc[leveloffset=+1] + diff --git a/latest/ug/networking/cni-ipv6.adoc b/latest/ug/networking/cni-ipv6.adoc index fbb0e3560..47da36859 100644 --- a/latest/ug/networking/cni-ipv6.adoc +++ b/latest/ug/networking/cni-ipv6.adoc @@ -5,8 +5,6 @@ include::../attributes.txt[] = Learn about IPv6 addresses to clusters, Pods, and services :info_titleabbrev: IPv6 -include::deploy-ipv6-cluster.adoc[leveloffset=+1] - [abstract] -- Learn how to deploy an `IPv6` cluster and nodes with Amazon EKS for assigning `IPv6` addresses to Pods and services instead of `IPv4`, leveraging IP prefix delegation and the latest Amazon VPC CNI plugin. @@ -70,4 +68,7 @@ If you don't know the `IPv6` `CIDR` range for your cluster, you can see it with [source,bash,subs="verbatim,attributes"] ---- aws eks describe-cluster --name my-cluster --query cluster.kubernetesNetworkConfig.serviceIpv6Cidr --output text ----- \ No newline at end of file +---- + +include::deploy-ipv6-cluster.adoc[leveloffset=+1] + diff --git a/latest/ug/networking/cni-network-policy.adoc b/latest/ug/networking/cni-network-policy.adoc index 2d56bb6c3..7cf18a558 100644 --- a/latest/ug/networking/cni-network-policy.adoc +++ b/latest/ug/networking/cni-network-policy.adoc @@ -5,14 +5,6 @@ include::../attributes.txt[] = Limit Pod traffic with Kubernetes network policies :info_titleabbrev: Kubernetes policies -include::cni-network-policy-configure.adoc[leveloffset=+1] - -include::network-policy-disable.adoc[leveloffset=+1] - -include::network-policies-troubleshooting.adoc[leveloffset=+1] - -include::network-policy-stars-demo.adoc[leveloffset=+1] - [abstract] -- Learn how to configure your Amazon EKS cluster to use Kubernetes network policies with the Amazon VPC CNI plugin. Control network traffic to and from pods using network policies for enhanced security. Covers network policy considerations, requirements, setup instructions, and troubleshooting tips. @@ -61,4 +53,13 @@ Pods that use _IAM roles for service accounts_ or _EKS Pod Identity_ don't acces * The Amazon VPC CNI plugin for Kubernetes doesn't apply network policies to additional network interfaces for each pod, only the primary interface for each pod (`eth0`). This affects the following architectures: + ** `IPv6` pods with the `ENABLE_V4_EGRESS` variable set to `true`. This variable enables the `IPv4` egress feature to connect the IPv6 pods to `IPv4` endpoints such as those outside the cluster. The `IPv4` egress feature works by creating an additional network interface with a local loopback IPv4 address. -** When using chained network plugins such as Multus. Because these plugins add network interfaces to each pod, network policies aren't applied to the chained network plugins. \ No newline at end of file +** When using chained network plugins such as Multus. Because these plugins add network interfaces to each pod, network policies aren't applied to the chained network plugins. + +include::cni-network-policy-configure.adoc[leveloffset=+1] + +include::network-policy-disable.adoc[leveloffset=+1] + +include::network-policies-troubleshooting.adoc[leveloffset=+1] + +include::network-policy-stars-demo.adoc[leveloffset=+1] + diff --git a/latest/ug/networking/eks-networking-add-ons.adoc b/latest/ug/networking/eks-networking-add-ons.adoc index 64fd23194..4cb8f3fb0 100644 --- a/latest/ug/networking/eks-networking-add-ons.adoc +++ b/latest/ug/networking/eks-networking-add-ons.adoc @@ -5,16 +5,6 @@ include::../attributes.txt[] = Manage networking add-ons for Amazon EKS clusters :info_titleabbrev: Manage networking add-ons -include::managing-vpc-cni.adoc[leveloffset=+1] - -include::alternate-cni-plugins.adoc[leveloffset=+1] - -include::aws-load-balancer-controller.adoc[leveloffset=+1] - -include::managing-coredns.adoc[leveloffset=+1] - -include::managing-kube-proxy.adoc[leveloffset=+1] - [abstract] -- Learn how to manage networking add-ons for your Amazon EKS cluster, including built-in components like Amazon VPC CNI plugin for Kubernetes, CoreDNS, and `kube-proxy`, as well as optional {aws} add-ons for load balancing and service mesh. @@ -55,4 +45,15 @@ When you deploy Kubernetes service objects of type `loadbalancer`, the controlle *{aws} Gateway API Controller*:: This controller lets you connect services across multiple Kubernetes clusters using the https://gateway-api.sigs.k8s.io/[Kubernetes gateway API]. The controller connects Kubernetes services running on Amazon EC2 instances, containers, and serverless functions by using the link:vpc-lattice/latest/ug/what-is-vpc-service-network.html[Amazon VPC Lattice,type="documentation"] service. For more information, see the https://www.gateway-api-controller.eks.aws.dev/[{aws} Gateway API Controller] documentation. -For more information about add-ons, see <>. \ No newline at end of file +For more information about add-ons, see <>. + +include::managing-vpc-cni.adoc[leveloffset=+1] + +include::alternate-cni-plugins.adoc[leveloffset=+1] + +include::aws-load-balancer-controller.adoc[leveloffset=+1] + +include::managing-coredns.adoc[leveloffset=+1] + +include::managing-kube-proxy.adoc[leveloffset=+1] + diff --git a/latest/ug/networking/eks-networking.adoc b/latest/ug/networking/eks-networking.adoc index b7993a357..be53b9655 100644 --- a/latest/ug/networking/eks-networking.adoc +++ b/latest/ug/networking/eks-networking.adoc @@ -4,14 +4,6 @@ include::../attributes.txt[] = Configure networking for Amazon EKS clusters :info_titleabbrev: Configure networking -include::network-reqs.adoc[leveloffset=+1] - -include::creating-a-vpc.adoc[leveloffset=+1] - -include::sec-group-reqs.adoc[leveloffset=+1] - -include::eks-networking-add-ons.adoc[leveloffset=+1] - [abstract] -- Learn how to configure networking for your Amazon EKS cluster using a VPC, subnets, security groups, and networking add-ons to ensure secure and efficient communication. @@ -20,4 +12,13 @@ Learn how to configure networking for your Amazon EKS cluster using a VPC, subne Your Amazon EKS cluster is created in a VPC. Pod networking is provided by the Amazon VPC Container Network Interface (CNI) plugin for nodes that run on {aws} infrastructure. If you are running nodes on your own infrastructure, see <>. This chapter includes the following topics for learning more about networking for your cluster. [.topiclist] -[[Topic List]] \ No newline at end of file +[[Topic List]] + +include::network-reqs.adoc[leveloffset=+1] + +include::creating-a-vpc.adoc[leveloffset=+1] + +include::sec-group-reqs.adoc[leveloffset=+1] + +include::eks-networking-add-ons.adoc[leveloffset=+1] + diff --git a/latest/ug/networking/managing-coredns.adoc b/latest/ug/networking/managing-coredns.adoc index 8e1a3d016..835b8a058 100644 --- a/latest/ug/networking/managing-coredns.adoc +++ b/latest/ug/networking/managing-coredns.adoc @@ -106,4 +106,4 @@ topologySpreadConstraints: [#coredns-upgrade-1.11] === CoreDNS `v1.11` upgrade considerations -* In EKS add-on versions `v1.11.1-eksbuild.4` and later, the container image is based on a https://gallery.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base[minimal base image] maintained by Amazon EKS Distro, which contains minimal packages and doesn't have shells. For more information, see https://distro.eks.amazonaws.com/[Amazon EKS Distro]. The usage and troubleshooting of the CoreDNS image remains the same. \ No newline at end of file +* In EKS add-on versions `v1.11.1-eksbuild.4` and later, the container image is based on a https://gallery.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base[minimal base image] maintained by Amazon EKS Distro, which contains minimal packages and doesn't have shells. For more information, see https://distro.eks.amazonaws.com/[Amazon EKS Distro]. The usage and troubleshooting of the CoreDNS image remains the same. diff --git a/latest/ug/networking/managing-kube-proxy.adoc b/latest/ug/networking/managing-kube-proxy.adoc index c9f86d5e5..e246e3a62 100644 --- a/latest/ug/networking/managing-kube-proxy.adoc +++ b/latest/ug/networking/managing-kube-proxy.adoc @@ -5,8 +5,6 @@ include::../attributes.txt[] = Manage `kube-proxy` in Amazon EKS clusters :info_titleabbrev: kube-proxy -include::kube-proxy-add-on-self-managed-update.adoc[leveloffset=+1] - [abstract] -- Learn how to manage the `kube-proxy` add-on on your Amazon EKS cluster to manage network rules and enable network communication to your Pods. @@ -87,4 +85,7 @@ The following table lists the latest available self-managed `kube-proxy` contain * The default image type isn't available for Kubernetes version `1.25` and later. You must use the minimal image type. -* When you <>, you specify a valid Amazon EKS add-on version, which might not be a version listed in this table. This is because <> versions don't always match container image versions specified when updating the self-managed type of this add-on. When you update the self-managed type of this add-on, you specify a valid container image version listed in this table. \ No newline at end of file +* When you <>, you specify a valid Amazon EKS add-on version, which might not be a version listed in this table. This is because <> versions don't always match container image versions specified when updating the self-managed type of this add-on. When you update the self-managed type of this add-on, you specify a valid container image version listed in this table. + +include::kube-proxy-add-on-self-managed-update.adoc[leveloffset=+1] + diff --git a/latest/ug/networking/managing-vpc-cni.adoc b/latest/ug/networking/managing-vpc-cni.adoc index 31807e7f0..bc70402df 100644 --- a/latest/ug/networking/managing-vpc-cni.adoc +++ b/latest/ug/networking/managing-vpc-cni.adoc @@ -5,24 +5,6 @@ include::../attributes.txt[] = Assign IPs to Pods with the Amazon VPC CNI :info_titleabbrev: Amazon VPC CNI -include::vpc-add-on-create.adoc[leveloffset=+1] - -include::vpc-add-on-update.adoc[leveloffset=+1] - -include::vpc-add-on-self-managed-update.adoc[leveloffset=+1] - -include::cni-iam-role.adoc[leveloffset=+1] - -include::pod-networking-use-cases.adoc[leveloffset=+1] - -include::cni-custom-network.adoc[leveloffset=+1] - -include::cni-increase-ip-addresses.adoc[leveloffset=+1] - -include::security-groups-for-pods.adoc[leveloffset=+1] - -include::pod-multiple-network-interfaces.adoc[leveloffset=+1] - [abstract] -- Discover how the Amazon VPC CNI plugin for Kubernetes add-on works to assign private IP addresses and create network interfaces for Pods and services in your Amazon EKS cluster. @@ -79,4 +61,23 @@ To upgrade to VPC CNI v1.12.0 or later, you must upgrade to VPC CNI v1.7.0 first The following are considerations for using the feature. * Versions are specified as `major-version.minor-version.patch-version-eksbuild.build-number`. -* Check version compatibility for each feature. Some features of each release of the Amazon VPC CNI plugin for Kubernetes require certain Kubernetes versions. When using different Amazon EKS features, if a specific version of the add-on is required, then it's noted in the feature documentation. Unless you have a specific reason for running an earlier version, we recommend running the latest version. \ No newline at end of file +* Check version compatibility for each feature. Some features of each release of the Amazon VPC CNI plugin for Kubernetes require certain Kubernetes versions. When using different Amazon EKS features, if a specific version of the add-on is required, then it's noted in the feature documentation. Unless you have a specific reason for running an earlier version, we recommend running the latest version. + +include::vpc-add-on-create.adoc[leveloffset=+1] + +include::vpc-add-on-update.adoc[leveloffset=+1] + +include::vpc-add-on-self-managed-update.adoc[leveloffset=+1] + +include::cni-iam-role.adoc[leveloffset=+1] + +include::pod-networking-use-cases.adoc[leveloffset=+1] + +include::cni-custom-network.adoc[leveloffset=+1] + +include::cni-increase-ip-addresses.adoc[leveloffset=+1] + +include::security-groups-for-pods.adoc[leveloffset=+1] + +include::pod-multiple-network-interfaces.adoc[leveloffset=+1] + diff --git a/latest/ug/networking/pod-networking-use-cases.adoc b/latest/ug/networking/pod-networking-use-cases.adoc index 6c8c05c84..9ca41f717 100644 --- a/latest/ug/networking/pod-networking-use-cases.adoc +++ b/latest/ug/networking/pod-networking-use-cases.adoc @@ -5,12 +5,6 @@ include::../attributes.txt[] = Learn about VPC CNI modes and configuration :info_titleabbrev: Modes and configuration -include::cni-ipv6.adoc[leveloffset=+1] - -include::external-snat.adoc[leveloffset=+1] - -include::cni-network-policy.adoc[leveloffset=+1] - [abstract] -- Discover how Amazon VPC CNI plugin for Kubernetes provides pod networking capabilities and settings for different Amazon EKS node types and use cases, including security groups, Kubernetes network policies, custom networking, IPv4, and IPv6 support. @@ -44,4 +38,11 @@ The Amazon VPC CNI plugin for Kubernetes provides networking for Pods. Use the f |Use multiple network interfaces for Pods |<> -|=== \ No newline at end of file +|=== + +include::cni-ipv6.adoc[leveloffset=+1] + +include::external-snat.adoc[leveloffset=+1] + +include::cni-network-policy.adoc[leveloffset=+1] + diff --git a/latest/ug/networking/security-groups-for-pods.adoc b/latest/ug/networking/security-groups-for-pods.adoc index 971d389fb..b8f0e7991 100644 --- a/latest/ug/networking/security-groups-for-pods.adoc +++ b/latest/ug/networking/security-groups-for-pods.adoc @@ -5,10 +5,6 @@ include::../attributes.txt[] = Assign security groups to individual Pods :info_titleabbrev: Security groups for Pods -include::security-groups-pods-deployment.adoc[leveloffset=+1] - -include::sg-pods-example-deployment.adoc[leveloffset=+1] - [abstract] -- Learn how to configure security groups for Pods on Amazon EKS, integrating Amazon EC2 security groups with Kubernetes Pods to define network traffic rules. Discover the considerations, setup process, and deploy a sample application with assigned security groups. @@ -68,4 +64,9 @@ If you're using version `1.11` or later of the plugin with `POD_SECURITY_GROUP_E * Security groups for Pods might lead to higher Pod startup latency for Pods with high churn. This is due to rate limiting in the resource controller. * The EC2 security group scope is at the Pod-level - For more information, see link:vpc/latest/userguide/VPC_SecurityGroups.html[Security group,type="documentation"]. + -If you set `POD_SECURITY_GROUP_ENFORCING_MODE=standard` and `AWS_VPC_K8S_CNI_EXTERNALSNAT=false`, traffic destined for endpoints outside the VPC use the node's security groups, not the Pod's security groups. \ No newline at end of file +If you set `POD_SECURITY_GROUP_ENFORCING_MODE=standard` and `AWS_VPC_K8S_CNI_EXTERNALSNAT=false`, traffic destined for endpoints outside the VPC use the node's security groups, not the Pod's security groups. + +include::security-groups-pods-deployment.adoc[leveloffset=+1] + +include::sg-pods-example-deployment.adoc[leveloffset=+1] + diff --git a/latest/ug/nodes/eks-optimized-ami.adoc b/latest/ug/nodes/eks-optimized-ami.adoc index 99c457c2e..08b373d75 100644 --- a/latest/ug/nodes/eks-optimized-ami.adoc +++ b/latest/ug/nodes/eks-optimized-ami.adoc @@ -5,14 +5,6 @@ include::../attributes.txt[] = Create nodes with optimized Amazon Linux AMIs :info_titleabbrev: Amazon Linux -include::al2023.adoc[leveloffset=+1] - -include::eks-linux-ami-versions.adoc[leveloffset=+1] - -include::retrieve-ami-id.adoc[leveloffset=+1] - -include::eks-ami-build-scripts.adoc[leveloffset=+1] - [abstract] -- The Amazon EKS optimized Amazon Linux AMIs are built on top of Amazon Linux 2 (AL2) and Amazon Linux 2023 (AL2023). They are configured to serve as the base images for Amazon EKS nodes. @@ -80,4 +72,13 @@ For more information about using Amazon EKS optimized Amazon Linux AMIs, see the * To launch self-managed Amazon Linux nodes, see <>. * For version information, see <>. * To retrieve the latest IDs of the Amazon EKS optimized Amazon Linux AMIs, see <>. -* For open-source scripts that are used to build the Amazon EKS optimized AMIs, see <>. \ No newline at end of file +* For open-source scripts that are used to build the Amazon EKS optimized AMIs, see <>. + +include::al2023.adoc[leveloffset=+1] + +include::eks-linux-ami-versions.adoc[leveloffset=+1] + +include::retrieve-ami-id.adoc[leveloffset=+1] + +include::eks-ami-build-scripts.adoc[leveloffset=+1] + diff --git a/latest/ug/nodes/worker.adoc b/latest/ug/nodes/worker.adoc index 37202c511..7dca2eedb 100644 --- a/latest/ug/nodes/worker.adoc +++ b/latest/ug/nodes/worker.adoc @@ -6,16 +6,6 @@ include::../attributes.txt[] :info_titleabbrev: Self-managed nodes :keywords: self-managed, node -include::launch-workers.adoc[leveloffset=+1] - -include::launch-node-bottlerocket.adoc[leveloffset=+1] - -include::launch-windows-workers.adoc[leveloffset=+1] - -include::launch-node-ubuntu.adoc[leveloffset=+1] - -include::update-workers.adoc[leveloffset=+1] - [abstract] -- A cluster contains one or more Amazon EC2 nodes that Pods are scheduled on. @@ -32,4 +22,15 @@ If you restrict access to the public endpoint of your cluster using CIDR blocks, To add self-managed nodes to your Amazon EKS cluster, see the topics that follow. If you launch self-managed nodes manually, add the following tag to each node. For more information, see link:AWSEC2/latest/UserGuide/Using_Tags.html#adding-or-deleting-tags[Adding and deleting tags on an individual resource,type="documentation"]. If you follow the steps in the guides that follow, the required tag is automatically added to nodes for you. [.topiclist] -[[Topic List]] \ No newline at end of file +[[Topic List]] + +include::launch-workers.adoc[leveloffset=+1] + +include::launch-node-bottlerocket.adoc[leveloffset=+1] + +include::launch-windows-workers.adoc[leveloffset=+1] + +include::launch-node-ubuntu.adoc[leveloffset=+1] + +include::update-workers.adoc[leveloffset=+1] + diff --git a/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc b/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc index 01b31ae90..045bc2b9f 100644 --- a/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc +++ b/latest/ug/outposts/eks-outposts-local-cluster-overview.adoc @@ -5,18 +5,6 @@ include::../attributes.txt[] = Create local Amazon EKS clusters on {aws} Outposts for high availability :info_titleabbrev: Run local clusters -include::eks-outposts-local-cluster-create.adoc[leveloffset=+1] - -include::eks-outposts-platform-versions.adoc[leveloffset=+1] - -include::eks-outposts-vpc-subnet-requirements.adoc[leveloffset=+1] - -include::eks-outposts-network-disconnects.adoc[leveloffset=+1] - -include::eks-outposts-capacity-considerations.adoc[leveloffset=+1] - -include::eks-outposts-troubleshooting.adoc[leveloffset=+1] - [abstract] -- Learn to create and manage local Amazon EKS clusters on {aws} Outposts for high availability across multiple regions. @@ -36,4 +24,17 @@ Local clusters are generally available for use with Outposts racks. You can create local clusters in the following {aws} Regions: US East (Ohio), US East (N. Virginia), US West (N. California), US West (Oregon), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), Europe (Frankfurt), Europe (Ireland), Europe (London), Middle East (Bahrain), and South America (São Paulo). For detailed information about supported features, see <>. [.topiclist] -[[Topic List]] \ No newline at end of file +[[Topic List]] + +include::eks-outposts-local-cluster-create.adoc[leveloffset=+1] + +include::eks-outposts-platform-versions.adoc[leveloffset=+1] + +include::eks-outposts-vpc-subnet-requirements.adoc[leveloffset=+1] + +include::eks-outposts-network-disconnects.adoc[leveloffset=+1] + +include::eks-outposts-capacity-considerations.adoc[leveloffset=+1] + +include::eks-outposts-troubleshooting.adoc[leveloffset=+1] + diff --git a/latest/ug/security/iam-reference/security-iam.adoc b/latest/ug/security/iam-reference/security-iam.adoc index e5c0da53a..daeb4f56d 100644 --- a/latest/ug/security/iam-reference/security-iam.adoc +++ b/latest/ug/security/iam-reference/security-iam.adoc @@ -140,4 +140,5 @@ Amazon S3, {aws} WAF, and Amazon VPC are examples of services that support ACLs. [#security-iam-access-manage-multiple-policies] === Multiple policy types -When multiple types of policies apply to a request, the resulting permissions are more complicated to understand. To learn how {aws} determines whether to allow a request when multiple policy types are involved, see link:IAM/latest/UserGuide/reference_policies_evaluation-logic.html[Policy evaluation logic,type="documentation"] in the _IAM User Guide_. \ No newline at end of file +When multiple types of policies apply to a request, the resulting permissions are more complicated to understand. To learn how {aws} determines whether to allow a request when multiple policy types are involved, see link:IAM/latest/UserGuide/reference_policies_evaluation-logic.html[Policy evaluation logic,type="documentation"] in the _IAM User Guide_. + diff --git a/latest/ug/security/iam-reference/using-service-linked-roles.adoc b/latest/ug/security/iam-reference/using-service-linked-roles.adoc index 8d3dddb6c..b37778b95 100644 --- a/latest/ug/security/iam-reference/using-service-linked-roles.adoc +++ b/latest/ug/security/iam-reference/using-service-linked-roles.adoc @@ -5,6 +5,16 @@ include::../../attributes.txt[] = Using service-linked roles for Amazon EKS :info_titleabbrev: Service-linked roles +[abstract] +-- +How to use service-linked roles to give Amazon EKS access to resources in your {aws} account. +-- + +Amazon Elastic Kubernetes Service uses {aws} Identity and Access Management (IAM) link:IAM/latest/UserGuide/id_roles.html#iam-term-service-linked-role[service-linked roles,type="documentation"]. A service-linked role is a unique type of IAM role that is linked directly to Amazon EKS. Service-linked roles are predefined by Amazon EKS and include all the permissions that the service requires to call other {aws} services on your behalf. + +[.topiclist] +[[Topic List]] + include::using-service-linked-roles-eks.adoc[leveloffset=+1] include::using-service-linked-roles-eks-nodegroups.adoc[leveloffset=+1] @@ -15,12 +25,3 @@ include::using-service-linked-roles-eks-connector.adoc[leveloffset=+1] include::using-service-linked-roles-eks-outpost.adoc[leveloffset=+1] -[abstract] --- -How to use service-linked roles to give Amazon EKS access to resources in your {aws} account. --- - -Amazon Elastic Kubernetes Service uses {aws} Identity and Access Management (IAM) link:IAM/latest/UserGuide/id_roles.html#iam-term-service-linked-role[service-linked roles,type="documentation"]. A service-linked role is a unique type of IAM role that is linked directly to Amazon EKS. Service-linked roles are predefined by Amazon EKS and include all the permissions that the service requires to call other {aws} services on your behalf. - -[.topiclist] -[[Topic List]] \ No newline at end of file diff --git a/latest/ug/security/infrastructure-security.adoc b/latest/ug/security/infrastructure-security.adoc index 6350fdbc0..743f45845 100644 --- a/latest/ug/security/infrastructure-security.adoc +++ b/latest/ug/security/infrastructure-security.adoc @@ -5,8 +5,6 @@ include::../attributes.txt[] = Infrastructure security in Amazon EKS :info_titleabbrev: Infrastructure security -include::vpc-interface-endpoints.adoc[leveloffset=+1] - [abstract] -- Learn how Amazon EKS isolates service traffic. @@ -35,4 +33,7 @@ You can enable private access to the Kubernetes API server so that all communica For more information about modifying cluster endpoint access, see <>. -You can implement Kubernetes _network policies_ with the Amazon VPC CNI or third-party tools such as https://docs.tigera.io/calico/latest/about/[Project Calico]. For more information about using the Amazon VPC CNI for network policies, see <>. Project Calico is a third party open source project. For more information, see the https://docs.tigera.io/calico/latest/getting-started/kubernetes/managed-public-cloud/eks/[Project Calico documentation]. \ No newline at end of file +You can implement Kubernetes _network policies_ with the Amazon VPC CNI or third-party tools such as https://docs.tigera.io/calico/latest/about/[Project Calico]. For more information about using the Amazon VPC CNI for network policies, see <>. Project Calico is a third party open source project. For more information, see the https://docs.tigera.io/calico/latest/getting-started/kubernetes/managed-public-cloud/eks/[Project Calico documentation]. + +include::vpc-interface-endpoints.adoc[leveloffset=+1] + diff --git a/latest/ug/security/security-eks.adoc b/latest/ug/security/security-eks.adoc index df92aa92a..92cecab6c 100644 --- a/latest/ug/security/security-eks.adoc +++ b/latest/ug/security/security-eks.adoc @@ -5,10 +5,6 @@ include::../attributes.txt[] = Security considerations for Amazon Elastic Kubernetes Service :info_titleabbrev: Considerations for EKS -include::infrastructure-security.adoc[leveloffset=+1] - -include::disaster-recovery-resiliency.adoc[leveloffset=+1] - [abstract] -- Configure Amazon EKS clusters to meet your security and compliance objectives, and learn how to use other {aws} services that help you to secure your Amazon EKS clusters. @@ -17,4 +13,9 @@ Configure Amazon EKS clusters to meet your security and compliance objectives, a The following are considerations for security of the cloud, as they affect Amazon EKS. [.topiclist] -[[Topic List]] \ No newline at end of file +[[Topic List]] + +include::infrastructure-security.adoc[leveloffset=+1] + +include::disaster-recovery-resiliency.adoc[leveloffset=+1] + diff --git a/latest/ug/security/security-k8s.adoc b/latest/ug/security/security-k8s.adoc index db44d29c1..f11107b6b 100644 --- a/latest/ug/security/security-k8s.adoc +++ b/latest/ug/security/security-k8s.adoc @@ -5,6 +5,16 @@ include::../attributes.txt[] = Security considerations for Kubernetes :info_titleabbrev: Considerations for Kubernetes +[abstract] +-- +Configure Kubernetes to meet your security and compliance objectives, and learn how to use other {aws} services that help you to secure your Kubernetes resources. +-- + +The following are considerations for security in the cloud, as they affect Kubernetes in Amazon EKS clusters. For an in-depth review of security controls and practices in Kubernetes, see https://kubernetes.io/docs/concepts/security/cloud-native-security/[Cloud Native Security and Kubernetes] in the Kubernetes documentation. + +[.topiclist] +[[Topic List]] + include::cert-signing.adoc[leveloffset=+1] include::default-roles-users.adoc[leveloffset=+1] @@ -19,12 +29,3 @@ include::manage-secrets.adoc[leveloffset=+1] include::envelope-encryption.adoc[leveloffset=+1] -[abstract] --- -Configure Kubernetes to meet your security and compliance objectives, and learn how to use other {aws} services that help you to secure your Kubernetes resources. --- - -The following are considerations for security in the cloud, as they affect Kubernetes in Amazon EKS clusters. For an in-depth review of security controls and practices in Kubernetes, see https://kubernetes.io/docs/concepts/security/cloud-native-security/[Cloud Native Security and Kubernetes] in the Kubernetes documentation. - -[.topiclist] -[[Topic List]] \ No newline at end of file diff --git a/latest/ug/security/security.adoc b/latest/ug/security/security.adoc index 2a1be3c74..09dd63050 100644 --- a/latest/ug/security/security.adoc +++ b/latest/ug/security/security.adoc @@ -5,20 +5,6 @@ include::../attributes.txt[] = Security in Amazon EKS :info_titleabbrev: Security -include::security-best-practices.adoc[leveloffset=+1] - -include::configuration-vulnerability-analysis.adoc[leveloffset=+1] - -include::compliance.adoc[leveloffset=+1] - -include::security-eks.adoc[leveloffset=+1] - -include::security-k8s.adoc[leveloffset=+1] - -include::auto-security.adoc[leveloffset=+1] - -include::iam-reference/security-iam.adoc[leveloffset=+1] - [abstract] -- Configure Amazon EKS to meet your security and compliance objectives, and learn how to use other {aws} services that help you to secure your Amazon EKS resources. @@ -50,4 +36,19 @@ Linux containers are made up of control groups (cgroups) and namespaces that hel ==== [.topiclist] -[[Topic List]] \ No newline at end of file +[[Topic List]] + +include::security-best-practices.adoc[leveloffset=+1] + +include::configuration-vulnerability-analysis.adoc[leveloffset=+1] + +include::compliance.adoc[leveloffset=+1] + +include::security-eks.adoc[leveloffset=+1] + +include::security-k8s.adoc[leveloffset=+1] + +include::auto-security.adoc[leveloffset=+1] + +include::iam-reference/security-iam.adoc[leveloffset=+1] + diff --git a/latest/ug/workloads/add-ons-iam.adoc b/latest/ug/workloads/add-ons-iam.adoc index 4fd23a9b9..95db03f00 100644 --- a/latest/ug/workloads/add-ons-iam.adoc +++ b/latest/ug/workloads/add-ons-iam.adoc @@ -5,14 +5,6 @@ include::../attributes.txt[] = IAM roles for Amazon EKS add-ons :info_titleabbrev: IAM roles -include::retreive-iam-info.adoc[leveloffset=+1] - -include::update-addon-role.adoc[leveloffset=+1] - -include::remove-addon-role.adoc[leveloffset=+1] - -include::addon-id-troubleshoot.adoc[leveloffset=+1] - [abstract] -- Grant an Amazon EKS add-on permission to call {aws} APIs. Create a Pod Identity Association for an Amazon EKS add-on. @@ -33,4 +25,13 @@ Amazon EKS add-ons can help manage the life cycle of pod identity associations c * Pod identity associations created using the add-on APIs are owned by the respective add-on. If you delete the add-on, the pod identity association is also deleted. You can prevent this cascading delete by using the `preserve` option when deleting an addon using the {aws} CLI or API. You also can directly update or delete the pod identity association if necessary. Add-ons can't assume ownership of existing pod identity associations. You must delete the existing association and re-create it using an add-on create or update operation. * Amazon EKS recommends using pod identity associations to manage IAM permissions for add-ons. The previous method, IAM roles for service accounts (IRSA), is still supported. You can specify both an IRSA `serviceAccountRoleArn` and a pod identity association for an add-on. If the EKS pod identity agent is installed on the cluster, the `serviceAccountRoleArn` will be ignored, and EKS will use the provided pod identity association. If Pod Identity is not enabled, the `serviceAccountRoleArn` will be used. -* If you update the pod identity associations for an existing add-on, Amazon EKS initiates a rolling restart of the add-on pods. \ No newline at end of file +* If you update the pod identity associations for an existing add-on, Amazon EKS initiates a rolling restart of the add-on pods. + +include::retreive-iam-info.adoc[leveloffset=+1] + +include::update-addon-role.adoc[leveloffset=+1] + +include::remove-addon-role.adoc[leveloffset=+1] + +include::addon-id-troubleshoot.adoc[leveloffset=+1] + From 25dc30845aaaa699d903a1b62c2b6e5708842c24 Mon Sep 17 00:00:00 2001 From: Chris Negus Date: Mon, 10 Mar 2025 19:40:39 +0000 Subject: [PATCH 239/940] First draft of rewrite to EKS What Is page --- .../kubernetes-versions-extended.adoc | 4 +- latest/ug/images/whatis.png | Bin 0 -> 100606 bytes latest/ug/security/security.adoc | 5 +- latest/ug/storage/storage.adoc | 4 +- latest/ug/what-is/what-is-eks.adoc | 94 ++++++++++++------ 5 files changed, 71 insertions(+), 36 deletions(-) create mode 100644 latest/ug/images/whatis.png diff --git a/latest/ug/clusters/kubernetes-versions-extended.adoc b/latest/ug/clusters/kubernetes-versions-extended.adoc index c8d5eb4e0..20732cd48 100644 --- a/latest/ug/clusters/kubernetes-versions-extended.adoc +++ b/latest/ug/clusters/kubernetes-versions-extended.adoc @@ -10,6 +10,8 @@ include::../attributes.txt[] This topic gives important changes to be aware of for each [.noloc]`Kubernetes` version in extended support. -- +Amazon EKS supports Kubernetes versions longer than they are supported upstream, with standard support for Kubernetes minor versions for 14 months from the time they are released in Amazon EKS, and extended support for Kubernetes minor versions for an additional 12 months of support (26 total months per version). + This topic gives important changes to be aware of for each [.noloc]`Kubernetes` version in extended support. When upgrading, carefully review the changes that have occurred between the old and new versions for your cluster. [#kubernetes-1-28] @@ -161,4 +163,4 @@ The [.noloc]`PSP` admission controller enforces [.noloc]`Pod` security standards For the complete [.noloc]`Kubernetes` `1.23` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.23.md#changelog-since-v1220. -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23kubernetes-versions-extended%5D&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23kubernetes-versions-extended%5D&type=code[Edit this page on GitHub] diff --git a/latest/ug/images/whatis.png b/latest/ug/images/whatis.png new file mode 100644 index 0000000000000000000000000000000000000000..5504ce23d15be1e87c415f01ec94df7660b3056f GIT binary patch literal 100606 zcmeFYWl)?=w=O)mySoLq!QI{6-QC?a1ef6MZh_#000|ykg1bX-4|aw;+3$XLol|vc zfAyVz`=(~9r+fA4UaPNORyR?~ic(1M`0xM#07*t#TonL-ga81*hhd>XJ-tLn0{{R8 znXkIGyQ+y7sk5t-rH#D>sk@J}1*wI%jU@o!y;Pf{<4M$+B=O1;jSv3YlG}Rz64Ca) z8Rhb$>D{|Ui{XTlk3LBN@-242wB_qrcl-m%%dBQ&RORf7Ys*skYeqHurO}CH_(|f<|XSJ)V)h>e|yMvomk3d-x{Hm*)n2QIT6Q8=98#%Fh z7^oX*1MT{VrRu_se4{okh-bXCvD&l*G2F+8m)}opNKaPR7N=I;r#DUYukr5}^`c^W zABoyVwMe#RLJD3#!sU{Dd)956TFrleGBUHS&jXSPjU_)%(qA#sISB5pWdVEY8Rq^mhpzrdiFC~32^L8$gaEG*lnBP!*}!lMiB7e^z=L! zF|IPgS3XQQQ8UF{FJ4Lzo%7Wd2h3%kF=0A)qqW=Um8P!h!M(hlwa0OArce4bRd1x& z8G@*d<>DC%-J%QMINIB@h>ZyqEZabuiBInf^EgXF>b*OD6=obscu(mLPS-U{xV&@K z{O1RGmpjA!CpWxNa#Y$KWmpA-Ty2TqxF_0%k75GvG1X*wQq|Su1U?YDjqs#1oF7xB zXsZsFrs(P(a?EP0jWy5O+E#ZxU;_qcUFmCEe){eg=BDxGpRPRnfPY)Hx@-7`D zUuU|MWm;uoh35o3U}1ANT+&t7wfy$XR$p={&-GgLXkA6A^!ye@o$EhRS)Ths%wd)H zDe&>}PQ}eh<%&zSqv4BGTteFA&v1;Kcm1)E4+oLnDv;9F^%;vtrq_~%YNPg7>JpdN zthC%eXidd|j{7q%XAO^7?Mg0eEHB+#d+X#@m>sW@JF%j7C`pgRtt3S)eVjAUZWJY~ zvn5Ny54pHFUg@d6+CKTe?1cD!Ivi(R&nR^q*fw4trF^{~l^v{U-a9((`>CgEhRLh8 zsyi1ioABe4K)k0t$ze^h=2EyIH*~k8b1i)Jfj$dj$z2Pc)5Hzn!x)K>A6_R*8?4zN z>!F@!(ydr&_?>av5A>GQk#WW;MOMF@Z%+|(OL&DSL!nMtt0$4+}5cR;v25& zl9LiFf||BrIhAf7zQ#HEd59`lE;Mf;CWaVgZw`*vCcEMF0ASmRCT9ALT@3KZXkutN$;x+ZJe4_|^oT zjsjWl+3mnQ)GW9MBt_PBpuQs%d`yLtR)HetMvyU=Bq8F zXslR%j9^@`yl?%Quu9+LHzZxQt4xO{ZS066;J~N;(yZ+22u$)b7f&gd+5x2Y3;&=M zT#rCbT4SPn8O~i&jZ4ukB#+jW#NO*Y!IWn>`hF6^<6iK-%apIrA}8QyF1^&o)?&8g z0}UCG)o)Gq6?O2{uU$rDQ?r6y*##e-e8nHnALh%C6P~*iI(VM#Oh<(#VyUCrY?=zJ zu9p#0e~ax?Pq5zB=6CzzeH|Bnw8N{8^}?PSlqYlL zrS`C&$sWY@zx^mSw2b~rh9ZhLR>rQZeFb2`qY0O(;IPN}N$Iy>gMFW2CFc8(<|`AH ztpGW0vJG_(ggBh*bbCPhw8nBHb_0RA#xfAGq34Dfp;Jmh$P2DRoSPYcXhU#77}ons zF#lkstiw&9d`f^{@`CkVCPtvAJ`$nZYIvjW$9E=*Z)aw?!x~FXJ<9sIoqP=0`0DMZ zqZnT=PZ%g_nGS<=7=@DL7~O}>7TEk!bua1i3zxy55mSK!?&t=RMoTzDbDxM`n$Q>=?rP<~NJNNsGW)}LD zov>qnHtd%Npz5crl5pFG0{V2wTD)9U&nSYmVB4OZ2D$fMpGj)l(1ALIJ0iW|tDbQn0bRYu@h4ZZCV{k4 zT_n8FcMFjniS!=9cn)@PY7pBx66EO-G%neh+LmQW@GN4(;T<#Z&%(M4Gf6P!orCkF z0jnRkD9z6C#>kLx=HSGNwZ*=XEw+1J^N@ZVC!~ps&U@!^#rZ^h5w`6So=)rT$o64q zq5Vgq=r6?>RF`F*O>w1xadM{?jCGNSS?XKctlfKSryUI%>Bq+s46mdc;UYAK5$uZ< zB3@X+Vn%mbUf+*~Sp{QI5!MxQ_pH0`Jqz1N1H?&sdEL+{QLNeBUjq0eLS01*l|FPB z4}GvlaLmuB=I}{&{wxdp&Fvxq8w9Qzh1vCk$VcYzRy7iBD`~iJ1X?p>Rw@YnoupJX z6|Ew-@NAxB^N{bP3y%TAQ#=st1AAVt9=m#Z`*QOl1E3#b3r#n(7obJ50KpzRD21xc zj>RLw10iF~tt70xQ{|Bpe*xCKeV~h9^qDO!?iAUw*qvH2q#XL1lqfcsd3BFUiIr4h zNML|in$;Ijq(jalV+nT}QB=}bLS_QbAVzVileG?RyTSL>L|YvXh@C7L)?Zn5-8I}N z_)YL*8OMy9tf>!bqu&PW=0fnx;}=#zf5Law2i=%E^FTTGA1Xo+1kUDA8FRkhPAxlS z$<Olm}mxonta{w01z4pQWi+~Qow?3H+ zLgZZigPpJZca0@fbe~mL3Jyh!72Fvzv(wo2MX$hm2?K?|P*O`6iChgokz9xBtVFFq zdwgiTO7zqvAWC8vUF6nr1M-pUgIVDusw!kPv|#6ccxm$Y&A>UZqTWlLtfPBIV+}=W zkc5W#m`DX>k;dxN-egQ%(EnXAQwe*MR)D0bgEDeEW7>}PIzpE83{@!Bd}(Ya7#!M> zc7+=yEvau8UA6rIvch|p%3H+7LJ)q7-`$fn4tNS1>uyrx0}nKL@j?~jOJi!JyjjDvlq zi7Q#P5{r^rhn|>=jEvzA0vOgC8;ThiOMGB4TTKd;s6w2fQacnvA)^Is8~AJwogpBM znJd#7)CL$#kpQpYJ{w!K;kdjrzm&6B4|IW7*836fz6S$C67>scU?{!Q0ffH17{h4u zG;`{;`1Kg@6M3;})qJoRjp=Od3#0s^iJ-8nKW+jq8&rkZdXDA>eXraB5g7Q^os=B&`m+#JMOEby`S#@-Fa17d<& zTXnHhax!+QbkBKcOx7~;y61sZJ&E!c)FVL!faZ^>En{##;>3Dkrc`|Iuf#+ouY0>0 zXVS}}ON+lQIMTK&q~NUa=&Zwj{>fH(>KS%aEdo_f8lr}Z!HO+EZplgDHAB-;AA+ts z9>dbJ9k&@~g=w|o1qb+0ZGi*9W!8A$4G&1t;%tfXvoXA^$E?f@ha_u$ZGQpg8!Cr1!99tRk zPdtL31K&pt8?xJEsbuZSJ=DSG8+$5$)>gw@f_#Oy*lyuGCVfHZv`7chdKD1RFr{r{Cgq{<-xsJ7tnq1a6V#2+(X z&Nj@&Lt2^bU^Tr$B0G?lnEVW{Gvd1ffXI?7;S;wo>Bv`NtO0MCjDCH<-F z0U5y*F9kn?0P_?uJtQj-3voaG87cnH^ zvC0yHZF)OmY!GH5K1rEiS;CaZpOEEvMF17y);afE*m8`ooG1v6+! zsGvI6J(PZ%x7mxrjfUXF*%hGG++B1|L0qp>5|{y3Y$MRv_%T(*MCmdPG@?3}du zrU~C%<`z(AdHz!+B7u&97D1$ubv(5|4>J6AAR+3aa#^IxtTn?9fhv|3eomS~mP#E- z*4$6_M&zn`*gWw~>{822k;jjmGWQpZ+Sp%R0(8Y1~SV@BvBaKJgGisoA>Na(~;n0sSn@5(C2a1J$kUGqfNJfX=H0DB(d(2Bw=Af z%qk-EH8sHjQRH4 zJ@U}ySE);SHtNf+c{(eWj;zFtF$G0uYUm~-RLBl0j00KU4LH`}aGe$=qQ?4&hq4s) zMXMGld9CXn5+!Stc3PY?VFb;wS&v)o* znhF1S$*b8&y*iBID3sph$ET&AWE(-&B>ROjz;8#bzo75?Aie5cZEJj{Ff|%Uv_3fv zyf?A{tq~J2l}VS1pkO1vKBT!b<@0&OP5Zt6G?ep-mWMz@zOSv}^D9Te-B*f|NmFO6 zbFp89GGZz5VJ*`%lhl*B!3U9udOxk*FtmmS;kbpUl%h#X)hJw^Z^(wIW+9;mjrQHO znwn@0croD{Jd;|%P|e;+PJTfaOul>HW@FaR>2QgetEJ&P)UyzxnXSxeP+bC3W^u#g zEh+Ws?uWm%d8lFARi1k1kL`?OZJgL&EbR!Du^$X*>kqn$ae=Z#L`lCw!Nxcgb@vP3 zS?XrWpY#$xY^WqTDAHpk%1NbGe+*08-h6SUL#Gnqg-V|=&ySOjL>RE+B`lJQ8VG(_5g~Ufsu&&sPauhh0y@uCz}UhGE1Klu{PVF#4$IXGXK)Jb~p8)5e=OhSG*bUsa34 zXAYq{`7X>2Z3;J6p52%EUhx1ABLzVb>4Pn~)3?vWJOciK_?j~e=Q5lIej}vxnSBsm z(hwY{9=m zF@qE9)fan+5fEtZ2x(61u#0a;YD_a9E*OI=ph3JF)4l^#{}fkNm8KcN^e;58jy

        Gx!9Ifdv<7mrSPI-<4adsl_zVRfa=vPy1y4oSpt}dea+yN6?Vca)_P z5bNxZLWy5gV%Jzc&g``F44*}`qu0?5W zeOtg7Rv0i`IirbOt_Vo~h7c{4Lm;vKWsu{CVvm7X%tTS;g6gy=$tMRY8gB8Hq8Gg6 zfl!!inP=4&QyC!q{eE-+#Igv?O&1!JEj8Gzl%J;8gR)&cUlN9$wb|Nwt$c3kq#c55 z$i2}Sukrj*JYtH{baB}nDI@9kFN4;`#UkWB-n&j<8OAYnpKF&I$X1&mgvHhJd1I;z zJZCW(q~@+5x~ee3SM;1P3O)HvneE)X38T0rlc(Ku<0t186j4}SBFqW3qwarpFee3# z#|G-EJ6IQ70>9T==ROX5Hu@S8mv|2C+zedWMw`LbDc+X7N_-d2Oz9@t#7hB7<5V#n zqZW*op1d10i&`cMwwZ3Q1q}6~qT&|I9z!i@N%S_Z#@OUnPs14QZfQ~G)g*eI?mEKb zJ|xzGJatelF)o*%!~@S&_!OngMD*yn)TWchQ^wnlrvmd~{1AF{2y)SFjISx{dMkCo zn_IoMy5y>o2TeS?_LjIsk?^3cINlE2EK=NE;XA#}Bd0V0nc%fA9Jv_+Vlh_TSBC*%~HR6!Q z;(=5|PpBOEevz&+{&McgKPqfyFNNt2IOxw1qh*;3dm+HtJEHbzu>H#W198cZ#&CXj z9MWDB!^AfBF!F{E9uQc10kSwA>IMPbKu9{+0pnBY+Cm~Bo`z{@a-E?h86lpiI&^}& z6uQ*V*HPa7j>+8lPRi=yx`$H^*-n|_dAQ~=s&1Ypk{UG}f(e@MnJ&V3K1ZaD*r8MO zM9TZ$knRc;Qs~kqHCLwz_;Rrwrlyj1m-=mhQ^(?vYjD_%4v_|8gLM>4zWE{MUCS%N z&GGEEaxRGhOTp73a|HC?kZX>105$JAMy2+pV4288ISj6O!3O|vN{pH(eGd0TjZp2- zLoOwnbi-vQy@;x$84as!dK;mM5$5%A@b2q zWR4E_;Xkrks8hq4pGSyGNjc$aIW;iU)S>G%#;sg-uv3zYh<;qeA=<>NJ<`DJvSfE> zia|Hg#zTj(n^Z)w3Rdi`KOCiXl%r>Hnc^TK3!4%vyF_&-+7U@PB6LY7nS@5TYDLC~ z@1}l;e=mRYvQ%#;QIOw3i~%5({8#Ls!4c- zIn^-hwSlqf+(+iB^Fpn0N>z8NG=EEO%uq$#3AR&T?04!-b{)xvSSZNRiL#czgJ}x( zJ6N=`A$#+E z>!z@6k0F2-0;it+ls6x^9JvHsYF+1T1bRQo_|lgt)TfJx1gOUdS3EV~Im{rO@GFiU z8y^V_VfFLLt<7=d#v-|TomXiC|IwJj$JDv=xj) zNmIi^-jpKRXsM|3tX<=^rGNTbo5o%)9?@f?CXL-2TyF5lvuk#xbiC`PG;Rm?g;tqV zDe4s2tw^mRP+qf90>&l3m8_~O#-l6nIB6Bu%?4PG1k>?^PhOd4%1XU{CA3@V(-*Gz z4c&uMNxzp_T)#Cm_$zoQ=j01LMf6H}HE6Z?;sWk9dU^D*? zCC3tBtKc@TP{bCOAS{iR_@ul9U(1`J|C@~6Mp{*$5NbX&j3h<_2FJ>PNFPe%9HP&_ zS=BuW{WTp^x6j*oCBf^C*y{{XXlR)=$AWC#;ZU~4LYu9ZBw7zk9xjL|nv!YpZW;ma zKEB=$^4=F`SLbE_g;2nD%~V*JJkKJ+2BRKB$!Q6CKfp98)jah+$9uE{0bR(|;Nm{c zZOS6VD%z5YLy7@iuAftLDI--r&O4gB$d-2(K_@|DTra2DHI?IR*a&z0_=ip1451`p zj5H}69DLP+Fdk=7(@}}G^i<&JpwQ0m(aW-!TkAN2we&*zPx^G>~LAkQY{do$tv zm~H=9K%qf_id)W^*`Q4hpx0_c*6D%X!+0GKrb(8E6DSjIXN(ym^+zTFnK#TgI;a|0QiNxolVT_EZj*=Ev#%D1<21j zyU9sy%mv7`I23>i&SDnUHqySX7HYnV>Sn%nW<2KPLW1!8-n<|N4i@evq}~qpj&8i( z0_1=A@`BoL-OS{qe@NWz1jw}&lu5;$TrEi1nb?_tj1t~9o~-18@TB~%=9avw;*x(^ zfPM*(Tf4hE^D;Agd3iB;u`xNhS~0Wm@bEALS(#Z`89@|`Za$9gCf0rvHoY zf1&;l+5ZrOs1y`<#huJN-nJ(rEugWE|bxO&rZE-dKT{GueRnaB%|J%}ju-jGQKBri|>C zJUomh+^lAdEUe}%?5sR&tUyz?e`BHKY6C*0iT%It>W!5-h?OOexg`&W1q&kwHxS6k z&I+_-?~|tEIb?_HE?mVbN?ri zriH5;2#arAS%6He?0-hy4u%&b4oI~oZ%73(_|p%PhF8qh!o=OlRo%(SUV!{1S* z{{Wnn|DR)#ws8Yd_`G5MFY47ST>km>&n2+8`7=aH`UkkYCT9OE;%4G$Vg6?!(7bz{{4b>bqu=KLa9k#)Kz0*W4ogOEOHLC;c5VwUkd94x7%f>$xjD^PfF@jj zb^I^xZcdi&UM8*AR8kP6uq(WvU2cp zu#hwV6_)w!PXC9r{LKHGKKTC-{F@N~&HJYhWL!YDiuqs0>aV`uRQUh!`Fjrk4_5%O z{+~tuTl)PUb^VXJ{#zROZxR0wy8cI9|1Aytw}}4-UH`wS3;sXT9ScWL1mp!uX8K0; zeL;y3w5gnwIN5Mmsg^^*kQMtkuczcO^YLK-%3MgHcE*tK zsWn5zisFBsl=V=sc*C(xd|WW8dP~*q_1;QuK*7R3&c=!dTmt`JX#-)QG3j*BoUY;C zyUkNh66U>6NyLu6n>iETI%Adt3}s+{vhEV$hxmu5xDN~N#)dlKxIuak2M~N>o0*KV z1nQ-;W6=DeNx&@W$-$u_J6@z=g1NwXQI{X%?<^ki)Hy6}Uyeb70MU!BVS|$Jrk)sT zFGk%{pC^fTL3#ud$4H?uuZ~Y%9w<%J={jHj?hb8nU@s5s{g0pDvctT-w;!XIoZ#7M zkP4qJJ|KDX4r1^sutqDzg>~4VPQd?_#}NUV+sgnP=XDj;Q7VfFUAbwE^nhIn48S|4 zhIw&f>dFZ=wwWpY(!vR!9*`gg^Upy?y6ORiSJ`1{$ruX++SP4;{lH?{*2CYwcGoGzNuK*i3MnFyU{@)6n+<0FoadBcmYM zTmio%Y^}NY6T0t@sGfIJZ8$^Fjb0sGr9t|-b2Z;TTMde&;}9BZjT@{%B~UJV86xo9 z!`IVmIpd^30bIaEWw4s%ndTC8+(`{(on49dkd@=NT-tf;&985L$5v1-*NoFQm|xj@ zUgDT4(_mxJyD-Q@DEWiJ-45em!3M72k*>5^JKk*p zH}B?8lSyIk1x^FwoxGm!^pbLNLYZ=x_I`Klanhy27faq#2pIHSMA8HTquw-P{9zGN zT*AMT{COM>bmWh=yQys8V256cZ>aJvR;sxE%KdI5POy+>YZ(h)2PHJec9w{rFdqM_ zV1>bzLHNlF9B5TYr*4gpTJJ~i3pO)=oRdep!VF|ii`(O>dejIBOI$m7iH7~?35WZJ# ze=Zr6A(>yDe7Owg?~VmKVK?tIk;dK}eDs2|d4zPA9q)I7zdzymx}Qa|$3YhowBn__ z;e@}MqsM99(fIpoU}6N;8&1gVzJ4Hujf~`f|C7j1Zgn+`N?xl*>=!yS6TOk)JCa7@ zUkU!WVGT^T6oZPrH`%RmKLsvaK8g@Y#pix>Fc_T3O%T~94ttZzL~ouB-*9Wj7IYHw zxtJxe=-!&w!dFyrnDvKjo(ycu>3E-U@QLi4?7hQCVWZ9T>RgE+6*A&M`!fpqjA+qy zv@vuct>2E1Fky?N+##xf2#;%axpI(i^?Y@C!}a5>%UjdVxKXOFl)jrxkPK~iWfgOf zir%AnC#z`}KUzszy#D2TDeKs>e=I@kskS?@1CM5!qf#wXwBm^#g@N?oGt9-)9yQ3$ z6@e?It`g9wH-hUwd5O7sW9Q|rC)#;F^%QP9yQ>#!#86cj*20f;bZ(wENXHVMI!)p# z%veu08YuPK9Ug*P20Sx@KDE6atuLQo#0O?yDT5Da`*?J`ncl|uXo1Y^RZaZRN(=7%B#4(p`0cflDy~y0eVjOT&5e} zG<4rf6xkVwoN#6^uD&H z(26}fDrx*WljbOvTzdU`t7hnf-%&!ygvb+3OqT&T6aApY(Y&5>3_1b^so!nsUqdxH z&Z)c96~&*3G*_jv*eyY>bh;2*tb(8w^nJ-9`ZrV@eBxRRkDK^WUft`CQTdF_qlqJl zwzfwc99d61V5aP13x=QK{#lAtX8O+SkOP5TW3pPBAPh! zmNzlsIQ`D^Z6g;V6tSL4=|*a0k>BYEi8LxURK}S+ns>8Cf8l@3&zHEeqNy937(|rP z@oHsoFnZP2=@bAs(;Lv~)%pDa-WQtX4{%?+T~S_Z&Y;ti(7Z2pm_UA+>|uH7tx4FG z_5H9I&-vOmA}8x!9u<|ODM;G7YhPJu1VAt-$e2|K1BDX>_O&q!UAzj#y`3Ie zat7=D=5{vtNJWadpY2F{f)2DLieZK_BqwldZ}B>A@MEuEr;!F;_dV$}Ov3AQLOE-* zOpa0fFryyiIqBrO!$k4}LqWH%#r9s*^Widv1$MbnbIPtz=lC=lGQRzNtw-~1R#V@0 ziO~5(x6R^Z=FrjY^&z$CySH;P1(H_N)9dse9D_on&@eTZWFLr^#XXe$IyvPEb13eg z2jJximgdXI`Mhp|Gvx^b0}NIi_XR@Z2BRWM@$$#T3%I5WAX zgKB5{YBz{@Exv))CResplu`+$q#U8m>$T9}$aajwhPI(Rm~wxRc)8Wmuc&WOM)QuJ z^sfLIrjEg;`9{ITT5f>gy>oeM1|WBY}UJ7ol5ekq_r z67mxwOG#lNpRU?Z8e?G85yeEZW<-n=_euJK?3HHya*1^YY-n(B&jt7EvBVSZZP!#p zamE2qp;+V$jH09xvfpAG1AVGS=KK6wws5JciNg^2Jx7flJL!3MEuRbdQS8=X5QtOR z_!IQ-Fs)?%O4gDWAhOd>XeJL5BO=&z|4B*-!;epk_epu;WZZR6A@uVFEjEntrz2=ob4!KFt@#+*ahi!b#WMOUx_IEb8_;m zGx5vo*PiG(f^)M4=)>kPDe}?0un!k-2RDbn;s{R#3sdy<_57dPB+TEo;=1mVT zo1yn5Yl@p=EqW(p4ZNK6tfn|@7}fR%e@=vVwNQ7sT(z+0(!3dQ6%nhu9I&NixeNDr z>hR?xXQbHRjze5fV)4n=RsA{C&CnGaA|TsLa`{hpv$WrEtk#rW)1{!|Pq!8MW_)AG~V$#V0@k3$}3(}pfJ zUhMu$+2AapZ+8PUW^Cd42N%gHD3ba7y5A0aw0zw#Rjws$7kDwr3 zQtU11O3~v!aOcf!;L3}21GXoEQoFYd@peb`v(oAM0Y)^A(y54>cbP*{^hYdEh8O}u zT-;Y9*M@kjMEGz}kZ3yRm0dziZl3G5Z#LOJNLp<<_~*usRQKI}Y3KZ`AOHcnl@gb& z&6}Wf5ad6XcM#uFEQz}y^2WFYv;MqcMg({lUKM1tf99D20f4+gqrPsv=OpxL@T!q9 z|uG7wO7x3Sh0o^!@V{0RR9>)tJk%^er`*!8CR)-_nB0!qs#BHE-eI?~rdP z1?Y)w-5+btJi$gp#kx3w2N}tN8UB8u<);h&7xFjL-uBCnM!$$$JvCdb+$Z{)k9xFj z-{*;vpRc?37kd~Y^xs@vhXhf1(XaT`U^VQu?lc7C7v2I`={DH0O&w=vI%KK(J&^Z+ zKN+^LBzX9n0H*|~FE($*O1`RAWJCA!B4{7r{-d%1{Do&6wjvlCLeuF| z5qrWd|EC1vD(0l}Z<||SBSpA(Pl3n3jV60zVhY@7cBUzlB-8R}aom=O#_lj@tVezu z`Q!Dtys3Tp^MvmC^jbF$^dgjmqb@5&ZgS9;s=ZsB27?~e?78y?ApWFih|mjSg{HRe zeCmgOI(&K*QhC8zs^(^*Dk)CuG;49#HWlR+^~19Ir_6(kIOLG?;dkLDDVGvOfu8E% zir~uK(~MojI@?r;(5$Z^8dlTi>Q|x{#8!W_S+r6oJWjQtEFZ@e!SRhi>{+?Z-^CD0 z+`QR`NPnuQ7#2BD^CL{y+i`$cBdp;b!JPDJKYa!gIw@KYR|iMdZ0)JScG>Y1rgc)R z=))IR*Jr`J|4Tkb7+twJ+sQetnLp5Nr}(|ni|7`al)T!1Y8qx1`E@*te=PG`crANM3_jL^n|#K1Qy12!s#f~i z%`%IU<$!}37uetx{38e1o7b7G9<~VlU6Ymz`yE|$G$jH-fDp?K6w^R?@v2u4*w6tM z@JkX~o~^sK@1+r-XVLF%&*sl>k{k#6 z8n?qD%)TuMOSCgCdzt;}!;8KIpynq=VpWSZIDXfxv|qhj7yHmcLhgJZYDnR`L>1|r^)*~d3?gv0TF@_QXAKc z)?s&!>+Lc5$V5NVjD!CaU<8>9{6qJXK@jT=_LobqkvN)#c(4qThXQ{~enCE*f`>=q zPwA%3^Mp$9p$%g#Fy^Z0YA?OU<8IjPS9_I6vnt)YGC?lgy-LXsVqAH<2ONZ`+{EP* zlHWm|j4DtNeJq>v<5v`7p%;jWm&XL^gf~1RVs4Rn2MoX<4T6$Cq!+?Ro6g1Z+5PcB zW03ggpq$cyK#Ojq?lqA9W3t-hesUcsQ3d@A$l}m5tU)K{__+UX1#^Vjg71;J!`2O# z%*jC=4&I^VSvWkJj(u-lIW+y@(Cc zMc|i~Bfu_qk<2@-3eL z7GFku=icIJ=Z6uF%BPj~~;s-3Uj#c9es37wRglP#BdY6E* z7J6pCjSUx2nqg08Hhj@2nI#!^cNAppjQHL2WH4Hz5RiEIcAdzfAugMWPW;b3@1?mx zCPcJ_zOFgjLrU-uh@y2$Y5`-DG1SosFLFr4R8pkAPh*b#6@| za=jTQG>SFRm6U1N6Ai-tT*C>i!?^U2&m)F;o(4{!0DoM zG^|z}b~@oD!_iENx0F0_Zk@nC9~6?==()^K;Q6O>+D*f5!g$f#1`LPB@}8}F4H=z^Qw2Ch@CbsIvoUa63+vRCbXdaJ3s5y2CnH>xxro% zE&?P-P$(OVznK84_%ygb=z>an!FBof+dZ4-@(>Vj_;C{9{2UiECFH6n#2C^t7ro{C zF<3yWdBIa9>{tfeHr1o=RD`lXlV`^|*NuF?|NDmoRO;mjD~SYo3U8pXKzvXXjf&^-vmiv!b%9j9T2+VcU)7XNP=Ty;e!0~F3h;KL`fov%C*#qI ziIS6453ld{1!&SZ(=M+fUxpp<)PAlaooUurEzA$Z9TjS`XeB?|*ax(vG+cY@n1QBD zzU*GGw=jb|ggS8d5HfVQ*y~&G-0-hQzy|*;$}0on2j`olOUvI!6n|ZDlogDb+s)T# zrTyh*8V8=D+Nf~9va_4FT6_9Pc`7(84aqH5zsc-dtuj2(uB5)V#sYAtn7Fu-X0fHrw)&`$=jIy3z zlCCbRtP_jHOX*_00;Vl5UVL0qK%%P*Or^K|oTvq`SMjk?!vN z_qm_v{oZf<;~(R93>_kuhqL#!*IIMVHP?0A|A7_5%Qf9?FO^SV0;hOsVP+jLT8ER5 z@LSBtQb4ML%CJw5*M?aO8$&Dv5=@$pVPY;rhJ>V<6W9P}0Ze0j7Jx4qC<=1-1{{58 ziYiHy72oDZR#C-evt@(k2NU!kzN6R?L0WPFUFO9Nrc=*8L3TeEHW#el4kkKmxM#0j z?ijM1!a-RLz&Ko6o>-99h!3_$A}R&#$oiG=Ad8s*K?U3nrU}uvAnzNE=A}b_zf;2@ z7k&};t>ckk$!kgY{PMkWShT$+YuF$Le{nZIay2BvVT^;3fn+{ z(2i226$6{$TaXhN4bQ43@!qCZPkn#|LhQyhf&9hd1;?b8k9BQs z?P0$;REgtd5lUqVYWbW)3|Ni;rlp_4GEaB!QKENtd``q-NvdQyGr?q*OoZ4?pkKDDLFl}@EgrTIM z&0mnoY#t_S0_BC}K^PPqi=cI!4>p747GY?^w*ei5-XQnv3%Bv=+rKs3 z*41U({PZo@ASU20{`}3s3?(;vp03cRZtlj>}*5?E| z7wb2&N5p|O?b2&QC`{i3Jrl)D+EPtyxMAe%S||51XMxZX2XY;dU&>6kh4a~bZgx#GP!hO3@rF|jL3;7EttL2(o=p zrs%R3)@X8cI5xKo^_R_QPfa##Ej8B9|9U)7^las#am}eEt991;}-{ zU86ftfo1t#MH2)`u4naI+w6T%_#e$sK7nPKq>r6ac8WF`o-{1nqm*}Ln>1ev8k2cS5Nz-F2iI=F{ zA_n$I0Y{PJZ^*1wlOoe#*ntwPt&nHaQ|``dD1816;psG7rZt~w`t|zo7M2jbOu`ij z4oWIh+8`Ws(1*ClRpzzyCTn z7Nvi$GFQX)=AOH|8BY4pAPsCxFF9`t1n1jN693q|5jY5M{uHm{Kj`-HjBRkHYedBB zJHOkjBNl@^abiAaV#U7yOm?_D}6b9g&!j>bbyKvkBHtWZTq7`rg#hC9k}192gITh z9|AjW;OVW4_yQ?ccTQu+pSg6Hxa}9Z;F2&l0w5s3o(S*!RKzGk8VZvhsR9q%`A9Be#_f4Q9G(J3EKcil1|7=z#Vc~s z>ryF?%Z(4Bl@85oKW+YKa{?^Wbab>lyuz0MvTbdZYxHB4YTak)Xg2F3lgU$ShWLGf zj~{Zk-|%mJR~P2}pkHmMJJ<9xaL`4wAWlKB!7uOk>fHJID{yH9<`Uv+DXrhRKQ{FK z&;3;~!OdjR(`P*`wGI^2PqOP#)Jj7{BMQ% zlKE~^jM;hir9lf(7!zqimTk(5+dVzhK>t=YHEePZRLE$SE|OlDF!SO0MV~1QgvV~F z?WV8NLujk@mX$Dx5649c=i|ru`UbJpy~Le}n_4%~l3GW?&)cC*juEs8PF$v9Rop-C zR?qtkn-VB@_V1R*u;u~8gA3^ZcQhPy*rD*$fYH@NE(0V2s!Z>L0~R*b#7ofJgM%#A zKML3_vp3=-H&7DA`;eM;?#PTQe07JL__YAht9Qaci6&=AV+=3dUwQa+`=M-&esepv zp>2&SgrTm03qH%#m3#~b=0GX_p z^mI9%;g`(%-MAO9b6oCESAPuk=h{{kbbWk~rjJ^v+UFTsuGLXnPK`+Pi-m!Zbl3GbZ*Xhj&BV>2iPm5q#v>rQoMeEk6wYg$YFA}56*QHR2v^P^1fWMm{i zOcKW`)kg2+ZkL^J!v`XEa~rp_w`hQHaGrX9J5vwzI;GUYw%{hRJF zsSj5;i_p{T9UrUaEq12-YA1VNJmUJ`95!6>5S7{&90Bf3Gm?a)q=Z$ebZuK@bssK@+X9F$@eC#>+*0JM(qL zRIQcVpDNcHvVE6ylDO%SMPBkpX{^|OH^9Qwj$VzqRK<+675*CBuJYr^ z^BuP4PJg)S_X=XtbF#Fax~yHdmaD!BrMdQ$fcu*{v9H!x9F2iTxU6W zpl8tJy0l7C=W~g#7;-Fm&3t(KI)g9?<>c5}t-ZTP#_!!sh!U55%Dxk)V80P^Akiw0 zh^dLcw8-xpa7;k6+_-}F>pS#!;Q3h475Ie2(oLyW!kD z^6Goqi#-uolH%!uCxXv;T?mIYJeA8vXC)V0d)2BBxnWJ&8>ItYia&)(i+6@z9|z>M zV9E_dw7s$R+CT}Uyd2dbYeWPM!?)nIb4FwxdOf?ELkISro9D*|j@vrmyL=UXa1*NJ z4HFCH#?_Qr_}2w%r{g!ofkMqJkm&5__&4N|3zyVg(TWSi=NHg8267AzxreM(Yl^2T z2$ok%wdzI6%o8(`M`p4eP4bpqkpiY zDJ0CcjotH%F)PPAn?IQ_M?1gYHeIj8k_ax(J;WWhcNLaKDM(_)ZhE>NBTL7l8V(u0 zSt2_Gb;;}crIdy}3!^sg!~vd|^>9wUY2GvZ`{my9+(r$NjV~H>TGd|_26UX5wI@s(xdq-bHqGhY`0b)HPS#j$2aBQlp>clT=7`I=QzQ{V zee`q-%98zp5FrjdGW4zIpjIQoke}`vtB$ANun4`}>`xH;H2C_09Gec|??ziSIJCcX zw_Sg~FBeRmv_cM~w3SAGw>Q%IP5b9XP;7uWl1b+%jDu?7x44VEPfcNF;G%=Y>KD+r zG@0*A#9@qB(zV=KenJOg!_4)W?zmFgo>dOk`c5bhIQYKm)~us@KEGF6P9XOHlrh71 zA}X9x+gwaQ_iE%li->8{e7o!O=dvY{)3<|2Q15E5)EVM3lJ8}9ieY(!J;-?));#k* z4S*v9@)}Nydj5imN87ijoxZHpsx9|>Z{%qVfuG>Lu5Rjbkjxe{cTCbv#+I*FuM;6^Bi8^ z)pkw%)fpd9LXR7`KK^uLkYDqP4FGa=%D(iHml)CCNo>ySyw=p%y%1qxd*s=6q!^xS ze6v*1@j>F1a6FIG!e`Qf*X1sXA=ym7dv1}pzXDOw70e~)aJIv|i#VW1)jH$IT={m{ zx^wXa-2=OQVghcMB?SGwb${pB?9CE8=Wi|2)CbSOv1WLcmB@@`+EFnU)z=sz* z=B%wrzxY!cobgnie(7#R#S!O*7=vd?rI_qVFKM1ReqU3Ac+faKQaC!kY2FjoD06R< z@47!b-8hBf5#F99pOZbr?93i(5yH)ZI@7Zom2tMJPj_6`>^Wmcn{k0#Btz3_a?U-& zMAifQ+uqpE54F_lR{vDpmL;n{0sElT4E2cGiE#v0#pIW1z+P=I^`l~?-DH$L`|`Ul zmcV=;6n3urmJ>j13QRj4AX{Vy2b7oe%ymseqN`x~QfYh*H@`pxp835t=Gx~CY&$_8RwW>VVu>*JHq38B|5~1F(&m*CJ9sKcOVNyrfiOXOtWM)34K_~30fTInU7PnsoF_~p6GaeOF=5_y*VirS=f zMRhSl$UVs))b+um2&V1v$#Oh+7(gL8XM?LYnN$k58dS3$KDy)6D5Mnfl9Td;%x#7_ zL(|9YpoisB&ay{gt1u3`BzclHX?<5F;yaK|Zm>wNbzot%QBL0D#r$y-mot!Rw!Nje zeZQZIY@~8zWNXg~8dxB@&Cl#MyVGj#G)rlgVrDD7>b#pwc;>9CfMY4DDctESf0$E; ziG=g;ll{vX$BMR#+bz_RI`>nH_# z&NP1QOqya_P1>6MNomRVDZkX~Z}1QADbXo552v5oC}K(nvecItGv}Oj98i@kR|==B zf=joUU?2eMwP$)v*w}qs_9KcGgAogNi4Y6+Z}X|#yz8~z2uQXr=V5c1hLt4T%+3}$ zmAgR54e~WNRrpu5$-d8E?%kdnqS-H<2;eUq$M;v8kS6 z^781x7mK7g0j3CcaD3UQx=gwxsd17TtE`y^9vZ-Wy=H|BW!(WtR3X~mZ*_eqtVVvp z0x`s9<&W&%9qNa{(#MIT$Z*Hl=^~c3QOt|u`*M@pI~VJ}t!WBUd8b}K)!z^Vw)|u| zd>%WYgAXYR($U9X8N9`%xS7&A2+7Jq)#vy5;AB|g#5|Db+_OwE%`hyPs7PUad1n7L z4b6H$*HaK=8>3Ol7Z9tNv#!j#3G8YYg@i4QQjK$c^yeaxv@NLuvhZ98D$$Y;)9#yqbFrEdB{-I?%PcYRr`@|? zfp#DAqXJ;yax8D4s$7LJ0tmJU=WUh`ary6I4C3FI+~;Z}v6@w1ct+d3TouV6yhA4o zyLh%quP+6N@?hmwXgb)gJC{iyXJ&t<_)CFCBYOYAlAnZ?jmCc%xA$xX3YkWM{B`u1 zCo5$ZPtwzcx6>IwUK{S~d4t_I^pzY-Ql9lje{5XR-`td$;iU{jlM10DMN6!zn0y~Q zo4)A93vvYvEPMB-R2^-K?DOuTquAZp>cs=?ni%<;u>{C-X?fhvXNt2ie zU2JNGE(>(Gg|Y&g50FoiPz_+p=zg2YLB^Wocjbd(6XJ{^41RcCLB-lF#EGTdvSP0Q zod*urFUI1+8W*8^({)UsPfUj~P_TFS1z4lS`*6EPy+kv{YUAi;{T_KFFBwoXIN0}t340=?(Z*`XfA*Tx70usK9}4< zt)$K6J84#E-7ONlclNwJ{+;DdqFU1jE`iFYJ5;A!^UNX#08uTXdf{iZ^R=Ib)+}i5 zk2Jby50VwAt!!@}TBq+deeEi*o2L@41f3CQ1Ilf3&JHF&2m$9OA|ia7-z={rB?RId z)*O1Je=lcR==8QdtA~gP`}5SwV>E3DRP92AfBc;Kue(?E`&yBrZpzH8sqE#zy?&sDd0;#HcaYk&kDq4Exteo&TZ& z6Zh-*<564xv9BEoCA!$~S^Fvf(G0SrmNdiZ$1Vo$C+%{R7Ia$lUba+^dv2;hk}L0f z#8v;419JT~VJLPBD`A8HohW_e7AO+vB>b8MrU00gc`iNUZx-?8p8X|X!?#^?{8nlK z<|@Y7N>ys&Ig8_7U;b9@6-@+Pdzjno>XgX&nH%c)T(Py8Rkh2ScF+Ys}B#&sGe zcpx9i)GK7zC~^@L+A5NO4#c$uvqFr7h^V^HKu2P8e*_W=w2d*wCJlJD@NTJmu=D!# z%b+u`B;jRgKOc?8CiH|E(BKBH?C`;2a1j*WGH8{WuGgEn7k)sA-Nzu~;G0;dCl{bJ zwIXo*Nd+(mPK6C~AkA=RiaoFCq=R2q;wVt(*gWn8yZHU08=}9+X|Cmo_h2;tVHC+q@0bJr4XxCfdPxouAR$F9Xeqq{)y48i&r$!bz|#v_ zU1|YE1S*KORcQETvG#S>K#L5<)ihJes_ccM9?+zoe1y4)@~|MFy|xbYEkFU9Sb%P_wL*va6 zJ-eW!7wNam?V0j}oQ+OCDu=3^Do{tEl^IPsSzNC~U@7!`eQ5J=yN#E!XBs&vOwX4f z7y~_@K&#G3L@h+kGWp^JF~A^jPrX1=RaND{wc^c>keFJvo zbBO_?kmK=OQ`Te>;r_=Vwkmc1=fZW>wye}4a6FHJIf>2d+gRSI6KEK_$FVRxKL4y)X(t_4)k(6+MhYp?+MvR2XhR!8SZugf)+v38^)cPAB6PlogDkU< z?zTI_V69VV`^a--wUF!Xi+jv0BD5j$aZ8xkh2dn;Zsz;Ums|Tq4bMY$`M8wL8c`l+ zL?RCL5FnLAkov!t!w)GeL<2jHgX2L03dy_UoV+|z+uHt~Nv+GPx5sHe|IU<=BVu5v ze(kHtQL*W(-&{H!NTC0@TkBF@Bc8k9$NX-;>dP#Vl8j8%UZ1!5J>YeM{$G!tfp6d9 z{`Ci2pXJN^_7Q#NY~2mJF*h-DjJ>{zZR5VcWIp!uFHHbTnyvGF^EemeiD z0irqQ4SIUPvU^<8=NswhUt?B7i14z2l%u*QSx+Jd8clg(Fu&7o@)h+R9#~XUcBMCLbv+E+K_OhKF=pERK-|`tOvV{+Q1A%BMGB3)GZU@e;oV zVXNXg3)Et7E=aZQOuRC=4yD(d7}&{P^UQwz%oMUQ@uz3gCAtO{j_yJ4 z(kMj#ITrR?9d(R|`to|8tJ)iA8ZaN^*LjS3iMrxG1I?A%VGy5;A2$F9hNcf2b3ns3 zuR(*<7$~0Sy(v=t=jC9SH5Jcfh=Czx>tqrB+QrYc^kJb#f(eCTFz(?04UhHHhJ@u^ zzhNdzMqkJhHo(iAw`D1RiponK)<)q?&44?5^cx-y7`srxD#rw3ZYuzBg0k{&p#seb zlJh>7hP~-TI_{`weD)0CO`kx9}0f~azfIU%?2 zMPA60_nFrC#aQkKv$+E*WLPi&Bn`sN4rCuti9C#Pf?%$wwlJ{6B0WyS>Qf)8s($GL z-R9fL4x9Oi?hi}Yw!!z6cICq)#V^z>eBmNB(ZsN`wc$24)*qE5ezv7iV96M|nq)~l zz*dAk0qF&phtsyxR(`6eDd*v%AMeKo;tc^47UV;*XS;C zfukSm$XX45GJ)-BPMhM}fTosFB%FwUo&2Z49C}j-x2jkBmt8Q(MCVQyj?{Z znJ<8ly&Bm13+|ojiSI!0=0|I)SFV}~Ln!(JHIjq7;y0GpQoz-Y2zMZ}j671bUjuZ@ z-io@Nm21=8s)A($WNmJxA3+8!Dn^d}?SQSCh4@VyzFDYM5jt4H2}g9XCN9zidH*m) z^OxUBG(pqL`cHSrUT&Y?q&+E+5r*!@_Q-C&@$fVnTeMV-q2vHW)4Ro${;d`ZH?sU> zsV>@mJGar(0X^ct<-sxzX^Uru*uXM{UQiW@zBzyKLBtmHZs z;zS#%8Icjjang~i@o}z*4Oojz0SrSF%S@UG83hKA{Dx-1ciG5qiIc-%A<&67>>^xy zJ964bm`Ev8>=>K(Etq5xyl?6ebiNC!e;D#qm`VW+NgWHnuy46mPu_#9`7ovF&oYBE z*(qmY&qM>C51FpOomKD3Hu(En3W!>gxWGo!47!A2;iI zg>d%DJvMiUi-?~N(=ld*q?*?~vd`G#%nSYWRYEPfsrU`ZXuuSKFMdt$a`iu608#+4 z>5tr)@(at^L08V(wu723wwf9%0LPka6_&C}DSWI3v^yf{@uW#P+X22XQr2ud<(dAN z&SpktE>CRn2PXg7&y=_cNHn4R)dF(+n*WC@k}hdIrg#GEr%DAd}UFq0vj8WhZDpX82?5Iz6^{LoQA`wsovTHx*LjCJYHkZfI{nv^wW7#{-Y(_wj zES$f}+Gu`*Qo^wIEB(ZF2N0zs;eC$+jq>xp0;$NE_L};klir)lEo{hzz~1i9yoD;( z3$O5odrIADx!XjhX(x7( zI;E67Fe3yS`kjJzsgw(Sx+Vw_s50)`;0ovHcFX{a&{_zo^ENL8!b!Qug5Aab(op7V zUDW{a>x~vZI|Ld30ZKr7)qYKx&xCAO#eaq2@e{cC0@h&6U5m1jyMVC4;2h}n^``bg zo~iuKQ2TF|+Wqv4sVNvtseuR3^8$U|B=pSD{f;ykge1YSa9%XnlLFGphlp>X?AzIz zasd?OXiZ51;`l(U+2^tA0sRvIXX7}@MG8SM3o;}CWki-_ru4aIdKaV8x(UFV++NZ@ zhYQuJ7oA+(>KVq5{Hmqu3=iSe|{FT9rWrzCUcY9U5XnVY`>&5-PS zF4ET=%-hV?T>md-2Eh~z(9pl)xI>5cKNGYFGA&I|OH8nIZ>)EO&>MErX2wz^2t4LX zx=l|0m(5ytJ~i1TTBZ7l)0H2OIP=r;I<7Ol60dI8e#j^P{hk9M4}yua?!_wxv*$9X z=zl&gsNJ0rk+b?Eh4)ICun%VaRSEwKdnYn@*Y}N`dU>_+?itR~T@_3_w)TN(V?!YO z=P;UGjg(yC;@~7#Sjr`FNcPplbZ7Gn5X_FC(HlulYXyGfW zkHL=6hFJDf5FjVn%g!ccqJ#95G+3Mo`%?1NdFl7N-Ngdqlhe8HD~h~Bq0nacmtK|5 zP?6#r=JdXOKthq*ojaF%lT^e~U$xTy0MX}tg%OP>7P7=Sw~)iyJECdEXT&BX_{<9XZX0rFz4~-% zg8q^V2Ox4Yew)=StdtHw_VcaRzawxEEM0)KgK^v+kH3DeTVoR#-*#SHaJ|#|DoN0X ze7a;M5Kp@Opu!-tafV8!`<&yIXvH!f|81Pl{0G4mj`p237V@V4z>JM2a#DfKPKO?THhOztHj7{+W^_;&aoy-6kNJ~s~B0)cUtM@`Wi zm-%_g=G?d&T@&zz7K7TaeiNLk$9!ykM()5fTK|$3fpm~7scTUQz)`vNzg-3>$q4O3 zOu7{kr}EJO7Lr&IQSrRu@4>~LOHC{<8&Xr3q>J|B!m`F1^C>iomcd8^%j$LQJrVG2 z45vl2{dh=$YEGm%S2E@NVuWT`reTtjF8hrk3tEPf!z*vJ-=6xZ9DI4#btj*{u^W(s zW|3SRo&Qg=|L*7by9Lf_Oy~WfqGbt>v2*d*leP9Oc{s%61egr3PsH`oi5yJVRIV+O zVyJS}w^YpiH>7>nDz*EvX-553pc_8;=j+WsdgR!I4F!4G*(U1)#)!aP@C_D`fFTYJ zQl$MXVwn&y*gXkHj5Ru6Wf^cuT0{EJex=zQDAlSJZGc!1)FBqxjrM(~C6Blv_Io%b zgqTI6s%^+%b?tt+grh!VPngsohfn6)*8MD<)~*pfPIiz|0XsO(-ryu+MsdL0)SZ*NEbDN3&=4~CG*S~XX+O5Cj6?ki> zdM98Ya-KBUO?GFmV7u#2B8V?2Uegex6U2zTChTii81TY`1S^do{N+n1MdeB&SF!^S z$M`Dzx7u|Mz-UUF5t!`kY$}Jr4?z`o9grcMAj&o06x8=b)TPkpjo?&lc?I#mSDk@E zTsq3$9d7oNW!BQNp12I)-E|drd8eST=}7rz71+I;r`!U75U$eWdftgG;#?~8>-sKJ zIjdFB%iAy&rOg=;&M7jEm|2^AFL6PHqZ&-*SWlaw2e3_jG4xh#0{zo0afHsijkSaK z#7N`6;g_ZYBMcUQ>mqfe#D4l&4 zFDL}u{zw$nHYOffiY&+`eb_Ljmrz^Bh38{^m2y>hVwa1HdOqtz$Sm|&Zo4k4_)-d3EtSZ7Q5^U*LR$Al%NZA|mL_(}w69-u8an;l%D?r|B3!ot z&-u9}1Enng;uFk7vrZ^LsqHFVax^@Sb9+Bdqkr*}qf=3lLKD@e?nk}s?vz$l_e(+u(b@ z+YWbYhF}bvpqRmMo-2p^5AK-)#zFuPJhUqygDoki$9*-C&oAAD){k%9IQmPykr%g> z0G|iVoM{IZwfQwZC1_b{wJ>!!dO+yfZ;>#R0HZ8lxlbl05WL6zc!7;m#`6#q7{pCr z9`47w%Yky3_PqnE9 z;vr};PtCDcd-f|6r3qYxwMZi(INt~k*k03t6PNeD#1R|5?ISUGc*JF(QP*O2Leb1( zV=3h1zb-EbC6K@Yfg!cK|JM=#tvi|CS%$<&@Ck0B6%fJ6y|TSmCz6s#@=e7Z6;_zY zwTML*9+z&V1Eo(#510;t)H^_q1iK=Oo#C^fNyNROwj0)%FACaQ^vKbI2$Wg-e*Y_n zwS(J{vVX$6izVp*CRcxFfQ597D8bCMx56=<$W>s5J)2#S-Rz6J%zQ$8x>E{y^n*ML z`d#v@wgyQ<&9gC3S4Ju?uKC2o<-hW73|pGhr&S}%hi1)t#(~Q>`g<=ecUl2*fI9Jk zy5a&xE4qO`q0npyoGsP%I#9J6bUaMKltZNNa%Uqk)IQh0dON=T8!BXH{NPI0a(0QG zVJN)!yLv!~m?i*_8o(9vJCADfpVQFvL;hMgp*ioOChJ)kDn|pyBTaAmvX`be*OT&c z*9x#iDC{R-z2tS+;SGZERK3sMD0Gzb(AI>tIurG8{Km+gx+%t84s$P7STbAfm^0Ry znlPz=&JNr|?ME0#i?U$ka5ctdXYNtMHx3Z46rXfD9*->6(OUQJ7TpB(r==EoDSQ8D z4s&>^L^pqvHyNe6-76q`!1gTlr7xFaECphLMXmVJnqD>LB-3CIeg(DR5PYmN*a+}Q z26SLNM27Nj&_DscI$rYEG;@c$G>?8)!$Qmj{Ljy&92^^8!~8vhAYB9m`0_JDjWK4b zxpC$?bTau22z7CqMP<3!_Xy$<3F&AwX2m7HJ!H^^8mSFpC1N@!2@vqR(0ELxh_@b| zh=z@a2b2GzqhDX2pCww^m2?1-3mdKU$t#?S<4; z2Ep$Ver}0Ozanqn+i+<_6!SSMJ}KjS-)MutY*0@n^IH^q+6YZ)S0R9zhoB5w!N01k zl)f(0yu2i|jbf^`?jF(#2JAiR^;qa`vPj(3hcndCKKa4(x)~ndv2M~tT;RUILtoHv z!l)m_*h2gCDP*uCn)yQ@B{D7|_Ggb&FV~*3SIxXhuISs&EbSJv&fG)kq&N6WjNKtB z11H9l?7r#0oW%n_4h2HiwS9{MPvKT4_o);x%=rPYuI?zLe>1?HhGfa5MTj7;V*klY@wGUSdm@PrYl@fPR!A+e5ut69$pJ^|w^hjwNl+1Gid$ z|Ac;hsR|=R4s-V#V(2Ax;%r2&DqT(4pE%3oE-H47E{2Uk(xXE7$39m9rL13A^Ov&G zP|LbR4NI7g|7#UAiGdi^+?+W@!fkT%bK1}Zf1Rwhlf16u*K8IZ#4YB3mu{aS5a_!g zu)-kaCrX)qO~uOlb*8qwQtjOpfl*jsJ87tX9qPzUWUCQ{JwE<&>-5V89Dbgpk%gft zgl`nX9cyL`tljqT^}Kv0`%z1w+VwFM@03z-{lU|qRyTGBJ!i5?1ncUHkB`@Nu5vUpoO=3hSEQ4h8&S24~1F(k_5=z!7y&hq$))BWl& z$T!Vrr`;Znw|?Jmi*Cq1&ZLsz{bzmbnr)T|*c=T;*Ck_RovzGSve6w#j(m&yq+Y*U zp?{5jz;L*y1eP-Yj-R;^;{mmfNGf;2uMQnuHD!0WSc8;Er58T_i8MDnDWXS+|9xutg^t#KFnVA@kiC8TThv=Ixyh zSEs$*QpI%Zc;(jAjP?`i6U|fG-&0m!Pf1_BJD-dd|D~EAW9aabkVQX0r+AACg;((Y zD!+zxb%VuXZ*W3&>43bv<207o{q)uX1`;iBUAEgZbH3hfbXY$$>&N<%Md2hw>Kr0+ zDD*iL!T3Ykq*RQOV&G!?)1Eyo_YdL#C0e68+8}GI7tL4b6$}>x&x=Nm>o7sDuKeYY z5GAo7rHbfI$CZJbc^-^+uJCD}M$zEBt!YB}3}F(CQa#1Q%pr%kipZqAwz$=YvtNpw zw^Jkr#z&0{i+>NWF{-p2Co(Olv58QTKt38NwSxgUoi|sc0{g%yI7wXmwf0%}^DlAl z6UUAF-rhl}$+bqK6bI`d9>b0CI?9>-kh-%ZpY%5mV8peTwj?@+G*k}12(k+@F^(I*vqVuW4!fS z>|I{5{$eP*#{_>yP`_?fi(>R;Lh=?UuRRG_R%#9KYIg(qwe_R)p6=V!*p^hWsg5`D zK4w&|&)%a&t|Vi=9+rV3xVSC3?+gwhXT+k|@ME37<79nV`|=wKxkwnppW>9DXG2^% zswcYPIvF#~`T^x*VHI7Y!Q^ijF7%hE87lon3`)_o1F= z|FR)OjHqKMJDU8KQ1Gun49^$#3%RT@LI0Int+LB|{S(q_)H_U)FU>(xDBgeG$(YK^ z>%khNamy)BCmiNKlpBb5Q|>Q%jIGyl0%dgVoQ|$B;F~G!uO0L9Wy8U;ZHH?EnV*|P zGirrXR2xgk|NP_2L^r^TrE8k6=u)+$_aiZHC{V|?fuA%4F;SHwf46wojebT(|B)Ck z(ZBB4_j8OJHRF~z^wuM1%6M#Uo)QU|<6pg$-$r^~suvEH7APq58i5%zJu7)J`zfJW z`r0mY_ze9gI>`@oBB$N6c+W(J*GkSV1H7?Q|FAd@lNk?OsegD*ur?_X#f}Up6@rV` zt34=!AiA2Yen3KZj}z14h=TPwBvvtmhlggyaJv_#?e0w!Kel@!+in*lX8lGd@y-AC zu!X+IHXpMrjN?o|>)f(3hFUFhb&A>i#KLi|WI>2mJnF``$;Sm&ng+%}5p>u%|!&o7p7Dhl*RXBB4ecl^>&s27kNzArQf%%k)e?I&SJxh{h_&m`4K>wOzLg>U`Knj z%z%TO#CHgT38J%6TMK}LspQ;HG({7cVMLm6ots8R4s?R2wyg+vg zZ8l{W-;rpkFU029zxtI6$-%n5#X=76YJ6al;VWkL*32EHZ*gUdd(OrRo^p@OoBZF_ zJ|yA2_i(SxGL_Z{8aBMe^_pF%`RS1M4>~1sU|AcbPQkT_oFxV|Qj*s$m-!OJ@~>1E z2nbR}dcSgR*&&ef2fqk$4Nve!*I$wPv3^@`tqwVopqka)9z160w_|fTyptA=+wZ_O z=v!kWfZII5fXItO_MFt((qzX=dF#c6`TG9B&~?JlkjZL&P$^m&ogao z=l2K{efQz8?qh-TOsZnA3=v4CV%WB10B~{{+Eexf*y3MZ>qoxeFJp_*SCC%$@m%oA zEVCW*vEOQ8V~3fXUquaZksm1mO~T>%#q55|Sp%_!VTKe@217rh?D=KTLmS5+nj-q0 zN(nu+u_#)gTFuqfo&~O7T1wrL-wxf@FeWVA`7kXX1$#owcPZ4=zNGTtA55&SQ46@N zMX{6B&N@Vqmv(DsBMm?7r|LcqI$NM`e|T?IYu3K=^R52BZ+4Ah#CP4G&7ZbglsS>> z4hdsS*im_h8Uo23nEj#h+`fFbNjf}fDDk*Th7_L6?^wOq9R+`0vV}Gt##a*mT?(Cz zwl3A}cJ$;6Y+K;3yBf{HE|B~GsnHF0Ud)xU`nhN2Wy*WW)eR2&vQkvlcIK~b#XXnt z#sBPB`xPiT z6T3MleW(~X0QRoz~lJO#~q`Q z)O8(t%RwQ-j*hKWhdY#~o65PCSC2RJjcTS;-56(@w599O_fH{0jfZvk*}OfrR@sv> z|K8!!zoMQ1e-K?Cd<6BeaO4Zq@XyKp?7E-mHLkt#;Ndc$7^GxfI~W+dNCf0caZ?RC z1&({4o5TNLUrtz_52!5_3c{z@$E@UdvuF57TszBgi5K{rtnK0g#!E{iqPI30`;tlY zk8dZ~S&VuE?+Qs_4e{v3^ zT^uXI)C`?5V=zW?;_isroxiOQWUXUM zoX>+8Rl^TtOP9MDZVB(3q)T-Mc<%#ucj5H65Sx@gyo=E`7KL7)4ig)DL4tQ#L^@XH zl}&#{49dm>94woytp6NLWgI8G*tPA1Z_TuYpwbT*lh0+pe`oOaz>h5(Yt@fd`cv+t z;ZckpqX$v3<`}>k$V3L+a z+L_FW2}6P7H2W?54LNQz#fB%_bL6cfQb^8id!v;+;_L!pt8^p-gTJD_4#R4%91`yY z?6K>{0Ge^J8{(6$Auep!OkZ44QE2ROBqlsPv@i|^z_R9KXf z0cJgTIJG!fcFr&;=hN~nhY|w&ipRvSl{c@~8FQQ2aRw44$NH=!4tQLrpMQnIGQCj5 zHi}ex4PY}CyMKuXiwernRe?d8&?3 zt@_8GX^w~TM)kiB3WI!V`10ggHA$e^MGh0IvgSF}$Nl=NNZak@#aR)(UuBnXM`Nm+DucFJv!siAM>{bjjp-xDJY)ZEHFrt6oBb9%vBbV;{*^ z^O{0fJvR(l&Bh~c9Iu7RM3Rj!Gjx9`uRePCb#=*UIW+COm?Xham(9sGReEwl+}tDx zjgH`EL)tmMrDZgH@kOR|sQX9=39JPCZ2$6U42w1D!~uBN+N4_eRKcHNL;JC?FCw?Pwvh>n^2 z5-|I6^%BPgj3M$=uPf|BLhHd;&4?GJ>l7? zmN2t4NnV3T*#iC-sx!@6COv?`l=L4EN^K%W^mMjOySi8@@V!N*t+w3vJJNYDY`}7p zp5xkN>F*+SIpO83nv||byAozzXYc5~D^kgtn1><6BBeP*(c>DhInFp_obfCRzz=kl zJQk`)h8C}iVo1S~%I7tFK-u2chXVu`u^e^o->J4K-w}lIL$Bm~#JSB<`*2^L=*XST zV>D_iiT%Zp_q25#Y6VYy+~UOQ9Di>D(C~|MB!6+s9;nP<{q&L+8y95MA)C6=MnUp> zOtQaRQNl_$xQdEVNdf}MZbyqjvN`N*_WgW*Fm6Z79RkilyY1H0lRavl*67=P30qlr z%Ed-snd)fX&&2D&p%YRdFv%kky(`4 z_2tDs$bp|>B+w)ar%Z-sNHbL5u$|=_E58v~?b=T70_vW_={P|l61mR*L)}|PMHRh& zqeFK|H;5=8UD90&(j`bE-Q8VEDoQufEv0lwNOz|o-QB!<(C_<;b^pHWUY5GXVdBI- zdw=SAP6>fV8Gc)PJ2^Rj;Sq77U`EUQ6*M zRWmExS9C)(%*IQ3THvNF|m-&OyqaeWp-~M&~KL9)KnH( zKt78_B;vj_W2@`-=>Qk*qsg}HTF=JU@192Z%9q~(b;IC1j65p6&(CpiPqAp6Xyrwl zRZ?9K*T7VfHv)p+Wxqrzfwq`cLST%hJIhl9RpxJ?Y_n7B6LSL z-`OG$l5Ye`vw|V;GqiF z7$0U8CuFMJyndC~hMyndDMEuE?Y-tu#xzf`nE$g-jMmup5Xew6#aF8Z|D1|LO>7*d zA@wO&R&t;;JnHY7EusXI{0`n#uX3N0Kj~Y$%CwNDupyjPVBlbdkT9fdd9D7|1hUH5 zQ~AU1Z`@sLyOh+_Xzeykqs&!cCDLi*($My7q9==NLUMUiUgAP<{lmmE{q7wVjDT49 zPfUTIk%u2nV#Q?YE~Q}7?5f2L-cB}woZBjO;eg%fzsJmGHWRdi)02f>gBFpU#-3hp zp=cWS#(`tB-0RKf@c_u{$k1b;b39^_1@dU;b}XAqADynYD5|^rC78Cg<&1c;yD_*M z8m|oIG=+bi#w*KPW*U0%Vz-U-4~zXb&Er88dfj!o$NEFPY>l*pP=s2e<<#EvWMd)H z^{1&!XCk8;25}%z(YBii8CPvF9sjK9FkvG z?>#>|d*$H->8Kn$2?kRrmDQ1-8ePo6H2Vb-JgNz3M(=>1P@mF&hk-O2)jC_0zH|Wu zhz9YdzjE$}bWz{paL_|AjYXvM@0BdJ=f?gmY}E0CghfpOwHm?>WK)P0!FeY&A8vBssdiOZ72riD z=6j8OPt$@4)Hby_pw}ol;UlnnfFcLkMZxjTy0P&{2Xt~DM#AKk0>!}M(YJl6VJ3NnRr(eIS$?hYP!(v6n(?_@FR4}v!Ewx7B*7$E3W)~ zR|@5lyzmBSpL;L?%8=5xBT94kVZhv<{{SS@?;a)C?dcOm2iMW3;yWWUU|oD|xAUz7 zC*j3CWrI{qMa*-C$7E^V*T{V#H(ggRo0{~%`eV}A=%=y2-iAIAtob9vc|{DxfrMY- z0`q6svM)DV{8Ac?qiH{&xe~_)@A8F{hgvDzR+U;7-UxgX!Q~k;8qW!+$}^WjRKU`2P*+2>|X8haKlWOlNzpLIJj0YCo) z9h)Xd68wZ0j{GI~Z9j41spmv40P{0W<+sH}(qAJ2nzdoP)MKFRsQ-LsAlYEf`1>x+ zw@oV03bYU_+vB|KI{r1MvM~6)vMw+Zn$-! z!jH}_dOXzOGY86uRi2pqK|#~!g|0zj@$tI%eDQ1Iu8%8R8dsC-bX1;dhUOM`Ad43M zMjAg0Trq>^i|FK^j8)9F^II`0gKcGoYU@Xjky)U?*Si%nd$&42Jw2 z(195_`RYPSS^=vm{$ctReTXS%{+r+zSE+uC8jb;DYF3^;2~BdKZw?Q>uGyHB0y>_t zJT_QDIY?nblhLn@hmo9Gu_b6kgy6JbQhKa)DEm`Tz16-<{7kE5OW>x32;av94AZ1b ztPh+8z;sFmE#j=e8F1rxsIhtZ#_%zkZxXRU?_ zE^;K(D~Tw$_v)92t7Edl`L0f(R&M$F=@qCARtM;OCLT2b;1wJ#F&UY7b)0j8GQ7LID>Rx z;(fo&%(n*N)6HPp$)B;;XN>6>sv@jO{C9y&{kB|NM+4-3HZJI@4lUJEcY7I-w|tNn6dUpEh(r^_ z2i2xa+8n}mdqOBEGmmxQ1YioBEU^3*{f(~MaDjv5>4m0 zh5#@=k2@dkKW8%GWX4Lu`{c#V_M+aQ2`11CpeV+_^-4y~@T2F~vB1%!rE)2bKqzOz zmPnnl-6_5o$3Z~0>||3%zL`;;hNlh@U`231E4-e0&Cx>eF4-#n^(zS|{~335(c?BT zsH{o0KMQW7TFq?8f?GZ37g;cm@+t5@7Jz4G@GBx&!lBU_3FTW-;ysYA_IXo?z^uO2 zkH9l9k0ixE!Zo1|rAIuxyhmD)lq6p;GwG%i_gs^e6ATc3t|$;0xJ3KzcuuiT%J7sK z1_WcX{w8koa(8~7v5_zZs9y# zA&8Uvre7{P@R@(3B=ru!3k+mzQ0uc0QfMh*@Cd`=368O_ zJh-;$)QzfQp#eMnj%%|zD$f!_DRtr_fwQrTc%Vd1>n}h|J{wb?gAno5^BreFe;C3J@-Y#ooh%s=LIfn?o9cv}*Ub9aE@G>SD6bn>=UaD(r;3sXH z`6DVd6&7Hb@Z4%uEb-kCiuwB1Jsf^?Up^6suN2@!h{zgXz4rO*@Q5!`ncH@|!&(!kkDiSl0WIB@f?hvpvcNS5%|WfL{iar8dz{iq5Z zG63g#;UPXkhc3iWIv-#bJY~h5ULj^@w~sniuVFP2Vic9lR_6P7ZrW3y-4cVUr|SP{ z)#7q)(ne_5MRihVJuMO;Hz7V9uA)jJu&yQuo(xxfQ_%T!(qtu8k}?6^j@K6!XhfL@ z9!jZg5a7*2#l9!Lu>q#(6z{?PDD+Rdo5$SeN`BAMvDntxeWhreFCKAQl7r(}4zo9t z$~rX&kI8u0TC;2-kKT2VRd{Ac^wS&fE2S{)m8ikSu4azv5yg9RDSxUY|1=@L61A)C zqstx{nNbL=Z7$W$@bmBcr}$)e9-=Lm*Nm9)tO=WafF~^N-4D@o5aUOno<(;bc8yYI zSCVP!{minJUV4et$f~a||JZIF_S-W@D5Pj`{Gz19(JjeZ0#i!SJZTu$0nG z(Gh)Cb$(C{2ACg`-xb9}s6)Q{-w)xiBzQf6Qe-f{x14>V3X2QANlbz%sK{;^xzTzJ zlLKe0`#Wmd=?8ENLA)X%P3ZR~dde1?&eg#TL@r)Pf9~`QwEl9e{)oZIGsD5CvbOxp z4zIggu$9jHVAhY9N9$)>9&St-%$^1u|A#lm6LR0aeUbO`dPLDf(VAUM@FiYzI3K3i zgG$rdbhSK<$Xi&t0k?>9qDQm`^~4!>6hhZOIZ5u<7hoiHwx!fWxqAC-L~=#~x_dLu z$w0A4Cba45lB8kfL1$4&rp5L!P5JeEF;rQ6Q*fCd+lMCfc;V*S{cQQ%{weCqU)#{M z!G4FZ%O3^-qjDRbi@o_?HT@Ag?&}v&>fLV1^403H%4QI~!6 z_JQ>PF%D-=`n`Rz0U$X+gK?nYXAIVBur5leDU}gw}&uBen zp(So?#O`O$-cy#*uONMwyMOjos>rFaN}o{@7u?k4Mf`-Oxb^?E(I^Q$6pk{!c79xHtulft^sxt?N;u00JG0XI zWwtj1Tu*>dRjT`Zb#@sr)e2b}(Cw=R@ibdg5TM&c9<{euhtdI@6H;#;)I8_5e!d09 zrulq(+3@iF4A1k@v1O)+51W6idu$50Duv!XFQibXrnCF7sVO!Mlg^}vo-V2jrokbL zY6#@ZH@Jn%Z8^~!!vLzVwYD5_>oJIWssElRbx$GrQmLZ&u&98ANc9*xQ&=qD@-+WgsqrbPbh6 zU%sRVQbJzTlNr2J;esW>RB#&`VD}$U_4`fu!1l`sTK~F4BUI9QWk7(E#Z2M4XK=dH z1YidM5Sk>{2%V9qG`mpC8|)at2PUzAPpla^xNTWkSpir6R5QFgui~G&69Bs&8`QXp z16|I@UXdzSV9Zwa%5@c+3)n+|-Cq-6c_KUs%@Tz(XgaFk8*7fSO;xolm%U#oDY3 z9Ypd@M_sTYSSv;`tz!B-|L zZz=x^<{TYqZJt%&<{erry#=Pg7c5ztxTxpnR_akLv6ec!G`6KdyFoBl*iz5rZ$I?B zs?IMIb{+iLCAk7*My_dLATG)IT0i2pnvo}eg)Nc2Vma6%+S;b%N*QQ#3yU|`LM86s zk-C`qoWD?SQ$M;D;T{2EYx&cR;xvI=GURsmyTcFS8dcd*$jH+0Fr`Ay}5R%`SO^iCMIm zI3HLbdR43~+K0WDZRy;1ISO=N5y`RXaJIUXK z2(dJB&t+wZITw>+o;X9=!TKN#v;t=|3sg~mU-SW)oyXty1+1Bnll%j+(xpuXxGF%W8N0j3j_ zD@eWwUtV1`bJlV2ZH5Qp!VT3cK>2vg7y<%wk1qd(+Mu%~(Df`>41;0!2d|%lFlWHL zCnoam#fdy`cqK}p^kQEw3+Nh!)W`ieNC%+CV6^UusF`SmfNt7SG#KLTvjHZ6-t|ZK zwPPI|6mg{9Ov{WKNe8_V$n}t>b4nzYi#|q$G{Bxz9wxD8aOySmnMU+5_9IyYVfo0T zKSCNqjd4!=HKZeKq&7Rxb$PnagXp1x>{xGY{Iq33K$?*LLA9HC)=53Ulf0JPQF{sF z?KVXQyt0k~O5aZK7ZCz=dF~p1AY&$33>W=KsPpmOcDNqUxlt+znS?03w4VJZ-p#Lr z3?9&S8FIdf?$U%^ff*Q*=HWmGW&a=;fH3(d5m#8YZjIn?)HQ4139=a8{CkOwZ^~{= zaKF0n--!$P@EYsF98{N)+iM6nz|P+$`B!H16MZq7Pn33@HXMwB&3`;9SCh6b+%llrDz8e~jnDUZuXn+s{cAcn>} zda-oTs6{cjYrA1;5u#*!H^d-$#@`puVCHFtjT{$x z0N?L{DeS)~sCBQ`$Gr&4jwQ_6C@rqxfB~$+Ejh6Ac zXQk{Rhl*PFbdZxB%qscg9W{~n1gD@;VYo<(c;>(fy-wn&E z35UW=jxj2G5s7lbLw7X@CW!c-RZ^@|OMH!)G{AfjeY#@WFL-?>s`iBdBq-6ql^GU& z4L=}QZ?xFzbb;8pzJHl;Nk3l3>H}_9?+w?uvf+Hzj;qT>&b`vtR+% zoPND$o$^+Z&EAH;AK4u_<*MbzYJ-B2jWwoUT1hnl$s3nIJc8|4wJcCbwtipzr|Tze zLQu~d>%@q4q0kek-3jxUAShFV<%QQ-8H>BLpSQpq4)^(M9~X)t&-=y06^azT)b}8i z)e_LLc3O0(G{z2|py%1U2@Z#{2h=jcmjsA*f#+k^_c*K5i^mFKdN}=|%$#!Zz-U|m zCaIjqCPIVYI)8>adj^I?$1-fCSdPnuD*2vcE$>G0B;A?Fj;DLsCLSA@8& zmbM8{uHg|wUtSSajM-Sq`6gY{L{V9Z{7z9~vudrqrgcC$BJo26uGg)A z|9mG3EExy0XL|~PKpF2#C4VAQPjzGMp1m@*L@fF@RX6{PY{Pl*InYh#4*MM^;`6;3tI49E=BK01eRYlU`@ik=Q&u}d# zE0q-+O*8L&&4m)8nq-0*1JSIwgBA{%Aqke@pP@eD;RM!pacW9|_8s6e zb{JNHURNx}$BxC!wID^p+Ej*;g;L(UA5e-?jmI!AwQ}#A2=k@Y>9ZD+syZC`pBAQ0 zn7p!bXz&~z{1g09uXPs7KWqWgp5V&UolizeD`#jKlKgVPmvw$e?g%7yp@kwf)^eR7 zPJfqJ=<74kdKk#ROo<%^cn~%PHxigm41xOv=uNAUPD%_=aUd7SN^_p?fP#E!dJRnU zzO_Mnx?P^Ob`vztmuRTLZ5^PV0hp(i<1WX_G0F-9R=XhndPh!jri(`)A#t2!^DkeM z!uRPzR~^sc{u2OCF-li}z1aHeml9P&yz;XZmsc;-W4;pr0t5;iB3{sP${BghTTQ2Z zcwut;Is-#>Q5?M z!$1NNF_*aT(SYs7 z!ctEJga4a@zjF-ih(rPbc#%6u0xUr)9=c{6LOUznAI9?*tnuS@t{!q=MJrcpr!K&!0={g*5;tMu_45 z`mDl5>($`p{n20WezCm)4Oak@TG5hIzlDnW&{Dw2?vAH*6y!RAxFS7L-EpdNT)RnqXe2)R3NuOC14e$ zFZJp#TOblVVgYvPXeiRK$?%uAqeZR4YPf<_FYt?V(T}J-3=B_yNw5M<43LLOXIiFS zf@V21#%9#77m#0*{_k}xBiG!*IFU84`Nt(wnkk;cJPgqRlx%S659Z8-27RcUx zP?|*YKa`dj?l&|xeh^59z_C2rTvD{$-`~K@5=5T&4Q`&F?w1csqdT1-ve>eJQeDi1Yfe!>v0wuz@(1g&eY#QPdIe45G?w z7bO5y>fgd1W_=X}NG2#;;&Hnm0=cirv)Ttqk~GJQIpPdTM#b#uoxjy!)MN-v51{f89AEYqnloj>>y1~7_kt{~FKW6tZZ~4vi<+O663z!`Wf#QvG*`dlriEfQ zVAU?f9syQr=RHRZ%6q7t&wZ{AsKV4cvmF{uTFyJrVe8l~&JeMOB3l>gTacv@rC<3s z^RQmrVr3{i$gYEaj^~@?W*E?6c{2Ib0A$w#cEKgLg?DAai6vKK&oK{TL!gHSPUtk!%{rX(*lRV>51GqI5P49!$szdNT_!%9nU zu*rL9ureA{I~ZAeu+=$xqer`_qGVCqDr`% z_Ui6E8a~DH_7tRCqnYNV^er9eYOr~?VSyA>7ohh)>uL0rU)(k+YEaojmMmE!7=e?A zHe-G>T1qir$|4F(r3Qgk%I4I2opS4~RTP<5x?RFFV0nV3e(W%xaT8Uk&>hTPE-nwx zf}y$>^4$G$W1-}^up)kMx+9}0y|1I)M>7!Od0`(lIn-28ls3oT$vU@pF1)jBy@zr9 z{-R6x((C)Qn|8~e4wO~^c;q&yxf*$SD1|~t6%KXJxMe8z`boi4+cZ1g&zwyfwLRY->AyGeg0vCmwqX>YLa zxP4|kWy+cU#VX{A!Im91S$+4{1JRNvWv`d}JO4$#UuPf;{itkwzrtH_vt5)600gv@ zEbGo?>$lgQbE*ug?ax_F#r}&MHJH5b!*#nLq>i4*lpAgkO0Wiu@e24izUHP zpE5MZs89@YJlO&j!e`R0*OjFwZ#n(zfM+iS69lEmDuF`CJvvgs;*Y#-f#EF z{dme?ey0f;GE{ky-v1aK0+M#>A}ZJDW)s&VAEF;?cldm{`uJ|cPa3^FJ}alnkopr3 zk`LfelE<;A>ls5s%%dP+lV6fE#{R><;q#FEL``zIx7AzWiru$@KZWRiBn+$x3G{st zpV}anY=hVvwAA9#qQM!92T-M_s5&~vWipuK?X0bHzItm9)aLl-H;NBB4cviH`B1gsc?DthSR z$kT;#?fGyuHnl&h3}>0fjb=VWd^+2bK$J}~%gN8n;ZdRC{6)FHbL&=>ejR8TdPAR(}3=lRg1 zfB<9{OYKxVAn3c~4^9@~>YUU^EqL8r?@Z1$_TM1u*c5IE0ZZ2SBf^L`8WE z!4uA0n>UFB7mMD0l|w9~ctM0a_fdrP>;OZ!)u3JcDPY%^G1a#fvRk4E7vKuK@XF|- z5$SpD&7@-UO@_sQt>U>+#apRA$cY*d9jgZs3MwxG2b4O2I05Z!GC13_$f_=uTz|2e zPa=7bc!w=&-U7lnvV(}L2H>kAm+XZm3urEKz_2kJ6}l+u7VgYB2N&N1}((Z3T1 z{je;0H&smkKoLuFgnwzLhi8KgK{+`5$-uo!5VzLdPHMPFzovG4B?3rRbN`ymK}9Zv zCmV!=v&kEM5Aw7B@$BKL6Gyy&^v?NG$!fVwAI-P=r7mdKGI^sh{N@RAR^-rs3;iIR z!iiQnPJLlMVWdK?TTdd(4ON)6P7xoy;L{(^iA!ai_*0vSLZ@fAsIMaYPsn-*21t;K zazB<69^z1+p8SlGh29+k{~in5HmwMQkWK|sJkckk{JrP<9kE<3%+p`!T)4&*KEDUh zBDd7J>5vH-U>4#8Mx!GRs@p<~+$~b5FR%3>-a-Y}3bEj+>|d=(f+qH% zAi=;n_ZX=2Ky$e9us7pBv)nsh= zdY|r~a-TNiEd8BxVW1>$&iJElo1vk`hbPd&p*BdCWW`FT;05Ed?9PP^6Ucl@kc(k+ z{rpJ_3ZCVxbkpI#C{JhgMgyrI_?wdF9l)5#LAm?X`zOdfo$;!ra77E3q#q7M^|F9W z*xWx`q?et#4eD%_oQ?_F+SfSgDBB&6gZ5jvebbO>_=FHI(GRcRy7D0I1kXn*7i&C2 zq!+>PAR=&5fkN-!l7%0XPv0!P1=iC}BON;VAuI@Lv;kI{j7kBFiB3R5#x5n=V}4OP zp5f1T6sG7amC32(-ftFK)~YSwyY^}L%p1p+c^?mKC0o9L9=$fmaj}6uR)!%Th6_rT zAc#1K-$&N}Y|^Q|2D=Xp5!RoRf#H3^u?>RPDDW_ljK3lXI1;~Ca-Ju>CjFWNt$Ex% zO|yKzA^$`y{tIm9Fu7vrCwQMf{eg3;oi&~lYD>W8d(Y-@iIIq-cUM0ZYp zE%8vF>w?aLSUzcKU<^>ff2oToOFYgoZZ}^;9hi#Tj zl6WJKlKcutniF2t8IS;OOeE0VYvO!DvSjY;{WW(zjTTx9dVB4QJfokIXP`GdO)p`( zyuCH}-}Q#Xe(8vRH5sD*DspG^U&s%pk2(&BSKrkPbe;+ypW@xL7sSotrUL2VmU5&`oAu(LG@t`T~A zp92Xd`TjzWjF%F)BV7t65I-s%V6okZ7|d(jx24w8(y`%{+smV8A1fQ{|O zTBoLWC;v8(x<1;M$`wdy%z%dqMd_f0d1U?hs|!vLp*@1@fZE-&uP{h~aRY>ed!^syXepY?p5j=7BMO3EP$3_3%Xl3=C>##t;EV|~xB5%d8>s{D(-C-I9zK^& zK<_WV8ETY1+8qRTZNN8>>EGCC!UJA5^)Gmlp35&IE{;UCtw~2ew`TCXrKhk#4urzz zW{@#zuX>Yls-Hv9t0kZ8B+x506R#M3V+o?8#O)+39k6*oM|4f0uZlU8dQV}cjyhG0 zx8V~7@5%78+2`;XD>&ob?wNxMV40IV#+ezLLdW?apJd% zs$4n&nDp^uA_h?QHL)q$Y$-u^fZ{i&1z)j4L8cpIw@59jNsMl!kZXibR~11JW|i=5 z7np)lc$@Op79J(7*};u~I)2bNA*4R}AbS>+Ql@YY4HTfUAqAwIUrG+AKc+X}1;)Zw zaWwVB*ILf*Chv9TyL?rnwu^O(F0md=nZ^6YuXk0RKQY0%Jn+F{?B9Fw=aPJ5e2@V& zN$9kWQPu@Ov1ogS%v)Lp7qNSBM$MERfDc6)Mo<8?ZF=6Zu?fd>20J#b-*<6k1Zp#Z zspqZxqd>%5$e8A2-vW4IjZ3Yv`y1b`6d4m1vRm(((8^tHCQ1#*bJk}2QPjIzK~pzq zf(hIw;t}q(*^3%B?oiD-(FHhYB~dE!^ZW$eh1{LEFfH`mU0$Y?z|d#|b2+bFxVNQ# z+bcEqOD_MF`}*!#1`moEKdDk$Zrh@Piu(-E%|#<`&^jgls~Be4UD{2Ax3&ZJ)D*Zr z(5KRAn6N&~GUQz5-??N>&;Pg1Du01je=mq#H6+Rb?H`yjKjfd;%~&u2g8{|l)EXt; zcVXP?<>_*amaq2G@N9_^`3%VJ{+DK_rApMoyA%$Jx}Fbl3N*j=7Ua@coNiO$d%zWu zNSEkTR${fK(aXb846C}|pU^jI)}U#J9a<986ZI6!!i6Pgwg_ozXT;Sh;{YMiUxrOfE2w7hCFpsF9b z>?hnDxj~@Lazd>>P6(D~K&@aJpF8YC>1@Ox?gSO*6C$A0DM({8p@5`xe>%dPV9e(R zOd|`j75k{UG&W6*0^l?@L}ATd-eP&$vF;KHbM*hgJ&g8k1KJZPG+HxVZM3u+*$!Xs zYkF0%iWC{QMZ?|wIcZ^sN8)cR7HEq=c8_iqTHyJ|D|4M+np~@7yZeFl9kweFL(mj- zW?5<9Ck{nk-O5&GpiR{)QJ-C%j2$zwo_A$hPP5zxBOT#KZr@G)&Fp*NaY>&4O7W&n zPB(H+9BUYNg^uqmz1_HH){9iTFbb<9(I*L6WP@F87g*ySlXDH3l*L-R>@zm`nVUF zL2(WYD`W46Cb&JOq53boN4&F)`1R8|!m@Kv`l#&V`RN-dqWHAhv8YIt0ctB!hOq3m zoSs6n*vB5X#Z&*mC*y7$`=A!`XIYq3GuUzWdAhpbRa8yPMfxbec2OqAVA$AvPyVZv0Xg{ik z$Yv2B*ElYBBfqD_`A>5gur>tkZZ1JU&z^h!x6(f_x>78XP?ZtxmU z-!=`7;`4ZE{2#a^_6;6s?{}9>x${=PxHj0Cg7}=A*1gF&2|Z?4J|Iq`jS7nY7coH| z6+J9?;&Z^9nAF zNJvnFjPmNCHwu*gNj`Sm3NEZ91*y=HD@A{3$b*tSPj~Di*scF0ZmE(Ga^QqVZCwtS z9U}hn>SC3g$MFsRhA+R;SOm0w>y0stqD2m+ zUtJK^YxtEhG*ostD3t|K?2gz!luqmQo_w*S12|Xt;>cN;00&C` zttXNKNfnD0!pc3KYo_NK(us(z2KHD3UWCn>iwf!`mIU&lqdxVnN@8e~DurU*sn464ug(>U4 z#=>(?HxECsml8wFMPI-`WS*fBvZ%D3!aHw{4HzYjC&}(NU*}3wErqi*zvA}xy$Raf zx*btGbvI9VrBS>c*O{(7zp7et<45u$zliskpg!krw)n@%?_-@)u(jSUmUcX3e9l)X zljiD{%)1vR2>uYNBIL5qOfQ}XRbWD>B#jY`X`~pAf@Pb{e_wp`u)M+Bo%R&T%p_=J zUy>ADY^>A@boEL){SChA&KA-{ud@4&?Pm_nx7WjRHRmUwDYu&^oE@O z+-#&O`eYHz?4QKMnMf`iY@N49bh(STGMqnt-8d%Xa{8$W{rpd=wJxt4?<{od+K`acS1nv`+A$(M(zD0Nqhp6W39DJl5qi&E3|mV$s<}v)f{C64sX3r z+9s_N*7ak}dJ6q_`T^S5%l#F&D#hE!y^DrQhlY|>o`dHf!YiNKrZuO_gOj5=YU-0^ zTeD-=OJY|to2NnOyfvXfUVqlOl86aWW-&c>#s5^BpYl?V&FwV8hC=i6g{`ITAGh!6 zlUFaWnAsP3VzMO!3#MomdcCisF89f*uV4OXXs};80r!Zg6m81tQL2{h>5Z_W#V=mP zLGH$x{t$=;frkqi91QgxUa_uEyibo=8mf;qp<`wquzDhwAfVz%$mm>jp6-owY8*;& zWz`z$LG`V8@RHO!ONaIe52t-kXr0S$lD7EIbZ0gaHmPi#PcEP>ULN16%l7t8NlL|B zpfH((=cB}tvv=`LeLvz?U*1SlK6~c#RO!2-XfsKt>7b4eg>TVEu}pNm~zw-1WEXy<~3nONk8eEb}^iHqWUmths};|L1pE z9Ri$#(A?m*Hmc2D8vQ&f;_COjgu!=w(LPM;CGSE$d%oo@bY7-{6|rc#pGKHg0Rss8 zkp1>QS%8z#rhYyjv%CfO=Z9S<2Oo{zH~*?l(^n5;w2b2g&#!rNzCl63w4SZdCJ2|T z6i&!Uo9F8>skRtAD?3>}am5Ei2%PZ8$>W99&k2*9YfJCNg4@tGl1uK-WSHb_bjUD6 zJDWJv*w`wz7R&OYC}#?2kZL#kmjjKXqbE!E&k~Q{e0NJUG&CG98+2T|i6WcJB~0Hh ze68(b)<5&w$ClDAPp9D|dB>%mWUOfS?6Mt8ExzAmG_g`?&Gcm@#-}1u4~_g;=U6SZ z=fW8Wu;=CjbCN>6WBIxr4NaK4vsu0i$$ARTd%MSx@DK>3Tc8`rbyn&{osmA{UP-23 zZ=_P2={&s}#PA-!vh$Q0>Rj9HmRHh9t(w)}=hsN~VG4~am?8qj^dX;sT&F+;= zdef|@2vCbg1kYE|+;lK01#@#Fw-Xa#!4aCTtJ0`t-tE66Qcz0fF3oGby}t2=)n+8Q zI6A)iGgYQl?^CJ$%F&_*OXf7bfHv=O?-#bg-3Ym4VfU@#M~}!n3LW>+=hA+bLIkhS z&-f4n%Jvbn!-pyb@6x-p(ZL>wuu?fDlV{C+GUPYyS2~FmlH??zCuF`gS*SYSpOkH1 z^pY-`uo^1lB7JhX=bQey*6DVvwAZ%zKC}7v&Id-l&NA!Ss&}E#In7xsxci$44I|Sm z5>bTf*RF_H?p5nwy$>2wjid;Z>2als6y0FTj(@mq*5Z|wJnGn2aD3JDQS?|QHL32! zy`TdR8O1vb)v~Ms1>pk8bnneme*L~~4S`NP)&OL12btj?`N!b8)U=R#g|(Ul_pR>4 zO_F#L-LEPmStMp_sPqeWv2JncpujsHlapp}r?s*{rJpM+Wt)k6Ec8#Gs+VX96lMlq zS=^-*%#?dn40iVKIvlMMcXUjTR(XqPIeF(citVGGnhD6h*D>U_UMNNV`0mtf#e+d} zNod-NJKE;?Glf(&vwTU(eU=?Z-lna++55mn`m0bMp{!#<=7M*}Pw8z&!E|de*c7;C zdVYJXJ5O#hI&+%bs283$(DP|D>v1rey)p#iXGLS8y2pudfQ(2rN~iWMK`N4{cqP=u zVlqxm>)?=cyztHIuBiJ$y{OwHD>%cRpy4Dw`v~2Q(_)GO9hG33HkE2jsq8i)aVpx* z@30GZJ~Oq`yY$A;F@R=--3$g+UE|uIOzL8VWprl~uPS$u+BxBS#cOV+)8!Ndla+ZQ zqVmk%CI6si6#&S|5vmY%xFHQRv%^#*uqu ziDT6+%{1K#n_VRD=erJ?cB4Ya|Idx5*g+9^i&|WTTc;XG`7+C542nzX4s+i#>)YD| zdiZU41V+3kOBb!8*lijJhGr9B=+pda>oBZlzKK8ADAP!OmL&Vh#k*F41&g8p`YG+3 z`-NbfjOVMrp&WRVQC`jpR@4c(_Js<^Xhd}KcX1d_V5u3))Ojv=qv$Mn>7?*FopqJ&5Fguxn17w2%3H(^Ne>HHl8VEzs$mW%CMt-3rE)_8zgJU#L zg3ofcx2C@LE6;Ol{w2rB-dAFqV|ymj?lTx-=g8f~>V^F!(NLF?Pu3@SIW`WbvAW@4 zZd`Is+HT3b^TMPeEnicMdUV?7d#zgj$>FEomnXq)?m8K*DH;w(__y_M-DuN0#M++I z|J2M|oxlJWH6$$rV=vFJV{h_$REQnv`SUkf`B$et173VAv{84>4*ed`)m&+vrH4K* zjyWYKlcv*RZ~@Nd)JNzjoPhaFsiV^REhZunMqXK*?-uuo+PXrGj~vU1$3#hS^KAThhf5TSn;$a-qWlRgxxbt~7Cjm?(rkavkf1D!jlIH2zU`l2}Ne?91K zb71*pgz1I?ed_Kp(Zg>3E*TIAGCMrn|9%ib3^6tUANNhInHKuHTBJm< zFI4k?h;c2WoG>8}c1m_Q*w3CX(~R@3J;c;l0$XzkG+ga*v3VqCHwQ zqAjC5#*T~6%S;_Dhg&z$zne@=f)6#h)al(3OOekToek;@6o2ya@)`er_Xiz1R^?B4 zKIUXhkEmk1cP4W_eoE2F0vS0-cP_>udXw#Gp5S1@!?}RK69@di_(0Y~uN4hJ%HcBv z{)w>+CqMM7We}l<68yj?$|VzHgUyyk5)ny>eLMv{zkZb6&}9%D>u&7-k3G;-X0UU& zL-u?ahJIE-eGl6S36Ki|w?Fts`tUzw3gf?H4BPnMVEg~W1IDJOZz;&y79P$ERroLA z=|n?f_WxWIai38yaFzbj33e6>`6@OH2&dhB_?{11i_x1!7TwT*lP5zD!KSmOCWTtV&`;8xBHC@Tt~w|c%ms>3-AJc<-3DCbt0I)2y!<7$1sVOpx;Oa7BsC1YRgX+P8W+Sg%F^-D#j<_B~zSaxhVPut8Au;^qy&MC6IZ%yYJnpOm$ zLal6GE?Q_o$=;=Y@$_tGz6|=}-=7nAB*2#$%dv`lvbh=LK-Q0-)c3UdyhGag9Rckv z5>_8LFX@3u3t?BwHMTbZ%Ba>H(M;DICJ;!$wNIv72GaiM>;@Gc0zIs{=u4p}=j;*4m%Z52=&t(7o1Cn|c0ZQn-&D z43Djuh0CkO?Q@w|WCE;Js_pzuhy1SlnP1+2_yxasC`H^g=>r<{0xCPr1i^Kcmm+Q=h%WWp;5_gwCR{JAX6o zkXy`syVsW8#wWG)_aK6IV0v$%pXBwf%ra&uzBJ7t#U^1Ejb8t`4`yyr@St~TSJ(Z#}slWlzgLzbw3UD$$`#5lO!X4&yKjpIVh#}#pX z117(%J6k}#|D-t-yFO8G^(s6@*S1cCT;|$eAE|ymMOcwwI~jNLob1wb@FF@VeE;se z=F7abg(jmZ2E{Bz9jOw%mpg9rTUm)J67}U#ux(@X!2u*y4Bx6**KfclpY{FHZv`|b zxO+7|RsY@}=&X>M{Ofji_P!pQjvAm=?kes}%(krWk;1sE-NAuSdoQS}UD4f3jNhKx z@D`IFB5puc{KN{L<~Z<3!wB6w0q_3p_5xdz;WSwspQ0h}wwwmtxjS4MgDS(*mfabf zJvP^iYs_!jv%j=`&?WOj`c; zykf}wq6=|l@Ok2GtH)=e3=H>YsRFsuayz6~-2Dz49q;59oNSJSFfj!^cy#T1{ETGE z0?QfyAcCi}ZY3_rg1Kvjs2KpqI@z8X_5G?*v6Qda6C2r-_1?lttVi5=FX26x>~C~n zV}>38hRFEH`S+(Yq}khq$pHbXbGL;ZLZU=rzX=gNp=QzuQp$=%;5xDI0&R7ndXE31 zUNtSod1taPx^il)_R-l!B2h|oUHYGIpYORgBf!m<=pmbkTLtjG?Z*mME91Tx&~!#2 zrTNDftf}H)a0htIqr@U8*UD5+(~*W?=JMQ77Pyqb!e>?aarcR2tCd$KJHtWEnF^lT z76Eu*{fk4LnkY-pMWG9~d48kT%MLw2Q`5+(#{th;f4dc`!XH2nCBVl66CD1S(*Yw9 z@u9IX?&`gmW( z@P3qi%xIoXy_g{8_Tl=T#iBz*ESFxTVTK%v=d_1*BEMN`899Pzou8G9He7QKwQTFNDd8 z4Vs-DfGO~)%LLEmnjpamo8+Hm$W^G4e>bWiWHjNt%?;8_GRk=98gZc`ByB`E^Z4n> zM7g2g&Z7Hc`VfaXuSbupp5#S-Ts(?iXrEYT+n!{Jg~bXOsqEP6;Eih(V=C449B#_q zwHQ``fU+dPP5uGaP*g4dCdwH!dQ5D<= zuf=e7PPXuifhH=a$=s%?^2x0}jYMH1Q=3_q;t|#TVmIa5sbjdJL+TWfHn0vU?Q*ga zV^8!RrY;&;5kp?DbCL4Lc6qGm-V`C-(^$tRUJlt0;z7TWOnMRpfDVJ_&!49rf9qIW zvMMtzdE87YI~JCQ&()<2Z^u*!riy#;Pc>T!!*}pY>3pENy|L1)$i0wE3+CQOh=pMv z?>1rDn8Q)mI-@`j0_o?(Ono|t!keGlD;xbgwgJwgE;BE#uTR46)?^OA_Fhob`mem% z;Ipc!nlN_SGPY44o)=90q~k1jHOf@Nbh= zraN>Z6y`@ajnUIzqu%o#zs4*e(loxh*RH z(^cFgBBZ5fAZ>w0^);lkrO9#xX)$oeDmsBQ_#`TlNieP`_Ni$ZV)xv}8Gnld-7haL z!8SH?nAv!2p#mL)3UJNfeRXMX{}#UDqapVs{jkuz=+9GfxY;rZ?VvZDnWr(dk^ z9!ohbkdzLf&GZ^5rbyHwC(h#J<(Z8U#SOY0$P5*0I`mghBYx+%RTXsJkd}j(pRXO* z<1hhyyJ@*snULiXz=B=I4$hCj@J`X~4Wy=HB32mQvs<&ik_Q%sf7#=+U}?W&L#lCX zR(O}5#c$N2NpuP1h0XzT%i4# z(-lV-7J8@yxz74)XGAq+N!82Gv?l{IyT6xk{kj8JGr?k})=SyPCzW?Wt-&2OiMSnn zsBfWIr6Ik|Y_xVZ#)~wlVZp_bU7Pp{#KlmviBma=CHDJXR=n4l7T;??Uv_0FRit9+JF0^)qNZE<>F{XVU{MO*b} zC(#n)h`aRZwl5r|cvuxo*uqf4tU7Nanq}_yTpe%^xHg;RSg*OGP3R4dhVJ7NpGL2R z!q|~c;~g|XU~sE*d6?ZLD|c4Z#)|ad4KS>8)HnDYp6?G;BTj02Im9**!o+TO|5%UX z$|`|N28oq!2IP!ZAdh_+Bqw$8xVgRrjXwK9jA4*a*M!=g!kHdVbSO|!@@l7Vv)mo{UHkcjOQHD5U zs{=X-2|;@s&*4#%U~viBV=t>s@H|Tav`K#G+1hL9sT?bs<#e}o(G8-{#=)_^_${zf zHIi-@zdjwI4VO+{i5*&RY7*H-EfdTgz-m?f{5k1L<*6f!rjLn?oqlULX&8|3UfCxn zr5~W*LJ!tQ$T=r@XoMSzQ2Z0=6QX>1i&n&3b4G4jIr9~ex1>{@IZ#3ocE2jS)~%69$f5cBR3FU<^env*WV zf1f?O5yL&YY6tgskz%7NZ<|g?%Kp$lcNbnV-15+<=d zaGUvoCLJ91JIknO-hFMJ9-Xqa!x8(sMlGH}PrgQs3@D{S*97}GQ(Tof#o&t()hX9N z9#G-Rk^{1Q4UIsv(CXv+CRqAGyb?c&js6#K8;SdgRG`!uv3l&EJJrsHQ$T=paG@u0 z&reSgJO2ixn5wAUGweZmlF-@3YK-eJEI#+Dj`!9l1?PrC z+Ei5YTrW$4fV@_!%;Wg{{_TSX-8MDPXG&JIxi{g#g)%Xw5MVWYmb<|)-{NY3<4ZUb z$EU}00c5>ZN2{W^kvqi&k}h07>_X*4Z}?8s3CSoj?VX3GC7ED=_mDV1u4cVl&cc+|=C4VFt zf$B^5yH3fGsmjq_5sDZr-d4(sy(sV`5whq=&bzaI)mlC#*7xs59}79dPu7rr6L^;3oMWviL-ufd#1 z-VLyS2Mb2UjF%CU2V8CgS65SJwOGC`XeM^=tPNz}_AxR@P<_D58M`-GGn^L*Y5#-7 zueUEiv767TyI02=E2kVjE_A<`DSqU1s7$lt`<|UtJSD<6>wg)G3NG6zw7@VwY~n)x}HIV0B7CFeIFv~oGqchaN!$o!7}l) z0a%S=2&NuT(te-ReEL=p4%X~=uh@s&qxcLC>C=fIvnPALzKfSy#xffZ@ydrAl#M3j zgl!^r=>2{{AIB5>mjBeRB!UUOiH4*bJ1cE{JNdpKw z>1=vX#_5qOUhu7l{-x1q-c?rd1Fj08dDwfeOXNtwqbnYob?M4mGikMPB2@xd5sT~; zaUPS1W#CJgnuAh7W!mZ3Jhv|bJ;Ehi)(*saW# zvAu8qWI<0gO@lZL2Kn(iF$;L$?H3IZ|K>Ict*JWX$ODS=I})3opfa15H(Xvl9Fxl* z(gN=We{k!*A(OpHyT-r3G6iQ^Yb+E`SojfL#9y7#K4c>Qr_M=%SDkEzj}q1s4cby?$n}*+P}o$C2PibpwSIAdD(m*vCGW@+8+xvH07@C8M=a4!E;APl#KKIS$5}Z*y za3vPafyD99mj=DOCnw8dI^?Sw^(}efNls++WP^)eO6K2dgnF@x@`!^wT`h~$>DEPk z&izqFO=3FH3-nTCWze`4`3d)yNq#)qYWp_Bz;VCSxDylbxb6ZquTAz8Y}z zZ_wxefBhdVkPYhX6Ze7FM@)C^|q?L@%iij-aLhfC7t)*$)Nc5=GouZ zDgFmCy46N`+AoIt?~f;F{tF=d{~oJ+Y;T%E1|$LM(fRPZaE#~)r^t;|u(^<;Klb(s zCrco=?5Pw{GO+yN>A#TV%d3=T3>VeTmgzhIAz#IIhmzt$^*#Ila{&JXe%%A>yM&gL-c zi(eCKO>)00^I%72@jAGT``$Fvf2@Wc?+xrZEQ>g26pLzzfQij=Qht$Y``o%L+ zy*R`tz3iteN^2e;2Ed$=XQ4MN)=%tGmoCMj`Ig3f;or#Pk#5}akTlfYCouflPvj3U~o zzG-Ud-ul5iJ)%EJa&=Q5>xH4Gi%@FLlxsczQOiw^lHp=!?lG97W8w>>v@h5Mt?m{r z%M0#ldDikD*Qiin1b~*Yo<;s%d(j>`)`RSDy458^DCq3YCgz-A=BFMBAOm`Z)B=Dy z-Rl|m{Tj*TdJJ}e{N7hiw-uH%R`1jYK@aIE+z!c>K>K(>ck4*HQM;KTK<{kM<}Mjxo^$6qP$5mXXz+DxY({hPZ1Q>vyb=#2uF`)?msKL`mx(D zL}4QNnB?>wf~CVQj`>c=81#%zt@1Ot5qqV@on~hR8FqnByX7?smFol>CSeD16|;OzJkTux+1*l9Nw+Ge)OxpkhnnN<0)

        l>U_Q3QT zWCse8_Lp)}PY?qJ0O4HRw(mdI2S#9qT-PUWLlQ26f~uoQ4JDV;gtW7$^;LImmeeAn zNucVN+mMa+W5v!vf}6UV0HkGB9K>UHG+}kjrG#GBLeX0!;|8`)hxT53>_Ba7ro8Gg zr4y(<(43t-b%G&1y+fOUSrXZNKt?v?K%?MQ zFP(C@a@nGhEvH`xIdp&wPaDzBl*s|724A__KH^Goe=%VoNhwC*s1+-=lzVOmvp{3K z3+CLbEm&^`5?&P0cNbY2;!MrZzxdB&tzR0!c&qsD;e3|Ah(a|KLo(ihu19DukPdfrzKtXGsQ$kNFq4LRJ78NsQlN5czK`L6{Jj z2M8UdH9A$Bb#gh!Rw1MXZ*E2hWC;XuOvbZ<%1&xH>*cwOS$6oZSn^CPXpk={ZvThj z&4jZf-#jGb%(Z@~QDOua{vZ(GSVg`=*VtqVts*-ZDMaE06hnXEGkAlJ>rf@o^D_no zufG#VhZ@Z+Jq~+h8#6rqRPz}{b!sAmRFGkv9(GmET^va6yYuQkpZfAYB51v6E+^c! z)ThOc?WJ7M$<0)gr?6!z5W)<0D|uVIZTu}B_3N3}OQ9dLqr@DvZew%~GB`>jneSs6 zmJ6VS0ehTJMsDF@+nrn%a-<6abG!!KgX}Kz~8wi+_mOTKU8PS_tbs+%VIXv<`_TSW_hVQ6C#o}bE0E1 z@PFY!NxiE)u=3kXK}%s%Bz$VCXX6gi<){6_CJqYRV6Dtm-?}Px;T9eZ2~k+BX#f*4vvG$!SOD3u?GcRulDgn&GJ6F~C`gWx1FPd@ zMGbyC2h-ZF`&31D=5fateuO5&je0uR4yUhDbZWd@9eXL+Z>hc~?6@DcE8(~*fGn5; z>vWGWnZnqdY52c^cf=gKa^qbO3|DuWWGpCFaxO1Giuy+6tGrv2u2|VA{c9KEzw10d z*_=6G^SvuB@V9bK{Re9f@FID1-YYUUs9jK|5I7^J9WVOWFSUOX_zb3Vrr-d2pjS@P zdwKnVL%&KMR;J#5kTnEg_ZqOQHWs~>1FWQ5E!bk%g2;}PXsWCu{)6Pq&z%NjffWZ( zhM@e#RcKe`)17}b8uqPDqJmREm8%p-=HsmnIb?Mk7GuR1Fi-vqZBzfCn>#z@pPR2a ztQG|3N>mqa3Z5O$VTI|#UF{w@8AU#Gv%}dEatQ3YbVeLuqp(n!hbxVSbO-wTk;W)Z zYkc2Nxx!xMuUA>)QO-fr(OZ}E2fVm3j+lK#H(jdxw;04`PCwi>#m9b*ff;37?)C#D zq4u9l%^P2>Rm&P(une6PFR83HO5yY;*<|G8*Px_0Y|gApV$Db(qa=zsWCW#UCLa9V z3%Ia(*jH{e_wxSiNz3|KRQoG~4ddKk>|O>}QH0}zTrP@=@S#4B0%QBG%Kbv$<8&F1 zuFuz#IU;?e48*VL8_+~JJ=zZ#weGiTlTCLtrN3?$3|2?6DpGqz=55vufUG^nua3uo z4V|Mma4dcZ=QNgzw?{VoNtbfhaCi4cQZ%)?E1k#(>VHmpf<$uUM&!B*X$aahyapC1 zZqq%rNcC#Op})wnL_65U!9TI9lXQl{#2{(lVkd}?@DPAJ9r63$QRONrlS8T{cSn!7 z(l-f%RBL9R#DAd+(&sg0SN>d;M9V^8BS&SDX_PIaJKIN9~V|Up1Q83;K&mS zJkKv}85kj4+oI_+NT32pqO%NxAb0F${<<7V%6B@!;GASnDr8QuA;l5|NzS@IPqqRC z{7bhKhZ_{=4NJZN*Kr#-%ESIfdDJujIaDwkKi3U;0ffK89q61S>wT0vn<3Vk^WbRx z{fs?pR9iOSzWMc8%DT@bm|ds`JVkJrwgK2J(ViiuTG0F_i6~sAae9LL?L}kG((~U~ z$etCzLZ-Y=cfSZF<14Cg0k43AUl7?C5|;zAphy!qU%1UDQ}tM03R{$fgP|qi02Yym z8xc|{u)-vMTJ`aP%b=RDxvE!N;Ec%IHxLGX?KPug$5!^=Lqi{tk-AugS7Knvs&C6y z^3;j>UBgp^%9aj&!HhMkY_pp0?6)~ub_8A+$WUrUw}a_f#Ozbh6@(*VhJZznl^1K} zNVew_Bz^jO)mM+qt;k$H|6SJQr}+T+kk`*C2B2$VJ$|YV0Hk0usAnl~;L)R!`AT8m zj6GZIA~GrC(@iAU;1Yi^*>66+YPZuDh67m2&vg59l@nqsGf!9i&HWY7CXbtp^NK_l zU#vz;bM;KsduCu*sQ?Yk03f+8(+z?XL4Q!wxl=1B&5-WX70pNT;bHK{O|cH9m4XyJ z@^&k|q5K1a!`v~7n*^Uat+{wtvjV5c!xzbDzax+dcvKgD@XHZLLbb`uoebP`G8~}e z7PvkV!9!t_Cd!i&fNPh2cO7ps6rH7*K2Hu@%Q59$#~G+Vr8ZpoZMa|roeHmSM#POo z;SUM}5?{v6iPl5Tjr)6QV<7XKssczw$xOUpA7<1+rpDkTxN$mv;L}k}(@gEOAj`@B ziCow-Qv$1T&#@Bkxbh)45~)H$ntD3+ZJ+szZxE}rNpV5c@u#unQ}-Lhv^`mgCJs`J@_$x-r%o(Ci(OW6s4 z0bf(^R-EvgGF*HZ_VG^A`DU?xgh$y04)!99ljb&|CNy_P(~p1^$RBh0Xv5V?J!cjhaj(dRC1Y`_oy{GNEBq9eMH~S_9RRIlq3|hurLr3Tj$#7 zBKgsuLT$>m2J33w`C-`>E5-Zhz@UFDa)U6|5GaH{Sc_DUUCzw5Yzlo85y3S0ZTYl8 z+L2jg&)s~=`%ff}!j*UASx%pF>^R#tbsCyZf`1Xb)~MYxc1`zuM85;k&CE$K%RY5{i$&T*NYBqTXx1muW#DRcHL_Me$WbM@~s^ z+@#|<7#df^ZzL&BJOHO{zr1NIF?u{fIiV=a1J(mMwxHY>BZZKJAA+E$q_EZA*>86| zo|Q@ze)e(f@*M0wco!hcPGo@>Yehl%>jc3Bh&mr{(G`42V(=CNK-E2#4*}+n-*bTC zv-hacebrJ_6I52+g9~32Jz_EdEe{me=IhOJt;t)>OIO`NP5+_aU!XCY>+wqFS%4me z>htvdg(O0&y1oG(9r(jj`+vhqvh7Bme{IFq@sW~(hsHxY@)<9<^qCK=e=qUB5!e2k z!S?^7Z_2;YfMHZLfB0tzjBHa{P6;F8>e7Go=R#td(}mY|OmRfj7{(r{7@2=O_zDPCQ&Iel zdN2$`=v-UI6@<-8BQPwJ@mVU|pA{YaR4vIb2kEL}h8; z6oD@M`J+PHCPhVlCH&!To0$XxZ`$B)A(>}}EjH_+t*g!)e(yf(+FBgbK=6?V!WJ`> zJGRoswcz*)yn4O@rB6#+Yw7IlT%4pTzxq^|;P2P|@31V#$dR{TQKG@dro~=o&d-5#z#+{?#TG@IdsJvg~I!7z(OHJWl z><{~0-GXj-2Hmiy{^70A+OM<+Dm$MGqO@0ec4{+HD7#=x5BDyq$^NBuPE?jx-O%Zt zA%lD`uYCJ!)D$l-egn2X-vulkaKd>0B4}^)gCvm}4gJCQ+fD2I8;jA7WgS!ABizX+ z9dwlc(&HwSb_r2zqQMp97l)a!#a?YFr*TxJC19BaOCLjOFu?#KQV^!qTZx2;2QBhK z;fR^9kAU1j#((WK;3>z(pXm(ute?TVshA*DeYtIs}4c?2Q^xUZS;lE^U{J;pJL-kYoC$R zzmtm_p6_wrUZ$Xt^vDpB#T`tX$e9HKilP8O$*@bS-uTir;!vM~n;nM3SB`Zfiw4Xg z=cvgtg(fORjkxXvp(1}6P}YHv3sRlb6sBLP8dgOrjL74id0x%^gXx1Wt|#a!Y<2=Dme{K@>oNQxmpe5QowFuc&vYips(AWc~xd0s$j}n&}^&Pzv1pD z#!EabAMl*A$0Z%iPT+Dtl9reeuK|FPU2|O6>ehGAv3@BBIugw-iw=W|m;yWZFWbK# zw7bK1YQaO;!E#h?RMDnI};TS(i?Ts!jZUhi#bXA9E*;g;>f?TfmBn0eh0*%oP zi?ehWfn^RKNcKXi9FXtrH=hIbOp%bHA5m2%4QC7t%w-PYxW(aGPgTA-1dD{+g&tG73Gn1l^q z$1?!?INwM2bmOMq5ua(P(z@@7sLV=&`8}I!`yGJ$S_C`G zIq&=!e-99C$9H5!f%{qxyRablzIn*lBO_BRs}g7kk(%+q`VC7bvc9#d1SITBl7=t@ z>bP4gsi#(*CL$3t!;c0sqYO(5GCk9lLiRX!3nT8A(WiL`-$`9Dgv?7$^@i+kY(=L~ zGQ5pS4i+6)=-jre9k1A|_TH>E&Ipv<^#4aGJJI2yE2Ep;#W>`zc}M@;e#|^IhrIVg zrSMoSG{y;Cb{;4q@}*o|7c96Xn1u8P*Xy&Cw+{P4;9xUfZw>QjocY~$^gDyj4==n= zpQE;Y^oHgQzfR^f)Z$EZQv%T0ATIiTgER&mhHNe~+fSQ&t&XE1REnTBE~sxR1hA9W zVY!CsEXI%Bv0!!)>415FkkpDv^>O1TYYZ!xtV)8G6zm6EU`_2YGeb7KqpmG(l~32B zAd31x5O)Ty=^0SL^t3R`UYi}U*vD2BG}R&Qx$2ALP7-c9>dsMI2XxXGa|!f~dqX=u z@cbL#gCDf2q#ZT@Lqj#IDYsx>C75`ajv{;{)k74^y@GTnzFNAB6+a!zvD`1?thS#B zBvrXqs$N)Z_F2cL>aOSzbDDQ(Z)gpxQC6Fj+VdSW#NPTlU>(O8KMjw^f>~ zy;;w5g6O!G-K4x$ccm-CEO(E;Qx0J8Z07;(5D?_dA?6Ubr%S)tQWXOt$=0KZ+#jdC z0=9WtM#*g*8u&W-}axq$@P{eWtw+(!rQ>Q zHC6cFSD&9D;bK0}a0xp}xDy*pY=Wjn6S(BPzpuSog)|*ci`6yZ_CCspH}08K0?x)g zzw}v7*@urVFpDTE1_+trG*kb%a}U=4)7wUou$q%RtiXBiOS50AW2I@e!=aJo;Yi)y zZ&LGq$Lc;txWFmsLq)Lx*Im~&pk(?o6VN0H*KhJI*^1Lw{``_Gg1g8?&~Owxh(BJ& z1yZTUdkId}FNxao`L3JN7pqiv$6baW9B43Ur3%rh4ZrRZ?ZYiJHP)xtTyiUQFa5S7 z2XV(HzEr2ub!1xB^Ke~=?-7y$@;w6Xa+|1XxL(!-0|iu=rk=;e!_*^Hk_F>TLi+Eo zS?60T5S`CXI2$5jCV=<6dvfvvQGlPBB@qJ&Y&%`A5KXo~b>uYrm4&2eV{P5H9o9Rg zCJUY;nOl)I(?JL>!37qYcrWN&B)?PQ4FJ<&fl%2_mLTV{&!&8v7*WLq>yK zVsGrMe4GzgTFUM}+n_@wFA-Ko|1Gq|pfvs9hXNhV7mjyP>eeVNo7F{7xQN-1CP!xvj8YMYhQytQlAjAV~0+h$qjo@1wYic0QPes{`DFtZaiA z33>I5J02=~A~)W*Q*@Le7I(biKY?%^8747>44Pi5UUu~ZZzVe^3%Fmm%M3Sgr8bSE z3Hqp|kStU2k`#ENfMstfyS?cQka3qNz#&4{#YVIDT)2&v=yW`;o$?_Dr&@gQ1|q^j z;3p<4Tna1$Y#RLL4Qe#i5ka{4*-;k6%dNymAClN_S?zdhO^HCEarNqAr?@~F(3M{) z!|^_J5$iWX*!O3pdU!JiD$7Af%OPP}=P{GV>@Qyes*e0xc@;&O>uT{sRHx3M6x1@v z%J75F2^iRh;HL#Qsa+e2SIYTzO<}p}DEq-cDTlD`WPTgE>=oe5iJA%5u3e_moYj5A z*z>_ZWu{gk6N(Ck6*Su zF)ZU&*TeBT<>gH;W-m5liNpq_dPB0r*Q)0(m!Ixs2@4%{L<-rboQdX>8~# zKdN?<>Ahylu+CntcgNANK#Ero;t|l_22oR;%0M8AT4|%?#s_vl2a2?$68p8V)W=>$ z?rq>deQ002Tt3g+mu7C&qa~31^8op$imYWt{=@R@{EMIu<>n(i@mTisr#rM_S`}E) z^=jt@)3zT!iZK)eyu~W_`>Q#Ml1-*S6coSR1=)|*pW#d7>jXPfyPZb6M&{{zYw}qJ z5Q!IKskD|o$^3d6U}r`mgof;1_{Lt$dCrmp#EJXK!y&`b;3A>Q9I)mb)t6%wA8$D);S#=P*n=_+9kX)yC38g6tW2ZBYW=_7njG{ z`On9oUB+A|`%4E3v4=JF3L~>?Wkd6CzS;8?V1Jo31}Mz?D9RW$wR5OxtCS6_D>PTi z0Q(05(uE}IiKg{=qJP^+&PKEw-b# zDMx+jjyidvargNOTTnaG^y5P6t!3d|2_;uSlB19zYOte_`o+nBAEiasuVy;qKXoVF z>8ft8UX1tDeQm9>H4{38?X9~F!^uBMbP~IVTQaY|dq$+t(ff)h9}@6sq@KE|eqjBO zl(Dp}j~0(n$n%k^_vYW+`*BO~R0jvlYjC#U6ncF5A_$2vAkGIQ?jcx zHOTR2!mo`#CAWJ>LtqZatcP~@JBp1kMpX_tO8CMgZ~=l!-|*nbj~aPFMX9o&BlzmH z8At;$Q1c|`jA(QCvjlVEbKO~8mg^Uoc2lYALeRu3*jvcJkR?bu<8i*a$`!t4qYH(I zU2WGM)p7X(i)L=@SZSU=406*9+9AnL_D-RipPd%YiY>-pj(GbHcst(VRn;_mRC0b{ip;o?rBkeA3KCrKgyBX;OO1RNVGu7srR;NBY1xim& zHB}7`9*4dPg1^t&IfUd#8imY!)m1s$V8aUKr;QSS>`ITVEsI0kiVcHXTojoao4;Ch z@aBx4H5tfz+>FK4@1tlHR8nuWREMuQ{P=oIZV^Gp{d3XCDE)qqgE(k(U?Ed8Ry?qj z`pT0_;j0!96(>P1)wYtgr)cK8R$S>)5B-k2kT_EBf2)K$d^7>1^#slW;0831Xph+a zx?`I@+N3J~a{wp%9COS)3VL54Mr!*-Hrcv3eKo|;XVIqi$w`!_rJKXnw#*WX!!aLT zpl+NFyFa;QOMTk!6=u2KuHnpsxc3$SDzQzGM2NNPM@ME z69?2E+4hU)toyiJp3&JN{}Tz3E9CwwKkM0L`52?tIXtJbyVT~B*Gt8^ggB=vME|~T zLrR3IA%%0>hX|7}1QzCk+07%zohcRy@Mgq3Md%KD=P^1$t1kJ9og$B(?18CsG3wmw zi|-6G?|G5Q2tZ-XL?)4i$-e9j&5LimBhVA< zN6K9OztYMNr9mKVT9i@;D`ktQ!hkPDs>())b~6_dqCie^UFXLV5BE;8 z40YrSKxNN=YY|t*3b;@?WPeF&FI7NG3c^I=+N_^~J$G{L!Dp18KnBd>X~?MG1bpkq z?Fv&W(&os(og}OOf&Dz|9e2gKtrqkuFH*E%Kr^D;ptHeVhijmdhy?r>JD=fg#KYfb zPC=N4Zh^dk}P(;0k*Q1RH=#A_$PA3Ali+rsfyW5hqo8os$f;b;cDAC6jSUf)R44{<)q_H->q9=ZU%#7Msc-5<~cAe8>dv}6M z5@PZot0(MO77b!Yf)Y?Z;V_;WX{r`oBL>9b4KNY6{1YfXm(!63ANrYNh4l)|5A z53JtT6-=24NHdv~MXSC#L1In@t=zrIS=aqH9vW(H%e@n~WA8sm8NNx*8j!z~$loD0 zl!SV|E`ts{`ZZo%SE!he$Hh@sYLCO4_S$`s7@g}3GsqJNkbu||x=!GYJMW|BOixZ6 zCMdlPQqR0Ocfs&2DUOAPji%k$T9WT$3CmlC<{S6IOK!A#zcOEFe+{Rks`De0YBIMd#-(T!3`x|P;W@ewiXokPmXufx`wFUBnf#R3of#(iaPGKR7YXIH- zkXQwZ(A`5;xd)UK4U2%L z6F6|(>Ko!6+FtE&dEj^7Kl8P_7q7oQk#miaFuJOFKN{(@Ij*6|(tWRi{$)i1Bq1V^xdJLpQ#E&Qtu_7-v$Q zLvD@!bAkymdLVFFymK$5Sfhx)k*HjWvSUz&4N8I|G@G)UvN%QkPjgI8wC1=9Q%q`| znf0&aW`?F%Y*s2zPNRGtByU^z?U@=rX<4MFxc2ep%Tr74e&KHrsyeZkRHRQt@sqCC zgO&SpNI3@5WO;OF-;Di=RICG+`=4cXA-c5-rF+LwGlN1`zDzyg_xszX z_G7tRD=zK<;JE29SHDf~lj@WUg}7e0RM6D{c=InY8gm&L&+jjHcP}O+s7XDbOjGQs z>Y8WZLM1Q?P_%@-YJT4PV}eDtOBGiux@QVwJfny)nRZ z^$Wr0jIGYEvN3%jyb>D4{ss@3@>n6A2Q%ALtqya6V8S8$i!SxGHIq|Fl|wWK+X9QA zsr?zd+UtEf=Rx;S1YNn>Yno>6xf@@75WK(l=MSaS%WJrMyY(%7%Na|%qppmLeFL** zuF)92iIZ>x2Vrgxq1>!_U#-UXb~DOnKX+eKKDFPBnKq#or>KEWy#a&XLdTfNJs2a8 z;`ydW%x;Iy&F@RCI&QzM`CLT|Ok9RX1ADq{4+MPcz6C-~DGj7Iy<;u1zPvi{odMA$ zH}J>KPDH?@CN%)F%1+VN0$8 zrWG1E*YJDjVhHx@DOA5a_2&Ti=k%{L#y{0ATrRrOwWQ~3|G@e6X^R)4iG#^1Ru&nP zvev80iPYpZ%p&S8p%McxGI*j!?mqa|^vBR=K^+4v?mNk4F9aHXz8k*?rzoX4st{q# zAIOZQWk+rW|KTezf?q7Qs&_bfu9>l-V>!ysBa(7)pWBv_Lh_r)kMs%L{IAT?^wr;e zJ?A&^e%zt0*MQ@?INY+@k%N(zN#$a+z*n=nw1J4OwFnQDVSjq7T zBYBQcbGQI{so0^l*sQWQ7Q45`uD$p<7&dLYzB@D{ld=2N3p@NSt)bMi?seM5;sUh9 zkj+jLcu=L~FW@=)aBtBJ~dkK%~ctsDqH#^?-KsZZo8 z&utn>5F9$D)4#EwEYp^&<$4Ah`N(}DadN0LjzUqV3jNG*a~V(qexrQBp8AVD zW$WGLpAYQ5Uu`6Wm?uywN#NH!zdLd2Ukx-^Fonfa8{Rh}#4@F_KAZ`h`>|3f<+dqF z5g2p9q7Xg*T)WIL=Byr8W>b*f8B@X4%#GKYU{9MeON{^{<_Jpy0fK=$35t{hanBogBjB(PB1--u*V+V$)nOAZ5 z-Av)LlTmSt(TqjPU(&3aje(q@-F`eYCDLxf@>Gu=wXw0^0=8Gbcl5F<&BwR-e2U4$ zPsWhbq4}|4#pWf@VFo6~D4PX|V`qgBOu(~Y*UPf>^&h?2Wxcs6p8US@lzSCl3;z3b zsNB5H&re5ec)0{(Im?(X@AI*Kwn>X$``{sia$oBcW`^*)k`7;2vBEr8-|@tEd1;?+ zHevkyJl65H6%6m@{WK5CZ0eWIe5uZ)a?PW@F@IUB(bxXcmoIFYqPOuGOx_VWJ~}>) zG_?3mDuGp-yy8>glby(>oU%y5-iNS*-yNm3Zub)P+T=pEE`K+CGuVT8_jGLQ2?lh(CgQaR+WZbX`aap(R%f`+>;bU}5 zw+{UayL}7aEp-kW-x{+~NM>ffPGTQHFbZ^s<0IQo(u$!?g^%A@1r?a46@{W|vdj8t zlE45#fIi;A3E%VmmDcc=x)Xbdv=0}Nrv^7tHVBexl_ud2$-Q4NJPkqKnW9MbEtt{ zO7BBM18*(-8cBFY(-eh*v?HPXJ&@Y%Fp~0-&MP*yUK{1>_*mf_IHVY3eWfj zeLwT2@RP9@Zv0G6H?I#cVR{j+??dH+kx`lRdzh62RZJ#BlyYw5#E-6?0PA7jC)`m6 zLGLwLd%mpR!%Ff9q@gc#f0wNP_oc=+;_mk?C=Cij@M1f$NHVKQv2F`mXhtfBqS9GtJ{WauT= zfo@9Ow#HW~E<`;v+Kek4Ka;d$KUV(H=hz-v#NagNr28lIytReoRJ9*2alP7{t*S#zJF-6&=ir>21K0Vw(BV3S)S;i1 zHezz*Z4uhyM>gJ7Y z6OCdcQT%MgF(d^xPQDPOgsDE=fLfG8%&zpZs+8;$cGKMU-j5fIpP8{GT~f=-+hmiZ zl8)W>T^Wmom~9p<4PCi65%%mlH|8_s+E;0B<`~-S?~>tnexJ!{qfow`neu>BO{~mE zv1Q^WvtVU5-Ho^Yr?4GLtQ*FMG|i7DV7hc$PWS9Mby6vntDmz_f5b#=dqYvMmDim( zBTu?qW1U8Wu$jiv2CPlAXX~xFEdaX*{XJz*#Z< zow}e0qh>f9gMD23H^YLGIBk z_6%H)YUtGJzXJgO0--kLzrRKM7CbmNLL4y+Ok^R~f47VVzXS#<%`p1+xwU~)H)C91 zzVH}`c%4a~J(LaRWlM_zADwMy__d-U`#q24dGZrb&e)34DQmY<>P#bFj>k*uw9G!s z>(H#WYC{!!LkS`+N6ahL_nvl5k}g6wbRA=oDg!Y8C@Vwfs!Juh@8!9&YY^6?2KPE< zk;SvFFL_p}hsm?kKXEX1BX{W*`bDNyd(9aNsj4+f91{7x>tL$`qM5v3kk8=waGHm9CA9t>S=)*B@o@Xl;P)SXQNU zM!ctMOEmHrF3h2D`Ec1J0Z0KqME{PMeTVMv1xk{ER7>qH7n5P4J_PXOwZHHe+N+h# zUf6}15srI|%S!DyGY%H>rm*dQR`Npt|JA;Y$`$b@k4-e+a$bgN_=@kbi$1oIrG4zR zk=rUZS=l6mL-t+VMTTHvjx^s#!=1Cj#MtPl2sROiN z$l!t%L;-6CgCh-?wCfGaqCS7z?z68wOOJLO;8Blz3$0bXKRI!YIqO&~B=ZvCz8)B# z{^3FNb=T;FyUNXcf}LT$h{U91%i$_J_?fZ=PvopjaH2Q-h>r!bV0sWdEKer2V!WRZ zcmRW*$s(L5b@+ITWEha{J`ca*y;r1PO-t>#Ijm3k;1LG1Ti*~%E)ApkISY|FlHqTM zdX6GwDcRk3%B{WZl{jh>g|y_yNR)$JQ$FR**c6Oz!*l%I36`!aPTlVQ-p+vSCP<41 zCFxh`#rmsVRjYEBSLp7Sj$H?zf{$9~9#;#BgG)kNuEPrecfkb&0u*xJ^Zd2ptxjo8(rO5CL-Z8`xCv%7T1y?ik1E3k+t_?lT=Vc~q|2_fyP=1kt9#!Mz`v^^6;Jbox~cLx)4+gnfLlC)K+bFrF@v2iG{;*TgFNiJQULGl z$wGKfQiln67U+&LMI0qQW%HVKfS6^q6y|6E#_UtQa-m!03ak87fzllx5e5eRYi^a@bjCZOhIp$3@l{$icDi!^ao-aqRqfqD6VqC*K~SuY562k9H5a361Nb1g zvP}TG-28leZ61iXHli#0_3Tc1HD&t3K0m&!Ff=qUz(A^hQf9pj|6etE ze48iHAiE(@3o2>P>6I`tzRU)}H#~ACkvDrDF73OhAup zo$P{|50RkXig+f;M>G0sPt=D~Yr2OzJ2VIffXY{wKbJ^TTX4^lJ3Q%O|HN)l5x(2L zLBge9aYsE8a5Bjb)XBKM9$Z;4+FP;e8bX485ksMK2_v+wll6{{es9?%CfdmX2nwG^^M!0Pp=m1M|00sqi%y53n zx1)+8aPPF7O7W@_Ui1Iof%Ro^iI2III#o zKd24(1OyJSgS};fKW-SAzf%74HjU@$RfMZ%pfw! zfy;LWJHVg{@VbryBy$(S>*`##FS(U~ZW5d5b@mzWznbr=8p877XgUAWud_?Gx$Y|h z1a>aBBp4brvZ*RtKOKiSQ=j@#bGjU`%8k3wXou zmD+vO`4=Dtd(TLMTK%pa?3RW; z82x$7^obEi^CDjLf7>T@Iwn2nxfZc?G)H@MTSyRMN3J=Xvl`ZI`|%ePHT@LmUWJRe z=+&eArCHoD4Vz(xMkRsD7yd4tH_j9-@MoCApun0`SfzwJEk;7Et2o~#N8=qSWQRdH zE-+wka6fd^YA%w0w%rV{l_nMV1} z>eTTz#l`W`*Hd?+hh_Mz;7-BEQo)a)8fjM{{6xqcfaq<(J*4^9J zE&F1XEM5EHFuaF|(`4y#Yxern+ROUEQxe5^4s?I1^uaEmoK4}M>lvGxtnRzyl2XV~ zZ7MxcRxY*7=l!XPWcHQaa!Mg7tc1%kr)cju5nx=33A+p+UTRilHb|ql0-24^u2B3a z&MUo?;ER`tiqX@Vgy%EnqjdyHFYs0YSa_Kk@YvOgjI7y@$C6*<-Dk{2E^=KzvTtLx zh-g?&j1s!}d`Ck?98HC@T0Ur|#6~S+Ftz^DvbaP?pgzlrXp(6@d}l$>s4KMO;ccyB zAPwSw7m8$g8CA8Dh7dkax&SW}rJ~+eemq4NaCq7hUv6F7tSVSihE)*rQ- z#?_nMUJi7`rgh(atqG&^UV13bFytjWAre|XKrX`c3UFS!ySGsXc#=#rOD@h{@5I}okhr`@? zeCb1A#~NC~;byzmnsrF%ddV!CnA6(q6y@P$vB9II za6=u5H$A2uQGx{*Y&DiE3nYT_mFIcyG{c7c;+ubZyv24BNY7#W4;>e~7^=xl5DR*! z6CMC?*orGn`%`=o#O8gg~(a+;V@p5b1gVJW{5tnR=R>n{_ky$M5q{$R@Bj9<*cpc2=vZQUa(7rC7gdaD*S% zXz$$jDo32g3FJiYbxBnyohWfSznf*FymLtbcm$ApD|!|>=#7s6lgAiFys!YJ|7dF# z4a>pajXDnu2>AKuh*+Kyhb0N_DIaxAwwWZ<>k3gBkZC#A=ne_^hU+zpC70xyD1F39 z6cuwjmY>4n$37boN0uS*>3)0O^G;dR{SFuT02vt`@%h&esTSzZZO4S_cWLSPkf~e6 zKEIKLft0WfUfJxUHcoEIs?=&bFKfDGcClSlE{~MHIMAJ(larT~8%_)^Sm!{`<~eAn z_Kfh|e`Q2iJ8oTHasu1yGGJ9$(mCOZsyND#_yXA z!lj?gn1i)7F`>q1e?~{A{0yi>&ig_kv13IIT<^(r&$+x7Jg@<+f4*aX_l~A1GGxQ^ zNw+bVcAe)uBPDX=;Xm`{qv;T#sI~%(nhPT4B|*y}kLq)n3x}UVON+Wb)0l-r1=hYp z0`ENQY9PAZ+o{9Dia~-|=7|JO@M2@MVc#^wNDgEu{(Vcr?HuSQr)cGj#sp@1A{|y- zY0a*_aP>7uW0+DjvYt=QaM-?UO9NqLc+?2qCSK6=WNVVFoUFMkFuY)E&Ir5ik|b;t zrAOM0+ZmLQ!^x7Cz}UX6ZBAGth5>1Za$=)Jl0n%Q0EY(zv;CfU+=qS?hd~lMSQSgd zgK6=D*?J$L0t;P=P;}Z8+ILQ$jNqFd4QS_&q~$Zwk?TuuL^h}&PrakxrHg#?7P*7} z-0eF$V+a^{6ViN~*M18KlD#?10;#@<$=t-i_!CaLgsF3OUXPOf zE0_q))ss}lzY$LN+Zvd)Y-w!(|db?uoD7=Ulb)e>`<|z|V@UgRopGv}r zu%c}#&uf8b!FaJl7RqpzCeT`{NRDzNd*3e2IM6#iff1!gmU~&=JYxZ6+rYOH(3kLw ziz^uWRfiff(|ueKl&gUW19nGgoEoL0oYqg=O}I#!w3>0qcx~E)65fAp z$Tc-Jp*`4i1tsxH*pom3ZD}I4xtz<9;sOYHVsHx_Gu#|v*gUU*7Ke%!&d2Jrm!e&K z>&@hB@NHc*(g%a(k2PQ7zLjaacWf?Y0c@{_?~RT zid?xWtoNGUQzHkO5wEJg?WdWd ztI6ged{r(T6I)JWI1D0`hVRA3=x9)}G2;8e!;9#U30Zm(Ay7H)9Qi*f>sb~A+?LzM z0Z{Eoay6)S2EZ)C4rMt$$Txs;SDVFJv!C`{w%hfdy2Wk$(+e;}WB~F)OFsrL}vuv+>oiMlqn@1^^#CuKRj#__{ zKxOz^O4hNX7)AaAcc(r(O9l4TAfKr=#4quIV>pucof8`8dEuJR@nrhdX{h81GMgU7 zF<-JE*u*p1DZoa^sjgU-;~J^7etOW!l8iQ{XBmKqDpsL}e0b-5GYA!5p;rL6@xAZz z^=hi%qlBq2llz@^MawXIzqu|XHrDwbz;AKIjMCSd2*8XyxmEP6V1S)nxmamwUHs)x zmxb~neAXZ8p8z`_xY0n5f7y(H6ivRFh(9MgB&wLf4l)BUiWWd}s+bI!^#Ts^Q}TjP z`w;c^9%id@$4+Y~y|yvF3ro3crc%|~3upO2Rb3Y3uY>igk_`Dpo=f?CKlu({mM(1y zF+yhADbNe=ozKTRX2pC&pTeM;Ff~I0xu|3dJAzo2^e7OzW0{s0#C=W?TC}PO(qE*( z75w(WWuhO2iSR**nc`JfbN!lz{aMEk>MC~fVlK$rV72hxoDeS z3kRx3oEewlmz-Z7{)t4sr`wg& z?6N!-XZzjcNnrA*dBoN|0?4Lg#sp$0P*J&Q1f<;U%6P{{oCizWZX(uQ({4^X0WPhQ zhfA&|SgiVZ^@z9pM^dNjaeAY*rzcN0%K8l zY8TBUjCUGGJgX_{AMtOe7(>`=s{u3c8TWlFPGlUE- zp^#aE=(wUusL7vJ-FB=J3X0q33D3FtI&qq~wiG1{S?gT1Y-!Bj8&f(d?UKNab1Kxr zR1)-D{Tj}0G;8k%0ea&~_wSs!>lCxenA1H0dFm8FhM$TBxU%O7@K7X-wKyFe*(|pL z54&T61Fs~8#K|!$1}S>Og!bFMrB$4OYq%Bm7p;;M+E&r;hL;(QqV0D8NByl4Rq*vk z<6VD=$&d11lZ2XO0^*^)n72%5NT!VuaN1PSfy#mE_p1ZQ&5-Tdo++T6V)z1rGGkXc_U@8B7G{t}luGdv zVNWKH;a{B{Orsrar!HT!sQnR3RO~ti*kmJ@<&J_5O^i)-ioC$isSUs$=Hb2>EP+A_ z6(`QgYCeB)CvXr>$ff?AZ^JKnj}4z7ZUX%^l14cS2?Y3%Kh2p<(Dy5hB5@LH_i-Zc zp6RqQx+pFvtFCSX1<^FZp*yCKiMwX|ivpYArCzbr& zVYoU$(Qp>}nrQgrk~us)D{tXm&B7j%1DeC$6~AuYV?YvPa6W~l1a^iTl_++=c0xR% z;TX!tGoh8p(7eXhSj)+NrSDJ0n;gFFunUWtd4)N|Xbb$Vl}X)RJBA_H{)1Qb^b4U{ zY%S2{bIfU=TZ$3|xQUhQ;SD|!(PR-*>f0Fe7wT}OHOK%t%Lxs4zVxuSVs`bv@gqk%v~n^+I$fhLXU;q9puS!mRdt2?)dkQjk*wGiAxZ((OYd7l&Crs7cGf_y>==n-6Jy)B^$$ zTforOL!P+^nD%K2^J2uRVBF(X%j582#`CdtBo2J~9LMCBQDgEVwxmiPK#;}7#rd@V zVU`V%|FrLwz@brh?mpEm1$sJa>SOI6sBjQ{pssCA<~>yl{1jX?IjZ>Xdy@XIIzFS` zj`E}9v|g1(m%nzcI3V-TyqKUcRD&{KK-!v_9{(j)G%*O+mQ@1s*gJm70hMIT`)&;? zC3Ygc8qCRh1n*R(&oDVj^)Txd9x3_|NWb<=Ul`x#GSGDbJc|G}K=|m=IOO-;{#u;m zm-FB|m}^XXXSMERzwh&7WH(}P76e?r1+sJiL)4w}cfwG#q3{y$r0q??obJ0c||1h@qAn>m5G zg1yW{!mcwY*wgcsW!W2XVfI$KPI53nsb#`}XGXVu0$J{0B*n)dHX_`*`E#(~0xj4` z5S#K;`)yP}6)h!UP<8NpTWJ{#%|67+SG)=`SP~f`%ftQh*;80*7dFkQrD3ILXd4mu zWl(xYigj+V`IRbUM$C>4H;ma1dn&2gzofesb$N>;p*B*2of(hl)E=gHtVwf(#W!E9 zGx}Iua*ctU-~Ef$FG|4}2++5WPR}=TbcoMzyo8)d$qWt854JAKa2$EOKvkWAS7 z&Th16z*lPkQ4;$PO0oK709#3J`x?6)l?H#P-?i%eGoiR0J!XGOJA+3*5$tDc;$r*Z zR|^+p^dMHC{u-O*eJqCPdgGny%0wd?Bo6fvpcl1lgS zNO965db((Xh@j6YzdqB)#%Zh#!VS_~*vXG`9iZJDiVSK#gPRRNdt8VZ5M5KEA>)Rg zx^c5rE6E>grQElYkUa?-$brai$GT3}Pl5>bH@17Lv~Qgc1p`Xee~fEI1EJ=M{fcPQ z$d^FA|K8jn?l$!QPFJPH7(&=@yozhufh#riDfdFCTp6*1YE!Esb-7%$jFS*W;X1^I zikY%9Y9~Rk=?0CGl)DC3VxMG(GdIO+F)&g-^f+kb_t&Dj4XU=A1_Tj*{Vsmhya0sRP!eHZC?WN^NOk-KP+IV-MP2aj zUGj7pK=p9kUkL+`4o%5GL@3$x@-Cv@|1^hb(ybzt5JJkxNwtoJ6O#kE5X~E4a2Hw2}Bi5gxdH|BPvA!>V?0Y*+J7 zu^I_r^#-(mvqduz6GPlgP_$$FQbWcj(m0dh`JRdp+-`qe z*4qY&kMhJIaBx5zlrOcAD=K}mGlOBhKidKna;V)w>I*e=|56pD=$OM4guteGTNPS_ zF~sUY>=0`!I%X3w2CAM?KB~&$)Tu0f_-c6`l@c6Mq>iF4Am``GllxPMP!5+Jni+gT zD6>4K?7tVuhQ}^;5O?PM1g0K7KK{61m+${7$%wZ*(TiBrM_;kQWJ(Ed6ZM1nZ-i{i zM7~9zJee%S&;YTkso9!b%u=)G-$25^yix|u*Du0dM~a(hh!pMmX(>6A(u1-~?f#7f z-=^(;tnAofZMb$&aWFsQvlxAli!Hv|afn1<+f|_AyoUYxWP=zVF+}p4tIHTi$A{4N zGHN)xyR}2&mq!@>lj|Eo(n?Bpsa5ki*R&ahAKbjw$WUMXynMD1<^)~jkCtAUJZnFd0FR6z|FRa9$ zdU`6MBwO}NK9PwH*?rcs`+STP{(n_&`=kh{2MXOcfEBOM&bj`F0Lnc5U_V7-=1k^I z?jDg(rJrsrR)sUWMDZwvgoXZA9D+$9dK_QgJ+7W{Ilorz!rXUbz<|oGDk!gk4xqU% zJgkOQP>BzU&*n~Rwf98>RT^UJwFsLSO$;&pFEAm&)K@)L&-(Q%;l?-PSVsz$=s~Tt zp6X=Q#he^lAPwtvq%dVr+guL@{|R&VlE=;qSWs~oKi;GMKEMBrHc<7n5KRxEdeFV` z1}!XZD-j{U31`VyGE`R$R-1Lhn_+`_*&@#^fB)firSVc$>@bbzv zSGDw>`}P(d*8NedcDn>h*QAPktJNGjTM{IhlFWT*>$P<)Z7X;gV*U?hLEFYa8m)75 zUZ37YLb%yMXC`jozy=XmyZs~5gV1s2c>UR^#_>9=nVn^xIhFQ;mEIh^qdy6xCcfsx z_^cIvaRe5gP|3Vd)Fd6|!^_!MZqenuXUx!wghr%dU^BRMs<5%z&d=>O=~d%JyW$nK zxwpP>w&lOB_bI9*Rj0N=fjomKVctS^b)qK*;Fc<_&R-CwZdKb^4N~`6P1&F*O$kU`skxo` zR7xnmL8E5TGwvIDB|cpJ6o9ST!>~IfCawFG6vUBEaT082%8*?YmRdCOgTBX?w}{xT zD(58N&+Or{e)`a}-2^hK3cT9VX$gWy8h6#qXtU6lgPQVhlV6s+*#sfv73CA9G+VLc z3wn=F>t}m3!mK>4`iVh179U7KzGO#K7>@KANZA?f(NWqM=%_JByuWgXra}G`UxQnu zcx_hs2SLXG7sK1+qEXXG6Og({xE&Ff$8Pyn?yQ4v$oug{EgOh~62Dka*CvI?2)N*= zm>zv1DBFH7=Hp(A)|a|7CV2~H-44b#UY{S_mrt=(J&C6H;4BvnEF|uwpeddJrO&3K zw4GMJo;K-J081MAA2y)f-=KgjtsK??I5)jT&!E#X7fnb*eM}D3*w3)6pe#wyOSmQQ zBIb=OaCK3@k9xRt+Sc!Z2TI`CG)e&hdatGh4m0BH9h$E_WgyiCJf)4XbD#>ZIR7?U z-*M7Tpn?F1j09X<@8uy>#MFai!IK6V5}&f0=K7KnBxj^O#t8vrV`tSgM)cW>Q0 ze}?^D&{F8fFWgD<_Txlga1C1*AHdV#CO}^YxYeYb;87lRAJ}bh`a2gtC45B-eTNDI zPNRnINzgpw0x`Rz{XX)L*gZ%od|7B1AHRNLYz*){`In)*CE%@t+=PE>>W?0$*Y!?F zK=$Xa7XpBBRfs@%L8aD{>;KgVynj=f5_{GyNz64lV7-b;Tbrg)%lQNz1cO3MmI&Eh zE*RjQADeNtlRMhPpA$+YMU!wTKqF~7k^PdvGuwK}P!C-F4~4iu0U%CBJvcr55;pXt zhhTE&_XLS49IOTQzn4m40QXUwPrNOz)+cQHp+)qv*Q1|x%O7?V8V|8sTKdRmtGIq7 z7k~fB1Uw(7L0zd*xf{m#`tjF1S0x%>txGoPs{N}1Nyh_DnO%MWPe04#faNo8sV9-i zx#!uthT3h6%DDDMh?z{3@wq?05h6D?jL?!~dnUu)C>l3kuxszDNuNJ$VTXYvK9$(0 z&NcOAPo~>t(XRKsZBRZ6%EHfxyvo$}VVTmG&~>;g%7*C8tFGK0z+TNmvgVkC7n?PY zuXV|m(4~ISg9!;p))>c7ohG>aqVWH#ZR1bbK&xwbJBVgX0yD!|yYldk! z2!k@l+1V(FYcpTJm8!dkulo>QFGT8g{0u=>SXN`Z0{V z(CqGaPrHvB!)TzAWESHyeZFk0EL*AXmUbG5`=!1R2OL$!?-YewXtS-KXVIlCmo-wV zNYKfWC%X5Rf<;i{T+ftq_>azVa6_+KM&sX*yQ9C1SNDXaLpH8$`1R|JpMEQi>Q+OR z$y#j+)ehPOa~KRhNGQsr{-;xG3Di2b{7tZ8gOs-I<-(`Cqg6FvjbH%#chpkd`){6S z6d8*SWOWNL|FtO%2K!K-1;P}DUf@)PD;IQ}60wi;oLb-{v(8d2Q9T1 zUSD2r`LjQsqs%mKKtNXJbI-c@LUE$Bd*Xk%#C-ful%O-{4T>N?Kq;5$2t*j$;BHx> zVtGNv=f#8rMHn5I(r^&4u=HEoN{1J-v9f5|fHm^u$tMqLCI-TRBp(0Eh}SQ>d_aOA zLe|RiHl$80Q&F7eS^L`YK>}wL5erLzv>r1)>hJ>(S%1m|8tsC!)Y&)uyTqhOLRJ|n z(dXilyg(5YpSFC;_93I(50X=fZF&z!8j;!37>u<41x@~+!;ejZQG zC&_swWo5*4jZYjFo>Ge<{cLTuB3v;KRFt@{6FYfeeIcw#$?ZStLFdbs58(i-{$ehI zI3dRGq(fZ0WkbT^VwMcLWSA`6zq(;_T`P484pL^N;-=g6$nTe`?oOb98C27aIyS@6 zB)d~1bL{S7EYHd^-DFMSwrzgHu1-K&c92a-d}hn85IRK;qucFkH3TE-!@QnO6#mZ7 zkH|iwR?!ERME@gp@+fL78_3F>t|8F1@DGyMfm;9&$Wb=zBMUnt!*;G=`Ri9#4| z4V7O0>B6hKOtPcYd#r}*=nD>RJSy`C2)xK0Ms#`u$7>Ld*+G{;b1)*@uO4I|VqO%e zwroPRBt5TVj`KkmMT2l~&$);+`xUy8Y%yLR*T0-?GZNF+wqC9}eNj zkeSDX>JZ|nL<-28RqG*s9D21+FOx}}mQ3k}W%_1lZhYEj0;t4bi zZwVjR8m7d)+o3}knqH6s`<7u60Rm#%mIEqU0uxw1nN6IzpD+?{%1$lD+9WdrR2|Uz zQ`B%aKJ-<~PB|>GgWkoqPR(~sYKl9KG{_Kz^w-!Ii;Kt8eqsQc!VDxO8trsU9)DWn z2Xj~wu44q(mJkNkH+RN6vv?(?0-5m(T!~>ueB6ehxV#SZng7NY9;oAD4Z1U;fKv+# zIqFK+2oXs^6x710x$@RvP!Gg-$7En*lPhqc9Q7yOK7rd5JCrztg`@$$yL>wj|Ch^0 ze>K+R%tx~QkrHb(eEc`99HwK_lKxULX~-Q&V=}tEPirC-lI<{0NSV}Q(n9EFTNU5a zg1bTfo(u4Pm=$+$BM19ClUw+$9~V8Q2u?=E+fYJr(L#u%X`w={XXIlg`c=M={=ny( zX10GZ0kR#mzw#F_csHe@lu>F9tlyzw<=`Sk&%x3@UxkOkEkMr>a%t-}NX4$;LAX5F zlu*kRy`3!Pv}h1iE;U}A`~CL4CP!Hr_KHRmJh+3i{j5ibiZC(TAx}+4ARXuySq3Vf zGu0a#s}+Uoq0%8weC7{s)0bfq`bAG&4=z|g5XVt1bvn=wuAu={+ebXHmolVEv1+yS zp_cVk=-`0Q3+s1>!Mf|FFvX=1325qOSTEW(+m}y`?(Z(sfC_pb+1PTusLVYlu|ZI6 zPphaB_KAp_FH+()b|{ms2x=hi{i3a(RoAzzkw#WF-CpTSwjX6{r_|LtkfNbcKfLKf7>0ukSIapt;)iJ#c>`0@u=+!nuS8e(qhvM+mOI^e0@>4(XCEJu zZ?cwEes@1&Q>F_cc*5{ z?HT!ORm&f53<<4ULf6k4KIzqZLGO(R@z|iPLSR@-O<{F)dE|iieWZ899s%Tu=Dh{K zi&B0FDf?J>mR(q83?g zLtFI|&UDM$E}Hi-Y28xv*nDTOy26{4Fz~E8)V5DD-sI&b04e&jh3-$*tl%b0{9cFV~Ee@TeOCa6@T)~)Szt9_3+)#i!76YHI~8h?H87Z z-9R0Eh+o^?`zST2T0$AnXtph%x8bS8$Vz7o`#-Z8d;Iq>VpFz1fm%R>D0ul_E{`N? z!H-dQuqa79+>^+Z`R|xukS$q@^?}=XM|6jFFLXooK^6HhrSX$hU7}`sqIdy^oZFj~AG2l~OVfh~di zl^t}$#7dhlfW$AKHzxsT-Ua>1BypP{E&TbEv1TwZ1`7W<=82#I*VQgpRsQtC%321_ zsyk>#n7m$gx7Nw(Tk;qY&v-Cc&i?$!PB3EFPN9SPFzaYHmz}>_bFwMY2xN{1X5e4; zO|l{9qYXaVq2PwXpWb_-=gJAE!yeY64cB&20VIoT^z?eEw~CDPYdMJ6U)?Ui^&dY* z$kw}BFana%);#Ou1^3FTF|Co8a~l@w)`E1#(u4~mug!dGa@nmndBkPzK%gYky4)Nz znIF>ZG%jRu-?xv@n#aB&seE3x)LD$ zP|!Nc+tHyWNC~(<_?di(UE+UPM9}g%x4080d!%t>PyW(AMIhv_Xr?3*fH1+zGE)Ca zuzM{`T^S2RWLKYhBhec3jY4#wnn*g9h}h$c8)$>|TtkYFfdrCakb+N;=n`lN(ymVn z$`2Wzll%Z$(GxfZhz=vk0%dz%9p4^*Vq{|L{1a#8hIYgqx_NYFA?(~K4gCvul?ByxvF|4eZLEsPix7xD&p&*&Im$FfW_!T3A+&oAgX4xqQHY* z27Zuh!mByVwQ86Q3F-scaa(hAnj9>F zKwbq`Lv^k1|6%;BQ%%6umUmBuL9FZ8`P?c?2ujN~LqOzo83_3<2Mg`{f|pyZR>)vI zJnA;(^W{Bw8%gTsPJ3M_P-mAbVRX>Q_CMNI2W2Re0fxKsJRCG;bfB;T!RfIUTuPZ3xPTn1|>s%Hy911}}!!RAluv1Jx z+er@VzH8G`aq`1)YN;HV?MQ_D-atOv#mY>Cpi152yF;`4Z+29{p#!1xZ2UyK{`*NNeTR)b9{^#d?Gt)J#ZAishzMNQ3Smow7YmBe%UmIr9+QtVBFBs()qXSLd=C@b0}VWEBaqe`aV8EqBB?_3Fu z(w<0{nwn^nW_i)#Y8Zm>O~^EEo>Lwl=n5%npQLRW3fA)B2eFhdQfQ8roVAXQD=0kR z^on4TQHCW0dC>Fo%>K#x@{XPb2!=!ccJfMEJt%ROH&E!8%fKI!e08c0bi%bNgcCC2 z$W8k|+FV<~XTa6YaYV`)fEQI}A+FB0@wPTs?g^4!`lVdSS4k$RN9tAA!wYCA)FKnK zPFwFkXK1X~QU{c*Co&r(D_0LVcVDeo55Z`AM^dgLXlYq}SgajdD>vC%z=O~9yF0;! zS9)631c`l<6T~eVDBcrD82hc43YXJ0_Le;P@$#uK26>3fD<`SD%;()}Z;<-}5v%qU zKd1K7G3becXuJ(>E}An^Q90-@l%+-rWpaSpg{rV8@ruGtzp?I-ASYamf@=AJXvzn$ zZAcIwE7N^W#X2PWYYMiXzB}uR?{WAuaeFsw877t7fY^*=#-kvEcC9K@_nx~lBa$2V z3D2i*XMrSZZnlWXnOtMl@YMeFi3ClIe*Pw8;rO2$PM5CWJ9$Li-~eK9*-k~@K>tuM z)QetAq=V`+baZJFuS4N$-J*|I+@Ne0dhCb5DN*?E?rzU+R(u`pl#$}Z_f|kf&@-G! zi5^+ZR`}uCF*%8~bKVf^i7zVE5d@UcIYYvHTjSlmGg9_+wp1Ov2gAbGPPpNcd=4M5 z4lg4j(T~PY9;ujU(B=0jFeYA8sQgi%$WYn*E5o!xdkXyWI`D4gNVWDF$6O9U|0guR z@5BfXS}0wwm31Fh2SpWMKkfPRr8VuU`Lpvb3fo;`psArlLLv(AD&YtT#T!`Svft)H zpuiUuKqL9&jB5R-*1%!J0j;Mzk-(~RJ=_1iZ&QXx0qPMrl_9bfZjpmgCLa@Qlia;M zndN2s7U*plgXFo?H{;mTE&aboZ3VP8!yGNq)PRqQOou>#wpb)0(Zl9RaU*(k7R3~y zPY<{yGvQJkQH%7%z^J@W_d)N8{VKIWD92nB%Y(X^1tR`W@kpsU`BOxgM{kKXahQy% z`x!;7?DvVeOxPga{&3pBIq99*d0=&O|28(Rhr=W{{kXl+GoB9!jW4}U@Y(g6Iz(EKgU{AXL~pWn?yiLl zU&V~BKaLge*+>c+%nV!aYUcu2K&x_^a9=PG*^bgTBY`0|$Ce0!WH%UEM{C>M*=@L_ z;gU?h6&`0JA>NeWtQ9(-rUJ16Y^Ce)m>?wg%J2jMsvkCb)X{>^a^Am2kdpEgT;~0u zmFdP^-kFu2x;Au#(ousmqOAdHse0*RfY#+;DP6AfR|#Xd<&<{BuRsWeogv%+_GpFb z>8GXP@W;11QwBux5z6}!74@qKBz2<&DxYEUIpsonM#Jh0USjj|ot%5wfFM;h(PU*01nmQ_>)R;i->a@zG1bQ!gK6eH}6 z9&h$YPriJ=DwKx>PCZEwy#3U%KNFq9JZU&toiE^4Q!x4UTwPxVFPtYcU#^u)OZw&> zJ$t9a@B^78tWhW7f0Q(YK|*5s`ng%aud7Xo2=5xf{(-=R)p?>v-LF1vS;~NX4hFRR zQAV!ShN*2>(FF7dl2QB?Gf+JA%NMR+PFDV*tMhJcLGdQ`gJU2t(ce#nujc(4D#N3b z9wCZ<3tR^61@>LgzWGnR9=5v+2v6?aX`NRup+^!xGro`vt$2AJVFR3SN!$Ic2(k93 zS>SY_jSY0@NjAEVF!~0=udbN)d21ZFK#~LclH`16WZplX{p{Ejqckv?a)Evdh%8ILq8MI6pg#g<@ zgH%m8*kE1k%3TfSb2ZZx|C0iyKYI-YA z6Z+XT>heJrwCz-EA{c-+b6cl}isGL=>25Xpn&3j^<#YL--r!5>J{$f!ew2UxG1N3*$ZwWa1I2ROr{(E@ZZVdIi_2yTSptcAZI=VxvoE{Tc`>rU%v7y9=-JGJUepR`Bg@Na*}%J7Z(auF2G}l} z&a2bHrI9?!X&=ImhGXRzc)+0i3noE0o_-n70A+gM#0<)zJw2Ej0qXYSt~A7|@Nukw5A z4_6lx-|EB4;}!?yV59%+W@2o7_C_;Ou8PG;qEES22lb7Op8hjUF(w){?Aq27M)Q3A zWrGn*G6dFN8P9)?<8x3^9VPrs2%vhyCCXrGI(XXkTAs`J%Uf8DO>kD&MqEGtq|-)< z)!E2Gdb&;`?%E5iGFzRnrtSB)V5 zvymN^Z_anQLj12}<9}2$RNej_`Z(6h^HD?na<)^aWXoJVFm%(;8k~VR2JQ!c;MkAx zd3`2c_3=^coWfNla6RW%dEU!;XG*MqT{ur^Rk>Knq|x1Z@ zS+2$+E()3b)}8+KnNb(6)EtN0@4jF}^vg@L93?Ti&C}$QM&$?z7?GT?zTQV|&;H@h@3-p)o|%-6 zI{c!sDae9bi6|IH4p-Ff?uI-x!;mg7GRGI`>UQz+Xm#FUK6m9-|LXOU77j9o=8)Bb ze0?AEaC6CCxt*@DLrz)L$7Y>F$Vy|Z{axEvw^T1x@HZ2GK@mA-eb7TgJ+JlPm&K1` zZWk~a<@p!AUOeje`}?;Dj`@-C!SK#y3Y4lH*0O6J)(Je!-p4Dg8*d-m}ylHPHYz8NCft~fLrV{0mna{um{=Qw8MeAU-?`Rzw|sqyy;@5dV^Zj32BT!LP@ z&k)FSd_Ne-PTaiBD1Ch8@U+9??rA^y^<5D9>dL@_b+@8{LAhpC*qA~v9izZZfh?Ov z=AEa)S4_lryulFcGlw!e&F+HJBr&|bOC~p&FGcg%`{8+CF~J=`5D3QUI-Ws1 zZLjW&RG8*WJU6p``4};+VCKs$KX)>B6zDBP5D4k}Sa9Lq{+(vC%mG_`QO<|{C&&SV zB(&f|BjSVKhesSnb!$DiEn7G=E6&UAv$OylPRX?xYtc*v9$<_6C>4voU7IT0e$xKD{jEhS=CI;s@q9PtWEoyJxz-b8u?W@|shwGtF7I-7Hi#DkX9K@WYZk$p|o?O6z!y~C8SW_-zrP1Xu3-+4e zkeqHDVImPB0|VC*OMOB${6?^oFIx5?RU=I~j&9%OlyH>0zQp=+ViriqKCAD(v#5Cu zm!0FqmV6VZExPCslqdrOZc2eb%yG4?vIg`RhGYC=m%lx%#%QL*cdU6dj|qqi>~edj zUA#dWN~}SPopF#R#g!$4g`Q%0;@OS2YZ>T3|@ZOZ4eBe6E66K_H5JRbTd=j!l%zOc9NgT zb^(XhCHk&jP4ywG{P^cnI{Pos`=O~kW91?56_={NSx;Xi9+2~Z1Lq%ed1^$<>_0x- z>+A!HEsd^Z)Ob?s+B(p{FG{=hUA?eQzV4~sL-EF zP18NbSX*{)3uvvI6kcYk)-}Y9-KLyLk^f_s`?;aHy=ZML z%Hxkvyv}F6+hY^^B<`-g5k3$YNQP+yg)FSVVP@H@-@ThXFAg6MUrKhyAAb9>%l~qz zc0cUPd0?LL`5ngT$grEBX8K&VUdnUsRc#XE`yNb*vt#x}>pzDdA8XmJ=}qoq94Mgs zN@T#~?&t$M)-(QRN?(()CJSFrY7QZDg%tESg{G!oPK z?@jSHcF2%lAt{_(Z=}&B=lEE^GYKm+Mf}O|Uyh%v{Zf=_%v{UajQJ5y=5cVi<332> z6}a0_>)Epo_pb2ofv?b0nZ7;QW0Vs7P-Ro9nfDRIGW11hd4Qu%(WIVh^+j&U^Jz1G zPQ@nb_-UaHbsUyji9%`7Sd$LT$MI*+h3Yid$39{=jAuW;2zyPc@!sb| z>o7Z@J6Y4;t4C;*5=mt=ZR_gDYpidAmexhGUje z@5-Bg%GU`|D_v+HRMllsD(OJ7qKxY>YEg3*=!dX6u_jA#bqhI`fi&VHAw66SW6I&v z4+HM9f)S0>@tVdOt5c1=pyb0>zSdvAI1tQ8nR|J@J?@W);1h&RwrK1k)JYxr!K%n< z0-O@K0e))|t)QF_+WNVh)7>ul>o4s%nQ20G+x~LfZ#>NWRZVv<&~+T&+g>2|tW zN@K$3l#)}M2?i1X^Dvj`SNIb}MmcuW!USt;qAENrys^&V%$5Ery=6~U?M-{-tJrd8 z6%}xc)7W;!5BHcDOrhsqDd%@-oV4erGai~LH$<%R_u*BZSL|N7-Zs;%WFzR`7e=oR ze3Q$*+?x2FfTi8j{UbTHq;uQIq|{+ah=d)h)_nG0muKv^8Rq>Z;l`;nEOd6BTXYN? z=lqz>ph(~UGs*w--PUowN*AW)|k$2Pi8lHlQj7wyxE1HFnPL6X2loyvhKHa9T9elSD| zg>ofdqSW|ETnEMl8eC)t9?~7F#|qck)!r{;ewxkb^N&mB{}g5_pN?DRxjBK65}dLq z3g;=Dwf05jVB}TuxxviLg>`k8n(OO4cQ*=9mScI#dwHv|N|K+~)>FDnGGTv6PGapz zX(Sh2#TM#g?O`?YLL!BOZq=gmKe33JUvmu(kt)WrKUV)XSx3y1Vf8mg<|}{oaKHN_ zPnuqZd#ZP+ooM|3RCnFcY_@+t)abCDPSog7T51$kd|v=javp${0ZipyTrLLG8>s}w+1RPbQ#+^S?{VBFR3H!N(-)|(*h-V79{FbYZ2Y5 z_OqLx7_}cmmnWEs@|r>V8sbh}&!W+LKJHq-F?_9vEw!hMIitdWz8lkzJO1lSpjlKy zH|El%>{YJGw#7FLN{LJF*8`fB7?9;W$5= zy+9xnlc~SCDBb^g>YRpA?GlGy@O5skN^g9(0lNO^Tcc%CzNBC^=03>ETm{=)B}4{8daLHTCv{yvWi}N9jF1R^{5xDd^_X$P_6Mr0?~kMHBH2Iw2rKG= ztetEu4(*EkBg{=xZ--htnVhhyJH!bw2?#L(@*PL>9i_>@I(Obj;g=rv_#pE~>YZ-7&ia2W*9Yj9+fb{|)=BGI zov8N$?M-=92;``;-i@mk&#wz=`)80H8ch`y?X%9jp3+B_%=KQ*To}JP;4vNEH658$+&RppcK#D^wtlF1y}2GAyS_k7*-beLc7pm&l0I&yT~Yhv-*IIsozIfRs{6 zyzf~LfX3isXmGL}yuo3js^0n+g9y6~3i@tPkDPvpqYc=%BUAdv!S5$`?RnpeZ<#?o zk-ONgv=gQEuv@pS1(XNIOq8vgh?w3oEPoK+6*SGt>%C*^=hbz|kC>?=(?}sSx;$3) z^0~5a!<;l(VId!SUH{R~GE(~cUNVZsPXi52VKPD(9kdF%^~{>SD}_miO8y?N)80VZ zj7tQQuG|o6?TdkT=P~H_&O}%t61{Fz0u*b8s0MEdh!JM`xK+6nYQf12#42g-$c5Xg z$!0pkRCJWIED?^kY;+s_e>7E5Q?5p*&x*GCBnYgc-?WMZru9J@G;kqto>E`1r zpP53n*L4v;nDGQGEO|dANdcOhh#K3!S(_yRH6KVohu&&^f0{Fzn-ka3p{&Vbo>$f7 zRn60hbTT@sJ`q(WdQssfFgAK~5_l(95vxBsI#xRi;j7*2KFIHPID2{&uvHVMcg~+P zeJAkTAp(|uQCDZC5((dY2^^8up(H7<;U&299L}OuvXXj0Am)`<_l=u&SMqvSzfn;r z3H`B#jBUzn>o?w`1&g6?=H|EBnUp&I@VT|8H%On<*JP4d zCN18Qu2&Ql);t!rj|D7@Tt>xTfHyw`8yq5Zuo2F4#NwdQe2iRDK@ff+(VK;iutmEY zckR1tWjEKqd?2}?pr8#AW5T2iE_se3m^)Va_Q*=ltvf-nqG)4sL|-cE#NC?Sfzh1} za^%ayD9r}O%O6=L8f(EeE+oegxg>CRC7w8CxSaa?Ghy4buVVv09-eG##GGOem>@PK7DTRF^Tt$*V|+?J60q`qEIQ6{Vy_!wKBZsRKl_wf6`g~D`aeXC&XRS71a{uVWgq&XBX)KQ=7B5^s4UER@-nd)H+s!pT`(V$<~sN zJ@aRjWs+Wf_}f75QK8bgN+{WE)>p@zif>Pd_^C?LzXcIK!z3kZF{w^Ca^B}7kVUGK z{v8~9+hmA^JWxg|#yeyhSDbKa5x7dsf^KEIw4R3lx?E?D~ zhq}ssk`OBMSJ>Pam$T1Vro1IfS7J9tKw?v$?zP^wUyQJ}Zlc|VKWLKZ7}6QLd+{_b z>Fb%4tC78WT$j!xB^-_*5Z565c%oy`{MR7?Y`{B^n!t;hRhgxk=0h9 z4?p6Ljg4-=g53nSxFpS?$HwnqvkACVKVDCJ+qLy|%VlB|Sq z3|-rU@ji0IH+;1>n43mhPkogaN?BeMP_eu}BgCTl(;Nd=@PcRSFI=yk;7}2I^jLTF z&WXL52lHDV|9R6myuX$H=43Xz9zjI&dmrpR;aM9v)R<8etL=%duI`vz-2f5{wV#63 zLdQm=J9g3(+x6p*QvC0^b3Ex3F`0jP*LS#y_d{>uS{DzjyaMR*mBj=RQPtAMr1PmT z$^&S*{~z}-9=T=N-hwH@k3fwmF28t1i-0bMksXbIs9HKW|@SdwCu z|AuU_-A)o_oA}$M*=F8waT7Jd&!5}g!kPo`4{?$|cW>`(S43gsb6~nDSD&4-uE)lTMH65D`xIoC%(PVxCgimZHK@6 zw^Mw3gxrMGT9l&6p4;<>Rpv)>576iilOyWOzRy9t;GAsRf2m>4G2xGU1 z5kTA$z=wbLfASGo#L>Ez8Wp*0F63|tcfKy5c;oYQk;rZJ`qNJv$hc=)p4yu5cf|Uo zO08g4XXLP#(8r88m*#l5mh8mvV)exYvex~gQ{J`@i9Xd}w)V)Ad31ALhCe?v0Qlv>;y|LLH3$zJ$^_^8v+AOH<= z^j9_yM!@EKBY#uXDYm?%=Wt|}-JrqC7AU8fe3&PqG-z{sASRN)S#-1LlH@jdKdr7J z^fuX9ODo(`^mlzkNY~e~{ImHg;~wGvAQ^}hyEYqn6V^!f0bvBmf)nfk4zd{XRFrQq z;rL~f{@c;7y%sZJi7S1xK)iUwhzID#3p41TX77~grS1+&8A+(_{aby{NCIumwFjbF z@u-1Or0RZURSL$bY?<8Y9C+AyKmtUT<+Uyu2h6IvNi36xC zjJrdat5Lk`9O7SRCg-qYuA}r2fFgDU2fHdW@q0v9bgJj2`E-5+V&Q=7*+(dYYxUA2 zEEtwG;d1lFAjYZ3PU}qpc_y2x`NOU90CcULzEQ%akMVAzlm6NB^Xt&v$Q0?wA`STaIq*!;ocWhF2z9 zXYQ4|#ab#*Z+vw5eKpNe8c;7#>mUj?sg@j-%>9VyQmdQ-i z2r4lF{;vD8jJUHk#7C0rUwy+pnq1E0O?1VN#?`?t24{MCRQ~CDA?ieT$_>14huXyt z&vc&LcY;Jp!>Ag|rUU!0Nbqm!jen<9#a7$kzlVNDggYlUsk%PlwMPLC?#_z3Zt1N_ zK*a8S4lJ1OqVkK`uq{*o>TFoL-?cv^;!cSR{7Vx4weM$w%5%hJK3Sk)`j=b`cVe&dEjXB}nNDZy`Tqo+^H^o4@vlIoL4Z8>|5Fv8qo zCEFkvzxsl4`Va`fW*G>d^Vq{5M@;(?Ui|V4BJ(KQ`?#>bY>$Dqoq!E?~c1h+_cjPoX#B(;8fhU&0 zb19tBJl1jh$UTBSW594{L}a^jLJHiUld`n$gxt6+!>I6>ACuAp?F`slm>>$4G24&9 zuZkkJuAJo0Mtfm#EA^jj)5ZMky{Z&yh&K!h)r{`4!=2UF%LSDFmY^8&e+Z^~*}R|3 zh7tYq#`fYe0Ay1IZ}C73g{`%YJK#~Z?*D-4`qnps+u1O$S?<0D`!pVbY1h%&h%!Qd zAkc5@Zc^%D^Z<(F=Kxw)S>dVbcfEcpSo>EP07`Qk%nolto_`v(Cd%Z!GaOveCqG5v-anV~9HX5vKC>?$p$ig-@uQd~TT8w6Mu35#6w zY!wB81bkBcpfeM;W4+2M>`J?Ws$$jJvFWOjxaPDm9^V`LW|XG6D9w-Ek-)^h>Mi{c z&sph*PkHys^Ec496DbLxhY9&&P5A4lJme#sqtqg5?ZbG<^jASxow^Zdv_(qeT!f$f=J^#gTC-Y{6_jXRuD(BA zZX<^%SNg{Je+I@sKNgb#GpyL?;Cixre3kZ(>ZoN71i1qy7OG{Uk{|c!@dL?O_enU@ zD#P%E8u|ROr)WDh4$xOibUAd^VXze^E#xzd1fAcf<#7H&mR<5TvV6CVbxG&*dPEoH zQ%39cHq<6AfG zJ+h+?1zS82okO}{7EN+N3kHW*EbTquLQU)b!uo8%Hd^q=Y1OR2=ExTzW5tyzz^2}x z<>)P$c8cGqu+q-?G>^w;_^+&hsKT@|jPde!i-1XGfIKWR(_P#GCw`a7vwL*(Y3-zh zy$SrfB8V7JzagoK?AgK){!rxtA*6Cm3F7vpngI+kNT%9e9Bu%;`MX2u8Gz6~(Z}#{kh!OT6g*|Xf0(3Rk z;y6F}U?HyNU%!ET;cJFu?)!;jM||WEJEkDrPggQ#&AuF}*aI2=^7dZo{*sG5N0Ka) zV&(7J&`i+{v-WTN(gO1&G7hz4@?P`Zy#1>CeGhMRk~sw0iR0Lx25L zCq>e)gf8X7=gKozx8)?y1;^|aDYrqpwkfofqA1n*PpbN$Q@jZ(hu5p;$osC&ibE@J zg_F*-C^XI~JH?MFL5CIVYFRFiyAgHf+7~*K3A4ySd-;1+1aib&GBnVh)!mf2s-{3z zYOZpR{ZNv0az7}byyEut*$@9#rXX?uBJKYHU`NcNHcEt~Tq)8QU zv=f2fQ8?v>O`y(GXnGCEj47DDoTQw!dn3GE*0q6o zEaN@7$Tuvfbeds6OOXspz#1&0;tVmCh>V{FK`-wZL0 z!|T1p>t-bkN#_hK4fwKNdDtj6CasPH5Mo`?p+-o80$l|59?aw}Nvm|^$diLodLgW` z##l1_5T=M)=#2f0DYCZfKzzHYiA8leE|gGqP2&)Ry0-`xb3mbZDBX~Cfd7k&@U8Af zL$8ksvxYZg&$_ml^b>n+ztGi`x`EmY{l9j=09~c?!FD_jvVXJ$>!&& z=m>ch1X^R#v^vtftbGvpL*=QU%y%F`r1lDeH~ByPjfnLhSr2>_V+E!a6bO+APV8q0 w=)_XG`dl8?SAxs0i0$fH2?qr literal 0 HcmV?d00001 diff --git a/latest/ug/security/security.adoc b/latest/ug/security/security.adoc index dac15f8a9..70625636f 100644 --- a/latest/ug/security/security.adoc +++ b/latest/ug/security/security.adoc @@ -32,6 +32,7 @@ include::iam-reference/security-iam.adoc[leveloffset=+1] Configure Amazon EKS to meet your security and compliance objectives, and learn how to use other {aws} services that help you to secure your Amazon EKS resources. -- + Cloud security at {aws} is the highest priority. As an {aws} customer, you benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive organizations. Security is a shared responsibility between {aws} and you. The link:compliance/shared-responsibility-model/[shared responsibility model,type="marketing"] describes this as security _of_ the cloud and security _in_ the cloud: @@ -48,6 +49,8 @@ Security is a shared responsibility between {aws} and you. The link:compliance/s *** Managing platform-level identity and access management, either with or in addition to IAM ** The sensitivity of your data, your company's requirements, and applicable laws and regulations +Amazon EKS is certified by multiple compliance programs for regulated and sensitive applications. Amazon EKS is compliant with link:compliance/soc-faqs/[SOC,type="marketing"], link:compliance/pci-dss-level-1-faqs/[PCI,type="marketing"], link:compliance/iso-certified/[ISO,type="marketing"], link:compliance/fedramp/[FedRAMP-Moderate,type="marketing"], link:compliance/irap/[IRAP,type="marketing"], link:compliance/bsi-c5/[C5,type="marketing"], link:compliance/k-isms/[K-ISMS,type="marketing"], link:compliance/esquema-nacional-de-seguridad/[ENS High,type="marketing"], link:compliance/OSPAR/[OSPAR,type="marketing"], link:compliance/hitrust/[HITRUST CSF,type="marketing"], and is a link:compliance/hipaa-compliance/[HIPAA,type="marketing"] eligible service. For more information, see <>. + This documentation helps you understand how to apply the shared responsibility model when using Amazon EKS. The following topics show you how to configure Amazon EKS to meet your security and compliance objectives. You also learn how to use other {aws} services that help you to monitor and secure your Amazon EKS resources. [NOTE] @@ -61,4 +64,4 @@ This documentation helps you understand how to apply the shared responsibility m [[Topic List]] -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23security%5D&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23security%5D&type=code[Edit this page on GitHub] diff --git a/latest/ug/storage/storage.adoc b/latest/ug/storage/storage.adoc index fc08fd089..1004c81ac 100644 --- a/latest/ug/storage/storage.adoc +++ b/latest/ug/storage/storage.adoc @@ -18,6 +18,8 @@ include::../attributes.txt[] This chapter covers storage options for Amazon EKS clusters. -- +You can use a range of {aws} storage services with Amazon EKS for the storage needs of your applications. Through an {aws}-supported breadth of Container Storage Interface (CSI) drivers, you can easily use Amazon EBS, Amazon S3, Amazon EFS, Amazon FSX, and Amazon File Cache for the storage needs of your applications running on Amazon EKS. + This chapter covers storage options for Amazon EKS clusters. [.topiclist] @@ -50,4 +52,4 @@ include::s3-csi.adoc[leveloffset=+1] include::csi-snapshot-controller.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23storage%5D&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23storage%5D&type=code[Edit this page on GitHub] diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index 5330917ec..833bbb78d 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -19,65 +19,93 @@ include::../attributes.txt[] Learn to manage containerized applications with Amazon EKS -- -Amazon Elastic Kubernetes Service (Amazon EKS) is a managed Kubernetes service that eliminates the need to operate and maintain the availability and scalability of Kubernetes clusters in Amazon Web Services ({aws}) and in your own data centers. https://kubernetes.io/docs/concepts/overview/[Kubernetes] is an open source system that automates the management, scaling, and deployment of containerized applications. To get started, see the <> page in the Amazon EKS User Guide. +Amazon Elastic Kubernetes Service (Amazon EKS) is the premiere platform for running https://kubernetes.io/docs/concepts/overview/[Kubernetes] clusters, both in the Amazon Web Services ({aws}) cloud and in your own data centers (https://anywhere.eks.amazonaws.com/[EKS Anywhere] and <>). -[#eks-features] -== Features of Amazon EKS - -*Fully Managed Kubernetes* - -Amazon EKS provides a scalable and highly-available Kubernetes control plane running across multiple {aws} Availability Zones (AZs). Amazon EKS automatically manages availability and scalability of Kubernetes API servers and etcd persistence layer. Amazon EKS runs the Kubernetes control plane across multiple AZs to ensure high availability, and automatically detects and replaces unhealthy control plane nodes. - -Amazon EKS Auto Mode fully automates Kubernetes cluster infrastructure management for compute, storage, and networking on {aws}. It simplifies Kubernetes management by automatically provisioning infrastructure, selecting optimal compute instances, dynamically scaling resources, continuously optimizing costs, patching operating systems, and integrating with {aws} security services. +Amazon EKS simplifies building, securing, and maintaining Kubernetes clusters. It can be more cost effective at providing enough resources to meet peak demand than maintaining your own data centers. Two of the main approaches to using Amazon EKS are as follows: -*Kubernetes Compatibility and Support* +* **EKS standard**: {aws} manages the https://kubernetes.io/docs/concepts/overview/components/#control-plane-components[Kubernetes control plane] when you create a cluster with EKS. Components that manage nodes, schedule workloads, integrate with the {aws} cloud, and store and scale control plane information to keep your clusters up and running, are handled for you automatically. -Amazon EKS runs upstream Kubernetes and is certified Kubernetes-conformant, so you can use all the existing plug-ins and tooling from the Kubernetes community. Applications running on Amazon EKS are fully compatible with applications running on any standard Kubernetes environment, whether running in on-premises data centers or public clouds. This means that you can easily migrate any standard Kubernetes application to Amazon EKS without refactoring your code. Amazon EKS supports Kubernetes versions longer than they are supported upstream, with standard support for Kubernetes minor versions for 14 months from the time they are released in Amazon EKS, and extended support for Kubernetes minor versions for an additional 12 months of support (26 total months per version). See <> for more information. +* **EKS Auto Mode**: Using the <> feature, EKS extends its control to manage https://kubernetes.io/docs/concepts/overview/components/#node-components[Nodes] (Kubernetes data plane) as well. +It simplifies Kubernetes management by automatically provisioning infrastructure, selecting optimal compute instances, dynamically scaling resources, continuously optimizing costs, patching operating systems, and integrating with {aws} security services. -*Machine Learning* +The following diagram illustrates how Amazon EKS integrates your Kubernetes clusters with the {aws} cloud, depending on which method of cluster creation you choose: -Amazon EKS has become a cornerstone for deploying and managing AI/ML workloads in the cloud. With its ability to handle complex, resource-intensive tasks, Amazon EKS provides a scalable and flexible foundation for running AI/ML models, making it an ideal choice for organizations aiming to harness the full potential of machine learning. Whether you're training large language models that require vast amounts of compute power or deploying inference pipelines that need to handle unpredictable traffic patterns, Amazon EKS scales up and down efficiently, optimizing resource use and cost. Amazon EKS supports a wide range of compute options including GPU-powered instances and {aws} Neuron, allowing for high-performance training and low-latency inference, ensuring that models run efficiently in production environments. For more information, see <>. +image::images/whatis.png[Amazon EKS standard and EKS Auto Mode,scaledwidth=100%] -*Hybrid Deployments* +Amazon EKS helps you accelerate time to production, improve performance, availability and resiliency, and enhance system security. +For more information, see https://aws.amazon.com/eks/[Amazon Elastic Kubernetes Service]. -You can use the same Amazon EKS clusters to run nodes on {aws}-hosted infrastructure in {aws} link:about-aws/global-infrastructure/regions_az/[Regions,type="marketing"], link:about-aws/global-infrastructure/localzones/[{aws} Local Zones,type="marketing"], link:wavelength/[{aws} Wavelength Zones,type="marketing"], or in your own on-premises environments with link:outposts/[{aws} Outposts,type="marketing"] and <>. {aws} Outposts is {aws}-managed infrastructure that you run in your data centers or co-location facilities, whereas Amazon EKS Hybrid Nodes runs on virtual machines or bare metal infrastructure that you manage in your on-premises or edge environments. If you need to run in isolated or air-gapped environments, you can use link:eks/eks-anywhere/[Amazon EKS Anywhere,type="marketing"], which is {aws}-supported Kubernetes management software that runs on infrastructure you manage. With Amazon EKS Anywhere, you are responsible for cluster lifecycle operations and maintenance of your Amazon EKS Anywhere clusters. The _Amazon EKS Connector_ can be used to view any Kubernetes cluster and their resources in the Amazon EKS console. _Amazon EKS Distro_ is the {aws} distribution of the underlying Kubernetes components that power all Amazon EKS offerings. +[#eks-features] +== Features of Amazon EKS +Amazon EKS provides the following high-level features: -*Compute* +*Management interfaces*:: +EKS offers multiple interfaces to provision, manage, and maintain clusters, including {aws-management-console}, Amazon EKS API/SDKs, CDK, {aws} CLI, eksctl CLI, {aws} CloudFormation, and Terraform. +For more information, see <> and <>. -You can use the full range of Amazon EC2 instance types and {aws} innovations such as Nitro and Graviton with Amazon EKS for you to optimize the compute for your workloads. You can use on-demand or Spot instances and your savings plans with compute you use with your Amazon EKS clusters. See <> for more information. +*Access control tools*:: +EKS relies on both Kubernetes and {aws} Identity and Access Management ({aws} IAM) features to <> +from users and workloads. +For more information, see <> and <>. -*Networking* +*Compute resources*:: +For <>, EKS allows the full range of Amazon EC2 instance types and {aws} innovations such as Nitro and Graviton with Amazon EKS for you to optimize the compute for your workloads. For more information, see <>. -Amazon EKS integrates with Amazon VPC allowing you to use your own Amazon VPC security groups and link:vpc/latest/userguide/vpc-network-acls[network access control lists,type="documentation"] (ACLs) with Amazon EKS clusters. Amazon EKS provides the https://github.com/aws/amazon-vpc-cni-k8s[Amazon VPC container network interface] (CNI), allowing Kubernetes pods to receive IP addresses directly from the VPC. Amazon EKS supports IPv4 and IPv6 for workloads and dual-stack endpoints for the Amazon EKS APIs and Kubernetes API. You can use Application Load Balancers (ALB) and Network Load Balancers (NLB) managed by the {aws} Load Balancer Controller for application ingress and load balancing. You can also use Amazon VPC Lattice, a managed application networking service built directly into the {aws} networking infrastructure, for cross-cluster connectivity with standard Kubernetes semantics in a simple and consistent manner. See <> for more information. +*Storage*:: +EKS Auto Mode automatically creates storage classes using <>. +Using Container Storage Interface (CSI) drivers, you can also use Amazon S3, Amazon EFS, Amazon FSX, and Amazon File Cache for your application storage needs. For more inforamtion, see <>. -*Security* +*Security*:: +The shared responsibility model is employed as it relates to <>. +For more information, see <>, <>, +and <>. -Amazon EKS integrates with {aws} Identity and Access Management (IAM) for you to secure your clusters and applications. Amazon EKS makes it easy to map {aws} IAM permissions to Kubernetes Role Based Access Control (RBAC). You can use {aws} IAM for cluster authentication and authorization with Amazon EKS Cluster Access Management, for access and permissions of operational software running on your clusters, and for granular application access to other {aws} services with Amazon EKS Pod Identity. Amazon EKS is certified by multiple compliance programs for regulated and sensitive applications. Amazon EKS is compliant with link:compliance/soc-faqs/[SOC,type="marketing"], link:compliance/pci-dss-level-1-faqs/[PCI,type="marketing"], link:compliance/iso-certified/[ISO,type="marketing"], link:compliance/fedramp/[FedRAMP-Moderate,type="marketing"], link:compliance/irap/[IRAP,type="marketing"], link:compliance/bsi-c5/[C5,type="marketing"], link:compliance/k-isms/[K-ISMS,type="marketing"], link:compliance/esquema-nacional-de-seguridad/[ENS High,type="marketing"], link:compliance/OSPAR/[OSPAR,type="marketing"], link:compliance/hitrust/[HITRUST CSF,type="marketing"], and is a link:compliance/hipaa-compliance/[HIPAA,type="marketing"] eligible service. See <> for more information. +*Monitoring tools*:: +Use the <> to monitor Amazon EKS clusters. +Monitoring tools include <>, <>, <>, +and <>. +For more information on dashboards, metrics servers, and other tools, see <> and <>. -*Observability* +*Kubernetes compatibility and support*:: -Amazon EKS integrates with {aws} Managed Service for Prometheus (AMP), Amazon CloudWatch, Amazon CloudTrail, and Amazon GuardDuty for monitoring, logging, and auditing capabilities. You can also view performance insights for your Amazon EKS clusters directly in the Amazon EKS console. You can use AMP agent-less scrapers or the {aws} Distro for OpenTelemetry add-on to monitor and collect logs for your clusters, infrastructure, and applications. You can use Amazon CloudWatch Container Insights, the CloudWatch Observability Agent add-on, and Amazon EKS control plane logging to monitor, collect logs, and analyze issues with your clusters, infrastructure, and applications. Amazon EKS also integrates with Amazon CloudTrail for auditing cluster API activity, and Amazon GuardDuty for audit log threat analysis and runtime threat detection. See <> for more information. +Amazon EKS is certified Kubernetes-conformant, so you can deploy Kubernetes-compatible applications without refactoring and use Kubernetes community tooling and plugins. +EKS offers both <> and <> for Kubernetes. +For more information, see <>. -*Storage* +[#eks-related-services] +== Related services +**Services to use with Amazon EKS** +You can use other {aws} services with the clusters that you deploy using Amazon EKS: -You can use a range of {aws} storage services with Amazon EKS for the storage needs of your applications. Through an {aws}-supported breadth of Container Storage Interface (CSI) drivers, you can easily use Amazon EBS, Amazon S3, Amazon EFS, Amazon FSX, and Amazon File Cache for the storage needs of your applications running on Amazon EKS. See <> for more information. +*{aws} CloudFormation*:: +Model and set up {aws} resources using <>. -*Add-ons* +*Amazon Detective*:: +Analyze security events on EKS with <>. -Amazon EKS offers a curated set of {aws}-vended Kubernetes software, also known as Amazon EKS add-ons, that provide key operational capabilities for Kubernetes clusters and integration with various {aws} services for cluster and pod networking, load balancing, storage, observability, and security. Amazon EKS provides a unified management experience for finding, selecting, installing, managing, and configuring third-party Kubernetes operational software (add-ons) from independent software vendors on Amazon EKS clusters. See <> for more information. +*Amazon GuardDuty*:: +Detect threats to EKS clusters with <>. -*Management interfaces* +*{aws} Resilience Hub*:: +Assess EKS cluster resiliency with <>. -Amazon EKS supports a range of interfaces to provision, manage, and maintain clusters including the Amazon EKS console, Amazon EKS API/SDKs, CDK, {aws} CLI, eksctl CLI, {aws} CloudFormation, and Terraform. You can also use {aws} Controllers for Kubernetes (ACK) to provision and manage {aws} services from within your Kubernetes environment using Kubernetes interfaces. ACK makes it simple to build scalable and highly available Kubernetes applications utilizing {aws} services. See <> for more information. +*Amazon Security Lake*:: +Centralize and analyze EKS security data with <> -*Operating systems* +*Amazon VPC Lattice*:: +Enable cross-cluster connectivity with <>. -Amazon EKS supports a range of operating systems and you can use pre-built, Amazon EKS-optimized Amazon Machine Images (AMIs) for the base images of your compute nodes. Amazon EKS maintains optimized images for Amazon Linux 2, Amazon Linux 2023, Bottlerocket, Windows, and there are Ubuntu images maintained by Canonical. You can also use your own custom AMIs for other operating system variants. The Amazon EKS AMIs for Amazon Linux have built-in support for NVIDIA and {aws} Neuron accelerated instance types. See <> for more information. +*{aws} Local Zones*:: +Launch low-latency EKS clusters with <>. [#eks-pricing] == Amazon EKS Pricing -Amazon EKS has per cluster pricing based on Kubernetes cluster version support, pricing for Amazon EKS Auto Mode, and per vCPU pricing for Amazon EKS Hybrid Nodes. When using Amazon EKS, you pay separately for the {aws} resources you use to run your applications on Kubernetes worker nodes. For example, if you are running Kubernetes worker nodes as Amazon EC2 instances with Amazon EBS volumes and public IPv4 addresses, you are charged for the instance capacity through Amazon EC2, the volume capacity through Amazon EBS, and the IPv4 address through Amazon VPC. Visit the respective pricing pages of the {aws} services you are using with your Kubernetes applications for detailed pricing information. +Amazon EKS has per cluster pricing based on Kubernetes cluster version support, pricing for Amazon EKS Auto Mode, and per vCPU pricing for Amazon EKS Hybrid Nodes. + +When using Amazon EKS, you pay separately for the {aws} resources you use to run your applications on Kubernetes worker nodes. For example, if you are running Kubernetes worker nodes as Amazon EC2 instances with Amazon EBS volumes and public IPv4 addresses, you are charged for the instance capacity through Amazon EC2, the volume capacity through Amazon EBS, and the IPv4 address through Amazon VPC. + +Visit the respective pricing pages of the {aws} services you are using with your Kubernetes applications for detailed pricing information. * For Amazon EKS cluster, Amazon EKS Auto Mode, and Amazon EKS Hybrid Nodes pricing, see link:eks/pricing/[Amazon EKS Pricing,type="marketing"]. * For Amazon EC2 pricing, see link:ec2/pricing/on-demand/[Amazon EC2 On-Demand Pricing,type="marketing"] and link:ec2/spot/pricing/[Amazon EC2 Spot Pricing,type="marketing"]. @@ -94,4 +122,4 @@ include::kubernetes-concepts.adoc[leveloffset=+1] include::eks-deployment-options.adoc[leveloffset=+1] -📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23what-is-eks%5D&type=code[Edit this page on GitHub] \ No newline at end of file +📝 https://github.com/search?q=repo%3Aawsdocs%2Famazon-eks-user-guide+%5B%23what-is-eks%5D&type=code[Edit this page on GitHub] From 65e204b1528f98ad840cea1d110c1dc9b09c5862 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Mon, 10 Mar 2025 20:01:58 +0000 Subject: [PATCH 240/940] Removed metadata keywords, which no longer influence SEO: 45742 --- latest/ug/automode/create-auto.adoc | 1 - latest/ug/book.adoc | 1 - latest/ug/clusters/cluster-insights.adoc | 1 - latest/ug/clusters/kubernetes-versions.adoc | 1 - latest/ug/clusters/management/cost-monitoring.adoc | 1 - latest/ug/clusters/management/eks-using-tags.adoc | 1 - latest/ug/doc-history.adoc | 1 - latest/ug/getting-started/getting-started-automode.adoc | 1 - latest/ug/getting-started/getting-started-console.adoc | 1 - latest/ug/getting-started/getting-started-eksctl.adoc | 1 - latest/ug/getting-started/getting-started.adoc | 1 - latest/ug/getting-started/install-awscli.adoc | 1 - latest/ug/getting-started/install-kubectl.adoc | 1 - latest/ug/getting-started/learn-eks.adoc | 1 - latest/ug/getting-started/setting-up.adoc | 1 - latest/ug/integrations/integration-detective.adoc | 1 - latest/ug/integrations/integration-securitylake.adoc | 1 - latest/ug/ml/machine-learning-on-eks.adoc | 1 - latest/ug/nodes/choosing-instance-type.adoc | 1 - latest/ug/nodes/eks-compute.adoc | 1 - latest/ug/nodes/eks-optimized-amis.adoc | 1 - latest/ug/nodes/fargate.adoc | 1 - latest/ug/nodes/hybrid-nodes-add-ons.adoc | 1 - latest/ug/nodes/hybrid-nodes-cluster-create.adoc | 1 - latest/ug/nodes/hybrid-nodes-cni.adoc | 1 - latest/ug/nodes/hybrid-nodes-join.adoc | 1 - latest/ug/nodes/hybrid-nodes-networking.adoc | 1 - latest/ug/nodes/hybrid-nodes-nodeadm.adoc | 1 - latest/ug/nodes/hybrid-nodes-os.adoc | 1 - latest/ug/nodes/hybrid-nodes-overview.adoc | 1 - latest/ug/nodes/hybrid-nodes-prereqs.adoc | 1 - latest/ug/nodes/hybrid-nodes-proxy.adoc | 1 - latest/ug/nodes/hybrid-nodes-remove.adoc | 1 - latest/ug/nodes/hybrid-nodes-security.adoc | 1 - latest/ug/nodes/hybrid-nodes-troubleshooting.adoc | 1 - latest/ug/nodes/hybrid-nodes-tutorial.adoc | 1 - latest/ug/nodes/hybrid-nodes-upgrade.adoc | 1 - latest/ug/nodes/managed-node-groups.adoc | 1 - latest/ug/nodes/worker.adoc | 1 - latest/ug/observability/cloudwatch.adoc | 1 - latest/ug/observability/control-plane-logs.adoc | 1 - latest/ug/observability/eks-observe.adoc | 1 - latest/ug/observability/logging-using-cloudtrail.adoc | 1 - latest/ug/observability/observability-dashboard.adoc | 1 - latest/ug/observability/opentelemetry.adoc | 1 - latest/ug/observability/prometheus.adoc | 1 - latest/ug/outposts/eks-outposts-self-managed-nodes.adoc | 1 - latest/ug/outposts/eks-outposts.adoc | 1 - latest/ug/quickstart.adoc | 1 - latest/ug/storage/csi-snapshot-controller.adoc | 1 - latest/ug/storage/ebs-csi.adoc | 1 - latest/ug/storage/efs-csi.adoc | 1 - latest/ug/storage/file-cache-csi.adoc | 1 - latest/ug/storage/fsx-csi.adoc | 1 - latest/ug/storage/fsx-ontap.adoc | 1 - latest/ug/storage/fsx-openzfs-csi.adoc | 1 - latest/ug/storage/s3-csi.adoc | 1 - latest/ug/storage/storage.adoc | 1 - latest/ug/troubleshooting/troubleshooting.adoc | 1 - latest/ug/what-is/common-use-cases.adoc | 1 - latest/ug/what-is/eks-architecture.adoc | 1 - latest/ug/what-is/eks-deployment-options.adoc | 1 - latest/ug/what-is/kubernetes-concepts.adoc | 1 - latest/ug/what-is/what-is-eks.adoc | 1 - latest/ug/workloads/eks-add-ons.adoc | 1 - 65 files changed, 65 deletions(-) diff --git a/latest/ug/automode/create-auto.adoc b/latest/ug/automode/create-auto.adoc index 24231c51e..68be2d55b 100644 --- a/latest/ug/automode/create-auto.adoc +++ b/latest/ug/automode/create-auto.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#create-auto] = Create a cluster with Amazon EKS Auto Mode :info_titleabbrev: Create cluster -:keywords: getting, started, tutorials, quick, start [abstract] -- diff --git a/latest/ug/book.adoc b/latest/ug/book.adoc index a1725e0e0..097675dcc 100644 --- a/latest/ug/book.adoc +++ b/latest/ug/book.adoc @@ -17,7 +17,6 @@ or in any manner that disparages or discredits Amazon. All other \ trademarks not owned by Amazon are the property of their respective \ owners, who may or may not be affiliated with, connected to, or \ sponsored by Amazon. -:keywords: EKS, Amazon EKS, Kubernetes, K8s, Cluster, Pod include::attributes.txt[] diff --git a/latest/ug/clusters/cluster-insights.adoc b/latest/ug/clusters/cluster-insights.adoc index 99e8127b2..3ac9cbc7e 100644 --- a/latest/ug/clusters/cluster-insights.adoc +++ b/latest/ug/clusters/cluster-insights.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#cluster-insights] = Prepare for Kubernetes version upgrades with cluster insights :info_titleabbrev: Cluster insights -:keywords: cluster, upgrade, insights [abstract] -- diff --git a/latest/ug/clusters/kubernetes-versions.adoc b/latest/ug/clusters/kubernetes-versions.adoc index 17da36a4c..20447c0b9 100644 --- a/latest/ug/clusters/kubernetes-versions.adoc +++ b/latest/ug/clusters/kubernetes-versions.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#kubernetes-versions] = Understand the Kubernetes version lifecycle on EKS :info_titleabbrev: Kubernetes versions -:keywords: Amazon EKS, available, Kubernetes, version, release notes [abstract] diff --git a/latest/ug/clusters/management/cost-monitoring.adoc b/latest/ug/clusters/management/cost-monitoring.adoc index 7d674e381..1eba7bd2f 100644 --- a/latest/ug/clusters/management/cost-monitoring.adoc +++ b/latest/ug/clusters/management/cost-monitoring.adoc @@ -4,7 +4,6 @@ include::../../attributes.txt[] [#cost-monitoring] = Monitor and optimize Amazon EKS cluster costs :info_titleabbrev: Cost monitoring -:keywords: cost, monitoring, watch [abstract] -- diff --git a/latest/ug/clusters/management/eks-using-tags.adoc b/latest/ug/clusters/management/eks-using-tags.adoc index 3e09491e0..b6a32b659 100644 --- a/latest/ug/clusters/management/eks-using-tags.adoc +++ b/latest/ug/clusters/management/eks-using-tags.adoc @@ -4,7 +4,6 @@ include::../../attributes.txt[] [#eks-using-tags] = Organize Amazon EKS resources with tags :info_titleabbrev: Tagging your resources -:keywords: metadata, tag, resources [abstract] -- diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index d760bab73..0376d1c4f 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -2,7 +2,6 @@ [#doc-history] // H1 title is necessary, and must occur before the [abstract], but is unused in the web page (:info_title: is used instead, and :info_titleabbrev: is used in the ToC) = Document history -:keywords: document, publish, release, history, log include::attributes.txt[] diff --git a/latest/ug/getting-started/getting-started-automode.adoc b/latest/ug/getting-started/getting-started-automode.adoc index 828b7829f..711b94dec 100644 --- a/latest/ug/getting-started/getting-started-automode.adoc +++ b/latest/ug/getting-started/getting-started-automode.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#getting-started-automode] = Get started with Amazon EKS – EKS Auto Mode :info_titleabbrev: Create cluster (EKS Auto Mode) -:keywords: using, Auto, getting, started, tutorial Like other EKS getting started experiences, creating your first cluster with EKS Auto Mode delegates the management of the cluster itself to {aws}. However, EKS Auto Mode extends EKS automation by handing responsibility of many essential services needed to set up workload infrastructure (nodes, networks, and various services), making it easier to manage nodes and scale up to meet workload demands. diff --git a/latest/ug/getting-started/getting-started-console.adoc b/latest/ug/getting-started/getting-started-console.adoc index 860e6d005..54dded075 100644 --- a/latest/ug/getting-started/getting-started-console.adoc +++ b/latest/ug/getting-started/getting-started-console.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#getting-started-console] = Get started with Amazon EKS – {aws-management-console} and {aws} CLI :info_titleabbrev: Create cluster (Console and CLI) -:keywords: using, {aws-management-console}, {aws} CLI, getting, started, tutorial [abstract] -- diff --git a/latest/ug/getting-started/getting-started-eksctl.adoc b/latest/ug/getting-started/getting-started-eksctl.adoc index dd89066c2..3402a4e5d 100644 --- a/latest/ug/getting-started/getting-started-eksctl.adoc +++ b/latest/ug/getting-started/getting-started-eksctl.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#getting-started-eksctl] = Get started with Amazon EKS – `eksctl` :info_titleabbrev: Create cluster (eksctl) -:keywords: using, eksctl, getting, started, tutorial [abstract] -- diff --git a/latest/ug/getting-started/getting-started.adoc b/latest/ug/getting-started/getting-started.adoc index 35a0d2d7b..c9421da33 100644 --- a/latest/ug/getting-started/getting-started.adoc +++ b/latest/ug/getting-started/getting-started.adoc @@ -3,7 +3,6 @@ include::../attributes.txt[] [#getting-started] = Get started with Amazon EKS :info_titleabbrev: Get started -:keywords: getting, started, tutorials, quick, start [abstract] -- diff --git a/latest/ug/getting-started/install-awscli.adoc b/latest/ug/getting-started/install-awscli.adoc index 4b4e667d1..f367b1d10 100644 --- a/latest/ug/getting-started/install-awscli.adoc +++ b/latest/ug/getting-started/install-awscli.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#install-awscli] = Set up {aws} CLI :info_titleabbrev: Set up {aws} CLI -:keywords: setting up, setup [abstract] -- diff --git a/latest/ug/getting-started/install-kubectl.adoc b/latest/ug/getting-started/install-kubectl.adoc index 52b62ab62..b337b0535 100644 --- a/latest/ug/getting-started/install-kubectl.adoc +++ b/latest/ug/getting-started/install-kubectl.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#install-kubectl] = Set up `kubectl` and `eksctl` :info_titleabbrev: Set up kubectl and eksctl -:keywords: install, update, kubectl [abstract] -- diff --git a/latest/ug/getting-started/learn-eks.adoc b/latest/ug/getting-started/learn-eks.adoc index 89ee1bdfe..f815ebdee 100644 --- a/latest/ug/getting-started/learn-eks.adoc +++ b/latest/ug/getting-started/learn-eks.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#learn-eks] = Learn Amazon EKS by example :info_titleabbrev: Learn Amazon EKS -:keywords: tutorial, workshop, developer, learn [abstract] -- diff --git a/latest/ug/getting-started/setting-up.adoc b/latest/ug/getting-started/setting-up.adoc index ae2698d98..43dafae11 100644 --- a/latest/ug/getting-started/setting-up.adoc +++ b/latest/ug/getting-started/setting-up.adoc @@ -3,7 +3,6 @@ include::../attributes.txt[] [#setting-up] = Set up to use Amazon EKS :info_titleabbrev: Set up -:keywords: setting up, setup [abstract] -- diff --git a/latest/ug/integrations/integration-detective.adoc b/latest/ug/integrations/integration-detective.adoc index da02dc042..27a37ed5b 100644 --- a/latest/ug/integrations/integration-detective.adoc +++ b/latest/ug/integrations/integration-detective.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#integration-detective] = Analyze security events on EKS with Amazon Detective :info_titleabbrev: Amazon Detective -:keywords: Amazon Detective [abstract] -- diff --git a/latest/ug/integrations/integration-securitylake.adoc b/latest/ug/integrations/integration-securitylake.adoc index 39310177d..c4b1bd0db 100644 --- a/latest/ug/integrations/integration-securitylake.adoc +++ b/latest/ug/integrations/integration-securitylake.adoc @@ -5,7 +5,6 @@ include::../attributes.txt[] = Centralize and analyze EKS security data with Security Lake :info_titleabbrev: Amazon Security Lake -:keywords: Amazon EKS, Amazon Security Lake, Kubernetes security, centralized security data, threat detection [abstract] -- diff --git a/latest/ug/ml/machine-learning-on-eks.adoc b/latest/ug/ml/machine-learning-on-eks.adoc index 1113bf17e..f470b01f8 100644 --- a/latest/ug/ml/machine-learning-on-eks.adoc +++ b/latest/ug/ml/machine-learning-on-eks.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#machine-learning-on-eks] = Overview of Machine Learning on Amazon EKS :info_titleabbrev: Machine Learning on EKS -:keywords: Machine Learning, Amazon EKS, Artificial Intelligence [abstract] -- diff --git a/latest/ug/nodes/choosing-instance-type.adoc b/latest/ug/nodes/choosing-instance-type.adoc index e1480abba..46c59581b 100644 --- a/latest/ug/nodes/choosing-instance-type.adoc +++ b/latest/ug/nodes/choosing-instance-type.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#choosing-instance-type] = Choose an optimal Amazon EC2 node instance type :info_titleabbrev: Amazon EC2 instance types -:keywords: choose, select, instance, type, family, group, max-pods, max pods, maximum pods [abstract] -- diff --git a/latest/ug/nodes/eks-compute.adoc b/latest/ug/nodes/eks-compute.adoc index 278d50141..31e135cd4 100644 --- a/latest/ug/nodes/eks-compute.adoc +++ b/latest/ug/nodes/eks-compute.adoc @@ -3,7 +3,6 @@ include::../attributes.txt[] [#eks-compute] = Manage compute resources by using nodes :info_titleabbrev: Manage compute -:keywords: nodes, node groups [abstract] -- diff --git a/latest/ug/nodes/eks-optimized-amis.adoc b/latest/ug/nodes/eks-optimized-amis.adoc index 032bf5709..98f52abb3 100644 --- a/latest/ug/nodes/eks-optimized-amis.adoc +++ b/latest/ug/nodes/eks-optimized-amis.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#eks-optimized-amis] = Create nodes with pre-built optimized images :info_titleabbrev: Pre-built optimized AMIs -:keywords: optimized, custom, AMI [abstract] -- diff --git a/latest/ug/nodes/fargate.adoc b/latest/ug/nodes/fargate.adoc index 3c146c2df..d540a888a 100644 --- a/latest/ug/nodes/fargate.adoc +++ b/latest/ug/nodes/fargate.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#fargate] = Simplify compute management with {aws} Fargate :info_titleabbrev: {aws} Fargate -:keywords: Fargate, nodes [abstract] -- diff --git a/latest/ug/nodes/hybrid-nodes-add-ons.adoc b/latest/ug/nodes/hybrid-nodes-add-ons.adoc index 5378643f5..2cf09165a 100644 --- a/latest/ug/nodes/hybrid-nodes-add-ons.adoc +++ b/latest/ug/nodes/hybrid-nodes-add-ons.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#hybrid-nodes-add-ons] = Configure add-ons for hybrid nodes :info_titleabbrev: Configure add-ons -:keywords: add-ons for on-premises nodes, add-ons for hybrid nodes [abstract] -- diff --git a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc index 305aa1318..50c0ea04e 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#hybrid-nodes-cluster-create] = Create an Amazon EKS cluster with hybrid nodes :info_titleabbrev: Create cluster -:keywords: on-premises, hybrid [abstract] -- diff --git a/latest/ug/nodes/hybrid-nodes-cni.adoc b/latest/ug/nodes/hybrid-nodes-cni.adoc index 4adc81ea4..48529d1e7 100644 --- a/latest/ug/nodes/hybrid-nodes-cni.adoc +++ b/latest/ug/nodes/hybrid-nodes-cni.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#hybrid-nodes-cni] = Configure a CNI for hybrid nodes :info_titleabbrev: Configure CNI -:keywords: on-premises CNI, hybrid CNI [abstract] -- diff --git a/latest/ug/nodes/hybrid-nodes-join.adoc b/latest/ug/nodes/hybrid-nodes-join.adoc index 7bd229c0b..06452bcc3 100644 --- a/latest/ug/nodes/hybrid-nodes-join.adoc +++ b/latest/ug/nodes/hybrid-nodes-join.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#hybrid-nodes-join] = Connect hybrid nodes :info_titleabbrev: Connect hybrid nodes -:keywords: on-premises, hybrid [abstract] -- diff --git a/latest/ug/nodes/hybrid-nodes-networking.adoc b/latest/ug/nodes/hybrid-nodes-networking.adoc index a04ece3ee..4d8d195ca 100644 --- a/latest/ug/nodes/hybrid-nodes-networking.adoc +++ b/latest/ug/nodes/hybrid-nodes-networking.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#hybrid-nodes-networking] = Prepare networking for hybrid nodes :info_titleabbrev: Prepare networking -:keywords: on-premises, hybrid [abstract] -- diff --git a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc index 2cff230b1..8d65f279e 100644 --- a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc +++ b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#hybrid-nodes-nodeadm] = Hybrid nodes `nodeadm` reference :info_titleabbrev: Hybrid nodes nodeadm -:keywords: on-premises, hybrid [abstract] -- diff --git a/latest/ug/nodes/hybrid-nodes-os.adoc b/latest/ug/nodes/hybrid-nodes-os.adoc index af8e76818..76294d0d2 100644 --- a/latest/ug/nodes/hybrid-nodes-os.adoc +++ b/latest/ug/nodes/hybrid-nodes-os.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#hybrid-nodes-os] = Prepare operating system for hybrid nodes :info_titleabbrev: Prepare operating system -:keywords: on-premises, hybrid [abstract] -- diff --git a/latest/ug/nodes/hybrid-nodes-overview.adoc b/latest/ug/nodes/hybrid-nodes-overview.adoc index cb01ea011..ec9d26476 100644 --- a/latest/ug/nodes/hybrid-nodes-overview.adoc +++ b/latest/ug/nodes/hybrid-nodes-overview.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#hybrid-nodes-overview] = Amazon EKS Hybrid Nodes overview :info_titleabbrev: Hybrid nodes -:keywords: on-premises, hybrid [abstract] -- diff --git a/latest/ug/nodes/hybrid-nodes-prereqs.adoc b/latest/ug/nodes/hybrid-nodes-prereqs.adoc index 73c2e26e2..da17207d9 100644 --- a/latest/ug/nodes/hybrid-nodes-prereqs.adoc +++ b/latest/ug/nodes/hybrid-nodes-prereqs.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#hybrid-nodes-prereqs] = Prerequisite setup for hybrid nodes :info_titleabbrev: Prerequisites -:keywords: on-premises prerequisites, hybrid prerequisites [abstract] -- diff --git a/latest/ug/nodes/hybrid-nodes-proxy.adoc b/latest/ug/nodes/hybrid-nodes-proxy.adoc index 2f9ab98a0..66f262fe9 100644 --- a/latest/ug/nodes/hybrid-nodes-proxy.adoc +++ b/latest/ug/nodes/hybrid-nodes-proxy.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#hybrid-nodes-proxy] = Configure proxy for hybrid nodes :info_titleabbrev: Configure proxy -:keywords: on-premises proxy, hybrid proxy [abstract] -- diff --git a/latest/ug/nodes/hybrid-nodes-remove.adoc b/latest/ug/nodes/hybrid-nodes-remove.adoc index 02d199415..b7290caf1 100644 --- a/latest/ug/nodes/hybrid-nodes-remove.adoc +++ b/latest/ug/nodes/hybrid-nodes-remove.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#hybrid-nodes-remove] = Remove hybrid nodes :info_titleabbrev: Delete hybrid nodes -:keywords: Delete hybrid nodes from your EKS cluster [abstract] -- diff --git a/latest/ug/nodes/hybrid-nodes-security.adoc b/latest/ug/nodes/hybrid-nodes-security.adoc index 509a7e9fc..5d48cec51 100644 --- a/latest/ug/nodes/hybrid-nodes-security.adoc +++ b/latest/ug/nodes/hybrid-nodes-security.adoc @@ -2,7 +2,6 @@ [#hybrid-nodes-security] = Patch security updates for hybrid nodes :info_titleabbrev: Patch hybrid nodes -:keywords: security updates for on-premises nodes, security updates for hybrid nodes include::../attributes.txt[] diff --git a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc index 9d7b701c7..eadcda992 100644 --- a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc +++ b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#hybrid-nodes-troubleshooting] = Troubleshooting hybrid nodes :info_titleabbrev: Troubleshooting -:keywords: on-premises, hybrid [abstract] -- diff --git a/latest/ug/nodes/hybrid-nodes-tutorial.adoc b/latest/ug/nodes/hybrid-nodes-tutorial.adoc index dcf3af7f0..10bb20675 100644 --- a/latest/ug/nodes/hybrid-nodes-tutorial.adoc +++ b/latest/ug/nodes/hybrid-nodes-tutorial.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#hybrid-nodes-tutorial] = Run on-premises workloads on hybrid nodes :info_titleabbrev: Run hybrid nodes -:keywords: on-premises, hybrid [abstract] -- diff --git a/latest/ug/nodes/hybrid-nodes-upgrade.adoc b/latest/ug/nodes/hybrid-nodes-upgrade.adoc index b68c0a992..acf5ef23f 100644 --- a/latest/ug/nodes/hybrid-nodes-upgrade.adoc +++ b/latest/ug/nodes/hybrid-nodes-upgrade.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#hybrid-nodes-upgrade] = Upgrade hybrid nodes for your cluster :info_titleabbrev: Upgrade hybrid nodes -:keywords: upgrade on-premises nodes, upgrade hybrid nodes [abstract] -- diff --git a/latest/ug/nodes/managed-node-groups.adoc b/latest/ug/nodes/managed-node-groups.adoc index 0b4d75e4b..d7f9fecc3 100644 --- a/latest/ug/nodes/managed-node-groups.adoc +++ b/latest/ug/nodes/managed-node-groups.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#managed-node-groups] = Simplify node lifecycle with managed node groups :info_titleabbrev: Managed node groups -:keywords: managed node group, MNG include::create-managed-node-group.adoc[leveloffset=+1] diff --git a/latest/ug/nodes/worker.adoc b/latest/ug/nodes/worker.adoc index 7dca2eedb..0350970c1 100644 --- a/latest/ug/nodes/worker.adoc +++ b/latest/ug/nodes/worker.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#worker] = Maintain nodes yourself with self-managed nodes :info_titleabbrev: Self-managed nodes -:keywords: self-managed, node [abstract] -- diff --git a/latest/ug/observability/cloudwatch.adoc b/latest/ug/observability/cloudwatch.adoc index f5125ad52..a44b036d1 100644 --- a/latest/ug/observability/cloudwatch.adoc +++ b/latest/ug/observability/cloudwatch.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#cloudwatch] = Monitor cluster data with Amazon CloudWatch :info_titleabbrev: Amazon CloudWatch -:keywords: CloudWatch, observability, operator, add-on [abstract] -- diff --git a/latest/ug/observability/control-plane-logs.adoc b/latest/ug/observability/control-plane-logs.adoc index ddf9c54d7..e9b925eaa 100644 --- a/latest/ug/observability/control-plane-logs.adoc +++ b/latest/ug/observability/control-plane-logs.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#control-plane-logs] = Send control plane logs to CloudWatch Logs :info_titleabbrev: Control plane logs -:keywords: control plane, logging, API, logs [abstract] -- diff --git a/latest/ug/observability/eks-observe.adoc b/latest/ug/observability/eks-observe.adoc index 67f6506d9..c1cdf88ff 100644 --- a/latest/ug/observability/eks-observe.adoc +++ b/latest/ug/observability/eks-observe.adoc @@ -3,7 +3,6 @@ include::../attributes.txt[] [#eks-observe] = Monitor your cluster performance and view logs :info_titleabbrev: Monitor clusters -:keywords: observability, monitoring, logging, logs, data [abstract] -- diff --git a/latest/ug/observability/logging-using-cloudtrail.adoc b/latest/ug/observability/logging-using-cloudtrail.adoc index b4b45b6db..58aaca584 100644 --- a/latest/ug/observability/logging-using-cloudtrail.adoc +++ b/latest/ug/observability/logging-using-cloudtrail.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#logging-using-cloudtrail] = Log API calls as {aws} CloudTrail events :info_titleabbrev: {aws} CloudTrail -:keywords: logging, API calls, {aws} CloudTrail [abstract] -- diff --git a/latest/ug/observability/observability-dashboard.adoc b/latest/ug/observability/observability-dashboard.adoc index 5429a4270..27f1df971 100644 --- a/latest/ug/observability/observability-dashboard.adoc +++ b/latest/ug/observability/observability-dashboard.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#observability-dashboard] = Monitor your cluster with the observability dashboard :info_titleabbrev: Observability dashboard -:keywords: observability, dashboard [abstract] -- diff --git a/latest/ug/observability/opentelemetry.adoc b/latest/ug/observability/opentelemetry.adoc index bc9c3db9f..cd376440a 100644 --- a/latest/ug/observability/opentelemetry.adoc +++ b/latest/ug/observability/opentelemetry.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#opentelemetry] = Send metric and trace data with ADOT Operator :info_titleabbrev: ADOT Operator -:keywords: ADOT [abstract] -- diff --git a/latest/ug/observability/prometheus.adoc b/latest/ug/observability/prometheus.adoc index 0d71045cc..667197546 100644 --- a/latest/ug/observability/prometheus.adoc +++ b/latest/ug/observability/prometheus.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#prometheus] = Monitor your cluster metrics with Prometheus :info_titleabbrev: Prometheus metrics -:keywords: Prometheus, metrics, control plane [abstract] -- diff --git a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc index 16b9b265f..55b36898a 100644 --- a/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc +++ b/latest/ug/outposts/eks-outposts-self-managed-nodes.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#eks-outposts-self-managed-nodes] = Create Amazon Linux nodes on {aws} Outposts :info_titleabbrev: Nodes -:keywords: launch, start, self-managed, Linux, node [abstract] -- diff --git a/latest/ug/outposts/eks-outposts.adoc b/latest/ug/outposts/eks-outposts.adoc index 10dbd53c3..2d52b449d 100644 --- a/latest/ug/outposts/eks-outposts.adoc +++ b/latest/ug/outposts/eks-outposts.adoc @@ -3,7 +3,6 @@ include::../attributes.txt[] [#eks-outposts] = Deploy Amazon EKS on-premises with {aws} Outposts :info_titleabbrev: Amazon EKS on {aws} Outposts -:keywords: Amazon EKS, {aws} Outposts, extended clusters, local clusters [abstract] -- diff --git a/latest/ug/quickstart.adoc b/latest/ug/quickstart.adoc index 640612e6d..fa00d8179 100644 --- a/latest/ug/quickstart.adoc +++ b/latest/ug/quickstart.adoc @@ -4,7 +4,6 @@ include::attributes.txt[] [#quickstart] = Quickstart: Deploy a web app and store data :info_titleabbrev: Quickstart -:keywords: quickstart, web, cluster [abstract] -- diff --git a/latest/ug/storage/csi-snapshot-controller.adoc b/latest/ug/storage/csi-snapshot-controller.adoc index be4349e34..8d5a6c1df 100644 --- a/latest/ug/storage/csi-snapshot-controller.adoc +++ b/latest/ug/storage/csi-snapshot-controller.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#csi-snapshot-controller] = Enable snapshot functionality for CSI volumes :info_titleabbrev: CSI snapshot controller -:keywords: CSI, snapshot, controller [abstract] -- diff --git a/latest/ug/storage/ebs-csi.adoc b/latest/ug/storage/ebs-csi.adoc index 6a01a5f84..67acc0d78 100644 --- a/latest/ug/storage/ebs-csi.adoc +++ b/latest/ug/storage/ebs-csi.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#ebs-csi] = Store Kubernetes volumes with Amazon EBS :info_titleabbrev: Amazon EBS -:keywords: Amazon EBS CSI driver, storage [abstract] -- diff --git a/latest/ug/storage/efs-csi.adoc b/latest/ug/storage/efs-csi.adoc index c6cc63ccf..e2c8ac417 100644 --- a/latest/ug/storage/efs-csi.adoc +++ b/latest/ug/storage/efs-csi.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#efs-csi] = Store an elastic file system with Amazon EFS :info_titleabbrev: Amazon EFS -:keywords: Amazon EFS CSI driver, storage [abstract] -- diff --git a/latest/ug/storage/file-cache-csi.adoc b/latest/ug/storage/file-cache-csi.adoc index 6a55703c7..42027699c 100644 --- a/latest/ug/storage/file-cache-csi.adoc +++ b/latest/ug/storage/file-cache-csi.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#file-cache-csi] = Minimize latency with Amazon File Cache :info_titleabbrev: Amazon File Cache -:keywords: Amazon File Cache CSI driver, storage [abstract] -- diff --git a/latest/ug/storage/fsx-csi.adoc b/latest/ug/storage/fsx-csi.adoc index d55f64677..dec0c2eca 100644 --- a/latest/ug/storage/fsx-csi.adoc +++ b/latest/ug/storage/fsx-csi.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#fsx-csi] = Store high-performance apps with FSx for Lustre :info_titleabbrev: Amazon FSx for Lustre -:keywords: Amazon FSx for Lustre CSI driver, storage [abstract] -- diff --git a/latest/ug/storage/fsx-ontap.adoc b/latest/ug/storage/fsx-ontap.adoc index e802d910d..f60735d8c 100644 --- a/latest/ug/storage/fsx-ontap.adoc +++ b/latest/ug/storage/fsx-ontap.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#fsx-ontap] = Store high-performance apps with FSx for NetApp ONTAP :info_titleabbrev: Amazon FSx for NetApp ONTAP -:keywords: Amazon FSx for NetApp ONTAP CSI driver, storage [abstract] -- diff --git a/latest/ug/storage/fsx-openzfs-csi.adoc b/latest/ug/storage/fsx-openzfs-csi.adoc index 44e05516b..b495ca3db 100644 --- a/latest/ug/storage/fsx-openzfs-csi.adoc +++ b/latest/ug/storage/fsx-openzfs-csi.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#fsx-openzfs-csi] = Store data using Amazon FSx for OpenZFS :info_titleabbrev: Amazon FSx for OpenZFS -:keywords: Amazon FSx for OpenZFS CSI driver, storage [abstract] -- diff --git a/latest/ug/storage/s3-csi.adoc b/latest/ug/storage/s3-csi.adoc index f2db32c9a..9175eecc0 100644 --- a/latest/ug/storage/s3-csi.adoc +++ b/latest/ug/storage/s3-csi.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#s3-csi] = Access Amazon S3 objects with Mountpoint for Amazon S3 CSI driver :info_titleabbrev: Mountpoint for Amazon S3 -:keywords: Mountpoint for Amazon S3 CSI driver, storage [abstract] -- diff --git a/latest/ug/storage/storage.adoc b/latest/ug/storage/storage.adoc index cbacf3f18..e17a57a42 100644 --- a/latest/ug/storage/storage.adoc +++ b/latest/ug/storage/storage.adoc @@ -3,7 +3,6 @@ include::../attributes.txt[] [#storage] = Store application data for your cluster :info_titleabbrev: Store app data -:keywords: persistent, data, app, storage [abstract] -- diff --git a/latest/ug/troubleshooting/troubleshooting.adoc b/latest/ug/troubleshooting/troubleshooting.adoc index de762da5e..dcbce4bc0 100644 --- a/latest/ug/troubleshooting/troubleshooting.adoc +++ b/latest/ug/troubleshooting/troubleshooting.adoc @@ -3,7 +3,6 @@ include::../attributes.txt[] [#troubleshooting] = Troubleshoot problems with Amazon EKS clusters and nodes :info_titleabbrev: Troubleshooting -:keywords: troubleshooting, help, FAQ [abstract] -- diff --git a/latest/ug/what-is/common-use-cases.adoc b/latest/ug/what-is/common-use-cases.adoc index c51359bff..62a98729e 100644 --- a/latest/ug/what-is/common-use-cases.adoc +++ b/latest/ug/what-is/common-use-cases.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#common-use-cases] = Common use cases in Amazon EKS :info_titleabbrev: Common use cases -:keywords: Amazon Elastic Kubernetes Service, Amazon EKS, use cases, summary, description [abstract] -- diff --git a/latest/ug/what-is/eks-architecture.adoc b/latest/ug/what-is/eks-architecture.adoc index 8a573f10b..6679097ab 100644 --- a/latest/ug/what-is/eks-architecture.adoc +++ b/latest/ug/what-is/eks-architecture.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#eks-architecture] = Amazon EKS architecture :info_titleabbrev: Architecture -:keywords: Amazon Elastic Kubernetes Service, Amazon EKS, architecture, control plane, nodes, data plane [abstract] -- diff --git a/latest/ug/what-is/eks-deployment-options.adoc b/latest/ug/what-is/eks-deployment-options.adoc index 56c45a4bd..7a2cb8d8c 100644 --- a/latest/ug/what-is/eks-deployment-options.adoc +++ b/latest/ug/what-is/eks-deployment-options.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#eks-deployment-options] = Deploy Amazon EKS clusters across cloud and on-premises environments :info_titleabbrev: Deployment options -:keywords: Amazon Elastic Kubernetes Service, Amazon EKS, deployment, options, comparison [abstract] -- diff --git a/latest/ug/what-is/kubernetes-concepts.adoc b/latest/ug/what-is/kubernetes-concepts.adoc index 8337ad4b1..3bbac2c9f 100644 --- a/latest/ug/what-is/kubernetes-concepts.adoc +++ b/latest/ug/what-is/kubernetes-concepts.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#kubernetes-concepts] = Kubernetes concepts :info_titleabbrev: Kubernetes concepts -:keywords: Amazon Elastic Kubernetes Service, Amazon EKS, architecture, control plane, nodes, data plane [abstract] -- diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index 242b2be3e..dd2c81322 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -3,7 +3,6 @@ include::../attributes.txt[] [.topic] [#what-is-eks] = What is Amazon EKS? -:keywords: Amazon Elastic Kubernetes Service, Amazon EKS, about, summary, description [abstract] -- diff --git a/latest/ug/workloads/eks-add-ons.adoc b/latest/ug/workloads/eks-add-ons.adoc index 79050237c..b7f06e1a1 100644 --- a/latest/ug/workloads/eks-add-ons.adoc +++ b/latest/ug/workloads/eks-add-ons.adoc @@ -4,7 +4,6 @@ include::../attributes.txt[] [#eks-add-ons] = Amazon EKS add-ons :info_titleabbrev: Amazon EKS add-ons -:keywords: managed, add-ons, plugins [abstract] -- From b9f4662b160311f14ef72179df0cc499fc5a791d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9s=20Gonz=C3=A1lez?= Date: Mon, 10 Mar 2025 21:09:52 -0300 Subject: [PATCH 241/940] fix aws eks update-cluster-config example (#908) Remove a redundant line in the example of `aws eks update-cluster-config` command to disable default node pools --- latest/ug/automode/set-builtin-node-pools.adoc | 1 - 1 file changed, 1 deletion(-) diff --git a/latest/ug/automode/set-builtin-node-pools.adoc b/latest/ug/automode/set-builtin-node-pools.adoc index aeef537c9..339096396 100644 --- a/latest/ug/automode/set-builtin-node-pools.adoc +++ b/latest/ug/automode/set-builtin-node-pools.adoc @@ -63,7 +63,6 @@ Use the following command to disable both built-in NodePools: ---- aws eks update-cluster-config \ --name \ - --compute-config '{"nodePools": []}' --compute-config '{ "enabled": true, "nodePools": [] From 0133fe0000fe25583d8fccb452d2f018373f99fa Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Mon, 10 Mar 2025 19:10:08 -0500 Subject: [PATCH 242/940] update community add-ons security note (#911) * Update community-addons.adoc * Update community-addons.adoc --- latest/ug/workloads/community-addons.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/workloads/community-addons.adoc b/latest/ug/workloads/community-addons.adoc index 9758deeb4..d8c6420ea 100644 --- a/latest/ug/workloads/community-addons.adoc +++ b/latest/ug/workloads/community-addons.adoc @@ -10,9 +10,9 @@ For example, you can use the {aws} API, CLI, or Management Console to install co You manage community add-ons just like existing Amazon EKS Add-ons. Community add-ons are different from existing add-ons in that they have a unique scope of support. -NOTE: Using community add-ons is at your discretion. As part of the xref:security[shared responsibility model] between you and {aws}, you are expected to understand what you are installing into your workspace for these third party plugins. You are also responsible for the community add-ons meeting your security needs. +NOTE: Using community add-ons is at your discretion. As part of the xref:security[shared responsibility model] between you and {aws}, you are expected to understand what you are installing into your cluster for these third party plugins. You are also responsible for the community add-ons meeting your cluster security needs. For more information, see <>. -Community add-ons are built by {aws}. {aws} only validates community add-ons for version compatibility. For example, if you install a community add-on on a cluster, {aws} checks if it is compatible with the Kubernetes version of your cluster. +Community add-ons are packaged by {aws}. {aws} only validates community add-ons for version compatibility. For example, if you install a community add-on on a cluster, {aws} checks if it is compatible with the Kubernetes version of your cluster. Importantly, {aws} does not provide full support for community add-ons. {aws} supports only lifecycle operations done using {aws} APIs, such as installing add-ons or deleting add-ons. From 27926c86e6e4fcbe9918718eb38d084e447395c4 Mon Sep 17 00:00:00 2001 From: Arshad Zackeriya Date: Tue, 11 Mar 2025 13:14:16 +1300 Subject: [PATCH 243/940] remove namespace from IngressClass yaml (#892) IngressClass is a cluster scope resource. --- latest/ug/automode/auto-elb-example.adoc | 1 - 1 file changed, 1 deletion(-) diff --git a/latest/ug/automode/auto-elb-example.adoc b/latest/ug/automode/auto-elb-example.adoc index 82794f0af..9f9dc12fa 100644 --- a/latest/ug/automode/auto-elb-example.adoc +++ b/latest/ug/automode/auto-elb-example.adoc @@ -131,7 +131,6 @@ First, create the `IngressClass`. Create a file named `04-ingressclass.yaml`: apiVersion: networking.k8s.io/v1 kind: IngressClass metadata: - namespace: game-2048 labels: app.kubernetes.io/name: LoadBalancerController name: alb From 7de4b0733acd3cd53dde5c50cc918a6d7d7d4784 Mon Sep 17 00:00:00 2001 From: Lakshya Rawat <25130562+entropyReverser@users.noreply.github.com> Date: Tue, 11 Mar 2025 05:44:40 +0530 Subject: [PATCH 244/940] Update addon-id-troubleshoot.adoc for EKS Pod Identity (#894) Adds additional debug step for EKS pod identity implementation. Hey found this out after spending time debugging with 3 different AWS Support engineers. Everything was setup using the AWS Docs from here https://docs.aws.amazon.com/eks/latest/userguide/pod-id-agent-setup.html The same config was working on the support engineer's cluster but failing on our cluster. Then we ran this query on the Cloudwatch Log insights on the eks cluster logs ``` fields @timestamp, @message | filter @logStream like /kube-apiserver/ and @logStream not like /kube-apiserver-audit/ | filter @message like /failed calling webhook/ | sort @timestamp desc ``` Which showed us some errors in the mutating webhooks then we compared the YAML of ours and their pod-identity-webhook MutatingWebhookConfiguration which led us to this discovery. Their webhook was on v1Beta1 while ours was on V1. --- latest/ug/workloads/addon-id-troubleshoot.adoc | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/latest/ug/workloads/addon-id-troubleshoot.adoc b/latest/ug/workloads/addon-id-troubleshoot.adoc index 7d78f4a23..4f2694371 100644 --- a/latest/ug/workloads/addon-id-troubleshoot.adoc +++ b/latest/ug/workloads/addon-id-troubleshoot.adoc @@ -38,4 +38,9 @@ aws iam get-role --role-name --query Role.AssumeRolePolicyDocument ** Use {aws} CloudTrail to review `AccessDenied` or `UnauthorizedOperation` events . * The service account name in the pod identity association matches the service account name used by the add-on. + -** For information about the available add-ons, see <>. \ No newline at end of file +** For information about the available add-ons, see <>. ++ +* Check configuration of MutatingWebhookConfiguration named `pod-identity-webhook` +** `admissionReviewVersions` of the webhook needs to be `v1beta1` and doesn't work with `v1`. + + From 201ae6e85700d8954eed8690d8209eb5e9f43e62 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Tue, 11 Mar 2025 00:30:52 +0000 Subject: [PATCH 245/940] remove unused file --- latest/ug/contribute/pr-status.adoc | 77 ----------------------------- 1 file changed, 77 deletions(-) diff --git a/latest/ug/contribute/pr-status.adoc b/latest/ug/contribute/pr-status.adoc index de51f156b..e69de29bb 100644 --- a/latest/ug/contribute/pr-status.adoc +++ b/latest/ug/contribute/pr-status.adoc @@ -1,77 +0,0 @@ -include::../attributes.txt[] - -[.topic] -[#pr-status] -= View the status of your GitHub Pull Request (PR) -:info_titleabbrev: View PR Status - - -After you create a pull request, you can track it's status. Pull requests have three important statuses: merged, closed, and changes requested. - -If a pull request is merged, the changes were accepted. It may take a few hours for the website to update. If the PR was closed, please understand we appreciate the contribution but could not approve the changes. For example, we may have been unable to replicate the problem. If a pull request has changes requested, review the feedback and update the pull request. - -include::images/contribute-pr.png["View PR feedback"] - -== View the pull requests you created -To view pull requests you created: - -. Go to the GitHub repository -. Click the "Pull requests" tab. -. Select *Filters* and then *Your pull requests*. -. Review the list of your open pull requests. - -== View pull requests assigned to you -To view pull requests assigned to you for review: - -. Go to the GitHub repository -. Click the "Pull requests" tab. -. Select *filters* and then *assigned to you*. -. Review the list of pull requests awaiting your review. - -== Review a pull request - -Learn how to https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request[review a pull request] in the GitHub Docs. - -== Make further changes on a pull request - -If changes are requested on a pull request, you can make further changes in the pull request. - -{aws} suggests using the GitHub.dev web editor to make further changes to a pull request. This supports viewing PR comments inside the text editor. - -=== Make further changes with a web browser - -. Use the `.` (period) key to open the pull request in the GitHub web editor -. Review the comments and make changes in the text editor. You can mark comments as resolved from within the editor. -. Use the *source control* menu in the left sidebar to commit the changes, which updates the PR. - -=== Make further changes locally - -Use the GitHub CLI to pull the changes locally. - -==== Setup GitHub CLI - -. Install the GitHub CLI if you haven't already: - * For macOS: `brew install gh` - * For Windows: `winget install GitHub.cli` - * For Linux: Follow instructions at https://github.com/cli/cli#installation - -. Authenticate with GitHub: - * Run: `gh auth login` - * Follow the prompts to complete authentication. - -==== Checkout pull request - -. Check out the pull request branch: - * Run: `gh pr checkout ` - * Replace with your pull request number. - * The pull request number is visible at the top of the PR. - * This creates a local branch with the PR changes. - -. Make your changes locally using your preferred text editor - -. Commit and push your changes: - * Stage changes: `git add .` - * Commit changes: `git commit -m "your commit message"` - * Push to GitHub: `git push` - -The pull request will automatically update with your new changes. \ No newline at end of file From 12fba6e796a632dd4b7a5db80fd8c7aa9e127995 Mon Sep 17 00:00:00 2001 From: Renan Magagnin Date: Tue, 11 Mar 2025 10:39:54 +0000 Subject: [PATCH 246/940] Remove 1.24 from extended support in kubernetes-versions.adoc --- latest/ug/clusters/kubernetes-versions.adoc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/latest/ug/clusters/kubernetes-versions.adoc b/latest/ug/clusters/kubernetes-versions.adoc index 20447c0b9..2a0014b79 100644 --- a/latest/ug/clusters/kubernetes-versions.adoc +++ b/latest/ug/clusters/kubernetes-versions.adoc @@ -46,7 +46,6 @@ The following Kubernetes versions are currently available in Amazon EKS extended * `1.27` * `1.26` * `1.25` -* `1.24` For important changes to be aware of for each version in extended support, see <>. @@ -270,4 +269,4 @@ include::view-upgrade-policy.adoc[leveloffset=+1] include::enable-extended-support.adoc[leveloffset=+1] -include::disable-extended-support.adoc[leveloffset=+1] \ No newline at end of file +include::disable-extended-support.adoc[leveloffset=+1] From 0dd5782b46c1095fb1188532f00ce43549707717 Mon Sep 17 00:00:00 2001 From: Renan Magagnin Date: Tue, 11 Mar 2025 10:43:20 +0000 Subject: [PATCH 247/940] Remove 1.24 from kubernetes-versions-extended.adoc --- .../kubernetes-versions-extended.adoc | 33 ------------------- 1 file changed, 33 deletions(-) diff --git a/latest/ug/clusters/kubernetes-versions-extended.adoc b/latest/ug/clusters/kubernetes-versions-extended.adoc index 2dde57084..a6665f69d 100644 --- a/latest/ug/clusters/kubernetes-versions-extended.adoc +++ b/latest/ug/clusters/kubernetes-versions-extended.adoc @@ -96,36 +96,3 @@ Upon upgrading to Amazon EKS version `1.25` or higher, this updated behavior mig * The https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/[goaway-chance] option in the Kubernetes API server helps prevent `HTTP/2` client connections from being stuck on a single API server instance, by randomly closing a connection. When the connection is closed, the client will try to reconnect, and will likely land on a different API server as a result of load balancing. Amazon EKS version `1.25` has enabled `goaway-chance` flag. If your workload running on Amazon EKS cluster uses a client that is not compatible with https://www.rfc-editor.org/rfc/rfc7540#section-6.8[HTTP GOAWAY], we recommend that you update your client to handle `GOAWAY` by reconnecting on connection termination. For the complete Kubernetes `1.25` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md#changelog-since-v1240. - -[#kubernetes-1-24] -== Kubernetes 1.24 - -Kubernetes `1.24` is now available in Amazon EKS. For more information about Kubernetes `1.24`, see the https://kubernetes.io/blog/2022/05/03/kubernetes-1-24-release-announcement/[official release announcement]. - -[IMPORTANT] -==== - - -* Starting with Kubernetes `1.24`, new beta APIs aren't enabled in clusters by default. By default, existing beta APIs and new versions of existing beta APIs continue to be enabled. Amazon EKS follows the same behavior as upstream Kubernetes `1.24`. The feature gates that control new features for both new and existing API operations are enabled by default. This is in alignment with upstream Kubernetes. For more information, see https://github.com/kubernetes/enhancements/blob/master/keps/sig-architecture/3136-beta-apis-off-by-default/README.md[KEP-3136: Beta APIs Are Off by Default] on GitHub. -* Support for Container Runtime Interface (CRI) for Docker (also known as `dockershim`) is removed from Kubernetes `1.24`. Amazon EKS official AMIs have containerd as the only runtime. Before moving to Amazon EKS `1.24` or higher, you must remove any reference to bootstrap script flags that aren't supported anymore. You must also make sure that IP forwarding is enabled for your worker nodes. For more information, see <>. -* If you already have Fluentd configured for Container Insights, then you must migrate Fluentd to Fluent Bit before updating your cluster. The Fluentd parsers are configured to only parse log messages in JSON format. Unlike `dockerd`, the `containerd` container runtime has log messages that aren't in JSON format. If you don't migrate to Fluent Bit, some of the configured Fluentd's parsers will generate a massive amount of errors inside the Fluentd container. For more information on migrating, see link:AmazonCloudWatch/latest/monitoring/Container-Insights-setup-logs-FluentBit.html[Set up Fluent Bit as a DaemonSet to send logs to CloudWatch Logs,type="documentation"]. -* In Kubernetes `1.23` and earlier, `kubelet` serving certificates with unverifiable IP and DNS Subject Alternative Names (SANs) are automatically issued with unverifiable SANs. These unverifiable SANs are omitted from the provisioned certificate. In version `1.24` and later clusters, `kubelet` serving certificates aren't issued if any SAN can't be verified. This prevents `kubectl` exec and `kubectl` logs commands from working. For more information, see <>. -* When upgrading an Amazon EKS `1.23` cluster that uses Fluent Bit, you must make sure that it's running `k8s/1.3.12` or later. You can do this by reapplying the latest applicable Fluent Bit YAML file from GitHub. For more information, see link:AmazonCloudWatch/latest/monitoring/Container-Insights-setup-logs-FluentBit.html#Container-Insights-FluentBit-setup[Setting up Fluent Bit,type="documentation"] in the _Amazon CloudWatch User Guide_. - -==== - -* You can use Topology Aware Hints to indicate your preference for keeping traffic in zone when cluster worker nodes are deployed across multiple availability zones. Routing traffic within a zone can help reduce costs and improve network performance. By default, Topology Aware Hints are enabled in Amazon EKS `1.24`. For more information, see https://kubernetes.io/docs/concepts/services-networking/topology-aware-hints/[Topology Aware Hints] in the Kubernetes documentation. -* The `PodSecurityPolicy` (PSP) is scheduled for removal in Kubernetes `1.25`. PSPs are being replaced with https://kubernetes.io/docs/concepts/security/pod-security-admission/[Pod Security Admission (PSA)]. PSA is a built-in admission controller that uses the security controls that are outlined in the https://kubernetes.io/docs/concepts/security/pod-security-standards/[Pod Security Standards (PSS)]. PSA and PSS are both beta features and are enabled in Amazon EKS by default. To address the removal of PSP in version `1.25`, we recommend that you implement PSS in Amazon EKS. For more information, see link:containers/implementing-pod-security-standards-in-amazon-eks[Implementing Pod Security Standards in Amazon EKS,type="blog"] on the {aws} blog. -* The `client.authentication.k8s.io/v1alpha1` ExecCredential is removed in Kubernetes `1.24`. The ExecCredential API was generally available in Kubernetes `1.22`. If you use a client-go credential plugin that relies on the `v1alpha1` API, contact the distributor of your plugin on how to migrate to the `v1` API. -* For Kubernetes `1.24`, we contributed a feature to the upstream Cluster Autoscaler project that simplifies scaling Amazon EKS managed node groups to and from zero nodes. Previously, for the Cluster Autoscaler to understand the resources, labels, and taints of a managed node group that was scaled to zero nodes, you needed to tag the underlying Amazon EC2 Auto Scaling group with the details of the nodes that it was responsible for. Now, when there are no running nodes in the managed node group, the Cluster Autoscaler calls the Amazon EKS `DescribeNodegroup` API operation. This API operation provides the information that the Cluster Autoscaler requires of the managed node group's resources, labels, and taints. This feature requires that you add the `eks:DescribeNodegroup` permission to the Cluster Autoscaler service account IAM policy. When the value of a Cluster Autoscaler tag on the Auto Scaling group powering an Amazon EKS managed node group conflicts with the node group itself, the Cluster Autoscaler prefers the value of the Auto Scaling group tag. This is so that you can override values as needed. For more information, see https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaler]. -* If you intend to use Inferentia or Trainium instance types with Amazon EKS `1.24`, you must upgrade to the {aws} Neuron device plugin version 1.9.3.0 or later. For more information, see https://awsdocs-neuron.readthedocs-hosted.com/en/latest/release-notes/containers/neuron-k8.html#id46[Neuron K8 release [1.9.3.0]] in the {aws} Neuron Documentation. -* `Containerd` has `IPv6` enabled for Pods, by default. It applies node kernel settings to Pod network namespaces. Because of this, containers in a Pod bind to both `IPv4` (`127.0.0.1`) and `IPv6` (`::1`) loopback addresses. `IPv6` is the default protocol for communication. Before updating your cluster to version `1.24`, we recommend that you test your multi-container Pods. Modify apps so that they can bind to all IP addresses on loopback interfaces. The majority of libraries enable `IPv6` binding, which is backward compatible with `IPv4`. When it's not possible to modify your application code, you have two options: -+ -** Run an `init` container and set `disable ipv6` to `true` (`sysctl -w net.ipv6.conf.all.disable_ipv6=1`). -** Configure a https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#mutatingadmissionwebhook[mutating admission webhook] to inject an `init` container alongside your application Pods. - -+ -If you need to block `IPv6` for all Pods across all nodes, you might have to disable `IPv6` on your instances. -* The https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/[goaway-chance] option in the Kubernetes API server helps prevent `HTTP/2` client connections from being stuck on a single API server instance, by randomly closing a connection. When the connection is closed, the client will try to reconnect, and will likely land on a different API server as a result of load balancing. Amazon EKS version `1.24` has enabled `goaway-chance` flag. If your workload running on Amazon EKS cluster uses a client that is not compatible with https://www.rfc-editor.org/rfc/rfc7540#section-6.8[HTTP GOAWAY], we recommend that you update your client to handle `GOAWAY` by reconnecting on connection termination. - -For the complete Kubernetes `1.24` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#changelog-since-v1230. From 28f3e6287f24084f7e70dcab63e2d1bb0134e8db Mon Sep 17 00:00:00 2001 From: Soumya Bavirisetti <54733882+soumyabavirisetti@users.noreply.github.com> Date: Tue, 11 Mar 2025 18:54:48 +0530 Subject: [PATCH 248/940] Update disable-windows-support.adoc "111122223333 with your account ID" not needed as the command is detaching an IAM policy which doesn't include an Account ID. --- latest/ug/clusters/disable-windows-support.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/clusters/disable-windows-support.adoc b/latest/ug/clusters/disable-windows-support.adoc index 087e708c5..e3f5658cf 100644 --- a/latest/ug/clusters/disable-windows-support.adoc +++ b/latest/ug/clusters/disable-windows-support.adoc @@ -6,7 +6,7 @@ include::../attributes.txt[] . If your cluster contains Amazon Linux nodes and you use <> with them, then skip this step. + -Remove the `AmazonVPCResourceController` managed IAM policy from your <>. Replace [.replaceable]`eksClusterRole` with the name of your cluster role and [.replaceable]`111122223333` with your account ID. +Remove the `AmazonVPCResourceController` managed IAM policy from your <>. Replace [.replaceable]`eksClusterRole` with the name of your cluster role. + [source,bash,subs="verbatim,attributes"] ---- @@ -22,4 +22,4 @@ kubectl patch configmap/amazon-vpc-cni \ -n kube-system \ --type merge \ -p '{"data":{"enable-windows-ipam":"false"}}' ----- \ No newline at end of file +---- From e5f1e2c3fe4bc8a7c3b1e3eeb1f5ee2f1d366fb7 Mon Sep 17 00:00:00 2001 From: Chris Negus Date: Wed, 12 Mar 2025 15:32:24 +0000 Subject: [PATCH 249/940] Updated automode.adoc per https://t.corp.amazon.com/V1705646552 --- latest/ug/automode/automode.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/automode/automode.adoc b/latest/ug/automode/automode.adoc index a2721015b..601976299 100644 --- a/latest/ug/automode/automode.adoc +++ b/latest/ug/automode/automode.adoc @@ -47,7 +47,7 @@ The following is a list of data plane components that are automated: * *Compute*: For many workloads, with EKS Auto Mode you can forget about many aspects of compute for your EKS clusters. These include: ** *Nodes*: EKS Auto Mode nodes are designed to be treated like appliances. EKS Auto Mode does the following: *** Chooses an appropriate AMI that's configured with many services needed to run your workloads without intervention. -*** Locks down those features using SELinux enforcing mode and a read-only root file system. +*** Locks down access to files on the AMI using SELinux enforcing mode and a read-only root file system. *** Prevents direct access to the nodes by disallowing SSH or SSM access. *** Includes GPU support, with separate kernel drivers and plugins for NVIDIA and Neuron GPUs, enabling high-performance workloads. ** *Auto scaling*: Relying on https://karpenter.sh/docs/[Karpenter] auto scaling, EKS Auto Mode monitors for unschedulable Pods and makes it possible for new nodes to be deployed to run those pods. As workloads are terminated, EKS Auto Mode dynamically disrupts and terminates nodes when they are no longer needed, optimizing resource usage. @@ -89,4 +89,4 @@ include::auto-reference.adoc[leveloffset=+1] include::auto-troubleshoot.adoc[leveloffset=+1] -//include::wip.adoc[leveloffset=+1] \ No newline at end of file +//include::wip.adoc[leveloffset=+1] From 854e50ca6cbb2db58035e0bdd90735b87b58e5e0 Mon Sep 17 00:00:00 2001 From: Chris Negus Date: Wed, 12 Mar 2025 19:59:02 +0000 Subject: [PATCH 250/940] Updated fargate.adoc per https://t.corp.amazon.com/V1704864797 --- latest/ug/nodes/fargate.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/nodes/fargate.adoc b/latest/ug/nodes/fargate.adoc index d540a888a..6f9309b5c 100644 --- a/latest/ug/nodes/fargate.adoc +++ b/latest/ug/nodes/fargate.adoc @@ -160,7 +160,7 @@ spec: |No |{aws} Region availability -|<> +|link:general/latest/gr/eks.html[Some Amazon EKS supported regions,type="documentation"] |Can run containers on Amazon EC2 dedicated hosts |No @@ -184,4 +184,4 @@ include::fargate-pod-patching.adoc[leveloffset=+1] include::monitoring-fargate-usage.adoc[leveloffset=+1] -include::fargate-logging.adoc[leveloffset=+1] \ No newline at end of file +include::fargate-logging.adoc[leveloffset=+1] From 0651c17fafc14d32dc4f3a5ade292f807916c438 Mon Sep 17 00:00:00 2001 From: Alex Karacaoglu Date: Wed, 12 Mar 2025 16:08:53 -0400 Subject: [PATCH 251/940] Add pod identity setup details for the ebs csi driver addon --- latest/ug/storage/efs-csi.adoc | 107 ++++++++++++++++++++++++++++++--- 1 file changed, 97 insertions(+), 10 deletions(-) diff --git a/latest/ug/storage/efs-csi.adoc b/latest/ug/storage/efs-csi.adoc index e2c8ac417..ac7b39c6b 100644 --- a/latest/ug/storage/efs-csi.adoc +++ b/latest/ug/storage/efs-csi.adoc @@ -28,7 +28,9 @@ link:efs/latest/ug/whatisefs.html[Amazon Elastic File System,type="documentation [#efs-csi-prereqs] == Prerequisites -* An existing {aws} Identity and Access Management (IAM) OpenID Connect (OIDC) provider for your cluster. To determine whether you already have one, or to create one, see <>. +* The EFS CSI driver needs {aws} IAM Permissions. +** {aws} suggests using EKS Pod Identities. For more information, see <>. +** For information about IAM Roles for Service Accounts and setting up an {aws} Identity and Access Management (IAM) OpenID Connect (OIDC) provider for your cluster, see <>. * Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or Homebrew for macOS are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. * The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the Kubernetes version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. @@ -56,6 +58,23 @@ The specific steps in this procedure are written for using the driver as an Amaz ==== === `eksctl` [[eksctl_efs_store_app_data]] +==== If Using Pod Identities +Run the following commands to create an IAM role and Pod Identity association with `eksctl`. Replace [.replaceable]`my-cluster` with your cluster name and [.replaceable]`AmazonEKS_EFS_CSI_DriverRole` with the name for your role. + +[source,bash,subs="verbatim,attributes"] +---- +export cluster_name=my-cluster +export role_name=AmazonEKS_EFS_CSI_DriverRole +eksctl create podidentityassociation \ + --service-account-name efs-csi-controller-sa \ + --namespace kube-system \ + --cluster $cluster_name \ + --role-name $role_name \ + --permission-policy-arns {arn-aws}iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy \ + --approve +---- + +==== If Using IAM Roles for Service Accounts Run the following commands to create an IAM role with `eksctl`. Replace [.replaceable]`my-cluster` with your cluster name and [.replaceable]`AmazonEKS_EFS_CSI_DriverRole` with the name for your role. [source,bash,subs="verbatim,attributes"] @@ -83,10 +102,16 @@ Run the following to create an IAM role with {aws-management-console}. . On the *Roles* page, choose *Create role*. . On the *Select trusted entity* page, do the following: + -.. In the *Trusted entity type* section, choose *Web identity*. -.. For *Identity provider*, choose the *OpenID Connect provider URL* for your cluster (as shown under *Overview* in Amazon EKS). -.. For *Audience*, choose `sts.amazonaws.com`. -.. Choose *Next*. +.. If using *EKS Pod Identities* +... In the *Trusted entity type* section, choose *AWS service*. +... In the *Service or use case* drop down, choose *EKS*. +... In the *Use case* section, choose *EKS - Pod Identity*. +... Choose *Next*. +.. If using *IAM Roles for Service Accounts* +... In the *Trusted entity type* section, choose *Web identity*. +... For *Identity provider*, choose the *OpenID Connect provider URL* for your cluster (as shown under *Overview* in Amazon EKS). +... For *Audience*, choose `sts.amazonaws.com`. +... Choose *Next*. . On the *Add permissions* page, do the following: + .. In the *Filter policies* box, enter [.replaceable]`AmazonEFSCSIDriverPolicy`. @@ -97,9 +122,21 @@ Run the following to create an IAM role with {aws-management-console}. .. For *Role name*, enter a unique name for your role, such as [.replaceable]`AmazonEKS_EFS_CSI_DriverRole`. .. Under *Add tags (Optional)*, add metadata to the role by attaching tags as key-value pairs. For more information about using tags in IAM, see link:IAM/latest/UserGuide/id_tags.html[Tagging IAM resources,type="documentation"] in the _IAM User Guide_. .. Choose *Create role*. -. After the role is created, choose the role in the console to open it for editing. -. Choose the *Trust relationships* tab, and then choose *Edit trust policy*. -. Find the line that looks similar to the following line: +. After the role is created: +.. If using *EKS Pod Identities* +... Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. +... In the left navigation pane, select *Clusters*, and then select the name of the cluster that you want to configure the EKS Pod Identity association for. +... Choose the *Access* tab. +... In *Pod Identity associations*, choose *Create*. +... Choose the *IAM role* dropdown and select your newly created role. +... Choose the *Kubernetes namespace* field and input *kube-system*. +... Choose the *Kubernetes service account* field and input *efs-csi-controller-sa*. +... Choose *Create*. +... For more information on creating Pod Identity associations, see <>. +.. If using *IAM Roles for Service Accounts* +... Choose the role in the console to open it for editing. +... Choose the *Trust relationships* tab, and then choose *Edit trust policy*. +... Find the line that looks similar to the following line: + [source,json,subs="verbatim,attributes"] ---- @@ -112,13 +149,63 @@ Add the following line above the previous line. Replace [.replaceable]`region-c ---- "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:kube-system:efs-csi-*", ---- -. Modify the `Condition` operator from `"StringEquals"` to `"StringLike"`. -. Choose *Update policy* to finish. +... Modify the `Condition` operator from `"StringEquals"` to `"StringLike"`. +... Choose *Update policy* to finish. === {aws} CLI [[awscli_efs_store_app_data]] Run the following commands to create an IAM role with {aws} CLI. +==== If Using Pod Identities +. Create the IAM role that grants the `AssumeRole` and `TagSession` actions to the `pods.eks.amazonaws.com` service. ++ +.. Copy the following contents to a file named `aws-efs-csi-driver-trust-policy-pod-identity.json`. ++ +[source,json,subs="verbatim,attributes"] +---- +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowEksAuthToAssumeRoleForPodIdentity", + "Effect": "Allow", + "Principal": { + "Service": "pods.eks.amazonaws.com" + }, + "Action": [ + "sts:AssumeRole", + "sts:TagSession" + ] + } + ] +} +---- +.. Create the role. You can change [.replaceable]`AmazonEKS_EFS_CSI_DriverRole` to a different name, but if you do, make sure to change it in later steps too. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws iam create-role \ + --role-name AmazonEKS_EFS_CSI_DriverRole \ + --assume-role-policy-document file://"aws-efs-csi-driver-trust-policy-pod-identity.json" +---- +. Attach the required {aws} managed policy to the role with the following command. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws iam attach-role-policy \ + --policy-arn {arn-aws}iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy \ + --role-name AmazonEKS_EFS_CSI_DriverRole +---- + +. Run the following command to create the Pod Identity association. Replace [.replaceable]`my-cluster` with your cluster name. Replace [.replaceable]`arn:aws:iam::111122223333:role/my-role` with the role created in previous steps. ++ +---- +aws eks create-pod-identity-association --cluster-name my-cluster --role-arn arn:aws:iam::111122223333:role/my-role --namespace kube-system --service-account efs-csi-controller-sa +---- +. For more information on creating Pod Identity associations, see <>. + +==== If using IAM Roles for Service Accounts + . View your cluster's OIDC provider URL. Replace [.replaceable]`my-cluster` with your cluster name. If the output from the command is `None`, review the *Prerequisites*. + [source,bash,subs="verbatim,attributes"] From 53c4a1df1ef108c05acddc4a05227f7f9e036552 Mon Sep 17 00:00:00 2001 From: Chris Negus Date: Thu, 13 Mar 2025 14:12:37 +0000 Subject: [PATCH 252/940] Updated delete-cluster.adoc per https://t.corp.amazon.com/V1704809000 --- latest/ug/clusters/delete-cluster.adoc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/latest/ug/clusters/delete-cluster.adoc b/latest/ug/clusters/delete-cluster.adoc index e4de990ff..fbb402803 100644 --- a/latest/ug/clusters/delete-cluster.adoc +++ b/latest/ug/clusters/delete-cluster.adoc @@ -48,6 +48,7 @@ For instructions on how to install or upgrade `eksctl`, see https://eksctl.io/in kubectl get svc --all-namespaces ---- .. Delete any services that have an associated `EXTERNAL-IP` value. These services are fronted by an Elastic Load Balancing load balancer, and you must delete them in Kubernetes to allow the load balancer and associated resources to be properly released. +Replace [.replaceable]`service-name` with the name of each service listed as described. + [source,bash,subs="verbatim,attributes"] ---- @@ -81,6 +82,7 @@ Output: kubectl get svc --all-namespaces ---- . Delete any services that have an associated `EXTERNAL-IP` value. These services are fronted by an Elastic Load Balancing load balancer, and you must delete them in Kubernetes to allow the load balancer and associated resources to be properly released. +Replace [.replaceable]`service-name` with the name of each service listed as described. + [source,bash,subs="verbatim,attributes"] ---- @@ -120,6 +122,7 @@ NOTE: The node groups listed are <> onl kubectl get svc --all-namespaces ---- . Delete any services that have an associated `EXTERNAL-IP` value. These services are fronted by an Elastic Load Balancing load balancer, and you must delete them in Kubernetes to allow the load balancer and associated resources to be properly released. +Replace [.replaceable]`service-name` with the name of each service listed as described. + [source,bash,subs="verbatim,attributes"] ---- @@ -186,4 +189,4 @@ aws cloudformation list-stacks --query "StackSummaries[].StackName" [source,bash,subs="verbatim,attributes"] ---- aws cloudformation delete-stack --stack-name my-vpc-stack ----- \ No newline at end of file +---- From f90549a346e8bf1045b2d89e03e5663c6cef53c7 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Thu, 13 Mar 2025 13:33:05 -0500 Subject: [PATCH 253/940] Add tutorial for GPUs on EKS Auto Mode (#914) * add tutorial * Apply suggestions from code review Co-authored-by: Bryant Biggs * fixup * fixup --------- Co-authored-by: Bryant Biggs --- latest/ug/automode/auto-accelerated.adoc | 272 +++++++++++++++++++++++ latest/ug/automode/create-node-pool.adoc | 1 + latest/ug/automode/settings-auto.adoc | 4 +- 3 files changed, 276 insertions(+), 1 deletion(-) create mode 100644 latest/ug/automode/auto-accelerated.adoc diff --git a/latest/ug/automode/auto-accelerated.adoc b/latest/ug/automode/auto-accelerated.adoc new file mode 100644 index 000000000..ea1d31e15 --- /dev/null +++ b/latest/ug/automode/auto-accelerated.adoc @@ -0,0 +1,272 @@ +[.topic] +[#auto-accelerated] += Deploy an accelerated workload +:info_titleabbrev: Deploy accelerated workload + +include::../attributes.txt[] + + +This tutorial demonstrates how Amazon EKS Auto Mode simplifies launching accelerated workloads. Amazon EKS Auto Mode streamlines operations beyond the cluster itself by automating key infrastructure components providing compute, networking, load balancing, storage, and Identity Access and Management capabilities out of the box. + +Amazon EKS Auto Mode includes the drivers and device plugins required for certain instance types, such as NVIDIA and {aws} Neuron drivers. You do not have to install or update these components. + +EKS Auto Mode automatically manages drivers for these accelerators: + +* link:ai/machine-learning/trainium/[{aws} Trainium, type="marketing"] +* link:ai/machine-learning/inferentia/[{aws} Inferentia, type="marketing"] +* link:ec2/latest/instancetypes/ac.html[NVIDIA GPUs on Amazon EC2 accelerated instances, type="documentation"] + +NOTE: EKS Auto Mode includes the NVIDIA device plugin for Kubernetes. This plugin runs automatically and isn't visible as a daemon set in your cluster. + +Additional networking support: + +* link:hpc/efa/[Elastic Fabric Adapter (EFA), type="marketing"] + +Amazon EKS Auto Mode eliminates the toil of accelerator driver and device plugin management. + +You can also benefit from cost savings by scaling the cluster to zero. You can configure EKS Auto Mode to terminate instances when no workloads are running. This is useful for batch based inference workloads. + +The following provides an example of how to launch accelerated workloads with Amazon EKS Auto Mode. + +== Prerequisites + +* A Kubernetes cluster with Amazon EKS Auto Mode configured. +* A `default` EKS Node class as created when the `general-purpose` or `system` Managed Node Pools are enabled. + +== Step 1: Deploy a GPU workload + +In this example, you will create a NodePool for NVIDIA based workloads that requires 45GB GPU memory. With EKS Auto Mode, you use Kubernetes scheduling constraints to define your instance requirements. + +To deploy the Amazon EKS Auto Mode `NodePool` and the sample `workload`, review the following NodePool and Pod definition and save as `nodepool-gpu.yaml` and `pod.yaml`: + +*nodepool-gpu.yaml* + +[source,yaml] +---- +apiVersion: karpenter.sh/v1 +kind: NodePool +metadata: + name: gpu +spec: + disruption: + budgets: + - nodes: 10% + consolidateAfter: 1h + consolidationPolicy: WhenEmpty + template: + metadata: {} + spec: + nodeClassRef: + group: eks.amazonaws.com + kind: NodeClass + name: default + requirements: + - key: "karpenter.sh/capacity-type" + operator: In + values: ["on-demand"] + - key: "kubernetes.io/arch" + operator: In + values: ["amd64"] + - key: "eks.amazonaws.com/instance-family" + operator: In + values: + - g6e + - g6 + terminationGracePeriod: 24h0m0s +---- + +*pod.yaml* + +[source,yaml] +---- +apiVersion: v1 +kind: Pod +metadata: + name: nvidia-smi +spec: + nodeSelector: + eks.amazonaws.com/instance-gpu-name: l40s + eks.amazonaws.com/compute-type: auto + restartPolicy: OnFailure + containers: + - name: nvidia-smi + image: public.ecr.aws/amazonlinux/amazonlinux:2023-minimal + args: + - "nvidia-smi" + resources: + requests: + memory: "30Gi" + cpu: "3500m" + nvidia.com/gpu: 1 + limits: + memory: "30Gi" + nvidia.com/gpu: 1 +---- + +Note the `eks.amazonaws.com/compute-type: auto` selector requires the workload be deployed on an Amazon EKS Auto Mode node. + +Apply the NodePool and workload to your cluster. + +[source,bash] +---- +kubectl apply -f nodepool-gpu.yaml +kubectl apply -f pod.yaml +---- + +You should see the following output: + +[source,bash] +---- +nodepool.karpenter.sh/gpu configured created +pod/nvidia-smi created +---- + +Wait a few seconds, and check the nodes in your cluster. You should now see a new node provisioned in your Amazon EKS Auto Mode cluster: + +[source,bash] +---- +> kubectl get nodes + +NAME TYPE CAPACITY ZONE NODE READY AGE +gpu-dnknr g6e.2xlarge on-demand us-west-2b i-02315c7d7643cdee6 True 76s +---- + +== Step 2: Validate + +You can see Amazon EKS Auto Mode launched a `g6e.2xlarge` rather than an `g6.2xlarge` as the workload required an instance with l40s `GPU`, according to the following Kubernetes scheduling constraints: + +[source,yaml] +---- +... + nodeSelector: + eks.amazonaws.com/instance-gpu-name: l40s +... + requests: + memory: "30Gi" + cpu: "3500m" + nvidia.com/gpu: 1 + limits: + memory: "30Gi" + nvidia.com/gpu: 1 +---- + +Now, look at the containers logs, by running the following command: + +[source,bash] +---- +kubectl logs nvidia-smi +---- + +Sample output: + +[source,bash] +---- ++---------------------------------------------------------------------------------------+ +| NVIDIA-SMI 535.230.02 Driver Version: 535.230.02 CUDA Version: 12.2 | +|-----------------------------------------+----------------------+----------------------+ +| GPU Name Persistence-M | Bus-Id Disp.A | Volatile Uncorr. ECC | +| Fan Temp Perf Pwr:Usage/Cap | Memory-Usage | GPU-Util Compute M. | +| | | MIG M. | +|=========================================+======================+======================| +| 0 NVIDIA L40S On | 00000000:30:00.0 Off | 0 | +| N/A 27C P8 23W / 350W | 0MiB / 46068MiB | 0% Default | +| | | N/A | ++-----------------------------------------+----------------------+----------------------+ + ++---------------------------------------------------------------------------------------+ +| Processes: | +| GPU GI CI PID Type Process name GPU Memory | +| ID ID Usage | +|=======================================================================================| +| No running processes found | ++---------------------------------------------------------------------------------------+ +---- + +You can see that the container has detected it's running on an instance with an `NVIDIA` GPU and that you've not had to install any device drivers, as this is managed by Amazon EKS Auto Mode. + +== Step 3: Clean-up + +To remove all objects created, use `kubectl` to delete the sample deployment and NodePool so the node is terminated: + +---- +kubectl delete -f nodepool-gpu.yaml +kubectl delete -f pod.yaml +---- + + +== Example NodePools Reference + +=== Create an NVIDIA NodePool + +The following NodePool defines: + +* Only launch instances of `g6e` and `g6` family +* Consolidate nodes when empty for 1 hour +** The 1 hour value for `consolodateAfter` supports spiky workloads and reduce node churn. You can tune `consolidateAfter` based on your workload requirements. + +*Example NodePool with GPU instance family and consolidation* + +[source,yaml] +---- +apiVersion: karpenter.sh/v1 +kind: NodePool +metadata: + name: gpu +spec: + disruption: + budgets: + - nodes: 10% + consolidateAfter: 1h + consolidationPolicy: WhenEmpty + template: + metadata: {} + spec: + nodeClassRef: + group: eks.amazonaws.com + kind: NodeClass + name: default + requirements: + - key: "karpenter.sh/capacity-type" + operator: In + values: ["on-demand"] + - key: "kubernetes.io/arch" + operator: In + values: ["amd64"] + - key: "eks.amazonaws.com/instance-family" + operator: In + values: + - g6e + - g6 + terminationGracePeriod: 24h0m0s +---- + +Instead of to setting the `eks.amazonaws.com/instance-gpu-name` you might use `eks.amazonaws.com/instance-family` to specify the instance family. For other well-known labels which influence scheduling review, see <>. + +If you have specific storage requirements you can tune the nodes ephemeral storage `iops`, `size` and `throughput` by creating your own xref:create-node-class[NodeClass] to reference in the NodePool. Learn more about the xref:create-node-class[configurable NodeClass options]. + +*Example storage configuration for NodeClass* + +[source,yaml] +---- +apiVersion: eks.amazonaws.com/v1 +kind: NodeClass +metadata: + name: gpu +spec: + ephemeralStorage: + iops: 3000 + size: 80Gi + throughput: 125 +---- + +=== Define an {aws} Trainium and {aws} Inferentia NodePool + +The following NodePool has an `eks.amazonaws.com/instance-category` set that says, only launch instances of Inferentia and Trainium family: + +---- + - key: "eks.amazonaws.com/instance-category" + operator: In + values: + - inf + - trn +---- diff --git a/latest/ug/automode/create-node-pool.adoc b/latest/ug/automode/create-node-pool.adoc index 04016f0ae..4069f40a2 100644 --- a/latest/ug/automode/create-node-pool.adoc +++ b/latest/ug/automode/create-node-pool.adoc @@ -74,6 +74,7 @@ spec: memory: 1000Gi ---- +[#auto-supported-labels] == EKS Auto Mode Supported Labels EKS Auto Mode supports the following well known labels. diff --git a/latest/ug/automode/settings-auto.adoc b/latest/ug/automode/settings-auto.adoc index afcd65213..067012410 100644 --- a/latest/ug/automode/settings-auto.adoc +++ b/latest/ug/automode/settings-auto.adoc @@ -104,4 +104,6 @@ include::critical-workload.adoc[leveloffset=+1] include::auto-net-pol.adoc[leveloffset=+1] -include::tag-subnets-auto.adoc[leveloffset=+1] \ No newline at end of file +include::tag-subnets-auto.adoc[leveloffset=+1] + +include::auto-accelerated.adoc[leveloffset=+1] From 2331b68c76457afc79967d5be5fe1b5441615268 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Thu, 13 Mar 2025 18:39:51 +0000 Subject: [PATCH 254/940] fix link --- latest/ug/clusters/platform-versions.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/clusters/platform-versions.adoc b/latest/ug/clusters/platform-versions.adoc index 5d1417af7..aa3a2366c 100644 --- a/latest/ug/clusters/platform-versions.adoc +++ b/latest/ug/clusters/platform-versions.adoc @@ -878,7 +878,7 @@ The following admission controllers are enabled for all `1.24` platform versions | `1.24.7` | `eks.1` -| Initial release of Kubernetes version `1.24` for EKS. For more information, see <>. +| Initial release of Kubernetes version `1.24` for EKS. | November 15, 2022 |=== From dac7f9eb64fa4046b2555d0815b4ac2fc144db98 Mon Sep 17 00:00:00 2001 From: Chris Negus Date: Thu, 13 Mar 2025 19:24:29 +0000 Subject: [PATCH 255/940] Removed blog links from ml-tutorials.html page that are not useful --- latest/ug/ml/ml-tutorials.adoc | 21 --------------------- 1 file changed, 21 deletions(-) diff --git a/latest/ug/ml/ml-tutorials.adoc b/latest/ug/ml/ml-tutorials.adoc index 84228d611..78e55e4a0 100644 --- a/latest/ug/ml/ml-tutorials.adoc +++ b/latest/ug/ml/ml-tutorials.adoc @@ -12,14 +12,10 @@ These tutorials cover everything from patterns for making the best use of GPU pr * link:containers/deploy-generative-ai-models-on-amazon-eks/[Deploy Generative AI Models on Amazon EKS,type="blog"] * link:containers/building-multi-tenant-jupyterhub-platforms-on-amazon-eks/[Building multi-tenant JupyterHub Platforms on Amazon EKS,type="blog"] -* link:containers/run-spark-rapids-ml-workloads-with-gpus-on-amazon-emr-on-eks/[Run Spark-RAPIDS ML workloads with GPUs on Amazon EMR on EKS,type="blog"] == Run specialized generative AI frameworks on EKS -* link:hpc/accelerate-drug-discovery-with-nvidia-bionemo-framework-on-amazon-eks/[Accelerate drug discovery with NVIDIA BioNeMo Framework on Amazon EKS,type="blog"] -* link:containers/host-the-whisper-model-with-streaming-mode-on-amazon-eks-and-ray-serve/[Host the Whisper Model with Streaming Mode on Amazon EKS and Ray Serve,type="blog"] * link:machine-learning/accelerate-your-generative-ai-distributed-training-workloads-with-the-nvidia-nemo-framework-on-amazon-eks/[Accelerate your generative AI distributed training workloads with the NVIDIA NeMo Framework on Amazon EKS,type="blog"] -* link:publicsector/virtualizing-satcom-operations-aws/[Virtualizing satellite communication operations with {aws},type="blog"] * link:opensource/running-torchserve-on-amazon-elastic-kubernetes-service/[Running TorchServe on Amazon Elastic Kubernetes Service,type="blog"] == Maximize NVIDIA GPU performance for ML on EKS @@ -32,15 +28,6 @@ link:containers/gpu-sharing-on-amazon-eks-with-nvidia-time-slicing-and-accelerat + link:containers/maximizing-gpu-utilization-with-nvidias-multi-instance-gpu-mig-on-amazon-eks-running-more-pods-per-gpu-for-enhanced-performance/[Maximizing GPU utilization with NVIDIA's Multi-Instance GPU (MIG) on Amazon EKS: Running more pods per GPU for enhanced performance,type="blog"] -* Leverage NVIDIA NIM microservices to optimize inference workloads using optimized microservices to deploy AI models at scale: -+ -link:hpc/deploying-generative-ai-applications-with-nvidia-nims-on-amazon-eks/[Part 1: Deploying generative AI applications with NVIDIA NIMs on Amazon EKS,type="blog"] -+ -link:hpc/deploying-generative-ai-applications-with-nvidia-nim-microservices-on-amazon-elastic-kubernetes-service-amazon-eks-part-2/[Part 2: Deploying Generative AI Applications with NVIDIA NIM Microservices on Amazon Elastic Kubernetes Service (Amazon EKS),type="blog"] - -* link:containers/scaling-a-large-language-model-with-nvidia-nim-on-amazon-eks-with-karpenter/[Scaling a Large Language Model with NVIDIA NIM on Amazon EKS with Karpenter,type="blog"] - - * link:machine-learning/build-and-deploy-a-scalable-machine-learning-system-on-kubernetes-with-kubeflow-on-aws/[Build and deploy a scalable machine learning system on Kubernetes with Kubeflow on {aws},type="blog"] == Run video encoding workloads on EKS @@ -51,10 +38,6 @@ link:hpc/deploying-generative-ai-applications-with-nvidia-nim-microservices-on-a * link:containers/how-h2o-ai-optimized-and-secured-their-ai-ml-infrastructure-with-karpenter-and-bottlerocket/[How H2O.ai optimized and secured their AI/ML infrastructure with Karpenter and Bottlerocket,type="blog"] -== Testimonials for ML on EKS - -* link:containers/quora-3x-faster-machine-learning-25-lower-costs-with-nvidia-triton-on-amazon-eks/[Quora achieved 3x lower latency and 25% lower Costs by modernizing model serving with Nvidia Triton on Amazon EKS,type="blog"] - == Monitoring ML workloads * link:mt/monitoring-gpu-workloads-on-amazon-eks-using-aws-managed-open-source-services/[Monitoring GPU workloads on Amazon EKS using {aws} managed open-source services,type="blog"] @@ -63,9 +46,5 @@ link:hpc/deploying-generative-ai-applications-with-nvidia-nim-microservices-on-a == Announcements for ML on EKS * link:containers/bottlerocket-support-for-nvidia-gpus/[Bottlerocket support for NVIDIA GPUs,type="blog"] -* link:aws/new-ec2-instances-g5-with-nvidia-a10g-tensor-core-gpus/[New – EC2 Instances (G5) with NVIDIA A10G Tensor Core GPUs,type="blog"] * link:containers/utilizing-nvidia-multi-instance-gpu-mig-in-amazon-ec2-p4d-instances-on-amazon-elastic-kubernetes-service-eks/[Utilizing NVIDIA Multi-Instance GPU (MIG) in Amazon EC2 P4d Instances on Amazon Elastic Kubernetes Service,type="blog"] -* link:aws/new-gpu-equipped-ec2-p4-instances-for-machine-learning-hpc/[New – GPU-Equipped EC2 P4 Instances for Machine Learning & HPC,type="blog"] -* link:machine-learning/amazon-ec2-p5e-instances-are-generally-available/[Amazon EC2 P5e instances are generally available,type="blog"] * link:containers/deploying-managed-p4d-instances-in-amazon-elastic-kubernetes-service/[Deploying managed P4d Instances in Amazon Elastic Kubernetes Service with NVIDIA GPUDirectRDMA,type="blog"] -* link:machine-learning/establishing-an-ai-ml-center-of-excellence/[Establishing an AI/ML center of excellence,type="blog"] \ No newline at end of file From 868cca1b93697c162dc9bcbd55817e6627ec4e3c Mon Sep 17 00:00:00 2001 From: Ramneek Kalra Date: Fri, 14 Mar 2025 03:32:30 +0530 Subject: [PATCH 256/940] Update create-cluster.adoc (#917) --- latest/ug/clusters/create-cluster.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/clusters/create-cluster.adoc b/latest/ug/clusters/create-cluster.adoc index 5aebc4491..8075d2695 100644 --- a/latest/ug/clusters/create-cluster.adoc +++ b/latest/ug/clusters/create-cluster.adoc @@ -97,9 +97,9 @@ You can create a cluster by using: + The subnets that you choose must meet the <>. Before selecting subnets, we recommend that you're familiar with all of the <>. + -[source,bash,subs="verbatim,attributes"] . Run the following command: + +[source,bash,subs="verbatim,attributes"] ---- eksctl create cluster --name my-cluster --region region-code --version {k8s-n} --vpc-private-subnets subnet-ExampleID1,subnet-ExampleID2 --without-nodegroup ---- @@ -319,4 +319,4 @@ If you deploy your cluster using either `eksctl` or the {aws} CLI, then the Amaz * If you want nodes and IAM principals to access your cluster from within your VPC, enable the private endpoint for your cluster. The public endpoint is enabled by default. You can disable the public endpoint once you've enabled the private endpoint, if desired. For more information, see <>. * <>. * <>. -* <>. \ No newline at end of file +* <>. From fbdae5f090ec0ecb309601115dc7c42deecc8c4a Mon Sep 17 00:00:00 2001 From: Parikshit Patel <45248245+parikshitataws@users.noreply.github.com> Date: Fri, 14 Mar 2025 09:54:03 +1100 Subject: [PATCH 257/940] Update auto-networking.adoc (#919) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Current formatting seems to be misinterpreted resulting in following output. Note –0— and –1— ``` If your worker nodes use custom security groups (not –0— naming pattern), your cluster role needs additional IAM permissions. The default EKS-managed policy only allows EKS to modify security groups named –1—. Without permission to modify your custom security groups, EKS cannot add the required ingress rules that allow ALB/NLB traffic to reach your pods. ``` Trying to remove + sign to fix this formatting issue --- latest/ug/automode/auto-networking.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/automode/auto-networking.adoc b/latest/ug/automode/auto-networking.adoc index b5bbc20d6..dda081ac0 100644 --- a/latest/ug/automode/auto-networking.adoc +++ b/latest/ug/automode/auto-networking.adoc @@ -62,4 +62,4 @@ For more information, see <> or <>. * EKS Auto Mode only supports Security Group Mode for Network Load Balancers. * {aws} does not support migrating load balancers from the self managed {aws} load balancer controller to management by EKS Auto Mode. * The `networking.ingress.ipBlock` field in `TargetGroupBinding` spec is not supported. -* If your worker nodes use custom security groups (not `+eks-cluster-sg-*+` naming pattern), your cluster role needs additional IAM permissions. The default EKS-managed policy only allows EKS to modify security groups named `+eks-cluster-sg-*+`. Without permission to modify your custom security groups, EKS cannot add the required ingress rules that allow ALB/NLB traffic to reach your pods. \ No newline at end of file +* If your worker nodes use custom security groups (not `eks-cluster-sg-*` naming pattern), your cluster role needs additional IAM permissions. The default EKS-managed policy only allows EKS to modify security groups named `eks-cluster-sg-*`. Without permission to modify your custom security groups, EKS cannot add the required ingress rules that allow ALB/NLB traffic to reach your pods. From 7303a8967687c14ac3e177fb471cd166878a81b3 Mon Sep 17 00:00:00 2001 From: Chris Splinter Date: Fri, 14 Mar 2025 12:18:34 -0500 Subject: [PATCH 258/940] Hybrid Nodes Networking Docs (pod routing, webhooks, mixed mode clusters) (#906) * add content for hybrid nodes pod network routability and mixed mode clusters * CNI docs improvements, add considerations section * use correct formats for code snippets * create separate page for hybrid nodes and webhooks * add commands to see webhooks on cluster * add links to webhooks docs --------- Co-authored-by: Donovan Finch --- latest/ug/nodes/hybrid-nodes-add-ons.adoc | 10 +- .../ug/nodes/hybrid-nodes-cluster-create.adoc | 6 +- latest/ug/nodes/hybrid-nodes-cni.adoc | 88 +++--- latest/ug/nodes/hybrid-nodes-creds.adoc | 14 +- latest/ug/nodes/hybrid-nodes-networking.adoc | 24 +- latest/ug/nodes/hybrid-nodes-overview.adoc | 7 +- .../nodes/hybrid-nodes-troubleshooting.adoc | 2 +- latest/ug/nodes/hybrid-nodes-webhooks.adoc | 263 ++++++++++++++++++ 8 files changed, 354 insertions(+), 60 deletions(-) create mode 100644 latest/ug/nodes/hybrid-nodes-webhooks.adoc diff --git a/latest/ug/nodes/hybrid-nodes-add-ons.adoc b/latest/ug/nodes/hybrid-nodes-add-ons.adoc index 2cf09165a..e9ae69fe2 100644 --- a/latest/ug/nodes/hybrid-nodes-add-ons.adoc +++ b/latest/ug/nodes/hybrid-nodes-add-ons.adoc @@ -61,16 +61,16 @@ The sections that follow describe differences between running compatible {aws} a [#hybrid-nodes-add-ons-core] == kube-proxy and CoreDNS -EKS installs Kube-proxy and CoreDNS as self-managed add-ons by default when you create an EKS cluster with the {aws} API and {aws} SDKs, including from the {aws} CLI. You can overwrite these add-ons as Amazon EKS add-ons after cluster creation. Reference the EKS documentation for details on <> and <>. If you are running a cluster with hybrid nodes and nodes in {aws} Cloud, we recommend that you have at least one CoreDNS replica on hybrid nodes and at least one CoreDNS replica on your nodes in {aws} Cloud. +EKS installs kube-proxy and CoreDNS as self-managed add-ons by default when you create an EKS cluster with the {aws} API and {aws} SDKs, including from the {aws} CLI. You can overwrite these add-ons with Amazon EKS add-ons after cluster creation. Reference the EKS documentation for details on <> and <>. If you are running a mixed mode cluster with both hybrid nodes and nodes in {aws} Cloud, it is recommended to have at least one CoreDNS replica on hybrid nodes and at least one CoreDNS replica on your nodes in {aws} Cloud. See <> for configuration steps. [#hybrid-nodes-add-ons-cw] == CloudWatch Observability agent -As the CloudWatch Observability agent runs https://kubernetes.io/docs/reference/access-authn-authz/webhook/[webhooks], you must configure a remote pod network when creating your Amazon EKS cluster, and you must make your pod IP addresses routable. Implementing Border Gateway Protocol (BGP) with the CNI is one common way to make your pod IP addresses routable. +The CloudWatch Observability agent operator uses https://kubernetes.io/docs/reference/access-authn-authz/webhook/[webhooks]. If you run the operator on hybrid nodes, your on-premises pod CIDR must be routable on your on-premises network and you must configure your EKS cluster with your remote pod network. For more information, see <>. Node-level metrics are not available for hybrid nodes because link:AmazonCloudWatch/latest/monitoring/ContainerInsights.html[CloudWatch Container Insights,type="documentation"] depends on the availability of link:AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html[Instance Metadata Service,type="documentation"] (IMDS) for node-level metrics. Cluster, workload, pod, and container-level metrics are available for hybrid nodes. After installing the add-on by following the steps described in link:AmazonCloudWatch/latest/monitoring/install-CloudWatch-Observability-EKS-addon.html[Install the CloudWatch agent with the Amazon CloudWatch Observability,type="documentation"], the add-on manifest must be updated before the agent can run successfully on hybrid nodes. Edit the `amazoncloudwatchagents` resource on the cluster to add the `RUN_WITH_IRSA` environment variable as shown below. -[source,yaml,subs="verbatim,attributes"] +[source,bash,subs="verbatim,attributes"] ---- kubectl edit amazoncloudwatchagents -n amazon-cloudwatch cloudwatch-agent ---- @@ -109,14 +109,14 @@ Follow the steps in link:prometheus/latest/userguide/AMP-collector-how-to.html[U [#hybrid-nodes-add-ons-adot] == {aws} Distro for OpenTelemetry (ADOT) -You can use the {aws} Distro for OpenTelemetry (ADOT) Amazon EKS add-on to collect metrics, logs, and tracing data from your applications running on hybrid nodes. ADOT uses admission https://kubernetes.io/docs/reference/access-authn-authz/webhook/[webhooks] to mutate and validate the Collector Custom Resource requests. For the EKS control plane to reach webhooks running on hybrid nodes, you must configure your remote pod network when creating your Amazon EKS cluster, and you must make your pod IP addresses routable. Implementing Border Gateway Protocol (BGP) with the CNI is one common way to make your pod IP addresses routable. +You can use the {aws} Distro for OpenTelemetry (ADOT) add-on to collect metrics, logs, and tracing data from your applications running on hybrid nodes. ADOT uses admission https://kubernetes.io/docs/reference/access-authn-authz/webhook/[webhooks] to mutate and validate the Collector Custom Resource requests. If you run the ADOT operator on hybrid nodes, your on-premises pod CIDR must be routable on your on-premises network and you must configure your EKS cluster with your remote pod network. For more information, see <>. Follow the steps in https://aws-otel.github.io/docs/getting-started/adot-eks-add-on[Getting Started with {aws} Distro for OpenTelemetry using EKS Add-Ons] in the _{aws} Distro for OpenTelemetry_ documentation. [#hybrid-nodes-add-ons-lbc] == {aws} Load Balancer Controller -You can use the <> and Application Load Balancer (ALB) or Network Load Balancer (NLB) with the target type ip for workloads on hybrid nodes connected with {aws} Direct Connect or {aws} Site-to-Site VPN. As the {aws} Load Balancer Controller uses https://kubernetes.io/docs/reference/access-authn-authz/webhook/[webhooks], you must configure a remote pod network when creating your Amazon EKS cluster, and you must make your pod IP addresses routable. Implementing Border Gateway Protocol (BGP) with the CNI is one common way to make your pod IP addresses routable. +You can use the <> and Application Load Balancer (ALB) or Network Load Balancer (NLB) with the target type ip for workloads on hybrid nodes connected with {aws} Direct Connect or {aws} Site-to-Site VPN. The IP target(s) used with the ALB or NLB must be routable from {aws}. The {aws} Load Balancer controller also uses https://kubernetes.io/docs/reference/access-authn-authz/webhook/[webhooks]. If you run the {aws} Load Balancer Controller operator on hybrid nodes, your on-premises pod CIDR must be routable on your on-premises network and you must configure your EKS cluster with your remote pod network. For more information, see <>. To install the {aws} Load Balancer Controller, follow the steps at <> or <>. diff --git a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc index 50c0ea04e..7b0470783 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc @@ -98,7 +98,7 @@ You need to install the latest version of the `eksctl` command line tool. To ins .. Replace `CA_BUNDLE_CERT` if your credential provider is set to `ira`, which uses {aws} IAM Roles Anywhere as the credential provider. The CA_BUNDLE_CERT is the certificate authority (CA) certificate body and depends on your choice of CA. The certificate must be in Privacy Enhanced Mail (PEM) format. .. Replace `GATEWAY_ID` with the ID of your virtual private gateway or transit gateway to be attached to your VPC. .. Replace `REMOTE_NODE_CIDRS` with the on-premises node CIDR for your hybrid nodes. -.. Replace `REMOTE_POD_CIDRS` with the on-premises pod CIDR for workloads running on hybrid nodes or remove the line from your configuration if you are not running webhooks on hybrid nodes. You must configure your `REMOTE_POD_CIDRS` if your CNI does not use Network Address Translation (NAT) or masquerading for pod IP addresses when pod traffic leaves your on-premises hosts. You must configure `REMOTE_POD_CIDRS` if you are running webhooks on hybrid nodes. +.. Replace `REMOTE_POD_CIDRS` with the on-premises pod CIDR for workloads running on hybrid nodes or remove the line from your configuration if you are not running webhooks on hybrid nodes. You must configure your `REMOTE_POD_CIDRS` if your CNI does not use Network Address Translation (NAT) or masquerading for pod IP addresses when pod traffic leaves your on-premises hosts. You must configure `REMOTE_POD_CIDRS` if you are running webhooks on hybrid nodes, see <> for more information. .. Your on-premises node and pod CIDR blocks must meet the following requirements: ... Be within one of the IPv4 RFC-1918 ranges: `10.0.0.0/8`, `172.16.0.0/12`, or `192.168.0.0/16`. ... Not overlap with each other, the `VPC CIDR` for your cluster, or your Kubernetes service IPv4 CIDR @@ -160,7 +160,7 @@ curl -OL 'https://raw.githubusercontent.com/aws/eks-hybrid/refs/heads/main/examp .. `SUBNET2_ID`: the ID of the second subnet you created in the prerequisite steps .. `SG_ID`: the security group ID you created in the prerequisite steps .. `REMOTE_NODE_CIDRS`: the on-premises node CIDR for your hybrid nodes -.. `REMOTE_POD_CIDRS`: the on-premises pod CIDR for workloads running on hybrid nodes. You must configure your `REMOTE_POD_CIDRS` if your CNI does not use Network Address Translation (NAT) or masquerading for pod IP addresses when pod traffic leaves your on-premises hosts. You must configure `REMOTE_POD_CIDRS` if you are running webhooks on hybrid nodes. +.. `REMOTE_POD_CIDRS`: the on-premises pod CIDR for workloads running on hybrid nodes. You must configure your `REMOTE_POD_CIDRS` if your CNI does not use Network Address Translation (NAT) or masquerading for pod IP addresses when pod traffic leaves your on-premises hosts. You must configure `REMOTE_POD_CIDRS` if you are running webhooks on hybrid nodes, see <> for more information. .. Your on-premises node and pod CIDR blocks must meet the following requirements: ... Be within one of the IPv4 RFC-1918 ranges: `10.0.0.0/8`, `172.16.0.0/12`, or `192.168.0.0/16`. ... Not overlap with each other, the `VPC CIDR` for your cluster, or your Kubernetes service IPv4 CIDR. @@ -186,7 +186,7 @@ curl -OL 'https://raw.githubusercontent.com/aws/eks-hybrid/refs/heads/main/examp } ---- -. Deploy the CloudFormation stack. Replace `STACK_NAME` with your name for the CloudFormation stack and AWS_REGION with your desired {aws} Region where the cluster will be created. +. Deploy the CloudFormation stack. Replace `STACK_NAME` with your name for the CloudFormation stack and `AWS_REGION` with your desired {aws} Region where the cluster will be created. + [source,bash,subs="verbatim,attributes"] ---- diff --git a/latest/ug/nodes/hybrid-nodes-cni.adoc b/latest/ug/nodes/hybrid-nodes-cni.adoc index 48529d1e7..8e9861c14 100644 --- a/latest/ug/nodes/hybrid-nodes-cni.adoc +++ b/latest/ug/nodes/hybrid-nodes-cni.adoc @@ -7,20 +7,20 @@ include::../attributes.txt[] [abstract] -- -Configure a CNI for Amazon EKS hybrid nodes +Configure a CNI for hybrid nodes -- Cilium and Calico are supported as the Container Networking Interfaces (CNIs) for Amazon EKS Hybrid Nodes. You must install a CNI for hybrid nodes to become ready to serve workloads. Hybrid nodes appear with status `Not Ready` until a CNI is running. You can manage these CNIs with your choice of tools such as Helm. The Amazon VPC CNI is not compatible with hybrid nodes and the VPC CNI is configured with anti-affinity for the `eks.amazonaws.com/compute-type: hybrid` label. == CNI version compatibility -Calico version `3.29.x` is supported and recommended for EKS Hybrid Nodes for every Kubernetes version supported in Amazon EKS. - Cilium version `1.16.x` is supported and recommended for EKS Hybrid Nodes for every Kubernetes version supported in Amazon EKS. +Calico version `3.29.x` is supported and recommended for EKS Hybrid Nodes for every Kubernetes version supported in Amazon EKS. + == Supported capabilities -{aws} supports the following capabilities of Cilium and Calico for use with hybrid nodes. If you plan to use functionality outside the scope of {aws} support, we recommend that you obtain commercial support for the plugin or have the in-house expertise to troubleshoot and contribute fixes to the CNI plugin project. +{aws} provides technical support for the following capabilities of Cilium and Calico for use with hybrid nodes. If you plan to use functionality outside the scope of {aws} support, we recommend that you obtain commercial support for the plugin or have the in-house expertise to troubleshoot and contribute fixes to the CNI plugin project. [cols="1,1,1", options="header"] @@ -62,9 +62,17 @@ Cilium version `1.16.x` is supported and recommended for EKS Hybrid Nodes for ev |Yes |=== +== Cilium considerations + +- By default, Cilium is configured to run in overlay / tunnel mode with VXLAN as the link:https://docs.cilium.io/en/stable/network/concepts/routing/#encapsulation[encapsulation method]. This mode has the fewest requirements on the underlying physical network. +- By default, Cilium link:https://docs.cilium.io/en/stable/network/concepts/masquerading/[masquerades] the source IP address of all pod traffic leaving the cluster to the IP address of the node. This makes it possible to run Cilium with hybrid nodes, whether or not remote pod networks are configured on the cluster. If you disable masquerading, then your pod CIDRs must be routable on your on-premises network and you must configure your Amazon EKS cluster with your remote pod networks. +- If you are running webhooks on your hybrid nodes, your pod CIDRs must be routable on your on-premises network and you must configure your Amazon EKS cluster with your remote pod networks. If your pod CIDRs are not routable on your on-premises network, then it is recommended to run webhooks on cloud nodes in the same cluster. See <> for more information. +- A common way to make your pod CIDR routable on your on-premises network is to advertise pod addresses with BGP. To use BGP with Cilium, you must set `bgpControlPlane.enabled: true` in your Helm configuration. For more information on Cilium's BGP support, see https://docs.cilium.io/en/stable/network/bgp-control-plane/bgp-control-plane/[Cilium BGP Control Plane] in the Cilium documentation. +- The default IP Address Management (IPAM) in Cilium is called link:https://docs.cilium.io/en/stable/network/concepts/ipam/cluster-pool/[Cluster Scope], where the Cilium operator allocates IP addresses for each node based on user-configured pod CIDRs. The pod CIDRs are configured with the `clusterPoolIPv4PodCIDRList` Helm value, which should match the remote pod network CIDRs you configured for your Amazon EKS cluster. Cilium allocates segments from the `clusterPoolIPv4PodCIDRList` to each node. The size of the per node segments is configured with the `clusterPoolIPv4MaskSize` Helm value. For more information on the `clusterPoolIPv4PodCIDRList` and `clusterPoolIPv4MaskSize`, see https://docs.cilium.io/en/stable/network/concepts/ipam/cluster-pool/#expanding-the-cluster-pool[Expanding the cluster pool] in the Cilium documentation. + == Install Cilium on hybrid nodes -. Ensure that you have installed the helm CLI on your command-line environment. See the https://helm.sh/docs/intro/quickstart/[Helm documentation] for installation instructions. +. Ensure that you have installed the Helm CLI on your command-line environment. See the https://helm.sh/docs/intro/quickstart/[Helm documentation] for installation instructions. . Install the Cilium Helm repo. + [source,bash,subs="verbatim,attributes"] @@ -72,13 +80,14 @@ Cilium version `1.16.x` is supported and recommended for EKS Hybrid Nodes for ev helm repo add cilium https://helm.cilium.io/ ---- -. Create a YAML file called `cilium-values.yaml`. If you configured at least one _remote pod network_, configure the same pod CIDRs for your `clusterPoolIPv4PodCIDRList`. You shouldn't change your `clusterPoolIPv4PodCIDRList` after deploying Cilium on your cluster. You can configure `clusterPoolIPv4MaskSize` based on your required pods per node, see https://docs.cilium.io/en/stable/network/concepts/ipam/cluster-pool/#expanding-the-cluster-pool[Expanding the cluster pool] in the Cilium documentation. For a full list of Helm values for Cilium, see the https://docs.cilium.io/en/stable/helm-reference/[Helm reference] in the Cilium documentation. The following example configures all of the Cilium components to run on only the hybrid nodes, since they have the `eks.amazonaws.com/compute-type: hybrid` label. -+ -By default, Cilium masquerades the source IP address of all pod traffic leaving the cluster to the IP address of the node. This makes it possible for Cilium to run with Amazon EKS clusters that have remote pod networks configured and with clusters that don't have remote pod networks configured. If you disable masquerading for your Cilium deployment, then you must configure your Amazon EKS cluster with your remote pod networks and you must advertise your pod addresses with your on-premises network. If you are running webhooks on your hybrid nodes, you must configure your cluster with your remote pod networks and you must advertise your pod addresses with your on-premises network. -+ -A common way to advertise pod addresses with your on-premises network is by using BGP. To use BGP with Cilium, you must set `bgpControlPlane.enabled: true`. For more information on Cilium's BGP support, see https://docs.cilium.io/en/stable/network/bgp-control-plane/bgp-control-plane/[Cilium BGP Control Plane] in the Cilium documentation. +. Create a YAML file called `cilium-values.yaml`. The following example configures Cilium to run only on hybrid nodes by setting affinity for the `eks.amazonaws.com/compute-type: hybrid` label. + +- If you configured your Amazon EKS cluster with _remote pod networks_, configure the same pod CIDRs for your `clusterPoolIPv4PodCIDRList`. For example, `10.100.0.0/24`. Your on-premises pod CIDR must not overlap with your on-premises node CIDR when running the CNI in overlay / tunnel mode. +- Configure `clusterPoolIPv4MaskSize` based on your required pods per node. For example, `25` for a /25 segment size of 128 pods per node. +- You should not change your `clusterPoolIPv4PodCIDRList` or `clusterPoolIPv4MaskSize` after deploying Cilium on your cluster, see https://docs.cilium.io/en/stable/network/concepts/ipam/cluster-pool/#expanding-the-cluster-pool[Expanding the cluster pool] in the Cilium documentation. +- For a full list of Helm values for Cilium, see the https://docs.cilium.io/en/stable/helm-reference/[Helm reference] in the Cilium documentation. + -[source,bash,subs="verbatim,attributes"] +[source,bash,subs="verbatim,attributes,quotes"] ---- affinity: nodeAffinity: @@ -92,9 +101,9 @@ affinity: ipam: mode: cluster-pool operator: - clusterPoolIPv4MaskSize: 25 + clusterPoolIPv4MaskSize: [.replaceable]`25` clusterPoolIPv4PodCIDRList: - - POD_CIDR + - [.replaceable]`POD_CIDR` operator: affinity: nodeAffinity: @@ -111,7 +120,10 @@ envoy: enabled: false ---- -. Install Cilium on your cluster. Replace `CILIUM_VERSION` with your desired Cilium version. It is recommended to run the latest patch version for your Cilium minor version. You can find the latest patch release for a given minor Cilium release in the https://github.com/cilium/cilium#stable-releases[Stable Releases section] of the Cilium documentation. If you are enabling BGP for your deployment, add the `--set bgpControlPlane.enabled=true` flag in the command below. If you are using a specific kubeconfig file, use the `--kubeconfig` flag with the Helm install command. +. Install Cilium on your cluster. +- Replace `CILIUM_VERSION` with your desired Cilium version. It is recommended to run the latest patch version for your Cilium minor version. You can find the latest patch release for a given minor Cilium release in the https://github.com/cilium/cilium#stable-releases[Stable Releases section] of the Cilium documentation. +- If you are enabling BGP for your deployment, add the `--set bgpControlPlane.enabled=true` flag in the command below. +- If you are using a specific kubeconfig file, use the `--kubeconfig` flag with the Helm install command. + [source,bash,subs="verbatim,attributes,quotes"] ---- @@ -146,9 +158,9 @@ NAME STATUS ROLES AGE VERSION mi-04a2cf999b7112233 Ready 19m v1.31.0-eks-a737599 ---- -. To use BGP with Cilium to advertise your pod addresses with your on-premises network, you must have installed Cilium with `bgpControlPlane.enabled: true`. To configure BGP in Cilium, first create a file called `cilium-bgp-cluster.yaml` with a `CiliumBGPClusterConfig` with the `peerAddress` set to your on-premises router IP that you are peering with. Configure the `localASN` and `peerASN` based on your on-premises router configuration. +. To use BGP with Cilium to advertise your pod addresses with your on-premises network, you must have installed Cilium with `bgpControlPlane.enabled: true`. To configure BGP in Cilium, first create a file called `cilium-bgp-cluster.yaml` with a `CiliumBGPClusterConfig` with the `peerAddress` set to your on-premises router IP that you are peering with. Configure the `localASN` and `peerASN` based on your on-premises router configuration, which you may have to obtain from your network administrator. + -[source,yaml,subs="verbatim,attributes"] +[source,yaml,subs="verbatim,attributes,quotes"] ---- apiVersion: cilium.io/v2alpha1 kind: CiliumBGPClusterConfig @@ -163,11 +175,11 @@ spec: - hybrid bgpInstances: - name: "rack0" - localASN: ONPREM_ROUTER_ASN + localASN: [.replaceable]`ONPREM_ROUTER_ASN` peers: - name: "onprem-router" - peerASN: PEER_ASN - peerAddress: ONPREM_ROUTER_IP + peerASN: [.replaceable]`PEER_ASN` + peerAddress: [.replaceable]`ONPREM_ROUTER_IP` peerConfigRef: name: "cilium-peer" ---- @@ -301,11 +313,11 @@ helm uninstall cilium-preflight --namespace kube-system + Before running the helm upgrade command, preserve the values for your deployment in a `cilium-values.yaml` or use `--set` command line options for your settings. The upgrade operation overwrites the Cilium ConfigMap, so it is critical that your configuration values are passed when you upgrade. If you are using BGP, it is recommended to use the `--set bgpControlPlane=true` command line option instead of supplying this information in your values file. + -[source,bash,subs="verbatim,attributes"] +[source,bash,subs="verbatim,attributes,quotes"] ---- -helm upgrade cilium cilium/cilium --version CILIUM_VERSION \ +helm upgrade cilium cilium/cilium --version [.replaceable]`CILIUM_VERSION` \ --namespace kube-system \ - --set upgradeCompatibility=1.X \ + --set upgradeCompatibility=[.replaceable]`1.X` \ -f cilium-values.yaml ---- @@ -337,6 +349,14 @@ The interfaces and routes configured by Cilium are not removed by default when t kubectl get crds -oname | grep "cilium" | xargs kubectl delete ---- +== Calico considerations + +- It is recommended to run Calico in overlay / tunnel mode with VXLAN as the link:https://docs.tigera.io/calico/latest/networking/configuring/vxlan-ipip[encapsulation method]. This mode has the fewest requirements on the underlying physical network. For more information on the different Calico networking modes, see https://docs.tigera.io/calico/latest/networking/determine-best-networking[Determining the best networking option] in the Calico documentation. +- It is recommended to run Calico with `natOutgoing` set to `true`. With `natOutgoing` set to `true`, the source IP address of all pod traffic leaving the cluster is translated to the IP address of the node. This makes it possible to run Calico with Amazon EKS clusters, whether or not remote pod networks are configured on the cluster. If you disable `natOutgoing`, then your pod CIDRs must be routable on your on-premises network and you must configure your Amazon EKS cluster with your remote pod networks. +- If you are running webhooks on your hybrid nodes, your pod CIDRs must be routable on your on-premises network and you must configure your Amazon EKS cluster with your remote pod networks. If your pod CIDRs are not routable on your on-premises network, then it is recommended to run webhooks on cloud nodes in the same cluster. See <> for more information. +- A common way to make your pod CIDR routable on your on-premises network is to advertise pod addresses with BGP. To use BGP with Calico, you must set `installation.calicoNetwork.bgp: Enabled` in your Helm configuration. For more information on Calico's BGP support, see link:https://docs.tigera.io/calico/latest/networking/configuring/bgp[Configure BGP peering] in the Calico documentation. +- The default IP Address Management (IPAM) in Calico is called link:https://docs.tigera.io/calico/latest/networking/ipam/get-started-ip-addresses#calico-ipam[Calico IPAM], where the `calico-ipam` plugin allocates IP addresses for each node based on user-configured pod CIDRs. The pod CIDRs are configured with the `installation.calicoNetwork.ipPools.cidr` Helm value, which should match the remote pod network CIDRs you configured for your Amazon EKS cluster. Calico allocates segments from the `ipPools.cidr` to each node. The size of the per node segments is configured with the `ipPools.blockSize` Helm value. For more information on IPAM with Calico, see link:https://docs.tigera.io/calico/latest/networking/ipam/get-started-ip-addresses[Get started with IP address management] in the Calico documentation. + == Install Calico on hybrid nodes . Ensure that you have installed the helm CLI on your command-line environment. See the https://helm.sh/docs/intro/quickstart/[Helm documentation] for installation instructions. @@ -347,12 +367,12 @@ kubectl get crds -oname | grep "cilium" | xargs kubectl delete helm repo add projectcalico https://docs.tigera.io/calico/charts ---- -. Create a YAML file called `calico-values.yaml` that configures Calico with affinity to run on hybrid nodes. For more information on the different Calico networking modes, see https://docs.tigera.io/calico/latest/networking/determine-best-networking[Determining the best networking option] in the Calico documentation. -.. Replace `POD_CIDR` with the CIDR ranges for your pods. If you configured your Amazon EKS cluster with remote pod networks, the `POD_CIDR` that you specify for Calico should be the same as the remote pod networks. For example, `10.100.0.0/24`. -.. Replace `CIDR_SIZE` with the size of the CIDR segment you want to allocate to each node. For example, `25` for a /25 segment size. For more information on CIDR `blockSize` and changing the `blockSize`, see https://docs.tigera.io/calico/latest/networking/ipam/change-block-size[Change IP pool block size] in the Calico documentation. -.. In the example below, `natOutgoing` is enabled and `bgp` is disabled. In this configuration, Calico can run on Amazon EKS clusters that have Remote Pod Network configured and can run on clusters that do not have Remote Pod Network configured. If you have `natOutgoing` set to disabled, you must configure your cluster with your remote pod networks and your on-premises network must be able to properly route traffic destined for your pod CIDRs. A common way to advertise pod addresses with your on-premises network is by using BGP. To use BGP with Calico, you must enable `bgp`. The example below configures all of the Calico components to run on only the hybrid nodes, since they have the `eks.amazonaws.com/compute-type: hybrid` label. If you are running webhooks on your hybrid nodes, you must configure your cluster with your Remote Pod Networks and you must advertise your pod addresses with your on-premises network. The example below configures `controlPlaneReplicas: 1`, increase the value if you have multiple hybrid nodes and want to run the Calico control plane components in a highly available fashion. +. Create a YAML file called `calico-values.yaml`. The following example configures all Calico components to run only on hybrid nodes by setting affinity for the `eks.amazonaws.com/compute-type: hybrid` label. +- Replace `POD_CIDR` with the CIDR ranges for your pods. If you configured your Amazon EKS cluster with remote pod networks, the `POD_CIDR` that you specify for Calico should be the same as the remote pod networks. For example, `10.100.0.0/24`. Your on-premises pod CIDR must not overlap with your on-premises node CIDR when running the CNI in overlay / tunnel mode. +- Replace `CIDR_SIZE` with the size of the CIDR segment you want to allocate to each node. For example, `25` for a /25 segment size of 128 pod addresses per node. For more information on CIDR `blockSize` and changing the `blockSize`, see https://docs.tigera.io/calico/latest/networking/ipam/change-block-size[Change IP pool block size] in the Calico documentation. +- In the example below, `natOutgoing` is enabled and `bgp` is disabled. Modify these values based on your target configuration. + -[source,yaml,subs="verbatim,attributes"] +[source,yaml,subs="verbatim,attributes,quotes"] ---- installation: enabled: true @@ -361,10 +381,10 @@ installation: ipam: type: Calico calicoNetwork: - bgp: Disabled + bgp: [.replaceable]`Disabled` ipPools: - - cidr: POD_CIDR - blockSize: CIDR_SIZE + - cidr: [.replaceable]`POD_CIDR` + blockSize: [.replaceable]`CIDR_SIZE` encapsulation: VXLAN natOutgoing: Enabled nodeSelector: eks.amazonaws.com/compute-type == "hybrid" @@ -397,7 +417,9 @@ installation: eks.amazonaws.com/compute-type: hybrid ---- -. Install Calico on your cluster. Replace `CALICO_VERSION` with your desired Calico version (for example 3.29.0), see the https://github.com/projectcalico/calico/releases[Calico releases] to find the latest patch release for your Calico minor version. It is recommended to run the latest patch version for the Calico minor version. If you are using a specific `kubeconfig` file, use the `--kubeconfig` flag. +. Install Calico on your cluster. +- Replace `CALICO_VERSION` with your desired Calico version (for example 3.29.0), see the https://github.com/projectcalico/calico/releases[Calico releases] to find the latest patch release for your Calico minor version. It is recommended to run the latest patch version for the Calico minor version. +- If you are using a specific `kubeconfig` file, use the `--kubeconfig` flag. + [source,bash,subs="verbatim,attributes,quotes"] ---- @@ -438,7 +460,7 @@ kubectl get nodes NAME STATUS ROLES AGE VERSION mi-0c6ec2f6f79176565 Ready 5h13m v1.31.0-eks-a737599 ---- -. If you installed Calico without BGP, skip this step. To configure BGP, create a file called `calico-bgp.yaml` with a `BGPPeer` configuration and a `BGPConfiguration`. It is important to distinguish `BGPPeer` and `BGPConfiguration`. The `BGPPeer` is the BGP-enabled router or remote resource with which the nodes in a Calico cluster will peer. The `asNumber` in the `BGPPeer` configuration is similar to the Cilium setting `peerASN` . The `BGPConfiguration` is applied to each Calico node and the `asNumber` for the `BGPConfiguration` is equivalent to the Cilium setting `localASN`. Replace `ONPREM_ROUTER_IP`, `ONPREM_ROUTER_ASN`, and `LOCAL_ASN` in the example below with the values for your on-premises environment. The `keepOriginalNextHop: true` setting is used to ensure each node advertises only the pod network CIDR that it owns. +. If you installed Calico without BGP, skip this step. To configure BGP, create a file called `calico-bgp.yaml` with a `BGPPeer` configuration and a `BGPConfiguration`. It is important to distinguish `BGPPeer` and `BGPConfiguration`. The `BGPPeer` is the BGP-enabled router or remote resource with which the nodes in a Calico cluster will peer. The `asNumber` in the `BGPPeer` configuration is similar to the Cilium setting `peerASN` . The `BGPConfiguration` is applied to each Calico node and the `asNumber` for the `BGPConfiguration` is equivalent to the Cilium setting `localASN`. Replace `ONPREM_ROUTER_IP`, `ONPREM_ROUTER_ASN`, and `LOCAL_ASN` in the example below with the values for your on-premises environment, which you may have to obtain from your network administrator. The `keepOriginalNextHop: true` setting is used to ensure each node advertises only the pod network CIDR that it owns. + [source,bash,subs="verbatim,attributes,quotes"] ---- @@ -502,7 +524,7 @@ kubectl apply --server-side --force-conflicts \ -f https://raw.githubusercontent.com/projectcalico/calico/[.replaceable]`CALICO_VERSION`/manifests/operator-crds.yaml ---- -. Run `helm upgrade` to upgrade your Calico deployment. Replace CALICO_VERSION with the version you are upgrading to, for example `v3.29.0`. Create the `calico-values.yaml` file from the configuration values that you used to install Calico. +. Run `helm upgrade` to upgrade your Calico deployment. Replace `CALICO_VERSION` with the version you are upgrading to, for example `v3.29.0`. Create the `calico-values.yaml` file from the configuration values that you used to install Calico. + [source,bash,subs="verbatim,attributes,quotes"] ---- diff --git a/latest/ug/nodes/hybrid-nodes-creds.adoc b/latest/ug/nodes/hybrid-nodes-creds.adoc index ad9234214..9226ce905 100644 --- a/latest/ug/nodes/hybrid-nodes-creds.adoc +++ b/latest/ug/nodes/hybrid-nodes-creds.adoc @@ -16,6 +16,7 @@ Prepare credentials to authenticate hybrid nodes with Amazon EKS clusters Amazon EKS Hybrid Nodes use temporary IAM credentials provisioned by {aws} SSM hybrid activations or {aws} IAM Roles Anywhere to authenticate with the Amazon EKS cluster. You must use either {aws} SSM hybrid activations or {aws} IAM Roles Anywhere with the Amazon EKS Hybrid Nodes CLI (`nodeadm`). You should not use both {aws} SSM hybrid activations and {aws} IAM Roles Anywhere. It is recommended to use {aws} SSM hybrid activations if you do not have existing Public Key Infrastructure (PKI) with a Certificate Authority (CA) and certificates for your on-premises environments. If you do have existing PKI and certificates on-premises, use {aws} IAM Roles Anywhere. +[#hybrid-nodes-role] == Hybrid Nodes IAM Role Before you can connect hybrid nodes to your Amazon EKS cluster, you must create an IAM role that will be used with {aws} SSM hybrid activations or {aws} IAM Roles Anywhere for your hybrid nodes credentials. After cluster creation, you will use this role with an Amazon EKS access entry or `aws-auth` ConfigMap entry to map the IAM role to Kubernetes Role-Based Access Control (RBAC). For more information on associating the Hybrid Nodes IAM role with Kubernetes RBAC, see <>. @@ -30,9 +31,10 @@ link:aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html[,Amaz * If using {aws} SSM, permissions to use the `ssm:DeregisterManagedInstance` action and `ssm:DescribeInstanceInformation` action for `nodeadm uninstall` to deregister instances. * (Optional) Permissions for the Amazon EKS Pod Identity Agent to use the `eks-auth:AssumeRoleForPodIdentity` action to retrieve credentials for pods. +[#hybrid-nodes-ssm] == Setup {aws} SSM hybrid activations -Before setting up {aws} SSM hybrid activations, you must have a Hybrid Nodes IAM role created and configured. For more information, see <>. Follow the instructions at link:systems-manager/latest/userguide/hybrid-activation-managed-nodes.html[Create a hybrid activation to register nodes with Systems Manager,type="documentation"] in the {aws} Systems Manager User Guide to create an {aws} SSM hybrid activation for your hybrid nodes. The Activation Code and ID you receive is used with `nodeadm` when you register your hosts as hybrid nodes with your Amazon EKS cluster. You can come back to this step at a later point after you have created and prepared your Amazon EKS clusters for hybrid nodes. +Before setting up {aws} SSM hybrid activations, you must have a Hybrid Nodes IAM role created and configured. For more information, see hybrid-nodes-create-role>>. Follow the instructions at link:systems-manager/latest/userguide/hybrid-activation-managed-nodes.html[Create a hybrid activation to register nodes with Systems Manager,type="documentation"] in the {aws} Systems Manager User Guide to create an {aws} SSM hybrid activation for your hybrid nodes. The Activation Code and ID you receive is used with `nodeadm` when you register your hosts as hybrid nodes with your Amazon EKS cluster. You can come back to this step at a later point after you have created and prepared your Amazon EKS clusters for hybrid nodes. [IMPORTANT] ==== @@ -58,6 +60,7 @@ aws ssm create-activation \ Review the instructions on link:systems-manager/latest/userguide/hybrid-activation-managed-nodes.html[Create a hybrid activation to register nodes with Systems Manager,type="documentation"] for more information about the available configuration settings for {aws} SSM hybrid activations. +[#hybrid-nodes-iam-roles-anywhere] == Setup {aws} IAM Roles Anywhere Follow the instructions at link:rolesanywhere/latest/userguide/getting-started.html[Getting started with IAM Roles Anywhere,type="documentation"] in the IAM Roles Anywhere User Guide to set up the trust anchor and profile you will use for temporary IAM credentials for your Hybrid Nodes IAM role. When you create your profile, you can create it without adding any roles. You can create this profile, return to these steps to create your Hybrid Nodes IAM role, and then add your role to your profile after it is created. You can alternatively use the {aws} CloudFormation steps later on this page to complete your IAM Roles Anywhere setup for hybrid nodes. @@ -68,6 +71,7 @@ You can configure the credential validity duration with {aws} IAM Roles Anywhere The per-machine certificates and keys you generate from your certificate authority (CA) must be placed in the `/etc/iam/pki` directory on each hybrid node with the file names `server.pem` for the certificate and `server.key` for the key. +[#hybrid-nodes-create-role] == Create the Hybrid Nodes IAM role To run the steps in this section, the IAM principal using the {aws} console or {aws} CLI must have the following permissions. @@ -306,9 +310,9 @@ aws iam attach-role-policy \ *Steps for {aws} IAM Roles Anywhere* -To use {aws} IAM Roles Anywhere, you must set up your {aws} IAM Roles Anywhere trust anchor before creating the Hybrid Nodes IAM Role. See <> for instructions. +To use {aws} IAM Roles Anywhere, you must set up your {aws} IAM Roles Anywhere trust anchor before creating the Hybrid Nodes IAM Role. See hybrid-nodes-iam-roles-anywhere>> for instructions. -. Create a file named `eks-hybrid-iamra-trust.json`. Replace `TRUST_ANCHOR ARN` with the ARN of the trust anchor you created in the <> steps. The condition in this trust policy restricts the ability of {aws} IAM Roles Anywhere to assume the Hybrid Nodes IAM role to exchange temporary IAM credentials only when the role session name matches the CN in the x509 certificate installed on your hybrid nodes. You can alternatively use other certificate attributes to uniquely identify your node. The certificate attribute that you use in the trust policy must correspond to the `nodeName` you set in your `nodeadm` configuration. For more information, see the <>. +. Create a file named `eks-hybrid-iamra-trust.json`. Replace `TRUST_ANCHOR ARN` with the ARN of the trust anchor you created in the hybrid-nodes-iam-roles-anywhere>> steps. The condition in this trust policy restricts the ability of {aws} IAM Roles Anywhere to assume the Hybrid Nodes IAM role to exchange temporary IAM credentials only when the role session name matches the CN in the x509 certificate installed on your hybrid nodes. You can alternatively use other certificate attributes to uniquely identify your node. The certificate attribute that you use in the trust policy must correspond to the `nodeName` you set in your `nodeadm` configuration. For more information, see the <>. + [source,json,subs="verbatim,attributes"] ---- @@ -471,13 +475,13 @@ aws iam attach-role-policy \ *Steps for {aws} IAM Roles Anywhere* -To use {aws} IAM Roles Anywhere, you must set up your {aws} IAM Roles Anywhere trust anchor before creating the Hybrid Nodes IAM Role. See <> for instructions. +To use {aws} IAM Roles Anywhere, you must set up your {aws} IAM Roles Anywhere trust anchor before creating the Hybrid Nodes IAM Role. See hybrid-nodes-iam-roles-anywhere>> for instructions. . Open the link:iam/home#/clusters[Amazon IAM console,type="console"] . In the left navigation pane, choose *Roles*. . On the *Roles* page, choose *Create role*. . On the *Select trusted entity* page, do the following: -.. In the *Trusted entity type section*, choose *Custom trust policy*. Paste the following into the Custom trust policy editor. Replace `TRUST_ANCHOR ARN` with the ARN of the trust anchor you created in the <> steps. The condition in this trust policy restricts the ability of {aws} IAM Roles Anywhere to assume the Hybrid Nodes IAM role to exchange temporary IAM credentials only when the role session name matches the CN in the x509 certificate installed on your hybrid nodes. You can alternatively use other certificate attributes to uniquely identify your node. The certificate attribute that you use in the trust policy must correspond to the nodeName you set in your nodeadm configuration. For more information, see the <>. +.. In the *Trusted entity type section*, choose *Custom trust policy*. Paste the following into the Custom trust policy editor. Replace `TRUST_ANCHOR ARN` with the ARN of the trust anchor you created in the hybrid-nodes-iam-roles-anywhere>> steps. The condition in this trust policy restricts the ability of {aws} IAM Roles Anywhere to assume the Hybrid Nodes IAM role to exchange temporary IAM credentials only when the role session name matches the CN in the x509 certificate installed on your hybrid nodes. You can alternatively use other certificate attributes to uniquely identify your node. The certificate attribute that you use in the trust policy must correspond to the nodeName you set in your nodeadm configuration. For more information, see the <>. + [source,json,subs="verbatim,attributes"] ---- diff --git a/latest/ug/nodes/hybrid-nodes-networking.adoc b/latest/ug/nodes/hybrid-nodes-networking.adoc index 4d8d195ca..5ba0493b4 100644 --- a/latest/ug/nodes/hybrid-nodes-networking.adoc +++ b/latest/ug/nodes/hybrid-nodes-networking.adoc @@ -24,14 +24,18 @@ For an optimal experience, {aws} recommends reliable network connectivity of at *On-premises node and pod CIDRs* -Identify the node and pod CIDRs you will use for your hybrid nodes and the workloads running on them. The node CIDR is allocated from your on-premises network and the pod CIDR is allocated from your Container Network Interface (CNI) if you are using an overlay network for your CNI. You pass your on-premises node CIDRs and optionally pod CIDRs as inputs when you create your Amazon EKS cluster with the `RemoteNodeNetwork` and `RemotePodNetwork` fields. +Identify the node and pod CIDRs you will use for your hybrid nodes and the workloads running on them. The node CIDR is allocated from your on-premises network and the pod CIDR is allocated from your Container Network Interface (CNI) if you are using an overlay network for your CNI. You pass your on-premises node CIDRs and optionally pod CIDRs as inputs when you create your EKS cluster with the `RemoteNodeNetwork` and `RemotePodNetwork` fields. The on-premises node and pod CIDR blocks must meet the following requirements: 1. Be within one of the following `IPv4` RFC-1918 ranges: `10.0.0.0/8`, `172.16.0.0/12`, or `192.168.0.0/16`. -2. Not overlap with each other, the VPC CIDR for your Amazon EKS cluster, or your Kubernetes service `IPv4` CIDR. +2. Not overlap with each other, the VPC CIDR for your EKS cluster, or your Kubernetes service `IPv4` CIDR. -If your CNI performs Network Address Translation (NAT) for pod traffic as it leaves your on-premises hosts, you do not need to advertise your pod CIDR to your on-premises network or configure your Amazon EKS cluster with your _remote pod network_ for hybrid nodes to become ready to workloads. If your CNI does not use NAT for pod traffic as it leaves your on-premises hosts, you must advertise your pod CIDR with your on-premises network and you must configure your Amazon EKS cluster with your remote pod network for hybrid nodes to become ready to workloads. If you are running webhooks on your hybrid nodes, you must advertise your pod CIDR to your on-premises network and configure your Amazon EKS cluster with your remote pod network so the Amazon EKS control plane can directly connect to the webhooks running on hybrid nodes. +If your CNI performs Network Address Translation (NAT) for pod traffic as it leaves your on-premises hosts, you do not need to make your pod CIDR routable on your on-premises network or configure your EKS cluster with your _remote pod network_ for hybrid nodes to become ready to workloads. If your CNI does not use NAT for pod traffic as it leaves your on-premises hosts, your pod CIDR must be routable on your on-premises network and you must configure your EKS cluster with your remote pod network for hybrid nodes to become ready to workloads. + +There are several techniques you can use to make your pod CIDR routable on your on-premises network including Border Gateway Protocol (BGP), static routes, or other custom routing solutions. BGP is the recommended solution as it is more scalable and easier to manage than alternative solutions that require custom or manual route configuration. {aws} supports the BGP capabilities of Cilium and Calico for advertising hybrid nodes pod CIDRs, see <> for more information. + +If you are running webhooks on hybrid nodes, your pod CIDR must be routable on your on-premises network and you must configure your EKS cluster with your remote pod network so the EKS control plane can directly communicate with the webhooks running on hybrid nodes. If you cannot make your pod CIDR routable on your on-premises network but need to run webhooks, it is recommended to run webhooks on cloud nodes in the same EKS cluster. For more information on running webhooks on cloud nodes, see <>. *Access required during hybrid node installation and upgrade* @@ -194,12 +198,12 @@ Depending on your choice of CNI, you need to configure additional network access [NOTE] ==== -^1^ The IPs of the Amazon EKS cluster. See the following section on Amazon EKS elastic network interfaces. +^1^ The IPs of the EKS cluster. See the following section on Amazon EKS elastic network interfaces. ==== *Amazon EKS network interfaces* -Amazon EKS attaches network interfaces to the subnets in the VPC you pass during cluster creation to enable the communication between the Amazon EKS control plane and your VPC. The network interfaces that Amazon EKS creates can be found after cluster creation in the Amazon EC2 console or with the {aws} CLI. The original network interfaces are deleted and new network interfaces are created when changes are applied on your Amazon EKS cluster, such as Kubernetes version upgrades. You can restrict the IP range for the Amazon EKS network interfaces by using constrained subnet sizes for the subnets you pass during cluster creation, which makes it easier to configure your on-premises firewall to allow inbound/outbound connectivity to this known, constrained set of IPs. To control which subnets network interfaces are created in, you can limit the number of subnets you specify when you create a cluster or you can update the subnets after creating the cluster. +Amazon EKS attaches network interfaces to the subnets in the VPC you pass during cluster creation to enable the communication between the EKS control plane and your VPC. The network interfaces that Amazon EKS creates can be found after cluster creation in the Amazon EC2 console or with the {aws} CLI. The original network interfaces are deleted and new network interfaces are created when changes are applied on your EKS cluster, such as Kubernetes version upgrades. You can restrict the IP range for the Amazon EKS network interfaces by using constrained subnet sizes for the subnets you pass during cluster creation, which makes it easier to configure your on-premises firewall to allow inbound/outbound connectivity to this known, constrained set of IPs. To control which subnets network interfaces are created in, you can limit the number of subnets you specify when you create a cluster or you can update the subnets after creating the cluster. The network interfaces provisioned by Amazon EKS have a description of the format `Amazon EKS [.replaceable]``your-cluster-name```. See the example below for an {aws} CLI command you can use to find the IP addresses of the network interfaces that Amazon EKS provisions. Replace `VPC_ID` with the ID of the VPC you pass during cluster creation. @@ -343,7 +347,7 @@ aws ec2 associate-route-table --route-table-id [.replaceable]`RT_ID` --subnet-id [#hybrid-nodes-networking-cluster-sg] == Cluster security group configuration -The following access for your Amazon EKS cluster security group is required for ongoing cluster operations. +The following access for your EKS cluster security group is required for ongoing cluster operations. [cols="1,1,1,1,1,1,1", options="header"] |=== @@ -390,10 +394,10 @@ The following access for your Amazon EKS cluster security group is required for To create a security group with the inbound access rules, run the following commands. This security group must be passed when you create your Amazon EKS cluster. By default, the command below creates a security group that allows all outbound access. You can restrict outbound access to include only the rules above. If you're considering limiting the outbound rules, we recommend that you thoroughly test all of your applications and pod connectivity before you apply your changed rules to a production cluster. -* In the first command, replace SG_NAME with a name for your security group -* In the first command, replace VPC_ID with the ID of the VPC you created in the previous step -* In the second command, replace SG_ID with the ID of the security group you create in the first command -* In the second command, replace REMOTE_NODE_CIDR and REMOTE_POD_CIDR with the values for your hybrid nodes and on-premises network. +* In the first command, replace `SG_NAME` with a name for your security group +* In the first command, replace `VPC_ID` with the ID of the VPC you created in the previous step +* In the second command, replace `SG_ID` with the ID of the security group you create in the first command +* In the second command, replace `REMOTE_NODE_CIDR` and `REMOTE_POD_CIDR` with the values for your hybrid nodes and on-premises network. [source,cli,subs="verbatim,attributes,quotes"] ---- diff --git a/latest/ug/nodes/hybrid-nodes-overview.adoc b/latest/ug/nodes/hybrid-nodes-overview.adoc index ec9d26476..ece77e092 100644 --- a/latest/ug/nodes/hybrid-nodes-overview.adoc +++ b/latest/ug/nodes/hybrid-nodes-overview.adoc @@ -23,10 +23,9 @@ For an overview of the other Amazon EKS options for on-premises and edge deploym == General concepts of Amazon EKS Hybrid Nodes * Amazon EKS Hybrid Nodes must have a reliable connection between your on-premises environment and {aws}. Amazon EKS Hybrid Nodes aren't a fit for disconnected, disrupted, intermittent or limited (DDIL) environments. If you are running in a DDIL environment, consider link:eks/eks-anywhere/[Amazon EKS Anywhere,type="marketing"]. -* Running Amazon EKS Hybrid Nodes on cloud infrastructure, including {aws} Regions, {aws} Local Zones, {aws} Outposts, or in other clouds, is not supported. Use Amazon EKS Auto Mode, Karpenter, Amazon EC2 managed node groups, self-managed nodes, or {aws} Fargate when running in {aws} Regions. Use Amazon EC2 managed node groups or Amazon EC2 self-managed nodes when running on {aws} Local Zones. Only Amazon EC2 self-managed nodes can be used on {aws} Outposts or {aws} Wavelength Zones. -* A single Amazon EKS cluster can be used to run hybrid nodes and nodes in {aws} Regions, {aws} Local Zones, or {aws} Outposts. +* Running Amazon EKS Hybrid Nodes on cloud infrastructure, including {aws} Regions, {aws} Local Zones, {aws} Outposts, or in other clouds, is not supported. You will be charged the hybrid nodes fee if you run hybrid nodes on Amazon EC2 instances. +* A single Amazon EKS cluster can be used to run hybrid nodes and nodes in {aws} Regions, {aws} Local Zones, or {aws} Outposts. See <> for more information. * Amazon EKS Hybrid Nodes is available in all {aws} Regions, except the {aws} GovCloud (US) Regions and the {aws} China Regions. -* You will be charged the hybrid nodes fee if you run hybrid nodes on Amazon EC2 instances. * Billing for hybrid nodes starts when the nodes join the Amazon EKS cluster and stops when the nodes are removed from the cluster. Be sure to remove your hybrid nodes from your Amazon EKS cluster if you are not using them. *Infrastructure Management* @@ -86,6 +85,8 @@ include::hybrid-nodes-tutorial.adoc[leveloffset=+1] include::hybrid-nodes-cni.adoc[leveloffset=+1] +include::hybrid-nodes-webhooks.adoc[leveloffset=+1] + include::hybrid-nodes-add-ons.adoc[leveloffset=+1] include::hybrid-nodes-proxy.adoc[leveloffset=+1] diff --git a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc index eadcda992..4479e7181 100644 --- a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc +++ b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc @@ -237,7 +237,7 @@ journalctl -u kubelet -f *Pod liveness probes failing or webhooks are not working* -If applications, add-ons, or webhooks running on your hybrid nodes are not starting properly, you may have networking issues that block the communication to the pods. For the EKS control plane to contact webhooks running on hybrid nodes, you must configure your EKS cluster with a remote pod network and have routes for your on-premises pod CIDR in your VPC routing table with the target as your Transit Gateway (TGW), virtual private gateway (VPW), or other gateway you are using to connect your VPC with your on-premises network. For more information on the networking requirements for hybrid nodes, see <>. You additionally must allow this traffic in your on-premises firewall and ensure your router can properly route to your pods. +If applications, add-ons, or webhooks running on your hybrid nodes are not starting properly, you may have networking issues that block the communication to the pods. For the EKS control plane to contact webhooks running on hybrid nodes, you must configure your EKS cluster with a remote pod network and have routes for your on-premises pod CIDR in your VPC routing table with the target as your Transit Gateway (TGW), virtual private gateway (VPW), or other gateway you are using to connect your VPC with your on-premises network. For more information on the networking requirements for hybrid nodes, see <>. You additionally must allow this traffic in your on-premises firewall and ensure your router can properly route to your pods. See <> for more information on the requirements for running webhooks on hybrid nodes. A common pod log message for this scenario is shown below the following where ip-address is the Cluster IP for the Kubernetes service. diff --git a/latest/ug/nodes/hybrid-nodes-webhooks.adoc b/latest/ug/nodes/hybrid-nodes-webhooks.adoc new file mode 100644 index 000000000..22a1c7e78 --- /dev/null +++ b/latest/ug/nodes/hybrid-nodes-webhooks.adoc @@ -0,0 +1,263 @@ +[.topic] +[#hybrid-nodes-webhooks] += Configure webhooks for hybrid nodes +:info_titleabbrev: Configure webhooks +:keywords: hybrid nodes webhooks, hybrid nodes webhook configuration + +include::../attributes.txt[] + +[abstract] +-- +Configure webhooks for hybrid nodes +-- + +This page details considerations for running webhooks with hybrid nodes. Webhooks are used in Kubernetes applications and open-source projects, such as the {aws} Load Balancer Controller and CloudWatch Observability Agent, to perform mutating and validation capabilities at runtime. + +If you are running webhooks on hybrid nodes, your on-premises pod CIDR must be routable on your on-premises network and you must configure your EKS cluster with your remote pod network so the EKS control plane can communicate with the webhooks running on hybrid nodes. + +There are several techniques you can use to make your on-premises pod CIDR routable on your on-premises network including Border Gateway Protocol (BGP), static routes, or other custom routing solutions. BGP is the recommended solution as it is more scalable and easier to manage than alternative solutions that require custom or manual route configuration. {aws} supports the BGP capabilities of Cilium and Calico for advertising hybrid nodes pod CIDRs, see <> for more information. + +If you _cannot_ make your on-premises pod CIDR routable on your on-premises network and need to run webhooks, it is recommended to run webhooks on EC2 instances in the same EKS cluster as your hybrid nodes. + +[#hybrid-nodes-considerations-mixed-mode] +== Considerations for mixed mode clusters + +Mixed mode clusters are defined as EKS clusters that have both hybrid nodes and nodes running in {aws} Cloud. When running a mixed mode cluster, consider the following recommendations: + +- Run the VPC CNI on nodes in {aws} Cloud and either Cilium or Calico on hybrid nodes. Cilium and Calico are not supported by {aws} when running on nodes in {aws} Cloud. +- If your applications require pods running on nodes in {aws} Cloud to directly communicate with pods running on hybrid nodes ("east-west communication"), and you are using the VPC CNI on nodes in {aws} Cloud and Cilium or Calico in overlay/tunnel mode on hybrid nodes, then your on-premises pod CIDR must be routable on your on-premises network. +- Run at least one replica of CoreDNS on nodes in {aws} Cloud and at least one replica of CoreDNS on hybrid nodes, see <> for configuration steps. +- Configure webhooks to run on nodes in {aws} Cloud. See <> for how to configure the webhooks used by {aws} and community add-ons when running mixed mode clusters. +- If you are using Application Load Balancers (ALB) or Network Load Balancers (NLB) for workload traffic running on hybrid nodes, then the IP target(s) used with the ALB or NLB must be routable from {aws}. +- The Metrics Server add-on requires connectivity from the EKS control plane to the Metrics Server pod IP address. If you are running the Metrics Server add-on on hybrid nodes, then your on-premises pod CIDR must be routable on your on-premises network. +- To collect metrics for hybrid nodes using Amazon Managed Service for Prometheus (AMP) managed collectors, your on-premises pod CIDR must be routable on your on-premises network. You can alternatively use the AMP managed collector for EKS control plane metrics and nodes running in {aws} Cloud, and the {aws} Distro for OpenTelemetry (ADOT) add-on to collect metrics for hybrid nodes. + +[#hybrid-nodes-mixed-mode] +== Configure add-ons and webhooks for mixed mode clusters + +To view the mutating and validating webhooks running on your cluster, you can view the *Extensions* resource type in the *Resources* panel of the EKS console for your cluster, or you can use the following commands. EKS also reports webhook metrics in the cluster observability dashboard, see <> for more information. + +[source,bash,subs="verbatim,attributes"] +---- +kubectl get mutatingwebhookconfigurations +---- + +[source,bash,subs="verbatim,attributes"] +---- +kubectl get validatingwebhookconfigurations +---- + +[#hybrid-nodes-mixed-coredns] +=== Configure CoreDNS replicas + +If you are running a mixed mode cluster with both hybrid nodes and nodes in {aws} Cloud, it is recommended to have at least one CoreDNS replica on hybrid nodes and at least one CoreDNS replica on your nodes in {aws} Cloud. The CoreDNS Service can be configured to prefer the closest CoreDNS replica to prevent latency and network issues in a mixed mode cluster setup with the following steps. + +. Add a topology zone label for each of your hybrid nodes, for example `topology.kubernetes.io/zone: onprem`. This can alternatively be done at the `nodeadm init` phase by specifying the label in your `nodeadm` configuration. Note, nodes running in {aws} Cloud automatically get a topology zone label applied to them that corresponds to the availability zone (AZ) of the node. ++ +[source,bash,subs="verbatim,attributes,quotes"] +---- +kubectl label node [.replaceable]`hybrid-node-name` topology.kubernetes.io/zone=[.replaceable]`zone` +---- ++ +. Add `podAntiAffinity` to the CoreDNS deployment configuration with the topology zone key. You can alternatively configure the CoreDNS deployment during installation with EKS add-ons. ++ +[source,bash,subs="verbatim,attributes,quotes"] +---- +kubectl edit deployment coredns -n kube-system +---- ++ +[source,yaml,subs="verbatim,attributes"] +---- +spec: + template: + spec: + affinity: + ... + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: k8s-app + operator: In + values: + - kube-dns + topologyKey: kubernetes.io/hostname + weight: 100 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: k8s-app + operator: In + values: + - kube-dns + topologyKey: topology.kubernetes.io/zone + weight: 50 + ... +---- ++ +. Add `trafficDistribution` to the kube-dns Service configuration. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl edit service kube-dns -n kube-system +---- ++ +[source,yaml,subs="verbatim,attributes"] +---- +spec: + ... + trafficDistribution: PreferClose +---- + +[#hybrid-nodes-webhooks-add-ons] +=== Configure webhooks for add-ons + +The following add-ons use webhooks and are supported for use with hybrid nodes. + +- {aws} Load Balancer Controller +- CloudWatch Observability Agent +- {aws} Distro for OpenTelemetry (ADOT) + +See the sections below for configuring the webhooks used by these add-ons to run on nodes in {aws} Cloud. + +[#hybrid-nodes-mixed-lbc] +==== {aws} Load Balancer Controller + +To run the {aws} Load Balancer Controller on nodes in {aws} Cloud in a mixed mode cluster setup, add the following to your Helm values configuration or specify the values using EKS add-on configuration. + +[source,yaml,subs="verbatim,attributes"] +---- +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: eks.amazonaws.com/compute-type + operator: NotIn + values: + - hybrid +---- + +[#hybrid-nodes-mixed-cwagent] +==== CloudWatch Observability Agent + +The CloudWatch Observability Agent add-on has an operator that uses webhooks. To run the operator on nodes in {aws} Cloud in a mixed mode cluster setup, edit the CloudWatch Observability Agent operator configuration. The ability to configure operator affinity during installation with Helm and EKS add-ons is planned for a future release (see link:https://github.com/aws/containers-roadmap/issues/2431[containers-roadmap issue #2431]). + +[source,bash,subs="verbatim,attributes"] +---- +kubectl edit -n amazon-cloudwatch deployment amazon-cloudwatch-observability-controller-manager +---- + +[source,yaml,subs="verbatim,attributes"] +---- +spec: + ... + template: + ... + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: eks.amazonaws.com/compute-type + operator: NotIn + values: + - hybrid +---- + +[#hybrid-nodes-mixed-adot] +==== {aws} Distro for OpenTelemetry (ADOT) + +The {aws} Distro for OpenTelemetry (ADOT) add-on has an operator that uses webhooks. To run the operator on nodes in {aws} Cloud in a mixed mode cluster setup, add the following to your Helm values configuration or specify the values using EKS add-on configuration. + +[source,yaml,subs="verbatim,attributes"] +---- +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: eks.amazonaws.com/compute-type + operator: NotIn + values: + - hybrid +---- + +If your pod CIDR is not routable on your on-premises network, configure the ADOT collector Custom Resource Definition (CRD) to run on your hybrid nodes so it can scrape the metrics from your hybrid nodes and the workloads running on them. + +[source,bash,subs="verbatim,attributes"] +---- +kubectl -n opentelemetry-operator-system edit opentelemetrycollectors.opentelemetry.io adot-col-prom-metrics +---- + +[source,yaml,subs="verbatim,attributes"] +---- +spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: eks.amazonaws.com/compute-type + operator: In + values: + - hybrid +---- + +You can configure the ADOT collector to only scrape metrics from hybrid nodes and the resources running on hybrid nodes by adding the following `relabel_configs` to each `scrape_configs` in the ADOT collector CRD configuration. + +[source,yaml,subs="verbatim,attributes"] +---- +relabel_configs: + - action: keep + regex: hybrid + source_labels: + - __meta_kubernetes_node_label_eks_amazonaws_com_compute_type +---- + +The ADOT add-on has a prerequisite requirement to install cert-manager for the TLS certificates used by the ADOT operator webhook. Cert-manager also runs webhooks and you can configure it to run on nodes in {aws} Cloud with the following Helm values configuration. + +[source,yaml,subs="verbatim,attributes"] +---- +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: eks.amazonaws.com/compute-type + operator: NotIn + values: + - hybrid +webhook: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: eks.amazonaws.com/compute-type + operator: NotIn + values: + - hybrid +cainjector: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: eks.amazonaws.com/compute-type + operator: NotIn + values: + - hybrid +startupapicheck: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: eks.amazonaws.com/compute-type + operator: NotIn + values: + - hybrid +---- \ No newline at end of file From a4387c9b22f3c6b76becd4a327dd4acbe642f8b6 Mon Sep 17 00:00:00 2001 From: Rob Date: Fri, 14 Mar 2025 17:59:17 +0000 Subject: [PATCH 259/940] Add taints/tolerations for accelerated nodepools (#920) * Add taints/tolerations for accelerated nodepools * Update auto-accelerated.adoc --- latest/ug/automode/auto-accelerated.adoc | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/latest/ug/automode/auto-accelerated.adoc b/latest/ug/automode/auto-accelerated.adoc index ea1d31e15..9a70bd640 100644 --- a/latest/ug/automode/auto-accelerated.adoc +++ b/latest/ug/automode/auto-accelerated.adoc @@ -72,6 +72,9 @@ spec: values: - g6e - g6 + taints: + - key: nvidia.com/gpu + effect: NoSchedule terminationGracePeriod: 24h0m0s ---- @@ -101,9 +104,13 @@ spec: limits: memory: "30Gi" nvidia.com/gpu: 1 + tolerations: + - key: nvidia.com/gpu + effect: NoSchedule + operator: Exists ---- -Note the `eks.amazonaws.com/compute-type: auto` selector requires the workload be deployed on an Amazon EKS Auto Mode node. +Note the `eks.amazonaws.com/compute-type: auto` selector requires the workload be deployed on an Amazon EKS Auto Mode node. The NodePool also sets a taint that only allows pods with tolerations for Nvidia GPUs to be scheduled. Apply the NodePool and workload to your cluster. From 0ef3f10dade6f8f0b887e80e2cf7e996f5565711 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Fri, 14 Mar 2025 18:26:37 +0000 Subject: [PATCH 260/940] fixup for tickets --- latest/ug/automode/auto-migrate-mng.adoc | 8 ++++-- latest/ug/automode/create-node-class.adoc | 7 ++--- latest/ug/automode/migrate-auto.adoc | 1 - .../iam-roles-for-service-accounts.adoc | 2 +- latest/ug/networking/lbc-helm.adoc | 26 +++---------------- 5 files changed, 15 insertions(+), 29 deletions(-) diff --git a/latest/ug/automode/auto-migrate-mng.adoc b/latest/ug/automode/auto-migrate-mng.adoc index 394b9f03d..2ac24c0d3 100644 --- a/latest/ug/automode/auto-migrate-mng.adoc +++ b/latest/ug/automode/auto-migrate-mng.adoc @@ -21,5 +21,9 @@ Use the following `eksctl` CLI command to initiate draining pods from the existi [source,cli] ---- -eksctl update auto-mode-config --drain-all-nodegroups ----- \ No newline at end of file +eksctl delete nodegroup --cluster= --name= +---- + +You will need to run this command for each managed node group in your cluster. + +For more information on this command, see https://eksctl.io/usage/nodegroups/#deleting-and-draining-nodegroups[Deleting and draining nodegroups] in the eksctl docs. \ No newline at end of file diff --git a/latest/ug/automode/create-node-class.adoc b/latest/ug/automode/create-node-class.adoc index d2f5833ca..1600a7e9b 100644 --- a/latest/ug/automode/create-node-class.adoc +++ b/latest/ug/automode/create-node-class.adoc @@ -106,7 +106,7 @@ For information about deploying CloudFormation stacks, see link:AWSCloudFormatio apiVersion: eks.amazonaws.com/v1 kind: NodeClass metadata: - name: default + name: MyNodeClass spec: # Required: Subnet selection for node placement @@ -140,10 +140,10 @@ spec: iops: 3000 # Range: 3000-16000 throughput: 125 # Range: 125-1000 - # Optional: IAM role to use for EC2 instance role + # Optional: Name of IAM role to use for EC2 instance role # If unspecified, EKS creates a role # If specified, you must create an access entry for this role as described above - role: arn:aws:iam::123456789012:role/MyNodeRole + role: MyNodeRole # Optional: Additional EC2 tags tags: @@ -156,3 +156,4 @@ spec: * If you change the Node IAM Role associated with a NodeClass, you will need to create a new Access Entry. EKS automatically creates an Access Entry for the Node IAM Role during cluster creation. The Node IAM Role requires the `AmazonEKSAutoNodePolicy` EKS Access Policy. For more information, see <>. * EKS limits the maximum number of pods on a node to 110. This limit is applied after the existing max pods calculation. For more information, see <>. * If you want to propagate tags from Kubernetes to EC2, you need to configure additional IAM permissions. For more information, see <>. +* Do not name your custom node class `default`. diff --git a/latest/ug/automode/migrate-auto.adoc b/latest/ug/automode/migrate-auto.adoc index fd7b3d8b6..4572bc2d3 100644 --- a/latest/ug/automode/migrate-auto.adoc +++ b/latest/ug/automode/migrate-auto.adoc @@ -23,7 +23,6 @@ EKS Auto Mode requires Kubernetes version 1.29 or greater. EKS Auto Mode isn't a ** Learn how to <> * Migrating from EKS Managed Node Groups to EKS Auto Mode Nodes ** Learn how to <> -* Migrating from EKS Fargate to EKS Auto Mode Nodes *{aws} does not support the following migrations:* diff --git a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc index b39d25513..a52fdaf24 100644 --- a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc +++ b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts.adoc @@ -10,7 +10,7 @@ include::../../attributes.txt[] Learn how applications in your Pods can access {aws} services. -- -Applications in a Pod's containers can use an {aws} SDK or the {aws} CLI to make API requests to {aws} services using {aws} Identity and Access Management (IAM) permissions. Applications must sign their {aws} API requests with {aws} credentials. IAM roles for service accounts (IRSA) provide the ability to manage credentials for your applications, similar to the way that Amazon EC2 instance profiles provide credentials to Amazon EC2 instances. Instead of creating and distributing your {aws} credentials to the containers or using the Amazon EC2 instance's role, you associate an IAM role with a Kubernetes service account and configure your Pods to use the service account. You can't use IAM roles for service accounts with <>. +Applications in a Pod's containers can use an {aws} SDK or the {aws} CLI to make API requests to {aws} services using {aws} Identity and Access Management (IAM) permissions. Applications must sign their {aws} API requests with {aws} credentials. *IAM roles for service accounts (IRSA)* provide the ability to manage credentials for your applications, similar to the way that Amazon EC2 instance profiles provide credentials to Amazon EC2 instances. Instead of creating and distributing your {aws} credentials to the containers or using the Amazon EC2 instance's role, you associate an IAM role with a Kubernetes service account and configure your Pods to use the service account. You can't use IAM roles for service accounts with <>. IAM roles for service accounts provide the following benefits: diff --git a/latest/ug/networking/lbc-helm.adoc b/latest/ug/networking/lbc-helm.adoc index fb2e98e35..828bcad8b 100644 --- a/latest/ug/networking/lbc-helm.adoc +++ b/latest/ug/networking/lbc-helm.adoc @@ -44,7 +44,7 @@ Before starting this tutorial, you must install and configure the following tool [NOTE] ==== -You only need to create an IAM Role for the {aws} Load Balancer Controller once per {aws} account. Check if `AmazonEKSLoadBalancerControllerRole` exists in the link:iam[IAM Console,type="console"]. If this role exists, skip to <>. +You only need to create an IAM Role for the {aws} Load Balancer Controller once per {aws} account. Check if `AmazonEKSLoadBalancerControllerRole` exists in the link:iam[IAM Console,type="console"]. If this role exists, skip to <>. ==== @@ -55,31 +55,13 @@ Below example is referring to the {aws} Load Balancer Controller *v2.11.0* relea ==== -. Download an IAM policy for the {aws} Load Balancer Controller that allows it to make calls to {aws} APIs on your behalf. -+ -==== -[role="tablist"] -{aws}::: -+ -[source,shell,subs="verbatim,attributes"] ----- -curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.11.0/docs/install/iam_policy.json ----- - - -{aws} GovCloud (US)::: +. Download an IAM policy for the {aws} Load Balancer Controller that allows it to make calls to {aws} APIs on your behalf. + [source,shell,subs="verbatim,attributes"] ---- -curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.11.0/docs/install/iam_policy_us-gov.json ----- -+ -[source,shell,subs="verbatim,attributes"] +curl -O https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/docs/install/iam_policy.json ---- -mv iam_policy_us-gov.json iam_policy.json ----- -==== -+ +** If you are a non-standard {aws} partition, such as a Government or China region, https://github.com/kubernetes-sigs/aws-load-balancer-controller/tree/main/docs/install[review the policies on GitHub] and download the appropriate policy for your region. . Create an IAM policy using the policy downloaded in the previous step. + [source,shell,subs="verbatim,attributes"] From 921fff287e1e4a6b11684cab491a79bb04d766ae Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Fri, 14 Mar 2025 19:01:26 +0000 Subject: [PATCH 261/940] Updated command to work for when user has default output set to text: V1406803426 --- latest/ug/storage/efs-csi.adoc | 2 +- latest/ug/workloads/workloads-add-ons-available-eks.adoc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/storage/efs-csi.adoc b/latest/ug/storage/efs-csi.adoc index e2c8ac417..92d8f32d2 100644 --- a/latest/ug/storage/efs-csi.adoc +++ b/latest/ug/storage/efs-csi.adoc @@ -70,7 +70,7 @@ eksctl create iamserviceaccount \ --role-only \ --attach-policy-arn {arn-aws}iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy \ --approve -TRUST_POLICY=$(aws iam get-role --role-name $role_name --query 'Role.AssumeRolePolicyDocument' | \ +TRUST_POLICY=$(aws iam get-role --output json --role-name $role_name --query 'Role.AssumeRolePolicyDocument' | \ sed -e 's/efs-csi-controller-sa/efs-csi-*/' -e 's/StringEquals/StringLike/') aws iam update-assume-role-policy --role-name $role_name --policy-document "$TRUST_POLICY" ---- diff --git a/latest/ug/workloads/workloads-add-ons-available-eks.adoc b/latest/ug/workloads/workloads-add-ons-available-eks.adoc index 1ab94027a..f68b99762 100644 --- a/latest/ug/workloads/workloads-add-ons-available-eks.adoc +++ b/latest/ug/workloads/workloads-add-ons-available-eks.adoc @@ -252,7 +252,7 @@ eksctl create iamserviceaccount \ --role-only \ --attach-policy-arn {arn-aws}iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy \ --approve -TRUST_POLICY=$(aws iam get-role --role-name $role_name --query 'Role.AssumeRolePolicyDocument' | \ +TRUST_POLICY=$(aws iam get-role --output json --role-name $role_name --query 'Role.AssumeRolePolicyDocument' | \ sed -e 's/efs-csi-controller-sa/efs-csi-*/' -e 's/StringEquals/StringLike/') aws iam update-assume-role-policy --role-name $role_name --policy-document "$TRUST_POLICY" ---- From 05b4067d17d80170f8fd264ee81cbdf52f699806 Mon Sep 17 00:00:00 2001 From: Chris Negus Date: Fri, 14 Mar 2025 18:52:06 +0000 Subject: [PATCH 262/940] Updated install-kubectl.adoc per https://t.corp.amazon.com/V1696512794 --- latest/ug/getting-started/install-kubectl.adoc | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/latest/ug/getting-started/install-kubectl.adoc b/latest/ug/getting-started/install-kubectl.adoc index b337b0535..03a490cc8 100644 --- a/latest/ug/getting-started/install-kubectl.adoc +++ b/latest/ug/getting-started/install-kubectl.adoc @@ -59,6 +59,15 @@ Install or update `kubectl` on one of the following operating systems: * <> * <> +[NOTE] +==== + +If downloads are slow to your region from the regions used in this section, +consider setting up CloudFront to front the content. +For further information, see link:AmazonCloudFront/latest/DeveloperGuide/GettingStartedSimpleDistributon.html[Get started with a basic CloudFront distribution,type="documentation"]. + +==== + === macOS [[macos_kubectl]] . Download the binary for your cluster's Kubernetes version from Amazon S3. @@ -804,4 +813,4 @@ aws sts get-caller-identity [#install-kubectl-next-steps] == Next steps -* <> \ No newline at end of file +* <> From 0c0fd9eafa7359afa2c7a467286f3ab684c0141e Mon Sep 17 00:00:00 2001 From: Andreas Skarmutsos Lindh Date: Thu, 6 Mar 2025 12:17:38 +0100 Subject: [PATCH 263/940] fix: broken NetworkPolicy example URLs The eksworkshop.com links are outdated, the content referenced is available at archive.eksworkshop.com --- .../networking/network-policy-stars-demo.adoc | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/latest/ug/networking/network-policy-stars-demo.adoc b/latest/ug/networking/network-policy-stars-demo.adoc index 42d576f26..9d21f735b 100644 --- a/latest/ug/networking/network-policy-stars-demo.adoc +++ b/latest/ug/networking/network-policy-stars-demo.adoc @@ -18,11 +18,11 @@ Before you create any network policies, all services can communicate bidirection + [source,bash,subs="verbatim,attributes"] ---- -kubectl apply -f https://eksworkshop.com/beginner/120_network-policies/calico/stars_policy_demo/create_resources.files/namespace.yaml -kubectl apply -f https://eksworkshop.com/beginner/120_network-policies/calico/stars_policy_demo/create_resources.files/management-ui.yaml -kubectl apply -f https://eksworkshop.com/beginner/120_network-policies/calico/stars_policy_demo/create_resources.files/backend.yaml -kubectl apply -f https://eksworkshop.com/beginner/120_network-policies/calico/stars_policy_demo/create_resources.files/frontend.yaml -kubectl apply -f https://eksworkshop.com/beginner/120_network-policies/calico/stars_policy_demo/create_resources.files/client.yaml +kubectl apply -f https://archive.eksworkshop.com/beginner/120_network-policies/calico/stars_policy_demo/create_resources.files/namespace.yaml +kubectl apply -f https://archive.eksworkshop.com/beginner/120_network-policies/calico/stars_policy_demo/create_resources.files/management-ui.yaml +kubectl apply -f https://archive.eksworkshop.com/beginner/120_network-policies/calico/stars_policy_demo/create_resources.files/backend.yaml +kubectl apply -f https://archive.eksworkshop.com/beginner/120_network-policies/calico/stars_policy_demo/create_resources.files/frontend.yaml +kubectl apply -f https://archive.eksworkshop.com/beginner/120_network-policies/calico/stars_policy_demo/create_resources.files/client.yaml ---- . View all Pods on the cluster. + @@ -72,8 +72,8 @@ You can use the following commands to apply the policy to both namespaces: + [source,bash,subs="verbatim,attributes"] ---- -kubectl apply -n stars -f https://eksworkshop.com/beginner/120_network-policies/calico/stars_policy_demo/apply_network_policies.files/default-deny.yaml -kubectl apply -n client -f https://eksworkshop.com/beginner/120_network-policies/calico/stars_policy_demo/apply_network_policies.files/default-deny.yaml +kubectl apply -n stars -f https://archive.eksworkshop.com/beginner/120_network-policies/calico/stars_policy_demo/apply_network_policies.files/default-deny.yaml +kubectl apply -n client -f https://archive.eksworkshop.com/beginner/120_network-policies/calico/stars_policy_demo/apply_network_policies.files/default-deny.yaml ---- . Refresh your browser. You see that the management user interface can no longer reach any of the nodes, so they don't show up in the user interface. . Apply the following different network policies to allow the management user interface to access the services. Apply this policy to allow the UI: @@ -118,8 +118,8 @@ You can use the following commands to apply both policies: + [source,bash,subs="verbatim,attributes"] ---- -kubectl apply -f https://eksworkshop.com/beginner/120_network-policies/calico/stars_policy_demo/apply_network_policies.files/allow-ui.yaml -kubectl apply -f https://eksworkshop.com/beginner/120_network-policies/calico/stars_policy_demo/apply_network_policies.files/allow-ui-client.yaml +kubectl apply -f https://archive.eksworkshop.com/beginner/120_network-policies/calico/stars_policy_demo/apply_network_policies.files/allow-ui.yaml +kubectl apply -f https://archive.eksworkshop.com/beginner/120_network-policies/calico/stars_policy_demo/apply_network_policies.files/allow-ui-client.yaml ---- . Refresh your browser. You see that the management user interface can reach the nodes again, but the nodes cannot communicate with each other. + @@ -178,11 +178,11 @@ image::images/stars-final.png[Final network policy,scaledwidth=100%] + [source,bash,subs="verbatim,attributes"] ---- -kubectl delete -f https://eksworkshop.com/beginner/120_network-policies/calico/stars_policy_demo/create_resources.files/client.yaml -kubectl delete -f https://eksworkshop.com/beginner/120_network-policies/calico/stars_policy_demo/create_resources.files/frontend.yaml -kubectl delete -f https://eksworkshop.com/beginner/120_network-policies/calico/stars_policy_demo/create_resources.files/backend.yaml -kubectl delete -f https://eksworkshop.com/beginner/120_network-policies/calico/stars_policy_demo/create_resources.files/management-ui.yaml -kubectl delete -f https://eksworkshop.com/beginner/120_network-policies/calico/stars_policy_demo/create_resources.files/namespace.yaml +kubectl delete -f https://archive.eksworkshop.com/beginner/120_network-policies/calico/stars_policy_demo/create_resources.files/client.yaml +kubectl delete -f https://archive.eksworkshop.com/beginner/120_network-policies/calico/stars_policy_demo/create_resources.files/frontend.yaml +kubectl delete -f https://archive.eksworkshop.com/beginner/120_network-policies/calico/stars_policy_demo/create_resources.files/backend.yaml +kubectl delete -f https://archive.eksworkshop.com/beginner/120_network-policies/calico/stars_policy_demo/create_resources.files/management-ui.yaml +kubectl delete -f https://archive.eksworkshop.com/beginner/120_network-policies/calico/stars_policy_demo/create_resources.files/namespace.yaml ---- + -Even after deleting the resources, there can still be network policy endpoints on the nodes that might interfere in unexpected ways with networking in your cluster. The only sure way to remove these rules is to reboot the nodes or terminate all of the nodes and recycle them. To terminate all nodes, either set the Auto Scaling Group desired count to 0, then back up to the desired number, or just terminate the nodes. \ No newline at end of file +Even after deleting the resources, there can still be network policy endpoints on the nodes that might interfere in unexpected ways with networking in your cluster. The only sure way to remove these rules is to reboot the nodes or terminate all of the nodes and recycle them. To terminate all nodes, either set the Auto Scaling Group desired count to 0, then back up to the desired number, or just terminate the nodes. From 17d0efd569373272b6e1b0db3696d759fad92bc9 Mon Sep 17 00:00:00 2001 From: asjarre Date: Mon, 17 Mar 2025 10:08:10 +1100 Subject: [PATCH 264/940] Updated curl command to correct command --- latest/ug/networking/lbc-helm.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/networking/lbc-helm.adoc b/latest/ug/networking/lbc-helm.adoc index 828bcad8b..e04cb2e0d 100644 --- a/latest/ug/networking/lbc-helm.adoc +++ b/latest/ug/networking/lbc-helm.adoc @@ -59,7 +59,7 @@ Below example is referring to the {aws} Load Balancer Controller *v2.11.0* relea + [source,shell,subs="verbatim,attributes"] ---- -curl -O https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/docs/install/iam_policy.json +curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.11.0/docs/install/iam_policy.json ---- ** If you are a non-standard {aws} partition, such as a Government or China region, https://github.com/kubernetes-sigs/aws-load-balancer-controller/tree/main/docs/install[review the policies on GitHub] and download the appropriate policy for your region. . Create an IAM policy using the policy downloaded in the previous step. From 011e6290a16ebb3d38fd40511c7fed2de3ec8f62 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Mon, 17 Mar 2025 17:18:32 +0000 Subject: [PATCH 265/940] Added callout that access needs to be added by users for Windows launch templates: 44869 --- latest/ug/nodes/launch-templates.adoc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/latest/ug/nodes/launch-templates.adoc b/latest/ug/nodes/launch-templates.adoc index cc13c7523..b3d7e9b0b 100644 --- a/latest/ug/nodes/launch-templates.adoc +++ b/latest/ug/nodes/launch-templates.adoc @@ -225,6 +225,8 @@ Amazon EKS doesn't support all valid TOML. The following is a list of known unsu *Windows user data*:: Windows user data uses PowerShell commands. When creating a managed node group, your custom user data combines with Amazon EKS managed user data. Your PowerShell commands come first, followed by the managed user data commands, all within one `` tag. + +IMPORTANT: When creating Windows node groups, Amazon EKS updates the `aws-auth` `ConfigMap` to allow Linux-based nodes to join the cluster. The service doesn't automatically configure permissions for Windows AMIs. If you're using Windows nodes, you'll need to manage access either via the access entry API or by updating the `aws-auth` `ConfigMap` directly. For more information, see <>. ++ NOTE: When no AMI ID is specified in the launch template, don't use the Windows Amazon EKS Bootstrap script in user data to configure Amazon EKS. + Example user data is as follows. From 52ac6102f9d244ae1c7347f0d136802d160a35bd Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Mon, 17 Mar 2025 17:39:34 +0000 Subject: [PATCH 266/940] Provided example of AL2023 customization: 43371 --- latest/ug/nodes/launch-templates.adoc | 53 +++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/latest/ug/nodes/launch-templates.adoc b/latest/ug/nodes/launch-templates.adoc index b3d7e9b0b..6fab6fc23 100644 --- a/latest/ug/nodes/launch-templates.adoc +++ b/latest/ug/nodes/launch-templates.adoc @@ -196,7 +196,60 @@ kind: NodeConfig spec: [...] ---- + In AL2, the metadata from these parameters was discovered from the Amazon EKS `DescribeCluster` API call. With AL2023, this behavior has changed since the additional API call risks throttling during large node scale ups. This change doesn't affect you if you're using managed node groups without a launch template or if you're using Karpenter. For more information on `certificateAuthority` and service `cidr`, see link:eks/latest/APIReference/API_DescribeCluster.html[`DescribeCluster`,type="documentation"] in the _Amazon EKS API Reference_. ++ +Here's a complete example of AL2023 user data that combines a shell script for customizing the node (like installing packages or pre-caching container images) with the required `nodeadm` configuration. This example shows common customizations including: +* Installing additional system packages +* Pre-caching container images to improve Pod startup time +* Setting up HTTP proxy configuration +* Configuring `kubelet` flags for node labeling + ++ +[source,bash,subs="verbatim,attributes"] +---- +MIME-Version: 1.0 +Content-Type: multipart/mixed; boundary="BOUNDARY" + +--BOUNDARY +Content-Type: text/x-shellscript; charset="us-ascii" + +#!/bin/bash +set -o errexit +set -o pipefail +set -o nounset + +# Install additional packages +yum install -y htop jq iptables-services + +# Pre-cache commonly used container images +nohup docker pull public.ecr.aws/eks-distro/kubernetes/pause:3.2 & + +# Configure HTTP proxy if needed +cat > /etc/profile.d/http-proxy.sh << 'EOF' +export HTTP_PROXY="http://proxy.example.com:3128" +export HTTPS_PROXY="http://proxy.example.com:3128" +export NO_PROXY="localhost,127.0.0.1,169.254.169.254,.internal" +EOF +--BOUNDARY +Content-Type: application/node.eks.aws + +apiVersion: node.eks.aws/v1alpha1 +kind: NodeConfig +spec: + cluster: + name: my-cluster + apiServerEndpoint: https://example.com + certificateAuthority: Y2VydGlmaWNhdGVBdXRob3JpdHk= + cidr: 10.100.0.0/16 + kubelet: + config: + clusterDNS: + - 10.100.0.10 + flags: + - --node-labels=app=my-app,environment=production + +--BOUNDARY-- +---- *Bottlerocket user data*:: Bottlerocket structures user data in the TOML format. You can provide user data to be merged with the user data provided by Amazon EKS. For example, you can provide additional `kubelet` settings. From 16b9f1a5b167e431bc9c8e55f6ae635ab8e243eb Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Mon, 17 Mar 2025 13:09:45 -0500 Subject: [PATCH 267/940] Update lbc-helm.adoc --- latest/ug/networking/lbc-helm.adoc | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/latest/ug/networking/lbc-helm.adoc b/latest/ug/networking/lbc-helm.adoc index e04cb2e0d..5439160f6 100644 --- a/latest/ug/networking/lbc-helm.adoc +++ b/latest/ug/networking/lbc-helm.adoc @@ -44,13 +44,6 @@ Before starting this tutorial, you must install and configure the following tool [NOTE] ==== -You only need to create an IAM Role for the {aws} Load Balancer Controller once per {aws} account. Check if `AmazonEKSLoadBalancerControllerRole` exists in the link:iam[IAM Console,type="console"]. If this role exists, skip to <>. - -==== - -[NOTE] -==== - Below example is referring to the {aws} Load Balancer Controller *v2.11.0* release version. For more information about all releases, see the https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/[{aws} Load Balancer Controller Release Page] on GitHub. ==== @@ -156,4 +149,4 @@ aws-load-balancer-controller 2/2 2 2 84s You receive the previous output if you deployed using Helm. If you deployed using the Kubernetes manifest, you only have one replica. . Before using the controller to provision {aws} resources, your cluster must meet specific requirements. For more information, see <> and <>. -// GDC Must Fix \ No newline at end of file +// GDC Must Fix From fe6d9f2c9f6de864f0e9ad8b94c0e98fb6ceec62 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Mon, 17 Mar 2025 14:54:57 -0500 Subject: [PATCH 268/940] Update lbc-helm.adoc --- latest/ug/networking/lbc-helm.adoc | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/latest/ug/networking/lbc-helm.adoc b/latest/ug/networking/lbc-helm.adoc index 5439160f6..b493f2aa4 100644 --- a/latest/ug/networking/lbc-helm.adoc +++ b/latest/ug/networking/lbc-helm.adoc @@ -65,17 +65,18 @@ aws iam create-policy \ ---- + NOTE: If you view the policy in the {aws-management-console}, the console shows warnings for the *ELB* service, but not for the *ELB v2* service. This happens because some of the actions in the policy exist for *ELB v2*, but not for *ELB*. You can ignore the warnings for *ELB*. -. Replace [.replaceable]`my-cluster` with the name of your cluster, [.replaceable]`111122223333` with your account ID, and then run the command. +. Replace the values for cluster name, region code, and account ID. + [source,shell,subs="verbatim,attributes"] ---- eksctl create iamserviceaccount \ - --cluster=my-cluster \ - --namespace=kube-system \ - --name=aws-load-balancer-controller \ - --role-name AmazonEKSLoadBalancerControllerRole \ - --attach-policy-arn={arn-aws}iam::111122223333:policy/AWSLoadBalancerControllerIAMPolicy \ - --approve + --cluster= \ + --namespace=kube-system \ + --name=aws-load-balancer-controller \ + --attach-policy-arn=arn:aws:iam:::policy/AWSLoadBalancerControllerIAMPolicy \ + --override-existing-serviceaccounts \ + --region \ + --approve ---- From 885d088fa14bf87f10ccf0871b54245bca75b899 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Mon, 17 Mar 2025 15:07:44 -0500 Subject: [PATCH 269/940] Update associate-service-account-role.adoc --- .../aws-access/associate-service-account-role.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/manage-access/aws-access/associate-service-account-role.adoc b/latest/ug/manage-access/aws-access/associate-service-account-role.adoc index 93dece5db..43b27cdc0 100644 --- a/latest/ug/manage-access/aws-access/associate-service-account-role.adoc +++ b/latest/ug/manage-access/aws-access/associate-service-account-role.adoc @@ -192,7 +192,7 @@ An example output is as follows. + [source,bash,subs="verbatim,attributes"] ---- -aws iam list-attached-role-policies --role-name my-role --query AttachedPolicies[].PolicyArn --output text +aws iam list-attached-role-policies --role-name my-role --query "AttachedPolicies[].PolicyArn" --output text ---- + An example output is as follows. @@ -276,4 +276,4 @@ Tokens: my-service-account-token-qqjfl == Next steps -* <> \ No newline at end of file +* <> From 38ba96b49c01f1420e735259aabdbe5beabf3a12 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Mon, 17 Mar 2025 15:17:44 -0500 Subject: [PATCH 270/940] Update launch-templates.adoc --- latest/ug/nodes/launch-templates.adoc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/latest/ug/nodes/launch-templates.adoc b/latest/ug/nodes/launch-templates.adoc index 6fab6fc23..b5dc781d1 100644 --- a/latest/ug/nodes/launch-templates.adoc +++ b/latest/ug/nodes/launch-templates.adoc @@ -479,6 +479,9 @@ NOTE: If you're using custom service CIDR, then you need to specify it using the ==== For more information, see link:AWSEC2/latest/UserGuide/AMIs.html[Amazon Machine Images (AMI),type="documentation"] in the _Amazon EC2 User Guide_. The Amazon EKS AMI build specification contains resources and configuration scripts for building a custom Amazon EKS AMI based on Amazon Linux. For more information, see https://github.com/awslabs/amazon-eks-ami/[Amazon EKS AMI Build Specification] on GitHub. To build custom AMIs installed with other operating systems, see https://github.com/aws-samples/amazon-eks-custom-amis[Amazon EKS Sample Custom AMIs] on GitHub. + +You cannot use dynamic parameter references for AMI IDs in Launch Templates used with managed node groups. + ==== [IMPORTANT] @@ -517,4 +520,4 @@ kubectl edit -n kube-system cm aws-auth ---- - eks:kube-proxy-windows ---- -.. Save the file and exit your text editor. \ No newline at end of file +.. Save the file and exit your text editor. From 4bc7f82f0b109d20d7892dd184008cd3ca20b289 Mon Sep 17 00:00:00 2001 From: Domonic Neal Date: Tue, 18 Mar 2025 15:12:52 -0500 Subject: [PATCH 271/940] Update fsx-ontap.adoc Customers who are using FSx ONTAP alongside EBS CSI driver to provision EBS volumes for EKS workloads must ensure that EBS devices are blacklisted in the multipath.conf file otherwise the EBS volumes provisioned by EBS CSI driver will not mount successfully to pods. --- latest/ug/storage/fsx-ontap.adoc | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/latest/ug/storage/fsx-ontap.adoc b/latest/ug/storage/fsx-ontap.adoc index f60735d8c..739428c0c 100644 --- a/latest/ug/storage/fsx-ontap.adoc +++ b/latest/ug/storage/fsx-ontap.adoc @@ -12,4 +12,23 @@ The NetApp Trident allows Amazon EKS clusters to manage the lifecycle of persist The NetApp Trident provides dynamic storage orchestration using a Container Storage Interface (CSI) compliant driver. This allows Amazon EKS clusters to manage the lifecycle of persistent volumes (PVs) backed by Amazon FSx for NetApp ONTAP file systems. Note that the Amazon FSx for NetApp ONTAP CSI driver is not compatible with Amazon EKS Hybrid Nodes. To get started, see https://docs.netapp.com/us-en/trident/trident-use/trident-fsx.html[Use Trident with Amazon FSx for NetApp ONTAP] in the NetApp Trident documentation. -Amazon FSx for NetApp ONTAP is a storage service that allows you to launch and run fully managed ONTAP file systems in the cloud. ONTAP is NetApp's file system technology that provides a widely adopted set of data access and data management capabilities. FSx for ONTAP provides the features, performance, and APIs of on-premises NetApp file systems with the agility, scalability, and simplicity of a fully managed {aws} service. For more information, see the link:fsx/latest/ONTAPGuide/what-is-fsx-ontap.html[FSx for ONTAP User Guide,type="documentation"]. \ No newline at end of file +Amazon FSx for NetApp ONTAP is a storage service that allows you to launch and run fully managed ONTAP file systems in the cloud. ONTAP is NetApp's file system technology that provides a widely adopted set of data access and data management capabilities. FSx for ONTAP provides the features, performance, and APIs of on-premises NetApp file systems with the agility, scalability, and simplicity of a fully managed {aws} service. For more information, see the link:fsx/latest/ONTAPGuide/what-is-fsx-ontap.html[FSx for ONTAP User Guide,type="documentation"]. + + +[IMPORTANT] +==== +If you are using Amazon FSx for NetApp ONTAP alongside EBS CSI driver to provision EBS volumes you must ensure that you blacklist EBS devices in the multipath.conf file. For supported methods please see https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/dm_multipath/config_file_blacklist#config_file_blacklist[Configuration File Blacklist]. An example has been provided below: +==== +[source,json,subs="verbatim,attributes"] +---- + defaults { + user_friendly_names yes + find_multipaths no + } + blacklist { + device { + vendor "NVME" + product "Amazon Elastic Block Store" + } + } +---- From 380fa45d6cd1879cae6073fa26dd4cfa775e0098 Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Mon, 17 Mar 2025 18:31:34 -0700 Subject: [PATCH 272/940] Add EKS platform versions from Jan-Feb 2025 --- .vscode/asciidoc.code-snippets | 12 +- latest/ug/clusters/platform-versions.adoc | 243 +++++++++++++++++++++- 2 files changed, 250 insertions(+), 5 deletions(-) diff --git a/.vscode/asciidoc.code-snippets b/.vscode/asciidoc.code-snippets index 7e0093784..bb24f9976 100644 --- a/.vscode/asciidoc.code-snippets +++ b/.vscode/asciidoc.code-snippets @@ -68,7 +68,7 @@ "----\n", "====" ], - "description": "adoc step tablist" + "description": "adoc step with tablist of console, eksctl, awscli, CFN" }, "adoc region tablist": { "prefix": "tab-region", @@ -179,5 +179,15 @@ "====" ], "description": "Creates a collapsible section in AsciiDoc" + }, + "AsciiDoc Platform Version Table": { + "prefix": "adoc-pv", + "body": [ + "| `${1:K8s version}`", + "| `eks.${2:platform version}`", + "| New platform version with security fixes and enhancements.", + "| ${3:Date available in all regions}" + ], + "description": "Creates entry in platform versions table" } } \ No newline at end of file diff --git a/latest/ug/clusters/platform-versions.adoc b/latest/ug/clusters/platform-versions.adoc index aa3a2366c..1c9881a93 100644 --- a/latest/ug/clusters/platform-versions.adoc +++ b/latest/ug/clusters/platform-versions.adoc @@ -44,6 +44,16 @@ The following admission controllers are enabled for all `1.32` platform versions | Release notes | Release date +| `1.32.2` +| `eks.4` +| New platform version with security fixes and enhancements. +| March 4, 2025 + +| `1.32.1` +| `eks.3` +| New platform version with security fixes and enhancements. +| February 24, 2025 + | `1.32.0` | `eks.2` | Initial release of Kubernetes version `1.32` for EKS. For more information, see <>. @@ -63,6 +73,21 @@ The following admission controllers are enabled for all `1.31` platform versions | Release notes | Release date +| `1.31.6` +| `eks.20` +| New platform version with security fixes and enhancements. +| March 4, 2025 + +| `1.31.5` +| `eks.19` +| New platform version with security fixes and enhancements. +| February 24, 2025 + +| `1.31.5` +| `eks.18` +| New platform version with security fixes and enhancements. +| February 24, 2025 + | `1.31.4` | `eks.17` | New platform version with security fixes and enhancements. @@ -98,14 +123,44 @@ The following admission controllers are enabled for all `1.30` platform versions | Release notes | Release date +| `1.30.10` +| `eks.28` +| New platform version with security fixes and enhancements. +| March 4, 2025 + +| `1.30.9` +| `eks.27` +| New platform version with security fixes and enhancements. +| February 24, 2025 + | `1.30.8` | `eks.25` | New platform version with security fixes and enhancements. | January 17, 2025 +| `1.30.8` +| `eks.24` +| New platform version with security fixes and enhancements. +| January 3, 2025 + +| `1.30.7` +| `eks.23` +| New platform version with security fixes and enhancements. +| December 13, 2024 + +| `1.30.6` +| `eks.22` +| New platform version with security fixes and enhancements. +| December 13, 2024 + +| `1.30.6` +| `eks.21` +| New platform version with security fixes and enhancements. +| December 13, 2024 + | `1.30.6` | `eks.20` -| New platform version with Amazon EKS Hybrid Nodes support and enhancements to control plane observability. See <> and see link:blogs/containers/amazon-eks-enhances-kubernetes-control-plane-observability/[Amazon EKS enhances performance observability,type="blog"], respectively. +| New platform version with Amazon EKS Hybrid Nodes support and enhancements to control plane observability. See <> and see link:containers/amazon-eks-enhances-kubernetes-control-plane-observability/[Amazon EKS enhances performance observability,type="blog"], respectively. | November 15, 2024 | `1.30.5` @@ -152,14 +207,49 @@ The following admission controllers are enabled for all `1.29` platform versions | Release notes | Release date +| `1.29.14` +| `eks.31` +| New platform version with security fixes and enhancements. +| March 4, 2025 + +| `1.29.13` +| `eks.30` +| New platform version with security fixes and enhancements. +| February 24, 2025 + +| `1.29.13` +| `eks.30` +| New platform version with security fixes and enhancements. +| February 24, 2025 + | `1.29.12` | `eks.28` | New platform version with security fixes and enhancements. -| January 17, 2025 +| January 20, 2025 + +| `1.29.12` +| `eks.27` +| New platform version with security fixes and enhancements. +| January 3, 2025 + +| `1.29.11` +| `eks.26` +| New platform version with security fixes and enhancements. +| December 13, 2024 + +| `1.29.10` +| `eks.25` +| New platform version with security fixes and enhancements. +| December 13, 2024 + +| `1.29.10` +| `eks.24` +| New platform version with security fixes and enhancements. +| December 13, 2024 | `1.29.10` | `eks.23` -| New platform version with Amazon EKS Hybrid Nodes support and enhancements to control plane observability. See <> and see link:blogs/containers/amazon-eks-enhances-kubernetes-control-plane-observability/[Amazon EKS enhances performance observability,type="blog"], respectively. +| New platform version with Amazon EKS Hybrid Nodes support and enhancements to control plane observability. See <> and see link:containers/amazon-eks-enhances-kubernetes-control-plane-observability/[Amazon EKS enhances performance observability,type="blog"], respectively. | November 15, 2024 | `1.29.9` @@ -231,14 +321,44 @@ The following admission controllers are enabled for all `1.28` platform versions | Release notes | Release date +| `1.28.15` +| `eks.37` +| New platform version with security fixes and enhancements. +| March 4, 2025 + +| `1.28.15` +| `eks.36` +| New platform version with security fixes and enhancements. +| February 24, 2025 + | `1.28.15` | `eks.34` | New platform version with security fixes and enhancements. | January 17, 2025 +| `1.28.15` +| `eks.33` +| New platform version with security fixes and enhancements. +| January 3, 2025 + +| `1.28.15` +| `eks.32` +| New platform version with security fixes and enhancements. +| December 13, 2024 + +| `1.28.15` +| `eks.31` +| New platform version with security fixes and enhancements. +| December 13, 2024 + +| `1.28.15` +| `eks.30` +| New platform version with security fixes and enhancements. +| December 13, 2024 + | `1.28.15` | `eks.29` -| New platform version with Amazon EKS Hybrid Nodes support and enhancements to control plane observability. See <> and see link:blogs/containers/amazon-eks-enhances-kubernetes-control-plane-observability/[Amazon EKS enhances performance observability,type="blog"], respectively. +| New platform version with Amazon EKS Hybrid Nodes support and enhancements to control plane observability. See <> and see link:containers/amazon-eks-enhances-kubernetes-control-plane-observability/[Amazon EKS enhances performance observability,type="blog"], respectively. | November 15, 2024 | `1.28.14` @@ -339,11 +459,41 @@ The following admission controllers are enabled for all `1.27` platform versions | Release notes | Release date +| `1.27.16` +| `eks.41` +| New platform version with security fixes and enhancements. +| March 4, 2025 + +| `1.27.16` +| `eks.40` +| New platform version with security fixes and enhancements. +| March 4, 2025 + | `1.27.16` | `eks.38` | New platform version with security fixes and enhancements. | January 17, 2025 +| `1.27.16` +| `eks.37` +| New platform version with security fixes and enhancements. +| January 3, 2025 + +| `1.27.16` +| `eks.36` +| New platform version with security fixes and enhancements. +| December 13, 2024 + +| `1.27.16` +| `eks.35` +| New platform version with security fixes and enhancements. +| December 13, 2024 + +| `1.27.16` +| `eks.34` +| New platform version with security fixes and enhancements. +| December 13, 2024 + | `1.27.16` | `eks.33` | New platform version with Amazon EKS Hybrid Nodes support, security fixes and enhancements. For more information about Amazon EKS Hybrid Nodes, see <>. @@ -467,11 +617,41 @@ The following admission controllers are enabled for all `1.26` platform versions | Release notes | Release date +| `1.26.15` +| `eks.43` +| New platform version with security fixes and enhancements. +| March 4, 2025 + +| `1.26.15` +| `eks.42` +| New platform version with security fixes and enhancements. +| February 24, 2025 + | `1.26.15` | `eks.40` | New platform version with security fixes and enhancements. | January 17, 2025 +| `1.26.15` +| `eks.39` +| New platform version with security fixes and enhancements. +| January 3, 2025 + +| `1.26.15` +| `eks.38` +| New platform version with security fixes and enhancements. +| December 13, 2024 + +| `1.26.15` +| `eks.37` +| New platform version with security fixes and enhancements. +| December 13, 2024 + +| `1.26.15` +| `eks.36` +| New platform version with security fixes and enhancements. +| December 13, 2024 + | `1.26.15` | `eks.35` | New platform version with Amazon EKS Hybrid Nodes support, security fixes and enhancements. For more information about Amazon EKS Hybrid Nodes, see <>. @@ -600,11 +780,41 @@ The following admission controllers are enabled for all `1.25` platform versions | Release notes | Release date +| `1.25.16` +| `eks.43` +| New platform version with security fixes and enhancements. +| March 4, 2025 + +| `1.25.16` +| `eks.42` +| New platform version with security fixes and enhancements. +| February 24, 2025 + | `1.25.16` | `eks.40` | New platform version with security fixes and enhancements. | January 17, 2025 +| `1.25.16` +| `eks.39` +| New platform version with security fixes and enhancements. +| January 3, 2025 + +| `1.25.16` +| `eks.38` +| New platform version with security fixes and enhancements. +| December 13, 2024 + +| `1.25.16` +| `eks.37` +| New platform version with security fixes and enhancements. +| December 13, 2024 + +| `1.25.16` +| `eks.36` +| New platform version with security fixes and enhancements. +| December 13, 2024 + | `1.25.16` | `eks.35` | New platform version with Amazon EKS Hybrid Nodes support, security fixes and enhancements. For more information about Amazon EKS Hybrid Nodes, see <>. @@ -739,11 +949,36 @@ The following admission controllers are enabled for all `1.24` platform versions | Release notes | Release date +| `1.24.17` +| `eks.44` +| New platform version with security fixes and enhancements. +| February 24, 2025 + | `1.24.17` | `eks.44` | New platform version with security fixes and enhancements. | January 17, 2025 +| `1.24.17` +| `eks.43` +| New platform version with security fixes and enhancements. +| January 3, 2025 + +| `1.24.17` +| `eks.42` +| New platform version with security fixes and enhancements. +| December 13, 2024 + +| `1.24.17` +| `eks.41` +| New platform version with security fixes and enhancements. +| December 13, 2024 + +| `1.24.17` +| `eks.40` +| New platform version with security fixes and enhancements. +| December 13, 2024 + | `1.24.17` | `eks.39` | New platform version with security fixes and enhancements. From 6975fd7b024a0ed5263cbf647221b5b7e9c2dda7 Mon Sep 17 00:00:00 2001 From: pgasca <87044997+pgasca@users.noreply.github.com> Date: Tue, 18 Mar 2025 16:07:28 -0500 Subject: [PATCH 273/940] Edits for consistency --- latest/ug/storage/fsx-ontap.adoc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/latest/ug/storage/fsx-ontap.adoc b/latest/ug/storage/fsx-ontap.adoc index 739428c0c..3dcfc1de6 100644 --- a/latest/ug/storage/fsx-ontap.adoc +++ b/latest/ug/storage/fsx-ontap.adoc @@ -17,8 +17,8 @@ Amazon FSx for NetApp ONTAP is a storage service that allows you to launch and r [IMPORTANT] ==== -If you are using Amazon FSx for NetApp ONTAP alongside EBS CSI driver to provision EBS volumes you must ensure that you blacklist EBS devices in the multipath.conf file. For supported methods please see https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/dm_multipath/config_file_blacklist#config_file_blacklist[Configuration File Blacklist]. An example has been provided below: -==== +If you are using Amazon FSx for NetApp ONTAP alongside the Amazon EBS CSI driver to provision EBS volumes, you must ensure that you blacklist EBS devices in the `multipath.conf` file. For supported methods, see https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/dm_multipath/config_file_blacklist#config_file_blacklist[Configuration File Blacklist]. Here is an example. + [source,json,subs="verbatim,attributes"] ---- defaults { @@ -32,3 +32,4 @@ If you are using Amazon FSx for NetApp ONTAP alongside EBS CSI driver to provisi } } ---- +==== From daa116023a176d58b8ebd7fdfcaf92a27ded3d70 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Tue, 18 Mar 2025 21:11:11 +0000 Subject: [PATCH 274/940] Added back missing tag content: 45855 --- latest/ug/nodes/worker.adoc | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/latest/ug/nodes/worker.adoc b/latest/ug/nodes/worker.adoc index 0350970c1..3616fd0d3 100644 --- a/latest/ug/nodes/worker.adoc +++ b/latest/ug/nodes/worker.adoc @@ -18,7 +18,16 @@ Amazon EKS provides specialized Amazon Machine Images (AMIs) that are called Ama If you restrict access to the public endpoint of your cluster using CIDR blocks, we recommend that you also enable private endpoint access. This is so that nodes can communicate with the cluster. Without the private endpoint enabled, the CIDR blocks that you specify for public access must include the egress sources from your VPC. For more information, see <>. -To add self-managed nodes to your Amazon EKS cluster, see the topics that follow. If you launch self-managed nodes manually, add the following tag to each node. For more information, see link:AWSEC2/latest/UserGuide/Using_Tags.html#adding-or-deleting-tags[Adding and deleting tags on an individual resource,type="documentation"]. If you follow the steps in the guides that follow, the required tag is automatically added to nodes for you. +To add self-managed nodes to your Amazon EKS cluster, see the topics that follow. If you launch self-managed nodes manually, add the following tag to each node while making sure that `` matches your cluster. For more information, see link:AWSEC2/latest/UserGuide/Using_Tags.html#adding-or-deleting-tags[Adding and deleting tags on an individual resource,type="documentation"]. If you follow the steps in the guides that follow, the required tag is automatically added to nodes for you. + +[cols="1,1", options="header"] +|=== +|Key|Value + +|`kubernetes.io/cluster/`|`owned` +|=== + +For more information about nodes from a general Kubernetes perspective, see https://kubernetes.io/docs/concepts/architecture/nodes/[Nodes] in the Kubernetes documentation. [.topiclist] [[Topic List]] From 64ebd002e17c6ca3e00479ad9b5acf29b421c051 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Tue, 18 Mar 2025 21:15:08 +0000 Subject: [PATCH 275/940] Style guide rewrite. --- latest/ug/storage/fsx-ontap.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/storage/fsx-ontap.adoc b/latest/ug/storage/fsx-ontap.adoc index 3dcfc1de6..48e6709f1 100644 --- a/latest/ug/storage/fsx-ontap.adoc +++ b/latest/ug/storage/fsx-ontap.adoc @@ -17,7 +17,7 @@ Amazon FSx for NetApp ONTAP is a storage service that allows you to launch and r [IMPORTANT] ==== -If you are using Amazon FSx for NetApp ONTAP alongside the Amazon EBS CSI driver to provision EBS volumes, you must ensure that you blacklist EBS devices in the `multipath.conf` file. For supported methods, see https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/dm_multipath/config_file_blacklist#config_file_blacklist[Configuration File Blacklist]. Here is an example. +If you are using Amazon FSx for NetApp ONTAP alongside the Amazon EBS CSI driver to provision EBS volumes, you must specify to not use EBS devices in the `multipath.conf` file. For supported methods, see https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/dm_multipath/config_file_blacklist#config_file_blacklist[Configuration File Blacklist]. Here is an example. [source,json,subs="verbatim,attributes"] ---- From 89d9f1eb375318f73a13993f3c1624ac8b4c0f23 Mon Sep 17 00:00:00 2001 From: Vighnesh Maheshwari Date: Tue, 18 Mar 2025 21:27:45 +0000 Subject: [PATCH 276/940] fix: broken links for botterocket --- latest/ug/nodes/launch-node-bottlerocket.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/nodes/launch-node-bottlerocket.adoc b/latest/ug/nodes/launch-node-bottlerocket.adoc index 74c4600a7..d272164b0 100644 --- a/latest/ug/nodes/launch-node-bottlerocket.adoc +++ b/latest/ug/nodes/launch-node-bottlerocket.adoc @@ -100,7 +100,7 @@ Several lines are output while the nodes are created. One of the last lines of o [✔] created 1 nodegroup(s) in cluster "my-cluster" ---- . (Optional) Create a Kubernetes https://kubernetes.io/docs/concepts/storage/persistent-volumes/[persistent volume] on a Bottlerocket node using the https://github.com/kubernetes-sigs/aws-ebs-csi-driver[Amazon EBS CSI Plugin]. The default Amazon EBS driver relies on file system tools that aren't included with Bottlerocket. For more information about creating a storage class using the driver, see <>. -. (Optional) By default, `kube-proxy` sets the `nf_conntrack_max` kernel parameter to a default value that may differ from what Bottlerocket originally sets at boot. To keep Bottlerocket's https://github.com/bottlerocket-os/bottlerocket/blob/develop/packages/release/release-sysctl.conf[default setting], edit the `kube-proxy` configuration with the following command. +. (Optional) By default, `kube-proxy` sets the `nf_conntrack_max` kernel parameter to a default value that may differ from what Bottlerocket originally sets at boot. To keep Bottlerocket's https://github.com/bottlerocket-os/bottlerocket-core-kit/blob/develop/packages/release/release-sysctl.conf[default setting], edit the `kube-proxy` configuration with the following command. + [source,bash,subs="verbatim,attributes"] ---- From 4c340642f26cce1f442ff154dfcc5d6b487630f4 Mon Sep 17 00:00:00 2001 From: Gaurav Priyolkar Date: Mon, 17 Mar 2025 18:21:17 -0400 Subject: [PATCH 277/940] Fix xref --- latest/ug/nodes/hybrid-nodes-creds.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/nodes/hybrid-nodes-creds.adoc b/latest/ug/nodes/hybrid-nodes-creds.adoc index 9226ce905..a61329f59 100644 --- a/latest/ug/nodes/hybrid-nodes-creds.adoc +++ b/latest/ug/nodes/hybrid-nodes-creds.adoc @@ -34,7 +34,7 @@ link:aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html[,Amaz [#hybrid-nodes-ssm] == Setup {aws} SSM hybrid activations -Before setting up {aws} SSM hybrid activations, you must have a Hybrid Nodes IAM role created and configured. For more information, see hybrid-nodes-create-role>>. Follow the instructions at link:systems-manager/latest/userguide/hybrid-activation-managed-nodes.html[Create a hybrid activation to register nodes with Systems Manager,type="documentation"] in the {aws} Systems Manager User Guide to create an {aws} SSM hybrid activation for your hybrid nodes. The Activation Code and ID you receive is used with `nodeadm` when you register your hosts as hybrid nodes with your Amazon EKS cluster. You can come back to this step at a later point after you have created and prepared your Amazon EKS clusters for hybrid nodes. +Before setting up {aws} SSM hybrid activations, you must have a Hybrid Nodes IAM role created and configured. For more information, see <>. Follow the instructions at link:systems-manager/latest/userguide/hybrid-activation-managed-nodes.html[Create a hybrid activation to register nodes with Systems Manager,type="documentation"] in the {aws} Systems Manager User Guide to create an {aws} SSM hybrid activation for your hybrid nodes. The Activation Code and ID you receive is used with `nodeadm` when you register your hosts as hybrid nodes with your Amazon EKS cluster. You can come back to this step at a later point after you have created and prepared your Amazon EKS clusters for hybrid nodes. [IMPORTANT] ==== @@ -529,4 +529,4 @@ To use {aws} IAM Roles Anywhere, you must set up your {aws} IAM Roles Anywhere t . On the *Name, review, and create* page, do the following: .. For *Role name*, enter a unique name for your role, such as `AmazonEKSHybridNodesRole`. .. For *Description*, replace the current text with descriptive text such as `Amazon EKS - Hybrid Nodes role`. -.. Choose *Create role*. \ No newline at end of file +.. Choose *Create role*. From 4330d6da47be2889f5980439bf7dd88ecbc19f72 Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Tue, 18 Mar 2025 19:19:25 -0700 Subject: [PATCH 278/940] quick fix platform versions --- latest/ug/clusters/platform-versions.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/clusters/platform-versions.adoc b/latest/ug/clusters/platform-versions.adoc index 1c9881a93..745fb10e4 100644 --- a/latest/ug/clusters/platform-versions.adoc +++ b/latest/ug/clusters/platform-versions.adoc @@ -218,7 +218,7 @@ The following admission controllers are enabled for all `1.29` platform versions | February 24, 2025 | `1.29.13` -| `eks.30` +| `eks.29` | New platform version with security fixes and enhancements. | February 24, 2025 @@ -950,7 +950,7 @@ The following admission controllers are enabled for all `1.24` platform versions | Release date | `1.24.17` -| `eks.44` +| `eks.45` | New platform version with security fixes and enhancements. | February 24, 2025 From f8b36488a54b14d6ac08032b3737a6d759081359 Mon Sep 17 00:00:00 2001 From: Chris Negus Date: Wed, 19 Mar 2025 14:59:15 +0000 Subject: [PATCH 279/940] Fixed the Related Services section of the What Is EKS page --- latest/ug/what-is/what-is-eks.adoc | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index 5ec435ddb..e072612a3 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -66,13 +66,26 @@ For more information, see <>. [#eks-related-services] == Related services **Services to use with Amazon EKS** + You can use other {aws} services with the clusters that you deploy using Amazon EKS: -*{aws} CloudFormation*:: -Model and set up {aws} resources using <>. +*Amazon EC2*:: +Obtain on-demand, scalable compute capacity with link:AWSEC2/latest/UserGuide/concepts.html[Amazon EC2,type="documentation"]. + +*Amazon EBS*:: +Attach scalable, high-performance block storage resources with link:ebs/latest/userguide/what-is-ebs.html[Amazon EBS,type="documentation"]. + +*Amazon ECR*:: +Store container images securely with link:AmazonECR/latest/userguide/what-is-ecr.html[Amazon ECR,type="documentation"]. + +*Amazon CloudWatch*:: +Monitor {aws} resources and applications in real time with link:AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html[Amazon CloudWatch,type="documentation"]. -*Amazon Detective*:: -Analyze security events on EKS with <>. +*Amazon Prometheus*:: +Track metrics for containerized applications with link:prometheus/latest/userguide/what-is-Amazon-Managed-Service-Prometheus.html[Amazon Managed Service for Prometheus,type="documentation"]. + +*Elastic Load Balancing*:: +Distribute incoming traffic across multiple targets with link:elasticloadbalancing/latest/userguide/what-is-load-balancing.html[Elastic Load Balancing,type="documentation"]. *Amazon GuardDuty*:: Detect threats to EKS clusters with <>. @@ -80,15 +93,6 @@ Detect threats to EKS clusters with <>. *{aws} Resilience Hub*:: Assess EKS cluster resiliency with <>. -*Amazon Security Lake*:: -Centralize and analyze EKS security data with <> - -*Amazon VPC Lattice*:: -Enable cross-cluster connectivity with <>. - -*{aws} Local Zones*:: -Launch low-latency EKS clusters with <>. - [#eks-pricing] == Amazon EKS Pricing From 3c936e55d0eea041e3df08b9b4a060da065a83c3 Mon Sep 17 00:00:00 2001 From: Donovan Date: Wed, 19 Mar 2025 13:35:53 -0700 Subject: [PATCH 280/940] Fix IPv4 cluster endpoints in China --- latest/ug/clusters/cluster-endpoint.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/clusters/cluster-endpoint.adoc b/latest/ug/clusters/cluster-endpoint.adoc index 6f43b3825..7bdd73715 100644 --- a/latest/ug/clusters/cluster-endpoint.adoc +++ b/latest/ug/clusters/cluster-endpoint.adoc @@ -57,7 +57,7 @@ EKS cluster public/private endpoint Amazon Web Services in China:: EKS cluster public/private endpoint -`eks-cluster.[.replaceable]``region``.api.amazonwebservices.com.cn` +`eks-cluster.[.replaceable]``region``.amazonwebservices.com.cn` ==== @@ -246,4 +246,4 @@ When you configure `kubectl` for your bastion host, be sure to use {aws} credent *{aws} Cloud9 IDE*:: {aws} Cloud9 is a cloud-based integrated development environment (IDE) that lets you write, run, and debug your code with just a browser. You can create an {aws} Cloud9 IDE in your cluster's VPC and use the IDE to communicate with your cluster. For more information, see link:cloud9/latest/user-guide/create-environment.html[Creating an environment in {aws} Cloud9,type="documentation"]. You must ensure that your Amazon EKS control plane security group contains rules to allow ingress traffic on port 443 from your IDE security group. For more information, see <>. + -When you configure `kubectl` for your {aws} Cloud9 IDE, be sure to use {aws} credentials that are already mapped to your cluster's RBAC configuration, or add the IAM principal that your IDE will use to the RBAC configuration before you remove endpoint public access. For more information, see <> and <>. \ No newline at end of file +When you configure `kubectl` for your {aws} Cloud9 IDE, be sure to use {aws} credentials that are already mapped to your cluster's RBAC configuration, or add the IAM principal that your IDE will use to the RBAC configuration before you remove endpoint public access. For more information, see <> and <>. From b078c98dd7fabe5af6c5306421d8f96237d812cf Mon Sep 17 00:00:00 2001 From: Nick Blaskey Date: Wed, 19 Mar 2025 13:47:24 -0700 Subject: [PATCH 281/940] Add docs for new community add-ons (#921) --- latest/ug/workloads/community-addons.adoc | 49 ++++++++++++++++++++++- 1 file changed, 47 insertions(+), 2 deletions(-) diff --git a/latest/ug/workloads/community-addons.adoc b/latest/ug/workloads/community-addons.adoc index d8c6420ea..d033e24f9 100644 --- a/latest/ug/workloads/community-addons.adoc +++ b/latest/ug/workloads/community-addons.adoc @@ -53,7 +53,7 @@ You install or update community add-ons in the same way as other Amazon EKS Add- == Available community add-ons -The following community add-ons are availalbe from Amazon EKS. +The following community add-ons are available from Amazon EKS. === Kubernetes Metrics Server @@ -119,9 +119,54 @@ Prometheus exporter for hardware and OS metrics exposed by *NIX kernels, written |Custom IAM permissions | None |=== + +=== Cert Manager + +Cert Manager can be used to manage the creation and renewal of certificates. + +|=== +|Property | Value + +|Add-on name | `cert-manager` + +|Namespace | `cert-manager` + +|Documentation | https://cert-manager.io/docs/[Cert Manager Docs] + +|Service account name | None + +|Managed IAM policy | None + +|Custom IAM permissions | None +|=== + + +=== External DNS + +The External DNS EKS add-on can be used to manage Route53 DNS records through Kubernetes resources. + +External DNS permissions can be reduced to `route53:ChangeResourceRecordSets`, `route53:ListHostedZones`, and `route53:ListResourceRecordSets` on the hosted zones you wish to manage. + +|=== +|Property | Value + +|Add-on name | `external-dns` + +|Namespace | `external-dns` + +|Documentation | https://github.com/kubernetes-sigs/external-dns[GitHub Readme] + +|Service account name | external-dns + +|Managed IAM policy | `arn:aws:iam::aws:policy/AmazonRoute53FullAccess` + +|Custom IAM permissions | None +|=== + + == View Attributions -You can download the open source attribtions and license information for community add-ons. +You can download the open source attributions and license information for community add-ons. . Determine the name and version of the add-on you want to download attributions for. . Update the following command with the name and version: From 00f98a407f390fb0866e155da69e0a43e7fe61f1 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Wed, 19 Mar 2025 20:54:19 +0000 Subject: [PATCH 282/940] ticket fixes --- latest/ug/images/cn-image.png | Bin 0 -> 311749 bytes ...roles-for-service-accounts-minimum-sdk.adoc | 8 +++++++- latest/ug/networking/cni-custom-network.adoc | 4 ++++ latest/ug/networking/eks-networking.adoc | 12 ++++++++++++ vale/styles/EksDocs/ExternalDomains.yml | 3 ++- 5 files changed, 25 insertions(+), 2 deletions(-) create mode 100644 latest/ug/images/cn-image.png diff --git a/latest/ug/images/cn-image.png b/latest/ug/images/cn-image.png new file mode 100644 index 0000000000000000000000000000000000000000..90f8d479c255d0cc93d1653809450aa6fad62f4f GIT binary patch literal 311749 zcmeEuXH=8j_hqo5(iEjg6{RQ$NH3wNsB};fkS-v-*8l+m(p0K+sUiX*y(W|-N|lcE znh;uqKtc~CkO}Xs|E!r0|24kzX+Hc|D~pGakb9qd&pG?-y)W;d>8R3OX1fdk0O-`! z9=`wpXegJ|k{2&fzCBtFu?7HWogGwEo~f&-+1tIde|QK;c~gz(+143 z`!hNy0Uk%7JRK2_L$Qxag(9dPH9rllN%n)DvAg535Tb3Rz& z8jMt4eHst>7V+UtqA7ldTq8*~+45WpQ*wTtf4Sh}<_D4`of}pw?!{}tHnaJd^jA;H zc<@Y{DL&MIf{RNZ)iuB)=>pcRhg28ZL;_vyueWtviHi2J{-S>vqxD>t+6rbo=

        =n~G~h~$wF6#i_84QxZsJq|jDe^{cRVK2_%@cS_0y%{8^tq%4XZL=4XqpW2O zIsNZ^`@Muge&g7s=F*7QsqStBo|AVwa|LESCV54lt7>gMI9Ye?)crq97{&0Z3bE7p zjnQymz;3Fu6wT7T!ZfSlN5UkWX|h^NLOc3oo37P{}ng3(E0UUV-zaZA(AK#Mk&L?f?uw{K(^oMotk-u5&)2}sKMw&u) zD*i+N#sxDGZh9grDBiw*zXKTru&i}Qn|S2?4(R!HSWFRe1iC=1;*ZUcb{(E25HG7G zcFIDn34F8r-&AA&-;fgqWn{#dgjd>OVq2JfO#fc>uKN>KktKrobxDH`+!hQ{nX7%~ z^Lk)c1R9Co?hez&%oYfK$BuL_F}IZWJ}Mgl9H3Azm*X~g+!6)i&D}5EJ#!RR+3I)6 zDpK;Fo7c_&bRga>4S-#y(TI{KWZ6zpDa*V+d>yR-5iN=+dj%cFJNP~&b)Sc@NAwCH z_??k_i3fE8zig~hM zmDd^>&eOjtO)2v>)oWU*W?Wj?Sf8DiYZ;!15#gg2QbhKs{<&LssXwzj<}&7g4@^M9 zcmrkTHMNO$H5?V8zwsd;o4))RHEw!#dl36Y8jq8F*YIii3KPAH@>k{C7Zp#ckQo#s zBhg{^A0t5oJk0tzW=f+7?Y@OI!NUaUX)AMaDDyI^YG)x;tx*iA9)%x@Kzcrx{0FYQ42pR9{{>gt8}(J8m@=8}a|WcaXB)oE zz`Iuvv5>KUlfOXe#*SfyFAfdd7H7m=2%oEv#Unc|C(L^J-*rJ&1TjMz8uollssqnq z^HscEK8lZPosdFMgskTIpq!?#LEK(^*N6g&vOX;v4be>uDjX~pZ$tJLyA_CfWzl=i z3$5S(s;kg^WZ@_&YOLQ%!&P@dM{k;e^wYsYMH_U=hv#}Uk|QGU5aU0*9u6KI_MO0k z(3yd4P8)Sg6!!_Ox$tNML(vogBLP>2;O+ByQDuvtO0@ zce5V0HEt$x2XDUyFW-E^KSJ{&^A@{vE)@P8KRDV7C`9 zFP`AkOl8^q>wtK>fip}y;)}AM<2LxcKRN$<+(S%+?XT4?ju{)cr|0ezG1jG#B#{WF zG!OpKNN}DI8*18E#gF7RT}I0~6x!-{!jDLN{R^rj46gA%`&kjAFSrTYcS5brRizb0 zQ&1=$D5Ly$sDxlRV}O{?R>A*8V&hu0N?!dxbiH+4Ra?|GOowogkgfwrBP}V7BAtrT zNQiWYbPA$`lys<+NGaV2lF}&M(%sFs_CfFS#`pg2xqsX%a`swlt{G#DIX8~wy>qR6 zx29;F&cMD5Vul;2z8hon75O@#4`0uhos~6n zhsf~LJK3-g(V)LfGx;&5TJqyF%}J56Kqsa-#^<0!+DyWW~o&0m~lOQ9@F>d0Lg0JoR3VlF8=*Wlqnb)<*S`^M{wDG*Ib% z7;6}hjq{LK`nsYIRt9^bFfQ?%@+#%^^zjlqXF#Bm(MGYd3>A=IXz}vk-MeDOUEVXrsgI(8xyRM7X zvtR#_^)>^)>C)Z0KH9dK@gE|$asSH!ZgBuB3P}=I%9PS7F+H;#+r6v+R-!S+W5>8* zP#S+&Fr~ye?#dh!Tcn=ICXlBbH_rdjGBp`8v%JT>GPzy{o&FllC>j~=>O#;VwWJ|k zs+bC7Dp}7AWs_1&y7ChH`*-Q>y=vXxE-YHEz{#q51h9_rcx_cXVv5z@pA|8`SsO6z zCAqAN>U> z236RJOPW6S&D?5h{Wvl+?8cCa^5DP2kc8ic7%l%u2+zzf{Aq;TahKN=%A5TI==~aq z4u4W>H%YZ_vHUP8wnE2(HHp10kp50gdh;WJAa2>+aVwT!%U|5CVrnIJLq1z< zw=M?f6$gbB&+{#uig&eOaD^XK1+*sLdQy8#Gf{!g_+K&SC&>@eHSQrie2Nq)6X3y_ zgAg7(lok0r)!tSp?!IRawK*=PLDam}uP)iS=Q$Lu_l@u`K^?xCnZ?FmjM;Em{c4Oh zQN(=Z<9zjCWkY1C3rF@_@6nc4lnQ=V!EYOcQEq?gkd6>M~AA8Jp#v)?)Od2vd{EMA@WvMhhUefm-XvrL#f^=gl6X<(4ZK;f)OoXV}6 zfInlJ+*!6lh1@k;>594Tc-L7ZOZR#8>aLXYn%K=jOxlYIrHl3YGvk(^J$ivk0*b8L zyrChT5pRummznIQ*%tn%gz`56aS_uQn73( z4{;D8!O2gJH6+LH0Cn+;#kPj5pdPr$tz=tGz&IVo$EsD#t0=z43hWUL-#qVvy>QyP zSR$%k4bi3kx%ccU7F+eBiR7&-Fg~Ggsn+y#DV!$LBvOQfVXJd4eWhhkLyiw{n#`%< z+zgL{+PM#cb8;1Pvl_t@TGblzF0Z)<$9S$QlKa|R&OGw zAv?>i`!GyH?ODaM!2CY^`_ca6V1xyky`6A{KJ^Nea=`6TYCqg0g_ian4mb#zD*2cg zFQPzNLkoV3qEqny#b^8FuStD)jzVt#29{g7U-stuBoDQS?e&k_>rX%1r6th>OFU6 zmwWs8W3?Xabyu@W)faY=OoP-e?xaaVn>=jVg;X8{6hgg6iar_ag_MaLTP5lh>Sr=z z8hhCd9{`pxAjc<>(^XU_>`~O#|7vi1?N#4a5`R{!qVLBuTJP8O2HQ5fQ#kh{`*_ZR zV08Rg2GnEJvUR?`C}p-~5~(kD9bUXq2iXU!;IqKjK%N@yzjh;2>R|khGl=5GfMLLQ z#c34Bx`hXvAwGrl*2WXb8+F(-h(bv=3G9Nq9gV@hlap7po1&%go)kF!Thf6#HJKOTbn<`fBzpU@5A-ARE;UEw6FFKjiAOcv6yDc(lKPDQ{BYcEDCdgt+j7G0o&Z2r&;?eb3 zWMe|{#Q~SqO1HS!O7z)fQtfkMiYG!I3w9M6t*?o@GP+&7BJrg96vzL(ZhHp9ze7af z7=}CdbgosR!6OJM`Ofal^6duGXj;J53L=yAodon{By)6v2x(6bYF%lWaO zJ%S~mha%EGzv`2$z$dZu3`r9-U8XNF^L2sOm>|@IJhztPP6T?yPqhk_4d-2&x*pcA zes*`PCQsiw?{D=g__UNz6jsgM919K!p61Nv>!nTk#xtAuDp&4^p;K$g?xuu%Z{4xN z?%w??PYG6*C&3|!TS}jp-cpV|YiHyi*>F`eCU>SN`L4^vZ~FU=MT1sn#cOQ!apkNz z2?$ueMFI{gcz7!J4wkGxz+C`Vb0qVBJ-*=0a6F(IxFK@qNiaI+?=O``2k6o=qw&HV z>K`Zcq+t7T)Z5YAo^mor3}4;&*FO=rN)T}^6ipZNya;OzaWnArUmYsEf9;7!`A$x9 zMdb#Bz0XEoIt_I^XWTmy+t7M>Jf-^$2WHoBM5ix!e)!QQqNy*#XOh>a`)W})>0~sa zqgNtr=f+)|0iiqm_Nn4mGcI!PM#Fc0Wvr?bQv^j;1!3s7HJmI5ls~28UuJr}3&K|b zluzqxJ6XjTx!0T!TU1E)g zot`FevY&ml8M)1Fo8qC)W4^)pyNME`M|E#hl@FIPFivfSJ>-ihKKMs6Rqt>e_33V1 zGQU{7ta+eu#dp@H%Km!g=(%3hdG`xuf>Wdbb47F(HfqRy*4A&>{ zuRKj+iyZUL!O(}JK33*93^fw;jmeq>Jn{8~g(B3`RF$JC0X;VU^QD-lD;d3P(%*4n zat8H}B+|a^ z+h-e8o2$=nqAvFe8YnX|GCHeO#Jo#~HTYn`s`$%lnqGRJU1*40)ONk2Ey3d6FO?#f z{{B_S4d|O>I z%moASo!h0p#2np!gE1NrqK6z7NM`r>p5TqUWc**7A~51;0-)kQ8#LwR^}}GGupdCWD`cXC#2DS9fnRmgMjlx>&!OBQVZr zI3h|YoDB@C_qYU^hz=%n4zfp?&7%~ABibFN6=0KBcS zXxGiL`_z$}ap%?xFzx=CaK&k(S!#SzJsppdv$iNUa(Po2w7oniY&m|Gm0 z{_I6peBRsrz8!3A?!*+8+uWozPOXoHw$i#&+e?l5^hj&?Q8Mn*1Sc;g6@GJVdkm|r zNGY6C$AbbO3z5A@6_s=#uQUYV_sN2ch$*TRypb`t>wM6|5DVA1?tYv;X(*nEE~y!m zEcaV_AlngNI1b4 zYwW6`fm?4_*z%efXzY5$xJT9hg-F?lvrN&ys2;T_13kPx2l%}K_FjoZ+#V1z&0o%~ zEUla*WPcib3f@Wh**A0EGd-c!tu6iPAt|1aXsT_C%?FDyi7A!K%l-MI{tjlUm~#(1 zd2F$>=36gkN=iDW?M?>oIw`Qv&kJ2sY_JO%Y^4r4nT6z%e)SJjly11EX~R zQ4F2q1F(Dw=IOj$@2o;iz2YBwGy2$7C>qr^@41;7Y`yQlL?n;?w}4g59t3&OHXJj8 z*UE57EuDi&pqi%!54(JHqz=}GKlwHYhgoVBsnl*ej@}g?xe(o!2x=*Z#i_q27Oa~zoQ3Bg1KK9rctrutd81+4oFtzlk)<Dt)U&gQ>B~vd(`)#kGQvndWfVk?7aIZr+)jE%gT^=Vti{z!^DZ?n4CH{4&iTo z4;~nWJ;|dl8jLoPZmPx8917jyFE(kgK!J?-5P`^#=Z_ASMb z>J5T2tKoe;kBabvG?=jIJ{vE1?;DWcNm}$x#;DPNdq;}GODE+z9j?5943%zr5T?XU zt;e0tw3=T-_CyW8h9rQH)X~K@?HFhs@Ts;lz=cNgUj{G%zQOpy;4vfCYrqa=yyl(6 z$I`WM|MU2a)Jx0tk^8|Ut0aG~;7DN@`wdZfr6D2#U=~@*l1#VTH|1(vw}A!)9syVd zTm_rYc&DAO!m9HdGfeso)>UR)g%`c9zI-S>lYTXQDRv(la)wCYWpHr*px?~9#^;2$ zfj&=a;QnYn+Ij$CvX1?8+OMq`#L@nH9>f&uyGggmN9rdh=CXf3(#1t6NhEI~Cq}_* zirR2ufrJbRSda-UB<%$FG+DL%50y;z){U7*2 zArtFBoBCVOxGL6fa_7D+$+=6(LPGFFt^LROKlBv>E>0Qhtw&aMdYv$a#0UHNEp z)!Sb{p=I`wFLhG!iMzZ!vvDjsa9j$A)A~Fng}A3`0Ogn(t(rV>Oumn=Ud44 zko=`@!-)t@k8q;NS8-9`_#FNL#1sLoI_3Mt%&WGm?BQ+rEsw2h}66w z`Uuel{?dRwqO1LN)AKxl3}!ZdSu7jv_zKH1qi7w8kb(g}Za!v0OQ=vB=q5Z|f~#D`lW z`0#D9IQHCN-%uFael!Mj`rY{4RoqtD4|YljU+pNq=Lg0nPh0*KyTyj!UW7DigmUu{ zbTt*wOr?Q4k6lGE1b=Ba5G+JygX|!z`kK{#Gbuk}wBvVCV&Iw{b|!^x=tM|4hp*SG zRuO_gVz{M&|0n1!e~=~agB_{V$qQf|U8KV=XzL`KfmB^*pJ)X$k=vL~Y#bKAZR@*s z3u}j%*X$YiE^l}z(E+zC26OV9JCkUpe=^&d(L&P@^+rzJqZrJ1KlhZS;Wa7*4TB1>1ARjb6oK33u0tKZ!;A&94Wp~WMsXM&&fr}XY*I8w ztsyrJvIj*ioC6UjBsdz3Nx^^l0=LGZ2DF%hPC?!^3`ttd)XxZs7kE^E75R|03H;gm zfO!`}hml>tiiV!9s9~R-!-hjYT+EV|?JIF%Dvt zA!MO>&AWL0mEWZMbW4w!pm+`WUJa}EbDf$=x@-f-fu}birxuldeL6lGQeS{&LmUzK z9*i1>m@Iyyh|`Y@ctjQ4v~0z&f9|_aS*z|I^xKC#aWo#hl^i1Nm={`H5_n)8l6&BM zjEWMhcx_gk!b4PGZ&;w31r2>DZvyzS<{}}EcXHkXO&lM@9rz|2jKNBg{*|CrU3h(PR{q^zo4X~yjC_Gu#fd%O)*G%H7d$BWj#^71G zl_Xc*-&og`nWQuae@POq296u0HTml{%NxVy&vg@}38cnKh{D*B_aOl>iV9cTd#bOy zR6!eNZRVQPdrl&kZrvy5xgueFLcATgzE6NZQ)5P$^Y9%ygk(II0C3d))Uc=LAGp;c zyOM?TWAMs2Y4q6EEwLi*C?NU-*rDpxpd-P0T3L7MD!#l|M?rM)%g0H@Uju2w$$6&Z zo2Jo_MCP@!rRE<2Sf0+(qE?-!RsQfEKAT}(sdmhR-TTJp&pu|+yp^=r#=;wYLx`nm zU0lB$TNf^E)@`S3GKbDuL;AI{L}^4|jMWGiES2lpTxPcYF zt;1u+<k?+E1cRj-XfA}`}HFa~1~ z(TzfVKs^Z^&g3O~vNM?_FC(9dUFiL|FB+d9MIRCx{R8;xYr5Bv#w)?KTR$`SF+?!$ zY-{FCq03pas%q02M;ba0Gvqpg5PqNJ4~A4DU_;>~Td6-9!5>}+KJ?Xj8>BDUkceB_AAjx>4|pPDx;^+I3i3uu*PEd=&bw^%41~8H)VFhytOyAl*$;jSl$8K43Y2zoqq&g;9fpm&S50pAd8k zIcUv<6o5|GvVQzZN4cu`fJZ)G`Fk7d1-B8^2J2L8G-JVg@O41@cc}j{oXcNN4r?W1 z9Im@up)pjqymf0o(PozuuaNyJ5)ta>q!I45?Niz|5m<;g;>t|Q8Y>OW|6_uynIC4K z-C0MZ)VHvL==irC9^i;h#;JRgkdM`ibswqA^JZIn0{MhlOUR+&G)d)#^>i~?!xL}G zHzB2Ue?UYj!1=TVDV9L1n28KLVWcs9>*q~Ikwq`DVRZsZ=ZH)*IYx8`tymfj7IbJw z9f=T?%go=(1>lD)2@h`*iliPmVic;J`E=bd$)W)SGR;Jdhv-AOHy9NH7v)?_a{ogi z$1>uF{8PQ#F9IDA>Uc+#zSY#|wtgfgpLpSLjf}=Jw?{CKPsy*F5Tq5-XS7SH_N3gg zZm0M5@mt?|XDqy`77TrQK+xj545+6!ud)IZ+D}sJ+TG?3q541vcN0R;#(3X^y*wET3_&YV4G)O(_I8U$oQMad`f z4}T(mMO@Dqgzv*NfHJB+WvEZcmEW{Xi;U>NI#cS1{Bvo~`?}>qk@rV@EA2g2FEb?~ znkvjTLeCJ7Bml)Nz2Eosw=$`nv_F2K$E^=P@l*KsWe_mEeoci8XjWGpH(X3XxcmCg-vtSpZSNPW;oOyU;orc6 zIKUBJZeC697|53JxqyqqElXGldpWX0?x?I}`YbS^^;B=EHVNW)ZF6z{vV!q`^8YE> zUpzkGT2aA#(;%BTS=4Z;0LioK&NgfIC*7vihXu~{kRaf35uSs7L;`Mh8<&9>F5k_d5bl-l<*X?A0jOsTvY40C%5MY&U1oO# zuIBaec^#x;tsKQ?vN<0ju7J<=R!WpdgD8W9whjq0jYKLlpfyONx(O6L3mk7f%?-uX zd!CbeI}S7HDSorbb#F}u2lDVt72~+uU6 zvp~>=ra&LK{BX2{$30;1)Bp?ipx%NTfrtp8X$6O@o5bXQvy!GJnabMDgq#+>q8mEjL{fW)cI3gP7B&T?0CuY#hP0Q7zfCVRBFrZHYVlPz zkYp>mBuE!_${1mNvT9@jrLi$0N>3NpaDy6L4GBErLS7&Kr;HZcR*XmBjr8=W5`1v} zTa7V9j{w9JN{sv{Gt+&+S;zZIbfx+(g)48FyO*DaJ{W1L2p+~zWTQQrA?)gleog%8 z;f5j(DW}rZ+E5JSD5Fe^O81AyZi{OM(3KHOC3_f29sBqSWygC%~6Valt|r zsg%^~lOiw!o~0!WaiJqM^=H|E+qnk<54b=dbE*j_0Zg9z8faACI5U$$U>UMDv}vv0 z4+eoIXTXeB$b)-W^a_hnS23O=v)pDpd$7>3A#HW|bHe#W<|~@4+3&A%wipSqKkUt7bb<89n8DbzwSYIh^1BA}2Mz zr%jY{v*GG;VQXW&A_pBup%wR2bC|_HdHn8QdHmy_o5Iupx>|Uz&Yg)$_1X94qWHlKWAaehP~BMs=ta2ECLRAyo6 z_L6zeIm*y}{9xCBo4}m}%S%48c(3V17H2)48Zu-yXrh(r`bf1ep36`LO!Q{FIBK~1 z89L4l#+6dsb1z=wJ+hsWcUn8=NiFhv+d1U2X7T$^C6GM>1Z!M8a33C}?ALbqE8(r| zJ&YRCsM286i0PTTQO@Guf(C2bSize_b9AV^G^qM$cN-+mSKc~yD2NYLI9C*uUFim6 z?7uqSy6NhBw0*B-uWyV?sb%xdlgy_5#=(7Av9m}lJ7)34bFD8Q*!Zz%ov>lm0lh1> zpi8DYEbAU3PRN0!9Ovt0vlJxt_6(Mov<*Dc){k>otKIAQz^a+;Uie<+N-LFH%%|fJ zhlirGJT}>fd`Qx;>7pU`pmz;T)B}9%Al(a+Sb$w152|xm;#s2f4!NvM35)<>OkW!K1J!v{LPRU zZvw!d0NVWN=eg_NFaSp9<9ro~RGE7Z^YR)vKiON!PPWauYo%Z!!J%Irt5atAC!a0& zrSm)Xhjh0Ocj@0uw`vbx;%3qX;UUM6gJwh*<`mm{R0lgko}6$ijvEg5NP&+R)<4iw6;!@s-ZwT3O;C3l1DG^28FA`G+H`$^Mr3vG26+w~NV=I`cyk3vVKz~iLA8_L4d54z|B7avqcK%zln#2h zh_M_;U+#7=uYmES%1kT2zJOQH4r{M0)Fx*-%>P)KZhJ$n$>bAQK=WU-&C}~WbhG)Gt=owy_38Wa}m^e!4 zbS;b|*lxB&U_4E4MW~UnUi;<$mn*#x{1-JBe%Uo##5?E>K&>Hxm^ZUq!$}7#9p(qj z_$`M*<2jy6gZB<-v1#Ad>AQ3tE3ghTT77+MZZ@uH;KU^5NhHOOkCeaii7sd%^#n>bZ~cx-X{S6)=1hQp1alP=t_Zr zY*jO6TFfr-V$Vz8FMboiabACHK_CNFF^sGCg)&GANRE}$H&*VO8Z`p3SfahFB-rzuIrPHZmf$u~M;9SxJk11oZ!*(`&Q_q+?O7@AP zC--R%?{_nP-57~uaMcAc%x}!7f2|60fI*c>1M@pc*IeB6is%DLK_>GIH3(x;3>$$M z`}v~eOQY(Z&Q8#e3AwnASzLDxaH+e_wUQcsv?{C$DYuWx}-yNW)b|75^9TEO>6x*PX_4$~}sf~vExB0Ht*>B)LlK7gK-Qx26L<@}Ww;V6O zLv7!P{B7Fjj5UFda5KeF2`UMrdxuKot#3)oY%+m*zgm$&1{t7zGesqnSTI*nQpXK* zqh7}i+4d=(Xe&9H!+v>st{@EGjmUr2fiDMg^Ia{AVoto!h!>7csW#@}FgAMBr9C$O zkw16!pNnQ9KY#aQ2fQr+;1xF#8?y?J`XZ{>2e4KVZMtz7P68d~FRn_UmiliUmijts zHNt0jbpkV35C?=&O|G=S3Y|a2ueW_sbxutxruYt&LE0+Pf%*lQX}@=DG1GLPx^Zl8 zJ4$GiDwjDk$g!IPue5R~uI%>T7DbAO`}4W+;no?=P*3kmRA z)BG*;ew;(hSJRW{ftj^Xlayi1A|ZvlgCUwjIffAlNh?ajaq7}D`lxTAvr(z4wcL!0 zYNKsDJKo}t!_YCyZHS3W_sn}&xM_EPlm3r^N?$jS-1;Fqxp_=4h;vy@X4W9a!2Y{8 z0zqGYg4rKIerXM9B&k&+>(S-pphJrD?<(9_CJ)3EE>v+agg*syJ1?MxtbSS zHn^Iee22<;X;9AJSy*H#1~InOC-4m32swr=%sFzZA5=X>M?xYUTv7;-7s7dGu$R-e z(4oqG2KDt_1B0H%VT&m@b>P@qGb=g0*6=B`j+a$T+^h*PHGqmcnIF=qL4R$e^+E1P zfr?}1v~n#5S6ZnJiOAtCyUzAafyY6l&d2Q= z_W_p7htv?X7Flqc-c@L{GjwzO_0z4OHu$sC1?&?&2t;5#Djg3#+u4_rNF zW|JmgW$(wDSuL^9&K>#uOULTU8?aF#f1ywj+cESPz{Vvr@Ud@2rl@@0^372i4h$VN zB8~Bf36l4RC%s)Iy>VImgDX?(S0G?CXfo&&o311NeLb`*#$auftsnRfbj^Dx@z5_q zeAcnRp@5d|p*Go_k44b~IOLiM5>JsehLH}%V zRzPdf<%t7zYe&GFUw1@psJ)+05ZWgMUc-X%m<-Z6UbZhOdSPVG+a_j zW0@>uUxvA>@0Ew^^g6ruJ9m-w!}5P|9L(i~hq+oat=jXdZy6iAFIhVcyU8Z|(&ayu zU<^90@=228KRDFF)^2#;0oShT)mQ%JK-^E)Mv&?nLwgg#s)0EGxEh}VBT+a4-W^sw z*({bGw{r0FU52RjL=Xm5@-62`$rD68pho#$IzAloA8+9eo%>(bN16=$(R)8ns_%kT zN_8!RZ~$7PCPN$@Fa-675Pl60P+Fgxd%Zn1OWd4L`sOLOvXru!B^SDS_o!`JannVD zK+M;hZOP-v^hY+}B)B*5vS^nG?^?z^TUrX}n|VdEiva1*q2dgv>1y&ODS1W%({r7d zD#45p>pHyb4+9w6sMm`T^oMbIOEug(=G=H+BaM>}Isf_D9F01hh#`%%Lg{7_3Z*Sc zmoAuepzgDWh7S=*jm;VrL;ha5-ra9KE44ju3q&a#H_%3^;+APYgg)N%#GJ`>3Vo@! z9NCaCQ3YObBSEw=s;u?Jbw9!#Jm06XXiUU+H%36fIRV9bgzB82iF+SK89QJaT=`_b z95vEHISjX=(f>Nx2p5`jFkG{3kv~}RHRoLFc|c!OGIvl&h9|r;k`J;3onBDrcnlOI zgeB1?jiqw>kj9rvEKPg#B-AlTFU;$2&ZU)ctSx0(*W8<<=?#1Aqq$1zYpY>lkURl&ImKebX&xF&|q?y!C13V>xWKt(l!7dmGGrZogMEPf@TIR3*!a?@R1;w+daEqR*}4eK&- z>5=P;DysS*?k0(^VmyKiUXLB5V}F{BhT+rOm1EJbyQk9TZCc=eY%@^!=51p6yYW%) z^IgL;hW&lb!=xYLU1Q$M7>Twi_E6gzFvFeE2wHLCrGW2Ij?nM3NusqKc z^Ifd019pW-hkU)a77d-U&!?q_Dq;O=zKX5zWqZQ@=nKtHKT~A)f1b&H!BgC5bYBY7 zN_Hr~GZK;|Ei0c&`=Y3ECH`>&6;`5gH}K{Lzx{lxbQb*EoL}L6ZByY zBotXxXY?YG)b0r64USI={@AesusoIfrpM$MkRj%ZQm5W_B>|1;L1v$iqc)Vwxtr+y ztt&)(nZE{OlqCD_>3H+ieej=NU25#-pr>-i?I#yZ_~kz98#?7PQ6=Wy@6{(G3)6|u zCinKSRIgD?kHwGn4m+EBpUuqK{)U)tAl=Q)vSga`!FSzA!aJudWioyj&bI2C6-kqmzEB)w`0=^hu zti>Kz-t!@LaUdT-`M|#+N=L&^J+pt_@}wSK z#DA)ptvxlVkfbSl0s}+S)?Hs22?qW)2=ltG8Pyr_ua(DXpb0jAn&dbRvGL-Wpe)$X zYcEUo7jqixpSf*nPa~R1=Sdof&*r>kF@wIjZsO-o`hB%E?>)}k+$3(!q}Iz2i7nF^ zYM7V)sjPxpu|ayB^!|!so~qC^UE3!gXna(f9uI}7G%9U_^Dc2>{o5M)M}p!>%bm|P zk4U_t2r-W5Ov0;g7B9$ubQLMkdw;6L#2=cX!b5S~{xLFLwWQY8QGuJ_cadmlS}hBs zeR1x0uz!y;{e#21ewhA9D&`$);OiH5%iaYqf~T7C+)akZ`xnPm(6ab_!srFLxSEgk zy+EDYnue6Vj&;1TrlK|Jg*i9Hn=dU>j$|a((;ns@(-)VN98Ob=O(_0%;~$V`(n;-akLJ~;sxXTDSuOpu9dT=lu1Wh!G}K)V>#xnYUFVRM z^IO7Yn<0Da4{;;ZUYGXGIG^8gHSph!7dR z#NF}zTC$#|fL4clwMf3LgR;Y`AH_Y-YqipdxD=`ROx+wPRII$ePkrobY(vqnvC|G7 zZir;U_da=<-N$WA)_?j(7Iw&7J;Jn!#^>Q|Sp1?vI&j-;%T9LMH))KuNltdBM0swR zNoD>vKQ47T>uKn&xytQRFU!@6WCO)8#!+e1t%VtCYA*-^%7LGRKh8U{CHTm_uwvbP(7+Q}*eaxR!*kqGbvA zgi!#fRNac;n1~TL`}2yBQ~(ib9T2)3n3H~PDhyixRvoEwomC#z?@1pIjVsO*r8olt z1D^)YZY_83??i^sG1rRTtMx~D=+0|%bxIa9tzHI0qyR27Es|p%woMrei}nWA-CPtH zsf;dFUK3;oh|q}H?dgQj#X3#4g^^JwLJHgW=DsQY>mLRxQvYcI1j8=BZn3bG#4zYu z96N9l(5`%ZnQD*SKl?l{`vF4uiG&OwOD_NeX4V6babCT#Z(iTw4m&5o9q*#4&A$Ol ziMSd?7u@S=<7|i#ilKJCgEh{AAR0iv+YHAq+fgLLbsP=q!!IN8mrzIGi&j8bdz|Ml zpXq<0cR=00K)@P#zZTVJ?J|)rulH0>b?EYA>D|&zBn$7`{ZD=6KXowj+i$P%kbW9i z!KV<4Z~CJeckmOSNhLHw@n~(a?e)iZu6TSOdar6*xX+7cF{bBq=Iih=4xMk#Xr+Wd zz$ARzz(g$5EN?L*;xJjtRr0~#gsqsYNgK3t`hQ@KRGOSODH57-DGVPRvWpglZ9*w9 z5>_nZ|Aq~=B`_$JG*K+UJxPOK_ZcahJd^X+)WZNT2K;un6Uxz`4;NaNkk5`rWX3K~ zC%)$B{D}!2d0CbVbJ=PkiZ98*(xNb>p@CudSk0^D5+_Zwg|Ys|BMH5~!`0PeF z+gn{C{bT#l({rI@i?RAAw|s&y*geI|m(R~aJL9;@+N=`=aqg-}%S=m*>( z7Lg^e@#$KOl)YWOpPuY_A__GmOs`w{b^OZ)GzZoFTei(^rtT141##U5k0u zm?L9+^xJC~FW_x_qHr#axp@azjlq~wM5%ilElb2FOyRqfMW}*eVDu(t)H)MC(yN?vMq-OZE(vK=On;gNRU=_@xcU)tBJN{O zc#@;yDj##^Y@@C0g>6@Ng$W^*ZGn;@)A)U%jPD zpB5Xal|H$u7t^}>e{cEC@LMeU#~PBrZ|%No{ZnNm)|2aj z0YDjSj04Md%c!=ox~3NC5C~jZ>t4c=sYCsGMCYR~k;&9Bz3fosM!T7twGw7#P_i~f z%AYv>M#AZ~dhmtDk^6HbuI@eE6PIK{eSz$uuWpwr`#&2r8^Q(mj@A{t51Z;MwolR? zSSp{{i|Tb2F$;DANPkApK;HqDZ-F5W3B|fN>5BlYXRv6xT1+Ai2mt~L zIv_C)nb-h7NpW$@KsE*tNxmC|hkL)%k6t>0R%{_#ls45F^gX&>f=78$ve;Rqws4&@ zlTKzI(KOOUkABay9|OHTb>X=luQVEj1(3P2!^6AIH-48Ml-_`OX;W3*wuT*365!B+ zDXg5oPnjBu8AvX^_yF(abQ#B*wmvP)Xawft$$nX@xIOknkB!@Y0%P&#?=3v~>KXr1 z>A-d?<*sxyCr}JM8G3I|O|Vrs6TbGtrou*yVCxOO%k${$#|&cLc%Q&hz~>ksi+~p| z#r!k&!sz95)baTWo`QtQ=X3S)KnsRZ;?z9-o2=?DKm;d4G3IhMmXjHE6@z*wM-aV} zlFb3o>?y;&@FhFFdA`swL5bMVY0D$Wr}La6tqSd&PIJnio*(L(@D>~G_^7W$%lz^h zUL!1NHzIv_yyg}<)pcW_TaJ4NMZ6)le3LorLl5IB4;TWG*0x)>uXkXZMM53+!yt)J zpx|I8m85pQ`Gwr~wqBx(t+FAMvxBn;EW$sf_`6Mmvbw)>#Ep@I=Wp5jS(MDrzL}N9 zq-JOC^{IO)3L|qWIj$1ht$Pc942kNhw<>Q( zeCD3t(cqDeb=)P+^PBt?9{J*#ROTeM?3J6$3N?vaW!l~mHL2Op?{cQ8?&J|l?<%-8 zpuO}H{yRjeKw_;1>eB40UJ0`TQpdRX(03ylb6h#t(x&!flRG(rhZ}=hE_f@Fa3ho? z+ONo-;d5Yv=N`h>cfwb8lEwvgdBqQEj=@w*8+JPHCkVQ*0VHb8`89Yoq5TmwJq!kJw&8?bL!eoWhfBC$np@055b zRUszma$g6(ok`8s@D@K92t^4TffNyz=Q&DdrZo;2!chJDgO@&p1TnLwH94e&KUs5*;{5C5)uHg*CHySMKbj>h@jvO3e6&~7LK8E3c@?hb3bf0iR4;i#1B?hK zVb7awau|X}$~P-vybj-W3@1@-ax!|YW856<_2+#A^207sC>H^X!`(&^FPYJY-QsZm ztn?=!ZRE#_i3Jhq*!$GJ#yzG><~f=t^T@^bFZDhWG>m)DyE^DD31@L!a(G@cY>u|- z7JmiUvG3VFrI*$_cX=F$yLDsp59Gh{O38notWaQ`f#&7e4250~r zl#c+V%Ty8jy5r!71ZiWSeEs^Atvaufe5|5%A0ux&8iqPE^?`$~??+5zVz75wEOcOo zp&uTK15LwnZbJbs77R>XF>Hqp*X{yH;5d%=0({EdjVk8-B)$@1jPO~#(taq1+*BUVT)&29&!{R~QXwCIJ&@$s63iG;q*@ZKRvvf?9>n%j(@P z9a(>oW){?71feG)87+kYOLI+el@i)`2?ksGZoK)&!9}TpErT>$VtX&L3QH||)m+-_ z?FZF<*|dW3CFl7lflnq}<}n8X{Af|aWSa#;ynUuAS_7cEu*G# zb8Sx~!P_)&S8&3hxcz10fkitBv234(I7S$km7fIJ(K*|W>o?C+pgU}Pw<5u|aX+u8WV>+o6=6p6zEKiXL zQ;h@C6=<;KXaxGGw_te`f*5cF1`t)_D{0Yqgo&1d*aT64y#6|gd5`+kaFLKcU|TX2 z{k)+vW%sEeF4409eUH%-VP#hXI(H+vz=rz&$Z`ZA2j{m~`)q)QDLVfws@ra0JDG1Z z&{zWRGfm7w8^&&cpW(Hdt;qYDd6NPJ^=3VY`P0Psh>?+oTlRz$=W&*tg0B4UO<;=G zxey#5x-{T-Z-vvt-zQUJjHMRe!g7Gd5r|@4tJty9)tCSy21)usX9~BcxaAk9`O5d! z7ik$ax!%(~wKUys%#sgMJvUgdQ*KE(Ekc=Cy#t!qk_(H9N#mE{81q6jtOfC}^d%7O zF7>qI*A@HYe~_B*Jt)nl&DMX8B z9j5w8K+1;PuZ{|d)RaxWVT+2zKWw<|s7d~#%i#Qwh9=6_5O+$!O3XmM#iUr&kyTe{ z<`_1|7kcC5x8RMs2TiDE;0;j(e=8KQX}hl=f9DFQNy=)uA7UnIKM+;y)?o`sB=Hf z)kdoe33zx6_;)lYJG}lJ!>>J?oJnOze$DK}2%=Zf{kpktC;v_@=ynX{MSf!l=a;SW zZLY9@2B~Zu`n&zLB>*k|uhl7@Avz!l&aa!n_7ZR{F;L(}N#OMq;KdzB!XsU@2#>^= z)^K@DC;0Cv5PkO;Fn(!j)cXwYK@|r~8_~>xgOv*&Rq{5L5s2D!gwzBo(1d>s-=85% zMG`*ki0&xpIgHZ4|HXnWdQx+Ml6m2}rPCk5bU71Xd1iL)<7rh);NyRhAd@K9TmapRY^E;oY_Z~x|f?xEm{?sb9aVvHF ze|Hf%=Efb3|4vPD+oQ%J_EVh)P`7t=>2S*VgWd!{ZX&|o%8=$yed_>&#+NH@5y`PVrN}F zjRP|zNxG}EJ73!Vhk61~ASi*=FBDh&`0_m5(BXw)y~MD6DSs)Kw&UBpzz3a!{jUYg zViOMI#memv;c>6q)f||*t}~`_Jo6PFML6k5*DgQ#N*w`UdjI7Y|7U0j|HWMmd1t{K zyWC@dAP0*4Lp=`JVwZmt06PDFyJL3`wMH9t`1f&U|C?G@;_}8hdw_T@u^2S*Pt4Y( z4TSzj=KlS4VCwu^`4^zDG}Ema&#l{?l~Zs5ublCh`u~0&s{?of=o=u?&8skM__^!8 zJG<-ub?`Vf%eGRhA1B@com~v2D>-x;7TPiNbCv1xoxqsnN9PCVm1YAh>+D+yYj;~R zfWy2}Q~n&moDZ!N`u^mGo`@?;Sd`)&N-$XtosmPY;2H$G21y zfG?Gw4*$Qb$?1@~Xe`1(KARYU~gZwgZFDQ zMoN(%PbZoPgcL$p)sSl$Ayl|0PLo8(F_ih%V8c!J&m6#i@9y+};U@EQZCYTAG%5RE zX*Z$=mjb@Eq0+lIXHawAhgRXID<2#_exzJRr}aaKTBae~D`N(jkvX09Qvpx=YxpvN zG#ZRgX15=XV@MqSCJF$VO9cwvpOx)agDS?u{Bs{BkRnJ?wf?%#%G=;gKFZmAm4oH%UZ7Djm7}og#F6XeEzosSTk+RM|4~RNKJlz;DC}>k}Nt^^zXL`A#Y z)1RspoirhZ19n41HvgZyAv7L3HapIYhQ?h*mX~3v5uYB8ab$irp|7xc@>)L~c&=QX z+X6hWfZ`djTkDARR%4us4qs^N=Pmw~DjTlS`7%MSwj)S-Epy>X8_K)nsYkdvvsp_= zv-?_S^}Q|Xxvi@&C3ogTqseK~Q!7P6x#O=HN}bkgq791HN`UxDVSQV;w94jyR$*aI z2^zU&@sZ^3)Ry3iv6Z`JIa8cR-qb%jjv3Wbo#cR_n)SZD6b5Wg`k{c$iky*Q<;M+e z>2I6qN}VtD{ucL#A`0hxvs$g=Zm$&SJiaP3pd|XFgPRS(l3RZ!x#Pxrtz6$X{)YLX zsnn*3(?#0MBZ1P^%;KvzSBy}`171>Me)5dRy+9V9tCj8ADGUiqZf2{C%H}IS73Px- z{n%)+f`Q9#ga- zsK%0f&=T(Z5+o_e9?VQ=$Ne_IZPl>pbXk($XH_(+lsi6Mx8VyGSLsaX9mDx^8XZ?I zo&PrvbN0j1)b&>1f{#E#Hd^q=j_)Z_ukwoA{%y+!3M`VgAR{wGzo6%xaw~-gy{|AZ z9VT!<$c2T=Vo8KIW+LzpjNQV1U4jJhMg_)vskXT3B_J?jWPh6!?eQf6({UC57r_~~ zCjIqL?#s(a8W#WU>#%fwbS_w!4aTp{GXIYVcoQ-YY;SULw3+{f000NtH(!0}a|>~< zd>ML(C*kz_j=9vqZil@;*=ki`Gy4kH`t>9v(v#7n=J(#Mj?1(o&?viaT+7pXZe_t< z>pHN{5Zo?r`SOw-IZ5ASA#%FEE(v(!yInEm+m+u(S~tD!N`N1KUh7nypBQ(1^my7N z&XK8V6MddIP(WFG-gnaBIi+I1tP98{TVCwWMl8Y?TyZlTNDGX~^^0IRQ1WeGu3fcw zkk7pwG*0$iV*=4^?kt-a;ORcD*iNB7dUQ9LyPmZ^oABMA%z`^kmTXN7-sPOGx=xAT zuZfvv`jpx~l|rY@OK5F~#6-13De_f%rdhRlnx52QBxLiLuf>{laA@e<%oq!+bRvXM zAKSK{wOhYOI&f{_?34w^mU>~`l}x|wx59TggyQ`3NOoxTr|10n`m9JMf@b<_R7qwG zBXP#`72>1Cy4KCiFw1m}LbQTUhx4Rn%S-3tY(#{9{-&&toR7~F* zz
        j$uBWOf@{okW>ZYac&9Q(0yR`?kK!@u%NLM@Ve=Bx)jBsu`Zsod`*9v&8Z?z z_n#_RTS>B*bfefhmi$cF>o4*HeDyqzzu>*#n zodTYa{6Ry-!Qu^A9cq7JpD7)X+|nIf)bnK8TjAWum%(UxzFST5+6KAQkn42%aLpgC zYBxuIf&(~)y|_RwI_6$j?@_?|323O8t0lI6zIZYM=mou{tDE`R=Z`cRyv1x>?L{ol zjXwNXn*vdHHtQ1BFYXo3$dF-cf3C54XZN|3$i>kzW(Crq}Eg3FPj~C3fsxO zXxMv}sQ;ZfSS&V9KX-G+kswsnvXfnZeVp`P2NMmZ=-hEr!^gvK3r*C^oE66f1&`G)d~#u%~|g}lVRSFa*w+$(AxaIdgdKiiSI?W?sSS} z{J2&){_!B2<3+)B?LIYrs>@e@vh#-T(c13%8(z^`+gjwH4o zsdy&1B4-cJcTMllfz2Y%XWq6O8RuD!(OCj9HER3aBO~ZIF{kl_E6;?tcuW(GvF|TV z%THpLDLLB6+bBUjOIKfNijTJsCWeU#o;W*wv7Egd({mR<@cb zI=lDkBJy94(#zQLZ&2rWRbZ69X0wv}_pyag^!Nm_wdV>vJ>gxY?u*WU(GW$$$j$4} zFY)m@}pTVNsATX%$8h`8kyZ(DPN-8wCT;hJ;1ic>PnP-{! z2USlM!<{e7ZDSniz;Lqj1BU{HySDXS=2=q{yzyP9CYBXq{^N6_>dNgv+hD00%Cvng`suRl%HtwRSAqLbUp zINX*;_pEwYaFOZj>+eox|IW$Em5Au+6{pS&#ZKS6UzwO04UOM9m!z_R#e zmn%wg=ffj~4^8eoj^Ax`8bnUL zI4e>ZMN4cHoT23k1Ee__GkJmv&ScbGINxpPD`c2mv_NG%z`!~{9n3W)At_r!Dt{@j zwV0IadQcJ5DNL0nt)o(|#=c;JJ#YfAZlvn-zs>_&%o8c*5uq#MNP}>h_gh%?vtl>T zGLo7aSO~nkPOj`;(1p1n$Jc9f=nb~^M9s2e-&`3%R~tkM@-<-P9`UmIY!e)o2VEzg z_tE8S(ASkjw!Bie9p1y$vMLaRclVx1D2!pzwhlIOsF?PbUzJuFKJ@)@p_YfW!&L%N z)utP%+CZcoqc$OkZ@xl9!%)f%1c}Y~G34VtaScQ@X2q6rdFXD-moP(I9|3$ zyS*tP|8W5%cN$O57koLp+e5@K_3;MdQ&}xy*Sd9FV_eNP8fkie_Dp9EWoZ96H)Z~f z(|SkLJw)csny>Hb-N@tfCsgv(^vt! zD=7M!8)u~&HZTl}+R!Cwx!SccSTO^z%IqE33+dtc=q#~r{9@)$f zEtkz?oQ+0zSvkv(8g@zd6XPV~loHv!Mej_RSK#$eMgvn^1*Be+FH!;`_0pvYjECOw zu;OdBEg5Pf5sPb|Pt5ZN?Jrajh;HaNkS+@@xW2Xmjm_4*Ejq`nQ|6@gnOfPZ-ni2u z`Q0g5`qkUF(1>lksILrvgbB?Z0wqjOu9s-YSVJ+%2ti{0Gx92PFx#eev(O7^6=(}` zp>Cu-L6w;nF7UpXn7M(W0wr!g$iX{c47`FaKU}olG)uos$TkGIlwnVTt_N;!bnfRi zmZv)J-%lIlWAWVdP^B!dpd)b#2~uYI;LHFU%zMQ2L16yfkx*lqa@(9=voNNU%)YZw zm9phTD0@(+msugp={{aJ5`yWXO@S!QS}Kp-+61Ni0G(A15s~fe1a!^a`2BP&_xa+F zP+EbSWR}KqIj{rI`?DONdoD~-hz=A`+B1dKtJTv-Z+>WKgtQA1Us)>)ZscPdv!wEZS-)BZ!#C&*6(Hu;D`0Bm z&%6mDC==Khh$7Y_?&#`V24J-BW z*%x4B9NP)m(u}WhqELmDZ)fLokZ9XEstjWbKqc)cGw9T z6ZP@0voPTmxCZj9Kd#W)e+i61;c>seKv&5TNetM+G@mw@QUHMrn2;9)C38a zp#0$CT-b};%j|imE;!7S(OnOhM4OK$ z79JCdM!y48#ef!aX5=X%=T})7u^yt1R^N=RXMerSujmKm$9ee*FkZI{(v>D0LVgTt zd6Ct|9ykTwfa)!~C4!a5Bn{&)CBOWqJ2?N1iy|Wnn>M{~{Hxd(y8kB`@G5m)VRHddNp5yX#jjc&lR|gD0;_9^3v?-|l z23ZhhoFuH1$O0b_ync{HZdy<%mylfCLR{FY_{R=epv+}ceJU!3Y6=v%i^6`#6-0|e zc!tE1IsTb*7qumi?=RdhFDpJ$;W{r+Z9x$B-2judfph1EOLHB#VA$P=YB-9U_5| zFG3o|et|5uly*^kd5jeZ;vu3i@&V>Dba0KzGL^*qw3gRwMx^*bbSE;ERc^S(Yj42% zhJ;%s%ujkmveRyl`uYpqLgaUKaey0zhUvc!5x4ru8)=SeGTGo{y~a$tno5zIzr+YS z^Ra05b^cm&@N}Vx3ItIgKn_mM&W--@*v2^DuO$?^bdvR{rn;zPqMPWI-+}_4R+d~X zSYF=tvb=wLV_MfRf%!UDk>WhksDZL2<)9M8DS+e?9;Ad*3yVx2%Y=?J7bA_sW<6I! zJvh};-6pI;G>wXh7bw7g&FcB(v7ht{w0U^`=|l*tX^qGjy66)_M2_#deQvjOYyT8N z$|sX!G0wh${u(=Sa6 zRU69n*>Iwc=4G9D0V5PjI>KK`*Foq$W?`=kDZ6}soseiD%Q<2I>aAPvnzj*p%wzNM zGsiw`Yg&M8vw^td^4n_C5v6`Cod1)NOZHqFF`(15{-@9X+ZtiA(on)^i>Awpx5Z0=*IH%Fy} zX?Ax%xe$r?1yyqW*(FW{oxrPfH+zIxL(vcnb*$r1r}mm_jP@kUH;=|zl;_?RD3FJR zMfH~lF{Dk()Y#Sj{)4|%#4v!UQ8_L0ERpMO?_f?S+P?L!3uLN~v1! z@k2{M1TK)TtpC-~vDov3z#Xl+I+SnAM(MC}D8U>2+ zT$*uaQ^tDX37Ybm`EI(&X0h#s2*A6sTVWopD5q1&Hc^hue{&TH$uvLzvBp<6>Z0gq zjr8mpgMlQu0v@dQW0(Eo$6SAhWEC6X%TW<-TkWBgs&ZL=Z@ej-iKBiFl}33wuV?&V zxy6@+wy_zx<1+;YTs4JUhUtq#)0^IJO<5Cu;bBv|=XDaS;JqriNL;&jTwUG` zsFvCY8ihF0`8Y6P2!&Xnt4Jw(>-040D-;62VHv?c=AkTnz3zZ#Be$SBo zOD4g)w9+w`jIJ2335A#7T-ZT{pEmQRAff3|+A#X~$B>yo&F_$sD#BL1pMP*7c)wwd zN3jz-IupNKZvemK&Ot#ResUhd*g*7QJ>KG?> z_ukcshCQ89uUH#nT115$lSzzxp(R!Ui6)|=(QUYq19#f47~dh5OZHu= z(9rL%5nRZ{ov9sR08qk(e~)9p9cHb8hO|!Dk|S0LUydChZG$SR!mP!c%qO$zP6uAb z1Vj?UIg%l)+b@tmeC&<6C^H=1ZwH?vIWaE8&8I5kOkW6{2!@|v)#miw#)w11cF3TY z;>_d}T|Do;?56kGmMlU`7i9jcAv$K_ET0_GnB+L8=w9$O7>1D~w(TcyI%<|nphWfQiaRAt7!_?W7{%1&wi0+kKVzdl(TiDIK%;>{rzxzQxsS|zjS{7<36=>MRmQAr0FK6d75>ItwJ0dc5Fv-k_@GcX* zi10ccH0u%8m#@)~OY2NSmK2M)tnz0U)yT4>13Iwq5=oLXg8*#p38%UW?&d|wXUVkH zFK-=eRG@3=-L~x`qbr@k&~cx_r$mC^#Ec-}T_zOFQlvm1^chB#qXKnF&M6}h&CB-= zUF~oRhXa(8b*L}Fw_3bf3ZUN2b(rnLI<3fZvz712BPq^C`Mt@yFiW3j^HGs@ikP~# zF?veuow-28e%HG-GyDEIVZrB{6e^7#YTQ*%TG72@^2Od$Eo#DTUeC}8k|-+LgdbWjwo!1<;;yw0hcE0Gkrx-_!O;(v~Wd+7VRM~N*2i5&XCpVIX)tEu;#b9c(6 zOAbo(x->C;r3j$9#R8DOga%Gc?s!tP^t0DdXmBtTe(ldW5NT*`C9ae3pbuk%>akdb z3WGiq=9-#vd^*Ax-3&v@)pFWDeZpbx(0%{@<@IAKUE%!&zkyau_(Gb+X zkxAWI#s4DzOnTgvGLMBx_|*dG)sRG`BAD#CrLGf6hO^DVc`%#kiM@Swkx8`TXoP0q z7n5#4MJsYOcNNJe!@#dVc!b#5LE~269ow`GOH2MeOnS;GlVSvI3)T)2F-Szm-Is07 z%Xz*x3|bdWuJiQJi8C`EyPzipYbbSG%u)mxy#TGGGznUr%ofg$Lu!#dSv+@3_YTbe z7S@1AA3TgHGq3Sk%u|t*675HzjrsF~T+!Ojm!DgYPhOyoOH)O=YjpQGwldyW)M-Vv zXU;?1Kfkh#g8~uG&!SSh?0)d*Ou)0@Y^*>ud(ai-ggp_D=c0zDe!me6NB?n$FNC~2 z8ZLq({D8v#s~U7u#Nwu5j%*0tqx|#8%&0``t8<<-Mfm&NdSNQtNC}f~jBbn83={+o z&Sk+p{6Rex;pm4)gHAe&O#X;ziFuImU-WA4>CsrVzrF9a-OxtW7JHxQ&Z9Je%|;^d zY|?3e=htUnY9X{znZn2>1A;(94(yj3Je04%-HV-Dufm!ZiGKOphYGFOR@Cg5ePqzS+LQyt_16@=4}yqO63-ai+iE1VeGBIEq;-ZJQ2EX zt?od0S&~EeL^C+fR0u}-C0n8xFshFbY@5IcZvRy{bGw!du<%h-zLllYcgY7u%JSD4 z>hkBp9^n(-!K2Qd&fBb4D?^K5p^@QYPELr-pPIoO{v-&S{@PVJacQWp_6rMx1DOiY zVW?>)pd20yU#D`)b!{zWMbRcGQ;2^2Mu#*z$1A6O?Y*j*r}{8s)wZ(kkoW(tHbJyTv%tP8A@UO~E?w-l!J9h;X@x4Wc@D%+{^6E5Sk>^$U zZ0Uu(pEkb8Bu63)y5yK`e_c_OF>d9*C&~NhOSbppC*1?qq*gUPl#`h6m(!>N4OO>0 z<@(;QMF^~W-I#Ne`XpL9dZH0^Om+*$jAaUT4SO2c>!^Ic1_B}|foH4?`j-n$OBPV}WK@K4xk^Dw(y|g58kKI3b5mR2l zIDOHH@Y-8*KZu*dHYB5y@$`91oKtWXQ=%5r-;_q_fSm=c{^Gzcxh2d(g|o>Pc^`UW z$Rb^%GPq}Ts>yC?zw6|6?lysNLqU_6(oeuK_bv)|j8Cb%@(U9hSwIaC)Y0mVVHb-qxlq@Zqnfpe@Rk(n})IkrL&Z-%PvHX|ny>9DWr z1LpnGgY~-ZJv7i^fA;Qbf0Tg?-%L@xFBCzFlnU4`0_4H6(7CVK0Kn$2kKtc`^%Ado z06?pPSS8OLdcJjrLE9-0bj%Vt7(-BrY5{!N;>E+YX(S#8^ykl?<1K}RgsL0n+uf>! z?n=JF(%{$Y873jkUR~ddzplfsIH~Qm4dv+n8n=R*#@<5<#py4iZ7_a#*&GiDE3hm5 zpb2_T#4quhQZ-^tirEcwx*i-=ovEkX4W#+`6{KSOCkD5z^u3g^Ak3gt!e?!n<(l6+ zJEj6GoNAIKZ4GR}zZUE~$?FCAD)s4#8roTyy&1GxGPXfx}w zHgItaqoQ^2+-&4FIg<0_xNz_pruGK%p-{oKb zY7Y3&Vu3-6FNPU@lM_mU4jlidS2|Z|#Jn7Ocwm`?%r(@jAL*PG`P}3C7Sp_ZGp^@v zs+iC2FG`Z6v8dazvy3$09ddbOPyBa-!7Bu)xOkyoC!n;!OwgANhi=YKZyWQZ!iYcY z*23TR|3li|(hBQ$VbK01a=k;_XjhM~YotZU%P zP9w6cwi~&PhT}Gia|skD!{D5vZGj+Y@ONDz8oBTfU?z)Y94VoE`;_GkzY#PZjX9M@ zP=2>eJdSk8QaKGgJ%;+FgE6h#Vd97#PJ8(3lc42)MI9EwK6Zd812c#VwVTH26*ujL(gWgKmM@Arkt^MSBq}0wMdTJC5c74!bj;f zl-0#cU=jj{f*~IqZs3Fvos!>|mv9I4K5R2arO;pEH==-*Ro3Do?m?uG2c$WSREK(= zf5;4`og@u|=kwNg($`PLj-T{Zq`49V{7NiRd1G&ukcHYi70O-?{%&_II|Z6uJjVP_ zs)@U)T2>z@H(Xc4Sq2LlxU7mAKrd+(yTP6J7j!K*L|JCcJ~aWA#}a)#gT8mQEjYQ# z-Vr^m9=&Zwdftu5fEHL1`jh4?SdN=kmz7pNrx*9bE(6oGR>0-u4Gnh0soKu25t|!c z?p@thmLHO185ubBtTF5NXs8~+X7PFc#e`k4&WLFOH} zaR(_ubVedys{|CtDUx`BgbTyMGCVus)#Q4@drXNE{=vb+*&3!O9+}j%hW5_o!QSZJ z!)o38-7&YE+O{(NMOs22Ed+hCLf~k+0zcI=?fm^nKZn6*W^a>2PPU){b*aRoutqag z5(b>{*j8CIND7-619M*^q6hW-RCxBuVu1kO6&ayGUy-8GOuIpSoz<^H{?ADF0W-vL zw0yf^>ObZmvFZ0J1EZ>V47~txCFGTVZvZ;j z_?STS?@e4mYORH-y2jkSBAR_3L^o+<F2MpX=GOXj=d?_*7gFd-Nw$?E`tFJjZ?+b;d7t$@cBPq}12K7#~OR-vR zca{t85s#TBxS?^-JDHf9lZBaWfy8yZGM@RkE#Cr{SLfI*j%@(%sp9)5x;WVb^%0l@ z2Xvuky&E+T{lfmsTZPPgn+ZKVy>ileTFZrUFs$eW3AZCk-6?jx)kL2ceA_}eivGa> zaWc=_vaq$p5gt8kr$#@yhRike7C0xiqyf$t;LsDmmeY=P>CQ36&WRIOaN z`!PqVG-vEMQ~H9GXzQO~x}Kva+|Uac_(dF5#*zd({jPhsi)W75dE_Bo)vQ?5ryvgm z^CSms7%K+&pxj%`tAw`KgQ$jYt^rrQ1oY1FStcc?FMF1>YnvSbQ3^KL-XbN@h-4uA zDKJghJ);B~9xI3auO%g%rAqdQJ*N+HJVs-QXh8@oC5(0zWx7t)cjK$BL$=>ijL%r} z*IMpj1)*V`HJCH)Ot{O?OZzYAcd>@L6^kC`Wu(<%^#a=rRN!4SOP%p%e7v2_`B}UN zr;9p2EP~j=B}p<5OKcsUUxrYX)W3sK(a{W`6KpIAf0`YM$YlmW2ztpqQ?nLehRcwp z+1uOGs+0&lS)E*fea~*8$`xf(BG%2b6QJ)A&qV@IJ{wy< zrQ9$10ez+7HK< zPwu&Nc|=q^HoB%~4PtbHYASs24>OVAA$XT6EoYsDLlcXq}sH91L_$WAFLxYa= z^GB%{#6aWlhaHtOpOI}ASqmEc$e__GZe)PBdPe{j&L>+=dtb$UUeBJb)bUbY2?K|9 zQg~zV$w}M~14$rP)MoGiNasmi!npjC=7{ea34eH{<&45ziG&}!%L*7|vp!>ANQQs@ zqgliF)T(x#^BuLIrJ>Yt^hm=eujbjvF#je!+C}AFrfk9 zY9JnANgz=_?)X+gc0+uNLBgIhf4IoXe*r&dQpfWjZj?2B8!@ zkkwSPO1)-frumWz!p%leKJ2$&dIIPd*e8zrrxIo-cYI)Bb zdnO{A1LqqP*>@o0s9dLm6`P$9aR!?YG^e^2-yFwj>R~!l;rF$`C3=_vl>)^42rXN~ zDe0W=I9T}Ug6@gCP$4r+D&55JA!Vv1gm*T&RA9+hm(vkY!_i2iA6^7oh9`B~q5*b^ z%*rr2(%+Jy0fDJJp?@V2u=J6~X9b*4hzxUP`S-aOXYt2?XCeZe5GMY6IR{ilVh+gm z7I;1&pSUTs-;VV6(w%!hbT`=jlVu?-*whF9*oNS2UrW6hA=Js^B(*ggNOAGeO>bt} zShXpv%Y;h6u1nGl1U4oQ=@W)Vx zrws}xr6CQe?6`@oNitcrBr5!a+*AjdxmMRv+4o5fA_h~YoEGa6s<_2&(>=7Y!Yq1i z9u(7ZMuR|#H8ho0_VkY73ap^fREVz)G+f1;1?HXxTrKyAW$qYm(C zJ5>$nJL5#xIX7i#I!Y$M%*0eqbJg5ay7spXuK%lc7fwVFc~UWYTrO1uAhes{ScbQZ zz*~OnpG%1?hsAxoC#J!VcW%xfL29=fHg2?9hqAsR3ztwG%Ce_`&h?#C9OEQs)GS{Q zM_Rq3O_RMvU0}?N61#&+tjy$d#iO7ei+{>cWmQq{`$hD0vAG_S%IN{?;fg_yDs6-y zJllzK`Y8l{FJp;|oPc`#Q(zg-`OqO{?iaIH;)9uOmJg|N5uz0vKLVB&^81=8_~Q{w zDpM$8Y5&r6c-#JY(Jp1!{G@vv@o_CJ!8XZ&%Fu$%J9{)0H$$fE=;B@9FQ0YmerSGI zCgP;O5pcgU3JeMwzO{F7=*bZe**Z8VPGVk`+-}ue&A4cBOqST~`-50^ zkns?IA?@&IjKyI9(&j5c&Ky5QG?oEY**fm$DJ(;U5~3ou49iiRD-rbU@co(*N<5yU?V$ zArb#6L<~2oUxfqTS(5!5O7GjV-~GL4wJsweO5h?cBFMWo_0jb|D02SEB@j+4EJzg! z3%2**M#45u%JWJXhU9J7%=YambGVA@3zq!`f&l7sxMf3w|68n_{(YQ`K0>AkknVEA z&*1s>W@Rz|K5ll-sJRCCv?8UFes5F`G7Z})PP4V+aL0?&l9axy6Kne1rEPyYc8r+D zYTE!LFB}|BfNe5*_EYvPNLKg% zYv$G2;A|k@&L>9-obUbgg`Cx{I%n9V=h=>K3X=mi)~8JH}MNyKn0yPuL;&5_)lLi|VnA6|~^$Z@&GBUNj6T zDsZ#M5w`VbuskngTtf-Q6=G=wVqw}1c-&dtmagmNa}Y}HoV`dT@%-n9k7Vsm7M zgE^v%!o-^zba@<6o{cPFfa<}K>hE)&_skRNgW63-;3XJ`@%yxd;~9T)Ks5C zkRLv{YD=uG@Z#Vk7J4f3v=o!y5nA0~TEfH=+U7(H5+k7-<2K?m)E2 zd|=2=XT3b2DB$J^3=g&r9D}Omkn(j{wESKZb`bhtxv z1EK2k6KeHQ=_lX1+~)0Fb|mTr6PX!;hZUSk4IEN#M%7B+oG9J6R{c|ubC!@V6fo8R z)Y0bt#>+7pqjiH6XKCvR5#qn>ce=irj_(CKNd*7xihMfW$AD-%r=tFWQ*%cw7J>Gz>zM z8zy+Eu@8kRWr%e)>nF6JvE3R)8D@b-1Uck|w+< z&e{VeZxTX(oRT$@lv`p0c_liE5zcj#BWT1=o=Dl$gc9b9X&wn*`IP9fTzo?O@g#kCWG2)v!!m<6f-kTezKy`T4%L%ZE^2f&RUZSpAgtr;nY^4vTjT?EbUg zqSp6jjx8eip~mKU0@}2XdQ#2KU4vCKlbFskNefi|Ocnl%{$2V{?_ObZ+O1Y2@%$d5 z{5IIzj_R_n)9jIc9DoJBqCQT2s!a!js(lBuijeK@dnM5>%val~M6wnfk1V0K4PR)J z@P4{0EO@S6yxE!1-zoI3rE!AA%Vq~GO|1M|q9OtVX$0XTuTQ{2S>`8}M;(GLf>H@m zvmFI5T+(whirSom7oY0NG=UN&+W79eUTUiNoT=c-p><(2II#IbO)g~co}_=%F!8Q7ijd$F?(K!o(IzX0Dwaxc&{d3 z62>P@2k2a`gg1W|0+V>7CK^=(13#YjGsgS>vfwBO>m9Rw(Jm~@m?Sr994}P0_3{$X zaXx@p(7+jb&(xWuBmOFap3GlsA0Q~t}kRbVY`Q{40>gCXwO{$qz7l$aHyc*0}33Zb_l zggaBkFNqw7-U4D*U#CPhTORWlNcPkJF~`=K569X9ebMRN#irHWY-MimjrY7$57ieuhlR9JQ?z7;;)$u|A_I`MMk{N^OO6-sN0OL> z0{9nYVb^ZjY@O0P|Av{H9?*&T8Mty*ZeL#Q6h>LXp+8Ahh67e>3j8nD&_V3}_7@RU zpuQ2FzjRiaLxs!d<+o)Y9eeG80xHWAJyw0w?I3*+CK>Qj3AqT==Z(JmC!7$@gKK)< zx3rKsHN(`ia?Eqf9PU@;__=HNa64j_Qs8Hq5KUyP8n2o5mj6H^(2SHEQmulN{X|qz zNB7fba=s24ATW17s?ir|?V0*3o~E=3K`%HHIxR5pG04yyQit6=d^Lp{sOx0#`G|xO zF~)cJ{4xVmH8N%tJwH=rDmx?Ljtea2Xr80G@9RqZeg8XKb!~0m`l!_B z&o-5{nfC_)7y2$TOw*|Mr!acS83RM1-@F3aNf65|q{Q@;;mB zK_Ius^Szc*LuQpfLD-E^IOVC$F`R>;2*JHFCw)wR34{#^it;)~>+n`nnq&KENX z+`?o^#z<9_5;7#)eVR;|9P}?chmxY@B`?XOO|tT@P(_AGV1X!FFIfDT{O%X0a!gMn zO;$;$`=jAu zK>-L;xk{4@@oW)^x3-LW0DYAPRNp+W6DZHEz2)Yc`>B-K!)MAdP&EuokkhXuCzMDw zLNX48&3}6+5f~PdgwXABMB)(VkJ-P^zmF(3*Alz1|EtM#F?^M~K`}IRdMe27u?BUy;SsWwQ z;jWp)y|a%9i5-k~;~Igwu7feIqC*C8c-Y49r02zw=;T~4QiyF*Bx3oVe${$h;XN)o za@CWAgkrk{+m55*ceJdpzUem2psI6#L8P|NC{dZgYqxU(mYPOY4e^eaXla2)M;_YvD-bO@?is&+$4+<#Wi^fs@5@AO&<1O-v@{O_{ zLxK`tAf)a@o3=xh6t6@6or?e#ITMg{afuJpeZofiFpi~jZjRs-zg?*h`ObI|e$lW< z?qMJ3Fi2w;p8(6C~AkY)SuIp+FHapq^QPneFNNmKj<4@wlXyC!eo(EQzh zIk|*`pGFFmIM1Bb&a;tWB(KX6U0jQaCsZ&JFL)I}))mH_ThWc7<3H^0h3X zN{{FbN(8?_iAfLhxAb7RfE~bJCWn0EFCX6Qh_hzlWc6i4?>(m+ScTsg1Ipk77oNZV zzX-@>hvoOihj@|2b{=d**aZbrOWCVR28tfqwV;oC`q6?xgRcu@Qcs&7Knb+jndjTO zixrVmsKe+InYxe2rZk&U&$BoIPcCZw`P8{&C#3`%oF4`j$j%Q2emnF8p%L@)zd(P> zL5jzGCbNv>2H1mQEiZbvm?rZug$r1f&y8qqyLrUAvY$aEk41l|r?^Y3fHT%%)L!eoi zl06p=H7lZm!LVSHL}1rF250tU%AsC7|Fu9KJ!pm-=;O)#{re$Lk;54L>x#y61$YLJ z+_|y!IYiutQJxxJ_^~IslGVk8NdrATVTxVpK2OCOveRw$EXO#yCa%`q&Ry`fL25!{ zt0$0B0^@YqRb^gN>_#KTLDdYEZnJjHMwqn? zk%OPG+ojPYOY{30riWCUASo#HlGCXd^HsicAM00i;A_8+HR5H#{Mv!iNNVhN##?-~EBapsrxJ*0vf8uab>=0wV-=b`G)-y9ofV2e z=J8*-UqiM|UDXwtcq#Duz<8%)<6C80YjpM625w)^O03rkHPn`{s^=Bc(lx`-kanji zLUKxUkrQuqNT)@h!iLj|q(#guhXzF_7&YR59(tYIhirHL{)!HkQ?Y^5Pfanx0c$Kg zW@?@QLfbC}{x$FZF9VH3PG8b|4D{e}gtyVClLrzBT{J&kaUmLddAN9#F`7))IJHX; z4c^Lhz3dp|PI|U}DM5MC5bL@N;1jl;4MTli z!Yn48C{1(N32ipYfuLvm#cbFLR%u{xtbQp%sQ5bY>-8^xQR*HkL(ig3F#jvN1 zMXIWM&#>QP#fa?1QIYh;d+oNbkmNI(L!*SP3|QXC-$aQ(_r$Cj^j}5v`2@lc_`JiwkX%C54bWH_TM=u;KGUU zLQh^X;;+?m9;#?QZ8iM{k0`Ij)5*Ri8;<3rsGW0;1u3;z*TCz)`46IS{O>xxDv?4Udk&ndXG)N0bMA!t+kp``pyv&|GAEEUb*DMDj8AZ9UHe2*yr`atpFGTYv&4 z0TI;-n>Yk@qd#{*stC<2uA1kH&DQ2O+$H0|NO~?&A)j9tT6p0zA&Iz zU8#RwNLa`Ry1*dp$4=N(L>218iV~CZuttKYy$I00_R@ajwT0`* zSBk-xCQp-i8wb#=)Qh^Q?rD25kl^S7G$~c7q zwMF*kOBpl?HI+x4@E6kQCcj3&&hu&7iK)Ig^U3H|Rc}e>V+<)h`)z9^DLqGU;fqoK zadIe~!0opZzQ_JPCt=eKJ}rW*M9z(m4aMx75@LN8m2I9>`Rf}o*zx_a+YN$Lph z78HQ1qEgVMWGIGT{*|Ogc)$6BG?zH0;DcLcF?)EjP!J~L+ zpEW9IlZajcc;?Lrlq?*+bi9Ai9GvfpqB@3UqtR2aQZUb#{NAIJCG zCcqF_;~m^&o2O=*Z}rh(=Xdc#-VhQ-#3zLa7=7`mgq~GUNu+HT6NH{8yJL_bS~{kb zpa+FhOy+*{ofQNV6|}1xf%lnaWY)NHP+;gc)#gg2IY14ue(`{|E9Be!(u)k+9B!zL z{nq{{|1P&1l$^qj3j=szrrwpn)^c~%JJagj6x_SZ?ze+>LMX4PD%8Kx3S`1vEC79U zvV=qU`^)&4e2V&Pqkz5_VCzNH`?og=}HO-Zm$@%8Md7|)n4uSXk|WK3$HguGz>!NfYEaZBM*>V^`| z5Tw#rTmHj6xzv|cH;v(`{8;-<{et`{s>JChnPij06PFcaQORX@Oc#;(gd`+UwKH24 zAIof0>+x5VE6{f9;{0R#ODK&$VrhJ3j$i;({U>Z>+k=55du>p^D@&dPpK( zkU4$b)4`Whd%G$_)V6QPopQ4{WJPO53G>0{O$pGdNpFIzK(+dz1G#E5Zt1$3p@+HH zi)G=`06oXa_2wt(kymw|qmcm0_>JN2q9crJ_Os_RMvXSZru}`|vot^)eyCDAF+q4H z%E$T*EIP**eQ4R3O($oV8ZH;}g062aKN2t13LtUiixCi-Q#52$LqDIstkmQmrc1Qm zta`5Y*+`h%9}ZBkN(?U6a)^z0n1>wM(<0Yt{FJ8GXvPhL>kjyy8yf237qLJdm=Zm$ zqa}-Ip(!CvoTPqteZ)UBYt`4B!(Rj48-X;=ssiGCgZrCWHCpwJ%FnS+=xbKpIJ9$c z+nnko1_1No(ukZuCdrNAg&j2^yaxL-1;O?bM2S;NB_?W2wvg19>~8jjr$Nq8q0|D? zob-pce+vYWwTqt(c@#cGY|zyc`pUa2tr&KOY*4Os-iQw!!=K67$=Kefr-U~O1Mk{y zNY`RWTGwV4D&=v|Q~g7E zm7ZXd!?F67uo$Y6r+HpO7ubMv{r zkM|>HxH;lp7MnLBL*MTr4R*$KL6r?NjM}DoY`&>lXhC?C$ zwjz=;fL4$YzeOh}R((rIzKpr$=)Vp>F=&G|^rupr10aw)O`+bpR!wvmbLCcG8^<9w zKB6_=unV`chJJQAz(P{xhM}3ABM}k@q>%JkLq*dILH8aObkVzx8h3Y+$efs{fDAUc zc-)Y+Cf_=U4`ehK7l)?jL2S%P0%$}+e-cPe|59`uJlBCeX$>m5=?c9@GqDc&$%hDF zx;>uP)*qNL-8K(nB5uLs52Q8fQZnQOAo_L5GdlTV0C9=;7IB_Ms@xw?r4NJMnXRx1 zlcS6)G@)y1MwL+fU~7=Qydm+Pr8lS;`jw12cL!Zn3StGB zNmjEYYNy|G1H9P{iJ-W-f%~pXv>24@~7vnYRlp&rs@8yko zmI#?Fo92)mkHGqEHXumM8^Ltm(}6!ySHw6WQ(=OmLV>>WDp3EjP`7!CuPs(a#o^8! z=%fq2k>(5gg58&~=&RIf;{c7t$RC~aK5g^*!9dUDdbS#Jtp*!Vs~Qh4Gp+L(LdQ`T zQA#py$kJ&zMUh-})*M!SLI&k!%{MA|AM1IYcPw;K+6V|JVo`l!&R{k8`h4{;QyXqs zA9WOvP4GK309VCH6OsI`z^I_(=cNKdjgpIwV|T}8niJlEe5lOv(0i?1tr==^);~Tb4 z6|I1&x(QAj@%8nagjyc*8LJYVQ%lxGLl-?vWGtjVb1YE$d*qjSm#mh{kTDp>lI#KX zsJt{^O+!o@DaR2DU?mMEDvS6qff|u{=U@(9DhVRm*q0}8H(M98I$64+j#~7?hu*E7 z4_5hqp1&6FE?G7%ku@+Ay*DKMG;U+Aj+6h@%<0b%YGh75gg=*Ka9V;?_3zoKZYUZW zn%ieVEQ@c*biO}l_$MbPdA!aAXhyLpprVf!LfI6jX2cf{(+LJ ziAM{-5dcVvG#;HnhUef>(T;)XDX0@n61Ph=vuZnFcwJs?G?^_aI3Q#xz;7ou0RB>r zhBPalXNfJT5NzNTC4W~#p_Nj0nAT;(dRY$nU~v@7`X!b!G(S1?Hs+PC5F!G;PAWBn<}VKTcg?zSr)JhZgNm2_@?8eF_j! z#(+FCDNv4()MTkE(#2BeSiDP%O%FR>7C!=y(1@LRV1-Y8&txe0@b$s(WmN3|AK*9C}!X@1P|@^M_r+0RF9 zNz2$@Y+wJcR4IZBMRz6C)e)m{BBjW2`Y`hbA-0F>GM<6r_~Tke1b6-l9L3@ZgR5U` zs&)psYrEY$hHQ8Mbu!jydsD+jUwAE1#A;W>3TVz53)EJ5NbgUQH*d6RqcblpRz{L% z-oy#YF#b+nO!DQ9;qAqhoKcEyJQtOV8&xjb`i~3HrQY`~X+oP3q2iZT)^w(7q5z;0 zgMTNr<+Sxkwt4BJ;f%&_Uk-|nq4|+85q`dKN3!C+JS3#~nX#Orl?YK9yg2L2?^*uhiMCl>^3)xo|3Y*?_L{d<=PB~Y8tAQZgfP>E1k@Mh7u9L z#1BuVqNz{MuLuj7H>A)cI!Kylu}`gjkQhY^nKWCWf2bcP_pAz&=;QRv>zQ4mh_|R><^W;CZ3J7 zz!)RZQL%JLd_(_+4%j(Y7kyi?9`vMo`b*6Kp=^OHnh?NvDOD^&1hJQQ5U3b=`^?r) zYc|z29RsN>`{_Y74OK(#GDBYgfo{+Rc*9D$0gmfALphIEG)|gB+KB_-CM>k3lKR~{ z@&h7FjM|Rg2lct+BY#LidWdkkgk6$bj(u9^H;_0w{{rx3CLo1EF#%E2{Tv=dSR&uI`;;j9*W^%R!PWYPvVKw(8qj2+&AGotQ z3lpi;KWZdRSepaYcIq*yn!JH*p@F%Y%%N-bpGo0O@jOD=`Fv&MLL@@diUFB<`O31X z`SAC{m`ngBq1>b>H)np5oK&K!<6DcB75@Cozabtv`96NMcN{gy9o3oxhL_uyhE#mw z`ggoL89YcbDVFIz^i{%5qw>cbOR|`nmz2&v{v)4G?FLZbGsnkxR9Io-<7}(pT}##D z`O|t=-O3&(4PTA^^yHE1!)m?%;~3mZJmcWz9&kP#(}BR)Tu2gie&>hx9k0fnHIGAC zU0aJ)SP+vwYZ!`9m)eolYBKs?o@?dHk1q{9dD@swGImSt_z{}rTKv_EoPPcFbz(oe z54arx<}2J%tFO^iwoTLR9lY#w#eQvTk)T9D^UL`#g0{P44ScUq;{Ess3GwZj7}PsB zuRfTQMoJYKZ@wVO4>H1%I|7&&q;Q9Dg*1t{2a9NjX|aXv7+}$xgZ?h>#6H?502z}4 zhuE8##--J{JJ!d~nqlPNo4O_IPj26SydC3<3aFdkbenRG&1aGR#SW|q52J93jP$`l z3wla*6zacD4BTKUURNuAz#rfkmVV+859Vjz@T#6f?5I76)Lq0oeJY3!>tk(0>9$yL zjqr3{1*{>QG!u*c1$)*nGO}BK;|}@fl|v1cP^)~a9K|n*mU3~ZIPL&uo)}+x|KUmk zIu1pGD^%>~&rnw}S+0d0l;s~|_7F7+iSRKwd1{V%sW%~JEy}gu*~08fu5NJweOz9I z1EZ}fH@Mmer}u1e9CC_aL4>LYl3ehWTGagKqwv2o{FWM1y7UH7k)vcqG1Kan+L2v| z4w}3(4DKm_8G$=-4BIBhsNv zFrEdnRi^SkRMdBEWmE44>2p7+n13#9b4jON@Hm^SzJ2b7FM@TYP-EVrXluD4?Tx%+ zAoFh4|C-m#6&lljqt!kTOGioRW3I-yS0-!6f`tmmsk;HU7h|JNyyRp=6BssGI@I9^ zh)!;O(DPxe8i9STjhzc#Ja)n&{vaC8I9-lb_Pw$fUfF|4(g_IO+ku==F&~Q<`SC_2 zw32Lxav{G;*)8b7va2gi7+IO|ODu(~rm30P+4EQKIfoV0A#`D&YL4d{tGhKkuiV(- z3s0D_WT!w^7oQhA02A)PR?QY-ou^NKVjzoreKaZcUN@chm-K!H)dy(ISoIq+H3!>N z+~KdyO8Np3e79%hZvbF|!u9!ZAaPn%Xgs+RJ1PQypSiccr`(D}MwiCjMxrKJl@yPk zOM8BjqaJ^nw)ESD*xqN5L8|BO_~rXKk?PFur&9(5LG0{1PkexA9Gcy z4-E3ZOI+6^dRU}628tBeXeLEqL{+6xd;I`NVV^w!y$`^%UQcst1V}Uf>`1}vb=5cg zP#W_Uzz`c?ZX8WxLjeqY$2zt9yKgyHt)4DqB72IUqgSG#@(-J>%{LS}Zs9P$GB7dlq&TgDe8yqmG9)#O7=4 z{a*sj&PWS2Lz^g5TAv6`UIyn$-7^|2f8_4q2v#-jeukhWm_nQs8S}1QV~<0xdBJNy z@%8g2U3(I1tPC&6Jt+7RE-^0+Vr06mmXn^Q@>BG(kbzzhT2C$O19A`tZdS+9e_IGZ z-+$>KnO4e%3qxm9k6r0=f&kT;GitcX6(;q9BFM+#lXzbKu%K}XtD2aStgyeD>6nlF zD1!2z<&m_I876BsuZl@tTe*}?-@SB=yc ztX>Jm&ay)frR`%{2ASo9SNT;8imkr)5+bW@m1vv>$KcvXAD|zm**um!{-GZxV}!

        H4M4OrkA;o zzp&@N69F?Ee4A&()O((iJdH2)k?Fz$K}jY$Na z_Zor)pi6yoWxiMf4U|P3+jKQ3Txh|=7d+2IyWef+8+}zuq%vK<<0yG?KM3#!q?)N- zQ;oH~AW}>w)UHx$kweaeE-$Zjq|um^isAOTu@Ixbtc^U@QNzRK%X@OfuutxDkn1Z8|3}n?Er&zx&{oguWrgW3 zWgrGcwB0Rnp;UbnpBpVyR9JPzIcE!@4YlMlp&to>Uflle@;^a;DR7V~B`@v3cH0p|>A-8f&9s)A` zW?u=n*sEn4Qm```*I}Qrj1AxG^5wj5ZI+nIGnuaEg_m^Ix>b)BX=x<4_(Vt^$fwIw zBZcE7(nY;rr)CV*fE)f1PMg7AkGjvc=K!?K{+0+Gk#c-@vI_L3`JQx0yV2KWxOxm@ zvp0Ni_DezM*zv#`yMkQP8{zr%HFrXG^b1G?`hCt>pZ8x3WCM;}kTNn_1JM;d!0vC& zQok)OWM8*6Yp^09km~spTgD5zQJioB2m^zFD{cE`eoNBV!2P^;2~y`9paA>Mc__gR zk4d4t-9AGASseZ2jQlLp|2q;xq?^-L#!Gw3KB;H!E3MBJ^JLrf==xAGi%9&ZntGyn z)t4>am#*MfObA0>dtRq;21C6#X{m^KSWe~9K#J~5_4pU=q2~xfLlin;ULl+{Y2WJd-~8_cd3%-3v~|)%`GpB z+_W_itpmH(cce`~Z6+Ha|!9n^BtP*ZK#ndwK`Mp4i7*9F~hu@BRDt>Bv0?s(-{{Zcp&CK_swlR z&G9B{8EvF8i+iZ5s&|R9zIa>cXU;&oc74RJY3^|xQs@U!UK${XY^}35( zZOh+iU>5hhsXkqFdwR0Rl=UH;)@aag!)G+aN&MRfpELS*W2%bz`l2G{74V0CS^>V8 zFSM%%*66f6UfNvdMJzO75^ApQ)mB_m4Z*902cAPp77zM~0)02%m~MPWt+6Ifaucg@ zj@-ya+m&Ti4MI=CiuWeYX=bt}>a?Zsh*~b?YQiFr(U$T;p$-1YcnFC7Z^lDclON?N zG}If@8}qND^$@|dduF3K2i_S%6Oq;*9l=8Y7ym~FrxCL`u1(HZ>>;=dAsI!L1`n4r z&)JP#Uhmzz(L6b#yN3qS>K&3g0iQ}{LQj$1L2CH94%J&e^(pDmz!^MfYeD##{5NZL z$W?>{5eIwF!Z$0T8HvdG)B$U2-jU6cS|pOHl*pKy4|Th>p5IC3jow7q3ESooR|LfY z=;XwzHjsr38lI6ljjpNB3fB|>h!x6BJZBv`>_>4v+Kwpfd`h}{C;I&LA7-g4=*TJr zHH{B<3UFo`ZR$_PKHD)@Kq4a}*ZBKAvo1u!=x~&9Hm6*{KOWh$mGFoh{4oVWj^j^2CO9t?LTc7+P=e z8Hvq&m5T60$bvn@dm96Ro9Mb?+?4@G{GADAu3GGjW=Or|sl(8w(`b#CQJll%^epaH zshxg4iK^H|9BP|ZGp8XZmB7V zeW7x3nSLMgc@3k0pmADP?Oj)CF2M%Y1PVB>h3;YGU9*-A7^JDJ-Drj^_#h`gZ8#Kk zwT^<$(XDwe^q<7C69HhsJjj`jWLsfc-t(|zFCD`5;CbHrNEM>vs|@)%Q#IOi)Q_Y` zl&XKOb}E(W4=pq^4Lew<3kj|o)F60PijLW6-*UZCiyM?Mx*Ap6Ln#V+68(IJ;B`AVbN?G&o$MdI`4&3hI-E#Q0?A(3%8J-6sv$#G!-`dRj_i-%dUpc3 z`1Fz1Lnvrse0*J~%&aUN>B`;rv5ebPo%LZ6YZH**nWjC}dD`1@h6XYSLlQR;K|yVz z>!iAmZA7_9QYm!E;3w?p)%_B=J-WpFeCZKNxMsVKIPZ;REwKa(eMLzXv!`_j;`*x;C@R%KG~kk0ROblijY zZZuPv1_?9Ma-l8N%w6i8cpL?H!O~s(L3z$uFd>K7sO{_8=zzL1dd%i&*>7>Sse zP~KJ;+9!?RgIXK9Imi(EDaL++*>XldbAz3-q3=Y8C-xMyc`5!GvGEh>@3EgjJHh?1 zc1<86Jb75N38UDvc)u@tS%Y!8%d}y`4HZ}Y0NdiG=8}BwoKLqh+;1=XhiaBRLc(!4 z3tG@=H1bZE#H>k0eJa*%!SUvPR|fuktJ*|B(M*JwD)h-g``Qm!P3Z^ohBDvz)bQ@OO+}3wU`vZWk@moTzVxJvqBa?0Yipodb^^2Ps`_gfcFzX!;!vTgKJCi=Cj{_7s zkHFgxg6Q%Y0RCkINck_8KkqNzcyqN05Ph}i^?Y>q23Q}GPo^Uj$lA;pSZ(&l zT>%2{a)R6Kitgd=RA&6VX2}KSe0Q4F@9mcXHm@>aPOE~!>D-;SsqV0Crpx6u?7M%L zACLpSV4%bZJ>}adq9rE~?E~aJw)ekgV@2^RuFNTer4z{@xQ_gzr+QDNiBMAS)K1_) zXe1zT=8WiRJdX?CQ(Z$a3%5n6voW)LS0qQ}Q zTi$&7EmE~MUfm=9tFNC)rNXD-Q_M5pQB&EKNGs_A=rxn?qDptB3%aK^` zjUs}duRq_m#?EJ4%G8`x*Tz@sK7*gv1O2z?m#QqafW zq@WOh6jX=GIcoz^@>n*YPYkdy$S=%Aw?jE*Z|pv^*RmKT_r1ALDa_~`vyfIZ_$!xB z_c`+XNv~MR@Ot#LW*7W%Z|_*~)^Cs9Sc}?sO3ZVhlcSo#8EtZU@#pISGSM;vkF2o# zs4yHxY)Qq3dz=A2aUyD!hBMjv?fSoz&CfwlM4!@f{wOuy*>(R+=@#$?#6G?BgSfqr z)2o74!U+RdOu4UTfs@Aj3>H&ZKf%HPblLEu%?2rIMn#HHn}z`54&>xNh|$vrzJ8)7 zBAj6V{P`#PKU-S!hkhwD&0>?IFl*ywn>@gRff3HF5j?Os|5Uc)G)~F*(3*5`N{xw@ z_K0RvS^T}0zWUE*divmv0+7d_p15|O-Qdp?|Dpd`R}YmNYUArIK8Il(BK3FBmz+Z8 zGjhJ52P>_TRNfDi`q%3LMvE1}?|K0zLRXd6`q-N8mteVX zi^P>xRV_fhhcQ%uygwM4#&-`Hv3}I3?P}#pqHLdZd;gQh_q$pn6#s|XnVFeURgrF; zf44&V6VBiJztKCp#ic_FA0jPIsd!MzGdkC3de0Oo9POZw_1UiHiogg3e?{6B-(y7n zLNZU)A=fs$E#$e_`U(Bdi@$|BdLXf`UV0!51$60R)%q_&kc`d}4m(!Srha7j zDV$002fP}qX_WT~f5``c_PLAy2?zuHo_Sh0GLc_N-Bd!Iv$mGed*@(No7bNNl2P*ho24>4yZ0t+ct=LGQW9-g%i=Q^nB>#9!8@H)=;lFyBBH)=H zgwNDRgdGTPL)KqcR(ilfo73p(d9~F!Uceow)0?tmeRYMQN%^CPb~|Qbc7a zb&bJptMB+lwD{UDB*FSyuQgcq3%-u}Dowo@kzZ!yhj_aA06vXFcc(7%4Zr3g?E?#T z+1O3DzIzzVwJ~-rUM=2NPl~5swRp%6HRI!tO=XiUg_gWw&7RihSBvHmz@fCzrWYM( zcRmv9tWV{U5*%M;bLdW*r@`3grtE^aEg5YdAKdM}b7QF2Jep#vtwY$$)(NnKfrAsC zEjZtmnNV9ShbyL`((yRJQe?fnmPa%6Q^D!DLiWfClK|#Fswj;FFkv!&5NV51*ld6H*)-x&r6@o<->&}f z(`Pv?erF*{u$ItK+q4fx2pktTaZFk3c?8ACZA{HjEx{=@OOrLc|FUPNSKl>xI9=Cy$ZwXjV7s(V)2I$O!;f@z0we^ zrcXuriWchX%W7}J=(F%NxbM>s+H=w=e(P3m6aj#HOe?Zn%3fbo(#&gL`Ix=auq(ow z?{QtX4HbI5C*j6v8HCxI@KPk>`#6Bxf7SLp?8I8UDddRZ!S&xxbDzt6uvD*J-91EG zJ@mX()j&rGWYxCxJ2CK?Jl|bq9ceb@4ICl(;EQscE0(}Q9Y36=YeLzV_gON{hxg$I zG9V&VcDhg{Kd@eAs#V>xG1nKCVwIKf$R(k9=Mdgpi+|venRRyLHX4SxK&ktv&7G>7 z6t?=l;-$UmbZ5H9;-nF>w8`-a-tpoG12$A-^bZm?3XM1NjCN+z$aS`xvi955THe9~ zQ+X{$9`x|wC!12OR{f!eWgg>(+0rSPykGBMydTG;jCZmKC^!23TAm}9N&V_4K!17W z!_flvSM#ip1D2x&Ab;6)QSAb+>Ib))6S{G#9Npny_H*Ma56ucbXISEzCn^z+Yh$wU zDJqO%rrtF}t=s17RJSeELi=+KxX;6%gfE-%p33Q!ca?yC0pq-QAsXyeofB|rmOdjD z+e-59#Z`+Fq*@;Hx#-Vq^tVfQTD60nv=j^HH8#^QPP8oT%r0MV+}E^q@V0%KG&LW} zaT;w`<+!BOANUCVc(4>OmEw|LPpDUEx!9hmX=le&FzKpwKAQIslgRF@VS`kG^INb1 zjy38N$J(iBMCa_a3qbq+cKwC-&&yaQTls#A{^UIq{Pdoy9mu@MrrVX)8sShBP$!3bi?@VTP$j3C3u(+$LwT1p%8QIAP9C&a+gT9v$G}c0Krr9@)&7 z?5NGh(`Lv-NWYPNN*RYFl(sGS4NMxn>}I5v&VTj{ZBJZ?U(qcv;UlZuyW;60R2r>% zJ$l@x4o`;z{`ndv+F*)x(eznHxah$oxW9I-HSKp?pt<&Bk>@Hu{UNP;(F4)VqX6I) z+B^JW^gAN`!bjz|8XU}gyxptH_+6ZjR=i)}=u@_vw}D(s25dnh;B|x)a~9?z-{g(G zGoUtWnl!~{vAkE;WJL(mrxfjo*k#E$)RDTnGTix`r~NtJuL($s_XI|e6`I!b9c?dj zj;_k7lG)O)UMpLEY^M=-U$o_aK+_cf3wCq1eYbmq7t0Nubhg@i+?z-b>Tp**M@S~5 zzkxI1k?V)7Sl==Wf7qM_jZ7FX=0r^4X`$-h=xmeJ&3O{jM{2FNd~u#@C3B#rGWQR* zq)h-gLQhQ#9K1f`O}HBf+I;%6Rh9(3E@^{G!EKqGhP5`uyaYuf*8P+%DNv%5(fk**xC>Q{QsVaUdd`Ay7=ZGgrp%ek78N_S&&y{ajmiTFbdS z=|zA(ZnGFVA4ipG5W@0!JDz5((<_3EZGZ_%svr&BvBJdCGz49;tOrJ@n#At?b8$l^Ntw+<{2E8$y=-r`d!Is;!!b8}zlg!-E zRotK6{=>GtOL=k{l@tHNY2*W;A!@x%=#&FmXUr;R5uhVIwbR*KsF2wtnt2#_0XR0K zCbJq~bm*8*-2F@ca3%9i*(Sgo$~L_L4-^%!>Ra0>^Sog_-8(Uk{Dj!1ROQ=eAdw)n z&8kMmkxS?YldiV;q9ELt#biXI@Ns<1lHO{DZPOrq+Zpi?0_>K45ukg*Xr;BgBDo5t@C#HvpnXa#K=UeChk;8d)lkxn&JM+7cvh^&6+wno zBdg~Jg#&c{-^x_Vdi6(fBOf7vP$(PIan#}CP28`;biDl)#qqr%e44OIvVh>58)La-$=ll7v5Dqs3@?J*k@)u*Vddau*5cwFvKh#TdA<0K-1VpRpt;l?u#X+Pgg&(fhpwsTW^_sglY zC$5egyD1IN;|UfC%|flULJ$?<8=(AsMEJG!vuJk)ww|nR0++XM(YoBuiTB+ZB0%$Mqp$-a%;^Xe{k* zls3wRpB1T4zW{%ekqc-cZU|^?V!x=;0K4(+Jp{GKclUei*&Qlf&o+A+tZ>D<6o5#1G1C z%i_W(jNe<+%NC4_nh9gydxxAFNMs_vb0>o8^=`)A+udA8@;TNoHt9`cjW{8$MY2}F zNesF4p?3u2LU+ zbGz}K(fGv1_1qDNJCxudj>SfJT^k-{@?umf(zB z?z2v|405AwEF)vSUw=)VUm4pVCzmH%7<8j96xC%5pBZhcB+AP`cpQyDJfNmjxQ{trmf)ZXz0E&XVjDdoA)paZaViU;Y zbVa7xY?#t@v;h=7*VO`BRha8m(miftM#EUO+Jzbd?sjIPS)}Sst<&{uf#Fn@=}w8Y zqtTZ;me+eRNQZ(pl!@Dlk;9#ZYlqq@1uhDPZUKGchJ`H#RB^bJA)Jnfdc&TOQukkz zE?(_Sl<3kQxLzJ)xk*vqMa3Q(N_GOQ^5lmnoqShqkbF~9wEzto5MH4}pc^SfKFS`* zMv#$|4KVQ_$I0H~!nzQ|}z%{js9Jho7^>{ol;i5XAGo>19Wc zhXsdF1h29)r6=FvP_4&3#17BA{3gMb$JTbiM`Ei~u6=dMl=rU)#e97-KwT;6(?wel zln4ze3ekq-aY5ym4tT+^JQnqK4z5xMb6ZsI8Y;m`i{}Z-E{Rjr>Y+A}`|7bEiLcR=w zk!Uv0>W`cpMfB1e8G_aEN#wU3v?H1w_K3Lg#(JOD(GmnV56_z3Xq6nWVQRfAfHE` z>Py+|EsuHatKgrGuUMiwMA%kEoU!D21dw8fgEReL)L;eYm@Q|;HE(};VVnWt^MBWC zrQ$~k=vlDy|Jsq>0*W#b>V5_e%)p7F-sM1-z`er+eC?%$*V@8>;&U?v!KVJbsh>e( z2>s-au37H>#<&6Q9vL%_hxBjF#s_i??R4|t2lPsF9sAWQO}zCM+IKln78jFD#_!3! znegIuX`$8f-1l7KbqbICyP>##+yH2vMx6&Zaom+HGk@;xh46CaUScg|`xnL?P{R}; z4dQ^5$m7bxbE}t|U*hX^bN^Ww>cxx7LT<{x%gFcUS34^fU;o(JKDNKH)iNoaPL5^7 zvSt<##{W>ysU$iyOenN!7%{xB!hyh%o0I(FpQ&j{15MxfVX|A0jDgN5ziTo9zXR|% z1bpm&cv)S>fnbfnd_a@~RMPoNCNVsC0hV}e&BGrxi0Uw;Ukj{GCfN{b#JL--FM zZbb{YO9z`0yZ?>>d~O!}p~07Di?JzwFE(E=;mSU49tx)Xgu{mZ-(cehu!BtSv-%kS z??5YYz-D2qp#rLL9W4~i{#5b)L|0ZKo@#lK5V5eZcHiifc)a^MkEfy87he5$s;%hI zPPg|T3lC*9n?#;QIcNJXs8g)<@+b7@b9e|h^cw&LMgTf<1LAhI__LGa$A8}G6JCk; z^hX`Lz^TL9A)q%cx0Sw&yMIM{%_i_SIxt9tMA*?73w6*vhO ztY_~3YP~=Jy23k6=&zHOq0YBHg_N_SXn&s%s8_da(Y8Im&o7+r1x6{sCENe68(;A} zp$}J;Bk8;o-P%j4SW5^+rBQ@h@gj zl+qb(qzo+XfZ-B+r5Rdt1 z>w1C7!vgoCFwAHF+e_t##q=fyT;LV7e+sPuXj&h@;3Hv;&HgD$_%Uz-u)bHDUu@+6 zeT;*rmMn|D@6-Nn+^1LDssapr6c@L~_U{{S3f|II>C-78?NgWZ5DDDI8 zr92Sph^Q1HUK%X<9T-adhtjVjhx0yQE57;tI$3x0=#BzK_vy*kkjtYW4p4NbEVT4R z4Z21ZU;*GEB&dy&z#N=_M(of=HUPwS0L|Q4qlVigM__0gE!fD3lx%^)+z=0nlIf>U zd7>o#*+74k3ok?3z6BmQ2aW_41Mit?c#4uXg4h}#SDRHob@?h?yIw|y-4!)*9!zI( z<9qY$QY9<0m6JVHzf5KT0#8>zmvv4FO#ou7 BU>^Vg literal 0 HcmV?d00001 diff --git a/latest/ug/images/hybrid-nodes-cp-to-pod.png b/latest/ug/images/hybrid-nodes-cp-to-pod.png new file mode 100644 index 0000000000000000000000000000000000000000..81b772b207f4c8ee481bae025218d330770fd154 GIT binary patch literal 256763 zcmeEP2_RJ48z(}GtvxDxQjuA#WgB}6p;gE-c1DanTh=yPn^q|*skBK#(xyE`ltM)a zi4w~4KX>NdnL7;i-s`ozf34=+JLjHz&iDPk^?YZOv7s*aSb?!DEG*pmdRitdEF1zX zENsqP9H1poE};bc$LeLGOJF(ua7Ggg%li(p_A0WQpS_bSkwpThN&QIzE9*$|B1_=3 zB(PX*SE4Q1ljIJ51nt%iM0fbYQc{4EtE;sHR!2@o7F?RM)Y{g`olNp_l)w?dXMJ}v z(G~m;n!&$Drr@7d;4enj3L|HwAO(KZ@bGXYt|ZzRIFX@Va0)UwdC)w^K+kOH5(%s( z_}SITg$VxBCEB`>ps(0@TKmd4k-+U(c^Qlh1~h3pdXn70O*$AHRz_AvUJ-|v!D65h z(TA=B+Hf*B&}M3FZ|&)XdK~mtK15G1C-91t7e+dUE_m5myAt7M>IB%3Jne{{)F$X5 zSP7iAgscX*7y5(Kv~#j{@U(UVAKb0Ms3<)egISXXLxp;DvZJ=iV!S;yb(XFo8m`j8 z6W4g_Xyfb#_lET8=BMjv?cunTWJj4$J3sjGI9a$;JAZ16f*jo7;E6m3)nMur01t>d zaICC@x04;w3+|0NJ~D~qN_O&KY_ui0y8|jm1~+^mtC;RY{9YdexJ_4|}2^r}$j z5t&U-5()H&S~T=!ev4FTKq-^c#4bQm*R^Ao7DZ!ouSQgMS*&n85`Ssq=6cB7lt|UOp5b=6C z*v!F$K|wr+!6;CFz+&a4D7=h(0rcnqeNoTf1|l%5tRWyt=o_*!in4(Bz!<2HwDAP3 zLmvo@MB0l&hR{PXvL1kx0ags|-eIVUaUQcH5XX*gKJvai%o9yc3PSm6^GQcVV04h5t zK$4nNI?!?_xdYN6IFj950ViR=kG_shWTL5uwJk(az5s+k8#L`OlmHxoKf|;IeFk7b zwg%6FKoa^)SqY-2whwp`v>?=bfaLJ-a_apmQVE1|A7E<_=+SO| zV5}aFGS9AdO@Y5Iedpcl37h)HiioW~=Qa?dC*Y?}i9hA3FGHtON=NG@L(} zfPfwaH2!@|pfD4J5x*KH0PwJ~btQS*Sy@x$;!rHWVRZmKem5+D*nAKc0KlO>f&mLW zh@MV>S1FJQfDoXTgDcUP-uOe%0gq^f2p%AxQFwrZbOea2(0D-m;xB{;Ftnin!G!1l zsrY{|LG~x;3BN2Rcv7hXh~vSEfvl_sUPJz01p^FTL7Sif9zg>GNPD1?=)bE8;2|*$ z@iD^d2w$Ul9pQg8uj3Gf;HU7qt*x=2fuo&kfSZSbyE}d*u;q!;SYWL{uY%%rO;>L( z2u-oFD~y3fL$^t&#sV-`D8GRgf&mT(=*xe!gg;sW#jddO@vw!^Y6u=EYT|V$TKso1 z6qqOnv`5hJ0J`ai-~kR8)+ju{B5aPr1FRww*^kA+jXwnsaHgIZISo?_iYe?&B$NGN zyVu&AOad!|GL(t#b{ddF4BQMGkHGfyBn19-PxQZ#DLSZsyaG&X zuoV59{o{a$(xFbox4$%#;S70Q#9N9?t{2JM)0POo1T-&yZ626B60d+A!J~k~!J-)% z0AK+JBKdC&fHFnE4URY(MxH15Zi?gJYj+OuFEGUvn2vrdrXbF*;n0DCFoO|g5b6xY zr9YU0=IW7uW+~&5x6AwAM z2!p-rZccV~P&k0%GSjhkb8>|qq(^l1Awphw_yQ7n80=@aBidVgQ`~y4);2^}g0-y+ zq|dwCA&z+Z4TCkap%@8TV9ky47*u2ct%adAwPE!xDs6%n0e3KUT_c+JFRGvoQF;bz z8Q8(mfZsvLkGK*jM}oEih$6^p8dH}S#im{^M6xXuuZ9@GgITN*9WSKC8yOn`jDesc zV;dzf$k+%3z~I|J3$>LN0Hj7V2RA}b7~BSj9?_45ZW(kN^voeqQc5Fr)U*dv+Tc+m zjg-Cyf1BFK_-$$%{oBLGDu?r<4^n5ewG^Nv0VXDrJ>?g;!eCq@AhZMm4P%m*6PcO^ zVnZU6Np9e7AZ`Q%KEW{LV0S&*(}=Vo zLjH#a8JQXZfLI};2?Y-(Agm5zzo3z94TZ8P*HI|(FGby%Q58Ds4hby^CjGdmI}o*G zq7`)(m@psBvxR2Ye-LGd$afGTDB9uyhl6$+e?!yoV`yAq5RKC!VkjEN%3+ba&}5Eq z!>>c;fW`-rxioO0Tf2FH>2$a8g8oBX>d+DZ;-^zQlE`Drm|29C1@1*CwFnYy;6IEk zmU&_k-7`=1*#o1B`V1t?M`zHZ;RgZj3VAfp&}?lfelk=O?Dq%G{$ctZ^nM^`=r1Nu zVIf_f@@`lFW|Vhj{)(<7kWqs4KKT700XjHZ@k3{ylEwvAX_#sH;nNQ!7Kqt?ox%{p zf`UQNwF^=J!vcXCx%`^sTpi=-v)nI0M zK#6`(XaY{4gXAA$qyUz)`+DH^4lEA(stIKE^`2w!Wk2!LKBj?^JAgu z?}g16UBZkIhIR`7Iv|FY^5_vF?xx|wir)lUOxF|IHv%#4|08NC$PYrT?;IB#+&^9( z*qhK~{~T0QKoSNKR0NhgJRk&?zCSKvWHBRcV30$?X~+nEUtmG)|^M3EFP{myzb5qY4cN5T2)E01Xm`fq)^Z2+ia6>zLmoWSQB37$D>bW%Mba z?RD5uKP-P!37_geWV)U>m{ZV>My5AnVN>JxK@3ErgX962AewalZlEx{ck|n=?H`y~ z%6wU2R}5OEr0WPjM{_{3Ng*DmMuEF*R{k?b|=IG&Bo)%sMz<`$VC|!vLixiYZ zAd^0Y3~JIpzz*25`VV4k#U`Rn2#{6igqKYwFw|6*P+T89IG{)ZK4tU%`u%9O$?0F6Oh ztUNqPegKFWQ$_xT*#59`@rSV?7TM8+Vndvq3?61qG#etx8@~=4LRbjl*hp-M6zHP( zl&M7rfeQ|Jkg27zz}iDTo^M|WtSrD&r~o0H`2@a6@#>Dew-dStJe8@F5F?9+4PKh; zhZSbjnjj%A^nxI5ztDof2HZ#s^2-Gq7&Qi(CO?!Um>V|;4St8P)Ni-mNcIQAdQ)>b zA$|iiPgnAgoM`9*s_vqa2e7)J3}?6wB>0I^*3rp>!eL&+=7vIyPwySebbABzEF_Z< zh(J&?gIYFYm|}xyiAi_cGCFu*+lfID{hI=Mh<^yB=%V3@*%pf-8uQ>i7U*0zL@T6L zEF^+*h)%Xv_D-H4FBmEbF}#?gY~C5VeG#4mI)q9?4q)`I4+vqQ*))ZtcwQt|sCX&C zhPD;bh*|^^;4gHqEy)ceLQ{YK35*9B{@}5A8AS!KF97~UDLo2N83M~Pc;piG|Di!Y z9JEah4ymD$8Y?FQxBfaT2^Gl7tK>K|ExMt{OLaEdTxCZ5pfow~- zVKu}@kdgT}LRW|c`i}&36y!#*K%w{vP7Y>bgfIVvC=LemwJ6SzQT)En9(X$cib4SI zW5=mf1vK40TtNYiP8wLQmZxt#Tue~v;rY(Pjv~=+sv#TNp4^x&0r-%(@_6g z^@||__g{8V!7}#$#XI#ClYCIc1x2vpRJCj+oD{@p(xE;P;LX$2%EqwD0vAXIrF#F0 z>GzLJypa;kXobrV_yxKMqFN)=4(TUYMH$%IK;Y`3a) zL4lqP0)B$sNIwNEm?q@|{(@NSA7}>{S@2R6enZ=4F^UHJ}0VchH?PVpvV3Q%u{hnpIrl=G6SkC(2lVIvqmWlJ$Rcw z?W;`Ar=e`AM}2E>Wd{lfqkN}mzbE3`8(ce0PD5T3>^>YSi>VS7qFKb*Hxdnh#rsbq zaps!&h(hK2Nn|A%J)f5+<_)(%4uJako$E=8rcdrEKO5A?%!4@ z!p_MD$WV%l9+9Qc+7E7n4qalrYX}k2bZ~|)p{YZWCWDpzEk1tQp%&lZ;|KUnD+a`f z>@XM5$PprG1kNcjV^l>enlg&qz#Q*sGUSJN`E5bbd2r;8rFn$o9 zApuN;%b2hkQo{hvVo2LB#9>GfkbdTm2_V)#<+z|DvOs3`Z&Hry2a!F7nlV5NEYY%t zQR0PG^d3$4NUp{&MEJ}C{#0N`q5A)I)hMcTM9DP7!!^j0MRRv!{%O%JxM&oS>r`{14#2fK_Yq@i!_Q~$ez~jAizXDH51J7;8?|9sXR%ER6y`eDI-3N z?F1giyddFUA0MjD8g%?F4oW=-Z-9rrt@5BoCZz$o2%{46pA>VEfPz)yfP$O`-muYe2^3T6KrD=;kM53?e};=x}hD2PzL7i_>>@DJ(b zU!H6x@C_Uo9lpnSy80OcT$B(yo%bi@PPkj+@% zwde(-f0CY^JS2&Duose6uN4A!THVusVKd7Jo6KQ%>R;b*`qx~O=$+`yX&5C#E42IaiuSoI0SO0%|d=Jx=1B*mi zC(1c`)ckd(_aU{w{?I&f(iH|yQbnm5UkCMnTwml*6=Eoe_R|0z)_Q&*ppOjYXo$yY z4qxWu+k2t*$mAG5ETU*3aW+I>`?|nEkMiH{|9cfl2B8zMhoAln21-OZMP44!I)B?- zd!(ozcV zaA?y9=yH&tMq54*D?x1t4gUNzZVWtd6fwcN@*iTNo{#zci3vp0Mj|GxBK*kTkC=w; z0%D?a{Xr(#?}$u_jHHB=vqwZeQd;d-rX{8r4xYWu+C~!NCxskLs>?Y7&ep# z2mOG>$}ypV4{g(C43$mrk_B zS~AoW#A}SUPfXKNm zDEz}9r>CPeGt5s-E@WC^1olaz^{`*T1^ve%H|PL$n1+8*4+E2O$Bgv{p(1pUutDr( zDDemSjMymOe`h=v50f_X$ibWO|F&t4xGMftw+blQ$T(xj@c)`ySQ<##wz z0Ek{HIRFLgPyCmF1)3&BRQ)cZ7ZDV&+{560^vMEBgWQ&20KfZ50`giW+CIxYmpBvM zGz_IRr5z01JwbgB3SFRN6=KQ5&Vyg8HU&loDjqgW78Rt6p@8yFZ3?LDGQA8k@a)JD zDCfR?zmmznTWyLTWm?0rR0O_2*=AS;L@6N1UOol|L{a9~DNw=G)<(9N_4&QDf`4%I$Vilq&H`gD6<~D%oe{&78sN=szl&NS zKXNz;DZqfJ|Nq#aAKto#ERC<_vLQA)xD$1B+Q^~Vf0X~mlonu8_BFDtgjau4?X|%J^m>(Xb;>I0@g-?s)2hD`SNck#l<7t@R?EE2jytpd`7_VOWZzt9>m+bReN z8am=)iN9=OI%6&myi@BNox3#Z`wph|ue|I`aS5q!gK`l;wbzNBL+oh=zYx=%gOJx( zlYY?VFME~%yhjh^+k!@p>|SJcs?HE!!r<+Tko}6-G>9XJa$Yc{e7h&OI{5qmPbUXQ zGW0FlN$S#|Bn7iAe@r71|JOu|gCkIAX!1dO=zr>>kM9xuHNsT2jI2P8m#7mE%H zr9(plhBYdhY)6FjKepzEPx24z&;mK5ugrROh0~#3hAiT_-|UiG&&qiO@D)J8K{6d zf4}y!Bgt0`f_o4X{&#F%8qog`tCwf{fNQqa^!gw2P| zfkfDS$TtvRpw>zJMuwsh%wRF{9qruTZXprvXe2KBk7^YN2@fWR{|7@=4)OWW{S*KB z5G@Tweu%j`Y><{V3{;dB+U@#JQS3iPwoF~ZP%$P*uSKC1Ovt~5UyYIy03TFFiSCm< zNiM{dPIhERpc_I-0*tX=^v>_0hWj@* zmr`~Zdy+^X+hNG@T*&TYPiqgyr6fC|E5kjMt9DM-pd_^$d;$If*joX19zoqz-LWoV zVG(B0*U~WavursqCU0x`Kv4lvU+*cg#=KQDLE2#4veeX@CJA%KBoKC_X|JA}T4uEP z;+()wa@tx?&$VgoO6BVxc(mss`AyEF`-^ZN?&ssY)M_d+R(3ty->|45?~(uMJ#7se z3Tp1jSX?ISJBq81`pO?Zj<9=k@DUo@cE_`f8TrqgQIiBN@#}@MkNoG_Z1ofoS8`tb zSMJjbC9rjU?V0iFmF!@6+hV6Ce(hFc$J$xKtP@85!?lkkGU`l8JK-z$3A2vne$Mul zxls%K#L5o#!n?wegqwh!XD< zgd`bf45OnSGT`y${6aB-QS-?sgQsshn}6peeaY3A0LqKsaPRe}-8<_9mD;pW15zKA z9uBB{(kh3s+)^wDvQZ1R8?2$nbjQ$lbMWFqF4dbDSoE3*VB8tb{Fa(2B81Sq{q&1A zp`gDybM~>^cZ&A<(q9C;QJ4o8AdBcV5f#RcF?_-cBU#G0fr?M zo&iyM%9NLKlLSQBZ{MR6yf6poPw$F0^mZrxB^lV1D;f;L*b|L*)0HGQo7 zKxpBtIguQ@6$Em{Xfp~;w<0vDqo-^F<5zExrqA0|sINKrOL=LPGwI_1J%RXt9I8!n@R9xG!%f^?1 z=J~SOCm1>&UwihXU;jMGj1`&7$Kl8~Bvr>nbXkK>=Yv#=1AQtQ`^gSZzO44;jEuSz zWU1&upOg0!4iy8WjALVXgZR*B^=n+*k1o1Mfxq>>7UqlE_fME2Ja(&~idNQRE1phm zd!hbnL1mk*6J&~c-#JX4enBtnOAl@=_l90N*$MXp;^&hxkO%-_#xH+h2u{ zyf_$NVQyFizrcmpLM*}@j;!iic=@K+_9{ejNUJ(J9%ZR*Q<26uUTmD2S-7M`#Mq22 zGRinxs%kq;HmSGpA1Yo~Fnf}K4Jp%8i?M6BQDemL-E2h3`ND@;GhIs5x3K$J=&B?U z!sW(_8k?zJv2!uI{ojVC)y7${ucx08?gZq0NvJ_6|yb(xWc0`Bl ze$A3jn8F%k#PfD_OyA6Hb$v6*JNbia|a5(C=ze^&{u@d z1;Xu>+oGBtAG_D`^gNsUk$VdY*3JrS!KAM`Yje^~Ay#ra*M`qc$2zX_s@*PMX(gRm z&>w((j_G{i2~%$qP;>ktoE{}%dTDZYtyCxO z24@W4nNkIdOwoCsc8}&p$IjTvEvRsBmB_##Gy#y6?c!XhRJENLj1xePZm(LKW|{DYM)rZPXef7Il- zCtY3>Ue@j^mJRMu=nu4@ z?y}R7Mbl2Resg`vK!^2*QG*YfT`Ap_hfSC-yt?UJYbq>ZhDfVc>oY#$0N0YIYqhU9*+tJ`pvQS_otoQcc?9T z;T6aCyvmg!g8P-d7h{Qc?Q+$GSB08ibbabtalJ<6+5ukYZQbUaT#_j*Mkk# zeN$*zsQfDDERY|DzEi3asNk;NJ3)^trEva3S4pl_rjph$|t$C5p#cN|OZ+OSEWxIx?hQ2Ptj>^}e3 zQ=EF=o4(DOs=P?bNUc4lt8ZrRC%ybzaVKgLo^X}$p3w-(HP{~5)^QOxddESFg?brN zc#n4lfzD0Jo`IJ2CV(_k&#-0rirMJ&s znwTHhHFm~3kJ_oyYs}VMbd_3ZQ6E?M^? zojBe0OZV%zoouSsNB5P@IQc5< zpjGR$ED2I|-l(GYyQIy_RvFLFU6bYPyua$Ao2i$swcE5A_ipD56l?NE)|v78ZZPcW zYOAr@r0(&l;Qh667w^gXyh6dEfJ(j0!9(_l z;wrxAX1>$j1+;FycO*`A?#_9ECfBY#9eC=HELGj`D7mYex22dTXz!GV!JpskBh}@$ zT`_ek5Rh{gKX3mav9q~i+$vG-X-`r#!a3&7WwR|@V?Cem>E@{mP9OGf(c)}rUQp0$ zQf{nnf7Q0`Mx4J((y=SoD_-l~+g7pL zSS_L}`#id7=3hKtOMx(5zl!L!dHs-+#-h-t+G>Xk zuOFW5qNTeK&|L8mUEawvS&qG_A{DeYYN^dQ#wWPW!?|19awvnwf^Klb7p~SW?|rh{Evxt5B4t4C+S#RP04jXAekt5G?L?^l53@` zobSSL)6YE($z7Y?6@LhySb1`#wPi^2sqDGB*#`=x`T!9w-0Lg;+Ust}$Ho#%`Bf7$ zjtFHbkqaBZe9vpYd0K~U|Lb+5&v!f_uxU-@;_QFISF!i7)}=4{alF^2e8Ow7X1wsY z&b?UnjNrIW#+jD+8xFFS$!Ks-kL!TN5&1@#68rRT+gPudnIA%gUz!>BX{Q0>XUi>cyiEpOV^kQYvBzrf|cffSICG z*Ill}2Y*U+?0C*QMK3AF%rVr_!~Df;&z7#&rI$2RCYP`To~=;d)7v?}^TXlkuO&jR zxCF`D6rIi|KFQuv=3@S2{`=rn8_wDKuD(Q0E6WJV%~R`^E4ik5bjkGkB8kWOt>goo zou5mmSKp32RpoQ{#Zr|e>--8zUU*NA>ma&+(l3~#V8p?RT3ZdS)Y&Plhr=w~Mu*4= zgc?=^6pLzkj^kEb|KhBzZr0{G{Vk84I$78&k~+t9CrTKcFs+hpjj3pDE=xaR*!{Y! zH)71hJjq^>CF+MfY}PmyyS;3Q!U+b+thsR8{3^s_yL?)orQ07Z4y}1fK5dqsxL0iR zs@GR}-vsn_uP>h^Su@Y<_@UAnr!4c=ym{D}iq$5w8NPMFHAJiK!#jyeEZ$)(`9y7? z*DJZ{`TC-nCTDH5mB@|po87PaS!+h~aPRfxY@X26?UA{zmwy}U+0jQM*}WzlFAC$D zFwOAE^)W(A9E&S#x7FG$Sb2K?iTcnTYYX~5?F;x4#yQJ4PlR1qS$ko7`xlqY{MmY> z$?t+oUq61W{&CC=A+E)IE0(NhEs^!D_CGd3%>I5-$_>tGTH9@IZca~rP-eq-VODUr z_2fNX9~+lVesOmFYn^hQFDF)?w}0zk>R9}Rx6L|po!ZvvxLfl=KQ=usGWQ7T>8L;F z*KSkJ88KF?Zf)SHwyx#LOK(}xY?fEC>I5$CL+>*A@DZFz2Uz&#)F(dfYFV*pl}4jp zB!`w@<42w34exiEWq588i0TR09c#2WSAHN(_u3b$C7;(=`nS53`+SawtN)yMv##yD zL;ah(on!io5o&2!6EWUdyQ`Tki8X{vto z>4BhSm>j!DyOujwTw1zU{<6UsULSwk*YEDU45g{~CMv+f?BAkc>y>(;c%AaHrMmgs zw~cd{Z+Px{&&kKRNwI#4eI>`_6`xscXxHwXH=`hK(W@^?&udhcrWEddHipMP^^?Yl zSxKrpNvFh0&N~<--)2wUOi-4XW>PPFAl6AQo2>|UGO+7iqFP9B=Xs@qhJ%5IO0ijc zno>_12BtpPqwIacdGlFzuUWYmRmtAMOklU%?QuVSG}>nOEL!+glh|8|_`xEwV^NRPPv}l%HF6eoVS#+Xk1<3pd;KU?^817Nmo?t`wbrWrB=tbs5ifQ{6?j( zHAycr$|1LNS!D9dt5)r;cBC7uSH>?t>7Thc&MeiKwa4d~gQ{lb6|cCmf=8xXQflrk z(ED(->+apQkR7_o9TB4z?C+19bUS%v-`X4>+sT;rUYuLq9!a6?56rU-!tGC$2eJkD zZU^ZlteeCLid-hdLM=C!G_66uQ?K^FBn{)Ganj)vC0+~n`!J@8w zF!8CO&m2(!a&@5MI&1s4sVgo0CG-{e1cVin4o6uy3$8uhEasTP%442deRkGu%wt6n zY5vlQdkC5z-aJSH^Qmg<4*XU$Hes3d9KDcUwCa&l%7DoYRtRi%Z@|^>?4G4FIYr#8MQAJPKk)}TfJE? z0_d+s`Zoo*%gyHPkd|;WS82huiiq91y{YsQuF#EZ?${ZB(7XzW1mpw zcl*FR-MsnJi%_l_eXi6gDTSxfjNX;$>rF08GngvZYb+|z-_sz}RF=N|GEb9(vG}y3 zGq3CI`*35Tk$B-@Z8k;QmpioQ&XhJ;CD=Sk^Rs}9fY^)b{cNSRhl(?$@RjAW8lPol zDBsN7g0DIyR9bm8K4c*M*ujoH$usBe-%+&5KS?fA_3iS;UH z$JuC&ljQRg=5dS;l1(Wj?{D_Ees?L((syAsP`$1!){OXK-Fp40(IuTYUczM2@k=yc zHu%r@6Frr~2cJ$USZ3R~G z)njy03f&#v%fZ%{-h7IuOht@e08)O1M=73N5r^M?(Bfdb(}`xqt4|A@3(ayq^cNAU zVl8akzO-IT>-hL#L59o91^qgc0}m<(ovyocz;xGxJ#}@TRNZ{qUMvXWQm}ywLcRw5IkLWU1>{e!)w7o1EV zHB^L*GuSu!@Pp=4gzLZ^V)ib0;rX%LVG(>PoIzHmj_MCXCLMYbMLwn%SXXvB_nk6n z<`(r2j|t&Tb1J&Hv>jufbjwbe7owtilJ&{8=WJ_Q)DLXhB|VTKH+6~QnJHxXuB3wF zEEhDm<0K4r9T#cJ;`LU0xkg2G(ua$iR{`P4wRzO&vE8n08O3LSZtdTe-?iU;^5mY4 zT+>V)Lu)x+7U9Qo$0nRZ{Qu%J08YzDr^_gw8pu@DdX~EOT5|#y_qM%iP1{zf3y3ZZ z_h8Xn_C{`C!GuG?`!71--rOChVzsisu=}Hm)2BrNN^o|?nhkfqL z&;BB{o-KXHEay^V%fOpn*zp%_D`siTm0Z=;ko@V%mNSACRv~@TX(!57l3rM3?iwF- z-D~DHx|8u$g1R%m0OVwqBV`EN-U{p}*vHY%a&(;PzP6Omk3g5SYdFaEwtfenK>Qod z^q_Sf_pfOP-iIuZc`HwwJ@Dudl)P&F4AZiJdwY4wwhQ_IQY;dyL{v&!vujS5iZ{93 zzdh!|sK-tjUd@~n1nz&jz0WH1;IS$D)b4GUj8k{zl2^-)h;rP<`?^aKf9SaU*cHtx z9vyZ1qz4fX4=l`hRrKr{a0WVtU09(nPxsDkxX0geHRZZV z-$VPi4bIssb`Wb$txzMaQqn!0hYdFh;l0=*?DE9zy_15SF)8QR70KSoQ2~6!6V++K z!QEjxrP&S*p|>;2Npp|ad#rr17u&Mb=!&@j-OGAIEUZi%uZ}OansGmCqo465bxU)8 z(KH~__tyk}IkjY;{8H}e+D^;%%g2i>=O4>vmFKriDKeqRO6b{`BFqd|E0+dEE!G&( z6}Tg#$+5la1h&(<$`X^V-Re%5a(hh|t6S|yoz2H*D0%Abn!mctjqSlB=@gMQuQdz$ zBcgB)5B;{NC;-DVZ9L)a@r=`#?+WG|&WRSoJMxQIUD>cXrM%WpcgL7dlT0Qx5$?Wh zkp%A8?OO_B1X}o8CQsWOC3bUCWYjt%xf(e35LRX&{0?YGe2c11?>xCCf5j=A#auko z!euzNVQPJ2cxA!&V>tQv*KM)iy1TdMbk>WU+)pjrmAeA8VmN%OMcQ~;>K~t85&q_! zZ*qg(^p;OmbMGW|)hsEk;5?$XJv%z2@x$lM{-)w9d1|(=yR4RKyI09+>s%8zhXVH+ zDPOtvh}i|*8y5O^w7*I3y7T%zO;37t5V+GT!6>*nbfsooKE9g8<;lrC!lH!_g|T@b z9xmKirY}2F<4{%9>uEd}?__z+Xl;2bom4Ved8vtPiuH{c{u8lm;}7c>ZX6vHWj!Uy zN8s$sqs4sN+O0SCM{wkU36y<$j<{uUGP|zQ;idQYatjzM62fzId|bG6Rc>%idpr4% zJL~-YeRTjiFpcEJdYd9Y^K=(D;q33n10^+mcl^e=z%MdMV53SIjc!daVV9-~e0(Ny zj&&oOYhw)Nj*O!E+Tx9DTAW(awFA-z_4bO%?T_Kupnt;nNXlm6OKBUNdS1P@X3aje z$EK+$4JUqY`JVh%tC@;gw_=lD_2oNM@RXjo$)^9=9B3Xn1={9q&3fhdz`MuvpDo?5 zY#Q)!da7mgZQ0&aS4>WS+*bYA3K;0Sd$#N{Xk%?V@zLPSo#butScRJS%|a@M2M{0; zt_Gftn4lEaK-Zg_CwKHT9K5c4#zv1@?Nx;EJuAjOV&81h z%$1boQgJs4V{0a^lR}6rtB!~iELr!?LH67{)tN2+FX;}0vr8cl;X3)79KAe+g&zit z4xbyVyq8cx3_TMX=$ulRT+1I@e8!_`u|F^n<>FZLbMLTqy_o1>DAdrBQ%b<@3=7X+aJ~DGrtQ^^^7PywXnm7;WQLpP^vrbssEhh9E_>$}M4wN7K1D!Qhf7AUWb}2*>y}}%qcDrx zgt(+GU(vq=7J*|)%{YE7JmUHdyCD*9ObEA}l2IF4@v=7#pPx8o5}%UwlpvjfqsI@m zk#@_Eal6hha5=B{@{$9pE0?Z+kl5tuy(?qXJ3^`sVX@e%ZO%LEkGwqSVNuyWQL=v5 z-mVkL{9*53^k%wxWxwissPg$v#rZ`-drx)Fy3e}ylHal`dz6ee2`W1mDqo$u^R7X& z?!KO~t$O=)H{ocp8a+2CG2-GYDJlHAR1fkivs@V-x0x!31#7uJtyIr(cy#bCtN9Tf zZtspNXT_Y@$DjMhF03lSZqd->E0&5QoA2LBdT}|+sPL6laF4cXcP(2vyZ21KG1d+S zyXG&`jz9Hktn)-+X*0l2K{Dg;Y6l3MwlkE;#~*on96eGje{$(Q`MEYXHsvU(K3^~` z1b1`Uyih+b4SQs*H)gY3_FoDRZTShw)Fq`H ztb~fgj#U>=?U=j#ZiA{lrt#>~eTyILmCJ8C!Y6+?`U1C*>hn7*tOaR{rYI60PYAas zNh&5aA8wxO$a-x1_xf|mkaK;mHkDL15+*H)^&8_wH43toP;Vdq0?Xhom?#*6)M!I`^JIh6np1tDx z*hZ&LJ+(?~VV9qCc-n>HL!2?&`}o-77YdDDpJ2(AZcSdiukLyM8pk=NN4GBOsoTC$ znIBlI%a7g3%>T4TYV9SD#JrxAt-M)WvX6qkd`c%=Q9NaNauuc^dMlx+YTL!Ls#lB~ zVtQI$L*>(RC{hP(p0}&7R$mWZUuArJMi+tKGemSx zRhL}|&Bb^}Q#d7(V;kQ_wuo@`jT&<q6nIo>ike~>Ki;jHEmxuUfIWINofMW^7`_Zm2@Nt zWhaQlzm4EnsHj}ZI*`4YD`E54NdknYv91P)vs-;syCz5|ij30pod^CI(-D9W0u(i; zsPm&&Y~&xB5CK7ywCj=sJ9ebXtlN4x*Jx3Dg!%EOymaLVypH%nFupsnYa^J3-3e@q zQ$+BVu1o2I0h8UX1tl4roB~4Vp%2Yb#B+~*!fMA#kYdpCEb!`bn>hj&sp~AO4wn|X zM_enVfev*E!YUu3)vBD+{H6N zQi$z?g>Zlb4wEQCu%sz{&1DW=iz|LNEyNeEKAsOs>evFh?OFA~klr82eBp!E|E2Mk z_X1XW>Q4DS{JR$NoDOf(P7P6Ug;68+*07U-?Bxh4rD z#>ovzj(G`&!N-%um6=k^C!%gi3zw*m!l;A(I;2N^$JYwGG*O^2mDgd9KR11J@u5}h zue2QxZLePxQxmhL4{1)%F2 zZO_)%(btEPw)76{uc_hX?aH5kwg+$mPik>4XPq(%q4owAJd#q&0 zuK{<5f{Y)IckHMUvrgcGlAB}?wNGGZ6%LCK2mOld-br^~fhWX3X=Wv}@AuQRaOxbs zic~)_MLqLZjIp2ZbA9zQ1v4P*3r6I~aZKDVBWql*fzliKo zwL2!ClA>M2da=8RyV?4Sa#i4&__%23*6^O_jbFmRZ;>Xo1HD}v2P~6vp$3sDpEQrx za=fp-GNgBBFzGk;xf6%71IGafVjdPA1*&2&g z-q^^sd9*HHq+oyGjgYwRHvR#XR|UEy-Cc9a+AIO~NlXcE?Nb_M>v4R>1UhAjj}I%G zjTgUvZN2EAB|1G(FN+Xf@Oa1RiH1=;Qh0GTyXuW}vY8J}zX7x9k7BPJGf7~=I)0_m z$b^Sog0SJ;uB~jdsVIf~8#4jS_Oem?_P;Q3)H8gRHx(I~x+i}z|M9b*S4+x`;Z`2V zF6b?|lO^dVg!D-5AgmHvLiq}b)MYo{?rw{pU3iQB7V997%sJ_oZ#aX-awnV`oyqX* zFfGa2H(k8j%Za-|=4;*TMcGDM&+3Hl%ea1p&NNqp08xwDz8$HHI5RPP+5H0s0lVi) zbcZB&3f7f#s~u}pwbs(y{Hoyrjf@UM=x(>}MeiXaFs!WFa{5RiJab`x-oLf&O;_Bd z2?DZ}9!CTMc3)ood54U|79OExHkz0EE@kC_Y%T4?KH8k$fF>{DRMbA9k1zTsOn7?V zPY#(r7+O=2PQe)GpY)2}+kE(X^v+r^FQsk|nrTDR6PAK{Y8|Vf)|lHTA%1R8yYrxl z)*ExFZ+gvxHlcJK$6|i&Bw15Q?aOKYD)a~5kYvqviOE?ivIY!imgETH_j%%9}m=TA99kf}I+DB5L;o?rk_(iOOt)7DMXS%dg2bJ_@b73qPZ4ZUCJVpt<2g=Vi**rK5;ie1+Y@O`b8B@I9M9pIyoaRJxvvt+eo7UiL0+VLx#8 z)`P#hEpmO*2d<9xy1#SY?n!ga^g!;ABdLS3vuv_3@^th=qdVBFsYggO8R}T7o!S3!3eVKw@&!V8qN*vGe zXj!Yx&oQw1Bz2s>G^L5R&9e zd@CO9a!7llo{4PaJpBG#k7XU52iiPRMe93=2?KHq=J}sqyhp7p^M3VQu@&!j33@r~ zy4jkcI7>m0Ch`CqK}@|5Ftrq3>*AC=Wz3k~50BJJ(@iCdw%^+;m$7J|_d}wzxqMN@ z4bSW69Uk3{;ub99BVBsQQ7^k~S3a0+%M{j!@2&)W`Rx7h^x7N~;QTxmReH=w2ui@a z5G4T_w|Sr6W}Fzb1u^><#--D zL+LPk0xKJbUyaZrzcVeBXT=&TMfR(7mYJFy*4iZQ_PWVmF{D2)4LTJGa&#k0K?Rs%uFgxq&8at+=+&v`v-tl?EC3+2J< zoQ8wvy;XDN^nss0*|#Pr`}3oR6P7!!$`8oe&~ZnyTFSOy=ls7UOty^1w63(S(eL}yeUSH*hCjz>3%g%u3z1z3}h-0%Z@J# z&cRXlq@fL*r5C?qOo2M}-Fid7>1bXH7CTdjdBmU&(Z~yFZ$Z`mEN|rPgsxL6G?DQMAecU&TDBM`qGHTH@}V zReN-&z2Koi6xm69puA*U$kI=n+M{TweG$?{FJhke9%}ovJN~x)tqgr(d9I|`^1D0d zLAf~23uRN^Pg4oF(6vL_r0RKKTmD(hCN7Ynyn0=veMbO_hL;?~gWJo8?@2 z#yatF%|3az#IEYVN4Y0f=oErHIBP`}cexmD4~|EBb9?%(uVov{Ez)vZ?`D+aIPRpoIUzEOuLK{&8+aSMiGO6inq9uuDgef+2m@Ux0l@}Jk+#kuFg2lX{ECZ$4;3)2e`*REF7a) z6tBu|SYtds=gazS7CinRH|5nEe%P73$lpX(E!F?rQEZ9rSZ&A9^Hav}udY!hxoELf zFEB}sSsY?3cZ|U1`S^$>tFwc!M7-(swd4T7W9i#P4-}|&Zo?4Pske>^kq5bX8UeGW zz16v@aaww9iiTC3*=jM}ShE7rjuhZ9t-f-kbCIIOZuQpSp8Ba0pH_?EJhrK&ur?*u zHb!Y^MI;^PmI@%hP2WelvKnyCRB}>s@aObwpBT9ZyK>_07w{hShPI^cvXB)`S}~%je>_(@d{I0<9iBbEq7bDbF8IU))t4|pRy+>&U-8&o%He1 zO@of=ju%+l$JVQJ2X-tjB3E?gq&hV%I`^_x2-{Y1WO13}GS%d_r2D*I>;UJbYCT-i zVb4~xHl`}JUuwal>bV)8_QyYV7+BVt@TTdCiGQkYtIfv4PmZc!*5~(ru1YS=vd2gz zwl1E2W?k<58t=6hTbi9G-J9Llc3Ji2xOLIzcq?}yx{|Q}m`Mwo?}X&Ly?9lZfA)H= zc60cZ>s9Bcj}c!KW;`P!6w1s9W2@OKB-B>uq`3Z-R+t!{+d7ZBYVzZych9;iHzv&H zOgE}kcLBLkkb~+#Om#LX*|Y4WnXI7#NEu!`Wr5|%{b|ZVi%MH-%}80!<%uVGKlinq ze^fSYN%Z{EoU0{!C5>ja$>~{pHWrJtNx3S%O-M|2tGc*YFU)!a6owKIoRKbje`Ze~ zM$%>TL3Kf$aom@tcs&O}59jK0L<8@;RTtI~t^=)0zmk_t8 z1Blisb$Jp7AI%rV=} z-MXvyNWpHa;ML`Z>KE7!^Q^Niiru+9V?}zhRbXqDc+=DO8(z0@+}HnnZdJ3<79~Bk zNUrHgQn!!l757qbJ}XkT zULv~K*<@CfX>c43eEadu8?#KgaRk=AQ zxUEudnP+*dkdUoh-Q;rqcEzcAi;sTP*G|0DKkr&0&8u^X5K0K2H|^;du+Ib{6UCC) zYbD(wASrx@`XTNF*6UH+AIxi~MmqCzr?{v?Ik;)$u$OX*lBYNt96~lyCT2aoeP9AO2?HGOGMRzSr_Pn{S3YMmhe!cBQJH=+s z=PzXCbdMT8koJUI9G{fH>eCf=WWurJrN`C_OUk{=)Shk%6#9NBmGoG?b&Or8-o(>6 zB6wlt+HhV~J?yOPgV7!hQyP`GazEN8-@<=@++n>;f=-#rQwUcTlu zFv!VUnX!iFyu47tR0r1;U7?5GFTc0h^J&4;J-}IA^kMOf38jrkpO0d#>+GpAv*U2J zdu-wvl0IPgPRlm`sU%`(sc!)O9=_z}Tg$eGnzQd$UXgIl_H9{uwdfi91WU#1wfKr- z&4M6(Rxe?cuAJ6JApB0e-0S4LB!#t2!!=Y4uNyn#9J$G4^36lsvF~Ru-K+QVTIA02 z?!cG*R$5C+eSWC*cn|gF<7{=YMbm2eUgY_opR0cI@#vRkawgm<(xOtT{oS_ZobTcm zbxxCf=QJfhzkZjwSt`r^u9)#)MjG;qnl|jm@<8c@+pB<4@bTfzHA2^ui`Py0^kAPt z=H}9?1H7{q9pC?Oj^enC)#s1m-JY5CZS^k9x2|Q~#b@&VGvME*ZIcSW94)SW)BE7s zO&|Ulg_V2Saz*e-hJK3CFU6yB+80G&ck4ZqS$$4x_L8JSm(NTTcz;seFI=VLw%ApLA=3FxBQCh4HM#;RbBt?_6)1>^w@-+VsZ-S%w zT>AEi-U0h3`g9^3!)_%Pv$S)#t5|rjsv1O6Q5zF4e;21y^{V;271C!5v-q zKgQkys_N|h9;PG(F5Qw!C?O%2?vzFmX;A6zkWQsT=|)OQB}75Ebcb}Oba(SVS4YSB zuJ!)bJF}MSE@y6hPCVy%_Otgs1#-7g7pR#TUEbHvfo{N+JEfv z?!3+jc}<>%h@gv*{G0hxu|lF#n=OdOYh2Czai<~;P4}S+_Lxmq-_bvUU>aJ`u9a4ZYI(saFFlzRQe^WdG>_{2PSClTWL)~F!2J+9^Wh?~2ppI*9z>d!8LU6r zOp~wydY>;ko`*xiei+|LR?AgP{bf;ezV=J`R`kstUC`pd@UXd-S6#Eou|e6P5bOlh zKsAilQ?9of64jw2Co5rWb6=xY2A-L1$Dfa#@AlKy_t&`pH1t|FmY|RB{SUpcC{z$KRU`oaGMTR2swk z^EBK@{qj@f`#j|0iptNM3$dUwh+ zf*KiErUjNTK3)7W2nW@BrP=ywTr^%fq;lFSfhKe=_OD~{%q$r}^`6I5%k44l^NfdhGbY%0ks<-~G~(E(^UM zas@vdJo>|SK2msaWFiJ;HT`%?6}T7MGLP$MRV0y7UcJ0rdfyrJ;G0}he5ZxSHN~`MQOmVx zqQ#HPb0J2&^1i;cw-L!V+lC#fesYzv`g!=?O96lc45f->&Vi~>t>B@7?6Q#wQ(KtehA(DK(#RMF zwkx$%>T>V#OU3{PJf52y0jQr!d@4*oeZzgNO)rmxDu&ii`URa!O>3xFo45Uu^Y%0= z#M0o4e$}##bZtEh*TnJjQc$0PG`DD&FB7uEg4+%+J2Y(5oG?S^C|ehCTQtlM@I7>K zybnpbE^SCKp4ZkrrAAS*)rDLh&v?i4IV`zmn;ke<lB3~6hjz>1!VFJ#<_e{eZk}GN zq9K&hS469S-TJcrsK;5|w0?E@hSExgKMohiJ+-2+6y&aMK^K)4S-W-)+BCyua9wdHQ^(HjP_W%XCHUQ+|zRsJKKz zBqIAiFuQL)e7%tA0R&&&G{lnC)yW9oc1^Q+!v*k|Z0as6kupPQ3JldqZ z;AARCEKHw~!pC>pYw_M>hi0CKy7!SJI?2IB6V;oQ6EO!SThD4|%F#`wBN9mHQpwa9 zVMtO!D;7rYL@tjP|G~-7CVOE4K>)ca47r;i0&CT|>)oJQFSery@by-d$&0JG{o^Zq zVV-JJ>vYo4@=9?a=!XnNRh2TjXI@$bE)JdD9_rPCv?bs6FIo@to{eQY%calzk&YG5 zFf&B<$P?|8Xu0kh1J`Y}j6pdPcHNjsPr+yI@2oN0Dz(%ypDoM{s4ZN+DeUfal5caU z@)!qx3cGX9pZx9#+=h3Ukk|jl5;LJ1-7A3r@On?MwV_8E8YXc?f8+Y$hkq)X&Bi*cte$cf65(asS^ro1A>Izm!ftOKOP z>7-lW0Bk>urvrqn`3~ET#tWjS(uhukYE|}S$^NS=N6R;P(-|c*Gtzug>rIYqhKcNA zH0~0g2{efUrK_tuw@0QIJY{M6F+KzA>v^+LU;Af= z21Q2Otp=&~k&)P5PL(wVp*JbDLj73Ay2z=h7^UoH`cl?ysbeNfB2>`ZPSPc6rJffC zW@fI>tP`)-Rozy&lzVzq6(8O%*fhWdDr{68eVaiRIIL2L=iBhzjP3Z+;Hn+>JZJqt zaZPVvVv_C+mirZ6c3)H&Mci+14qpy%x}g(H*2Pz!ilqZo*aG&RAXbzq;_+eXdkM4~ zNCgp5d+52TrYB^~l2P(aP*Mv=hMA1pxl!I!)*-VPYafMJE>KUfq#^DW^WNC6E ziX6)UDXRd)RB^hi5})O?J}ky73lf2zhl_?X>A7HQg<i2tneO*S2S9HN$ zp2+vnD#*L+#-)Y~ia*>MP4`E`#UUTV!@680XOX1^09a|pU2+9epODbH)X{xoJNr-1 zF0h+t)JTuYQZpzVX)HyNFy!kudrz#rt~sJxf!rS^jXxAMPDft)_U(dq3~Svbb7HCNU5c+7@plK_sa8;# zf2;d`em1)FBFB8r(tdAypVMRC=DXb*`*ba#!XMzG&@*)Jbg>(iSN03{tq+K+X)r;Y9odlD;Z2|*wFfVs>; z87uXgaCaDqLw#HHxeqBK8t+Y|XV7NbJ?b7CLMrJ+|B0Wx&Ov53&EcY_L!$@G&!8*O z{1_Jqa~&<@1JJWQuIocdCm@>D*;XUZCuLH*%%=Y=Zav}Ix#GT;YWgyA{BL{)jr2d zM9CX-CV~VUAx^TbD8amE=iuj{G-rKq4%rh+jpR1_o`1xTO+1X+`>;Pt>hah1SVpWS zjPao_nw{bH{2+4T97F7FCTK2MFP z2Xc{S9ScM`I^XV1UjY)t0_u#1>SbO!koIjL(&b2Va0HHt;cPgTb z=eI9hIJm!tVk%|`q|6{|NqHrE8^weN1;Gl~08|B{PQnooPMb7FR@R$&;d7Kyuj#GA z$$4Tx_v@@am?=}a_t}Q*4AL@O@eA+kOjp|W-Wi~*_lp?8Wp^UCXUoEl44xsidCMLJFsalQ{ zrad#5S!o#Ybrrkk>p$jhFObkTyV#DzHOSyYKgC^@hQ|0Tq&%D;6Y*FSlO-qXdyr6e zGg6K569F+9Si+$~-*C}@-^{KHLKf0dj2VPMm0B{{iG7YgWqza=@2vjIyw|wO326iQ zP3F3&GZ5VyXLvTK5(WsR!AdIg*?D)ZH^(QH#CK6U)GKgwH_iKkDhtrUE@XZOg%My_ z!?`tX8;JU83u%oaqeqO!!*x>Y)OlTXDCY@)o%-`%ahP3-t@3+*iq!OR9{JJ5P`maf z%KdiiQq<(>IoV@U_nx=c!ZjK!uHlZQx(Y#TQ@2AasnvOiRJ0L?J$f|Uyqm3=J*|in zXG%W0Ub$zxe2qCDU^9{@6y)2R zPF#pNnjy#Hch9o9jM+P|3Z%q7Jmy*+x^$rwpm+PELp!qEagRyO>Pg19YOv*B?pTO` zdop_jC>XY}2udy4w~*96&JMCteg!<|hr=)DNgJnYJ%+r=IG?NV&;vm7*}CSigUlL9 z&X$-*iZicrf8%MGDFQn63E4LN4ZNnHI8I4snoR=D1#Z6Y^KfSzz8PdP$(w|4f+Psm z{SGnSt_x}H%hUzqP^nqsts(?-eODhFvXW))dF7~IbQ(b=Fqj4t_Kk{V)vhed3o*F> z2%tGNog&#VJD^w~rgLp*=V(b#;azyvr&SC)V!ROjFs;wzaDPI4v}uMSr?i0!vjmp5 zX}jGFYD_%vXnHGi>Y zG(plcoA!sY^6N#&6A%so+po3{_*eOrva0OoKfU+$B}ln!YJ)EsuixHDFHxR~ zSVbNqT>Qy)+|@Im&-ypb#rFixp3QnjJrGwLJmRQt&Wplb;81`TtQ=FD#Y;E?aE`Wr*D+Kjxcr-p8a*J3dZ9lboPvk%NkJ>Lf%hx}2mZaan&`(N|Q8-{s?M_`> z;XM&YMtxsb(=tvM%zq0LI}`tz$Dftq3b!!(_}G5m|J#JVI9)Q?f2n+cv>Er$$AEAD zK7_sR4x9r07GC^$jQen7z2}_^pvtPM3y^%krKgCrt84%i2p<8M?nBU?a6g-nSxpk& z(FWB}|S7XZVM1ZED!SDSPJK*F0vu)E8_1U zZOM}OeY~1b0vMP>Q<_`SB=+Nz-y;oZde|thm!Cmzj@qjfCJ1;~fNtb^70y`8s?w0KU;W#8BbXXa2}38RH%-f`6M^g%1&*n z97yEbC2)n}AUo3@+d^aIX0iNZ;4C`M?*Wqb*$^IV##}qPsd8dgEm^Qiv-knYAqZ4v zos8)(=c!1tu;ky~DVz=qNkem5Ujd42u3E5^0VXZ(f}#}f13SzWL&784Rk@|@<6?A zv-I;k<|@c(VnVP(STrJrmEev$ywk4P*&h_r1fLSK>6lIsKLZ7-jI7eB?3wmg=i-+K z{W9{z1A6y3)W9uML&SQ#@ofjK`UCQneD0LvB7v-&{8UUcFSudLWUSUR0RwqFyEL&n)ORL;&^ z!NN?-U7v{ET0S&;q5Huo&_L0^*4S_VMZ7LCk6Q;eaV~|`6`Yx(v z1*|$5R6^VE!U1|U12{Si`$3~VgV2y$eW`t7m53YI zYL7`ma_aTkKo64~jgInQUDKP41Z5A+hK(|Umw)B6$FS3qPqLh^(|_;Q;zPLX>^b zIa~>B{1i18BRDGhM2BMnV9pA2@5BQ!zr*wF7a_Lw{1Spb3)D(m2JtX(AkFOyaT}kNRJW)4GH2|zrhd6SUn5(j? zT^Ee&U<3qO1S9;>r2f0^w}9|AL|RjyRP8QpbBvj+&>;vkh4Fno>6!#=>Uw}MJd5LN z`p!E1lpOnmo=#utj~DEJPBHMJAFjU8dOpUE!659b0&4OXI7+V;B+Jd9_rvIFn3mov zYe|IFuNqm9zx}Dw1C}>GR05H2F%HhvG`@05p_J}%hvuo~lROJp(9I+E+Ja4eHyYt| zEp^z`r!SjoH-VSV0O=Lm=O@4|DUOT!^bAD!6)KG!aewE%HCaDkqoP%eaSyDD&BHI6 z>ryE0XLFCL-Yd^3o7Si4RG7b6!)JCYnkQMyS&=1{q(OO4V)WW8-_G|#@&oHh=woe! z2c~^AHg5df}mrG7h`iqmDR+Z?QiELYvgn{0^ZtogZ4f!3Zi})^;|F$ z9eauS#2_%GySjnddYDgCi{WBR8SsZ9g|aPB5-ts|vvEo3L})(V;8aiW@j<4Qp;$VY z4`nY@zW~G>HKWJ}y5(9}A|YNrK0(V}aye0achp_Wb4$N(N{5kVsu9Cf1O=m{#?y(> zqt?)!#LC4?8wCyX`+ZEvmy}IK@yyWE-pRj-skEAKKNq8h(J3}~-hzwye9nJ{Z(Hvt zA7uWDBfg?VG8wsdKnLNXn9UN`Sq#ZevHn#b0vg5M8~P#4l!8Rg7ixJq6{|=^Csayy z(4AQoaLkmxChu#`Q8dY^h+?HohZn_+i_z9n%Q7i_1 z^vr25_vGFHJ0U|T2T*5I@aTk)o1(P}sNMBE8Z+^8D*+5t_TxG|gzb4e(-YnAE;SVi^xE2cOO zDH_f|Nv^^^_HO+{Wph$iPw@11et{1Y4QRE~9_%{+LL%1HK<>cRY@&R+aBXCL@Q6w_ zQa^^$O;z4AzOvBoqSUTipsLUQA`yp}g?;gq;nMfMx$9=3lD^pV&qwcpjO|pxp*G0ZpK}y4HPs&dN4J+_4)0oMd;RG)@nC3T zB#1YHthgv8G8dNk)$`ohW>+5_(RPstm;v&9wVm^Oea~lrcpl0AM>1o!a=LJ_o>2C&+b#t^dSrXAktS}i zSbJnSZOP1m5p?6te0jJo+ddd&ddgX8RSXMAsRODiFH)No5ukSvyomSjT$q}#_6 zZ>_*fC|y+C|EUj|5$^ZR(L^P#faNkEJrGmP3gN-LpBzoJBxM`&ObM{o55G;;d3(Rn zxEGb!`#8hdxE2T9$l0tMWI0Tuyd3ECwv*?dWX}eih&WIO6?dv4K;E!{p_@OYpF`9V zc|Kc>%blKq)dsf~R=o`uCOKpj^+SeUJX`)Z{70RDsgSH}0dQj;z@xQx%<;?cIW%pX zgnn}Y0#O+q!BV0J-L9htQq$f!OTP)KV+>Ol+uql)aJR$Sh(Q6{mr3HtDTTHr=3L4| z3xk46y~(J{Yd|URILBX!H=C+iFc zQ@KoLs!817V&z7$2tKB@q*)fqA~Trl!eurBeoARb_TB5>4lZ%2_;c27)PrY;CHa{lP{xryifB|rGvQcN!T35+6NG3Z0fI6ss z^_`CP4Eyv)wU7)ITPaov#MCXjq(+gxCK zOb*YoZKdmh%xQ^=nH##$tMTvXiz0c!RY;Z=pZ|1v;)kVP%)6B<}I zC}d4J)CF%8)S0hvns~Lkh9^xuA{ygP&icqzszY-?N)1!+AiO5ts)W*X+wp!VU>o?J=oymCt?azF;h|E&Ha$BIde-^L^n3JFd{TzUa z%3~d(F**`bb02$h*RnyyVisN@bF&Z1_-3Fqa=l=rT#Eqq1E4Q+UVQdghUKY^(XcMM zMmFu_6^#+yZ9+{Ns~BBOMxheGP(Wb{$>c!i)qL_kQEH5Sj4OgTAY7J)2+#JM>s#`S zNY@Jh*}Z;nJMS<1#eO(I!ddvg84D>l?#!xzzF1cs!4*n6D9>f9tfvM& z>BhKVM}#wszJt=gv5pZxaS8K@#FW1f%p6Xn=FVXiuIWl^JB1!WAX$87{}Ei_&_o8Z z>L3vA+OwoW2XCU?B+dBVm2e|ib&)uN_dTuCO*#w}deP-j7j;vPKtu~{3?btEgRf83 zVft$fsm|y~=yYssUpGE7?2GrCLo1>&JLJ5sfs3*2axlSaNRTL-8{uMQ5;GGYL}bl~#XTfa6^$_^ap4jzO*G8MJ63%h~il=56AAiP8j?=`T~drRvlmXFyA znzQ-QzL$QND2CnUOU$PRW(5i|E*UFmtkx@odZ0>s0|=|{39g~9Y)p&;Vp0)I_54FH zB{k{++H?mL|H|LrDVYT<>xC*^odiu#AJH~J8C4&EvnWil^j%%nB*1PChLLxVdD&Bh znk-~#D&W_ZWa}@gowqDr{G0UBRDdclYFr~_|2E<=dH@}FSHgV>(4%{2T@s3z?d8wb z7M5}eysP-ca}<2DMSu*96J+CuZZV0Y3IV3G;Jsh3GoyLEkXbF@PQxSfQ9v->I{NG9n+h^#p89oDmtHf$>y}i@JSEpwPN;4xmo@bUr#?C z{}A;1_oKuR8bA5A5tX+>RaSJ9$yn!eK087$FF_ewc!b==b|cy80t6LZ%UcSx!%x?p z!LO5nNFg@z(=_7)8#5aFpCGy9x6skQuPhL4f(OE|D5@yY!rKrq-%FmnRF>oS(Lw;s z9|uqYmNcjpj>%Dt+y3Bo8v$+}W0zGXOb{<3woR5ONBMK(+$(}@Qry@5=B*4Z_ss{H zp4NHQ^8XM5n1>B!9-vrxP!)q~3BsgP5lK^4Y#r&lC7d2d&fHZD8rmKGxYEE(i8u$_@2UE(<>Y78 zC@=INCX^g`KhKl7;61>mDo9r?qBJ5oqM_q{U^UJFs@He;(*_|uV(z8Dp|xOsl_SIp za$}eO=0f8aaZ!IEfSlS-SXC9IHrtgAt};0{hnc zY_G`;Tpl`=3E1j5F!oeX%4dYjuWX7ji_oBkQ#-fl9>5{}Er9=vX2McaoBl=R0o*|c zFSzMm)+C^)@xTl2#l{gOWv0e+ z%=@B)5GLnr1wk%TN_yob1j=9L_*vJWKK!m(Xt4jJySPX~AEZdXCLMrJu=bZ0uz4`# zx)2H@f~9viZZkgXvjW3zYC_~~m{MO0*SxbK?n`p2;lOrRdO>aYvv@tWS~MAHKx{%yiITbHJ}{fnYUaGS!b_D8 zC?#*Gi9ikESb`9&c*ehx zO3GZd6Tz5OD=dyTpUZ&XrXMFlCS`iKpF-)xA`?-{Vb>v_xaYzaS2C_1W~mzw#~o^M zWLTSgK*;33g-^LCOPh`5tIdv*4!GG5U*X@jJa76U7V&}?6tVCd(o<@JuOC`8E zwLqgd$%QH8mM>|L3C!Get1Nf+IgwkG^iAeIKyA|lc0an0A2up9KOf#JOQx0#%#;W& zJTM&=3W}2hny5Xusp2bJecRyGr2DYp_OQJV4-H@F)d5N2o2`zsjchiIVa$rB@D=_6 zE`<+W`tX&XlI-7pSd?fNoH_XEVWV%fXd%5%RG&j^5h% z%hm$U?Vt(z*%yUKOhilk>vH0I{WJaN{VV3BmAAXx*T|Gq2~{2u(!X9k=yFf%NZg9c@Zs~PF`!|#YcDJ7M0LJC zc2@r?^hs!7YGCNo6qk)qB<{MxW2eK?!n)O~>5}b#n5@68L3SRB9t(ZzS;oc0_A-gz z{5SakL0KZ>$;?%Y=5lY!t&aO>PTABQu|G2Y9s%%L5Kh|qj>f0_sjcJRxfex>hF@5- zr`|^JpZ>LP5ipqn7f%hdd8I-BorM56w#U(p+WKFsBZk>PfOTVH>kVVA|55IP-UABU z<3rS7jP>77_}OY*L`Na|!jqSqn=8$TJ%wv;sLYlhOLhLoHW~bsK4sD4%YrRDRHy7x zj}#!|`_JRhoT2!+Ux5d@tbqON6#?ER3*>aj@&D7zM!-k_`NU1ChKipa82>yyL>$R* z#y1Hp`>m5=S{>`ZZD8QP(g*ivZgQe2Z24Dd0RzK08(G{#0Zde`mi&tUo(EZ)0gRQG zS7jfKR&o^d`2_!3^ymp-fV_R2rU4y!hnM7koURg;M3?u$npeclGO1~fU6_rZ+}wmoAA&13_fS% z5;DKt^*fSozjEa(W?_3ESRqH&xDrAs3-Pde;Z>m79nBGe|TMqNU$1!W{UuZv#q}-Q7VW;1Dduva zA#^w3uO8sf4+!|RRSlnpJ{7{j#C|GtDd_fd3Vcz($e(DF^Vr-UT4N4>G4hWLpWx+U4U~>cfA|**V|=5#yD$}9H1_cCPUcMI1)eDv-8Z!VOU)QX|FyXAn8C%E1nW+Mi45F}hvYPhkz}+dB<~iZ zebxB9wS*Wt$n+oB#XVw8FxGCp+gdgVV8OSEv(R6mqX7gX|GKe0x9rk$+NPPr5C7v1 zm5OmxEE!VK1PR9osa@EXGV zd;v=i->SS2!X!etQmmhi7H(Zu@`Hihc&|x!aIOE5j*CNlE0XdBx{q zY#Z%2Qb(l>Wh6dw$nA=YvWWW|#VNGa_XIO-*n)*vK7ab#j42?}XX{*j%7kq8zr@+ZLixo8W&teosfG<-2@pGGp z7f$v61i4aT$hiQ!vWoC(E)Eb zSjhWs2>igx5*Ov$Ycvn#lru%YyO3Y>I3gB!_E7tlO?agCQfsK)OkK2@f>z>mMg%=- zU>HkHvCf3a*`gVqt9e6j(9 zYe@%j_9)$lk1zQXXVQS6M~w{cfFkGhEEt4v5?oxVpRpA}24eb!;+vnxDtJ{a4UazP zF`}bX%D_)K#q$UZR+J)&}p>M#y-wy7Z+!Z%P&lG!-kQ0PYK4?dPfrFm+ zsKP)?Ui{Te0XVJWX(oPs`*S+@EEqrj86BcBK)V}@2|`M9Pt<_p>N;PXugv6ISb7aJ z1m+8ZQ$+`SRb8R4I18RqC|(YWp<|aHe=&IlKR6_PeXKo7&u{7f%oMmw+8nX4`5PH{ z%KK)eZJCmxoZ+9C#WQJ(Kf7`KvlIKo;c20?$i9iv$oKRuCBHBIBRoo}5qYk`1So+g zNSR_7IHNx}ygHnwQcMWcfX7JjM9+%4^f3*_&Kw2YA0B5fklca&QOg< z8iRq;IsBwO{8}r14+jm*!Y~p%YMsz$OzbY&a35+9Ot0VRxB{oc$2VYXmErmBthm3E zi|=7WGh0xM3@WNUEAL=L&`GS^9ViO(1He3b{`7PUYCS(cX!%_yN}m!x?R3! zwcqpV{?R6csZ$kNdNPyvZm(Tg`^C<;?!{R>W6eUz7rSdL)yGrVA7_+K?YHJw35L(T z%mQmJR*e_V2XM`4JzXq~w2%9bdE38NJl@MgWPN86Tocy|E14T&FL~ovLs@+pMpt~P zC7@kxm~2^G6rDQ0d`Ad%$!&AVe5^pXWbt$Q{J8MLyXMd53gs8BJsjI&jTK{D=8s*W zJ%01@tD2*lTHID~_;sv5c=j6iFwLfFqBjQFl*#jk73Eud-bx#~2=-66mPn3!jC=4_ zGQU3h=DP6U=?BAP$GhhDHnko&J0uk?M2n7Ydj8C^1lb5nhnz66S8-yWyObD$ZF>@f z!TuO4*MbNPvTH4p=I^@($brv1s<*>z%We(|YJiNm+-*rUmh5s&9PgJe-#jBx5^pTN z)?;V)u6%lS%of$!V_`Bevv>H|elhiK*tRfL|Ko9Pm+f%R=N)(4OutK4FScpeH)n{q z?%pZ19jF^_4=Al_(~rCxhlN%tKaSf(TINf$dl0xuFzmTLp;mpBZV|pcQDuIQ`sVt* z>hN`e*2r6*#NU>@k7>Og)Wex!t!|q;MENj0J9*`$;8LonJ5*YN$2Yt5PEGG|><;O6 zH_IEwyfxQ24#!!>ChO@kQeTzv7%M>DS_>7+zMdZr zomqh4xi4!|JpaC-=KBfjowjPpq@$VzS>Hrz!eRHk{pmWE#f!sStNYJ{w|Cy!AKC?0 zuGbUUY81-QY(y}QpN}$U*XGqK8@FVcZl|A?HGRfats{Zf4R@2b@5D~DVR$C@n_Dn| zlR!Dsa0L=Rkov8}5gpqQLMnQ1I@6}gqFymIVeg)_#H(n0p&@-l0p6buqh0zs@xQhxv^0GwkKGf;rAKtCem@&T>T(U^0sx5 zAe7Tk!z1sTX_l#sxog!F#RN$B;rFfQTLO$)F6QOQUT(`HGd8{LDW;(CYpgVnMs{E9 z93XL)J$oy%b~)pD_n9-N<-O(}^a0;Gi#)+Z+sAq1!WXx2J+FRL^Kkw+=ghtq7T~@= zt@79pG2nI{75mIR&OoNH+7|=TA3a6{6Hgxo(zaxzl#w74tm=H`cZ(x=ds@n)%4cFQbPLeLu_>gx-{tB2~)>%%t3OOLukM z?lN(s)Q*pe{5q`(;q@D@1vmvM#7&{#)X{N%lsQ*)pjDLl_L25RkS+er`N(YN2T;Ct zPASu!2ENCch^+~(o+e|NR+b@|`54&x?DyhLMA+~yzGjw>i<(qfAVnN4w3bBak7zVQ zN9Ifgmr96&=)Dfir0mW8qO?{>zLK(?wVE%GZtD!lxjS=9JggPTQ(*IU4&Ob-ig)H{ z&|HO1H;uisAKJGF-*?+zQ>w@;l2+7YzrJ|+Y4`1#3H{eQx@_@+wbGF9>ltaMdxJM} zqx?Qh9dDtYwjSVTZ^jv>zOzVP%*?GRYPT$*aBhu_#eP?-e2w#feFSS$Xw&oKP%KRO zHy7a0ex{0$6OPveU zailnNy)sU3uDh5jruq>~&al!g-#&fV5uVT)e3e_UF;x6Y=d6o-Bs11|J%y2IqRI8H zcj=bmqQ3VkssH`xzMaO`^3~_5*n5{Tn9Rlb4|-MuJd@hr$qc8)uA#f(-%9(ay7NG& z!^XwT94dr5Rgsm3j*xd8JMe(4$9*w*Wjy!8Zp)8AnerHo8$C*OtFGSe4nLM@)(ru7u-rE`0kXErkUYv#N7+-7) znN+-x#r8J-R_O%NL?v-#Fy}(VT${C|br`B2k3p8jJXo&o`vr-3PF1|N2(NV30>(;*nqzprZ9tv z@`H8I(MO&UAx5Q~Y{Z!?Qh_53h zt~dgUFUAvR!mi|slm{iF=;v|wB7^Y>>R%40PK7&}u*wH~UO%?_aeee+W9y{iO~-Zc z)b1h!ci;2?_&529*WiXwfO`$$hlhEB^vZD+G&wZlimC3R4rHGE5B;X#PnC$ zuGuScAnsp+VV&=l1uUE~V;318sY_tu5R#Ld|JeWhD^DEz1p*BJ1OZS?mKI&@KgHIw zNycR5I@2;`(yHnb;nU$+ZA8^ixbg=C87tZ^`lKD%z2>zkF7YJLzwNJK^ETa67OQ$S z=RpPVO!rS{yL2{Vx&E9{3)0|x+sWzfFf?~cECC`&1L}*x0;|O^f2~1G?30^L)`A7$ z7r72;8~qipZhG@PAmgUoLkrh552%4n>@_Nzv!1%~?QO{1w%_*dt~#wn$F|jpbo21< zzlBsE%#^#+7t`WA21`B zb+{hY{$l_BIGF&o@R{9v5D3hlU1(&^9r2D(%q!$Iv`BjefP9SHkebcaJiH&x9>2!k zZJr8s*Fx%tWZ6VN$B~F}e#Qx(B(>~`+o)A;!od{Php$xgk#P!&JYF~KEo)!Q20e74=CR&D&%_63P} zry_Ncdb*EwYpiuk`SAxyv+ZZGVgn$Ni)5NOPuI}sczyVI@6^v;%+HjNXk58Uw|)5P zPu*AK0NnIviKuU9(#ncuWHx|O58c)G({F9eN&2%mP)EJU*q7EnmO$^hm$(3oDV^~d z-Y=Ag)|<)rzp?&kD{sBW4Gq7Mi3}01w^9{vOrEifrqFx(g#FI9*FXX>X7yuKxZ50v z3wrWyuH(mQk_sTrMonjH6S!@@j<_!_@ls8{#x0U}erRG%Sz(IdxbAEJgAGJyDFc^) zCz*&1FrWU;aNZ@f?E!_YTi=K4@!7d)itw6letn6+5{%IFI?=^3b~|39ZFOO-Zr271 z6&||>A&x`$(M3lK=a4vN@-o*Owkdc!6Tw-R?5<8C5n`(zgMr;v>_dt5gi@U;o|5Ri z(&R@a`Rb>sf@@f~ZWu%VE6fyL#wn96y%6?o9qo7-*!C{u<9gHPtM{A3hg3FJQOhE1 z_fd+^gOVJUb44Ly5rhFL;)a~2yn~Y?{hO}#-p^fl%(e*}vTAM213qNemTJ?hRvshU z=(FABwSF%|wxQF6BTel2Zvk912v8esiAo_UF;jFS5(&DZS14#33He$ax&S8|qvTLT;?StC0&*Iev21T(t zfz>-K+_M+L=Wg#WR=17qpVhpI zAH6CPH{^A6#FP4B`KTIHLtI|W@t;~4ah6ef*uB0yRhrC844Y!Z=My_KwyT~z>G(3P zqMM+;7-t$oL89JXK<||v^>cF#{5%ReDFG>|J%c{a zyZ?Rnx|WZ8V1|?T{i_3Ou>su9x)>?2CoU1&NE8oMoOS>>v}gB;+kfUy_`brCebI{x z;qa=rFN!m3FQo&CpF{vXSulT`)$!>8$xRz}l+n=l%s;L;IPv=)_Ki7NzK3w`drg1B z)7e8dcZ)Xq1T=^`Rm9q=d#+;1G>9EMwL(}>NpN~ry@x|jn)~O+NKQN<&d8u!l9BC z-!tURl}|!vz8}%x#%o|Ub>hjJF3*;58@gUY)#|d(Kt+z!$v-_M;kdOdq-?zr#%pvA zM{7~HyiRS06mM2^iX%e6WhYbN-T9WoT0I*s3$1uLMa5E0%r;zLm?^%~wGxwZYb4vm z)d~Pgi=5!B3m*qJ+jdX*f@QGe_oew+G^^-*Hc-ZWcogNF`k{DFskS*Ero5<&?O^8o z;so|qBpmc%?%UBY4|TA&#w!{DOz~#UDTDJLsn&ImyNmJiovBAZYRu^ZFD$!^ZnaS; z0Kxm+*MQh(ePfxzweyRydu|1vY587)!W`$zs9(7Nawt6GGn|J-<+5)OUzrn)mjy2z zH#X>E5bbUp4s1khPfgB`t-Lf>cE@BDu1L})uEmu=At(fa!WMp5uiVzLodVMd<)+p9 z*L^MRc(cE!Uh=X=+dX?@#+yc{B>#+E+^*o4@>Ii**25?{D{z`NmwCFE9NifY%ai>v zyGuXGRgG7EIb}?TOEQV^pfR1;%?Tf+SRJ`QQX}zIhBYHyAvp_{HP%7@;Zbqp)4Zjb zTnhLk9t0Zrt`Nyb>_6@fTasStqm;M&;jI+DH62qDtzDNrM}`eB0}hG#p~Yd2=^?Zc zn~ehPhaOevp0xD$~%>H#Gggt)HOwAMVnW(D@v#CBLrvWto$A+!3%IWmHFaWDT`jsc8 z9B169sOPezeoL`2+S9o!elo+VbIW9UaVi=-BQJ1&im;lq-9T1txyfs|_RfS0MoY3r z#<0#d0u&?J}^LB2CNnSH=yW=S{?I?Y`nM~=ST?h0)ycNu4DZ#85N z@A(u#1h8g#jsfUDLQ1p~b_&IK()8kXJxr8rL`uUE>y(YqMVk^t!@^eHbL7w*q51xc zLhLd6GFwUPL~n}SYL0wUOXc2Z%>lYY(Wu|y>h&S$DVs#{2eF9NC=htzn)b{^4Hy?| zU;AilSp=Q)x!-NQgj?omSu*1N`5l_k^89H2!p>WVdHT+&baC&&1Vru`Akh*E}chs zbY4BtQIyFVsALRGol3T}629{tr*KLPoS6w`BFu5@cB#Vzd!s+}6Il{WlZnOAI}`*h z`{$1qdh?85(jUGg#W#{gM_zsMX=}5u%H5?uQ=|^cno^a#PW_ayqgqo!z;GzdZRC|! zqkAgU(^T{@ufjwxY4AF?gQ#Oy1CqGd$X&P@II6}=7$%J6yTw`*t6F=rb7b88jIg(Hxp-Kd5IqjD9^#Q7z435zo?dgM?t7 zC>L!>4@$<5xl>wq7NLuPl*$}^iwsxDJMU26C2-grBKw+;d@^?%LdJ|4XsJ>C_7jU? zr=oQmdvgR09?5S~xigu6u=5c@M+-bxY7pY$kq-NGKbg{czBL{_Mps$nMeS(Ga*-a& ztKu+1(lo&DoB-|&o!Qo>Np+SV(zNQ+b=K7evAZP~_Na$~PV4Z@WL&eMEwOptnMo4ReqW+y_q^^@!R+>ng*NKm@ zMYZnr@1NR?9KwO?zJrI68)a<8T;kL#C8v^7!5%Uo+KapcUx;^X(AN;3q?{JMKUCz> z!b<+!E$24n@jU5jfLgoGZ~HBgI|o^LJ>FLAxvZ*e?H0<3<}(3gDxO=blB20+X8ZWJ zJm_gO`riW7lR}J_m`%HCYab5<^SS*DI14e)M2**8zTNsml=W~~jH+Sh`)SC@vNjcs zkei|ati3;qIb5VTT+5#(^6uS^Z6o1d&oVL|Duf$bnVN{ObTud#u?h~Eh5{K`U8i#1D zW31$TZM{lt!b5MGxRd0^L$zzvoOG`k(&f!%KIBt_huot#0Xq5|g5%|_qtRbYCvaB# z3MRavg3&-nCXApepDz=fyOOV?amS#;BKya_0=82}`qX0>q)ys>WMGj5VhP=1LBK2D zi#NW=0CqfLrG{t1J?Ar^;SA$q4XE+6#Hv-Y1Lo>8JD8q)Dj>W|`NOIuZayjd`^-jJ z9Nvgb=`Kq?Z)n~!sJ#B?jClPIWIIFe>k=9m#To|Z5AKP*ppcN7^ZuZBb5~5o9?@|K z6$$?(8>PPlg%q&$TH}(eNg;|fK7S5)z-*sK_SgRa74YO+V5`=D02R}1w}1zJ=}4B+ z0p$LYd?ad$NXRG!fj(6HZ$ksCGwr+x*|>Sb(a=}jDj3{fA_q*D?wRjdzP*CLG2sI)M`;35eITAvafBdm1+!Me?$I{g8 z4*~tjt`D*-2>%voz-C1>YAr3N43X?|$sZ zyV1i1ima4ZR1p9~^xm`l(mXO*l&~!Y=K>2=g3He<{z(XAbnWkGpq;&%XEDzJDEW4*B=b`Q;y0w}U%#etwj?CLZ%jROWZ{X+d~Ae@--NaL^+9&$}ZY;aXI9MTdql0`U1sG7o^E{eO~~s;ylA zCn3zlNi_XB?=iYq1lkHvndm6I7$F76j6FGQx%yGS$~p&m2D&=*LVxT!hvVKuYh_wj z+83f}ewlH_rK#)}Io_87 z``#oBp5%?Taowvz{=h2p-f@fGj@GiDOsZRn^a^NE*mWpbCOofs`adVd9`*3(n9Q*3 z;$%Dr|GbqyO#X0q^ zfUHzviN2R^Y;X2aEPm>HD0KWTw5Gmvn6YKNLp^C+ur)5uL_lj+?aebQ9*qITeaA=Z zXWFk=ED?IecgCodK6N{s%zaM%v#HKi;cSysW%pfE8=up0f-WyQ*~w?~Wa!22G%E3# zZ%M9{>WStrxTo5BPj=;sa;2{XEhZKgiG1{Q=m)0MiLJ8Vp{}2KWfM=`^N5~K?PE*R zJYN7gMx682hAUv%GBJbv*xFYv-6OBrl?HG4u+#Q1@Lu@&%VSV2i<&}b^V$OLNX#{B zG&7ayDiZbroXV$X(MjN(9faL?spO2kxE>mf_zPih%nR|UDp8*+*bD9bgyZRbqeVgz zMt?2z(mMj`Gadtd`1)$ZR%5ro)rrFPXIuD5*QA2u{!z*12)s5wxBrRTM$jqBZoAg) zZz=LGO6LsKE--rQ@>ghy<&ak^U4kslC*x0&s+h_ zh&f!pEl^y*F=CyO7tGRe{)k?V=w9zR3i8m8m)O-#RP6t}9<%<&ye&F7Rnby!o-F!1 zrH0x!QUg17vR!*&g=T2v5qCrBnw0qkAOVT5C{?j`DkX3w(%KIEfBq!7G!m+#jUY`KdwIhrW*;sKA=uw z_`J2r#YOSql>?UPPh-;N6%h~gr@4uFnjU)GCKN?EflFnOtu(Ryyp*${U9e3h`l!P_ z8Y<{*h-93BgFkuIdiACU>~zhDbnGpRC_RDA{-7eD@^d(i%yXjXE?wT~Y^-x6%M#i` z>_s$Y6PIA#z6Rtv-&LHt<4^ygcYrw!DL`;Qc~?8^-qZTiM(0}S9ccFF@@_Hk26wb# z@CF7Ahbyxj{@aRt}AkwY&m zASqtWVs69@>ik@i15V`*KaD z!;vQm1E2MbuWveX$xT|*oWW(pe`R_D zCT9T^oi{n8{M;5YRG5<0tke`3btbIoiJAI%K5}^w;F4-ruLDk98E1tM_Ps67xU5US zwgK8x%~=lT*KI6ghpD$dkKkN9e6C~}I9G^}QxP6Y{QnQRid5K@eo_VqNf0R>+eSKe zck2;p+=A#kDY+u~$I-C<`Ut9C+IYO{*5R+%V3&JcRq=XQpegryU(#tBJ`E1}gwx?o z%5_EF>rY%3bd9b<38aX%?2gi1$M4EEg4D&`=z|12E-RvYrVEkL&5=THGaKcRP5}%?42KkvFzUzuZ7lsM zLOjXUY)mQ6Mt?a$BgB5{^QAJhedT{r#O&KPwW7*MF70v(kw*=ge7mLe}V;*-10dq>A7Cba zghqJ)Bkcy-VM#Qh)@@53{J%|w@FY0?f;>EUVS4GuFje4(K+stLF^FZpf9l3)VSMNO z43k^qceycYPBPFgW8bdaixuwVf}(2MMu;@5!!Vibd$dmoG}FId=%YM1S`V2Zi?+@u zLzke`qF-iZP3FL~rKTl^Aa_yH0{zAf8nIo-5R_kf0T~_H|2L3#ZC*bt+4!_Rl#U<% zN>-~nQT>wu@$KcMshB>3K$c<0w9ZDJZ%IO+$JPMH{B*!i+(zo#Uo*@SLFMyVSwB~G z?G>3QmtPZ}$!vzSZ8Kw>Pkkey9eF4jK3%rQ^!SZ>|5nNO3c%DVg{MJjUv5f?GBJcP z+k#_cm{{O>Ij+S1Yoen+9_^)ZEYVK@I1w@Q*ni|ms3XKblo{(uG(}|x^1}dfidscY zyJD9E^It~pKYs$eV?!M@c=^q>`Y2WB4Cph1xw~J{;zWdN#|$!bXjNO-656jg6BIHdd;UfKH5uGe`Zu2|Hxoyd^@iM{@mutS=f_zS+H zFQY4xVasMPS5k^#qaY7X-&0uKI+PE@sEe4?yc}iGj8!U^Bmr2YO?1A|pHtL=5!V&Y z3c5a2``PLEcFN*-R-_Z`dp)lm{4p(S&ii|6Gi1VbW@XB8*l-Ew=@mA~Wa`%`avVU} z&Ir3?B{0{1C(7t*pQv#=&d$JIJ)wTG0NCQ~c~a|O#EpE>jEG813u>NpJkn?s z6kg0moBFXESJ$osNSMeLw(C=#rQzO%^wHWBYu2(-g?MXxUaYd4jVlcjCkutl_qVZ_ zYo*JzT#k}%PY8vpwPB>ORTg!UQ_FcPX_VfJqk68jUM(QXU|gsiw|`HKg!Hq>adE(E zGo3j1DShKtz|a-_QVX?}^UQxvD9F zTDZI0~V%bhID)tk_jQSyDzbhdU33yvp}DtP97`ds5^dw549!r_Cq1mhRID34Amx zTS`@D_VqR_IdZLJ;Byom$%ET&di518YwZT8mEMWP?@c%$9RXs;aahy0=r-AnU$`mJ zg{g1bzlFN)?an8;=i})iOs!401fnmQG`btauCZ1bf!&b&$^OGYx>&+25YzTmu95+yPLn?0s#Pt z099fRs>3Zb@ZqW}uGA#r@Mk;=876q7(1AkcuPi1#5+?k2}x0s;%MRPUldCP^L3cb$c|?v-6+C$ zwFz5!L8);Jbp!u!CY0cFy|@Xjm>U5lO6A^yu*TB0Y2?Dy!OPhkD_r*#Oq-}`zY6=L z6lYRzw4G^j+e^J;lj$i34}6lQjLL6C4l{P2zTx^t5B2&vP|@K)$P7UNjgTlkVr7s@ zMPhYTz`iwC6M+ev7u)}BUOW>}VAI0tiHYsH5#$meIm#r&ztOL{U0deb`nH(_w3|9L zAv^aBAF$%pJF}HpW0CCPNbTZ~0;7O~grGxWq5|2D2T2J{*mMm9Nz3^zxHM)cf^H=l zEcsT1*?V9Lma~0bf*=yjNTwBze*2O-pj=`G{lT{RS5UQ#78z$Wc`H~4ylpi05%w)g zJMXfj{XLvq3n|f%;@gh%a=otK|8f|$m3lUn_TVda2OBk7!bCJ;QqJl(v0%reIH%tA{T>(;=sL1@%(sIrl{y_fFO!giHhL-1iaaav>`HGB{EZ|eVFar2Qhd^1!PtU1 zZ_KSz$;l@bZ+F<>pWv$U^xquXzLzyGiH=Gq(hzQ)nh^_h{P}Pw>PzkvIWaRMQj5S< zEI<49xY^($CbCxb-SFjjvrQ@INUbl+^r?xNiWCe+`eA;Ei<{eQV2a##j&5VM;SD92 z^Sp97`5j8{crHNto{idk{hXW{la%kHJdm7!C^7tV&xHfI`5Q-W;3H5HfWjE7mrIBu z^ggu+f5blnsc<6>kP2U9jntsSwvEKdgBT#pj(u|9Y09=nGx|zT&uiC?K3`9E~XqfgiHsE`#C{j@W{z5Nq&%G08Jt(8KE^u#|c527xDs^`=SczKz6`eVy%Eio| zJXZyG3M}!GY}v2koga=#X75Z@>BQhH>9SusR5lu|><_%#?6HAqa2?y*x;kX8`2d6Z zvK6YYf9>pK6K`y#v!}*;l4Z0WwE>hSa&>+fP4Bcil+|Ifh`!XZ!g8p5b0I5xg`U|A z6mASowoQao%fR{-=Yulwz-cE6AdF2h(0yXCILBpLi_*ndOpRBZ1(k@fl#tZw{mK1w zs@beMY5l5)pZrw6I^}yROvb}sbsi2NJ4ON$Jg&K`hEu2es>zxof1>}2D;ZRjA397A zI(7ke_3uoAN$mrn@s%KqqP~YQw8xCU3$f8>tTvS#6{xj(GLH*9VAi+JxWDE#7;@tm zo!@o+R~MsgswQeqMK@eUkW{A?e4%pZJBD5Io~~`majwoNrLw9+#r&ginLMkHN7UG) zV)^rf1Qts)><7@yJHgD{F~(P4#o^;$bRNaPnehW*oNZ8u$c=Y(+`!7;+Q@i>Z}yu! zc=*rNv{3gXerMtC;zKDrT+FL%_X}Hv%_EWTn8aVA3p+GtgAHD<`OoG0JtrWoQ5y){ zu1Z+sPjx3%t3STvf^{f1<3CNdx7E#mIS$JZL|2Yh=-es^ zE_q`$1zO}k=~)KdiC63$NYx+rc4~jK)iX-DsN_vq)CROR&$GF!E})Z24+f>F(@oR$ ztSKmM^D?hCF83cbk~HJZd9qb?=Px>K&9p7xR0)1h_=qK$IUzW0WX^hru&O_ zvD#5A%5VJ^x0l`!+zWBFo9EOC@a)ZPFg30_5R-7c^S4uZ`IdiZ7nW|ryzH<>f}kk`N4b%fHbJpL&FNS zXq4Y5h7YqbI}oFUn`PAWf?j+4h}pO7)PI}bqvFcS)5E@Zr#-+I`iVMZFPgA50*I=J zL~z)1R>%NjN7SFcn85+@T#1@V1=OF}&D4T-Kz4_q*i)GHJBUW20^hesqWguXtkkPv z4&M(<9NIvsDCw!>S>}i`x|DBw_}#AO^Hpu4mD2OzTgl)vVGirYMJ-_X`0E5K8YxRy z{8=a6N419~lY6nxD9rh~;v|BQ^!mNPtuF4qtqh(bNcd+i3bt_uKD^9GIvDCp_0Sh~ zw5&_R=E6;f(#|29%J5W7DD_(ex_ZDbfg{;~)jE;Ans+_h;0dt_pdXsmwxRQX(+xa! zK3Lgs0tCu)HRewnA;Sr$skQx>EX+|Ody-*bpy!xY;eB)L-mBs_#f2}Rxkv5l`@7O| zGC9!S?tA2`r+^Hr`G2G*v}}xLskC<(?*05HX}IO0lb5;P8b5^gv0OB`<#w#W`Ag*7l1s|%r48=ySwIeMO~8sbv8sAcHdbaA43a^5yL_$*=94BcEU7yYYrzrk%gr@d0#L$xjrypn^=r$Pe8d+7DT1C;y>n0B~$8)^V3DKO%N-3 z>;|f=<7vXFF5a!9bUn9E0FojRATK`=#pf;at@U-HbuZInq7;yT+R9b4zX{R|V+(7( z8|AYB`t*g5Ws{0wS*n{AV4E@=sb)i9P8{gt>}Kd^&Q$@cvO#*kK-WixQ7|aI4tMCNKxst39Nv= zP4^Q4G{&$7+2m}AnT$?HfpLFYw#9GN^yrMzV=%KqJF1Zqd*+&L2lZF7fQgec2lr+Hq(#MLx!I5!S{_u z-e~OiiID_G|6*F0Z7mTv^D#lv{D0x7AwjLBMI@&j--q~@V$Z=&I;zS$)>K% zfIkyJbaiW;pxJV`(2)wv>z$-Gf{=FfGZRhnUE@ARDu`Lvd<0j!u0Y2NlAzZEwzDjO z^<%{d{Ea?_`^L8Be}orM$pG4UBh=eVY#9CO-twIebe^jJwORg1+X(r=@)Srb58!Gs zuAS}W=$>~`&Rb{%fGPDE4izBT+flcBlB}TW6Z`D*v)J*&53eq-zrU_`%u%!BP8i~{ zjAL_8N2PDo@U*CL<*`^Q%dg_Mz-udM3Rn+Ud(ERwE8~(`98Q~^%(21;=lgP`-*2>*|r>=YJW+#Z0L24$$2;2QP|4?Ml@CnZ2ziu)!6 zI21b{2d=DC1-3Jz(vg&ruC~oh9qRf~1|vG*mw4{TJ)sbgePzZv=E%jhJFmyD@A@7u z-6iwGZO14INY)sH>%Hf-815UfyW!7#LWwdk-=<4N17)IfROAheSQDKDt0N=C+e;u7;^U0YkY zt{U>^6}SHZ9`m<9+~3~s1mIr}Y?aEo66;?!{~KkIEeGg3&b{@>gF&Ya7@hZ0v{on= zs3@slh)awH1Y-D8FHvzNuEdszcUF)x^nGh&n7d`I5~}@NC2*%~;UL4N)JmEvlEP+{ zajiKee3D|*s5p%oUuvv)G->vcS=AhQ!rJ~R><`0U6m7*{*%B)(eoa>!C!=qCW&Ay? zuZ&cZTO(|5j@v<~aVqIMP2_ZBF)RMgq_|11cwA4EkyZAcBzO?i__!ecc&MBPA2~(dVc}DcuOZ4HQB^*oZUbO3dc_csjC6R zJ`7CEqZd+Hg>qTcoT}~q_fiKZ&I?_5Ma)+sCHVE{suN?7oS~2|t!|naANtoe?mu}= zkm8)qAQUr%a#9(0iU^oRUpKZRbn8C%WsnalwHVMJj}nGob$ndlJz2$T_$gHRSz5`N zg4D9)_FW7y4TnZo#>jf$B6(!B3>7&-#ifVO1`GBKOHn8SP3Nq) zjQRN$Be|2(zBi=4nVH zi^Fy0x>McEuEmYHz0i|XoEy5mibsuue*Op-UtKjwSbt2Vs_dxqQV~~6h33Weude+x zA0?_cZ^@r&8@Q?=FLYvXJaQp`EeWc!oy@~!XT6C-Hazz$Mr>r(uevVfGKXh0Y+j7V zV`cqjYpd(Ht%A7s?n-mc^eB+uF!?U=D=lSsh7K%c!g7-Od6#S2@FMyw@Wssamv3I?Q(n-AO-B49>w1MQ?*{$qc=3~%i3o+F@C-@nC8V5VrmyV z9zu;%N)EFwEGH!S)pJ-f?_|G@4(-UJSuTAp6^aYNzieHmqoDsoc>=w>X-OYS$1-@z zLC#^nw(O8tPb&&2pI58TW-c6ES~u(>)}l5>k|VsD7rZ3+^r>WeRD^=KEuM}y$yyI> zxzq5Zy7xV@TUfk|+er&r$FciKuoc->57`yflz1%8+8ci;+=}l8ND_*-s6> zZhC{z7^7^v!!}->bjf{fGa*Iw^g1tHrcyADaw^Q4nb04-VO=JUhQp)S2BmSm-_}d4 z41Euy4ib-?b}|D+RN3yW28-cSHfGQ}`W2?EtSI#L_QnX&t{Rr|X4<@nwm0jw2#we+ zI$E_Hs~N_7uB8PnR1n|mNWM~HmO-WcAjH~M#&ciOQqr);o~}5T?*cEc{9Ih_pi7XO zT%Yfi?`m+6|9n#Hy-8iRB5}IglRu##cvO?`?G%TfIz(s)v3&Nz!oLqGa!;fG&weX9 z9?8#>)#wnvXL5Tv91GIxcux5Ww_O(#Ea$A1VI0d zizyzFjD~s&V_&-KEuz-UkNujgr7>XT2o8umsU!P3(n(jF#Y!Tce(!WyoZ=$*|?Q-N)9}Gu+t{y)}21B^t*8BcZj$|#c1UTH2OdM`W`^Vr27f7 z9@+v*BI4bQb|5qzxkq3)L%AeBVB7#6wja$mn? z!t`k1F_M<{oe& zwKo!%XaYSh2}#OteBOo6iim6dARzh0u!n!g8i4|i++Xr1oKbd94@ZDgbVB=}YobIXWrePZ)XlD&(m;MfwkV)_z z3dc`X#V5fT>Wfkx)MHVE!*+Cix}o@MoCKiLO5B}IH$F;n{sPj|OS>Rt z>ow5kLFjWeN6JQHpQ5SEARw`1JMXPF_m;GL}cUkKRO0sysA8#YHB;PX(hc`2x<(U$$ zd3f6;Kg?eh)3++{X_+PKVfHiBj?FAv=0|Jo@38!>BufP~P0r5_JXE3wP54OSZ!)e= zJmU%@B{Am3Hmv1JvkiD|mEPYfBe>IIeG3mp2w;enJ)P43W>C^bAnOf%r`jYk*n zY)EcNl#=)yp~Ww@VPdbH3gIJ#_#BPAcAoNARFF6VT&c1=JQ6H%^i*N9<}ksHOKHm-uR^noF~4$2xF!=;3bYF|NK$Mwvs zm<3$v)8`^mydUmvt%XOmagEj+Go(y4nY=(!ogr0h-%%p^w3Fc7cb(hwsXu4-e2~Vn zNm8ge67^9$ywn^+|A?PQ3MlsVNLP+m*=X2?Uzk0}l5eQu?EZ1n7?##*kj^o}O3b&zAV?M=rP_lTkgEJgmDSa`ir2IaNg_Jl)}_#Q+~#M z&TuIvhwK`*WfmKf_3N}w5QkP|s0#jqRmal&=3Kkb!gt)EuCW=5Nb=hL2pC`Ujs}*( zgONoDbe4v@I3({W7w9f=eoYBSd`pgHwY5K{wZ{1d>a40waeI#25G;cVG4qeLBj!)i z>xF1BmT>sqQSMy+>9)<2^h|%0FU&y7Fj%l(tF?SE?%89%-;0th0qpC_?>>V?ZwONU z+Ls4^+$X~Ya5#A=zxtgSQF7@vWDqgP%)Oq)IAD{xrq}5nqld=y15*HA zP0*$({49pp6sI*WN@^t+z7U;GcBCk!jE)tLgkyFE)CA zFS zcBUzu7=qIHY60(B@vVH0SR4A3_cHFIsuCAZ z2YAAXp>`3HIyU`lwR7|LgwlDF+Mc7-Z?E;&7T)piVhXqQCnf;V;K6&s1ZHa$WYx7V z3;vxgBf+4XA+LvqON(b^w)7s#-J}K@&1RGlGW+Ij^J#8H6Qu>AYIN=|!%zh!g*he` z)}rH|P6od^4)wsKG!RKs$tFHw=A1b_`F2i2`ShzNmeiURT^q$UDX3gatg`Bk_SJo- zF?Dw7+jeI+3e(!%8u1N1s2~i?SnAaLqG&D==ldo~r^9*YOCV?Cdd>s?1u{*0iS);S zqgG!maLJS1#R*9c&vf4EawnxWK8St1-Ejk|<~6TjnI5l+E1HYxC+8u0c0R!&y)8H? z&~ZFsD(-@cQh5_1S596fDl2o^*e7R8yIdv59eWEeH$o(K?P=c6FEgaVZG=7C8fI31 zYkd2s)WV8YNYvzzuHH?J^uIjvZuXba%zd2dLne^WL|#a}^aGPfWBeci1#Jg)HgQM1 zvtxoX`LxU?86x#%zy8J~KY!#@a9>?ry#mD1_ZMqz-A;#6`e=gS@)sjFneA&Q8FAGk zUT@}WhAggL#b~g-DlBv6&K`|boD;l%5Sfl~w5Y89$`Po0vn28FSyLAeWk=lg^P_fX zPW=gOTsNuY@VxZK3IZR=3UWZ5-{NC?#KP=&v^8o>OwVxCwL_XOy~`Nv5_t7b_`$=w zeLaC+Jy_Jc*I({A1UbHbWH+LBU32M+Nx?YI8BRMfG@})Y;Ec6$`ZOD&OO1G5;7?O> zoZjEUFKzNo+^n}cLC8h;bvYN9m*+J2<4pKEcO9-YlsDQUW)Fixl1)>gquA0yDk??? zV?t7j^Fn--VKlV)DMvF$jrNPwODC5X_$09xB+-g=aoxi_>gBYyzn$YgC`cX<x58H*5pBRX+IU72<*R>ziFlEB z0@EhMM{m4i#REyK@*ZP=;1|4IK=XgCO&oYn0PX+KOy|e?3F z?rUD^S~ap8Q~Ps-j+)Pv0#k{N(lcSl657$>D%&8!iT&AH)SEqXd)36zSf;`FpPl^~ z4Sa86U0&mpT+eub@Dr05%-noOf)%fX*}lK^^NpVIQCf{!#6p9fNt>YF_mRdvKj9m2 zG_v7cPLsu@Ye%996x$}sV4)i}=&;144xQ6#%1|l8snnhq>QBs|xGd6Lc`+s5NPqb{ zht?SWE0qb018WNH{0nkUzPKyDLi9iPB6MqzEB6(1PMPsd`z8+AH25E9;+V{RxM$ z1Po@O^5?(jnGy4ma!oM5D%mP+dA-%(&|*Y2a#+4gA&x*m;Z+efV1D85f4TKsoF;4G zdH0}ext&>Di3O=Pnu( zx?%SLz&^jR`lfb?G3bKi#Lc>EIg0@I=V77H9xzWZ}zeE;gQ{O>t$e{uW#x6m|yj5o~TJ^N5hFk$3bfTCwG!W zCL33@y|+YMLuonQHFtR{uI;5=^M5Y*eSnu$y3A)};S{p1LSs{NM_`!W9f5PmNBjD- zP0b(#4p`@X%63{?%;w;elpb4&Eq-3J+f|&{Zo$3W&^XD(Uzo0c)&T5vK-$tXCkJi| z0#62HjQ(L5-HiSrkR~BGF%$Kahczl2uLCn-`;NwkSeUc zJwKy~a*|}784=7oExFN~i@@889MrXFd1mVEsosokJ*4q#7Keio{#$gg>E6EGo3QJO zcIVL*oAu#m@<@~vyx4Mt7zN*RUEIlv-LYdio%a|`eQA+C*{JwvTWzU{ra(Kc38R@3 zRXtMYH&j@CdYw%Rn{e#qjiw)Uz0a^2e0K48I+99X0Ch>No3x0D7c&hLA$%Fa6I1V4 zd6|A%!gqoTU=I<0>(&hQ8IsuEYBT`?gI|c(IwBtx9q1@Sn#KA!Hs1QrJRo&DWbb$C z08x26`cEM16ZPDCd(V9&LVVxOY0w$&wxLw9NU3N+dFAN^TKK2WJUMU!dqyWb*2y#+Pfo@3c6~S& zZZir5r8GsbO5^g4+`}(P{hzDYCTQGmxZJ3eW+7q9#^ahz1h)~#NaczO8*pgu{c(K@Y$e0n_6j#0{R{5 z*~fa=6XNd3;k#2Tkwu+e<^B}5i)H=-mhnHtWa;IqcNaNk4atu<2snq|t5Q<&v zsOx`b35bnt-<~PN`=&+@^#OBseWzIG09ALfk;V&Dg>& zk*I02QP>zs_Pz5Oz;=V_Z_D$i0v2ty4|S5u=MRX$8x9}k)mBz0eFH9Sno4@juwv~> zJrAGdks{NY?Z5NcI6F51YWEo>1u-f7Fbw1}GX>H4QHX!18v2Uxvu?hvS*? zu~=~lex?&5P}0$@L<82tH4W$c_$k4ZJq7Tg zB1`X|F+Vrf&1czuh@(im(B0!WA(l8ehP+J&5u%cmIq&!#HTKMEiuPeG!i!T6i07@_ zfJ?XO$q;0(&M|dBELq4!K(Xx9`90hB>W3vn5U)!H4oMvAFN=1M(rzy>*B&@7OJ45# zBD2i+k3oYgWj0+{wLmN*w#?}#jH?^ci?{D1dBW6eIl2+j&m=>IzH@~_Ztm0MJ-z7% zT$QWeHo&w?S48>(VG(Va!z|z!BL-aC&!Np~)fv}L`0={(w%x?3sp%)2*7KSS96AQ- z^R77rmlaCk-ojytNX7Nk!H7emv)~~-(E^kpZzM}Vx;3oV8m$K3h&`DkM1qk-qHqLo zhPC;Il$3<`4?9Z+gM7ayu%lGFls*id=~3Xz$=x#R?34>0y#R?B9HGXCY5n4zJbZ-R zR5N8;4m>hAQvjh^p=#*e-rdmU%o|;S!zluXrOACpcHV1PS}Jf!wcp#4u;^g!xDMeK zs_hVO7%%6i2>W!9lwG{=F-L5hxnhR}Eh}M95nJ(gA>-ze0P5OfgixyP5GGW#2yEc9 zAw&yCWC(<`YHNaoRjQx&Iw7(D5pw)DFctOcA|Qmw56Pk?2Zm1ySlT6b*W?%HK~R@{MB~q;k1GfNK(pX1DVUDB`|voC|3s)di!fdO zGj3t&{hba2XR{1iMnExg|L>gGcwIvd4JQIMFE0w34r5gOx66rfUea64Brqi)6(~XB zaHuf2>SSPBZtM_KhWOL)sO;|TWztiUW0QSNZ2-~i9UtI7iFrm2w%wP&7cl@Uz#_QE zz=HmYb74B&XZMV$ABgY-Qlth$%FhQU_ns~~EWC${XKMcm%@-@7N%hHL;QWC@2FqUN zzJm`6hE0FdPvlzswuL~ED%jNGP$xgH9 ze-W&4<^-X$7~cdDVOMM&?P!smZ_e6v%ETgN-6bAAK-BPl7{Yh5K?n!==^DWz_A%9J9@MtZ2c0LAUc^e5~m6g+O9rDcvNdK4;-A zv?NE>{A1-6GK>`4ckpO&D6A5;I85yQ00iqK<6xl&)z-RmB7+S&3 z{xDYHDV->fVQb(Ri36+GgcOWNA}s5Cog|`Rbmfgb$m>xkk8Cdm86;veQ8c`~2 zb>;#M5$m`h25eM#!HXsHoG+?l&$mJ?Dx^tP}O$=)#U9?>;(z zv2=SdExf(K`68^l23Iu@pZSb=C5Xo#U5yiRwcPG)AzG`?m&G+#FdkP(znQ6^(_%Ln zc%c*b!eHKAFW5K01ljC=2cw+v*CtRdm7CQWNUkoxB0()?dVBFD;iyDCM_jNT!RAOT z*mkH8{EYF5HBfHA?&om5ygl>s48{)HEIJ&r>_4OYsddqXme^i-QsBBrx zJ%7LI)2JZl2^_`kgMnb0V*OaaUeYyurTJtJ^VJc2C@tKhVYAbat9R1)$2P9M160l> z>*R_M_@@8G*;|HX)i&S5Hv-cy)@#Bmg+7J7gGm_^59pFf z()?JM2W_*~jb7hdhyT!mCM2Ty$QeW7bez>NIWpz{ZB2BR^3&#-{l5BY>OdlBo4SZ0 z{1l7(6Z^BAi;B!ej7F!y(QVF$Ch&*K?<{tWko}%9ZoO%jMxM55^=z$X@P%Qsv%SZt z4aRB#VfM@W&UKb!>SR7Kw(j%?{`59w*@u7TwkCNEVjT2;D7x&jC!KK;)hR!V5cyjMYJn7EylHgj4q9s0_>Mey!FzrztQEiL@@6_RUt$$?2bc(?AQe zl4CGIrN8csYq0X%d0iDYbI<@aDbpc&>ogjToA8kce*PYiL6-K0gilmeEp4E4X~T!2 zrDa%8`Nq~+c4=Vdy?*}$El)c7z>O@UA47|$aBS|;>1V&TETe>LsurBG z;pqr%_8pQlta<(BBFN4T^TrYxwqFt|mo&*7gLIsrA}Vft{+HYs1wJZentDqUVS`q1zc z{pm`qpq)e-1#S5bOnwmjU>zKob;wyS+yt@~7cCpJGpgkA5jFMw11sK7T>6%!d~Qf? z+v`HVz9=_u^gfIq-Ngv9J3-E&K6=WOD0w zldA^5Jh?Ub#p**jU($WZv`+-L3)u~cnSejTHg>rF!ovJ3-mv-vG!t@JS=Vr57R14; zDO)=mCNXdPusW!Dk5_YIJ~t+}=}BYtYpQg{6m545vf-XpSDx#pP`EAkj&Cd1@Q%5K zJxnh5YTE87qj`cB>QAXiG2@LSIZzVQ{JNlXLi%Lx->$aMD+-0-f4ka6K4&p#;UuJ? zpC}!{@|gNcP8AT3Q(#tt&wZFoCk7^=+w!FT9wbLZ_Ar|^+xE5QkhMDClE2$Fx;`xg z^Qk>V^juJ8F3Q~+H}Pd7M4K=1YCGeHtXSd;^WKOD%F-& zE^GYHIE0(%Ky$|CTD;*H{ghbhvF`VAp3AaAw>6fTxS%a5Bs*rHyix`VtjMGMS-UN^ zVe4PTuWF3`Tk*r@wA~rOn5_2a4@}nBZR(1>2HN3QiO!0dDX2Uns?BEyYSg?;Bln_4 zZ{6ZHrV=zm>A3-8mEWDGf9!v!!~TVYOG@(TbKklFAdpOZxT0QHxCJJRQ_Qt{@oH5+ zK}$7_sc4aCFxi(H-rAVUa%v`(D;32vDHn=hee;?rABGQcnu~vwbM_kc8a*`}S*a_x zoA2@dfzy$QdPoE6n@O{X#s@%#2R`}Fp?qz2FtePACshs{%uk7GeqTa2zgovvjW(e# zYp`d+)6JcYZWpqhT-0j)98kH~_WL4bvhStJuA8_mS^h9oA7A;6kFO4@iqL6%|9kjY zsy^s&bK{$Y`2?&k>`E?s^iBKoyr#Cdh|C;eNpi*qD8XY70bT%xMp{0`fZ0>Xt- z-8J5CD*@LeUQ!pG+SS&NxGU3<<@F;Zyhu<1DW7S=>j zyLu`_1N4kcPl+Fv=fRfTT&O=5ybdAn2=az20R^ zm=-b^V)zHKKkU&Dm)4)jKPsL~C)cOsopAh4{M~l?2SPi&FfuRda+fGFxXnKOFwp7Y zTD(+HXYcvHxe*P}w3vb8z;=4;W?+P3cRd~-AXVKGh9T9Q=Gw2gu60b@hUZ^Zq1#YB zLDNkp35Biun*obF_{aJgVIu&SQK#Robz-I^-o}t9ZcHDR2-z+Y?d27{Nsq-YGwH#+UqT;=>vt^7M6IlDgfepY9pv|6T^K0&b@B%VZCPa~B?cd0|- zCmKy+*YZ$rtiWYG(LVTx^k@c4j~V4f_?gSEa6}>Lnosi*Uxwa~wOU_VFDVULPK_My zBstO@@7~h3RHoLh^sz-<_E&Fnin(m@2o10ebMh7AtzY_EhbXMEzh3{~vd@E+*T=Zq z$TDF&o;t*2E5_w?tnyF<27w~*@3I88{XOcp5c?rkr_^O{9~Iy6Qx@I>AZgA(Jf@bRk=vvLWRz(KZs< ztjrn6$kX+dv8A;HQMJa;s&c+U--y`f zGLXA@oyP+QCjOlKOaQazOwHzdU32Wc7uDWMd$Fi99w!t%B)&~zvWcK$Hk?&Ltu^+~ z>*C;bskGK&&iE43@L)Gvl~ILgIJNozZqrGIRTRO&XaK8GO2RZ%-LQ!!pe$Gw#UpG$ z*|C1T$h~?a{f-C&kNkBiZJMC@YG?DtjCrdu7v;|qm(})@d1hh;{5SNMJdR&@47X1c zr9|E7lt04W{d*6pa1Pq8o9!B1RK(GhU3Rn-_#p9DY__o7E@FmAlMkD6cwoa_{&LBX zhk@_%AU5-xf@Zs@x3#3233tFV`v%9$S#^kQc^b5@wOU`-?z1(r5%9g@wA30L z*nYbcnqwOpw%y^>2&qEabyF}JxUF@%<*FF|H%R+O4lVN7{e9^rAgH5owQ0o!x(nFm z7BBwl|5H-EQqv;Aw0|$eTFQ6-PPUB(qs}J-*%R^ z?WwtZw4UU8?s}Ud+Ys0Tyh+#aI^*l9Sm&|VY90vwR_ihTZ~kgvYf*!_Svc&DNe83&gPIZ`cymJbqF^4xcvZiG&(Hp7?6 z;HCG9eQY_8=D;Dg*t`8$#z^-w9)sMG?UMMwV%&TgS&0;l|!|AvT$& z>L1$@f1PD8Yee(9g9nH5`xh`$-L`j$5(cru-k809_p() z^=E|-+ePkRo&CMM)6 zYlYri=S#iyx`nCWFDuLvrGLqJEtT(lIdrzK3I0}|vlqIjL9e;I?EED;D0e)yF>I@^ zj*PuT+o2H1ZJ)ptIYm6EcxW0&cdSIgZ*#YeSjog!o9ewI4MDFS%eZc7cEMW4K`OGg!-wnV$b9A!a|bp z_=M%(#o@4p3csez(OS~QEkbWf)8(iK-$a4ytJZvQAJBYz^TUEBDz0B*d-K|P*sjNK z;=|5052OzGccjrEnCR)AM36@aD`P>T+EXSo1Kk({VqjMS_ADL>m~X+VFUuo96Bx!1 z33OH*UmX#C5-v$lr(y`VWX zJEns}h+9(3%;&N`Ej3&rl$_|eFQF=O{~$-A85Z%JWUiIi}8~)9qvzuARJV=x7PS!|ou$+3%b5e-oGt8Rr=UoCtA{GYy76 zA87zLO_zeLoUctd?}*5^@v5#*`(3(bSiQAESs}&Y$SZfb}gKcuVDUxFu0X9cD?=d{0e-om?9G z)U{q6*Y9s!eXclle%6{?@4J_-$MswEdS8!{QsX7o?(LtBAjEq^8hfeV#CP zNQQZrrsbCO1Bquv3DF**s0z@;@HX&ahT(XX=8*b@S31KUxWwjn>xeS-%(cl#cK0t& z_%`?kI1y&MEd>H59RZQYXj8ChEzkgNLc+yIs}$ggnNz?M_oe73QvgR89$6GcE8oX zOKGI{tjW8&(>}&$Hlil<&y;;7ZJTV+ zABiE*&^+7XM%(il95rEIjhC^9DPKk-sn+)TC|T)!jZvrLiIlBJN`UpTPc0@iyutRP zDC4s(_j_kUrIOn`^~N}3+-fKZhn6`l#*_ueUZ4~m&E##_pgdBuDA;q4!FlHCxbtFe3muPbW#;opw&hyN?-@~ zJPnzh%v6n*Gq9rr>|5Fl-TGjjfCXBeYNA zjKwN^&Tx6N2Fs>@zvjy({ybwo-C{F|PI*!bO$f7PT3XpP{GO4;>wH;3b)ge=6|6UU z0%`lEEw$9^9+N7WR_N&X2hKL{2Rge(JiG#`nnDQDuwX^a%)X2LdECw|mXGlPGfDgo zvb5HAj6Vea+Jn}zo~FJz#~;Z#jl8fQE#d_W6yuWz;pXc=*omTh%IVTfZN2F#YPr7w{>@Rs#l~`7PZf`o_44w0Cmq5g zw)(px|C+ZZJ$JvTnaI*N9baG#E{{ z@Qe?KKC;@~VNIPd)sue!I5d|m7l0< zm<>>jlXO2@1Z0xCdK|YFYhBCNa0R*E4Q;nVz=&l>9=;>;M#nPBY?gWJWjlPn%I4w0 zU}OIm1W#~&;*ZP|MZIxe^fIYyzU9&bGD4O$LO6Zsn8E0d6dH;Cd5J65xC8o+E2YC;r4 zZuA0sD#DGAGjBhH(&f4DyxU#m>_f(kh&8!POu|Nbsd}yzgWRTu)85?4xHyhCYJ`{p zY$%g*DUH*aC0wzz81OXp8#JAY(D)f0O1~Z9uzLG5D2Dg-R54lUu=bf3P06W^1S^7W zv-i}!U(13YCvUnsD*pbjf5MK3C;634TsF#?+db8PB26<#WEckjuyC842y;hE{E}W zi`MhS>S_hX;vbGTto;xK&#d{1)9Ul1?uf`FTJ#w!YM zCF(1|?#-48U*-t3lW{JRy-ri503>z)7BBo>V*mo|nXP*+vCAVK-97p7wpMxDW;L0S1Lh|tt5d+Y0@!KCwWvr5f$ z&&rrf_p?Wu&^v|7P_6CGJMGGjm2f;<53=zS|Nl7RAF1cN(!w5{c$YV6onZk;jP^eS z;~xE5V{-XbmijW19n)16g{+@z-3dL<(aLepsqd*p$0Q~rU9&m`A!{01d{yTe z33pU(KuPmWyChhfi&Fdk*RBvvj+8YbKl&#Ge7F=$o%9xxMat%lAa|6sr~p?P>-dxz z6y1sqB$jkR?3UEcY!V*7Q}XwgR5d2Jtf~%*gCP?$`D|;|WEbcQ=A2%MQ_M@_y*B9w z!m3RBIr1F$+SW+vo>v}MDql2Y-+!!=fV8DyiA$LKxRmsJ1z8*ZHsVidJqpQ5i@>tq z*DD?g$9ziz@uC(UznoXQ=)@apLTAf{|5o|3S z9{KV(>TR{yX2M0FLf*+V=wI-6Me$;-@f6<`Rh@DVrj2d5g;rBdm~^2e5Ty(Lpq{zi zF}7*Pe=(dAI3BX%lt*^$!T1{2BTo0|TsK&4bce|ITKQz|#dHcYlpM&8HbR!Gc%TrW zF*@Z;`Ws2VYceTEc;P2_tQtMOA3ai4iK^D#7bO(8btxlLc{BxSFeY?`_L`0=u8cNT zQO^_H22#b@`}^8!UM*geO}v71ocFGA#D^ijeWV0)A3C|&FiaibO#2Vc^qZ0_a&~3? zox1P}Toxvj{3v8v%#AgjA{c}%75}bv;#WT?35s9Ez>AA_tJEwL58TCku71hWH~ZqvA8e^*{+2F@0LF7H#1Ja@-eh*T+ zgi3K`nYdx%IoIW?+P(PvT$!fVzYZq$5SYwQGQ4oZc5VuAiZ3G}mL_pY{oS1i2gk@+J zxabAWpG_?`1kZUU-XWPP$cOOLWtx zZ@h4&RYBo9ae5(Bwxw=S|3RckS(B>ZV1$(l()?CV8SMBPbdckj1Me|O;Qg804(4<`E ztMhK*X;6puC$O>)-;DJ_oVB$1{M`MF&aU8ujnIJc&Bp0F3~^TDdb#>chM7AF#oHih z>gDplRsA=sqj@8-H9C)R8MU)U#hFYYT&Oz}L=5ro-uW1wqVq3#`jIJLg%IY9iz!| zG@J4in;=D#kEuFdhr}@1tr7n``aKi)nv!%)GU00?r?txawVf%O$(v5xo1>Xeg;!_D zFZBc#=E?XU)yz7YORBn@?X{VQsJ(JSI@$G++TE*Qbugge<;(gI^=lP}-XL7QQjEed zq{?j0zdY*$SG*rMy7sWc`bKXSWB}OF#en63>U8vE1CGz8UxY|eO|&qSPo>Frx3OOV z%u$Gp3AOqlrL;}krDKy*9YUNVT+GxRjtOd?jK!M$nPWQc#_be^U7&ilaovSQ=Zz%hbi-zu` z)+6pVoV3KJxGSze1^G!XxJ^XENIJd6$#icr!y=cI0=Y+SVsfy(_J*nvlReZvW?&cG zmfDlxzERDy-8{8I#{OCRPvNLB(~sT>0yrqj4%nwE#_y1IQ{11XIWnkvMR!^v_lkeh z;Y#vaqtgBL-_Qj`=_2(cq)r#Ky;GW|*W#hA`e zd&2zAS>2{5GdS8-g0;(;-=$2s@gRrt^h5{*H%bQTutLb$x$b?lrsWKz(W9~U$IU^G z#mPf_n}D4$?YtwW&OCLxolD|*B7%%8izrPwkY9ZyYS$iEnD~k@0DVYtr zJlzY40LZII_sdV7o9>pw`7H15%W$v*N)7g~WmrWDv%7Qn62@Q4ZV56$b)K*|9N@!+ zaH#NVCUyCXSrxqRzgB$Ao^xYMAJz$y+&@(0gfKixL3b47F5{1sAD4=AZS!qjnlbwQ z_-lbR$++;BETy^=oR!2?=vhxcb#yicEv0M3MLhl$z#^V|-^0&g&-Hkj8?VJ&c}2nB zFA{Ip2LmmU`BgPyRpnC)^F4zUf6_KP0zIm&NaOHBcict?R;O|@p3Afpb#3xx_s7?Q zmDSBy(1i+f#qGfIqTq8&mD@%b9`)78Xel6hDOP+(K4%V4C{%!MAg&ojn)m#BIs+!c zhjlmaR-ZRgV@*yC78iDHpL|eN_&n756nR-z6kP$L3QV-q_VAR9+c$OH3~DV;^(dm5u~!8m&?UJh znF$X=IHgL%y^)IsX8h%A)Ya`6T4% ze82ggk6JqUHTxo;=|q{nsO`oOMOss{)8iEFyU|TT2%pD>9eDOUVOPR+HmE?aW92^i zYn4J@M|ntFLxx|@cLXorkYA&5bOcPhjnLXA5w^Cd`||~l+AQ4<#5}et5rR<6Pv-Z{ z$k0?(mqZ??CmlgJEtzE{X~S6rL2@IfqRFnL+8*Z_l-8|XF@h$kxo@F5zRcQq0slli z!LD0mufs4$ljQQReABB3?8uJ71YJbp6@V3um}uVdBW=`Nu{S&GKk!+%OCQ~ZF-Erb ze9VC!+z0qdk0-W=Pi?LLAbs<#+^1sc*p3FeS?!wF{(kW4a;U=HT^Zt~6yu3bS-9(g ziHtq|>G{HkiYmwMfR}GE_l!yyD6d<7q+Gphb=SSObnOH=XZlCGwmao)vsMP}bV}e~ zkQtVB0`Z#gjnQnnBfo8O*@JjF*Tm;b3MW}gz4~2P0@cBW3bZ~W;|vt(=cauD$L6-u zPNrVHJP=JHzfR0o$-nnm2CvR~Re|q=ghZ=vzsH|CJgrWExM)*&uUDuxZoaB*OcnOu zx?(01r-~@Z5WOp9wD@^P82QHOu~afwQJ1Sz`=r9uN1};N|Cki%-9d;KL96Q=!y~nm zZ_$L^Av|vVh=CGATkQViZ)h8zi*nYMJqt7ZuN@n$u+Y2{fB21wrR&a>%EdOEy&zQX z4e20~(*M;b6eyd0PUo9`S*|l4kM*QXrs`hmrJdaQ%yF7B{5k}ljHhAdSnBhhg~)ow zsU1P$hcA50n=7is>g5D9%9b5@+V)F3(eND2=d|CY5*58a4J5!%1+I&R1`3B?Z^?DZ zAIq&2cpx&bcQ3ih;ZY?`zLPw!*zlsk%Vs9ts&W6R4N;fjbCUW@T%y=Mv(RZaC$(;; z2a==|6e-qNB?otRb?q74tzf;PxDObcu^-bfTMtSa%4_Jtu~CyB{hJ1b2tiCV?5R}C zNQqa{dm0iUh;9uz;zFooSEw-lLQ#|F_NF)XcIy4e9oqI>U<~rP(48w@)|p{?3--Ic zMGQC^=u^Uo)G>wByj@(|alG%@hxU)3Q4f-_}XY6SL z6$Kl+)FZsC>_p@&0Z=RunEh$YRMM4kFRhbQNUDkZs`yVLI^7ZxDb@(-xc zdV!SJo_Jz@ygm9gFZAF)Rifd|PTsO?Q4fx+A)1rn3%*1?^*XJx_nfa|**MvJhNtbe z0oRc`+VxG0VzoC~#IKrRDBDneBz-{SN#V_v3#$9-$DP?Knl{7yOQw~$PQe!<1|!SI z1|`KC(3kctrs@LL>qC?WySCfNH_p~AZ}N0-bZFQpVy#L8-@pK|Clk3$nX|cJocfDf z_btVZa@v_dcNym4UW+d>MX@^7uj3+H2P!5K+ig;a<+k3)H2U7ujm2nH@A8MOS?En7RsL_ z+MD;@&DSBu8i$_<4%CS|y~q;3+TPcktlK8rnJs$$CeJ2BhO+HVRgP*auR7~z&MRgLh*?_Z zo*IfDxbV$A{7GhfH{H*AQ>JTTxhS=+4&A?)mMsQX=<7Etuhul5ySQl$8g*9h>?f&v z1t5WXdY_cE8$4bU71J^2v6l-0`fd?KyDPV5A8G9|0h|c=C@ek?+_;nSsJf|)kt&F~ zIgQT!`5e4fkNWOcIdm+)-`wAJZp>2so?92k-ZtU6;(nqsu4ofdR7B1v#Fc!xM^nAn zkm#Gb$UD5y> z>9sj-8I9q2n>2HjrS<6-PEQW9UF`1PY9yrCs8*TB?rB5sB4Mv^^E1ck4FL33{{ILg zVsv8^m|&tF`fHWezosTGr0lo_B^r6~!&_{nlSTGbmK~K&SBj9{)E~dT<63;p+#>1M zwe5q+E9RH_2Pm<^Y51K z0<=z?eFtQTrs3IW$(*F3hj6!WH(EURr-*DHuL1X|mIwX2Gc!f^YnSG6oD!$P$>>|R zpM^iZXqCv-e3FpLF3kQDzk$p-74$SvDD)*P0xh7#k_;ew>I~_NY^UKCd}S47zi8}r zJJnZucGE9rvd;Y(HFF~B4mA-a{?r*7{0wivZ~40o$0gbFUykH1RafZ$~L zR8IA*7#6oJwioJZRA41KqEh`rsTG2q{|mrWriek{(+CIs6bI&ZEVQ{vNYE3mP0S>W zD$AyaY!5KHWlRJuC-T1cG3C_Vf99cspOU$p@Jt@;Kd&$)0sR+ylj&2(i$~`6{BGau zAkRyTcs}=4pBj;Mv{jeSHJ4wzL=2K$X?EoOxT))O#D&rFERV{b&3Yx%bw8;rOXqkV zp;Pwl@wqO*3}0ZU;@Jn#0r_McdKK?bRv8L<$(b`n^sDcVfEpKL|jB(J~OZb}wr zhD?8>Byuk~RjUs>X3I~aOT!@@#4b5NN)4{~e&#@;GTbiKRpWrS8ncx?i5 z`7t{ ztP{utwU#OC>H%rR3hhP?UdXe=+*8x=g{OzU%;;_>@YOX5v3v1&Yy^F{1_~8vH=}+s zrMqaKgnTs6k8fXJ6BRRW;jP_LuJ}Iv8V)%*hxt;@hmF|(Eoe6UFvJHTyhxI=#w)U@G;F|2gr^Nx=*BIcQ_rcJz8J)9>n^n zqq1+LdSk-c(3P*Pavo&K{zAGP#nE3tWgmnwg%bx?@YN()9UbAzjA4iUsi*NPuU0W; zY8=7dG$vEO67=_DhB!5@U&fZO}6qC3(}1SlcTQ)#{z3@rKGWq?W?j5XS)d=0R|w^ z1k){Y=PE#pvG)g_XB541y8!4$}u4OjH;O=@bC(-XyZS zl^GTwrlz=^ss6k<>W%KRh%siOLv`y9knKvO@yoib{o#gS0Q>nyWM4=z6+p~G$zN5m zM1%WJO1jvC1xgNzU&tHdo?*DBEgfk^`dz#rp9;9c0;CZYu*zQL5>!`&JQpHlFr5j@ znNcA^uj8z5uTCdRb-i>KLWtP^_~2=YHNNuzf?c}_&FB@=q<0FW-XLjahc2CnS1(q~ zsoHzcHMm#9t;2Z=gO1X#_)r{aL4itsLl{xoR0s2KDHMDhkF_g!Xh@5JP~tl}>0VgA z2RxV;cdjr$ZQY2ks2_o6>T|S)>%rgiOWN7-#m4*2w7lh2^zx*<&e&|Gqra-nXRtZj ze9_ui26^<=*9Q1lN98shwD;Ij z+)~;!W9`z?V4AH#D@n!-NB1;_qDl`$NGq$dPG1rU7zi2YTZ`a6Eh7a1eG&J8exSYf z`ra^hxIs<v(~@Z_ueVw(%*Ao z)a6IpqVh&OIo%rjK+OZg`ajkZSoW-=@qO0yA6X2V|xD}F#WhCFPc-xiG^_@S4>i8uMO@{O7*2U?BcGMv{ z{|(dcFtU9yT(o+t6V`DY$JchQYd<-y`VVD8R}X(pqIB&^8%~6sXKgLs{Hp~}b_C2I z1y8lqXjIRhbeu8xjqE6B;-Zp>uPl}7VT65lP33^uhl`#lrZR7jq!gSFhjkXYuG2HKL<4v+g~uA6$@ zAFFqxWmB4HvXxd8hJCYxcz_i{j#}8BSHl8L=O8+>8Ep^!%^u6h?cKcw3giR?eazL>c>!UQZjWxBn_P?6tby zt;r$WO7XZ8Jp9w4Ng$Q!UX1;?MP~{ypc9M;>fSN2-+~iD<=AgtNh5<| zgFEKb2xLn{xX@1+6_{XhiUcU_YtOUw+SN@sJwjMNtL!VGy05*(W{~5UTcs}I(my6s z|A-ewBW=NRuE03!u&E4${#&wLdfL2fFXfe;c3vH|c;O z;8s5{t^;omXFQzwnD73^rbDLD<@|S71eGRHNC46Vh8iw8;68S)RFUGjkx0S$dSux; z#0WdDpsi;4nVRr@^C`hUBIFk+_`)nIPEYxd`rUY+M>5kE_S5FKNIl6KF&ap9SZGmc zGPR@g2IPe3Dm@(q2uqVy*JP3@rv#w&P^ggue;xOu6GrIf-JU|)fKnivr6a9PwA8J0 zz&54vbQ*)zRHk#(z&Sk)){no1E3 z>N2EeE18CW}AV zKl!dm3^yT^!OnI}J<(Fy2M2vq6^?)6@JfxR=&}}s(5rv5NS{dhe4rw<_*u-A-IQ?n zvC(FIVELFaCT;(?E%Gh))WLE7U<9YlT5R}sfG@+g()2rNz*jzMx;w(ckHD2=o%D@C z1}+7%If3-wY+lI>O9?}N{-y-4T)iP_o2O~okzph+F9Qvbcbon;C|SaJ~x z`cHE4ct`4^|CBv5zWAo{4XtDIm!y1^vm(_B>Za>G?yL`Cq`XY_J1P@1OG77Ylk?OJ zV}?y4iVslOTJ`JON9EV@0E4^XkiywlQ!odF0?4y+|Xm?)1Qi5Rr}*s7~A zsd&$7r6A;t-(O0?X7OAkB%u(M5O8g3Y?jYQo+$u{oGex(A0U=u;?ui8Oow*bygkUm z?71+(5?#77D+%RHp-o>J@U@Fz`+(c0UJ8k`1Z<{k$yxvA+NboE6Wo<&!Cx&O`oVF% z;xB%XNjRShYe(*Z3KO!~VcqH{0HX8Ut&#rz0i!&cQl$fLB&xcpOUAZZ<@dAT^s0Ob3I$HkzfsW zT8IDn_EY+!%kNI|vc-~lu?Imf2y^+`c0bPi0YmyFPJRPzN;tPe@#tk7n8lj(tDc$* zcJ?Yt|1UOL>YCLqJx#9M@cIu}`5b568_kfbkSDhloAn_kU8~W#+5q2fUd9Py;PZ5X z^X4!ouWYL74j#LPG@%~c!zX-tIR1EU82pr^ZY+zIbXW?OWPLIFvGu7Qf`QO4+QzUc zqVp@ZAwg#Yb&^9>1Be%Nso`_&y?dOBpeNZ)f>OfsFi zuskP!%?uhMj1D>ot`F6j4Cr`R=b(i>V|gU_lJL7!a>t<4NDdXO0P1r2Al$pAQK|#C z_w#sQ^p4wpM<9;b@O2pbmgAoUhKt5=v&}b}HhS1F`cvW!dgwz6vA=b+^g#y4yj6c2 zqM2vx(F1`8z{t7epdKI21f$di#Ui^_7IQ@`y+s1sdy1!AGfbEiKY|nLA8@=rxZJb7 zP2U@&RP$?Vnl0Uv5|Om_e%`k2*^LW^wp)V;1#9KITn{oHt7fOz=49j2^rylMJd@NP zEnYyw6BC2aG|Ae|`HSV-`xEZo&}pYNnRh|FaJ=i#sTN@vsJ2ZN)HB@Xj<&Iw0MrP) zoB0=zAL9VVW0l%2xPbG1i-7Xytf#!Mzr%;sEddV=+QaAZRSYimxe+Ee{Doc&lc^s`m#()Y`4z zzE584sLvGhKaDMUupq?>aTC z!s8H_cLb4;j4d3OFrKc3%U3Qays^j<@yfIEdPWJfP$5V~veUT@>JBZ@<{q!eFar)p z>KBFz_Q_ZG6`%6|e%TR}eP%gwDO-5CsqFJwmE+ot=EKt4;I9h*BVm-Ljm!CI#qC&1 znUg6oY}1#9MEP}G8Ui+%=vazL0&N@mt-BZ!tnG@u>=SmCk3G%j+}j+2z;HNEgjoFo$>HbM7k;PF^ z3vW`XO5k+-Y>QyP@AzGle_nkF_^I!~B$uo*T?0Q3(1O)aOc;xelJsxuAw0*2<3?Vv z*8#8U$3 z9xh1e!8 zxV=b9TUMoizehr&#r*()rGE;mq!+@DMuDLUV*%`F035*t#n4xVWb2pJdp@ut?RcIl zmMiLGeNWRVn1v%0H51P&zW?sFfWU7)kK@a8e5tdaLQo|s@_g-Pgve#ESozJo>)QzYS)*{$j)L7?T6D@yAm&@XJd<(IR^!Y}^R(apD^Tc`Z+E)T@c<)X zkgC&cNeKTJZkf}%LA(}-LIaSRG1o8g;apI#>ClKJ3(|5>v$-C#FIY;4%34N%Y^K}f zf>tEX)Fy-g6^O^5`o_m^eP<~-b1RTvKCxmMB;jNs>iO9)YVcXojPGfu(egRg)2QZS zLk3T!moyaW*_G+N?igqexK&Dp^)hD?T?tkG=>-H(0k`TDH6Ner5j=T=^p@%QRjoZ( zHG~gVP%TD16EV>2$EA)3VtL8neVaa+KBM#HxvFZ(wKci4b-NWyGRW7E@Kg3Z z5$*jH64e}Ev+b+R{`q$j+V*>GR4zHCL7L>Ybi)EU{q9yw&gc~h*lUF?{uURd$V_(o(|d>K~xeeq19!SVn4KMCw-Vkkygz#k_L zS}T6~^gni!&37a1zBJy-9BtcB0_1lIgsI%=>p z4Vs_hrU2y-L9rP`sGrDmvF))XikGx@;dK7clF)UAuzZwps@|Z&Nu7Ac%;6e6d`948 z&As;QaH;UtsU>dz`?7Q&`Fo3rEcB-PFC_lPsvHUOG^$mI=Ru(YKLe1a%(1flkr+Qy z024eVQT@b$A;y~SS%}L}?pX}W;h<|#4sH|prVq5m0a&2lB}^7X|W`b|8h%^7ld8OB5Xt__5)6a zUslXy2%Jon1d8cihBrzI8g!?8*tA~SFiE_=#*ng{^!iayvo!f9grma5a@4$)jo^<9 za`(e`Y8qdjx`lv8;)kx){S^3@BGM7g|3h0h}NRCICXE z78%fr06-Q~U%t~WLLL!-)Nk#_cLjH?rS1(F<|l7I?QLbr7Fr5ne|GW0aC+TN^0y?i z@#717_8j0jgl@IM0!;9SBSYiH2Mx946UI8oEht?fz^@5*0q&S}iLTN|xPg6AYQmqh zMj#(M)!9cg;DITjgskmheYc2y*{*(VDK{%!D0nr6p5JyY-+O*i<|Z8U`YHIA+nZPM z$?EY3|0A=Sk6pPJU`ZlDH^zKta^#CPH6gK3Cp-b1HpanGk#nfAzj>?JcRzWW%kovH z=OVvg&j{*6lMIfX7XbCN86KAYLx};@S1i)Q-4z_w1}sv=^MUfsJFQa;$X4$AvM-W2 z3T(R**^$d}2E&MPg2>OuvchxLvbvP-pBN1Mp!$j{yoC^KOsn zCxIapdrF-dUf#g8g5|i|piI~Y!ctCPGmg$s(H_sQI}0hGXhMMsWIiHs9hT;*)Zo>e zTf7oOs+S6RCK@si!L|DUQuh<_Xez8n#L#dkp}R0E2LmO;$epexz9$5b!{D>CB5=UC zJZmky2Wxo&Yd!Enh;w&^&352{N<(qZBe4Kk3hFXAa>7dXf{^*ZchhHtuLLJHKI%dN zn*{YQ=OKU*gzgY{QPwUi78mbz7;MR-xX=6c~8Dx;6xBw(sv2x-#jDvFWw>eUQ<|fpH z2K87fcp~Jy|NQ|z|N8;hZU-+28KzFL8nvQn7{R~jG9w!ABLwXV@c7$GYC>A&T2cW> z3?$#9>ALsI{jrDA33IEx#uIxo4ne@EdUTHd=#dtwy$cYVz8cfhEtIawKDFTrMd|Ch zVv3i{c@+-)85Wbk#iYN`-}buVZX6cAxs+z*rT(@& z-a}Z8Er}b7Ds-@M(#G7Zo}08lyb=d|tE~NiXN?~mdl?Vi{9p^&Ijy%^dIXEymNLQf zt*b9zQeb`Ui(>&Z&Wls;@2=7BHEUrS)Ja0;or}jSV6y%DRZa5QVAjZU!O`VVc4K0&i}?ZW5|DM=WK=0gPAC zt2>uSse{dly)830zynx4Xrfe?Aa{NIX^7oDw|J6)@5k3})E{s085_@Vr>p9bK?%iU zIst!A+Ungs!n7aM!Qr^U1iQpjWvUf6W6?y~zh`P(y@EO++{^89Mx5=&j1EYv7H}IP z0x+?&GRvm3j+%CrW^U-#t9>TwqUOKqY}UWH&1G{q9bq@AvOety#C;cOchfE&oWOy| zfA^ErY@$f{3PWlvU&GUnyQ<@qEuSFt+M<8(!e9?irD2a9$Yew}W151wreidDr8$X$lkp`sj?>KSK@9wajP%vM%3rC*#*vJ87r zR~VmRGazFZ7(WtZKDcK8r@z98#fnzA=G#lp_l94$h*T+K8MGW9M8B%?h#b^sZl!QP>*0m=EeJU(JQ^V z5~7TOx2cwlwx$l+_1hnmTtoK4(EPc4{R7cyetP!OMLT42qksSZVdI@U+r@%qoC{yR zxsSBLao<75P*?){mORE}i&eOB#oio}PoNk*R};?m{8z4j0j-b8GcK_z7pu)^*uBRT02pZwZygCul^rpZy6P3+rJA_0)j*5&|Mm+-Ce%dc;EkLKYOpW*V^wF_`nCQ-x+=IVcackCzHrO*A z4N}auaF{*r*i|Z$I!?U*mWQ;7qmo9WW;Jso)g2R7Ltv--7zVn zRq>YL|DMG7J|#VJtk<p)x@O9p1R4M(q@ zM2NkGd5g>PCjv#prYw{3X=UdsMqSh%$^$$sshBH5$*khQ<(5}LiN4onNtZ=;P%-{?BFPYCO?|NRH z7DD|)NH=`q`+VyTODc@6-SfmksQGMzqRE?obIbv)5@LXHM?9yi*%rDs{x^zTyu-V{ z*F7US+ezqQ6}Jh|BxqI7WROHSb6190Zoz*$zxV&u`32I~zkrn3?{M!}^nFf;Bx}5& zB1Meo9MyY@FZz!$gyc}EX1|dk?Jee@Yi2w2F}vF``g4G^d|0x>w4>(3@;VuY&n#K>x>PX?VW$KYHabSAc-jC$v`7#TiA6T2nJ@ zsMX!%dqT43zqLmmb(_I~W(}%mNV%Ev z9FDW`>UDWQIgVJ+=92^GMYXtCR>C23Xkg;|jA~b@>?eePhc$o#avq zNM-7RPmt>MUdTX!Y%}l@N-r*z1Obg|ZtdN}{AgUqNz+-e#)?QFzy~ppWb&zAgGFkcLE$lDKd)*azd;$#6VC+3^DOyA}BP zX)x34Q(y6yRptmVIu{tzpt(Q`W|I|3>CG$f`zK1dQgjpyCVtBqsO~&UQL9|Kj?5uZ znI(DuCmY&e#|9A8@E=o*4e>iHOVgp#8}q|{Zs5PvDM9Hm7R89dF6-5jxZhJb3kuGn zcbQFp)p1kB@$#8L%ky|L-;Qs5U-DdgkLkhF-2zK@A%{OA{C%pme7-%06XJ@0UznzC zoFpg52Q5C_P=F5oq*BFB?|CX-o$GCH7Fo@`H8<9{RxPxxGR&>}-mr~Z<~`7I39*~l zEjJIAt;S)uKmL;P0G+RCtUUN3t&YeRuBgHs=CCa3!E(P{nQDL=)YL`O5#olZ#X8zv zj_LiIx!$t=ufE0K%vDj2f5K9d%4wlC8*g_LPWa>o^KpqH`i;|^>n2)^4(#VAI*UL% zJ!9qKsndup0g|nh04twX*UhI=h1okA^}tE}Ef@3aOh33KT@fIxves&@_jhHNl%V>> zZ*o_69j#GXY*_0V?W;Rbp_RPT$ep$%(iD!GZUkBoA6{aF`e+Zw#S5W~P4j8py$5Fr zncU|)NVMpGa{w(y+w^_Z+F??TnPIlcBPTiTaFJ_?i#2;i057^m96LuUVS$nL>9-uY7+82_&s_y7p*lGt0M8>@JnmH2%x>diU;K4sJ{`rP}`G zHEct<-^l?YhdN_JCUz{laZ>>>=j>jmA2kv^_NV`~A+5326L6?qXA-3Hk_iju7$dlK z=^NiXYu_HccG%IrKk$WR0R2LqBcZZVm2{XY5U4z(zo!6+pNq1=9CXW-UKykZ3te95g|F7QeMv*Yr}9j?fhK7Sb5hlll+J=vX>F=e zll;qTglxY44;BFb(bP@lqx4pOX%Tl+Ll2}&97Xe|*=M(#4CiVg%HncOTeJ@g@1)+x zR)h%@R<)9B-8fT)eKUJ>@$h(k9QVvuQc$q`HHvHbbUmjD$rd;7%aEXj(!0UXXAa^d zWrj@PibD#{=~kkrk36-%aZJhUKIcYZHKJ?lp^-q|TY2{j9y2*^7r!KF_F|tp(0FD_ zwGQsp?bJ*^s(;q7W^6TP$F!qVukkd*vNSEfb+)slOnZGESfZ3!<+*7sT|Z!&{ABMf z0SPg3rnlnv`{E1V9XOHx7?LLZ1R5XXFJ4O&_RPGEpX6J<74&mm^2N}JUUkN_Yx zOUVMZZbX<-3m639O?&eOm|?3wKi*4FUPozlCH*D?r;o~5i7OTPvl3Di{_XnI=BYtR z@?DOPg0ONO z=i;ChGiLd3aeB6qo*Oan7M~i>`XH~?w%IdA^n_HChED3uXy~h=%~owsgN&`$`F-uTG@VC=`0PwxHi^Eu5J%d{k?Xvn%!PgsHiGfK}e+Uww2y95z z(ho%~*}@YR_d|Pp)U$UI-HkN0ahVFI00|t_>++pa;2!VX@866JX*1YO!DPKit<^GdBxG0wfBkZgM8yV!lb1BujW|*kl0yn!gT= z^P;~C0!@~sf{g!QcYys+oV7AdLIj~Nbu@=nM~G6@*D1e(gBU;vlq-M`Woa~@*g9dh zU>pwPxtxskO)1n1+%lkAa>nBSVUH4RXUIP0TvsD>2TRxr5GeK_ zIT_&KJ(k*U!|6M}tn$K&Wz7E5dE*yBEfvS1`zG}BpJUKbwtpRZJa@$k6|1HRl`KAC zdU!0jj2cEHH_Z=|9tevK|LOpw-Y9z0>03OD@9IOjAQh(cacDQH8gge@H3ZB?z+4;e zy3v}l;Z>AqJj@JQNWFydAy;NIrGV%yyg6brIA@1+^Tn59|B{>5<)uJ9PLz0hcC%#ju!CZ zyv^itGCo>f~&=J8KQt!F|0Gm`A&7p8Sqn{$QOPngpAh!*qu=V-t**Vx$r&)u zZb_HY+eHNhl$memS@zA+Ov}tr>Fi+3Rm0tWN?HW6te(9J)g}@@6HH_oJ}}zov3|IMd{&nlg&F zD;mz0!vR6IjJ5p5kG_k-(0Mk;jxtU+9gba5jN)>*WoNEzuu(HHtbY%0B?;%47Cc;@ z(W%T-k(jgCqQuBY0+%|ctg8-c=k=<&!PaL0%Y9|&Zpp!I+~InD{zD~;FC^6!A7nRP zFu1wW{%fmo?ds*OAV5`n9`&U7LiaER-tE!#Wb-+Y6E5GnF$0-A&pCKz(D&u{Q&v;u z-zMR!NCrbs5EXfV4gl^wc!v+D7^+iHQ`sV1PxCq9%l*IIUzJ4DzUl@<(;Lx-;AQyR z-%kM=kr1Sgr3tX1R8;=9&ppKgge|8fZ_6`ll^8A+vzOizYgCpaH5ELr&-MmNHm}V2 zK{aN}M-r6YOER3UEfzW)f&E+eVyzWL}|xjKi_~Z4C=}bhGq)DXG6T+0!kqQunq)Bqv<}iM>a}!Jp)lzL7|gGBoHQwtr>VhE%f8({4LWWB{1dW{ z8i=WUE3`80%!_o?fj>4=!QWm0Tn8vs09A;yZwWN$t`1(rCL1aH6%b(1qS34S@Wi9M zEHa?Xv*-rYeS@RS#K0Q=^L@F0v3&FA;XK2k4)m{}hBi?|+BNKw$PEx-zsmpxKB;Ka zs2jqW2=C<$SEnP~i#h!v$jsOu(X*k#_xz_lLy!(FN>Wcnu|3DH`GE&agCuf3#zH4T zHi5!{Bk!Jv(#oQ3rp`MV8 zb~K6iR?9`XcL=MiRhQy}l*87u)h87Hyn8-VFo9+1XrIPwhfJOS?hV_`I~H(kUaScR z{P{ztF%OhfUvkFJ$s@tDJ@XktQ=+dE>EK@|3nA$KL3|$DZ|LLkoYT0 zF9`+_b^1I-TwqxhAx~jpb&hbXu|t>07v{dqsDVST3#F2bXLgPnVbm>Qu#IzyD=gbF z<02y6hhRhHjay94+}73XRy9D5~vp<68H4De=dh{N{|}jp#e$@;2I!o3Ialc`ka?EOZEWB8UaJ6T#a5AMPX?jTwBF z`p8AFwFck^64K4dOMSx~d!g8hq+fPc(!Lpo=BCUKwSRLqSX5bY{6)z@db1Rp{Jhu` z;v<15AM!^-MQq6W{^ zhERs#3$AM-Kn4PhILYM)tmK5eOaUwsm_i?6{0lMcbIJuEMlRp}7Y+sh%g*1#HG2Pr z&oX^}wyI}RdpvdgR&pMCc>18N|Q^}RuL=EIb+RKIqk z>k{!Hvg7Z{Afs-i^tzoyXwkysmo%CifR2Il#i?Bw)h?3glk$)u+;`jZk8*$kvDCXQ z;O@53255C16ttYl!}VX3)fw$dB|zQe`6rM!7%iN!;BYULhBZXmyCD`zDc!!^)1L z1{@R4oKrgXbdHy|Z9G8Xqa8+1QW4bUOA=3_WT~%X3p>-!r||<<_uM0=lWf0rC1HJm z4x$LF5l<`ASk>^$ zIAHqQ%tiLfrl=(XaO2aG#i~c?mEsqVQ<$nn;BI0AR29 zggC?P=f_8hK|WZJp8EoK&Zg*roYr28VYlG7 z-N>0|02^L{x@WLi6lJ|QYPcIzh+9cK0JY56LHudS%)1Lj z<+fEq3N)Vi7e7(6*D)5-3s;yf5>-si`(nIj0>A!){b5l}O+tgd(cI%_?i;F=H#ipC@vam5jdmHk ze<&^}bC%|5iM8P;5A$6#mtI?O-M2Wb9(Z(b_!Mvee!8&NIG03rBG4w*xEIR|PHh8x zYsH_?;(E)^d)Jk+Y{c3C5WNBD3se?vzoK8NFpHWI41|WXK&uEOeyqz&1vE+rXh~0{ z-#y2_NLAywQV*7LJj*tu^Yz1bdq++P8h4w5jQqbB?A);a{V`e&03I-@@MvO%C`_|9 z%*ZoqVVSeh@tA#C3%?x-3;akU37Rd}7<%$!1FMu^aaOYcV<;MxI zxrXl~uppqG5VV>2iFSkSN}xjH$DL`Lcxl|lpxJ}2+0bIdV)f0|Vr0?2vVt{=u*@Ax zn~xpKnW?HD3t%GgLxl~K9Gc>*=jn=Ou1D9&wi$SH!qx#a1JDSz+zLIjk2yQ#GCUS2 zpghuMe_v!;?KS0vm5O)WcHdOrGdR#a!_6Ac3!U7$@cfF;={hvNv^7~>NI+NQ3U{E% z+Ae>4JRe@>dq;l$`S#|khIR?@SrF^TwfxKSH2|Lbq+JWaP3{U{S^wsf%5HZK_S`#8 zpW%#|Gp7s<$l-7KQ7Go09O_-Dvm@!Ce;6Q^W6!1XosJ=C{TAqm*(FU2sRC$*yV}S? zV7%&miF%3q3`ii*=Dcg($0P9l063H8zrdM@SvD}wuw5`%SMv~{eB|OeYwG(ZP<+ZC;zK(Ob=uL)*gDUGA$v;I6-ku zI*xkV_KrBFZkepZ^sTL|irG@@LDd(tu?dq%wiYvm&c8DuwbH zK0x#)PXawLh}*gQ(KBRfWhEV($QDdk*!nm)2ZA-&#A@mJ4T<)Jgh$uc=>dD)2t}AQ z^Yb5D^rAWabd#rnWjs9*nr>NUi?WY488`Hs~1A%C(GQ% zX7o~+JZ!tFL=HmEzQ1z%f;gB!*n!y$YkSg4sreS=E2$dLwk$#e?$qOp?wPFtYV<$oC{k_@41Lp!ODol(2eT)yr8DUN zMZMtzs?a#PJ4!81QyY^ldEBPo!RERJ$bVxv1vC;yHD zUjRsd0BbTIuArb0id*n$4@bh6AmXKF*>La?V^^?rYrw=AAoKXyYVUAxl}winDAWK} zpg#o<0780MOZhy0VZD)_C=nsZ8MawYgkjqm|D0Cbk4(5hmUA>utT0EW(qg2g{bAoq z=6&g(d*j+U%_1_*4ikS^pCWacoM?loT9Vu&E;ewHf&3~==5uqQ2r}g&uJyOtaePCk zYzL;hQx>-!?v!?J&36t*%j@k4Vj01bof=FYm_sOoGyde)(>YCHuHLvKV+X|zR1HI7 zIdn%9DWm{bQcjBTeUU~QH-Irz--m{I7Kg zriQuZJ~e;${7OP2*=+!iFuGp+f52DWNu?~{yJbyVjAYn3oSsmzPNItL4RnI~L`jmf z(7gsIrU6a`t^X1L$T~tn?qW-~qUsZ=bY30IxqCwn663%~4Bj3-E1H{VXS|xrD#Fj}EXp z2e-_c16Y4Ul8cfAPJ&c<(Z=FyT=DQ4PX4sF;fTLq&Gt|^MO3U%-1`ON7*7L-^ArH8RMg2ZyU2+GiPH zlcMOCkPW}E*TObS#ct#-IwaFqilI$SC9a;+&+N8Y`r_*xmUW6qY^JRMvPaxx!p2ns z5`c&3&;6fGM$k5}tCk|(2?6^{@-l=Av84Ejx&fiP;1qE~1;B5i7)6aZbS*L0&~3HE z*}<4d+u69rgMrlZQk~a>JIv=q7 z%ceY*=}U+x?~lMJe^w5#SIKy-V^1ytL9Sn|s^5NZM6i6L%k)S2TgfOn|3K4zecw&? zvZx~XOPyYXnNF(_<-YqC zBAXe1@$;1Ws)3x}fwRx^pR@m$AMpC{k*E`^SB7ZbB&lX|jt~Hg8EQD~LzAO5Ql_29 z{dC9uDD6pb(WnPN3~U~_rp0^We+&1o7-XmAY<302PL`Hf|Al6lVa7`M#(N{l!k+-h z5H$t{0;VrvxCOsjBQ~;L{AFvp8}J;rS^!Sx^Z#->f8_~CKAg%+4quy^a8p;Nedx3o zhV^q;8@i<6Sv1j=w8E%D-5n}v_nl_-Y|&uXRFfi5G+D-RTLDVza|T#%Vf=E4SrDAG zth@$SS<*>70gy5c50;puEo}N>20BSF68st`C3V(MSf&Q%hidLT^>>$MAda;z8pd!q zBQMj(68%Ygb)0)?--nknQ|Q3`rHbY@AVf$MSSR1+e>QA*M?>IwxBmms)U_Jo1;)_E zS?9o~FyQU?WM1zZ*YA<|P+gL+sy;b9&$>P+$fxv>w~I0&x<1^!a0kRSuNKlTwz+{zCGK#^olLbJ)#0 z0U?05;}#uiC>|~MVJN(16X+lTfU`*|x`Bu{56=44K5T?I`l(H`-x4BN$^lxeKa(Rz zN(m|8DlKDt?dc*UlUlvW&t8Vm)GuWVasmHc5ZJrFUaG(F^G5)E%nWu~F+L6!6WK;d z5lL`vEy2O#W@OjagJE)QaA;fmfu!>vkiYA|RH+S&roQn2~-q zEGyAI0M=2~{7yTH+ z=VA^L;B_Q-(mId@g=3}KXF^pqb=Z#k)3WY?D0X~SuFsuN9=vy0YcO0WfjDNP|KtV) z8X*pk_z+4q4NV%8=lDwe6Jb|Ad|_W*&<}z|JK2YDQK}`79!x-YKI-B}&-|D)k0C`j z`E75J;3wmSk7h^FXM>8VhY9huODQ!Ez^k7#FK~Y^4KKc@&bs~}YIkVQzFq7Zxw0jQ zg#Xl(1?f5-GIZEy-UrM(OerRBQcON}OXJ?|Hn~<>Bw|i3w!`p1YdP|kL+)hA9GF>v zD(8As@t|@UBWm^t;Dt@ek};U@G1OD5Z9n!eNgSQ5DrqpvNq*+V!#q$>W27G?B0qsr+>n z#@tu|kN(D%#Ol37-!~E;ymDVlyaK0jzxR$A!~pmY!TO5z*o;m6x3C%jpK`cHu!v)6kX|{N!H9tiXTcAv^%r3Uar7Mp- zjq!)|+E9ho4zn{Op_rgDkHzw)0Sv5;uKBw_&68h!Z0_f(!orKV!Bo!&tNQWwCqAnz zcvB4aIi7P>P#S_K!2DRzrB_w!TUnb6y4qp5GTAKDjC>@<+aFi!S*gHC#T5j8TW18=< zuWsH(#6=rcmC9)l6RTD?&PvPCg6*>vBg;&?PW6Wnp1ci94MZY`4agPKi-CMu2dU&Qe&H#&|h45ak#FKSbWiO*m)9W ziHX4%E^Vx%IXiHhfuBN-PPOraK2Dkxv zgJBx-|8fKL2wo$e8%$bvp}1%n&y!W-law_uK6px&O+q~3OrO%Od6Oy`Qa6iNG<(BT zq?_@5I5x9=n`1Qre0{|rj z25<}NA!0zj#`nxLB*na0z|AA~`w?KV8&QL0w&-sLozOf#zH!N>jLy$0&rlb7z{Zm8 zCoSg!+t?<-38JJkfx>=_&dcWsGblf%fnq_qQ4Sw_I##Y?S=h$O{qx7ku;oMvHX7ZJ z{qf7k>W0749{YhIeWYmCVp5kja2%F6l5>3ANx;v?Kvc<@#Wu9Z{|5_jBCYfpwOrAY zHDmIe*xfBs7L6NN0$7e0Khe(3xTgbv5q7GbER2r)%3OIV>Z>ENS^=+FXJ%%Vk!+Fl zH!{F}jMV{_Y5Ixx&rtk>q0cYVS;B&hXQq`+bzodD`)$Z_@e&fg(6qmXM&U;#$(2s7 z&@#eljl|e!XGxU8o(eNpKFaTnI9F@Nt1DCv?9B8*6-YkkVt^bZfrFTT8yQE;1-}T@ zkD=;lRCz8zyY4n!S(!&%%`TAt9TESy3B-j=KoZf-U zU;(If^w8~Xle{ce>`54o9^MoZ0dT+F-PH4oV-as?Fw}{{q+G}S=d;|3NMGdjz9*=y zLz!1)z^-|x&dUI{uAf2NgXPMTuik4K_XhbCKtQ~;qzl2nsr_^J&q;jcD|8ThGDFQ-1tCf3iSlA9*y^XfIR*^8xuhpgx3L> zBVZH0{Xo$1XJZSUkTcoVznatSf=Kh1`}uxIiQpfB)l1iD4%-VKhQoilq6219GdJ*8 z+zjB^K&-&?;00gy7Sn1f&5oyT)?7zRPgbv_&;47)Lea(1mKf;>UdFghSirFq9ZMrj zPo!zeq_nW7N9jq=n18ZH<2h@ZRn=p>I# z7qp z^QNZNqkP6o=L?5J@;7ZA_E*ixp@bj%p(IJ3MJ*~s`9%U^ax(n;twc)RaiCk^H8==u z9&k5Qe+|>^2J{an-;mD$g^-sq`MKvw(fUSit$%pGqPa4Bo%rWba67CBGoD*e3q!-G ze-p}KmBI%CRR4W~7t=7dyNy1jZ_bZYRDwN=8~f&Y6(yEk>i zFL8kxt=m6?f|Y>HUu7&tg!LdTif_1^&O}!u+eM@5H}v(Sqi}39 zhS3vpWMYKui7gA+jN?&4&0|71t!M~`;mQaw_jPTDFp$L>6#W{TK4U}*dKhTqlPO_W zlt={uFH+zXz~t%3h~ouSf{4^I;lFQWsrlXq&!^)S+{qY?`{iBfNWS+;VvGBz z?GM^S?w=rAu&l^WI)NF@nhFf(QXM~|{%z6xFvr}_2!o~087u10TDuC-pLL0pJXd}s z&sJQaW%{HlxnJ!G$}v6FUBzQMbh^xsn2b0mlw-7?Gmlk^KLOGr6rz5blb<_s4XLP- zEQ&mpJp0OKphdycEuP8?Kc-zr-;~H;VgNdVhWua=sY&_~bk1LN3#$HxsX?u>RP@BG z;bD_(+qv0JcGb;7@wf$hKQo}+`GDm-ZZM#xljL0gW@3g1LgbHB-{^5s)bA<_7Z766 z5rwy$117cri8@r>3&o#;NPD^AiGi>(vC27lg}Q7Fv(fULPUxYemR)Hqdc53(5Iq?H z{PNb}Sj|lTH4FFjq(2;eY@r&UXVo4jwJg)f16+EXeRO7V*q0)dA4F;d^Jg7CU{s=~ zGI2mY)HQMt z@dm(2>ew*-rZp~ds^;QHA*AUV2kOOZSUo@L!T)Dvs$y|nB7 zBAQ?tvU4e#1<3I9ABw+qkpSkFODGnVMh%nzBqE(!Y31EH>cw3hgy^gQ+4>7nfCy}Z z>KY>}OZ&-tZM7o%-m}yC0_4EzS*oE3R}}d#gR|e_KAfwB%DYxFDzu!b-58F=Mwepu z8ShVnpG18@qSA?_>`o;AhSDWiRrvh4Qsm&(lJ#SLk?z*&`mUmxm)uo@c!oM*J3_*o zjQLV{C)x-lgH{U`7!H;>6nks zglir$1w1zwhO6r6qS4MKAFnfZOeMF%`IL(U#gWg;+@C-ut@3<|=BmRqK`$uj2B@Mb&cY>U>m<(u2EEULq@g|PF8f<;aw0L@ z!s`)GR09f^*7ALbRlxvAPulDgIdn|(Ud-S`kQIb~qJnb;)x%t!LIaKsL>Ea1AbslW zLDlqUs?{pCVmDCTzi^Q{|7<@e_f@Qk^lFty03{Th`sD1e*TdeUErg0yAD$EJy$;Wd zq!XxSORT{IjVSd6BqI@77T2Pg@lP?a&Mi>_ zm1nhu-F@REb1EeRaDM7b<;4JED%Gd=^-#3E8y)y*?nrZWVPQ}DeRuZxCsR8hK&UWh z{_UB2-&f9yA|$K&os!XZIwAbJosXdllASwpl$xCANhTBiB+sy0$k5g~vw~|Ra*CvJ zix#N1>k~44j$AE1Bc0Qlt+=nFACM!ZS6OLDR-d%hA#Z*_nBZX6WSZEl?Qb&|1Sg9#{CNR>EEnKOS2-UbS8e`0oL+fb z^9T*E&#%|#{WRTk>ld-$QuvRj=|>*j|MnCoIbPj#OSCpl>OA^Lef)-Ppg+w}SLP{< z&a6Xz{42mbH=vjB|9)J4JTdVa@Dpo@Ov?JdBBR*D^cV17!@o!0-3ao3$|jPD3LS?B6epll+>0C(QWE?zA5FNwRiJ4BC4(npINfcghZ?ZI48(< zM$PzdJxK}Q6RdfQ;np>cwMKd|pkhjn0gibZ&^F0K^iOyywD+!bI2-|y3;=s_8+nV6 z8Vv`eM`XjnnQw`~Xm`)ia6uLL*aGw(AL1Pl3Hr0<)1vkBe!`J*2pkJ|V5MXWMNNU8 zrbVK0M*!fVhG+no8Nfe3b$){nJn*B|M88rm0d)FEC*8+i4i$cW`N$j5X~V_7 z=41JIy`oaejIn;PkS^ zovnu&!+!qxE{5yI5r6up_brD>PPz(6&0e`NRF3dzBid8x2xMuzG$>l5d>Y<_9D_rw zY00OL#7T_dq4+RKf!XijR{Z!+LzQ)M6bVz75B~f)7^5B+@%c8Ny_7vazjP>(ob2!O zMXWG8znO0(|I&uu(uw%hG12SJn;(?97JJ_t!?1BWj~VIluE?3#^{wYJXcFkUp7h>) zIH(q-3QH=dJxfbdu$4%H&G24CWy`*I9yFP-?7^M8%{tU@SMPY#&Ao!b6cad)X1zJZ zI&2ye5T&!P_7cKg+f%B2ocnqw%48(HQayqr2Bf!eBojqP)`CA;frdt)fg~gQtBVYz z%8lHi#yj;M4}9S!*vIpk>FqYSq!LVI?`5=Ln84@4mj&LwlqD;V#n|Wl}*^ z3b5g$F8QtJcyZQY#HGaM?T*V?_{66`nn>`8HDOA&MhR`X<2`aQUA+(;zZ}m8Ef!41 zWTeRG^>a3(bZQj0TJyPnIY}LdHvBMkK{x*x-YrmXJ|62fOUf7j=J9m7S>&yUgIk1eoWZ4wq=q&z$EI45c`p}M{k zoRb$UvW|-01Lbl{XE#To8&WhG%0MT0nl#@%MTTGNwwdT{%kK{a*2j0;xO1<_8t6+_ zXLE)9 z?=m@_9@$6wyxntC7wT|HKbh)iq>OJhDcz05isNTOZWmk0i)r&s7Cg4pBX*W{%b z$at|Sz`4WxS>k|)DNSn*wa}9CT>GJ6F)XC=ZVyjQ`^^kTrc7hF&4Mlcm0)DF+kljH zvGp%cBv*;X0H&TFQpHdCkJvC?ANG+Z;JEZbA3`L3R7HEgfD}xfUEoP9?fP8(bPmOI z6$U@s9?L{5@I+09LX+Fn zIi8HABb-j_$8r& zjsmOPi#oTygEv=>MkHicy-R^+4Tf?ZA2eit8DN>c_--*_!i-H`_r3oQjc0^{Z-ZQV ziqM@YTzVRfm_AG~FnZ5l&RHj0T~Mlpg4VbU#L6K7eEt-xF@qJ&=4}=A$H3l@QmdZJ zU(tZZD=&0l8%hFqDOUYI(=~;_?`!J67^(`Iu+zM6^Qj-#r-8u2M_bz!X^uh zNK{E%kVqzCTY^isa9D;dvG-ulKjBfN_tbloaEjsgn$(vq;cr9nXU}6CRf46qN?o46 zszGzf9nI)IX6zzAoLyt#w;pm!X;kwv%ATT*f4fqZ8-Bu12%IQ^T+J3=e89QAp!)=v z#R|BS;2OZy{l_e(Nc22t3OSb|HVSPDH;Sc@2^~M9lT>M`h~-ewbk>JR^j@h6GxNJH z6xm{nZ&9Bf=YEQo5xjXX%bu>0$JD{PJA_|JA2@s?I}We`IelMyG96Ff_v|-`(Z1-vIn~NaV!N} zElFG?vewTwf0^+*H5@a_iul>zZ%$Ph@7V!+)28K<>UuBz+j#Uc3J&ZLmAB%mbf2q4 zMihE6vP{HYmb5<}QWzROX4g-wVmj#vI(fCnVh1IV)~kj1(Gk?SOe>0Yv)r9vies1e zQC2ip&cnG@>r6$lZDYHPk%h5u%xNOgb;LRKlUHPvq9~G_RPKHWSeM)IgrUm(P5?zc zjQb6Iwizxbi4g`hQE1Fls7nh@Ej^z%fB(hlbJw*^WHfC#^T&?cBQa;Kt?lp$TERm` zfsBI<4aAI~o z!F~~g1Ns}*+7fWiywGk_K2QX?=dGG=qRa4dfOsW4$)5ZBl%fZ9Y9{$FhaDt_$}$1r zKm_fhONR`!FEpMZtYJ-JN3eHUQpmS{@5L3&{LZd@$}wUoX%~+e_cg=M&!%q9DfpVg z8pTN8qJAiC6o&W3MOXN*beZ)=y-^mDnpc4@F{8z3gVIy~f@&-R#kcRAe*HG=v+u4#Iwc5H(+gaz*|$+)Xgznx(&0M~)`zb0YWOdV*Wb$DLTst$ z&S6{*)#jprA$3VCZ7R$U$k>k+d{|FC9g8RHeI@FJu|f1G5sS;Tb;&&g&NWU|gd*<}~TKvAFJ|}b~u&PsH{^SlgR5a$r$fx%p^-;PWb%|?hmaO)zjZ0(Q z3d)WzgiLv(p24T~)3vj$53H5C&rih8h2fU1imAJ${CUvtM^{~EGgMsgw)bB%5}P~4 z7qk=L<=WSNL#%ALQK3kf!-T*+VsDmaa;0()4W&l09O|a7MpNNrE1nAxrek^4NQh+y zT)G#3ObjW31I8lI;e1^#5TCI&__Op+S7b$#b_43Z3Nv4Fbs+r3es9JIi81T8TS@9t zZk6D%m&@zMZu)XA7-iYDdB+zg;rHG#_~0g?v-i)nwEA2<6l}Pmwv2?TqGBm6Pbdbz z9L&v|KqeK(%5+4yK@{5yZF^yCo31C}L>HZNOI6i2k zUKx7C&Z3P&oq-_&r{&=HeHA)^=fudU2DQL~9fPs(b*S##zAZpKm%tQEHG0~z>0gMR9D69QYOf1PyyTJw5Wfnbi0|Ien z3lb}`P{pj>QZL;5gdQ@H_p8miU5+Xa6YUf;yGvm^p04t(3mH201ET6T-MMX3bv6{x z+YfpzUKa!lcPD`hjTT=0O*mD;g*j${G6aRjEsxP^nEpALt)|!m@pzbk^NZ$K6IGfO z&@65n{3$1kSKObFd=`h^p^kN?$fyO-j;>2Np2-IP{v-{x$n{%e+hS^duU+vvurX|k zSZs;**8=Mf7v%n~_;+*c!gA4la-aj|_nu>-R={mY+zERO0mCOas~*x237(aqxknYgTnsjJC{@1$W)80^iNUJ4hD&v6 znWj7$v&-h-acLY-AYcwPaUr8-BgbMVJFjOjj6-)4mDgFWBbKS z0$y9cYq9l50WCa|cPA#x?O|)nY};?yi~Bbi{X6@YvV3|OHv;cgq6Dwx2OrlzoOsNX z!jkFuD~iZgc<&H_auaZG0i&1FpIJ9=X{S?I4iJ8C{-QE?C}x6o5fyoAmk5lNZw(c) zBom;x?hYjhuroG3X6Ed&R&LD|o-ZQe!$J)U|JPlw{*Sxh{#M^Nw!Jmg0*vQZJ|?|6O=5+f{7u`XV3zdp-oNdqixA8&+1~r1U32vYTH)~2ZEW%5DAOIysYic=fL`C zzDOGZ$~B{SAPJii1hxeaY`qnuSgis*iXYKz_F~xK4vK8aWrS}wij^__Rxe%R5Zbhs z9!1v*SHwW+e;m2w7BzvFC+-eWpar7o_(@fcO%(e0S}Wb54|{RS@ao%djD<3d4Ds{B zEOfRSC6t#sbz{LO$`T57TB#vzS51!*5gliCYNBdgZK|Uk(`?>6f&|#5bNiQY`g%-m-qj$ z4gG)Fh6(amN%?7`W<(`}+QpX>@<~m^**dlO^z=ovcg8x#>s>S7&sPpsvhBF_b7t*@ z&KjNA>~fTeUV)bPNn7v9I6Ka3FX(c->2$rF>CMm&=N6}X>fhAA z#fnv&{db$G_<^^w##j7Xxk?~jj>0xaUQ+gt&$rEDGF`u~-QDNz-);?T=-KD<3nb)e9|G7`=?|RDY9Hm_oHH{UV_8cztehq=!qi5F#%< zEirnjb)J&#?===eKl`$Wv^bLg6)ml3VSL*o8Pv$=QG=gJ4`W=TU&+N{#=*7wjIs~3 z8)=|I>JWwTLW;cQC45mgAfj*4{o^+af~70{9|IBHzxI@?`&xncQ||8k+ro)H`vm9V z+c~3*kB12%aChBz9L%s-An)dN1FFW@H*UatgM^peAL0%|{5)Fe-f;22m5_i=zh9 zjA&7$zSDQvIn@;@T(gOEoEn`7c8>WmT)0?*_e2zKZCN8Kcq-*^)@RS^mOXejv1g9? z|KsefqpFO$cTq~%#Fh>T0Z9Sr?h>R^Q5poK8&tYeTBM~Vlu{b$kWgvqM!LJX>qY&} zch5P$G48nkF&yr_*E`o-&wS=H=Ui{M+4q0F0J*%Ej(cur?W^!roe25W&Y9xQ(TlkU zHY?e`>&!=ytuSsMa@Qz2QcKtD(h4ry*KUA2<4*Sm*DTorg4pZvuD=%Yz1PH#0ZCrH z<=N5OJgX~>Dar50g`ru(@jzqJh;gIl7B{!==nDEalbhRmx9bjh z{d<{WA%XB1a9JdrKTwF^Y!aF(KKZSFB&aH+uW1&uMhb70pkGkBTRn~b%_!A9P6Fe+ zWVyV%41(rFa$nPv$$RDSNE5$|EX6T%>x$SQUv6#4M2g%0JSj1sTU*P!Q;kJLs?8(n zWBb~S=JL>Brq4zyxeq(4P@ysT^E58WQ}bDT^v0#@86CMO{mIm|g!sM?*HNw?fzH#hkC-fY9_Oyp*aAFpq{6) zf(A#J?_~-N_Z#;$tK_{SqHmY|8)Vvp-U(Yd`;?yq17|-hHw_YNe#)%;jn;>$<=s=@ zKE>z0+UD>v#AYrIk8*PImq0W7!BvTQ$Kwa&I&OMZ*8x(z+2vta->E1Q%8@oCN68>fP_hmi!$RZ>jbRx+>SSy~WKt*B{19wsz!+ zWwgH#i`MYBwhjRARu~v6(69hES#ewaV#)htJ5}3nk(VYTcC{N-P+qS2irlR|Y~^Ig zbSVEirp1(s8f5Pzh;d|^#zfSFuoZ^r0EhH#)cYYMO=QdM#vJx4oz`vZ+X7{zC(iz4 zK-LWY)HM5Uj!>0M(*J3CqCBBV=G*PY2|`lW&vn@Yc-p0w#PF}j%z5Y=GOM#@XeP;A zd%ac`8&RZ#?>(jSrjAUPwkgXLvI*-}Vn!Mr0)o<&bQQi3Z)HS2upIc3tv!%!=OtAo zR>u+dUXSX5c6|!!MakXcw{78+HrWQkm7;N5F}Ocg>e4JVw#l9h2=SGFc(G(nC;B?Z zJNLnflh=9KZq8C@YeyVuq{9QcP7lk^MUV;YJ_mmv3Iu-m;=fHOX&y2c8bs&Mw6e}H z)B7flp7`K{KV`l6tI3Utswmc)MZ9EwhpZRxv!g_lf$_Xm2R|qU_FP=F$d!8yY$%>} zER#Q^xZ+i3^d5!NX39syP{f<45k}-lU=Fl6M=x7~9JUGVs6UZWPNyy_9AI8oAJk72 zv)eEeq|c3B-x_$*eou*kRP)^KwhsUgvYl+Zk?fSKD;}k^`asf= zj}k6c!=28@S}Df^;m@@NIY@6`D-Cz~6&G3cfB&f6w^&ulUq%d$d>n>{v9Ai9hliEU z{3y2A*@7iQJ+tV=CGh4d73&OU6`My1M;5cGX0vg4#gCdT+{rb=Kj=@l++P=>=*izM zG7xm2+$$-+<^9u6jQ9P}_eZ0z)LS`A!*=N%lu6THl1a9GPg&-o3U6bP-a=F#UIRtQOIm*4GbX6q-}-7(^e z_FxuA0%-^qA{no4KLr()0@cQL0DNJ3sH2KyBIm=gV+t+lghUW}0O}p>;lZG1j5Swv zU;HJURF|v1Req?gkS8aWA*S9thTDE= z*=s6xobTgms^zQwxJ~Clf!{;LU5MNla~0)g`}%HY2@fo~#;3S<-j|T`DR@x0FUXIV z)eW55iFWms+QPLD5AU8`JvdiUs}9N?GmY&5`BxsjQgYwVG$9M{f`K{IuS=7ouLiJ2 z_vTx_=g}tG7^TmE_zcwP50<*B;XkKB+ zQyuu55poO;kUtqn*-?$q;XYGj}6AFvtupUr;U+imzqVJ1t*(dd(}yKy@OGl5Rfx z3X43!x5SQzDffOth5gl!k*)gpgKx`x0xhkd)^*gfYjY1Sb)NKVr5u^QfjZ~ zG*)^)7rd@Mb3WcrF`u_eakBR9R1K6eTL@J#+aCK8Y&l#=$8&O9^u*9|`m2EFPBU7h zIh9+5?NsuUPfsNbJa%t6+-WbKs{4o(J@TnWj5WkuglWKNLGD)j$va$E(c!7RQm8yI zC1uwA4PwV2#sGFKKYFV9vW}X&P0{@6>mQ2Ro)h6o4*eJ18u^>`%NS8{6hf}5X@V}C zt25r$o@--Y^7gOOJ@(LDHph9Kwzs{nh0;8a##&6-8Z8Bj?p#~ad-i-($^KP!d*=tG zD{@yA5-q5EbmEj6wGvJtB7H__xl$hG+;XW_i8W1ncVOga*TW9vE~$@h+Ju<77lxT$ zL}h(V&B-c_mkMh`S@fP~ro&66Gwr^aDdbP(!yEAww%@&+h^B`EtKeEKAs{`&_t6@t zI5!wrzwEZ%L%bf$kU(x^?Wqw1FS2=&HdtaH_U+-PmEjLcWZDfLHPL-d96L{8zI{~k z#H*TksvPNs=)e9dNo>ULpJY1W(cK3WXZG}- z{)2TI%gatv!mkO5T#@BQ#c5FxahgI=-}pYogPjY3qQ$$ZyQAhBp!OgRgZtKXb>$mp zzNKUt>b<80912~qWZR`ciP&pf{7m`V_`$f}rt@izOVZlF-3x*Ay6+tteWLz-IB&`K z+5>&UPBmZXJRSvX;stineKMdO{KO$0vVUWBpJ{1uqf*K|@mz-Gn;%o=+``Ys?6mM- zCM3@1J8nSah!-0z9m$c4a|{UNoAHQK=AT2EGp+)X$P%T42EFIAyd~$+mYMS<>^k2? z9Yj1J_L#s%KhK4+A|l>FGV*4yzH_YaKsqZbXGR;6%k!HzvoK^J+?=TD9oVa7~u}R9q9);nNOdtVWU!&&wZQSt9!_F*+u8!#Oet`mz9l8U91km*5&MP;L zna7_mh-i-6H!|mBMBz7n2RI*^v_T>0oN)`2=+UXzRGo#;51WH<#XCG}32MD|9p}je z|9zNDTM6}$kT`D+6Ze*qtzQqjvbr|#oWy6z0jLzurGHCy!HEi6mE%pXOii5T@!{1+ z_|appx+D8%!w_uczTWS(jeiQ8UC#`@n-xPNI{;oIm~YziPMHPfN^|~GXuGeAAzcxl zUeSJQza0t1pjhF<%=Oi=^X1{livZNB+pON_N1H?WYBb9#Ahc&^N(BpEr?GLT0xNO5 ztZC-ySElUmt~wB*c@1F zN#pkmZp$-4CBp3B?{7m-@9x(p#k||l*8G{Lh;d`Riy!YwQy4BJ&zg|2`v|pkWA3oNw@A&b-kiv<5Ki}dC}^~ObE4kKQblTnUuhO-OJVB%XmIFOSV>s3-d__wS3Y9XOQ0WDCh#bWQ`or@MLH1ppz!*6$Ts}M<->{ovvHQ zj)6XG4JUpeB+Y&g4brP~RRa@o6dcX;zB^dNuFZAK>ocTV4x*{fxZp= ze?PlAD|fzQTARVt&WO-<9EGLS{3gt>%Xi z@qqwTwqv=FVH~g0MA08jL{jFk5xYWS`C=a1nz>IJ31rRb;a{-ocFS!hcwe-Np1bX~ z6R!?wsJJLI?w|)tHfNw=k<7MP%qn?`dfGQ3qVcycV#2{I=U&tQ^wa5`uxs3eA=y%l zNw%iFoR-U$iEs?Sa*cTF$z%2FyF-%mm}x>kSel}N*C`#3#Xy@}%T_uOtL{ph^(;T` zMxoq63%DX%y-P9AO7!tVg#r!H3=)$?Mm#!YAqDw-Q^!^ zfn1O;jS92IIO0Aix76qfeCp2ou+{Uyu6f^gK3iaZW^4dTd<86*L@SgIJSD z;Fz4LElYM0T~EQTHpFCFY=vLfFwARATo?_{Hv3cXm7Pi=mw3K{gZ_kI3fDxZ^b)Vj zGl8wJy+BmH50b7{y2Ot*!dwS(dZIq3=8>y2wqVN6#U45#; zN^5=)mz>M*VXy*Q{af3HQ!@sc)(2ISl8u*}c9+z9XwLERlB>~-Nhr=g^O!#qJCcKWDleH9H83{T zLVA8jTx=Nj+0MSuUxr?(sVpeUGpkRYn1sx|j0yJ;6AD85W;ctE`?Y4~>uV?NDqFqC zzMV}w@04lxZIQgu4@xP5_mB+8Q+!8^HnKu*!HDp@&IZ#3%kF#@yKvl0WH<7o5f0JC zA(dvN0?ZD3LdtCK`G4Z^)V{@2Hyl!9dTwivGh}U#BjhBnlBo(hmvry! z9sXJ3`P&qNu-q3~@{MQ1B>@ADS+A!$1|n~Lph|=?0cDav(m3{{FyM29gSf21xAVe}2o!Nf@<(b$c*+@|x&-^0*0z zLO_04NR^&dx&Uu%V9=~{wQ*ZYdXbvw>`}kh&3tgV?VZlAOi?G8%=O}SJ$Q@l&-y!D zX8hjE-PJ18~1VT$U5fwz}LQkKJxW9Jb3KOWHrQ=o&11I{aK!w=5Z&lX30xg z%f7tuzHJ|a^;VE@2ybOi(jG6|4L(31ayo!;A^3_(?LG|Y9s>@t<+|Dbi4D4J6x~S=nv-ndU-M%W42W!LO zAp4qIoEwCVxs)Q<56CeHAR!x&cP5o2^H>R9+m4n}U+$-0J9l?BJUv*MX%usq6mGcd zu_H16>h&0LIO@w8Prl2ukw&6+*oa&U;E{btr$esiu>wpRR)o-bK8ol*d1i9%0s0cm zB$36C6i^@cji@xFzb1tWWVgMzJ>CSeM~y5KD`y?XnY{=z_xPzcG-qdw+tF%E6<9|0 zT7t?3#d_LaNynfqx85VxwsrBPqt{Cl>*X1LP@HCVZYff&ftdTiN_5` z@<1}~&w6;!L1t(2d8Ys=vSerMMfz`o)?LC#(KGY2#_MyjJpGvUXsO$olozvTZF#Ja zM#PVpx6kH!Jd~$GDLec0>no0WKp&JZIf<3IJNxAIwI`M}CN>qOLrT9qOx*rBd2ZBD z<>b-P&IFO9=N$)(=! zB6}3$3}d>5h=YK53x!wsiq+HQn?kvbZG2Bisn*n8n}YTgje?7>&vU}%&$a_b3Q&W% zA;zTM@>{9Nv#PtnO5J1@=-2^dX@Ee?eUjM9hvkpI3hVaLSqtnlR8WzA9=y37)#R9^u^d?6!}YdT8ALLe!{KmDI28ZOAeUt0?o%#ng}sP4e?glR+{o#nGdmPW`qm?3TQH?lS4|6@+#JpA|kV4vl$rKU6pPMDK~* zWgeWt39JYj-3+IsuCv%=lv$rjZWcc%keIOrXArG$u%2+(QcF1(zRtgTY&))8_s%9` zbN@;IuQ3Jl{hob`Z+^qKdIa<5JuKaJ(ItOI&VAFk1Xb{)u15UzyYJ)iTN&zn{??vnbHdE>gg~!fLJB4knV=#i_2ut^6{!w`d{%*%#yl|+9dH>}J&SR1JkvMMpjU^=Fibo% z4oh%y_jS$0g6mnD^`nVxl(wL?>=~ID-=cs%9NQ1-^{N;z;Eu8n5y(_5JD&r$1T_xh za}UcpPlwIp>amDZeWfU)1}#WG9TiR22TjTTM;|z7;_tCSjVS&si(wV{Cf%CLuD?s? z4b%#=vII$-EA<>kX_-1WY{(uJb`W$ULR(piGJo$$-sa0J)vu^q+uZN18EHA$u?K;? zkY4kzsBu~96qPb_6c}6Rnw2__Qo5UC7Qm?Q^^pT3mxRXfW>Fo2Ouq@idbkiE`S#E0 zaVZi5`B%i#G)ZJF)4B;v7~CPPWtEmU^s0AUM^0j2cB_TqUQb z58_ULm1ibFu}dcf1Cqr>TByc#(-Uu`%HF)niDea%`>~Q#pGJL^u5#W4oK&_Roq{8b zq|99%75u|j7$|fv@%(=SD|gX0Ik*B0V9RrW3X?xJ^+g}LwjQtUzFfShXQG68cq5sxapC3quEXU z5P%Pt-(cWR8ZBC$JfhL-8$3|w8vcM*_`QHT!6Wha(cdueUC zGZQNRk`7k*CiLG5#WR~d%}>IIOSWF!f5CPC zJ92x9*aMk#?M;P2c2mb`cDAEbN=d2FyW(EJqq%WMPY%$^Pd3mTlP5P@*8|%ZK+fGS zg)Jh@R)2u!dA6DdF-F0IJ}Ha73<+-gS@A-(>>vW=lBc*7>9uc255+h&ZhJ8lsuF~2 zHKlCZ+@=w94I%Kd!aJ{#|2+Jd0H`8TokxM{)xW4;rosYF(|r4I^4=>K7u|Sh!eor^ zI|=h9l1HS7{}pz*rxrFT9ck9|6$2E1oGJMm~JdI2S}_4kkC$i}o?Frkr|CzJEaXVsLag3xyZY8h!y4 zZFYO1Ul%6SQxyx1<;%iCQI_K7(QZQ@>7M)n&b;_0z7lVl^fcXzsv;7y$CCb=l)&2myRuDe~#1Tk!YI9V40DkH2MWU@SX|F0JSnbV@AW{Gs(`&Y4^!sYpK-s%3b&~YUHJnU@NA3LD? zyE1pl#8aq~Y)NHoD{e<C1?v?+)|xSp#qf+AbJ7%6WO& z^@*p~OIq(GZMH?ULO}i+o)6y6o>UIx+q}I!$K~toulvfRB5ux0`lhD2s!3y^?+kd- ze!cPL+0XkIurI{C7%&zH#>$r`)jI5F2QfW%eu_|QkPw__225j2gPZs)eDb!Ab%>Kyo|}8ZKA8mLcUJ9?sq85XuAG%GSm2Q zZT19@x6Xaf5;*`h=KX_InM29@sXU!&Pmt7L@b$ZA#GV|EjuML=^QHeE>6w!<$`Y}g zYWwNX!94!JczuCI)gO{&mXVQ(l8NX~wT1GRU$tE(<(rA|M&pg-n&SZP%0&^~x)2(# zF<0uS1zeo+MBy8dm;1f1_9@*!iPLGGS22}8CJ397RmrDuBNa3(C3%43H)w?Ey$$VB zn?pD3wrznef`yiIG$G|@mHRsdw;C>#Sxu@KZSzPz+km|i<*io-yfE+!YR#a0Q+Z#s zcP)F0dmN^l#y{5Pg7!`Df3*y5X!xn$qH(bP6Xgu71xbT~z&s8$wXp^#`1F0b3Hr%#HaoM;+@5F7V_B&O7lBKYGL4;!MF4T! zytt-My)TqIY2f$xUk%TP-L|>?Q7~;*pHotjdVPU~z1jxjpBk4y88a3m;?S=G3vH>@82|$3He8L#Y9s{H)8r zbnJ3JmNW=HiWx?^H6nVUjMB1dV%#jz;iNA_K!`d z>Wg{^$l?en>XPEQpm;|%>Ny}w=_w6F)+`>YqdF69kSn^Z^hqRJQiJw+>WBd@Da|Z@ zcP2kQ?yg!>PEVxA@0|Zqo(e#D#&&%Uc4-YI|F<4MweAgNi>?}ci{tJHfoC{hB;Fc+ z9TpexfuUiF<4iZdqslp~~ilZDgS>#Do2IQD|yaSF4S#6Za!hM(P4 zqC6QDD8$(AD{N9&>SZ%l(V|?8q!o;Au<>JK>fJCwjnneGQ5%n&C6EBWy6#P1#4= zo{=@t6fc`2zRePbQycKlp1>uL<<2WG0A!;!a`>H7;k@&)&Gh9v;{(L>+jprK5x-nx zsngNYtxpb4gdDFXXAia_`+S)NP^@QOeFj|U4N7?%7|}x&ldQJ8@kJOMM9)($Fn6}c z>VpXA*nR5g#DSQxgjg%eSN^{eDzYmkQq<&%)R_vN$%JI38On|ES&Lv8 z{s2;dwWBOycW@$0tLzMuNC4Zr9}rYy7ZOv&@^}c-h0MNsi&)pYPk)P~WxUIm{#5YD z`}(%d-95m2e8gj6|B+SchquOKYkM2jszZ+_ov<(W5*k^Oy+DTsw_y{)9OqQPpYDt& zFZNtK);KMPt{*L5Q*%FB(0oU|c1#R|57*%_kiLc65uhO5M%0s(y0T*(p(7*nog&!V zUJGYySb?3V3BCLPD)0j<{n-U_arEjUD}>DV&a0jjveQ;Z-aHSyd`fh9^Wp0wKs5~Q zW|}xTK$rGS+TAAep041jV&8oh0xSCSaI?mK914~@SnOatj>-|~ymBi?;LypFv*#?- zYoqMj%3cp!o?XK!eV&NTczGrOp|@uTt29%}Y}fsNq|0t9?ni@~DPTTN!p3SS;a9=8 zQ02^U+G!Ofj2E?$tRL?cxMk*av%ZZ37Qz{c9gIaJn6>_n7aZ(A2Bt z!#@1mB!8O7o)5=Y2G%mOukcsQej8sGl@10y-Du#+LV@Dx!5-J$Ee{$Z1UwJ=Wi_*9 z;LDf_(;NJ=KFCPa`x7VZH5_F5i0D7xRvr_N6$kWDDX{R>uLY{}TSW^Mp*X|fMuC@r z4{985O*z#D0Q8Ev&WTgb0`&`}!ikFj&w`fdQKmn6?Tg1RT1bjesJPAB!&~4us*nf< zHo|Ze^`m5NbyJIv`))x1A*I%3I>wye6!Y9$sZvoHR*>zS;H%DcOVHiI)w&Ik3on5g zbmcgJ9D1=s!^`q7zt=`z0XbJK(^t^>v$~XG=USU16@2>u1S_@HAoyzKgl#sN-Q@P3 zJ*Ykpm0M^O6f-XssuohwR)+l%jGloGL79J(u*m=D3<*i4<6{(D5?$)%h=L{_vvACN zMAcbRUK?mJUsF;2{2A}(AS2>DBK57ll?OzPDOdnBzq-7lQLj2+!Q8FPib(OFL5A<* zR$jmF4;@WA1yZ|ijK+Yg>F0C2kH%gU7&LnQ^tPL6msiKv&3800g#E&1~&cc!?jSZ zLvPI=>)gI$Gd~{2XE8>n;kafk_WK@_*mh!Sql7v8_yd7>y2Hzdg#G`t6VJyN|BI5` z&NQ04vtY50xz7o=6LaB@#}?3rwfWt`%m+;zN##0~)|rn#J^{LLc)r6zN2CIsYc|2b zIQyoEw&1~>;t^`z%esw^2oZyAYU!3Y&k9Xb@5!hS z5Upk9kvvtkS9!34M;sF>$C?b`6-+BGJo2M-9DxP;UidRj_I z69)6=666y6v0U+<+Pmv8!$BjZX;scZzRH$4ap9Dn3>#)VWs-zAA)?MQNQ_&93fC60 ze$$#}vNEyfkCwkwVPJns$U!KrY>;0%(di=zjlofY)Z(v3XuuO@3vMRxT{p{o4$+l| z1mhtfQGe@v;-S{qm?-MYq`>lLr2IQ6naXFH+p8`(ebn5-9^0Fm?jyx-Y5+-<0-7u= zNz7)Pn^bVfJEFUcw7BugEtB&L{^nG9+7j>C!zC3V%i*j!t%w*_v^yKLhU*>pOYTD7 z6iAEw`l37ZRm@Us(zc;?ZXB=qR}0sn>tPHpRoDYW>SrI1%sT8jkbnIYI7>D8`wA zHm)xxn30wFPK>3Y?n)G#PVA?vymGSNQA-lBbkhx}K!ojwbHm{6V_+`O);h}!NA+P7 zZ>CZA+xyN}r^_#rzcr_;hyYi)h8hFTnz6m2YxrL8nUL~YCvs!J-~*k}hyZ@6!8&Mj zX!^0NKz#M-n-$_eC6LN&>Mp#6%G*&QDms?2wiiCvw5jndovBXkHk4rG)0S?86_g)c zjeH~=`^)z;_3oE_%z4ZwECsr}3!cb+=~2mYJtlmK3pyxF?Rw&GWoGiT!QhSy=mio@ zGDv~}|C*1!b8B_D42WHys;q&+EdBO-5qHiq5`at+E^8Yvo7;-xMgwEN$8QT3fZ@!w zQ>86A^rXFLB8aBUOM{W@R5#4ZWU7omBjxyM@p`gDn1@uGhvDBc7Q($70wC zuMMjiL|=*Dg*Ks2E~BptwfGBo7iz)k&O+|g{jwA=xz-EStK5^fUdA^609*Z{mzYfm zg#9-2{An>x)~A{cD*=WbH-HyTY~R+*b7w9bE*8e0jBSjbtguG5Nv{e6^-9SUgZC;z zM4wpAZOam|PLrs(S2hmkO=T~ykTNsft^sA=dM*B=i#9{b{OR8gL#)yxjbM$_=sweiAnx$(u1!l?$4e(C7^|e@Aqmj{ z4uSVBo@zNkcjXZggNwMz@7a+?;W` z8HW__3L)cl0TnR)KWUZo;zZi;_;kLE0JL%~rE0#qJY3t2o0RlN^?N^JWBoIzIL*UxMq>!W) zf{r-NGRA&Nady^qjQng8B6SxR+d<=PV2@z+vB0)e+>Cb~F`}Tb&_fHWa$)#UkiH(d z()TPo*OQ@M_Z2M)$%R%27q&aQMx1(H6{?je*0PuY zcSrE$hqnKlzW)!w8_dbD@gQ`(lcQiV8$^J|`&8J_{WDuhW6iOwNG_TJbr~XJ*5Qs! z0kHfL-mFsGj}i|_ofm8$Y$!ivfKJhYt>F}Npmjv{L%oSV-oe4?;wp4EAuAlIqv2T@ zeAu;gDvMK53dATCv6P4kYmMd_~~ zcL&88bd_(#jSc{Xij6Rv(PRB6p@}0AYIIeOu}{f~W$#7;+l35)#R}ah$qOLz1;Kd+ zym{G%Fl}n)>QB6mRtNt*YyDNqj6qiR=SEP* z;5|UHM)0+Ve%5*zWMz)V6g;GTae_aqX;YgKo!IX3`||!wjqCbR7FYYTOGxr=skI59 znc(!|fbC0o@0aEPI@+jzOG*)ttpo=6SsP_1_NiJg7-)S3;5v$qC939oliiDpV}muj zRfoMLt>`m6Ln(yCZE#!QK_e6KrV$5J8R0(4nMSP(+XDkeQHzPwf2+K;$qUc6{;|KU zigZWZ`1F@=)Pz*;K!7I=-N!K`;&T?K4F2d2L@gmf7o5VW!PabOit%=9Q8C}aBXfS= zWWNbsfO~KscM~kV^pEMmkf*~DFa}vl{v8xe+`jwVr4c~HPyrLx3D1immS%H^fiMLW zf}zvXNyA~IHF5nLoW_Jqzj}Z4jux<`Itw>};ExREQpYQ)`Cr>~I3Zwy`hDH5outX^ zS(g0-!ARFFS11GZVFLeKGv+ND8k7kqAb<`6F|kfuY@}MS=usGt4xc0M**f{OHZyH; zN?;^3^*MxZ`UzG9mzjf@)~pmb(LpfS3S{kEU~Sg8uR)x4lkPPXc!Z>rKfL3L!!bhP zf>XS!X{f4#ka0#K<2YX;1En2E*embFhOC1iIYg&yE7QB5n1*4QJET46_MogPs3u!j zFs7S4b=+#Ryw@s0xU4Z4uF|K@fN|52Faagq^}&Ye7D$C+^zuc0hP4Y>`uWRMBR!_E z1saI=HcWxKyQi7Ai)X1=ovJ={`z;!Tkq%J3u2w$`r2ibGg~y&H-57I-nR^cn4(~}< z;{pzrjGl-?T8++Jk|g)h&b>_A%DK%NjKMY$R((C=w)9*__#v$(eDf#@2$KHwp2$5} z)EQ?K20%ngc_e2FGdV*g#5oP z<;EB?VwTF7h#Hc}`?{{}n%eHy>%)D#!0)xE?4Oux$!{=O48wc-I+C0Uhx<47;_|0F zr3MFz%o(7?yaK@GKr-hUT$?+plXA=JQC z`dyNhw%PjC7u=YE<5na2egb3)0u8pz6masYz_NWu^LKQ@%_!~ zm@5&FX}+Q3io;tBiT@{kNR=o1LqO77X34Kcm%Y&c=4fEY&Mtc7T z7kaHm*h|415^r{Wb~CJm^KnSoML9%WB2-E!oirAT`p&~Q&Yq40E8C~N9l@_;8CtMU z_U&(fXx>zSI(8oox-3Lo{5{C5UYiv^<4r8}lhb$7Z1^2tc#; zwt>@lAgZ_IBSfSld>At~`KtkH=T56^BtB;dsmb}4Ai4Ljh|u7IrC>FG?a%w-hTTgoKB zh{dVkz%z3)6Z$(C!O11z9fDow6R$Z4{!lgF_uApV7wK)d@VkA)%-zNWmI8es0|#={ zh=_a;7OZNXf*)+-2jhdIicLhB&8Fpc>&oL7-3;KO2IKLgW(-h4d9bNpA9`dnwn|&@ zKh`Oeek2-^LFeVE1US5eQwTJ8kY(keu4hqRZwJaeaD(SXw6`&eL?*tlQw--96d(QUBYu2qHdHf0Ec?{T-;;0s4e z`X?m%YrtKVJxVcv4fKHxq(=}e)R0l>A5fiP!F_T5m!2q?3lL0V z1O!#rD9y_CQ-cHn^?5FH3hD_$59Lzc;B0OU+W z<1Gwn3`L!pJMk{68tc%)67T(D;F9oTxew_qLjXymQNeF!t^a16F{mC6=~u1ac7OZ? zh7HqWJ8MA&BcE-c!61ml8BY<+?jRsO1P{)L6lyG$g!)4Mb&|4jIHbT9tr`_~rN@m`}k%)-Ky^IR0=Xuc1^T@UsI0gMUyD2Nc;E z5fJOax3Bz8xi3-}So?r%hP=^dfiOg$$(XzI*L_Q!GUt%N48MEbHv|vDpDZ$5wfaWs z5#yROx*?0_LELq1?J*JJEY5Sc)X2j7~X6Z%;^LlCSPJJr1NImNJ~$cznM z3eVd8FHwH$%8!_W=6i3Fqv)9Tk zTP(7<>PG}@2n9Ned*E}OTpIB-g~!B?kJeeyB>in$7%5Q>fWb1-IV_`3_ z6rMoAQ03;&MCn2Pu@*)*?TS1i}Gwc;ux=#!u^mMCG z1xds+;++g&7p#f53GImS8^|UX0x!<5DcjhJie+D!EYer`S?JNGCILm%5n!Xy`nig1xzr1l!}IX zl$Nu4P}0l#ja|j0Wbl(W@*SUip8$jSh<^ur1DiHd!-RiO$>@#+BX|l}s}fD3U>i5q z@t=YX`K8J#@vj#E0SU?*`yLYg_5-374317jYKazWFF>ILUmo_QH8g1UIi`RFxaJ3k)OrzKG&bz`yf;=~yRrIjwXcmP zI^iVn;d5oPn_&yltZ00c4H}#$=A|VMOQCUSR3w+$sw_Lf!;Iu2(*Cp0uH~-oTucRz z<>`173Ko6TwRbHnc(|spi6<_$k!6&dyq&IXrRwHw0sE{zrrM}V^MNi5fM{EH2imEz zqUohkPndD$`^G!H2B(zgjck`TgrvG;;pp&oUG~7uJoZ!2(V7|j6@uD~D4*{gpG2AG zpE(k2vq8j$FlqPG`a`kz*>|4!`#@+y0$tRYiT)O6^J2P7^H(mN=jUTarXm9w=7e{F zth|i~BToKxCD~v72nb-A)VI>!(96h+kDMV(O6gb00KZ=d4a$MR^^IZ5+|q(0nT`M# z3BZ6_q7nyv?+4l4E4(~W*dFzFZ-tgL`?q&`!Ht~@L$alWC>OwhJ2V03;Met0EQbo@ zgp@@CiTDIU<;jLKANQ=0+-j#3-0MOMx$QU#?tt8tw8V*~%YbeMg)Vt}>O9cuqE2Pq zd4o4pssZ3RS;UtB$5i!@21RjvWTagXCaAAGLx_BQW-xJN!c7eB28(5nA%|R(0Kg0m zxd||3a}iHEzNG)_rF>izO$gPJ8M~2vP4Grt+zhk_K4TYM)vB$antjuq)j($!EoO?< zdlX#%SVexY5@U^D;x6&J z>8V{;FVz)6rAL>B^JO(d*)(WpquqcX`(gVsP8;~?Scx(OpzeQHqk-i^*OKz6flQ+7 z-Yg8O=xku^5FSXjgn@3WcG5T#iV!ddwSjaIQBIWTmh>exj}t~kvx|248B7c za5{|-f+G6Rjc@Oxj5BTH`lx6)?Snyj7C2BtLHZlp3gCa?l&j#PN+UbxFI991lYPWl zfgd%?O8?Jx!O1`0^fzyJkXmi+oxtSjbTMeVen&_cz;rSrioPAcgAVH-#8%r152@@i z5ro0%EwYQb|A;W>)d_@mOaRuj2YF;>F2{TnU|U_`6he5JWv|(nm zmA}}`!?*VRkfUfyW9hwQD z7J-dIvB%RBDO{Y238_wbQ%V6_G_B!cttpEhlmnJMk&iW7%A{JVsz;~8b!su{T6IWm z&_Tfe9W@>Y!J=Ovs@kzsZP07g7;u-aVch6!d%gR@>5%n6eXVM?E(D(lzV~im?Jfjs zU`*J$sszOPLXiYxu7J5)=9{D#vGBpG<8K-oJNd-_?9eEgz3$5@S#AL7g|{;oIctSrPPxuv^i}>#N{=S$2@f zBl=4I!SY$<-fKjznz^5c;4Z~`_mGz{p(xKYWyY2%F^q});id^4JS4juNZbQZ;}+m9 zzTyPnv(ge2E`DG`*C=N~uO=?l&m3JmRs1zEvGm<(#|S@8*X@MQWz>oaxm8pXf?(38 zP|ET1h8=E|=M$}+l3l7@L|5~Mgkc$ht8FjT%174MQDE>7>HH8?gpkrtTyvYPcoQOu z#HPBwt8V>T9F?l5|7F=G7GIG|Z*hh3H2IJ3hIc>j{QVkYQ9Lj2@b!?p{nwTzZ#}7Hlu8bx&mzMD{IK8l1Q_W%8 zd0~}qV?_(M9tIZOT<8jU*ab}b@M?Y>i2rWb66QN(72u{PM_`B>Bz%PATkr4v=z4st z#8AU|BPk>Vt5`zt2nVAk$#s3G-;C@VMgS_A`z>C&P!Ol3>hAzrSWGs<1pd}b(TEu7 z@sCUhU>py+36lsY1F}?w#|hQZw{L)2Cdl$`K#=N5^c~RZ2Uw2;BGT%;((SKbR(}+| zc*Uz7{E@c!k&H>-eO~*qKx2!&dhQUATMrz5&8}F2s9c*cV7Vhfp5&1o?T^iO&iaEU zXr-|46#gL-s>HbU?j9)l#$9>^A-{=KBH@_#E7UIPE2!qj@3eA zqEhYJo9cD0VUUMHWzv6Ck#)$%A)VG=uo&oA%~hr(G!Jfo2myA28?txV-pfn21wN5U zY>52#-$QVB!ty!=TwYT%E*6J8gf}oau8yCmd>jSGz+{LT4(^=;(Sl#7AQj{ipl`wD z@obxY3IPcPCy*Th#yyp%>OLk`h*?a$l}UZO9);{iEe1JYX%Cg&J!CF6TIr(dBt6~hLg@(zO{mgP zvOK&)ksbc%lc3H9LA)zc;5^<6!5s{6(Fu|PxMp!==G0D*?`n{qSKR#3xwX&HI)Hnl zQPrt8X?xlF`QL65I`F-BUcdbd%{~%HppZynZJALBs8CCg;-5oJW%x!sGr~FTp1(m_ z`;kysjgI3(jNzS&jmLThZ+}aehs27mDMM-6eO%J7UZ0$=N`pLK&C_!?*{F}+l?AyE zMC8cOr5|uZHOdLJzvu@A0|YRdiqnqjMx9CJe%)@@m>oS;JI`YuMIhwc%)k`uC}I9c zUL}j75&~PiOkcE&1aI*)F-;@X`WbAy#Lq5^hsGa!qOxwEtI_}6yH~&oRXub;RCl^j zrNAQ`;q7SWtvgFC#&!~8?1}9WjBW2QOQ9X!c%t(g^0(+n=fD*o#q`Y{W*g1R@^&IK z?6s2R=u*74Ploy{&~Ge!lZgU4ND^EM>Um%v5WvYL5F|8Q^B1r3VpGA(I;YsW8+qT3 zK&{#)c5|e36;La>kP9l+RDk{j=a#4r z_8)+WmPS&mzPmTyc}}Wt8*FkUgb|&OS zL191|>F!cOP*8FJ1yo9uPDz6jl#)ieySaM?zvukUbMF1?J`6q&GR$Z1wbx$jUGG|Z zZCA=jbkH~xShUE&vPul@bonD7_jLqu)0%&6!$R9+fS`QkDh zV9st0BsbVru%==)iiT`Kf$|P`c)oR7LS8)bg>}_iKE4~CqpJ|5NFQ$~=q}rl%!svs z_rGk@D+6h-|7;U@};9A7b z0x~%kTVGTGRZFZ%6_yHV0SA_V<%L9eLaW_U7jMwTN85Gr}M0At6=jC$o zXNLIB@9vU6xi^eVUTLBS2w6Ohic zwd;sFb>rwgp<)CRGwL`LQaOaN8fEc5d1dp}Pd|t@-!UWDpd0)4JBb!mxkrLA3-Bn7 zs0h76+n;K_;Q~s!k1gUoaw^Qb?U~tKkrVlf?zCFNx5R%W6aCvOY2+24jKqOei4q6F zj3xaLMSFwis9?=Kc^#H{^W!uE@7Z&k#^doBd{*^&V1N+O(lFS+qyr<5zEj@Wh2F`< zw*TZv-7FI}>rOWf_dmlbPZIWz&Ei(PX0uRu50;k`njXNE*;0Env8AWW6&QEIsjB7w z1<&>3lKg+OAxN?}OJASMG9t0}OtFY-l-Pud|FHf3&6dRUI7JpE^AJ-(vTMs88p;Kf zp;JQvPRgJGnnhl3-&4GQ?AS<-KE3X35G5Yb=RYL11^@^q@-PQ0vjfNEyeC*|vX;!L zXynbj8Ziqd$DQjH76I`9a3;O;OwPyxT#!4-mH+dHLvTqCs`?fU+>1kY~%xg+4k-L4ZU8QIPwF2RM_{DLemW7DAq25)CpI zO=R?+^T}UiX264kE&>X4W|V-z-Ihao3YegndC^JH6irOqtN#?wi8k^#i}q+CV*V6ZPS0tA|KI!>n2(e2h3J*hRmSlzdz+!@ew<&8(tU;{OK)rx7~@WYMWEPYct_K!T2H8@SKR7uRVmMB(`edDyJ%c`7#oVe=a}oDXKaZS=hWpvz{$u`4PGku3aG%u- z9m5?)x^zTM5y&i(k@pnE-62DiO!?-4yi;3sxy_RR_WS^<2a(a|jc<=`&d~%)A)6#0 zKXd$p3$mEtG~qmFmeeMguGP6P)}_LdX4H(HmJ{j4?BN=XTv(fPYW(5x7^n<}Au~!h z1(BB{;N5|3Zt*Kj+)=6H~Ul%nv!74l*v3qk~K92k96$$<;dp8%HD%nXAxN0wgop)f@1gCZrd3~aN#E}#_9f#d=_LVjK2CyK? zDj@Q7-vwbP^i{DK>Qoy(lHMjW1$~!4-wpw17fCCT{Gj$jlx1_?BO2!gq67ijiT-?w zlB!$J)Qk^y?0QH7H0>5!Z8NP(Cw7hO4caGhjQJb#lB7MHGn{P4leqfGJ+B9z2L95> z7XL3YEvvw9l|~Gb0!-+cz|&VMC?jb|Vig!c! zo9wJ?l#Vp%kT3;@ngW4Ntn)~$mb3U?1&}<&;J$`l@i8GEUK1mjjVG~ffm5L*^=%4K z(cy0FTY~)vEEyHUv#}AZ>HUvLjA+Ou>u9dKd2& zCKuAB;^3LR2}1X_eLVS~2YAQ$_`yf*!_QDeTe3FNkb!z9S;hdPMVAkhbd`YV+DZH0 zd;l8OJ~A^GKYd3r&87x}O%zsQflS4Z{wsfaB6PC=pk@1CW`h zmmMg{;<~5IE?HZ|;^xo%ZAxuY;rh`L!*S9`XEmepzijBkcmS1QUHB!yNjz5qSC;f7 zHo@Ny%#53A!S(*KD|+cF!HZem`M$sFC5DhDjYWbMB@5C6#YsKkp!c&(+RcA52%2fx z$R83CWf|=7|)K^Xj4}4K32f8esRH@S62GK#O>S_!(cK_q|}BS zO!Mq3~Jj++$u3 zSu7?&PZLaBhSdD&z87V810787WV#n=v)Rt;5K9vRX2euh%e z4ok8b0-4AJ+0z5-Rx{Gr=cozG-I>rwo(KPkHv`K3l|HII@wg8d$FCdrKLME4ni&ep zKcDvKsVnzTvpP}HApt{c78XV)3abtG;KfZS27zOi`^yV0gU#Q9uuq1|O_C(N#52Hm zEL6-99?8ms9wu@YN5Fo?+O2CLGi(*uRFo7lF z>40?sh>Zd9GrkD@WCF4-0F~yj+JP$Z;e%z_F9j>Hn-=gdG9h`3y{`$D^k2E1B{GPd zO>ar51fLbN7Po~R7~M$vDBsG3F2~%q)vRx;4@ytu^Z!@K`0D?~u8m534hInEbKja_ zsLokLEYU~B2xl8$EASwax!h?CNdE{LY7s!RztIh~ZHyag*4Rz@n>E`QEpBCPer=JJ zcb@npboub+Ng!>u|6x+LzrFM!jKR-WY+f`^5n1D@tG?Y({*5>d6AAN>bU1*1zN$_j zq0{y$`HKJ9BtC_FJC5*_14;9h#Cm2;b4qn$bV%b+CACR{;VYU+HdDR8Sknmiz`I~{QND& zD(u+kXVTNIX{%8cFu+)^s}Jhj2-s)_YI(_0<*(g@YEW_D4UxLjLsg4K<`- zt!q-Hym_bE{_Noxiwxk5P&@tXMG`U@0fXK7XUeDU3R&fV23ph%a_aWT9pL#vA4G?t zGFZD}r`oRd!uTUN`YB<1k>JXTJ+;B9K=+spU~Kw@(KY2^ju_y+F!mScC-q-=d#G&* z-ji4uf)INQ2l(uOqm6kY!5d63uya3Of+b=P_=-pt!md(s-2; zPUAu=6^(OIY_)iq%X6uCBztVX`fJ{8yxuvJHGlgrdtuK<6@SqA31ugbc$ttby5;55 z@p?61=kvM~cnPpD^q4#SV4rn!yCA{V=--&;8Yt6jOH!($ot)-OS9j>-nXd@6OKH;f@xUJ0_dpkqIV79Gc*tqnNxA?<2}lvc)3Y;*6hI}wxyPq zsoFT5Rk02-n5kavRwCWXc6hCwgpB)Zvfp&)+O@eFFPX?)MvjVz9jwVD--=*xAzU+0Fo$Ftz zmXlRy>O1SGI~s{^SQ*{gf9KeJ1uDtzAC<)ntW3+LNP3IM>d5@Xx|anw27_x~XYhhq z5E&^@GLzOEQ4eL)E-2BY(tQCAUE5PN=n_jSkvHUVG6rx{rC7+8zyBY{(HYqO-^(ha z9EW)cBX6Sk*l77yMY~;(OmI|=&F~>^SR~oN=Sy%jy)lfuCd$8hpw()J=`6dz!weir z1TA-_IA3Y|H-9anEo(Ww!-<1wRrBWpO=fpwr7xuA^oOD2NVSm;ZEDd~woC0_#wAz! zk+6BGZFXJ}w;V-5DCkF}WKYx>`ZBokkHn-v(9a7)vjWwwMD5HLL~sP(6CJ(t?WeL& zj&8MhZayM}+|2qDwC815W!D=ia|ur@y_QXNHK8|vj2%fx7otT0a!0SlS9yUG#_YlY z%94ilf83k%1KGg{**>5||BCg^Zh-Ts+N_THH#l}#>ch3WFQ(S8@c(d>0uD*K(4xmBNgc|J-Sgd0M{(y7?C)A%QH6;H5|1GN%_8ryBQ;3xm zm0?h zR1RsOSDWWU%Cop9oh@>z3==iq@gN%{j+*>(GWW#g$iqVku6-z#XdV$VfUw4J4+s&Q zd<^cZpim2n0xqj{6#Tb<%D>h{H!N94z+pw`{)Q^Jg(^>S^1gnl_g};DibUI~DeVb| zk&lp1K~p^Ak^%V6!G5wErWN&hE4W5ky4w7FjI4r*o2hd&1?VoRS~3rcak1t=p%XG@ z^cMh=2DIDkqXy3U-RFcW-!%E$Y#1x7TSp>7=+%OB%Pu`Cki8c^jd1I{_QcK72&oPJ zv^U)ui9;+KG>m_d^@K&S-KwasFw>=BMB{3Wm;dd{-h>AEIr)CCwco&TER@KzM_prk zg&RnU&5$g1;w<5vcfw0dghCqS&lM2ZD2P2sBf)^RV*Tp{n9uq2UlnB0X}8z&@Xvos zRX%Ob-UIE~o%#cBmCHUeo0iOjzjB|zN-7vYtI;rMhsG(uK7-u`^6&KLLW-EVj?23n zTT*|`_ftJr#9Hc~f+JCCG4x&^_i6@Bo)xB08)v)pG|Qei31&+i+xO*~V%09#w`W~> zgBw)Z{i@3S2xSW{mDI#T$jP8n83(TQ%khFbr&8S(n)bPVj<=;mUBQblMM8<_l!@h%M*apwRot{2b`{^_5XEF zUeP5ne(<4>)_WJEo~KQx|;M_o^zEkoXrvP~{N1Cxd2D;gJGY`$fai2!T9HH&?6?LyZ4=27-$=~&LI zoE7k$v;TYVxK_$ycDUT}<);5xRw`T(vz?=JNjBezjWh|1OGFPYFqw`3$AiNB2R6qm zWui&^4A-iZMw(5lJs>>BTrpc$!Vrm%_D9gQ`FmD2qlB!V`|Y%#5rmnd!@-+@TkXet zxsPg3<2AQ0GfbMs8wD3Fo(Aap41Ho1anhZLd+hRai*MXA1Tq!uTss|jM&wH%*LMa{ z)elotlD@3F!;twQ66^h1iBh~UJ34u+C^`Y84gW4Y_K^7Dl{dZ~yh1bnKs^-e3o~g? zD&psH8P~6)cW(7Wqjp=7Ru!M8MOxO3b0E#Ge>8C!a&dV?-G-&rBsE14ZBI9BwH~eX zSXy(kB|H6_<`9Aa!s8kq$q1F&^(*b)3Vxk*hAUfoaWgJMjVOpx!gFyrINeP%JK$i% zRJH8Hmo-Wd&iTlp)keFJe^PtaXPhk1Va(`Hu03zkR(PiW; z={S-Tv`Y45?MY_QRBF3rm;Kd=>RHg-eSXB>U+E5Vxw^XDXH0#OPdOhg&y(cai#3rD zK)xOp@l`I`va^|5=zbXcX+{nU^W~5S^-8OH@YtovOtWfzxO(ZqqLW6eHin%9t;Y-g zct_!Y7g4Z?&i8+mbgs{g`x06_DE45)@C#R%@1uz9-?1h{u(G|#tox{f~7!Mi5@$fSX zWzXPqnQ+6F#O}oD8yC+4PFF3-3<~=%aEVXH94Mg+`2=-^r`ea6@ZtA&DFTidsw6dMTt}@4OzBmZ> z6$pM^>qumlC`@q?DA)72a7~$z=VdFzG@oIS_BFQ4r$=@5`fx!-FiQ?H=nbIw*b{ zndPqRB$?QNt=}@Fg)|g$-?wsu#fi0{zlO@1 zP8AH+57s!N@z$$`Dn>jmmLSD1q(qlkmJ_mnGm`cAN|MVlhp5@Dv+BVHRk>e~d98Mk z_ObwP+}y9^9_ev>1+?(!S?MS2-;`i7%* zm9X;@?K9npI=aUr&K;K#F?#h6@wH>Q3~Kcvt86{V-Cl;iNVfKxy!UvN4nJ9*ha&di zf-nl_YElis{Guf#Y)JL?%%UQ%j$aKv4WffxelO@;GUz?V< z$f@8dVm8r!@a8B_MZ?b^%Nv;a*&KTiQLj0)AOK`WOj zYTLv?!6g>H^>k=xXlFo)#6f}%^9AT>J@?8!rxNo0ritC*dwJ~Uux)b zuXVuVk1Y7fp(Nnr_?+=&iyN?Bw=7OC;3#k+(n;m@1BFn~&=C*( zNh;Q5lP3mo@M%)fcXAoCyl;h!)zPDMo}8d7IQ1tNa8$7ZoOrr_QF13UK&R{StG}f> zcjqQN+Og{N^bK2ZJIH*{iB4TznG3E$MW0yy?y?L_)Rv=G;2%ildHFtk<*bF6@ z`dlPZ{`^=n(7A^NKZ*36d&Js#MVKon**I(oe!fi1Tm0oE+y$_uY_Rs8+j?rie7_%9IgHBe$CC*a;VG1 zQ_wFKVcVT(cF`7rJAXLgdh|Gx-%574+-ll8_ubq#|NfcbRf`<&wlAF6{=(C}fe`X= z^{zcC(RBidf$n9)dRel5)Gt`F_}(b>1FvpXpnlxyp^8c)ePuVLn1(IdekiEJxbaZK zO2xq7RKQ>(rN;8TQbaKGiLyMaU;~mPC*w^>EmrI-N1?Z2Fg(WPW{<9fSV0+9a*Gce4}6HV4y+pFj$f zsV34fVu$St)e2Vss^60Yn{AFXZvc1TX>|vD5)+k>>rj^A3lz|Y-2HaS;5eDTk zh}I!^L9?cofEE=EPkGeBmh6x9yN2NztEaI)ho#qP5LfVsO0|MCXzf8G=8|Q6)h~CY zY-R?ncAZYV^MVHfT7SGep$msRvF^$p9X^rKeeuP4wO~OoH6ME4xpq?1;`s5QGt zhDFk1SjbJ9u_?U|>KJUvdMMwkUJTK+)qqi53+rwe*%J8O3^CH#OWcLK*)w@iKE|Mg zexR+y0i%||;B~xY(gD}3m6*GZ2`oG|owBq=15Gd5{?y%LBx{DKJ*7cJ8Gd^uT(lu; z)S3EysN&tAXO6d@W14Ej0qe~(d`faIXv|SqBUgtyyC@a~H2iatDqev+OGGB~+ndzM zR6upfqtT*p2q5@X_Z+zJ3kj~(`kmXHv_>dazAo5JQPIm=LWwh2V30a`51GK~D_XlF zF4g6{$1w}OBJ_Lo*>au5!F?OuEmxOxpDuxl7sf#lFZW_}Z8Qeeq0ueV}Tn_D-y8VQ=8h5HfIZj8a^FJ#*TR_$^-6(1%G7R*YJ?J8EG13gkC zR|j?A8^7X#wVl}e>kEc6OM$YsF>*rppQC|=5eqY&ZV^z6xJo4Y+scWwwmHDs0*hC} z@hKLI{Dpii?upR!-crBq?3XC<;PcwUX^7aLPz-DWI2VU*&QoyK+rL8Hm%WbBF|MQ8 zmz-|BPYRkt6xJx!@fQBn-lyz?8c>;Ito(!Xlv}KGT1Z`cQ* z5CdwUnS?fA9ylK_MRKZ%v%!Kqu-X-~0NuOiO=;ASSrnhT!YITdKktv5nX9)_z#S zFJC*-Kh*kuAq!|=rMQ*ASSX_Inf%ylw*zPPGF%0s>o>~-Zk19kzj#S>Vaj$l|Q^`T(K2fr3qK}t*GXF*#@ zc2_V9a4XCP;ZC|3YLVkHa>`BoGZ#ljQE2FP2Sx%G^i0OJ0U z${`vXsP!KfFa;el@%_IBPK{n4iW(ZdzUN=Qo2_mLS$UH#@USO2?|{A009+^Hd{n|y z_Th*~r*!JCgULk#uHL7h`Q)=5XVUd&Atk)7=bG+{Zg?D`;_O1E_(YC6IzKpVj@LuM zh)Vv4qx*Ffoyr_mOpcP8+Anc$9k3e=fJY$@tXmmOHn57R&AAyBU2Dk*Rl~qnfn6Ls z+~iwkNGv`qkI>uRg;p=7`Q}2;q)?~XQOtL|G_q>#>fYE$yJ{U8B11MWB#_> zd2Q10wp*1o05o+ydi1;Xj+5K2+mx1*o8rR?R)HSrESm3R%j-xGz5=lM^7z;bmA?`7 zycrUB_-xqMT4x|X!-jPK;lTX^RNtvuNcIvezA1|hQjVl}=K)Jt^yh}Ut2f^$C*3F( zDpA9eLF-Orh**FhA5DjR?igSZGW=jFxZtMYIM6G@X?wLWEh9?VP(b^xca`qBwl_}$ zw|I}~go$`6Yg^(ZInT;Zot0ykotuUBg}5F174qoA#m3mT-x;Y^=Bun*+cJRNNj?BZ zn>Wx}jsa9Liwq^i?y)CuV(=pdMeOH+nQC0eVojB#XuY_~;7{Pqu{Z7=YGRaVw2B2j z*DJ1ZqS?KDlZgVxnO^k3s9>qF%bUmP`B>yS{kW!7k*9bhhDjrJ;khiPo*b^DtJZPg z;rhMdrs5YH25_|(rFus8Omd+)oqm-;;R0#P45 zRP4i2J%m0PAa+@>5h$VSTQ`2Q0c00-jq|Bkfifh^-vQ2xH1HL-NMXkajG03N!OZ+J zPW8FGBANL14%6uHK@fi?@3XCVgP?K`FUA1Q^YGG(w|>v=d71H3Zh2Hb_Ksu`=PEG7 zaA22=3zWI*lDg+rI6vyllsIGkyM~;BM`WOh!Vq6Y9q*wh zEKK274X=p$g|K~J{#2)b#+%3GPGLUN!DCNGpFSm8A8TNe@K})lO5V9X_sNLg5HUNt zGoMUPfuO|iXY;%TVkWL$({v!(NcnFB5SOiJ5T`cCSS14AM=E>0zm8d}*pWul7Zpf( ziX3nCEYeaqxemc6mnTF+sVrE*TyGE4$6^`8hu(9EH2<66hEHv+Rw7;qQeNT%L1 zU5wX@E@tb~!Nb&X;^K906IbO@jQG@0H{WDh&j+-zcbD3GsIN#qI~pE{SnZFHYh|5Rb`w|5e*4a+SVX+xreCFM+5RKz;*PVdhq{(R<(F@KeN?&D7qNg5E-tV~cM9-3pJfAzQLJM$VOG870 z>)$d($Pkaa?+XU@$di1%CW~{wqSO>~^HYYF{T~#yd)1lJOieNm2&SM%=&!{b zV&^$^;4JZ!!p!XP6VVo_@;}LuVeilXAIKwL8|J+2wC?|?Y+7KjXUzI#ssaw**~7za!KZ+{#O_Mbdv4mY^AnbV#>W&MO1TQgV^w|dh73)x3*hSa%Z>s#}VA$WG49L^zM-J zICNK8%?_-02HU3jZ$k~CLlWjgw!d{0d1>2uO9F}Pn9~EJFuzWdy0ENRQ-~5kc5hrg zN*CFC7kn8g`Lf)6UZOBPVXjwT{p+O}F%CEXGx~%hxvY|l^LdjY{Sq6Aa@n_i=k)!} zB6rTTb|uw=ak&u$ke?iSiP50bFk)jvro!R7Xm7)V#RZ>a)&TD$hL|M!PHmsVVQDTG zhY12!t5dm+*ZOeM*@p`Wx~wK;=7JNf^ch&spMgLp-FSEd_dp((Vb0jz7=wFr$2eCp zwAtT<;o-?9)h=hqe9lZT@@xBw`d4X7KPA+>KCFr+T2U$R17;~2mxvoRutv2Cuw?s) zrxy8YglUai@yYGn8X1K_TNm*csUc$7iY&fDqmNwwzH;%J+!SwHrH#Uox`^uzU$Emc z{uEnOPfqj{_qeP1a6>Luv%JCROx@$Q^ynGmhCOFgw9(_=^Di4VhfcGlH@(aU=U7@+ z8jriAj%NyVKlPhjoiuT90Uu_y6deEY(VeljR!IQNM3L+;KF?3b9TsqikECXz!7F+0 zuu+^5X*j_vQVC{!L~(vJ8u%Fm1XT%R98e@ajo>*0j!b~n`ejv{DZlIFN3Osi8A`Z5 z9>=1PItRC^epo_%(UOq(tFD=N2&CQA|IwfLm-qL~NK}YJ?v>CIMH=t@ zE>@AAtQ!|Ju!R_kyfIw-LM{}+sl!L}J|fI*{;>1(EYBR@uYzpt#mq5~40!D*|2KJR zfF+7t)f^`PE%A9Iw~7<6B%w2X}7zr3$eqfg}K=~5XeK@xc~;RqS+ zjYW9!fN~PCALG^8A!q3ZZ$G4KqvliROJ|4LG7IXBD)}5NkJ7tIG22Ja|C((^ex08l zSiO%AdB*Sh{%?@p*St5{c>@~r)4A~@)4?O6&+BqSB3F%g{UW2^z2Kc|;BQLJn%I0w z1<(%$Fn9yMvc*FxC25wA1CKSrZ4R2qQf5<&4hF%r-W$!-{+pKif722J)9QBBa2!`g zFy9`@uHpzYr9gp>i}4!q%7>Y(Zx>t*$R6QLhR#{=c^9_$u5}=x{$@uYFmpmL1*P?` zf@KC8JVr%J)i^>%OEf9-GE~mRyJ|pb4B<4izvI0D4mgUWtZjTpOW)749a@ z6*!>}pP9ai1gYR9z?tl*7%{yCyPjyrHMLII*!t2sRPWd|ECi zM_Dr!7?H~mL(J5cnB9;f6W~2uVr0=!<{>gr&=xn@A*msspvJ-%UzJTzyArS|kn2gp{EY@97J>j@~yfqWS2%;H7Dt0^$;!19`g~>dS~q)`RxKYdo{MQ^roV7mG+@ zvG2YwVvIPlYy?_EuJWui9TF z?-UXRoh$6Gzdceww8dEfZGs7e!DT`KfAe5-F~T1hjIa(&iD7D2Oxsb`0{NMSpui~n zzq8giL^YiBbI6+KX?*ii|EmSaI4Eem#U--cf8(Fc@5l+wJmR;jdNVMi8^s8zyt3>l zz@~)Gxf{VLuJJS~ER<>!2B`e>a1!ZJ)3_{&JX;;v0aziw#a-8Gl2Tt(Y5bnUcAQSE3WP<`Tsx*ER9A4wny?tJrZUB>*)e`B=7=XE0N1BT;d?eF-_||Pt zL532+oP2COqN(sXy+VWBNRQXfQ?ULuKAhbEo}i3~Cx**ZOU6BbS#k-Y zaDwmm0;4n2jQmyDG3PZ%wu$a)B($p|5A0qB!2Mk0%4cJqlW`?RRz~u%T!OWr<2r7J zz>2M06&uqRDc7g+f8+mNlm*Ew;Yte~OO*GsW2O44G>SdK3AQ+ZUcu+d-80#zmuV}^0{xVuFsQ=C%n6Vd)HPT|LEX;J;`$C$19mm{KEAJ zVA$kAQcH89trzzIY)Ik$DC;SraNZ2ga98+SYeq;jBGvFdGTCtl@G{rN{sz{c#t=c_ zD8&dlDv(?me+{f;YY<@BfqT5?!7gZfN`>yd6--6DfYW;BK8881o7l6`D;@BLN|o3vT7z^Wl%hk-(;|! z$viEEWTqegu|Ho%91)Legd&wXT;Tfw%#vVk1NPv>Q%1twhC#;ZYNG6gpIxXN6>{{X zk)abu{BhMZKL(TGye}IM4dCiipa1>QA13y!S%34k?p%M=T%7!eP0r&j!Ki58Q^tWC zA;4AC@}f-L<+Z7s4~hN+mm1?a%cS(qYb3;&KHczWXptPPX_YrW2r zKh#9+bRF=k=Ri)c=dC9QF5b_l4ZvKxsBg|*c}e@xhzGH(d6xJbspt7(AGOq$awliT;qEH!VxF1HAG{O1OBkQv} zO(U9{Xl2WG_E`37AUj38fz_9Tvr8Snre}+_%xj2+F+p|l=3E@E%2(bL0 z1p*cfTmx-pd8BnM{Q_eAQ>&b73J`FvNv=JWu*(Ou3Bd>vn9G9-jBWd~0spr{q$ zIMMKlk8b8etTcT)Z*}<11u%OfaU>ek>G}yEXkP>Jf=w=tgZWw##3IYpA{{x!-mku{ zTNdPO_EYVDlB`kp0lO#@ER7U{8 zoEEIhh`xK{=N|ni_w#m^``%Kwd)G#(ppli4AULirQS}te_AtV%$Y3Und*0qk zoY@j3OF_v8w#+C;SHXdTIkzdH=OrN8o2n@>jZjqbDD%&Ys8!B%X0u$46Ezt}DGJc) zIOW!rB^lsEN}GoW?H^S`b^SzQV?twbJ&O5rX%pxVHT5wf&u_+D*m=Du3M1zzEPMK< zE5%#YUGd;n(5pDocctZcb8pomYy_J*-OlqiZ@XPlx~c|(KQ(!F(F0T(U5U+k{@87Gx%Y z`hXtmpd6d8*v4If+Ly-)yeg0p_=n112lt^A;u&CyRGU z_X>&h=56xsNzJ5_gcSrF$nuI3H4cg1{CP%d_fB2W`RkC|-ux-&oDs{{?5h(3(ta|d zNQ>KF_K2_Q{fn0p-Pnbd2F$&@Qs?*c;oNBk$KwBV#Ja$0C?>5(?94{}y5 z-}I-0)Cdxf3!v9*S&=*6`r=2{)r&a`xJJ%#$v5FmE}QQSXK4974MQUCO3=GBe!xa; zRHPSq$TqXTXZa~dZh3H~>MYAr{C)2RphkoK-XjI4cP^lvxYLyYz>(nxp6xrcehDid z$ZMo6EFG*i^%d#4fAL)0OgYjl9epFG=XKk=+)&pk0xfgm-iBu4v=3=U_WKs62=CPD zdeYhZ!(LQx9ki&o%*oybcaxnyXt|ddebt2jA*Uz+FLtuaoZ?**9x+T9V49ZW@a}DK?bQr`5-Y z1I4%9E-von;*djsUlQPPvJ;;ivMLVtMugH!ls4-(f@};x9tucL7D)Fi@Pb>Uqx&e_ z7!9NyJ*hKfhScE&jbb$09` z>NG6)4s1D$HVvcW!2-!ra(cCt$<@$|6bYAJ&9Ik2PZS<(am@7dqmiK(nvdYZJqj+X z^x?_Vnnr^YR1IjOm8#T`G#{m!5ieH~Zac;H!Hd=o%Tuo%(iAVMtwg1UP?f5WSfsS~ zove}DJWLt(4{J1l&CL?{*q~h%RL0fyRgyvjWrjDNA2_Q4ZcYNp&7mB`D4E;o$#a03 z9JO7BpvEs*JHx&1}>!^iu3-?d+gV2tI2P6J6 zOW{0oy>3Ic_XN*7Qx&A4h5Pgcgaln5w<)aKx=%TOmi4_j?MLx$rinPb2!${FpVv2> zCmNa#>NMc_vRi8-#+Su}mz1M_5*J_#R#@z%N9K*t1kj^$A~-8 zKfGf3qGK&=nD#_{x0o(f0g%kavhk7w!BU_c@L>I08a!qy2xbYB$)i_&8Fc;2R4!Rf zfo0O&Z<-0*AAhh7yri&PELn!8A#DttwAxO9L<`@o)Z34UQtOP?8_ba_QsGy5)QAWhXrxgR%YH3x}FL? z&I>5IkL=R)_sWab$R9O}nKhVYU(d&!0e1c7xwKaeBoz9YaNiGdtlaXJcp4Oo+WA=* zzhr4t560(CA%M(DxLG&kWYn8GyG{@nqBB8;n<&_%Q=hVf?eOPNL~lbeWO0t286!+E zJvw(F8NJaxbEM#oC!P`vFE19!Ku?5Q8+h_2S>MVkn5Lm(F%G&da2KXZya@Y<}_g zDbffc?V#U3;P~qq0LMF!8&!1L({w5)lQgI5w z$I(rhiV>06{#--vzrd#(zqVRg`4U1>&oIwwFxYu9C$)EV@KVKuQ?=E2M7ZwvGTY6nMahSq~cr>;psWeM!fiV?mZv1&1tuilprFz0F> z^X~X2vuIS&)wuuFMaM-+Ef%k1H8@-`;^d<~JQglhRT%*gkvN{PPQ4HXwBwWfT$oX@ z*|fu}Ch5h@ySksr?hkuDs<3Z|FH9z+{>`Jk)*$e&=rz^FJfL0j>|)0Bg`Q1-DsN7a zKD>CE96mH1= z!zO?)Tyj(5q~b0JusOaVj8GUeI`fdh|9DToS_Ns@Vy0zrUiS5pd;I7kWD_Ae{~?_< zC})K(_b58tAcwwLv3-#}H1f&E`(>Nx=DzPI$C0%p@)(t@|B-EFAa(w~Grwb_2XyfR zr0RhcYj5(#ziZm=l4q39Sg&{Af$Q;SNgV8&t{aE4f*M35!UtqBh|)ksklvBj@R}4b zDkkt`{0&n=tq_CU*WY|#u9GbzCRZOe(DJ4}U)~k-M>A}psr8Dr^MY<%}JhXDtg>GzTx*hWL@U82A zRup7nltEay$mY3s>sx_>2Tv>wb0>Is$KVj|+6deF3${jL<3gRd__noe9^^m^SG8KskW>!0d} zV%ex%7mo_DO}_JF&l2kjf3|rT@jjDe6{+?#Y)i(hr!plOh?Gc2JQX-;d9=RI@*cT@ zLL~NB8>{gAxz!UoHzS`bKRQon58ckLT_YvChzK0}Q=it84`!Od=wF3loxoOfP?8ya zGsLZLnw87#y+X@WyAUZLXCg!S-y&h4BEswtLXEOO|$+#^2H*dUuCHlNLl zvZ6}Z5^?T*9(5hfh5f;PJf#8uRa-4!Az!>w;m^=%v+plYwsDguqcurtCyYq zlUt9f(7Di)s0`l6udOT3m!nIBVF5V=%25A^#I@r0kn%e+q}wsrhNQeNqXk8B3zPFM zNOyyJsnerMa0X_oaQ_7AiA|+(^cjoP4BtYu`3m#9PH7giag#4uP1UDMSbe)*^(hCxBFFSr~EwG5yrT9LKoEwB?8My2j9#-43xNE={L;aCXQiI&;JEAd7kv&u@dJXaPp_8Au>4E2O zdcf}UC_iWW89bvjDJ;LpW69u{m9w>+n~+ht;wnFmC&uknj^Pq$c;)xqK*lPXXP1;U zhvld77fB6qwpS5pvRmj;cUI*x@gZI2#MQzs8=v`QPUseA{HRJ=_;+F()i&X1M z6ro*prfpp$|Az;PR8Th8@CDsu%)MqNG(SR&9yD2cy!FWsnK0LGU@__andCAK#3Z$&d8RR|By8u7w!%ow8&W z&(zOS)l8)Qc(;AX90<~hA173z7M@K86x-cJ7TW>L{QUAU^=~Y0k;tf9n{@2Egb(K~ zW|YPM)LOAYL3Jl;8{%vIi^!aDim3a(IsILAG~&-G=dJnU<}9*kA@Kdh%*57k_eYyU zI!~ck>z#|p56Mbh-q`WzEJ7LVG8C1WD;`>4r_i zT^R2@|1<6x=Q@Ud@XKE7m-Cs=oO2CgQK_*qd+sAPM@n^ZhGi;WeOT@D)7F$+jCE%j zMZte>O+`^v)|gBYU!wV$3)qILUw+eoeJOl|ST?VbzW$he~8Y^W(yWKB(+YoV{D#JP3mQ%>IOysL+ll84Uw1}*gi;yX&e$#jkz(!oM; z$X#p`%{S8^10+*FYIfl&`0r^eO;2OyYfI|~mP-OT6@lb~aKuaSuUnMLCw5`&SW&-K z21X2N&W0WqA1p&0%;kbKDurX(EvC6J1Ab~i!iGbwpBiaMipuKdMDWG+=meEjRrR|) z^iUXWdo1Npf-p0!nKRvPls$~}pHIb5bg0Uvj8%%*n_ECo6MYQ(+$W~qW>I#>#Bz7R z8hL)jFhSS(-(?f998ML1wV?1^oj3fg&TaR4ILODtTjp4U;E6`cQa7Dqlx47>yP}?(bQ~OhHAvnW!l^j2p z2Aw^|8iA_kP1Ns_?4?u*YvFV*VXNNHII39dpbYsaw&y#%%za5SlJc8wNq#04pAAu= zD|WEV*Z{8>=SU{YtCzS<9&7G4r@yAn$~S}e8k+qlbp7aC2s(XSI(6I_jM7t`%^;Qm zTw3>sV(w^7MymS#F%}^&yE;6Bv)$FF?)WoKtLj@u?9aSL9~Vje}?>Sb6DyP~S-1@a#*uRY{ZCbjF<9*&MCX zKF4Nf@RWRri@rGSo89sdhd4?epCEat5La^=%Os);Pw8EX;J??vdc+^TwDLySXeamj z)+e_Lpi|=PF5_u%Y^g_`;u!5F)4(%zzlpxeADu57x4G}L7IgE9>RqoJjyl4+MIVwx zzdnMuH>HP3tS+}Z#c9Nm)2z%ElJYtVMt3yDPh*k={mwq=Y|9JTkt6?J(4z02JG!;i zjEwj|i#lp_AO2}?)!-##hMbDO-)%brBqfrp_l@;kcu5md+y&JP^>jWK+9n6$Xf6y~ z&X^H#cZtXvC0MqQ8n-(rYRJ{2&4{MTpwr~onvJ>ai!@~1O5u?i`k^-1%mb5_oN260-n4* zIGLr*0lzjZ!bvdKIj?e9zt_Gzk%>1A(rlwUPV=YBPe6dtARqxbx;N%?6bD&t&WZ`W za;S7T`t(EP&-L8(Ul+IxAm0B6Ftq}|#uu;>Cz}g1=g%3#7{V4c$h{r?(E(0uN=sgZ z)Ej4Z`buSk`PzcF2AkJY=ZY}8{+T$W)OW9={f$f4I`-f{L&p_B9(S^W{+n;4{@?gUBD%33 zCTByr>CKbpY3zenj$6)0`^f;+VaQYBKY}n+Wvv#T{(_8XVM!x_@d>J#Mf%yE26DVrVDPr&? z$;;tAIC-xgjFkRdPt+Kwzx!x&$KVH@LX_@C5$8WHqAZ7Z4?EcQj)qboZelS6fZQpH zsWqdp^v)R1jW$}d-)d5Mp-f?;{zAXn%Zt723xY99h!u_iB>Nclp9=YHz&n@w z-4(bU=d^zHg#J0YKeO4<)JN0d?CsYA+q$nr1OuGUoUL+KF(=G#$)KZ1#>(Z= zc9o#+>fZ-_9E>OX{sq3lhE6#j?xZ)OiO2oH$}hrh#`DgZuwvaaQ^#=$+T`ek_b~NL z0CBFub%Dl%@0s&Me=_vbaX++f@}3DEJ@jP53yW#A>n(}Z9fQ`!;W zG5|l?-x))ZH&WveA)c#UF?hEz{Ta?viRan@htO+!7U=TH2ElQl!*4hNyjI&lzB*B3 zCkj~O6Bd1L+nH_XMLwrb+q)V-Wc>T|#!CK8btlkqUcb$fky!W1$hPDIF!;~NH!E3! z6JbGFZK8NPUsz_Xhtv17Z_cy;DPzkNYgmqyWT7*`*il%?my%n=>tCfE9Ptw8W#!N` zjPIuiypw$jmvT#4B(L$D^@A)4Cwc`m1B+Ka2Kvm}CFQJv?4Z7F?~+2jtA8~U_<_}5 zB3aX!6;<8E4#o^^>hPR--7-_y?tyJ=wW;IW;F09yP~dS!sF9G}caF;U%@fR#g!S<& zX?)jQ0EFc*w+V56K-B|*rVIQ6gKOKNy5zzn+8#ocsrld>H$M$uCFJ};fo|BpT^5n6 zK(m{UC$BBrpMN!(M+LAHN`9-?@v?iDhmMK0iHd&-7cr?~GqwFQ;}n(PX0D_Z+qTZO zob_J=_?dVG1ONmgNT`o$z_q)selYW74my0`2%R<0LYq1moAywRadgI!;Ay~}HKWQ&dXSikfC^P$aF$Vzs zCJ00&>X7?&b#kc|c#k$zat=L}Lh*o2BMivZ{h70N3 zixXV@)S+f`z&Y!?z=IOw_Ub^Vd|OXhs)fMTgNZS?-Hkm|CLkf*#7V4E3(p6N>00Ya za(=2&^@&d{OKcwI$2j1xlD*DLYHhXgtgjd5L3}g0?fo!6Nak!T8Xm~}VSHfhrNouf zY@7Vk5I|!vLvLBc#K^V39@iEY)W?6V#^(s-wr#7wilHJS2|+KNB^DUr+3&HP!p2^_ z_@cq2VR_`WMGVZ!KK|Z@!i$%fB5JXsOB^9P??Pv3z_08At{&Iyo;SKti0{OxC!h&e zcFl}>hH`OpZ;I5vx-}|B2fJw_&j0SvQ^)MVEVhB2T? znWCD~Ik)T-)srU(4iWi6IbSnqyv;q{uf6RAkMQLcJlGCaUIVV_>t-6pOFOfdU!&A4 zl_LX=@1uk#d+k?0MfTzZaF)8?|7!DBU|Zmh4fAjU%?9)$4!iAGBm>UKnYe4=RW83x2E9mz?HM5r8OgroR;||ld$nPi2tIn|X z7LYBb6-8o_1KjEB1raB$jh7!E?k=I7Hr84b$H+r&916?h#1ux?f)yE5rLTHUm;qY7 z>Kk~=1Ix5J+d4wcB8C{P-5Z4|?JLdZ=SX~6ix<~l+<9|AZBRagD6n~gd|pAp!wL|H zyQcMeOVAA`8qKxZ(Z4Sy(SMBw&mX%%)$9vAJpSqrZY{P$3mDPh@t1!m+x{z1y`l#g|u z2nd8AiVaZ~`6bJ-f&I5RVRAgZ&j-YLvjiAy+}m(q6RMTL571EX(Rf9)Y>9wLA0}jj zf>{lro-gu2OQw)ImWY>3g11_zw z!17oI@QkVjlD(_WZi&BNu_NPoGt&bBpJ{qyyFnYtfK=yCK}CLv(BLhy1_nN4nGN9R zf8}d^oiw_0vjOa>G{sN*hQ2YmPC-J`<@G7HJ+w4m1SCo(*{;>tFCQOSn@}5yn?)#0 z6rtUz43RG=U?Bmv=fx9G zzy`n`_3q{WPj0WZy^RQ&=}zNm$R^A9=!H@5)$ME>DYV12h+}BFg|<93(CP6@PoS^R zn@qgDN? ziIK5coHZtsWW(=<8BlvO|EEK#Gh~SRS7MJ-u7cZ7ftC1U*am%4c_va^qOeCxMCV!e z9ASNMs}2I`F5(IhrM}<;igTdL#lYj&;{?4cWEw6-rEFxMm1p!M4EdHl>;MEl~`2*BkkzZ@xri zQ=sK4wbA6PaB3oaB}_|3<1}jGxFIq5j4R;7)R!56cEN-t}DH#cf>bZ9A1S z(cm;pQ(F?(OAz1%dFCoefbqg1d{=+R3+R{r+})yj*w5}Icc5at1izu*08rG5L;vlu zogfAfl@Zf|7$+izHgx9$vB``;4t;G;Ug26TOyw?Mfc9%^?C!d=Wc0`jtx#FSYC7(# zDB6U2tng^sX#sGzY!(B#7=3#el;m9@Z^Z*Hti0k4BXiImB30 zLaDg+u@Zd)EVZEmHf=DLRapvQo!qAkEtG8{owqm)ZGm$vlrWwQuBTZ%eCW;e(X5ZC zAl2leR4%<9KdB3o%^zy|+4tnP0`>PW0{)MU24g>f1&AzQRXG2ISm$b0V|!sk)Dd3x zY-lC?FaxIw0%3EB1VE{0L6Y0mhP?gcjz8o;a}DOZtStHb(3grrspTa?!MGVysqgpB zHx$JzEHHT(w(VT*ClkfzO^By@f{r%k4jNY|O{d{Kl@_GU6b2F*2wWnl4bQ!<;E$y1 zmK3D;eu9KPU!d-98htv1$vGrr_A~=y$Y`NtuJ$uReJS0MsKsi|+$?wy3Y{Cd+$*i7 zIXWIoJ@j!|?j~>XS#7%AV;f4lLlBwNsf3+miNEaID zfTyuth#~?lvBa{DraB^_tII+gsLu7$30MYarNvG49a$w_YL~NFJ(^uGiBR!JYODc)O^`MUliu-;Ih+JHK_8+Ozw&o_9T&0Z> z#S%~f^~h(pjAg3={FYYEl0GaJc0*&Tx^GpU&=uzKkJ`PrqL10yGmT*hi@A(0qR}P z`;w<&<6Ja5NO`^v>UtBv8H&fR<$9Rb!gGQ0tY#0{^heot_H50I&kw0SZ?<0Bdw79= zw+X3Z^k7nbmU95#)uX+~njZVt?!U(b&{AWATyBRk^a@t|c|&}Cjeg*BsGF))H5_ZF z@c0r}#cT}qIlV;YRv}37nE+(~ngEqh7l;u`Wj!LM9<0RJ7RXjo|@cwRUgul>}<&X!U z(P^rIAdY{B81Y~E;yOYt^IKJY3*JUS)P;;|6q#QoHNA|J@<9ueGC`VlGHt;qJvP0- zCl7J6dRmScIqA?LzeKw6$^OU3g({P0*cisDYpTTfZ0bZbSHU3Pyzb(l_v@tNe9_Og zuXKRpNv#%lQPh_&BjE&2`^U(+KK*0ld_(^gSJXyQf3UJf4@uL}MHinbUh^M87jQfQ zf_K{$r3N7bDCQuu4-CktcP~f!liJ=wvuH0jy;r%u^`INeCOn&B4OvVKr;@=G`h5L= zaN`_&I}5a>o7*0gTp%r*+xJAUCf3sD@X1GuiG1}mylmuZ14T?n4r!PrR$4&31Bf}e zxX*cGMu!3+EloMuz87&xCqUj(?{{&?BB-mCp_Ng?61v;;E;7yqn;C8{`X zHLL`k9p@kZ%l1&s7|@z?8)G`>z{a9Xt8a;A>1C2s%=NDJwt#^OQUtp30Cz_~uhl>W zyabIc9wfuqJUkZ1q)*lu#{6v+_upmElkz`6T*RgH=3gHWfV__Yb?URgb&-~EF0_b_ z)7smDAKZ3cP1cZ2l9IhxeMpJsNWJ#iMeq*yIT43Px(L2pEbmnsm2M4;bt#%%?}Y^d za%W6vfkZ{XHcZbKwwK@9+uv2ZBB(iKGknu055e}e2Iw7az?}IbY+i~+2M5lnawhy8 zpzLS)rlu>Y#&ss?W$O^+KWw@CAN=wyddUfMW?IPE#wdT;Iykvi=L)UXJL9N0G*3~{E+z-WB0 zCin?1t{RqEVo3LAa-BnD zLso=ciD`9k*x9>S{^HVGJ+rJhp>K<%W;S1PC~7XvZ2mrkEF4h$08iH~{EPVSr~o=? zKqN0=Uswd_#CUVmBh%0QDgH~p`miuK3&c5qv5EGWiSRBfORXKxJb0l3_}Mi0a3>+{ z>0Ah~n{s!P8vl5qK$KlJY_3S9`!Y4p?N;At8-~LW?;L=J)$IIJ_Bubvuc@vvG zK_x_(-JRI_uPZ7Dz%W24oqk1Y^UvLY1$<8V8Ly#v-NSP`d#@l%K4(SQI98{ksux^} zpR(ZVaz!reyR^QLR8uxU?yH|(O8G1gwvutmTwPr(2CRZwCC%6zDxSflsET91vs->I zhbI_SpyA?a3AFHC9hvI+90dPP#&ZnW^G(A?ct6wR-UqWl)DcGXF!d&*Ka6HU&;;*r z3};GY-+Td%mhoS5)Gj+HKD@B`+LAWJK998-DgZkK+*g^pGa7XjguT&Fg@MQxs$wk* z;Ru}~n?(_;8C~~hG^shBue?;ZN4AZ$-x((ZK?t;PW$_y_^T`v)_(P;T{ox773;zv$ z59_~{E0HY{YDk-2cw~LlB|GKfB7#gbsT7cH{qffjL1}w9F5|n!hL03BKGk}dQ|)dL zQVTq2MHyNe+`;jPrXgoWp%=_994a03n7;l20?prnT2>&3UqGG{5Z_qQd;ZhbO;Y_k z>SF%)qb>*$$ho>+4>_kCTA90*uE|-%A^ev$)xZ2VYsz>|#O=hW6;ly}K`x zNaD!Kadco-27`wt~-vDF0s zZZ`n7iDCdfy<-(XLfOpMYR~dz*!aKAvL5=U?#7oXwD}S@Brfq^=u`t@CSZRJgF_{B zdxZ+90~Jt~E@mxES!4RAQ+kVk(kj6#mK@}E7}2m7-U!e`Xl>cY+&Fs)Yi#nd{I5Sv z{_m&D|8GAXU^kolFC3)d1*072R1&l9`gR7$MbaWhQDfQ@u0Z4X>;ivuExzRJ6|eiM zou+AM@T?IRcW-b^JHPdRCzdFb3hnO+2rgv(BJBIWPr?7VZ3dYB-8Pr@bib2RrUvlv zP4X-!^0Rd7ZRcf31YCM(GrY1Nh|6RGYL>W-UV=Y8j&r=8qt(s1|3M;N$2^Y;JkEFB z$Jk%SY$KfvobhvBX?XmL>5ersF%SPO!5C5YXSS5}eGpuIJTiZ){XokAAJ2bV2k;{O zzR$BuJ=u{_|0T{SsQwL=qF^4+k_b_5cCk5_tA;DD+z}s8~PA%m<`!W zTJVCdsgrQLdrTC-{_bNJI~EIdQq9@7%hypGzl__?QZPoLOk$xQSIj>nW7y8qa;sP) zv|*b(T=C4WVE;E5)G=PbWe8YP+w_MC{?gZgEk&Gs8eSg|uq0PLAA43r1Cfuw=Jtrh z9&Fg%-EFu(`%!7XCXU0PhOkg)BN0m}MGQ34Dr66;QQ1C)`-#Ifx`&oyv3_;eDC~Z4 ztKvWzq93Q827%r}vD3=^od)VvIzQQT5r2ZXKbcMn-R>q#g?>TI?6C3m0V5=! z58v==0Z+qx@;TI=ELEq1G#8Ek>m8E%^N3h)Er9O>FdVhr*$!XJ#lOq~j=%ZQi2|jW zGfvqsYJ!@YXh0@B+h6}~Cj-PNM;4KgADyxp)dhWQiS3chDgT46v zxx|6|v_JO`i|fa}MyJ$kbH=D)-4H5~60xmQ{n%!C#J9SmWPCwDK2hg5*$kz57*o!L$MXTLSqirZN109D4E;muRs@bC@c{B)Fz>y~Ls9>9LOh zE#;rPk2(edhSL2JfxETg3b>PP7F$%D97`#?lIQV|cf8!YmF6kLE0QsA>A3EZqhk9oqh)@(NCWFK z2`!)pAFUu&rxn|Z#hqX~dM{+WSS@`PmB!PMpytQZ$O9&HI&l;bDPX+(WJdXH%Y2|( zDeFoyAX^^-2WUUEx}wX2n*@zO1saDvx6^j+wXuU+h7GvyLuydXKj;v>&)LiTuoZrN z^rL9`K`0seyX@%gf&VYjjP@>4j$%}a3U$FZFJIrznke3Vwe28cMTsnSKS+H(w?4tV z^Hu^>-5`-B8cxYL6n>nnEW>smAbL+v*09A*0gePYRt)m3$z3>#!&1~3`DMZ^pfqa# zYJfvw!|!Q%k%|L9L8di(n}RHBSswCw`89E zPyP}atkQlF#hD{rouXiCiYw2}yD2Tu1KlQF0{)itV)n2dkcwet_n7Qm#WmQzNU^N4sn>UjJ7$Ocmt85&L_o4i&dz*gYr%3` z*m_db;Y}H>vAZT(~8ypCZ(08UG(A`uI`t&gTFPK4HGhH zRdk%Ymm9R&UruRyb}`NE5qJ0zfZn~`z7m|;GARAU^Ki)R+LEq)W?mft>W3dWQ0@u- zaddXPR5nJ=oL4q`Ae}Y43im$hPk-$94K@9TbTArTj3oqgUsTdGqO{)#qsP$Jp%GCP zkkH4_>WNCo`~R9pE*%UZ9EmH(8g)wAhy$$(#+EpRe`Sn2<>l$3SD&Ae0)&V+# z=6*s+6@cAjfthT?ZEzQinF#4zWA4Bg^3_-Hn+WkEZuCP=f!rR2U^av(UdddjzVy)Gt!h^`7LmtiUNs=wWE{+;}td?ubEAA8I0R2FvqPg z`uti5NbkD*MyL)b0Uvf(miPx-+IC4zaej~*2Ck^YYX62_j1GrUy zOg;ZXGR%_&wQ(i!GGi(*+=DS)tnGG7@Gx1ExP;^AMHw|N77^X| zlcXNhyQy?23j%`^FVj1VrkVxo)SlKMpEE2d7rHEoWlck+*|+QuA~XSUJC>|J4(PEPq2h~{wMWevG#WW+&_ zxB3203n0;L!|K_`2ReaC!XewC6`kcW-G7*17+qMI(b38M6B9L9S?Tp3fy}O{R zthJ=%nhLq%LcUuh43}H=ENFRfBNh-4bfk4<5g69{r zk<_r}qo2pfAEt_fYOQ917iXSXC~){p%RHA5H{l#|VDdhLDKrY|koe2S*zJz8;Zr8g z@5Doaggg?8b6ej%{^026e`8Ai@uP|#pZQUN9kvPK8>rEiYqJjiiDggZWW8Bx%D3H^ zgw#siKjWhLSvgIEG0rZXDg?xUzVs=>?5vNqXx7@A*y!rlV;|{JTas57r|0@7xxd0*#X9Tyr&$ho>k$uBGt{F;)K$zDb3t1RYgb)w( z5kC#1s4Z@_i@uS#E^_bo%gBHwTtZz0XDtf@J%cA${TkjD-0%7ryjA+>!%lPLtGAjD z1aB=W?xu`|fMo^^cpYgMNmTH(~a& zq{qP51XHxzg59vJ^j5TsF~um0jd%_Ukzk{`ilG;^J&4kAh?wi zxhmnyBvgsE;4PCXwf|BVqts_}-LA|qWW&fg*#cEp%dr69xH*af{~TNJr<>;s2rC+)Ygl$Ym(=B)hg+5-e3Xf0 zm`rU(q`2Rba9%p`eFTKE#`-M2->Wbk^`~3gAX352Y+BpuW3WL9@@`;Y}CP#7M zw+Fu6cd-h&bGJ$qi|TUsvz`-N5VrY_KYRI;hwf(`Wbx}({B1C4_pOHAhk?XzUSlLQ z9)w*Rrgicn?i%Mz-)9>9lU6$GQ$@V66vBnGy_pQ4g6s-I^jUp!5Mfo@JM-~lnay3= zT?(cTy5?#m=-ix{C-wnau?GNPwbWC!Ac8=>JY?gEB{GY55@F4(QiH%HESry;AzZWe8w)y1e~JceQe;o?QTO|ql`{Ri+jw;4 z0*y;wkT|KuD}{uVbm25Al}IkLcD(kcl{nlxmbAYLB_j$lM&7I2c&5#y!7VuIb%XQ zOoL@fdXDi%eTSyEZ?~?m|9iiFm%V{(L*}Bd3oX$Gnzu0yoT#6t5P7{}8bDtRl=gUb zA!|m5)GJM~PTE6!t7(0IdHa3shy1=+?_zxkdD%URJa!dJVF8*zbpsN^){IPnOVW>; z;%}qB`L(TQW^mIRRWXbIA~!kLf@4t<%PSw35!;Qd+AR(A)zYSsdzzJ9s73e5i59)L6*nuLBQt=`dV8#{~T>V82d9LjNvNa zqL5LPe*M_iH$dSX;7k>h6Z#l@vm5DInH~J})mpWDEg!#D;^Rv8Ek3Jn-`%ok-C{7$ z0te%_z_B))$Yq2+EAu+ijHS|IHzushd3~(joW?e_KojJ`I*rsKL_SpaU za{e4XYZX^}fLtn6j_5W><4r^OPG)$C#1R8c*Rpw%c(=K}FYW~NRYm~<+jWeO{?@@c8@ib07z3Fe z6cc(?0yk3*jPTN6Fb-kYvamJac)_6X(;{C^(z)b3Vku{{dXcdq4A6^ znPci)D%qaMo9z`O8Z>}(eo^Kpwcxddr{R4;(YAkb`wQjYVW{pRbnMpiD7DCTds zR}@aq%aMVs;;b+8`BUl^ixuhnX6*p^lPc(pbZFNi{Bk3NeGQ0GHRWgt{b0>Vkz@X3 zj;5F@7?v%Clmilp#}{}5x6ok8D4hC8|7cJJRa>mti#nqp#9dm3*30yx$x^^|V=LBV zymZ0_@;rr9z!QabBu#YJE06hZ;p01a`EBON)V@O0q|$e9DH7a!ySgR{MvZntXY6li z@Ym~HN==N#yP|g|&qG*4tqIN|T`L05`?M<7mVE4;&!xwQD<8=`H6ih)>ViP=7}z~f zM3~6uDYM>}9_7OO^QALKz#p`Oqa)kb7*d$9^eW<_dzIi{uhBWWQJ{CUSFYMZI0U8* z%rhKEOF-pMJOGME+2ZmNxlhtp<>OT6O7LRy)8wXp(JJTxc9pI%M7RsAAvhR84U+pf zg>G6-;kj0ShNKWGaLX#qkNrN=4{M98$r|z_HnKD>^i4s%+Ah92yI?iJk2c1JCMt)g z{-Ri%$YRpM149U+?;(`Uo)n%D4h#$MBpxWyPp5(Y-5YYn-w4;&SB18Cz0A^*K8dl8 zNnKqfLhH1_hh(ZA;*|`i4>Ky~#pTTZxN<&*_Bv=*Kx4xoj34bCMe~zFwd8_n{p_J6 z818FRPc!4!L0Zh9a>HKU-8YWFNqh_|xMuW8{)Z043$X-rL|oYDY3Oa~@6d2Clr;hf zI7O@^{tV;@FWj7!33%D6VN#gk2VJ1Vy&<+m{8&{P;Nf(}o@A+0J~1#odP45(S^4u& zj%9WSV}1?C#Go=7L&&`l2&!C}aY8jvT~;E?n^0=trSXMRpGU}LlnQ&?oVLnrMBK@A zW!6@pFGWzFLZQ0Rj!-kVM6^)WoQlygvHBE|_H)$Gds>#WPSTvwDm-zz%QaW~Du0|k zaOpC}N@+@7tu{d|XYjPV`H0?`mFmcOfYgNJzoZNagxj5v3+OkaO z=+$xCfHYTmMmQ8R$^G$C>1U+{dPOXk6Us>FZW(*t`bfH9XeWhSJfX5q7 z32oQqyW566j_4jDuaQ_${iw*hX>Vl1Z?G4NoWWYr&Zwo)5hQZ6 zB2<3a^Ko<|E>Eql7^NLS#0|!?;wCtWARO>V1&I1J(eAC=oalnxe_eceRkbLa`s74< zb)P$`sSeS<{vl$#RFa1~gnOSMp%!D1n2rkHzaumST_1#Lfx$@V z6ZwV=KLmlt5RULOj$CGoN;NzG64v7+@=F&)wbx;izKU6rO?O?B6d8ki2y7~nRm-r7EJ;JA6hv5lf`mZO-~jZMc(E_h#@ z_2uo?vw5yD#PSc2W8%VNQjtrGCL`oJWh=lCCX{Q)L!fR-bp#Wg9Q1=Kkfn_z#=X6b zRNm@r75;eqIhn*jAUJQQ21S5WdW`a|4Jqv9n*f5X{Q-u~;}_7YjMjoQQ=AI- zer_>8ce#lag(zpKyO33>N;xKONlk@B{m1>X>f%Tyb)=llrH`T>^urYgTo=d)l99n) z%;5tZ`epc+v^q=C(C$)=>SVMok?aebqMLW3o7c@PeJk~0hs=-`7U!BAlZ85%z%AkT zo+W6db2QBlf@gKWjJ$_Pwp0|FSqXnk`new)`}o#{x(D?9;;uX-kPyIG+Lu!>IyaBF*>rbO1XI%B zeaco+8aFaY&g-_>!}lp&5MI0L^G4TrTE)olxuzjid-lzjUvV&PZ}5mrj^W#M68%1k!ChuF`gn!X_{K43Z@f4&9Fan0rNER-@3gI}1AeWV zi6HN$pkjv&d{agE8&X{Pr7pdzD!(Zo;X(cov zW&sRu;8NaZ^klSMRWW#EOnR*gmqMaCdE+ojOR89SyV?w1fwp+#X%43#QI)Du--n&E zA92v&?sgSDlsGG7_9Vvgvr<~DNVqx8A|TTW%o>vQ-u6FUhtX=oRktfNz7E#rBLegI zeG$7O%RZU5tvDFDeArQ*t%hpRY3+(um$gfhGbf8P(eHAMy{85Z6jt3QZlGwqvIE)R zFn##Oiy?J2T^y;^Y?&;Lr2l3{p|0!A64w-;7CQ+{rtxX2+@~g5l?4N`YkQiHnVtK1 zGb70MTT{QZOZ+}``x53PhJYKsGp>Xs(ep!nH$}rKfxSn7;3tJ=I#cQKbEJZtp%Oiz zHMmJ1$EhglyS%MpoS>)|-~oxsYS3u>FujEEhWCqIY%g(qKT2>p zh@AVom#x_c|5K{RfYLWU*2|UXJjcQbJ-tO9xEBXM73mcdVpcqNU|0;BhZ)!?DXFxf z+H6ZdT$d~1Zw^tsx!r5RryEf6Y4JHnBj7Og4eA^AtW_fH-3yKqk-Pd5X_|+mwyT(GjD(LB{SBDV$_?Zow3x&QVm?x_QK$IgEVE@ii&TJ1?|56e4pXIq~#1;L9S!=^*cs`K0d#P~{7) z(zi~#l@G%%PVMt)X^$c^sqOGC4U>>}%ZJ_Jgp6A6JK}w5D=I5GXFW|Sr)(Ifr*$G8 z^KK;;oG%&XA|O#=2)*_nQTGkYWuAy0PLP!vLLz0i;>7fS>Aw5R4`1~ihZazPTftN2GDm0SJqmdR88Tq>(asBmF2baB*pF(DVI*UxSTz zVBei08IYz5OL%Y=Z}-TffZ%f+2H#uN`IZrB>lb{`aa4FjJH?!#lNS9XdiHM*-Vhd0 zkBKgO5!b*!ek*6-OUiME-OQL){Wdt#v_ASeFjuw~L&FWU1CCCGA-F*#_oIyioMT)RX1)Ei4{a z#M=IHNTxizbOup_q^kQv)dgo#F6-qxh9UXw(%K8L-)HG8qAm1^HgKjdOyfy=4{%1umsDrf+ZBYjvIXGP&V~A#+f)2O(f;zv(mzrt-)gzqdIi_)!1xj&#Vd_;tV3O5}@4qNmHFu3$&^MOi3*`e*T-X`KW0PA{Q~a{U4&Sx-v6hcQC0cB6e%{aSBER4>#)B68 zH7aWwZBePk^3uv`4ENNY|Na#6s$V0B1+M1~ujAdY= zIG&k`9w!*knPJo?NW)TRQHBj*8WTNCJ>y@yHJsssLY;KcNYwtUWt=UYndRR33x%4T z+`lkUdXd1-Q3PGB8?UBu}pg6#Y*mR8Ve}GP&0b_1)D^Z7-^#s;5$qsL?{;Iw+paI zE#ZC_*MuXmuN@)KryB#W9`=-{cV=AbUkPL7K{bTa$(x2*|gzASez z=J(0nmYG7+K=W$Z=eTi|Sb^q4V(jn#E(*QNk>2h^vQfZl)E0wr=4+64LL~_GcAM#a zg1Dp{m(`gp@6ztckAtXXwsxl%H;hR}>hPRnZdTlflCNJg$tTxHw0TY2JA3x; z_5AvO`s|sF`&P%Z~bSjF7L-*Sc*V@ z{N9emalIwi`(pz0`_bF)8l1{`UAZa&7$Lkv1~n<_5+&N~$dUVw4ALp)vke6DVOu|D z>~fA{PURs2xksUTxwlzYIzUt}=~ehJrQRS~a~vfd;m>TJ zy^Bc0vok4@_E?@?z;9dM#0*IodKL;18u}T*x~MwH4{DErP&UK(mq}ZJ-1chJF-a{h zsv1q~D}8Bh+f(b_wdGFz^>~*3Y{l+l6muOceFZ0VD8h6&;okd#b8T37L{nr@=u4_G zsmw_J`D;2ITw5A^d}mP!QAr4g9!A`2-xi%y4udFEG0RreDad@o#N;0!k zwz+oi%W&!m6XC)WWLG}4$uz|gb=q7a<&zhl7afsDZP^-i^oWDm{N6J$u zTxK66u+f~bn{E>-yjtlNqmAk|^q@M3g7;@_5%1Y&{a})=nu1b=md7}Je;m?U5a1z%hQ$QLMDcEs(uLk}M{W>CZeS;nO(uPDrEg$m z_f~!N+&gngtRoARY$HU(-WX-(E~kCi0rIi@+Lej!AtHb*$9D))T-WQO(%*ei4K<&Y{k)Cr9J_ zvsZ+b9r8W@sUf$fHVUgiDx&PSY{fWdQA~@m_xj<;D!GcP_Xcw+HvgD9%>JXCO-y|jaFs`S4TvIij)Q&tL- z4SW|^xve0TH9eTPLST^zfjNwsmWwKUr~1upcRn;w(FU(({A-lljJtZRl2wgdO>hkY zXUqzvcN~RFiHnJH)#)P@er@D#F6(K=zDXEOnF&?)Nsl!KQJd-zzucK2h9fuqhamQ2 zvwgvb86otO$CWoIg>+Tr=vDl4eokb<7n^c?A^q`22AxR{Z?eZZ4F~QvzGSi!K;kM@ zp&5gIAjw$m%Q}?)Fb7+@De=R7?X`(Dmy`$-u&u=-znB)lSz3VSThL5$jE@^iux3&H zj%OZyAR2tJi>)90GPBcs+ETd|;Y+47CJ|m3EuNr3Rpk`7LDeC!B#EujTNcq19`G%O zv1hS7ogsL~q5?3myL?+q-L}ND=0&fp&TP8xAx5oyC9HfE1wc*6*3RpRSj9|E^ zLiMb~{{8T*PDdP{Xq4>I1?Xg!sF-B1$5v0*sQAIeT^)?-NjLx>*OV~(W=J;EeM8=I zE1pF(Ap1p)y^go?itP)qp%V9DK>z4i<+c$G33hfSB}1{|p^ouwAg0{hbeyoihI~Xm zs;HWVe=J(SuG!m{*~DX95J~xaQU%f8yut0GPmxF(xF-#lCNv<~Xuq8}7#nCm{xDy- zY%B)P%>Re4w+xGG>)NcLC_Fd>0>Ry_2o|7lcXxsW*Wg|Rch?}n-Q9y*ppf7Mf&>rl z_SHG(Io(h9+t>HM>fhRXt~tlJ=VmcN>H@;!T)qSi!DG-sd2yg%IC1!0zy$r*DyF=z zQHF%cEi6-wL_nv{aFH&lJ49}Y&4+3R;mxojO@~ZEHqiR8wQ>JF#abqLOc!mzuew0I z4pYHQ%uupFEFO!YKJ3tE;5tT9zzGV8z7$*b*nRPH32;f#TzoA5xVP>@1vM$mHr+$F zq-hzn{_Cv$`%;5w;KQ5sC=>Z~Yv9{d8QiTwkSJx0J=QH7NkwwJtqFJ)VI9vWq`Bp|XC;LqirQ34oJO9!J|5yb;d@igpLu3Qsu+c*w)>%z_~zVVyC zG_XYGZby(AD(pE56$;y>$+u0eq3E8j{_6tRu#4?sc#PP*iKmO6x=d1d32`+U>CW|z zZDG}_>#=~xHuRN=bqg_Y8O#cmPuR*uV{lK8T9XRE_#8#6>^~MndwG(+r~`Vez$*y< zs=hhESu+YUtf}!K-|!n&98s%ckozf{hfC$10<0~#jev~&6zf6?F22J+0(~JxTGhu~ zoCkXUOwPStQreKw?tRb8u^jiJn5&xtMCw*r9YoXuds5W+k8Gjfy8wbjK4sG88_8L~ zW)e~|n^=2m8LDqp#d-p!l!$l=YsQ*v0L0G=Zg4rmK7+lHbXT_hb(IJRr0-5vrh)ggRazMY;gzo-n2# zQIlGQSd|L1BP;%@p^DgA;c@!}cjh>&u6~~AX)Y80yEccu`F8#36K|2Do5eW6fOS!x zLmL|i5+pQ|Nhq93Zay|!AT9yVk~{voug(IgOgx=D?ivexUv|$q(_DGcC(;5=uu&DnR6qWD~0;! zIN=-r&Vj*#5RWT~#sG#@5;hC5iI5i8&lXq~#F>ky3|b-JUf}c%L*`3n#Vwx`79NDn z-xQl`8zeoq>*%TJ{5tn(Z(Q(|<)%1vYHo-}U-3OD;7HKvN zouAQLnDl}V3EveP8Li~f)J#VS?j#kS9t|7HE7>5 z8$5ZMk5;FG(`D&JjXPfU7@v=MG#t|Pcd;nrnmRGT66Q4d`T5Sz=WZ&SFEt-AIQ=$J z+&eO}GARA-FR>HPKt%g~@qeT>H1K1;@P(mrd%lYO^D~eOl^AvTUJ0a-WXbyR`;CKP zNMvl$k}oGG=jrABs~Zn;9haYU0Y;If- z51SukCF8&!3T1{R1aJxoIa`f+>4g0rewtkp4Q6ZVWXz3qyJKdJ{LBNfUU zZx7B3kqY5Dpqt6J`nd9H@+v!l_0v0kjF6UZjvrbUV((tsE-c$Td4+!v#R14<=P5O8 z{u=x%+GTP0Ap_{>R&#srzn8v8D3qtP4ayU+4y`ocGpsp$?r?hz2~{GEarr)bAC<2f zM59FY?+w-zIDkS!{GV5Tqx+p?p6C@pL9phjq;~L{R~R{4F819#xvFtDw*YSarUk#?Lh| z&(J@`20^Xw?hcnc2m$YYsx))!@I5(*N15v%xXl|(Mj0O&AhWV~NewD9B-VZIXt?>>r z2M7u-K=*+>Ytf!}+Vs1#==bAIl~)?52arLM|zk=4%y)_zE6Vsb!!?D+rqm?I~sWZ+^vZpZ#6CL0zqHw zyb~j2#_x-4b^uV=X}5Y?9=-T1rRx&}%<~g?;9x3DVb?MpvG+g5;|3^LRc_^==KoeGD_3h89 zN;-av7JukMeAlVISBNzS-`}YB4v6E127`M0APH}v%uwF!jpWU>)Nir#$6Z&d7sD(! z+**jW;L)F=R6sb>o1CT7ZNqOrNE04Jl-dfdM(e86<57I~>Jc?W>2$goS>pq|<=gg8 zV6a1}D~xVzklht}<&9H&>I@|-_Ms%&*T?_4gjam+b-5$}MFCa1!vPF_OsN(lKtIM^ z`s7P`*GU_xQ>KwZw}?#=l$T?{p@!e#dUnUm^p_DxW8t(g1BWFybdzlU|%nUBc3#BjT9~L`Z1azzG9*seKCXH{9%QRMWg)gpT8^uf z`_jwU%&(QWb)G*n(NwQ>mZ%wIGNFX7kqub|nB(2is3`L1 z*2{H_p(c;bE3;SsV&wv$g{=U2h`)(2GKO`VQtg#dzEtb@RpzmYudws399`GKyB9Ro z14gd}XKqpO8r}VwYi7mrg2XYAL3P$a8JZvKiAFN>7DRL36%VXHl^xzef9LlXQLHo zp&ocM_VW*Eyol#IRze}mp&HBgzpE|>^OSEeM^e;#p2{n<{h#4=T0&lsbCpoGM{-nt zR~~}Bo8zLQKi=3&F{5`W8IQJoJs$iq>rvN11aBrmQG{m*GYNcCmPd7D>~ zH-lBuItNvya2$lgIL}E)sjhGmrb*<|gKxDdvM@|6*s)|#o`OW+B`T6D_~L5-gpu>J z;dJ5tpK6vG(Fd>`84hTK*3?#>R&GpMd;G9$ZJD+Fz#7t_8~}`PwusU%m7ny#Esx=5 za9gSgf(DQ8@CS6iM|#QjKKx1TdN}N+$wub!QMiI@ z#?+JG5-r)JWcKlZg@Fr&J;`eG#f`QED|6_zt0I1d73d1DXBS7N zdYycK69o;FN4qniV>(On5LUryj32|F2G3q+&Vc(&1<$U_d@LZovyZ~`EnwE_P2V5y zktX`HUaHBi#3QmZ7ymUk<+1=s+Y7}>Yq3i%I=zj#NTE8P#yhz=IN7>wJ;H2(Gpmwl z%<;&YvI}j`ecQEq#@7?uMSbS&2JBy_TKbh2%P1uqdN_$+H$~FZnpehc6mWoB0#;1U ziN4di9nigcK-FP|YZm|zdT#!*#s%g9g2cS2Le2- zFPUMKfxw0*%{C2}K`3Rg*=ix_&Ut5>42p_prnk|&a%%hu;{%qkOfl_;E~_4sMHYuB z7R?>yJF7zyXFvd%2e8Pn5QZ(2_>Mz_G{nTA-%aU~Nf6rhjVpt;U@?dt+ zwrE^YCp)Vkb3V|cGCU%5=xkZ@7}N-lHb=W0BMYBAGwQ9WiHa|4-y52IEyQE@E7||K zIFu+{m_`WjSz3AUYURcm_91m0U8X}F8o%xBHr37&iFH7a6>4=V8zDGp)W3c#` z6!Y<URh3g8Zl-1MMVfSF8 zfX@?%pD4GPb|2J{L7vJ&@VRg3Gir67b*mOplc&ruA#!rE6!I2`L7_bHwTm!CK$m%? z=y=ik<%B+`E?7XfP5B}rLdj0Wt#@$2$+0myJ9bp$g8g^HO=A*Dz%}YWmOy(7I$AaD zaC`of_-Xzk&Fif9{UlWSvooj09@(1qDrL5#9b0obVrT!61WGXNLb?o9W%1qGjOJvq zEem?8?)mC$lb7g_sn(IHhSzs^a>(S4&QaNm2O4w=Y$WH(jU@XP(vzzmpd_XB@C@ms zr`tc0k?Pu40&U3y#g8HLm=Rd}cmNjJ($Kfs=(V7Q^$=<0+^y^|`qwqf1D-7E0IOT# zON@uOFQ!p#~*xhqg&0(a3h0}WlQ6u<)+GjLX5ws{i%bl zMa*}eHP&b{i6D(+kYpuS80_#DlmQZ7Mv-4Bp+Vz`!AR#qJT!+%Xz%vaW%FM&l}V`! zFE4oABt$Q%%5d_`>9Q{;(^WIHn99tE3&>S(vA<(wWMnYjyT1^+*=X_%%`pli?<2kC z_rk2>teYUj<#teM`55^?D`0Yq;tMlpMjO)dwA0*KEGhL4BEX&!Kq;m4kjx+DdFmZn zWy5u#?NLW`5YYqin+wV5^iQ-NZ;kmU&1HSu!2Pp!;<}ri(GLo!VI@vBBDQO|49*sX zlWa)GJ}7aRBp-g6BR?D#=)5eFi=5Gnn_PP^rj2qi56jO47n=U6S~FSdLVAdnbI2vw z_>xWFUn%CzeP!W)@CBxW+|~5N#yw?c=V-RB9 z;kf8Ex?%;e-uh#7?zTHSO)zJVyd$YCB8V46e~DhM@`HPSid2dgG{lldPex${&`9Mk zRqjQM@j0Z95Q4v}2h5|ILHYcc00=J|W;1+iu|wKIzA2M}U2M?u!UGgZDFpRuxZ$-x ztaX|9Xbf4%4Dke3I{16qx^3i|_$n3!A= z&TFOfThrL`dYsw#K5kPxmwL2d%K2tpS~$rtG@l3uXL*p-a+z{%zC3nFnz*Lb{`SXXz>* zH2w2B!;ScxrBSUVt`K!;l}T!L1(mkteq3R04&*e$FZ2vK3CslXTgpm-X!b0>vMX@$ zEsqXAzl(LuiF~zm3yYs{l@5ym`bbn;^D3%GEuA z?|m-e<{Y@t*hIB~sQZr}O1Y~^kQqcio()ggshdS8hIU`RD;=$2W+wXl(~9%$9it2; z-1L0Hw%$Ss4)R9FB^6rrVesmcjr{7_Q3pCaiDTaBHCduWab=A}lX}JIOM3524lA>2 zktu(Z{4@}xa)qjCtCG0z-}Kp1R?ANjHcuu6;OmVgJ(eFSIp$?zU=!eB@l7bKW+lA< z0_ZfREwT}UpEVqmNBwJXz(0e1FN5WKS4j?rS#!{xluf*G%Nfn}YwR#z$-z;Xi_oj& z&)IBjdHgWL%llOY_{0r_Lc1R*R6>F)*WPxCPzE>v`<)n+AM(^^n8V^m9(XvfjQ~3bR&F5PyBDvv=in1&uvQD@A~(rc8|4wx!qu!7q6N!r=O+acvF{d-_SAZyFUl01_`YL^8+zKAfk1g+!`*`R45 zz0E}UaZlGS71IX|JV>&C2{r`jsW}J*v_~j%@Z_-Rom!j514D2&fHx!Sa{y30yDU5j ztUG&oV*Vdzg$3|0EOGoBmIzK;8yIyCHD!$nAc>XCvu5=cgN3^c6k&%a!dI@+qIoo; z-e^Ysnp0Hd6tv((3nxY>-APYwR+26cD=$vyEm#l_I!}^f3BIAM)Le{^p)7X1uWrchO(I6a2hz z`4Tq9bUB%f@VWVNkssaRAQ(ZUpLPf^NXXzF0r0SQdpvjVSg^jcw@_~x#pxw_?Gf7z zZ3pA2{TG+TSMV@y`wc=}QtN-{Ko+HmuH)4(92R%$IAGp+bsKmPpkbZ|Zek+PA;IlE zzkUwtr=Q&Xwq>b;3j7Nj4?3K*C{6I9{1vO7mT&mT+fLzLIX~UE=TVs_xP3;va3sw zdbQ!r@u|^b9fu>MDVCIruwG)~#;KEmGa~{yQ=4VPYJzKN+Z+s&*pz4`38dQuG!efm z<^fdu2?T|)bGn)v(8Bsw+Nqr$NP%|UgMm;}X(S4>Kb3hl)#P#SmpY4SFX|7N%1!ev z3~r#23mbWGzP8`>&xqMxL;T zcIxFzeWonP5E!0$Z6#w*fgs7v1COyCS8ehcHhP%!5xbQ8Z(MilMrHCJw9@tAZ?uA! z9m)qRnf#@PR6gM~>!MNhCH{kAe!na{u}sOgK^uug2okQTzo8pjg@#Jw+p4#!N2hQR zsSr*GlHWqnYbzozxNiAmW>TwT*ZWTQ2KVUUfVKK1E1edtd~G!tTZGGhZb|`Kh{CDlTYK2pfh6PG}T*lG{HpBR6&iF|JE;X!)M z6G{1wDpJ!02hJ1)s$7Cj{cfJ|KNf%hA~gXBHfq&y!bw~Tsi?XQU#HBW0`vkmL5tkrIBvvR9!20hy-2QLL*iG0{5KVFu$bj&)k-4)Tp#Wm5 z$~ENJ4`WBPl`|U?U+s08J|L&oto8Lu0Z277=wMGm$cvPM+7d4#?4suUehiu$qfP0G zIAh5Pc{zZg9ILpQx5%jml2hAFg&R;Px(@VQc?bFEz=mYMQ7s&@YQ8fe|8 znOD^Dv5jxS0g(yn*>g2z`u>RobWi}9PdaMR$A1tiIGBy@vV}~I zym@>@zP(=Dy66_c> z-OB}zR-IUrfbsvrrJcfFX3x>if7#bD@=(_<*rh7)hLo35zA2xX%Hf@!x2arP*LX5k7H5Z%p}myntjy)tbw$ZXph35-v$FN(ss)M~F-~gJbY~liohD4KzPeB`=u=M*KXof`56Hi07;S<`5$;>_6rSTVSR$$z4hpX*{@mMr2YYw z>~2zqUD~i2-h6fXpJyfjMkM_S!M>ksuILe^1h~#r6i7VKMfu;D1$N*4`PU=;^RK>4 z-vA0FWbzCS)tdXZYug}l2}L+j-ne9Pd#7j3sr?63 zI%TeMX)76sG?3HLorxjZD8N`Hhz-UnosIu5R@sgKE0r<`z~k zIN;L0r$A(+a$jDs#cElhMnAyT#;G#*! zw!6fH_LBD|3mB}6eq5;+UJyRLo{JkOBlks$ZG%Uw2YjwLzw40<#QasTf@2iISppBO zap_cXL#igBBtkVvdM(~X)q55@b0Rb6J;Y;jg1(`LMIn-g7oScEK_Yhj5qhlC{4vVh z_iH<4_R%Ih5_n)}@WbTh4~6v)LjyQgOO=#dA1C0r)z#;7g9`<($j0D8I?`fmr(pBB zp&@&pbSVVC=e=cA^NDoTl4CK`Z5lbHsU#|&2buCD6u#38_n_(Uovayv*DxqmV;RMV z=Z_@_h2iw5A?f@6sS{v=nIJLC7!K*5gon}*ztn^9_NJ}*L{`i+RTmR?_7!96Z{zD| zsz|zl!C$+(j+OR9Uw$9`q)4i2&D(v2I+s+8mI1Dl2*9htg-}ThCtHF_)X=(biH#6$ zYAs7)RE*+O!<`z<)dpAyyVy4|akCnci!#dMnAiiXVoN`~h?0@Y}$T~BC z3JNVNP_1sg%`f#!7kc<(N*}HHhIVzkN(UX zA@$OweLxS722>fTK33z+^T)Y6dxZh=#kda@IcQ2$$d}u0^La^V_2T^slo&imx;hU1 z@NyM=LufqbupB$gpsln$k&ull&%E4iU!hXwt9u1eyA1^q8Z9a&9tkdge)B24!MxK1 z2-?p5nYd34WenhIPYZbeTndV_GtKQzE<&c}_&kus7@;gR^##^Q|Kjmvf7CKeh?X>y zZhw$no+cFInTrd{@iYu^?CZqKq+I9;kO@S?O>EYkN%fP4Z2~Ja|F~m!df^wi>Uqfz zUq7gfl{!IkH;=`BL?{2u8c3~&tZtW1^{=ItkaxgY2J7u`Izcm|wmMpp(Fr(MI~o>Qs$W%r}rP%n!+ajN!M*)Z|P1*86(q$wQI%g>}g$JVA$GtPIR zUJOf^uD6kw?cqqXl?wh^idhYck}+muHbrISG{x)98Y#*@j`>%#Otv9M}j#s(*U!hisuyh?t8A8_B3bAG9x1NWpf zazh!PZ>DP^i}&o6)^C8K$3YzTOo;Pc$pZPv1%AWDX1 z4GEv`O~5CUM~B>m)uyoE5`_@aw^BJVxVKiZSL46)eEHXmdIP)>A*G?+q~0uP(Iq}< z{&T;{G_W%4KT)mj;0ebFMQ?m!r@a^l#9e+p9>c69qgmrCoZeh=B<%jv%^pDd<%q~L zp(#g5CVAOo6j5a-F@O4E+}p`d2WtzC29gn{*c#ZRaweW)L_^HVysRLCwr})m)nA&6 zriwmWmu|FyQ#*`_p}wSLHCYT12|-n8_xu2DTFni1xm@=&n<^pl{fl3FpTQ&z7{Bhi zKB22l!(*S9e3iMZcK*JIg(p%J&oghV5$AKUzp13S+%etSZ(3sg{DPFGnQCs0?!(!R z*(|AX9gE`1>0gmBJmZ?BQ_S-;e`?htTGqp|)H^kA_j4YO@K; zpkh*8fJV(q+*0RC^$eGtd%WyZ8mH@#s}zs-@ujf&NH2HLw_W3J4GWl~5dQm0XmNGz zfu?#@98Qhz#!vG$19BS!lk4@PUU@Y|Se{n-K7cUxSnj~7GFL_O55Gaphiw7l8z8YA zvU@X|cIq)DMA%Gr#K~-skJ$oq3=e zG1{{fynm&c7q;e4-$ov89fTQ=t5Ur0ud+)|I&%O14~kre(gF!SNQ))$Q_e$N&gQz2 z_!53xb*{vTR{Z_DIT~gqy7=ZU5!pRkW$orG~xN|%Qsj6++Qb5SJCjSe~K#-0-1g$%B)}aI(AmViZnTjRmC1st-dC8Jcsx`lin(}htU~>*yU&gbnw^FDYQg~+B7#Zl>@!B7hHiH3B zurRNq8Wy7cxp+czSZJ~NBXfXJwn-93ZNoMJ=0P+t&G`PppSH@AT=D@2arF^pn+rj1 z2Wg^dWC53F#-80@E^z2av9jscuY`s-;NATcOh3l7hgIHR8^xAz3^?k@TSJT`Ayl#+%A>mm^VWDL_v6k-Ad!#sQ4 zv7Y-e3U>|tg;ow#*Gv#^*GTq)6hwu{9j%Ps5+90lKZ^XPpd~->maX@sl^(gZ;-lwf z0;G=4eLeyKxz4$gDoUwhsd^9Y@EcS7J4L+6^_O!TY)I$;dmRes@w^2NAA+P;S8m=S zplYSr8(f!PT)r%(>a?WO4Sj!LRjdJdHD{#yLPcw4J;8_ispu~cgePFHj`ZuoI>o1N z1}JU!p%_J&R`Eqm6CxD^4?J9x|IG=iqs+#gymc3?6@vy_gPhZf})_&txoHZ+^H43(+Etijc zGmVgxa$yvxa93aPmY0nUlXd0BG|Z(~nFykET$nNl4`T&S)e7(UajqD{A;=N%7++h~ zf7#CxuzXz7PZgh>C(w~}yk#agcT~%qMy3A&%!6PeH#x515|EDP>EJy1`=H1^pKN*M zL$Tl8NIk+=$%EJBdhb&+rN8)Qkh9ntOYvsEccTuty+y^!eLoBnI^V?D$-!gjdmKw| zPcdk@nNHBy!gy((CGs1HN8^c^7}e5~q}09p^@6l@HwTj*N?64nm`RiJX;O;*I;(kq z=o}8=!FBKyq6SU_hnAD@2TIvtwteS!YjjFaAR?8ThkIT^$2J7f-ZYs1euZ&FOp6_< z;xkqgth^a0*-r{Kk8UJwO0lrQu12ntRWV+2-V;0zVPe_yxBZCxmAQ6mXe!d^Dh7C31wMaa=_RAT#Y(PolAV{pXRVp!lK^>(O3#w1cKna4BYCv z*ZN+)``-_u;dRvFHE%@k#X^XmGM-leD8=nU&2SHqkVa?&Lz94m zL{DEowMuilFRF%-zKya>TQ$4c) z<5hVNfvPTbW4_5$UqfQsIcK5FzzT7NOMe)m-M+-b2&6KH$#6|dFz_+5csYyqNdUYS5pB1$R+t8g}hvjuT> za-8>0xvl?;Yi&ZQ{pYDplc_iP=_!bRSOm2tt0z$b5d(|(#Hj0ogr`qO@)F*+{d20MrWxQY7GvEL)Ul+g$AQH~ z9fhopSC{9Ei{*pd@gg<;jhfc%xIHDq#vW^CL06H*N)5knq7z$fmSCQs_~wIXrPb}# z2_Y;46)9x{AW=hy#^c9BOkurBX@&2trpE`^+5`-Og#lR5^u1FZ8SQi(?(fI_H{rV> z^tFWr1t(P5hIgP%INvlQiEnP%@g2tYvH_wMH85rfW2%a~&c>-ZLxGWM?8SYRuKuzw zyUklViAJwkrrl2+rE@peL~Iip3@z~2=&NX64t%jr1RWC)`=@4l%=WZ1w;b>a=P6 z<4KSVc-^fc(!6d((E^aKqYMm%C1Fhm1@0tSvv?6TctKy;yZg8wZ>n=XY3>n)N zXO?D4(jA*XoN@tPY<SFflv3(bUf~e(Oci%~r9|=k#Vppfl&W+PgseRdJc$ zQ6yd@p}N{*Ngqu-qdi&W#S1wjgg<2QRn{Jz;*mGHhevmSzaVjb7wRA#NXj-d&;^Ui z5-0QTIBFGIAG!2pY^i6Uuszc_$DKX+(fps=wUZ7qNIu_0-8 zSOUI7JhvueNO%pq3M4}df+?r9Q?D}V--I-lFl0!}_Md-ir)L$xbo!_v8(DH862lK% z57|wDL$N2k&0mx#{w3Y6C6PswUMnRDCzj>h^Un+hfmW32X1dE>9rvT>`(P zJ%PoOx{-hF3BfyVpo zZi%7Y;z1^vw&4ZLfWJr=O z>3!$}Q6wa@?b*naV7sdV!aT8KnG%h#65C}0AyMoLeZDuEWL6Z*`;d~&E6V41Eml+^ zJOtu!%owX_nHoqVX=BshiQ8Xt8f7||KFz0x|7U#Mz|?`{6B~7i^8b~Ng#5iy3N~-@ zn1(gPJ-4ckhr5Rv&4HEH0OC@68#od*Vk;S@5%3vowZhX)^*d_56OpmR*n?;#x>-~U zKNc7)+6T4j#BjWa#)Byfb@ua)?_p6|70quQTDEfljJ~pMvh0-)o28HlHc@IQMSqMk z!cOjd;&cztZo8!RiU2wf1W62@($JjM%*r0Lhj>vXC{c(!0bW&=`yLoWtx$*wbGH>F zBDiK!ev z9GTAC94laGpym^0NhT$xk7N~C91f#zZ0P??){Y!_L%Y8|6YEa!$j``CAriaW+UA&ZURhYY<7?!I? z|LwBU%_}jNWjnN^km{>1RLy+k16x@sgIB=&RT35putchjNy z%kJSuY!k&AzNF7)|J5r4gzX;6jSY8pqq00Jn8v?(!+hfG6n~%C4cKR$Q|f(}dx<=@ zt4XGgVIOwLImMQrvZ6hF_X%{zPnR`5$tRVecf2@Lvn{BlT1nuF- z{GOiI?vuh#pQPDr($-qL@y>tCQVc7bI>CyF>0cq-XmZOc{01elX=;^tlsW2lCDt!+ z&AO|pw9i0lOi#H#1pj1b=iPLqqQtsYT@oaUM#E>HV5y&@6PMiI)avjdTl>TxzXEA! zb!Aa92Wk*6GW>CW&MHyB#-|LeQaNeETm90Y=PY$vL%{}e#B*9DNI9w%O4lFE7J)DM za<7AN=50Ij5d=|lG-iPyXsfG$_W=LS8x-utbuGOjibg1s6@{>e9Jrjz3=ShC^*r*G zfTUtcnMF)5rodN2-LYQUyXAQB=d2FoXSVqk|u|Sbhr-%kC3N=3{ylFbn`{S#=A|PNGrDS~t32PF^n+RxvpHfT%0GStCuF!E#KRX3VhIJwha+ zrbO~XJ+_F5|Db$WStYZoSO)&DIaS#va*;mOYAN;kr=wrT3`WT!!$4}A+E&kYF2GKB zUpSNdWEVm#4U2Op9!Ck}{3tUpG=ChvTuRNt@a>j$y2gkS5t>!H8!5#vcSB}kG9ka% z>$N-XrKeHNLTb!1YaDQeL#w5bZkuJbuwZ$Rn+QgLeN1av6CT6b5Pu1K0mK^nRrZyh z%=36oCcWqncJxU`+Vv*Gfd5H!U4k5R^S~>dWu&yvsBjFe<BEQ_f)e*H5oyTNjMAGh@i(M8t4dzBK#q~b#i&*O*z=gi;7imKTMX>muvQn7FQ06QtPQXJFJ6v`p9W|zh zl29dY<#7IEgmsM-q>%@epP9u*7NS|xBv(A!^Py2!WJbX_%mFkDvx4! z87on)=0>bw_#<|Bsj_IamJC$()Yu0@m|L0C12wO}Jm6oNOA5pNdFA1RgI;&}UV}l2 zKH#%*0)r)pDidnZ#X+@AL{xu5lc+5J8WMoMp~c1gh7Ue^J+_TO69jEHPR*WdG%59l z~lUyj8aE!(e&oAk=&*^zB5 z!R$@&|IV&TAzVEx0(9ToUQs5K1kape9aax1$P?S$C7r_l`jx$h!GV=Ds%yRoB~$!g zaoIM3ht`*B3%>|3b#(>M7vnp`ufZ$v3HdCD#@|r$hzD92j+AQCJDTXQU_rS`B}4-)q{{ ztSS>!Wtd`|FepNg-N|Yl)!Q>~hTh^*TmW(zB zz&;~(HqJETU2JNuE*vr04Fc0P0!k&t_h7T?v(*!eK$er7ZD8wa%njvzI`^O64hj=p^+{djh|v)uwot)G7G&1agCKXFeF>E1 zr6;8Ubq=9T)X6YENFUcA8x6K%NoB-Vx3%+K(;H%|)_;?>iT@;ReLwP0ap9_}PQ#Qb zfgz=gu%1kwfy)T$#bX6w_&q?Nw(2fyj0+SvPp!JsZD zCsg=72Ngzy|HP!$6%S%242gNUJ8$|+ZLK7fobJ`)1UWU>UfrQ|9KvTI+Q(ah7Krkm z|E9+=FnU~hAbQQe^&jtDfT1uKWt6Q%7IW|x2bY*A8vl<}>RsC^;uII(#oKIs!s z^~X$HiBb67HNsL>ngt;rjGh>!(!B^ zVyZ~8J?7ntycMwx>N{z$66wD#fOzrkTPR)e!7`N5PoPS~ZB@l}p8|`bIBUq~NgGjT zF`a&g@z?qZjngQCN+Eny1Y)-|K%-0iX5(`=Sl70froi=DDQr`+Aot>7+m~?vN%Y3E zTk@=L>O=1)-5G)6k0QTtz5O1{$4by%-CjnpxP&SJf0xlr!Jl|98@dS%WCCXrHIL?>CzDN0`T6sj>&-h=d z$K`LShgFICzn|N}d=#PwzrMwbqI?zGok$dr6+tm*T_$Bduo@(sd`TbJm!3)-h@@9j zZA*CdCb~^N(UNVdyMyNOIg(o?v3nvbBU(LM;hLt-PTxlR`sr;dzV=@x`w3?87=>#i*GlZDSomYhd3Tp{L}kCz0)Xo@gz?<^%$aD>?eU zXD~O>Xb|s<`Ca|Fb62z>M^Li#lu|Uq}!{0_n=!v?fR<*0_ zTX&P?$Jkp1#no+Xqqqg9k>E5A!QHKK_uwAf-66OI z4estP!8HU3?(Qyu;LhK9W$*o+t8+yaMb)Bvjy1-dk4+6jWT}(hMm51CzhSo9!gnI+ zD19AuLVm31>hp_iQ@%LxMzk!%L{TZXiD~OFTGgoPN~VhTUl%B8NffdgV8CfWd45^= zi?#eBc|1m>kQQ+RQ%Tkl2+hr~lR|;6Umy^cH~M_(PJT9b2iomHijPpV!3)NQ!=v^G z0Dl(V!QD{iIvVIGfb)sX%SUaQanq>U&tPYl%Dwy^vtf3nrLv=ihu~Il9PMU*!y1F{YF+KTT2^^n(iE-QOqq5C_ z)LK-|F+mf5M~TE0lN+AiA(~92%rkxgOJ$qrliB@ethV|7gf&R$VcRCuRfxFU@bD~` z>>boBT)bT9xJjFRq#4${?1hn5iNRNPnri4~lbw!_=L}kF&10sut8zmAm%NtX{bRBH zZc+^)3-mjz51C3t_$y7hLgS%GCe)nML`yaQ1KF0kxLB7BqlFRI=vLoy<2zYwGKF=AG2UB1mswm0h(;2!ai{){{ZD0q< ztevTA!2Qt=eF&UY6%v#m9lxRGGpnNBPYK7@Rs)3uAnD$cVdq=q^jR!=V;jH}_N2x5 zjsN~6=OQ*euq7O2<<_vb-qi|sUu_4?Mz5b9NB{p=bN4R)Saa>wOZGU<$jU!o>Un`v z&zNLyb0@SyJ{-aM<9o09Ankos zD;*b=0DRfw=V$>e5(UG%BE$MwxguREHsS9|`s zBR`_tmzP*gpFy2dX)X|g9i3A3M*cVu4(dIE4SIAygpoN9WyYy<=r65+3l0}|eLIlOeuOw2I`!94ZZ09R?E1iVa8(+Jf@x2<84J_93OV6VcDV71bverX^X*q zvfs27rqEqh15HVjq_NwcE(#JRrhb18gdoRd+J7Pi}PA&82$L)di&hfT3J8IoTm z%09Fo)EJ&*YnDWH#DA9_Mj={d#~x3s=YyJG2VWK5HOko~$8Oq;A*cB7mAD;l3f(y1pf_y6vbo4wZ%0ci2bRQuF59Wl~sQL)D?*KNkYG`xSGT zMLkGN)uOyGV!ZEOlxuU_@l=tjOc}{p1IM+UcI$%l9J#X28AD*bU1^o#l3jj@F2k3- z$B1(o2W|M>uEV+nyAm6CqL1f$k|E6&jh;h2JMj8+e=5 za~gz|U#xR*H`%>^X(tqv&KZB_JFfDrcJuJ9k6;hBL$BzLj2^EFaY3v|$^6>ys#S_t08_o?HBFoZtI#fYsj1IasmY?VOE%$}sZ2xrwFO)c2_KRlD9^*KHX+*Ma)F zv%zcFro*7*(=w8Dm@exSsiypvo14AdV~=#$t?4YCH_AQnTXuJ)jlKjmJ}cdqv?e`} zz6t^tQ1ZMfow_Ygv1D*oFuT(MHs>bA#fF_JK3&`G)5P1oG!1^s5wK0<1W=`EGf370 zg2qA_9K)k8^qV#3FjiQ{=Hk&OPT77rBFC5d7zX1uv{reTgu1OUyo0e45=DdPU-W$} zG5Gs0&K&aNo6H&U)m#6%JKjU#tV)>+@@m@LPrn??OBx|} z2VVrO64R8H{CjqE#uVFO8>6<9ezMGGgi_EGaa7?FiD*eUlEtb#{(dGX3^KLJkOv6N zDT(4U+`Xc)S$Zfrl!+ZD+B{8acK`nI!y%mRWL%8#uS8{J`O9G7mdKLt*H!c3CP4ycRqJuWRFb)3TT@%c_yg)-;RS@o$ccg{GM^-Y-q#;m!<$K;gdj zR;MCA=aoe#hP2nwR@u}WAzB6BFPS_SA~T_QizQ){6{AUJH5>Ks`0j{Afvs-OcWckC zZxd4;!%u1TOsf_<=pIirP+T%!=F^5(^AdMuk}Fpsy4%q%R+6TM(%7^J*S{s3ch1)A zY%}{@13C;^aJ<}(;%;~?LWs4FpZX>8NX-eZ(pv4KwVwLt(h0<^=gqn>=Jlq}$`gM- zde!RZZD zR>Sp5v&ap41nw+v$qNUQ3eeOLwoe?wLDYh}ce(xT3}z)GzIKW?(Ckiup8<-Vs;Bl7 zUY8K$&ET`{Wqt1Q(JRk4DT`S+A&7NsAE8hV6TGBh@EGx4;Mi z@?t}Px{`G@2t1_in%dhS-K5`QUbdKPcNCoX^QuQRq|Yyy5pOG!^+P^K`nu9NeI%JwFXl35Pkg zVE|bQe*Xv%@arj{8HTNOBFjz168>xfoe0WMb54|m^u$Tso~k|H#5jGuV(O5ULKpY; z1oQ^SZy3F8nOIG{!*%(wTh}k%cGQ3aWaica)fk-H@!Fe-cSrXgqpUbSZoKP@NsZq2 z_gn3v6g;1&l_$tAVME>eJw)VSrGZ*>=U25KN}p&b6E7SBWhASJm>3-__Q)x*62Z3D+>%J|Kb zG#qOM$}{BS`zm=S1PCV))CbR+`>YXHl1U|W9|}$!R-;%C1ql`@+Gbh;^0;+xBGK;d`mP_V)Di(0hA^x^D8M*Z z?wj^+y;7^z$i1*1m5N3uWLYzxPOp*RBFVAc1$1j?-bJA>A_DOPCoNp(->^hGblE)RvMiq7V zVBE~AQPedl?K1Sy>&~#V4U=}xzRV96Z6$J&$G_j&Q4xTbS{aGOY)I6Xk|i23=bHqd zR(@8X#D}8o8@afsx%kak&}wdy!9~JTg&cqADY%2V~QmG$C1;nm@Jg>%Mxr|d0geT?T~v7quUwG;l!=94leOOYjDiD}>sTBiY1ce$sVa;l93+y=@KUz zMPaJ2ESO!}$WUFn1#;V$M%YQ~R~$4+08i>+iF1oI@(qG_OeGVa5eo0JKS#jLP<<`p zd@OFFyV@VO3ENDIx7e(e9zK`!s_9O? z2dGkCXv%PR*arL20;6q9&~$nWK4K*1DjaR5qs|^0j*XKG(ZRpuSB3=#Rk!)ohzsM* z#Kk$be?K#or*CbpS*|k0#B5UqH%uyb6eco8Q1W~buj~!|Ma2zJS8f>PWpi2Jq1fpn z{0!mctQH57?CvF&BZI{ke1B7g3gpWCb2cyykY?WG^fJAyg zu6eC1L9%~Zwr34Nm}KhW4ARhVx`Mloc5?FFw?{y#w}w?z6f`=A3W2LLI?AqPt?NM! z>4I#%5YBVtAjLBiJ)lbG6xK;Qj3ObeCTS4m}s`~kM*E$4iCK77$_43 z`i4g%F%HgS@aHPu<2Sy;`V;X{9@FWS!=V0>62#-$eW60j{@L1vDP19uLq5={(m<_x z2aOmpq_-v;?CkBzfEVjk16T?lq7Y4t?s%tv+8SEYO@yQW5w_bB=|_3?HW%iUv(+hi z@F*tOuRX@P6Ff;;g$n?OHAwo2mIWf}A3qZv92 zy}q4x!Y_938x+%G{uJqZXJW?+JjlPg8Tbe33DEG@xqz&%Kl4;B3;dXX1FgKH^_(~h z47FThBeKiVJbPE7B^lV?yOsV_%Z`OYG2l}&?t-BpHFN1&igZq7KxzG+ zf^GoCh_}?)N<|}BHoun2-AW!yi(Z$c23gCP2IeswPW7oM#R9JjJFlThfT*<7<*7qC zgAw@U4ZO*o%9joTv>PE$3BxGoVN{_v?bLtUk`K%NN+QoiyQ^je>TfC$ZlXXrX0;RU z-&V0GSZxh3uj_GlO&o?kF8wf&nJxhxGNtQ-!R=uHggZ3c;3D+EfPbF9>~@g8nKQC( zR6$y6Yfgl|&$f-_vPlISo3rO9M#MTBz@Kul=m2S_gXef8L?t&+rGF_n8C`@<0%T zXS@OIXu`x8MM#60cp@}4g9ds#ZAHxaH=LArt31r}xhFN7!t|0Oq5buUv62)#=o+(_ z>OGzxBeXq=%-{IvMAs1o@POmtofbuRs!XHi~dp6@9)pS^{SUcPn~AD-8nOOV?8+EWaEf2YU@6do0M ze9yt0$t^~1SS1i5h@NV}Z0q&Ws=!{mg4Nw_jNooIgHaViafXO(3{~zEIlhY#pHIq? z(H7ME|5VtYv6+C*e0P^!)FqT^F_~JwPy8+VLPE*r?kc7F$X4d(ClqmhSJe+iLDsx@ z?c3ZSfB~CP-Q|S=j&n29-WM6PgiaJ>TglzQcNgb%x`e;JuC9_Op!g2-ZWVM*pB-JM z`~bSU9u?OM7C`qdHlS^F`l4UDCfGR=SS26hu6;p$-%dc>z*{g`i!-u+&vB2?yPgahk|JIA=5P)N_qasoW- zKLmJ4c%g%mECfq7M#b5cv!O-%EM}&njvSkMKvId_zbHB3x$8z+D(b1MX}Z z=If2<;5W>X_JCAb|0eZ~Op@3;n1TOG4_N|tYxxvpN0pBLJ;$RwVb@7L_%HJsUPUj^ zR#eglx4As!+cgg1m4!moB41Cw+{Z}qPJhZpS1KeIOJ^=5cdpsf{mpp7s-7R{SHh{J zvpXrhON23Lk75BnD{(DRDBr5_{Xk^JhSG9;GaiRDjDd5`PvaSx#uki_f&&t;rkhda z2X?+^T|V8q1rN7>XPldG&+3M^9Q#Mh`Bd-C%Gpzw8mgus>xa0GzBxyS%44$Sr~48j zQJT3TJ+q{BY7C6Q)XeV9ma$EqnhMqmgMzeh9#_Shh34*Dad?p`o`_=nWLm!)4rGNQ6=Q+m1*z)?j9@15rwEY;LYlu7 z*52yyLT9P>-4ckh`!p$Dej=^V0$3c7hsZ5^s3OIhTIL6Wa)}a9xfqd^aB~z;n4B?D zz=sv37Ej5%y*k5vif8sM+}|yPGSZqlDnNWGgf@wOHy{B<@|iYAka->O0u2EZYRVFb zueQ!GO_F=@Y4^P_J|*blduAJxC|N}I;Xn}H|zyG15~|~4rS=EsK|EiXvCPNmL&&3#-}2)kLJ|>K8G|KtwKpiG&mvjabpyAm|aMQ`p)Y21sY%G*C+W|TIn(BUU zIu3F#4pW?b5!_+n)OxOe*OA4xcoyIsPWt|U(=js4wOWkfE6=;W(!ox{O0V8W9bEr{k@&I%= zdFr}^b2#Pkzn}lgPQI)2luYDFlHos9cA2aFm{(^frP<4&OpC;)CeuA zmh4cvDF3k)8Cdt*(_bgMQOu@LpU9|vmDC0&_bv$JgKx5H0|QSqm5K?%`QQ=lPbiV zhd62a6{Pk&3vo|5tZbT6Q#ghG8wqdY3Q7^6P}>W3{-P7&(`54>1AS^ z%Y>g8Y@WmIkiu{NV{!K6s%08>{KJPLEN>%gYwN>n^dqV0Owh2U0Bvho_cUKbco4PF zIkwS2WVC&3AGtQ2fbDK;xyKVK2mo_!KtDp~@5t`7@S$3xTMijuaQS`}o*i(4H};g` zzY%C_WR8Jz{`j9thlHjc?hmsg^>xOGgDvd$1{@!%R#6JVt2!28?WOK2SNnmjCz z^h51Xk~T@@dcz(4`bMHI)NA|<3aF?~olmF`6An1;{s>R3pdPtK0Q-Tu8UJrYRj>lm zvN#evlCa{^DpNYJ&F&9Q#Vg-TvYj@@&{_WOSf&R5 zDdU8{%Q(df3a%21E86uvQKNbrpVj~|bpiJ-m#lS|2FCB#my(DJU^-QbVwkmhzj^PV z!b>jeI1`{{Bu4X7K|dFeaY*fFj6Z(NiMStNqU=L^!Y`@l2&|UR!K#)3y;Hwx$BvKsX>e+ zJ2V=%DDQ&N2?4K96;*aeDGz~8m%v_SD0wyD=62aV z%occ!Hn4aQ*N7X=4=$pj2{`B#J6SMi3;dt~L{+Quihq-e3LIAK5~4xmNNn9pZY130 zS5tfj+w0DIVwChsWhUS{;h)#_A2UD&LhDJZ3P3=3uF}~`{JL;M!tq{OhDEp!amcbf z9}WE!<>mAD+%0Zj&S6-Pl zkP?1(+YPTh#7r1K=Fft@2B69EQ_IJF{6CE59kY~ zw9Nj;@6h%y{c|G)2cV(k^|zS%b*{Udt>Ovpy>2t70YhdUqc+mN+n_A2l6+}W1RPe+ z&jBsAC{3|Xr1*;&WLVt@W$amuIvs6<;i*{e7`_9z-*NAP^$@wTS}puZX> zb-7#01E35z<{uT<;27EfICaMcptFw8T(4UWG&*>{47!*)*41OW+WV3-XX(Z>o*f}PZsC=uc5WS8qZkCbbf*42uN0D_ai0e9iyePQyoJWYAKOb(>* zZ|_cJA01A=;W#Aca~94WeqI2F0ia{Nr;HrRTEW;rKFylnp3Xei`pAt_^O5P&pRW|{ zvX#4}wX)H)uz?^_LF62G^cy?tI)2^w5J+Kppe&{RLq}7<9(KTOk*hsYP}f?p`BiL$Sa-QmgP}={ zFL`p z06??!+|ZSgi&&X|`X{^mz>$=GG7KJv$4QOdk*~5<+S9tE_V0Z;eWd(-=FZuEUj=r5 zG1;o;06T-1hGa#l2ur_EI+x^WV?zU))aiT(t_cBFG*(Y$P5mC)Sce78J#odgSEI2D z3!gEbXHY>TZAGJ1GW^qG6Ax=j4&d0&JhYL3z!UV=t&T@-cJP}UqB>JAn#AjJYd|_d zDPM3?vB@>2bio%9K*1FG^LARY?37GA8*C1)qFc_qc*Z`|i~jghQ!jNK8)L$_w|ux< zg(G8kTB1>O8b~HJ8*r514yzLirXQXVtrt@AdKad+sqk4>!qaLx+fawt(l!3PqAs3c zwOm2$ifmVpvPL$vgjMD0*I9+mHHzLP?IfevTXgC%jG9ThZ)WKR+Hd;w!W&lU8a7^% z0OBR>2k!r6WdeSTD#qAB#}lIQzJ9^=uBkZtdDs_GCb6M}*8X9RPJ$z;wu^VyzDR+j zd9Wt2D9YXx@F{UnIE7IQY#c>d`+#aX96mtX_3W(L4&NH%B+}{a^VyM{LO`gKvmZNL zHZnw~l5@J@J?ezty+696co;KI%w3h7s%CNIquQ@vx?KIH+G^E(j?5j-Yj%Q`12oVb zH+8Jjm%nrJ=qzCgk=hsRIY$r;&TAV1KSj z$mL+t@@liXs)r{aiM7rd%-(ofsa(KPkc&kHFdL zWQ8rli|W`S8dp&YZhqLz7S)(#k}da#gVCMtkXi8e*Qg!8V|&`or?v%hFK?>YLT{rQ zsr2=b0Hz<-dSv6drPMavZfK2n&K|n$XzpWBi^nD-d9vovYj6GfmT$CBq}bF4KtX8% zqlMp1uf;B-71(RJ#73}$*lN0CA1ftBhudqfoWB3uaTk}o!9XcDVu(^WBE4=Pj$LF# zeWY2fD2D$`_7gT_xO2tli_|esNz}J9#jsaUK%6>acA)O{i^vA7GzePHBC%g_`ik&N zYj7Cv*4TD$ZvkB=7dP*`b8<^e-mn{25FJd%29`$cj(D4qqX^bg#Bf}i5}aJLyV<=n7?{8 zTo}BXt*QChp+q79Z=b$zL3n>9hCOWcP!)A_$Suy&?Lny-EHB zS#}!0h4p>Lg=wy9Sl{^cqj+B1_cn}6dM9j0mbUkbRKKvc$}MAPS-XgA-f<%;y0kq@ zPtZL|=M@cqs3V@{v%B>xa$IA^=O2%w#W2h#dxwdV=Bb)ayOIB4@zCBcGa&IT^GCb@ z!RD{zkwHf28-pvj(H=p8iyft}sp9WTtB&T97HW2sTC*eRVdAzTLa+PiWal$L`Uw@@ zry&q=VYq3GMkgPZ-absyT7zTxmv1alJ9PRHV& zzZBj*T35H+xXlf3J1CM&Im~&Ma&yvc6Lws{oBnpX;J_+X&5Gl;E+3etFA z!pCQ!zSZo;i%OLr9}a_{iAr(bFQD2(0SC57_9*Ln)yTJZ)1R0d&`|)}v<{PA-+Yxx zC^ck$O}iYOxy?z3x4*!ow-l(a2>wlB5v6lhhM8Sa3WzKnk^(rx*p)P=d6MKH3Gq?y zf5GGj74bKt21x4V_RI8qf9LTEvAB#K?hCiL2boVIyZ7}RhQA$A$)nJRGJr}5`fHJr zhQ|};#|1bKj8t9q8EN4rCKnUo;DKtUfRcp(E~bD?HKY@MEsxE{9i-d5fSq(m|}sc%$IzpLOyb5o?D-PrSiLdlj8E77lnZnQf@8+b6+0a zU))lw!eXK7?5-3tyItgUBb{qoB-5rTr&=^|S?uMTN(B}!a{Gaup#BpbG9ZXy%<_>l zLCof-k$sfHuK=LQ3jSJjPcH%b?GxhG8e_K!%Nu{d##6VK{xCX)q} zg1{Z*G#p4O{8Wpf#>5l?J02JS5-cVrW;D)nlWr6;z2{MR4EMdJN~V`2Jo0@$JU*9{ ziUwz8_=g-i78VR4#hj>&mX{=7J!WgnNF2_yX1Qc|#weFKQ3NF#Ncou(twiy*u{CDM zf4JV@-lucJF%<&e8SSr4PA8XExx{X1P)amK*NxF~>_gU3bb@lMr4z~5`u<}a?y5li z!_e2J&q5YNecdSGJu#RCAwMkVl-7)5RIGB!sfdqocYQYq;xiaO^AinZQyVu=N2wbe zQbgwI|IJy2Zks6NlX)y^1dl%u=tp_y_w-1NPz~V+Q)=7=t{k{FrQfnr;eZ({B#avW z?>@8T%9P*t>A}*Kz|$ybuC2dl91Q^r_`Wyppa4JXU@nKLGLjwT^RM&d_|?@gZYQYT z~iCj@#yuwZc@BH3qG$$R7X9pS%qcAGhWY#_Y_3TVQWx0M_Q{_IB=mtkmD2Z z;fGRVHck*ip^#sydkS`XtWeIk2eBwvMQ1+0LTYd(Nula#v~f(TwuLZdw1$UP8zA=< zRdCIY6f6Dg{~-q%VxZB~4Yn|5aM@2)JCigWw7ERf^ezsw)q!E)EWPE6AN;e`S_~W@ z)n@^Yd@`#Ab&Sgo{wa4#R?bdpVM8|un{P`<9G@prLx%>a_ws6OTakF)Z3nVLNk8Sy zavm8M7R`&v-pFDF&Ca8kFz+;`5kP`5`bC<hYMGS~YVvBBIe)a< z*HNtrT+WS}We&B-WtO;U*D~L|j%Vv{DvGL{$wk(V;+WsC<~k2B{&vy;-T{447Z$0dmopd+);T#21l>NP^;crb9^;!P(1`J(ai2;rK^5@ z8`tZX4eq9J2D8OxUwrK4+?%G;6D<&)tvV6DsyT@XeRHcRs-*WAa0`BQ`xq4vhxJ_d ziLH1-pTcFVx#~gS`|G3;8Bw_)7!xm~_x=QPIe(|I?}?>aRZVP&?;zx)JoBvZ zM{G1ehRK4QZz0+ zwtaP~Z~2N7<9Js)=!xs!XTw9mwDRVLFAo^00sW>-_(ZxC<-6ec)*qq`6Wkl4jHp+b zR&rTjDTAUUTNQ?Lk|JZSqQiwe7>V@>5$40qOD`yB@Va(TLb-Z6-PJ6jC4jH@554&} z0?dmcbuIvlg;FdpCu@5xZ>>K6Gb`IPsM0w%YLPh!eCOF~)s}LuVoEQ*t9f&pdCZOb zOR`=n__|=$Nwbrb39+m@xpwhPoc!L|eosubPF3?Z1nNS|2VS+1yDv2fO~{zo2nLQ4 z7M$E1wDf(Hoo#pld`-m>mDts>ih7z%A;V@?25M3Bvh2tkk&{cy*{De=c1c`TGq4!( z6LlWH)EX^-mduCs0}H<|&b#CWzEIClm>p{M^td7zc*#ij4H;Eein5n_Aw6HPYju;p zVl%Hv^O|bTSuEa@Ik=N-o+A3>020FaQA#s)TLa^n0tlr=eP^gJIX1jq6Hd&43P?Pu>tr zB+z=zkb6SPBwy5HC@)2Er*e;#^NuY=C^J(L2;bh9PQN?+CQ&8ljDey?BQ9vM+DxAv z8fvtk#B%@5S2j3AGG9OHOa6EkL2|xRNWHeI%{J3jt=kN0CkWb%6!^K186!^wBqldX zza{cpIRhtEKtQ@37;?u@lrt^EKJ>sYK!j`?O4uf)=>>*OLe`Pe1i{}w2Z&_K(5id) z6|de7FA}@tCqBZ*<0tZdER=a-L2Dbpo}g9(qxH_v%|BQgxC8=j(EnNen5Mr;aqE4B zSZJ3qUXEcnv2Zx~b0}Hj`x1BwE$8O68qF?ul5mg1$4aw?P#WFR0BP)E5IdM|+KDW1 zk!}6dXS}!7{b66OZkk>|>Xwtaku08osi*sg(-wxZle0fJ$2BBTxX^LCHbD9H^5bsx zuQX#vihVhJnDrHSG6U+PPj1?yvtpuiyg71fv2k_nTPzi9NGOS@)WgsC&vY<0vbM*u z&w3lG*8Be-=4YIc$Hk4Dj8`EzhU|3MCB!K5$~RJHk2-vVw(@I`qR4=dCm9$p-O!Kn z3Rhw-POWS$Q7tesXWD$^&2?}!+%&tfnrBaG#8!)dn|4S&CodwO2*i{RFu0WFg_Ea- zjv1s%A;UuPRfNtymz{uClqHLlS}`(Bx{kgkJ500s2+j(zz(jeFh1?K?*lpH)A-wl+ zU5UjPpT*$-23vn)Sba}x$*cGwcmR= z{nZ}@`O_|`v&V#}JZ;6tu&s0cnm$nu%%*G1I7|xmzJCBy^Rja^Dtz|+&{lZHqB8Tb zw#qjohnRmkAP90p2AFAYMR1?6B)9!rOxD(V69Q8|u+>SX4*+vp^Rp?FlB^%u2Gr)W zJm0sQmqm#D4BN%7{t{%Ojy9F{L+Gq$#sJNd=>Gk(Dvy7!eMYadzNQ%`FQ`zA%NHCq zz4sFY{aul3?_xC*)c-dxgnH>($=HVz-x(GCoukEQ``qb3G7wZ{CMzWeii-6D(s0AD zQN;{UlTd~nPC>8=vg6;ajBAEQ(>0kvT)NNWoKUg`4a(*e-3+!^dD3E{Ji$SxBuj~o z0P>~glINgA8OyOyuKA9L<6Z;3d4@9r>|Rud$iUz@U+tdiFqVlLyWxq&q_vS<{+6pQ;W6hqjf)V@Xl8H@)idxlS&a6` zN=*jT-+jPTumC|Tr}Z^*Z!+H!dU0h55iP7cHm5mKQq1_2KzI15iu<|d(uT^3TgvzX zpdHg!W{K$o2U(Mlv##akKD^s@crJ5S(zC7ubYZ9?)-E>)ttJTF9ypptgLL*k2Mg$e zBH&_pjDH2ncGC`V{Es-rO(fusi8hwqn%y*otM|fBJJCk!>_U(-pNza|#=(Wh?2~8! zY732DxBc0X=yeimFVP4yHBWt)pvb2TN5%%K4k`?X`HT)-0027_@cy zT&s_>3&)%x$GI7IAi21%pyCh)-Y-2hTu2y))81jE=C7;a{)8bb9L1Y!4Jlxu9(QJX zQXr5FqgTi#=x?4!(8i`{<+bkMc}qugI=a-smQV^$d*;wh=xbVw<9jo~F?N@g6c~N` zWMX<$rV!MS7!)Vor3xd`1KBDAL~wS5m7sKLnw>6ROJzXG3@YjFK_^t0%^`S( zztRKd$KC^t=Y*gpRCM6`<^^h`XV}H_xAv(Fz1_>6H5vlbp^Kp1k)#_-a;`fZnkekU z3VCq6h(7A7KgJ9}0-^DvVbT>fElZ$Me*r@j9-k4E>eH@udJqlOv3kZ4@ou2Py&*@X z((TvWAkFw7&h?>xP(i#sQ|-lb;7ZvWx#yUwfNm{HFW*l(+SW@#TS}@Oe%PagB4>fj zjZ=)BfOhQ$KOrF;V@WJ<8huGb!x>`I4#O}}^^q&YczGGy0}I8+RnL}iRGwXF>s@m7 z;Ho%%(#_C13Mbt;*NYSkC|@+tvH=IlH%!_jbgQ3}!O%Jb>kBF>@a>thB197ANB~_+ z zh7PPY2E5-O79VWHxXO^?u8-_W+*E1?=Or{24`korT0?doq)Xsa?JBEV+{4pw-k2;d z?hX7j@%y%-i=?9|;3nv_o4hXn2Oq9(eKH$uGaABkOurWYmviO^t5!6uI5qqKyCHdx z0BLJLZ#q&_-nNs=!5E0AdUnk zg9c)@3qXPst$Ioh7S2uk^y?k{XLN}$z4<>ut?-F15Neo(^Gq^yC+rr`cQ&hg> zc(gIbA27k8{5WbzsQt!Bz?#d|MX-ts|H}Kt-Y==oNja72GL;ksL7lwsbZGr%D1$oI zFO%KR(^mk`55-S4qoiCqa_lg;k30d?4>{xomyR8$iRH;6!9$M29iS&oqUxUG}%8axv&z! zEPx6h`7`Yb;t*$b~iOX4r z5S5I_-s*1|^{Yd!2Nxc*3X~XRZ=3TKjFB&oh)&oVv95~UiPZhBu{j`>nvgYR!`es4 zZlEA!ONIPAt%SVibqF47p@B>78%o)_Mr5?L`E;SeSBr2I*k%_vD30(CKwML( z0DkmPSZXYk`gy3P=-_PW3oXvJ7oi3vCw<;~`)<68(sv)KljYa}r3lDfv=|8OPf$}L z!)8hdRMWn3RilzUFE7KpA?~uI_C}l93BqhgV!GONUquEa&rMX);_t3aG+W^(EjzE< zfsl*q(BC@cGfW*_pqEFX>F(6%e`125)k(v|fS8-tc~wJSWs$fj2s~%w%wq%z1Pg__ zj_=+BkU}o3NCUkv8B=1U;NKt+tslJ?LW_(Q2&^34vwK>`nY<$4Cf;1ddhOGxa7&a( zO`nPR)9MW#qS*;(GE+}ob2VB-19kSO5LDv%DQU78-x>Jf_x3lJH}zM!3xL(4stA)6 z>6G(gmvXG;f0YogUFLY(zaOnZ7GRpfq~XLQ zC<%&{X@s*8K=_L(a!4oz@Nh_;*Z(mALEsVvC&GXBT@vN(Pgl}Fs>1v~puG4O{$nzA z_KMv5UA1PDJ>yRVA50#_jndXv-(efYxDW-5z<0QW%Z9b4eK*Yy{1=6vBVr5_MF`PN z5XFt>Zj4HKWz5ckCd8*AI*tvW#FSCM;+*PD_}FM|nJaa(dm(N~_aP=NoWj!$I@}8e zy%&6p{YDjGPyu+4LyY(qAbfqV0?e+?;)xqXV#r|tV^i+Wzus;4&J@t-W@ddbDEopR z{=vtW4aQBsy4F>8DG2y`PN$;_`}68t=XIzumO2fxq7ynYCz z$eRq;t2D`$E%K(8!6mU0cA!F4rrhgOi0s1T%gw^f!_W~pm(`j8YHSPdks7nD zT^!Rm#10!Ap4t6)^9=^W8Fwen^8q^JmA>0<;EkW~phQ4K=m#nGi(+<@ZkJWw{|G^= z5I#P2|DLZ_#KN`q&c)|r{0p_dmCwOk5)L~j{u=POHX0O5W*WpJ9XcyYsRdL^@{Ai< zECR#W8Ff=z^DIzhq_yr44op1bT~hMfL$=9du{q|NdQE@1G-TNYkD5V4wZ3 zm$JH>lH_$2f|uFjy$$fa82C$ui0dR-N~*;tlq`0LX++KKjP2M6iKwz6X)Teh?w zkNjez>|EG5{UUUi1C~YpGi{?IR4EN(p3AU6JN`q=ajxKw~&> zGlI9y`S;t|we(xX4bX^Fjvl-_r251+LAI}}4tDC0uw7Qj1bi#(?jPgh!o$_yfZ*ZT z@f$5nY^l%T?b7#KV@0LLeg?b|f{v3)MK)pU+2(u$>ZvbMaVrWKR`0p0N4;#YE_4yJhN74}1%9O(izzaQWT}KA4GsvMX9QH7ni9d zHfvY;hlR1%$=C-^fQeUk09eM_Q>UW5d!k14AXFB=-}b%zk`)y!1;w=11s@u@HGT_k zk?8d0iDFbafe(c$l*xy{(w?(g1!R0(*vTgiEWtsmNLs?$R7BB~Bx;?2A?v^o922nWFpE*W zPFG}XDbLpnVjf`eKog_dbrwumeMn>5SG+4Yuwya`tkRwHb3Rih_+y&PvNa&u*Guw zn#YI7G`K$cFIo5d2*Uc}hjrh8TfN6fy4bT71jX2Vjk0X1L3olk)bySDRzD4R$^{wQ zsm5=7ikmtIxFTSW#P6b<-cJ91_NKIO=nd@|bayT_djG%JdUBFIXE5*zR=k2)56A8^ zpRCkB4isI%$^@zo?!=ov>qCr%qJb|4*1~*EADjCR_!=z?C;HD!3C!gzr3LqG7%Xa5 z%)mx;)V6Z4(IZwS!Tqz%AUfh>`Z!Ebd{FvWg3xgTJ`44E-}p~#rq~Va&IL*KV7bL8 z>crbX)J-t&9N>;o=fQ8>&V5MVX&;^pW}cP0_>ZI7#}2{^vz^<*S6-QJ_2Dr{P1Qe} zlWNxaY}|7FD!-P=Dxx-)QAkKhF8>oQ@vwZJ1kj;5`@6;Ky-a#rDzci^mnS zE;?l*uv>HRT8BrG2^PVaQBpr*vB0xB#R7~GEL?DH4GU*0!gkwI z&DWI7P#PD@4Al&&4}3rT#Gm#JjSQ@#wAPLPeP#$g>KjFUA-B5Y_+6R5L1C5#rT~wK zTEJP$IK+}eg}x4!>KG4#)uEZyo)uys^Rp1YEJxdzdLk!*!%Q2VdzCi%TGI~KnJ z8&n!v@&6s&0T@HV2p_$LjLsfe(P!Z}LL%UT47Wj+pa2ATlRn&{I{cspmR3V%wM-@0 zz!i1ssD1%oP`~;?-u7n4bmwp_6GI4Xg8dmE2W=4Rk5Gb`gR3#z-?b~OyS9fx_0<08 z4_F4B-@o#2g#W+xzA~=rAZn8a>6GpcDd~oLMd=1rC z8C$ChKGk|)g&H(ilY+Fr(DXEB=z&IPUaRyb^yGn8{A1RjmP}l&nnGonnQi95M#^Hn zwj$)dy^8~9$W$5Co3A>OaM=N>6L1ec)#yA|W5l;)dy`+4(5?JUr>BIT+UQ(_ZpP?|U}(^q&j)aapB;RQxGx=^{XUZW4(gU6gG{?i&CyH& z+MpMXy*rA%dB{=GBP`!W^tmP!iUUNfhd|&&!y*Jhh>v1#_6`_T!OfZy?p3{1NP=$! z@!lnTSrt3(1!h?vB3SaxXZHC!t}h8P_8$F^hg0%KVN=K~+B;z^E5X{M|bm1a>s-vp>nMbnK0t6YYl z!SBrW|3yN&*3jbp+YzE&Ma^JajPvIN>GyrTCl8~k>~x0|c&{TYF5?-`*zllMBd4kIYu4nw9fEs-5QoW>XcxtgbPvHMpXmw7tolL%}|hrfqZlm9Sb<_qiNEY zK^smw44N4HA*o-)ND=FZ^t`R@XI>v~ zUZUToo5MW-jyy`SL{R8>%MCs9k#KexorE++k2-{K73XuuYT1UgDDG7^DbkTXz3n~X zv~wP+V?RLL&N5I=v}oWYWT8BHB?MA1GDf_vAurGB7+(Vs(AqNv@jbn-^=0|3MxyUfYB5Rgd ziuxiatBgE%R|X*8W7tCCub^X>Kk5#k3^A$iBd>BAX?a|orXRZ=uH2h)-pM-g9Q($z zHmID2mWlL~d7v|Q+r#;#MF;hvYQuA0i$t=@dT*5|Na&O^(G9BY(r^w`@D-Nu09+!8 zdOe_>kLUU68yCU5_>jh=7ep`ab|MC;(`|>SPctZC-&{f)iIMOYRbo^XXh1l&ds4|G3EOx7(j)qU2bm$d^qj(hosE0E@)* zCZjVE<|Jq(JkFp_GT>&e|CI17>iBf(t7rzv&Uw*DNb!Q2qJGi0x9QnnzD6wXX!3OW zs&;DzF`uBql6fmU+)v-gd2I#L6(>s*f_`O|AC;Xee=YdzvswaW1Q+$DCMSSyh?*M3 z{gs6B>$Y*aizczQ=fgG@`r~4!`!InYvz&15=xUZW`S z5sHYWSM&1wM>;28(3XmKi@zLlilGQ9MBy2+EG0-&5fLVTVxz(;rT0w=Vnm>IfnNw9 zm5MfK9r_42yT=?C7K|F==Ukj^P9%XWV&`W+O~VzUM47!h+JZF2h2q~2XQjtLK;RsV z&}9kFoCgPOmYRI!Yuga#Fg=H;$^d7C1$TPznz^gDcX$^BgQuf7!G2%85LQP(2UcZ`*RJVma|a7_nHH(lajC4WTr0(X>s!m(NX7k6mqMLuF0%X}OCZXZ3(&Qi zDRvOa-k-f5h}SjVYKXp|=KMxSgJ~Nnzee{}3}E(YpqJ=didQ~vc`ZWVbtbS=CC?PT z?y%fyY_ggp-*Z0zekm{s3joHrzpVNER`+RE{uExF#MgeT`J9G^RHOEw{aE{jAFYRe z;{@APug6i1s5Q+WxDTLu9jAC`Jl%#x)J@y1AH0Q>@wFQ?)1t+!_(sG zqJafhqRWvF3n<6EL@N4tRRR<*Ajp-|L#elh9k}Hmrd!m60?eBjvX9xxoSf6w|qz3=EcZCYx|#sM|Wo)xLd{}PWR`oVX>GcLx-Am4m_jKM%J|jiQ?sT zMzUbL2W!?gDyWuxvn+Psaxs7s4o~-I3Lrz^VUxjUVWr=p^Il1zlq$J$p9d>$Ft*J{ z@vj48I}CJ#AgafNXHbiBZ|O^RllnNPo)R{crhU-DjzsGu!I=ar1D+e1s&L&4M0#U5 zVQWT~Tu}vRgx&z+27?>@j3iu<9ea@KIV&$|xsGY8F}-h$0vt?<>W*nm&iq9>yx67! zLr4EW+-7dex^7nqoSWL06F4IYKpKdjecnq@6p|?{1#!NY9?g;&9r2eJ;=vQTy04l; zJm?Ummjvik{$OAr5})lfkqW4T+wn7rCr~EfCucG!TeRGGB!XnC(<% zA|wM73|1v!qT>sNgoe2>im^yojv!RzFQo3QsLl7=ss|@o%L`Wfg z0(F>4kTnmoJx^nIDpx&pHSiQReO9)4HjeawW(RLUH8>8^V~l=w0)Ta!Hdb4^3rCds zdNQ*@Sx6}hqotpS*?Tk)uJq37ZVTS9m-d2-8+g1otm8Sg5Kya2+x>H_xOY#9{NFP8 zt0(5j@_l(*LDHvf_bq9h3=H~G;IU`Lr-3FNhudUb{?^g2lq^Enwy1ZB!cBq5_(~YS z7k9+5`uOwdgC}b9>z-^^eEaFaw6~=)6n_+QJdX^3Bf!#)hx7<(MC!Nyjp!s1!CO%{ z*F3cP zbSDo47I7NMdzPUG)OS+7JgTHf?@mALZo*j!#|1f|8LzBy3u$v$LWrGm1 z9`+?;f7sljX}?&{C>(GgrCW0tU&rtUv8Y!)tMZMB*Z?EKl8G3Z*z;ezp<>2egwVr(2rd^3~S);}~4I!TDICPc{i@__VU zV{`;)c7-x%r`ta%Zf_*exO4sm3!`C_d>G{H^zzve8BGvtq54M(Jw6*a4^dGlbnkS3 zM0+3dDAFr{-K~WvtUf>Y0cfev*t%kwSBf5f-_ zZ~*=q&SR8k^?h z|1OQqz_S88ojMBSNLldl@h&?Agx+u=)HLsQeA2GpR$=h7n+0S@R1$@F2V_MyyOYOz zD8QNZg*h+m>LQwkw8u;Z<)EJifc1kZ*rx8<^Va`AWUxn-5lVh%u$_b+{l^40%0|lY z93$O%C>NbJjDC-!%9#d;CnfVat22<<+9Fgl2Q}OBljjSoirDAHfIZITj_;PdS=x@_ z>y{}+j3|_E!4sA;lM0BHI$USl)`S}|%pR0`M-4A85a*2{1Ycx{Fd+<|Wd!HI7T(Qgio=*YQW^;nK5nW9L8ai%MMi*1yJM1(>w4-<>-QsHHvN|_-~ zB3?^f@_NJ$LLjs6c~-6k@RFaA^G-r2-yg4aU8S^-ggvTU>~jw*lekG;6G?AsZ3R7K z;cXTVkF=m)5sbArBl2Qy0|-9FY!*sk;=5d92=4RzQGAL$Ssw=Xa8#`~y30QHg(Y@h z+Sk+(R+qSMc`o(bYf1s$`2_|*C8-}LeL!5`fl|lv?>NO#*S9jq;K+MD-DRyQz> z{r)ZTu1I08I<3F)YZEyDT65hFKx?wBenM*&XMhh)&=7zaHQBJNmjysy1f7*@i1_4A z!xDCsWtEB7nNEOkX|1jvW1x~cr@YRjPx1kraus)-r^vTLG6@WUmvRm#arj+7f&kF} z{$~y+G?h-|B+I&el`My*o>z;)3D0zfDZ_XiK7(9VwTYmP3*`Jy0*7DkwEu_9b#v}F zANfa5zGeGlSQH#b4EKp(CA&4Kqs*o5 zJ3J#Tkhvx7QeaKkR_9XJ)w)O9)rs68#xgwT5ua+?^&v{SWc&x3Mc>FCM6IlVAJj5& zIIGX>P~}0LNN)F4*Jye14bu%3#R=6z5~SMXTMtBfpEVGoHhUl`I>&=kds(uFQ;4T# z?~Nk3p1B-2qIbo&WD}l*6+ubl&XPjmH$b~tttaWjEyucb(Ng1-!==;p2sMvpL<%Ic zY4NBrVzh&-3AN>R=;0J_v0?|ZR2wW_mk9)kri-9ZPE~1cwh;#ee?QWddu))1MLI}6 zkF^tl=tJ2pC@F7R$MS{PO)&-~@B^OdOS4_~rLRwGW6n1>+xD#XQl`YT?o~`gDzk{u z$?;M67MW*EY9CnA?K0idVCg)608Sh9ndE=W9=0MXyGs~LV3zC#Fc;LtS9Zo5$`Wg} z_fUsW^^C*pU5W9s3`8l}2&KDH2r9>vn+W`Tder{{^}4<^s#OYT8&Ll$L34xAG{d~r zpu^Um(C@A~AX7zCNRNBVs1xih%>2!$djRkkeWf=OLhPI_=2r(*ClWdHDC2tIUee062tJCyKA}F=%OteU~KnrrjB^8E^^*W1L1 zRL*`~qp!n)5s3WS1Q`)bU5sf&Sn4p*+rafWL0<$0ewx^B(B%?phU{?vK*tR(5oH0-IcUE#7In1aoCZX&kh{Rkl7SXF0Jn7ent@~Ie}5scO0%B)7-fHu`4XjW%4uEro z(a6F;q`x9_6E^u>9Ly-mV}W-^&I>YiAM$?@jmH(wYl*@f#N*$Ql=2) zD@Uq_C)U0VDb>*rWFJT|ku9BIZH*vGVvpjLGgVlZNwiOsv{p1PiD$4O zr0EGKU7lhjmSkQe&a-*M4uu6PVhaks!|RE^MJy;G{^v}BfGjWzpi1fY^#Q}1H;^pN z2%VH*I{`kviB%z`HXFT*<$sxfeiK+<5fCJS(XH}5kN*5wyGBqDa0G}pP{*BL5SYg;s1@tbKhjk zOy9Rfj)X-#0S2VUT{s>`D-&Y7QmXq~VKk&!=b!MKNBKLl36c|C%p9uWO?sH;ccL~0=!z*#(==`jn(DFmyF_0+ z)dx43X94se8B^u_uU=2TOi`CKs`0H_FO>i7)=CBxJ-h0fy5N7x!+(19ZQ@)*!LA_6 z+w%Be_r?nmx$#1h=MXvl{t+(uZ6Q3SeOaD{CcPQs+d0x40;TtEB&(PL`dOxm?PrQT zm?ma!vy|3miSMu5(~6c)cUwFSczDVVO@%so{r%X44H)@G%$0bRzw_<4gZ$a&9<&?% z7ywqO$Orjy*Ad4+_HE?MKLYESx>+5NG8tJ({Ec2;ZuXd`&btzRr4L*{pKK&=o zb!<$)$~oENkB0tC#>FuH&7_;Wr&VaQpSg28AsSI2Y#wE<-SL{A ztb8hzZ0=oPC%EWw1L^%04rLw<0Qp;HeZ>W&sq9>#tl6HW#zy>ba3ooBU}?>RBT~RB zg(zW@^VvKe;CS|e_OA$TO3Y0X+<<%m5Jip~1CSd0@ckbY8}R-iN9b@#D$eK7!UbNy zmO@xNik_Zg=RWuG^9GDGS1g9I;Xi1z;Q(L~BysGv>RD7=@(cOPopm)rtHdwC4?ohO zjAwE|e}m;0S1)u_-WpI5|153yyZR3teT>%)pEAxiKMB&)%ysWH^;Qvjw$K2yga;DP zzI9*JX4|;Vn?3icTFQ)5=M(w$#j$xj8#G6I0w7WG9Qr6oTl7lU&f^31w&e7K*y@1X z0jUh7M?m}u?iOr$lu zub*6F_Z{ze5jiz2?dZwV>d&<_w_EvhMt*$stpJ%fG&quz^X&?0JL#=i_*M6+$RDr` z+J3?yEneppnIeOl2bC7kqF%^oqgwd(#p(>Br-c36NB2(?_aXE3b$aJd^RBuMMpNto zho@?F34Z9bf-_&W|Dl)<)iFX7iYE@8NN5ZVy&ZakL0#EX82&RO{H*jASE8G%;f7DK z%3r7@+i_mC2RPZtvC?;s>B!z4Un^hEHe4{T&3sHN$E@RYS1pv)QX~=9EVc=310d&_ zrcG04>lf0Cg6PauZru_^b7hoQ@Y0`;vX%BNLIlpv-#-oUkzFIG`PU8zAWUj!`Go}+iGQqf z`B!frlL0%)5oQ00y=9XaWWTBJB@zOY+V!{S=eE^qakQBPbu9-E2Ei=RQOEv#bxAP zXUx~#VKs*Z71?xRezIzUbAqQnmng+!3?2P5_o_3D$N5l+tkrJ2A zNYzMyz0T$_=!z=hjU4VnleN-snuUdP}4VU7w)s-A| zZMWP1J*Nm=!k2pa6_}f!==2L_R~iG;X<;J6EBjR+xtF>CTk+m+S8K*9S{nXGI z&2%kerc(OH_K1q4k_Kv5%U-F~v{PIZI?mVCOIVkEPpsFlt;0rETD6_diyjA9Nbp1R ze)(Num8i=1{AAvuKoMWaW6ra;e5Otl<^#%%s}1{aMB95Xx^qqs;M=I5i&I9!p6KN* zazitAnlMH;t5p{~k7C!_rlO?wcA4Tjm1@)(*fBk`U{2J0zQ4$5y0A{4Shzs_?%WamZg@cO zr82eWnOZ1@Y&Ys|X^XIAk}Eh3+Sle9A?G4B#jC4Ni`Y=^jsmLk&=cjLT_<5&#B!4NlAj} z4RIQnXGiBp(^F+i%bE_p@+JRZSp<>PUkg6_jLdcn%j!kNGOnw{z`r>_H-ad7?VDkm zQ2S=O?w25JsMCzIXs=D0C8~N=9#mQnazEQJG(D;f3sTK2aU5lagl552udBM$s*Vfe ztWOC?Hkp9W^IfO1TEqnI8Sq|haPLp0faZ-JhIo5LvqlcqZmtxzcSj@=-gV$iA7&{L zb5?xWh_*a$q9Oci`CQ~UCBv1yZCQOaB&my98` z`NhrQ{x#iXsk-a3O!aw5B&@=*k`t!i?YNI+r3MFUIn@ftVV@E{RKL3F9XJokGnY&m zqjz1*6b1FYvGTMC3J3WvW5Do5Y*O5)`9XChewo;J!@N{NzkbNq5_WF^jNX}vg z?KPYv=ZDMbg18P5E1#w%LI=~;+Ezy|S-wuh!x7xBLvaDv*lT`jfEy^fyNsJBIOUop zU^?qO#%WO6mnq)SSK4@2d3&BYGRCk%|^&WhX zU)Ggq&0GibJ5T)TS$@GZb&6%4t3|cUu8l(Ce%O!IcOknw&L-%r8+uX=IxV!&kKOMu z8=PktF~tg8OglTpYYZx8+;P5^))eskI;~O}tvZ$l04u7c33!oyc1 z4#!wz{UpL7Gw!REnvp`hrYY6)oUFr+jz(x9lwLCKcI|Itp}w4Tc(@Ma_idk$NypAl z?N%DrZU?gu_mOaPs!?=JM_SYbeifJ%YC7JqvI~Y`_umWm>M!$yzNK$S*t!^BO~(m2 z72|2r(HXQqtwe2KfUf2YG`yS?oH<>Hv=~~*|gzBN>5-7OV&JfVri&t}k z{MPmR!Rt=@ZLkbe`Vmc#gZ@e8MboJ`g|hHd&GW6fg1Gi-eII7nzq-FXQY85mTl^f8<6GYKo$g?1n0wxM7yaGE zO(Fi_0GHLf3DMKt5yT;sBHQo0qceN#N>Xsg&Zfp?D0=snMtrcmP}6j|*G9jG@*!*N zpFkf{2c39a<}WqX_PjK(o|gS}umK~j3ojjzky$SOW%ADLdEa29f#efwth@}z845{r zRIB|yx6bGsfwTWzn}X8`((+U&qff#j_B(K>Pds)o^4@uwLeC6cCRx82@4a;0J{BDD zaER}mU%j$B7xsQR)N^0PKtIz}DdLW^fJwqe-&JF^k>Cqo`#7)4+C$jNqli{zEi z7w_lFP?2#%2ZssA8bgK8O=i8!fN`!{f3^4$2H4kE%9QA(uc)~>F0VdH=8iiTr*S)V zA~W7~Aj>9+U!r^>gqQa`Tz}Q;6jSGlP0*jVr3(+s!3^Z>ahWM9lX5)HKG}`&^9}-x zm)`*f8rf$;KEC5F9o4&IC!y6#1q_^_#A4~o!pkh z|4IeNs${afY~ESJ7GpJ<^qtYXn1#XGM5b4-@Z9x62X04j$n!58Zj!-_Sr60jBz_!? z*dHw5nO;fW%^is7BR7^5anu$nxgI>yHPnzBH5y=13G0J(wTR`sxcgfIt>MW1RN_2d zLY9#Ea^B)(kv_)i2xI-dj`v zYHp$x>lc$wS(h12I9$AB93d#qkGA`2jGOLbYV^3#Om4!V!3N!mdg;{1d#ABX@A19L z*$w^72N8FJMmRh#()Q-wKd=CI2#y)%Egd-!f(*`tl@kc_c&0onl!oiRS1KpW7`g7} z@CA(|-_s9HbD60&^V_UNJ9czj33eVg6t({NBbTu&w42fuTzWK@eJ86!!sF!!Gajpz z8UNs93pQlNUsqH!ZvMAZ9O(egKMFs{;+K0BLJM5d{G|bR82k>o>Npge9V{mx9azKe zMEA6f(-hI92Q$cjpN1+X8pxW1W^q;0!R_^(9ORpk>G0Ly=dJg72ua4(Zs@`y@RI^p z3qH2wN;dc);yy}Hy5tX@bS@+$ta^lBc16_+A>sVW6bvdpMq2(oKQum`8;6K2`==j} zkaZ`}etC%%x_DjpK?*O=H<@Sq&0zU5nJW_3`EM0f&ARz3Y9rF1D~0WHn|deYEb6Uy zaf@+|gVaYMi}RG{0aqE496ljS*BIBvgs0)>MLC=Yh#Ym1!1_PvVP{h%QQi-nFZx$eb6r$A#lu*#w zxOf;xJv4~R(S2){&~SS&NQN@F{{BoOMZ-)386>z>S0pq(DZn9t;|uwxPmCNOVWt$V zoIkzT?g93#vh48Bl?IqWcHrFWS+FiM+`2Xpb)bc5lmZ=eYbt@44iVr6Xmz?+{IMfb zM7Vt4Y^Pa;e_tIpeV2i@`0hRJX@?l%I!_i2YxB-^f zNc!(+aDJ)28PY1ZP8crDARMp~#6b#~zkQ^bfEguOYbX4Ek)Yw`R|10#xA&|3)2SE@ zjm$D9CqC|vnUlM@;WQmtZg0Vx&RT?kuZ}mL^XDG0)B$e#2AjO4KQ0dvTKr9$k%~F} z?ZhEWfSjHW4}OsQJ7B9kFe`S(a>PGU@mmI3+>!tM41Dtfa4p3BZfE2xg$NuKEGb8{ zfBGZ=GcqgJ)e67ul`#wqCXXR1`A?@RI$$>w-l!}8*%T(={(`7~&E)=P-kNH_ydQWb z{&8LN4FO?pSEs%HR||}QHaGFKs6XQ+0g_9W0~Ip;Gax%reqDxX4*$Q)D^)d_+j`j2 zUO0NK{(~HLPHn1kJDr=~Yx=@r+f&u+@Ae>RS0@G&s@ zQ)J42cTO8A*>f<42y*;a3vLDfyG5H*^#l)#y(L@xkG}m+-}n^)izpv{z45PZ{j(mV z4>W)T5$YBGQO|z|`S0KVZ~6VV{``MEKbMkPwyVltDx<%_0bg@;`Ux-dPy*-m9M8zgG9mopaAU=lg!&dcL#S)L5UFM~G+Cs8PIz20CV=MsW&_ z8pZCy%?Vlp72+R*|Jc0D^l_t3Kb+AxYE;iYvhFIfyPt!z8)1|bMw|MR6k6Vi=tY*o z=t!Z_x^4tJGKuH`egy4!M}i0Z!BS#?vzr@U3azIgCl5ZFvlMUV>_H}aIZ0t~;M&lG zOmGALgJ$rri8=UZ75Iyiw?Qe`D9L~ywLCrD2rCJ;M$TlY7mSh|MiDg6F*2}NxIB#lN%jO1wF!C% zS_-2pC9ehUh5lf)?Va(CB)mJg@W6vnQF=55vnC6M3iar0Pi>P&d6TsDmaZZguhPR3 z)_CjbV(k0(hV<#~r%%FrIxQvIQzq2j4}QFg5|-Mjy+7Q7!l+PN97)K7;O9aO=FS1| zh^Qk+%R72I+Y`LtFH^rsCKBDq&YsMTc0>;kKn6@V;z=Z;FY|24ZREFDDI@^;0zF9F@B8PCVBzaXEU0vz@+? zk&&spn~OZr-$fP;sGCB|csFl&&ZW?bZs1LE4n)ASfSAetFfl8x_lBkbXGe4+0$PTs zm*i+W2MY!TF&zq}MEwDcR+OPIGx7z{qa*Z11AkkHz|iu>fF_}D$jd3q1Lgx`pgz); z1X>3^5E_ZB7ljO=hoa;?0WAZt=-Yv_Ni#M}Uukm383E2s~oLuy0+YtRSd z4Jg``yd0%_#s=tdjMtO_GBhxM42=fr1L>afdUE}*sRIP}U~oilvYWF9L7T?N0IYBT zsqCErNorH+K*xjV0Z0euM0R%roP+{D`Z_t23Fe-7JBXxw0SbXOXxd>Y0XPC*!?Xom z1F#_D!LuNggsv$oK_Kb+fG0rmWM`+8yJ97#lPPw*8-k|B5&%TH|xc4!-C4=*y_!;WABjfnbioEMN~u3#D{ zgb%0zgH~2jAOIA{0U79qw8IktuTI6%DM1!l+D!*L1a zN(TeY8Z<*lSKtwfia4|$fDN2I-ph#qAtdy|@b|!#EcAFP0ej-<5CNkGGzbC$`OsZM zLl+&u^a(&Nl1cu6h2XEND5=P)F#J-cJ`|B2Du9Y02=S#uF-i$;b7F*H1fTIR{5#T~ z1bzK`AQIdIBka&`1F0nafY`}>xs$gu$ z0s?vz(D?b7Kw%~bBSsn~0PwJ}b0d1&+u$j3aUd38(0YI#e;5`(Y~BwG0N_v`!Gr~# z1d=o0RSIMRAOxu8=teN5H~tcIz#>{9f(OVo10G-?9RcDhMm(T>aRlK33~da6U`B9+ zbo@VEg7&BWPd%X%AEq{kfU|7827C zA0xbu@HHc^BmB?E>lj2K_*Zz{&d$`&$jROKG_Y2nS7G3FZ8vW( z2u;!QD@=h!L$^t&#sV-`D8GRgf&v}~=*xe!gg;sW#jddN@w9``Y5*Q6Yh(2&TKo?( z6j&$+v`5hJ0J`ay-~k49B_Vi#usH)Bpp{w3ehda~{8#V*V@^UTXqhV+kQA0!_%HQZ zjB>-v0!z9dM-%LU*9q1}i6pWU(UItZchjY};($fzVNWy7==UrkLM9)@6m}ty$^Nk2 zi}xlI!OAcg%7~%r;70J%f;?m3V`T1>DCC4Ek>L*zI~!Q1B(febJ7J5E;9=kI4n|S~ zhNQN(yu2bLk_Heb?UO-?1)2l!9Pl~Ct{mFzVrfK@2yS>XFwhx#0S;jnCgAtber-{yA zrb=U#5E_T6o@Ngt0sv43S^-T8*K|rb@j|NiG z&W<7_8Jb|NAE^3+^xNbM}V;GP( zzrU^WOJ|=F!~v@`$Ta=(=?6Y?;ISE=!VtoOOhIV!(FzKzryr$N01X$v-5W>(~BLOQA z-Etz!+T%&CbD;1T)n5&96-J)&3t}vgh(Lg)Jtdaq><%LJT3(*i90BOb1V6yKP^b&K zfV$ViyF0r<0#X|&fX)=(j4=VSlAsS^vq}ZIgl#ogSog zW>@HMvm+|(5sbNQP|p8>8E7bZm7&&fFe)O^=itsB1o^NUh6;s5{M3<4|Nct zfG!x4j;J?yfDA%vck=QI&^Mq4q(9`E-XHWSy+i1#e~-+SsT7^NGYlKS60kJNCzL+7@QZ(>_tDqE>sV@)yh4}#i;~%dkqvU~0ogvz#!koh#yQ9efHt2gg1vqWJL2S_y||zmED}>IkXbBRDP8oxQ)Q5j zl_-4zRj=O{pxY@ArSF21qeS0<Kw>g$A1};Z2^5wlE@O5mxx6DI_c<8luts z8k$DJL`$Hsjwy(KlBrv{ZHZ(u(H$%;a)TDrF1~(7+aFe-u>zetC{qg115yEK4B~3z zNh10Im5w>A`xD}DR1Wwz*$|E7GcvFtMnMh>GbbY(B7xSC!-fzRLJ%?(8zNh28G`UY zNe2>!x~UbcJqBET|3aYU0iHso0^lqK@J)&hFmwtgqKGqS;j|oHlspyyJ@g*16#+Pv zdd;vVh&!5bL6Ei)v>>nnH`Ia*UvP&Oi5u>t%7X|bH{}6+s3ymDk8A7p2haSKt z{qvzAiPm2$q}CQ7fWigNb~X;qB#^@gZOs^5%ng!A0?z>*LS-QbFjRwpu_^*Io91wy zlNZqqDl>w!r6r}9P|G#ID!v`j9V9JM)%|~g@gTz=JQgdbtORm+;a`*@A&jsrhebZ3 z{tug`3|xzW%5K2v6pToXR*-{RM-EnFU`?BWhlcmEA{52A3Fx1DUV$Hm>QsOOFtA^S zVuJl~%>e#nHfpKV2e^sB9iswlOSpmJkb$gM_<9hZ4CTxHLstkb|3?BkN(w_*piuk- zqX088!k0fGii1K87sVMcir?4S15f8)Q3&A7bEHNS$ZQ904j33{C998gCdWx=pbeSu)dipx}l&jJcJe~C3suXpgUur5^hkH zHAP@u53)C;pH1N)X5v@;G}szDFzCIOLRbLeSedTxxg9i_I`$< zmKIJ42Z78$TLg(_`~Y(wwmMKCWo#%l1sD}Dk0II_7}X%~phV9G0YAZRq<;l0SSHW{ z{(@L+aIBykBM1%*;CJv+6n>Yd|G;`DoQa35Cy4+RDkXUMID-PO?m*@JUe@m~cfmvd z6j%J=#T8k3HW=Lq6u11Z-RMm%kzz+Ac@jxrm!pk6o{YDl;RLfU2;jAnja|6u>@;Yn8eVbf`r$`WF!2UjJfY3R;TVV5iVPSxl9vQ2&UtZzvib#`{kran_po zkV56hNn{l{1z60(5gA0?Fs+;SNTUrWEFegxts>X=K~VpfpV-i|^aiZSU+u zrz1vJKSEpm33X73OVh!by6mTdGg;Z+oL@xtC?uf?p?enU5*pbg%t-i1uEq!=d{zN}DzG!4 z`u}x>7pmsP!o$_ivZcAZQIr%vph3v9wrhtiumcx(A&{Mb^2l5S1Qfhrl-a|N3iLp+ zwiSS04E-?3n6yodjdisxbb*(WCe|5MPH?gbwH-P(fvPF|Qlfy1p|Ttslt#}yEAYxd zFGI^p_*aT9A+!J2tNt)fJ|%mUb=4ob5rDjDf2#c6%2vZ_k4y!&{x%&BI}_#>S{82ZjVo8bF%= z2@=uMSY#Rag-pVGfB+NqdrAiznQUSp?rE<&w1D@Ip9>%(O*k2zXLro;; zpd1VwgT=y5Rz*QexweS*+%?_!$%McOcLzYpw0?R)PD)Y zhhiRN1%ARSFjC0RSb;$qe~=X!6c7G7K|zG_-73v6umN+yKcttRJlRlb!+t_`kXinR z?=cMB4=K|75gAKF`ip#y;4M%PhXkuZCId7xSPBDNlYdId{ex0+EbUno;;Z;^{!+w# zh3#2nD;tBi6pd7mVKirvwvl7bLZ>rA4oD_XX+MwTzmz1&?4P7(CnMn`ntQRo7m`+6 z5dwEwjl!R>ndR3Mm0(HJV2LQJM5(+@&E;iz9}3=R!MK~0^^I`o{1@&-hnzyg?dSeS zHNRQDC=$XL@e~hy^&_wb**~Ot+8ZHI$vW?r<;wk`c>vT*f1pZ({f^ROIddpDNtLcC zp@#?cf1Kt1r(!4+MEh&8CdSette5h;0Ug$Qej%WLPr4|Tf-%~Im-+bqUXZ>96gHwM zU;X0^!wZ~#90o2~l=J*S{ZoY74>%+QgigR7e)=yMC=ulpQC1PH^S8~lM-5C>VF7Gz zZs4eEsI>MlnHK|cU4OQ^2=$L-j8HbKQ8G?e!ui}RYc|lth) zBMNW-{nLNjnu3@gvMztBB@F89G0zw>{J&-i|3ypn7al{w5{*Cs5eiu_C}i+7Fap#c z-Tp`F_Ryw(x(fmni|%JAQqQRESN)Es7TWY5Vf7=06>`)LLfpuPF$T*E zvCT$|a8lGU)AdG6O&$d-s?C zLRoI)6r^Bn8o_x!42<>*QUU07+dy27a{$k-r@&`q#rLa6%V@ zhl)xf3`WG?J#}Iz${G-9|M5prfL*6U1T9cXu(gD66?ko=gbSnDhqNIp{qJYDv8qzh z&%ZL_(jy0{`8^PgSei0Omg@kb8Cu~+lyoK`|JyA$Or}f>%B1AeIThJV3Hb;AoJ!%z z%9X(2TcqUdItM_O)1Ol*emdX5%JqNsR0@`|4t6Xuv2H)4{^JRU>|go;fUscK ze#yy4LowO!5-viaVC4#N(t;GC0Vfar_>^H3R5}n+;f8wb@8Aq#E!T%lIT>hc_S@`4 ztCGa{!=D3>pfYt}e-Us<4HEF7D7(Myaood1l78udM?<08k8mKthAdLP76Aezr;NeB zG)NW+oPaWN9E#slD2VC71POEwTAfpfR<)^z!GfGD%n(O*vQ#5ss2^Z)eGjfdHP8ko zLDJBdZr}cA_DNt_xw#+^VNhrWv3HSg_P14jylJbbJk+6tXpr0lOB5!Xhh@go2)BG; ze+UzT_gjtsrsYec!~WFtH`tbm3aBD+WG_3CS2xtM|95O&8qog|tCw;rGIf|UToc4Ev3{+_-O({4aTB&-s1a1n$3=_Qa96qpS|3{tlddAYxB7$R@^Q;qHc zGlmTRr<&QnFlV1N)C@3rb+sXd2|jljoM8g}hRouAYSf=|;K8&g&^FPt^r8=P(k_GC zW|dq&TrP2cp-Wi_0!h~gEe_w;hMb%SsQY9SFoopmpOJ7xqgYN9gK ziU^H?#9*4Jch3qm9d&E>`iZl(d zet!)1BZ>Q7-K=A9US$`%0CXh@I!FuDj!nEkuPDXgHNnEk~{{ftSh zvK&f<@z-xy^@#Pf!3a769WS&D@Bd6K0@@oPS}&y*0no)(K{}Y60w~(dsKqH@prcP9 zUG4j|II27x(v8EK4!%>Hp^(eS)n@vYCqwiB#CRCl+6+qJ|52TR-}$#uXB7WbVPe`? z`bV7^iRuidzdplcC=F0&sGlNY30w`5eLr$)II@;vf1w@=W9}*tv+$(_(G$pGSx6AW zEjS{XOmqj0l#|J*39m~C4j}!N;!0uEWa%lC)cItg#{yTT2f>bvr@AS@ZSaU0<1DOS z4eIi52wqsfMfPaIma+=$!y0DAfdWFYuMzn<0-SG14hdt`KF9^YsKEY?nf@$jWq6vP z5YOKr3WjAzGXsS(QUIFK2|L(5BZw>pIz@Di4XMP-KpFo(DG`vDml9SX`_lp<1Bwdt zkE2i!&I#`cMNpXHBOrk51*!;W3eb`_K;*@q=nKOp zGu%Q&*r<#3OW6Ri{pB! zJp>qJD-y%xBikDpCm(4WIg<|}eiYS=$!_ka2vH}0;Px#VBtyI~WO0~bU2kMaUuJQX z_s|5>KV|a=CIJ6-3yF}{PzyP7@t8Sk%#=~UsJ^l!2O0_YCx?Hg(IOK%viVnGpds_0 z-@8h~9fo`$ia`GP_i zpV~X)L4F``rBS{Ne*qMl1Lh{wvTfYFJEKO4jxyBIvhcHRJ}@?KTUlRG0m0DV8KK&; zMLb^CXxy^Y)SG7UbH>KwcBbjBo|{@~viRbhz%L5AI?v9v>g-Mx=1M{SBc^Y|lfnEOQ8cz9p14>Na~qwy0D6$>b;S{n>E&6+7;fx}Ilfv6jp z;cI$D;|zzpbq>~(f9S;mpGGVV#c5YG_=yd(u5qI_alRjJ;zYyFj5T%Q7M{64a=2R$ z6<<{wp6(RE4C9Zy*);4N1ES*^n&QBx-%WH^y;D;Bo(ZKcW?C_n{<_M`H&IHn#~&{j zmarqOoiT}d(llRBXsA4ODr3iy;+na}K6(t_7RUe;dgI+)&$aztsAmp!{`g;iR07zU&{Iz1dv`J`2jJiIca4rDVd*dDNkp3|K|-_OBH zinvy7W@6E6Vt{dHxCmNnr-7loy)-0cA=H%&L zaCRa6SpcV^31Ak?)_Kptrj8<4CD7-4Er8I%S#vgV?okrTm7vWiG~LS3q>h=g8H``E zUY0&@SE0VG;~SC;fWoNoTCcTs{s%z9FqX zE}{buuFeOk6$kp1H}sMnpMG2I%e5);QjoQ>Cw)#nOgK~wkTRB?=?&sSqcpE^^FF%h zDg*x3`C3^n`j|9fiYU)EVKtqsCpLWTx(*_}Rl=&a+a|~r^S^hTJpF<}*taeW5ATL< zI@yW#0^%2tF_X_+bNfIbpWoD-={sJB5WP5=Utw-ogrLxcHzK1%Ii1)vxAF^2ujy9W z#3`%pk4L160#*`l6086 zb{{=f0^7+>ke)Akm@U)wvF26|KP!E;L|nK6kGQEt#Evmu=1vuDO?<1*+3vdR{%T`a zn#ZZi9pmwzp0=DL*LA#WugtJWXfm2|e&*X7nGUx%n;$C;j9uiHymqgcc7l(z@xg@6 z=8nh9w@#IvpXHJH`iaAGec2H`vd1-RI$?@xjg`zR4)uN#6Xg0;a%NqqqN;ns z6rtuS%%-s~k9F;PqW1b|adD2mMpwYoMcz$I_M-2;)3q_WOm5r|*>*j)Db2qr=3SOz ztlAtk)oc@V>5gN)aXe+hel~sN+I8t`a&QSg0)o$dgIDKQr3bk-ekgtOuKta*@#6YD z);rSXE!r5V(Nvw0fz9nJ_@+#_a6WaccmEV>D(K>HXduc&aZL1Y^9BCWCFFD3{H zSec&H(@t(tb!ixtZq=ihT>kK&nzYjL(;3#ejgblHmaY6d+&=nm-EEj_td^gtQFbne z+*B%On9CMky(hM}BP}4PJMop-*|jq5m>XQt0%uB;tTM&tk?bGMjf$DEi&t3b-o~5r z@`8e}-Ms0`PLbvY+*e+XFkG09WZZFFxN(quwgbSb-J9-}`&HvAuZ?NDoA|NX&qn)Y zfeHeGN|@R_>6dZ&qcmrii^NB!2o98z7vwN2xUzBE6pt0@dW z=T&d4;@_6q(eth>!|2J;rMt{`?hb%}vTDtORcADhF4=q7Lw-Z&hlZEYYBat{ofZ}` zL1;;R!OUftnF$^lHsPOa^idW0QN5!l$3E@wn((S-cd>kMn^GI8AbZ2n0N?yI=+E2L z4UbkI)mB=acYlYibI+D%38*)_)ZGI*LiBGfP5fFt^#*QCZKZRvRAYVb6n8?;g8gMp z!Uf6FV7+&=2CteIyXcu={?m(P*V}MK(mOWDSe~)pw5Z*UzwD@HZ{9i2uTy0%Hu~Ek zlf^c{GhFj953lDtZGnocj&&23I6QXDbC$-|cw0$6Z$9+aeR65j*Kr1OTm?24%lkC1 zTAg+GlghOCf>V~+yUo%TMG=B-fYo%nO^NfSdW$X`D@=e*uB zFA;aIE-SUT25su2592h-KolRriD`d)qRe%d(>rF|_CoZReA?j zr#jdq-$DAeMMkv+-^|{nWmXjz?e@52lfUTXD4NI-H5?yyOQjKW&3j^=j~C$+J{~-) zr_pbE=R>Y{jFR?U-Ic3BBXlnR#uCrz?9NN;TYZ zi}=lGkKCQ)kY1U+nB0|7;{~UMbbpLmT>Yl>v%>0g_VM@Ra_8S6)IU66o@r@*lC!A~ z5MbLQjlMZWxn-V@3i^62(GK^go!oz@HEQ7%rw{z96(Pb&s@{vyguC{+8ltO0Eibw~ zb1T1It#<7IzsvScOD=BdlxCBY&R;(_YR9}Sv@TSAopTn*4`bgcmGM+?*X*8Pz@1V! z|Dl^S_bPK~e9mWugP#|>);;q%mB7vG(>i92i>%L~?J_Q_GS_Q6b$Wj@&dD$|Dr>jQ zY~Q(L@9CY#k~=nR7AmgS^*{9SrFwRc|C=e!-5<=~WldFGBx9oSF}kB?X6_e*{9Can zs^gz>KjuH96_jhVBe1pYB4*6agH{U-GN$k!?+D0OU!|U`ytF5;u4q%jEtBZ3Ez4c= zY`G50ZJ8oBt-yp&-xv|`aql3F-F;kY1Yn(RzttDr_6jw;^sPSCJI4iScrX89n7oFv9Re8@UrMH;djXyeZy4|Y=C)ojcPvcq5MR2+X zNSH^QQSE!M@u7gweOK?fQYWRpp83*5+}@(Y>uRYK5t$tslOQM(Yi^ZkscwECRmR&j zsQsI4ozcCiBK)6nWYtCYWL9bRc7NJ-B6gIPR;8m&uv8FdUPkcC&({|@cWf}(<&a)@ z!1s18d!T>i_Ra>3ziZ;LE7!~4=-=C3zQtQ*Yd?BN0$og$FfB+ zSWPJt4Pv2FjLHOt<&d(}t74izc3&YL7cGV|$Y<^$-DSTqZ$(4BPkfu}F zbM>kF6C~P0TnVlBGf}tOxTw@8iwWdhAJW){Qye_7umi zGnJdG_o+bnzQa0~z8S{yUz_p;tHYM@((^j+V)-+|`NjNYS?FbUxu}_SRBY%ct`{1h3j~&dzuB zC30G6Mo?~^MyJB#YuZPbOs^}FdXnElKET!fwPbqL?M=d@cVOH*ALKK8Tjmray#dS#Ic$L?`JZq<)wPj9k^P^|Z zRu0O<_OYD_Qbs4tE9G0F%UhaC(~lT;zA5dF7&|dfx?60C<{?kpHBQCuubLw-;ru zAGW8Wb;<0;?_4qUQR@4#&f-#wcbZB+)#&T?N^X3yzG$Y|SzBEdazoq}kE?!o?I=Fp zeI%}?35}hend`a*x3ircb957j*M#FmVcZj@89%)~R%D4&ak<_08v6w+PbZzI3*EW4 zpy$i}fNx=3vrO~EI7C%-7k>Qs%{4QBwgGYS`{0r{Pu^&L9(zNCd$GWZCF|K9%llUO zADbZIa6d8S2G=y59kw^Oq$fWpwH3H9E4ULsd9T;!hGmmqo?ZV&uZ-{8iPh&F-Z`2( z6@TMz#b>V5*ft$=YhLK*#wSIVoy8`yam@Lj! z>`T+X_RVI=*EQDuE$(GLUn64cz9!tPZ9VT;_x5gkscUA(ySe;T)tVPuU&yw%1}@20 zYzz@GcvhlxBJNew+|m`9t0iWBc-~B$Y8Z98FK8Jm$Ntgou)MAs@0aJ6z+RImd`)+i`I!*iR!zErz9SqcQi@9&5^nVrz$ngtWNYm zjI%*DdlBYjV8{Cejga8>^C|`P2Lp{&VzTx&rk*qoOntCd)%%3Yma`mQvvN`D(%prb zz;3zQ<#GDR!5s$|aIjwpR}mBvU8EIS!ugTYcJz2YU*)=`+Ai}?9`PndoKIeoQh1q9 zfHQ8*ScivW3nX5TZr58U5a&{MA}zT0!*%|;W68m0hi_+OUU|2DUtwTPly_05*dj4; zgJZZ7L0;9K_|+yHf)fl{#<-T9*fqgw-O0x_=Vd#`!S<`9BxFpUQN29pytRx~!|DP@ zJ<$e5pT}dLc0|T}*x-p>YIAI>X4C5@Z`FEQ5)C#*I_9=7+m!t3s?En1d*ThYE8~}+ z^v_%zYmsWo*5&iuQC+*@idSrD!6WmnDb@ED7<@X~arbU($WHy_wusRSl6p5yx}ChT zXKjv;-DK3qZj5{FUTKjX4=l5d!W~YP1+oYD?f_Pw^qtS9O9DzR>^-;cBhTu-dk&S2 zM=CxG_XHR;?mumEn`_Gsnj&YQ2AN0~!J@8wF!7nO&m3_fa#f)6I=sWX)Ror$Qie(b zLZZrvha;_Agx4N#l5k34t&>WQ+LtYFE+y*TYpZy%(A`Bb;_2LN5#=)JIB zRcN1diQrz(>Y$FU`;X+lvS-cu>`Xq-$03I`7ZAJ2XWYeg&Y&o&)X=!gWG`A*Y%+g&;Pn}S%HQrx5)!pOx%1XIgsx@O;#3XLr zUa8jo! zw~42AT=civbdB2jrIvL?-WvC=NnN?d&M~3X@AiRt`g!xG7csbM47pRMq!gY?GkITX zXfU}n&1kAZx2d>LZ&$rYV`=)1%Y2QFrjpZ+&b)50|I>|$CX$7Rb=j5eUhUMKJ5$zd zm2lG}?XN$4wR=zeM|0y>E4U=}XKLiAKdWi?lBh3dQmM8SNi)_(9Vt+;!j%v3MW6@H`K1 zScHHYSCEalljg&aNr#?Bl8+e#)|Q^meXmNKxmEMi6I^)XobnECU8m@$o$^!Wg{Y~Y zWP5t;1^b$2%>$cv%l2g`OkLu1W(rxcBeCH4s0&)Wu~J66kBc>C@q25$TBD{u>C?q6 ztAOz2-ZFX&Pp2DuM)4V-Tl=@>cO-dCp4_#Odz!gZXbtD9A}kMYO#C^-|1UWM;Iy1< zx}5T7p~{?cH%|HY*E^ zJ3p&Af4QU|-PxJ1lon97xXLHm;J9gi*w>!?>~Avb+0%EzcnTFGtedN>kqQOtJ^6c6!(@ZJ!qZh{cBpn_aO^p-pbP!4?Nq1rLW?j zqna1+?kIb_{emHY6sv?vF}0GG?CR4cl8vtSZ;$;n`iXOfR}R8l6*aOWBAvGLzv+<19y+ebv!Y4Ov#r*U_#oopfrS~bi=JNt&OoQI3o8tW z1V>`t$4KBP(oefz63?CTUix!Jk)w3drn%U}EQvE*0xu`rF6R7pbCQq%uU&o&PWw!O z{Dx%sT_^0(d@+vq@`{Zb$AU@o4;0`^FJ9q78CHzK^x_-JTVi>E5~Z_XL}-rd&7cdFb%2-X(j*PD1sm6&l1BPeo(5!kQg!gRQ%m+MF6EuB>%1&UF-~l` zAP>7up5HQ+P4PuGBG1Pbp=P+*xYjG{utkfnz#JJvj_KCKv7gpgm6~+zR%iT_+iN=5 z+-pATZ8<(eg=DaM{_0Y9_6Lt-Q^eN1(JttXh{QNP^xLYY1Psr#@wj)#GfrQ=E1YvU zCrSeABq(NcWy6+~vKl}AonyaDGMm(hyZfqH8n|P3Y%PcuY8GssJZ(#)#LY>YBG;KH zRKu}{uu>z@_dq)mSX6m>*U2^cD^A%i=H{CgF2}hYRpT4YFAu&S%_ShXZmYw#J>6ZW zvtH)perevJ+7X}=&FNbu*2>ph_vG}7@VDoDlk4rLH-D*|dnd7@dPzw+*Aa~!*-;@4 zpT2JKHcTAJU< zCO)35y3|ZQ1%D%2@I(yz_``;U8^;7i;-@6~2%UX(v{+#KNBqX#2+lk(f%4DJ5w-8HvTlT5Fwv9z;7|DCf_vW|Q%v9F76_fnBC*QH0 zujIr{cEhihK=a5c(6wxBGAP3a-aTgcd})%ZdBErCsn$`q<-1Q^F+2Tvd({&gV4&~m z+Pd4Qm96!}XQMNBlDEg9m8#>mh^QGKK!8NF3V1rAgHqT6-EMA~+}2fp@Ve?5Qr%sd zvux5AmdQ^~C;PmAA+tl;WcQmQwdCcm;v%0YFWrZ&YPz<5JXhr#Fd@e|Q(rw+mfOuCz+r6d692*J1nE=cw?5xmdy=_cK7TW+;%XSX zl-j(;RY)#?m&2oubDm#zRN}(-uHbpZvBj#1J2A_({B9!3&O%Zz1-GfRDq@rH<8|*H z<GGXHWe%p*?@MZ}O#&n;UW_qH3vx6`ajdv+m~3$8 zwQj=aC|mcs3?r>qxo4LoF<+UIBr>MCuWylCd3x=}oraKo*O3L(MZ=eu zz4HsA&L_W^A|$WJEobm}%ysMQ)?xCaQHxtexMeP1F}ws8fpbaqI6)mO;`$A{Ar@zf z3%8zY0Xe4>> z&KUh3m#T+bEU{|4%dWa3uMT=zReYQ%UAKE*$BAUYun#Z0Gu^zhU-vvz`+BGR{34Nk zr`l)TXIp#8Z`qZ-DkhtSRb2{Iug=|d*QiNiR zll|CDtG2?gj`XWIVb61{rTd4Nw#+7HI?u)KnodayI&z;R%wD!xKz3kh1THI&J6Xyie z7c*qeU(njHS02AHd(>tBr2x^EpO8*nQo_lGD?jX1dGXZFxy$d?t2>|?jxOE5_`yDf z{MI7^iie{v@QSFvxU&K;Oj|T%vA8%~xC2pIIkD+*(_AOEYa232H~Z8@Ep^A7KVVfl z`W@zwNl5&pSKPeo&m}|VF`@i@&^gCywr3$VhwSerE^DiOD5X1Y>IX}6aqG9Y*3&ak zLJdW;xOsJX-tO9$z5I-9=lGAKE_!zDlibffCUxqmRT2w3{9MA*E)*Z)ir z!A4l zWX$?_YwmPBdGY?*7jC0BXK~9v z3i|dX9d||fl=aC~sDh|%xW>xu7tg9+F|Cj8YJQo!vS*K&HfL5gaB9BUv2k9h`i=~> zFE5}-9k6-ct-e}yJ$QYk>G2sII6+c~_}TtzitiBaS-6=nR?rG9`19?(-l+XY+5FZ z*#adtP0ew#kgc=Z48-iEM#&>^qRY8?XA4A+lDATRK6d`hu0yWs4b=zMx|T=cv@g~A zF~q5F@B!8I@D2!TX-f3;hx2~ z86nPY&CwsVK|;}{NCV$_;GeN=0SF;LQFDqqKW4>7!GQ@85JbtkEjh4rXR6$~ZHIGB z7JZDcJpPQIt{j2akz5GIcPD0T1k12Hj(u^87}nZtDSa?tvOnrTNd_mUfDn4n4?+;|Y2te!q%5>`oAs$}A(Y1B-4+Ypkf0EVWASp!sY2HMp zcZ&ckuB}`uo(EBb_g)FTDa-x|gIGY2QF} zJZQTXddrBZHI!pQ0#GO;)~+z#f+#{DZ%p(#m@u9F^55v0I22Nfo(ej7O-NHVW@L;+ zaj+amcZY}5x*(Pv9$xZTyK2Bh2 z6%C7!1pSKb*+q9>fhR;mX=aaS-|wYq;nX>Ny-D-L6d^g`j!iA9RxXcUeDS{6u}(~c zpX)vN{fU1}2Rrz!T@s?&)jFmxU*30<h{MJQ&Mz`*e-S!@iyVVsa6J_iHnVb zZVm5>+W0LD{1$7}IMCg(vCld&7itij@+()r}3@TgK=MY!dDbyb%)H*(%tl_PRj- zac9Sz(pGDLeNt1xTY6MR+j$?P6o!$^QIyr(?1JusJ6Y0xB1n(a4#Fy+B~&bzN?msI z-JaIC*@d_0Z?O*Y$efdX^_DA$hd2Jzm`tW;hv`VyyzSuMQAXGUGGA+FFUmIAc2+NZ zf5!DIbf&o)1c+MP?%hyb#9ByTOYa{r3fMDOsxu_HUAVT4SL0ZNI$lS6%j^0FG%`92 zp}YOMm)(aH_ve4Kj7zBfD6&&0ez-ClS3<$O|pkgOgqF+)2#+}Vw?O1$tQ$L-m} zYQoDf^MrYyCYPMNpY@)6*P7P3?QQ_Cw|C!q!2cC6i{&`$1Bo1QvVI^lg7opVZo$O7 zw!8DBLVCO370h3KPI7j%ePS7i0M>SXeDltD@>~nkMLo~L*tu$>M1oC;<(W1%Ai67% zC3sN9OYchWSJ$#WwT>4OE3Lejm%dM1*bAJ!b>QzFt6ZP-zN=%r?(dqnXVP2?1CTo; zy%*znab{6l-Mu=HY()ZTGe(fM?|yaMi{|<6&o3k_uu%sZ^O?0?4-|sy_Xr(~8aGwW zU?0|b?P|LZszF~b*x%i0C|A%;Dhj%+!ubN5_U(H0qv;rj;{`{2UwZFJHA${QjSJx| z`~vbuc9I)Q?o3{}R&aetGnm_}Dr`yxA&I_(cal-Ahjcd@n8|ONhfT`$T-Mfppw%-~ zysnK9->0x(p8x5^do@Zk?^n&0Sn+6i) zMUCzL^hl#5-CVk8$Gv?D8H@V5KPAXoDi)RBAYDK2_~>pVuW+dV@zN{KI{EFp^TBLe zr?5SIej1;Hw-1D~0#n}f zeCxRP;nnrJSdHEffg;MMpunkuOQ}H#=ZlybDu+4Z+1NS#sznz0ooTK(E74FPmZa8R zYHoH|XS1aHn?`@-klwsJkYsT;XM6j-gKD|eIjt{p%z=$A4sttIw48mE3B1|qW@%fV zcceVur{KC%*}J&{)tV*{{QlA#KB?Y{&3w|vNpT=he&@1x6Ng_EJEIWWRWU?s>;0 z=y%scl6Ji;>TA0a<8wawq~xY^){W~T-z%mtDJy4aX`7DLpWhzkeKo-1goPnUVLU7OsS^obiWfo|7`_MB#C<3q^;$?r zN=bb7jOz~C6QbEidxYHb1(UdW!P`xo;}sL;jLtTb)?Jg#_Q_M*slhbs%;(d4K3k0b zs?pV<(RNKqnDG2jlvZF_xl&C zb*FNi-!80l7obn(KC#PVUyn+vb}c`>{B`&g$&cA=O&Ob>mKa^mfiD?x!dA8!fgdui74zP;r34Bfs)G=)uk zJjYtuXf1B-3q?6z^|c^|JmE~#OaJ-1In2hfWox|2?drL{mYs)JtogRV z%}A$lyoq;nLgW@-2|kE5@-})K_sDYRr-j$g_pP18k(*{Bj5}Dkb&uqOx+`KNG11S8 zx;dM*0hwReV>4R?6ScdNzx-hLx4gApgu71LOg`)E6M<_dxVVL?Bj#Vy-Q|BVNJi`mr64u2bmwDdUr>s#S@uI_y;o%u=HlhuA3`!?BZ|9I<9|aTJw`Grzu; z93XrweTVpg0`>OoDBL>Dma!p|A3B{ zzGZ#!D_pAb{0&{IIVK2+hH7<(seQaL(d?qz>ekYazWm}G5n`pN#KDJ)OrXzSnzu|qD1B!fZfyEa+}T$wgtNGcrP<%#1Mh>U|<2 zt%c6Y>tE}HNeH;F^Q^5RKUsSBtea{>{A{jtlNwD|kQ)U#s18I|WfPN0rLQdHjg>&k z@Y*R0tWPGTsfsKrX{oUwX1SCloaF!7(|rC>>9i$L^GkBBKHev7GOJa=08eTt7HgGp zQ+^kpkm_D}aj`)deghPS5)z(~E`NV!R}V_sb<06bVZCv@m!^2V06`Czs&fP*@4J;3 z*5R%LiFe#srRjCar73UpV>Tp7X5WjCUDO6d>y+9iF5zu6lZg54D~MHo8J{Xnb=g^6 zklz#}?^$y-RD9BmN1jJ*la#}%L6*~kgCN6(9FfJvRq@0`t_QQPZ?22M`Ezeky zo@^7?k|o*r?8AmPt(^A_zn)vwWU^JoKw}g4^hBB4iA|FYoQhrRObj$9jVoD~Vh{jQ z4_{PSH^*|k-UpQEsRg%h;@(MmDY={#D_t)YRqXldwUmsyXFTaf_Gt@E&X->Kz6}dw z4#XE-StV^5{3(KO%_-a7jOBvPm}@nq)qMv0$2Jijf9c~9-CJJxEadYeuQr{!(dZhF zNBP}lPKh~P(TjR-ngolueO5T~KvrF0&Iw+dlv|cro-3r}D^@qUp1)mwYTn|bpAB^r zF7?j4R!H;eT*8Io!sktUHWutNfyhMpam=;HogpA8e5d9i-gvg_k-VQQYo=~;5#&vA z)r4|z)5u}36qKb;an?J6^rz+frY$^wusG5H1=PgkfC*2V?z@sNPjubym>jgCj8~I9 z#;nsR>cY#;no-&F=DI0an>+b+e=OQ1F>}6PAsd%Rxi(xya!XRZzRLsTVP$AyyyIXdO8TqC+2A7_^@FH->F~4UwjrP<& z3iuMn^i1h7ANOemNi9tgr2vlZ2ENZPOg#KF;RiDp|`_lOn-9c zZXLZr1#V;q6G#q^~nyt3ItJ1=r)6M>g87U;a&-lHLUH&s^#L&{*0Q@}y$xXMG z?FhBxNK#!9f6ne*X?m6T8Hadl9 z`JbPwdGg7aR~8CpyeYEcGU~mZc4b`eV;8kglYZ|!B|pDzx1~kusHBeQ@nA;k^NSic zB%%4B^uisLz$p0q@a7tk>&eCIrhIv@Unz4-$<;poS&NP*J)EOFE@SoiqgeOn7Cqa% z3-j?cY`X=_K70lI+qivF;kTp3HE+8gT)XKbIHRy)Z)>g?HqqEmIqH>UWX{J$5$HVz z&*fI1)0w>_@zCWn6NNsU)btBiYr8EmmvqzR=qQd?0;6q3F&!d@r;tkp52BhKWv973 z9{ngSMh~T8+4?v|o2%Wd?8Ndk|4(m&qXb-g_KM#D`zQX#*IS20xqa`$l%zw43>{L6 zAR&!I4=A0YAR#z_l$3(R&>#&;NQ0ChC?H4W?-J@ z*?a93_qx|Tr;7dv=j7?ly6ZmV~)I1MNOq%YiXV+wFkQg%4EHSx(LmWJys<_S} zv~#DPg~wwJAQTcmh9Dq9M%nQtbuOgR@P!n9^Zt5;bxKuUu*Pf1r2rRe^$jFwHeZ<$ zcZP|Z(=G1HbYIJ&uE*<^+mWT-PlLv?A9US*3|xiQ{Mzf~a$J%5n8;TzHVHAFtj(1l}OX{uEJ*MS{kL4 zgCc8pm0Gu-Y%aPJ8=si#?sC)ehhy?+XWGqr@x&rFXb(y9E~w;oCZL)ZMx*UjbA7)M zWHSgnKa=h8Nx%?P$5|nETODR`z-gRv2$-RoFIMzhf)#>d1!i!)bG6%w?CzT$j1Qzz z&e8WoFKL!yS_1Be)RB)MjZHw`v}Hfmgi=3hZ!J~M9?bhx-SgZXkoG0`O0!g^f$)Rl zW>@zrAj^BE_D)!c8^|Dn3rkP3pb$`Y+zxU9(?B(x=ii<%HYRF|4&hKh2aE3JT8pDJ zyfIxa72+ZZk8yAviMv)!EEQ#j%Y~1T!^5C=InWXIxWqUJ!MXa$q@2~P=;mn!q>O0CAApT&9?$0v|VfCtfgKi5$WmVN5d@3LkRT@=C zv|CJ$LNXd!MWcN2&161=ol{+wYh#yZiEEEnn3vwY@5ug*iIw;*T^amzv{cP;$=QR9 z$QPfdC)DXxo+Eh$b#Abe6SEtYO_CwWn(D6mU7v;eSO zm9_64&hIoIR}dRr8;eYd4r*VBWeK-)_6@TA3nggL0yE8j)F5U=UP8*x@J4M4^^pWm zgcYldr9z?^Uy!eQB%YfmJrL!&|80RyXjqKdkwl(;c+OXZ4RhkzwyN$c6Ho#1c#C}w z+8m~e_1gSI^FofHOWd<@GOdT-Y5sPDH$SDjumY)+NQ%G(vI~Yn1kF7>Lg__My*HX_ zSZam|AY4abu`B%E-*F#Lv#Amlf~Hylt{=6n9VoA#&L=*Mx!CJWZd{-a8o@E3TLZn-#;Rwoe zWemT&c}1@X?Zz&RPS%xl z>sd79v2jA4ozA~$54=&QoD|<~<8e+mVNm$_9F}M^cX}+vNmka=v;6X8EAVxR(8SQb zz23ax)AdQ4#&MpSu)k@d4EpHy1k9DeQ7lLk&Pu*}mCOzfOk$6lU$roGJrftDZ1}-0oO~=gV3VWt)iWt#6O2;iOKyIFL~0+LB`;MDUVSD3 zkbr@dn;FxfD%8rqWddI?d&u=AOmY=TSd%m~LI8Qfq>!@Ez5k5U--%54;;KJx>06(2 zL}?vK=v_7yEL<79-b+>Zf?9?HMR!G7bzIjccu60bRNb#wuve@_HIO`XuAC3-F;NtP zg(11Hoo1eHi13Mqtyxp1OYLPDVXni%d;#CXh}e6VrsLF}hTuVM{T(J8H3uWo)BQ>B zcrmB>Cs|fIPBuAtggV|0R`POJckxQb1l7^Es5%6T=AQpEV7akP3C2wj`@pXnALxh9JnI$iV_e{xq zzXL2XoL+WI7IP7QTyCWJgVp;#ERi>H2p653%%l6HfS&Fy~L zmDW?$>$AOthYvPtQ-$D$h()c^yc&b&vT_NLn0&usc4QvfUTBR0g0GDTe#HC4#f;ox z+2GTv8{je7*PnjC%1C*Z6HB^_p}{W})gXrZu7MJo>b}fPwPa!lMmi%3V7>D#Oy1+J z_*LqHSPf}C>3uR8Z1VST1a=N1-WBggO_a=rD!|uUaK=y0rnmRc$fbopBJ9#GJumwp3kLd02cjy9Io&f( zZ3AWpjxG;$83ye*2iB2a z@RQqa*zg=sKyNDv;b8T~;LO6R4obKq!X{>)r}nZpLXO@^7< z-22%Y6uB?KcQaQ%xU7qyC@X4&FwbH3kmDAxzqeAP@P;9q=#xlFqi{x6V zULs2)>=ayrVm_<;3U*&oMjp=JWDvdVqWD&;*z?51%Ib-^UE=wQ=F>$%^{y^W)mxYI z*Gve(6gKX?`}X}jXjr9y4B7bA>e~LP$yqDOarVlN>aua)*f{G8BKI@0te&Vay0|~u z97ui;-S8>K>*GHj%A^5Q*rwqPMJ$XfLU%XijU3(uto(?mE&QAm!~re0e3VLa85obh z^6=Vi8daCO2!4hcS1Sc(=S50cQO_{#FZ|wsNtUWSq{_eGpS%P>ObwSS8u6JfD}yp3 zaF7Ue-I_I3O3ML9D~xbsL6lM8L9mMbg_cdg4%8iGF)ACqpYf<{3}7f#uc@J#*U!Np zwt`N`fG6`_I=nnF$he!<#`gxju&#p1`b->}l&@ENdOFNz&sc*xJh89il|wrmM->K4irz5}r}^QL z5JN}Eh)$QFJa85OfEA}-f!;>=1V67&8Q!*Zd|YaN0{Jwlb!o38C7sTh`4J3@Kn1nd zePHKx&L7`*Geyt zsm$FP!&0@O-{?INOOU0(_Rid^L8{tQ(2ee?k4mQg zS-`?%fkXr8$m6O*naMRimgvqf{aDx|Qv88;gbV!iu?nG-n}b;V+Uu|fK9?}@L@uhC zi+*z0V(PM|WKf*-8~e%Y?B{-JFj#nJV0eeyTy!xSx;Wb!yX+}CSnfCGoSO8pciKO| zkCFSC#%vYfzxg5vF5w_aZl3hqEyh}BdCZ(}fdcAK`_%f*er^EniQT-F(z}PEZRJbJ zn+M-I?%Pwp43s-u%1wJ&W+gT0maF=TW72CyEDWy?a31F)&r~%D?@d4XY}}ZXk-h;~ zjus~eo7RyHP!YSUF3bI!GIX~QC}}xs+P;!KQQt%>;59&yg7HVi?E%i8`V#;5beke)7AM65e!3h#MItI6c z^C|P4Yw(s#N~Dn0*StM(2=yRt_pRPc1>Ne_SWcp5f|b-y>zAt4m;#gd=h|LqubE}s zERjp%^4_H^w4uL^fO$AcMT=M|2i{}>dp~InK*u{7#^*KOnSqz0F zj+TGUZGw@ZKvVIVKKcXx(pv|JKa*z>HPperVj)tR<;Y}mv2h6bMCK~eZ^ZqvL_*Kh zY%7*vKf4dxH=&ADJWliAvT%wF%zYRkPj=?lK&h-xST&aV5;95+3A?v@1`GRqCpX``_ZrnWxYP)}$Xy?G1iX9Gr0^<3LLa3fu%r^7 zjo0VK(_#uqVkfl&-4c6OQoTJCv0XL8c$)4XHk4BaQh6}=Naak>c0Y)0PgIAM(ZSAcCS0Sjt-X2V?as~^#KC&@oOD#xI#djj>D0hkdxT~ z9oD-~5xGyL{I3On;5xA@2Oc?a5IN_|g&R3s4z{4%lTadY_e}fKn5`Y#0D8#o zzTm>ZsT;in+tbo}EJF)zSGlxo_0vZ+gC6}$9Sak1Pp0+&1;Zg0L+x`GBbL_tseWGi zYQS^8HTdlNrKX8mj{$F5fd?AGYyglnUojYTQd*|T{vqR$>?)$(+jJO)z`$oZpj~IX zK-L@>Cm_$wyhdR#BP90qJ6ah>Y!aJR{vzdzKskyP-(7;2D^iBrO7%g+3|f!KmN0?@ zziN*R*uuHHLY(gx9!4-o^rtpRBcoz@?|vxB4Ssk65I}1tR#nlL`E5H5|tPk8FVEfhf z0R1Z8VqT5yygOH`pMjLizBcHT^ZX@8+FQ+XW{nEdTNTh4>7r7H(I=jHVs?LMF31Bk zmrHsmJnMgWT43GNU}ahrpPz*X!oPBu(*EH^Meoggj`@679((@e=)`vGM@)+K5h^8iSxx24Ey~lq3Io2~DViv7+fU^E_I=vN@wF z_N|7tZvu}-u8AEjh^2KEPAFW?>mg>KBmZU$x&`(N|SvX)!ZGJmBBh#0~#(h&?^LdmtNSu)nl0k0n z@z*k*pe4-S>ptH0s~fv7%leA;f2n+cv>EsNW5CtF4nVfufl{FFjK$x_xQ-Uqd(b`u zs;r87fB74N#;RDG>Ly?U;XMG;eJENJu4hqlYssTK+MpVWJXg-`xd_^iR{u7LJdED)w? z2L;fKTOJ^v#ekb>|MZ*&`+XOHvZv4lDt`gnp;6;X2br(g$}@)E21=4?OJ83*6?JP! zV0oOl9nQrEx#!y+I{*Zc$OGCPOXoV@K|26Bqy7rgmQ1-n;q@UsfPwi96oup;#=h78 zv(kX32f+!AFUrXI2)eon$#x*3wah*c<020h!~#-0l%l8)UIK@#w=0Nv=xS-3zE(D`{h`-SY|a>1JiC?Cv;3S1J#t3W>nUz|8t zKwWA#ZY}Bb7b7Y+-E$EajH0~&9XDeTFXs=SHcbHN{{jZ6vhRI-j8-A3KZPNZZrCOj z-mOprt5__Li7#o<78eZ)-JoaZ0N-r|Of-w`R4HTA3y<33`HJ_VQp`_gB5zXPqxr(< zed2hTT1*&U9t<7EftIqW5n9#kBLKLv!O%*KgqvONwuZ^{oty$hXRoNX3zEOn9tIjg(o% zijRO;w4c`nM%t%>g&~|dj;!CxsCfAeD@gaJO4quzZ?2}SpWem&0<0QFVpinnR?|JjNX8<6vP<)i!OXR|B?K2v3;2om30Tcd zkp6*Qr$?>RO+mWVp;T82oOMYhsIMBNs|`2(uFwd?aYY+h?wMXR3HU;mTsB$d^5(lA zg6vYJbE?M=F?(;g+W=?^?Me*8@Jj^cD@4WK)dMM!r{JjR(gbItjK6>$CKQjAerLtN zo6{?wgbum{xbDc1T3<>LL&u z04b&xjSi0;DUtR(8Ww++($(EY6JZs5KTo!a=Kiw``VoH77b`=>>uw}ymr^m(M{dqk&6S{}{lW zZ%@CL4IuoA&a*9o9Z=$Ol0Gv`YClZA$Iy0~gfF8eP?FBgpL;UoYHcDYZ=t8Ut11qw zV#UVFW%^MKet5d)r0E?=_#mEWTcwx))~Qn*lqcq_q+-*J;5-Neg9XEkd^oB1iaR41 zybV?~xPM9O3d^S$E4b7ya5M$+JzZ%A6xXzk0bzKG7>Rgo7k&tZyfePnlQL()_cw}x z|Ma4#FAN`y@DZ>}BQ-!xZb7UTG9zDRC3-!KwT5f{jk=*+7;4GP2Kw^nlpc`0nbQcs zX5{Rju4xK!Nv2oqau?0j%%d^)pE1g%_7&Wo4r0=~P*4;&iV27(yAhb{a+iFt4;t{8 zc0!rJ`o;sTs;{}0SYL}Mujt)2tgu^KqgFE+XNoX0x{n#L_R6kGS!`6!Q9zsuI^UIY z1rRUGp?<;v;eCgR_o9xhL69og!%QB@d+q=Z^_6Ih!{wAggilWv!)AgAs|i-fwMu=U zmJ}z*ba(_j{33&1wydA))-v1|$fy_=5nKgUv9?=fu%dwDel)F9@kV`G9f3-{S8n}c znVkD+;dh$l>_s@WJTuN48naNZJV)faS2yg&MRo6D+(7g&+dDd*UOc|VOWAf`vV)1< zq+^Mbo3!YMheA;A<@-i93wlO(G)!};2|v#;Zg->1C1nbC0XO0a-l10|Tr4Qq^A zZfldK3`9?jkxGI5*6^SpyH~C=^&jfI4-R<<;K|7ws&)n7#Kgn6WU;jZVQ`-Y%}3PT zkT`vYwe{+C>9p^k=R+PPZwzr;bc|$K;`rmH=zV@h!kIS>6MA0T7)`{Pannzmo--wS z^a8gAv$H{G;Q&U%1HfPOB4T8tBBjqqvVxhE6ha8ctq!u8fB=D;p7-%7xJn-B(_lzC zzxCq$lwM&w#<5;^{B{}2dcpstLnmnO1ECnv+y^EB$(g4+UUuM9_I5o{^`CQy!GEH{mYLaVTDTRIUJyaa8h*b z5s9k|mZK^vqz40!ZtDfx0AX@|qJV`~Zg%++R^b7Inxp8(lm-Yh#i7uiPuZ#uv&*A+ z>C@0fG3RWwox*~WQW_~efCYfon+kIeXSr(7RkdqPGI?y=sn52QUjR8FQ&D~}olPfv zFBpozYmv~p;<-2S(AQZYSPLZ#@5I5p;1uYm7g-C0N`2!*zBopn?Sxp`jHbd~H30bK z9kWY>nxnt?1^7AT^2rqGCwhK;h7hD#Q?M+Ojd5m(*d%NO{92qcJO#&QzLD1}?>>A=%Ipf7 zSkKG%;bI1@c9xxOCqPIfI_t~nJDW;WNt3RPLl0V?T}HNQOk zF4B>W3N+M4TK#j6g1>!hjs82gmu-#iTHN*e+iemiFd#^fZ30 zi|S4H2lSCFB}5tGTjoe0oxX)RqmJR7{(a;8vn@dgjBWj_h7P_+9Tf-CSC)H2wH|IV z?DG75ve@%D0NxOlskLaQPP?~dY2@cHAEcw>aJ7j!uD|H+&_e3Gl@llE##Ac^*Qo*>LZCzS~}4ew6w71W%OW@ zQ+i=9>41g#!awdm>Huto{D;o~Zp;OEwBd#|c?mhcfkU&@A1*)uE~hgvB{tCQ+Pk4J z;hjDIhoCyb{_SMl`#ct{c32zHFX8YkNftY~z~Qa6pgPq|zoc6CE8K-;Fe#v$?WZP^ z#ZWtFh;bw?y2S!RX$WR2$8sz`^akR6gbqC8H9=yyg8Rn|ZsQqRau)=7g>YQ%Ws?vNVG%%DA{e%*-+Z9{bYnfpS&4L&`TLUgF7mUVj$z&>jLpt2jUY@- zd9Khx)$PW0aYC%^36Ki`0pL%s%-WNdJKmmyWU?IqsQq`(zOu3$;hXy}VRfF(Q!0DA z+vA2_YVZV2rQmz8HL|{qXIVJ}gSgubf*0h3DC9#NKIJ>?L(y5bgCYuyIn6V03yIEj z>;1F(Ff1?h6w)J`%Dtsbmy4Xnf-z|FCg#MGRdkc33D{6lJb+F>B$L2-xD1HQRgxMk0_ z91lxEea(p;u_408oLrM$ucu5-p<3#Y z{66>;t9S58-R%w8d`X3U9#(0+R`Mej3N4hlOM zW?`;e#QW$96#=wA>%l_WM=BrIC5n2d0E>V-Ni@HgA23mc?Sl1&hk|RaL&i5BHEP&Q zp(|t|zJ4WSI!=?I1tU7BU-FB+Xn;hZ z;Qy{8AtZr2`AM*v4~r4`vRFs5nD!~2Tqqf(7V!fIH8~wnPwqV5k6J#dihV-7mk=!h%^{q0XNY%Qrks4t}P-S_G5p39_oa99IEB?VchJ0n^ ztj7|Q|Ak;?3t)X}AJh<>_+aOFyGs&`ESf)l55B^onHFT#fxz9hW-2`IzleA7Qu^19 zgbP8Mv(ynHZ&+L|vJz;p!4{soX(RXpFl`_NQqJ-MN7w?Ivw6|TQ{Ph@(@yJo?n4u+ z{M$-y>5F*0c8mSSph|lI2&-=>&P7A)A6ojyq+lS7{elVQ^-ut9;sC|J`q$TLR{jgd z&(+Qj0>_y4SeivSHE)1e6sB7Ix;}FpU^hF1*qi$ze92PHHgM*0^w*VS-JkWf?Wj0^ zGe%X&{YNtiJ(8Hfy3yF509EU_2`#xT{>qO z%h}bTa`M}x@I)*nZ!i<~0O;8+^NIlb3lb-3iDc3jrg9*$K@I{Ch45=7%3=A=5DYlP z#hu%T$iDW$Btpw;`@eAv-?yHXKn!AA&}m{UMNOn{RFn#;aYCcuVG5TC(B1|u5;Xz0 z>{4VF)Ys?Zedi{)KQ1MaQictKkvZ>YhR`0L&BaApN&%(iB8RI9JtYrX$$iUwwFQxnJ3`7KiecVy{)7MlsegjtwpunVA{0 zA4cFq?C2|qNXPV^>KlTF&B~5T4oAm;0j9f#mtaJAW91+PA5t|enIKzOI=Ge~_%MPw z6f4jL7J3=L7qHo1xz#h8cX+d(#bYY5E7tynnbuu^Ww#CVo0Ek1;jpO1j%h~j&CPGiQ9>|O`CkRt@gT&*) zQjkfoEUbWi7)*k40SGDfi1t$(i>oOKtE@SYh2KJJ0Zl^!7wNP2#esM$Pb#tBBAzB` zaTC9E;T0UAVE}4et@!5p>WG$%vI>{*$3V6+1s{2sC*X=NyUF`cNl9|%^!OisuM=Nx z={(b5!zyP;ew#v((J<@pE&zBL`-252cOQyD$U2LeAIN;C&=M1r(D4yvvK`rnayT1L zxPP}1n#nL3qFcR>*J#3J<>+lKiC^HDg`q3It!bOw+(f0b<`9aur^O8I4rkx9g_9da zFGKwNm?B))PTcMyP*w>13#9la4t9+pq2v1w8Y@FnI@gSAD&43$YBrwqUR{0kUd9`o z1nT4*r6g)wWT^VxctF4!TROxT(KTZf##(0HCs9Da+AfQxvXtQnigryiSETlk za0ub7(5wS3A0r2WNy8FRoeUY8=D=b9r&cnpt(Tl%f%r0d=M%#?Nu!UK-P8#ljdqzp z8ik+~S@Lc$PvhAjF0lc{Hzs2xPcllKp&KsCI>j47Lk{ZwhP|0M#(pJ%LQ3wPJ-M!V zcWs=e4i$wygDKORebj*qJCSi&4$b4zoAO3eiEc@aUqH=s{guMIO^LG{)B7?}z23J< z?3r(%#h%P!|MYWauU$)k=f^HS3hoR_%=#lDT7gD9Z^y~{jY&kDM#Gj_Oj6;BZ7iaU zrz4<(oCSL1yLI6wtA?UJ!#*Gw$=O5ccSJiQ=udO7U3QlTz$9f_UQSg>+0zuYhvsfj zF95Q>H*Lao@ior1Z7g@d`OaQ(jr7qT9_J&FZPs#D?s_;>X2E%_X;Fm=&!e|+U2tzN z@QyZY2KSALyEnB)^vYs~&VOIf;7vZ9W(?*6&GM>i>Niiz+!-PagE56|2Aw6@MZZML zD$-z87~@N$)%(dWs|@djxcHG;sP_7Oq3|r2_#wN>f-eoYZPj4jvbFlWly%rxPGzQ zcVJ`ORJEa%XNx)fl2*DESx?OeyKhwmF9Q=pTMOq*MQ#QY0$F3-rQSl1i`=mQD4yG{ zx_dfZH$~hhZ0=hWOFL&C-`G~;1;mngzP;ETQ8FSgq_QskxjXRy&7kg#wE$l-!%k#5 z;s2*!gHixBA666iwt?@K=4kpF85ykip(wq2iumQBdrskTSMPki5#%i|Lh$(d4@d(x zw}!)VEewgZe2(0j$l|5%N1z3W(j-tBA!iQObh-7@i;7aACQo;=gj+zR7Q5~+)g%_) zSR-2gRv{DqnZVK{NJq?pxydv_d&1R)j`gEDtI_jC%3ujDudq}9Q>!9O^0sGWrloG{ z#tl}U_}2}v@h#ytbKRtgeo~NkcrH{WmLMT}k3U3e@eY)PRGWSa_%0fS-CA6p)!*)O z?GM^E5Ohl&u)KTMBn1VE@bYMd-DN= zIdr^h63S!q;s5HT*#2yQ`q#*TzF$}v&2KCkb`QSKP^$@1E8h>z9i|(E8u?qrQg$h`KQA|Unr|x z=6{=g8d!Er94h6qavEQ+i3ICiU&Ipez^&SU7>`GvE&(Vs|9ndmG7hv2k?5O>dxrJY z{-3zSj664A7e{5~)vXg`!xjlL{G1goR2z_e!u2)KLKXP4XwjnJ9D4`Bg05l?@KmAdB7lb2G3{^58y?T_`d$%zoI=mj82$ zzi${rR!HZ1CNf*5-f{XVS4rx~aYGRuJQ%kkD$W(>@53toeArBnpti+7FaEtF=6g8) zh&(fSKjNTlxyu1nj&MRmG48x;54oL3A)mZl-W%q*zsnXH0u}~bvLoe67B$ZQ`7Gpn zMU#%^CB=C2_1aGZZ_OncBU?JDzqzVLK6UzVU9uZ>W=AY&a(9};FGurc%rheKRdT$X zZLvl6uk6enVvNaHEb@NZ+1bf|9#Z2S8EK|WaA0VypT*9f75TeM8hT*cNk7T^sh!bV zrCzvFjIRmF^yvqy@^iH5uT~QrK`U8|MQsvKCb{0ka%m6 zz21{FVgXhu@6*Tog;Ztd5&nRABX6eZilIr4i9tWq z;zjSIhHVo-1P^Vpx*>J6-SIs^}D$ zf6%K&5Cl#JbY(#jBm3=kM2Rj1M4hF?TSUWP z>h!H1_EZiHa@lcW-Sr%=#`9)W?40d+R2Bv~MVt{`T&~|sIdyFJNh8K!<+R^sJ;4)G&}Xr0r=~W;zY3Qf|QEh%gf#2%kJw@7BbOZ{4~YUkS@i3P){xRE}Z}` zP?K=bo?RYWiq`889`3{5_?jetL)?;uc5^}w^`XAMA}Ebu=c>R4QExhb;`K|z)kdCm zE*vmcl!{&_-n^=&e#A!%(G`x}k=0&@)=TM~?=IU2-X1uPd~z&y3Y}`cRWk>#ih7n2 zWwPi=qR}L8u;D>YEx3+RnGrg?L0eJq zexLwbZc_6+p1K$1pe7W$-S3?q1 zZo-ma5CNh^fxSveGU>Ft(6dw4lJ8CfEwn@V@}FI0<-{S&aY*&NC`n{+pvbzWJf`}Z zTW#TkH>HXg?BY+tEz0=)`-b{-WvzMHWr)R~qTa#rTnV0OD(QtyIG5S6-VvZaksNT` znm>41_gd{paEEj(ljW?E2s!9wjNLA+@savT?U)OSlLEZlG}_^muWlZj!#JtBX>MY5x6BMv8c5}55}v{ z2oBZ+)4jBX_d1+)hX{I6k1g#3UOmjy(6I!jutnlA8;AJPj>%z^VQ4{a#Sxpc-_l3( zW*u6A{nnjl$0ZIR06(9R3LEVuhm=7)co%6A_ul|S4&LYC?wzt6W}kn`PeE`t9g8(* zHRZZpY~w-^cuNS-H@6A+i(#VQIeODWNK)UgOAsO^2sS7&Z0a!KSQ=GEM9B{C+O%OY zvwfTc`wJIwlNfT~ScB&t+#9VF%TTF{U3FA>lkx)@EjV(dnwQ*zS%SHe5Iv$%T#HYj zQIGK*n(s99-Z|#oIP5D(z8Q^L?~rev(x)=b{6x?T+cIwunu=5?psqEpR2S4j#y|f; z9}%0%#QOU|UQqmeJl){HwvX!;djIF~V7f3^aG;8c5JCVIesa{ps(cANc#XUR5{s8Bm|d%Ja2mh_0jF1Ad;j7d&NsHq@egp8y_i`lAMe* zzb9!_Et5%bCY>>cS;5n>_6fWi=h7`h#K48hXN6Uk9MDVBOYfC@mL0nWE;)%wPS!s# zVEbS~{OUnKMIyoko||ns;YCD*Eb_*vzTsZamMHt4Rhn#g;|hNTf;g8L1Bkyq>(J6d z=XM|nn1SQycj`{itMP8HG)(W;t3MOJUolRF1bLl8cYN>NzM=oCko2)jkwKVx;}jM5 zXU!&(Z7+5SmehOrm058cz}ZFQIIZ6Mgrppf&=a;6Fr{2dGQY~3iBxnA-rX=d|lo5>z)j* z(DJVuDR3o(;LfWvE0Y!UG<`2#*C~2sjJ2GT*F9gNT>Aq{JY{<9eIf#XkaNL%6QN+B zImnAG{Y=MGdf`TT`^N^usFgoA?{jRkI?TUS6D=D;wn3ei}o|#7)>-Fv#NUdMYH`o_$die?!%A;lpBlfRpe_~9i;YFsX`>$!co_(qVb_>NBczSLzK@z!2agkq}f)Y7f~fhIM)YnRBL z{h)jKW}GHY(4I^A5stl#%I}B}hlj2N;>z)?^DgOM&TLpaD9SM7{hLSs&9s=S(CJEO zFs>a{iuUwz1?K#1e5K46h=a%EC6*aUz3HtmEu!NQUiS+IXYY9W*1civUDITcjuie~ z>w$457g7$upt#%7pa8`FPA`91duu+C9FuO`4}oG#8S-kv%N9hc}wV z!kUSR%1lIUv1ZPI1VyzTdpjp@B9X)wC%j%B#Ks~kKc5a~W){t8#hv7mSp6UjtMhzv zac3P-kGso%o{Sg0H#5BQaw9*KmQ?>^W|=g=8Z*NXQ+mCrkduxcQ8oWLq3dKt^4Lw3 z*YACIDazY~{=|sEv-fa(-qsG{DC6W+R`R8Sw zJe+cUa-K>h_B8za-o{Op912)Zg-*&T56ZYG`|pTgw%pTrtayhOHL=#l+})!|SrHs4 zb=N0R!O8LxTMP$CG}%!M_B=7o_d)V1?RD{BL21CcL=w_`I3S@r@_EhYP3q(KS+B!> zM>Qd4wBz6bg$1Nq=ktH#e6J6>UVsZNhRZZISmTcn_$027HPOA(GW%ECx$a|ML8?Xr=g@HGVsir9TeBZ^ zG#{#jq*lV&LkyQvB|NR>X?M7#AI2w^E3%I1dV-x$OEb<29Ucp7Ak_b$PD0$~NQ3pQ zxMD&knjCWMhRrvbDXVtDVzYtTXFt!*=(3%*qNfC3{)ctsBFO4k{61eJ#>bI$xDV(IN%;38Hg6gXsDdf@q z={sYsFLnwcy$U24!YjD<-MCqPp$Vi?Kc9kHR!F|v_(k;JO!H5i{+U~Wq_c-XE)ti} z>Bh#kL{_co3q!{IIzbAii@nY3ckG&j>gI~X%@g4k3%FCyAJ($CoQ!4VVsA4b_^>^{ z(QhpdCc=tvCz39XMXUbd0?gBs9^G}9Pj<^y8N6*D`ZgXr7owxTv{_8Dp8zkdX@|9@-^g$72yxNHf1N!)p?xmHxuWkQhV6QuyCvLje^Kbs+AT_h@|Gxg^^Lq9 z_-$fUd!Ns1Nb%OeS|&-1)iHu*&I0L^SYAQ>#yxMJLg#c>xpduyHt(3p8B75!szf>Z z6%oxtf#n?kDqk(*Uq_BPi4=Y0gh9N@`Nm`Z+eH5{Mx+LKUnUq==~%&oqoicyO+y+Y zUBr)r#(B$1RRw4Hi)v;=?}O~9U;YW5n8p$P0yM7Csf+)|wvk#&KcOCaTLA{?km)F) zMAU{1JJdOW-RTRvD!e3&6cWMwQuePAz5eyBZ+a7Z zv<`Dddh3Plp0Wz;;@;zi5d7XLoXgyQaUPv#;8c@lW(c`C=6Z<4TW){-@N>;{iIL?L zcNOQ76(*JD-hW9)r-xW_>H(tL(J7;3atptlqcl0f;;jl2Y?;n?C9)+j_w6gr`*9i1SyWnIRO%nA2|M6u%j}*cp$3gYy zP$3C_VSHeHR|lyw8)((ERKQ25;2{wrk|3iNU%6HUOa(R|hqCot-!skRxg`|0t9Lc> zLC7bd z0KZSqJoRC^RVJQ=irY3*X2%oW&JqBSDX>{nAHZ^&e)>-Mk-;C~U_U}gZL_SvAh>#QI_#e1IzP_^ZUq5MsTc#sq+l9kwo1-fz*PLSK250)WP$ zK0af>ZUAoF<~dot)C==Fh+M~DP{%wPr+Z?3+~;$-7#jczvkN?aZrf_G{wi4IwK(W3H)#8-D~+I*Ca9J0o5a47O8NVHH=`HgX5bI=pjwL55z z=%-#hPheF_hG(yJrV$n<phba)=MW!OX`5xuXMxs{`;GmtspTY zd!}^Q58mfq|1#u_}D8+j4!QN*J!cJ#0JM6?n#@hnN7W-omj^rgRr~g7-!Weaec$X zTvNx|a`O39j78_AJDJu`BI@E(`c#?w4?q@#2FPqUIz-62RwHv%Hvol=Kx5kwl4lYHO^+B- zX#d!8>9lPvL^KWI7M29+Iad!v9XUwhn7nxX@W^86n8uU6?`RXXb5+cmU-Bsi z@E1n$^FWO7$dK&GGwH}*4b104mt-~m9IWC<@tS=Y7hwUpBG1LLzJXybXr|kx9~Qh z3*0ccBvh?_KHg=xq{eia=SuhYDp=fipo*pPMS@c& zCYCmJR=e;81@QLAsrEaw3FA-GkFS`0Vr+1Y77=*YZwc%Gpv2OS zZ`t@`L{w}^D3#n4mQRGJaYE>q0BY$hGeW1=KExlN#@j9?#}%~AMs4UZuQu7cA$`3a~Ma#O_y1d4Wt6z2Sv9T(p;~qU$2+8w#qRHS!+B+0~7yUnoC77OO zjN_t&9yoc;GZAYFgjiT{(iqIruLbhJgg7(GD`YhhCemHAxRYG4Fl2!|^;b&dQ{z>w zcDvU*TyL744q;(wc@pf~)3ZgG7i-sEWTcCE&mrmB96O%K#Gb1eBB?M%rr&$IxcphV zGj)`ST-}h6?%~hsNFVR6X4n=l-P4>zzSz65QOprl{!|pz$UL2Ox1CFh+np)MUU+lC zAXiAZX_V*Wb8f~i^=+@vHwR5%t&_cf;1cCvV<=hI(`&-NbS~F4iK)AHHCmbXNczFN zyAL&>f4Q|C0k@?YZRLLVb3<(RDsGHQ~J^$G6Tx47RK z=?S_+{9CJKx>mEb4{GiR|xloyvg`&#HLa6bb zd;2j(ZUBcs`%T18&YN7+hSeSEiTUSrc!%)&@YvGPsX1(UD*u^g;ycCMPGn)t4<2jd zKi)5U=+~FW&=`(B8f_f0z_PDLTa8(Jis3pU*kR|Ob17nj65pg8s?}7~52G7rp|^4v z(~?j-fPPrRqL$3eY#?v0fx z;WIDmFhu5ok6+JA$U~$gXdNXNP=;F?6AoDeJ~kiiQi^6`k?EdAtD@e&`Db7 z143c9e0^ijrjub;v+_l=#Ys|=5S8I$kXH-aN_IF)Y^!pNwLps(g_i9gZ$IhFl@05) z%4aXfx)?P4j3$QUn%5N0TA?^msPMYT)1!3U? zxsUfQlgY|+n871x+#|kwy$^Ehc0LXCRw~I@Od z47CVlUZ{n?%ij4k0yvPt-~8VJ2Y(JcLh!H?mbf~xR0KVO2;-0*5>lnucWurf=(40& z^?4%XK{2&ec-T3mmJQO#u&cecua?ONT%!gaU6Qq94#tJIe~HrDnUCcpE2KvopC46 zdbc#)k8bu$Ho*AX;P(pt$>?ieaEpQyONrdp*NsDJT+#xK0MCZTLw7P^7k<*o5}Rg} z;RXeKR*Hom#s@vmqAtnZNTO{cx3CYSUWHaMmpIP>*Ul1FXq)jj6k$?cb@~R69gJ&OaMj@ymMg85=FeN)iA{PC@++F@fSZz z_dy%KKIjktg7MK0!55ZRFG^^a#fN9cCh(Wxj%M!< z>JtI9pthK3Ji-ZVt5yyL(#S*V@;H_`PSTjzx*t?A&=S!pf*aW%KBb^ebTnKgZM`Ke z=qxbM=3XRFNk7$q9c7*$--)3`NiqK{(#3X3d28BLCfpV7W4|qpB~othl$utn?-G*~ z_KwPkkhxZ|<17@09eflQ2kv{<{#Mr;Jf13Qvx``|m~Pf>AbL0s+F7Kds&8#taN5c5 zO6#SqN9ZlO9cAA*9?gjHGr^Ju-!_Wi5{fNF{rv2bkgRVxyc=Xj;G~ZWO?Q5Tajj*x5cD;q5PY8g&_BU{|zKiv28{Qb;W zh2&Z8n_pW72FJd|6A$GZdRHL|-WNkyO2!Ri{rX%mcfjqnT7fk*=@JMDs7@EKcy>X} z25v##VO*6BKrZ+VR?fTe$=clVahxh-m%VgYnIM&`ts1TG-1j!1;OP4nnm;^%>%e>O z>nvUsG8L{A^JFI0y(?+QXC?IF(h|?F{0QFBP_9wnpN$KQu3E(EX2rqyQJf%ZIh@j_M!V5oxk|nWjq9*}+GOs*r@;@*BLyvv0TXIWEEF0wvwi z3J*J!D(?71`IE~#Ggqr!-o5)uUXm2i6l(+6Zo(ESM#pUb&6Gepf56wA%i!j;Y(1rA>UU!LqQAR`da zR#_ke2cSsdoM+`u!?y73IXO?n+u zq2lf(4E`iOtgUQmbs$u2Nw9wWEXirDlAw7Zz#;V1qlP?FdIeTiEH*)NLj}bBLSE*_ zCBvQ&cloFY%<3?4VyF9PpZz~koo14xImfmLRC3! zk+UJn64A-}0K&PU))wCVBIXO_GJ-wiI1GKYn65>cIyCut*K~BnC ze-f@~F_sjlHi0lRXQF7)CW5W!F(nAG0|)ow@dC%chM}lzG)jOOdiz#G+^3x)aVgl? zL?gjsEtK8}&Geg452Uqai8Gi- zxNDkz&IG!m9E#psKnUZD>B1k`;JPtfF&_u_d-z#K;h#VXe#u>aiwkKWZK*RC%e*nj z*uo99%wD^xRJj11D*&0#q}mjU7?2z2mvz&x70l4E7A;7+T+;TY;;U2Z3WE%b!OS0p%U2GV_}Q|l-+jazqxxIm_Sr_EK4-+(xyu6H{~od2y8<9 z8mxNl^RTxVQeEUsaFHKcb6x0kyuiZ8pB@u$wnJ=#F~n3JvgnfhsiFIat1ErF8}($g zEIVu8yVKB|A7gh>Y`YtLMi~Z`%16t?hB%J0Pvw8rn(%)0c~`KOv{J>ky&-Mp*G7j) z9~u6v1W!+SKAxKq-*Mq+ldl&jrtyjWpr5hyfUEw#u>a;BO6fJ5nHfht^9xQQ3f5#T zcz-Fb+pcT#fB{b`UE-dC`aFff`%TOf{-$iRN<%Oik=d)k{U$qZON4p-8~}3vV)imN zkv54`Fv4{EJlm#eX?d}-17eJrc}sm0%NxnDoGpnx=Owa}wpLd_sO-^BCGcAk_7h7M z%$bF9`cm~~5z|%pi@6Whqn>zGqOBeif2{vx9)n@xUSjP)H$Io?dJJcUEKfOpQm*K2L96T~Z3x>6v_QpQlRgMX-O@6N4W-?l?pm$(Q}Nj% z_8kAxU)b)b!9%a$N|ST^75Zb)r_)%pb>Xud?c_b__b(o5>((WHBKI4uo*T_~s5$3n z;ZQs|hkE4jNl z5s?ZcGwRHQ$O#v*{=9Vom~Yn>kg7%qpr5$Omr+eV`twU4fxdG7{iraa6dM6+xh}fz z3x$}7YqHdWPUS^=XtQpI3bcp{fTUDVs^d)nb>WL5YDa4|=Y4TAtb*2HwD+vqMNb?) zAx`0(v`|O?W0)JaFl3Y_`hh{Z~hGONnP1ALPVd1ap2l&xTH; zVp(`L-5q!%p7L1I(aq|}(^ztC+aHya43`9=&dAH-z5;WGOvImRJjV!_t8GV6s#BbR z6dV}fDwF03KVGJsB$cZR@5@>^aXhXT!s@zqh^rGfI8Qar?cAHX4IARYcEGZ$n8``< z3FeYmoy*I@iX}e;*oB2R9Wle9|NJ-%UmPaM`gwF*06Q#yio`f{FY! z|A~)9`V1pJnv00e?K}5l58yGcNIure@S64&zF#ICA3E03!%si2P>Vy&2#%%k6^O9% zf04UzT90O~s~Q@pZ+!@lJC7Zx%)oeM_dj> zQphLuA529xR_pAGA`ctk=$wukQTdmkLnbe^dZP-UQH|tyUtUnsw7rPRDV(Tlv4Um` zQ}iOj`h=WC!dOBDARth86InIxO&n%qlI87%eK>gYt_1pr=(cNj>aue9iDa^DF5`^y zc*XoTFX@D;4uTR@p))5#JyO{-I_F`#VX{ZI*HV5wx529o+7%0$kiP&ojcUky;r3aF zM*u|Cta*T?a%OSmbtgeT7L*L2GV-Ks`dMaEjB0O`5k}kr+9TD4cjqD)AH&@US6Ku! zx}!n(12tLcV3_Nw@4#MFk&(e-a{Ez9wbRJ18)ub@pYZ*z5j{oV+<1u;^U_j@sQu1w zo8je(XVk5kv-UMTPS&}dPZ2A{CdN-A4rO!AGc0FYo+v#T9#>w&!|vrVPbdhz_%0BT zTfVlt{?48B1yQe2TF6kdx66yG@|nJ_&#M_(IHZ}Ffzf0J`iB!ozg0ewp8Bu)k~jH1 zP!PB`FU4Ap@Au9Ayk{Ux($0EegwIsMRKub?d$^K>^|ZLHev)j9LPbn$lETfpcpH?^kM|#-X)eS)XpKe> za^_B+`20Pj3qZQSLRi^c=`S$+VM>OlV{09bvc@9iWf^YtR> z4^L#b*Pqx|?8p5w!!rx6GD-9=HqCC%Ss}D~S;Ozz z4_4SL%miXcIQ*+u&|7o5q&^K*-Q~&Iu`+=y&)VL(ryXCKX`{G55^Z~hlr|f}&3*Ys z4s3~w@N5h#)8H+V4JFdkamp`A%=-8W^JbwT*j*yPEP}bA_0MV}FHN#fA@Sxkb9nNk z!S~+_JV?D5!_SX0i-pCa8sgqBK$z?0Sb*qF09qJ00!I95MrMXVRXXGdTYh}KM2bMY&zmYmUOXe{IC`m< zT9}Fv#VTTt82fv-b<5qy#{;1pSDgxhC=u&6C2Rliw3s=t_b?-d=)Xvz?RU*B`AX6b*wT)_yXaq!*@s+i>g93?cF0`T2hcbB4iOwBRbo&pF zYp%pt{Wi0liTJEg>bM*jvOl&tqqUYo$`{FOvcMPF_0EGoko<0!bU`q%fr_NBqf&L) zi?+1a4_4A#c@$?GylOhj!K6XLDuS}eC)_CV8c4C>sB|Fdl|HkJ!x+B~0OAUz2c5TG zRGFhoLnO~gUV&Sj)gLSWrdhVN-UMxD}oAVqXG9uBayJ{M4?gd zl-K_vNQ?o;pN-k!yugS%gt_?^>wq`@jj<1-EeIJlw?sF0LlQQ7=ZyiU_vRdTIyBm8^;|H@x=AS4VzFRL51x%05!SzgXo*O zAZ(HIKP|wA%G4JGsp^57at&12-Ust85)a=ZP!A(Ip(7y(*iLr^`KCXCcG}yNJ-V4~ zKwem3L!gJ^gr&VB7*X8=^p=;k(^2Z|@mxT~I8D~Dj|BOyu6s{jpcL6P)K@4s@QzYQ z@7J8k4g*9r_b5LA%3M#5@;wPT(W!G{FQ2)Ux8dFXbScCoR%5?EonV+6|X}VPp z>%>!DiM?Pd*brS4ZmLt{L=Tn39e=xNVdiUU5UHdh_>J-qQs8*rYA8xIaR~=L!!BU2 zK{vq5M!KXIkQ0Kb#-PG_VXD=bFEFmPjaCQ zGMWmOBx-q&Hrt3e+ajBh>##UIqe$b4?9aGpAIIS$1n91wK_U4cJ7^8xr=q(SEgXhM z;}dyRZBWzrm87ZX@rmcU;dD8sr3n6uyjnE;y5)!kx^=r{aR_rF@(1x{`a|gGGFF(rWlW}ThMVBZ|4Q-eo5C5tk(L)nR=05hBj5cT3Ubs> zJ%=gvP5|j1V?xb%E|9dooq{VIwyX-1Rk2rY6YQeHT&}&%dB9}_EjTs!=~-l73w0-M zKbZvqKkLs&$f9(m6c^K8_bU*UaBwFIWU|UyOX=VU?1C70i$?{MCez=^nc!x9a;o)~ zTpGLURg1~s!tssAAZK2ZM|CVtWj5fSgYX@%uCezLRgYRl%6IcI$p23RwuIEURL zKVSot@mEWY1YH^tLpB4ycfV#eYr%jUiCD_pV3~Q_DvfY=xy=>^3iyu zgRBFAwYrU-!rVuBOGgYh%N}N^Czd9x@GU_0x*Xs(2p(^XmO0xWd0ZUO6W~*0Zd?bW zfZra?xp8e8aM3lMpA!88YZmAC|1j(SE=mn7jM~)aO z9-Ezg5AsU|b0BMHX`!8Jza?Y7t)-X-I}$O#bPb68j;}@KZ>$#TT+1JWp$p_#IVT;1-xRYslShdwtC@ z3~180Q++*mS7f+eMhUJ(+-N%}bA5kgwZ`fVI$gOMo#{#Kb%40{53+af_31rHVMgTM z%K&dowLSqU?7Wi7lV_>2f0y|tl|PB>{`{MyixalR;s?`sRK3)xn~Atdzi?C|dWo}+ z=3U6~3L8U0X7g9trkXR*z1NaeK>g^VUCm*ZRFF^M%4tz=<`2n9lY_SkJ3PT$;ss)Q*624|GqzcGuES&3@fjxEHx$vl-GVd=;yhw`^H|iOxG9T^pP2J=F8Svg~f3X^F2Lf z*G-1km6=T@zG#tp^%XZSXq=@_z3ovbFz!P{1j!VM;=>9+*8u!Ww$X_7&g4@>cjmoM zSE&V1vND!0%5I#!HFG=EtQPm@WYggaz@tuQtD6@XJ+u+&7gDdy59k7Xm@I%$!y>;zcjv^%_(grjlXBiV zv(59zR^MUc9G1mTN`gHbM*fJN2X8_QyxI$!>j@?k|A=P(BpwZ7ltI|_m(r{mNki@W zEETCkF&!^{6{6&1xnQQpNTILR(~-%}6$n)2nRdp82RisZ^<>n~nhJdcIwL*?|oPv=3rE3Y5nK z;so7-g^@8UpdQxS3<97=;wv_{|FtM(Thpm7k8uF9xH{;f?>NV^+`u;psm8Pvxe_xI z`9T*3<8MBI)7Z8jGTJOs@br=>w3eR$!e-9i<8`s>O3OnD`jC-|)BUxN)smR|gmcdm z;iR-GKJeYHq+~fMuYDgOQ{6K^nb~u0Sqb1{fcWGu-V*m%2GF^a{>Su( zjs$3xPW=7x0r`T+<`yt(l!G??Q}S8_3W5l3ja(2hQlK+7U++3dp{e1U72R*qA+~v(sPb zhZbb(?h8b0XoTfIof43E#0$|sT%H1|pq#Q)2QPl$J#Bvs3~8{yi?zX~P6A0DhOieO z63NJ1+E5>$$c)+3zmR^#Iqtt53+Vae@ZJj_G*e>VE%?zqGGU1j&>a+(qH9P4gi|Zj zp2*Kw7pnXzg=Y0RlKs9%U`|#QFP!t zCy3{OcLGgPu=G64<@k2EZRMClwmjT7r8pA?NQSFAk``zp z+dRnC{)pI%pTa*$3({gMi}z75ntHZbHIV(^b_jeL^XF=8hZ9azS`g;CLW~gcnUPl1 zmwUt9fN;Qx;p;Xjp6@m?##>Hpds1G)eDC||k^ z&EaDxOIbVmDo5YmXJUIBDa)fK5;A}f1_jBatV~($;QRZh?4Pw*{=e4(Xv~T)6Nlm2 zj{hVuq(FHNP<12hB*SKF!Ea(JOG#J_3syGm(jk9Wgt zyv&JW^w5BCpthtL=lb^N+||{Ll7ZK2yY%@=NZ!T6VrG~}fZ+R;hoPQ!p_6EaDLYWl z+U5nX3q|!~Lt&({!gzI-av);hdKRLB^-Z2-d_!MX*)>!jy zk#Mi{Us=ttjGokkb%ub$N=uY6lLuGTaaII;I-u}U;~-4^LiiU=gJbQE`0xTAP2Cwt zU2{QXnX^q7T8@&BcN`U!WqIF9K-ir+_zn`qV3+vOmY#Rbcd19mMhiI;sSm@N*iqQ$ z%3EvsSTO=Xvy1C-SsX{+G=rfR+Pe|9{S}Q(&g^ z#$j#Z`_LtZ=5(jnYzs5f=drgA$-_Oa>v_y9)|DuS0nBR!sD<<1>zaJR+mIjnJjjlq+dn1vSBDN zZNM-wFWyYHM89`2JTc(`mu{rLPpdsc0DyMNuF>)^{n27_A}K?fsTWDA0$YLXs8nKc zcCkT{tM@OguGTNvHmc#Yy4fTzHZ~G%d_ECBfQQR3Y+&cV zya618ssC~HKC1e!KvTw2VIz6zyrVk9sd{ZPkaf5Jf)TV+c_hAa)AQ3x=g!85O7xcT z2WRPztFw_pi(V_&dIqB0wd5Yyare7OyxqyC%QVb8BC0w&ohtjzNBwBKfWiX7&03?Y z1@<}DKUeS@6%bl)6X#=B0Ts}ZRs2>&z~H70d629p`~1<=!{$6>JLn0ho*z2Ur(IGN z6~m@pZWGRfdpTX(6~ip<;Omvbl>#W0+Kaq)PN#74$jXqhe^GG6Y*P#kejZ25B*Wp3&jZF*dgm*k>2xvndJSm(!`u+VTA=aFuSvs#l-(=<=kEW zgvx(~GCb)M{c&rV!qc*ao3*DYM-D?+tgXiTq|LE=KLJJ%P_uL~0}lj}(#4>@i(arG zt+uN9ay-rM^b$avzq7{K^7c9o9K&0|e1f&0`?-X7q*biJfO;eTbdM|xC`3R~T4K{x z-L8{7m`-<5LfB?tj3{U?n1e4CXo*o|#_|Xhr+$(8h}ABkk9EhZ;u_|*upkWxiBWd6 zXwF@|^^1LTkO!zxZ0lzT7dkmb{o+bO`v8J+&|Yz@uQAR6c);Pzl!oeqiX52hyQx~6 zQBsVM(Sn_Crkg%J#f%<43yD~DSI25!*ylVWd?&)a`5(b>8k#;j;YoqCRD;X?KU5{v z%jI#}RFupZa~-)M&mt+5Hb%dk*_|}ig>ob$iHf<)M&vGZCQk|&5uk0H9OvGp4k$dB zja ze4|<~*ic`8;+?Jb{!M0^-lv#X&8P9C#@J!}ab0(QAks$q+h2D;x}SsUu13gYroUSb z8?k!i>7{lwuAt)IM#A&tkU#nk?7g1~yZ7TPCFpv_wK#FGKu(_0MGMl2L%lnt(nj5r zgE5k!pfQq8ba2m)+mRqC#N8E>xCeQ051VSn_1-+oRN>{kax=ip;#3&({}i~3d3im& zU>yvQ_yiAe5Ln_%=GeK&J2Xseq+n^(Ukwxb(QZauZJ`@?TgFHIFn(Cbvvs#WG1vmV z-S)2VHNf0x^F3-6k?p4^cw|8alMu9caO~g=_Y-RRG*&BCx3xaG{Te%u%xuPCMW2QW z`_1nlKo$b9Ifgp$rm?H>XIN_jq+ILmTHErulOg{~Mc^&_FNZyuzMtPi=n@y(ae=dt zP37nIUodn$MvUvhSS6Vn{|xShspu4fh8f?9iuC>%K$d|@*Ig{c+H*1!RXI^AOo%(P z_v?|X4a+*}#JJreAN_6To!{QZ{DVr!i2CXs(-+Vta%iuP%Q8}RW!elc;;NWEXvC@? z=VRWR)v1gtH#3|vfg(OCoORmO6*)kEv#={B6FS00E|-pnjTKmP1`P&)IK$|jFT&4| z2JR0e&9_-qAoT&l2wO50bfB&K#0a$Ix!|%xf+On*qj9@Q^7TC{A#8&0gHlo{8wLW* zgC1rrZ{l3-(f!Le9I1y-Nxg97U$%(VZ~?4(Utn-3ylnyA7e5Q1@WLkrG+dGDxwPpo zejo>DlFloxnBbnx)YWE2~aSICZ<*4yMTr0t$@Fb^){TbE;wy;C!xp)M}867qmVd)g0@j>d^U_@#y*1a zVUFrlLfHRpRRTR7QKMJybGGaKY%_R-#Lm4SYm6IN`dtC(jn`BLN1HfZoV^qjY~{Z) z=d7;I>e=W&@h5rj69OAHq-uV-3Q+leCzn~(%Z2_Fd46LQYCz}*^(hZ2fx10AGdGzP z`^^O*FqfBjhVKWhvv`&Thsf>4Hkz;R-^dE|ZoJWBzGRqJiGK9i3WyIHxpCplGr|d) z-fAHA4Z^EyO-b>6pNV8mtDmhd?9gozc>40N7u{*TBl!L))XdYgby6OO()#4xLo#qr zRAjzbD{ptwWuE@^Sz|llDMc(Wa`Lw}c@;0K<48@0PMv6hbQ=;dcG%DSGkzH}=|uJn zed_V7wYIDzc--Vw7ccf6rd$yrG|dv-9j%44khaOg`6Ies{aZQkj+aixF!M)4S$nRu zHGxBPgv{ZBwZ)gBt<4zoyszJsw;6m2g(EImgd1j#lFguOCnIJ}Cbi@9{;!4VKbT-O z#>_c@;coa7%whY1Ir9RS<1N+WQ?Cj;g6E5;St~!LXogsnATP(FrdcbmT&2}Fn((kY z-J9>+017D~=Bv5g#3kc^G(7vz|GaGZu?27`A`V~3jN)$%(>#pTyS3sfTS8@4n!n8r z7Kr>WyNv$?V3*tB?DE2bF)%L%Kl$QMlMt>9TnFK!ZmcD0nswVG^-fX$2;e8NYoN^8 zb|!L3Y$tPG_e=(JpBx6{a|dRF+`vPI?%wQIc>)IRrr*}p!-X!MtPUUVo!#>1rR7Ad z6kP!N2Qn(WdDR|)hcgqCtBkJCeK0JCvu2;8`>Nq=>ENUz;=pN90-%+TW*Qk1FW5Rx z71H?SJ8nkHw`G72peI>JY8m>)!uS>^Otbej^q{iTbZZ6;i&(6!LCz=~mu~2e!en7t zZ2_X032thlb-XmijF%yS6X#5DPk;qUz~w;rSIZ=VsJM^s){8i}9i>k_g?-$rDoI%O zJ&N-eZ1WxlYPq&dVdgViPLP-25W#mD+8bw5Hh>Gl_ms<#0xJUGioGGK^4Tq%EMEj9 zz?T4I}8=&F%3@FzMO)bNaKaF=+?Gaf-c?7^Of1sf%*Il@Vn3^gBmb40i zxk4`f$DjQ?x1zAJLZ+J>yiKwE=tqvSa}2yC+3Br{=IEuiH&<&*l+P1i)VCJ5P?J{e zUGZU9exiud!PJ@N>`p6K+~3=zD&ew+4Gt=e3_Dz!trz&j zL^0G{!$#x7eg+jPOlc@yW-KK&?x`o|_DUIYyKkSda*_(=)( zkP5?LCO>*!VVUXX=GrADkpIF5fZNbmUt8&`XLB+&CdYgZ)x*R!Ob?-luGlK=#ORZ+ zUDdV8UdoBR>?{3(7DRw8_^D>Dy5sQ|KzB-xkvx*G&>$^k5evNOTPRP!lx;z09Z3j{ zhU9mgsJyewp)u0qUm}wze+R z4upv+i&8|tbC_?KiNnIVVg)FE|?~Ajbp{oJ=;!1(&9-|;;Iow3_Kl>TLC4AkhjLU)FS`T+W&7XY2;s)ds z7Ps)cCS&i(pkv38?b;H%E=B$ZKENPfV!BNVKrBb&$?G7(W$`Vj!*-~D; z>`7y9l!$=z*i<|14=>4TKKmZD!o!Ax-4p%DPwG-o_VWkF2vnxGU)QoE%>-lih?u3j z&N&XboyitwTc69Gon%xmjRLs>ZmYm|VBNU)FiV5s2@6J8)OT5%+?+E?q3(*hkv=Oq zQcM#bH+qa^R>@zDH)i+)FN{~yi@XNQ&y0WT+hCoNo*jR?Y6L`eYuJ2k(Pm4!i~=(P zjR3FLNTB5T4lyC&syX|q6K7>z`>=lU+mHv-s)LUTl?@kXf&!(VIG7Tw(gzI};HZ{m zL>q2&;SOvS&KcJR0F@=g zbM>M!WKSo=yXNm)CL_%hKPzBfY=>BmL$02w6vu=;cgpPQh_y8F%rgTBVrP0zR{|*( zHPXp~%cKQtsVg{tCo!P_GoIcyQP&d%uo!ln71y7bLY2N!v1_#*oVtR2C<_dg;*()- zf_n`!Q4Bxke8_CCd*d{V>1~}Z^5!#FYy!zNQ2P|&Non0(L+JpHXyYB7#p7*N`scm! zqKB@dXBVpxvjDX59%8v=P zJnXcQ7cRGg*F0{MP<}WD+&t8QR(^E&*{4XGQ?Y>)#cklDh$tb2*?mZijqYx)wxF;x zMTXuxAv zkg(ky@NL9Qh=H+8V6Ofr2(Wb7ZqFM7Z785{hMg1oIb`HX{5c!ZdX z1w?(@tSYPJ0(3p$ZE;EkvMz`JB=LCDcZ94H$M9hy z!tC8Zcl=-o4;d}!yTmK_@Ck8E_^nu6H939C_HQ1W;o*M<4{gRSLKg;3?Vum#4JQo@woM+hmzIXTsx>8|OU$$(eYm7kW}Tf9k`H8B@vK9n{Wwaeq3) zkmnVwlchLMXbNzXTsL&T3{5V+9yx@`CISMlhP@g=NFO91mGTuBs2sRQ_iZT)jG4PF z7PQvBAT5n~v&%2H_}kDAnW}F=pCwS-&Q4>bI;lslJ<1Nv`AX_Ms02O&wfn3txpGd$ z>&jDbD!oqmxU8yk#_73pceai)*d&ZWy2Z-bw~RBD)rk8_R_9k)Hvixwm0~=(m1t`S zlMJA(!Qp#HK&>RWT&X}I3i|yyJ#EFt`6=FSrP#Z}oenS7ox{o#v13d0a}W8HKT(0L zK6`d!bk>^D#!ram-dqHAsy&(|R)AdQ06FN=P=@W##s}Q2-oe|+eS3(bg(*;p`hEFpeh0z--xH#ua|(Y~ zMuf6BUGT5VGD-rb9=(`YO0tX#B)9$g>n@kd);GrpH_Xz6ItLFSCpO}jf@R2j93J)> z4Z9nhIRHj~NlR(!TJ3v%{6jM(9E$xVnc&n{Z8Drlqe1_Vy#l^kzy0j+&rC2?J-}bA zvgF_EaeCJkor8z%FI3!OJhimE`hNy!in{{dQ7P9lMctUp5Q$P++xv-bd!PL%ksL;Um8g(z=Mppi&Sge~f~XbIZB z*7XEmg;~CYnbVOfv&M(ZNrkomc4^?>Qk8{|CzBPIv*J%ayza3}1$H-I!vHg2tM$^ z3+}doHQnVB%~}3&^Z&Pt;L&eB;dTZt^FnL*uLZsfX`lYiF_8{_py?XOz#EnB+GRF~ zgM44KJ-EJQ^?Zy;iObuj;4>xk_Wj%IgMa|(t-VM6%SX>}?DY^;{BhP3^=WhF-W0m5 ze<^fPa*(?t+A{y1lohpC3lezh@VwjGDodFyQ+@JUN>!xNzr!8p_Wn`T47=31Aa;W5 zs2%Mk$;;4S@&K9MNq)6&7KZr-C#o!(Lv5vf$Z-V-Tt7{hc7^5_kmK7On2TqWA6tzk z9B6vHPu2p)bV>&ket7Btq-Z#EwRE^C!zzRu{tdNTvz`hg>HA$hi9kH2s}hdEXtBEy zZ3P$QZ1N*;5jMqZ+(M&~`h3I5##FqHfdRBxtr$Ei?C-lm?BuiQh~Pp*3W6*A=OGD- zY7!kHD8(mt2CC?`LJ0X(2#GdG?E9=sTO4Sof!|>7Mdrl2q}`~sU9xS{choPnxX(TY z#gv0DQQdYw`gMH7%J#?3eifY9BtYS3BOAEiE6R<7^lHB_0O#WfTK}yiO+7*(**oKz z0jPon)saIQNG?w=r#xi}a9qn|gQ2@sp8hTynM@E}uZ|{>z3UpO#LE{vIZQvGoT_NXOB2$ z>oltmF)Y0|qQVvJb#o2u_u6Og);!G}t{z?QE=2EhIbonGOn9!U7drJ%#P;f@CI<%m zw$?VNv!59nKfAF)+_(4Hl?AXSsjjP)wYl@y8}$0|Wtnmsw~N-^7D44@kUbCW%<1N@ z)hybu4)xTyx{Uzd{w(n-Xn_ZIE|bSLYM#7r9-q8$DLLq@f%y29V926JO?~~lWuk+J zbF)p`o28C00{wEXy-ZJ5kP#TfReAiSPFo69{b>k%w8R@JZPuq+a8Q6mMi@jV1)hzX zT(RmT4&$+k0+}!D~N5S)(YW|>_u?|suFH2 z&XrfMvyke0xL$B={a^tfDE=J99371@nSN<9z_j0HKqa94rl#+gDSwKw*ZUHX<`_}FZwu2kUdh4~uGGMnwvr z^yB6TegcU2*a*wyg2g6O*=euT0@Em!Wut^vo>P&lxH|anNm4AH`5b$Im1b;RN}U9S z`Q0eF{XNOS?&_xGV5!fQVmW%gBkLzG7N$*qTvbO6>DXB&VxKn~lDn3}2(e4Y_m;<0 zs|~e>nlu9~XPY}N#X=4Q%K*aZ*YEEduCZKEtW{|R}(qHrxzOpS4r||%w-xc8leEVn-q9FiU6Bo zs2+L60hQYYkO*d8QR;taiec{F`-$McR3;yWDTqWu1@g4DeW-*^otu4rsuG@6_p}Qu z<_dT$hYB&xGFvUOz~t`j)xZU_j2GQ?AA1MK!W72afS?W>kvjsAF=gSezJ-}cWGZ2) zpIZ^l7>Xa95+RD2Q{Pe$#vAx9hWn@GtTB=7X=pBa9Q)phx1m`sAjm7A+$$jO_(_ww zppLhc31UCA_aH=sN|7T)ICW$-2l~B0a2vm(5>LD&uIQcwDBb~U-!HBFJCu%>!tZ;% zyh{_NuAgD+R7xd?GJNC>%!`1aJ|Vr_MUU^UBiLIGYeOt7xz?9-2wCy)6d}wMo|$)% zsh6pOHNUbpXt&c|(Zk194p7OwmN+C&#FXPj$F` zV#{2iYb|J8FaM@GRzb9v`9ZJa0(p-{33$)F#jQiqjjuK&pX81YxT*-qk1db7@~c`4 z0U@|N_YS8l=rQPaD9DnNkmBI8-$z+)OP-1GiZMU=-+n6n?R3q{j(nqKN9h~>_smgV-%}-X14Bl^VMgz~DX%|wCJk)4ZFoB^HTZjEU{OqS z9vLR5VMOch_$)KE861v%|`4Um3yi8Fe>ixS!DB~mE%xT1mz_x^Lf;E zy*zYR%pGy;uCTw=M+I3gboFP=Q{vQH9&y}-ZEsYZoF_nQD-7z+qh&iJiMBM!(;UbH zlv1<-P@K|cs62821ljswY6X3hIHBH#emYLeVFG;Rky_PrCAI;puh^)i?Y(48iI$l3 z+N=K98f5|8G=9BV1Fev}H!Es&`*t$m3d!tifFys6`&-Umwiw^N|7m*cuWaGyw|IG( z9}onvGrI9a&k&r}-pSviiWC{~*=nrF?haHy4`<>e7 zmGs_G%iaCvM`_*8ZEXz*^N^O(E=y5Uqop^pp{nns>;zshR>bItS zA6}Ml;K@B;&p2WaKAwvQ91275@hS^~Kw64%05=_nY%>Sw`hc;nB{N>X6+q9#`H|aR zk7?8GD1WB4x;wqEG{Km4hp*F&*^p1@XawtzKy6xq&X&vesy?wN#1_U7+H^^VtxZ(F z-=xcXZC*lG`v}nkKOQy*8k-3~`*>dH=BA zU*)VtZ~Bq!=YFR<5f!bty{+GO?B6huEdGSOWShT4)6HAu2Tu%@^$Znu`fKjJ#zRP> zL)+t1_g@JepX{EN{nb2Ffb#$k*`lL>LRuG@j=)_5z91_Fz<47>AiNy>5=XPUxL{Y% zvVRxWk$Uw(N_JE#X1Wi=fINWuGECv~OVSyUM_yMjzF$46`$s$zraR4beyI_V&CIU& zwjE+33n-KN2qk;VvGkTw(B>3O0>MZ@ znJ^@hd^)zg>Xb;2d*u6@M^@4m-!*?qdlYF7NLP>zm2R9orX}Ze<-3{ERk=jc9Xg|d z7w{&V2REWX(nW<)WapLWBqp;70XlQQclQ@qW_UT_ACGB`)w1qLnlHjj2-Vt+fDfW*v9S~Zdg zn9&8MtkODByaWA19zEjgJQy8;n)5GOA5PY5Rq^J1XeT~d_O{_&iq(BPkn>ciYH}&t z@lOL(+9Mr^4{wbwV!E(hmb`Dm7FZ&SKXblUME3D}$1`me@=+OYwp7cb^jfKS;v%;= z9ANI2loZ(2j)@}j*LvYsX5#_jyJ|QVfp|<R5+e#5M##cuZ#x5Q1Wr38{qiqtEJnD$Hb5OCB0c#_^<^3B82*G@=VSC{6O&7H?l zOG&(aIvKX>Vw`v1<9Y%E15 zFPX_-sUe0^X`daLH*(&({eA*W5CT!m;$IlVp6&HqUKwqxEWP^LRDK*~HqP-;@(j#2 z#jSwfOE^-nh9GVOEO_iB{irtWjf83O)Wc62-=*Kj$Tu^%uXtG7WtxaUwvdc*-Q0Rx2j;^cy4oTPj$Ov-I7hwPvmh`URP-bupexWBHr8{*sRiA4~!bm z?VJ;FfbNKE@Vs$YxNN-VDf-z{V{fj&hkDhFHk8CYU=wHG zJm^H1!ShmJVf@-%(jXtv>_8bc?9Tj#eg zkoW{)J!?ukI@NR~Qt#7}*UMmA!y`sV{75NDai+F|JE62m5lTH=ly^6qWSCb9$N--( zbR-u(ZQGFaD|sLf)wuEp`84OKX9DyE9Jq3d+eN*zGli=jpXe$~(H4@_qgKDGff@4p zpy~6HXX($Ft!s}r>Uv|S+&zJ3TG#e-y{)SAe^xUHYlc`G`z^anri^DtR;l6Zc^(=U zBta5FG%^|BZ-qaWm+1@b(lzSSOLw#O>g<|`q#I=2B1?i)I6DqF+b$99Mf1|yJjC^Z zDTmB6Bg8~szVa8Vyijv)jD9mactg+i=I_nN;hT4-7=R_NJe!IlqGnBdw&>Bhv73l$ zfGVqdBPbZa3ATTpyuXiK)U!QM6~nT)h6Jmb4cgnp9pc#vrKiQ?#|ii)e+8>>+XXMW zytyLoMLZpI$p!YS+5d2pq3c$xRO-!qVVnC}^j))4p6Vot@$DeiExFR8wkju_S!gP~ ze7HxWZ!sFa;NtJ%r>`BzdPZVotIO@B7oou*wXf0o-G!TOjo$eEm^hR(F)VnImfZ4f>**G)P?j~lA8Id! z9rU(49#!vgqk4CptBE4n9%b_=Egw^~Pi@24@vap<(-dPOH_(#QaI^8NMjBU3-5W^* z&kqo@qd#-U-4A`~w{}q@exprRY>cbBEWd4J3f*rRZp#yo$V*%a(uFSHcnWT>j9SRj zaZ@mYJRV3s`$-6ET3lYA;N^+j!6YT7mG7JTT-8D*^7U?*dxT?UF zo)ahn?Fd4&|=njhIfl1k!k#+X_|%thV#u19lExA5iZ zY~FkhDdzGfT>KW^7yil|3aSr^INM)-DR^}Fx-W=)0=j2ViK&X1t|wq&VG>Hqh;t)S z=G0^AFv#M;r9dqF3>`6l*Z*WCUyAHA3zdOHX*PJS*@B2Ca=}R$}6>!)}R|{iwQ`0vhiZD#t4$+EtM?ii+eR_s%YOUHk`} z*@KtzEE=IU*~jOdX6M_DXU@4i>r@A1_tPo=)XYgeYtv6YMX`Y#bjjOid-lH97!V_e z&Va$+jvbnWzAv7HRU5O4dIQYgCC0{IWQ$)gX#_wA8(S6%N5_!p32gjh%u+yX8N*i4 zft%)Ua$d2=MYQB${@&h%>{$+*f7;3e@j~^UePRaz|L&q{x4cCtqskAJwQc=Hy@aJP zd!KP(X%LK$GC9L^c8@mLjKn|!PpE8^=r}>iI+xt8{uhH`K7m0dMU@9Iy<56^`%X7? zKbKmxMTW1nG{%TGpPOaRyaKm3q(D_lu&<4>fvAejLEbX&IGmif`PL*e9%xwyckcbu zePVOqZT7;q)rc>4nslu{K>Hi&e{|)L#GhG-BF=B9bI_CDE_5kGwn=dw3Ph zI*(S*(e|6Fa0_3zFOm_2hoXf*SHrR@+u-(>?v{Y7C9coww!$sQ9v+bKdp*%ljSk&= z9DT6jm|Kn+h2YSr^7Tb&;;HEJ;Umx6`+)-IzgSyzMSWdIjO;ojU8j`1wqGWMoOrE~ zqB-$VPMV@km2Wn_Jpo^MaicSR85FbK-$JnRV~Cw9QfV7-!$jefL%7-3_ds# zyVty~^{r?4pI{-|>gkaC8botVL8jAtJo6c-q@FlEdH5K#0ihojy0t^`;SywAmJfhk?N`D3O9AKfaYr=#wST5l&{ww7f)_iy)5n7a zHzt_LFQ?wN`3CDoJj!4lxF?m@zb9)0d)}~+q&HNf;x@vghso0SZDDQEOV7!!dvSKb zQMKIqAT}~wr8d)0FZkV37kCicVov?Iv>OG0#ukrTUbS$XaFsyHsLW^IyZ6*WcQAyw zH!`i42A{YESbGUqD?B%QlAia%#Ns1_iUAiG%*pNrD+4b%jFG@w`}+Pd2GpMJ??6jd z;U_%w&CwSHZm&&0y5s2zxe47(6BQ@!9vZ?y0x_+Yp{IeT_{+yM5Adi~QHp(yvepbl67y zV!8|TvUENepIEKjzg6bswEZdA%I8XOIq`O{#O8WTWSMJKpA4SRMZky{CWBrUy0|{_ z%wiv=cfP);F>)0Yv2hZQNO^o#uUoBt5kN)G1~PUP9`}C=#!tK%JhVX1+5LQ|wfkW` zwXetqFR(L&Sg3&9P1c+$sr<9kSV^BsTO&`q+s~u41532k30<|!j{xsdhwgjm4PsdN zV8;(0&eJ9cUiI`t_b26WF=KX6U9>G#V7%~x{+-6p5HtUUuqwY!&#o1KET?3eLm!Db%GfdJeZZ71J{ zKb>1$7%En4G2QTieJeNEo(~~=;7eJv3@y(hFITWU6O5UxL@2PfES{KZFMBDV9JVg& z-KeiD%had;H|Ved?<-P+L%$@Y%w3xs*l5CnbJQf(~i&m!U3>-KKn%~v?i zC*$F=6s=7p>7vJK&!WN9zBp%oA%f6P^Ru8O!N&J4_KkwUG`@2a`|Bd1y$!d_? z#l-mi!=~h^_*?YB_}Ia{03{Dy`95rTx$FwlJ#Fy{%BJYb@A#z7yn8C%XdkIq0Ty}gu0HopW%HdH(sV` z8jmS&Z`!pVq$h-J8{g~jfx>2($TfKA`=(XpfY(AgLTJg8tbU?f$fDVSA-zCQ~q!@~*u8S;hfrvZl)PV-7|skTVAkT#2z#TkO~LQFPTSMbXc9 z&0prM@@NT;1?*?;`kK;UoKxv<9`=%ABG0fEEwT^NBFn-2x-osICHa%!m6|{s37GqS zeA&@V#g*BXD;}l|OwjU#NxQkvjsGaE*zzq8*=5OR&3=y0?$bP=&w-Mz3VPhZ%HupY zFHf0XG_3;5<^sfzf0;^Rd>T@4MuoNYFI(E>mT?J5a$^E-_7N9+9rhHC$8NfKI2K>46^vMeg2U9gB#jqb6h(n&=nQiRt(ki8Kc2$ z?6G7o({nSQ`6F!crmHY`orBzX2`k=bk{i#90LdX$T(cs|KlfD9`%k6v6hZ!5N z-llXRd4?kATQ%1R$DvlZHC$*tF22PN#FYwOjno_*7W?!HiN4-$YHcFsH8B3zER{=Mq70I;38ss3hkWrHu-sHKwJ_G$Zbcf9E`wGz@nB{T5|V!M^978zxzr#nng5 z1Q;|~d69NO6m+@L`Gr2zl*cs{D=K(Vt>$xFx2U@%GTMt+Olh!^f$XkfZt&bc+kwgx zR(N7=q(U=Nz7@}f6zI3?$xaoL^N?qvGB7t>-vTtM8#Pj_RxUicMtgg1V83EtYv)ww zrxLb-S#0#+v#`;g*6xIO3DB~TLz%9a*3BZ{@nCVlx2Ra91np5H_*s>8VU3z+Zm=<_ zfx<0yqv3&KGD>arqxFpVZQUjJHn(vNvyU}n6$kqWCV+aaR(O3Y_$t?;zKsJ8Wq=zp za#0Mq7T;Y?B-iFGydCWMDfCSsAu^L00qqcG^kk+uJ4*XzHRJDV$&+;ShF15;o1W3R z3CAE$k%O4$d=%e?dbnI#ioxWYsvKL^d&S2S-?uK$1t-?h5E3)zKa-q=i20z!`~@%N zNYCNZM4lagx>8(^%haE-KG||3B*vVxCgP`GbgtE2eKA|2y(1^{F44H50UX4}7N$5V z=6Z3&xY8~nWUg0bm!ih4j;1Ar^5?Z1V%|V-kW}5xilU;rME%`vGC`dI94&@RwHKjo z+n%rN2Ocic50vN!4PWJmHzwXaataX}y!uqrcPO;D_C}t#62sZp`n(SzjP>sLX5qD| zQ+mN<`7Q1S@(1(1E0~tkiULddo`AaO{Sc8Wbo-40mNQUB^MYT(^v>RzPgaAuxyVya zSHD56;5o-*j?twGBQk{x&m~ysPaUAq)%-BJe5j`0?e-R7RQR-BE%MTZ*snWt#s`il z3l29&F&h_lxeW<7?mb$j#j`wXtijhKF)~QpQwFwR(5`)Bbea=D-I^A8GKvwXH9GRi zC~}x$LZ1zckntGYiN^XOv;?L7zCe9kt@NTh{njBeEJv)PD+1P7av|~Ku2=gSv3jNh z!kiBl0#IB->2^=CClU0ke|$QVMtxf5=&e(fYUXfx=)JgIOQzq0Lw}LH0UBDYxIy_k zqMSi^CZ{A5IN(Mj-J(cDr{5r!1MaHImi=*h)CJym7+t>5?r!>T`gpw5kfPTQ0#__%C1 z1jf`AbFjC-_seqbjok{PCJ%H?fZ?Pv9`0%UhLHSzzW8&RoL|iJA8)fDt1HdSp-ylZ0V3#XrkB*9tdNG>(rvz)m|ph=op@@<^P$U& zWGF&gD;Vi69jZY=(d7BaNj^!xA_|^JrmcOiZmAIHK`ePZhsx74?K{#H5p_YX0@=`a zzuz{H&2sGbV9oS}5K`tAW+?Lf6Is#vuK;6PXG66xh%J+R!?suPlS}KMfC17a8}AO* zR}@h~%ECog@~_$R+m{NAV7)BGR|DZ#vpd`#X2P;5Au9^}zqBV0#^c;|D}ImZhRXS95F6`%v~CAxuc%A z@oL^+^klosXkFM(m^%vxmyJpRujayNW-Z!A`3^1#@E2^MZ+5VBV0=J_Nv41UtzG$I zqI+BTRr>bO2?!?OnMh$?TSVAavuWkzlQ{Ysb`Keypw8!XSxbY+bJG{$%0=|a97u(B2I&~E}< zsv~BBB`b;2#_Fue67GzR(+KNOIDd85QKf>8h6^SU*AR#uR)rDo6d1?FRbALU-Hr;! z`B-(BT>`B;4G5w|bVr%U4OYoq+TG$GPVH|VQWp9}yc}&x?3_Gsmzy%Rc2Colm_<)edXGUmh$VW) zBdg`*M8Rm~%={=et5x$H|B=i@;SW=BSInZx^fxqz^Hh+VGjw0yc|1Qyl`^(udfsL= zDm(ij;JxmuCf`VIz_UfZvVr>g22NuWrvA)2A$AaXRjboHkQK7;&!`(lHbV>d=GF~o zlrMe`D@YUKDgMBgY%K0Q%~Qky%!Yv=7gKb6QdrLgdOlh*uQko+?X5B9{1&3$PFf9I z1rA;rKvi13$y2*wr$=P3L_crp9V*%Q)3!ZKoagalyRH(LU{yY}C8*=^MKO<4UFxqqs?8c~3RTVchG)O<7i~4mc(b@Jp z^;A_(TYhdY2WT10B%1r?wWZcg_;dtV3|S8s0)AAHjT8{0I72ECcDa~KJixoeIa!bM zB<{*S+>A|NFh6%e9HV)hI;@0~(_hy{>t@Lb$wx`2*THVzPqTrk!Dg>OrGAUC2|NB) zzMzx(Bc@V$0|vlY+zDQw3Tk@k>`aZXcpju1>@ ztf%S0n>jVgY{V|}N8-;9)Yv}U`3D}fv<>c%T*HHHaeFHQk>S(l>gU^^KXL`bD%Vjet~>6)p}~$toe>Sbj*aO+SafhXbsQ zDhc@b8i}y+HC>TE-V5qm@>_HUY>)LW8G`~h+jY=CyNL`wBN?bFu0{UQUd4*$NTph+5ifM5CV?-8u+yzIvpY#jCI44gQShF6fEIE zItl#G0yBo+mSe+x?pZAqlD-lzWRLV$WMcxnwP@!sj3Wm0*QRBtKAaY?ffPl}o=&lW zzUt$@18f0@2uFz0x7ut$6@)`m|O&^+w`Nd>E@;po!rf zdD+w1hn*6487YEMzbCsW5(WQU)c&3r^1wHbFlk3AvYGs211ZIa_v^$+ek@qz+#oT; z1rFk5XDG_IfxS3e%w-ir*8!e<0~`^%Hm|`5 zY0Hg0fj^jXe{nVLb-wS+*b$~JrS?y>m6CwX>ak+wQQV7kI6#O1IB}u|I2rihd`R07 zej=o8qBt8F;2t%10ml}PI> zurGpHz3zHS)#7f*%z zdMX`+pC0x1qV`eeLtf+K<^PFMnS@|v&dH&_wz+ssPScIP6#fAAlWD*d#|VY>z@f*O z(wOQUMy>^xw~V8P;%&L1JMY@lIot|LAJR`mFPx`yIQ^ha*-C9v$DFUvt8K&54Hirr zInYR@hcD?iXL4zi-WYjYu`y{==@q!%9)B1azWRcv zK!z4RF-7iDd&G#?gr)LagZGHYJHvW*B3W++Z|v}rIY!-NeC&J4^F%u9veTRrM~ewh zsY};uFfomB8QixZGv8w>jt$C?BeL+O9di zH~EbNak1N2H7I|XAGCsNe)NO!#I+&am+s_hg|}2*TOe(V0hiZ^9H?d(57v}A zQjs4_>sbHcvZmYFo-;1rN1bj~eFEqEhqt64AN~!J_elTms{%bEpRZxo$RPwL&C@Z?H&Rd`_A80hz%o^j%9mG(YrIC6T%W`4Z9N+Buu3vVr0 zd02~cC$`}@P)Sss<309o6!T#Rj9nMO$z?J=4<@-^tsWGX&6VJeM#VEO18e@EUnw_@PFVRbIx>fac-KF4Z3fOBWPBU zrGGW$2+MmoDEoc?sK#~X#yRLx#A{;+4>#NBw#@;txfr(mMCU(&E<@}=s%cD{idbXNLWK7sd}B>Y4!z_n!AiRh>s~xLbLc)-Zv#3fqhw2 z%s~|ZekbjF7Z=e*+k{>GN@9)!OwwnIq1)Rp=bOGH3tFfi{qD~ZvTC3!GhTN21W&Gx z*Ubsz*e!RP-#k_l-9PV~kX6~4A!1HRV1B1;9GmRs7+U5!8UYYZA5Q(|5{8kI}X&X=ot--fXkrpa775@ zzOv}%k3@3D(Ol99D0x$q^Y7AP*3(5_xBQxjQv<_U&p|mg#|-bsL37stkgJghsz$75 z25h_+D9ifYpC)j^@U;ryW}+7r7TXHW2pdZ2=ew@c7y`!0LOX)27-RFAZ?O%!4{?&J z6voD!rw?1Ly~G@#L5$uvpsew8lZD&&&i_id%TMZ45$yZ9q<4z{37;xB*m;8v(kOC( z3Vr~B^G(5`ABo3ANfIe;{pAnR0u5Ytk6I1nz!$3n4qi;k)oF~+<(^>%3;nz;@;q3A zjtxK$o`E4&17q$-{Sp!50%a90?c%9Z=RN57G;fHG+DlORT>Qct?^jDdi43`3sga6n zqxnk-3U1Hn`&kbrDeCmVR83x(0|$mX_wD-ZqkOj2G^M{T46AEihaWaj?)X;&1rk|? z)`-r(#^6Zxrp5Pvkyl;+9OHYj&)M3bp0QnvFpS94;m)>r?A(w;q<+W?l2fR>^pzw;7m9R|&8-VYNVg`$R(DUrWEa#WMIftwd?6O>4I zH13Fh_ViU~XE{VNZBOm|Fq*|S-(jBA^1!h}BOUl*^hpt1Z$xI`(7mE(p|9*FI9Y~CMm%4fTHVSu zwe|}OCue-DfXR^Y9bbPo*&HNO?KNnHBs*>`{h~QO#=3}-5D6RwQm>;0h=$zF>hf!wr#zPReBHIZ4yG(>m6eX zVukyP={*(}Y_zR}B_C^eR99Dvx-Tj&Uy@nwB2d;KIe)LE^$F{MSY7$^RdjG>(CHKD zqrQhp=o5j`ATN+0lLs^?O}Bs&9x@n@+-fiXngg`m{+uN71GTk|A>ERJXqUTuT(AVX zQT{PEup-4hsLoPZt)-@)7AtSbAr0Jn?a`LXwTrcx`bU9CWL4gh$Nn{pfx9@+z4RV1 zArVraL6?f$;rDIFMGeOs|MUH=NA4}gafH}7tw|?hZu-w=i_5g+Sc70J?BcP`9YKaj zGk;8C)p8mA_N_6yzV*U|!It8$bu(@)87~_)^U-L)oaIk8MCtI+!b7d3Q6-w0zl%X=$rrI*=l za!slUfFHJ3rMM^7m@)!m8u4M#N8=%9Ot?=`hJcIPw%6xG6#@ny?NsaFm0Iv z5rYsVQR8r0pp;YJQExCz3O)lXyNf@~RW33jOQKQVrXs%=VZ7*v8QB}U6uznqc6O!M zQVDe^SvQ<)@OD|sZTrM$)Wa|1%)ar2I6iO3^YJK3X0fQZ@F<01LYzOt<#v^fUSY^8 zU-CP!uGgKf>+W?cz(>f5m{2#ApVX?8w=Bhl?iK$YUF$@XcWDB-pG|zK1^lk1ccs|y zd|~fExT2^!{=dWn2qW-T!wyc)$Nv%!$bUokYEB+wB(I7n9mgP8sp#iGF)4|6R5-EP zNo1h6k^bqlpqOZm^2&B3#p@l=miuyWPiKeU9o3jSN`rDJ%N%iL8J}D=7Qc4`(%bje znlIm9C#|gM$2qDyakH|Ssnu?!b14He@zWVRqc~t?zpQVWV=?!IpvB_;uS;`RLlN(` z+txt)C?OYNOP{X`?lH@+gOh_hQ)ZzA)J4T5B_&3o>ZQp$ZZTo~>^rgkp932fIQDa+ z?`-{zIgXUeG%^5L04U_^Xv%MBxjkB*4|%vXsc9?_^0c& zj^(5Twd*QJy`N0uTg>BZKhaV0I5(S1A_oM$y zoa?k4beKHWGp))T!qa>6<}wa0VDQf#;b7&tZJ9U4|5A|9YYI~KBk?6$n<`vMdS7<^ z*NoG4U&qOf?ZAPLqKi>l{d9M}om_hE<(%jZ6uQmrMh1Hg#V~T5tm@41 zvGXSVMZK{nCE)<0`J4CmA3iG!`(f0FlN0dQow=?PXL#hNpEv+Wy#_!koDX5}%n42a zbl_PBDUyb1*mvfD^+=1KiK^~=qbM;>PmCCh>=b&fpJ?C=!QiRdYn=rYrowkTgpsLq3v7enIj{^}wBmiF;>3SLemnKcBZ>^!f~) zx0pSFx*9eL<2qf1~Orw z!I7}vre4_*6xJ||9>4vgjmT_pOEan+Rt&_%hotAW!b|?{^+cD5-f6NF=4}ZkjuurK ztg%&UzSv4b!x;KM#aO^P6YV2v{{B+F*RfsA)I&Y>n$pKy*Dyg{s(hMkZR51$!y)U2 z_0;C4o0cTUT^Z#eT@G-&uHlo|m`+jCce`R_vS&{Ns^JQj^WPPPm^?=ei>IbUC6sF^ z`Zr|?OzCw+WgobbWdytkKyM^wc%kQd?KnVncFk^nNVrNElo#wP|2^~fy&0t)G;{e) zHS2ND2W%c^M)pIu__^=0UbehtXDY*k?o}M}N6y!KI!Z4`a*%ABTD54L8F@P?ijH1O znm=DeQoR;wr!4&|GnTOd@$!BC@<&>*vc08}=;tXbCdRybuEv-jM+MR2`u%V*2iv`u zh@~lCr!~1m&`HO0Wk8jB#H>53_dI4<_l&b05T^1;yN8Y%+l$a&+u38g{h0I1ogR~D zZzMk`Fd3;;Sct+(2QbD4X9co^%?xgvvw_O|Uz1y5!ko9}@(6>DBuX}8>u2nwkc-;^ zJ)ihQy*Bjcoa`I0ArpaLWfd%ln%BQbx?@xMWVBto)kN=jREnvE>3WSxGz?7JD)~ zCM-N18qP8+F505}0Ww)tnjGxu;cMRH!!u}Sp!A|)P3uEsL;{gTE z-40OamN>S?A}yM~qM=mrU~g~leUyK1f6=tIXw|mwBTn}2)AiaqI_g>lu_VU7;*9va zA4dP5TC|TEDAG2z1?0jd0zfW&IShO%qSVVDM?jL`U@K6w3*g~s!0c3~Dc^yKMsKH_ zGN2A+OIG?<$0?r{V0fSs!!z-+?_oAe5rba~u7bRcrb0r&?MHhr^61NF5>L0r-!`Aj zjCmb=(Dj;qGybzXEAN$P1zU6TInau8$3T{#@{y>zO~magN+&44Yk)^@iv1PLarxtd z*SezDrxAWYlPHnQ#A-)!rbUIz{?mEG?nm~25#vyx9Ja`@*cKID7(zlXUJSIo=!tWh zG+24z?RXq$Oi%C~h-v&sik<}9vp*mF=BPp;8!J~pX5}78?0*Qe*a+_$=cgs_I(5^z z3UHz{uX)KM_@q(bHaw)8jQi2c`nB62iIUR@qF7eZ}7C+mUcVBe zaAZFes7eCLaMt{&b9vclQ-iBgj1^-IvVgTb&-HsUGFjsGP^ZRsr;GGk-=cx{{?3e* zKmE+QHwy%i%-u6hQ}pu@A?foPd;2v(dE}2VREr=DXKm7~S{n&( zK*#{ElRSq%zWcmmz#Ptcl>u1-uGiK4wQGQPq3o&h9t{F*uqn;-?sDu2`NBaH){zL= zw+5DRW|W7$_Bp%M$G`6JxIIxG&v%jMD9<@vlY_e^5YHoBD1*!g4Jv${oHfH2OryT; z(9H=bC}m)0!~~%WSJmED!E8R{wDyhvw~Asos`xHmB$51bT$&gqaLWYV`p%XlZZKrM z3ZR5!F$L8c!9>ZCHtPP{nGRsO$4Y^RmJ@4Yw*@pbLO*vO_O^IFusqg zZAWRc&WD48!-HoD7x8StCfbBf42+2;Gd$_*?&Gq_Yb4di+ZiQOg;^F zV;~>c?*vX={_r&P1ND6snjgE}Lpy0*D0mdE7IdpVax2Z)4?C zvAKVH=35y;AiTqF*J9!C$IVGPAqBlKmrEijAAG6SjTTY;X`@gsN|kw~-({R1esIO+ zJd?2DSdan}Abtdu%P2H*fj5Q+Onlk5_%)$>82O%+LV%UzxyZ7N@N3-m8HIJLsJ6BI z7MjxON21I6@VghESZ8=Zy3C4RyRB>6a)&I)QI+{5?FrcEr%xZo70~#2h9uAZFay>) z$43%!G)vQok*CEk-%p3{uxR+BgUL;~zS-2Hx%LRgCMdW-maS^)o7sj6;^!BfzoQ?3 zI6ho+Aj~wDUE7ipZ78Wpl)0Nx6~e7O&C6w;4SU5nt_eJ;`=e4lIhXd4R*%qJ3LWyt zD`te7O9QG+uF$iw)3;0rV5Be4R?MYQlN4U_9y^=G5fh^9e_S-cXhQY**NY(K`)KFYwXgh!uFS|3p_DXddsB z-OEs4+MGeyG?m<`B!Qb#CDDd2bM;O}p7N@#MUJR|zyl8R5> zLp}uN)R?irAU{qt!1+;GTAQhQB24vqF2$v#IbT?VG{t08D1S$MF--&nUePe^w~+mS zYI`{sMpbou4Jf}LBZ|Ht&~N|BuSs5G8H;^paeYVLYTHIzKQ;4^OM7Ep_}4@}HSeco zZ|9FhsEP(3{ORcKtRE^vhpw;OziS~OkpCd|sq*fGy-3-0L-bCIFNrytQZ#L>F zqvAGoytJ*Wm`w8aoaqS5zYl6?EzYAodbousgIi(Z$ zV|?J5%#o+t<}9~gN;t_Qzq9(A=3|!0dZ;=dBUPcSGtZG8v_SE|So{W%Uq!2m?9(}B z6-g>GaDsBnHTc6I)1=w`Rrh9qCc)*`_=b;%HxMBZ$omXVq;0Q%+{?Rp7Mf@ypvv4L zxz-yBkOd?Tl(p-NAjB?2DVSNo2-E_`$8K-Lf86 z#%)r>)EPB4PP~^A(b0O!X9YBpj_qSS$u9#I6rvpNx%q>h^^3#zTK-rSz1sV-W&%vR zw1P@4UQ2O>pP=M}&_VE)z7xFER`A5-98U7icXHE8u%S2zH-v!d*ED)95#-ynh1+FX zK=}RkgVtXKh3`Fu&v@AC$Y~=MBw5le|XDxGw+y$y!F^iRe zC#A_j+t)rJqEuOu3D8Mh7088xc+FtWzb&f2uhTnzhS!yAv0aFU>MUW_k<88(-jsq? zN^qd$G0U{*n)1V;heOi6&qJX)w`p%`i)Oth`KcoMZi#W-pMuc>6`%nvmZ{Oi{9{N0 z2OGpWuE=liOH0PP8(V61YWGpa$&A*N;PzkCOT46`zou3HxxcjnV24r!T zEIl;a`01lJQ6bB+6xb*tc`fyF55!Ex1%?0l8>`$`LGkT;Ay*L5C zRJIsTjr;|UutJ#4{1c_)UZOwXsRx_KC3r>ZaUt+ zFV&Nazn&D8u+VD8pu!AL(7g3XY|lSHZ*?uj7)$RzS7uuV)Pxbib+0_-GMg7f1H0qF zY;Q@4xIy}|1aW0)W@igT8Csh^73%R4viaan)Z`wej(lmPryPJZWglZ9&lsp=d79u0 z)33dN)R9Xko73;3SQ3C*DEGjaZRpDt^AONZsMTzvNzTfC7 z*etSbKZVjVCW3U8&-~aVTPx6cetk<`te_b82kj z_l1M=PW8iTr@)|T6*a01eQu3oR!3??(~n-V_IlIdd*bK|(Su(zlmC|R$K3wSDYqr@ z^zuz1$2-$+$K6Wvl+iVC6GmU;TN4@3myQsGg<+R?KLp*Ds%rZ9baVLa>CXIHe_tmh zi7PdFYB*qB6*!XpL$AGkm?{-^6wVvND1&5%ty;v#D7U1`-Goes)r{e-<0niJI~_}U zTx;5ofTZ%O>4HGP>HZ~R^?g-NdDhGC4FL6)CWSh)OZ=@@|LFoeGf#2t^E#q7)Q#!S zT+lAP?s$(BQ<+S6YTvcgWvm?= z{^{mZU_|l4h>hhkU6zIi`$%q%-%OPY^ultG|0vdwhXM*x ziF@Um@L_P2ei9<=$HNd9a9BR|VC-A2j@k|xw)w#;!-i@PjB54A3LlNLk^2n%L6q0| z80W>e2m8i+`hHh4;E`k+=81@n7N2#2*H^S~ShLd4?xZf*QtSS28o0($lyo(B!}9CB zhXc?bepF|=C#)1lc&8RVR8|)W^!J)Dp5VC|+6TD%+faX3$v0+moh80wWb>Q&FK6;% zQJ6YDfFDz5C=}i;I+`mFcuryy;sq`bznG1n+&>gP>(INuvmU+}cyj^TadA36NPY5R z4+GRA3^`SDsHxORLcW&Tgzv}*Q@PF|Kj?)i9APM~`gmgJEi^`J@_b*l3jdwpv7UMM z_TgP`QBbEU6h=hh$9$~^^#ks1!QkQgNjq-wNY#70p!)b+CV3^r7!(Hm`K!lDh2NU`$oRXRtA{^xQEIqiQ^t3i*8_o|lCC?dbyh%c+=+`MIc^ z^Bqx&JBQs7a?{j6n!k~eWIZ2l%f8{~5*2*hK)ha;4G!?x4?fic?~kcyvjsMVK&H6k zWzRM@!KJAIC%~9X0NKDGed|i_#gq6+V9X_L;;lD05Gq42f47x~t4{WQ;zn$TH4L_+ zcDw|F-%3O5@gu~THO?Uf1O(K-w$S#G4)?BnD^YW+D-RHI%O8PBk!72L(?$lC)~V*C z_1Z~2_kmm7jGuvRFvjrY#-Mj>f6T3>R`;q2)awFP3As9zLuY zn&cV3#f=)AK@X2g&1{T9Y02aDW**hbZU$i+-MkABD2T>j|Lmg$$vh*uZ|+kSx?WQi z&K&U8!QP7BtrC!ae5eGz6me;z)$x-ppCwXN-1k+shu#_EXJs*IVJA!y;~r=u(y7Ex z!esxCwyzGWYTMhDE|=2kqPrxN5RmTfP#Q&8NJ>jLB7#WwBBdk*B&8GtB&1UsX#wfx zj*0GlzH{!m_lx`7zxK1$XU#dr_>K3M?>qNV=iXNg$)jg8tP3bmZ5=$#dt!Q4(9Pq{ z4r)eT!cT2OgO^#uhwp;)lqbKls*Gi8ciQKdze8(|tViaA$jH`89b2e3Z#aB1xAP!t zM|j2i`6E8y*OQH0KON*>%-B)Z%)|@dKfj-`BX7hNiAO}?$?B)LW!78_iUMb;h>R*u zcH(P{+q|;%_xU^*iC~^EBIC9esn6`1aBQ?j#@DVL>QW*5)`+^SxaF#W`j!E2Q~$XO ziVcG6%wkPC=w-FuULTQ2#ob*jn6Bm4QozA46@e}IS(`?t?DUQbCpz8IdUCU;@9XK(ye;8s`mJ%v_;^w>L6A{h7PvZAW$w1frua0FxbxXeAF z%1W-TtoVa$%G9I*q5-}eFM=dXj1Ame>UMWhm$zs8LNU>4yR1cC_H@gz zvb-f-^<3}UvlC5CMMXW4(Xjk4>vmMqZI<1*=SJ6$m}`R?M?UjE(EmME6H{K$qY9() zDh}5hKmYPzln1c0LppL#>O1|IR9Zgf2ft9|+v>nbEps93iwd8@LGwm?m}@;D-jYk{ z?$V1#xh;>|U~VZHE~})4E96ibr7CP6wcVY-80axyID8 z&~v9Js;dtvey-Akjar|yD=KtMRNr&=E8g3BSui0~v_yYu$y4;as6SG5fl+m2_J%nRiSP zP&Y};A9RzLuq%TkpMWV<_#=?+ykI1`IUwNwjcf?ZXj1BReNE!9O+Gt5PIG@@?Q=h+ z(Te)Yz9se~UG;A&-JwJyGA!6qQsPCPWE82L5#&>3P81R9IdH++?g4idFyb;~^k>8+ z)kRQH#a(CX!2HG9GAL*W4qpyFR8cm^VGH5-hZbLU;7Os;jQ0+N_%Pr>B0)#tmT8n9 z(@=LoqdLXK9APyhK z(Q-~%0DJJHS7(U*)XV9kI1iw1*b4iz6Sxtg6B(jFy~5ivpdb6_2R$_$3UQt#J?!^m zitS##@%pLiCP#6GbYWJiQg17sAGTr3?rPz(K}p;4hm5u5(b%W?nUJ-B;#x7^K-~5H z%)&bd;2-ekKWv`vq%F$SKlFImrR*NIwyLw{$U~oMzy-<$=xIuE6ysoU`3m}XaqwUY z!&VwgXpHpEr%*uZ9>5k_VZ6bUZ2DtZ4*wQYEzD~o-Emov(r_YO-^bi?jUVPykfluq zdeF;=uI^gCWqupunYW9daw^3^9x&@Z2S!O`BGe?mmg)c|7nmG^qyIfBd_F}W-AZo` zJp?<6r@X)iheyFRpH?ZqLzvT|6Vc z#{aCw)6JQDGV2>I_QG@F3DR~>o#^oGA7e(_b8<7A<%KIkCC0!_p50XkZZbPwA9U_l zj%fcKEd8!YD-A?lKkiS)PfOgDVPVyi|9C5;iX!VN)=ytwO4R3u-zpCW9LCGE8^93e zRDpyIwFwjW)5iXDtv>^pAAb*EYF7Ny0492x6M>}HWvesNni(K7Tne!GYZM>_gULE2Rn!$yGN8V3B>0eN1ig5=`UA z{vNh?kJ_hZCSYkds0^#A7DiQ7CV0Z&-JRR~l<_G*z zuYm;8YXAeA=Kbl;X#`+~-QuUky24q zK$%I34tu@&OHG~KR2vWtn&~$_Pe}cFKIn3^Z9ebl;NLEhX!;2 zpULFxtDfxeS^aIju{Cy^OqvyG5f_J8XaFPlo1<^ir{N)uKyw(*fdkT~ZG}X$^rP_0vMrcC@ z-%BXp|BF4j@&Rv3zI`Rpyy68Sz9WeBZcw$Ek&C3CMurqut zqYTXWO5y+EcR`=JpOffE971l~0E9-0-|pf0<>E0F6LvPMd7_#E4hBa1nOVi#L&uBj z5v!)-uyHiME^6PsN4fuoY-uFC0l`33D=QRqpR?i89aNT z>EhYh1U`~)2FXUE!fYsayWXUZ;QbwUH>MQpUS6%iZ{VB4jU5F;&OS(B1Z3<#mjKJ~ zuUCPF$n`7Yq=D_;PFrSwjt&V1aF-g2tQ=*EdVpOqDY2zagroiiktmrN{>s_)>bl&z zdwRuKX{SN?B9B?|akE06>)s4{gBN?uEAW$RX~SEPHj4wl{jW!}GNw@fH4E_PH7+ku z*_m`gHRW!OeasZId`FP?Hn@$!rz=8M+?CKBG9F$>*mYsg$gA@WwzH|93C`iZy(_BjM ziXLuYG~4gath**JnW)Cf&gWC-SPewtwrfz>mX4nBq^DV2sfa&cSCn+R;Ca&Or1@Dm>@ zn=c5G%Z5zwWe#h5!%JaW_1Umr{~sP})s z8g#t@3}IvST9n5hGN?-o6#%jY*^!5-`G3)ttiBChZr)X;(a_*WTh%@sN<4X_Ab^z1 zFq$H0I#zB&HP|~?Nsp~p2Q#X}z+-VIS9xWb@!hX*!2!R|VTo53C-Ix9Ra$UL4b~xA z+q0?!aNshD(DNt;XuIKB6^k&biOi*m8q0h$55W9wmYD9Dmmq*IEeO6m(d{#7Jl4p# zpNd_PLVMTjjBb5hXp957b{ulL3c2AnT;88j;4#oRnq+qD{G%E9gK-kzG?dW7eZ_8r zU;KhvsFBNY?2!|i5k&~Dg&0UG)bv>M7Wl#ckn2*nv<=CZqEM&50Jl&&U9DRWJv$V0 zB|g+ak%!*q4hUCrme#<>P!#ogCe1k1*ftoVDAr!jupCT`u1i7Bs;~a@tV^z@=PRfu>p;YBttuE!@{sMnh8(U3^7C7J3A& zJ!-eX?g8q6%#AvN%l^wFkU-L~)~nx*#w^--1;A3sN|em8>JlvZ-d!nIgE*A93VDyY z0c1lga7?!K$q!(f>txb~2~J5q6mV#UhKt`W2p!VXQC=S;2RI}Okea4~e53q1AjBr} zAW|(LgMWB3mQZ&YD3zIFBn07tZPHScphzb8n^w75jPX~0J1;!7n+YD7E3OaPGtAJh zv-bS`>tNQNzeo=-ta9Hi-=Bb@qDt=_uKSmC%^%G&T(Z}}l_*6Yfn4|(XXiqo=@_lT zkpQ@gR(`q62X*B;eceG#^Y*g?n5;q5gK1mam~$7-Va3+9XIUcnr5F%s@XjVRs@?#g zkp{KkVY3i9Je^?jGRb~I3R;gYjSp;s3OZb*Cu#zS$QCQM&3 zC$NQ5ZP(a;iZ$&o0rD3VLJ`NKs;Y0ga$+dmoJ|L#WB6AatlJ0hJ3RZ^X#mI$=*B6Y zi+EL(F^P`@_8OC#Gj9S@rugx>&X;k3f5pP-4Rv7i>~&ouzf1nXj;w!&9UK^G^k}gn z4}M^W07di;Uilv}fdB)$ZiJId0JHLXQnRo*Aj{@K=!?jE2b`)opWTT}hqVjhCxie7 z{iJ5>K|nA*%cU>a^8tYpOs<3ND2MbH!)yk2D2m4^bIG$uG{5WLiR7Ozol7XlC$ zr(hebAOcb1Z??Togd!NALX8!%Zyo?ctTZbA%~WJK8FY!9aDhMo;>TYdIzUrWXP+J- z2LNQ-ALcb5B!+$(_y6$I|HvY{87{}I3~_~8De|roUIVlkqr<)GbDLL0!iCFMFR#!1 zUC4s1zA^Y9MfAp^ssF!#7+9kRlMS^>Q;N%2p+4U6_MM-Wr(t9*QsQ?JcbNO$lpDw6`HyN&DXJ*g@A@#Ms!fow(Zj+1xqe-%dA=;h`c5w|Esns z>TCVXp8idm#{%DK;(N0%W7uslWK~1zrm$MHtbm>7Vc=2wBc<4>eJ^atuUL&J_m-52 z6w|d!OON_zOP??f3|$j9#+3yS5o55-O2m08Ognq7P1T(>fJT=Q;FBpUP$xUt6Dy60Ee88Mra5W-}wCisWEN zOmDE~xyF+^?f5tm(7_kKPjaqm^H;HJZx=>ULm<{ zH$4@v$HVkgM_al(nV?&5nA@#>;DM(^_b zsSYN|sJ~{685y5tqUbU{e1DZ%${!pPBeqMQ8prX;ZtvHrcEBE5BL?Twtq7w0Z1Mj* z%7=#Hn{ho{dAH06-dX`iOO+ zHC*o%WYu0yzGG!y{skkP5(z56&-+hKU8h%7JU08H(voX}8lEZSx<8sNGfiDCGaZtV zLX!i*CB2xpCKOx}4BBm$HI5+J^@x8r)?xGiGx)|z%cPHIXM~$i^~I;9H3aqWzoSr2 z`VemGW^L0PM_K=oX>WNjB`u+{M(j4Z``O&5A^CXksr#Y$ds1joqD*C4cV3`D$5}`} za^_VAqO1z2+--&ZZ{9`+fDH;YJ_WdeeeWd|@8g&L#UN*6zysmQLYWfJ;QG5P&T}&i zm_QzE(%n|K_V9dYHz#Xipf_N=w?@=hK6T<=R!HMyz}v1dm3iZFwQ7!)k?4E zqK0G9?mDuKf;b&WxD2m(UrhCJSI=&@rl5v4Nnc!&;M0LJ*8WgTdY=fh zw}=>1DAUrkB|Y_W0NX_mTGr0EfG5BBUrh|40>-eB4yvkPvjQ+3H)kT@{Y7)Vs+>wO zdUVB-)kTcErUU!qGRP`~k+krA-rSru7nx7+=eHnkp#Z3z+`GkK(K^ipMf51pJ(9h` z1TU*odK(=YWDf;JjO|egV2~d8(bbhBcpaNCIe#hAY4{?R^G1~n~PXIYF5YE**hu`7_=!*94)4vb3p$PK#V6Ua4 zyhj#?@bo*3G_9yk?_YWQyBl+Gy$Zqc4s=5b>Z5X?0)f;8yEi}NIehB%5%Hwt;Ll*~ zpP==RJjs6{8v8x&noe1;x_U_JQS<18qS};O*&~aR5xH^j@G2<6#}BnCRf$B2uF(b` zKbHZ!Ci2swZ@LZOsJqI^5e7gjW%*0u7QoXL(xN9IPNfcGa#y580bJ+ZtJd+V?hVV| zjKG$T7Lv)m4gR|}0U`(!B9H|Pb!pe@kfNyqsxgf>_js`X!Z$ty%H3+nU3-py&1`&q zy=Z+e^^0{#}cMLH+puSy1dwiK;5k7?060Q(G8v zS_$fsY`JfQ4m|`wU6M$&QA?Y^a4&bgTltX;KPY)*0_lwMv5XIjP~<4DANhg!w<1h{ z_75z8T}OS+Iu=jsAW0YpDcVY`Od5iORxJ6sZbanOxu=pLV(B1jE_p=*GNL_7+aPDfsp^*t zbXBB2$>k74Uu6aj#}?r1O9U#PZyzioYWf0HSwH^DV=B3*%id)&nAzJOo4kikUGrd>C zVG#Mz#6*=Dc@1QZ>p!*QX+_X@k#Hsn7x58~{BsIct&^0p& zZtBgDv;-udH}@0&Fm@a~ZjkvS?A5JccTdnI$#Y3Fsk0OXfv@&=kR$_1G>Fz~#jHSU zZ{iB7>N7fP*9#!SXdVB}_NTe5AU^DFZD3=3bKj5=K)9%r>-aE|cOVuiRJ(JlePKVG_|wGSYt`=1;<#ZG;FmD-tn(mxge#-e*X>gXfFS0`14 z3xJGeI@smo^rUERdeSz3%Wo=MV|2R47`3>6PNH1EuSE+UnwR;YHtjOD4P=OeB&C9e zEopq4fEGBmPzUs!%PiVad$YI$=EIqF2kbey;ZN!Rn6Yc%!-_d(zc>US+JhrG0(tWaP%Li`s1e)$a+OGd`ZE5_`LnET2G+jCBqicBI4_4}sW> zJf;_V+NByBz&@U9zpDhgaL}8()#>|tbDW7CiNzEZ84W>O^@@L$kv@z{Q^K3=&>DU<+ML2;ipHQy@9TP3}J9oD3|j;}BLJNJ91 zV;dY8&={}Icv^ooqIjPcnils(ls;l#;N3z85$jF>z8LjgaNTw@Itv>|WLaxSmF^0; zJpS?Pl<2BuijkT$EnXlfL1^2=7c>0^&jATB!7ZNW+h*{)W^x@X2_jh8L2tfRV+-Y{ z$4msuK7krldf0MUXg74i2?hBTaXhH&&7c4as~^c* zU8>oJUpj<5<{D?EI`t|GzUIRjaPRlQJSr63`}NA|0u<-lL4l~cHc*_$Owus{1Ahx@ zCfMOXS0LJ!AntYZ;=Oa{_jyi_KFgE=t1k{F8>zC%a@x#>@qjK`S@ffRl)!+*9>ouF z*MxrE6fg6W4>aisp4;?FR2Ygz+IR}nZV^*ea_m|si?V;|;yaqz9C-f}9M$)~_UzR1 zP6X7mmusm6l541r>j5)TlI!@7uTbN&L54Dm(U<-@(JZXg^Xh3_WB2o$nI^OSDSs-k zm8PF%SPuCL3+nyt)ua`QjL7|R^UNfF?I}FvF3kdjZTbAx&4M74V?A*$-#eE>t2 z$C@Nv{V~_ijieqJl+-nsGr;fl1+!Uy}S! zPge@SOyQ3rl3UDQ0JZO;#}{8)9|@GjycQ>UoZJE2VS(OlL(YzH4RRDF{A=dN2l`AT zZUr#`83w(KDr087R?8TEOqNoUtDN#aaEwIy9|4W8Gc(M_TUInbJM0{C2R5q8jND`p z`G{M#_ zAAC}fkCtl62W>lp3qFW&X@2ELwsVRfQ*iHfR_(8iY8zSsiUMSyG-=ixlW0zOK8QX` zzYx%PuTSl+4P=2piVAXl{{?hb((^TAew`K$?LLv!>wCAH;3&BofoMK1;6`$%-<=w# z-&#Q4HIqm;z)6#N$D zHDDH)U{dCfYl1XROy>Lwv8crFatb z-3BNDUJ3cbpp$SPCgj~}p+}3x_GWQC7K=qN_blOGT}TiSU8W%{;zL#Kv+q zTsUA&@5mNc#qH)kGobR z^%?k)tKh0+71qlg4$OT2hZhSZg6Sks0bRg1AmK^BZfJB?FQU<>A9KHZYceb4x~uE~4Uz>NlMdUhZp8{Sxl>s6M8%uxa|p%x`r_-c%~!XARhz zmyS8((^a9O%8y(ax0|P#GBV7*Kq&PGEAITtmG3%QtYab#uGt$`&-|?Y+szcO&Q9N8 zG`QywxZKj|9BkGb+C+XrO$~n(aue-}--FASQ7tOR zM_TX^sF}L(s#d+$ey-pF&J~rZF7zumfVMAt9?dnUR_$#Sz6A8Nm#S>UNCy)KldYNN zAgjo)KkT>m^j;!nHnl=uR*j12TX5@17V%PYk+^?G%tudYO@qMC0a@<&$n^HdZ*YZ_nFqV{Q9W&=v_kp~*sRfnE zZjq24<#4Bp)cS_7cJmqcSY+EHLN``d+zhSE<Cdked)t zA@)gHQ2M{U79@#O^${}-{P*q+AmBF)dVb=@B+vH_j^$RWnk>PgDtwUJ!DRpezTm4e z_3ep-@bwQIvRqrv^5iqyjy(3l9Oupo=c5L8Kz&FG8w=E(c=RI3XQp0u1eaR)ni#h_ zpQT@m#`W~~E78P_D{aW?Rw*GtRdsiJQse?&j~-JUV5O>tWXCHK@VyZqbukdTj5O?M!2spFLnYZs{a9xK6icshJ5FAn^4hU9j9{=O@7su zCerh&jx0;lU$X$HF@i&pEhGxyzQ^R(sc++4DOc|#y6W9{u3sV2+%)2Wf8{-79OM`&R_+ANOAL)L=i(;<@cD?e)V4cq!)ClFZ`=mMP$s@s)MG z*}zL%&dBez_^RGS55**j`V@nhDNH=oBsOoa9TMzmie@Ejwu)9@2?^r(^)R7F zT6;=k4}ib;x3kLHbDou3YhS@-tN@qs+n}rt(4Z7VJM_@bR{N%d?sR53DkKJk_29v8 zVy6QTy_%hs2XXyTR>*W9nbmKV_n_`S=n^wmZWZ_;dj0WY{d}FFWJVVUg1S$7F@g{r zf6|*h;X?nK`t${nKGbN+Kds-8=~!s6jU~bnw>%>LT!FzG1ioV;)oaSFqVa|6p~2A< zJz%7i`1hQ$878-!0XFNY1@1)!nhMV{bwq7H_VTgj%CFDI1F@X)#z0)}t#AzxGkj8t z{{A-PDwdB2N}od>9N(NS)RW3$W+mFVQGqJlJ#SrToP01$5GI;1j_gH_Ut3i!+Fw=Z zE}S4;-5f6s7ddldw@Lo+s`BG|Up|#2<%y+t%o8J1M2#vQo@-`Ly2N;xC4*jyH7Q)$ z5`zk`rSKDAOEg9lai0#@s)(L71oJDTf%4GSz!-Dl)JTy8&sHcpN9%&bmg9K?;V%SVG+V?jtQmxTk)*b*^R!!LVT}E6B-@a0X)+?97#YEwc;`RFMoy>s zU&$c{sP;a3bghNNP4AD&m*UsypP596*I}xe*O)ePc^kV+zGbOy_=FD&ZOL@F)ED0m zKmPtaLIX(+k1>&8pf+K@jH-#^8%N^l$=DSPH;IEU%x#l~7erb0AH#%Xs_)ni4awOEF%bRbS~skp;E^mkJ|Sum(>v+#Qx%~ zDvwHtWM@|9JAG6OnUpMPJ(e6JvO(cxxM4A``X6G++)1zcyms-&*QN+Es{IhyLD(d| zzC)LGr%HZqWc+fyLhdeh8pYtQxyH+`&^5?+2~UnH@z|S$;URSZ8ygSFv31W;N#xL( z^@kOdXc4KSsj{N`z2q?ka!^#QQUNPFfiDeeo$=lJrElx+<$&3$<>mGp_W=5G78&lH z&uk98FVG_Toj?5Z3g{?+!-+C2Ig!ygP|tnQW3kuL*w+>>@;zHMHX6i7Qrdn!zG8C# zYcUlJQzH-Q2`SaarlNV5EW7k% zMTn@rIu<%%P@L8$?$2(95WiT;!#EdVbwJ#Z5(5V3_r2Ry_4ZYdwGUZRAtePw-u-W; z+O>sGPd){%$pkmHa`;`15|5XC|IcF11;vMgIT*%gu%8cV8`PsqQ^4Z12*9T#z-%r^ z81_)1(vbtZy-gH(T&z24U$3tUM6FL61Xlw+?UVn3r@tw1h`4~Lmf0-&!G5+ydvAp0 z$gVlq&<@NSXpAcE&0{I^)7*_`4wNL$6py9GPR?b0sLnE5-lB+27@8eaHEr5E>(Pnd z3zqq!n9evwg!o*f7OXHi%{I)R@zjfWu$S?LFEBl{n(BQjAZ=QKlbKQRe8*V^694Lp zSGs%E)B6=rm@&nB*#=~s4jIipH*ZcExL5<6%A50`Ho14X6tw@a6jNaaXRoN;FfP-b z{xcC!9xxR6I;1KQHKe5z5wa@-#d7yhWZyu0J%rSWSbQ5`#k z8I-KV)#M*OizIm!qGEchntCfc0KOV0AvT138{GD6sS z#{+IM*Ee~K&p z3w#mSuB;F9n(aPsi*hKsTznHfLH;5kH#punNBS&&JN;JfE3UHy1vBN~yza0Kp^h+i z%;b$LvV5FxABg-tz%ZP%D$~IOkP6lB$!s)U%KF0~IqdS!LPRhTK0)YQnteQ`7vQ)! zW&TTR2U%>2k;?#hD+{)~ZlV^P^Snb=H|RoPC*K9pJ{8l;fZ??MJa5d3hT?EPR8@x6ir(T*K3OX~s#XNl z6o`NFRH#ofAC26QreI%hu-&NQ7eJK4kO(#5?k2BiUU33Xaq3oCo;E(Kz{4vpL{E1L z4K``|vasnMiRg``dBFgH{WhN0DlK?%=abli5>U^nC!X6rYnl#t5Ld;zdlLgi+XtRw z7s_|pqAH^UOZrRi`t@IW*D_IU6@7n6yluXnBsg16zjcpqg;XklrQhYl2+a+DzmF!q zCH=1woSNjZ>YQu|BWDujzJIp9K|9+ocX+a;US^ziI8LAT%N5z5?3(b+VQA@a=Mj&> zk?ww$r@vBs6MKUQOGF?jZSGoES68meu=JeNo~6gB-rlkd1hFw^itSd3I&1O#l0zQP z3I7v5NyAF#2QwX1MTE2IWD5s74EEDN2uRT|nb?z0t@TqIx?T0x@kdi0ntQpHv)Qc1 zDGfyDQ%WZVBG=9vSU_H3UKuhRPM`+;EmTI4q@Uo12^IMqQzTvdFy@2TY1jrTNQj&t z&O1%mRFM>XcbgA)IzL*n`j)R%`~pSQP$sp}$t??f5e6Y?^&~){SrDnVrOFss&qDsu zJXBRGhV^^At#6mY%w1}&LEk`8XMET#F8`RfYDzrIhe2Ha8Ey)KUb*P9XQep~ELu_W z7Pj*A(?BNOT$~joeJWV?TcIVob8}3%Pk=O&fW0>shmznSPS(*u=~}{^C)>zX=ds}e zFzPU(AmXh_3ODclL%ULUvuG8!l z^#@ZPmb=S+<7f5(($j9fke~LNfCAUE3;qIi90zDi0-G#MZ9D^b8PU*K_Gz; zW-1kYYulm78BO)Pz4?k3DD<@CWBYJa3(EJT^=dkyYn@u|PIc=SfPBs_!ZAg-X?lJ& zoBt=CS0P>c9JtqLePTQ2DnrekNww5)xRyG|PRyMUDb^2}Pt zy3&N}8XSo-GqfHp)7^WWYyMMzT7`xj zV$~VP7`0~?4PxH3k{_njI-!}ecDVesQ}zpyr`?-Oqz+B!VG2zXfo5B68n>8^ zyE3b8JIBVT*s+dK$I`)dC{`_k^j%cqNpN0n$_QR*nCC}wEgQO4}{y8C7}n&Q-B@XG75_t{!+(9T6x(pmk{<F%e}Z$+-kv7Ei) zthvDM$tqA8-L~<0d|N3LY#Bal17ALn!9w(|>wlttcX1BMQ2&~5i=P@*P7sSXbV+nD zZY8mx5Q>97!*TKK*Pc9>RFh2B`#gN&ocqJVSZR}EH22Nb0=pIkY$MhOqaQEyd1e#e z@YqcWh0^rON`Qb#4tqJ%bX$%`i}sdhRE+7iBRr z+#0=`tsuiqw|>}{lledbShE#}lUa0eq2suu+X=fc$?gqqRMvAIa{^YE5?X+ySTv_z z0W8ha@kW4|XX#$P+otm?S5U(r(G&_wqoGB`@)5x~Bck$b8}9FoDk&d}$ewwhYd?87 zPY?fF0KIItc7tctaYn@T$9&LOi$K~?|X8wDm-!+Umu8&IM7>DKJ%gCrT*e~`u=en z;YA6N(!tU^*2ByQs^JFyhr5IM?zyX2*C`DW$Zjx7I^oXG-Jq}rp{BTihx6xC%W>{& z(bvx#ehoEPt`!a*s-FSQ;B%W#(-Vl5{Z8UVRc8xmbS|K{yG3I<5RvdlebT*V|Lm-F zaL@m7><@!#dm47*hK~*B;L`>VE_TpA0}UvuR2e+k@5a-{xdT{zO-p3O&r$o*-@P4V zbK!q>MOoCEhuwI%!6>d&Oove723F_zfsx|%`V(pQv%Qh%o97qhu9P!6#7h@GoHwcs z#N4A9QQFVRdEcfWtjDJPwYYG!ji-aY@^)G6+~WpyNRo z;3fDn88TuSW?-y<4O7Tvo5wpyQq8jUjrU5}OkQwmyWu=Nw)eQfbpxmC;O(p4h0$4F z^o+|CtTP>gQ3DS zm4oZoxXgX!<#eixlw;Ar;HJrJUOJ>%!n1`Bw`c?6!(geHf}ya-BKI+v$edgxnrf+e z(9v())$b3)%rxxV z*U=_z&+G*$Xy`a3MetxMr~$V#XkOr7$)H)d&Rs?(+hipYK5oK!!Zp40y4Ux}=sN{< z;Ez0uw{F9myhxeJf|f4`<^-<3N5&#<>2V@ruY&6nEY=-)V{NA19H)04%jTEbKAZ85 zWZ_vKD-AavuH$>67&|UK=sYmxhK~mF^*Vp2Hv82mMnW{MGNyX5mJ4}KVC)&Q~x4I#~(qt>NZt~4Kgq>q+$(UpG&9i>- zp!TNyW9I{6=}q_g+11Kfvk9^VDbyv{d>xsDBykpoa{>JfFS6jBezrBV4>t%d_!2!$ z!TC~v5A{ADT+FpG+OZrg3ho7))_e1+Bbe0xoaga;5%ZOCfEg~#peor5AAY(YvAByN zl`}GxLU1@1SmoxZ-af@Of2GgIb64(DpKJI07g=X~xMx#T0*|~zz`FtL8dMI&^|)T? z=QtcHB!MLG>MkOqdpke9)ziJxlC^}F!^T%*d#p0DpU#K=+$Os44GR1`K`K!DA#z1m zC|Nfp2$R6C+15@i!*3^7l>10vY-W$t()|^t=#O!mPhX-(s;Ca05N#!?J{ei65`xy% zri*Cu^vNZ0d{IKAD%6L&$nO69jPwU9)(J*t;0|}{h$q~+P`gMJ_bbEe(|yB;st4WC z3xYUI@J}#dY}o7}O%)uq(8q_jd%Rab+by!ncj!S}-Qc=%xwbMgUH$R?7mPle>#L4T zV3(2z2(2s9$7A+oY%n^WY`bO0=b4$l zBa0DTCcRzls$46(V*TEuaz@@*ltk?}VJHLl(zvEQUgLEgY`o%{-uw}8G<9+k^NmFb zxk1$f)GgHX(B72I9v z9@z}=k?QCIfP<+-SQ&mci{ZKH@yPC2181`^SW3@Nr+^n$S$Wep_qIdQx@n(!1ni4$ zchHy|f6*M2KwCW7n(rdDyE7ePk!Xmz=y9a9QzP~F3txa27ESxbZ{z8qQ!sVLWF!H@ zB&Te@)P#i?NAgl;kCvZ4!G>7}4(M0bsN8$;#YApetsF28*BzwEkZJK=Zea%A zr=E__@!?W=i*|5eI^Wkndm7*2xHBE*BYJ1LZ3H9Fjg#&P2Wr`p$Jn>SP!hP)^@kqK zR3ornYa`RZ;GBEPIV1;-(X3@1Lrm(0ZO2#}gozTL=d2h93fiVs$NJa54CJ?Zd1+jP z^x{`1$2__HJr}d6?ws^^weYPDg^FF}_7}tbRx+=*hAU(U-UCC$dn%(yKAUl~q{Prl zED1@TNhD-pP9Bu)q&Oe@Ee>7|n194!sy|JWv4`7ukMZMh{5t}`=&w0B=msSR` zcm?^gdZwpIBHw){f|UzSiceUS$c^=HeCW(K+LYA%Yti2a8t-|PosHygr}Ay4@J;$x zud5BesPG?{ZfMQNq-Z%CLdj?bp9s&7X5`_o58@QG`0=vaV~ZfFbz5gW_B_8R5%ILBnT^l!CL~MatmFw1{*asP9Ln)k0VAs_DaPZPjtKcag`I$?F!L z*f8(q5IMXIQ_hcN?Dr8eKkGMM9QKsFofP}<+Lr2t{c&h;UzY5^*6e4r*z%*so#l|n zlq<29=d&1_@_64lV*Xl$$)U1q zYFF9Xs*w>5Aw2KlQV=n5L1ABUhieQ z=W4DEKHS`UAte5eB@K_6ORN8m0%EezI7h^qKbz^pb6dIWv%P_!dCQ-ND=cKI$cgar zhNzlbC>b>U90gj>izscDjZdahj)g{oiR?7SHlpLQ&n8s9B|EMl*Q^;DTRX|DSL}A) z+O^bwJjFhq3*&T33am8%SN(;#TZwg->FH3aT?6Bw~5Nd_EdkEbCZ@uy`pf0Z6 z;VY@9ooo0+N?JQKLNFck%wm}D*z~z{ZPF0la`m-V9;*%&!E!5QcgIB?y$Y8q=hr(F z6B(Fit{W~%M>{HO%{T4HK(rV+dUh$EIU%&>4*)lZItaI0=S2 zwEaV1`?Yy5LLa<7G72Q@Z}Ib8_GBF=h5Ue2+sl3@(?>j|reF^b%T=botF&TOsXcWq z{#4~v7teQ%r=_#&ehmjLOCCg5v$J~9L!z;ouu%TDe~b^5f3`9Ntu#vxm1_T zVlzVQ`_rB2q^=nm9aRi1(`&nm3w1v$X*jZfhD=Iri#I<&W#D??XKOE zkwzac&lkviFHLHRTqWK+vstxay`o?oFM~#@q(!u3J)CJw>U1>Z$cWF&@vA29MTafT zqQ{t&I{4m?_oC(-cN!is1Q0d(I?z7qmNe;14?Zf&|HP_Z#4vv{#>DpZCq6gtY4B0T z!CU!{p1N2{Q&^b�@G!KguDJy8)Nt`#E}rGef*ZwfbG~XzuN@py1u^J4DkmaYNoQ zMAuR8E}oRK!`OHZpYak6>*SuQkWFPe>TtNq(Ym}GrqPI7=P_-;BzWWZ)AU$&)Yc z?&s0UP8YtxPA*kRyKOjD?0$Yhm?CfNg)e+m1%zEKi3$w0#3b8_G7?2M)7!j9+6jp^ z63QZs&ON!k>=hlKYE(s1o{qS~ev(gQ=+pm{JItD!CGR<_Z^V||+@0u0Nzq{BU-;f>@(Dvjz;;hT$ zsn9w8hU*+`OUgS+jC3y^)1 z8ZT$vB%`udO-Ds5$M@X;s_~f?0dW$BA76N34y)(Si^|^V5*vl^{V|VzUqkk@g9y?% zv8|FsefA8~1*VO_9!)Lh7D&PEaLt@@#>c9&6C+=-n4b__u zPzri4+iQa#R-bB)1a8Q}}=h2Q&A}8+pt2 zp%32j7mGaNk#cS*$9#W%r{1pXi$#+sXKol5a91}+H2k}A1t)Mp(kYq#i_vO+rHz|1 zH{9;q*HRiK6GUV9Gu$hNxw;mDGeun{L*AXz?tAF{)4?QOb+JX;Y&@g6*FIG+kFemV zXNd2URhy3cf9#;6wraR8sj~FN`sV$~ZSy*DTw2WP*68<3iR%fR1>9%*H-H8m^K2 zMO!oY+R56}+WD$IOV?X{D+ipaUgzv}JbGo(U%aY22;m&?x}>)k)v4pWMKTv3i*E@Z z{9=UfecQ|5T}QQ?dTBVg6z{&SNx11*7hCLQYQs8Noe{p$zR#Pt1VlN@@9X!HaaZCa zKejhSk)8_FosGKTUKq|1mj0p-d2FDFa~HX4ZG{h@c5R(T*csUA=UY4Vbiw`QL4c%;7`Pd1p~$-5U~sc(9f#OJuVSVbiQ zkoRorYn$b7+Y`b4aaoL9W<;c550z*KJ=H0R zTHS~xJLtVnm-O%s{8~fJoSAqV>5%0rukuRkg>B^{&eGl{CX&MzRHVY;MuSevdn)gf zc3if4c9GLFV8iU3@%=-&Lphx)`Hxf0XQBx!<(e())^$@Ejrs;z*FgN_wCdGaRDFF+ zx8GmXqKb-4)xn(JTBzgF%zAQb$H@jktW@hRrz)JV`NJNH5up7PM6NysSvv@Iz9e;p z=kh)l$v}qGCzxV|!EBhW=Zwo%T{lDOGKzGRreBOI(0=x2SklZ=e7*NI;sg^Pn-J;O zy-&x}ewFa2(<-V&016roqZ?tQz_iEzqU^1ss_dS(aoR&4N=iBfNfD6ll9Z4xMM9(m zlx`%YyF*eM0qO4UloDyAJAV7%^L#$<_q*QrkDtr6WZ^mYz4z?dGuK=*v$sYpji?X= zvzEKjhjXynRZ*-gZOl4TfRZa9(oT`^ZN{6cKZ@8W1EMLy4Oz$&-}DWCurn>Z)W|o! zI&PU;wEP+;v>;D2^v>{y@Yc~ZnuSV}h5vAK!kvTL)7d85XWMFRU7*2jVVygD60>lW zZm2j%9SC>Z!%PZY<4pNGHn)9&)lwJ_51WP3d{adWNL9_EMZb56BCn4 zmouvZ{f63-mZ=;CQj5`SR5w5>#+p$&e>WTPj(wsfCVY4O)Rx!^+!03r-(9FaM@lGB zNlv^8HZm+uf$*mlSUG8eja;}#CAbEY?Y|p&$F-n#;qOL%&BUGhQ15w!hVY3Ioy*qA zrrf|E0p?0(I>(sGok1R$Lyy@qbL~JKzmyg9YC(jT&XGg%MtOln&Gl;*B7LdZe&i&!SV6-4RTPj*97Wx-($7 zbVv;87L8}GaePsPE5kM7=4k0LGpOc2MU^S{Vm;h4iD2QfsYi;LvL&+^_Uqaem#!=n zrRe`D^(w?5s(^K~C9UGe)yyZfSyL#9ccge@4K$o1t-!MI|1oN`45}ru!E8~)4AFX? zWMl5^_2Q8-;)&2t1OsGF}9d^&27|o z<->}L_Tq@%zQAH<_dlH;H5$C@Lc2@GD`Obw8oMB2Sk%iq5PrNgG}C@L1nzzdG*Ds>Cp< zo2_<+9v^g3jA@ysm@EMJJ(p+DlfD6-MftnSsiv0~+SOJHY)#jk4!g4x ze3&g|l+&Gyx2M&y3YmleV#uzU@@XCAGx3!JqNAkX^Ko?W1^H1!YDDbf_wGcc_j0@= z>_=IeUx*->x3!@Qk64H~{J0wh`wXO7#vPm;a$>VC{T;h#HOV3$Q^IA4!mHtfoAl*rRlL=B60kd0J!YEbCdH8YiCPfcvN-A1sOh=X z=h$<+E_|0@)pT)-tevFDV|qGnLKn6%9|gSkwQ zo=O0^g2+cz>3_TQpE*luyH8Pn5HfiQvo1sjp=CU&YNQn|`pmNzCthk*RVzk9JL+GT zoeSJIbPHzPZKpHCg^dxOk`|}aExw{_vPSIM1ik!PljUPpTjf<+?d>XVqo~&f61#Iv zR<1`K4!G4Ln`%C)rRUjU)#CAB_skNq4+NTxN+QVMvqA1KqV^n(m z=PlwGs9tn0@o9gzkbDuxIshfn6j@Tme&W0z=nrnX)e&pO44tG3vU2hsWLqQ|oBs5rDw&K$z6U;U2KYRI z{p%g7dcA`w-To z>5m}&->Q9Mua(<4`;~U0D8&$`TD<+oI+FaU&r-N?8x&2leffm=po7x|H_n3oDPCy+=DQ;%Wf6sb7#dVT_m75zRg<{izZ7d5OySReJCGO~Z)mX7 z8YoX?O&sJ!%yZ>F+>Jb+tK`#^ zbei}5(^NRxBDz{?gXD-vulv|?L9C(|qQm;Pa%;fZ%e}$sH z6_SUeDY4_K`SxVdq`%wc$sqrqVe{OSw<*d?cvwHYMb9?Jx`M` zQxd+34yrJmI@-)l)Ash%ldc`!U-H2o1%}QPm3W8b@r}iNP1zdf=3yUOF4)Jhv1|s4 zn55j5k)>C;6du7f>1#_)7Bmi!QNvNJ><2>G<)wSzvf9){|1saeo6`xuNphdln2n)d^`!gjxp(k ztr4zpNRqjW>UZpF)7~MD>`I8&x)4AxMe}HsgmAifGFp1vaL?k>emqILd?lr0H!#Jd z^t5zAG*!vri>W&HCFf;GpEB?Wcu&+cbmn_S_f0?c8u6rReA6`gAtTrHDeJcWXprXT z{<1A%=}>=nd!_O1f#X;^2jQrn zKPn#maJneS#TngPo_vAh9YSZTH%tjyf*X0%UkmVLex<9iH*&aT1~s8VPoFiJ0p>VW zgeQ6th8;Smkvx5gbQ>T6IPl?Thbc3WTrzI7|tXN+)iQ$WPSjL zbPVpASHmTlRu}=-VVibn@@}O2e7kZ@ar&JQTbH?mhv_KqcRV@G8qQk3FGeEl?&?2m zvt3k;TlaQl3~h4-e*Mqr*Wk6uO&@HbQg5{nPar~MEgUqO_BA`@eH*DRdu7I4^T54< z3)rhaiT@(p=1|^33%%gp3pJGI5KP_?%GZxF zFrdSVlsBP zCn*K=QJxB7*B!Kf#~@<&q*qF{RPWBkpPs;p>m$9`Y)Rj39@>fB05-I8^dKMpYNfgV zQTlTov!$y|4t!pB#I%5=fg5^-#Note?>K$^+pzdU8m|vu6i!Qpl4wyQ7(7ZcnkZ0@ z4W@rcsVP&l0uG{bM9}Yb%zEFWp#>6nz6nVk@ioWZ%eR&zu51 z4~a>yJR&3{)L&V{%?ckA39li!-sgux31gek5hsBs$+RhE0pP!G`jV7f1yA-mOBYz8 z(^fh59XcL6^xRe}cOo%FmL0&r`8F+r^~&AtSyL{_GmBwT>w3{APxenhdCo`=Lz+DB z8Q*ou2I4tWU?0lp zH23oZ*c#7Uart=Txjrmkf$O62NXVchzU*u7sX?N~9*}xJua`q%+u$N=+!fuSKi7y+ z1SYw+*D^h%j)<~BIE=KhNbWT|M%sIUpD7^HFplp-Hq1$pz&@`%YD!(91I_T-g);AgOtkK@swYod@DQ^w?sJM{+2oIWHiapld z4%dnHObg9D=G3XOG*96+6!p}jJ@6MwgIgLyaOG^?G>((nIqY^cY0rd9^Ni=Q2KUsD zNasIsE%01r?oZ+8$s+nvVgq2tnDFfZcAZ?Gr7bu++;rM7!^s#jY*@|c;!_nQ{7fg|BdP(0FLit;+Sc9wo`olbvFU=nfx|f zSW4OW8rAnEg0v4qnTpbNlU^3PN)0z zsw^zYWqj#sQR`;AdsZ_O3Rv1O7!w9q+U`^(7!@9{{gEnn!H6gP5DP-`E4VrJwqY}B zx2ftdz_RxTD&`OFD+!Epp6YpH4x8ut)^j;c8O+ql0n`3ml+cd|Mjj0Egd{Z{l-vPf zqq>=;Q`b!TKA(DNQ88E4+EoGM2%HLurpJNQ9*mb7iC+R0-l+T2SYb>@d(+yfS}yIm zd6d6-O6PLC@lNo!%kyur)EwYC-~3hL_LDl`u>Lp?hM*AasrochToYoN?k4Z%> z8fI+TK9tZ-Ap6k5;^8=Zd}x~}>dQS!8zF-0i?a7BihEdr%ru9?dl+h!-L22)SAp^) ziyCUb`k2W@p@@)FDd#kVybi!Fg=!@wwv2~>wdsTdLx3g1b}sN?oK1~8Atl!@y`hA$ z^kY>_OZBR4j3zO0H5PG8|Ge%j{V`NpNwX#QZU-i&pz0F^Qo+S^ZC(~7rU4~=lQ*kF+)G9JBlb>9Q* z=-GW;KPn=CAAo99+EX%dq>Ajm#!mO(t`RaZP5ya1@Ka=rtbhD`(9bK70T>HvEDn-U z{uvg1`Q+c+T8KPx-OX##f(9r~u;hli;6~q;&KRLw`D~!wJSrI9AS9yxI`%cb+=x{3 z@x{3PRi%SkD|4$Wn&-omyCAxxV zII<>?sE`BYH4Rnzhu7SZD12&YWf=%^tgl|W4*5PO2Qj{N$X^@2R|B0sUe--?SrPXd zSXlQ(+-$}!Mo*?778OB(A6r))+l?A|z(_-m)EY!K{VPmbc)cR#-j;%5io-t!)0o-a zq;QD+RLUZ1&btH01K!+aP||W9Tq@4^r_qLiT1c(8itW1+J_?HpmI0isUSCFx>grdU zQdsdMP^y?g1(4-kQUB1fU*wmvFMOG>qM1t}Pvm7(FiT*^&dEhkZK=R7Sp|{#Ki~iZ zavvicT3i3~;t*Le{0ak`ZHt|(=}>^qf~Du31qWENTk?1*GZc#lU%Fa@60dCwI9#P&vp;}l;}I-i3%m9WM_1| zpShM|^KWg;Mbavrw~{9=c0GD486Ss7I=#S=s9goF6P<}V-~ z4P}8JOG~@ALZ_r+5G}(BSm(z=0@(YezfwIQMuq@Qu{=-J&+=nqTKl-0f^#x zIxAzuAvzXpYCa23qZ9_SFL8yms_US5&zmfnCgDHp4RAqRs&@*MgdIhMQUJ_(nK;we z47J`GO_<^3(y<%r;qqm*X_cDy6Dr1hY(Z}E*LTHcW|QgH9VFoSwUU2bLW&wf4l1UJ zj^l9W+3(@l%_H;esTXEl^%IrvI#8JA>f5$5{|WBe_r%_j&qi9DSV}u6Zi=W|5YT-` zAK4>nuLtpvkp&tUbKnGT)l7~Ay+E6m%Iiv;^tG=wmqgA)6rrBh_X^br< zQ;H}lf)Gib!E-TiUXZrjeCS73$g<&(-xz~>Dq)4rLqe~XDo`R(Gb8>ViKw977jC|g zlFtBnwwKsr_$pZ*td(?kL{q^n)F(UY4ZHXLd!$WQQ{eksTU2oOa z#}(BIO?8;|=93Gmtwj7Bf{Tt_xGl3%g5}KTzL`{-Tq4Y#@10e;odzYF?7p%SdRBWp zo$Y9CJp2A09Rw0HnlXx+HB$!g!_OQ&hGltd?-bR_DM)3UroNV$hd1DKTF(UOZh|t@ z^l&|?`Jep+MxFozAj4lP2B@CV@J@ft2`;=&Fi_!g6RKQSjd(sCbRx1hb{Wecf7TD1(Dq0(v9B0%FBFgX88Q6T;^v@N8g66zD$#i zmGdvApQxIu6=WR{Feq;`oP2W|*gLqc9K3gNhac3^)fEAWWvJVp0#oOLlLx;3-y+aq zS>1Vt3fdX#H2cyyOY7np(s!HISBJkz4Vd)8X#*Q{bo#1x(nJ3YWUzo)PnN_De{m`_ zp9;cMt8)4rQzW-bT`>8LmEgOz{4?zLvfrJnviNfC)0w^pd9we8aR8l<)aj12Z1z_h zWgM=K6hiy}Dr%4ak2}y46EBX!C`u!i5B*HWKrpox8D>7Rj~dh4-h+}KAIj8!Km3p_ zd7`XnIA4^npHym45dQIwqHR;n4QQ5>l0T8z;gCY;OK(p~@{c=)V0A;t)@`CRl_c#mO1e3Zwg8mDV8an3A;Kr5s-k?YubsN039@(sV zB%yWj70Abz&~n>f{&rk*aGCMHvO@(0pKog2>|7APCdk8y`Sdg(&PhOkzwg!cc=HV% zCyVOCr)GzjdnM@H;SxEx+3;S!pi7bmkvOVmt8*36T($q$n>X>!XNXi z9fId`C{ysA_I0^b=PBSKktgs?j4H|^$6Za#g{|KWVUgwxm7MfyK+u;t?pEL?2^=MsPlcL=?(Xm zt6r|M6|sF7^7sP;$|ZTqSK$(h3pO%J7WO?Hjf=Od)#sA}{GpRy()KhTdsBD5<`M(# z`)Qf(?p`nkw{|2fF-lD2>o9xWb~grL_{pXHS4UNUX>Z4W3y5lGzP{-qu9h@LXNpl0 zIqi(HLmR~I@ucq44yUXmLrro=~%1}gw zLx*uTkG?0QCSGumJevPl9`$DQ!`~lM31$ay>RxL*u9Fg@Th^6#zDgD;N_&)7Y|HqZ z3#@Ji4hk#f);b{sGo}s;R6t{!zCnVQMkw(0KPmB0I2v-|%TgSfhJY-s{aVbcmrhPj zgZl3#zY#Ckc9FFz?tV&35RA&?hg|)(Jk9Ks6mz5{yan#52;~DWT?S&cnuj)aWX*4v-}ub5;faac z-{5^8hU)coSXeEtePUh~pcu;K>#8Wo>NB>lR|ROvZO63GkrVOJNC%VeLiISHD zhnxM}Lzp;Q-fMkvsz<*E^v0^*&&B>8N@G(?P1(pr?=nq3{074=SH0{8CX{6f|G4RX zeLr<3P->_wN?@`@d+(-~UQ^{(WHoHb&5A8NBvMP(-Z$R0r^pnCT67~KY@zaYyvdu) zB>$cwFkYQRtMcxDTcGq?dp@4GC)I;HBvGf=E7d$8F-#Ymp#L9V$K>n(x0tlwu+JSq z!~--v+W(4>mLnudMiBqFaLucpuO2!AF#Bxel zK|n`5?a0NAy6j+Ja>=k0o~nDm69G5eM=3~DH#+&|VRT>mN6mwvpiWtLj ze@Kk=X?tt9II{lSb^(-if1)cB9sla}>Y|1%4vg!Ez)dttMoY>=kP^74&n3gh+|)QrSIei5~QYIn>KTj@~jsdV-6n@5~{8brug+$;tg)uKX{+k zKplg<7v)OB#R=N&0SiDplg}=P3UpSkG*dYg=^qZj>`|k!Ix-HCB~{Cp{N`t0gVCv< z&1H%^?mUR7Pe$?fVa&glJ3CtWYJaHZ<4fW&U_v;e-o{!wdb;%ien4kG>f{dtMSYTU z%FAU|nwv!Kn-?T@Gbi@#MtWwg6=7ek$ZSWSS611R2^t)-mwoao^oFwrjnyt1C|JVQ zSAJ_7#~KDH`Y9|Kh;dqA$4X35KuP9j#LXZ)+$L<%ty(_wvUKTUX5EhHGrzW?@+My2 z_~8ieHzRTxw?mk30MRYYkmg!$qhI11T#_JPNbVsVgRw``5YVyOct7X=g=PWFQC|bM zGtaZwse6*6g37rSfD%Fh!Tl_Mt`W19w?K7k{OD5vvSxOZhHmd#MMc^IME5$8;=@ z&Mlcx^~<4~I7egmQE%FXAO^Y#4oJ=i)Aj}i{Ra>U7~}<~8XJnX2z^hN)3v#>tAJ87 z@rl?3SR{_?Sl13OF?=$u9d3STz@Eo;V=nPK=?|2o{mRa9Dx%Wi_llaovs>-Uy2ouD z=;85p|5{?)clV{7^YmpX_yn<@gP}8}RljxIA((rDpz>fopc+soa-vpHh;;huO4{b6 zEE^K*8^^+%4K_sgxQM$9)3ltNZ8_Dn3x|Q}!dGn0>nR`YW?_lx8M}P7?-uHdj;3|R zx>`-}dLMh%8v8_1o}%`XPxQ*Pu`iO&umo~h3?deZf3Iu93>I6HehUqkY#zTL7i%*# zHP|la`^m~+@Ng>=!6!t)<;ou6X*7ZQh^wxMB`2ni?BE4lgTJMAiL*%R{jwAvNbDFt+j;u(?ERGN6Rygc5<0TG?b}L|K8@NFf9B2BmUXR7O0G}Xfqy-R ze4Hxq9C0x*BcS!b931=cCFa2R8kBxygXEJFX;f_MV|M$gfiTq=ZOO)7QR8P|P>pU3^gN-9&+`X{!6nE%&P7W**l1Yn01hV{9AIcwaJ1 z$#2koQM_2SoyXL)ZSQ_A`70C)1!@aU8c>=_M!x>?-2e7!@lN|r2qeeM=4)(YnZ0zZ z8)9F_?&FE}-&WKF&;maJD^MydVbYbK1nH$g!Lxa_=KwPG zeQHeLGRHmn!*=_q1KFf2hsk2m7wht1h)+2S3knAh4M+w8>aGLaAAojG8~abB`3nBV z*E`j8(-Bhv0&*vY0D}z!@)wS!JKOVUs2A@mk>GG@m+i&Ky zb-X42pgv~vch4&?nJ1wDx|lP%5#pa5q5Jyx>H!FI#x8{dwSoC=$WeWpZ5|3HNp!i> z>COzSB5V6jN$7%B&tXD6-^IY=<{6n?H&vrE(GY*54HXB(QzRAmtZ-AZpx?gqa4=3T zgGx$8WE|Z=_`Tzt&8uam!1qTqoYU`BsJLxrtcsJ=AWz&cQOw)$K-X;PGY_|AliKx+ z+&ti#?bipUM%8)dK`+$Tq}KZ7F5}kx+|)#-6eX7F);6$as<**K?ibqzPhE+ELmt&H zGl)G-(~!-Jh|K^w+_1pYMM;Ua&tPB6sc;_`pY;RtmV3QJE=TgBFa#I7>qs|nJ2I`tzx44@w zx~xzNUX|>*B4cNj8tEp+0ZlJe~M?Hb`!qxHw6y)T9 z`a#aDR-Q%Is6pP<5Ro?795*iv5qfFx&P-Aw7-(IU5VwDg_sqxh2{4){Rqy`>R6*&3 zuFoEgM$HQFw8zaP@mN>sr)riOdJzyMO8RRQXq*5jhD_d z4YSgp_44PT?dlY>9SVY5qp?U-F`tM1Ut;2KuW`u|f)c5? zBo+|!D3Dt5lFXM!A>%zZs)dIRM34{rnlZhd-bqZ?^g;4L2K9={gn$O*K2zrZg|%5!3)>tVg~6 z)VW%Du&b5t`xn3S&hxLbJ+87^kkhMk{QBd=dd?vRg-|lN^9EIc*4P3;>?^vjQH|Mt zh-nIRg=2+J$@VpJJWNVBZ45Aha4c$qqDj6Fr(YozK%$PhKmq8RE9;X!l1)(&0{9p) zaTx2?+OoQ>#)AcXMuiVYXyf->ZDE<~N=0&D1N8>-BFhu7zDxp;D$s*a@K&JBYlTm%JK8 zG16T2o|AC4r!}qW#;`QLC(~@?9ia{2et_o*XFOL(;1nxkEw8sGDs5yPKbDu*)eMn-Lf~HKM`TXjI z(bS(`nX(dQONTq59x+y_qq|>P->d4<<4vO?P$QM!5KR3O9Ls1hD}c%tb5Jsre+azrBCwTgbc*OwGNpkF&Xloa%%VIZe<~T=ss5(F-4T)7bBRpF;b(CLyfHn+mwRR5^pYd8_f$7^BvU z2xS(S9$(bPkOORB%%!%MvbRRpiYWHmr*TIzz=kFqiiD3hOvPn`SH2)UJMa>xqUA9? z;?#rc@Sq2HLEs_|_EZ2aR_h=r7W9-?#0I}FX~-l+0gd)Uo?G-wPTx0SOD%va$9BVJ zO(G#L#{5vMd{paEqS{Gt24xTtRG{6CY3q+#|-?pnU$e|0zXc*$;RRN}!T`Uot1 zb2FTmJXoZ+?)ZHiI45F)WQm)g!fBEhf@zb1-&aB%!tLAqujP67$!o!?cVFgP(&AY{ z2(lB5DPIklqb@^^;e+kYg>H5LJNVFkyu&)A4jDZ7wiQZ^cZI<1C8CVL=Z8|oG1Y_8 z*p(|ls%IBs{ZVd*-h7~9j8oAx=crlMKRpZa0u1U9z%hTrW&FyqaR6TcQO&061wQwlYtY?XF78qCfcfPfG>&NIu24f#)sb zU`K8x&jy0z>x+(*B-N8i%)C;ovKaRv|M!(2R36`-1uAbKLb`a9S~a8}QSnWegIIpq zniR{0T{s)tIOIXd1NBu=|6$LAz=M1XSH7G0Z4&DrsRq}q+UgA(NK>*}f=0b!f>^o4 zM0&cQipOG~e~nTQvO~AON*p%US#4@UiGzv3;*+Hcx53xIHwJHQf>Ic(Lf8wD2KJoS z-N-KK@ESJ)eI8PPH9U9ta z?#~On53}MkB=X4acpC)8GMs|%d8Y4=2`T2q9+UlRT*mQCzCpfXesNj`hG<&^$b2V? zl}mz$Q{^e7n+B?3HvMl^g(WoYQ1_y_>8Y+93TsHfH1Zpe$Zgx~XNQ6utO%twYB!YR z@F5ln3IZ;K_Ef@WZ^@hf$#{z5Q{A&fUzP0ifEsXZG+ogCdQQ3eupT2W5(1v))8BZP zPSe4}7h0BPu$0hUd#2RBtUvNimj*7e-H(S*7Q)SOfXmar6us)97iju4L$n5xHY%gi z3zU?fMaDrfdJv5A{>tVqwXJ`{q}&E;UnfcSpqq=&~~6FEzQEUA>_3c$Mp{Z&`)ESIBZBx zrFk!w3s}z6dR2-6(DpYdmj27AcmVA__3__YF^nl+dou2g*FV zV&DR8k&`1y5t;Bp*$8is;cw0EDm0jQkN|%S&Xo9+)T$|Gv z4V-fliwpg4Urcs8Fa8!_O~vgI5&zn23P3Xnf;HM$4$;1!7ZP}?{08!L_z)5<=*rp~ zXC&ML55|9$;kE03MZ2*0WIS#N3C7E62<=_v_&GmXpzqK!vsnq{#WZRX>`t>s_&=*ZDDh8*cBL=} zg(J64gt(O5-vj|K=f81DS+Gu6*KuEc!gHze;U##djGR(d3Jh+D06}HJA&rA@Ej`w{ z;5hH$R*t3Xhiil{uPB{+0!Egq6;ULhJ8AqF*1+ha*W{NXkj7&tm%`rEet*p+(e0_ufRh48mw z!}Ty~q7PM9*^HLMb8UH;F!wo*JN$#Au!`=0S+HO|t|lDR62c0KD8pe&6LQa#$Y6nm z>Dhc&$wdNInaeiJA|sWB>-dp~{WzRLsAGT@B@?$V4oUgZ*3XTw*Zc3?Xb_&=tC|P+ z`1RAM7#bi_tFsjZ!YB2fEjDM&B)KPV$iR?B9JKI<*haojdVqeP>!;#aP<9v# zGUkkQ3dG{+`4_fH_E0w8>m(K{QHPk|);Wga$(#W{TNzdNTQ}ASukG>2rMxq?#z$d! zuE#Ip9boDVheS;|+)z*Jt$mc$%b04gA^{G0N_IxC^7ecRUQ9#`Q-<(IV0w{bQ)cE| zU?*UZ=lQwfqo3sYp`eheS?)7)#Zz*O-w&nh2LUUBEW`hECqWkRO^sD!xl&Z+^#r+v@YW%tyx9F-4Tl|_ z;0=p!_jW*iDFM9)UNs)CmNw$JxKb$;z-> zydZ{^)A)oj{z8I3f&ggN{|@H~0zlDTBDU+lEA!n53nuHyi&!ia3ag*xcyIZsDHnyK z6+9e`q(Ea%FmI}vK8zzIdJgaL*27AyZp8{#rF%xX!;|7!a3XyVyZbvIIK7sCdt=lW zWSo)OKs;o9L2=TTben^QSrrO;Dw5E1N^kJ#!TEda$Ke2tfL)HWU%^p081yOjQ3v1$ zQO?R%Oa%&^hr`y*{3k$F0Gt@26bfMd%n*9G1{fpt}SJ>FPlN0 zP9@!OBikgPO$V?Db>j^e$4i8QNsucnuYDE-jI9#aui)V&T7O`FvOkb9fv`b_9bTBU z0=4tk^f7D?jXwZH-i3i^4c-^`&WeHuH@qh}mdNmIU=`{i%R*qo;(0N3Oqg8-GK^gN zGbkH17;9JMX)-gqk3=X5iP-OdCKK}!)|bIVaEIABSWm>#$0ypG%Y2Wa+;4z@fjP0E zS~7k8kn$<8k2VxI01Ae}d!55T{hg2mx`+sa*NV8#=$BQcbTGNGa=K>@8Yva50az;w zz=S3fyz~}rLR;c0^8p=S&l7x>^ybKmhOCy1nLa;c&nlDXm z4WVX;3V#@fAe4i*hAZH&d5O5=PS0$sX%FwRci^LenD-9X+*>0J0TYH#>~g03B*g?%tVzpH2v@GYcp?c z2OM=KG8Yv2mX-@Mo4@dhf(=S}0Ja?x1%iq|6H>K?hazyH30YFma0Rd{Ei*yzco^(S z$Ic}jqw%eXd7fQIrt~$FjZ_nS%KMR)TbE1P<*g!Ll|O;!6&eN>F!!64^9EPu+psdI zE}K|ggHb~lj1RZyQ8C>mQ1+lW8C0+M>cq3IjRqc)Bv${FdLU$56kFym_t#c%0trBb zs53vgqgoZ+CPPV%pGt>PQo>vbIGlzY^6PhX<#-fkA6F*QqX;r@IN z2*QFsVv-RvV_$VaVLk+90R95tlp*f(3O)RM@>x*{lqNABb7P+|^APb<0~t*62Bl|K z(b)Iad`Sdmc8zfUazqB8m-ZT0+!@Lq28MlfiS*D*L=DL?)e()wax6HuWWH+xi8$%B z-r6utj@Lru{9)a0!}Qm_QvUj{BeB3FYTxDw-T^6gzs?XHzX>leB3F9@q2`LG<>s~h zqkHFKA#lr~o~OckKWR@`k#o!E2Y@(ngw37>Se$>|=>v#_Ou8KW$nfp)auA+gXsHsr zuV6#ET?vY}&lNB5^2=u!>I~k0Ws6d)8UiVn|D`55Orf9as>>h@v1#CA#Z!#jFk{%d zchk^rm^TN#0(Xqk=uwJb&ZE+Bvj9^`KH$n&Yx)u2s5MN_fTo4uqbFKbXmWM5tsgZ; zTF=lDrvtZ{ooWR#;HDuN_|R@i@Ktg^V{gs~8}jkY|G2d*6P0+gG`V3ZR02nT~05=O5avxBrKRb5EXCT%0YTS`armA_VQaVz< zY^MRegb1sA`)Sszg(9%;KkIvk+Wxigxsus zsJI)OqB5L@VRi%7$~ zE8VR+IzmMjcE@N-HiKyAhE(y*6s^EZ`WFHG_;*v){~Zu=Mur`>sM$Wr_Zn=3TVR0p zyU_DRDJdX3n;*H|%2)f76;#Shsi`@qQSzt7yVu^%7OP4oDLi5Zzii}0<;n%+#s(4n|`Ki#yy0CgWp8Tbas#U36(?^GgC%-*x~Id1yqcyRZ5)_ z$^l;;g;8)S3ro(>|C5|~x>Bs9j-AmGo$5(;0oY)loYYXe46C3kTH(A^CN2pw*E#Ih z*~s^f01o&S6(JBIzikB(@;w9n&+j=96c6y9=Q6P&{g@{x%WFB4UYB_IW-iiGfG z!+R~k465lmvuQNC0|c|NmdVDrMgc7Zix_5Z;gB%sple6L88V#xU=zXA>#y2ShR>OV zGevkMtmATP3M{!L9`|iNy=r7)L;cZ?qMpkyPxSeJL`VRQu89eL*^65FlnHMYb?8(e zaUTOyCLm?Hx(6cKg1~HpZW{7;S?m#htl;M16WdMncq14n0$HwKC-jEiWd{OsDN=|u z{iXoy6CwfSXRiyd^FZh|hZL4I3|B3y-6)rbbgxJvG+v-uf{Xi^vN||~(@2~i<}bnD zVJXTfsam;+mO{nq8!VoWFREmyNK@k)%D02d1^$u?_lyA*Yyo3>DJDw|Qfp8#ZIbY- zx*{m?;s>2}xgu8AgYpz?^2KF!f3z)GC|J-uqUVfwNT(pM2&c?w*_0OV3bPDn zOYX+D4!2YP)nbl9pr%6q*Oa2(qgQsLM=*$YFPQxolvDX|dTdCuC;U#4(1kyxXEydu zSplu@qZZvUlR)E*rgt|s!XEe{tqkZ_%Q9NYM;W2`nb)+WB3v)A;6DD>L4+^fKf3!5 z&X@ZL91ik}#*0xG`?>8eH%x|VaraYxyO@lE#g$5Hd|&wg(Al&aW>9Hb1{08Tts}5~ zKC!g^`IRCzGBa{6vA3-_>-`|TK0#p|DhCNuSQL!Y^^u2sog;H6eRj z%~R%s!r~vB*>&~_Qh&&wV~}3GcT)S(BCr$8>g((0(;n~T`-KB~<}wH;NL#x*}6#%TJ`8L?Q!c0)x{~ zgrHDZ@*zZZLk-3blX_D899}Rd2rm(?x7$d^|2qL!O2g5k;6MSNddN|ew^2r-Hy&oj zKGoCvMG;BGW53}-Tn+O9L1~=Y4VLLY+I0>d+(J>(oUfphm((b0b&1WU_!Q}uiIV2; z_d+1?r`N_Ld>{%rf$V_(1F)hpoL)6G+}v(WZRFy%whgkBG4!%0dgWf^OdW%UrED zhGn8%9oUGv234h0Ok6g6w;#sg$R_#jxLr$*y_}^d?=0W4nuQMxd^c{frp!U7` z$6lp>_8dd^$|)X`JmWtO|4>3V)fka)*%1HFhoE18uWdnW!@=)=za=IpS4MRc>a(MY zPc2-(X>MP`(n}C0D!t&{hSBqPABu=D!KF#ckl14$16lrM*X-VnskZ!nV!SD0@o_qhe_jOp95&(yRJ|D8_b`3*A`g6fdWH3T= z5Z{0?ZxUf|+%83&8sY(04l8eAll1T4AB3lva^gN$hU?!BBtq5}tas({HTp&R!>kqlS1&K$%6e^&Q4K6J6*KZbCPE-Gs_Nd* zls;Bx)Wq!ffsEr@p=u>nlw%gC(#B5CplAMHg-EFO7yae|C|LLl%Hx zkgIuXF_5ry*kZN>L$yH)z)@QTSQBM%m$ zrPFMWl1i8`&(KsW#+Bx4SHb~J)Li2-eR4Zb>%^T+>{{~wP005QYCD>Di@m{0$q%T%LFqyX>eEpYE+ifXDHJST$r zkLI^|g5pqs&xO63s~74uoZS~P82=K88u6iF3YE$n1Wy#0)}dk4s`8C5yu{f?pxgg; zqi-hKJg7$~pUOT(bZ3K!{~36;B1$eh_Z@~i2#$yh&LA*nGDP>KQoLEfUpl(i!J-% zztRKyGvn_4I+BH2ZW2g2GTxNEB}p5%w-N)EXplH_)h)2wC)4A$L%x7(5NUf$# z^BBZb7NjndHal=oTmeW$BtS$(GRW6O(J_lGI-Tubu!M{m480}uycoPZ_|?EL!gmi8 zKU5KQ91@~tAuj;jAx+`y;pU~;gbVY>{&I&O3%C!Nd`7Uw(jOpl+ycC{nJ@f}vYJQ% zKZOgFS@y#U-dGVLg$lX~DkOJ&lAz!c3-V_$J#A0o@#<>2axS{CTN$AU(4PDn*!;^xyvp#uoCqe7EezB}f} z-s_Get0XE|mtmM8-Us97Emk)s0(94N6l+*ZSEW3=VAc0=r>#X+fw4ZLH;^;VDRO&+ zNd5}h$B4d0)4936Kv4-Yk2;#$8{w8k&l;XDhk34prp6=p=R98w>-NzxqOq8WM}PR= zRy6qqkZp(^>@Hv}FBk!DlG|=5@EBfV^_GO%%r!J-Y7ktp5u!4^{%%SYP(@6jI6+36 zLhgsg=+L9SHz$hmJYt{xUSTjmeg~rW294oJ&N6=1M5_xx16Th&z-R-2ur&oK-Dt9w zrvqFTClp|p%{XGj@v<$LPWKnCY!kwUXNE`vY7l6v0HpvqPL>R_r4HFcu*?FEH00~O zna?`aor}%dO>OO~-*MC0USOQ_hhV2*@O>G8H6j`n7XMU2u;wvXC@$bYQcQ?%I%Z@* ze+*_?2pf3%2@|0r;?e^T$I@6(MMC+9oA(#==F2h2*Hff(s0qO#7lf)^ic9+-{(usO z)W<_ejY}2A+XDKOW8e}2$>b6xd0QyAJq*XfDD*;uQVQs^e`a`@&xkF2Tlq9#6E%; zpFjF4Fh#(c<%6PmvlZxdchJ{R7AF36f>GyH#yDTN;xlMwf=^=1tfNsuX+AEPWii5H zBC@iT{EYuk%l4lw7tPZ~zPm-h#CJkQ{fGnvc0iv_(_nvgfx;rg{PX(zOJqFX4A#8- z__ko=>&KrD-+z=`d0Q-bE%5!#AN_M7(o6^cBe6VGt$#3lh zmzV}V0@xr(V^lyI)7}3cd4g4@{>2Gmx6_K%fS^n!S;8!U_HKl3Fk?4Fq7DQFO4+gT zWO*o+gsx1gOlu-j1qZFXy<(;>jxk3rQ?G2P4D6ebwq}65#$$6}fwyXettvYJmJzCgFGx#X`aAW4GoDWDq3uTR+jS)g!RKt}i!zn$L3$e(s~K|r3&+zzjvQ|=}X?vMd)=)51?PvznG z2yr4FLB4=-i$ccwIGoZD1YR#7@ZPpaB$JfyX4sVjv-FqG(DrKow+{()ae4tG{4+4($5BJpb41r&fy#j(HUcMaK8sq0CGO=xNSS`}KiutlVMIf2gbrrKDe7}csdNV`( zsxyL;u>FJAy~3x}DMi#y$OaC7`U3SBz1(1kA z!U`e2sm%gY_Ung=y2U4eaINf&rVu#neCX_AeMetV16LFm?cYxgt7K2$vu+n79B)$f zMA>WI@u8wB4ab&LJu-+aDK-$32Ga274n!=F$^in^h@ks@Kjiu@9Q_{uBq5lTfAzu5 z?{LR)L#Q9}3cmymi<~swWA>itNhW@|Nei3XPRr}J?Gn*X*P?{K;`|Uk(kv5Fzr@CS zczwMVT)j_DnDKUYW8mC6PmK;g^L@|pN6-cn^xKlm3ooWMnG##>Xju)i2pXvGN$HQ? z_s%|Npi-UbPBEQw|5uGqwsj&8FR6Cic7Yy>p1Qmlb&?X@$~C>5mvbZhD}Q5kV&ft~OCL#6b?D*W~QSL}#%By#~^NS6GX~&XpJlpK(gzHg_K$GR(cus{D za4u*qqFxq0*B4$mh!@{3B_H_sOYY`ai5*Fr>vZ45xr9*a21fKPxWy|3^7e zelfT=;7GHIWbb7;s3P;)h)v4R%(a=#OZ;xWB`UhN=Iyl7Y1e`?Gu6s7i$MW zZ3|n}nLVhs@+n0Ig{J7fh<^SF1Q)3lz4}}q&;Cd24y?pifP*&iH|6>t9CSz!@Q|vL z3l$oDk^}wU6puoKB+6aZ?B^pdzJJ`{3gZ&2+dp3UY&a!a?yz!ieQ1GnWB+`+CbW0U zGl+SOSxvP4SD#E8!&z716KZhvj^2)!lJ1mk@Z)>!#_*vMFIKVoOKW`9^Udq8eNtZM zFW*dmeXRnY74*EivPe;Yd_nfbzFi?(G=%CtLj=K01yk8e;4~L&;9CS+tf5M|1Y+P^ zlCh&Lt^ZZ_!~3u7M{BoPM}1*J+g&W|Y2M|zqBqy{s^s*C}~$i7cK_F#a) zhDzDy>Kt{W%l>*wNOR^}UuFgc&&T*aYBSIG8!X5(8&ZoZXEWV4g=3I~4A%~o9aaHa zw*#stlbB+Z0xO+MqHD=^Jiqdt;MY#?LeHo63uhUel9Vg1(NPMKO9l- ze$}%~u6)%ZI9{FquA=9;g5D<{P^{*q4leiUczt%;$bHI`rES1di`G=2(JHRUhH@R* z7ZHZ@f_viVBPL)5I&fo`we8R%dM`!;36Bu6oi7+l|J4HQ`=F!ND@gIhsY#UXwKSzm zxUcF?sh9me*x9E!>)H}}dhJ9)EqwB}(zLJqcPJKKpZW(C=b7uIgsZaxo{#3LlLk<` z%$1Y};UG72`Xn<>|JEc!aS+r<8CL7osr-{#`7Ymns0#L)4j5Ht3hyuApo~!-+N7v( zZhN;ADYP(3d>&wJ*8shR&i%fFJAB}vHWdzTvWYrPnQ{^RUR4}zk^H}s1NA`@5eGXbz#Ucy zrus1=`ezEa2Uyh-CA{c^QbER9331H7+CO4@hed_>sr&z{`p+z~SlIWuRPs5iW?tlZ zI%-H1wXym2PgS_j1PgyV(N`2?l7ExFhrlF0Kli-o2fyBG@j&T;7#fQyhVd@h)G ze0AR!yFjNif8(RBVcx{`UdiE~+?Dj)mKu7?OZQoM-GM|SPuX?`2ee3cdmV-J;B?xD zIT?k*pE#HVxSrK~P!s+(zcwGCt)9tFUsa&x&hum0-0eC?ox?x}RM5=7O`uJ^i77f6 z1K)#CJ|CPkX-eY_z!+vGTnYzS3&ctTqvS`};TV^7$nXDow`9SOG?~Bezvd;|?rD}C zUJL0st3q-4!!lYu@mfzO12EVtMj79Id{^oNyFFwCh$P`pz-u~9qB%(%9JDYO^37b% zlGJPxR6e_2mhSehKa574@ZGrHw0=GNQ&+E)9Dm0NOZ8%dghNb0;tV&EN^0QjdPar* zQ%>}%+C+s-UggYXi1o>!#OJqbu$D41&b2DT%dhUv(;nPuGuM@$-wI88F{qxl>y2Eu zi#ze8y}i&JX*hnDFi^F^PBPj)S~zMXLy>Nzi2=%_Q`hH*=@9|DSKV_Q3$VnG5OVn8 z3_^Z!xA>Pd0YPSmLeFsk=KQ~PE2#aS-3lgO2ntuLzlinyi7{9NihYH9jK^1f!By>o zfS)0xrd7;0%9N-OvrVv?5^-UsIMBc0BqK zNfb|@-c{eOyf@P@%SnG89SVu8+!0|GN!GXz#TJ(*MQ6!}VkK$F1+ZVqv~t~Lio^Bs zLqpz8ZuH5{q$KQoX5TB~(6IApCS_u9kY7S#a4_DfaA|LP4Li^4vBO%?)Cw&&-u9M! z6zK<~Kv2X%4E2Q*#@H$ptV`|;ehTk#|m??ECSAKk>}U&FQ# z#o{12BI<5A3=zM`m;J5^J?OVONo;)q>GdA_jPM) z>~2|#6x?3fSmZ5=o*|_RQoH;zdyIAGZ5r=*^u~9_6CJ!7Nl-m(;4EnIF7kC!c6Z6S z&T#q;Jkbay3tXW}1MFV!XI^;-P#xu0$;V$AhM3c(1L$Z)JJUXI^r8#s8y@4Y_Mh>oG6-56Y5=$^{RcDWtIz>ld);N=G#b#5Li7OHo}c_3T(Wq z+Gv>UU2kU8zBCx>F*+p1XAlkFYY$V<@vJd#0={TgQZ~W$O7>^xlt$G8nU^Zb&jLnp z(}5fR)2&B_?8wBt%+lacrYF$`reor#P7@^`G+OA52%Q_zoMcc~q*3Tm>bxQKM9r>5 zZ9S-S@Tt}P4I*!}$w}Q^A@}EUC@h3{CkaSpB+{27Tp&X zw+O8?+&+7$X&U;T;P=yR{Eh`~U0HCj*?gMuz`SJg%U5X>4t41BK86E0uO+u+e%^(1 zB$5);4CM*TZ}>0<^MyQEMdA`@<9Xt&&mDokoTNNxcLZ9yRQmCWK_OPKlu=lubHrZq zqs&RHC;XC5o0QuP*Ipka+()#(TmC7dlyED5%%8DgUd?p3&x;aWZ%dCxdFJ0K5)zveeJ2(}|4O}#y4{lP3em#ec zXC9hGL(AaX?P{N-Hq~7qbGO1BIYvXJlxvquAm3d|f*}mIbdsAk6^%Gt`WH5yH9N(k zzuODX`*3bZYn)F)jIpD{`w9n3pk<3pjR+;{{GJo{mzq`6 zVwiBkJon?rtk;8|PQdX@S|aM)_=E?T3kT~{(^r0h>evV7^{J=SENHP2uSf-9WYoFo z7tV(g6}!R1&=}!CXQ!uAr9?o+*u6}pSl}@U-E1#(I_U36O zIPI4t=~=U~Vk<$NyH(MiXR;IGIxVAeWE1tfxEuo4^NWEWZkkyl<%VK7 zQeY4~_GJT0j2qfWC9Q9c!xJ}lLpv2`()ty9Jt#hdWCVyzO?Re$z=yw(i8^hD;M0{S ziZc^Y9$nB zwl!}twE3CRg#nJO{vN?|d~kNK<_|hAyGuT+w5B8HG29I4w|#Sp|MkmxopUbj z$K#u}(e^A&@g&EIm1&CzT9NBW4IxwZK_gDN*;U2QfkT)|=V@m~CdSIR6~{&FpExuy zJP%0g*;Swj^@Ve88fpf@rn(b*BkbBtNb%ViI zFT!24I<9-d1{a?7M2`Yt#6^SUP8<;!Ay~hs8s7rMFD%`tqEu3|?E~5LL&!q>#=J2H z>@!8AVm1%d46KYYUtv{M7th-qm4|?_Dx<`*_*XCs9IOxHfJWgJFWss-Gb8<<(p`yp z&RRc6rwP7#A}B2JN)M+CVa=6g|8plqlKJdC&Os!MzWF32#Kd2V6sM%|fklns1CNAd zF}@UZ_fvldll9|)_OSa3GnLdYVbP|2`)#55lVeKrB)vA`-Xu- zaqqxux=>F@-}~}#n)e~2BmV5{kW}gCmhr_++tR2_Z~v#i~Sfb(Ci1 zAj>;5w~z0Wi(QBQ(lr+tAqyb~(7;$?+)@dKAz8GaZ@|xP#z(>kK?q3R=a{ES`FBp! z=d?C2CRXVzMlC-}brhCNtW8Q@oLZx_4RozKXYF^MwVrZ5V0(n&(}}vAg|H~L{IhU| zdjBk3Xh((d3xC@B#Lsy8p6YV4E;PYRg2EhpPXkrL6!P!9QYxhYR$dM~qUmG8f`84! zOc7iN3-S%pa3hA!l7jV_4?x;60;<{hB$tXD=%{V@%@}9@t~@N=jf$9rh*-RnD|{@= zv_8#|W%9D8N%)6b<>>og-xw5{Mh=RYEcw%zsBH(_jcajq_TY&M{SFsu=}Z~KBvG4mSQWDBfi@R!k)I!(! ztV17&OEmP9jM6mhR5QUW4g9T-X@erPn~h{U z=o}5I=tF(J;~ONB8Dh@(5ANBJ?`b$%7=+z#F_PPTAunsaVD?ixPko_s=E1;5S&(C_ zl#wBO?JFZN2z-(on>)w-a~r4)6YDJ!f9p{JU?vn<-UpOO{{S9bVkMl=(3N(bL zNKA&ws(9cLzlZ}q_eCz{GqtC}YHx3qdPN$t+azNqd>sm*5J*tkVmUlJL+ zv+P`yZk2g3U6TyeM`9(;fu^F9ObX&w3mKLCdB34y_xr0dYk@(SJ3BsCp4~rla@wO7 z{$#cMJ*<>+OCea@C#;#tNGF?kum_Zj!o=YYv8@mIA2uGoB{Kq*&$8SG1Mw9lJYWt( zY(StVXWDS3tsO=2o^+V3cp-)rqwgZ)e(Lbja?`Rx_?ca1}u8M9%hvxr=4 zVL$&rE-G*DXzT5(Y5a_eA%xTWqG3Fi(#eup&yaA(e^A`t%r!NZdw<$}g>2Ad@b~W$ z=NV+P&Ny`WaMCceQX{=uSj#R6J5+>ilN8d&;=mmvm62xt^&tw2F%0@L5Tnvr_Wz3? zG|MS3WwaRtt}xgViL*w*2j*{)FG7ge`rjt8{-{tK&>kp?8Tm(W!`iFqf<2Sk`E&#L zXPBZ8-i{v z!pf_k#H$_VdJ?Y)hQH_>2wqDh3Sk{v~oI+rT^wVQ<6- zn?|4cHumb#zz304%mLa9PvEGUyu&r&N@v9ePf2q73CRTonE;~jZM?E;Fn-vlEcrm* zGGAazX7R@-6)cIdVy1N5>k98ab+bEC75rgG@D~j&cPc^>Rx|6ESmffho;(~lQ+gX#b3 zkvSR!zOLD=z?ZCM(($Kah*Y?&d0rIcJadj^^J9Z%{^87Smw$%BgqY2t*Fo=CsEhkS zFkGhrU+shV8j)sh5`;r@QgAZ`E$%%66ucMw{|^eF<7iH}Nr6+vy@xbx)FL$9_Iw?U ztmi_CYr5ld?q7%wd9wXU6SNt#dvPNVoBj05nD4FDVn2q*(Bdt$dHdaGcyoGx+SL>5 z`Lu`s%8G1o^lXsc&Mp=q)13$pPptK!dQ!zG+LmJ}?#9`~>Aj)ay|S~UgK69R6+^sj_p3-3Sevc3?h_8y~vRLTDX zF<&z$2-e?-FDR^wO?X(8*0%+E2;ff=lui+>D_B0YFly)hE)@x`H{q<pqC%VxJM znd$k4vtL1y!{CajkR{Gh7lO5=Y!`mq^_huyf0sWZfX z@(fxrq~AV$v?r?Mg~{O*i1C`_j$+H{{>s2!(Y>+qm#OWwCgTClv8)c}#dL~M^eu%} zwQk~ftZn|_+SFfor(1x>2E+>)xsm@Vdl~+Rey))v#u7}esyy3TDj!pHm9SFu8?lmI zbmbW-O8KzE2DGb6wm?~y#m zsl5+v>cR=6(zj1N4l`!l(a?YNml$v3zT?v5BE|hG3t%D>a6gQGVdc;3u<&AgTegm@ z>2j+ic%l>$ybO5F5rzz3qFqY}8gT=>zWJge6cO4CWd4!_$h#XWY00vGwCh<83uyLF z;!3RxD|-Gh=7+wC8AnW)_EK}Kws7qsRIP9_l%(M@JZGk`d2P5B)i0|318(dlHiB$& zV=*nLP>2p{)1{Q4zGplUWf0?kfr?4sni4w3d;Be0qeL1(wE!mpZuho)tz zPU-1A;J?*pqJ}C0VX|+ErCzC{Sd+x?Do$jihk_Vf;pHme@v^!toaJewIPSK|_kX^j zIQ+7HsLJ*XK(j*AJ(kfuF1Mo7D?r;uB9L)AIiC#kR$wp0g`{kivYcWR|x zxmR{O0udFWASjN`G-2;jQA+qR>_pk`#o-U4Sd+7F&fJBCu;3hW zQ`u>|O98xHd)Neuyhj1a)f zI1Nz!5bUH4C-jBV5@4H(VdGt-%KuZ%Wi%~Sxa|b$@OFJpzw!S;k4U3r5ei?NYSDfu z#|k#Tpi^;d5Jf=a=CooMh!~pRWZa3oLH}yqgHioZL%c*or}$T6*2mx5y)!&0DR>O! zz6S}pNp2jws2^;8aTQwaN^zvI)2qc4X9&gW-|$sS&q(NpTICkjf7SniUnnNNdU}U6 z%jC*$W?*X|PvS862QQ)Xq*HhXU2rt*&t3!f7!e0^{pW>cD>c6cq@yv|ok-3RfiEew zmK;2$#XaHgvsTQ@oi}1G;(a@1I!x8X9ra%INBI8<3t+ zhi^*n*jR+N~0co2wj?b(0F%CaMs`MJ;;BTZvi5m9FUEcF|Nt0xR- z{7Lf4_Tc=1@a}}d2mKnlSAv@@)l-VLyC+oY1>LR=P`yr+4$Y60_M@Es;*p%p-rpX^ zil|4un|*^Iyq!_v=(1$mw0R!CeKSfeo9_DC6qX8-kig@-wWbDchtz8Rg&^FMLktWp+0zE$092NMnqk)GZsi= zJ&gYmxJp#uGD8^B>7%bH0I0$Kkq_d=P=i)UB`ELz;2S&u-+)dtvxTWE#4yw&PQ55? zREHXP6m-eO4cNcwn0Em4Jtvwzyas>wfK%5h&>7)Z}aq}1yG0yu(fDVnGoQ`o6|%POFe)x!LL zr9!iU6@GlCWAi*-;Bm>1Cf|8Ze4l{sgr&^9XZ_TmncH!7WFp=If!XdawK&(AHwb#* zwy7q~pL))Z3EA}|MB1(&yzV}=mOQ(hc{uInmSwWCEm2h@FV^>cI=__^1o+b~&7$!J}UnLLixfL8bnyF^^tmwD&m!=wdJ?zv&N}y8!5i8Hj=E z0K|eCsD{l#-;q`CLbKXJzlM&oaC9G=^KT#fXVnAg@k*}^TXWD!spst;!$}aoazcE=A&4~%7WLaYZ1e(ON)twUFMy#w zDWcAGPkNfuYc@7-x2xFO<29>?RmkEPeNSW8|Ei`q0W zIX!Z-5iT?9oc}EQzt!R$8TI5eskLPO1Q9h#C_$DRNB$A9pfc7_Sxmj@MJKzi_aSH*~;MvM1+ll_%y`(mbYRz&+n@>e$Uw?+~yyR z*BIS!v3z=RlXObNPtTAqp_E*gji9>@&3G0^FgGO>lhkev^%D;7eE5v@v zbxhM4!elt)mw~U&B>gbAhs6nVS4pJ0cK9W!BhMTy+=@cS{&vTV)(L(QWbzUpS@3%M z#v9Xqse5h9VzDZezE=KS62C<@iP9fTz{W=*0BwbToW>IIf3*Oq1nW)#82o*K#?!cd zoJs6{_XV_hqcKcZS%%-k{2!*qA;>Vq%Lg4G|2c3}`8rb(@*e3GGVzpZ3%J4}F(iHcud% ze`*O_?Np%*%(n1cacR?*C-w8<#^-Rt169!>)}Z{~BubjQ&5} z?oF%J#%z4~b$Hm1p;=8_qy8=&A(j3CkAJ&!b?msgM_5sbc7BY!$rJ%6tOUhEuG}#q zwz{8`!#MDS%XJITGj$eS$p{jX;Fd?)iX=stth2Lx9pHNjc{pXnZpOrW^I*|GfDez6t^>5h>~HL!>&DVM1GB$%nCXLH zvaMKuKoSMglL0o_T=`fcIBW?j!7<#lRz}@NdOO*0?=-f4DlJ^^(`N@ zD<%6}2@Go;4D0Rs>@RxTb7ScxdE1xvn$&W2_jL?I?%*|9-=ZZYXcktLr_|h$3*$euW&bGmBQg#<>T3#AZ&&+8du*Yb7q+z{@-Jynw z9_X}ENbf$Q>sT(zMeqJ;pPOpT$Usi!LlzQ8GV7sFN$aXdkJ`jg8AiHmME{&-_mBsZfL>~%>!l4u44R4YmWDF3tYAerWFe3dQF@Wp6p2T=b)P8|;yFjl zTW7UOzRZJB?hT2#ZqNQ8hG%&qOH&O)h3eMhaw^Oad=N(&dV^iQN{6$75?$@UZEHpl zQyjt;Ag5Kqg>H^J;^uN_W-e)4RD}L3@u@jWhdw8G~!gF&AUHu)@+JW~P>dSN=0- zfiH5Va~PA@8$X*iUK=7;6c4%m*t4D;@6C#swM;XHwaghbR`W}5qwG@5hr;~7o%{Si z_<3n@BHR6|pO(|z1GDNMHOI$dDwWEu4`c;>$P5tK=?6na_@t}G+!`U1GoMmYDQpho z4>N->vzjvII)gn9ytAqp5dSW&d!l|eM5{^d$Zwo7Yo{d3(KJ~-6E0dK!d-FE&ZD@O z&U9DgtK@N?MG1|D0=&(y>b__eHeU17W+`Q*d`pp@bL_;et z+l|kAaO?9*rYk=`^@qvY7rABnSIMPXu^6t03hIsnQtbxpgvvFptw?~Jabf)+&a0Od z)atGRA;CT&nD+TR8EfIRM-Meo0xr0MFU=hj@_dQea*HB9w#7QR*})FEJ(EKTzZ7bs z*$w8%lu{0o3EL^{Q@g;kd2&2ceMOj&h*0kt_7`>fIwo-Xrn;es?4ONfOcDrJFu-jK zmKjaB;?Gdp3EqHHDDSQseXXcWKG-i}lr1A|(_+2LN9p!b?vl~iP?!y?EuSWTgz?0K zK<7=at8q8o=fc!Qw;2Dokn5qZ6dE-_*C+O~*O!#W8(LP~D6Bqrb&>G&kfprQXeaUx zpH-;Mrd7;27ZR9!3S$|1FOF9!@zImXkTq`dbcY9NmsV4L%)pJ#))AAt(*LeoR@MZi z@s*45KCvoR9Mh$dGlRyyf>ABVQZ{b|m-;NmX;`v!Ye#OBpOzskK4Rm|9$h}nE|eGM zX|8gG(t?^0IlVlclF=T|1Z?qzmr?6Bws(VDA``!7(%lN2B_;yxgV%I80B{o2xV3$2 zf#1d_6#zxb+2>~r^IzBHk)&+r!zN)OraTv@Aew8uBXGwC<8?tLH#t4t-jfEFC~~5# z@nPwLJbv?%b;a4#N>q|W*?qMZpX?>R^@u7(v7w?FEfS^(c>`UO6a}Y)9CKUq6pbx;+trhl<&Rmv(jyzoeN#N!n9?!U_m`uQzuRDo?<~zA z&(v>tPo)+x;w3#G9XoKIm25q_$Na!fG0YI&Kk;HS%i3XfIhaopk450C0TLEFD?ZgZ zQPygOm-PFuPiF2Qib9~iCs2fct&eR^fRD_MtD^@#|^a@P__6y4(&E zw~gyhqbjJ=JLt53axSM=owjPacPd{~x!zq&0TH4}2up6Pi(AOn3yTe8>7z;Ms~3$? z!;M1+b_Is$0$W)S>~le6?_LZ!v>1DB(686KJmU~d#_+4(NKrp)WAB3$cxD}qD8XQz z1mHID+VPPVYF>~2l$9HKTqlOVgW+{8Ad3`R`V)g3vBj0pP)chuGW(6|#ehd_u4H>) zncE-pVS^SN{9etXzxxakKxf67N+5n2fpzKrlj?glo(~CsfITr!$7!mgGMkj9$MY3u z%Z*I#H$Hfw0SnX?`gms6Z{KKzi^^h%TRUnYLZL%s6Qp-;-ujn99b*?B^V>0(?apdf z_F7}JdbxV;)JN6wj4f=u-)v8#FgUYhnt2|0_K#K^(+@4PWrezVWE$v+sFPsiDvf2g zZ8=)~7Elk~Dk$&!3d$1sG@>vd$p`y#kxQo90!?xW-`IVfcZSjMi5!8PvMH$Ls$7iU z*%Uz}a`p~=YJ=fh-2oWNe}8zz3f2dh5bw$+2qbUtr%*CEg?e^R%+`9J&;S?U@gEAi z1dd#?f&DX_EHG$M-*JIIO;RX*np0oO{Z!vI>Y*pu{1YR^>#`)b(nlF$efwWC-RB-% zd$92&Q5h-l)AW6QRkNu7tT*fiuKZ8JCJy zkan?55bnX(g&naQvGJD0fK#aRHq~mE1iP_vz#g)8P2+b+Ejj)8?odYqfDAzFOj zk`#xE0PnuNuFjz+%?6bbef&&9dksn7+s?|e51`!U#t5?T06du{T2)p9;B0?G(+j7Z z*L9ljW)8EWbAKdLW;JjOvwOT}8Tf5DzDmG);7KXVqnr)DoDfv|aXG&-pfTb6dCAI6 z1UJ#F=`L+FZKISheusg^`R10>^Hdu8{$|`{vd_$phc;ui90E#DGZhDa+&wtz$w0bz zFrf=i>ZcJdA-nUOzG{YLCxF+LQ{vCtT$q2^QnRb^6s$)Z29r}BV-X9?PiA{h2_(Eo7>&=tr<>EynDOw0bJrz?N%`BxciSa(WXv0(gHjls!CbW{25W&j0FU%~}6glM+ zR9KGcDw33F@9v%X#&rLPK|Gf(bAw=~FaSfOJ5km%0r$BZzR+7OU*Z(@pi*Eneif~c z!j)rs!pgX{fL#;5ID?eDwGN6g6*PoqW%WJUw^i`=M!ra*$5wH*2gMmZ*GR;_Ifm># zDQ3&WV1+$yH}QZN%4ar#sx99)&M!Fx##r0V2AIG$dTwSqT1=P47;{4SCDHE<4^L$0 zLt}*|nVIN>{!Bw*hxMh>u|g!pn>xuG402QLgi-6xwtkpa!+{5~C6FzBoJVWLs;Wz3 zF_qghJD)vA_Utm3Bd@ea-H~+aQK}ZG3e|YCWa8ALYjg`h8$)O{ZcXG-WzQqHMm0T4 zV!+}%UUJti?;+3eyjX0!j0RlG6N3#-T}jpa>fD<5E7>mc#uv=b@k2pG*sZ*5&h;xt z#{O;yCF9RK0!s6%9H`|M#78Q`hM1gMc}jm~9bFO-8(S;ZXQDYM_C8?L3`XztEN=NB zrSbz-=<|s|$gzkvJmi?H%q9cOeBAZe&lU7Q*h%-ax4bE4yb%{C%7EKd$Gi7zYfsWR zK^BhO@@*x9{*;Ht=*+wI7N|%i^}vquPuxfr9e+To)lmn{6!ttsLnk6P!)!>VU%B2B z^WE4!&Zv~k^Q|M|v1xm#36tG2m)<{+Yya|nks?MMRcn%*TJ8~%=0~}gnfo+X`+qKk zc=;tL9eMI0<$ zo-TDqfbz%(P#0&Zzgz!=Ex)f}6h2m! z*D#$=+mODKD{^K5b zZ&DCHxFu(v&y3E!5zG(wMT}$O`jde7gxG8XFRM<<$(1VuE7|` z5_{Cb@H!otPj`1+W8tl*?zw(zglahQYv#$^p(^~7zWDJzz4vcU`E+7~DR)U@D~Lyw zn;AQ4a}Qh?I&^i;|A2m?EB5&_#PD&{j(5rhJe{8#+_b-CnLW-N+@LbuW4}QmzPL9! zW|#Mmn#w{@Q!Fd>8s7eonU>{JK5Ea|lDzIMzuA^Rjff+Gzja4c(;}GvWJ{Rp`!^UbbuLn*D#1B_7vFhMMrqxZf-wBT4cdXqvbixeHL=S`uuRdx+Z z0x|#Xnxy|`jC+I9ehm+QF%&n_wXU8U|Hn~|?c~-|-9JARp^_^(@v>CtVDzjN4@4rO z>L!Npq~dtIQu@usn6!vwq#t=~gIr{Zqd&osqquul!@6Vdb#0dPAJN97qLh-Xj9{1N zA?@TEU=C`yT(#fD$MP;JZWM%&gkGLmp*SspAJ&gO48xd zj(r(^JeMsecVc;`#3Idxq4|-x?7ehMbG+d?hFqnjuZ3Mc>Vqw;%7%d=Hm^d6z9fDk zcmt_Dly4RY&D2Y6(a}r=pKD|hG zA;)>D7`XiOW@58H-YZ=-dr_r)W(YEC==*Ogds{{f7;AIU$dG5Pu$#c1PzvpZqg0c3 zGf<0Q6J>24Y zcJU3?mGS0I>G7Y9TMqwGb1ZTeb>yyD5AA;{8#aVR&JX|U*b=SN!OB z>%Auq?H{~%Uyya`#ov)5QrBRtvuKF;MH`$G5v$GwG{yI15C}Nte6c<_s7A__I@R~) zr&$fsnA%)7Fn(;bmpt&`i2?scpQZSzCCG{5x|W!H|9w>SFh4u=$9D}it;IGTBhA^4 z|BJY{jH)Vp_eJUM?pz20QqtWajdUYOw}Ny?Ba)KRCEeXAA>G~G-LUS&`0um#IUmj) z_rrB8zo}^7ux_coi#-a$}8nx$L3Nf!?>8$U{Wp874 z&nY!Wl`vxOf^QEjbq+E+%2Yab@rJW!87wfj(w|XW%nT7cUGIcaFcJYQL{@^~Lj%wj z#MWsw5kUp$Ac0J!m+4Kg0VdYyKTIsuZzfg%s2d;uFtMQj&csf`Azhp$@W0OAX1etF z5ys|K(lqpy46`8RjBZ+pp?~;pSZ&$VW`g4qD)Gs6L_S00fZH3-r7^`+Iiz2Bn+u9j zjmZ8ZImOa~DH&E2qdiMTyF%-aZ~#NIa77b+8Qs|t^ND!?t6+p8jOO8OiHC4a@|GX$ znK?JGv#CM!#&tI7VSrH*xg`|ryCv}s-Bf0@;o3HhN|`y~Qo&W3sP5`a*Hcf0SF zGcUt}7$8VOL|wbZ=tZWAoQ4)4O1}3h`*VB)yDr>sZt36?P$V*S+8-${@?(TgeQnWG zC?fZSvOOx?84jdIfUGp*#jTiP1QnkW%HJX2p=p%t2SDPEsRxX5{OX}yPYS`fv#)b2 zrygr^&v0YUBYmCAV80f*#c?tszU*0L_nO5FhT>gYH}V_@Pg#j0js06i3N!uXyO?{( zo-1fn+ev;<*n1U&l^c=6q>02aa_+KM)M0PK7lfxs+ESo>vDAEKnJtz!s%>FP>SXtA z+D#0*uZ43Yli+_YM9n41l)&>y$Db$;xP(k(Q%LWi@Jei?ojTgKtduZCW@M^%s zt7UC_IBnaaNx}e0+_fGF0-a5ZGb}cdKM*1c*+-KxBc1SrXxifZ{U4AvnEbhM01zBa zV}Qb?22#EGNiN0_LF@!E@`ap^euM|b1T-qro|}spyYdzf9^K}Mf4fK!)9+!RQ#L>O zAsP|b^(ZJY?g%J#vWdU99P*Ec1UMT|AYaJgTi2KlJB@m{4gk6byGz+Mb4<(vJ=7{U zUgH;qUN9}Ld?y1NBTeHh>E`ueywpddXx00*6aEOs%F}8IxlyE^A0+bb4g)O#;FpK! zPbqnhfzfzb|3cLrlZ3Y=*VQ7g!i<{5CfzixJotz2UDK_x@Zoo;VfWilZMDaD2G?7b z($J=;u$+&ib?D{Izog|Cq5w$eqK3ddZ=R&?HX}?C8WGhBAEHAhMC_-RI9)V}pH{`s zE%$!qKV*jo;xk2XC24;yvN$B4udJ#B|8Vvq6vy+k`K9`o(--P@7?dJQ_R4l;(xj8> zo=lIs%aKuOgLAyAru$cS|Dk}TC4bkQr&+)2PBAvGajG=zfWThDpT_8Wc4dO)WhwS` z{m>nZO~p@%3SM!Ma%XZsI%bn-($PTddE1gd&W{4<*?YfVwaUT7d6yQiy^4TxO0p38 zHGj9>U8lZ_}fR$SJa9D zx|LW&Ae1P7b}U8oay@Gs0f^pI;$8!knR23pBthHBLZ4g#b`hiH7c0ZFKEV(wwtJ8h z;E1bAee=lWFKQ!mxD7Bf^^(}A-#&?L8zt2S;k?dRoq;se9jBQh zP_Wg^wEd|b4AcHpq6eiSny-@e>kK7fu!*u$8Z1;1GY1#mse#`xjw~m`S<*i4+{dL& zq87CX8N25jTgyfSmemjv|LuBwvVQkeuakkCbzCIWaNE=D-7p~NnK5Tr98eVO1&v%(n&iNzeaxL=)&ToBCFS?u}x-OU$TKNoiCU0xMz zoQwCP9}QP&=V-@{#$L<~|JMC6O8EgO>}q_H;EvV2JG$kEm=SRS!I6^Ui=-c&S88)+fKTGEFm`;p)h-?S79##gZ18#pL5%Wz{Ko1fIC7izC>h`An z>_|r7H8TQ3M*ECe_Ec)}`+r&h<_JLSt)#B`{}y08qCLlFK}PwvmA*pYery7+x*-FXS@AX7s|V(t4(RF^ z&;9Il+Pob3bWz{W|BbJ3Pap*DYO-G z68H_KJkKj%P)k{@vo; zoye#=t>5yZbFR5MnFHuGFgtwa|Ca898cBc=V;LeGKNu(wHx`J?uT=2MDJJlz!<IAJ427XW|Fjaib2`7j)la}bd%1qvAZRDXKPUD5FD%q%17*9cSSOG= z&reMXtdMM&*`=2Nm7GjPXz0lc7Gl&;XO?Id#{eeQ!E>am;cqc z+Sy!^?Pa*(b`b|icdqV<(ZZgaN4kE|=saoUfTE%cE~7y7Tb2Vtgl<#XoUZS&$F|uc zxz;uZU0%L1&s#(>Pfgv?td4ttiZ&At1$g7&msADc@=!i{b$Sba2g8}>Zf6FIn~zk+ zmq}bVp_ue1v!<5eE>TSY7`HZfT9*RjzDq&o=wZcOJ54fU^}=CgacGXC@0{Y6EKI_B zp;Gz2N)whsXUOFqZiMVNRv`e41h13*`^nq%BP3I_Kj#48fRk@Kyhp6O`4%azpZz1*RRO|Hxt(b>|;-md%lXB7Nweb;5WC9)+DuATa! zf*EDJH%$77b=UICkC%&dhO@PEX12(vAEcldTBd(;x}o&0f~(A`#DA$!VG@B5FK#~i zZtkH8uV1yG)Re;HqD}}RgVq+D&ru@lLp6eke(X2SZBvD1<(I^nfcq53O6BNRl8uZU^E zV3YzPi5?Jn6LIb9AyJ(+=nv<~6m<8>H&?(%F0tw^I{B`Ui-Y)$IxKHyRiSxXwwT%TYVI1& z5~F~XPm%f4zX#&9B$DbwOf{bu1jaA|$0tmSGyI4kQrW*}4ITTl0Pr6|4eUvBfN?hc z3mNLuud!z-Z6nA3Y~WP9y|Foj{GilwIVtR_gWg`a;tx2|5ZotEa8aAK3ex%^;4McC zBJgC}#s9#dpz_nAT7Cb)_ZUSci3TQyWChHNJJSkVSMkc;=0_M=ccE}e{+KPDQVkkQ zZs7~-oo&igyfp{R-mKN_5I~n?0e=wjBM3p|F%*N%j>P`J=PCq&?!RMjG5f5LKZHsH+C_`pfc4v8%W z>n>-tD{F`=+c7}~9pqj;mi44y5k7TDS0t#lQ$uxe;hAzt><^%jY9zh)?<1b>`a0W6 zE|a7rj-Z75EQMFcoZSrd{(y;G2;zXm=O_S?7JfY z;TTpa2xO@EiplMx$I~lacEk>jyUxk8W$4?^j&yFbk$g|G0lWCZA7#`Hh9t$t2C+|p!PU1#~vP_R<`eaJ6l!+?O zaxz_vtD)HwHfZeoh$j6-o0&6JFbS7U&hndb_HG_me~coLy8oW!$=+>Mm+kvMLwvDKDU?O@73 zn>}D;ll-e?I^_C+KSWar7?A%UACbZ&e-G(31Sjd-?1taL1lHbeFT#hk2(g$OW6x^y z0@z9y19Y7Tg6Bg?1K=1$LtGaD=?yw$;#U_QY30wpcdZDJR7k-}6lpdFQOX+1kzO0x z>+WnY$hUGGuV4BC#?hS~mVLzo9Cwgv^hN&9Tq&`SS1BNiCnJz z@gk%~K(}(*1)+#sQ*Ycm7cKIV6+F0P_{j!}gpL9-Yb1T@E!qV@=n{Q*CFwOY?eKX< z>6YL#HdHXaUjU+dX`y~jHy{ndI87kmmGdu3M}KGR_?tw0j`#pTYrwD&e-$*2yd6DD z68M+dkfsR#s~C0g=LNl0Q8WJ+w((8*uRp5ST|PFFpx{jpzHQsnHU3JQ|FYbC?7=cg zj)8@7;jl?jk&t=ZZ6YFK)R4}Sbo@I!D%!D@*(EYx;fxpn49OPPxG0-#v798!B zl#|FX+Ru7hcD$JO(1vS04v~{;h3k+&jo4FlUe9drGKJO38YXk<(8|e$ z0T^yggg|kA($A#)v=l@BtXhwcxPF&?>6bybmTc-!KC{`tAxuaci7!r33h%}a8i>ox z_*alPJy&1#=VgFRJn#7ZbFjegkBs8K>I+tm17P22#p+p8l!~^U!kLy^%7u)rO8dM# zbED1tc$J)WbP=i|aY#uP*Wywnfcy7cxp&|JUDj_rDcVkC(_rK}3tw=cgH>ixNt8_s z%IMi={`=!w2SjR6A_l;bA$2`ohr>PNx6g&GCd|SU*V5r>n9{Rx+wWDDs_2%UUc&`CSe-rS47)LQq3$ky(Tf zX+}F8eI96l9z94rNRc=oFQ`6yEW&&xfb3KWaUqXiAa_iY$a8GBsK)M&9L)i(c2>{RI8jCu`^ zs{o0w2q{5fGSVKzOt{{i_}G|2_bz%hIucq&bcF$P!brM-Rdt}7kxU4Jr78{H&Ie`~ z%O8p;Oiml0Dxbm*bHdAuvG{jJ4ZR;{f5%J!hXYpBZ#`^Cot?$&f18XCGQemmnPWgX zj(C3@dP7byiGT4WiPkTw!G*J^`N}CR;=DF*6O%VOqZiU95B`DPBkDkE+LKxHKKt=C_9hUwrzoe8(j*zRBv*g?tvLSM0X}0sezNYpy8$2itkM3k zR={+P?D(BXa@y&NY3h)hig`%K6%gn>AKslo=gMO5Y8@!o_vHj2;v>OtoUh$!#gm6a#s z5StVk-qIu!F+d$yzxlgNp63aM&p%Gt5@^k3O+WlGJv=MHxTyf?s{j0YH|AcXoQ!G4 z>RQNa&FE>a*@_gH5k-MZoF$j_ujwRd?ngW*Wc=Kqse)*&cRO%BQWPIjNowvK8qY4w zplQ{eRSe6p2q&6Sa3G2txqBbxnpZd-{$neBeun@1Q_cjBD9k9vaf&WPyD-qdO8nVe zI8~(8>;#WO0C8)#+~R4z*ubG)ti4&UUTdqzsMo-rEqEELK1C8XUiisfD0CaZQ*H^8 z`A_gE)b+95!fnIl%iFIw&7lA7b-?uIeeUD|2FSCo3KGzm#t&@$S0Uvf{%6DeLOns5 z7(D>^vmqj9|M0P*6Q`xG~FSy zUvqeBF~j#RwKgL9@q5+0&g%a_si z5eq_Fy+3Zfo)}EwgDDF^k`-$M)-SY}|01dOCB@)jPRedeftUmdqZ+oAXRBH3_n-?PzV{~Iu> z(H_kXfEkiG`YtGlTGm(B8Pjzyg77sQy1+%G;=J?WoY7pBh0*1wzd=!U^MGkGy}caM z=o0s<I3y$pf|`ZYbMd%hTZ$QrGH}pIO$FpUP`-ZMElK?fZ5S-NDmoVqY!Q)}|DQegoK` z6+vH3@{a($WblCx{wZovlqEi7gLcW<~yJ;^qD ziujX`Wv1rvi(d5tL-EH{{YqkYse#VZ0OF`Z=a)D@l^1YiX+FChfQ)bd=sjnAo$7gG zxM5ZIG{@jMm#p6i-{Y+nVJuW6l2P-O{}GM>A1$RTs-D5&;}Lzbb`7a(X-OEC;$qmr z=HT?uSR43Qy%q53dz=oUFBNF$s-tspS{%%OT(xQorlZNka@hpU`kNWJ-SFARyPZH-y*dW z;-yrpUcjqG!H(I(AhtVquprK%vwYi=Lg`$<<>2y_1$C@!s|)-a!Ev_aeAhWTVl{Z& zU-8|a(iG1Qk8c?P-AULmlLgGh4Z{Iz*4#*7@tOsj^8>B^2km7yrczES|zx;e34U^#@<TG8kFw>? zVe0Ln$C2#tcktg#lbNHp{GcgL*TwZdiVv@r8uNo@kK$WTFVsG5TlG52K#qISG-wrG zEtZ)sN}{-K$p9|!IUPH2ok5w^jz+I~F2<0J&;}-YKRhN;IJg0mSUc>5g<+(C38~t` zX94xs>O_Ga-AEH&1x~+>x9#q$ZzD>rw(?bW<4CCclh1($9{2M%ugYvF%XXy<_nCzO z2??jQfXfbx*TW_kqh1S9n#Uav5HHgFbp{Z|QONz%(AnD}qVDU2`?!26Q28B%NZW}` zITOd`_Ud4!96IMs>=`>DpEIM|<=&=^pxqMx0#LowIPbLQd%t@dblq&TpZv(^ zYC$UOjgNx*B=H_kFgl3+AqMO)yy|>-DHfIW#$h<@8<%JcaY4phgs080edG)jj z&aNW|eOT-AxV|V)altkJM)Bj`d79|be!<+)_43v6>c~Yazvr7}m7zoau=hFDpkP#m zaPci&!VFkZ!j*~s6iqdEgf526sXa=7?4Bq49@KQIDDe;W2mQT(wPTr`zQ8D0do6Y(l#4opCULosTzpNMu^6ED6?<~ ztqSOPb{M8)*rXN&)fS0Lvp)E?V`?Ah{VFS!QbX94sZnhL+Dfd@;@v~98w*M|!BZ4~ zujE2~&JyI7e2$}24vY~SNYH6JdRI@w{x61(Ls8%KIdn5}K*0N{NwF>)h)&LMzdq7z z^%7VDk_*EGzu@-(VU9qAVoT(mT5OGg;2<`eN^F_IOc_Uk>!$D$il-Uhh^xOIpi-tH z=~q8jI+LB*i;Vr-{QqtfI{p9@fn{;+Ueo|Y)B+na3rK?~QsHI42yLEX^JKW+S&IiI?wdFKp_!h4a@!}4?H<{_m`W}~Hxr+-F)1nrOCrmr|0fu>F1P0Ey z?;D|u2ewk%iZA6Qu(TQmwIX1og{A(13*8Dp_5UY>PkD)^4@h~jEGEJ_!$Kt&B=Nkv zK-Bi$8b~xB|Jfq7-Jj&=;C5+iw;XFG6!y7zKfwC?TU_W6lu_wilJLP(Kq#RL6@q%& z!9=oT{hxD17%JpH$Q;CPWX=z*@?*E+pPl306X#y&Ex6%mb~@-#%xt2$Xv7(+c~~9f$TqJ8UgK=2dRKSDXQ< zO^|$r5~q7C7=e^Ye4*uv? zSC;-!^5x2n?clG~KuY1&{VW8r`lxLR)$i+CKqO8AB8P2YGEyw{^Gf`Oi&kL$mMi$l@^wGAt_SIza;bvEeg6aDP=$bVIG!+NxWI@@@a*L*55zkcj?YIWdo_2HXq)~h%C ziKn@Xb5;iDAiWayOA#DP@5Do|?ib~UV?s~+GW4%D*G_?6UC~{q?C44(s`#Ub&LbK4 zy}*<{*FX${cCp{-m0~48Aqw071+g=Wy(^GW zf1b!x2>wfttWf5TUDfPDUk^*bZ0EKF6=e5!+?yF9sBC9Jrq@`JiSTl>&fFW{z z-yDh5i-#h7B+KSi*`6_?bqkOl@&eI2;hi(KybQ76WdDG z_VS(ls^8VuT6-5l<9G-JDzZ3j;hT>a!0Hp<0aR^~e_-W2nvrWgWUALi2J(c5tl%Pm zRacXHYY}ceCm^NKF6D*5Lx-EM#;Ed?;}gU&)$w~m%sf!DJlYlyc}GBLeSqC!FGelf zdVSac@+ny$!B~BFh(8B@$*y_Cst&Y?2q}LcX?)(0o4mvWQNQif%ywk%+hI=Tlg~Cp z>1T3>PrZi~f3wj)%{;R#KcmeSIXl@m6!}{M(hx-b7*i89pvCAQAMW?>G`>Usg?51e z328uQg9UIw_HXIocPzG<-won2uU|9>q;@_gPrjj$eM%P2m0PlDT~C~yc|7By8>!%= zmve*Iz9#LtGqrP#X3)4f@xs|HK#qu6+FQ&2KsNkY_p;yRjE~?~0QHX(#dcbLU=0WZ zE!Vqi*<}}hsC)zWaoOH)9F+!*<5te=3*nu;?w%au`#@fP*IgVnzf3_PcmaJjbh|Ux zUFaehRpO`_30H7$5A4*E5V+oId(lNYw3uGBJFQ2Ma`WLe6QKHFBAmgJ^49c21-tgV zt({8Rj;eGE?CDtYymz=9{N!5V$@3@%WHC9m2~k>@4T&{L`k%Ha3yJV!gAkp!7G|Sf z>fqTmRw3h;S1FO}ayt{f4_y3;<(VWxP}01L3iNb~Qksa{$7<4m)qf|A5B7l->&BH% zsR+*=%x_b=K@Z3-ptAKK0!^pS7{0Y&)j55O%Q9N8ZNnGvq1N$fqVa8MtTGub#ho0m znGh>v@Ra7Mfxf8{u-~FP8DT3qO_i(~GNe4y48NTDy zX$fzmGk7~{jiF=*J7!eSZ=gb&@ek^}7``}W9L?3zI?BzHUD|9*SAjFK#3EGbK(4NO z>K!A$H#vI|y{)vMsR~|$Rk8yU_kLRxk}P|JU}If)EjePq2ZY1L#ZNau_oLYbtwk(v zaM{kyo@-75ajp8*zmB!Pc0)%s8u7Faqbod-e&_Yxx#c%Z`BS(*&fzr_Qqm8eeAVK& z?&1!+wP&-n9wRtzj)@YUpSkg&JpO#@c4=@&d0b7{MH3ATW{C7xyjHby^k#%SxHE-sU@{>PnMoEKXUVGBUq^sYJba|4!1~aPuQzx#HYl zgh}Sh2!St<*36N4deCiA!y;Pe9f>CGYgHVBEoC<`o@5cl% z#K<$xn0Vpd#MhQ4I!b1_oiB@BBb3B8Dx?2vRBBWhrln5h0?O&mAjP>1PKJnej)or? zE$ni6S*aD&5T~;~Xsq^5|8j8t zC4ytFg`AVxDv;^){ru4bXxZjoiw`BwI_P{c&C^xBPG%goH4s1{nM+_@F1&-7w5v^S z-N&__yW3vNxv^-c(rrrEVy%{_+*c}9ke?p(dOR%WcDiHN25)aAgxQ&OM8ng^97(8p z>L3yd?0bK(Kbv?76l>(o?ukt^7Hl&=<#kR+zY%Ia3?r!)>SER|d?eLoZ(Iu3igWsO zFz2VSL=rG`c#M)TeQ{I2&h7dH3f-o+on0P^;Zx=}b1<2dvMIC1{f^|kg^P?loXqpZ zSInS?Lqk81PlqES01;6r_w6vbBu3)c2Jx{WA^@Bjb~Zk)>}`F`{BF!s*R@nqbD0?4 z-0977sNF=w^mtA4A zu(pL(+Tf9a*3;v~IbYGQt!W(BmeR7FLn7eL68x5{D@v}B*xc(AOzm(Ifk4UW#jX6; zn|_#eP0GzazdqUTrOnJ4M@JZ@(|;LM+q#fkDtz5Ux$*PkcH8WX(5l8UZ}1GYK20vy zIVWd$&d5otZ5x(+80)LsH_(c2dV@YjeC{^(tyjE5f}^6U`VOgToirNYA{@+8W*OLO zA6bYna%PjRK)Z6oWO!EGb`++BMm8$?6ayMn>FQit#r4tC87~H^0prdxKt~4%f&uzy z_3AN6&t-KXjcEu+Yi&&vxWJ_pCeuefY*wgEgdX5SBW%m$Xr&^Xc3^S@WV)(eqRtt2D>{i%U3p@-U2>evv$O;bn5cQ%z`|4FupC;%&1S!Eg2ye(ku988UlOY|-t#R5fZere>Fx9&!tB=OZDM?d$MFx)a3AkDZEVK# zY2%7@*Q@t8+ZD48Q)(rb6*>_vODsaLX%*hhAVWL!*woeudgVbQ6}r1$w4Z3ex$0-L zDet*!P@YGg|14ViVCce!FV(;f-?=N-x-B39`0~w4HGpw z9UL7EmG>MS9odSYU`SxXyo44J-YdV_T4-5tua8IG(OSN43A#SebWch6Fx5H@MmOA# zujYB%lP*S_Dmyw&r#4p%mR_g_6Fj;iy*@(5N=ZC}b)gw z1R7bwgCW~gvu@8jP!;R2N%)!iCTsQp277r->rYRio2;c{(%G^fXx6@2V#=P1x6IQ9 zFhpIUfobcR5fM_^QV`Ina$i6yOL?rCekUE;0 zpp3-yLviugjcWutU3`ia;S@{>m2~2hO;Wq~MuNzBk^0LBmX%AwHY)VURyM zA*^+agS@h#*ICt;$~!$)k>!)3852C>%)*@hl60qOtx3r#`T*rK;8M-3Z>E}8Byey+ z>5|kfc-ELDqx zwI>VP=xaMZmCZ9z%s{)Gk)I5rOBV`5zfy%a$Y0x7#pWX6alpGKYoMt134FzOO}!_@ zF1z$&6SRK>-NWKEq=IrV4x0sct=3S~;(^-TR~fH~CQh903*i$k5VR8Yg;EG|rI z1^WnKhJJEKw09IBuM!`9IScBi2C@0m3?Ej`RX!Pbd%QO$we&!+39S;@?2KK#>r)%^ zb{d={P<6xDBPsQxrBoz{6yEyw3vt=Y!+0I(>cU$ws)rH1fUFp)AOQpG(o^=T8@H7K z#RJ3ZSCUqeH&O(mSu1mCc`_v4TuEW;TW_4@U(2+J(ilILAGp5CIwZPyXPPum=$Fmh zXx1=Q%9#f5kopeA^BG_7FCMTwnkMzB+8$g<%p1Eu9v*yZ-)YF)|Kex{UsEcQE2pw| zlAUU>#!BXEfM?Ef1#38fFJV0N{(w95oJI($$~{1Tp{Cd%G)awt#+!or8pj9DXl_h_ z#@>2ZlG;6rcl@!@fiLcnVY3^LgGgnYKe#d!^Cp%$a_$(1Y9!s`G6!!&IMsu|n}8hu zL_DP^$KTYCULG##ZCY1a%XJ04TUu4qx?nRT>PIge21#*cbI;PbiDPhwE1v9JAvBS0 z1-fy_Ia_Ka2zR%m#Cd5Aavcx2MZjo^`I*86c+WLJg79lEc_Fam3r^Acd8)>iHrl zYBu^%nw9;@f-#;zFhTDmKs_mMa5`sJp=Vm(bI|YV+%1U>i7Nfj{AVb4;h_4s;v%i>49Xx)2qp-kmQEk1vbyRcpCz}I`AcF9H3 zfE>m6Op~GLy6bHL6Ry4?H08CX!CTHEC?nBZ#00hXcn6?eA99urybG}taP5YMWcqkuQWnMQC#og^#NI~Wx~ zsQgC-N+{I+ZEg-w;)wo_ST_r`_VJf&;m|{v1%;@&z`9Hk!n**Lh^p z%na3x%{1-f)FbIg1Glk-L@N8*TpLX?G$j^6Ero;T>hem09|KJ0$d@SX8Tc{9yZ1=S zG|fJlT%Jp}wpEz2dd%HpsP4Ayd=QI!LtmN}pE?wMk&`O#=eqk4UB7V9vmSJ8#seX) zBc)=g*Fud>VK^&6_qp*ioYAU{fYD@eQuO!bjt=F*T`&RZK-OqIvor zcEMEdR60oR%cc<#$qR`hqt``{j_lK|554Ka(8~BW#f5TyvdE7%2qPXj?CQ065coZX zLfx;_q1E6ZMTUJjET=3I(Ft;jdV1kF*hb167x9X8Yt?K8#977FurEAcTAiDPNzDr- zWq1_hIerrnpBGod4c)qCg>XuG35_vPV!3%XQ!V4hY~?P;S1RM^W(ENA3OL)igx~%XBERUPo8kYBaF&(iG^XBf)8<`_4@cX%J6?>q;=q(`zaV2YzNF z#jr!6zCx-oq=1CP6fb5!8o34PnvpfXA$ASch(NT>|S~g-+(z!ir{fm zdgQ&cIrBx$pce`i+;}2H;^vN^8p3+Dr1|Za9vX51lVOH3Ec?hYd^1|+Vz)Dvy%=YB zj44w`ODFAUxedcWY6s+g+9b-KDczug;<*;KQN#U}0P=Zab|C~~Vo;wTO9^{;%iL{% z>4{K7m6bGRg%69|RD+z-w0Xy0V#=$W}A>4@eONjZ_lwQAuaM85TNyBa)p zEa|>GcKF(-^l)SAR_y33zYzH~pc52+Y1jU2Q(9_c^488k0we=$@wke}YOC-iw+fvG@ z02S8w7L)NeATEo;y`OHPO1Nw-pban0OGmYjXBr5w-k~|*%ls4XL4( z74)YFt}wLVgQd-^{*M|&wj>2%6kn0p<^&X|nm}hB2NSSc472srd)z`Gc58z{9H|YIeo`fwAX5*=a#0>fgs8w z_ho{znHYT`HQHcrRbQ6}P4t=CFUriFY>G424u$P~qzcGp(Fvmx-@z~rVlHj=-!#_# zKTYGvKq|w7YeeJW_(0L(ScX>m5#e^_oLLHD_SZi=dY9^OD%6?#oe|$cF~3DCDaX0z zfT~*OUaKeXICi1D=s*^4dC243%FpSe*jIAPlBZghNEa!bzlpc4vH~l|eN;88dY$M@ zw{P4BNhJNFebUXO!WRzfotKsqS)r;@RdR8P^1+F4NSrULFP!Ie4xTxI69lAeECZ?e zp|Y}&(hpa6$;k@aTaw5lJ(XPK5n%}BrE>Yx%@gC?ZV_C%_sfH_c$42&V%mKIfAINI z>+w8}?nL;=aPC%cO~ZKDLSJ$C=-2w}SNbx%^+6%@JvG>@zT#Aa6H= z1;xcdrf#DBR)-o2;pTtd>iNL!#T!9SS5qd@Wa?lY^nc~s;WObM zAG2?El8pbwvsle>ah;05POyu`auM=6dVY=l-v&tmbcn)4p+4oyv|$1UL`c=@B@g|= z(6GVg;pVh9JG0x`-Llh?ppTZdWyMP$DM?-up zd+r><4!qRm6H0Y| zN2Ox}A9>W-sL%g$`@)5dk$$GKRfauji^0_!3S0FBb^4l2O~!$p)~dM;sZ74p?Jy5& zYhRCHZ8qsyxHZV3Cu>U7f6>h^)BT=GBdFieRwX(ydQbvscKsmgu=g9QarCbd81|cC zLDT{~O6)48wT`TluIL_F&YHQOvNb8dl=LI@*}nI!@P@W=fzo-$j0OQe_W|SGJMOYt zj#6DZRrnnT`4$@&iWN^(drRmMTeIcHwz#<_717un)^w4$g6*pSu@kp#KPJzh%8lK@ z5Ad6L?*5zRP()2j%~C(~#Ry$;`lF%Ql|`iao|)&6RNc@SF?LkETgG z!MokLo+mdic`u1FvyDY@RK+DG>piUo61drT;;XYG(qqRew8SuCV-2%A4X@G&v6az| z@K6|DUuKT?ERlAmZG**O_mNx{w#uW0vU`L-%6zWz6;2Tc_B6y;0VTX)At883%nR`6 zpOC1a5iU$%eTw<&!6qn*>Zl2eX#|zf*{P*kup+F$LE>x{^|S7QY^H(PW#bD6C6C6* z8+>}*)A{&?Z#E`q2fF4tV340VYI=CHE%ByzV)PN`Q zr|_KfOdECf_;fl-Z<|D<^{rNFiB&%G{&<<4gQNfSLi)S7uS}`1UxCXPUR25YiMJ+L z@*!4~GWz}Rkp@!gS@we*f=(S)c{XmE8AH=HLdf*wcI;kPK^|yG*AEHoF-p#$D)w3u zM!pCGhsDT&13nt|wxl|C?#C6*E>}PVGYMvQHMHnC_7qC~iaakxqH|98viQ>jDX0)v z(X0P6&BgId9XI=3*6Xa`48653*3v%qlu|`^@)esO^1a%{bZ?eqvazV#V#Uj{ZbC$Q zM^&2P{Bv(n;nf%!OjDCSlkgO6P?E^02)v zG#7QRt-c5wn)GSDJWY*krl4i}pB4ZFZ%)AFB#1`3-S~6TA~@3LJezfF+c(2EFgRHH zTk+Dj;{B&hV-}9hIrw6}%kJ~|QWl2^irD{$u(OJat6R4%6otEca1Fs-i{S1WT#~{< zaDo>Q+}$m>ySqz*J3#^j_uzUfJNrLppVRJb_q|@KwYBD&bM(=_xw)8DX|=RPnENQlT*xjW08E6(n)%C!5YD3*BZq`$Mx2Dwwvnr!ZiIH@toW|dCa_! zxCZm0ar4=H0kr&%Pqsy@MSoYiH8xakqIU+9lMJk@hAnx0|GC!rtzolYKLpn7&Io~| zUx9!m+i=gnQeKN5w}($4Cb}(JIaxbCRZ%;-l_2Et$|<}L>F1++lC$YfNz(R1FkE0g z;65v(?GW>|O7`?pB>Ul;9z3iA%Yyt-o0^T&k`KIP2TFzQdHmAQ+7F>xWRK4$EkziL63!EEko4!mZ7 zu3TsWF|1t$Je0=Q%lfXvxlA#1XdW{_PrBy1`mGzGta47(U5N0bR=w;^w5{S;D_sm# zons-9mjw(qlQeA`@I~)XFVd4o%TJr@BO|T1s@7cu`8u^1oEu6L4yXt{p`N}zaKl))isw%rWl`#e){6x;K8p`l5y?i>?aP9KK{)8UH%zQj_K+q$TwFM9JIz&SFWO$NMGRD4AG7KKkKwhck>Xz^mrm!2+Q@wY3 zIX|m@`~KW(`-(P6q$|%n{=~jVm6r7}jCv`oyDXm2SuYu@zIu;cdR0;%@B4AOxlVxL z@W(hqWr?3Idp7(>E+)^udl%xYYf8#IJzqCu;#`mtN!mz{q%|H271tqtp`kYnwLV<0 zCxH9v!)cVo%4t+(1m7nQ+h43RrE+qe7`|rwzI@IDCs2mQ|2c&H*P<^c-Mx5MY8p@P;+LP*xp4KTMv3`@ftU_8 zIg4-BY4mKcQp>cCj}c$Zd$kFuuHkFJW6K|pJ$JomC%hy zK24+Egh{sF)=83ebO%aUS@_xIvq|SqU76t#1YSBd<;YvOJaJBEI2P<9EN;TnG%yni z@>X(;$SU3NshiE`VrFM~y|#%S7|PM~J$ZSKX0hDwf1oItY%Q_bW2T#;CweJ{x=hjf zD+g=_*5VWQa!^?bnr@5jtt#m+<+5g#Dnl>)$>YsZN}{<0tly~&A-7X;y|xTjuhh^2 zuq}&DKo8AhD1cl!%?W{LSZ7-6B6q)iYJ)`OOpdyQi{XA8q7A?{GeZCKhS}sgPJALz zH>OZxR>voT$SLLaa3Qo#g4Ca>K$kha_rrXo$P?xk8>?zGf|XZO92mn z#yH;@`+T;yf;9dj?%QF?9Rikwu*ep*&dR7Cl)D#8e$yUXeIxyVX);n8nPZLAQ#>8a z>@y6^L>Rc@w$UUkBV-5*EQ^fWfrEwg6fXtZc#|!4h*Rq;z0il{iH$$?zyLV`WRB@O z(k7BQ78^dwPt~2*9zZFC+>J_qMZZ)}k)v}TV zGt)G7sLy9n!h&B|pCeGL=IXSFJkqlt@*`kyNe-Lc@`~HS1~tE*wXZr6*z4gkyUF$i z)C)__hyti5&u{_g`*#JJ4+=WAsU+CC?bb9O*S$jwUn=}sQuVBxDaV=qwW)y^3jzk8 z?b~a1HH2FRD?xKtn>f&&I!%)3%4-06D-1%|99HY)9G`v(I`>}P^(A9x#p#{;QTFnL zvG@EImzfwK*;riwsKt}u#U87}OS_y*qp~4ll1yu=w2X$a8`M+Z968G26?7uCQTkdj zphp0V%$YLE5K^ph+tH+0L^b+amlNT*ldZK0QxRq4clJ!wBcI)ZTsK1DadlghJ_=>2 zg}e1oyc_(>aiH+ar%^g7g;19PpYZ;+%5-sj3;!i$yU<52{ShVK(_B=+8{#Bd!mdg2 zh2K)$y$?N}DJNe{^6k~!W!O>#cII}cA<{WNjTtBx4WGy?1p#(9veCG2rt3s5(okB+ z{jwHd6y8}00f=3B5do_SLye9=!B?>5nJ`u1-8DuRCNlK6OqAjsWoQ8Xas=lq9*3O- z7?N?L=CB@f_qmZ&iFZF$BYsb#Hkuy3Vln7cwllCC2siHZi2O3Pur+x65OanDB82XT{wP2*XoeV82sWWGcAHVcRgtm|R_17YQx^vrdl@pr|(rp2^_FPbC zQaK#&h$L=KYl^c!UVoB)ph+KQh&98p$TG4LRH%>t9Q^s~Oo4JUF6CS!>HEnUF^>;)v%@ojs{4${*dbD z60<1Vf+;(hGgV7FU3=h+QmK_$P@$H&wvF3q&0x#L9pJhAf$Al497M5}9rN|G z)pqt>u+i@E(SXe-m#sFNZ{HLrYxQXGUgsHqHuq{baA_)JxAHbvap>rR*P#Qw0d{uldOJf+>28HJnOQ^G$C7a%oFJf!_yp zXy%hVjyvO=Bv#_ficZbkH~@noAZvzJ$sF-J7M-wNA(V!i1dpkO_b1r}k);+LjV2K0 zQM$13no9(AT(D}BtDSjrT4zzB4PQfcmvpp*mvAu-1OzujeUZQ#);Zav9~h3QNRCsI z689-7Zc`Ita*&b?iz}yBzfRa67})o1M0?BA)EUGGC;e@VKvqzbsh;&-JK_S(q_ed2 z{!fC1<$`m55l!-gPfD3VD*!7|{eAioJ5!7X^-jfv1z-{++6308fIq$j3w5d zTO5DstYCM;W-RgZ?*5IfZMohRtQt9SFA_IpD{Y=*?T9%#sm<$@6bm&W?t$;eEr^_! zzxfe#p7?PAN8oJOOa1K~*~%!gxwk}#9@J5vfT>v@@*5EEkgeCXU056QD<#Nj>mGs)x(u*Bd*cz0%FJQ zMYCPq?OieUUR*8fU&wiC#im)wm`UlZ{kC=GE5cnf-5YeIgDnRZX766NUp83Hp`m^_ zS2yJ}98aFy9s9{(yAYEnuto$orausm%Q-J|rbd+Wux`g;S-uk|=z<&c0#i;1Sj~W3 zU8D!b9n-jEIFYCL;Jb_9G3HZs`M$uZ@~AN!{4&Y0m|iy|dAcVch(c-5A8t@UPskcI zd)Ih6@Yw9=hzSl3<#=OpXa}rl2|7bOrJaeZHc~WUJW8sUm@mC(^Qym!{R?&u`WVmfB#nF)^G?X^s+^&1d#ZsqII6m8-nOEr_1w%ZHlNM9 zYOd4q5nqOZKfpO2%!iRbw&*A=1%~DGnn+kbWD&6bob`Dw{6Z8WN-GAC7*y=LTDfu9 zzx}BDj_FXB)^|JMxa3x(XgD{!wyx-8uYXmA?AgD-C5Ou8YogDGB2BC0&OUK18M#o$ zqILX2`w6jIM0P_=PMjlp5B4eNa6csO5PbAjLk?;1Q{^siprJ2(ynoC2G4t+&1|s*Z zk`U}mDnn|u?(- z3vO&Gxbqr~yAEwX7dlpK3^ZClQ8r8Vrxm<~NF zU`5+_DR1#?!}jXAwOcOmZ$%(U1F^AtDz}(647vs#(1z4ats#L^@SsKV5j^E1qq`lT&ViF%TT;joIz-dpQy3iCI z0R7%j9Ll_nAB)`_{etRYIAcz&sPwW8s>QSAah@hTmWimKi;@)$N*>`zBn%ywRgv4y zx6yj_5%L+Lr;y%Yu+Q+f@82h@hSrPUm6dW7Dqji6@@)){IE92qns>&eIP`h&XsohL z!S=~?-vo#ie$xwEGhC_5_yV?K0AR<){-H_M+GYOZ$M1^Bho)m0x>%q$oH$wh>t#)x zcJTTs98Px(J?*nD1=sX{CZ5p4!B8<>@M-j*Q{5b8%rty#Kc#9H{1|9yhsbY4@%?_t z`vtU`D^f# zOFKn%_?_Hy9QLm%)ZNsG=-KmSui%@x94T=$)j94*10G{LMV?GH<_d4MsBp#- zp(4R-_EZcK0TI~tyZ(}pkM3~U)PCjkpbCGGf$*n#8k0EPE5Uo=Pq%buNr!_y0@=>g z576)RJSeODkEk+ z5aDTXDBq!#LaEr}mNwH(S|rCsZVo#v47Sh+Hp&y`v@^yXPnDNVm6CL_m~pbJ)={jK zF=rIu?T3K#P0;lKU}k2%1cX1f<*4 z-Yeai{qh}AXv;6p4n%$`%r+UaGC1^U zAnulV9PpWms#_m{LOPj~s7-|`(TT6w1@_im8X=$nADuWP?ma@Wg9;R|tUQung&*3s zr#`gP6us?_9=1$0SdK9DGKwwpA4kqV*-!ox64AY<3Xmkic^ut)GtO}(#i_vgHcsAP z2E$t?eX2Yy$7>HI^mRhF6BIV5+ST?5nAD83;sh7Hqf$nfyoXQX3I92>7MvrGNY4*d z7>R4ofV;n^XY}GaXX~uk+1`9-Y+H&R!d#zlgb8Vk%AalZl6eK{t_^2wuH?G7tfFxk zYFk$Z+P6b`S3Kl#QfoVL=9DW6U(5jtp1f6W6T^PZvP$7jg60@BE5zlDX3RdPAOy={ z+bp8lbjOw7r_ty1oRX@7iB&GjYK6T0tX)CQwtx-x*H-q*&*+a?x>Ct@tXS6)Eh2Oe z-qL_OoZnNpY_PvS7E?62f9&Rp-IpsajIrw|g=go-4vBfn1cj=<08YC~U!}vKi{YoF zQ~3p9h#&+o(^?$wv;+|GSn<9_Oyt?ji3q!gtgl=pJa~^}$bp|cap`tdGFk$$arxN` zz|f}J`!+A4c+ zCY}1vcXVAdm>Z1djPq*kt_PJr@e83DPYC}>VCn3Tnki%AzxfWzArK%XeE^Z;8LSZZ zI>|VgczjGePwVrG-T2^{FToJt2Cj8g&W283GHghkiQ_2D>M``&8&MOhxSSGI6~PK`4CT*~Ai$DuG-O2-lnC&1GRitTb;=09 zeD|VQtjIXA;vKbNKHdR~MW-Iji9D+qdW)x}&g}++WQ%o_B2)!lJVSEF2S8C~P!_B< z-C7ve0bBzrfRzIB%dLe?;F}-YR$||Kq#Ot{ItH1*7ihWYw{E%7@MwC+TE~zWP0>cf zf{^A*1vMNz^m5tm~$G3Q3vSt-(p_`bACe8=f!GE%yP$F$(p<`F|TDX44NGS zzH7CEO*2GTlp<`LeyYMxY_Y)U&0J(BQ)wuF7uI}sQiiK>s4iBGS>0MU^ggeAAmBxS zO$CDE)LeQNwkmI%_k_!OYl+nbC{0Qn3*ag;U9%Ug*0RoT ztKNwsMjp(`Unm|xc_t{q%~r!p;4$U+tT6w>lH2b%DIPlh0%Y)~C!_?G*&J3=_*vHe zl1P?X7|74=Gi&uTzd^jf6do&XtjL|#;O?abGNPRRPEYnT9vt0SS_o@sowZ!~IDzu2 zbB@TF*c@F2WhPD&v7t=)5SSpnt0!hrR@nPehUo@<^ zuCOQ0S6&p9=fH!=XS3hrOC7M53IfdE#mt{kjut(2-%NtYL%JMKb8+2|e?^|1uE&1o zd_8X52`Sfmv*B?Vp{$a0TTCR(OWJ?08D>23EOy^V2&`<4NZDYgG?%7?TO9YzBOL`N zeSt;lIjq`h3&&LW@u6{KoSSG^zAK{#=e}0j>@eX>M~g%JShwJ9xK?@iYHy?Cr99*{ z8&?=TfHLEi16F(%hi2@?Cm*68Wo#x-!+ajEu;$`d^BRYR(sTl1p8I!2Fwc%l5ksh% zG%%d73UDJez~(x-H$QKxRC%O)h1N(=$4CaS2#LQlw;;iA0QZV!La|8?@nFrnRERu9 zGyP)`NWwu9B>c!sN4<0Nk6ncRC3&Z6h@7evI8n-PXmZ5WhSLI5tk6p=x1-IzAl>E3 zQ|e=N(9$K5!=P-}5@Mmd_HFAuO@ zqL??uZ9MXTOEe@%42!Q)>+nqa56zuA0slW?F5+kE7dROe^WIB%M)l!WAEIq#=;izA zP1B$h9w*ltn^XLdnpGG@h2?X*g?X7>yTytXfTY;2Y_(gil7sbwxeeeq$;hFp4V1mk zz5U{Hp^s7vSHwMe_6B8GGyfFBxQNf5HO=g=$?FW|a_K8@y!Oz?}S%fq450_>8S-(84{eLlBR zI_IRF#KI;HwMKt2(|=V)IMLs1^?PX@kQm2o90wqgMQSxWUe|+OtKnx|ZP=khJsGn$o^tZc3_uSP zI>q1jcFq<*qLKvFn2AFr1{;ZgnEKxjMNBO=`{m7lP*6*@x><@$*B0FD)(89Fi=cM|eq+3q{9}#{ zFH-3VZw(+Ju}5U}fPJ0rq-NQgz^G>IOA1OuGt7h>XB-C;LvRx3os@#@aRn--huB32 z6Pvp0JwP25WW_`}s43aHjE=LJHr#<;h=udN?lCx%-yAv}liRC2$!6U5Aa0}}LJw)| z`OMib3bbHc(N>C|T0~ByfT!0CNLn8@Te1CPyLqfQX4wE_r?eu{dGlOVu%6kl3m$;G zmJGjsG-U3{oH9P!z6+jox-HZ>bYcraOm-M*R?%0`9`@KJ`FmxOQ0?!eR8BjJ?0j72 zPja%YPT8hts?DDJNDohA3#zt1T7#{i70BqyOb~S3f=jD`Y($3S$o^+_3wvWZ7aUl` z=NT1t5{{LUH?j7%xN-%NpDG4lLSSLx*Sy`T1u}E;X2JnsRwL-c+y{PtKg8?qK8!xMFJFvA>R>4x{fM+8PRGE4SM*AUIm1jIU_U*+oO1 zjW0w=1=UFU;#S~5s3nII+|Y{DQ95pML<6p?KNLS*TvMKDUcbfLn?;h%y{g;wTObQv z>`;c_lajsx4EkiVUwcWT=0oVAU<3}H6CLwwNuGG-35diKTR%gznN78xK5+&%%rZGkkj?0gbkG_lI@ zAE0kJgUwpvk`(}tHlUGH!0{LHUFF$M0l8z0VD|}Pu-#4UU~hxuMT}PgM3?E8>zb*c zd&Hw3AGViKfv=FH{iof$ApvZ+Y?@5ic;gT_y)u(@82!uSXUk$#;D=;oDHMy=Yx~a!;Yw8p@OduvA$!R}(2oiQmp}uQ^i2{==)|i$`{u>@^`Iipm zLlZEWvuQaUB~So!&oAfNdhXpqGw9P}G!?U!-BrKjzn0ls+3|Ld&J9n0ftdbFg{G0) zrO&lPkDgcCQ4gj3#bq*_ z`fHNTEN6*tyQj9lwX>cZV(EO9GlS!fLFrYpRpDUv?_=8^=IUFPwP*PY%eB)=<<0IJ z3rf98KTgb5;*jz&g+D!#8&8PH?6nYktvOcTW@XD?77*Wst{M$ zrR6I9v^>|aZ+*#oettpPALp2J!$B#W=9@gX#WL!#6d+UC?D3m*b58;TR447SVW5pF zF4pm0>qIdJU#qO?;}pNv&WBe612lq^c&Sbwq!2V#d6P=egIO6Cx;d1>`|Q@8h^mY{ zYm|J6wNx!;f)uA~zI{Np7)c<|iSf!74ZJXjDOCt}mS^~`9|)CjwyLz1;>AYTerNzm zeBS0zb#x`%M=VBn|C%PmUV4bfaigP9+)hLfz5X?f>yEidCr5@e)ZEu%%Kql#*NgdU z;#NXPS!H#8w$mg|;>%BzuA8KNZX`Krk`PxS!qpX-eY$WXl=XT;23XRR#=es^YbL+q zxSu8DMd-}8_6*y1MOpG<8fJzGXI={~T%Ba`);36TT6zo?Zt?5FZZXJbrCf#+gs`an zp(?F}{;{1>Kgl~xc2abzhH9XP;v;yIC2~tjzqkinYlfresw&~99R|<~?u9o}{+=d* z?sCG*+7&yYKS9Lc*B7b5Gvngv4M(^A^GU{>@1h%V$&X&NsvY@EleIwAEiog@+;M5` zT|0OhvEa;~^-8tUiI})Hzpt3mav=yL#yJwypEh<{;D+Pq!hh7~w}9FzXP1h5yg8~> z2wiW#eJQ(zvc#BI5hj{+R4^FaL-)U&)H*XhvTcZYi3Su0b&`3oBu5l^CW~7CMytfc zeJ}|5boJ%5xerO?#(=Yn5ez zt_Q4UOFsDWv6grmhPO`uM$Tl%T!Yo*jpn0j0b!{0SQzh&4Ap8l^zbShlz(NxK0*DN zcjrVGUh4WXHeJ2A+k_H2f6B;^N=o8n%(tTrNCABNWHY zfz}Xljd$`{MM(ux9AE&ZW-71Q&~56Wj+l~`udI(gcc?Ntxh6k5_VdcN4pEp=W#OOqCI>Zj3vkd^Gb4ECJ6lTVjK zvD*V2b}}1nTD})>IpGY7Oz$a{uF6~sR!nu5W{2j8?l)_!OYAaT_{+2C^Bp#&R~#2# z#Dvo;V-6)EQNP{A+quhCB8#Ft$-SKR)?|*5M_u8Tj&{iG@kAKx91-68Dwi^}a@ev&kbN7s6Q>6`NBdOa zJ#LTr;vOI=^k6t9Sj)5%L>HgwpmNNu=$!fov<`7`^8sqQ-IkYOc;A~>gN5$SPqdB} z$?6nXWfIX}FVbJx5CQSVfRbm0u$HkHO`?IN^kY0g}e6UWDsFrj;FS zw(cqYPE5N-+CqdLyrKN{cS3-d1_UF7^Y2NpKieB@R}_hxpWm|)8(dlScJ}V;Kv3=T z1#tBhTs6j-9sEum0#6ZrXCE@V+A{^K;iE7ztU%nyG?V~z=(71V7nk&Ia45jl25Z?) zU-G9_!G@ccEg7|em&rkl>_9?)DjeGQvE>N{3sl9^V;hB1LN`ycw@(tvPnRd8Pg3bD)(bikA3Ht;Vd(CwkZOIk zThST-i_=eW);mo#C~EG;rDXpP+!fX!LFSSfzvvh5^hF_H~e zDD@lcQh`$}({{`G?p<%a?yE#(uU5powIE7*_JmbL?#{y9h{CJb`TiT3Q(_{U1Cw~} zPgsN#%(dXAw5QRiYT`VA)eLv8`(sfw6o1irhe_r9Eb4;KLE@ea)1qse3w>J#ppU@k z(V8O&^B)_$__CuW!&QJ{k#ik(Pgp{%U_L09@*2u)?#u5CC+v{go>A!GowioybZi-2 zKmjZjmVaQ`&1`T@ux?!Jo{^lVyiPdseb9#i`Z|tc0Jmq|G?Km>d3|g+FMndYkWtx< zz`*Cwr0KeI$Lr2NKCP{{&x}f~TZz|JT3+`fZ)@x59+!wUn^_`Sy>?z}ehRh-yPiPT zmtnJXiC@j<=jY(LT)veAF7r)U=Z|a^EEv!nYv0WhnskEKC(wjtQNT!TPY6}%6&4(0 zQ>A2%4JF;o9yCU`G%_>O5z726^f2i40>u*P+QoYY2m@hzH^)@8cU{UGq0r$N?WD-0 z^{lW@%&>>=tX?^cT6WfyOAxO*U(7~6o^-Ii5_RZ{#r;4WX=@FO{?7G8W;PnE?PB(g z)@FEqCFcVoF~rSzb;u{&?1qqde?`EEqT;T<7))hbnTKAY`Q`F8>G7ide52499NNJO zIt_vxtRaB7^y4-RNsYjE&Bp9h?|W%8XCf`QTN^fz^Hjo*3F}^Bl0^Y|TD;ur1mn<@ zZ?NIgE0AJcDV;fqSlPa&(y;|2l zoeTuSO2V3BHXI0*dEw9dI^V6toX&`Yu00e552L z^K4!2aJuU;xQRG~#a=W+H!P2mPmz2#(3cZs3gs8?cQJ#S-`Y{fEQhkzfw16ILH)Rff*MGuZpZMm(XWrOvZ3G))D<=*j0k2 z3wf5QvN+(X_c4F@!`{iujA|HuaXgTLaeWkORc39Q|#27=n}#>zJg z!!@##zXP&pBlDwDdd5uIe5QF{Yjm?pl5M4BXM@8Z-`?gQnB_1T*!;proGr+zP%-gEE&hDCeOwZ z_OI#rBeWc2PmF>hh>4U^pbX>7w**^7J`)oK}g+tk{ zYv%q}VTHBPAwYNP?DslbD-1ebWId2KA3ujmfD&#%9a?qOxjU;f z`cm@r$fIcx56vkry64{4OAg7W{DxB1A1Epoax%Mq1A=XvLKiTABtyv_m(18AUvfEL z@v^G3#;ocCZKYj@Kc1^!nEFIvPrI{^oG;(QIg1<{Y7$uJHu)>7`|kz)ZEIs)KA9eAd?D(CXbUEH!inSKl=c!Uba82 zvJ>vWUdaQJi|c1wSPlbEU$<@Lf(+(AZ#sC+!~l3^mrw|OLW_}s6f9za`bJ&eRXb)r z<|R#Jqm-uUc1l0LGkK0U2S3PgB~;D%tI;D%*DGmi<$`PVJ;H`cwOOML)3x`!8j!m6 zJCVPunVe+HKXqlfqts2`5mU<0|8NRJ-zQ<+;tAGDjE83t#a!nIeYd3LE>*7>#dk-7 z%uS2JC7!L(C?FCZ;u;BlZ|FGo+eHA8P3nDF`K{{`c@+t3yfcmQSbJ(8*rlXbHZieT z5M}8g$;2eET$!<$ehR2>U5!c9^X%Y5(!8|-5jonNH6`v8Px652YLbj{{OdW#DE!t%c$fLjCLyhLddCjgMwHRs*h zU&cO8f0J5tyQLLuwEME85vL>f^>^f1yz{Lk1i?I8%)FD4#EI2>NG(If95P6Tm7fqo>qY}CvDMM;IMCp>=q95BY2krYeN?uOP% zxM>M3RDV5GA#m^cURl5Dxmr>%X#1>U*T-9t)?4XUu>*+%$Kp+bkVWK)aJ((`vhU*5 zWIe;;J|}RqP?UO3U;N8&m2+_GJYAGP(see1I-0JKi7+KI5}$kURP)A%U)G30z(L1&forx=9VMwT6y} z!n7Ac3IN}d+@tTZ84d*!qb@y4AYS(Ww@}*$9TTz`b-kn^o$DI8Zt~t5rHSy>ryF;4 z!X`qNo>B~O&iTCUGGuX)KY?{0=G{BeX3zE>=)906gBw-~OY=jse^ttR74XDFfC6bY z1j9L{MW@m2rYE+Tb#Zq@vLG$ROGPGEcNoX#fswmV&ig|L9WMjtEG=zpEtV@Pn$aJ& zF66XxxK;1Udl&wELxM{YzGWWkQcSx->)bf;Z0!w*HWGFtNQ_7#PiWbgqW;I*>)50O z1I&X~XhT9Ul0hWpKz^>9rGkhB(JWZ1>Fs9GSh z<^<+b^YyP%f=8ctc#>k0ka`X|-&z&w5Rm5V((XA&$pPfvO%dj2G4=j0lag>CQ8U7) zH{bZOw;>35nXjCg#VI!Vtmfh-xtO5Z=VS;$y{76*D2f{s&NXFNZiApwq`(gMNMXxY(1oRthV0p^*pfXQ#HcKa*v1g z@vTOtS+e=$!%*sOs+H*Wgi3;*J;XpO5Fev1{6Io^Kpl;R!L8aG?-v;)1qol>?&IC{ z08~s{=GfDj1Q3v*zlbQy=D+$2TeVPVVQ@KXgT>5n=UYNFzGDS<i^yJU?xD;SxJk&+SPmB5^ykkA|J{NI8z2y#%jA!|ZCmUlRkfM1~Txj=N5JWEgP&O3*XtDm$U7i_d)Ym9T zQQ!?NK0e*4irCDmPS{KEEyXBqPi3%&!7@pt|7Hd}o03ySPgj(gc#k>AS0g;E;7*JjGxw z%EusbcE|q~alaNibtHz^TCWIXHvIF%0se0$ZZ{hl?D-Sjetb6B0j;@_GSgL_{WqTc zYlC~*!#N20;BsnJ^y&Se;oJ}I!bTe%d?7oSSKd$0bNBHfXMc!o@@l@g-S$|zY*hBQ z4O)2aektj#P=WPveJ0n;z&x28O6+18=S=-YSX-z-tMG^{O?H;><8^Bjo1;r{`C)Yg z!56Qu+ti`*@z_NV@wO66>%Y7RDHUM99Pg97&jr%b>B%9b^;g0F&UV0o9w{j&x?35W zrL&Tuvjsi5@8UJ+429|_;BDgzK~O(2(C{Wu#!y*}4z(BQu)%mK_86#A30kaUZvcWJ|GiZuX6re^Ifn*oe3FU zTMX4QLrUtfvI@-d#K386%It5@3Y2HoGKYE`cyM9xT9OG5%}8QvzP(OGR^_kN-lh`# zoK+iXI9;bvt(4}Pe>(bU$7qxwHUy-xuD%6AC!YNZ=?!6ag*I!VXjvWJ+L?Tm__YLm zsikyaG$ZpzTLl>=*-K(F+3_aX9|S?Y$F17j!j29S!LJ@ukM6daIkAFgRji?<4~4%S z=|qyr>HFY}!UB@}eycPUVb*`3$e*&?qu0L$M+N&2EEQeZg|p#49zrVj_hr$HHDI=?|`OcHu?6#*mXe|xzxwNU76{w^7y{%uMSJ( zjWSgnGw?4LmSHam9;KcTf4b!;Qo>hX7?LDD zn{j-q3G{rjED*STz7@gi!69+GC?8OaXi_SBugh=aKUl&Iiw=!K`zkivd6mCZCl05~ zB|N<;=UZPaWUS7K9Q-`X1I56BPaDp%mbUz>*yl}RcSw`t)|{K4bnuksf!rBqFwcv9 z4}{-f>)*hqd_Z9BfIp!->m!8&GdA(6#k5kf*EC-L z4}E#*F7n1Co>PMs14_f(wKJ00^fg%+TM+Rk^n0|(i3{Q=`KwOKlbZPfOC(7NGj^1p zIAv@;xJKi4-~LJ|Q zRGj}oj)W1`6h_U%a+LA7@q~)~j27A>J#)^v=!dS!lJT0B0UjShvqG8UWdjZ8|1=t$ z@;5zPs{~__!+(jhf2tLPQOAn!>t|&6Bz#W`W^aO_lj00ipv|KF zEl2zgy#KcM%z$Xb|8Ag242}|+hk^n)@-pt77}a5xl3~Ga9gXy~-y@MZW9*@ZQw-*a zVHKH78Wssfo#Hg5K{^+tT_J4KRt%JPKYtv0NuMD>!wMe|RB~%V^(=*%p z2!{&7wIAf#A~uX~7+I;)=*}2_%G_gw5kLo9unGj%WtYfPdd92Y^538-WN18a+V4`s zSvKLZOh3`&iFrXRS8V;^Y8{f8hIS5o%_w z;_ju1R%{(;MpnPWT+9iPtme{BVfXRq2?-kHSwND0F>AW@9Tv*NW(<0Dl~mnd!BQQU zQKo=9S-s86elNTWS^q&YY~AaEE2{$8iwIF>GKqNn2ADi+7E|pZpse=i#*J!W_|%mQ z8`TUax$t(V7(MlH2spXPzW^@QV;7HTEc#J^B#zYNgAIiiYr%Wwmhj9;i zMd<-Yjvv?`1i<22gw9&=%7HnVt1prO_!*k44X;H^Miz~uw}7eou{8dZbo^xFbf^ga z5N&Ygc53Pv|3lCh>9gH7SJ{7ywj3W1ydJ08vEM6_jC|BVb%M6MQ?RkIV;SFNYTP5u z3jMchiw`T~W)DhLS3jV#t4#g(I6oWxBP=VHgbxf1&oXG8WDXFWp-8O2^wlyp(5)fc z;v3uWcJt;zn5!G&`d|^8qvWO!T9~yH#8nui=bv9B3IpDHFkaf`m4@0A8dE!U9#tP0 zB#LmQ5J*ImR2wg2q&hl8QI_i8pKJy!vaQE{mC|$dr!nw8&wFGUnMT5*1*xz@%tm~7 zZTJYJ*Ct}qV3YE>AC*AZ?fU5 zuwRO);OUhLzKI%cRzgvr?@N3)9UCYXfrS_2mIPk)3S%_@^B&gH4rb=t^pX&TJXWOZ z*3HOW<@7_qiNneOa__{??zlo^e5JVp?-2cwH!*N{K#+U%hCWN}mb%S!9OcxWp^5+x z?rIz23Y;FN8g8u{7=1nqO(Z zNy}9kp7AnhM8c{celF>5xjx4Si_P-PITee1lHzXS=gnJ@9M$D?-#_7E z{WhIen^)xRk$Wlp4Qjs~;ei&i=nj+De|^=U7R#n13?KknwF$tj;1z3SXe$V8BZuTz z6qwK&DfBjYNB=fvoKgu@kPjRsv7)(+1US-#$v|(gHY2pB+M`!>RA=9eW9SG@Jh+p1b$IY;4T)J%*H7>9rH4I>Iw){Q`f{R=&bn+GUJ{d1mE9j{9=;LKE z?yJ)HpN6fM*VE#9L8ko1-I$KN;b0_@U+1dJ46ggkd-6`Q&%J|rHtgZvtSz2OFeGc3 z%YA-aoWC7iZ_jyk<6;QO)MjPRvb{-sG@5fbVY8;5jp@9BQ+E@H6n$mn#$VZ8y%ftc zFqJVGdh>7=V%#&n*dG_k!w;=&oz-{i#>@xkF}+Lh8RxprM-@*)?`?;Ms_a-=^NUvg zPi2*GMpGGBq#ZS4s=9?A-0kxt568y{6GLLqo8(q-C}k&rOAqN;@Y~rYZ-0$X!iuD% z+)vm-cQ_A!vW#$4=*H&h8(~XxV?8Nkpp19(dNp|QY8@pdoi4XE(KVUUgZ{5_>rDRl zgVcHH>L>}N)R{Hgcj-pB>(G+-B+o%9I6lGsR!ptTw^U&G9>9s{ZlwMn?{@6jOrrm@}vcw{xCYl^E zzCqTB#(!K|z9=5LQ5+m2Ez5e+JEawuxNVv{RSP%!ZLprQr6-O99fuBQ(NMgW4p0A3 zpZ$S@DyJrUULaFzS2o$?1doU8$y{w&(s-<=)McD>I!*3EZ8*MR9}k43HZ-rwExLo{9bq)17R+TU<6L+U^ zcZc8-oW_G&@Zjzc+}(mhfZ*=#?hxGF-66P7-}1cA`=6<)`7)onit1{*`ns-j&R*-c z_D-WDaQfo=onc&ISNpE`2L$2@d7eA=!b07$OyLkIKTFUFBk%OVqub*oe{eUa z#{OXbA*q^vY>nAYU-(%k;7f8^N#ZF0rWp6P&bnTLS|EWYHK`c4?q9|?*JG;q5As_s|3+&!<@!&xO4*c0_q;E=*} z2@cN9Kb<1fVd9Wo1bqe_KnPQvEv=O!OTg`G?$0&O)7cn3=dc*&vlRw)J}q-yGthut zLotf$f3Ow*u@=VI4huT!v;s@B$VNe>C-dQj&u0bPCpMqP2yc2?UF8Z=7+3toKF}38 zR@}w*T?k!IeIt$%zPe%=NboUmBvn5RWPVhPy?RS*y-`6K2!NmCYO7gFFL{8T-ao@o***n zJKWw_+}Ez+%Wl5=qWC{QCpY7kSCmb{+kf<3AFO1q86z`)f1aoKx9i!)L=_xIeiM5# zzponAnM;9!%*NRBoy=dYfDq#KgGX;YO+nWTZ2b)>;DtSt#eSD{xpIje42YHhUsaNMzj3=db;L} zU_Aeut#P9=_VIelC0ya8Hp=q)K0eWWgNPSDImqo4JNSZh6<6?e#)USgaRJRI12%aZvzk3u%D@*cXsgJFuZBfu*WHKOq36+z!nay&!Y?_Kc?#$ zGhz^LrB9soj+~N@dcDLjkD?j<4O^bxuGnz}Ff(E7OW9ky)GB1BICIPvTK7N9F8Q)c z`5KQT;tWNg5$V5O>KaAs=G6?C8^++bu~Ji8My)S-z9cUhUUm#5FLBm9KyU%k#L>{j zMS>oj4jf6UdQY#eel@&5yKT-1IMFznP4apwYaKPpy>tV`@G0@nyj5g+^(ny$EuRf% z(Am8o>RQMpvP#i+b?vM#e3 z2+cD6(n`<)gS#I`Z7bJZj&l}~T}kmWZ2L*vxx`wp*Yld5`?0lq>mKG=ACmrko%KL3SD zTc-N9)0HG!yp1@QXz1Q1s7XW5sLfE_!;uD6*BL?yhnQ}Ztfw1wk|Ov>uh8 zYRxSRX*GPNbGN@RF&e#^1ELYsS)$@}wtsYixOngf4kq#-xoOui6T0BYLPwKEZV%zL zjkb~X__MOdTZ8Flv-K=mwmr>lN1exrwU<^!twnIYFmtMTY+0fG=QeI?udRGxPi3nl z-RIXR-${LSE|vyNqj2Vkg4|fL@5y7}@{z0_vvdDVjIgr~tBlj+1oCoTs`M2DjW;~<7xtP|f!Sn>z0l6QGLj`WW&tWha3uOL8 zj@+Z4Ym%DP{um#9-zEoLw!&uj`0Azg5GP>AhSN&;>U-6_9xPFDLK0$H2+~tNBrw%H z``Lty+(Z7t*;Y;lv2YDgC($Js)Hyibn+L^3d9{DaC;YKN(k8d@bcs)0!VuxkFgI?VsFjZ(gLnY{qJSKmI zK%_1k!D?9<_c$9E3jVX<8?Rna*B5lx?yD5^rP>>X=_Gj@?H;B`i_3_buT#j)-QWZR zYczSdX?yVEy@9na^evO|RvmQIh|zIvLhz`ytPuAR1&DIbC3wz9~egWHEd5d8v1CJ%7J6 z9;ZLAJp*O03=TWR!e|zMd~~LFU9MvxpL$!ScyCJ(gm%A3ve@Ts!DXZ}67fk_8jt)& zzG`~`W2gQh{Cpd}b2Zq&e_r5&LloUZLA^73qBhl{TUNg)LU22*wMl}40L{Dlb%N2` zXl#L`vT==erIvX#y80sCHYLl?busW316gAoCL-{L?SY!s$nAI2ecc>Gh~W?n!Fqp6 zI?Ikhs0q2A{&j*F&6bMN)cZj!6$O_H^bu8k(zvL~!4d%!BOf~d$ z^Vmp@P<}?8CQcS(n?k~37=d(*guWOB9gUj-&l7GSlu6t#Gtp}osHYF6x1w9H?efbmeha(^E-_%@W$@0JE= zQ{b}Wrt|qW0Tp8^BU!`G0tLATEn<>9`bHu$1@#Er&lN<+QN2hVieF_6M~-t#weDa5 z-_%HY7vFbYy~|n@bKAMxJpr$fIg$wLj~XO|ynh6bA*aOYu5I!6(gec*o~DzocaGQ@y7i1Gsef=Z&|d6CKhOC5#JI3t(ZfEE*oA%5%O za+-akuD*B5{k6m3v;2prNHcnZ((5FPHiyI_ip`f5G=cQ*a0(&k!pSgHipG}@mbT4o z@Pz<)Ra#KTnM6|jksFa~W^BAa#=+WkY{TresrYeHPU$-*62#4P3zQLg(iSE+kA?Va zT_uID+$}qT8O~rzhp*@_XGx?lQuU0In|uM*6pP+}qDXVtLY+~DH*yg8Th(!%HuaFu z`f1j`lX1VU32_20ZTGfU$r-iggixUzc7C$gp)uq&NTYxYGY|K4onv*WwD3O9VMCFG zM?=S~Q)DJ6At^`L{2qkMzs>Ajc;PgXT$_1OF*;RX?r7k89+^+a_H7!vlDkgYhV@xthrZsqiR>2Vn>7Eta z1Vi*k`3rDn%bxxxWD5)zT4?!!mLpK?%8K-Z@GU^(;~t{a6C98-Yau#QvAhUxp1CES zVp7`(hp}JS_uehyXVz=-hA!zxS9F^q>mYtf1@wsTpi@eOas<-$0ri{H%EOT+KBYM^O~Rt z_Hc5YKGEar1|D~NXt-N$n#8GkYG?u!D@NlE5`;&k67|SREn&pj6EQ$0qCLSl&$WIj zE-N}XWwuBJO4&o92N>v{@LP+(`$o&8tL6M0ZH+h_1|>c5(I@}**{aKqzUdeGx4&)| zKhTRZ0=Sj8Z@x!v&w}5oW1e|gYvp=-AZAg63zD(*YP~f?m6!Wi0AER<6`x{WASX@L z87%>inkFhdtgg$4W~ASzLb9Gb*T~h8GjTfqYhX zr`N8h;>|w;2t0Z^jCSPqvvXF_*>(_E6^Wu?lk?W5RSZzD{P~a2WDtV#M#^PA8%-7j zEv51c+efge%#|CdLPViB6*~L!_ZJyrWLXw)SADSOun-bdup3Oh0f#&P6~XR#v+lJz zW$oHlF!a89r6#Cp;Y=89*LQfw4$2p!9_P6VHDpv00f`ThJco~Min(Gf=~#&QGF5=Z zus0viBi{EjfiT3BDlwAjE4Cf1}pBuNc3~vfxlLf3?k>ffHZ!`yo7$Anc7NB0?uqaCfJU4gl$i3*9z+#LZLl zriX|iU}G8;6znyY*-}VHZ@f)3_beIB1Jd$%yjQ;|Z+D2?VLdtd&B!wHMm;{%NBdRW z1D+L)b9>sKOe&%~-79K0*IH37ten9tze{C!*K+6j_fZ#2xc685y_o%VcjEfjNBR|X zJ(Shxewfm9S|VGr4$2u^ETwpdC@* zkDaIJz^2ilM zM}J_kPRhjM{1^rh5(^gxC$x2ZWmi**)>NL5PLv=xBsfnZZy~ocgCIHAx@1S|E+(B1 z)r$LkN|r-0B%4N|#^Ob9%@^0NxXCV#%88m#&;tQ9CbhqT9Tv&E0?6km-EsD(K^FUaD#;f@vB*WAFXVqW}3DGMe~5D<=m`+NEe(7YbfmsMw= z6flkuJ0R5xTf)n^{A!OJq8}qaO9`?sT!j;&aYf|_(mx#LrZ5z=Q64n>?sT%+XfE2Q zPlt0$zx-+8@a-(xd@A^SOBXvd7}5AY>)+qYppA^aa=90PebAEcq%MyeF=AMlLqQum&>9L(uWN`!okB}Pli=&CW>J~^SK);77@E=XHk;-%NulOOOuX?{b5ndQTZ0K*TQp2wAekVy>&r?ye49NKR9giD(AdG;dyRIBESU4Ulp*~s@Fm`hj?77ibV zBjDenVPtbHNKB3qvVfG3amXd(XW{1G>_Xs=;(t#e+ezdAa4m&b+DD` zXQaA0on-1ULC*6T=jKc`b`HO*Q5luuSX4|`ElPShG))tt3kLTV$9luX^m4|C>|A0T zh9Zh+E${5?P9H^1z#$_Gjc}6k=8|1u**}#~_Ika>0l31Ue!XG#uGm>1)~ms<+QCgq!Z2n=s_0j z>J8h~S_fqyl}~{ll3I!_e0HvqG4(FUI<^c<{Sqs zT2`ikXxva(YVDj0Z+%w>ReyFAraqo7L>nq4CDUa+dSNiSl#m9$H;@h{HJJVXdz8WT z&qu4ieIUj}=1Q|mCgvgF{5(*aqkRETSZ_K3I9R2i^w8OY0=~UHBFmLD6yLX(6CroL zRd=@%KcYRuJm8O`vyLE^AHl?2;Imr2s|Xi;-E;ma)ep6fw7`KN`RDN^n*829t^*P@ zbz1^mZ~uEi_>QSVjZvV8Xf>cP$QHUSc?>d!IE&s6Ofusp)XqhkU9_{IN>j4_l3mI4 zpmo4`gRoJei|r? zm>#();ijzaQ#$CARkGTJ5)rc>&L$oKDsg-kAh`3gb3FREgw6_x;D@9s1p^GBu% z_^Tx%?kS?A!hg$B%7rdc$pmYA^Yha5BPo@>lLQ7bZ|AMbk02U3ie+EYe88&}r8rX< zQ}|oW7#8cJEzPoCb7M3R`$8-^WAaQB4Ks|u(~if3_Ndlx$ChKd^`e@cXX{(pEAGN* zXx9kP)RS7Yw?u<6gh9!21U=KN0y?@npt3jqV$CX>6fi-&OqVIy9?@T`Mi49kDbVF? z$U;a&gq%T4P81%OK+9V}1I>M>?m>g@aCO_%K_2xrla* zkXs&)BS~ts|7v+R+AsW0wMiL(VglpiJ`Q3ot$T(pEi_+K;vg9MX)U|y3FD<@tqIBZ#-mw0gb^xp5hqdpd ze^gz_e{au)N#(ppx@>Jz7A$orbvqiSlYKjV3#vG+!;8f(4GV`s1h+67Sc=pL6aeW- znlHT*g$&#&=!#X@6Ofm17`DTnMyVj*d3#a7-WKPOW6nZZ{2e+T5SZ{RVp6XU zXPbnZHzpBk2h@ozNhWw<#8|v}CC^mRl!taAeV40m#`u%uWPy>Nu1Moz+LseV+KP2uQMmHQnjTkf#4*=H1|5B5%SvNAlA==qAnxSbX` z*fmb98!glED}IWyyW+_TZk=c&rR0ASzV5LU6lj3dr9aT)ewSs`@9F%QQXj%m-h9%Y z{=<;VQi{*kXw~P9w?X_=qIr}%!t?Y8PcijJ>5qGdf$@s$sge@XqaqVxcl|%Wf4`xu z!A%F3-j;9DbYC*%gC-(8kIIFgQ;Pb-A<9OnE#}DbZme?YmkC-cV28>R28cOv-oPvNFp;U@6!F`_qrnvZ5Bk5#nyp z9{Z^I_3giCA|(+yUAC|hy^)5>E6;mf6HWszGD_*g5isKK)7I4!#rA09@{KF^+pji+ zzEtpg$Ol=+y$R8tMz?$ra!3A9f7hm#M1o1cEQI@a83cgON6Dm`e}d%yJYmVAhkP&0 zQOzAl)CC9Xw9l;F-tmfSC%-1XhpxY;zlJ9d&F_4W`?g$X0ek&ioYicsst6h2BRelMkEaGEmYevXgw?hUbM zE43}EtMhAW=SG57XNu<7v8ocnwj6dx2n?D4!o@jMkF(98k#=i9_nUrisL^SIUpkP*oj{r0UE%FLZ2{;&4`IuwJtrE%3yLmJ9iBYdcZ||c<-_>~Z#MDu<&^W)2AVOZ` zlKl93pXeia!|;fl(&A7_N^6nLJ=m;`PKjQXA^Va`iB$DJEPx1twyYJQ?o9qA=cGP< z;Dj*8IQ}Wwyg{^2YOU>0HlJTZt$#hGmw8n9)=bRi$NqH}9J0$ZkiHuMhfXm^)=)%i zNzI=`|5!_XTH%Me)vn^_$;aIlM@0^DLSIks?Iz*getI?9nX2+SV&vhm+6<$vf|{|2 zMa3(jZ#B>{S7B)wSAT4Ea%1xwai4KM9qQYV`=LC9F1}yh`+A?BXy|}HU#LxrQHl@McArtt+%SKpBr{(w=6}|| zg*}FM$0t-xvPh=JFZSXk#E63gsVw3lNO*IlRO8TplBdlAVQ&XrJ37&YNFGmlu$i?XX9DA* z+bNBE{ZGEKxw6qGvI{F|7xX^(vxww`kT>e9e~v2R^cS>rLMcY2xjb`oWr7pwx)9#W z(f++w+D{>Ho4E`i3*?Bt2{X_WMo@ za_?E1oOC2|r?&1^iQZExt_TziE{otA>hMDJz|k*%*U+TA8|vW_& zzVAk(wCo0qv;{D!QT(&Y%g%3|niFCo-*XuzTUAv;{+TPB|Aq?MH80WbO=AyA1gg3K zgUP+qrCJu7*L)Ap^{%Zi%R16H7&bLG$sa^58qFBf)+^tIIP&UZ{+RkB3d#XS577L~ebx?3DZF z^z~2LSX;h;uL<_(HJ2vcvpgM=qVEm&-av{8|^6CJN~3; z=Zidr8+%>tUmE@xJ$RSn1n4j{h|lI;@(0^BlxX2J{$Y88;q^Fu%;w6*0unx|r;V$TaKz%D*qU?xItSxI>i7e@@2zB9D zzX?<GykWw*nI`|{q*PFzLOXW2ghsoPL8t;|B8#v4-{RwM*ll)-Z6y>P zJ={p;^f)o>PJYgDJ-v`1CchBFtP=@aUQ3}VWB6u^#(W>u!dKd1Nk)#mS`hkJL ze)Y44$}eQ@mNfWF>14;@c9W-Xtb@hR~ynvh!`$x-qzntZA-TYFm>Z~uEcXWENB)s)--Te8@44kf)vYXA+ zKm~?b=<#}yAgZT-TJ%cT&ih&`#z3Tu0Uw>$;W@&L&nK%<$KmO^WH-XrtDje*IQy9j zlvI27?Hw3lpOY|xcFKi0VgC=Lm(uCgZc$^mSOIO1x6@$#be74 zIc&Tk-oCW-)nSBT&;2Kyb~>mqcJH)Xek#Hp{Kvz(zD%OKoLH3w5BMpYqRBU!<6fC! zu1LG3;Tdveob3|YJ2CStp3^$eiq202vKTm9@f3#6F}F)CqDR;Zc|md-dghVyQ$l9a zeS)ZLf~Ju`zU$h~8=J%WCw%^iZz*t}rek5kVLUeySN63NVF=#(Sd1M0WZm%8nn60c zQP$PSioY$kgU>d3(!8=MQkg2zTUyC*?yt9*CsyR_Ab^APT(W{{nS?v)*p$5!Viz*7 zy>0PA*(E-?dm&`!-wPknO)lPPV#Zdeszya{fBB}#jWb2}Xfh?K=2M|Wp6ryJ6m%W$ zS|>K3p6~%YYqOFZIxYmXC=;V=>DjkZDR$=x%*4mLcvdXj`u%+aDl>kD#K;xpm z4~EoywD?j!54LGx*b{dNZpkm*hz^gE?%~#-7Q=X2l8s`;!(b4uZ$S#8o0m2ww7Sg2 zjPvn1Xs&8l=NllcDNk)x(5i>+wbP5}WUWci2`fP%(nQd@!npM)hlH#0jR z(51y5goEI|s|)~>_2d{!<434S^DZQK&#qH;%ei_{Zl*+F0e+}Z;iJ65J)VODu7%a@ zvTuC4dCP!Oj~B_AW+RZ!YmmP(Vb+$(1V&ZhNvi@-FTqmIgwN51U8D~c*`V#sKW(*P zh9SlO;b{faoA*~|@Glqa9);~*xEG#t>ZZd)djir|853+h$@%qCm@t6Ny&%&v1lRVy zEOxgRc9#u>tId<3sy?c7!vLkup0VA&BZs*|=ex$Q5I+!`e}boFv}hcW&~nY1v$5cs zuD;wtKYPDn@d}H?6n}Bs?^!YsGWggwvYZrf+V2ih3KVaptHa)Lm{Kv(2AN-e3S}0d z%N~zMtP3_9;h-V1;j#|Q6BD%R`J^7s7BmMHE!Z`O_{8;E`6=dZt_)v;iVJw8wn zcmmhSyMd6H$lpJ^w`?zn3Fj!1GBZz@=jfg`3|GgeRIY>t`cn0mxVngB*?rEjt$;Ey z>5GuMDcRZGyFZza&I!3;kUQQ4+Mz%iNc$w367_6%-CFn;DIbJ z5s-&(inQSiYqhX)l)hM6pQN3l0eM%w4)hbHE66V}%@xtpR=qZe7x8ZV%giWgNe4^| zbKh3&%)xB$Oj~jpN;9y!`{d&4NK3cOqG}VE1G22hcJ8Wv z#?UAIrdswAxBkTw>+P~dy(Y*Io(r0Dyy9OiG(ieds5F=xH`7LsNl+bos=IWRJfc5)Lb^3Wp%Oy?>|FJlNcyN z&EvahBsqX*t@NUqCUy_-2sZLjCup7Tgs)wiITBZRvuLT0`TT%JCNW!X5&l>SQVSu# z3bk%j{ep*ig^z_{>{_bu!#FX`gT^ z5;(`<527Ih28&H$SEGIjI+|8DI>*`IC(2mW3_N?D9}p=bxq2@Ynqa!^&tfxh!qn!6 zg*=F`IP`h`>p@A^y6uxHhLutcwSlxhE><1TY@FS$6Qiw>v%-@84h6M7Q zokQyAGYFLNfw^7bT=k-oI_8WJZe8kAIR^4GMQ|j|#1(VSOBy4%iycwo1G>xGyVK3$ zX~a7m{5%b|-pRIplVCh;sSq4hGTYnI<@!SnG+n%6%BtI<$-RTjE{B?!cJyade5U$a z(9rmxOHWtvJNo#}{#2(FG{RS;&-cXrpy4DrG3L$Zo~WN6h$O&CSjfOKnKK}hD^`Mx zir&Q^CTv*$q=1`tM1l;I?R4huu3g8yBNc+D6sa_S;)~BBOJ43Ybo1Fzvuy1O6)wI+MrF zcp^~akEQ?ocVS8SOf>?dc_@riV?aAiO7gnent)M$mI%v-EbPU>2;Z?3F~bFWA@3F9jfaJ_Uk=WhXLw!OXcL z^Le84vjH+ZtSCJ11d5f2Qy$S;smbK{#flMLicOlH{D|-aW8oCnCXs`1$cU2B5*6YZ zpSc;umz4(^3YVHoZmPe}qI3WuO-RWDdOxA(hyeT2x$S~s2XN#F4DJ)5&Lb!{n(}?v zlFVaoEIjydSCDv}<0^0U>Q)gtu-LqTfh|^Hg1J3wJ|l0e#_OK|4Du;lXrP5hvXlnj zTEMGuiT1a5t%+{qVBD$Ee;uAxvVX5WffZxsddXzen_wco{^5^bg+LwvACe`O{-dh_hZjbb0$`k%H*m8|}s&JaAA2Zvu2a(Mrn=}i(@ z9)itr;F(RsfJgXP_VtWe;l`sn6N_}Nfxghz42HB+swkjjrIud!O57#a--l)$azrX!} zF+5Kz{;k&6wEr=S*8fklC|V}M{PE${#QB&an2tfC6$*d83K|q$+TOl;xSr*@HV=!5 z=t&wAis<`roHQfPh@^y3$eE}8l}6oThIU2&bevJ(n)0PG@}1eqm;4u^Y*6Jtr^+dp zKE+==y1&W(GUh-4%BSgUR!NXIN5>7_V*1}p_V^WT>rHlsVjLftWHkMon~;q(7p1FP z7GOFyZN-A8_18=$T6P~(#O9^8O9YxgftY=YVN2Y`IJCXJ;`jZLFkLsUeXv?Cra*{O zk1eqyf;B4+$slyP>RbZ;*2TFKuHcjG^atRV*v`PhU}nA_Lm*|Jd`kQtMfmv)5B-G_ zqKQGSKlHFl>1^p6XlX}^Xm*1_UWQqWci)=cRpH^0X?n|>c!P!E9!0TwoYa;H4R{})S(&p?MqXxTEQfoZG5`9Cg@ z-`3_m0^#pR1$C>@?YyEX-zi$RX0xFYNbRk&a>wdSMLKx9O`A{JZd9>YYfG|G(0J|) z!a07j($YnNw|L|qoe4|hsMlfqJCQhL@91vWD=RoZc-hi9#R5G&q$dR!DBV6&j@87TcJKU|u>+!@;VD|-PT5Due8%cdELT3tuaxu)K+fNU zkOwO}0hibG+ph9E(&(-adRj2RQEbP$+9tBMX1tn2qKheS0R_L?+Gyg*YbC{6?EDt2 zFa_|XKIf`x)3KoAUORvVdwDn#7r$dFS~UZshKUgpLxxdme|!5KM1qCh&UDcMWGun|A*0+ zj1DPt4zG=3=7ULG*zwwVzLGQq_1#Y$#TIO=$e3vW>5FV49(Hvif^XMP8CS&bpQta(zVit#9 z?VEA{jg^LTUiqW69q9{SQA>1WA4Y$=^u@C7aM1ltuKYBwo^}Hf1=e%cl_CE;aR86{~^i&TWw@O18j4eiHOPTKTRe&9TYqQ55!z zbau=r`Y!gQ#<}Z@E;kY}kG#1G6ysaR5HK)0WO4@5EYH-5^S@9-Y{b9HT>*J9vLym0 zGEC3yG?fgKaUk;+ooZZ#6pXhX<{UFQe=(D_1*U&@R@2tg8U^2HNj+pL=BQYH0t`lw z4FvU-Yku`+5WdJQHF_}7~YO?bYJVGl9g#vss|U$br+!G zgKE;UeLAr{a+M)NF8bb+C+o78{*J}wRyx#LwE34mu~}bu3l+EOK*lcJcnXKu0Xx%dk zsTyJ#piVJzEFAeq_jyEoXqdJ8kgq>~UV1ubNdgsquBacAjsFln5IYW$4P2NQE-(Ni z97fa1UrR!ClJb#}VEsKS^)o9A(QDIJBsVo!Yz-+&e8*&%=gma8pmhPi;qHDmS}4q8 z!D00?#I5&t;GbN3Bhoq=dnS?W)LSxUrljAbJ9(?DC1Y2f&ovCI@aA=T&${Ta)|XIg z8-;SU%^qNKhu|ik%aTlxbN%UK`^eDY?VqRAjfY8t3F4#qEr;tQvXF_V2sZDYVGx2v z-8f@~1>jRgCGrD({en2(I;{GXS&NVxjy@}FYul9S<@UVz62+c|K8Fv`0pN)1U=?UC zGz2NeVGwAjJ&B6vD-^fX!)pRmDHY&libi{rvm~anD=g2ij?^IqyIip$Zc9x;cMyL9 z<1&lNBC^;}^z1S=xUBCbh@r^4uDk7CE?(9_{tp$?4VO<2W!;fg?c!YmXBn8*3k($b z4pC47Y=G1C8ed*a+p_m?px2YM=zN=*GmlHBIjJ=I2#Fpo{Z zX!I;@kZO1l99AvSiXyxZsmIq}(5K_c3d%Wfaa$>q2Ucm1x z(u;?L1osJTvGUy|h80vgWh~3$SheSi- z%Hu(KE`t7XFR-zWATbyr=+RdkP7grnf9yijQ(>m!Zy5gEVEWZUpkAg+**K_KS(Y4h zl<9~`Hm`1I&MttRh);+Z{V&G|{vzDH@B**BXhxD3yCg%6e`eEfy}FS<3}YEyfVw6} zMo=!oW*%atEWSSD-FP0h(#Qo$H$=K>l|}bX{dzs*|8chLM@YQFhh5Up#WqdaRAu)d z|7eo^BbIZ-Wy^*Z?Xk*vH|rLCqYJ#^|4zu6g?$dfwcSmqoUn9(;r zZU$m1Kl&$9&5wSOQXB6dcZ0^{LXHiv|AQWUf*=9^XJZodBoO`kTPhcJNC%_U-imaw z8V53+QnR3x#`IC)3BtO+aS}4fmqdfD!^K2K2Il2`|5`E^wK$_j;BZy7n;TwP$$WHU zLqmpUU0-5JS8Q6zh4$!GIX$p!6%u=B@aQrI0CxINw8jc}suwKPcHD=rj)QQm5(02) z{29{e?(~_tw;6}ie=%iTa253GJKtR!-7IS6#(QDT?>axtKVjFzaC<8oLlSj*CV^Xi zuSOCKiA7GP#EVBvGLBYMN*1AaNr|61wL6gr)gFSQ4D8+z?C$92c_HTvr{LBGi#3HH z_~&WxQ$zcf3xWsBzA!Q;{&$x?Bk@lZJTe4T47|pF6RXc|PBfBWQ`FG4zU5 z4k_cqht#hsyLg|mQxz<3#t`{l2>o}Rz>V>1=oC^GnEuAEdaz%;FEO3$k{XI|X!<`T zw*Oqze?I#A*MB~`Dawy5^geN61|MZG3e24)_N@&*_G2L>3m(QOcE3JK_&4b%r+2nj zr+e~+4_4GlW@frsxXPq|etgpTzlptn3j-5SVIVy&rM-}3xq)O0_unt}mGG~h?Gq>; z6sz^`f2D>9!9Xd^ha@_g{U|p8(oTH@V7za}@-d>vkHmWLM8A<{KcdAnrI757hqwK8 zTz-xG+*jfkI)U<6TcG9oKsWC>R1gNVSXI;a9~PjuLYi*xwUU|e7oprmH90dei~3t+ zScV4LE(uJ^PUi6Rjf%02o_fXDPuLtdT}S1zOlQ1|t?3s0Uy%oFEy#B7?tUrSEZgHF zo>Ey%6d)u!Vl7Zeto6$Tb&50|1?om`WP{oDh3Ti-IXZ+GP{`ss;dLbW>Bs>M-+Nj! zzs=c^q_)*W>A?MihtPmwBJ4UM#v>+54WZk~+~{wtB9WDOhbdEDko5PkY5`bnQ^hZ9 zf_Pc`t4qx0@4G*w4t92eu(P;Dw*v&F&DvTKnrn!|KEMFhaC3M`I-DgB4>+#=-rfcG z4SI;p?y2(&#l=la%{HidL6TvPY^KfwsNQX6x!Ep)^2xPTqO2AoOQ3c*t(WmM(xoPN0QW!7j z8%9UQMEG0rvbep^;4&BdF;B7r?OXIU5?$uV2ybst8@h)(z& z9Dk#uDDKyRTh2{#*0N_di@H5h^?9yUamAHiC*pA7MEx}#ckRuZId?)(^<}(6MGc^{ zIctpj+Ey+Mf-$t7ZsaVGCk?U~vM}MdG+YZOJi-81X-^H(HgKD6;O`m9R{Jh=$poPD zm9Pi*Y&(2dv)f-5eM>>*j}WV;eAI#=`OIig3N24=bduG(*WLv0vJy6&_3`SpL1`Zb zWsMQVcqFWUq^rG5`fG`4{3@-`>B2EX6!Ejs%)Y!6Y_7hH#UC|j4~v+#W#l?F@OMdn zPUM1>XFV8xhBURC@Y%yDr*1_PynncE3|?c|n~oPSrjgvz9qT#ISf%-*IIRS~3Ot@i>DDtEa;-H;jvxk;aZ?#&Hk@V&+qi*1ot z+IO<52wgZ@EQ92B=vwy5_z76P5vXlsG{eyQHFEzSW-U4gwE0PlA6Wj+$}K^P^)C=7 zE3QZ|2cX7B3JAx<3-_Z73aq3zp6Mxz+RGqKX9Wgy7P9wz+spPb9wBkjj|M>yy(2?J zRWX}b9gC72P%-O~MY|9FC|fu3*1@POxmTdvq{Ebk@g^7(DwJ5Zm-ifwE5QW1bjM*m zX49Mgc?ZhB=5vVGa{neso4GrDFQ}<~bgsnPTF9?&ezPtg5cCc{buZ{!*AbeNY+S$! z))=UhenG$a^aYIw=!R=WBC5Y@x~&9}z9z&SuzFa4-ujq-wL%&b0P>;1j|rWzU--|U zEx9Zyd|sSRWdJN%QZhw~Ti=7jcSw^_V4QBtsfa_F`9p@gE~NgkqI);>;QKRVFq2#~ z)65@FA`6Q(D=;kQiy=@S&ZNce&gkv!Nzv?Q-oryQz`LiXm3;{&!PqPkoCe3zL4NdK z&_3B@-zWD4(R{!(+B+MB_V;(Xw2cxQhGrAi_YStg&EM`Gbi!y($856w#N$pKz(7&( zt`+tm8c27+{pTA0uU(mPabc;BJ+pCS3hE&L4-`0p`e@WBcW@u%2sN5ugwu5WEia<^pLu2=6uF#z2XTNx)fWWE{HoHMUcA8ga-rcnj7P)|_orpy*{pvOJc6LU)kh@e8bxiYC-g&RRcV9k;Fe{-GpVtikSHQ3%r z-fv-nLHQ5o>`XIfr+%n*v{2u~lwlZ^DBDl7HXk6#J`$2=Idf7d1cYG0@8n$l z@R7igBg-Uy&_<21v&!w3p?gIRE^gKJ;m@@b3O+bDpGPod`Wmtc3hlhDa8_G)K7*4I z1@(f11cP9WEd}3 zh&T~tVo99tGQKHGs@Qp0ws*7)9*U*6L;XiI9GaE=-6U9}(6^ws(3lc|hp{9`ObKM{dC7oIq1G%30n zk^6{jG`YbLlUm`XmM{)KVG#DQKGl_M73REz&8x7y`T!2f2zSFJpq5G5ZAthXV+$VR z7{Awl>gCpja_3Xj-Pa!r5evE9arMqg2n(aFZR^t0g*OVN=HdYFOqIu2U z>KNjvWyJN62EM;UgsV7r792OE^>>t-k{T)SD=VSCpQ3pFU+sNmSd?GaFAdVAbPY%f zij30TozkHQQc_CSfJk>JB^@Fujnt3=@&|_QQo067iGg#Yf_g<*KhsSW)$EGQb~>$2QiqPE=N24C^>OPThqIokgz5@G*f%v z=;p}MvsAF$`@!bmBO)dx`(im7|Ho}o2WL!L8cgjmoql!KA}JY5{dv*mFO$UGnLVLi z_)gjcQD$senTQ%xhqZOQDt#c%Fc1KozXB(C>;8+`3R-S%_&|fLYt>2xbA(jk^12k( zzv0d#^7V@uBL|)UwX?mX@G`E=>?icRU3>@Rh2Z}IsgQ`6=gITAgq|0B;~8pF=xJHw ziGM=RRxfmIge$e7X1H>NOWj>F8P2C8>4Ves_JnZvtq8x6p*;FaFyPcO1j8T<=aS3g zfd69TY7dOW7%hP{?jibQ<3s~XJFd_?tHo@UFPj33a7~QahCNX|UR(Q-sh^M8iCAoWXJ{6(K`w`{O(oVk@6N=M|`bEPVQAr02t`h#a7Kvc(? zVofg13=f6T_BZ%w*heOG-u+jeo$O!E#3gGO%|1WjM3GS0=}hiTyzfcG9?ubAYvZF@ zZVaMWRXbRE8wN7^&LbJ~>Dd$WG=eAg4izxDg#Za-ibZwtOsnT#2X?m6?+s~!2=6bW ziKJlU^dM2wpu_MW_meE$9LROYq&&3OZ8ElQVb$R6z8D`?@Gvf8fthj>x?$)JvBo6k zKP2qZLFeNq!rDU*g&;ePrv^_Qs`!HNcRrvmva-2ryn9EF5P{Lrw?46_n?KQC(;Go< z_J{hC`5?vMC@&*HF4$wJ7Om8CKEy{#6@L%`X?9Ubunc4%JzGMb6^avLTaQ2m&ge%3 z$U5iIU6|>UVy@19FBOUKm{^;fSJHLMU-(<@(&6M~+Z9{W+rK{dm-%+yCY!HbMcf3i z_eTolPKYh~j3gX(cz|0j3CXxjf<&?ws^P+$)2`&`UJb92-0Gb0b*rsOB2!PuW&~?G zx=b+05qHTJQw?d0E zuPe*S>Wt=8Mhdo#Q89^fF@>RXmfhr zsIIExDrT7?>vmImtT)h(V%?V4z#zT1|Di{I=yCKfi6B@%ByO-FYb?2igT^ytr?M7TAa~$giNLKJAe=T{uQk{spoD1@F<{IG9p9obhHDl4St-gzs}ogViz}9Ub$hiiFbwUYjnr z$NVUle){^7HOVONYPJ%X%W6r6XpH<_7WnSm=MrAE#S0tZ{V?JXDYWcBfsFFl733we7yc? zemvXqJ|}r1JRn(5?N|00jS}h_UH2b%!}v9e_U{uAH{#*i%Ki9^vjeX*q~0W(o~F{X zCc9Zj5am&HOFF(m2%Cb#gGKM1eT0>Sf5y(CPuHkSU6O5)^r?uy$xIT+khm&$JcOZp zG)0R>m1RqICx2!qdF0k7O!=TVGl08@gFGdX;=$;7syZAxUS}g3c<~Sqeb4jTeBT4P zbd{qPx-|v0aq`wQB^`3+_5R}6rycOcqy-HyS(kyo9O+3-f0hb}G@SpT%kJ}{xpFFj z2b3-@$R(wyLL4aGcMEkY@-lOZGZetlfo*458Unl2tZD>_$;yM=`J%}AJnUt-fLqIv za_3yjn>^zT4niC3@Stu7_>QeFH z!5W?PBDZQAjj;C?H}eitZiis7yS0tZkn>nQ3?*gvMV-=l(lYoU@#qv=T!~oxLr*Lt zWnQmdxOpM(`ad=}Sqr@%Ja-C#YZt`h2pgZ5C%){1uZQy66?HFCyDKi4%-&QvE?-z{ z7Zp$D1U)xwH!M5U`)S0S79PvTj_SVS_g)wG4G9D*fOFE=K65^~cB~+KN;luaG?IVP z29WxBI)9S-J3dh$%QO=LRDZ;SoQS|2c@kWNSt9gF++S z+NYOq!6{fS$nK;PSF0x>1S2%v?#qJvFh6Aa^mz#uw^YzhMYvLV4m?fLNKOQYNZU4}O;(ozT zqQ164Q9>6kk;-NyRl4^hX<%!oH4KC*`#6$I15qGOte@iS6v5%=@I_ax0&ow z>JC&Hg1S=t(BjQ`;w=-?P%{WsNKx2a-RU8=@|#KRncdl~lTvM|Tg`7vZ>xqc#Q0_x ziog6aDAiWKYN=&EuD|MYCy}2Ppv|+Nzm;TLv)0m(YJ;xa%~qsiQ_}l1cpH}Q!^tPe ze}f9gT~4Pu8d?G%eV zIy3q=4EsfL7Zi>a>!);RMi0j=2XKmx%q-xPD09TIJtAn>%Y1`pD8i=ZbMDUbUF6Gi z1kw}>ECgEvqbI{ak%4G>R z=6L*1fv+*;#|>YbP69`;5VWTHl85-0Y?mE$MV+VHSvS9Un87hH-yEg*Frk2qGn*In zZ~~gze#H30%B>jr1oDCk!@{~mA>GysMB*LDQ?-*@x=hrpFe;mHQOOs{NR_+Y&i;C}m3B?C3K zgNEa}mls&o{tB6A4sA-La_NgMTLOO|xl9yt8K*IO*rcwMI+S4WmjioLiaz(~t`azr zx9(?v9edxUGe402(n-x=JDkA$8@1lEsGBia-bTymXP;@0bSDf=k=BwJXIjj1GDom* z5X@`g#Pz(FY}|cPF+U$qXd%j=e#K;z2-^8Cn2fuynPPb>QsEtcN^S`&dDjJ*^94{k zz|ZV@@G(>0ByL^wHWRn?peU>oK&;m;5$gsK90AbE(ZMin&Du2CnEkQokBsxxiK@oF z?^q@fm0-~gp4LLIE~Vo1In1W^twHFGD7*lOcdekNJgX ze;vyN2<6rgI3#$>y{JEf^lo0l3x1W6V)Ok5J6_vFsWVKafy87oa%p%sZk6p}qns4$ z&^8ThUHpGUuIVV~6O?N%x(g+SaM#FaHbvLVCD_K5%wby_fMcTIrYn#w$Z7il;ibcM zO>!#wcExs^o;PN6LBOL>y?p8Ab`05h7wK+Esp^JrP_eXu-rnTdZel!jhUT}`%}?<_ zVO{7+Nc04+#l=IU{EMo@I2ki7h`ruM*j@DhlbV=-e{OIGqoDvbjDv|7k6#fLVXuJJ zx=kx)_Slqy^i_xxof*d=x&s6Pa#yeAj-DW?eM=8hIw4GWt6)y}ePAn5>)8)s#Q2*n zv`W3Zh>~E`YF89H`ypmMLt)>%J>T-wkuT*K17bJ37NUdE_`EGS?wduo;&sc=K3LSt z?#CcljevW2qhbe37~?UiskSba6RpkD(LYg!z$ZUy{bMB=Ar$OYs63(wcDpD=eSuID zE#nJ7X?c1$zt)cUVv#c;w$N@?idt276MLGSTieYx<~>^Okol7yRYpsgc9n~pQz3Ht zoFERe$D;~h5T(h#-PYL|Z*&vzN!NA_=MVC*n~I&imL=Gvkd%V*7XF2A=jyN~D6J%w z|FLPnX#Xubx+p=PBlPd{TW`qpW-2Aa^`JL>K@aiab{K7dr#zBY-czj|>Kz3**J8@D zqO{2$R8_N+27iYzG~^j7xLL=zCR-Jk(dyTk47={yg?dt;cTU@(+{KpfcxH0xzwZYo zs1n%n9}d8Q>#b~H$N6U$GtP+80Fn0?*3E9AwRljIbcxgXRYoBNWbz;PyHih8AoB}V zI^WUYK>2@0r_b{@r2)3tCbgZN2qVCK`b~aUM*TN8a+RwHBmQhiynar8XVIP9hlU3|rgScN`&ob5Bev=@?)~)BF2G`S zGycjH65BZqVgq2uTUMlGt$%RZa4}-6o%7pkYb~^RXD8SGZQwSXMsHuw5XVDl9C_+b z6DYo5lJVd82im1K>Sk;CKf`bx?SN+AL-PYt z+2L6+zW?j+BO`Y6a?`=bN{StDJF|K}g4+O6yDKvgTjBS2Y=r@^%{V19fRBZD4F5~A zydEeJ*Wh~$5KK;Nd=-Dm38v} zD&WubX+yq1NHXBA~JsFBno|b9cOW+Q8DYka}QMm?rM!TGvHE$t9XoX zu}PV$trfJWYJj)&krl_$%;`DbLBIQS-AgiFyVC_DC$P}V6{!W3w4@FO{L7{ficgpN=JO?2*o=)Az8`M&ngpRR(bGN0Qrw%kH#C9`PbZw9nX5h-IgVz&Fj>uO!{gwEK?k+I= z$JYXrLjt3Ya+lJsReu{+#%Ws5&1 zCLSdoLvu4K%}g*Oo!O9($V%m<#I>p|!;?s4leIGyxBxmyU^EV(*T1H%oS1J2hTv^V zH;n7o{gf()6Y%!P8GN&nvzKUVRnJzpiHR4wiT~ULoy@`_RqrM?`pG#MMOO8U(Fgj% zL$utiFNcRSz|@22oEV6V@EB5)c^ZrX5~QZ4o?nb_i7wH*(|dYU7VLI_ZD*&qZ~C?{8;7D8>Qq=gdAhGM7H{THYmy9 zqByhDbAHzwMyL41R?8|h{y^k_mLgUkLDFZ`P;mH8h~C3%2tQYW^k%<_OoK#% zh^T)sK8UHSE2Wi95@S;rDwUMbp1*R}I3VugT@ZW*^Q-$3wz+!!vzz;ylg5M;W<;f+ z@5=D>_PH4WpMdJ(6po(gjV#PZ>~A{9pP-IR%8;LVo)cS-<%gO;wpo0#9W+v0H`~_n zrWWW3^OaO5Nlj|3L+u4?r2DA1zaH213SQuL&`=eTiuY2@ zg$ojwQ6obGMdbDjy%2^{)zF1;bIlx{{Qc8DJVo_tEk_{&JjvevroklbQERt-J}iU} zWeAYBbWKSo(~#{>8V?1(5YvLcD(&7IpiICx>1r${kx<-)mWCi9oV z!onnT1vsT>@YYA$2i-N50>(@BfN;ODw$6xagCe2;48GOr@7dID+u%PY9SF9f0d8^Q zejO4xEaHD>u4y;@;Z4l>bl!q6AYoLBVN1R1K>log6>FFfK64aJ=&R$#9WWEA#d)JI z(Kn0W^6sI>U&b?oqoOd0Za`=S0^OmdgixB)JmQ`v>BAEw4T+i ztWp_ral1uaFiQKW6(GiDX{vUInVyF`TAt_$$2nH7gahls-m2pi;C=bEd5j_fg3f?# z1)qh;QSzTbpdk#bAc?$EzfQELy)*#e{%E6ymP@=+91XP9MZoJ}I;mS0S&}DgaKNHA|{pF)#yz!x71~ep*{#7fFtI9i(O67Q2 zhB%qXbU&q}`(InjgsqbaFS80n^iN_*CFnCL zberGt+a`l~Ez4;te_qwQ5R4&*Z-##s%;*=teOdNFwx%YW-cRpTL28q+NG$%MQOVHv z(nn7o*#H4*0IUYsq8cZ`t=tAdS9rF0eOlJ19A#L2N}UCmCNHkjU!?F*9=*tfi{?;s zlBxzFwVGS-rl&CAaaP+g;22uip9lkPwkDD8nqC`p^WI&`e=%1*)!BllBAIsXqYmca%+X%wlz}c40A4xrL}S z5zk29W)_E@SiKKy3}aOLi)>BnyQ#1@YPT&|8-`YF>q5-F$()7vZ8ecXG{>2+iKN%2 zd?s);eNIP=^MX32x~2R(7?x13Mg`!S`|_Ju$U#6&*8le|P+t~U=J#aAe;ze}B&%yX z_4@u7HLmalZEa`TX2=)1kU`d@M6&xl4bhY>jNz`Gu;)cdgJ9)ihkG)wF=PGcr7?D6 zGssax^XG4Kw|PqGColLDm`6x2ugZl->PMo+e_aCZ1#ur0*czG*@~7^bnDRdK6oH#q zz!AoyCq*3#Gw`FLs$|+=0{*?>+If?{!u)?Gt2RuB$5`w&TGA1_I{dn<1e6Mbjpv_J zVs3@25X?d@27A7@hCzZ^(v8!OR1FOL0|z~DthRzx(;c1{c2(HdK7c|dyVJWhIdY3h z)uD2bDC zy5qCI@_p*Ujky%D(@JL?YOX3Y(xBR-PH%;s2fjJPfFOv3_oXBqoi3H81rPPpCPA9a z`}X;s!+bw)-J`klDI?S07oSDU7YP{!ZPwXO-}_>9U%aiJYwHyn79su5a)aCSmgDRt z$}S}%5k8#?Bjd6Oqn50~iS~-N3YtV!xRlFxYkBkf5{IbSD_u&e(eSKDn|)CA3CQ#X zS46$69h9KYP0#baCbLcM>XGX7HHa)vyBXk8?RJoh>=!K)Q69~@7&TP680~@jmNY4I z515x{>gZKn<69GZZ8`k|QFiG~Aso9a^&G#Q37P`lq<`RVZe`kq zRd`w2KqGDdNUik^M>gAkMg(GBmz2|>|KsLOV- zE#*M;v!boN?|JBPM{};}$jn~k3P7vp~J>ENmXZkC5z(A7w)r_<62OX?W8 z&a{K8ufSjEmE+=N^t?`!-EV5L<$mKjTfXUdYJ{`Le>hv{>h)r0z;Pb=^fTtsw6MtT z0>P34h*M+czNPLbYv(j(Hru%d2c>r&gYUn6Y++gY2tucMDvM{c*_XBdySw~Uxaci) z59L_wK^=_0x)qCX6&q#LauvJSP_MHm&xGWq{jssn%U#~SC>|ACeQJ-FQ(1Jv(?Y2l z?l3hE-}GCL&Rbr&mkmWiG#x`LKfctT|HR2iIp~*b6+C$SR>(oNBbgwVvgbp7EgX%Ox{I&N@Ye;ot#VnY@}4&N%1H1tMrI*yFId|CVPS?>nF znS5sRTDrYH{0ZXZz_FP@d5A4notCFGk$9$hruul=9*S`BI_n~NDK{{QGAS7t6>(b; zLKK9*NtfLxT<_lAeq;}Q5_dpbXKb(e6y;aL#ca{h@LmN@9^SL~J({ryE#rJMGL@AA zCf8I;8z`-WU+>QgMM%{iPjc+Bz8bB5Q+PqX#^7Vs7_ghcP<#-5{sLOXmN=*-1rhx5 z^0>Ad1CNARH9~M(FFq_rhIw;rrR}D)$L?SmgAZ*#zY}_u zRe2y-Yd`JYvw3zO9mk4P_PE+@V5@9}wtlI`*zJ2R-yx53n5inID0`p4R!*olWN&fE zaTmCjcFu;=vetee>ghk|35)%r&ePnE7ye;;tihPuO`p^dGUiufJ5^l_MsK+qj?hTD zDl$?LgTa=Pg>?9YVX6d&ic>YrQBiFe2T?OFTW@5Ei`=&k&YFcHd{_f;t>#8$z&S^B zpCIC!Wm6@`PHQcQ)$eh8T9Q^a$1v{&glI^qa$>BgLG5EZ>W^^Q-TwabBOJ#wi~cX7 z7c((I%MZv0gI^C?wDqSalD+HG6hSPetv1b=y!Z0hoJ;7Skd%EeX3?$#rOpmYPc=!1 z(v>S68kQrN9jnZDnw-_Ie~3@*Rb|UGn#{nHu((HBu9znT(o@O{W9|X zE8OG@JXf9g;?o&)w|}joheb8GvRdLe8GEe)T=2Cl2;O_z`|jn-e-ef7UI3)69oeI( z3(t*W-NSax-my7tD8gY$cqUPSj|(;;gQ! zisZ9$Ls2V8*+2eOY^)?U%iyq*6_wXNM2=fEDKhustHD_e5zkp|73t~(JsKe^q23Kw zixy#i6EKDq#3e0E3_qS2byD2;y(psO_wj5)vbhk5{ znzFQ^oH#kHiK9sc%~LmKz#=R{|tB~o!VzC=DdGknxO#3Z^q!*b=!(agqP zuwNyf=tb*~?`?|7cWbgXPY1k3z3y?{R)ZeQ)rv zeGt?1bgP~h?mBcP`0c9|&)&w=a$m3?>dB*b->Syuf=M3=RsI+VJ<`;@@BHPp?!}5| zr~6ap&pj9Q>=0w)+5M9kS-LO?B{vsjbW%$rVvMIi^Q$%Fd#TEYcLA3M3FzUE?tWo; zecf~_6udk63T>BqQ7a*inU}_zo9oesDKN)HMA;PNahK+N!$<~X9C&$_)`ZQ3_ z!($=J%uf6%*-|5yNPm$!NXNcZO5wMQhKBoTKF_3!jB2>>*XvF8CNXmn>Bdc<>JZzk zei6D*yP3KN>CZ;iMLP;@Mi+_j;2WPbJJyC+11ooc3%S{ppALKW&+L5~s#K|(PCK5d zaL0bXRqq-VMdKvafih-Aw9b;QPb=)XP40Oxo1I0zR!gEv5j&S6Xk$(7-JYR;tKvx? zr=?|Lo`%}52F%|@sX94lu!MD7O>8s)CfLNqJt-J0bJ_Wx-yMgwH#(gS@H@c-n{|rD zrCC$eQ?Vgf;{JBO*LZNUZ^lCS5LIz+e8O+l!EU3W;nCPE>(8vZ7HLH?6MkP$9^1u= zut@h5Q4!ggR@yBkk?Bk_`9Ylq#loU=LjNU8#sHf20irE9P-f%C7scN*ZPg6rRbb=; zxnjG0L2Y(flHgjG*|XZOb0s!;a++eC#!jA2@Fp5saet93dGf`In;>8(nA(ZPRJk&* z-LrjvL`u#NF#jsSiR3XHA0ZBb(LHRG+`S06xckLZ+Tf&Z`S8OLqUJ-~`V30RTs{gg zX=gnTA}JD7Lz_;ItcKTzbEe_otjvAA9-OF8H3wPa(Cz@$IREnu(fErz7~MW5;>pm3 zAObRQZji!71#Tco!t|%b^|-g%^4NgZ%XZ8E{;Bgk=_uR)YCpAmsttoRr62$W z)s%uGK|4BrcvKJDzdVA3(+ax;A03V(_iAIi0l&}qSrH*SAIF7GhUh9m)hdC3yJxIx z>Bv!(ifC4*ux=#7m9eE)BfggpQv$;WmMuXTwZzpr20X$5*sp-+ z+HXKt_2gFpGk>(TPxY^dvVnf0%*~CD``yK28Jah+CI53n)`FQnmQANdN&|%ryurkpJ_-=39VN22ACs*R}g810^2l z*Z%__l7V67fpT5q=K=^h>9mf>MKuT85 z+;`VfrYZm>ACe`XT+a$D!u)JNEs;OCl&_?O)dF&VwiUd6ZTIQLGU|Y`bq@im>-Uin z0lUALKyBr}URccvY-~X>G=FM;&Q5O$C$Gz*lCr}S7Ad!p}+Y-}N|E_8QB`PD-*pgQ*0Y(80pcdzLSF0;2 z{XX9$1cU9S*!Ztn0;qEYDAO7nnz(*nT`-`NFmRgA3mD<6+~H%@7~@L|I^y5LHw(P6zG1n__taF ze^q?l!b>${0&1p#8O8qV&#qhdpWpvSfBzXj|DE$^{sI|SKOxD}RkH#K_>-4bkt&gR H{OW%JCE0dw literal 0 HcmV?d00001 diff --git a/latest/ug/images/hybrid-nodes-highlevel-network.png b/latest/ug/images/hybrid-nodes-highlevel-network.png new file mode 100644 index 0000000000000000000000000000000000000000..2b9a8a07d986579f7063292897bfee2d5a1453ab GIT binary patch literal 145708 zcmeEP2S8KF)>cumA+D^lpfnXxks2TrAs~t%APOr82oWI^2?+*5FCr>-I!L#GEK(x9 z6FVKGcTnk4f}sRL$v=U_1=QVr@9o?2{>9zMoyN%wNKs1*aBsX zwlU|090u1aC|d*){0*AHr-l~zI0OC{5r&J1!=d}ZuL{=INQ4gJysCvQl?ntZ2$2BI z`&5;GR9E8_RRq5yEi4h>uVV;fOEmQs6O56)pamLq7nKkc5flMUisl%!73icS0udDy z7L<^LhzW{{P-pb>)RjORL=Xbnw2VxRFcyo3qdt`#0%KzV9&!GG>4d3Y*cclj5wzxo z1vrn!m>@6VFVL6AL3VjFA<%KpBBq%~L!HR!sm*l}gdVWT8!1 z1dCBrQa^(@aYjiDp@&sE3NcwujZV|b;TXoq+FTuNGQXfE4z%GR!hj-`sEOl3it%dc{Mq@Mz1yHc0qY(y!wqM%K z6pf@k9c@%=@Zd{sqBdy#yrzq~=~$T90^m>)Cn-L^uA;)!-pU9IGjsaLBEqz9tc>WL zX$>~!MkZ+ch5P557VpZ!I?`7YgGK{-i#BcX*Yr+S4vGjQ6}|Lzq>TfB^RM6g`7tq{ zndd(tXKZ}ZLDk#@>11WCib9F$07L_Li7o7(oe>gCTXPMRfHej|g(3oFX8~B)iaPu} zU~Ft1>A1E=1E!tdNAbhF;)lV+6oq-k!9FNbuLMQKmo+TEhAwRY&${UT`70_7I>Cj8 z<=245;tnF8uY?8X$uDl84!8Jveu9e{mVQm04V4C+{QTnyF27!wAm{@*jK!> z&xi+1eHd`Gi3M0ZMKlsk<$V+y1=jemxvdovT#0~R?aeK05n9$p#?-a92iywUOwlM? z8qWc~q+Qb%o=O#Pm8}sNi%OAtJ--tO%uzcq5_Lls`T!AYZDVnMe!HkG7=$qvNGm&p zCc}|vZ%`j-JHTcpDqXNeI>bG!XG{zc@F|tL#O^j@f z;KpEV>Vyv40GV$ImSN$6c|{@6Ba%{5lHePlE0FYd+Cl*NX=?%4S^;TcMjgi%O&!*V zc7;Tk0){(m16IcZWu`WNbp%44HFbsPq`(m33KEKv5}@70$i^H&6(!V83y8Hg`k8rX z{6rlUL6?QpUcb!LKeP5R1W*{Z7)QVvwA-PQG=`)JQW3g@wEtNwiPD9S`67`dM(=1u z6NP4oW(wZN!oS)DRIY9U}{VSCYvu4ons0tFqQ ze5upLT2>AxsfHY&MptRjr4SYqr>)wr z>!bymi$AHl=U3=ML})ns*XTolm#4I_5WnT2=eq-ch^}RS`5s#Dd9C?tJ%5{Wg#aIt zil{}}^=C61@BnaXsmd1kttiWdp3B%y&FDOE;+C)q-A?*!do4GotSn4SsP-SQ{ea15 z^s_BU0}Mbm)pn=Z*S| zOJPA_8c_Z#JoPh9X{MZjh}6O&(76n4YH9QnuoID7nC~LkX(G(1A&dFP zScI{qkod=)`+w%nVHQyF75`0GSV2sI>RkQz{5KIX=+VOpV2IBK9o02nfaqcoMC1Q2 zgw4M%R753~DmxLn{kF(|6Qe7{#r7J6-bj}Yf2jZV)kuyg^b1~BL}G2I7O|+X_DP^G zsS4;HmjB0eE*e^dD-G3;Spm&j5FZDxwkKcU`Jm1|p*iS4XH` z1a&j1Umc+?@-Ob}uexmX?fP|>4G1@?eEW;KY(JZqG&c)Ej{?wu`1zWyP!^Vk<~&iK z?C)Z8iv20D{HC?=s}Q5YhPuAL3NbNS$3GBazh&2de`l4xB8$9+FN_BpON6a4HStE} z@2@65mIdiQNA13m6j^Luf|&ki6|pp-K#K`2(HnHPciu%liMFw@UC7CvN88$>t-$o? z9loAs`0PF}ibDNb3dYFBdLgfAYT-bQc72h9p-RWE=2k#F$Ohy*;3$NxJsM*P2eB6f z#&kaa^BbJ--`@iMoQR;wA&^A{!hD_~7O6zKmRzh6>1}j@_2(-@F`91wV-@0mAbDtE z#(yLaJqIO9TakYx50I>1P5%D-lE)TfgaWb=ZU&OJ_C}6yBU@V|WApjk{%?u@{r;jy zLTah={dX2UkS_ymU#QH5wEDbg{Vh?A-#>&ZCP@ov(qz2|eFGLrdJ%eHbQ9w*j>RvPmLfGp z4t$Cep!Ck>3qkPTww?b0=I5f8-xHWL&z&AJ{`=wd%K-5|(6rTBR9W}$8&`j_%%nk6 zgdU{)+hJ3TrqBN_t{a4AN&Vxx(Oow&nuGAi?jSYHe1_^P0bAv_Mx&|y78Qp5hY@Oe z#_(5>K!?m97(VGehYvmiw>jdqS<`3TFpQOEq^$i;l)!mK|JJl{r}HNA13*7Ca-8kgR^ z(Dw7)^Oa-taQ+bsYSryRULCstJp5-v~%r{+P(Iwa-dlE|13X6Sm zdK+CX{{>P3v|QaHDe;HnkoS9h0QiSxH{U;b+a zHs3bLe{INr+h6&!>&WSwzet@PRi&O+P(1m|YV{vu`)6}`{$%ujW^DgU2KBOvnr~zU z{#Pw$ge5p-^{157e6Am*S<#|Unx($TTA^Fae;F(Kt0m=PUuLy+K+zI->jhwa8|-;d z#PkLGFGk(x6MW0ggnxNpn;O6SdYRUIDb}JG{j##M&!oO~l73M|*Ej8--_d=7(gQHG zjsMzd0uf0X7#8pRpL?3%s~KHU+SdO?tkhpMPw1x~{-Wl|e>Knu-dwW)ZyN3(qBM8u zzZwYqrWqs&fq=K^fY1@uYoNFIqOa{A%NX=L$Iq4ax{I~uW;`RNY&n@tu0^VmX}_dm$|ohrPH!BJ}P`Y#N%)jJn8I-Y=%?c%J&c$%Qi6KOCs@2hynTK3SSc{@a&t zQ>!4T5t@b9v4BmreYf0dpI!qf;m|5~qa z8dASwv_z8rJ{Oww6_KKu4U3R1L9@jd2TSN}e~R?|Dza%Q#zn&SA7szJGWK^q!SuI5 zwiGSK_Ziu=V94JN*)-2#5wgD!(|`J@CJ9L?L8(PQG-rdh_TM^GwxpDi{w9URVutR~ z{dL3)O&0#rW`K7OgLg1fU-|Vb;qWgi-Kk;quj-1$N1>@v`o;10pB2WhYLu@k*)P@1 zSLG`mh5zG+i@y5oG|BNxoBoflIsc0BfB7i>e|RAFtK0QELX{Tl5fv1LLZA={5bhC! z0Gm}<0=%@FHq0V@LKjzmZ4pMZ@O}x+f4V*q6aHm=@}-q34&F_;=;!aDO@2!a)BmJ4 zp=0p>qc-_6pHD5|5k7iCu=Bcs_OY2 zas3-q56!%$M|J*onuwMm|0PZIcQK|x1s8Z>-@-flzO<-muITR=xLIC}4H8fb!~T^) z@YNz0`hl!PD42gyrtnde39WK*zKCH_uKypg_-~3u+KK`X^8Y(V=POvg@vjNdt6P5l zcbgWU;hg`L{x3x>d_lVbRNVoupZbpz>9!o!U9p0Dg~}0y9~}$_+t%l)jZ+FgdHWimx$M^VwhnfKg1@sOIxW)Z=AWm61V3$CE>y3lO1vnCg;^GY< zm9=KuR7OZOl%2&9I;$Qzn^jCj5*#CK4BC5TqR`i_T)DFP0neostJZOU^+R55g9&$$ zck#fB`&;B!tX%!o58+j-r&`y2g90G^>gfsvw@vV!*RFkYoD~Xkq;G$@O5~ut57$dp zuV0v|yicX?jqdKKKJZiU^y`2{5Ue>^vY8?EUNnTo1s*=;DpSK;q}go;b$9Uc#u z+lDL(S5HM^s@azBQNR8rZkQ_^Ua^^q;b%KmUUot6G#JMu&2+!owsyxd4hXMVHNiJh z8R*U*8_PCj=%vy-#=MHp8_Xt}`y6F%gj{K8+U0c#rZb0mp~1C$to`e^bj9xZK9}Ik zvG?_Gh^QzSk(&&_aVl#q_>k}QS%wjj{Q%wm!LRG?uOk|WB!348zPqtPp@8pp+`tuX z7}gMZXX!%txUE@7>?AdB?J6Xs8+QS4y3dn0{nN-dAuQ^Dx*H&Ps`fPB4k$V>dt-1; zbA7qe>M2w}<65xhBTARJJ9ZTQIDXhC>VTkx(o$KXTnOgxYjBpS20D{}S}dBmPHa#} zE9Iv~g_9=7(kJ#7kq-OHQDu)k=r&c#idlP8?U@PQzRI9t>1=KQ03y| z{EAj|{ZE1lZYHgR)D=9U4nVMB?Awdfgy1RiF7wX+PJV@l!*@XLy$IY@zF#ouz))>XFF`T0chbgIn8Lx%6l0jh*xoVQt)if!&h0G{0}dlx;aGE~7W zDl#HQqf)Rq$3AbsjiuGHPp-RM#8hTlXye3*3OPS#^x&jQ&+|(Yj|w+#`ZVOV!YQwd zUBNAH#zFYRvT3Jn2h&!QJmUj@Y;vlm{~A7%EFGJ6!lYth6ZE;;R!`YIO}fvX(Xuj^ zW7zUK?tKoVDD$Q3^e#z;iLUlkPZwwXAsu*4&!%z3@)Eux?+L5QPhd|LKgao_U@uen zpP$e4ol2fxNugE!dy6zSA39@=gAm8DG69*24z6vH>4Z&02D49Ip>>3w7tU;5IK5QE z0{yhcof)>pAF3bfcJ5I;lkF67aPmFhs8grvfJ*nx?#r7;UuqQirUpzA=K+vWRj%crDJ$b_9Qiv2(D@R_+3RrrCNfO@gdx&B$9zJ*L5z;KOnHOz z#IV1cw;b=r?YhjH{46UEiO4s1+;iBOX^Qk(CaUD9Xv&D+-vPNKaNTCz@8$Pf-$oXoum zji^=)T@N^*LlFIl(jaU|Q57uGIXx}3$<7DY(IP%JBu#p5I?{r(;Igxb2-u#Tj(e!1 zP*8Cf*V5&L59=IHe%XDqbO$-#Zm{uUoHqWdW1?Q*O=7<@dQbL)f)G;v*q}@i$;rDS zvqaI=d2bVH@+TdW7cGRahS(EMDj(~gpbF}(;fiin;!jRXL~SaH67oh;NU*8S%0S}K z%+Z2^y?J7XL(gi%%25}jmkGG*TtMU4HBq*jG=(K0g7+_ zG&8v!U6qw#n-dokZf|(anz_{N;y!twC_7fGo=jMAfJV8Br`lX^68ByR&AD>O1O1a4jo+bF0qiAKlvJ?QVbV;F%e( zemQ9dWLwuI}-ooUb@P)iH*4#dTB-AJ5L|=Z$0A+wvy+l3ZDn`@5$m#eN}M zRXO3RmtDLSYO-=|S-NCYJE>Cj3bEPN)NM8=y^P|yW{N#;AcMWVg(uH|p+jmn>_>TA zVTSjELffG3^>(v)8;C2yW#>z&dIW!c$!I4`ObAgLdh`u5fu9XR*5I~9 zMfq@J-n}&{4%{6kbCy*hX0&eLo`7XFRydvO z@=UF{l6#BocU>~9QB2#j7=!9h**SB?&s2!^*QBcYal;y&9|(rb3M*t@loMOmT6l}w zy*!5rqn=ywc%V0meNR)WS)eoL(+dsET*RlXtv!19mx2_Vz_jc{FULf8+%TrnAalAM zj{k(VXzJNKnje&3)im84xr2N?&C>M_TBeubrUHYLO7LB17%9@hDPV^1Qlq>f-Yq0- zkn6y$?Ly`D+Y&&o8ClD+h?ZX3vPVRAFk0JDxoi7)y~6i zZaJcxjJ%jlsHn#nogn$IhewHO)gv2sf!lmUc{h}@b_fP_^Fztx1l{z6v8*BK;z$9J zod)TsTel-7Z|t9je7q4U`hFJY5+&)-AJ<;MxPrZ?K-MZ_W}?>#-gN))8e-Aw)1@Ic z>o)Zcjpimf%I-gvcE6AB`?<6E#kXUSal5MXP6=2zS*Yt~+ok4>Rw1jddZza?Fef^; zj|atTZPW9Tk;|O(-sG;edFP>BYlsH>6v@~PPHj;xpE#yS_?dKuU8k!U56%(_RO*qF#~!;JD$E+o%MTPwLI+;17oNSdAJUzP zuP?p9!slA3CDWF4=KYMD@w#3&vh^F65YkJ6W`WwN{lisbBg4$M2W1%8GOcoz zm$2(|-9L9IMZtD;wSf=UnYlM?M8<0a6>BWTi|mIjgPW^LAG)rd2y5-$F!7e#T3_h$ zOmAUf)87>BDayfoMBC!sb*!CeVmO?bOd(~NLVpRZ_oEKbeKWmqZkZi z4o}xHvOL#oW8YTJuwvSuk-e+~YM#*aBbS_2W1j4!n>c@{7Y}8qosY!q#@i=RTVg-n zxi#<(KmsA$7q>ER?HKR`Jb2NoRLdk^I`ukxO!t>LTTPtLA*Y{yQ79dmaq_u)v_io( zB9nfazd%UDxz&wwLbE%3wZo0Dxn<}+>z5;CiV;1c!7iR&rp zSis=2bzWAXm*!0mRY^r&4j@4`J@*T?ls+RXc8qu!8rBFo!vt3Yp zLJ&VvrYI9yFRW_@;W}h{q#zRiDpMYvc&nt;(_X)BL%2eL8}7j{BKWLHMRIpHc8}KM z+j}M3(#`NqhGrL3mEW3m6M<6C8dsHmGEuhy|Jzz*;k$}3I5*o>8BoN z$ZSP#Gyg}`M>(gvqd0QQ65Kg(8TM}u`F&XReEs_M-+60z2l`QNp5DcvM-i@(B~}I-a8!is+issx#aIEW=*^+ISbQuYW+(G8hmCMHy8J<=bFAsB3s;* z&=L1DF4QPW6DokD4yDUhkv7Nun3Of;L~3WKo>uGM?|QCwHp8-tujvM8`yJ2f%e5aX&EceWrJ*;b%x7&;RdQirpueHUrAJz!3wN040CTGKrC zJRoT20mD}mtqpFh*U=9T_y}Hh*`|hipwBdszGh>iVqn+BX~U=S!PS>Deb-J&>$eNK zL#FC_yHivXj~a&KV2!!CV}n6wr(ayB?D3nP+P> zHu>nIkh}vDNWb`IJuY99k&2d0^yZK-q~za~KJ+Bd+$S>e1pe7YD+){v2@9X9Dw zAa!>%e9U?F)w4&H>SBbpi=BZOEQG(q`BS;KNijOUe04LcS8L~Vtye)T^VzW+oFV@8 zp@Y>LX?=DT+#LxrB4cv+@twBUC|N2s>Xdxxj&qzB%pWNgbXa{i+7TVb4UZW*YG#FX z=Fy*)?cL<$9Cj{sfT3fDj2p&pqXofC2xBRfG;qiiqXVnv##bsTmc7Ve_Yn%6^+ms# z0V*~cRa5`ijg-SRZ{s05&srtF@|g z&bc>y-H0JZDZNC5^78qL<#;dzc!-$C!~2+P@$4x%R?@pWl4RtZieycpW)=~?-ny0y z(qU_-*!vouXd7}4T9ijJYm<+_GY4vbuv+^NeaCHI@s%THAyLlK258fE8P6FMN0Ki; zyTKsz?sK6$gejbHBMz%*wj~}iAd`{4SF5>~b+Be5+Er53)HSmf*_-eZ*CC@?+uD(s zSeq+pyP2hbGA-?{KE)muxf@>v0h zZ=qfGsJg+euD0!-W;EE@Q~(V(X6|*vtes+kJDf}jk7|Mjz=LqUtcGDhUEzaFgI-$Y z?1l&J+nnx5!jd17eA-n#tls-=>v?}I=)VD)N%{`gkwOqxA2B*(WF|;Kf zH5eM*Xc}`X;RMCWw@L76(o}}KeX-|DLnvX*^lJHcpLTOZ>ATA&B_V|0?YBf$XdE(^ z;uaWv*zm60ceZN=;^6>M%j_syE@u}qx3XE0 zOqk%|L&)3WRrR`Zh3#+LBx7zt2X<9dG>`M%-0rgh;n#znX6BTDOr$sQJ_4#uZp&Ln zhKe2+dF$yr<=vsC<7F+YrxYmrt~ar+CqA;a*tMQWA-#`%$demZ-#sxQ+NVGXd^{vg zW`8U+XP0x$b~>oW1&E_cc(Zj+1MWk*#r z7E6ct^36FB8{bKjm^TqKXLI#AcTVV?9DBwMtMyzvy)$jN;96V-+msN~K(~%|Z*5#n zbsWKFSTODSkMTe1aSmZEZ}tK+u7bN+PWi&+nKbsOyS#5ZIHL?1^0!wwKXbeH_9;p{ zyE0iG4HnyGqM!}$>gpF(m(-#@_s%jT{~c@Ut^B+47YKZ94V+Pe+DLcJSDapuB6sow zLCu^aM)+xN;UbE0_gcq^?zkjEU`z8^o(6Fo0lFJcFo1@NbA;dF?hv<7Lo53bs=AX| zYtt#Xwzd4lk8sDfc6C@=+IQS`7SLizun@+nvql(@DLgKZ)k0jtT*EKLJIDY1Z@aTxV>X5Cueg2{GNza0zdi0EbTCI1+ zG0v<)9iT$9?(UR2P$!fwCu(n1YAR}XC7p|DaVT?({JYj|RD*lSGqB#G`RQG?P_m=n zX4{qeRyM492%T_s)}n|^^El*Wi=N3SQphg8&}A|Ns@BhH#qM%pMX088r#l4E&WsN! zx9v%(I9G4Vh${~4U%$yOJ)y$>7DXA8wP_ay(JAf6qj-MuZ0ZFms@J8GQFoIuljK;R zhiZ^u-qt0fSlgP7Q62~izIMnUG28tVFaPLztefGQDGPBq4tI>goX)6Qki8uFO%7vZ zp3cOe%)5A9*rbO{*@q;%jeJF!TpPrm=&KK74}EX_0w!_Z580U47Vu+=S#|7$TlL)F zr!~&Pfz8|b#$@K zX%@0`p?4CT3^LnXJU4OF3hkLf=(O$8Q>BD%S4XrK@m0R*e*eP~akgSUCrKFo5FN}8 z*e0rS?$l#9Q-N1cZlOMY2zwA3l#)IDz6$ek%z`E7u6qW~q#~edaO;VYP`@k=Im^B| zVokn3ayWbl)vymNz9nNmm%EDX12_jIZ1;2+<5~}^*^ZX3t~f1CVK`@T1i$mm-rmzb zQQDm~ZvGpI%$#!Plj1Ta8lb)rxf8{$NAbs#!kfD4%!Wyi)`P83B>TPIP%?5Xhc~(2 zOT>PH!)SQFfYIpSvs}%w6T>cfn}`vD6sR#++AEl$H#}2_L)VEv?S@q>mx?D4;1HSykQzBj@D7y+dohT?FeKwbb3h`Kic7PaLs7% z#^$J?fen^RDDBK$%3%lk@o4nAG9EbVS*0v zkdL0?OrN~&y6FIQEaAL1FW*XU?Ud8)bK}F*s7MdR+*SHq>r+ENsC|V`4AwTc7e4(K z`N*pAQiWzlwEN@Ev+@l?e4D|-)SP#5N-AD6MQ$GnZujqwmk1?FPfu`(-r6E#+0)V> z8P44?wf^q8hLc>OhvYCRQm?4y{avfDFdR?^;C}2TyKD}D5V5J(UR`;kGf`x<=?^kf zUGY~<^Na!85PS1|xI5ao9$mzr1}LA{_BI5VE0(|#tJY;66VJB@*0dgHD(6=>i*5jG??!Xffgu1Se``J0CAG+r36ljf(y zt&DILC-fdXyO$-_4UuCl7#&)D+r{h-g&N1&oiD9?7pbcb3(Fi1Ff$}a4Z^G&59X1{ z*BQ&oW&D zq1c`Yo7@QEIYsTWjOEj~&3HJbyC~?PJ*Kx4>q9sw6V048oR=MAB02iq-PfhsC8ho_ z@u)rf^q*Ycur{do_g*DcM#=;8Kd_9gXMn`s zr%%a@eCpUXsKL;P{Un~%VBD0|;G{wh$?aA6i;?Hd#UM|#(NUVE-3@-t z+vzoOwDs+=XamdmnL8P}9fCg2)4Cg*E`&*0rTlmhzE{OP_C$nVGf+It%xV1}(sGoo zo<7DB%_>slwwq;Aow8)(Ld46*o-AeIua$hK$`RLAUP0jht2{z09fhq)d ztHZ?s)NqFS`pB{nmWGwJuGP{-nT3J7owcQ0$!P?w)zWt_DmtrF?9~1N*t58nJP;>z zk?lBeF~P&t_poDk<0t=z4^rD!u^y1!Ax<1Jc9xYJg8t}(yESOHW8`wUP?OQ9fDExYTTANmFc*prUwxfO06#P;BAPU#PIur;?7GHYue%Vgp!avw>KMF5Mb=lftc zsG?w5Af!v+QH)L6mAe^xgX@CV3*8y9!kZD~vZF05NAoN0Q!ZBU74SKGL`>|ERFj*o z)^pkOw7tMae>P@%stjHBlEJy&^&C97K3>3pU{26Ug&il!dL3OF2)_Ou)!Jg+B@5(J z54-l=kdb8crxy7;NZr(;aRI@=dV$MATbw)YUok2a+H#jJ$HPr zLi8x9tx1o)J~7B7yt5;OXQLbWWq@$Crc!g-A+27PDT`5zT3E2TPHvpqt` zKVm%l_!PngfMd%EfBG5~!RsICm=zyzz_5tmV8<5mIJiDwIMZOjS%V9uHfJ4#_Au)` z0R)E0@s$=T9JvlAbUf+)z(hS*%Y{X-FDIkLEu8tY`{eZgEoGo?ZldD zgby0BcH>yYD?0;cnRoUDI(U>oN2bSve4E^Jsl(}V1rs5yd@BL7Rn8@T*Zv*IDD2$< zwerPhA_LtsQ2v8WDJt&|uZcnSZ!NALV!gJ7Jls^$ESIAzP0| zgYdVXNT*}m(8mNcj?|i?u8(NB+h)r1ju>+*bo%wc%+C_ZDbsd!n~<}H`CC1VtxUlpLwah%q>gxC38cmwIF$o zpcZ7~Q8FkGz=2eA{&s8?7ldfQoxFZ&8OAdy9%_nAG`8V2sx4x+sjbBD{%O{2`S_MQ zW~6sJsX|g2)TqEVWUl>Y6-RFFLF$l=8>pReAfIz8E9INjB!uAgSdQ^^dwf^&hbt|msU3-CzYE$`!Q7e0IUun*T7+s!wY;&6*UHEkrQnyQ37 zqDV?JCtIHzei0Kl4E*~#lR;{v_KEWdduujb*+pDstVHF6S5ba!#xxYW2RZUrt_Up1i>S4EZhg z3UWLSGi@ffe^`pS6&_uyE9$tTwuDEmpWnAyurRSox4z&K`Da={!fQzNZ=w?5jsVp^ zu{9e@Etb`oac^M;JNwBx@Q2-0pvtEK@IG=~BPq8OwkuZkg6hdRDVI-D*!eP&25?tW zT;rByvs<}352$sLUclVE$z1&i6eKz2Jqc%7PVV9^u>X9lH;v}Q{6|iM{d+RAbLTR0 z9yXw0j?!8%7cNUBa7l)$v`!$G2}uAy3vN(uu=Xe0dD!|41Fo)VR8t$&!A z%+|jB{rsXhfrsF1HoHeOeA~WNx}ALtn~`~DBzb2RR~A>e`$=mU_0OK!x?;jcH@GBW z!!RTG;}z|Gf=FVVoAase;PRVJt$FFb-K%b!g4-FSn+$eP_K-QB)*GfxWa$?DgOg`A zw=%afSHSjVaa9kyDGyif%*2BgZabdcD430x%xx5Z41Ld4GNTyczHgKnae3uskATZ7 zU86c!XA0ht*5HLEU7u42-!p5&9pnZBm3D7n`8B()^EjyHzAJZZ*fPU1V*{pW6998> zrA#UMaP7c*mG7%o_2G(l&%X6Qwfy9gHSoy#?kOdaJ)Tl;tmM|(dVJHuLTp+&ZN#YH z_Je~(I;bYoE3Ot=x?l26ATr=RSmLy8%Tb996Z2Ii$|s)1!(wYbuoy`9YywG)^@fH8 z4wJ7>_z=3c#R|=X#WG_0x-iYuvCy(22v#=;Q;)e=HAo{u&)d9lY|j+MfhR?Pe@r%qWwI zA8diHI2p~n|Vlr#E%UfLxC0ZXVFzp=+9${Aq;x#=ilcTXPX zSCA(eab~tOg0)wPYl&2RmJNI(E`6OtiI?v+N~k2BW8_NQ@%u4#1m?>#Keor)-Qy}| z@c5Baw5dGAmk_vTcBy+-#R^a}CvJV0d+{9PeJBGn_wqOHTK|5C8{Y)AsqUIdn=5Eh z@*!y799puI9*tBAiIzvegEV+nQK?%9Ji9%Uwte#>caW?W-aK$2xb`*(tZm!Bta|n$ z(6e0n!8f>J8A*(fsGD7_2X;8|>dQWuxRK*Il7+}_ckA(w)oCXcs&wbdikLeur)*pX z`_PTA$e|8~3=SM!&fB&)x<-!88xZH#JB;_HHQ-@`12z?PMGY(@P@fsi+{^4WdyYH& zwM~d`B^PAbQkqdUpr{3I)x#pC=hQOF6|0J=WW)f7NoV%(=k{hR!#+k34n6m7l)Tb@^Z~UlXdsLy_3s8dWwB zb90-YDlqcTUsoYdg4!o3>%OP8xmhUz0xEkyteuK?gq7A0{lCKE;h= zTR#kJ$qV&GdyV+s=4<7qOvcq{BKvkWJWRjY?U#wpKeM5??1K}R5Y%NRzD{(`OIzOY=-Rz#Z;(jlKIY94+=505Hi*Rs?=4hD zN63lJs5j+dW5p~^YB|~FN$k}?7Zc*UCqJ=(ViKeM+LCa!yS@rng#ZEzB03^{SNAsi zvMLnF?trsq)U83iv@%>hHI*7AgcwDrieBMhyj%QO_LvK9zz&YZ@x>5LnC!ERKp2us zfdnWA5#?fl&JsY|sQ9 zKNOzgn4L$S=q+dn6Z?q=6!HX{8X3BG6>Qeb$FNbK5wLP?>KjF$j_eL) z5PFGDLpjE^Vq9x#qxLwzN&`anSTNuA%Pz8k$^)I2Twvs8YzbF;I8M&u4r_{ z!ga_MyN*pH5Svq7{lia3@fikDBRUOy-t62V5VPa{5WXS}S$?VjZhWZ^j0NvQ#=J!h zH8;e{m`OtR71h!YF1v7ae)5lvX%rsNVh}jc6HLJ-1P%sD+7Z)Cw)l=hB6`UeBBUd@ z*(z)DcUkHUyH9%<`}OB-(&Ro?-Hd(U)Zj|ukmbovRk9bjRJ6KrhesoevW9|N+MEcN zvrgc53w-NSux1dCKQdqsQ*cAJ!7aAEdR4C*>HKJlS{5`nzRTtV^F*HRh12{5uXBvO z*%(v*S;hqEsYh!`0f(nXCo^O)WA|Fc&jm~ssNHx$tW`9)e0aFY{^W^BX!2+g;S~NzAdEamuDpA$4+yl+R9P`c!m7OBB=Y z6q4ElOTClf#A{Q!t$VaMpGj4vzKqR3yt=q%J(2iAo%k9qW6}hhR?m*KJirf&|BGVt;)JwVp&647Fj<0dk zvf+9vuqv4f#CV-+7inTv9s{J%1Hzp%6jDKhy`A0~5kqg_oAN!q(6*gTn#_?}LyNCY zOHWQmxg$U%q>SX6lM$HA0uzDL>pBaDf)da0S9(+4x^zr@RKnC?gQweN944>li69=& zOf)!YNxw!RRJZv?W@h@GzdAb2GHvZD4T43y+fy^`<7@Tx`3hMq1Z-!Xavg_Q)`xCfPV zs}@;VCHYjb$VnJid$Hl33KnQ2t4$3~np9J_) z)G76({u{S@BluV&*is{-+QxF2cFHN7h&ti3s7CEn#%yj2@?mGqRh!&)OnNx0$>AsZ zXpYhsQ92;@seSEnXK~2xFe#|)F+JNgc?Ud#wDBM9f!whe5@zdh(T5YB_A^r`euJST{v+mh~2 zo8O!3c+iQ_ncXTnqc?D-xUMKFn+VSy&F}Ebzuerw+9vo(pW$6f@b-{T5(gp*S5H3I zyR$31D>VtrJ3XbsbvT-6XJoUw!U7nSHe{j=aY0qSiUC$$Uny{3gEPfFH*a}+GPjgr zw|bUA4k#uhzfURc#FQKH7IU!=Yr81I;feM>UQcpsPYbGqucM?4%^F7V z8XMTNt>g^LcTlS)9*sK@yS%)2s@5AY*c+HPpqMv1mtT3!ew~tx@g$6&1V!Y6?!?#j zN4O4|=VqT~v9LM);Z>=<+?-ND=(J6WabM%ahU|%(qyAdN- z%Rp`VT0Osg*+Bx9+a2dV<#xXaZ_>)^7?T7CC_?p~#DM_u9#9>kFP(`$P>hLVn zlnC|JFo!GZ>F}Er$VK>Y>)=26hn&IvMqp0-eoOi!mzL_}0Alv@%a_h-NpFW0bvAqf6Q3u~nG^^KjzxjBz=7VSr z->Tl*RJYeAPU_TxiC%q&y78(iK2a#txXs*=YarR9o!Elh+0HroG-O+%x|zM@B}=d3 zD3|n;k6k}SIJ#HgVsL3`!cL51nP#xpGU{{tV930|MhkWJL11KLr=2)G+D;7I(H#hi zbRMJ(L+s876-ShA$RFbFDA?Dn${NUix&+h#@s=}Oc~&jW{(;%;y+9MjbnjduRLoyn zM`FaF2IL3Gaw;buny-X-=AD~s?aAAlPf16cI^l<*DiQ4Up*QS&(Dn~Eu7v(%@Y?0@ z{fo07}l-4O{s|rokxbgasNyg2bBFsv)BPmX-D)Bu`d+d{Ts+9Z? zF$(+X)CyqtuW~x>HMXmWi7b6eH z#M5<`MU!3C;m?wA>N6IpLYFl57jeyuUvNZJ?X793B*FK_jFKA=VIwuBj$LZ^aM;=O zAH5~ad;ox?F}fkIY#JC@yS*yKTgD3#(hgPan%wm)NodQCUDkJj0Ugx|T@gz?tOueh zJ3;its{mB0UUblcblqPSRX(TCPC-UGqWe7Uk7sKhJ*rw~J4DHIEZ-c1y*B&E%=F>F zZ5O6`ahD-mijApEuiETURqdiuw5zFMLrABzXKRx-x^b7r-IU{GV1z0HBecS02&DbA z^DC03qoyZudhH#S#AG-(9K|+%L<27>%+5{X zAl_Ub9e?_OfcHdB-B{-)B7Y!14}){tfe;9<_Wrk{b))s2mXpIsz4qQtn<51oHhryz`-%hf`vnsa>a{73LV)T2w$nXZDTwhdSo2 zOju%Z^h>V(y}Y-!je%nnMy2;2kW?Z!+DuN=VB|aZszWm~T$iUVJ(*sl$@ZZ?H3Uj+&~TbvUB>vF{*R?=_}4 zf%67eVajw3+h|~9s@wj}IVpK#R%hP`&A?k@ec{DB+D@?6CrVxLh_99=%gb|ZN{c^r z=1r#RjB=>!Oa!C1YMt+Bd8Qse9?lX!7nYh4TYdf_sfoKYhIB zWd-7DY{1AwG11)j>rfAK#;N4tqdr_s+lULkTH>k-y-8{PTjxX7&@`gN75qI8*1|F#Y4VAmZ^_wewb~Rr6V=G-QJU5(?@Z-iSKhJyIrE$*2P%*dG*G8$pH8Enke-+*} z(xE9YIx6F>)5LoxORm*ZJm|om^84$eYHEu}BU_cWzKA_~XU1Bi{1!MHaofe-gm7|X z>PSPKnK<1ehH|MISq)yZTO=ERdssOxb7}P0eB_3E4#bue;Sdlo8m7DF2ks-RbH*}F zk62ofsU>dc8T8|_>G#koCj$C*U$3VVtsqi8E0KrPo9Z4A7o{83)4!GhKPs%I?MwV6*SL5r0~#@<#aLM;%eK_o5vGIc-M+kE;&dI-orCv0GjD zhs;ERj}D?YDZii`+wt*qiE_lpZMO~Hy}YD+c}58vUz~5BaY9rqV%FU`%B*~Ve5tEP zJ9xUh2tQD78Lj*B*6c)$bI*j_%W})ij>gu5>^qY(Clq`L6L+O@TO1c+6AgE`DQVyD zxUlB^g4-wM@N9x!3*Z^-BX#kB!tm52Gt~u59m+uW`6f6a+yA9Ut>zm8jGHk|gcV!b1Iw*H={LMkJY4^8r8Djiq0%}_ulfp()XU0f| z7J7nFE{(-xA&8Biu(l(l!uP&s27sq)s0<*?(6&hKZ~nbw8SJ z%S(fp5woiY@QbHcjw~>t)yBpLIUI%^qkTV6&s?p(h6kBM#W#4!%fZKx9=PK)Bz0fn z+6tCP0)Zjjvk8=99&D37%ksSwkr7@xxCVcZ)Xp|~J;W6aP60eQs+zGnqwBJZ>!p#w zXTxs1w<2zh9T)&7K;A00i%TNmJ`Sx6FP~ZBU_gwQsp-*@XWX=w;b}>$iDL&MI=cim-=6pc1x_(YSvp&F*pU-VmDd+W3qn8}m zo5erXYlrNVDRO^mq3f8%2BJ|gZQHBzTUX*PyD$ykg70}q$y9WiKF8iO;I3aW14|TS zSR64<<^`S=*$Kpt?C>Bw(bGHLo{HB$;9q&L_KEm=FZ@`f)T`OH=HvOdSS&Lw4W=R) zj)jq&+S`xs&7%Z{6yvZB>2o=4IWV!3T6+!D_AHc{(BlD@bv~io@WP2wVtUHCI4H_b6@Of_7Vkd>|aEl1AKe?1nP})x5hZf=Z>qFQ_b4i>d z9Qv$995QLa9iCTDHmGrh9-KA4Gc(s9JvEDCD!6Kb56diNZ{8H2I+VGrn?l=dsiS5mN3Iz?Ys^mH@5F=^W?Y9N)<=exE#6BYP0>^LA9`PMTNJ3vTa^mvnclnNw=hsEdc)M-Mi?B->oy^GNk`kF|7q zc^k8^Qs%g)*U^ep{FW#*JuntfMQA~-u!r~84osVw!Uyr)(yLYL%ZZD|!s^$U?f~fy zI2!{_-b@LsfXFVbU#F(F7wTbHfacJvy(0)eEr1ff4v#VZ1y;!cKT?AILWTQ+?_UAz z{SE`0=?)!W@nvB+)u)-R@|>1K)JMy1qh%Jpjo7-b;jzm#*WaJO6@;yi^zXP%IXr3i zXK;Ck7%&v%deFbk%Qjwm_kE4OKAx)-pRO427H&y!A#Pe5uXpom2gkE&~P5Un)lz-yUMmx5=n1*=HHKGBAAp#}mizIYv5l7A>L6+HB^&UxjK_YSd7vJUuIiuGI|#y8B(N-T}@qa9vB>m zzI=2Z(RgGlk<4O`AmQbUvFQmb!8{p(qw`zyw}5Qc)eFDWsbk6b?L-`6M>@Fx=w-El zUbd2G(mHmji?Gh+7$YwaPKyuobPN#yE0*q8aI;3D>O@RQ50IN}%C-O6*eTbV!f`*V zx!z&29cS_Id%0D9&6mA50sNM2Ma9{k&2rY`<$jvX!d!atqkRQfD*d{67v|l&7Sv3b zg@w*bqXwFc!kF^RlIguxJwohgMe$Zb|9u%wD3~1uF=Jb$SvM1qzvk3{fTSeaW+d}d z#-ztDygw1&!ge=>zi7Qq*>&!d>huB=<7(@MM<4gVp=4jId&Xw!hhZ;uSDO~Dfa9Oc zif?z^xw|0gH${nFz>b>evnF)#Z#~UG7Tj2lAMY{T$amFL+-*zP`<9N~xm|`es!ED- zG*G=@_p!lOkh0gin_hJK@M|1u#(ZIOlN&{trHpWflHPtI_Pa+e}qs!xm%e&XvnJF4=su zD&xn|UIPSgAdb|o@wMwYWaf@AbTZ-JZSha%(pyfO-rAw0X|11Nu)*#IPj4B9p@l14 zZA2}@7%&U|9`FLo1#S2AqWt#!odQdTvCYTsxyb{1fMg-aXYz{H7JcI#c~U(;0M^is zm;%TkO|-M*H{y)lI-a;0FRU^^_nm36=csO0roTBKIFM#-Q8~5whR3&j{DF!Ag}`tUpX>c%MEm)Z7RWg%)wF zb2nSDvAEIp*Fn#V$s5vaP>J4+jtZyGj*U&mtF*=0i@=;*<&lWpaDQTXcJIt3 z9+Ml*XL_1F`(sTS>6uLte_bq>#MUCMxlb44(LAh`BPF=fvf8nRB|QS*gO?1feD(qQ zPkm5>S##$^#dL0^T;&yhQ99jR=OAd4yRX2siRF^HBb6pZ6SXF|Hh(lQ{ZyT#Uw&KC ztwU48kUGrdjL{eSD)&2M+W9VB^#n-owf>Gf;G=zVT4Kh$;AWuWLO+3RJJRLDrpY+< zgKzRO9?8Yx>z^`wK32IX4#k80-G5l2^>_l`RU_TBOMItx$CqVvpEQ-eez29RH1524 zUa|QDjqJxMaQgsoowG8YOL2KJAAHqP^JQN+(B3iK++tc zxyd`N*A5lmrW5}@ygS@*4EJTFe^PdDIIP%_XoBXWkQ;9vIUgf_t#v#YvILW5^l`Ap@ zIq$7HbQ0!dC9J^T`-Qf}0#*6gN9WqZJL?TKK{90l&E6Nkzr1mkWuVFXu8#77pkEZA z|KegX+2b|l&(+kN271bwTlxag#<$Q*$#j^i1Z$b!D+yhsvxWyNiQP)=;$^(|xSVxO z*ZZbI@sm=y)o!0+>x2Y(ki%SN?ail;ck3Xu+Wg$IK6+=W?6G$?G>o@r~cEl=%E9q9-m&$FtYr#mo>m zqFm=c4TPm8$D4=5!m(W|(j}j;(|Izl+YOFQP2bRI<2jg_4u_6ANa^kD6*EQzRn%I3 zyduZao0G-&?v|vv%#RGU<|LObv|n6rElQsMfsn_khl1A@@|rgs+R@Wwp+d+HI_%4{ z%4hazR8URra_2%3VBKBO9SsAaPKJ9v>Ov^rjQDSHIzmDz{EZ3U^wM>aY?Lt?pHCZe z^(3t_FI@ORI}? z5q3UhpT1>Pvbhu}pLQSYv!0gUe@i`zpu4g*=fQPXxUtqjYYl~9Y;>w8s;Pa1+u=s~ zXN#`_%PBxAX6K$H?GP~bChvAxMaQLr8$};6ZL#8uB6nZ~pFgeV;uolyQT(==OzZ7; z^>mu=X3?DA9V;~~wyml6^;TTip%fBxB)rRv94vOvfsUu2Xv;KplRYR&bKGqYI@kz^ zwe}nsAi0+Lz2Z|=Du*OW$ANbBdAsRe0w|tnOg!>3%Zy1aD%5!hfYC(7>p6?q5Mpqy zC71Hu>xt@{zveO4rOwu_GdZFw?jAK|l&R0fMHkbZCYL!~TavKtT0z`i)fckZDQGYH zkWWxd$3E}Vm|JYfdkIAB&jhghpbIHS$}rU)ZLi(We85CvkUxVY^wzJAaIO$u6wThF z`L>;BdVUVlcR<>sUH$rT!T7HH)>F-@^5-cg+a{6$eabqRZEZV(hWmzH6A)L?YQxju z@}n=tmKeX&%WM|HOGS5Uj^Or)S~g#<#X9AxdVFA%a=*r9s2JvD&xC}It$Ro5<>8b&V4iI!D2s^Ah%yz>cG59*$4&J=~J z?H$~JG5>Cu3g0u^wEtlSM0`OH^nlYIE|606UlaP)^PvCRELI|k?2c7I>0^V~c zJHBS!K2ciZ_JW$r*V8Oy6b+2(PDq!qMUyXb&qD2$qYYzT(okPB4F=}}Ef@GYGP#P^ zO1`J4@<*5vUZ@K-<2V))!+mk_rRXsR6;}*3Au`*)jzLYef7fQou=2V34F|TjCF9dN z+8-T;b+S9~FT;NAW^tJAek`+>RLNdzzZ{Dop*&>KI#G9!aNQtqccpYR9u&@<#xDkdHJZyK0kVL#r(%gEOu_jMQ!ClV(Q;oL;bNAPa78Yz3=$e9$_5vxSvI^_booOpK;@Ua8ySnHu@2Cc@-JOGlpODo%WA>X|N*T zFOe^c^IzXl3{?}t9cAum<8HSKFyib8f)7vKPFw_+@`>>LkN{ZOD7B-3aG}23Zew9@ zY5M5$k^;!Vv)xA30Z5Ig!{|Fuuy&W9a!jziFL7)u=NQvaWIG_KkxoLiaAwejmUG)n{99cv|)Ii{mVzSS(1E4-vvBI7E`4_QnR!%@TIE)du|*+fPmYM zK&3XPSg!*Xwes-NyF6p|Z_O+}Wb8I5QzHrroQyL(6n8(5aTK_hUe4vdvFs;9WF@e2 z=*`+Y`B+?z-I6cd&Ab7Qr7LMF+ohLgn6;$!b^w98XwYX5O+xYE@lE@X`1x_+WT6WI z#eJr6LO0kpt=f%m%yblS5IZl4-Dki!1Z;UmR^R8@7Php+JPzu=+P@9Q4L#@|FnO@| z-0qot2_rhvSG?cbvXy(x`*vNtz(aPDSPQy6?qvZP$Qub~q2%$;OUEE-RVkwOjKu4D zGv%E-Aw<6DR?Z6~iB$vrJpg01Je9z|S+6@-<>gJP=h|q2<6iM(H)sn=Iu_9J9|t_Qp3DYQ`014wr9R(C zUQH?ekw3PEP=5DBHGetomW-BaATG&8*9%O|<76*|tY)b{9M(D>)gJJ=`ckH3$s z3Xv?r5dh+_+T&14mjk7Ae_Rj-b*J9jh%q+%Xz7qNZ7 z2{K!9c5g3d?+jxdkO4zW{adU84)tkfJ%zOk{2W8BPpaKat;4aSwL9ly>HG2wr*&wJ zH@$E>hdR>s){n*7T83kUtfP0npK-91RIGKLNpnKqdSvh(HI!!SPTu+xr22ZN8CZOt z^yLaY%Y8C6pTm5)wA6zCx-Mp&`C0(m&_R-k>~D3v5Se-l{IxxJ3cMW73|R7*{OjPr zg<9Bp^{Gd`of>mMI(q4ZI^PRI@rS4VL!O86K~wI}a^nhePJMDY|L9(@uguW_?`4w# z*|ce(vX?jdZv0d7(z$CNBGnuCVi_N(irEZ!5YsslKbFpaT~H2Z=`<}U|D=|E$Cf{2 zV8>AS1kpDepV5J=E6!10Zs?bjp0w2Jz0=bzX7cJX;1oxWvwk(K*3MSoi@j@@{b6;$ zlS5R^c;wJw{AP;iY@J;(UZKI+8IXLReziZ0m7g*8nahz_lN&2n#qO=O0HHkYM>x} z%H1t#Gvz67;fJRkKlF0pd%aY#U6Q8ivAr6E3#f9frt5XrvTcR;s4woY#JbBHQ?Gc) z>7!*UScy5hk=6aG7!(`p-0Pk;b*NLaAB+jy4&kGhdc8YYFb-bnsTn6) zl7@C-p7nRLdpdL%OAZH@e9%4b0`4N<4!|+#Tw0#%;n>^eD}He6r^9BU68qt_OdXpq z!W`_GQel_NBgF1t{o9~;1vV&4lJ_$!`umP`Mlq3ATN=D{rh)xI$7@8z?lWP^cFP1Dma}&7I_1PD#Av^B@1fnCEmHnXO=;nW$Grpc zT-V+_Revm6IwGDX?>>42;|@4*aQ+Pd46s|2MrR~uSXynly8UchuVpt0su4vEY~nX* z;iWqAh{Aavhk|97aLhR?za@d(2TKPz3{o}-i$`(#(r+>XMw&lRDh>DV2wd2)Uszxw zME2fEzD83`qFrbq_590%)8Gcd@u4WlR2Ax@0}Z*q1BvdPszJcB9imT#qtcpn)tb~qul3Fo@Zo?kXT>AJRm44H_x$P&g*M*_+k%EC6-t+5_cB9UcK|8Ky0`Me&vy8Z=k2%% zuQ??4NeO4EV+kL^7(1qq;>5RUE*bj0cxfAaB%ZF~t=G?2b;Hf$OB@W|CN*==$#^}| z?xdbc8W2!GZB}EY_#q%d1_=)jV?);Hrr_3PO5(=M{${;fp2d9h?0~*->!EUDl-8;tgh}bomyOd+TfOvM0M-B?s0ST9VP; z!WD4KEhC)$x0zcmUG^UV_=`}iHH~?prcUeiE~}K*CF529&+3k1=>*n@kE}>HJxOs~ zoJ>|o4@Z{s$ML*TBTVHkU*^{1*Zso>hg00OHh;jU&J2>1EQ=KyM;|zZe&5hl8yZGX z31F53%ChzEp9a!Xt0F$gB;N#rOC_qx9EOEc&b<;}_+k&n5+HuVrm?)A#obGT%Vp)e zoutbvRCnhGr(qffzN@m;a7%}QI@hqi7;x8PjQ`Ih)Ei4xF~|PBS+(&;4@BHbY(#|4*XsBTdj`pP{6sCQa=Qg67p5!qyr!d@XHjV;2IP&pWC(md9U?H#l||0@7@we4P1~g>9}kfdYB`x zvp0dp!(V#AXVj^myl8k+m!TzzZwkKmieEMVh|#C@%sQ1f$3Jcsfg`k~wGJf)40Y<< zdvuFvKHN&-*B?Xvv&hk?ZGho#r|~hmsd~nm3~hJb=Iyt6|q+ z+&Vg|93dEBg77Ke>sJo1XR=4`4V7>>_J2>q*Wn~V1csWLcoW*<-S2lY}A*CXs-V9Vwj$~H)VeqaAV0y` za_^5+1f%@nI)8FS)AW80ovOoi!5qhMG~2wm>9HFc9Og$2qrr8sj+^y1^H~uK2k*Rl zbuO{0CU=N*k1u?fdVa6MRj_Ijo2xX8S`w0mMJc7zS{Y!|?RuAdaa8(-Ij9Gkzu%8veHUZpJA2)*qJ2kl(*YgW=4n3L=gdySICSrJTSuYER=4yX zKs`=#W~cjGfe)-X*1ux>-?HjC5=4X!oouV<9xJW$;kO-kWR4u&2-(xd0*F%jL{*M0 zW6G;ml&quz$nyScQ{NT0k*wB7t@gODRfOAGI8~jg%5?}M(3GlhH^RdpP{O%D| z+7c){y%1k@_t>S3;eI~GcRv=N^5Bw5gPP^Q(xx5(EjL&(D-l~3AQ|o}C0&Hkv(aMm@ZQ(6JLbP-klqzw;Nl=+vLmLjld3ATaHl3$biK|?@cy*l zkCS&T1iKf7awWj+QPd;z4(lA%o28G5nR2&eVfQ4CZ428w^vw)V9`;DxdV>-cRS{dO zYiGi>37g)(kESaP{F3w2+ zKsC-gSV=a)9xF@A&^n$2v%O;v&4$YVoQ)Fzt|8r^a|7A%dlJFEc1A9VLq*ID$Cxl9 zBeQ&Bi$B!sjK9Lu&Pq{AO1$$JQRBlzggtRDGjO>5ZK-agH!TI0hwr zt=M}rGa>^CFLnvT7pky5U@q(DM;X9N4UtQv0a$AU!ZYD$z8~(i;Pi`@{8H2*5P{TX z$O-}i207c2$QOGj@cE6K4Bn4?vH9Y%P?h*4MaOMq!DOLb|H43rF);`T>zc~H`1ss6 zms!&zT})8nKw5tg$vh50k!-Wh@YW7`%K~i-w7d^xbvO58mtYW3$tpsJ6Ou`X6Xq`e zaHJ%%jyv?YN_iL+OxcQ|%3EhIYRwM@)j2CenlTw&3MfDx2nvVHaFq_D=H^o*3Z)D6 zQs77wwkz~0p5^$Nbe=H?c3fq?2(ApuDC|fp5B8GzI6!MTGCkG5xAfg2I6x9nJLb}> z$nslD4a=?ox7RDy>O*HO#Oh+D_LWCQ+!Ej3#q*;d@ ztX#qf9Yw<>c)V;}@zLswRc6Pxu_VYdo_5+;0$b?o3A47c#I`lQC3pT+q z^J}^=XhQ0v6~w@W%f76m%<}pscCE?X(w}e7<+#aF5c#N9exF90Q{Hbw-fvrg#G@%( z1d(^*Z4nJLfeNG4UzLzpMh?YV!)I%x<1T>;j?^kLs2C?UI;N`V#UoySJHPZUwo{h$ zeE_tEpsD-r6(xrv_mtBWX-e} z4MBTU;7?~?rhf;7NPmHOLUXnr)gKp?<#wy?%Q`c+zsDv)-&SzwcW=L@LaQ$afb351 z1q)~kUI$%~t>gg!U9tNZco*^!ct<(x|NQ>Hev`qRHpFv%*z>`g@xM;Jp{OmrRW#v7 z8ZuYE(hw@lhP`YDJr9i8NMr0eu)YeC%E z@bLGc|4Z`FwHtPxnPd)-GDkg6;p5&e{lcCFHz?w;HLjE9dxh(J5#gTbDBtAa%VLg? zw!=5*J)h$1PI|eekV2J;Ied7J_NnxNgTHU;4*J9pzK*uE-a+Sr1@_buwIcc7bF5_esBwG9U>ZVw!nK z>W>J5b}0bXOhF#}=kw^H=K*?m!2{gmp11HBIyn^tT}Q6xaC4I+Itteay0fQzk>~2k z6MwA7#{&TYRDND(^B9Jf77P?l44oyV&I)iTvVz?--CWAgEcD=~y4rVUSlB~&X%;#^ zr>;l7t$b0|T&DvHdf+J!lmqMPXfZN}s*hU((A5#0dAS1|yr8|fMQ*VpwS>pgm_CB< zEutAt(?PHDQf!3%lDeNPrLjNk?gY>a1PT<*z!hw1M?v3c8Nr7Bw(!9fQuFr?ZG_$X z%Q5OM`X5+fC`5E^&P{#-^P#W_?yD!vnlx?xRQy*E`@!CDwT|K_G_TMkUE`~V<_8oC ziOOH5NwcUyGFCodv414XWV?tq!9VU}Ug7!uiOHp$=POY3*lQk74jdCV-wSB`-u=Aa z$lzmm@{y^;Yg{5+Z&Y z3R>JdGMK^va_HaWoK~hNPrsVs62r{1ldIDmM+8<^CX(o_&ymHz5eLX%*OLO@VPn44 zEcW9gu7*0KeMcM!s)r3)z$hQb-GhTSKnhiV_aNu6E?>MTvz*us~1irvgtmr3^d>^&fiFL$&(#?M6KQoKmePck~z1%gCSu zO8$q9#6qFB1l@x=9H#tC{m%|R0Uf4R@;6S_m3;b+En)6*4kM|pc%1`?I>(<;l%&4s z(iYaxdXSUr{+=!P4@R<)Rpt=i@^6O_=se#a$Dj}OfEm?cXp$o}a8aXvU1?C`?8QUB z=Qyy3BB}199*x?<34Tj+@~a}kv&Trk%7e{rrb*!8pVYulSjU>d(i3xD8AnAhpRkAn z)Dy^J4T1e32HmB#+I@ty)Ke&@&C-IuZyHmNhko;o_r<~k69PdknnKB+DE>JddhwiM zVCX&WZf)f6&%S`24^Tv@p=jox^PGg{?*-nmIsC_3!J-14 z5NJI9Zl{IctEkRY8UDhy=CE6u;qNFeJqiI$Ub#vBrdIwOq1beQ_cCMteWfsxUHc$T zpVV#mVK7N7R$V7Zj@SScS%}leH8}q4umIFy7}3^N zdhFsGkLzzvrQaYe*%b-0knQ3K(KGw@rU=;^73?Az$*8~(3?ZkY#f_bV>=YLy34KVL zK>;PHb8?H+zz;665$c<~FMpiaUycLhx(rsk-Ey+0^YlOXx>Kn%R=jo~VX3f3`eGqu+Hfv%fe__yJVn2U_+Bv(awu7{F{LP>ptr1^oL7~g$dDPB z-)TRFW*4W25vK+yIH4EcQjjq!8D0jZ14*upr%>oWci~^7BeL$B>peJ;4tS z|8^3|d$(@VLk8RkoWw!%(}FO~zt*%~Y0&#f+WiBF@5$Fs-VfPk{X8Fa6_Ebt?qzfR zHfXKNp_7muDbzy-&CUF$LGL@jJ30l}(JCgCFfp35zRT$5fGVm>WZyf9$9W|n@0_Al zKn;9l`SXL2CtRafnAM^B)^i&((DU`RTk7^33e^%T*dP-SlNPKm_VIqhS67rgYVoR4 z(54be2vj5a{yFXXUV_?`g~!6?*S8Jgy0f5LRuqoHAqT(AxnG0@S>ytzQ_OckOwCi%}MU}!WA0F>rs3}?3?o<2O-~;hKy(7z`Ykw4k%d-HY)hHxSS?? z+D}y_r1Z4ocO3Rd_31g1Yz=Z0SOahr>dy-QIg-POjPHO^7c%Jhf9VkJatH3S`*YKq z5s_I1&E^3LC7wVeyQ@dUG1C8;(1WndBfd1EaA0pQC`H`@9m$lb`(|Y0zR| z3+)Lhq9J`&7ka!0y{2lq((Eyr6-?qb2PVw?puv-;M6Io;2Oo8dWRwyWuD4Np@B2AF zd8J&Ajx21s3;etk^)uMA9%wmkN*WhOz0$>O$Fi8INiWf9}&GR-bnHePyxHF|1g%4SA5=7708@ ze|a?>wW?Y<_*wLtED~jB9w3ZMjpie^H?@}c*G>&c)(UO3ZXZIhBhaBTbnNeSt=7}R zY`*K!<_SN@nW12_TCOGPb zN>uzyL|5O1=@Ib}xmvXsfC~`JQFfFiTA62W``x#tEQvUq5MJ=rH-DZ^0p*gp`fUm2 zxih8MSEU+p5^RqNVAHxHI&yNLYK9Q^iBs%7onP%)KYH>Om-W+e=*2eQ`3Zf0zn}BZ z3ZTu*j}bTYd9j;UqoOv1!?$05VaVZ$E8;?mKE-tVPO$zi=Kf~EMRv!I$?POg!8e z6gRXvF?tm?zJn1TjNI~`Qj{2X20xCDE+A=0otr2y6KL4Dt0i&wF(hi&Y-~9EHSM z$}-_kBIIR0f1@G}(RCdpEd&no_KrzWKWVDAx?65{Ppo23_T&lLVI(;s7|5ATN>`&M z#0Fj+?4IF_mc^w$zP2fWk(A|UH?4eb$^o{T2n@bN660Ox6ALoe=8|;BvbWP z*W#S)zpv|l?JDok#`h|W_7T~y3Y$mw9fl2I5C94n1FVZ`M=sxuHU z3{;?kCP)h=GKiqfUwhLpo{>+?O7tN1n@!H8$WPg+V8eg)w)Rjuv{??@y|XLmu#9g{ zm1zxgV_Lsjjx5lEM^Yc1D7jZzbN%u*K9jD7vq4{2kNpF*eHHM&Fb(hGrbS@3 ze%V_$sWFG@F~o9UfZ1l~FfSMn%zRu1#^g(wXWnmD6>4|xe{WX}MVQdd%Z~wb%~KqN zbb-36oNouUbd1!J!i!@7N%WnK@$AI%08`Z$82qe~` zCVBlV##;h%a+k_;qz&}NE69ZTBWuAd4&|G7~Z@vlx!i;IJWf+eEPgb{D{-g$o3 z?8A)Wm!``I?c|FWw9bwVr)=&5coEMe{l|_AoX_SBNL^}L()^gnTZD-^JhUFvnOJn8 z=q({>QV#c^qW#uTJZ)TaVzwNNs1eez;R6}2jr+hV*g0+2(<;Wy*yP+`!d2q2_3@C8 zglxyRWU-I}Zip&?-4_K?mM;f?Pfa`Z-(v1%RKVL)Wxy=dHrn*TeZ-&6`rbW~_c_WL zfewio6ws}21U4d^VJJXC(t%;n?8vH2zitJcw_p9c)sfJB`;;T6aM z?pwfpnOdWTYs^6`D$L5zx#HgW<_Z48em?LmJr-**^pg&P59g^0Y1btSU_sswX8sIp z`73VinK;o`o+=OLr{;piA-BU*xKWE#QgDR$vdihTZOnoI#BpukTIQ@}7dF%ScXqC} zo>8jxagS1i(9t81H4dW1ILzkS)1iK<2`}ODDxi*k>kJ>Kn|PO)L({+Sgj@G=ZVZqD z&k)FT6#HaTN&XDJCV;%8iCIWZ3JZw^?V$>!5;gI1|f7ep}p35aqf6iwY5%(rC{CYT^Hy+Q3t#nFxjFCL{dd&&t;(bG|%uTRP?!sET-F^tF9V_j_ zN!m;>AnHs?KfF3tkwJ$O?*lQ22T5W}kP0A=7uQsYXlS>VQ}XvgSVnAAHhSszUG|S_ zk)W;tp(t5T(6^&NFU=g60QM(2rCKddu39k$nDK@Rs=%Tq%na-tDf9oHOQ=x1l&m=F z`wu>$RJ*Xymr=8+@@u9&-ByU|xG_KrNwC-~b#1Wrq<~TDgTFnTglY9bX@c)Xwz!CBez70PJ93kQ#!tWp4QEG0@tLJpMC-iGs0Z>@0Wfy8CCnVueg*8f^UC~uYyjJy~K9Qe*ZI`BTHR58qdmjzLG zR#ASl3b+}Z*|76&+JrJeROGaTAYGEIU4C1}>Xq`Y82~1^V^nByc`xm(pedm(BymBv z7Y$fXy_A$1`Nuf{xT0coy2$aan(Z0OXPa;gFWr$zY_1R{ELQcEI!7Q9opNQW1EqJ4 zX?Gt~u0dF)pW)DrXD|@{>F8JfON6jRhx#&#$|SAYjE~6)En7(_=Jq}HWw>>-2V6x5 z2%BXCZW643r2%H{-j9drR5YNYjDPPa+iK#vqm)UG(bAlBF`|Pyq|>@$rKVhGqK86e zeu%;#z;T!aA>N#!DB(nBN;m046JP=G@1j8^Yue7k@wVQMfO|71?Val|pPu&auu4ilcn5D$B6NjJ339lK95lxixV3dUs>ze3SN6H%}9=|tP*!}d)1#m65Z z(duoGzsHr_y~ncH0(} z-EAm(u1GHVYP^${z)!_pNy9FkeQymBPT&Dptc<^$6OB)#WX$(H3YpWr5D>%E=wrVe z3&}nGec0_j1jS}wo7aj%=uD5u(j~)j36ER*%nDJIaY|A7oTp4|BiP#He80`&MY7r2 zyj#Rf9Nb;B0UD>Rs?#aX9lAkdaH4ryi|SV-ry(bq2Z(bpKo-MEsXjaiikVsz|7*-d z+aWB89mj8b%GnQoUepz$#XXrJN64R24%v3BHYvOO7v?!QkIdrndr5FqTObZ(5UgYt zH`2|h^T+C1&h)%GOE&Un5DEuD$lydN^A1QSW2-MTZs z6`bW>JQdUrEjAqa3^HL&N&6efdMGQreKRR>OhPFdzFvx;O=2*Y;Q@kE{+AG5COTcEY z3g0X9LSRO+I|oTKWEBn3@1^zp66cj%TpRuyEMh_Iy>uRYV|KwJ{zp@S_5p-^^3_}> z&98=g_Y7hJ>2XexAb9lUN^y{qHZr;*K*vx4=4w`F`X3(lpq`RkLrz8KA$EZg0E2$L1TYBS{HEQzA75_(cy~b`7;(2(Bm*Kf ze?kKZMi+vRVxo-U}5)X*=bgeowuHOOwgdFodbY?tkv`UXMNQReeIg-gvyh!Hez zEr>blx5@&@89>jJS1|=J1_8!kQ@e?ZIG=uC-nP|jg7)NE&li=N6P3gxFG*nI-QVd= zR~cGfGh30zAX>JPqUGx{Gsgu8*4-DeGxmLC$7FKzqb(^~vNzS3m7Z0im7~Mu-YDgO z5r-aFRAjl+;!2pQWTE^K0|M|x8ga=@H~?_L{}sT6abZe=hr;yI9U;Rxp+S^$MV@)UEeL71V* zc@LKV7;jVd=>Y?4&2SMqZlzkP_sc^^A!y@SFs|)$!c{gE@^(q{gh5c5fM2-^IXh#c zh4Zz#hCNVMUpn28uN=qw;b1MMa2@rK|V;)dvt}cjrrq+%?9yHSCPbdP> zkmr@kZ-fh_L(6@s_A$THp__Wi7mKfKfDzH+s9%S6klg-zByjul$$bBJa!ARa{^j}I zaaFLn8$+A>f8row5&s!XLdFgySS$#68u85}E{JX5u=o?~b7HCtc^^`c=u~b9&XPEC*^CYLs&Tpz`_vgPtie%npc+~rV}8q52-bh!}TFsgW4LT zR7x-TQp!G8Vg#j9UtY~Qiva{#@ee==6z1$kK;`r8=ReZq%1~cWqdUzp){vuYU!NdN z4sj3k*;N^)_fuV49xAp;#(sAD3tytb?|Iq3^4hEY>fs4)068F_$hpQd)ADzc?ABkZ zc;}QM!n2|?nd3P~v7UVGc`v+gIc`N6?tZ!pyTD{T3;b7L5bJXVa0ZkK9nU`l$Tu_e z&ke^Q(HenlZPRjgkwzX@Hw5TuKzrW1gGZsvV&|RmB~mSvjP54FEcyZn)g2}O9QH^N zWRzF?ek;hg@os~$men_W3u*TOy29VHp!lB^9HIV8`GltIFfBR$zc6KGp}wFnC+mZc z=)UN(EWqAvJgBCxqCwpu%^g{Q5t~r}qmBeq-XdHN(4>a*A_IAybGDU@RxGCYIH5z9nG3 zNl}B4_ievK%1hz}K4Y>|LGwL7|6``TU!Q*eHJCc>`^axT7gx;eiu^YAe6$+lN$_ zp!r(e(9T?hxa4Hwf8mlrHhSjnnuta{2ze^i5Mrpb>uL19tp=EgNBjK26>8UpMI+a!rSfrCWiI7f7ZBJgYu`hRw!KdP!Q1bWmiZ~=-JI_H)5 zH-Y^&L4mb&5dnf~GbyOTVW8F-tbWUy_P&yfbxx$@ubrsv$Q)r2-~D=@+|+=>cc%3H ztjA^Lu+6Lr6zC#!XYK?dGY_VOnUj2!hMGQ+qyb3=^_IIf>4!vw zrLE!xq^;c6pE7wP(Tm?(Ts&^e;eYYf$=!EvG2Ev~gvMewy0t;G0K$3We{(TV{PH?^N2EQw!H zC10K1{k&BOSeMtde~A}4hv#9SNbu1YxA?(`NAsw2ZSTqnjl_I^q3BZey{pffGPxvd z_hgAnTp95)xGgVR*S+U{i5D`2$o~~cu5_lJ+Dk9sr^z2AxkAhz9EwcRf_-yeiO*0y zr#`5xn#SdgwmO?-w8WiK3#7bHDoc|;1+a+er2EDmpDveq?XRU2}$}mX=fjX%nZHp&`FsA$E%$pFwYJu zfLAzb=~tc1VZ<_&s1S*LHR6W!72*#MyTAi!PkJcs_neLRZ#|cTk`0esk8f*D>&I{F z7jS&;<%3s3!b=O#=$mrltCCBtbf#$l@?wWFkBJ$lUwYd{E@iLEq4II2A(PPv<+N zA^u;`RCXv^8-h zubf{d$?wNwq$S9Bi9;t-ylKrUL~$iIbHqtw#{i6RQMlsQCSvVzV$Wtc5EH1PXsQms zXM!?}ZEy0*(33q%wH;efcG&(NB+VMh;H%pM~t6aLbeZ^*VTIcPwB=RF6=H*Lqs@n&fv__Sz*lD~w-$Nl856)KYG1}cBy zT$7GJdN3bpdGHF`1r2{T&BOWeN{}dogaPttPKD^1b3GYRLY1h8wIEJzx<9u6f`!S$U}zeRSDM8Ei9&CuRb%&paJk0q zC|z~*(1Ynn?{^-n;7V;7-&tD06@Jr~W*~vM5b8lC!1AfQP>VU!g#rqh z=a;OEfHda%UqZn(d6(r6SF~Orgg|*j?Wq4qu^Gle~9gTM;M2_LHV;P^;BF& z=*QrS4E;_E)1pfs$sA%|TArJ{cj z_nqVnM7kUme2lo_^_PgG3b-L>=WoB--hfmjb3y)Uy?y z$6wxXlkbUX+@HIx^h8(KFeRv}Z6(&J?`U^@g4p0mO1g`A`NX9on_ms-<#2lvZ+jBDy3PA;h4>M1Z zSXajRRYB;31J`-;>n{Ck=>hYxz*i3{#z12uKiErulH$W}DVEEQ#MdAR3MB~q=NfMA z7g?beerr)7p~V{&uo*$yp-yZgi0}2JDokc4St3;k#06BDdENG<-Y<_F{j)q0h}1g< z`uiLbGm>`}(!M?L7xK{HJaD=r*Mr0P5KR=9o^ptg3POLT%ljDqx2N?;QmsSF8xL(% zpFUhHn%WYy$IfO8Lo6*!7G*{Mpyjg>DQoqp`M9$O5iaf*zt(o=1*=OcSJJ zGmO+EPx*m>%$p{50%S8tVBY?kSHyx3P+VXD0!T$vXWE4j?#DD4Q$@BNT>5LZ+AZoeRBZCBYa;b>IJCm6goHnE0 zj{STh$kaHtyt&kCkLw?CQA?8;vALDCf)-yLKP&H$*QH-JR=GNbGy}58tv_6zE@V5b zk~<_zeX;*7G#`Mu`VIIYkI?rx@SC`rw|3h zE3n0ONy);Sn1ITfs;!M$8(Z`#?q|(a-IK>wFk>PeoM&7y|r_2KK^)Fu9Zm z2&1kBAG73_fhaB;dH*2!agu}oAxQ?WZYX~(bb#0rrG7z7>My#~MygLnoxkJM9Zn2$ zfy{n|Tj3~R@!}6rtTCLtuy(eBApC&iiwyR=Wz+W0d&F;vb))CMFMzN8^*H7BqIz?< z?v;Gqooyp<#nzjy0H`Y`3GCH5+dtnbTTgIe778>3l;C1O{x)p)@$M?bGv_sx_J3&mze|$rJXHnGnUeKY+CT*XO9os~9m1cInar=A% zI#U?CJ!5X{G4%RWlU7fn1X!gDKu5jAg23<&T&ZFL@U@ZSbvYk7#KN?J;Ans}^&qKV zbV{fHL5&TIs*ibmnziQb4fAsJy^1xnsSzj6?Ut9#;nK<$Y?7;qRW4CqaUL?bOrHr= zsj0RHwjIhb-+Zt&>_a#FJi%RQQa_QIZX?8i`kS0n2?4cC>5>Jz_O<>Ji$=s5hl1A5 z^)dcUyuyw+p5Xbdy=OVH>6#%n+FN5!upAl6Y;xtP^m4qJ9VSzDT}8?oqY*31{S$p} zD%<(zLm7m;!}i^@82Mcz9&_)6w_yV3BqI$ov4rPip5waCwNBoxqBu+cDFdmkYH&-6 z6pd*G=K7x7Zf_z@NhlU=O$;}oeNzTep?QajBhKjv95 zThQlBxIbgg!E8pq_sU%SDgFD^>c#akv;_|cTH#-v-J{QVeOg@2GCwtXmm4z^u~&z! z;r((s>bd;5XMlhtcSkNIN4s!U`bx8W>qK)#FTOClV%4H*503MD8Ok(o?Xk9!6Y0It zHP7mW`HYKW-#crl^PP&E_6}G5_G>>NFJi8`1*&Z;S&~Y-@mfv#hsl6mvNNL%=rdxF znKkOOkSZKb102rlZ5Ji^3PrqCe#m|I9Y=H!Zk6-#v=SpPrVhU@)9o2n!*SD?YIY_= z{m!RN*JPRssyEW|Z{5Seh~LJ)e~Edr_|EdgY5AX5jO{~R zzA@;@3T8EB^puWVDnQnCN4BD}F(^Hu`hc<7-o~27QU#jC6@!riw#^;G5oH0oE0Snnp+b@g* zqi5@?yiC?Szl0r+1qJvgyIT`#naD9p_TGdozx82p@0KF(i4|eJOxm4!CG&vVh0Dgb z=eQsA9ZCl!woawA4a*XQ%zE*u%~$*=ba{GS?uBkaM!niN5SzaFygBu*qW z*JjSxhet6IlIKYHadWm;wX-P*jmU{jY%+FCIJY&6aX(>KAb3|JxW3{v(Lv@w+@Fg( z4np+ge>4u;w>I(Y)~J8(H_@DGgU>vnaR_dZfHuvxUGeW6nX{W+7=q!I+?QWvwk{Ql z>S4MV(YyW1E0??@otCRc2iymWTD=v2-425FmUy>;)0AO9uqi%h^5PV(7+;{NHGc~| zf7%50s*CGNA=Kgw#I|Y#j(snDu$O-*E_Y$BN3=B2uuD#&VskY+Un9^lRW7GsWh+yD zEy!a+cCc#OyElbm2`m-!-?p3ve>`_UeFj@*Rv6I3c;sYx-HU0c`2*m3&HiJ96GM3r zaQN)XPB0&D^i+`aP1yMlHsW|URk&`v@zagk@=OU#33_a2+l_xOC89cc4w9Kw|06M&!Og4LdePgiq#_25yg8&>YPFiqK!WBhhYDgRaG}_!6B< z8=mTcm+s$s!4ng`fAxZuS&W9 zbmOB*-aoOF(C$|mf7q?X)jo6xBChaNms{Ity~o4{N{0eVVQ&$s16f`-XS-!h!UDV~ zU-%s@t2b?W@7?AlqoGAS$3z&1&q5O7OJk|;wEh_Jonj*7Nn9Gz#dNV9vQ9}PQ42wt zmST+?a8soZ`82;(%}X_elCX!H&zvsXOvp{dtySd(W0?82Vi^ zEKbP0E<%4hbQaDy828Ri9VxBW?0OD8h7&m>2bdL$f7>3Fe{GLC;edq~Wwz1(AN^pG z=C9r^r9|liVAiP?-3zsniyO4}9zFaxGMC2e#o_l6Re@uGMq5(KA3W8unRYD^?k%vq z7!)+mRnbqo6+2`O`}C?}P>`)Pozxw#HXTwIr%AD4lh_$G#D9v24+?6y5m4H+2y62) zwCO9F%0YS9j`BkH7A8kq?i_IXZA6BJ1=#Ei46npmiXcjlJwKCVMZ@)by@GV#8PAds z;S6qAZS(~RblvWAaUSTJA$zZ7L6)rQ)`)X!AyKMJiHpPaUF=y0RG(U$6%FJzZ2aN@ z&#j@g$G|`3$?&^T_C_%1f;O36;Q!DjC*6F|s<@q6kOjXc2R$e)GS-|eKsNLlC@kFI z^im{Z8>}b7Se6BGShV`~(@Omm=UwNqj(2i`wlOO(&gu2sQCO0p9y|TMw>%H%;SP+i zjRb@jTIgcRAiOhU@^H4LBv+J!*1);Z1ZX7!e)P6K>*6KszUlM0^Ow2~_XP(1<1(k; zO~t;5MHMxv%j%G-`GW6?+m85oIbDclC+gJs4p~^J9)K#(C%?4WTUa93@;G{B+a&{i zb^xk{s-Bc#8*1F?5p^Hmr^N(Ta>bhjrH_8lK_5`Py+fV&iJR^`+5H42?bCqr2Clgn z^_8RPinDKBgnk=%E5{oJJjHqP9ZlkVV}Ce1xxIJgnZ2cpf~p^9al2hxoFzIzWP?})|qf!9ZDe5 z|6X^}@L#Tyw_~w+YsEt>4Vs>5PXWP9cMhEQDtUQwc~uRDl#Bq)uv`AI9sV<;$adHyV1IKeD(bb(x9Uj%v$pz0?r-y zL=5>se|saN+8KZgluM?Ly|f}eoBDiaBmaYS7Qw&95C$Mgw$YxtN(NH5fov59(ejz& z3MoRP4ax1Rcx(Ulg(jIX<$I(VnXYx9h2!xe063^zk!%?@}6KP?Eg>@kywWQB( zg#EGcWFl7pH&Q=afKN}h8UbEX;~>eIsx|j!X&Ln(nT4NUtXC}?G!FMag>$t5O;vc-PI3pw)=%h+;=V6^Lc?;AqV*O|<}J6+ zkz4A=gFf(i`|#wl=ocDxUTU!q%6)nqN3W7*bNL1qK1KT-$t{%tUu-W{%2zXLE8f$ zhZJo2l%GKf0K)nRZXBLBlH(7(7Y10PJCag2j-O)p_b2xsRDYFs%e%w))yx$o-iJJo^Aks>+ zU5!T(i&+Tc0eI&@mu()4rMubv{-x~uyvmW?4o;);gk;F3)_&n(84F>(r405BVc}M- z)1-W#BQO`9ciSreQ4tHF-#}?$^mujZK=BUN!rzP7Dq5yNd)#4vxpD0@akoN8>+oTOWS%hgBPV1_JwB@)>z;!_e-4mNcQ4Ae#l#Liz1Tl4o6c5l$v!1mb{& z^4Zpi37Edu!|8mdviC5I?!P9`b6ZEIcIdz0zQifLlxl$rH>^};k`~@sHH_@e<;K|n zr1i>t&&5%5BRB`4lFOSBw-WTg1?1tXd;`<3xKQ?!s`tpP3rCF=-m1J&AkXKOK;(We znu^%G)7>EbTbnf3XRf{f#Ym9?=r@#s*lcX?<9{dP{&Ecmn@~7-ZzIYMb+Qik+6ir< zWo?9Z2_ZxYp+vQzV%%?!!`E+Yo$xtYqTRh+oN*}yx{PnX5yz=$dLlRWmBAA9pcP>- zY-DU%gnyiMFEeSSZKXBK=O!~W;IfJ9k~EtoE?vEJCT_-9Q5(Eil83n7^_pu9Bv@sqw0B3-ZHM@^>$x!NV4)=_zQnu1x5bJ0KVECYsL==?lyHNn*G@z7NK~fw5 z3j>M_P3YvWGEyASOA6rjv?$^LL^=9b-&Mf}^=_W8Y^AXc6br08*G4lVyIeV|(C5Yf z*46jZ_#&mM-#8=S!%3}MPyT6`IYRjYOo=kjnZM8#Dv(d+-@fGKF#v=u&$Lw8y#*vi z$EiI!;Y5IO3l9CW^*;DA;3HaoJUUO2{I^?keBTV%OO|JE6om6EJs9|Q+>8#Rql~40 zOhxpS`q9_*4=z%`pGax~RQ|l_8MQZrzZ*;A1LmW@g^_OnlzlSO@+kl!!C>;o9R|EP zbmG7+`ou%Wn(l+{A9etC{A#SLgI1oI!Se}SG<@HB=KHHFRxM}dhmo%5Rp>QrPTlU> zx)T@g8mIW*9a?sefvHsz_&dJ@U#1N?{Ri#zM(hAUwoOYONJ96&F=YudzR5~tedPdL zEKy>xKWulWqQ0SlnOvQU9vQ}HkN zKb0z~Y3PA9x$3F_FDJXF-zgfvWddZpx$74lRr--X(nE-=Tc|!{{W*4xve52O6hL8z z>>yVItm{o6)HW~jWE7*kNw!RjxSV*VocEU{dV4)ZYiC2s)h8yN%i%0=MYp~GPubv; zBNU$)lrgl|swqzZ+teS@!3=%Y<2uk2P_t#S3n(kfr>C89;lbGj_m^J$8^$NQ93%xO zj#8xo`s1&){X_i2;WXRW6BOS1u0A4Zn`hS}8j!^sq z22W}m=k26W-toL9Et~S}$mZ)~>G|ShI!#QM%$aNapXoHwplDg@BNM%YeZS6AHj=3$ zqxvVzzquSwvJ+!~=_HKYO7Yv_)@<$LS z5HQU8AmI0*{Xvy%i@5pY%xSPHs=zUQ?)w>vkemM+Z5GLI#mO2e@VMGMM~+88rWImgs+G#D4d9r{}Zyn5nKZ)^0@M zabTQGuD-W&F~hmS%}jawd%b>E;KWMB9B(v62{I%t^Zit!V0%F}Tu^@HLkt-ja33yO z*-1q!@y98xC5ct`-Kl7g-8UQz*ha5>6G(+JR*$-7D}oF}i$-U(z7kPgJcD31AFpTc z{fpN7Wmy2R{nFlu%-&I7Qc(f8X+=WZf3aRoB%5%}Z(-ifW@zITVOkQ-*A4r0b151#nk=OtH3T@-wvN)eIR^3OR0)N z3WQ9NiK7v+lzNHui-R%%xb#;%wpKYPTmU=JqXYq`{Q@?L?3sm0vLJ3D{rGURECeIL z0?WYi_mu++<=Pv_ua} zTWaIb0D;el>$AozP%*Eab;ypg((c^Utw5!}kp7&@o&Y25EVQCc{N%rsVulGi+$ZL6 zs*_<*8!*P}F&)}v2Qse}cl7phmaI>Nb7=&kR>M4}-nqAgXo4#DGWdT;6~No}U$iVZ z?Z~zyEqtwSTrE&#KYsJGO0(y#r737_BQ>^;VZC?%D+*zI=(;!f2q7LT`OuLRvb*q<>Y zj9TI~B(_Fj_)FFeqv7gPwu*d*Klx~0Uc~ArgMnILA!vmI9TQN79$LZ})1DJ=nl!Cj zem?HqT)GRl%aop;n>dNdZ$h*AN9*tJXS%OfHCO|#LNjO_$UJ+3+Aje#ggGfUR$gH1 zML=>vWTJQ?WW*a?m^xXkbNOdLZ_Kn1jxHaobV&$fHZ6P@fhf%u5z4wEzFWywR)1r_!f_MeMVkf^ z@i7h8##ZIs!R+EanBg-qeFY#{d`EYiw#Qc(-Z`qm5vikN((9J2emidER)s8IL>@vd z0J^vN=$C6r)zd})2eZ^qk)!o-ul;AV&rVe_5RATu$DS7;Pe>^j@6uk;WQRS#jw8B4 z{_qa&HpBPRp|CyB{c5ds`7ek4gg2ooYe2Z!T@$||0nemFX*RH_et>kEI}cI5*0j3a zKuiCPGKC$RFcQH`hau<3$cDFjg4`Je9`OEZ=R9Gg;3OCPKdCpi1}yYSgP*?B*kX(8 z?{(dj<*J$$cOGrnAvogJgtBAR_redaUUKlCy5xWmUySS@_qt6+NfNlZ3MTOf_Q^3-BT8P4Q*11V5=HGwppOhw79z~=%6URxz2Bn?VFLSkQ zUe>xz!WI%ZSEMeK)q7#>?CiJJQ$)KL=-cA21B|S9x3T&u()Y~r9NE2U4ru%rv0m?W zEqM;XbeVvXUu4>^Q06G{n2j;Uq@t=GU)6gZ4?TP`q1CV?T<}^p=jgutp|3G)a4%RG zzWG75$xwBv#W*ORGpFz*7t#V^!fdgzKJ}!pbg#tw!nwgBI~ab+8xUQvgPXswvsvPS z*YKl~DRRX(h=rx{E+kz~F@r%CRrui7W9NZxDVX2y9EB=M>l@*_5r6`_o=gCB$iD@9 zT_Hy^0cApx_*4vlT>F+}<jSY_m` z2D8}ngBMGY3|&FKyOedL;&Bb~BA^7Y*O1xo?1Afuki07IXxJ<%)0RjUis?VgBq4#d*Cgm-^cf9H&dR3=_#G{hBc}nF zh_nU_=b$AGI6HTyvZw97#KycXfzae{;S+ar%@)E))SXHuHS8(po*JoJw71_!BTtZHLd~ApI3$B=|F>7HqT>2i^tmP)Mr;3rt@HsNYgF6|o z9;d2|*%mg*s&nw?S!5L-0mg?bpx5d;5}glDdqHxuH8uG-^VW18k7Y4rb|tN zH=yEK-F;{LVu>2YxV6t|#I@k@_Fmk{WkI0>k|Yt!=GrD`wsN7aI5y6p6;p_?#Gq{n zbrszw@LtrjD-!!^HM^h2y0f8waTMOCh}D%_8S>K9#328fy16-auWG*sw^ytZ{O(zi z;qr=U+7p^nMI5VGs9VVEfL(QiR;)0O#Xhf!MK$zY)sR5h5XpY)n1w`l(=uTl2kMn* zuHI6>!`0U&NDLNL?;~T29GBLiQQZA1&U4tS4@s6ru}O@z_IK$GJ71b=$$C>+b!V_= z^Sbkb%9A)6qw))7#ewCH>R6lK&NHVPFgEBrr-2BfpXW>#ff^8GN`Nu@K@=HMwMNv8 zVSoE>(<|Sp?O2}#He%htQrl`oZdQLfxO#p0om72f*QV-$Ndc#XyenE) zCY1}ms67~%-8p5SzrTFN#JN9Niki4dd#v;NlKPCeFGbE?=2}Q?4-xGk&ro(cM?)Tw0^Qgb13>oWpZ%kol z)v96^6|Np@5jd~@O47c9L_9c|cbJmVPMp$PcCWR3aBp@B;X%kK+s(D%tXtWdn=Y?T z9nBw2IQ%A*jY((oirW6eV9R^YVxgO~eV}18oiG=8QRb#YcvJns)<;Fc4?ca2UtS^IR_& z=T7C^@wx?p#-PT1zoL$LygWp4#n%8HWL0Nl6Im8$1bvw7bczRU{p(t|8V0G2_Os%{ z8B5ICXna?#73+C%EQB1pRA$);!j^1+7_lb{Xj#f{dYWL26Mi2{%_8Rdt`@2&hB=vW z7_IMSb~OyVxZ+s}`wkJD=(7cq zzd$i4A%~u`t~NmD;Ba0mQyzjJ8|==Wrz0e1YH9=>nQ+A-VsrD8!=I@FBjmu2NtJU9;Y|DI%L(`R*XXghs>2i}bA(~L3h zU{-s5?1BXt2kruWqT$0F;Ms_OMt(nj&=EY&8CkGk!+-!+r;0HRVB!mnkIAb-$Q7)? z2Ha^~90}^`du}nisfuza2wh~1Wo6FXD^*|YZG{S>4?3z7BBNX4Vqn$SVZ8=E=w@Bu z?yc*dUkeM-3?GBMdde$SKT~TRLW9o4?goLsT45w#hHiOli8^y{74N$gb8V7~t#WUh;_h%vTW^8V57 zz5<<5zn1i%Y1tGJEeC<_yDM{C&pjyl&4{p~rvWDn>p_4@Y?y`208BCX0@f_ zrrWiTFAXln#g|0_Ko*2?oO%wlkdj57;&jZPJM$>Rx#`XTwC}+kZEm_Jv44v!XK!9} zzfrLIjb^5k9avc{ORx*RKeFVtBpy3^bAWp24muyLoV71O>CD4-IYe{6+IWq+kCxe# z^!s0{0-cIPy5v1^)S?5ZZE;tth-)85akaU$$;VmDKj6E%n&#ZE&ysY^Q2emP+V$K_ z(#><(ew)n}`+a-DdP-K0Hl7ad>NGiR5wz{TZSSpc?yrp^%>~9y*D{=^$nz&5Qx_RC z^t)%pE<+ve;M=Yub0LE zBnz^9zHXjRP09W16sWuU3}G2`tMPv?o=mi90YC}WK61~jAPUh_4L50HBSHp^($>?u>j%62hB&yYO zh8LMFAu7EPR?>lh&fxM^_ME_Cn5_mB-Tar!n zlCJ;^@);nfTrMt=XDDj^RvIBK-mXnmk{fv*fT_EA@8e@+Y!U%CdaJbw)BiQ?=SD_w zDIX{$()}So^bcOK$d+3UpLns{1Js|Z5nxWx`u5p~%186>Il=CDX0HWI zvfyMZ&CJI8HYZ|S5K0hAB&6c1Dkb8{WzVy*{k=U_QyyK%{Ui2>s?uh{t0P)?Yfa5? z3h?czKju1`ksr)Epm?TA1)IFKPT&gFPeGt^c^dE9Kyjf}1_^B#(P9W5JU(^fM-vRR13Q=z?04K-KC#%3@7wM495kolyk?ug*f{dIK%N9 zXEMRpnq$32$E6Ba=mYk{6!7oDZac{P!ru8|OmP6rP;(CQhq0Hh9L9E^sF+4;hXx#a z%sEhk-&N}VNdjQ=vfyoh$ zuAGB9K6^8s$qZuo8qQ~s(*PF8FsTNBN&mE0WIX9#8IAQTcVUuv!6-$lb9_I_ppaMB zJ@UV&T~^!Oa_;*aWs>jBK>lblGX&?u3EBMkJkE#nR&^Elg}u|GhcRwg%LohlO4@m( zi9tR|G`7CM{FzDn>O<9!6yWWm{=v#X!33aJ5MdCdii!f;kBJ!1cS{14Y5#=$8a-az zUiOzhdTv~F)sO*{_HtQ#+?(Rzzr2mT^H$#j7076A&OKvP2vXcPWK{2DP4 zq{c)#rL}fELE*m}d}P!7NEV+3I2HsxgP@WkNrV_qXz4TdB93p)8}I?xjftnPT!2By z@EpK}!EHChKfTr;E6>X8?2*p}*}h-!J`{bGhsh!FWf#Li2~l>qmZmKSypZ z?wcxN%ib4;I$ad?6jb<@M=f`cfiCbI!Q{`!5TT1;)PWHRHKeR9s(^7z*01h8x200bAH@x7j6n**lb7=7KzkM^8&IzdH z^9HZJ0_}(bkFuiw%ff3eAO@}tq!#CjP!a88yCa8L%XBbh$#-79DGS)a4ZgCVWw@IB z#>1A5kg20BNizt-x{tk722G3$_<)P20pE4*Z`vqNu6-BjE zt)5OtaI8rr87`?ZZO{{%_6whkxq;b#_UHrv&*L*dHE{9t1fkCiWNrp<8%8-G8o8dy z=KL6U!1DyHoH>4F#bE^HUw@UK2eNWm&h4AjMO*>XhNDDBW>D*6S3F`6r1w6!GjGlf zszm3}Pdrr0%531paTdM|A_=bknU}p0{2(OapD946k1#cQLPps3Oj5PHW@}1(_Prmp z_TC_->m!$-K-gA~RpzmxAT$YmSh^qdnp(7Um{=f6S{YwJ_h0mt#hSXufwc(13eYjF^L`(r%6>RgU2I^`wRNTJ-?Nz4?vmre z8`3Y0hmqb{IaHk9kruaE#FTZ}-C-|wrXug`$Oc*S4C(HJF05zE{k@<}de;i$f@w zx|>PRR%g1M-3nkLcyZ=3hL<}5j8AQj{3V}fTzkTJ^L^P;jSSBS@=F119+9~hu^Ym| zI-vrpPAKWc$Hz1wQH(wtdI@1DVFH#-gL(HU29iBMYrXHRp_DFBu}{D2++a-)bQssb z$kyCQRVnk?F3q>Z;V!5uuRw?-B)o`k6(Apczh+0nptK#opVzh*`FSmvRl1)|eq06{ zOT9FPq=+em)-muupsE5qfW8|5-nA(?n{;p?MZDA!yo3cQ?UK!drlD%|#!cR1&*!W0 zPo;q<#sowUwv<`8hU$Abm76OaU8oC~sn-HOS-tOfQ4C}tB*GAQx>d&_pi+NqdTh<|U{ifeAbmd}2Uli{!M+z#g9k?8#ZBFu_&jUxB2kFBiGuY2aLP9HB zC`qC35y%z8AAM!Zf^tzA2B(6i1iuO>s$Gf`4ao`(D~_sxOSk-+x$)GFcxV!0*Df$P z_|1y{^aO;GK-QDD##n;P-Qc0X!(Sb|u8sER@ol~pBf0(fka2> zSo>0828s-LZ#V(LxPDs=tiqCqls#oYHTB`>`kp=4umBIF+5ut?UYnCw>y^1BDZI0U2y+{rD*a=Xxd+Y;;)!;Asv|UkzXcWZ4zc&9 z8I^a$vaj={^C>H4Sed2RfEMo^@O#$@<3vMDBj=XHtB*lX5d|fT!$_vzwQ1$<%Cj5~ z1mRsq_|heOtUhy##kuBQlHW%S^k@mC!n5FPup;~4*(}wRPlgBqo4}6}-ot?UCh6>J zyzl$9toQijrhdcrWw}x151)eL^;GfCDh*I+H7wPC3o+8&!Horp`12T1fQu!g$R%BI2`=O1CzpKmr5-*#@ImLcHEzeN>ROG<}X| zoYUV`3pVjM^WErleq48?P8NtfAy_CE4ZY02*RROT)G`kvTz$ zYG+dg;nUZ@e7sIvd`3zrmIh#W-P_DL}FZQ11TI__5OW1#Jj)dN3&jdFsM@+!j(IqGqw@2&J0 zDjk<=&@FjCgP3!huT(MERt6nEaGowqM@lz<{pU}jCoGk3!>rjXeyx6nhK2DuYvV6%9q~OHMC1|-L$_DeDEtQ8Tor$^C!Fi zU*|7NO3luY>m}8c6pjW|9 zq_sx z%f?hZN*`~03B5+X4MP=vV~`(k{tP}O&V*s1s(gmYZJ!>^Q0MUI_mz2U$>4GfG1_{{ zoJW?SgKQI0-y82qi!2Nte&_qs>83Fg0%bJ|Sns{wDdD^d!bZ^dOWn{{gbmsC6P=7H zLGijeNI>YmjDRMuPY!cbGv-kJGESbnL>UFjpF~UC7~PZPkBn04`7v?Zr3-BIHS)Kt zmv-{>i{{la63^K{{X@f==#@Iko85_&g|mcLcusl%DRpximd1*Cow-o>Ee9?o7#0AH z?JhEK-v046Q*vBfZ=5o)_kb6NM~6F`DLAJ3(5mjT`kA&w5bd?QX(-^}qqjw&KGY#s zDTkK6mi08a40TwT|9l0EJ^AToNZ_Myq2(E8hln+hM~spH+}a5cwp5*_WW-DuUOM8v zbeZ@{D6H(Y@=w*H9H(e-ZPfnsT$piq}D9Bw&qTcFE^5MaUiS*{M%o zsc=6?I>JU@G2tvQvkkdx-BeOJDAIF*2Ti58o6aA+YX4Hard?23F;$nezDD=EI^uqW z1+X=&nlY*Me4*^`dj1BaJS{Dm6;H7jC31O-Ue4x&5v1~jDBD0^1{HK}c^V9-@P-Os z@iz5ta8iHVF_aub1z`P^lVS@z;CF@d-5cQsgFyQ+Rg~h^SS))*{5S~_Ji|Xo*O5$H zdTJM3!!m}-ljB4t#;|5myr(bRf6PC%KVGU&FL<~oK7`w*1Ppj?9 z=c*G*YQ)Ly&HvAzcqj#)Nf3>p7F|?)Hh%=dVh7yJA|ahx!6ry_y+a;m<%i)hEJ#Mt z4smw@Q)GP~Z+)@x$fGot@q5)5B8FMO4@Fs@hVcBj5gbG1Cz8{z8G6Ms05C0LVCZk& zsm8~w+Q(i>X$Nw@)GqVw2!I4cY^Aw-Sr=LTPzGtQ8Eaq$9SU1%yDVofl?q-3=sC}* z-Q3>vTTURYBcib9EJ6I~)NcQ?TkDeC>Z^-ww3iWI&&h!|{)g1903L=kcnF5i`>N)> z{<`p3Qj4?t{arKOy;$tSrs}hxdkp{$^co0NYNc&=0i_pQ{o&gP$Yr%l`LwF=ad8pB z*eY#4Km55y>12%@R;JYY--EANrUH-%8QvK@;p;sm`al~%{f7N49p$3v3go#E|C^vP z_kNv#<(BnPKC$2#&V^MlGS_nln6fH#)R+-s_CRK=0_Mic&K%MF#I$Dq zin1seWm!P$Z^2)FEX1AaYi10z|9ZIIWO)O@m|@WSX{W&jXOKx@6+Qh3)Hq-qMVf({ z`uCtfN6=v+WN@9E^Ly}yQ%S69VV0I#$rqL{{ApySU+)Lj?JBTWbS&1(!xBb!M2dM; z;SKAXqXGk?m9Q0xh$*vvsPImbVL*u>SapY)%))(v+tz$f(FPgYBQ2U>Dqr^n9WeOd zb+_Eq4Di7+>o1!{LrG#)Lsip{IXvVEQ=tKySB7(P8e*XgRSaX%2O>P;wxANqh}zcE z*KRyWKw8?9ro`l1l5dX&?AOhArF*wFM-HP3@-t<}#jXYf8YKjF5)>bi!j*l=7$u^EV^CrOy}3_M%z82B};rS~uC9U+Iliq)!-Aqi>=tv8^c zw}FrwUsY78m2K2%V!nES(Mz`)FtUxlPn*|#V`6=;p*>kRb31Cdxxev)US%|7Wv6Dh zdWw0Q(F-;`+;(nC_04aF@fgJcU7C9p2C;r&zoUZwQ}&G|-ysF4S!n_2ojP`&#k)Qi zy%$X$6FTXrm+3$;o~HQIC=c*ZwjPJxrPHSvavBHWL+>KM$$yug)TBqD5!WBNE})HZ z-SlwIbQ`Sbzo{G%?K_yPaU$Ef-LM6~SCgO=8?w-?h6gXlP#vgSW)--x(eKhSnz)MY zD}iCqE=ofYJcrFEU!&N_U8*mTB9c!4dIFna>h{r4IWy>{Gs;u(0cb+DnAdyOzJ*6M z65Vt08s3#WIB$tCS;6Q_eC{8cEmO|wsr{|fqu_hes-Dog>~bc`%4k z?G!}}xj<7Oi;7l>Tv zG(UdTq?By^T{=5H@s7`zrJe`w^Q`~qK`m!Mm?IxfmPbg}shammZxL_T*!T`oj?ycX`86M=-?{r{Kw(|OJ!{fsDc}pt-jDRa?;CK1_$1nf8dV@gm2$A+<5%+ix zNb)ThlDuX?r^?WC03>R6mr{kyj5@WY#AfGZ&=E4?K3rt*PDk0t62Ad4Wz29R!a344 zVlhbNLfm6;D^e1egVAT&UK|a1M7f;KPgq@wxfbQ5UYKq5j(8w36Ij>eSk4qF>SBrf zj?{n$#EyXxAbJfn%>Rs)RJA4{_;fg)op7iq96zH9=j*KkN+4bofq@4av~N`|9|8y~ ztjo1bRru@smiNRHedg#0Mq+ZDSxL>IZrpT#7kauM<@72YMw4S+hEsL5%_*Itpd7Jm6TR$aVyXJUe&X46%k-cm(Ss&gAA=N_M7#u`lc&{* z$N5k+JRu(9&{wG1J?fi<$?av+Jx4V0Ysz~UPHEq~SPKh#+Sy&l!3bQP18N!rrVmM7_Y;VBOkr+TXU+>&EZ^JZ z{m*%~f#mffHoojxP6Pmd1#n1)wSFDv{&r_wKn~`g+H-^g$>$?fy=EL|rr8fP(U`Z3 zRG09qR0AaR<9DO1Dh~jNz%}QpJ9(W_6&#FQcdkVWs8hH})ayzGUF4m_%I34So>g&eU*A`UO;>5Ih=v}jv9PD@ z-F5wLa@Ccqj&>w$XS*wtS&v#&ZQZEfaKr|LKfL!+Jt)FfkpfNRB24(2ZUH6@#e@1- zWzf|psljmJJUE2=eNSalf`Ee%YA6BP5*80VVH4C^IGzmU(qL9OY|B-*^sh+>0o_TD zYGnD3?(;te2e!XC&O@2OKGY z5OuJI;n0F%-He##X|9KWYp;K_jcxxu2%$ha?f;5o7&d&%fNCQ4G(OlgE#8aV*hGsJ z>Q^nNy^Nybfke^;jW>!y5O0E-=>cGo?acE!rT!ZS(Vmi6Ww$ERYNdmL!fX;g*%jpJ z$O9&VTv8J~%g=%lDgOnX@8+wG_0-yxE&jI+woUzm>)KDf*MxgbBK(yTuGQ3LlC)_r zrnj28NGGV+y<3;o1---7q{mjzz(YT~@WMU{;5$)H6&9f+Yt5?1VEc?yy(1n~K|H-^ z_SG29jq}(Oq<>s3ibg>jICeXt%ilGdy@YHAf#lq*d+U=X+p4lUrH?@l<5j?274UNZ zx)y>65+}5cUkG#(dfys3Y7)Bho|f32V~jhh(b4+eDScQ1{T%ZVIv;)he;=yo36<2u zYw95T+tszahr<;q3eg7b@=8|e`{>QuE&Hz_wH8n8catq2oS_Oi4L-T-LC>i{Q3{h; zkmKIFe7`K5LB@8;JkV@)atxp7C7!U!@}grs)wNWh0((CY90<|nAaL{_$bxjKKNG_5 zFJO}u4PCLIk|(4V|1jVQ+=Cy)MqHJF4Qxqg1nzFwOF|q6#0(mido4HRH@w80%wpPO zNn5M{4KynUKr9h_OuJoY1RX||J32ml^Jt(b#I))5wdnEu;Tdp6r2!ALIcal3MV+)?0W*F%yqFqYmkMeiduN6_8p82`&)(IgQX`9MQNo`eb>7vKoF<;QUn6sBldVI zG%UAZtMJy@p);N>FIZo0tEB6qSsN5U&73Z$dHC*X>qr<~f#~JJz4aHFN{&woMrrmM z(XSn2u_t*TT@q*SzBaiAOCuLg=%QZl-wU+6Ud+i~th2v2eYo%KoHR7vA7|=+nRprx zKPXt}GHv=`j&7Z}|1N943j}!|Ucbe06dXmxwW)J0V6Qh(8b=asEP1GiAeLR2@l}6$ zpQ=)O9;|1!F1_`eTUoV!GpVrJ$Fdg$XXXb&#eu>CniI0t4 z_)atu^lV0$MSw?w(kIj??|j!Ot%T~Pl{p7TF)l>MaNm(%cIs`4GChrkY%T`HlH=hb zHs*e8p52B-mqOmIT%KOQ^v0?j%Pct^N^0r5N=;l)An9jiUR>zPD641&`_s;quYes9 zc&fmySnwA%w7~ZA^%V+97pK?(`)vAN`JtXZwf>>LF(Ke)ss8RAXWXy4v@RK|DG#ou zsafzqS_DxUM=JwEv-DdfXzh1KjC+;dK(3Xk@5+~0lEQlJJEEx+?KNIchHe25a8n^* z3jze+MkrVcnLIbc@F7bj)a8=N-XzIL< zDD_JrPMU=VoOI=GHNPo3DMP(eEeUwG#mtjwOd4BTwA@cCY&Fi&F{!Ix-ot8`oH%z* z!!3q;CNwJedVBDxTa*U3FY_?;F-@I*D)+!vSGa=rk!EwKy^27`cIE~A5VAnc%NzV} zd$?jM!14Z&U0Jd=Cfmj-6ReO%ky@1i47yKfqyWt-6!p|tg5ZVU}yW^%FG z?Glew^UB^hEl$gfrxap0MHGw3)PBpUyq7}2v6fM%w>Eacrr{GiD%Q!pN zCC+Z(Hdx)@nrQxtiq$7CChZas+a}4C1m7$;`T$XuHIYLNZ-#6r> z>ZDc6?Bp?MYJKW+nF=J%k99GM^P7_1*2k}$(Rr)c!aN~8TPnlPAHCmEZ zcyV8P@Oj~OjDgmgabSt1Fz>-jp99Wt?f|*=S z5-$eaZL;)K;aWHG%1<)`47uPq;M20>R|IC(pHX&ZaABwUarn93F_+hMhtZxtoz2%j zmRJ-#CcT;L@$jbWcx5{FY+}tA(SAlBVHN5@_y0!Vsvo+kf z)-G8`#h*fAZ$iF&=0yi&C@g z`|ch1yhr2r*Tx!GovnROF@}-2qt!=U*33rc83MI= zWyytm3+xQv{M~k))jjMe&Cotg6GFMFd9^qJ$|6mIkajbk+j8%xtV6%+>}4lx zSfL{{FgGl|EKb0*N9V}rS*U_h?kW*(k3KoS8RhNRsBg%$xxXBwJ(Q^qP3zLW4O>2@ z3in%-8kTa$r8aa*RL6=f3C^^#b}Vlm30XRwF?LcFZi_|2*J5NvOoZ|EU3knj0lPvXto=YlpxP0e2jN;O|!txd6NNzQvj zwl{wIXL`{Wy`q$|dpC}OPHx_=$`zc3vDCackB-`&(H&hOCY3{^-3g*JpHg^yS!j`D z*kZRmP@mQ*fgJ0k0_;~R^aK9y5@&hF1Gw^R-rl^cq)w`8w1T4}F#4@pTj)HM0SOV+ zSg*S(LweyY(54ftX1BX9eNPt>rllgPL?)*KnT19rZ+3OGSitV6@zXIKl5NB=@p1i@ zjshpDkp|PzkOsvO7iA7756rQF7p@bgwvtqq)G%>^xD2tGN@tOI7zo_l2)p|6TmkmG zm-_3lNX+c<#N}i0cYD?f)njTw2Fm5?`X0xG`PSy(iwS0oAaHk}I^kqKd08P>W=5`o z{+t7=*BCK}KOVHnq3N{UmMw-o;qLshQ~1lKh~b^u$h!|Uko*)tuNA&t_dX9KaM)@n zIkFh-Y~0jl-m;vORwM0B1s0dKON7JI(4zHD(G8h7owK!d#Z_f^C6GrI2GeU(#>9z( z3q`hWzz2(?;yJxUiqvQQ^M*s>x%!V0iy?;^IYHy*N`f5pRPd+Ox{POH(J<*`Hm z4`JT{4EOuJ8zMmx(TQGz5JYdWIuR|RMGuJ{M3e-p1<|5MbSp&k61^@-)abq2=-uk9 zwcK~}{r-Ocd+*GhJ7X|o?C1Tw<(%g{=Q-~wY|fN$ZvwPOs)x*{yu~n7iUCIysD2JJ z6X@V5&4Y%XuAFu$ssW+cVgkCKVS$4aHs^!k-7 z%&U8}zYI?ecnMI01c0Q-GK}q?QX+?7_UAVz3MXyCf6wvWc9|_ih@T0~(><+3y~1^! z6$NHaW8}{0rhuJ#ai1c64bg?(9mG5q~`823_z zlD62AQ>j(G=a8zuf#H*>=>xL;bjBO>GVg8Uc@HF-)oCd~;L&K2!E2_C0#M{2QI!fn zs}4G3KdYD5J5PiQf!g}VzDBe3F@<{K`ekjf<}0Ax&)})&C|}&}I`wNx_vn>YiOvk3 zC~qIy7g5gDXEi2YQCnJUsdqt@{JwEIVZ5T+Xp^^{y|$kafX~U-dt;r8O`G+CLwnxV ztCJo~ilU8ycRKPbEuUG?GAGw)j_k~k+wZfQ8&F*K&t)526HTZwEp33fk_iR=x|b zf1(YfcvOzsuO2CMuC_T=FoaH>xMfIbE=D?#8l_DZLY@+!Hj2WHhVF3#Ij6Qw;8`t* zaw~>R-~0?#jF7qSEb@CwuExjHzMnC4;3ZwwoY)2v3mCOJ3lkN=78aZTH7;~lH!H4&kGz7=ZV zR8cFb(>DOPfd|CEieiA(HVja7;uKSf>`Zj5CtQ<5s6WSPwitg*y3Svk>3AB3^0*D8 z!?RZeXL|S%q#AUF-ajao6V{pKA=$1xOjMg$Cym3`@{d z{0y*(ORKZfUhQDch&vt>_xMEFp5^VQXkR7$IT3pzshTrt5d~Z_B(+=$-gpz{bkAym zY|oRUR$BbIOUCwhGtK6BSjcQDs#jS|K!(`QW*-8>KvP5d0dv038g#z9PyxHS^}a!G zX$2OjSZs{89Q2O-%%IjBzW=&~8*Yq#{$&RFhHQ7+eSz!{^bPjRy#vFioWtbdIr6J> z)639p!Hn5Nvks}PzlT;z$~EOQKMaCm)DNau`xC;$Zxj@rZ*EsLMo}(?YXVQ}_Ceby z={3&aLhv$g5K4-n?L*^uae{s>r8Y8kfd*)_-qmJ}uHo(9hkj#OXgIoufO?SaPevRg z4v-5JV+Y(TtDX>*%j%Bl_azjzU`kP-f&nTIAOBIl1rSHp?s(7=T?zn1#l1ZL>I6(gecA^`iqCI=Ub7GhB#-I(gO+4xF6m?U7cn)?{HtDRP+8Vx178^LCw2X>iT$? z2e|MAjR6<0?}0H)-3F}jk&?Vme=3XPQSQ?uO>ZXDKR04KjQiNBA`IsvR(1dgN7z@+ zUPYqz{v#Q#P0-h)iB3I`958Qb$vd=~n;~TZ1oe*HUf!Co7NLtE7#_1x_ucN#-c9}> zyIqZ60TJIN+iwaw5=WxVoJmg8-Qx$x6;#uf@hC zefWIWN;+u_lHf*gCO1tWnC>#+NMf{}h&d(7QYp=M4EdcEO8tJU`(90>`Ae0w1(*&( z4!x*k^w*r|o+KDE*=VubmsNX7anYoM=xXhjo>Az2jCzjGCvDC@Z~OI}3GX&xk-eYq z$4#w6%<8ho9}9iAX7OT+DR-8QDKW2UCtlzUqj`;@l$oP{<_-tev+txIdq?;*EpRSX zaAKxHR~%QTJjo6Y#9@oOp7f6Loza2zebYUGG5n^V?#ju8`d^|Cf4uB1Wa<#NN_A0Q ztbl#tbQjuE`?~ob%U8)Xd!)Tm7KUqTDLa76fP{Su zs%Awc3XZfjnQ#)kYv6O?(_}&ChdweVhFR-1W7P_vo3_tpZ)FQF2}_?XlmmxFW(qp+ zFIYL?fPOn-NUTseMpnw`lJ3_r)UD{wzEDn2w)=V%W?x~9Y3yCC6>l3XDM1UrS?ZW) zP?+wCkLeFJj444ip9HwMD5sy#lR9e4 zJliUG%uUKgQw5mZp~&3r92v5vgIj}z)w&YCsTPzhGCN!)??Qu|M^y*Zxh>fnM^VL~ zI|mJ7YPCsSH9;NOwsUvQr(vSF0MwHV>ymSNgavTlq@y1o=da0p>N2em>7aAB+J+;^JHdV5~;u3AAt=zJi5fd*JT05t4wcBQUx8Z#qjB5k*i;;OG>Q~`{NPrgYKA3uMKMMk>s z7{o!Ti#My6Fw~(LjQZ0YMW*MNB@T7R@z}K%SIp)n7dTI}O4zwuHtl@t^~7c&un&yx zp+Q>Ke#Ji3ouKp69ZJ=zTL4hlfmY;%D3=>&_cO(|j8xD4YIrnp5OcZaZjeN+Gn|{) z~z6o6&-8H}88Tmg~yEpS&=Neq+X zfX(*?q#QWf-kR`w?~1$vE93C*rxE$BV*@qiFe<`hu_{V${C)vTOwewZpO$rR%H6ZVqN0&-$QG?~A!&G|l~U*GJUeAVziZ&? zbG?MO90W?OVLdi_#!vX@aX^!k+R=h*ESG@tVH@;gm{lb=#PsGVm%8>p9S}2Zsd@TT zwdU7_g-n|#2&m(o1RYCFG!J3-6iYQrW?=;+2_JLTj~DJPAg9vv<`F|x#7*P?)>~7Z zhIJME6!y#AN~D-BwoE(U*~2_C+xN|R6aD6FN0Ja#PJiOK9nmp7H&jDzMT66ER12Bz zI6B{|D1Vy2*#SwWdD3VGT4SsqoY;^`OE*?Kk{mb)xfuUqPkyRm1hVrzNb;h`%AGcS zZ<-`+pJ+V!!Y7BgM~fH{`%uBY)Nl>9X3296dLh$KXnMdBhOblWEKWXrMjM;T9C!8jFC2m0W&+b{jG@;oU-IkQQ%O-gxC1ax7@hSaNxB9ddKxyn! z&({y-OO2A>-P%H$yq3eYZ!sZ+(biveHj6ptkgNgw;CwlkVBf zod?IjK5Ct}zAW4=;jTp!P8`P?X0Lj(<#^Q*E;(5?K5oz?W~$AYMix6>FW&4hYcu;q zh=qTztyRbF{AIevcStSa6{oFVX`MCP(tZW}P(1~DM6yqVDtB;IZ@}L4+E)pMXCf;@ zhA9OYKjfIF7ZIW!GNS2-El%ER;zDXlg=k^ZYHuKDRD&%{p_4zQL*%0v9}7(5fIO;B zoovB{LY@0X%yz0IRRV>q>Ll=czh4Pglngs0zp^70Yjt9U96a!Jd9?z}6{yYG6Ix+> zAKE1sbk1y9AO2`Z@fUDn9v{L=_8o>d=hh9zowP{6LVU111PcL`(W;HH-3zJOzP~V~ z^z^myFX6wW<2s50%TWzhhy}0*YkBL!N6R0)hx5fsRx`NJAqZK zXseSmXBmFr{i&XlcfR+7z$)+u{xj}{#>Z1B%<}LmXE^?T8|utz&Wpd?*AfcE+-70~ z=$FrV~KUfNVv@h&T+Jj@%iqrbo4 zDr}6oZpdf_aRgKI(fsdALG@hBj+vCxZpL|=-8l2b1X1o6)5$lKt+ez0_l00YGX35e zwo|-))n`7@6$0`iJWaTyx7V~PeQc^c7Px^Yq%{PxJYk-FLn*uYVIFS8;|Z;Sej_6W zMq^Sy=i`{48Difl^?!RO7C@H5x{Oo_QDmBocs}tA+iyj2rZZOPKypnZLwerPxGoKl zKs%O@nzW8Qx6&HYr6e&2jmq|v`N=G6D1ZnZ9b;2(NCXV^It?@mvyJ*9gJ3bvl<3AF z4+peGFw}|7c9t0!WumsVYx2Gx=jRCStbDfgZC)>C`5GKWN2wenXel-b&HR@_%4LC` zDJ>TgoEfSW#_O@bw)Is@$rW2xMHfTcS3QQ4`caKSU&X*iUjMGuxcW61Dj};UhZtEq zZ)I2>w$Ohk-zny}vQ`n&2Bj)$Vr|%`m|saChKXH1)DJy9TQQ*L1r|Ecep?hwdjSx} z88Oru5}}y~wL0H+t1{h{j!G=H*p4;pYIu;`^YIu7{D=%&{Nr~@D;4P$NG6WRL8l0F z=J$l4|DQD&wKc%USOPZ$>mjoJpT=(4BlgmhV&E(loowZh@oOa^wEe!TG!z#CC8H79|Q8ugoM(I^eHe0R4HJ z>^)qPhc8(K$2;ayM-t}nSuS)As?Vy={F z5V>_iXZVZ-!SjB+S2Q8*Qf~9Q1+oJdRtRFe(!Sr7af|(IXU8vW3ZJ?Cc4d}dEDnpJ zvrbU~@(q;(LhO{Q7cwl(2k5mVE|%qv&LcQ|GOHf{d7tjB%VI770)CqN(ZSHVRr_=IwZR73r1P;iG^^G(mZdCnCZxpRF|5K?(Uk08XZ0}i*q z6z-KFuD9C5Pj=tnHnHr9# zoVDkd=rH=`*1zeIo8T0p3m?1*TFs+9|E3CRqvhrd_9;Tk<{{04s?tFMsY=}3zW$nqBWGw}h2M@^< z)sM;d^;ioU`_})Ec57rOUU5R~N-7l^B8j0)G4Gq)b+*`dT&FcpsL)O9k3nO@t{%r4 zfG%>o%~g`O2DrY1r)Ibi zAs4b=@r}`S#r?Xi=Vf4DdNQl-Al^@vu&%Lj%akJaZ5Q9iFh!c@i-MJ8W?38G?H)G1 z0rsR1XSs>762Ubn^mn!1)B>8y+$px^Dc7PP{Uq|GSTy3^2I5TF-H*o5YyrXKjLsbEp#Qdm+q9K4RKh9ZzzSYC7X^f0fR%Q~UW=|2fzN#v#Op`YT845_9F@=WE_g z5A}=#V@e-$(=F>}9eA=E5-LscHPBMi)j*2KR9kJLs(6WuF^=VKSpqsGJL9;p1wINMEPBZI%R(-hrF8qCyh@~9BJ zZC6Z4Qraz>T(cGk!!b50WCWd|>kf)BskEU3B{#Ll;mcpac}P&ut;{B3-4W%k)fgL{V8RD2=_hdO(1y ztvjAhipd6fbm{&jXg3pQx6%BuqrOR4k^1E?#@U>`niwk<^P#TtOqkX5uO3YTltmt8 zsiskuFInkN>i*P~C?F&i#8SYwY!ZM`D0~ubb{$J`8roZIJj!B%GoM+1q0x7q3b#FB zRCJU~ve44yQAZ$C8DmRnjgW4CN23_&Gsc z6$O1lXH%eH=Bnt^N$#GO#}o+$Dhv#SZ>R3|Ljsf`#bE@;A2lX$LPxfL5WFxPSyfx9 z9Jl*qVlrv&IX;O$C71|UpqJ2W9v^+dv6Y6zuf*@V#WYR^K}}M@YFGx15}@4xqp$v1 zF5WRz|6H@uIQo?eLP{Gjl8$_!vLMSaV2XnT5QiE>^)V9Xm>?+V-u}mtDC5DlBLVqo z%XJJmqMJ7MuOd9j_Gtuj^9{4Dt`%4L<#4(}D8wS^&y*f#FD_jH7f{dL5PWfmf2l~D zO^^w$!ybltVA2O;I?kNwx$^$YZ}2HR+2JMwBSe-<0akf9ii@19Ak6RjE?SqH8$w=O zM>Qxld}v%}=#Z7r9d>-mIrv*9bjp1c5ps_gkbWzKe;I=OYSXQ1$c&hKI)~#ScFcFc z;^aDOiMF4L6R7@23jnH;;$iAC4?{ze#aPViquAz9f=UDY_5S=A@TcM4YrXzg2oynR zE+hC;mgwuzlm|1LtI5R0bD<6e4IjWd>%0w!z2102Ke&n{EB?-*-E=0RjfNig88D5A z*4PH%QV?YzI}vqe14T(i6*`G(Q~e%ZiB}k@QRnxT7`$rrLoO z%a=SN>dhlKyT39XdL}Y>u3hThS3s8U+gMV|$gEf;U2;aUzsMTlvAjSrNR)K50Q?&W zFeON?1c3VfCHybJ<#wg!>WEVL&W^Wuc!wmrlCMRIYd9jjCV0Imy!E9IXp7I4K&9EY z$>(Q3!BmfrNILPU%MTcAD~w;gsxd4QYYmvR_jNJpUz^O>kcZI0IzaH+^mL74T`k!6L&i#IX1%)n8TKmxL6d@wFxb z!w~_vnc)nK^+_quHCnJ_zM?)Bx-VJGb2Eu?%rQ5Cq9UF0@pZPCV`cHADlSKGZ#J;D zKkOEh)ce=kG?}+UE3@9=f!x}|Vw<%8Oysyw|G*7!zxEP7YAD|6n~L%=%CcjZxa`ev%}TIt=G}@P7A!nwt!E$ zuR(s0KBo@&jMe+yX4Al>u2zijfkWu#7dYM=o^0mT zU`qR_do4c#BPi$#s=fa&v#4axvV8>LpKS$*^o4!%(&=#$9v-+Dk?Xe-vn{2vuK6agn2V8A&}f5E|z4eM7K|6R-Hn1yZCuVZ1N!|s2*gCjY?S6)E(c;q!w zl8kxOxTeIJ5GU_)1Q8w(i`J44xWl40BTFPl>*plU@d4|86BQ2(LECokuxmaEo!*nU zDu_#n&x5R8X$}Zr^kyi_?bt+rP97Sk=z}=q13W$^`jBtZx?f(zoRX5V>lXWqCLroa z`t?+ldXt&}rH}3X45HHC;5M_;Fxjb)lBw|^ZdM4fbWsdaS4@=@hJH)7-|wd$uP~_2 zN3d3}wRwSNnFnFq>lC@plegjK^$Y~37q_f{-PCWIvO-q+-R^VV16FD7y%RvZ`nG#+;9v&=5{HM8qTcuG$FEr^^Ef`C z+{?a!8aq>sIGw4%%oARM=p`vRP|_D{Ks4#^LBKnYrrS{;vivEm04^ep(jJe^Kl1eh zGcF+PaK8OWAg-H;R+y_Ylj-Gfr?y(e9GiXhRc&vzGlreshEcnh zdi-`b6W@9V`fry{QB^V}K+?9Vl;3(D(F8S7Q{Vg3{pg(QKrX@Wb2spA zE8m&}oV}u;rm-1aenJB;=<(8qrtv@np~+ThIcN~X`o9iII~PzNun3xWfK zyURL#hra?Ru+dF=@B542(blZNny=l0LeEJCo+yP~5&ii%=}D*j6;jm2u$*Ar-CqQ? z+?M5-suz7I1O(g-EcQ-?K1X&%zJ@%MbkN zW1o&ioM=71^h2=@pbG?|A_0m*bu3_8i%1HWBMMgEEW+n{H6F#%n9m)Au{wOtV5a(w*OIJL8Q2Igb!@jQ-Lq&KDQq-(^ z*zT3@)~vOEygz^U^}VLcTirI;;T<}dWdA$^QGJ5H6AL)JCWx6=)tl_0xv@?hTunuQ z{c)DfD>`|xn=S) zk(?aehr;(8jg@=~Ns!k01xY1SC8Jb3!`tu$_PoNuqI+$}oqJsZd9Su++BdCpnY_#XaJNY_M%zlSQw#lip82D;C>rcbhy5?> zH`y3Do^IN{5lzu%1wkz#`Hf&^tmzHv%8L`k`pMfstyVL3O!f}TaJ-i~VNg^zi0rH( zcWEenB;~%8Km=}DB0To+)|~_-R~#@>&k;0``}G9{kBiA3Q-1z;96(Ee9&KrP0iGel zQC4jotItW(x3U{$icnAk$|}g{8SaCq9>jxaT-WJ!+{~E=#kBh74;ye&J3=DJGbfbj^rTR^i&OKk=t~McWeEX3? zl;>H|o7XGKYgfS$Y1%z`t)?G-8uv}+Ql9yb_YVB#cC8Pc_Ucj1T#kh6Y8b4>aWwAY z`^jZp_0cr4dH5V zb8F)J3n;^K=CWahH6e?^QF%Dr*Rs5-S3C$hX`Mu0<|_}Wxu*n`h|1JHvjgcUJg5X; z6klmkk#0I}Fdrv&Zuk#{pD;o}aPkdlz_P@nb(aDU#|qbwJh_5viLE$l-|aqBjsO)5 z!~KE7T%`$oCFwsoQS}nTqlH4ZzPkp4Lpj|hy)Wf1&wfx3Yi>_{PN>^inO@7-Bfdw3 ztR(l+z7*2>T16{bq&EjA^>te59$8K6{xp>k%qMZ8E_oD`u>cc`q*bdyU}W> zXfV`d51aazS$ud10;}l=V8|bI3tS&25GP!0{H84dRnpiJD*{vA|Q!)+t)KL9R>AO+_kx$b!a=?ns5{KXWoqY31qV(?aw&!1+x z9pq`7sncoD6?^H6`C<7^Zm#Ul{+5=>4}w3uAD%ac8_|MWKUTrrut%u@E*%;zi~@a_ zU_!6ZX-y{?2YER8G_xF|>H{UF6%ufJT@=6I3&4u?)N)gQknijdrc(?2^GQGj_OAL= zEMhs^>5d7{H4S%nkw^xyWT!hW4O}%CkK*<3VQ-(NOS-o<7t3GZJ44KQFntB1g?2mM z2TE=jVl`h1_iq|BoKKIR@q>3}Vytwm&|p3V(1Qmdupl{AV~I4vs@#I8f`uOWGkN9R zXnxxG>8CS&zPoNvDPSePM!aYAC_GaRaK8a+;$|6Nz58wh+t1lBfK*ai`d)8td@%VA zm-|F$5uY?W0FXaFMzN$kZj}c6pHF6->a;)E+dtoBVH!MD?Foe*ec6OW(xXr*)EU`8 z=+A6J_du5bbzNL8p78zvljl!EVQ>?9I2FumjnRI%KIg?|p?+}|W0Ph!>L!E?CW9K7 ztu)=#U$Bv3F&7ngZ&%-VYoX!0GOuub=*R5EWAk6l5jvf#Arxt%p~DLgFP9Ye27Y=0 zQb#y{;Ny3^r9d(MtJ}En`-R4x2C9YGPnEA#1B%;^$n;19#{nT11g(>Bi)b_eB1^$B zHN63qlsgGDfr88=X}}aZgA30B`|mjr{Uzp~Oe^AQE{IRtS?c=g1N|Z?ESZ%S(dz6k zA-Z0#g)Q{X{ca3YHy*8PEm*a#@3&t(6^O5k=rqpjZjWj(wi7Wt()b-A9mkS&FfP|4 z%2l0Gw%epKfQG={gY7PLuBg2_1J8Ye7>?rKnP(uuIgx`6i)~5#27zAzb z(ImYzBj$ZyWliLw;EH%3GgWc5L^`uZDfXpM9 z4fqfG8uhXFF)-B{t1(*wRI3yJdztC&K81GGoSyqpCyZmqUC8zeM`)G&7Z>BuCRCY$%J7>`neQ8Fl)OGdG3Y9(%TM|$5WMi%5q^gQ*7X#geZ`p`KEP~Zd4$W*sfQ;?kgI& z3N8=C^os)?t5^arvDB*DH#^a$S@mGf{K=W=cpro9;REA18*r~zTP=qB_{+44i7~f5 z^*$=l7)h_fri@_weXIVEUh;U&FB}Ghmn6!`_sPnX7x6&?_g!{qm*Gq6xL(PLX)Lvt zx@0jC2d)L(Z)yTHeN*>=^dQn)+dh>~K9z5YjkcK!K~d2GL>}>e8_cZc*`u?Ik2HAdl@N}i`q|pdqmv|cu^E-PFNMlR8CT*3&fPJ{D zp3LReHYzr_q>@2V?R$Ex{-!&7TkK9@3?ly*LT%mtWz*Twc;;v0s!Y*hfFM+w70k{XT>KfG7;ZjbaWnMgO3l=%_Lrq+e&ezF4hi951OWO4#XT6gBOv65@g64$oieG?1fPwWvvBLwFhX}vT+g1-6u zPywd9da^4NRVN7A0hY{!{a6YDYl!6uTym5mb6 z+0o)7m&NLmHd>x9UCFajAY+OAY1ka&~A!#%yZB`v$;+53>Vj$)!y4lz%BGU;Ts(OBpNX9mB8u6 zQGmL)fDP$CYabuM=)?k{EXl>+Ee_531G z491@`LumiWhwYX0M}w;3U&QOm;br5 z%j!-@DAIjShaQt3MY$~7@)%qzy>b=1Is9dx<92_>a15*wQlk)UI(`9mj zEsocU0iW~4l8gA?&u5Mi#VIlef`)soK&gwS%fMWK!VdBMpWa8SDmpcJde|c_&PR$(xxN?@ z$e7W*aqGT2cHDI>hrzMmEV5{@6Ze`J`!|=;;6~W0{Q`C zdFD$g4}tSAKj*-a5irj^-DY3eB-zu$gEEFh!Fvu_iv$DwOBA}W)d1fBkD~EQ5$m^@ zVaaL7{@}g{rC6+;q zqXtS)JuQhuKww5P*{??U7i2n99vKQpZ)#{zZJ}hM7EZ{KIh?OEp1@aLQYnKX-kWCc zBmX&WQ-pxz9)mCo6W~g)ToI6vR(bCOBws=Vd1Nhs;G=lDnb*g@`sS}3In!g10FU&r z7`L9{wD{7%%7$_Sn=#hgGds>@vx+Wg;=;#``#&>}Y@!%qsc+T~a6x18w05lw`O&Wz z_Lc|VQipNS?i38XXZ8Xb>DqUFcU+zr*f;JeM_n&6Yf54C-LgAd9yf1WO?8|~s%I*5 zHk>4eoF_4Q9o{=T9p+yHt%1J)7UL^#jjeLAv7?d-lg9(cLFmErz=}^Rr9XNS&9dtb zAenUsE5qoURN-1R4zuCabM`kS&&qZxk3JiZ*qaCUx6?U2GOn`Kl&W;pa47n&Y)hw2 zidU|Dg>Jsc^VTs{uq=r{vY781A*;x~I8r^Qp0upGm&V#}@_&nh;-Zt!RWNHm<%E32 z&y$;;M;1s^_g8Wg)K(D7H0I~Dz``_2gPn>v427EF#@Zq1CgO>3E%1DDW4qibODo=) za+Wg7H;vPh;rfcM=$I9cxWjKl6A=7 zg;kaI=r8G0RmG!J5vPG4K4yjy%kV)QMr<9u-p$yu3>>tP4KB@FLywyRwmWRJf* zAb6PoXk^19`mH`G96fJy0KQW5aIhnE7Y8O1LakL#S9 zeH+^s#-gj<=4yO5h81ibK=1`1BoC6WjPcLS0jZMX@!z_;fGH(TX5#!&md4HJVf3ex zTvlP?GAcHDF@LvWzIe_dRp3deG}4@_{_KVHl;MOyafvj;`{1j;Li>dPAQ{H zEn!Wz4URP+#68{1U5LcjpBVgi=FPug6)dv#BH~N%?`$RDqu-{aGy25Ljw+=QUavq zXk|vmw3vCd%}aVod`c0ywu85@<`MM+u>HbBI>ti!U+VYcaNJD#f8kbb-(8wkf>I4~ z&bg}@hNod;GKOg;=Cc{l6n;HpP%QkD!I zYj{kICvG(WFnq$60t-o}AV||xY)MaK*x&-LQ^Y6oqv#2FuX*b=KSrNVxzh5V%ws8XJ@k{?U>+dYd8hyhI>#NL+ygR<#k2PDyZ6TRD)N;07cOZ`rzd_$~ zrH(oei82W9Z}8ZW%?=q|y7`23-zwYGi(U-|Jq`{%^IK2$LnVjw%P}9|m67%}-W2dp zBO_qtD7>*lmauUGv2F0(p3dILuGg%l*6(~vei~R7EqQ$eABTiMMfM0nRdTd74%AS+ zApq9wDQv$aoak4KL+z%|{jR)uu%E_SeJ9JO+*bk6NZ5o4sJ;jc_z2n~MVvxO?nj(z zY9DH8ct`csEpb~MF2=VH9Zy$z&|jJM+_GB@?LSK^i>;&jj}~Ag_4baw?~@Xp91sqt z&ZP+%K!qKDi!ab0n~mSIF;}cGOW_?tHy+Pqx8mQsM!JtS7Y@zHFmv5So{MGt`cd=a z8|!167;yAy+-TMLK(J-`hUAB--nn(BlY9;A>dX$$kmhFU6<ZC#|4kcp zx&U;2k88~po8rZaJW-h24IuM=0sU}|IWzUYxe)h$@k;!^Ffm5uFPs9ob^uH49oo5d zVIbOYQ;fbUJzZi@$|y43sG9##L1alV2^yiE=oj9=F(WCxp|8} z)CUL)((2Z3;>EH2cNt!;uz39gS09D=|65?#|35EPC|VELou}G`G5z=4#8n!PXrYsJ zBj`K@>C}tU;r{&bF3dWJe#f}SL6CKLBJGi*K)fN3*5A@N+8j3!JU9|Vd@;*Cq_)C0 z^}5aAeJGQ#F?rJvwQJGnjjZxEj16Y;Q`X~$KUPcRNky zZNeyDT?=3*Yz3T9IHDk=vwm-ve1ALN{iWyVCn-6`M`e-!pO*q+Ah+6V0}VX48>k_6 z&D@IJMJ+Wd2&NQ`rQRO$npJO!VIyPV>*%m~?Ri?qknRnv!)H4PG2GiK4nb=}*0D zUZZ(F{MUi=ot`h}CPi6nxfU*-cuTZDkT{P|Vq3e47q0&An^u5(z<~OJ2zzprK=jtU zCd9nBIPN*&2%L!B2vK0ZT%btUK|7Q8#uYD2@!M-GR6~YOh+Q#&U~yY*B43a4<_zE9 z4jF%QIep!qItT%E7F3Mq5W@qIXs}3i^`|{=nt6b*u59FxgL&c*Y5+Ysz?9MZ5{Cz;T0Ha zRAZ(>@5h0;Kr@Z_T=u!O-|O(A?azNBZgo3%!gF;wAAWV)cce?$?}tij>|sCT;>zAM zo>}56Sa;*)Sp_Ro^KXk9_=n6Z1WTWQwUuzc{~^H>SFZIXWxzDDfp7Zx>-$U7rN@33 zn##xCVHh)?uKt%kxzKY>pJzH7LErmRLSP-o8!uU%hVAI(CTx7OEUqxeXyf{xRDQgz zmO2R-0gdQRaK(h3D;F&`w8tUgV#~x{$-qR;Ly7Bh1NAVoBO^tV+Qg;!4&BY&erbVN z(K*||p=ZRKvmtZoV&w z(5e`JAJgf}tq6WQL|`;2D4o6lMTvsEgLcXwxJ@Hf`O))}6xd@lA&T41eG4-g&|N9U zjX&=-Yf$vQv5MHih#?nJL`<8;5eW0q#MDcFB=`w`O-_FGI*tMeeiydE<;sH`1$+Tq zDU|3^LphN25<%h`B%pl~hHLSFmApl{wsWpyLW2Vw6YJO%eogX4Hx zB4hKh>hs^79%;WP(F0aYHH)MC(@a54U9JSx0kRo{*cSq#>p^Q7kWM*&@^|-@gA@>) zLo3<$UCh6}hRJg+U?j&CA5o1Om^$`j6m^i^8p|+J5j|Ygk{QMcNoQ7k2j}Lekp)R; z_4CH(^PFyfNI5^BHC_~`t+nu_+ZI>Rh9inWAhpta8B2!$Obo2+Jx^i7cc{q~= z)a)ftL{Lwn?=*DbF>~auGL&gWOM6|%(ZeFQc#y1@j86l~7A$tdI(}xJze)xQEK)0$ zud?rr6rJ(6mbpygDghUrckea-CyQqr$hI#bi12bLNLO|!z58ayxKyFxZO&$C{ilu5 z;zD~qQ@3T3l>H@P#J;K2+f0@~zHdikrn$OQ@^F4p3a$qLf!^GL-kP<=C5az)C7#Ib zV3ZE@=f*~0s&btM>8gFpKyA1fGWC}Pp#1CCZveq>jLhXe&-QWjP5`%I@Oh${PrByA z16*yt-$7Eg9oy5j)gtfK9${Iq)5g&;(OZ6=C;Y%O-~&w4tp0owI;K;<|;z}&sTp!_2AdO=}fw#cE)b}cJ+)twM!S!OF- zkQ>iR7P5J&r$?!$tNZm8Q9VA6G??(s`B43To*{_UBff5b{lkRhQCbT%l623nc8FyF zZX=1wG5{0ij2$Lc0{`V7aQ}+r&jAJm;1))vO;e+PnnmmtvB9;GYBYxdP_JZk8OkWu?}N<)N~Ct>!ubdHuam<2%ViD1FW11P`EJUL&p3nK ztoy~cp@+ZyWx4S{joYGEcA;if$=kk*R);gDV_j<;$!l2t7nckeIDgHK7&&GZ+UySF5?X{703!3oU@*`f6{Dm@|ldQ4RV3EEv!uRs3&-b;$A!OZ5 z^A3|nZ>nQSuOJu(Fj=`JA&i`7J}=MjOy!#zJBntqkPK+Zj{6v$Ac!S^3cX%B>iD0z z#sjBWfE4_`z}zx;8hD+EOyl5^G=T}{4QU7$hQtAgn7 z*<#km%Dlp%yn?*UHr|No71QchHkEhERuh)}jT_6(_PCCbW<6dfyj(~=dD zD4~p$T^T3YM41_x$sWhNpKtZ~{J#I|{{8OzzW!aGt}7qcd7sz&^?HuS^YI)njd(Rw z+tv+x%lB44K-k2|Ui(6SAx}DzJ&l!(K7x7)BWOzSM2hR1e&Y7GWp1tm8!q0}PIg(( zXLEq+V!>s(-rJdnA2da26LyC>vTCJw0?kvZLL15k%Vx-4gcM>iETjW|xMxp;BMFk* z^XcDgFw6&#Z4WvKu2RI+gB-OVdnLL);gjk`UsBdsj=KtX_ZG3&&d*v#p^6QQYi0Am zOvK#$>7Jw6*hqGng55hG8(7w1GI2?9PIx`%!FcF}O)=9u zLd>2654*~~8uFOgREviGu5hvXeB|v@X|gL#?Q8F_{!*(=((#2!6MeUY%c zxT`)VY`p#^tZTvnfn9H#CAu7!n(dm!XF6Xc*mOc{&n@3)TQD&7k<`ZyO5LV_Bh8u# zjfFzEX2!GuzXp-()f3L*qw5z434`B!%ey^ls@Puq>=w##m^fl1beRJ;}5^q9b&T}AN6I5Jx;xZS= zFZWxF)l4`LUblO!ZBs?0rTN{ULFn2-iDS3t^_j)41+BA9e4W_Z!0)GDe19Z+ZpwSo zEn|mkw4qIR_B!W+QNFq6z!6-$Jnm zZe*=D35+cThFkVrQiK>)lAtWIp9~rb9g_Ax7mgA;OpCNa_$y2!!9(^Dk^}IQ9oG-~ zXkl5!i&YZ+c4#sRa4CP?SMZMamH80NYYL*kakpBziTa@{+bddiSy&f(LY|Y)?x)z| zo~qCY3%C5Os%$o4Uzl35duu1uL!U)c!6LWR{b}~F%3&nSQlxm$5U7#y)EC#AKH^)#|Bu*OKc~URej`(SK+>FMr(+mFW5Fc12i4sDNVjp&*F6MOU(PZ z=In&aca*nwg6*l=$8{uxplkj4_g37aD&;GR`9RyYK9m(@LOd7=KtWir!K@1ORFD=O z%uyNrLX8y|abccqRWBTeUv_1Ac*W-8YqR{(N2U|2C-Hh0z$Jnv*Ulm2MQ?>=x4z9^w3`7M&UPtfm+zk9fA|rQV?gh z7-{Djq@$AzIgAQMXe{XFE9Qp+6rf~V0OWF{sbAHx=-iFEpR;?EHzH+8kgz0fvo7A1 zbzyd&l~JClYTxf}lLyj}U+|c%p{#4YtR&B#U+xeZs3J|zvAd&rVe;jSdc-2*GA=bq zY*jb@6Z!Z2%2iWnMG)0F?Z5+dePu^NAV`I?RRR7+O)6qGhY}FXfdFj#dWRL%#SF_D zlcG%aeBeZ!DQ|C6_n%U_B3;BQ=o6hhhl~yp|5krR8WvpE$-6bn?R#t3U%qSNS<)na zMjT?%uI-%rbp^)PaHC^`Bewiw?y1@A$!Aa7wmgFYi!XC>(!J({)1ju0_UFZ*EfeA9 z=NDS4G#*q#W_qga_a%q#3!SaiZAKP;$~R}av!GTbqSZPEuQF!qb3EC;`rja$_3bst zexJ@h_-Ze$yhUB3Cgmqz7p8!6iIzRjFtVDFb|(MSHorD;i$eJM|TtWc2DD0RF>%kG;3@#xtt=f%p>4q)17 zaceT~*(-Ot%e&mtPSSlN(jaF+ zAR(n>@*spd!r-JAR=JT{_)C8(|NE$clIN$ezNwbYe!KHVWez(ef3^U#TrVTmH5bo-OJtM;c0BEBAArl(?OsR%B+C?v6l+Fzr zBB&pxMfA1tqpv+dvNtE8`PV7pPlKcb8s>SGFH1c_tZ^^oWhUSA^0o~zi*sJ)P3>Rf z+#{tVSj0_}J?(oQRaq=@xtX#N%NK4P$!05cxuCS$_)BtXU0z&&8=q(T{_b?1e)S`V zS4#4Jd>0l8p1cD-lqF6@hke$zX?hFPT^8E>3k=O%G<7709t>{Ip*Ac($Bx|E5*ZG7 z!yUt&W!4=SWC%$vebX)Qua!D(96qs1G@KwRM)m&4;W6U#Fmw!z+NA7j+O_+J*i>iCts> zQfTi21`=Iq_8&g#O+wJ9f4@HY+>D`_K9nt~M{mhacPsiOa1=UZf81O2%t#w-Q!P{IM%LS#sWfl%G=iOCkLckGf zul)`wv4VT27e&coE$2DYImfcEF_%GLL6G`easb`2@*gba(RSQzFD_&kesUIgB zNfmg;4W#Sgzsc5%7qn|1X37Hmr^6Dvne}qy^vI+hF@dTt! zVl3%ze5ynH-^ZsUWL8Ltt3_?mhY{=4#S=1r2j^ls*%F*=AIc0O|hwWWJrxg{@A|SjzTMe39bXQ0TiLCa&QRd>FI_B!v~O@LlFZxovOr^;?z#G^7yE z6*Y!<(VP~M4TpD3tZ2Fvf9I#qe@KbqL2M`ykoB#=N(N5i8q9XzdUcz^^SL6j2h+w( z_Wwp-h%88<_hbQT?0QO>j-sC-u$OW**S?ix8A_$np}ML{fd9c4nt;LW5VSjQRGHYl z@0dld;mzDr3~EUVe>T%UE>;?;twB09`2*BTvF8x|hxw$3s3Fe**I5uvMKY*AA=&*V z4iWM{G51jfCf+~FgJh;O0%4V6IhlGGz5}GGGYP^~>vsozH=RriuN^FL9!Tna>!dwX zP+i5VLG~n3x)lhVsaV_&ratdYJ@W`|6Qc1Orj_0$GZO+%u0GD81>!yC_n}DHth+hE z!dH`$@#M2s`OTN(VfPyG9K_Y??EBSmV4uZ)MUmurp6 z^q!j{w{C*-A7Ztrq45F1hO1H@fjNW!PN^tNs7Wb*3V8u1c@RV+jpUjKDQZ6t=H~WC ztI0Y>i?g)H&!)RnZ@*=zgV|&4H+wFrH?ZAG;j%;%ZFDQZ;&lX&ALEPa^V{9F?=7}3 zIpj20AuVKD9Ok_|sTeD_YMj?80mFchATRUHk zEV3$Bd$qT=h!bg@SqYc5XnDaOh3?<}B3zxau{Kx0JsHc6dlG}&xjo(XbYJECN6L)K zKIii27Wqxb>5eQ)oius52ei)bh7X9Y4b(Hd)W3Kt3A8v)XxIFt8}0CJ6;Xpd31-R-r`gS;u}mk8B68#7b)v`n#sjF`WTWWn@56|*M1Mk znsZTAiMer%~$&i$qk5+**I(kWP|VxbfKuhrtRj&WHC_tnTy`fIteIDB51_iNe;P6o0pxIMJHZSkT-xOz)z-+@Evo4?ET zwql$nzZYds8vd%j4foyoQmM^hbQH_ZoeNpwV|};zE=Ldq99>KL>O9bVl{>B^lF#3qrdxGj`Eo zrnCL}#n9^@s3Y{pw2?qs6kSf;GGc5AwSEePATqpPSSkY);?Y4S)vx2qX5aR8z-k0D zUYq<_p^2VoO%pz!HGi{_KfCSHtpOfi`Q9!xEoK86~vD~Sb z?ezA0i1C(nxzq|Kax^7$XF9iFbh0y^R# zqo6VN*Tlk&W$(60A7YI^`0BmyE^hF(NzP+z-S@k7+Gxjoyb7A&ULie?xY+As3Dl0+7*|$n9 zhE=l_w_CBExZUEy{i}SgDl5M~2=7}{LxlyjyxY!T=BS@EC$Pk1-2}5Mh8%Zm$~?eh z_tdh7lK+P(p%L~Yr7Bpp z*Kc=oD1##M_bJJ(bj85heI(hD`|Xa&;>3PvAA8dHw(y6G9J@cxw%izN`(eoU&E%K% z3Fm|r1!IRq$-&#o#l#Qf>|x}ntt-L8$L^Q-*|a+4RM^k|E}!erm7V48wZttXlAk&5 z9J};kY2W^tx{=i|YAzLN8v)^%mWgFaAk}cAl48tacGw8bDo0`UiJn{|y{*ggtUul_ z*3#;o`|?O=yMK=O{(21F*L|#Aot>WichzdILyS{lTPqdSIvfC_@a3~?vYvEQl8+DK zf-FVZjpPyHCX`(?;x_!FrCzLxFfch-Jq z$TIk5<;;D>si%G+*k(VFWL;^#JO4b{Ss-ZnzMi~^SOZEr+iRixRp|2@wHuXdgD2py zCtb%AZ6naP8KQ_aU%^`Ig|&3!XZvvzcWf6PXBJD-q;bs=%f^!&Y6G5cb$@Vgl~ZRm zX<=0VKIEpZBS6YOw$v&JS8b59Hn-?c2x7j>qz4|!*xBBUJk|gEo!e-w`qraBy29D3 zKUi)EEuJbI-g zA{~h1mh5-kH(NH7Kf*y_v3SmmVOcsgW@VO=p_eDNplTyRqR;WP)$ZcHBX3P8hePYxzKAfGIWMv#tg&iUD(xTX!B6>LJjvHtOwda6-QagB`D!?lmJ$;Z>;u(5BOA!kF}yiRWogZkvQ%m& z%#iw%G*|HV&a8{y3ED*qpA`e@uR_8xd=qwF451S(sb*SipW>IDdW)&+jJJMv$zD#l z5VOU2`Sw%pC|S9S!*mK~Z0^)nT)?Gthftju7aj1P$>a3FSaj1#ZTWvnx@`0L9#7W3 z7-?%vZH7i`l`8Rj{icsEw7OpQhzYUXguYuqO6M8GTdA1Wn@Osq zGSXCiX6oK*#3yhq%ij8JPO~U2@Fa65kFmP4CVr9iD{^;YVe8oT0P~CA>votr`;Y2A8{g|sdG6t&qC$c(Dqch zZnyzIPLd`$4~`%*V^J~Yj99`Kce$$mV^*#~vN)9=rH7@A;5}Ly+q6+9uwHnZKXagRVbX6(uOQr)cP=E-^Ojo9%Gw(6cM$>sI{LGti$v18uP;BJL;s<}DfpjJL>@$VWSBKwPzvOvBb;e@-o>En%i^DOWYSG~( zM^7~*aj;h@Jn&NZH@?x{%kR=RovHbiUxd?%bW-kxnPZc1-VyS?nUjKuhR$xL| zb_=IuUs8MFuEm@vJe2EqRHr4hwvn)bg`3ETOAg^*`q?A%Q%cR%#=hjZmJ6Lyul_Y8 zFlI(|<)?QyIX&y_>`MKIX2~JJdf{MvOG&HOXkG%{A~D_AH~mUw1_d$nn0Jnp!WuYy zZrxq0YN>}*kpp13rr-pZ1#Yz9OJLx47w3_}mHvIYjAI`2C)s71 zluE>{kF0$_Nu<%%F!r6sue&yA+&TKb)kViu-scH!H58SSoaXcSE)inTNpBL7>;lUV zDZ-nHWS+P>p|PT{Ru>9aZ#Ma;1mRNh6TVAKY02yzGxm9lxKt-tjCP6Cc!Rgk4soI@OPg`wM2wmXL>bqq ziRb-ohm+k2eZk&Dl26_mxt(GO?TgM-Wba~{8d`CP>#`1g?>XHSF4bCHv3@2<^lJTs zn{{dK(lgdBq3oQ$0D)(qTN77j`(%Aj5QWHmSw4JbxD)&?81JC#L%b5~^kZv#G2k4j zi_m-4Q$btiWhL{0cjGM9`H^4*g*|r`Whwcw?pd%teg!S`0OTH;Zhmb9*SWPs z3sYf#_RryKrXYY6E`x3v2I|JjJ8REN2fekoocrIod2B5-BsAS$laOD(sCMcL)vWa5 zc0D)O;`if79j~6aks?7z+D*GK@w&~KK1?dO-P9q^;ClDeFbd~rnIFj@L__8KcfsMSbIS(~?W4$l{4B1OD*xN@oy+qdzHF(5Hd?m%F0rH~BlOHsUw?YI|7@?% z{BQUjr0^};RV{@4G=$&hk?>n}eUh2%hAxEP!Ak{8q%TtLT)HfHZ^=*4^~*j>;_2+1 z?RRifTWnnygi#m91ST#@GfO4}~oOxd>#h9r!28SfT@mk)Xi9AivTBD=>t z3xi;adr(EfykM)$YxYwPa@fbRCcxS_z5Z~(T1kF)CrlDjV>f6F|u zm<>Iu%rJj|(~ITmo~gv}QHK>$A5cR;(L6YG_9cYZJc-ip5oUebqV!rWI-)os_^0ge zcY&VYtrJX@jc*Oy3_jNqKgwF^Sb5+uvx;Dn+n6}z8{dQ|!bFZcL$8Tz>E(Wg3893w z3%b=@`+wke)&slE-J4A>xgPzU7HmCJM?EU2zz#?<%OdueT++ts?1>{|Key((BiTLA zEE2dlO?NUPPYP_F?OlR^4ed5K<2@QJIhnS*Wjm#a+D+c?T(w^FP2Ojt>*ZjPtsb+i zrz3x8WhF_q^qWENnS;1@Y;=x!pU6LGS@wG0{=N9~i#8R-dYq|mWPotFg2(1;X=kGC z6Mp$oQj^wrr^jm+KlmpJsaxLj}BM|B3fWvs8S2o)X~70U@L z^VZJy*?o=K*9rC3jqJYPK2T|{mjQqZ#t})s5aPMM{F0il*=Il9^M=L4wMs39p40!{&2wr=71b% zn~G*!g-DEB9qjpySM9WDI;g8%`2wYvst-2r%vJJsv^pXT98enxS?9y==g}=nS00+U zu{#{fUdxe_(ipt-z@=iL{%P3+pDRG{muY^3H@*nfDU*9y9QkS&q;1pYtL8hAbqH!WFTV+IY|N0r!6Ene_QB=S)&@H_r zsf{lPQJGX>VEd7~{rt_j%SonxngdBtx?~vQ-!YODSR^s)Er-1b>M1AVnh= zE!@B3ArvK+82G0tvvjW@nnCaYq%6-h2D~EX@W$<_i`Jd(42SBC$;{Y@eTK3(r&R{Z zZ-v@|S^2L@bXM>|1)mekfZ1(Q{L?OJhOo5mlnnd!kwP4}NAqG>{_xB7<47(Bn+}V? zH!HNKP?LFNDZmul&#C_d$qec0>Z&?|0@mqoN#EPv_nEHkAEk>rJRe@&E!&l^<*8*l zNTn8_pa6Ti52d_t7U5S9N`BBll$?Zg0C~BYV^qDc8j(<-yz5iqKhOXbUW}BXAiZS= zps)+9WD@S2><}E_L|?Tk8(Yv;hWD}2y{y4qgflmH-C~kQL%PTL>G7V|B2w@Gg};rO zWBI1RH~%A{0({ZzPzEyXT3;^K4av+ad_YPbPfGb7Vkf(yqfmP8zJoC^@cs%|qy%3XU{=L$IfEz+NC21V^w&;Y&u{I35&c%kGU`@f|p|83g7k%C#gdBkKm`eeDF{is!h^mR|2IcsyO2zo+zE*t z+~MiT(|_uGA54XkFNi?T?f++D8D!1Tb~z{z6<`#rXpYl?wLmLEjuM&Er;K+ymlX$Z z#@I2-RLlvA8Iisf0mA^ff?6Zhz=X7)dD4IT4YlrGKWzp`sD)VU)e3AJ>)!srRKnkz zAy4*h8-2S?J~Ilf@D{Xi)jMcYVm~51EJnqpOi3&l$^3AIjEoy4A@P`xNI=lKUJb3C~!n2dyGQ>VN-0f$@RtJ`Tq z=I-uu+v9_G##<5-PoJJUqxS?qbW6{t_5E5)h5Ps|yO*K?m-nfA+c(58Ur*uX6 zRDDmpgcDU7Gh?=k5IycskW^Fs7)RDog*o!w{GKuitj(X$+IFS=BKlgCLhpodzC{7& z;%SMe_9w}#xcv#S)F)N5)kxygm^XeIp0!K;6?2KfEQZiJl4G6OY;S?K4W!8nA|W&7 z@F%zgGkal4NNG{_Y1P<89kmy}%zZ;tZh1LT-P$*lYYwBr@RIcbhTnMn38i0(Fj*Xn zl%h>79yIZDP3Ok)IpARvNBG$8l8`l$IYu(KDM2!7{@^p8ox6|_XLRzzVHY!_$=@&O zz+&bWgs#tFh^lNv^tRfVy1#mN8ySZ9G(P@AoI)?-$B<_3qh#1PMbukWodeWu*U$>s z;z6sdlujkFXKl6tJQrq$*WxF%L!tM zfkvNq#*nJWFTq4XbC@Xj=mrM~{OAr#1C5^$4%^a#?}!por0dzrHV0zIpFpJ?S!}{_ zWyZaCbuF}&Dt_+AS*0;qDL!du8ctk8VDgQgcNkqSlAL2GX*iA6g&!T_(46YO#Hb?A ziTf$Z@zpkjgcEmKSylN0)}Nq9>TPPkx!B2R(d11{tYcl{_HGV#rFrmTAF2*cM|k{Q zrvsW>@$bjOZ!zB-3xJPPWoodGz`>TPbgwiA7AJ?{wF7lT)nJd*9&2==NKXct`KvLY z6>7prIET=*;aHLY2DB^ewE9@-d_9LY$3g5OrSvb4-Z=O@=3>#cuq~UQLgI!^vNLDv znN7R|OWKWGY9c?CLQL+2l2k*Wb`Li06sd}D<35EI3_+B%#R5YN+hVQ$FqLEg=bkIY zFK7$j{^$T*yvxC7%5|*b^CCyZ(yMziD23lEon*TCUOCUbnm-J`*1(r5G^Qk#%cWk< z@k1U?X!EKHB}W`or=?ZD^Q|n~2r;{(EbCrR#~b=>bxqlvvtIMI7zGMhu`-Iw>nXZ+ zWn2GUvoi>Nhl!3IThZFv{EulOHXc{3f~t-x>jV=dZB-jx_cWl#^gL*Q3Fj5Fu4^ym zilN3VEa6`r7)|wia3nyGT4BuAzSz#816h7pxvy0a!9~7JVE!h3)y~l5xx@nU6U!{8 zRmUXL+@IM+Bhr^wl4K5<7X~zTu}DO#m>Tt+J8qR2In$FHw&mF3V0t(}3Vt=3u9av{ zJ1Oq^tS9JAW{BE#ivLj79(KD60TyPc+$Cz_BYAngRs31jf!5cu?IF=H`$ z)KM7d`}e_7I(A8v0Zgz9SA(?MU%;xfL*&cpX-%`YzZukjaJhMndgH^Gas1G96sN^$ z6eydd1A76y{dZ8u*5BXSZ=m179AFSb-{PZIo0}Z@^bgy;HJ#D#6iMRe>ZRH!%3%XM zy%;jYRCaz@N|*%iHWjtr8FrVL>wi%(<&+tIx2@oLAVIjcK}#U@?52{`L){DfpoD1B zzKrAXY8Su@#z9X2Vj41aXu&XqZP|?~{>IZPj7{9ZNA}99`0A_6D^*hyN9w92qXR8i z_6=QIscPJM(fNe7^5D7Ueeo8{M==(=omH5a0^0|NNFnQ8^EOAb9M?rfihif;zm!ma zRS^{29c~}`e^YQ(Mj~x}lyg~pUNuE^e3&HthU(BE#(4G~*~A;~F*ZjONKkIDlYjLd zk?DtEnwZS)hTRe%GY9p&Wl3ij=!AMJpY7!5x4x}1)_2T}@+ZB)SaR4c+5ih_vYnT{ zmxhNX`EI;pQ>hA;6jCLl`JwbUoRk#cDM>s#qe){h37M3i;uzN=k=5V-D5(X^DeN_X zOp<8P*=KhZ6ydBXPqph=r?Zb$0!IzAxytJZG0Eco*rHUtx zI#QH++Vaz6ko`T)ZB^=xuq~0(p~aSHR}R(?273;Y01=QIOS^am6!3|E?NpO&NUQZqb?TvMpB6|mZm}GC{?mqsjT3i*>tUtmb03ZrIjdqOWG}%YJnq&;HglJ( zL*CDA+nYWxYaN}& ztN1!B1)Dd62jl3k2!7^ILRP2+uIp=j<^aYu?O!u9koKts<5f-azQ^6>@I#}Z z46z6=8RFRw4*hD%PhHA?)76_17Sm=-O}kj!3fPR3aZ$f&=a3qdK7Y3>jYJ;s>f2QU3&7F7*1#% zdu^T3j$j8AO*DcX5c^x)g+8T7f_jgbN=i;#Z*k%FHlPoQV`D9n;8&^|N^>fe#~5#p z0qyRH6N^FxChQfo)lzG@ZJ zeNZ;@WoI9aO1r6|Gx{5N>e5f~=leOqQ_JMDd|>N^KaQO4+mQn{7NY_uv^j@VTy0H$ z7{$CZ?94AqG7~v!twgy&Reb3*C`l>c&K{wc+ z5_aok6w2wfPEGej@$4K`by^s{kIVUKg__zjd!QjdV(Z{lHOa##?k9-ISUyjF(RNGR7ZkF|?!Lq!fDoVBIEBct7zC~y66yfB z21>sNAwsD8!AmKVyvJ{^jQMEtwkN+iI*faQbV z7{sU6!Wh6y6j|l2N%#yB<);)gx)zSVSC^G)4#qvGy znkQxaHmCy5AP(2dV~T~WgXdrL;4#5lqFloRo*_Xk@a;DQIjR;a{Nz4r+8`FCYkE&w z?~^m<@`^qAZg}XkjTnMngvY|P=BCoS+qF}oWH2Nm-Xi7A^K6Vp(qGHK<@|qw5XIao zRWE9IqhhxCZ8?|kSGe6Jl;Y|i7{jcDV3AQ0QuJ7Yzmxubi}TP_i9u`sfhFIlb9G%d zH%a5!oz4)TW-@FGAM2ujCzK#OO;De_)ej2G%{9+;C|%KzZC_<##x66PCfKp65B~Ab zco4u-+GU5Bm_#fB_cA)gXi!KU@q}=+C@mD^ixu;PWt80Q$GnEOaS7$hdZ!AS>tQZ= zSGKsMq~yEG_y%Knb5*^8VLxYe;=9?w@&d-eU@l+OaY=)YCsYd;(nBi1w@VdpX;&jH z9V)&XR~0C+aYhh$U>8q-u!z1T)4x3Aw|v43RO36du&IOEKek~d3}57SR?Hx2L?WF2 zNBGAk1#1MDygP+!CdQHC#o8^wE6bjd5<84K3gX?mPSSx#OZ|-+hK42iblf9AHC_y- zi^hN_k(I!@Ni^(ti)@Q^57M?yepTP&ak43N-Ts{Nv4gH0DGmBrdjDmwF$Au^fZ`ys-P3i(AS%d~0 zf31FYE6k$&qq4rI=ESdmM)qK}A?_IBbX>xPI4z!;L~WUN5%9A2g>>GKyPf0vMXu)9C=B;z*DZnW>&M4;E4 z#=(GkM0;)UfSa~xUJG4c)Q)%pvWB>21g8ja;(kSO%7J5ow;6hqW!nxuGV}DZmg{yc zpHBQ7m&7Hx-;{RR%J*}v&VHKg8l+Pko4C$QS9KcXmeH4lgd~6!*`M34Q_N)Np%VEo z>VLq?_f@%u1N1iZK;Uy@u08PZ3IPuSwEu#K_h4kvK86!UdS@Z1cu!GXNTyPiB`H%U zrHGxSwB*IMp}{LKz-}48KF>#n#d7`$wIT=;$VDORAP-H!XJGp$+%8`IeWBy&#jQ3O z#et5mL~jhPnwXv}|M^E~`#}Nf_@R{3{DsQ!(BWTk06+W{jNzfLYc&9$KL+Q#wI4w1 z`43YFP%FteWhxBg;U&TG3^0+KS|)(}o@`ZmFn*7)7LcrQUB|4Je&c!W{7rV0pK_l! z?a_FPu+rO>GKs6fu9ga&`e?d1un`v&f;^6*Fgft0d!fq<`~T5GltyymqS}lS3qteH zv@Tf+%zx_dM@(ToU4aX-%dt{&AqsA2FzR(2>Uv<{Z2*|tpABo1X|_2x+T(OE!!8di zN%jlWqHkD(-@JAy4{Z5^8QGwgTpM?af6U$2iOMyXmX7M?Uw<(L|QNI ze@FyoAQ4`Dxl1r|WOi0J%9;Tz@|b?=$Psme`)8F7m2l2)Yhj4_tt7pSAxJpz7i$C3 z`v-vk2{1lYT-8XnMX^_yPN(kd4!7bqw^uB3fB7}6XjSLUFTq@ko#x#;PfXe+(Oq!b zjCQ)$RL3@ztvE}?ogM}IvRZoFeJ;jXt>ChZ@_0x&j5>7cQjmfcNC$sFwkewKZ=k=H{F3j^kSFm0IcWmCxlnY-OftE>WYKX%Fdq^xWXtt< zbQ)=YVtfDi8CliPIThbAj!cqJ*sfn~SK8>%V}K!Ww)?bhVSix$m@0heV4N6_AxdCw zlx{7WxgdA>=1=+axNeT;^K`I#LLbz}A}iKl(zlp6-PyH4A0g_K!Tmru_^OyIJME z(;e2>7R$L{+Yj&k2+g%P%1D&Cc$~((^F80PPOr1skIhb&c$cYYT~S@k52bJ6mg&?O z0uNZilc5iF6>Ih);D2b0Q89$ZsLy>%{kEEYgho{NW2XN5<5w;W8r4_y7_9hi;aMaP zh;1FoU3QnFr|f+Ht_nv{`aN%kS4}3fh}o2Pa=?zW?h^HeCTQPCFhRJ<)|*2n3G{;l z+o_4Bdw}T2xhM}7@S$-1#2=G^AC$ll7y=B*s)VPvAFuX~zGmq*bbgRa+{Va1U&d@a zf2J`Z01-}Byc?J%7tSGe3EHP=-P8CB0WPv+)BwMdldMtzIRw8hx&r+aSWF_E%_$`c zh;OFa^!NCc-5v5+kyjdeaB|9#8X-T7y1wZv zbJ2$rVuM^fZF=;g76ledECiY)=lVatSSKErWE!E!3?!5;KYz|-iv&5p1eu`i8ZN{F z7!(x;v@PtdwmV7u5RJqsMXWvwOoqX?&D`Ik_tv6i@+FziX2~nz+W9X|He!gu$9B49 z(z3yNk)0iTKOX5GTs3&HO++F(hI@b2&=IAXVz>Z2AsLR=IfgRtuEH@8)+LdMWm1$g zV!rBDf^C7roDj;p>rW#>zb^6Yw)G{6#?xNjHEMEAbZ9YvW-e-BJ$=-Ka>AOdBiu3g zd{b$l{-WsNOxg*ZAhm5U9Zc4ZuE7Y5%y&&^1B?nt5x;qspBe>u(LEE%?sU9&$2aVR zm{RfOdn~BggE_`&x2>+8+M(FW$(;*)Rxb28rp?wf8{t7$(brz@WI)KRgnMZ$NxyFY z>SI9){Cud&(*DLJ1oWI112gQ4Kvg1-YAd*>*Lzkiik@g`d-0~X*@k=7-#OZ8wIVFQRdK-TJ7#a2lcrUof3SkwH7@>gsidpS98Wp!@ zzsBZcq?dv%TtQu5d6rc&u#zAwi?2)@%TdvG|w3SNit&eoJ1)Ykt2E9?`pQH4$zI|eEXqZjHxUwv<}d3xvW z#3Q%3}zPk?=_?8~cOouifJvj1bE>5}>Bk=gG(Bq;!I2$fe9FvEZi!1<$q30|)M7 zQ2HRWnQgg*NCKnRTwcOUyO-a(=TGGyJAP{D+3ZP5eD!u1{(d~Sjv?ZW9>!;+VhG0& zq*forpbT?g{`iWbMQ5SQvdNnGzJ-w)O?;*0IpLFjvpKaKODqHC3ge7(KEu~zftyr2 z5T7O&KS$+5_jJyRDK(uRZn62F-{C*Pu}Zfj>8la6qXvEGy?Bg?cetHz;^2Cko_*sD zzpvH#Q3Yo%rt7h>3$Di#Tl9pOnf3*M{ga_{Dl!8r;qe<|n!O;)7uD7pQL}a@C4}I& zJDYHIogm;D5AL|`z`Xk$ggiDF5V`*oAp3>MVLX3aQ}efrAj|SK|7x1SEYDsJJ${T` zG=#0<&a*e(BaE*k`=pu@juJeecLe<4mvDh|Q9JWK7{M>@P*p*KYDYGGflHDMV$^>F zHm@}WtQShNalw1|4nDk~(uI3*WyO0on(LQN<~;7L@?jp_V%OsXdnuc*F>K;u=U2kE zG}diwJ-2Jo@$Am&fwi}~4Tp_Zr4Gkil-nx3qsHFkA+0^Xf=7ss?+1}Mi6pI*$Y$n! z07<3(12t!lYHh1>ozuJ6@P=l{*38T{t5%YlsCWwZd39qutf(cU`4i^~W4y()_P1R| zN;8iG51BrUB}h(W^HURtZ;NY18!L_VCF?vOBSp`9ePIR5-T_>v%UQPgwE9=iS~6%f zlt+3Rw@kxb1Qt(N`_d@Meagi)2sSg4HyxI$y9|MUy!>vv7BhPA3j(Om<}YOf@UbTpVvJ?j7eoat&@` zU$OwBvU}CBGBgbD{tW&ahHXv0N_vPqS~8id;s_~_IyDn{kkA3pTFeU!#4Vq*#tn_ z*lr?zg7giL{u1i9p{wMzvVW_YEGz$h6yU(n)P4CDbA3C$uZ67OOJ0wvZ8%cr@Ggvg z6MRd5Dn9~0t1Xu}M^SEg`#!J9KP)jFhWNRKJhKMUky4*79%dGyEJ+g~HgWA*`$~4{0Cgf%u_c zY=jw;xVHRAe5$JA!s4Z}qaV+<;z;|3*yZ1R%p=T+c&7BMy}c}#nkpWKUwW!ImRzI+ zNBs2_SuG7`^>^0co50*0A(eNTb$vz$MpzDvFvN1Lyvj*r<`&Tfj)mC8gKzGS3qE&7 z@_=Gg7$WCf<;r>bX4@w|m&?|EJA}Iy)`2oD<)>1$YYRFb4C7Jpb+g6Eg+dp{dWFs- z$r8nM4McjtqQ?&|IIoD?iC0DD5+E+Uc`eZJC#_XOo^;woH-a-y!dJW43)G!&3KGq< zF4B>FAs{=&D`quitVp3M2nonjU#E_fo#(BYaGF+D*oTdSx`{}9Pk~W*d|KZNy#`in zT=3WR2>uhCX$Hh2XQxq;r0~3XB)8;zT*%o3ez;-6cOc${)G9(1`v{=0F79Or2^pXg z*aj4s)vIA)c*^@xoLCGD)yiEc;$AGtd(}8G`-lNN4$op3-f+w;N$U+=An;HQR>7Q$ z)WmQd34yzi<>@jz{L_lDEcJLsthqaoOfW$QWZj4+OuLqDjZLj}h8k@O@?4l)QCP@X zJ*Y#zU7qVWz`9^n(%Aic%+1H|_4mBMrFeP}1Ena?mzDE0TsRr!YBD&Hp+UzCZuD57 z!Xxe~J=Vmu*!Swf*fs!u$YBjlmxto>Xb2tGx4duk|6Iz(R-G&@{pzJ6FAMwbDaG)T zPNjR!m*fHblnhze8@3oUWP0}1sh4jo@nvxsFno><}68kEG&6xDo!jQeO~xv z0aI&71l~{3A?@~+&c0{1UY^s+W45-hQtbIb;rRYT;ox(B6i$^R&N@7{Nw`rkD-ATR z^b~nm{1AosBDnW}SDNF35nJiWJg}juM^#ATTPx6jidPFU zhvOU>Dw=y|T&|y6U$PZ_`VB!r;N*#dX~iVxo%!M?1fn-6cq>NBxIpfg~15f1JS(WCPS_hOGIYeD$30 zk#EPLpF#3$=&=m&*{}Z6ODCxbrpAy9(k=>pTdN4zN{ka1)9zM$7Iw4-IN1MfM;Fgx zXHK1&nQdL_&v3zL03u-jH(b1j*E?raK~~6M$eYV)(Wi4e_4dT6EF;?2+uOqlgHQAF z@|ur3_RO{Q{cbo^E#w)FzLka411iPp@cxNU{APMr!6&{dMp&7mw zsW_%SaY>dvBf+?T??gvhe7!GUM0q_N^qMu&pWxpPfwF5PM+NLOLzxJYvKPlI=q^dJ@m*7$|S2BF_+q}fIBi2t2L1gax;B`yI9$N9+e0G8fhe*+6v>Ik(<-V2E-h7w(CPv-DnFjqZ z=TId;FvJyHYGyy~a&f~xa*NNWb!7abenaHe6eetDGt*Uc5wRRo4~ySftNO~gOsAVt z6Msjko)CKDGu)=dV%~@#3T;6iZz!rQ-W8;CQjF)MdpN2lHrC zpIV?etCOrD^jKAUbPs@$7E1MgpX!Wo5gSbY{3k%%%BWVJtQJD$)i)II7T!NZegEwt zDpP}kQ7g`+PUrGGqO$bDpU7<;iQEjJI^%ETh9M3gV2)>xVdTWg6sYlF!IUkuh-if> zY>-6=ltlK@v-axT|1(cVGLJF8>Dg9)weK9wCK zOl@K*2huZ=1w+DbPPJ?KxVeUv_B;R=8U*IpWP6dE;ei&u^6W_A_T?{QkpsE;$cp6|3qi$Ov{9Z6C@*0}2*em0+Xp~T0# zgkgO*Vcotz1Wr0Pk zzyEP1_|Dtb2B(4?Fr~L=Y|<1?#}8?Y*jBH7UQJ&;)4FUQcFj!F$&2gC=H{n~PZ4-> zTdn?)x9!s|?4gZ#IdhArX$J8HD2u-QT}hdH?_PYgDP5H(bF`59=3pYj|D8J2{%A-$(g1Oi?#U$Ea^gjvk)AeB zukdl___@+=7bnXFmw*S;*}rqTReo+jrG0l)9z$FOW+~U?28W}Ivpx;kJ&2Y^LQV7; zLboL7iH%H&X=7(IPom#x?g6)y(?Ip|4mdu%bYfBGn)_StNka#6y(a@t(%m~7dj_sc z=Y9S|=qQgF1uh!}m%lz$@sOkC9zpWG+r9rq*qaAJ{e6GHB^603NwV*uh(yRzvXm`* z_6i|;wrnE_QMQC6OZKc~-)2UUHQ9G&6k{L5SjPQMWzY?N1x?f4lx{QAaf!Q$FKa0InPM?Y92}PN3EErnam%V9O@0 zH^l6}^IV5N^Deak4r9?5trr)7p?+!q?lfe2C6mrkQ?$~n>ii@!m-RP&)4DZfFMEx- zoO3lc)vJ$c{~)*;8E=L(_mEXaUQsugg7%>f)ZkZ0&VjGxEbx= zETE;`VM8MTuB_WXdQ#ptD;8~OF>ts)F|%dU5EELxY%lS!LP{b(Y7pqZhA{8~G@28+gw7Bw5;f#v*eZU6918hvecP9OQWkK>d~y z4BK|ionHD=5bHjtTw(XDo7#t&6H;G1rvm%X*;xX5=iGNqeZ$UZzCCv0`J zG9*IbsudlVsuLA70CEJ32R9&=0EO|m@>;##l#sxn6{59TUx%B;;HM$%JJGRVJeA`^ zg>F<5r9-g7iv?m31DFnG#v6$HqA`TG!iCWn*GFcJeIMq$5u!jlGXk%0&y4==0q0#^ zX-Pq$Sqgy60_hV0MzmAS$AQ(|+(640!ER2{74FTK1ck8JFiPE8M zTG_h4_R6h!u8Zoj>jrgmw$EsZma)#H(!jI8qXy(JFUrc``t4Xl;_dJTS*q>m@cFN^!WtCjHA z8%_pOlD~cfYr$KrEEcdlwbk_Y6`)3zDSM6;(j&gMPAh;yMUHC6mFy2zn{nRu)ja*6 zw|`{ylx~b;2Cgv0WH{HP{dv!3+N#X=uMQFFa&4d1r6O87oBb}%E1kZ9K%W3Y9Gy|d zQJ@&+xur9e6w)0=oK~W`s(kYV2#;T$r~KivvlZ@+9abSfWd`o9^l5p=CjOD2eHKgV#Ejxn5W1qEDZvKEok$c!h z;1*S%dHpl^zC8Yw^`E-!J!Fl@Oks+QfeZq06wJy7*b2>E4C5QVX0$qR(t;ff9huDn z_d&c5Pbj^u+a;wx^p(K}cHd{o`o+yYH=!gfRj=32$x$vXDL&8%zSl>4+`$o{)<2M+ zb8X)Jm6bNw({b}YJWTTPPBG5gjh_MSxS1l|@-q-v&4lp$zDA3{d%P`WwqJ+V0GcR7l@COhzNtRNe*{=h)Ym@RX^YoMZIPf4^7eD6r z?4&>sElo+IslT`b1}s@Dz(i32@GxkNo8b7`?36iXS$MyBE0qH6%=mP*zNzC;LCM*x z@%-GeEP?m?gMs&r0**KbZMf)(ZNb&`E(UBNO9ixRD_!Z+<93^34#zl03I5~ZcXh$_ zh(qf0TwR{B+CPW6@RLb{KoMv{*>joz1k5M7(F5ukEL5+lhNy~T#nnc^c+2J6roY@Q zkMY4n{J!1!y%_$%f)0C4~?lSyW;j|MJ+U=HfQZ~(ha;bEiLZ$_sG&-zdz2I)_@ArzADi{h>JbYLY5173hWGjx#G`(nv5OH%VN3}mDO)6-MLG= zVlPW|ax!W2_*_pzM~aok6um)nhxgROd_Y!4zHGn>K5f}tNjkFQv$ERoTWW-how+D| zt(Psv8P@<|2fuuS|F>R$I$S|m9j%dI(0Jpb;paPVD$pB|wp#nHc$K79K z43;a9L#hbt?y3(1VM=tPVRk{2*9z-|W)d*z+`j+_9X*JqAm*)`7h5%TTl>XQ2ksnbK6#_5**8rh~{aeY}61;iD@uL>NroffJcr%o5{qD>3 zMsez)-Q8v4mvEA}O1b7Z(8-1?9VAUB%e1EL-$@GJdQc*l`y@T2oBBSmM4NlD!5@h97R(vU0DX{PCkb}goqzemhhpTDKG;>U_G&9k zRPqCrcCu_oFDGcA!-iU5Pf!DBJpgGx9^c8BF&Zj1@e@p4{ z;p$!$z+Zj>Pz6Pzi>SmiSl5GUYOjXYd9W8k4*vhHD)`|dHQPZYIRMt}9&1q{0+yrc z1W>J8-TDehE~8-dKMst~jXmRY5-=Ed^S=!?@W6HwtL!}$NUJ+e00KpI@{`_bRY zx>TfmrrKEIB%1GDn;3}2BzgOJSb=3yJsfUVCXMvPA*lQsKz0c8Q!&+$mg11t0D$-$ z9YaYG%o7b{30m=zH7*XkT0-=|+Ciurhs@t{*yL(;wNi~VR2!aW5@XN&)amTA6NIzV z*=kW%P3fqPsL!#nA5x9+*YiE=IjCn6Bz?l+jK zy?h@q9xnL_WlbIw>(`qaIh!?7C~W!gu`h8JT0i-jp0=zL6p3GeoerH;dU$=|;^C8k z>8?BsoYp8_UcfZ1oM-{tsC0CzDHV8PfC%TT4=0^lyYYwQpym-+O=?}a=zE$_Fj+O% zRgi4NVl(ni?%z2sy4{E&$CB0d`${ktJ%Lg{03zVkU@tenf`FkdDywT#ql^Bf`j+<= z!nw;dha{qb#2l)n9qtKt-lJ~qBIMVzRnkzmydAZBUYRcRuD)+mY&fmSDsr;y40r2> zT~g1HhrPN4#8<1U4-29!50=ak*7h|Y^77qvsQoE!Dw65g= z5wjS;j@ccTe~-$5x{7NxXv^+gQYH@!oL$^hO=V{oJp zI^3Nff?f0}lLx4pz`;$jW%MopFTqI%a;YIvS{YdIDw8Tpug({n(c;{~xP|@T%a{2q z@A>i~HsGkd03Jl^^Ju=C;2c&fGecihtqlV%%FroG05Lm1Ydr_pptt-V#qIDV-@$p=LKR^!{Jo(|-Y-4yoZnra!~rBS}R|7dUA=YYR*N9QCE zWw7s^Fo;$l#Mibj%F`ltq((#9q?!N@CT*O5tUSK5dah(8J93amJm|~28>N;rq0L5P0i3kXg zyY#u}kr^HHb)>dg1rO{}V6p!v{RH2Pn=kO!A)ku}n7w}{qVsLu6jsHE2ql{bQiXKtB!5Bv>J!!9`u35JF}i=-@A{!3ntjc6&|+*FKG2M zgmfaZ0<+Ipg88)6)1c?VCvkD@2QM4ahLq9NkEjeaTpeI_{~`0ZaU#* z@d{fH7uiId4N57n%uNIp38Ta>+9uE?3wL*P1g+33!)x%&&h6Z5*6v9 z)lKF&!08KqrkGZlVsz=!T@>R&vjIaS8xPT~kS`Ji)~csASgXhPK6$N{a02Ar=opt! zst3ce`V8%g$Um>>4J{z)0(Q}v$Cx>N)#pLD;RgmkeccwU_pX+f<4_V9Mcvy1u)xj> zPy@614;M{=14l_!NbmUU7nSJMP4(==wj6Unkg3IdXdE#vf6=2K&emaoGK{3jUw$E> zHa=He*g03_MCrBXa)#yGf&{r?0$>!NB&Kz+KCm6M|8oe@UKC2TsLDNdw662gHX~i2 z!86!xHNOwYFFslQ>$@kE`vw;{DdbZ=<>0kcG7{NvpB!q-7`5AApQ$j?>N3|+G`iJPH^CpB2GiFVi9mzRhT)U zOB1Fd6P~2x%>HODt28pnsv3M0vnesB6aNB=DwKhOlA7l$m=7$N^~6)4_kh(7_j7bR z!!)is9ZG%4Qt@Nba-?xo2>Ao!YX2cggQ=vKTy_9GF$7=8h@j*GHPIjOt0{B_2zCaN z9&cTnQ7XT0J~>laqwQ1z&y=8Qge*yz5ac630|D?gGy$=cPjA5PBo@ytP&?@+vg?0L z`Vyt1)hD;@=-|G30LVIDWd;FNBT%-5w}>=d%}fAULtq615rzC&H)1$se561LB2ed|j%7p+@&ms?$khXP$EnHMrNr`8ddWq+!ciWz>;3L7I-2x3`}bbSD7ZriXY8r5UxV15}@ghHwf18L@pl&a1B z%f#aw**As!`RTx?Wq;YLQpp@!(LI{>4gE(33R*xI*4?}H&u((yb)RU)feCJ>?1?Ab zJLsFwN~^1tFUk9KODjw>8bd-1>q^c8V|pc{JnmyoF%Se_>sz)ewoC#sU6%kjb`&I`G|z zj{?aJEiSsB*%&Hs%0`T^N>D~>q-Ya0VSly4#Dy+gNxKZq{!idHL?vCsfYo)}JrkgP8hqLjm>h>F_QFtwZt9_Uf^PF+8hqqJST2V%-;iU3N`}w;O+UvB zr@nl05}O1eao{G%s@eyx0zEgfj@V0=;gwwicWr{9p8Mk{5V-L##OUYv!3vTAZ+G$e z2PpX~@rfhTxNUiD_@lU;IF%uWWxgvH4v~G&GSJ!Q2??k`;rAYZy%=sm4&K6wa&|* zP$TiZ*<$hZWS@!y50nD7B}(EsXpPje*F_<)MBus`r^m6_>^g?m)siB1$wxtsNOBv#3-_?caIQJF+h5Qk`){q1SqJI6<5sos@R&i(*l8z*sG|Vjy z=cm?fG>x)_(gwhbOkJ98_P7QQ3(c?NYVMN@Xo{jmC!IxBeYU=TD#3>fy$(>B;+K!x z-Hi%p1EmkGx|L3E?7B{YgAb^()af`UC<4>;2>|U*Z(B^?7!4+9GIQJpPxGr(z6u;8 zr}b9@&_a9iL<>;6rnZUomRjm@iig;67+hUz$fL=)nf7;X-;FBkv<*=ljApRH&22ef z(lzDCD@E2ZeksaT z&i~dAB0DTPEB?;d6|Gm;OHQwWPzhU!AGS$tzyCt`ejW0&B-(Gm)k&ODaJ1`4@kM_Q zEF{f*Z~$x?%0T6OywF0FeK4#$)3bX!sgWfc_mfg;bj9y!^#24`S1lyrk|UYuodLyk1X+q+-5C%YPh{6I&eGPfN@e+b*$pdKDJC z6i?pW48R~9@JZ{|L!t+)`r}4%G+su2=E=27WyxzYE@)539ejR(TIy~P z1{BeKof0r+=HoGHR))kO$nO_RCUKcF>|Xh8ZfM1*cJS;w)7c{Pv8PqmWa^n2EvSfz za->WQ9iF)Tsn3@@t+yn2<0cI5TNRp{1klzkCO#id*M2DbqC0f@a?DBl*g6$$5rP$u;p) zxMQPE0tv|hZ?*LYBj8G!@;PO8*!6@|Av)QO%$Lbms?E&D{q!a8tt%n;Zc8ny;oFXG zZ{D;lE_j6z%)RW14BtvqY}jY!`kASu@nQ&cLR0UgK6yQHrKHGByD@~s1v$DH{}(b9I2)Dz;5GCWf?uTa@;$W#S5QkzEe5w z9_;WDCG8Re}5&m4Fo#@^~G(RMqM$U|TxMpCiYAn8owuW=&D9{QPnd z#?Zc)6IVw>ut<`=;g9Utuq7^zQxeunJFQo-8*4oa32Oq1QLn(gn7VSHc)azut()nR z$Jef;llMQmK|TOaZNTTzq%d9w?qsO4@}a$VXIASO_oE^7#jf*0Oa9__d!$2z3n{>Z1JeV0j@NYceQ42Nx;T@Y6ly5Q?l)0e!%D^nGTylr^)H$|x~2 z)!Uhnb?$2-3Wek?s3~3ngL3 zhXEM#0ty?U6ia-q)Q^o?_?ZQtF&7L0Kl+`S`NY;T4&47Lv$@C7k2 zg*uBke=!ll%WrR`mh?wvCGFpS7A$9{?Q1)fEP~i>i{098{Bjm4Q24fw`Mgg?*2d$h zm7F>e7umJB!~RFO&WmJ(DRJ$2moDK?TIm&BX-Ky?ykpSbbD_GiaZO;gR)a+2D2aEF zM}mJ>E4KIv`LS3#AT>q8Y=bOywjtOiWf9w9=skO1)!#T^Wc5EnYw7)}db>-Q!MoJ%Z{Jnlq@bgt#_lvN7y7^JoWVwjHX;?8wm& zC0~-~*mifmwAZ@5Lz02^aA9Z&vyQxHLr0~4u!(`ndh@u~s{=k*ZZ+XgZxS}Lsbj53 zj$YpK79K0AMox)Yqns=r7+QQiw{D$MbS3I>;x}+*g?Ea<+65)xL8vX4a^Zy(KRz>x zv8c`?7U)KaI6oUvpE3;JzSXzQ>D7%H^btb%#~?d|W#KLoXXmXGSSx8+65ERff)lzg z%ANI5p|hA;m@XKR=*@T)Jl)+tXW}ueCxLe79-gmEwhqR`e-IRWW^{P@j~1Y4W8Aef zNbK>@oVl4-Br==yb!O9kw6L~CpE2TmWtPE|VPr?Hn`TUMg)_^@M68y4tnerf8<&%G ztQhENuCVVA4K4h!g+qgrPhc(N(Q8xp(>q=TS5rNX@VmEd4#eqr%^HHBQNVb4W{*r? z_NpZ&bUdibORUDO$f;$4J&xwYy0f!JKp*|Q&ur`gX2uD9QI$(R@N&WH{ZfFmlwxqFCiD(bO_6iG|)7X`;F1%^QF@^s(axqA3@--lXF| zY|Aj1S~!e0W#GokPg+)_jzOcCk#YbM>Sg3hl0Ve>}Ec{-M%tW-VK^rIvJqF9BszoNyUj z{c&$|UCk8vO@q$g`2DDP?c-Jr@5FeGy=eHjOQ-_8f6I=VbW6-A?uU_MrA+Coc(6k% zenml*mwR3x2z*E}f3{C*v1)waQEPS9?WRH&Q1P_Tp<+D6+-SRTm#HDNMNp`agS<79 zgYWB`X+x+QwneeXHI7=|R@#xJyE=X0XW!)KR?DlO5jxEnlaZk1m#e~Y_RZ>RZF#TP zxjT{S%IGWa$1c#K3*=Oy22qbqJaIthsl*xGqq~pqg^~mP$?$4rul0Sm z`PFsah|yb%`s(ITve@QWDSLY!1Ho&2^Eu1qvbEr=DFad#=Iz3zud}>PLxDbUIZpzDZL*eQS%`>I4R=Oum2px(3-nNDWjFPx z?7bl!uW5M&fHzb;*Z0CM7+3F;TSt^9Rz(o6H7bY47uMe&UVF_MbnBiqX%gHOvV6Tg zH;P(1-ohynPfw0xyS90z4}M4}3UMH$?Ypnj@}a82TATe%ej@lpvu-B zwGNcc?ePc^a?o`(Mu(B^@izbvxv(Fk8s(NG)x0l&+0NfP$&C$8FpqQcKepMkFkR(i z*dy-{=2yI!68hLnZT-MT7}1&9Z)yRX7(l;MqODyw%SGecVXHK?z}V01+_8o)E_u|P zcV>6{vwy3;WQ+b_)T;Sl^2lYB$vbTROGU5F3xlm)Cv3cv_On-6NHTe~!e^nEobYXV_Uf0PM5FNuEX}>Al z#Vi*XTLor8WEl1|4TPht~G>??bAL(VeqM$5_OpEY1&<;eY-EIE9;$=oew^HsJ#X1(&N zR_R<5vmW8B$GHIM?Hk^}C58jXXLu(grN!Ags?ph|k*6MvVO0>rzbo&CSQw`QOa#BlPo? zbMPxUYTu=lJV{cg{e-xXcp3$EV&2#}C82(^_QCP8wW+7%U`89FpghSVj+DG9yV!5W zbO{{_b|x7_+;wl9eQduG7mCk0MlZ0RJ*I->S+CmYakI)tI|-VQcB4>l=2>SMQ>t>t z4}FHhC-)#z*){5;2>e;R#{{r~DcfT-DOKRg6IgmNdDWsj__<((Jcug2$wA2W zeCIlB)?kC)RAtTK_W=hK8tClL+#mPbj1Fw}T|dU=@|?we>yx>R_}X`Hg6M5XBWOM> z76_m8C$-v4#SNnHUoIfYn}Ee`FHVTAxC312R$tkR2OF1~6} z8_2g>G2&RC!6dl z6!{gjbk5TJ7J{7s}tlb10+Iu*}IkU38hz^eznN<&V`;NuBaH%JqXy z$K1r|uK}(6gXPUE zktm;{o_BTl@6b(N88sy2##ac~O1kg(Mz;)pl=5Blwe{{b-#Ix~^`%6AOfdC+mx~OX zPWD!|tbD@)GTXv={4xf|zEgUBCypEx+w|HJS^lMcyD>{)Z&IJscT$${tj27qn}C20 z!qCf9(rN%PY%&=$GvF?N_lbJy$}PKVQw_0JDDN4&q48U-<^p*B@%1MxzCBFV0m~3z z!t7j?GAkEgUr-Uw-|OM}9-3#BbYW?1jhmetPsG&4si_$A=hNK@?=F})cUQCc7&Xk! z>QXS8dphdpvUYg=Bqs|^I@h)fS;oalx8W*BjR#C@G>lw>F?DbrU*K!ec$f;|J>F-A zbazjZHCfJ&Z;U9_I8-KhT~cu7vCXwSM%4#ojy6trIMb49Q(WeytoNIm} zYV{NH9;``kscNYnmK7X0+M_|w*ZMq$@em)e;n--)O~uG)-h?{^^XpeeXXNv;7z7zH zy1rXp&GyK1;*H;d=eU-_mwVN{Gw@#X(R0o^lgR8JLBfci($zmlK4Ir)`yIWcNYOj_ zDLP#@3YQ;B9D?#8_m1~H<^@~>zVE$9dIa(}suc4C_n^!%=bcO0Y&k4rGUYJah0xIt zrwF?gx7KOSO5FvXX`Wyc`bGDRDf=daO^&|0Q5+(bgoV>h&F(+kPDn7FET8b_YkHS8rj(8bgIYHZ?i34Q! z0tjg=A!IYR0?EW*gg`^(tzw%b+9eu~SO4I#6RX+cKai~c*F?_c0pal8G zP1DGxu-|&U-yq%_MrhBro@X_omASMz=GKmH7sduphxyD3`Z>O+xH+2Uv`gC;En)J#0FdXv4i$g-=j;NSsA$s>Dx#Qshph)JaPu6)4?2=&n0%N->(v z$?l(EXWsQOt6pzvhg;~6E$C9kHBWB76p@MCl;2XV7%wlIbH06wl2#PH3EP1W2Hn_Y z-Mo4(C^UHqj_BPm!yrQ0HVszL0YuubiF#{gynhJjML+{lkS z{#`}Rka|pPj!oNjiQOjUQJwo-UCjB~H67Ibn`T2Ft{WTTh$k(24;8iyBDJcW(<`6r z(lJa1MaqArQOZy$>_aRdRHky@=lB$lUv@34bh#b1w|LIRT;sm9)%-+}*pepCI<;e5 z{nI>PuuF<=Tzf?8cGMp~W2Zop6{0aJAL|+Zl$Y7zos*n>CKhzS7t4J%JqN$l89)|d z-rbd78H!2w4R5!lz)#(fdiCzl^koi;G@^(OB+=;xnc6c>8G&(-nn*FPHJiDQaeG$am}8v72DZ%FWw`Loa9XI_cgPS zS$O@vfFkmvTj+3P-KT1nqx0Ic=eC02ABOyTEYGMUHM6U}+2i+f}ld`j7 zprMV;kmT|^CP=>Q9>q55F@C+M>SGxNTHYN18s9dfa@Y}O@y7R8>a@7GX8^7aL?15x zs~l?MnP>j_lJ?%$6Hs=RWP1g|YZ!Ppdwa9nmoEvQQ=1=wE#%=pAE1i|cU9i17;|M8 zIYxSuFTDK9Zf)^}Fj7;vI#2r9%Wy($$kEpqByc>Tte4dx%vNNFb+Tx~pl)F$Cqt`X zq}>@{oS3|ZrE9Y`ERPpmZ~_#v=CEy8A^=p{tkk@-bB@K~0=BLlWA}UIN9xpq4+@RuBelFAycGENA{b=w9(pncp(o+-L@2mN)~%*gzJ&!6W@5AAO-%>L{Uc(ytE=Kl zD^XGMD;q;e>*HQ1xsY<=0(@mdeU5|GDgu}WshM}Brl_1$e_;#QdR!$}z$Ycf4|)8B zvQ+5pb{TVU>-BW9p~Rhl3LFB_*T2@SnDVa>tBLPaN3g<0@Hs95dP5;_|fX+FTuh~jdP$L@6!{xrwI84 zecHm(_EivQbudH0D+3V5D(_VQ^$*3A{}|O?wb${pvsDIqHT`PF2LegQx4`v)m{=_` zFU|RjNC;dc%$rr{C9*DfU551_~#>^CxO8@eR=)wV`A@%AO--7I~GXpBiO4UM%5}9S`(_(2=C}$ z;*WpNy+S=mbc2cS;feo~8Q&X5mslW?J%x*%w8JeDP$}yL4shd-_l$}WyYcG&O9w?d z9wbY=08MjH92n9YCa&NIT=13G2lJ$8@qtBM`TrjVU}usG)#;J~-|C7WW)>ShW)F zY4^6MpVIpz;WxXLFRpnhyDa>fA7HXAf0;5FiF>xk_RiERKz8D6cL!Aa{4E39+i~@- z6n{X{a{O@fQtru>IE}%$tr{+iC;+Ib9@!_UF!4&G{Wk!M{U$WR)K{4U?P9&jvB-t%I(hNnAhYBpB1S2f*jT! zM#wZ9pP(fAhV(5Pi<`vDmKe1lz)H(46KLM_I0|M9UPaB5xd;iu5Je~t(46=!U zeaUR!@b&f9`w8UjldT^*Tla^?!BBR@BC+{*y7MP}Ct~E=e*|ga&C&NpFJMYmwd`+6 z9*ZgdM1qiow@U&Ol1q>TekRMmlS$4sL%2y9-Jq zK-5|)w*O@offCT&dV|j-!Jygs(=gwo9fp~5do}Aj$&fx`%x4mV5zhw2(`{|pF66KB zF}Drb3**~z{kSG}N1dbl4b7@KU;KvdyjL)(-c~wBk%R50^rzSX?^L(CL=>Cok}K&6 zZ*M=C5E*aR*}1&^-f_!uCIT}x8TDG}w0W)>{ZiG;wdz$wD2BkOrgha8={4jjl(@j? z);4i3$M9m+p)ju&IGvneeqqV0chZZtxN@7E&S>4vnxR@LS4fJ1 z$#6b7e$+^Ex?iz+wU{txN6#?@}0g={?=D&=MCbD z#0oSW@382`$lDKi;q$+b`eK$owI6%5WY=)RFt50}TLOjF)3cDBS6|=;bBwDpWEW9J z-g?Zib*;I0z(`lTpbK0Fwg4{>+UP{CovkLlO`_-paA_PmE@|A{6?;c&^JjkDT8+vR z_UpM7`{4W29are!?=Maa{lGW&b`Dq%;_Ce|L)^qT3%Zd-1Lw1A?BWGiPe;j$UjA4| zqnvWSc4@6PkN^Bb`iBL6)-K<|Y@VaO<$4{J-PY>yA}@xH zP8y!lGAMRztT<`0y8T!>^IBdeyD0v8aZ04nd44+0noleeGe3ojVqX+jp?tAj2YlLK zvKy~?Pn)Qt9xsSI0=`__CU0)t{x0&nMfp?Ai^!j9o4qCP zxySzWWqYhHTthO(l^^DhTKTd(t9w8Mj;~o9Cw{~aJ*-_j6zpV63b3&-oj&b8*|N=( z25=J&uRYYrMi(9Z4qI}COoj{KSdgo&rSwNL$taSn1Xk9(ojavVMF88?(g^+Nio z!__PV+BQc#RE$1NKC<=^^tJFKtmpOr6fD-KT$uM@Xp|+g{m5b$b&p;g^w(OL5*oG9 z+43~2j203;f74!8P-$1g(Bd2r5NHrCN5mq#ZQ{$^`T9|5Y33tHhTa+-rV$c zuGXAR_DXrg7Ka|i4zv@&)YAR*+Zi&!l({K;6TTCW^j4i_0T$(gfEliBnd4_S=~s%l zS?s9oU8F@jCc5+xxBh@DU{yo%)q;rpU@U&u^}CW`TioFI;*RuAr&q$};ao;;3+It{ zuBa^Y?Szz?&RWhN?Ch|$PwqR4cD#s?l@GK#mSUQjKvNp7k!Cwc+`FqpZ_!8<2f0&? zkhiy2o4gsQ$(mC3@=1PqUb+-HDIPI<1kZRc-8i4xh3aRUZq|2L8O8)_grY8{n;KeK z_$+-W`Mka0qonS?aZu!Y4I5+fWmC`HoeGUnCW&irHtdGiZ@{cg$!!u2NFvPKblZPp zE9fPQ>pRlAGp-%CxrpWMMz7<_n_YpR2?EK@VgewJz}Q|-Ug|beh^pZN9T2uu|A~~p z%3qvQ7Mb?PzRyQHR}my|oz7P`KUTg%CbkS-yp}A1O3TY_^G=hzzs48LwtfS#p+)=< z+B87!{S1fiZihOh=S#}Mq&h{0NfL{he6pa@E#zL-|Gq5(GD8YbSx;B`Y`?!e*Jz5s zw%g|*_-AdtqIU3zd_iPUE^O(OjP+9WOx{DYtaF1d=XYuM$#=83xkp2I$iN*B>tR=7 zQON|wYQk#3+KRk&K5MNvl1|3+3CoZ@`+{t-1G+pRh1WyI8v{1y(hSd4=jn;WBHnxh9Uee5mlMGY56{eGIHUweF?{J^> z*aQn-T}Vr4>d~!QJ(b5i^`*V2P%x*$KkmAjBD$akAFiRat4oLCQxnmziJ4@FRGRJ! zZdIEL4PKFPafYU!iPb4BWMI{;h_XJuTJBq+MQgZ{xh51}ah{H$Z2HiTI1IMu3FD}%mHmp@h)XD<14wKtJtjNzd zn2Jh%9C}oK(oe(;3!{KNa3nvm)I4^Iu-*41mTv6q5PyWOJYnfDd}|$2=!Coz*KtBF z?Ba3P5>wtvm~F2KjX!zwxFM^g`_RH=212pAf0`gm^favy{&FYq9VJC70=oD<*GLDn zq`^uyon$UEKiboOK;m5akxU36QE`ISh7ll|E5&sXEyd@H3Jp8!dxCl%Uhhe8`JB@j zNT~OlSk2r~IhRW3C#U!Q$h6`r;p6Njk(T>fR~LBwa34`(ooM;^ESz5pac6*8B!M=- z>`0g{VMm7i&C5CwSdIW0{T^k}XTE zcCJq3dGv+qsygy*fpI~-{R@1IUXoa z5|U3(1fNUq46R0xDhnQa*eUjQR*YVsCQPuG)SK|O?#`M?8U|lqL5pZB?cT)gDmo!B z$BMtxbY3;`9A5E4bzZ|YR|5#ipzguD&20%2Ct<@V!LN6V6U@meWi0`_Ukx*x0}s?m z`1d&)5*}n>^1oBA6PFfgilg(3*cs2^FR!2vv7M9eSZ&Y4srcW&-_E)j6GbL`0HV#> zcOTc%Q(hVh6gSJLuyQ#f-;|DTekdYsrrv#Qv;4kCqM0S^IjLHXtTPSJ7=jCV$13cr zO>+|&!U`Zh=(@z*%KEl_JHL$Qg-bvE(pLOJ===obZ}+^V(`SDuumcJt&|Upm*mzph z;%B|zT{%72$VK*^WV%8>Jg5cpUYYH0>v!T$=)wh1jPB7!{iuw?EQ^i?XWeg57iM7m z@x#a)k}v!3%%3%w29a9KWdoBeGyUyt$hkK_F1#20dD+0Pw86kOIdEsY1pwH6MKvQ` z(&TLt&0HOp&AevZb42qyySI)$+xV16DUic$=l`(ImNhoUz`mASV#Zz+<6(%qQ>`Tn znpwwwOdO|@MNl@u{_M}n-)c7X2;B53?QjaZ zzZObc*t;;n4Ud){;d3;>{&4GkOvn(CsvW+Fmxd4$LExM6QU3B5(xgDd?WPP}*77?l zNaS^C&-AsL73jae-d)?&3PcDri@JI-#lfiG${P&6^9te4+}NCCk1N3%g9MR@x$mSS zllQJQitIy4jrXY+8uj`Dgu0lxTS;XS((z^w1dISu0Ox_(vg*bZduvLqaxq;(oGMY? zWa!#CxVGgva9(Po@zNB8Ps57&@#~i(0*gN_uXlAR`ft;nhTlv}I%a>=e_Z^|=9wXQ z^Jmn;_9nzfO5AZ~6#)|99i9eF+2+xg22n{xh}#kiYs@&CBrb9hku4@8BxOF%cd)VB z+G!@T#<=K=f9&Sws8db)nDEX{vKKl*)^~l?=^{%vc^?D?bcBG?dB9bGB!ZVXf6qw= zfYXvLaUJ|KN5@;v2Nv({lsnY*3u88%0o)+=V_R*0qdBBy@XJnwNmAe_2=lC`o=;i< zHK#*-pD(<`UzzEKRg{@$w40VtA(yk#6xcEeCB3M_kAIrcF>KfuA;Rl`z$2y3U=C%g zgg|ThU%v-%&4ff;or%*nEfAd|v30J5&6#W@k1X*!if7Akp+Mk;a9woWR@(yR&RV&o zoI^N?j=W1ZSK}7-$d{BvpX#@r=zvtgJz`!9dxD8KGB)>Jb;LCVv92+#ZMm)G3{UIaHCgLf?G!6IH@%8ZaWtwH%VU#le8jR;tupB9 zNqKf~98k0v2(H?mWf%rH&W~V$ysPeXPk_o=LwrrWE8K59YGPuiwtbk< z%&1(TAY0b1r5?{l5obLgd*nbQD_aW|ge|Q=Yf>lW=9=}Quo{^Hvrg8zf=WTEPMY4yQqt6KP~ktP^`D1 zQN-JF+q0HNPSw^{5&DL0Q+bZq7aNm66#P2)wDIi$3omS5goV%vf+${pO5StxO83@A zG4itR9;W*R-`-YZUkEh*GFoPNZ_PKwLA-%$*+i2$0Q*@|P}3F;pzih6vMVFlJrcSyc-hnC?#3uA{CU7{AUcmC-Jr(cvgDk)tz6NWfv*M`0)+yk!An=9O$T3Q2jS1-IDIE z=Y?xZ>W%kXe)aDlugiQi%)s|ojm`&QyR1G*);b`Y?)TXKexMWRMXl&DNOuW-ImS0p z*W$&@{(Ex%&*c4jdsZ)=tTPaX=j95)<#PYG$v@q!0<}_c8(Uq!6o`L6^3UI)$vbxi zO!8;`edCY{`u}w9_a`gCyp6N58$(Hazo+Q`eDomLA|hLqX~ciF{-0+~NPs0WI;ptu z|N115i8BF~$HCNn?w}ULf4=_rGsnQ{^78ew1$D~){^fsuJOyp83Hm2Xd&}p4kM2Kf z@vqS>ld(hBXo2HRAxbX#bnTJHMQQWn912hN?WdrmI{uvI41V(9@zh`c`|H=ge?S~O zNNoo^Z;W?^~h%dj|f|%7n??{peFK Wh|S$P`@p}ON}B)AT-G@yGywpXM#U2V literal 0 HcmV?d00001 diff --git a/latest/ug/images/hybrid-nodes-kubelet-to-cp-public.png b/latest/ug/images/hybrid-nodes-kubelet-to-cp-public.png new file mode 100644 index 0000000000000000000000000000000000000000..ea207ddeb8fce546ce854da676d8ecdc82d8d93f GIT binary patch literal 248126 zcmeEP2|$e7+qc9m+N`CJP}$n2eQ$)Mg^;uvH8rVbTBcP~5@iojwl-U6qiA2K2vI2& zttx5LzVF|8XWn<37R$ZYb=~ied)1tI=Pb{8&hJ^zGsm?wHZ#rPm@{qKG$z$88+S~b zHk)JGG&*Ve*`OtQY3LpBW4hgr&C1gvbCxzto0h0ZRM|tcaxyiy#7^T8MN@v`5fQ=> z?1(&~8+k-TR4lQ^L|XzL{0iDJW>`G@hC0E;+|m-mBeF?MKnT3GMjc~pjwcfAa6F>Q z;I%5Ah_wViK{NPQQycuV2mCKAWF#zRB(WC!s$^|#iPgdGS2HIC;eHELUS zs&C^FL4)5d%`LFt$7Zat1p)eqi7m!az?=Xc7ZDc_77zwaXq+v<3Ouw)SX4wnNI+at z6eS=c49#e4>YG5DsDLPF)5e%$Y|UwggI48$wY4(`OC&EC=@@#$&KP5fg_|h^*iW!E z!P-)qpg}}lY(io8+HX=3HJR8O(x;WvW?PIkPMu&vCa8%MJiLem=n?AF#F^3}A&R0jnAsxZ zz{5ff+U73sgeVgi5i+wkH^JJ$y-_|%BoHi#=GNmIjR|->;DT`vVr*>*j^iIQC0N3% zgGaRn3m^9(s6l&-rZkV~n41s*<3JoIDMqHNh!FJj7Oc4$4jEZk2!6*3gFFm3*x@iH z1V_r}$xXDoLZKrN3N!H(#RFf7&t&>DV8uqEOMW&}LOQe~`F84%4H+8JCH$@(01FE& znqWzwoDxwqT1ZG-96W@vG&h6Jm@%LNbcB?_u_KxTZcu{XurfC>fo894O2890VXVw8 zA->*%wRFHj&%tlNBMU=QfgVJLGQpZ+>@C68DqCXqV=a|2#ujGe)l7cCj)<`(ZUX29 zx`&pD#hbwE--svRp&5V{_HYD8OSz=O6}OAOK6fwmWb#PHcOqdqqtiY9Y4Z3_hTS_A;spnDijB!yt` zfWZU>^C&V9pqUw#2!9Adoo}CoZ;dDlb1gigsHhl)ipY?51bbU!?B5s?>?#JLAkv{V zv}8MIknh=sZ%ki8N{TYwiPQgcgrSTw#fD7mUs&S1QG<5oU+kZXv+(@?>HZOh`g7zF z1!}-1%07P2o{=910uwnEU;hmJG#Tr^_2eXxFeMI4Qdr{O$6>6KIdKn!ZvtWvo`F}o z2-<<)H$sP=41LfGhyjonT3B0i06b(J2WtCY#d9E}Y@I0t6c(2xiv-X>rlEkiIE47* zC&mZ~JwHZC=+#70QdnaO5kbK@unFLaDY**9MG6Fe<+=Zu$dN!4Q5b;`gh1f>Z;PCN z6#vB~U~*5G{r?wy+wbD6>WmfMjzgjNx0`62ii#?W@QcDS?^gvlNL_=#ZtPsr0^E2o z8`Bv7->9ZSS14*94yR`#UnBR*~-5R`ae#cK$!YUNPyfuZ38qM?Q8M`X&T1A4b2AX1L>Z;JfMM&e@&SnXagPw zd!nT|9{39o4-=$w0uP#rIZ&?<+9Q z#eoL3BCZoFCoorQoB+nr4kZA&8?3>bX11zeEYRcRca6Y4rp3f$e;ksPF9J&Zc2?o1Jz2SIw4R98o=lvjJ!tV85lwo zQ4?`AzCr2-5g4KMi$EiO+iwS+fo;66&mS_?CwK>^#se7TX#imd)(rA9|HcH!D*cTK z6vQyHrEtX*wziOv5=sg3o&IxRAdHewQC0#&P{9CFp(!jng{k@@&pLE0A?b*mb>v*r zo^|B>)1Gxv#1ZzdoONSkEhjaciKUB`wHh9e(g6V_EWd~ZWhpdg9c^iE2f0y1gm!BI zAC@>7?)QV&;${#`3k!i@75EEKM;JuCerpN85rL{h7&%xQLmJE^uQ!!U_CsqcJ| zS$@$_*gxte6oV`(h!+rh7m<43R!J#}GVQ-pM2S!mFt7c+{(qEtKXJJtQm|x1&gS3t z)JzIoPNIOQ7?3670O7yjQ`rQ$e5pV`L;>c69X8OdK?N9a4 zPs!#m649_ZKXA`ste~h0e!m^`1999zAr!#;V;nDTV-MvKgQyZY(-q19w>8_pMg+>D zgfiCwKtMl)g+$g;x`Cgc?Ej;91_7Q>#-O+dA$Wm(hVanvKp@D13=OPtV`Fl1Elm^b zT?8)0FZ4TMeIN=sew=SF5mF||YZCzx4)R*3UZN!dB=;h{Ph215{h#O){i)QKgx#-S zAk$ALKZx6b$k4Yr3}GzD?&ip^P-;ioFh9Dv!E)0PrP2?WY^5JOp z#E>@i4uCBbZYQf6G|_r;&O4Mh0i_N=cMsr@JS6|d8y0ZHoYv`pG|}7{02dE%M1B*D zt;L$LxHxpGU^gdpu)w7oEG+HGDFWtJ;9823oi*h`3^X#<2^?MM$^`TRIz-gF3uutQ zZcdH?X<(t-70{b-ih>mK63$S7RW90)+mtd3QO$l_%pD1_A&v!bV4z*373jz#wBj7O zrGx14KUJJhY2+e?5)J?T1aBEg4{;zTQIMGszET5nS}ec@kLSt%&-sQFo}uMlm{BQy z8cK4=*BJU2wQm1m;}Sk=$k9VoWJvq_dJ+o7i$(eOPa2oVhb9^BC`ni$o;V%ki2r5x z*B6Hr6O#B!sv>G)VDB$G{eGfBJtZ_D`2jx{n*N%je*E3H@eoFpi~!saN&fHO=cASK zv@@K_fr*HpXiV~s|vbBF;Sm2Ae zC@duWwTy8wgd_+u|963rqBzjFU=VW+wnoPg6LEV?@VJ2Fdc@T-_RG{3u_m71+7=64 z&d1^%%t28DE0Fq&j5pCiG10^MJ8_$woeoSdvi0@90ETk3DA(S}^(iJK&VNxk|AE<@65?M2 ztf}(2QOLCyTC0-kPezdK7ceV-CPeMPS`mm)$rBAw?F0Nkt8Ux@egMxXa3u>MK1*`S z=tS2V^`lw@ld(@ipMu?BG@tqw*iFH^lNeo0NgOQ+B_~hx;ZUw6kbNCA*Ds*g2wwsv zjmpDQUFD$h7g1RpGOs5y@|4;cY{vXR?v@e|gY8+wHk#}u5e2)0g0Dx?vb6B8=P5xl zt;dO7$mugCZAB=zS;$h5)~x?i1Q!v4OUJ;DJg|Rcx_ysr3uS0*My~NwFNlaBQ-}8f zv6vCH9*iK2JVLt(Qt*ELI1w7&1r5u>cYAsWqQ1&ikQ~ zKvY;kumt1|j=>1c?jyPuG!uS`lNE|^2@6?+dp=OaXhJk=3djM)m;lO%fNNy8b&7t4H5M^4#{-WA-WUs%El?ted@FB)3l#_s5lIO# zEct%lkGUX+IPGa(`fgc-fYFZ-M*l&OLqstx$W1u- z7$lZrYVHI%(v|Hjuta017#KwLsZ;@|ovb!MTS9vSl!hZ?^qCp9yi54M5Bn3dlG@3s^Cx*`FuY(wf9Y}*1unjl`Q8d zrG5a)PIi|}61)@rC1l|UCxRh18M#1^F{lUus`}a*nZa4JUs2=!HHkSv{SrlFAA)^g zVu&I`DxYV=5dGRx6cIfrF^f? zssM7X63grr?B;mG>VQe1cOz{_~k5unT0IT?5f-4EIESoSyPq z;UE|I9n&uUR!kLS5K$Y-kk z`x~tACP;j4>;fVAX3r*&?f_>=OfLO5{ua-KQ%sG^AdK?o9on>IYo^>!SiSuJ;rJ$( zb$~DyIWPYOzw?xVBRE0zYr^B#%>10-mn2u%fOZ67VSs~E*)K>NvT;AvFFEB7AeX7X zwgta#6nILP{A81N%9SI$_XDKge{a`eJfzumsHPHB901~C8nHLdmHVHLuGmt(yOTDD z@1F~t zyU5H(t+#=cXVCezGgwex&0s-lUeMqnqT2s5>i(3hB!UQouVe;~&rSKpMIlJV)r7wL zgb3L}d^FLY_P*U=13@?hP?z9Y#lryG9sbBAsmhe<4Me+R8B*^?v*R6wu>No`!iGfTA zx`6a_IAQ(omJNi<)?tY_;L#ml+6ChE~r;@@UNki1C_UrsqWaAc5a!~6jw1azpV_esB4()24gNylRV^u>yQ z5(T~+n@pVX7^`tbHEGFDzNs~JQOzI6h{)AlV0C?g%#`N8gGBo=#uktl5O2aygW^P6 z3?7)xwouU&$XuRyCF#%9z6G2@z99V7C4j-EE{Xc*=SNfN5h~Lw3d&rsxI&)=)kd;>P%gZwx7>Cnfhoktk<}703(wehK+rJWe znwmDS|90#QiF`ZAKHdvAcC&07f$Ten@_-Iti9~0(urXAY88p%4p#QFr3wa~I=z08h zu}RqN_KSwn|Ire;;F|l_zD-6HQskic1Ay6op<=GE5K`U)h6d_w8RX3Woa|wNy~~mkU-h*i1VJY7mv89(+a+@$j|{Z4G|pzYg%-X3M{Z01_#lNC;(&!Y zS9pp_TEAQ*Y09jE$uUU^8GCG#mVFEe0u)^UvOWrzY0@I>oVnPO2cxt+ZKzQ*IqBu76Qg zW|FWKLu!;Fs=p8%5JJT3UzYDbQM`U_BWR@SB-9+2h%~WM7I2qA4l*Iy>Qsms(=V(GSor9W90As zq+J@h4W2dfAi1xJpQbd9?~&3r_G!?8sPdo6>za_g`-SWA;Nm>BuGzS2zkl(n;Uoy7 zG3g*j8f@=<-yL}be#hO12jB4nz97dKs|u==0h)l9l;1Xve+o*IGXm-$B4As{>gA7f6NsZghftr0e4Rq25`%5IaRT<=ykhs& zuNq3n=6N;@dv?HZ!DT3aMzQA_3R2OcoG}h5ibQ z!ix5n)X;xG&V0e>`ZG1jsNZdh7-UFIGU^+M$pv3o`8x*JcMBSzR70%_bO69kXipfiWEq{{+5bO z5h>LBu|TFnj#t=SLb)yb)od0>x4|M8;V8oarwkr^Tlx?C4k#2#0(?ot*q`wR5j7=b zoY0}nfk?{F*p z|5O*KEIg4N{ufMHD3Uk0e?5GNHU`)*qm~*GL>6WRdMn_N2 zacZhLllu!cp00$>A~LW3!ouk2n4W!UQY-Qv910FGmi}Y@m&kH>w(*xH#ah2dF)vRz zU?#(th^pi%{H00J6E^^IU&`_L5={;TKVkpUr0ApJ+EgM{<9PdHWc@G^rWO z=F)RW-?m%vC5nP=p8X%+W<@Ky+v;g@+X7J!#D@#F(~^mZ2Ajr&EvC|T&9)U@f7o0V zACArItJ}?XP1gLPiT|??+-~ZuZ?@+2(r&KMPC(d=RKo7uy26V=`;3gakp7zM?MbcC z2DT+#X)5{|QnVk+69mldcK43JtgW1LDmu?j!qP)hK-eWlf zJ%W(CdE4YELauR^O+TS;6wZNPmhQR~w_pKv?JE?6*}x_l-bvzxmlr&HM!*rq1`bA*sI;?e?tC7e z_qhd0b=+g*3*G=e5xrAc1{s&MI!_f063V`5y(S-Nk$BgeeZ`At*zj=hlNHnvpBn_1 z9}Nl(6yn)gyVmQ?{Ss1Q$h{|9TRfjK(6GdvWWW*~JZ}-2D<;sDT()kF)9i^W=-nfR zK_@(mETXQGbw%D~@VuzR=6T3CsChWE>nWAWUKehZ>#Swq99lzti*<#TJ=loC^>>Eh z?ejQK|4{TvMHDyM_#G?S-@Jg3y)(eg$$sbUGbP7q_&#+ZE2;~tYkvZ6%OiQz@3Kg)5MPavJBdeItU_z493gCNF z%D~x@GTbkQ{FGR{z3#1;uJlg^c^eo%1&u z`;RSp`i!Fh;OFo;Ad6BQonxXqEwSKur`yi#fv(MAI@@lAC^HHIgtXdruRdrtvvAu3 znrSMoAb@#RT+i8zkl?stk!F3|6;u>M@ji*H1v#0AxYgo?{LDGT>6bN%cXW-7u4n^T zt=cl+GD7g;8M?f$Qbf!@vOZ5VMBgx2J{=wNUPc-1{S>ayq(d4VwGcr+K8#lYqj zO$CgL#qoxn4u&D93O@F|rxV%5QK^P^3rA8lX>p}$1`yGQk>v+lP1h8Cs4iZ8XoFWx z+SVRXr$p|gi*huK%DxWBx0O^Xm&|WNq4o4{v|K9`4hqA{oV?F{)i;Iu_5{79hV{9K z5 z(^8Hw_3KKHv7CoAP;VNwup~r*`MCOnx!1K7oEoAPp&a=~uhqEMfIZG+op}oIx!OoY zU!B8V1%Prd5-i6kNY9GnS%Jgxd>o{@u7arx?DIIqA#u#zm zs)FG{4>YZZS#{r1z%8NbTODVYon+-xlQSmB-pbciU#3D!-@{(gyY!5Z9ffv8nAF;= z<5M%ITb{U~GC9zMUEtcS+wJVrccf(9t{8*PNd!8s7-moB+CdtcdFy?q`y1aOUBl9w zu{BWoEUgZI%9C>)!pi_3)Rr(q?cZ+eWd;*T-&iD*t3>R;F;`*;}cGL2oOK6x z5&SDGpUb!H)qN)FOxod~c@SARJ?ov50Eh)H7HPs=J(i?<$$>I4*ZCZKpIfgzhK{M> z^7XsL+E}|sY-7}RV*}#h;L&a$1g%086F)t9*bs-6M#lx=o^yzxG)`r`Xcr+o(0oG* zw*m)dQPI&2O(;}Sd|t@?^OC}2eQgD&c-?m1)5s|%Y6h1d;8u)q613xelzcK<5(q4-bAyE&7cv${yihK9I_3k)b=G$N4vCN=X+dZAH6Np?8zF7 zcV}<8tH{K~XrR|Op+FB0&v%fd^g{sfs-mB2b2!_2mkycSSn-~_ zmKe03+hVI_r09pMn%=F6apWUeGg4PEea0%lshegYRPdVNoV?tu2!tj5oWAVt{tNk4WA_f-M4YC^DwMx zAK=S-(RAKLY~D3&ddjgGJ@?X@kF3WsaCmt$2gujvS#+*^cFvB5x32=;#xE*1qHI*K z-;8E2#uTT+AptLX98Rzg=I0E|NV(RRGynbtVH`W5dH?C#fz~@^u#W_3sLC@Rs5N)k zuOOmojq-}@kM=e8kY1NTJ*5;pSa{Sw^v7qZdfhbGo!I zsJk*o*p7LusE;-E8{ig?9dk@B$7^s_WQVfv=PWU|C{tjX>3220=u(flb$&yClJ2_= zR^iHdd8%?X!s%Z4GvdXF9RR>02!MrxniC;5bO9mA(Dbg^&`nz2g0rCG zRIH*MpAwpHL1p=#71AeF1ueuYxGsiI-;=Bng}&e3Q`kO6;>OkBAdP7fcTOvYz38QX zbNYDao5wNR?no?`*{!G7Z6B`rtnU38+1WaNJv*gv$2K(|VME)2&+bkSb%M$47ZG7BnI2CxqrLN)u$8VKR9m!!ELJcrIt&;t<6I1hm{kKI5O-K~sh ziw`07=;Zp|03ZugNE~SaIS;Sw!<&gHL#ZJm0Kkd-@?9>vhF5p`9dCTY zTUZ+KDpwT8zTOfSXAp4ei1chGUBl2tXfJm0cP^{IvQH<4AqV{)wBI`(J)~%kI~9TI zU%K+q9F9a`-HJ1h+m3f@l=wU5L^4P_RC6Nw{jmuFc&i9@)`ARR@ z-oJDe?s?W5U4(arAum;3V+>sE%y+5uLGLW zy`B74JY*TM2)G)$BDWl#t%PpfRM{7G4I409DWfkyM#^)XvDgSnN}ZH$ilkX6umZQ{ zn$ugrLqJpGB-NzZ`UO`#9`u`I6ER!Q5eUWdZU-@#xfK_I*So^6h?7a+F&})$Mf+Mj zJyD<0B|Ktl6zhS_Z#bBmaTgtpl+ex=t8i-wRu50X5?O08P-%77g)F0Nf+kQgQ`X)L z#t?hg&Dx+_v^KuCC+wi;^Es&pfMyrwJ4YaWO(+|x>sk3O1PyipVY2h?-jc0k60TbT zc*Nk`-W2J(TNku6uW`8^vMi#b`5TfxXdGA&@PG7J$!PitC6L!4Bf$y%UQGAw6k2LQ2d}b3S&gg6F zE%MIR>g$#ko}M3f&-ijl36qa3Sn##b+jfYhO^;dtJo9W6PF9SZ!TZp**0RZ@;CAKm z*a}RquusD$mswU~ZcAn2t^^B2=j!ry7DQq%ugSGd-Jpc_>wH)cX>)45|tHw969lp4sCxUk%=GqNiFuC~M#rT8wYl(_}vAw02ULP0eGzZhu zet!<$Y{g(S*lllXX4s6nG8ZsS^YiD?8tAkX`MZGr;jVtFozLcp$kM&A9cl~a&KAZp zE!m&6w@|R9;DEu2ijlV$M;lwRYopFBrivMWGk08OJqjWZa$(!!BfDGYp0Djz9qwXi z-@Tx)+~qoVglp1*(bLV@ww5(F5Bd#fFBLH{cTbyToDz?Y7wlCo7ej!c8vw!EunHG7 zG7!uGySq!$CVMUrC)|NIjpTU@V}rR%OfM@EHkfdTn@9;n==qUAZ<(==?irMY1}Q)A zQ%IiG{2^7JHM{_sAUz}4WX9PPq+6i_ak#C6YxD+9v94^sr+VtU9S4tlJ;XK7p8g;J zu&LjXg~nFGI9zWT_F8yuiMJa=rt}CVr%JK6mPS%5?%M`*`023r`*Gbq<@Gu_XEgon z=f|B|kk{;x7_Nl=ytzpFCh1I-CL`ywlKrpu9-VhO%m2YMU4xhJdK|LMmh?Cp37{7} z^niCKuM+UiNMuw6g|#E0&5`cE!}h9UCt5aMC#Wx1?cOW0B4jAgE{nZ(CznGcv*+Ly z?w~gxQm^^kh(SzT`cq&_grq4V*F%5SHeBsXsYqX}L0Cv*l-9a~d3j;?LjdO$3F{V} zHPKf%D<}Jol;GVbfJm@AkQb8oXb~lnkjD>5R(?LmAs}2+Y^Rjv9iVnMlRJ>n6xr!4 zYdZMibBke1Hmx{W29VS~JW-w^PG*29EIL;Dbh(;zLQ^eLp3y}HA13w3B%Wa2)#V>*T(WU6#wt?M1Z+g~TWE_6L z|JLqy2Cu#@WyU2Xde3)Aulw$+sOlH1EZ3k((#|S7YW9RR4y>phF?Ua~Z^_9_>Kkcve@3qcrTh1g3R>@p$_-eAe=3n!%bN>}3(KtjVQ@fkWE)spj&4 zGt-r7id5yU9A#_>JK2G&X|uaor7Sa7ChoxIsKe)XH#f$$CJFZHsdRh8%&jF4kf;B^ zbrp(^kPqa-J?&Ht-nfH>Ne>L&QGvile4x_h_^_Dnk+#np-uhCh&GSeWb=RVgJXe8W}|Q_pI?frH(5M;vZ8vZ6NnY*2c#M{~M~RO+(c zl|84G)IOsnf{v}d&b3QAbkO$Vy;~8895?_exVjP%6b1LzB7i$3`KLv`U~n``cgN90_Mj1qP=II%mc-_31COE#_lR?!Y}4k%HSNf=lngTli# zCEoJmjvduxb2zi0+a|l?UWka?n-2_Lk)wTQT$FliJKid*!CLml6%`+mT!0zFz&~AI z{IZeaKBzwjws!fGI@kBnvzYA}Ii%N`M|pao7CxAb<||y^!rog;<7`*l2aJY&t6^M8 z0G$8wVoV*M8rzAM?!#{mds(7G*p$!%AC)aJexU-<-I<2YbK(W-?l$Pdbe%rqH8?!a zUbd>N zIUMi%Cdn`TRcYnX>N74MJtdFZhH^8uX9Zqj z-Ig?z+;+SF(=xU!`vN?JU`pSPJuR=*ym|ch5cTWU6+9VrZhvZ>@lel~SADPjEurFT zb{FnCm*k_T_tq}2PC_9T3okeVR~GJ-pjcFKU?6+7MET+uGPp}aBbrCt<-3XRdb5LA zWGp*hq3F_OHA7rN?FCLy;J%>~vv201up}~&6p{0mQF(LG*$O(>W$>V4X zUVxsww}FrC)6T4vGXJJM_9P^KfT#oPXaj-{MOh^Yf-~EyR@TiN%ZZX5EK5tjX19%A zG)L07AU3vhV}|=k=YFRQPE!Wa*C_2zZfPAa*K@~WDx5zti@p*<7t~Zc*GSbQ#NbEW zM*4-ajxgM45x_lPr<*nm2Gy~XqYet>bDot=F+8XM7&LconPDI`-Sbvsz^odQ?l_tU*AGwi@mxM4q_g|h^eduG*s{2moEdIdTUDJM z$zhqXwbe=Q-6!p=1K;#EAKg5cBh@~WB||mz+7dtA1IOFabPShVGa(!~hDm>) z*0@ShlLavq;Z!;q5@@kq;PQTzoT&`<$fD58OK**%#}}Nx8=~4|*?W zmG3#n!q{KL;@)v`bv(P3OxI&l`X^3;kaY`F+<}tO74t~{y9kjcj!=+trd{=gp+8fT7c(zzO^33@w5-gkBCYW4B< z)f~l2*6FbERF;zbtuk7YEd7TPfG+9oQ+L95R81guOJAl}lXqBDkT^Rkvo(v4JvBBL zj|rK@MlVs>F?heYI91FkWxW8q)BKfq9RnGDS9~$)yh2oapem+SuzBfXU8g5){)5XI zz1>IOwRtO)Uvw3e=V`Ba5q1=8K)ZErO0V}a$5M&@0TyPN72$2MaYvrA8QhF07Ogdq zsax-TXwX)wF?bQ8BDsNBPM4j1H-%VTia<27Q&3 zlS%#7BjyTAhAMCtsHJTYt1|AI1q3DUXvpu>V4f==H2Og}Ds|w%J5rG6`QqhIg{lVB za#aoe--3l&uS}IUACY)1<5Y&#F_d9Pg^#rC%E&zf8IboEh98T$D!P2W2c*Atv#krZbYzuV2OeZZ@9S4Q*I@+ z>xq3CEG(qq?Z$c5C7Pi}93x^o&UP9S8!lqvQdqX7E)K#S!#oXY9Z>7*<8$1Sy4dr$ z*lzdYW3jG-2Nf7?PM?S`ckaYu{B%v{p-h%(iIwG&61-H3v4~{w2a>^HwxbmJbzUn# z)`67t@>Zj;U~Y{ZiByL*Rv7)E{$pzuau%Y7YL4?|98`E{Zi{o>_2xvYYw58w@`In# z&hss=_KUom*S9gFHcg&?Lqg_t^cf3Aj>x2s*Y4*Xj#A*6=a}5x>&~cW+4=P2rEE7b zu?;C7t3!lck40e)xGJxd>tE)cyk7rcP1naL9V1uMJ;bV`z{SXQ%c_ZV${;!0`2s9o6|<_h3-B*&@8CQoGlP@GdN_?&eLhFsroh5 zP11-|Qv*^>Kq-k57zEK>hKR(Si3f)*f&Qt({#0klX+9jz)nL1R@4kp$_2n_1Vc|n( z?!TRX@(~-VtPik3INGT7?FL-mQ}a46PZouB2_uF{tqT_$T6+kWMpq0LGsfh~Ukwg9 zh>o_^u{Da+e}TG$m_AZK#?@}U{e)s6l!5(uX%Mt7Hj+~*BW+~Zbr1Hm53lT1_v#x} zd7i1#hZ}4CjhNjNTAzGuA{d&!5NhJA+_NRmy6{m!dYwZ#Uqa5j$}$Dl{Tbbx9@btq z3!3XQGTbgyb4t`Jjz7(^gLG0!$A;(_`WhJIHV#MtrwLb^a@pT3jI;@ip%c4BF8@huf>n#+od0#`^sobUfc7^ zk>y42Klr||m+uI%Pk&Q6{Os7g`vv|zbN!9%NqbE1@}%FY3tEZ0)1SK~tR+b>ZvI$6 z*rOe6{j>G;P87}sp)CgfnJWn%$-n~9>TCO>m^o{yP1`=Z-2Ot9s<1zn`VEod0^%5w znv<~#lPRthL5J{C@8z>RGDwYr5zPJ5~ z&B5A2oeWKPn@xQ=EN9e4Qb!Gq7)wbmCqL%;$oDwyY08-CE{{u-OAn1JlWg4~X{0i% z%zyn}$=8S?uyYGA)I;{0Qyk5A4g-c+2VB%vuVirVS~)8j%!WJCm5zA!R*JeF=scYs z7M02&A5-8D1&;YD4;Hv~dO<+nS9-(8`(P`V6LyDdN!59yz@>}#T915e1!T!3q{L0IHMjs6!b>Dz!t^Ufc&QMJ?sLXSli zJ$?rk>08*bSsUd9ydBG#^8z+JBLjuBu$xO-m%i!}*Qo5!hs}JvizSTu!-QI8?fBf~ zyPk9L1hsHk3DQydFKmgYA9QXM)rXFJHh*l-nNcds~-!VW|7|`W%+d*D|?h!Pz@q zZE>c$C(GP_b(1s-A2(W+i;2l~lkd-Obt4^!eoRb!dcSHkwLQT4sh9+#6tCB^q~?d} z?_9DqPwml9wBc@W%6p$CDZWkLd{)h!Pe2O;WD?XL1}>_(&jl!Ua^q^Cr)d;M z;*E@)YcHC#f0RhBVgdwRJV!KFw)1RG=2O4cGtX>RTz84KV0=?L=cS(DlCjM5LyB>b-M&z;N$`fj zYU{NW>pk|64)LM-r$dKl<@4dQ2M9@SAbj3xw0q8Sjz>}{gSJ*%BW}Q*dic#~XytMq zEiGTbWSr;U?f=H_##3hUo59||$aFc@ny(IqDCcB%9*xdV@$2oqSmr;Nlj>mM3QmR6vyxUritbKB z;6SQXd*`?e+&qlB`7;K(qnCHTWpMXgHNgkC+tTuVZ8xe;G~r)7B=`l;G3j1NO!FDE z?R{;4WJ_r6hSs@m)fDUWNSwuF6FutTy_`vSBfG^(Os0sM07t$Ns$)%ZFgMH7p8m)w4a7wjwOmd2js?bJ*+f57+Fa7VgN^4~WgIU~;bKSu$-w&q8%fK;!&-D3x zcF>mTMEFUBey4y^K~LUp#-+t*;YAB4n{dk-ZqfU8!*D6#q~+Sn2wvrF(2H+jzCvZ zwu;uq2QjVPKIB#gQYKRxin9g`V~q1VZ}D-urBv0R^R%jh*wvv$dIUoD){>ODKH#Dw zNF5pW&LAbUtWq3B5=x@xcB$vx9~3C{0*PSwwg*Yf7$rFF0H)BzLEM z=?xO$r41j?6BSv_0i7Ef=3O6}YV+hFD9$A>VM^okD44+DnDjGj1*bDiP{q!9gc-UCD z_By_vrykz~OkOdGvJ0-H*M*hKDq@GC)vr1i2?{di%J%Aaq-YWnY%W<9>2Chq`zj{) zXiQF$Q2&4}!B9Fp=~E-RC!zWZXF89+(SqeeO&L`qe{eC+eWhST_Wfio(xJafNLIRJ zks}q&`koU0KgB8(g4Md94m>I;d>qT2Kc2JBmFqn+2;4)meIGolj)t!s6a>EWrBQ;#3mrk8_{&blyJf)}PmVL1h!mvwb4ann; z)i-30v=#H+(v-?1Mo6JCoZW3RU z>v%LfD$%V?UqSAZ45nF(x41rQn+|loR>iA@XCBdul^;o0r6^`S|4i z*tUjcy<1XaI~{`N7`?a3nwNILz^%I*6I$M@)}y<>T_s}?+qI$?rPg!^gtgQmTHZ5V z^e}OIu#u;i?<6v_f%lb&kHq7N`&5mh<27R@H?oxfXKrkjIN4gmm<1pA$N|N$Y z9|e@n;H>Q16qWbV88w%~cDB7Vg*BBuQW-cnj7TVu=BkQgjq5YX_^2ATdemw$Ds$h8 z7S4>LsMTAF_u*WxW5TC#8_J|?N;a*r@V`U=G;-XrLwtm1&8>; zyDC`t+nzB?R4Rz~+i}RFntFA5Mt4h&rmLMNlshyNposFCDxV{~ zkSkA7ch-QFa#(my$wh8t6d~BPvRc9Wpn!Yh+I4fogF;po7I2RYB_B`?^c6%1O zfLXrp!^h#l8&>VhhO?GA>UT81H@(Wg)ZrZlbNjL>hy5rNF_HzKhB+hEq369p-lILr zeR#byNwbJw&NMRN(;VPp%s7@YGFUmvYs58jqHuSed+kM?bcn_#)ug_~QO-3-a=j%| z-!*Qy;qLyZ_>5-id-K5)ZMh{^>jDo7Y`Y{B($IIzLxp&iklKHx$oQcJu_P$I==tZE z+={M;!jk4@uBm<1C##qUPUuq2&ddk%o7mm)SF8?ug|EtXBa86h#2KV{D3m}>*#=hj zk;a>QBD*em6t6E|>`;kKng@aE>0OPe&&LK)UK|-dFIM6DvPmpQd@K{KY#UdlCb)wz zcx+q0Aj{Bv`+6lKCMc+Z78uM@s9YxBemCHJ6bW0rEThh`uj@l^t9x6>{R%#L-yylw zqBZivtZ^AE6%v*M?LLex#q7bK(|RK@Nf8p7sg951&M<}s+PihsB@t3qzCyiR^{H4h z2`lvZn5IFpa|2J`p);K8picFfFyM!(Dj1}(M#xqtj z?U@UF89vWskrm36zpZJRX+JCfQ1vZ;!#QRF_PgUdb7cN7n!AWC)h$b=;#?QT$?0rQ zD+p$~?;*ZXL0@A}1(MM>HuGt8@gC#THv@Vr4ifTvn7t zic1@|if_1mH9dW<;8KS&o2-wQBt4b~7}MVev*L?-FI{)dZoYr6>nBl6$43vH^k*+d zv^Au78gjD*(`21eaBRIN>nzKpmuRMqbVp^JmZ-Rt++%U$wD=r01LF3+46YH@{Sh@5 zkE=`m;KavcI(BZdR14o_smA!;PY<8)(LB&J1iiG_?3&G{XfI`1oic?pS&k`92CD)a zj}M=UePi5P?x^XuTOjFk^hdK*cwyJek~aI_*=F9Ad{P4cOZr`*tkPMM-&bM6dV{|*$^RUQA7)rXty#2vv@uAn+ zv#s+&6t;}G)V=mUYLJ@j-f`s?lfsZkn`Z_yds%CIP~iMCk}ms5-bMj#%6qD;2&yAP zF?Y?p32u%bT!bI@&?2l*Y-)Osb|6n@!_uKGyx4IlX{u5*R}4`>z`SND#zj*bYvl4(tT z(aRZ>cx*vpT%~;5YR9sCaEq<8{)UgnK!xQ=-+ZHy4u5ai@^d|c8Z#s!b>27)9jxdK zG`XJiKK8R*l-DBx5|4ITP$0p}x}DFISx|hm?VyOc{NBOnfgtO222b$^ycv80H6=?M z4(B#SrMb;dMd{t();Nk>?3UhieP?4}RL^w+J*b5ugtEMO8|acsJBqGDH@4hNI_Q7z+3 zd3`BWSx@=cs{I7SmyOD{ow)7M^wcVR-+pl2jFG8gFho5=A;?7<3bmf+(lI>H~FvY z^bH}0%eABdpfzmWF*v($E$&!|Qp}@8n*b%5&k!TLQAg?>@>msYQcCejJT)kR5!n)x zx;Brce1rnc$AW1?9WO#-Yy31aLkHd4Jh`^XS8*wbxqrHB#_X1^FnfV;@bhS(BqtKC zeLmy+zWthxp>yqr8AYwGbut;?^qv1)1X3~5vQ+DU^e>M+sbvyp7w?W=f>iVnZH)j@j{y5DMh6YFMj z^(kILneT|N@~mVoD7v;bxogz+qLq7>ZFVS!;Z^P)9jOaMO48%(I@%(m3lU-9QKk=-U_WdLgx6YhKWEU6XSmX;I8eOh({a0y{N= z1rK}Okq0;Gg`JM+#Z225t|NdQHjFtDx0lrgFr9133R21&km|BB{J}udc~g`dDXQFo zG0C;1yLi>p)*y$TsPy8r{uGnSxjC}J$yWW?jFW;X3oE3YQ$AW$N(0NImY36OaCx7_ z9`~ADUL%=7wk)sX>m$y}iVPJMRs^|P_4zWlTd*0qVBgud7Q1gZCptrsYABd~|NSN| z)x+MVt*0Z(G|$W?TcX8~gNo1b$zp(2Z`eG~5L1{rIQX`6@-@aVewJLqsqkVsUr<4D z5=tX8OLf#Khj{YIW1X~t!jDll)x8Bl%LiK9-bB7+KWt^ zM6pzjdp7y<75=Sz?4Jpdx;^YSh|4#-V**2;xw+?;w_Xy~Ps@2c5)dnR(!Hw`NbvJ7 zdY?((CT$($oaq^FR0cA7gq==I-C?n|j>Yg%5) zD!gU6BdFcBBhKw|c+ISClNpXCGO~cB(hU$XT#Y?R+Pf6g&nNmlCYUoC~ z{R2h&GL?p~xO{0YO+%lDuXd;%QOi}pZduTB@I%P`k!Le4gqMQQ{gDXqL8tht+j<#h z4jfJk`%cW&n5(uS71vSsqIGm*M`osfT3rP=ez9s>P*zmDFsx>j!Ow8)9-t z)&GyWul}mC>$;XkI;6WLl#p)ZC?#OgEdmE=knTEkg9y?R(jn3%-6`GO-TiI2Z{PQM z$9VpM?-vFG&ULQXYwx|*oO8{q;wono?CPIYhIZOoGQslXrk7z~lh5v+^7-BbClIuI zJu=$tP6Xrg#unTS|Pb#V8LB?-d#jAog&pqJUT9PcWpNQ(2s-Q*ZTVVc&^!k z=lTVzaX$`|>0+)u%$+)GpGN^mt>h1SuUb>|a`Vg3cEMf;D_!=d3zZhFoiVi**%>RBPeAQg zi15kuD9rt8@nfP7KMB?Lw_FwnK$>P}``)iYiX_M!8!G zGv?LE*{!CyMfaoJ%p5q)!FojR5->?rf7XJd)AdI+nOL=XF3l=PaWMTjK+*mV$LJ^r zO=>&BC;zmw4il~cQwx?1V#WTwJJ?0W#GP$@;}gCLhLFW+HqEr?MnzO(@=guY`9$Tr zFedpMg2oD zXJxYMj?R3T{S3Z&?RD6EV6GoBHYas}i7;E~+?5h@+*{#Gxh@_xcLKk{O835^=4V1&;)+PNzy*5!l;p2 zwORM0?^FzhG=ZZ*zji+gx9EcmB!xv(ufL+jHyP}fp0=l?I$_Z}Q81%@TOBLU{nlUj z3k$PdY(KmGGuvKdEaGEZ$>}@Dn6)8fnJnuMt^QcgZd_TuZn6Je>>g!o|*R`7x z3|eLsL^iK*Bt6(B?UH9`x9UfU{I=o?7IBy^v$Wi_&-NH6eVljQIWT5V2U!aqCf^>6 zM(Stj9B+OsUOjwTLC;px4?jOKo0PbGAbE1W+2oFnLgn`Uz$t5qYQ))%#%1THMwu%m z$~`yX3Ks0+d{;H+r%-4i*EAOChs{Ant1#Y(**p~Y%gNcsR6oji7n4NWk%!;R%ElY& zb#7-H2Sd;ye3W9s(6ctNn~0j~`f*-i&|!`$a~ZB(4)mzIS7GR{vou_$ja|0ijBMvy zxNgn~66znb1LqN@&PARHOj7McPM>6Vw=a1;=xUQhiu_YzwbFSKc`p`;rJKH1^fs4G z*42$@0zG0^6nu{$(db^q#YS$FMaC}+d+_v!PFh+@{QOh_K`n=?@lW{^Z}`roK1QiL zZ7B?6f{sCRDNvGC{R?S6m9@-Kn_InE(YUz{r+$hWYrd-EAamAvGb?-Jw9@BJTsCG% z?a#mOH;ZXfyF2ZD*}{aUtYOl$v@3QsLnBjxtCMkbr%0|lKlW6FwQK{x6K!8f!DHMAPltOuz@^*MJ|>%^0qX))!;TkCcd$#s=Zl8R zS+a6s%H}6pdzJgnR&eXAh4l==d;Q-#Vx4ihn@6v%KtZTjK*eOZh-j8;w(%!>9!6#^ zZ5Nb$6`K4YOhb@Uc*5i>O!0HuDC4xlVhG(+BAu|(m3R}zLK)dGV;AeReUDa|$)o8D zeE?ovwwf>gbERJ~~_zh6fkE+KFwVxhzVR2 z745_$)RVVt542HYo47gvWuHln(c6lX*7c6$-HQ2gy|Qsb3hTNj<K?R)wA!(!_~2W@Di3;X-FvQ{)(V>f5& zDf646&8`dS_AW2}TpjjNfdMU8Dgl$NFJ->l%n+-uk5lsN@-j}S@Xi_-tw}NU{yk91 zV>~^%Dh_jHb2NDEV*4k-rdQx>Np@pKrav5p8uX-0^#i|45dQ8ya}tP?2?M*;B@IxAny=#{uGb~L!YC*8T3>RQDjau04^dP}FO&g0 zKDqsrRfiy!RZwb2q})@1bdnJCS4OTM=)hwy!8F9eW*3nx*bZVM11)&7LKkb_o2Kn& z6Kh176{6d+m4Px8vgPLo5RPIlE3g%TA2ObQMc>z?kptq<4vjfIC^ zJ;S6N?P#{lY=|EVm^8ZWKbHT~Ds-z9v}z0Dj`kKktJNi`GB8 zAl&~3_})9Br3qZl*97Mo$5na8-67J}mgq$%Dy!g@?V=_ubenF@J!dthMdsa<)cs#? z_l;qoZ8e+{bWKaO5|;XI7^GN!;kf^=|5eJ=9SaCq zX)U6;5kba6xV=`RQIby1lpZzk|NXqikd!-^(BU&4x29DOre53hiTs7tn&+iY58sS# zx9If|k&%yN*wveozIl{gGT!U61|X-k>sTK3Vc!xc>bIG4vpMN&Jm`AzY{A8fvr=hv zg5x3I0wIw_Xb?Z&3oV!&J~ zeC41qHoAE9(zK1nkDQBNVj6g=tqN@B{cHpTRZIdGG8+1m(${BT>X9v^J5*unw3lm0 zNY>nhnDjo{(KMbLI&>^$Pcq6&p}Eoi3Gi9pGq@iWEiya&<03Ab^x(VrcWVwC?`m>~ zDkLIJj%F1`5rCr6twhcx<$9;N=S2f6qG$Z*K?=kRm}2+H|K7E}X%OJjT=ylAFo z(3(vj0^`P`yZ&ndAM(%5il?|EUa&x=ySRic{dK~kZWmo^-;zFVW?~{Gat&Rzz#tgh z#Rn?Z)iqVmFv<5bfoQ~+%;H)4S`WTEVYG^$B4jKo2c&s

        KVU4Oz*U!IrotN);lqxQP?jG})RqVW z}DW+ylDAvGDQR8$=tFzXh}NdTIfQJ_$cjMe?WH^?)z!K zfXabmCF`loD*G4(_qB5bUgj&%kK|FzMBEww`xL;32@3evy+g16 zpUhnXn)jxcVyp%>Rnj*<$mo$96W5g7x*9IXRJd7j62Z-&yqb(~0qD{SEKD?xddAY+ zUnzZCn5gNRDMmYgw-qArWw?lJo6?*8;Nhxz2jB#m)l3}kj|HCJ6>H^U@P9QLB?fo_ zBbWTHQ`-X7uR#AMER==9Dfp@my92>ha?+Z|zk?xSBTiPhLJRbx7cJ0`x@GdE?3v)# zj-0k}(&K@Gf|Ap;?>=fl|I@lTj;r(H03I}&iPlmq-52T_E_bnPQTMnmj)eLiy1Iy%DDl&4{#!t> zln>lE&}uHUd8~%L@C;&@=Nh8K0BDS$EADCz$x3DolWpS!bHerRuNZ#w*d|)br%!jZ zIKr${gU#mrpR>Kg{{K9|sODAw%lBV}TfTe5IAn^|m+MgZ`uRLY=2kTP^6Hg*46sP* z9^kG-lt(T#WZ!@Dutn&zlV!nIUWW5N+9Qc`F}JjD^5H5wO|mg^(nGaxbzXpt&+c_k+$PAp3RGVIZQ(-)0vTdi%NUiz3H03${(qxY;*o*j2NuS9rA2a$GFr4Srj&%W+>DN%# z9IA|~%HNtkE51sl{@}Y8@pi;fs+=#YPG9tvspuwX1fis)AYVi8jB^jxe9JppjJFiEbf^3iTA!A$xJI;* zRtz9LxNzPRp1v8-QmKlodhtZ}eSS+jX<}i4n4$;8YcB8Xy8#9quzrwNWiKLow>-Xo zn=So5reh9#-3a1s(Ugoc2n5P0{}317nTlv4*&l{4J=xF>exN|p|287NN$6krOkEWN zb|;1(+!?$QkdOXEebp34h4HDFBLrBCek%E*Z4f0plvt00y;?J1!j*ZMp>4=EMHoT`T=Y7wl(9(bNVvRMl{+TcUGV_~`5pMV=1x z1Uf%<{fze590!GbFTt3uG;?CUUye9*XC7-=eww)&Xv&f}Vy;+%u}V_htr;%vq**^BzsHy}#^ap46co0z++xgJ_} zKpgGzv4QO3Q=o(xYF@b;};($$d(LfBVpP8GGXMB2{leQ32CAO#M>qa6(ewDQQ%RvZ~&Yu*i>~Y636F` zAbfSdek#N2m17W{(;k}oOZ$VCD8HV3&O0beX8oiGfgA;gk!-f~x{MAtR3Wbi+3m>& zDXE$Avdj;|7f(`$EB-h)q)nX%2`qp^nsWX}%**4s>?1wjtzks`f9lY;|1$o(n=cR2 z;%Dp)#c#-suQWDumI>W}bzuVEfvtpa#Pt&P8Y^*350R(J>ml#?Amm z-vA@`?SE{pC>+40w8GS-ZP#{%w-r_jVhv#Iw~)OOc6C^evVejt?WKWTABgvlzYjv+ zMR!8%APw@+!#73S#8lrz?#EB$e{h6mS-w~5pyb>L!btMPnpOFnvY8KL#u;d(@P&nj zuJ^-#t6<1u68cO<&?-e7{BkY_YHUY7M=7CX{qv7*A3MbJQmpcLHc=iKIYy+S$UkW7 zV6_=ZgFZ=a=J9q{dpq{Y>l(I(%Oki4R!52-qjn2V=yDlRt%Ybn_=ctRqntZK`bzK+fE8ti`Swqxm3~GkqlxKJe+Z zGFp444+uq5i0^`VLx`Zg3A17Z?J<*bqT<;s@*WgEZ*Qz;e-$0QJ{rJ$z88lg$>Fwp zhfX5s%WOI6zk_aaxyjpjb6UEzlcLB&37DEaTg}TIUlh91e!U_+mq6f51?qFx#6qQ5 zb%J`&y(dWwR$?5J2SAmMr9ZnS(UN!Z<#YbSgN&Q6NBb8~gN7kYpXN6dSUEFars^%m zGLkUS6J^6}gmDC^W;UfOcT8MH5!^Yg8x%U6CWin`ibFjC)kO8l-apLA(ul`H~pBE4_B)YqHsm3yExP&s=^0>GOb; z=m5bny`I&Zdi~G{Y4ikUY=WVXAiZ0IB1&hrdebUL67=)ZffyzD7NXDw+JDz?SB5m< zlhNNG{#1_Ac;p6OLxkYLS7E+a{-5j#5S%p2w))DF=bjj9SvD}=h{%pEV{8y?+#Q^+ zbArCK@crYy2*PKWweSOqY{ISLr+^Eot9Hs&e0B{0OMNcpmD_2ufZxYaa+Q@J>@`Xr^pZb^V?menoKKw6#IZWqlK+XUM4o$k$%dq&w!4!;%qE5x=u@cLtj_(dsdkofb`i4;!Bgv z!{KL(l~h-@Apmkz)wh$Uf^W3rmB=s{FCe1up=i>;3~CU3f0QV&P)YCumK8$AGoRrW zi6M}G=YqcYR)mZ*Ttn(s!nZm=@)OF0g_ZSyp)_7S>d3TmH*-Y#H&mCOz=3rE zOVMIfy-^F@SAR|*D2NoV;j@phgdUzqJ2xmW4&gAGCfsz z)5In*=)*pLG`995TT%)wD7o>!9)lJL-?!ax1X(9ec%KkMCQ%@OR1+y~;b9~S5b$7N zabaNg0@Xze!g9$FreNskiE$*nkVlop5fNiy5DE@&vYPk@50C9~vX&Lbd`U>T*&CjZ zvrM)D-^;hCn{>$fzmSOT6hqOe2_OX(pfhc$Ig~}tG;IBQT2K7rn;(}C2d$RAGY=5_ zX%o%a==M)hepy)j_;SRpa`G0_$aEDf9vayi#z|Pew)SV^I}JxBns7`Vp}$lqR&N2s zS{fUyao0NTuj(Dg%fmU$9^t){xjHK)t56+h3`_$&3ZvEcAl{RxnfhZ#foNp=_G%0= zqT|SJ_qb1K`zbU9aQZhhPZMSvswjOczC9+InXCpF#(Ct#dK?o-SMzV+wUojSXRzvq92y!qn2{_P9Oz@lMcQ7w zfysjWP3FBn9VyP+X^5(m^!-v41zsvCwA0JgAi{cj4iv)>y=g`!;u1z*m1m!CilNa> z5l!rUUv;oCgG8AM1!N^8QefjxKFV(AqY$?&Ino`EtR~QR4>(l1VG<-JLy@k^M;OK4 zVx*>u+tn}xiLy9CXZ}XmWJL2ZcaxDwhErFXQ#Ri9B~!x#o0=;AX)oE5&#gQgZb!}l zTd*MG%Zi&$#R^73J>TMl3cyS_)<}o)F^%0U!s9rSNqnwzEUHuJ*wdaJgV0ftXMp=@ z0MGXXrS3QC#)rp^w;qx{ky~4$tgEYx+VUQnzXQU?4Sw;(ShZMF3|b>SGc&S}#j|fz zPbHPjfydB(nMlRcRJlXPyL7ZpcvR|&9+wH&)mSXo`*Cf{kx#n2{!|fjzr?~o&Bbjx?%W(Q|UZbY533=DY9Bk=ZsmEcb4Iz z${ttz1GAz&X-Bdyo(ake+fip37`&!};R;8gfk8jFsS1Cf(#k>F4VQl;Y~mNTpBmLT z;QI4}g(lB!aQ#=!HN5#)qKx~S!D__#-)~HnWJXcd#BLQb%NR$-2P-t3?x3VwosGgL zMf_7zr!`z)HxvmtO$d@J^wBjUKG!XSH{`%#bpd`~6f*AqNMh=V(s3xGe9_sG6sjQt z&BENWrG%PIxG|o#I!}YghQ-9I+CkNnpSh`7fgsNh8Hn55{kcv}gI|S1OB}%Ma+Wgt30~HVQGKIjE-4<&cu(~{QBr>QW zWoWVV9o`8WZ#P6xnZ(1$)|o3=rE>T(<1y+~>T06rfdlJveEq_45YnM0hh@;VGhdeb zrU*Q_2G@ynt{#=(6ciSASpzN*els@DY_el~FH97JOM_e2zi5%Pr z;t{x|i&xN&X*SFT!!5SHc*81}6NosYZ+2{Xjl@i^nxmRHV3MbNy+uFgwJ;dka9Oso z*mU);fT+xpKfouR*R#syO2~#_=MOW)ee@sh;V#l8w}UYK8X%uG%S5%LqgWpdXSwf- zgAB7H9Yt&20P?*R#mlUukqUt`l|RlIpjMwVzM3o7;rO`%C)OQMF1o)( za?u|K%syb7I>es1xRb2lX5`RTHOcFGZr&nl7Y$${@G&E4T}Jlq%H2{prX7%e9&B-bop+KHFJkh#~U1YPPNDMlw zxDg)bh0KWBL_x&pDPfqr=0h&Tkc*4DRca4XxyW%-Fe5pd0iG^0Y77>Z@=5Qt>Qc;tTA%Si2}|K>4Fh$Z;sO@I^YhNT<{Mmx zAsh9I;13Ff6rgv?HBPs#JB9{~1gazgeQ}4-1*0zn4aH(wjPWFg{9t zYW}ddSV+|%+40Tb&6nI7v5BjnPZMezE|o+CF0yUhHkNL z0j76tf#Uyh0f+%Z=up>0%R3CRdz*B^;#_4iIgANE9_8;u-yH%&MV0I5PRl22Tu#{5 zfXF0`uN%tjz>d`s=K#z#HTb0V!!sa1iRpJS>WlCWlvZ>YR}T`@RyM3n1Ej|b#81gE zz6h;`_9P36BBEmy zw%_Ws;qAurz6@~E3R*uH>eV($K0oy2WPxA>3l&b+kYM9@Ex!-qtIU6?=ot;mz?>^1 zkYzdwDJc1v>Bwc^LaAz_g1&jQ&}r(lSr*jZN^26h&YxOb!prZx^|YmmvFk#3Pw9HB zOl8>dWxB4Pe9wc3{_ssCkpg{ZY-XS>=}TbjP)JD~XX%`hFpJ z*w0)_m+r!|X>HCSGcMboc5RK2PQ7ZD5Uej$!^JT%0!DZP)jN=Wa93_V#5i%JAdJWx z>F?MX!gABvz2C$qq(Ymeph>;lx;gSbUCG59$e`u+a5MzswBEkv>K`~CAC{1(slLI; z7N*?9Z3klMFmxJ=I9Xs82d%UJeEvjZpDIHax{MdS+v_hQFkHU>h4F60FfvO&oh#&X z0z<&8fkYHj5v2Ql7^%%v@cFxPjis)DAkhmI$KAugl&JVSlRNg?%eTuQhL&f3G4`=;Oh4`j+L4-M{@&$V40mJGx4dcBzGVGAJDSRQH zFIa0E00!4A|YxG?xxiHdU~okbx(sCtvY+k zicqONkuTF+EO1LJ){H;l?vM@ojHsiIOZ12p9_^0{2~NXo*kBxM11-(Xdc8wV6YH(p z3wt1+{dU!u37i&eQknfNFtvWGW_hB;cQan=hwi`it#Ti0EWk{8qLo^7La7ZF%<{3) z#)ie8-eRGRgupGNgNNuJwoxPCyjF5MCofODLf}L)l&0T1dBK0zS-w{qlE~OzE`qp| zEl9e%cdsseQfDBSNTt1NJuI^J(3;l9ba_@Z>;2H78~Isb8qD4j90GBr_tsX7St(F_ zez03sT(N-}N*EpgiCxLunvB%(3{v?>@_^y!Cu!%&s&=+g)T}YYTqG>TNV#qjb;*h2 zDBe06b>T$rVZq7LiPI=YdudtZ-d_D08mn?OIQRvroXGlN!)~ z`0?OVH?h{|l@Hs4*E&|GR0fs5R}p~_=!AXO>xJdUAeL&za!|d{+g9a&94dbZ*YOZR zdbVT2tV(Yv($4gAxnfq-dJ;oIVk#Ev(Ul=AJ*LV4g4aiPowZ~Ce8dID9K-FTFs^Ok z_N01V7CnAt5-gg5bg(|UN`CI}ba;BRn9Yr#axTI5@0A!dppYaOp;nkkbWG7qx;VMQ z{u`z*dPQ$fS97fU2XWPor@D`@3*Yxhu32KiS)mBlLw{=t>!>J{Jpzx}{#-EPgDwU& z);SB{h*O+Fid55YN;o8KvO=8(Phhy-kYwB2pp+|+=0=l7dsK07zwOdH0n(x;itmlO z`>PG`LOxaaTrbtwq&^f&E^!$wHL1C8Foq-o7wS=mV+HlN4l+l^1o-?=EeZWBY7~=n z!WH)e#BvCNK10WDyiMg6(Nr*BHjhJr+k2K2%fflFSoX%#8L47zE|Sj7H8VW%E%)2 z3RbzzNtK!AlcGuyaQ9Pw<5+9KXF9o`{BxTpx2Sz9ggat>mC%Uh9Vr7yR=^VWB#p2R zt}?{|IGf6iu-Dr%1TMTw1gi7>20M{`K7J|8COzX~9W}?mh1xz{?qo)H`kx6nlOvHZ zuIb-lJI0+5j6U#YwqU7{YJdJ2%m;qA}zTjd*ypANGAz2-Xpp=$(7;gc0tcB)3QFPsl zLGkGm82G3oCro1rAqb-kI-W}{h(y{+Gy%%LXW$k8CJX*#YZW_)cmy+A@W`moPP0y= zZIZwd=NNb6*PD5 z7Lq~rDPuk|Jv@MHxa#u&J-FR4xnrg{yk?dmh>hW%?7MlojQhwGbmQ~FqB^;l!#l?t zFA(1yr#X}P{z3Lw0(H-ssdzy-b^Bi6<4KysDIr#Z^L=S`SyxGEBqzRjbYukAHH*7Z zBEk2x{jXJ35s_S+vqGmQDsBht7z;HarYCcNXK2g)c6lADH1+LbOh+|_D;DL+A2%iw za*ARKv&H<=ovOwq*hN=1cU=`$ZDUiwx)m zWXS$V$aFfPpLuurXjnpChZydCnGIu=URt?9&KF&=DCNgUna|V}{w{;Dts>vjM6MiY z+&_s~<-(bJN>f1{E;l3T{6O*)ccF+Ns41^bhP&}6Jh}b^4HqO@W0MPUh1007NW~|i zk5|5T)10#{XS+C==(G*jec)%UVFh}=Isl!5yA1-n0tVtb*83V2N)?nx;9O{F^oUby z?cc4b7plaUNGD?@DlskVG~&<0Rj}R>ah|WBBE~k z?S(WbJk+n*vvRp8%-rxhAJ2G@qbO4}NM0q8*1riZ?5UexZxzfFbr{u+gmX!&^$s(> z>vADa9oQQbU&}ZaTO(8XA^{;Qn+Fb#Ff>Oj``)U~Mz4c?yK1GP2rO!d)t#G&>p@iP zFj5z`3GFY4tikt^PaBP>MF(GAOrhjExnB>Cz!12rt4^^XM?=~rhE=lH|3-pVFT0H) zbSPr2Fw_@!3HoGr2Dc`^e$~QMU)c>G>?5%=l{j5<#hbzz|_;ZJ1m}({sFe9{B#z zC87wVQXbmeLgYe@^GUjqIe%@!1nCB9J7`&$_!pnF-M&A8Jtk;@nyY$V;`^?^RzP>% z)DnJ^dRjz?G*y!?RHG*%8JJv2hb)Hmwl06Dgr7CE(FfMR8~M-Pul7-9uH8FRIyyQY z*Xuwk0UQ=h7!zLCkL@Z+c+!kMZfsa!>T@zV!{2x~bm%#2lcmzZbMz*&QRy?mT><@= zlkv0aPK9E4>sd0~0&c>W1C6b0;!7pTuiNX$cd?+AF4($k9`A@DmAo!}2<2w>nz_%w z>_`?dQL=hhrDhue=iRz1V9#@tM!OC%AcKb@I|IQNU0qHsM38FvXw$Apm>YK1up$O+ zp9r7c3tqg%b@Ir0GcWShqOkRjnfQTs6iS@rEg}n!QDA(F7_<)BPkn4~X@ok51->is z?HQ#>mdJ5h2@@~{@&K{t$aM0^pll!vlm#Oya$XmNygkd%oE2KDxpfyvryw>2rf|L; zVt^v}Z;anL|KI2*b%_O48L=)2J7O8|EJ!3;)^+33U^%q+_y7Y@x#-0_;DZhJ+dc4>73~;6n{2 zp?9VY9dtAMZtV%+S1f}volU;os)70valdI6+_AT+X*gOh+DdmR=NmlfoYwHq=GW@P z7+LWN2I7Ml`9PD}qakQ~ipNz0>tHO{(aMFX9&X6W>{l!x7ZTD@Q0es!Ch`xOx_rKR89x6f)IVH~=t z_Ngl4Rq|t4@%HTPKh||t{Puijz9|9RVk0L$kj2l)`KzWQIt;ktJT<@(`xSOYLOmC! zV-oyyVR&L8-3`_)hpY2T-MI=rC@5orU}D;^ms!q>IyHJ<*h_1*NLaG`-fm#JPoS_~ zJmCClmd@{{@|TE~!^&@L0xR|$uB$EM3H2Y}DigYqkmOJ<3TQY6p2}`B5dzDTH`|+l zT@2+*haXh5y#lt&%;FCk4xd`x<*dm+sGVqE89)p1J^EISZa8EqiqS=Vj*v<%_zfeI zMLeXh$z>-Kl$WEx-f}iCQ5%zTRu&N+K_+$I9Xl2z9>G$Ez2mC?@_}H=2Pi|D?|Cdv zLZjpDGlWRdkLPv)rZi5#w)G120aB1Wa0pxsBcmt%EP(B_zt4tEj`(O8yFommb%PwG znO*@0rGdj5xOqm$1TiFp+{!1PSq)(4r+d81l0r$)K;Aump-p zG#YWgL zc`rdmrl#xtGx=kJvYCRF)lFKnh{)4dKUJrl2K-RI(U8xRAJMs zApmbrlxHp&12pXTDqD{I6(jung|~45#Vf)-EBT@)gL4<6Dh}VC54>Vje_sy}^bkj& zSTYin?6}xL-9vQ@Q?Vvb^9PLf=Klmzd~y={W|N<3X|4-ogmO5CjZ5?gK}ckMD_SSt-{s zL@YuH3x~#`SuSp?u;jSEM?AZ1q}ztj8|Y5>0=%X z1_s%=n$!MjQJ4@8J-XWieTBkv?>{|Z{dan7jEMzN>4v%R39RV}a>@ z;H_0Xy_ha|vSVV6&@8{TKK@kxcbRbhhx73P`Hh{s-gv!R_l_$27!oQDH+Y?P;`65t zNf9Rx2)MN`F##oV`N)^<0`?=*MK?h$*8P0Zkl`8%2QC_2zJX4 zU1S`-UBCncqgMpOm1*5kcPvG>?o}NYe--PATb1uki02FmAaCJ`m&$5@ak}wJ?-X$+ z4COBD#to=U0Fd#fayAxX_MIXcj@XjwTj+pt2GHa$tK;>rkTsF9{fZO{V^GXYtjs@O zn=X9=)A}S2oV;6DW_jexMjm?~0vI_8GD_X7$vzk02nhJVp0$jTd+71VjvamORQ;rJ zARDdFIVz)v(eT7rvxz1-hNlq=py>z*9DaYc#L!U&=|T-3xsNLZ1N$*OG4!i3&aeE? zOsdqmOOMWaK@y|C?I*>GCPX%mH1S2Z4E$9>Uk)gaEBS(Nmv`cLwLmT$%rSvMMq)*F zqRf$?3hBdSwa{m0VUny!iRhhSO2?Rc1mEU@Wj+>zrq3VjTV(Fgj#fgyXY#5J3p8N` z@kdZA&TYDg^1;FNg2yr@qP^)ydhcd3m#P^UdW~kSt368brjTwqW8QMVn!Pr z=Ii7{rrTimxu#I=7qf>OtCQ*5*m#&kKg^GYy^a72$al-2Qtb@!NR#0jc{RE@s3{^@<}G~dGd;kJ z5@-G~3c2<}5L;2j>>_rz+GL(~o;xft^`oS9SJ!NpTOom4|Sj8&0LK-AH9V{rg z6{tY!4k)dUDvNKiJgqWmBaibFEe0et6ATa82A@$}(O%CiHpsRdqsJ)D{|{WOsmD$0 z*n358E6=CF>4Or;fLFU~CHrWW>1_>1a`-a7sh?dro_|@h!i>(C|3LARQP5bWefQ@z zh@;kG-x&*Xj4L~T5iJa=x9AP@9q&Ry>J~iaq8}U2w~y11^#@sr@Y3)6V6`uGa$~kyTb5bd=tF;@J)Y)URjiui zDl;|cuGHN?c-_2k)J5AZh&kKkV0^ih|FgrK?_O-En!wM+EOllo>1LfR(HBwW$57$S zyY=ZSv+N7#-ZUF)Y)RzfGK*+;09#V#3*33z@<5?bf)mE`2n9_nrbaM{$LnSq$CF=v$*&^rKhtbn_RQ>M3bb7I}?rQ+25^9?rG70)}%&be^_Wpj4m_j*vCqW7CwoC<@Z^N8%`v?ivB=TP3Wk& zC&3*~!5k$-;dz?jv8GJsg1fkK01-#ue}FfA;i24rqE$$YeRw<_(8w$mWOhdYQkbeb z`w%#H+pi{1ma*JQ4!=trNMP$xV3<$f9u2G-{onq2ZhGT*Q59g9yq?K^K*P$4+2Obv zq}Om_+&$yC#*|0CeJoh6|Bx|r^?ztP>!3KhAYbF|8Z5Y52=4CgE&&1)T!Xv21q;Cv zEWshT6Ck*|y9Rf^FR}02-Mh7W|F~6DipntW%$&DRpYC5j-BUs|M{16;RZ4H(m0qua zs-F~CCpQyRCb>8NW!UJ&velrxU6+;M}^)Q z2ROyh^POOu_GCgTJHB0AyfGOq|6=|91ux(;VmIMdvmnZ`V;1FVV~t+2otC zyW9#G<)u**-Fx?l1Sp&qoOjIZRnI@~>@j z+>dWxWM}PLgaFil+UooyzWKTn)7`uRt44uopMn6ikyM5@p>lVjhC{y>C%B&IS`&D# zLWZbjkjAAEH*_vwHknY}{3<0XLJ7>iyAqc$imSf4#lE)^oZ#ceV=S$zwx3x^gpC(; zTL(;9*KUP2g+?ydsap}({3_mj#8bCB^k&GgneVdBezlflt@SuZEG2^jjw_2rAE_)V z*pav7l0wL=Mnc>b{fuEFjq991ukJ0mGohDzWAxUpPW{Zy;V3r4y&K~Lw-b_P>5`D0 z5*pn*`Y3}1Ug^Eb1*gL)liF#UX!YzBK!W*D!l9!xraly@;JonmJOI0v-vc&0(mJG_ z+~93Jf#%|^v;(u6sZ-jxW#s&qbT6BiFSp>jR4>hQU=q%LmV;Fw(Q6n9x8BQ3CP8p3 zohH@iri_8r`F@B0Wu)Kp<=C=*nW;g({Q`++-ccuQ=W=`H#(}ngECk_Q1v%>r=vV`h!P+LstaS zE8C~2^}BH;<6AR}Ttz0yHL=gHm~1ta8~rdTJ2kJcT1ajkU!zy98ph^AR;jbP<3m)K zB@OC2ri+P))tw(|N71ivfyc43oIF>U!l$mIe(AEb4$=n%%=Y3PpN}2$Hr-2y*W<>? zw@jVs&>l(_(u(U|l^NpB_Q$BhWu1>C*L#L+h(qJm`=cGPDGb)#@s{sCFsn;kFC`M} zx27LntT<#6=aeQzMEYPSyL*;q4%?l17&X<;5xiNh5dSt^BoY`qMxfid*>HXQSd2z+ zA)Qy^AV>1{9+}2=-YA*}y1)E{()>cCb(x@5uo4V|=Le-b`XdDbTo0t)EIh*-3!RV0 zG^7$K`Gr2plZR7x3l{D~WFUTG5-J>i?`rKn<* zteH@`P6?_ZYQ62!qkIu^1q`h~WhHA0S1In3nWVl7f@umse8LDOv)&I25nP>R5?%`7 zA^PrqT61`QZCmx029>fRDKFx|sS zLVPf(62if#R8;V~OvPNnOcvzou+OA`MQpKRMt*%DN;q&D7X-E<*ASOk`aQ}%jUhbN z_N_xY88w2ISKi>&c#EiIa;(3WYVWZKrP_2J9N3l|ES6hO;%FU}YHpPH&1iCS(qKGw z+E|son@j3?QqGy8S8RSC>*tM9uX_BN=9>i(-&j`9%Wp#|T-GQVUzDL+?u>B6hKq11 zUJmE&E+jt6nA08HV$Be|lOITQqJB=@hm>5T)J+$_K-bM4#e{<#^U;qsD9{(}J+bQ> zj96OwGA}40!z2v^p2hoNAp3bH22pm}tW9}Bl7nFoa-2a&KhpH_%@NmL z!J>I-cy3G?^BirVk=n%Oiq~n75kptyT}a81TEeM6X{3x09ZOhASn?8(ZoLq=)ew@+ zn5&{;5<-e&U|Txy$XH6A6SGS%4sSDan0z=rUgC2WAy!DZ+755k9xYLh`&4r*`rOKo zdq{L7PrEFmk&)XP4+JxExn6MU-n*8mOTG$y{W1|fhE26a!>pvw$;kXLQrM}4=?9^k}*2>h0=T+8&5S@nK2aNKt< zqn_B^O0TP}_8U>F8A3QSA!sFKTv_0K!ZDidM5Q6Cj-Z1vAACB6~~R zI2n_K!@*r}_7jXb)s|LMWoA9c8J3f>Fxget` zyLI?hD31Z6v*QC;9kT^DW`X5biP|zet&0k~Y&HriH} zUP8w(BBolmW;%0cY0>KYNU_+RUyX(4owLT6g*K+-@=febNDT_$k!2zfa&w_4$}HK+ zP7$*tT(a&_fmUlktjz7{=>gq2n9nz22hpwtuT4x2pgU8;oTr7=l3V(`kJ(kH(_ttd zF&ylOp`X;k#xDSaM_&&PgF?o@UtJ@X!NIcDW&idytZN!uL$hojvjhRzf!k3QR{TUuoO(NB>TENZ}(*Gv6Ki?`~H}19z z2l-|`ID-!>3HjJX+-QAX{OnD#?yFxa?iBoX`EkyV^u_(ugpoOjiJ4S@n$tG^AV`k! z;_*nTM@S%_kILt3P9$r-8GHJo_OAUSvY?CdNr(+2yH7Sc0(So)j)ks>sEi0%bYN)d zyFH2_`GvdW0Pcj+GYj0YB4omSss59I(CvDq*=gqc)4A@Ef<~;%6_rv-73@UR7$H#c zDn}t=si5?~Sxze%xR$WWsC=n|_yT6^w_a8?`nuNh&syN)$R|Hdk4MvRNm(hV@XXm& zV6|5Fhu6e4oQ_ec7wOc%XL_-~=gQ)IPpT3GK$r6hh=Yo(O)#i^fW+uedR@A zW4B}yWbS(~!%Yl(r1#O#8Jstkd8ZY_!huroceNp zgw+klHXyxNCL_6Q+DvOLl-0wxR(##z8?g+mG(y&4ha- zp&;@`@4NQRi3k>t2h^17eKP433O^Ob8BBaC`OFAt*`&gx2~p6KtYV&-Ne1noCv@fz zAHcokQ&ax6D_y>VOL9_$61O?5^<$l#$-He=3S<0Stp{t4M`r#(NCti~J}jfSjyboZ z_Yx`Ks$kIZK|Qpbr-`z|dSF?O)$>Gvpzg42=8mW27-L#2P~|QK1=xg(4ca{Bub``Y z8tQC%yFxrA2u7A?Q<&TO_;ftLyQ`Vb^{g6>M$jgHN$@L`gvRi@q9zy6LPpK*>BYTf zq5T{p45MwlCie}uh($Qqz*I<4+dz*lBgY-#euCcOydsx1*=Sx`l@?6z&FgHxyZnX< zw})jRsKFLCQ3n>Wv?J_lR1qol%jO^Pki~QX($t-Nt>ujYIVGAmTdYb-mfV#2Ia%6s zHnr}I7ztfSotD;7Oz!9|vx+NhB;GZG~tA)x39(V<%RRG_Wovl3<42OX9j)CxDzD^T2A{dy|VNY=j_U5#u zYoE3oi^0Dw!IIq}-;C*q8_GaALoaHiN>Qa#*X7~%`?efaI`yN{C|O_@_4D7T;L2M4BFAiK9oTrK(V z-G`7Tx54>ys*{RIDAfXQM=P0iYBu(7OB>d*2N+M5h#!84(Q<%W`@?F|g!Xd>`1$&d z@0OzKhNNL~k{7A7ztfpTlvY0GTC%ENm&h6a_`G|r(obBoyA##RO|cycnu0^|DJSl| z?aL(@-rzWs+?>yrYV=0Uw~R3A2hvW7Xew+YDTTJG7$0G&jrQ)jJ#Hvdbi>;ODKvva z*&UZelgt1J(KPCt`pn(_#aa;yZf?aNndTI6e(_d4LX&v!05K?*1G{p4XyvRn{!p-e zM33wRtCxLxr5pDAhcdi4L#tRWwTKj>(d4C?!#0lq2@>0k`ROJ%N`HSWg1xRuTHn1o z+&pOw_;(=3*#E>R4o|D7svsEG1d+QR8)6K-EW9BFR8Sj6qBN0jJ=m=lpZ4}}#(a71 zJA!%ZC~m4^Ks8T%BJ3J|gEL`@uIdMJd*2S@U{t~IQ_{9JkTNYKgZhim z3^ou@n_vPBs1)e!f*wuY zi$ius7mO;uqXZ|X#3M;ooO%S`^@3x&lY=9#2!hxkEe}vhZ*HY`^aVqo)^q6m`i1p~ z3&-`cwucYI$fmSWxy9TT$sM6G7gtOGfi=aMP61BVY1A6{c}eP+s0)cWkfZoLsccd| z96U-=@6h`iv5L?vS5yiOrTS;~(1r?Wr`t3InIr{@ zkBNH2`VM;uv>vh2*iJ3(c1IWpF;-FS-*lz-(!{uA)W3ZvsWldkpxVheS4li+%d#vJg%Ye>EuDovU& zsSI;-lRW9F0|YRa;lDt0pfF}@>jb14b&Fb{Zmp>-<`@m{Buz)3^(gOr&XKmcOGB5< zBZsBj+DfAs3+yvzpDIU_IBq%5u=^`xEQKW1+A@};kDe3cR5>=SwDbx8uz%a;ODVMf zFZ5pu9QnKCRi+O#*QshHSCI-dFOI|$%4hKfU*{N&V?DO=%@E*jB(JfhBr~!!AfB`= zb*$Tk*xcLQsc{JqoIQ7MnbCF@Fis+h^%vBY?I_$Vrp3w6)N6_uQ*Vi7;8<4!Y0aO0s`m#ukL{w+!+W~IKO-jd=Taq0mWesk zMX8ZvU2YK^i%y`=o6ilJqn3#Zj%XdCKpKALZUw91g6X3xn>Y)ZJ{4No;sm3hY-hRV zN)s%$3h8UC-W@hi*JA>;4F6MwCHS2NMfYBvtCgT=grw3Uf!k*qcvlQ+CxWnpAsg+U6tDL`vJLCc}1M z4t$WO&GG7(+ML=H0mAh@aZ1#kKH8TV;y9<4ktMVk)HJEd#{jf6JL0bQq*H1vo4i4C z@}X=arR5PgU&PbPeeorO@U{Kn*XGu1Id`(yr%aYw87LqFb;W*hXtw~vi?A<9XpFbA z?6}kgC>R(tc>#Cg=o@i;z2C#?2!Ci_RDRJ&(x={O;;G~RQ?lIsS*Y6sM?_9i(*i9Q zPNYG7#ll^8LBvOG5*_A+q+|?4bmx>lEJs%#qBONnvJVLK>=`vT4)i*_TKAjSudWXVgtN) z+9R-jl&5)<1eIrCB|x^N9vZ8-zHfjkPTdk*6eQ=hFy>Za%4J{``mU;jQ$O~Re+=2% z(%4sz)9YSQ1ADV4&VHopA@?9c1(HLR=*sd)I*!mKFj8%t(F34})a3C8Y zU9B*ZZ<)GhGt?Q2rm7%8D80>9&(6M@D*e<7D?j#y^%)xXiRS#X8rpMUDmRIXam9q6 z^c)PNf;v8>wsl-C)P}083(i4jm2jclO=MAYkwP?9O; z2f?q}m^V%pyPE16X!lZnU3o(go+XoD02kFk9mf!bC;k5L(fDf&yfdGHed)@9<4LS!S^dy`B1h0Ldu%**nE{pV$*2_ig!aNJr>yJv zeK7IX?R%J!1EyvOXfw@!<(O2l_CKYyM}7@M69zWZ50=d2(c{YWFz!pS#W;<}2f`wu zpFTn&qTtz6n)kDe;jRElcXxc}Xz@E{%+wZF?&`a8)m`KN8<#~3;cOo0w0A*-gvX6u zZht&#=eUI;i(LHyy=%zC6re%`z>AldwLxV=dI^L&iXWO3Xcwqw`u6&^+)TbDn}^(X z{bC^8F^?usp&mVo1jZQHw!NV3JlxUj)QpCW#|&nYaL&1ny|Tr5-TNVH+5psx01D8z z2J^3Hk}W;0c!Q^sESoqwN+>G z@E1nKB8KKicYnI6o?o9IxP)sw5C$#OyT;pEEZk)kAez|({)%)`gzBk)PNcxa{p-2) z^5JD$)~@?138M|TJ-@^%tY<&MkQ^SrVuAhWw97hn#^3U=3^;6Q=A@n{|8s81wQ@XZ z^4Y_!sJWgqe-Iq0OsKO5PJ_dXesg(SL^X3wWJKgajJ3OFiBNDO*Q6N8~PDdeghKz=b3OcA>}mxouQud)TA@fC21@{@US9{)vnIVxFje(O*a~0ZCH& z*T(%Cx9%;qyVqF-=DIqAEK|R^8Q@i~fFMv%b^E??lfg?fLlG7F%&{6T;SOk<4vIk} zfS;bVo0?U}VBZPvCQ(e9G=`k8>{EX?2@z2kF$lzmnzsWRe?O34I-m6KO}m#?Ixr%Po?on#wKnDkAGIm`xpBHEa6S@MdVn#r+!+D*3f|GjDpGc+t1g)MH-xh87#w#WWCf!UKF!Kp({<%?jV$OeF+SSju zCX-eR1hA}#eFFNNZw6k+W~5y?EWc*&LvV9kO1?=g!G%JN{%v3Yqc;4fn!b^9-mx=o zZ4>;@W35nE*PR#Zj*-Dgp7vKO!{_sjHJcgIICyZGjM;vJx_hP649He>E~B%F?}(X* z4qpB_tEgfX{&*-v@x8FI&vXBrV^qtcP-os5!wvkzBKu03Kt2nHX?_9@G08E?|Eh-s zb*fQ5w|hBsIE#v7d&ba>FvDsLHVMYX@856hcbik^e|gJCq!8|cirWhrsM&7|=mFL) zFpSkL)t6HY#<9Fj&(uy0q!f)FN!}NNto8V!W!H?P|%dmllx>m}0c7+2WDb_CHa{JeOkN*cMKm`-kQ8 z^z)rO^uW^q4fED!O=4~#M#SCzrr`j)*p?MK+=6eK8%xf+Ee5u^fM`iuB~+0%E0V$1 z%v++*3wYUWaW`Lk*Q7k*i)Sm;QI~wqv-++7oJd9xIsm$yt&7X(rc)e2jOE&1;B*S{iIvJCDbQ3=Ntb-6G8wULs)ja#FNFW(5uN%@BHV!W86yF z`_0S(f9e_Wv^CDW4IGo2>4)+|Aa1zlBBi|n?zTPo6~b*jJEVM|ARO|dQ}+7)t!;3f zmTT5Oo7M~p*i#WO12~wPztw->u^i??o(>G&M2H8l zD+fm3(&;XJus^{5dsmk&|9BO=$^Xr6aw1z+oJ5-BIOL6jql#v3&0os{dJ4PWWUczG>ee>c98(l6s`mXsPXyRs}tPI2h$M}#q7Gy z(C5P0&N>4B@-^Rr7#sf# zg$dw5-ZWR#iu}Ffty}Qh_k7td9s+{kW<;jhK=jCPe=)T*PcI$5;9NggW}>8byVsZxN}w&fW9 z+`_Tmnw&9_e_gU2u(y6Pz#p1FZC)ogxNInlhxT=HvIBsumwyM?qK&Rs4Srk)<1YZ_)b z1UW43K-KjAdOHHrt#dfnx2#yHuC+mSh=%nHMV(!oozJthAl<19 z!$y{WOrM93Ed!q?!_sf=AFCRL1tO&Bk8RYN6{NJ#sHld*cO{Nboz3x%4Wwmi1{2Lx z->H^2a~MPCym7Q0LdeV`=(-cCOze|L{hY8j_zGm(bojak#O7=7i1i>^`(=iporG+#PVt!wV! z@Djge9*@&je5GL~VWjqze!@$5b6ZmHAva(Gg5*K8bB?=p?s@~Nz0V$PhYf#}hR*^nZ+YRCovz%hrW+aA_bL^q#Kt7fu7_OO8)woj727FB$#_Y-fPLR+ju}!Y{2s{$pgo z6!)Ms4&81G3Y+V~vBSaU8FY5rM0r|+;)$3LNcYmPio1sW@PlEIhUFCW=_`TWTf9l#K*VUDd&7KFLm|pai^3^m@2|oJj$<7_Hfk&bvoxqS z0(#d)6HUnD07+B!oa#fJ-%-6G8MlI!MBnH2JI>g{eF=`eJL|o-NQ5u(gAg{qm&gl} zJ8t%?JWMYst~neMAFa(z6*E2Lp7N|ZJEB;r84 zfgqF25G^>#%wB9OXVw}U|F+1EDC@9=sb*)yU*Rl~L4MQgQPsj_wrP}5^*ib%=(5(~ zX>$XI*3T%dOfQCk?TFn%q4h3z3a_no9=|=c;$SeaCJ4r*>tKI*4$t~iz<2r*j>TPcb5KB0hW7hiRQq35WVb85j=jw@pG#_Xsovpdb@Q{#|=ZI zKwjLj&quvcL&YW*J?l$g!a-ImB8>GfmN3r)UuQLP&o9*0T)VjJV#2+rK|5`*3ElgEOahf4&?bF0 zce8=j2h}F>9$7nLLt?e6A>LJKG8aY|edbY0cKP$ZAMexQVyT_w9bvO@r8sf?ZK z7{VjSVFIrWa{VHK?Q}2zp3^*^M>dGCGlCwHO{*(h=nyM@?ZmaYU8_ zbk4pS|^8{FK^C4*>wWb2_JaDfnL;I=k-4C8_`Fr=J zrx5e{*QILI6Y{hG{1lB#M0Q_tZpZO5$kh4EqGUdqef=ybR$Xj@^^@v?xc zADPKq_EBiE`riEQrEuf-Kb~CgK{S~((O^k4WuFIv|VoZp{;8h zr$?6vV<^02SXy(S%RodDORlCS?NYNuAune!tE0C|_ngFV`vHyhTnk5lif3nelS#u;LvV8GAy9R< z(JX6k-uC>R&M2naQqh)EQ~nokQh022g=i6}39`={ide*S)}!>D7?SiYH3u|I)sHxJ zy!=rw1zXZ}7|dqC#Tv`I#TZyhD|IvdxBz_>X?F?s@O;OnO4>t2^k-$Ho$bwY1Qc)h zOK*NE_~&j0KKRfAu5FZisISf0u<@TufLGE(#(ZS_p4NhJG^k9Hp!}om2KUH|Ts2v) zS7k#7Vj*w?t_vF8uZ<7d6aq#9?3EeLvv)uuD4EQ?Wdb25B>XFfIIZb1`xRWAPhn@b z;fle$hc}!qa#6Rk`yNkmUo7$*{cn)g3Izq6eNH;?JICVp0A@8^b?K|_Pc-{gsQhEl z0-2R8C~LrNHV2gr2$Q{$rnqDI1EZD zQ{ZZW=Q54_u3XM|bmNY$=5B#b@{m{N0D6hvt%_4yrmn@T#21PY<(tvaSxeh`x}h&r zegi;Mehs*OjKm1X*_~`zi;_v6KmubL=J*_N%KdP^0<;H?6`%=cE;6^};R`%+HH7eO zc()Mi3Ze+)`8W0Qwt2ldDH;(q8{yKjgy^|FVLH5s%}@lKv*d94K_3KsaW!Hiy-~Q-P)x! zN?XZr*%h;r9x^xf^+)6ky%uV1A0-D)-)b`v(RO|#6`PR(gInL#cCW;D7jj_LsJI{7 zk0gc0X^j-v?MwD-h1`N}KkI+;OE&~#uZP_CL32}y_vK#;0@*(zprsInHc{!ZvR^^D zzNw%z0kYX9r=Puv2){Gu7I_X}C;*4aPH78n$WQ{ukHnt$!^^T{kmpmHfiSxf^u~a6 zv2*CYiq7)4r|ST{`4uZZnS_{kIr#OG zbtHyk{rmCjrCfT@!xy{6ua>7WSd4nZW@&(x0lh!=)#Y}|xmd5(k8vJvoUyL5KC7;& zm`%!oxS9daL)5Jd^~`DEs~|uNhe;GhgX8-4HTa!3`2t8(8El@LDu&-!VbB%YJJk-G zt9m{mo78a(L}aERe%vPkG~Rb{2-Cf0%hnNS@M;;*y4frJ1oRq*A+cdLQ?M!de848q z0!jHyVaA016GzAVjQDFMhucQ)J|2+JR9ap53-_fx_LgpzqG|`ECDiCxHS^8})LO4_ zOK23Bg4fZaw>IL`>(a9J+>*wytaJV;AqOCmDeAG?qC0&MuTE*OR0hXs;{A(4PS$Dyb5xQybD*7*U@ zWo=oL9&Q>c7x)r{Ki3_WQ@vCYMj+fT7840@Be4VsWs@U~j}Ixjp-P715MpVFn82(% z-O8^0pPd#zH)gYlZ&0uk4O>o#Jou~-Cq*vF-AtGimy7J|JZgy&TB;)qBslozsiE^% zdv=biW`R{-f>mTaNNMSwZ>7m6`_m`uj6=G4(9N$slLZDHzGFZXvA{`qn%?wtp3+pv z=&K5h?wLje8--~G>kq0A7U-C0v6Knob%94|Png6Efu<5aal;1IV9kvVf{MQVC3UwB z2`pJXb9_f|i0g!mJ)L$dJAnbJKcYB3`#s&!a%lmcZT-*-p?{IcJIiQk>N-}AXn9rzwd zC{q}up4Mq0bi-_r{&FHWnZ&owB|l^@zuRQLA3?rtoWLN0o@+6ey)$gL&nPnXQ-12{ ze&5Sm8@`JR^gfR33h|m0g@0OtOuK;$L-pgi_nlmVcu}G&d1C=%F*oS7eYx`Dt4A(( zUNrFmf&>$wT?+A#{?0`O>q_r^`GI)?-C53tqaI!qy)@!z?1*r>$1J0~ z#LxdNEB(|vw@Uo`ypr>7E;$bgtw%L^IdM|Ib>MEsFiWhM)}iB=WIdJqrP5Y6rAso4 zz$_M1!+nK1llQy&9fUxq6*87k8+Fv0#&#cb%1~$oK4Bstd5(P4|CT`Up@ba;KHpaB zL!l>#OT;p{jO+O?%$kCz=Kc3)XtRxW2U8ZG`kC+LP!zA-1vZ&tLgwFQGg40kM~u&(jujqGxGsH9&j zAsK2IUN4pg#?=wVvYa9I29O53UE2u*N83CF5Ug4Q9hS9qt+lmtP{8P?Q|7~gh1=Q% zBbbubd1JqzV5G)puG@d(TVFaLGSC7Y)yb~yO48eVba700$El0v27C*A9l)}n>j9O# zq#c|yXFrPmpC-cCc}$|b5&c!s)F7f)=D^rWD=%if*d4%GA!kS|Y2q*)P)hI8qk)*`7&k&Vv zg1*vqL-+^!jkRbYz>>Q8X|Ve3F8E#%v{q>Prb&+W#)E_(m199Nrmv0{rCVp3@ht&m zCmp-v^;3Eg0=V+(9YD_=++D5EK`S#KF=9OM#j!T;;CY9GXfa7}*P>4#lQKN>Y=fYmuQ=tPhxt zgyagAcH&~1XGu)RXjS%)XO=FY@V;*|YW+0E3AnLJiYpp@25y}oHvw%BXflUXz`cbt z9G5Y2Sc!lIlh8U;k5c?OgbX{36jxbNxA^EjW^0oynPEnSP{v78U1kR)E(c`xwI7)x zq~8qDe%OGgW{HIH+=17##|f*q={fMqB~K+TbGWi$qcj|#`cyK52eM zf5Jn!&cDhrpV0j}I>bx|-m8C_J^O41%pp#>IrscrE|lA9Mb43vGn@Gl+ceI6a3 zv2HRz3=rf}MeV+7<)st;)-cJNeBlSf zac78uzgLp_{6E{MV`dmos>U8lPXZ%{uwkK{!Rw%XB-9B>64I~N!V)XUKX6E2L+$Gcpd)} zg@bPa=Cn-6oa}fSQQx;+OY(OWjQ&OzVt*nF-Q^BG+G^jIKy*V>3Y6Iv0SN#bFO>Kx zveo$ykuB!$$o5)%;l8t%{m%kE&35=%#PUfq1j1te@7teYz4*VkTF+1|51KWxmkXCN zpDye)H0+5KTYniFDK9K{6kE2hS^8H^8E7Gp`zwELv{re?nPdz1&8*b_%`CwA;kKKO zfr5+si}4EN;!MS=9|RK{z$+Es_MF#A3N1U~t>skEoQPe^t3iyq=g;VCSizefqox}89Y47HJX`(YR585Fz%qCU53$MQ`vDm8OmN^Hjx=8KQ?asPI#AMQ zU~@Hgc1-{0C=moK5U5V+Z_56By%Q`xQ5A&e&zt?P^taF&7zru2-ijK1Zu~Mp`QHky zbsoX%SYpf%1ecS~+txyPfl-NY*Y1KLWtv}fC*Qmv*`3p`Z8?UDKM)Wb+*FTkF(fx- zjPKjH_?$)EC4Syz!yU9ue7QE#Bem|@%y)885Hp-FJG;M^OFuPSWX(ytl)XTJp2R9? zfoHxc%Os{}Qj^hjFHe26?ts*;qb?rDV!iObhSBGs9ng?+sQd#UN9td*zGKvHKbW?9 zO)^*H3s&<*iSY-hDftjw^Z`q~-wGb9|G?XD(q=l`5tmGb-uyDRB;91#Tw;02pY6mvmZ!f^vl;J+?QmUz^V+mnV z4)eizO*HL+LTNkIQy7$W%)|ROdMIm)Zl(Gk%kd#w{(OmA4SJyq?cQ9lHno zJWoo~>?;Qbpqo>Tn*$@Y0=8}(RxxVt;EU*0>6mAPfcj6s9H(+->OZug-!rh6vYt}n z*4J#pF*S2ceQXN%5D>ly-q16a2wE5D#Xj4v@!=Fij7QGLpdTIlA5cJw}Ht1W2k=D0v;{Z2=*q&C^>305j2!jj;J}CqHmc=)bA+dfJW9Z{^@b^Wrebz*pM|Rnz@yDvD> zn5sNFJzk`P*g#ZWCv#s8mCHR-$L+aU4b?(9j7u9^^yo4Hg?y9{8mBJ^7z5UQzN>2E zr4BSL{ioLL}-7`=z?r&|VmW6qCysG@L?>l5Z<&)P1#*|^f+%GR zfN8qGZ~#go`j_>{0GPZlWSyk_u-6FYqWKU3kd!i$@*h%sTQH9szU_8=m^-Q)r%&jaz%30=%e z5J5#u=rhD9mJ;o#I+U=|donVj9Xfe6C}{EbX9{plfoLRXBt1i^eG5OR8hUKrUfT3< z4xI}6)bcu-ZKlthFJ2#Thd|w>`!-|QBVCC&AsYh4(GNS(&4SAihhHS0O2DxVa`JdJ~#Gf|4|-37?=LN-bg{ayjxFp1-w!$ zcsHlA6RCNASMb*yEfI3({>9PG?c>@h7w3FzMY;r)d7f5|0@B4(>0VoQWusCPi<9qp zkot=JnAqf=@j@~4Uq-5{Qn!Cq64Mp&E#npHauP}>6Ov;nt6-01s+#<o0X@x?7AiHpSk`|-4D$Z7lMXv}cs+O&tFep$3fwKEYnWO|_sf$h~apfR)=d;-}zNquJfsxxRw!0uEz1piLiXGNhIoTM9O3t+P=hUeY+8vL<>GP9! zJWe?0;&kPH$w?QXV(Ct%9_*AiSr4aSYC*7mFaw4GvD4enCVzWzQqm_{4+#slQZ(V=NkNkz{wICrKgN5JD$&Cvtr?)O-FD5 zFlBVVMS*68LjFLmTd9fW1l2nF3Fe$Dz|^#R_{6^JSe{mBsZV(%p57RK`c1QNPsQPF zQ50dZC6`c=`hB8r{vj<58&^%`yz{5S`GVCY=gKpv!6;&{(;OAd}f z^81GzzIN|AKt!}ro$W+;p}Tp$NgI>5Hi`4>a??%I4O1;F#me5drgR!sDuJ4n&hVyx zg>;b@GuTVKYFH?~g=9>X61{rcFf>2lO#OOR3@T>=g$tGMB914Axy6Ue|9J$j@}j2e zi-Ytg8&cnCUNo11J*&su+OunBnwL#P4lae}_zF@}ZnZp?h~ZvSJx;N21T^5QRP%QV zYrS|e5X}{Zqbw4w6ewx4g&P$+bVX6z#*+Js9qe-GGZ5Ww*i=G_29t6EgHJjAK4w~m z+)egY54K_k`QDD8LWd}a#cY1B7CIf(N$)rD)4jx)O#b#T{2 zvON7sO0k|Z$Zel?2)yYzJo@I8_&b_MO1sTq=Q%RahnkOdbs`|wViV@jkU+PY`UhB~ zD?7G_2bY-6b3=_GNwsl)Hrtt=)tf*T;?>+uc?=})fm!+O%VsLMPUd^}=AaDyMLX9% zLK;>%Hzuf3FG;ual;jlNOY~+7)CvJj^v{)0?RPaK-jc^b{j! zl)RWSbR-EB%5*sUSU1obOHgf!7GlGdZocY9+WcZ5& zIP$jXbKVR_g%>Xf`-%kc7EpcdDU0eV;O!YKwU!3v?){o8#^KD{k%ZQ(i)sSA zc6dxtOR++}!{2WP<~yHp9@DFRR(mekpPsah6_0_xPNIs!R-A|-TTkZE7ie2G_f4)e z;oa~HOX^`~WV95RtD>-ruE)VsUpO!qVlW>Ua0?4&Zxdab7e2&C8-hZ4A=vThSfX*mTR-d>&Jxu5F zc_2$F)ea$QcnDz3UU9!d?!S9W>af`z98Vce<}q0`eKm(Op$UBbO_`0`d|NI5tr(x{ z+uZ%^FB)|Z+$!d>JSY=EEP{|DEZs^~p*PWz2mBFZM9u0PV%=E6s^PA<^IA=~xZiD+ z47A+bImMJV+ILyesaU5_CF(zNqkFBPTqHjahfTI66Rjeni`1SKnMsUwd-V=SMusoi z;cFrEP8m8r(H|B-R}2~+S<}H;F|hGG{lt!jBcHs)s|H!K2?ZBB$p1 zAlihj(TrzrgG^(}I%n?s$w4e37Fk~4g??lqYfV9U@)EmPkblA+wPD)lM$ViT6~XhD zZecUulAQ07eFYa=Y8|R%)IXQ@6D?KFB%0})^#K;lL_mUE7wO9!tau_G0~0LoFq4!^ z`q$M7QY@Ejp&}q3b3_OV6bu ztaaT%5FohEMzD6;uy|&{`H;D5+v%TLpw%qr{~+nfhquJ6W1|X+g)tw}Z~ge%((cX_ z&PGy#%rP%=`e+Zwv_A#h<56#Km|50p9P$UkkI%DeG3nV4j}LWrdKoA5&-I$1b7Y{Q zgqp6ISAtcb^VA{QC-8ho925(9Y84ZxBYN9NHp)fG$Nie!;!O7(mTd=2M0RNvgSPSt zsDcE%I>{PGH<-QEN#Be4($uJ8vTSfl@L~9Kp0%yaW){4C$#KmetE3pz)#BfHXt78V z@3VT-PE>n+i;hi3>pV#!B}HAX>ZIYZzFXww<6KI6-O!&28Mo6DA6n;O=;jaxwu&$^ zlpXZybqL%uFTqz%J}7NR{=HcEjYjBPP?+F`yik|o*?zAQu7dt`I?h4Sus!?Adv`3X zZ`|-$=~yc7FONT=emtH|8%Ctp*EW5SWzg$+zP*$8&4)kL@dl$#X{F;?NCT>FEoAXFX0WNJSKi#l6a6bY>l zh346r-FR>AV%2HbvMEn4Y_0GI<9ISxCo`#)jFoXseFk2}K8_{|uHDB72p@k8D!1v> z%Sj5D7L!pC32+SytqH~ApAzrir};6MbNtfWl9~C`T^b%)BIE?@Y$>FIzu%by5`Dq%db}YGLqpQk^Ntwh5znR!47a9_(vRKYR`N3@Ult zIcVUeryO)z3=xw?a>F8ui#QmFDG9#)vk$Bn3IX>n?au0^`7os00mUqSTG7iqNThle z%Yrj&o=W7OuLOK>Go|)|FFX6<8DqBv%j;4iE1Kf%K6Y_J|J=Px;)@q~n+x_j26t8%4=xC%?vF6H#N$U*dx@7+7Lx%B>CwO}Kg?JVeN#>q~@^h4%99w8F%VE<;DYA?ahi zslcALl-nITIbUdJMmCQqD`F!T8pZNqiQ?~m6SItYN3S6Z!;~%25+2N-5hE4F2HHbf z70sf*-jhk`ZVL9?TS`X+ZABKwNm}#sL0!kM5_%m#?^G2yQLscR zss8n~nX1?MMOJxMCPiJUXElAcTfG1&jfVf`4B;i}4EaS#g0D5Zs<^}fa3&lSeES+- z-RjQAgUyv0i=e`k*pZ{J8Y>Agt>}Z5+5KPQHqx6{9o3}$FXFuG)GG0mgktk}1P8ub zoq|#qjdiJi3|p3d4ji%rw`DBQmCn)H6M-$Pj5}q+q!9w<&kegweU08wt zPTXb(XWL6j)ayf%_fl2mL&u?jR=a2b>PPhMna|!95xkO$DQW{)8R+6x)O8q`XpqV^ zLAR38Y7q;tRC5Ss2Vf{8W6+7glztHO9QIp|iD#2$G46{E1g&l-UdZ@*dhh5R+7n*4 zbo3(JuKO8=MUhIGfPq64Ttti2Yi{$rk)3IN?^loOK?G8g&9yC zLQIs9y>a3y?z)gHKscfoZ6XQp>jIeKZb*93`}fuB8aSukw#=-~xB z8KQPp3Ii%^)EKUzxm&PIKYPjQ$?nT^{UxtV43aWb);!p4Qu$s)Jdm`rdu^%CN{LnK z0(Pf?ple}Wz{7}`ziC4;DlDqasBbcm&CjT1RGfVi(v33_It3$>{DGjX4Im5s$YnT=FhCl6T@FW$U_Sj<~con z?k+eYJPxtYhM#_|o#N$X7Y`Zd7@^Vb{iQ>4aN|hI7lz_^zrSt0tstv-%QmvccN3q^ zqs|eCTm%v_;U90fQqsdYw@6aHL53W2GF|qL@B$r;u^u?BFb;w93@n?Fwr6!iK6CGq z*b_H~;DU%a?dZM-8Q2!RZtD2-Vm3N<1poR4v86W(5`vAvvmuerFt;6BzTuD7k7&bS zeV*x4JaO@^{GFgpVgldyjlA*TO;kD+*80t**yw1LPI*zN>$^0+*GNlDP>~oxP$&2- ziQLrj!sao-%{ca9D($OX_ISS^HuaPk`<8&-6{Y|Njzs=-yE-3qB(FAyTLlJAce+Ea zVpSqnx`@R2V8;DfwT0&fh@OE5gE~D24 zD*47(ij6YF+wBi41i9{Hu5?n>usd{Gw1iA37{?#_Bk(P+C87>(HcA+wZ|Hev5)cME ze1Z}Q`jR&hwS(`rfS@^aWGTeTdB>7eU5|5T#z2Aln(xv-_>L7Uz{EJ2ZW(egGRs^l zMwTEb8%D}3pXa5uqL4fVf82}JrTjv)i;a4yFF76u<~yuAR|b0sxF$C>G~qLFF{s=E zt>12;vu;nJ6v;SpMpnSMSnOe*n+9BtMX|atUj>ioNa-Wyo*7yVpykT_aeVPe`7+uN zfOeF;C{X(~U@IHXx0;H-BG|)eD6zJ@h%tIZ>@bx)~w_ z+`43rvqCom5Rfr4H=>)1<5~52*M0v98Iqk}Qz16fFY4EoWh$ z6Q{yHqK>sgpk9B0vuRmu-C!$!4$j&o zY5&mKnb3&t5_N~x)$IAw+u(%b-1Z|7#aR&@U03@Gcwry3XkV_*Kf=9q;B{pkF%L7q zLZX;c1S4gcEUD2hA^9*BG86N-=$@{LB;%va+3Ajp1YW5MYsT?@HjOwhbp*w!ndxYQ z^<#ox@mNc>vI;H35RYk9nbejr7amVu;UKMtb=3&|#krLjA-tJp3(EWP+^TQNHZ*}X zp~Vd8D(Gk5?&@!xfW}wHn?-ezZgeh4w9uMXkvxWym?5v@_ImTor&gOrb|Ym4R|g#4 zVs{TXvN}fG^ez?>jG+#NbGi<%?WJ!9s(Q9g%xO5qhWLH16iL;x#uBxu^tDS4C@Iy&1;h@0|Gv*+s$-(5#6FPye)-0Lk#bZ97Tb!YExE&3vn!=uh2KBv;Y2d_4SggPTie&bDZa+yf4QcOo1w$ z^@GL7gvLo6`@Lw)LgrG0dpcEkx6PGl9AS7_rNl(8w~-|}ECW zLyT`irSLwHS+C-gDm&|o!w0l$18cve99x~uv9awT1E}*g3CWDM!xj)8c7E++lOym9 z?cfc6AgAvV>{87#JK-P6IK=16@D}iK+!G3KFNEss?k42m zm|GQUNKNhh$_`U*v7W_t&hPzguAF*j+Bx>^?6}Wq^us$ny`#}u@fpvf!1qE5WT8Ud zZbN>>C(+-nF~kv}k}qrCsN%KE^uHBMCw>|ov<18wNRuPDmg{J4aF4MzOk?weOmV3X@|yI8kcmz<8G2I1kxWo!I{NbC3| z%Gc4Ag>akcux8sVJ<}|ptQCsH5)IR=Jd4#wt|8$*@)`8cAE5Zkk=qljv!8O5hH42H zlr=ve^E%x^Ut4@IIW6YTw`iWrEGx(wTUi{|?usne$(2_{ffYG3i#-;LfFi%?i|GOi zhVN^JKOqQ1$Q+n`zE;ASczn$ebs3Zs660APMzz1$fz-{}P7+Iw%cUTzqxkCR-uwFQ#FkE~z5(l#p- zH4Z$~Tp0rOl%YHEYwDnn{=GVpUQIycJ|ofJ=K?tU$oR>B*6o-5tRexz!zI*)ibL!n zcnyERNnaR~i#Ng(%#hLMm+kssQGRGHV(tfK)3e&dt%U+a&>~w2Wh4w3uk`xoFJO8E ze=ivyNI0@sxq#1TANY0p!M7=WcT3`<+1R&NrnfDLkAwPv-|DiC$WHq70**{UM3!YR z7Sl?pae;GFif1O1)Dg$bQwQNe1~vubjrxh+?IT0E6g?Y5?em^^>!W!84a?E$P!i(+ zn=N8~UYbyEoqvJbZZx+zlTk~wq{M!a^%d&UU?FKBLk8s zy|X1~W02e87Z?llw68)NQJwa0_iHO2xfrHlM26t2qE?SH#lug}k}8bv^f;9)xAAxh zP2<1jvV<2UEQ!^M6!8XP@g86gdgUe#~=wo z7q_tpQVI+M2LbuSpj%bm!e!Jm*E?AU&%mwJpD|>4?~JX|vQ%(zSQO{x^D%R! zhZ_6K_mDVqXUtxWh1J=}#2NhipmZHAwJ?ZkY7qTT$01ScG0jPLv*?a&J(9mgXhj?Z z1@lhU_~=~FJ0z{72S6RDo6#e1aD!SIoL{=B=vfG_eq)TWa=jG~87AJcIKH+dxoxlq z!bso2TTcGl59<#BZa!(unl0x&^w{~2Ns}HY@JkXs^W z^gGiWmG0nzkj*hg%#k8BhtKPHz?br1zd8}j8X_}cpUNiRd~;m6;^Z489=d#Fhn)DB zlf*UwL!LZPXT8v9kEOKBWu&X$(SInHnP~eVG%Jh4?F=l{@;uk%Vm<;!u2%NBs1%#h zkAq%pwfLumaXLN~Y?zDi$^~og|YDHCEFbH1Lid`ZRbdMd7K#O#Z zx*~A|I!rK3CMHBildd*nE)lY*CTIA*W_Y7tw#iJej@%~L-7fHZb$|qj4)1f|3=Yh_ zWon2?uEp=13peX|Hr_4Qw{nw(03LsL#9T{vA_^8i6atc^-R@&rV{Ng*Ahg^VBF}sA zX2n})7{%hj1w%CLK|_i9&YAMO`Z0|8ksp2{N0H+edJJs>9??F7|0W^(gNrz7EZWJDu%?$Sln^jTeBJ{C~JQ!jI_mlSnDy6G^-E-<5 zywvw-1|K96b2ock#EIAgxyNlYOwtM^G^<3uzc3J-$T#i1utEL2^m^LQUq#EzpUhNA zFlCN8l2Ps_N z-w^Cj#JlZOcQ$JVu$Q?WVWzs%t3cPNJr}n4qAPK!T=Rj1ND|wVX3Fp}M9Umm_Rfzb z&V=Cc!=+pqz-;^)L}~L)!9^Oq?mAK(Cn^g(PpaP5Hg9Ny0bvIKd5{f2U`2VcBBhT+ zUYP*Kb>E_Dvrksvg>&OTc{nE}NOULZ;G%M5Lj9SO zkCDf+`ejB+ssX><1urmUXPk9`gL&3bz|DFXuM2U^%ca~F0Cw!xR zn}iiB@_iYCjjLrhC=%i3-hlZPs#`1lT>M)pslvOAyRTxUz4**66e%3PNZ{y(sDU?RhTR7`#vME+V`2R zqgUv6FAia^L{%LFQ+!R6;@Ji)ugw52h3P6!l_7Ma5-T*F3kkl1&^hLOR&&U*^~No5 z0v5_mcXC7~a9mbbIc;B<^4slKEBvsLyo{0CQE=tsIhZ3AxrPdRcBv zn1fuNoYx=WAS8|T&d{1$J5>XNS>LOG)uKJ&>1ew5d?}oj-3nC&WEeV~gX&inZ473M z)u71r5^tIt>yA%OrH({)(Zo`2M)las-V>t)VCx%LD5B*|o%#B*kB88F=$kJ(QKr;; zXKk>BM#2=lEx4C*E0)Yl`Grg6`8BWGkbqchle_NOaG+{~_C0BzrSHU~#L%=ULCD*~~xFZ|qDeVafSYt(rU18`zrKbuvb<{M&7mE9+L zgp+Ik?5h%UyuE*0d2=9Q#+KKfx%jZ_i!431G2{y%MFq>G+@txvt}(36o3`bY^nJoB zAso)A+X1D@(>Y?s(SH*0&;0y5RpJGFb{(3lKEa;oi3W9PV#CMiALbE%iiYaE9QIRZ z5~pCtLOwM^#4q8ok_n$#fsZ2as3kq^aynpr4p4x9R8I=vCF)nR#4}S<8hu}M6iLXWt@RjL zPWz9|!Sgjl(0K1u#d3ediLc3GTF;o z-E5vZ4wUVJd@SZbN>|IZ- zb;;v%P#)~CmdC|+*7pgMr%0&w2!rYlUut=DzXmwvJAV?5d|3Thl{|9jE|nOp4UlzV zxEmT*kK);74HHi^ptNqoPj={O>4AiR+a#{OdkLYu5wv2E(E0L*E1WKL23q&(=SIuw zhPGTMobradeCKseCOGD7Z6=FU!?A)#^*puZ4!q&KypxKe9tuJmu{OG$5pSqQBn}SF zW%boK_b9nAE{AyJyT29<94h<8yo;r?vA;-zayBjbK3+ttD3CwNO^}h@$tg~IfJz#s_uf3lFQTa_$>P)b#L-NOWo^>tGegiU?^0t1j?Pgn69W*U|IXWUez5@j>}@4bdU8e85Sav=mhv$}kKe-kR|EED5*y>_N__HVS2^z>jOp z7Sgi<=86&}PYyBflM2uZuTkwK-d5w?2xCU@)Wr?X;MNSam#>gZaeK#zWCRy(XH4c> zI($7JEoGc3E=yP#` z<-5Ey$e1Mo%dKB6(Fu*h&B)(ol7BH83=V5CmvfJMEeE?B--8o6Um?@!W27>NTVN8m zn?__`oxLuriE+w^h~opR6q09U5d~mKb^(@ga7YZoBe8@_;H=7rU0ugmvFOUFOK^Z= zS9T-m+xPX{C#u9)T4=e}=RPN3t!*iL?Waw8a5EQYh|gJpwX-OhR4by zzr@-&YLW$C>6uRmWe*&vrnk@5>M%L zQC#pkulpDVlZ7nVXq=spF`_s5VQVgwcC$p&Ds@0As!W9K>kUPDfsUmRzBp0#Jc(_v z9kfXSECVqZjb^wrcS32d$e^8|#F+k3L>y4bM|4$3jh7G`I*&(6E8UtpZZQF?(W#Z4 z%7^OIcH?8pt%VN0$DZaCWgA}R8T^-d81e`hljJ3|uLSGzKc=6gIW$|yX%H|4wtf3% zJmGo3tkGx(o)-2X>&H@W!wg%6^(b>*qt_;>NTp56|477>8hVIMT|>bn=2Njvqci%2 znazU%tcHjvid{j(?8+X7!SJhBlV^$jw*(TFo#zhV7mDTuJwvjOw5tp>GS{dGB}*Xk zIUpeEOLqxYg83lhub;2(gz_TRktyOVeC~@8-qeXanaM!f;ahGL`(n?2RI^1-a31@) z-Bv*{Mj)+O4@v9$33^Kbq7)%t?EH1c3!}=GjewmRDknia?2`K+6S8+P%b?KbipF=8 zy|*P>aD>-nCA16P$t`%^zG81un4wN`OJ*oI3b}3UrRwH*x%;KP|CI4*wUWPLp_r3>@WmhZ5vs$nN8?VsIkMr|Yr z1X={5>XaqE;;&9ehhvbRZ5(L_Q-TF_-q^(TM#i?{+gdAW^VDx(v-|~9YGa?cq2x@R z>ZDIRDZ6Q)?MwOM<80k@?suRVq`+xsD7F*6WK+k?QI^)A+2zb`e6=O@E4zD;MxGVn z(0uEXwJ-I8w}N?#a)4_Wx+DKqecR5;(OL4`{P?B=9KV0TTylSPFgDcEk_R$Lg1u-p z+MN2r1)Afa#8Nm9uRiJvDdV8Vd#q%C+w7swwddQ=v8of`v)UD~8!dL5!%mM`GO~@v zx<%^r==q!YEKyHM8ZE*#YC_>*dn8-V7Y&T>En(+6Sjry&4V}FY1LK8Pg}shuu%ggf z+Z}&h24tB#O*3}v1~gu5`7cs4Erf!62_1Lg8b8zpIjyaHw)1hr2Qh>A!T$QIl7P>Q zTA3ZHe^^o;7u*z0vQIwaHjsjwePf0)I;sY^3W)rx`wxOe)l$G#3}SQ0Jt)~zYB~p( zH;{~=)P4wOY^vPY*b;_c8Q=K&RBm3_;b=<2F3^z!jb(kYh=)Aiy~FsQyn*wiK)dK< zegQsl+*f_jM9%u*%t_hJ15?3uBlu|p82VH$--wUHp}upWpEO+0M9E2$7|7Vz6s;(L z-5o!4#lfuX)3!gsd2z4^N;t)x8cn_KF$=uTnV*~tIDqJw#XcqDjc)9``F)FEDn=TT zJ1LOJ#n7;4vn-}nnW+}liFBsJ^FiVacK?GWW)p)PxICnfAX=gy^K(0E7iPnkoC}_u zxcU?3eTh%MUP#}3EoU;dg(|lrDivsz{cZoWaU9Bzti{m8C40%JwrVqRPy=Gi{hNSb z5MDjOE#)NkcdbeLo<<7`j?k2K&Xp6FE&Z%0kI_)*URvehioP4*^zubSW53@->L`V;H!X|*jMF|!vyr5wR( zErC%(-ddJ1)r}$cu1Gy{7MDoRc{}6b>g$ioYqA6@Ux5DXBcv%o4BEkTJ5imwaU}7G zcUIMdqg|CGPYMdH$_qHhgQc#QGLJHwCy6(+Vz8JGQLC|o~Q1xnyTLno_ z@q@`M0;?actzQ!>k_1Y}kLX-1M&E%VFG>DGFdzse))woFkE+Ifxk^{TCnufM5nO|k%O5T8ylST;Q0QMboVnRayS4lc^n&d!IvYu!SrjD(FE z8Q-A9`Afv=D{a(%isq4YSLq@e!VvWxL!g4PS}q9%z~fjQrp7bnTdlSyvQQsKMjVS;QmY8{#aRk+ zsVS(@zp)y*wN?rTbM4+QXqKN#U2*#ZQsGOE*oZe@a5Q25p3bBV>aL0p0W` z>mOKJ1jv{F|8Wl{r%yN&&DAFjPu~|eSH^5ia1K2$41Wg1rA?;q?*o?o8hs<+DVb

        _ z=T_T=E27N5S{PqSn-nB1=pzQFwC-jW4CP`qs7Zo>ipf~ss+T0U@H25AxQFjt=P!Jq z6*}?#K{ChLstaxX)mhX*gN%i;x?O~Io?g~`{5 z34^?M*YaDaw^^*5nM_w#lTXO$UTs}*vTij&_+|!kUyWiIVbc$ z@^#p=ALl$L#DBa=pnF_q=3};@BgaS&dvLir1b}~5VC(+0`^P(0^J@=y_OIQdN}%hb zxxva5a^@RZ{Hwls_Jidg_CJ5baBR@dD_lA6iGc^cPWAg`BJOut>I=jV+tLxXx!h97 zN+upYT$iDvar~mscJNuXaQQQzSPZL13~%JMb&uN$SBRbY7%5h1nHg##XYWF$BIZV3 z>_)nK*q{zfLj5K0F;DmJ&zxIPC5|6AgM{7Lf33WanxjhK6knj7xhRX_8f2hhc$=e` zmsMA&|!C4NwGH3GW8eUT6 z_2qk^oV}fNepHYvv@JjGT%lonD42dRpQXh|6_CDf{QGRcRU#zLTY(H394!WTNe((t?n?5KGA;0?tN}G zta|W{L1XNTVomv9&Lxq`a({_%z1sekB*R)S)gvSF}f z*n3#+#AD~%N<4cBYP>3mx9^5r*PKt>Qg8pd`xXB6+Sih=^e-wh8Z$m+WE#VaGcsP4 zsg-HD#7}wDl{gNJ9{w_Z<5bNpm)a|!DePE;4skby@Gh#Nvzsk94!WL_* zLQ`1qd&{B6UcXkaHmcT~t}(Laf@)ZWm}>r`e1nDW9YWgGg?0RzUSDkUY(FjY^z~$z z8NU%`7p`YEbgDOq7<*o3Vyrmj?P9q8YF%NyU3&Nr zM@$E+w$zlfcgHuUbo_m?WwRw;D?NRaQw$rBwUd3|KFW2*YR1~ik4ScPW)O`gjCqZ& z8?8b8UaME_RQ1-HT2DGpy4cuCO*t0o*NvJvRoBJW4F+WI%HbHK>!t5XM?0@Nn@_M! zcskR#l(-P4f3Lk=E1b}uGJ^_C9Zg^-+^UiDA@Y9m7dZtvM1Wu7%;Ro#YR9>>UTO`B zijFd*M=m|~v65qw)dwni+RCZ|S>(p$kZhJxw_Mt~uVSAD`fPf4`AlLw2lP9AlAS&} zh2hv`sAY0YBBp&n8DQ8E2Qh#+&K1XXCccjgs<@JqugKyr4G!Mi+Di-=_45fZ@h<|q z?I4!&ao4alBiLrqpE7NrIJbO)sIRGAD_X(R2u_52DuNUJ!>YllG21Ye~ zX6o#x(3Mb=v(sU{VX%iO597mx!w!A|!*XlZj3!IrrG`8rJVOb$dAKKn*NoN*pWTzZ zRm)o|r6q9huCvNSt9$fD>Bi~?{^G#98&|bIhX4BZE9E0pmY;*G=)oK+~#Rz*s1icCN`6ih+~~khlw#+=d?F< z48$m>Jz)+tKwu;0|Tm879EnNdE*kT)Q_$s?>ZHEYvz9i+Prgq zTdHKiaxwz_wZ2HR6o2^)jo{^gB7R*(No{b3pK*_O)QV=IvM8-6$^U{SN?eObLPA*^V55! zB4c+_nbF3JNc$eEz$$wW93znrmli0DNi)6Yb5~gCxH%cRGp}2&oI)N!-t#iTc~&fC z8eTDcXE;l|EX9)9~Xg~v}1g8SPCT;ao8kybI>uu}jr*qfU zP#$=@+}sjhw)K0n2R3PbhDZ4Q*`ku>lJ9%01S9iUgPsx~F%Av3vG{{HWGl*WIl6JA z$q;gO>nwznc+%4s_MAGC;eg}2oO6)h!qvl%iN;@j16)AamE~}yI>h>)Z~1+6Cv>X8 zJ|{kg`To}JVsPu8c)d7LSrp{U#$(;2uf@1GV_gD$Ng0G}Ht_1=LEl2RI^iafL-wTe4FX+8MQ%Yul&t9u80C0Ul;Ai+R0G41Eez>5`e6LcF{nq`wwPkqcSw!e8RhGhzKfNx*BkF zgw6mwa0JXn*CLT_dJu9N=luyFKvMg8&O@e0;dYT_d6&KIcEcOysGsNPB6~JFx$fNB z04VQ~&j^4L_@YQgg_QO~*5;MEt+qBmkaB$yKo#WxI7hjnqCD6r4*=lI=QIEH3=QD( z+5ftxmOTCChy|bs0C)gUfBf*JAJy8df0n+_vGT@1_Khp1Z_k`Jea<5#BUvNKQkmFy z9_nG(TP?0#7A%-iJSj8MT_8S>gaJ<_tUn>tEIF!NAZPcKuG{H>MMpkr^NVW!*1zrlOil z5yt!fyZ0I2ya|{&qo8u>Uj zr>S7KgN(;C{>^d@uADy?0z5VZ{3}fKK$YlYL&M;PK`T;Vdkjfg& z(2w29pHF{&=BLomkj}r!vkCk+0a=CBUyNr~Wbj*H)Q*@}h0*iz#&wB~-b^+^Qm!6# zoEgYlX;HQF=0?sY>fyin;}1SRKXc|stkt1g5$hDZ`Mb%ee~r%3To~Cv_oZ1{KS$lGI|We-$LYal3*4UnS@NIj=soGOp6iRgsGB@;63{MlZqUgDs=U2bHk`-^{{)+!Il+99^-SDsytR> zB+zj9pmoQMZINgU#>pzTxT-!V53lvFW`0xqGjG{91Krob<-9U}9qImhG{R>)_P97y z;1bsR#Ee%a%qPONW6GTyZsb>rQf*h<#YHYeId$?joi!|fE+^aXQ5Z z8CS{txc`;v{_hu|I+V|8ejBeic>s0Ym%*dJJ{*joEteGQmy`3=pU#S!gPvK|7tE&e zd+7?z0I&V4NqiG}W<59I*mtw;RX7bbW;&!agCj5W%$B?@n(_u32$fTrk%M63s*mO8x($? z1}`isYVmS-9`g5mOQ`SN1gEqT4Wp4$IHT9?V%Qx;Z5Q)N2DT9b+a}nEk-!=l1YJLO z@=}klpF^)nO=83UjF~iDUv}5=&KL=7*$Cm;lP6CcUSah#Z)t4eM+s>R+MZOW0e=|`jL9=VZuRT>Rzi8ZO;7HR4ywzxg~NWF`@JBmKr$nUAw zz$RzhJHkedY;Y2P|MMH@?Z$UU`C*ZCnZs>WE~ucBL{j%LaB$gek?Nd$>W}z-j%zt& ztTImcFeHqgwlnw`x4W8MJeco9!ma$x>inrZ(=Iofk{$0XXzKBIw=I30GvTIXNi%J;4khy?h>WeqT*Oj8 z*jJ-i2A<5&`IWBQ5Q{H18AwYmH6tQEjhijNPBynWxE|qqpJnHYxek4`X#ec>!fnfA zn3L$LFXphd?SVkH{nVx-^A89`U!ATnTxw-sz-N&9_(gvJ&YUwa36*o}zqH`mEY`e1 z+TIP8=DzP<7vv`T^lzf~v*P88fTBRbhCuvOi%#>g==!7t$|8HHOjslALd<%Qx#fH# z&mu1^2k4yAP4(o??Dt3Gq&D2w)KcjELa(fC!$P>7kNPfXcvZVtUn>jta1E_&)BASo zstUJSG1Rx1H?mJRu8CuyBwf-0TBxPuy0sXlp;2~SMVbKX1^0`nhQWEY=G z$-MbY-{{6NVq0f_oJKSpTc}M#_FsstwEz8uzqfL=QN+AimV{L%Um^$M8!~p0+k4Y_ z;s{+;S!NMaR@;FLrb5MS=Y3+2XcQ3@B>K|O5PDRAwZ2RaBcd533UwI*bMQ75}8SRt^@Z737h=7a4Q=u=3Z2+a# zCo8fx@!_v>?{Ccei1rwcmx7OKgG=;WV)-;rU@#n;ay;QB$7|&~V{uMhP0JchfkKL_ zDab0mZE5Q@c@Nb&btb*S9U*S<#eAmN3QAN{;s+^EY_ zX)VljNtG&){~H_?nsTdh^_od+U>~KX=nU9Mdj?)>)Q)aiqt`eTXd4LVG3$X~Eoz1oTh(KOE?j+?i3{1vgbZnj+| z70xAAISn-DTWOVw7Wf7qhyr%2(oRG7l$NY!zN+7zFaHTDlw{H%bnIEAy)-oU8vOOK zhNgYd^!fAOib&r9POpa5=mi(Wfk)`{V<2YmYU{}>n1w#}Kr;iuWLIsnZU&mUT2AU? zk^+7&EIVG~CdXFy9ZWglQrUfi3cBdLpY%9Q;}*LFuMBGF_*?u+RRlPqOO@czLBO)HE&lSuHTWtF|p;otik^UXT0 z*z8e!`TEWC7ENp{|MzN7bw-=%PJeOv_rN#S_rrpkw$JH_@so`llmsxh@r6ZpXMCT2kq%?G2K{|7{0ak2M%!EXB5BZhF zI27dTbz`jqu6LBhVNHKoFniVRo+%mSJ0NrrT?_y)tNAwGm}%v9Ctr_!nF3uG2X#aM zIX^O9&3Dpe#AA4|3z)jtT2|#n4mj&+naeu|{x8Jn=R^}SYUX=zFQncO8Yh#dY_v)39#vl;ab<`z?T%wLZ-R&t&Ix4W$G2LJx@ z1XG{sb_p5%v!(EYapsW@lg#Y(ex-$8TRI4F7St*e$7yy=O%Y4leniC2W=iRLT@W^F zl#GGT74==t;~xMY78kXkRQ4`+HOAjiY?RZq-%Edko#D>%bWA!s9zl&#a5eRtLmai( z7?St{9n#D$FQs_uJgO@SB!0DpC_{XIo|nSx^#pI@Dj&{d*9*sQLU|!yR=L&po8+1> z{CVre3<}S#^+NVO*{$l%M5ep}{o&5`w^a+qW`KLsl@v`uyQ4klLo$JB9)GjK=Q3_T z8_IfEa*$qJM=<1kI%;0A7;S@D$SC3m9(7a_Bs}cqoaS}PkDWe{iOPye58P)8{4|CH z?rJLs;cLXM2cpPQ6$o;sMde)mzOUvB)J90MalS^wkO*31J$;~Vr5_qa$G#U|IoCSS z4$mcjIwU>w^bSxAZ+9vc6R9s)ziE0Se-Yd<8wO!iK@?-q^K#ZO;(Jze6#p1n)HRxD zW}US^es|Z`P{VhRG|PmfYYGf5%HXs#G}xD!RIhEopc~(*-`tH78#HDDiJ0F|Wo%Qx z?MP&Bo|H9p(DW;cnjROC%S;@Haf>xvK_kEW=*i5?Y3ClsE3IuLobxms+ick$7+?D~ zJw&i$%uzhtxZTq1zdhx=!rf{1!L1P!IdYK1nVjj#3-m-Q1qZV3rBsBwagt*zt6PyW zq=UnaY`5T=Cm3{La|PnBZupc2gjjsld-#AS`2r5Moo@tCK21KeV)W#1eji}do4)OJizlgFNzgcS0mi{a?A*!H7N(V3 z!^P>d-^jbG+^NZ_fnvVJxk`NzVG#0&o*5e}LL(F9f3&`_O(S|4=mHJeUutKGiV&-X zRma^WqPaoWIfotNo3Qw%)&p$LwBxpvza&AQ{81v-+0#&0trr>NopvBM=|s` zmrN(D{W?y=op401)r0pj#YGXHD*8*On_rYC5tbU14}WX;r$+rB?8JY^A=o>GR@VnV zP|bvlIdBIil={!LB1?ZE6OIpFXU#gCCXdn2DL=8yRbHTuP`q6XR~wp|H*To9UXszf1J@gfCsPLKuCKN zE?`~N7xLp37*DROSI3#d10q`EbQWSvwTJ~_lx^)jodpY+&tAaJ|_#3}>z_hST)DgZx zX7@lnMB3;m97v!oC@3fnGB)nTZew=1N%yzCbeGXy8*}c@4tOlLsm`{@;{pYn$tPf* zNio?=gZ$Xq+r<{aU3{2QuYPqW*XQeFA2Rhix&40q^a#Rzt!Mi1-eF6TeC!69wxwEX zsbP~BXaWl4x~O!TTO2!1fd33u>XGn!=AhZi$d&@Z^$%TXKlBXAT`U|_J~Vq=Y3S^VBd(v zVy*rTd8owgp_w7Qh5bc=wjZ0}u#-`FK;Xo?tMU3;8KmIASzQ5wsjL;RFS^Aif55CU zDUm3xycpxL%P`L0tM!;KeBz>Re%8qq(WfL31mxXr*Ny+(a^ zmp?_rvmw`TNyP&o+ve_5UGK{T;DX@FO74*|KcDQ$AiHR#T^mMIF;K|9%7pzwY}z*Z zbt_%#XHMUXow@Fh_E-F|QJJnV%Z9y{zKPruNm`VXnzlXcnNyh;SiOs)U$vmg*DZ+O z`ZtLCdPc+|`EdFJQ952=3hLSOtF5)*I@&_}oi(GHM~sbHKE-ZLP z+p=jLT47QSN31WKv>?s>^7ar?q9Vw}q286m!OcxH$rirhHcJHzKH0{kP78$dx@Y>D z?kFqML^BI(I5|ESz7%(|_LfE*`;8T1LV2kNwlz-n3;#=VQ_&f6;95jPkAa+S^YPw@ z|KT2v1>}#Ct1ByR7bPIT`=f3Z7tv%0xuRHweH1xg=k}m5J_KJ`@jrK$yb*3!wK;fq)hqf#>j%7(Ye{2j-IPJ*Qft)uRY>E=v7Gn*2BAO^syLQtrkLcu zt~a1vGWmXw#$rY;Ik^^}+iYU>O%``LcUmXgb6U}zq`948>vZ>?dC$IMeF#a<5nj-a zD@XAAeBiAlEo=|C-G5-hntm=_^gw@)f6@rZ&e9=+Re+q3+_zyK#VV?6HM(joJ+X4q zGxqr#$}DEdQ@gVuG+mbtyevpzYp|8)l1~vQ3u(;`Q)A-%aqMM9>Y7zx+i%s;5`hRX z9sz8Y66hj8Nov0D5i5~9fJ2Nb*Y7XrqSKP0hkzKTZw;bbrN+r}wA^yy-UP%95<9rX z@=hXf=eH{6i+!dq1*&DYEKz_iZ>Tx-U-g=C{DX}Su(-WFvKfKInyiSdHnDNJLqux# zHGc?2-LPKP7LJL_L*LyD*r-0r@fb&!KslzN5YOE3@a+atxQ&ajyfCzB!xb+y5xB|s&P68Yd zroSL^1?ZXEh{I8+-fDJX^4gz(UXRX*X+oof7Hm5%VJ&qkUo~FZpBy;j>fhqBpoiu1 znG5|CimIhjPuN@3)75tReklgAGap^-(kFa^jg@Kf8ZIoLSKeGq5(jl?vsbEJMnegT>N9cQl-6TQ60B=@Q8KMSG1P^WC2e(|U^_gV*aY7y&K@fox9=wYL*4 z{tE8sAWKY3L~*>@$@x&%*~WtUyMHA@*b~m2`O)A$MIkbGV;)X!UvApv=Qc+0qHFlL z%|#XqnL9+M*Fn!P!IKTxA=8-ysQY5eNQ;eTKZW&qA(|p}ywfm1L02GeBZTuXYidv> z-!`cAA=o$OOaVcloJ1tYk$Elm1h`+f4@M-_4^B@qtwCGm4ID(BV$HfZiLXiwjj zRs8))+|NhQrDna}GR+J`mv(YEj`>}bdl{Pra^0U9Gl3omAtuoB<@0^nEgA{t&B4cgP1d1BL z1^yZkjOo(HUSKN6rCZMn~{|R!AFt!*`|tG=<)POaq)o0qvkN* z37)#LJS!vGkhmETdPIbXQk1Jh&CCZ8zfy-F8;PjAqYNi$|EWG|+IN^~ZM{xKS-we9 zvrn9^(g80ou(6P{tG~KWE^*FhY;!+9-d0Mg;bcuYr)%cDw1->2nD>6=h^4Ob?n^&1 zocLmz&4jek%FyZpoynLwp5tFLXg)c_QD6_8kAoPyph7^w^{`GQ^D_-ztzkEiMN3iK zV+Qe3qJNdBQf?)jy98ViLwd$`pZI`C+AYuqk&h`h-Yrg{_Y%U=YpK9s>Em&qzn^*!jqR|KM_(S z(272D6F#}xEiGL^s>*w42>CpPHEaKBj_>J#Yl@W0UY#iDxpYZy^La`Iq82tbaa3;B zxKj!vqSASElp6zIrk1QC{KEFLCvGkKL1T0E7+;!;!a?cJDO5);t{x8c+idh9(2Vmn zm~PE_mGXw3g0fxpCVah#BV4RK+xO%V44>h&>Z6^LvUYR2Kr=1CMO(OyVCHv{OV;At zix9HCM|)JJ>I zPNY7T?X-^>`IJ<7m}=sZGF7PdSA>54MelBaJ8dhyNI2vlTt=z$CDs?cUed1CuX*)E z4BKWkkm6dp!iPJ1;ruy?xxLm#vLN>%p2<3y3mqbf)wrRk0 z9|(aO!$nSz+w%e-|K3dzZUBAWbRTH8hRAb!PX~>c^pB-rx+ND|PHC$)p}V^sDS{+q0WOkDG>B5QB5D zNH*&A1kOKMQeL*K`;!CGlFiRu2+ha7%R04vlMS$qK~B)r-BZ4h23m)u=mRBi*Oe!X zj@rP)E9a-xf3GlWayq+3!*Yatkqs81!m3bC0fpq-Pzkk|Z2F|vcx%Ub$AOXi2TQ(!Y40`lwO7*D&0ky(4YfeiQ; zOspeB*gEG8%PiiheDa&zko@lYxJ;R;9#}DeVsi-iv>xm7>oP!~X|8_p736qVFKQsr z$M)Oz@0U+I{&nrU|G=QxBbS7ewUPe2?Xl8RcM8~AN-7W;r|Dxpd|I!G58cP<+lwlY z_Zbuv>_8szI1yKb>t{S8N;Ep4ye|L%;dpbHtf!Apl3qpSR-_3YsmY2kS_n z*);$fMiuv^3ysH!X>%ophb-VbfxYtUVGQPM+he6Lp^dsKU*{wNN4vA0qYau{d$A*pl=dG%NuPP9pm$}=60=ZYV)S)U2vai+lToD8$*?^+% z?iyT2L)we$1M;tD+)h|?%=Fn=A149a#jzdiZi#FF^UBXYh*YEPH|xBayE*N<=J1+r zEDiI$J9t#-QE8o9rDgRe&~|+A4XU{}9dDr6x^eTSgQU)n>gkd=;BbXS&zT=MyL0bY z0wZIsq3daJz46 z77pHBWs;t7Z_UV^-J4LP<&?g+^Jh|G^y$a{jx+n;xA2c{=06IQVG+?bO{lS(Se5D{ zw;}~ko^j+_QnlVfPi`7uQRO7VZ*_xeE=-j^sM%_05wy^>^Fg^zH4u4iq0f_QjuOR5 zZLi5wIz1wu2PB*JxXYdTqg@u(;nZN7uGd-xwD z?&pkFxv9^dG?-oil+z4Fj&sXg0qFP+xpZw7b1A-vf;4X|j0EUK(?~3@{FXRwh|N}> zu9i-AmNwNX&gB zfH~FwP8EWG5Rb%w5^!fF6TaXB(7mlOQQLWFz=R&Oi_&8!}*zea9=lo`o?&uo> zJ-#GGQGX&YtKwYC+AI*5s4KEq5lzPI4X2uTiL7yg=3?ZgO?#I`fQ{aAJp8%Q@q7p8 zXlRHx2EZX?TYAbppIwV)S5N6 zYd-lF3UJp{Z1gd~TbE^**ZKZ7gWXrmM8QpnQ+85Bt8CV%+6(}wj^9Ck{Lnb64BRt@ z=wNetgV^fih6b+F_5H4M8t=7}DdfQ&ZDB~u>wrL9-wNamkwXEd5@F5~oQ%)}&HJqD z8%790yq?%@KzWG36L~SM26CwTZ&AqANP2G6GeeiZBhX*IZs2@8y`x^@w*{kFE0xz| zHN`gSne#UR7@GZNAJ&QHGBAvpgXW?Gjf|$~5oSXCvo!;r6)6mz_dsNb45)3^r{u-z zdex2r{K-=5(_Kg5JKl5!0$8t6(D-q2e+sGWyk5DqN{w%=%L*QO>6yW23EU^`C&%^= z1K#<@#>{!>EfY|Rip`|WFR4-XNj}YF6u7v@;m(gt`On`b2KOUdnw|{5K}qjS+619K zB{508DN}S}L4U#Y%<>~ZvmTwEbuE2Aqf%K!fNlPm&K0V;wxuF0`Ku8I-4ZRpLrg*( zXFu~8){aP&_&X>nGU#yT$8%rDhccIt%;mt{2EmaFlr&d0P)^UhWN|d*_}yN+M1_6emdGL$RdS1t=K+t&XsIP5hq zOy|X)SYT67{8=+qM7vC;?v;_zC;6|MX{l}(EsQgiI*0hmYW7AVI<1U4ylM_v#x*sD z`;vl<%-g*ry)E=pPJ+}slBGA+BA4&gO4aT?%I(MznDsYw9Os=-S`@NScX6s{FXap| z@q*jsdf2A#^*V0G_m901WBH5e|IlDm({(EQ8ddSVvu!rysN%aFvhlXt4l2xFTZa8X356d}_t%qeoJB*DES5?VU$av=kSBM-?1JA*T0CMK~;)5vze} zk9t+Fk7ovOmo+}kUw_dtoAUzaT~IpfseG`Q#B6epV!!Z-lNvXbs6&ld5v7`n=qbi~o^1>_EU>u1J#ot1^-}69 zZ0~!?3#3;B^muHuGYYAE^6Jk}fo9&~Um4Y27n~yF4ULbx3HtmA1Vl$}i$HYJP3Kw8 z@}4ax;)Ki?f7@%E*e-J#!}w@P-9k&}Y!j-g3|Fq#ts0X)ow$S@TM^^G z(1tr4)nXxv!5jFt%SEim&B0|OhDH>8nWgZ&E3Qs3klW4X*})n;i~4Uc-rM&PI+6OnH>Rdfo03yAPaV-mlwS7F zk47lxe52-g1R&{cDAc3q~T-E63nO}Gb35XocKwXd=N^3{qu16*m)dfhO#E5Oy- z;!ECUS=F|u3eSA%g^-%D9Gesy&!hd#V(qgR=xL{&n_L`Cz#_Im*u()V66duAS7fG? z<3U&Xu(Is&PUX)F?2%sm8b>v(ExY690)Ux2+Sz}@PZ;a{Q^-D7L8wF`&Ft!YCVc)e zKMpuSv8x--mM%U)m+L41AKS9jK-!|3OQ2ElEHKm2dM`I1Yrptwk`o`~)j;Uz-CMYe zQ(7(r5;(vUzdn+6984_lB6Z?RtX?%b9mh3%IIQb8ajNsn$n(Zn6FblAWGBOQsXSPmX~v!1z`Mfwo;{w*q74u%CBLWS1+})CdNz zoDM22b=z=umx(_8e0+Qb121QSh=o3mv5g!u{#!;Af8r|*>;X-akK)||)LqTol~JK> zIJVcpD8YBE_fxSK#liqQ&0%8-lpg-Z)%CR3eANTDHRL&0NS@8T+us9*Yp zAh1)vNikiQYt^g?4XFtXIq0f{g zfaU`IQuIDg(1Uj*@;C59KO|XHlAJltL(Gvt%?5UtJ6@oy{7cJ#($gU>b^$c4v-lpcQlEOg)55jj~iq%vHbt@pu=a^I32FPc#L zMn||@yG#8nKQB6VenFY64)OIsmL83pYceQ9q+11Da!dq=WQZt=v}p_B9?Gc^cTxn~ zl5YziaEwt9Ex)MUoZT=I()HL4nay>}ZA*pre+TgYEyy2K3+=Bx>psvYx+?X3F0ltI zB4i5P@^{awC{Uj4Dljm1R!Tz_-q*KLw<*)itIx<1b!Y=C)RRw+WP*Udo@zCVH*zR= z5{e!vfvh@e8kamV3>2DbfKA3>$RCRG$MUxyyEfv=``mK8iAzpF)qbuN-v-O0CkOBH z7_P^!_Y%8YKj)$yieA1wP4#uC^m!o(+c&<`&NY4F(-}jR4rjMXM@wm$;-j8HH65;v zlZAOEP}iPa7kpm`)e6s_H^liT+>n_WhgO;aT8dRs=w=UPB8X98uY8C?n!n334nj>0{JFX0F9xKuvMF+lx z&^h$|-h+~0*>YhzXW@`2mIby^T7=C0I4jc?G1H*WS5RZc3KKlJ_i9g1KT+t@)y`ni zI5VI%Df8ewcU-?cZe&TgeoB1zm^*0k<4Az@2eRMc%808|S)IYF3fyAPA2JDMmIfLEG(>DCiHjOf>5Xq6Cmzg*eSgM3;86}#|K3Bi_U-&w`;py z$+Mdv3InRzN#v?!Lmt)9HBTp!-kyg_4WcYF=sA^0;Ddytpxew@q<#TQ^kNYPO*Zwb z2QLkUQo_AYQ$X5EjI*JKB6zEro#^Q*{9c>2=MMUV8IeQ6dPItMmzj|p?b&)!N?Dtv zk$#^K`Y9=xJmhhi&Jr>$Fk$%4fBi22BOUVk@BI?qbJ=xgaY^w-)Cq=?M>`NQP~ve@ zpYL?Jyv(-2s(lIgOXGeb_BS zBC^(Q;LW9B-P|K*%CQ63we@ofWfX4u=Rc<|7LTt*{qb<{gg0^(9IW;ddm`@hM4FTs zq=A%At*}w169R|<0pY-+RbH*YUxRr-d=mk|4RtRc_1#Z^?{x=4fdn=rvJPzgwr|{l?XmZ9dG>rwYW>qC=6+r^Fjyj#p6@PFsOSXA{lL7!(#0MwTgN zViDeli-lYZZg43dHFWTCi}ZB8Il%8!CNXiV(O#`_ErZF`A->GR*j?4u#RC_A4N_R= zk^07VNQYUHomQ?n^d%ThrpkA$0Is&{0E2jZR!*x{PN0IKLbm*CqfKSE=8uyzU^A*Y zEsnn`D=xPNS19rp1?1JkoHb^zxX)Y#J)@<{Mf10;+YIdow`0(4JR%kRw6o@^lT$cZ z`?hzyRlA;3%?GCYHpcL(I#ZurRfiz(OMNNDh;-@a5{^r)k+Thz(`>nMXsp-5#>lSJ zeHS0+BPRzD=k)OR))Un$CU2zgAFPgzY!BzsgXy`l4vojnee}PT>&UW0W&(#{z5R3% zu@cl$gOxpL$gIhL*4=TtdK)QI@aSlw<{v$?N*FI~C%UC>x4_v!|N;pHVa0U^ID?{#-gLI zxoV>UK@^>z!Nj@2#)C)?LSoHT#K*JN&diJ~5N#vUtgv1+uiTu8Z!6)51QS<1gL3H?=lc zgDq;Ur&z=fch)l}A+b_p7pc?IqD%w@S9cqhAr+U8)|xCPf}=W){b50*{f$4j<3}#)f>wcI6Y-=ZtGX1g4w4^h4Yf*vCB-vi0rML^syF0>WB=~p#0d#qmjM&IA4$?c<*;tB9XrTg!Jj>0`T zY-vp^;bf=tX+#{0u<`Z86NgS?r!pqC%YG~!yk0W_UWfgyQ5*sGc_vXx6*c|xmV`VN zJy~{5Vp#7q0z?q;Ub%Haau4N!K^{7!O5I4wK;fx{9)15bII96rW3r zOgvD8(hDzpx{$qoN90j>(A1Jq_`x1XSBnlH5TtY14{D)fS}=ft2^6Q&wP3$h2cM!c zxX#;eQCuE=>p@fPOvpoh*jifJy>UtVD9)A?v5V7`>bbNUk(rp7xX~)1qZ{N}P2*mj zV_~+LIT+L@MWga!VB7*^2J<&PEbmeOEOCj=j#J%l?+ATl4kP4%({PFB>_k~9ozq1T zvvPCTq+gQuqalIy28J1sg_;6_9qVF`#hmsPURHzt9Xl%#4rxFLp?3HYDJ`Y7h8zxSRa`xaadvNh`d5+Z z!t-p1Im!349CbVAvm(k7c4C1C5q-jGKdWu-xD~vq*eO6@r=}rG8w~=^?4CdM5cbPs zvkvKc1Uor{ytTi1osbT84_~%F!yFS)?0f7=wlbXOpC_p&{cxiAwTp9u zIzI7CzL&*Ke1(vEIX_S|93rQ*!p!FQd&`xfg55&3xA}(T6-X;jKK-|GgF7*DSXG`& zRCb({lNiq^E}f-$JL`XsKtb5$xbXh=`}9&Xr23Hb7#2NtJmL4N0#F9 zZ8^Y_Wa|{~<|r-q_SS#J5Rvd|bIK3|exfqnG#Ho!*1J5qiNj}y)u)%zOxbh}@amYl z$(p3;0M%-}t&dAlkrWBC_V(nBgJ0HhI!@mWo9b=_5z#?=)1U~T&Uj`iCrf1DlF+H; zpwARjrOL(Bfevs|3+5hTT+s1fz){TViH>K?<_7U!h@ecfO4lGN1O7k z5!Qt4jDe+!_f4Yx86Jnt)HvTi@5cW*NcW8%ysQ%Z(&ih-%vJRNVDCNSn#{KLVX7c1 zMMRV$C?e98-it~T>Aly8(tC%1j$orm@1S%-M|u|}(xvy_10g^NAqj-{X6Bq{<~%cV z9?$>7`{{hiFCyG~-+QmM_FC7v*4phU=Rf;|mhGHW@2<}JP*I(pAPQC0yzA704{t~a zIaY4weRLQvT|BEI(b;L0y)8K=;u&~)dQ$#zEqeP#8p+eD$X2!VnCo$BooT*9DvM>y z966HUPwgsqi3YWnY>qMP_S1IGFyT=sMKYpkN20}UC3SS zkKJh!ye(^SJe2t5s)-Yw|KT>xT3;$Xes4tQ(z%9M6`+mMj3OML`b!o|nuJ&V`c-Gj z?t8qSeZC@%WbtknKU4LXVu6IGymIhmB(o1T@aQ04miFmD2Az5E=IZVUt%hx+Dnmbh zPy8d#a=_GrT*Oa>p~iQkGfM3jbC`XP7JzC}v6Y9ftrjSc8BS{t0=)uh00D5~bH&iL zo)2gCbX`+#=_1;x$L-uHS)O9VUp`}DorB(%?+=R@<|ye?($&wUc!Q-14bR4&7+VK@CuTf3Fd zvmdIk2!Oo1_`a&Y+rG3!RA{|8xyl{~GD`!<>EQ-Xd%w@<}6?1j&?w6gX!(i0}uWqm6we&9Ed4hWUPj?aNw$gg^5{G z)6dAa92xE1P0OunQ@|#DmJ9`ulwTk=(IV$HYdYOF%Yx~=PxccH#PkrTF{g5kOqn1C zM-2wqTGZI$RI6$0m*9xaa)1T;Y707hCC1Fzz*FeTj#_6hRxs0O@XDEq|H3&h>-6e` zVc2TRspfoZ%YL^ad~NE-)VKxsgifY3C+GI@_R_mE=OxN3xEaZopD32 zME_!$8n7+y>l%29`vOE>jKbd%edc+qEH1w{vxyKEnBEde^X%qad@Fk_b9-@l?FJN# zOkM0WadtjnvX~A)^eVyc`wsNhG+Z)k@H`K$gB7_>QGpF>XI8c@fbmFIyasq`!)@Sr znPm|G@l@fhfa9#a1yS9bo|nFVyi}>mcp`4sj2_@`zMbZQ_q%!CUGnDwUM_$Kt;de2 zCm}EP3`LEZ@S~Ce#9JN63M6eC2XvM3Q5oR(qO9`MeVh+=Z%d_Z+Xk#l`-C&go?;ZE zREb`<)@@gg$k|+e@6>I2=5yAq9-g=AjS3#IEU5E!Q+XzK{tJg`*R-o1+4N zTP9O;^D^lQF*Jv4p@B<5Ir_&(tL}$js_dv!|00F434n5>M_VU@RI&>P2uF5a5Chp& zvU!b5s$f6#>@q`S*|;o3Q(yn8&yF534OX8+6HGAlnGcFf-h5@ON~R{p-~ zj>6gkCf?n_es~?=R|M|>Ot6w->oJ7Y7{bY8tooFY>=!Z?Ke03VQ0jr1N(L%DwuSKq z4mxZ#5=thrKG^wF?BQp6p`H0*#;6LlOvkoY%}6yC&?A!zy<#5b;TX#5>Q|U)b4z?o zU^rIt-g=+-A|A+5_ZrxR0mvooS`+5!84=A8ps3&u;fw%rmNDkXhWE6~{HNJR^I$~t zJ+JP#-Kp*I2Ll<>Un1}K*2BH0t2c--XN9D#YC-p!Fl*p1(=N@-;JLFDz3|o!?RW-2 zjT$#-y$o=?TNMWU_V+lxe11L<1|Ta;#09D0%`KG%hE=4E7=3;HFz5|GAt}^KtW|%S zsKX2`u6oS4@lMuEzQ+9SByUZDQNVx(xM9*kBLmrXf)3y0Z)Gy;{-SRJ=G$(8-r&VD z(eoHm-w3pPd^FyQr<+R=h zKQgz=n~{kvx=7sTTgV$`snK6|F1F46LSW@Whh|-L|}3e z=#!|LzTNhcO8qAx8P*@cK<}Mtgq;oOS3{VkM}n8IdH|CO!l5o$O!%#ji2NKnK{8ba zG_Am$I2OPEbsat%W&t1^KswJG@uQU8f32y#bV`x4bob|gA}EozEc~dWLg-gV_lI^U zN2c$sCSf~um=G?4A>P>F_W!Kuzx$FEbb*|p7BK*Y{c7su-jQVZZtsokHEuUJOt@x8 zXis1Hxi(49=7~V?06%@D--u|RA1!>1)u6CAT@!_=4W3cugnup#Kq3(atP=DntvKe_ zRT5Io0+{W^&4*Kc3=Y&k6L=94!F957g7|uhe#(0PZl08B0TP9d*3Xo_{0=1lP$%u4 z+HBxC6IB$6zh~bnjE?T72bSZYEhl#6z_m5={oJelb{5M)uL6yXCNeWee~Nqd&)Iqk zoHcej3=J^*sp#k*=YD7;FQ7;jva%44e*u8PAAc!Pb0%x}X?k`#+MyhudO8ba_lAJh;6!nTU;K}tdrYB_@c=p&SY znw6mL+z;{FfAj3W9TfPF3JPihCI}P!KOGd9VF4i_QHTRU`omlQZh*gj=l{O$&u;O5 zclYm9=Fd|1Ut#`P)A3*3{d-gVzvSw_rs}_@>MsxE|61n%pDc5zzp(2Q$~ST)ba(l9 zYaM{>nDy^og%v5qeq~8{d_joZ3z8)8ZSolBf8)z!^^?2Gmi3#$B-}m~6PR-F339yo z`M3DTsG24u1~JH=HMhV2UI8r;3BmZAo?eyz+-n-S8tPxY`bdlla1q;7vRL`2 z-MQFU{;8d>m9pwS&qU@+JJHBx9iG2;S`aiIC-~qmMHl!RWedWc^;|@?&B`LFA)#0k zjqtx&w!eMIb-)GGS<}8p{U3X+gd|@s0IuiUYlh$V@~6M$0PtKJrw8XX^8W{ycafBw zfYRmBrT>R1YXeOg7vk!#TqODDs{g*T|JS$BU0~d(^?GMg0FToDQeyePlYqZ}Yt|-Uj}{|<8lC_6h2^@*sR_~q5?_S= z^eO%Op-pWL?9r~`$luTGZ{LL#L;}n0RX&p{-S9RFujtiVWBxSgrF1e+VcH7G!V^L7 zwTf5&@;+bL+m6}zWEj|fpTJ*zTi}r+D6hK2P7dhss~UEX;>Ql^^1);Kt{lP*w$>bp zJ);_=Bxr3flW>TJ_`j^z0$ba02iZ%t|3g}1*Z~QtwB4i+O`%WXb9P9fz?xC_X)3O) zZ^Va^Z5p_B<@7IA<`+5P?)|w={=|xM!Rj z$0Oy;TPv<4#0fb>f0!HuHKtC+40f43d)I8rV@m)&Oo0Vn{^JUdcmdP!I-zaD z{QEr|NehW2x_vW54o;n99-TPaBYIR@=Q;E}th5)z)#j5zu?uI~5z@QpDma~B&L!s? zNpTLZOM0STa(UZGYr<*sgnbeFk?D^sZ{JLSj4}ql5tskBn;WWo)sl2Uw?*RprO@xB zBYo)Y;5pbg_Sh*yzJMBD@BH+wV}Dh)00X#0Astv&PyXvGuJR-G*&wD2334U|3nB@kFYDFTtpyX09W&4s%;-l1|kHlzki5Zf)|8 zM%g{n#nO#p5z&pHe_eCVvo(jgdsP1U$$u1)LM}k6i_EWgzLK*gV)Q0i_P5_!n7^2a z%A>%eNVXKm6poA~lIlKkBh}_vE!|9-ztraZi+vrr1q@WZVeQWK?+4oC1qSlBkX5vR zk~-EN40G?>pJPr-eZOGA?`BEu3aBd4bWEU&IO30w(QE`%XJluqXYy>V{`f!t`p=w1 zz!GkHHDBW;Y9YE1zHT?L_tf^OZNK_Kck5hBGeUw~YwH-Oa@5!hR($3YIgEYT=j{*A%Po$o2W7Fut}3!6+Sv9sKJH{mClJ z5uI5F);nf5H6w^rDfX+bZYMk4a z@D3yVE!H9X>XJmELGLCN|6rIyN9Zl_AF$)EY5u*RG;%-G-)lQi+>FHjRftoU5aNw( z1H;8ig%m$DWV2b#ZSrfd&bW+5>G9V6p8jSQNwmoiwp( ziUNyWnmV3drS1|+H>c;Nl=x&jM?F_fEiKa6t1i~Xvh2pY)k@iFr_EK-8zvI(dV+Pz zu5I_RWMoP!IccDGkdc3UJ|{PDf`Rxi5kLIb7yDo5XF<=I2HIF5d6Bf=^+7j1m#ZEg_h{!Z18g5BSpl=z=^Uf$X|7k|n8y3`T2x)3JlJkt^2Sk#(Z z=o5HpYjoPvL4V9;E@+PCf0ole7SLqRrj%aUp}nH}PyeWG|MNTlkhwp&P;cnOI;PVp zT+Pb9gfur+4wBW_zx4Fv zJ_B;2#H|=aVs9u{!UTEo6f)#qt>^WykxR5%bjml}AUd-eh+G0cPHEJ7>}EW8gm?u4 zHG-y4ciuMczkSVcWZ+(SZBx~;u<4OeUr)J!GegYuX}~F$aGjm1V%wk@A#VFu6ERZW zR+MSb)q7p=eRdsaL(@hk8JKT~K?o+?;1*EP49*#-w$Axg6sip@+mA7oN5dKs9KO3B z!x@lWkN!&dS&aeLIh!t9hDey>-YmQZ8ufj^sL6x;(4D50&erE@ZkN8ixwoD4$fuZn z^90p%g?+|!7o{3(-MJIZFeMUYW+=bTWW3RH1H6x;5$5_sk1E;MRs1RWujRC!V=U=} zgK`nBrb{rv+lai}7C*=F_j0R;@JesEu~D;swWGmwU#e)L^aw;Nd&FX+;nSxF!KWua zMvYG+Y;A47X9VnQUJq#YFFf6v&r?fX@d332&-yk@Eq8{ts7Rfnq@rxHQv0S#c2WyXu_a{w3N?u09~C4P}0_SR$}U@BkT{~92E z@D}1QV)`s1<-+FtpvmWFi^)BpoOaW@a~@IEK@t{d-E^Fcut(mWJJ7{pSkOS|YMxeJ z1}zM;fPjD#onQ#60HOH~!BdcWk|O=)dQ$A7G>HQsPP%M>7VSLDFn@Yv`0&2W73<{W1huT${M{rt#CgN{!@16ie z6L;$g7Q!EEhx<;c)OGW`x%m24SxbU}MX*sushq4km>y9kZFO%gsRwiRI=4)|ve_zt!(!A!QQ%uMX%J4iFIN4WBeS^}z}qj)6q> z=9Al7L0e-b8Gb1x_$=Ba|HGCn<4$T{)8@?5acSnY7Jv2q!!NZ@w%xTd-$h^sZJhxt z)Aw<`C!x>eMM}Egp;0AJGEK4yP5pT4bnMu5*$=d%x}Sm-zkou=h&WAme}q%T0;OEt zocS3kS1mq8j)x!q+3d@yo&V*65Tww}&6I?CmwdwK>dNXBto5%^%tH5e;ZilWFe#(I z1ytcg#=>SQEBV56{-VJ^#SEy`2sqGE_-b?9_w>;g7cQK+4?%R-n&i@L@}C%VJiq0w zk)Bw}iHs^yu;1oo?mYbnuXLUpYePM^I>o0pd%f-MKCIk+Z!?Nld7LlTEV`S3X=>zh zLOWK^w{t|Pk=Un)n7g5K=`G?^Xzz6UsP^ssVB4u4x;68!*;#Q8*=yBfTU$GJP;Eis_cqVi1Qpp4ia4nK2jr_Ww9T6x+V{-s7$ku-?d ztd(xht8Mx$YQ?pLm{N?l2L5M_OCOS;&p4%s=j4AO6W~dB9tt~8e&9};fH~DMS{5Eb56tzkFqvG0Y=Tb%p zzQy2nVwGe!@VuUp z+WbTFPKSqw0p!@=U~5h#w!7A)%0hcuf>n%lQi(1;K67zILk{Fkqs&d%923!^avtf{1moD9(i)a0HDqnJEy%#(7mmlcU(BY+eyrxq|dP+V*0R(2fvOxUwmIb7K%RjV1;#7HDJQ_^_#`TG2@VmnJ z$vaaHOr59Vlybn{-a~6{{vhl8g?U3Lvqqz5^UkIadep)*UEC&YPXN`t^fsx5yeRW^ z&dXVrG@&lwR(gT)G82w$1OvNAMvzG9!=~LC5BL81S#p9%)eoJ2whSRgZJ_=;^n@h# z`fXgO3wYkt2@TW3%A$q&6lT*eQKi<&shb`>o}gffGrR^t2!PJGLihw?#aFT@6y4oh z5;S7<5+6}L>#mX`-&p$;bdq;5Qiq!`F-5(-a#cb{#*aJ)5@O!97W!t@eZKYZ=&3V(^zA4 z<5G9hOK|hcVbSffrq5*?Av3VY{_NSR{ub9fcFTOy{6{OeapregPw|bS+>40R(QZ`@ znY~{sESg_b>I`KrhI42n+*nVeHP|hyJq5|~#Nx-z_`$%LFUrk{zVR6XM9JEKPvmZsPUVOMP@8vN5ICHLfnG%nZW~uqzDgHgk zy3F53(e_3(SBYea&QL2lQTY3`N(ChzXt6tYV%tKWsLrF?p2x-^Rzptj0bViG~EX z>g(Ar84M%8uMmq z-ME=ob>ZDSso6|(Y3!bnAP8^{-V{b@Mwo-)!q6qY*?u=3+?cX!Jvc zN>K6vHhBCsUV!6YK*4_oAk}AaJ$$QU1NJFo8n!O&G+-*7(b|WX2ct zd;tFnOcrpy=}(>w4)=?h85d;Db$36;VAeBNM-wd)pe!d*%O8XpzNeW2mIh>X<80hyDyUZ9KRyJfHOlgz>TD$|K|Yw_KzmpLl2v$nGh)t?M5j;<2-{m>)Zs6 z52w|>xvfeIZgJY+=IAYQI@eFrFWV@DKM7jK_Errf)WD~@GXmi3Cbfsj}+=owx^7xms}Ned&-X(T{Wt+5bhS^*!dR^G|rUkD$6 zv|eMmwJAk5#F7gH5IuB>rbTPysZ6p)N=$w^>#7m?MdC&fecs$I=SII^i%}2p6D%e_ zbLAy^E)nnq^iG^J7v04V=^fg)?J_oIJutEc~b{TJ^Z{gRbq^X8GJU7qK&c@f(cxE<}n4DFmuS0v5_vI>;V z#B0c6z9MrS5Q$*3(v{v($aL89U!ZV>cg_GrGn!7FaZ>#&D|WoQw+iGY3b{fm`q`OD z(vm-jo1`BlV^=P?d*sn2CPW#es-c4YZ$tbR#AdBeXp-nRTd+L6Ueh&Tf^ubIod9OB z9d{!tT>RwWGU-eA$H)6j-inDz~qr8f*5jo3-+jkFY=UyaK2{77-w+{a6o&Z8wd zth<}WaeJyJNBbnRA&*h7)6@r~h<|;Iha5-RO>lB?vp8YO{F_Wm9>a~E`_0t3MQ{lS zgcoIP1>b6|J$$seRpd)s5nyA+0guuHf*Qk=_Zn@fzthRM zy7NVHwTq*dC4Z?AkpM&>o97u0w^#`!C6a14N*kF1V1rfp?{DbvL@zvR15dMy8+=U)}D5`R!kvTKBM0&^A!BzYFGN>}s5j21?Q#5@g)9 zsKj(rBH9$J@63N~$6#kR8M}L>{t2n0QUgO=tyuv&o?HKQi;?r=W_|%)ZI_~YK@GC_ z`J{OE<`Fha^s^Rd{|jal>zDu*l63TJ`_`G%I(U6?leoc&}Kt}0adnonRpKtL%;mHXO28X?&oefB%_k7(6 zL!-v9xoeNykM}a#6i!H65v@4&gSS5#5j4j*Cru75+l~2e;TK!P-(Kx1NjZy;)?1L) zffVo1w62Jxib$loOS*0A7C$AwX?fe;y_e26c*fBP{^aE3U@uQ!gbZ$b*>96bI-EuO zUN2Ix#&^#e1^OX)0;_uY7g$*IHA1=%3J(ZEM`+5|e4*N=0){& zLl25>YSyj~B4H)<~l4%}1Y7$)R=)?SUC;xCA7XLUi zNm!M1xbt|~=8GQ_9V0<0ijt2g0Is&4K{`f>?$sQC*kA;1BB@$6 z6lNz1`v4>|gLqRTGlN)K!YO6%Wx=}hK-IS`DW8OG0WF8IwrVQ>y6-hLiLS|uyXDn_CXj<@sD9R1*Zm`JZB&L7ClMuaE+O9kHK zfx5FZ@OA|@uvU4`%_%(rSTg>Yu81A68b9xm9;Cyy(RH$-|Ir;=_B}M zElTo^E4pRGvhJ>wQjo~VlZuq_aHUR2+A2^)5Me)*NYr@`+Nnx$58ePTo&Q7xiSV-N z3p6IBlgzE$SNUY{`t9vmDcjc@qc7ApKZGCCFNuu4VMh!W4!`d^P(w(Lyfwfode`L; zCqd)mCG^EkW50?GOX${_A2t#2inQXDswjta;vv442%vFR4p<8s<;p`8i0NB~*fA0Vi35 zK+JhjT0_s{&er=S*_mU|D{GBcDdGN2R^A0frLd*MP`(a4cmq`+yPo$TMQW1}<2(3C z_u5;#i)Z5Dv;%orB73|*yj&f%%E{BhoQ@g*cN0^|u3#kJ;3XdcuteZH+L{v8FA9;@F-ate2_|zy^nJKr=9Z3uB?+Pk!Qh9^set4v-`s zS`#ziunYaXH)J;-&?yxXzp^=T0ZI4NWN6FJ=Z7(0qLbooF!$;c-k(wR0QJw%E0iTn zeSSWi^L=AfXNdRUu%>Z}%iN&TRpSg; zAb`fZsi9EIF4gs%(y{@O8+tCZ$ya-Q%s(p2J`hUr-0_>0hIl1UH61U#%iFHoH}_Kk z53q`DLN8hbs$?#_pcYpTt!U_K0?OM51@=Fk;x^czsWt0p7+p;^vF<(0u*aJ68P-z; z)YqHL>n^h7r$6mJTnWO#MI%9jS2j|I5iKX)nz5P?A2Pi=#Gw*=XS<9wdygRlHuU(7 zCB6b#bpLeXIgPg}S;SZ_MoD5I^x)eFGOL!p1=LhZT04IStNNlaTE?X5(c_U=wI?dz zwIaz}q?ZP?zHC^>@Zfl5Vmay^c7H3sc1FOnpb5E1Cg9iI;eObPXGg`SCU|ryci9)=a{@tLvIA3aq1gJhGG!;qW6;LmnZmYgw;r8ELLmuG~a;C zKI)T=`Ou1_M&|1C@pAI;ykAcaL5{4iJ@p#+ln>jwQ(ajexj*w%DgoXtxVqIe$R2C* z1|++w*`nxp-JyQPv>LlokuV{FMUtYXo)sXp*YS#rU*7}|`00x3m5#%`KVLGY7`_^i zP;1)i;^AarxgiO!ij;!g701Nsi^aU` zYc{dG+Ge$ZxiAQth6cdX>(j8*uGvwphQYj^(z=<6M`Z^c#PccBV1k?57+#N0N{)h_k_7`$eF-rbOY6RfE z>Ok%U+xG#ZR2QWp5hn;Ff)?@Az6K_EHS&+Mf!CGpy`h zdEclQm2fzEZ~T(f{6FJRt7P$xW4qfYw(-iD_MX70^$u^n56(!td0{@l0BdL0HOFgm z&KxlD{6_?AB1sFQnRIbh;*lg^u^dZvybX{;`VB~O_tIa#9N3W2$0lm*ToT|nkk0v@Fs+y+K&>pbmCi61-*c|$~E7K;K^NJB_Q=;<0ArJKFX zkUbYJ;EvAGfj>GiIk zK^bR(8yx5CxivTIBf8|o?8~cdS$qn(8v*)C0#_B2>yKhJ6v!T>#&}1ud%?XUlk~%f zqA1L3y-Uujq$@nPo+F_w;O|uc9Owwvii6NGO1`-_T;d!enY-49_T+kd*8-fe&-{Wr zjFLaPBkBpB{`@V5yYbX=ti?c1wEPi`0U%)?t?_$kjxbDkhlaXY1~>=Fq-@b|mmvUd zR|AI%vc2K{BoP?*e$wXcTPcmu^E@M&jjH^uPcpze^=+SW5cz;zs;x(avji?&lbS}p zFsHHDYHG*OjH`KmtLNW9)R5%^S%SwvkU&Zw{g>|WWujt&w9AR1@<6iF>56Nknc1k{ zb%O@sG#5rXbN`aJ_tHTwC8lLB9)S68Sm1{MvQg-Ar!-T*?W9Gy(HPJqf_??Wa$jhi z|EL!BgKZyZ?dxj5^hrS90JJlqc_Dz3pND&z_nz!mJOjk4vpsCVLL>IYOfk?3tL5vD zmbraBhiTHasOHnqW!+tu-J!%9GZ7yCt)-BK`J%Ol;pS*N1!P{%X!YFaQzd7cx*UADG!tdnchC|;J zM$h@4cqQ*mEXzL}^a%S@VKdSZZND}^xaoi9eM(L*swSO^!G$J$T94Lb{RpFky0Qzk z*896NX?A+cC85l9aJal`Qr+y%Qk%a$SnV5jRFrZ5q>{qJU1Vy^Tj%!E=89Ze4J4#j zJ>t9=>EI2YCh^yzF`?cPQ{q{`RxFHqv26;L_q(*>VRe_Cc(~~UaI$N4%T1}lh)mwW zcb*(~#7V1Rj7xAzse5ZL&suGC*31VwQSOWAQ^sQ8wQB?m!;(Ic7{y>9r0D#VhHUO9-+kxIwJk3=2(8~FoF92_&lNwS!OusMTxqTOlhNY-Oz&JJMenDB( z>Rim_Nr=Kb21e@!^E0T&8A!XVNkLAxucYz8hB?FpNj*f0Ef94t_MY3NeR#q4^o)}B zCqKX(NV+#)ZeoijA_9UrY^g*;xqp~#gl>DTcbh{fdIF%nNsz?>*P_fHByiwnd3R7< zGKvB?mirrF7Nd{r>~l>TQ;iqLn>_7oiJ#?PJ#7;7K+lgC>VtaO=&| zqCUV>>sG@X7q2WVm_VPKNP?T5eW<82K+JU>+uAx$*Qn*GC0lP}4e4CxK0nv7F{vAA|b-0|I_6vOl_T3yY$Du*{)(n@7Ip?{%9mh;x+ulkZ zjy{*B)3vP+3aX+|e zpeZ}o+)|5;s_qo{)$YvZN)V^LJSTUK=s6Fdd`C<7Pss(W@QV+>obiDBUXy5B;XhE= zye9AYI0SAL0@ovU*`i#ZRS24pZQK#;^WAncx(5#aanrcQo}Eo`jwTLhHu+mrCh5=_ z+o?KTg(e*;&|J;=8`O?xFHk^5H~DKD=c4V;FTC?@pnybhjc z(A1d?k34Qo zO@#2Ldvqh|xP{zidIxNDS=RwMr8aFsAC-D-V$5y6#gT;2V#;T{61zh8PB7~%p+@)NlBng+F^)N8&s*{>n3^oAWKWNWU1Z0Y^D7XI^DPzL zo6pC)ZxR^N!|2M+(2P3lxTrw7j9`iJH+q7msD}i5nc%O7euXnFW*LD?=a(^u^#?oQ0xQ2VjXI@ybo?<8r#i6bQthhMk!Nsnm{CqZ4w0Im1|0-g!nmd%6RI0aJw zGMdOr#A>Yt7Gw8-#RnT63CPNv(@X8x_nRVcoq@9K7rsI~9wP6X`{TO&M3Ld3R z2rf<$+~UuGWmW-qy+7)gMo0||q+$_yg(myI=jeX_cKI%VuM^$hqzEM;H#IZV7AOEx zK|ugr*1ftL(n1*IMTAuw-~))LJ_}sRHHkirBF$0P;!21OQ4Ym2WuMN|rkG5ZsD5=f z`}D$EL)++*XA5Vc-002hoz~O#X)?--kzzu^1sP2xCph#echSSi`1v9v%HfkU)uSss z4qb<%!Ize2w9xE_RIe3)yIvD6_5^Z#-Sm}jZ_Rl7;hc{o>Txg;iAXq*^hH-BGztq_ zEcK;|a9FNO+%)YB+=ij1IeSMf zg=E!F@L*#362V-97o@f^3q70CDefKa;nOh5EEE#*-e=x#yiTIDbS&F$AY`g*nzsSx z40W4Hil-a4AC)aN<$QQ<-jV4bXc?*s1nHs)AApJ@8h}=}3$g~Xs~u>h<-}9GmE2A4 z9Jzw|{NF@@{LPg-*OJBa)D0?CPy0sD&Q3;W?)vGGHU{9n*l74?AW;Su0p`f{zSuJw zgiVyBdf2SU0|{p4U@sk={OKB}*i_`XxyyuE%^4 zLfk*hzRB;NGPDzLEImFX`!M#-lW3rw^`LHFYX?J?pV zzq{i@!oOfs${hn7Kd6f`75Qyl*5OgPdHK5|>H2lt=Rg2Mzp(GXEZdR7iW3^JA>!8LyM!G(-Q2^2)F`so25jN@uvEv}ed-?_+4BiyEW z)gwW|aeK?d@UoYj^FyDGT)OMiM9@Yh%dqDb3JfkntI(AE9p)P4rK#J;qM~CLV%xkK z9|98!ND8~e$k3=f!qt!}k}SIu!O(fCJa~ue+9(r&Bc+5$#DWr}qP9bR9Jx>Qj@aNMh-f$_Ge4pLn2uk`6j(8G1j7}i;a zO5sL^J0ET^E{vmF2Mw=s>6AGJ0(2akct~lzqPp~n(63+zbv+Q@w3Z}+0hawrei%mS z_T!N~y5C&i_VL?OPQy|P=skP@qAQD#SSqx6@DQ{2Nx|K%?80pq*B0B=6=lWdjl3;1 zg#Tj@<{Q0yxb)I@Hg*nv(Yvj81b*YZ_%x2`GcrA*lY*L&j3k>!A$HY8Olq)tMxy>g*Nalw60j2 zjV~P2C=(JgZx{pFfruM#&CgH3Ya}6km;75Pb2mFYs-OV_q5y|olk`*sxicQ`Ll@>i z#S$l&YpHoS$3<|YHS7nm9Q{RB<3}ZYqQprH{WV+FWXq}l-scJH?-#m@5YC#{ZYKBl5ZMghe|yY#Nuph}5#mco1I!13SF52QaV_fI2Ua~_SOH*%LB>xL|qv=~{{ zo+3J;RshOJr$3N0;0H)iq6vCFPtW|RWLyhykz1sOtavL!=9ie)0|~>4-uXZ;(I;oD z4}bWm!D`F}{G=y;c5bnq*qV&v@nK&asaIw}U)@_U1 z*YXvUNHw$aH)hKCq`!UK9q?wt4~)o#o)+l^$ZCex2lr?@&z1~!y&5-NKIXyP%NKF9 z)CU5;*hrmGN~(eeySCut#)N7ErgWh~U$!;Z(WORJqm5 zi~WM9Z|qkJ8dut0Qc_GSdFd&yZ|w*rs#ez{1gm;AtTqG3jE1Zc&5$i^jukO%ReJB| z?QoF5_L|8Gp6t$>o^L5aU7zz@{uGB61Q4w~i)vVJyUrGEOjP5^cSH8MeS221!$I3w z-9!QFf;tzuZ_1SP!}ZZGpXH^!Yk&Bx&JVKFN*1=B*ANb~$rEYYv+oTC_c@na=_m=W zP}wlom`6YgJ_o*~;KBRIv7qi~WSF*sPw{Ww5540c@J$Tado}Cz&MWKY#v!i!Qml5n zIrB^j%1_>0KYSt3eMqbAdG(AYx2l4F1|1z;XHf*BsK}a9>STc%n@wzqNgq^L-}}2K zL%=5@9!7|q?r?XFI@IghQ_Vw*=^9etY`jb}!dw*P3vDU+B6Vn}|1uS5vo|+<7|>d- z!Qy88e4@;nNwUVNr`#l5thB{@+YQ?FW06#gMZU~XKXX}UE))4~kPzK*^9-l{bFu%yoaM?2ZOVC}DXGNy&| z0>|)i3lP9H+FwHQe_zs&^?yKeR%oPU+C(qE9sl|w=-LX3&9*%ts!jSB&xhvnPm zc66zC-Kzzh?c7ZKK?|F(_?g`6O=RkL90jU;QrpWso#-W4&~z-7E4s#LKRkMu&5>ez z5LABvYj$H#oM1_oFdWSaMP5$IJ7=}8d(R;Mp56mG(H5VfoU0$XNa81V79<^O0-1Ho zj0K7uO>*d`%B1E!A%5_OrIsrsVx^4z8Os~-iRSLnK;xDC$f4HAAEpZ9(EE2}t~ z00>RflfXydNZ=#jwp|oP$=y^Ze_R)!8GpHE-F)keLprHTc04DYXL$7#t$N)+pKFqs zOc{ugR=;OQ#&kr9J@735WIpM$RyFW_0&s&gJ$?arinmrOJgFs4+YtQ3-l58w=ZUkx`Br2=?RiN~S7O2$wYBWSk^oCwjbP*aCFFI{( zWk|zS$9cA!J6nrT#9W%c=OO6 z1^;F5Im0nzz^=p}qX4TPrTw8d_sHy;L#0{ixg|<0TYckhibJnfcneu&PCUZ7z^Qu5 zK#H(U8Q0iJ(|X+sKIX`t=Ivu*;-1UTdbhtMt71pc&H(w_3-@ z(~3Iv(7ML$n4}6s1EiiMe_4^@YEjTFeRE1WR%#c5^5Kc};%#)HZJDhUhhq~v#IAaXIhu#pqI&UJNE&#j#>i$yn8@XFR75`W1+Q(l( zz-24HaYVoFzSLn>`$yb6>Yqq$@jdlu!4_kX$oB~!MpF}z=-;FZxTi54qdK?!(>x+8 z@Zda+#P)~Ibi)YXR+{6g84<^%irFOGPW;sXgcA>>tM_xu&hvZdp#Ag6z+8=a)mZ$M z1lz#U6ruaz=jhI2o-W2T{tv;0I$$f0v8sW`iB&i;B%<~CCV3-~D zT3w&bU4)z8xfc?oF2C8$KT^hh4=)YhN%#qn{m$npuECWGl!WVnVyB5XARkiBbiw=! zCXR{T$XG#vx9)q<^JO60zz{+9G%n1#L~x(g5jhB z8yT3C)GX(ikp#^O-`<`v%T`|r!vP}PM-^X09z*S1m9OqAuLePfe^yv*Y!0b*WX3AOFG)fFSfc2kFgn~m^>!;3Dc)*FW}9o5x>>gU_VztyuXW{rM%>#Msv zvOnOO_8gNG#evT^g+&tw-%~n70hxEBhtdAy)Vy|$q|m&l2wMV-0Q`ocH_6G+Gq_>o zGGt+*tC)>BJCyLcTyp+{j0NJn)nb^2`@^FZUd+^ZNeNTn;-c`WmJu~Yj<{b;XGd|q z?*JY9oU`q*3xy5#l_V^b*A=w=zO#ny76PP=uM6MkT=t1iraxXK^|RyVBBs^Xow9@D zN=>q5p4nXB&=VdyO}p?$#A)rOMjK!emOLuBW%C4|!7Jh{itK_;H=q|f}&*<^~>&%CR#S}{uQ<=p+3EZo83QI^sLZLi^^Ox;`3<>Njaj1i2 zKzB5I&$qrnK^^Mqh%ECS9@Ai=n9%**7i;~@juXTZ?F-(V+a248TK9I6s*_xHEHBg4 z5UTXWsh7$6C{XD$9GG>p>jLk7UpgxXW{Js!k>h#U^l=3uM(zYumIDH;{uaRMADsQp zgHzKmIm>I+Jj-k4gC_i%lSd^fasE3Ht@5kZp+HjY(D2)^2&)a1y|sQ(jI2O-F`3A( zN*G+q@*@_~Nlvyr^%kv!deB8+42GjJMGqrhnPG4gsCS=KLY6IQ>ak}5$AzjQAA+uK zX0yYm+P3KB)swp&xldTD2fVm;W5GD8wpf>N!4(#FTpjvtuiL^03Mu!WLt+1^J(@X5 z$dxEPwaaAB0kNvBt0|$VarM?2sCwQWGzjJ9oLaz9xO(5A@4BeA>2yb~6E^KxdtF=I zG#kv;KIXyO{Nj9@3Z=YL2djzk)LiA*1|OHTB6#)2Sk}cZ0!K%j+P8Ad#GdC-OwR1~ z3>$9XgNKWYu}beF&_vwvrbMTUxsqm^P)|ba8+4{!&5SmXUNy~qpR0>24r;$M-+CQt z!|xWLan#^`}P9R0HIz^5~s}uYckN|?V}UktCqOfDT}9O zWERYPD6j-8h%ueMp#!r*eB@g(@8r^rnMzAEBR|-LO%%OJs>ItPczRYX=2dH+*7E{tzhqk=C3NOS&BFO>Y=sb6aGmPMV% zc1%x#oWz}nF<-RP_%aUG;Rz)sog(?zIiAh(F~3P4Aa`5JJ<@Ec?Fx8*A+~h|Uswn4 z*_omO`ulrO9aISxdq^K>V{4xjRd70Ph@b zeoHp=aaabp4fqefIQ`vW(am*#P>@ec!l`$kn3Tbk!&s67{<&YMX|qv)O0YMu8ZyST z^gL6s^>!eG6`d7e-r);-1?hs1KL2f=l%Q|Qt&C=8WmSN#B&R8ECc6$Pvgv3RUGglK zN=<&AYUTDQKumu`H~pmqtfKkUpg=DJVw)4&F(r@pjz5aK>kb@Rqi1Y9=OTmixSB8D z0=46hGKjC59`wz(%6Y1XcU8|5ZZ|Ql#zm@IGx@Slt<6I%38@{kLXh%26FNeqLPTtx#ZEhniJ8xY1lVgNwT{zkqK%R9K0ep zH_ARVzexNc|I?f25U&#l$zDWF&00xt*|;ajM7JzHl!os{)<}`K`uUzLV3xpu%W@8G z0H2WtUM?Z(5YBm>Vi*JH@{S6iQZ zf$*NJQLM$#AShON<{^>kf@fkCSM5@bUU`9pW0vcNemNvNbRXl|rcp|pgm+W8bzu7}6+ zfXfQS2G_hDg`{W8mej>=b5Oh;pDSZR5G_@@SsM#~VNOFE6EsiY?2Rtc+NgC~U%Z3%^bTF+*&+!})d( z$wnlo0`>}Amt-Ur&=I_bdl+-mh%F__@jyxGcae7O(A^m~++abjI2BVh-pl z>wKn#t8zC@)3j~)GiIm^SeQ1e6|q?g*sjMv_bJGJaF$2AcUJoRRscxzPWVZrZ5h3? zlKAs+)!79jo$T{Oe)dCMB!dayifGLR^b+@Cmi3vtPcspydw`#~?}ji227lZmr$m1H z7~wwai%;V@U1s^IcH3i%%poNDA`kdvyX{RP%oRNilK7>9{V(zHuUCN-*#z1G0NcLr zFAXan+U0(?-+wJXe9PwUv31_ybm}dE)onE`eByea0^1-Wwy=%L7_5&!P&%gO9eBTV zUXg;_)4W|cK-!tiOFcOBJAa>fkqE^$3Jie@*{z){W>e% zbN0XB=jZVD#QyM*YWQ+#99!sKtjj)GpwhC$P-a3&(;|nF-RT9(;5uvV6mOj?Y=4ut zpg{TlbV6Byfn@rut3tW55aEiA6^iv(E@)n~Bg8>#(v_&E?}+Uw zWUgw0aFaE`>v2Y%f!srnXUEq^oRY>}fW88~-44iBzT88RrE;r8ws+3yGRT7ZBPd5g z0BV7pGFJI{E+!$n^D`!f7CM#_?ZTyHYsedQWV&2`aV)0WV)j6!-pKC_{RsaOolVy% zZ^~!HM)6c4Rcn-roi#jKV}#E>jAq~ZF75rV@lZ?Y5$TO6X0stGs+b)^XZ_I}9`_ zXJ+tJdNkz_Xi}B)0>h-CJdylHJ1YU)dYSZAB4jXujl31rBm0>-CJ=0EeSPDSwTOnkiCO2oAc*WRG>c5QqM7I9i)(c_$X zDf;YT{Kk`tC2O*{J%TQSz7a&%wrZc){@QaK-N6|*?NI_j+8xXToSJC2gtX728-{Ve zn2h-9DlJ&oJ0)*sJOZ3K>%qG}&`_w_wq>gx8Z zivu~+15&$Z1Mk%0H3EF92OEz-G{NC3{omqL@BLli&E_odw)lwsQm)Jkf8q8W7UJPY zBOrRygq7TSDSDO|^9+c(!9}G-hXCT6TLmk)lg5u9&93v(7~Zj~34Wf6{waD)sg5Q$ z7H!vOR*p^ZSVqlbQ{Gxgi;yeAE)`W_S>!Vj4N0_w_(~e~&%);r$}q zlaW~)3MKDZmz>(sk^%;+Xk-jqQIJQK){8BguM6hob;Bjo#Mfyb&T^E~YYnpV=Ur|) zYrSJ)UKy@_er#QQRMy}w)+ccJ+-idoJ-H`P?%}`j zLVlST0p_}kULHT49X`r0{bI?BW!gw&V`F>OkriyZ&`B|vKe6#zGcf(tW()>tssdEp zypF7{I^4_Gm7>U0c9-p4b*Og|t=3SBXGK;`lr8`x=XfcC>bI#lu|OpWGmFb^X3t=z zf!=cVTUFi_A)Hl?pT_=5EiC^z#qd5oUeiMJCzX$x%1z$pvzwW6uAu}gO$nq5Bgq7um88{z9LYynjHoA_CGx33co!K{ zojz*B{LCtTqXsZLpy#jQg-bO{;azvCJ`Evua~m6g@Jw zR@$OCtl>Hg8Mu}ci}4x_a07Nvt}4b+r>%G( zrusJ#G+#{;`>?^s{sRv#Us@@9Bc@!?`uyf~DTifQEyU~kPo&D`K}9t>crRSSpz!a5 zuSF*LbM#?nm98|1dHNzN+7;W2mzUmzSz&E-*h+Nh9Wi0rqRc^?s&QSLACE2aSG@=D)%cl516z)hA47f&)w{)WMzimJeS{vpFL8P9LG1bJ&-gb zzPF-Vajg@*fvH=S99HC9U5%xxOa~E!;n0FG8*dY@j|A_g0cQ?&r%uE}YXJzjJYdj9 zRE{B869lDb`0UnfUwVPp2IT1(_w)P;om0MQ3`!OFIXapGA>(7M0pHT}55aWWC1NSg z)&tH;;Wv{dK*^|kmSHQ}*c#MW(Pl5y7C!Gnv2-#$m{C8W1+O|fO1oIwl!3R4qSYoE zTCaAN5YXR!-&w9PdR^dy;c`b*VJ*h0s=)r0v>#Zx?KUysM*(_Y1yY)yM#lBg?}i`J z$Ag$v75rC|dmW87<+#O+Wn-6*%qzK~JdPjlqnjox z(4yDd_x2KEQN7Wf>+ps8!EGQvDm@}=2f+o~JE?2YQ~m@*T}RWs&es;#fcnVi9i2iX zTCTYl4VBrigx(ZZ+I!Nhk^^J~hOv{cjyQWJ4k;UYo#GATrCbJj{P1@Gu8;PXx8KCf*wzcXRm&rA zS}6BASVB^4|H~(tL}wucCHRWR3cgC0b~H=Pg7#4Q)q!^s1egj`nS4aU} z(RUvi`BX|Vp>Xu*la*4BH) z-)-koWQbUAF5NV*3}pnWwO_@RtwU3*tE-p&3h{l=HE$(MC$8-UsTxexCZL6S8R+m; zC?`+3SAF05mTU`c2M)oo2tdNg)6IJh_*3!YZ8NwJ!%S6F5we~1_SMust z8t!z7o{d4wP8!PICd@)SmGdMP)%8^>%WCns0A1`Gw>6x;qXnpM8mHsPS^gZ6AZ z8%2B|vDLtmuoYKq*0Yi+xf;lDBBNO2C6Wbke-s!WyHSfg@XF$kp7!jUo{Q2zXczlT z#ppd^d}es#bk*9Z3x2QnJ-NgI9E{t_WN{qanro7#v)HO=W3U!T5!qNHROg?5S%Pbo z>L>2~9F4|ovcC9S;UMB4E`hQ5X5E~{SEMdtKyKi?x(>Tuqnz-}$@BVEl5wvK8xs7G za(2>NYT_5_+;Ic>Qwb(+dy(?5d2syUtUh6|_QR>tz5t+mR-Us%?`fd;$=p^jEqG>_ zKkIv_A7sj2<~^f^>vVYzMBx*&KQM?skSZB0E=q|FrA07PO!f+{Hr+l=Gc}swUogxR z7^{og^iD7$hQV;Ict#TPb?NrS*1Ja;d$oN&#{uc#LYcFk_~G*C3jECq@K6!adO3Q= zxRbL+7QJTud4mi`gMF(+*KcGIjI*uh#XKzz{VNT5;_b+rJ8kmqJ$loSN$`a?E2|`@ zYsckNuRcR`U$@?vJR$x&-ys?PV@Z)F#d3|T55N-B_qNtI!CZ+u$z%j(JE2_U=2gqx z2S^Cw<~_SQ=bEf$-^6v>T~r^aNcbA#gF7c%SrV24r79=q(FL&jjA@_e+N~0Gp5A-D z?y0lWi%|cPDgH4ogX)LP)V74So|`qG!@eS)yUp=ogtiW5^Ij8?gyjT8tdJR)~63domGIOte;#%z0% z-hTGH`zkpw;weQDz+iRr;!gnIJN?wJhh{8j8__e-DSjcfYW&lIHPtYb_ME6if6CT$ z9=Ly_D84zV6;@9w@nM?ieZAXZP9J%_04o%dY*&$k=BX>+$ne^P*Jf5so#ZV}C!!8x z!9XTijK(Mwe=mbx!=@Yg|3AAqrC z`iY;OU3wyOi(>Je%~HTxRSxrK=ESS<(aRAlqv8q22TE_w`OZ+jm&iX>Cx7fYB@$*S zprQN~S-T>FxQfrzwH+Y<_4!1)k2pL89vGmaOY$;`B<--Xs z5P?GsJPdm9))VO{A3`^wPNm5dE%#e5fH@$pPX zs6t$V!86g|K7!x4@ts$Tkm<6Mu>N*=(W9bh)712kW+7%uLAT9g)$1s^iO<0kB@;H4 z%P3eoeDAF8Udqal+W*p(y~;Po;S9_!z~~)JtR!d}T=s0O;6Vtz2y~zO#xea!8?zF^ zBz$Wq!G}~uWT7r-x8^AcSm*%}8|R{78avh%C6oXNS-n-mPIUb?rp0&Fe*>!`n1eOy zTkhRQBzm`etCqmFa5Y|Sqc_?*t>Q%n9S6f2rUpE(CM|2|{bgjDFBlk|cUs{ucHu6U z{jz)??Dl8blO^c7BUKV3{>8o}D3P-)0Cw?vB;YGR`wg@|S6{8@ln>n2fM$9WZbMeT zU641~qcc*C+#cYo0Q!x*rFJG_x$|CdV-pxpNaQ-@=z6%v%(bBzlQ(K2WYZe5wZL9< z4arR2I|;AGN(Iu<`A~b`i~|MpZWG<)zGbA9w)QsM`~F(lZtvX3U~%;=lqMN-Iji7q zeraQy_)!pv`9*d!PdKUkJILu_n|lI-FtWII!Im&DH@C4|;>5V}V8yyo3vu`ezLFLW z+u1J)bcMJ{53J)(D`0%4I-RbKU)vaCi*$gt?3XWHkU|W7SdwHY6r_4q9&> zOqxTWO%_67un0lZ6;6(}_4Tvf4s$U}_3Mt1Bd0j*)Y`#ks2)0%7(&enBszb*avI7! zNDpwu*E6o5twA`zLCCCTO8oMT3LwX5=kyGNhcQc37WGaO-S&M3uFmey9Rk+#>e16A zo)fNw1-Ov`iaO5>(l!2R6C3d5x zNqy5z{+o*}`}ckE?fFkljHf54tz;HGO}1z&_?Ovj+$koe*4cBt&b4dd*8j zWNB6Aq4+QKnxceNl6tn~T0=#a^R!)B2&~FYVJD0F+*+W8%qD}6V;lV( zVQk;E?brt*rFFaGCJ7q|@ne6kD5WisC~TuTc4F#hzKK`LoQ*X?xK3KuowDEGJ|;ba zZdCWt&|-N8(1lgP`Zy%5v=?F`p2H3&F%Sy^pX}1&;ao1O{DplasV==bw{hXK#+5xS zU-qJEkJr#UA~{@PT<|#W^-!BeZwI$l**B7mREIm!+OoP5UQC2dh2@a&v;kd&N2@NQormZ#Ff*07l;K)=Ibq{>x#0A+G&ObgfrlG{ z!Kx?ckMxMZ)^QKrUuPAOK}hfm43GAU{9PgT(r!B)%#DEY!*b5~cq^u&{_eG2vi_+7 zx$nd&66hAL09Eio=^PgrcboIM_n}H*Fup0~~*o$*Oc)=DEH0)1E z6~LFL?XRBR_6`u-0f&A=Vh2;D%X}I(0rR7FKs&5}1b|{k(UMUyM1AQJeY8WWF8kBCZ`BMjR4K3Ty5iu=(6c`<{I%tz{F17Ag2^Dfu}nt zWe;Tv&(|k;Qrk@R65+Tcpsd|xZxg)_HsAK%j7Zgc7daq?iCdZxsNbA6hheMtK-J^h z7Qap%{ljR;2w?iF;8+u>?;z!4a}`xnjoAGbg)f6S_~{NkOTi|*_W=GVqqr$y?B#~T z7w?Bw!o!ik^ki_KXLUKkAXDY~c6wF?F!f#l^P=d`rh`6|ndqhXVZY302Kw^pD9oX- z!{XfGfPr3O!CIUNVq|ZrP+Sk~h^RwD#k(gYzGqjU=tOQwzG*O{u*ZGXtuhEX=X=Ut zTm?uFs?j>~O>a=$(U`l@)9s?m&ijPr?jrXi z8xIKwj(o0X%Lahreh9i>M4zt@@R^ke&VrzQb|6KCtmHOPin5)9L6B{Hgl;^M^7(If z`Cm8Pm3#xp!vv$*#RQ*tblN810q1_z9#QK|09X^n3TO6dP+!L{YfD-Z=7;+DFDx1@ z!iYt-zkGV)`TEgcXK@0jflKGmc?%EYPuYG|etIWMRB#lhFfPdA4lkzVmC`S#kG+%z zc1Kiz{OL|?t+pHbD)T&t_G3UVDxU!+=WXw=Lq(tH&enTwunL|qg^TCDNFw-)x&=N! z?^Yd9X6x|>AdoX}!4W6-KusKN;l#(X5@ObWn%?TWL2#j*iK@kd!{rL!yiBVC885bcaV{!d8J8M4B~dd+fmp% zXjJD6`Y8~Chy45j(u|@o^f21rY0~uwvpkqU={rMekK3-U0ZxYQ*ebT42L&!MU2sHo zUk%6Z7rDzLwRLt%SpGVncS-L2`G&gpn}e4oDIS}uhQD-I1yv}+JH=^EXo-0-blx5h zYjte{*W!LrZtYxK7JI3?Y5s(}&+1nzkvlQ$z?zb=cvE1f_}-vj(TO9i#6saaDrRTH z;XT(&U1x*=Q|b?l@(VCL6eTB%XFj_AVKVIcm6Lt0@c9C<*@lZv%>@;`dRahPlF6hKQ`okiH)7TDdM)w&M?cJ zKjPRondBx*e+9G7KG0h8KQ}0IVVPk?yW($P@>eMRxU%;K7zDx~Idb-HNh8vT^OZ&U?;QSu z#2?%Hn_Dc>Ks6QVyOL-{+?g{SYikAu8upO+{FLu*ZdDxeD46_fy(#G)&Jo) zf4${fe+Q6e|9;vZ@W>*aQu3Z3Kw7_?ucCyDVQz4i@SjfPNjCu1&B_`2*K^^IRierO z`F6L?>+)aa_#X)CKQMnw%??0)mu*WAFk#{cll^aelJW)b(z)2Z9ct14!$WT*tALTp zoD~!TM*sbr03GrX7=x`p*k!);zwPP=`vBjva1Wresb^DO{}asq!X{6i1N@`F1^M>( zZ21o`ib??F#A`i=-CuO@f4NTv=rGW=hW_$Lwj zuMYc@Uiw#u{n6C@*Xa0@vGuRf@voKmC(Zh=(eX#k`X|u*Yjpe(H2)eM|9>$$)O790 z_<=Jzrm$hHRNnM>V<`lfmi)6CiIAU-=b9&H*xZb#BgPlIKf6EH)KLAaclWoG-0yHo z;4I!P@6t$^31$H9MUY3F7qm=!_a|fJFVFn`@GpNzLMTYiO_|5GHvDhD{PVIu0S*dg z<)}YOw?7H~|9H(W4=+T88%$np_j17Q5dadw3LBQZfocBR?VqbXmaL^~<3)J2LP8zvemeT+GX8vHrq!e8N z{GjaY#&mzX?LYkT&&z%w0X!#{KHmGkJ%#xIcr)rtZnR4MdA0uq0V!7icgDY;_CsX; ze*|m3op&ZJ0DAQ0A#E3@mbO};{glKYMy#kJn$=_6fvJ4u2iY(6TN4xyHxLgCP9e)9zAm!|yP4hs{FK)y zC&>R#eo9QZq$w``Lp%Vl6d7Oq(%XD__IUw9Jr@LHb* z&Gz2+2Si=;flPlo4E&?uxI(fNeijly=6)tSf59E^`z(TWj58s=qC|NvYBdJYpUL8& zqhyqj*W+j&o=lB*p75MX{>Kad<>Gr1zD~G=kJP09!~6ewYYBE1Wcr1$CQ0MGd$U3Q zO5=4&_q<_j^vP34uvl>ICh_o<{}zrZA^@SfW@Xl2Az`8SwTWYRI#)bMZJ!)zmQKBw z&OvL7wGhsf29gtQJeJdAqzOy?N80>Bll;23>N>=h{#&B{^+Derz*p^7s$N6#-|@n4 zk111;oU2_9@c1jN{--O&6PMTo;L-Z;0pd=OpDkbFQJt^T~DmB*_Brsyk-F(M!G0BB9#3ddE(b*ZbxIBGjC&q1vnThP8Jh1LOGPz zf57cW?DNXr`vx)*qZ+SA;d@hoB1x~OcWBe*TEd(8kJr>o(;Ay@P!RmhD}OBIX7Iv{ zU(B}WyA;JLm5RHwt{^W)XaW7DWa7cHrhbx`ph0}ymXQh7sXdGkg?rV%f-x<%8+Q>C z{z0R4tN`Z;>>DKfuUx*w=S$7Yn5|#t)Ml)uNVTRJsZz&9(;h@|J4BI)rPO;bI1#4{ zQHE4G*e^KOBz-;9_OoV-72BDP%#(R+`e{A-$G(?z0WB%En&%316@)c>LG>}X>(+Of z4KCwn>6h9(tFL~_<+(96z&jYPG;<#|P;>p$6K|i^|0$#c(DC;M#7KEfnC{myhghlG zj!)R=!w4tVmcoi6r#YiljC6&vw@7lDq znj1;hdIy##j`l6){L97Vs2t_htdlehAO*mPh!QvBk>yD+3Cm={1FSPKargypF{6BE? z(wBx|GDuD#orukjbr+Q~Vf{)_1)y>=o1ebV>F*fsl%>mqHJ=m*<7d|)waVA6_rfhP?MgA?yQ@~f1lHv7Ej6kN$!n`dDF8i0JTx78BfpNQ_FWZ>O5DTg;x2iB~z zVQ&9!NcBH&VEkObw{{kilPtP=Espzcv#usmvU5~#dQGBC{Js^q=aVbSmI@zN=($~F zyrqJ_SkR|kxd99xSd*(73Cqf5O1WU_n9zW6S;dpY!Z z>`axz1TdpAr+Y3(vjv`ZZki*_=7AW0qb8f|gVqV#wAIAus}oFlG#Y4m--c3`x~*vW z%QoYf=(Zx|5unMm^Y6xun#-9%Vb`I2mek>`onqE$Y}})PUc6?H{1_`^hOCY#WQfu* zTuS+BXF9GXQlsYl-p@~j?3_OOgmL#ki&yKMy=SAN}Telb=%nINZgg(sH#4@nV! zlGFVn7d(>;LpWaXwOf{mJZyh%pM+8za zE#+mC9%sfR+PGaw;Mfr8vnf@7G+V4p{^q29>8LpOL#IT6K6L4ucOL|d`*IhI8S4>% z49B5y1_68Wb`m##!bG$fu`Il9uw^_WzZDzl0F?DWIPalml3dZejCbG|_X zk$4lVPl7*3G;;(bR@oA2OE{Rr(-M(_>GsH#h18cz*@-(|_(0NFXfQ51o2IraL^l4y zg`Nvto0wrABieLIHVmd7XK`Q1{ z#pz6occ)FgolJ(`^JSUiV;SN71FANLy{%zK%9+z{a5xyMm?RwZJJ!|!3nvzoDT_rcy@J`H|@O3T0Tzfp0)-D;!eq@m(U#re&f>&ulsy$G4T(4{4@@WZYF|B6sT2ywh~9)W;cx)~rYC@6mCuKj{vzfuC-u{GHw z5MYd-G^sxy{~H+p)0$hl?AwuLj!#5ez16RDWizYVSKOq{i3&Sjw%xaxTg@LcFo}{u=H69S=Aj)8 z=;UY(0K|WQAksnAcE1bd9}rC_(-NVc>M?a7<{YnrPAEW-&=~5G7s%gxMLQap8>tt# z*Kj*&BWs+Dhjz?gkXv--C2%FRCHc8i&3U~|N`6i^P81&{r1p?1_TBBFaH~!$11Iz8 zer~u9W8I=zVCxuVU^j+Oea-8h=C#Q?nna9@mu<=w1AX_B=%t~?Chv==(=_pxSEQ1} z>NM5`(5qP*enY?J!TqO9@Obv3^e`A7?fNl01{KC%Xwb|7xol= zKO30MCuvXb61&o!J83ouatz#XP|`sUrl&e{gXrGX7|#qDH;k@dBA2HQOyD7|SaxVH z46I=7aJ-49UwDG-YqTcD3O2{TAhf06V``#2t``Xr#e7m%+lrI!dEFU1 zk+P1ynx3|cEO6N0DPC$-eOInJGjt>5^AqiWq(Z~t!TLOrJVqEt?Ln5&Pb!RMO+LoM z>Qr|-^{8z05Bu7YS;qV66_38bg7vid*0XXizq?(-ND;v3;c>HeNJ>G2~{<)JaPsC-TKe ziv-Ro&VJNcXhF=G1lFoO1$KUaaY_%rwxZt9#(=CYKpuwFScjeJL59sFPSIq?ga&}jIU;nV z(k+2Qx7Qf(PQt=@PKm5A`|UmApBZXiobbjqr4uV00H#A&YTC-Wr+zU@=M_<0YgUZy zzD1?b$he92=!4(Zm+Ux0>O=;w{TWhKeFdBBM%sf?eOgWuua1i0)NXE%I==3F&e$yV z-XR6F$|07L$=dF)w3qI9;SG}CI=Q-L`ds_<@{W+gZFh&QSDx@{u-FYsL$J!rlcQcs z{hB+qn1+4ja6xY8y&BGS?nCDhBT&axD_fnaY}Rvvy*~P$>(oNu;*JU@qD!>GPlWHE z%vA+xAZNcv%KJQ2pV5!V@#MH)UrKpd7x!!n^a%(P!AW*p-gF z`e6Ck5d(};7wB{o6&^lC2R2Tc`^0LD4dFA*c-ZLxb9@8Obd6(^>LXOYB^V>o>0Wy8ju5Ga52!FJo#vBsQQQ^b2%$Gj#MT?-M7f>+QV;$i>gW zual9d0-PSV?^i7k7Vl{rUC~Rzl_p|(>GtMVvv`sHF@G-)Jrriw+Hw!_>2L?p%l5{? zUtEGqj6yz$Kh9an7_iCgGE2XSDwZRksAOw82X~*s^L0U| zXjMbIOwy`rzoQO8@gC<^_Oo&6D}Gn4bXAWGnRASS+%PR5Tsb{z8x2%G=F>pzV0P^W zVjJN$*2zj{gm%+k0F$pm+-8DN|CWry)QcW6*8uJMgRr!>U_D_k6Z4}a#I+(XY+Qsc ztlCy9u+5=(_3b8PlIa_)2z!+I_8Uyk$V=~A!>Az3{z5#y%gqzG%WK-$TDnCq_eVMo z=nD8VXSYP#ags#?=MyvHQ(GDxHu`&s*rr+&eK)M`ZMY7k!cKz_`34zl&Y%g*-ho>e zxUbA?4N{>AX{p2!P`1tOJaw13BZT@RWH<_U{#gpR2O`VIc4 zy7^V|@dr1|4;e8CV&6_85AtVLHdyEm0$8$dV;Y!iOo1xoS;Vv29F{hRD}F;cYtR8? z*$11&Q7sMEYP*%H-Gga%f)KlrLC)VHObw_VPGpOK^BHq!`FiQPAVbm})Lx`=^uB?+ z(B3dT4Xwyk*9+`4M!wD+>+|M$#Xr0dRW6>LfK^*<%ESta*tX0rjm7TRIPg#6X@hU6 zDsRg<9L%~Sgl~Hgvuo@r>~|SmC9HR~8dw(@+A0qOQ&LXbOMQvJ3q&F5ey-ipiL)MGLuy=W=dz*a>9)~$!rrO zag*E|XCt^OULb7X4)R`j2T>IP5BPW{B~e__=jpOY`PHWMO(tcbBOT-&8)65b?eYAD z9sd`*cF#zsxaf*n3GzpdU1r~par2aQQm;KUg;{lnToo_FmLqEYf=kbVzHWN%j25`> zY{U=M9s93vxLR42I&{F&W=A3KqG2%p5BojXj7-5d&K*5Q*GyC~;kDRuj*yG#KoMoX zqenlbe=eNE=%`<{@jK9*a^N1(z3D|>*FfJ-nanGn2}&kdNHAr!QaL%f=Z)t{sRE?n z>-4#;HnjYlJ`Y}>YUmuV`JKsqGAu{^_IGakon+%#{-GPrM+5|TbXoYr?=%! zaMU3}r-a5MMm{5ZpDn~%7hF%Ze>REfWM>TEZ>`1S1XdjZTgA9Jp^sqO8Z^saBkx#5 z6q*+s2uM%1`>@^I=J7MT&4(t zn*m3C{H9D{rB7WgS6jwZV_R3x$~u2|VScwJ#vl5|^9}(-W#2xFxem(HVdQ+0p>Z4# z;m%adS7YgohLy5EUG6SsX-B@(gl@+LtW3f)6OE3`_u{ryC3tydCFJ5RjN(S8LVjC) zoj?{$I|=*`D4tkUs&bj=_TfvvbC37T37%%Q&GfZL+;cc2yBNj9NT$8vA>}a}!J^~R zR_ri9D3sK!>%NP3PN4QV?RWXr0>BVUO}lsc^l%m4KOL?DoT;RmjsWF!?TdpN2wq@T zadN&P80@1ErR-)4Uj(%0RpXPuLX}He&%)uiL&UZfjSo{9uk4<#j>~3FX@gyr$yq$5 zvgztg)B3^)zVAW>XXm+Z5%H_It`lyvn`2dVPJ&gLIVtcxRWN&EfPqtUZ{;)L_pe2e zUG!p83<^Lz**&j$=G5204>(M>X|Bh+yt+x&;=~0gjIEW6W97qqoA-}K%$xYB5CdL1 zdyaIMY8H-R)OaMDq-+5pY?xYQ+ncn?f~(ampB#DAyyuAfu748$)U7!kZC!t`73y9} z-*&zguJ2)VN5i?LU){KQj`3;}(UGLimfz6lw@!LSt}^Ru#h7h)V}D(^wZT*wZ08%} z!u5v?+{P&GZDhs#tFgj~g`NRx^hxnzM~(D4ALEltmCV8*jec!I3EO~$KUX&VhOtZ4 zTDKA=SJ%{ZsTRWu4WE0vJuVR8GKilMp`dBuB418a_V*pgl4K?(SaucQEU5Eb!JEsw zT{_=k9uuZZWv9YNIT331J9XXVjNshfrWHSvw0j!9w`=M+9+Xz2(ywK>L-|w@5Efh7 zagilueCEk~cQ!D$nL$)EKZ4&a>lGtF>i#3)*n0r%qSl>HsKQG~WaX918TB)vi?-DO?lim96Q? z+U&e~Y74hmW7Q5I1&LMII%wQm6cjAyh4*`h5yQQY1_0GMm%w*e;U044BQtIB*4{Pl za!i~)DwjYEzXparc5NPdeBTqa@EJrgJidg3+TAplNp_o4zD*QiSHn@WE&-?Xw=wb7 zIRzsgN3}seiQ^S_> zoS%o)%D1A!=WvWVJ*ZbBrLbW32MDXA3<##$^RWn1M+mAC) zankYbH=E}k@0Ruao-#k{d>$<8c^BY8#HD*;;Dh$A9c8vpDiVi}GN-&o?iw6SRi&GM z;f-(FQNDvIfPCycg^LD$Hb785n?n07Hf5qPrj7|b>#b5D1r>a%QxlkCOK|%JsE<`q zo7k%JGF({1mabM0b`q_|XO)l$J-QHzZ&RoD-p>YZS9B^KU(QeDL3dpL>WvxP5s4JM z;x-@2c%6OYNJV8oSKf!dwGM49WV%kTBzP=;=Bz3o`_fdcy@`|3dA&%xbAM`RUxPa!8Np?%@}5dGm?{6LO)RLpDj0O~D#{tNzJ7Vx#cBOacMKQBK`fvPmfHS;o-Xowxh2A# zN?1Sc&4j869|2Bxq3z8%KvgsFtUkM2J+)H?^4Dyk1xA!*d)M9SeI$CqVeYTJ8D8>& z>gzsW6u$4W{)f1l7|YKZHMQR5I|ehHP#PUioGEREaB6>|GitjS-^s$XwLQ`K!9<#W zO5nxX`&G0M=$nb+DnDnEV-s|>W}Qd)_tKsvjSHtK8ya24+(2EvU&Fl3chhGO>1Y3+T=S|(1&=oRu=wD7*Kj>f$CJs=N z5LS=jBHRMBQJjUqs|uzYrVigeGjBeL0y#8v+$Iv_bfI2S$F?8V9;#XZn!fC&v-Q=Po%oJvIf|JkBbdNXx`jE;A-om}s1H zsWH#}y;6DU`>hwi4nmrLC_;nZ z?Mc)%A^JM+VKeIl3c*6dU0J(xAhV`P5_4(WnvpfkC{zxxjv4vyyYZ`wf8TN>GhL@> z*0tWn>$vweiO`7$xI{2au3dXlnAbR{$EEr(?4m3)chxvc7}MDzY>ZhQEFarnnhJFpgwY+TZ>bu`GYL^ZVQLWSI|5#X|kO5-OZ=CmI^(91{5iXGURrI*wXhjv9~VM12!! zt;{RREN6oJ%#f>2F0{oxWoodOKE0Nqd6XzRD&d>l4i(Z`^f5)4E-pf74g*Xhn})aQ zh4<nzMPT`05H;pEmJ>Z4Rc z`51&ATJs$wXWnKjHhO(G+0uKw%!qe=J*Xs%;Ic|GgQ4f4xlj*{HixBp*;p9d;GDpiZ(Cp~+82inUtujn`a>to|kgg6}ewgP&_v9r#nhYLK}uDq3>C z+52i2E)>a&L^nuY|2ekbsd}rox@PU5Xi>?li5=H|^|Hb4E4#~xN(VYYeT%$_bz9?o z6PRUASSfxHZYXTXL z8hRHQ(~%_wMF~II?6bYy%%Ef(SVVfJhrVqv?rc|ACyB-b(V9x8d!! znwM$~r8gjCG?s@&q}j?H_k6?L-f>zSG_$HtF5Fh9JJ6HiF9-1_xqAh#Mbu;(=p3W? zXh+5N2g~7dz76VeKRU>y%wL*R&Cq^5^x(xA3oWT$xX7%m`s%SQ!FUqdY3L!ZbCEw( z*A01Y>fo(?;F^!-+iYi&?a2x7aQ6jY!Ui*@CIX)nCeYoB*I+v#3IAO+udu5$5`~ooNl#?F6 zVvH*xfdy1_>l2EPs!v2qcY4OseHAc9m7>fA@-126m4`+g$2}q~mv;FpY<&u8Mz&!= z$v)WpocxUht}wHo`hK_T{`d!rg0GELQ7I|}vHI4(EmNk&d@!dQobfbA^_>krrbGN2 z%=@*1#zg7>O;3A3Hx)b2M3IfU*cNh#D-JxK&>JWAkOoA~Z1cm{efK<~l09RD=h+3I zI600M`>yA@J8foDe(eG_mHV?E|0i6sDBv0%N@sPU^Btq2Piq*J5~07jGI?pC@EFC| z)L@(GU*2~r{$S;H4NOdZv^vFXMejKy|9ac`1{0OTry6E+*Z&`3UmX|aw*3tVf*>Uz z9g2jsbc0eNB@L2F=g^&^AT83}Al*5nNOw0wcX#tX92w3z_jm8-{clEj_UygZclFxO zvQCr)2pq#pWsZ$VRxwTE6KJBQFk}g+X<@Km4B)J!$fD!wZg6~Q7Pt_Ovgiq(sFl+p z@wby%)zvHiC`8q}D%3rQ69PeRnxYMj&ceO!t@;=%Lsg=JOW>*#_NZ!0>6Na+WJ*fV zLG3b-V5*3_b&w*iq{hV+(KmMw0jj1A9sw_fS4Tj-*MI-~@II}f%hYLBYTHZ2z@bDx05{Cxk3>o@(CYP#{~~x>^o8}-M&77&ApJX=;o4n z4y)0ml2`WS-)D%@{=SQBLk-mVg`NYyO8v@{OFmzNz2tXGO?y+kRd=zfEY;s38S4X& zR8RErtzBW5-HCDZub4iGxFfud_Mhs`m@muC6=YeSD}btW#wu68M$89FXrcw0MEH0s z<9c&8S!~evj*^&9LH$c$yDJdx0Grin)5AAp!rr%)=gpW zeFkyXQn}e*;EGfQ>XJs90#;zUhU=PMi|O3$!7 z7C7|!xJ2p}$Fg`^+E%(ciYRQZ+i8EvX!Bl{g-$kH6;gIGN1!xBd2W0alYpzBX8r4f9s>r#wX|BD_8X`6lqMk>TLC z;7$_^JTU(Ch2@5)=J2c*%XL`O-EQnU=f==D^k)Dv&4F&RR61>w-Ay#1WZce_)l2^p z$pWWCcOm`h?6{Y$_z^ym68eZeMu#o0<8Zj`%!q%IoZynSF2#@U*DhzbZuJd_0F}xQ z$FcSV5xt-p`tvF`)z;`Q&gVy1S8=M$wpRTtegB9qJ%iwjAza1{6Gxq*3hdsEW|R6t zBKq2jS25r7v~Wj)roP8;(VoOsn8{e&7m52$;6K2*H zJm+JEkH00o8p2&1bQC3?N$Nr_Z(g_lgW;~zr0e4uC1&jw^GhwqtT4r3cX|0fBS0-g zJZpswHc33wc>dk0@A%@YLKuB{YTiqj(}bO6R{xSm288U3VavlrTmrC0itE*W zkQXr)m58b$$E~ZU&R4$jz~eSF8e5jP|DqtGICzxPB8iq7bSFOSscUlvLP24&kUP@-kYqq@C0Xa=Tnl`2hv%WlX%Ess?5!b8Cn!eY= zt9e3kWz|Pd4GQuJ%4|1M&`y9n<@5dwr_K5j=?b)m=D;fxtz>}=aW7EavK<@Q$oxwQ zKyyEbF@kpbZ|m8$D?Wxtdpe6kc&8|FevR~3U{t*OIuy0a=kut)L3A`vlb`c^UPDBO zUF%Sca>(rGTQQD=z+_{yjBP(x!W5-F)YEy>w|PO*s`1F<>EjCP;eMu3iQO5RA4V|} zh}jM>Uq7rZUuS@_+3;yw#xYlc-MqKn0Yn3nCI~2pGCb3r=P03#QFGYVg6oGY_alnR zVpy;rWOTf@v~bmLdj!^cf8mb0L9pYp>|QPnGz)1BauDA6r-JRbm#V8MSO9CwjS)rU z>cGkZij}P7rAZ90$R9#s`6$Y|)A`Po;A@M3!)@OImi@8<Gv^v|*@yz| zzH(=(;-C4h%O|p5^!Kl_W3oW)qayOEKuR)~Q2PD4b&t!eB3tS8N_bO+(yk!hh2v)f$f(nqw4*D23+27_{Vz~k_rXcope4f;9P8#zrwN0ZqsiS zYpfkii7gSgea4o;jO8urS2EXKG9Hjn#Lc9i*k?w_vV z4$UzC%--7;(4xSoeDSoO>`xDnXYp;f_tQ?(AAqYuZ3bkX>gX|HYJj|=uQ+P75~mtS zdV#u+1C7R<7-pQi$-;W_wmPhcsH&QCo6YTVuRaUQSiw1Qp)x)51g(UX*%$85B~oPP zwC;paPpTtWK3&=~P{#s_A1?Dh%5JWb3#W11WpqCTu^_dMf8pr55bNP8m^rzUMu2H; ztd{^)(PaiZXk19ZSnw9n3!KL94rFGEyy`*aI>>dt4(4k8iZ-7+HkajWoxKpy9sdZJ z`BX7!-2>wP=H;&jvc#~s@;l4(|F!R2M@;z?ABG6AqM}lwpsZes*qbdbqSsJyv04g4R3D`=Ni>TSVE9R0_6b zZ#Xre;Tg`BFur%{^yYy{q#|$Gv7hU8h_sKum-C?-&tb(*xkNVyTbH2w#FF+P!ZByP zo!lYS*agu2Hof*e9`EWkJLUPv$c8(fxzmXgHJhhGIn9Slv();o3P10t{0Gc9yg;bsa6MQ+t!s-1IOX{q+bj=5Z0e3H_T>%wk?!^s&Q&An8#);zv?#n zW7~P^V$OI0IuK_A6OGhN?$@mM)<2G}9{mtBIccO`OPA}&3uM>V<0DJ$KLn4W-ZrP; zhcDzdbee;o?;QCow>Q*KA}i2S!mw^LmAFZ%98c;(n$VowXEwr(KQ2AhX&MU+J)pDW zXOq`|5yK8-pGWvF1XFlHufsIXhA#@l6;J`!Lkd4nP5Jk@-=w+8jiuIe9-B$_?$)oG zwB1K}iM4JYOve6hsOr0d8;@q8No{SYrak62+;ZQvcC@uyC?MP@30BZ;N=%Ui-(YI& zjZyd6t=D_GgWVs;4(Wu^ar*I$b0PC{zSNc1>S4_w=}K$Tu|+)+P(4VzaIu;Wzv%rL zUo|=_RqY)LrJo*M;Y};9bb?#s=gt%@%}N&J%i7B4x+mYRj|m8GFqK;9GOj_M>#JXx zUODmAusK~DW8+=tP-C1106jqh>kz5U`?%B89LRgbs!bi;n$V;{ILoIqoP;1}wQh5e zNddR)pLCHK%6wN7v03VjrR7^i)Hb8126pi$@u6?(a)0F!>W>tlS=U?XKF2cUg(N!@ z4OSZ!Y=Ruu-M=bSGh1%qoVYQX0wwtrm(y5*xQeS^qzRMBBBtf5nYdp~ue{^j7B=kd z%&fUrQxTicFWv*e`Y1ynLysokZB}E2q2@ZS&~ne;cfTB=?8aL9xryzR{?M!Tq=Wue zSB9OKo{N@O$v_`LxyA}nLFLKC$7zY+Wk85$j|LNh{?YZSfva+}bY&Otz-=RYgughy z+FXx4_F4z~-9@u$*b&FNt?;PxHkLt9fT$(V7PTKJNqNu!bW(k_Ro=WPslFLoY1ot$ zkeQ}ZY9ssOYk2ZA7Opr-*o_^07P%=ZdSes$HS?$$< ziS_2v5JVV91qMwXuXzeJMJ?3#m2>90pY1WNNccSM3L`*71YT=s?+v7Iu~ve(=JthE zLD;`vkA7ty9s$bdDJRz{M6!A1evM5+L}L?n{`8u4n;!4$ZKNl&GZuhSI?i$zFLf@^ zD1miE9$ZJAMw9(yi9!p*RmAO=>Zq+Ffm+>7tgkiUX#O`MbhHi4ONo^HEV6SO_jako zM>(WY+^wn+v_63namqln5Ws&tAnX`7e74kyjtn><6zeIVE1%~2$`^FCOMks0nREO6 z`X+IwD}TE)LQjpKLXCfkJcypl7i%8o8MfiG`uRS&Q??}}3ivlk^>T3O#-DhI=u4&0 z->P*KtdI^wTzgoh5m92axkBt*Cil(8Ba~XVyH0MR!-=)3l_tXV?X(`4i1V;O&Rh~p zoOH`BW_mCCn>V~GeOh}lICKA+Nh0`X;)RfBPj7|f&P3@kpRZJ&z!A}f1I8)NtH|}i zqXU7)n7K;Kv6^=)r)ncn^cs63xZE7&F3B7D5fMm3QohhBR1K9VtPs1OYd_SE-TS%Q z>74@Wl7xP{)P@^X4hA^CB4YA`%deAFNdH>F8RXKxQ>MmnwOgmA1Pu4#_6tqchYq?W z%Z9_PIPzbY{7DE*!CS>0OIQAKIpKj9WQxCg?NTYfqJQP772Gc~JM&XMj_}AR!lZR3 z6#eQVX^>jWsXJ-op&F(Q>~`gi$%FhLnP^&b$G*3QrxdH|PMe7KTG+>^ziKCMw9~P> zRp`>C@}9sG)%NK8a5#fq<0-Ul@br3bwUl1ZK3nZu$%1rfcX^mI0KREHKqLKP=fx%C zwve|nP5LF0C$VZLMcaD))NTBFjcqNzf+8>{?PtF1Ioi(mgm{^EI|)FJaG?vG0yRgs z14hHBH#hivG-VAX?O547G!=3o*CPKiVVEx5B)^`TmDomZ=IU$3+uc+8c*ygj7_vq4 zqgN*=Ytu(VBGVbYL=GJVuJc_LxUTUwTis7=4p8A*Rv2co$cwLz6`$DTGW6>ptdts@ z3=Y&DMK;;F@Y}~(*RSkZ=RbtpP7%3d&i5+8zOxaIWi!f`qZ=Er*12zGms1y;Ni1E% zb(1-l7tX2rZ?>n#&MWPHoq}3z>$NTs>s>?yLbF)upzIZdMJ`n}SekQ{n&%|7_|Xm- zSdq-+5!yZc2}6pi8dGe0IBpxl9}#o3G3_RMl9$6@db4dzc(EQ)pS>}FPQE|e@q@LA z47#NUzziCaw_h(X1j#z!cp|5))95>}@T9gR>RfdFw{fQ!K4{it+11W)ouuGkf>T}E zhrN{4c}=1@o0q)uNlitXJ2=n?VDeSmwzR<-HuaXDW7joZ{ILmi9u$2jR#@Zs_6 z$OV*0Njm-Meb8KSr3JI|=7g&Sy!_c2G{{_Nz20Mo*dNDy;IFN6~ENCkaUMY^HNYBk#l(6mTWpp6OPk zw&P=T>Vv0tM@+#X1lB{ale@Do?g1{h&vC7mz>Bii1&d0!M@F*loCt@H976FfR;VP` z7b0EKu4v;)X9(2M_7=;*xQA=X3GO}zrLs78KoM3EBqS~TvoMAmY()zDw2@8HJ6h#h zqa?6TZGmaOqL;aR-R6;3KB1w=_hT&F9Pp%HEJ*>^Fc&h`#iIAsLyq+|s$Z;(Sc?SFm*AkIRENqCPZB(m>M zS0_rV`HLL4#Ez=L0t4tj+$2i!>ytf4E^ma4AFpUNA)&BYS@;|L2!6p{;YL}sw;!#8 z7o>stM+L%oTA-K~ZttUS$CO@bU(g7c?=S~d$u!k-nDl>fZ*pDUPpO{udl6I?n{7Hy z9$tP~j#EKosB)NqOUvd$;_@~a;eKW(nFL&_#7n)k*~hm7ycPwum;84MuG$3`*2Ui4 z?EI+bJ1_Gb5xJ_vozZemy)L_)^y<=CB0CY=-rmOneGj77s{OgWA6{?O?@C@pzFMiq zT_93jAz;)fbyzNQ^I-wG*85=_H}9o+Pi^vn6!k?wvn&|glTBjdNRfrEy5WZN2=NV#t-)fLqY5G&6xVY!BMS!Pq`=WL_ z3PWgir}_6#bWNf#Vsq)Dm^J2|9x-5%dg|7?n-y{^G-DLF+Cj(_h3{w&zGc>uM1eRW z_~hmaG0mV=r)e9PH-CeDDw*qxzW|8+vc~G-6u;bo{f;BI1SR_oM@*_8XV=C zG0!7D56;Bs)p;(#^67J*L@e9Pj;)z-)ui9S3QnTa>a6g{@1lE-nm#HuYK7eJ?si}o zRJtZ_G(*gCP5UYkDfLWTT3(Y0c~+fo4^b*#Lg;DpPBSGyGtLD!{R`m4+$^q_W-YxI zbnJf**fv)+Y533>JJ(+ck znM34`yEx+UoMC9$E!mmrVEER|u8@w18wx#?(LjgG{iV?$CkAr~&mN>}r0$O^J^H9a{J$Y*=6UbksWFhBF%EjN*?#gN3l%H=XH z%fA3>IshpU7N1>giJ(;{PaN58*~klb2s1{v%)>eFpO7)OFTNQp%Q^y0SDwkW?+BE# z{XUW-fLbo5pAF~iggkaOkV6nLS7l#dWbO3cCdk;?d)AfZDLkc01NS*oTn@1i{~Fk7 z=||nRyP9R`33wkoSdhzi~Z&jI(7yeeLwvX4si?VbI~@2%pd3{F&UXJ&wI&qGiF z{t2O)zCStXAnj6}m`VP?E~CUT!spR;fz`}S+xXZIJK|g-Cqpj#E3GB&c%s745%0x} zh3AxnJJ$BS+nfV+zsh)`Pk8nWzO};TjMe2BMkow{>s%Zw>AjwTALM#x%-ms&TY5boAlj1_DOoyFotZ2wzuO zT}TerUVc4and302^33(`xuT%9Yv|*G$wh_^IcwwTn-jMb3iw z<7Pi62yr9v_Np9!&!gP@!&68TIcrwMXwA8H4>B_)Cn?NY7!64%fsu@Vw)^;*AdCYN zkyG~5<(7^o7Q^g89GiSnIn%X~E!$v%~+Mq~IOHL34hj0%Z7nDy|fb2w|!KRoc?pTC__YiXXObrYZDyGuTtvyeVrM&6aCO;3lagTJV(lIE!{(3Sxvx>)a^2@Au zTEDQUxU4(HIp}IHdI8-omt`ZbClJ@A$8Zy_xDad6i#FqsIV7Rw&A{JV0M$!lL$iv$?z4F zs8}i9x|)q3wu%V%<$kIjt=8L7v41@yXa^rNX&S;c!LPg!R8qq7Je3SX0~WQBg9B1y zJz?!mkC?)PLUV6Uiy3Ei-QWJL4F5jLpHFyilP-EjTJnLbXcOWQyE}q{m{l^9K^l4* z1`?kZCbWXzwueC{Yhz+jk3%#m<{5{Jjn;9Bti`ITFm@#tDD8|GMD-=_+1mlIH`V3% zC-Hx9=kDus^1d>oEvY*4$)h*?w9n;PzoOA3trT?-TAgTG zCETT|W-q_i__VOZLe2&22SxUKKO6z{4M69o=|QJZ+r%zDtLLdgv5+}Qqk1qP}C zF*xZPPw`r-;Gdn_ zAGl3wE;Mo<)O~#}2vhmKhxGuMz>SF%C80YuD%)a7NWLNVo;CLWU_r1A-if_}Ve@#A zl=aeCr0rd5+#V+NVAG|+r@;vbn;_nWvBKscg z5$MmB7roUqat{VK6pQhyOaA&UwEOekbLrNvZjntg(b*vA?Wo7NCKfxiAjxj?yZZFW zdSiNyE;##+fn=p{BLuDC?a%c;8k(dr!BYx1{LT%*DKVdv=YHn1l63!TNPsitvzzw* z$^S7le;rm>W_E~}zWdXra_RnTaVZ@V=ST;=M(l^rt?($&Czzgl9=X?)jGY(1;b0)? zM>G8*IERGS`gT~MSK|YxynY7s#~S(o3HCYuNDqDTKg2B{%V`(8WtOr7O;(~cA zzproz|CghJi!xSzgd@#tOF9SfH>=FlYWQ}hJDM?aGUo}!=wm939f^oWKtJ@hU-8g0LZ7{ZO2aOkk3dB}Gp5WXSVfiVa>P`27S4UJ z%5e*fGUc&$2fK#va3hDDSp=@;Rl056D!zhq$YFT2-KZSf)GyWH^a20n&+>7Am2esP zyz{@L6cfd81@dD+ci((^t{QXaxA#{%3@nrSu(7e~IXa(AhK;>nDU3>)`d06Zhi&tfpYe$VG8PB(+k2xA;SH45|S|m2pSddJZPD)e_Vo}gNYZ|APG6y zDU2=1ChYFn{A=(!K=iX`eO#_;U6yepmr62f;X^Aq#Mwk2fJusf3{6==%?*d$yU-X5i38|D*IC8}Q=Y)&khW_$0#kw)) zBdadGGk)b|jv}~`4n%H_0@upl>lTO~yjc z@PUvrJ_6K`_8_>l)-$gl&cWcL{MHDWucRz7QVT26$hYs4m)mfjnO7(E*@Gg(lL@5{ zmb1&iXX1Yl_7^Od9AjrQ@_a|46_{Y7p4W1k?|l^ zazt0F_?=%+6vDpI#Vobyp-dl|y$cWF6LWD~)zfmje)F!pOl|M-5o0JED~u_T0Vc*j z=nlyLVo5I)TmMpI7=qe@p4)-ST}M*u5S#Sl%TKSh)e-V{w)Y^pVwWeDd^CtqE&M786CZ zUbw#~twrL}9!gd2JP;dZLpC;gSx(W!mk^x6j01`~Xw(R`yXl@+?f>8xHT)(Ad!=t4c)RaY%o|w@5$rgRoykDoKzj6W*YglQ1P({aJMzIIW1lU* zySc0}f~5)Q4bwT_t9vdbj@=q4S%9g^CqQZPl(X2vI}}iVijsM+_Pr&h4)Zc)7OVK` zcx#43sVXk47Q@2p(q`nYl4nB#TG>-^`?O-S!bK=g!CN8y!M_sj32k$$`A()}x&9BR z|2oB@;OtPjMqUhxg9Mtl{#$s_7fI8rPgO1X^9bFwg?S1w?;aEW&|t3{-^ayHwbIxB z#n4hct+ef}W7b=tc=DX(BZ&Sm_Y)gfl1@1}>@VNq59za#A=5stj_O_wGF!WPJF>L# zd`i_9=MNff5J~(GlP;ufT_a(3lX!FQY?-GEE)c@*7(|`@_Yk(>8-i&p=c88>SEJG- zd(x)g1kvDg$Ls-*|H|%c3*DUxv5Doy-B!PdBz1EiTU_9@e23{7dFi{6dDh_0CKRik^?%6JCY-OshI7DJj;~h0 z^bgDy%A`l$##`{GYar9H-CDx!+EGH_Mp57$%0A*4ayuoBd{g}i+fo>TcV7LOp^jo= zsUo|pEzOFYg_6)HX0B~uJc!lklw);(XU2cyn`FT&C;#>hrEhVP-%QO;mYQo5YD#-M zlChL_N(PdXXZg2?x|q3PbFN&4jDd(Kg{DW(mVM`JBfC>|BHn7BKX3pMt*VZC2jn)6Y)1D z9FpS?tb8C>cW<>1d}0!=44X@Gq)-@tHv^JM<4^T?{~eVk7MyhmywAfR+nm{UZK3p62K6Q~ZYueHjJd}iYj^N9M%b{o-hlC^0Q zNWbDsnFcyd7=&>TBq?IRB#g;7_TOpX+YW9R85nM#`=sT+K;vogD9%)kPlWco$wE?19x84pa-f$p!)BR+OtUTkYB9nRf)EliNEv^d<)MC?_x5VG3+jXoz*%a zB=hiksGPDe@Fc7sJYM)X7gJ3z9y&P>I1@VdBl zJ36Fov=#B-zV80;2^kFUcjS}*u0#YIkq)PZnR`pt&~gx13@8ccVY@%CHs?=Qm<-#C zgA>*#*rqweg zwH_2v+;>36PJ)4*h2ve5#D_xn-|l@6a+=EuvD5gHs=>}25Bx8xB-ELi$g#0~ExklH zU76GD)aQ4c!wdA#`DDUco%O2s*N4x7Ajcv~_DoJ@P&GLKiy;$xh!LC9Aen`Dk+&O) zzwX$0%hdIE8;mf`ak7E&g|=s?*CgwG7=?BZXB??3&x#L{7{yUha3?+mb_F%NY{g2# zRQC1o9sD6tQr|5`&dEK_?n9G*f&~yN;)yF|-iyf>kC9JbW5j0_6aq=aB{wc^3i+3J z2Y*bVO>Bf&B=WTncC23*WR@Osb|f0J&UVVvEpC5>x*e-v{zBU7<4>Os$BoZ0w&`}F zXyylHD_hyR?)I}fnYl!q=6Yanj|$?xNjF-mC+Dw*5C)>d2bG`rI^@Yk0>A&MfsdEnoA?%*%UFlRMQ%;yXyh@P7BKF;6=e-cJ}{iC z+pK)GihU4wfZ!zx6cugN08Vm4naQ9E@b6RHeiD8?J7%D)tkzpcj$7q*s<=alo+g8)m78SAp`H9Mt)6^wpFXz5tktuU++wb7LDk()YD5Pm(Sj3-ibpf z+C-Z(%7k3C=JJ9&BMs~vi_4}XbuxvWevI=;{}g2znEgHFl;;a$@l*P7GgL=006<=m zi@dLJ{(FZ&)+Q**-YDwF=vyIYZ)#IA*ubvb?FpOlf-v{>#vRns1fbpGFQq|70GGd~ z?7Ikp;au`1;{UkxZN`rH$@qRQ;}S)RhLIFEQjJp`EvkHAC7S1~Dc>ho)T_EuNMvhi z=MD=vcawKf0`xA8(TE~T%d8v?d%*HAWJtTY2g%4W?B4xc6!yTau>RF?pDX&eUdGV( z>;Zq!WUSM`S|-Rs_4I^it&~mM3p`olhHH2LYk6lmWieE4LZjI9qp$62UqBWLUaztu zB_C(x#;rf)O7onhD!>|$j*$r!vew-|Mo1#@KVt8tlmGx{!Gx^y-n_+j!;-E2nk ztTbwYxj@tp5P#H(G9DWZMbz9~I^#4mW;9j-GT%3vieQxv)EO+##`93zr ztX8kCJi8Nopz^KUW1~8&VjcVX*~DOy)7=vCNno zr{a~j?vW5lH|Nhxw%WJ>(Y>!fYQ>#p^hzoc!Zk$m3XVO!+xc@^AZ#wq4Epsy!Pa$dI&CpD(f$= z8zyjKnsU2Vo>mm7&Asbl+aHpak){;>@siecX4i9e_7HyBGjVz=6Xbp)6cQa8n5#P5 zK@k|l+H04_$?zl?-xvHt`O9lgjx1{#Cnaec-&?KMTH(CEh^B>RJ7)8qJJbh+@eA$O z5QT`S{xCr_&v0A$m6GOEX4X8f2GJ|2mV=D7!-U?!m(28c_D*mXxS(0r<~kE{3j1%d zy$>d%v^{kaH8jll&hpeF`wx0aiS{wJQ%urMM+JCJ+0}O(EC@&9o-#%DuH~9wj~_pO zac3qlh&_+Y1bl6Y>|)9YO&r~KCRc|N#M8U2iK@&MCBZ!{dM04T;M$beBU^QwJo@RG z1@$>*7>C5|Pc}<-lEW_ReT0o^B)Q>hiW|fAtcj!5pUHg~BDF$=E09%_BkYpuavL3p1N(d8Va2FRhhA18oMavs3&RT{PTvKPk z&OSyA>|3T`@2%FaE-mA7>V%|Of9ZLY4h==jZ?)M-B-Goyr^B6&5{7FYF`U$x%&z_Q zMgb?CjEM%8O0U-5uw<2ol`+AQTUWtHm+FqXcsYV%t@ElaV@|HpA24=?c?dc*SO>)+ zGnVOZ!QPIElM9{l6T@~FueHDrP7pP`-dps++E=Eh4t6|XbXZfvxQrLj5XzsxcgV7P zn84p2@(#5wA~MQmWs=D)gQ2od3?w%&HzPl-G!d-k=(K{5PCN4!qvtiUODF5DnkI$S?Ci%%Ox*5(+I(=1Mdz%_otTKdr zU&YxR{WmnH^PSC8vp`i{KD2D_IqUnrWcv~9R1W3*+TY;|1k0`;3mAL12Y@?VT0wEe zRw+3GL>qxg_9hkH-igCORgLud?LPRS@iz9e=_N;aWkHey=8cMa1V{|*PvG^aj2~5B z+8rJDZbkJtj(()=-8o)-3HV}sS?=+=Dk@z#S#)f2^5(k6Wg!_(W@4G!*5Lf|xV+_MNIA-7`&N&fR zUOvzkE}^cPS&@WgfdS`cSrD##xB-NmLB?dKQ8PaXl8DX4GlcDk_XjI>_+|u-KRby% z?P6MEXtX5=i%;_$Z+Ge<`xe(p!CCS;5`v|1bws*aSiF!F9(jDWzwah6eZ{c~&pSY| zs;mAa(k6+EDKj2T#xq$Sn8t9(3gX zE3&#*5VLTwgu#rXCq0byv*vEXWCL(@23na|m5c+SNe*|~TSVK-Hjqdqw^uv|S+9dU zI@9T`Z8RW@>a|Bc1}7v%`&M8^H8!S6x2cX~G_B8MW*E7|=8t}riItXYhlD0v?o)*L zJt4QwB#7padQieb6rI1f@lr8pND==fEs1$)NZ!d&R6HNShmnL5AL-NL6GQh^``Dh3 zJD4CPGi2zy0JNM$-=9>8A;S$UeXz$+Pf*g)waa@L&2|Vj%m}^a%GdBveTZZDJr`%U(LKhyl zBVpB;i~o<8`IWv;-M+GifM@a>{Yz8dWCK#0(s(UWcuft*CJJ-zQ?L*i4m8ZPb*;nh zit?+0s;p`I?Lho%rjx4a#%>w=oA_6%4;pQQx(2taN-_@-O*hJN%**VM&^}j?Ykckl z^(Av6QIqyf_9Q*n`xv|ZhRBBLnAyedDG^xIMv$k@;1r4}Q~X?m{Fcz-eO zokCD%rd}~W6M>R@QtjcZ5aF?nbbjb5wdnxpx2Ck#{dadC10PnWd-z8q;dw|j-q)wq zf;uv}OYcI&wi#`Zmj5(<0Ht3)bx_D@dC*E4xq$rZRW_uip1949>U48%3-HEwZ&UP( zVlgm0;PvoLeB@X?<@wQIRwz{nNgz+SoEMQXrU~d8*seyMc;+yIP34+9e$KX9!}C6J zI_ZHW20vO5zRlTmrVc_GyseEP8P_01l-BLP5)WZcElY2qQzCxUj_5*Q)dunEL>`CX zC~nNad$3UHqTe0x8*n9Z7Acin$t%7Kno?Q`KwgYE*>k35?DAl6I!Z9MlQFxW^y5QcPUk#zgsS-RZ9F1jJdc zo2jqviwYQ;K*%u1$D#0-;`xW8c;|enKCv*{M8@1IZ}}{E{pdH5&gfd{HQh}{OTZuO zw^707oIxI-1ctPq*RUp1vOlwy6$4c0+T>^a=X|cueacWQF7~d!Z%c1IxqJsMNY=>N z*esk^k`Yf))&)QORzZsWGRT=(q^V`Flm{d}l?J|e81K%*oyTt3W7=V09Is}edu=1O zEXA>wU;lc{!8kA^357|*4&kuEEGuD9e4IGE|6U4rftGAE2v;&RLjQMUkI`1wpvbLj zbnK%i3{R;k$U@zHOq;W?{2(|mX>|JcsKi|j4m(9~!{=B^+K)v!mwu3;fll=)^~)#G zdBn~JGL{tM)K)c}8Q^1*fu33(^jqDjr8%+E+5Wo?jmQRLCX?9B>$WX%h$p?{t$Z!H zzy7g3PX1uxMt0y(7}hy)pb_N-=ckO*mL8+?-I3Pv=~}_m>HFrD|F1Gthb7PPF}twc zK6VKf`~qJJR&_n;KTZFzFN8@GEBD6?Q&W5LZ}eEJyI1p5QC!C^u#k>o|5iYqcvwLZ z1JRh?YO~y$a$XFRvWIv37|h7HeMGUkN@#Q4J@Uj_WSxpom3uOrf`u(WeWh&?+3XB( zrIbv8_Sr6GemEz64U?|od6jloCtW7r z8ZE@(H-Z<**34>%(Z$zswFvi)O&y9nqcc`}e#zVT+eBz(An%O;^5IWcqpRkC zWR~h!|B=iViH6^oXCoDZtPi<0eI8#~em3~sD4$`sReUksDz_i^&{_?*+G^{avN3HS zr)m;%%TF4XwaKZhlsWYfTmQVcKD0(~u!^I31!M2J8IU)s2@z;^8)nZ>zAaj)@{fk- zIprh{x#xDskvCh;nby;=T|@9pl*3N*TMCxOPD$g*?_59_xCL^cZ_Oo+3;Dk%3M9XK zh(~uG_UU2SoW4fmk&O9Rd8{3CO0@O~9OPTEu@_?AWB1@uW%Gk+ou++FD8W zoeBa#|O#R5NWeBxt-8jC}oUpf) znB`EP@8HP~kSN=he!IiNt1!^>Q#KrqUsMpt*2wKvV3}~a8Z?WJ#Zyfy@Z}NyewZH@68>}uo zWfO0!>}I?5F*rH%b8yEv2Z*h#htEvS#< z?!K#e*nQnYU3v(5$5KZHzVNCS7?|DZWj&o7W^vg)`Nd*U)7jyE`J4jc{wvZ%nRA~u zvU)A3K~YaMZcmhWXF=mzV=w+A!+huPjRfl9cqABu7p+h#W8eTllI4;gf;PlKsefmL z@KIhIuGdt{o3-#1KY;7UVhXa1Dcz(>Rp!R|lMnq4ffGqE!WPqCJfZ7NoNoUT4&+s= zZmbh7pCer#>yupaxeJHnn`>QfJQJ7}akyeu)&&0wKW`VMRF1MigrHRPw)e7Ar7{}^ z!Lt^)W-Wvv!fHQ-qMD5HHp*Kv(v$m-ZQXsvK*BT8$6fv!!F7W`t?dHo8I*iyA!3^H z65$j^yW_7vdWLgaNH0D9z*?iIjI#Fzi#`X+{m(M37Ybb{UrDLN4bhc$ z49lrfzZTXD+QGGsS<)-cfsx});9v^x4$t-%GKERp#v{x8iK?u`B?&SKvU1qvSiN8T z&N-;u^=Rx}3xAL|TgQZqw>SNKup)bnd@^B@a)7XfAnVaRlKmU-5{`qG3h#mWpB!1# zZ1`r>aRs!-!#%?+EVfe8(h5-$g5i9T`Gxt9t@7V>GS@CCR=2Qp}#sDk~(D3UzG9OL<#n^PyEQf7yjd5vQ{|Z3&vQiLC=R$h@Q?aRX3_3fUaKpAu0xj0~f1!H5`Qo zhW$pIF!^@TBWdwXN(BcKb|E(;VP;my>TjQ72Jnh{!15hmpnejRoOf9YjBgjy6iQQ$ zhGg%l;U+8#n3pm-Q1t4${-l*X3sG1>4*6{=2IY7l<1v%&G=9P_I)lEDS<)PcH!b~S z7O|)Mbq$rwR$;MeP{^=U5M9DjTinZ_u)w`kxkkw*wn@nz^^fK`!2{_n^f75A0zGTA zU9B)Bf9x7rBEn&l_x)z?1Rly(z~yvk$s1Co@2-!2MGpTEv+pv{#B|0Mk4U$C>Q4n% za24TGnWAmb9wD1Yl-RV`U^~R-n!~gaf$pg-4#K8pV9nRZPu^_arvT=8)55ZqW5M-s2gnrW@&cKaTSa-+J6B1O&p|E8$^I zy)Uz20f|S4Pgh*fqSn9V8)@-v!z=TmGJfUPogs`(-tr9`<=k=M&?|CZskIFZU6dX) z^h*Sa7R=9)YQ+=4yIDEAW1P+zi826%)of9*r#&`lxu=`gjZ=uRH`*tO)3H0hUTQN= zI@`qNl%@YtB~`rNOez*o1mxy8zOM@Y3um6+Q49@=O#xN zcwYr$1Kax_ur!|&zyn)+w^;vg_MtG&FL~M3+E^zoRSNgkEC6_U%5GcS81jF| z60jrBJ`_XsuV@X)0utE3{VXK1_egLA&*P2r%#aV%d*R)?*G_k4i$dFgT7S;Da{h@5z{tS7)010YFGAH2(Rbh*lVOAXQ)8QuMH2k!mmu+xNQ3QKZG3m zRamIOUo=|5S5OIowME`&a%Aw5JSY3{pTHF8gETV>VkTy<+*1)NQEb-_+Gf@V)*^=Y5_0we$k`|MP+GtK zHz4j}MNee}qK(74^9K;J_hfKRMe7|2^9ia5%o-VgxG6}DptR#|uh+G=Vq`zP&xDQl zMac`sq!1ps_twb;NvQHKSV2w`8o07g%gZI7L{s5PAbaS-Aa7H5Le*)K6DgdjNpqh} z@CKT2cxy1#?l%Y3dw-Ec5FR1-=n;(AZjJ1|3c_ZXE{!7Zi0l~Y9f(93zthnqnl@|Y zUVWls)p2G&-7u`s3MrX`fy<3fm~QCB)6$&U=uEs;eph$(ld6^5vTMlldBx~1_$B*t zhi|T@&V4O;{OK&S_W$nfK=SceSZ#K8l;o!aD$25ET!>jL^ zG;{k??pGP^(v2B!j*1JA@(W)5>aXSp7Ri?LHWa|d9b5e#Q zJWZwDOPORzCBZ=n$9y-5t@ByPY9yiVvYzzI?Gcox_8Db3gx0vH!a*L3Vga z-sSxXclHXXq*Fl}h7O4VrMnvj>Fylr{z%{Z-S7UxTCmm(PoCIk zpZ(Y{O_}x{zbykiz|nS>TG+PF`8dsaF*WsZNH{}B^%-r5c6tA!#6Xpbwr&#g9LBIqBi~SH|b)C$+gIA9$`4JJ+yf6HP`#a2atZ|50fT`sQE%q zR%_Uqk@4n3DSV`yME}WDBb4FRa|aK}v#ufMxs7w0XU8EbsDlOG!a}S&o%-K1yeV#c z3z+`Gs(~n8{qJ|@_M}|+^GClt*=zP_jNeRBSA0Y9g6>9i{M;OF#Q0tFteW%>7~=ux zoSvHOs8aJNdxKgZAd`HusH1-fpmyx0`k(A*iqSA`3FvwfK&>*8oZ$Zx72J&Oa_&~h zv7CHlWi{=+2#dvL&*RrfrB*rP@@ANoz86EuU=v^8)2d8@-#gM0|6>LZskB9oTeweh`Cgt7UzS#r z^O19wvR(}4plBkJwe^ziJ@^5w6JB(nkNhxRRwOoC8S-=1r|ZzBgN1TP3pad;T@)Z3 za_PFRdRy0g&u%e67(P$~LB`l8s!s8SCxND;a^d&ftJnyT{)Q_~(`#$ex zxQwpU=SJ7J_i(icXRx#Tcz4^-Z#k3Vr=Nwj582jlhNs+83$Znf#uKoTmi57{{l${P z{bjM)1K-2rU5!qD{(@PNTg;(nur~$OfhLp5r{_v+LD{kH~ape@y2ox043dk86``B?d zNX;?Eqbr?2S*oPPo!KLlU!(U^3clBB=IY9S+MDi-6|gkfjk)9gRB-2F9jJZ2plOzM* zeOSrDg?mFzz1(r3W@Kk}1a;wsoUcjLt!<^AXBy))H5>Xa>Ww!v>hH+GxhjgQyQxac zZ9QAx%lImlh)fnuhu{!vwi7AJ-XfOIM;g5cbKr&7q!T9kYZR0atsXL@yj(U#kwVIB zOtjNvqt7dmMr9U93QG43Zp%*E@yL#`T%A+ISG`jJ{~REbYmO#-Z4o^Y?b?F$H?N{S zfOmd-Yx8B^U`3tsFx1I?1U>aJ_?B6`jSBg@t+pzFwCrRz8lc+rqK zB$aPRQA=S}Xo7~6>+$@KsQG^{@r!&RONh9{Qtir9xaOFxq?u(@^z^nLl(CHZ@a}zRn1Er`}j*7I`A<5RG zd?JqWbfr}z8l8bCyHxOT*XE0W&I9z-d^t z9V3aw*WI>NxZEbo$6Yn^`%lcWxb_fbxOD!%2?&uNy0W<6 z8c{&af)AvTxykXeWP+xC?5umSpzs8>W76ZedC|0`C(*CN)RxWW41);CpRem_Hvfjv zS!YHld+roeC*&*iU2~ z+k6a`M)D%xdKhEE_+}ZwMbsSGK)#WCP;TMFi3i+U{aU(IMF+t zYqTPBPpmQ40}#mC0eF^aeTsw01pkRA!9D2p(p9W6g{5qX9{htRcbFt#by4hx*-Tr% ztgX`+9yv_vPjlowHiT1v>QX$0MVz}H0yHltcjZ)?ms?lMCL&+E#+OmeIgZQhjEv?+ zFqzn?v+wcO?g%BZS3Zgu37j;#)Yf*K%Qiry($^2ecAR9RjL=`wGtF4Rl(L4Cs#fUg ze;x#2J9?VWJl95@To*Xt1mOjDu1@@4+{KEO?X+)E&T;mK)i1Tw%}^amoZe{Us=~Ab z-HJHyU8t;;S3JIrPDA3xJnXqF4Vp!6+yfAu`6dhLXHxOO(p*hvg1HlZ`%dxQWl&*~ zqtIk=+d1HSR>!cnIMmSJ{%yFI)0cHY@xfgt{ErSwvq?hAS^$5Rxa|^;y8Oc5^vTw+ zywjo_Q_Upz#?15CzpPy^l03a~b1S=ASu4$WP{uRM!i&Q_IR=DXW#SgPiDPXKO>_SJ~74FH7gwT^}yW!h53%kvwRHGx#s{{# zkk4x9(PdTNsMQ|~<@77r5kLE~^LEbVU9|)q(|QTOCjnSm(`~JyVgOZCZ^=w7OA-}? zX@9m?9nWGtPQ5Z_))L9l$2x33ek=RntpY^U(OnoNS61SMx94f&-LjRV1UsB4PLsm} z+z01(lN9HnYp#xw50z`X_Ynfuxlq6w=*#2nt3aSuL>}iE*&y9OrHozm3VvXxF<`Qh1v2L&0(VH~(#z>%q#`dasZu z9(f`v{L9iVmp*+*m93NLoq<+z*UrzPA=37<=D-S4Lj*+jo5>P+^1EF4?FIO2CNK2X#7=^ z)<^ZudO6)-c~z%=e|qB4-rZslDC92+KpGAu#lDu4apJ9e@Ve$q!rJIzuOA-)DSV4R zgnqddFUQmD6tdz~?_n=WASW@ihi$((3F7v}cDVYM7lhykgeMbeby_o}TImcVnveu{ zrh)VX+n`~5IYBYXR)HDnuf3+&7J^f4ov)MH6WrSrT&C%epqpKhFud*hK>(>d%r`g9<_Va65L~j+i_mELaY}+OoD><7gkyR9 zX?o3Fef&sS+-weljYNv98*R^>DDGz}%`$=~NRaj`<7!yoW;CNshriz@Y_&L!VYB!P zss(3g32nsH+@T2%KjWo(LZWEKJ>KfU6rh3!re5e$`&!9giSyqWH_)rNg$D`Rhe+Vg z-tm^WUU{KZpt>an-&NqdFswo~Xz>6axR6M$x&_-drNqAai^r#0S}AulHsj3$Q;j$^ z52gZz^+o?CsMdksJ=wX1w=p-$YZo~v&=)7y7L&(2q#0+m$`Bl(MRF>>>XayyC07+y z>I>b$w#KUx)md>DiB=VNj&0Advz>2bxo)xVG?*jfy&3{~Yhy zjoq;<;y80|8g3YE|B&|dDeBpmgB*ns6r|35@}-T}KkA11f;`bHIQ<3=V5@9IW4y|! zWkH^yGJp}duzUz$dDPA478$blu36~hHq*gvgN^DNa`n-6qtEtNSD2?}OFZ3M-DB9d z_gI*Y1QX&0&mBEJLXFVoPB&Daru)WL}Ma+mz?+w1pXqYY0o zO7I`^OH?1~`mt-#Yz?`KOB;8f92gY6K>7I5Wm>JWV|S10w>&2MRjQ8l8ay9|$=(oL z44uGVU>K#etEn;ImC>pkILEUQV(~W&i}k@pnRJyD%-_?ZgKK`Pp?*C6COX76;Ybe_ z#Gr@(s`anEN%MPf$PtKhcV3rVx?d;y?t_uRh-X>?`nl)!2~X=_d;&wSq#3w2EW14> zyGt_XJot3a%a`}X$nbSs0KJ{tH1+Ec=z-U{HWQ*`6yg!PjWfa z(pY&aN&JMJQ^IUukHUiQ(NBf?DNr@s>vyK6+;pDPU>utanj38#Zb_xht|&`X!`je&kmmQ6aIa641SgK`F>g0HtfhH zFXl%3XEyr+Y2YtvziiGRX91BoXmCGUKXBt)YH=xEgf~Bu{mza1V(8bP`Y52n6*p*m z{$rXI>iV?lp58UZ@bV}KQ+GQlw-G%QYsV|ep#J_mN65c`KRtD$Mlhm3{9JB&Xq;mG zqzzqfz9)X(kCbVmiXn76>9BT)R7%tq_w7}=skR;^r(FL$w-F9a5lfokGU%;;Tc?1H z;v~W-7JjTX{obc7$$RFB_~Yw9^6PhC4)^PZiLXwi8R{^HHO^KEr$6jK zg`|j4ZH7fw6SaTYY|>C?(xsB4>@0$*h4;Co$F!AZ$JdtsfLvDKT0h<)Mqh&S@Ig*! zUUnAa`;L$q`YE!}r`6|25`GL$3H5_DZ{mL)&8Q>#5Xq94>+OW*efz?ev$nF6L}KA` zBlS^R0U9i~hgterN1D#|a63GJQOak4KI5G5yScxCAD{my**_EJhqYg5m|k3@A3!%c z*XTmX@@2wB@w~gbVlT^^oooQ_k;l9A+LE`F&ZJGbX4PlkNLO&18i(vGOiqio^+q_Q z$08H0c?ItMCyUS~Mlw?aKo2GR1onNolA(StkV~Hvv3HY|uU=VdB2e6^B#Q!?YNFon z*ii)YenA{zj{_w>^$ekAE7MLjJkQLFD&pqQy*j#IH$ZIyr5=$>tPjowT^v9(4jN=< z=ch-V?THl|W)?PxsHpi=Qb?v%W2$sIx*mh2qoX=O8JP z$9j$U1n64_&DL2bD@vho7Tvl|QNXPr3B1x>5##ITL_m9eJsO4!Vf6Eq1XbF}U- zxpSs?qPA`rdxEtnR(p<=z>d_jz==v8I3*s zGO)r=2kj>ES2neHbROA<%J`8HD8NzpT2kxq!~8h4dgT|F@NWSB3rnVhx;vRa|HCn7 zT}`#lF*LC!DSc`y+M!LFneX;wjVJ?jq_G5)> z!-D}9Z>*FaTO9JHRQ&;nyttyhZz^6fT&hX5&#r+kDTQ|~3H?v)VRZF;hYSk`(a(5JgY|=bs*h3+n57E{O)m1U7eGB_gin9&jI`L zO+*M{dj5Q-qKpvg@l1*qi6yRvY4YzvDm-gX=jrTuk>7gfJ-d?yF|)tzs*IsKjAUC| zhGfxaYn-pg+efl}PDXft={CD<7yK!3R8`MTdSTzr%99uu!hD0ZOJZB`6-ma~8Kqz_ zzNVXt4>z;`IXlH@v>s}S3Pa+dWZ{dP95B9IUe3q=3YA_oLWowIov7HC2kBdk(86AJ z6c_3NY&Unc%-G~3jHzfxE$icM+L&I#vFTQx1SH7P=wtzI%1Ofbj=ued9RpnPT5+Ub zf+Z$jQfFN-%J&2~Et(MI02E42s@U8S34i}fBIWf^|BPnkTdPMPVlz>L-^0fUx z`KST=_<Ad|3CcK6JCn=1KFFO}%u__dydxN*>)0 zkNMYr74zKR!kNJWX^OIh0Lr)~Px58riFFJ)7SyI35w@TEaKX)wcNsX0A+$ zd?#orYgyEMQbDbgJB$cK`S@zY<^_#Q-PsG67Ti2*JvMDYu9p@OsBf?!(<0=x@5o-M z7a`*qo$mU>>-S`m>~q|N(;aoeX&>Gr!5?-v^^ZWM%9ngxN)W1{B=3E0U9P84Ch|0q zlAAQ_Rn5zpXvO9C(SlIWx-InUq~&?8WA4~C?~9ZNv|k5*!zeYD%nUiId!X+e=-Wum z?||~J+Hk-#DBRDSpIr$LdqDD(+s+DdDEyO z6vBvBTjep&QbDDG0y+jct`$Q;Zng_}cn4p0KVos*U|Ckd2*|YyU-Pd&_!oVVXvA`$ z3k?QI$kF6JN#O>8tI*rarunfh&cJcCU1(KEr|0zEDttr`^gY9pro;%9>cG9S}KmLgX@n1Rfks7= zv!A=MiFgXVKrSqS!W)&j`w?6Q&srtMGoaB?U^pvL zR(?Ajk!Z&AEc4hhvfnLfNKmRua)?&^>>0xeKdzi%0JF2=~Zsy8gO7@mr=R z5qsM%PXja^a-g6BoJ~Q*bF!vPWsk8xg|aZlk(t*WFpFPy1}^V)p2}X06NqP(5z#zt zBXk6>{?LiDc-EgqFu?4Ro>!wJcuLG~$|^{Kbsv!u(x=r`8AcSVNfhYmd$lna+nTJ1 z!~@Z)t~XdcC;{yrJf}9?=93{0Z?#8UKdloJ>E-)yz!p>G>cSTqy8bPWB>VaNcv93$ z0;H=WA&Fx(E>&DyP#UKAR2k{HLak)#pPecP26N-#%=7uS?=jZYiJ~?)+2%_mS_D!g zADOF-zE6b(&09K<868hga&>PII?g8rPoWIoRbJ)yTZt2}EJ^@>dPorZFLL^pF4ROb zMDMSYtw}e{cFiVA97;{%3g&9x43e}T60XgS1ujzj*~kT{=+3xfMfB2 z&$Rwhg+yKvT)&r{hud@(b=UfX#GMZ|NMD|5=eo&t(I~@8OPo{&USR4w-0Tc+Wo>Xb zA)G0RF6lKARcs5Nh6{3#$2BmeHqNWW%q**NcIcIC_>F<4z~f~+^&x?SFF)UqG7XNm zU&Y=++$ilH3yFjbXL}nPL*HHr%z6raM-DXNjqhgQ_(>L7*%01*z&SBmn~wd;;SA-f zbPoK_$H@p>%Fp&MbDj)GM7N#Mdd?iUcgehcL$u}=IfA#M5Rp~2n|sb#!6AGg>N5+X z*DWH6g;Fe}a~iASTQ9qRHQ=#KZw#Fu@@aIO1ZCsmF=9fwSKuv%!5aWLF* z*S6Vd?6heMy*8(`sX{q<&ftQ{``AR!X88hxgpN?W^X^$S655unIB7X;2e5`jbUBef zyji0ub?{#(3-ka%5sB^Na`nsPmKy&qGG1as#qt;XU2n>6KhpGOX2y0YVx z2KwS5BFUmIsyQaQLsj^WLehgdR(VPiZ}o+Nw=?At)bk7@t1dmu_EYURq7@wG3gvt1 z32r_NmXxemAnM1_KSS2wDhKd)=N$7XArtbw;?e){eY>DiCzW>;gvVL9id7W5EnkIR zBCl@U33GoD(ok_KvO?l4dZNtD=zahb8HE^k8?-8sTDGMoJ#XS`xvrTAqlpBme8?er z)69)e1m1qQDK&o@@*UZYxl%*dA}i!4S@>9xz>80}@CdCXVtQ2{CGXXKh|+YYg+PMD zD4_#!gxO-8IAWAo;^1iJ`G;E%vWLptonO0=Q&L@<$ctcB9;IH_4%VA4ee#mli&`8> z__=n;q>ka3)P!%P3oFdLCYu_&_an+x0s;<0Vbk1kl%~;43!$8HH+r`3p_xL zFX^!dv&(Kg8h{(Y*L?(e(`f<+uddvsGf?&fP5t#R5WK`U8c^yv**bIV#w+(SQ|aiQ z8sp@OAfA6YDA9E>6@ZP?s}m_rTOx4Z!cr-Z!~r*g>GrGsoM`R^F+c=(g+jb8DZ$dG z?2K(2IN?rl^yvx42i9xf70)0)_M-27Os*7!Bt)8hf*E{=BJhla_#iE7KC zY1j<+&j#5WcO^uCB0sBemnQT|dUBhoyZXEFXK}rh$*yi$1bURWo}Qr&)q)DfShoAEsfyOH7#(66JhWN0OUnLR31BD=bk*CR&qnw>Eayk>)oD4tGUKS z!SP7rftBhmF~MENhW5e$HOy1f#bCwbltvNBw!rzjna2{rQDeB4#V}qw{y*u8li0nYsKUBc9Ah5;=6)i8TX7aA^OqCg zPglgA)0q~&PG$p%RrdCVek=-CGkud8cnb8Kmi=IR!hBuG`upfbr%mn$V!X~NKSD&L zPTX#fuEdg18g*R@r>v5{OGRZnH%m<}zYcnY5OqxO^wN2OKcMbvIvgPzE3XfJdir2R z$X+yA8mZW2OpT(TxeI4ysQr2PH}R|5+ok7108I?#ItO7FY5L?ntKGa0@VnAcsaO+N zO*}G>A-+x~6Aq;?k5NX~n=qdn^}TL=g*-&JX}*}3_lak%6v&-O`xNg{af52nALs1> zBM2XD8Ib@vUhzW_zUy6*w*nk2x@xdfH?8HDy74rFS}a{6?F($k0&KX`JK~Ffv5f}Sp$XM)CHM16T6`(XOm-h} zdM`Y}xkRspgpia@I((Yri_CM z^q8>j);GS!Nk%9a@0Pwaq*!L)L^(|XSOC|7(KpslB+q)D$kQXblu%Zm>qGN1e!XX9 z`B&u^;zH7S3TJnNIjC^`pq2zg-LT}G3J(sYCOrC#D_t6#9zyZfb9}FK=D@uuBD#}` z3_9`jqo8s&>=(eM&&t$FMg`kN*{zk8y6R8*RRy&P-5hX0T$C08V+55_{o+7@Ptf%O zJoq=5?Pj@B-j! zXoDx3!o$Q}((UslRwk>;opcv6AG=<2@xbHA>RXKc7_|>=1iknJo+Zn1f6dD9edT1& zJmSNy>|@%lqVk8RwuDR zY#uiggX@smVMF@8?s!vBQZuH~e|XzBsL+sIR4%)y1?{-#rMQ8$cQnSGIeId% zY%T0dELl~#m*u5L04DGrggsPIOUSDLF;)Rl$g5Ga7-mu8bz19H)I1Ghx5@d_YI~1= zq_8XE)Lf}I#uG^jKb^gc@x!zH$EN&6eUDYnciStvY*nwn4goBQ2kd&U$DQU2fFVO0 z(WNg|!Y}psjoZhyUNi%8J0u(I!!`h;5L?FWI(FC@9NViQ{MSPw^b?h85E4V(s0P_6 zX?)J$u>Csu5h!u+EuTZNSnnAp6TL?Dx`*a|MS_pqX}j{ZNodwcULtb{>^sj(OmBeN zRgg6#9^q~VK$->#Rd}S(-4}S^1I>Y`!Tm$Nftk!WLB6Sb7`s2wNtR?qf9`oltTDJV z=hLViRQ86qI*0^v@*$oEY<|8Y`A%$uU?IbIjM&zYpQ2;FK}`QX6XyPHT+%8AxPWc$ zD80*o`^A04u_}A%A2eGs{Ig*nh#T`z-e!3UxXR?otd3X8LEUo|v72vDFRYBWh-37! z!sF1s6G+C}JKLhk!yp$qs@Lf5TJcH&`l{iHr|M6+yVRJ2>cbMB7c7=}= z$bU@tH4>?C3sTVG0UC2@lrtu;Pu8LA??g}5(wW|=*2%LsHrF##JP4OA<=tFiEa)A0 z7@pw6KT_2cA;ZgWyutI%-x=QHsx=QnWq5g}&Nphi&CZbKxS9Bc&X5}3@0vZ+<8xcmW zWpPDb#Ijark8bCK@B|oAa2xOb}&Gu0fJPm_RXc@P<)=#FVS(zeVMWG@7yVVbY z=+q-J@KPTX3j{V>$XcBA=o^z#{!FeeEJAJsn#rNj^0O>=RXZ&S;lnPT^1XMNYFzvv zKfg@N0*4_+mJDk>4ZvaejJtU}%s&!_#c=3m{k*BUuERxc{O~^x^8>o0=B(?fawS2ANMWeup;^a(k3g zu4o#}iKx#$Tf2WUjGp+NBy zGLJa0HtiVy>Ma$G;;lI)uB;kt58Y+cP3hvwgZQ~Fy}>N8`z*kXb5$Kl76Anf4M)@X z;BhN8s-1?=Nx35xC#%lO+SPAtjuqF3>f2J_46N5+pZ`p7k&Ez~H!QUk+gk8F)cBko z7&zcHr4s&Q8!q)D3?RhiHni%FX#giT{LbjJ;S}D@3QtP)H;X%?TJIAVh-G3I$@q^N zMiNfV4R0%$@-2W9SKc0>xk!AHerAw#K=pOaytcF}d5z z+xI!zkNKML10+b2PrIGmW{%*9tx!f41nEGb|9(S<1tPNIW}&3ztwMGG}njgsy+ zb)XNZdOGIl6pfwTy;=-1`UF8j8YT7<3Hqtl3L=BM$mp^N2to)FA}`<42Q|0*JyqLW z!TTJm`1VW9*FeECE!S0Omab?lF43CEs`zu=IqkRznM%Hq4CJ~oH9mhoqA#e6e52sK2^}WZ4iRoNrtf~w_nwTWY zH(~8}C+}y8;2Xt2=W0z!Zf>0Ja@{ zmh8vZ7JWq6*=+(UI3meNpuy3Dk3g8d6>Z8nsphp518myOrx5@dcRV?9s#Tw*uSy8& zUqq70z?2ilBeqosfeaJRED!v=$1~`(Oi*1LN&i`2)SM!0%G`jQg76{@DO;Wl7JHlG zFRX-H=p*Xq1 zGdMt{D)EWyEgjCL1~Ma5uPIQFCONi!^{N<)?(|yfQJ;j5k?cLkqeGYVF2?>IBSo4li8Gd;L7~_&Q3}9kq z-(G-x6eMqj7(@p}qqZ>sfQ7ZWv zE_D7C8M2-_eXFlp!>TFBP-G!5c4$<2c zGAT0+*q1nuk_?9%me4wO_0+7_@;}Q)u8SBWDVK+GE5#=yS_{6zE0P7mixzqd_22;g3{ z;lKktxM4r_&mgZ6?2P;1HFF8>@yvIW=?r;>E*SO)?o*}dA)6U9ed>o-$qhIZty~9} zkdF2FQUVCtW(kNrIx`$5$Xn{QNT-mvQ`+>nilqfDFogd-V|+~f4-{-6t!?Y9xIt}CiLfS_Xwa_jHbDh&HmlXl{uw?)nP2X*Dgfgp; zEOj0k_7+aI!$tK9$omk09Ja6U4Z3I7`iVxss!~yC0eRZ}(Ck8nOV{v4onFnk)&>1-ysFFsLyGJ!9 zr2)EkME|y3%=-L!6_up(HUjWdklB!RU78w%)kd_WGwg$DO=utg;<=xMpv zS+-ecf38jBs~8J6+^_7N)NdHbtD}E~8Xf3pQzlXcu{1H_;_9FLk2i3X5E4vjys`-Z zF8I;%{i(CtAGll_4JFG`jX8z!bi*|r!hVMe*N7yau;n*pvaeM+Y#RIWqr>#M^E~H4 zi{hs?QYJP{w!LPwF^tn2jBl>(iqIkQA_DQ5t@stwlnG^64w504IxDy*<~9=xAZ(J< z$pJWeRIvvtM~c zsVtqCoa%^6d+WNAoc+?u`+Erok9A#GmM{}l!lIMf z6IAg02sqv9KaF$_Vw1IjQII5(dFNVLfjEfQ&f-;(c)jaR7qohX^`(E*^_fM1da^eb zw-51cpFJrfA3Y>7QVUjdtJv#mZ76<>(&!Z%VRZF62L7b}Ot9k+6*(Ihg+BT6- zpiyC}iOz2WTteb^Q}?`aPf6G4;QZYNKPeS_p&4Ju44Ff?BDR`W+GMhWt>a8rHb%F} z9!@s|CRE%QA+QZLa4Xe2shlqE>0`$3>YAmloMDd~tGm5oc_rTrG9tKV)`FiFfH_feExo`5*MhhhNGC9P3E>QGXC8pzCInN^d< z&0<*CGp#LVur!o86Ih=?`t_S;DM=qA)Temy00^v4f1O81v72oWsuY+KoDlBCc@ccr zf{>;~wagEVrXNemx#`;njQ4JA=G@j(v6^3cN*xk^9lnIb$;&}7wK7H=yZsuudTA7k zZz5lWsL_YJsPmw%rW0bMP8ng3n{QMvu~4#v9C8dJltikYWo%(zXh&J`)5(#@in~mY zPs83elJbtmI1lYPYzPw16Z>6#3|xyg+|EbYxmw#8m0oLLVhD?k?(upjH(fm%VCM^e zTg?|bqguZV<=EIt&1>DjSZ!W?CTd`cy}9}f?p8`W+#IdCh7q66^@%S~Zr(xKVgLhr zZ}ddiSWfk18n$1Pa5U znriZQ-bNb6q+V}b@_XP?<4MIjUH*J)?S`YU{iAN}5NcS+-veFQ)q2x?}Pk(4Lpd>;jyl8^hah|1Uwz@0N zmde7UtAqC+!%Gtv=}z`4&zFCW=SM~hB-s>>cDyS(0>BO*eb~W*+%J7CK%gG8^}`wO zSo*Pt#fRfvEkWzbzxiO8kU1wp^lrftrWvp@f*s9HtS6ukG-~vG z{f;lkCbN^;cyct{-NGlt__$L^+(V2CHn24o#^!`Rib@VJx8O=L$wwXa6>F=a|4a`V zio%r-$z@(%Z@JTjQ51F^@AJb9@KnP!2Y{8cGA8Gri4>n7FEV|7wSX!E zkUCC>i(Lpp3jIW{*Y!JCe(;$(VqNGA1rSGdHgG#gS30$7zej5N;8j)q4Z#`Zt(WIY zGaY-^&(H1br;82^Z$k*I&{*yLMVM+#YS%^_!tPDB;v#`)x)W^XxEap)afi@i-6Q{y zWLloI0bzQd%q!);yS98cA-uK`_~XFplEO;oW8D&wA{N{f%g96I$}>}mPvUZtg&LkA zCg7D142u&f$Po8*7=Nx3PUd%}SLzHMd_CqxkTnJhyMa9ELB`rX8vK~=$hGLjQ+9u) zQ?!EmjSEbJ858Q_)HI0u4%i+OTlE) zeNuw&+=wKWX411UTR>6r?&Vv@XJ^803x){+DJBQY$4Cc`8f!xV?P-T)@-*Jo*Puc2 zGytLJmA{eweX)*CDD{FBCK2V^OyH{Qx1{xYU?EN9-T6hTxG;}_m$0NEFv0!Xw)kUAO$>AhP~2JAUdzK{Zr38BJ#cLKJNjc^}=yORWR{NvCUgvqz&%n7JCNY z3A9FzkZsbB9MqXqwlx~w+cyo(v2Ln&)MbBb?^+)bx0U|2Xv-zejDzxtVZJ= zuJc}_HutJ@qH~*cs-mndtU*E^?LspDiV{wp=2|z1 zCW<#z9avVI>+{uy;@rN_3PiqWKwow1RTaDz@5Nx1vgK5V5Kt}pO{pDtblkb34C7v> z3=zOe%(y0s0P9362d;;|v(3?s41nPV04_k3!K#>-Ar7PQ-m1GjOK8op6z1yDN-4(@ z>7L&G%ZLZ~@d<6wBS@az6*IDWQc2S);6|;O|!GLi5K4a*sHKjzs z*_NGq8pb`cbrp}A;m5_sFLTeg1Kc<_de$-b@}#@HhPhR(R`Ko_^3KXSP$_wvcF!z+Z`+x7HNQ|)qgF%uQY-<$t(`mzIDe&d|M`Dl;+hVkaG)n5`}vEG6YX_zYO zoww(c8^zQC_I|REd3~#)neB{fU)3|_DNVE6{0ob=+|zK@M0c&&OO9<6^{y*sh2_+u z{tA`zS+*!IdJ~>}EpOo~fV%j$mOxT)H*Y`HjF-de4JLSX*;_ndMb@`dOUlUB) zlkUw)T^)_9c&rX4K3YJQ`aFDvmT65{&3v}XSQOozq(VE7vX6Zqb?KE~H2At(6w;s2xAXlo;iwa4wrj84Ibh-WqQ1bGdo&8+7&d8~ez zJ*)QY!8OtUm8!88?T{me5ik89`h&ys9ibimHD%MS4L?K&o$ID4pxQRo+)|p!-q^{h zl(oZQ6oWDAu#ua&ttFZ!_o7f-Dve2HO58A|8PH3v9Smnsyg zNzW!T|DeYjH$|acQYf=rf7QPE~vCMGH2x&mu1%J)Eo`Gy^1d0Pfb> z`6uxsP3}kIzt-wd_?SZV|lWBw~cwoqF=4{Kf*!{xLijq0Z*4%-!pA&tc~b2{dPt1emA8jCz>c2`)vkp zm;94vPGEDhb9Q5WV{r$)W$dcX71-ReP&ZaHe5M8oIMzdEYiQ+Ug=#FQ*9 zg}5u79NV!G*lQSO`Wx6#{NdJl{=8y4*Be%6iL;)yZ)=)!m#vxxQ3qw_h4qim%Z=ks0@c4KY6!CW{!}X z&Z^oBo_Evvdfc3KV&S_yC;a%e6!j7TUmwE~nWL*tsiAE=-96pmB*p;rJU&yI+aEIN<*$ zo(F=r(QLPr8az3%VpnYz(bs6itKu!4rKwcCca&@57p*;ZkAOF1=LS1v{XOWm%e=4N zn3H^}op4vT>d0-*mpXuA_u+9vp{_}>3k0`GmdLX3^)J)TGF4Zi2)8DRQ%x_La)O&1cs(M-$$&xLR(rbD9bkM=6bi)O`yl2}si>r!zxmM!SR~%KZSn?2@mgJO+Bg)woD_fq*{M58I=p0!icVR;mXr zxM7L*>Wr|#B{7mHHZGeH3NfYjkc-L&k;l7!@wWl)DrnT&MGI}`Zaq7tDuJg58k}-G z?=wd50k+ajWH09l(sqA%`J3>QukWD-k?iYu?C(i`Kk{c4{fct`*$W393fq$Py@V$R zdiQQVh5)WY{rHZ$Q7k8?W6blux6o%4VmZCp5la5vk?aWCJM^k#@#_*!f+jU?2T7(s z?~vIO*ZK`yoz+K@+8r*KveG{(ckE6^g*)oX!x(-9nf%PtGUBb7Z2lb+eDZhMx8CJ- z;^aze%2)~c`^q~DaAKtDFJYQ%7~|Qmp_D2oUVRd}f$CMYp#uSwg|3O=YwE-<-=~Ip z*616so9*A08bJ4|r* zZwk$vy^?b&T`^K#j`XOph56WpfU~`i1>>(;b^xBxJ+R(Wo>xf}) z0jAl-)3qCUYFd=rSph$`{q-p%80IJJo5O>~Gyromr(MbU!=mO>L-&i3<~b>f-c$&> z0TECK04k6e=6ZK^={7mS``Z>E`teyw0(Ncss)HT>zy*1u3u+2O`{CuXr{FGHXtKZB z7&<-6xTgcW%Z?IT+aTL`QgL@LGZ|U*hR*`HU$pl_RV-r>nd%Rzn2@%qrUWhELSm3r zla+|XKmi};uher+G;;fT0;vtqvSo{p+(h;M*PP8qinZ?@zWDZlv?CQ!4;#wP+L#)v z%@jlk@kFU|$$~~5`kC(T&xV@kts3pslhif+q~KWx1nF~nykIaD+|UtKgjJ>!w>Mcu zZtGQp;Yxmv4(6xR{f8B5xBW&J!dVxy`raCSIjf_`zA+Aqm4;H=ytEf!Jr+`N+@RLz zdMpgyFsu@I2J<8pf&v9;ue4-rR|=dQE@mJ5_nUykIX_U4vBR06uTpP>Je^ zX*na~TBf%B^{vVv2c|~1s2Bbm@P$~S;QjeD>)?X(+T*?td@l8Y!0WQkm=4AcY-hL= zJ03ohw{La=IJhXKyq3nmRK@zwh|wo)y!k3&Wz{Zh-j6+USoLfA)!)=at&>P7my$|| zN4eYC(yA;<8@M|*tv@_>9ZGw6Om`M_2RIQI0i7iMi&MAUJ&w@C6|PQi9G~C2K$Yxu z^_wOFr-_Ep)ix%CGsto8_U@!@Qu!v}6rC2bby>`-Nb7Mh5GmgT`gLkn?kl@&K+hxC zPEndvC~rESQ7V88`H3Ld`=W{ATcwa)ze`GqfxX0b;DGqRhKES}7Hj>}${j+lOai*e z(6uo4*)bhnj0HQhyRXR2K%<}6|Llh=PwEPsO!?(E$X4BWJ)vl%cxmTS>-dHb{xR>d zX}<_j%(eW@`?ktGNta3d+@mj#e==11eBqN152w+Vr6IG99>(=*Brco@JBrq#f zsl?opmNV2ZPT9eD_{9r`SdL(EdYg#5PWnrrfiWq568P56??(ty#geI6c^{XUSwV<6 zR)I&Xr+5bp)i1l;CJ++vgm2h}HV^ZozNv}MeySBma%N2=?*9REqfrd&->_BTqg(n! z<6?RGwiwUJM!~X00@%r z-)Sg^pMN00{^z9x5!0a&IoDYyImmxJJn<{Ua!=EN3M&1t*WGpTsu!XI{xgNa3>g8-OAE; zRGY(Of+7Mn;TDjNF8DR&wEfY*s(y*l9pVTdNhNlWooL&fLt;(@J&J|UnPx>Z zvNbBq)_CH@h&-`gJ-pE%xdV`fP1yNMDj`5ENL>Jm@kh3qgR{cPQC}}cCvq`hM8N|t zvB8?!13$cu9l17%rfIGl1p@dE7f6Jbi!0&&CsX*-#iDLaf(1tlv+Z29#-tmQP4&Ea zj@`#UBeJm+c;9!s?vyj{&Od3eE8Q2=hjod=g&tN9_HhNHR~G{5bYq~Y zm?{swi9OOJB4wWy;<}rS3?Zckq}^Iq_i7CbRQExBTs=$NW=Be72n#M?h%_L){336t z3T5scyR>{EyD@@*b7%(#gdq(|P}-PaA3yoqJWKoBXAzo6tmd8 z|L|#(vRrF2P;mj$q0@D^Y^6sq;&sQxrNWSQfy4}#97Vngljeck;&v?551a<$`-6U$ zy3D5nGti(38|OF;wNUUOve$Om!wGM@YD8?ci3bEGP-r z{5ntJ`J;sDu2yqNd8IwW_1FVM51NQ-Jfq!TxX1{?QdZQ|c}0c}rV-IGurE5@$No-h za#zz5#oDUxq#4zJ;|cLa`iViImuY3{kR41dV@t^jKlJ~oseI8F=M4YxOKOzOWmWpM z%j2k<>`ViRJRff^fI_OMHIHXVZyF}GK`Anab{-)~| zT?ZPF9sPpJRmek_vWN^^hC%>(ksL$Rq*0?Z-*or{K0`>>5t(;`-T~!xAZOFSw>P|U z2S9_VTQPIEaY*fok%FYsNWG-wlygXAexFE@S6w2IIAJHTV`^Sh&bF%wEa#X3y`5x8 zT4N*QTm~AuRJFS}|7QTTz_Hu?oQp``g1h?IMJ#jYh>(_o3#F00hWS<`Z%$aSq;xFEGFP8bp2*=&q z{`4tJRfbg(cQu#b$hsM+ifFmM6=@v6xBR;7C|?xH-uRoL_5PSr(X%LH5s(wRThCF( zir)V8B*vpUq3avDbhO;4fQVsX0iA~Mu>dwLvWwwnGxE~a?2Jpj1jug{V@=BhO9PBy!b&O^$?7oB+a`&|U9}Js zXK_=b)mnkG-FvbxMKZ{lB>-+baJ5htY?X?{>`tj+(V$^wgXr13z8!y{c^lo+wTbU| z1uKVdD~mR6yM|>n`;@PI4nx`P@Vigdg)Tifhf`j0_5<|y1D8VcwudEu^K7{iBS9x_ zQzDEb*%RdpoDH!N{}nG^W4+jZ?)u9zgz*xDse@d30Wx3O`=i8P_Zz{5cH9r`>V4_} zB14q`(BJmF;$qvnB>(^5D;1C=BTr-G8#5JTpeRCyo0jQk<~9|_t8JYo#lwb8%uBel zD|wxVpzKl0P4w|j<{Or8Npf29!yI~Bh1QRpr}}cvoHA*tE4#Ae`CZ0C%*U5nx{A1t z9t8$f={mk^G$pgp3=>Gme;2g$HHv@YUe?B@GSn7|ooC9%_Q2zwvm44SwB0HMNSGCu z|NQ043WY*gaNNDHt>33_FnU3moK^+^^Dj%oS~5diOz!~y;0?Sszst{b=~ zRmC3TO2sT=K92q=5{MQ8oveDdp_V9`1BShyiUM||X|fpab*h>j=+!h+INSXN9U+E$ych8R@-rcxHD22g<{f{S%*tFOzJ@AWbAcx7R@4(R zq=^rkD({Aw%moHy4^$S2x+NLb@%G;Pgn}aQ{^3iVEUeW=L1C)qyU~ykgiGRlog^vv z%3i?_Vy%k>9vc(l+(WA$JS&gfW<{Qa(xU{ts*9?S`0icevu;e(@WN4`f4FqauzZkB zd5h?bFNB5g@@)fm^e)9C!m^1cNMXKoo3<}H>kCC6avrq5!7pwSm z^Z1yAmyd#&+hn1#)^edIF5V7-xMJ(@U;AhUAOB=XWrEE-J1t@P?3qt{tbTze)PEbd zUg!Kp8l3;s%xlxA3pNlK$WdYvBI$hX&h|UYBF^~KX_L6wjY2c=K-o9>RYKZDy86&2P}RU1Q2&IYF!2&q$;u?> z%{s7E=Y7w&0J* z9PXcku(MV833la41Dtz(ar28?{NpwIr!{(dV#E%EAt}Ftvef3Ae?|qp!BakZHT|cV z`NK=3B81^|%XtI*dq{P^_%PaUQEUTxx#_O8uwtT?D?>LgSywShyUX_UFJRN7P`NO6 zM+X5G3u9rC#I3NSzsT^|AJ<~$a1TQi4UBI=f0hsF$c-NAMbN8vA-t~ILGqATqCy3F z+p|#YLXUkr8813&&fq-_jE;kUT5CuiY}LAvZ85K-ob@%a?t~?zE{xT7>hsjaDnM!-v!EnnM+j%}MN>PoG>FTk|u0!0k9klU%o^z5c<+b3hViG%{ zEmlLnEDr0Z=t$JUy`^o(*uWn&k`Q>fPgYnCO$WDvq+g`Sc=iOB%k7TSkHgoB~)deg5hE9^kEE}8}iAC-OFa2 zD%8x0;#Na2J1?-6F)5GN-MNWlpx-ZB2IbwTu42JR^uU}v-3YQv%<3U2QxleR{--1a z2Lw{3J7R_~YT2h0&RLOO;dSNj>z`g%{q0KNwapTH)4|1j5{3kHaT!Ac)-(M2SMz;g zgk8+HLZ<8&YrQ;|4ZVd8_z&rP(JcgB>@cz1fl+>>j(DVlh)&UQ>_WjAdX zUWI9=i`E6A5t&5l*Z1^xex?%uKTksXLBE*jq$%J$!d|&#R;_q|Ypu0-7m?A30w(!2 zci;TwkZrJHT|Q%9x1kjlbsDu#8TyNA4|M+US9$YB`u@`$ zq_>jP4JWx|_w7sJV(rO}vu|SQ<$1Nd{8zTZJZD!KP}{IWnw)9AB(VX&%yHk2J56WFi&AS%?&DzzX+_(R zMIdKih_zw4Z5|@Od=nyODObzw$54`}){5+ZGc-sO9_^%L%(jT-6M zS`l6(aYIeY&e*Wo_9{qhd4x}T#^xsa;2rZ6#Zxn}GuxVFR**dlpwIOm?tQ8iVsJ0+ zoqWEt#X%1im~KhY6jNgGX>RMZ*N5VOOq+&caRu9;tVE3v?ylyb=jcp>K2r~u4=~$1 zLhrtQ1PH}64pJk*m*M&J1LN&nNey!XQ4;;jjtG>8l!=@kxYW@xhC}S;d|cfES^qJz z(<~6zasF+%(w(-x7RjV!*<|tMs1YScD;jx6sWbyg{%-&U%wx?2Sw|er1DS#7k#LD? zk15HV8SzZ}FV^=9EfY$1C2Edl-Z1RlB&&vFvG7iOF|sX$^wUh_;iq5wqykb=Ro0G> z{=ayGgbqL|2x*s1dH_}$0~w-LW*i)>WwpN6WO<}L3XtAJn!VQ|yf*9uWb*c5>m-nX zNh{2#l4tQ+3W|eMT2Y~8m2R{f8{Q550b$L(%D$|Q8xnZj44xpjd=wJS$1}bZ`qwu4 zE2eRY%t`Z)bQ#KmI#fN!G_7P~&i;SBhrjrMNxVhqMRm|@( z&HDr^!k3+w*cYN!&{bEGjLc+H^*N@8?#R__cVr227pt{=d1b*|9Vz{E?*+Cm%N%=V`&+0n?7mR7GkLwaLFmh`|Dvc=nhsOu;X`Uj12 zZ6eyZ)#RZRcD6hHr#<(xoLV>DP%D7*ao)aWv_;utYOwj1mL3>cG@e5QE!N&8VDNAL zeqX%vC75{nNjRcXf&liEw^*GR;ToGs*;54X#aIl0%5D8mh|W@$)Ia^kVInP2DYSjhh9 zfyZBWhL$_OL)Sey&X$w$S}Qdea$%Z%;2Ni`SQoS4C}vpJjhdYO?30`KMiBu~nyz^x+pAQ{qfqIrhqR zYcZcXCF$om0hzcm2&<=tY4a_#e(6#xw}HU~YglOT%%?xdNyQmM-2aMWh6joSXy(tl z$`0_KlhDpl;6e3nMF|mnf;&xY3}?u?GTSfmJg6tFs*l-o>iU?@RzOkxD}vjuqUiGiolEZ1D_IUSL!)&V<1xN?-IFsGa6)!`C;nh;# zzC5$xCToD>$dXg6(8RSeEh2KeJ{||rpRZyfYQ@N*}X-jOhhxRIr z!%j6_@13zmV>Z+x3FMZfDzL~-l2w4QL3L3!zYA0?csR(6f zvYdEVu-LmG4__W%%jk_A(&T>;StrkHM=LqhtMEM||B!q+e1$wMFb1%%*EN;SWPZ~b zkWNdss})+U^B(qx3UMUg`U(`V7%6_F1j<#amZ%G^$k5MmYcCCdVy@i&lKL%phdi;= zm3nR6rq=mrvFc$n>D{G!Aej|%wPXyqFRC8);VgPoCSe_rA^eNWXFPdKI~i?~&16heRf z|2<#pOz^Ck**|6sRN>7Jg&Hw>@3|AQen(4^7bA`@KmSyBu``ZHs|^=bo3v1U7tY4T zVvq%k&e)n4N;X0@&NQQ#?8n;gd^J(9pOt-fNB<*bdIe~MI7-v|tFK8y-})()oj;KD z3@VHPNdzJ7m25t%&Ubr@lp@o5^PqC?FK0$+65?9N3_b<_tW@>deiECr^m?)Uv>+F1 z-wMa6y=SQt4&xhAn_6T%&@Emrqn_h7uRiB49kymAxp~=7#imCLFw?mW8A}^#iyX+v z+;wZmav7fc&v?nv%=@QudM1p{wUh|IEVsy^sI`7CaycLu;PZWO^nRIDi!?Bp{-J;R zCBox1JjzcuIU-8zrL^%r2VZu(hSqw_IpF%R!*;qt9|ByVDbR^e9vTqaq?yztAlEJs zL~P#}y2N=4)ud1UTpM0F+o7Iy_J>85<@rv%jBNbaX3KFQk>kj*s~0ernoC}s%tA$G zE}bhgaOoJS4(|E^>6+_(bpSDHphax?jOz-a(uo8$nHv)_##=LUwtYoa{yCu+0Z)%a zeMJ5V!IVBpakiL`HY#<4Fg%FWv|NPIu~1@@G`N^((8qCnWHUfflQF$Ar%$N-$9O{4 zq=mMFO2rv+HPTi@L9LJKZCM3np6XlK#SU%O(nR7ARC)OqDSv~No*pCk1l!`=&Qhtu zmI5Arf~|W~sGY%D{uer`l3iZ^@{enug1zA>1EtLQQ-MM&|1xnjXu|k9z`4t&Ghr(D zkPigZM$@~7&*;G$v;z#Kv29EVAN1NAF2V3In>B+KmiFM#Tkit>c^OsPSW#WN3mWxA z26}~Yp9SU;vSW6i>a$!C-C}6qAVY=jFj8Glqu}@DohdXk88@93?FqV)O8Rc*a2hV! zlJ|zT2Z-jr@(p$W6)**m+mtr8 zs2m7svUgGgXL;4_5|&HU4k}q1-gE3_d$B&Nxg`4U^|_t7oE{~^jf_J`-vHcn?-etQ z%amO1K4`F_uRd~>MZyahxB^TpIN>tu+LIYfKMd1#TD3m)_T+55v$Fxe8uag0w4`$l3FIMZ)YvA1CBlv2<<@l^fOd^E7JxTywYC;28W5 zy?FTlgKO&2z=Tb2b{*g!-+d(vfHa^DFB7sm{G25MI+m}o;O+-Dz{CrhwUJz7kf@`l zrSXqf_+{xCSge-ekJFIvT?hNxBeX)|F@}!$PPYWY$4LuxEdxje^I9>a7w3;mLkMcRxe|9uNrG@{OC55 zPs^*u#|`wTF`^i9OV#-u7#u9JpZCR^5C}3}DDbM>+5muN0l<`7FSfX@NI^Oxpb&AJ zr^uJ-Q7V{^XCdzA^bIV8;whEre4g>dBq{&VNq8X^&`D)i20EB0lbqPM^lb>1+Uw2q zcIG+_enpxy;a;hr<@8n3oTPz?@V1Q#5tFH>`NR5frs$Wy+Gp{N!+^7N# zbP(r!@FFCYHPb5P5cu-2)Nh{&7#ReZ0bk$i9hE!OIw_0hbYcJ*&hIG`(6~SENNsYh zXs;O1r}9>%)SR{s$z;E5d6P}sgJjOn#PVAhe5?Nv{pI?uDNfN1vnlS2mi}ZeWlr3| zMR+?|=QqX{q4NUTxwG}-R>tjOwG-0l#r-eb8p4iw{Nqk=Kpvi(GJ-FuZrT8F& z^*pfMnD2+%JQ1`H54P^jU%n)%d`Sj_g(%5a1Q{43(l3+Dad$qL*i{zZ?6|27Uy8yP zpiaXV`FQN=>2??rWiMjC9}3|C3BaFs6~K$P3m?bpLi10Dx^qBAHq1Y4YKh zt6C?5*xISBp5~`+)~cGF5~n-;Z7Mpn)_+Q2xhw~AvlM5U^VLh>^!!oju=SvW@0myr{fa?PIoWE`tmVr$^B*qOgduTjK9oXbBP)+n6w$FUA$0H&_za z*U${A)uCCiKjgQm%H2AIt;Z8`&q&H-AabvFmB?96e)aIG1pZ{Xz zDK(yOPF{*8P@rFiKS?i5sCM}5xVacYLG)$r?(OQL3@;Yz&F0rD@5?3%zHD@9$IyVb zhbQ<-+ei!$z%}1YcuwEP-)Y8tDSM_|ANhq$)@$n~mzZWlT%RBN8Rz2t0%vc^Vaxeq z^^Y@p>dN-|2*?f5T>MXK__>muG4fO;v3;ReU9JW(Z2QYo&}qX$94f3bL88r7_R#ih zT_&ENM{w!IH;&ojr836KJ1ha^AvvH+q+DiKpjvaT$N2|6x*n?iOnH$ZmwcH9Y-SrAHQfVXzL80e}ArCU}wTsX}GzPow30?pr^{(yO&k{ z&KABZ%sNp#?!0k$(9A!ODpTwm^1=AH$c^Hx34;jqK0>mN_aIV#)3MNJGc4Wv_TTbOj$C z?fihZwe#-9HQBc|+MbAax$?Ny z?L>G@roEIXNca{qLFb}{AWawI@Lm1pMIoej7xz>Qzis?c2Y{jlq8UpE7v~IPvkScW zdK)rg;5;)en~}*rJ4MDI2K|V5TgQ9iGheeWV{#N&`r$XvDr=}8Pg0n>H*5Sn|5#6CvBf0QD7dK)18@9m-16G<#0BF6{3>p zhh`0Ze!uC^u$fY`_b&_&SHur}Mlk1hZiYo&`X)L#5AZY+$cpRISJnMP;+taNV4e|3 zEu_BOTpFpSlTKl{-5;ZJYbsIRDU!$rO8cAa!ak*Lx zd|xaZ9IV3~lHM9)E>tK;6@R!Pb;>bbdKw>LEftFN*6Id!LLs$K0uKG(m3v?$%ulfp z^zniA$rBX?!iU;a@ThNmuZXzLKO)X5$=YWZmCGV;k_Vnzkih*S^$RIKx%~}&U*^1t zWq!z+GR_eb)|q1ZeEa)Qm*J4=ddO*TsV~t+^gs=keL+-@FJs$*3)8w}XW{JW!SYE- z+_+4cSufl52rkGm(&%W`?m*68+G_o!U(Af#G}V=j^iBd6BO`3>J57)$C~uykV7h1H z#Fr?+6X>RW*$Q2AkV4m$?e{+()nOez`|fU(+30p-Nj>W5z!C`YNSKvZ!9(af55a#@ zt&(~u{iz=29jhmV+(|csrGS>05FsebA}_Oz_`kI5lc`eUSUkg_!oO0)e>1a#x3QqV_5kQ~i_g?(rgn!3GzNcMwo2pXBJZDp6<3;n^-wh9N12KE(mnNAKO zd%>usgLOHH@%jUyB0BR#L)z(K?t)1PveB=5Ndx;6AOaL4x$qFSniGZDtZ_B>ImX{U zm11nL(Lzl7WLHJ&zc5TTNvxZ1ltYBl=L(FLm8HKgB-wP+dWBg_Hh2-Pq_|L}jr4Ct zcLwC;S9kK2i1EG|n&1~DNew|$(*``5$bXsk6D14FBgNOY=PD3?@e2X9?pJ>@{iU^l znjm4i@vRXI#n@4ET)vY+45k7rj>`PI0eW&W(3z4oC49@8pW0gtj7EY*n#iE?qWO#6 z_3thX$PJY0t2%YRh;$DnwD<%i5bTKIxiQKx1PwJUwQCCqWcx$aHAy2J4Gf*92VzYp zjD@rCg8YIvyyW%;^P_AkTF}JD7J0F*Yw?mO4Cb{kW7jttr@?~o=EY5Ma<$KQ84o!P z1Y{vX9dyY(g1&g*@JWCcHAK)EpVBXh)DV!DFCO~_QA(q%PTtz9e%|k2`P>Yj=6Ra; zk+Z4KH=lR!Z}Tr(E|;$w_YvX!S}lS$scdJhF|FNB>l`D3i>(rNXKHf+M(!U*iJSX3 zjPY)^JM`cHs#(2w^ecX?<{jUr0W%Dj=cjM&;7+knQEK?|KAY_p)#D5Iv!(jb>5BQ5 zW3i3a1mYtJ&7gRpyUHf^Q&PmT&%-vCQ|tRHAyNv$AKKeeC5AE&?Ll+mIy0b?Fo=KE zdbxEvn)x@JTQ>~leh~1yH+MkT%{<6EpBL2kpp3VcuCqWIvo@%7ut*MzqvXj#eczk2 z`%S|N6eGygX0ta-f>1m~beb|N)G+;bl}~idaX1fw4Hvunf7~{Oq9Ryka**``0c8i5Mjk*DbNDBMxE8hbOWCUUAf(vC|v9G3yu zz2#94h2VkNe!KQ!R>gk9;xkdtuI|PwbT?t=@Fmp?0O1@%v_c^M>jU=Wtict2m!AbFOtQ_>jt(gM@a>tLX;0n)VtA;rc@l zHzPQNw}YIb92&0*gMfx9Vo&?~W$g4_l9w<2E8tYCzDh@+XBlJ#;L>puS5Gstm*-XY|~q#GvQ z9tyIKvK(<H*ZM?cJk?jQDq8>mt9O^1@R9J z8Z#-WXFJoC&rg4NxAkFV-`M#&7bJXM9^AE$k8--_UcP4676}q2eE<@ZAB?E1s@nB( zCDG!?_xk30N0?5-M#S_mHK4*nzB{5eNXywZFrw$yb%Y_we;mrerQPgd!c=_hwXr7V zu{Pl+Z7X+P>bh+9Hvem+que18BeKRn(%X$9kOrh!6<`cQv#E0fZ;J3G&nc4(6!Z)?dPD4@mzkz4%xJz)#-nF1+Xq=dQplO&Mumy{D%}JNcR}!_?^%`C`M1tEu9M|xt@#+R zj=;jjA|?3xGveF}0?(yqOOrz`Cn{8)KQJ+`U%D;5#mJzx8Ha9e@4WT{`GI|2=x^Dl zY1#AIVye%95GKdE%iI9G`LbA!}| z>-_;YPPpFH8cBtSEH$|A98RgHojs7xa)ZnLq?>-2f}=XM!_CtgBJmI9DHapUtpBc; zidId<=AiU>gPq=;`gi~lo&*9zEi?a(N&{~qR0Xp6eUXUPGKTFotVfBZWjYC3($;IJ z*%{xj0;uV$C;^LnD|m4hM(=5#z zk5-mtHuaPh-)0~0P_Ak4fzHk7THqr-HGpUDNe~vhHY>mx`V%}b?Avw@(h_L0YaR9K zua#TmO&!KA&Lc<7`ae_};15dEkxFoBLG^RaXZi}l|EBhl-EsT>1+ZSNYz20CshGw_ z(%~{kh}k^^2LV|`mQtzDDzXY~NX^W7uVJHk$6G4e=sWX|9;ph1;8B4$ z%S11q2xx$GR=GCeZckK^?O3vBi(zT78_Yqh9N@z zpX*?Ksx8iQ?)Sl{Sj>8x6=&K{0{Z_9Kf7sGE~aAQDl2-M=_!yq*x2BJo@S0XHlu#Z zJ!D&3y=1MNx;pl`=Pm-6!I+i`*lI_D{U;&q@}!%`lMS@rDG|GR{U>gYrt=BZr380v z84uDm2Ris8>U2iK6#g2a1+07wseJsax+^SGaP;Pypxw@`KGvo55y_tDnT&b z{ErSLSdpM#71J)npjZ3iP~_ba!ogr&*PcG;`IN>!wZjsdMIUU6`k6U39=4!@#Ni zM>HuBz(Ws%1HgwxKFzv;nF%emOOBIq&Ppy-6y$HQsP4=;C!nW89q(A>0Le%^0mc0- zM~Ul6tHH$pvI0wJRW5t&9c&3@L7|hXH}7}(t4$}|#|C)PU34z)$gm#)hvP72igkNF zfvuG#rL9|A{OY-dbxeI0#aO_0geMKtXCcyepq{jk?;8N3|8Aab`^UDSPos<dxADLe?K7YbLl$eXw`B4GI;pmQBWLnsHBS zi`4LN2^2r#EI)%5f|69t<@dEsvzPo_j$p#)e~k`jZ=y&PPf1eV{&*kXYO*)X7-%4r zcICPad%XjSB*VQKrW5sY} zJ53J#He-!rog=otmXj!~Q2ZNNRSMhSd2o&d{~DmrZ@wgxW8nYC1>4!4fw zJ=U@;TVu>FH>Ss54(56+9_Vz10_#fOr?OZ5T{9E-Q%ktq7uB+E)8Ea?eo|br%C030 z$_l*Z1laUdwhb9U`ZQA0MYM0eMQC-<`bo3kaaR1SrL}IgMoToEqA*oXORbQLwWbZ9 z5ZQ+qf|xbf!qn64BEJH=H#pjF|nF^u^R?<*z;@{jCx%DKx&`$^hOHF$2c#%{qm z@uFRctg+oli#o*;=CkR|Xee$@$vMuxRAwbuCOz&tg@O8skf7vwS&vPY5FKh=U*{V+ zRJyps>di;`W$cGV@<1QNl{P}lQIe-z=luDHF1~ApTyotMahl6&{%uOjW_X9UoC-=i zweV&T;!oTdmAWF(AX|L}L*JiAv?&vTfheSjpxqZ1@~E7qeEi68tSQN=^BLK!^<0sN zz5m#KOzuF;uw>o@yE1y#PrEmJJ|>v+6QF%Et;a+{+$XG0Q^XCO5l-)90RXuG@3wl<#|xZM&K{J59nuH-f z_uVG(Liecyk20gdZLAyH{O2W8#ev+oWh}uTJfgQ`=nT+5)RX98@PPt?^TB2#J2&Hr ziJ9-@|EFv#mzkQ3_s6TJe~xRxpO4o8y6PKWq)041538cOS6}~db^A<@g+wIiwhK}c zRIYI_=Ne(*i+f>Gf1E?Y!oXu5>we06}O#00WqsdT=+swkY-rm*U4KyB>+m@ z$&T>ZA8KDx2@*=21b-HUNL%>v5*n5F4Mv;us_qg8(hy<{j1hd^zKPiZ!~N8!YnSV0 z9JG!WFu>=H4DHDkBYGF(S;q~tf{>R={%-XHW zgEi_1lMT<=`i7CRr26V!LQoGT*KkDmkM{W~tn7=i)4(r(-IFM03f+rRLX5BM#OgcJ zjU&#L?w1h7)ZMPUrI&L1Qf~v-oOja3LeIuDOLL#aEWO~m^OTUp*Ozf5YWyeQ(@-bu z?)hr7NovG0t)&D@iaa@Jek^r-_F># zqTUq8D7N#3($op>K$QLhh<0mO()mb>aM2(^hhwSxoNrA~3xUHWFmU;_@3FUt;0-d4 zf@G5WI1q}w_x$$x9&s{DD5{zg(2P8w%dCRUrzip=Iw`p*^a7t*)UD)yhn zl>@*j!d4Tq%RMHEc1ZG$oMnM>>yN*|fbMctBzbPZ7w7D~v23me>pqP)CNz-&EVdv@ zOVk1v95|~eW=O=N1ofeS?T?20xb56n{FteUxnmtS*}U&I2fd=waan4Z{q`RJtBGp= z3#$<^aV-mztSy!D;pP?rZDPm92ok~d)*mvNUO0cyUouC&Ix%N=GY_!)z#CW$ERFn2 z;MV!(zfed-0Z=F7PJ*|W7YW0D*5UNGrA+Hn=Or-QE)1ddkQ}$XAHmTywq(iWefO~t zq}g)qZZ(xP>fEfxOfT1wHM25#UEG>Hd}!Yi9g>-y$hdedQ(N_#5$BYe<4=m`c=lEY zz87M9{>AQAOP!BD326wLBa2;?EYU5YMD9H`Z?RBIMO>c2(58&5!y=Uq9}!Eb2WV6e zzz7(8TNGn}71=!H&)U39iBO5%x4xI{JyaX9ZI4JG+M4&Jh}Ykhmq2+;16~tn3xDun zIC0*KA;c(?95G;7W9qnmeXUjnHo1HoqyR664iK>juQ0Kzx8R4WuZic=WcH&VSi!3h zuVFUBdp{*zv5WL2kJ07_qY6D#n1k?ofYDbN*nDCpfLa=r*Tzz6&KJ+l=x&M|Q<8^X zY(!_7f~cL!Fo}5Q*Gx*Fp7#zWv7+w=vMcikPrqD_|Mx~p`}L-%YbQ%+XYFoqt;^o& zQr6-P`vk>PCGj^W;{onLK1Y2LnzFG_VA%chaKR|10=x8PTik|)6Dh)Sn`#9W!5Cv@ zM)sY|q522GZ)EhRB(;h8ms@fuYW4zES{C+yko2Wt@)2~r*wE9EKB(ag=Y*$d6T)_g z8eUQYXx(*qFs%ysB1hV*7y9lU>C#wVhZ7B1s!<^RoRcJvR0H_4pN_BgkzRhf8}qh) z!^y9t9h6~>*X_OgvsvZId_g zEnhd70^!K>MAQe$#-IPN_gqdQPkRIn`NGXTn842{-dxxlX4Mfhwy{Q%69{8@aD6?i zB8eS5C8fKfUtj%v9<$}Cbo@~UUo{!EmKK+w+&G(pmxI@8UrAgord9a^_m7c#xY^bZ zf~OpRNNnbXxl;3uShq(cO(@-$SCTh@y&IG#D$_4?H58z=IgbhB=OA;hJRJ;6ea!*J zziXgCPm2a}55=TZy-TwsfTXL$gT)*oy>K=^D@My~y;v{i>csQ`C@59eL7e!OIKy^N z4BekP-#HEiG!d+FtfJQn?|JFkUwC5I2=7{XVZ{{-Bdd z*Ttstl1zfjxoCzO)YK~e(s+0$bIoa z6Oe@*64#rySwq+wgVlpzv&mLpEn4pi7sr$2upmV3`(mOe;#mPH>yGwLD1BUiaNAUK zt=#ld63V@^m`U0XAG;{%pU*#;pAjY_ztv#`s4C!a_@rLgUDr1Q>%!J_U7KXbgp;_< zg?TnjL3vuQt_?XU`k6BZ-{+9oz-^VGhn0nwyCbfYAySEyh*NpBG!9p~5{m%fK_&w@ z>SmX0(CdxZ`KiQ^-vOt`L+;1Rl~SW*fj2=IqyfCwiO-16>{O5t`zNY`wl{mgBiQcLN`e+lvR2ZY>RUJQ zMJeQSw!@q)k>Stuwe^KJXODEU*?*7hcU71ihMaDU#AlkC-M{M{>5l{?nVsXu!^<8r zlu8dq-?u|ughXwpjM58ysy*%Qet!gv>b)V)!1CqW;OR0$geQTH-ha`tm~T86#0DuV za*h22?I$mYTpR$U@0lnQ3x-AW9CNM%Eax)4h=ahFP)y3aygc zTJwpud62UNTvmE0XC9`fhD;H5Rr7>^G){u+PfpWO>vp8Ef+tGM`^1qG*1l6;$Ih2$ zWha9SDoVeh_;Qu@9TLM#&Ti5&oiK5HLlv@LDrAWs~XS zYbp^XdgcOEEVt4ujsl?&H%>Zx{UoXjhC$C^Qsxrkh`Q%YBUP{K_eJiDeIz?B6~^)y zW5+luqq?84y#Gr*^WLd#d~}9lQQI~Scd~iSA)}N5iF0B{*}}31$4w9jBy}0IK#FU7 zzH&LsH%$uqybZHbo?lBQ*UG%rJ?AQ0H5c5)Kz9(WM%u%+f3h;z`Q9(Z zl+uqoNjQaY;IS74E5X{jJYZbm~*Enlg7*P zji*E%(X$nw27D{0&si@eR@JN1HaZ`DHReD;0-A{c)P;ZM^xulC-eJ{tjqu2pxU}bu zDxoVu9mw62@@3Yd7?uCxQ(KauD?+F3*Xkik@hcq?lL@n&(o*n7!X?+zao1&~30ps+ zpFCEx*C-v}EVC%OhTzGZ{lZ8(^dHD+)dDq&I-48T*tYEh6(kHF4bq!3f1i#yRE1-L zQTwyi@VFf`ij?L@&m3&0FED5|? zxqOyO1v9F$4|)IdV$1?8W*8%`~N7 z+_X1$Z>1LN_pCZ^!6()4;Awe^zMCCbwv>q^_U*%!|91D<WHjBSORqF=an2P3NhOs2ze8g>7!^ z%r7CkmYaQn(K7n945$;SmX}fO#q zLssjR0Byb5U5azi&<)Ji#b0y~U{70(o_^fq^>DQ+9O=b~!CqIV$~U&LZoa;~Ft^HF z$^2gu!vlxj9YKCm`LbpixqFrjc@3n;oJ)a5wFFJv+dIx1sM_H>pr#w{BX9yCXlfAU za}0I$-^42qpwYO-B&{vb$s+xUS>^0SKDf8LE&NA>z5lnIx4WAt_pcasaJ}~i||)sd$81;vee;vI91PgrpjC>z4!=| zcOo`Yls0)gtkkz2KV>tqvD9$WE$QgqdNf3HR9`b@HR5YTwWO}{*@p)3`No&;@ZTS2 z4~Yi)*8FkDb32UcgFfu!UOXJ@739!5=j8JGlnvJ(o~0nZi57jrAsmJrCiN}GqMFCX zSe(^jn2hIrezyMvw%J=I4s%RSr7nIWKQGyDG&y{^&^XRHT0h~e{W2!2yo7J6mDLrG zn>jKpkw-mWG{k-L)Zd)MNz}bI*>C-?)9n`|)^!L5sO#nQd$u>K$+|!KF7t)5fBJJO zhIHn?9?xm&pd+iHU=7v6`et@@y`4X8dTP&yVJRm9j|6i$t>jD`yO;q4L=4OQ$?1oG zQr}$GSB=_9$;#q!q-W_Vx!1By7un3td0wQFbO}4k-~3k#1B36c7}oOS-$4S^?>nh6PbVx*L{G z>F)0ChVKD^_xJt7b>Stu&vVY1nfu&x&rFW#h}mf$*am^PX&>+BTSEB=_ML=e13lR= zhb-FM&W*w#TFJ+DzNExBedUg$i$;#W4jQ-kGv8;YF0FGC%VYVzZYcgu5d3%^|wFKPPfDDv4+3k^O#0L*Zg=`|8 zgU{P(v^iuewhNO9W%;FzEdY^H_C5@fQ_&KVd|KYm`P*-kchPv>QArtqskCQ~yJ4x$ z4y(WEqQ~uRrZklKnO~o7sbH@@VC7$38?+NB(`$XiRH?P9k_Vl7?SD6~VD*!mM22IW zP1AM6@(|J(m^#;b#JcZv$a>oH!OLiy_qV-0tE~I=8s-VJuA<^pBMQS;*=#A-32Z3hr?c?x`WW7TQ1<#7 zrU_9amsSX6DR3RgZ_=XKaBI57yNTHd<&zb^8e3zTiX&k3*%^d7x#4&O?Pr#WbgF>M z__LK4cVq#`^%BYx1}(Mj$mSTFTw5<_xlz^vRtc<P#qy;MKtInN`#?9MJaubq72GYgYeJvEgyF&CIIUW7!?nRF z^u9*k%%?RRAT6^wql^p*q%6^~)P5D0#^A(%@?&8~33W>7Z&>0N<##BbXw%pIju9+_ z#vvAH+UqeDAriurL0abMM>V9j+=7_lZ;j#Yw0l`e3nyiv5s;bRHF(9&`dfU>cV2@?zw;*(QyHQVP)V_C1o;_Dp@RNsNj z#ZtUpVy2}FCD2|$x!E%X_q58+OVWujge@{ohhc;~)0#-i7G9GOgyWun0R_Gv@> zVgpplUHDdxb^`)4m2FM=$656P=-8ySq}&^(2t^GfMWSJBtGwibPG>YDL{u7FcSjEn zWQCdLC)l<)U7LOLZ{fJxMA&)pWtqxiaGO0IumEwQePJmCW{aFm;wnn%K2U9I2ejW~ z6*l--uv_5VToNOu_KqPLLDVc0?&aKE&9@UqLhg5~5gHB0e!#s#(Ag2^lsMN>cG>Cl zaq@IDhveiVI$8qd?d`ip0;FhG(eSr7+BTzcF^GH|WjMc=^6)M4ZFvPjjMVTXBjAv#J-_7(-S2y_7m zKKTPm-=4$%tRD}b+Wc(>XYtw8g-yg9gB|VhP%@Sf$cB_&W=V=f6cZ>`H30V;e-($< z(oaTk(yyQeVAX20&ai~o%X3DLk6sth05Cbvc`d5rDwfxOGD~DWI)G8N!r{B|Hfi5$ zdPSBldos_9p-4sqtq#2z?_FbwLkEyO1%LuoYEYFUOO3|qI%&IRpw;wL^;lMF2hdjc zHW_<@8Wkl;psu8w`J3(P1s4{i1=WASnOh(@{IE7|Uhh+xqzu1P*5zSib;!72<%*yb zi4Py#gS)>TLE*|{C_K%fg&R6bH4-ggl`kZ6*eQ-0{~eTwWgd)B37cs9dNIPPy--Mt zaI{9{dT6cpX|9sNvQktqXl1Utxp}NwJDw^slhgBgZ3f#X+i2RqFNOr%h373_)c$?= z#l`FM+>RZ(68EUdLJhq-bY&ZLz}5XjO@ZpS4^06m^wexfx<*C$Ta7%$iEUerO7Pr& z#uPdq;k-Xbw?&?OA4Di`I_7+a2<{@QWxYi`H+e2VrmCg~1=@SSfheC07Z%Rc2KG3m zZjE%*wkAy$QmP@*BEKgB%f4c=?&B159f4-4FLPe*u@dT0GIpr$;OHNQ!X zNT4#k6St+*g>vQShupd3g6^mEkHp(q9rjS?v5ac-W#?1NIwrnOllY_KWuVg zb?oS4Wng{A3x_9Gx{=;NKkiDm02{;uzs92&JC#}K=1&zT$~bi@*Zjecgb zKcGqtIU*s7P!NFBTFdpiR2>J`CyNJ1a9e9Jff}V-X9k>OT(Kqgytmk{V_ueB6V6&3 zKXp}MXTuts^%x`sCpAYwXlNaa1c!G3WfV)_+aYo#3r?!v9aGnr+B7F4mviP1*+ItkMOwv>s^>A2WSto2cmUUfOi)1 zK=^KTvc=JaeU;P-^JINZhh&xSV&M*rnr)EwNC}aCqLAyBiVqh@()Q7iZl-1EZ>-&+ zq*5#Dof81kP%hGx2Ak@-U8xL#uK{rlGy-jntkr1N?Bm0}%{Uk0{b7kMvCG=YnRD>f ziC3yi;@n&$y?>a5#J?q%6%twtR!brDVR+vCMbh?((^_7VO(oH05k3!=>>>K|t%p9P zbcMT{D3WdbqZ{HSw95~D%2}E8o*zH_;*`MmqPKs#bu@XdwIsIibQ4jD^cWg8WB>w)FvVZ?9R3&YQQc#``QB-CU%$f2(Bb>$*iE`L80 zL8dQ~$SVtgkpjkiu4^+GYTYt15eE0oGK3Q4fV*vWc(gXj&B`J21kN9-*?ifZ*BGs! zAZRil4C~X%&NNwI{N#}u-u)!1KnO-lxt~0~6lmpt@LjYD3{|eZ)wKYl@8ChNnV6_( zOCec~rn4a5%hTwy#|IcgK_panO1?eB z%*88PRYQNqCC9`)o5gYw(&VC69J0tv{MLD4$D&8(OEvbPn=DyaPNgzizs8O+c{!(S;%_T#7oZ8 zlN`GgMQi!dz4A^V)q*;{y_6cU)HuR8$YF%55rKuu#^G(;>su8o*F+8bqD`TL`UMOw zwA=zR9zaaI4vpWNb%!jZUmyRFJ4PqlQ~dUOGTbjfrLr@mox@)qS1mb59^lmrJ%3M~ zM0FkzNS194O_fOTo%}>U>N-$3{GZlh7}u1b7L@QhQ;z8fDazV$-6H6$5_w>P{*AQF zzBfZ%I$KE?ce-1O4F0J!2;#pc4wJitmNFUzB9-7lo6(nPi|efJ?M#It(#n}mE)5P1 zXq5ApBJs~|kl;Z4$(ifrWh?n=wvu1q{Xy-UFatnzUtN*-NGYtRSCEWz%_INtTh~*I^;@-1$x+ z5l(8b2E^p|_dNl+c$#TAL_8Kb8u9tC{u*(3K1s1OAf0O3V7W00?>fTTG?P%+eZ zkE+4^2Np>~_+1I$R20e6Dj-oHZ(=+D!8uczV^SVS82uj9|606cs+3Qa`8zgt zSGJ9w@EQ8OzN-kpk>(p6^i!)bP*p@QR=h2TWJ3+IS! zJ)^U#u3Fj`+YE$NZ_Uq$J^pds%M92ep~Q30ph{*dEaqEV^Xje^{?^a;%m&7WFY|T( zgfJNiXTyd=dJ4t5g2Ph_pKs53@pBK)h&#r_5cm-V7{h8pjEZ?Y69BObqajJoF0m}U zE{c~M%c13v&01xhIM*UDZ02s`a<2tOgVB`NLixnUh$M5af4FDP2Ncv$t@tbA2>!Nx zF^cV~L_6rpmy1%JZrPi1hLwsB`ZTPr3trS#b+N&Z>K2-Z({@G}?LZx*&j|4Pq#;M? zvDmOH`?Bw!!)nE!VdYeN4d}g-?fSG zIKs=YKkuWlsAFkkIz7nJ6I`xPLZ)j!bHHCUVCxuFL=bnDR>u*=s9cnk)!JWZEoLi` zaccdmqx-kVN}y^pD}$k_U#+l&$$^ato8}-X^022#cfA09Y}wKe5K&*;CUS&Y5eJv5 zIs&86XB9rb6VFzTd8qYKn$W(IXM0p<4%a!=(BS}!s`l`=%Rw!cBP438b)brWjC@c` z^es6P{D0XXSrv`%#wotdZ@q4grwya|MLcga*=ZkxKr#Y3SAFmRcwa8-kvSjzPKK*^ zT=LpGe<*jXLCyJ$KlUZo-a=K# z)&cW0X}kOuJyS<>J|ZW>4K{b0m+L2kgPfqM6jrXN0^QNI$ouD~)J#0*r%q%nssGu= z0mC*v#|lrUE`#p7i>JZ>?K*0+8$DF8gRksrivjf%uPLM6qLuS43eO6~eu0p53ygt} ze)bgbicbjsHEflY()i?lvR>Bc67*P`CVr^ACS0xZIW?KQqyN5_5H3P~Hgog-(dl?H z%ZwAaxgvpt%Z@+iKME39K^M>|Cr8O6C^_lfEc==QkbGNfK;X`cmzpQ0+)uZB--Mdw zNla<3QN1d5MD6n?H+orS#OyNn^SdK4?|)g^>tYkZUR@4NjGOm=gsM_yvr_d`_o~4Z zNG$6){%PXv@mN9@R-FDVcRxs&b=6CCNr{$V9mYhCs->k!<+_|-I zpZ%JSp^_n{K&nJ^m?gl z{(`d1P7H#U#+c(O^oGPfzEWcU0R;6Vrs-3;QKYV%?0E0kGqdWs711Pqo}~Yvh7d3< z+_dRq_3jImnJ4JC9!*%Nri4T6k_Mg&WW`P|{K}cmLip6vB0JJJ;!#ZqRQPV<0z5(+ z6|hYXDh4-YL>drK^XEy@(T17^T|R!rcev9&Px(YCVnEFg^IxTWsiJ!UIFu}wy&R<< z-}-v7zuMoE+`tReA*_3^NnLJNbMf?HXY5P!>$eFUwD-olIgZyq60HF+5!o3UaT7#7Jll={V;nJl;F;noX+8WI zhxU8IN`4P$$o2H;%b30SmX$rTHzam{FY#UXSI($jq1D|2!0V3!aEU{ee6CH)mUn~p zliM>*iR+!CP}#a&u*mH$MvT>6S!b?Xp zVikx5|N9JKnHtBF=`LgeGhwS!Z$~I-rIHRseRq#9uKq4m!duMd*(fpFGT=PH=DNaJ zAAy%B*;rTOLyZ<1kHQ~keB&b8vgr9=QIa8QLk20_#Xt5_T4FlpXybBcN!?**=paxe zC%RM$(Aa2k(Gf?;CQb`knTsaBVmk2`d!d@rWPk_RMnPNMGEKeQgjP_`bxvk5D_IPc ztvTH1JpquP(h7?ZZc$8Jbls&#A^WP7ZwF(Mm=UJM>$vKmB_;Hes6n_R5GZkS*A7Uk zXyL-xiRxPEi9WwnZq&^jK1~Y9qof8MB5tH&G_nzxh7pDm0&LLj3say0+wAof?_cS4 zVp`2xsesG9c3Z~FEv1+HWyVv9_RBMU(YthTdLoTuR}Xwl%0;Mq6xf8|zbP?Fo;3#35v-_p3vQHsGKYK@2%lsMPt#V-*ya|z0#8G++H z(evC751^{_1Kra8^GSiBsi+r|3u5M<;+jD`9A;S*1k*}yob zGdm0ydeB=6;k%b96?#h6ewbW!?#q>0|5PB{Lr@%Ep1E3Frz)f)O8|eYqu2kwIxHV3 zwvQJ#aj%kQ{%I6b=_&sc|5@lcaf2ktd|59?!A)Fia3Y(S{8{mXwf|mcRm#nbZ`G`m zkOesUnC$SdWR}C)o=m&2xv2MagcwJ9ItDT-5uA}*f_ksNy?9^#3EYlpHjMDOi*{WK zSN`dulZGBr2{p9s`@b4+zLGQY`C`=NJ6c&?{6 zMU}Tsr;T!&cx{n?g{akWK_ANT1UX)4@IZ&lsQGXE){G>1`3NP&zx7X|oCZ%4iJ}3O zaZ%ZOzZgT|Rnp*8w8u^Ya%m+%a+;i;^kka<1;MoID$9X{2TyOnK$K@qkd%Lw%+)WO zN%}v1^zuAjRt5SHRlwyDUCa7-e9r?@_9p2{s@8h?2E6?M;`twtyF^eT?HWK0<~i6z zSh`UCFvL>L_WCDXZrT_-V*imsuk=69_`lb6X(Uj>iNlZ#v}lUgF0Ixl-Fd>Ghk3VaqQMBb*yRfa zn{R6`MM;EfhIzNnfbB@D3fd@p?@C+yLxl81cC)w813tl*2I^K-d&TrsEY7RIQmb(Z z?*7wX`RVdN`JyJ$t2b1|I@KoTD!7O#t-DM>Nx7!JbrmMOYuR~ks0pe8MC-pZX(&#i zrdaW;}fTi3B1f3`9kic*1Dd_u=a_(_S$4@m_#X|vh6SXOV1 zjgRWImQ2`*<@XTdKDo;j$s!JxY>=GoB&d&Mzel4@*LwDDJjLM;+tmeCvc50J8=xe| zrqq!JO1p0D!6otL7E=RLyyuCPBAOej#=ZZnb#+lflMp>PByG1rN((tOCuOvO2Uy&1LRV2h zlYK!E{agM7Q-~JSjW9B2yv(P1F?Slp?2Qp2dmrL;fcGz+gdhLdwF^PQhP$5_fFs>7` zY`wG8N2kHGa2R@(e>n00wd3<=(+0_TbVbigF1gGs3K2$Twbz|fHsFsc12XUNZ5!ju zm;)&VEfZ-%pzppC9zhQ*V9#+O-b_M|DJU%OF2QtyuwSjlP-p{$Qc;z`2zQvh@8y7u z^;^ZaNjq35%L#?dJtN7l?0onP?#nE_%K`KGl<<1?8t$x0Oh*coo7puLk;fVi*K%h( zs9LFujFU0Z0|1n)$h5wz+-L3!Uk%@6%1x&=PQjupUKwM}JI6vHZ41eE0Y9g0B9^dX z`aF`il9&#nI(6V%JE_kOIQYVj$#W+K7kgyv)YnRj?v$a{4xAlu25GAX>@-YCmW71h{1xy+2oa&$(l~95fRLA81Z0j_x{~Aza{g24uUlE4 zQ)%m9hg+Wr7~##bd#4Fy97GV!sS@^VqkymBi5}deE8Q^f1vQ+@mp(uTxZ5C`cuma6 zzlj#O`TfK5?GvET)Q@;}i)nEAiKGBp^}06T9@`#itEwMb2fWYYHDoq;nE)P%ml9AM zNn5^Wc(@pHhu7MDqOx7E+`5vsGZz7Eo<-^DPZd`Z{SNk2LsK_2vxVx_e>}pq#HG4HadG((T2opw=W9^`GDfI zmZ%TP<>v`KXk@S*_?-OhCpkhJb$14S!$TBuhps7;QL?DhLlT|USlv7CiieQ7lLeFT zH_q_v=|3Py5%{8foT;EKqiXd|f4fP^>eslY))U`o>HpkO8#NH|qcsd}Fl%BZhcC#8erV4O zF+WqnE*kd1hwwbL5YIF!ZS?9eOMcwu*zcX4#@)2-Yav>M{rM*? z|1s8>9E}`nPvFM$8@`|LA}2G0!}ODsck3AN~UZKuRj_=ZWM5RT=3i%~I1JO)mDh zu*LwEk#aun0bO9Igb)gXZTyG#N?~rPO8eTo+fDCUOIA2OGDsm_JJTB@Nh__H$=eUY zZt_0}Tnq#5?l_|2$#SlW!=f}-{b8Z5%X6%c>)DvYk8NO_b1q*;Yqz+mCm~3Sq@f0? z^gBkEW0gUIM?!X6&YDOc<0~AShB$a%%?TtAf2G*?Fj&xQ{CltE$qK`}*uuMt&;uF` zNyCuE%gx}IP7>M7jv{_Q3$#rAWYepM{L{n*g5Lc99U;R{z~xUV?n~2kJLLY5npv3Z zel*f#?nQBR$T`^8S;uABS|kQ5Fw;b`KLqXVyTn%@K+5oHVxu6Eji&^dYo{uhBf++R zucG+NxUEd?kaDJ+GseLevlo%PpH1ml@+}(U`575%d-k@}M))*KAJ9Dts}^C}J!bqo zFZ#Qjbwz=x@_THzs;Vixt(Gp|L-`GKRmUgB<}2}9aaC76JuGq?_RHkAhMhzg?9H7u zJC;!j6?C-X9P{>bj(jyXH^PhqLdgO-RTUO-pGKAQh(4>M2Igd1&jzgAVxz)u zv*zL5rzP@$)LwmsJ}Tc7FB|Z2Q+x6(OsFf3!4d!Q5Wy9l&g!>&oBobyT7BYWvBpbW zc)InSh)h=%jY({GpvzN+`5mW36|d1-`b7EsQ~a&v(<`~}uXw)wPwmll#Rl%L6sjAW zu|&z#2WtbOgp*&TA=Y^Uy+8qThLyxO?d!%b3Z+89jC-C! z^A+|!>`_iubKcN+RBG#PGMu@|-(uXp z-&1M$M}j#`-@ioGqwKoA-_JVuQxZ_kJ~VLpjPR}lIzVXbU;ECjdbyi(fQ%9qIW-sX zJ5HXnAsJkri?Ode-!E-iu6nJ+l0lwlf2|uNcS+ic*R^IM!L{kzbUejqIyS=j4m!9h)}y9us}11cjbib>xKe?5CZYk8UcSrG0#PO+(F20Ns`~4F!t76 zOp`!3)*3Pk;X=XlK#Blr2uLTNha+dRCc&~VU%}Wd91wod-A<7W8;bpN$;W<_ogslaY(f(q7~8fU}9UmpH}ymzuimW#t{=HWHe6ZZeF zELS7@da1woU)*ff8|K`VL9aeeQ=l6pfRy*GYZuv2?alO*dQWxe0R=w}{xWHYxb%fx zId(mh&+z-XW|ziF9jSDCapU{@SRGYv^2`z#D{zEV7-yVR`(+2|n>tor;aB(&(~C-I z+lgn_8WZ{=lHpnL4-=9vK;Mq>}hOsSwM6Q|Dh0 z`PU8MhR^Ev1kBKer339IStkhjVj^X&l3O`*paf6PKe2pvAbuIIgu=BJioh3-J+>-O zA?7hM!Odav5CRqL1P-suk-R{4Nrg)?!QCklmaHlCN$_tbv)&K-K0RA=SgX?iU8oWn zXR_ioAo#Z*Jj^yUsU`EzR{qQezCZdAVBN=u^`8?JV(Q!A+3>iwMoMf&Z{<0*Fx3AH#+7n@5zU zU(sNnp_Z#_pV!evu52@Z=v<-wNn*8OU&l8MxDI zjnWNrOM+9!|HI}r)*zEXALX*nC$Vv+oW<`X5?k!3V%XaFsh)C#H`cL>`0rfcI&W-5 z;*EJ7+*$&_PZTj>=4{Nc+yD}YBYx@1q4U;BPlCx+j?$Br&MCoos&0PpPREWz!7o zZ*}>fN5AM@YQNCC=V`fLBb#L7{B@HPekA;UFVYpJm8c8IA!4JVb z$4CX|#OZdST`j%MRpDLNsUk}Ab^#Wop<(>~CjAebzHgF@S7I{s#XU);G+lKO$jPWq z*~RiGzu<6c#~T1i%_dr6*{wn{N;rYBa9G!><$hM+5f-Gw6quS#zQl|S+Ct0(A=W9 z3OtnOd}Y*}ptE=Aa-j*+Dc?aVk(wBbk6;)=cwZBKg5^?fKm1)N8Sz`29R@jhxIgd3 z`~J!;j6<|B&dLMcW?lwTs*C#!b23iL@$Nv%!=?CNih_hrcs$%c!cZe44?CODna>z3 z230=u8GFfCH(CsTmH?Wn6iZ)l4rk*pIUk|J_9_Dfuj*zrD+&O7b;%4qf+rtRTm+wU z>xm3RfSKtVRvK1fL5wKo540oU6kGD!^DB-l%|Pw6g*4)*-o+3cEOXyEOwHa}l;516 z<5szf$14`nC)f66HunM=ICcI#@3Q)5=*u#RO#Lcs zrb)?&Y_Aw`N0+=m7bF^|(yie)&WEx-*u}t~Z~b8rfwPdBVxmMCMH`l~UkEud<3&nDGME=x4$1hWO(?2%kKMz3w@1i>Gd_x8XV}nvJbtiW1 zavZL%M#ivU$}nc4p{c|*9xN<7o`uX2tu%yja-8=3k2MI>LjxWd#Fqois&5^j2U%u< z6;{fFlrL{-KFk(wNY{(W{IdlHDF@|-ieWStJ1g11XoW6>o%%TRH!acB7I+|eKFM&A94 ze*!~}EK9r{tnBXapNkn`sJZAUI2wNS>ISB~MYvonA--g*ZmE9fM?i9@oD|{BV3b~u z6?mkMco3|*jRor>B~^i28;aaK_~ket>C5uhMb>Ah2A#)9jqcKbfZCVLvmYOp>gM3b5h*b zd}9ix{rLr=`p00W@qPW-%cx*8^{K-{c2_ur`f^_s*{$@w`I9e!B+Dn_?UM<2jLLe z=Chf;j6V3#mqnXDJ!wk+CAg7A)VqEhl7vI z&gUZY6v^6jfeMFs&P!F$&_VtG03pRM1Y|h9{+XnLoA3LB74=04PXKJ&ii_6e>_*4xL7nhd}JRJJUlwLNm{)H3_{m_eHa)O zavMKt#8CR17fh$ZrdBSKsEWFbM}koD28&L2|9%kNyv(2qs@iDzUIi5vxrmhwa8F^e zR345jDK6ceHv0HV=%R^Mesuioog&xBrhQ zfc$(U@j`X7`e>9@Ft0waYJk8pkXwZ}Fygg>3~8uL3V!P+>_?AFc-o(ciNj-SPRZhj zq&d9B(6Cf-9g+WIc2g#hH~WO$L^a{K@WINeZega||x@G~8F2 ze+;VQb08IQ?Dz{lr52gX@j5F_wW}@zZA8qpT>Efq6gP+?;fo2Vpu{$HfD`XD+~4YL~x^@Dv|p9Ea#U zyy^OIW8*D05UR6-r$Yw>H*JfBnovn>>Q`3>6XGxOaB*ksl&Cg;)T6h^UX4l0)pxB+&GZ4LS{wfMSapTl{cL%2_+!1xV3fr3Gl%xuq z&zWPsa-G6!h&#)6@*DaiWd6M3+ROy=xPMu83 z{RK5pMPtLCn_Z8ye|%l>m8kOB7?l|dr?R)<# zeh|*vx^@1`49SBs4Y3NsZjqGotxhGW$;sK)59n8$2HVskDmFs47nwMNQV)U_-)~Q{ z+exgg>+$2=gBxV+Jh%8pEiL_j28t%8QD>vW+Zn^YS>M;R$d0D}K-IubTw-v@qj4NB z3I!s8IXs9-DtkP1aGpNVv2!JU%!wWN!ud}2DT|^YA5QZzj$?5M{!Az>pJuitd+|YS zyX=OaEhd3~O=n7!$1Ku^Un9kg@zeO#0#O_a_bz@}KCyo{Nk-2!*Xc||)l3|=mcN|~ zihm+VXnoNa8#sPw{06GLAoh&I5=KXT)Ze^$8s$99g06!oGf|S%6V@EToxj}Z!FQ5P zHI|NY^|*0&+JsRwXpUH|u0p4gw9gPjt%>1o)8HT~SQKz^;-ay6H(+L;{$-i*q{F-2!cOaH7zjl z>3tfhG27~~(t_Tm#^6BC$i|FCvn*3;tB!+N)d~+@MD>VT{gs0(epHVzv011cA}L$& z@n9UA^+jn6Tx7$7*C+@Y3}$A|v|O-77ZN-y4$Jf(CnWW$3QE}&TOa!@3>)8Z7gPiv z#hFm$i5}i@rGQyigAm;Mj)uE$YDyr$7z_E+&EmOK9Cfzpm(u**s?GaEM%dXZsRM3v zi;hOL2)$x89WtDimUl6$esLr(9EVcF+oAurt6NR~LK|SyaK#vgc*eTYP2+%Q^Y8DlVL(3fB6S zF(=XTAcsa9h!KPj$u=)i(yvw~1ILMDnUj+Io=EwjirukP z?A;0&?eBDhQu~8%B5O780+0?|qihXa7)E4gTA8GpbY}KY9PBC>4v4;xZumAM1@PCa z+iQX&N{4I|X7IIr8uh-R2|}&!2xUw$PdNB#*=M~sq`#0Hiqml*IxuQcy{EYe58A}+HRwCk3 z_d7X*-GaU5RZPRg4-Armi>+{bN%;~B6mKDKyS&s64Kq>fa^3m4VdU8PAJ-LZ3HjX4 zTkX*KG0z=V(BR6xu(4$CZjm*TTT&aAD#x|kC)l(Q!bxJVBC)aLuWjVa9{m^b=*eTU z*}Oj{I}62nSi5^P77j8Dq_NXEZ~1JzW1P)WEY8QYOebe|5u2M&)%9Hn>qga2kSo-BB+toZyA$2$aM<@?QcS+TqM$9}ds=4JV{zplW+e}`n#)CBbU(2Q z`{LTc^zH1_w4|g;-=-oaZO-Ym!1bAHUdh7Wd-%U`T&&4zLa1GphIHo%rj=SsdaKH*_u&f;B7qBd!at&cE;n8Xt)eCs zFWi&a`Kp0|78fz0->m-OfwO|7=$mWf_Z>XWJqjbG&_GBZoy`ZPL$i@ugQx4qfGf%K zb>7sgH7Z_tG8dDFO#R*ZbLLyj_+wj-L1vlT^NY=MyK`Pz z`Hrb{ft*f6?x%Ubf=sCkFI)FAR8E2_W-YhGQ4I8tkS`CvhWm~X)lDrRX5~aM#f<#$ zJ=Fh?t)&28BgU>gZR(p1sHf0yHd36YD&TOo-36}1tH$PGzmj7Hhra9R=%fmJ?TwY! z+V~X}NKoJ$X}ec<4Gwr5h|knI+wlJ3Ivx~+e%ddQA6K3X)?xe)e2Dqf2wu1t9e6mM z*`lkH?eBpdv}Bd2#&@V_TG)2U;H^GQMVz+0-eYQit}cgPb&weSpL$h9NaJW$>sP!M z>eck)q94X- z)tAo%_UBaO{0H@ec7vYZe;Qr)fBtu_wF7E)Xb$0*IWMVOalwIJee3p-QRIA4g8uL6WBjZheQj!dhmXjze1)JQeOiiU%+w-@r zqI$;WQ|F^fZH{v9FCQe7g7@^Y7$UZH*JYv+Z(q$#D6(c;nS%pq7ia_IMq)ktB?n(? z!_cSJL#PemFDZX9r*NZ_%R0BG)@FT|$@rOUm&1P=Vi6^ci+Itkeu~-nhy~cMvqf;@ z6D~MO(rQMR#t?Eo%&^EIp5Eb2KUQf6^o_$W{G|+6;A5QJ5rGKIk&JL}a{G>u1U{_D zWa4q{zDvT9AKvFMad(Ph$5Wktex6ss#y^ESvU7=aQ&=Fs~ zT%>jJ@q%fSfndC#wp8vs%kXevB^=;Lq*xr54?NiP;i3&15J;x-)y(;~ItNg7IsAv! zMxOk4%W6UasF2dPB3?H!PDFV+iI=0=ai#}bkkdgzV?z2A>%Dz`Hf>zyLlS}C`F+x( zTCwApX#*5B$`!oYZ&ii=g7tIzhQA3dp~(2bc4v4wFAa0Y@&)d`Ab1U=WYa3BbvR7^ z17~>aWX2{8nh=e85rxTx1#bmWcjyC~arE`ioS(0`j^xdVjp{1jIZBFfkkM)k*}(I{ zBR{hNqYCObGCpHc%Cvqu{1h3i%I%iHvMJloh!>coP*eM$|6qqV03xb<5W53>@#2f4cA$bCX3o4|T zuQ#CQx17d#(4?a2$RSc-bkvn*ck%ard-v}MlOtpFV?~Av{e(`5R${z5zx=V0jfU+c zZN%i{JsbGQ+pb}zz#j_xRs+tQD%WRY1$XLc3OBcwVRFWtSayM}wnXRcjlhnrX@=)K z$y6NO;GHC&np)6eT{n8s%#o~x6^Yr(fYgSP)AnfP{XI%VQKR+G&f=S+7kQb2e#4}{ z#$)5goZsZ|JL$wT2)b~+z<|xPq*Or*y}<96Vic?Xa%fa_aNv3p^ExSJ<9>HN8uA!V zpP3rqAML1R+DhGm=-GDS>b$xL1eW<+Lq1W2QBQK9Qd6}F4ikfnB+u|8| z4hEIR=H^c4zmIIQA^y7DC>amo#}S%st*)I z4YwS*@!JYJIh>PjsRy7S-#Qi3X3RDzRjOI@IM%X9QIf%9^z5`pO8 zWMUPcL;bbjEC=pPkX#lSw4wS zXq3$h?koP@!gN4M2ZJ4)DGd_tX_v`8fPM<46P0`x+^Y5MRbhFZ^9JN3`l-e@7;YBJ zNOsAUjhEauCwKq1#0?3i&a(x?k{s9znWm3G;m0k>D}l-7tTbcCJ2x2}&vKLry7u&H)$*RsAb9-^{OgMKFnP497m_Mz{wKr`xz}SPeBZ( z(bZO$17NeqAI!fGQgVrcaR@Hd7UVD_1}57?)ZHsk6pQL3VEpV9dqH_Rn?JI;tdo;=kgJ0yr+B2kztAW;nPu*=WEE#SALHA%9lqBT3QJ9 zIMQpbJu{_IGis>VIfZrEQNsyRy$$A&LVN;wr9u0)LKff{GgU4jjTEOb5Ul0uKn^#O&j;S(JFvWs+{pFcgtb%s`9TMu}=65h@%fMi2m)C zm^%DgtdUX>lgfc-A3#5x@5nr|L!697B9L8*tqYVxc-%U=np?OQR8Py;_Jb4@NcMMv ziNygdCAuruGeeb$m5SS7yPV~oV`4IK4q-J@?TaD(@So~KOdTTA8EZGUA9@Z`sEXT* zMXfAm7v^%6nyTkCsFfj9N^b)+^=f0lr`EP#gVfNnZTze8&By2sPM!@&!u^L~8Yq@Ze{g zjai_5Lq#8!F4sKiRq&++;w%s4p2-c@cPiY>pf<9A6rSwS2j`sXZ4$sU*M!pofAuWt ze#Xguy`6UIHlNZW$A+o`Qk0?*#)wb&*B{esowgNcigJQBRze*g+*42K*7{WEMJk)8 z)Jc`kM~&}ntdMSz8St!XlKJ=UC!XiYbCr(#<`AwiyY(AM8D>H7VLJN-+UGs}fi+5vU$aW6ttGgoV>D?# z8!%J0HGTD{6)Oz2VXiRJ*XgtoC`057Z8;cfXm)Tw6z@0FKyp}6Fz87-ZC>hE(b4mm zi}ZSY-N4PsmG2y)i-pm%H9gce#`vVXT)a)hmmHSM~`$>1mN z0);!7HzBu`Le^b&|6YFJjrT1TvlNisAL&PwbxY@wi$*V?%Pd$a%u_Oc?l0Zi98blw zb)4+lzwdj|o^v|jC}Io>58mUgUguxt4M6m~FJB16#HyFYD5%}_JA+B;9HEsWMR{$1 zSYeyIT8gKx;;SLPR;;vQa+Cg^gX7rz?C(q0$T6NjITV;a>@1<(7Ju`gi4zU;YbQXb zO}t8%`bWs2GFZGXRIH-K4LbN-a^a(6<&Nf4wu)NORZe@p;kS1?r1@+SAzH`UPTlGJ zIwz$cT+zT=9tORuHns^Sy)XNZrT--J+%M}KnR+&bba|~9!6c=B9sf#{gk~eO{p9hC zfH_syJUVLnb(+>WGT>o<$B4g#7sL3=`3KfYOaqzIVk(_%R?)?;qH?`H6gk`EioNWL z&q{N7!`$X@?#1vh-z{pHZyzXdesf(0XNz>yx_CTK8Pab+7KKY>>PH?sBtQLa8ZOYj z+6Y4}&1X6mt6^cW7N@fQxvB1VtbR!4PQl7*SFDEejbp=s?aRcL#tJeb&I=9=1Gnxk zuFF>3o?2P->fFED+wD=4SiOqlm8W$y+?AL0q4s(7IiZlH%0CGX)&fNavR89l87QX&XzI{BwT{&v>$AENgjME8JhF$a0Tj@ye)h zif-OTu2ql|T9J$@8?zw|*xHARS&DC2Ka1R4{=6RaYWYJ&4eDon+i73q2ZB@InZz}d zkId|+xkCoJkLWV4pdTix+_bL-aXA?vnW#}(X&c@U=iT!hwdo!1RpTtH1m4`KvLi6I z8^Q#`E=Ach=-VMy!Gl}L?0)#s-6qT@Rb?StAoDu~7TZ-pQL9E@r1IoS5E#y{`K_0BD+WOiO)ed=4ed9_8%yc> zC~jeO+7RbDrtYHU8S@8$BycZVR2#~--++HV^;&mgS>~<{t(W?;ivLZWAsfd7M1*r& zArfxN^m;;Y{aoPqbBO>%j|(pZ{-Tcza@d5quEs?U^D_ys#9aZUFF(I7g!1Zm)v?yl z=M!Ya(#PN2*R$f&{A}F5_ems%pIPDKu4OM!`;MK=(fe708^e&w^IA1Ss4tcS^?^U< zZ^?uzVr^FG%~#RKKRf^_#H$|$v_A3lo&GQvJMNjmGfru5s3G+xay6tkEAvrdmJsv$ zLs0pn>=<{3pty`RjVuax0h9gQc~_}Imn028Tu;B=93j$tDEbJm6q2|FN`nS0{i;p@ zsx}wvVXvh2wKLe=%;-5P3!E?(xBGM6RoGDBGW5u344ERybpJGeXl`sjcfafs^Y!<@HVf=Z7ffkYg?iagIaIsqeB5a5;3WB zKkxg>gXebR2buognsen%9h=rc9YJTQuPxs;(a_h3T!P%7CFZAqX`Z(9>nz_UP>|(=ca>)ie_;OpXBGgYimu@5mDAYU z2L7A4mPq@WOMCWF<3;;9s1Qn-KXDEwHjgBbf7-0vS!22A>!_+a$rs_J<6^dBi~&yPsk}27yiAHArvHfg zH{)Q~$70ce4!K>m8;pY`9_sWC)kREuBhfR#5PcnS=JZ0mTo!5xZckN(2jBCdrsT&Q zJ!B=!q$2WO^~^Myq{W}=r#7s&P!auW{se+?FQ262g5`deDX}BX_Bm|qP|u3tFvB>n|;5d7UXHPQXxVT`b?_Y7l< zK*dX=kZxGOhKp8EjOpDT8i%(sQjf(A%E1SmG>&CrRRyz~sPZrF(n;(Eze7qOko~Fe zX@A*xAj#Rj^HStyje_6N4e+(M+txRzu|#nml{$&*h+1|9h#LQOpe0bi0+K}X5qH*q z7rnWGGIF(^xgWpl?oA!hbp&R+a31e89qsk{F^Ca&wmtTRF1mA7QL$>-sM zc6Wen{rme1z82_W=mH5l~SuR$*YeuL0A%_%9zTu|@R zB!Lhj9r4-m1*a2Xj;n}%YKu;Vqb}UxWP-lRUz+}E(t0Z#x? z1ar-l)#T?#F?^gl5H6z^0zh9{+!fT2JzcrM3lP{Mpb{inT)I!MGcu$+IQDMg+|yPt z=erySmUUTVYJWFwQEV=hzqVbm!U3DauHeyz^OWJMtq2cs@pHygw?*jj%KtH449_qs z1`Ls%g|*+u@Os`Rb3%iLvU_lIzgIh;;*ZNAskrzkNr;Eo{gp${+h$JD0{n~d&j5G8>b7rvlIeROD#zA<5nwM>m~De#b&p4cbVv9Bx;DrQ8Tt;QY#! z6_yAE{2T zSPc*N9_J<4ETW5_#`6m6YybFm$;ExOgll!oewf%LEJpe@J6T@8?txaf<1D0}<; z7$HKJ^BwpMp=O>WleN=7YT&}gtFf_N@KqoEaHKhuaqeea)u`cyHIdoP9VZa_Sr=NQ3SjPd(fG}eyC+IAGF%RYPT#MbZvvEHAOcEN>GhJy{}e@N z{5_N^ixtbDQjNuqPu<BJl(Ue;*_!6#ys$k@Ma9^rlX^iw<5am<%V%FSG-0f_0yx-AK0HB|G5{@He# zf2@x6EZ0o-l=^oso9-S?@$2_o;+o2-qG~-`StR!+)h1l@?k<2I(jdes9jjCJTb53G zHx2m@>Oxc__Z^;VPlYJugc(Ek?F>tTcdSP|EWCC9^7LM$f+!Vpf!h6uqs7A+IF;NX zz2n|W4JysLAw0PSDC0+5~5q`8AXPCtB=lXsH&Py-eg+N2j8G@^8OA#&Zs-|f^G zlB1o*Rdah>H10h7RpZJ>l~$~FS643Z*LXF^%AD-l)ty)+;7Cu57v1?TU5K1y%1yix zC(S8)?9cga_9Ue#N8Ga7*vghOFy{WRc=DGF0&6kozdc1?@456_e_nHP??d4$Jx_Ip z5uvW)kUrBRXaDZ1#QiVHmNnvBx^mBt8r^mnf zqk|Zp*9hEnrz?*mQjK*s1X>`Iq%Yj~t|17K=IV`CzfyP^+ABR{zJ_CXhG^d)IU71K z1}uCG zqs|#y$su~s?|J%X+VCv|h)DK?DEEFh`+4e-AHroyvtd7AP}_Zx8ojMy1KM_>ERGq? zZ{k)u$%ENOg26g-8gEpW)-jd@y0)u5CSFAw^95`|Zx&;5$=&OK2vFY}x1Z){FZWRa znOv0aNw4SE38fn9X&q^3pj}b1A0wOgbFMlnqf0zW-bd#4Tyyy53`(aFEszL~O*THl z@x1v_`|F>HzA@!~*ONR3Irj?Y6o88ehi)<)qDrr|WAGHg$J|+09y(WlO zLfSEGbW?U8*D7Nrj>A{($v`|CM8eSaE)qs^g?C~}3;3ww)-iQ$zobo$7*?p(`}ntV z#HHGGP3PT_MN2&=`HLAo2C&eV=5FP0nkK=9-KFz#GIu?D0#ObtK8k}v;M}Q+Y_X5s*P>NaLPbdHAKk->a+MMcF zC}tt~DRC~97+hYPFd)Rr3#1Q6%Woe#%?EB~Urs$DUHa#65I`&vlmyq@L24Dmi<<%v z$okBH*ca?MNG%uNq1EfQ(??(3ulwzjWl9TQ)o`smuaWhdvVDZ3B% zl%EE=n=S1Rk9DBhwoogBOaa~the-3KZUu+;X4i@OzMPBN;C&Y|g;yC}zHUDXeY2Hev68S8JExP3)_@3Cp zb=H$kKY2HFxf}8xyKaL1(U1^9x9F=VIXh7TlT_Va(j2>qnHP&`%Wq$|V{(9K2Cfw; zBP_eyiw;I>ON2ID%+hA@iJ}5 zMy#CDG`)cDI3!qT(xbMK_x@02*W(>MHq7q3t>G23yM`8+M+CcF*87)afuv^UUN5CR zo>D1n_vD$9>kP_%Fl>x6YS6N00XLDFU)cEE@slp8=b81ivs5RX(Qr6AWTvzk8`GAx<}!eEB@;r5LW!_?k3XGdSKi zB+`WLU%V7ll^JmQ%uUuXoL7|De^%cH9bLZK^|1m)lM~OU2>K$dCRIP{24}m1`}V!1 znzPZ^bi5{f(^|{l?3z$m5B);PI~%_tHmjc`!zIq8T3T;(Eoq~uhV5jZORg6vt}C-z z1+)#$+i3aGulw!R_3&TVSSSv&8>m?xy7!eUkHf_2`)xASmt$ek=|Mz?!8BpsELE`v zg=Kuq&CZxHDU!O1v`(_M+7wYz;T0wYLTeu~_QtNiyR+itbxfK}CH%10yR4vEXfGUw zR^J_XeU-)U@H*R{TXBEIVrP+q+qu}T!>|%XGE!N71TS@s+`#g>y7dGSnXkRev07T< z*p(6K<24d(e}OTi&k_I(9#HEe`~6dDT)J9cl-@sicpz%Fzd1_h#sB<$-6frP0q~@E zgQA5-nscQ16DamgdixW9o0f!R#_3z9r!_AXFB^DaW(hJV7f>#65RW>1F+@I5PbjM^ z+>61z=>`umjmU{c>C*2v1(YXJIDomn3Hj!4K2Jwk!1bJ!t2kGCUTD)kgo@5QC;s% zY|5=QB<%Q1x+8*P|IF2gKW~*0pZ8vL zW`Y|Vmi`YNYYGL54_gO=2ED92h%OWim*u6IGr7#EfO>2u)avM9qSUFvet&eTSk?6! z&faYE!?7Ze_TU3>fa=hcxJ95oe1z}Ms(45^oHZEa&bFHT{=MsRm_d{u5L_gYDl0m> zf@^Qz*S4B$D9ADu1$0DJ)VJB(H`Dld+;dK|bUJyk$$1oj4D8C2d!`r;1yp%ngUY{4q692pRX9SOrt5A#ZtXoc+} zE53(bNL?2jJ2FzeDPI3EK*+Q;DHmF z@OyV+uy;!7Jl(0@?9gm%8no05=x_9SC46P=PsN*5q7Hvan&7-Jt!sz<$#XK-&C`9N zeBjP?;);ZgzTDslhtuivmNOvuf2XE9$)yspe8{D~+u4s!w-69JdP9>&EKTg^*n=8(|;_23zl1$!u45}b7sWu zH&oG=PRLQ4w{qxkJ}ZT1*N?!(5<*>wj@_58X>f{*-<4MAcb(f8+_W-7%+K5BiWH28 zJq3$}@&}emcU#QkC zJkYvjZgNvrk#5Y7t)ljV| zy?$>td6U14jD%P9mE*V^h?#$4N)qB?ND>kLPBjrD{K_r?FYYuJrdUF~MJ0CaGYQah zKb9EWK01+j=eT^Kv-qKQV=eGyh9oHW-Pw;-2mN3x%h3n6vet;t6{TW3^F@oUI|1U& zsgtLlCR3(#NC3 z{jadzJ@H$%_-F@Ochq_5k@UJDKz35xFoyrkaypNaep$O0MGt%$d^De_asuyi%_`J8 zxv`olh1OulLTe>jc5ZYn5|?%+uEr(T0hrzSj{Nc6KHaVBMA%W+hFf3MFHkmD>eS%m zPv)wkWBt^+-;nZ`QS*PnJk5i(dee}pJKS42q~5U)hcq4wWb47dJ1@DhJduPa(r$@} z=OTw|a#)W|ZY_v7_s7|@+dI?Sd`#5%D>0_~7W*D#+zH~Sp}5aCGlno1arp6b&GGHQ z>uetnxroW4kjrn zD(fKDcKtb1^ddO~ z%%9Bk`59DhB78mMs?tc%2Vu#|=s^d2-w{W_1sTKer0f?KKWqY(Ir$lV8rxdoCkR@sNYEeFytsP&`GT4ykh zhulv=H6hugXftTq`i67H`o8CoCOm|h24ZX81pc1Ei<;Z#Qd#dw#fFfOZl8BMJiFZib&y zc=E}FkYo%`*Qe(O92G0GM>~yv`hCMjU9lvxPezBN7x3na7EPJ-G@5#g#wPX?MQZvY zU;>qWbQ|jM_$d0kFL20-#LF(xNy>gdR%$}jQ2Oq?Gzs&!()~J=+^PW~$I;RJX%xVZVp-2>^a6kimQf%EW669^W@kFIbm(p zc^{Ydxd!MBbVrF_xeGFwaSXU`Ao})*bPutH-(-*6O7N2MfL)n_!XYjP?IWXzf9L2 zS@BwotcSxOvC4*vn9a*WSYW>By`A(jP3O{%u!Co?=R4IgL#P+k6NJnI=4{yL8eE^< z;=L##F1Ye~t0hYq#vzEF|OG(y*`#BHt z#RMSbqYYb~S?rV;`4?AK9jXeKaHN$tMMzP6=4IY)6|2COn3KvB$L*z2v38WDwP=;y z`d2lO(Mb9Av*S~LXIdmE@%IFSy5IM5W1qwO1&0E>qUKcWVw(ZgWWjQ72pOui_D*tSpFG+z+SPj*oO)%1`K_`%Ss&c86(ZJKRr# zY_X&C&a)f0@8(Yn^skC+Q~J+~XI1enzEitDXwC$O-gEqxTY^yRFW2Tq$i`$%>x$o4 zhkhA9`E$2OSe5xwZMYb$c2@2A!^r5BBpXF-n+m< zp+fbeaNm(Mi7~#x_aOg&9a?6~5u*7ni^TI%o{P(v;7VM^IOP~}!;i^J(mMvi5bUH*3VP3}wQq0PI; zQ{KmAj!y1dWwolCW=vCo&;YNL+rt@pqxMxLZ$aXUMYtfCN%MqtHhVU*b~#e{M0ATB z@~W1}m~L!;)Z5x|$OULl3X(y1woSgG8>GbS%ua4*zl9o|@#Ug>!_6=sqn&a_Y-eOPw^b zHDiiABMg~JP6BJ&xYr^lG?!o8r4IdcE9lEgokF64xzbebXG?%j+VEE8t_3i;WmxPX zv+ufnhY4$F*^GM)e-1k*GFM(VfOgN4 zBH&+l9Us+pIrv;+Kg~NjgYwgap{+aigY8A3O{LlQk9(fgFDc}1N`t#$*@bpbwV<4l zTMk0C(EFc44dJd12%dGlDlr~bsL1j6y>qnt$?Z9j+VWK4^j&lNk&kCZts%Id3?lDK zqz7@FRmUtZ%s@+6BHBuFYNJ;wC;B_U^_t|k{1L8lsxaB<=sS(j)-5wc+v$nr#$K}s zz{fu^PTe3U_I9{@`SFjSWf#j#iZYY$0z4i_(VC*3{l9}$r;W))oPu0Pw@ySpx5t6cPrZ&Fj&L);^Rcfsb? zdu?F!t4=QchG8OF0x`Jx_f{oh^1l$*Q+3{rj((q-gJd3^S|;b3KFXnfoa?BS(c`>o z;NLXb!tWPZQ<#&Xt;6D5DO`HK`G)kTre_eM!%_^{wjy0460<(Gvl+=1&SUc+P2I|T zvCd`k#&*f;{EDF*_E2FP9eXWu3{KXSSYve_#_6u5y3q&bF}z!8!MPaurtNRY`3F7Z zrphGPu|j%D^J8QUr=ykc(LKu_?zbs1`7W5k0w0}qo!pnqbMRRjyO+}PXz?OoF4R6N zP|)jNWHJAyY;|=wU21QP8cIN$uF;P@!3QJy=&6D5ADuMh(YcZyDaC}F1i{9gJ77qq zGC|_}5ei!?@3AexlVkkS7R@mmuuRq-vlrIp(cn0uWH{gZQslrW=130atd@HN7bv)@ zN?`CuCcVxp*l_j@T+4oo%&XY<=X-ILZ^@~=J%=08pW2>=uIas_CG;x^y~^L)BbmdmZV(bWb_<>8kRPlkT3Gh*MDi9|s;XUM z!05P%`M0zAWBi!d$7I~l=_*6R8Ex&-)aOZYEzDq%O}M>-w&7iI!4{&CnTX*T>2>K+ z`{35Hwd(RnT=}M^k9R~gvT!wCNv{?GdlQ1=KB$uIKXM;n4Q>Xx6mWhGAUHhWo;jcB z?jZrkVi~F~az^f5rc@`3PQ5>PneSFs*kDJDZ1Iq{1s+cfLoUIhgF*qgVBqbra@MYc z0(14v0roXqUW$2oRq-1PlT`Tp-KSvV#k3?(udW3oyis>(9hw@ZwSrWBlMKR}WGzBRJUF=Pbi@e`o+7a51HKYXaazEu}vv$*K7bn^?aNoj`iPW5? z+uf|1j1gqsB!=&#nFa2DyEVz+o zp(i0Xb>ob>ncs-myQyFd_s^MEl^SNA#o2O{%fS7?eBZa{VccIY@u!OO7byO| z8mjL(5fBozFy`FtQVUfj&*x*ca#xLO@6X?eZ@q-fn9NoQbxal>Gp~GI&Rk607iwi| ztfFi$`-O>@d9*co!?OhG&TspbiRp<}JFR75?z}`L%o`H-uyT}7Z=RJYGH~#KL?Fhj z-jh8e@9=s0fvHyHna-si1P-40Ip znB^F%=5SJ{nAplS?Mfy${L@hj_JeHK!ZehA%P>e5pNCO5& zC>DqjWV(BKnviMMvTqHKJR8d7)`6KZJ9pAB4R{koV3FZ_uR>vt<$^kKReNj6!0d|{ zo+JGdC!l$lK3KeLEwUm^c3I%`uPO1#8dKcqsEMrY^Nrwtd5?2{_s`!v_sCVjV;wcy z$p|nJ76@jRi}wPSrlW#Dm>grvh&k%LG?HHvePjNp5^XK{GB{R0AQc#x$OUn3>4hTW zLZfdNIz+K3Av5=bxk~2@((&dR!inD?MDrbBMW1fTpk~9Jd881aH17rXD3E<>+B}Aa z=GcVhv}wt7ZbA?%X~o*ON3~Al&l;ZqIkcFK@=MO1Q=>MZW3zlwjl^MeqtTp_zCV)n zG%e{bo!Zd}pp&!(k+T_fN^43n-J>IXp)Osy8F1uu=``Ldh#dShg>XkH_!HHvp1 zTb#1SNCHdsQUb`vc**wE{1Y*(}V%$Nf` z#Qw6M9;Q&n^eLLNgJ=HVHT)k~e@uF}q*|#K-JzzU0+cLI-q5R;@r$x3HkaL=Y4^S# z8UN+WxZ)z^GetkH&f{qAp-&m=rveI>8kl>`)0BiooTo~>y$v=yGoF&)0)YHTs=n>ma6K#;H?V5V5=fa*$;|X6Lr4;6a;}_Y z;(DY9md)+#dcDq$En*ql*;klvhe95Id*Rh`RLMntWrG;SZzjywSsR~b@M5*KaMGRw zQh$uoFYwdS8`6KQ+ADPavYzfh*nntnJTLqIy9_)7Nqb(@Wi>&Uv$M<>0v6FlkD~H`_}wCg7sKw#GEO!z?bPsm7%J_!wBzaYfBwP^Pf@Dlh&UY zXV}F^KR;JLQn`$J@jNWTZEw7*c-5@j@sv)%%3XxBgqn22obU?3w;yzmJBa3u$%nUme(rc$iy5Lfg*PXt67A(8KR z@shWJ9u&7Z-{SvGqyMpkP)e*wfz;%KOy3WV+4D%MZ|3;rPqI$M4r9Zw%%CPlBy+x* zKiAbs<0qpU(OhmVG7PrpNw$*ps`HC`$d`>gd?&3OS+x_^j|D_BrLsx7GCgm|hJxf6 zV8vAh4N*}rW;;;@AopgiD9F6iB0#HF(;ps^bR)DV`0~&4ueoduX`K!^Z%-DORZx48 zx6{nFp4*D3l_=iXFu7Y^uxY(LeIQKJULw#rqk$;#)<;}L(Gu&8USQO9Qy}$ro1^P| zdM<1-lI+Q6pw@SNn zGxq<`c&%yjTv~N(p!VU0XYiT%lGKO|iv~6wE33L5*=cZFk8L!!JeAfDS-aTijNv&= z3A7B2Hxyqq&i(7c0W~5G5Rm5|$jZ#?>Mq(GR9z3eI&s9{XvDV2Z~jDg_u1f_sXcrs z)H#}85oT3b2vRf~lO2pknn}CfL^MPCDK^uzpfO4?n9D_97!XbOV;@XBzSCbRcRuss ze~~2Vl16e*(ox|&657Y7js&*vt8pf8n~lr`AXkA_eXXQ<14E|^oE2gQw$-!{3pQS) zO#cmf-bp4~ghk|&`KV(K*Xp#~?DDzK`-2Wk{XnHDvybqnBiNyB9D1PI@M~+*KTlZr zh#{IHMVIvV4T0UQFw@Yu{D)ZhdyKlv11-0V&YM3j9_iPo6tA+1-{Wt;Sua|2F`@($`{`p3!n)fH9r73I^{=0v zYS-W9$0*0ut^^LUI;0puO@IH%fx@XT!+1=J{0gVNqPsBi!$R2Ias1BO9Yk z;D#FL;DYY|yT&zOwOhs96k5;9;nE;WWG{7-c7rTDb6}*|2WFYczl+-T1{hU|7)L)h z!Qq%CoKp*eEby-JdmjB~>M#JYeNsTc*{!WSfC5bZ<*?1@4YG*SOEVHrCvC4YYT<4Z!w8Kz}S~x<^1aoSxkz)HU#<&y< zp8~i*KNp1NDP}(@r_;DKl%bbOae=uH03(k7f#;X|7Z3cmcl`D;xp<(+KxvE?rapJH z6R9Bkz^6O~_L)w)(_X{T59^)Ik!_24jp2ET3=mf{o)^2C#jo)rB5pRH|HCGF=P*`CxViBAa(o;J>*;yJ-rP5U3&)GBT{-Vl{5Rt# z{b}i$15Fy$qf$qFI1I^rY;0xzc3}xzu%apLKA^XRiFp&8_0~!fYa?EnEcgR`f$I-DY%d9U|R9F%c zGERe?Rt7S7tj5c|aA}DBQq$5FlAR4&f+Lpu)9D|87`SG(%ip|tv!+w>?c3utxwula zeK(6AO56Y?&W#rTt6Anumo8K*hV7-pZb#Y?x?&L)sbg(dw@>Ns!um8l@KK z)kFoW>g}gTN8ONG$k55ruHpJ<2~ubGVzk?TGN_*-z=jUTI4H6>Z%_xMHu-ovN0AqF zMQCic>hjKe8UFEy6{5yC*9FfdB_R*=tamLpc25B!@EoVy0z-acL_|dB(=m%w0B07f zm0N$&blYy0vfAt+B3X}HboR?_Sf#ltxL2d=J26%r987%F!Q>JA=kiZd;CUfc(QWwjZK1^da_0tp z=3OK#uKWY*Q$MjwEytMYkA6zeRV*e77y1rUd)~gLTJ2O&eK2Y+JxqAfV|bwh|Mkz6qya2hpka6U zby5{~2iERlchs47_)P>XI`15>=CvC}X))8%(js93U#93!rtsb^COB>+2@J4AX}e@p z@Ab(b1;me+QV`;c&lm8=oo0jH4JxSwnfS>)S&6f%eC~eONFTi94m7X)R~h`LsQ_Q8 z`$;f-yNvzdcM=ip#`qL#;OSSW^ zFEHhLKDo{wrp2OBX4P3A_G{Mcf2!nv6$OI;(6hVv!^Y_IuLo>ou%7W}Y2$-w+P-WD zv=2`SN6dtgi}bprC;Bi1O$tXyTZgO>{%@q{uiNN;!+w9egcjG5&?{MaFSN9@cI@5VYc<`E=35snEiDVJryr@+x;YoBuL3H@9zew<&uMOE z_Q`&Ah$$%!68v!GuFyvL>;aTtp{=d$E%IO;xv2H7m5Il+@6NUe(10?tnCL2BYB6%F zv$M0+QbBMU`)DT$das2Za)Pq#2tPh{ab80gIkHT>R^Fej>mGN-#1z1G{BZ3_Jx8;a z;y6zUkBnyFfTo08|G@Z*=8lqgtqJ4r(56PQ=BfH0=WEkEF0w~7F%>qbMAKTcAc~p+uYjIUKEBSHmaoJ7Z0~*rNChDht-dHl3utzn3r(x z91Ey8@3gWsULp}8{SkDNYSJCKzIC*i!D8(Bp?7zE!v_qxwmnsG)cQec00J;4!0~EhQ&{&N%V&E z^^V*tf&}4$?)Lx?cK={*l6x}G1!)aV5LVGcJHo*Nfz*6#W7ih*7h=tQ`xV4RY23Ez zeJ04pIBWtu^90~-wy47hWp!2nGcraPW}WIV@n}eAPTtK&8w8s=V%FJgY(H!^C%sf@ z%VdNZTwgEhdeFh=%<_Mc4hEK7`s6Cci$fnd+gdmb(J9!~Op(G=oI47d}451_M4;R@n`W*Hq~ZnjpdXd{nBen zV3-wZJH#4ww8+v`GGY|xQ(2jY-sCef?2OQIoZz#ln2*$(u!j+`=M=xrb^bDGkh~7S zCY8guP0O0*%#l9EW{|+7s>8U`WVF9y*@VMotty93qwOHi0^>wyqpy%F-zVON%aK_Y zyjxCA2arM+^EnfnR65sm*bkjnuGu{(u(HT)6`UyWGAu3Kh+(bWT&AO>4xWdp&FR>wT#* zU$y>7B3}^Os5_DNX)w)=N$16ctsxDN&wYa*-Zry8d?=Jv8MA8+M!)Dl-5F8eImP&9 z*>#TEW}?5^mcExb!JLj4vMs#LQMFd6ce)P)0j+2oq-U`40m55iJVvOd(bMl!K!`P42Q{nrtgQCA#z;O3%n@QJNln4WN}_S-#peE-8k{<1 zlK&l4IH*h>KFXM%6?*?`E$vJ^)ryP^FI{^Yc>QW_?eWT|5=y+zNV~fxKGo4 zHEbjjxS}9-^me9w>=4J|3VyIo9rSo5%fG*w%S1Yaj@D&wDGU^1&;$cuArb#O81Pp+ zU_yb9MeP9dsnG)<^6uKFiQJqVBG>g2mGYf7cBzh&IQBEOeHTYjBd}14Mj=@ig!LM{ zw@!Au1*kP?I3|HbYZ5|?fuN7UdhF6PHjfX_h+bWz2!L2YUC;taz{}ip2cXv2tJW6$ zBbfFkXXVmY>y?c3h1hEHe~^^2LgHZpF$A@n)M(Q}OEpuYUa_+YK@0cNK$7i&$MoGF z(%|aNeSM1Mg-g_?PzXVzMxZG>MEqn}+bzMJqR*LaBzz+9=-s%HQr!(3Ei|^W2Y7Kl zmiLEI1ub;u+aZj8B=mHg6?30XUZy9xyBrSYxkuztS-Byq;6y&?+FAH>Ds3k{J*u() zj_y5=JYy*jV82npPSx{O%2UIlpyoh>dF}hRUn4dqiqx#zanL`mRJyJeNIwxnz#)(< zJoFFp7KZM3F>z*QW{*x9O3Isb#~Y^L4X5yv1%b<1j7Ao0oJ2%K(}30d6ln37c~=iT zB8~~NEFDS9r)E}2jQ=j6WZGugFDF1`o?Brwvvpm!Pu2fM&}Es9M>M=$B@X^N3tUU) z3mq|+A0*rk5h=W5eOTNte;EWlJ-`ZDWcUZc>KX_G>BYs6-XCialU2P_@OO(J6be4X z7|iz5&D5knO1@3lG0I!WXCPw4qn=6Xl1)lu6^5|6MAiZ!r!S zf3F}8R`U(L%MN@MH+a>x06HRf(7HYjfCD@6wJuu4RwN9H+RyKo7v>wak5E!(9RaKy zocE0b_VT2B{&_g_yu&=)K-cDqZTf*!AAWw2 zfdQkOI`_TM83B-}qC8wyfKYb{Z&vr@Xq0^%x(|Tx$K#UX{--xB2j&>t?-j}FqkV5$ zsq%C4!&q^{C?lhrOEqusTc}nnd@42VPxAqEj`3v8Se$)C<+&7-)&2Z$+!%sl>c^>3 z+H3^g;Qc|B#^C}3^7K;_0-E%_>?u=hUgb*WWsw0u5M^~OKv?x-dM;dnm`c-H(mha` z&iM`i#k6|B^0!~GmEw}Rt?5RY_mEleYYTc2C+j7^A*t&5P&_)R9|71+1h|<+;~G5g zbVUV9cnSB4HCO)-RmY(cBPm*|i6#4AD zEx*if&u)Zurn5x`h*cOD^7@SDB|P6V0(aeH=RI#%mm6(jB21szYkV2@Pgh z7Qk#E;ijok6>VpxCX2S&A3pX5W1+I3!F zc^GKujTnT8HUQzM=I{X981$$U^e7dxFXvsuSII8H*+A>noHAy*B2l}g9?~LK#8Pj{ z_cFGBynFIK&LjkVx<-D3P&ycKs|@b$+IspdNeukRZM}Rpcv@Qg_?6)NXT=5}m{E2z z83w*9b)u&VP;J1oNJx`^P}oof)$CI)7oJ7e)>EE%zU#n`geAgS|A+ScvLW4iY-|j! z=(v=#%gL7ro9cQ2!jajjGW6-5EJuv&l}MB4tX=ryp9}(!fEh(Gx~sYMJ!kRpA==}h z6IRI^;BeQ|x{g6}N!OsXyn$?tu$=^Q*w|p^HxjIt0V<#N&2Q(dnuA@->o!eKpv(od z#VwBLj~!?boUH1gUtFQ(jh(dXmjjrUzkJM#>X4(;O-NFwhYOGvU~y=nk1lBr86jhN z#hC9+*hGKj2fe++a-SgqMZU#9KlGpEqL|(@_JCK3m+7}&#FCkGdQ7HuDOPVTrzdrZ zeLVVkJ0$z=VcDm9?ahlO&%t>$2QTbGVm=r=ozZj#{HY8b%jr4@B3xG0ShHEZ+ck2< z#piMr;J2iztqA|DQw|OxB$}ez9!NYGd%3WSZl1Y`kDInSfTwyv0t>3) z`z}Cn+Z=<$H%5Uw?e72J7Xw0uHIjO5m*vzmkL%~OIhvuEzE-n5Rqxg42t`hiwt$`k z0Y83-ILgUs+J~ypKy15-e56rD%`jpO460rXLa1fsl&Uv3qRxUHuG&NWgM9!(eOkj= z{N|%{#4HM$DfP~X!p{fD&siWc!8H0rcb47oshrwjzo2UglRPosL{5+1RIU10fb?Ubs`THyg0%oy3s zlG>DB(?nJzt>ZXhKeCFL_M`Vr34X}dWG(=jtX@MMir)lP+ce)un-x6(NZL-zkJUZE zwe#tKNNyS@fgQ?^7UIaoKLx6l0gN2JW?U(nT~9;s-{QCYZ-n?5+OPAf?SF9+Pi4|y z908v#NQ%y`M{*iibVF71oRYRgM#K}hk%XK9AU}cPzKY>CW?AL~tR=7TF-O_>C&6|g zSPK2_*!1Gc$J&{X>&}nR`~UG* zqhWQY2zXMoWrqVLRK)7up@2iM=T%FsGq>Nws^25w_Ga&lfIen;awYJ?2t3l8%s|pFRozJZq_1q^3GUTZ=*PJt%wv! zh3CTWAaP|V=!Ufc|8Uxij<+WzdEgw2|Bt<|jEib(-$q0f5kZiUHUK3>Qd+T*P&$W@ z0qO2x;_8p0jSPGMC)b#1Zg8R!_KXQ={(KgKPXv7~Ulmsr#xY8A>KP+Q{MnhfqD0{qkkz zw!>Y6Kn?a?xOj=c+#5^+LR zCuQ1#Ra8|~2YU624XmWwo~vrlV8(Ibql|_;3bOuN%v{G@e}cIjC0nNHOBn|mScb{=AW`_ki-4sMhXO?qg%I9gR+?p8gQDlwBQCr!)9U5l3{6RtL40_TR zFnLjA!9i|mfX#+KdTIzqLTAc=Z!iziIB90pGxbr1+o%Woq3idVu)9rG2yMsE#fnKYWNGd zPXWRP2oXkncd0uh_u(MxddU|3GAKzUyaaGTwY%Xe<=55diX&KDT9Qc_1~4_asMdRz zW@;+qqZeA!7X9q#>3gRf0W5s;B!_(^L^$E7iavBUOf0bUD7hN>?~9r9;+Q^kaEjdX zS&-;TNe&SIy@3+OU0+kj7Vnn#HY2^kfU+N)Tu+mssaAzOMEUqquzAzip|jzK95@7x z%V#X|9xrax;MA$f#62WVJgSZzE}8g^IPXZ?+L$2blUZ8??;zeF&_VeSENDiAI(-st z{%PuPW3v2?#_KrTG03L+Fjhn$2534B+I755^opPRm84Ilz(7`!2LBx5x|v;?@Mde* zafu30sp_07<%a;idr#>iN-j$5UBq0zIyT+JJH5smZ6otwt#SdNY?`UU7jyp8O-wnr z$ItOW->B7hcK;@(eF;imwOUJD2mC0KM#y&-ZUsh5VAKcrv?&|_gMM-}Zkpn}zAs_- z9`J#?&3bDtXTyP-Db#&7|4KEeU<^(Sj*#L_N37{cGFAg+6X>)mpf2>_g03jxr6#Ev zAl<&9|6J+1lhN?%yfislzsowA1uE$d>JPP<#bdPYAo%(S_k+?wyto)tn46Q=bz`K| zmN=Sx7+?;|w~YDB;lvK|b|!i(9p)e|YbU54XqsaV_PE3hPT&NK`;9ZZsJFrcr42_# zf32wy4Be8#vx?54ee=7f;^sjkMdnF=vQ^%FJ;VxNKh`R7LZ zhqklRrzjU0kky{|q5nLu=ELOf^bW0I+H~eF{h9r(rDBC_OW2ZTraM){dk0^ymBQgz@zJZ?bTCc??W18y7Ogt6fE!xx-{T~uLCD0O;a z%@RpMx+dnKTFw$)S1aoTgHw07Iju+Z>bxlhS&F79sP(O^^!DZ?v60zvHZ527kR@k4 zUrm!1M6q{I507IU-pZW1nUz#O(VnGU9)_efH&8IsyK=fL(4(s1V^+AfgSv!O(ds}6 zgLZbw)XS;aye%Mru?!hVS)6jQNHYV>(RZ{R#(h$>X=19;9Z!v3jh=5@Vtc^A%Llx2 z1U|lXh!f)q3k!XV`aje=bAI9|tM~6DevA{UgX_FcGtgFnC=u)cHZ=Jq%yK#g_>T_U z=y$aksgWRDa-N%&u)mRKR|G5Q>a}nv<_~H6S0+B%l0u5&(aGGF1X_Fc&0V$WrJ2_SCLt zaa2?a)>gwh$AVkNyzSFI5F=)qg6Qrt*eku&$s&h4sm3I3n1OQ{_lWV>HKu?+J6NiF(U+F4joYxs%<57Kuv-iXcuS%L#GVm1u4{H~6iQJOjJHn71)f?~bfPxD+P7{l5oclVV_(~*roN)vS0v=;I%1>6Wv%16waebnD~ef^N_ZWo zMDb)%ZwCy6=> z1aG}tlhFfE8%!*V{cCJ3g8WwM6IfN7)Ec4aq$p3ufTuoR zHB?s56QHSqLuh0W+0gW?GWL4aWJBTey}@O}i+2OtptgP< z_`LH%(1U;*MCB`Grt?FErkGv`(9NXX%+`P#M;|_xBn)oEdsX}Fz?06RD6_%$SphjPJcb<;u>`!grI`BoS|h{Pq6l0@5R^7zQ9ATFbSQJ`lnM|t zeCwtU9b_Je!S(R0=(AJtCTh{BuoyOkBgmI}%LBQkCfk+r@e;l+2BC4{u7XABNifjD zGWi=Z_vPr((xeT1{`zW}#lqc2iPC$i3e{m8DaghFHGsecK`{cHnbXKT zur}S~qjlB9TGza48sF?Jl+hj3N+~XGF7|OevV58>oZtld3(UL8K!mx!$>XknSKlb* z@%=8-HD0f+THR?a*C0l5o9Ol`Y9mf=N2ycmn88l>e&fcuS_2#TOIIrH0GMs?6=oCQ zjk_#mPUf|8w`z`oa;k67GC=oxoqGCrkEh0fq!I1tY3xdY0&}Shcv|aTO{wr>AM*I#J^>XgZb+0bat} zW8Fpun+_2224G~StZ*OAUA`O)3%+j=yCyCXd5LhpaUG7`f&1EW&(Cr4-lJ44vtJ5p z{}ihUk1?sp!b$kGp{hFS4SYfZzjRg3bHG!>{g=!_e~+!cXJ4FaI4N@q6A=07?Ds1? zil}M$pbtv`B-~&d0su;r9*>?Bm&)^Zth|mSXIEofc7ePR%TNxAM0>XN0W@MRpn}3O zM3s~WP%7JLSI~z-z7?j@59H+f^9|>~)cCRU8Fg?r2M+^1>a9+uW`O+i<&G&dPHh4t z<^3Q9rA~UINH}p^C64Ia_=rQwgLQz4wH6ht7=&|c*WNhJa25xF4qoky*vbpyIekvL zulMEC>%HxgHJ}L!Jwm+*#SvV3n@{H_0mSX(L8YZCyuyeA z^>pI3gU~k-UPU?eX0u{ICzg6FlJdXrUwMKB;&LisLIXD#6>JP`Li z!#_$kf0+=qdRz?WE$KP)`&5{-J03y2WYn~n1+Xv;M$ng$yF(8(fwzH0RN@5SXfU6uV0c7o5 z1-GuT7_kQ7V{S*N=nUez!}7oZpxioxSvYNY>J`w1p941(>+V;Z0Vza&nU>#J;q918 zD3G;;csFrY{-|sH#hHubO_ZuF$H-A2i8hQrSoAuVEaOo0xK2gWoYG}yC6>v29~=>j z>B1q7w&I2WmMcdsKoz78kmnFJ_^AS1^_Ie%{coVOF%C*=SQ=gYJ$O)sNVRGF5h^)F zJfBDHj%-bO)!2G38)pBz3=38XhE%kGm0Tc!j!69I(_5jVUgRU?iT-why zeIM)4f^glOKO;D7mhUERQI9u}(gLc+I-iXIhiGObZ(16!hEJ`^aFQ1Jc7gd5Z4YnS-5#KQQf`Z{%D6Ys3gr4M*>yNOTJ@OP=5#1$OS=`+!TE24u zh>T1b_Ry0!UNyxJdc&SN0TpT8+`4Lfw^3+)i$(7urp5*+F52W_CIP>k3S%K)9>eX) z*B<>IC3J5P=-(;9)sZp^`!$GdN(_E@2bBUdwCk`t$o-A*K2GM2wybi#e`oyGd#nmA zEp06mX4S{6%W4wi1TO~i2$i50jwAc-e|mjUT2bBDs6C1j2b=48c|Y(`XG9NMe>_J0 zMKB+fs=>Q~0Iq}^w<=G$;nbB|uT1FqvV>G$Hlabyg%+pxjjROk(Cp&8g>A@yYz@@h zV~tJIADr5!2gqB07x&$IKs@m+(wYHag7`RtokG^oysI9bqhjE_kFUnkseQlKowS zD@c)IO;=14XyQ}pJFy%cdEZ}QKE}B++PQLX1*BzA<)CYCGvoMiFF&=3ooX!12}m_{ z&xt73jTl88%xJFaO5v(xd6BLLDHAkgv`5+bb}S}ACG0egDd1$=n{C3HTDUkgm4YM0 zKIf&qp94(8QOyHwh5_PT3v7>RA9M=fO68{xU@N6_H&0FYZ(Qc&rL&ytSQA`_8v=#! zL^-lZ^MyxiDS192F7(iYeh)o>u}-YX`w4eC#np1==3)UGiTGqzjw{#z<9l{qy$KB@I?wFZ!Yg*`Gy#@p4d_VSeGpkM& z`bWM7y;hB6d<5BfE$n(g`py)~jY9B;* z9{_A6a4n~MMYRFD($)L>`wE(xngbPG!)tu!5Hyk;GcBM@ppaFnJX|znlAZ$!1>C(6 zK8!BL_rsRF&Runvn4UZD4*gyA`wt$Xc7O|qSb?iYf4BF9EdosTmiM)9GN05lQ1Qp% z?nw}vIteSOg6u&{54DhhX3&iyua6(Rj^p%ySpvK!7_XXel|Jhj&BJp?{aZsLQiTb# z!#HrA5Kf>!BTwDL7Hyzw>n5PAFE|M~n4Tt zLSr54Won*hdr_24Hmdhi+%d~Qk40XE@>KtJVu`Yge7zHdyB$ILDyCz zehh%xpS&2$#YxHXZ#HGLeJ2jzbKf_M;dDQ8q{a_R8*${X51b%PT(8^pwbIT!7ST}n zncUMmyL2|{s`*fX6`)f>u4>CzoZ+yPVaz9SwJ5M;FBC`h;7%0LOWEfEM@d4Rg!gW*y0^1^! z1qCRC0{y&tbHzA-ddp6{o*TG6+*5IZ9@V8wO7y*=)>HMXz>l8?N$g*)#~Y7eaE`U_ zPyM3AwYcF2Ik*r5)R#R2eY{=Zt`XV8#ta@xDFq$(?)*pZh?38<-SEYd)1~UW5-eY6Wz4KMyG-;U&a%KWBB0tjd9(c8+^X%-o?Nk-9~>+^*}H12rg>xP+GZv=Q2Ng zW!i&@U>WZFZF6AsvOmH3zmACNgXRduuWxaJliLGeSZ~naCSsQJkx&mbhE3x9hE#l0 z!CeH`wK)Lj>V`etk97X$9};MB)uuY-tG|>|sQhY5tfy;1k{g&W?F5ZAUCA=xcXo#V zrhkzD2!`!b!l}03>C2y!_5;=b zlnbSL@NsCs38=2pIN5E*_!n{g>lCYXt@W?+^0;#H_xw%7HMTmq`pnq}t&tJ$K_x-XF=iQJSo$7f9H zG{jBnM8xAs6y-G89;zqhtFOz=R%1Dx5hE{uWh}-FAQop%8~-4(KQI1JqExY5Y7Vw0 zd1$gtHu5j*=Ubc#d*Ttr;=J}vj{VbY{w41JkW0W136(@A@GLA<+uVLNs$YjdFtjjZ zk1`gQEh_nEQp!XbqWUIjX{=AKeV;NY0WK2S>4hr>iMJd+JpTeINV&Ras;J}ny`l40 z!~0-zrAW|EJ%WkOoGmx;4WK&e;2>*WkYT zJ}|%gq`wwk{&twkT%g{W#uL>1YybSahrI_{Y2;i!{BIWl>o`)Q40C=M_;@^4h7tb)#h>TnU!eE{a(w;aU!eHYe0coJ#eR}4fZP24%f%A7)s+EbshOgn0otg` zTI^`#ciDlM87H$GN6xsjP9}bC#Fv1ZpE7g$8G!smLvvQ~mjWZAG<{wjV{qmkaZvNLF(o_<%OpKuV zxT_Q>zYad_rEdhm*A)8UrpE?%ZOYi`;bn=zmFSP9c<0%!ma3p@_LB#RDF^*pk z0+XL)#=1 z%Wn==*}=`!-@sZrr8xfSaO|{z`7rDZX`DNP&vo`5qL*H1V)4qwX}xzo+x{q)BUQIy zpK~p(!ChZ=W`1iQ`|k$I07*!h=IK89Jq-P`b+@C(jb%h zuzNqHzyErNE^DxGjxnZBS^nAJzCEz$=IZt&U{!BmdPatfrOu9 z^_ED|9le(4Z@9yyoz9#DB%Hz9!1{fSwKutm0Qyp&CG`s!EJS0ORZx$D2obi(@kk$eo#3zaNe`?EJ z9l-jF^NFElUk!4->|)Akiz3zIOILB`(#CnE>OsqVqWE1XZ86VaqQ^g-prK?b+47je z`~O!#;y))8(df17y#S31~eNi@}a{Bztjk82&|E4A6=SPtu#?2_6%-4#vv8cxa&nOeC z4$P{VNJaEuD5ouDoa?D&n%;JKrxz*rKxUFm@sVL4iKbEQ&tqD3!)#e}i|^&{+btE` zMCHsn^RNx2RR(9pQ#Uden&?M~I|y@T6pZir3Whcwt8!ZD)cag0EhCa7Vo!9~0T<}y z9?gFONhXQMAYZOFk2VWqbjBsFY##LA4?X=T^blHg{o2D4yL590Qi z{D2Papz*Z5@pS6g_CwbGsmGG8F4iF~6!;6*`C3O-?ZSb#tWqiEW4RmIvADkrrPO+FSteG<3=D&X-p2soD z51L&^8GbJ_X=o;(pCRk~Rk2|-+pR%OUfw)LK2aUo6vzPOMI#vFtQ`I5zzUhCXZhB6 zS@&UsC^W!1t>lU(swxg|BJZk<({#NlDJgE%k`_gHCdtF(|0ZeCQrvq_NJ?7R^Zua* zN9@TuTH4Ri-b#z|Bpap{5TnHwMN}Eb46jW<_tW2B>cM%w0&c4eygJq+_zX8E4(;xZ zsyVO-=sg+S4(y6h*DO1)?7))xNv7Lo`C)K)G_R6U_3=WNL@tI1bqm)#I*zDLNpUe$yUMq~PI(V`@w?J9yGZ(s5UripvTYa-dOD=}G>KL$+2axiA8}>|*KW0|U^-naPjmwBJe^ z#&8iq!*>!PA5Uu%z7T0@vMCN_#H_z_e6a0ECtQ*wd(-Jj*AjT4(x5G^68*SqU}*sH+P!#9xUef_U=fU?`~0rK>L%%v(oQZ_c_b8 z@Aj@5RjDNr+gC`H!-6VVL{!Ha$$`8f>f&>{}#dA0wXFSLceV4jY=TvW+ z?@-=6Y?G(xi4qVA@pA0ErT8v1GFx(JzG@`!TsBsmGn}Z)EUWF@&dot?ne1xYL5BbW z8~l(gI;#D+{sSXk#JK3s7DaW7S=?>)F`r2LSQ_i-Rp!u>NBPd2fq)%qV4o8cx!YtA zhBlkrp+s-yl_)+JM#5tGKAw%Ns2toh!HR27ZeyXZ7KQ~Bm!dkppk-P2+ix8=a!7f+ zz{6*N=uDSykB5ZEi7&;p&j}{=#2a;pv*x?HL9vyckP?m$9Qm>r!KxA6$|`?JGsDJ|h4jnBOY+u0bR)>@<~kKuLF zZYT}**h4Je=OJl{z7Wh-U>`&XF81e)2p<3P#|}`q0qG_Zu%2e>HD4G~iXT!+gR?8= zE3$raoXEIp+VIc{^&qllc;*^hz%hvJ1zduf5D87sO|_Sq6V}?!-c(X!jk`$5Xf!7H zsVG^Igyg)q^K1pr`wlUqeCq|fMc=ZaO}fZKgK&|pQb#`2kHjN&oQg&a98GhWe?MLJ z@N%KfdpXGIRGH-MmXUYd@q1^~{T{IP7dx_!>=ekwE|NxtXI0uyzmu$R9Lr^@MDN$L zr93a+PPOdT75M{b%s&JCO?2XR;U#>Tk{Z>X^8ytaH>8C*dL;6etG34m$Ow)4VNh4d zof!Demg5y7JUO8@Qd`Lb`T5VThpgek(|vazZ10Rr*RL)}hd&p-lhx*8@Wdj&c}Lw+ z;!$3;L!?e(R+9+}GC+X8EfN>zDHf}Dg@=>%R@xMbmmehdJTQG8u~w4VQjt1cchJe^ zHI(e?-NCVAn%-03G_qMys)s3Pj$C@Z$L@rQ>3ZrVkqAvq))bRVKF;rUU9`StRqd^G z`{Pz67vqM*vduwex4p?|-%d5L-FL(CCuQK~#bzo?FOQpg1upD6M|O_PD@Y>WbzL>O zGuw*wRv5M)R46`3OKe>{8cmX9xp4L~XpO4AHg_trmqZ}eAULOp!*741$AN?Q+7IvY zm_7EH+Pu$x8@yI=f`s=SiZv2%*qrv-Id{Ih&})ZKX$!3Ay|iTOv+eP2ldeyuf_u^p zXX&xe#+Wx;$58x9ine?oo3q<@x1iaE7`jHkNTzE+i~U^U5^YYCJ#FyjW=`234BQxn zzeKVpKUWqShF&a44H0S^nS`-zTz-jq;x166HA&j5QPHS$klnd37HKVaY9R`?G~0=8 zy(3->E5Upq9iK1!Y!Y(kwEQ88IDv|E1@C(}JA#kY1R4Rl${h;wsK;rxF4)9Go@tZ- zRB7W#4UeRf&GI!mI7gfNPN@P-8=a@sTp(QBZlULvlr=c0(`!2R(uQ12AANVI0X<@rfGHi&Ca&9 z++L6aSjS!5BKBG??&gK2A;KJfuu^pp?MszWb9pyfyFSc7U$!-#@)obJl&R{B#NI|Wxk2WEC-KIO zzMlAMHn)TKe899=XVIHO8wLJ-YkMxH=5`u-TR9_P(zQ*Fv9D>a5vIG_4L9o*)?r^6 zTc$ra@Q3dQrQZbGOPzA!5rY)0#OqOs1NPghi9{HNk zn=nN4LE@Ved)fp&##@R{Fl{Tr=j?hODy*hNa(P z1{7M!)kcI^?BQqrZkILqCo+V@MoU|pLiPoc9!I~wd05OR?Zy{UDYWtYWq(Db3<7H5 zR~_}>y?ay|$$0wxWX1!xmZZD=q7GAj9NTL4Z>1)Vl~|qr!}fMSU>H7RDZp8c9j8Zx zUUARK%DM`9wo6okrfngKO>%YQ=3b#R&uNarh-GBMR|c7z46BMea2Q&{A9Od&AV72Ui}JVO|7F8(6KKEXNcii6gqMnriIscGmHEbP3Hx zwNy2k3LWlMKY_&ZMZQ+0bCAyeIL3R~ZgvTK&tC`?vcq>S$kodiaUk4w(D}|6X0E-E z+jC}e1CHT!+v^tfRcw$NR3F9)Qw&ttzpWJD;O*H+qH`yQ24IZx>+UR_;}L%apH{yY#C zAOD~uoAmoK;d$J?@`}jsUi)>+4F-Ts?;4WFAmfO_+9h<}3DmJr&A70OtFn>_Z$t!N ztzeCnui>3!iW5WAv*>3uJeZg=YNM@FQImqNt{poVN6+RL^SSAEbqiAdOqNR@`}<$N!!o zqx$IU)LPdUsY1h!Lg`-GrfL^0SMlB!2}mW>?A zgTE1rw$qBHANFHJ3#CCxQS%E47Y7+18i@tWOZ!Nv+g}9L<4t?3ufdh zW~!3PdDYTEKl1piOu^0lJlhyManS1^*J+)g|zgpChO^4bY#Lf*c68@CM(LPtsdX!Mx<1rsfa*ZEdO*&``r#v;&ImrmOy zJG}X^cGQ*YA`dIE#hDVZ^9N&t!vb`#=(1G}k^wJT#W;_j*r?tu$>kp0Uf>y{mZ)0V zWJU8A@j+i%+*j9%j}L2m1o`9fi7&41IS+3~ICsptwuw0Ui9WV3gcGN3^6*W=1UAyN zBdkR`a#Oj%+93IY?5bS)51i!yn6y+zmsBwxV*4O#d69PFerYCX|6^iDg*W=|Q#q2iXAI?iY z`4qd7OI=54{owofJZ`gfIo(j`Z0&pbGBIN$t{Vdn8Y=F_iU-MkqE-q+R4$}`l|F5fta zH)1$paF+swp#mh#YA5;KQA1@a{^Ew%`7Zwj&IKWclJ0 zwCzI$)aV`d2b(icUx9^!wu4fm#+a;3e65OgS>ByOG5g}|N=KH--^w=J`izHloTN@t zL*_+01Pd%(1`s+q6ZDX1^A`n-!HvUX47QN5WyK_?KFv$;es&_|4&UvCA#5H|F(#ZJ zyCxX2MY40fgHUZ}eCwX7{$gE zJThb$ESlL-%%f5#&Z?WsmEof1x$3U>E;L1bnZH;p(-SL%o}INXYRQTozg!rIj<#P}E)3T?A9vUxDjfWOZF^Vu8*R_h>O|`uAT%3!Ssg;UC3s7gY6% zUFTc=KrARPa`^F>>dGFn(NbA_PV^b!Puu!m1G1?Vq1LT1U>PuiqV{s6u5^4DrxP!# z-;=KG8nUjqGAG5X@aaSM^=`-6Ng?4ZCyLgQ5Wyo;$x~Ee4X}}Wq8jfOIjYRrucJK| zU8@{Jd)?X~sV>5EV(Sy~`YNJDN2Z@5Mwil+kW`_~^|o1IL`InCWlW>!+w-Gib4W9{ z8-d~&(<>Sn@3Hpoxpq=FNobew`~4@8>s65L)GY0*STkFc4hNU~C`&+bRS&h*4#`;d zdF7RO_ns-1pN`bT~k=z4KINU-%s8!U{q5!Apwrtv$JQ5#}lE<{4b@K)C;>Tu+;2OYG8; z#78C9Ocz9E)v6^bQ1FDi8+F z`$5%>y6U2+wU6T?U!t=zZ;2w`Ic^bQw^95H@sd0g5L;#JtT79ePEPg-hlaIp+wO?L zBXGwj*l44~xih%CEj_NfT#up5L)D-_%mUVt1NX~#4T zAp{AuTrjRPUE&aAK6?HlmMdg@8wDF8bbVAgiw>5Y+x%E|suZ;f8-I1^=+=VhbU{R< z41a~~f}XlTE#b^N!K+8Ns3OeRufR(Mz)s`+oz3tsotb+c zF0Bl&#~7Rfe;kB!^^`~7&hbU64);)wavsGv4Hj_p;~if38(z5i15{>P1zb#4>4^uO zRR^}+qfwH(+y%`Ow>!(f5$fIIHc0Tz{k|rGg)22|!=E?Gcufh&Xw(u^{7hbKk;$u& zx~WB>cuoBZp~FxWmFU3q*62d^*@9t+dx2&7b`r9b1O~D#zh&b~3G?mSlfiy&=DBHj z#nrpikm}mob9+N((yfY)dqaNmu=If%>x$v$J=i`(pEq}Tw8Q?8fxwq`Efz2P+&SuW zct(-*&d4>Z-5m-z{j~$rrh>#7jON0gDT|s3T#{y7#ic`_DiFkmB~!W&iR^HZ~Q`apd!f=;5%-xouYO54y?kEoZAk!|S z)<&6$R(W#Y^3ulkqX%tFXTqWiwXayLqGb>(hn;2Vjeysfl~FFJ5ep~;)ZYRh8NYPJ)?*wBPdl^rU% zp$cfrW5kf2>ic#{nj(&pbEff59m-WjA8F0{hSbihLk66m-C&KgoxyXRGPNjMf?i)u z@7xs`erAkhW4fyR(rACX!NhoY^HuhBIA#!c-ASr=)bMEEZg4i2il;zZbgo!`mi5zU zt3^qfl}(rNQuD4t*hXE|wiDfuj!PG!a5E+yX6`8%ap`9Fx{RCl&_nylG0hzhWF_QI zd^qIb3}je}#Ny*E+c*SiLAgBIX@wW~UL`GxH_e29C>)Sa8nQYv zOml(;m5_SZ(c5XUqp0SkeDP?G{vu6GnBtGf6?r~q*7BnvV!5isc``zj2A*x&PH@Fbq4uuA9Or0+|;45}I)I z2a=F_i!V!({&M5D{c99A3**ybBIegNnUpv7Q}mdet14~Zt&@N+^`#J40UpUyq2I6JWU$?;8`g?m*U!EZcb zWx5@e#ByVM?OK-O<4o1&&O2lmbLhUq2e2I0)WUHNv^!6)e*4`4e$nE}$8q<>&cF_a z&P^iEBC)>W-?EWro^?mfkNI_k8o<%xfE8~|1coz(R1ChqGd!eo(CP~lmtTiw`l~-G zaa7BDZ>g(q-`Vrro$w{w-u_*UhpPgCTuP59?q=7Q53Fu=H@UMkaEu9m`8YXS$%{5a zx1Hl1rZC?e3i1uHbjJ#R5{#MHVy+8l$n?^QRnF`RxB}& zg?&-HCiZ>tUJ2scGYx4b3|+`pY}tdS>?8I0*0e%?W2o4_Gn8R5Kv8&Of__7|`POga zXKe7p?L_-_`nAh<{64NU%Zs^3UpOIVrg8e#kJNRqNUEqhQoe|1`s*=@{!+}vP~YsE zCj2?&8-w#7bcW9?K)euyR>z4askp1Ugx-yvpX#T^d>Mx1%)5OhdHWmB1y`@fv~#iV zFi<^}Tr~9?yn4%UB%-N)uw=()sZE5Gba2@39XQnO)aQ@HjwE?IyWEro)$uZwnajWJ zL_S+NJ6>;AQi+~$fS`3rbo^aAvNVs~^kks2jn`CLG)2U6u?>}NSGr9(cZN9CR*1t~ z-3eR0F_sqwcjRT5-$V)BB_)^qBjkR5kYEpkDKG6)Lii@10lkF?o3hxaXyY;G+*vSE zvKX5xa(mY6dwB5om6G=4Gu2kK9#syov=RNnh9!3VsU$KjsM%+G2rpD;tbbtki> zzbja8*7^KSz96yzQ|U<#0|#k#5mhMJUH#Z!asB;$&1wY;v<&?9$W!~z`y))Sd~Pi_ zkL*lG>5spu?zo?WSsbmQw8WSd|NgJX3<~9p30X>#N5*e}rhIcd~;Z=w9MVpy@#s+pr`&&hoKqm22oj z^oQz~h1t^_Bxe+fO0lz4VOy3jm+UiKJDPc}Tbnud1X6U~UBBgJ<0B?ExDzyOM}fz< z&ffLMv53r!9{qHxT6!mw1R}DJGmasu>ut&R{Zph8KksXDEva@OS60fN>eq!}N)v9zbCg#^L*l^u-2kWQk=K$9lh*^%%|dE~lN} z3fGUVZA%ueN!>0VNxWcvT3YC*1QX0&LwAt0ehnO!=kHllNmh`RqxreMIrIXpoM9xb~-9uV?t;|-^-BkloEgYKtGueC(Ufh-1;iLk87XgPjI z_ar91%BJ?|@b{5)>P)n&dIF)~ve?MG5RL{{=> z$IbO~hXku?v$n(c_2RD-TY{HECH7^m=hv|-S| zla) zpZfdlfT#Iqf%7f9x1R9h7S7`l)n&C++Sj5IeMY_8?LoI7#bUOW@eb$<@W4IsezNFH za<>nvcmoc_N5Bf5AAfypqjS4(i~l)m=Zdq-lo5a*Y;kPsNuqb~gw=S(U!V6L6>@Z` zdS{FMTGhhD>2}P5LpyrTS=)$|8 z!yqT*T{P#QiW+yuhU)Q^o`q2ABK87%B!g1%^dO>0{54m+I6)~>NuE*^Dh^U_&Jc{U49&WwauOh-m!4vY5b8A>$=j4A< zI;x|&>w6bqXv!Vdt#2V8QXSGiIv*}yyYr8`Y9BPJev9g z;H$^3Y(TTf4bvJ<7v4TvvorGfeRL*kMqMmyXxZ<#+eeS{d4@oD_Z@{u7#ubko}{HY zthjd|=%d~o;8}I_-UjkeHDCOpq)rXH+9M7_YM4~i%7IP%p4!HtqZUu7Wp$~%YbSAW zPQl!QZ@l0e+Na`|1PfZARhI?`GSbJkWCsto;K({X6!K8AS`I&15hn;suU) z&eUPxj2ebx6aBFOmC={w(p`QuxqW^bb- z7{{{nU9m{Sj@wu{F>XIb_S|tL=ljLh%4i|H)~pD?JHVaXc-sKV5_4d##z5_9-z*VGchVEW4rEY zTUHs!cRRKC<@=>~Gw#T8hN4`uPkdONl26Ku${M1isU54?i-;As%f*@Y!=B@!k(SAH zejGK||B$vW?OWo}|Nh^5h90$EbNeZXLdTHo%p8jelS-IKbV4=><<6KH^JkS(WM%2? z8FKo!?4~*TE-2}@ous21%8+4Ql6F$eK(VNjKodexg{0`EO<%c1fOA=+Wo3`jgOzn; zKILiss~yFk)B?eee;nNhKv-mPnnbuO;l4admx zLWa`@4vR6A(P$J3yFWltjT}DfomYvflwAbtOju(ytjYK_{40S5#TX^`#~Dd`#oq(izvX@>5G5rYz>yOa=+?ndeE zPU-H>cY6pu&vTyd`)|WOamoaq6#)&BQYh|JW?)@XrCUsKJAEQDEeT=m1N{&V-qq*rq zze12*6CNGg=B?K9-^cFQBA_hU5WPA@-Wdzrx5L{vnjd*?;ygjp^rZ5b!kaj9J^q9y z5wGw|LG}Z;?P1O)KKEAv4>}lSuLN>nz7h4T83%jU?ga7w+AnS9)2ZM9s({v%($itQ zEtdz2*@yNhBo<*qOPfc<&1TGl;i%I~s7{eps|Cg)Yg5f5ri~Y+Lq?kiN*_0;(}8mC zNTU04O0eA11+qZ$L?v1#wkROwMB9dK)pTu85-Dnxwh z#p6b~l>xI9Y<5J>HhcwoRcgN z>QJp!ue0|?;HJNlbJ^8%gWQYH-*l&IkswS@cxz8_@|E7-2VMuP2WWe*^ZtIld&TGh z4x_tPV#$uvtCL(EKedd*o~>Hy_{zjR>5TdHqlWd`C07*`lh-JRm&+GlDtXTWvf{ib zUChrOe*VHF(dCjpFQvxyeROnnu)P1Gk?_!MNdoAFMV8Lr9s85I%RLbmUenx)%d74&;_?Uh=$}~S8;_ckRsTSzB*^_KQ z&^WUkdb5@;8@_pO{B+B&W^?SQzzo8r6?n1X>2@Z`EBd+_wSHxCb z074|Tng;WlVb3fIUXU(s0)=}Sd@9S)fn`y+BOZ~B>u$FGk#uolv23!ULd_RS*vof5BX9j(SbnQ z!g=wiM%VV(>Z@6~hjY=Y`R0BqMrPDgt@|Ys%_TIcwo7d8P0P-~8kLG|dWxwVqlue> zLg9s}>pzbq`?WY}s>0&vkW-9LsA_tOvQw(&1hr`nFFRw)U%*ju%;$9SAAPp7@N82t zuUKkWxZ3YcNUur6?5=)k#;!xayjd+0NEF6MqC;Qu#y*ETvO0~3HzDFs+LNeY)^^L< zMR4hICHsf%pID!dVXUR2Lls{_OP{h z+#V`aMy<-TBbmsGt)21A@q&9$rMoT@BBdn2d=}{A;lhHNBz4ED#vgG647WC~Rqa{u zm;Hzv7jPR#hO{ZiHtnOrbn~{CmLz-tgwxncx9p5})cvy&_u*rhr+48eotzFaPux2rIZo`3 zMq4HL^145v^&40$t!68-_p+qT`ic?VpAO;~p^kHb%k}^uk1u@)otM*Vww?HdWL?%= zOk6Kvb(n{VA@xi7nUc-;!`jneai#BCy&M|QQDugylW@+)^?rBb$dP8S27q?&eW*Gk zslVvgc{lv0;%UX<8nPOrr23Tz`B~eVCgZ;&okrb!F0}8xksQvAf)eCW21T<{*W{%3 z{Rg~&Un0gKUT&7l(H-$EEE^bV^>@^t^G{bvzHWzsHJF05$%|&Zm#8Wv=iY3zhd55f zr}J#O&qs`kvgtyf{He!v2|;nzTr}y|wFv2J*wVZw>L$;Ipdyk?euI4a8kZAn_tzDG zUKs3A<5;lgZZs>p0XfnLl!A^2k{VsFy(cJPp@tdqp8NM^WC>oRVLsz$r zAAai5m!lu=S83PWJ7q5uS&(eGm5JlMU?_~(1I$l-@ik$qf+N>z@t8zBVKH2_AOJ5!gy`okEZEmPGA;=8=w z208$&FLZa1Rl+7oAXJM%oPu#j8)+mBW09NY-8!!v%1`_U4DNl`+kx3I8P=3@On7E_ zoM1Tx@6WVf+}N+nu({Z&O17avyl3AX>mHM9{_Vp#cY13;w;ujlzy<&R*{B?`-&G5ebgB>!|f+PFJ)I@gp?2ANB0vD~;YR?aGd_;fHGOIS&GfQB^ zh190>#0cZpbU^J`y=qcK63wYCzyg_JJFnx`KZXk3egR4bznIM}hy8HFSyDBQ6JEHJ z6*}FzNP5Mj_>s`}(F&~A>7Eybpte#LV`}3oN#Ib7VvQ_$sL=$xO0g`eDnnrnnh*eatZZ>3XMR#piOrs$>Www zV>x!_*EU5GR(WnQSlLcr=exQ2H+PV6;(6DL8{9)46PXuJIMFXQaoP2xWjcBYt?O~c zqCg{o%uUCCgl}7WF~xPY`L1wykY2_jxO|CPgaLlMZAe5?2e(@GqwQ0T_|iqaBVnOw zQR4HAqF7R^GUuT3(#pW;VQM+eylr;s26vNv?Je$RtIbONDM9|d**_Qy?C@au!yvT8 z+q@L>va@R~u`csoj!jK}fro+ZFB;-%8tB~eU2=X%pSM5Ogr7aXq5jj-PFNN_o1tU6 zCz3;j0PI_$ZUcA0?dBN9q_vSu`<1|^|-gxb_ygjM6N>|^l=3zlEfrlw> z(~`0RvrE6r^9%U51`5BqIAM~DBZF}WO=%D4#WbP2{`gq4O|{JBJLB!450;_Tqki2N zSpqa`aT9{AAqJYaS&oz!zN7SBMv3lOY3J(n=Xkj9Jm|2D6+Q1*JVtg;up@D`k47ea z2_i(`X+Z^6U_4F}@+ z*Q8|~!P5ge>CyI|ZGYkg0_F^ZFhc)pk~=H>!@&So`T<~|<)6qIUi`E@3O@gHK3dee z(`rNsfs7V64$U0lZ4h&YYtI=Kgp7_=bK1SHcI_lt5`06v*Fi7YaV8&nq%V|I>-8uG z&8i&3JxzXfG0*1GvbDG}H~UIg&-p5$>W->F1ADj6oGmtF zD&ycC6<0f4V|vl-h}vM z;JkA_OCS?sD=k(v5>WQjdcIvdeJamva|ha6^C?2twBA3C#6y?6Ozas-5OPLXIC07 z=5vggb~CO7HQK%O64th#<_3Qa+%BNb>37K3VyHVo2kUBrWG-N&M;;>Qm>f1k2*@yrgToGo3u+G>6IP7C*A z`PpvF1NsWPOtI3x%@M1;hM%n}>5?;bV7%iP~SnZlWmFFiMd&uNi zb?velMBsSVaj8TO+liEY>~2LJn4~aq&ck8YWL|YJa1v{U+L{WdE3gj!OHP7uj*vZ$ z%BvHGwx^C^IV;npj)_npSP0l!^6p0`?4jD_BwUPrm+lbt82u9nZmwp^>Y9L359#?4 z^`0p=HDbUQaNWS=g&9yoYd<+|sFw|xEqi!dqL`5P=+a+anr^i(1jq5)PKa$2QNMG} zkY{C)PV0WgCY#iB?rT-eFr{?j{9aJqp)-fK>WFA+M_;`4m5H1iL}XFRQu*Djp7+s7 zVJ1F$13dNTUN{NmSlPN9Vy92g`yDmr4z(vDoeODOYKP9#8zk->mmg}*T(mzalW?QM z5Fcyi#)WQMq6+-gbGqJ)&jTq`?5b`>h}Ql4a9}l@>VwtP=W}FHg@n( zZ#V>b1zmgZM}($hS|_pIXNzS&&N+F}FE~U~-oY_uI9C@yl*d>+>A$mh&Qx{T4hm-F z93~F3+fUJ{m`|~mni%#IIers!aL!Y|jccT?zYEsxV#Cy1E5F_5KZc|KzAm3YxvK4* zr(goMzd`UEm6f%2%UKHd$;W00TpWPW|Jgy)%OsCaj~vQ*(>O>b6qZbvP`*@g##+Wd zN#bZ9Ikt^>2hzlpNTdpMn;1ORu_N8`8TyAA|BK;+fja#&F+;`<}qb^3Z(TyH_{Pq5Bgnts=4J`!J z0*vuaEkegXby*!EZ6WL()o~LE>cl`}7MjkPLpBFuO*5(>3@q9M!UMWV(k*3_St_R| zlQ*j)eGf9*<_sZ;!bJMm9U?ZbsWPt^nh<9!pxHFdB)`nV68;NO*t?D`Oj#w`_0(Sd zg(shl?k36V(B?&Z|3YY~r1z}*x|J$7!Y%tH20UxMj?M}_3hv(_{np?Dq<;5b!*R+R z1Kwn5=94jhfIHnCic=EAbe=!bbCQ?2_2#dXaz}yH@IPiZ-zO{&Vr=rXzoS%%3ZYu~ z%`cLEW`#>5&qFDcWluhA@8I_+VF<2$!e4gQJvnUVIx}iHAdtw4X+Zu*Yt}%_42<;) z1pIjgu5Hi4 z)n>xC=Hm=44m?>B6W#24Pz01qExJAV-6aP-(|4<)|4eFm>3G59O~1ndp|z;P7V9tT ztOmR$p~@;el+Uxev(X!YW1tx$f7dju$d#Nys~~3{gFA4Z)zm|%wkW!9$anK$u>`Lr zctfthnwP#Y2~~y6tZ*4mk{H4x{IzzZ1|b)c=zD%BxB3H(jZ@Zb!{a<#{%n)lr1(6Z=lm5H z2DAf>nd}%IIcJoEn@zc%{`QBV>p-xL;~$O*|3eV`mC-(1!)2#&D)o%TA%PKGATs$f-Z1!0+(zQG;FDvjLU z3l`KT=A|Q?*4y|d^N)4>eYK4Wi+Qdz78(>45$9R7`w+T=)zd!y*0I`% a)^7x0 zo9+G02m6m*`jMdzapeO0+W4vJRa$p%Zv?OL z_#UB@=IeD5Uun^Ug8agSRVVGH?jL%v40d|k=kj_84$!;{vavN`Z~CFdEccy_f>!~% zmbrj5JiN`tcZ&QcI3y){S*XS{NaSn{cSwTdpC@H9s%~3rB=cZX*WYw7z@#7QQcEi* z)usE!GJNwRsX+yDVBXmk_`)G``mUdih5ENPM`{j_2$Q~%syF+$yzao8el8f2H>iBY zPv;7+>g1hr7!u}mF_n?Y6R$*0@ z8y^%h{N!{H%s|aY@a=Web7$J4fox5G1=fI?`JI!aZs zWc|wa9DVr`s``OAa%%^5#z+7pWfX7vYv}bajX_f$EEA|i6q~4p284pT-MW1~9Mr9G z7u`M!z(GJ9#!2{Xv`e1)XIyI?OXVY-=!zFZ*Qo$pf%J?sa-QBqE3MCbwgVT+g2qfz z($W7~%}_=J#_3@dH~j57nB`%OQtnyZV($MTb5dp;ICFI8LhkN~d@kH2ux=R0hA$X( z4dIvL&R0+y^Yvx|6iG)0;~Cntc>1ilh@nzg%s-Ab7am->>(4eCNZ)Mub1>X_9}5K& zgZ~XT`fslzy$4U|T&kwTd{3n*gjKcf9j(kJVh#_3cVx>=u`5Oao6QqvPk-=kkKhLTfnxO{e|R_(x}*jBisyubq}u9TiQ?C2 z=`$Hzyr=`bmbJ2Bi;XG*Tq_1GmgsQwk3`uaq{p{l5)G_t2h2n9@dW-oqwu#IievQX zd}qQ<)rn2{g@*%8L8hf@WQ1ZzQeOzi-3kE#n+vN0g)0FtK1JVnHKruRfiT3)UO0dnaFPgaRBpsKOzBsbJLPb3?9!lJkt%rPr<0GzoSNU}Jd0-Q zzeBbK@&MVbtnGmFd(8KL8l@N51!!lTo;xsZ$v9M%%r&c^KA7#|*RYwg>#uW{@>Ssg zAz;hdc&z0M*-9s--`{AKxlx!{h?g>%H&aKOQE|iP8f^Nn zp4_`tS&JAf4TVbMm)qoY`~T~hNJ;@3i>u?qyyT~%z^NxM(5hpH$?bFi4F&zP-nufR zXFeF+ydu7fp&D}z=v>xgh{js8!aw)=4Qu|Ogcf-~(nc%qjYj|X9)aIU@%CDBx|$a| zjU2XLN@S2xGw1niv_V*X5lgu{`ynM~8WgBKJ(jos5gx_UQfk%r@ohuZ4KC6GtJowY zPU3V}ROlX@2W&RA4+RIzx#wkk(I081_yM3;u^gl0Zqt7P{_m?(#AT*9?E#z>0TC&r z8M|pXYMAvdZidOo;NCq{L06T&dvyqTGL^~i7inN;0%~Ga34iMfD5i@PEgo^nm&q4J z`t|F{Af`lk^tZiK+~MNl~VDqP>Of zzJ+9%(;S`8MSC!z1GsYPjKifmt7(@~(PY=Ril#!d zs_O6bJ3ezV)KXRseFm#=q9Pt0iJ1^uq`=I4XQ_2Q@W=PNe30<|eSu?ksS*kH(MXlTkCw>KPFyT-+MnoWL1=+y;+UQb3 zymsT*8hSIHrGAf>e4W!WK^GXu+WbkN%|CpdZ@HC%$$2+&slLEDD8eVQm@lJfn{|Q9 zR>9;&2mGB+B;^8@R6|_#pP?NFiiKtcXA@%_9RjED`T=4F?NyDt9>;y!u38AmT20+4aq?L15}I(`(&w zXm_4Nme_-Z+;bWuxXZ#9;VpmY^pJj8sC5PcKHIdsLwrIT=~vNvvR+ zQYV}3sE8bkJwy^z_+~a@_YX|Emxa-aSn`D(h(RcxSb=w85KSxs5UhSH>(g6>-$BQJ z-1wnJ-Fb4k#mIeIQaHM&y7IM3jETGp`X}@C-RZ}Q(Ztu^!XumEw&5YE6z@v4>mWFa zOFEg?788e_9BZ4ur;s!v^pv8r{gUW}-x_Tz#38&cOfpHmUpePRBO67!t)Rg_I+&80 zDkSMTyaQ$)go={$&*X<{c2mLdk)rb6dM$JZn-qqx<}!}x&L;k4`=>~R=HHk&rD+Zz z#7mJvSf)hu=1J9MOC+PGKJQ3QpHEz@EaO^b;)rbn)fF!S1aB4pk%QTnv#|MciA2js z6fkk$h%T=2x|m|pbKcXsg#Ix6*$d4tbB5MeNg2DbiC;T_-YQgWJt8~cgq z+9b6z7Lvp{JHFd|3F1tkx0(4C@rjpwcb`MHWV7FTa3BQ8>}tg2>c4@8tjbdrW)ejU4hE}HpF^_t0}mEsN{7R#+W6ph@%JXl zM8}0WHg@LUYoR+^mquKO7Mb+-nZ5X-m1e^{z6}Z+!qgNU>~bIWf6wG08;D|w75K+l z|NpE^63pFYqQ3T;lIx>A&!ZQ*ZlEIVOagqu!5*-C#qV5>{f}2jf;!UMl>K&_$iBo( z)deD5jG5LLh|sGqII1`9NYvWO+N89Byv(s@6vzDbL{^P>dPR*&BZ%%7nN6*=?(r5s zBR-tB@^4AjQ&%5jf3+?AG)}x5(w*h7M=izn(Oha??)0wSL8Jr{0k^F z&?ONxm<*mi3+42w)whV#>qmhqVlW>a&l{dhzhO&XRE)v3y++=o{h+XA1>rDfOL6#_ z?|Ax{>IkwaiHZHS-kp6EhI1 z>=S8XrQgq(pA`{4dp_gdIri>tvG6hNkZxG7`=UFtvGo)ikD*nz&rYoSy zQHR~eHeLBj$)+mPvN!`6&8X?8VTe}W6w^i+kS{nn8?B{}NwG8^bDSMX^wmgs9&`65?yMUcldM)#xrmvq-*UO*$ z1r&g@V*}=?LhJIWq?V=h_=-Q+nZ_=)v`jJouO9&tPY?s1d6sLEesp+kllkT6Z3$ z-EWI2eiWslZyHJP?HQv+f$H1TJF=9H1}NYco+4rX@ya{603;lLcs`@xD3BEnaszON ztkhj;VkK*Kl@~w0!lR$`m(do!-M8}~LDuEV-l@^c@I8@I_MpQ&J)VSCm~Kv*4)&l3 z7Je3*Ymh)H2_nQ+wfGWCy%?<(i?WY1AJt%3PQgY`6fK}89-gtuTi(DYg~r9%{LZ7$ zU%zD#VPcNVgdj{?6EYQN&s8uD@;u^0SY=-8?o?o&NHa2U){^UCGU)p2i%P@qSRu zYTf;!sxpmshp@r$@oS2S|&U-5Coib;oAY$>7F$vO9u+d&ShuYH_qP@j(SS@vq3Oi(}7OwnyD1A7AEyAW~u z&ngpG8u^Swk7D@lE>LwpJ&&`C1Cb|i=uk2S1@y0QGv0tJh8cRx46#K7uX^<0d!j%N z2--Lk;ow^nf1VSSSwxQy%1K<2*r24!5h8UevasoX=b>Y^KX0wDa1_1qI|!$+J?R_F zP8~lV_-g+Ji>P@*yjb1N-cKgTE zzMki^_YIQN1w-Ne4Lhuh6{8+?dBwBZeMCuh82yL@UmCT&8sYx>B=KXtyk?RUU&lAWlJtG+ zVDC}0A9uw7RPi^DPOtLT`L8wp!PuV{;Bp>CNqoZ!Y1wfttB{yHroB{y@r)F$(cQ4J((NB6JHj(2`G9+TT(zkB~V}*$dDelE;cAE3TMdI zEKop;wT}0AZFnlxVBCYzb9}v3h)Gy~>BpRs2WGjndDPh0C<_}m?Yb|Uf_;W~(+3zU za!y3|Te=!b2{4B;7*Fc|Q^3Cut+WNdk-p?)dFGN{>(!?SBXgD2^57r&%1eXSctY!+ zw9R9b=4RMZ&ColWY6u6G_}YCewiEgA2sAEfkabV6vff{y#x=1;JXIp1+rgmKP83JV zo|1+Z;~_0lMaZjn9C733LsLY(HYrK~-b~=jry`fNIMDYj3`9u9EDtwF9RHAEDnIn0q!0GpZeT$n6o7Se=LFmh$NXCrNDqX`6C$Ot zn=$5-UDF=WionlERhNAKCjRW=m%D1pxU7Jb~Ga*z~m-DLfDzjSgq zaqtcT+y(?3wPFu z#`Z*Zl%jRq6qniG8DbMYjAGtuicjD($Q-j6U5Z|!sjJQr0<1KNKflFRaYrf!w*cG z!~Zi}_E{WGZ6_!}ssiZn{#Ts{4ZxN|$CMPSFL;CJ`doEn1kp((wuXnn=+KqZF|hN5 z3;8DIKJCF%Bh8_2-BxPSOvvuxP1TJ4$guR(dLa*KPoTCv)TlI;d0Sid5plmw%7GIX z2Zrdzki*{QxtapYu)tetH94(S;jDYziKbnz7F&cB7|XbTU}zgQlCS=uQk zVueh3fZJ_>axo0)l7nav$+LlZ#t&7QZXy~f1VGS68>vRW{#Ni^i~-28Y#2h(M`Xp+on~l{GrZ*CLp3BI z9n4Ih>}UglPRu`9kYc86Px?Ry6Q=9j^t-o~WiwVffP`$C_*7&#Q8kc8K6vSjq%Iij z*ih`weVF)dpUf|=6zD&UW@BKanP`nZ=}M_TB$CQ1yYGhS{KHQVq{+`dOojj zao9FSUn{B})a_|m7?FJjppWs;Nc?K!104+{uBlFC)-Du@XFX<}^wI{?YKDM(ww@@! zayPH*oqhC@?;=#;BY>GY4N^|HOIL^iAA#~_M{X(ZKX*(zgNew1#EW#EJjDrv0z6U0 zD`J;$xKq42gU#qV<;%;=$Zyb(x)!wB;-pVZG+DoB5~7}G09=ecXztgj*8SqDqUKO( zYUawNyoig=gb~tgl%Yq(qgETw71WMqdVS6hM1p^6Qn81IbwruL6%Ga}#vI!_=Tl%e zO6-cRXayQ|jrP5M(Vn)reo2wAZpuS^I%zhPx0XahWZhADRAC0LsOuO5&^_fAb(} zy|u~*moA_@^yLlq6cf{Z-Uxk=y{|~c!hfTg0>d7r7r=>r3JeZlrx&y ze2$FBeS~@YmBMSz1iN&UMT?2oB-%x%mi8G)AQdjwdd2Q|bq_vW4TH>88D{La=Gz=o zogX~R-@hS{n}QIJo59cC<57P2I6-CjNXgKHCc60b*o-)M`a>+KcTl8yc6KjK%cqDuS%G zoNTaJee+=)V4fCi5%K=D5G{AA3(d~Tx()f?=15!N1QYEi-OB&#%>a<0|5~hPm zVsrzkVdA*RMDJ40S86bf(*P~rUr!VJJ5s%*oQcj2S|HFD6>j;lLZkbJ20av(`aHoS zG7#^dK%SE1)#s9fbQO_0Gtl=&g5!~fvRxJaW*=VQNLx+GZVt-qCUdx>W0c(HkbA;9 z8>|+=0Fmih#tbCuSfEggk_jugEoAQ3ct+ak<}(E%rx+vz+<97VUHa3pq%8~Erv!(S zgY&J#dxhgw3KDhQK(%mAe z2f8sf;H=ZH2SDd1hwyd|=(3z)hZ$?utqGwI1Gqc=m#Kcr7sapV#Hl3A zuysp%v6-)mJ2{8#W|srojQ^ONFR%|8#emB{|M@?!=&15`$0k!JX9s+SPSPGQkJBR0 ze-KWK@vBy7*IG$<3J`&!S%;gP;jX0{NAsyKWwj?ZT6;^5Wy}~5w>YppHhvEgA4CAG zkkUfSL};K2b`Enc12ruj9qB$VVZU&owQzVWlT|baa8$3EbDDKrxbm;Lye1)lZFc%* zd)tHhtE~Tn;jgctuP~SUHXk-0&`Z;)&(?lT!*@+e633HbeXem9Wwcv)un|be5$=jg z+~4b0*S)p>8+?uU0aDyDHiuP7$y5Y*lbjCT)_1`SgmjG0s1lJyc7d!WQD>${p_}tP zD_lJav*n_in*t!8UN1el6_^*mhvx;o`~L`BO)u-_6)UK|)$7@EbY0hR;Kc{uyf_tH zT?%}mhMVM=n$ew8V=$Y<3I<1A&GiMnAX}9#>xGHNoG@%U>zB~Bz*lj(UxH%9-~22m zPfz^5;FEz?HJ1d?v3$-$d=7-$l(ST2F#Y_-FKPiMLQQe5<;C8&7^ibh5oZaTw?7AE z;_L(9it@llhp!5DqeadTZ zC{P4v{iagMzn#}A5u9!W`XJ4?P#+Tn3z`Rr6=w86N{vcgcPpF8Z7kv`aGxNHIp9-`kLvAze0J z2p$$IU;Ftkgh4lRk?61i?S>z`sqZDkBi!1YQcY)E-N!0-oWCY&V6WGUf78jyg)u#yeN>gs74GpyN~GS8`?% zc(}nVf=y3rq54s`uZ`b6v)=Z9Nk2yc>9L_|`Tr=j#W4{59pcPn%qUyKUn^*U{l^IH z_!Yhe-A-A3V33<6%3#@|kj2=87W@hf?rIj13M@$#YCpVC-(>qSUCX!C+RNctR&s@J zj&|Hkz;`03fPOsauf;w6&XPu2PF|OOJJ1kqBw^Uz%wT425XwM9oVz^kDR5ZKUptwo z_p`-}j!AdA@u@(b=MSAuDGhm#5-GG>6|{f>q5#k7l^Vu10=;#eoA9|pt6PJhio5;s z(yq#`!x;qkT9%=v%?0E|cwN+Zq5I6gG?hLqL^+@)Q?$dToMmp7hBbd+KTY;X)M5sVKSOpHq9xMr*ox3VDv zJrQe_$lFmVFb^US4?ku#5dNnVw7@|Ffrcc^9z*++vVkZ0k#)U+7P(xzM@z2kJGWD7 z7+8oR19sLaJU{CDD$aU27(J(FTN626&XW$%!x=A8sXv4fD`_Wi<`~Nol)A&tZ+gF#nm)tK&l49^bbHFNOUN$=&=pgKNBc zIKk>^D^cXcoA9|SF$WuI(GT?E%UkC!e)JuBA>V$o_A*M-vB**fd%$f>jw!4e%=^ag zYw+9*W&@)ULo0E4QyO!APZdH&S6)@}XpjzHp7+0$^*HyUiJ$y>#qkBOmaR*i2tk33 z){MQdxJoWk1%|M&XwvO(ZnjXhIW$i>bZFJ91fYi5by zW3@SF4*ti&v?IFexnGf1F1c@SMrWC8;E)ZLutd50!<4&@yC}j9{(8Ml`?$&-$;&>c?b>`d)a~wyJOdTC33Py^zcy| zw#TAO=*V_M2H&XS!yIO%ciw5W+0#uCop4&{vK8bpNx~e{pzr^50d*VTo+HVyY!#*j zIwfHd*SV%{=DHsl7t|UOREB-$@6UH&^mJk+52{KsSb0K~-f3?jQ%n(#DT)Rnp2^-G z$?o7O`1AoRyoL=tEl4LS-${oTKPljDYL}7}U=3iORNN`%UkU;5g5tzdzVg2DFfb|1 z$14%h1`g7FoE&&ZZw*oL;oVcTHeD52kZ#EvEQoW0e^e?;IlEGSl~~OS4Vuf@y1F{) zT3;=4ODu33x5nVL#!xG;1;@d>hk1|1ESmfd=Th!LSf93cr&ROfQLtfjuvty~}a zRSBxat>ax+NKKH@vd{0f1+smn9n<;M%UW4N#gU6?Aw(3R;;xm@^a6k&s^9wm99H@l z?2Dsdc7CHKm6c5GHXXs;r7B9;g{M8FJi_*o>R?%x@?hl3k1h+tsEcYg;m8dIq(heW zGV5MpSb$f}Oe%wkY-Go~=vy`!N43NO5}n^g$TGG6gp)t5bCi@Y)`OSuynA)hD%F6u zh128NZS)67$=6s}y7lbbKIBgt9O6s(Zuy_; zRUX`r=e|)h*cceg|F|f}jP{>dQbHwZZxMLQRLdI1P(_+geXV<7-a(^-qfhCcK=s9| zjs|t>V)8u2z^y_&R6iBcgzd({KIJMleZye5t)}^d&w{Wr0}&#a=oJF^GCTc6{3Zywrk$YE|orv_sIdXscS|y&$2W zTWbW%0M*h`SY*?GhGnoWDeSnS&fsPYch1~-_y^Cc7p0YXW*tlxd_Bgt)l+`_?qc#T zp)IuSX$vmjiW1qOfflmzHF2%#-p{VjU4VU&xX>LVKInVHSp9hVT%FbDT%gjpak_>f z!JR(k=#7>#@sxqV85x5=;PN?NP9^##^W|*+@`~83`@$`Ggf5kCL)~UOK^t6|NI2*BA^x_rVu1Q zX~aKc!Ga7>2rCk!UmN*E7q3qPfi2+8vYU+9VKkjGdVdn^^oSM+dDjK4Zz922#=V}$ zK!MY#s0-dRJjzBS>~K#yK`ruFo*I2)2EV@Qoz1I7BxGvV{Cw+9wk7}(`ZRm4^X{C_ zzt;Dd4az1RDH|wU?P!`kj=D@r4Z8R1-sLZnz!njv&=zb<9HX}LUt0|k$=J(cP8inv zj&-LXFCo{k$B%y}dGI&*7&Bq@pbnfh2x6HP&iEOED)QW+0zs)2HEWC5+@x~JW@*8a zF&ZKVU=Iuoi@fUC$KUq-s2w z`%qNXQRjv>Lln3~ou#%m5qvn}c_uixy4RlUs9ZI^Ins>%Mw}1J;AQXXVnlr{V97(` zCU=nN-*pTebcB(CiG9d9k(wxH7qbR`Nhg_uTOci}tcu;u+SA`saFg^Jze3 zw)>=~cYwKHxbtIUXz{6xr(r@RlkcXPqg2&~C)!nyayFvdd*R%&=N&2BR4hktqUTq- z!otc8ML&Itdm6#bf_lB6UAh_9sfWYX&tM1}#OjMvL{qK`seLXHf_`!~<)cZaeP8D` zU8qAs=RCfQvE1*6Wiav#XVijyoRiPR_jR-1&voG&LGm91hX(vUpw!UVbYnWqpS==- z*!qf^CP!U*wD=6(j#C?88=x!9olPkYhqsCc)8&k))kKZPZ#XD76e~3H%zZyFGLB`_ z)SG~g2|%ic?&p0BSW9Ubb24+Ed&TeWqPkVOeA4ed%f*PqC4lUH04^#}hsEG$12Q%}&?B2C*8f5ULj>YPftdd%_Pp zZWX}A1#A8`bOHZddYbHbdO#Y)2q$*%sCW3@Fa?H^X8OJ1AR z1MQ@mg;oRN9B*NS$}Y^?K?v*@bo=hBMUbVb7q%D;T{Y?!Y)mSe)~M##pl<` zYFlhZTXh#!$j6}zV@S9y%FfRw=Jf4uqY!upC?=jJ=(S2+>!PK?%UoS~=#?_Z^Lxc? z0eY*1EdK0zt_cYtvAD8SMv#yF`y4;GN+hyeMONXK%PA!k;f8s z9Jw**m{%|LISD2_ORzG3%#%3ghjXyHs*MrU!4AH#FAYFg+ zi2~JV0*3b{c6m{@XVO%L@aWXKair1p&OCFnVpE5!Uxr^!Adx;OlkyA1G@Y;MzD5;W?eLb{V-fl$yIL@8PnC5u9z$=0^UMxOPMd*jk`{Kh- zLr4jECV#oNKW5Z zMmw)X1%ANkv9zGR+Lzur~f;~Aw}V$NAAj z6AAB|OAjN*U=8M*V=(_%Ap*8BBr_2|sA8+HmOvnrU|0M+NnP(K#nY~m(xXQE`(=Rk zg$#OR{|`OKX9*kJ5!)#Y3zE?gbqm3o;*C+GvX3{Iw;sEvYy(SF_+H(K&f79et1-TB z{ALnM=g!*6{1-n5G9Cr9?SvsfKTQ;h2v(^sw#E2sM$4dae9Zd{MS;e{yeARePwLmINME@g@$1IaOS#H zU!wG;Y(+(yC>Ph?ve%hgC=z)`E+$C>WUIU;^N2LGsL4zr%znSvWf0l$Q^-{O^{6IV<6HI9V0 z!L|Cy+jjAJr;e7y@&3s-JT~LHVbrH%yxC@g`UY3lIt*~GHiPeTs&wBo6o+yl;>j&q zD(I!@?04xQm$*H5Sjts!xvM}VQ~>m_LhNez&p{kHa<~%lIH!~y){DeFlh1$rj?rQlq?GqO3B~E?&lBqyfs^XJo3JbQr;}7cy zURTHL=qLgot;JoG)#t?XmE{LtEj=fq@D%;917@NAEqJIL@_?%4mjr*Ur^*nRB`2iI zWR8_0ORFHy659@b-92?Q)may;m!FDa@9V+x_c7RgwveMgo=Ud^+ zPy~Ui)0>mcy$P;zZvdW8a@~tf>z{k{q30!5RI%dhB@V9~d#0w-<_?;fnr|cN-QZR8&-p8rzXXeh#eWU|@ zJ+obp(4U`lP(svf!)b;FOfi&bK&A`{`s?uf{OolLJk>0Rg4*DJF$I_cqPx&-zgfEz ze^bkv9bhNIsi>kmH9oRXrOekhAYN1Vh+bNDaaTVXx4Tnu(L-U;BUE(Gg)5GzW=RPZ zZfbuT`X0VBh1>il$-Qc#&I=~%s?VX$j(PM|FE0GxJ8jPMRA`i%Ji^^Uw+PQ)v&55& zU7|5ua&*?VtY(3HnSM8j*|ak1F#o4XxY*aNIrwIS-0L%v(%hI}M6fko^FnQN_~JW< zee(wb(~*;*34`R@RnJcv3}gn4gs0aOMSm*z)S^AG+Ha<`tTUR4l+Pb5w~6kttj_zF zEze)=uh7{W--ZWnq+zbLA9>i}EY<-vaz4KlO)%^^<=yu_dRVaS9gNTVWieWY=31W1 zxh9^|X;*1Vo<~bnbWTLF+?^iqpdS_aFH;#3OI}sWcwA(Leu*@4M3-Nr?DJXOaN;ko zfm%G*JVRofGt`?zaM62-@&1x$Fo$Z*E}hP{xaPQKlL8|=kK!gKMwZv+7s&`^^L>*h zjt%cH$*nutha7s(|KinpPT)0dl(_kOcaAS*9@50^G=r?D(L)fvf*s<%l5tdu*KQZ6 zolFQ*jH1|2l5p~?`I}A*hV6YR@aJj`v0c>fb|#MDBmY5A+kuF8fhcUSS!CE zQYiaCA_qPT!PBkgZN-ULPQ~~8iOA%BfVYS~rSUwub~T(}ewRMnKB<0}ObxCTbTiNO9o5@EzueKKFIsrtgNQ5#(ztgX@C?^kCjj_`tl5N`qz6RA){{C^ zxbLSjkPkc`sXYbZuRdC&Zx2(rbZhEBy_~67q@Lre%wvf_7{1vUyspc<%#iKeE8Q)| zZEMmv{0BzNqKlD*$VaGJTxwnl2m@DpPSRp!Kl|*3-^k#zTBH7)CI>-^LT8gU_${;e zO{D)r_1mC>C%mtkd5nO55A-PR;DBX6zSEV^yJm(nzl==kbxrU=g{bi60J+uNiHJru z69tL^L99}WfL7H!g~TBI`vFbYop3fOH_5nA{VIFHe?yp#BA#1CJc4y3cc0WfQn?zp z>kkbdq$nK=bc+ZL-L@=6ds{4G>t)@ps7}KdlxNlfpu(CktyupF{E%F!#n7NggKNauUfPYDEoM zx~E02X^uqvxZpG83A}fI3>w9T%xuASOWy)FR`7fwdG%5C&q$eQmT6EGF#!Cwr`tWA^=4xZ*ISGAC=+)b!X9c z%ULJh)WZ4A8s_hR&qV$iU1%bx$5l{?bAsaNGoQVp9;6xa8~SQZIE`&j+UDyo_IKUT+b} z@EPWiSOh7w2Jb|x?SAFKCObLx?u%usCB1u{FrdG{+$lFPRq^c($^+2h;aV%#nCfL` zbU)X@e$N+TJAnvc^5nEk%`GKc^QQ8~3LaAn$TmIt`ZI51#@mAH%3>Mueotwxt>V6M z|LGB=#?vVH?d&tkv1qZFRolWWnX{U=DkGhX%m<0yt&`N;qKn1yD7lV}U#CnV_c6FP_vqb*|n#N((;J*Zt>8+9>RQC%>THzHxF>&_qd2HTmSEb1o$G z9A{=KD-X|7P$bnfFS{nN{DXw+M1~^%mQd`Yd${4}1)Ir5U{6(VNxOxe7@jPL@nSra z_xfq5e`zcg&RxZxV>=X7bE1@W#CRtiq;(9kXzKZuXCdf}&XYGubbv|`%QG`IQ_}Di z@gWrk*o$mpt&MF{tOegAD)Mp!*lu)jH4ZXGUH$f9@x&0E#Xb;fPv>p`?{E`wt`eJk zI)3=+tcYIno9_j86(ce-{YQzuh+S?S{5@QOvut5TOrX)qRw!XObRp@;v|w(jPs@mB zElH@rHU0O8t}c*D2g;uPrOOP}O8e<-M?eB5|FP9C+Q;c>nU^9Y5u6`JFSpDJC5Ud( z1mekpWtv`)^?oF>iqB!QVV%<&oedgSnFjj+cS%mvWBIBxDWq1L!vwzI$-pG;Q9+Wr1 zC*TlP6RAQdr&q-aJiZw1cjO(QvdPmzF6H+|D=KY^b?!$Nfb<)R=$f20ldY1!`UA?{ z04&xvf9F?hjjp1uNHWgLZ$CMhI^S-o>dKnF3nC9`yMLw#s>%$OPlgW+hDQe$p@?0e zbu{9Q;4e$7jC|;Bh5V>C8(nA%gb#h0wATE|miUpT7=|OcHLb}zs!*4@xTmUl-&*WY z3rW`gVTlMGFts)RVg2R_Ykz}B;}z)~>Xp;T@@s6AxPD`T{$j^G9du=^ww@V7hyj+oqIU_zh_R2VAcB|Mh<$yl z50`5;!g_NGAwu;V51^3H`dSTAdD!H?CBtF8J?(VbuIrYxfcek%S+D3_!En}_&sr7* z%B6IFQLd@1G&bIhC?u1!k&p6-!5X!#$kvG!MSu1)n>>K@`3E3E{LkV7-;!6mFGO+X z$}Hn!X9iijwZY9cI*q^!|? z!Nj!v1!l#YCKbHa9j0GjaNhtd^&rOf#auOa@lZHQA=WlBD(sLn1^9d%|C6sL_51gu z`sEOqZCh){yKz56JprH;!ox5I-Q-A1$ab&TD#L)7)2@kikrQVBl z4B4>^c-X#>nY(_WpI-h}@TuWqIW`^tOF!trsQD|(oxX2xbuV}racKzUq#5sWSPo)@ zF&tghlw~%#(em+yXeeYbs!mlPzgDIOW*s~w;tj*_pH>(eIDxoOEaKKP3;E5||4yyQ zhqxzGJ1RuJ0!MU}@C)U79-&*uAAe|SB68YTP))kHdlf)tDa4yOGu0@I9$xoY_6cZ1 z9Rk>vqXFw+YXq|ahvt7EXIdE+^#XF#>4s7wW9pPfU|XRfwk0AZU0t5Gn(OPKjPVQu zcB-Ve*JL38fMl~F0V3)|*v%7hB`-+|!@qVWSurT9Qx-os*1Uc19K;I?ZyG%fi}zUa zx-m~)0a7n{^-|JlQQ|av)3jiWDf{tfFVCpxm`Jr0`Cn5Uo2d_KqUs=K|0eQfKY|iF zLOfQ2+~hH(L!Ljz;DqgPYaaZO*bB8g(3El;MjmqgpxifTh+X%Mhz0J3_tAO?j>{^T zJ^t3vNL)5Kx{N}i+cng^Wd<#Yn3dPHVqa!*0jU(7t~5Hkn`|GfysoWUD;QFoDb!Pk zLLu6e50+M99Pm0zAKh!t$PxhD3CbKh<8`|1g@H0$WIEB=c39PV)X^k)Dx~lKpsib6 zu(p|i(;??3r6>O;7!9)W zm03OAkn?xrrbP_%&ZeP))q`u3g$3)4Op&M(b66jmsF=Leq0M=AW_Mh2w4w97>W~GEXCyE!s(Qh&!6oZoL}p+G zsfp;Djjvqq`z9k^!)y|8z1w>l9HZlCcrPpDWwCmEBX;N!ke+H_cVaRDA>od~R6`67 zQm7L2!KH5%9xDW(dI{N#Yw&sA$IEtX{ZJ0;m4sb-z5;KqTNnFX+puNfl$&=^B3xNx zOWfB@bU~|)m8$UvR8==MNpAIAc6rO=(;OEzpjpt4dHbd?noEF+&NZm-T1u4vEn@vp zuEv7@o&=Pi=eUsx1@sNC8#_?KZR%3^th~`-O{`&ZFX$U7v(J5N7K5OSAE@!@cN$#v z=4pQeBNKWQR^@#WK89Fb>sap{GhaB=aA&TB13_*6HmFh2XoZ+U*;b8Pf+DrvwJd~|g-UcH$9xu&i@MHdK(JL|o% zEX=eZFXX21vAK>AzQC#Sj2y(pzc_b?2#9iE{w~o_)+M$raF3C+PjPou`ov!h@7-!H zLmU$1p@3AvG-RBe!+IIMQEhZfZN0`(x(K7SZ;Ux{j$-1CrmKf*j=>}d@l18kj&ZBr z*|Lf#A`i=h%nG)MS?F(5i&zfj4o6BQQ{#4MJjD6b*-B#=bF*MWEMt`3#_jrFW z;y-8jays=qN{1s!;}1RT)k_{^%#MS(5bvcqt4pPi(?gQ`&ka9@01ViQNc_FFl!hn2 z(~PBrv&weRC>L32SO3-|HP~56Sko!2x|y;ro1U7du)8hZha;R!{-vh1rPZmITLUNX zn&&zKFkZwcg~rXp&Klo1j(@EuNZ5$VXS z2Zf)UPNdcK+XU8e~Kt*WMt*exKx(j3r1V4sRTcrmBlqvsqcE>DqF;#4(V%`P%^K#_@ zA0M=tBf{`s>c&5Km0yH>@xA`!z_-bBQ$z+Lt(BUqL%*j~g7UINB~`h_^Ia;#~pWu-nZHTSYE5dguqt>8no|Den-2 zTn%{5f9<&muCM*z_Xq2cnHn*O?Fph@u2QusVLa1-ihijOPX9Zkr#et9Py83-+@jmzBS|pS+)+c8+vyU7Zb-<=N%g~1>e0duWeui1#OB^ zTj=^#JjPhI&?r+=+an=q#eGbGCdf}t2C@v=8b8tGeU2q5RL0j%SZW zDm{$Zb}AO==AwGXV`=XGGBAS(_G}V|xL@1iYntRJS4{1S_wY%w6p8wic49r6?%Nn zJ*^8*Tl)YG-tCy+T6GLSFHYXU(${0>36lnf73QOY$^2jqyaTMMVkz(&K#h%2^421r zS;Jz7JG`h{pz5sM$7~L&E!IuMk~nrd%^&$)4u#f?1}a^YsFV#{H5^0l}|{GkKHBY+~i9iv@YMlG`3pS?EE)z;-kpT=YO4*m7 z#!6?`*s}$lShT&{$O{V&d{=wykxhm_gtssrg9Cbu#s0HyDqFORcAKmE&xE^n$k8_p z)TnPaqzVQpY*WSisZ0f5L;heeEZF9;Rs+x6*@bF!asOuj)QQeBg9MbPqxaOJ%~OE% zH!OU04Y9J%K!z3?MfI3VhMbcU$olQU*j}!P%jxB8^*|FxEB@nA@Ci)X?MMtDYyb!A zV(8Ydw3qYngSH&d@b{{nDgMdr%0wc4qWJY;Z5J!|Vez74fU89>rHOw))7j7Z{tnT&ZL;Mex8xum7NM8Hu`|0`A zWcm+?suHDPA>zE$wB=k60+034bj98v<$szF51(UjZB`Bvq!ZcveaQCgGRS~&AcA>( zZKT6oG}G?#n6fKpniK^8(yEa1xoT(v(M1TmNXGZ@F!h6z>?7RmeFDxKkL19Px%|q5 z3pC|q>lNm+un9$gE_^USqSUtrPxC(nwtn=R=&T;rgJqU+LCePsxcB(ieuaOob_CaB z)IiOH=DNDu`abQ*o+o>^GU0>J93oDor;}n<*|+S|)CYWO+j81>7~si|i8!3ff@@9f zu1m*D_Q62&iNSd=Ce27OCFNu^2_|AhZGe(EscArvyYX>?c2wEo+K`&UPOL3N>n=w8 zg#RwTfD(LQXp-9V2`~d+N~=wm&Y5)<-?5)rj1Fhjm!CxW6dhb2HVNEc)WP3^V#Tra z#RCcE%AX=rYtvIDo=UImRtp`Myb9whAPw*=W2~;;@u3`vaJ%yxfCQnz2x`pf-`>h! zFBUfiT!F?awJk!*kMqfh%y9`|16mEiJ6mj9!;$L~klUa~-mRECo`IM@_NG^OAzXZY{hMkDYcFu^F=J|@Uaj^NE7j#M8}JzkTm&V4x^AWUrQ+7g*R z)IX7*cQ9_Kd}nc0AWU7l!C9g?XR;$$$?qMS z0$2l9tA7xkevJwH^cbcVO1V?g?uwUP`9SuCfQd*qa+K1kN{HBn?p-f;18qP=rGro9 z*hv|^urFKpDaHg?F{MAz576!2@O|>&UKU=HrRHY^YFo)&Wv#$0S)w90;GEIP!3oHiUf`^Y}g)6s8A`ZW)~s``Y2z zRe^RZhT1DONLA?B)!c*UR=iB(AWKfW8GZ3Td4gtN&$*bPwFfyYBSt|0hcT_}Rcs-{ zO0xc$9PHYuL#1DT*(_0A4V|=w=-wIJKJKrqME$IOCN~nGAx#&>Z#4N@IBL z2fp_bpg0NqOSG9ws=AsgR&a*3h#%FGSs=aJmXe&ONS7wf0w|!du59RH=h$mrRNtHK z8viqJWn_t(X{%#BU&`zshyXIrWre0LzE;KLorD3ecus)1ojoXO8m@zFaE}Zx$vb9NHROs zp;ZJu9O=`D|2-i4okWp_O2{pt@rpt@-vK z{0uz=YDEBhhwHKlAl8)!10IHc?jHnQHAs}p6eyN7iB63pcVVDExSs5+$>7oo$Zi}3 z{7AI7&y@$zAMY^=pt7DbZsap<0L7cxo z%969c6g(G;%6&_1M}9P>x64OXWlQ>rZ#PAn@9x}d5rK*)3?@YVI_~_T?{;ciJ%KDu z{dz0JcK$>EBO;EEXH|}=+nk>;D=YqAvzU8nF^s2P#i^(1oRFZuubwt~^M6AkW>5T_ z7V04Wng#~Fa9PeHfv3R(y2n>=*3LinoAlNl5b&&cmO!TKPiV1fv9P>anZh~xh|8=( zDccTM%Nm<^m=z%0%WYqQHDEq%s#xR}tw+8F7A_u62<}~RwohpWPYu!*>xXz)O*e}Z zjzn*>+N+560}JRKz2N=JfV)zkEMn+Db$bB{H$Grk-T(pw}mZ2vn^cL`>vo7MXU7JBVeUk3l4>Ru4XU zpg=z}UkiZ&^6g3o5R$owYV}`B3z>~Zh<2GEf#dSj-savB!sEoXWf@9lYR-4+kC}4* zyb+Q}T|Of%GYh9AQOD%4X>C3HO8#)YZ4e5vd#XjO3M)0m%i}ru%&NL+j%X>ye+cKm z;8H9u7;m*2F1wWG|A>cNVNxE5EaX9h?=j)q2&9h+Akr77tH8wG@sG zpFSywW|BgT3}I$6PI$AS7mNZ4O=gcf%ftI4S&da=2f9m6ktSYW#`O{H=CUZi4V);|tJK^$ddW8?7B)tYtfF zILBKE9y{VMVx_x0G+Q zcZuGENIS7U`uMEY4ycegt~!R7KhMe1SbY<%0J1PH$~P{dM&H`iAJXPJKFgS~Yh=~N z-_8!d3=muIKCle1ApUdjZPS^S&VJBBiE+pNbN=GAl+UkNW<|9%C<$$-qQMk z>D-Ro7EXX}nKU`|{hUyB%7WIG>+V0ji4HRg^Un%R@uN_W=7GtL}Y?-QY zRb&DK6-a58!C3^*Ur??*`w;r;}z&c2p z5O%`oxxD_*s%z1BW2x_jEL>-zA?N3xi3;vw!o%mXmmi1@7PfVoTEV7{TbxgZ8Q8k{ zi`o+x-^k853^;|pjGq%1YD+4ulcG5~Y!vbvQEQBccPkZ;pJAe8Aw-1ma8S@!zoOW& zpphw3aEisCs%!&0 zk!V|a+IrV-?GYl-;i*=Z39Jm23wo5C_Z-B5!=RJ8@@RQ%Bk@2n-oZ?K@i$G}ee?}f zsGW4yml~JQ5W6Tb0us$OZ~oqb{H^yT#Ox8DJAd-&1ubAMEtlGq&5UwEDqWgGMu5EJ z`h0z5(7K+suLn|;P zaLisBB^r{YqEm>KM;QvE!gq$-?MiGz)A>mA9h=$N zc-Dq6sQJ}Bgnj|=SM8l&e9KjQYj_UyPOSs+aF0Ji)Uuv+K4PK)BP&ercFt{b+3hFM z4nJbJzkx#QA$<9l5Bcuh?$+t)ptbrXS2 z(?Z#70u)Znm1a{tq<;`a7Q^w1AX)Oy20FVk6s{h~*<2LDsA33(W4lNbDkw20qgzfOVTk?7r((;pBT_ zUb<4?d~yXpa$$w{p8C|Mvg2@>{t+0D@+I>7UA}&pb(vRkp*6%d|6qg|)BF}g_*JyB z?L&x_%|cLf`kQRNdj5FS=}!c94++kUw2K;VOv^m)OwfDcSRE7HYD3w!1kWaFQOZg| zOPzhy$MgXV*}XZs^W&S>aCKt2X|JsqRrNSaAet%3SazZA=~-{>N3`Tpoz_VDbYerp zHtq^hSn!`K87}T7@9=Aw)_Z1kK1gFK`QpT~Tvge(A|JRwV_vSdRRZ9Hx6;dv=L~m8 zXx;8%?-N}zew%uyek2O?8PkOsA~?$Z$YlFSNz`Vz!&tsd$*}j*S-7a`09A9$UTc^u z|MBhd>OJ}Gsv?oiXi%K@b#MO#KG@yIq&iApB(Eya^8gf;3kFmOM_>cb(|*hk`Sp^Qg`WI_{xyY0AL==G2}Z zhOwOIENYUC$4wX*-$@Z*Jd^e+J_wPkABAt=;4=6GG~XsvP&cPzEvl%Vd~IG2tXDZW zQZjvcptyCq1JOjCz*fEGA!?1lFNh7pEuoKo82|WugzBA*OL&~!UAt9^9L^y}qRczg zOogJR%-&~2uEeIrAxi$s-}U4jwOb#(MN1B4wZenL1te7XEsjAsl2T@E77VrW0WaHw z*1XyE{g9(A`L}1=zNx0~mWYY(xH6zD!ifYP(wkH5;dL)3SuuHIF-jtvo^08z9k{&- zvBcB&ps5UV?=i_j{9m4TBKHZ#N5R^k>ym58u+vt=Xd>a%uw5lK6kmHyY9?$ln5j+~ zeo(E99sXRJ`p{K8DB}hV?@MDIjSaaqCoLfmBu2QgRkB51#aie`>xQ&I)KrEI~m z-KiweRpr+fSe5^yYzBVL!g;#{o&y%)ehPH{Z7pLbH{)S%g2oXG{@w~Sk`v$js4ul* z-f6a-yC%udrl57~Ecy5W>7&A(=GG#e7u0CwQmjdm<`?0^q1aHi*rmCiOLAY0`0cE9 zz6n~tu`gIMj^ELlRa{N6%l}%kk}f-5ntQNUN^KbqzZRLuW4yI~Zra};HjX9|2Q~FV zVhsY%lcoZh!sEmvst2T*^6iSl_twnKRcJlu)o!SG#GBQ8-} zWV=ryhsU?sfvpJx6A5?6w^`--~*`sC`+6%W$gk!8N5>A0=_07V*3|p^y-KsJ~~SNjkM9 zW?JE{@>AYN*%yn!*$K5wRqc`{-oz9gP`~TC&$SS7LOtF6LT{3PuRoZ-fo6QxPCT+< z{T1`yiPwz|CM*XiL96Qlf$KIF@J|BGwCU&B@uDn&WOjJ9CcT75FKi`;=EaZN!grh7 zG>AwZGn>q5;{?;(FAZ962N7A8w zUv-lH%8d+uJhk~#-UC%n=3xdsQ7lgbjy(p~aaC($uEMs;0DT9KR)~wJPHQZ6N()A8 z=bUMD&V4?jh9V2gKJ@2iV&=2Fmt*0nu(L_XYK^jd3L|)zCRzLIQ3=byrHN}_Dr}Bi z!qiUpy)p-e2y6##zjen)2GU23ktkmN)zfVhBIR;|)W&L*8uctSaT;=m^qH1Z`Oop^ zzDeB%a{>r|y(7x2@9d_Is`!fvj8$*ywu&8h&$2Z*9m}8U(;ZjCc-J4d zOQ{vYNV`{*8+)>1Y373Tq8l(S=e_wb8E2;I*5>ha5j=EH6kFz27u4@^`cXQXi zf&spX-GG2RtFEvAT4RX8LV#4moBrYJ(Gx96uue&qbA*QUI#z~O2ohf+#b+tls_I;~ zXmgc4<-WqlQ60X<_hP`$@L-{z6-)#2$YlvZ0u7a|zcjkalBi}*RQKPFIjFPbu4dZC zk@56*JfD)6JUu2LZJFOg{@d5fkdw*w zOSrN#io0}w^6!}tsArP|N=>tI5qH+i>R-ZRp8nM~UR3BN$70$LRS~k4F@0T78XH1F z?8i-9Y)yAFw=E*o%^1fQ1yv)2x2FuyO|k$VgAYiRUa17~2cQh6>g!vZS}Gt&M_o7T z@cld?u4?1B8?IHIi>eKblm_?OA9^zUHP3JZBr0EAcTQ*U{Ea}Rvso~|m(J3PUTnMV z{5)9|?lak}SZ9t8^K(H6z9sE?v44eI+v`9%oc~l`TJA(*h=~hkoQ0`YIqmvoLnMiT z-I-TaQVx2ZI6r2zL=D!uj8AcEo+Wikyq0)PJoKW*@72D`_Q#})vdhvWRx@)l<>4YF zO$&pMGnx|}1%u}rYjz%oJ@oxW%_I#k>hCERSnx5n&(Jl3@CzW;e;>&0!4B9%*7^Mq z3uq8fX@$5si0)-*hE=S1{rEfT6>@L%?=XKE<>GZ^zl>U8k^zIfY?_8`h7z8I#Uybx zo^%FP7jBf4$IX70qzc|^rZ2Dk&_mi*_(WFIFN~vlufea>ep^AZmjTS$-}ne0VtB11Ew}8-JA0o+jn3j1485TJ zmsHYQJ$)`$L|`I3)AjKYIfJWL%RqS35y|K1%B6}i72g_s)mw(KRtbq*FV%?(NXO)ssT4`w=JUD)5ej zPk!Kf6>(Z&AP@3yyJq8Ymo@sU3Kd2AWHeKcf|w6D2eJ2gY%-{iiQZpIo%pmQo~iZY z#(w``J79JJkSE$4+t3Ar+-1001wP`o?IW`!3y-nygO6%Fj_H1gdf)L&fXT-IOEvg= zJ^B_`CLfMyC(?GIl4kQZT++`NAP1B|&J??32UtUzEK)?j*6qKdINat_$%XLWXEl;R zJ-rHAhbd2Gl^03fx*U=y&Q(nwKu)d?0p};s?k3CF%_e&f15x{o-K^CukTN2H$G#F+ zu#u?JaA+q(HRdBgrCPPYJKI)0r%?H=w|3Oy%qqWKcRWJyy?}oxZIY zRl^5JPf+aY&?PVssSV3xT~?UMeaK05>_OFD+kaQpc=3V;Sx&=?JAOCIB|UZYaXtI`7{jO*O9O#+PoJp6AIBi5p_?WF8@HAZ1A2@NFi!b! zf2^)?;}qFW#GMojhku|RpCp=U@;$QZ*k`uict;x*WN6~u`J>~|VN^UJ@wb14L3EzNkbq}fAO)lfIj~de!1W<6 zK~jDms`it0<6ZUH;4Z^*NkT)t6|_hQl${xd3}IX%Q&8 z8FVplco^Lu^S1Z`0C@gNcBT5~%5`uh*Y!F)h?eflWvStsBPl2nEPR~+AENWZM($&? zayR*6fab~w6R38CQ?F1i88oPYQ!tU+-{VomZ&>^L-oCPs*&A2#1vqH&z~XQCZC|pS zW}xrBtUQ)jE@hU#HsU`x-P@Lljj~I-T_3u3P+n(LX-}jS2-B%AH;ZL&j*ZgU{2FL2 z7OXboS{4gZKqi&uXB}Srh+yKQy1lp@&Li?v(S_+PT%PSKE8>q{eYiG;>{uOt)1c~N z;Z=ktXc^}gT+3-Rq)EO0#$;fzNk3acf@sKGaCx5t1~&QE?0at7_W6^m7C$9(b638e2;Ha%a=bM%d^5L@1yiINi|-DOu`k&FT&z$rj_!xC|X` zf0LlNHts1AhuiF%#A@|Kj`c)wBSFzA%CKCfm9a`=inc}nEKYhvaD~lrWK`O#hv&z< znuo^8tcZXVFxaw&i!*yt=+M-DIt?uV7+GxtZ|IJKQQ^8?*=QuvNSM03SVS9`v`Rt; zwU430L!DL_A80SKW^WU{Kau+BJJwn-CjXU4nH>q zYhXZ8FU|?II5tnD`@Yf-PO{bRW!*EH7|(QIC#CUs>hw*nfW8hz=|q($ov|26IexB- z(ge5%aj| zsC>%X3yIpjfEZ2`fCLUE1M{a1^csaIgIJi{RzRYotHPm)NTA|svmS=+57}8`Id!At z^Bn!X+23a7$}O$NY~Smx@lwu_?iD)cggf;Gt0lvZEfD_BPF#N@YwS=Ol$%J_@3}K~ z2F#_H>H}pdXL%M-pt7g(`7AN3KUD}yNE-;Gk6TL3gi5C~s?3z6wOZ<#@tw5Tz0j?$ z>QNN6LhOXTX{kS0Wppqr(;X~na{c`9j^YJwJ(L6z#V{nU#B0!bNYy=AX;WrVVDoFk z5hzLnMQR7uMxZ_luov+1on}|g1ixw@?JBMbj#lng* z^a!|~iT)SeXJ|?Dd_jM!9>P~LFQgm!p8W=Ru4}-US5EGg8C02~Tc!?(SqjI|aCqxh zK@7I14#7^3|E@j3NlC9ZV`8sG;}V9TtwjS+=JP@o2o`?UJQy-1#(k@`=7hbd87Nzv zFL%>6+&T5Qab1J3@jI$N+}vthk$yPZLWmX z`Yv;NMB)cfx}n-FWK_rWe95c1(#DQzhlguxo5HLPsXqK-C`vBo-^~V2 zDA2jz_M%DN*Z3N>asKX+WUlj5M{^Uhe;liZE~Or>$*@}$3O{PWhLm8iaZT+FF^GsovcdioLBZAHoH*uk^KcYtWsT%v~{9KlFYZ zZ&CSluOvpCL)N)5V;O?BN4o+fKy{IZ{eo3%bS7f(0xKgfFw^f2h^e>BDb*zQGv@2^>W ziM7^-nt=ae7p`L;gI%#!EYPhi=P8V94(k0^r=U}?*@I+#J&~=xcGWw;}PwN0c zU65m?wV@{st|pYX>kFCJev;VWdP%j1L_Obba`SpPN&or7XpOr{3y}B%T!kII+3p%Q z8C+pq&SrNVE2=DxU4Bym9BOQ>eqz%^GV*p*YJ$HD+K<$=#C0(f2D(O41G(H67j>gm86z$10w3FT14>Fl>s(`>q*sr)Pt-fE0I(i3AIa$49 z@b)6!wU)91!`296K}$9?TIH{H&Qc=f4);X2l*BMY#&!B`=MRA%GX~IqMVVz_d;>(* zWIHe?=hG@l86&B$46cSFw0#oY($7g;4FdVu!5Q`8MVvUG+8K7z;G2al;B1~?)Y!`> zN{vRF3a8Z+HnOfpVHQp*8q*#23y1+a8&Y^y(CIJE@XJn~#l>IZ7$a_Wl#{2y!3PGb z_yezC+L;u9aRJs+czEaA&(|Y1|{$_4qPF`sJmgn_osk)pES1 zmgsF$q~U7o{xonfMYT^H4n|YXp7Kqc#v131AG~h+hj5>s00{Rv6i@f+BLmfHC*9SZ zvNq~n>X$tpE3LOcdrv+onj$*pLuLqPX*M8u&jTYRMkIKjbY`KvW^nce>H*|ssud0A z-MItortqj-SR zKaGb4lG;3(R@FG>_?`mv4X%74|LJrP_Inr&f5*Hk^;PKFD-~Du7-02ncs|S9G!Tn5F%6a{2a06H1!JihSpEN>svUq?*FhZ0)&-y6dGDT_(qh zHB7Dlkq+|&;A&AH0C_}m3_`EaK59I!9A)e{*cE>7wr+$HZCZ=>=YM4YsaiZdqQ}7X znpTq>aW)#?Rb4G__D*k1|CyTC9I#Cyx8a1ZLgZ0nK$<%kD@ijx!e9ezCnRfv`-5QZ zPe+VH?)DSN$3V=J9zRDLBWy{UVq-Rnjp2za9VtCN1jJVZ*WBe^us#pl;5jlM zL{Ti={faN7e+r%mNMQg6OR_wDR|3czxUiX(K9wi%G5C)ba2XE4_XKUaid6HP13X0* zQnPiNV)=B?Yy=YnI8Hw0H0NTMd0&41dZ7r-odp0Es{?$0B1;Qb8Tl6{rl!y{`}es$ zL^D%wiAl!>cmu0OSR_HurC`!tWIjJ5PWAb73s~$DT8+lBn}G%MS@PqwFkVd1;qR`V zVRRX-AwuJz7_i_v<+OiIKD06=foto>pSwYKzR%y%Re+O5akkv`Uk$6Lne2(RJ zvMFcj#4>3xXvFi)KFFYi(!phII;bl6it;m$9U!qO=THXv8NR<7;J$@9tt>Em8mGeU z{`DqOw`g)Ev;8N`g3s8}Zc3-z{;w*f6ILXikbvki*Y}9gF$khO6{LWBejm4lOiB28 zi4G_Xekd-|nO_(shMmre?Zvo_7{QB${oGY zYeL%Gq(86yRprlRpSSulg*c1lZmx0Zy^sZJSH#-@LWV{jH?sTb5{(VV5V+Q}q8*2ZSU+SW&_$yJb7Ep~ zipGV%ie6k^$y}XCb0)CsG;&T2%gC8BEip)~SanM}IxCiy8IY5Sa+aZFGmSP++5Gx% z9n=P8nZquk-0iRPT=Q90k>x;AQ|XFD8D)UXCF=lnS=xnsWpvW#`S?l7&D~5PtZ^PH z@h#7pN<+H!TxxhK@gR|`YY)i7ES;Ws7hPnK=l)AwtC=9AzdY<{#-wtHf~92`el3gm zFdyY-_J%+2`LI+H(mg4Tm_RX|u#3%iQy9y_!;Td{Wv4llkSE}LEoh<)KNTcf`H_$X zwy*!iQ_OLemqHz_<^3B&v}kXIKHfu6f}Ga2&rrL}gnP$S0Oe&)$*5cWCjagh$AEZ= z*Ho1ZljbE&i~FVEEZKy7dFV=d7D!;XMRt&_qGGH?@OkE|#G9|fzyUi%nvlqFAslz! zR<_WBsbEhJt(sq#N+MfJDcGtl(8gext#BS0k1{Quc%4_m@Dh>nzMz-Kn-6$P2GPV18a%T3eSk4)XHGSpVdRi&c;*BltrB~;n8*v?@ zZk-$AMP40fArk|7Oq`AF7>`_Hp4WW0PJIP?JTm_9MU2#=2((*-t>RCN896;U{N8&c z`9G?zIxMRH>B4?NK@7SPB-NFW?hufYkd~J2?p{F!X^?I~Kq=`iLAtxUYl)@ny$h`V z-hX%=b!G4U#LSs9GiO4EaAP{f{+Kp*jMAaNWLQXu)zqOQMul`qOaF!=LOAb*B9XQz z8NtOr1Y1#T*{_tTQl)tB$70V>V9FwQNn9FCI1X^Unb7mu#nl-`qsaNnK!wl(xbX<6 zkkm(c+MLy9S1lq5>M&~Vx=CMyK3k$Tz9Yf8w{4+?GbY)K)(atQu}*q;4EOJc%i7jL zt2dH@7E=T3zE$7!{R%3fXoQWuPEZ;Q$h~*<_0Ce`(AVQvRYiIU*`lAM>>~AyjU;Zm z+pZ5I4i*KnGo|EB?}Z#Yq}xkv!n|<#fdPqkFqR<2I7oS#bx~h=mAX{KjZy^BPFC_% zN5EEd!Ft>)+G=ZN?L1>-o-`H*6p7h;&oI1uY=L`NUp@+qMX7hQ>6q$}gEIc;!3}%- zFM82U_^GeyWNfX|2^y>&rM&u3`~iV4M(*Nmo5`&N#LpCHQ%Qx&WJ@iisc2*2buSpZe)4*pXK z$`VD!_BOLo0^Sku+)t2aMpI6qg=in&WC1YkJ#tG-JeZfd@h=6gcaPV)gMNFKY~-B7 z>>}Ska@Ow4G*&E76{&zFzTz&yjjf23arc7X5!2&HJ5kT-#rO8?} z+#=9U9%HGoy!vZI+nLvK1=A846(8;O>JizkHt`D+Ft}|`*x>m+d}WKk z?*lVt##s1F%~~VVH9X}MY~*t$n14~JcRem@Ii>j*@6Bt(#pD9mp^R?A3fDb8c-w80 zh>r5ltvH&OvEYH*ntDj+z58A|jb9X}c8aL4KG{Riz=fbBD+49~YdLZ|V5g^wIMSe# z!aZIJEvjWf-Z8W6O6fP+6^@S*sBJ|_T8;KQF_E$!0(8&{4k~RgZblDb<@4Vq(h959 zU#mSp(XO4gtWgCFi}Q#WyK5B!1(@(egfC=D@qm;>GvT@_+;CZW|Y$n^(Y#5 z#&Qor_~{{()v1i$vFd$rX;B^Ij5tr2Poo7-g-5DIBX9-4!wmEzgfMkJWQ7sx?#W0> z|H^gLw;5s59Utc1@~oe6$`;9-vbfYSygxMgwU~lir@MK>hiYF&aW5KfgkIfbzySvIC z=|7m(37deorj#E~ZMH2;@UD^YvbdF|wM6&ut#=%;aUJJwkhwH|M~_YQua|bsefLqo zFj0=1rSrF$9H8Lj%Eb4cAUA+Y>P{ffKqF-EGlSzSK9f3=!gCCIX zjg~1tf)0w5&#+exR|U*(Udm{4TbdhYuMlc+jBfP|qLT-7r6XkS(G)c)4jRm+7XoUe z|BHQlpo5l@1M(cvYUAChOW)3g;v9V-$&N{UJ8bf)a32y#_ah-0r)LVk9SQxWRRThY zK{%6`Dv|B_QPEw>1qIK`jjhkA2MZixvAft7?Y<_PIFVK~675F5yEM^rycY%5bh)4j z?u>u0@0#|*nQ|w_zgDjnbAiL7DZ?@cXOb)AM!4}h8qfm_j9&GP)I(NA{cdXBABmUI zDlDJMgSN=sg=}TL-fikc$5b|#OV=$glPEs3Go+7hdH}^W3ZBj@Z;ogC7LgO5JwT0I z-aHbwcC*Ep_<%#vy6^;-N;8Vs{>H|!`KnT%;YzdLbtEwbpcMa(nG7&_GRAg0n8y*? zV3B#Zu=aS^FnBSfmiI8K8UY$233{n)OVgCHuk!NFN9Txk#gik?yf)j4syuR$+_#%% z2B@IKI}Tpjp1<0{IC32pKMm!*NHDmk1WCN7sQi%MDrl(L#Uw}5nO`4NOGPrAU)B~x z^1!JZV{9A~AuvNB_Y7D7FiqD@!$l?cIRw1QIx!qMO zgAJo+n)rQe?>}G6ax^oWCcvGY*0)CmQy9`P!Es(Bb5`>*fm@;5i2BUO3!BIKO?dtp zRk(M@d2p+lM2&rS^e11IWAG8FOr#5E<*hI-gc2q1tmyEQJ%52b^eKlzgty-42MKi- z*UZR-6={=8A#6*hI>tx*YaM#(HLtLDh6pMP-IKz`27<~BY8S0@M6|OZK?mbsX*;{| zaC%={R5Xq_=7k6So??BT(JlD*ESCdk`QeBwCcHr!lLWctlt5iCydc(^kapb$*_kjZ zHT~tWOU>Ez;6wgs)+A=9WzJ7TMY1IvA&n5h1hF>*9`dj)}8Klu%b*M(m&LwtS3%!kKHuPilqw!#JBLN ze+Q?ZuO|yN=Xs)gcDwvhxgax}cioCW!TVTu@J1_Xbi0EM5Ggu91*WI>hH=p^$)Y?4 zGbDxNdD9~CJP6jvXQ4pmtn3h9M7(4DSCn>lzPYcuH(EsyV*H&T4VA_LJ%Cx4yMvr7 zUQm30svqEJZow=jn#^vGRQfi%uK48=-&@QbEl-U??K6z9O(seMY{FJ&<{Uil4eY|Q zH^RNQ6MWI$$WtWu$Pnla%h(=?Z)MbB;69(b<5DMtA)mxnV7vI4`J9LvL_YAP{t;hv zw5&iv1S4M(qv9R@Nj)0vVAn@W@sdRLtA(n_8)x}oNAl9!GXOY*EHb#WH=>V4hi}j` zWWFDsCg~trRiN$;;{EP?GI!$#>EjQP6u0BqOy2^Knq<4L=p35!r{ZO18;0{)Qbgww zf6Din{s^cqUkmQ4tQ$6UJu7VlV^9Sa<1G*dfEqTsQ)NbjmU3hRm@|uh@ZT8!rO!sqRxjkoA3n#Ak4@K7`LXSz0Uch`TG>ku(qhaBp#bVK8zt+Pok9MvF)q zqSXnm2WMYNJPN-!+7XlV9Rdha-sfX2Q2aKd?3eCc!Li+E0A@MN;bYEiGtV9K2Rfdv zzmM|iuS?~4SksGv^xtv3!Q|An!L*mbo+@3N64`yEJlh>!mWPWNSFsUp0zgJY`=F+e+GUdudaVclm zIJk5%vf+rN41$V+tn!Ct%AzavZpmvT$nm}VGX-;2#e2iaEh^rzvLX~$n-{w4@iZ?%nNEAz6_5BclcTc? z=b^Durr)!*7hBZ%#!6=*Rvfts4P&WBv=&=k_9g3ZGu0D_9`%R_*H=DpI2bX`x%&-^ z@$Ky`1FZU2d2f_idDH&u6kWY93bvC|E0Q9(ViePJo%FYX74nbXc)fkpY3J@b z_z|Ht%wz&d1&r9E3pty!bRL}+RrE#AQ`9j1H0u0|#G-DVx`VU%n&ZTxTJ|uy#P2HN zdk1AQ`UB_|5f?`jO@~f0#uE`7g=-BFUN0t&S_WL&)@yPP9txesO|X+OObFT|R5ku! zu)0XgXfZH)wlG1l(od7J&PcW!1C%T8iX@Hy@UOq?F?ReV%mJ)X;aNfjX2ntk*UFTm z-hJD`AF3uIhVwY=K{ka>PS}RSUt*!$+6xh7ot?u6P)sVPRWYV+S20ICFll*o#Cb$A&H%3zcJ!2c^K9vr zpYvI=z`_Z-Kp&Id?|2z~;j10T-KryL{edr5X;&ohKJtp&A7z$fGAar{FxGzD7{=t4U$=ZzO>o9yBtr(K5zF@<)4#r zZTwcNl0UU`I3-4}H$t74xV<(pe)Y3=ff*xuou6TQ*~9+kJ?vRD4XKpT&oSe+e~CB@up6zO!OALZZS%3WA$d~Nvg2}=_<#XiWb_(UM zd_0Jz%Ys^_9M&iwpnP|R5>iz9Qk!#Qn3qTwSsLWDCAVk#U{~N3DQ)Us%#HR{X!b?j zov-h4D{s!+tP=7J?ecnG*^)P4NHWfZ$+F1SpK;gD>U$W+(_Z1nEqr2c!bBNf%&h63 zCgDPfphS!X%?hl~bJCWBs$ZF%{@4g_4{Uu}@?7ULfbV9t{qz+|xc?M(Z?x*jxJz^P ziF}l{!(n+8<-o*^06X7M`n$AzhM%cw56UP_mWMX}^un!OzkAUqoTGIA$ENUI2WojD z@LBNb-p;;D#ex~v$*PlWVcHZyP4jxEa((R1fRSY@3l`?DJiRV9EVQqf*L2RcSCD)G zI3Rzawd(@DSyE6^o%kb}p=3R<*24gA=tr9HqL#Upp38IRo=+Y!A4knfUjK2%VA&nP zM)z87Dl_~m`K2RLU+Q1vJeSjBVkoE|PNZ4|%)Yp*9lDuD{>UlxNnjo@Gpl9bz@aL)?|baqS$_q1;`gP}X#2E?9K9(r*_>l$75=ndH9od&Tfo4EuyBFJTs>T1 zf2t=BhjPyM%L+e=%(}Ne+KMKnIwa!`t|iY?x+BBTbXkK0hv#s9rb!wwYUR0{`|xo5 zC%uk=P>HaPI|`;>xwqA_sQVpX1UaIFNho7^ob37vMy5m<_ry$Prkh6bmbKFn_H0|8&j(@(gFjxug2Zu~TJ!i>PZ%eT40Dyu|BLSAlhb&J^KCksxjN zsA;RH&TbAM6A|)8yE)5nUq+jKD?fm41dzc}3mhhf2$ulx6EiklT`n`1nxvL@dGY8D z6MY5wsVeB8I7V}SB1XA9tB&Jx?Zk1seTGBr$BzsX6L%GKZl~G!s^~}q-34o=nnq3R zzVz+0#jiq-H&#EN&f3*96P98MV}<0u_>sdXFvhUA*^vbFCAP{PZYo3Qavf1}V%GdS zH#_WK%Z_yC#K4gke9eLKx(Xn6cV~E_b$x7~<|5&FOKnJ4p*6j&j}f&=V7Egs9&PCN zuP#mvl1j)2sUfiu8;}}ILhbs)QmO5*kf1uOe0&t{ySCWW->b)K&$bz%j|ndz2zQGK zf~47PuztyYh1q8I1cjWe*w5n0l+)se+Synf@~2u8p;q0Pt;?e9&;tW6u}}t!d%>Aj zBG@}?ly5J`XiHp=hTbM27u;G<;HhyL1yN_`yGE~vOzYeOxjI}@K71;T9I6R0YEPjB zNPlOx>U;xvPG6{BoLirWlo|1$&{EBAdA!cykRNkoK5H>Z_TY>Ctr!tp;4?P)pIUXu zW@7mZ{{3sa;pgkEw-Nq&FI58RvBbg9m%5)~e`eb1KIZIdv)QwvJHyZRN0V1n1Y3*`~lZ5H09sT$&yOQNEv|!e+2aC?*V3Fx84uY$q7Dqd?d9*yLC)W!x zSnMsq`D6C@;`{rUCF8iC3R#*`8Kx$~P0?YC-eF(Y^E|;*|0#cvY$zti+@bk_UcX^^ zdQtO$jfo`VX5-g=~^d6rlc(fjYNtQ1fVP&r~Hpk^v(fx}42_Q$v_&p9LvN-(y~@V+g)LvDD1J+KxF@?TnP5^aki47>eM2yJ(@@ zT~4`Dp;f}`%|J$>q}LHB;*aGvv>Y*SbO}pBYiNT$vB9y}QZY8G|Dvq@L08zJOgx3n=v>NP$2yku$@cIji zqniJet-k2_%v$;5Bc9?_*P@TBCuNt!O1&59E_s|<$R?tj=R3YJ*YvhwVAT`x-?@qy zulv7!KQ-FXTx!l8JpaZlBX@FiGF7|DIoq*L6Rc6^N{!{*Mk*F3juPC?9NhfQ%3VMl z>2iJ*$Neu=ikW4BoLQRLvU%;0epC0pI3aRipVTM@<@9uN!;-u44O-f(Z*Um%#X0JNGhsVj?4bKe6;~nT^ky|7^jvvKbNx4|f$B z{aU*dFOtxfb*fBmE4pb$GE~+$@co5vsYwXq5np(8&p8F%j0-!X`r#S#*MgjWUliej zw>2-90mRN9eP5In1+jEMTTf&TL;lMfqH^wLzs0r~H zLok%48uip&Rj^Haxm`ctm_Nbf?2Qgf&C&L2+P66R;&L#9CZy_%xJ#L6stc@6IZU;h z*6jlZr|+qE%ibgoY<)%jRHUpmX#|vifx#;z73(0e;iQ#z(Ew7DbjqEt9vzdA;qFkH zq$1}6pyOh>U=>ko1YAE95H-?g9V|4s0El0J_r@`cdx7f?q|wdho!zp(U@XddPGl7G zfpi(dj=YCJ9%;B0U|k)RyIA`Yg!P(9QhfKXOZ=~5WSKR0ddhS9E<4}BIF36)m1hpq z7-!*e(FidWO^uuRPDMfy@|@~?n@HHO$n4hL+|4!EQpHp)EwUNqj;$EOKz@)z&Zhnw za6w2K$JCByl}yXHivKR*wG{?jHbDJW0*|aRk_?}`3{gc_Z5cQd;UdNRGW3(>9ZEZu z4r#1rQqqk|Ch+-hFLX$uR=F{eZG!K%r#a$qVJyOEXLB$1fi}+xdMyI? zS)*;5;I+K$W~03P3VKd@F(MEcg*|Lap|Bp1*hm-JCG`Z|8Hxq88K3P9Br4-Tq@NI# z|L|m;tE#p+J1t#bE!Z2B$=@-C&U-k1DlZ5c=8i)$cX)eW& zAIJwFeoL)WJ~5feGnT4v50N0F(u?2y;WT+>RK_=;?fgOD`gQ=nR3CIV+MgQs@&x}pTU#92gY6M)h%o{h z$|nq-HNoHJmj>}?wUwzK1)S^0gGm@{7vq$Ii&>+rmfY^-@)og(^B(Gtyw`TUlY@fZ zP&|N=W2|ZDb;1T6GLJ1NkuUx+e%suSDBMKA(gp?9M7bda~4->O4vrQ<@;^Px~ zlI+BQPUIVJ{1Yw4H`{68R~)OVJBH~U5*t`gMD|@f{1oT5)vdX;KU!Owl!<&vo1BXs z5j>$Dq0tdDmVIepr>17Cf$*Lo&2RsO zA!%4zoc`sve!{`|ZTc0$iS9g*kP{J=L%ZDvf4Lv%sv#Nq8PwbM%*;T0&^oeio`e1@Lbd*FpcZO%K z0`+QHUHXFUqd;480+YrA%a{@7YJl6SJk706_pcXl?+c3`=CsXKMok*yJ;8ZZQQg`> zR(sw;E6WbuUj&%u9DXsLGH+U#>^_-MuH{LZomCh9twjNh+gp5qd2G)X+k{`3CX|d7 znrLjUx1guGyEqKMITI6md|rL$1|>l&~sX4}sxPNF~6X9;S7 zK~5$P)6>Y>j%3VxjRb+!C$=hi+FO!R11K{(bW-!dwN$3o?sgwGo@`(-yj_JFk=H5jvB;vV!1~ z$HV&5cGMVm&=Y_;VHO_+esescy!Tl!wBC)^z@P&eTvhx5S|_lAhYj)CmRB(hj6fqz zk2u;8Ya{1Pju7JrQ9LJm^I1;@E0EHt2^y?3>5B*-056sfupOcw3a$%s>laa%tGYZT zVOnyEs4={hZj|1@k}c5Zx{+SYiI^1hsT?E3std4UmdiI_BLVSJd~;3X+W0Jbb6+dF z_;wi;#*-7V{NlWaW)8L2WCHL#-E!Her>M@j6_TB|&}$KWsB-u8$@c5k-79(t-7edZ zgU^dBwQ^x@{Q`S*R!v7}flp@5D6OAU?d?6$)R#+U6K zD{I$Yn9Dpg8DG~Km)toCXD33AA5gq78qnR2>zv+1xFsNLq6c;>twc-YpE_^~$kn+# z)x$w^=NBBp2m%9n_8} zxffE@vCQICu`tl_2<=(@uBx*kV!}WH{4x!9^eiG!AjJ6I>Px+DUJ<)Bznd07NI3d^ zFXP4%SEb&K6Gb^@dG1#_{UD;;(b5a!^{>w@&_{R$>|6&tBDTMh-TsyoTacM$!C@;z zx;c*LAZ6lAS`HTd3BU&rozC`tK+kNia9m>h^cPj@BJGF2Wa9alDBv+o4ZC_B=pGft z|4C?h3HxDNC~&)^6qv}s+Ee`!_x&d!X8qIqaRn?2He!dguZZt?(uD`=`;JV z{KvHa4L*>BE++30pZOK#!1IGf^8~gbP_Q;CA-ju6C-_Rw;%{iNuLuT^uBpaaW7lQ6 z)YZ|%p^}y|`De1Dy57x22}uchyt>rI@x4UGf92xhXWpL~uib_j&V$C2uayS3QyFet z1W*gIJoJS9*4q3F4*(O(f^uiOTsLp}%W<@idK=)+0a()V$+obJ&Q21OtLM^sH(^Yh zYe~Wr;T?L>ic8+DkR;}J?ymDFS7_}y1x2bCuUl>Svv&6SN>aSULc{jT#ZM|dl}f55 zF!_UFjBIcgL{N!8Q?Vu_yl1uRd7F*~LMjnufW&BJAcOpiR&N7sB+xFd^+gj;F~eA) zb9d4^D$K`_93z94zW3<0NrSd5B#9GwSE~w*bbKv;5giB;KW_dl^Q`v+)Sm3!5^cQa z)b1t^X;^HWlZ0@}Iw$nozq^jM-S?VU z+z~1WL-?v*+0uqn|4E%yat~JyyTlV-jRci+QL8As84zBXgW|qwiC@wyqA(1i@=qx9 zay*|6uya=JuPfNE{qtX1&+fHQ`n7MS;0J(A3xK>4`XCf?EFhsLejaQrB(#VG=^wQF zo;z_RuG*tRe>N31OFdVl)C5fusxr9IZK87MOVvxoQZi5u9W%f4L<$(lxV9_@i#gq| zT>+AtH|lu+pG0dt4TV}5o8+i((*d8ock1y*&S}pQoyRa_~~!9#laG zlslH{0u$2XGdbO>fq>h9cxT2Qt8**NCp&T_U6$_~U%(!v-HcZUvR*jAov6uZdd`^a z<>NdZfAF(ngS4+n+e}tpR+*9a^=p8Zq4KY9NN$LCp+S#lfG$c6u)+Uzqw)-V=K&)DI0%o8^eymql+ST(f)=BXAky#=b1$0wKTMKma|O zd6gA$jfGb!3V>&*Pc}&c*;F>_dhDJvbNW!o2_Y+pUkoA3wj({h*m}YLZo7HllrUr^ zvFU2;a5l~y^@QlJvZEk{FFZ)Iev5W9HVBS3b=;BZxnCo2cMSTfz?I?XF^AOCFVWIl zgM~%M%o4TRbuH$oX>6JkGZLVkcTwhm5m+PTWNC3yR+wiI@H#pqPc$G%LUf}uV`%Ks z-Nk>m>)AoDuS{l|OJ%5>Dq_?aX3MCDdW5-O@$AtDds%Sf@=~6ohqy z2an%@{V&jPq(zVcXd>!@*|DJ@(k&Wl*PBD}1)s3?qEd9&RX_z6yb0_M4c4fOx$5DO zVfU(;TH=|Al-+_@k28es-y+r~tFCb#h6Kgn;Sq%jVWP#>n^e?43CJs+Q(f4!Yr0bB zsk@>vVac41N-Gxb`zx*BEhvJL;MXJ(^KZY=s%b-yXuKLWUBkV#apvGL4Ls=5u4lP? zp15>6p8SkOgu)&4IoQa+swcLsP8vP4j(@KD?5EfCC|+%r|Bdu1WSl^Cz;GiF+`)!y zYqHf7MMTL|E7(N`BI)ayJWL~EJV~>#Fe_Xz+j)-gb>4y+K&?Pl%>gUE2(VaR#Zv%=oYCY!`zla& zW*DcX_F_e#XzLI515pkHgiIG~oD0Usy273cs;b2|X<0@Sk*seGP0~F35^Yyoxuvjw zhYF9U;jbw{`>F)EkixzG8-&*eQr~NVxu+&kq{As@1zho!>htCxg-ze7TmKIfAWd0} z6cg&r;Kq8R<3fnBfPDVm{M=Xly-b6vb;hII1OJI>S7`TVGyR`$ZlZOF_&v_N3Eid~ zfBhYlAVDG&(;`q%o4T3TEX|@qJi%mFB1ij9ZR+1d0Yy7V;{ox~5S1f*opeF_%q;GF zgf51CDSll()>v>CE3_`eO?P=JIw0HeD$7zM5J4C&;TT&lzPiwycfZ_aOn%8nWnC#4 zdVaRq(7+Pmg+UV6Q@2*c!*6}c|38NBm;d?w8inTX4K+u`XcQFkWBgx^4Jx=)0^$_` z+oNyd6=3{$Gf(1w9*4dq?loPOeGc8_V*gt^jP^#UzCdL|%sWzH>l48K>FB~CB<~2n z{o$fEm@y}2q1sB9uK@4%1bvmBjk-ITz_y>`5EX54pZhhiHf*X8!_TT$3vGeslg=S+ zqUKy^|7yunKp;h=JS1k}Yu6lzmZM$V$77kl7s2NAz;P?jdU@vZO=ssv?gl31&|mZ9 z9^Z}6H`AQHRC%TOLGfy=3>j7-snee=FmONX?0^*eYnDI@j0|^aeXt5(cKnHNmyoO?th@z2c$a8z1P>y zCM!WOe$+hvIB$3>C)bB5k}3x#K7F|&a;V}uxEE}6H(0`RfTM#4ttMKjeqhgwsE6Ft zEhne37tvejD^dS4`itisG}(AlCY+g>jJwol2X*&*2Ga=r)#(oET#RhOWZnJ0Y;Y{9 zlaqC}9a1%hb4%@6?YO!BW-F^Xm`;53*`3(;2BiSpa6)aW3454oOT(e+3yz4uc<(Ue z8E$O{yS*TSZMAWnvNaa%8%qP28;CzfC=#y?xb&J~i23H71TH2^Vl&zO{_MxQdRE|b zI@lmBYjO^=Pxd1$QsL6y1a32$NDylbQmZPnb+xTxRKH&>*5`G6CqJAG8Mwa*jKnf`D^!~eDjP7TxeO?j7V zQH?_h6Tz~#;4@U%9ouh_1!)sGZR#`pi>lCl5(0XYkZlpa>yplE7?pwz($`jc75nnq za%$nUo((5$v46|AsE6C3dM*@OHPEPy{w!(y?rrFUHt6TQvCLt-XQdDX*IB@ngm}~t zjrE6do9$U)?!fM>;8>lVcR2YnJAb$Z{K24M;+DvFam(e;g9m^*>_9plwiAw@9I#)y zIgHEbJxz=4<%z5cBlt8UQO`nD;>~jzeUhAUAt~>YuJyV^B7P&mV(*E|z#8Cs^<%ika z2d8%ktM=ic@xQ5ab{2nlw9=f=6!@uWWV+n-PFtPcyDkGqwDIKHXq~FPL!7>ha$^>F6BQ*Xn^OphiYx`G1U%!Fd=(r=|z{;w6fh=F7|79 zfPY)65jl)r&A1 zo378&^$$q~!Go{i5&hTtboI`li`a9)IowNUl3ilpJ()h$%MBCEL@zWGV|%wS&70iZ zDpSeX()e|nST#8XJ6&cp#dou@OOOHh{hK*)Ia)_c&LXxMg_dSipOhufOUi zjgIvAT1@P(W!+R1>k@p3jWC1GJufcG@H^(xT8y3-sViPcCXH)iU zDPRm*EaACvBsFHxb?{vR6$mlu-CUU)G})RHw54kHlUbzq^E)lwXxWxuS0fOw5>ELK z>B+pu6{E+Ofj?0j0Ht*;oz0%A_xCidTyZ9kmYhT4!doi(I1Z8 zQEDf~?zS1(XOD`B*uLFW0J-KZXr#PfQ<4R&Tg(?hT4)DgQ2T!jd9_G=G!~DuGDuvW zsa;PBqP~(rP4Kt{KWT!?&TjII;S+MrPgViS;yJC3c6*iW(JukmAch64cENi%*?0RL zDTct)=EZ*3rv#oKpm8UC2NsNSAK1O&071&O6DkCi!>pvKB2SqHYJN zsi|BMOxryn9>WTPb_|eS#j9^uGvOGR>Hg((F|(2Y3_Vn2qz}9sMG~lXYcS#qbI#Cb z;&9x(pNsMJ#SCGK8&tVZQ-N_ci|M#5K;{q$61bPf45&`>$%Q$;>`F12` zt|4b;bX@iP63$ob;t{q7Ck$F+_hV_J8s4BaL3fl&V!O7CYCdhFH>k76FL+q!A%b!T zM}pcJq30yj$RQ&dHGFUMYR**ZU}I!g)P;7{(k_UE*{dfy(uor;VX8blxO12&z)&&5 zt0L>6S7pruuLxvMW%dp;w>5heN;nA-d0BWv0{n>h8|Y)hkBB|W`bPMatLN^HPBV{} zs+GXFINt2)i^pM0ymZ4?o^?HUa+|1bUD(kkXiwS1)%T0$5jA`d;DM zPN@Fgii{(0h9Q;d`(kxFv1C`uEJ$x|dj2441jYja3&AHN#Eqi1CAEW{R_maK$n=Ik zHm654id`IqLj=%^c!3IIt1J)|A>u3}0g%}mdLYg~A_R|^`|x5SS*KhL_K~HLqQ251 z!7HR7{%9yPSn_JfqkTRlr^&%8w1tll6pUaoDrvl=v05X{xaY$v7EoH`eHmP{u=?vf z$HV#+5Yjj-|B01eR*|^O?L1|=ZNUGIU2YIh*kx3mr+Cr#2qmE;C(t3($MUqz32 z?0s)(CnLW=&;}-`cL+9RID?B)i);ExKqb%Q%IRMFwO^?f@C~;TuzT9hU6efQz7hSq z{=T12fG1@eB!V~n`xSVbxV=c+-K%2enmLR>B3*C-DTt+TLN4v)*d_;1bm*c>GP2A6 z>7#vnI;&bIvyc~}yV(>dSb=JrG_97&n1<)|dGWiRiNp%V+Jl9MW`WXdbct8{&7$2r zBOcByWh9SP0tjvl7+Pk1>Ld)~&*^?65!u@(m<-4@u?f?PuLbCm&(dsZK;)&vyqo%+ z0>+ASep%Q>hWG#Ne<22SJ3r{Z8%t~*CpgW)!@F^&>Elu}fCaw-oMnQt&lyc}k$7{b z`Qog0&bn*vA|y@)2T^T@O?ts270!I?7!v0+z#yC`?$4)1g>@X@|3ozud zAh?Wjj9Rc9^%Wg%JLZ6FMNITTUV26GbUds0Y8w16SFl&fx&x-CRIy(_)F|8jy|6N# zG;)ikC{97I-GkLdy@+Ck{82u9sjI5&-#bq792@82om`8lro~8+3{7i4I5+6Yi+V-XtoKop#V9Fu5 zm;NCDHAl6@rnD|~tKfXBZ1J|g95ags864bmvahE0c3D2h8~-daFExR5wL`MZbBJ^n zox|*)l!sE*katCP+U2Ud3uij)0pi66LCsEceJtgGcBVjgun@4o~)AGP3MjyVMZ_3-NK7r0%6fqMo(cK+R5<6lIr|Y#XfTeiYtZ4JFu~Dky248be%!R}6A1@gx31M~xT>$6B5CX2b_Oc1W6l?8Cv-QK)-O;th zbo-e$GF}>mDb(I+Vq_+0U!^GGvExY?RG<;t99ho87p9T)WVf^)g;pY^05!bGl)p^sfl?l?Mxodm2;Oztq zU)g%6#ZM|2v7Z>r{lpZHdB4{=unrTMSmJV7srg+WEYe_IOq9{fylEMq=0>emvyGTeIHeDg3nDQp#{r8|2g_@saBJx4&D9 znWY3oPi77VvGB@!Ok0SrP3dX=>zskPk=ekmZqR!dBhXr{O6 z{ycO{-jgTvB<#gN`2@pnZFuSUz#*SMD+=?|$0vWQ{E#4p=+qzXe?>1{=FZG~GUtBW zf>CxQtWM%zhoi5@a@*Rour{2i#$L7s{n%JNo;8kk;dZeja@T@eS7d1}}yn0e{Hs z&iW2=dQ%O+@fPxzr+-4axmXRw|AKuusPTs%5-jSeYsZ00*V{j9xh}c%XhSO?ICCFc zk@NXHsgaG(Q0p+f`uu)tioEU1yFUUsF&Lvh&72gAf2(~>P0JCq*?1)iYY88D;xTdM`yE>J9L8{+kv_u~0U=P`*aY$!A;s`p9;*AP>2tXFT3hnAbH z^p=r^gY%Rq)OGA`of@-R*r%m|tAgE&p6%SF3TBSmBZyg%Qe{`F)m-@#BMy20KURYQuo|5+ zNY`@YSyAU;3yk-Ex;Z{r(toVv-BUvm`xc!v*(aj1q17p(*g#xud z;tuV8yLV+K)EAZ#2i;uDkXv#Zn+%hzBcONGPo+h=tK{7{s1_$OoD9W%9GejNUrWyB zHq4+!2>jX2V~q@VjR>AS4tS1(ox!C{7los>^ybcR&qhn`OY$DFjf=db)8`rCQVyzw z{}N{ZA27pEqDuLO_G<(*E~=dmGZKuxrzHdAao#ss7bFD%X`Ixm_C}3NF+=d!2az3O zS%7qMD>;SA4TD>0H6w-=cGbacovH|P26s|If&+NW573P|0#BQawCmi5|6BIDO6Rz5 zgN2y;qbO7FSL3*NXuXJ=B*mAiIGqdiFmUf$o|mo2JX{A%Z|G`38Ht7~bQA3uld_79i@?DR+h zwyPOoEl^;wW^~$&=AC(qM&Lg5X#fy$8od90E%ywB7U?--Sz@9&gnD~%=Mx+W(G^{7 z{+sRWKt;#`sP;1RNjZ~FvB{qzvE>qrq4-I7u@U^L!+&I1K-L^&j!uf!1xmkj>{mEV zAN9Xav{);`HH{A)yY;jRAhXMz*%x{SCCiNANaySA+|OSYwY7$iy^b>ZI3wCH!bLU1 zXsndgr_mGVN*DNsR{T!VwDDs2_Xc6=2)pk^J<bhQ+Ui{G$HzB|(>;uT^AsV*CcrH$7QX8A z_)aFv<>6Sqi1R&PL>htyH!C}$BXBn}IZH?FcQ@6bQqAzgSf0jKTj^sytE8|$aj+`q zC@Lw|-7--eU7w~=&eD1srg!`*)KGue!|_*p(D%|vmLnpw7jcB{voVZf#oWKh_Xibo zzi9@SwOV@Yd!#!&-JjG0IFMlE)qkU7ks!N({eLX`dE|OC+MoY=8zMGTVW`J#g@Inr z_oMp0A#bcQG|EAPTMPh081@enfEqRfqEp)+pE4WC*|7d4hA5aEAl0hacQd-hAKl#9 z!9Z_4Y!#Dr!%fRX0%{ohNWhE4h1Pb|;G7sM{Z!?nL;(fzIJ8MQ?NZacFb^m-Y)~?k znv8cik&ZdWaWRYb^6}OHwNCE+YN+wfj=>C;wr$)C(lU0yLjTmT*~%BoIq{7!b6zay zVU%p?invkKy>?^1!oWqe&iU^x{7*J`zx>nBjDPQ2cB{t|w!8M{O4I{M{e!LgYAix5 z!oe$iQWD-Uq{$e2?FxWTdIqnzM4U}OAMfaqv&CM-UqMt*bEs4TMk_f1?E+R7yF+`b z6-HLuhF8+(iBR0|cRnkC3!>&K;+v}@5CR?8=LVAUc574Eetc~C0GNhwUv+J>q);rv z+sSEt;aB9sj~MrJ(nLdaX7Aj{oRV&j;T|uK0lwS|94$ijn_9x_CjnT~^EgFaxyoxN z`BX;7GVzT3tpCKPa^%Y_u929ROjOyr!398+`Q_HX&AsGFAgLhNwC=5|=yu^PC46%O zJAwZ7!Ih$6yK)}!z!^|MqHBA=Sy!xH6%6t3EGWa5E=EOUhYZ7NW#~0h%F?A2z~B)L zK%UKJ>9^=>@C7$>+B<#2h%l45YGP9IbZN~LAv5v2cwc>5{z!=oYtM?$ghu9h=00@q zZ0{CU)-pZ%p4LOa9~2DDZL5omV4Q(@?0@WxM7##An#Pk?^V)j-vCeenK*bUpO)tO&iiO0mQzxVn9c&+& znSOYKP=lwX4wd0#Uz57&wPd55eP^an;eOw$Rf7rxF%sx$fw#b{_9pG-i69ly3e5^h8Kt{J+Xs_WIgTkL=N8~1sZXv!+?JuL;djL^Fd2;-W{^fO4p1jD zN-x=dWxdGeOy5l}eno#sj}x<|HB(w^H?vGs#8dp-sS|JE{Gsml?N@sX9s^$Q;Y=JR zyb~K!3i5j7qU`aEo6+x=^vHrxYpq~oyxEh1@B)}lKhXF`k-vm9&W3!vIINa@+~7m0 z7VrTPX4~NIkaA2UcP|0c>NIPGNu%SrvIV<~n7@|9-dT7ELX?Q14Nf!}#AR{jMzK85 zyvQQ&glZ@mi(xZ~o&weA1zlj?b=ZrepFr4B)D8eNp2A;4VZMh18Um}h@pD9TW$}-d z>5m^6qNoVDCEoe>b@0#gzG3p5gTDL#L~C<{V8} zUS`K?bn^IF{4*c_OK%F!-iM6L)NHk#d7b^9I{h8l5YT{}QNu?Bw8e+UE#g>CLIVu{ zoT@Q=)9A{#4*vP0hB_wYG=F;gxCGBO2*#K=opMqK&ppGP6rey6V6}ve*S00H%svNh@Z01IVubwMV9vPf^*)ji`NX}OV9>VYf2x!pqP36zZ*XRT&}|XZu29%PxqEqlRd&I5xL(;i?SHv zpyX67@i#Wg%naRTwIsr9nbkKRl36vrP7@7tsU$sEdYNxp zyYjhk1R{Z><&!p-4BD<%hbBkRIyrxo2tEN{fn;q*I-8>28_pr;2g;27sOrJUP&j?= zKLYU~#w8L!dPH@MiLSA>T3+G;&H5CPocw~7amQlt1JuMdCq2ERJ?ACmtH#_Y?vkRz z@*&njM>S1oYYTRyg-;9Au6HoDj7^ATl`qMCsQ|4D?ERR5rR85`*@IUQ)r&#Gj)=$a zflEl?3mWUr_WX4^yNNH0pv}j7`QuVejYZ&TY3z5nd}I$skS}R(VJwnaS3C+y?-v!i zXR;g>M0;=jMve~NJD%?<1tmQn}-`}3Hw+2$`#~0i!Ws_wziXmzptA>Xb)&?he!gt&7ZSb`G%n36Ia`- zDPT{$=QQxBN3HUvnq#H1=h?)v_5CA}zYDb{;NjVg$H_vB2^B@xz7hkXU8e)7PvH1l!7D z@d-!y^pG0i%X=PRS^4me8x7FZg7oMZM^=6qY0hr+X@aUJ_Dtu%W;f80Xxh1$o@?s#$n4Pyi3=Est8M2lj;3t5 z#mI*VHD06O&zimXdFBdB$0z-g7YXjbUVbWG}gSqr>cHqkP3;f~o>APu5k~^&wSJGYlCvZ6<{~ zKyg<13kq(p`dWJTP79zJ=WKjN4f87E#uH4ds3*i{Hy#|M=zes?b2!-3x}%`2=DP{Z zrnk?R(e{@}vNI$lkJ&{QVKh#i{Hcf4(d|FP;#9TPi1Vs!+?$JxjU9VPi+k~cCAFg+ zk6z2&pQ^9INzJADN0e49%hZ6`()%Q4ktY_xs^9|ri^zfW2#4A;0Tt&*U9|@KTfbVjDm?q5cri&QVNEjZqmF#?od+XT{_S#Z zA%Uy$-IqX&+n+17MJ|~yA}SovnAOye?3^bq7P;j9W0x90Gugve)EzX?{rrWy#+4>0 z!&%pLhI39juLuFY-98}ZrY{^Wo+|tCxTe{rV!dF)_j@h0#P7H((4I{uHnK=MJ1j9q z)qZS&)~n+=N6`$CZ5IOy5`DT5&rx1}pMMJ7yJgzqp7$r6tgG7hku*qs4hHGUeOkQ6 zRLzbl$|DIWc;0@eBUC4!3Et3Q;)L@Z7BgoFyLIE|Jh+GFU$2A}l*m}7l!(@rn9a&C ze1gBBAJbO#A}ms+o9m-#$5Mf&n-mN7)w=@$n_rbOspU__hKdr-gED;^8T7=tzU(mE zC%tw3g()zvbN}B(#9UVbK43*0i-4`CL;$svtDTSr|L&y3@JLrCwV-iZ943%45HNke z?r{lrca^T`t<1b!>f@F7Oia49>4_jAAm-|Mj$RC;Yj&IdVo~OYBJV~Y25S>W9bPOj zIyguyu<9G#R^sU2AFiH#>DrZ7ZTp1XCQsJo>Mev~jZ@NBi@z&^gvkc&e&u=4`tDEt zhDXECnnhmhh{$fCKf98nntwh{GY->@q7`!Q2#Xo=XBb$oSuy!IM{O7XT~+$fOu^;Y z{H>!8YKzF84T}+QwS$lFT5wthGVgb^R_J4@gOm0^?!62{>hnV1vxx_ z#H_@1#f$2G6Lnj9Z9fXq+xb9@WdrV&`aQIjK59g64ti0FKdX2nA-oZ+oksMfG?(4= zKmsF_$5@^`+ZPOg6YtIjk);_5>|-zGS%KtN)!?8LTQOXFAF&y`@&VKa5j-g4`Jpew zA(0`PC)BO>O)iWH7zNSA!CF;4+s>N53VN8oH4&V=&hLQG0-Eh4Mxc zaI{cG*ne01Hnkv+UM?&jF*jU#GjojcR3_AoH7^jUjjGcQt!IJUO3>To*G#--Cm%!XwCMzWbqLTs8QyU=wve z(kxeDr0X|dui@>(qFDG;bthpAr(#^$*OcL={&l(`64`m1`6nUv%FK0x&zeZg06;z{+i zzvLNRS)PArJw@13QD`voeVQ({z)bV5NQ;R`3$-qFm70zC6}YZoDmU8(;>n{+RL@m^$}`li240O7|b^2(!&lYH8@9s^?}D_CUP88bN+U%NK& z-+ZnmYy%v+)2Br$rEw1H9J7~E{gYx=&klty$9DhJ#{tSi0g@JYS?SO+WQ=@!E9y~X0)Aeg=#potzhc(ad3jY?yJ__d9B#_F#++?s^nRjG_l$_uCXK7}`p>W{J^727snwe$Eh$HLrWt1HvHjtr4zi`c^hFjA`g zuMfQ<^0S;Zw^c@n62Yl$CkR74ajTLqDO>t*@CB7d{|~00=ASdAJSg=5=kb#k z58r=TY9mAsP9pZl$iJ_nf0!^K=aFl`vAf-?mhN?(pOK?gGR(OY=PI5LwJC#XL3~Hl z>GZpkn~eo)5d-Z3XDu&B`FVmkZf1hq$73<7#>5TnnK1!*(LPMYzM`AH`jEr!0XG0pA-GP11$a176ynF-Lf2P7GKxE41$Ur+$xJ0v>I#u=*@iU zdBdA1h6#d>9G`v}J$tlh+4zQjgqzvV)MBgVFQMhZ<)fesU}IX9>oACqJ4F>;5Jk#y1^p zpV;Afq*YQ!#@bHjDelTLUGNK5oJW4wGNV2mw)iB_Y$O#S)_XejV>?Qk?}MxZ&M*^+ zLs<8)8V=8fK&qg}91!`z@|&qNn_K_UQ2C|c$97l%srtcrJ{pKAsI$Ofh7?@-n#S-( zaSD^6soK@ug`1+RkGI9SFa+buGBaa8WoBi|>}(&f6YCY24cpcZ$-t!F;H2N_(g01= z@rBPCEH5iZ5~rp+8$%dQ?ER{!TQc{R0P zD}`zziQli53HG`wuqt#lUY8*Lcpi(Ot8%#tD z4pV^)gRe+@D$?U(-kEvd6;34PF^@^F{vCnblmdb~A4iVf zgD)*s1d3UUS+Rw84r-p1yP1o$&lfoSBKxFKrzWxT4q?X#!?NMfTC1ySCeBGp`Hq*5 zLy%f#qfCt&PmYS9Q3Iz>XE*pm7ade8H1fuTx_n$UMqFx~ zRoLjXALo)&%lK({4r+)Cdq8|idst=CLRZaJ%EiT6+3+^8b-mICJh#;Cw3bWUu!c+t zUm$oX%0@e~PiFM1#``BBrvz`|#g1x+t!sG^QX>CRDKf!;O2I{v<^26yDsI(9voCb! zcpf)t#O)pdCPT9!juxBoBlZK+eyd-z@)&uM$3T88DrEKz9p4mI&lO2PyRY>2#9ry^ zhaHb^o~ytQN`ZConk^x5kw{u1ArN2*3XlpRCfpYV$||YKp40h73suMI{w#bhb(@%^ zNf4cciVxPq|7?68uV)}E9V*SizH_zNWM{nDx5}rg6clgSV!<4MSrOsDLo@dY58&`%lC6q-0p^^zGk+#^O{c5W%he7MB5* zbV$O3XfZ^L_rVSU0>tAi$=I=%PU^1?3G(^P9l2g13ojzbOJb$%_3zEYrQ1mXbIp)TBYocpT*Bl@Xb=+SihZvfnB2`z5r-nkrRf)i1+tCq{s>F3q?oW1&LB>i?ye$V0aA;DXFrUMCWdX#FDii8lvyx$To$b$X7Wmt+4 z7#Y`CJLaN|jM$WVu)uQj*8o=Rz@tELw!O^$jl6Z8LCv!T!-wLfA2Fxhb*w1(re2Zp z_J0Ik`&C$x@^E7c$LG03k-?BU@#SDJI4%l!-VY$n#Oiw)u_UCH~H(mUMy|;r~;sZ zfRha^a&>znh;uAM)2W-FNv))ryt<|^_`O95|GEI=mMC~w*aXfi+Y=V_ zLMPZNLlP>pv7ctuIx0h%qN5jTOb)NE3Dw)+yZqM_sofK?L2Mb$lXjhzC0vX`Rau$Y zn5x!TbI*}GzxksBqs@KIvd4fSS@ds8EJ)kj=I0Piy33RHB+==x#P!RHjK0ZjZ-d1; zVV5uN{J)5%BGA+5$rjzfCKR9;Bzt}aFz<1nfqqL_UzY#X6F-1+{`KIqlzmFE z(QBK73NP1~$2ts+Zx*3EqtK{cdW;N-{lcZP|0G_I0}7bwNFL$x+TQF*&Iys{z}=nL zoK1^pxXkd2CTaBU-z$Ab3JQB1+@I&h#CNRg$6B&UDl}>RLw8E`ZzYWZj;g&_D|>y% z!BM!8?2H42Gu!o&D58*Em6Rtr?i6WooWss=ubh_JG%cAeZg3%Fm!O~IgXRu1V$*_r z!VK}}gPwvFgGi$~JL(XMJ39u6ch+x&2+$9N5rDo+)mxyrmJY}(928zxZz~i0xxnUi zXaneW)b4D>DDDS99mf^pnY=TypQ}v(az7&OO<=O<3V% ze91EP*tRl8qPg*Al2vB#5!nOl3C}R%_U%X$!>fg}he!4E)cQ^cNlPetMgIYNE=>S2HNfcIck|M5E^m(4#a!lp|Cymp7WKT(d8&QD#Kv`uj z4st#VsvT&bL1_0DZn%Gt@xo+yw?xA}c7FL|>9?R|4f6N5MG*!n6t*p86N&eO2Hr7E zNR&$R6{KS?@)gvDDO52=y|?y#qX7UZk)&t0FF-^RXBI}-S>56W<}L#|D-?+=%dAl` zQ_PGg@2pphVuKjmVhg_1<qA478rNNYbp|w zggkqY-I#iqQzSvi!i! z!WHH~3p%W&4csO+ZBg5I=v?p$*mR{_?>)u}|sR{{=GR0mcEZ+&IsBs`1A zOlo6GCs(X>end}(_4o{>MED*VKrwQe@>My0U3O|Vxb4)gl&G;9-Ubo^(Z)}oh~M#| zHS&*HAaohxcdB4ZC3_bG53n-(+u;MczXg$YrzR{F zetFV)5GU>-kyvHV+Zr4y58J94c5={+5ViP-K6MZ+E(9v)g ztk)O)EMn+D*3RR|OZi`__rp|#*RNZhN7t@>YXt<5U1JfAV^3|+)ueYeHP+V<(JSyW z8~w=h8zFhwP@<{Yf1Em4GI4U7|hG8=`jCF@u!0#Uu?b0~3CM`lm^ zNtRU{j%j{$I=gz}&!y&+@SRI^XfP32_1=$}S|Z)UquOsU7ZFC*1SF`U3TfU0lXCeu zGm5nM&ZFDAZVAD4f@PObAF0-RYiUp8xQw5pH#Zj0A|b5IpH4#;pFuOCR=W&crtT2` zCy-?i(jGXB#{B)65B-}~JT>58)}x>p-eGJkgOP33j2=KqLm2K?ZGz1lk3aW*7g%LW zW!M{R=1<3#CIt{)`m*GV$A!Xq5hEA!v`R38Cq_q4 zAii4e3o|B$5~d-oo6iN*DL(;VXZz$SdaecUt0qMrUAd0@-3sb3Q9rrjnsUYv6ZQ?D zt0v$tOgTOi9S*q5)e@BR41Ub;Mil$+#is|+a8zoTg;~Coe-=)Y5a5Lj(ZsjbU-seZ zju5ZQ(C^F?2=3ZSx48KS7FN)^2i?0Z4-oiSrzZ-jMUkv^?#`i4l|WIXx--1+;20AO zK_&k|h=f+aRrsk9z4u#bwY{C&svHqe`4y+}DaSw`00Zl*ei($NTou4or$f>#>Zw2% zIZ8BoPVeWe!@pfipGfv{;L+bmvB5*B}M+3^lN?p8^r=XA`{>vHYABm{%%}L!MXe1AqHka{8g_fk<0`(BQ&$Fa9#`~ zy!kR06>>3}k$~CASaP52T}*kF?N0jh72WnOc|ce%T*81;4V#;v=?IRy!qnS|R{}Ae zPh~8h&|7?U%{bg;+#0JZ@g}%cXl0<4&8wZ^&je&XIjE(h1w3<|rduv^{MzhmHB(NgG z(DR1NTRxg=+~suC#T?jRY03snxD#?UuHo2tEdd)WHx*|LoD6S5s0?>|Vl3tUiGR|GsgIg1Vkb zf=9WET>M)mVwP?|SW_RUmh;i{oK=RK#Ap#&2pJij5*%3ho6W=otKN1(R>S5t>!u^0qAomGKW`mwjE;D&D7lMjZszA#i+wn!_!d7Oyx+sw zh1IY^bOVaMY6x593%y|H#72nEB){V{&%V&w=TEX%R{C<(Tz@O>$awjAe8&^MWBb32 z4B90i#h1jPK>`^)zqb&X9w~a#$BAOw^*T1L(V~I~SmsAp=aVF%We~rWhj_N@^o<=IU;5>o)?21;*Q`zd8 zY#t`hiY!|hu8Z_B{^)!fMY#}E`<6Qsqmir7^EWT6k1e!B9*B72Y5#eQLK+B-c}k7x zDUUcTDM>pG33L{zqo3zUmZ*UxTmAJOZxRB@P*?g2FeF=JW&B7)qlo$*6v6#q z*Ymb3+DLRV4~L$VLQSJ0Vhqr>5a~t=xEM&?!$d7>86>`#;xnizSxdjNGbVp~+ITN$ z{#FhiM593V3pGj^%jN~{Z4Bz_P81+E2|P`B6N3zS^?&6mQCMj$pI|Je`K5xp<3zOfEMAy4=#HE0}4%K7#-p!in`5AJ);k+>Ls#Ui+va5?2FXYS z0V0Al4VCPfC3}UnEAh?KSm1S^+u<(~Q{sD1z2DvnUsDy@#llSa)PYfYT=_Q@@uL8( zrxR0`rud^aR!Ddh$)Lkn_ZqltM(lY{Z~o^u%-IEix+bOj2U@73@`5H6@J)kP<9|ga z1HOEo*Ik4u{XWfc7A|8A$shl*rQE;Hv#<5eAO*G##~7w~A_n{pl6lW~u_ zi`a-mZ(Sui9w_`8<-KlU-UM!#dwp~8CF9{GbNzYXWV+~fi}=l}g>~bR*ZF+NKcvje zG{(lZk-fsOp;Usqy959VRUJH7qIJjXoH+tes(lxYoPEbSKX1pm(^(=~je4W*F3ITU z&C<7o7J@_#PnR-%-2`$AE2j3T*3-YO)YbT^+-}je7oPzLd$o)9``_JHgd>rzjsk`n z)YiMgKG7G@W4BB5>4&1CfCS_5ru;-H5-|-UjD8Ag?!XQd;VH+n<-0Y%6jGvYo)_E& zg6}qsk{Z5-NnB15%4hW99(4XmES-gB^ z}-fhMP!KkqFGct3vF+Mi)C?Yi%8hxy=3Sx48SAVzjk!7bjv>oj^c70jD!0Jtp z7L>&xVNnJf(Fg5cuNW;?B|9zMizrwUL6#Sfq)q|O;s*Nsl>0SOB$RkM2X4w$+0xo`*6iKnj8av+--{@+{2DrJIT>-a=R7PCb9*L@ zAOfv}pPw=6k@XBju8zDT`4ErMyn7DVU$kM2FNJt9`PZ6)>Cus7uF(%N z(=UX$^j~88Ja;6@KlS7Zyx}qb8@Or{)xBH~O%fB>mxPyq6;p=G+gf|Vns_ca@=Pgif|C^xDO>X+>S-nLNd$@siXAJA8LG}(sloc$L0}@?R_d>V7?LLMIG-Ar2Q5%{Df1JG-8)@VN^D3333QTz7 z6=D;H2|KX`bAnwlt6hfG?ckr}v`%ta@p_wYc3&YFG|*e5>4VzG)ZUAyk?H$+j~dbX zof~0ZG+W=vMLmAoTG}nZ^b&5q-t(f&$iUyW2%To9PY7x&D$Q_0KJ&a~srpjFvE`17 ziLp#*^E)Tfyl112gSkKeA6r*dsxfWsk=6Qs$4c#s)A83-E=|5+kAJ&PqcLZO1)IiU z-SdHLjrR}J*Ycu($X36fhoDuN4{`?7;{f8$Gyd5;NlQ`LA}0z%AivEl@E69-y?f{< zoWsE|wEKPIYkK3yY5C(^L`cI&H(xENx!U_4o{zKAXMdS1ieM<9$XAX}Q~#hqN&*zY z(_BWKLMuNgXT0c?J?~g%rGu2Q-fC0(e0ZxM%HlVGvkR}Q%ay3XDa6nu%*#(H7SggA zZu2ZCi2MQLS4GVGD?Ky{b2BR+poal@WU5P(ZDb}w-2w746D_FTr^P->_8Qst4Qh^l<-3|DTPr*_p+*=rdqyHVZ_pH4l2egJg^H+8r z&5!z1L;O{yb$PZK`Ge??+aUv`-q0Ph^QGN?fT(_|_%&_}8w539nwX}qv9 zBWAu$y`|kX9BuI(*t_)cTQ|d2tjVo_Y2Ib_6Q`LH7*1225=3(6Fs&*xyAiGM6LbG` zLMUVY7txG}7)8Cr>{nu+97@-A%=E82r(Lu7bPplaPq0bj60?cCq|wslTc@!I7UR}( zo&f-5uY={AXTiL`wduj)|NjYS)AdGHL*$P3m!eK=Sv(iB=RRIz+iM{+2{HuykC=}- zED)XEO(Mf<@(h2d{mQnUfpKv(!tn1 zNi&uWaJ#zZIHx@Y3U5h1$Q4MthQm}A@bNsu-8?TR-@R)%_C3OSqT8Zuia*DGZ=&Vd z?Yn@(w0!|+rFd=(j^Am8x+O?g^R#g)trjPRYfaCwDlzyb!_G@TV$-o`vK@6{Lkx76 zUINoS2cPZ4@|4OhH0?s%$45??jDlh)qXy+c-@YGK(_Aq zL~N}7S_8%0c8i%2PTNCBJf3wkqrBx-_;Yu%UL5(4QyjI;P|sgualR3c!Q6%=K=+M5 z){;dHWYth@*xoWjXK5T@4y~hSpb@y{)QR#W`oX*(h9uE9t zX;8t5ZJ-lm`8KD}0PT$iv)`u8(J>baUHxNel*(Ut>3Dqdy7r%=O3C|Gx7% z($^Pvzwq$CoIT++V)iYSA^&}@nDo{i0vd@4itC2Gd^xX zMOO*9q)~5je_mP9#;Gen!*plI8sE$UY%&ZVzqg$aHs?Ms{rg?PSRmNRz?n{X)R_v# z5sAB~LRvy?Km#i{Fh=_dZscj$nt0#r0p2aisg0_s zxZsVlh3qnMVq7c`V_xu-YVC2LzUZtp#w;qC#sUl57U7d^*wfnn^ z14g%!2Mj$2zRx>M=1;Q@Us~&qggCN7t5+8hS4Fk&oFyc6<_hE3oVE0W(tL?Dd8SJy zupq^#RSb^hJ@q9vNJLwM@5a-<>My`8qQa}%-~@YIrSPuC*Ht?{T; z5w+>kdih080#QQxP61Fm| zo9Az2DGqy5s1#kIS)4vgPAI@gyDI05#+C!g=yNyjObj}&_E@#trAa~;;n8q~oJ}7C%A&Wh)05zp z3a4YkEHXSYGgX`HRpTJlK8EsxLZ<7V{j zq}}FdW(iWfdNC>Kom%f=Tsb@n`RumVQ#pE3f?~3I+X&A8MKa~6vL(OW5gjJus;II# z#*$qn)nc1O=wQEIdQ{g2u1CWRx@`jS$$3elANd6@^_XCEXo4$~>KU4|Qhu~j?`c)Q zkxthwvcI+lwjzK6(d0%e`)yn(GLf!MR}TATify5Mli(p{|Fn0zWm{cHn;ukwnbo2m zRF0c*T97utxF*MR@^Yd$kNZVrWEET0pDf3o`?{n5OD}Puv)*NlQ{>#oQ#ItIJ(vbsOhk2Oq;DTgYWQyb*ky5SR357JKtAo?onN z>QE_kTMM5sOxpK1Asxr%`f7{V#Pon$_Ti3jqPJ(#@EmmI(5NQxWG)2jET#&6>11^l z{sO&0v>9zcq+Q11<*!G|&QLe;lge;Wk;e1=&RS2zH;j z~%=`SHvO;xm*!+G3C$E9-=K*W)kEN7KBnWj%q@Ss!i5ojAc?Pp07 z0MPUT*>hheBWFF8F=#TG0)vq1|M2P*V30Uqn0<}1a5pSw%$6d5D%#G#6!#9!gpW2$ zLwlPw3N?Z7t`%y`D3*_|rjrfg$kdVVUVE3x>6MkDZC^=vnfYKS1e^+Du(6<2q@@W!Q6?#w25eW`zHLZSiho5pqqN_9%ae9~>reaupWE8n=S*;t7 zv>d2ZjjU$=gnIA$vT(r&#T>a%!I+?#PlND?TSs|_8IjkWOWx8_>Tsbvxh@Q>%ri0# zlG8x;P$4q?A8gDAIpVhH=l{*|!UlzW$@;+i2l}3YS%#c2n(BGO{1#1xO%x0?+25)~Q@je6EhvoP)iNwr-8pLBP@==DKWIzStUHWVo zb8D1jZIts!idR(Z)e}-nc<&GxT4JN3VwOVO&wMNRI*1tMb!TsPrEYrxC^4gvrvf%m zLU?AxY$?d>PWA+LCo=7+?bZFn_^PI`HKl`R?o67-m zj}0(N3v@tKnfsUG?*UN4&G$bn7C#@O3`G>h*^RzBN>f zm-1o|BW;F)^CyNV<6;+ZSfYg(-WR}vB{f{stoo-XV}oTfl`^FYm=EiNw627;WDAZz z9o>Q!OSH`fLysVgA7=K+r}P*!-Me+g)h02RVij8$OJjYROA?-v9fgsZhFysY(`Oy3 znz|+JbD6eT77H_@(Z11*ZwNYp5=q#>cuv{o#wHBd0J2W zIi8Nl*Z!xsFb4rJ5}y~UbE}tU+koyPAy}~{LdEy&HsiI zzp6ALBYN7beUdNZjoVq`T_mAhpvt?-cl<35$ z!Qn)hUC{BOY~~poxCWbj6~*JCCTf?>q77qVEHW(vJU&U-SxO>`fq-cMwxhfM{q0ZG zSxU$>K}36y%8a$au`1ev^WQB32F8ebp*Jn0Nc~}lkeQ1XYje$d6IHHMfLx=k_k0@} z*xK1dnbYB=F&S~B788$DxIx?MyG#kDXKD$ylLA3BCr*}zWk+Q^5i8gi8r(@}uD2n; z1)2w%w#OOFZK2Ik{zUw^MY%48y_@rGd*Fj*hR6$SYcBogj_C$3MUR7<8#^fSq+^Hg zah@E9T&$5Y-U?tmLDutkZbx+vZLZL<3d`=(qh;qiwO|XKY#|B7L*1W~BET>5!s3pK0Q z-JB;B>3(;RG=)3Zr)mt!69Tm zNgfSL=K(Woo);r~9Ki=%Pk}F68-Un;}u0)_kljwgYT|g-u;^TtsDg6g*24}7Bk9`V|Q&~NrSeBR!Svq z`V>rbj%-mOIvu1gW?H0Mtn@(*kJ=B35iYxohumXAY8P-{pSMrN=|~X1EORg+Ic;0l zAh7H#tQb=NDH+L@iJ+k0_ zu0>^e%V3h^-HOM!-f;=<%rsskLV?H@Yl2-AH7#;1hyK1FUv0XG@i3w3E9Cj40{7yr z=`OPDLUL0fAR>Jeu++!Ss($C#?K@j|NIVz78^2gHqsoHyC^t&U(5f~fbM&5VsZn$N zdgUuME%L7#LY97!3E3Ai8>J(W+N7g`Z*kuXDcSZV**k{jztdsaaUP4yKU#6+8FeOg zb!{xGSZgP+tNyDn6M;`0DwA*b~rt@`==gx#I!fyi-eti_KB ztl7`@m!e|~*{sy<%U;@OlA%@!?^qBEmy`-THQ^H4rHfiKyh^0Zbb-5#MwpS~squ9x za^I#?0h71F8Ydl(Wnn@M_57xdeAMd+p|4s37LvvghIk@g^H^9`hl^LO2!@S_6~JUa zmWZ%(a5<7L(@4`R^PdZM37+n-mosYNPKdAHPCL+h$l}x?4YRBNVk!Y zyg2RIH&Lq;co=obEwFxpO_^6G>4?>eCUC!D)Wnr6BK_{n6CRlT-(D^4#@7iqr<()U zP3{pO@i-v5KXkOgoJ}%Pn04ofL#MNpY06oAUoh;uMD!Q(W4`x~7Y4J!hO5 z($?FSS4IiqCp-yqCoyLQKjc)v(T>GD_mDLsp+K>NT1C0iC~S*VV+ZIW!JZ+;1YXMu zAa`GIC`W=X&z)wxx)J4IAVM%(;+W6etdse}dSc#n-dmo_WG9>C2W%j&u8pPm$9#_7 zIRyxV^p%T9qbLUL$rx9tCQJPRD#q322mF^iFp9*yTS42!Rn3`rd3n-H!0ESnsNC(l zo14uoUE%6pFCofZxs9y#=RL6`ftzI8tegMHX0Ij#v|vQ%l0JmPKWH$m$z^O* zvvhrroqV#Ic{jm;*DdNQls^N$>`41Utu!+eCb5Y;B(?bYDRzwdIxOj39tAR5t&-Lk z;iGkq7QRWXHfXUH>Zo6+4U}Cdi8KEfnpKUXq20T#0lr&F(A`72y2_k7BJ-@P+ag&Z z_0)11KF?}9#f%xuRr=|c>wvB^k{BLl9Mw@)^4VFGjMc@x>o|7ib4@B2qlUeBz_O~T zs>qn@vkF9G;V{NZ^YO%l zNQK+9M+z2K$QfVY7xMG;3O;%;4w^fOhj`(BL{I}qU^i7im!r(rIsjYxCcHZJ8*-~& z{Qj9C-q7~hfbThGafM(wU!tT5pXe)g`Ii|=vE_%#7lAA?o(F05XzQb&iDsj|=8eex zw`9Oy7T{xwPi=0dv5KNbOGnk5@4?ib?D<)_FQ$*54gB2E35C4olH49Ae^2O9)AhXqFlUU7?XMGnX$x#_0;E|GK;o zW_Y;+nXEA9Gdt-DC;NLs{^{OIoCdn>)9;>=HrDRy>Z>RQ@_m!RSB_Za_GlONoe2Lm z!x)KvZX{`=zqQD6$MbFOQ_^<$Td7~`$IyoKO6SAX+c6P~u}!0}-c9byuqi9lOPn5g zGpJR|9?3R$Vw&prPEq>7y^9RtS%*YsPX|Y_z-ZGJ^5zFKM@#zc59njxIb<+Z&l!+r zn)?1y*aka#)*hTOcOjv?Uxrp055m{d>sO+fI2Y9t5$tmQIr!}b2s&h?8?Q|M$RzqR z1G$U&QHAYiE^FsDskX_PXSeAs$~&&YNda{Pn8Y)lXDu zUQ!IxS1@VpZ}+}|K5Sv)eoXJD{r1RxLK**yrcH+yiASzs;EtlLvbxA^O$GoRp6#@e zk6sLT9Agj&R;3*7IrE;>Wnkp;KJxcdni<9!BRR#fJ?LiRk-7t!*(785L9i-?1dzW2 zT)DnofzRV#ep*>Gcp&(8ZK_avFO0DdbA|Be?;+8s>uv@3RVH3eBybV$;;+7K95cH# z028i+^-mgd4q2*Sy}>;&yyG!r)9~gk;TLoX?VsP6teuJs;ikv1etmZ*H#Ww>s=iKK zvpX*4hU&3=><@WWU*?gdddU*&TcWl$S}if|ySAwke)>z~T(@ZlSb2F=zKGv9`C+z~ z`+fjP1H9ij2%Zw~vcNz6d(g&G$;_? zIiI81vdw`!OIa?pTC`V(c(&9Q`{D3UE@d=BG5$%3(@-U@4Q!qVUSg01yc$_lFLyE^_acG zC!x)+_pAmsT-7eEY^9X^wuZ^uXE=T+NxR2z<%=1;r`QS4qD`0KjF0F`swE^DqkwK3 zBqKIHHTjxOodWw5_tCs6pr2w_)#Zzmw1x4p3X{%c6G!WhkN+lz>4K22jtV9@E6%S1+)B#P0quL~<+@-yHZk%%-z!%CZ9@t&Q5KN_d&}^5=N%Azu%fJ9lmf zgX^6HGQG%cb7}a`Mxio`bICx%zcW~L*^rgDEb3wYYV7zMGT2GD`YZ1>eB~(lVgeYG zYi15-uieZl`lp^AIm|GAt|xv*MAXY(cmR=N0VRxp+?v9PD zjTXzqdwIxPD;?#BDtHvtm|R7E$&HDSl#_6aC~@=N{knUk%Nnd)jX*Imi9Gw@v6}E?Kt>~(9n&Ds=e4}GGjcBP5WW9 z+u;Wp)8*fH)jFRTy)6^F+PC1cax-up~6ER>Uz#!PRmhCS1?0;1M)_0cj5ic_N;F%Bhb zC3Pges9j%bo9$}Y|Kv*>;dpU(^9N7$zZj_h8{M@~gDFEkD?v6qwXEVs^1=D;vJm{{ zt5gEXwXCZzoRGRIp76@}r7j(Y-E$BmQ(oY+pO(uaecwi{h~uFz83Q|Yi4 zpa=}w%7P|YF5+2jFN!c9waT6QK<*@%ax)pmzU@Xv>Z1#ij4--az_3fbj#c%U=PNJj z)`KY73FOCR$9D%aAdMEp{=tt-&Wf?Wy^mau-TMsJIiEE1*e^)`j@*uYRt)6j-Gt|2 zKu{08zN2+%BafZ#r`bVipwsX`Sl=T{ux7FsiCGP+@uxrmdX5Jt?O(HGU?hb=W{3XK z3k^`f2Wzeo2P*G|xJ^w8`#w6WlA$K(OybIA8ed|aqK_vDTF=+3TNig1g+sGG%VO3L zTqu+7gWT3Rb&z9WvU>nD_M8NGM6SN{rH?(3izOm#9=MqN9f-hFA!|RVu1G^+nOjpE zQ%~RPTE6flk~=OXG{Nq~DBWyopp4gtRt2Ba$h15TpBPQY!M&Zi5T54WhDE_IE>G;(5ctPg1iwam8 za*vfZ!52~$(n;q=^869}1A!2KgoIIS!V{OSTujlE7~4k&nn2Auehl{LkMaNkcZ3#@ zv_xp+PpU{(_ebR$W_y>kQyj#wj}yD2EL~Wi!UmAsR9`fA&jx<&OFdrksy9!jhRxVm zcp^LQv3(8|DxtN;H>If zcAmF6sad|mZ$1%`PZn$Hn4|4s-jn3qu7$_r##DXrqy+u34tKtZAqusM_U6?&aS`tC z@MB#TpwCdDVqjM-Q`auqX9*;P3n`QQw@hl@QKlf}jup8f8ELDo=`w@}si+(6Mg9Fk_UU4aB^Zb!)10-vr zNc!^J5W2!A>Vv8|)%Cnw?cXoCq�+hZr{+N})`yB7R6i7(6-XidN{5iI%SkObc`l zkdKiXl5!)ygFhJy@o`8n)q#`dYHgUJD{F2)A7JDg9-_cscWci#2qV0J zm>jnd+3~R0;NjzBk&rRGxQ!qUB1I%WHo0*Ad9CC(G5@mfl?XAZFLsanz0my$B~fBS zbysX3@i-j%6?>c0={XG#6}l!Y#uD>&SMe5x!ZthTE#gV3cMmynRg3VPH```sq`-ZP z&E9q{g@L7iU&(XCzlRFgcHtut`ZM5}*HAPR%JdiMayy5y8I#~?{2!UNWpr4#yAr?2 znhz<4ghiRETBQ`%U1Vg`d-N$B5m#2hFIvGf_12Pq60xb$~J_0DLB;Eu7FReyY7TvrH|zA&@&C7zn~RL@YU z1}WlHLt@4}zO#i0P*G3EA7Bj!K09MMyE&On~mHE8BGu z1B@Gu1?ubV>sHI+KMYe`v>vPXx36D4$SpKE`(pL>%oN`jTf8x~3XJLL1X(0%llZ!A zYss{F#o-hzp`zWEVCiM2NMusT{hpbCYz`xJGpA+-u9&6yE?g;`(J#ak_E_843mO%x?wpq(8f7OVQERyUiQ39cxy(tl=TXxKqMp7$$Xwz z_*xo%7G^83G5FLFT3IXQJU_&S($J!WeEM~u^5Jh8&=w7Z376U^;+Cev+2FW^A-yPh zzPI=dXa}X_{g&NygY0y(%MMqe0?Lkv0sQTj<^`W)CN}+UOCbROIp>1aX%i-{Mt!_v zigX(P!~e>06m3+ERI8KPI}5?hX6AWPh1TL~3bYsUpGWc4F0CJB9+nsyFZDuO2mM14 z0-Y2FK;~{NEm3-SGB&_UUMA=BvtBYp`8F;3$xJUv;L^tjA}EP`^rIq+Zt#*?vAw*n!Qp(i=o|+YiKm0cE=nbdPxdL25IFvKy|50#bx9$p+#(JE$B60e{4r7_zSO z^^et*xIYP+Oke0g6LDq6Rwqv?Lmbun?SKl%NoB&^>R}Czc}}Bu{>*5I0}y#5aA!!c_fu~=P#rI_E7-jJ=<~qpQ;G# zC%NNSbUkB*_)$8VIMsOLAkb?0gwW)wk>J}QjluH@DYASCBDE6^Ldr(9Rt*ZD1_>A; z2@zg1m+SBY}@o|MpX@llKRj7_3Mf$#88VVWj^Gd z(aGAhd$-JRUtLh1A37-p<}zfhYp#cE z!-Icyt}B5d#K*Ob!_v~`YrKq`4PCiVsc@1CQn%}&>sOpG#gpV%8ICIAm>hjPH)8k6 zbbYih-pc3lba}#cIt&+biL*IKK3HX4l5=1^uW*U$ix6?>2>OBf zwd~37imKyCy6sxl#K5b%Ot-+>&6Q>8@bc80(x>-LK3NPP3sEzphuh75TMzwF3q2hj ztY|LA0xgtekavf(Mw+`xlag$Y_pBiYB1Ca{vC2+;f}j9RRyO?G{3DJz`;nID3=Ctg&K?^EJ%x!ZpylaSON>XmWZ=9T&`9*b~bW*YdfX=arLwN z@ibOJ|2T%H%79C^SJXW7Q|R8;QxMZjG#j~|HYKR(%Mg_wg;|+I@XSf3OHS+UoJ3Nl z%npCg5&w^$Y#QB+?(+KFH7<3;3w-jYI@zHH)6q(+eSc=Q=hb+Bgkv?N(E$~h68J)V z$?f-1?PqVE0-86aLY;xo8CG@r)i6 z=^7pBb=DRvWJOBLOpXcF@5Akrrnx7aAa=GoI{K$$l&bg>Kn(MD23XL zjW;&^*>B5rqY1f|I+6AXx(vc@O_{Kc=x0*ES(O$exhFRMKx!azHZVA$kC_^HxL3yT zg=15Lg3bZkvwnN|Z@m6Op2-&_rs+Zu(GM$z88^K<2#=DCcs~nK1{Xf3FXV{ak^$8~ z$1~RR-}e4iMc~`tqyWWt#U^zBI&{nBUY$0-Yu}DAt5;1{m&4du_b#+g+b254E*^;+ zOvMU&%@Rs?Fr7o$&*u&8tZZc0RH$JCd5?7)PPS8L^wBPDeT7_v^u-nADWI`^*>7=b zZ}AdJ!6SKM9m3b|k3^pLYl|;18ToV&TQ_I}`g6w7AN&0o2kS&B^D1o|`bLsbu3^QK z#fJOft#C#~=4SsFSAx{p=M;DIqZIgj^LDG$!v2}dFx$6)AIFp(4(BB5AJ9jMQ@yr7 zfX4bN(l~{|6qvT zH5*^v^b8wou?`H;a?EO=xrc%q(wSoJ&d+j^U%;DgWU2&olo;+lNbh zUf+AAX4}for7L7Aa5FfZsx0Q}3$Au8)xtBB3)pifRrlBX9-OUJ%u%KMaWvpBxi#Ia zV?;cWT-y2>3;cPgtfx%433rZHpA0}*fDv3{D)p zZ>I_U8TgrZs40NRotP$u1+-MUJBaPpkP?Z6^w%`-Jc->Ge_xmVTit#>bxI0_Zs$ir z`$&GZ2WL z7@Ec?dZ9*QhGiFAw*Pu*^a1{fhlIQtv%)`Mjgu4Z4V)17oAd!@XZ$J;~{N)aU290zYI`2R*uqpNaS%qy2rZf3D6y zmtDbGdS1H{4$i-Yv(bJEKI-#$86b>_UT_Mlm!|tfDZ6c zE%lcFV~PI=Fr}MZ*!T`uoxOhLNe5f0qg3Fa3|^~-jH!QoM$yYv+<{cIzbIGR#C^Bx zpP`0;wx3h0Yn zzrJdD+e0dzDXWXT&4C3&9^_=a`Ailb$C4^pW@>hR|4Hw;*0ibD<%O{_h}4N{v2&9Jl0w+IRnGqnjQ^K< z%*52iv9*W174m$Yx|a>B5kVNL+tDu24V&lHUgIh68r0@jeDXhrDFlG!ehx+9|2dQ2 z9{}mbq3v6C4YR$8YALh0d)Ga*^L)i~o6;w%YRJ|T_!lEoHRW#qcF2SSV@qn@+WAv1 z`aRZvitC~I?Dl3k7*0waol*7fw~sUYN~U|&^8Q{3^^5Akas9HwH=GON|5)h7!&c~r zjelQJ_a9^a`mq!Na??05E69X*GQ)ZmRhq)qCv%ECa$!NgQz4ZO+aXk*jP^2^3;zsl z0T5?i!Ot)KJ%8l?6nBkm*-5MR1cJ7C1Bvk+;~a2?lzGpom%4*qsh+co8I{aU7gUe` zgZ_Yl0!}_SZuDLJ|7jtBvpuJ;3+h$Qv0Giob&8@kXEy@}s@rQh2h5tR^e&3IRE58B z{G8s{x(a(VmEGQQ$wArR?Kfjy*Fiy!q+92Lj7A15)6-hsu{`^h!@%KM+P-&3>Mi~X zp(@`VDD>ZY<-uCOCRPEdrUiF6=erWOHZuSP-aFDNEd_}L7E>k5wEgeD+vzb_?VN+3zIF2XoWhd2OU%cUw z?(KW}r4W``*4H|1N4B@JX=Bqf)cAH}du!KX&TFG!)7SgpJG?!soBp8nv{2zj1}ar@ z?TKMh_m_aja|V3ew;(INUBKzz8yrmgU?*q)CWIONHxoY-i!Ct!GqwANn5mS;=pXz3$L4;UF`z?$-e*;NS`IDo*%9+pGq57fNt%?2n?lwe z^|XXEXXUg{25uoW^S)+8e8L;c1^Sah4LEa4Qydg#d5l<>tS}RjiFZK-9JZY)aovX- z=q)~E2c2KV9-{2=J_@_39GM-kOSQ^B@x zule7#GOMp&^O+a|>&?|apUIw;AIIU}7^fU<5s@;k$bPQF`S|{({_p@^<_gtGBJWEX zCH!Bl6<7s|!eJ7(=>L~<{4f7jUNv7X#lYZc?zs7{KAv`7%VWm2D1GE@Il80OJhk(e z=5fy^L5p7w3s)w*x*2M;V$V`<|>-y)1xzWf9{>abQ=cVr9K59MtO0ireJ3%)Oc1gFqT0pe9w^`+6YTC|>O&`G7QH+aZd*73LHOuD*K7Z*Gq}+Av4EiR~8M04WMxCg*q=S-KD-j7f zuIE_qrr@%o9O~7krwkY3Sy!DQ;fvk9n=9uH*>U z%deGiAKbLG0M(izN;g|dlp0hyg{*X5DAbO}5jV`0tCrTIw}>yZkqScSRD%Ui94|go z^_6gXY~y>L^S-+=$1|o2;yyIPC02HCZR~GG_6jfIl;h9DGZ911uD^*f?8OoX5?H~v za^(|%oe!N{G+5$WqD?h5Aw5tgM^bV-;?*A7#jbKY(8X1JaeXt|JNt2G>)W&Jvd@nk zB_pRi8%s?#l6;ft$Mv6^|8da{A`44`_wPnSk2!qnBuqsrO*3KkIb;dluDqBR2sO@^ ze$$uG$?tp1aHXH)UyEeoZm3bO6~NrG^UpaBT)tPUad~&s;E|WCt|2$qmh`5QUDZr- z2PWf02}I@;sd;DCKGy0BS7Rnx^csq&uYB$1r6s)!y^%Y+Pf7hUxDH=!5(`X)6XHAE z&-GP9W4A|x7t??c%6y%i%s>n|KwmUdW88-*Rm~O5ZB0h%_c^VEL=R@ru~s^LtY%(q zPdNK$dj1AH?+JG-7}&nA0h9ladH!?fkscXGr}0MFV872}t|-UO>%!Ru*F}y+cuVEZ zfEy1wFlC;Z$9?Ty$Bh}QiBLO!Z>XPDDiV=KLj#C56VGjoIwN=;BX!Q13R4|b0E3Oi z4mQK*1SP2$6eh~kgq>Z)Og!vdb+36X9zP(YZxugIhuwOTe0QWmgV$^JS|-$lGr%}(1=5}9NI+1mZT$D@>v|(e3idtUzRGUcQ zNQ&1POBArN)%T3LrfkrJwlPcXk|>H4*7vrRxmVE@22!O7ZlCHkp@|>w$k~xMFCU#_ z(^g`p>G)8`R(6>xs@GOoq)dkb>f&a{KulzKP~Z^bmz+S&czH7G-q?lw{;{~Y0>`+G z#q1G8Wj15VEwy%ozl#tHBI_gid<4CAV?Wf@|2~@^Yn#RBzf^$CpG94!du4TWqNL>N zT;KNXLQG=IYXkamT7KBhO&-EbY_uS;FRy_h zf{$NOF>z4z^z9a(7@lNwkW4L14%?&q^RTg6z$98@weC0>|34-Xn?{zVroY$7Nf+;^ zI_sv$K+bwc;l`bS6Uhk_jx99wWV*YcO{lvClft|TaK{A{?#W1vIE8c6ni_0Y&Ne0Mb?>g#6Rg&yyup;?AXK8D5Xcf!JC-e!!?oi=q^ z1dna=h+<2Pk||Gy5wbL$)a64FU&iq%3DNo$kx%lnu3x%4LAigXm5Zzkc*l5}+_OnV zgQlsZeVxI$XL0Dgo7$4@Sm|BFY;Vx);9vxyJoG@lmH2VH{*J)2zw&nHNFj4V8K0uN z{M+&US)YF|>JsQLKqqhWmu=a>d8kN4j`;6i#U$b}5Sv*LnfRyiRpY2te`rblAvp(C2ZcOfbLW{>oxH_dvZz?sthF?U=jBU>$pCf zL+@Fnm{`bFYs3}PY2(1;wYf$mlB78wAtd$Bqw=#KF~-GwBR~0{lKs-bSc(5|x{)SEK2DsxqS*fYxRMn!u+^v%n#f}QR&4xB_HI0BbY{0U++|%bZ#S$e*&o>Zk2#1yL+hPhOSN<$fw+IFK zbHbea9lO6a@n2>@+3w>1y2}(F;!=qzN|A<5vIsg=Jt}<2=tn?+h`&#q#b%xPj1+ zO}d>`Q@v$xtTLablG#X&pP`RaOX?^k2I^fxvHdRgbUxJQvC8 zohnqjuTeH0IM1C98p6g1n^_pTqiu}TO$?pJHSs%Vj`eDetf#4dcR}D}P#;VoR!qnl z`>`7e<(31lGFk13cR3->5m1{%p5QT!3emapgI5QAmLtvtrM3n{gprZ5UWlD-e3Ttrc-$`ji{m#AYXXY@jEYg-2!C#sg!>jkx<4+dGiM_@bJmT!t*{0a z2leZURC+J+qJo>ZCvpevAUk?MchL8QD*DT(Z(2r(3{69sTv6YKq+@-Sm0a}}B@@^I zPoc~~<08==FAsaWD%S_fK2~G>2YT(zQZt(eB`J=G(mF}4p(YZapqbK%r!7cq$uUjs zqpMWBr`u*X%#7ld7^T63U-&b%TeEip?+7UT)lNer+yAM))SOQD zvbR%R_A;nxptJKMdx^2NU#iNsM?Ss7o}g>93Exx3ke;QEmBp|{9>&7)PSYTsM@m6f z1AZr-9-XAzk_RtT4!X@IYW2QUTyf1|Q&Yr@-!SUC9T4AFU?4XM9f4}-?8YO{Jgk0p zd17dsH&and$>wd|6!ywyX1@&81-+I-{l<^DNAxj|fI)VhT*uH!6whDt7%NrVkIHn! z*zi^BYl&}B9qSu6%G`2ckYtTz;eJs+FoBI95iNw9s4ZE}12{z6Cna55nowL4b1A%& zmYBa}_sr$bbRmYaM=I3Kq$6(pvF=|N?S}qu>2735tX6PH;l^BTX1;}EFqz3}{55O$ z4BdL<`npr^_vPdk#Oa!P&z8OUS-YhEZ(nMi%js>BA}ef(@ckiqa~eo3cz z$+CWkz*?3@nx?XH^l1gRxUR3<{kr8!}a%ZiZ;T<0F`Vdwe$U@P2@(UdFAxub?9Dyxw^V_>8OFJ=Ro z@tJbSV{n|sObtQMbG`PU2FY;H_sL)uoj2ilXqU55X#VC9qox*9dsRe*vkOx^#Y+jh zX&IhOJ8aSi=>%gnGrX6shA7nyg}|wLs;_p2-$ckdEXHkB=f?%F<(?fwXnw5Fd{$oK zKfjERxgDp>Dgpjzq(e+BVQlF66Qh~Tfc01}EWUH~f3L@uAv@UEu8N3X>U;c}CAvBI zV&5bYhw?Ogd@v5iCWcCGd@J1POVcGlTktzdvq#rSoDO#LaV_TzYpRKxv`2 z$mP151AK3;wDF9@d3kZ*X5WCGnTbB*V*=8lnm3nAgtta>I3=R<8IR)=Qb-(Yf-Y^7`UBS#OrkZA#d`#-RR@_)Z;0yG!r12Qa*{W%N z#C}|DwwE3ooa`33hRr)GeEp9@@c;Duh*QsfU~B9DbP)nWRKcuL;*f(SvqEj+3U%{r zj9JoD85T~+pyIC)$Ti;XDPO9+_!UOJXw2TQUXoh|gQ*8UkXuC)cgmwk^58pRqs3L? zVWW%9WrUr%3fQ%u%gm%Tfz9L>f^KuPKtV*BK6HssdG3H&&Y0HkvjCP1A6IhZVgGi(5VW=BJ)j`Kf2d3OJL+O!7^QCS?TKJV>MNvqJ>*Vad6GU z6LrX;Pep0G-jM39%Yvfc<0qnZw(O6*^ zwBC7qcE7YKZL9+N3^V1vxr9yH>Y+W5u+f>8Z@ zR#`No*Lo9UpW=-~ZPD-*7?RHfkkAVBJ#2rYEz=8ByFF-ASi7U-jCR=>v0~goxpqnQ z6;!Xr;kTFc4rSOwPQ(u(GJr4xh9wQA$Cw)KRj>CY6SwT83Ib?<8NdcvBR`Moh&8F4 zU-{ULd`-1{f@N|?3~9_IfGSc;EJ}$#v)`w_^L{kxHObLAz|1l8SLS_|{gEe`s=EjW z-A^c8qL?CitP96<$5Q3p#7zAOwuC_gt3)@#N_khm!BA(uP|~%GjwrG+5(8Okn!Co) zWiXmxS{NeElv{FlUt(FM+2_Zqc8ijg$&kN$m!W6uELXkexN@;e1nrB-E9q2{+54_; zE2GpUO|Y+a*FDQF;7UIA+CSpDYMfZW#lT;-E073G=+ZuPDP@DdH9aF8_YVKr_ zH%%M4Wrpm&6qEX5_wQ`hRX0W3)T=(z%t4VCVa=OKuuR!$PLQHjz(&c6rO)xKgQs^j z#leU9-*9ds=pSaSPK9=4Js-HL|hCIaa933 zdB|N@<1*^f#@nYRu@d=YA84<9aaS_mVs~va>Q=5yw4rTwIv37nsi4|n)Ddyed%KON zZ~8H|8Vld*zE7iLO4{r4>m4q(=(`fc^Ff-p9+r7%5RfUlVR^%&I;M~XSJeP*ZadS_@#viD=|A%Jg$E4u6F`BeOsh2L}XmQ zQsH#p-GJjda}xH$MXhKVW&T<>y=qVV$jtYMK5CJ%_YKpP^GUfiaq;ne@3;$MqfIU4RCZBLRM};+R?C zp_QSM?aN9ksXxyA84ylwK6>DusPFD%sqsDI%<*wYPa)#+E>Dg?(- zumP}7@+3kkXWIKWc2xN4F6kruSm`W1TtHS2x^^6>h6>FlAIJw^&{)8IE&++zQ2yr2xeB6f{vKfz7Is82&hzYkECXKhg=EY>e3f-N=R7{5|(|%pa z3t<-FWAR<9=S-@4gnUxt%kG*C*~uP@IE-8#eK6?$^CEm>L)Mr5QM-cn{&TVni?SVXT@s=5wfYL0-_i4)npQXCG%~ zLN7+RjP1cUoE`$NGrMm)e-Syy5-LO7Rf@#{08tqT_1-IwqKGd~(w&m|ItJi^UNaJY z$ZfT99!3yZ-{0)g>*VwstKAvpHgRsEX9-O-+v`>4Pfzq57ejCzOw#x*xE`I@O+`P8 zF&Sj|P>|H^3ExcIDn}gfMk%E)a$$c(DgP0^HLMx0j5F#Oy0$FxI!|(3FHW;k5`qwp z@BFB~Ta*9=E4V(xe%ETnyuD=rF$6K3j8qVgidO?_bWzE1awi0M{=s@uXRR0Og@u1n zkuGGas;W_^o@%V*?l^z*+iNp(F;XK<0fDMl7>G_ghM=;63_k&Ir#l(orGX?VX{i%= z@)y5+hi|Po43a1C@TEzbkAtHj`E$}%rc7Dw8OgOeHBZ0!L{Ck7w9c*w!u6$l8kvK3 zz)FtXwP_NLL^OLni4NT%9LD?|02c5hznA(73t+grkOfC-?3M>~^Z^knZcyJMWDAEN z)ux3>7<+DfzoD0NX}&R^1te4nXc%MvCgEpY7{p+p*Lq_Vp&Ar%JDq`hR4 zq5_M%cJ+G~_nJ{0c(pR~oNj(TpGma|oD^iX|EbZBj@BV$Dbi7cS|n+(*Cfa&wmQOpAsHwCmQJ&o#5rjGP`V2yM_a9r%ewv5 zW|9DBdM-9j)B9j@d~U11jjXQZWo^Q^y$$by^{%%v`i^q5$jyHjf#K|t)mu^2KLU=d z20QB=@VCpa&+9hFtnKC01=6@vw#)l_NxE1ajUExDe*KG|!pGKS#5)+qI*%b8$_8{X z?RUCVELuW&eTCB!*QZ-D0pC`k8CdR-m*rw45wj?)L5(X(KCt%z+(~ZkDXhjd;hlWy zZ}JnaEi9fYX87Ki-lE5irw9+`54~A05TFMf4iJUd+>5`3v9*6WWhRV-5>!8?5Wg5<)OeYpK^F1HF6JVE$sU=qGm#O z4mup65da9O@?Zmf`F@>~i%DTv!dJpJd9U5-R8*?O==DK4dL&1f4LL$KGgS^}hM z`KYQ20m)nmeMQy^$mCaqF&dPJ^Qpt-06Immfn%RTyq&_I{3b>EoO>i*>T_07(!jW>us! zCVxj_z}OayQ~c)H_Fn#6>IJolX*QBqwd$u0Tk?xJD?lb+DA_53KX&4bJ>e6v7B{Yp zAZ{0GX*axsOet^L$`yMVJ4=437zL<;z|zH>T;1v@T-H}%mzi%cciI>FK=3UgWm?+3 zQ~G*{BYYOKGr7!;w7_Xu->}yKgadNtZ6GD{gW=0_7bjmuM@OHZr!UNMfz8F)F~G0| zn}vP{+$aDyVgeaWA0DEfYq7;!y~=v58Z`g{)Vp^UfO45y+M265+s!L}B%B}B(J;zj zUm#>I*zUr*RsokM2n0qLv6Z{fSPTcFhnQdHiV0i+h8q?}QrI#7ydcusvuhNL#_vO=@e45bfj}>&dmxGJel2c#txf+fAdHuv z8}I14+_`y(vNzlBs3Xs6xL3gBc5mOy*;~2d<=rVZ|9Lu0241vxh$IUTM0`V4f%v*- zJ&?0UPbGY4;J&y;V#;hmSWiL`ojnfxC?z5y5szVUD|FSymo#XfwB1;omv`i<1>X=9O z+jor`9p33tx;guxFP-8`+GIoPjwz$WwbwG*4X6R=3Ya{@?pV()2Q!Bto-Yq)vEO~q zN(Li<-_au?7ux16SAU`SW0XMLv+E-!vx!xrzc2z!K0m;WwJi_oE=`k-9Mk%u;)(gR ze$Y$bHGW$#w>Q*DC}2ULNZh%*G3!!QRvlM@vUL)~q+T4i8w&%7i_V+or8dmAYn`A zhuBHq7P81LO-?j180DE}f=qwOCGq6fuy;VX_S3!xXHn&aF4GsBKP9vMDaPDfaY)#yCXL4;YL62XbuGn=pC%4MwZ3e{HOhoU`iSz;4m(f919}d8&B~Iu| z^ik6aVCV5N5Re-d>IYxA_365ls`zS$Hl6Jif7E{Fl>84V1eCV|#Yn*@5Y0`pW20$oJ<1^JGC|Kl zFF9-*5oH7tz?2mDhOS|?d^zP!Fy~I@@5W*bBsOFJ_Mvkb*0FY7jdY~_czVdP`f?=}5 z7r3E5EPqoNeaM&iib(AYTX3=+51~o>#eCtQ(hf)StI_v>F4)v}pS0=Y6S4bj9gj4s&tB;t%b?C*O zE#$UIB_EtBk&HMl^dklMRmHt?ll_Qfz;lno1jE15h#ekT076kbpYEwG`81&WD9GYL zSz)N5HX9Mp`q9-i-;^t)$;+=VeGmr=I+2HN4wUB*^2-Jdqqtg5u(&;%txcR;Y~4igTCV;?nicIuAN@SOfwxFhkb zHBxDNYX3NTuhX*%!u0^8U+&{KIyPpUoeQT8E1gISWVU{z50@oB0F zz)gPM2=tP?CmhOnbbR!^-1Y@!p5h1T=dfoamLFvcGwAqoTmbK{x9Evv*C?cTG*XN3 z2uC;-^V09m0qJvZ2w%N? z9@HcO@W*W_zdQp0q{)~=m@sDHal(BjTtPP{4vGb%x$T+!+ecwN^2`GTi$$btbqH6Y z$EXb`c{W-0me1A#Yam z7mEzkHzza^Sqdu7WvkH<$;p2s;b44AhIWV(J=Nl+s)`~JWysJh2eJY(y5xa0Qd`~o zIcH+pW?jgKwqtyH_Jc;Oimx2GDkewZd}gv;N0UFzn>#zqypUVA#@d zrf=je$&|t1X*gyS4Dgtk9`{B2wJaBwNi1Qtx)2nB^&=6Yl)mQ{RN4LmvBa(k>@zAO z%Es^V6TfJ)mOepfdcWp5y)3aP=6=h^dyHpa!bV9faclDV-EwL0&g}@F%Ic0kG!@W6 z*F;9Fh-<2Q^}~*v&&3KnzUPC-WNJyq;f4@I_v(mT>JAu^z5EJ1r2ygvTAjui2J?R* zZ5R5b1NEyc5Q&oO0lO&I?%c6+#dm!bSuXq62b?Geu~~dw0$e#Sxh)pJdN9xiRoTF^ zX{w!k*eDl5@tGKFaWwz|_27|RdTIn9MMF6t3v}J)VDm{}hB*l!J=>ZHpz&bhI}_w( z?*?BfZeiV9J1EocMM1^XyF)%N=OsLMDH))Dl_-iRkN)hC z02~vB_6=KJ6F1kQJO#Sq2Ao7BXpM2m&kpQ|m2FJ3x%X?>bO;Uc?29e~d`+99rhzoz zf|2=4)=ec{(nk7HhuE746y`>wEglaSJ&scP8W_dmHYHt_W?OPt?0dXK$vN~&nTmNv z9N>n`W=$ntAO;xbQ95g-X=2*Ae7Gm0K*-VuN0e0J=c<)2ZG1*1%j;lmTnOS8z;T2( zNO$s^YCt^XjnwbumPLh3qs{j#oRFY$-b+NFCDSAo0RZ*$_&d3-z`gWC>eZ5ZDA#!k z?X(|aNWgLv!9cNvG@4s%|2w?K3X!F6q|HYv&gPW|Nrc^QrQKisQq3jZm}BeDg~)c64L1e{)if0>$Dv zR;=JkXfq@BPJ_UL6AH{t7N(n%=ta23wq0hThb`lg&{GC`YmV*&FEo^}Lghc|MeYU) zT2mlW5h>4mo+ox-%K_9jQ*E<6TpS41ODq@@9`~9qZRN^6f3J4P%ny=zbTrF4!I8F< zMcmCAI-p{(%5%CeqCQP&Y^&7klB@QSTxqy?^P5Miw31NhRYrA=Z)oMgS6&tq`w^E$&-4cb0?`fz(qSGBxna@% zF!!KXf4@6Ngf}#q=17ZI+0l-DufyyFj$E3Zo0~f?v)@{N$kCx!+`IvrZfUDzl;#ls zx&aAT#v$ci#?}!D5J$I?o&r38fZP6aezvs`0Uzlj`+#fHhO&QTvnxk=w0SaHdZXNd znzJ$SyE?SjLrtSt!q;+#h6Q=X-2WHf+|BK;xmWC}r5&*Qw9upE);}3PIi(v{_raYb z5~zU_Kb`tI`IPcrr>O~rSX$Mv*nC1C$9sU+cZh!JcgSsLfM6pTePTRi{hBM%hkkf8 zKeqtLEa`KCqHua~yypWUKe!*(AmWRSED%=O;h-R&TU& zYe~MSNb}ep&|}n9@JiP(B)=|R#js9k{i`&?E>J@832(iBVF}=?)cN7NPjaZoPBb75p*b=&|GH@nwlgFHP-m z-*KCdrx)>^&}F>?NfN8f+)_bPgxsebC-nvd?M%o}p1s+@q8?SF8IWvpzUUs<0jeF@ zRr=n*fhhS}>i2sBSqKm3f#ON_{>|GmsQWZhf^ub+zn}DfRgIa{QwT0hA)cL`z^nKU zsZDMF`)9-8bM=rA!e8ald9X&Bq zoydm(;+74-N@J?g2M(D?x9z*?W1r%NXrOBWu*X0hS}R+=eDW1DEI%kvfelh>;$F%R zaAbiXOZgk^VCM7R**p*H^q%0dnnQv&Elj#fGcms^?UcFB$zSxHtOA(~VWjJn`dQKa zwZ^`~d?r+Q#m!{@4bQ!pGMw3AE{c2+!xE^812{{ymgU8OeSLsq;IWS@JY&3@@;Y&p zFpooHQFM-*sq>;UO5FMVjU4J|ODdis*=iPv>eq!RfqNw^6mK?>C?J={9OnL;xuemC zyiKc6*o~a8+{D2*r+Q+{px%oZG!-ad`^n^;ml#P1~$X8o83bY;Zqp?|D#D;Fd8V7SeU3=-9H39cWxE|?!Zmro^NU` zkS2fL{Qy2>;Au;jRfG5&tmJa@hmF9&qea-o+(Ogp@27DbPiZGd643HGYd^%-Fo|+2+3ZCj3s$y)>+0eOPb==r$iX66zz$D9==A4#l~YNevzBpycD6(EFR z0KOO`QJd9y0L1Ise8=B@=6{>QeW0`ARzX_HVHwZ=Bm3F<9)RuvUk~ozK6_X&9b#6Q z&#Z++fyo^t-tMJxr4H}E zD}=1r?Kw2^C{Pr&@m2H4Ju9^hV&4H`xsmq+PxnO6Kb4}dVPhLB05{VPSi+^pL%vyV z;c^T%NEzs(7)N!<^#|`xm6oZed~?(?;fraD0_7fLWMuRgnjw@teOf};ie{6A*GIab z!ikWbktikD!1PywMVM6d)NYwfUK{YGP_EKF2HZG{4)A)HJ9nZvR1!V?05+Ivz+6H? z-t#f0*rG)jIuU~=0o*xgaa9^W`I@a0ds{jBaNX`50n)TRRRFX?b+R8M%9u;?UL|1# zNCs)V$pE6n068A_J_rT?c{RNhM2~#}&HwP)zo9FWVoG+nT65)(|NScs%q@@mfTu5n zk%cbSoM81bpQM`WY+g`|n(f?K`HlxT{>q|}%`O?U?1#oC7YF7KE8Di^8>ad4dio>m ziJ)?n@PMuz0a(_=sVbY_VX&qS@BxX~jI7V%09V&gmE@M8^6|qVSZ>JJ%M^2Slkoyb zb$}1db3Lq60|*pW3&+)B%Rq+AM?z_c8!?Dd$oR;;1gkMNU9kW^A45voPy0Yj?K<6PDSU+l$d*z`q5O6!-rP!A(v>aCr9p^Exmtv4Nw$XUVeI?%{thNfc=O-;x$p7U80S3a z_xzscw|#%#=kOL~Luy{z=6|2CizH!H0@JE4a&k0?stxrksxr$urs^hO2l8LMJQ%zC z)=h`Tf2Y|9cx8XKgXVf`Bsoj{lXgFQjix~rq1FaxNJJ=7NN7H$kcaRO+?uq_B!z1r zo3UxuqKVUcffXbJKtY4y4;7tA{|blYp+g^0-{YJNb59xs%POsFM#>9AMs;L)ckKv( zf_8l`;*c(!Z3*GvbBH-5?*tuB|OZ2)cZO>zzKjcD>^(cIava-?xuoFfQoolm*&mLVyd?a&2(Uy}1u2lun@g>qL#06hy~OT15%tjGEV zG(6(>yO{(?_|v9a0dvzC>lF~%0^?W36XWxh>SEJT>Uil~?Q8E^gGKmkmJq<3p!s_^ zEYQUYhzjX`i68#$4LlCcP{5Y&%8_+6Bi;BqKpB;ZCvB6fqs&IE%1`^G@H}V)XPb1^ zg?Cxg0a9q(Z>uJ(AwQp0Pc5nUH4B1W55k*F-p7R4Yw<)!M>mCd?}+rc(iNnYMTe%1 zLWX1(_pQ!WsOk2b7(57odPD(;F`cP6Vik_7`KXH5g*?|G@WMBBlm}{uBNOZHv?2I1 zdxWO0Om0${RkpWi!U$~S$HWT8p2)m$RQEB3rvqs>XQmu0zM2o`_oEF2l^H%k;LtNu ztiU8b9&i}@X!3S>vPHRk9ulbwD?hc74!aK)1`w4KR6c-mIrhCDZL~)s12m{N+ephf zrf|~oxR&KkwsxjCK;z!kXPX$N;+0{^({TtEPVVRq?XL?@b1FS~JGA(yade?Lel1_4 zW0)yX7n|ahy;}wBWgPWZDtoF>fiU|L!C0)49?-@6^{_Xte$L^2|DFlJ8IXZC7}dGS z(@N!Ijj0vXFo)>C0x1Oe=QpI^$w#gr_^YyM+ov==a)fFw%&EjgP9r})G2mS8ZfaBk zq>1;OAsNja4FB~4K%9n>1)B15KM6M=05H}jPAvtXD~|GP%H3tFgpG`nK;Te-R360b zh+HP>()a*Lc`Q3?U;CX`0g{Q|g@*__dD)f%M7zBw%L(x>B_IXOl+_Y;P*xRT#-N92We__g@EuzcI$fhyd9m^!r~te#!P-Z@l{xG*n~wYj$g7)*&L>;Ts;D#8u77J^gRQ=TbkyXNjb zP6v|^)(_B>;gpsKq>{sJ{e)XFXYd>Sd{aYm1HCNYI{f}GZ?-)9>#EclTd^dC{T^4W z_dVm~_cg?Q@(B}E0{2w>j%xCNj!pMfD>1fzc97(Hg**Qp#vyRvTRVqX%6%>!Fh;J2tETYy|+OaQ3=x&(X zG{j+=odCNni|aBBNDC7-d4<^c~TA1W70a`I3i_; z=Htpo?I)HvhkW1F&4yohBXi4Slf#4^=~nFrCV({?T6^Y>C`wFRCWoJd zjJj$8(o4oK5b=axH)le=#c@?$E;aU*z-71xU= zwy0_eE7H6O{oa@uUC{-WtukI z=#Ql7(I0ZquU|R8uK2I>lR7G7+qiP@l{n=OnBCfvz{KRdWC*+kkoVt){$z$7-n&(l zP(^m^{#y&5YU^=07J|JaKpS|)u>R^J*RcjCQmq^^1P}WV0089d^Q8{i0A<#XBNCdl z)~#CWdx0lZd+-c|zvt_TB3lKF%*mOjd5cB7$Y>7owaN4C~{mY5y86*4p{3}X7v74)Eiaq)RPVXpcA1Iyx4~(J8E{* z8M^>R%aX|$KUs7$li@qtSu5QWq>LX`i%qKCY>ij;1}&bAk^Tnd2)BaIY@-(SPb<;} z5ew{tiwM)EHS%H>v14-?(&u5{l9R)qP08MiKiZKfLB1svke8I+6U|2n4!nu9VRMTj zU-MRYahL-IspN(u8i~%?!}Mp!YHz5jeRx_%vHo zsx_~m@<=z}o zXRYC+{nXzeVcLZ+;*G{vI-i{tA#-fN2siL;xXEs>9==gzx$p*WSMPk)(GJ?5!e+r* zJydp{l>ks=46NMV24G;oG7=s@H=%W@VT$&uA-*jDfRjC? z6|&4l+`-dl&)aexAPNVSWWZsLno4)c^Gba*zr-aOdv})|TVM^f##b@-diALRL0(co zX-tPW71X&sA?JHb$UqoP^@UUuV1x};wh;|K$g$?nQ!(?L!I2+n?%CC#G2t_ET*w3& zM-Mk^V-FW3Hal0-!#VgVT*{C&S>Yo*E=$0_xw0F%{@BR=S&u%>Daw|2)Q9xCq5|1U zc|FU{b@kvU+shcT<{GaI=}wh&Z^;*dE`OgfEFGAcgfqRBs;MeQKK8`;@q&6u^5=(k zQ4;GZfdOlyd*uOqXz7)rma7-XmmO8K(<-m+ix^2u45G{azI>&iuF+aQx`LGoQ1l9+ zuDzu&q||#g4{7ap*Zy|+(T}pFo7OwL9u=!jN~1>-tN3wvOl-DxTcGJEJ5aJFWC|ePB>h-Cz9j136tBV>%h`jY%Vlty%wa zw;IdhAX*>q=g%3;a0is}vT~+qvv930A9ghA!If))@+Xn^(+vYFZDfFYi%oYT_v4o`VM_@9>4#%~QGl92c z7b=^&G=;vQ3)ybno+HE3Hzw^Zzuh4$g-f`EN?$#%ASXMG0xN3=hh7`QNFBg!8%Q8)ui@L_O+pDR2P7O(4O#nY# zfOI~a{-7u_CnaWTMuivTk2t5){;JIp1rS@?UbCr@ zF;EE#%Gwwq%+GZV9`{!;H|3XSPkd-p2UKH?VAMqJK~CS9uh%apvV1xxBA>vj*b=ud z1s+jIBQL?W)!yfwXS8tMMzg{aCNHx47#UViVmnkbmJk57k)%Tb;1G_6UtaQR@eL|` zQSgza2aj2(1#_?1cH^B>Yzy^xuT`$8ctXh|#l-QQ9e`iwAXH7sXznvAhm+n^s z#KwiXbAc`7QwgX#zj_7IRj~|kdf(J8y>(i0)p&%pCcZR~9(Kwm{)-4RKbU{VDf6zj zVlRWKLtf7y8=p1;L)sT3>nPGi0mR#CA(9%;22*_AFl%Xoh#$Sq` z1*Men06cNuaZL%e3GrPwwO?4h;2q3)tuqOZ`1^4Fz%JS71gGE)PEO}thpKxkUyfDjx){VzuyBJXC3(Jf)METjNCaquzi$Phw&`%TVaVqcmwcnHH_&2zy#Zl!DmJ0?l|&x^C{YgU|?HKyta^es!;sJo;WV@E8k zt!#ry#uiJ#IO=cE)(NB=`0w*{o=6tqJtU4R?z`5XuN(HIt8|w$PIrp^ema8W?w)X~ zq-xglX9)ZGCpb2hlCJa})3YutJM-RPAkrM~&Yv6f1PNzsL#Fa{OCT~hxt%{WPXavW zO{yeSJ#Yn$4;Cq43^=Ri!OlCv^GP$O&ztX@;G7pTM^-iAgaz%X+qHY1iO+Ml26*8R zPZ8!YOx-foHRoOA6d+N@G{3c&I`TWWvS;0W4OFkeJ?)(r-*T7Jc39<-+u61Atjs(T z^MUHUMO?n+2~*d=M#Ln??4-P2TqxTNwj{8pdvO95Q6b)%n2G$h$o17lhSYGBii1~srL2LL9liyGLJ+YUw}*mP52`-ep^A)@eA3`V;DfVvv)OU{Kx zvuV{Gnl4T`10*Lz(?wuyo zD`-9TKUt5_#_St>Z8v&f6uZV@xmS!WdYfq1iMXD_)CBz% z(^7Ve{sMJH!`<|4zVn$YO0=W z`A^I2XH5fLD0HC~+VW)7qL{{pTGXT_P}j%w8UM@}RV5n)!B9!Rs-}6U;bul&+tk~t zq1m~IWo#^2qNZV?;F!CnU4WF=TqLllNGH6_9ODZAu5q68cQZm2a|KkZlpxS`DfDP8 zB+pm3F6XRRH7XmVSw&y^k!~6^IwIP`J@sm5v9kw|N&eib?7x6-qy>>OFfBY^jlG~C z9&9T~`%Ydx_(lG2`9Q;b;QGc8J~b(5 zs$A$B@(mKp+3;<8(^y#Fpmjk^>fDLmyeqW<3`6%=$h2+!4O*ANI4@b;{P#l2{UBbQ zNpzc6oEf8hJzZ;qP8?@I6Pvg;h+%*jW}q;K~ps}RYOxXw8lYe9JIzk!2uK; zK*0eNRYOrV6jl3QMb#?y9@8qio!1c5v4ndr6m@=5 z+k9tz=R{m-O97o<^rPk+Y9Ro4QJ@!k@i(B>=n~98*HMkl?@mxfp{@ya7yq|bKoeg| aWa(LY#PGn%q7NAOIiR7V9<$f{;(q{H#;OGX literal 0 HcmV?d00001 diff --git a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc index 03b0a4a85..570753c06 100644 --- a/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc +++ b/latest/ug/manage-access/aws-access/iam-roles-for-service-accounts-minimum-sdk.adoc @@ -30,4 +30,10 @@ When using <>, th Many popular Kubernetes add-ons, such as the https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler[Cluster Autoscaler], the <>, and the <> support IAM roles for service accounts. -To ensure that you're using a supported SDK, follow the installation instructions for your preferred SDK at link:tools/[Tools to Build on {aws},type="marketing"] when you build your containers. \ No newline at end of file +To ensure that you're using a supported SDK, follow the installation instructions for your preferred SDK at link:tools/[Tools to Build on {aws},type="marketing"] when you build your containers. + +== Considerations + +=== Java + +When using Java, you _must_ include the `sts` module on the classpath. For more information, see https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/auth/credentials/WebIdentityTokenFileCredentialsProvider.html[WebIdentityTokenFileCredentialsProvider] in the Java SDK docs. \ No newline at end of file diff --git a/latest/ug/networking/cni-custom-network.adoc b/latest/ug/networking/cni-custom-network.adoc index 8121193a8..17e1e8105 100644 --- a/latest/ug/networking/cni-custom-network.adoc +++ b/latest/ug/networking/cni-custom-network.adoc @@ -12,12 +12,16 @@ Learn how to enable custom networking for Amazon EKS Pods to deploy them in diff *Applies to*: Linux `IPv4` Fargate nodes, Linux nodes with Amazon EC2 instances +image::images/cn-image.png[Diagram of node with multiple network interfaces] + By default, when the Amazon VPC CNI plugin for Kubernetes creates secondary link:AWSEC2/latest/UserGuide/using-eni.html[elastic network interfaces,type="documentation"] (network interfaces) for your Amazon EC2 node, it creates them in the same subnet as the node's primary network interface. It also associates the same security groups to the secondary network interface that are associated to the primary network interface. For one or more of the following reasons, you might want the plugin to create secondary network interfaces in a different subnet or want to associate different security groups to the secondary network interfaces, or both: * There's a limited number of `IPv4` addresses that are available in the subnet that the primary network interface is in. This might limit the number of Pods that you can create in the subnet. By using a different subnet for secondary network interfaces, you can increase the number of available `IPv4` addresses available for Pods. * For security reasons, your Pods might need to use a different subnet or security groups than the node's primary network interface. * The nodes are configured in public subnets, and you want to place the Pods in private subnets. The route table associated to a public subnet includes a route to an internet gateway. The route table associated to a private subnet doesn't include a route to an internet gateway. +TIP: You can also add a new or existing subnet directly to your Amazon EKS Cluster, without using custom networking. For more information, see <>. + [#cni-custom-network-considerations] == Considerations diff --git a/latest/ug/networking/eks-networking.adoc b/latest/ug/networking/eks-networking.adoc index be53b9655..7055667d7 100644 --- a/latest/ug/networking/eks-networking.adoc +++ b/latest/ug/networking/eks-networking.adoc @@ -14,6 +14,18 @@ Your Amazon EKS cluster is created in a VPC. Pod networking is provided by the A [.topiclist] [[Topic List]] +[#add-existing-subnet] +== Add an existing VPC Subnet to an Amazon EKS cluster from the management console + +. Navigate to your cluster in the management console +. From the *Networking* tab select *Manage VPC Resources* +. From the *Subnets* dropdown, select additional subnets from the VPC of your cluster. + +To create a new VPC Subnet: + +* xref:network-requirements-subnets[Review EKS Subnet Requirements] +* See link:vpc/latest/userguide/create-subnets.html["Create a Subnet",type="documentation"] in the Amazon Virtual Private Cloud User Guide. + include::network-reqs.adoc[leveloffset=+1] include::creating-a-vpc.adoc[leveloffset=+1] diff --git a/vale/styles/EksDocs/ExternalDomains.yml b/vale/styles/EksDocs/ExternalDomains.yml index e419a1b31..381bca83b 100644 --- a/vale/styles/EksDocs/ExternalDomains.yml +++ b/vale/styles/EksDocs/ExternalDomains.yml @@ -213,4 +213,5 @@ exceptions: - www.juniper.net - www.python.org - www.rfc-editor.org - - xilinx.github.io \ No newline at end of file + - xilinx.github.io + - sdk.amazonaws.com \ No newline at end of file From 477f333a3caf5fb106feb0886fe6e505aa16e106 Mon Sep 17 00:00:00 2001 From: Chris Splinter Date: Wed, 19 Mar 2025 16:06:26 -0500 Subject: [PATCH 283/940] Add hybrid nodes youtube demo to overview (#929) --- latest/ug/nodes/hybrid-nodes-overview.adoc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/latest/ug/nodes/hybrid-nodes-overview.adoc b/latest/ug/nodes/hybrid-nodes-overview.adoc index ece77e092..09b494745 100644 --- a/latest/ug/nodes/hybrid-nodes-overview.adoc +++ b/latest/ug/nodes/hybrid-nodes-overview.adoc @@ -19,6 +19,9 @@ With Amazon EKS Hybrid Nodes, there are no upfront commitments or minimum fees, For an overview of the other Amazon EKS options for on-premises and edge deployments, see <>. +video::tFn9IdlddBw[youtube,align=center,height= 405,width=720,fileref = https://www.youtube.com/embed/tFn9IdlddBw] + + [#hybrid-nodes-general] == General concepts of Amazon EKS Hybrid Nodes @@ -93,4 +96,4 @@ include::hybrid-nodes-proxy.adoc[leveloffset=+1] include::hybrid-nodes-nodeadm.adoc[leveloffset=+1] -include::hybrid-nodes-troubleshooting.adoc[leveloffset=+1] \ No newline at end of file +include::hybrid-nodes-troubleshooting.adoc[leveloffset=+1] From 7b8c9f8ae99b4c4ab9f79bcd24c68dacfecc0172 Mon Sep 17 00:00:00 2001 From: Soham Marik Date: Thu, 20 Mar 2025 03:02:54 +0530 Subject: [PATCH 284/940] Update lbc-helm.adoc (#926) --- latest/ug/networking/lbc-helm.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/networking/lbc-helm.adoc b/latest/ug/networking/lbc-helm.adoc index b493f2aa4..1f4cbe024 100644 --- a/latest/ug/networking/lbc-helm.adoc +++ b/latest/ug/networking/lbc-helm.adoc @@ -44,7 +44,7 @@ Before starting this tutorial, you must install and configure the following tool [NOTE] ==== -Below example is referring to the {aws} Load Balancer Controller *v2.11.0* release version. For more information about all releases, see the https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/[{aws} Load Balancer Controller Release Page] on GitHub. +Below example is referring to the {aws} Load Balancer Controller *v2.12.0* release version. For more information about all releases, see the https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/[{aws} Load Balancer Controller Release Page] on GitHub. ==== @@ -52,7 +52,7 @@ Below example is referring to the {aws} Load Balancer Controller *v2.11.0* relea + [source,shell,subs="verbatim,attributes"] ---- -curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.11.0/docs/install/iam_policy.json +curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.12.0/docs/install/iam_policy.json ---- ** If you are a non-standard {aws} partition, such as a Government or China region, https://github.com/kubernetes-sigs/aws-load-balancer-controller/tree/main/docs/install[review the policies on GitHub] and download the appropriate policy for your region. . Create an IAM policy using the policy downloaded in the previous step. From b23291dfdb3fe091b3dee086b83ad42e00fa98e2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matth=C3=ADas=20=C3=81=2E=20J=C3=B3nsson?= <59418825+mattijons@users.noreply.github.com> Date: Wed, 19 Mar 2025 21:35:26 +0000 Subject: [PATCH 285/940] Fix zsh globbing pattern in aws iam list-attached-role-policies query (#930) zsh interprets [] as a globbing pattern: `zsh: no matches found: AttachedPolicies[].PolicyArn` --- latest/ug/manage-access/aws-access/pod-id-association.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/manage-access/aws-access/pod-id-association.adoc b/latest/ug/manage-access/aws-access/pod-id-association.adoc index 1a63fdfbd..70cf1ef7a 100644 --- a/latest/ug/manage-access/aws-access/pod-id-association.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-association.adoc @@ -223,7 +223,7 @@ An example output is as follows. + [source,bash,subs="verbatim,attributes"] ---- -aws iam list-attached-role-policies --role-name my-role --query AttachedPolicies[].PolicyArn --output text +aws iam list-attached-role-policies --role-name my-role --query 'AttachedPolicies[].PolicyArn' --output text ---- + An example output is as follows. @@ -287,4 +287,4 @@ If you created the example policy in a previous step, then your output is the sa == Next Steps -<> \ No newline at end of file +<> From 93e737ac9093047ed588768f29e0f7ad49347885 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Thu, 20 Mar 2025 14:28:48 +0000 Subject: [PATCH 286/940] Minor corrections while reading through content. --- latest/ug/clusters/windows-support.adoc | 1 - latest/ug/networking/cni-custom-network-tutorial.adoc | 2 +- latest/ug/nodes/create-managed-node-group.adoc | 2 +- latest/ug/nodes/launch-templates.adoc | 2 +- 4 files changed, 3 insertions(+), 4 deletions(-) diff --git a/latest/ug/clusters/windows-support.adoc b/latest/ug/clusters/windows-support.adoc index 53a258661..83549680a 100644 --- a/latest/ug/clusters/windows-support.adoc +++ b/latest/ug/clusters/windows-support.adoc @@ -12,7 +12,6 @@ Learn how to enable and manage Windows support for your Amazon EKS cluster to ru Before deploying Windows nodes, be aware of the following considerations. - * EKS Auto Mode does not support Windows nodes * You can use host networking on Windows nodes using `HostProcess` Pods. For more information, see https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/[Create a Windows HostProcessPod] in the Kubernetes documentation. * Amazon EKS clusters must contain one or more Linux or Fargate nodes to run core system Pods that only run on Linux, such as CoreDNS. diff --git a/latest/ug/networking/cni-custom-network-tutorial.adoc b/latest/ug/networking/cni-custom-network-tutorial.adoc index 8caa9884f..582900573 100644 --- a/latest/ug/networking/cni-custom-network-tutorial.adoc +++ b/latest/ug/networking/cni-custom-network-tutorial.adoc @@ -401,7 +401,7 @@ aws iam attach-role-policy \ ---- + IMPORTANT: For simplicity in this tutorial, the link:aws-managed-policy/latest/reference/AmazonEKS_CNI_Policy.html[AmazonEKS_CNI_Policy,type="documentation"] policy is attached to the node IAM role. In a production cluster however, we recommend attaching the policy to a separate IAM role that is used only with the Amazon VPC CNI plugin for Kubernetes. For more information, see <>. -. Create one of the following types of node groups. To determine the instance type that you want to deploy, see <>. For this tutorial, complete the *Managed*, *Without a launch template or with a launch template without an AMI ID specified* option. If you're going to use the node group for production workloads, then we recommend that you familiarize yourself with all of the managed node group <> and self-managed node group <> options before deploying the node group. +. Create one of the following types of node groups. To determine the instance type that you want to deploy, see <>. For this tutorial, complete the *Managed*, *Without a launch template or with a launch template without an AMI ID specified* option. If you're going to use the node group for production workloads, then we recommend that you familiarize yourself with all of the <> and <> options before deploying the node group. + ** *Managed* – Deploy your node group using one of the following options: + diff --git a/latest/ug/nodes/create-managed-node-group.adoc b/latest/ug/nodes/create-managed-node-group.adoc index d697be19f..7d5d588fe 100644 --- a/latest/ug/nodes/create-managed-node-group.adoc +++ b/latest/ug/nodes/create-managed-node-group.adoc @@ -177,7 +177,7 @@ If you implement <>. . On the *Set compute and scaling configuration* page, fill out the parameters accordingly, and then choose *Next*. + -*** *AMI type* – Select an AMI type.If you are deploying Arm instances, be sure to review the considerations in <> before deploying. +*** *AMI type* – Select an AMI type. If you are deploying Arm instances, be sure to review the considerations in <> before deploying. + If you specified a launch template on the previous page, and specified an AMI in the launch template, then you can't select a value. The value from the template is displayed. The AMI specified in the template must meet the requirements in <>. *** *Capacity type* – Select a capacity type. For more information about choosing a capacity type, see <>. You can't mix different capacity types within the same node group. If you want to use both capacity types, create separate node groups, each with their own capacity and instance types. See <> for information on provisioning and scaling GPU-accelerated worker nodes. diff --git a/latest/ug/nodes/launch-templates.adoc b/latest/ug/nodes/launch-templates.adoc index b5dc781d1..ca88469aa 100644 --- a/latest/ug/nodes/launch-templates.adoc +++ b/latest/ug/nodes/launch-templates.adoc @@ -311,7 +311,7 @@ Bootstrapping is a term used to describe adding commands that can be run when an Create a file named [.replaceable]`my-nodegroup.yaml` with the following contents. Replace every [.replaceable]`example value` with your own values. The `--apiserver-endpoint`, `--b64-cluster-ca`, and `--dns-cluster-ip` arguments are optional. However, defining them allows the `bootstrap.sh` script to avoid making a `describeCluster` call. This is useful in private cluster setups or clusters where you're scaling in and out nodes frequently. For more information on the `bootstrap.sh` script, see the https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap.sh] file on GitHub. + ** The only required argument is the cluster name ([.replaceable]`my-cluster`). -** To retrieve an optimized AMI ID for `ami-[.replaceable]``1234567890abcdef0```, you can use the tables in the following sections: +** To retrieve an optimized AMI ID for `ami-[.replaceable]``1234567890abcdef0```, see the following sections: + *** <> *** <> From 840f3bb33297b7ccb7bae48585c788eabe4cf0a0 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Thu, 20 Mar 2025 18:57:13 +0000 Subject: [PATCH 287/940] Updated folder structure to better match ToC --- latest/ug/book.adoc | 2 +- .../cost-monitoring-aws.adoc | 2 +- .../cost-monitoring-kubecost-bundles.adoc | 2 +- .../cost-monitoring-kubecost.adoc | 2 +- .../management => cluster-management}/cost-monitoring.adoc | 2 +- .../management => cluster-management}/eks-managing.adoc | 7 +------ .../management => cluster-management}/eks-using-tags.adoc | 2 +- .../{clusters/management => cluster-management}/helm.adoc | 2 +- .../{clusters/authentication => cluster-management}/images | 0 .../management => cluster-management}/metrics-server.adoc | 2 +- .../management => cluster-management}/service-quotas.adoc | 2 +- latest/ug/clusters/management/images | 1 - 12 files changed, 10 insertions(+), 16 deletions(-) rename latest/ug/{clusters/management => cluster-management}/cost-monitoring-aws.adoc (98%) rename latest/ug/{clusters/management => cluster-management}/cost-monitoring-kubecost-bundles.adoc (99%) rename latest/ug/{clusters/management => cluster-management}/cost-monitoring-kubecost.adoc (99%) rename latest/ug/{clusters/management => cluster-management}/cost-monitoring.adoc (98%) rename latest/ug/{clusters/management => cluster-management}/eks-managing.adoc (98%) rename latest/ug/{clusters/management => cluster-management}/eks-using-tags.adoc (99%) rename latest/ug/{clusters/management => cluster-management}/helm.adoc (98%) rename latest/ug/{clusters/authentication => cluster-management}/images (100%) rename latest/ug/{clusters/management => cluster-management}/metrics-server.adoc (99%) rename latest/ug/{clusters/management => cluster-management}/service-quotas.adoc (99%) delete mode 120000 latest/ug/clusters/management/images diff --git a/latest/ug/book.adoc b/latest/ug/book.adoc index 097675dcc..668edd515 100644 --- a/latest/ug/book.adoc +++ b/latest/ug/book.adoc @@ -58,7 +58,7 @@ include::networking/eks-networking.adoc[leveloffset=+1] include::workloads/eks-workloads.adoc[leveloffset=+1] -include::clusters/management/eks-managing.adoc[leveloffset=+1] +include::cluster-management/eks-managing.adoc[leveloffset=+1] include::security/security.adoc[leveloffset=+1] diff --git a/latest/ug/clusters/management/cost-monitoring-aws.adoc b/latest/ug/cluster-management/cost-monitoring-aws.adoc similarity index 98% rename from latest/ug/clusters/management/cost-monitoring-aws.adoc rename to latest/ug/cluster-management/cost-monitoring-aws.adoc index cf3ae47bc..100a132e2 100644 --- a/latest/ug/clusters/management/cost-monitoring-aws.adoc +++ b/latest/ug/cluster-management/cost-monitoring-aws.adoc @@ -1,4 +1,4 @@ -include::../../attributes.txt[] +include::../attributes.txt[] [.topic] [#cost-monitoring-aws] diff --git a/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc b/latest/ug/cluster-management/cost-monitoring-kubecost-bundles.adoc similarity index 99% rename from latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc rename to latest/ug/cluster-management/cost-monitoring-kubecost-bundles.adoc index 115985749..c09e404c7 100644 --- a/latest/ug/clusters/management/cost-monitoring-kubecost-bundles.adoc +++ b/latest/ug/cluster-management/cost-monitoring-kubecost-bundles.adoc @@ -1,4 +1,4 @@ -include::../../attributes.txt[] +include::../attributes.txt[] [.topic] [#cost-monitoring-kubecost-bundles] diff --git a/latest/ug/clusters/management/cost-monitoring-kubecost.adoc b/latest/ug/cluster-management/cost-monitoring-kubecost.adoc similarity index 99% rename from latest/ug/clusters/management/cost-monitoring-kubecost.adoc rename to latest/ug/cluster-management/cost-monitoring-kubecost.adoc index 1b3aae8ea..a975f6738 100644 --- a/latest/ug/clusters/management/cost-monitoring-kubecost.adoc +++ b/latest/ug/cluster-management/cost-monitoring-kubecost.adoc @@ -1,4 +1,4 @@ -include::../../attributes.txt[] +include::../attributes.txt[] [.topic] [#cost-monitoring-kubecost] diff --git a/latest/ug/clusters/management/cost-monitoring.adoc b/latest/ug/cluster-management/cost-monitoring.adoc similarity index 98% rename from latest/ug/clusters/management/cost-monitoring.adoc rename to latest/ug/cluster-management/cost-monitoring.adoc index 1eba7bd2f..6d2e96cd0 100644 --- a/latest/ug/clusters/management/cost-monitoring.adoc +++ b/latest/ug/cluster-management/cost-monitoring.adoc @@ -1,4 +1,4 @@ -include::../../attributes.txt[] +include::../attributes.txt[] [.topic] [#cost-monitoring] diff --git a/latest/ug/clusters/management/eks-managing.adoc b/latest/ug/cluster-management/eks-managing.adoc similarity index 98% rename from latest/ug/clusters/management/eks-managing.adoc rename to latest/ug/cluster-management/eks-managing.adoc index 4901184e8..10d95c265 100644 --- a/latest/ug/clusters/management/eks-managing.adoc +++ b/latest/ug/cluster-management/eks-managing.adoc @@ -1,4 +1,4 @@ -include::../../attributes.txt[] +include::../attributes.txt[] [#eks-managing] = Organize and monitor cluster resources @@ -12,17 +12,12 @@ This chapter includes the following topics to help you manage your cluster. You * <> – To help you manage your Amazon EKS resources, you can assign your own metadata to each resource in the form of _tags_. This topic describes tags and shows you how to create them. * <> – Your {aws} account has default quotas, formerly referred to as limits, for each {aws} service. Learn about the quotas for Amazon EKS and how to increase them. - include::cost-monitoring.adoc[leveloffset=+1] - include::metrics-server.adoc[leveloffset=+1] - include::helm.adoc[leveloffset=+1] - include::eks-using-tags.adoc[leveloffset=+1] - include::service-quotas.adoc[leveloffset=+1] \ No newline at end of file diff --git a/latest/ug/clusters/management/eks-using-tags.adoc b/latest/ug/cluster-management/eks-using-tags.adoc similarity index 99% rename from latest/ug/clusters/management/eks-using-tags.adoc rename to latest/ug/cluster-management/eks-using-tags.adoc index b6a32b659..2e0e1c4ae 100644 --- a/latest/ug/clusters/management/eks-using-tags.adoc +++ b/latest/ug/cluster-management/eks-using-tags.adoc @@ -1,4 +1,4 @@ -include::../../attributes.txt[] +include::../attributes.txt[] [.topic] [#eks-using-tags] diff --git a/latest/ug/clusters/management/helm.adoc b/latest/ug/cluster-management/helm.adoc similarity index 98% rename from latest/ug/clusters/management/helm.adoc rename to latest/ug/cluster-management/helm.adoc index 43d2fdaf0..ac6303cfc 100644 --- a/latest/ug/clusters/management/helm.adoc +++ b/latest/ug/cluster-management/helm.adoc @@ -1,4 +1,4 @@ -include::../../attributes.txt[] +include::../attributes.txt[] [.topic] [#helm] diff --git a/latest/ug/clusters/authentication/images b/latest/ug/cluster-management/images similarity index 100% rename from latest/ug/clusters/authentication/images rename to latest/ug/cluster-management/images diff --git a/latest/ug/clusters/management/metrics-server.adoc b/latest/ug/cluster-management/metrics-server.adoc similarity index 99% rename from latest/ug/clusters/management/metrics-server.adoc rename to latest/ug/cluster-management/metrics-server.adoc index add311630..75bae42d7 100644 --- a/latest/ug/clusters/management/metrics-server.adoc +++ b/latest/ug/cluster-management/metrics-server.adoc @@ -1,4 +1,4 @@ -include::../../attributes.txt[] +include::../attributes.txt[] [.topic] [#metrics-server] diff --git a/latest/ug/clusters/management/service-quotas.adoc b/latest/ug/cluster-management/service-quotas.adoc similarity index 99% rename from latest/ug/clusters/management/service-quotas.adoc rename to latest/ug/cluster-management/service-quotas.adoc index 4416f183f..a96202cbc 100644 --- a/latest/ug/clusters/management/service-quotas.adoc +++ b/latest/ug/cluster-management/service-quotas.adoc @@ -1,4 +1,4 @@ -include::../../attributes.txt[] +include::../attributes.txt[] [.topic] [#service-quotas] diff --git a/latest/ug/clusters/management/images b/latest/ug/clusters/management/images deleted file mode 120000 index 5fa698708..000000000 --- a/latest/ug/clusters/management/images +++ /dev/null @@ -1 +0,0 @@ -../../images \ No newline at end of file From ea9c5f8a6bf1fa09b58c84dd0bdbba2d9f1029b1 Mon Sep 17 00:00:00 2001 From: Abhay Krishna Arunachalam Date: Thu, 20 Mar 2025 16:58:18 -0700 Subject: [PATCH 288/940] Fix containerd/kubelet proxy configuration docs for EKS Hybrid nodes --- latest/ug/nodes/hybrid-nodes-proxy.adoc | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/latest/ug/nodes/hybrid-nodes-proxy.adoc b/latest/ug/nodes/hybrid-nodes-proxy.adoc index 66f262fe9..e30f3d55b 100644 --- a/latest/ug/nodes/hybrid-nodes-proxy.adoc +++ b/latest/ug/nodes/hybrid-nodes-proxy.adoc @@ -43,10 +43,10 @@ The `containerd.service.d` directory will need to be created for this file. You [source,yaml,subs="verbatim,attributes,quotes"] ---- mkdir -p /etc/systemd/system/containerd.service.d -echo '[Service]' > /etc/systemd/system/containerd.service.d -echo 'Environment="HTTP_PROXY=http://[.replaceable]#proxy-domain:port#"' >> /etc/systemd/system/containerd.service.d -echo 'Environment="HTTPS_PROXY=http://[.replaceable]#proxy-domain:port#"' >> /etc/systemd/system/containerd.service.d -echo 'Environment="NO_PROXY=localhost"' >> /etc/systemd/system/containerd.service.d +echo '[Service]' > /etc/systemd/system/containerd.service.d/http-proxy.conf +echo 'Environment="HTTP_PROXY=http://[.replaceable]#proxy-domain:port#"' >> /etc/systemd/system/containerd.service.d/http-proxy.conf +echo 'Environment="HTTPS_PROXY=http://[.replaceable]#proxy-domain:port#"' >> /etc/systemd/system/containerd.service.d/http-proxy.conf +echo 'Environment="NO_PROXY=localhost"' >> /etc/systemd/system/containerd.service.d/http-proxy.conf systemctl daemon-reload systemctl restart containerd ---- @@ -72,12 +72,12 @@ The `kubelet.service.d` directory must be created for this file. You will need t [source,yaml,subs="verbatim,attributes,quotes"] ---- mkdir -p /etc/systemd/system/kubelet.service.d -echo '[Service]' > /etc/systemd/system/kubelet.service.d -echo 'Environment="HTTP_PROXY=http://[.replaceable]#proxy-domain:port#"' >> /etc/systemd/system/kubelet.service.d -echo 'Environment="HTTPS_PROXY=http://[.replaceable]#proxy-domain:port#"' >> /etc/systemd/system/kubelet.service.d -echo 'Environment="NO_PROXY=localhost"' >> /etc/systemd/system/kubelet.service.d +echo '[Service]' > /etc/systemd/system/kubelet.service.d/http-proxy.conf +echo 'Environment="HTTP_PROXY=http://[.replaceable]#proxy-domain:port#"' >> /etc/systemd/system/kubelet.service.d/http-proxy.conf +echo 'Environment="HTTPS_PROXY=http://[.replaceable]#proxy-domain:port#"' >> /etc/systemd/system/kubelet.service.d/http-proxy.conf +echo 'Environment="NO_PROXY=localhost"' >> /etc/systemd/system/kubelet.service.d/http-proxy.conf systemctl daemon-reload -systemctl restart containerd +systemctl restart kubelet ---- === `ssm` proxy configuration From 6e02adff565568fae0cc4b9e3700b2173b58ee23 Mon Sep 17 00:00:00 2001 From: Ramneek Kalra Date: Fri, 21 Mar 2025 10:16:30 +0530 Subject: [PATCH 289/940] Update coredns-autoscaling.adoc Updating 2 commands which were wrongly typed --- latest/ug/networking/coredns-autoscaling.adoc | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/latest/ug/networking/coredns-autoscaling.adoc b/latest/ug/networking/coredns-autoscaling.adoc index 262bd3b40..16e8df66d 100644 --- a/latest/ug/networking/coredns-autoscaling.adoc +++ b/latest/ug/networking/coredns-autoscaling.adoc @@ -37,9 +37,7 @@ A new Amazon EKS cluster. To deploy one, see <>. The cluster mu [source,bash,subs="verbatim,attributes"] ---- -aws eks describe-cluster - --name my-cluster --query cluster.version --output - text +aws eks describe-cluster --name my-cluster --query cluster.version --output text ---- [cols="1,1", options="header"] @@ -266,9 +264,9 @@ aws eks update-addon --cluster-name my-cluster --addon-name coredns \ + [source,shell,subs="verbatim,attributes"] ---- -aws eks describe-addon --cluster-name my-cluster --addon-name coredns \ +aws eks describe-addon --cluster-name my-cluster --addon-name coredns ---- + If you see this line: `"status": "ACTIVE"`, then the rollout has completed and the add-on is using the new configuration in all of the CoreDNS pods. As you change the number of nodes and CPU cores of nodes in the cluster, Amazon EKS scales the number of replicas of the CoreDNS deployment. -==== \ No newline at end of file +==== From 610d9c60dd32b44ed9a99014d7ffeeb1e023fe42 Mon Sep 17 00:00:00 2001 From: Leah Tucker <57272433+tucktuck9@users.noreply.github.com> Date: Fri, 21 Mar 2025 09:30:27 -0600 Subject: [PATCH 290/940] Update eks-optimized-ami.adoc Update date for EKS-optimized AMIs --- latest/ug/nodes/eks-optimized-ami.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/nodes/eks-optimized-ami.adoc b/latest/ug/nodes/eks-optimized-ami.adoc index 08b373d75..0ad27de14 100644 --- a/latest/ug/nodes/eks-optimized-ami.adoc +++ b/latest/ug/nodes/eks-optimized-ami.adoc @@ -25,7 +25,7 @@ The Amazon EKS optimized Amazon Linux AMIs are built on top of Amazon Linux 2 (A * For Kubernetes version `1.23`, you can use an optional bootstrap flag to test migration from Docker to `containerd`. For more information, see <>. * Amazon EC2 `P2` instances aren't supported on Amazon EKS because they require `NVIDIA` driver version 470 or earlier. * Any newly created managed node groups in clusters on version `1.30` or newer will automatically default to using AL2023 as the node operating system. Previously, new node groups would default to AL2. You can continue to use AL2 by choosing it as the AMI type when creating a new node group. -* Support for AL2 will end on June 30th, 2026. For more information, see link:amazon-linux-2/faqs/[Amazon Linux 2 FAQs,type="marketing"]. Additionally, Kubernetes version `1.32` is the last version for which Amazon EKS will release AL2 AMIs. From version `1.33` onwards, Amazon EKS will continue to release AL2023 and Bottlerocket based AMIs. +* Amazon EKS will no longer publish EKS-optimized Amazon Linux 2 (AL2) AMIs after November 26th, 2025. Additionally, Kubernetes version `1.32` is the last version for which Amazon EKS will release AL2 AMIs. From version `1.33` onwards, Amazon EKS will continue to release AL2023 and Bottlerocket based AMIs. ==== From 1e69b9df586080c00148592a425e1e05c400c4c8 Mon Sep 17 00:00:00 2001 From: Sainikhilreddy Date: Fri, 21 Mar 2025 12:13:16 -0700 Subject: [PATCH 291/940] Add March 2025 Amazon EKS optimized windows AMI versions cr: https://code.amazon.com/reviews/CR-185138517 --- latest/ug/nodes/eks-ami-versions-windows.adoc | 314 ++++++++++++++---- 1 file changed, 253 insertions(+), 61 deletions(-) diff --git a/latest/ug/nodes/eks-ami-versions-windows.adoc b/latest/ug/nodes/eks-ami-versions-windows.adoc index 3c66801d7..1caff2f47 100644 --- a/latest/ug/nodes/eks-ami-versions-windows.adoc +++ b/latest/ug/nodes/eks-ami-versions-windows.adoc @@ -52,13 +52,19 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes -|`1.32-2025-02-18` +|`1.32-2025.03.14` |`1.32.1` |`1.7.20` |`1.1.3` | -|`1.32-2025-01-15` +|`1.32-2025.02.18` +|`1.32.1` +|`1.7.20` +|`1.1.3` +| + +|`1.32-2025.01.15` |`1.32.0` |`1.7.20` |`1.1.3` @@ -75,19 +81,25 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes -|`1.31-2025-02-15` +|`1.31-2025.03.14` +|`1.31.5` +|`1.7.20` +|`1.1.3` +| + +|`1.31-2025.02.15` |`1.31.5` |`1.7.20` |`1.1.3` | -|`1.31-2025-01-15` +|`1.31-2025.01.15` |`1.31.4` |`1.7.20` |`1.1.3` | -|`1.31-2025-01-01` +|`1.31-2025.01.01` |`1.31.4` |`1.7.20` |`1.1.3` @@ -134,19 +146,25 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes -|`1.30-2025-02-15` +|`1.30-2025.03.14` +|`1.30.9` +|`1.7.20` +|`1.1.3` +| Upgraded `containerd` to `1.7.20`. + +|`1.30-2025.02.15` |`1.30.9` |`1.7.14` |`1.1.3` | -|`1.30-2025-01-15` +|`1.30-2025.01.15` |`1.30.8` |`1.7.14` |`1.1.3` | -|`1.30-2025-01-01` +|`1.30-2025.01.01` |`1.30.8` |`1.7.14` |`1.1.3` @@ -211,13 +229,19 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes -|`1.29-2025-02-15` +|`1.29-2025.03.14` +|`1.29.13` +|`1.7.20` +|`1.1.3` +| Upgraded `containerd` to `1.7.20` + +|`1.29-2025.02.15` |`1.29.13` |`1.7.14` |`1.1.3` | -|`1.29-2025-01-15` +|`1.29-2025.01.15` |`1.29.12` |`1.7.14` |`1.1.3` @@ -318,6 +342,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.28-2025.03.14` +|`1.28.15` +|`1.7.20` +|`1.1.3` +| Upgraded `containerd` to `1.7.20` + |`1.28-2025.02.15` |`1.28.15` |`1.7.14` @@ -449,19 +479,25 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes -|`1.27-2025-02-15` +|`1.27-2025.03.14` +|`1.27.16` +|`1.7.20` +|`1.1.3` +| Upgraded `containerd` to `1.7.20` + +|`1.27-2025.02.15` |`1.27.16` |`1.7.14` |`1.1.3` | -|`1.27-2025-01-15` +|`1.27-2025.01.15` |`1.27.16` |`1.7.14` |`1.1.3` | -|`1.27-2025-01-01` +|`1.27-2025.01.01` |`1.27.16` |`1.7.14` |`1.1.3` @@ -622,13 +658,19 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes -|`1.26-2025-02-15` +|`1.26-2025.03.14` +|`1.26.15` +|`1.7.20` +|`1.1.3` +| Upgraded to `containerd` to `1.7.20` + +|`1.26-2025.02.15` |`1.26.15` |`1.7.14` |`1.1.3` | -|`1.26-2025-01-15` +|`1.26-2025.01.15` |`1.26.15` |`1.7.14` |`1.1.3` @@ -795,6 +837,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.25-2025.03.14` +|`1.25.16` +|`1.7.20` +|`1.1.3` +| Upgraded `containerd` to `1.7.20` + |`1.25-2025.02.18` |`1.25.16` |`1.7.14` @@ -1179,13 +1227,19 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes -|`1.32-2025-02-18` +|`1.32-2025.03.14` |`1.32.1` |`1.7.20` |`1.1.3` | -|`1.32-2025-01-01` +|`1.32-2025.02.18` +|`1.32.1` +|`1.7.20` +|`1.1.3` +| + +|`1.32-2025.01.01` |`1.32.0` |`1.7.20` |`1.1.3` @@ -1204,19 +1258,25 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes -|`1.31-2025-02-15` +|`1.31-2025.03.14` +|`1.31.5` +|`1.7.20` +|`1.1.3` +| + +|`1.31-2025.02.15` |`1.31.5` |`1.7.20` |`1.1.3` | -|`1.31-2025-01-15` +|`1.31-2025.01.15` |`1.31.4` |`1.7.20` |`1.1.3` | -|`1.31-2025-01-01` +|`1.31-2025.01.01` |`1.31.4` |`1.7.20` |`1.1.3` @@ -1264,19 +1324,25 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes -|`1.30-2025-02-15` +|`1.30-2025.03.14` +|`1.30.9` +|`1.7.20` +|`1.1.3` +| Upgraded `contianerd` to `1.7.20` + +|`1.30-2025.02.15` |`1.30.9` |`1.7.14` |`1.1.3` | -|`1.30-2025-01-15` +|`1.30-2025.01.15` |`1.30.8` |`1.7.14` |`1.1.3` | -|`1.30-2025-01-01` +|`1.30-2025.01.01` |`1.30.8` |`1.7.14` |`1.1.3` @@ -1342,13 +1408,19 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes -|`1.29-2025-02-15` +|`1.29-2025.03.14` +|`1.29.13` +|`1.7.20` +|`1.1.3` +| Upgraded `containerd` to `1.7.20` + +|`1.29-2025.02.15` |`1.29.13` |`1.7.14` |`1.1.3` | -|`1.29-2025-01-15` +|`1.29-2025.01.15` |`1.29.12` |`1.7.14` |`1.1.3` @@ -1450,19 +1522,25 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.28-2025.03.14` +|`1.28.15` +|`1.7.20` +|`1.1.3` +| Upgraded `containerd` to `1.7.20` + |`1.28-2025.02.15` |`1.28.15` |`1.7.14` |`1.1.3` | -|`1.28-2025-01-15` +|`1.28-2025.01.15` |`1.28.15` |`1.7.14` |`1.1.3` | -|`1.28-2025-01-01` +|`1.28-2025.01.01` |`1.28.15` |`1.7.14` |`1.1.3` @@ -1582,19 +1660,25 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes -|`1.27-2025-02-15` +|`1.27-2025.03.14` +|`1.27.16` +|`1.7.20` +|`1.1.3` +| Upgraded `containerd` to `1.7.20` + +|`1.27-2025.02.15` |`1.27.16` |`1.7.14` |`1.1.3` | -|`1.27-2025-01-15` +|`1.27-2025.01.15` |`1.27.16` |`1.7.14` |`1.1.3` | -|`1.27-2025-01-01` +|`1.27-2025.01.01` |`1.27.16` |`1.7.14` |`1.1.3` @@ -1756,13 +1840,19 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes -|`1.26-2025-02-15` +|`1.26-2025.03.14` +|`1.26.15` +|`1.7.20` +|`1.1.3` +| Upgraded `containerd` to `1.7.20` + +|`1.26-2025.02.15` |`1.26.15` |`1.7.14` |`1.1.3` | -|`1.26-2025-01-15` +|`1.26-2025.01.15` |`1.26.15` |`1.7.14` |`1.1.3` @@ -1930,6 +2020,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.25-2025.03.14` +|`1.25.16` +|`1.7.20` +|`1.1.3` +| Upgraded `containerd` to `1.7.20` + |`1.25-2025.02.18` |`1.25.16` |`1.7.14` @@ -2315,13 +2411,19 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes -|`1.32-2025-02-18` +|`1.32-2025.03.14` |`1.32.1` |`1.7.20` |`1.1.3` | -|`1.32-2025-01-15` +|`1.32-2025.02.18` +|`1.32.1` +|`1.7.20` +|`1.1.3` +| + +|`1.32-2025.01.15` |`1.32.4` |`1.7.20` |`1.1.3` @@ -2340,19 +2442,25 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes -|`1.31-2025-02-15` +|`1.31-2025.03.14` +|`1.31.5` +|`1.7.20` +|`1.1.3` +| + +|`1.31-2025.02.15` |`1.31.5` |`1.7.20` |`1.1.3` | -|`1.31-2025-01-15` +|`1.31-2025.01.15` |`1.31.4` |`1.7.20` |`1.1.3` | -|`1.31-2025-01-01` +|`1.31-2025.01.01` |`1.31.4` |`1.7.20` |`1.1.3` @@ -2400,19 +2508,25 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.30-2025.03.14` +|`1.30.9` +|`1.7.20` +|`1.1.3` +| Upgraded `containerd` to `1.7.20` + |`1.30-2025-02-15` |`1.30.9` |`1.7.14` |`1.1.3` | -|`1.30-2025-01-15` +|`1.30-2025.01.15` |`1.30.8` |`1.7.14` |`1.1.3` | -|`1.30-2025-01-01` +|`1.30-2025.01.01` |`1.30.8` |`1.7.14` |`1.1.3` @@ -2478,13 +2592,19 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes -|`1.29-2025-02-15` +|`1.29-2025.03.14` +|`1.29.13` +|`1.7.20` +|`1.1.3` +| Upgraded `containerd` to `1.7.20` + +|`1.29-2025.02.15` |`1.29.13` |`1.7.14` |`1.1.3` | -|`1.29-2025-01-15` +|`1.29-2025.01.15` |`1.29.12` |`1.7.14` |`1.1.3` @@ -2586,6 +2706,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.28-2025.03.14` +|`1.28.15` +|`1.7.20` +|`1.1.3` +| Upgraded `containerd` to `1.7.20` + |`1.28-2025.02.15` |`1.28.15` |`1.7.14` @@ -2718,19 +2844,25 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes -|`1.27-2025-02-15` +|`1.27-2025.03.14` +|`1.27.16` +|`1.7.20` +|`1.1.3` +| Upgraded `containerd` to `1.7.20` + +|`1.27-2025.02.15` |`1.27.16` |`1.7.14` |`1.1.3` | -|`1.27-2025-01-15` +|`1.27-2025.01.15` |`1.27.16` |`1.7.14` |`1.1.3` | -|`1.27-2025-01-01` +|`1.27-2025.01.01` |`1.27.16` |`1.7.14` |`1.1.3` @@ -2892,13 +3024,19 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes -|`1.26-2025-02-15` +|`1.26-2025.03.14` +|`1.26.15` +|`1.7.20` +|`1.1.3` +| Upgraded `containerd` to `1.7.20` + +|`1.26-2025.02.15` |`1.26.15` |`1.7.14` |`1.1.3` | -|`1.26-2025-01-15` +|`1.26-2025.01.15` |`1.26.15` |`1.7.14` |`1.1.3` @@ -3066,6 +3204,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.25-2025.03.14` +|`1.25.16` +|`1.7.20` +|`1.1.3` +| Upgraded `containerd` to `1.7.20` + |`1.25-2025.02.18` |`1.25.16` |`1.7.14` @@ -3451,13 +3595,19 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes -|`1.32-2025-02-18` +|`1.32-2025.03.14` |`1.32.1` |`1.7.20` |`1.1.3` | -|`1.32-2025-01-15` +|`1.32-2025.02.18` +|`1.32.1` +|`1.7.20` +|`1.1.3` +| + +|`1.32-2025.01.15` |`1.32.0` |`1.7.20` |`1.1.3` @@ -3476,19 +3626,25 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes -|`1.31-2025-02-15` +|`1.31-2025.03.14` +|`1.31.5` +|`1.7.20` +|`1.1.3` +| + +|`1.31-2025.02.15` |`1.31.5` |`1.7.20` |`1.1.3` | -|`1.31-2025-01-15` +|`1.31-2025.01.15` |`1.31.4` |`1.7.20` |`1.1.3` | -|`1.31-2025-01-01` +|`1.31-2025.01.01` |`1.31.4` |`1.7.20` |`1.1.3` @@ -3536,19 +3692,25 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes -|`1.30-2025-02-15` +|`1.30-2025.03.14` +|`1.30.9` +|`1.7.20` +|`1.1.3` +| Upgraded `containerd` to `1.7.20` + +|`1.30-2025.02.15` |`1.30.9` |`1.7.14` |`1.1.3` | -|`1.30-2025-01-15` +|`1.30-2025.01.15` |`1.30.8` |`1.7.14` |`1.1.3` | -|`1.30-2025-01-01` +|`1.30-2025.01.01` |`1.30.8` |`1.7.14` |`1.1.3` @@ -3614,13 +3776,19 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes -|`1.29-2025-02-15` +|`1.29-2025.03.14` +|`1.29.13` +|`1.7.20` +|`1.1.3` +| Upgraded `containerd` to `1.7.20` + +|`1.29-2025.02.15` |`1.29.13` |`1.7.14` |`1.1.3` | -|`1.29-2025-01-15` +|`1.29-2025.01.15` |`1.29.12` |`1.7.14` |`1.1.3` @@ -3722,6 +3890,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.28-2025.03.14` +|`1.28.15` +|`1.7.20` +|`1.1.3` +| Upgraded `containerd` to `1.7.20` + |`1.28-2025.02.15` |`1.28.15` |`1.7.14` @@ -3854,19 +4028,25 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes -|`1.27-2025-02-15` +|`1.27-2025.03.14` +|`1.27.16` +|`1.7.20` +|`1.1.3` +| Upgraded `containerd` to `1.7.20` + +|`1.27-2025.02.15` |`1.27.16` |`1.7.14` |`1.1.3` | -|`1.27-2025-01-15` +|`1.27-2025.01.15` |`1.27.16` |`1.7.14` |`1.1.3` | -|`1.27-2025-01-01` +|`1.27-2025.01.01` |`1.27.16` |`1.7.14` |`1.1.3` @@ -4028,13 +4208,19 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes -|`1.26-2025-02-15` +|`1.26-2025.03.14` +|`1.26.15` +|`1.7.20` +|`1.1.3` +| Upgraded `containerd` to `1.7.20` + +|`1.26-2025.02.15` |`1.26.15` |`1.7.14` |`1.1.3` | -|`1.26-2025-01-15` +|`1.26-2025.01.15` |`1.26.15` |`1.7.14` |`1.1.3` @@ -4202,6 +4388,12 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes +|`1.25-2025.03.14` +|`1.25.16` +|`1.7.20` +|`1.1.3` +| Upgraded `containerd` to `1.7.20` + |`1.25-2025.02.18` |`1.25.16` |`1.7.14` From bea440e012ef2b71d7148c7c1b190feeadab3663 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Fri, 21 Mar 2025 19:33:20 +0000 Subject: [PATCH 292/940] Edits: 45917 --- latest/ug/nodes/eks-ami-versions-windows.adoc | 50 +++++++++---------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/latest/ug/nodes/eks-ami-versions-windows.adoc b/latest/ug/nodes/eks-ami-versions-windows.adoc index 1caff2f47..e58a9aede 100644 --- a/latest/ug/nodes/eks-ami-versions-windows.adoc +++ b/latest/ug/nodes/eks-ami-versions-windows.adoc @@ -97,7 +97,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.31.4` |`1.7.20` |`1.1.3` -| +| |`1.31-2025.01.01` |`1.31.4` @@ -150,7 +150,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.30.9` |`1.7.20` |`1.1.3` -| Upgraded `containerd` to `1.7.20`. +|Upgraded `containerd` to `1.7.20`. |`1.30-2025.02.15` |`1.30.9` @@ -233,7 +233,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.29.13` |`1.7.20` |`1.1.3` -| Upgraded `containerd` to `1.7.20` +|Upgraded `containerd` to `1.7.20`. |`1.29-2025.02.15` |`1.29.13` @@ -346,7 +346,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.28.15` |`1.7.20` |`1.1.3` -| Upgraded `containerd` to `1.7.20` +|Upgraded `containerd` to `1.7.20`. |`1.28-2025.02.15` |`1.28.15` @@ -483,7 +483,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.27.16` |`1.7.20` |`1.1.3` -| Upgraded `containerd` to `1.7.20` +|Upgraded `containerd` to `1.7.20`. |`1.27-2025.02.15` |`1.27.16` @@ -662,7 +662,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.26.15` |`1.7.20` |`1.1.3` -| Upgraded to `containerd` to `1.7.20` +|Upgraded `containerd` to `1.7.20`. |`1.26-2025.02.15` |`1.26.15` @@ -841,7 +841,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.25.16` |`1.7.20` |`1.1.3` -| Upgraded `containerd` to `1.7.20` +|Upgraded `containerd` to `1.7.20`. |`1.25-2025.02.18` |`1.25.16` @@ -1328,7 +1328,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.30.9` |`1.7.20` |`1.1.3` -| Upgraded `contianerd` to `1.7.20` +|Upgraded `contianerd` to `1.7.20`. |`1.30-2025.02.15` |`1.30.9` @@ -1412,7 +1412,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.29.13` |`1.7.20` |`1.1.3` -| Upgraded `containerd` to `1.7.20` +|Upgraded `containerd` to `1.7.20`. |`1.29-2025.02.15` |`1.29.13` @@ -1526,7 +1526,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.28.15` |`1.7.20` |`1.1.3` -| Upgraded `containerd` to `1.7.20` +|Upgraded `containerd` to `1.7.20`. |`1.28-2025.02.15` |`1.28.15` @@ -1664,7 +1664,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.27.16` |`1.7.20` |`1.1.3` -| Upgraded `containerd` to `1.7.20` +|Upgraded `containerd` to `1.7.20`. |`1.27-2025.02.15` |`1.27.16` @@ -1844,7 +1844,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.26.15` |`1.7.20` |`1.1.3` -| Upgraded `containerd` to `1.7.20` +|Upgraded `containerd` to `1.7.20`. |`1.26-2025.02.15` |`1.26.15` @@ -2024,7 +2024,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.25.16` |`1.7.20` |`1.1.3` -| Upgraded `containerd` to `1.7.20` +|Upgraded `containerd` to `1.7.20`. |`1.25-2025.02.18` |`1.25.16` @@ -2512,7 +2512,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.30.9` |`1.7.20` |`1.1.3` -| Upgraded `containerd` to `1.7.20` +|Upgraded `containerd` to `1.7.20`. |`1.30-2025-02-15` |`1.30.9` @@ -2596,7 +2596,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.29.13` |`1.7.20` |`1.1.3` -| Upgraded `containerd` to `1.7.20` +|Upgraded `containerd` to `1.7.20`. |`1.29-2025.02.15` |`1.29.13` @@ -2710,7 +2710,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.28.15` |`1.7.20` |`1.1.3` -| Upgraded `containerd` to `1.7.20` +|Upgraded `containerd` to `1.7.20`. |`1.28-2025.02.15` |`1.28.15` @@ -2848,7 +2848,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.27.16` |`1.7.20` |`1.1.3` -| Upgraded `containerd` to `1.7.20` +|Upgraded `containerd` to `1.7.20`. |`1.27-2025.02.15` |`1.27.16` @@ -3028,7 +3028,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.26.15` |`1.7.20` |`1.1.3` -| Upgraded `containerd` to `1.7.20` +|Upgraded `containerd` to `1.7.20`. |`1.26-2025.02.15` |`1.26.15` @@ -3208,7 +3208,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.25.16` |`1.7.20` |`1.1.3` -| Upgraded `containerd` to `1.7.20` +|Upgraded `containerd` to `1.7.20`. |`1.25-2025.02.18` |`1.25.16` @@ -3696,7 +3696,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.30.9` |`1.7.20` |`1.1.3` -| Upgraded `containerd` to `1.7.20` +|Upgraded `containerd` to `1.7.20`. |`1.30-2025.02.15` |`1.30.9` @@ -3780,7 +3780,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.29.13` |`1.7.20` |`1.1.3` -| Upgraded `containerd` to `1.7.20` +|Upgraded `containerd` to `1.7.20`. |`1.29-2025.02.15` |`1.29.13` @@ -3894,7 +3894,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.28.15` |`1.7.20` |`1.1.3` -| Upgraded `containerd` to `1.7.20` +|Upgraded `containerd` to `1.7.20`. |`1.28-2025.02.15` |`1.28.15` @@ -4032,7 +4032,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.27.16` |`1.7.20` |`1.1.3` -| Upgraded `containerd` to `1.7.20` +|Upgraded `containerd` to `1.7.20`. |`1.27-2025.02.15` |`1.27.16` @@ -4212,7 +4212,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.26.15` |`1.7.20` |`1.1.3` -| Upgraded `containerd` to `1.7.20` +|Upgraded `containerd` to `1.7.20`. |`1.26-2025.02.15` |`1.26.15` @@ -4392,7 +4392,7 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.25.16` |`1.7.20` |`1.1.3` -| Upgraded `containerd` to `1.7.20` +|Upgraded `containerd` to `1.7.20`. |`1.25-2025.02.18` |`1.25.16` From b75d45a7deabd3b744a3292673ce806ad141396e Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Thu, 20 Mar 2025 21:18:49 +0000 Subject: [PATCH 293/940] init change log for auto mode --- latest/ug/automode/auto-change.adoc | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 latest/ug/automode/auto-change.adoc diff --git a/latest/ug/automode/auto-change.adoc b/latest/ug/automode/auto-change.adoc new file mode 100644 index 000000000..32dee3b43 --- /dev/null +++ b/latest/ug/automode/auto-change.adoc @@ -0,0 +1,24 @@ +[.topic] +[#auto-change] += Review changes to EKS Auto Mode functionality +:info_titleabbrev: Change log + +include::../attributes.txt[] + +This topic tracks changes to Amazon EKS Auto Mode. + +If the update requires you to enable or configure it, the change entry will include a link. + +If the update requires a certain platform or Kubernetes version, it will be included. + +[role="no-scroll"] +[cols="25%,75%", options="header"] +|=== +|Date |Change + +|2025-03-20 +|Support Pod IPv4 Egress in IPv6 Clusters + + +|=== + From 1cda2e80b6f515ee7da5cf72cc4482083bba3eca Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Mon, 24 Mar 2025 18:45:30 +0000 Subject: [PATCH 294/940] revise release notes --- latest/ug/automode/auto-change.adoc | 22 ++++++++-------------- latest/ug/automode/automode.adoc | 2 ++ 2 files changed, 10 insertions(+), 14 deletions(-) diff --git a/latest/ug/automode/auto-change.adoc b/latest/ug/automode/auto-change.adoc index 32dee3b43..222514ed6 100644 --- a/latest/ug/automode/auto-change.adoc +++ b/latest/ug/automode/auto-change.adoc @@ -1,24 +1,18 @@ [.topic] [#auto-change] -= Review changes to EKS Auto Mode functionality -:info_titleabbrev: Change log += Review EKS Auto Mode release notes +:info_titleabbrev: Release notes include::../attributes.txt[] -This topic tracks changes to Amazon EKS Auto Mode. +This page documents updates to Amazon EKS Auto Mode. You can periodically check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality. -If the update requires you to enable or configure it, the change entry will include a link. +The dates below are when the change is expected to be available in all regions. -If the update requires a certain platform or Kubernetes version, it will be included. +== March 21, 2025 -[role="no-scroll"] -[cols="25%,75%", options="header"] -|=== -|Date |Change +**Bug Fix:** Auto Mode nodes now resolve `kube-dns.kube-system.svc.cluster.local` correctly when there isn’t a kube-dns service installed in the cluster. Address GitHub issue https://github.com/aws/containers-roadmap/issues/2546[#2546]. -|2025-03-20 -|Support Pod IPv4 Egress in IPv6 Clusters - - -|=== +== March 14, 2025 +**Feature**: IPv4 egress enabled in IPv6 clusters. IPv4 traffic egressing from IPv6 Auto Mode clusters will now be automatically translated to the v4 address of the node primary ENI. diff --git a/latest/ug/automode/automode.adoc b/latest/ug/automode/automode.adoc index 601976299..17332fe21 100644 --- a/latest/ug/automode/automode.adoc +++ b/latest/ug/automode/automode.adoc @@ -89,4 +89,6 @@ include::auto-reference.adoc[leveloffset=+1] include::auto-troubleshoot.adoc[leveloffset=+1] +include::auto-change.adoc[leveloffset=+1] + //include::wip.adoc[leveloffset=+1] From 69a995d64b5b6d91e72d97eea1578dd93b4807a2 Mon Sep 17 00:00:00 2001 From: Chris Negus Date: Mon, 24 Mar 2025 20:48:42 +0000 Subject: [PATCH 295/940] Corrected typo per https://t.corp.amazon.com/V1718151236 --- latest/ug/what-is/what-is-eks.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index 4f94244df..8a55da9d3 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -43,7 +43,7 @@ For <>, EKS allows the full range of Amazon EC2 i *Storage*:: EKS Auto Mode automatically creates storage classes using <>. -Using Container Storage Interface (CSI) drivers, you can also use Amazon S3, Amazon EFS, Amazon FSX, and Amazon File Cache for your application storage needs. For more inforamtion, see <>. +Using Container Storage Interface (CSI) drivers, you can also use Amazon S3, Amazon EFS, Amazon FSX, and Amazon File Cache for your application storage needs. For more information, see <>. *Security*:: The shared responsibility model is employed as it relates to <>. From 27b850c298c11ac2ffeb1e61a7ad4ddc34d2a19b Mon Sep 17 00:00:00 2001 From: pgasca <87044997+pgasca@users.noreply.github.com> Date: Mon, 24 Mar 2025 17:35:41 -0500 Subject: [PATCH 296/940] Editing pass --- latest/ug/automode/auto-change.adoc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/latest/ug/automode/auto-change.adoc b/latest/ug/automode/auto-change.adoc index 222514ed6..8d70465fd 100644 --- a/latest/ug/automode/auto-change.adoc +++ b/latest/ug/automode/auto-change.adoc @@ -5,14 +5,14 @@ include::../attributes.txt[] -This page documents updates to Amazon EKS Auto Mode. You can periodically check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality. +This page documents updates to Amazon EKS Auto Mode. You can periodically check this page for announcements about features, bug fixes, known issues, and deprecated functionality. -The dates below are when the change is expected to be available in all regions. +The dates below are when the change is expected to be available in all AWS Regions. == March 21, 2025 -**Bug Fix:** Auto Mode nodes now resolve `kube-dns.kube-system.svc.cluster.local` correctly when there isn’t a kube-dns service installed in the cluster. Address GitHub issue https://github.com/aws/containers-roadmap/issues/2546[#2546]. +**Bug Fix:** Auto Mode nodes now resolve `kube-dns.kube-system.svc.cluster.local` correctly when there isn't a `kube-dns` service installed in the cluster. Addresses GitHub issue https://github.com/aws/containers-roadmap/issues/2546[#2546]. == March 14, 2025 -**Feature**: IPv4 egress enabled in IPv6 clusters. IPv4 traffic egressing from IPv6 Auto Mode clusters will now be automatically translated to the v4 address of the node primary ENI. +**Feature**: `IPv4` egress enabled in `IPv6` clusters. `IPv4` traffic egressing from `IPv6` Auto Mode clusters will now be automatically translated to the `v4` address of the node primary ENI. From 737d3983a4b9bb23e7be6445ecaf77f2ec0ff6c6 Mon Sep 17 00:00:00 2001 From: pgasca <87044997+pgasca@users.noreply.github.com> Date: Mon, 24 Mar 2025 17:37:12 -0500 Subject: [PATCH 297/940] Replaced AWS with entity. --- latest/ug/automode/auto-change.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/automode/auto-change.adoc b/latest/ug/automode/auto-change.adoc index 8d70465fd..eb3ec3244 100644 --- a/latest/ug/automode/auto-change.adoc +++ b/latest/ug/automode/auto-change.adoc @@ -7,7 +7,7 @@ include::../attributes.txt[] This page documents updates to Amazon EKS Auto Mode. You can periodically check this page for announcements about features, bug fixes, known issues, and deprecated functionality. -The dates below are when the change is expected to be available in all AWS Regions. +The dates below are when the change is expected to be available in all {aws} Regions. == March 21, 2025 From 937f2423e1cb688aad35c38c98d16145089be58f Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Tue, 25 Mar 2025 15:35:43 +0000 Subject: [PATCH 298/940] Consistency --- latest/ug/doc-history.adoc | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index 0376d1c4f..6a73ac891 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -1,11 +1,9 @@ +include::attributes.txt[] + [.topic] [#doc-history] -// H1 title is necessary, and must occur before the [abstract], but is unused in the web page (:info_title: is used instead, and :info_titleabbrev: is used in the ToC) = Document history - -include::attributes.txt[] - [abstract] -- Important updates to the Amazon EKS documentation, sorted by date, with brief descriptions of each update and when they occurred. From 60d4313e3a8fc79b7f39a216046daa2b20de2d86 Mon Sep 17 00:00:00 2001 From: pgasca <87044997+pgasca@users.noreply.github.com> Date: Tue, 25 Mar 2025 15:33:07 -0500 Subject: [PATCH 299/940] Style rewrites --- latest/ug/storage/efs-csi.adoc | 98 +++++++++++++++++++--------------- 1 file changed, 56 insertions(+), 42 deletions(-) diff --git a/latest/ug/storage/efs-csi.adoc b/latest/ug/storage/efs-csi.adoc index ac7b39c6b..ac8c23141 100644 --- a/latest/ug/storage/efs-csi.adoc +++ b/latest/ug/storage/efs-csi.adoc @@ -28,9 +28,9 @@ link:efs/latest/ug/whatisefs.html[Amazon Elastic File System,type="documentation [#efs-csi-prereqs] == Prerequisites -* The EFS CSI driver needs {aws} IAM Permissions. +* The Amazon EFS CSI driver needs {aws} Identity and Access Management (IAM) permissions. ** {aws} suggests using EKS Pod Identities. For more information, see <>. -** For information about IAM Roles for Service Accounts and setting up an {aws} Identity and Access Management (IAM) OpenID Connect (OIDC) provider for your cluster, see <>. +** For information about IAM roles for service accounts and setting up an IAM OpenID Connect (OIDC) provider for your cluster, see <>. * Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or Homebrew for macOS are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_. * The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the Kubernetes version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. @@ -57,9 +57,13 @@ The specific steps in this procedure are written for using the driver as an Amaz ==== -=== `eksctl` [[eksctl_efs_store_app_data]] -==== If Using Pod Identities -Run the following commands to create an IAM role and Pod Identity association with `eksctl`. Replace [.replaceable]`my-cluster` with your cluster name and [.replaceable]`AmazonEKS_EFS_CSI_DriverRole` with the name for your role. +[#eksctl_efs_store_app_data] +=== `eksctl` + +[#efs-eksctl-pod-identities] +==== If using Pod Identities + +Run the following commands to create an IAM role and Pod Identity association with `eksctl`. Replace `my-cluster` with your cluster name. You can also replace `AmazonEKS_EFS_CSI_DriverRole` with a different name. [source,bash,subs="verbatim,attributes"] ---- @@ -74,8 +78,10 @@ eksctl create podidentityassociation \ --approve ---- -==== If Using IAM Roles for Service Accounts -Run the following commands to create an IAM role with `eksctl`. Replace [.replaceable]`my-cluster` with your cluster name and [.replaceable]`AmazonEKS_EFS_CSI_DriverRole` with the name for your role. +[#efs-eksctl-irsa] +==== If using IAM roles for service accounts + +Run the following commands to create an IAM role with `eksctl`. Replace `my-cluster` with your cluster name. You can also replace `AmazonEKS_EFS_CSI_DriverRole` with a different name. [source,bash,subs="verbatim,attributes"] ---- @@ -94,69 +100,70 @@ TRUST_POLICY=$(aws iam get-role --role-name $role_name --query 'Role.AssumeRoleP aws iam update-assume-role-policy --role-name $role_name --policy-document "$TRUST_POLICY" ---- -=== {aws-management-console} [[console_efs_store_app_data]] +[#console_efs_store_app_data] +=== {aws-management-console} Run the following to create an IAM role with {aws-management-console}. . Open the IAM console at https://console.aws.amazon.com/iam/. . In the left navigation pane, choose *Roles*. . On the *Roles* page, choose *Create role*. . On the *Select trusted entity* page, do the following: -+ -.. If using *EKS Pod Identities* +.. If using EKS Pod Identities: ... In the *Trusted entity type* section, choose *AWS service*. ... In the *Service or use case* drop down, choose *EKS*. ... In the *Use case* section, choose *EKS - Pod Identity*. ... Choose *Next*. -.. If using *IAM Roles for Service Accounts* +.. If using IAM roles for service accounts: ... In the *Trusted entity type* section, choose *Web identity*. ... For *Identity provider*, choose the *OpenID Connect provider URL* for your cluster (as shown under *Overview* in Amazon EKS). ... For *Audience*, choose `sts.amazonaws.com`. ... Choose *Next*. . On the *Add permissions* page, do the following: -+ -.. In the *Filter policies* box, enter [.replaceable]`AmazonEFSCSIDriverPolicy`. -.. Select the check box to the left of the [.replaceable]`AmazonEFSCSIDriverPolicy` returned in the search. +.. In the *Filter policies* box, enter `AmazonEFSCSIDriverPolicy`. +.. Select the check box to the left of the `AmazonEFSCSIDriverPolicy` returned in the search. .. Choose *Next*. . On the *Name, review, and create* page, do the following: -+ -.. For *Role name*, enter a unique name for your role, such as [.replaceable]`AmazonEKS_EFS_CSI_DriverRole`. +.. For *Role name*, enter a unique name for your role, such as `AmazonEKS_EFS_CSI_DriverRole`. .. Under *Add tags (Optional)*, add metadata to the role by attaching tags as key-value pairs. For more information about using tags in IAM, see link:IAM/latest/UserGuide/id_tags.html[Tagging IAM resources,type="documentation"] in the _IAM User Guide_. .. Choose *Create role*. . After the role is created: -.. If using *EKS Pod Identities* +.. If using EKS Pod Identities: ... Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. ... In the left navigation pane, select *Clusters*, and then select the name of the cluster that you want to configure the EKS Pod Identity association for. ... Choose the *Access* tab. ... In *Pod Identity associations*, choose *Create*. ... Choose the *IAM role* dropdown and select your newly created role. -... Choose the *Kubernetes namespace* field and input *kube-system*. -... Choose the *Kubernetes service account* field and input *efs-csi-controller-sa*. +... Choose the *Kubernetes namespace* field and input `kube-system`. +... Choose the *Kubernetes service account* field and input `efs-csi-controller-sa`. ... Choose *Create*. ... For more information on creating Pod Identity associations, see <>. -.. If using *IAM Roles for Service Accounts* -... Choose the role in the console to open it for editing. +.. If using IAM roles for service accounts: +... Choose the role to open it for editing. ... Choose the *Trust relationships* tab, and then choose *Edit trust policy*. ... Find the line that looks similar to the following line: + [source,json,subs="verbatim,attributes"] ---- -"oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:aud": "sts.amazonaws.com" +"oidc.eks.region-code.amazonaws.com/id/:aud": "sts.amazonaws.com" ---- + -Add the following line above the previous line. Replace [.replaceable]`region-code` with the {aws} Region that your cluster is in. Replace [.replaceable]`EXAMPLED539D4633E53DE1B71EXAMPLE` with your cluster's OIDC provider ID. +Add the following line above the previous line. Replace `` with the {aws} Region that your cluster is in. Replace `` with your cluster's OIDC provider ID. + [source,json,subs="verbatim,attributes"] ---- -"oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:kube-system:efs-csi-*", +"oidc.eks..amazonaws.com/id/:sub": "system:serviceaccount:kube-system:efs-csi-*", ---- ... Modify the `Condition` operator from `"StringEquals"` to `"StringLike"`. ... Choose *Update policy* to finish. -=== {aws} CLI [[awscli_efs_store_app_data]] +[#awscli_efs_store_app_data] +=== {aws} CLI Run the following commands to create an IAM role with {aws} CLI. -==== If Using Pod Identities +[#efs-cli-pod-identities] +==== If using Pod Identities + . Create the IAM role that grants the `AssumeRole` and `TagSession` actions to the `pods.eks.amazonaws.com` service. + .. Copy the following contents to a file named `aws-efs-csi-driver-trust-policy-pod-identity.json`. @@ -180,12 +187,14 @@ Run the following commands to create an IAM role with {aws} CLI. ] } ---- -.. Create the role. You can change [.replaceable]`AmazonEKS_EFS_CSI_DriverRole` to a different name, but if you do, make sure to change it in later steps too. +.. Create the role. Replace `my-cluster` with your cluster name. You can also replace `AmazonEKS_EFS_CSI_DriverRole` with a different name. + [source,bash,subs="verbatim,attributes"] ---- +export cluster_name=my-cluster +export role_name=AmazonEKS_EFS_CSI_DriverRole aws iam create-role \ - --role-name AmazonEKS_EFS_CSI_DriverRole \ + --role-name $role_name \ --assume-role-policy-document file://"aws-efs-csi-driver-trust-policy-pod-identity.json" ---- . Attach the required {aws} managed policy to the role with the following command. @@ -194,34 +203,39 @@ aws iam create-role \ ---- aws iam attach-role-policy \ --policy-arn {arn-aws}iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy \ - --role-name AmazonEKS_EFS_CSI_DriverRole + --role-name $role_name ---- -. Run the following command to create the Pod Identity association. Replace [.replaceable]`my-cluster` with your cluster name. Replace [.replaceable]`arn:aws:iam::111122223333:role/my-role` with the role created in previous steps. +. Run the following command to create the Pod Identity association. Replace `{arn-aws}iam::<111122223333>:role/my-role` with the role created in previous steps. + ---- -aws eks create-pod-identity-association --cluster-name my-cluster --role-arn arn:aws:iam::111122223333:role/my-role --namespace kube-system --service-account efs-csi-controller-sa +aws eks create-pod-identity-association --cluster-name $cluster_name --role-arn {arn-aws}iam::<111122223333>:role/my-role --namespace kube-system --service-account efs-csi-controller-sa ---- . For more information on creating Pod Identity associations, see <>. -==== If using IAM Roles for Service Accounts +[#efs-cli-irsa] +==== If using IAM roles for service accounts -. View your cluster's OIDC provider URL. Replace [.replaceable]`my-cluster` with your cluster name. If the output from the command is `None`, review the *Prerequisites*. +. View your cluster's OIDC provider URL. Replace `my-cluster` with your cluster name. You can also replace `AmazonEKS_EFS_CSI_DriverRole` with a different name. + [source,bash,subs="verbatim,attributes"] ---- -aws eks describe-cluster --name my-cluster --query "cluster.identity.oidc.issuer" --output text +export cluster_name=my-cluster +export role_name=AmazonEKS_EFS_CSI_DriverRole +aws eks describe-cluster --name $cluster_name --query "cluster.identity.oidc.issuer" --output text ---- + An example output is as follows. + [source,bash,subs="verbatim,attributes"] ---- -https://oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE +https://oidc.eks..amazonaws.com/id/ ---- ++ +If the output from the command is `None`, review the *Prerequisites*. . Create the IAM role that grants the `AssumeRoleWithWebIdentity` action. + -.. Copy the following contents to a file named `aws-efs-csi-driver-trust-policy.json`. Replace [.replaceable]`111122223333` with your account ID. Replace [.replaceable]`EXAMPLED539D4633E53DE1B71EXAMPLE` and [.replaceable]`region-code` with the values returned in the previous step. +.. Copy the following contents to a file named `aws-efs-csi-driver-trust-policy.json`. Replace `<111122223333>` with your account ID. Replace `` and `` with the values returned in the previous step. + [source,json,subs="verbatim,attributes"] ---- @@ -231,25 +245,25 @@ https://oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE { "Effect": "Allow", "Principal": { - "Federated": "{arn-aws}iam::111122223333:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE" + "Federated": "{arn-aws}iam::<111122223333>:oidc-provider/oidc.eks..amazonaws.com/id/" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringLike": { - "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:kube-system:efs-csi-*", - "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:aud": "sts.amazonaws.com" + "oidc.eks.region-code.amazonaws.com/id/:sub": "system:serviceaccount:kube-system:efs-csi-*", + "oidc.eks.region-code.amazonaws.com/id/:aud": "sts.amazonaws.com" } } } ] } ---- -.. Create the role. You can change [.replaceable]`AmazonEKS_EFS_CSI_DriverRole` to a different name, but if you do, make sure to change it in later steps too. +.. Create the role. + [source,bash,subs="verbatim,attributes"] ---- aws iam create-role \ - --role-name AmazonEKS_EFS_CSI_DriverRole \ + --role-name $role_name \ --assume-role-policy-document file://"aws-efs-csi-driver-trust-policy.json" ---- . Attach the required {aws} managed policy to the role with the following command. @@ -258,7 +272,7 @@ aws iam create-role \ ---- aws iam attach-role-policy \ --policy-arn {arn-aws}iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy \ - --role-name AmazonEKS_EFS_CSI_DriverRole + --role-name $role_name ---- From 63e87364a66f57249df44664ee5607d5276f4dc1 Mon Sep 17 00:00:00 2001 From: Guy Templeton Date: Tue, 25 Mar 2025 20:39:31 +0000 Subject: [PATCH 300/940] Standardise Community Addon Name Formatting (#940) --- latest/ug/workloads/community-addons.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/workloads/community-addons.adoc b/latest/ug/workloads/community-addons.adoc index d033e24f9..1b1c1bd1c 100644 --- a/latest/ug/workloads/community-addons.adoc +++ b/latest/ug/workloads/community-addons.adoc @@ -76,7 +76,7 @@ The Kubernetes Metrics Server is a scalable and efficient source of container re |=== -=== `kube-state-metrics` +=== kube-state-metrics Add-on agent to generate and expose cluster-level metrics. From 61d27fbe684b9da1f9fec5abd7c843c0e34b0b5b Mon Sep 17 00:00:00 2001 From: Amanuel Engeda <74629455+engedaam@users.noreply.github.com> Date: Tue, 25 Mar 2025 13:42:00 -0700 Subject: [PATCH 301/940] chore: Add termination grace period note around defaulting NodePools (#938) * Add termination grace period note around defaulting nodepools * Update create-node-pool.adoc --------- Co-authored-by: Geoffrey Cline --- latest/ug/automode/create-node-pool.adoc | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/latest/ug/automode/create-node-pool.adoc b/latest/ug/automode/create-node-pool.adoc index 4069f40a2..86d2cf2d4 100644 --- a/latest/ug/automode/create-node-pool.adoc +++ b/latest/ug/automode/create-node-pool.adoc @@ -220,4 +220,8 @@ By default, EKS Auto Mode: - Consolidates underutilized instances. - Terminates instances after 720 hours. -- Sets a single disruption budget of 10% of nodes. \ No newline at end of file +- Sets a single disruption budget of 10% of nodes. + +== Termination Grace Period + +When a `terminationGracePeriod` is not explicitly defined on an EKS Auto NodePool, the system automatically applies a default 24-hour termination grace period to the associated NodeClaim. While EKS Auto customers will not see a `terminationGracePeriod` defaulted in their custom NodePool configurations, they will observe this default value on the NodeClaim. The functionality remains consistent whether the grace period is explicitly set on the NodePool or defaulted on the NodeClaim, ensuring predictable node termination behavior across the cluster. From 838bd78dfa4141eaf2d65c04b137fc7a028457d7 Mon Sep 17 00:00:00 2001 From: pgasca <87044997+pgasca@users.noreply.github.com> Date: Tue, 25 Mar 2025 15:55:14 -0500 Subject: [PATCH 302/940] Did required replacement of AWS to {aws} --- latest/ug/storage/efs-csi.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/storage/efs-csi.adoc b/latest/ug/storage/efs-csi.adoc index ac8c23141..a59d73751 100644 --- a/latest/ug/storage/efs-csi.adoc +++ b/latest/ug/storage/efs-csi.adoc @@ -109,7 +109,7 @@ Run the following to create an IAM role with {aws-management-console}. . On the *Roles* page, choose *Create role*. . On the *Select trusted entity* page, do the following: .. If using EKS Pod Identities: -... In the *Trusted entity type* section, choose *AWS service*. +... In the *Trusted entity type* section, choose *{aws} service*. ... In the *Service or use case* drop down, choose *EKS*. ... In the *Use case* section, choose *EKS - Pod Identity*. ... Choose *Next*. From c46e089073258da3a1c1fe4b94706b9b23645212 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Tue, 25 Mar 2025 16:38:12 -0500 Subject: [PATCH 303/940] move 1.29 to extended support (#942) --- .../kubernetes-versions-extended.adoc | 24 +++++++++++++++++++ .../kubernetes-versions-standard.adoc | 23 ------------------ latest/ug/clusters/kubernetes-versions.adoc | 4 ++-- 3 files changed, 26 insertions(+), 25 deletions(-) diff --git a/latest/ug/clusters/kubernetes-versions-extended.adoc b/latest/ug/clusters/kubernetes-versions-extended.adoc index 92f775bd4..abba3ce8d 100644 --- a/latest/ug/clusters/kubernetes-versions-extended.adoc +++ b/latest/ug/clusters/kubernetes-versions-extended.adoc @@ -14,6 +14,30 @@ Amazon EKS supports Kubernetes versions longer than they are supported upstream, This topic gives important changes to be aware of for each [.noloc]`Kubernetes` version in extended support. When upgrading, carefully review the changes that have occurred between the old and new versions for your cluster. + +[#kubernetes-1-29] +== Kubernetes 1.29 + +Kubernetes `1.29` is now available in Amazon EKS. For more information about Kubernetes `1.29`, see the https://kubernetes.io/blog/2023/12/13/kubernetes-v1-29-release/[official release announcement]. + +[IMPORTANT] +==== + + +* The deprecated `flowcontrol.apiserver.k8s.io/v1beta2` API version of `FlowSchema` and `PriorityLevelConfiguration` are no longer served in Kubernetes version `1.29`. If you have manifests or client software that uses the deprecated beta API group, you should change these before you upgrade to version `1.29`. + +==== + +* The `.status.kubeProxyVersion` field for node objects is now deprecated, and the Kubernetes project is proposing to remove that field in a future release. The deprecated field is not accurate and has historically been managed by `kubelet` - which does not actually know the `kube-proxy` version, or even whether `kube-proxy` is running. If you've been using this field in client software, stop - the information isn't reliable and the field is now deprecated. +* In Kubernetes `1.29` to reduce potential attack surface, the `LegacyServiceAccountTokenCleanUp` feature labels legacy auto-generated secret-based tokens as invalid if they have not been used for a long time (1 year by default), and automatically removes them if use is not attempted for a long time after being marked as invalid (1 additional year by default). To identify such tokens, a you can run: ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl get cm kube-apiserver-legacy-service-account-token-tracking -n kube-system +---- + +For the complete Kubernetes `1.29` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1280. + [#kubernetes-1-28] == Kubernetes 1.28 diff --git a/latest/ug/clusters/kubernetes-versions-standard.adoc b/latest/ug/clusters/kubernetes-versions-standard.adoc index 86cddb85a..416040c89 100644 --- a/latest/ug/clusters/kubernetes-versions-standard.adoc +++ b/latest/ug/clusters/kubernetes-versions-standard.adoc @@ -110,26 +110,3 @@ Kubernetes `1.30` is now available in Amazon EKS. For more information about Kub * The minimum required IAM policy for the Amazon EKS cluster IAM role has changed. The action `ec2:DescribeAvailabilityZones` is required. For more information, see <>. For the complete Kubernetes `1.30` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md. - -[#kubernetes-1-29] -== Kubernetes 1.29 - -Kubernetes `1.29` is now available in Amazon EKS. For more information about Kubernetes `1.29`, see the https://kubernetes.io/blog/2023/12/13/kubernetes-v1-29-release/[official release announcement]. - -[IMPORTANT] -==== - - -* The deprecated `flowcontrol.apiserver.k8s.io/v1beta2` API version of `FlowSchema` and `PriorityLevelConfiguration` are no longer served in Kubernetes version `1.29`. If you have manifests or client software that uses the deprecated beta API group, you should change these before you upgrade to version `1.29`. - -==== - -* The `.status.kubeProxyVersion` field for node objects is now deprecated, and the Kubernetes project is proposing to remove that field in a future release. The deprecated field is not accurate and has historically been managed by `kubelet` - which does not actually know the `kube-proxy` version, or even whether `kube-proxy` is running. If you've been using this field in client software, stop - the information isn't reliable and the field is now deprecated. -* In Kubernetes `1.29` to reduce potential attack surface, the `LegacyServiceAccountTokenCleanUp` feature labels legacy auto-generated secret-based tokens as invalid if they have not been used for a long time (1 year by default), and automatically removes them if use is not attempted for a long time after being marked as invalid (1 additional year by default). To identify such tokens, a you can run: -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl get cm kube-apiserver-legacy-service-account-token-tracking -n kube-system ----- - -For the complete Kubernetes `1.29` changelog, see https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1280. \ No newline at end of file diff --git a/latest/ug/clusters/kubernetes-versions.adoc b/latest/ug/clusters/kubernetes-versions.adoc index 2a0014b79..2100a727f 100644 --- a/latest/ug/clusters/kubernetes-versions.adoc +++ b/latest/ug/clusters/kubernetes-versions.adoc @@ -32,7 +32,7 @@ The following Kubernetes versions are currently available in Amazon EKS standard * `1.32` * `1.31` * `1.30` -* `1.29` + For important changes to be aware of for each version in standard support, see <>. @@ -41,7 +41,7 @@ For important changes to be aware of for each version in standard support, see < The following Kubernetes versions are currently available in Amazon EKS extended support: - +* `1.29` * `1.28` * `1.27` * `1.26` From a13b804020146c6ed97237766dc8d63b9814fa4d Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Tue, 25 Mar 2025 17:57:59 -0500 Subject: [PATCH 304/940] disable vale --- .github/workflows/vale.yml | 28 ---------------------------- 1 file changed, 28 deletions(-) delete mode 100644 .github/workflows/vale.yml diff --git a/.github/workflows/vale.yml b/.github/workflows/vale.yml deleted file mode 100644 index 0ea1ba69d..000000000 --- a/.github/workflows/vale.yml +++ /dev/null @@ -1,28 +0,0 @@ -name: AWS Brand Checks - -on: - pull_request: - workflow_dispatch: - -jobs: - style-job: - runs-on: ubuntu-latest - steps: - - name: Check out - uses: actions/checkout@v3 - - # Vale uses asciidoctor - - name: Install Asciidoctor - run: sudo apt-get install -y asciidoctor - - - name: Enforce AWS Brand Attribute - uses: errata-ai/vale-action@reviewdog - env: - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} - with: - fail_on_error: true - reporter: github-pr-check - filter_mode: added - files: latest/ug - vale_flags: "--config brand.vale.ini" - continue-on-error: false From cd27668fed50b6a83d5c5e2cb9d22d9e8a289466 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Tue, 25 Mar 2025 18:00:57 -0500 Subject: [PATCH 305/940] Update auto-change.adoc --- latest/ug/automode/auto-change.adoc | 2 -- 1 file changed, 2 deletions(-) diff --git a/latest/ug/automode/auto-change.adoc b/latest/ug/automode/auto-change.adoc index eb3ec3244..98f372d7e 100644 --- a/latest/ug/automode/auto-change.adoc +++ b/latest/ug/automode/auto-change.adoc @@ -7,8 +7,6 @@ include::../attributes.txt[] This page documents updates to Amazon EKS Auto Mode. You can periodically check this page for announcements about features, bug fixes, known issues, and deprecated functionality. -The dates below are when the change is expected to be available in all {aws} Regions. - == March 21, 2025 **Bug Fix:** Auto Mode nodes now resolve `kube-dns.kube-system.svc.cluster.local` correctly when there isn't a `kube-dns` service installed in the cluster. Addresses GitHub issue https://github.com/aws/containers-roadmap/issues/2546[#2546]. From 8eac7c9b80c46ebb3a290a0a2d7d78f9c0909087 Mon Sep 17 00:00:00 2001 From: Maicon Alegre Date: Wed, 26 Mar 2025 13:46:59 +1030 Subject: [PATCH 306/940] add summary of the EKS Cluster upgrade process --- latest/ug/clusters/update-cluster.adoc | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/latest/ug/clusters/update-cluster.adoc b/latest/ug/clusters/update-cluster.adoc index 5861df86d..112c9dfb6 100644 --- a/latest/ug/clusters/update-cluster.adoc +++ b/latest/ug/clusters/update-cluster.adoc @@ -29,6 +29,20 @@ To ensure that the API server endpoint for your cluster is always accessible, Am NOTE: To learn more about what goes into a cluster update, see link:eks/latest/best-practices/cluster-upgrades.html["Best Practices for Cluster Upgrades",type="documentation"] in the EKS Best Practices Guide. This resource helps you plan an upgrade, and understand the strategy of upgrading a cluster. +== Summary +The high-level summary of the EKS Cluster upgrade process is as follows: + +Step 1: Ensure your cluster is in a state that will support an upgrade; this includes checking the Kubernetes APIs used by resources deployed into the cluster, ensuring the cluster is free of any heal issues, etc. Customers should use EKS upgrade insights when evaluating their cluster's upgrade readiness +This is the most important step. +Step 2: Upgrade the control plane to the next minor version (i.e. 1.31 → 1.32) +Step 3: Upgrade the nodes in the data plane to match that of the control plane +Step 4: Upgrade the “core” addons (the addons provided by EKS - CoreDNS, VPC CNI, kube-proxy, etc.) + - AWS VPC CNI recommended version: link:eks/latest/networking/managing-vpc-cni.html["Manage AWS VPC CNI in Amazon EKS clusters",type="documentation"] + - kube-proxy recommended version: link:eks/latest/networking/managing-kube-proxy.html["Manage kube-proxy in Amazon EKS clusters",type="documentation"] + - CoreDNS recommended version: link:eks/latest/networking/managing-coredns.html["Manage CoreDNS in Amazon EKS clusters",type="documentation"] +Step 5: Upgrade any additional applications that run on the cluster (i.e. - cluster-autoscaler) +Step 6: Upgrade any clients that communicate with the cluster (i.e. - kubectl) + == Considerations for Amazon EKS Auto Mode * The compute capability of Amazon EKS Auto Mode controls the Kubernetes version of nodes. After you upgrade the control plane, EKS Auto Mode will begin incrementally updating managed nodes. EKS Auto Mode respects pod disruption budgets. From 28452a06ba9db0a91847a02b69a2be4c215f0a2a Mon Sep 17 00:00:00 2001 From: pgasca <87044997+pgasca@users.noreply.github.com> Date: Wed, 26 Mar 2025 10:24:44 -0500 Subject: [PATCH 307/940] Rewrites and rearranged steps to better match full procedure --- latest/ug/clusters/update-cluster.adoc | 30 +++++++++++++------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/latest/ug/clusters/update-cluster.adoc b/latest/ug/clusters/update-cluster.adoc index 112c9dfb6..5e5d06752 100644 --- a/latest/ug/clusters/update-cluster.adoc +++ b/latest/ug/clusters/update-cluster.adoc @@ -29,25 +29,25 @@ To ensure that the API server endpoint for your cluster is always accessible, Am NOTE: To learn more about what goes into a cluster update, see link:eks/latest/best-practices/cluster-upgrades.html["Best Practices for Cluster Upgrades",type="documentation"] in the EKS Best Practices Guide. This resource helps you plan an upgrade, and understand the strategy of upgrading a cluster. -== Summary -The high-level summary of the EKS Cluster upgrade process is as follows: - -Step 1: Ensure your cluster is in a state that will support an upgrade; this includes checking the Kubernetes APIs used by resources deployed into the cluster, ensuring the cluster is free of any heal issues, etc. Customers should use EKS upgrade insights when evaluating their cluster's upgrade readiness -This is the most important step. -Step 2: Upgrade the control plane to the next minor version (i.e. 1.31 → 1.32) -Step 3: Upgrade the nodes in the data plane to match that of the control plane -Step 4: Upgrade the “core” addons (the addons provided by EKS - CoreDNS, VPC CNI, kube-proxy, etc.) - - AWS VPC CNI recommended version: link:eks/latest/networking/managing-vpc-cni.html["Manage AWS VPC CNI in Amazon EKS clusters",type="documentation"] - - kube-proxy recommended version: link:eks/latest/networking/managing-kube-proxy.html["Manage kube-proxy in Amazon EKS clusters",type="documentation"] - - CoreDNS recommended version: link:eks/latest/networking/managing-coredns.html["Manage CoreDNS in Amazon EKS clusters",type="documentation"] -Step 5: Upgrade any additional applications that run on the cluster (i.e. - cluster-autoscaler) -Step 6: Upgrade any clients that communicate with the cluster (i.e. - kubectl) - == Considerations for Amazon EKS Auto Mode * The compute capability of Amazon EKS Auto Mode controls the Kubernetes version of nodes. After you upgrade the control plane, EKS Auto Mode will begin incrementally updating managed nodes. EKS Auto Mode respects pod disruption budgets. * You do not have to manually upgrade the capabilities of Amazon EKS Auto Mode, including the compute autoscaling, block storage, and load balancing capabilities. +[#update-cluster-summary] +== Summary +The high-level summary of the Amazon EKS cluster upgrade process is as follows: + +. Ensure your cluster is in a state that will support an upgrade. This includes checking the Kubernetes APIs used by resources deployed into the cluster, ensuring the cluster is free of any health issues. You should use Amazon EKS upgrade insights when evaluating your cluster's upgrade readiness. +. Upgrade the control plane to the next minor version (for example, from {k8s-n-1} to {k8s-n}). +. Upgrade the nodes in the data plane to match that of the control plane. +. Upgrade any additional applications that run on the cluster (for example, `cluster-autoscaler`). +. Upgrade the add-ons provided by Amazon EKS, such as those included by default: + * <> + * <> + * <> +. Upgrade any clients that communicate with the cluster (for example, `kubectl`). + [#update-existing-cluster] == Step 1: Prepare for upgrade . Compare the Kubernetes version of your cluster control plane to the Kubernetes version of your nodes. @@ -256,4 +256,4 @@ kubectl apply -f https://raw.githubusercontent.com/NVIDIA/k8s-device-plugin/vX.X [#downgrade-cluster] == Downgrade the Kubernetes version for an Amazon EKS cluster -You cannot downgrade the Kubernetes of an Amazon EKS cluster. Instead, create a new cluster on a previous Amazon EKS version and migrate the workloads. \ No newline at end of file +You cannot downgrade the Kubernetes of an Amazon EKS cluster. Instead, create a new cluster on a previous Amazon EKS version and migrate the workloads. From 3246b56babc97765b7f90a5084be31193dd160b4 Mon Sep 17 00:00:00 2001 From: Chris Negus Date: Wed, 26 Mar 2025 15:38:24 +0000 Subject: [PATCH 308/940] Created Migrate from EKS Fargate to EKS Auto Mode page --- latest/ug/automode/auto-migrate-fargate.adoc | 242 +++++++++++++++++++ latest/ug/automode/migrate-auto.adoc | 4 +- 2 files changed, 245 insertions(+), 1 deletion(-) create mode 100644 latest/ug/automode/auto-migrate-fargate.adoc diff --git a/latest/ug/automode/auto-migrate-fargate.adoc b/latest/ug/automode/auto-migrate-fargate.adoc new file mode 100644 index 000000000..3cba8ae52 --- /dev/null +++ b/latest/ug/automode/auto-migrate-fargate.adoc @@ -0,0 +1,242 @@ +include::../attributes.txt[] + +[.topic] +[#auto-migrate-fargate] += Migrate from EKS Fargate to EKS Auto Mode +:info_titleabbrev: Migrate from Fargate + +This topic walks you through the process of migrating workloads from EKS Fargate to Amazon EKS Auto Mode using `kubectl`. +The migration can be performed gradually, allowing you to move workloads at your own pace while maintaining cluster stability and application availability throughout the transition. + +The step-by-step approach outlined below enables you to run EKS Fargate and EKS Auto Mode side by side during the migration period. +This dual-operation strategy helps ensure a smooth transition by allowing you to validate workload behavior on EKS Auto Mode before completely decommissioning EKS Fargate. +You can migrate applications individually or in groups, providing flexibility to accommodate your specific operational requirements and risk tolerance. + +## Comparing Amazon EKS Auto Mode and EKS with {aws} Fargate? + +Amazon EKS with {aws} Fargate remains an option for customers who want to run EKS, but Amazon EKS Auto Mode is the recommended approach moving forward. +EKS Auto Mode is fully Kubernetes conformant, supporting all upstream Kubernetes primitives and platform tools like Istio, which Fargate is unable to support. +EKS Auto Mode also fully supports all EC2 runtime purchase options, including GPU and Spot instances, enabling customers to leverage negotiated EC2 discounts and other savings mechanisms +These capabilities are not available when using EKS with Fargate. + +Furthermore, EKS Auto Mode allows customers to achieve the same isolation model as Fargate, using standard Kubernetes scheduling capabilities to ensure each EC2 instance runs a single application container. +By adopting Amazon EKS Auto Mode, customers can unlock the full benefits of running Kubernetes on {aws} — a fully Kubernetes-conformant platform that provides the flexibility to leverage the entire breadth of EC2 and purchasing options while retaining the ease of use and abstraction from infrastructure management that Fargate provides. + +## Prerequisites + +Before beginning the migration, ensure you have + +* Set up a cluster with Fargate. For more information, see <>. + +* Installed and connected `kubectl` to your cluster. For more information, see <>. + +## Step 1: Check the Fargate cluster + +. Check if the EKS cluster with Fargate is running: ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl get node +---- ++ +[source,subs="verbatim,attributes"] +---- +NAME STATUS ROLES AGE VERSION +fargate-ip-192-168-92-52.ec2.internal Ready 25m v1.30.8-eks-2d5f260 +fargate-ip-192-168-98-196.ec2.internal Ready 24m v1.30.8-eks-2d5f260 +---- +. Check running pods: ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl get pod -A +---- ++ +[source,subs="verbatim,attributes"] +---- +NAMESPACE NAME READY STATUS RESTARTS AGE +kube-system coredns-6659cb98f6-gxpjz 1/1 Running 0 26m +kube-system coredns-6659cb98f6-gzzsx 1/1 Running 0 26m +---- +. Create a deployment in a file called `deployment_fargate.yaml`: ++ +[source,bash,subs="verbatim,attributes"] +---- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-deployment + labels: + app: nginx +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + annotations: + eks.amazonaws.com/compute-type: fargate + spec: + containers: + - name: nginx + image: nginx + ports: + - containerPort: 80 +---- +. Apply the deployment: ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl apply -f deployment_fargate.yaml +---- ++ +[source,subs="verbatim,attributes"] +---- +deployment.apps/nginx-deployment created +---- +. Check the pods and deployments: ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl get pod,deploy +---- ++ +[source,subs="verbatim,attributes"] +---- +NAME READY STATUS RESTARTS AGE +pod/nginx-deployment-5c7479459b-6trtm 1/1 Running 0 61s +pod/nginx-deployment-5c7479459b-g8ssb 1/1 Running 0 61s +pod/nginx-deployment-5c7479459b-mq4mf 1/1 Running 0 61s + +NAME READY UP-TO-DATE AVAILABLE AGE +deployment.apps/nginx-deployment 3/3 3 3 61s +---- +. Check the node: ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl get node -owide +---- ++ +[source,subs="verbatim,attributes"] +---- +NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME +fargate-ip-192-168-111-43.ec2.internal Ready 31s v1.30.8-eks-2d5f260 192.168.111.43 Amazon Linux 2 5.10.234-225.910.amzn2.x86_64 containerd://1.7.25 +fargate-ip-192-168-117-130.ec2.internal Ready 36s v1.30.8-eks-2d5f260 192.168.117.130 Amazon Linux 2 5.10.234-225.910.amzn2.x86_64 containerd://1.7.25 +fargate-ip-192-168-74-140.ec2.internal Ready 36s v1.30.8-eks-2d5f260 192.168.74.140 Amazon Linux 2 5.10.234-225.910.amzn2.x86_64 containerd://1.7.25 +---- + +### Step 2: Enable EKS Auto Mode on the cluster + +. Enable EKS Auto Mode on your existing cluster using the {aws} CLI or Management Console. For more information, see <>. +. Check the nodepool: ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl get nodepool +---- ++ +[source,subs="verbatim,attributes"] +---- +NAME NODECLASS NODES READY AGE +eks-auto-mode default 0 True 3d14h +general-purpose default 1 True 6m58s +system default 0 True 3d14h +---- + +### Step 3: Update workloads for migration + +Identify and update the workloads you want to migrate to EKS Auto Mode. +Add both tolerations and node selectors to these workloads and add annotation. + +EKS Auto Mode uses different labels than `fargate`. +Labels related to EC2 managed instances start with `eks.amazonaws.com`. +For more information, see <>. + +. Modify your deployments (for example, the `deployment_fargate.yaml` file) to change the compute type to `ec2`: ++ +[source,bash,subs="verbatim,attributes"] +---- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-deployment + labels: + app: nginx +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + annotations: + eks.amazonaws.com/compute-type: ec2 + spec: + containers: + - name: nginx + image: nginx + ports: + - containerPort: 80 +---- +. Apply the deployment. This change allows the workload to be scheduled on the new EKS Auto Mode nodes: ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl apply -f deployment_fargate.yaml +---- +. Check that deployment is running in the EKS Automode: ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl get pod -o wide +---- ++ +[source,subs="verbatim,attributes"] +---- +NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES +nginx-deployment-97967b68d-ffxxh 1/1 Running 0 3m31s 192.168.43.240 i-0845aafcb51630ffb +nginx-deployment-97967b68d-mbcgj 1/1 Running 0 2m37s 192.168.43.241 i-0845aafcb51630ffb +nginx-deployment-97967b68d-qpd8x 1/1 Running 0 2m35s 192.168.43.242 i-0845aafcb51630ffb +---- +. Verify there is no Fargate node running and that there is no deployment running in the EKS Automode manage nodes: ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl get node -owide +---- ++ +[source,subs="verbatim,attributes"] +---- +NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME +i-0845aafcb51630ffb Ready 3m30s v1.30.8-eks-3c20087 192.168.41.125 3.81.118.95 Bottlerocket (EKS Auto) 2025.3.14 (aws-k8s-1.30) 6.1.129 containerd://1.7.25+bottlerocket +---- + +### Step 4: Gradually migrate workloads + +Repeat Step 3 for each workload you want to migrate. +This allows you to move workloads individually or in groups, based on your requirements and risk tolerance. + +### Step 5: Remove the original fargate profile + +Once all workloads have been migrated, you can remove the original `fargate` profile. +Replace [.replaceable]`` with the name of your Fargate profile: + +[source,bash,subs="verbatim,attributes"] +---- +aws eks delete-fargate-profile --cluster-name eks-fargate-demo-cluster --fargate-profile-name +---- + +### Step 6: Scale down CoreDNS + +Because EKS Auto mode handles CoreDNS, you scale the `coredns` deployment down to 0: + +[source,bash,subs="verbatim,attributes"] +---- +kubectl scale deployment coredns -n kube-system —replicas=0 +---- diff --git a/latest/ug/automode/migrate-auto.adoc b/latest/ug/automode/migrate-auto.adoc index 4572bc2d3..2fa12dd09 100644 --- a/latest/ug/automode/migrate-auto.adoc +++ b/latest/ug/automode/migrate-auto.adoc @@ -68,4 +68,6 @@ include::auto-enable-existing.adoc[leveloffset=+1] include::auto-migrate-karpenter.adoc[leveloffset=+1] -include::auto-migrate-mng.adoc[leveloffset=+1] \ No newline at end of file +include::auto-migrate-mng.adoc[leveloffset=+1] + +include::auto-migrate-fargate.adoc[leveloffset=+1] From 13cdb26667c7ce47760e061e1c84789fddca3382 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Wed, 26 Mar 2025 12:45:08 -0500 Subject: [PATCH 309/940] Update automode-learn-instances.adoc (#943) --- latest/ug/automode/automode-learn-instances.adoc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/latest/ug/automode/automode-learn-instances.adoc b/latest/ug/automode/automode-learn-instances.adoc index 0eec64bd2..0974dd515 100644 --- a/latest/ug/automode/automode-learn-instances.adoc +++ b/latest/ug/automode/automode-learn-instances.adoc @@ -67,6 +67,8 @@ The following functionality works for both Managed instances and Standard EC2 in With EKS Auto Mode, {aws} determines the image (AMI) used for your compute nodes. {aws} monitors the rollout of new EKS Auto Mode AMI versions. If you experience workload issues related to an AMI version, create a support case. For more information, see link:awssupport/latest/user/case-management.html["Creating support cases and case management",type="documentation"] in the {aws} Support User Guide. +Generally, EKS releases a new AMI each week containing CVE and security fixes. + [#auto-supported-instances] == EKS Auto Mode supported instance reference From 8f8cf6abce55a427a93a2199f9fed116a9d4bd06 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Wed, 26 Mar 2025 12:45:17 -0500 Subject: [PATCH 310/940] add IMDS info for auto mode (#945) --- latest/ug/automode/automode-learn-instances.adoc | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/latest/ug/automode/automode-learn-instances.adoc b/latest/ug/automode/automode-learn-instances.adoc index 0974dd515..850446d77 100644 --- a/latest/ug/automode/automode-learn-instances.adoc +++ b/latest/ug/automode/automode-learn-instances.adoc @@ -112,6 +112,20 @@ Additionally, EKS Auto Mode will only create EC2 instances that meet the followi For more information, see link:ec2/latest/instancetypes/instance-type-names.html["Amazon EC2 instance type naming conventions",type="documentation"]. +== Instance Metadata Service + +* EKS Auto Mode enforces IMDSv2 with a hop limit of 1 by default, adhering to {aws} security best practices +* This default configuration cannot be modified in Auto Mode +* For add-ons that typically require IMDS access: +** Supply parameters, such as {aws} region, during installation to avoid IMDS lookups +** For more information, see <> +* If a pod absolutely requires IMDS access when running in Auto Mode: +** The pod must be configured to run with `hostNetwork: true` +** This allows the pod to access the instance metadata service directly +* Consider the security implications when granting pods access to instance metadata + +For more information about the EC2 Instance Metadata Service (IMDS), see link:AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html[Configure the Instance Metadata Service options,type="documentation"] in the EC2 User Guide. + == Considerations From 6fbb8c6e53441c0e6f41ed02b682e6494142edaa Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Wed, 26 Mar 2025 20:15:11 +0000 Subject: [PATCH 311/940] Merged from priv/pg-block-cluster-upgrades into mainline. --- latest/ug/clusters/cluster-insights.adoc | 11 ++- latest/ug/clusters/update-cluster.adoc | 91 ++++++++++++------------ latest/ug/doc-history.adoc | 9 ++- latest/ug/storage/ebs-csi.adoc | 2 +- 4 files changed, 65 insertions(+), 48 deletions(-) diff --git a/latest/ug/clusters/cluster-insights.adoc b/latest/ug/clusters/cluster-insights.adoc index 3ac9cbc7e..946926a0a 100644 --- a/latest/ug/clusters/cluster-insights.adoc +++ b/latest/ug/clusters/cluster-insights.adoc @@ -14,7 +14,16 @@ Amazon EKS cluster insights provide recommendations to help you follow Amazon EK * Before updating your cluster Kubernetes version, check the *Cluster insights* tab of the observability dashboard in the link:eks/home#/clusters[Amazon EKS console.,type="console"] * If your cluster has identified issues, review them and make appropriate fixes. The issues include links to Amazon EKS and Kubernetes. -* After fixing issues, wait for the cluster insights to refresh. If all issues have been resolved, <> +* After fixing issues, wait for the cluster insights to refresh. If all issues have been resolved, <>. + +[NOTE] +==== + +If Amazon EKS cluster insights identifies upgrade blocking issues on your cluster, it will prevent you from accidentally upgrading your cluster to the next Kubernetes version until you review and make appropriate fixes to resolve the issues identified. Once the issues are resolved, you will be able to upgrade your cluster. + +You can use an override flag to bypass upgrade insights checks. This can be useful when you believe you have addressed issues and the insight status is no longer accurate, or if you are operating in a developer environment. For more information, see <>. + +==== Amazon EKS returns insights related to Kubernetes version upgrade readiness. Upgrade insights identify possible issues that could impact Kubernetes cluster upgrades. This minimizes the effort that administrators spend preparing for upgrades and increases the reliability of applications on newer Kubernetes versions. Clusters are automatically scanned by Amazon EKS against a list of possible Kubernetes version upgrade impacting issues. Amazon EKS frequently updates the list of insight checks based on reviews of changes made in each Kubernetes version release. diff --git a/latest/ug/clusters/update-cluster.adoc b/latest/ug/clusters/update-cluster.adoc index 5e5d06752..f2207bdcb 100644 --- a/latest/ug/clusters/update-cluster.adoc +++ b/latest/ug/clusters/update-cluster.adoc @@ -15,7 +15,7 @@ When a new Kubernetes version is available in Amazon EKS, you can update your Am [IMPORTANT] ==== -Once you upgrade a cluster, you can't downgrade to a previous version. We recommend that, before you update to a new Kubernetes version, you review the information in <> and also review in the update steps in this topic. +Once you upgrade a cluster, you can't downgrade to a previous version. Before you update to a new Kubernetes version, we recommend that you review the information in <> and the update steps in this topic. ==== @@ -103,6 +103,8 @@ kubectl edit configmap coredns -n kube-system -o yaml == Step 2: Review upgrade considerations +Amazon EKS cluster insights automatically scan clusters against a list of potential Kubernetes version upgrade impacting issues such as deprecated Kubernetes API usage. Amazon EKS periodically updates the list of insight checks to perform based on evaluations of changes in the Kubernetes project. Amazon EKS also updates the insight checks list as changes are introduced in the Amazon EKS service along with new versions. For more information, see <>. + Review the https://kubernetes.io/docs/reference/using-api/deprecation-guide/[Deprecated API Migration Guide] in the Kubernetes docs. * If you're updating to version `1.23` and use Amazon EBS volumes in your cluster, then you must install the Amazon EBS CSI driver in your cluster before updating your cluster to version `1.23` to avoid workload disruptions. For more information, see <>. @@ -117,13 +119,32 @@ Review the https://kubernetes.io/docs/reference/using-api/deprecation-guide/[Dep * If your cluster is configured with a version of the Amazon VPC CNI plugin for Kubernetes that is earlier than `1.8.0`, then we recommend that you update the plugin to the latest version before updating your cluster. To update the plugin, see <>. * If you're updating your cluster to version `1.25` or later and have the {aws} Load Balancer Controller deployed in your cluster, then update the controller to version `2.4.7` or later _before_ updating your cluster version to `1.25`. For more information, see the <> release notes. +[#update-cluster-control-plane] == Step 3: Update cluster control plane +Whenever you try to upgrade the Kubernetes version of your cluster's control plane, cluster insights will check for certain upgrade impacting issues. Cluster insights will proactively prevent you from upgrading your cluster if any such issues are detected. You will need to review and resolve the issues in order to continue with the cluster upgrade. + +[NOTE] +==== + +It will take some time for cluster insights to update. To determine if a fix was successful, compare the time the change deployed to the "last refresh time" of the cluster insight. + +==== + +Once the upgrade impacting issues are resolved, you will be able to upgrade the Kubernetes version of your cluster. When needed, you can use the `--force` flag for update cluster version commands. Passing this flag will force the upgrade even if their are upgrade impacting issues detected by cluster insights. + +[NOTE] +==== + +While the `--force` flag can be useful when testing upgrades in lower (non-production) environments, it is not recommended to be used in production environments unless the insight is no longer accurate. For example, there could be cases where you address deprecated API usage, but it takes up to 30 days for the insight status to update. Upgrade insights always looks for deprecated API usage over a rolling 30 day window. + +==== + You can submit the request to upgrade your EKS control plane version using: * <> * <> -* <> +* <> [#step3-eksctl] === Update cluster - eksctl @@ -137,36 +158,36 @@ eksctl version For instructions on how to install and update `eksctl`, see https://eksctl.io/installation[Installation] in the `eksctl` documentation. -Update the Kubernetes version of your Amazon EKS control plane. Replace [.replaceable]`my-cluster` with your cluster name. Replace [.replaceable]`1.30` with the Amazon EKS supported version number that you want to update your cluster to. For a list of supported version numbers, see <>. +Update the Kubernetes version of your Amazon EKS control plane. Replace `` with your cluster name. Replace `` with the Amazon EKS supported version number that you want to update your cluster to. For a list of supported version numbers, see <>. [source,bash,subs="verbatim,attributes"] ---- -eksctl upgrade cluster --name my-cluster --version 1.30 --approve +eksctl upgrade cluster --name --version --approve ---- The update takes several minutes to complete. -Continue to <> +Continue to <>. [#step3-console] === Update cluster - {aws} console . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. -. Choose the name of the Amazon EKS cluster to update and choose *Update cluster version*. -. For *Kubernetes version*, select the version to update your cluster to and choose *Update*. -. For *Cluster name*, enter the name of your cluster and choose *Confirm*. -+ -The update takes several minutes to complete. -. Continue to <> +. Choose *Upgrade now* for a cluster you wish to upgrade. +. Select the version to update your cluster to and choose *Upgrade*. +. If cluster insights has identified any upgrade impacting issues, Amazon EKS will prevent you from upgrading your cluster. You can force the upgrade by typing `confirm` in the *confirm upgrade* field and choosing *upgrade*. +. The update takes several minutes to complete. Continue to <>. [#step3-cli] === Update cluster - {aws} CLI -. Update your Amazon EKS cluster with the following {aws} CLI command. Replace the [.replaceable]`example values` with your own. Replace [.replaceable]`1.30` with the Amazon EKS supported version number that you want to update your cluster to. For a list of supported version numbers, see <>. +. Verify that the {aws} CLI is installed and that you are logged in. For more information, see link:cli/latest/userguide/getting-started-install.html[Installing or updating to the latest version of the {aws} CLI,type="documentation"]. +. Update your Amazon EKS cluster with the following {aws} CLI command. Replace `` and `` of the cluster you want to upgrade. Replace `` with the Amazon EKS supported version number that you want to update your cluster to. For a list of supported version numbers, see <>. + [source,bash,subs="verbatim,attributes"] ---- -aws eks update-cluster-version --region region-code --name my-cluster --kubernetes-version 1.30 +aws eks update-cluster-version --name \ + --kubernetes-version --region ---- + An example output is as follows. @@ -175,13 +196,13 @@ An example output is as follows. ---- { "update": { - "id": "b5f0ba18-9a87-4450-b5a0-825e6e84496f", + "id": "", "status": "InProgress", "type": "VersionUpdate", "params": [ { "type": "Version", - "value": "1.30" + "value": "" }, { "type": "PlatformVersion", @@ -194,38 +215,18 @@ An example output is as follows. ---- -. Monitor the status of your cluster update with the following command. Use the cluster name and update ID that the previous command returned. When a `Successful` status is displayed, the update is complete. The update takes several minutes to complete. +. The update takes several minutes to complete. Monitor the status of your cluster update with the following command. In addition to using the same `` and ``, use the `` that the previous command returned. + [source,bash,subs="verbatim,attributes"] ---- -aws eks describe-update --region region-code --name my-cluster --update-id b5f0ba18-9a87-4450-b5a0-825e6e84496f +aws eks describe-update --name \ + --region --update-id ---- + -An example output is as follows. +If needed, resolve any upgrade impacting issues and repeat this procedure. If you need to override `ERROR` status upgrade insights checks that you believe are no longer applicable, add the ` --force` flag to the `update-cluster-version` command. + -[source,bash,subs="verbatim,attributes"] ----- -{ - "update": { - "id": "b5f0ba18-9a87-4450-b5a0-825e6e84496f", - "status": "Successful", - "type": "VersionUpdate", - "params": [ - { - "type": "Version", - "value": "1.30" - }, - { - "type": "PlatformVersion", - "value": "eks.1" - } - ], -[...] - "errors": [] - } - ----- -. Continue to <> +When a `Successful` status is displayed, the update is complete. +. Continue to <>. [#step4] == Step 4: Update cluster components @@ -234,17 +235,17 @@ An example output is as follows. . (Optional) If you deployed the Kubernetes Cluster Autoscaler to your cluster before updating the cluster, update the Cluster Autoscaler to the latest version that matches the Kubernetes major and minor version that you updated to. + .. Open the Cluster Autoscaler https://github.com/kubernetes/autoscaler/releases[releases] page in a web browser and find the latest Cluster Autoscaler version that matches your cluster's Kubernetes major and minor version. For example, if your cluster's Kubernetes version is `1.30` find the latest Cluster Autoscaler release that begins with `1.30`. Record the semantic version number (``1.30.n``, for example) for that release to use in the next step. -.. Set the Cluster Autoscaler image tag to the version that you recorded in the previous step with the following command. If necessary, replace [.replaceable]`1.30`.[.replaceable]`n` with your own value. +.. Set the Cluster Autoscaler image tag to the version that you recorded in the previous step with the following command. If necessary, replace `X.XX.X` with your own value. + [source,bash,subs="verbatim,attributes"] ---- -kubectl -n kube-system set image deployment.apps/cluster-autoscaler cluster-autoscaler=registry.k8s.io/autoscaling/cluster-autoscaler:v1.30.n +kubectl -n kube-system set image deployment.apps/cluster-autoscaler cluster-autoscaler=registry.k8s.io/autoscaling/cluster-autoscaler:vX.XX.X ---- -. (Clusters with GPU nodes only) If your cluster has node groups with GPU support (for example, `p3.2xlarge`), you must update the https://github.com/NVIDIA/k8s-device-plugin[NVIDIA device plugin for Kubernetes]DaemonSet on your cluster. Replace [.replaceable]`vX.X.X` with your desired https://github.com/NVIDIA/k8s-device-plugin/releases[NVIDIA/k8s-device-plugin] version before running the following command. +. (Clusters with GPU nodes only) If your cluster has node groups with GPU support (for example, `p3.2xlarge`), you must update the https://github.com/NVIDIA/k8s-device-plugin[NVIDIA device plugin for Kubernetes]DaemonSet on your cluster. Replace `` with your desired https://github.com/NVIDIA/k8s-device-plugin/releases[NVIDIA/k8s-device-plugin] version before running the following command. + [source,bash,subs="verbatim,attributes"] ---- -kubectl apply -f https://raw.githubusercontent.com/NVIDIA/k8s-device-plugin/vX.X.X/deployments/static/nvidia-device-plugin.yml +kubectl apply -f https://raw.githubusercontent.com/NVIDIA/k8s-device-plugin//deployments/static/nvidia-device-plugin.yml ---- . Update the Amazon VPC CNI plugin for Kubernetes, CoreDNS, and `kube-proxy` add-ons. We recommend updating the add-ons to the minimum versions listed in <>. + diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index 6a73ac891..3a90c1b99 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -14,12 +14,19 @@ The following table describes the major updates and new features for the Amazon [.updates] == Updates +[.update,date="2025-03-25"] +=== Updated cluster insights +[.update-ulink] +link:eks/latest/userguide/update-cluster.html#update-cluster-control-plane[type="documentation"] + +Cluster insights will proactively prevent you from upgrading your cluster for certain issues. You can override upgrade-blocking readiness checks if needed. + [.update,date="2025-02-28"] === {aws} managed policy updates [.update-ulink] link:eks/latest/userguide/security-iam-awsmanpol.html[type="documentation"] -Added permissions to `AmazonEKSServiceRolePolicy` to allow Amazon EKS to terminate EC2 instances created by Auto Mode. +Added permissions to `AmazonEKSServiceRolePolicy` to allow Amazon EKS to terminate EC2 instances created by Auto Mode. [.update,date="2025-01-27"] === Update strategies for managed node groups diff --git a/latest/ug/storage/ebs-csi.adoc b/latest/ug/storage/ebs-csi.adoc index 67acc0d78..98c091736 100644 --- a/latest/ug/storage/ebs-csi.adoc +++ b/latest/ug/storage/ebs-csi.adoc @@ -90,7 +90,7 @@ eksctl create iamserviceaccount \ --attach-policy-arn {arn-aws}iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy \ --approve ---- -. If you use a custom link:kms/[KMS key,type="marketing"] for encryption on your Amazon EBS volumes, customize the IAM role as needed. For example, do the following: +. You can skip this step if you do not use a custom link:kms/[KMS key,type="marketing"]. If you use one for encryption on your Amazon EBS volumes, customize the IAM role as needed. For example, do the following: + .. Copy and paste the following code into a new `kms-key-for-encryption-on-ebs.json` file. Replace [.replaceable]`custom-key-arn` with the custom link:service-authorization/latest/reference/list_awskeymanagementservice.html#awskeymanagementservice-key[KMS key ARN,type="documentation"]. + From 75c1f441d2a1bb429ecae51d69941ee03c304d51 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Thu, 27 Mar 2025 15:38:43 +0000 Subject: [PATCH 312/940] Updated date to true release date. --- latest/ug/doc-history.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index 3a90c1b99..427d5c3d0 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -14,7 +14,7 @@ The following table describes the major updates and new features for the Amazon [.updates] == Updates -[.update,date="2025-03-25"] +[.update,date="2025-03-26"] === Updated cluster insights [.update-ulink] link:eks/latest/userguide/update-cluster.html#update-cluster-control-plane[type="documentation"] From 3c0ec0fd9ee63bca5522fafcbb4e3eebf1c26d3c Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Thu, 27 Mar 2025 20:02:03 +0000 Subject: [PATCH 313/940] Merged from priv/pg-bottlerocket-fips-amis into mainline. --- latest/ug/doc-history.adoc | 20 ++++- .../bottlerocket-compliance-support.adoc | 2 +- latest/ug/nodes/bottlerocket-fips-amis.adoc | 75 +++++++++++++++++++ .../nodes/eks-optimized-ami-bottlerocket.adoc | 4 +- 4 files changed, 95 insertions(+), 6 deletions(-) create mode 100644 latest/ug/nodes/bottlerocket-fips-amis.adoc diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index 427d5c3d0..39ff21b87 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -14,6 +14,15 @@ The following table describes the major updates and new features for the Amazon [.updates] == Updates + +[.update,date="2025-03-27"] +=== Bottlerocket FIPS AMIs +[.update-ulink] +link:eks/latest/userguide/bottlerocket-fips-amis.html[type="documentation"] + +Bottlerocket FIPS AMIs are now available in standard managed node groups. + + [.update,date="2025-03-26"] === Updated cluster insights [.update-ulink] @@ -21,12 +30,15 @@ link:eks/latest/userguide/update-cluster.html#update-cluster-control-plane[type= Cluster insights will proactively prevent you from upgrading your cluster for certain issues. You can override upgrade-blocking readiness checks if needed. + [.update,date="2025-02-28"] === {aws} managed policy updates [.update-ulink] link:eks/latest/userguide/security-iam-awsmanpol.html[type="documentation"] Added permissions to `AmazonEKSServiceRolePolicy` to allow Amazon EKS to terminate EC2 instances created by Auto Mode. +Added permissions to `AmazonEKSServiceRolePolicy` to allow Amazon EKS to terminate EC2 instances created by Auto Mode. + [.update,date="2025-01-27"] === Update strategies for managed node groups @@ -35,6 +47,7 @@ link:eks/latest/userguide/managed-node-update-behavior.html#managed-node-update- You can now use update strategies to configure the version update process for managed node groups. This introduces the _minimal_ update strategy to terminate nodes before making new ones, which is useful in capacity constrained environments. The _default_ update strategy continues the existing behavior. + [.update,date="2025-01-23"] === Kubernetes version `1.32` [.update-ulink] @@ -46,6 +59,7 @@ Added Kubernetes version `1.32` support for new clusters and version upgrades. === Amazon EKS {aws} Region expansion Amazon EKS is now available in the Asia Pacific (Thailand) Region (`ap-southeast-7`) and Mexico (Central) (`mx-central-1`) {aws} Regions. EKS Auto Mode and VPC Endpoints for the EKS API aren't available in either Region. + [.update,date="2025-01-13"] === {aws} managed policy updates [.update-ulink] @@ -53,6 +67,7 @@ link:eks/latest/userguide/security-iam-awsmanpol.html[type="documentation"] Added multiple permissions to `AmazonEBSCSIDriverPolicy` to allow the Amazon EBS CSI Driver restore all snapshots, enable Fast Snapshot Restore (FSR) on EBS volumes, and modify tags on volumes. + [.update,date="2024-12-26"] === {aws} managed policy updates [.update-ulink] @@ -213,7 +228,6 @@ link:eks/latest/userguide/security-iam-awsmanpol.html[type="documentation"] EKS added a new {aws} managed policy: `AmazonEKSBlockStoragePolicy` - [.update,date="2024-10-30"] === {aws} managed policy updates [.update-ulink] @@ -222,7 +236,6 @@ link:eks/latest/userguide/security-iam-awsmanpol.html[type="documentation"] EKS added a new {aws} managed policy: `AmazonEKSLoadBalancingPolicy` - [.update,date="2024-10-29"] === {aws} managed policy updates [.update-ulink] @@ -231,7 +244,6 @@ link:eks/latest/userguide/security-iam-awsmanpol.html[type="documentation"] Added `cloudwatch:PutMetricData` permissions to `AmazonEKSServiceRolePolicy` to allow Amazon EKS to publish metrics to Amazon CloudWatch. - [.update,date="2024-10-28"] === {aws} managed policy updates [.update-ulink] @@ -240,7 +252,6 @@ link:eks/latest/userguide/security-iam-awsmanpol.html[type="documentation"] EKS added a new {aws} managed policy: `AmazonEKSNetworkingPolicy` - [.update,date="2024-10-21"] === {aws} managed policy updates [.update-ulink] @@ -248,6 +259,7 @@ link:eks/latest/userguide/security-iam-awsmanpol.html[type="documentation"] Added `autoscaling:ResumeProcesses`, `autoscaling:SuspendProcesses`, and associated permissions to `AWSServiceRoleForAmazonEKSNodegroup` in China regions to integrate with Amazon Application Recovery Controller for EKS. No changes to other regions. + [.update,date="2024-10-21"] === Dual-stack endpoints for new `IPv6` clusters [.update-ulink] diff --git a/latest/ug/nodes/bottlerocket-compliance-support.adoc b/latest/ug/nodes/bottlerocket-compliance-support.adoc index 185a3e629..e20d57401 100644 --- a/latest/ug/nodes/bottlerocket-compliance-support.adoc +++ b/latest/ug/nodes/bottlerocket-compliance-support.adoc @@ -15,4 +15,4 @@ Bottlerocket complies with recommendations defined by various organizations: * There is a https://www.cisecurity.org/benchmark/bottlerocket[CIS Benchmark] defined for Bottlerocket. In a default configuration, Bottlerocket image has most of the controls required by CIS Level 1 configuration profile. You can implement the controls required for a CIS Level 2 configuration profile. For more information, see link:containers/validating-amazon-eks-optimized-bottlerocket-ami-against-the-cis-benchmark[Validating Amazon EKS optimized Bottlerocket AMI against the CIS Benchmark,type="blog"] on the {aws} blog. * The optimized feature set and reduced attack surface means that Bottlerocket instances require less configuration to satisfy PCI DSS requirements. The https://www.cisecurity.org/benchmark/bottlerocket[CIS Benchmark for Bottlerocket] is an excellent resource for hardening guidance, and supports your requirements for secure configuration standards under PCI DSS requirement 2.2. You can also leverage https://opensearch.org/blog/technical-post/2022/07/bottlerocket-k8s-fluent-bit/[Fluent Bit] to support your requirements for operating system level audit logging under PCI DSS requirement 10.2. {aws} publishes new (patched) Bottlerocket instances periodically to help you meet PCI DSS requirement 6.2 (for v3.2.1) and requirement 6.3.3 (for v4.0). * Bottlerocket is an HIPAA-eligible feature authorized for use with regulated workloads for both Amazon EC2 and Amazon EKS. For more information, see the link:pdfs/whitepapers/latest/architecting-hipaa-security-and-compliance-on-amazon-eks/architecting-hipaa-security-and-compliance-on-amazon-eks.pdf[Architecting for HIPAA Security and Compliance on Amazon EKS,type="documentation"] whitepaper. -* Bottlerocket AMIs are available that are preconfigured to use FIPS 140-3 validated cryptographic modules. This includes the Amazon Linux 2023 Kernel Crypto API Cryptographic Module and the {aws}-LC Cryptographic Module. For more information on selecting FIPS-enabled variants, see <>. \ No newline at end of file +* Bottlerocket AMIs are available that are preconfigured to use FIPS 140-3 validated cryptographic modules. This includes the Amazon Linux 2023 Kernel Crypto API Cryptographic Module and the {aws}-LC Cryptographic Module. For more information, see <>. \ No newline at end of file diff --git a/latest/ug/nodes/bottlerocket-fips-amis.adoc b/latest/ug/nodes/bottlerocket-fips-amis.adoc new file mode 100644 index 000000000..aa741b3e6 --- /dev/null +++ b/latest/ug/nodes/bottlerocket-fips-amis.adoc @@ -0,0 +1,75 @@ +include::../attributes.txt[] + +[.topic] +[#bottlerocket-fips-amis] += Make your worker nodes FIPS ready with Bottlerocket FIPS AMIs +:info_titleabbrev: Bottlerocket FIPS AMIs + +[abstract] +-- +Bottlerocket makes it easier to adhere to FIPS by offering AMIs with a FIPS kernel. +-- + +The Federal Information Processing Standard (FIPS) Publication 140-3 is a United States and Canadian government standard that specifies the security requirements for cryptographic modules that protect sensitive information. Bottlerocket makes it easier to adhere to FIPS by offering AMIs with a FIPS kernel. + +These AMIs are preconfigured to use FIPS 140-3 validated cryptographic modules. This includes the Amazon Linux 2023 Kernel Crypto API Cryptographic Module and the {aws}-LC Cryptographic Module. + +Using Bottlerocket FIPS AMIs makes your worker nodes "FIPS ready" but not automatically "FIPS-compliant". For more information, see link:compliance/fips/[Federal Information Processing Standard (FIPS) 140-3,type="marketing"]. + +== Considerations + +* If your cluster uses isolated subnets, the Amazon ECR FIPS endpoint may not be accessible. This can cause the node bootstrap to fail. Make sure that your network configuration allows access to the necessary FIPS endpoints. For more information, see link:vpc/latest/privatelink/use-resource-endpoint.html[Access a resource through a resource VPC endpoint,type="documentation"] in the _{aws} PrivateLink Guide_. +* If your cluster uses a subnet with <>, image pulls will fail because Amazon ECR FIPS endpoints are not available through PrivateLink. + +== Create a managed node group with a Bottlerocket FIPS AMI + +The Bottlerocket FIPS AMI comes in two variants to support your workloads: + +* `BOTTLEROCKET_x86_64_FIPS` +* `BOTTLEROCKET_ARM_64_FIPS` + +To create a managed node group with a Bottlerocket FIPS AMI, choose the applicable AMI type during the creation process. For more information, see <>. + +For more information on selecting FIPS-enabled variants, see <>. + +== Disable the FIPS endpoint for non-supported {aws} Regions + +Bottlerocket FIPS AMIs are supported directly in the United States, including {aws} GovCloud (US) Regions. For {aws} Regions where the AMIs are available but not supported directly, you can still use the AMIs by creating a managed node group with a launch template. + +The Bottlerocket FIPS AMI relies on the Amazon ECR FIPS endpoint during bootstrap, which are not generally available outside of the United States. To use the AMI for its FIPS kernel in {aws} Regions that don't have the Amazon ECR FIPS endpoint available, do these steps to disable the FIPS endpoint: + +. Create a new configuration file with the following content or incorporate the content into your existing configuration file. + +[source,bash,subs="verbatim,attributes"] +---- +[default] +use_fips_endpoint=false +---- + +. Encode the file content as Base64 format. +. In your launch template's `UserData`, add the following encoded string using TOML format: + +[source,bash,subs="verbatim,attributes"] +---- +[settings.aws] +config = "" +---- + +For other settings, see Bottlerocket's link:https://github.com/bottlerocket-os/bottlerocket?tab=readme-ov-file#description-of-settings[Description of settings] on GitHub. + +Here is an example of `UserData` in a launch template: + +[source,bash,subs="verbatim,attributes"] +---- +[settings] +motd = "Hello from eksctl!" +[settings.aws] +config = "W2RlZmF1bHRdCnVzZV9maXBzX2VuZHBvaW50PWZhbHNlCg==" # Base64-encoded string. +[settings.kubernetes] +api-server = "" +cluster-certificate = "" +cluster-name = "" +... +---- + +For more information on creating a launch template with user data, see <>. diff --git a/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc b/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc index 4013d2caa..31098508e 100644 --- a/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc +++ b/latest/ug/nodes/eks-optimized-ami-bottlerocket.adoc @@ -59,4 +59,6 @@ include::eks-ami-versions-bottlerocket.adoc[leveloffset=+1] include::retrieve-ami-id-bottlerocket.adoc[leveloffset=+1] -include::bottlerocket-compliance-support.adoc[leveloffset=+1] \ No newline at end of file +include::bottlerocket-compliance-support.adoc[leveloffset=+1] + +include::bottlerocket-fips-amis.adoc[leveloffset=+1] From fd5e190749d7357bb6949278bcfbbea9ada29b28 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Thu, 27 Mar 2025 21:56:46 +0000 Subject: [PATCH 314/940] Added clarification about insight checks. --- latest/ug/clusters/cluster-insights.adoc | 4 ++-- latest/ug/clusters/update-cluster.adoc | 15 +++++---------- 2 files changed, 7 insertions(+), 12 deletions(-) diff --git a/latest/ug/clusters/cluster-insights.adoc b/latest/ug/clusters/cluster-insights.adoc index 946926a0a..39db1d274 100644 --- a/latest/ug/clusters/cluster-insights.adoc +++ b/latest/ug/clusters/cluster-insights.adoc @@ -19,9 +19,9 @@ Amazon EKS cluster insights provide recommendations to help you follow Amazon EK [NOTE] ==== -If Amazon EKS cluster insights identifies upgrade blocking issues on your cluster, it will prevent you from accidentally upgrading your cluster to the next Kubernetes version until you review and make appropriate fixes to resolve the issues identified. Once the issues are resolved, you will be able to upgrade your cluster. +If Amazon EKS cluster insights identifies upgrade blocking issues on your cluster, it will prevent you from accidentally upgrading your cluster to the next Kubernetes version until you review and make appropriate fixes to resolve the issues identified. Once the issues are resolved, you will be able to upgrade your cluster. -You can use an override flag to bypass upgrade insights checks. This can be useful when you believe you have addressed issues and the insight status is no longer accurate, or if you are operating in a developer environment. For more information, see <>. +Amazon EKS refreshes cluster insights every 24 hours, but you can override upgrade insights checks without waiting when needed. For more information, see <>. ==== diff --git a/latest/ug/clusters/update-cluster.adoc b/latest/ug/clusters/update-cluster.adoc index f2207bdcb..269125857 100644 --- a/latest/ug/clusters/update-cluster.adoc +++ b/latest/ug/clusters/update-cluster.adoc @@ -122,21 +122,16 @@ Review the https://kubernetes.io/docs/reference/using-api/deprecation-guide/[Dep [#update-cluster-control-plane] == Step 3: Update cluster control plane -Whenever you try to upgrade the Kubernetes version of your cluster's control plane, cluster insights will check for certain upgrade impacting issues. Cluster insights will proactively prevent you from upgrading your cluster if any such issues are detected. You will need to review and resolve the issues in order to continue with the cluster upgrade. - -[NOTE] -==== - -It will take some time for cluster insights to update. To determine if a fix was successful, compare the time the change deployed to the "last refresh time" of the cluster insight. - -==== +Whenever you try to upgrade the Kubernetes version of your cluster's control plane, cluster insights will check for certain upgrade impacting issues. Cluster insights will proactively prevent you from upgrading your cluster if it detects any such issues. You will need to review and resolve the issues to continue with the cluster upgrade. Once the upgrade impacting issues are resolved, you will be able to upgrade the Kubernetes version of your cluster. When needed, you can use the `--force` flag for update cluster version commands. Passing this flag will force the upgrade even if their are upgrade impacting issues detected by cluster insights. -[NOTE] +[IMPORTANT] ==== -While the `--force` flag can be useful when testing upgrades in lower (non-production) environments, it is not recommended to be used in production environments unless the insight is no longer accurate. For example, there could be cases where you address deprecated API usage, but it takes up to 30 days for the insight status to update. Upgrade insights always looks for deprecated API usage over a rolling 30 day window. +Amazon EKS refreshes a cluster insight 24 hours after the "last refresh time". Once the next insight check is run and is determined to be resolved, you can upgrade your cluster normally. Additionally, it can take up to 30 days for the insight status to update after addressing deprecated API usage. Upgrade insights always looks for deprecated API usage over a rolling 30 day window. + +You can compare the time you addressed an issue to the "last refresh time" of the cluster insight. If you determine that the cluster insight is no longer accurate, you can add the ` --force` flag without waiting for the next insight check refresh. ==== From ff7adda49986a8660ae93da3349e112bf7e82145 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Thu, 27 Mar 2025 22:05:07 +0000 Subject: [PATCH 315/940] Formatting tweak. --- latest/ug/clusters/update-cluster.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/clusters/update-cluster.adoc b/latest/ug/clusters/update-cluster.adoc index 269125857..ba06fc2e6 100644 --- a/latest/ug/clusters/update-cluster.adoc +++ b/latest/ug/clusters/update-cluster.adoc @@ -131,7 +131,7 @@ Once the upgrade impacting issues are resolved, you will be able to upgrade the Amazon EKS refreshes a cluster insight 24 hours after the "last refresh time". Once the next insight check is run and is determined to be resolved, you can upgrade your cluster normally. Additionally, it can take up to 30 days for the insight status to update after addressing deprecated API usage. Upgrade insights always looks for deprecated API usage over a rolling 30 day window. -You can compare the time you addressed an issue to the "last refresh time" of the cluster insight. If you determine that the cluster insight is no longer accurate, you can add the ` --force` flag without waiting for the next insight check refresh. +You can compare the time you addressed an issue to the "last refresh time" of the cluster insight. If you determine that the cluster insight is no longer accurate, you can add the `--force` flag without waiting for the next insight check refresh. ==== @@ -218,7 +218,7 @@ aws eks describe-update --name \ --region --update-id ---- + -If needed, resolve any upgrade impacting issues and repeat this procedure. If you need to override `ERROR` status upgrade insights checks that you believe are no longer applicable, add the ` --force` flag to the `update-cluster-version` command. +If needed, resolve any upgrade impacting issues and repeat this procedure. If you need to override `ERROR` status upgrade insights checks that you believe are no longer applicable, add the `--force` flag to the `update-cluster-version` command. + When a `Successful` status is displayed, the update is complete. . Continue to <>. From 18563a00348d5da3a6bd398c3e0321558a484fb0 Mon Sep 17 00:00:00 2001 From: Leah Tucker Date: Wed, 5 Mar 2025 19:13:52 +0000 Subject: [PATCH 316/940] Add docs for disable session tags --- .../manage-access/aws-access/pod-id-abac.adoc | 21 +++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/latest/ug/manage-access/aws-access/pod-id-abac.adoc b/latest/ug/manage-access/aws-access/pod-id-abac.adoc index 1924c2d8b..06220ce92 100644 --- a/latest/ug/manage-access/aws-access/pod-id-abac.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-abac.adoc @@ -10,9 +10,10 @@ include::../../attributes.txt[] Learn how to use Amazon EKS Pod Identity to attach tags for cluster, namespace, and service account to temporary credentials, enabling attribute-based access control (ABAC) for EKS Pods to {aws} resources based on matching tags. -- -Attribute-based access control (ABAC) grants rights to users through policies which combine attributes together. EKS Pod Identity attaches tags to the temporary credentials to each Pod with attributes such as cluster name, namespace, and service account name. These role session tags enable administrators to author a single role that can work across service accounts by allowing access to {aws} resources based on matching tags. By adding support for role session tags, customers can enforce tighter security boundaries between clusters, and workloads within clusters, while reusing the same IAM roles and IAM policies. +Attribute-based access control (ABAC) grants rights to users through policies which combine attributes together. EKS Pod Identity attaches tags to the temporary credentials to each Pod with attributes such as cluster name, namespace, and service account name. These role session tags enable administrators to author a single role that can work across service accounts by allowing access to {aws} resources based on matching tags. By adding support for role session tags, you can enforce tighter security boundaries between clusters, and workloads within clusters, while reusing the same IAM roles and IAM policies. -For example, the following policy allows the `s3:GetObject` action if the object is tagged with the name of the EKS cluster. +== Sample policy with tags +Below is an IAM policy example that grants `s3:GetObject` permissions when the corresponding object is tagged with the EKS cluster name. [source,json,subs="verbatim,attributes"] ---- @@ -45,11 +46,13 @@ For example, the following policy allows the `s3:GetObject` action if the object [#pod-id-abac-tags] -== List of session tags added by EKS Pod Identity +== Enable or disable session tags -The following list contains all of the keys for tags that are added to the `AssumeRole` request made by Amazon EKS. To use these tags in policies, use `${aws:PrincipalTag/` followed by the key, for example `${aws:PrincipalTag/kubernetes-namespace}`. +EKS Pod Identity adds a pre-defined set of session tags when it assumes the role. These session tags enable administrators to author a single role that can work across resources by allowing access to {aws} resources based on matching tags. +=== Enable session tags +Session tags are automatically enabled with EKS Pod Identity--no action is required on your part. By default, EKS Pod Identity attaches a set of predefined tags to your session. To reference these tags in policies, use the syntax `${aws:PrincipalTag/` followed by the tag key. For example, `${aws:PrincipalTag/kubernetes-namespace}`. * `eks-cluster-arn` * `eks-cluster-name` @@ -58,6 +61,16 @@ The following list contains all of the keys for tags that are added to the `Assu * `kubernetes-pod-name` * `kubernetes-pod-uid` +=== Disable session tags + +AWS compresses inline session policies, managed policy ARNs, and session tags into a packed binary format that has a separate limit. If you receive a `PackedPolicyTooLarge` error indicating the packed binary format has exceeded the size limit, you can attempt to reduce the size by disabling the session tags added by EKS Pod Identity. To disable these session tags, follow these steps: + +. Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. +. In the left navigation pane, select *Clusters*, and then select the name of the cluster that you want to modify. +. Choose the *Access* tab. +. In the *Pod Identity associations*, choose the association ID you would like to modify in *Association ID*, then choose *Edit*. +. Under *Session tags*, choose *Disable session tags*. +. Choose *Save changes*. [#pod-id-abac-chaining] == Cross-account tags From e03520f91c499eb0ca0513cb732673e180202e1e Mon Sep 17 00:00:00 2001 From: Leah Tucker Date: Wed, 5 Mar 2025 19:14:20 +0000 Subject: [PATCH 317/940] Add docs for target IAM role plus left nav --- .../aws-access/pod-id-assign-target-role.adoc | 153 ++++++++++++++++++ .../aws-access/pod-identities.adoc | 2 + 2 files changed, 155 insertions(+) create mode 100644 latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc diff --git a/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc b/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc new file mode 100644 index 000000000..1fb618d9b --- /dev/null +++ b/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc @@ -0,0 +1,153 @@ +[.topic] +[#assign-target-role] += Access {aws} Resources using EKS Pod Identity Target IAM Roles +:info_titleabbrev: Assign Target IAM role + +include::../../attributes.txt[] + +[abstract] +-- +Learn how to configure account role access for Amazon EKS workloads using Pod Identity. +-- + +When running applications on Amazon Elastic Kubernetes Service (Amazon EKS), you might need to access {aws} resources that exist in the same or different {aws} accounts. This guide shows you how to set up access between these accounts using EKS Pod Identity, which enables your Kubernetes pods to access other {aws} resources. + +== Prerequisites + +Before you begin, ensure you have completed the following steps: + +* https://docs.aws.amazon.com/eks/latest/userguide/pod-id-agent-setup.html[Set up the Amazon EKS Pod Identity Agent] +* https://docs.aws.amazon.com/eks/latest/userguide/pod-id-role.html[Create an EKS Pod Identity role] + +== How It Works + +Pod Identity enables applications in your EKS cluster to access {aws} resources across accounts through a process called role chaining. When creating a Pod Identity association, you can provide two IAM roles—an link:eks/latest/userguide/pod-id-role.html["EKS Pod Identity role",type="documentation"] in the same account as your EKS cluster and a Target IAM Role from the account containing your {aws} resources (like S3 buckets or DynamoDB tables). The link:eks/latest/userguide/pod-id-role.html["EKS Pod Identity role",type="documentation"] must be in your EKS cluster's account due to https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam-passrole-service.html[IAM PassRole] requirements, while the Target IAM Role can be in any {aws} account. PassRole enables an {aws} entity to delegate role assumption to another service. EKS Pod Identity uses PassRole to connect a role to a Kubernetes service account, requiring both the role and the identity passing it to be in the same {aws} account as the EKS cluster. When your application pod needs to access {aws} resources, it requests credentials from Pod Identity. Pod Identity then automatically performs two role assumptions in sequence: first assuming the link:eks/latest/userguide/pod-id-role.html["EKS Pod Identity role",type="documentation"], then using those credentials to assume the Target IAM Role. This process provides your pod with temporary credentials that have the permissions defined in the target role, allowing secure access to resources in other {aws} accounts. + +== Caching considerations + +Due to caching mechanisms, updates to an IAM role in an existing Pod Identity association may not take effect immediately in the pods running on your EKS cluster. The Pod Identity Agent caches IAM credentials based on the association's configuration at the time the credentials are fetched. If the association includes only an link:eks/latest/userguide/pod-id-role.html["EKS Pod Identity role",type="documentation"] ARN and no Target IAM Role, the cached credentials last 6 hours. If the association includes both the link:eks/latest/userguide/pod-id-role.html["EKS Pod Identity role",type="documentation"] ARN and a Target IAM Role, the cached credentials last 59 minutes. Modifying an existing association, such as updating the link:eks/latest/userguide/pod-id-role.html["EKS Pod Identity role",type="documentation"] ARN or adding a Target IAM Role, does not reset the existing cache. As a result, the agent will not recognize updates until the cached credentials refresh. To apply changes sooner, you can recreate the existing pods; otherwise, you will need to wait for the cache to expire. + +== Step 1: Create and associate a Target IAM Role + +In this step, you will establish a secure trust chain by creating and configuring a Target IAM Role. For demonstration, we will create a new Target IAM Role to establish a trust chain between two {aws} accounts: the link:eks/latest/userguide/pod-id-role.html["EKS Pod Identity role",type="documentation"] (e.g., `eks-pod-identity-primary-role`) in the EKS cluster's {aws} account gains permission to assume the Target IAM Role (e.g. `eks-pod-identity-aws-resources`) in your target account, enabling access to {aws} resources like Amazon S3 buckets. + +=== Create the Target IAM Role + +1. Open the link:iam/home#/clusters[Amazon IAM console,type="console"]. +2. In the top navigation bar, verify that you are signed into the account containing the {aws} resources (like S3 buckets or DynamoDB tables) for your Target IAM Role. +3. In the left navigation pane, choose *Roles*. +4. Choose the *Create role* button, then *{aws} account* under "Trusted entity type." +5. Choose *Another {aws} account*, enter your {aws} account number (the account where your link:eks/latest/userguide/pod-id-role.html["EKS Pod Identity role",type="documentation"] exists), then choose *Next*. +6. Add the permission policies you would like to associate to the role (e.g., AmazonS3FullAccess), then choose *Next*. +7. Enter a role name, such as `MyCustomIAMTargetRole`, then choose *Create role*. + +=== Update the Target IAM Role trust policy + +1. After creating the role, you'll be returned to the *Roles* list. Find and select the new role you created in the previous step (e.g., `MyCustomIAMTargetRole`). +2. Select the *Trust relationships* tab. +3. Click *Edit trust policy* on the right side. +4. In the policy editor, replace the default JSON with your trust policy. Replace the placeholder values for role name and `111122223333` in the IAM role ARN with the {aws} account ID hosting your EKS cluster. For example: + +[source,json] +---- +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:role/eks-pod-identity-primary-role" + }, + "Action": "sts:AssumeRole", + }, + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:role/eks-pod-identity-primary-role" + }, + "Action": "sts:TagSession" + } + ] +} +---- + +=== Update the permission policy for EKS Pod Identity role + +In this step, you will update the permission policy of the link:eks/latest/userguide/pod-id-role.html["EKS Pod Identity role",type="documentation"] associated with your Amazon EKS cluster by adding the Target IAM Role ARN as a resource. + +1. Open the https://console.aws.amazon.com/eks/home#/clusters[Amazon EKS console]. +2. In the left navigation pane, select *Clusters*, and then select the name of your EKS cluster. +3. Choose the *Access* tab. +4. Under *Pod Identity associations*, select your link:eks/latest/userguide/pod-id-role.html["EKS Pod Identity role",type="documentation"]. +5. Choose *Permissions*, *Add permissions*, then *Create inline policy*. +6. Choose *JSON* on the right side. +7. In the policy editor, replace the default JSON with your permission policy. Replace the placeholder value for role name and `22222222` in the IAM role ARN with your Target IAM Role. For example: + +[source,json] +---- +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "sts:AssumeRole", + "sts:TagSession" + ], + "Resource": "arn:aws:iam::22222222:role/eks-pod-identity-aws-resources" + } + ] +} +---- + +== Step 2: Associate the Target IAM Role to a Kubernetes service account + +In this step, you will create an association between the Target IAM role and the Kubernetes service account in your EKS cluster. + +1. Open the https://console.aws.amazon.com/eks/home#/clusters[Amazon EKS console]. +2. In the left navigation pane, select *Clusters*, and then select the name of the cluster that you want to add the association to. +3. Choose the *Access* tab. +4. In the *Pod Identity associations*, choose *Create*. +5. Choose the link:eks/latest/userguide/pod-id-role.html["EKS Pod Identity role",type="documentation"] in *IAM role* for your workloads to assume. +6. Choose the Target IAM role in *Target IAM role* that will be assumed by the link:eks/latest/userguide/pod-id-role.html["EKS Pod Identity role",type="documentation"]. +7. In the *Kubernetes namespace* field, enter the name of the namespace where you want to create the association (e.g., `my-app-namespace`). This defines where the service account resides. +8. In the *Kubernetes service account* field, enter the name of the service account (e.g., `my-service-account`) that will use the IAM credentials. This links the IAM role to the service account. +9. Choose *Create* to create the association. + +== (Optional) Step 3: Add External Permissions to an IAM Target Role + +At times, you might need to give a third party access to your {aws} resources (delegate access). For example, you decide to hire a third-party company called Example Corp to monitor your {aws} account and help optimize costs. In order to track your daily spending, Example Corp needs to access your {aws} resources. In this case, we recommend adding an `ExternalId` to the trust policy of your IAM Target Role to avoid possible https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html[Confused Deputy] issues. + +=== Edit the trust policy + +1. After creating the role, you'll be returned to the *Roles* list. Find and click the new role you created in the previous step (e.g., `MyCustomIAMTargetRole`). +2. Select the *Trust relationships* tab. +3. Click *Edit trust policy* on the right side. +4. In the policy editor, replace the default JSON with your trust policy. Replace the `ExternalId` placeholder value for `aws-region/other-account/cluster-name/namespace/service-account-name`, where "region" is the {aws} region of your cluster, "111122223333" is the other {aws} account ID, "cluster-name" is the EKS cluster name, "namespace" is the Kubernetes namespace, and "service-account-name" is the Kubernetes service account name. For example: + +[source,json] +---- +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:role/eks-pod-identity-primary-role" + }, + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "region/111122223333/cluster-name/namespace/service-account-name" + } + }, + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:role/eks-pod-identity-primary-role" + }, + "Action": "sts:TagSession" + } + ] +} +---- \ No newline at end of file diff --git a/latest/ug/manage-access/aws-access/pod-identities.adoc b/latest/ug/manage-access/aws-access/pod-identities.adoc index 543af965c..33daffe17 100644 --- a/latest/ug/manage-access/aws-access/pod-identities.adoc +++ b/latest/ug/manage-access/aws-access/pod-identities.adoc @@ -15,6 +15,8 @@ include::pod-id-configure-pods.adoc[leveloffset=+1] include::pod-id-abac.adoc[leveloffset=+1] +include::pod-id-assign-target-role.adoc[leveloffset=+1] + include::pod-id-minimum-sdk.adoc[leveloffset=+1] include::pod-id-agent-config-ipv6.adoc[leveloffset=+1] From a18e903c40a6aa6b1dbb8ab00f18b8f80cf0fe5a Mon Sep 17 00:00:00 2001 From: Leah Tucker Date: Wed, 5 Mar 2025 20:23:58 +0000 Subject: [PATCH 318/940] Update page name for target role --- .../ug/manage-access/aws-access/pod-id-assign-target-role.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc b/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc index 1fb618d9b..641b83cef 100644 --- a/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc @@ -1,5 +1,5 @@ [.topic] -[#assign-target-role] +[#pod-id-assign-target-role] = Access {aws} Resources using EKS Pod Identity Target IAM Roles :info_titleabbrev: Assign Target IAM role From f41d1fe9e68faceed627070a46af6262950a87ba Mon Sep 17 00:00:00 2001 From: Leah Tucker Date: Wed, 5 Mar 2025 20:53:03 +0000 Subject: [PATCH 319/940] Update account placeholder --- .../manage-access/aws-access/pod-id-assign-target-role.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc b/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc index 641b83cef..601c24000 100644 --- a/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc @@ -81,7 +81,7 @@ In this step, you will update the permission policy of the link:eks/latest/userg 4. Under *Pod Identity associations*, select your link:eks/latest/userguide/pod-id-role.html["EKS Pod Identity role",type="documentation"]. 5. Choose *Permissions*, *Add permissions*, then *Create inline policy*. 6. Choose *JSON* on the right side. -7. In the policy editor, replace the default JSON with your permission policy. Replace the placeholder value for role name and `22222222` in the IAM role ARN with your Target IAM Role. For example: +7. In the policy editor, replace the default JSON with your permission policy. Replace the placeholder value for role name and `111122223333` in the IAM role ARN with your Target IAM Role. For example: [source,json] ---- @@ -94,7 +94,7 @@ In this step, you will update the permission policy of the link:eks/latest/userg "sts:AssumeRole", "sts:TagSession" ], - "Resource": "arn:aws:iam::22222222:role/eks-pod-identity-aws-resources" + "Resource": "arn:aws:iam::111122223333:role/eks-pod-identity-aws-resources" } ] } From da00db654cff8d855451fe7ea69a42b0b958ff51 Mon Sep 17 00:00:00 2001 From: Leah Tucker Date: Wed, 5 Mar 2025 21:02:03 +0000 Subject: [PATCH 320/940] Update to different aws account placeholder --- .../manage-access/aws-access/pod-id-assign-target-role.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc b/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc index 601c24000..47306de54 100644 --- a/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc @@ -81,7 +81,7 @@ In this step, you will update the permission policy of the link:eks/latest/userg 4. Under *Pod Identity associations*, select your link:eks/latest/userguide/pod-id-role.html["EKS Pod Identity role",type="documentation"]. 5. Choose *Permissions*, *Add permissions*, then *Create inline policy*. 6. Choose *JSON* on the right side. -7. In the policy editor, replace the default JSON with your permission policy. Replace the placeholder value for role name and `111122223333` in the IAM role ARN with your Target IAM Role. For example: +7. In the policy editor, replace the default JSON with your permission policy. Replace the placeholder value for role name and `222233334444` in the IAM role ARN with your Target IAM Role. For example: [source,json] ---- @@ -94,7 +94,7 @@ In this step, you will update the permission policy of the link:eks/latest/userg "sts:AssumeRole", "sts:TagSession" ], - "Resource": "arn:aws:iam::111122223333:role/eks-pod-identity-aws-resources" + "Resource": "arn:aws:iam::222233334444:role/eks-pod-identity-aws-resources" } ] } From 019e6d3c85aebd2a9f8c222701fa71ad702d095b Mon Sep 17 00:00:00 2001 From: Leah Tucker Date: Wed, 5 Mar 2025 21:13:37 +0000 Subject: [PATCH 321/940] Move up in the left nav --- latest/ug/manage-access/aws-access/pod-identities.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/manage-access/aws-access/pod-identities.adoc b/latest/ug/manage-access/aws-access/pod-identities.adoc index 33daffe17..2390f8486 100644 --- a/latest/ug/manage-access/aws-access/pod-identities.adoc +++ b/latest/ug/manage-access/aws-access/pod-identities.adoc @@ -11,12 +11,12 @@ include::pod-id-agent-setup.adoc[leveloffset=+1] include::pod-id-association.adoc[leveloffset=+1] +include::pod-id-assign-target-role.adoc[leveloffset=+1] + include::pod-id-configure-pods.adoc[leveloffset=+1] include::pod-id-abac.adoc[leveloffset=+1] -include::pod-id-assign-target-role.adoc[leveloffset=+1] - include::pod-id-minimum-sdk.adoc[leveloffset=+1] include::pod-id-agent-config-ipv6.adoc[leveloffset=+1] From b64ee74fb3b85fe34f969083bb9cf4318207861e Mon Sep 17 00:00:00 2001 From: Leah Tucker Date: Wed, 5 Mar 2025 22:22:57 +0000 Subject: [PATCH 322/940] Move attributes above page title --- .../ug/manage-access/aws-access/pod-id-assign-target-role.adoc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc b/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc index 47306de54..43388d723 100644 --- a/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc @@ -1,10 +1,9 @@ [.topic] [#pod-id-assign-target-role] +include::../../attributes.txt[] = Access {aws} Resources using EKS Pod Identity Target IAM Roles :info_titleabbrev: Assign Target IAM role -include::../../attributes.txt[] - [abstract] -- Learn how to configure account role access for Amazon EKS workloads using Pod Identity. From d03c114405538914ae3a171fe6bce2e698c8b575 Mon Sep 17 00:00:00 2001 From: Leah Tucker Date: Wed, 5 Mar 2025 22:57:33 +0000 Subject: [PATCH 323/940] Move attributes to the very top --- .../ug/manage-access/aws-access/pod-id-assign-target-role.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc b/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc index 43388d723..62337bd76 100644 --- a/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc @@ -1,6 +1,6 @@ +include::../../attributes.txt[] [.topic] [#pod-id-assign-target-role] -include::../../attributes.txt[] = Access {aws} Resources using EKS Pod Identity Target IAM Roles :info_titleabbrev: Assign Target IAM role From c6bc88422520f0b2252dfc1ff73daa5b6e4bfd42 Mon Sep 17 00:00:00 2001 From: Leah Tucker Date: Thu, 27 Mar 2025 23:39:25 +0000 Subject: [PATCH 324/940] Minor copyedits to documentation --- .../ug/manage-access/aws-access/pod-id-assign-target-role.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc b/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc index 62337bd76..7f55e41d2 100644 --- a/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc +++ b/latest/ug/manage-access/aws-access/pod-id-assign-target-role.adoc @@ -24,7 +24,7 @@ Pod Identity enables applications in your EKS cluster to access {aws} resources == Caching considerations -Due to caching mechanisms, updates to an IAM role in an existing Pod Identity association may not take effect immediately in the pods running on your EKS cluster. The Pod Identity Agent caches IAM credentials based on the association's configuration at the time the credentials are fetched. If the association includes only an link:eks/latest/userguide/pod-id-role.html["EKS Pod Identity role",type="documentation"] ARN and no Target IAM Role, the cached credentials last 6 hours. If the association includes both the link:eks/latest/userguide/pod-id-role.html["EKS Pod Identity role",type="documentation"] ARN and a Target IAM Role, the cached credentials last 59 minutes. Modifying an existing association, such as updating the link:eks/latest/userguide/pod-id-role.html["EKS Pod Identity role",type="documentation"] ARN or adding a Target IAM Role, does not reset the existing cache. As a result, the agent will not recognize updates until the cached credentials refresh. To apply changes sooner, you can recreate the existing pods; otherwise, you will need to wait for the cache to expire. +Due to caching mechanisms, updates to an IAM role in an existing Pod Identity association may not take effect immediately in the pods running on your EKS cluster. The Pod Identity Agent caches IAM credentials based on the association's configuration at the time the credentials are fetched. If the association includes only an link:eks/latest/userguide/pod-id-role.html["EKS Pod Identity role",type="documentation"] ARN and no Target IAM Role, the cached credentials last for 6 hours. If the association includes both the link:eks/latest/userguide/pod-id-role.html["EKS Pod Identity role",type="documentation"] ARN and a Target IAM Role, the cached credentials last for 59 minutes. Modifying an existing association, such as updating the link:eks/latest/userguide/pod-id-role.html["EKS Pod Identity role",type="documentation"] ARN or adding a Target IAM Role, does not reset the existing cache. As a result, the agent will not recognize updates until the cached credentials refresh. To apply changes sooner, you can recreate the existing pods; otherwise, you will need to wait for the cache to expire. == Step 1: Create and associate a Target IAM Role From e72d503d883aab9e6b341cd92d937b00f7980929 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Fri, 28 Mar 2025 14:33:29 -0500 Subject: [PATCH 325/940] revise based on GH comments (#946) --- latest/ug/automode/migrate-auto.adoc | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/latest/ug/automode/migrate-auto.adoc b/latest/ug/automode/migrate-auto.adoc index 4572bc2d3..996be3efa 100644 --- a/latest/ug/automode/migrate-auto.adoc +++ b/latest/ug/automode/migrate-auto.adoc @@ -27,7 +27,6 @@ EKS Auto Mode requires Kubernetes version 1.29 or greater. EKS Auto Mode isn't a *{aws} does not support the following migrations:* * Migrating volumes from the EBS CSI Controller to EKS Auto Mode Block Storage -** You can install the EBS CSI controller on an Amazon EKS Auto Mode cluster. Use a `StorageClass` to associate volumes with either the EBS CSI Controller or EKS Auto Mode. * Migrating load balancers from the {aws} Load Balancer Controller to EKS Auto Mode ** You can install the {aws} Load Balancer Controller on an Amazon EKS Auto Mode cluster. Use the `IngressClass` or `loadBalancerClass` options to associate Service and Ingress resources with either the Load Balancer Controller or EKS Auto Mode. * Migrating EKS Clusters with alternative CNIs or other unsupported networking configurations @@ -58,7 +57,28 @@ Use the following migration reference to configure Kubernetes Resources to be ow |=== -== Load Balancer Migration +== Migrating EBS Volumes + +When migrating workloads to EKS Auto Mode, you need to handle EBS volume migration due to different CSI driver provisioners: + +* EKS Auto Mode Provisioner: `ebs.csi.eks.amazonaws.com` +* Open Source EBS CSI Provisioner: `ebs.csi.aws.com` + +Follow these steps to migrate your persistent volumes: + +. **Modify volume retention policy**: Change the existing PV's `persistentVolumeReclaimPolicy` to `Retain` to ensure the underlying EBS volume is not deleted. +. **Remove PV from Kubernetes**: Delete the old PV resource while keeping the actual EBS volume intact. +. **Create a new PV with static provisioning**: Create a new PV that references the same EBS volume but works with the target CSI driver. +. **Bind to a new PVC**: Create a new PVC that specifically references your PV using the `volumeName` field. + +=== Considerations + +- Ensure your applications are stopped before beginning this migration +- Back up your data before starting the migration process +- This process needs to be performed for each persistent volume +- The workload must be updated to use the new PVC + +== Migrating Load Balancers You cannot directly transfer existing load balancers from the self-managed {aws} load balancer controller to EKS Auto Mode. Instead, you must implement a blue-green deployment strategy. This involves maintaining your existing load balancer configuration while creating new load balancers under the managed controller. From ec3c316ced734c7bcf88a87156d9e60cfebab0c2 Mon Sep 17 00:00:00 2001 From: guessi Date: Sat, 29 Mar 2025 05:03:50 +0800 Subject: [PATCH 326/940] Update guidance for EKS Log Collector (#936) --- .../ug/troubleshooting/troubleshooting.adoc | 47 ++++++++----------- 1 file changed, 20 insertions(+), 27 deletions(-) diff --git a/latest/ug/troubleshooting/troubleshooting.adoc b/latest/ug/troubleshooting/troubleshooting.adoc index dcbce4bc0..a2510202c 100644 --- a/latest/ug/troubleshooting/troubleshooting.adoc +++ b/latest/ug/troubleshooting/troubleshooting.adoc @@ -314,64 +314,57 @@ If your node enters a `NotReady` status, this likely indicates that the node is For Amazon EKS optimized Windows AMIs, there's no reservation for compute resources specified by default in the `kubelet` configuration. To help prevent resource issues, you can reserve compute resources for system processes by providing the `kubelet` with configuration values for https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/#kube-reserved[kube-reserved] and/or https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/#system-reserved[system-reserved]. You do this using the `-KubeletExtraArgs` command-line parameter in the bootstrap script. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/[Reserve Compute Resources for System Daemons] in the Kubernetes documentation and <> in this user guide. -[#troubleshoot-cni] -== CNI log collection tool +[#log-collector] +== EKS Log Collector -The Amazon VPC CNI plugin for Kubernetes has its own troubleshooting script that is available on nodes at `/opt/cni/bin/aws-cni-support.sh`. You can use the script to collect diagnostic logs for support cases and general troubleshooting. +To troubleshoot issue with Amazon EKS nodes, there is a pre-built script available on nodes located at `/etc/eks/log-collector-script/eks-log-collector.sh`. You can use the script to collect diagnostic logs for support cases and general troubleshooting. Use the following command to run the script on your node: [source,bash,subs="verbatim,attributes"] ---- -sudo bash /opt/cni/bin/aws-cni-support.sh +sudo bash /etc/eks/log-collector-script/eks-log-collector.sh ---- [NOTE] ==== -If the script is not present at that location, then the CNI container failed to run. You can manually download and run the script with the following command: +If the script is not present at that location. You can manually download and run the script with the following command: [source,bash,subs="verbatim,attributes"] ---- -curl -O https://raw.githubusercontent.com/awslabs/amazon-eks-ami/master/log-collector-script/linux/eks-log-collector.sh +curl -O https://amazon-eks.s3.amazonaws.com/support/log-collector-script/linux/eks-log-collector.sh sudo bash eks-log-collector.sh ---- ==== -The script collects the following diagnostic information. The CNI version that you have deployed can be earlier than the script version. +The script collects the following diagnostic information. [source,bash,subs="verbatim,attributes"] ---- - This is version 0.6.1. New versions can be found at https://github.com/awslabs/amazon-eks-ami +$ sudo bash /etc/eks/log-collector-script/eks-log-collector.sh -Trying to collect common operating system logs... -Trying to collect kernel logs... -Trying to collect mount points and volume information... -Trying to collect SELinux status... -Trying to collect iptables information... -Trying to collect installed packages... -Trying to collect active system services... -Trying to collect Docker daemon information... -Trying to collect kubelet information... -Trying to collect L-IPAMD information... -Trying to collect sysctls information... -Trying to collect networking information... -Trying to collect CNI configuration information... -Trying to collect running Docker containers and gather container data... -Trying to collect Docker daemon logs... -Trying to archive gathered information... + This is version 0.7.8. New versions can be found at https://github.com/awslabs/amazon-eks-ami/blob/main/log-collector-script/ - Done... your bundled logs are located in /var/log/eks_i-0717c9d54b6cfaa19_2020-03-24_0103-UTC_0.6.1.tar.gz +Trying to collect common operating system logs... +Trying to collect kernel logs... +Trying to collect mount points and volume information... +... +... + + Done... your bundled logs are located in /var/log/eks_i-EXAMPLE_2025-03-25_0000-UTC_0.7.8.tar.gz ---- The diagnostic information is collected and stored at: [source,none,subs="verbatim,attributes"] ---- -/var/log/eks_i-0717c9d54b6cfaa19_2020-03-24_0103-UTC_0.6.1.tar.gz +/var/log/eks_i-EXAMPLE_2025-03-25_0000-UTC_0.7.8.tar.gz ---- +To retrieve log bundle for Bottlerocket nodes, please refer to https://github.com/bottlerocket-os/bottlerocket?tab=readme-ov-file#logs[Bottlerocket Log] for more details. + [#troubleshoot-container-runtime-network] == Container runtime network not ready @@ -703,4 +696,4 @@ The first two columns are what are needed for API response values. The third fie |Grants for the {aws} KMS Key associated with your cluster are revoked. You must delete and recreate the cluster. |The KMS Key Arn |No -|=== \ No newline at end of file +|=== From 9b6c6ad4f95364998fd30d25a1799701b9a032ad Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Fri, 28 Mar 2025 21:11:54 +0000 Subject: [PATCH 327/940] Partially addressed V1720872427 --- latest/ug/automode/migrate-auto.adoc | 38 +++++++++++++--------------- 1 file changed, 18 insertions(+), 20 deletions(-) diff --git a/latest/ug/automode/migrate-auto.adoc b/latest/ug/automode/migrate-auto.adoc index 4572bc2d3..832d256c3 100644 --- a/latest/ug/automode/migrate-auto.adoc +++ b/latest/ug/automode/migrate-auto.adoc @@ -19,50 +19,48 @@ EKS Auto Mode requires Kubernetes version 1.29 or greater. EKS Auto Mode isn't a *{aws} supports the following migrations:* -* Migrating from Karpenter to EKS Auto Mode Nodes -** Learn how to <> -* Migrating from EKS Managed Node Groups to EKS Auto Mode Nodes -** Learn how to <> +* Migrating from Karpenter to EKS Auto Mode nodes. For more information, see <>. +* Migrating from EKS Managed Node Groups to EKS Auto Mode nodes. For more information, see <>. *{aws} does not support the following migrations:* -* Migrating volumes from the EBS CSI Controller to EKS Auto Mode Block Storage -** You can install the EBS CSI controller on an Amazon EKS Auto Mode cluster. Use a `StorageClass` to associate volumes with either the EBS CSI Controller or EKS Auto Mode. +* Migrating volumes from the EBS CSI controller to EKS Auto Mode block storage ++ +You can install the EBS CSI controller on an Amazon EKS Auto Mode cluster. Use a `StorageClass` to associate volumes with either the EBS CSI Controller or EKS Auto Mode. * Migrating load balancers from the {aws} Load Balancer Controller to EKS Auto Mode -** You can install the {aws} Load Balancer Controller on an Amazon EKS Auto Mode cluster. Use the `IngressClass` or `loadBalancerClass` options to associate Service and Ingress resources with either the Load Balancer Controller or EKS Auto Mode. -* Migrating EKS Clusters with alternative CNIs or other unsupported networking configurations ++ +You can install the {aws} Load Balancer Controller on an Amazon EKS Auto Mode cluster. Use the `IngressClass` or `loadBalancerClass` options to associate Service and Ingress resources with either the Load Balancer Controller or EKS Auto Mode. +* Migrating EKS clusters with alternative CNIs or other unsupported networking configurations [#migration-reference] -== Migration Reference +== Migration reference -Use the following migration reference to configure Kubernetes Resources to be owned by either self-managed controllers or EKS Auto Mode. +Use the following migration reference to configure Kubernetes resources to be owned by either self-managed controllers or EKS Auto Mode. [%header,cols="1,1,1,1,1"] |=== | Capability | Resource | Field | Self Managed | EKS Auto Mode -| Block Storage | `StorageClass` | `provisioner` | `kubernetes.io/aws-ebs` | `ebs.csi.eks.amazonaws.com` +| Block storage | `StorageClass` | `provisioner` | `kubernetes.io/aws-ebs` | `ebs.csi.eks.amazonaws.com` -| Load Balancing | `Service` | `loadBalancerClass` | `service.k8s.aws/nlb` | `eks.amazonaws.com/nlb` +| Load balancing | `Service` | `loadBalancerClass` | `service.k8s.aws/nlb` | `eks.amazonaws.com/nlb` -| Load Balancing | `IngressClass` | controller | `ingress.k8s.aws/alb` | `eks.amazonaws.com/alb` +| Load balancing | `IngressClass` | `controller` | `ingress.k8s.aws/alb` | `eks.amazonaws.com/alb` +| Load balancing | `IngressClassParams` | `apiversion` | `elbv2.k8s.aws/v1beta1` | `eks.amazonaws.com/v1` +| Load balancing | `TargetGroupBinding` | `apiversion` | `elbv2.k8s.aws/v1beta1` | `eks.amazonaws.com/v1` -| Load Balancing | `IngressClassParams` | `apiversion` | `elbv2.k8s.aws/v1beta1` | `eks.amazonaws.com/v1` - -| Load Balancing | `TargetGroupBinding` | `apiversion` | `elbv2.k8s.aws/v1beta1` | `eks.amazonaws.com/v1` - -| Compute | NodeClass | `apiVersion` | `karpenter.sh/v1alpha5` | `eks.amazonaws.com/v1` +| Compute | `NodeClass` | `apiVersion` | `karpenter.sh/v1alpha5` | `eks.amazonaws.com/v1` |=== -== Load Balancer Migration +== Load balancer migration You cannot directly transfer existing load balancers from the self-managed {aws} load balancer controller to EKS Auto Mode. Instead, you must implement a blue-green deployment strategy. This involves maintaining your existing load balancer configuration while creating new load balancers under the managed controller. -To minimize service disruption, we recommend a DNS-based traffic shifting approach. First, create new load balancers using EKS Auto Mode while keeping your existing configuration operational. Then, use DNS routing (such as Route 53) to gradually shift traffic from the old load balancers to the new ones. Once traffic has been successfully migrated and you've verified the new configuration, you can decommission the old load balancers and self-managed controller. +To minimize service disruption, we recommend a DNS-based traffic shifting approach. First, create new load balancers by using EKS Auto Mode while keeping your existing configuration operational. Then, use DNS routing (such as Route 53) to gradually shift traffic from the old load balancers to the new ones. Once traffic has been successfully migrated and you've verified the new configuration, you can decommission the old load balancers and self-managed controller. include::auto-enable-existing.adoc[leveloffset=+1] From 02c2e8d0eccb735bd6c296ce1523abb4ea22e58b Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Fri, 28 Mar 2025 21:29:14 +0000 Subject: [PATCH 328/940] Resolved conflicts and did edit tweaks. --- latest/ug/automode/migrate-auto.adoc | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/latest/ug/automode/migrate-auto.adoc b/latest/ug/automode/migrate-auto.adoc index 521006406..2d48eeb81 100644 --- a/latest/ug/automode/migrate-auto.adoc +++ b/latest/ug/automode/migrate-auto.adoc @@ -54,7 +54,7 @@ Use the following migration reference to configure Kubernetes resources to be ow |=== -== Migrating EBS Volumes +== Migrating EBS volumes When migrating workloads to EKS Auto Mode, you need to handle EBS volume migration due to different CSI driver provisioners: @@ -75,8 +75,7 @@ Follow these steps to migrate your persistent volumes: * This process needs to be performed for each persistent volume. * The workload must be updated to use the new PVC. -== Migrating Load Balancers -== Load balancer migration +== Migrating load balancers You cannot directly transfer existing load balancers from the self-managed {aws} load balancer controller to EKS Auto Mode. Instead, you must implement a blue-green deployment strategy. This involves maintaining your existing load balancer configuration while creating new load balancers under the managed controller. From 32bb53e0eb18d9b54f98e27e273bc73ee449d174 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Fri, 28 Mar 2025 21:47:18 +0000 Subject: [PATCH 329/940] Merged from priv/pg-cluster-insights-rollback into mainline. --- latest/ug/clusters/cluster-insights.adoc | 10 +++++++--- latest/ug/clusters/update-cluster.adoc | 20 +++++++++++++------- latest/ug/doc-history.adoc | 19 ++++++++++++++----- 3 files changed, 34 insertions(+), 15 deletions(-) diff --git a/latest/ug/clusters/cluster-insights.adoc b/latest/ug/clusters/cluster-insights.adoc index 39db1d274..38bd77a8d 100644 --- a/latest/ug/clusters/cluster-insights.adoc +++ b/latest/ug/clusters/cluster-insights.adoc @@ -16,12 +16,16 @@ Amazon EKS cluster insights provide recommendations to help you follow Amazon EK * If your cluster has identified issues, review them and make appropriate fixes. The issues include links to Amazon EKS and Kubernetes. * After fixing issues, wait for the cluster insights to refresh. If all issues have been resolved, <>. -[NOTE] +[IMPORTANT] ==== +Amazon EKS has temporarily rolled back a feature that would +require you to use a `--force` flag to upgrade your cluster when there were certain cluster insight issues. For more information, see link:https://github.com/aws/containers-roadmap/issues/2570[Temporary rollback of enforcing upgrade insights on update cluster version] on GitHub. -If Amazon EKS cluster insights identifies upgrade blocking issues on your cluster, it will prevent you from accidentally upgrading your cluster to the next Kubernetes version until you review and make appropriate fixes to resolve the issues identified. Once the issues are resolved, you will be able to upgrade your cluster. +//If Amazon EKS cluster insights identifies upgrade blocking issues on your cluster, it will prevent you from accidentally upgrading your cluster to the next Kubernetes version until you review and make appropriate fixes to resolve the issues identified. Once the issues are resolved, you will be able to upgrade your cluster. -Amazon EKS refreshes cluster insights every 24 hours, but you can override upgrade insights checks without waiting when needed. For more information, see <>. +Amazon EKS refreshes cluster insights every 24 hours. For more information, see <>. + +//Amazon EKS refreshes cluster insights every 24 hours, but you can override upgrade insights checks without waiting when needed. For more information, see <>. ==== diff --git a/latest/ug/clusters/update-cluster.adoc b/latest/ug/clusters/update-cluster.adoc index ba06fc2e6..7c8aad841 100644 --- a/latest/ug/clusters/update-cluster.adoc +++ b/latest/ug/clusters/update-cluster.adoc @@ -122,16 +122,22 @@ Review the https://kubernetes.io/docs/reference/using-api/deprecation-guide/[Dep [#update-cluster-control-plane] == Step 3: Update cluster control plane -Whenever you try to upgrade the Kubernetes version of your cluster's control plane, cluster insights will check for certain upgrade impacting issues. Cluster insights will proactively prevent you from upgrading your cluster if it detects any such issues. You will need to review and resolve the issues to continue with the cluster upgrade. +//Whenever you try to upgrade the Kubernetes version of your cluster's control plane, cluster insights will check for certain upgrade impacting issues. Cluster insights will proactively prevent you from upgrading your cluster if it detects any such issues. You will need to review and resolve the issues to continue with the cluster upgrade. -Once the upgrade impacting issues are resolved, you will be able to upgrade the Kubernetes version of your cluster. When needed, you can use the `--force` flag for update cluster version commands. Passing this flag will force the upgrade even if their are upgrade impacting issues detected by cluster insights. +//Once the upgrade impacting issues are resolved, you will be able to upgrade the Kubernetes version of your cluster. When needed, you can use the `--force` flag for update cluster version commands. Passing this flag will force the upgrade even if their are upgrade impacting issues detected by cluster insights. [IMPORTANT] ==== +Amazon EKS has temporarily rolled back a feature that would +require you to use a `--force` flag to upgrade your cluster when there were certain cluster insight issues. For more information, see link:https://github.com/aws/containers-roadmap/issues/2570[Temporary rollback of enforcing upgrade insights on update cluster version] on GitHub. -Amazon EKS refreshes a cluster insight 24 hours after the "last refresh time". Once the next insight check is run and is determined to be resolved, you can upgrade your cluster normally. Additionally, it can take up to 30 days for the insight status to update after addressing deprecated API usage. Upgrade insights always looks for deprecated API usage over a rolling 30 day window. +Amazon EKS refreshes a cluster insight 24 hours after the "last refresh time". You can compare the time you addressed an issue to the "last refresh time" of the cluster insight. -You can compare the time you addressed an issue to the "last refresh time" of the cluster insight. If you determine that the cluster insight is no longer accurate, you can add the `--force` flag without waiting for the next insight check refresh. +Additionally, it can take up to 30 days for the insight status to update after addressing deprecated API usage. Upgrade insights always looks for deprecated API usage over a rolling 30 day window. + +//Amazon EKS refreshes a cluster insight 24 hours after the "last refresh time". Once the next insight check is run and is determined to be resolved, you can upgrade your cluster normally. Additionally, it can take up to 30 days for the insight status to update after addressing deprecated API usage. Upgrade insights always looks for deprecated API usage over a rolling 30 day window. + +//You can compare the time you addressed an issue to the "last refresh time" of the cluster insight. If you determine that the cluster insight is no longer accurate, you can add the `--force` flag without waiting for the next insight check refresh. ==== @@ -170,7 +176,7 @@ Continue to <>. . Open the link:eks/home#/clusters[Amazon EKS console,type="console"]. . Choose *Upgrade now* for a cluster you wish to upgrade. . Select the version to update your cluster to and choose *Upgrade*. -. If cluster insights has identified any upgrade impacting issues, Amazon EKS will prevent you from upgrading your cluster. You can force the upgrade by typing `confirm` in the *confirm upgrade* field and choosing *upgrade*. +//. If cluster insights has identified any upgrade impacting issues, Amazon EKS will prevent you from upgrading your cluster. You can force the upgrade by typing `confirm` in the *confirm upgrade* field and choosing *upgrade*. . The update takes several minutes to complete. Continue to <>. [#step3-cli] @@ -217,8 +223,8 @@ An example output is as follows. aws eks describe-update --name \ --region --update-id ---- -+ -If needed, resolve any upgrade impacting issues and repeat this procedure. If you need to override `ERROR` status upgrade insights checks that you believe are no longer applicable, add the `--force` flag to the `update-cluster-version` command. +//+ +//If needed, resolve any upgrade impacting issues and repeat this procedure. If you need to override `ERROR` status upgrade insights checks that you believe are no longer applicable, add the `--force` flag to the `update-cluster-version` command. + When a `Successful` status is displayed, the update is complete. . Continue to <>. diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index 39ff21b87..582be7ea4 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -15,6 +15,15 @@ The following table describes the major updates and new features for the Amazon == Updates +[.update,date="2025-03-28"] +=== Rollback: Prevent accidental upgrades with cluster insights +[.update-ulink] +link:eks/latest/userguide/update-cluster.html#update-cluster-control-plane[type="documentation"] + +Amazon EKS has temporarily rolled back a feature that would +require you to use a `--force` flag to upgrade your cluster when there were certain cluster insight issues. For more information, see link:https://github.com/aws/containers-roadmap/issues/2570[Temporary rollback of enforcing upgrade insights on update cluster version] on GitHub. + + [.update,date="2025-03-27"] === Bottlerocket FIPS AMIs [.update-ulink] @@ -23,12 +32,12 @@ link:eks/latest/userguide/bottlerocket-fips-amis.html[type="documentation"] Bottlerocket FIPS AMIs are now available in standard managed node groups. -[.update,date="2025-03-26"] -=== Updated cluster insights -[.update-ulink] -link:eks/latest/userguide/update-cluster.html#update-cluster-control-plane[type="documentation"] +//[.update,date="2025-03-26"] +//=== Prevent accidental upgrades with cluster insights +//[.update-ulink] +//link:eks/latest/userguide/update-cluster.html#update-cluster-control-plane[type="documentation"] -Cluster insights will proactively prevent you from upgrading your cluster for certain issues. You can override upgrade-blocking readiness checks if needed. +//Cluster insights will proactively prevent you from upgrading your cluster for certain issues. You can override upgrade-blocking readiness checks if needed. [.update,date="2025-02-28"] From 5fd22281a7ea32095620d43bf1ec37c96d7f3fcf Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Fri, 28 Mar 2025 21:58:01 +0000 Subject: [PATCH 330/940] eksctl 0.206.0: https://github.com/eksctl-io/eksctl/releases/tag/v0.206.0 --- latest/ug/attributes.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/attributes.txt b/latest/ug/attributes.txt index 795c80c30..e41f178ba 100644 --- a/latest/ug/attributes.txt +++ b/latest/ug/attributes.txt @@ -1,5 +1,5 @@ // eksctl version -:eksctl-min-version: 0.205.0 +:eksctl-min-version: 0.206.0 // EKS Auto Mode versions :auto-cli-v2-version: 2.12.3 From 6526ff07fced191e67ec2999c1979f2e6bc0f635 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Fri, 28 Mar 2025 17:23:20 -0500 Subject: [PATCH 331/940] Update what-is-eks.adoc (#948) * Update what-is-eks.adoc * fixup --- latest/ug/what-is/what-is-eks.adoc | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index 8a55da9d3..0f7ab7ac2 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -11,6 +11,18 @@ Learn to manage containerized applications with Amazon EKS Amazon Elastic Kubernetes Service (Amazon EKS) is the premiere platform for running https://kubernetes.io/docs/concepts/overview/[Kubernetes] clusters, both in the Amazon Web Services ({aws}) cloud and in your own data centers (https://anywhere.eks.amazonaws.com/[EKS Anywhere] and <>). +## Amazon EKS: Simplified Kubernetes Management + +Amazon Elastic Kubernetes Service (EKS) provides a fully managed Kubernetes service that eliminates the complexity of operating Kubernetes clusters. With EKS, you can: + + +* Deploy applications faster with less operational overhead +* Scale seamlessly to meet changing workload demands +* Improve security through {aws} integration and automated updates +* Choose between standard EKS or fully automated xref:automode[EKS Auto Mode] + + + Amazon EKS simplifies building, securing, and maintaining Kubernetes clusters. It can be more cost effective at providing enough resources to meet peak demand than maintaining your own data centers. Two of the main approaches to using Amazon EKS are as follows: * **EKS standard**: {aws} manages the https://kubernetes.io/docs/concepts/overview/components/#control-plane-components[Kubernetes control plane] when you create a cluster with EKS. Components that manage nodes, schedule workloads, integrate with the {aws} cloud, and store and scale control plane information to keep your clusters up and running, are handled for you automatically. From 61e8386c574b51c1d441c28b24f046690ec79079 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Fri, 28 Mar 2025 22:25:13 +0000 Subject: [PATCH 332/940] Revert "Update what-is-eks.adoc (#948)" This reverts commit 6526ff07fced191e67ec2999c1979f2e6bc0f635. --- latest/ug/what-is/what-is-eks.adoc | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index 0f7ab7ac2..8a55da9d3 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -11,18 +11,6 @@ Learn to manage containerized applications with Amazon EKS Amazon Elastic Kubernetes Service (Amazon EKS) is the premiere platform for running https://kubernetes.io/docs/concepts/overview/[Kubernetes] clusters, both in the Amazon Web Services ({aws}) cloud and in your own data centers (https://anywhere.eks.amazonaws.com/[EKS Anywhere] and <>). -## Amazon EKS: Simplified Kubernetes Management - -Amazon Elastic Kubernetes Service (EKS) provides a fully managed Kubernetes service that eliminates the complexity of operating Kubernetes clusters. With EKS, you can: - - -* Deploy applications faster with less operational overhead -* Scale seamlessly to meet changing workload demands -* Improve security through {aws} integration and automated updates -* Choose between standard EKS or fully automated xref:automode[EKS Auto Mode] - - - Amazon EKS simplifies building, securing, and maintaining Kubernetes clusters. It can be more cost effective at providing enough resources to meet peak demand than maintaining your own data centers. Two of the main approaches to using Amazon EKS are as follows: * **EKS standard**: {aws} manages the https://kubernetes.io/docs/concepts/overview/components/#control-plane-components[Kubernetes control plane] when you create a cluster with EKS. Components that manage nodes, schedule workloads, integrate with the {aws} cloud, and store and scale control plane information to keep your clusters up and running, are handled for you automatically. From 34e76e63bfff395f53fd4b18668bb1c81bc28ca6 Mon Sep 17 00:00:00 2001 From: Chris Negus Date: Fri, 28 Mar 2025 22:26:59 +0000 Subject: [PATCH 333/940] Update to Migrate from EKS Fargate to EKS Auto Mode page --- latest/ug/automode/auto-migrate-fargate.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/automode/auto-migrate-fargate.adoc b/latest/ug/automode/auto-migrate-fargate.adoc index 3cba8ae52..85ed83aed 100644 --- a/latest/ug/automode/auto-migrate-fargate.adoc +++ b/latest/ug/automode/auto-migrate-fargate.adoc @@ -12,7 +12,7 @@ The step-by-step approach outlined below enables you to run EKS Fargate and EKS This dual-operation strategy helps ensure a smooth transition by allowing you to validate workload behavior on EKS Auto Mode before completely decommissioning EKS Fargate. You can migrate applications individually or in groups, providing flexibility to accommodate your specific operational requirements and risk tolerance. -## Comparing Amazon EKS Auto Mode and EKS with {aws} Fargate? +## Comparing Amazon EKS Auto Mode and EKS with {aws} Fargate Amazon EKS with {aws} Fargate remains an option for customers who want to run EKS, but Amazon EKS Auto Mode is the recommended approach moving forward. EKS Auto Mode is fully Kubernetes conformant, supporting all upstream Kubernetes primitives and platform tools like Istio, which Fargate is unable to support. From c59e9630dbf99d01ff8aad23574e229f26a700bc Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Fri, 28 Mar 2025 17:31:43 -0500 Subject: [PATCH 334/940] update what is page with new list (#949) * Update what-is-eks.adoc * Update what-is-eks.adoc --- latest/ug/what-is/what-is-eks.adoc | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index 8a55da9d3..0f7ab7ac2 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -11,6 +11,18 @@ Learn to manage containerized applications with Amazon EKS Amazon Elastic Kubernetes Service (Amazon EKS) is the premiere platform for running https://kubernetes.io/docs/concepts/overview/[Kubernetes] clusters, both in the Amazon Web Services ({aws}) cloud and in your own data centers (https://anywhere.eks.amazonaws.com/[EKS Anywhere] and <>). +## Amazon EKS: Simplified Kubernetes Management + +Amazon Elastic Kubernetes Service (EKS) provides a fully managed Kubernetes service that eliminates the complexity of operating Kubernetes clusters. With EKS, you can: + + +* Deploy applications faster with less operational overhead +* Scale seamlessly to meet changing workload demands +* Improve security through {aws} integration and automated updates +* Choose between standard EKS or fully automated xref:automode[EKS Auto Mode] + + + Amazon EKS simplifies building, securing, and maintaining Kubernetes clusters. It can be more cost effective at providing enough resources to meet peak demand than maintaining your own data centers. Two of the main approaches to using Amazon EKS are as follows: * **EKS standard**: {aws} manages the https://kubernetes.io/docs/concepts/overview/components/#control-plane-components[Kubernetes control plane] when you create a cluster with EKS. Components that manage nodes, schedule workloads, integrate with the {aws} cloud, and store and scale control plane information to keep your clusters up and running, are handled for you automatically. From e73595c62fa3d938596c51abd065ed05b48620c4 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Fri, 28 Mar 2025 22:41:04 +0000 Subject: [PATCH 335/940] Revert "update what is page with new list (#949)" This reverts commit c59e9630dbf99d01ff8aad23574e229f26a700bc. --- latest/ug/what-is/what-is-eks.adoc | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index 0f7ab7ac2..8a55da9d3 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -11,18 +11,6 @@ Learn to manage containerized applications with Amazon EKS Amazon Elastic Kubernetes Service (Amazon EKS) is the premiere platform for running https://kubernetes.io/docs/concepts/overview/[Kubernetes] clusters, both in the Amazon Web Services ({aws}) cloud and in your own data centers (https://anywhere.eks.amazonaws.com/[EKS Anywhere] and <>). -## Amazon EKS: Simplified Kubernetes Management - -Amazon Elastic Kubernetes Service (EKS) provides a fully managed Kubernetes service that eliminates the complexity of operating Kubernetes clusters. With EKS, you can: - - -* Deploy applications faster with less operational overhead -* Scale seamlessly to meet changing workload demands -* Improve security through {aws} integration and automated updates -* Choose between standard EKS or fully automated xref:automode[EKS Auto Mode] - - - Amazon EKS simplifies building, securing, and maintaining Kubernetes clusters. It can be more cost effective at providing enough resources to meet peak demand than maintaining your own data centers. Two of the main approaches to using Amazon EKS are as follows: * **EKS standard**: {aws} manages the https://kubernetes.io/docs/concepts/overview/components/#control-plane-components[Kubernetes control plane] when you create a cluster with EKS. Components that manage nodes, schedule workloads, integrate with the {aws} cloud, and store and scale control plane information to keep your clusters up and running, are handled for you automatically. From a28eccc71cf2c9da72aa0d613bd6a22fdc139c2b Mon Sep 17 00:00:00 2001 From: Kalpak Seal Date: Sun, 30 Mar 2025 21:25:38 -0700 Subject: [PATCH 336/940] Fix typo in User documentation --- latest/ug/what-is/kubernetes-concepts.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/what-is/kubernetes-concepts.adoc b/latest/ug/what-is/kubernetes-concepts.adoc index 3bbac2c9f..7ac4bc496 100644 --- a/latest/ug/what-is/kubernetes-concepts.adoc +++ b/latest/ug/what-is/kubernetes-concepts.adoc @@ -47,7 +47,7 @@ To achieve its goals, Kubernetes has the following attributes: * *Available* -- If an application or node becomes unhealthy or unavailable, Kubernetes can move running workloads to another available node. You can force the issue by simply deleting a running instance of a workload or node that's running your workloads. The bottom line here is that workloads can be brought up in other locations if they can no longer run where they are. * *Declarative* -- Kubernetes uses active reconciliation to constantly check that the state that you declare for your cluster matches the actual state. By applying https://kubernetes.io/docs/concepts/overview/working-with-objects/[Kubernetes objects] to a cluster, typically through YAML-formatted configuration files, you can, for example, ask to start up the workloads you want to run on your cluster. You can later change the configurations to do something like use a later version of a container or allocate more memory. Kubernetes will do what it needs to do to establish the desired state. This can include bringing nodes up or down, stopping and restarting workloads, or pulling updated containers. * *Composable* -- Because an application typically consists of multiple components, you want to be able to manage a set of these components (often represented by multiple containers) together. While Docker Compose offers a way to do this directly with Docker, the Kubernetes http://kompose.io/[Kompose] command can help you do that with Kubernetes. See https://kubernetes.io/docs/tasks/configure-pod-container/translate-compose-kubernetes/[Translate a Docker Compose File to Kubernetes Resources] for an example of how to do this. -* *Extensible* -- Unlike proprietary software, the open source Kubernetes project is designed to be open to you extending Kubernetes any way that you like to meet your needs. APIs and configuration files are open to direct modifications. Third-parties are encouraged to write their own https://kubernetes.io/docs/concepts/architecture/controller/[Controllers], to extend both infrastructure and end-user Kubernetes featues. https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/[Webhooks] let you set up cluster rules to enforce policies and adapt to changing conditions. For more ideas on how to extend Kubernetes clusters, see https://kubernetes.io/docs/concepts/extend-kubernetes/[Extending Kubernetes]. +* *Extensible* -- Unlike proprietary software, the open source Kubernetes project is designed to be open to you extending Kubernetes any way that you like to meet your needs. APIs and configuration files are open to direct modifications. Third-parties are encouraged to write their own https://kubernetes.io/docs/concepts/architecture/controller/[Controllers], to extend both infrastructure and end-user Kubernetes features. https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/[Webhooks] let you set up cluster rules to enforce policies and adapt to changing conditions. For more ideas on how to extend Kubernetes clusters, see https://kubernetes.io/docs/concepts/extend-kubernetes/[Extending Kubernetes]. * *Portable* -- Many organizations have standardized their operations on Kubernetes because it allows them to manage all of their application needs in the same way. Developers can use the same pipelines to build and store containerized applications. Those applications can then be deployed to Kubernetes clusters running on-premises, in clouds, on point-of-sales terminals in restaurants, or on IOT devices dispersed across company's remote sites. Its open source nature makes it possible for people to develop these special Kubernetes distributions, along will tools needed to manage them. @@ -255,4 +255,4 @@ Understanding basic Kubernetes concepts and how they relate to Amazon EKS will h * <> * <> * <> -* <> \ No newline at end of file +* <> From 2d5313823e35715d218ac73064f314ea0a5c1143 Mon Sep 17 00:00:00 2001 From: Kalpak Seal Date: Sun, 30 Mar 2025 23:12:26 -0700 Subject: [PATCH 337/940] Update kubernetes-concepts.adoc Add missing whitespace --- latest/ug/what-is/kubernetes-concepts.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/what-is/kubernetes-concepts.adoc b/latest/ug/what-is/kubernetes-concepts.adoc index 3bbac2c9f..77954dafa 100644 --- a/latest/ug/what-is/kubernetes-concepts.adoc +++ b/latest/ug/what-is/kubernetes-concepts.adoc @@ -100,7 +100,7 @@ In {aws} Cloud, you can create link:eks/[Amazon EKS,type="documentation"] cluste * *Managed control plane* -- {aws} makes sure that the Amazon EKS cluster is available and scalable because it manages the control plane for you and makes it available across {aws} Availability Zones. -* *Node management* -- Instead of manually adding nodes, you can have Amazon EKS create nodes automatically as needed, using Managed Node Groups (see <>) or https://karpenter.sh/[Karpenter]. Managed Node Groups have integrations with Kubernetes https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaling]. Using node management tools, you can take advantage of cost savings, with things like link:AWSEC2/latest/UserGuide/using-spot-instances.html[Spot Instances,type="documentation"] and node consolidation, and availability, using https://karpenter.sh/docs/concepts/scheduling/[Scheduling]features to set how workloads are deployed and nodes are selected. +* *Node management* -- Instead of manually adding nodes, you can have Amazon EKS create nodes automatically as needed, using Managed Node Groups (see <>) or https://karpenter.sh/[Karpenter]. Managed Node Groups have integrations with Kubernetes https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaling]. Using node management tools, you can take advantage of cost savings, with things like link:AWSEC2/latest/UserGuide/using-spot-instances.html[Spot Instances,type="documentation"] and node consolidation, and availability, using https://karpenter.sh/docs/concepts/scheduling/[Scheduling] features to set how workloads are deployed and nodes are selected. * *Cluster networking* -- Using CloudFormation templates, `eksctl` sets up networking between control plane and data plane (node) components in the Kubernetes cluster. It also sets up endpoints through which internal and external communications can take place. See link:containers/de-mystifying-cluster-networking-for-amazon-eks-worker-nodes[De-mystifying cluster networking for Amazon EKS worker nodes,type="blog"] for details. Communications between Pods in Amazon EKS is done using Amazon EKS Pod Identities (see <>), which provides a means of letting Pods tap into {aws} cloud methods of managing credentials and permissions. * *Add-Ons* -- Amazon EKS saves you from having to build and add software components that are commonly used to support Kubernetes clusters. For example, when you create an Amazon EKS cluster from the {aws-management-console}, it automatically adds the Amazon EKS kube-proxy (<>), Amazon VPC CNI plugin for Kubernetes (<>), and CoreDNS (<>) add-ons. See <> for more on these add-ons, including a list of which are available. @@ -255,4 +255,4 @@ Understanding basic Kubernetes concepts and how they relate to Amazon EKS will h * <> * <> * <> -* <> \ No newline at end of file +* <> From dc180e2038cc6ade4421d22ec4c302ab2500fab2 Mon Sep 17 00:00:00 2001 From: Chris Negus Date: Mon, 31 Mar 2025 13:16:05 +0000 Subject: [PATCH 338/940] Updates to ML on EKS landing page --- latest/ug/ml/machine-learning-on-eks.adoc | 64 +++++++++++++++-------- 1 file changed, 42 insertions(+), 22 deletions(-) diff --git a/latest/ug/ml/machine-learning-on-eks.adoc b/latest/ug/ml/machine-learning-on-eks.adoc index f470b01f8..71c7d6ee4 100644 --- a/latest/ug/ml/machine-learning-on-eks.adoc +++ b/latest/ug/ml/machine-learning-on-eks.adoc @@ -10,40 +10,60 @@ include::../attributes.txt[] Complete guide for running Machine Learning applications on Amazon EKS. This includes everything from provisioning infrastructure to choosing and deploying Machine Learning workloads on Amazon EKS. -- -[#ml-features] +Amazon Elastic Kubernetes Service (EKS) is a managed Kubernetes platform that empowers organizations to deploy, manage, and scale AI and machine learning (ML) workloads with unparalleled flexibility and control. Built on the open source Kubernetes ecosystem, EKS lets you harness your existing Kubernetes expertise, while integrating seamlessly with open source tools and {aws} services. -Machine Learning (ML) is an area of Artificial Intelligence (AI) where machines process large amounts of data to look for patterns and make connections between the data. This can expose new relationships and help predict outcomes that might not have been apparent otherwise. +Whether you’re training large-scale models, running real-time online inference, or deploying generative AI applications, EKS delivers the performance, scalability, and cost efficiency your AI/ML projects demand. -For large-scale ML projects, data centers must be able to store large amounts of data, process data quickly, and integrate data from many sources. The platforms running ML applications must be reliable and secure, but also offer resiliency to recover from data center outages and application failures. {aws} Elastic Kubernetes Service (EKS), running in the {aws} cloud, is particularly suited for ML workloads. -The primary goal of this section of the EKS User Guide is to help you put together the hardware and software component to build platforms to run Machine Learning workloads in an EKS cluster. -We start by explaining the features and services available to you in EKS and the {aws} cloud, then provide you with tutorials to help you work with ML platforms, frameworks, and models. +## Why Choose EKS for AI/ML? -== Advantages of Machine Learning on EKS and the {aws} cloud +EKS is a managed Kubernetes platform that helps you deploy and manage complex AI/ML workloads. +Built on the open source Kubernetes ecosystem, it integrates with {aws} services, providing the control and scalability needed for advanced projects. +For teams new to AI/ML deployments, existing Kubernetes skills transfer directly, allowing efficient orchestration of multiple workloads. -Amazon Elastic Kubernetes Service (EKS) is a powerful, managed Kubernetes platform that has become a cornerstone for deploying and managing AI/ML workloads in the cloud. With its ability to handle complex, resource-intensive tasks, Amazon EKS provides a scalable and flexible foundation for running AI/ML models, making it an ideal choice for organizations aiming to harness the full potential of machine learning. +EKS supports everything from operating system customizations to compute scaling, and its open source foundation promotes technological flexibility, preserving freedom of choice for future infrastructure decisions. +The platform provides the performance and tuning options AI/ML workloads require, supporting features such as: -Key Advantages of AI/ML Platforms on Amazon EKS include: +* Full cluster control to fine-tune costs and configurations without hidden abstractions +* Sub-second latency for real-time inference workloads in production +* Advanced customizations like multi-instance GPUs, multi-cloud strategies, and OS-level tuning +* Ability to centralize workloads using EKS as a unified orchestrator across AI/ML pipelines -* *Scalability and Flexibility* -Amazon EKS enables organizations to scale AI/ML workloads seamlessly. Whether you're training large language models that require vast amounts of compute power or deploying inference pipelines that need to handle unpredictable traffic patterns, EKS scales up and down efficiently, optimizing resource use and cost. +## Key use cases -* *High Performance with GPUs and Neuron Instances* -Amazon EKS supports a wide range of compute options, including GPUs and {aws}} Neuron instances, which are essential for accelerating AI/ML workloads. This support allows for high-performance training and low-latency inference, ensuring that models run efficiently in production environments. +Amazon EKS provides a robust platform for a wide range of AI/ML workloads, supporting various technologies and deployment patterns: -* *Integration with AI/ML Tools* -Amazon EKS integrates seamlessly with popular AI/ML tools and frameworks like TensorFlow, PyTorch, and Ray, providing a familiar and robust ecosystem for data scientists and engineers. These integrations enable users to leverage existing tools while benefiting from the scalability and management capabilities of Kubernetes. +* **Real-time (online) inference:** EKS powers immediate predictions on incoming data, such as fraud detection, with sub-second latency using tools like https://docs.aws.amazon.com/dlami/latest/devguide/tutorial-torchserve.html[TorchServe], +https://aws.amazon.com/blogs/containers/quora-3x-faster-machine-learning-25-lower-costs-with-nvidia-triton-on-amazon-eks/[Triton Inference Server], and https://kserve.github.io/website/0.8/get_started/first_isvc/[KServe] on Amazon EC2 https://aws.amazon.com/ec2/instance-types/inf1/[Inf1] +and https://aws.amazon.com/ec2/instance-types/inf2/[Inf2] instances. +These workloads benefit from dynamic scaling with https://karpenter.sh/[Karpenter] and https://keda.sh/[KEDA], while leveraging https://aws.amazon.com/efs/[Amazon EFS] for model sharding across pods. +https://docs.aws.amazon.com/AmazonECR/latest/userguide/pull-through-cache-creating-rule.html[Amazon ECR Pull Through Cache (PTC)] accelerates model updates, +and https://aws.amazon.com/bottlerocket/[Bottlerocket] data volumes with https://docs.aws.amazon.com/ebs/latest/userguide/what-is-ebs.html[Amazon EBS]-optimized volumes ensure fast data access. -* *Automation and Management* -Kubernetes on Amazon EKS automates many of the operational tasks associated with managing AI/ML workloads. Features like automatic scaling, rolling updates, and self-healing ensure that your applications remain highly available and resilient, reducing the overhead of manual intervention. +* **General model training:** Organizations leverage EKS to train complex models on large datasets over extended periods using the https://www.kubeflow.org/docs/components/trainer/[Kubeflow Training Operator (KRO)], +https://docs.ray.io/en/latest/serve/index.html[Ray Serve], and https://pytorch.org/docs/stable/distributed.elastic.html[Torch Distributed Elastic] on https://aws.amazon.com/ec2/instance-types/p4/[Amazon EC2 P4d] and https://aws.amazon.com/ec2/instance-types/trn1/[Amazon EC2 Trn1] instances. +These workloads are supported by batch scheduling with tools like https://volcano.sh/en/#home_slider[Volcano], +https://yunikorn.apache.org/[Yunikorn], +and https://kueue.sigs.k8s.io/[Kueue]. +https://aws.amazon.com/efs/[Amazon EFS] enables sharing of model checkpoints, and https://aws.amazon.com/s3/[Amazon S3] handles model import/export with lifecycle policies for version management. -* *Security and Compliance* -Running AI/ML workloads on Amazon EKS provides robust security features, including fine-grained IAM roles, encryption, and network policies, ensuring that sensitive data and models are protected. EKS also adheres to various compliance standards, making it suitable for enterprises with strict regulatory requirements. +* **Retrieval augmented generation (RAG) pipelines:** EKS manages customer support chatbots and similar applications by integrating retrieval and generation processes. These workloads often use tools like https://argoproj.github.io/workflows/[Argo Workflows] and https://www.kubeflow.org/[Kubeflow] for orchestration, vector databases like https://www.pinecone.io/blog/serverless/[Pinecone], https://weaviate.io/[Weaviate], or https://aws.amazon.com/opensearch-service/[Amazon OpenSearch], and expose applications to users via the +<>. https://docs.nvidia.com/nim/index.html[NVIDIA NIM] optimizes GPU utilization, while <> and https://aws.amazon.com/grafana/[Grafana] monitor resource usage. -== Why Choose Amazon EKS for AI/ML? -Amazon EKS offers a comprehensive, managed environment that simplifies the deployment of AI/ML models while providing the performance, scalability, and security needed for production workloads. With its ability to integrate with a variety of AI/ML tools and its support for advanced compute resources, EKS empowers organizations to accelerate their AI/ML initiatives and deliver innovative solutions at scale. +* **Generative AI model deployment:** Companies deploy real-time content creation services on EKS, such as text or image generation, using https://docs.ray.io/en/latest/serve/index.html[Ray Serve], https://github.com/vllm-project/vllm[vLLM], and https://aws.amazon.com/blogs/containers/quora-3x-faster-machine-learning-25-lower-costs-with-nvidia-triton-on-amazon-eks/[Triton Inference Server] on Amazon https://aws.amazon.com/ec2/instance-types/g5/[EC2 G5] and https://aws.amazon.com/ai/machine-learning/inferentia/[Inferentia] accelerators. These deployments optimize performance and memory utilization for large-scale models. https://jupyter.org/hub[JupyterHub] enables iterative development, https://www.gradio.app/[Gradio] provides simple web interfaces, and the <> allows mounting S3 buckets as file systems for accessing large model files. -By choosing Amazon EKS, you gain access to a robust infrastructure that can handle the complexities of modern AI/ML workloads, allowing you to focus on innovation and value creation rather than managing underlying systems. Whether you are deploying simple models or complex AI systems, Amazon EKS provides the tools and capabilities needed to succeed in a competitive and rapidly evolving field. +* **Batch (offline) inference:** Organizations process large datasets efficiently through scheduled jobs with https://docs.aws.amazon.com/batch/latest/userguide/what-is-batch.html[{aws} Batch] or https://volcano.sh/en/docs/schduler_introduction/[Volcano]. These workloads often use https://aws.amazon.com/ec2/instance-types/inf1/[Inf1] and https://aws.amazon.com/ec2/instance-types/inf2/[Inf2] EC2 instances for {aws} https://aws.amazon.com/ai/machine-learning/inferentia/[Inferentia] chips, Amazon EC2 https://aws.amazon.com/ec2/instance-types/g4/[G4dn] instances for NVIDIA T4 GPUs, or https://aws.amazon.com/ec2/instance-types/c5/[c5] and https://aws.amazon.com/ec2/instance-types/c6i[c6i] CPU instances, maximizing resource utilization during off-peak hours for analytics tasks. The https://aws.amazon.com/ai/machine-learning/neuron/[{aws} Neuron SDK] and NVIDIA GPU drivers optimize performance, while MIG/TS enables GPU sharing. Storage solutions include https://aws.amazon.com/s3/[Amazon S3] and Amazon https://aws.amazon.com/efs/[EFS] and https://aws.amazon.com/fsx/lustre/[FSx for Lustre], with CSI drivers for various storage classes. Model management leverages tools like https://www.kubeflow.org/docs/components/pipelines/[Kubeflow Pipelines], https://argoproj.github.io/workflows/[Argo Workflows], and https://docs.ray.io/en/latest/cluster/getting-started.html[Ray Cluster], while monitoring is handled by <>, https://aws.amazon.com/grafana/[Grafana] and custom model monitoring tools. + +## Case studies + +Customers choose Amazon EKS for various reasons, such as optimizing GPU usage or running real-time inference workloads with sub-second latency, as demonstrated in the following case studies. For a list of all case studies for Amazon EKS, see https://aws.amazon.com/solutions/case-studies/browse-customer-success-stories/?refid=cr_card&customer-references-cards.sort-by=item.additionalFields.sortDate&customer-references-cards.sort-order=desc&awsf.customer-references-location=*all&awsf.customer-references-industry=*all&awsf.customer-references-use-case=*all&awsf.language=language%23english&awsf.customer-references-segment=*all&awsf.content-type=*all&awsf.customer-references-product=product%23eks&awsm.page-customer-references-cards=1[{aws} Customer Success Stories]. + +* https://aws.amazon.com/solutions/case-studies/unitary-eks-case-study/?did=cr_card&trk=cr_card[Unitary] processes 26 million videos daily using AI for content moderation, requiring high-throughput, low-latency inference and have achieved an 80% reduction in container boot times, ensuring fast response to scaling events as traffic fluctuates. +* https://aws.amazon.com/solutions/case-studies/miro-eks-case-study/[Miro], the visual collaboration platform supporting 70 million users worldwide, reported an 80% reduction in compute costs compared to their previous self-managed Kubernetes clusters. +* https://aws.amazon.com/solutions/case-studies/synthesia-case-study/?did=cr_card&trk=cr_card[Synthesia], which offers generative AI video creation as a service for customers to create realistic videos from text prompts, achieved a 30x improvement in ML model training throughput. +* https://aws.amazon.com/solutions/case-studies/harri-eks-case-study/?did=cr_card&trk=cr_card[Harri], providing HR technology for the hospitality industry, achieved 90% faster scaling in response to spikes in demand and reduced its compute costs by 30% by migrating to https://aws.amazon.com/ec2/graviton/[{aws} Graviton processors]. +* https://aws.amazon.com/solutions/case-studies/ada-support-eks-case-study/[Ada Support], an AI-powered customer service automation company, achieved a 15% reduction in compute costs alongside a 30% increase in compute efficiency. +* https://aws.amazon.com/blogs/startups/how-snorkel-ai-achieved-over-40-cost-savings-by-scaling-machine-learning-workloads-using-amazon-eks/[Snorkel AI], which equips enterprises to build and adapt foundation models and large language models, achieved over 40% cost savings by implementing intelligent scaling mechanisms for their GPU resources. == Start using Machine Learning on EKS @@ -53,4 +73,4 @@ include::ml-get-started.adoc[leveloffset=+1] include::ml-prepare-for-cluster.adoc[leveloffset=+1] -include::ml-tutorials.adoc[leveloffset=+1] \ No newline at end of file +include::ml-tutorials.adoc[leveloffset=+1] From e609b5148ef5b5b2d5a43f12dccb416b25675ae4 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Mon, 31 Mar 2025 11:50:10 -0500 Subject: [PATCH 339/940] Update auto-change.adoc --- latest/ug/automode/auto-change.adoc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/latest/ug/automode/auto-change.adoc b/latest/ug/automode/auto-change.adoc index 98f372d7e..e4a37133c 100644 --- a/latest/ug/automode/auto-change.adoc +++ b/latest/ug/automode/auto-change.adoc @@ -7,6 +7,10 @@ include::../attributes.txt[] This page documents updates to Amazon EKS Auto Mode. You can periodically check this page for announcements about features, bug fixes, known issues, and deprecated functionality. +== March 31, 2025 + +**Bug Fix:** Fixes an issue where if a Core DNS Pod is running on an Auto Mode node, DNS queries from Pods on the node would hit that Core DNS Pod instead of the node local DNS server. DNS queries from Pods on an Auto Mode node will always go to the node local DNS. + == March 21, 2025 **Bug Fix:** Auto Mode nodes now resolve `kube-dns.kube-system.svc.cluster.local` correctly when there isn't a `kube-dns` service installed in the cluster. Addresses GitHub issue https://github.com/aws/containers-roadmap/issues/2546[#2546]. From 6c8026ab58e41400c0c91ae6423e39ddbb7aff77 Mon Sep 17 00:00:00 2001 From: Todd Neal Date: Mon, 31 Mar 2025 11:52:28 -0500 Subject: [PATCH 340/940] document issues with R53 private hosted zones using .local domains (#952) * document issues with R53 private hosted zones using .local domains * Update auto-troubleshoot.adoc --------- Co-authored-by: Geoffrey Cline --- latest/ug/automode/auto-troubleshoot.adoc | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/latest/ug/automode/auto-troubleshoot.adoc b/latest/ug/automode/auto-troubleshoot.adoc index 72d976c71..ac65c30b7 100644 --- a/latest/ug/automode/auto-troubleshoot.adoc +++ b/latest/ug/automode/auto-troubleshoot.adoc @@ -262,6 +262,14 @@ securityContext: level: "s0:c123,c456,c789" ---- + +[#auto-troubleshoot-local-suffix-name-resolution] +== DNS Resolution of Route53 private hosted zones with `.local` Domains + +If you configure a Route 53 private hosted zone using a `.local` suffix (e.g. `mydomain.local`), it will fail to resolve on EKS Auto Mode Nodes. You will need to use a different suffix for the Route 53 private hosted zone. + +It's a general best practice to not use the domain name ".local" for Route 53 private hosted zones. RFC 6762 reserves this domain name for exclusive Multicast DNS use. For more information, see https://datatracker.ietf.org/doc/html/rfc6762[Multicast DNS] on the Internet Engineering Task Force (IETF) website. The use of this name interferes with DNS Resolution as it leads to attempting to resolve the name via Multicast DNS instead of forwarding the query to the VPC resolver endpoint. + [#auto-troubleshoot-controllers] == Troubleshoot included controllers in Auto Mode From ef414dc27ac0f8b0fb306075c6640d48ba702cc5 Mon Sep 17 00:00:00 2001 From: Chris Negus Date: Mon, 31 Mar 2025 17:01:16 +0000 Subject: [PATCH 341/940] Review comments included on new Migrate from Fargate page --- latest/ug/automode/auto-migrate-fargate.adoc | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/latest/ug/automode/auto-migrate-fargate.adoc b/latest/ug/automode/auto-migrate-fargate.adoc index 85ed83aed..5b8843303 100644 --- a/latest/ug/automode/auto-migrate-fargate.adoc +++ b/latest/ug/automode/auto-migrate-fargate.adoc @@ -142,7 +142,6 @@ kubectl get nodepool [source,subs="verbatim,attributes"] ---- NAME NODECLASS NODES READY AGE -eks-auto-mode default 0 True 3d14h general-purpose default 1 True 6m58s system default 0 True 3d14h ---- @@ -190,7 +189,7 @@ spec: ---- kubectl apply -f deployment_fargate.yaml ---- -. Check that deployment is running in the EKS Automode: +. Check that the deployment is running in the EKS Auto Mode cluster: + [source,bash,subs="verbatim,attributes"] ---- @@ -204,7 +203,7 @@ nginx-deployment-97967b68d-ffxxh 1/1 Running 0 3m31s 192.168. nginx-deployment-97967b68d-mbcgj 1/1 Running 0 2m37s 192.168.43.241 i-0845aafcb51630ffb nginx-deployment-97967b68d-qpd8x 1/1 Running 0 2m35s 192.168.43.242 i-0845aafcb51630ffb ---- -. Verify there is no Fargate node running and that there is no deployment running in the EKS Automode manage nodes: +. Verify there is no Fargate node running and deployment running in the EKS Auto Mode managed nodes: + [source,bash,subs="verbatim,attributes"] ---- From 79167c2b654a103a2ab30f231889ab97e0f59d9f Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Mon, 31 Mar 2025 09:53:54 -0700 Subject: [PATCH 342/940] Release hybrid nodes for existing clusters, modify hybrid config --- .../ug/nodes/hybrid-nodes-cluster-create.adoc | 1 - .../ug/nodes/hybrid-nodes-cluster-update.adoc | 127 ++++++++++++++++++ latest/ug/nodes/hybrid-nodes-prereqs.adoc | 3 + 3 files changed, 130 insertions(+), 1 deletion(-) create mode 100644 latest/ug/nodes/hybrid-nodes-cluster-update.adoc diff --git a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc index 7b0470783..323e136e9 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc @@ -27,7 +27,6 @@ This topic provides an overview of the available options and describes what to c * Your cluster must use either `API` or `API_AND_CONFIG_MAP` for the cluster authentication mode. * Your cluster must use IPv4 address family. * Your cluster must use either Public or Private cluster endpoint connectivity. Your cluster cannot use “Public and Private” cluster endpoint connectivity, because the Amazon EKS Kubernetes API server endpoint will resolve to the public IPs for hybrid nodes running outside of your VPC. -* Currently, hybrid nodes must be enabled during cluster creation. You cannot change your `RemoteNodeNetwork` or `RemotePodNetwork` after cluster creation. [#hybrid-nodes-cluster-create-iam] diff --git a/latest/ug/nodes/hybrid-nodes-cluster-update.adoc b/latest/ug/nodes/hybrid-nodes-cluster-update.adoc new file mode 100644 index 000000000..049e45a05 --- /dev/null +++ b/latest/ug/nodes/hybrid-nodes-cluster-update.adoc @@ -0,0 +1,127 @@ +include::../attributes.txt[] + +[.topic] +[#hybrid-nodes-cluster-update] += Enable hybrid nodes on an existing Amazon EKS cluster +:info_titleabbrev: Existing cluster + +[abstract] +-- +Enable hybrid nodes on an existing cluster +-- + +This topic provides an overview of the available options and describes what to consider when you add, change, or remove hybrid nodes from an Amazon EKS cluster. If you are not planning to use hybrid nodes, see <>. + +You can do any of the following actions to the EKS Hybrid Nodes in a cluster: + +* Add and enable EKS Hybrid Nodes in an existing cluster. +* Change the remote node networks. +* Add or change the remote pod networks. +* Remove the remote pod networks. +* Remove and disable EKS Hybrid Nodes in an existing cluster. + +The following examples enable EKS Hybrid Nodes on an existing cluster and include the optional remote pod network. + +[#hybrid-nodes-cluster-enable-prep] +== Prerequisites + +* The <> completed. Before you create your hybrid nodes-enabled cluster, you must have your on-premises node and optionally pod CIDRs identified, your VPC and subnets created according to the EKS requirements, and hybrid nodes requirements, and your security group with inbound rules for your on-premises and optionally pod CIDRs. For more information on these prerequisites, see <>. +* The latest version of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device. To check your current version, use `aws --version`. Package managers such yum, apt-get, or Homebrew for macOS are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/getting-started-install.html[Installing or updating to the last version of the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Configuring settings for the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. +* An link:IAM/latest/UserGuide/id_roles#iam-term-principal[IAM principal,type="documentation"] with permissions to create IAM roles and attach policies, and create and describe EKS clusters + + +[#hybrid-nodes-cluster-enable-consider] +== Considerations + +* Your cluster must use either `API` or `API_AND_CONFIG_MAP` for the cluster authentication mode. +* Your cluster must use IPv4 address family. +* Your cluster must use either Public or Private cluster endpoint connectivity. Your cluster cannot use “Public and Private” cluster endpoint connectivity, because the Amazon EKS Kubernetes API server endpoint will resolve to the public IPs for hybrid nodes running outside of your VPC. + +The `remoteNetworkConfig` JSON object has the following behavior during an update: + +* Any existing part of the configuration that you don't specify is unchanged. If you don't specify either of the `remoteNodeNetworks` or `remotePodNetworks`, that part will remain the same. +* If you are modifying either of the `remoteNodeNetworks` or `remotePodNetworks` lists of CIDRs, you must specify that entire list in your update. EKS replaces the list during the update. + + +[#hybrid-nodes-cluster-enable-existing] +== Enable hybrid nodes on an existing cluster + +You can enable EKS Hybrid Nodes in an existing cluster by using: + +* <> +* <> +* <> + + +[#hybrid-nodes-cluster-enable-cfn] +=== Enable EKS Hybrid Nodes in an existing cluster - {aws} CloudFormation + +. To enable EKS Hybrid Nodes in your cluster, add the `RemoteNodeNetwork` and (optional) `RemotePodNetwork` to your CLoudFormation template and update the stack. Note that `RemoteNodeNetwork` is a list with a maximum of one `Cidrs` item and the `Cidrs` is a list of multiple IP CIDR ranges. ++ +[source,yaml,subs="verbatim,attributes"] +---- + RemoteNetworkConfig: + RemoteNodeNetworks: + - Cidrs: [RemoteNodeCIDR] + RemotePodNetworks: + - Cidrs: [RemotePodCIDR] +---- + +. Continue with the next step. + + +[#hybrid-nodes-cluster-enable-cli] +=== Enable EKS Hybrid Nodes in an existing cluster - {aws} CLI + +. Run the following command to enable EKS Hybrid Nodes and update an EKS cluster. Before running the command, replace the following with your desired settings. For a full list of settings, see the link:eks/latest/APIReference/API_UpdateClusterConfig.html[UpdateClusterConfig,type="documentation"] in the _Amazon EKS API Reference_. +.. `CLUSTER_NAME`: name of the EKS cluster to be created. +.. `AWS_REGION`: {aws} Region where the cluster will be created. +.. `REMOTE_NODE_CIDRS`: the on-premises node CIDR for your hybrid nodes. +.. `REMOTE_POD_CIDRS` (optional): the on-premises pod CIDR for workloads running on hybrid nodes. +.. Your on-premises node and pod CIDR blocks must meet the following requirements: +... Be within one of the IPv4 RFC-1918 ranges: `10.0.0.0/8`, `172.16.0.0/12`, or `192.168.0.0/16`. +... Not overlap with each other, all CIDRs of the VPC for your Amazon EKS cluster, or your Kubernetes service IPv4 CIDR. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks update-cluster \ + --name CLUSTER_NAME \ + --region AWS_REGION \ + --remote-network-config '{"remoteNodeNetworks":[{"cidrs":["REMOTE_NODE_CIDRS"]}],"remotePodNetworks":[{"cidrs":["REMOTE_POD_CIDRS"]}]}' +---- + +. It takes several minutes to update the cluster. You can query the status of your cluster with the following command. Replace `CLUSTER_NAME` with the name of the cluster you are creating and `AWS_REGION` with the {aws} Region where the cluster is creating. Don't proceed to the next step until the output returned is `ACTIVE`. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks describe-cluster \ + --name CLUSTER_NAME \ + --region AWS_REGION \ + --query "cluster.status" +---- + +. Continue with the next step. + + +[#hybrid-nodes-cluster-enable-console] +=== Enable EKS Hybrid Nodes in an existing cluster - {aws-management-console} + +. Open the Amazon EKS console at link:eks/home#/clusters[Amazon EKS console,type="console"]. +. Choose the name of the cluster to display your cluster information. +. Choose the *Networking* tab and choose *Manage*. +. In the dropdown, choose *Remote networks*. +. *Choose Configure remote networks to enable hybrid nodes* and specify your on-premises node and pod CIDRs for hybrid nodes. +.. You must configure your remote pod CIDR if your CNI does not use Network Address Translation (NAT) or masquerading for pod IP addresses when pod traffic leaves your on-premises hosts. You must configure the remote pod CIDR if you are running webhooks on hybrid nodes. +.. Your on-premises node and pod CIDR blocks must meet the following requirements: +... Be within one of the IPv4 RFC-1918 ranges: `10.0.0.0/8`, `172.16.0.0/12`, or `192.168.0.0/16`. +... Not overlap with each other, the `VPC CIDR` for your cluster, or your Kubernetes service IPv4 CIDR. +. Choose *Save changes* to finish. Wait for the cluster status to return to *Active*. + +. Continue with the next step. + + +== Next steps: Cluster setup + +As the next step, update any add-ons to versions that are compatible with hybrid nodes. For the add-ons versions that are compatible with hybrid nodes, see <>. + +Then, see <> to enable access for your hybrid nodes to join your cluster. diff --git a/latest/ug/nodes/hybrid-nodes-prereqs.adoc b/latest/ug/nodes/hybrid-nodes-prereqs.adoc index da17207d9..d0c4ad5d8 100644 --- a/latest/ug/nodes/hybrid-nodes-prereqs.adoc +++ b/latest/ug/nodes/hybrid-nodes-prereqs.adoc @@ -140,4 +140,7 @@ include::hybrid-nodes-creds.adoc[leveloffset=+1] include::hybrid-nodes-cluster-create.adoc[leveloffset=+1] +include::hybrid-nodes-cluster-update.adoc[leveloffset=+1] + + include::hybrid-nodes-cluster-prep.adoc[leveloffset=+1] \ No newline at end of file From 2bcbc4c0e36df5c4f248036a90194302e4742e6d Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Mon, 31 Mar 2025 10:59:52 -0700 Subject: [PATCH 343/940] Review feedback on hybrid update --- .../ug/nodes/hybrid-nodes-cluster-create.adoc | 1 + .../ug/nodes/hybrid-nodes-cluster-update.adoc | 24 ++++++++++--------- latest/ug/nodes/hybrid-nodes-overview.adoc | 2 +- 3 files changed, 15 insertions(+), 12 deletions(-) diff --git a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc index 323e136e9..542c12797 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-create.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-create.adoc @@ -27,6 +27,7 @@ This topic provides an overview of the available options and describes what to c * Your cluster must use either `API` or `API_AND_CONFIG_MAP` for the cluster authentication mode. * Your cluster must use IPv4 address family. * Your cluster must use either Public or Private cluster endpoint connectivity. Your cluster cannot use “Public and Private” cluster endpoint connectivity, because the Amazon EKS Kubernetes API server endpoint will resolve to the public IPs for hybrid nodes running outside of your VPC. +* You can add, change, or remove the hybrid nodes configuration of an existing cluster. For more information, see <>. [#hybrid-nodes-cluster-create-iam] diff --git a/latest/ug/nodes/hybrid-nodes-cluster-update.adoc b/latest/ug/nodes/hybrid-nodes-cluster-update.adoc index 049e45a05..1cd083840 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-update.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-update.adoc @@ -2,23 +2,25 @@ include::../attributes.txt[] [.topic] [#hybrid-nodes-cluster-update] -= Enable hybrid nodes on an existing Amazon EKS cluster += Modify the hybrid node configuration on an existing Amazon EKS cluster :info_titleabbrev: Existing cluster [abstract] -- -Enable hybrid nodes on an existing cluster +Modify hybrid nodes on an existing cluster -- -This topic provides an overview of the available options and describes what to consider when you add, change, or remove hybrid nodes from an Amazon EKS cluster. If you are not planning to use hybrid nodes, see <>. +This topic provides an overview of the available options and describes what to consider when you add, change, or remove the hybrid nodes configuration from an Amazon EKS cluster. If you are not planning to use hybrid nodes, see <>. + +To enable an Amazon EKS cluster to use hybrid nodes, add the IP address CIDR ranges of your on-premises network in the `RemoteNodeNetwork` configuration. EKS uses this list of CIDRs to enable connectivity between the cluster and your on-premises networks. For a full list of configuration, see the link:eks/latest/APIReference/API_UpdateClusterConfig.html[UpdateClusterConfig,type="documentation"] in the _Amazon EKS API Reference_. You can do any of the following actions to the EKS Hybrid Nodes in a cluster: -* Add and enable EKS Hybrid Nodes in an existing cluster. -* Change the remote node networks. -* Add or change the remote pod networks. -* Remove the remote pod networks. -* Remove and disable EKS Hybrid Nodes in an existing cluster. +* Add remote node network configuration to enable EKS Hybrid Nodes in an existing cluster. +* Add, change, or remove the remote node networks. You can remove individual CIDR ranges but you can't remove all remote node networks. +* Add, change, or remove the optional remote pod networks. +* Remove all of the remote pod networks. +* Remove remote node network configuration to disable EKS Hybrid Nodes in an existing cluster. The following examples enable EKS Hybrid Nodes on an existing cluster and include the optional remote pod network. @@ -56,7 +58,7 @@ You can enable EKS Hybrid Nodes in an existing cluster by using: [#hybrid-nodes-cluster-enable-cfn] === Enable EKS Hybrid Nodes in an existing cluster - {aws} CloudFormation -. To enable EKS Hybrid Nodes in your cluster, add the `RemoteNodeNetwork` and (optional) `RemotePodNetwork` to your CLoudFormation template and update the stack. Note that `RemoteNodeNetwork` is a list with a maximum of one `Cidrs` item and the `Cidrs` is a list of multiple IP CIDR ranges. +. To enable EKS Hybrid Nodes in your cluster, add the `RemoteNodeNetwork` and (optional) `RemotePodNetwork` to your CloudFormation template and update the stack. Note that `RemoteNodeNetwork` is a list with a maximum of one `Cidrs` item and the `Cidrs` is a list of multiple IP CIDR ranges. + [source,yaml,subs="verbatim,attributes"] ---- @@ -122,6 +124,6 @@ aws eks describe-cluster \ == Next steps: Cluster setup -As the next step, update any add-ons to versions that are compatible with hybrid nodes. For the add-ons versions that are compatible with hybrid nodes, see <>. +If you enable EKS Hybrid Nodes on an existing cluster, remember to update any add-ons to versions that are compatible with hybrid nodes. For the add-ons versions that are compatible with hybrid nodes, see <>. Then, see <> to enable access for your hybrid nodes to join your cluster. -Then, see <> to enable access for your hybrid nodes to join your cluster. +As soon as the cluster is in the `Active` state, the cluster is using the updated cluster configuration. \ No newline at end of file diff --git a/latest/ug/nodes/hybrid-nodes-overview.adoc b/latest/ug/nodes/hybrid-nodes-overview.adoc index 09b494745..242bf0159 100644 --- a/latest/ug/nodes/hybrid-nodes-overview.adoc +++ b/latest/ug/nodes/hybrid-nodes-overview.adoc @@ -46,7 +46,7 @@ video::tFn9IdlddBw[youtube,align=center,height= 405,width=720,fileref = https:// *Kubernetes and platform versions* * Amazon EKS Hybrid Nodes supports the same Kubernetes versions and deprecation schedule as Amazon EKS, including standard and extended Kubernetes version support. For more information on Kubernetes versions in Amazon EKS, see <>. For more information about Amazon EKS platform versions, see <>. -* You must create new Amazon EKS clusters to use Amazon EKS Hybrid Nodes. Hybrid nodes can't be used with existing Amazon EKS clusters. +* You can create new Amazon EKS clusters to use Amazon EKS Hybrid Nodes. Or, you can update an existing Amazon EKS cluster to add the hybrid node configuration. *Networking* From d7e36addeb7e0980e22def820a4d98d3cb659ec5 Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Mon, 31 Mar 2025 11:37:29 -0700 Subject: [PATCH 344/940] Fix builds --- latest/ug/ml/machine-learning-on-eks.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/ml/machine-learning-on-eks.adoc b/latest/ug/ml/machine-learning-on-eks.adoc index 71c7d6ee4..168710ac2 100644 --- a/latest/ug/ml/machine-learning-on-eks.adoc +++ b/latest/ug/ml/machine-learning-on-eks.adoc @@ -21,7 +21,7 @@ EKS is a managed Kubernetes platform that helps you deploy and manage complex AI Built on the open source Kubernetes ecosystem, it integrates with {aws} services, providing the control and scalability needed for advanced projects. For teams new to AI/ML deployments, existing Kubernetes skills transfer directly, allowing efficient orchestration of multiple workloads. -EKS supports everything from operating system customizations to compute scaling, and its open source foundation promotes technological flexibility, preserving freedom of choice for future infrastructure decisions. +EKS supports everything from operating system customizations to compute scaling, and its open source foundation promotes technological flexibility, preserving choice for future infrastructure decisions. The platform provides the performance and tuning options AI/ML workloads require, supporting features such as: * Full cluster control to fine-tune costs and configurations without hidden abstractions From e95fdf34a9d92791011617466436e1ad48ea642d Mon Sep 17 00:00:00 2001 From: guessi Date: Tue, 1 Apr 2025 03:50:53 +0800 Subject: [PATCH 345/940] Clarify the details of "Amazon EKS optimized Kubecost bundle" (#935) * Clarify the details of "Amazon EKS optimized Kubecost bundle" * Correct values file link * Unify the wording of "Amazon EKS optimized Kubecost bundle" * Revise command example * Replace all links with the ones hosting on IBM.com * Address review comments --- .../cost-monitoring-kubecost-bundles.adoc | 41 +++++++++-------- .../cost-monitoring-kubecost.adoc | 45 +++++++++++-------- 2 files changed, 48 insertions(+), 38 deletions(-) diff --git a/latest/ug/cluster-management/cost-monitoring-kubecost-bundles.adoc b/latest/ug/cluster-management/cost-monitoring-kubecost-bundles.adoc index c09e404c7..8abd6dcb8 100644 --- a/latest/ug/cluster-management/cost-monitoring-kubecost-bundles.adoc +++ b/latest/ug/cluster-management/cost-monitoring-kubecost-bundles.adoc @@ -6,9 +6,9 @@ include::../attributes.txt[] Amazon EKS provides an {aws} optimized bundle of Kubecost for cluster cost visibility. Amazon EKS supports Kubecost, which you can use to monitor your costs broken down by Kubernetes resources including Pods, nodes, namespaces, and labels. -This topic covers the available versions of Kubecost, and the differences between the available tiers. EKS supports Kubecost Version 1 and Version 2. Each version is available in different tiers. You can use _Amazon EKS optimized Kubecost custom bundle_ for your EKS clusters at no additional cost. You may be charged for use of associated {aws} services, such as Amazon Managed Service for Prometheus. Also, you can use your existing {aws} support agreements to obtain support. +This topic covers the available versions of Kubecost, and the differences between the available tiers. EKS supports Kubecost Version 1 and Version 2. Each version is available in different tiers. You can use _Amazon EKS optimized Kubecost bundle_ for your Amazon EKS clusters at no additional cost. You may be charged for use of associated {aws} services, such as Amazon Managed Service for Prometheus. Also, you can use your existing {aws} support agreements to obtain support. -As a Kubernetes platform administrator and finance leader, you can use Kubecost to visualize a breakdown of Amazon EKS charges, allocate costs, and charge back organizational units such as application teams. You can provide your internal teams and business units with transparent and accurate cost data based on their actual {aws} bill. Moreover, you can also get customized recommendations for cost optimization based on their infrastructure environment and usage patterns within their clusters. For more information about Kubecost, see the https://guide.kubecost.com[Kubecost] documentation. +As a Kubernetes platform administrator and finance leader, you can use Kubecost to visualize a breakdown of Amazon EKS charges, allocate costs, and charge back organizational units such as application teams. You can provide your internal teams and business units with transparent and accurate cost data based on their actual {aws} bill. Moreover, you can also get customized recommendations for cost optimization based on their infrastructure environment and usage patterns within their clusters. For more information about Kubecost, see the https://www.ibm.com/docs/en/kubecost/self-hosted/2.x[Kubecost] documentation. *What is the difference between the custom bundle of Kubecost and the free version of Kubecost (also known as OpenCost)?* @@ -19,12 +19,12 @@ As a Kubernetes platform administrator and finance leader, you can use Kubecost *What is the difference between Kubecost v1 and v2?* -Kubecost 2.0 is a major upgrade from previous versions and includes major new features including a brand new API Backend. Note the https://docs.kubecost.com/apis/monitoring-apis/api-allocation[Allocation] and https://docs.kubecost.com/apis/monitoring-apis/assets-api[Assets] APIs are fully backwards compatible. https://docs.kubecost.com/install-and-configure/install/kubecostv2[Please review the Kubecost documentation to ensure a smooth transition.] For the full list of enhancements, https://github.com/kubecost/cost-analyzer-helm-chart/releases/tag/v2.0.0[please see the Kubecost release notes] +Kubecost 2.0 is a major upgrade from previous versions and includes major new features including a brand new API Backend. Note the https://www.ibm.com/docs/en/kubecost/self-hosted/2.x?topic=apis-allocation-api[Allocation] and https://www.ibm.com/docs/en/kubecost/self-hosted/2.x?topic=apis-assets-api[Assets] APIs are fully backwards compatible. https://www.ibm.com/docs/en/kubecost/self-hosted/2.x?topic=installation-kubecost-v2-installupgrade[Please review the Kubecost documentation to ensure a smooth transition.] For the full list of enhancements, https://github.com/kubecost/cost-analyzer-helm-chart/releases/tag/v2.0.0[please see the Kubecost v2.0 announcement] and https://github.com/kubecost/cost-analyzer-helm-chart/releases[the full release notes]. [IMPORTANT] ==== -https://docs.kubecost.com/install-and-configure/install/kubecostv2[Review the Kubecost documentation before upgrading.] Upgrading may impact report availability. +https://www.ibm.com/docs/en/kubecost/self-hosted/2.x[Review the Kubecost documentation before upgrading.] Upgrading may impact report availability. ==== @@ -40,7 +40,7 @@ https://docs.kubecost.com/install-and-configure/install/kubecostv2[Review the Ku | Cluster cost visibility -| Single clusters up to 250 cores +| Unlimited clusters up to 250 cores | Unified multi-cluster without core limits when integrated with Amazon Managed Service for Prometheus | Unified and unlimited number of clusters across unlimited numbers of environments (i.e. multi-cloud) @@ -71,8 +71,8 @@ https://docs.kubecost.com/install-and-configure/install/kubecostv2[Review the Ku | Alerts and recurring reports | Only supported on the primary cluster, limited to 250 cores -| Efficiency alerts, budget alerts, spend change alerts, and https://docs.kubecost.com/using-kubecost/navigating-the-kubecost-ui/alerts[more supported] across all clusters -| Efficiency alerts, budget alerts, spend change alerts, and https://docs.kubecost.com/using-kubecost/navigating-the-kubecost-ui/alerts[more supported] across all clusters +| Efficiency alerts, budget alerts, spend change alerts, and https://www.ibm.com/docs/en/kubecost/self-hosted/2.x?topic=navigating-kubecost-ui#ariaid-title6[more supported] across all clusters +| Efficiency alerts, budget alerts, spend change alerts, and https://www.ibm.com/docs/en/kubecost/self-hosted/2.x?topic=navigating-kubecost-ui#ariaid-title6[more supported] across all clusters | Saved reports | - @@ -137,13 +137,12 @@ The following features have metric limits: |=== |Metric |Kubecost Free Tier 2.0 -|Amazon EKS Optimized Kubecost Custom Bundle - 2.0 +|Amazon EKS optimized Kubecost bundle 2.0 |Kubecost Enterprise 2.0 |Cluster size -|Limited to 250 cores +|Unlimited clusters up to 250 cores |Unlimited |Unlimited @@ -170,7 +169,7 @@ The following features have metric limits: |=== |Feature |Kubecost free tier -|Amazon EKS optimized Kubecost custom bundle +|Amazon EKS optimized Kubecost bundle |Kubecost Enterprise @@ -257,7 +256,7 @@ See the following common questions and answers about using Kubecost with Amazon *What is the Kubecost API retention (ETL) feature?* -The Kubecost ETL feature aggregates and organizes metrics to surface cost visibility at various levels of granularity (such as `namespace-level`, `pod-level`, and `deployment-level`). For the custom Kubecost bundle, customers get data and insights from metrics for the last 15 days. +The Kubecost ETL feature aggregates and organizes metrics to surface cost visibility at various levels of granularity (such as `namespace-level`, `pod-level`, and `deployment-level`). For _Amazon EKS optimized Kubecost bundle_, customers get data and insights from metrics for the last 15 days. *What is the alerts and recurring reports feature? What alerts and reports does it include?* @@ -277,11 +276,15 @@ Kubecost provides insights and automation to help users optimize their Kubernete *Is there a charge for this functionality?* -No. You can use this version of Kubecost at no additional charge. If you want additional Kubecost capabilities that aren't included in this bundle, you can buy an enterprise license of Kubecost through the {aws} Marketplace, or from Kubecost directly. +No. You can use _Amazon EKS optimized Kubecost bundle_ at no additional charge. If you want additional Kubecost capabilities that aren't included, you can buy an Enterprise License of Kubecost through the {aws} Marketplace, or from Kubecost directly. -*Is support available?* +*Is support available for _Amazon EKS optimized Kubecost bundle_?* -Yes. You can open a support case with the {aws} Support team at link:contact-us/[Contact {aws},type="marketing"]. +Yes, only if you are using the _Amazon EKS optimized Kubecost bundle_. + +*How do I get support for _Amazon EKS optimized Kubecost bundle_?* + +You can open a support case with the {aws} Support team at link:contact-us/[Contact {aws},type="marketing"]. *Do I need a license to use Kubecost features provided by the Amazon EKS integration?* @@ -289,11 +292,11 @@ No. *Can I integrate Kubecost with {aws} Cost and Usage Report for more accurate reporting?* -Yes. You can configure Kubecost to ingest data from {aws} Cost and Usage Report to get accurate cost visibility, including discounts, Spot pricing, reserved instance pricing, and others. For more information, see https://docs.kubecost.com/install-and-configure/install/cloud-integration/aws-cloud-integrations[{aws} Cloud Billing Integration] in the Kubecost documentation. +Yes. You can configure Kubecost to ingest data from {aws} Cost and Usage Report to get accurate cost visibility, including discounts, Spot pricing, reserved instance pricing, and others. For more information, see https://www.ibm.com/docs/en/kubecost/self-hosted/2.x?topic=integrations-aws-cloud-billing-integration[{aws} Cloud Billing Integration] in the Kubecost documentation. *Does this version support cost management of self-managed Kubernetes clusters on Amazon EC2?* -No. This version is only compatible with Amazon EKS clusters. +No. _Amazon EKS optimized Kubecost bundle_ only compatible with Amazon EKS clusters. *Can Kubecost track costs for Amazon EKS on {aws} Fargate?* @@ -323,5 +326,5 @@ No. + image::images/kubecost-architecture.png[Kubecost architecture,scaledwidth=100%] + -With https://prometheus.io/[Prometheus] pre-installed, you can write queries to ingest Kubecost data into your current business intelligence system for further analysis. You can also use it as a data source for your current https://grafana.com/[Grafana] dashboard to display Amazon EKS cluster costs that your internal teams are familiar with. To learn more about how to write Prometheus queries, see the https://github.com/opencost/opencost/blob/develop/PROMETHEUS.md[Prometheus Configuration]``readme`` file on GitHub or use the example Grafana JSON models in the https://github.com/kubecost/cost-analyzer-helm-chart/tree/develop/cost-analyzer[Kubecost Github repository] as references. -* *{aws} Cost and Usage Report integration* – To perform cost allocation calculations for your Amazon EKS cluster, Kubecost retrieves the public pricing information of {aws} services and {aws} resources from the {aws} Price List API. You can also integrate Kubecost with *{aws} Cost and Usage Report* to enhance the accuracy of the pricing information specific to your {aws} account. This information includes enterprise discount programs, reserved instance usage, savings plans, and spot usage. To learn more about how the {aws} Cost and Usage Report integration works, see https://docs.kubecost.com/install-and-configure/install/cloud-integration/aws-cloud-integrations[{aws} Cloud Billing Integration] in the Kubecost documentation. \ No newline at end of file +With https://prometheus.io/[Prometheus] pre-installed, you can write queries to ingest Kubecost data into your current business intelligence system for further analysis. You can also use it as a data source for your current https://grafana.com/[Grafana] dashboard to display Amazon EKS cluster costs that your internal teams are familiar with. To learn more about how to write Prometheus queries, see the https://opencost.io/docs/installation/prometheus/[Prometheus Configuration]``readme`` file on GitHub or use the example Grafana JSON models in the https://github.com/kubecost/cost-analyzer-helm-chart/tree/develop/cost-analyzer[Kubecost Github repository] as references. +* *{aws} Cost and Usage Report integration* – To perform cost allocation calculations for your Amazon EKS cluster, Kubecost retrieves the public pricing information of {aws} services and {aws} resources from the {aws} Price List API. You can also integrate Kubecost with *{aws} Cost and Usage Report* to enhance the accuracy of the pricing information specific to your {aws} account. This information includes enterprise discount programs, reserved instance usage, savings plans, and spot usage. To learn more about how the {aws} Cost and Usage Report integration works, see https://www.ibm.com/docs/en/kubecost/self-hosted/2.x?topic=integrations-aws-cloud-billing-integration[{aws} Cloud Billing Integration] in the Kubecost documentation. diff --git a/latest/ug/cluster-management/cost-monitoring-kubecost.adoc b/latest/ug/cluster-management/cost-monitoring-kubecost.adoc index a975f6738..3d833d890 100644 --- a/latest/ug/cluster-management/cost-monitoring-kubecost.adoc +++ b/latest/ug/cluster-management/cost-monitoring-kubecost.adoc @@ -9,8 +9,6 @@ Amazon EKS supports Kubecost, which you can use to monitor your costs broken dow Amazon EKS provides an {aws} optimized bundle of Kubecost for cluster cost visibility. You can use your existing {aws} support agreements to obtain support. For more information about the available versions of Kubecost, see <>. -As a Kubernetes platform administrator and finance leader, you can use Kubecost to visualize a breakdown of Amazon EKS charges, allocate costs, and charge back organizational units such as application teams. You can provide your internal teams and business units with transparent and accurate cost data based on their actual {aws} bill. Moreover, you can also get customized recommendations for cost optimization based on their infrastructure environment and usage patterns within their clusters. - [NOTE] ==== @@ -18,7 +16,7 @@ Kubecost v2 introduces several major new features. <>. [#kubecost-addon] @@ -26,7 +24,7 @@ For more information about Kubecost, see the https://guide.kubecost.com[Kubecost [NOTE] ==== -Install Kubecost as an Amazon EKS Add-on and benefit from additional features at no additional cost with the Amazon EKS optimized Kubecost bundle. For more information, see <>. +Install Kubecost as an Amazon EKS Add-on and benefit from additional features at no additional cost with the _Amazon EKS optimized Kubecost bundle_. For more information, see <>. ==== Amazon EKS Add-ons reduce the complexity of upgrading Kubecost, and managing licenses. EKS Add-ons are integrated with the {aws} marketplace. @@ -45,43 +43,52 @@ Learn how to <>, such as Kubecost. [#kubecost-helm] == Install Kubecost using Helm -* An existing Amazon EKS cluster. To deploy one, see <>. The cluster must have Amazon EC2 nodes because you can't run Kubecost on Fargate nodes. +* An existing Amazon EKS cluster. To deploy one, see <>. * The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the Kubernetes version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. * Helm version 3.9.0 or later configured on your device or {aws} CloudShell. To install or update Helm, see <>. +* Cluster version should be `1.21 (or higher)` and `1.31` is officially supported as of v2. Learn more at https://www.ibm.com/docs/en/kubecost/self-hosted/2.x?topic=installation-environment#ariaid-title2[Supported Kubernetes versions]. * If your cluster is version `1.23` or later, you must have the <> installed on your cluster. -. Determine the version of Kubecost to install. You can see the available versions at https://gallery.ecr.aws/kubecost/cost-analyzer[kubecost/cost-analyzer] in the Amazon ECR Public Gallery. For more information about the compatibility of Kubecost versions and Amazon EKS, see the https://docs.kubecost.com/install-and-configure/install/environment[Environment Requirements] in the Kubecost documentation. -. Install Kubecost with the following command. Replace [.replaceable]`kubecost-version` with the value retrieved from ECR, such as [.replaceable]`1.108.1`. + +. Determine the version of Kubecost to install. You can see the available versions at https://gallery.ecr.aws/kubecost/cost-analyzer[kubecost/cost-analyzer] in the Amazon ECR Public Gallery. For more information about the compatibility of Kubecost versions and Amazon EKS, see the https://www.ibm.com/docs/en/kubecost/self-hosted/2.x?topic=installation-environment[Environment Requirements] in the Kubecost documentation. +. Install Kubecost with the following command. Replace [.replaceable]`KUBECOST_VERSION` with the value retrieved from ECR, such as [.replaceable]`1.108.1`. + [source,bash,subs="verbatim,attributes"] ---- -helm upgrade -i kubecost oci://public.ecr.aws/kubecost/cost-analyzer --version kubecost-version \ +export KUBECOST_VERSION="1.108.1" + +helm upgrade -i kubecost \ + oci://public.ecr.aws/kubecost/cost-analyzer \ + --version ${KUBECOST_VERSION} \ --namespace kubecost --create-namespace \ - -f https://raw.githubusercontent.com/kubecost/cost-analyzer-helm-chart/develop/cost-analyzer/values-eks-cost-monitoring.yaml + -f https://raw.githubusercontent.com/kubecost/cost-analyzer-helm-chart/refs/tags/v${KUBECOST_VERSION}/cost-analyzer/values-eks-cost-monitoring.yaml ---- + Kubecost releases new versions regularly. You can update your version using https://helm.sh/docs/helm/helm_upgrade/[helm upgrade]. By default, the installation includes a local https://prometheus.io/[Prometheus] server and `kube-state-metrics`. You can customize your deployment to use link:mt/integrating-kubecost-with-amazon-managed-service-for-prometheus[Amazon Managed Service for Prometheus,type="blog"] by following the documentation in link:prometheus/latest/userguide/integrating-kubecost.html[Integrating with Amazon EKS cost monitoring,type="documentation"]. For a list of all other settings that you can configure, see the https://github.com/kubecost/cost-analyzer-helm-chart/blob/develop/cost-analyzer/values-eks-cost-monitoring.yaml[sample configuration file] on GitHub. + + -You can remove Kubecost from your cluster with the following commands. +* You can remove Kubecost from your cluster with the following commands. + [source,bash,subs="verbatim,attributes"] ---- helm uninstall kubecost --namespace kubecost -kubectl delete ns kubecost ---- - - ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl delete namespace kubecost +---- [#kubecost-dashboard] == Access Kubecost Dashboard . Make sure the required Pods are running. -+ + [source,bash,subs="verbatim,attributes"] ---- -kubectl get pods -n kubecost +kubectl get pods --namespace kubecost ---- -+ + An example output is as follows. -+ + [source,bash,subs="verbatim,attributes"] ---- NAME READY STATUS RESTARTS AGE @@ -93,7 +100,7 @@ kubecost-prometheus-server-7d9967bfc8-9c8p7 2/2 Running 0 3h27m + [source,bash,subs="verbatim,attributes"] ---- -kubectl port-forward --namespace kubecost deployment/kubecost-cost-analyzer 9090 +kubectl port-forward deployment/kubecost-cost-analyzer 9090 --namespace kubecost ---- + Alternatively, you can use the <> to expose Kubecost and use Amazon Cognito for authentication, authorization, and user management. For more information, see link:containers/how-to-use-application-load-balancer-and-amazon-cognito-to-authenticate-users-for-your-kubernetes-web-apps[How to use Application Load Balancer and Amazon Cognito to authenticate users for your Kubernetes web apps,type="blog"]. @@ -111,4 +118,4 @@ image::images/kubecost.png[Kubecost dashboard,scaledwidth=100%] * *Cost allocation* – View monthly Amazon EKS costs and cumulative costs for each of your namespaces and other dimensions over the past seven days. This is helpful for understanding which parts of your application are contributing to Amazon EKS spend. -* *Assets* – View the costs of the {aws} infrastructure assets that are associated with your Amazon EKS resources. \ No newline at end of file +* *Assets* – View the costs of the {aws} infrastructure assets that are associated with your Amazon EKS resources. From f6905367ab7b8232723948190ba3897551d0cfbe Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Mon, 31 Mar 2025 14:56:23 -0500 Subject: [PATCH 346/940] Update windows-support.adoc with access entry considerations (#924) * Update windows-support.adoc add consideration for access entries type * Update windows-support.adoc * fixup --- latest/ug/clusters/windows-support.adoc | 29 ++++++++++++++++++++----- 1 file changed, 23 insertions(+), 6 deletions(-) diff --git a/latest/ug/clusters/windows-support.adoc b/latest/ug/clusters/windows-support.adoc index 83549680a..c125a67c5 100644 --- a/latest/ug/clusters/windows-support.adoc +++ b/latest/ug/clusters/windows-support.adoc @@ -10,6 +10,11 @@ include::../attributes.txt[] Learn how to enable and manage Windows support for your Amazon EKS cluster to run Windows containers alongside Linux containers. -- +Learn how to enable and manage Windows support for your Amazon EKS cluster to run Windows containers alongside Linux containers. + + +== Considerations + Before deploying Windows nodes, be aware of the following considerations. * EKS Auto Mode does not support Windows nodes @@ -28,13 +33,23 @@ Before deploying Windows nodes, be aware of the following considerations. * The source for the controller is managed on GitHub. To contribute to, or file issues against the controller, visit the https://github.com/aws/amazon-vpc-resource-controller-k8s[project] on GitHub. * When specifying a custom AMI ID for Windows managed node groups, add `eks:kube-proxy-windows` to your {aws} IAM Authenticator configuration map. For more information, see <>. * If preserving your available IPv4 addresses is crucial for your subnet, refer to https://aws.github.io/aws-eks-best-practices/windows/docs/networking/#ip-address-management[EKS Best Practices Guide - Windows Networking IP Address Management] for guidance. +* Considerations for EKS Access Entries +** If you use a different Node IAM Role for Windows instances, EKS will automatically create the required Windows Access Entry. +** Access Entries for use with Windows nodes need the type of `EC2_WINDOWS`. For more information, see <>. ++ +To create an access entry for a Windows node: ++ +[source,bash] +---- +aws eks create-access-entry --cluster-name my-cluster --principal-arn arn:aws:iam::111122223333:role/ --type EC2_Windows +---- +== Prerequisites * An existing cluster. * Your cluster must have at least one (we recommend at least two) Linux node or Fargate Pod to run CoreDNS. If you enable legacy Windows support, you must use a Linux node (you can't use a Fargate Pod) to run CoreDNS. * An existing <>. - [#enable-windows-support] == Enable Windows support . If you don't have Amazon Linux nodes in your cluster and use security groups for Pods, skip to the next step. Otherwise, confirm that the `AmazonEKSVPCResourceController` managed policy is attached to your <>. Replace [.replaceable]`eksClusterRole` with your cluster role name. @@ -71,7 +86,8 @@ aws iam attach-role-policy \ --role-name eksClusterRole \ --policy-arn {arn-aws}iam::aws:policy/AmazonEKSVPCResourceController ---- -. Create a file named [.replaceable]`vpc-resource-controller-configmap.yaml` with the following contents. +. Update the VPC CNI ConfigMap to enable Windows IPAM: +.. Create a file named [.replaceable]`vpc-resource-controller-configmap.yaml` with the following contents. + [source,yaml,subs="verbatim,attributes"] ---- @@ -83,13 +99,14 @@ metadata: data: enable-windows-ipam: "true" ---- -. Apply the `ConfigMap` to your cluster. +.. Apply the `ConfigMap` to your cluster. + [source,bash,subs="verbatim,attributes"] ---- kubectl apply -f vpc-resource-controller-configmap.yaml ---- -. Verify that your `aws-auth` `ConfigMap` contains a mapping for the instance role of the Windows node to include the `eks:kube-proxy-windows` RBAC permission group. You can verify by running the following command. +. If your cluster has the authentication mode set to enable the `aws-auth` configmap: +** Verify that your `aws-auth` `ConfigMap` contains a mapping for the instance role of the Windows node to include the `eks:kube-proxy-windows` RBAC permission group. You can verify by running the following command. + [source,bash,subs="verbatim,attributes"] ---- @@ -117,7 +134,7 @@ data: ---- + You should see `eks:kube-proxy-windows` listed under groups. If the group isn't specified, you need to update your `ConfigMap` or create it to include the required group. For more information about the `aws-auth` `ConfigMap`, see <>. - +. If your cluster has the authentication mode set to disable the `aws-auth` configmap, then you can use EKS Access Entries. Create a new node role for use with Windows instances, and EKS will automatically create an access entry of type `EC2_WINDOWS`. [#windows-support-pod-deployment] == Deploy Windows Pods @@ -163,4 +180,4 @@ You can enable higher Pod density on Windows nodes by enabling IP prefix delegat (Number of private IPv4 addresses assigned to the interface attached to the node - 1) * 16 ---- -With this significantly larger number of available IP addresses, available IP addresses shouldn't limit your ability to scale the number of Pods on your nodes. For more information, see <>. \ No newline at end of file +With this significantly larger number of available IP addresses, available IP addresses shouldn't limit your ability to scale the number of Pods on your nodes. For more information, see <>. From fb6823d9fd770c1312f6fb12ad2f2366596ad466 Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Mon, 31 Mar 2025 14:12:58 -0700 Subject: [PATCH 347/940] Add hybrid config updates to doc history --- latest/ug/doc-history.adoc | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index 582be7ea4..a1f1dcee9 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -15,6 +15,14 @@ The following table describes the major updates and new features for the Amazon == Updates +[.update,date="2025-03-31"] +=== EKS Hybrid Nodes for existing clusters +[.update-ulink] +link:eks/latest/userguide/hybrid-nodes-cluster-update.html[type="documentation"] + +You can now add, change, or remove the hybrid nodes configuration of existing clusters. Previously, you could only add the hybrid nodes configuration to new clusters when you created them. +With Amazon EKS Hybrid Nodes, you can use your on-premises and edge infrastructure as nodes in Amazon EKS clusters. {aws} manages the {aws}-hosted Kubernetes control plane of the Amazon EKS cluster, and you manage the hybrid nodes that run in your on-premises or edge environments. + [.update,date="2025-03-28"] === Rollback: Prevent accidental upgrades with cluster insights [.update-ulink] From 30b0d8385c890749cfd466090253f587679bfabb Mon Sep 17 00:00:00 2001 From: Chris Negus Date: Tue, 1 Apr 2025 15:57:08 +0000 Subject: [PATCH 348/940] Small enhancements to auto-migrate-fargate.adoc --- latest/ug/automode/auto-migrate-fargate.adoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/latest/ug/automode/auto-migrate-fargate.adoc b/latest/ug/automode/auto-migrate-fargate.adoc index 5b8843303..35cc0b7da 100644 --- a/latest/ug/automode/auto-migrate-fargate.adoc +++ b/latest/ug/automode/auto-migrate-fargate.adoc @@ -149,10 +149,10 @@ system default 0 True 3d14h ### Step 3: Update workloads for migration Identify and update the workloads you want to migrate to EKS Auto Mode. -Add both tolerations and node selectors to these workloads and add annotation. -EKS Auto Mode uses different labels than `fargate`. -Labels related to EC2 managed instances start with `eks.amazonaws.com`. +To migrate a workload from Fargate to EKS Auto Mode, apply the annotation `eks.amazonaws.com/compute-type: ec2`. +This ensures that the workload will not be scheduled by Fargate, despite the Fargate profile, +and will be caught up by the EKS Auto Mode NodePool. For more information, see <>. . Modify your deployments (for example, the `deployment_fargate.yaml` file) to change the compute type to `ec2`: From 315a9dcaeb0c21034458b44c403ebded11342d23 Mon Sep 17 00:00:00 2001 From: Eric Chapman Date: Tue, 1 Apr 2025 08:46:18 -0500 Subject: [PATCH 349/940] Update hybrid-nodes-cluster-update.adoc Tweaks to hybrid nodes cluster update. --- .../ug/nodes/hybrid-nodes-cluster-update.adoc | 39 +++++++++---------- 1 file changed, 19 insertions(+), 20 deletions(-) diff --git a/latest/ug/nodes/hybrid-nodes-cluster-update.adoc b/latest/ug/nodes/hybrid-nodes-cluster-update.adoc index 1cd083840..2bf0737c5 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-update.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-update.adoc @@ -2,32 +2,31 @@ include::../attributes.txt[] [.topic] [#hybrid-nodes-cluster-update] -= Modify the hybrid node configuration on an existing Amazon EKS cluster += Enable hybrid nodes on an existing Amazon EKS cluster or modify configuration :info_titleabbrev: Existing cluster [abstract] -- -Modify hybrid nodes on an existing cluster +Modify hybrid nodes configuration on an existing cluster -- This topic provides an overview of the available options and describes what to consider when you add, change, or remove the hybrid nodes configuration from an Amazon EKS cluster. If you are not planning to use hybrid nodes, see <>. -To enable an Amazon EKS cluster to use hybrid nodes, add the IP address CIDR ranges of your on-premises network in the `RemoteNodeNetwork` configuration. EKS uses this list of CIDRs to enable connectivity between the cluster and your on-premises networks. For a full list of configuration, see the link:eks/latest/APIReference/API_UpdateClusterConfig.html[UpdateClusterConfig,type="documentation"] in the _Amazon EKS API Reference_. +To enable an Amazon EKS cluster to use hybrid nodes, add the IP address CIDR ranges of your on-premises network in the `RemoteNodeNetwork` configuration. EKS uses this list of CIDRs to enable connectivity between the cluster and your on-premises networks. For a full list of options when updating your cluster configuration, see the link:eks/latest/APIReference/API_UpdateClusterConfig.html[UpdateClusterConfig,type="documentation"] in the _Amazon EKS API Reference_. -You can do any of the following actions to the EKS Hybrid Nodes in a cluster: +You can do any of the following actions to the EKS Hybrid Nodes networking configuration in a cluster: * Add remote node network configuration to enable EKS Hybrid Nodes in an existing cluster. -* Add, change, or remove the remote node networks. You can remove individual CIDR ranges but you can't remove all remote node networks. +* Add, change, or remove the remote node networks. Remove all remote node network CIDR ranges to disable EKS Hybrid Nodes in an existing cluster. * Add, change, or remove the optional remote pod networks. * Remove all of the remote pod networks. -* Remove remote node network configuration to disable EKS Hybrid Nodes in an existing cluster. The following examples enable EKS Hybrid Nodes on an existing cluster and include the optional remote pod network. [#hybrid-nodes-cluster-enable-prep] == Prerequisites -* The <> completed. Before you create your hybrid nodes-enabled cluster, you must have your on-premises node and optionally pod CIDRs identified, your VPC and subnets created according to the EKS requirements, and hybrid nodes requirements, and your security group with inbound rules for your on-premises and optionally pod CIDRs. For more information on these prerequisites, see <>. +* The <> completed. Before you create your hybrid nodes-enabled cluster, you must have your on-premises node and optionally pod CIDRs identified, your VPC and subnets created according to the EKS and hybrid nodes requirements, and your security group with inbound rules for your on-premises node and optionally pod CIDRs. For more information on these prerequisites, see <>. * The latest version of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device. To check your current version, use `aws --version`. Package managers such yum, apt-get, or Homebrew for macOS are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/getting-started-install.html[Installing or updating to the last version of the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Configuring settings for the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. * An link:IAM/latest/UserGuide/id_roles#iam-term-principal[IAM principal,type="documentation"] with permissions to create IAM roles and attach policies, and create and describe EKS clusters @@ -38,11 +37,15 @@ The following examples enable EKS Hybrid Nodes on an existing cluster and includ * Your cluster must use either `API` or `API_AND_CONFIG_MAP` for the cluster authentication mode. * Your cluster must use IPv4 address family. * Your cluster must use either Public or Private cluster endpoint connectivity. Your cluster cannot use “Public and Private” cluster endpoint connectivity, because the Amazon EKS Kubernetes API server endpoint will resolve to the public IPs for hybrid nodes running outside of your VPC. +* You must configure your remote pod CIDR if your CNI does not use Network Address Translation (NAT) or masquerading for pod IP addresses when pod traffic leaves your on-premises hosts. You must configure the remote pod CIDR if you are running webhooks on hybrid nodes. To learn more about these requirements, see <>. +* Your on-premises node and pod CIDR blocks must meet the following requirements: +.. Be within one of the IPv4 RFC-1918 ranges: `10.0.0.0/8`, `172.16.0.0/12`, or `192.168.0.0/16`. +.. Not overlap with each other, the `VPC CIDR` for your cluster, or your Kubernetes service IPv4 CIDR. The `remoteNetworkConfig` JSON object has the following behavior during an update: * Any existing part of the configuration that you don't specify is unchanged. If you don't specify either of the `remoteNodeNetworks` or `remotePodNetworks`, that part will remain the same. -* If you are modifying either of the `remoteNodeNetworks` or `remotePodNetworks` lists of CIDRs, you must specify that entire list in your update. EKS replaces the list during the update. +* If you are modifying either the `remoteNodeNetworks` or `remotePodNetworks` lists of CIDRs, you must specify the complete list of CIDRs that you want in your final configuration. When you specify a change to either the `remoteNodeNetworks` or `remotePodNetworks` CIDR list, EKS replaces the original list during the update. [#hybrid-nodes-cluster-enable-existing] @@ -69,15 +72,15 @@ You can enable EKS Hybrid Nodes in an existing cluster by using: - Cidrs: [RemotePodCIDR] ---- -. Continue with the next step. +. Continue with <>. [#hybrid-nodes-cluster-enable-cli] === Enable EKS Hybrid Nodes in an existing cluster - {aws} CLI -. Run the following command to enable EKS Hybrid Nodes and update an EKS cluster. Before running the command, replace the following with your desired settings. For a full list of settings, see the link:eks/latest/APIReference/API_UpdateClusterConfig.html[UpdateClusterConfig,type="documentation"] in the _Amazon EKS API Reference_. -.. `CLUSTER_NAME`: name of the EKS cluster to be created. -.. `AWS_REGION`: {aws} Region where the cluster will be created. +. Run the following command to enable EKS Hybrid Nodes by updating an EKS cluster. Before running the command, replace the following with your desired settings. For a full list of settings, see the link:eks/latest/APIReference/API_UpdateClusterConfig.html[UpdateClusterConfig,type="documentation"] in the _Amazon EKS API Reference_. +.. `CLUSTER_NAME`: name of the EKS cluster to update. +.. `AWS_REGION`: {aws} Region where the cluster is running. .. `REMOTE_NODE_CIDRS`: the on-premises node CIDR for your hybrid nodes. .. `REMOTE_POD_CIDRS` (optional): the on-premises pod CIDR for workloads running on hybrid nodes. .. Your on-premises node and pod CIDR blocks must meet the following requirements: @@ -92,7 +95,7 @@ aws eks update-cluster \ --remote-network-config '{"remoteNodeNetworks":[{"cidrs":["REMOTE_NODE_CIDRS"]}],"remotePodNetworks":[{"cidrs":["REMOTE_POD_CIDRS"]}]}' ---- -. It takes several minutes to update the cluster. You can query the status of your cluster with the following command. Replace `CLUSTER_NAME` with the name of the cluster you are creating and `AWS_REGION` with the {aws} Region where the cluster is creating. Don't proceed to the next step until the output returned is `ACTIVE`. +. It takes several minutes to update the cluster. You can query the status of your cluster with the following command. Replace `CLUSTER_NAME` with the name of the cluster you are modifying and `AWS_REGION` with the {aws} Region where the cluster is running. Don't proceed to the next step until the output returned is `ACTIVE`. + [source,bash,subs="verbatim,attributes"] ---- @@ -102,7 +105,7 @@ aws eks describe-cluster \ --query "cluster.status" ---- -. Continue with the next step. +. Continue with <>. [#hybrid-nodes-cluster-enable-console] @@ -113,17 +116,13 @@ aws eks describe-cluster \ . Choose the *Networking* tab and choose *Manage*. . In the dropdown, choose *Remote networks*. . *Choose Configure remote networks to enable hybrid nodes* and specify your on-premises node and pod CIDRs for hybrid nodes. -.. You must configure your remote pod CIDR if your CNI does not use Network Address Translation (NAT) or masquerading for pod IP addresses when pod traffic leaves your on-premises hosts. You must configure the remote pod CIDR if you are running webhooks on hybrid nodes. -.. Your on-premises node and pod CIDR blocks must meet the following requirements: -... Be within one of the IPv4 RFC-1918 ranges: `10.0.0.0/8`, `172.16.0.0/12`, or `192.168.0.0/16`. -... Not overlap with each other, the `VPC CIDR` for your cluster, or your Kubernetes service IPv4 CIDR. . Choose *Save changes* to finish. Wait for the cluster status to return to *Active*. -. Continue with the next step. +. Continue with <>. == Next steps: Cluster setup If you enable EKS Hybrid Nodes on an existing cluster, remember to update any add-ons to versions that are compatible with hybrid nodes. For the add-ons versions that are compatible with hybrid nodes, see <>. Then, see <> to enable access for your hybrid nodes to join your cluster. -As soon as the cluster is in the `Active` state, the cluster is using the updated cluster configuration. \ No newline at end of file +As soon as the cluster is in the `Active` state, the cluster is using the updated cluster configuration. From 1bc530b2c065136c9811781771bdda48e89341d7 Mon Sep 17 00:00:00 2001 From: Eric Chapman Date: Tue, 1 Apr 2025 11:18:41 -0500 Subject: [PATCH 350/940] Update hybrid-nodes-cluster-update.adoc --- .../ug/nodes/hybrid-nodes-cluster-update.adoc | 50 +++++++++++-------- 1 file changed, 29 insertions(+), 21 deletions(-) diff --git a/latest/ug/nodes/hybrid-nodes-cluster-update.adoc b/latest/ug/nodes/hybrid-nodes-cluster-update.adoc index 2bf0737c5..e1238a9af 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-update.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-update.adoc @@ -12,7 +12,7 @@ Modify hybrid nodes configuration on an existing cluster This topic provides an overview of the available options and describes what to consider when you add, change, or remove the hybrid nodes configuration from an Amazon EKS cluster. If you are not planning to use hybrid nodes, see <>. -To enable an Amazon EKS cluster to use hybrid nodes, add the IP address CIDR ranges of your on-premises network in the `RemoteNodeNetwork` configuration. EKS uses this list of CIDRs to enable connectivity between the cluster and your on-premises networks. For a full list of options when updating your cluster configuration, see the link:eks/latest/APIReference/API_UpdateClusterConfig.html[UpdateClusterConfig,type="documentation"] in the _Amazon EKS API Reference_. +To enable an Amazon EKS cluster to use hybrid nodes, add the IP address CIDR ranges of your on-premises node and optionally pod network in the `RemoteNetworkConfig` configuration. EKS uses this list of CIDRs to enable connectivity between the cluster and your on-premises networks. For a full list of options when updating your cluster configuration, see the link:eks/latest/APIReference/API_UpdateClusterConfig.html[UpdateClusterConfig,type="documentation"] in the _Amazon EKS API Reference_. You can do any of the following actions to the EKS Hybrid Nodes networking configuration in a cluster: @@ -26,9 +26,25 @@ The following examples enable EKS Hybrid Nodes on an existing cluster and includ [#hybrid-nodes-cluster-enable-prep] == Prerequisites -* The <> completed. Before you create your hybrid nodes-enabled cluster, you must have your on-premises node and optionally pod CIDRs identified, your VPC and subnets created according to the EKS and hybrid nodes requirements, and your security group with inbound rules for your on-premises node and optionally pod CIDRs. For more information on these prerequisites, see <>. +* Before enabling your Amazon EKS cluster for hybrid nodes, ensure your environment meets the requirements outlined at <>, and detailed at <>, <>, and <>. * The latest version of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device. To check your current version, use `aws --version`. Package managers such yum, apt-get, or Homebrew for macOS are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/getting-started-install.html[Installing or updating to the last version of the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Configuring settings for the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. -* An link:IAM/latest/UserGuide/id_roles#iam-term-principal[IAM principal,type="documentation"] with permissions to create IAM roles and attach policies, and create and describe EKS clusters +* An link:IAM/latest/UserGuide/id_roles#iam-term-principal[IAM principal,type="documentation"] with permission to call link:eks/latest/APIReference/API_UpdateClusterConfig.html[UpdateClusterConfig,type="documentation"] on your Amazon EKS cluster. +* Update add-ons to versions that are compatible with hybrid nodes. For the add-ons versions that are compatible with hybrid nodes, see <>. +* If you are running add-ons that are not compatible with hybrid nodes, ensure that the add-on https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/[DaemonSet] or https://kubernetes.io/docs/concepts/workloads/controllers/deployment/[Deployment] has the following affinity rule to prevent deployment to hybrid nodes. Add the affinity rule if it is not already present. + +[source,yaml] +---- +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: eks.amazonaws.com/compute-type + operator: NotIn + values: + - hybrid +---- + [#hybrid-nodes-cluster-enable-consider] @@ -65,22 +81,21 @@ You can enable EKS Hybrid Nodes in an existing cluster by using: + [source,yaml,subs="verbatim,attributes"] ---- - RemoteNetworkConfig: - RemoteNodeNetworks: - - Cidrs: [RemoteNodeCIDR] - RemotePodNetworks: - - Cidrs: [RemotePodCIDR] +RemoteNetworkConfig: + RemoteNodeNetworks: + - Cidrs: [RemoteNodeCIDR] + RemotePodNetworks: + - Cidrs: [RemotePodCIDR] ---- -. Continue with <>. - +. Continue to <>. [#hybrid-nodes-cluster-enable-cli] === Enable EKS Hybrid Nodes in an existing cluster - {aws} CLI -. Run the following command to enable EKS Hybrid Nodes by updating an EKS cluster. Before running the command, replace the following with your desired settings. For a full list of settings, see the link:eks/latest/APIReference/API_UpdateClusterConfig.html[UpdateClusterConfig,type="documentation"] in the _Amazon EKS API Reference_. +. Run the following command to enable `RemoteNetworkConfig` for EKS Hybrid Nodes for your EKS cluster. Before running the command, replace the following with your desired settings. For a full list of settings, see the link:eks/latest/APIReference/API_UpdateClusterConfig.html[UpdateClusterConfig,type="documentation"] in the _Amazon EKS API Reference_. .. `CLUSTER_NAME`: name of the EKS cluster to update. -.. `AWS_REGION`: {aws} Region where the cluster is running. +.. `AWS_REGION`: {aws} Region where the EKS cluster is running. .. `REMOTE_NODE_CIDRS`: the on-premises node CIDR for your hybrid nodes. .. `REMOTE_POD_CIDRS` (optional): the on-premises pod CIDR for workloads running on hybrid nodes. .. Your on-premises node and pod CIDR blocks must meet the following requirements: @@ -105,7 +120,7 @@ aws eks describe-cluster \ --query "cluster.status" ---- -. Continue with <>. +. Continue to <>. [#hybrid-nodes-cluster-enable-console] @@ -118,11 +133,4 @@ aws eks describe-cluster \ . *Choose Configure remote networks to enable hybrid nodes* and specify your on-premises node and pod CIDRs for hybrid nodes. . Choose *Save changes* to finish. Wait for the cluster status to return to *Active*. -. Continue with <>. - - -== Next steps: Cluster setup - -If you enable EKS Hybrid Nodes on an existing cluster, remember to update any add-ons to versions that are compatible with hybrid nodes. For the add-ons versions that are compatible with hybrid nodes, see <>. Then, see <> to enable access for your hybrid nodes to join your cluster. - -As soon as the cluster is in the `Active` state, the cluster is using the updated cluster configuration. +. Continue to <>. From fa6bb8163f2f9ee69cf9be84299e88c919f70cf7 Mon Sep 17 00:00:00 2001 From: Eric Chapman Date: Tue, 1 Apr 2025 11:35:21 -0500 Subject: [PATCH 351/940] Update hybrid-nodes-cluster-update.adoc --- latest/ug/nodes/hybrid-nodes-cluster-update.adoc | 9 --------- 1 file changed, 9 deletions(-) diff --git a/latest/ug/nodes/hybrid-nodes-cluster-update.adoc b/latest/ug/nodes/hybrid-nodes-cluster-update.adoc index e1238a9af..ce18f1a07 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-update.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-update.adoc @@ -49,15 +49,6 @@ affinity: [#hybrid-nodes-cluster-enable-consider] == Considerations - -* Your cluster must use either `API` or `API_AND_CONFIG_MAP` for the cluster authentication mode. -* Your cluster must use IPv4 address family. -* Your cluster must use either Public or Private cluster endpoint connectivity. Your cluster cannot use “Public and Private” cluster endpoint connectivity, because the Amazon EKS Kubernetes API server endpoint will resolve to the public IPs for hybrid nodes running outside of your VPC. -* You must configure your remote pod CIDR if your CNI does not use Network Address Translation (NAT) or masquerading for pod IP addresses when pod traffic leaves your on-premises hosts. You must configure the remote pod CIDR if you are running webhooks on hybrid nodes. To learn more about these requirements, see <>. -* Your on-premises node and pod CIDR blocks must meet the following requirements: -.. Be within one of the IPv4 RFC-1918 ranges: `10.0.0.0/8`, `172.16.0.0/12`, or `192.168.0.0/16`. -.. Not overlap with each other, the `VPC CIDR` for your cluster, or your Kubernetes service IPv4 CIDR. - The `remoteNetworkConfig` JSON object has the following behavior during an update: * Any existing part of the configuration that you don't specify is unchanged. If you don't specify either of the `remoteNodeNetworks` or `remotePodNetworks`, that part will remain the same. From 4041719d90775194182deb726c563e91469db266 Mon Sep 17 00:00:00 2001 From: Eric Chapman Date: Tue, 1 Apr 2025 11:52:15 -0500 Subject: [PATCH 352/940] Update hybrid-nodes-cluster-update.adoc --- latest/ug/nodes/hybrid-nodes-cluster-update.adoc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/latest/ug/nodes/hybrid-nodes-cluster-update.adoc b/latest/ug/nodes/hybrid-nodes-cluster-update.adoc index ce18f1a07..e0bfd2132 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-update.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-update.adoc @@ -26,8 +26,11 @@ The following examples enable EKS Hybrid Nodes on an existing cluster and includ [#hybrid-nodes-cluster-enable-prep] == Prerequisites -* Before enabling your Amazon EKS cluster for hybrid nodes, ensure your environment meets the requirements outlined at <>, and detailed at <>, <>, and <>. * The latest version of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device. To check your current version, use `aws --version`. Package managers such yum, apt-get, or Homebrew for macOS are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/getting-started-install.html[Installing or updating to the last version of the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Configuring settings for the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. +* Before enabling your Amazon EKS cluster for hybrid nodes, ensure your environment meets the requirements outlined at <>, and detailed at <>, <>, and <>. +* Your cluster must use either API or API_AND_CONFIG_MAP for the cluster authentication mode. +* Your cluster must use IPv4 address family. +* It is recommended to use either public or private endpoint access for the Amazon EKS Kubernetes API server endpoint. If you choose “Public and Private”, the Amazon EKS Kubernetes API server endpoint will always resolve to the public IPs for hybrid nodes running outside of your VPC, which can prevent your hybrid nodes from joining the cluster. * An link:IAM/latest/UserGuide/id_roles#iam-term-principal[IAM principal,type="documentation"] with permission to call link:eks/latest/APIReference/API_UpdateClusterConfig.html[UpdateClusterConfig,type="documentation"] on your Amazon EKS cluster. * Update add-ons to versions that are compatible with hybrid nodes. For the add-ons versions that are compatible with hybrid nodes, see <>. * If you are running add-ons that are not compatible with hybrid nodes, ensure that the add-on https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/[DaemonSet] or https://kubernetes.io/docs/concepts/workloads/controllers/deployment/[Deployment] has the following affinity rule to prevent deployment to hybrid nodes. Add the affinity rule if it is not already present. From 0089ee1f82159980dc71b7341a6caa0dd3a1a68d Mon Sep 17 00:00:00 2001 From: Eric Chapman Date: Tue, 1 Apr 2025 12:08:12 -0500 Subject: [PATCH 353/940] Update hybrid-nodes-cluster-update.adoc --- .../ug/nodes/hybrid-nodes-cluster-update.adoc | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/latest/ug/nodes/hybrid-nodes-cluster-update.adoc b/latest/ug/nodes/hybrid-nodes-cluster-update.adoc index e0bfd2132..bd9e23b18 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-update.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-update.adoc @@ -17,9 +17,10 @@ To enable an Amazon EKS cluster to use hybrid nodes, add the IP address CIDR ran You can do any of the following actions to the EKS Hybrid Nodes networking configuration in a cluster: * Add remote node network configuration to enable EKS Hybrid Nodes in an existing cluster. -* Add, change, or remove the remote node networks. Remove all remote node network CIDR ranges to disable EKS Hybrid Nodes in an existing cluster. +* Add, change, or remove the remote node networks. +* Remove all remote node network CIDR ranges to disable EKS Hybrid Nodes in an existing cluster. * Add, change, or remove the optional remote pod networks. -* Remove all of the remote pod networks. +* Remove all of remote pod network CIDR ranges. The following examples enable EKS Hybrid Nodes on an existing cluster and include the optional remote pod network. @@ -28,13 +29,13 @@ The following examples enable EKS Hybrid Nodes on an existing cluster and includ * The latest version of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device. To check your current version, use `aws --version`. Package managers such yum, apt-get, or Homebrew for macOS are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/getting-started-install.html[Installing or updating to the last version of the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Configuring settings for the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. * Before enabling your Amazon EKS cluster for hybrid nodes, ensure your environment meets the requirements outlined at <>, and detailed at <>, <>, and <>. -* Your cluster must use either API or API_AND_CONFIG_MAP for the cluster authentication mode. * Your cluster must use IPv4 address family. -* It is recommended to use either public or private endpoint access for the Amazon EKS Kubernetes API server endpoint. If you choose “Public and Private”, the Amazon EKS Kubernetes API server endpoint will always resolve to the public IPs for hybrid nodes running outside of your VPC, which can prevent your hybrid nodes from joining the cluster. +* Your cluster must use either API or API_AND_CONFIG_MAP for the cluster authentication mode. The process for modifying the cluster authentication mode is described at <>. +* It is recommended to use either public or private endpoint access for the Amazon EKS Kubernetes API server endpoint. If you choose “Public and Private”, the Amazon EKS Kubernetes API server endpoint will always resolve to the public IPs for hybrid nodes running outside of your VPC, which can prevent your hybrid nodes from joining the cluster. The process for modifying network access to your cluster is described at <>. * An link:IAM/latest/UserGuide/id_roles#iam-term-principal[IAM principal,type="documentation"] with permission to call link:eks/latest/APIReference/API_UpdateClusterConfig.html[UpdateClusterConfig,type="documentation"] on your Amazon EKS cluster. * Update add-ons to versions that are compatible with hybrid nodes. For the add-ons versions that are compatible with hybrid nodes, see <>. -* If you are running add-ons that are not compatible with hybrid nodes, ensure that the add-on https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/[DaemonSet] or https://kubernetes.io/docs/concepts/workloads/controllers/deployment/[Deployment] has the following affinity rule to prevent deployment to hybrid nodes. Add the affinity rule if it is not already present. - +* If you are running add-ons that are not compatible with hybrid nodes, ensure that the add-on https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/[DaemonSet] or https://kubernetes.io/docs/concepts/workloads/controllers/deployment/[Deployment] has the following affinity rule to prevent deployment to hybrid nodes. Add the following affinity rule if it is not already present. ++ [source,yaml] ---- affinity: @@ -56,6 +57,9 @@ The `remoteNetworkConfig` JSON object has the following behavior during an updat * Any existing part of the configuration that you don't specify is unchanged. If you don't specify either of the `remoteNodeNetworks` or `remotePodNetworks`, that part will remain the same. * If you are modifying either the `remoteNodeNetworks` or `remotePodNetworks` lists of CIDRs, you must specify the complete list of CIDRs that you want in your final configuration. When you specify a change to either the `remoteNodeNetworks` or `remotePodNetworks` CIDR list, EKS replaces the original list during the update. +* Your on-premises node and pod CIDR blocks must meet the following requirements: +. Be within one of the IPv4 RFC-1918 ranges: 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16. +. Not overlap with each other, all CIDRs of the VPC for your Amazon EKS cluster, or your Kubernetes service IPv4 CIDR. [#hybrid-nodes-cluster-enable-existing] @@ -92,9 +96,6 @@ RemoteNetworkConfig: .. `AWS_REGION`: {aws} Region where the EKS cluster is running. .. `REMOTE_NODE_CIDRS`: the on-premises node CIDR for your hybrid nodes. .. `REMOTE_POD_CIDRS` (optional): the on-premises pod CIDR for workloads running on hybrid nodes. -.. Your on-premises node and pod CIDR blocks must meet the following requirements: -... Be within one of the IPv4 RFC-1918 ranges: `10.0.0.0/8`, `172.16.0.0/12`, or `192.168.0.0/16`. -... Not overlap with each other, all CIDRs of the VPC for your Amazon EKS cluster, or your Kubernetes service IPv4 CIDR. + [source,bash,subs="verbatim,attributes"] ---- From 317b7256c73d611a6b271a7fc031c7b6c7de5972 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Tue, 1 Apr 2025 13:57:25 -0500 Subject: [PATCH 354/940] Update auto-networking.adoc --- latest/ug/automode/auto-networking.adoc | 1 + 1 file changed, 1 insertion(+) diff --git a/latest/ug/automode/auto-networking.adoc b/latest/ug/automode/auto-networking.adoc index dda081ac0..b8c9a6631 100644 --- a/latest/ug/automode/auto-networking.adoc +++ b/latest/ug/automode/auto-networking.adoc @@ -36,6 +36,7 @@ EKS Auto Mode supports: * EKS Network Policies. * The `HostPort` and `HostNetwork` options for Kubernetes Pods. * Pods in public or private subnets. +* Caching DNS queries on the node. EKS Auto Mode does *not* support: From 94cbcbf646da515e57105484e1af056e57df9340 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Tue, 1 Apr 2025 14:04:59 -0500 Subject: [PATCH 355/940] Update auto-migrate-fargate.adoc --- latest/ug/automode/auto-migrate-fargate.adoc | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/latest/ug/automode/auto-migrate-fargate.adoc b/latest/ug/automode/auto-migrate-fargate.adoc index 35cc0b7da..7fdf9e71e 100644 --- a/latest/ug/automode/auto-migrate-fargate.adoc +++ b/latest/ug/automode/auto-migrate-fargate.adoc @@ -129,7 +129,7 @@ fargate-ip-192-168-117-130.ec2.internal Ready 36s v1.30.8-eks-2d5f260 1 fargate-ip-192-168-74-140.ec2.internal Ready 36s v1.30.8-eks-2d5f260 192.168.74.140 Amazon Linux 2 5.10.234-225.910.amzn2.x86_64 containerd://1.7.25 ---- -### Step 2: Enable EKS Auto Mode on the cluster +## Step 2: Enable EKS Auto Mode on the cluster . Enable EKS Auto Mode on your existing cluster using the {aws} CLI or Management Console. For more information, see <>. . Check the nodepool: @@ -146,7 +146,7 @@ general-purpose default 1 True 6m58s system default 0 True 3d14h ---- -### Step 3: Update workloads for migration +## Step 3: Update workloads for migration Identify and update the workloads you want to migrate to EKS Auto Mode. @@ -216,12 +216,12 @@ NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTE i-0845aafcb51630ffb Ready 3m30s v1.30.8-eks-3c20087 192.168.41.125 3.81.118.95 Bottlerocket (EKS Auto) 2025.3.14 (aws-k8s-1.30) 6.1.129 containerd://1.7.25+bottlerocket ---- -### Step 4: Gradually migrate workloads +## Step 4: Gradually migrate workloads Repeat Step 3 for each workload you want to migrate. This allows you to move workloads individually or in groups, based on your requirements and risk tolerance. -### Step 5: Remove the original fargate profile +## Step 5: Remove the original fargate profile Once all workloads have been migrated, you can remove the original `fargate` profile. Replace [.replaceable]`` with the name of your Fargate profile: @@ -231,7 +231,7 @@ Replace [.replaceable]`` with the name of your Fargate pro aws eks delete-fargate-profile --cluster-name eks-fargate-demo-cluster --fargate-profile-name ---- -### Step 6: Scale down CoreDNS +## Step 6: Scale down CoreDNS Because EKS Auto mode handles CoreDNS, you scale the `coredns` deployment down to 0: From 35dc08da7fe6b7b3393f944559994571d564bfe9 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Tue, 1 Apr 2025 14:08:55 -0500 Subject: [PATCH 356/940] Update migrate-auto.adoc --- latest/ug/automode/migrate-auto.adoc | 1 + 1 file changed, 1 insertion(+) diff --git a/latest/ug/automode/migrate-auto.adoc b/latest/ug/automode/migrate-auto.adoc index c1dfbfc4d..5006737d3 100644 --- a/latest/ug/automode/migrate-auto.adoc +++ b/latest/ug/automode/migrate-auto.adoc @@ -21,6 +21,7 @@ EKS Auto Mode requires Kubernetes version 1.29 or greater. EKS Auto Mode isn't a * Migrating from Karpenter to EKS Auto Mode nodes. For more information, see <>. * Migrating from EKS Managed Node Groups to EKS Auto Mode nodes. For more information, see <>. +* Migrating from EKS Fargate to EKS Auto Mode. For more information, see <>. *{aws} does not support the following migrations:* From 23af5a5a0de855ec3bac722c4d0d39f1703a74c6 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Wed, 2 Apr 2025 16:27:43 -0500 Subject: [PATCH 357/940] Add CIS report steps for Auto Mode (#958) * init draft * fixup * Update auto-cis.adoc --- latest/ug/automode/auto-cis.adoc | 64 +++++++++++++++++++++++++++ latest/ug/automode/settings-auto.adoc | 3 ++ 2 files changed, 67 insertions(+) create mode 100644 latest/ug/automode/auto-cis.adoc diff --git a/latest/ug/automode/auto-cis.adoc b/latest/ug/automode/auto-cis.adoc new file mode 100644 index 000000000..9d945069b --- /dev/null +++ b/latest/ug/automode/auto-cis.adoc @@ -0,0 +1,64 @@ +include::../attributes.txt[] + +[.topic] +[#auto-cis] += Generate CIS compliance reports from Kubernetes nodes using kubectl debug +:info_titleabbrev: Generate CIS report + +This topic describes how to generate CIS (Center for Internet Security) compliance reports for Amazon EKS nodes using the `kubectl debug` command. + +The command allows you to temporarily create a debugging container on a Kubernetes node and run CIS compliance checks using the `apiclient` tool. The `apiclient` tool is part of Bottlerocket OS, the OS used by EKS Auto Mode nodes. + +== Prerequisites + +Before you begin, ensure you have: + +* Access to an Amazon EKS cluster with kubectl configured +* The appropriate IAM permissions to debug nodes +* A valid profile that allows debug operations (e.g., `sysadmin`) +** For more information about using debugging profiles with `kubectl, see https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/#debugging-profiles[Debugging a Pod or Node while applying a profile] in the Kubernetes documentation. + +== Procedure + +. Determine the {aws} Instance ID of the node you want to run the report on +** Use the following command to list the nodes in the cluster. The instance ID is found in the name column, and begins with `i-`. ++ +[source,bash] +---- +kubectl get nodes +---- +. Run the following command, with the identified instance ID. ++ +[source,bash] +---- +kubectl debug node/ -it --profile=sysadmin --image=public.ecr.aws/amazonlinux/amazonlinux:2023 -- bash -c "yum install -q -y util-linux-core; nsenter -t 1 -m apiclient report cis --level 1 --format text" +---- +. Review the report text output + +== Command components + +* `kubectl debug node/` -- Creates a debugging session on the specified EC2 instance ID. +* `-it` -- Allocates a TTY and keeps stdin open for interactive usage. +* `--profile=sysadmin` -- Uses the specified kubectl profile with appropriate permissions. +* `--image=public.ecr.aws/amazonlinux/amazonlinux:2023` -- Uses Amazon Linux 2023 as the container image for debugging. +* `bash -c "..."` -- Executes the following commands in a bash shell. +** `yum install -q -y util-linux-core` -- Quietly installs the required utilities package. +** `nsenter -t 1 -m` -- Enters the namespace of the host process (PID 1). +** `apiclient report cis --level 1 --format text` -- Runs the CIS compliance report at level 1 with text output. + +== Understanding the output + +The command generates a text-based report showing the compliance status of various CIS controls. The output includes: + +* Individual CIS control IDs +* Description of each control +* Pass/Fail status for each check +* Details that explain any compliance issues + +For information about the benchmark, see https://www.cisecurity.org/benchmark/kubernetes/[Kubernetes Benchmark] from the Center for Internet Security (CIS). + +== Related resources + +* https://bottlerocket.dev/en/os/1.34.x/api/reporting/cis/[Bottlerocket CIS Benchmark] in Bottlerocket OS Documentation. +* https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/[Debug Running Pods] in the Kubernetes Documentation. +* https://www.cisecurity.org/benchmark/kubernetes/[Kubernetes Benchmark] from the Center for Internet Security (CIS) diff --git a/latest/ug/automode/settings-auto.adoc b/latest/ug/automode/settings-auto.adoc index 067012410..0f5e064ab 100644 --- a/latest/ug/automode/settings-auto.adoc +++ b/latest/ug/automode/settings-auto.adoc @@ -107,3 +107,6 @@ include::auto-net-pol.adoc[leveloffset=+1] include::tag-subnets-auto.adoc[leveloffset=+1] include::auto-accelerated.adoc[leveloffset=+1] + +include::auto-cis.adoc[leveloffset=+1] + From c92a5275be5c7aabb6566d3076a78d3e12d1a85b Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Wed, 2 Apr 2025 19:23:21 -0500 Subject: [PATCH 358/940] Update what-is-eks.adoc (#962) * Update what-is-eks.adoc * Update what-is-eks.adoc --- latest/ug/what-is/what-is-eks.adoc | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index 8a55da9d3..43cb6e58a 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -13,6 +13,18 @@ Amazon Elastic Kubernetes Service (Amazon EKS) is the premiere platform for runn Amazon EKS simplifies building, securing, and maintaining Kubernetes clusters. It can be more cost effective at providing enough resources to meet peak demand than maintaining your own data centers. Two of the main approaches to using Amazon EKS are as follows: +## Amazon EKS: Simplified Kubernetes Management + +Amazon Elastic Kubernetes Service (EKS) provides a fully managed Kubernetes service that eliminates the complexity of operating Kubernetes clusters. With EKS, you can: + + +* Deploy applications faster with less operational overhead +* Scale seamlessly to meet changing workload demands +* Improve security through {aws} integration and automated updates +* Choose between standard EKS or fully automated xref:automode[EKS Auto Mode] + + + * **EKS standard**: {aws} manages the https://kubernetes.io/docs/concepts/overview/components/#control-plane-components[Kubernetes control plane] when you create a cluster with EKS. Components that manage nodes, schedule workloads, integrate with the {aws} cloud, and store and scale control plane information to keep your clusters up and running, are handled for you automatically. * **EKS Auto Mode**: Using the <> feature, EKS extends its control to manage https://kubernetes.io/docs/concepts/overview/components/#node-components[Nodes] (Kubernetes data plane) as well. From 0d6c3daf81c294b1839a80f52aa204d01bdb06bf Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Thu, 3 Apr 2025 00:27:18 +0000 Subject: [PATCH 359/940] Revert "Update what-is-eks.adoc (#962)" This reverts commit c92a5275be5c7aabb6566d3076a78d3e12d1a85b. --- latest/ug/what-is/what-is-eks.adoc | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index 43cb6e58a..8a55da9d3 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -13,18 +13,6 @@ Amazon Elastic Kubernetes Service (Amazon EKS) is the premiere platform for runn Amazon EKS simplifies building, securing, and maintaining Kubernetes clusters. It can be more cost effective at providing enough resources to meet peak demand than maintaining your own data centers. Two of the main approaches to using Amazon EKS are as follows: -## Amazon EKS: Simplified Kubernetes Management - -Amazon Elastic Kubernetes Service (EKS) provides a fully managed Kubernetes service that eliminates the complexity of operating Kubernetes clusters. With EKS, you can: - - -* Deploy applications faster with less operational overhead -* Scale seamlessly to meet changing workload demands -* Improve security through {aws} integration and automated updates -* Choose between standard EKS or fully automated xref:automode[EKS Auto Mode] - - - * **EKS standard**: {aws} manages the https://kubernetes.io/docs/concepts/overview/components/#control-plane-components[Kubernetes control plane] when you create a cluster with EKS. Components that manage nodes, schedule workloads, integrate with the {aws} cloud, and store and scale control plane information to keep your clusters up and running, are handled for you automatically. * **EKS Auto Mode**: Using the <> feature, EKS extends its control to manage https://kubernetes.io/docs/concepts/overview/components/#node-components[Nodes] (Kubernetes data plane) as well. From 1e437ed8d3d3d4f79e8e24653b199ba726d94c94 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Wed, 2 Apr 2025 19:38:58 -0500 Subject: [PATCH 360/940] Update what-is-eks.adoc (#963) * Update what-is-eks.adoc * Update what-is-eks.adoc --- latest/ug/what-is/what-is-eks.adoc | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index 8a55da9d3..0f7ab7ac2 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -11,6 +11,18 @@ Learn to manage containerized applications with Amazon EKS Amazon Elastic Kubernetes Service (Amazon EKS) is the premiere platform for running https://kubernetes.io/docs/concepts/overview/[Kubernetes] clusters, both in the Amazon Web Services ({aws}) cloud and in your own data centers (https://anywhere.eks.amazonaws.com/[EKS Anywhere] and <>). +## Amazon EKS: Simplified Kubernetes Management + +Amazon Elastic Kubernetes Service (EKS) provides a fully managed Kubernetes service that eliminates the complexity of operating Kubernetes clusters. With EKS, you can: + + +* Deploy applications faster with less operational overhead +* Scale seamlessly to meet changing workload demands +* Improve security through {aws} integration and automated updates +* Choose between standard EKS or fully automated xref:automode[EKS Auto Mode] + + + Amazon EKS simplifies building, securing, and maintaining Kubernetes clusters. It can be more cost effective at providing enough resources to meet peak demand than maintaining your own data centers. Two of the main approaches to using Amazon EKS are as follows: * **EKS standard**: {aws} manages the https://kubernetes.io/docs/concepts/overview/components/#control-plane-components[Kubernetes control plane] when you create a cluster with EKS. Components that manage nodes, schedule workloads, integrate with the {aws} cloud, and store and scale control plane information to keep your clusters up and running, are handled for you automatically. From 69c6bbe767b9627828dadf8c73fc60d2dea27a52 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Thu, 3 Apr 2025 18:59:47 -0500 Subject: [PATCH 361/940] Update create-node-pool.adoc --- latest/ug/automode/create-node-pool.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/automode/create-node-pool.adoc b/latest/ug/automode/create-node-pool.adoc index 86d2cf2d4..a5e0bf02b 100644 --- a/latest/ug/automode/create-node-pool.adoc +++ b/latest/ug/automode/create-node-pool.adoc @@ -133,7 +133,7 @@ EKS Auto Mode supports the following well known labels. |Number of CPUs on the instance |eks.amazonaws.com/instance-cpu-manufacturer -|aws +|`aws` |Name of the CPU manufacturer |eks.amazonaws.com/instance-memory From d82e2b36fb96645323044f1c461fe2ccfceeb20c Mon Sep 17 00:00:00 2001 From: Todd Neal Date: Thu, 3 Apr 2025 19:33:00 -0500 Subject: [PATCH 362/940] be more specific about Node replacement occuring due to AMI drift (#964) --- latest/ug/automode/create-node-pool.adoc | 1 + 1 file changed, 1 insertion(+) diff --git a/latest/ug/automode/create-node-pool.adoc b/latest/ug/automode/create-node-pool.adoc index a5e0bf02b..97c2cd557 100644 --- a/latest/ug/automode/create-node-pool.adoc +++ b/latest/ug/automode/create-node-pool.adoc @@ -221,6 +221,7 @@ By default, EKS Auto Mode: - Consolidates underutilized instances. - Terminates instances after 720 hours. - Sets a single disruption budget of 10% of nodes. +- Allows Nodes to be replaced due to drift when a new Auto Mode AMI is released, which occurs roughly once per week. == Termination Grace Period From 66cce6d9edd3b3f903bc9025669b7e57fb8daea6 Mon Sep 17 00:00:00 2001 From: guessi Date: Fri, 4 Apr 2025 08:34:03 +0800 Subject: [PATCH 363/940] Helm is now on "main" branch (#960) --- latest/ug/cluster-management/helm.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/cluster-management/helm.adoc b/latest/ug/cluster-management/helm.adoc index ac6303cfc..4211faf63 100644 --- a/latest/ug/cluster-management/helm.adoc +++ b/latest/ug/cluster-management/helm.adoc @@ -41,7 +41,7 @@ choco install kubernetes-helm + [source,bash,subs="verbatim,attributes"] ---- -curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 > get_helm.sh +curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 chmod 700 get_helm.sh ./get_helm.sh ---- From af9f43d80c4d209b5ea0e631c5d057bad0e38a3b Mon Sep 17 00:00:00 2001 From: csplinter Date: Thu, 3 Apr 2025 17:42:19 -0500 Subject: [PATCH 364/940] minor improvements to hybrid nodes nodeadm reference, flatten TOC --- latest/ug/nodes/hybrid-nodes-nodeadm.adoc | 345 +++++++++++----------- 1 file changed, 177 insertions(+), 168 deletions(-) diff --git a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc index 8d65f279e..49a213a54 100644 --- a/latest/ug/nodes/hybrid-nodes-nodeadm.adoc +++ b/latest/ug/nodes/hybrid-nodes-nodeadm.adoc @@ -10,51 +10,57 @@ include::../attributes.txt[] Hybrid nodes nodeadm reference -- -The Amazon EKS Hybrid Nodes CLI (`nodeadm`) used for hybrid nodes lifecycle management differs from the `nodeadm` version used for bootstrapping Amazon EC2 instances as nodes in Amazon EKS clusters. Follow the documentation and references for the appropriate `nodeadm` version. This documentation page is for the hybrid nodes `nodeadm` version and the hybrid nodes `nodeadm` version is available in the https://github.com/aws/eks-hybrid[eks-hybrid repository on GitHub]. See the https://awslabs.github.io/amazon-eks-ami/nodeadm/[nodeadm - Amazon EKS AMI documentation] for the `nodeadm` version used for Amazon EC2 instances. +The Amazon EKS Hybrid Nodes CLI (`nodeadm`) simplifies the installation, configuration, registration, and uninstallation of the hybrid nodes components. You can include `nodeadm` in your operating system images to automate hybrid node bootstrap, see <> for more information. + +The `nodeadm` version for hybrid nodes differs from the `nodeadm` version used for bootstrapping Amazon EC2 instances as nodes in Amazon EKS clusters. Follow the documentation and references for the appropriate `nodeadm` version. This documentation page is for the hybrid nodes `nodeadm` version. + +The source code for the hybrid nodes `nodeadm` is published in the https://github.com/aws/eks-hybrid +GitHub repository. + +[IMPORTANT] +==== +You must run `nodeadm` with a user that has root/sudo privileges. +==== == Download `nodeadm` The hybrid nodes version of `nodeadm` is hosted in Amazon S3 fronted by Amazon CloudFront. To install `nodeadm` on each on-premises host, you can run the following command from your on-premises hosts. -*For x86_64 hosts:* -[source,yaml,subs="verbatim,attributes"] +*For x86_64 hosts* +[source,bash,subs="verbatim,attributes"] ---- curl -OL 'https://hybrid-assets.eks.amazonaws.com/releases/latest/bin/linux/amd64/nodeadm' ---- *For ARM hosts* -[source,yaml,subs="verbatim,attributes"] +[source,bash,subs="verbatim,attributes"] ---- curl -OL 'https://hybrid-assets.eks.amazonaws.com/releases/latest/bin/linux/arm64/nodeadm' ---- Add executable file permission to the downloaded binary on each host. -[source,yaml,subs="verbatim,attributes"] +[source,bash,subs="verbatim,attributes"] ---- chmod +x nodeadm ---- -== Commands +== `nodeadm install` -[IMPORTANT] -==== -You must run `nodeadm` with a user that has root/sudo privileges. -==== - -=== Install - -The `install` command is used to install the artifacts and dependencies required to run and join hybrid nodes to an Amazon EKS cluster. The `install` command can be run individually on each hybrid node or can be run during image build pipelines to preinstall the hybrid nodes dependencies in operating system images. +The `nodeadm install` command is used to install the artifacts and dependencies required to run and join hybrid nodes to an Amazon EKS cluster. The `nodeadm install` command can be run individually on each hybrid node or can be run during image build pipelines to preinstall the hybrid nodes dependencies in operating system images. -==== Usage +*Usage* -`nodeadm install [KUBERNETES_VERSION] [flags]` +[source,bash,subs="verbatim,attributes"] +---- +nodeadm install [KUBERNETES_VERSION] [flags] +---- -==== Positional Arguments +*Positional Arguments* -(Required) `KUBERNETES_VERSION` The major.minor version of EKS Kubernetes to install, for example `1.31` +(Required) `KUBERNETES_VERSION` The major.minor version of EKS Kubernetes to install, for example `1.32` -==== Flags +*Flags* [cols="1,1,1", options="header"] |=== @@ -99,90 +105,41 @@ The `install` command is used to install the artifacts and dependencies required |Displays help message with available flag, subcommand and positional value parameters. |=== -==== Examples +*Examples* -Install Kubernetes version `1.31` with {aws} Systems Manager (SSM) as the credential provider +Install Kubernetes version `1.32` with {aws} Systems Manager (SSM) as the credential provider [source,bash,subs="verbatim,attributes"] ---- -nodeadm install 1.31 --credential-provider ssm +nodeadm install 1.32 --credential-provider ssm ---- -Install Kubernetes version `1.31` with {aws} Systems Manager (SSM) as the credential provider, Docker as the containerd source, with a download timeout of 20 minutes. +Install Kubernetes version `1.32` with {aws} Systems Manager (SSM) as the credential provider, Docker as the containerd source, with a download timeout of 20 minutes. [source,bash,subs="verbatim,attributes"] ---- -nodeadm install 1.31 --credential-provider ssm --containerd-source docker --timeout 20m +nodeadm install 1.32 --credential-provider ssm --containerd-source docker --timeout 20m ---- -Install Kubernetes version `1.31` with {aws} IAM Roles Anywhere as the credential provider +Install Kubernetes version `1.32` with {aws} IAM Roles Anywhere as the credential provider [source,bash,subs="verbatim,attributes"] ---- -nodeadm install 1.31 --credential-provider iam-ra +nodeadm install 1.32 --credential-provider iam-ra ---- -==== Files installed - -[cols="1,1", options="header"] -|=== - -|Artifact -|Path - -|IAM Roles Anywhere CLI -|/usr/local/bin/aws_signing_helper - -|Kubelet binary -|/usr/bin/kubelet +== `nodeadm config check` -|Kubectl binary -|usr/local/bin/kubectl +The `nodeadm config check` command checks the provided node configuration for errors. This command can be used to verify and validate the correctness of a hybrid node configuration file. -|ECR Credentials Provider -|/etc/eks/image-credential-provider/ecr-credential-provider - -|{aws} IAM Authenticator -|/usr/local/bin/aws-iam-authenticator - -|SSM Setup CLI -|/opt/ssm/ssm-setup-cli - -|SSM Agent -|On Ubuntu - /snap/amazon-ssm-agent/current/amazon-ssm-agent - -On RHEL & AL2023 - /usr/bin/amazon-ssm-agent - -|Containerd -|On Ubuntu & AL2023 - /usr/bin/containerd - -On RHEL - /bin/containerd - -|Iptables -|On Ubuntu & AL2023 - /usr/sbin/iptables - -On RHEL - /sbin/iptables - -|CNI plugins -|/opt/cni/bin - -|installed artifacts tracker -|/opt/nodeadm/tracker - -|=== - -=== Config check - -The `config check` command checks the provided node configuration for errors. This command can be used to verify and validate the correctness of a hybrid node configuration file. - -==== Usage +*Usage* [source,bash,subs="verbatim,attributes"] ---- nodeadm config check [flags] ---- -==== Flags +*Flags* [cols="1,1,1", options="header"] |=== @@ -203,25 +160,25 @@ nodeadm config check [flags] |Displays help message with available flag, subcommand and positional value parameters. |=== -==== Examples +*Examples* [source,bash,subs="verbatim,attributes"] ---- -nodeadm config check --config-source file:///root/nodeConfig.yaml +nodeadm config check -c file://nodeConfig.yaml ---- -=== Init +== `nodeadm init` -The `init` command starts and connects the hybrid node with the configured Amazon EKS cluster. +The `nodeadm init` command starts and connects the hybrid node with the configured Amazon EKS cluster. See <> or <> for details of how to configure the `nodeConfig.yaml` file. -==== Usage +*Usage* [source,bash,subs="verbatim,attributes"] ---- nodeadm init [flags] ---- -==== Flags +*Flags* [cols="1,1,1", options="header"] |=== @@ -253,87 +210,29 @@ nodeadm init [flags] |Displays help message with available flag, subcommand and positional value parameters. |=== - -==== Examples +*Examples* [source,bash,subs="verbatim,attributes"] ---- -nodeadm init --config-source file://root/nodeConfig.yaml +nodeadm init -c file://nodeConfig.yaml ---- -==== Files installed - -[cols="1,1", options="header"] -|=== - -|Name -|Path - -|Kubelet kubeconfig -|/var/lib/kubelet/kubeconfig - -|Kubelet config -|/etc/kubernetes/kubelet/config.json - -|Kubelet systemd unit -|/etc/systemd/system/kubelet.service - -|Image credentials provider config -|/etc/eks/image-credential-provider/config.json - -|Kubelet env file -|/etc/eks/kubelet/environment - -|Kubelet Certs -|/etc/kubernetes/pki/ca.crt - -|Containerd config -|/etc/containerd/config.toml - -|Containerd kernel modules config -|/etc/modules-load.d/contianerd.conf - -|{aws} config file -|/etc/aws/hybrid/config - -|{aws} credentials file (if enable credentials file) -|/eks-hybrid/.aws/credentials - -|{aws} signing helper system unit -|/etc/systemd/system/aws_signing_helper_update.service - -|Sysctl conf file -|/etc/sysctl.d/99-nodeadm.conf - -|Apt manager files for docker repo (if containerd source is docker) -| - -|Ca-certificates -|/etc/ssl/certs/ca-certificates.crt - -|Gpg key file -|/etc/apt/keyrings/docker.asc - -|Docker repo source file -|/etc/apt/sources.list.d/docker.list -|=== - -=== Upgrade +== `nodeadm upgrade` The `nodeadm upgrade` command upgrades all the installed artifacts to the latest version and bootstraps the node to configure the upgraded artifacts and join the EKS cluster on {aws}. Upgrade is a disruptive command to the workloads running on the node. Please move your workloads to another node before running upgrade. -==== Usage +*Usage* [source,bash,subs="verbatim,attributes"] ---- nodeadm upgrade [KUBERNETES_VERSION] [flags] ---- -==== Positional Arguments +*Positional Arguments* -(Required) `KUBERNETES_VERSION` The major.minor version of EKS Kubernetes to install, for example `1.31` +(Required) `KUBERNETES_VERSION` The major.minor version of EKS Kubernetes to install, for example `1.32` -==== Flags +*Flags* [cols="1,1,1", options="header"] |=== @@ -373,30 +272,30 @@ nodeadm upgrade [KUBERNETES_VERSION] [flags] |Displays help message with available flag, subcommand and positional value parameters. |=== -==== Examples +*Examples* [source,bash,subs="verbatim,attributes"] ---- -nodeadm upgrade 1.31 --config-source file:///root/nodeConfig.yaml +nodeadm upgrade 1.32 -c file://nodeConfig.yaml ---- [source,bash,subs="verbatim,attributes"] ---- -nodeadm upgrade 1.31 --config-source file:///root/nodeConfig.yaml --timeout 20m +nodeadm upgrade 1.32 -c file://nodeConfig.yaml --timeout 20m ---- -=== Uninstall +== `nodeadm uninstall` The `nodeadm uninstall` command stops and removes the artifacts `nodeadm` installs during `nodeadm install`, including the kubelet and containerd. Note, the uninstall command does not drain or delete your hybrid nodes from your cluster. You must run the drain and delete operations separately, see <> for more information. By default, `nodeadm uninstall` will not proceed if there are pods remaining on the node. Similarly, `nodeadm uninstall` does not remove CNI dependencies or dependencies of other Kubernetes add-ons you run on your cluster. To fully remove the CNI installation from your host, see the instructions at <>. If you are using {aws} SSM hybrid activations as your on-premises credentials provider, the `nodeadm uninstall` command deregisters your hosts as {aws} SSM managed instances. -==== Usage +*Usage* [source,bash,subs="verbatim,attributes"] ---- nodeadm uninstall [flags] ---- -==== Flags +*Flags* [cols="1,1,1", options="header"] |=== @@ -417,7 +316,7 @@ nodeadm uninstall [flags] `node-validation` skips checking if the node has been cordoned. -`init-validation` skips checking if the node has been initialized successfully before running upgrade. +`init-validation` skips checking if the node has been initialized successfully before running uninstall. |`-h`, @@ -426,7 +325,7 @@ nodeadm uninstall [flags] |Displays help message with available flag, subcommand and positional value parameters. |=== -==== Examples +*Examples* [source,bash,subs="verbatim,attributes"] ---- @@ -438,7 +337,7 @@ nodeadm uninstall nodeadm uninstall --skip node-validation,pod-validation ---- -=== Debug +== `nodeadm debug` The `nodeadm debug` command can be used to troubleshoot unhealthy or misconfigured hybrid nodes. It validates the following requirements are in-place. @@ -449,13 +348,14 @@ The `nodeadm debug` command can be used to troubleshoot unhealthy or misconfigur If errors are found, the command's output suggests troubleshooting steps. Certain validation steps show child processes. If these fail, the output is showed in a stderr section under the validation error. -==== Usage +*Usage* + [source,yaml,subs="verbatim,attributes"] ---- nodeadm debug [flags] ---- -==== Flags +*Flags* [cols="1,1,1", options="header"] |=== @@ -477,15 +377,123 @@ nodeadm debug [flags] |Displays help message with available flag, subcommand and positional value parameters. |=== -==== Examples +*Examples* [source,yaml,subs="verbatim,attributes"] ---- -nodeadm debug --config-source file://nodeConfig.yaml +nodeadm debug -c file://nodeConfig.yaml ---- -== Node Config API Reference +== Nodeadm file locations + +=== nodeadm install + +When running `nodeadm install`, the following files and file locations are configured. + +[cols="1,1", options="header"] +|=== + +|Artifact +|Path + +|IAM Roles Anywhere CLI +|/usr/local/bin/aws_signing_helper + +|Kubelet binary +|/usr/bin/kubelet + +|Kubectl binary +|usr/local/bin/kubectl + +|ECR Credentials Provider +|/etc/eks/image-credential-provider/ecr-credential-provider + +|{aws} IAM Authenticator +|/usr/local/bin/aws-iam-authenticator + +|SSM Setup CLI +|/opt/ssm/ssm-setup-cli + +|SSM Agent +|On Ubuntu - /snap/amazon-ssm-agent/current/amazon-ssm-agent + +On RHEL & AL2023 - /usr/bin/amazon-ssm-agent + +|Containerd +|On Ubuntu & AL2023 - /usr/bin/containerd + +On RHEL - /bin/containerd + +|Iptables +|On Ubuntu & AL2023 - /usr/sbin/iptables + +On RHEL - /sbin/iptables + +|CNI plugins +|/opt/cni/bin + +|installed artifacts tracker +|/opt/nodeadm/tracker + +|=== + +=== nodeadm init + +When running `nodeadm init`, the following files and file locations are configured. + +[cols="1,1", options="header"] +|=== + +|Name +|Path + +|Kubelet kubeconfig +|/var/lib/kubelet/kubeconfig + +|Kubelet config +|/etc/kubernetes/kubelet/config.json + +|Kubelet systemd unit +|/etc/systemd/system/kubelet.service + +|Image credentials provider config +|/etc/eks/image-credential-provider/config.json + +|Kubelet env file +|/etc/eks/kubelet/environment + +|Kubelet Certs +|/etc/kubernetes/pki/ca.crt + +|Containerd config +|/etc/containerd/config.toml + +|Containerd kernel modules config +|/etc/modules-load.d/contianerd.conf + +|{aws} config file +|/etc/aws/hybrid/config + +|{aws} credentials file (if enable credentials file) +|/eks-hybrid/.aws/credentials + +|{aws} signing helper system unit +|/etc/systemd/system/aws_signing_helper_update.service + +|Sysctl conf file +|/etc/sysctl.d/99-nodeadm.conf + +|Ca-certificates +|/etc/ssl/certs/ca-certificates.crt + +|Gpg key file +|/etc/apt/keyrings/docker.asc + +|Docker repo source file +|/etc/apt/sources.list.d/docker.list +|=== -*{aws} SSM hybrid activations* +[#hybrid-nodes-node-config-ssm] +== Node Config for SSM hybrid activations The following is a sample `nodeConfig.yaml` when using {aws} SSM hybrid activations for hybrid nodes credentials. @@ -503,7 +511,8 @@ spec: activationId: # SSM hybrid activation id ---- -*{aws} IAM Roles Anywhere* +[#hybrid-nodes-node-config-iamra] +== Node Config for IAM Roles Anywhere The following is a sample `nodeConfig.yaml` for {aws} IAM Roles Anywhere for hybrid nodes credentials. @@ -527,7 +536,7 @@ spec: privateKeyPath: # Path to the private key file for the certificate ---- -=== (Optional) Kubelet configuration +== Node Config for customizing kubelet (Optional) You can pass kubelet configuration and flags in your `nodeadm` configuration. See the example below for how to add an additional node label `abc.amazonaws.com/test-label` and config for setting `shutdownGracePeriod` to 30 seconds. @@ -550,7 +559,7 @@ spec: activationId: # SSM hybrid activation id ---- -=== (Optional) Containerd configuration +== Node Config for customizing containerd (Optional) You can pass custom containerd configuration in your `nodeadm` configuration. The containerd configuration for `nodeadm` accepts in-line TOML. See the example below for how to configure containerd to disable deletion of unpacked image layers in the containerd content store. From 352b49cdef4b421752031143e788f6449b5e54bc Mon Sep 17 00:00:00 2001 From: "Yu Xiang Z." Date: Fri, 4 Apr 2025 11:35:25 -0400 Subject: [PATCH 365/940] Fixed table display in single column --- latest/ug/automode/tag-subnets-auto.adoc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/latest/ug/automode/tag-subnets-auto.adoc b/latest/ug/automode/tag-subnets-auto.adoc index 89109ca12..61ba6f458 100644 --- a/latest/ug/automode/tag-subnets-auto.adoc +++ b/latest/ug/automode/tag-subnets-auto.adoc @@ -24,6 +24,7 @@ At this time, subnets used for load balancing by EKS Auto Mode are required to h === Public subnets Public subnets are used for internet-facing load balancers. These subnets must have the following tags: +[cols="1,1"] |=== |Key |Value @@ -35,6 +36,7 @@ Public subnets are used for internet-facing load balancers. These subnets must h === Private subnets Private subnets are used for internal load balancers. These subnets must have the following tags: +[cols="1,1"] |=== |Key |Value @@ -77,4 +79,4 @@ aws ec2 create-tags \ --tags Key=kubernetes.io/role/internal-elb,Value=1 ---- -Replace `subnet-ID` with your actual subnet ID. \ No newline at end of file +Replace `subnet-ID` with your actual subnet ID. From f3c3d195cbbd80325e42196829c0073876eed409 Mon Sep 17 00:00:00 2001 From: Eric Chapman Date: Mon, 31 Mar 2025 16:44:31 -0500 Subject: [PATCH 366/940] Hybrid add-ons update --- latest/ug/nodes/hybrid-nodes-add-ons.adoc | 3 +++ .../workloads/workloads-add-ons-available-eks.adoc | 14 +++++++------- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/latest/ug/nodes/hybrid-nodes-add-ons.adoc b/latest/ug/nodes/hybrid-nodes-add-ons.adoc index e9ae69fe2..b660e26eb 100644 --- a/latest/ug/nodes/hybrid-nodes-add-ons.adoc +++ b/latest/ug/nodes/hybrid-nodes-add-ons.adoc @@ -34,6 +34,9 @@ The following {aws} add-ons are compatible with Amazon EKS Hybrid Nodes. |EKS Pod Identity Agent |v1.3.3-eksbuild.1 and above +|Node monitoring agent +|v1.2.0-eksbuild.1 and above + |CSI snapshot controller |v8.1.0-eksbuild.1 and above |=== diff --git a/latest/ug/workloads/workloads-add-ons-available-eks.adoc b/latest/ug/workloads/workloads-add-ons-available-eks.adoc index f68b99762..a7c032fef 100644 --- a/latest/ug/workloads/workloads-add-ons-available-eks.adoc +++ b/latest/ug/workloads/workloads-add-ons-available-eks.adoc @@ -28,11 +28,11 @@ You can use any of the following Amazon EKS add-ons. | A flexible, extensible DNS server that can serve as the Kubernetes cluster DNS |<> -|EC2, Fargate, EKS Auto Mode, Amazon EKS Hybrid Nodes +|EC2, Fargate, EKS Auto Mode, EKS Hybrid Nodes |Maintain network rules on each Amazon EC2 node |<> -|EC2, Amazon EKS Hybrid Nodes +|EC2, EKS Hybrid Nodes |Provide Amazon EBS storage for your cluster |<> @@ -48,11 +48,11 @@ You can use any of the following Amazon EKS add-ons. |Detect additional node health issues |<> -|EC2 +|EC2, EKS Hybrid Nodes |Enable the use of snapshot functionality in compatible CSI drivers, such as the Amazon EBS CSI driver |<> -|EC2, Fargate, EKS Auto Mode, Amazon EKS Hybrid Nodes +|EC2, Fargate, EKS Auto Mode, EKS Hybrid Nodes |SageMaker HyperPod task governance optimizes compute resource allocation and usage across teams in Amazon EKS clusters, addressing inefficiencies in task prioritization and resource sharing. |<> @@ -64,7 +64,7 @@ You can use any of the following Amazon EKS add-ons. |Secure, production-ready, {aws} supported distribution of the OpenTelemetry project |<> -|EC2, Fargate, EKS Auto Mode, Amazon EKS Hybrid Nodes +|EC2, Fargate, EKS Auto Mode, EKS Hybrid Nodes |Security monitoring service that analyzes and processes foundational data sources including {aws} CloudTrail management events and Amazon VPC flow logs. Amazon GuardDuty also processes features, such as Kubernetes audit logs and runtime monitoring |<> @@ -72,11 +72,11 @@ You can use any of the following Amazon EKS add-ons. |Monitoring and observability service provided by {aws}. This add-on installs the CloudWatch Agent and enables both CloudWatch Application Signals and CloudWatch Container Insights with enhanced observability for Amazon EKS |<> -|EC2, EKS Auto Mode, Amazon EKS Hybrid Nodes +|EC2, EKS Auto Mode, EKS Hybrid Nodes |Ability to manage credentials for your applications, similar to the way that EC2 instance profiles provide credentials to EC2 instances |<> -|EC2, Amazon EKS Hybrid Nodes +|EC2, EKS Hybrid Nodes |=== From 7e1830befbaa995824d2abe1ad8b408d446202c6 Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Fri, 4 Apr 2025 18:07:45 -0700 Subject: [PATCH 367/940] Doc history: launch node monitoring agent for hybrid nodes --- latest/ug/doc-history.adoc | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index a1f1dcee9..fb43b58f7 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -15,6 +15,13 @@ The following table describes the major updates and new features for the Amazon == Updates +[.update,date="2025-03-31"] +=== Node health for EKS Hybrid Nodes +[.update-ulink] +link:eks/latest/userguide/node-health.html[type="documentation"] + +You can use `eks-node-monitoring-agent` on hybrid nodes, starting from version `1.2.0-eksbuild.1`. Run `eks-node-monitoring-agent` as an Amazon EKS add-on to detect and show health issues. + [.update,date="2025-03-31"] === EKS Hybrid Nodes for existing clusters [.update-ulink] From e525ff85107f6a92e8689cada7a5e58e9e9f47a9 Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Mon, 7 Apr 2025 09:36:54 -0700 Subject: [PATCH 368/940] Release eksctl 0.207.0 --- latest/ug/attributes.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/attributes.txt b/latest/ug/attributes.txt index e41f178ba..1a72599c5 100644 --- a/latest/ug/attributes.txt +++ b/latest/ug/attributes.txt @@ -1,5 +1,5 @@ // eksctl version -:eksctl-min-version: 0.206.0 +:eksctl-min-version: 0.207.0 // EKS Auto Mode versions :auto-cli-v2-version: 2.12.3 From 54468ebc7570991574c179a576da79405dae4ce4 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Mon, 7 Apr 2025 11:52:02 -0500 Subject: [PATCH 369/940] Update auto-change.adoc --- latest/ug/automode/auto-change.adoc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/latest/ug/automode/auto-change.adoc b/latest/ug/automode/auto-change.adoc index e4a37133c..b050c00ec 100644 --- a/latest/ug/automode/auto-change.adoc +++ b/latest/ug/automode/auto-change.adoc @@ -7,6 +7,11 @@ include::../attributes.txt[] This page documents updates to Amazon EKS Auto Mode. You can periodically check this page for announcements about features, bug fixes, known issues, and deprecated functionality. +== April 4, 2025 + +**Feature:** Increase `registryPullQPS` from 5 to 25 and `registryBurst` from 10 to 50 to reduce client enforced image pull throttling (`Failed to pull image xyz: pull QPS exceeded`) + + == March 31, 2025 **Bug Fix:** Fixes an issue where if a Core DNS Pod is running on an Auto Mode node, DNS queries from Pods on the node would hit that Core DNS Pod instead of the node local DNS server. DNS queries from Pods on an Auto Mode node will always go to the node local DNS. From fe68001eaa9b5ead7766066ab0e00085441b0798 Mon Sep 17 00:00:00 2001 From: Leah Tucker <57272433+tucktuck9@users.noreply.github.com> Date: Mon, 7 Apr 2025 11:46:22 -0600 Subject: [PATCH 370/940] Update eks-ami-build-scripts.adoc --- latest/ug/nodes/eks-ami-build-scripts.adoc | 80 +++++++++++++++++++--- 1 file changed, 72 insertions(+), 8 deletions(-) diff --git a/latest/ug/nodes/eks-ami-build-scripts.adoc b/latest/ug/nodes/eks-ami-build-scripts.adoc index d4e3f6156..9e972c0de 100644 --- a/latest/ug/nodes/eks-ami-build-scripts.adoc +++ b/latest/ug/nodes/eks-ami-build-scripts.adoc @@ -2,7 +2,7 @@ include::../attributes.txt[] [.topic] [#eks-ami-build-scripts] -= Build a custom Amazon Linux AMI with a script += Build a custom Amazon Linux AMI :info_titleabbrev: Custom builds [abstract] @@ -10,16 +10,80 @@ include::../attributes.txt[] Amazon Elastic Kubernetes Service (Amazon EKS) has open-source scripts that are used to build the Amazon EKS optimized AMI. -- -Amazon Elastic Kubernetes Service (Amazon EKS) has open-source scripts that are used to build the Amazon EKS optimized AMI. These build scripts are available https://github.com/awslabs/amazon-eks-ami[on GitHub]. +[IMPORTANT] +==== +Amazon EKS will no longer publish EKS-optimized Amazon Linux 2 (AL2) AMIs after November 26th, 2025. Additionally, Kubernetes version `1.32` is the last version for which Amazon EKS will release AL2 AMIs. From version `1.33` onwards, Amazon EKS will continue to release AL2023 and Bottlerocket based AMIs. +==== -The Amazon EKS optimized Amazon Linux AMIs are built on top of Amazon Linux 2 (AL2) and Amazon Linux 2023 (AL2023), specifically for use as a node in Amazon EKS clusters. You can use this repository to view the specifics of how the Amazon EKS team configures `kubelet`, the runtime, the {aws} IAM Authenticator for Kubernetes, and build your own Amazon Linux based AMI from scratch. +The Amazon EKS optimized Amazon Linux (AL) AMIs are built on top of AL2 and AL2023, specifically for use as nodes in Amazon EKS clusters. EKS provides open-source build scripts in the https://github.com/awslabs/amazon-eks-ami[Amazon EKS AMI Build Specification] repository that you can use to view the configurations for `kubelet`, the runtime, and the {aws} IAM Authenticator for Kubernetes, or to build your own AL-based AMI from scratch. This repository contains the specialized https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap script] and https://awslabs.github.io/amazon-eks-ami/nodeadm/[nodeadm script] that runs at boot time to configure your instance's certificate data, control plane endpoint, cluster name, and more. The scripts are considered the source of truth for Amazon EKS optimized AMI builds, so you can follow the GitHub repository to monitor changes to our AMIs. -The build scripts repository includes a https://www.packer.io/[HashiCorp packer] template and build scripts to generate an AMI. These scripts are the source of truth for Amazon EKS optimized AMI builds, so you can follow the GitHub repository to monitor changes to our AMIs. For example, perhaps you want your own AMI to use the same version of Docker that the Amazon EKS team uses for the official AMI. +== Prerequisites -The GitHub repository also contains the specialized https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap script] and https://awslabs.github.io/amazon-eks-ami/nodeadm/[nodeadm script] that runs at boot time to configure your instance's certificate data, control plane endpoint, cluster name, and more. +* https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html[Install the {aws} CLI] +* https://developer.hashicorp.com/packer/downloads[Install HashiCorp Packer v1.9.4+] +* https://www.gnu.org/software/make/[Install GNU Make] -Additionally, the GitHub repository contains our Amazon EKS node {aws} CloudFormation templates. These templates make it easier to spin up an instance running an Amazon EKS optimized AMI and register it with a cluster. +== Quickstart -For more information, see the repositories on GitHub at https://github.com/awslabs/amazon-eks-ami. +This section shows you the commands to create a custom AMI in your {aws} account. To learn more about the configurations available to customize your AMI, see the template variables on the https://awslabs.github.io/amazon-eks-ami/usage/al2023/[Amazon Linux 2023] page. -Amazon EKS optimized AL2 contains an optional bootstrap flag to enable the `containerd` runtime. \ No newline at end of file +=== 1. Setup your environment + +Clone or fork the official EKS AMI repository. For example: + +[source,bash] +---- +git clone https://github.com/awslabs/amazon-eks-ami.git +cd amazon-eks-ami +---- + +Verify Packer is installed: + +[source,bash] +---- +packer --version +---- + +=== 2. Create a custom AMI (examples) + +*Basic NVIDIA AL2 AMI:* + +[source,bash] +---- +make k8s=1.31 os_distro=al2 \ + enable_accelerator=nvidia \ + nvidia_driver_major_version=560 \ + enable_efa=true +---- + +*Basic NVIDIA AL2023 AMI:* + +[source,bash] +---- +make k8s=1.31 os_distro=al2023 \ + enable_accelerator=nvidia \ + nvidia_driver_major_version=560 \ + enable_efa=true +---- + +*STIG-Compliant Neuron AL2023 AMI:* + +[source,bash] +---- +make k8s=1.31 os_distro=al2023 \ + enable_accelerator=neuron \ + enable_fips=true \ + source_ami_id=ami-0abcd1234efgh5678 \ + kms_key_id=alias/aws-stig +---- + +After you run these commands, Packer will launch a temporary EC2 instance, install Kubernetes components, drivers, and configurations, and create the AMI in your {aws} account. + +=== 3. View default values + +View default values and additional options: + +[source,bash] +---- +make help +---- From 5a40606b31e1c5383bc72f993e9ecf3d92dfb2f3 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Mon, 7 Apr 2025 15:15:01 -0500 Subject: [PATCH 371/940] Update what-is-eks.adoc (#970) * Update what-is-eks.adoc * Update what-is-eks.adoc --- latest/ug/what-is/what-is-eks.adoc | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index 0f7ab7ac2..367d79563 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -23,6 +23,18 @@ Amazon Elastic Kubernetes Service (EKS) provides a fully managed Kubernetes serv +## Amazon EKS: Simplified Kubernetes Management + +Amazon Elastic Kubernetes Service (EKS) provides a fully managed Kubernetes service that eliminates the complexity of operating Kubernetes clusters. With EKS, you can: + + +* Deploy applications faster with less operational overhead +* Scale seamlessly to meet changing workload demands +* Improve security through {aws} integration and automated updates +* Choose between standard EKS or fully automated xref:automode[EKS Auto Mode] + + + Amazon EKS simplifies building, securing, and maintaining Kubernetes clusters. It can be more cost effective at providing enough resources to meet peak demand than maintaining your own data centers. Two of the main approaches to using Amazon EKS are as follows: * **EKS standard**: {aws} manages the https://kubernetes.io/docs/concepts/overview/components/#control-plane-components[Kubernetes control plane] when you create a cluster with EKS. Components that manage nodes, schedule workloads, integrate with the {aws} cloud, and store and scale control plane information to keep your clusters up and running, are handled for you automatically. From 7e8f64286301d4a2d710fdcc93b79da3df1e8a0d Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Mon, 7 Apr 2025 20:18:27 +0000 Subject: [PATCH 372/940] Revert "Update what-is-eks.adoc (#970)" This reverts commit 5a40606b31e1c5383bc72f993e9ecf3d92dfb2f3. --- latest/ug/what-is/what-is-eks.adoc | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index 367d79563..0f7ab7ac2 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -23,18 +23,6 @@ Amazon Elastic Kubernetes Service (EKS) provides a fully managed Kubernetes serv -## Amazon EKS: Simplified Kubernetes Management - -Amazon Elastic Kubernetes Service (EKS) provides a fully managed Kubernetes service that eliminates the complexity of operating Kubernetes clusters. With EKS, you can: - - -* Deploy applications faster with less operational overhead -* Scale seamlessly to meet changing workload demands -* Improve security through {aws} integration and automated updates -* Choose between standard EKS or fully automated xref:automode[EKS Auto Mode] - - - Amazon EKS simplifies building, securing, and maintaining Kubernetes clusters. It can be more cost effective at providing enough resources to meet peak demand than maintaining your own data centers. Two of the main approaches to using Amazon EKS are as follows: * **EKS standard**: {aws} manages the https://kubernetes.io/docs/concepts/overview/components/#control-plane-components[Kubernetes control plane] when you create a cluster with EKS. Components that manage nodes, schedule workloads, integrate with the {aws} cloud, and store and scale control plane information to keep your clusters up and running, are handled for you automatically. From 6436234b15dc23c8e9bc8061a8129232e7d13989 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Mon, 7 Apr 2025 15:19:09 -0500 Subject: [PATCH 373/940] Update what-is-eks.adoc --- latest/ug/what-is/what-is-eks.adoc | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index 0f7ab7ac2..8a55da9d3 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -11,18 +11,6 @@ Learn to manage containerized applications with Amazon EKS Amazon Elastic Kubernetes Service (Amazon EKS) is the premiere platform for running https://kubernetes.io/docs/concepts/overview/[Kubernetes] clusters, both in the Amazon Web Services ({aws}) cloud and in your own data centers (https://anywhere.eks.amazonaws.com/[EKS Anywhere] and <>). -## Amazon EKS: Simplified Kubernetes Management - -Amazon Elastic Kubernetes Service (EKS) provides a fully managed Kubernetes service that eliminates the complexity of operating Kubernetes clusters. With EKS, you can: - - -* Deploy applications faster with less operational overhead -* Scale seamlessly to meet changing workload demands -* Improve security through {aws} integration and automated updates -* Choose between standard EKS or fully automated xref:automode[EKS Auto Mode] - - - Amazon EKS simplifies building, securing, and maintaining Kubernetes clusters. It can be more cost effective at providing enough resources to meet peak demand than maintaining your own data centers. Two of the main approaches to using Amazon EKS are as follows: * **EKS standard**: {aws} manages the https://kubernetes.io/docs/concepts/overview/components/#control-plane-components[Kubernetes control plane] when you create a cluster with EKS. Components that manage nodes, schedule workloads, integrate with the {aws} cloud, and store and scale control plane information to keep your clusters up and running, are handled for you automatically. From abb3b435924de270a68747ad79f14ddeb30e8122 Mon Sep 17 00:00:00 2001 From: Abhinav Pandey Date: Wed, 2 Apr 2025 15:12:58 -0700 Subject: [PATCH 374/940] add rnc update examples --- .../ug/nodes/hybrid-nodes-cluster-update.adoc | 121 ++++++++++++++++-- 1 file changed, 113 insertions(+), 8 deletions(-) diff --git a/latest/ug/nodes/hybrid-nodes-cluster-update.adoc b/latest/ug/nodes/hybrid-nodes-cluster-update.adoc index bd9e23b18..0c23808ac 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-update.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-update.adoc @@ -16,18 +16,14 @@ To enable an Amazon EKS cluster to use hybrid nodes, add the IP address CIDR ran You can do any of the following actions to the EKS Hybrid Nodes networking configuration in a cluster: -* Add remote node network configuration to enable EKS Hybrid Nodes in an existing cluster. -* Add, change, or remove the remote node networks. -* Remove all remote node network CIDR ranges to disable EKS Hybrid Nodes in an existing cluster. -* Add, change, or remove the optional remote pod networks. -* Remove all of remote pod network CIDR ranges. - -The following examples enable EKS Hybrid Nodes on an existing cluster and include the optional remote pod network. +* <> +* <> +* <> [#hybrid-nodes-cluster-enable-prep] == Prerequisites -* The latest version of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device. To check your current version, use `aws --version`. Package managers such yum, apt-get, or Homebrew for macOS are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/getting-started-install.html[Installing or updating to the last version of the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Configuring settings for the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. +* The latest version of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device. To check your current version, use `aws --version`. Package managers such yum, apt-get, or Homebrew for macOS are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/getting-started-install.html[Installing or updating to the latest version of the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Configuring settings for the {aws} CLI,type="documentation"] in the {aws} Command Line Interface User Guide. * Before enabling your Amazon EKS cluster for hybrid nodes, ensure your environment meets the requirements outlined at <>, and detailed at <>, <>, and <>. * Your cluster must use IPv4 address family. * Your cluster must use either API or API_AND_CONFIG_MAP for the cluster authentication mode. The process for modifying the cluster authentication mode is described at <>. @@ -129,3 +125,112 @@ aws eks describe-cluster \ . Choose *Save changes* to finish. Wait for the cluster status to return to *Active*. . Continue to <>. + +[#hybrid-nodes-cluster-update-config] +== Update hybrid nodes configuration in an existing cluster + +You can modify `remoteNetworkConfig` in an existing hybrid cluster using: + +* <> +* <> +* <> + +[#hybrid-nodes-cluster-update-cfn] +=== Update hybrid configuration in an existing cluster - {aws} CloudFormation + +. Update your CloudFormation template with the new network CIDR values. ++ +[source,yaml,subs="verbatim,attributes"] +---- +RemoteNetworkConfig: + RemoteNodeNetworks: + - Cidrs: [NEW_REMOTE_NODE_CIDRS] + RemotePodNetworks: + - Cidrs: [NEW_REMOTE_POD_CIDRS] +---- +NOTE: When updating `RemoteNodeNetworks` or `RemotePodNetworks` CIDR lists, include all desired CIDRs (new and existing). EKS replaces the entire list during updates. +Omitting these fields from the update request retains their existing configurations. + +. Update your CloudFormation stack with the modified template and wait for the stack update to complete. + +[#hybrid-nodes-cluster-update-cli] +=== Update hybrid configuration in an existing cluster - {aws} CLI + +. To modify the remote network CIDRs, run the following command. Replace the values with your desired settings: ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks update-cluster +--name CLUSTER_NAME +--region AWS_REGION +--remote-network-config '{"remoteNodeNetworks":[{"cidrs":["NEW_REMOTE_NODE_CIDRS"]}],"remotePodNetworks":[{"cidrs":["NEW_REMOTE_POD_CIDRS"]}]}' +---- +NOTE: When updating `remoteNodeNetworks` or `remotePodNetworks` CIDR lists, include all desired CIDRs (new and existing). EKS replaces the entire list during updates. +Omitting these fields from the update request retains their existing configurations. + +. Wait for the cluster status to return to ACTIVE before proceeding. + +[#hybrid-nodes-cluster-update-console] +=== Update hybrid configuration in an existing cluster - {aws-management-console} + +. Open the Amazon EKS console at link:eks/home#/clusters[Amazon EKS console,type="console"]. +. Choose the name of the cluster to display your cluster information. +. Choose the *Networking* tab and choose *Manage*. +. In the dropdown, choose *Remote networks*. +. Update the CIDRs under `Remote node networks` and `Remote pod networks - Optional` as needed. +. Choose *Save changes* and wait for the cluster status to return to *Active*. + + +[#hybrid-nodes-cluster-disable] +== Disable Hybrid nodes in an existing cluster + +You can disable EKS Hybrid Nodes in an existing cluster by using: + +* <> +* <> +* <> + +[#hybrid-nodes-cluster-disable-cfn] +=== Disable EKS Hybrid Nodes in an existing cluster - {aws} CloudFormation + +. To disable EKS Hybrid Nodes in your cluster, set `RemoteNodeNetworks` and `RemotePodNetworks` to empty arrays in your CloudFormation template and update the stack. ++ +[source,yaml,subs="verbatim,attributes"] +---- +RemoteNetworkConfig: + RemoteNodeNetworks: [] + RemotePodNetworks: [] +---- + +[#hybrid-nodes-cluster-disable-cli] +=== Disable EKS Hybrid Nodes in an existing cluster - {aws} CLI +. Run the following command to remove `RemoteNetworkConfig` from your EKS cluster. Before running the command, replace the following with your desired settings. For a full list of settings, see the link:eks/latest/APIReference/API_UpdateClusterConfig.html[UpdateClusterConfig,type="documentation"] in the _Amazon EKS API Reference_. +.. `CLUSTER_NAME`: name of the EKS cluster to update. +.. `AWS_REGION`: {aws} Region where the EKS cluster is running. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks update-cluster \ + --name CLUSTER_NAME \ + --region AWS_REGION \ + --remote-network-config '{"remoteNodeNetworks":[],"remotePodNetworks":[]}' +---- +. It takes several minutes to update the cluster. You can query the status of your cluster with the following command. Replace `CLUSTER_NAME` with the name of the cluster you are modifying and `AWS_REGION` with the {aws} Region where the cluster is running. Don't proceed to the next step until the output returned is `ACTIVE`. ++ +[source,bash,subs="verbatim,attributes"] +---- +aws eks describe-cluster \ + --name CLUSTER_NAME \ + --region AWS_REGION \ + --query "cluster.status" +---- + +[#hybrid-nodes-cluster-disable-console] +=== Disable EKS Hybrid Nodes in an existing cluster - {aws-management-console} + +. Open the Amazon EKS console at link:eks/home#/clusters[Amazon EKS console,type="console"]. +. Choose the name of the cluster to display your cluster information. +. Choose the *Networking* tab and choose *Manage*. +. In the dropdown, choose *Remote networks*. +. Choose *Configure remote networks to enable hybrid nodes* and remove all the CIDRs under `Remote node networks` and `Remote pod networks - Optional`. +. Choose *Save changes* to finish. Wait for the cluster status to return to *Active*. From 4533dee537e3758a70f979cfd413bd62ab8e8887 Mon Sep 17 00:00:00 2001 From: pgasca <87044997+pgasca@users.noreply.github.com> Date: Mon, 7 Apr 2025 17:42:40 -0500 Subject: [PATCH 375/940] Peer review style edits --- latest/ug/nodes/eks-ami-build-scripts.adoc | 25 +++++++++++++++------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/latest/ug/nodes/eks-ami-build-scripts.adoc b/latest/ug/nodes/eks-ami-build-scripts.adoc index 9e972c0de..2b4335b2f 100644 --- a/latest/ug/nodes/eks-ami-build-scripts.adoc +++ b/latest/ug/nodes/eks-ami-build-scripts.adoc @@ -15,7 +15,11 @@ Amazon Elastic Kubernetes Service (Amazon EKS) has open-source scripts that are Amazon EKS will no longer publish EKS-optimized Amazon Linux 2 (AL2) AMIs after November 26th, 2025. Additionally, Kubernetes version `1.32` is the last version for which Amazon EKS will release AL2 AMIs. From version `1.33` onwards, Amazon EKS will continue to release AL2023 and Bottlerocket based AMIs. ==== -The Amazon EKS optimized Amazon Linux (AL) AMIs are built on top of AL2 and AL2023, specifically for use as nodes in Amazon EKS clusters. EKS provides open-source build scripts in the https://github.com/awslabs/amazon-eks-ami[Amazon EKS AMI Build Specification] repository that you can use to view the configurations for `kubelet`, the runtime, and the {aws} IAM Authenticator for Kubernetes, or to build your own AL-based AMI from scratch. This repository contains the specialized https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap script] and https://awslabs.github.io/amazon-eks-ami/nodeadm/[nodeadm script] that runs at boot time to configure your instance's certificate data, control plane endpoint, cluster name, and more. The scripts are considered the source of truth for Amazon EKS optimized AMI builds, so you can follow the GitHub repository to monitor changes to our AMIs. +The Amazon EKS optimized Amazon Linux (AL) AMIs are built on top of AL2 and AL2023, specifically for use as nodes in Amazon EKS clusters. Amazon EKS provides open-source build scripts in the https://github.com/awslabs/amazon-eks-ami[Amazon EKS AMI Build Specification] repository that you can use in the following ways: +* View the configurations for `kubelet`, the runtime, and the {aws} IAM Authenticator for Kubernetes. +* Build your own AL-based AMI from scratch. + +This repository contains the specialized https://github.com/awslabs/amazon-eks-ami/blob/main/templates/al2/runtime/bootstrap.sh[bootstrap script] and https://awslabs.github.io/amazon-eks-ami/nodeadm/[nodeadm script] that runs at boot time. These scripts configure your instance's certificate data, control plane endpoint, cluster name, and more. The scripts are considered the source of truth for Amazon EKS optimized AMI builds, so you can follow the GitHub repository to monitor changes to our AMIs. == Prerequisites @@ -27,9 +31,9 @@ The Amazon EKS optimized Amazon Linux (AL) AMIs are built on top of AL2 and AL20 This section shows you the commands to create a custom AMI in your {aws} account. To learn more about the configurations available to customize your AMI, see the template variables on the https://awslabs.github.io/amazon-eks-ami/usage/al2023/[Amazon Linux 2023] page. -=== 1. Setup your environment +=== Step 1. Setup your environment -Clone or fork the official EKS AMI repository. For example: +Clone or fork the official Amazon EKS AMI repository. For example: [source,bash] ---- @@ -37,14 +41,16 @@ git clone https://github.com/awslabs/amazon-eks-ami.git cd amazon-eks-ami ---- -Verify Packer is installed: +Verify that Packer is installed: [source,bash] ---- packer --version ---- -=== 2. Create a custom AMI (examples) +=== Step 2. Create a custom AMI + +The following are example commands for various custom AMIs. *Basic NVIDIA AL2 AMI:* @@ -77,11 +83,14 @@ make k8s=1.31 os_distro=al2023 \ kms_key_id=alias/aws-stig ---- -After you run these commands, Packer will launch a temporary EC2 instance, install Kubernetes components, drivers, and configurations, and create the AMI in your {aws} account. +After you run these commands, Packer will do the following: +* Launch a temporary Amazon EC2 instance. +* Install Kubernetes components, drivers, and configurations. +* Create the AMI in your {aws} account. -=== 3. View default values +=== Step 3. View default values -View default values and additional options: +To view default values and additional options, run the following command: [source,bash] ---- From 3b859ee104cb94aaeec27c34905a76bbe08b7e3d Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Mon, 7 Apr 2025 20:05:18 -0500 Subject: [PATCH 376/940] Update what-is-eks.adoc (#971) * Update what-is-eks.adoc * Update what-is-eks.adoc --- latest/ug/what-is/what-is-eks.adoc | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index 8a55da9d3..0f7ab7ac2 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -11,6 +11,18 @@ Learn to manage containerized applications with Amazon EKS Amazon Elastic Kubernetes Service (Amazon EKS) is the premiere platform for running https://kubernetes.io/docs/concepts/overview/[Kubernetes] clusters, both in the Amazon Web Services ({aws}) cloud and in your own data centers (https://anywhere.eks.amazonaws.com/[EKS Anywhere] and <>). +## Amazon EKS: Simplified Kubernetes Management + +Amazon Elastic Kubernetes Service (EKS) provides a fully managed Kubernetes service that eliminates the complexity of operating Kubernetes clusters. With EKS, you can: + + +* Deploy applications faster with less operational overhead +* Scale seamlessly to meet changing workload demands +* Improve security through {aws} integration and automated updates +* Choose between standard EKS or fully automated xref:automode[EKS Auto Mode] + + + Amazon EKS simplifies building, securing, and maintaining Kubernetes clusters. It can be more cost effective at providing enough resources to meet peak demand than maintaining your own data centers. Two of the main approaches to using Amazon EKS are as follows: * **EKS standard**: {aws} manages the https://kubernetes.io/docs/concepts/overview/components/#control-plane-components[Kubernetes control plane] when you create a cluster with EKS. Components that manage nodes, schedule workloads, integrate with the {aws} cloud, and store and scale control plane information to keep your clusters up and running, are handled for you automatically. From d5cc74501bf8a975e7f65b5aca3350223d5f0076 Mon Sep 17 00:00:00 2001 From: Chris Negus Date: Tue, 8 Apr 2025 14:35:34 +0000 Subject: [PATCH 377/940] Added permissions to AmazonEKSServiceRolePolicy for AI/ML clusters --- latest/ug/security/iam-reference/security-iam-awsmanpol.adoc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc index 401c013f3..74a681a69 100644 --- a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc +++ b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc @@ -366,6 +366,9 @@ View details about updates to {aws} managed policies for Amazon EKS since this s |Description |Date +| Added permission to <>. +| Added `ec2:RevokeSecurityGroupEgress` and `ec2:AuthorizeSecurityGroupEgress` permissions to allow EKS AI/ML customers to add Security Group Egress rules to the default EKS Cluster SG that are compatible with EFA. +| April 7, 2025 | Added permissions to <>. | Added permission to terminate EC2 instances created by EKS Auto Mode. @@ -503,4 +506,4 @@ Added the ability for the EBS CSI Driver to enable Fast Snapshot Restore (FSR) o |Amazon EKS started tracking changes for its {aws} managed policies. |June 17, 2021 -|=== \ No newline at end of file +|=== From 9affa907da814cb34e8e6faf2f63edc7cfdd3223 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Tue, 8 Apr 2025 10:39:02 -0500 Subject: [PATCH 378/940] Update what-is-eks.adoc --- latest/ug/what-is/what-is-eks.adoc | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index 0f7ab7ac2..8a55da9d3 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -11,18 +11,6 @@ Learn to manage containerized applications with Amazon EKS Amazon Elastic Kubernetes Service (Amazon EKS) is the premiere platform for running https://kubernetes.io/docs/concepts/overview/[Kubernetes] clusters, both in the Amazon Web Services ({aws}) cloud and in your own data centers (https://anywhere.eks.amazonaws.com/[EKS Anywhere] and <>). -## Amazon EKS: Simplified Kubernetes Management - -Amazon Elastic Kubernetes Service (EKS) provides a fully managed Kubernetes service that eliminates the complexity of operating Kubernetes clusters. With EKS, you can: - - -* Deploy applications faster with less operational overhead -* Scale seamlessly to meet changing workload demands -* Improve security through {aws} integration and automated updates -* Choose between standard EKS or fully automated xref:automode[EKS Auto Mode] - - - Amazon EKS simplifies building, securing, and maintaining Kubernetes clusters. It can be more cost effective at providing enough resources to meet peak demand than maintaining your own data centers. Two of the main approaches to using Amazon EKS are as follows: * **EKS standard**: {aws} manages the https://kubernetes.io/docs/concepts/overview/components/#control-plane-components[Kubernetes control plane] when you create a cluster with EKS. Components that manage nodes, schedule workloads, integrate with the {aws} cloud, and store and scale control plane information to keep your clusters up and running, are handled for you automatically. From bc2dba187c46d49fd88598dd0a03bec2beffc8ab Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Tue, 8 Apr 2025 10:49:47 -0500 Subject: [PATCH 379/940] Update what-is-eks.adoc (#972) * Update what-is-eks.adoc * Update what-is-eks.adoc --- latest/ug/what-is/what-is-eks.adoc | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index 8a55da9d3..0f7ab7ac2 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -11,6 +11,18 @@ Learn to manage containerized applications with Amazon EKS Amazon Elastic Kubernetes Service (Amazon EKS) is the premiere platform for running https://kubernetes.io/docs/concepts/overview/[Kubernetes] clusters, both in the Amazon Web Services ({aws}) cloud and in your own data centers (https://anywhere.eks.amazonaws.com/[EKS Anywhere] and <>). +## Amazon EKS: Simplified Kubernetes Management + +Amazon Elastic Kubernetes Service (EKS) provides a fully managed Kubernetes service that eliminates the complexity of operating Kubernetes clusters. With EKS, you can: + + +* Deploy applications faster with less operational overhead +* Scale seamlessly to meet changing workload demands +* Improve security through {aws} integration and automated updates +* Choose between standard EKS or fully automated xref:automode[EKS Auto Mode] + + + Amazon EKS simplifies building, securing, and maintaining Kubernetes clusters. It can be more cost effective at providing enough resources to meet peak demand than maintaining your own data centers. Two of the main approaches to using Amazon EKS are as follows: * **EKS standard**: {aws} manages the https://kubernetes.io/docs/concepts/overview/components/#control-plane-components[Kubernetes control plane] when you create a cluster with EKS. Components that manage nodes, schedule workloads, integrate with the {aws} cloud, and store and scale control plane information to keep your clusters up and running, are handled for you automatically. From b4219242714522cbda9b84a4458c45e8e8556c39 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Tue, 8 Apr 2025 15:53:23 +0000 Subject: [PATCH 380/940] Revert "Update what-is-eks.adoc (#972)" This reverts commit bc2dba187c46d49fd88598dd0a03bec2beffc8ab. --- latest/ug/what-is/what-is-eks.adoc | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index 0f7ab7ac2..8a55da9d3 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -11,18 +11,6 @@ Learn to manage containerized applications with Amazon EKS Amazon Elastic Kubernetes Service (Amazon EKS) is the premiere platform for running https://kubernetes.io/docs/concepts/overview/[Kubernetes] clusters, both in the Amazon Web Services ({aws}) cloud and in your own data centers (https://anywhere.eks.amazonaws.com/[EKS Anywhere] and <>). -## Amazon EKS: Simplified Kubernetes Management - -Amazon Elastic Kubernetes Service (EKS) provides a fully managed Kubernetes service that eliminates the complexity of operating Kubernetes clusters. With EKS, you can: - - -* Deploy applications faster with less operational overhead -* Scale seamlessly to meet changing workload demands -* Improve security through {aws} integration and automated updates -* Choose between standard EKS or fully automated xref:automode[EKS Auto Mode] - - - Amazon EKS simplifies building, securing, and maintaining Kubernetes clusters. It can be more cost effective at providing enough resources to meet peak demand than maintaining your own data centers. Two of the main approaches to using Amazon EKS are as follows: * **EKS standard**: {aws} manages the https://kubernetes.io/docs/concepts/overview/components/#control-plane-components[Kubernetes control plane] when you create a cluster with EKS. Components that manage nodes, schedule workloads, integrate with the {aws} cloud, and store and scale control plane information to keep your clusters up and running, are handled for you automatically. From 467cd9ded582ac82cad524c58d1119a739f17275 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Tue, 8 Apr 2025 12:11:25 -0500 Subject: [PATCH 381/940] Update what-is-eks.adoc (#973) * Update what-is-eks.adoc * Update what-is-eks.adoc --- latest/ug/what-is/what-is-eks.adoc | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index 8a55da9d3..0f7ab7ac2 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -11,6 +11,18 @@ Learn to manage containerized applications with Amazon EKS Amazon Elastic Kubernetes Service (Amazon EKS) is the premiere platform for running https://kubernetes.io/docs/concepts/overview/[Kubernetes] clusters, both in the Amazon Web Services ({aws}) cloud and in your own data centers (https://anywhere.eks.amazonaws.com/[EKS Anywhere] and <>). +## Amazon EKS: Simplified Kubernetes Management + +Amazon Elastic Kubernetes Service (EKS) provides a fully managed Kubernetes service that eliminates the complexity of operating Kubernetes clusters. With EKS, you can: + + +* Deploy applications faster with less operational overhead +* Scale seamlessly to meet changing workload demands +* Improve security through {aws} integration and automated updates +* Choose between standard EKS or fully automated xref:automode[EKS Auto Mode] + + + Amazon EKS simplifies building, securing, and maintaining Kubernetes clusters. It can be more cost effective at providing enough resources to meet peak demand than maintaining your own data centers. Two of the main approaches to using Amazon EKS are as follows: * **EKS standard**: {aws} manages the https://kubernetes.io/docs/concepts/overview/components/#control-plane-components[Kubernetes control plane] when you create a cluster with EKS. Components that manage nodes, schedule workloads, integrate with the {aws} cloud, and store and scale control plane information to keep your clusters up and running, are handled for you automatically. From 51bf1cc267577ccffa918eb9eda9d246140450d3 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Tue, 8 Apr 2025 17:39:07 +0000 Subject: [PATCH 382/940] fixup --- latest/ug/what-is/what-is-eks.adoc | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/latest/ug/what-is/what-is-eks.adoc b/latest/ug/what-is/what-is-eks.adoc index 0f7ab7ac2..8a55da9d3 100644 --- a/latest/ug/what-is/what-is-eks.adoc +++ b/latest/ug/what-is/what-is-eks.adoc @@ -11,18 +11,6 @@ Learn to manage containerized applications with Amazon EKS Amazon Elastic Kubernetes Service (Amazon EKS) is the premiere platform for running https://kubernetes.io/docs/concepts/overview/[Kubernetes] clusters, both in the Amazon Web Services ({aws}) cloud and in your own data centers (https://anywhere.eks.amazonaws.com/[EKS Anywhere] and <>). -## Amazon EKS: Simplified Kubernetes Management - -Amazon Elastic Kubernetes Service (EKS) provides a fully managed Kubernetes service that eliminates the complexity of operating Kubernetes clusters. With EKS, you can: - - -* Deploy applications faster with less operational overhead -* Scale seamlessly to meet changing workload demands -* Improve security through {aws} integration and automated updates -* Choose between standard EKS or fully automated xref:automode[EKS Auto Mode] - - - Amazon EKS simplifies building, securing, and maintaining Kubernetes clusters. It can be more cost effective at providing enough resources to meet peak demand than maintaining your own data centers. Two of the main approaches to using Amazon EKS are as follows: * **EKS standard**: {aws} manages the https://kubernetes.io/docs/concepts/overview/components/#control-plane-components[Kubernetes control plane] when you create a cluster with EKS. Components that manage nodes, schedule workloads, integrate with the {aws} cloud, and store and scale control plane information to keep your clusters up and running, are handled for you automatically. From eaa9be5d6857728fe8ba2159ede1533496822acb Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Tue, 8 Apr 2025 22:10:06 +0000 Subject: [PATCH 383/940] Add ssm parameter for AL2023 NVIDIA ARM AMI: 46078 --- latest/ug/nodes/retrieve-ami-id.adoc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/latest/ug/nodes/retrieve-ami-id.adoc b/latest/ug/nodes/retrieve-ami-id.adoc index df08bef91..f2ac6fab8 100644 --- a/latest/ug/nodes/retrieve-ami-id.adoc +++ b/latest/ug/nodes/retrieve-ami-id.adoc @@ -19,7 +19,8 @@ You can retrieve the image ID of the latest recommended Amazon EKS optimized Ama + ** Use [.replaceable]`amazon-linux-2023/x86_64/standard` for Amazon Linux 2023 (AL2023) `x86` based instances. ** Use [.replaceable]`amazon-linux-2023/arm64/standard` for AL2023 ARM instances. -** Use [.replaceable]`amazon-linux-2023/x86_64/nvidia` for the latest approved AL2023 NVIDIA instances. +** Use [.replaceable]`amazon-linux-2023/x86_64/nvidia` for the latest approved AL2023 NVIDIA `x86` based instances. +** Use [.replaceable]`amazon-linux-2023/arm64/nvidia` for the latest approved AL2023 NVIDIA `arm64` based instances. ** Use [.replaceable]`amazon-linux-2023/x86_64/neuron` for the latest AL2023 link:machine-learning/neuron/[{aws} Neuron,type="marketing"] instances. ** Use [.replaceable]`amazon-linux-2` for Amazon Linux 2 (AL2) `x86` based instances. ** Use [.replaceable]`amazon-linux-2-arm64` for AL2 ARM instances, such as link:ec2/graviton/[{aws} Graviton,type="marketing"] based instances. From dc7f0ef85beb971a0cc5932e98d8cf3f6a7b0c76 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Tue, 8 Apr 2025 22:16:34 +0000 Subject: [PATCH 384/940] Remove g5g from not supported ECS families: 46079 --- latest/ug/nodes/choosing-instance-type.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/nodes/choosing-instance-type.adoc b/latest/ug/nodes/choosing-instance-type.adoc index 46c59581b..438f321b1 100644 --- a/latest/ug/nodes/choosing-instance-type.adoc +++ b/latest/ug/nodes/choosing-instance-type.adoc @@ -14,7 +14,7 @@ Amazon EC2 provides a wide selection of instance types for worker nodes. Each in -* All Amazon EKS AMIs don't currently support the `g5g` and `mac` families. +* All Amazon EKS AMIs don't currently support the `mac` family. * Arm and non-accelerated Amazon EKS AMIs don't support the `g3`, `g4`, `inf`, and `p` families. * Accelerated Amazon EKS AMIs don't support the `a`, `c`, `hpc`, `m`, and `t` families. * For Arm-based instances, Amazon Linux 2023 (AL2023) only supports instance types that use Graviton2 or later processors. AL2023 doesn't support `A1` instances. From 1880d1423060cc9b1e7e26bbd04d10a7d4bce72f Mon Sep 17 00:00:00 2001 From: Chris Negus Date: Wed, 9 Apr 2025 18:42:52 +0000 Subject: [PATCH 385/940] Added AmazonEKSServiceRolePolicy change to history file --- latest/ug/doc-history.adoc | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index fb43b58f7..79263b94b 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -14,6 +14,12 @@ The following table describes the major updates and new features for the Amazon [.updates] == Updates +[.update,date="2025-04-09"] +=== {aws} managed policy updates +[.update-ulink] +link:eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates[type="documentation"] + +Added permissions to `AmazonEKSServiceRolePolicy` to allow EKS AI/ML customers to add Egress rules to the default EKS Cluster security group. [.update,date="2025-03-31"] === Node health for EKS Hybrid Nodes @@ -1930,4 +1936,4 @@ Initial documentation for service launch [.update-history] |=== -|=== \ No newline at end of file +|=== From 7210487b63d7ca90d92d7ba0389d0ab237a24b59 Mon Sep 17 00:00:00 2001 From: Chris Negus Date: Wed, 9 Apr 2025 19:42:50 +0000 Subject: [PATCH 386/940] Added note about docker-2048 image per https://t.corp.amazon.com/V1734858203 --- latest/ug/automode/auto-elb-example.adoc | 2 +- latest/ug/quickstart.adoc | 9 +++++++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/latest/ug/automode/auto-elb-example.adoc b/latest/ug/automode/auto-elb-example.adoc index 9f9dc12fa..99558d177 100644 --- a/latest/ug/automode/auto-elb-example.adoc +++ b/latest/ug/automode/auto-elb-example.adoc @@ -68,7 +68,7 @@ spec: cpu: "0.5" ---- -NOTE: If you receive an error loading the image `public.ecr.aws/l6m2t8p7/docker-2048:latest`, confirm your Node IAM role has sufficent permissions to pull images from ECR. For more information, see <>. +NOTE: If you receive an error loading the image `public.ecr.aws/l6m2t8p7/docker-2048:latest`, confirm your Node IAM role has sufficent permissions to pull images from ECR. For more information, see <>. Also, the `docker-2048` image in the example is an `x86_64` image and will not run on other architectures. *Key components:* diff --git a/latest/ug/quickstart.adoc b/latest/ug/quickstart.adoc index fa00d8179..b85035c60 100644 --- a/latest/ug/quickstart.adoc +++ b/latest/ug/quickstart.adoc @@ -102,7 +102,12 @@ kubectl apply -f ingressclass.yaml == Deploy the 2048 game sample application -In this section, we walk you through the steps to deploy the popular "`2048 game`" as a sample application within the cluster. The provided manifest includes custom annotations for the Application Load Balancer (ALB). These annotations integrate with and instruct the EKS to handle incoming HTTP traffic as "internet-facing" and route it to the appropriate service in the 'game-2048' namespace using the target type "ip". +In this section, we walk you through the steps to deploy the popular "`2048 game`" as a sample application within the cluster. The provided manifest includes custom annotations for the Application Load Balancer (ALB). These annotations integrate with and instruct the EKS to handle incoming HTTP traffic as "internet-facing" and route it to the appropriate service in the `game-2048` namespace using the target type "ip". + +[NOTE] +==== +The `docker-2048` image in the example is an `x86_64` container image and will not run on other architectures. +==== . Create a Kubernetes namespace called `game-2048` with the `--save-config` flag. + @@ -277,4 +282,4 @@ After you've finished with the cluster that you created for this tutorial, you s eksctl delete cluster -f ./cluster-config.yaml ``` -EKS will automatically clean up any nodes it provisioned when the cluster is deleted. \ No newline at end of file +EKS will automatically clean up any nodes it provisioned when the cluster is deleted. From f7b43e5f734cf1181826574bc946b6a636f0edfd Mon Sep 17 00:00:00 2001 From: Yutong Sun Date: Mon, 24 Mar 2025 22:48:50 +0000 Subject: [PATCH 387/940] node-efa: extend doc for Bottlerocket Signed-off-by: Yutong Sun --- latest/ug/ml/node-efa.adoc | 111 +++++++++++++++++++++++++++++++++++-- 1 file changed, 105 insertions(+), 6 deletions(-) diff --git a/latest/ug/ml/node-efa.adoc b/latest/ug/ml/node-efa.adoc index 28bf1b68c..a81f436ab 100644 --- a/latest/ug/ml/node-efa.adoc +++ b/latest/ug/ml/node-efa.adoc @@ -124,17 +124,116 @@ If you don't have an existing cluster, you can run the following command to crea eksctl create cluster -f efa-cluster.yaml ---- + -NOTE: Because the instance type used in this example has GPUs, `eksctl` automatically installs the NVIDIA Kubernetes device plugin on each instance for you. -. Deploy the EFA Kubernetes device plugin. +[NOTE] +==== +Because the instance type used in this example has GPUs, `eksctl` automatically installs the NVIDIA Kubernetes device plugin on each instance for you when using Amazon Linux 2. This is not necessary for Bottlerocket, as the NVIDIA device plugin is built into Bottlerocket's EKS NVIDIA variant. When `efaEnabled` is set to `true` in the nodegroup configuration, `eksctl` will also automatically deploy the EFA device plugin on the nodes. +==== +[#efa-bottlerocket] +=== Using Bottlerocket with EFA + +Bottlerocket AMI version 1.28.0 and later include official support for EFA. To use Bottlerocket for EFA-enabled nodes, specify `amiFamily: Bottlerocket` in your configuration. If you need to use a custom AMI ID, you must use standard `nodeGroups` instead of `managedNodeGroups`. + +Here's an example configuration: + +[source,yaml,subs="verbatim,attributes"] +---- +apiVersion: eksctl.io/v1alpha5 +kind: ClusterConfig + +metadata: + name: my-efa-bottlerocket-cluster + region: region-code + version: "1.XX" + +iam: + withOIDC: true + +availabilityZones: ["us-west-2a", "us-west-2c"] + +managedNodeGroups: + - name: my-efa-bottlerocket-ng + instanceType: p5.48xlarge + minSize: 1 + desiredCapacity: 2 + maxSize: 3 + availabilityZones: ["us-west-2a"] + volumeSize: 300 + privateNetworking: true + efaEnabled: true + amiFamily: Bottlerocket + bottlerocket: + enableAdminContainer: true + settings: + kernel: + sysctl: + "vm.nr_hugepages": "3000" # Configures 3000 * 2Mi = 6000Mi hugepages +---- + +The `vm.nr_hugepages` sysctl setting above configures the number of 2Mi hugepages. In this example, 3000 means 3000 * 2Mi = 6000Mi of hugepages. + +[#verify-efa-device-plugin] +=== Verify EFA device plugin installation + +When you create a node group with `efaEnabled: true`, `eksctl` automatically deploys the EFA Kubernetes device plugin for you. You can verify that the device plugin is installed and functioning correctly: + +. Check the DaemonSet status: ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl get daemonsets -n kube-system +---- ++ +Sample output: ++ +[source,bash,subs="verbatim,attributes"] +---- +NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE +aws-efa-k8s-device-plugin-daemonset 2 2 2 2 2 6m16s +... +---- ++ +Here, the EFA device plugin DaemonSet is running on two nodes. Both are READY and AVAILABLE. + +. Next, verify the pods created by the DaemonSet: ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl get pods -n kube-system -l name=aws-efa-k8s-device-plugin +---- + -The EFA Kubernetes device plugin detects and advertises EFA interfaces as allocatable resources to Kubernetes. An application can consume the extended resource type `vpc.amazonaws.com/efa` in a Pod request spec just like CPU and memory. For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#consuming-extended-resources[Consuming extended resources] in the Kubernetes documentation. Once requested, the plugin automatically assigns and mounts an EFA interface to the Pod. Using the device plugin simplifies EFA setup and does not require a Pod to run in privileged mode. +Sample output: + [source,bash,subs="verbatim,attributes"] ---- -helm repo add eks https://aws.github.io/eks-charts -helm install aws-efa-k8s-device-plugin --namespace kube-system eks/aws-efa-k8s-device-plugin +NAME READY STATUS RESTARTS AGE +aws-efa-k8s-device-plugin-daemonset-d68bs 1/1 Running 0 6m16s +aws-efa-k8s-device-plugin-daemonset-w4l8t 1/1 Running 0 6m16s ---- ++ +The EFA device plugin pods are in a Running state, confirming that the plugin is successfully deployed and operational. +. Verify resource registration: ++ +You can confirm that the `vpc.amazonaws.com/efa` resource is registered with the kubelet by describing the nodes: ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl describe nodes +---- ++ +If the EFA resource is properly registered, you will see it listed under the node's Capacity and Allocatable resources. For example: ++ +[source,bash,subs="verbatim,attributes"] +---- +Capacity: + ... + vpc.amazonaws.com/efa: 4 +Allocatable: + ... + vpc.amazonaws.com/efa: 4 +---- ++ +This output confirms that the node recognizes the EFA resource, making it available for pods that request it. [#efa-application] == (Optional) Test the performance of the EFA @@ -305,4 +404,4 @@ View the log for the `nccl-tests-launcher` Pod. Replace [.replaceable]`nbql9` wi kubectl logs -f nccl-tests-launcher-nbql9 ---- -If the test completed successfully, you can deploy your applications that use the Nvidia Collective Communication Library. \ No newline at end of file +If the test completed successfully, you can deploy your applications that use the Nvidia Collective Communication Library. From 233f22fbd733a83afbf9826d03b378c6f4137dd5 Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Mon, 31 Mar 2025 16:30:35 -0700 Subject: [PATCH 388/940] Add docs for SessionNameRaw variable in access entries --- latest/ug/manage-access/k8s-access/creating-access-entries.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/manage-access/k8s-access/creating-access-entries.adoc b/latest/ug/manage-access/k8s-access/creating-access-entries.adoc index 65748dcff..db86582b7 100644 --- a/latest/ug/manage-access/k8s-access/creating-access-entries.adoc +++ b/latest/ug/manage-access/k8s-access/creating-access-entries.adoc @@ -27,7 +27,7 @@ Before creating access entries, consider the following: * If the type of the access entry is `STANDARD`, you can specify a _username_ for the access entry. If you don't specify a value for username, Amazon EKS sets one of the following values for you, depending on the type of the access entry and whether the IAM principal that you specified is an IAM role or IAM user. Unless you have a specific reason for specifying your own username, we recommend that don't specify one and let Amazon EKS auto-generate it for you. If you specify your own username: + ** It can't start with `system:`, `eks:`, `aws:`, `amazon:`, or `iam:`. -** If the username is for an IAM role, we recommend that you add `{{SessionName}}` to the end of your username. If you add `{{SessionName}}` to your username, the username must include a colon _before_ {{SessionName}}. When this role is assumed, the name of the session specified when assuming the role is automatically passed to the cluster and will appear in CloudTrail logs. For example, you can't have a username of `john{{SessionName}}`. The username would have to be `:john{{SessionName}}` or `jo:hn{{SessionName}}`. The colon only has to be before `{{SessionName}}`. The username generated by Amazon EKS in the following table includes an ARN. Since an ARN includes colons, it meets this requirement. The colon isn't required if you don't include `{{SessionName}}` in your username. Note that the special character "@" is replaced with "-" in the session name. +** If the username is for an IAM role, we recommend that you add `{{SessionName}}` or `{{SessionNameRaw}}` to the end of your username. If you add either `{{SessionName}}` or `{{SessionNameRaw}}` to your username, the username must include a colon _before_ {{SessionName}}. When this role is assumed, the name of the {aws} STS session name that is specified when assuming the role is automatically passed to the cluster and will appear in CloudTrail logs. For example, you can't have a username of `john{{SessionName}}`. The username would have to be `:john{{SessionName}}` or `jo:hn{{SessionName}}`. The colon only has to be before `{{SessionName}}`. The username generated by Amazon EKS in the following table includes an ARN. Since an ARN includes colons, it meets this requirement. The colon isn't required if you don't include `{{SessionName}}` in your username. Note that in `{{SessionName}}` the special character "@" is replaced with "-" in the session name. `{{SessionNameRaw}}` keeps all special characters in the session name. + [cols="1,1,1", options="header"] |=== From dd4e7a1656e9634890e7328f79bbb7606f9a3f0f Mon Sep 17 00:00:00 2001 From: Alessandro Germer Date: Tue, 1 Apr 2025 16:39:05 -0700 Subject: [PATCH 389/940] Platform version updates for EKS Local on Outposts * Introduces support for Kubernetes 1.31 * Updates platform versions for 1.27~1.30 --- .../eks-outposts-platform-versions.adoc | 51 ++++++++++++++++--- 1 file changed, 45 insertions(+), 6 deletions(-) diff --git a/latest/ug/outposts/eks-outposts-platform-versions.adoc b/latest/ug/outposts/eks-outposts-platform-versions.adoc index 83d140669..3c7f15b28 100644 --- a/latest/ug/outposts/eks-outposts-platform-versions.adoc +++ b/latest/ug/outposts/eks-outposts-platform-versions.adoc @@ -12,7 +12,7 @@ Learn the relationship between Amazon EKS and Kubernetes versions available on { Local cluster platform versions represent the capabilities of the Amazon EKS cluster on {aws} Outposts. The versions include the components that run on the Kubernetes control plane, which Kubernetes API server flags are enabled. They also include the current Kubernetes patch version. Each Kubernetes minor version has one or more associated platform versions. The platform versions for different Kubernetes minor versions are independent. The platform versions for local clusters and Amazon EKS clusters in the cloud are independent. -When a new Kubernetes minor version is available for local clusters, such as `1.30`, the initial platform version for that Kubernetes minor version starts at `eks-local-outposts.1`. However, Amazon EKS releases new platform versions periodically to enable new Kubernetes control plane settings and to provide security fixes. +When a new Kubernetes minor version is available for local clusters, such as `1.31`, the initial platform version for that Kubernetes minor version starts at `eks-local-outposts.1`. However, Amazon EKS releases new platform versions periodically to enable new Kubernetes control plane settings and to provide security fixes. When new local cluster platform versions become available for a minor version: @@ -30,10 +30,29 @@ Local clusters are always created with the latest available platform version (`e The current and recent platform versions are described in the following tables. +[#outposts-platform-versions-1-31] +== Kubernetes version `1.31` + +The following admission controllers are enabled for all `1.31` platform versions: `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `ClusterTrustBundleAttest`, `DefaultIngressClass`, `DefaultStorageClass`, `DefaultTolerationSeconds`, `ExtendedResourceToleration`, `LimitRanger`, `MutatingAdmissionWebhook`, `NamespaceLifecycle`, `NodeRestriction`, `PersistentVolumeClaimResize`, `PodSecurity`, `Priority`, `ResourceQuota`, `RuntimeClass`, `ServiceAccount`, `StorageObjectInUseProtection`, `TaintNodesByCondition`, `ValidatingAdmissionPolicy`, and `ValidatingAdmissionWebhook`. + + +[cols="1,1,1,1", options="header"] +|=== +|Kubernetes version +|Amazon EKS platform version +|Release notes +|Release date + +|`1.31.6` +|`eks-local-outposts.1` +|Initial release of Kubernetes version `v1.31` for local Amazon EKS clusters on Outposts. +|April 9, 2025 +|=== + [#outposts-platform-versions-1-30] == Kubernetes version `1.30` -The following admission controllers are enabled for all `1.30` platform versions: `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `DefaultStorageClass`, `DefaultTolerationSeconds`, `ExtendedResourceToleration`, `LimitRanger`, `MutatingAdmissionWebhook`, `NamespaceLifecycle`, `NodeRestriction`, `PersistentVolumeClaimResize`, `Priority`, `PodSecurity`, `ResourceQuota`, `RuntimeClass`, `ServiceAccount`, `StorageObjectInUseProtection`, `TaintNodesByCondition`, `ValidatingAdmissionPolicy`, and `ValidatingAdmissionWebhook`. +The following admission controllers are enabled for all `1.30` platform versions: `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `ClusterTrustBundleAttest`, `DefaultIngressClass`, `DefaultStorageClass`, `DefaultTolerationSeconds`, `ExtendedResourceToleration`, `LimitRanger`, `MutatingAdmissionWebhook`, `NamespaceLifecycle`, `NodeRestriction`, `PersistentVolumeClaimResize`, `PodSecurity`, `Priority`, `ResourceQuota`, `RuntimeClass`, `ServiceAccount`, `StorageObjectInUseProtection`, `TaintNodesByCondition`, `ValidatingAdmissionPolicy`, and `ValidatingAdmissionWebhook`. [cols="1,1,1,1", options="header"] |=== @@ -42,6 +61,11 @@ The following admission controllers are enabled for all `1.30` platform versions |Release notes |Release date +|`1.30.10` +|`eks-local-outposts.3` +|New platform version with security fixes and enhancements. kube-proxy updated to `v1.30.10`. {aws} IAM Authenticator updated to `v0.6.29`. Amazon VPC CNI plugin for Kubernetes updated to `v1.19.2`. CoreDNS updated to `v1.11.4`. AWS Cloud Controller Manager updated to `v1.30.8`. Bottlerocket version updated to `v1.34.0`. +|March 27, 2025 + |`1.30.7` |`eks-local-outposts.2` |New platform version with security fixes and enhancements. kube-proxy updated to `v1.30.7`. {aws} IAM Authenticator updated to `v0.6.28`. Amazon VPC CNI plugin for Kubernetes updated to `v1.19.0`. Updated Bottlerocket version to `v1.29.0`. @@ -56,7 +80,7 @@ The following admission controllers are enabled for all `1.30` platform versions [#outposts-platform-versions-1-29] == Kubernetes version `1.29` -The following admission controllers are enabled for all `1.29` platform versions: `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `DefaultStorageClass`, `DefaultTolerationSeconds`, `ExtendedResourceToleration`, `LimitRanger`, `MutatingAdmissionWebhook`, `NamespaceLifecycle`, `NodeRestriction`, `PersistentVolumeClaimResize`, `Priority`, `PodSecurity`, `ResourceQuota`, `RuntimeClass`, `ServiceAccount`, `StorageObjectInUseProtection`, `TaintNodesByCondition`, `ValidatingAdmissionPolicy`, and `ValidatingAdmissionWebhook`. +The following admission controllers are enabled for all `1.29` platform versions: `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `ClusterTrustBundleAttest`, `DefaultIngressClass`, `DefaultStorageClass`, `DefaultTolerationSeconds`, `ExtendedResourceToleration`, `LimitRanger`, `MutatingAdmissionWebhook`, `NamespaceLifecycle`, `NodeRestriction`, `PersistentVolumeClaimResize`, `PodSecurity`, `Priority`, `ResourceQuota`, `RuntimeClass`, `ServiceAccount`, `StorageObjectInUseProtection`, `TaintNodesByCondition`, `ValidatingAdmissionPolicy`, and `ValidatingAdmissionWebhook`. [cols="1,1,1,1", options="header"] |=== @@ -65,8 +89,13 @@ The following admission controllers are enabled for all `1.29` platform versions |Release notes |Release date +|`v1.29.14` +|`eks-local-outposts.6` +|New platform version with security fixes and enhancements. kube-proxy updated to `v1.29.14`. Amazon VPC CNI plugin for Kubernetes updated to `v1.19.2`. CoreDNS updated to `v1.11.4`. AWS Cloud Controller Manager updated to `v1.29.8`. Bottlerocket version updated to `v1.34.0`. +|March 27, 2025 + |`v1.29.11` -|`eks-local-outposts.12` +|`eks-local-outposts.5` |New platform version with security fixes and enhancements. kube-proxy updated to `v1.29.11`. Amazon VPC CNI plugin for Kubernetes updated to `v1.19.0`. Updated CoreDNS image to `v1.11.3`. Updated Bottlerocket version to `v1.29.0`. |January 10, 2025 @@ -94,7 +123,7 @@ The following admission controllers are enabled for all `1.29` platform versions [#outposts-platform-versions-1-28] == Kubernetes version `1.28` -The following admission controllers are enabled for all `1.28` platform versions: `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `DefaultStorageClass`, `DefaultTolerationSeconds`, `ExtendedResourceToleration`, `LimitRanger`, `MutatingAdmissionWebhook`, `NamespaceLifecycle`, `NodeRestriction`, `PersistentVolumeClaimResize`, `Priority`, `PodSecurity`, `ResourceQuota`, `RuntimeClass`, `ServiceAccount`, `StorageObjectInUseProtection`, `TaintNodesByCondition`, `ValidatingAdmissionPolicy`, and `ValidatingAdmissionWebhook`. +The following admission controllers are enabled for all `1.28` platform versions: `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `ClusterTrustBundleAttest`, `DefaultIngressClass`, `DefaultStorageClass`, `DefaultTolerationSeconds`, `ExtendedResourceToleration`, `LimitRanger`, `MutatingAdmissionWebhook`, `NamespaceLifecycle`, `NodeRestriction`, `PersistentVolumeClaimResize`, `PodSecurity`, `Priority`, `ResourceQuota`, `RuntimeClass`, `ServiceAccount`, `StorageObjectInUseProtection`, `TaintNodesByCondition`, `ValidatingAdmissionPolicy`, and `ValidatingAdmissionWebhook`. [cols="1,1,1,1", options="header"] |=== @@ -103,6 +132,11 @@ The following admission controllers are enabled for all `1.28` platform versions |Release notes |Release date +|`1.28.15` +|`eks-local-outposts.13` +|New platform version with security fixes and enhancements. kube-proxy `v1.28.15` build updated. Amazon VPC CNI plugin for Kubernetes updated to `v1.19.0`. AWS Cloud Controller Manager updated to `v1.28.11`. +|March 27, 2025 + |`1.28.15` |`eks-local-outposts.12` |New platform version with security fixes and enhancements. kube-proxy updated to `v1.28.15`. Amazon VPC CNI plugin for Kubernetes updated to `v1.19.0`. Updated Bottlerocket version to `v1.29.0`. @@ -162,7 +196,7 @@ The following admission controllers are enabled for all `1.28` platform versions [#outposts-platform-versions-1-27] == Kubernetes version `1.27` -The following admission controllers are enabled for all `1.27` platform versions: `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `DefaultStorageClass`, `DefaultTolerationSeconds`, `ExtendedResourceToleration`, `LimitRanger`, `MutatingAdmissionWebhook`, `NamespaceLifecycle`, `NodeRestriction`, `PersistentVolumeClaimResize`, `Priority`, `PodSecurity`, `ResourceQuota`, `RuntimeClass`, `ServiceAccount`, `StorageObjectInUseProtection`, `TaintNodesByCondition`, `ValidatingAdmissionPolicy`, and `ValidatingAdmissionWebhook`. +The following admission controllers are enabled for all `1.27` platform versions: `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `ClusterTrustBundleAttest`, `DefaultIngressClass`, `DefaultStorageClass`, `DefaultTolerationSeconds`, `ExtendedResourceToleration`, `LimitRanger`, `MutatingAdmissionWebhook`, `NamespaceLifecycle`, `NodeRestriction`, `PersistentVolumeClaimResize`, `PodSecurity`, `Priority`, `ResourceQuota`, `RuntimeClass`, `ServiceAccount`, `StorageObjectInUseProtection`, `TaintNodesByCondition`, `ValidatingAdmissionPolicy`, and `ValidatingAdmissionWebhook`. [cols="1,1,1,1", options="header"] |=== @@ -171,6 +205,11 @@ The following admission controllers are enabled for all `1.27` platform versions |Release notes |Release date +|`1.27.16` +|`eks-local-outposts.13` +|New platform version with security fixes and enhancements. Amazon VPC CNI plugin for Kubernetes updated to `v1.19.2`. Bottlerocket version updated to `v1.34.0`. +|March 27, 2025 + |`1.27.16` |`eks-local-outposts.12` |New platform version with security fixes and enhancements. Amazon VPC CNI plugin for Kubernetes updated to `v1.19.0`. Updated Bottlerocket version to `v1.29.0`. From fd22c11bd02c1628aeb894f0738a1000e8ee3d2b Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Thu, 10 Apr 2025 10:13:00 -0700 Subject: [PATCH 390/940] Add doc history for 1.31 on Outposts --- latest/ug/doc-history.adoc | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index fb43b58f7..a50a75b5e 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -15,6 +15,12 @@ The following table describes the major updates and new features for the Amazon == Updates +=== Kubernetes version 1.31 is now available for local clusters on {aws} Outposts +[.update-ulink] +link:eks/latest/userguide/eks-outposts-platform-versions.html[type="documentation"] + +You can now create an Amazon EKS local cluster on an {aws} Outposts using Kubernetes version 1.31. + [.update,date="2025-03-31"] === Node health for EKS Hybrid Nodes [.update-ulink] From 975e91f68251bf5a1b3329b198d6edec6a5a2162 Mon Sep 17 00:00:00 2001 From: Chris Negus Date: Fri, 11 Apr 2025 01:50:39 +0000 Subject: [PATCH 391/940] Cleaned up auto-cis.adoc per https://t.corp.amazon.com/V1736250927 --- latest/ug/automode/auto-cis.adoc | 71 ++++++++++++++++++++++++-------- 1 file changed, 54 insertions(+), 17 deletions(-) diff --git a/latest/ug/automode/auto-cis.adoc b/latest/ug/automode/auto-cis.adoc index 9d945069b..087233dc7 100644 --- a/latest/ug/automode/auto-cis.adoc +++ b/latest/ug/automode/auto-cis.adoc @@ -6,55 +6,92 @@ include::../attributes.txt[] :info_titleabbrev: Generate CIS report This topic describes how to generate CIS (Center for Internet Security) compliance reports for Amazon EKS nodes using the `kubectl debug` command. - The command allows you to temporarily create a debugging container on a Kubernetes node and run CIS compliance checks using the `apiclient` tool. The `apiclient` tool is part of Bottlerocket OS, the OS used by EKS Auto Mode nodes. == Prerequisites Before you begin, ensure you have: -* Access to an Amazon EKS cluster with kubectl configured +* Access to an Amazon EKS cluster with `kubectl` configured * The appropriate IAM permissions to debug nodes * A valid profile that allows debug operations (e.g., `sysadmin`) -** For more information about using debugging profiles with `kubectl, see https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/#debugging-profiles[Debugging a Pod or Node while applying a profile] in the Kubernetes documentation. + +For more information about using debugging profiles with `kubectl`, see https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/#debugging-profiles[Debugging a Pod or Node while applying a profile] in the Kubernetes documentation. == Procedure -. Determine the {aws} Instance ID of the node you want to run the report on -** Use the following command to list the nodes in the cluster. The instance ID is found in the name column, and begins with `i-`. +. Determine the {aws} Instance ID of the node you want to run the report on. Use the following command to list the nodes in the cluster. The instance ID is found in the name column, and begins with `i-`: + [source,bash] ---- kubectl get nodes ---- -. Run the following command, with the identified instance ID. ++ +[source] +---- +NAME STATUS ROLES AGE VERSION +i-0ea0ba0f8ef9ad609 Ready 62s v1.30.10-eks-1a9dacd +---- +. Run the following command, replacing `` with the instance ID of the node you want to query: + [source,bash] ---- kubectl debug node/ -it --profile=sysadmin --image=public.ecr.aws/amazonlinux/amazonlinux:2023 -- bash -c "yum install -q -y util-linux-core; nsenter -t 1 -m apiclient report cis --level 1 --format text" ---- -. Review the report text output - -== Command components - ++ +Components of this command include: ++ * `kubectl debug node/` -- Creates a debugging session on the specified EC2 instance ID. -* `-it` -- Allocates a TTY and keeps stdin open for interactive usage. -* `--profile=sysadmin` -- Uses the specified kubectl profile with appropriate permissions. -* `--image=public.ecr.aws/amazonlinux/amazonlinux:2023` -- Uses Amazon Linux 2023 as the container image for debugging. -* `bash -c "..."` -- Executes the following commands in a bash shell. +* `-it` -- Allocates a TTY (command line shell) and keeps stdin open for interactive usage. +* `--profile=sysadmin` -- Uses the specified `kubectl` profile with appropriate permissions. +* `--image=public.ecr.aws/amazonlinux/amazonlinux:2023` -- Uses `amazonlinux:2023` as the container image for debugging. +* `bash -c "..."` -- Executes the following commands in a bash shell: ** `yum install -q -y util-linux-core` -- Quietly installs the required utilities package. -** `nsenter -t 1 -m` -- Enters the namespace of the host process (PID 1). +** `nsenter -t 1 -m` -- Runs `nsenter` to enter the namespace of the host process (PID 1). ** `apiclient report cis --level 1 --format text` -- Runs the CIS compliance report at level 1 with text output. -== Understanding the output +. Review the report text output. + +== Interpreting the output The command generates a text-based report showing the compliance status of various CIS controls. The output includes: * Individual CIS control IDs * Description of each control -* Pass/Fail status for each check +* Pass, Fail, or Skip status for each check * Details that explain any compliance issues +Here is an example of output from the report run on a Bottlerocket instance: + +[source] +---- +Benchmark name: CIS Bottlerocket Benchmark +Version: v1.0.0 +Reference: https://www.cisecurity.org/benchmark/bottlerocket +Benchmark level: 1 +Start time: 2025-04-11T01:40:39.055623436Z + +[SKIP] 1.2.1 Ensure software update repositories are configured (Manual) +[PASS] 1.3.1 Ensure dm-verity is configured (Automatic)[PASS] 1.4.1 Ensure setuid programs do not create core dumps (Automatic) +[PASS] 1.4.2 Ensure address space layout randomization (ASLR) is enabled (Automatic) +[PASS] 1.4.3 Ensure unprivileged eBPF is disabled (Automatic) +[PASS] 1.5.1 Ensure SELinux is configured (Automatic) +[SKIP] 1.6 Ensure updates, patches, and additional security software are installed (Manual) +[PASS] 2.1.1.1 Ensure chrony is configured (Automatic) +[PASS] 3.2.5 Ensure broadcast ICMP requests are ignored (Automatic) +[PASS] 3.2.6 Ensure bogus ICMP responses are ignored (Automatic) +[PASS] 3.2.7 Ensure TCP SYN Cookies is enabled (Automatic) +[SKIP] 3.4.1.3 Ensure IPv4 outbound and established connections are configured (Manual) +[SKIP] 3.4.2.3 Ensure IPv6 outbound and established connections are configured (Manual) +[PASS] 4.1.1.1 Ensure journald is configured to write logs to persistent disk (Automatic) +[PASS] 4.1.2 Ensure permissions on journal files are configured (Automatic) + +Passed: 11 +Failed: 0 +Skipped: 4 +Total checks: 15 +---- + For information about the benchmark, see https://www.cisecurity.org/benchmark/kubernetes/[Kubernetes Benchmark] from the Center for Internet Security (CIS). == Related resources From 2dc04539b8087f77301ce4ce2d3b4c62973949a3 Mon Sep 17 00:00:00 2001 From: Markus Ziller Date: Fri, 11 Apr 2025 09:47:01 +0200 Subject: [PATCH 392/940] fix: explicitily mention Gravtion in ARM docs --- latest/ug/nodes/retrieve-ami-id.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/nodes/retrieve-ami-id.adoc b/latest/ug/nodes/retrieve-ami-id.adoc index f2ac6fab8..be68db725 100644 --- a/latest/ug/nodes/retrieve-ami-id.adoc +++ b/latest/ug/nodes/retrieve-ami-id.adoc @@ -18,7 +18,7 @@ You can retrieve the image ID of the latest recommended Amazon EKS optimized Ama * Replace [.replaceable]`ami-type` with one of the following options. For information about the types of Amazon EC2 instances, see link:AWSEC2/latest/UserGuide/instance-types.html[Amazon EC2 instance types,type="documentation"]. + ** Use [.replaceable]`amazon-linux-2023/x86_64/standard` for Amazon Linux 2023 (AL2023) `x86` based instances. -** Use [.replaceable]`amazon-linux-2023/arm64/standard` for AL2023 ARM instances. +** Use [.replaceable]`amazon-linux-2023/arm64/standard` for AL2023 ARM instances, such as link:ec2/graviton/[{aws} Graviton,type="marketing"] based instances. ** Use [.replaceable]`amazon-linux-2023/x86_64/nvidia` for the latest approved AL2023 NVIDIA `x86` based instances. ** Use [.replaceable]`amazon-linux-2023/arm64/nvidia` for the latest approved AL2023 NVIDIA `arm64` based instances. ** Use [.replaceable]`amazon-linux-2023/x86_64/neuron` for the latest AL2023 link:machine-learning/neuron/[{aws} Neuron,type="marketing"] instances. @@ -46,4 +46,4 @@ An example output is as follows. [source,bash,subs="verbatim,attributes,quotes"] ---- ami-[.replaceable]`1234567890abcdef0` ----- \ No newline at end of file +---- From 5b66da025c05d6459db9ec1d5f4d51d929407b58 Mon Sep 17 00:00:00 2001 From: Chris Negus Date: Fri, 11 Apr 2025 13:35:49 +0000 Subject: [PATCH 393/940] Create the EKS AL2 AMIs End-of-support FAQ page --- latest/ug/nodes/eks-ami-deprecation-faqs.adoc | 253 ++++++++++++++++++ latest/ug/nodes/eks-optimized-amis.adoc | 4 +- 2 files changed, 256 insertions(+), 1 deletion(-) create mode 100644 latest/ug/nodes/eks-ami-deprecation-faqs.adoc diff --git a/latest/ug/nodes/eks-ami-deprecation-faqs.adoc b/latest/ug/nodes/eks-ami-deprecation-faqs.adoc new file mode 100644 index 000000000..bf5f8779d --- /dev/null +++ b/latest/ug/nodes/eks-ami-deprecation-faqs.adoc @@ -0,0 +1,253 @@ +include::../attributes.txt[] + +[.topic] +[#eks-ami-deprecation-faqs] += EKS AL2 AMIs End-of-support FAQ +:info_titleabbrev: AL2 AMI deprecation + +[abstract] +-- +This document outlines the End of Support (EOS) information for Amazon EKS AL2-optimized and AL2-accelerated AMIs. +-- + +== General information and timeline + +=== What is the end-of-support (EOS) date for EKS AL2-optimized and AL2-accelerated AMIs? + +EKS AL2-optimized and AL2-accelerated AMIs EOS date is November 26, 2025. +While you can continue using EKS AL2 AMIs after the EOS date, EKS will no longer release any new Kubernetes versions or updates to AL2 AMIs, including minor releases, patches, and bug fixes after this date. +We recommend upgrading to Amazon Linux 2023 (AL2023) or Bottlerocket AMIs: + +* AL2023 enables a secure-by-default approach with preconfigured security policies, SELinux in permissive mode, IMDSv2-only mode enabled by default, optimized boot times, and improved package management for enhanced security and performance, well-suited for infrastructure requiring significant customizations like direct OS-level access or extensive node changes. +* Bottlerocket enables enhanced security, faster boot times, and a smaller attack surface for improved efficiency with its purpose-built, container-optimized design, well-suited for container-native approaches with minimal node customizations. + +Additionally, you can <> until the EOS date (November 26, 2025), or build a custom AMI with an Amazon Linux 2 base instance until the Amazon Linux 2 EOS date (June 30, 2026). For more information, please visit https://aws.amazon.com/linux/amazon-linux-2023/faqs/[AL2023 FAQs], https://aws.amazon.com/bottlerocket/faqs/[Bottlerocket FAQs] or refer to <> or <> documentation for detailed migration guidance. + +=== Why is {aws} proposing to end support for EKS AL2-optimized and AL2-accelerated AMIs before AL2’s EOL date? + +{aws} is ending support for EKS AL2-optimized and AL2-accelerated AMIs on November 26, 2025 due to a combination of critical technical and ecosystem-driven factors that directly affect performance, compatibility, and user experience. There has been diminishing support of AL2 by key technology providers from Nvidia, Neuron, Linux, to the Kubernetes community: + +* Nvidia https://docs.nvidia.com/cuda/archive/12.4.1/cuda-toolkit-release-notes/index.html#deprecated-operating-systems[deprecated] support for CentOS 7-compatible distributions including AL2 and completely https://docs.nvidia.com/cuda/archive/12.5.0/cuda-toolkit-release-notes/index.html#deprecated-operating-systems[removed] support in CUDA https://docs.nvidia.com/cuda/archive/12.4.1/[12.4] and CUDA https://docs.nvidia.com/cuda/archive/12.5.0/[12.5]. The https://docs.nvidia.com/datacenter/tesla/index.html#r550-driver-release-notes[R550] driver branch will reach end-of-life in April 2025, long before AL2’s end-of-support date. AL2 is based on Linux kernel version https://docs.aws.amazon.com/linux/al2/ug/kernel.html[5.10], released in December 2020. Although Nvidia is continuing to ship critical CVE security patches (as of today), it is not actively releasing general patches and bug fixes for the https://developer.download.nvidia.com/compute/cuda/repos/rhel7/x86_64/[RHEL 7] packages that EKS uses to release AL2-accelerated AMIs. + +* https://awsdocs-neuron.readthedocs-hosted.com/en/latest/release-notes/prev/rn.html#id123[{aws} Neuron] stopped supporting the Neuron Runtime package for AL2 in July 2024. + +* Newer Linux kernel updates (versions 4.14.326, 5.4.257, 5.10.195, 5.15.131, and 6.1.52) applied to AL2 introduce compatibility issues with P4 and P5 instance types that rely on Elastic Fabric Adapter (EFA) and closed-source NVIDIA drivers for GPU Direct RDMA support. + +* The https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/4569-cgroup-v1-maintenance-mode/README.md[Kubernetes community] moved `cgroupv1` support (used by AL2) into maintenance mode, meaning no new features will be added and only critical security and major bug fixes will be provided. + +== Compatibility and versions + +=== Which Kubernetes versions support AL2 AMIs? + +Kubernetes version 1.32 is the last version for which Amazon EKS will release AL2 (Amazon Linux 2) AMIs. For https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html[supported] Kubernetes versions up to 1.32, EKS will continue to release AL2 AMIs (AL2_ARM_64, AL2_x86_64) and AL2-accelerated AMIs (AL2_x86_64_GPU) until November 26, 2025. +After this date, EKS will stop releasing AL2-optimized and AL2-accelerated AMIs for all Kubernetes versions, even for EKS extended support customers. Note that the EOS date for EKS AL2-optimized and AL2-accelerated AMIs is independent of the standard and extended support timelines for Kubernetes versions by EKS. + +=== What NVIDIA driver versions are supported on Amazon Linux 2 (AL2), Amazon Linux 2023 (AL2023) and Bottlerocket AMIs? + +[cols="1,1,1,1,1", options="header"] + +|=== + +|Driver Branch +|Amazon Linux 2 AMI +|Amazon Linux 2023 AMI +|Bottlerocket AMI +|End-of-Life Date | + +|R535 +|Not Supported +|Not Supported +|Supported +|https://docs.nvidia.com/ai-enterprise/index.html#release-documentation[September 2027] + +|R550 +|Supported +|Supported +|Not Supported +|https://docs.nvidia.com/ai-enterprise/index.html#release-documentation[April 2025] + +|R560 +|Not Supported +|Supported +|Not Supported +|https://docs.nvidia.com/ai-enterprise/index.html#release-documentation[March 2025] + +|R570 +|Not Supported +|Supported +|Coming soon +|https://docs.nvidia.com/ai-enterprise/index.html#release-documentation[February 2026] +|=== + +To learn more, see https://docs.nvidia.com/ai-enterprise/index.html#release-documentation[Nvidia Release Documentation]. + +=== Which NVIDIA CUDA versions are supported on Amazon Linux 2 (AL2), Amazon Linux 2023 (AL2023) and Bottlerocket AMIs? + +[cols="1,1,1,1,1,1", options="header"] +|=== +|CUDA Version +|NVIDIA Driver +|AL2 Support +|AL2023 Support +|Bottlerocket Support + +|https://developer.nvidia.com/cuda-toolkit-archive[10.1] +|R418 +|Supported +|Not supported +|Not Supported + +|https://developer.nvidia.com/cuda-toolkit-archive[11.8] +|R550/R535 +|Supported +|Supported +|Supported + +|https://developer.nvidia.com/cuda-toolkit-archive[12.0] +|R560 +|Not supported +|Supported +|Not Supported + +|https://developer.nvidia.com/cuda-toolkit-archive[12.5] +|R570 +|Not supported +|Supported +|Not Supported +|=== + +To learn more, see https://developer.nvidia.com/cuda-toolkit-archive[CUDA Release Documentation]. + +=== How do the AMIs for Amazon Linux 2 (AL2), Amazon Linux 2023 (AL2023) and Bottlerocket compare in terms of supported drivers and kernel versions? + +[cols="1,1,1,1,1", options="header"] +|=== +|Component +|AL2 AMI Source +|AL2023 AMI Source +|Bottlerocket AMI Source + +|Base OS Compatibility +|RHEL7/CentOS 7 +|Fedora/CentOS 9 +|N/A + +|CUDA Toolkit +|https://developer.nvidia.com/cuda-toolkit-archive[CUDA 11.x–12.x] +|https://developer.nvidia.com/cuda-toolkit-archive[CUDA 12.5+] +|CUDA 11.x (12.5 coming soon) + +|NVIDIA GPU Driver +|https://docs.nvidia.com/ai-enterprise/index.html#release-documentation[R550] +|https://docs.nvidia.com/ai-enterprise/index.html#release-documentation[R565] (R570 coming soon) +|https://docs.nvidia.com/ai-enterprise/index.html#release-documentation[R535] (R570 Coming soon) + +|{aws} Neuron Driver +|https://awsdocs-neuron.readthedocs-hosted.com/en/latest/general/announcements/neuron2.x/announce-no-support-al2.html[2.19] +|https://awsdocs-neuron.readthedocs-hosted.com/en/latest/general/announcements/neuron2.x/announce-no-support-al2.html[2.19+] +|2.20 + +|Linux Kernel +|https://docs.aws.amazon.com/linux/al2/ug/aml2-kernel.html[5.10] +|https://docs.aws.amazon.com/linux/al2023/ug/compare-with-al2-kernel.html[6.1, 6.12] +|5.15, 6.1 (6.12 coming soon) +|=== + +=== Is AL2 fully supported by Nvidia? + +No. AL2 AMIs are based on https://docs.aws.amazon.com/linux/al2/ug/kernel.html[Linux kernel 5.10], while AL2023 uses https://docs.aws.amazon.com/linux/al2023/ug/compare-with-al2-kernel.html[Linux kernel 6.10]. +Unlike AL2023, Nvidia never explicitly supported AL2, thus EKS leverages CentOS-7 https://developer.download.nvidia.com/compute/cuda/repos/rhel7/x86_64/[RHEL7 packages] to build the AL2-accelerated AMIs (AL2_x86_64_GPU AMI). +Although Nvidia is continuing to ship critical CVE security patches (as of today), it is not actively releasing general patches and bug fixes for the https://developer.download.nvidia.com/compute/cuda/repos/rhel7/x86_64/[RHEL 7] packages that EKS uses to release AL2-accelerated AMIs. +Additionally, the latest Nvidia driver version supported for AL2 (RHEL 7) is https://docs.nvidia.com/ai-enterprise/index.html#release-documentation[R550], while for AL2023 its https://docs.nvidia.com/ai-enterprise/index.html#release-documentation[R565, R570]. +Furthermore, Nvidia has stopped releasing updates for its CUDA toolkit as of March 28, 2024, with `cuda-12.4.1-1.x86_64.rpm` being the last released version. + +=== Is AL2 fully supported by {aws} Neuron? + +No. Starting from https://awsdocs-neuron.readthedocs-hosted.com/en/latest/release-notes/prev/rn.html#neuron-2-20-0-whatsnew[{aws} Neuron release 2.20], the Neuron Runtime (`aws-neuronx-runtime-lib`) used by EKS AL-based AMIs no longer supports Amazon Linux 2 (AL2). +The Neuron Driver (`aws-neuronx-dkms`) is now the only {aws} Neuron package that supports Amazon Linux 2. +This means you cannot run your Neuron-powered applications natively on an AL2-based AMI. +To setup Neuron on AL2023 AMIs, see the https://awsdocs-neuron.readthedocs-hosted.com/en/latest/general/setup/index.html#setup-guide-index[{aws} Neuron Setup] guide. + +=== Is AL2 fully compatible with the latest Kubernetes versions? + +No. The Kubernetes community has moved `cgroupv1` support (used by AL2) to maintenance mode. +This means no new features will be added, and only critical security and major bug fixes will be provided. +Any Kubernetes features relying on cgroupv2, such as MemoryQoS and enhanced resource isolation, are unavailable on AL2. +Furthermore, Amazon EKS Kubernetes version 1.32 was the last version to support AL2 AMIs. +To maintain compatibility with the latest Kubernetes versions, we recommend migrating to AL2023 or Bottlerocket, which enable `cgroupv2` by default. + +=== Is AL2 fully compatible with the latest Linux versions? + +No. Amazon Linux 2 (AL2) is supported by {aws} until its end-of-support (EOS) date on June 30, 2026. +However, as AL2 has aged, support from the broader Linux community for new applications and functionality has become more limited. +AL2 AMIs are based on https://docs.aws.amazon.com/linux/al2/ug/kernel.html[Linux kernel 5.10], while AL2023 uses https://docs.aws.amazon.com/linux/al2023/ug/compare-with-al2-kernel.html[Linux kernel 6.10]. +Unlike AL2023, AL2 has limited support from the broader Linux community. +This means many upstream Linux packages and tools need to be backported to work with AL2's older kernel version, some modern Linux features and security improvements aren't available due to the older kernel, many open source projects have deprecated or limited support for older kernel versions like 5.10. + +=== What packages are not included in AL2023 AMIs? + +A few of the most common packages that are not included or which changed in AL2023, include: + +* Some https://docs.aws.amazon.com/linux/al2023/release-notes/removed-AL2023.6-AL2.html[source binary packages in Amazon Linux 2] are no longer available in Amazon Linux 2023 +* Changes in how Amazon Linux supports different versions of packages (e.g., https://repost.aws/questions/QUWGU3VFJMRSGf6MDPWn4tLg/how-to-resolve-amazon-linux-extras-in-al2023[amazon-linux-extras system]) in AL2023 +* https://docs.aws.amazon.com/linux/al2023/ug/epel.html[Extra Packages for Enterprise Linux (EPEL)] are not supported in AL2023 +* https://docs.aws.amazon.com/linux/al2023/ug/deprecated-al2.html#deprecated-32bit-rpms[32-bit applications] are not supported in AL2023 +* AL2023 does not make https://cloudkatha.com/can-we-install-a-gui-in-amazon-linux-2023/[mate-desktop] packages + +To learn more, see https://docs.aws.amazon.com/linux/al2023/ug/compare-with-al2.html[Comparing AL2 and AL2023]. + +=== Where can I find a complete list of Amazon EKS AMI drivers and their versions? + +For a complete list of all EKS AMI components and their versions, see https://github.com/awslabs/amazon-eks-ami/releases[Amazon EKS AMI Release Notes] on GitHub. + +== Migration and support + +=== Will EKS terminate AL2 AMIs? + +No. EKS will neither update nor terminate customer instances and will not remove existing AMIs from distribution. + +=== Will EKS allow EOS extensions? + +No, but you do have the option of continuing to use EKS AL2 AMIs, build custom EKS AL2 AMIs until the EOS date (November 26, 2025), or build a custom AMI with an Amazon Linux 2 base instance until the Amazon Linux 2 EOS date (June 30, 2026). +To build a custom EKS AL2-optimized or AL2-accelerated AMI, see https://docs.aws.amazon.com/eks/latest/userguide/eks-ami-build-scripts.html[Build a custom Amazon Linux AMI] in EKS official documentation. + +=== Will the Kubernetes standard or extended version support apply to AL2? + +No. The EOS date for EKS AL2-optimized and AL2-accelerated AMIs is independent of the standard and extended support timelines for Kubernetes versions by EKS. + +=== How does the shift from cgroupv1 to cgroupv2 affect my migration? + +The https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/4569-cgroup-v1-maintenance-mode/README.md[Kubernetes community] moved `cgroupv1` support (used by AL2) into maintenance mode, meaning no new features will be added and only critical security and major bug fixes will be provided. +To adopt `cgroupv2` in Kubernetes, you need to ensure compatibility across the OS, kernel, container runtime, and Kubernetes components. +This requires a Linux distribution that enables `cgroupv2` by default, such as AL2023, Bottlerocket, Red Hat Enterprise Linux (RHEL) 9+, Ubuntu 22.04+, or Debian 11+. +These distributions ship with kernel versions ≥5.8, which is the minimum requirement for `cgroupv2` support in Kubernetes. +To learn more, see https://kubernetes.io/docs/concepts/architecture/cgroups/[About cgroup v2]. + +=== What will I be responsible for if I continue using AL2 AMIs? + +Continuing to run outdated EKS optimized AL2 AMIs in your cluster after the EOS date (November 26, 2025) may result in compatibility issues and application impact. +Deprecated support for AL2 from key technology providers may lead to incompatibilities, making it difficult to integrate with the latest tools and frameworks. For example: + +* **AI/ML Compatibility:** Compatibility issues may arise for AI/ML workloads on accelerated instances. +For instance, Nvidia has phased out AL2 support in CUDA 12.5, with critical driver branches like R550 ending support in April 2025, respectively. +Additionally, {aws} Neuron discontinued updates for AL2 in July 2024, which may further limit support for machine learning workloads.  +* **Linux Kernel Compatibility:** Newer Linux kernel updates (versions 4.14.326, 5.4.257, 5.10.195, 5.15.131, and 6.1.52) applied to AL2 introduce compatibility issues with P4 and P5 instance types that rely on Elastic Fabric Adapter (EFA) and closed-source NVIDIA drivers for GPU Direct RDMA support. +This issue is specific to AL2 because its older Linux base, which is tied to RHEL7/CentOS 7, conflicting with these kernel updates when paired with NVIDIA’s R550 driver, whereas AL2023’s kernel (6.1.x) and newer drivers (R565/R570) avoid this issue entirely. +* **Kubernetes Compatibility:** The Kubernetes community has moved `cgroupv1` support, which AL2 relies on, to maintenance mode. +This means no new features will be added, and only critical security fixes and major bug patches will be provided.  +* **Security Patches:** Without official updates to AL2 AMIs, your team will be responsible for manually applying any security patches that would otherwise be handled automatically. + +=== What do I do if I need Neuron in my custom AL2 AMI? + +You cannot run your full Neuron-powered applications natively on an AL2-based AMIs. +To leverage {aws} Neuron on an AL2 AMI, you must containerize you applications using a Neuron-supported container with a non-AL2 Linux distribution (e.g., Ubuntu 22.04, Amazon Linux 2023, etc.) and then deploy those containers on an AL2-based AMI that has the Neuron Driver (`aws-neuronx-dkms`) installed. + +=== How do I migrate from my AL2 to an AL2023 AMI? + +We recommend creating and implementing a migration plan that includes thorough application workload testing and documented rollback procedures, then following the step-by-step instructions in the https://docs.aws.amazon.com/eks/latest/userguide/al2023.html[Upgrade from Amazon Linux 2 to Amazon Linux 2023] in EKS official documentation. + +=== How do I build a custom AL2 or AL2023 AMI? + +You can build custom EKS AL2-optimized and AL2-accelerated AMIs until the EOS date (November 26, 2025). +Alternatively, you can build a custom AMI with an Amazon Linux 2 base instance until the Amazon Linux 2 EOS date (June 30, 2026). +For step-by-step instructions to build a custom EKS AL2-optimized and AL2-accelerated AMI, see https://docs.aws.amazon.com/eks/latest/userguide/eks-ami-build-scripts.html[Build a custom Amazon Linux AMI] in EKS official documentation. diff --git a/latest/ug/nodes/eks-optimized-amis.adoc b/latest/ug/nodes/eks-optimized-amis.adoc index 98f52abb3..3cb677a1e 100644 --- a/latest/ug/nodes/eks-optimized-amis.adoc +++ b/latest/ug/nodes/eks-optimized-amis.adoc @@ -20,10 +20,12 @@ With Amazon EKS Auto Mode, EKS manages the EC2 instance including selecting and [.topic] include::dockershim-deprecation.adoc[leveloffset=+1] +include::eks-ami-deprecation-faqs.adoc[leveloffset=+1] + include::eks-optimized-ami.adoc[leveloffset=+1] include::eks-optimized-ami-bottlerocket.adoc[leveloffset=+1] include::eks-partner-amis.adoc[leveloffset=+1] -include::eks-optimized-windows-ami.adoc[leveloffset=+1] \ No newline at end of file +include::eks-optimized-windows-ami.adoc[leveloffset=+1] From 02a2ff533a09807252a27ace216930e13c1cb61c Mon Sep 17 00:00:00 2001 From: Eric Chapman Date: Thu, 10 Apr 2025 11:07:38 -0500 Subject: [PATCH 394/940] Update hybrid-nodes-troubleshooting.adoc Fix typo --- latest/ug/nodes/hybrid-nodes-troubleshooting.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc index 4479e7181..2b7447b81 100644 --- a/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc +++ b/latest/ug/nodes/hybrid-nodes-troubleshooting.adoc @@ -275,7 +275,7 @@ msg="Unable to contact k8s api-server" level=fatal msg="failed to start: Get \"https://:443/api/v1/namespaces/kube-system\": dial tcp :443: i/o timeout" ---- -The Cilium agent runs on the host network. Your EKS cluster must be configured with `RemoteNodeNetwork` for the Cilium connectivity. Confirm you have an additional security group for your EKS cluster with an inbound rule for your `RemoteNodeNetwork`, that you have routes in your VPC for your `RemodeNodeNetwork`, and that your on-premises network is configured correctly to allow connectivity to the EKS control plane. +The Cilium agent runs on the host network. Your EKS cluster must be configured with `RemoteNodeNetwork` for the Cilium connectivity. Confirm you have an additional security group for your EKS cluster with an inbound rule for your `RemoteNodeNetwork`, that you have routes in your VPC for your `RemoteNodeNetwork`, and that your on-premises network is configured correctly to allow connectivity to the EKS control plane. If the Cilium operator is running and some of your Cilium agents are running but not all, confirm that you have available pod IPs to allocate for all nodes in your cluster. You configure the size of your allocatable Pod CIDRs when using cluster pool IPAM with `clusterPoolIPv4PodCIDRList` in your Cilium configuration. The per-node CIDR size is configured with the `clusterPoolIPv4MaskSize` setting in your Cilium configuration. See https://docs.cilium.io/en/stable/network/concepts/ipam/cluster-pool/#expanding-the-cluster-pool[Expanding the cluster pool] in the Cilium documentation for more information. @@ -665,4 +665,4 @@ Run the following commands to install the dependency: ldd --version sudo apt update && apt install libc6 sudo apt install glibc-source ----- \ No newline at end of file +---- From a9cdbb8c1705b032157adf2a1418c2ae3796ddf0 Mon Sep 17 00:00:00 2001 From: Theofilos Papapanagiotou Date: Fri, 11 Apr 2025 22:48:07 +0200 Subject: [PATCH 395/940] Update alb-ingress.adoc visual consistency on service type --- latest/ug/workloads/alb-ingress.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/latest/ug/workloads/alb-ingress.adoc b/latest/ug/workloads/alb-ingress.adoc index 4efb5c99a..c88264433 100644 --- a/latest/ug/workloads/alb-ingress.adoc +++ b/latest/ug/workloads/alb-ingress.adoc @@ -84,7 +84,7 @@ alb.ingress.kubernetes.io/ip-address-type: dualstack ** *Instance* – Registers nodes within your cluster as targets for the ALB. Traffic reaching the ALB is routed to `NodePort` for your service and then proxied to your Pods. This is the default traffic mode. You can also explicitly specify it with the `alb.ingress.kubernetes.io/target-type: instance` annotation. + -NOTE: Your Kubernetes service must specify the `NodePort` or "LoadBalancer" type to use this traffic mode. +NOTE: Your Kubernetes service must specify the `NodePort` or `LoadBalancer` type to use this traffic mode. ** *IP* – Registers Pods as targets for the ALB. Traffic reaching the ALB is directly routed to Pods for your service. You must specify the `alb.ingress.kubernetes.io/target-type: ip` annotation to use this traffic mode. The IP target type is required when target Pods are running on Fargate or Amazon EKS Hybrid Nodes. * To tag ALBs created by the controller, add the following annotation to the controller: `alb.ingress.kubernetes.io/tags`. For a list of all available annotations supported by the {aws} Load Balancer Controller, see https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/ingress/annotations/[Ingress annotations] on GitHub. @@ -244,4 +244,4 @@ kubectl delete -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-bal [source,bash,subs="verbatim,attributes"] ---- kubectl delete -f 2048_full.yaml ----- \ No newline at end of file +---- From 76b2e143a30d221543f38c97e2d9d6d5371a5f6c Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Fri, 11 Apr 2025 16:57:34 -0500 Subject: [PATCH 396/940] add network resource notes (#983) --- latest/ug/automode/auto-networking.adoc | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/latest/ug/automode/auto-networking.adoc b/latest/ug/automode/auto-networking.adoc index b8c9a6631..e05998188 100644 --- a/latest/ug/automode/auto-networking.adoc +++ b/latest/ug/automode/auto-networking.adoc @@ -49,6 +49,25 @@ EKS Auto Mode does *not* support: * Network Policy configurations such as conntrack timer customization (default is 300s). * Exporting network event logs to CloudWatch. +=== Network Resource Management + +EKS Auto Mode handles prefix, IP addressing, and network interface management by monitoring NodeClass resources for networking configurations. The service performs several key operations automatically: + +*Prefix Delegation* + +EKS Auto Mode provisions `/28` IPv4 prefixes to the primary network interface for nodes and maintains a predefined warm pool of resources that scales based on the number of scheduled pods. When necessary, it provisions secondary network interfaces with identical security groups as the primary interface in the node's subnet. If prefixes are no longer available in the subnet, the service falls back to secondary IPv4 addresses. + +*Cooldown Management* + +The service implements a cooldown pool for prefixes or secondary IPv4 addresses that are no longer in use. After the cooldown period expires, these resources are released back to the VPC. However, if pods reuse these resources during the cooldown period, they are restored from the cooldown pool. + +*IPv6 Support* + +For IPv6 clusters, EKS Auto Mode provisions a `/80` IPv6 prefix per node on the primary network interface. + +The service also ensures proper management and garbage collection of all network interfaces. + + [#auto-lb-consider] == Load balancing From 78f9b5a8149eb835a47ce9af8ed109d7e1060aeb Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Fri, 11 Apr 2025 17:00:18 -0500 Subject: [PATCH 397/940] revise node class (#982) fixup --- latest/ug/automode/auto-change.adoc | 9 ++++ latest/ug/automode/create-node-class.adoc | 50 ++++++++++++++--------- 2 files changed, 40 insertions(+), 19 deletions(-) diff --git a/latest/ug/automode/auto-change.adoc b/latest/ug/automode/auto-change.adoc index b050c00ec..f4da58d6d 100644 --- a/latest/ug/automode/auto-change.adoc +++ b/latest/ug/automode/auto-change.adoc @@ -7,6 +7,15 @@ include::../attributes.txt[] This page documents updates to Amazon EKS Auto Mode. You can periodically check this page for announcements about features, bug fixes, known issues, and deprecated functionality. +== April 11, 2025 + +*Feature:* Added `certificateBundles` and `ephemeralStorage.kmsKeyID` to `NodeClass`. For more information, see <>. + +*Feature:* Improved image pull speed, particularly for instance types with local instance storage that can take advantage of the faster image decompression. + +*Bug Fix:* Resolved a race condition which caused FailedCreatePodSandBox , Error while dialing: dial tcp 127.0.0.1:50051: connect: connection refused to sometimes occur for Pods scheduling to a Node immediately at startup. + + == April 4, 2025 **Feature:** Increase `registryPullQPS` from 5 to 25 and `registryBurst` from 10 to 50 to reduce client enforced image pull throttling (`Failed to pull image xyz: pull QPS exceeded`) diff --git a/latest/ug/automode/create-node-class.adoc b/latest/ug/automode/create-node-class.adoc index 1600a7e9b..5ebf40e5f 100644 --- a/latest/ug/automode/create-node-class.adoc +++ b/latest/ug/automode/create-node-class.adoc @@ -99,6 +99,7 @@ EKSAutoNodeRoleAccessEntry: For information about deploying CloudFormation stacks, see link:AWSCloudFormation/latest/UserGuide/GettingStarted.html["Getting started with CloudFormation", type="documentation"] +[#auto-node-class-spec] == Node Class Specification [source,yaml] @@ -108,50 +109,61 @@ kind: NodeClass metadata: name: MyNodeClass spec: - - # Required: Subnet selection for node placement + # Required fields + role: MyNodeRole # IAM role for EC2 instances + subnetSelectorTerms: - tags: - Name: "" + Name: "private-subnet" kubernetes.io/role/internal-elb: "1" # Alternative using direct subnet ID # - id: "subnet-0123456789abcdef0" - # Required: Security group selection for nodes securityGroupSelectorTerms: - tags: - Name: "eks-cluster-node-sg" + Name: "eks-cluster-sg" # Alternative approaches: # - id: "sg-0123456789abcdef0" - # - name: "eks-cluster-node-security-group" - - # Optional: Configure SNAT policy (defaults to Random) + # - name: "eks-cluster-security-group" + + # Optional fields snatPolicy: Random # or Disabled - # Optional: Network policy configuration (defaults to DefaultAllow) networkPolicy: DefaultAllow # or DefaultDeny - - # Optional: Network policy event logging (defaults to Disabled) networkPolicyEventLogs: Disabled # or Enabled - # Optional: Configure ephemeral storage (shown with default values) ephemeralStorage: size: "80Gi" # Range: 1-59000Gi or 1-64000G or 1-58Ti or 1-64T iops: 3000 # Range: 3000-16000 throughput: 125 # Range: 125-1000 - - # Optional: Name of IAM role to use for EC2 instance role - # If unspecified, EKS creates a role - # If specified, you must create an access entry for this role as described above - role: MyNodeRole + # Optional KMS key for encryption + kmsKeyID: "arn:aws:kms:region:account:key/key-id" + # Accepted formats: + # KMS Key ID + # KMS Key ARN + # Key Alias Name + # Key Alias ARN - # Optional: Additional EC2 tags + # Optional: Custom certificate bundles + certificateBundles: + - name: "custom-cert" + data: "base64-encoded-cert-data" + + # Optional: Additional EC2 tags (with restrictions) tags: Environment: "production" Team: "platform" + # Note: Cannot use restricted tags like: + # - kubernetes.io/cluster/* + # - karpenter.sh/provisioner-name + # - karpenter.sh/nodepool + # - karpenter.sh/nodeclaim + # - karpenter.sh/managed-by + # - eks.amazonaws.com/nodeclass ---- -*Considerations:* + +== Considerations * If you change the Node IAM Role associated with a NodeClass, you will need to create a new Access Entry. EKS automatically creates an Access Entry for the Node IAM Role during cluster creation. The Node IAM Role requires the `AmazonEKSAutoNodePolicy` EKS Access Policy. For more information, see <>. * EKS limits the maximum number of pods on a node to 110. This limit is applied after the existing max pods calculation. For more information, see <>. From 9ce99f3fdb0bf59954c847bdd4027cf82e8a4370 Mon Sep 17 00:00:00 2001 From: Chris Negus Date: Mon, 14 Apr 2025 13:29:22 +0000 Subject: [PATCH 398/940] Incorporated review comments to eks-ami-deprecation-faqs.adoc --- latest/ug/nodes/eks-ami-deprecation-faqs.adoc | 22 ++++++++----------- 1 file changed, 9 insertions(+), 13 deletions(-) diff --git a/latest/ug/nodes/eks-ami-deprecation-faqs.adoc b/latest/ug/nodes/eks-ami-deprecation-faqs.adoc index bf5f8779d..40e6b4fe5 100644 --- a/latest/ug/nodes/eks-ami-deprecation-faqs.adoc +++ b/latest/ug/nodes/eks-ami-deprecation-faqs.adoc @@ -2,7 +2,7 @@ include::../attributes.txt[] [.topic] [#eks-ami-deprecation-faqs] -= EKS AL2 AMIs End-of-support FAQ += EKS AL2 AMIs end-of-support FAQ :info_titleabbrev: AL2 AMI deprecation [abstract] @@ -25,15 +25,13 @@ Additionally, you can <> until the EOS date (November 26, === Why is {aws} proposing to end support for EKS AL2-optimized and AL2-accelerated AMIs before AL2’s EOL date? -{aws} is ending support for EKS AL2-optimized and AL2-accelerated AMIs on November 26, 2025 due to a combination of critical technical and ecosystem-driven factors that directly affect performance, compatibility, and user experience. There has been diminishing support of AL2 by key technology providers from Nvidia, Neuron, Linux, to the Kubernetes community: +{aws} is ending support for EKS AL2-optimized and AL2-accelerated AMIs on November 26, 2025 due to a combination of critical technical and ecosystem-driven factors that directly affect performance, compatibility, and user experience. There has been diminishing support of AL2 by key technology providers from Nvidia, Neuron, Linux, to the Kubernetes community. -* Nvidia https://docs.nvidia.com/cuda/archive/12.4.1/cuda-toolkit-release-notes/index.html#deprecated-operating-systems[deprecated] support for CentOS 7-compatible distributions including AL2 and completely https://docs.nvidia.com/cuda/archive/12.5.0/cuda-toolkit-release-notes/index.html#deprecated-operating-systems[removed] support in CUDA https://docs.nvidia.com/cuda/archive/12.4.1/[12.4] and CUDA https://docs.nvidia.com/cuda/archive/12.5.0/[12.5]. The https://docs.nvidia.com/datacenter/tesla/index.html#r550-driver-release-notes[R550] driver branch will reach end-of-life in April 2025, long before AL2’s end-of-support date. AL2 is based on Linux kernel version https://docs.aws.amazon.com/linux/al2/ug/kernel.html[5.10], released in December 2020. Although Nvidia is continuing to ship critical CVE security patches (as of today), it is not actively releasing general patches and bug fixes for the https://developer.download.nvidia.com/compute/cuda/repos/rhel7/x86_64/[RHEL 7] packages that EKS uses to release AL2-accelerated AMIs. +Nvidia https://docs.nvidia.com/cuda/archive/12.4.1/cuda-toolkit-release-notes/index.html#deprecated-operating-systems[deprecated] support for CentOS 7-compatible distributions including AL2 and completely https://docs.nvidia.com/cuda/archive/12.5.0/cuda-toolkit-release-notes/index.html#deprecated-operating-systems[removed] support in CUDA https://docs.nvidia.com/cuda/archive/12.4.1/[12.4] and CUDA https://docs.nvidia.com/cuda/archive/12.5.0/[12.5]. The https://docs.nvidia.com/datacenter/tesla/index.html#r550-driver-release-notes[R550] driver branch will reach end-of-life in April 2025, long before AL2’s end-of-support date. AL2 is based on Linux kernel version https://docs.aws.amazon.com/linux/al2/ug/kernel.html[5.10], released in December 2020. Although Nvidia is continuing to ship critical CVE security patches (as of today), it is not actively releasing general patches and bug fixes for the https://developer.download.nvidia.com/compute/cuda/repos/rhel7/x86_64/[RHEL 7] packages that EKS uses to release AL2-accelerated AMIs. -* https://awsdocs-neuron.readthedocs-hosted.com/en/latest/release-notes/prev/rn.html#id123[{aws} Neuron] stopped supporting the Neuron Runtime package for AL2 in July 2024. - -* Newer Linux kernel updates (versions 4.14.326, 5.4.257, 5.10.195, 5.15.131, and 6.1.52) applied to AL2 introduce compatibility issues with P4 and P5 instance types that rely on Elastic Fabric Adapter (EFA) and closed-source NVIDIA drivers for GPU Direct RDMA support. - -* The https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/4569-cgroup-v1-maintenance-mode/README.md[Kubernetes community] moved `cgroupv1` support (used by AL2) into maintenance mode, meaning no new features will be added and only critical security and major bug fixes will be provided. +Newer Linux kernel updates (versions 4.14.326, 5.4.257, 5.10.195, 5.15.131, and 6.1.52) applied to AL2 introduce compatibility issues with P4 and P5 instance types that rely on Elastic Fabric Adapter (EFA) and closed-source NVIDIA drivers for GPU Direct RDMA support. +The https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/4569-cgroup-v1-maintenance-mode/README.md[Kubernetes community] moved `cgroupv1` support (used by AL2) into maintenance mode, meaning no new features will be added and only critical security and major bug fixes will be provided. +https://awsdocs-neuron.readthedocs-hosted.com/en/latest/release-notes/prev/rn.html#id123[{aws} Neuron] stopped supporting the Neuron Runtime package for AL2 in July 2024. == Compatibility and versions @@ -45,14 +43,12 @@ After this date, EKS will stop releasing AL2-optimized and AL2-accelerated AMIs === What NVIDIA driver versions are supported on Amazon Linux 2 (AL2), Amazon Linux 2023 (AL2023) and Bottlerocket AMIs? [cols="1,1,1,1,1", options="header"] - |=== - |Driver Branch |Amazon Linux 2 AMI |Amazon Linux 2023 AMI |Bottlerocket AMI -|End-of-Life Date | +|End-of-Life Date |R535 |Not Supported @@ -83,7 +79,7 @@ To learn more, see https://docs.nvidia.com/ai-enterprise/index.html#release-docu === Which NVIDIA CUDA versions are supported on Amazon Linux 2 (AL2), Amazon Linux 2023 (AL2023) and Bottlerocket AMIs? -[cols="1,1,1,1,1,1", options="header"] +[cols="1,1,1,1,1", options="header"] |=== |CUDA Version |NVIDIA Driver @@ -120,7 +116,7 @@ To learn more, see https://developer.nvidia.com/cuda-toolkit-archive[CUDA Releas === How do the AMIs for Amazon Linux 2 (AL2), Amazon Linux 2023 (AL2023) and Bottlerocket compare in terms of supported drivers and kernel versions? -[cols="1,1,1,1,1", options="header"] +[cols="1,1,1,1", options="header"] |=== |Component |AL2 AMI Source From 2bceefabd67d948a0171b4c406154262709f6cf9 Mon Sep 17 00:00:00 2001 From: Chris Negus Date: Mon, 14 Apr 2025 13:41:42 +0000 Subject: [PATCH 399/940] Fixed hybrid-nodes-cluster-update.adoc per amazon-eks-user-guide/issues/977 --- latest/ug/nodes/hybrid-nodes-cluster-update.adoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/latest/ug/nodes/hybrid-nodes-cluster-update.adoc b/latest/ug/nodes/hybrid-nodes-cluster-update.adoc index 0c23808ac..1c4705c7e 100644 --- a/latest/ug/nodes/hybrid-nodes-cluster-update.adoc +++ b/latest/ug/nodes/hybrid-nodes-cluster-update.adoc @@ -95,7 +95,7 @@ RemoteNetworkConfig: + [source,bash,subs="verbatim,attributes"] ---- -aws eks update-cluster \ +aws eks update-cluster-config \ --name CLUSTER_NAME \ --region AWS_REGION \ --remote-network-config '{"remoteNodeNetworks":[{"cidrs":["REMOTE_NODE_CIDRS"]}],"remotePodNetworks":[{"cidrs":["REMOTE_POD_CIDRS"]}]}' @@ -160,7 +160,7 @@ Omitting these fields from the update request retains their existing configurati + [source,bash,subs="verbatim,attributes"] ---- -aws eks update-cluster +aws eks update-cluster-config --name CLUSTER_NAME --region AWS_REGION --remote-network-config '{"remoteNodeNetworks":[{"cidrs":["NEW_REMOTE_NODE_CIDRS"]}],"remotePodNetworks":[{"cidrs":["NEW_REMOTE_POD_CIDRS"]}]}' @@ -210,7 +210,7 @@ RemoteNetworkConfig: + [source,bash,subs="verbatim,attributes"] ---- -aws eks update-cluster \ +aws eks update-cluster-config \ --name CLUSTER_NAME \ --region AWS_REGION \ --remote-network-config '{"remoteNodeNetworks":[],"remotePodNetworks":[]}' From ff2c0328cf8367616bc39e90060d688d6517a39e Mon Sep 17 00:00:00 2001 From: Chris Negus Date: Mon, 14 Apr 2025 15:06:34 +0000 Subject: [PATCH 400/940] Fixed auto-cis per https://t.corp.amazon.com/V1738776771 --- latest/ug/automode/auto-cis.adoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/latest/ug/automode/auto-cis.adoc b/latest/ug/automode/auto-cis.adoc index 087233dc7..e35727f0c 100644 --- a/latest/ug/automode/auto-cis.adoc +++ b/latest/ug/automode/auto-cis.adoc @@ -12,9 +12,9 @@ The command allows you to temporarily create a debugging container on a Kubernet Before you begin, ensure you have: -* Access to an Amazon EKS cluster with `kubectl` configured -* The appropriate IAM permissions to debug nodes -* A valid profile that allows debug operations (e.g., `sysadmin`) +* Access to an Amazon EKS cluster with `kubectl` configured (version must be at least v1.32.0; type `kubectl version` to check). +* The appropriate IAM permissions to debug nodes. +* A valid profile that allows debug operations (e.g., `sysadmin`). For more information about using debugging profiles with `kubectl`, see https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/#debugging-profiles[Debugging a Pod or Node while applying a profile] in the Kubernetes documentation. From 8d9e50a6f193f188c744f10071cb363cde6feec3 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Mon, 14 Apr 2025 19:39:53 +0000 Subject: [PATCH 401/940] Updated command for 1.30: 46064 --- latest/ug/nodes/fargate-getting-started.adoc | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/latest/ug/nodes/fargate-getting-started.adoc b/latest/ug/nodes/fargate-getting-started.adoc index ceb264c20..aba2dcce4 100644 --- a/latest/ug/nodes/fargate-getting-started.adoc +++ b/latest/ug/nodes/fargate-getting-started.adoc @@ -144,17 +144,23 @@ aws eks create-fargate-profile \ --selectors namespace=kube-system,labels={k8s-app=kube-dns} \ --subnets subnet-0000000000000001 subnet-0000000000000002 subnet-0000000000000003 ---- -. Run the following command to remove the `eks.amazonaws.com/compute-type : ec2` annotation from the CoreDNS Pods. +. Run one of the following commands based on your Kubernetes version. + +* For Kubernetes version 1.30 and later, remove `/spec/template/spec/tolerations` from the CoreDNS Pods. ++ +[source,bash,subs="verbatim,attributes"] +---- +kubectl patch deployment coredns -n kube-system --type json \ + -p='[{"op": "remove", "path": "/spec/template/spec/tolerations"}]' +---- +* For Kubernetes versions earlier than 1.30, remove the `eks.amazonaws.com/compute-type : ec2` annotation from the CoreDNS Pods. + [source,bash,subs="verbatim,attributes"] ---- -kubectl patch deployment coredns \ - -n kube-system \ - --type json \ +kubectl patch deployment coredns -n kube-system --type json \ -p='[{"op": "remove", "path": "/spec/template/metadata/annotations/eks.amazonaws.com~1compute-type"}]' ---- - [#fargate-gs-next-steps] == Next steps From 7ff6a567c47ee572ad304bf08e5f6be08313d824 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Mon, 14 Apr 2025 20:26:36 +0000 Subject: [PATCH 402/940] Updated approach and removed detail about version number since this has been true longer than 1.30 release: 46064 --- latest/ug/nodes/fargate-getting-started.adoc | 42 ++++++++------------ 1 file changed, 16 insertions(+), 26 deletions(-) diff --git a/latest/ug/nodes/fargate-getting-started.adoc b/latest/ug/nodes/fargate-getting-started.adoc index aba2dcce4..b0c9ded97 100644 --- a/latest/ug/nodes/fargate-getting-started.adoc +++ b/latest/ug/nodes/fargate-getting-started.adoc @@ -26,11 +26,11 @@ Assume that you're working with an existing cluster that already has nodes that For existing node groups that were created with `eksctl` or the Amazon EKS managed {aws} CloudFormation templates, you can add the cluster security group to the nodes manually. Or, alternatively, you can modify the Auto Scaling group launch template for the node group to attach the cluster security group to the instances. For more information, see link:vpc/latest/userguide/VPC_SecurityGroups.html#SG_Changing_Group_Membership[Changing an instance's security groups,type="documentation"] in the _Amazon VPC User Guide_. -You can check for a security group for your cluster in the {aws-management-console} under the *Networking* section for the cluster. Or, you can do this using the following {aws} CLI command. When using this command, replace [.replaceable]`my-cluster` with the name of your cluster. +You can check for a security group for your cluster in the {aws-management-console} under the *Networking* section for the cluster. Or, you can do this using the following {aws} CLI command. When using this command, replace `` with the name of your cluster. [source,bash,subs="verbatim,attributes"] ---- -aws eks describe-cluster --name my-cluster --query cluster.resourcesVpcConfig.clusterSecurityGroupId +aws eks describe-cluster --name --query cluster.resourcesVpcConfig.clusterSecurityGroupId ---- @@ -76,18 +76,18 @@ For instructions on how to install or upgrade `eksctl`, see https://eksctl.io/in *To create a Fargate profile with `eksctl`* -Create your Fargate profile with the following `eksctl` command, replacing every [.replaceable]`example value` with your own values. You're required to specify a namespace. However, the `--labels` option isn't required. +Create your Fargate profile with the following `eksctl` command, replacing every `` with your own values. You're required to specify a namespace. However, the `--labels` option isn't required. [source,bash,subs="verbatim,attributes"] ---- eksctl create fargateprofile \ - --cluster my-cluster \ - --name my-fargate-profile \ - --namespace my-kubernetes-namespace \ - --labels key=value + --cluster \ + --name \ + --namespace \ + --labels ---- -You can use certain wildcards for [.replaceable]`my-kubernetes-namespace` and [.replaceable]`key=value` labels. For more information, see <>. +You can use certain wildcards for `` and `` labels. For more information, see <>. === {aws-management-console} [[console_fargate_profile_create]] @@ -131,7 +131,7 @@ By default, CoreDNS is configured to run on Amazon EC2 infrastructure on Amazon If you created your cluster with `eksctl` using the `--fargate` option, then you can skip to <>. ==== -. Create a Fargate profile for CoreDNS with the following command. Replace [.replaceable]`my-cluster` with your cluster name, [.replaceable]`111122223333` with your account ID, [.replaceable]`AmazonEKSFargatePodExecutionRole` with the name of your Pod execution role, and [.replaceable]`0000000000000001`, [.replaceable]`0000000000000002`, and [.replaceable]`0000000000000003` with the IDs of your private subnets. If you don't have a Pod execution role, you must create one first (see <>). +. Create a Fargate profile for CoreDNS with the following command. Replace `` with your cluster name, `<111122223333>` with your account ID, `` with the name of your Pod execution role, and `<0000000000000001>`, `<0000000000000002>`, and `<0000000000000003>` with the IDs of your private subnets. If you don't have a Pod execution role, you must create one first (see <>). + IMPORTANT: The role ARN can't include a link:IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names[path,type="documentation"] other than `/`. For example, if the name of your role is `development/apps/my-role`, you need to change it to `my-role` when specifying the ARN for the role. The format of the role ARN must be `{arn-aws}iam::111122223333:role/role-name`. + @@ -139,26 +139,16 @@ IMPORTANT: The role ARN can't include a link:IAM/latest/UserGuide/reference_iden ---- aws eks create-fargate-profile \ --fargate-profile-name coredns \ - --cluster-name my-cluster \ - --pod-execution-role-arn {arn-aws}iam::111122223333:role/AmazonEKSFargatePodExecutionRole \ + --cluster-name \ + --pod-execution-role-arn {arn-aws}iam::<111122223333>:role/ \ --selectors namespace=kube-system,labels={k8s-app=kube-dns} \ - --subnets subnet-0000000000000001 subnet-0000000000000002 subnet-0000000000000003 + --subnets subnet-<0000000000000001> subnet-<0000000000000002> subnet-<0000000000000003> ---- -. Run one of the following commands based on your Kubernetes version. - -* For Kubernetes version 1.30 and later, remove `/spec/template/spec/tolerations` from the CoreDNS Pods. +. Trigger a rollout of the `coredns` deployment. + [source,bash,subs="verbatim,attributes"] ---- -kubectl patch deployment coredns -n kube-system --type json \ - -p='[{"op": "remove", "path": "/spec/template/spec/tolerations"}]' ----- -* For Kubernetes versions earlier than 1.30, remove the `eks.amazonaws.com/compute-type : ec2` annotation from the CoreDNS Pods. -+ -[source,bash,subs="verbatim,attributes"] ----- -kubectl patch deployment coredns -n kube-system --type json \ - -p='[{"op": "remove", "path": "/spec/template/metadata/annotations/eks.amazonaws.com~1compute-type"}]' +kubectl rollout restart -n kube-system deployment coredns ---- [#fargate-gs-next-steps] @@ -167,11 +157,11 @@ kubectl patch deployment coredns -n kube-system --type json \ * You can start migrating your existing applications to run on Fargate with the following workflow. + .. <> that matches your application's Kubernetes namespace and Kubernetes labels. -.. Delete and re-create any existing Pods so that they're scheduled on Fargate. For example, the following command triggers a rollout of the `coredns` deployment. You can modify the namespace and deployment type to update your specific Pods. +.. Delete and re-create any existing Pods so that they're scheduled on Fargate. Modify the `` and `` to update your specific Pods. + [source,bash,subs="verbatim,attributes"] ---- -kubectl rollout restart -n kube-system deployment coredns +kubectl rollout restart -n deployment ---- * Deploy the <> to allow Ingress objects for your Pods running on Fargate. * You can use the <> to set the initial correct size of CPU and memory for your Fargate Pods, and then use the <> to scale those Pods. If you want the Vertical Pod Autoscaler to automatically re-deploy Pods to Fargate with higher CPU and memory combinations, set the Vertical Pod Autoscaler's mode to either `Auto` or `Recreate`. This is to ensure correct functionality. For more information, see the https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler#quick-start[Vertical Pod Autoscaler] documentation on GitHub. From 86f366be8f3967f4016b4394a81e78f62e08eaae Mon Sep 17 00:00:00 2001 From: Chris Negus Date: Mon, 14 Apr 2025 21:05:42 +0000 Subject: [PATCH 403/940] Removed paragraph about EOS extensions --- latest/ug/nodes/eks-ami-deprecation-faqs.adoc | 5 ----- 1 file changed, 5 deletions(-) diff --git a/latest/ug/nodes/eks-ami-deprecation-faqs.adoc b/latest/ug/nodes/eks-ami-deprecation-faqs.adoc index 40e6b4fe5..ef9b324f1 100644 --- a/latest/ug/nodes/eks-ami-deprecation-faqs.adoc +++ b/latest/ug/nodes/eks-ami-deprecation-faqs.adoc @@ -202,11 +202,6 @@ For a complete list of all EKS AMI components and their versions, see https://gi No. EKS will neither update nor terminate customer instances and will not remove existing AMIs from distribution. -=== Will EKS allow EOS extensions? - -No, but you do have the option of continuing to use EKS AL2 AMIs, build custom EKS AL2 AMIs until the EOS date (November 26, 2025), or build a custom AMI with an Amazon Linux 2 base instance until the Amazon Linux 2 EOS date (June 30, 2026). -To build a custom EKS AL2-optimized or AL2-accelerated AMI, see https://docs.aws.amazon.com/eks/latest/userguide/eks-ami-build-scripts.html[Build a custom Amazon Linux AMI] in EKS official documentation. - === Will the Kubernetes standard or extended version support apply to AL2? No. The EOS date for EKS AL2-optimized and AL2-accelerated AMIs is independent of the standard and extended support timelines for Kubernetes versions by EKS. From c990fde2576fac1e89d9a8fc6a86375f7909ae92 Mon Sep 17 00:00:00 2001 From: Chris Negus Date: Mon, 14 Apr 2025 21:43:14 +0000 Subject: [PATCH 404/940] Small updates --- latest/ug/doc-history.adoc | 2 +- latest/ug/security/iam-reference/security-iam-awsmanpol.adoc | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index 79263b94b..b0e8d17c4 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -14,7 +14,7 @@ The following table describes the major updates and new features for the Amazon [.updates] == Updates -[.update,date="2025-04-09"] +[.update,date="2025-04-14"] === {aws} managed policy updates [.update-ulink] link:eks/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-updates[type="documentation"] diff --git a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc index 74a681a69..e6c3e90ff 100644 --- a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc +++ b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc @@ -367,8 +367,8 @@ View details about updates to {aws} managed policies for Amazon EKS since this s |Date | Added permission to <>. -| Added `ec2:RevokeSecurityGroupEgress` and `ec2:AuthorizeSecurityGroupEgress` permissions to allow EKS AI/ML customers to add Security Group Egress rules to the default EKS Cluster SG that are compatible with EFA. -| April 7, 2025 +| Added `ec2:RevokeSecurityGroupEgress` and `ec2:AuthorizeSecurityGroupEgress` permissions to allow EKS AI/ML customers to add Security Group Egress rules to the default EKS Cluster SG that are compatible with EFA, as part of the EKS 1.33 version release. +| April 14, 2025 | Added permissions to <>. | Added permission to terminate EC2 instances created by EKS Auto Mode. From fd3b1b252808746cc034284b6c739f049dfa572c Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Mon, 14 Apr 2025 22:23:12 +0000 Subject: [PATCH 405/940] Updates to fix AsciiDoc syntax interpretation: 46064 --- latest/ug/nodes/fargate-getting-started.adoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/latest/ug/nodes/fargate-getting-started.adoc b/latest/ug/nodes/fargate-getting-started.adoc index b0c9ded97..986236734 100644 --- a/latest/ug/nodes/fargate-getting-started.adoc +++ b/latest/ug/nodes/fargate-getting-started.adoc @@ -131,9 +131,9 @@ By default, CoreDNS is configured to run on Amazon EC2 infrastructure on Amazon If you created your cluster with `eksctl` using the `--fargate` option, then you can skip to <>. ==== -. Create a Fargate profile for CoreDNS with the following command. Replace `` with your cluster name, `<111122223333>` with your account ID, `` with the name of your Pod execution role, and `<0000000000000001>`, `<0000000000000002>`, and `<0000000000000003>` with the IDs of your private subnets. If you don't have a Pod execution role, you must create one first (see <>). +. Create a Fargate profile for CoreDNS with the following command. Replace `` with your cluster name, `<111122223333>` with your account ID, `` with the name of your Pod execution role, and `<000000000000000a>`, `<000000000000000b>`, and `<000000000000000c>` with the IDs of your private subnets. If you don't have a Pod execution role, you must create one first (see <>). + -IMPORTANT: The role ARN can't include a link:IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names[path,type="documentation"] other than `/`. For example, if the name of your role is `development/apps/my-role`, you need to change it to `my-role` when specifying the ARN for the role. The format of the role ARN must be `{arn-aws}iam::111122223333:role/role-name`. +IMPORTANT: The role ARN can't include a link:IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names[path,type="documentation"] other than `/`. For example, if the name of your role is `development/apps/AmazonEKSFargatePodExecutionRole`, you need to change it to `AmazonEKSFargatePodExecutionRole` when specifying the ARN for the role. The format of the role ARN must be `{arn-aws}iam::<111122223333>:role/`. + [source,bash,subs="verbatim,attributes"] ---- @@ -142,7 +142,7 @@ aws eks create-fargate-profile \ --cluster-name \ --pod-execution-role-arn {arn-aws}iam::<111122223333>:role/ \ --selectors namespace=kube-system,labels={k8s-app=kube-dns} \ - --subnets subnet-<0000000000000001> subnet-<0000000000000002> subnet-<0000000000000003> + --subnets subnet-<000000000000000a> subnet-<000000000000000b> subnet-<000000000000000c> ---- . Trigger a rollout of the `coredns` deployment. + From 988e5bc50565ffc4fa554a90b92fb81a447eb043 Mon Sep 17 00:00:00 2001 From: Paul Gasca Date: Tue, 15 Apr 2025 22:57:48 +0000 Subject: [PATCH 406/940] Updated compliance sections: 46136 --- latest/ug/nodes/bottlerocket-compliance-support.adoc | 2 +- latest/ug/security/compliance.adoc | 12 +++++------- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/latest/ug/nodes/bottlerocket-compliance-support.adoc b/latest/ug/nodes/bottlerocket-compliance-support.adoc index e20d57401..55936ae29 100644 --- a/latest/ug/nodes/bottlerocket-compliance-support.adoc +++ b/latest/ug/nodes/bottlerocket-compliance-support.adoc @@ -14,5 +14,5 @@ Bottlerocket complies with recommendations defined by various organizations: * There is a https://www.cisecurity.org/benchmark/bottlerocket[CIS Benchmark] defined for Bottlerocket. In a default configuration, Bottlerocket image has most of the controls required by CIS Level 1 configuration profile. You can implement the controls required for a CIS Level 2 configuration profile. For more information, see link:containers/validating-amazon-eks-optimized-bottlerocket-ami-against-the-cis-benchmark[Validating Amazon EKS optimized Bottlerocket AMI against the CIS Benchmark,type="blog"] on the {aws} blog. * The optimized feature set and reduced attack surface means that Bottlerocket instances require less configuration to satisfy PCI DSS requirements. The https://www.cisecurity.org/benchmark/bottlerocket[CIS Benchmark for Bottlerocket] is an excellent resource for hardening guidance, and supports your requirements for secure configuration standards under PCI DSS requirement 2.2. You can also leverage https://opensearch.org/blog/technical-post/2022/07/bottlerocket-k8s-fluent-bit/[Fluent Bit] to support your requirements for operating system level audit logging under PCI DSS requirement 10.2. {aws} publishes new (patched) Bottlerocket instances periodically to help you meet PCI DSS requirement 6.2 (for v3.2.1) and requirement 6.3.3 (for v4.0). -* Bottlerocket is an HIPAA-eligible feature authorized for use with regulated workloads for both Amazon EC2 and Amazon EKS. For more information, see the link:pdfs/whitepapers/latest/architecting-hipaa-security-and-compliance-on-amazon-eks/architecting-hipaa-security-and-compliance-on-amazon-eks.pdf[Architecting for HIPAA Security and Compliance on Amazon EKS,type="documentation"] whitepaper. +* Bottlerocket is an HIPAA-eligible feature authorized for use with regulated workloads for both Amazon EC2 and Amazon EKS. For more information, see link:compliance/hipaa-eligible-services-reference/[HIPAA Eligible Services Reference,type="marketing"]. * Bottlerocket AMIs are available that are preconfigured to use FIPS 140-3 validated cryptographic modules. This includes the Amazon Linux 2023 Kernel Crypto API Cryptographic Module and the {aws}-LC Cryptographic Module. For more information, see <>. \ No newline at end of file diff --git a/latest/ug/security/compliance.adoc b/latest/ug/security/compliance.adoc index f0a689557..23748cfb4 100644 --- a/latest/ug/security/compliance.adoc +++ b/latest/ug/security/compliance.adoc @@ -7,21 +7,19 @@ include::../attributes.txt[] [abstract] -- -Discover compliance resources and services for Amazon Elastic Kubernetes Service to help secure your {aws} workloads, meet regulatory requirements like HIPAA, and validate adherence to security standards like NIST, PCI, and ISO using {aws} Config, Security Hub, GuardDuty, and Audit Manager. +Discover compliance resources to help secure your {aws} workloads, meet regulatory requirements like HIPAA, and validate adherence to security standards. -- +// Entire topic last refreshed to match the ComplianceResources shared entity on 2025-04-15. + To learn whether an {aws} service is within the scope of specific compliance programs, see link:compliance/services-in-scope/[{aws} services in Scope by Compliance Program,type="marketing"] and choose the compliance program that you are interested in. For general information, see link:compliance/programs/[{aws} Compliance Programs,type="marketing"]. You can download third-party audit reports using {aws} Artifact. For more information, see link:artifact/latest/ug/downloading-documents.html[Downloading Reports in {aws} Artifact,type="documentation"]. Your compliance responsibility when using {aws} services is determined by the sensitivity of your data, your company's compliance objectives, and applicable laws and regulations. {aws} provides the following resources to help with compliance: - - -* link:quickstart/?awsf.filter-tech-category=tech-category%23security-identity-compliance[Security and Compliance Quick Start Guides,type="marketing"] – These deployment guides discuss architectural considerations and provide steps for deploying baseline environments on {aws} that are security and compliance focused. -* link:whitepapers/latest/architecting-hipaa-security-and-compliance-on-aws/architecting-hipaa-security-and-compliance-on-aws.html[Architecting for HIPAA Security and Compliance on Amazon Web Services,type="documentation"] – This whitepaper describes how companies can use {aws} to create HIPAA-eligible applications. -+ -NOTE: Not all {aws} services are HIPAA eligible. For more information, see the link:compliance/hipaa-eligible-services-reference/[HIPAA Eligible Services Reference,type="marketing"]. +* link:solutions/security/security-compliance-governance/[Security Compliance & Governance,type="marketing"] – These solution implementation guides discuss architectural considerations and provide steps for deploying security and compliance features. +* link:compliance/hipaa-eligible-services-reference/[HIPAA Eligible Services Reference,type="marketing"] – Lists HIPAA eligible services. Not all {aws} services are HIPAA eligible. * link:compliance/resources/[{aws} Compliance Resources,type="marketing"] – This collection of workbooks and guides might apply to your industry and location. * https://d1.awsstatic.com/whitepapers/compliance/AWS_Customer_Compliance_Guides.pdf[{aws} Customer Compliance Guides] – Understand the shared responsibility model through the lens of compliance. The guides summarize the best practices for securing {aws} services and map the guidance to security controls across multiple frameworks (including National Institute of Standards and Technology (NIST), Payment Card Industry Security Standards Council (PCI), and International Organization for Standardization (ISO)). * link:config/latest/developerguide/evaluate-config.html[Evaluating Resources with Rules,type="documentation"] in the _{aws} Config Developer Guide_ – The {aws} Config service assesses how well your resource configurations comply with internal practices, industry guidelines, and regulations. From 42b616599fed7b01a94a806e3229792e7d2044b9 Mon Sep 17 00:00:00 2001 From: Chris Negus Date: Tue, 15 Apr 2025 23:35:55 +0000 Subject: [PATCH 407/940] A few changes to eks-ami-deprecation-faqs.adoc --- latest/ug/nodes/eks-ami-deprecation-faqs.adoc | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/latest/ug/nodes/eks-ami-deprecation-faqs.adoc b/latest/ug/nodes/eks-ami-deprecation-faqs.adoc index ef9b324f1..21ddb6e30 100644 --- a/latest/ug/nodes/eks-ami-deprecation-faqs.adoc +++ b/latest/ug/nodes/eks-ami-deprecation-faqs.adoc @@ -79,37 +79,32 @@ To learn more, see https://docs.nvidia.com/ai-enterprise/index.html#release-docu === Which NVIDIA CUDA versions are supported on Amazon Linux 2 (AL2), Amazon Linux 2023 (AL2023) and Bottlerocket AMIs? -[cols="1,1,1,1,1", options="header"] +[cols="1,1,1,1", options="header"] |=== |CUDA Version -|NVIDIA Driver |AL2 Support |AL2023 Support |Bottlerocket Support |https://developer.nvidia.com/cuda-toolkit-archive[10.1] -|R418 |Supported |Not supported |Not Supported |https://developer.nvidia.com/cuda-toolkit-archive[11.8] -|R550/R535 |Supported |Supported |Supported |https://developer.nvidia.com/cuda-toolkit-archive[12.0] -|R560 |Not supported |Supported -|Not Supported +|Supported |https://developer.nvidia.com/cuda-toolkit-archive[12.5] -|R570 |Not supported |Supported -|Not Supported +|Supported |=== To learn more, see https://developer.nvidia.com/cuda-toolkit-archive[CUDA Release Documentation]. @@ -192,6 +187,14 @@ A few of the most common packages that are not included or which changed in AL20 To learn more, see https://docs.aws.amazon.com/linux/al2023/ug/compare-with-al2.html[Comparing AL2 and AL2023]. +=== How does FIPS validation compare across AL2, AL2023, and Bottlerocket? + +Amazon Linux 2 (AL2), Amazon Linux 2023 (AL2023), and Bottlerocket provide support for Federal Information Processing Standards (FIPS) compliance. + +* AL2 is certified under FIPS 140-2 and AL2023 is certified under FIPS 140-3. To enable FIPS mode on AL2023, install the necessary packages on your Amazon EC2 instance and follow the configuration steps using the instructions in Enable FIPS Mode on AL2023. To learn more, see +https://aws.amazon.com/linux/amazon-linux-2023/faqs[AL2023 FAQs]. +* Bottlerocket provides purpose-built variants specifically for FIPS which constrain the kernel and userspace components to the use of cryptographic modules that have been submitted to the FIPS 140-3 Cryptographic Module Validation Program. + === Where can I find a complete list of Amazon EKS AMI drivers and their versions? For a complete list of all EKS AMI components and their versions, see https://github.com/awslabs/amazon-eks-ami/releases[Amazon EKS AMI Release Notes] on GitHub. From 583c086b10bba9d90a701857ae470970710f0a30 Mon Sep 17 00:00:00 2001 From: Donovan Finch Date: Tue, 8 Apr 2025 20:08:00 -0700 Subject: [PATCH 408/940] Update to Managed IAM policy: AmazonEKSCluster Policy adds ec2:DeleteNetworkInterfaces --- latest/ug/doc-history.adoc | 9 +++++++++ .../security/iam-reference/security-iam-awsmanpol.adoc | 5 +++++ 2 files changed, 14 insertions(+) diff --git a/latest/ug/doc-history.adoc b/latest/ug/doc-history.adoc index c079d16d9..b568c56d9 100644 --- a/latest/ug/doc-history.adoc +++ b/latest/ug/doc-history.adoc @@ -14,6 +14,15 @@ The following table describes the major updates and new features for the Amazon [.updates] == Updates + +[.update,date="2025-04-16"] +=== {aws} managed policy updates +[.update-ulink] +link:eks/latest/userguide/security-iam-awsmanpol.html[type="documentation"] + +Added permissions to `AmazonEKSClusterPolicy` to allow Amazon EKS to elastic network interfaces created by the VPC CNI. This is required so that EKS can clean up elastic network interfaces that are left behind if the VPC CNI quits unexpectedly. + + [.update,date="2025-04-14"] === {aws} managed policy updates [.update-ulink] diff --git a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc index e6c3e90ff..5e5a3c5f1 100644 --- a/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc +++ b/latest/ug/security/iam-reference/security-iam-awsmanpol.adoc @@ -43,6 +43,7 @@ This policy includes the following permissions that allow Amazon EKS to complete * *`autoscaling`* – Read and update the configuration of an Auto Scaling group. These permissions aren't used by Amazon EKS but remain in the policy for backwards compatibility. * *`ec2`* – Work with volumes and network resources that are associated to Amazon EC2 nodes. This is required so that the Kubernetes control plane can join instances to a cluster and dynamically provision and manage Amazon EBS volumes that are requested by Kubernetes persistent volumes. +* *`ec2`* - Delete elastic network interfaces that are created by the VPC CNI. This is required so that EKS can clean up elastic network interfaces that are left behind if the VPC CNI quits unexpectedly. * *`elasticloadbalancing`* – Work with Elastic Load Balancers and add nodes to them as targets. This is required so that the Kubernetes control plane can dynamically provision Elastic Load Balancers requested by Kubernetes services. * *`iam`* – Create a service-linked role. This is required so that the Kubernetes control plane can dynamically provision Elastic Load Balancers that are requested by Kubernetes services. * *`kms`* – Read a key from {aws} KMS. This is required for the Kubernetes control plane to support https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/[secrets encryption] of Kubernetes secrets stored in `etcd`. @@ -366,6 +367,10 @@ View details about updates to {aws} managed policies for Amazon EKS since this s |Description |Date +|Added permissions to <>. +|Added `ec2:DeleteNetworkInterfaces` permission to allow Amazon EKS to delete elastic network interfaces that are left behind if the VPC CNI quits unexpectedly. +|April 16, 2023 + | Added permission to <>. | Added `ec2:RevokeSecurityGroupEgress` and `ec2:AuthorizeSecurityGroupEgress` permissions to allow EKS AI/ML customers to add Security Group Egress rules to the default EKS Cluster SG that are compatible with EFA, as part of the EKS 1.33 version release. | April 14, 2025 From 63c248220771b4eebea77d38fa125308eb80510d Mon Sep 17 00:00:00 2001 From: Chris Negus Date: Wed, 16 Apr 2025 21:20:59 +0000 Subject: [PATCH 409/940] Temporarily removing eks-ami-deprecation-faqs.adoc --- latest/ug/nodes/eks-ami-deprecation-faqs.adoc | 247 ------------------ latest/ug/nodes/eks-optimized-amis.adoc | 2 - 2 files changed, 249 deletions(-) delete mode 100644 latest/ug/nodes/eks-ami-deprecation-faqs.adoc diff --git a/latest/ug/nodes/eks-ami-deprecation-faqs.adoc b/latest/ug/nodes/eks-ami-deprecation-faqs.adoc deleted file mode 100644 index 21ddb6e30..000000000 --- a/latest/ug/nodes/eks-ami-deprecation-faqs.adoc +++ /dev/null @@ -1,247 +0,0 @@ -include::../attributes.txt[] - -[.topic] -[#eks-ami-deprecation-faqs] -= EKS AL2 AMIs end-of-support FAQ -:info_titleabbrev: AL2 AMI deprecation - -[abstract] --- -This document outlines the End of Support (EOS) information for Amazon EKS AL2-optimized and AL2-accelerated AMIs. --- - -== General information and timeline - -=== What is the end-of-support (EOS) date for EKS AL2-optimized and AL2-accelerated AMIs? - -EKS AL2-optimized and AL2-accelerated AMIs EOS date is November 26, 2025. -While you can continue using EKS AL2 AMIs after the EOS date, EKS will no longer release any new Kubernetes versions or updates to AL2 AMIs, including minor releases, patches, and bug fixes after this date. -We recommend upgrading to Amazon Linux 2023 (AL2023) or Bottlerocket AMIs: - -* AL2023 enables a secure-by-default approach with preconfigured security policies, SELinux in permissive mode, IMDSv2-only mode enabled by default, optimized boot times, and improved package management for enhanced security and performance, well-suited for infrastructure requiring significant customizations like direct OS-level access or extensive node changes. -* Bottlerocket enables enhanced security, faster boot times, and a smaller attack surface for improved efficiency with its purpose-built, container-optimized design, well-suited for container-native approaches with minimal node customizations. - -Additionally, you can <> until the EOS date (November 26, 2025), or build a custom AMI with an Amazon Linux 2 base instance until the Amazon Linux 2 EOS date (June 30, 2026). For more information, please visit https://aws.amazon.com/linux/amazon-linux-2023/faqs/[AL2023 FAQs], https://aws.amazon.com/bottlerocket/faqs/[Bottlerocket FAQs] or refer to <> or <> documentation for detailed migration guidance. - -=== Why is {aws} proposing to end support for EKS AL2-optimized and AL2-accelerated AMIs before AL2’s EOL date? - -{aws} is ending support for EKS AL2-optimized and AL2-accelerated AMIs on November 26, 2025 due to a combination of critical technical and ecosystem-driven factors that directly affect performance, compatibility, and user experience. There has been diminishing support of AL2 by key technology providers from Nvidia, Neuron, Linux, to the Kubernetes community. - -Nvidia https://docs.nvidia.com/cuda/archive/12.4.1/cuda-toolkit-release-notes/index.html#deprecated-operating-systems[deprecated] support for CentOS 7-compatible distributions including AL2 and completely https://docs.nvidia.com/cuda/archive/12.5.0/cuda-toolkit-release-notes/index.html#deprecated-operating-systems[removed] support in CUDA https://docs.nvidia.com/cuda/archive/12.4.1/[12.4] and CUDA https://docs.nvidia.com/cuda/archive/12.5.0/[12.5]. The https://docs.nvidia.com/datacenter/tesla/index.html#r550-driver-release-notes[R550] driver branch will reach end-of-life in April 2025, long before AL2’s end-of-support date. AL2 is based on Linux kernel version https://docs.aws.amazon.com/linux/al2/ug/kernel.html[5.10], released in December 2020. Although Nvidia is continuing to ship critical CVE security patches (as of today), it is not actively releasing general patches and bug fixes for the https://developer.download.nvidia.com/compute/cuda/repos/rhel7/x86_64/[RHEL 7] packages that EKS uses to release AL2-accelerated AMIs. - -Newer Linux kernel updates (versions 4.14.326, 5.4.257, 5.10.195, 5.15.131, and 6.1.52) applied to AL2 introduce compatibility issues with P4 and P5 instance types that rely on Elastic Fabric Adapter (EFA) and closed-source NVIDIA drivers for GPU Direct RDMA support. -The https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/4569-cgroup-v1-maintenance-mode/README.md[Kubernetes community] moved `cgroupv1` support (used by AL2) into maintenance mode, meaning no new features will be added and only critical security and major bug fixes will be provided. -https://awsdocs-neuron.readthedocs-hosted.com/en/latest/release-notes/prev/rn.html#id123[{aws} Neuron] stopped supporting the Neuron Runtime package for AL2 in July 2024. - -== Compatibility and versions - -=== Which Kubernetes versions support AL2 AMIs? - -Kubernetes version 1.32 is the last version for which Amazon EKS will release AL2 (Amazon Linux 2) AMIs. For https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html[supported] Kubernetes versions up to 1.32, EKS will continue to release AL2 AMIs (AL2_ARM_64, AL2_x86_64) and AL2-accelerated AMIs (AL2_x86_64_GPU) until November 26, 2025. -After this date, EKS will stop releasing AL2-optimized and AL2-accelerated AMIs for all Kubernetes versions, even for EKS extended support customers. Note that the EOS date for EKS AL2-optimized and AL2-accelerated AMIs is independent of the standard and extended support timelines for Kubernetes versions by EKS. - -=== What NVIDIA driver versions are supported on Amazon Linux 2 (AL2), Amazon Linux 2023 (AL2023) and Bottlerocket AMIs? - -[cols="1,1,1,1,1", options="header"] -|=== -|Driver Branch -|Amazon Linux 2 AMI -|Amazon Linux 2023 AMI -|Bottlerocket AMI -|End-of-Life Date - -|R535 -|Not Supported -|Not Supported -|Supported -|https://docs.nvidia.com/ai-enterprise/index.html#release-documentation[September 2027] - -|R550 -|Supported -|Supported -|Not Supported -|https://docs.nvidia.com/ai-enterprise/index.html#release-documentation[April 2025] - -|R560 -|Not Supported -|Supported -|Not Supported -|https://docs.nvidia.com/ai-enterprise/index.html#release-documentation[March 2025] - -|R570 -|Not Supported -|Supported -|Coming soon -|https://docs.nvidia.com/ai-enterprise/index.html#release-documentation[February 2026] -|=== - -To learn more, see https://docs.nvidia.com/ai-enterprise/index.html#release-documentation[Nvidia Release Documentation]. - -=== Which NVIDIA CUDA versions are supported on Amazon Linux 2 (AL2), Amazon Linux 2023 (AL2023) and Bottlerocket AMIs? - -[cols="1,1,1,1", options="header"] -|=== -|CUDA Version -|AL2 Support -|AL2023 Support -|Bottlerocket Support - -|https://developer.nvidia.com/cuda-toolkit-archive[10.1] -|Supported -|Not supported -|Not Supported - -|https://developer.nvidia.com/cuda-toolkit-archive[11.8] -|Supported -|Supported -|Supported - -|https://developer.nvidia.com/cuda-toolkit-archive[12.0] -|Not supported -|Supported -|Supported - -|https://developer.nvidia.com/cuda-toolkit-archive[12.5] -|Not supported -|Supported -|Supported -|=== - -To learn more, see https://developer.nvidia.com/cuda-toolkit-archive[CUDA Release Documentation]. - -=== How do the AMIs for Amazon Linux 2 (AL2), Amazon Linux 2023 (AL2023) and Bottlerocket compare in terms of supported drivers and kernel versions? - -[cols="1,1,1,1", options="header"] -|=== -|Component -|AL2 AMI Source -|AL2023 AMI Source -|Bottlerocket AMI Source - -|Base OS Compatibility -|RHEL7/CentOS 7 -|Fedora/CentOS 9 -|N/A - -|CUDA Toolkit -|https://developer.nvidia.com/cuda-toolkit-archive[CUDA 11.x–12.x] -|https://developer.nvidia.com/cuda-toolkit-archive[CUDA 12.5+] -|CUDA 11.x (12.5 coming soon) - -|NVIDIA GPU Driver -|https://docs.nvidia.com/ai-enterprise/index.html#release-documentation[R550] -|https://docs.nvidia.com/ai-enterprise/index.html#release-documentation[R565] (R570 coming soon) -|https://docs.nvidia.com/ai-enterprise/index.html#release-documentation[R535] (R570 Coming soon) - -|{aws} Neuron Driver -|https://awsdocs-neuron.readthedocs-hosted.com/en/latest/general/announcements/neuron2.x/announce-no-support-al2.html[2.19] -|https://awsdocs-neuron.readthedocs-hosted.com/en/latest/general/announcements/neuron2.x/announce-no-support-al2.html[2.19+] -|2.20 - -|Linux Kernel -|https://docs.aws.amazon.com/linux/al2/ug/aml2-kernel.html[5.10] -|https://docs.aws.amazon.com/linux/al2023/ug/compare-with-al2-kernel.html[6.1, 6.12] -|5.15, 6.1 (6.12 coming soon) -|=== - -=== Is AL2 fully supported by Nvidia? - -No. AL2 AMIs are based on https://docs.aws.amazon.com/linux/al2/ug/kernel.html[Linux kernel 5.10], while AL2023 uses https://docs.aws.amazon.com/linux/al2023/ug/compare-with-al2-kernel.html[Linux kernel 6.10]. -Unlike AL2023, Nvidia never explicitly supported AL2, thus EKS leverages CentOS-7 https://developer.download.nvidia.com/compute/cuda/repos/rhel7/x86_64/[RHEL7 packages] to build the AL2-accelerated AMIs (AL2_x86_64_GPU AMI). -Although Nvidia is continuing to ship critical CVE security patches (as of today), it is not actively releasing general patches and bug fixes for the https://developer.download.nvidia.com/compute/cuda/repos/rhel7/x86_64/[RHEL 7] packages that EKS uses to release AL2-accelerated AMIs. -Additionally, the latest Nvidia driver version supported for AL2 (RHEL 7) is https://docs.nvidia.com/ai-enterprise/index.html#release-documentation[R550], while for AL2023 its https://docs.nvidia.com/ai-enterprise/index.html#release-documentation[R565, R570]. -Furthermore, Nvidia has stopped releasing updates for its CUDA toolkit as of March 28, 2024, with `cuda-12.4.1-1.x86_64.rpm` being the last released version. - -=== Is AL2 fully supported by {aws} Neuron? - -No. Starting from https://awsdocs-neuron.readthedocs-hosted.com/en/latest/release-notes/prev/rn.html#neuron-2-20-0-whatsnew[{aws} Neuron release 2.20], the Neuron Runtime (`aws-neuronx-runtime-lib`) used by EKS AL-based AMIs no longer supports Amazon Linux 2 (AL2). -The Neuron Driver (`aws-neuronx-dkms`) is now the only {aws} Neuron package that supports Amazon Linux 2. -This means you cannot run your Neuron-powered applications natively on an AL2-based AMI. -To setup Neuron on AL2023 AMIs, see the https://awsdocs-neuron.readthedocs-hosted.com/en/latest/general/setup/index.html#setup-guide-index[{aws} Neuron Setup] guide. - -=== Is AL2 fully compatible with the latest Kubernetes versions? - -No. The Kubernetes community has moved `cgroupv1` support (used by AL2) to maintenance mode. -This means no new features will be added, and only critical security and major bug fixes will be provided. -Any Kubernetes features relying on cgroupv2, such as MemoryQoS and enhanced resource isolation, are unavailable on AL2. -Furthermore, Amazon EKS Kubernetes version 1.32 was the last version to support AL2 AMIs. -To maintain compatibility with the latest Kubernetes versions, we recommend migrating to AL2023 or Bottlerocket, which enable `cgroupv2` by default. - -=== Is AL2 fully compatible with the latest Linux versions? - -No. Amazon Linux 2 (AL2) is supported by {aws} until its end-of-support (EOS) date on June 30, 2026. -However, as AL2 has aged, support from the broader Linux community for new applications and functionality has become more limited. -AL2 AMIs are based on https://docs.aws.amazon.com/linux/al2/ug/kernel.html[Linux kernel 5.10], while AL2023 uses https://docs.aws.amazon.com/linux/al2023/ug/compare-with-al2-kernel.html[Linux kernel 6.10]. -Unlike AL2023, AL2 has limited support from the broader Linux community. -This means many upstream Linux packages and tools need to be backported to work with AL2's older kernel version, some modern Linux features and security improvements aren't available due to the older kernel, many open source projects have deprecated or limited support for older kernel versions like 5.10. - -=== What packages are not included in AL2023 AMIs? - -A few of the most common packages that are not included or which changed in AL2023, include: - -* Some https://docs.aws.amazon.com/linux/al2023/release-notes/removed-AL2023.6-AL2.html[source binary packages in Amazon Linux 2] are no longer available in Amazon Linux 2023 -* Changes in how Amazon Linux supports different versions of packages (e.g., https://repost.aws/questions/QUWGU3VFJMRSGf6MDPWn4tLg/how-to-resolve-amazon-linux-extras-in-al2023[amazon-linux-extras system]) in AL2023 -* https://docs.aws.amazon.com/linux/al2023/ug/epel.html[Extra Packages for Enterprise Linux (EPEL)] are not supported in AL2023 -* https://docs.aws.amazon.com/linux/al2023/ug/deprecated-al2.html#deprecated-32bit-rpms[32-bit applications] are not supported in AL2023 -* AL2023 does not make https://cloudkatha.com/can-we-install-a-gui-in-amazon-linux-2023/[mate-desktop] packages - -To learn more, see https://docs.aws.amazon.com/linux/al2023/ug/compare-with-al2.html[Comparing AL2 and AL2023]. - -=== How does FIPS validation compare across AL2, AL2023, and Bottlerocket? - -Amazon Linux 2 (AL2), Amazon Linux 2023 (AL2023), and Bottlerocket provide support for Federal Information Processing Standards (FIPS) compliance. - -* AL2 is certified under FIPS 140-2 and AL2023 is certified under FIPS 140-3. To enable FIPS mode on AL2023, install the necessary packages on your Amazon EC2 instance and follow the configuration steps using the instructions in Enable FIPS Mode on AL2023. To learn more, see -https://aws.amazon.com/linux/amazon-linux-2023/faqs[AL2023 FAQs]. -* Bottlerocket provides purpose-built variants specifically for FIPS which constrain the kernel and userspace components to the use of cryptographic modules that have been submitted to the FIPS 140-3 Cryptographic Module Validation Program. - -=== Where can I find a complete list of Amazon EKS AMI drivers and their versions? - -For a complete list of all EKS AMI components and their versions, see https://github.com/awslabs/amazon-eks-ami/releases[Amazon EKS AMI Release Notes] on GitHub. - -== Migration and support - -=== Will EKS terminate AL2 AMIs? - -No. EKS will neither update nor terminate customer instances and will not remove existing AMIs from distribution. - -=== Will the Kubernetes standard or extended version support apply to AL2? - -No. The EOS date for EKS AL2-optimized and AL2-accelerated AMIs is independent of the standard and extended support timelines for Kubernetes versions by EKS. - -=== How does the shift from cgroupv1 to cgroupv2 affect my migration? - -The https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/4569-cgroup-v1-maintenance-mode/README.md[Kubernetes community] moved `cgroupv1` support (used by AL2) into maintenance mode, meaning no new features will be added and only critical security and major bug fixes will be provided. -To adopt `cgroupv2` in Kubernetes, you need to ensure compatibility across the OS, kernel, container runtime, and Kubernetes components. -This requires a Linux distribution that enables `cgroupv2` by default, such as AL2023, Bottlerocket, Red Hat Enterprise Linux (RHEL) 9+, Ubuntu 22.04+, or Debian 11+. -These distributions ship with kernel versions ≥5.8, which is the minimum requirement for `cgroupv2` support in Kubernetes. -To learn more, see https://kubernetes.io/docs/concepts/architecture/cgroups/[About cgroup v2]. - -=== What will I be responsible for if I continue using AL2 AMIs? - -Continuing to run outdated EKS optimized AL2 AMIs in your cluster after the EOS date (November 26, 2025) may result in compatibility issues and application impact. -Deprecated support for AL2 from key technology providers may lead to incompatibilities, making it difficult to integrate with the latest tools and frameworks. For example: - -* **AI/ML Compatibility:** Compatibility issues may arise for AI/ML workloads on accelerated instances. -For instance, Nvidia has phased out AL2 support in CUDA 12.5, with critical driver branches like R550 ending support in April 2025, respectively. -Additionally, {aws} Neuron discontinued updates for AL2 in July 2024, which may further limit support for machine learning workloads.  -* **Linux Kernel Compatibility:** Newer Linux kernel updates (versions 4.14.326, 5.4.257, 5.10.195, 5.15.131, and 6.1.52) applied to AL2 introduce compatibility issues with P4 and P5 instance types that rely on Elastic Fabric Adapter (EFA) and closed-source NVIDIA drivers for GPU Direct RDMA support. -This issue is specific to AL2 because its older Linux base, which is tied to RHEL7/CentOS 7, conflicting with these kernel updates when paired with NVIDIA’s R550 driver, whereas AL2023’s kernel (6.1.x) and newer drivers (R565/R570) avoid this issue entirely. -* **Kubernetes Compatibility:** The Kubernetes community has moved `cgroupv1` support, which AL2 relies on, to maintenance mode. -This means no new features will be added, and only critical security fixes and major bug patches will be provided.  -* **Security Patches:** Without official updates to AL2 AMIs, your team will be responsible for manually applying any security patches that would otherwise be handled automatically. - -=== What do I do if I need Neuron in my custom AL2 AMI? - -You cannot run your full Neuron-powered applications natively on an AL2-based AMIs. -To leverage {aws} Neuron on an AL2 AMI, you must containerize you applications using a Neuron-supported container with a non-AL2 Linux distribution (e.g., Ubuntu 22.04, Amazon Linux 2023, etc.) and then deploy those containers on an AL2-based AMI that has the Neuron Driver (`aws-neuronx-dkms`) installed. - -=== How do I migrate from my AL2 to an AL2023 AMI? - -We recommend creating and implementing a migration plan that includes thorough application workload testing and documented rollback procedures, then following the step-by-step instructions in the https://docs.aws.amazon.com/eks/latest/userguide/al2023.html[Upgrade from Amazon Linux 2 to Amazon Linux 2023] in EKS official documentation. - -=== How do I build a custom AL2 or AL2023 AMI? - -You can build custom EKS AL2-optimized and AL2-accelerated AMIs until the EOS date (November 26, 2025). -Alternatively, you can build a custom AMI with an Amazon Linux 2 base instance until the Amazon Linux 2 EOS date (June 30, 2026). -For step-by-step instructions to build a custom EKS AL2-optimized and AL2-accelerated AMI, see https://docs.aws.amazon.com/eks/latest/userguide/eks-ami-build-scripts.html[Build a custom Amazon Linux AMI] in EKS official documentation. diff --git a/latest/ug/nodes/eks-optimized-amis.adoc b/latest/ug/nodes/eks-optimized-amis.adoc index 3cb677a1e..7fde5d229 100644 --- a/latest/ug/nodes/eks-optimized-amis.adoc +++ b/latest/ug/nodes/eks-optimized-amis.adoc @@ -20,8 +20,6 @@ With Amazon EKS Auto Mode, EKS manages the EC2 instance including selecting and [.topic] include::dockershim-deprecation.adoc[leveloffset=+1] -include::eks-ami-deprecation-faqs.adoc[leveloffset=+1] - include::eks-optimized-ami.adoc[leveloffset=+1] include::eks-optimized-ami-bottlerocket.adoc[leveloffset=+1] From 9582c96be3c2294dc3d38ec6889d16d2b54d9dae Mon Sep 17 00:00:00 2001 From: Devansh Popli Date: Thu, 17 Apr 2025 04:22:01 +0530 Subject: [PATCH 410/940] Update cni-iam-role.adoc (#984) --- latest/ug/networking/cni-iam-role.adoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/latest/ug/networking/cni-iam-role.adoc b/latest/ug/networking/cni-iam-role.adoc index 8c12147fe..4814da11d 100644 --- a/latest/ug/networking/cni-iam-role.adoc +++ b/latest/ug/networking/cni-iam-role.adoc @@ -24,8 +24,8 @@ The Pods for the Amazon VPC CNI plugin for Kubernetes have access to the permiss ==== -* An existing Amazon EKS cluster. To deploy one, see <>. -* An existing {aws} Identity and Access Management (IAM) OpenID Connect (OIDC) provider for your cluster. To determine whether you already have one, or to create one, see <>. +* Requires an existing Amazon EKS cluster. To deploy one, see <>. +* Requires an existing {aws} Identity and Access Management (IAM) OpenID Connect (OIDC) provider for your cluster. To determine whether you already have one, or to create one, see <>. [#cni-iam-role-create-role] @@ -264,4 +264,4 @@ If you created a cluster that uses the `IPv6` family and the cluster has version [source,bash,subs="verbatim,attributes"] ---- aws iam create-policy --policy-name AmazonEKS_CNI_IPv6_Policy --policy-document file://vpc-cni-ipv6-policy.json ----- \ No newline at end of file +---- From bb9eee5920b2e4176bb69f8a3a5d3a4d1e018f87 Mon Sep 17 00:00:00 2001 From: guessi Date: Thu, 17 Apr 2025 06:58:44 +0800 Subject: [PATCH 411/940] Update Helm setup instructions (#961) --- latest/ug/automode/auto-migrate-karpenter.adoc | 2 +- latest/ug/automode/old/hpa_scaling.adoc | 4 ++-- latest/ug/cluster-management/cost-monitoring-kubecost.adoc | 2 +- latest/ug/cluster-management/helm.adoc | 6 ++++-- latest/ug/getting-started/setting-up.adoc | 2 +- latest/ug/networking/lbc-helm.adoc | 2 +- latest/ug/nodes/hybrid-nodes-cni.adoc | 2 +- latest/ug/observability/deploy-prometheus.adoc | 4 ++-- 8 files changed, 13 insertions(+), 11 deletions(-) diff --git a/latest/ug/automode/auto-migrate-karpenter.adoc b/latest/ug/automode/auto-migrate-karpenter.adoc index 6f55692ea..bb3bdc530 100644 --- a/latest/ug/automode/auto-migrate-karpenter.adoc +++ b/latest/ug/automode/auto-migrate-karpenter.adoc @@ -129,4 +129,4 @@ spec: == Step 8: Uninstall Karpenter from your cluster -The steps to remove Karpenter depend on how you installed it. For more information, see the https://karpenter.sh/docs/getting-started/getting-started-with-karpenter/#create-a-cluster-and-add-karpenter[Karpenter install instructions] and the https://helm.sh/docs/helm/helm_uninstall/[Helm Uninstall command]. \ No newline at end of file +The steps to remove Karpenter depend on how you installed it. For more information, see the https://karpenter.sh/docs/getting-started/getting-started-with-karpenter/#create-a-cluster-and-add-karpenter[Karpenter install instructions]. \ No newline at end of file diff --git a/latest/ug/automode/old/hpa_scaling.adoc b/latest/ug/automode/old/hpa_scaling.adoc index 3a4a8e68f..1e7f93842 100644 --- a/latest/ug/automode/old/hpa_scaling.adoc +++ b/latest/ug/automode/old/hpa_scaling.adoc @@ -17,8 +17,8 @@ This guide shows you how Karpenter autoscales nodes in conjunction with HPA scal == Prerequisites * watch (https://formulae.brew.sh/formula/watch[Mac], https://www.powershellgallery.com/packages/Watch-Command/0.1.3[Windows]) -* https://kubernetes.io/docs/tasks/tools/#kubectl[kubectl] -* https://helm.sh/docs/intro/install/[Helm] +* <> +* <> == 1. Deploy Metrics Server diff --git a/latest/ug/cluster-management/cost-monitoring-kubecost.adoc b/latest/ug/cluster-management/cost-monitoring-kubecost.adoc index 3d833d890..5585b05ec 100644 --- a/latest/ug/cluster-management/cost-monitoring-kubecost.adoc +++ b/latest/ug/cluster-management/cost-monitoring-kubecost.adoc @@ -45,7 +45,7 @@ Learn how to <>, such as Kubecost. * An existing Amazon EKS cluster. To deploy one, see <>. * The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the Kubernetes version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <>. -* Helm version 3.9.0 or later configured on your device or {aws} CloudShell. To install or update Helm, see <>. +* https://helm.sh/docs/topics/version_skew/#supported-version-skew[Supported Helm versions] on your device or {aws} CloudShell. To install or update Helm, see <>. * Cluster version should be `1.21 (or higher)` and `1.31` is officially supported as of v2. Learn more at https://www.ibm.com/docs/en/kubecost/self-hosted/2.x?topic=installation-environment#ariaid-title2[Supported Kubernetes versions]. * If your cluster is version `1.23` or later, you must have the <> installed on your cluster. diff --git a/latest/ug/cluster-management/helm.adoc b/latest/ug/cluster-management/helm.adoc index 4211faf63..3ed5dd8b9 100644 --- a/latest/ug/cluster-management/helm.adoc +++ b/latest/ug/cluster-management/helm.adoc @@ -57,15 +57,17 @@ sudo yum install openssl + [source,bash,subs="verbatim,attributes"] ---- -helm version | cut -d + -f 1 +helm version --template='{{ .Version }}{{ "\n" }}' ---- + An example output is as follows. + [source,bash,subs="verbatim,attributes"] ---- -v3.9.0 +v3.17.2 ---- +. Make sure the version installed is compatible with your cluster version. Check https://helm.sh/docs/topics/version_skew/#supported-version-skew[Supported Version Skew] to learn more. For example, if you are running with `3.17.x`, supported Kubernetes version should not out of the range of `1.29.x` ~ `1.32.x`. ++ . At this point, you can run any Helm commands (such as `helm install [.replaceable]``chart-name```) to install, modify, delete, or query Helm charts in your cluster. If you're new to Helm and don't have a specific chart to install, you can: + ** Experiment by installing an example chart. See https://helm.sh/docs/intro/quickstart#install-an-example-chart[Install an example chart] in the Helm https://helm.sh/docs/intro/quickstart/[Quickstart guide]. diff --git a/latest/ug/getting-started/setting-up.adoc b/latest/ug/getting-started/setting-up.adoc index 43dafae11..a9a2dacbb 100644 --- a/latest/ug/getting-started/setting-up.adoc +++ b/latest/ug/getting-started/setting-up.adoc @@ -18,7 +18,7 @@ To prepare for the command-line management of your Amazon EKS clusters, you need * Set up a development environment (optional)– Consider adding the following tools: + ** *Local deployment tool* – If you're new to Kubernetes, consider installing a local deployment tool like https://minikube.sigs.k8s.io/docs/[minikube] or https://kind.sigs.k8s.io/[kind]. These tools allow you to have an Amazon EKS cluster on your local machine for testing applications. -** *Package manager* – https://helm.sh/docs/intro/install/[Helm] is a popular package manager for Kubernetes that simplifies the installation and management of complex packages. With Helm, it's easier to install and manage packages like the {aws} Load Balancer Controller on your Amazon EKS cluster. +** *Package manager* – <> is a popular package manager for Kubernetes that simplifies the installation and management of complex packages. With <>, it's easier to install and manage packages like the {aws} Load Balancer Controller on your Amazon EKS cluster. [#setting-up-next-steps] diff --git a/latest/ug/networking/lbc-helm.adoc b/latest/ug/networking/lbc-helm.adoc index 1f4cbe024..33df2b461 100644 --- a/latest/ug/networking/lbc-helm.adoc +++ b/latest/ug/networking/lbc-helm.adoc @@ -35,7 +35,7 @@ Before starting this tutorial, you must install and configure the following tool * Familiarity with Kubernetes https://kubernetes.io/docs/concepts/services-networking/service/[service] and https://kubernetes.io/docs/concepts/services-networking/ingress/[ingress] resources. -* https://helm.sh/docs/helm/helm_install/[Helm] installed locally. +* <> installed locally. [#lbc-helm-iam] diff --git a/latest/ug/nodes/hybrid-nodes-cni.adoc b/latest/ug/nodes/hybrid-nodes-cni.adoc index 8e9861c14..6e4944556 100644 --- a/latest/ug/nodes/hybrid-nodes-cni.adoc +++ b/latest/ug/nodes/hybrid-nodes-cni.adoc @@ -72,7 +72,7 @@ Calico version `3.29.x` is supported and recommended for EKS Hybrid Nodes for ev == Install Cilium on hybrid nodes -. Ensure that you have installed the Helm CLI on your command-line environment. See the https://helm.sh/docs/intro/quickstart/[Helm documentation] for installation instructions. +. Ensure that you have installed the Helm CLI on your command-line environment. See the <> for installation instructions. . Install the Cilium Helm repo. + [source,bash,subs="verbatim,attributes"] diff --git a/latest/ug/observability/deploy-prometheus.adoc b/latest/ug/observability/deploy-prometheus.adoc index 7deda581a..b83752830 100644 --- a/latest/ug/observability/deploy-prometheus.adoc +++ b/latest/ug/observability/deploy-prometheus.adoc @@ -7,10 +7,10 @@ include::../attributes.txt[] [abstract] -- -As an alternative to using Amazon Managed Service for Prometheus, you can deploy Prometheus into your cluster with Helm V3. +As an alternative to using Amazon Managed Service for Prometheus, you can deploy Prometheus into your cluster with https://helm.sh/docs/topics/version_skew/#supported-version-skew[supported Helm versions]. -- -As an alternative to using Amazon Managed Service for Prometheus, you can deploy Prometheus into your cluster with Helm V3. If you already have Helm installed, you can check your version with the `helm version` command. Helm is a package manager for Kubernetes clusters. For more information about Helm and how to install it, see <>. +As an alternative to using Amazon Managed Service for Prometheus, you can deploy Prometheus into your cluster with Helm. If you already have Helm installed, you can check your version with the `helm version` command. Helm is a package manager for Kubernetes clusters. For more information about Helm and how to install it, see <>. After you configure Helm for your Amazon EKS cluster, you can use it to deploy Prometheus with the following steps. From 79fd749d30f4affbf7a59db460dcd0959281988c Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Wed, 16 Apr 2025 17:58:59 -0500 Subject: [PATCH 412/940] Remove K8s Version 1.24 (#975) * fixup * remove 1.24 --- latest/ug/clusters/kubernetes-versions.adoc | 6 - latest/ug/clusters/platform-versions.adoc | 180 ---- .../aws-access/configure-sts-endpoint.adoc | 7 - .../aws-access/pod-identities.adoc | 2 - .../k8s-access/setting-up-access-entries.adoc | 5 - latest/ug/networking/managing-coredns.adoc | 1 - latest/ug/networking/managing-kube-proxy.adoc | 2 - latest/ug/networking/managing-vpc-cni.adoc | 1 - latest/ug/nodes/eks-ami-versions-windows.adoc | 966 ++---------------- .../eks-outposts-local-cluster-create.adoc | 2 +- latest/ug/workloads/eks-add-ons.adoc | 3 - 11 files changed, 89 insertions(+), 1086 deletions(-) diff --git a/latest/ug/clusters/kubernetes-versions.adoc b/latest/ug/clusters/kubernetes-versions.adoc index 2100a727f..9b34012e8 100644 --- a/latest/ug/clusters/kubernetes-versions.adoc +++ b/latest/ug/clusters/kubernetes-versions.adoc @@ -117,12 +117,6 @@ Dates with only a month and a year are approximate and are updated with an exact |May 1, 2024 |May 1, 2025 -|`1.24` -|May 3, 2022 -|November 15, 2022 -|January 31, 2024 -|January 31, 2025 - |=== [#version-cli] diff --git a/latest/ug/clusters/platform-versions.adoc b/latest/ug/clusters/platform-versions.adoc index 745fb10e4..7ad7ea49c 100644 --- a/latest/ug/clusters/platform-versions.adoc +++ b/latest/ug/clusters/platform-versions.adoc @@ -937,186 +937,6 @@ The following admission controllers are enabled for all `1.25` platform versions | February 21, 2023 |=== -[#platform-versions-1-24] -== Kubernetes version `1.24` - -The following admission controllers are enabled for all `1.24` platform versions: `CertificateApproval`, `CertificateSigning`, `CertificateSubjectRestriction`, `DefaultIngressClass`, `DefaultStorageClass`, `DefaultTolerationSeconds`, `ExtendedResourceToleration`, `LimitRanger`, `MutatingAdmissionWebhook`, `NamespaceLifecycle`, `NodeRestriction`, `PersistentVolumeClaimResize`, `Priority`, `PodSecurityPolicy`, `ResourceQuota`, `RuntimeClass`, `ServiceAccount`, `StorageObjectInUseProtection`, `TaintNodesByCondition`, and `ValidatingAdmissionWebhook`. - -[cols="1,1,1,1", options="header"] -|=== -| Kubernetes version -| EKS platform version -| Release notes -| Release date - -| `1.24.17` -| `eks.45` -| New platform version with security fixes and enhancements. -| February 24, 2025 - -| `1.24.17` -| `eks.44` -| New platform version with security fixes and enhancements. -| January 17, 2025 - -| `1.24.17` -| `eks.43` -| New platform version with security fixes and enhancements. -| January 3, 2025 - -| `1.24.17` -| `eks.42` -| New platform version with security fixes and enhancements. -| December 13, 2024 - -| `1.24.17` -| `eks.41` -| New platform version with security fixes and enhancements. -| December 13, 2024 - -| `1.24.17` -| `eks.40` -| New platform version with security fixes and enhancements. -| December 13, 2024 - -| `1.24.17` -| `eks.39` -| New platform version with security fixes and enhancements. -| November 15, 2024 - -| `1.24.17` -| `eks.32` -| New platform version with security fixes and enhancements. -| October 21, 2024 - -| `1.24.17` -| `eks.28` -| New platform version with security fixes and enhancements. -| September 3, 2024 - - -| `1.24.17` -| `eks.27` -| New platform version with security fixes and enhancements. -| August 28, 2024 - - -| `1.24.17` -| `eks.26` -| New platform version with security fixes and enhancements. -| August 9, 2024 - -| `1.24.17` -| `eks.25` -| New platform version with security fixes and enhancements. -| July 2, 2024 - -| `1.24.17` -| `eks.22` -| New platform version with security fixes and enhancements. -| May 16, 2024 - -| `1.24.17` -| `eks.21` -| New platform version with security fixes and enhancements. -| April 18, 2024 - -| `1.24.17` -| `eks.20` -| New platform version with security fixes and enhancements. -| March 29, 2024 - -| `1.24.17` -| `eks.19` -| New platform version with security fixes and enhancements. -| March 20, 2024 - -| `1.24.17` -| `eks.18` -| New platform version with security fixes and enhancements. -| March 12, 2024 - -| `1.24.17` -| `eks.16` -| New platform version with security fixes and enhancements. -| January 17, 2024 - -| `1.24.17` -| `eks.15` -| New platform version with <>, security fixes and enhancements. -| December 14, 2023 - -| `1.24.17` -| `eks.14` -| New platform version with security fixes and enhancements. -| December 12, 2023 - -| `1.24.17` -| `eks.13` -| New platform version with <>, security fixes and enhancements. -| November 10, 2023 - -| `1.24.17` -| `eks.12` -| New platform version with security fixes and enhancements. -| November 3, 2023 - -| `1.24.17` -| `eks.11` -| New platform version with security fixes and enhancements. -| October 16, 2023 - -| `1.24.16` -| `eks.10` -| New platform version with security fixes and enhancements. -| August 30, 2023 - -| `1.24.16` -| `eks.9` -| New platform version with security fixes and enhancements. -| July 30, 2023 - -| `1.24.15` -| `eks.8` -| New platform version with security fixes and enhancements. -| June 30, 2023 - -| `1.24.14` -| `eks.7` -| New platform version with security fixes and enhancements. -| June 9, 2023 - -| `1.24.13` -| `eks.6` -| New platform version with security fixes and enhancements. -| May 5, 2023 - -| `1.24.12` -| `eks.5` -| New platform version with security fixes and enhancements. -| March 24, 2023 - -| `1.24.8` -| `eks.4` -| New platform version with security fixes and enhancements. -| January 27, 2023 - -| `1.24.7` -| `eks.3` -| New platform version with security fixes and enhancements. -| December 5, 2022 - -| `1.24.7` -| `eks.2` -| New platform version with security fixes and enhancements. -| November 18, 2022 - -| `1.24.7` -| `eks.1` -| Initial release of Kubernetes version `1.24` for EKS. -| November 15, 2022 -|=== - [#get-platform-version] == Get current platform version . Open the Amazon EKS console. diff --git a/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc b/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc index 45f719737..3e9e1bb31 100644 --- a/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc +++ b/latest/ug/manage-access/aws-access/configure-sts-endpoint.adoc @@ -42,13 +42,6 @@ If you're using a Kubernetes service account with <>. \ No newline at end of file diff --git a/latest/ug/networking/managing-coredns.adoc b/latest/ug/networking/managing-coredns.adoc index 835b8a058..61a5feed3 100644 --- a/latest/ug/networking/managing-coredns.adoc +++ b/latest/ug/networking/managing-coredns.adoc @@ -45,7 +45,6 @@ The following table lists the latest version of the Amazon EKS add-on type for e | 1.27 | v1.10.1-eksbuild.18 | 1.26 | v1.9.3-eksbuild.22 | 1.25 | v1.9.3-eksbuild.22 -| 1.24 | v1.9.3-eksbuild.22 |=== [IMPORTANT] diff --git a/latest/ug/networking/managing-kube-proxy.adoc b/latest/ug/networking/managing-kube-proxy.adoc index e246e3a62..2cbec439e 100644 --- a/latest/ug/networking/managing-kube-proxy.adoc +++ b/latest/ug/networking/managing-kube-proxy.adoc @@ -43,7 +43,6 @@ The following table lists the latest version of the Amazon EKS add-on type for e | 1.27 | v1.27.16-eksbuild.19 | 1.26 | v1.26.15-eksbuild.24 | 1.25 | v1.25.16-eksbuild.27 -| 1.24 | v1.24.17-eksbuild.19 |=== [NOTE] @@ -80,7 +79,6 @@ The following table lists the latest available self-managed `kube-proxy` contain | 1.27 | Only minimal type is available | v1.27.16-minimal-eksbuild.19 | 1.26 | Only minimal type is available | v1.26.15-minimal-eksbuild.24 | 1.25 | Only minimal type is available | v1.25.16-minimal-eksbuild.27 -| 1.24 | v1.24.10-eksbuild.2 | v1.24.17-minimal-eksbuild.19 |=== diff --git a/latest/ug/networking/managing-vpc-cni.adoc b/latest/ug/networking/managing-vpc-cni.adoc index bc70402df..cd52876f6 100644 --- a/latest/ug/networking/managing-vpc-cni.adoc +++ b/latest/ug/networking/managing-vpc-cni.adoc @@ -37,7 +37,6 @@ The following table lists the latest available version of the Amazon EKS add-on | 1.27 | v1.19.2-eksbuild.5 | 1.26 | v1.19.2-eksbuild.5 | 1.25 | v1.19.2-eksbuild.5 -| 1.24 | v1.19.2-eksbuild.5 |=== [IMPORTANT] diff --git a/latest/ug/nodes/eks-ami-versions-windows.adoc b/latest/ug/nodes/eks-ami-versions-windows.adoc index e58a9aede..8c1ee7659 100644 --- a/latest/ug/nodes/eks-ami-versions-windows.adoc +++ b/latest/ug/nodes/eks-ami-versions-windows.adoc @@ -1011,203 +1011,6 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.1.1` | |=== - -*Kubernetes version 1.24*:: -+ -[cols="1,1,1,1,1", options="header"] -|=== -|AMI version -|kubelet version -|containerd version -|csi-proxy version -|Release notes - -|`1.24-2025-01-15` -|`1.24.17` -|`1.7.14` -|`1.1.3` -| - -|`1.24-2024.12.11` -|`1.24.17` -|`1.7.14` -|`1.1.3` -| - -|`1.24-2024.11.12` -|`1.24.17` -|`1.7.14` -|`1.1.3` -| - -|`1.24-2024.10.08` -|`1.24.17` -|`1.7.14` -|`1.1.3` -| - -|`1.24-2024.09.10` -|`1.24.17` -|`1.7.14` -|`1.1.3` -| - -|`1.24-2024.08.13` -|`1.24.17` -|`1.7.14` -|`1.1.3` -| - -|`1.24-2024.07.10` -|`1.24.17` -|`1.7.11` -|`1.1.2` -|Includes patches for `CVE-2024-5321`. - -|`1.24-2024.06.17` -|`1.24.17` -|`1.7.11` -|`1.1.2` -|Upgraded `containerd` to `1.7.11`. - -|`1.24-2024.05.14` -|`1.24.17` -|`1.6.28` -|`1.1.2` -|Upgraded `containerd` to `1.6.28`. - -|`1.24-2024.04.09` -|`1.24.17` -|`1.6.25` -|`1.1.2` -|Upgraded `containerd` to `1.6.25`. Rebuilt CNI and `csi-proxy` using `golang 1.22.1`. - -|`1.24-2024.03.12` -|`1.24.17` -|`1.6.18` -|`1.1.2` -| - -|`1.24-2024.02.13` -|`1.24.17` -|`1.6.18` -|`1.1.2` -| - -|`1.24-2024.01.11` -|`1.24.17` -|`1.6.18` -|`1.1.2` -|Excluded Standalone Windows Update https://support.microsoft.com/en-au/topic/kb5034439-windows-recovery-environment-update-for-azure-stack-hci-version-22h2-and-windows-server-2022-january-9-2024-6f9d26e6-784c-4503-a3c6-0beedda443ca[KB5034439] on Windows Server 2022 Core AMIs. The KB applies only to Windows installations with a separate WinRE partition, which aren't included with any of our Amazon EKS Optimized Windows AMIs. - -|`1.24-2023.12.12` -|`1.24.17` -|`1.6.18` -|`1.1.2` -| - -|`1.24-2023.11.14` -|`1.24.17` -|`1.6.18` -|`1.1.2` -|Includes patches for `CVE-2023-5528`. - -|`1.24-2023.10.19` -|`1.24.17` -|`1.6.18` -|`1.1.2` -|Upgraded `containerd` to `1.6.18`. Upgraded `kubelet` to `1.24.17`. Added new <> (`SERVICE_IPV4_CIDR` and `EXCLUDED_SNAT_CIDRS`). - -|`1.24-2023.09.12` -|`1.24.16` -|`1.6.6` -|`1.1.2` -|Upgraded the Amazon VPC CNI plugin to use the Kubernetes connector binary, which gets the Pod IP address from the Kubernetes API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. - -|`1.24-2023.08.17` -|`1.24.16` -|`1.6.6` -|`1.1.2` -|Includes patches for `CVE-2023-3676`, `CVE-2023-3893`, and `CVE-2023-3955`. - -|`1.24-2023.08.08` -|`1.24.13` -|`1.6.6` -|`1.1.1` -| - -|`1.24-2023.07.11` -|`1.24.13` -|`1.6.6` -|`1.1.1` -| - -|`1.24-2023.06.20` -|`1.24.13` -|`1.6.6` -|`1.1.1` -|Resolved issue that was causing the DNS suffix search list to be incorrectly populated. - -|`1.24-2023.06.14` -|`1.24.13` -|`1.6.6` -|`1.1.1` -|Upgraded Kubernetes to `1.24.13`. Added support for host port mapping in CNI. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/93[pull request #93]. - -|`1.24-2023.05.09` -|`1.24.7` -|`1.6.6` -|`1.1.1` -|Fixed a bug causing network connectivity https://github.com/aws/containers-roadmap/issues/1126[issue #1126] on pods after node restart. Introduced a new <> (`ExcludedSnatCIDRs`). - -|`1.24-2023.04.11` -|`1.24.7` -|`1.6.6` -|`1.1.1` -|Added recovery mechanism for `kubelet` and `kube-proxy` on service crash. - -|`1.24-2023.03.27` -|`1.24.7` -|`1.6.6` -|`1.1.1` -|Installed a link:containers/domainless-windows-authentication-for-amazon-eks-windows-pods[domainless gMSA plugin,type="blog"] to facilitate gMSA authentication for Windows containers on Amazon EKS. - -|`1.24-2023.03.20` -|`1.24.7` -|`1.6.6` -|`1.1.1` -|Kubernetes version downgraded to `1.24.7` because `1.24.10` has a reported issue in `kube-proxy`. - -|`1.24-2023.02.14` -|`1.24.10` -|`1.6.6` -|`1.1.1` -| - -|`1.24-2023.01.23` -|`1.24.7` -|`1.6.6` -|`1.1.1` -| - -|`1.24-2023.01.11` -|`1.24.7` -|`1.6.6` -|`1.1.1` -| - -|`1.24-2022.12.13` -|`1.24.7` -|`1.6.6` -|`1.1.1` -| - -|`1.24-2022.10.11` -|`1.24.7` -|`1.6.6` -|`1.1.1` -| -|=== ==== [#eks-ami-versions-windows-2022-full] @@ -2194,204 +1997,6 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.1.1` | |=== - - -*Kubernetes version 1.24*:: -+ -[cols="1,1,1,1,1", options="header"] -|=== -|AMI version -|kubelet version -|containerd version -|csi-proxy version -|Release notes - -|`1.24-2025-01-15` -|`1.24.17` -|`1.7.14` -|`1.1.3` -| - -|`1.24-2024.12.11` -|`1.24.17` -|`1.7.14` -|`1.1.3` -| - -|`1.24-2024.11.12` -|`1.24.17` -|`1.7.14` -|`1.1.3` -| - -|`1.24-2024.10.08` -|`1.24.17` -|`1.7.14` -|`1.1.3` -| - -|`1.24-2024.09.10` -|`1.24.17` -|`1.7.14` -|`1.1.3` -| - -|`1.24-2024.08.13` -|`1.24.17` -|`1.7.14` -|`1.1.3` -| - -|`1.24-2024.07.10` -|`1.24.17` -|`1.7.11` -|`1.1.2` -|Includes patches for `CVE-2024-5321`. - -|`1.24-2024.06.17` -|`1.24.17` -|`1.7.11` -|`1.1.2` -|Upgraded `containerd` to `1.7.11`. - -|`1.24-2024.05.14` -|`1.24.17` -|`1.6.28` -|`1.1.2` -|Upgraded `containerd` to `1.6.28`. - -|`1.24-2024.04.09` -|`1.24.17` -|`1.6.25` -|`1.1.2` -|Upgraded `containerd` to `1.6.25`. Rebuilt CNI and `csi-proxy` using `golang 1.22.1`. - -|`1.24-2024.03.12` -|`1.24.17` -|`1.6.18` -|`1.1.2` -| - -|`1.24-2024.02.13` -|`1.24.17` -|`1.6.18` -|`1.1.2` -| - -|`1.24-2024.01.09` -|`1.24.17` -|`1.6.18` -|`1.1.2` -| - -|`1.24-2023.12.12` -|`1.24.17` -|`1.6.18` -|`1.1.2` -| - -|`1.24-2023.11.14` -|`1.24.17` -|`1.6.18` -|`1.1.2` -|Includes patches for `CVE-2023-5528`. - -|`1.24-2023.10.19` -|`1.24.17` -|`1.6.18` -|`1.1.2` -|Upgraded `containerd` to `1.6.18`. Upgraded `kubelet` to `1.24.17`. Added new <> (`SERVICE_IPV4_CIDR` and `EXCLUDED_SNAT_CIDRS`). - -|`1.24-2023.09.12` -|`1.24.16` -|`1.6.6` -|`1.1.2` -|Upgraded the Amazon VPC CNI plugin to use the Kubernetes connector binary, which gets the Pod IP address from the Kubernetes API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. - -|`1.24-2023.08.17` -|`1.24.16` -|`1.6.6` -|`1.1.2` -|Includes patches for `CVE-2023-3676`, `CVE-2023-3893`, and `CVE-2023-3955`. - -|`1.24-2023.08.08` -|`1.24.13` -|`1.6.6` -|`1.1.1` -| - -|`1.24-2023.07.11` -|`1.24.13` -|`1.6.6` -|`1.1.1` -| - -|`1.24-2023.06.20` -|`1.24.13` -|`1.6.6` -|`1.1.1` -|Resolved issue that was causing the DNS suffix search list to be incorrectly populated. - -|`1.24-2023.06.14` -|`1.24.13` -|`1.6.6` -|`1.1.1` -|Upgraded Kubernetes to `1.24.13`. Added support for host port mapping in CNI. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/93[pull request #93]. - -|`1.24-2023.05.09` -|`1.24.7` -|`1.6.6` -|`1.1.1` -|Fixed a bug causing network connectivity https://github.com/aws/containers-roadmap/issues/1126[issue #1126] on pods after node restart. Introduced a new <> (`ExcludedSnatCIDRs`). - -|`1.24-2023.04.11` -|`1.24.7` -|`1.6.6` -|`1.1.1` -|Added recovery mechanism for `kubelet` and `kube-proxy` on service crash. - -|`1.24-2023.03.27` -|`1.24.7` -|`1.6.6` -|`1.1.1` -|Installed a link:containers/domainless-windows-authentication-for-amazon-eks-windows-pods[domainless gMSA plugin,type="blog"] to facilitate gMSA authentication for Windows containers on Amazon EKS. - -|`1.24-2023.03.20` -|`1.24.7` -|`1.6.6` -|`1.1.1` -|Kubernetes version downgraded to `1.24.7` because `1.24.10` has a reported issue in `kube-proxy`. - -|`1.24-2023.02.14` -|`1.24.10` -|`1.6.6` -|`1.1.1` -| - -|`1.24-2023.01.23` -|`1.24.7` -|`1.6.6` -|`1.1.1` -| - -|`1.24-2023.01.11` -|`1.24.7` -|`1.6.6` -|`1.1.1` -| - -|`1.24-2022.12.14` -|`1.24.7` -|`1.6.6` -|`1.1.1` -| - -|`1.24-2022.10.11` -|`1.24.7` -|`1.6.6` -|`1.1.1` -| -|=== ==== [#eks-ami-versions-windows-2019-core] @@ -3149,238 +2754,52 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.6.6` |`1.1.1` | - -|`1.26-2023.07.11` -|`1.26.6` -|`1.6.6` -|`1.1.1` -| - -|`1.26-2023.06.20` -|`1.26.4` -|`1.6.6` -|`1.1.1` -|Resolved issue that was causing the DNS suffix search list to be incorrectly populated. - -|`1.26-2023.06.14` -|`1.26.4` -|`1.6.6` -|`1.1.1` -|Upgraded Kubernetes to `1.26.4`. Added support for host port mapping in CNI. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/93[pull request #93]. - -|`1.26-2023.05.09` -|`1.26.2` -|`1.6.6` -|`1.1.1` -|Fixed a bug causing network connectivity https://github.com/aws/containers-roadmap/issues/1126[issue #1126] on pods after node restart. Introduced a new <> (`ExcludedSnatCIDRs`). - -|`1.26-2023.04.26` -|`1.26.2` -|`1.6.6` -|`1.1.1` -| - -|`1.26-2023.04.11` -|`1.26.2` -|`1.6.6` -|`1.1.1` -|Added recovery mechanism for `kubelet` and `kube-proxy` on service crash. - -|`1.26-2023.03.24` -|`1.26.2` -|`1.6.6` -|`1.1.1` -| -|=== - - -*Kubernetes version 1.25*:: -+ -[cols="1,1,1,1,1", options="header"] -|=== -|AMI version -|kubelet version -|containerd version -|csi-proxy version -|Release notes - -|`1.25-2025.03.14` -|`1.25.16` -|`1.7.20` -|`1.1.3` -|Upgraded `containerd` to `1.7.20`. - -|`1.25-2025.02.18` -|`1.25.16` -|`1.7.14` -|`1.1.3` -| - -|`1.25-2025-01-15` -|`1.25.16` -|`1.7.14` -|`1.1.3` -| - -|`1.25-2024.12.13` -|`1.25.16` -|`1.7.14` -|`1.1.3` -| - -|`1.25-2024.11.12` -|`1.25.16` -|`1.7.14` -|`1.1.3` -| - -|`1.25-2024.10.08` -|`1.25.16` -|`1.7.14` -|`1.1.3` -| - -|`1.25-2024.09.10` -|`1.25.16` -|`1.7.14` -|`1.1.3` -| - -|`1.25-2024.08.13` -|`1.25.16` -|`1.7.14` -|`1.1.3` -| - -|`1.25-2024.07.10` -|`1.25.16` -|`1.7.11` -|`1.1.2` -|Includes patches for `CVE-2024-5321`. - -|`1.25-2024.06.17` -|`1.25.16` -|`1.7.11` -|`1.1.2` -|Upgraded `containerd` to `1.7.11`. - -|`1.25-2024.05.14` -|`1.25.16` -|`1.6.28` -|`1.1.2` -|Upgraded `containerd` to `1.6.28`. - -|`1.25-2024.04.09` -|`1.25.16` -|`1.6.25` -|`1.1.2` -|Upgraded `containerd` to `1.6.25`. Rebuilt CNI and `csi-proxy` using `golang 1.22.1`. - -|`1.25-2024.03.13` -|`1.25.16` -|`1.6.18` -|`1.1.2` -| - -|`1.25-2024.02.13` -|`1.25.16` -|`1.6.18` -|`1.1.2` -| - -|`1.25-2024.01.09` -|`1.25.16` -|`1.6.18` -|`1.1.2` -| - -|`1.25-2023.12.12` -|`1.25.15` -|`1.6.18` -|`1.1.2` -| - -|`1.25-2023.11.14` -|`1.25.15` -|`1.6.18` -|`1.1.2` -|Includes patches for `CVE-2023-5528`. - -|`1.25-2023.10.19` -|`1.25.14` -|`1.6.18` -|`1.1.2` -|Upgraded `containerd` to `1.6.18`. Upgraded `kubelet` to `1.25.14`. Added new <> (`SERVICE_IPV4_CIDR` and `EXCLUDED_SNAT_CIDRS`). - -|`1.25-2023.09.12` -|`1.25.12` -|`1.6.6` -|`1.1.2` -|Upgraded the Amazon VPC CNI plugin to use the Kubernetes connector binary, which gets the Pod IP address from the Kubernetes API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. - -|`1.25-2023.08.17` -|`1.25.12` -|`1.6.6` -|`1.1.2` -|Includes patches for `CVE-2023-3676`, `CVE-2023-3893`, and `CVE-2023-3955`. - -|`1.25-2023.08.08` -|`1.25.9` -|`1.6.6` -|`1.1.1` -| - -|`1.25-2023.07.11` -|`1.25.9` + +|`1.26-2023.07.11` +|`1.26.6` |`1.6.6` |`1.1.1` | -|`1.25-2023.06.20` -|`1.25.9` +|`1.26-2023.06.20` +|`1.26.4` |`1.6.6` |`1.1.1` |Resolved issue that was causing the DNS suffix search list to be incorrectly populated. -|`1.25-2023.06.14` -|`1.25.9` +|`1.26-2023.06.14` +|`1.26.4` |`1.6.6` |`1.1.1` -|Upgraded Kubernetes to `1.25.9`. Added support for host port mapping in CNI. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/93[pull request #93]. +|Upgraded Kubernetes to `1.26.4`. Added support for host port mapping in CNI. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/93[pull request #93]. -|`1.25-2023.05.09` -|`1.25.7` +|`1.26-2023.05.09` +|`1.26.2` |`1.6.6` |`1.1.1` |Fixed a bug causing network connectivity https://github.com/aws/containers-roadmap/issues/1126[issue #1126] on pods after node restart. Introduced a new <> (`ExcludedSnatCIDRs`). -|`1.25-2023.04.11` -|`1.25.7` -|`1.6.6` -|`1.1.1` -|Added recovery mechanism for `kubelet` and `kube-proxy` on service crash. - -|`1.25-2023.03.27` -|`1.25.6` +|`1.26-2023.04.26` +|`1.26.2` |`1.6.6` |`1.1.1` -|Installed a link:containers/domainless-windows-authentication-for-amazon-eks-windows-pods[domainless gMSA plugin,type="blog"] to facilitate gMSA authentication for Windows containers on Amazon EKS. +| -|`1.25-2023.03.20` -|`1.25.6` +|`1.26-2023.04.11` +|`1.26.2` |`1.6.6` |`1.1.1` -| +|Added recovery mechanism for `kubelet` and `kube-proxy` on service crash. -|`1.25-2023.02.14` -|`1.25.6` +|`1.26-2023.03.24` +|`1.26.2` |`1.6.6` |`1.1.1` | |=== -*Kubernetes version 1.24*:: +*Kubernetes version 1.25*:: + [cols="1,1,1,1,1", options="header"] |=== @@ -3390,194 +2809,183 @@ The following tables list the current and previous versions of the Amazon EKS op |csi-proxy version |Release notes -|`1.24-2025-01-15` -|`1.24.17` +|`1.25-2025.03.14` +|`1.25.16` +|`1.7.20` +|`1.1.3` +|Upgraded `containerd` to `1.7.20`. + +|`1.25-2025.02.18` +|`1.25.16` +|`1.7.14` +|`1.1.3` +| + +|`1.25-2025-01-15` +|`1.25.16` |`1.7.14` |`1.1.3` | -|`1.24-2024.12.11` -|`1.24.17` +|`1.25-2024.12.13` +|`1.25.16` |`1.7.14` |`1.1.3` | -|`1.24-2024.11.12` -|`1.24.17` +|`1.25-2024.11.12` +|`1.25.16` |`1.7.14` |`1.1.3` | -|`1.24-2024.10.08` -|`1.24.17` +|`1.25-2024.10.08` +|`1.25.16` |`1.7.14` |`1.1.3` | -|`1.24-2024.09.10` -|`1.24.17` +|`1.25-2024.09.10` +|`1.25.16` |`1.7.14` |`1.1.3` | -|`1.24-2024.08.13` -|`1.24.17` +|`1.25-2024.08.13` +|`1.25.16` |`1.7.14` |`1.1.3` | -|`1.24-2024.07.10` -|`1.24.17` +|`1.25-2024.07.10` +|`1.25.16` |`1.7.11` |`1.1.2` |Includes patches for `CVE-2024-5321`. -|`1.24-2024.06.17` -|`1.24.17` +|`1.25-2024.06.17` +|`1.25.16` |`1.7.11` |`1.1.2` |Upgraded `containerd` to `1.7.11`. -|`1.24-2024.05.14` -|`1.24.17` +|`1.25-2024.05.14` +|`1.25.16` |`1.6.28` |`1.1.2` |Upgraded `containerd` to `1.6.28`. -|`1.24-2024.04.09` -|`1.24.17` +|`1.25-2024.04.09` +|`1.25.16` |`1.6.25` |`1.1.2` |Upgraded `containerd` to `1.6.25`. Rebuilt CNI and `csi-proxy` using `golang 1.22.1`. -|`1.24-2024.03.13` -|`1.24.17` +|`1.25-2024.03.13` +|`1.25.16` |`1.6.18` |`1.1.2` | -|`1.24-2024.02.13` -|`1.24.17` +|`1.25-2024.02.13` +|`1.25.16` |`1.6.18` |`1.1.2` | -|`1.24-2024.01.09` -|`1.24.17` +|`1.25-2024.01.09` +|`1.25.16` |`1.6.18` |`1.1.2` | -|`1.24-2023.12.12` -|`1.24.17` +|`1.25-2023.12.12` +|`1.25.15` |`1.6.18` |`1.1.2` | -|`1.24-2023.11.14` -|`1.24.17` +|`1.25-2023.11.14` +|`1.25.15` |`1.6.18` |`1.1.2` |Includes patches for `CVE-2023-5528`. -|`1.24-2023.10.19` -|`1.24.17` +|`1.25-2023.10.19` +|`1.25.14` |`1.6.18` |`1.1.2` -|Upgraded `containerd` to `1.6.18`. Upgraded `kubelet` to `1.24.17`. Added new <> (`SERVICE_IPV4_CIDR` and `EXCLUDED_SNAT_CIDRS`). +|Upgraded `containerd` to `1.6.18`. Upgraded `kubelet` to `1.25.14`. Added new <> (`SERVICE_IPV4_CIDR` and `EXCLUDED_SNAT_CIDRS`). -|`1.24-2023.09.12` -|`1.24.16` +|`1.25-2023.09.12` +|`1.25.12` |`1.6.6` |`1.1.2` |Upgraded the Amazon VPC CNI plugin to use the Kubernetes connector binary, which gets the Pod IP address from the Kubernetes API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. -|`1.24-2023.08.17` -|`1.24.16` +|`1.25-2023.08.17` +|`1.25.12` |`1.6.6` |`1.1.2` |Includes patches for `CVE-2023-3676`, `CVE-2023-3893`, and `CVE-2023-3955`. -|`1.24-2023.08.08` -|`1.24.13` +|`1.25-2023.08.08` +|`1.25.9` |`1.6.6` |`1.1.1` | -|`1.24-2023.07.11` -|`1.24.13` +|`1.25-2023.07.11` +|`1.25.9` |`1.6.6` |`1.1.1` | -|`1.24-2023.06.20` -|`1.24.13` +|`1.25-2023.06.20` +|`1.25.9` |`1.6.6` |`1.1.1` |Resolved issue that was causing the DNS suffix search list to be incorrectly populated. -|`1.24-2023.06.14` -|`1.24.13` +|`1.25-2023.06.14` +|`1.25.9` |`1.6.6` |`1.1.1` -|Upgraded Kubernetes to `1.24.13`. Added support for host port mapping in CNI. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/93[pull request #93]. +|Upgraded Kubernetes to `1.25.9`. Added support for host port mapping in CNI. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/93[pull request #93]. -|`1.24-2023.05.09` -|`1.24.7` +|`1.25-2023.05.09` +|`1.25.7` |`1.6.6` |`1.1.1` |Fixed a bug causing network connectivity https://github.com/aws/containers-roadmap/issues/1126[issue #1126] on pods after node restart. Introduced a new <> (`ExcludedSnatCIDRs`). -|`1.24-2023.04.11` -|`1.24.7` +|`1.25-2023.04.11` +|`1.25.7` |`1.6.6` |`1.1.1` |Added recovery mechanism for `kubelet` and `kube-proxy` on service crash. -|`1.24-2023.03.27` -|`1.24.7` +|`1.25-2023.03.27` +|`1.25.6` |`1.6.6` |`1.1.1` |Installed a link:containers/domainless-windows-authentication-for-amazon-eks-windows-pods[domainless gMSA plugin,type="blog"] to facilitate gMSA authentication for Windows containers on Amazon EKS. -|`1.24-2023.03.20` -|`1.24.7` -|`1.6.6` -|`1.1.1` -|Kubernetes version downgraded to `1.24.7` because `1.24.10` has a reported issue in `kube-proxy`. - -|`1.24-2023.02.14` -|`1.24.10` -|`1.6.6` -|`1.1.1` -| - -|`1.24-2023.01.23` -|`1.24.7` -|`1.6.6` -|`1.1.1` -| - -|`1.24-2023.01.11` -|`1.24.7` -|`1.6.6` -|`1.1.1` -| - -|`1.24-2022.12.13` -|`1.24.7` +|`1.25-2023.03.20` +|`1.25.6` |`1.6.6` |`1.1.1` | -|`1.24-2022.11.08` -|`1.24.7` +|`1.25-2023.02.14` +|`1.25.6` |`1.6.6` |`1.1.1` | |=== ==== + [#eks-ami-versions-windows-2019-full] == Amazon EKS optimized Windows Server 2019 Full AMI @@ -4562,202 +3970,4 @@ The following tables list the current and previous versions of the Amazon EKS op |`1.1.1` | |=== - - -*Kubernetes version 1.24*:: -+ -[cols="1,1,1,1,1", options="header"] -|=== -|AMI version -|kubelet version -|containerd version -|csi-proxy version -|Release notes - -|`1.24-2025-01-15` -|`1.24.17` -|`1.7.14` -|`1.1.3` -| - -|`1.24-2024.12.11` -|`1.24.17` -|`1.7.14` -|`1.1.3` -| - -|`1.24-2024.11.12` -|`1.24.17` -|`1.7.14` -|`1.1.3` -| - -|`1.24-2024.10.08` -|`1.24.17` -|`1.7.14` -|`1.1.3` -| - -|`1.24-2024.09.10` -|`1.24.17` -|`1.7.14` -|`1.1.3` -| - -|`1.24-2024.08.13` -|`1.24.17` -|`1.7.14` -|`1.1.3` -| - -|`1.24-2024.07.10` -|`1.24.17` -|`1.7.11` -|`1.1.2` -|Includes patches for `CVE-2024-5321`. - -|`1.24-2024.06.17` -|`1.24.17` -|`1.7.11` -|`1.1.2` -|Upgraded `containerd` to `1.7.11`. - -|`1.24-2024.05.14` -|`1.24.17` -|`1.6.28` -|`1.1.2` -|Upgraded `containerd` to `1.6.28`. - -|`1.24-2024.04.09` -|`1.24.17` -|`1.6.25` -|`1.1.2` -|Upgraded `containerd` to `1.6.25`. Rebuilt CNI and `csi-proxy` using `golang 1.22.1`. - -|`1.24-2024.03.13` -|`1.24.17` -|`1.6.18` -|`1.1.2` -| - -|`1.24-2024.02.13` -|`1.24.17` -|`1.6.18` -|`1.1.2` -| - -|`1.24-2024.01.09` -|`1.24.17` -|`1.6.18` -|`1.1.2` -| - -|`1.24-2023.12.12` -|`1.24.17` -|`1.6.18` -|`1.1.2` -| - -|`1.24-2023.11.14` -|`1.24.17` -|`1.6.18` -|`1.1.2` -|Includes patches for `CVE-2023-5528`. - -|`1.24-2023.10.19` -|`1.24.17` -|`1.6.18` -|`1.1.2` -|Upgraded `containerd` to `1.6.18`. Upgraded `kubelet` to `1.24.17`. Added new <> (`SERVICE_IPV4_CIDR` and `EXCLUDED_SNAT_CIDRS`). - -|`1.24-2023.09.12` -|`1.24.16` -|`1.6.6` -|`1.1.2` -|Upgraded the Amazon VPC CNI plugin to use the Kubernetes connector binary, which gets the Pod IP address from the Kubernetes API server. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/100[pull request #100]. - -|`1.24-2023.08.17` -|`1.24.16` -|`1.6.6` -|`1.1.2` -|Includes patches for `CVE-2023-3676`, `CVE-2023-3893`, and `CVE-2023-3955`. - -|`1.24-2023.08.08` -|`1.24.13` -|`1.6.6` -|`1.1.1` -| - -|`1.24-2023.07.11` -|`1.24.13` -|`1.6.6` -|`1.1.1` -| - -|`1.24-2023.06.21` -|`1.24.13` -|`1.6.6` -|`1.1.1` -|Resolved issue that was causing the DNS suffix search list to be incorrectly populated. - -|`1.24-2023.06.14` -|`1.24.13` -|`1.6.6` -|`1.1.1` -|Upgraded Kubernetes to `1.24.13`. Added support for host port mapping in CNI. Merged https://github.com/aws/amazon-vpc-cni-plugins/pull/93[pull request #93]. - -|`1.24-2023.05.09` -|`1.24.7` -|`1.6.6` -|`1.1.1` -|Fixed a bug causing network connectivity https://github.com/aws/containers-roadmap/issues/1126[issue #1126] on pods after node restart. Introduced a new <> (`ExcludedSnatCIDRs`). - -|`1.24-2023.04.11` -|`1.24.7` -|`1.6.6` -|`1.1.1` -|Added recovery mechanism for `kubelet` and `kube-proxy` on service crash. - -|`1.24-2023.03.27` -|`1.24.7` -|`1.6.6` -|`1.1.1` -|Installed a link:containers/domainless-windows-authentication-for-amazon-eks-windows-pods[domainless gMSA plugin,type="blog"] to facilitate gMSA authentication for Windows containers on Amazon EKS. - -|`1.24-2023.03.20` -|`1.24.7` -|`1.6.6` -|`1.1.1` -|Kubernetes version downgraded to `1.24.7` because `1.24.10` has a reported issue in `kube-proxy`. - -|`1.24-2023.02.14` -|`1.24.10` -|`1.6.6` -|`1.1.1` -| - -|`1.24-2023.01.23` -|`1.24.7` -|`1.6.6` -|`1.1.1` -| - -|`1.24-2023.01.11` -|`1.24.7` -|`1.6.6` -|`1.1.1` -| - -|`1.24-2022.12.14` -|`1.24.7` -|`1.6.6` -|`1.1.1` -| - -|`1.24-2022.10.12` -|`1.24.7` -|`1.6.6` -|`1.1.1` -| -|=== ==== \ No newline at end of file diff --git a/latest/ug/outposts/eks-outposts-local-cluster-create.adoc b/latest/ug/outposts/eks-outposts-local-cluster-create.adoc index af80858c9..c3fd23872 100644 --- a/latest/ug/outposts/eks-outposts-local-cluster-create.adoc +++ b/latest/ug/outposts/eks-outposts-local-cluster-create.adoc @@ -69,7 +69,7 @@ kind: ClusterConfig metadata: name: my-cluster region: region-code - version: "1.24" + version: "1.25" vpc: clusterEndpoints: diff --git a/latest/ug/workloads/eks-add-ons.adoc b/latest/ug/workloads/eks-add-ons.adoc index b7f06e1a1..ac1a1a9c6 100644 --- a/latest/ug/workloads/eks-add-ons.adoc +++ b/latest/ug/workloads/eks-add-ons.adoc @@ -59,9 +59,6 @@ Review the table to determine the minimum required platform version to use this |1.23 |eks.5 -|1.24 -|eks.3 - |=== [#addon-consider-auto] From af4071a8c9d276dab2843df8a7dc6535b5ee496c Mon Sep 17 00:00:00 2001 From: Leah Tucker <57272433+tucktuck9@users.noreply.github.com> Date: Wed, 16 Apr 2025 17:01:01 -0600 Subject: [PATCH 413/940] Clarify prerequisites and add considerations (#957) * Clarify prerequisites and add considerations Clarify prerequisites and add considerations based on user feedback. * Update lbc-helm.adoc --------- Co-authored-by: Geoffrey Cline --- latest/ug/networking/lbc-helm.adoc | 29 +++++++++++++---------------- 1 file changed, 13 insertions(+), 16 deletions(-) diff --git a/latest/ug/networking/lbc-helm.adoc b/latest/ug/networking/lbc-helm.adoc index 33df2b461..dc24f4e3c 100644 --- a/latest/ug/networking/lbc-helm.adoc +++ b/latest/ug/networking/lbc-helm.adoc @@ -24,29 +24,26 @@ In the following steps, replace the [.replaceable]`example values` with your own [#lbc-prereqs] == Prerequisites -Before starting this tutorial, you must install and configure the following tools and resources that you need to create and manage an Amazon EKS cluster. +Before starting this tutorial, you must complete the following steps: - - -* An existing Amazon EKS cluster. To deploy one, see <>. -* An existing {aws} Identity and Access Management (IAM) OpenID Connect (OIDC) provider for your cluster. To determine whether you already have one, or to create one, see <>. +* Create an Amazon EKS cluster. To create one, see <>. +* Install https://helm.sh/docs/helm/helm_install/[Helm] on your local machine. * Make sure that your Amazon VPC CNI plugin for Kubernetes, `kube-proxy`, and CoreDNS add-ons are at the minimum versions listed in <>. -* Familiarity with {aws} Elastic Load Balancing. For more information, see the link:elasticloadbalancing/latest/userguide/[Elastic Load Balancing User Guide,type="documentation"]. -* Familiarity with Kubernetes https://kubernetes.io/docs/concepts/services-networking/service/[service] and https://kubernetes.io/docs/concepts/services-networking/ingress/[ingress] resources. +* Learn about {aws} Elastic Load Balancing concepts. For more information, see the link:elasticloadbalancing/latest/userguide/[Elastic Load Balancing User Guide,type="documentation"]. +* Learn about Kubernetes https://kubernetes.io/docs/concepts/services-networking/service/[service] and https://kubernetes.io/docs/concepts/services-networking/ingress/[ingress] resources. +[#lbc-considerations] +=== Considerations -* <> installed locally. +Before proceeding with the configuration steps on this page, consider the following: +* The IAM policy and role (`AmazonEKSLoadBalancerControllerRole`) can be reused across multiple EKS clusters in the same {aws} account. +* If you're installing the controller on the same cluster where the role (`AmazonEKSLoadBalancerControllerRole`) was originally created, go to <> after verifying the role exists. +* If you're using IAM Roles for Service Accounts (IRSA), IRSA must be set up for each cluster, and the OpenID Connect (OIDC) provider ARN in the role's trust policy is specific to each EKS cluster. Additionally, if you're installing the controller on a new cluster with an existing `AmazonEKSLoadBalancerControllerRole`, update the role's trust policy to include the new cluster's OIDC provider and create a new service account with the appropriate role annotation. To determine whether you already have an OIDC provider, or to create one, see <>. [#lbc-helm-iam] == Step 1: Create IAM Role using `eksctl` - -[NOTE] -==== - -Below example is referring to the {aws} Load Balancer Controller *v2.12.0* release version. For more information about all releases, see the https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/[{aws} Load Balancer Controller Release Page] on GitHub. - -==== +The following steps refer to the {aws} Load Balancer Controller *v2.12.0* release version. For more information about all releases, see the https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/[{aws} Load Balancer Controller Release Page] on GitHub. . Download an IAM policy for the {aws} Load Balancer Controller that allows it to make calls to {aws} APIs on your behalf. + @@ -150,4 +147,4 @@ aws-load-balancer-controller 2/2 2 2 84s You receive the previous output if you deployed using Helm. If you deployed using the Kubernetes manifest, you only have one replica. . Before using the controller to provision {aws} resources, your cluster must meet specific requirements. For more information, see <> and <>. -// GDC Must Fix + From 47dc83ec9fa75ec11ba528901b3ece5816f67365 Mon Sep 17 00:00:00 2001 From: Leah Tucker <57272433+tucktuck9@users.noreply.github.com> Date: Wed, 16 Apr 2025 17:02:04 -0600 Subject: [PATCH 414/940] Clarify prerequisites and add considerations (#956) Clarify prerequisites and add considerations based on user feedback. --- latest/ug/networking/lbc-manifest.adoc | 35 +++++++++++--------------- 1 file changed, 14 insertions(+), 21 deletions(-) diff --git a/latest/ug/networking/lbc-manifest.adoc b/latest/ug/networking/lbc-manifest.adoc index 760cc54c9..747980cf5 100644 --- a/latest/ug/networking/lbc-manifest.adoc +++ b/latest/ug/networking/lbc-manifest.adoc @@ -24,33 +24,26 @@ In the following steps, replace the [.replaceable]`example values` with your own [#lbc-manifest-prereqs] == Prerequisites -Before starting this tutorial, you must install and configure the following tools and resources that you need to create and manage an Amazon EKS cluster. +Before starting this tutorial, you must complete the following steps: +* Create an Amazon EKS cluster. To create one, see <>. +* Install https://helm.sh/docs/helm/helm_install/[Helm] on your local machine. +* Make sure that your Amazon VPC CNI plugin for Kubernetes, `kube-proxy`, and CoreDNS add-ons are at the minimum versions listed in <>. +* Learn about {aws} Elastic Load Balancing concepts. For more information, see the link:elasticloadbalancing/latest/userguide/[Elastic Load Balancing User Guide,type="documentation"]. +* Learn about Kubernetes https://kubernetes.io/docs/concepts/services-networking/service/[service] and https://kubernetes.io/docs/concepts/services-networking/ingress/[ingress] resources. +[#lbc-considerations] +=== Considerations -* An existing Amazon EKS cluster. To deploy one, see <>. -* An existing {aws} Identity and Access Management (IAM) OpenID Connect (OIDC) provider for your cluster. To determine whether you already have one, or to create one, see <>. -* Make sure that your Amazon VPC CNI plugin for Kubernetes, `kube-proxy`, and CoreDNS add-ons are at the minimum versions listed in <>. -* Familiarity with {aws} Elastic Load Balancing. For more information, see the link:elasticloadbalancing/latest/userguide/[Elastic Load Balancing User Guide,type="documentation"]. -* Familiarity with Kubernetes https://kubernetes.io/docs/concepts/services-networking/service/[service] and https://kubernetes.io/docs/concepts/services-networking/ingress/[ingress] resources. +Before proceeding with the configuration steps on this page, consider the following: +* The IAM policy and role (`AmazonEKSLoadBalancerControllerRole`) can be reused across multiple EKS clusters in the same {aws} account. +* If you're installing the controller on the same cluster where the role (`AmazonEKSLoadBalancerControllerRole`) was originally created, go to <> after verifying the role exists. +* If you're using IAM Roles for Service Accounts (IRSA), IRSA must be set up for each cluster, and the OpenID Connect (OIDC) provider ARN in the role's trust policy is specific to each EKS cluster. Additionally, if you're installing the controller on a new cluster with an existing `AmazonEKSLoadBalancerControllerRole`, update the role's trust policy to include the new cluster's OIDC provider and create a new service account with the appropriate role annotation. To determine whether you already have an OIDC provider, or to create one, see <>. [#lbc-iam] == Step 1: Configure IAM - -[NOTE] -==== - -You only need to create a role for the {aws} Load Balancer Controller one per {aws} account. Check if `AmazonEKSLoadBalancerControllerRole` exists in the link:iam[IAM Console,type="console"]. If this role exists, skip to <>. - -==== - -[NOTE] -==== - -Below example is referring to the {aws} Load Balancer Controller *v2.11.0* release version. For more inforamtion about all releases, see the https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/[{aws} Load Balancer Controller Release Page] on GitHub. - -==== +The following steps refer to the {aws} Load Balancer Controller *v2.11.0* release version. For more information about all releases, see the https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/[{aws} Load Balancer Controller Release Page] on GitHub. . Download an IAM policy for the {aws} Load Balancer Controller that allows it to make calls to {aws} APIs on your behalf. + @@ -347,4 +340,4 @@ aws-load-balancer-controller 2/2 2 2 84s ---- + You receive the previous output if you deployed using Helm. If you deployed using the Kubernetes manifest, you only have one replica. -. Before using the controller to provision {aws} resources, your cluster must meet specific requirements. For more information, see <> and <>. \ No newline at end of file +. Before using the controller to provision {aws} resources, your cluster must meet specific requirements. For more information, see <> and <>. From da964bf37d7311b8a95fd008ecae0b8b0ffce57f Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Wed, 16 Apr 2025 18:55:01 -0500 Subject: [PATCH 415/940] Update latest/ug/ml/node-efa.adoc Co-authored-by: Chris Negus --- latest/ug/ml/node-efa.adoc | 1 + 1 file changed, 1 insertion(+) diff --git a/latest/ug/ml/node-efa.adoc b/latest/ug/ml/node-efa.adoc index a81f436ab..857c7dada 100644 --- a/latest/ug/ml/node-efa.adoc +++ b/latest/ug/ml/node-efa.adoc @@ -128,6 +128,7 @@ eksctl create cluster -f efa-cluster.yaml ==== Because the instance type used in this example has GPUs, `eksctl` automatically installs the NVIDIA Kubernetes device plugin on each instance for you when using Amazon Linux 2. This is not necessary for Bottlerocket, as the NVIDIA device plugin is built into Bottlerocket's EKS NVIDIA variant. When `efaEnabled` is set to `true` in the nodegroup configuration, `eksctl` will also automatically deploy the EFA device plugin on the nodes. ==== + [#efa-bottlerocket] === Using Bottlerocket with EFA From 3923f1e81c63e84bee8d9146693d0752a6371445 Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Thu, 17 Apr 2025 00:24:15 +0000 Subject: [PATCH 416/940] fixup AWS entity --- latest/ug/networking/lbc-helm.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/networking/lbc-helm.adoc b/latest/ug/networking/lbc-helm.adoc index dc24f4e3c..e2c52cf5d 100644 --- a/latest/ug/networking/lbc-helm.adoc +++ b/latest/ug/networking/lbc-helm.adoc @@ -38,7 +38,7 @@ Before starting this tutorial, you must complete the following steps: Before proceeding with the configuration steps on this page, consider the following: * The IAM policy and role (`AmazonEKSLoadBalancerControllerRole`) can be reused across multiple EKS clusters in the same {aws} account. -* If you're installing the controller on the same cluster where the role (`AmazonEKSLoadBalancerControllerRole`) was originally created, go to <> after verifying the role exists. +* If you're installing the controller on the same cluster where the role (`AmazonEKSLoadBalancerControllerRole`) was originally created, go to <> after verifying the role exists. * If you're using IAM Roles for Service Accounts (IRSA), IRSA must be set up for each cluster, and the OpenID Connect (OIDC) provider ARN in the role's trust policy is specific to each EKS cluster. Additionally, if you're installing the controller on a new cluster with an existing `AmazonEKSLoadBalancerControllerRole`, update the role's trust policy to include the new cluster's OIDC provider and create a new service account with the appropriate role annotation. To determine whether you already have an OIDC provider, or to create one, see <>. [#lbc-helm-iam] From 4d823d678a4d09ac7c2c72e1f40136f5f001d2bd Mon Sep 17 00:00:00 2001 From: Todd Neal Date: Fri, 18 Apr 2025 10:33:39 -0500 Subject: [PATCH 417/940] Revert "document issues with R53 private hosted zones using .local domains (#952)" (#989) This reverts commit 6c8026ab58e41400c0c91ae6423e39ddbb7aff77. --- latest/ug/automode/auto-troubleshoot.adoc | 8 -------- 1 file changed, 8 deletions(-) diff --git a/latest/ug/automode/auto-troubleshoot.adoc b/latest/ug/automode/auto-troubleshoot.adoc index ac65c30b7..72d976c71 100644 --- a/latest/ug/automode/auto-troubleshoot.adoc +++ b/latest/ug/automode/auto-troubleshoot.adoc @@ -262,14 +262,6 @@ securityContext: level: "s0:c123,c456,c789" ---- - -[#auto-troubleshoot-local-suffix-name-resolution] -== DNS Resolution of Route53 private hosted zones with `.local` Domains - -If you configure a Route 53 private hosted zone using a `.local` suffix (e.g. `mydomain.local`), it will fail to resolve on EKS Auto Mode Nodes. You will need to use a different suffix for the Route 53 private hosted zone. - -It's a general best practice to not use the domain name ".local" for Route 53 private hosted zones. RFC 6762 reserves this domain name for exclusive Multicast DNS use. For more information, see https://datatracker.ietf.org/doc/html/rfc6762[Multicast DNS] on the Internet Engineering Task Force (IETF) website. The use of this name interferes with DNS Resolution as it leads to attempting to resolve the name via Multicast DNS instead of forwarding the query to the VPC resolver endpoint. - [#auto-troubleshoot-controllers] == Troubleshoot included controllers in Auto Mode From ddc6c81955d813b6a1f7d801c82c45d5db25ca1c Mon Sep 17 00:00:00 2001 From: Leah Tucker Date: Fri, 18 Apr 2025 16:04:17 +0000 Subject: [PATCH 418/940] EKS AL2 AMIs deprecation changes --- latest/ug/nodes/eks-ami-deprecation-faqs.adoc | 231 ++++++++++++++++++ latest/ug/nodes/eks-optimized-amis.adoc | 2 + 2 files changed, 233 insertions(+) create mode 100644 latest/ug/nodes/eks-ami-deprecation-faqs.adoc diff --git a/latest/ug/nodes/eks-ami-deprecation-faqs.adoc b/latest/ug/nodes/eks-ami-deprecation-faqs.adoc new file mode 100644 index 000000000..9fd7ac1f0 --- /dev/null +++ b/latest/ug/nodes/eks-ami-deprecation-faqs.adoc @@ -0,0 +1,231 @@ +include::../attributes.txt[] + +[.topic] +[#eks-ami-deprecation-faqs] += Guide to EKS AL2 & AL2-Accelerated AMIs transition features +:info_titleabbrev: AL2 AMI deprecation + +[abstract] +-- +This document outlines the End of Support (EOS) information for Amazon EKS AL2-optimized and AL2-accelerated AMIs. +-- + +After careful consideration, we decided to end support for EKS AL2-optimized and AL2-accelerated AMIs, effective November 26, 2025. While you can continue using EKS AL2 AMIs after the end-of-support (EOS) date, EKS will no longer release any new Kubernetes versions or updates to AL2 AMIs, including minor releases, patches, and bug fixes after this date. We recommend upgrading to Amazon Linux 2023 (AL2023) or Bottlerocket AMIs: + +* AL2023 enables a secure-by-default approach with preconfigured security policies, SELinux in permissive mode, IMDSv2-only mode enabled by default, optimized boot times, and improved package management for enhanced security and performance, well-suited for infrastructure requiring significant customizations like direct OS-level access or extensive node changes. +* Bottlerocket enables enhanced security, faster boot times, and a smaller attack surface for improved efficiency with its purpose-built, container-optimized design, well-suited for container-native approaches with minimal node customizations. + +Additionally, you can <> until the EOS date (November 26, 2025), or build a custom AMI with an Amazon Linux 2 base instance until the Amazon Linux 2 EOS date (June 30, 2026). For more information, please visit https://aws.amazon.com/linux/amazon-linux-2023/faqs/[AL2023 FAQs], https://aws.amazon.com/bottlerocket/faqs/[Bottlerocket FAQs] or refer to <> or <> documentation for detailed migration guidance. + +== Compatibility and versions + +=== Supported Kubernetes versions for AL2 AMIs + +Kubernetes version 1.32 is the last version for which Amazon EKS will release AL2 (Amazon Linux 2) AMIs. For https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html[supported] Kubernetes versions up to 1.32, EKS will continue to release AL2 AMIs (AL2_ARM_64, AL2_x86_64) and AL2-accelerated AMIs (AL2_x86_64_GPU) until November 26, 2025. +After this date, EKS will stop releasing AL2-optimized and AL2-accelerated AMIs for all Kubernetes versions, even for EKS extended support customers. Note that the EOS date for EKS AL2-optimized and AL2-accelerated AMIs is independent of the standard and extended support timelines for Kubernetes versions by EKS. + +=== NVIDIA drivers comparison for AL2, AL2023, and Bottlerocket AMIs + +[cols="1,1,1,1,1", options="header"] +|=== +|Driver Branch +|Amazon Linux 2 AMI +|Amazon Linux 2023 AMI +|Bottlerocket AMI +|End-of-Life Date + +|R535 +|Not Supported +|Not Supported +|Supported +|https://docs.nvidia.com/ai-enterprise/index.html#release-documentation[September 2027] + +|R550 +|Supported +|Supported +|Not Supported +|https://docs.nvidia.com/ai-enterprise/index.html#release-documentation[April 2025] + +|R560 +|Not Supported +|Supported +|Not Supported +|https://docs.nvidia.com/ai-enterprise/index.html#release-documentation[March 2025] + +|R570 +|Not Supported +|Supported +|Coming soon +|https://docs.nvidia.com/ai-enterprise/index.html#release-documentation[February 2026] +|=== + +To learn more, see https://docs.nvidia.com/ai-enterprise/index.html#release-documentation[Nvidia Release Documentation]. + +=== NVIDIA CUDA versions comparison for AL2, AL2023, and Bottlerocket AMIs + +[cols="1,1,1,1", options="header"] +|=== +|CUDA Version +|AL2 Support +|AL2023 Support +|Bottlerocket Support + +|https://developer.nvidia.com/cuda-toolkit-archive[10.1] +|Supported +|Not supported +|Not Supported + +|https://developer.nvidia.com/cuda-toolkit-archive[11.8] +|Supported +|Supported +|Supported + +|https://developer.nvidia.com/cuda-toolkit-archive[12.0] +|Not supported +|Supported +|Supported + +|https://developer.nvidia.com/cuda-toolkit-archive[12.5] +|Not supported +|Supported +|Supported +|=== + +To learn more, see https://developer.nvidia.com/cuda-toolkit-archive[CUDA Release Documentation]. + +=== Supported drivers and Linux kernel versions comparison for AL2, AL2023, and Bottlerocket AMIs + +[cols="1,1,1,1", options="header"] +|=== +|Component +|AL2 AMI Source +|AL2023 AMI Source +|Bottlerocket AMI Source + +|Base OS Compatibility +|RHEL7/CentOS 7 +|Fedora/CentOS 9 +|N/A + +|CUDA Toolkit +|https://developer.nvidia.com/cuda-toolkit-archive[CUDA 11.x–12.x] +|https://developer.nvidia.com/cuda-toolkit-archive[CUDA 12.5+] +|CUDA 11.x (12.5 coming soon) + +|NVIDIA GPU Driver +|https://docs.nvidia.com/ai-enterprise/index.html#release-documentation[R550] +|https://docs.nvidia.com/ai-enterprise/index.html#release-documentation[R565] (R570 coming soon) +|https://docs.nvidia.com/ai-enterprise/index.html#release-documentation[R535] (R570 Coming soon) + +|{aws} Neuron Driver +|https://awsdocs-neuron.readthedocs-hosted.com/en/latest/general/announcements/neuron2.x/announce-no-support-al2.html[2.19] +|https://awsdocs-neuron.readthedocs-hosted.com/en/latest/general/announcements/neuron2.x/announce-no-support-al2.html[2.19+] +|2.20 + +|Linux Kernel +|https://docs.aws.amazon.com/linux/al2/ug/aml2-kernel.html[5.10] +|https://docs.aws.amazon.com/linux/al2023/ug/compare-with-al2-kernel.html[6.1, 6.12] +|5.15, 6.1 (6.12 coming soon) +|=== + +=== NVIDIA compatibility with AL2 AMIs + +AL2 AMIs are based on https://docs.aws.amazon.com/linux/al2/ug/kernel.html[Linux kernel 5.10], while AL2023 uses https://docs.aws.amazon.com/linux/al2023/ug/compare-with-al2-kernel.html[Linux kernel 6.10]. +Unlike AL2023, Nvidia never explicitly supported AL2, thus EKS leverages CentOS-7 https://developer.download.nvidia.com/compute/cuda/repos/rhel7/x86_64/[RHEL7 packages] to build the AL2-accelerated AMIs (AL2_x86_64_GPU AMI). +Although Nvidia is continuing to ship critical CVE security patches (as of today), it is not actively releasing general patches and bug fixes for the https://developer.download.nvidia.com/compute/cuda/repos/rhel7/x86_64/[RHEL 7] packages that EKS uses to release AL2-accelerated AMIs. +Additionally, the latest Nvidia driver version supported for AL2 (RHEL 7) is https://docs.nvidia.com/ai-enterprise/index.html#release-documentation[R550], while for AL2023 its https://docs.nvidia.com/ai-enterprise/index.html#release-documentation[R565, R570]. +Furthermore, Nvidia has stopped releasing updates for its CUDA toolkit as of March 28, 2024, with `cuda-12.4.1-1.x86_64.rpm` being the last released version. + +=== {aws} Neuron compatibility with AL2 AMIs + +Starting from https://awsdocs-neuron.readthedocs-hosted.com/en/latest/release-notes/prev/rn.html#neuron-2-20-0-whatsnew[{aws} Neuron release 2.20], the Neuron Runtime (`aws-neuronx-runtime-lib`) used by EKS AL-based AMIs no longer supports Amazon Linux 2 (AL2). +The Neuron Driver (`aws-neuronx-dkms`) is now the only {aws} Neuron package that supports Amazon Linux 2. +This means you cannot run your Neuron-powered applications natively on an AL2-based AMI. +To setup Neuron on AL2023 AMIs, see the https://awsdocs-neuron.readthedocs-hosted.com/en/latest/general/setup/index.html#setup-guide-index[{aws} Neuron Setup] guide. + +=== Kubernetes compatibility with AL2 AMIs + +The Kubernetes community has moved `cgroupv1` support (used by AL2) to maintenance mode. +This means no new features will be added, and only critical security and major bug fixes will be provided. +Any Kubernetes features relying on cgroupv2, such as MemoryQoS and enhanced resource isolation, are unavailable on AL2. +Furthermore, Amazon EKS Kubernetes version 1.32 was the last version to support AL2 AMIs. +To maintain compatibility with the latest Kubernetes versions, we recommend migrating to AL2023 or Bottlerocket, which enable `cgroupv2` by default. + +=== Linux version compatibility with AL2 AMIs + +Amazon Linux 2 (AL2) is supported by {aws} until its end-of-support (EOS) date on June 30, 2026. +However, as AL2 has aged, support from the broader Linux community for new applications and functionality has become more limited. +AL2 AMIs are based on https://docs.aws.amazon.com/linux/al2/ug/kernel.html[Linux kernel 5.10], while AL2023 uses https://docs.aws.amazon.com/linux/al2023/ug/compare-with-al2-kernel.html[Linux kernel 6.10]. +Unlike AL2023, AL2 has limited support from the broader Linux community. +This means many upstream Linux packages and tools need to be backported to work with AL2's older kernel version, some modern Linux features and security improvements aren't available due to the older kernel, many open source projects have deprecated or limited support for older kernel versions like 5.10. + +=== Deprecated packages not included in AL2023 + +A few of the most common packages that are not included or which changed in AL2023, include: + +* Some https://docs.aws.amazon.com/linux/al2023/release-notes/removed-AL2023.6-AL2.html[source binary packages in Amazon Linux 2] are no longer available in Amazon Linux 2023 +* Changes in how Amazon Linux supports different versions of packages (e.g., https://repost.aws/questions/QUWGU3VFJMRSGf6MDPWn4tLg/how-to-resolve-amazon-linux-extras-in-al2023[amazon-linux-extras system]) in AL2023 +* https://docs.aws.amazon.com/linux/al2023/ug/epel.html[Extra Packages for Enterprise Linux (EPEL)] are not supported in AL2023 +* https://docs.aws.amazon.com/linux/al2023/ug/deprecated-al2.html#deprecated-32bit-rpms[32-bit applications] are not supported in AL2023 +* AL2023 does not make https://cloudkatha.com/can-we-install-a-gui-in-amazon-linux-2023/[mate-desktop] packages + +To learn more, see https://docs.aws.amazon.com/linux/al2023/ug/compare-with-al2.html[Comparing AL2 and AL2023]. + +=== FIPS validation comparison across AL2, AL2023, and Bottlerocket + +Amazon Linux 2 (AL2), Amazon Linux 2023 (AL2023), and Bottlerocket provide support for Federal Information Processing Standards (FIPS) compliance. + +* AL2 is certified under FIPS 140-2 and AL2023 is certified under FIPS 140-3. To enable FIPS mode on AL2023, install the necessary packages on your Amazon EC2 instance and follow the configuration steps using the instructions in https://docs.aws.amazon.com/linux/al2023/ug/fips-mode.html[Enable FIPS Mode on AL2023]. To learn more, see +https://aws.amazon.com/linux/amazon-linux-2023/faqs[AL2023 FAQs]. +* Bottlerocket provides purpose-built variants specifically for FIPS which constrain the kernel and userspace components to the use of cryptographic modules that have been submitted to the FIPS 140-3 Cryptographic Module Validation Program. + +=== EKS AMI driver and versions changelog + +For a complete list of all EKS AMI components and their versions, see https://github.com/awslabs/amazon-eks-ami/releases[Amazon EKS AMI Release Notes] on GitHub. + +== Migration and support FAQs + +=== Will EKS terminate AL2 AMIs? + +No. EKS will neither update nor terminate customer instances and will not remove existing AMIs from distribution. + +=== Will the Kubernetes standard or extended version support apply to AL2? + +No. The EOS date for EKS AL2-optimized and AL2-accelerated AMIs is independent of the standard and extended support timelines for Kubernetes versions by EKS. + +=== How does the shift from cgroupv1 to cgroupv2 affect my migration? + +The https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/4569-cgroup-v1-maintenance-mode/README.md[Kubernetes community] moved `cgroupv1` support (used by AL2) into maintenance mode, meaning no new features will be added and only critical security and major bug fixes will be provided. +To adopt `cgroupv2` in Kubernetes, you need to ensure compatibility across the OS, kernel, container runtime, and Kubernetes components. +This requires a Linux distribution that enables `cgroupv2` by default, such as AL2023, Bottlerocket, Red Hat Enterprise Linux (RHEL) 9+, Ubuntu 22.04+, or Debian 11+. +These distributions ship with kernel versions ≥5.8, which is the minimum requirement for `cgroupv2` support in Kubernetes. +To learn more, see https://kubernetes.io/docs/concepts/architecture/cgroups/[About cgroup v2]. + +=== What will I be responsible for if I continue using AL2 AMIs? + +Continuing to run outdated EKS optimized AL2 AMIs in your cluster after the EOS date (November 26, 2025) may result in compatibility issues and application impact. +Deprecated support for AL2 from key technology providers may lead to incompatibilities, making it difficult to integrate with the latest tools and frameworks. For example: + +* **AI/ML Compatibility:** Compatibility issues may arise for AI/ML workloads on accelerated instances. +For instance, Nvidia has phased out AL2 support in CUDA 12.5, with critical driver branches like R550 ending support in April 2025, respectively. +Additionally, {aws} Neuron discontinued updates for AL2 in July 2024, which may further limit support for machine learning workloads.  +* **Linux Kernel Compatibility:** Newer Linux kernel updates (versions 4.14.326, 5.4.257, 5.10.195, 5.15.131, and 6.1.52) applied to AL2 introduce compatibility issues with P4 and P5 instance types that rely on Elastic Fabric Adapter (EFA) and closed-source NVIDIA drivers for GPU Direct RDMA support. +This issue is specific to AL2 because its older Linux base, which is tied to RHEL7/CentOS 7, conflicting with these kernel updates when paired with NVIDIA’s R550 driver, whereas AL2023’s kernel (6.1.x) and newer drivers (R565/R570) avoid this issue entirely. +* **Kubernetes Compatibility:** The Kubernetes community has moved `cgroupv1` support, which AL2 relies on, to maintenance mode. +This means no new features will be added, and only critical security fixes and major bug patches will be provided.  +* **Security Patches:** Without official updates to AL2 AMIs, your team will be responsible for manually applying any security patches that would otherwise be handled automatically. + +=== What do I do if I need Neuron in my custom AL2 AMI? + +You cannot run your full Neuron-powered applications natively on an AL2-based AMIs. +To leverage {aws} Neuron on an AL2 AMI, you must containerize you applications using a Neuron-supported container with a non-AL2 Linux distribution (e.g., Ubuntu 22.04, Amazon Linux 2023, etc.) and then deploy those containers on an AL2-based AMI that has the Neuron Driver (`aws-neuronx-dkms`) installed. + +=== How do I migrate from my AL2 to an AL2023 AMI? + +We recommend creating and implementing a migration plan that includes thorough application workload testing and documented rollback procedures, then following the step-by-step instructions in the https://docs.aws.amazon.com/eks/latest/userguide/al2023.html[Upgrade from Amazon Linux 2 to Amazon Linux 2023] in EKS official documentation. + +=== How do I build a custom AL2 or AL2023 AMI? + +You can build custom EKS AL2-optimized and AL2-accelerated AMIs until the EOS date (November 26, 2025). +Alternatively, you can build a custom AMI with an Amazon Linux 2 base instance until the Amazon Linux 2 EOS date (June 30, 2026). +For step-by-step instructions to build a custom EKS AL2-optimized and AL2-accelerated AMI, see https://docs.aws.amazon.com/eks/latest/userguide/eks-ami-build-scripts.html[Build a custom Amazon Linux AMI] in EKS official documentation. diff --git a/latest/ug/nodes/eks-optimized-amis.adoc b/latest/ug/nodes/eks-optimized-amis.adoc index 7fde5d229..3cb677a1e 100644 --- a/latest/ug/nodes/eks-optimized-amis.adoc +++ b/latest/ug/nodes/eks-optimized-amis.adoc @@ -20,6 +20,8 @@ With Amazon EKS Auto Mode, EKS manages the EC2 instance including selecting and [.topic] include::dockershim-deprecation.adoc[leveloffset=+1] +include::eks-ami-deprecation-faqs.adoc[leveloffset=+1] + include::eks-optimized-ami.adoc[leveloffset=+1] include::eks-optimized-ami-bottlerocket.adoc[leveloffset=+1] From 5c0087fc80cff69545b53189e76c2850d01deaf5 Mon Sep 17 00:00:00 2001 From: Leah Tucker Date: Fri, 18 Apr 2025 17:15:16 +0000 Subject: [PATCH 419/940] Remove nvidia compatibility content --- latest/ug/nodes/eks-ami-deprecation-faqs.adoc | 8 -------- 1 file changed, 8 deletions(-) diff --git a/latest/ug/nodes/eks-ami-deprecation-faqs.adoc b/latest/ug/nodes/eks-ami-deprecation-faqs.adoc index 9fd7ac1f0..eeafcdddc 100644 --- a/latest/ug/nodes/eks-ami-deprecation-faqs.adoc +++ b/latest/ug/nodes/eks-ami-deprecation-faqs.adoc @@ -128,14 +128,6 @@ To learn more, see https://developer.nvidia.com/cuda-toolkit-archive[CUDA Releas |5.15, 6.1 (6.12 coming soon) |=== -=== NVIDIA compatibility with AL2 AMIs - -AL2 AMIs are based on https://docs.aws.amazon.com/linux/al2/ug/kernel.html[Linux kernel 5.10], while AL2023 uses https://docs.aws.amazon.com/linux/al2023/ug/compare-with-al2-kernel.html[Linux kernel 6.10]. -Unlike AL2023, Nvidia never explicitly supported AL2, thus EKS leverages CentOS-7 https://developer.download.nvidia.com/compute/cuda/repos/rhel7/x86_64/[RHEL7 packages] to build the AL2-accelerated AMIs (AL2_x86_64_GPU AMI). -Although Nvidia is continuing to ship critical CVE security patches (as of today), it is not actively releasing general patches and bug fixes for the https://developer.download.nvidia.com/compute/cuda/repos/rhel7/x86_64/[RHEL 7] packages that EKS uses to release AL2-accelerated AMIs. -Additionally, the latest Nvidia driver version supported for AL2 (RHEL 7) is https://docs.nvidia.com/ai-enterprise/index.html#release-documentation[R550], while for AL2023 its https://docs.nvidia.com/ai-enterprise/index.html#release-documentation[R565, R570]. -Furthermore, Nvidia has stopped releasing updates for its CUDA toolkit as of March 28, 2024, with `cuda-12.4.1-1.x86_64.rpm` being the last released version. - === {aws} Neuron compatibility with AL2 AMIs Starting from https://awsdocs-neuron.readthedocs-hosted.com/en/latest/release-notes/prev/rn.html#neuron-2-20-0-whatsnew[{aws} Neuron release 2.20], the Neuron Runtime (`aws-neuronx-runtime-lib`) used by EKS AL-based AMIs no longer supports Amazon Linux 2 (AL2). From 8516867ce77c929afb0b15fcdd2d1ebd1b9acbda Mon Sep 17 00:00:00 2001 From: Suzuki Shota <8736380+sshota0809@users.noreply.github.com> Date: Sat, 19 Apr 2025 02:24:29 +0900 Subject: [PATCH 420/940] fix incorrect information about disruption behavior on Auto Mode (#987) --- latest/ug/automode/create-node-pool.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/automode/create-node-pool.adoc b/latest/ug/automode/create-node-pool.adoc index 97c2cd557..4d45c48e0 100644 --- a/latest/ug/automode/create-node-pool.adoc +++ b/latest/ug/automode/create-node-pool.adoc @@ -219,7 +219,7 @@ You can configure disruption for node pools to: By default, EKS Auto Mode: - Consolidates underutilized instances. -- Terminates instances after 720 hours. +- Terminates instances after 336 hours. - Sets a single disruption budget of 10% of nodes. - Allows Nodes to be replaced due to drift when a new Auto Mode AMI is released, which occurs roughly once per week. From 889fcafd11ae979c254ffe6b93edf90b8e9a0cee Mon Sep 17 00:00:00 2001 From: Geoffrey Cline Date: Fri, 18 Apr 2025 14:56:45 -0500 Subject: [PATCH 421/940] auto mode release notes --- latest/ug/automode/auto-change.adoc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/latest/ug/automode/auto-change.adoc b/latest/ug/automode/auto-change.adoc index f4da58d6d..6c28e5939 100644 --- a/latest/ug/automode/auto-change.adoc +++ b/latest/ug/automode/auto-change.adoc @@ -7,6 +7,10 @@ include::../attributes.txt[] This page documents updates to Amazon EKS Auto Mode. You can periodically check this page for announcements about features, bug fixes, known issues, and deprecated functionality. +== April 18, 2025 + +*Feature:* Support for resolving .local domains (typically reserved for Multicast DNS) via unicast DNS. + == April 11, 2025 *Feature:* Added `certificateBundles` and `ephemeralStorage.kmsKeyID` to `NodeClass`. For more information, see <>. From ac660bdccca2824c202643da1bb065cd2650a060 Mon Sep 17 00:00:00 2001 From: Leah Tucker Date: Fri, 18 Apr 2025 20:29:08 +0000 Subject: [PATCH 422/940] Update terminate instance question wording --- latest/ug/nodes/eks-ami-deprecation-faqs.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/nodes/eks-ami-deprecation-faqs.adoc b/latest/ug/nodes/eks-ami-deprecation-faqs.adoc index eeafcdddc..fb3119a8c 100644 --- a/latest/ug/nodes/eks-ami-deprecation-faqs.adoc +++ b/latest/ug/nodes/eks-ami-deprecation-faqs.adoc @@ -177,7 +177,7 @@ For a complete list of all EKS AMI components and their versions, see https://gi == Migration and support FAQs -=== Will EKS terminate AL2 AMIs? +=== Will EKS terminate running instances with AL2 AMIs? No. EKS will neither update nor terminate customer instances and will not remove existing AMIs from distribution. From 448479c4b001fb2c2bef39fe69f5f287cce251a4 Mon Sep 17 00:00:00 2001 From: Chris Negus Date: Fri, 18 Apr 2025 20:41:06 +0000 Subject: [PATCH 423/940] Updated migrate-auto.adoc per https://t.corp.amazon.com/V1723052684 --- latest/ug/automode/migrate-auto.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/automode/migrate-auto.adoc b/latest/ug/automode/migrate-auto.adoc index 5006737d3..69a6425a8 100644 --- a/latest/ug/automode/migrate-auto.adoc +++ b/latest/ug/automode/migrate-auto.adoc @@ -25,7 +25,7 @@ EKS Auto Mode requires Kubernetes version 1.29 or greater. EKS Auto Mode isn't a *{aws} does not support the following migrations:* -* Migrating volumes from the EBS CSI controller to EKS Auto Mode block storage +* Migrating volumes from the EBS CSI controller (using the EKS Add-on) to EKS Auto Mode EBS CIS Controller (managed by EKS Auto Mode). PVCs made with one can't be mounted by the other, because they use two different Kubernetes volume provisioners. * Migrating load balancers from the {aws} Load Balancer Controller to EKS Auto Mode + You can install the {aws} Load Balancer Controller on an Amazon EKS Auto Mode cluster. Use the `IngressClass` or `loadBalancerClass` options to associate Service and Ingress resources with either the Load Balancer Controller or EKS Auto Mode. From ee52166f7431d9732094e5e3826abc36181ff54f Mon Sep 17 00:00:00 2001 From: csplinter Date: Tue, 8 Apr 2025 20:32:57 -0500 Subject: [PATCH 424/940] add low-level hybrid nodes networking concepts --- latest/ug/images/hybrid-nodes-arp-proxy.png | Bin 0 -> 158435 bytes latest/ug/images/hybrid-nodes-bgp.png | Bin 0 -> 171350 bytes .../ug/images/hybrid-nodes-cp-to-kubelet.png | Bin 0 -> 227767 bytes latest/ug/images/hybrid-nodes-cp-to-pod.png | Bin 0 -> 256763 bytes latest/ug/images/hybrid-nodes-east-west.png | Bin 0 -> 259759 bytes .../images/hybrid-nodes-highlevel-network.png | Bin 0 -> 145708 bytes .../hybrid-nodes-kubelet-to-cp-public.png | Bin 0 -> 248126 bytes latest/ug/images/hybrid-nodes-pod-to-cp.png | Bin 0 -> 257134 bytes latest/ug/images/hybrid-nodes-pod-to-pod.png | Bin 0 -> 141212 bytes .../images/hybrid-nodes-remote-pod-cidrs.png | Bin 0 -> 72000 bytes .../ug/images/hybrid-nodes-static-routes.png | Bin 0 -> 153048 bytes .../hybrid-nodes-concepts-kubernetes.adoc | 257 +++++++ .../hybrid-nodes-concepts-networking.adoc | 80 ++ .../hybrid-nodes-concepts-traffic-flows.adoc | 682 ++++++++++++++++++ latest/ug/nodes/hybrid-nodes-concepts.adoc | 21 + latest/ug/nodes/hybrid-nodes-overview.adoc | 7 +- 16 files changed, 1044 insertions(+), 3 deletions(-) create mode 100644 latest/ug/images/hybrid-nodes-arp-proxy.png create mode 100644 latest/ug/images/hybrid-nodes-bgp.png create mode 100644 latest/ug/images/hybrid-nodes-cp-to-kubelet.png create mode 100644 latest/ug/images/hybrid-nodes-cp-to-pod.png create mode 100644 latest/ug/images/hybrid-nodes-east-west.png create mode 100644 latest/ug/images/hybrid-nodes-highlevel-network.png create mode 100644 latest/ug/images/hybrid-nodes-kubelet-to-cp-public.png create mode 100644 latest/ug/images/hybrid-nodes-pod-to-cp.png create mode 100644 latest/ug/images/hybrid-nodes-pod-to-pod.png create mode 100644 latest/ug/images/hybrid-nodes-remote-pod-cidrs.png create mode 100644 latest/ug/images/hybrid-nodes-static-routes.png create mode 100644 latest/ug/nodes/hybrid-nodes-concepts-kubernetes.adoc create mode 100644 latest/ug/nodes/hybrid-nodes-concepts-networking.adoc create mode 100644 latest/ug/nodes/hybrid-nodes-concepts-traffic-flows.adoc create mode 100644 latest/ug/nodes/hybrid-nodes-concepts.adoc diff --git a/latest/ug/images/hybrid-nodes-arp-proxy.png b/latest/ug/images/hybrid-nodes-arp-proxy.png new file mode 100644 index 0000000000000000000000000000000000000000..80cf1ce9f5180856270df3b54179c8a79fd15617 GIT binary patch literal 158435 zcmb5W1zeTS76l4O9QqIf0@9rak&0(Cl-$L&A0cSJ$tXU=7g!K$m3#>V<90S;VLS~Xdoe>!okm{5OnYz(G1fj z@EfwThP)I~@gU_-BqSOnMHxvgccZN|v>Hm;@nH6LBB^*5yNhMKKGPO+6Gt~UOULSk zol;a1x08jP;`(mFkieRmn+BJHEW7!gr1Ye8VNua}k93jR6BQSiG5s-(`Bdk^j#MG% zHL@f~sP8|0NpwIeV~{j?stR>cWhDOLivt-GmJFezLHUO-H4_v}e%nD#b$(T40lJyS*kC1UNLr-W!F`l2Rc-O@h#hxH&9i7e;*&r_nZDM_Fx z1tEWY`Oiy=LCO*O$G4gADLlN%0_0P8Z|KLu) zLPEjirIf;#-f0GZzf$HkB-Oc9@@V4OQOyQo1zwPidSpWQ#;eP*SASVNA04b=EVJ18 zA+TFMn;!=ztS(H)h3)6cU&~U9@zwYF@%;-8+wFWLM6~!8vMmF15@o!7`1(Q@-c%y}4F}`$WxbuOxk?+3 zECmsNElDdHMEyqDL{j7%q#Ql9$0&-}uuvNDt9$)4#Vfor$w8z)tYbx*P!kJP82`sJ zScKqRp>MFXVh|gr_3>B`CIhRl1HVj+&fIxvrX_azz0FUxuTc|QrE>}Y@<7ZTV6J<- z@qAMRm@qyeo2h4&sEJz* z}FU4xqK16s6v#^kt zA9$-wz2NVOLnZz=CqWi?UGMaTLoLEvkJP&U*ISHWp*Zpm+hmL%hrp74QS1BlyE-=wI}?6+m6j3c;v=?x*W^9e9z-=i`I5(KY8{( z;#lK5;lDD5-#H@RHFh;ke@Q^n+$P9BJWOC~u7PI5JWCpmvOHElMLSUkVZz)ywki(a zW&H~1>bjfltRl!_H^Q`PF_dm=*L3B2xZg#+F19&Uk*8;s6{K{s^L=1%v28$A{OW0E zBt^o7XPV16&y0Q37ekKTjSyhF-pC{H;x<$sD+I6ntxLXCIWcPt{Kv$P>A{ko|8Oxi zi$En)4k#pKdF(5>CBbs$vA4&xeG<2QV3LT`Hg9MZYb<%w^vUMN=wW>?0eq+7P~~v$ z)$Y`XO1tmVTlKq*7E|U4wqL6gj9&JLod3wFZK7}fwL9NbXqF!*z>O?Z6Gp_GTxC1M zM$BpQix5tTUbyk^G)of%9GmN)wvn$0vYJ)tx5+V$K)mxsRI>SRjDQ_Z@h+7U)@;>{@ zzCrH<<)8@y87av))PcSWD`vv>M6oG5MCKTJ0n6%hqWzkZf)-nEDJYEYoqY zKr=5H@9qO)O>?U$jTs%xYe!*T?@RY@WoBK&XMQoas_nkl1x3k^3O(G$uZ_s=M3yW_ zJnKoUdiL#u)h_oM)^fKCkp>GQ6bly0)|9qcNzv1Wc6+eK3~9m* z*m&>`9+?=hE4W@LaW!2!@xJ_J^{vEM-1$dVNb-7y&s@XJ^~DFb-MKa2TX>~iG#t%$ z99J>}@X8mTgKb>8THZzVDsfE5`1?C))Y{GBdXC*YycR2i7{a~kdG_!7^O!R{zcyU# z)bo4Vef(5)Z%FK-=WACv^@-wHk`jJNat#^LOz`0SVZP(zkYBl`EDIJT8UV z-#KV*I6s!}4B~t&?JIP)68A{}GyF>*S3So&3<&l^88Vy^WD{g(7uv=MN}+o%&=(8? zx|Hi(w@nA2B;{?vxD|Ar@vNFs(Tf$DDncDEwx`FucV7K09lrYYP1U(e2s!vcN$nc> z%n8h_%)6hb>;3_{)0LUy)_U81^v$O6&2uzg@Gp%MMz1AX3 zwLS*f-XE2cdZgBct;>`ef7TwG$yvJ+tF3@( zjqUs+f_KpB#oZW+FiJ(pLzAjmr@o}C;~DPtp8=Vzp6w*MaO6XfX9B6JFAw_k2{upW zeX7@ScvtfVVMrsrI zB~R%Xco!DCBgcsnK;N4^?xDm{)=qe=@9opF)oWj~7(7mo${mhD$G!2)3vU!J?&$Jz~ zi7Wl8>|;q|9sCE@vWDG-pbqV|`!0=?i3)sQShA5?Bnl?N17*g-gzdO@LiSBMZtGOm znnG+Zz+T+y65c8eSdEnM7lOEzmd;!x!oo71Y@w!_{C@JW=Ix(FGO*-yyiM^VLKFJqne=BMg@ko7G#C7N3TKB{JjMXtT|CioM~`L>`Ic>e10`IjT` zyBDf;!_^U2^J(}a2$5vUFjrz2Pm3o@Y#nN8LJSKB0To%)Z(lEoohd_fRq=Nts zU4gEp(mtmxheHTLZ#NQ{b_$}e%dsBzkiz|!ec@7}gli{Z^ZUcJ83e(lRdX*lr!wqo zS4j@1EHm`Ver#0?4SMM9-?=1nn~v@d!AQbpb)tfCMRX781j^&mI!%gQY?*biC<(#I zm9ek>lwnB>pstB)d%~L*i=@db{dORDydG(p`@xm{-f{##`2Qv7*qZ(Lk`I8FQnUh) z0-(#`q9(L-ls^ti1d)S-IA}RqQ0u$}i5Eo!&rVVLx$3t}$3YPxXIuO0>!VNA(uqGL zBADVW?XI{y%gc4{1I{hE%et>5M!_Q3Z&^+9jfZ$xa4W@+B9X77p5b5gxf9hw_X!EGyM4Gy}<+_Xv9bp13tz24NcZqN?oK~;Ipej=SkBxmX`)m(} ze6GK}^r~5@FsFhU9?f}5qrd&F&Uxl=Uaa!zRg3B+RV7ubBSz13{^x#!;^k-=dF&> zvzwKWJGJ*zv>0rn+6TSuNMgCTK?YDxR=H;^@)Sn;WE~r3f|AL-WmCUh6%1olLQ$IR zAD;hHu;_z=<*BuZ^(O(aXKdT=jnBOVn@=iUEt|!U-ljVQ@9uMS95T50#(Y!Ll=sCp z1!v+_d&Bj8ytra&Ri$b=CCNr1Ytp!9}0(b!=bUGU|uY zYa!%LQs}JEYXUginAkMo%Il&CO~VWw`x5Kk*V403^; z>T;(T^=|%k&G8!i9ln=o{;Js9|rYx6z7_~^fpPq z`l6B~vhQ9_>D>Sb?~_;CpKWX22zQ=ThCS)8o4tF6O6Ifw$S5jOU{289ZR!q$0KIRb zDHk>I;b-oLr3B;jN75`fUR@UV zI9M@=HFQm)`xOi=Qb~KTDv}0Dad;;?@;-v8Wkk+I(^9d?;H4BpmQ7Nl=1-NdF7}d!pdG?>tGiBa)2Aq!qP(vT-H$k(2N}K6wbCZNAJ!z5p8rPKMX{&%8BI+1TEvY`GNj)P0SF zC^zfd2s;NgL&@!M6ipwA(XNqoY7aXPiB@0L#-GJkA}xnlIx5FJo%B%hI_P1x0Egwc zvtwz!Be<meYw%ITgekgI)VfI? z%qVyFT%F9@lg0%_q>==(m3=C;f6tMKoz_PRH<*gLD?IJ`pycj!i;A$_qLG4c7M0J8 zRUk=~c)FNZog{|?iBjgY0g4jiw0s)aFtIn~^dy)`JR~=vNRsTbzFASA9PY;muHP2u_v6yaiaOE(1lFP6r(SHtCTDi3;Ix}TBEqV;$M zvvhDNbM069;0RL^+>`zBhBxp|!sZ%iB<_JC+a~AmRMCA(G9s-#wakTo&SKDCKe;PO zfQ|kSz!GBw>YlH{{71w0FkwfqUe+Bm4UjT+{fYTS-2G|dV^RWSasz)tO&3L!lARUO zkSah`n{o?JusJ4V?P9m7dJe4XQf(P17$~Lv;p%k=k6F##K*W6*T=1fVEINNdUbg&Arf zP&&4d_jcrr$RF&2AEe!VixfBLxUbKM%yeazOY+|+UpwgknW&iG79uM1w~K{O%mDsD zM5J{)T+z3H&NJ=Ff6Yvz4va?FQPBGu6hDU+)09;;YNAbq*}$rB%{IMP zX{_?TXFn56*4A6v2)BPp9iH%Q2f^Y!xk zub4zEvOh901F>k|X|+OKj661TvOm5<(!77~?%#m)z(erlily-$6mYUzJ=A(DQGlZK znBuOZ6DI5#Jecf$Q+^ttLVk2AkchH zZhxfxm$3>JB{rj*zMq@32;u;^ zPoTMQX`<(EYZgPm!vAt#YyH-!GS4#47Um`HQzL#P zi)kD+3?H^;+)l<%#vc%(er+hqSbNQKJj=$7h!*fTnjVTw)I{+R4Qv@s=x2#h6m@JG zPTyo_U#EZ1f?xgemG} ztrOVqC1~M)CTIT32miEOU4dqs$h?>TN%+4v{4*xttYmrS3){GVuhiw1($QZ2|11+^ z*jKgISL$PnMHg|8dpE$`*Y5cQ$?c8vJi1 zT+8onawtmQRsA+l6f}Gl&({nL?>(shiy8=(__})vta$$cof?8}>>$)Ulfh*0xTSQy zmTD#cKl6r4jA1g=Ugy8G9Q92`pu%gx9QwE_2k0!wO#05!U;cv`ASgM%T*O#~I@?0- z3&hL$L}-3*10e-=o#^QE)W4RYl_n9p8C~cmhnp`1;`X^+clp@D@3G~40{@M{gNYTA z5o2>_KAe}Uf|oz;5*!m%`n`lP=}(=H!b065$25nRFrKG&}@%b|1&P#NB*ux}_!0yv=b%s!|#lhkwMk_OX+ zQ?9Qr)_a?=?M%iCAG0Gs&Wd3v>?AJ3I+^1Vs^Sp63X7z7occ`nI`@(V9kYK4)Hc1OFtyg9kJ)=QSngUnBBeJI^MH4F`C-D9!3zHc2iL?~|tT+a{lZ zM#_dL!N5teKBg!>&HMbP5HdQ!0szm$3@RHB2Zh&m>UXP@g*J;Sl%lCb*~T~y0e6s8 zF(fuK?$gVfm)Piap}l3GCGz5jn)CMOiDXP7CYkh*j!V}WTg!1nx9?2m3&+6ZPqM6< zeUWR2xB=vQxEw7`Vk7Lo^JOBBS+LMf&GJ@u#{TBqmsd~cea?R} zA9mA6C*EA``c#P=UUK`Kh3lC`@@+M6kBgoEpl6?sq!NAL#^OJTPGJL=Erap=W&i*I zB9P&IUXZm7!A9WUdfsQN0}nQfG;N5Kk~c08j1T~jZG&PTaeo;_K>g}IprODJ8BOK< zqXlpVpq%awDFD^x8lAjEeho{niQk;57E>N^RnIzEtf#rXBh&n)G=fa0CIXI%*OnjX zV-bat(7VC{RFpd8cSy=1p%MhBmuSq`*|1%t#>Mn|<`0Xtdl4uX0;HEsWlfXaPpnz+ z$F^CHda#i{EbF1cd4fi^G3$9au-ydfD?~b6453a2))t*GUz;I(#9{KqZ?D~Cq{nn@ z%C3IfLKbCy2?7Hyvd=NoEvoo&Vmo77%?E7lozpb-^~jfb_{+(h^-P9p?gaqA2L=S@ zDTN{la&%|A_yQ%@EaMkjUVwgAfRGmYyk-z8(uR{|8*g=Pt|=*@X|aFdTJd6)`s8d+fB9WF97a=2hncW*`eLJO$diV_W2>?bU5KFmKk3B zC+cdR`9Yh=lEk#w+?bZ?C^+W(&z)$41G^T^S{s<32J^H;i5}~2Mrw37UY}b#UmZ=% zn7X&oCevVn$1rQhJ4$h$pm$D8)vl*o%SBN>^D#7k`?yF=aw@^td+OyXT;Kl7=P8Fa zTx`A;@ARtk>$4%B>1)cDKe7gR*B%yJZM##TBt;*+wiZS-v)A` z#h$~XZR>u1un6a@3hht~lF2ke9Bm12ilep5^B z;;jg{+_@E#Sw;gs;!7bGzGxaTOG8QYF30~tPdHS7y0yk}8Rv@LfQ^iBVOlE!sf~^V z-EoL|%We2p@DQnyy9tFHVPy>pPAzwLh?E_bl=Tw1m!k=tqjXH~cGDqYW+a4rr7Eo4 z?-mAms{!obD-ER}`(t0nE+Qw_Z^{Bw#{2O?hyA?HE;<`8Lxs7{dcA=6v{7+i9yln) zBS}vZpdba;yzbtJP$MO6{oH@AFEIdLtOm}z3;0e0yKHz(vUv36MF4mHn+vN9uj8IH zj1j*oq9~HvjYKwD(;FA73C8^Zd9*3XV=rm=dadd{o+%lSyfWU)+)RT*_u2$x*(N=c zpxaJ{>y06T0dTqWT;4&!oCVziU&tsCII52BPfzWB1Yl0IW8o_hZewjZo#wt0JlHCA zuQm$u$O9wc*SKP4JVy%w_~axC@s8ND?-PusxoW%?{T+y;AiBC+)$`sKdkZbc6u)St zgD25&=IIV?Pff!)EsS1m^VNsGIAen7FX}IR9)I$&2cotMa+&$e0=E`sI2?Jp-fef5 zClDoqjEC;zlPC&$@fF717csXJVbdodp-xwoHMjo|K9l~T2^(dck9R=9>H6BW+jucZ zG7q@8PddK#L8yt*;@6Yj>^rgNP8{3J7#QgoCPISUn)|cPLw64RnuDv_&Psf)thu;l z9n{mbZtjpWPx9b%0Ti-fi4xn1B&m`pI+8w0kS-+806F+I*(*VK2&Ge~NtCIg5x(L) zmBPIUBti>y6s5+^w=efBS}Od{q;_JZvN$395CM}3@uM`?>1X@`*mFGY1#q`Hk35gv zFDF|=AhQ|8!Q_kWcPMmIVa=6e>oQ!eHGBE3o>{%rC7vh|6dzgq&`OwFdlXc@02Yr) z^ov#oWb{6837@Fvb5CDz{wRkPBBT$GFCTc^g|b+*gkhj!zB=nk3rk?CN>OUiwU>M;9*_(*!n(sIbfZ;iiECIBo3bX zJKP@*Ip>6$h(3BEGxc2GoHX5hocdp96zZ?wc*`@zR(IdS0)V=F>scU2yB`2rdvg4Ik*X1?%`z0m0iD`j2cT-H5%(YzGD#4^8K~DT0syvS z`i3V^b=Y)s>#RpXOo~5$soLf7jJ@rW4ykKf^s%kqX> za)fPWB{s%uzOx;mc3(i&mj%Lt&;B%F+l?1HvsgOx23_18)2Q)#=0Qyx%$bG0=i}&%CeBS4CuFYp5Rn)MV`L37wnsK^%~bT=TQszED>QI*<|kxVaLqK!;6AY9_ZjH@T1#0#Ds(o@ z)r$476IpDDgy?7jy7Xbvy$7J>qha!6n4soSEik2v0i}>!Tvj0}Xk)<{x1qMN!pgY7 zEx3H2U?c#BBBGG`Mi}Ky=g`H%#A-O_3dFbwp(;G@7762djCFtmM*nvAQhO0&g27ix*GUuQT!f6mHRZ*^Y2Tvy<+P9s-2M%ZZh-!!i$BWIi{2pU)r)C zqxDx!wF9-x563xK^~I+_oyr*i%V|e6)b!VSk2O%q5lKMlUkx}wXdc8r@OX$xeBL>~ zUEbze$fXLQ!@$NT(M{}o?+;yaqCu_iGle>bv3aR8ZKb%$;5VWjw?!DFHNqW6WJ#w) zi0$;JS>E`WT?OU<;`{R_u7|#76HV9V(nzpYy4DDpniY@k1l@1qTuQ!+&apom0qLtSqV8#7WVGlgv)osrIGy8`HDJ|=w!6m&PPn&edZrwEe6QG zEO-})wEU_$CX}oU3)n4mBcbV$S}D#U4~L_Zm|PGlnfR`%mN%)-b%;k4+R*MgwG^d8 zSiaBAmD?dGPS+bsW?eQzUat1-5>DJ=Qa+*$T@VeH4XcbYrbQ0^9&I2-y;CwfbXh7V z;seD@^VR9~WIcNM&5=$m8a39yXOv$2s8$5Dj=jryIeiQ9*sHF!%mw^Ta8wMwX(fwS;5$U+W%kE=5!eQ8^4ORr(botz5?t1&dj=;7M^obYT^ zGFPjm3c=3SDa;3Fz4Dl_2;_{insz7|q>Szb#Q99rbBMaZ^D_6#P6NmAY}L3s#T$%} z4q6hWCtFebq_HZ#igh>M#c%RmQKx7h(&8<8tuV(ZOZo20GW!h1zY<-c@R3oPrm}d? zk&lfDTVZoLyvK&xGeo4xf)SAsm?AS2iZ40R9fa{!K2WdqnE_s6K9s>2hn)#S>GP(U zCBLi0LG^4D`3-{8RFm_-IumAZnVTQs9Q1l<4zPtKA_b=_f}0{XRuo*&ep@jC$TC(y z0u%Q5?!z>Z_lP6qnOHq?nHTpOiTL$Wm?u3$;eaIvIn=}xIrx+Qe#HKOM|1macq%Dg zkJFS1OFxLHu7@Daw-)AO;HP=Yd6{6U1a!$@!r~7}``km+jMaSir5_r2CoBkgX5ETL zchVG$CW}o8_Bbs41QVWy|2D@p7dHUki@t9NXDsTi5OT!vc5g%5coZQpZzD>d>$kuv zn?y^KKszv#3sHOw)G6E9aUV$t;hy#^vAQMIb1#(#BS{k;Nf}y^GKlYv6xZ)Ozdo*R z;wu=+=(1}RavVLme}K=x5d&r5801oTRxtEkwd%X8e#Q0q=6c!?h{7tAE@}L5!q&^O z*My@Q=ZWeSG5~5qpc=J#q}&&QLy>V{ege!j8^=Y^No)Pg;zN>M)fBy9bZXE7N?y~5qohBT>>u) zI6)6|Y}@Vtt}hUWP8+V?V>@*>0(IQI{FJiwd;uFtozBlkbn&xHV=Qd(Tgm*8J~6Wh zC+?AQx`+_zbVzd#m)%)W3^>idL_G}Na(-RM%r`On%|nJ}6SeZX8!%h-K7bYx6-%;D zv-3@&HgzfOMSZR3@KvkYa0`pQ2u@^cYUkK8)MDs*N>P7MTGM7w-kXa?W(U> zVBL;yLQ9Q87dgWh+HpS|O+*%orf~c^Pw6X4M3XR9J?04i$*23RXteyxoskvNz6%Q^ z*Vox!hrTo~5ik0yk;P(z*cd_I1xa}Y^v6A`ZHv4j%2?oN4qm>puMI%KX}a*BQ78}h zUFcuUU2qc@56&1)2s)+>p^TmBJVu}+fb2Fc#$#^Q%Dzc$C*54=^-ryBPkhsT1ki@h z`pNa2-EFR~fP4ft1R2?jEbHo90QF=yrZB@Brm2Fa_x6Mn(percqw9_!uU7^Ii5k?o z?b@xw&P-DGNN}D>cGFwpngnr$@ftn7?C0~NH6Hm?d_oq2u`Bbe1O zZ;>cVLMz0vL?D-X*5evS0vE)XsVPtU$lI7^F`|$kQ&F1c3$;$IMzdwcK~eX${WLW< zeFuAj-*$R3sDTLbdWw)g3aPC&Ro+*)rT zi)i~Z=~{Du=cERxaY@ys@>r&Zw$8UYRS1?8EZ`Y?Q?W#?iuq11RVlcxOXM@fO8 zED1J<&AQ0kjriDfx4J1@(;?);^YJdP0o%8C1&CRqkZxh4O1d>IJzzA5qZHbCY1!y> zjCcx9=6c<8$24 zJ4ALJ#7X6NCLd@*utI^Y(0DZu+G|sL>i$+t$=5-w*rP0mUp!cda9UbYmV+tmx;?m0 zk76nlbIUo(z08p18}S>6J-xic>yzb^mQ*(1Kucil){Mnly((zy z))TD+|~2QJ;T;p;t1mF|sY0h$E|7V$Oez{*}KVRo> zIE-KQFgA}~5$AIueMkD(XKeX5L3L^4;qgc955`U27Fj_g_YCV^gxPHT7eSMja0I|^ z%Ts|NkwfBd+wHxB$$Wj4HdFV?&dKD9hd`h*Yg?AxZb|oX9^lg{3kiP5{a#Fu?AQZo~G;bk3UBX;_krU5<3XN z^X%p6ax~hEpRUV-A4YK0RDTlhz=%AxVJV(Yru9VeTB2DL50FoVdnuJJd{Y&-P4_z1 zt5|x?o{SJrms6qEbW!`vdIBMn1#p2jhvey#KXk^gvk;s+rhuOjLp)~%m3gwL^6Nua zydX?;u%?v78qX@=Z#@FeV%k(ufab0N#Iqu#UwF4+?KhKR|K&)j#OTYCb{xCTb1!h) zK>&z}iaxD_8x*`>UY*!E?L6YDZAXatdF!{z!}Wj@=x6vHmt+DY&IW~dS0?Y}Euv&l ziM}NM&W#XEK$Q{4iv0iOSaFeVCWY&UE}1V-gzJe=cNAl z&%s5BidMBm+FynaEoj<%SiFIScU>oGkKO4tW`V=stj<)~S`UgG_A^n5g(^!%wLHWV z{iRkhs`04fc^`P3jgiOd+u`!c#g#Z!u7^b|d5x-KXYH3jS6}YGakic@pQ{X!0n|j* zmGB8{$K0e-Hyt3X%EgL0B(!URL@K4uMocJlF$hIXkAoKHPa41+-Cb6z{`7C6wmKj? zD!iE*)e{+UV+9BI4sHB0@bG=a6_BWz$2x{@txjb=qvw*N;DmdUY)P7_BXB&5PE@lu z80#dQPqc7U%TRFW2(X`%&PgYZAV`$l$j~RHE}hxcuTFMq=RwB_q0=#Nl#TPIZ-tur zSBLSU;s@eeHX>Dk_98{}c#=Mz+N&0jG@sysBMCm2%hY9hZN9@Ffp&LvK`{sr9fP7L z2E0xy3i@_$A8VJH7>7y#YOnmLyBTP!tt&uvMq+ad1=*j<*7tV0oV$f5xMA@Qe@>Rn z$WZ>Si&n8%YiE@Bwflvz4OF2O$39<>iVECe`CJP+HQU?nb1>5L<8A91Klz9Y;bm%O z&%D`lyFY5}A&Nx7<>@7=Gw$Hx#3dMPjQ=he5qJ6Kkm4GJbZ$ogX$LC}RNmKd;Az&`*GJq_#+duM zHf0@juY8$hQqgou{XM((?+D2)tt8O6wF4N_PBz=~ObTdkA@&kDtbAR;hrR%mqQq`& zSx@oY0?K+ULrB-QaSS)MYld+dNr!!n`RCD%7ID@U_LH({g{vIPM5;BYp!#PrRl zSHHG-LDY?AHjMo$@~*8{7j-EP^@j;<``3v}XlZ4+yz6e?N{WKvo!2 z;~BkwAohsK8^o1{>GozxdV!uax49(iTN(6;rLehYd1+4B!w4jH2LUV#=|S{$UyR5O zfZA}z%CY}UPon;klj9Ub$1`>b;)>JP?9GU49BX0B>7}-iVE^{*jG-WCc?i|Z?loz`QZ!Vf{DwZ(MU`uPhl1R=dXjh$PY#C%7wS$7oIP6X__$#6GQQdqW4M5xPownWs zS}M~nRCYPvtOkk%xLC3$DZi<-?ls^)gN4ozx8K+>Z82Z_ub4QctGX8v_sXw?XRQop zZ8v`RI{D7;hUp40y4BbR_11!HGI@z9cdkNiRRPXpx`9Q~c~Ql&{gczCGacy({u&=Y zxMJoE`1U|o_J=^0i&e(P!Vo7OVogl{l%ug&I@?k}lO2S9c@q5(pUHWc2BkVs=6U=d42 z>Sx^AN;k6}1U3pb6z|+nsklfLQW+W$^!)%rRsT`0LDH9PEEWof?%RP|I!xQFasXCk z!eSggx_GU-u&z$q5IUcON+xjJeRndB5wl6B&Ml*9}S07TE{+6CahqWx4>XJJAkIC%n~P4OgYr6JrY_BjG;Zi6O#7L z%^(wk*L)}g?pgT)X+dC7LO(JCoQ~AwX@_z(N-%!Mvj~W1jN;j;KUx6lo@y07i!@LX z7DYSsUL^dk2zxQ~2R;g+fCiX^YDJpnsh=#9KEvUsI^KlS*m(kM-O18nN>I}u-E&m* zypnwa^JBr5a@Cb0rm<;RHO^ECB$FbW{7Sai?p3kNt#$SxB`EH&L1@AEmQ5%zwmFIG zmW4m#)O@Iz|7j!AGR3<~Ormm_Y2PcbuWjIsp1lJvQ$vBT1O5Z$8 zBBf@K5A{%kitt%;3>sjp^rqTpz?^8%5s?eJKMWtU8%{H6y}=V80@E zd0L9a2c21qkpkq$%%Vl#rKqklh`MGOn4sV+FEsdEx}s0r1?q@nRTC5LmhuQzkHA?^ zW=m`%Gl);J_m#3|<3@lzlh`|4RFnQvwH3y{=qSuMvF)5VlFn`|1` zj2G#R69si}WMkI~UfO@1vJGx3gB`S~0S=HXePO*|!E+_Z!33!?po1%%wlx_t(sEhq zSGsM9>9{oG6LCoq%Brh{M<(urhW(0Uu<`7u?3GIDcePX`=?wpw`Gd#{w|TD#7M-9B zf%oy(1YbM+DWoN)t#TsCk6KPtfHO|hg(4(%A-c0+DF7G8rnovk>I-T+MZsC5ZE>Jt zW;w5awRqLqz%q{Aek70q@V3T*>ThqbCl((d?pk7JGkCx-9dcanOR;3CUJqJqwFX-1 zh#i)E^jy94lz;@8ELv?vwKudtBM!FjJy!AJvd6Zi;eIqK2(Z#bA}&eScuOiTR?CSZ z|63msO1Lm6qG3`9&{F)P6m1;bKu>JsQ4g1CCfGwu6x5o`3QBvD`bH-ZN@@enY6145 zQmMG-*I?_WfSY>r*J)4^l0ZN(n#RfI@!sfLHE`@z?M2Em*T3J3{DM8>fV}`OCUB!f z!Dz)<+l>JrXpN!TrSqxnp7SG{(iU|7_QII688uS2@C9iV+y>)PjdS^Yv~0YyC*9_Y z8&2y~Jf?vI^8Vl=*JUl?>{z~ayZh$8(&IFWn+M$9@|32*GkgTv}fS0mnEDTd+Tdh;8D z{3o!dup*uJsxIgyEvA}GenoHm@DK`tX$=VWMJ_$g&aKVQ?>lhi&r zOkK>1vn$Y^tRY+Pf2#;#PICgFN9FK*P@@FWY%gklTOWNU1sr@1LM22i*0(8tEoC=T zUo;%Al^6<3J)?`rc!Wj}Bx^i;>N@SUx#N1YkCs?!-)Sf)rz?iDUMnexgyP>6rz}R> z!YStUhUuZNNtps3t`w919Cxvgoj|6iKK=zqDpH$2Zb?R_BbQW-?iS+OWo`7M?TkKi zaPjd`B7L;Ty%*&BZX|mkBh9lz-Z5}+A@ZyzKH&6nVlZ%w^mF7Q%flVlMg1YtDG!zN zlT`s=|NdarjkWVuCn^E8hUg$?h2#3r|PPRaP(laZ^ztzlm^qTT*cxPHg3{pUK#{4c^>ggI~R-)bJfgonwqc3s* zG#I7$cXL~PC%*U^2tOy>M-8okX1JbKC&W5bB9#*MBE-I1&mGROF-zAmAIYdvt;a&Z zwS*0GPeBc$W^Rs&GhL1pu+wq@7nLXsTH{MuxGBZV92E&wWbmqa9|E2jB`xT&LHI!( zCKWX^hSH=EFb$DTwrl>P!Qduc6xd*kxHD+%McX#|Dum`z-QBf|9GJ+#FTdLfc+bVx z2*JrL18-F)&VkEV$~V_n%XqJHoE)8-WrAqVOf|szbPQeI+6tIb9g?eZ&Mypp4tvx0 z6zF6k$G8u;X)8?(G)?>qKmPbPw3>Z2=23;Fy0q@X8h`7<=sDC4^OHZ?qWqcb8o*R( z`e_NxAWtH!hcBN_uJ$MC-pZDuQ~mNgdGqx6tI(h69{k? zZFj2Ad6ACqh(491zQ2K@0p`lrqVXe_v-WX*@4{&j)Wtq9|Tu ze)-)b>w5nP5-@)vq;pzmpqDQ@{l3lfVxFGYo*u*`OSet`B?kP24%B1`X5$%tqp>fRcbGdi}NzF{$vw1(w0 z;VkEC=i4BcW81Y$qBdv%UPKy?Y7P4kvxUd1QAajwkINXTd!2JxhMJVF%g%h>`{L6P zw8fde-!r-jW-=;{j!!A#2yRp4p^GXfk<<$ zdrw_6oz8-@cRb$r)83^=IZ{CwWXRX%$QVVbs}ioBS?X#(0XOeY=`oNdQBZH5@8z)!^N49yLoYg+?i&eF%b<$YYrt}RY;=ArcN z2|<|N-u1I*d&5iT*n@62buVZYyv0ajFYD6!4Zf_jnWV!kLO+HUo#B|oSl?1*?)`@6 z)5SPn&!VC+ud!jq?%~u2H_3`M21eQv3m^~wjsQW&XucmPX+!)+-jKS zLfC^v7snKQpi3hL^1K0&)3WQ839Z5)`Lr~lS~Wc9F5=!S;;c2@|R@@H&0*>6#E7~GzzE@E|!S> zN&QjI?&YVT@feY;5IWW$mRggfD>ecl;{y5Y>pMfY0)xQCJbLD>K+enX+i(LiZLPs* z!2}DSwZQMnwnyBTy)6N6=N|~1hquI#xL!EbLl!?vbrZPuaaJdSPdMnmR*JQfkyxXl z5}o%vjI0Hq-6xu`THC2B!xE@8!6VF!HY@7o*QKG`b(_U&_C6OWS9hW*63oJ!Z2?du z#Be>n;tt)vGZDt!JYpPcUT^pzwkVqN{z_Dsuq!xEGKkI!CpYF+TTMh3+H21AGrE%K z5jUk`GXChtUH|X&kJ4tH3%jijB>&j|nXo{tg(HXR+7ldD22C zN(EPD7~~?^@TxNgksorq6|Ze-POZ|MM6y0k6mF_xjT zwu}b)Q5EQ_eQKP6ib~O;m`70r*Q^&gfs83%A8 zUCAt{w|Q&8>VceU1gqrZ2JH&-N&^MeUaJ)W`-PAgm#eHg&CKUu9Fo3QrlgS) zJq^M?PU5YOo>?w4F{UVzO8!A-;W_?pYG7p~k6NY_B)Do1@qh=Mi$)8ydfU;`iQ_h! z7ZGQ_8YX7neTE=cm-}>CtH4xV>8_;a&u$~@LN5S@RO5tz){sSEeye@%`Bf>}SD@Bl96$Ynw zx55%C4_^oV%B?^@tgTR_w+L^SRM{Ny-6@;eJa{?L#m9gt^?Y+8X5fo@}#x@#O;l8LHP;k7y zI4Zam0|JVTghLeCeWY&AVXO*7ho4g+Xw)7Cb!@Md{84&6#MrXxZ=PK1dXF&{c96gL z$76ThpYcCV$TW$UBUrk9mfSjzIbt}@3b#% z(=-P)yYqBA*&Tp}RQv-{T%K;Mhlz(3k2{m1C1VLy7HPU;e6n1KHx%|dc{hOmh$?1F z6V)}tyJl)1w-4nt8(S@h_xd{`cbHqlw7MEnzPK?1ZiFr2HkJK2FJuGQo%{_+pu6+kuogT`h43w-G% z2YTa$pQegVQ~!g>8roMn2N}}8K2`p2hR~yg>XfEQmcF=nd)`|<(TaDmdj~)&Q-4tO z^S?()0(9mjeQVd%zZD}2`JXn^|DkvPD@Bl>4%|YQES_GU11PX6@&UA_o(;GKH)U!Rmm2F!Y|gC=aHXuC)4#Lv zzrJ@-zPMzP?>klf9q`5nxcNUMyZ^n$_`g1R`$K}n?czj=Yf#%{0|Oo;b8VFV7j0_n zF)I7-q1ykmID4&|*EP2s$h}y@0;7Kyr=TEQ>c2Tmk^d}?_o}W1;&ySa$qSo8{{_eV zN++cLYki8uZig_jA3Y56yNy2=Q>}k?{R@uS+ZT!a{|>i^!Mw3Y_5T>_6CgQaSIaZ> z3rNJ$@v}-UrYXF^uU{hy73nh00ysi1Sb|;nv*iO~wWEbKpTX(|$$m>czGak+Bl+G7 zoL862|CIY+|4bPeeDPy5J+p{svo1lt&-tE)Tms5>xh6O-TXK`M3apT63An%mya0@EO()>O7?+9R?f2R?b=DkrwA_pNFYa!PU#Fn;i+1aMQTCZ#5tri!GDPIZ}3Eq zNJ~0&DIV(wjUf5-I*Yp_p8X`uzdgyYA~hXARSG!6xtn4Eepsp)cK5oM#R;Kk z6npa;m1THb+ItP3rSs3SmcT@vOKHRGlb+3jv>cLt8Zo6jlf;S1c5&q{0diNa;A(mJ zZI9swVae3`tsow$ER!*Ca9o1kQ<#7D78>IE^MyX01G`{%>*rl1fCBv<^89sm)z2p$ zxUVS8PyE#u1b;qfOLztRz7=3+zF5a9dQ*JM3!Laoy6OILgKscMZ2!niz0(Hkn|fx6 z!9$=83b~S^Ggt!B6yoI{pLB#8_5AG<5A1gYk0e>`*%rEtO;kH9u$^%PoMvz%mdQBN z%Jlc`#0(k(c2`62a!~G-K08;%HUnR!Qlb2lz7%R)yc)T&Nt z=aiR0$TK-j$|}y#Zt<-TtX(2LTVn3Xc;46d6p#q8heozs&-KL)$<-B`tZ@dZ)3Ltx zK1u>c#%`NxmSvpYFgK(}34J++NOk%2THI7>*qUa0WVZTAS^D?ktTWp2?^1ak0Q?WD z>sBn-$N-jrf5phZHI`9)fP_VQU~sDJ$JR)(b*6K&Dd!%n4lot{%vgE}_Q0OhmX(=t zF##-vtC?2T;Yw`+|D*AuFNtR#Q(K%bYs{$uz6F?>$!b5q_Pe21-x;Diz&C7C+;LF7 zsy%4=tf~&SYuo4<1AWyJ_}3deM7%oqkYUg&Za&|Ft4MoyoFGs<-e01RvC7aEyyS~q zE5k{=D@G`Khb&XPa+iulQ;cg-d^S+-K!$H=3Ddb;B)b?{g#GTj3$ z0KL$0gr_<@xr8=II%LTD_GGh)5FyYph9TU-?%yoK6rSN*<0mWjPtw2=4ID z44YJ{d5sn5Sv;~C4>LrJ6F|hvA<{K(GRWtLXIeA1Xi^2%v*Yo`g1EZVXx{+G9&FMbZh#8V-2fi#8W{w>FG{F1Pm}h_3qw zU7v|tBYjCe?saE0@JXJ^`J5~5 zIq0>JG^QqxI{Mg<8>n0`HMh$kipUd-lJOoid;JOwG|BHp!V^UXlT%`QBeen=tE&|T zOJ}-E8($cU9JXcqv?x42j~`HddhAapPN$iUZ($X=ST@A2dOkeyW*=3AjDW-ohqh)~ z?tq+w#m*Syxbj)+sgDybHw*ED<7&O^#ZwG_f*g=rm;&R(yL0yIafpsAo{hvWC&cyv z@~_9QEP>fbmb=ffY>4+0WS0`m$0$7>f(Gjk8K37&l{P3I59PHmz3=Oo^PIwyBVvM)=ymk-tUMVf8z5^=ZtW^$>2OW7(V6zno# z1ga64t0=0gRJ=xU(urbGY(ytZVVd+}ruhYAcWs8oG&SWO&L2byi8wSSd*+4v62o$= z0KGF_6tecfrZ$@Jb)H$X8ENC5xL;gh+>R5?-URvg(@}k$!DX+QN_n`4ohAcm@*h+- z#Scw8a8f1 zs9kslPE(ajeHVD?6mB~2-0VmI9_K`^b;!2TNi76|s}{BQhCsAV4$i(lA*PR^exCBk z6RsphS#xr_eP4&~DF4H!46DtPpxHF*4F@aImH^#d@_fwB*sOYvbt!F6C9+P4jB%ud zqWdv6Vs2SvuuC&m6hxZs%&D2|Qi|x3=MA|O1{R-!5Ze?$GV1$$Q zo(o$XEB^fDwl}Y30;~Wum3+ofa%U>1XK<|baAm1Gr8}b}n`Nqq%mQa{BeXCh>lfX7 z80N?aDSB7D@wmYiQIOIz*DP_)Jem3lBxL|!lfijXk0y2YR)%lN$>L?lxGuK z|H{eiukriKK}j2wPWbc~+{;^_>KbPm<$p0>6MZ)7Y#X8HkSRKj_TBomz>D~q1#I$r z@^{Bic*p@p!X~O0rsISt(vgko5CV;|2<05@Bj$rNjL?aREB zhp%Dl{QjohrFZL9@Ba1ZmnRx;#6oV4w3KQkXkO&jS#(4TRI@f~5iBcdge@cMBRwUZ zr>D~pYgdr?Ofz6HZD46uEXUI~swct&LzoTA^PO*FL!SDv)j2I*p7OkL z5#lA)_$?=dy~UsdTwREOjL}+F>#+YrxWtD=E35RiAfL;zKE#C|y<7bSVmm(Lj!j>n z(_j!&Q(9TM9bp$;g^qZ}(`mz0Eaa|j(mf(~Q;1Y`+CbF32YZm?`bEj-p%n~ar1H!e zZfiylce`j+U)*iFI%VG*C zRZ>~_tvxPVzWcLgg8?*sxIVqoVm#OE*Gdtk-aF}8;`wxAPfPk?Ev5O1%m5{j=or!u z(eJ8##!(*?xBWol`#g5lhmyvAExg~SOahzpXDL`Tj^0wn{z8l$D10+Hyfu9)!|%N^ zJ|hXcml8JR!?xRsm`9A40myEIpfbrZeRQ2j9g|?W>q~F$ikV}k-OwEH@{Gb`LeDc# z)1kN$SQeG}1%tK5%+C^(TF#`+7O)8K$;31|qP2csrYSmZ5-w5~I!$y{J1um~A9dq` zXGHETvH;b~Cz}HPZl$u!7Hg+tSBU1i1xBx0mD)`-fz>h~AG4w_ z-tGiJVkW9fl5K_tPHT;20`SGytIi$d+-Qb@bt z&TNe8eIhicMuwAjaG?vY!2IOA$BWQMEnQUk^5w0 zB#}Nsw3H@WS8Cq`Fe};eTVB^d3g&v1>-L}A;$Pwqz&XQCI>4hI!G$IHTi=!SHYs}Z zg&;;=0@d+(Wi6O{oTiRgd!A?+H?>DT{hdZ5=A2Vf+~oR*y2(pCgMaEFK%;$3BGurM z7xv3Lp+XDf+bV|m#_lIdX&%z28`{LWaNX|>?y6c8Gw_ zUQa>VgV6;`qPv1&1P_nH))`zSUy-}YwV2CwzMYabSr}LR(@NMPI>K5n;fh=Sbpqx{ z80>mIUmuh9bnbd@HymarSyN7Jw_*UOip}$_eUNlp9Y!SFV}KZoSxqul&9hkc3>2P- za%{v3n;q9SHn-0`veRV3*k&iY!BjWrXdoOUq#0ARGD4H{C8gFmduV1=%;Gs z7CC)~WC#u<*moyY|4%Q#+I_G)dX~1H5M@OJXe3^V=V1P-80YX%0qsA+ti6w)1SDm7=?PrTE?=XL;7- z)P6p>&6>x|X=9?KX7=mk9rFT>94oUc&sX~{n#@x@Ph?zpflV)mf zFVZHOT6&tVdiBBFn;bXHK|_Lg_m@mj*IIa-4#Xg>8k(CtE5M}BfC~T`zO6&nC;l0X zJnwc;Z;fH%GA4bUsxN-et-~;G#gty9|7KIVAvxQFx2obZ%<%DZ{yqkCFaY*JD*~zo zaxdC|4v?_>wXp~Tvky0aniyd?Oh|Bhy)QA*6IAoN72mds8f5I%)7M364Aa!Mq1c^H zU;rJ3IZH3ePVK+bSgee0*ew1%IWz&nY9h~H6+f^%+kty0V#ZuVoNNMPJf*NXpBy=8 z1^rgpd;kNwh!D3J%yQ)A|;kSNc3E#SQSy=91+-7zj1T)SiAX>bEG5o$m3 zU721)1fO#nX{HpVFn3S-w8>m7a)7%#M^OGIH|>m~DE^CEj)8}Hwn$u$5%5-(lr8r<@So>!r@_naybz|J>g{Y=w@qI8UA5dX|j zbw^3gDj094P%h0eI}(aQjmf zjpwH$Fro$GDc@N@__gByW3E3QLvg9L8{1hA2JEA&t8hp#((EU}jDq_I7K?%?PpR+z z#A9r33_Gvx3OW;8(v)+Udn~KU-QjB6t?Zsh#5kb`sTDDxYqu!LV|ZS=ciSHTqA~lr zmd|YZ7g2-%qyEw)oFBQzk4-9fb#G&7|Bajs#Zr_ zbv&Srxm!rmMp$XZlW@tbkZV}Y)Q<+iHtx`ORAw$y)D+f@k-zk$NUliH*tfd$behVe<=U0UVwfLw&RdB-8QlpoYpm{MzTw5Ou9#Ado`-j%QfK4K{ zR{b(KhBqu{O;>ED_-CIP3(6m;8#IwM1$^;A?Qp-nVE2zxnjCshX`Y@`J50?%{s;&a zC#O4gV0B`M#ZG!I|0(1itb{ujCcg1;mkWAc4goqcp5rh)((U+9VTUO2r^wu`!S(ak zfj3pdv5-K~j-KV9RnOg$Sm7S=2d?gVOs9@#$*9Ro?C?m>Ngyk^InWp!l5~r# zc;JON2vLfl`lj)K$d-t!eGd1?W=>CvhB{=;B?+}Fe>J@jB4|0@Hxu$$Hx5hDba<@m zw2Me^82kx(r9cD-v-VwgEp6E}O-QBRCQDRH59!SVH_4?hcYSZlYfGsd2IwCRzlt9v`X&nhiz?K|M z?-Db*vkq1YyVHZqH3h>IS^|yWjQ9wm8}kyUu;dwVjN$%Tdu_m1f1)8TDvc{*`)w9h zdvinFR{^cAqeUB$*)HAThuf%0^3OnUvApsAQMQXS71kn^$-Zc})i9&gzQ02V-Qgbt zX}N>!37Gr77F`MqIRB%q=*K&VU!gj;YDwFl9?#uVzq%*5eH&RsAB%B+2}~evK1z-L_)UsKg1ErfuR@p820@$dj4!SPO>jTnf*y)Kx$-`+EPl?Su1io4ccQ ziqHBEcdcymb+fx0Xly4wD=Jf>%{A=mafrCS~!1*Tln0X!Eh3w}vvs*(1U z#@=CHuKFnMd7A~Ww^nh*?W*Lrv0HDGc`?KfH>e-!*8Vm8^!^UT8=F#uqB>*j2llx>}o}V_GoKGGpO+~y=-GPyQ`K@j1+u7Ey2Otg3^xxXos(a) z#(I^xG~Z$T?b>;z^9Y&s=*Az=dRwr4BYOsD0?WqvMqQee0Mkw6?Zf)8q9RD8t$kkO z1;3=gH`R!zZxqzO$q2rQ^adK}U#ds%l{*uPMpoIaXQZ*H3=3kW>Rt~k=Ff{&j15mI z+D;4RKf04>jmSqF5jBrtKr1)1@5hl3_z+=MddXAmgDs_MuDmB8x0^JoU8PaMJV%)<)^ty z`oyjq^J+e9WG04* zy6sSv56%Z^bs6JEJp`sY)2?f8ZZzpfA=~%OAS>M7*ZyThg0%9p1 zPuu}2l=KXCqWZW$pRoefa3GD;Yb(*2lmMb?QMsU+#cKef7~*bQ`u*8OoK2h`rSw2Q z+}DK744tg`g`1=GFTad^M@JqH&~J9hsC%WHYjlg&81eB-xgh`DGY-sXsc6D?Y0qW> zZ0VPLrA*wmvGpy(ibQ{cJ_*nhXhTq%U%OzwdnO(>v3yle5$4bD-Sb{^>o|l8q~7np zQZQ|P%6_3lqzC|U8n39Sf^FCmfGWRDNA4KVnKO zI~$-*m`+!(F_rqyzqxOoNvQLfu6)Od@rZqsXf-aDy|sQJ{`hO`82*qZ0O%vwZ*PoX z|0bdr`b;kPk#iB>UL4YK1X)JUUJ8zScKRP=D9`uH{~628L2*&Chr?fK`d~Js$*Yd)o|^JwzJZP}9Z8u(+o6%Eo5()5?<+r6G@ z7)n>Gj@HA}b=sy9z%%URuB;nT2N85)sDlmwcM+v=uq9piz^s@N;J1165|NZsn1)uX z5oh2VTMRrwx`+(%mB+ZawbJm#+`>3ED7@KpYlOpCK0j&w%8Y9`?jMWES`Xr?6Mv^& z&vjyV7wQuEb_IE~ROhYte(jtI>()$jQqjzG0^pnezx$R>$0w5EV2kJzM<*%VdTL`( z=JA-#u#ln(>?v}1Y;OwR|q5k4SnAFVgHgBI1KNZ(xl$&1JKY%Gc7t!S^*Z- zC$7#5uHom6&sUG{@{A`6Y&jn?0<#Z+O16`DTRJWlJajYp?H8XJL{Z4%+J9K-h2&iw zI?C`8x;j13JtU`@u$2|&tYl>CXbbgCUq`qk@q+(4LDQz7S@xbcbMuIkvZh%m6q!?O z12+yF@RQrVoWhnJx=V~Uq$MbIozxQXJl+j)y4ip?r3Os#&2vG&vjk>Y)YiL)8Tu^O zB7Q0QhG(xfz_>DuL0RUl^uh~)!;|p;1qX3pHaW(cXIY z*{Ld?GwP?XGLRPJ+X-&}=6(;w?)G_ZJs{x`b@yjg=0e3zt|s*Tk1z*L*zK=&Aw z)Af_F;sq1L$E3?tekS^61|V)qIhd54V!Dj1Xjfn&qu8Bo@qO@z$aWvkBSjQZo6SFL za6*O-DDXi?b2p^?-Z|g5m^9voSs`6l8LDqwZidbt0kSyvDM11i(@4+wB^XQPXr z8RIigiyU|^eYxscXQ%gRjme1NdL60?qiiwGP>tKqDp{RwVo)M};+SzXrLn`XgO{{Q z$1r?v)e<*V`|^4OHa56Fg|V+SF3Xd2xpIE%sOa8_212$g=vD3K9D=O*o)e&1!75T{ z;q)>QF@_OsHc<&Wc&{KneF1+`W5NF+R!ku&c26C+F;MFYQA$=+Ue`% z{2o7RUi?7B5LVaWr9dS3k*-*2?-sq5w))zaY@-}x@d222gMIVH{3h3C=lKSp`7`>| z-YHw=msb+!vD@!`pUz#joUSL)v-wW|a)`q|e3;pOu40deX~;*~-GR~*nL{D6i^C%Q zF4Si*F~hx9euK)~`~Br{2P(teb})a&2A%<_iFOam1Zv|cevxiCBppLG173D+Pn_mg zDwo9uBme#ssdGAPjI1PB%&;@Nu#7?-_PqCe69l~BY`h8esPo>kpmEv!h)KPUxUuJS zYMRYzba)RvOS9Qhu&jrP3xipB%gMxj@C8%eF3gK*cC55nE3~2-sM`K{6qmnn)0voFW**WKkseS+nEgp*n@1*W_B4@ z$AkG49W+=BE}fL^a#ezN-^=(}ELvHFI(KhT+76m~X2Q)f3r5vRC0z4kr);}uHUv#NvaE%4HT7%HsekCY9y2Z5dC;W9F39$iwgkoRZ)XVzmzzHEU9RX2ug%Lm3-E*HW{ALd?o4(C}7wj8Ke z3k;X%OxBIqg2=L*Yn$xz0~$E>{~Z3V0x+lJCx3(AvjN1lyjzs9y#Yvm?ls$R%)GUE9pswL z?fUsRS*pn2FMjz(JLb{Dwo>q-;LcmWQB0K=^OC2o9>(lF$N00L1gvj(0d9?h9%P3SOnQ#oz6pLSpv`UX*JqNpU3Lgq>txV;o4q;DaH_^TEt2 zn>wEjAAgeb{h4)Bhe@+5uk&3=@7I#Y7?x+HP57i&i(k~gjHuBTx4@LQS|X<48yzn& zfhDQA#Mhp-ZP&2#!hTat{sb?mji_YVP~2y7w#^bH@f)vJ z|99o0Yhai6yMNw$45ioUBKYig{ZV^-Rmw2a_nd7ezCDbRTjv7(&a0mWU}k3@n>7|> zk*&mqHY@5?OtLk+*1>bShxvVCcq#MCp@Cmo=M`OxfbODz`?CVrlC$e5DkYCWL zse>=7fyLfc2Qx5h;{gxVzjP@YF#jwjL2EWLYsE)eZ-XoXtpa!U1_oX3(MzeS`@6cH z^<<-MyS92Leziif8JjzK+=iD2K;ZqML{ynUm{JgTcciu}`Lm$NPK~~^QSG4Lq{DYx z97BGduWhvJKJ54+>0SpN1E%VoG)uM_E40a{)+Eqtm63cw^c(T<0Z3M7xXDe$bFrT# z-c;afB|h82Z5U+JE8ya|tJ?=7*t&V?B#V1qvG8_iSbs#*7Id}LT)OCqGw1;G7BeQ< zNhv%b*0uiSjGKBb5YXZ^enMk@26smBzKBkKGVq7~My5gd?~YfFQ8_HQZSV3Xn!%=T ziXT#33~XNbrlf@GZbN$JNo{Mn=+^U~@~i$T!_)KZ2`?{oj2PT|vTDYev}PfAuAHrk z_Q{@PW^LVJ-Ud74@m^mVpC5}!$?2Al2nYh3ouPYb{VV>)JAMA}@Veu670?Kf?YpL* zmpKb#&>Uh~fuuXItjtG$eY@k6Vdbj=fzN-{`#F0?R5BN29$+a3aa%d{hXeksjAASm zPG4>>3_T6dmd=778@X>pxAK?D6_m5?l=KeqBkC+EMx}b{Od$6euz#>tWMTnonM+@T ztg)(rX)j2^)jKFz(ORthw0|b<_y$|$U?X8ycIuTcG(D*OAuv&BRbDh6qesK7@n zA!NVU{hUm9u@;-*cZdX066t$uTFG-+fW-=!sWwd_1ik5EE0Tu)C&1w{PM z^ab8wCIuAsgagBh>=IdQN^pinxnlTE4H1>MQ}q^;afu}}pz{C4vIjyxCjT^PxLG_FHt$Q9@>$ZN)7hKOhQ zEwVn9U#}R@NxkcW1vnTY#8=ziR!9w;sf)Q?A%=Z3KhG?#k$LN}hz{g+p0E15)m z6iPNCHsfdmVy!doT?X!-4?w)%@HYf#7-JXoI>?tX0#nC{Awfk#_FU0(x80 z8wXi}kEmePpev`ks6kM@IvSPZBP-u@4Ysl#^Z3-Cv!BThzn&xUS;yz?^IEL)L=gMR z%GJ0||DOB?3XxjhyTc+p-;`sGms)8x4BPWr;8p1*lbb(prrrD0YLqWM?#`8H#`DDV zu-!u$^!u+`fL~4(L+gU^m*+u8Ql@|Fg@QHk9w5Xi5Ov`qx0~{@-k|*6D6KNt(u70R zNatD)i=o%Y>!NehL6`2}GINjQo%oQ~+9Wu#xa8&^@XK+Z+%dPqQ9t0QG48#*jN4}( zQMM}7A7K(KYYiEPE*LXs39wwZSMO3M&kawTe{^2|{*l>NYWdDi?-`evr_G5Rm;?F} zWHmaKHoF(p2Mdz)geD#ziJ!{$YexEKK>ID6`{3qdVRP%^_h~4!)?xr!zaC8>>wY#% zm5j00z#N~S9jN#H`6}*Qz?b-9h;~? z!x9Xg(k#nD19(>e)az-obsA^-c8FBdBw)RJqyMxYc0B@T`n}^YY*{HJTVW`*nj-@UL zzg9$D4jTSMaw96Gl7EXu>}k%3{ttq>G`9Y@G*sDK#8^Gt?Z#q^-M*L#8>poiO1J$s z!fzwTOHD|qGhVw{={7vBk%w|9xbM)Y^UmJv;9O#tjDEyX_L^*Gii|qO#JZtKJ^>^G^|&1O^2%Ai%xlX2 z;KfA53XuP{v14b1vDn&391V7GJuWkURQ7BoRjOoUp>tSLGoU<4nDaL-ChXGwHRq?p z2d@(eIQboU+pdw{e2$ND2f)q6*Bc6J^$22FaE%QsJL8)o@>@U(4O)bm7a{$LA@ zy5~zxVJ>&l`FESs(f+H zX{|g|)GwA>QwnLy*C>1WLsD(M=>Vi!3%pviYNZE#?9*@zN2W8=$Rvm-Q=9k47?Qnz z3)%_D%|BBHq}pwSLEfwM-nESDGihZL z_M>3&L&FPyc_Ck4VixwPIrx&Gr1{b=t(agB<*xAS(Xcmlt~8;Ou_K#d_q-3~$b&Oa5lb z3*W60A%d(c6HfBXtHqis0fwy~IR$~+AG<1NHowW1KWB1nAKw-E+c>a(42#{8>{Qv& zZCCCR47foIdc}TjE^YnnzL>ak;#fGDC41$+H&e>O)$H-w2jjp{zWvmp98*s~X}u~x2D9O1rY+g*JhgkL#gvGF<)B41UJ z$I)ci0_@uy!hXHyL8w?1pL|Iestk$Z%VC$l4xd;@5{RLf#A=InG} zhUUuHzzBgMQut6g8&1q*UisN3DQ(N7nNx(Lq-UynPKy#6IsbjvcIZ!9Fz$mEF50jY zxRKXEx%`%-nD5y@g&9cbFkQirD2!K4@Kqkn2Ik}>7nW%3<<9Vl2HsQi-bsAUU^TxXZJpEiIJp3L&8zH5p( zK@QGl&mM16O&-idj+M5cSD9V}`8f8oNp7xZ@w7nKblnG0D83sQeLu8g0zTPtReRLf z=}T(pY{QP5>X|)oV8zyU-F;nvn+li8f%`)4X=66WwkvMD_G{BOX&1hj*cBQ?KeOAv+y1^Udxz6Y?Ph+(7INy((#~dlA?`D@y1YSS zEp6pq_$qMgJ9`da|#$f>8;ocsy#D8NDv->;U zAC=JU{AIDp<#H-10QG+1o7*1;ecFZPF^tDolb{iSJ9~9bNWNLr^FKyjRa4bQva=0* zy5pB!J*wh-V#`0%cp3YfS2;V^dss}xsdSFjKr^HIb-u)cm(n*gFCnS?m;D+CYIxKE z3wBMe15n)`(%Kp=?|fnHH9kJC=T8~GEFLu0*_V4UG`twwb!1#JKOOE%%yY+QY|hh2RQf*Ps%}K4e&XV&Z|v5K$N-Vn@=X3)S%n~1+kGH?av!6* z0R&!oHPwy31kl;+oa%2^<>h-VGhRU+vn+wjb02*lasBG(MtsE9s!>2&nBig-QpeRP$6bay;6r*RD3 z_djf_&sAqABOHGjwAD?V3UB;2 zg=$&o_C?eU&lu0YmxVrTGcfolrSK5g7g3MwXX6cUQ+c|g)6=sp6m!pTOR2_Z@8CV- z#<>7-o7@k_!hJ_-IMzsW@JHNt_*zOX*?=f;lyj=(*X z2j}Y&ViPv21D6?WTqN(1#gGP90`XNpWnMEk_5hY0QznJE`s>%$c|Ya)+`c(!@e z1?WE|8gAON0+-+jDVa7|+>UH}TRDaS#}&Ba^VlSw7XDXQ7+$~;0gq>h^R0bUG8z(g~KrnYaSl^idJn3Iw9Pa3Ss6d2262!((&h56c z^S1e_m79%rp1-m>+$h`pR#UPU-`14vRrLaZ;6U{pc_Uv5$Wt? znsWB?YI1+{gKuck|6Sr}~f=e$-`2GEO0YeJx-%*Yy{fx{+r{tla9F)ca*7;AOd- z$=dY7+d)PAN>x)N?aoCA7FDN?CQCHsvwy;hueV`EoL*O$G{9w^5@7?=h|!vJ4&9er z&56CLd+p}6`4e1&ZzmL(ugzt9e$p+B0=|69X2v3tJ^s^wl;%E5Z-FI zCJz($oNV@u>D3X4RL|xUcC6^FI~S;9FQVk~(&9#sl2b-ssENzHcY3vhJJARkPZ0y2 z)amMy-t;aq5kX#P##K3*pc0tho-L4Nd>;<0^d(O!F)gJwHKhR1D7ao~WLy-huh z-L1bSU~X5SZP1kCcm@iT!`%@K%9Dma-k{eUlnaI_B>jyOTg15G2h;m)Af>2_=-C>E zoa!^;|EK4BE-u4Yi9y85Gj9EWkc=_D#PpudEGX9+6^bsiA>VAHqCNb9B=J;f%$XWE zy+3nbWqkz9*;CaYE5WVc(k6L+NIi-)RTER@8ve1>zUpQ9RM2q_*@)ZTt+C4dq zwL5bH2c2Hd6h3z8z2A(Zck6u4ablcTvt&x%KwCL=Re}sFb=QtkK)j7haVp1Spr8hX zYa(2pRoMAnqQE(2#Bt6}niyAWYlXCmG5NoTZ3#GRv(HPZba&8iK(n}q(CWP%2lwJZ z)uD?l@0wm>q|#zjSuX?r#i~Xk>hbAy*R3hO@csV2?k-@u^|XErci=w3d$6-q8d{P4 z>~5$}L$0&W4SH_~FEx+f<$mMgQtPLVtWyY^<`6mRFDYA-({yuJMm7zqt0gvz{a{W* z2^RZCXyc-U9s?O}jnz*-7BN53n$tX(^v+U+n4OVJ?R`9}i@_Re+VB|#o(Q#f!!{-R z@VGHnDQ?qae`riZsr3@VcG+6%O#N%%BlPK$g?`ZG)pKAQF6*?eMt40ZVmAX!Xmf4! zw+-$g)qZ2;uXz}rO2@R`-{llDHVc+-iyY9FOrTP*KVT^xopZ)7%I;EM${|mD*i;?4fB`YcyLb|oM~O8# z{gv3P!_X$-yA?RoG?h`N5+B%Ql7ZW3*giSdG<)0-e_hPmXv>7;>eG77dY6RJLf$)v z-x|G&Nur<1IYoJLz&cz`&-T2~Nss>mzo!{_z1^zv>!jsQ)P}sr5a=KOM8*Q6b?Uw~ z(au-OaK8a811@Zpx{GZ|u5?26O)f$8`qxU(xD&(?+re}}4e*vJi_MgH_o-+zBY2^w zG1?hvB@lJJ=A7uEPfaJJw1#S6gAF=<30U9k{+0S&Up#u@Em2JCTBGUs?{ghM<#!d;>}bA-YK5tE)co70#fgCHRstTF$X4W^SL;#c6$8N^N~z7 z7{q6aSNUwFR3fbrA@Hv&a&^h&z@@)+dAR?SJF;+7eWK}eJe<#7X|~=`@e11UXw91LY`^S*cTl$j&=FYSxx3VAvoiK+qcJ|q65Vm|2?#Rvv6vDwX1+;76?)y9zx z4Pyp9nPRcN4z2_YY&$_S6|n3cl;-0fP;`Q{O!HGQpr+?*eJM(E^`X5EMw!@oePL1j z=`ZXQ5<#ft=1a*9&Hd3?*^^VQfU&KM*5(x`F$A+5Y!lm0~NH{#K0R>D9#s9 zgT!&yRFq@wTX4$NAL`h$>KnW-yew1=YtIu!RU`ZZ;FJ5lgCHduJ}3WlBd?MB4ULAo zwXe*N%LzC2b59(!P(KKe+t@7(zaF}|5#+%5g|o>ANWL7d2=E$}0v50WvPtx_>p?NQ z32?OPYhQk|{S8wE(?n(-RbG70$wUwCuXoYbSegF!XoIj;lf}#Q9=GXYPo3imYvCaC zQpiRYJnkft9ZWyCfn?L7&W6~0e?>D>7EbX|DgW|Se;2zPs~>%GIXV%0$IFY6*KK@w zpl=qnVWzb$cmR-H_hr@Bn(I$rQkcY zhOCY5*zvx_Y2BzZXc#%L#I?+hckdb4ni4mYo?Tv-DV_jy2|(#riknAx*ag#I^fZxec( zjUo1anwS?#Qivy+vD!K>P8DXFY~`vTz*-@1k zsO@yU`?_dv8kiSLAb6uYG2&6B=am(op`+uDj4foBLwFCUt3|7LT>72?9=+H7@AyF%H}2Xl|k}%_eML9-MNN+OGGizdUiLbGc4C#TsP}Z z##}`fF;QlJ6tFPSUE1%@lTa@>y8iXM`Ah`cVp6!NjfOH6M{I4lHsptDN-TUAS;oJuQplSJWO$u*+`D5H|CS`&@5eePQXKHKkf4(mz z6+g#?KJqs=PWa=YE08c|^{9Wt1>i3AkeDNk$~u4Eu?}vj5n=bj>);i(DP+V2Wt^On zbYxy$7f^3F(sBgbLKsjR2@G?EN464p5=^N_sY!o4%pLV1lo8L{g^0{xxJd7)Xyd-hJ7!}qi5T?1f}A_r zk@{NX5?*=CH$~}SJ9yekjC5Cr*$E{WZ=&j=S-;SJdA(45PyV_L6B!*oE{upHZu^A~ zy6GpqK2Y4HUTFkKCIgXgM&p|{hsWS;5C%&}Gm#M;JRb0C@-7pc#Fyt*+Ihsw3rp6A z)g9mki;0nB&pQzK*5(sbdP~T{wun*kvO^y<4?`ubryH}Jw`C~E))h&?cS;hz$q+B zRV)E}2;KSq@vqQd{IR*fT{r`;4#vAm=YTg^R9NjM=luwIiLS)Z9mn@PN6;#Km8(ZM zd0G)~KeL=5Nz`MErFxA77oYDuPg$h~s@2^qdc0+YMB7$pq{2^C_RYGO_s~kpi%6R9 z(0fh}ga8A^g$5z$*nYhs+m@yu-tsLP?XIYUWir@q&Ypuv?&h})^5D-1MDAebl3ADR zi6Jv8E09Zb9>EOiu&jhoS9C+pu|+iq)AjA` zT}u#0fm>6Vu|SNj$FozUqE#^H>0JR@z!&rq`?bu@G^K+zF6L0k4*QU)HdyR64P&|r zl+IPDDFvR&g80AtT6*qzREvyySay#7^oCJoGq_taj!|#M$bhLI8~W0&Gp*p=6ZPKU zaZC%4<2xlYU+#CNVEzU}%)Mn()JC9)#to*b(!}d>-GB~RzU?$q@Y?(on^wMs3pz#m zzp1Pu5t*4h@geX5(_2N2WOcVxC7z_WVzj%0s!Ppm;$D|A;Bz&|gHG;sHD8b0JnONo z-AILw*>LwE=LD!EuBa1K73E+0pqDO=XUGc0f^(wWJF zW@CvCGnR+}Xh1pEU-4&EK|zPOQFs#yyP|NXq*by#SZ=tN(00{Y3^}AqK5&Z5&W_ z=S#>|JCG*4D)$_od(KW3alSA7)yLN z&SE)#6eoFEy|)auU^DF{c5N($$Gp;sdEQj8#9@qVJ+W8EbRMdVc6{5gXn(r07~M@z z^R)VL{Oc`jig~#!_@t{r=5HV+aCT?&Q=f(ug6EN1I(0^iflgnsKC?o|b;z&@)e=Uf z@TGNr!7lx0{`6fIljtvgC0Jjn?G&G&c$txc1aWbTLegs=iUO(&F9&QD*?JO*UbR*V zqu>R%z^GXNio2PZg>5F;SmIhGrv@`l#Lmk2wUhn4aAU*E49S|S<2T4Gwa;eKZuau$ zI5$4dFZeKS>|1>zb-v#KP{hFSB$FVJGV1J88VN5#pY}JeW7R5B>t+3LF-iRs<)f%( zqIZXm*e=L2uHaGEqMxt7k(C3PtlObzm;@19H#nq7>(SV(K?z7;sXp%Q<}Iq4dB7oTH)1^aHMRVZLvWk%gZ7U;Sc z>s_PWCV;$d$_AQnTebNzv#yjl@2-jVyZyFJWVvor$OTNod`KQv{ai9Sg;QfEnUfbl zy1G)9lZbb%CU`Mq4AE3>(y|9A$+>x@0dj7*tozogf$>a`PQ06mW*5Jq!Ld$;IcdbM zEBbK;??*)OVpJa0o{C@hQhpV9NLOdARtD5H;QIBr=I;))$i&&L2{1Tz_jfyMfvi$n z65mQt0$U(9*-^|`Q|RQAQ9SR**znsxHvfd4Yq&g{_c==D1vvFq)aob(jNLf8v>*iT zM_7CCOU#Q<;qe(uv8js2FY|>6e%*cQtylsgEZ{+*WAL#x7rlk<{s?QI5@6Vk(^sDl z`Rx4up3WCB_3YYbT^w1eeGNMN@;@=xZ)R(@MptWsxuE>nDhw{z)IG<`#&^Z0UKQlR z><@aD8qI>lsui#~Nwy=eW$wK{)SykLabJv5EpxV9IAjNNe)f1x(Fx`BjSA|ARR_l4WJ*ofSCVJY89AjJ8oW43325dC#M*v^Nce#A#0+H@ zZC`QN%V_6*NrKslOkytAEhNnrbGBxyx%b1Ii=2@L^7`a#%7BmKHW^j5|bWC^pq9_4K#ZV3G3f-~oED%5Tmj z0C$+K#h<^Zd88%+P2Ien8hDhaQZIFISeQyhJ8tx?V^QDe#b<%q?AB$6QsRD6_KvjY zmv6|eN3HzAfSDdtP4;^RDvL>nW2lOk!O>QPVfog2<(v*gasaUZU2n&gh*VacjLWr*l+vikWjUnmOVK_sB;?s>@SlNtoaalEsP@?#5zM zLr!92iF0njc*b9zZMB1y2+y%jq^3d1Kj71<63^yxV5wP|e{)o7lPYqhO}{x8X4g8b zeILfe*-g7ghdz!ze1F|3(XSOY99J;X+6{tIwtgJ9W1#ol8}5^cThUW|E2u@qE8VE3 zib73}saD%-va<5K>r1OoBRRFzSyRVeoZf5iYpNO!jQnv+X#kkIbe76u{za%2r}3sg z-%I+)OtzH`imk20GuE<=(qNk}1+sPjXgl;el&EfNcT$*`ryF(aNhrgfk=eF`wS@iFxF)~#YqdX}XXKqYL&cmo{Yz4p559b%zPL;F_QaTfXnFAtGC zxomw?(!1c2!5fRwPLH4N4;58!Ji*kPD_?X3mYq7~BrZ0_A~KdU&Qcza2t!iU3apZ3 z){!Rt7_Z>%`>Y=c-KRK9@*7rUZ_W_OhxyZZo|8=1r0LnKMU}?romD3Rhn_aaF(-2K zQ|s10FY^emJw5bqTFnC&iW=NQDgjp5VGpr=a3Cz8+7gdf;F*pj$RJ4 z{`&Cn=U9%_B_DrMgoFYQ-`jlVo%+~EG&OMKMd}MSxp2#Ui~8oVkiqAw$Hyx#xtgS66uf#JckX}tDwN_9w$R5>!M)42f)=PZ^W)_L|NR$96!0W$ zjnn-@BLh$K8kE)CDz%>Bc7^t|hSn`igH6WBjM zPX9(X!x>Zy60ksMkyWR!Ug>k9ImGY8SMLu78FDUqn{tqdWBc$#_7M}%&-m$tNG;qtAW z<**_Ke|iH+15eHVM_aYbzz|WQ7CkRP;+lz)GS*Yc4QWFoN4Z~<(W~twmp$%@tS$}0 zFl}(U69(e#QALRw&5;}|vk%5?T5s-6u6Wk$Rrfm(8WJ_r7fmbR(qHDLKhOV2DAt#s zvQ#M>)Xde?zuI0^CfxI}UMi@X|E$J~mGT8Djm3IjrFLm75P!q!lu_u5(Ds(|tIvV{c=vv@P17+|hnXjYys4xV$Bevhk@eu0rZuX+^S1m|jMd&}u5LHnH`W9N}X z(196eI+A=11cuF0TJRJ)#_wAO)>GJ-ICJp4`i$4Dt9NR<_%1SKWL#)Kr<^3-VI%R( zQ&i4$bxOOe0309dz^oMzybDMXm@*+ z{_4=9YBi3|_bXJ>=%Nm@*zKvC5Ywd&X3KoRMl`^+QFQ}a*U%@~IUWvyx6)Rj^?4+f zED#DJ*z#MwTCqLri;dGqO+ua=-{@CYkD`w44RhbWJ&WNU4iwQYgep?RSM}{N7-Mn1 zlqG4{uv*(kbFVkRQ#pG(B6+Lm-ffT3(;&vMHHTpwMxBH-}Elx91s_ zwPHg~Al@SG_3aKh3x!C$z32?n!QjBnPju7Ymk#jVk8xCOD(AtuP{}h%8UaK)?`N~~2YL&pHb1$t z{sWuhMB7c3irlE_C{LCCWeaKJp2d#^UvD*HeV;9i?JPvkT{#D_X!$og=LuknHm(yM z`!TTM*@(o*6BD(1^`Gu)?J#D+6 z%yY6XQ=~do7IB|vU(q@@NI(?zLH5pi*yg8f_l#GeSuzx^*gRd&|8#q3@QhCwVynal zTY0r-ZSHZ@JU(CXd!&nwXDd318naVh*_E*p4Wa6Kq4_sRUw>trUFkCtv$yRyKh84! z?Euy9o=L;FgVLDn7n~sXqsPmPmylF6v~Qfm)E#53d0a^MK60cnqGpBR(B81vEA>f? zdLz|(;XPhpKE*YQ&tN(vg5 zoc$O>5wmApYw%RNH%B*ePX!nxQ9|JyxOysu8RfjZ4DXHOO4N{LY5xjm{fk7?Fr2W} zJH3fcl|(pHhZmE!Ts1u{vK5V~T+(>Bv>)=p+gR3cfoh*#J-J$q&S0k_k>HP~vEd$g z(~HT|Ze9t;-<2fhdBU(-S6=cM3O&VLbM|f9@w^L$#rFd1)=qlgeZ5HKJf~5Fc%gHj z+Ek9hC7;Nea6Sg--Ovza&%{tsLS zC8ggFQwykN%&S%#_o$DyIEOq>jW^)jPFQ}Wnh+%L@EnQ=Sz4DSdXEC);gB=Q#$c)I z@8-SRZpNC}GJyNxIRDQf>`|0_26GSwe{90N=b7;u9nA_~oAtPgyzBHZ&d=RqU-wr4 z6WA}tyA}ezkVW43K@!eCt}8vA8`R5`(WFG9ISrmFj6MnA$?dz(re$4c_lc!6W<>NI zZ0#)4PJ=$dLEAtx@aqLsyZrkG-MalQT76=Ci0xyh5qH%LHA~yDA2aP39e!!HzGJoH ziYuws=sqo!6iT3wP@pEZHDbP0Q|BuxEu)i+M( zYqIzY-#j1K+dyrOSU>pfrIE|&W?gAtoH_b#ImM*5sg3E;?}qT6=&;OVQ4fiuKj-cX z$erRkC4>#_GWnu@q`9`f*`!33*C^d zjD}fF-Oi9hDkyVlPkF%W8?Q=D(0x+rpJ<&6s(dffWjlWfV6C1MRnIPD7`T-u*A~n?vGvO-7H9 zQoLV`ATh~SCur`#a7OJ`>CZA%q_bk;u9R-bJ+u(p^*wz5p_`pQ9jNCJHi7ILUH~0v zY`h9>T6g*>@-IaDAL0ZDqn{biV|2Y9_N=FT+O5=Qa;^V<$G+FB@zX&KHAj{wwWL`sL6p zU9W)Mwlc+?#C^ai?VeWcvOV5Vd3B0S6@)JN?ze@8k65(<_Nwv3VNtHz?T8jUF`}3* z2mwglom3OI06f)}LUmT&_jt=q7_p9VM!mtjrJ9~bQ@V~HdTzs8y}cNyeLwboA@+s4 z@J@hU{b7C)Np*>G^X&|bvxm*8f6U%Of53_~~-tlZO} z8RKrp# zG^?`K)kDfFub6CglNFM>;bPX11hC_HC)UYLWq3S+=la}3i%pH7wV}JFn|lP^Vdi|% zpQgWJZ!huPv2k&!!p<~yY&mSKIP+Jz@GsWa=OfKkB4!Q*U*=L3o=1;ydlF2>xXV1< z^G(g*GgNW4Ei08drc2>z{)OWN;v;5b{avTP(aH3WlcHu@zO@0qbi)5^DQ=Xomkcz$ zB<2Z~*Jrie?f#u*DRm@JcM}M-r!6(wM=<{Ro4A|)P}OpVefOQj`~tn>d)+2bKl?T- zt18N&E4txsLjGQtLcwUJXDoNmtG3d0gV2^}(*1W#-4h|Prxo?ZMP8L0#b=MGcPJ^& z9`@KVy`I6eDR*x%`6xqD>wPdqzxvqg<9Qi;!Ln|@Ixs~0hu-~%$ zTiH8SH0Sg!mua@5cVVWZoo}2g^75-qE2sEC{Y}doTiWf`p#cu~$uwe5%z=0O$2|Nk5PZjt3W_8QC+1lftyC`Vzn4re{?KX5NNDM;d9UU5 z&E#^;m7=7<66$Zue7j9y9-@;-pOkOlX~|&y?J5gXp^>=6i%c?@L7@lrq7O!Y(%lZ@ zNa2bq!G0X$>wLqNBIVJ>`CNaeeyA37@fu4?!!yvuOj?Oz?svqV&qP|e3y6$fz`30_ zdP9P;X%WBXesZ@D(kv5)rmlDUeO>kXkIcE1CaO+1_toARvO&FuP)I<%#5|zlrc&MN z$<94%UH$F8R=$;1!UN;j)jQBVanYmlj(v0D@;3H)S;yX56(&MTjjLfe}Dh#~X-IffiW$Jme-O>;q2Ssv>>@yQ?WpS3PNIecdC z;uS$v-}u)@2!f8k00&UsPDP6dg4DfU&c0w9FEQ5TGO&#;wAb` z-@Ra)g*rAYHy#R_U#R^2+%eIs*+wm$G{?b&p3&*d<7kmF*AYD+O#kyBXx{j%B1@9g z>x~lQ;1iynxY83v(%MaGI0IQ$ z=}#P2`n7j^*4l(dcAS|%(Er4E1Vc=A^Z(FA}kXt+!3(gb`_#mV&<$R zNq#|Uh^X;Y(F_qPsIpg8)<|%@en@<)=Sj8N*HU$2NTybYwb>uQ`B6>)=eOtOBKgdl zjhCs3{1=7~#S>{B<>~&Q^-WWWG3S2jvpUAA(xs?5F|)axXsFpttgfRqkjxX>oe06( z>!A~$%kjh8loQa^>#_J#o#t;@Tu3F3?^IJ~`!P)hQrX#$9<-o>)IqCC7?aLkL4=YnvvH8iIXX?!Ky-KXYus@f=`*c*;Qs)KZB z3&&#d_Qv72BAIHiYJRs}OmSXp=)y!tVjD2kK_NGiQPmcan+OOxiYd3cqzed<$uK=b zfWv8Q%Y?t!BjfI3WHY|1UAf0(M)e0vyYu_=# zC&b$*JFn&OWkrMPEk!{!^+|7B?lSSbU*}6Ct>9pNy8hFFkldnvp(u%mQh<#6{bLDm z_eh+AGN**<0mxL|=og`;`@dN?Z3x%o{NBH6ucippDqeW8`y&QD90)@+#CTXl@Lt>N ztl#;j%}0l><_S~Q7{ux%Y^aQ<*6x2_gxU753FeR-_#GRB*$2J{-yQ&dv-|kswl@3? z=n%L89}j$)t3LvXhbnBSlMdxOeZ~*8C|*br+Z(eXDZ!Bjo5Eo~05wjx7W&|YN02_N zVKr@SB6tJ^acXlW{K~OjtEhAbf>L}GJ$#D#z4w3nDKf+7OZXHqRby8mrnTQ5A-*Oa zou1IyJ&nuWi<}#A=AqsJ5a>|Juc)U)nwV$j=WIs1C>t-xoVj+WMaHHDNbsMVKLcr! z4_f6`qTWfvgseOyau&5>ke56ZtA6-JSs?EQ_zmatFv)g2)#Qz;OXF{i?}(k3%_z4A z3|Y95beHh)+{6QbApXsB-5+T1Q;L?mM7_^3SFEIJm@%cy?X^$c%vV&VOyH)D=k+ez zX0RLh{)RanBA(zk2ip4bHFGvL(2kH5tIg9qB7vrMKCaw|mJWBsKkq*oS==;J7riT%@zm;v>p>9rk9+Y)r(`^?43U(l z+er>j#Q^pa&TFT11wHlCvu@F4=bO3`06NbghX)-417yjO5eOh|@`bR`2$7!wA&Dj; zd5&?E<};sO~r)F;u)ghGF*yV~K2l>l;{P$nB1GtsIY&L%t{roA*iE zqtb8KdA2lEDyKknN<7mf<Vx@$n6nHQHb zc{?|ruXow+{_;DU4O!qnfG$!MHPVVNDQ7qp|IVMg?(rCAE^W>rXItj1-IXh(b6GM-cK3pt#*M{ftsh)azuT*fbgOT8A>Ha^_ziLAq;499RNTv$ z5W?5ZCYms~1$oSSxlbe)sdC9;`RQGKXlXH9#&V1&fTc=GED7x@+%Y3(KVW}1D88wS zzMWX4>-mq;PDVlfd~JAbZI`N(Y$sWe%b86|NqI2rH5&t3ase32u6a9Tq~49z=_YW; z8f4^;@vAhi`k#JV_?!YPPec~YFUX8P*xNpAvZr{ti2k{2)3O;AZAAV!2&r>p2;8d(~NsBdu#a=9CKa&wkL4aSy|D z1&6e3Kb8aj9jt&u4F4`oKl!}x^t+Dd{JvnfK8cCz$k^4MbUv z$4_1eaUL3ZH)jHO2K72daU=d7XrI#;zCFdjy;Xhcu#twmm^OhKI;LB3iqD(LZvKkP zjIc-P&Q995IE}Vnaj?mc+#>J42w!zbVn_h*yR|8bF>2rg-7|834&f}~ zgvI1fgdj=R`x1}A-7R<<5*}E}yQ`5f^;Ba0Qa51lRBF-D7*9K)2E{%Q^jQ=60ZLMQ z14Ph=WU#QN8=W)>VlRJQs5(Ix2fg9)oo7%V1FOhB#v_5P$YxE(V7 z*&+L1J6sDZ-Cl~GGgpUHK9NOHVye>*G#I1Sz$;jZka1bqG!#-$W&j}+_F1}ql zM*vjAG7_Tx7(wY39VIRn5)zp zqhk9h7kC0_vhO|K5GXMv0<72UbQ5q5hPp^mkS6UyjM>Gr$l7;FsL9wy^k`e zkMHrFs)mK_{w(uZ_-b}eYUe9vd4@*d>eEflcV5NDdvrD11am0@= zo3Vy<^bj1(AYfZoir{m*DKoT>$~F0Me`y0L9-d*dAMqS-cHS40fVof$>{Sd(7(*Tci4?#VM_gXQc3oU-JK`IDNW%Wr<(VmW!pe3X|Z6h z$5{1LAouNzGF|q$oZaN}ce_`i{Iq*Fv8s@$6r6$5O7ZtWBWsoGsw|+&=KfB!dT%7> zP}JN_dEbuPep{H4prdrj#Dzj5f zdJo=KFbQ?z39DDXuX!u8- z24ET_(sNGW_aKVaG+xqIuVGP=?&)hX*dGg$?mZ*E!a_En833UXq-L+jJMn?pYZDe^ zfwCr*9-^Q?>*>=WwC6qdYc**umh#TA$z7kr8hH<_ZD6&^)P6^v&SA}Ut0(-X@qA@# zH@jf8Q!XX?H52p4H`h!aZoIE5H;g6Xd6^}mcD&C+ou;VIPzbx;mG8tG@f1pQ0 zXZ>g&bS!*+8w?4_Uf`Hz-d5!Et9 z!=-?V4Du?cX7Z(vp;<50bNy%MuuH63?@CwSl;{4iczo>i#Tz*f4fVeskJ${2`rP?K z&LpwubS|cH*-iDgcL1?l*_l|pM7jr#9$rABCZ()t649$g^cW~os3`*3&CILL6x3Ik zAM9xYBEA1#5Q&|KyOpGL<@>71bhLBz&QgPxeRqPv`D1+Ihole3gzlTf?#ztpv27iF zUiCD>faxet*&*qDAMMrAc7qK1K+|2Y0#U}vISYiPh^=y5b3WOadD^=_79xxVCmI7` znlMn?;cM?xhd{|rS$obWmLReIT+1XBxItiu6qZIFpBwAA^h`j*{LEhdED@!gyM0*+ zUctwkl%tpg29}q>HfNf)=ay4Hxhq|E`tbN{O{uVW4dg7R&Nf7XOGir@J%wWV*$xgs z7tIg#GcbaSJ`%?8Qwesx=olBPNE0O~9CB9ms@4>xy80f!Z27u#&BW?} zoZRnVGf|zRmY(?1wpB9)#=lP*pDs5H+1OKizx?^|)uTLp;#A`Vr7O`Y4a>SQ8^gVL z0=7fR$h|sVqOz;#BQMR210J*dSHAZ@d;uu#g!1JiBPR_I-3NzOmOC`u&8_an{z(+- zp5qgM@x$R=o;wc4R4tUC-E^uJb>E?a0+$czZpxkecvv}RgTjm4V&Jd_sEpj9&$@Ms zQ!>9&4udcA>hB?nEHU^Xc4dB<=!WaVIj39}rbkTL7{i2!SBP&6R{BKfs6o?=(aKiM zbyd^yV83QNf}obY?FAy$-|?wYo=l$`&C-@V%Dz|4H5nMW#X`E`dxMhaF2(&(FlbY= zGt40x;zuuYL4@hE{}4q-SrWG9a^)>KN%af9(2i)``cFkiA&mlZ+KZ5{-dtsieN zaTMLHH9|6LWQKx=QbKLPaZElFU0cNQvkBpwa$3kaG~_Hr4~xncBq2WE%?_n0;q#C~ z)E0YYS8#}(Oe$hVdLBKtHJuw>xz?9yLQ?;7TW9s$yp@XM9 zybv-X54KX6lRzh+?Q~kag0!U#O`SPA{jfHk^wRzeKM@8c|F}bSNv~L+QQ#1=Eot>e zJ7<>kVz#kFi_P0?HJa-X{oNV7{I^20hPd=?4xaN>X@niyQ@5Yk6BNITEb#)WdUnMiSL>#8RLtKgoY*OoO}T z7!Bt|iz23rPQS@E2UBSc6xu&N6yI$gH{Gi>y=b|o!XZ6-$!;D~aWB=aKjASIenS9D z$BlC+ZZ!3DEQtNJHnuL<+-z4pKV2TIj};SbU%k`#8NPD~TH< zpV-BfS|+GJ+4wESa^1PEu-wDrBc~Afp?z~+-&{Rb!W>P%a>-&L*Sl%J=<=Od2i;6h37qC^B&*!*?++tp=q6n+<33R!xVN`;so_8Wy;LG zL4BA}EhfJV0}QBal3=|X3Yg?YXX#tg5bQHZq~MaAVeG8Wr1X=|9JbDh7KMeq6L;)C z5cGtR$dKq=eex}iXX|<*gZ^bzFx!f^_mmog!?+rcg(K$bIETRg<5gD{|4)t_IX?=B z#|B}>&UU=kSqALx)ROO`SYn=zan49lMQ4_p3BjgU3_Q;k-a4-S*u7R8h&Qq&lv25d z*5!QmWMmS2TKbbRM4)$^?8yzvXac~Py!5zlD+-8jXUE)!pgtUI#%Gy{PU+%~$(Iaj zesJi>+Z3Y~#g{p(EPf`RHBs4^Ru~nC>&r$8t zAdF@jB3DmGnda(!?acgle!3r;rf23$RlNtn$!K6yZ;ZB)xdS&>j2SQxM{cg*p)$*H zQ9M5}?~RL4O`bBy9rIRF{%k-wrb?`j?yMc=JowEo<94Nx6MalIe_)7G|7u%jw@wcW zJB!C!Xq$*-_*w32XNF(~LztlhrDSAe?;QeUTPOT>qx$3VGd@Hm2F~tj6eN&ze!WY) zwwxQwM41yiY3WjARiZVlFYWUA4aslHUFU{Q3WwaQlm=6C_#TZ0hzl^-U(zHv=fU4q z81wa3i%i$T7fYlw0|%C=S<+doL$`NB$zh8j4;-p|vwq+`p0QB;bWXYA8houhOP0b} zF28{BCpx;^`LE_w|f3hm_1;Kf?y4F-75s-c0Y- z@0^2ZZHps0!nBY$3b zHf3ks0?(_bM5PGsQ7=8CUYQ9B=-Pn-GC&|{)$Gc&K`w|rpi7wqpWU3{Y=NQe+SDyu z!JXC4xXeP4(!3x&w|Nu$%RYiS0O5`#N#wed--pP^&bgZ{q}*6RZk7m_fmv%gM@|aC z3(iRQ;)h3R1y;m%D!NQ6{QeY}@|6DfCv`gS+nxf}-A3e0(grN5!HGn zq)KN@UvI1)Pra2i7Mb4JMRp$vpe?M@iYOX0jpe??Q376oYoSSeAUmL?0sQ7zgk>B7 zO@RZfUxgR;?Y5^cJTGZYm2d8SBR}b+)7{_ICHv$KmAr_3@DFJEtk+IHfgS*_v_d$S zB}4;aL=g_Mt)08T!>=fuyCdOV^tc#4mEwe5Jn@pw6Xy#REA%Aegx~v%`(clvvAqd; zJhRrPTz&dH&=F5wcv(Wg+V4heHxPeLppWc6ok7zYXy5;=&1J6H;4_^c#6;B+Gs_EH z5_SC{@Eelvu^K}<$mZNCz+Ie`kqC$(+E@_3MlBM`6w;rU#O{U?8}LiJwh9r0a53j`XsQUqvxV@dp4%$&Qg;E<@4 zMOu_s?uLp35)!<%RymFmLL&0NaE!)?vhQN6ovLvHt#?A=5}m>d*XIUTdkipTlzy2) zkmymHiMoWJfB+B!B>*QCj3_#zu?^A8iG?uo(>(Md*#t<<5zm7L8gL@JT;gfRc^X?k z=)_aCJ;apqaY$f4P+=)>kVq?+(wX^Jbk1cgKl!Ro(3nn4hcX+#majmttRg)MQBs`# zVEu)rJLbbRGx{d1Fxu?)DqUT429fH%1R9InUWF$`V>92#aq)k*YS03 z=j9pSRG@=w&?Fvh$qE_cL)-adth2K;o9FL9+LM-Gw&CUhnz_y}?BXUJK^W+TNH zbXh#SQP~J>TejP745FwYXUc0o@Q**RvX*QmChV^S1@KNrZeH>Ln++IwBg(LnDuP1d z=M)jQ`_BJr2QtRFKLUQMXcdt|BD6d@-!;&|8^fPA%kKGYv>(1=GaHKoi#bA^XFJu% zjzJqLAZFmY_;@SIyhR2o1*f;qq~T_^g6Fz<=JU3_o1MPInJUY;*A2WDt~5uz$-u)` zJVQFV`I=#noRGI_g&qlGL{tX!WDsdAbd@m1*=>9X%{6WeT_-cRB4j}D#ShXXJghbW zPbAWShd4rHR;a&qokB|nV;(vK7$%4hgPLIej$F`E%E5f5bn~~_GlrDLBXf zcIxlA2L@$MRG5=w1{H>>-=c}?AjM=ia1u8@3Q2iB>6lt619^^ln{-x#=uaavoAk}J zc45}}CzwTH&P6u;{^Yi0O;D-vJ|(<@Qb)s=kWZJPFt%#&VjTSQPY{5&g{tu ziQ4b0L*E3+`Jmd9-qgTab4?=m2vCCuKR4L>sQlw!75k?TnlE{wQNE8x@Ev~YvkI0f z^q88Sga2Q=orS2Uz7;h*?SNiA|s+ z|JuH|Utk=DS2G>U0I7}U&?h2B%w*+2IOC;DTiTcZ^x_X%HM^8UcV`D^@ChH7r+m$8 zvX)GsQeXwG?;EXm=`?raj7WaUDOtDgp!Ur>%pB4;80^j%_({0@nU?n7>i{U6Px%pe z*AYS|C%fOvUn@|O_lp9in5qAHBZFGSwhTn6y~z3m3o%X?U%O)>OoUI!&jwnY7yIvd z28_5gC5!dEp~FE|=m6i%ZAi2ulz4ps8s&2q>>flz-7`17y$G7I?KvpR1L*Zok1SGM z*SALE;Q$RC(?qN;kJ_%n00bHsfWX(u-}xAC&tC^dAgCX3gSysJS9cK6#jA0b+<*yx z9)m6G5dqUVj(#c?fkQYp1eZfsKa9ddy5-%*BA&o7Hu)>XviYfmJU3$_uU^GN9VUbq z4#y@DqFtf-N$?O-wSePM)yU+u9t5Rk=rk`thPbuj;S+X7dVw@(ganoIL8-dgKq)bb z?4A;Ch(n>7Vt@;5qs};!)y)E@c@NvboILYuM-Jl?I$ZPGXeYm9bCKC=pT;|hmQcd* zFlcPZw!?^QLy!MtDP)j?v4zEX7+1H2%#6T42Gj8tsxKD8WIVzMCKzG>rMnToB>!gr zyCV2ukX!@|lJn8F7d#Of1jRfrK1^_}>GQW|fC^E6<|{;zjDjV2MEbvL8s9;ZPCr-%h9yX70FI>hYh;WY zDoXTFzny@G*g%|+mH^!g)}Uz3`!8>N^TjDzpUXUSkMYoN6_k1P`e3AHdod>Qk(Uxe z<%3q)gyO{6DG)%luQ8{N{F#Ju{|F&)lo0+fan;XoD4T(rN-0KboGoRy_Dt`e04VP6 zVogIJ9%anciQ_Q7A_zEODr|P?k|LKrU z6h2{{3^I!&6i;*wD%zHzn}_Myr2{2c3_2U61gEpFdl9uTIuM}9?n}etj@@>&ve3vD z{g{RZjrL*1>1rQ-zPPDpz`*`LOTYMe;X2qHA9qteArY|f#zU*XB*vQ`o-T&q?+5lc zt(-x<`ImFd;-J%3y#T!V*eqOo_0yjOnD%?-N4{PUkZ}~t_-%%rz+q`$WX74u`2Q%Z zds1!h8G&AC^QbL{CY-`*w52`=zXTi>i!yF#gF+*JXPiVH=*A4A8eiI7$rMF=YOem{5n)E5yw!)VWxRa}++89zNtP0R;u|ue)mr z1?XA#G>k|190=8538V!kjhd~C0~um)HL-!870HHEhL28OKqH%a>U&UFiA=OiI8a`s z39rmW6oFGje*5XL&DlH}CyeP%4ag_>`y?19s~4Bq=y1 zozF<|zwa6MVT9E@6pQ0^c;TdZAMh5uAO|l*@uz2U;vbk%C(genTY?ROng048+FYKa zZy1L2UwGsLZ#=sK^Pzt$=w{+;=ZISz4*3uZs+#x14YoLBz8fJ=oVNG2E;%C%PL6eg z=>ABT=!Uc`$dpR{-N(jPy#m_qIlMPUvA&~A z9FfMc*8(&IG_zo1Pob$_G5)JQi?Qa~J^r!*UVMu0Fn@;ycPtm+^HFj!1(uqhhi)PT zSWT}MNg9AfZa0o3-VBxE02-9}PB7pe=4Ywd@r78*5EnyW?cdA_f-uw}d0A^*(d5Nv zG&gvFM;`GWro(ZSHyplNw&v}<1vKb_52R7YkH~;z3x;=QO5vL2^s6XG?%gyrE~Isb z0k%MtF$@-V3?XYoDbJ~Y*E~Q)GIz~A)oQW%$0=NE+#Th3qo?_QcKlS16yF)!p)A;n z=F;)=9JUn|Q;w`2B~cb%4BoV`}iS5vbN|{9)q;g^i$2{B5b?W zdnJvW67SJPg1Gb;Je|@DN90#=Qmsq`Vj=rZC7lD6C4R*_wKoVni;$m@c=&DqlZ>*G z!J{yAR-xP*PgV7!|3xd5;n}Fy4BUjzYRX_h@PW2~(JIZr3!AJpTOT>x`=pVPdK8R! zt}t{cgy>m~@Dara2MPgg#^db@7Qa0Ocf%a zXV!4{7g%wGWA%y1@G6H>?Hb`hxUVU*1C)PDEl_wge^DN)=TJ?uc z*kGJ@C4sl{G@*fx5*|GEYV6>_$M7JL^m(Gkc+;Wavvt@2mfN}T=GaR->ZfcI{=^{E zAo53W(x*vjxR=i^>n=w0Zf^nH407CTV?rpYcM%k^H<{rs z`4c9KJ`!|HEUj3?9ZEc@JoN7UtDsd5oAx0#2oK*9vVYokEd923MbY z6z^L50km;ABus+)k35QZ@t=%GC8|F%0v_c@H*pxZz+>>aZ8POz@X5WHvDX?n)rRM7 zgkJLHUN+{{kFb}*t9F1YZk!x3a--D0gdzwQex)zM*4{UW)C9t0o<6c6ki@G#R!8P= zpznN`mAiJpp^SJjc?|b6NwTjq0Eo9VCUB zO}XnD{kh|1bcFaj7s;gB4wMq%QwjBD7L>g5-4s6D7N4E>&R}0sd&tXu8NDC}l|hGb zuMhwE-Drk39h{PS5+R{Z`7lXv!if>R&@6H6>g9ujoINXak^9@1Dz53Np-Zo zbbzb|Gk8Dc$U>F!JGu`is&r#PRzw5`&zc|Uqe%ett`q~E$E z@^Zy5lA)~*g^%Iv3eP`0B53}eXI!3sx5h11DIs1obAR)zr%9Y+cUVvL-fDi=ZJm=A zwv(?8UmP#yFkK4{ZEEVbK5JPu+jU{!@^TY_>DK)GvkwAAYoz>VLd)akQd%eLN#Ifi_{o0awO(^_($*209^i{0Et z(=~Fk=Srk4nBKf}(r2hdQpIhabLld-=R1(pYh*`=`Lj(`}P6ar&0M?DxMi z+(M$SN*$r{qp=(sQ}+^DuX-@Lp%XIiUC|*d@|n(m=-cv--1jpA_S2m@ZhLMMKi}B5 zNfUgQDcMS^Fik8m5ocJRw!3K8S{Hwj#V_cYv-KLc&{$;Sr<_D*Ys;E>?6}BM?^lmv zrS~P3v(`(k&Q+>I+e7PjiEBjH2MSC@1F0}kOj3TII+Vn@81^?BM{PZ~b#C9T51aSg z-(CuFu8^u)ip>3VF7?&(UERas)jOjY`=8zfO<7t6`3dgRIzOHld==A4QH<*=q|+m_ zWKeSvnl0@3%^|)SAphz+^|Ie-o3p729%U8#yYta^KKd2SjAJ|&i68#h9_opb(f?UG z5)uwS+3();L{(mQx0Bv`xmM4Lv^ zX>Z@!_e)hM)sGh&Gos1gBGkHQ>9ICV(kiCbfX(~X-MO3_ZYH+cFIJMh*N|<}Y`N7i z=6z&kVft%i@8v7)swSzXR7G^2^Qgdt1g>>kr~iwvw~UIbX}Umh2>}L&;O-tExD7!A z!Ciuc1PvZ+aCe7b!QI^@!3hL+XK;7t9-h44y+7|_*02_w(^6esU0r*3wTjZSn%>;{ zapsX~Uw6m^w98s?XmHbH?k4Cs&Phatg>Bk1OLve0*ZKX=aKqS!mJg`5hg` z)-0nIuFSd4*Kr$h(69pGf_QAOcQA!6x~zC+!-YR75g6XBH24aUybz~^DbCXyC2qRI*+O<2`8{# z*{@0Vq&KueS*wrR??1zhm?i1c%@}%l(ov*4jPR$x)GRqK3}6TzP>2Gy3CdI9`eB+t zA0-jX2%k+anbi?f@POlXEDAzXY_U(JL=c_W;->a-FSlJP&V2Cq=#zoL!{Ona;m;u3 z=KA5g4r$XTztMrh>jSD(gNGOiOq&>q=GD9FMs_o=4~E+&70mYX(PoenKk|NMY0@bT zZ{--t=Ykf+Kn&9PQ!U4ah@-om&F1@~7PCH5m*I@8D9;0vY%kis<_aze>Yl=9)2CimTwrv+FBFC-gZp{UwWk-Y)XM>(s z2XiT)l9?$@Lsnb2iPYgh`={G&bKmG*t|i8|u4ks&CJ{WQhjlYH3%$Pd8A*)W2DHq! zEj~hzA%^nYuv;O&yl9xZTlcEC&31iz=FUIv@#{7#Jhh#oR*(1Qm=5iWBpq_Oo~RcL zR0qhLE|`yu+yNfQg0Oq!YhBxj_Z`Sd3*zrCTW0!WiOx-r^p%F>y_z+Fq%1@DtT7>m zjo|lIB0BjV`%FabJ#Ne>9HY;xNUnQ@h6Bt`x31b|+Y!*U8Ba-kAujd$%+vIYB_Vim z_L{%emO`(@I)lZCI%sUEfgf(SlX*4CWsPud*M(3xh1agBTfQ#n_x?NN3%t+g^k#og zKAmmeLt@Jg4TPb3L;}r^#AN?X07B2&jI_&KE4S19>Z{;7XuvIdKk7mzh54bI#;9t; z{`1j~!*8xv!REwaNwS(l?Ot=5BeS=!`Ca?sYBI~Nhb~PgruY(cF`8)akI~3mKZ@9G z&~KW%KPp5np7qx&RUTb@jDg;6XO7~tI&2LO;QxFvku{op7wpr5hqbD7-*=w(OZcxB z9iq~{uZPT8k}|36NSv0|jKtz7zN55MG8Fu~#K;u92w1)pF>Z@VhTHp<=j91<{mES$ z1U$owaoG<&@!X?As!tEwqUIGWg@g{<=`NqqR36bQO# zqx0&p?_K6S&f+rTIZb*^(IoI7^|Qud-EhOSNqVs%lFj#GE~i$lr@eC+nSgx{v+t)2 zGVP9kr9NoUu;e@hCOWLBzmBl=kX(M)>P>uHc|3B-jte@$!{RmOADo zODn!oD(z^-nRyCicZtiiZmoK2p+2dqfQ&}+eK`xezH^iU|Mj31R^#o820E8rnK<(Ag2>2O(D0qJz~zgu5CUVna`=A}zN={OsQ zUYk|0l(vsfS9fWy&{5ahwAy5Q#bi2;XI8sOw>|SzudXqkb&uL6P8oCrgx`;R;_^5j zvwl=XM8(^7tg2|qchpR{+b45B7;~t2g6a++F;_6lJ;7i94$PxU%9n@u7yd z*4FT*n_v_0kDP$T3sNg$EiE(t|Eq__OhhA+9UfRm-@n!EJ#_> z5w81YjC8fRVJ3Rp1;6OcsvozqbWb{!X34h9@zl2AVM+ar-Ep=2hI%qUM-X-I9Yp!U zq_)wV~rLG0T*Zg$o=T@Y%6 zbzwO`)u3v)i3 zMewakWyj{j474k@vSo?{k)JFlzvXk=W1D|CYL#2K0y37+}r2G<=S3D7zWn zIr^f{7xBHvZI1o?;ZQxwOFhtb-o@OdrHHM*^-l|o!}uZnfVN8}t(V}ct^IGO2$!pZ zHm@JAV|xun)xBLUu2i!HO~_JjlSy38?NU(AgFK%oju#KowNswph6|oAzw#eHoo~i^ zvd2jB3D>6osn)c1>?+C*F=+Ol49I0uQ&$^6Bz&ARi4snHgz6Fmzbsi-Gxna3+ev`G z^{NH!EFkUaQrB=BxG1eqE6X?nxc3C@gFb_$aC36=NjDl4C-VkO_hn~axf#Z=_DhUa zWfu|<>oJaO7s+lhwFfdM{N@Oo zVaPPOWBife(G8<#6mrFVyNWED{HQ}v-s~Vou*vkfsPeq7!jttrJyi9sW%>DOTl6^v z74EQH&wK6w$W{5qc3$qY!9BU_o}XwEmTp8$nT?=$qCzG!=JDm910iHQB{kWpj_~~w zIo*eiS%rAltsUT|E!6td3#XLpRfoC9<_$By8jKiDdJ+ouuPG*8NskH*y+z-0l0xZI zpPEkvLfc>E=~_x#HD$auu>L+BnCJ{($RG$#hHL8%%*cA3;l=4o?rtKv15`~FeOtK#`_J&gVH;m&!@6> zOwPuHxx&H>Gl7x)sj3vFC*8_rxrbb2;HsPfmAnCgOA=;FvSvT4vzlI; zf#<$uS8sV`Q|p`P8q?@pQ(0qtJmpV4!ItkqlRVzWo#BNHMi>-G3Pu_V$<8x8S;i8- z!($O>WJZVvuAe(BENoVqxF?plNeepM$jF-}medQDRVS7%{}ibTl(ye`RYVsrl_oI= zr0)nE39(c7u%NsnP4cj1X6ig?i#WC(FcfTWIBjEfefo7>Ka5#$N&X>0n_i^Y9;^P= zDY~rC*dbyUAf~l9AhLB%x)mi_&9}=YrZ*_q+@JEgIu7QXX*Z1K%0IG&G9x6DYvBGt z9BYD@-|pl_~G>=?yclJxoR_1Sfn_y$EKxgE(Nwzd67f~U~A0)HLFC^1EKpdz|02jTg;TRP8F-GJ_jZH z%2HCnb0`N`8~H=Ai~@tH6u?-nJ_Fpp5y3h%+ncgx-uOnteH0#VpI4cRJWL(5PbW1k zWTk!~kHibikTKKBCB^4qda#7qxJk1rcVma*DS1$O>7V|bozfQxD%C9I>+hGXy;?FfJzae+Uc~RW^Qm??{Cr#295ZBG5hJYb|L3Y_ zKUXb6PNiDnu2p!e{Znj&nLUVv!dN^vS;VtB6h>SP4FM}WK%T7$jEVy?SfvIJ{rm#^ zekO$0GB{0+O(0XI8piK@l~3V_a!b9!K))`assZxoM*H6Q7H$5Qy)cVtcQs*fVA0;- zTl|<71S(}FP7LL@UsTzLe$56l_?mfujB7y&HXg>|+IT1&gat;SZpwd=+M|%kJt{-J z#d8VIz&`s#=4n~>l|~^{+4dAad~vdyIvG-Z`vpplV}KjTvM6TP1$SundaN{cU_aks zr_6trSr_!POccH-Vrhkx9yAy?#+R$lXyQ6(6vz86ho($|#_ za7H&BNPkvcp=G)BS>4V3&e}P-<5YNXnTw?zxYI}!w9NcxxkbqAY~8daUC}Z9B6T}f ztR5jPQog+b56@_L@pd^8f_wI&*1;HC?x}?y8Gxd!zS0*NU{Zyvnq*)SU#VdZ+LT(j4| z-^V_n>|}XfkTD8dWGCHsRvU_PWFsm`!e)&(iVYZG@kgX7l_J9f6Mlh38u}JZ3>U|u z;7>`hI%CCh-{n6o1Pe~ps`f)AvDY&Cib1D#W2Td&CLdj?fNYG|o~G6A{RJUd9OQe# z%m>kyrkbi~zmtO&6A3z($~}d7a5dAQacDd$iP&g*`>+Q0au5W=RT7M0ujZk}#!&r0 zF@8-~zZ$lPmt1JVNI*r%5dvIRt9CRg!OE_4y@q?aFOY2rD&lIGsj0r3I)-}xp~j&? z&es3wKfSvm^+woUaRlylY@o4mO7X#1U0v|$kG1SQ?`@TE);ppH$Ka&v&SyIGlLJZhUc>CqNeWD8;(mQQ~Kl>8i9<>}ZQNj&b zaRe$;5RyV}*2-UTfP6r=W(I>n$GE>SgQ+TE5rM>Ur(coV@r}M2inTGI&;}%DBN95q zhc_vD@L@$DRpDWQ2SQ2@Yoi{PH8 z1j}hwFx-1^i_LYo4b!A7-19rF6gdXRw6Lh!35?YhNA<~eqQfcn(ylCovXgGRr`C{< z+${HA^R_p*(szOn+pPZ(iw>rd6M&^FJ+}4%QbCIzvzmO4ioqdH zXULNyWIw}6Qc`O&;?-*uXG$t6MIcOvN0N^gXq^!!&2*g4{mmu~GP){nZ5V`At@c0v zow-HAk-(&`BG1Q>^}FI)=4VP8JQ5bG);c^aqPz`-meE`ke=$r;y4YJELQbbWH6BiI z`fT=_I2kayk*iXsi09-cVGr<%tPoatAPQDtF39z2&YYa~<~6ZKvO6r!2NpXC0}TBK zY$Fa>e-u+TP%6jm5tgF;L+)`&n_#8BRaQ4yo z8jlp#PY72l-`{FJ&eAZG3l53j(BhhT5vj>&n@yY7BQ3PBtG+Ek5PxY3>DJidf)}zh z1E=r{c{IM64|ipncOn8wC?*Jbn8KKH9TAIAYdi;$5S&RN&Yc)6t|jjO+MfkQU#m9| z(1un9V=Je79&k28w}clDroRcD`0UD9)kq1%;0LNCDykQN&mlVYa{F#*wSO|m{X!4z)ues;tt7P8&y<0jI?r7VgVR_uAQ$~EOWM|Rhtzvza;@hRy+1RRuPgwFfB3QWq1q(J%EHa^ zmei(w{PM!ZnL}>K7yhF+bq@>+v5MZP`|i3%aKjT5nTgEwdW?e3htUg|t@?pvLTYqu zsSMjuqK2OiWEjdymk3g>%EWcTYpl$D8sp!PUqE5AGu1-<7nS6@ZeY@;{xtc z$yPB__(Wfd?%oG^LF_6jCd4b_N6M#PmmsMFT!oQSaw-dsCUEt~V6n&hYt2WA5&X@3 zu`_iA?=gbefE~*8LN)0piUJgW#!W~U0_jiz#jqH-dlL@}4TSm^Bb)CE@aOBokz$Bb z4tm&RWIUSo0&Mg4LJo7U@cLw?;;uh{+a}u&7>dTuKi+Qae3DZxbDC3DsdNe|b$ilH zI7h@8IJ4dh(a@(Xjki|QPZS0&yw++LKiOBPX<$=#HR0fVupT8=w@LXyKt}1Mq|LG~ z`Xf8`fcMRqetvE1hjh*T?8v_%*}i@s*2;5ZLlNULnjx%CM*Gm= zv_HMq5@{CUoJ41KN7h9S`r3)VqPZw<#QvKq_`P$Ih_zv@Mxy9d(}7mo9AQq-+eEn_ zKJ}rS;!JB6FEEuQ3u>`z*IKp7B^~X%+<7-57PGLmsRseOQ;8r;>a{07*KQP1Yk2oFzVr(VkCgaP?yaXm;+{Df zMIAezbJzsp7(*)Ep9FNn5tXJ)5Wi}*gm#hO>UT!{8kO}{M`x z08je19q^_Cx=4zB-r$@YpZMDlegY)AxLI{6={AZgR!EPcCP$Gkho66Pa--+NY2Tij z!tax?Mr{RgMLclzPIl4)g|8Glr`%K|zEN~PfqbUpx=tF}DH4ui+eGMyXVyM2uayP1 z^te(wcl^5tws-PqlN(L0lQw-kC8xsgE4S8yd0%IpmaM(!GDxFTJ*!r_Olg=y6$0FV1Ev2@vG5e9 zMQS+?Ws`D6Jlf8m2i%{$)kL~y?e(MwcdkIJ6RTa^>SRQVxLc3=0l%HzA@fBbU8k4R z1v@lH#qyX$FyK0T3 zT)$vsSad`aB4ac#tUf{F(kI3k#YijOSH?7v`_|KTuUCjr;)6HE#!$at5e2$k-b^~r z;~7ynQn-XFE|(m3CX4wKfXQ)#NeOM6J3tcA=SVBCf*ag8j^~$OuJ4aKG@H~Z*z%Yf z4JnL~oGmkr!X^E?#yLH4M9Xexge!e3U50~&)WNKMG-^}yby(>K@q$TGI zd!;3Dv0bE8SQY8ZP(#PA&p7wT$kuMJMr=3j4e74t#*7=WS;s@`l)Y@)AbVYieFQ5f-u6QJ&gVBdLhs>haQ@Tm&j%>M zLQWpG8}7RK$CNMYQGQ=g#`8&A*^WCgBrRj<&y9G~toy>KU+y|=1UC6L@SqV~_yRjf zd?u(69{hSomM~k012%xdPc|(>NTRTdhOpycpB7iqx{r(Q;L4X4-U-HHm2oG@ z5*-wp-tp*9HI#^bU~ws5p)%XkOc>{R8r##8wlR zu&`PR-ysc#4elLpF>W%$Njx`7HTS59O;T=}3e>$6d)wnuZ@1A~U$3QP!^g5h4bE6| z_diTg#bX&-;5E;Sw=@tuyhd4x!_JeJO%V=b^HjaW!$oNi3kESy{B)bA6%O|8x-KruJ$4Zx=)U?vv~CNgHb)d)=?0 z+hq-0!j*+rt|x7Oj7~=dNgzcmiUlwm*h=aCxG}`ZxKy%ikgUFnwP3M+4J*3=Aq`2m zc97U6GJ-VN*2tBl9bT&&SvfcWVO^1;9A~NVUijcKY9H_~bZ4dM4$u8yRu&$94)bQq zb(U;XBN7rwBP4!IZt!txeyj=0uVlhT@rOxV^Ss+Fko$JIY{*0u#6f-lSm`s{01p3Aoyheb21rC(|kgKNS$*}Ij2rE^)S zMEbA6u-KI}t5bf9)oUneFj`j2J5Moh^zl zk1qm)#YW+IX-3wOBhp5@=hC}(cGu632gu;$U+%c?2X5w^XXn=&U#Cic!Te8-Vub$+ zz(G15|5v?FD?L!Vkld@~zyy%d1$uVbzXn5qK?EAy%Z^$7zd_Ohx*$%5 zSZE{FvICXWQuH@YAnrv?ZG6RPN0y}6i#$sEPnHD#q`S@&Ijj3`Y`lTmDKHBK>wg5C ztiPQ{l=pKSpo=Nz4^rTDHCw0q{o77&{!Ob;$Um7+{~Pm=%Sz*ISzyS$5gw>sB*lK8 zUJJk0BP*fL+D!5Z+c2%xd|NM=6XbV5cN-A~!YQ!(YMypN@;~Xq{A_tBl)izXoB?J^5rpX0tK&s$LKXA)DsiIcQI(T{90$OA-xr0`_-Su8}r{A{+a(2 zeeGJ9mF7R$^uxb2;+J=C{I4akFyJsgWV8BCRv(12TpYKDFOt_>EB3!OHyU4` z33k=XQsBY1H`wV#i(UM0_}i+ChSqP-w};F#J?WS=N~7;C_lHpF(5G$mtK~ zYt?x@MU{9V+`3G)whU8>OBGr*y7}xe38Nm=f*RJb!jZPjJZ@y`!?pT|)w}mi)mwiu zbHQ^eDvt+%f%kC_iD$^#n`?J$D|NGxh!K!iFQceq6O;q&^w*ZMvYMo!Ufb>dUep@1 zW8hGG`-sQ-ol^e54?eH>SiC{G%ZwlyDD{uLvh8EWFthn~$-FgqbGaqrDEYJo%X41s zrxWwN<5;{QxkHGwe29HsO?BU1wzXGT;*<%UY}Zw~%6WIBO1-jEiM$oLi(kQEFN@-0 z`GSs=_C(9*%uZHY zJ8hUVr)_25ez$aS&m2d!XB=B!$)2_S`H`SG+9!sX{HX&yj<}inz(`h~Brc0jc%LCB9}#`_Xj=6}L%^IW*Kfh+hYYbc^e?%rl#Q%3ITWluq;Q+d0U?FW?M$ykv!TQR zU;|wgNe-ZgXOGt_x>r(}CjfAzs|bLeRNFbMwM2o{PZPUbCHucnRo^Un1s?FP-caRR z>o&g6uOp%od z&PR%yIlIjH{3vFehiUGs#M3*AWFTw4#u_2p_xWk3t+?sOW0#aAYtxv0oo68#CbGW_ zX8Pyso>Cf-cRKUzt%ied3lra&_l2T!HI1O}*SJ|!1AGhd+ z(LO(7=h`ln5WG&|pvYN`8w{>HexmZqIE@#Wv{?U8Y{MtVCN%SS&6n~x+Lu7|!Jq|f zalwJmk}&!q`j((0_i1T;qr~j8WChp+(9;cDzk9GMa$l;F8a8~q!>qoUzBb)YOV~R< zW8ELTqTSEE9Bn8rqz(?^7FbM;Td}j-9!ZD(^uve+m^V#66*8n=8CU+LkJp>O%?WWp z*A{8+g=+lGc_oL|H}?6%LZ2HC8myAz%T;@(n$L^40CO+SF-Q~my-J}^F&F(Eg|8vsq9LnF8k83?X-c0sE z1CMQ@Nf8A%YkL8Tz@MSb{XD}G6VbFMKN7urqo$2*!OfA(V_Xz=`nLk&TjiO|qGb=V z6w||^F71;QTB6iZvT<|+JTrPZ{)t`y=VR}MpC*>bZpfx2`dBL#-gMNwzX@;~5;mel z4Sw)&Q{lAVZV}%eHmo4Py@vF(@8+kPZuZC6&wdIT@IfYH5PdlDyTe@nBY50OeZAz8 z`2eV;D%DVerUBzpi%XJXx&W<}JHU%lBW2j1sYv3nobF$CKQ4QMY^9iQ0{Bn;;mk&) zpklsKCY$KvMO-|)p+O>xcJ^L($FGm|Bl?U(fe~@9?s=m-?jmGwDS|p-vOZ<9+eU{X zAG3Nnx&e>qu-#XtGk>pF-Vye?ZsZwcOaL}?U;#7oh z^dquOtvJ)pTUlS0TAEf&+F@y>`gXfx()9W#3qo>}a3+?}@WP{O(!qSQB*gaZ z#}H%?R_xG~**>&E*f##hHYr_%VRL2wC)UolKpl%dG z+xMeNv}kDl!MWw`3D^Z`eIjW90%d~@McW#6u9{JrnD!mwX4r&Tuz>#@-eCd9aI3)6oOF!PS6$UHC3kpxpw4)#KEs1d646_>&a)Y=SP=Yz#OZC z2LQvH3l72F(_uLk2mb+-zHGkrVqD&AvQU}nM;@TM_EYMb17Ym#g$Rjih`gQn3cZz% zgjPQSsAKgRP;NJAivZuNG{R zh;3Vy6WR2c;E^#Dz;JD+y~KkylYW*J0LhB~b~6qdrz8?1c*H?h9K0v~!l9dN(r#)8ryk8fn5zo;xXQ_NyUJQe+>4I@Eiib*Gn&DmqD)1~@H@P?U@eS~G+dtixtax58$2_12%!e`Z7kdTMN} zS`X>FM!pV;5`EH=YOAv_3l;!S#keYyKDnvl-q-@i6{!}nE|Z0asqxR%b`^^^hnb;$ z2Gs6yhs==!J1*gWn%XiFtj{%M0aMLrxZdM_uH+RG&%{{PPWrRAxB63Ne<*#2nn=)% zO0f#RI(y>TRC9kYnLkYZw@$(8r;Q?u12y5VhDBa|qIqgg8!fyY$INHf6=;)0 zkE)m%Gf3Pj{>e%Na2!-6rN5d0kE*(aG!UaHjD3Q8;xSkXgiHiRnNEn zK#x0~HHH!@Sx}8-Q@G4n?!9p!w@`xJv7Df4^gLiu-g^$NClc{!yyLUFJNbnfHW_pd zPzV`P`D`_C+R@nGQZa+t{20h*;V6qu2V(7)UAK!mbnC5Bz92g*rt*F`YCTsZdfQJ$ zoKplu+2BeX!C>vk&Ghiz(QWmfn_dh*=$eNP8PB=Lv5}L&pL#>2N8F=#Lu7RM#=i>s=`## zlgcVTL8490qDXj340!#uYhe6n4TA+N1UE2xI15P@4lXvd^*rF7dl1?7`VdW3jANWh_2jl!V^vH)Ea#GW(2r`3*T6|Qdg-m4>16@iq^*lyU2 zUz1h3=Ej#A9g}?tl8xR5wx-u5O5!LW#U6q`-ON~Ys&69+#zY}E)4MOBi!9BXWsQC+ zi(~6b647^m1WuJNmnXJn#OtX_0YLewJRV&Mz?Y!|*Sw+`ZdVK6?mTLB9aiBK%91Pw z@()u@=Uj(2>&b27qziCl`wk=Sb52>&RM(X_2D zJL#Tdw4vrB(|&!KDi#mOx;VaSMEWNHds2h&C^9H~$|Aiv$=Mkg7>wiajpiF{D-!WM zUZOCC-bSb6^6#HQ)ZkwGzoA*1gaUNfD4i>Ru20z4pTrOnZjLkUp^4W+9UW5KJ&PRCdqY*JHDp+3gU!6MKvCgCikQPi0K;6#&G?gV)_0#WhTmNne7#zRGU8n2TR7bIpH{CH&xDa!{13{% zBm$>&uo35ApKI*4Mh!;5!DcPcV88T#XA`oJGO00hbxqUjRkEsom|nWs)$>tguxZYIZ~zPIGu)LeqKEdKLpP zOjv?JUDZsRKeXSi0#|uTg)wTq;yEw;^!}p%cWSQQP_spB#79Y`#Id`qxZrjL0>=pNc4-cwo4Ec?VGgfdT#hd)wdrdm3+_&=K1RkR?H-rNjocU*YFPiD6 zM0eT~Mk~4#r#`M<0&%AeHXTIUP*2tH`~z)#G1CCloHq#TXD$UGfYD%=>C-4e{&VMT zmzs0ob$4A0xw$hyiIoAWL(Mts#W6|2sB}x>|Ho|TzO0?!;Z99sv~}{7e*_K?CaHJG z%pmETJ*=Nrn{DG0L1w=-mA9RSF}*@ahI+AUKEFRoigXezhDr-0h2yY62w^e1%2g*V!6Q$w3I7D$!&Vnwau8+zRZ`BGvihHK9 zbpFJ67>^Ko+Yg^LByxX{v2^hmiMC7Vl`Z!ky39C(YkHUTz8%7G7|Ni)wsa%aNjxvjmcUPFIantls z=;g24xrL-6s3GlOk}Qi^7o%3WKXCulT>ZDQVSYhRxOMmj(UkEm$M70x5&35F!A8%k zJm~h!z=OPj916!QqeWL;fNMc5`Uk_~94aSBnO)gnmY+bWT)p$2+XO0yb9}>rv^*AY7YPOo{Zj8aXVI!y2fAl<4_T2urk(6(6 z6p}l(wp_kZ-nt+x`%TbFO~bxBav=-^@a+VePX4D?=j)6~p6QAiQHnaKYTmn#uC_$n z?%`>(J77ljZj}AZMvv@4#G18kbd@FrU@6`q;n4D(Tx-MFyUCrPqjl!@g{g6Ywy9$z z$I>3yl9!67ICQENtH~ZhE`VspAaDX8@9Ztjws)6(DzM2526{#5x2SZQGDvA3s+c=zq)#bMZ6n_BU^m%1E=ZF) z#d|zn&Hz`O;L|GH0>@jOdMvBgL)fup$D+gFVu|DK%boXYP#X}#$FKZ72LCQj1Sx@T`E!AR;gDLw_{h}?IJ4^&GHVt_Q z4EQt>BW~WBA%ycc*>;WSTj-8z(+d@6>sQ`u?fwYB(yweA|MVf(z5u_NxT(6<7%OlC zP`2KjW2bb2v@>ykJFfq*(RxQX1;Ed|z(~>JTCiW_+0)*s zeQ`du%Kr;hTmYep-G;G+^OsPC7Ires`Nc&6bP!c@Fj8M|^9tTJDGM1hA!LYd@OEP~ zX>Q*fEs=;4`}68Gy!zzOE$c`UR!~$lk)=5U7Lt5;#=A4ry8W@Aohr;FcMaV{uH5OCcOQdL9WY?d+Rz=WQo_WM7#hE!vQ!_ByE7*Is<6E#f3yD;%#o1 zv3{5$vl?C$J3`M7=Ui?VUz{HKx6^X`DQ02aL3Vz69DtMBK6nTx`0c?P9z*5;Cg8B7 zDuQQ3x}6Z?QwP&b*Pdn;V^7^@T^ZH z3GjtVWH7*&?fDjG!WIzH?TiA;4n)vFFp-O69EEy zxd&QR$`*!@+JlhIZb9dP>Y(0%Gii~e@j7Pt1g}~R6O2dSUu`nYIYzZ@+#s_$VQ(Gj;Nr_9O@ zv|3@T_z(px74*Wj_sLv^+3DH#Gpgj<;Ni6eCM~`Z#*7)SD=F0f6|IW|_Z6C>Q@HtO zfB9MXlvKjr(CSzDIhFP$4^v;8TeSPsv%;-ntB$j&^ocBer?;el_-|(Sv8|H{757y) zlY)i61TFu9gJE~>#2KHs1&R5ws&G^S>My~sz_iP@0`(PcNBiB^y!+R@^uUzsy{`W& z`dXFn%k}L}t*s9#$9+dzhk^l*_8b}~Vu;J}%`OJfSzOExj(mvD!I(sTMS8}~eE~Nl z_KIhINMCd%@2tnsc3!_->rBe{7E7^Ir@nZQUbQ^_vf|e}ui45^7W5SQmGD^Db9;qJ z?<3v}_#&c>+Xui*G&@;-9sfNmE=6GV6`d0SQ9is<*r_?2+Q_EmkhclQAR3x>HER-8 zWLCfw zxFU3+{!AeyJ6)X3OWX&R~mou0zXO)=NS(aSJ6pd}t zzr5?(2-2M_$Gn?iT6$K1^wkN}YF!htaJ-KWLb(lgOmTTS5ApB2v5G1$%Ukm^mkoG) zGgyr*s_g1NjJP6=5)u4fl19ylN36Flj`__8FdR#wF8ZxQJ)<|K6Z4GPEyh6mP3DcsOD%~AyfEx?3b?D~Ca{xA7d4R(5WqdiB z{`8`zQ=JHe1%YQCUZ_TA!`wP7|HlR3b2-w(J2f${-cE4R!uN+#nGw$@EFeJg7*snf zVnV8JO;I?sLbDri70Xd%wOwpxnaqgQl~Ucii_rxi8;VWt$1hc~)ll&$jo6YKjo}t- zuJl#PwGV4Qe0^~PF_>ae#z?i`)(a1qK6W5bsuWI=1#}?n3IN84Nq4(k<<>R&Cy%-h z=|WPe>Z7;J#w?OFlDj(>RV+wc1!H5hwzSe{9|JHjKT5yvG2`(-9j}>dreqq!%pzo( z7k-NS84nS7-m>Z3dQv~Ms|+6Lb3+^dK6bg_Z4gRm41~Uqb<~fZB{C@h4`5q(h<^{! zJ>3&OLhPeRJpV~vguO^7U7>}_G2k1VG?e%D{^$3mwR?sLdA_^U3a6X1(n{Ew-LQ!FnuxsXr?;DWD)NS?q1Zy=c4aG%PS{cCiyTE|qj&Jm#gj!9sQoKI{O zhH@wqCD}wdOiRNVU;*`Nn$}b#9b3=Ugq|NU1fgr2 z4{B5jpo6qok_5ZmTqU6-glsYIW9uik5a8= z*sgMz4LSmPr#!jAeRG;f99=sb+}^wikyDTVfy@0sCtoNGO>TiRasSX^Z}b;v*ZQsX zeZ1PbPm&Vm_D)0u-<9C+`K)#TFpfk%0 zushlvAD`rJwi~1F)y>w~`2=)CE61o?gsrR>KI;FfBY1&`-RL^M!}>VI{%eBRBQq90u{lK;cPDZmJe5ZfFW9IEYc+8bnWOi*F)fliVg? zEMF)e49eO5)%ibvQh+taaIrxl5=R7w1q|TMFS@FB=q9+YJK$-Iq`XJjnI(kCXyMYl zzyrFs=FEu659eQV-F_1rV# zp(}J`)+O*fY8KN+4ECcpDy}H;HhQ!Pg(AWY95KDEbU{T?B6$GkwLC7hkr8)}QTDn1 z&%9mKliQxL7$t;v&;9ha?!ZDwhtTjDq3k6 zhjs!pLN@-RucGt^Z&_OV04I41O(Z<#0eLtN2sBUEWPx!+)Oi2yqhlJJ0>dK6kor4( zc*XI?tV4Te@7Vs@kppg0ANYfJ7fLYI_O~cKoozl?k&Xwtk*ijk&fB0QN9_hY*jF4H z{@)i>;aXwcLX#4L!eI=JB)6iIQ*nBr(#ql9K7aHAanIRx$s99BD}=sLwM0{N-XbGQ zMk6qEBFJW1quF|sAlOj>LVo8e_~03_en$O@V~t$1mO~VfQ9>pp!m{Gsb8yM_uQ6NT zA19JlWvl2M_2p4!eYbGL@(n@t6GaHg`zvT=O{l-J8xc@@9f(wJ`tVs5lz@?qjP#)D zypLLjsfK2&=> zkQb*D{jHh$V>z5c{o&TQrrwYcM-%qur8xHLIkU{2)q*t~uF)dh;9VN%C(H&ghEC}) zw%+B`W&xCRfDk}}^q=z)+a4IS!@p5=Z&Gz`j+YZl(zp`E#z9)fMD{6stX{;z%5OmM z9?)3-G3L{%5Fl5X2kBtO84{sf!(WCdloP~h>dMk-P9F-yWVJEA9dCV3DqUDQb%fA3 zXHrQ;J8@uh8cYo)gX+9MG{uBM-@lcspSoeo$O0n62><^P*+5_?fuRRwABlqkZ&H36 zoi5fdR%#VgG3TCWD=Q`X_C{LoS?GHG3F4Yre>7$Bt*~9J{>3#j*#e-45 zJz*Jd|L%PIii7i;eR4}bu~BlHc$rePCK?C5iRc{@7$l zwhAC*hDGZ0V*qKWBy8@GFvHTt-S{^9G5}t_G2dN(r>Jt$k;u)_fCBRz|z!u&N!I3))rN*z)=1%o9YNqQtzX3 zW4fc3RX!Hv{)EBNUx5Zdfyo{~JcpVJSesddo(V4O%23}b zY-5Jb8_`bSYc!43P0|}KoKH`?qysR{sf+WAZ+kJy#EXdX^wSGDjL$0 zKgutO7m6N@Q6^CAmG-H^HDGuCANJlds_N}+8-*p^B@M!&y9A`Wq!9$9Q(8Kt7Kn6< zgc4FB(w)LmkdP7-X_1ibZq8h|-Ov9y<9*LLpUycSp0OQUhcf4H#&zHKb;q33Er-p~ zQyL~Ljb7=?j`(O~%KdB$@x+#z;CCxXONt3qYq4XAmKFEXHBb?$uACrha>aX)$Bv8}e`SZ>n?W2*qp^qSFj2UJ@ zOi&d=YdWs_Pb>_CvhR7M|v_)z~MB!#n+5337PB3l*A%m>V@GY|!3 zDj19R<6c7GdMk2Q5C#FD9x!!)PP0rbp622=sOe6h)0_}u&g-3~IYCXNu!ju#;1_3sL796}& zz*?e1vc!B+!F@<2&V@6qzy`5EBVP;Ma~1~gvT%L^zmG|Z&4h}M9U;a9Rz=zYESRe` ziV6&(mUu8xzk}8zb5jcXkwDoLZ=r!M#8fUt8e-1Eq>s!z<()O2zBX;_BmJc=&{Xpe z9Dyo)#z3zOY*=W)P`%%+MREie3xQ#P1SfCDkd5+$_Y`=pVyfPwX|Uvir)j*?5m7Hm z7Z0SM6Htm(0o3%J6KHBGz@TbF%{PD?dOCt|(9S$E59x)&sWyR8@Z*lxV>iQXBLtdv zR-CfzN(&a1+P*jV=qJ+tVBrPoBQ!Pw@Q)qng>0Us&q^ld8vAMw1+!oh&x<=ueSp%OCzqkhmgCm|od zGB>W?`cG9Ug330cB#&AvfNg#_?we$UXc@z}j_5aJ15=(2ig{39V9!AsV3&>}V{3JxoZ0)JJ-1oXO-$(`u<2QbX%RP&A~ zPhh);68;*XCrOBQWGH3}QpYsU9MxEDBtmBT0TO=sVk9G>rqiv~IM3lGKD$|)PjYm6 zBsitm59Y@!v3WIoBq>Eb-{Da3Gm1Z>i(^7XMa^wULPK~iFd8tv@!U?2R;V<%dbhfC zj1(+|v&Fp1&3;iK7ePXwgm1dA_CwT!R1<(Dkq8~91*n`xAnKTq!0DO|j?yP}R0g!$ zIlVLzXhzSF$c@F!iRstD4lh_BJ?v~@x}T!O03I}^KhGPX23u1K8Yc;gnyx?qtLB!r zzCA$<6s*5@E6}|#lvXG~Eygo(_LJ>M+Ry%W`Y@S0m74-r`^_i=eSKHju-#1L1$V{Z?~MI~=nu0hmiw<9Dp=I)dVz#&ez!e4`m@GC=NQAW7RcG;Ud z26eL4AhB8NGoF50+OjT3AK!D|codlcaSjMm@v3{T&lHRI^!HHDVYo27rzsW<_?w-v z(!jiULSkp|LfA4JD*41^+ft9r;oe(vpRsslKBd0O*5tSiGM&wk!*j3-^Jq^B_ZH+Dc8 z!ypRk5<`6Y)09pF*eeq6dW4;(189PT4ZVF1!9kb#Z#c-rFju16kPN#n;&8#@3v#-2 zVmf$}W6DS~*h?s4?1Y%Vc*I*jHpKkFeYg7w(v>yCGhhy`tSI+k!f@%`8aKoixIUMD zYa?n0AFxsBg+v)a5@_Z=m(?4GZ0RsPgv5-xrS+Q&-mDT87)pTLK)4QYzd9@kS%FyJ z`aINyFj86)zY>r_G@g^!>{!Idx)Cwu zr!i*`-P0U87&PIF2Fft4=jXbAmC#jX@8>Goh4ISO=1{;`ECegyF z3&NZu3}HH$RD9Ada_^#{a3kPuyzgZdEzjg)l|Jw0S-MpaFnr(R8VSv17teAq3Lcf(ZvFO*IqY#F6L z%F`>JY{rf~gjvsp{L;`kjda2*`DWfOV&Vxm+ls(xr7tww8*FRQtlT$8u&oPNlsAk% z2`X&?r|~g#s}yE;HS}K6@eHeii9lzVBWAIa@TI{hty@@2{6<@OyU}F(K!T3LJqg0vj*ad zlObn!qfz9;5S>%o{7>iqvn>A~qs4$=yv{LA{Q8T*gkB}bX2wenz2qfzD%JhB{;G!# zdJ-1*f!LJ(Kg2cYtSzvmR&vo`Ds!^InMqS3py7M5N#Bv6w?-`o&cz3t7`4oUn)iFZ zZcX*k>akB1OA0L;0Fk7n(%N7JV)PRc@_AxR(Hoxvs@hm13x3}f<-yoNODA)&W&sjw zDG%p_e=pTGq1+y=G}un7FlNFg<<E-vpa!OX!RIW5h zvV+72nvxpa?JkLGIj4^;MMzSm_1+uE&^9j%*-x~pd`eZ3x?;~a^%b;0cUtl6q<0^r zDC(g{ujjGcr`m4i;c35$r*{7pG_pN!%D+-Rw|AO0`*y=@=Vx_296_2~W*|dg;NS=- z!j>3cMZOj!F`r-BO*~BdFHH+WMP`BY51Obv%@JQ+EPj}-qjbZn<%AwB95)`a(`N6`w=>Sy-KZY7A z1FSzWV_>~HFkUx498?jA9^Kjk=!$4JS9@b;YgD~;) z5vsM>oa6XlDu0I;0QX9JTS=Qr*J0)%2 z!v#JKIIoMvTjdqVDhdLCBrcH^gdi9-cDx}1)X7~;aO;qmgmf6Td%JGMLqWG@Ql0)! z;Z5Z)OMdiNT=TlO(vkJw4jl9`fn^9;rC!u@Grj*wmQBs9L>r`BwKXkp;pVsXTX=N& zTkwf4Cf5>1`V+|@)uU3QDZKEn*;Y)I1~mB2-FD;%a#}zS@+%RFfAcE>kbl>WP6V>F zBlm*A-1|$Yf+`B6`~9e+?l#@0fQv0vow7Ar1#iXXCo9q->)(kV5UqUueb-AOc@?ky z{NWgCI(~N`z5dKSgV7jjo?>sav%oJnr%Nq&Mn%j558i&Ct#JVrq&duiSEik<`qRcY zY^sae{eSIJ{f0naHf0t8K=o2W_;Fu1;_6qvta!uLsMUeMlNLA_IQ@}t^A^xJlyvi zP*#f{nvJz7m|^poia`Xi17aKjx^fz+aC-(B<9AqZn_5wB`! zzfmwD2Ed{adW_Bz1=M-2r21uOUiWdQT%}#A{?`3S#F)aOG|glpMy6@p;<2nTvHXU6 zEz@Ig1)Q4>$_Mx36ts`KVS+60{)ppt56!Vu-e7xfu-Qb7#!{iYa-~s~B`Ov#AyviQ zGz8U424UQ}ba@)fs=u`W|3)c*qDHJ2BLN>o1BG1vW3A}Po%a!BIl=MM0W-g=9mlxs z{mdU9Qh3ueAILILb{SXJc{FU1F?A;Oaj)sg!#)b$DsNH?eCxBFAsYBLbFwDktUn&f z>L;@OxJkno`bdsBI*HmLGVwKzgpxq z@Y=!Og4lK}LWP?+wp|aukND7>!!GxvN#pW7)->(CNiwBiDNoMTW3{B22-l0zs_WFL z?I7i>^Rs=1-@k4h>0NL64eRZ747Gy-HSfe_+ThAaB!PfMJHI^&E0shVWZStsCI=2D zk`3E1=js=#vn5YbhuSY5_FH13rbpr$yaMi{G(-jA@G1YhVIZyn)HA>jIf%o=4)%pI ziED~`rmbx@?wYB#JE9i{GazqeHJGv#s-`^*wwllxia9Sa=8m8qH#PO&szS*{rwzKV z_+jVO+4)efS@HFgtMezPcGGF@3(m)kg96yRF=^Z{@-u&K4i3D2K|ZffdRa1t zk$Pu!$dp!47SNcNbO)OSIg1ynajcZ!(B0JbJ4=)S2oBzwbA{K33W@V~wf3X34@-@? zy0a%$qa;`dUJIq79j<>#u@@i~yC;M4)aIZ==e;f)0*)nr;HX0gykIv%MxeT6MjlTg z{E2@gq2JFWF$UGonE$1uK5ojcnWk;6vT(@WlNc;-TJeL+y_?+!u}f0#353 zee%&h$A7pUe(XK~7mEhfD__D`Up+PrFma{|>^s!&QCOxRSiKhanb)R7MH|?`1!H_r6WiLemW$P5Rf)&yj+nRr9cQFL7R3@zH2xPj5xb;jS5;1>7=K%Fjq=hB7qcKcmjeyLr^G%@B34+SzA@Gs6>ZUikMFxZj z84yVUKo6w<26OR6Km*w=x>rgNKWX@yq?MOAK0zfmXwCN=nz?ye@H)_76_E1Md!ptWP%3tJ_G{{ zA>wrAUO82w+2|PKsK8H4NBC*Bc=(1sfMWL3y9q=H!yElFFTG@8#CKR~eYt_v5JD;4 z5_s5MWB=k$YB3SS<1s)T55h1L{EY(3X~2kc62&5ylB8+>ne{D{4G3u7kI3f=L`0Of zfPC&!Vq-=JmHD*z;FTynJSu_s5h&$TrlW#9JfY zL*^eZ(6hj!G<#^|_m%1J|IB(B8R896lytU;Y)3|i+z%5hUV0DZ>3(3>TxcH$XA%7B z?8f9mB)k)GkxR~FM|Yhj7jL531dPD#LnLC^;I23*|HQ+06N!IyvMl1|`7tJ<|C#kZ z5^@WISqgv=b@tEEuXCfOCyFq-EP>pRa6(PH28QcAq814RNqfTo07S@n54^4k-1lTe zI_V#7@HaB)+k@#kPwb99EKUTjkGYw(9}H%Kpkx$aM3zfCiC$?CwH|6BVGj_`c-=i= z#)5Kh*G)EN8KB!*?him-3;E&R#Pt!$QAC~&!GQmUD#RB-1I(spcC?s_$bV)nE)C}f zY_u~LjEK*}x2IVZnb{gI>a_@Pv<4P7Du@Bf@8y0*(64IxKLAmG-5QRd-JzgfO$lVY zg%F1I|5dRFp<|Kk&{V};K0DS49^A*}UbJ%kzsk?|^Fi09Hob4<9x^cyH@iRN6dLsYrY+!yZ_KoshQr`}#h4&lY()$Uk3 zRyFy4^3@cv*NE+o207C=JvB3bi7P4C6con9Y-w_obj8iQ)m+pE{MVt>1E#|c|1{~j z1H6X4?zD}lK=6l+n)wV`L>dBF_hE)G$|pLwXS*t+0~Dt-O&DDp*87?VBKD`WB{2=m zZL!d3f(;wtcF04RfTIY4RAA@lnc>p+dKEWR+TsC<(1iwWa^B#34?cOfr(t_seVilv z%UO*>I{~w%zz9=;g}lop-h{GuT{LV#B(IOWlAb?^T`10b>`Hw|C$df0LVUL7NV#RY zRUoDG!ItlHK%9$!oFb7&MU@A->OvLcfN21sX#0au1O(m^K zHIhH1agMJ6+~bS(~zS4_8*Gv3Pec1}n$@c8SOdg8J1hM4-=f#AYTH#P@6E zJBcmT=&&GaqS{?9x-o6EeF>GGY=%92V^&P?U-zK)jVNqgW|ZDp2-yI?5Y;Ll>52X> zX+JW;S)ss?mjTJ$)nv9a)R_U2rsUR6wg)I`dqj+ZT&UzhWq+E2|BoP?h^qhYM9|HH z=h+KX*>{=z((=Gbs`tkHkq+PlZz@X$gYiy-Axxz$RWo$=KRr9LCRak7W4GK8)7Q@_1=mDflB?4@3Zg6>`>1+nzHD^!{(R`Wsl| z{fEvBlYwE1KvnlIf{JVIMzVk*{`tj0(SRTFi_awE3F*4 z&*tH87P-o3jK4hi=SwgYab|!}D|o473Xr0(5w2Z6@IFmIz(BSr3qb+W!t^6knH$XA zAnyo79jb<+A1~npl$VYo$)1WBeoAEl*s%5JE?C5 zv!L0@1HLiMy|*)Qr2aF%zDMLZ^4GOY%BGRLZSa%Y=@Xz%alj*?;GLGq^nNRNg|Dfl4l~qg!q`{ib~^%4x>0*-{s4>D;^2O) z(>yM(;-IZQ4KcH{G2-Hb%%aqB6lbPG?bsY=5`+Kw z>?*juVUh_t)ex;)O4(MZLt=h$hr=lefxCGPU_ToZVCLtV$jk;;RZp^n;p6zokRE9| zH3*J;TvSEOT_={%R`#1;YwdN58c&Qn;PVRf<4EN%SnidrMsaZu+ij#z!gr_oHGh$83 zxA#7}13>=zjBy+y495^lcgE2x;F(oPn$XUM0yn6IQjm%K4)Pu(Hk z=7*jXY|O6H=03dNJ60o{9NXk3z1>n8&?tCrf6tkUsPsL ziSo=6bbH2X@t*yZ;o?_;xXCsO2L9gc%4)CU<#F2A^1NTjZtrBKfueQ|q5R;nLxuX9=Qa1?tOr-Zn($@XeYc zg~SrYnvd?qKa?mgZEn)(M3J%2rrF>yFsPmxpP) ztb?zKaYLA!Ru-N%ee3avS;`w;_G$kHP8a=#otlUB9Pq?N5{)|#+T>S65O{3eQq)c0 z?zK?JLZn&VkjGd-?BzhlT=Z~t@>-n0{W-9 zKoi$+^$ONXnHD&02o!alM4CfaM9MB-$h={MRgjIbFFOJ+t2YtS1D=NsuRM#4^^5kTN}!~5 zHLP!a{USE_H7faqNlTTR$>CFI%wuxP==kteiT+4DSrsO@lK~U|n&rYhX!I|A`CAqx z>nc{*&*^J%sSN&D{!HRuLf;27cB5B7+K)K!&eI>aYEIm@nwH<&rNz^Ty+2}BOMjDR zX&QK_cj!|O#X%(>n(mI?he?y5r0XVeXXKgvO7$cJt4nMA0#uR3KOKg|PZ9E_pRn*0 z$$ak{F;vtbGa1<0q3A2k!*CfI@Q9Bchx3O!LTUiu> zHfBljAdL|>(DP3I6NCA0$A%r{#W_@=m{_UT)Iss9st?WOyEyNLG6M1vXwwXi{69Sy zjX~=xF%<}7G^uwc^}7(4I|&&_bwl~g377ubv=Wuq-%s$K- zmP{4MXdvT}HhaP+4;@E6PbcfTOM0S-V8fN5ur^j*OPs3$QK7}*(>zAODdsRz5cS>_ zoG^6<=dX)O15S44+&gf)LNA*o4dI$kyPi%fye!b=Ck8O@}A)jlYuhe0zDqb5Z>X(DaxN66nqp#m!MWn8t+4AUbub`fp%zu zXH6W-r)i#B)o=Ha$p-~gfGY)MgTW!TsPB_Ti=iZb&T#9_EyngHEZ)h~EHQao4PK~Y z<#(*UoC6}(%oiH4rj66@MlQko(LDtXv6B_SV+2XbfD&BMK`>AQ)k$GHBB@FAvS_Hi z(Z^!+w!$plH(4HIIzY})BTJ#~fSkz>+FX%O*E<`%bUj|LXisHG5a+kbpAFcL^8{~1 zFfC%=3VZG1Ga=8{Jtj_UKfukyFrU`TULn zoQNoB*UWsJxg3u4%$SW#$}rQL9a)iOU!k0Gu~daS63cHsVBwoFYI^W2M`+o5?aC=a zl+vf?$j7Y@2i(~+V*zKS>4sh-&WH$LCaJVZ;!1yi`E3#rcK`uwJH=}!1Otu~> zAsUmP4|5Cd*0hTgS6nh11g)D8b$`dOtI1h3M%p!m_VVkNI5Z-Y+x%Tj(n^|)61aWztnO@7b9hd8SqhGzl%y{JN#$IK)f z^hI3q=Zr zoOh(3pg4p{iS;Q9{i0#h{L4HjB%Xl`6UwjEA7xxer&Uzku`#1MYT)|~4xILFv{Nu2Jb z_KAx8sS+-_pp1_-qvqf%X|1bK%TIF>)j|>^WYDK9Qy8=?guE-IgMp!uaoH^%Nmken zP6~0M%F)4iBy4(WImL(90tcotoE}10m2q%j(RAY=;`jMpG z&c$a9%pok+={xZOhr}{DY_EwGnh&_9M<`W7u8$KfIO_y49&qG>7q}qwT?D?rJMxBkMbew^hdS!-**8C|BYGz^P{|iB*!mPk7Wr?U?9kNXDKW-vi9th--Vwh|QZ@Pm&r)C&tNuNp zF%vl^0qz=Eooc99L#@x>8mq|h+!)uslmK^wA>OwfJ^IF)uNaps8R)$|wfbhZ6bz({wS7gU=1Djdk3OIc-8KL!29{*0m#Q6yi7Z3>fmX4oGKCYR|Kv zaYwiP)@0>&_>ONSi9~)?Aw%9Dje$zF8hKJV%n+gE4Jk!A8Q26sEHM4F64UjSdNSSf zl~otqlB(e4RnOu~^0f}CIU+f>f3j6u+Ya}A#7UBG@s4cuC?e!~7FuWWs!mZ(fA3hN1f3C-u`8G=I&fo0t%D}r89b>d=ObreGWVyv*23IaGu*uBpViFi5u`@4lJZX5FVMZ${>^sI+c zp@Nk6ibD|bVW1Gg5GN!p_7pFi09%*J5!>QRWuTw@4X%7nv;X$CczvqYo?)ih>wz{O zc#Y57xTp=(z?KddV?X?oGC2aStesuFTi$aZ2AO{bP= z)#~lL=UrQEv%}wiso&u#gQ7*E=7r{s3wk$L%^O&)3v^L?Y|x4+byrcfv``pz%WCU7 zF{bF=PkcH%+3nGUdF=kxKjcH(cHp-Aps9bwWrfF3<8_PW3SMsDU9xy2B^U#o@E3-i zth5>1(8a~a9F;&Q9FsgSZ)j|Zke4V2Igs`%)2qSJI%(;gtJ~Mw-)&qbu_qj=K5z4f zJ<{4f{~?-A%)5%tcN<<-Dp zOvte*-7RVqN`MV7VSWq5x!wJtk<>THL_2LH`Q3uf>s_QI-v1cL-?>W(fVEEVUm3-z zWkC!j_5U;!D50!;gfcwRUyCePcI-PLa{+^tY3##cX1z$K6e$54O zr<7dspX9?aQSJ9hQ-$t~En&E#fT@R+Mj)}6S7#5M#v^OMcZ#GdFkB&ulow~>Z&YhC z9UY&+Bri+YP*rG<^VMQmUvPf$*JC#C3~geoi~AwJ_jTHGjhF>|;Qa~tzgQth1MA3# zBjw5w#0ma%TIIVxnnLgkCAL;cHV56)KGnn7nc!<$@b4+DKC-!&3H*ecnsMaX4Vqpk zIA!^44vG&_a1aZ{HgEOs-oObHm0&qiC;M-}Z3D>png^$ot=P$(kEPAfJ)>+rytoKK zhlNDEYf#I@hSDgQHuoOKnwA7vRa?x3_+D6Ib1gGviMqp!)U96~|Iuj=3YaZ3@jbp< zPeO=!DaQRWK6+k3QkE0~X}%U34%F2tNSj@aK8I;D8+Fb%q-e-P&C>Nb%S)&Q-z4tpc0(*K0#|hF^zflOhC|EYwN@H%@?_!a zH(VE}tOKiOqF{wzIXcF`+AdxbAu}Y?9bB{3y&yeiO=jKWDiB=lZFuvR@1WuB!?8W@ z$gDK^&VJgA6{VUMa&eJ#7~rBTwuBN(@5g{W`N<46l38AHtNCt8Q+++g zN?-dc407kqAIJAJ;44$N0s{YQo47$^i^jHItW-A$Gl%a4?6?QfIR8Hz@1ew!>*bXV zg!5~}R?i8V<9ueA#`~`>&=6ga2lc#v2$r$r=}+mS0ni0??tgXht$mL%w*H869(DX-8XMLZwS`%?Fri83<$a4|JTGp z@f)mnO;h^Ev=l(^+gV)Ou}oOf5*E-#g@%K5buzGXeX5lI0HrGmKNQg>(sV&cRRIXN z4&mZiG6I#1CvYI(I|820TV`^{1Puu{3h$3_)FR}s7TSHt&yQ%_^Ro}7-UFieiue@S zgfb|+eBjb?g?9ev-_3?GB!css$S)o)Hkv9bg0E0a_-DYq5wZ)FdZXGg^tG-j7I}sm8#6SML{w zbpXoADZ|1!FT?h~A3|VP{y(w%8zr`$c7EYMA#aDVv#+GMZ?IIIM$DVhmqXzqjKHJK zf8wzZliXRN^S?k0<~2<4YdIlysjA#&b{lsA#jn8=!E|W@vR1A)bpHq)g>(m{VCGfneU;o%O z)8YW9VQ$_ zls)HCiygTdRP##mqaL4}Lvc}*#1$Mvb2!+RU$KCX(pR0##J3ckRzF0>kRqeRcL$n)A zIi~xL*ELzUgrtu@x7)X_)=}h&Jt+ zXd|&)vS492#-^U0lx&xOPbSAq%wjSusdxX>_*VV*2bt|ZN#5*E->o>EA@Qmmt?M=y zf4Zk;J9t4s{IzLeXm&tcomjv08n zw|1j;Hy-J|em_3!i~ePit>bDds7h?`JnL}|hmn5QY0mSZOP=HIDxYra^@laZ;oyz6 zR=nVWAK-;WlDB#pXi!y3+9#1|b37AX0t^DNWxS-z0Yh`%=6mOQG`lsmOF9Q^qY-7f z18vmqB5$Uz+_4B8UI{lCy2Lh0hFZ`??-@9HIErtdQ9syL`#f3XNTE2NzR@+I-P=s0 zm_ik@R|n7-XH~sBT^w9+&g0hPof7O;2)~vlMqZEtTFy2HrcexF6>pH3m&^Ml zJV!?awfyC2*?1QDQdcdy@c`$idTNdKQC~~tO5#xWosdYhWUMx9i%0U2E|~2*Bs{Om zU~b&lB-!8MCpM(^QQE}!6h2BldeZ~ZpFu|2kvO`2ha{vs{sDy$s-p07y}oLUNB++h zP8Ul}aSETPqr_Gh*9r69L#ca><*zNNyE4x+g8yirCm?*&)?)&vv^&7sHVwV%iELt# z9Fw&G-+f}+0!AXAEYEWKcBZbMT5jxwun$ca4b9ziTY}mS zn&sX`mg`h*2x4#@>Ugo4)zfa|BVo-r7>6BU?wBtbt(k^?wX<78F6B(?zSJMGujCCE zYR7$mABU^3{;kZWGu%W&ES)lAKJdFg#Yg_Od0)==RTypBZSOoQiDWHh$&1Z%zGbfl zU!7$PcvViwG?Mx#)X9zR@E+u<1$$+Ul0Wn&U%OM1fKHE3{!vzk`3Z%5K%Du0^xjIE zQqPm5JA(1wkrc)wQM%wGx8}CC2bC#yA8EYEqk#>=u@c+VoYP=R=!sAmlk2ygnAWXkWQ+5yyzx}Y$}OYUCNcZhVM+>D<~bZn72(?6 z53-z3XwR`8`JhV5O{ZsB^I#U@`RQfGkyjwyGowZCJ7XH1Z1y}vyQpzv5i@WxsFPj@ z(%By))0FbnOCLB8Jk@<%xkw@pv0ZH~=0s&ynD{~NyPnODyniL?>Tr+X0_P2DNM^nC zz--9mf?iQjAo4viMdc^a3CL<5NDAwa;g8bCRxlfSS?YUYq`uzd7{{o|M99S0@N(v_ zLD-2#+$Q&fP@SDFg@S&Lv{(6cORAvsTU9I@G}w?q+ZEgm0BY=s6@OW2Vf^Sb8FI0R zSFsBJ^s}5-$ayx#v0>{=X}Nxh=-KgFUMMl)ZGSx4?!rD{gH8=KCr$=t${%G>xwri3 zpJXp~RF)4xlI~b{KiJmi1Oh3q!XarJ_F5^9k zC@$XlkW**QyhHr#<`J`Vrc?4n|EF;?OBZme2BRX=74r=^Wfp-TFLK)j8a4MGAMBq-OzAEs;!_!?)K@~;JC3*wbn z@O5j;Bi$OhELQUiHz<gYwtou2+QB)rwo?7g{k+H|`xEPH z!g{|aa82tz?ki1j9PZo~ujPC_tUlpI@hd1Jc z)SpvoJw;+Lk5oJTeoXvB!X$!TKjMv5Rs6m07X&d&6Z;McvE%gBk*)+$r1!`2Sm{3v zdAESKIk^ajH6s)0q0w7ec76~kvfFuIKxsrkB|oGcWj^74u=z*L-tEsjk;=NoEU`v) zzNC)?9a(#~!^`_I$r1c`+n)}Q;_VRjoCl5wUrbQf0euhn8y7exug~>gMd*lreIVa0 zH|558R-kioe?r!5_Bp&}+&X=HN%nJss;AJe5=~ZdnlKWo_X(DU-GsURTcJ=ZyRvBd zzQh6D6NP=1iHz7*S3mJv6MdwqWxwsE2+aaJNFwQ-aZgRp_h@SF+(|Q&9`O2rOIE^LU^t?xs-&oI;5f4F=!b8KKAmn{}0v8k~fuzkLcZL2O{X>|5(d%=BrGo>kOTSYL|U8OzJ4o>S7y>K^a) zpdhSu^~M^CBz+xtH7^*n#rZwY&vlc;-H=%+K60@;o7w;CXjRE4CwZ3x_wDCpxTrY~ zrHr!(Z-;!iW%wwu^}u_3U?iD!@zMe|^VbzH$~ahW_E3 zS4_|K@1!0@nDRlkw}Hd(aA+^E5Y*V3pX}%A1GF*V1_eo{h3DitKDND<47eakt0?}V zLKrwdS&zCA{k7uCJ}m|BK;D&L*uplA?Ds6o^;tRrDQ-eQzFs7SN$F0GHwm(bX7M|c z+2K25eU$mTZUMiCeyVzJNQc<;ywFLxuSg|R6_PNAAZPriAm=~L) zljN2xlI@SY#hPb+RW0~V_aiEL{q>7^QXK|!RueYsb=*3SlyPAUKQaALG-#aFNE|E* z7oF4)TbqZ}FXZh$a*Q}UOAy||@#)NY?3NxHBxe?xLlr|l?xn<6<;WciZSJA=(O$b| zq<0MR3Uj|Iq;*0GXsjM6rf+|tp8NSuSUTJC{rUMvl>X%%jLa5a)EBl~mi1c5le1_C z(g$he{pk&vg-covW7GCl+7(BdmAt|cMPnY~{#Qh_*`^!6ilbn;r$3ygL&C!3Q@Bis zo?}hSPweY+mW3}K6*9cHw<;FDO`;+v=&H;*35(7dX*pi$-S2;xTod6_8QLEe71ii_ zDjJ{D7WrU#I^(kJHQ`>>+CcB>o@7Uzm zFC^XSzl5BRyrd$(>z<6o_aYVja=NgDT-5gc{re<^8|f}2P?ylB=pVael~r|ERB5?B zo)|3*zqO;He&T0rgP{U zr~o!_ertSAf8M1BQP3-=mD?a{ruay+Dj%#0Y%Y44c z!nJ79BZRC*)Zkjk(?xQv-&mg;d%r#^-FtJ&f65O;dh=4=CqqAc*jH| zkzIjE{mEjI79KReE^*-?Yj`c{YQz0Y61T?|MePD7-H_R;whHan@tv=~k+c+*ZDc$N zT!SFLf;CSvCGHR`GEL{7+L_v%eng3FyeP=PuDb4F^W6GMx&QbI`TiY;DKDgKzxGcl zZXI7MiX0gGR`;(hJ5MOshx@t(Ko(-la}lGk#7b6rd)7=2?Vz)f@V%h9vKgZ}>*Vi|T@!vwyU}K6gVP~f zMYTBUk+ibHC|J|UwinJ-pnEd`ZwjfR$=k@glhw9WIMDY#mQ9AfTghmcCY5(F2^qd^ zYdmKBTpvEA8y;n^Y_p&Gd0{ZY1_fs{A-6U!L?5kMm+`*G`={^TPm&a1OPQHJcVv?- z2x!|QHwn7SF`fTSa77g=s=$gqy z7kIwWjE(Aew$U+hphx`Ui!xzVB)1oo{di3?D-C}p5dBHeObYa zCyT=V%ib3ddi2HXCvDxbJ7vHO9<&f>!Yh z`C{XgkAhja4V^OQ#2dJmaM-}{1FyK}dlKJg6PNU+v* z&lVA}SZ72Qt}KBJ`Dfq?_M@A02-~D`ehAW@EJ5}YzqlRL?np9zLglRg$x(-tn1L`7`;hg@HH(YS_xjfv#u{wXR_X`~#7>1tqaUc>Mo{^u)f zv?R2gI)Y#wv|}z%^^@^qytTQuAu-YkLvJ%>=(QGjS~|=Txi&5(E(K0ciF9(%{R+T= zr7;9y%YfYAlL!VC6P7;JiLLrOD>$hsXdoptJPsSg2^)-nADX;p?EBh_MNw;uCfIM4 zDE;m8kM^}aGBb7MC9%GM>7TT0A&TWYzxRh6@jv~R6V=TYps!=!i)(+AZXdRW%%)Mn z+s=Lv9$Du2o1(@cc>QlG?1y|T7Hpi)Bww?hImlSo$OyOv%L^mR8ECDg;X2lLDDPNa zIo@w*TATUw!h^Oz)4zW}*jA5u>95LhW>Q{A5r=CI=}tw>Ml0Y}%dp|BJM-`p_q#ii zkDp<+mX3lv^Fh>#?ScTezkg{%5hUlHuR-!`yJN4EQFV@eg_T$x7OphKHd!oWJg zU&YNxl%Tlma_@2ce)A8W+s=Jvs!(r&iX)z9iYuWA5PpCQ-JK(NJ!-@PS~N?@&dkEXQbJ+L!i0Rq36aVZeT2M~8_FqRS6JQNBafR4F2 z^u>=;yLJbvD)7*#W)R%gzVKSU?D+vqVkRw69mjwr4YJ4VocU`O`DWo73FX0CdAS^A zqMQqD{msU`@?}8hPd_qmAfR_U)$IlRANpRMrD}t2UD;T-oxPZ_r^SAKDO#l z?^AN51^PLHTw75Ghl`J{2S_0p7W1WarZNOQ?G@ZLX2G$s0FgLd!O8J75=6UI5fU%x0Zn@E~1R;*^wVy2*gJX?F*>?>=GsH=LfEzea@ zOi3mqWW0Uifxbz0?&r+#fPo(YSKeGTLupCLDC!$pA~W>< zuyX)5gBHoz$uOI1AP1h%<0>TA4f2E`nbY$x$GvP@b-OQ@$~`5a}EkS2-nQ zQzdmuH*|b^bWpV6xBD)=wnA)+zjrW8C(<=H&WyxB8mB<}{tf3?W zJPhcieg=TOf~$dqiDEvmsxw9Up8xU_`I}cDIQ#EwYJ_xWh>rV=fwYJi_Zc_KcxL8m zlow9GfUJ^AP|a7M-EJ3cuwgJdA?^4C4INy_Bmyb?BcuA7dL@eERp>f+KKcl zPEy^(z0z_#rQJ2`o#MQ&8*yhf#vOUc)?%Cr)vq4M;kbaKPFiMKvM$OsEcEypQ#V1o zz6$!whvvKRD_ssfzwMcNW>h4_{JMEeqKB*n*EYZC{&5;V@wH6= zCc;!Tzkj8P=46wQCCTGq7UuPBjS}ou%SEv3Z4@R3a4WOZ+|=4fQ>g*;Bbd+4T>M%o zSSJ`G6p|#p0+VJmmrFl>{))xI(Q?NyY3AJLtX8>R_=`khtrW>bYCC3`$E8Fe{gk0J zEI=F(hNh4tAd24A$-i3f{E5KEc=Pkx6JVJ?` zNL9>W5r{F34-u)npn@y=_O!!L;19falyu zpXHDP&k~VjtzK7^A?2k|Iori-nbj~bASA_e_g+2SSOG4PAi(*0j)Im30kj%c)7?mQ z2{J#hJ4~7>QYK^g+7wbBn3U{Maf{Eb=w@b6$c)KSF5B3hdTVAZOotlQ3|K{LjeHmg zsIU_0lz(qVzxLiPnMYjYZNi)41s`>6DiZ^d&fu<4^yxrlq?O%+ME++=m_U7VCd5_|7Z?A!sAZN;J(vq)QUFaKD7jfTx;NWtr`c{C2$Jy<_v7PQDY{5LzxPLxJ} zEqX1u6Gvzd(qJBOUcaS&GxUND+i;t;D31s*s5f#!olKDwj%AKM z4iJ`^>S&>Sm8Wo)&}biM2kYJE4fCd+JZai3MUz)tw7g~I-ItALUvmatMGMrAgq0^} z^+cNPP}au|4+pEtby50Uu7U#{A#FM|Ee8rDJD+sm5WEZBBfqTr%C^LxDSe&VUJc{a zx=e(5(1Bz4&EpBUuc^hs*e~H}tY@D*shYglzlPl~_W@xJE-<7PQ`lIl$=H-R*IzFW zuYdF9c6`x8A!8Py%j9pup(Y7z#>@M$-b@s(T5Ja?W3&_A&wuS53VJ`cc^LU>{Ge>~ zyJvuWah;teN~qGdf`<>ei^5S|b=-VGf9Kgeg-D0i4x*EBBOItTlm=NpD z_o=7vC)GX%Ba-uHo;pWHuCtY3A1<1rgsc5ukhL_(3UtaNkxNdmZ3ZpU(UucW^=>pZ zT2vjiPD?4j^uvmCPaTI(DlG6p8BgBZu1Wlqa`y5L>huAhY7eDF1!G#nJqMae6oP>Y zAsma##>}){AtI^8A7doFhTNq9TnPL0y%VANTAY3(5}Y2fWDqFUm`a;XiSy&iD6}>>l&yxBZCtJ+}&l z4KZMcI6ukKr|3s%aOw5bEZN5<{Zz&5& zgU>)@TEo7TpAeMRig6!b<#J>}xF$#ignfWp)(n8?;s~CEd&|0o9^xizh}T8zVkwhk zh~}yy66WkP{wHm(;1rH~3E9xRU|Q;--Z>;w(B)tltyHQSmHy!F93x?FvCifdoi~9! zS;zwdwiVTPdW*P02=Wccb876W8ffbboKQjq<`ul0tM8t&g1N&&e!8JT2V8bup4Fz? zvhvTN_v|!P<~YKMa@jo>Tfd1GmX^SON)kw-=kl;6xQNgxG~CzR zvw4H7Ls`Rc>Xo$A)zw3=zV#Ab`;bf@Pr0k%-gLCXLkv$79tOLQ~ zShl$Zy8DH|hrLWv8B`m%5#OYM>KA@13#jp=W-(2hw^TZ5Fhs_OIL9aCSN!@&qBiXd zA>eZ^CY=2S%4F~VsqX^sE2L0=yY67}Kpl5*YM}fLgeV_$ zXp4vdYkzDtw`_hVZ+wTyfBvWcMnimm6JoyOa91S90>F-r=#4H-RVEh8uZ+RJ?VSIs za7Q`w>){cZNYE*|?RvDZ{!l4ulfx0y3Rk&^OL&5o+v~@&JITMUAco)#P8i+ji)eud z|2o?1CP*XqU^;^6zvps^i_nnvvu}eVYX}{8C}>t5oj+3QH5ahDjm`}=2}HENqQ$pz z>(6$>-uqbjTANy&ZNw+Ugv6A8xHve6?rld53UvIufKvQzMIc$NisD8E!+%akp?ZWi znBa%UjIX^i8A74g?jrGr9MH2N!_*H7t;cUwCa?C3c{` z=E41c4{a!QX}!JxO}p?dGGBSIe#Ugf8UpP%! zpc^#aJ7_(jxJu^*xSb@T_$8pgp?A01#*RGsvC3r_rx^73$&9A`-JOP8hbLvrhbp@d zJ0t1Mdea`C!qqB_bc~i7ZG*yo>-_R~xXNUvLmVu8`I&#FJUB-r9uXGk(4IldTU)Mb z6`bwvA4Af3{<~V>%PceE5r2J5e%d$H<|VXdheuKuvX4P@+d=vIeovOOz-=Iagba20 zxTK@qs|Srb9vqVK)-ii0(ZDVktnB=^)irA$=HI#`(^Og z>HOm^H)Osmp0N$|8yEBXA9tP-i-im~GjN?O7@M5w(VB}P1G%_UmMYM-7AK_nT60sk zUC&3zp%HSaS;Ax`T{j)j{HI~~8u;fETa94C;Ctrt)-KHYBW(O-6c;J)sYN)TkFN6* ze0H=z+yUWUjbOofBF_YMC5HDn@)?}^l3IMLOS9aDBkF>poWs&rCEtEWm87tc2%+E2n1$jfRg)@AN=XO_M91qs2_(u2 z;4_#HRkqNoV?2dj@2Ti-kuSwVW>Yo%fX{%+_t32l54O1ELp zve zp2BY|Wd8qPA>U?Dbia1A{a-(JmzIDz%&(@#P`m#LNqp1%UqBL)yXx5N3rfM2k~HE&HaGL z+MK8F|H)0&60(Eq>BM-JVxdGBGl}AqNXa9K3 z?iz2ppl|Endyd)_ST{4-XLgFEx&#JjU`WC zw5%Y>&Y0OOTfuY3jV>DUZn8@2a=?UwUC%emi=(w#TrL4!;XGd!_FA= z?8+8f!G-n~T6Y)ha2TZ|uuv9o(hi-y*-{VG-}(kTUvQxJctMV^MJh`&0o2_fg*T08 zwBbvxr=>6{==wJ?%1uS77wvoZ;3K^P_dY8ll{29E>Iu zv-Hg~4QZlyE(E1*d7pd1cq1A=%;Cg(9q5 zo7#)#hud+`I0XX2;OV;`YtPpi(!|z8AEX1uQ;>|XNwW`pn0hLn#T5RDT8Qpa>a3e- zIPePi7=tQ_#2$2_q>^e<8R**c`M!Z%3W%rihp;ow4{ zX>ZZv77S6iSf*GO#Xy9DH}@sbH@30Q_1N1}+vPJQBqiy`aGL|@qxSk#%Z%4|y!4mw zkJ{W{>-(P>b=n|btyhN7X0OUTEQJ89*aY#FW~gAtFdMZfq0IMZk-VEJk$M6hRr;1n zFz21q6~(cd^S2Xlo}$YBK1{c5v|i6}O|~(_gd?OnO<4T& zk`L}$MjPcGVK5QJ3x!fXynno@Lw&iykWW+=Z}eRN43~{Ui%<&dg=+@SUWI*IPC4qX zGzl^m7MAr=JKntQYT}|^rKM=2SyH*!tUqw@Ws_~7lad;iQ8TUSt zcU+;K_89jyFD6RdA{}Qc`Aiz9O*sOaLXPq zNBk-vHu)3T#)&&Z$|!umTj0>rW22s`QSAX{dhGf3!i>(M4E`sm1)`%7#Y1GC`cj5P z55I@gr6A}itk^yWidUF#v0m|~)TTvp5z8>RhH-6q@^-!5+;*PWOe@<&fxe$8E;J#R zN%+EbwIh`j)OGA$4?kkb*t36`zsQ+>!W98=dAQXFv}J zkxSKKMr{I~CnVRnTHC%r^`Cpj6){qo#}4-8Bb}}4yu86Y886+Z zcoG;L(h0$vnn07?uS;^qvFw)t$xphpZ3VXBdg{YHr((M1W6(#m9Sh2jTd977a^YQKVcDJ#aU3_W<&|Zy~J{?{I8z-_bi8aD3sU z8+&&Bp{vF8+;e~U#_pjwr>DLglPDdPrd-ySk1p@x&Pfd>}iV4nc38L_3vd*THR( zL;b3Xu`t)-!~cS&z=5KfnBxtR3F#|4t(<%^c5ILX8i>yTSe!Dg*Uqh>rMh?~kA0z{ zluViX*M#3qmMdwEX41sGXe+)&Clm)lqVK%H=c?UDgAubiD99J68L02rLHmC%#HouN z=wt$YzpYB06-BJUgsiVl?9M){4Qo7EvLXx$08#{jc3xW?Av{Q|eJU+7VK~%p~}M!T-HJW_BQ!7xE%c zW7_+Oy~yITNT^)8;Sat1I@M&;K__-@kR{LlE#Urq)icrpPvjSGWlKn8fzY7rK(GZv zNGapofoNwdFKUxlS&3pXy}TJO#vg(vUa1iKT=NvbnxL-O#+2-aJ#$wtri`DZu&>-% zKwU05^X9|(p06|AMlHI%Axlgdi{Kwk9LUphc-;)BQ3gK=z+vOVH$?m}=|!JAsyUm* zzT?HZuK>cCa=&>yFBYd!j#kfS+`$1d}d|bo_K#1<0Y_qs?2H9)X!tAH?!&oK3EnX0-yreNY#jLeYT? zTfsI~IC?s9MZe&oE(c?VCX%8i0{-E?LWc^Ts*>?PfeW3;$0+2xQTy=b7o==C0n=?H8M|-Y zwaP66@{KfSh24&#Fn9%t1X>byR++Xiqka{g@m^38Y_#0va5Jgq2D%i^B^TL(Z9|=f zOTK3^dm>e3FN2nQ!ru&dRI>S zstJwKD(1+TkWK0L&k}UqqEy3IEz<-N)#bVLi`0b_iDO#0(Vqm804#Xk?Y{ML^IM%q z(6rf=yi(M8*rd*M;?=L=CKj^FSfsbnphi3-sV2R)P(MnV!u!;@o5fe%?T?Uu+G2kHA$*JEuo|BkLoS24u(6@k zdtWBh)Y06`)Mu%B%9oZ~`TYE}4;4k#CnXJQGNHZ_e^D07e^VCENIIt~U!1}ktb$J4 zzkTSiH3o3>-J*$9e5GF8JhJiGgizdlQC4LJQs)AjXHx0v>(XYdf8jw2gF+Aoe!a>V zf<8-xqk8RN2<5fn z7kD4=m1ztYvVP!w6zUaBdjJ#~YQRxr60{i(vdb_wN`x;(OK}V>4tBv{!ZduN;q}AG zKM0y`OoB35Fr5}+P5{QOG*{~|SY`~4+lTB*_}N^fKIM0&7=IDPgA(NiGTZ+KwZ3|h zl>t=T8YXdhHzt(Mv%g{wAIT@+fjkly*fHE&B##}}h~_*q#1_!@jEwhBVD01apWju{JZo=}(y zqX3|wppOZpEw+klCS)10Vl-QgThVQjj4Dg1a> z`;dM2yPMfsPw({>C!q$1fGo5>kf_#z6VwR?j0z}1r-UxK zwqjUvX{lyM-4;zb9~tD_rq&TdL(P{e;MX1>j5d!$bH;_1B!A7jt$ZNs4@$n(fMEB? z#RANB=cM6NDbFk%EXd>U-QyDEo$Sy>NPU3XJ!2CJkc@X1T-`}pwmx{ygsg-XOqCT( zhVEqhMBa^F%!*|GQ>fNi+1FL#^CmyeGBs52uQ;e|1Xvf;7~gxaaGNH>Q?tZWmOR=| z#*SMxVJI2bJXR>uIf(bJpu0t&(H!Lw7Y^*1 zr8tv3l-=mzE69QkaAr9HzQAt<(EdjLn^hxzt9gcP0*fzHM7YWL!9t&qtGAjA%kkWy z3MFD`eoQjs^y7fAAcesJsz2Q8jy2V3VdsjCg|YKuhA(n|G+K@!li~GU>KA_)#l684 zd3U5!Nxp#ab4BCHqRMP_5<+?m>D83teI{q~Utl2P(;^Dq6BA1-qN_Xi*GuAl+57m| z`MqeQv(^YIaGFniZL6UW?~VFrrn={~0N1RtSoq5n_WnySUaxbfWu;GYhIPN0_5^F5 z#_*VjOudS7HHbPi;!iYWUBUN78d6(^pB^dsX)&48n9KqV!);EXkGzH8$=oHLFbDEJ zf%kEvda(ph#9$6oI(Uld`DlmMd++71miY5{LzE8uI)-}76eR>6n;>;H`;Zv31AzQ_ zwjEuyX+pPT_fZm;N4>m{ox63`@{)x`*6_30`X`o|g*E#zmuGlYZA5!)YFe*U^p^b|jv%gtQ277r;u1lL$ z(QoOa9(No1?rtf`*W!3==af7?B`3`I?^H15EyIdz>VDf*zXwgNslqXGD7dYXe7C#0 zScWaosA#GyIJvEG%{Y0!i8% zB!XYjM#4{p7{i60g+o3Nn#Y5l$3rsGUiH1~fbv*^o`^=I6a97y$t6^+M&mjM@j4Ep zS&6BsOLjDE$a0DzWyYAJ9F)ag z?fX*+oE%;+SAn7IMQT<;(R;jSuv*pI*SEb=@IFU%=tPsV?+2aHg4!psn`0I>HbYoX zk0(29N=;iG-iTvd+`B7oVxopqQ%*3W+%__xp+>DEa(r&Gsfa)=7a22aFA*lynLO|k z;zcm{D`MXr8#LpfK99xq?XcPv3nwnB=^UE|wtT@=sQu0r_7!x@O>xc9&(2 zyw?8p^;~{-?YURsehMrpGRyV2@?1$U&yBn>5~x`I1nZXTlz}ja2jb^Hsf`~xPJ)#X zJFFw$-rx*zJWH7q&6UJ4wKqOP1j)G?Y=XDzO1X8|-d>9x?YqBEpRi6qS#H5O5p&ZGXH^@N78(3z#g&ODq^Ab(IJF zungsmhyal~^ip_A7uUS4cICR1!5K7mjocp10UF4VBr zx$K=5p2VX^fIc9D+g<2i;!Lv=i!1UyBa zlZ31+fj5`CLt{t}^doEKWeW9*?&Ugi>vE+IR7hSOCG{LQ8#sO5?sy9?Sx;@>{a2Jz z(gU(|N)1G8N+kAM&fJ`6TZx$C57@hB%=n)QiA_X`XfJJw`gmA|gGR(ME!yZfq2;pL z0u+2k70Ii54MZ&KJ}pN9-cyP6?yye`99D&}6_1ktC~HLf%=(%3P!*dMvD^E1_~ftk z8O9R15`J^%W}NX>f%sN6WUD!YeU}ZJ837unuRy3>aN^(xGyoJC0&H+7{K{^4p$pU} z#J2PW%b!(F*$E<4`c8{@V`AmiC7^~H`OQ_|EXW^$E_=wC8jR^PR84X$8Mi#OA>=Z^ zbz3d(QRX(EZv&Lf;3O;_WiV~ra!I)r!Yx>yM9|&fdNK!_lz;L8dq;HOoD04MI?P|e z?d#uqUeDiX`JOJkulQjqnu=ZMd7cv5*)?(z-jf`!qdLTs?9esm?JO#=xYnqA8hDKL zz-SuQ328#m471)X?Z{EWMxONp3}L5*09hrE@3W8b9Gh{Q|8PCgkR$;(w*0Tc-C{wR z`kL~bm%czf(#7YlAl&DcPnYO8ik>35dRuMuV+vB|&RKH&l1`!Kk?UoUHAMv;t2hPkG{Em*v(mq3?za1cJ+h_MWZ0pdwqR(|yBPZ*B`3rh%h z~n|&0q-w`w!z;niY!7%Jqiy{ozeRZ<|S?^V?%Pe>B>Vj zwZkps(;%iM8+h6f@io2Y{1X?d_b@1BDl%8mm6ZC#3$C?Xji!)tE24Qy)E?hiYt*K! z=3y6fd;sru>6n3emLkBQIrTzD)ho6g`*lL$Wra zR;=8X7bSez5(njvX<>FsOS!aHX!Kqlm{y#O>nGvuM^~BeD4_OiD#z}eIDSSY6$;HX zAIlIw{+2?q3p>CDp}iY|Mhw)5bFff6;pPS7-mm*!O(L5l}C9nXmLplO_tqGYa^TN#~Kv zFKL#nJ1BJp(k7*Ponjp3)ZZ6LR@)#=M!utWrIiRu8nAnlI>3bFoUmtxGE7`tTue+%jw7pb$&uu2k#Y+AUf=`q-{=SvsNC3ALRz|a z^#1+%!qHFb{IcY6(M^9?w%h*N{Zl5rmdFziG{dRuI_|;h zyb0LZA^VT~A+5)e=irb)RRjEJm_}J90|hS}8E)3+-hw@rp>$|fM(vo_Mz}#!)3}B{ zNGfV7pz)E6C(jc^wVl7grZxr_^db4}#BZG42ryKe=)u|3L z%P8mj!71-J%CE@s0wwE@q=g$&H=~gzj>5^ zfAT0y|HY$}h57Jk6gi~zy`SHdl1BLpNol|R@@rR45~`-e=XC!QPR%tOX1<|82J<_l z3G1?1%}ui`a^nF;Pxs?!?Q5y-W;w>4;@zCYiiU5tEA7Fn@KFZCO`EjpxQKAaVU-Kt z#dWtVB8jYiEw^W0uN25_TK45g|5G?`8gSZLo~LK*EhdT^g6aMnHtU0Wo=YZ_QF@o{ z5HruR;Lb!@)a%Bd3o$mGZEf6Q>~_UH@crzba0icLCwGTLG%d$f)gLI65AO6|&i4(1x0CP}(VV=*7=I8S%OH_0CJw=hu2 z8@9Uyc&7NIF`E4&M#?Pid{Fg#d)_?qHPL~IbULOjPp9-@2?YW5F+kL&nLXme4^3au zYs;Y-%y`V|^G%_qHv69Vs&`<2n%*Y7p|5SjV`0_}?+_b%4He)3z;`ync4=MkyX$px zDKC{#IW}*FHn~jrtZt2;mSOEbzgf9RoIf1dT}MAH2qWIJje5cMMBQR*Y8)in_i6L{ zghW7pP>t1N`l(occclG?eWqr;bHutUI)rv4xf-L83{k5nmd%jp2Dog8c2}+ z7%Nw(6_g1IHqS3UI>Pe}5^y#0$y(`v9jBHu-&W<{B?51AU1YHTT?j`4E`%GKtrr0= z`@KK%|bqx_KJim>u-wjRB~B3*XfpTUQO&Vye2 z#1I^t6o+vA((2$PsegE*xe=9GT0{Pz8i_>EK#Ag!(b}>6gEeU` zPrCGn$n7i1El71%M9nyz^Xj26sxV zf`)4I^=Gv?72ol5AQ`lrb(-DTmLsIxu*y5((sfC4;t?#k;mMzb~v+qJ( z*$6->Ku_``ASMMvG-6?|&g>z(!`rkOKAl9Q{%KZz&zuA{Z)b`*I%XXxU`bp88J0$| z6?Byjo?sulZUJ}HF$Y>&>OFgEWKEAP`LDlUtZfOc46M7v!xN*`hWjn$>Artd zeXBB{CoM)eo9OnbH79i^I$#Iz7|};4xT(mzIuf{?2!w&N3r4RuoNQzV5Bwux+uZ*s z6Z`m9CboG8l+t|bLtFWeJ~V<<-`Ih--{~3J~Y(fK+ zX2KU7mRoG_{s0}$7HF*0dRPUQ9mOB;TxwfIvPN59qSOjbH%RTtn9#A%4Yy_pYC8?X zjDkbHzqtjCA!5c52KQh%^q@Z0D`r0QV{VMELn*{1AgJ%)0Ieb-{7%<_0eSpTMPg8P zD}E_<3Q~pKeqVI_RLdZY*sp2qtWa8=<-oZ!oMoqjXtT9SDgev7aqZrz_&q>&OlKjZ zr5XY|%}W$G_l;A5S6APaQDS6ZXy`Aqe7m(&-oo~HG+P?=($-vj{Eiohx$HvHTc7SK zXkkN@ASyh?*4FZ~@VP22B_QVH1EBdxKt$lm?Cd5`lyycvd>MJEtYM@g!ZN4@xydJZ3?$y>g-#k6)c z2q37d)2iM(_S<))SS1IS*!2_JuRW8-WN?{6z~6NqRR2}y5g`t+AqVGj-5YqxdR>iK;A@VIVyO`m3fWWK^ z`fG1fp9)Q0Vqg4wA6^{~*c#5lHfIc@|BsPs;Bd zHZre#^gU#uslf)a1voT?yktltz*K;MFPVE$mtBl`nf=dh4r);3o!qBkAWK3ZkfT?x z^?(!y$y@VUZn273C9KAZ>L+2cXi0cCbCX44glMO{anF;9m3)amGMe?P*mlEnA#qo* zyU-X4rs{|7|BrwpEX)Sb$?w<=j17?J&!6uXggwREl9B)Qbq91y+N5IUG+X4F2$g z8{a+%tj*vyu$fUy*R*kPE*lSkyi>2Q-W;DP3H#0lW!L#YH~EZ zuXFf%tOM(Yt%k>Ejwx>6xY1Scv9Ca!u1Q^?_NY70DY)u}tUy1vJDy@f%h!q|Ga zZQZmn{m`834A3ZRX8d}uzl}ffk z%IorUBl0^Uj=W479fW9qm^8SpW~RY1zOwlvuG^2YpM% z?-yOkoIxCK__~QDp2mS#k%0t%!QeG$i%m?OWwRzVqZf;NHH=&Vjcw|m>y6#_C3Pvq zOpZBs-f)x(f^vcBb^sBMG?Gwdrqs~ndjw@-0!ci?=)g?pK7{^~D_ICu(QDu9gOhNw z%a}8hQe&?}Xr2tt95utQDu4)qgLeP~U6NWTg3A!ccYiwMt*_fhJP^AZxA4^)b5Pcv zO@Kfp9NZES=}p!of9y#*!SCD(ScN{ZFZO>N*bzI6GdW@Oe`q9c=AkOZpj4JY;$L%G zLExtbiBPP0jGZ3HIPCNa?5{Z5C!ASGojo_r$$s+bttWY|nahV{(VO$`137F=%N zC`8+Da4)}Z;DB;)_bDN{I17AFBYdG#A4W5hrAgQ^2$3THO0NCoP6b5;XzYiE9Sdys zMAq5={P9!YFK)iMjGla4A0#-LDCf*gW!C7Ao_wb{#DbT4#7tK}AbZ$;4O{%rIzmT& zFA0dzpz;=0;~C=}`|+?gEmiW*Pj|aX?<#7$N2f`xu={_tXnbYB4~yeBZxXEA_T!%L z;}=hne2uIH#p7FG+dz!gUHMK}`A0HRPp3X4mvF`H%^)vAN4eN_hvs{2>>j}k)& z=M;E!Y>GaL!ulEnR)-_{uzHLbr>@~2JO+MapMzitQi;)>;14kKnnR8(mNrVL*;JR4tp5>RL)X~jxArmtUHX!$O_{++Mbp>q25}1m%W#gv)`eFSW_2pNrB(p2snB|P z+vd*UHJUc7@FNpfD}L_cRoOJ_#wbLlOPFydhA+i=oV$uCD>@{hswNv;CkBimApqoO z0Yj_KIg|o7I{JkjRR3M&Rt=GLxte;wu%`#rJf;mY1Cv{$m8mCC9jVivWLqk7U;^F; z_Xz128==tJ9o{2fv(VB|T?qxhkc<^oq9$;LpCvH5#Iw#LIZEhdRsTjbk{XqN0GZ54 zYIdBgdI#=Ka&;0SrP68JXr$)t@o)h$kxkl!ORwygpH$jBn#%^Lk*d!WXlZn(;e?Bn z4$JqyNSBI4mKuz1s9^TZ0}F1QsS?7~!?n zR_c+XG$}j&4+i6sKv=l#JRS6@*7Ioz@eGv`5fMfdOT$T8%M1?>S1R#~SOUX?jo7+y zE{NURCnVv52bdfow;>zW>!AM5u}HxeQNj4g&IpE1_zyYKb~!f;(`yR8u9|SadHP%s zH&_@Cu2DhyA8?^qykA~uwVvPQp0L?1;iC|8OFS_s#YHf3u|bG3%1Umoo>{2~&y5mX z><_V1_;+Go|BD3}CBlIS;@6fCfat0eKnMy0o9y^RACn7}VEIs!_TluY%EIX+q-FA| z<9;R1AZ;X_tyAO?#xc&Bo#V@s|Fn9<#b0PCTa%x4QN>aT-c88kcsnSpDw^%&DKxpw`wXt&0i%50V^p7#Z;TOlgZt(DsUv{Ow(q%d1Fa_Hs1ha!Z) z(utkv4^;$jEi{q_)6T!ZD?}f2!|mM72g^^`hgjsL{wqv;fEQQ2P-w(5wk8Rz^)V$s=H`F$<&0hBiXaNtfh@W+W^E3i(LUJWU;b6HO z&+c##6=^=lEPq;gGR^qd#0ndPlXSv#H*p*BA;iGC;-@}>S~FtUsIrdfRN64u8>f>{C9My4n-TnrSpVEhji>_-`< zTR8**5{8*oRaZT~`1C!7l=TVrwms&0#+eKQNmb(v1L-PKkEy_&#`bz{;LqM^SXrNQ~@?RLJN61WHIS2x&^^s2J0Q&7BquO(9dNFgkC`+4>mFsQHR#`N@S@ zJI4{l_j9zD1t9LscrXMgEo*)iZqn!2BkS8hZ;ZQ8_Z5%8l1Bn> z=#N)CH}+|BPPGemu6I?DCfNqDs-)oDe$uD0%=m8ZNvlW}OZHuQAO{3NSotXb${4;< zq^GDxeI%;hFZTaV>av#iJB8CH^ptWah}ARyj10p!CrAHSz>}CEQM*GHHG*_bj(16d zm>5IA+mm8rxkkwjvMz(W4i@d^#_e_uIXt->K*;j+)Ll)IR~pAjBPF?vHyFa(;&I5K z-R&>5;rh%Cb=rYzA=*k-FvLHOtVJP{9JbXGD)fsCZB3{fWhkcES);hGBb+xIcxtpX zGW58?<;Kp2QW`iKpKy6harSJ_4I;Z>|7@7lP)LLM-v8oLsDIn#V{cl0$?~{H6^bJ+ z18i!@AG3&QBGb8g4I$`2lUzI%?SLDm6P%70qXFq=Uc{aWRJ_Em>ea!c*lfzhUSGbi z0lI<=U~_`t3AbXFDHQ%U>fS0WuC7blEedxD7Tnz>xVu|$cefBE5TGEzo#27s?(XjH z?j%5P2=063{kr?>-u++y!9Lq{T&rr;tSMtW&ppOsd5}87la1qrMRKI0N?~DAT4$4y zU^klJ=DV2FpYD$bMe0@dm$oOHR8~d7_$+CG*&G5ie@=>N3hkhZN>Uw ztE>z^pq!C8#{n)9A(*MOq#R2#dv3R4e=|LXgw_X=HS<7lbZwUE-P}XA!(RkXSt_8m zmYmZMQ|s4x(JEV-zw3!Vrzi?@7r_Rk zm>@yRZwLQzbq8^Wg4W?qmnGNlZylO;JgFdyzV{ZOk>dpwq-hkQGlQm)9 z!Cm<^PjZP&9tcI3p|*xmG?czn0G)0gnoQr)&$MgN&{odnYd-K|EVJp29sYB}!q#bW z*A$kKFqxV}^@weY`W_!5#bRZ4%mK21W?-*eY>KjBg_> ziBqO=3)KF2Ol3_NKvmmN0|VicM8b86l+C?BDRuq$Dz5v@T=#~xPw%2#rrvve{>KL< z21jiMAxy}!mi_l4QOSi+F5Q7tZ%*~LWRT)+WTKjt{oAq-C_Rmv znMZ|#YE?#PsN>uW_Yv$l8(CuN_s{D_<=4B_gh1wTKF+MXN!s!P`nB+O1>jM14XXK+ zxarHLbq<$Klzrt#d(G?^^38`!NLh6IwwHr~5~@CvI%wb#mW{Tt$AaAoM)!~z)N$X0 z4s{k_sTq)5QeUm~qeXO<87Y+FWLwO{oD&j>Q(rB_NLelPmZPwMF24v`b3R(AR+36XcL`?E$ej(+=8oH~ax$24YnEUYX&tZV%;`c7COT+!0N z?AF*fV#kPyPf+ycSN?`V)EKwwXE)bckYXcv{agk%|ByhJC#jU4xzDlSIDc~ z7^n?tu*~~$q8$~2sCu`{b+td9B1x&I23{!?YW;q-?}HBBHh?i3GC)E`5Z^hrjSPH0 zeUMpPO$Cz3JX$CTchKcnX7PJV03*nsllNpnFTo#qkROXGv2EC~u5yZ!$A}P%X>P;H z0zM;wvY1hYry&?yTtuH-Gs@E6G!<{8Z6JO6A?y>)LqakXPY*qlAN6$KKqIJl@v|MD z)f7xMl0bwwOFNs7_LeXt3vqOeR`Dkth(LdKi#NoJ^_SD zOW#z?iBSj)A{IVzv>q#ukaPGINsWkNsx^eR!pBGkt&nIao-2a6!Z)cSsp6=X*W3(C zOT-L^N-N6zx`}lfkPsBsxW}#aDYKy18l+W^oHc;6YM|iUmR`0Yh;`vMnjS<`@In@T zO_;-ne}ZZ9cKaug+Gd}W#?iP-DrMMYvZcW#fFg+|Qgm#&lyFLe$vJaen)SSe`#nH3 zTCnHHAA+g3OP{BD%JBc-)#dT-maIl-7a7RN)vh*Ju_NupkU+SVVd>-hZT4d-Eep-} z`ME(f9;c()KND|YZC14g=b+Z#Rn~7LNs|@aXhWMYt&^8$lw%?wBTLB2hR&N6HB8vs z`xo>a3uXOwV$FY(aSeqQ;}eNg#F ze|Y_OHg6k|Zn7Ds8%aoF?*lqIBwb^=tpVUZYL~^6m@&bA0~ZwIui7Y-4`N_POI1 z5EG3hxB0ksc>+Jn@lE}IE%SdayDg?*b38Rm7j`2leMv)w_jy#|j(S(|ccA}%P@l=) z;0o?br4q3@CXm76Be%a}|7SL@!~gqylXeX036$9Oxu9>0Sr1ywUUe~=!V0S`e8;a7 znk-_Zyb*yOaz(V0w)Ui3Hu0MYU1$95in0s|z5(EnQ#vQkUWmoGduq@?GJzfS? z4ApY|6sAvmE;3|)jL99m!G)`YZanumu)W*#4e~S}9Ob~a>l z^?cIL0F6q!o}FiSzl8(~;rI~EOBf-u+QGOhze5eZ;dm(o=z)4r;qJ7EQmme~x%k^? zVs06Ed;cs3&fPx8W*a;$^!X|p4;QYF({J-4)w}hWOWYS6OQxxAL2&&=%FXAbJ)qG) zGhp+2-=!o0zIZiBB0hcs_qx7r`k)rC%Ic>F3gI~;N1lp(-FMGep3h%=<0iVFZs*-L z_hqd!(GY*iJU`B>Z#p_!kGD8vFfu$tgTd?$$L~Mu7f|^^d@_%bDNpV)-(5y{=2Ur-gTT%pM6VSKj{g>fQK(UTEn{w2VJjTo;xNq4d0|3-zsLNu$i(8*w5WEH_=I7R5F9=CFzWV+QNnG+Ss;BCNN zblewFO4_lmlIzu}^N^Jk4v$c$NW5Ino%JsYkkg&2_m4IuZNT98AAQ2k>h$0LoJ@UmnF%7GLTHhxP zTHRu%^YW=v1I;-8)@n;{l2J_NRglN_dpCSM2cu2;P8U1dFkrN^JKF}g_Lb@CcUxH+)!|#(chAvuXR2#AjvI-4F+nt)B15I);wi9phP_c|IdN zKsE|}exCXG17M`iXDtdP#3#cO=U*yuq(7j36m^vHlXweZn_sca5qA1s5+Xp}FRQ`c zwx32!z8O@Bl;$HaU7R&MM>xmGbS$cd(&W_a|8#q4<5$GD_PpM|Ka54)+ob-JZF>f$ z>7nWH=^flt`uzpU2ij5Q6`dLuYg%jU6;)Z*uLA=aMjremUP4_@-!I*dl3dk2own9M z5sb{z6VK@^Nl)bUhIR=`##((64|I<$E$yO-XWzq&JsowBk_Gvgmlt#vrJ+sC z){|_|e1re)XVwTc?|{(51{CS&8R8+@$n00$-q_H&a5nYxW^~*4i3Q7AAqZXOEF4M^ zifvNnv@3#LK+J?L@-0@BeG#-X3NkoO!Jwy0ccjl+6G?+X%b&S#a+Nfp+bd3VK4 zCfjX9orF;6n+Tv#(b)PMt7*hG{8r?!nmoza(n63Ka3e=To5o4!%%?@2ET;xO#_f?*4rbx%D z$9mpy>Y>4Kj=7w>ne16`a{-8<`rb=C`bjGE%GByV7)|TNMH<_ zD^?Fif3pQ^U<7y90i~=A<8>Zc4nk?~Xh8CEgKxURJKyFr0Ygk@k&`R8yL)LMQqW@%_>=LLh?%KUjFQH5_C^TE9NDy9xd{=ms4yztJQcMT zvP^VniS9AU)sm?_NqX&FD#CN2F!5t(j3{Dm$y6)#pD(5+BXDk|<acir_W8gAIo^JzJpCzXpflD*n>`^f()I4gjqM41T=>u+GHN|PvZAm zF1?l<*oheT0!A;Oa{P;&$ylgQ=>1q+c6oTQ)izWWK*1pek)6IV5L#zg{Jstt(;PF! zVv0vfsV_OQ7v}8i7#6v)iQ=L(i+fILZ}k=j>tEs8(p;wi3kE%XIk`dV&|_DsGi(3M zh5M51!p(K_6U`!z?}pja#lF02(Vo7io3u1aDtobBqF8jNKAgRKpO|k)Db2L=2fuAYiO;}jqqN8Bjj6oMW z(8V91HfBx8Y{iKWov(=cl(-6Bno{G@o&S;`|$bu3@+2GL^o}|i+uiswNp=VcY6m!Y- z3zTYu)kMmIgSSt@{kN(gjPHzGakAv%cXXw~GavlE-DWTTINI?Ep7hO$9O+I=YSDb_ zx=A2R`ZV@P>6M-*`OYHsq1K3>Viq^kL!bHwv#>c=f#C)dKimtCao6q=h*xXGeD--9 zyS7E7@s0VhK_|@ppS_u=#aBiDu_k`#d-Y$v%cPSOx;qv-da^nQe>2Jxl?HR!YI1yi zJEoe7k#M{YR?#UlkNf2+g{-R0A+zGf#vgb0A96?O(pu=k9hd^`Nf!I8KYiQpFQ;k5 z5Hb49)Y(dO65Y`2soT-p(eenRK;6CLLYD6naC+C?bCyG@%Vtkn)*tzSbE?tB_(C@g z#})?kv36LgyNT~+2Y)1=HN?RF1LD-aU+v>iA`>2yp*E0u!h$4Xe;KxV>Ui0cw`BYd z&a8Q*f?yv&L*dtaO4`t6=pqL*w;mnix_QHTZePTve3iodMb!WyJ)<9Iued2MfUkWUx4x#%J z!I{6o`04)$#{E!1D4P_hMlW<;@jZo&W?24BCn+VXv_y!z@T?gYVajY$~ouWxY^ z!H+t!QoXc61aiyWqI1Pya`B}i0vhWpxiTM_bf>F98y()KZm4H3Oj7Kcj>k9CT`OVc zo?e(d+8z4A2!0H?rI%`?S}brXxVA}wbG>3Y)yiO5X-R*|T*A|5(t}EQ^9It}8`(PR zz_>L-_LK%AtH`(c%D0t*$t#S;`{(BZ$n8JVl!YXgV+5K;Jm zw%gV#-z4Z=p(Q-!`O7e4W2IH}#enaM6WuYpKkGf$z5h`Sle{N*g3(Ds0H9Sp_$j)3j7~fUu74am&$S-IaM-()t z9U8V??P2MW+D2JwCWTEZIMP!?!WSKlBCsjy>-lD+^Qf=smY^>?G790ls)#j0gK5F{?JN1E6;(>TwQkHtR zer_CF;)mFXl2mAuihTl_nG7V6RJxg%yy0gy7^`3I9E3CzDKTbJNG3nSMHE~1-#IWE zDXVgE+L)ndDsrWIh{f(H2hry+2gSOb{Wev{n4d|JBm}wnqgNf~7RV1^bu~gmz20_J zPb2jPIi&pX3`l5(lrjb|m*e2MEr8@bpf`lnW`ft888TnJ;bk-Myk4=FmT_E0U|iNL zQUj19AU>@DebGSgw1MP@R49B7jdu>qK|u=I$o?;BJg|w33EjPeD%0(o&P}i9>?4UU z(hzD(1^U3rMW>DK6M-)IK|C~5l)n%%4h zH^xVq*PRRn!2T7l8ls6P5=UgZ<6wjjmwiXeA=_@J>|ZCQqtrs3GZ8Fu+c*7SSqo3` z6a@=l__2XN0_$r&Tf-c)Iy4&*<>(lVD1LX+^^Puuebh1c%B-{ix1bKuwcY=v@f7bmnDtG>{25wTip zm?F@w2SynoOV%W$Si+n&8t3PRtvCE@+ruCgwAK4CHGFr|1ds$tqgP~u%u1R?7aKD@ zFOyClvfPvmzw>y@QsJ41ubQB{Yu)fF4H)Ehe`2ZFA*jpdN2kd2mTl*e*7bwo;Wtls zXDX$lS3?IRNL)3AMrb5?J+pp2=Fb8K2zP+}I8y|~_k+Am53i;xrY&E`e&&`|F=CE=Kq=*xDzDr7B$kKR zD2WAlbeGQ&rymae-$l_9-(!PN7`@+@%u3pXGo^5oaF@JiYjz5hkNm&$Ex0(CW)jvp z|6lkPY)@k&Egd#zC&r&_u){xpfDa>8)%_@ztO3>8Use`@VbL)>xpK`tu;tWQP_-gB zN3+iIngW|;3#)rx2tGPzzblRg3g073^?(QCXhS}+F0MaE-?%UQ#u?xoJ zOo(Dls~4-9zm(n-BWn|yY6@cTgBtdzrJeZ?q4uvv5$xYUktVHcq_kb?1l%P>n*AfP zZ)F(h1!$mBVu}N%p}OkMgfVE9Un5?x4}w`v(vA!YoWg!$NquK1Q_#sXr3~fRc|w3v zXR5@)JdU@Oh1J0AyB=6{2aR=~p__G=!!F&qP$CsFFsX;7^q4cj(r0NvWZiOT6kjQx zxA%TpVL{Xc>=C+jYFT=v2n)#G8finb9ohpN1_x@Gc-w8-`t0|ep)mic=KU?Y&Do@l zN7wQUK%}!5c(5#&fi~$Vdk%No_(!C({eSOx5+|YltOo3F!_P`IxpZ&lX6~fmy1qWZ zZ^!pmniXM@BY(^a#h%{P|1FN*vrM0~d~rqmpDe%xJtM{iS)#e2HLvCvC7N-J03Cen z6J7{%d+5-yNAqybU(O|MXyCl_S^d3^*$Srbu#W>|`4h8YE*~hEqA$|C!#@N;O_d;^ zSV37nk*pr0I^C^zVI7~tj^hKbb^iu4V=S59=ZH1apwvR41v<#`f5TxSd!gNaK>Ipa zy~-8>6Du`|P(E)e&2{e(I zI5{~6b8~>~ame4t0Sfk0lT8TBu_yrgN1_{uGQ8k_Xz4Gze`3lit3D?%0O^ zH0zDPOjGLQCx)ItnX)aEg+qbD2eYPXTjE|~WSQnun}blq$O4re_(nixCVh+ChVe*`__NNVGx=RLRn<*nDcu2d~RJ`(WM+5hfoQF8P(rC45S@M>1Wo)Na9c+`TtS!-spY4s?#YW znacXY2a-nmY4v@P$kvB0Cw6YE$=LbFoi3`^#ck}A>Riz#)}%qE`Ja?-6H9UhW+pa# zyc6%xy`W5G@trbxY6?43)i+Ui>yoEz`92A?Kt2)w|pD{rFSWSe=sQf@Q-6#UFU2V%hK!N9e zxmlk5VIP2-$Uk^5rt*av@NI_=)sgLL|AomEzzOGim)^b=gu|9SUFm>@yE!f4QLN9H zmz>Y$+uhHyCYLfWaBSRI53J4Q+_>uuxU{o&4Kr)cpG{ogMn*yvA4q%~#9J}vtp?3D z?k-ibYsXoUpXc29EIIBPLpTu4A*E#GJ=BNa}R@F?98qP0| zgD~;Oukct}cv!`>7YPh+xEizdFFx#$sKxU>j-VlU+zzx8a0aP5`~%9gt9Q#dX8VZ+ zu5YVyMNE;fa}5t=by=MfcT$LrP$7Kq3HiQBN71AhU>Zc-p=3Q0DDe_0yS}a8r%=Qu zjPPTPrS$!)nzo|)q=X0Z;6Id%icvCk)_to*N9?%7W#={6qj`qHRFAs7JI%e?QAd<* zh{$ZMX`;+6E$oZc6IGadPmjZX{Vm+-d@3bcG0Px4g&IGtpk2EpgsoUVS?UJo!HPaCFj%fEZq>I(DcWcKyPrtcO9AqDZ6EP@bxS37Ibh+d{BtQ3HFchpjSos9aP;{Jwxk!!BcAj=KDNV(OF-&H7;Kd-z3CHUmx7<8bUwZpQ%4tYp8hbF z)+u=#XVHt_F@1}UAgZd$2Ar5^N%9rOg>cg7N3yqRL=9C`0*4^r{VZ8nWyzQn|hTo~VRCRE@)%vAu&T<4NE&hLx z&ERUVe*Wv9c@*{m?Sw%zPA7#81b@w*9o4^L)Wdi}qG;qb6`AVqQynVV3L-yflBS>D zr=j#n4%&CqFi=eRX+*|EcbkebZG8{$ysrY4E|i-HhCC#p2*0Q1e!{h1^~^`g6Ce)C zr&FSew?79NAv5ci2M*O1TEkT9xF_b9)uxddo*jC#NH_Ssd!KBt<;m4p(KxF7)757- zC!d8DuBTeuiJeN9zO2PU5uWxn$drOu){$e~RJQZ<_mXrc;1U-q(^911ZcZ!rC1&9= zJ2uJ>-N-0h)Rr|^9G<$q)S}LOd|G(;t}suj4hm*U)Lq6Q>r0r=fKNDtiY@2pWZOEb zsH5WTnE_rnT6LyF7N30ZQjFO?uk|U9>?wi7QxnxI}2uxI;XDMc&p9 z>_e|Xg%{Wn+~Bksm#UOYrfFZs!^ zs%l3ZD9xi>Epa$US6e8>&E7pLOPYJJ}f@)mqYo})V`}nA~sLrtXN)lwH zU+$O##?+;pv3P5JI4*l(1ZGR*)RImux0GyAu>j&=`vstMkl;IY4Qf~yr?6JYziSNWO<|46&8b%6HALi^Y9 zBB4j~>|5fWx|Q`_LbstkO)iO8q6!mBF|DSl7X(+A_;vJZig87(OmZ3v} zWS6^kNn$y+4V&L79X+Z0Wzvejq_!#Fpz87lTR9n$*iQn@gcDo7BU$8BpYA&5@X3dMjJr7}tEzr0 zIuO3H^dm8D=?6-xhDL(=TtJDPOqm~50Dkmv9ZgbGlC5e1*eu7v{UbD6y5Cja@}19# z6;xXKS|d~#)&XZCF0=j@`dVy5Qgf~9&$dh%BANzf;WK9u+7NGznW2(6QIvfhUi-kJ z7R#u6Bk$nCb#3Gf8VPef)uiGmm{~=F>zE%O4H0AJUk|yh?TCVM={v^jBy6A1Mm#-2 z>A1@)Zu+e=CIzEF6F(Oe&Ykp|qLb*!?d%t5Rv+%~a~)8rsU60u{A{LmG?AVuSMw(i zgmqqB+DXoLQijw*_iFetp%7NyoYCg2V3xj>%k>y*IXr@4{JL;uqQRb2=McU8b%{xr z4E2_$FKJL;RlwfS;n|7tL*+QCHmSDZYErYlnPq(<0t)IJ;ve<1eCa&`x{l^1T~L93 zfYV)Wpt^fh8KJ`B{I#SuQ%gM^fHv1OPu~UW_^;+VR_~l5)#`6eFF;ejOYX`=kGVRF zlZ+OJE;R3m{+)jI^ERlYzd1sCy6sCmT!a77=1{63>DoI1S0)=^YF3-P;ldO40rttg z+7N^9s{djOlKuuQOcCG4%X@l6_mH}=TZsxrOFobkpxqn#!LOTJW}UAJx!ol%4jBr~@iGfl@@4 zEQ3a@-@zQxvwxIV7h8ISC`zh=DU_IOx=@r_>>Sp&KB#+ zrIa60N#e-sP4S3vz(+d!bK>{Gn#@oP5{WP2% zgsPvnZm*Wz+AhvTlN8^^vN-;lY~%!Z5Bt^<8kWqy4OvSkE=hpxsswg9=%WS=(K@DHLC zWkPiNdc4eO(DD(H1R#9A^ROae(?PK5)%&(_2G{e0f`Z7&$V8c9`OXIZY(PUpV-gV9 z{b`{#uM!!|rdCeZ`L$CzK0c0md$u|FjaFsr*Dn}rYwKT=nWSiFq}LcsOJF|uSNsHL z8QlRcI=Z2}Gh7r#`Ro<`VCqYqS-^iR3rkwKQHTVMB9Mwav!Xc~M{yNX+8y>SaLa+D zAFLJ2xEdaSZrK*n*eu!#&Y??aT}w3^mCdXQJ=%}iLAva}D*2?@n>`xwDpi}K^CmI^8>!cNUX3E z>l35ldi6K!YO@oXNRky5wotAJAxx9qsuzjD?bVw6shTjqaGm3enKoJikojLxw&|}Z z8|LFfu#3~~|4I@?$TJWC4gb;n*I4SCYF2##D$l(FZ%ENjtyq08B866tQt!C z0<#_ku=Px14Y2xS`1|`O(5ZoWoHwu|Y!@qtfx8Z#D^A4v#AQTzDMgZY&xzifCdCYn z)0^UvLxZ)xvI>Bx}fO2)Rs_opuZNC5^LpT|TBBa<=beu81UvBrg zjTLBAzn0YN4utLZRWDQ~KHg~8|I8%z7AyddP9k|Qlka}g-qtqN>gmj+-=O$enlz2u z9@iE>5{j+SX}t#+Y1pExbm@D2e!p_`~S^R0b1mY2b0r1fM~hei{!Qu zaF7l`vM{|4Hbu-5QH&^6XRAyl*z$v{jLl(*Oq>;c#{*|S3GnpcqBR9Mbg`_Xv!=tt}Ia ziF92yi-)U&FR7f?(k(cETcCfVd@~P9Ii~{FuSc(KJCSNT8QIL4`qA1zf=zC2y3TwKP8ydVU^&c!UZeX5;; z=JUQP;+@kF_`1TbC{*2tfPndnoG`GbQ}CmLAy&a@B#96~zI@^g>h(@Pa$Hh8lP*V` zG^fj!D7#21{?S7DY&|9PmoBJl#S{vO&LYB@Tp9FsZs*korQhK$71B`zrqel6W`baH zMZCkAeB?jBhM`GT4)8SU5bRW~EsvL~;|9)#;wV#iU2|CGBfx`^qfhsj?vYpppy!)a zXYt8jz%cjtS0p=N+Anip{oeMn$b35QMK=>X<@D7eJcFJn+|V{kUSYXP>_WLVK&dzT z&3J8TV{wDcYGe?)GQw3qq+agjeBN;ne411lB`2Uno#C7cEOMIlAxvi+sMD(a!0wo_ zn*0&f8-gB@*?eXJ(yXjV=*mk4n;@WI^8UHGk#2BU{&?F;eOq1bScgrePg!)m_}_uM zI)vYU!K69?3YxzWCHvcF9gf@UqeZnQ7t?K2^p!bec59_HuI^w|LKqVXTofe|+~FFs zb2A$lGZup;vK0J1#e(uG^dQry)CbYmt!`*2qu7k@-fLj0Na6)jt3O)I6{&%n000`T z$wPNnF1%$%8_aF@On6gh4D$|Q4xa%1$igRuqh7VVW&HkfzdyzEbPZD!4T?R@B7LYK zQfRR1>$2PRp(Zx7-usWc!fLZ2_B-B1p5kP(jxf|#<7w0@>;*FjEo@4mV|0OLSWgs` zBNNK>sf<4r{D*_%s2Qn?dVMS(Z%&318Izk&Vy;^93D_*`9G7dP5TG*o+y;K9z}O%> zOaUvC)wn})cO(&(u0I7skP_jtSrHIewDame{pBJ5ld24;r2ZR;*B^g8HYfyU?}YDt znGt4Lk#^;elyC4Jhy#*)FuEl1wkAy6p-jjmzkpqo6%>m`%pbaq;J`*akY3zxFx;Zk z^0631i-7z5XOuP2wdad)kO^?ivUGv#Nf7r7e;}eiTS&#;ix(g}t~I%e+axk&N`#;x z(!fWRB?Tel9X?qQ5}mU|smTK+w(3Lz?wM_DCex~eV zO~YQL#^|l1VsegU zRA)ooJg`aR6kgB&&p9dicW1Eil==s_Hsg4xws0E0$r8YpqOLNXpd(^bP~(*PLQ(mr zN~c_p8_J<5stmi}Sx0Y28?|fbBQD>@&%u~DN*S~Z##s-9p&}^!Knekm<0X9_gLg=IJNsp&-o6E!kV6|7N!sAO>l`w4X&bKLc8Q9oV2fymJc~vW`g!&f6NRZha&J|1dc2^fu_s*37?nqke zwIqKUwPq|8bnxvZFePAYsG<(!$`1R4esxUGfl!vk+N^hlzulYZaF3MbPEU~)fKqH+ z3<-A_!@6F2Y1!Ow#K%(kk?t=KBR=?3lTRfT|L0k$7AdM|J7Eh_#O6^v!e#zTsM;X@ zOcp|@XQ%U%|CzmxRjth-m6uhbC=nMTWv)lcQ7@&XoHH;C9P5-Y(Z$R#yi}lEE2knt zPN|R{Z9Il$K|yp&O&rWtUJC2#=%I8$7cGZ8!b_}_1T(H~lHP<;)-T}C0vm*nmBE@s zo_vd>H1Amg$ednxtOW8q@l2f)xebxbM>!yuE|L;t;>GU3%j|hvGV~&DLEVRCj^p+5 zlH$28A~$;R;`_uZOw{q^EB!Yz-Ey$(qk?6hLOPq>H~-^ZK#$yb@rCnS%^y-Ro=4m8RRmd9es|~Vk)soCnq<8o;|9Yd)_QMT-qmZO4Ta_ly zMu&)=kUq=a0v8J_aK!!l&Mu?p6Sp%GgEn36;@ay3qgQ5A2zrPUrR7g7vo+bl%d7rJ zU!JY{Gn%K0mY(X*EP14=Z^AO7&NBF3y`J|@e3q(dpMpdW;-%E;&G-~r{BGXOMaAGv z*4PR-L4OW}I8g^MEHfXy(JghutJnfcOA$~t`;P1vi@xRrT{CVk3rE~zBJADYKjw<9 zr?GQ%p0jbGh*h@5vT3UK)z+T)h&GzpzgzsA(s75&xZp6b{)oO34JOebZOqM>i`N{aaPqJ{1=MGKk0xx zWKBpES|m&25^%tHnP@^||EZG2mFW-1xo+V!3{ylb7?0)4w$dyjREN|9(H}o(;C-<@ zpU5)Hl`(1;evMbrt6D|+ANWRkkC-{HILlaS;E#3@vimj`e(`hA{P$G0_o4%=NeY}4 zTo`@9)br!5`xt?_N&HG`rvJ-Zm|PozU7kH4&Dje8R#Z;(Ly;K6>?)GzV`oi3!qW^#sa z#MixNmZuyniC$27sSeo>M)q2w%1Qb756W7kZp*}QQ?{tr_QOZAvea;bi_XOoW=DWQ zPjMmbwH&X>&knY0srPuCsH6*H$#1NM< zL6dv}t30f5MH=n@RDm3h26PgF$B|M=d8YBnc(GG7;C~m#_@tgWgl4QfWM#^R3jQ`j(zJ-|bwg5Ai{x?*o^w=o2N}%#j#2xC zzIE_;K8Z5;D-n*R3n*LAKkbUK56~8t_if90M z$m7Z|3QlE(QicW+k5R)H!Zq%+9x{mdg+^e9%tj~AP zUs3IwS>wPdV@0x$O76L%MdTZMD13K0hhFY9AZ8SfGwrkfVk=*UZ|Uspe3WbD?hj05 zehaTPKfbn@O{pD+;`8kyb+IvQP;c)7Knj~?@(6K6*+aG(g=OWY>lZa)jbX2 zlT(N2AAnOPv&4!>wpdaHv-O8#i_Qj%Y<iA!_)wc%_JUSV&GHh$Y)-j z-+L_EUaX5z77afN|B`@sb=XAXTz2i=fi45MW_JD?DqL1yxjb}Uv|hygqghxcX2Nl* zQHFO)={$eT3|2=GOGNs=SO6#VJSA}36&gHKfiL_OEBaF%?vl4Ylu$ek+=hQ&H1Qk8 zIO;CbOpJ5F3J@Q+76^)b`(!D2tXc&7Kq7-rN%f&*a9ip@TpBI2k^d89ojE{5B_Q}H z!POUxlWD2{Fkj2XRulebIn7=adDk!n|9crpB`9c{lGzI;c8fBU%j^lIY@-TQ3Tdx5 z80S*y5OE;!Q5LB68Bw-7s-giRWOJpu9UFbE`|W^aCJggP^j^zMVP8GZ6s?FuJ?O3! zDJ^q$$gSnLYOoak-Fd^ur}irjru zv@8`dQp|>6@aKx9(!X>;ySvz2S?`UdN~bc%(@P{_U7LBm;s^50{n$1l(30ke6q@~v z@No)-+Y@Eg&khv4g`CQ#C=oB3LoYhE=Ie0ucb8@kV2`j-*|#Wh4Kt>xkX;~VE|t3RDduLfKNrAxvx2-j7u{_89Xwu2hi>#NgZ1@u5rP#()W(gGs|jK2tF~UkJsDl+Q#tukWYBPBhbZ?kl|cAuUQ~ z^#L`@Kx>x(-S4Lg$fBX?kuId)pct~9c=eX$hu>>E{U#jIr!pdpPom}mwwo3(Nng$N z@jVch+*zNz+uORD>IERoww@}(ADc;%l^QQ~C8SSg~f5@N8zLwF0 zj3|Nq?RieRw#^G+%?CxuKnF82^2!JVn!tB7qPZ(5J#4Y%0b5uTQUN(+Zz{ z-okgvq{Jt?nQLz&zBN*0rP82TS|>!D<)@HCw6=IU@!`eRO3CKxw0H7icj9TgF~Hm8 zM3bud4V6}`pD0$MwS7g+@yAF>1aj-+OtzIRaBRrYRsC5RC@|267jHpb25%}%_T9;a zTZ!$-iG;P)Z}Dsd-sAngLA%%)d~@Ju%dZKV1+Dvw1fma~lAli#_PNQzgovlcbr_=( zcM;*@qb$AhlpLU?T**_R8qmf8ywN$pr>YN`Qhjh@~)@v9fg zhyBwF;*`=346$`rV1ZIX0v{2So?gs%RkR|Rh;K=P*-fjcM zj=P!GqW7H%`>~Tyudk*>Gs@oV^Dm3u+KXGysI}ftV-96tblfMZhijW`lEglo4J=g7PTjnAE%j zzX3QnBlS3?!Dd$h4_q~QxBK45KtW`KEU>f07Jr~#2X)iY?{Vw%sQrs-F5->E@#P-3 zgEx3|>?%!#k8>1L$UD)KTYQyEPV}n1gQ;P4j+t{D(Gxn23e1IpXly;m@?xVD3L1>^ z>p<}AFotKkHyzs};YFSU5|rdA_FE=eoJdM1cGOC#y~*OYQ0<#Huu zTQtbM%P+K3t?%SFEFra=>DdyRmEOr41v-m+Ne8@>=6X0j5@iZ>5#qwXyU@}`S7d}_*d4*0ZyFykd ze&C9>#s%f%epI{Yy#NJUuZN{PZf}W5Z>FU}CNv_i6}~!rDlOeBTJgzqbZHf9iX14B z>wfHQ!%ratK-8jA%x&xP;&v1<0m-}w9g9riy7*NB;ik$M!dAUVBvqjkWGHyT&Q5F&K2j>23L>{ zrdfQyMCsTFVyyTIO<)J2amOOtrGmWr=eGE!Ie`{7L2!P^>8`NKf@+|lXolia#n}Kn z(idn`cm@<4AgjH{ow6~MbO}WcMS(28f{Lyi!JmbX@YwBOGQ@izmT-;hRqPtoPM6AD z_E*pY&$!%sn(uFayWIjEY$l0a9XpmV{;KS#tr*Ck$%@2I@aQAu9p4~T);zIAIcE$Z znB)^^QDeRSW-?|e*_M3-5YIuaLUOgMI8jUmgIS&6G%_U%5XvgxjVp@f6u^%%&NewE zmC}H^;^!4>vwhLvBC%WZrQ(juwS-3Ta1cX!WujQ8g|-#7ElAG6l1HU6c@x$kp! zT>IMl>~rpjLhuK&L2Q|jsYOPjX*SpqCQ;53lixn)3^0ehmP3RH|0QEU7jDejipM)s zbm%F$FScQ=&n<9vnV+N}NOVLzp{L84R5Kg{I{PpfCBH@YQPxg{+(%|{A@5e2cI>3G zk>K2>B3x#fAUn+QYx~cI`R8;H-h?Pm;c+e`A+LbXDvV(Vbk@%zgPJ24<~@ppgJpWJ zB~v&EX6w1?i!RUKYCByA&wwG%6t@hswZ6BME=O;Qg)MX{DqCVg-RtHsC~HQE5EBD( z&Z}6;`!o-*vuu_iN#~SeY4^HTvJ03tuwlYG)Uv{;8h zzF)Z!E~f4Uo%(4|HQ}DNz3quZwDzN2B_OwM!9i}eRwLFKl_d#qoa`)`P4)E`lj4OG zhrcYXcCl!^V=Z*|Y8}R9TRp>lyLq6WN{h8YkMMMR)0-PQm#)AW9H10^4(Ypj)(aX| z>yOW%m%&k{;42JIu8h7<&L>8(&#o^=$KY8!S)P{gN8sM7xysXNZ}XwLj#u{s@4VGw zny1`C$t~cRTPB)!oj={N?^+H%`<$QhXqCG_tIkCKo9_wna66Vn!1f`(4`q{jnpAS1 zM1p+e8}yY=8g=wk=~esve#zGm=XI9;R8lC7=Y}r|v_9WYnd;MPEQISEbY%@8Muniu z)JqiQ*iSFk$9G<1%hv9pC#l_X`;m#&T)&Uvv2mv23v;>Kt#lND0X5O18NQW|BC$!V zU_Vh1Ni6uBL*82*$u@!Myjb@@TCC6?zhQSox`G4FXASG;Tx{3ERX@C*q#Z(a*bzm< zdz6|GVhAV(IZ!6&cb=Q`duIA8R%wJWg2U3l`8Vvhy}X|p_SxX z3p97dvUNC@GrTb&L0O={!E*hc=g_t@mZ9VAgBr?{PcFn~E%L%6I+Xc zL~V1IkdTlfaddC;E?|)zvuP&QQkwkWls&+ZRYt3EeKnSwBY7B3$8m$JaLkb)m|ML~ zaKbCwK3obJnu*!-n(s1;3VNCpX4(-^=Hi`>2c@~S_%PrUw6vTO)_E5)5(|hiJ34mt zAab#6-j0f~9>JoG^tYo)DgN9Fd@log@u{>oN~61_6b%e#H}Y^XQEZzBN0;`|jW*{U z-{2D^*0~y%w%@1!Z4t_N4p5>x(?qPqqVmjk$#kWHqk0KICjry*&cO!LF<6R}}u9 zqn7AUM$nZ=TO8tyBT1V?A8EU9;QR0$F}E;tOSj59Lz1w_8F0Uu$TH5Yn)oCGC1Ng4Lvefa=!Uw`vyY0R-@1>S_eQM z^Otq!ewGa8^G8jA9vrVlo-`(YL}=xaBp=3xhT1uSE?RtytIL_|=J77{$F}(t_ja-F zACt2^5-NRj7ILCDscUPg25)uC;>HFY!YNNczZ z+np4!xrXrcRsO?j=p-<9WY~35fsNVS=Im^ye{{ z2miY}tRlJ!p}tan>@Q6-Rbu$s%ee|{(<*An#geiIjh~`8fUUY#ktAF$tz(+IGziF5 zd5(`CXJG!|*2GPnXVZBPX}Z`8Cyss6uBgImfz*dOpsL@R#BV)>1oqKnW7;J~P`g9E~*@&7?IQz7nt7$=bJ|RfM>tz~fLYJfKG4oGnulk(GX+&jb-C31QjA(>pvD$^T4f|ZW{BWLA( z&$Or)Q_^@J~{^in1`vv>z48EJffHD&&uwVnTOCe6Unjia$MTW)$+ez$m_dj1$}ycP{X`bCCLawTX|`8SGLvEm3&P z7R$H=vOkZ=Mr{68di@~DB7RwnioP($7|JXdE{Xr?4sW3Ns9DdBu7Cw-_ODl&CVKL9 zNm1lHdWwyJl&{lfiKvGHeu3D_@kTOnRiSw&rivp6qo{B94%c&eTce}~(6o36LNH3bv7qc! ziFe=8a%Fn7$n_#{-LquX?2gb~&$`axC5fpD<$zdxbAtL$jPX3?FlY>dZN_gefXgb^ zuEwf(7WDRI;XMYEn>casEtI4PAGWjyckk-Fm)BWK%22$zIF-twf8N!Z>tc+^rT8UN zt8=QxG4L+yaxSJ!3ZL4!1hnWDBDdM#&ho}Y#jW?UlrEx+DG`wr`1tgX9CdD{1bb9b zA*po;Jt=rqQBe`%TcE-6ysdxJj<2V^iswp^f{r)X<3W85>Pss^ZbT;%z{bw)!Ht;y zv^ELIfo!^6li2a^M`pkt0{EV6GVN`@Rn*GISX2gb#i)=x1bl^dvj>Q@NYdrKwo#SB z_-fKHoNuLqDi=jJW7sGJNA5rp$vv4-O2&s>CNXQ|BZ9YEbGeXW?r!ar4ZlRS`9fu5 z+Vz#jB9{lH8A)WnrOHm8zjkig8Cx{}^G4iy?@p6mhtNHAf;15i3rwiVC?0GbUmk_a zKI9BL(FoBCPbFLWWu{K?J%~j+MaC6rj&JpXST-V5Lj1=7-H#35Gdy5+CUS-}NCuZp zYw|JLc;i!FR*)Xw<(iq>x4+_is~4(4b7iM^Epgujn8WH`jVVp8sX;s-0VHHoR>c)t@?3#BWE( z)#x1t2zfN&OCDRZPZYJTWBZ}AUtZfg@W!Oj2R14Rd%0sB1*#uoF$fYt z$O3NvF@^ukrcU`WxWe__$oY&ngBVsqit?)-BemxjRt^$1VX@usHY|-N9%}H_YMa6a zo^>?7V}Dc=%|uGEMnsP(AcU$W+BP6QeLnjvOk~cqTwdqJ(c(*CMAgUV;?a!Ml-Fy5 zT-Q^aI15LZQLpz&8@B#5?fd^XP5bD>V*TP@nsNJu2FmWt;~1Fff^Si@n~FEYoGS$xvf@vcI!EB|vVv%vk52UiN_A2Y}=`dksp z3p>>CmlpNiZLCK6im67yjcp)NC1JnMlK*)~d2{CF!Rmp^n<5K*eEf*Z;Aqo<5V^cR zZT{oG+WbW>E-utQyon{HQ`b4cHSLb_CcZCi^2*Mz0W}c)W$up7v;Gd;ZM#%kJbr_) z&|VXQ3|D=Qd6SCPSN^p%-AY0I$-x~wIXFXD8hnahuXUsO=js^Oix~YGvaix&2zv4= zBpVof1Y^wiXMeEM_q@W$*H6HiArW8CF?2V3JE)_57{Vqv)7_7~*GJU3PDn_$;o3?d z7#=yw9x2A`r)S+h;On*93Kwd1x>a}HCvfLG5G9cMxUf*UI-T83OtFhAUkNB%QaLfOpv0c1uI^SigUMeo#m%GK>?ycMPU0T=7=x?p)r?dFl&%-Hqs2T}N+*^3|$9 z#j3&cD~^#C`827(qQjf?4QQcbZiuK{k(OO#!+2s)x&E*_sj?6RSm=9_E`9JHhjok} z?V0j(!-!ZL4ms5;9_n8>rp@=SJF_;qegq$L)j#mLt*UkUOm%l{>BL!$W_qvjbqkWx zAytJLO==6$Qxug{%hFFjzK$yM`#vz7)*|;VI!)c*Bm8dhuBr5-hbqvm`@F66d!z`N z+m&kVL6^ypeFMj{31szKM2W|j1w|zar_0^ZLgGt0t~Lv$h@&#?gi#)CH$*Qh&K|Bi zR927TKGtZtd%XI2O7q8nzE&lwqXy~$RbhyM`U^>u)?2w_d8&TW0Uz?L2UXdLCznM7 zXYwFf2ybtO?82(FMYcG3`l+NmHLWIWbY?^IIKpq*s}1WB=&4ATekvK^o01NYvfuVS zKc6Wu)Dd)&9(R znPB0_M53qk1pHYqq$v{y*q ztW|=a-GcJeBa!cC$?I zB}d*B_0a6M{F&REWQN`pqt0?E3#llCVdplU&-^=XYBNNarrXYLt$4T*SPC{;tW~hY zuccvM`>Y#f97(Zv9o)BS5>~{q)tg77Zstp4c2rb>ATSEErrFUVASE$=wqSBZ`+)nn z9y#{&d$izbw)FIK*||8Tf2Jj>&}^H{X=7QYJ6uxH6OFJ8*nvji|nvA;9T*{g6jyJb!|h^uXI|1NC%o z?M}GQK(lJas}aIfEd}V{yo}y^Eq!;c+=t1OqG4A856b5QRU`%Klotx~YZz0b4;&{B zN!JLLIWHnl7CGZ@>aw&+dLLLe#4s4OXrCMG8RS!(8C-MF>Rr!u1f!4dYT0-M3@HSv zJHl3-SlF%fjIPB485=^aI|S_YUkaAbUjK=1l))?tfQEh*pyQE0dkHI<8 zh%>8V{045>R?G$lrQ@X168C}=dBfr1s?_|ir3RG)Y=jM%XX~@-_G5j{MdO1TXoHaw zXWo}T(!b=A7|)2#P#T(*@p^U~Y@%x;G&HoH!lo4}jU^|%7+Rm{>n+5oZvkcc6fL~{ zh-Fh9B~Wok#5dy9NSfWJC4acPoh&n7ZF7;^G^gDGd3R-6zcgVn;q6DlO0KO`W5N>i zDBl{5yCc~yyKDr8!yY{)246?2iunyaN-xgKK8N4Z){!aR_iv)=Uca+9N*{9+pwN`+ zS)$be9p2z-Xl$srW{j}Nmqd)9v|oGXZjQj{*7bqy4h+Dj9{E>5sPYiI6|K&ZYdNpA8@>HdjnC?$9wy*=Wx=rf#aio zjl)ob=dACUHFgIX+}7RebEJGc_Ic@GBP@LRG8T*td=D*FPugQ(ER1XXm7-0T$vq$E zXhSFXc1xOkj^3ihP8Qee^vbPQ)p+Q~H43iYRlh*K&)K_>T)shTQjC$8lCV^#n{+Q*qgh7J3sz2Lp%Z3bo-Ynu z9w!`yv(r}e9?49~ZRB{onH}wy5;<)WAN(G*uiUFFN2(vdbbIUI6w~?I$9%Is=Q(R- zG^O*vM;<*L4O^j}^rry|r*(%~Ff}Utawk5f@RBNr&5NpZi!b$;&uMn_U6f^&BIrV(!BJfa>>L zR&sg7_=d9d-01*Cx@VL%t*TnS81}hnOf%W(>YiDGIic(pZ%(UO{>9#v_EKARGT~c& zi#M*-L;E&WH(9Q|xqv(VD42z- zv)i{sF1C(M#hpV|Mu*UH1#F|{=Wl$xQ@@v7tJCe(6t_e$sx&0LKIE*j??igL3Jn34 zdDmT+8VUO`q7%M_I0W&O4ho3_ZD99Jg#|L&QA$X_=a_Wsp6ctPvg1Cc)j#~&^;Xb; z(0^5_%BiL?xJ$jiQI&ky6#65F79%t3wR+w73 z{?6`v$^7D|?P$^O_T{b%`c0+HPbN_ zD#FqhNhUUGTa3z6-Iyb z2DoC-&YY=aJ|t?09}H)Jtb2Of`R&EoYD+A)rJfz7uGc^m&wTwbrJP-g6Gpr{7@6$K zji*Qrg?uT8LXfC`Fe4xlt55{!V#EIh7On%BPMLJaEkt@K1TSNliv$t70|h}FF{1FA zrYl%Gnc?Sei9rxK(4O9kRXB@?gnS|WZ=Zyu0AiBPxcTR&NJ)wx%J%5>^z;^%(|rZ7 zdW80S_)Bd@EUWq>c>AobLXTBQ8G0XN`!ro1rPd#g>F;&1mUeJ9UC=79SH-i{ZIqX< zWQFUwXHFllJx|qBd{kPjaXx>vS{FOXR?$PN#%0i{v#FoobTl~k8b7t-S(WCp6}yb> z)S9`{S_EX6egNYJ0xFm?HdM?3Xn3J*)JPd0p-rKNuP+arALvNGzOdZ?433v{ngmm5 z?JiRJoMcuy&P;nvH~IRK+zPOmiPnu3D%C zt+HLh$KU9LJr1~zG;Fr(_oE_+xy41!R_MM|+m4r%Pudi|4pFwoP*q#)d$1i(WaRcx zqkf3{xl*O{UC+7DI}1(Mm!)2phvVf#@~kAO3C2FBDRWx2Z;O+s=%R&aQ|-z_H_F;6 zpN(p2EAbu{mNx25yUpLeHy1)@2BuXQvJ`+N@@n==aQ6qN`G^eIkz@6Qg@s6@10cza zUFUG~flImL0RZOuQb^6d4AiN+i8&i|itDyTQLwVagFgR{b4f&oE-~a!n-P|r35>>! zJU2BE6%Rh!S5LGdt?eqtfbPI>bhdusV*{se&&PCSmfpG=xo=jDFMM~MVZSoE{+6$v ztD$H&T_`^A5QTy-65_n`38njVIo;UVi@c^$U*kLMqO;>d0oZ>hqrpnsvMyp;fe9hGnH5H7q9Ro3&H8vT@J1Q~AaR z5*g{h+q~m)M$1gwTio-XR*V~YGWZC%tf+%cAA}E z8*36E*(8+FB4<{EL2_}7$vvp%&If}sM82g$SsS#M=Jd^WVA0Qjoh0@=wAUJ35xqW* ze)IG*+EPWs@w7e%D9Vl$ifw*4nF|kZETV7DdtWiCrJsDfX7FOt`pzlnm6zfb61l!` zRzukMghEx+sT;jv6%aOg7Tec^J2cSkv1^m0|DHM8+#?$*79R}x`!stgFyysiS1R&>LT z4TodAy2c(aH|zKNSb03oH*0#!K1%Z=B}vCD2>-z~u?#T?LeT3Uu@J-vg)=2m&(AN> z%3E+1k_P+kud_L~WYxDuQ@sW5ER{*a(QH*MAB;%>TP=KUdT>elZL4O+=UFF1Vv=P^ z-PZlncF`*npRt}`&~bgI@1%#fpHJplWe(bk{fs`~rKaL4!iO4J#VMWHBs3|^W#EWO z_h!wEkrxNZ$9D2w;LF``C7>iU_Ht628L@Hw<`jHS1cstEr@4vs8N>0~IQp1t*&3*Eg5~W~_FWe$V zijX^cg}d}q016RRv=?ZS$`-DQ%B*_fFnE9LG!GS2NY#~@DT~9VjOD;Qwa?Oe1!uk; z41W}x)F2-Akp6fzKl4`4M`^#76@f9*Ug!^MLXhlGKYV(x>N$-#t}!8A!AT!%~kw4iqg~l>U5cvl6z2( zgH*>B7GcqGaXxchB0qZ6Ab=P_`eI1#PG{$xbUV8d(g$jr(UpKZ)~IF5r}hb>FR&`< z@dihUUY%HrDC0gBIbDc*VxJI90n5qyo;qU{y<%AXSbb7@X(ufunb2Za8f#^J`9Ql2z}A@`2HnkvCwQet@kcei~u zct*ebyg1y|FvcbimVuB4j?&d*=uFFey4-t+xR)z%ZiU#?sgLDL9 z2YJb3eawzHHG2_Rd&_o9FqvEpor{f%{xIbDrqiX=x!WdZ$>>Uxv5iz78j9<6E$d9y zONnFE$=*j3wrB6Fu)wMk$S?ok`_5b7L)(;}8><107$(#Z_R77vYmRS>1RHOI?USxKb zoJQ^)2V43{Yo$~sIworlo9IbR<~q4^mhg9qsVC=p4{Dh7Ex+6rSCsi7dKV`#Mp)!cl=lE?yilxn%cn#e)T2`y7So8vS&boO zZzCJ^QuDjhMO>CM5OORa4h^-5kt7jyLXeLBTJ-)iI)nP?=Tg$IGD^{(R*LWO_VTHJ zmn}f!8dOV_pI}@oUHPC|mBPxxA=OwypJA;;TpWm7dLGA@%=Dn((IpN0lR}wjo6$Jy z&2M~DvK3JU=4&GWW%!1t;tKc)ULDA)4{2^Ze{dR&iON;XAS3!Oi@gIZwl4U6DLddp zmB^YZGx;^+RtReL9-eCSxRS{jdhwd!6>a(k(0qYnCBg3_X7^T46Kn*J>Vb*19;&T+ z>{vCjFk0KcmS^uG9GX{2VSY5tS0Tx(c;MkEOskO(aLU7M{k66cca180?Lus5DKH_c zF;y4d1oWg7W|&NehR$$dcQzXnJCpF^W@u2+b8j?6#V@LRw13tm1d@mOWC^ZZW)M+R z{3oIxRvHCbWLaHevu_mWBJ9q~c&zsVKrmE;4npqZ>SP61LJN$jia$Bmx888;{itJK zHCiBkvY2Qrd7W$$L=skWME~6C*D7_HJiHh`YTd`BKgbKW@N7vPGaa1r=exm-z5qVl zk$2Z#nDw3B%^tu>=3&;K)88c;a&= z+0`LaH-E)_C;G?fu$e%d`4aY24&-4B-YBL`fNU^^jKJE}j=sAZ4^Ek53LmJF2)XU> z5mo_UC6Y?UdffuGdVf+Z?txqt1}+cU^t4ANX0I-2SFZF1oS=2C%^Hb#6OSOLSPQ>; z@?sc&cJzwn2%d{Dls;;dq4IWVUGJF3l9{JJm2|WSbGRP7&lQswXXeT`Baf)yGBpH} z1B;hQ^6V_1_4~ga=&b-co>DapPGW~`mjJAL`VKjcl>oh@5@y#lhssrrwEB;(snaWaiA@*gq~Uf*Nh@nc-uZ<6ntrtT)<25d)hi>x z0c|Zk>zo2JyBS-$=9X|s`>maVPu9r94SwpHCAG0GcZXLhN)(7W@d6C_!2xG_eY&0aG*7$PM z{}2Rp;BPu;9AKFr-fdgi^}2+XL~7wx28EAl$=L`XDk><1-}{I=Dl}+HjY9qu+QZ#W zZo$+`Ie4Fs$k?mw)H%mCtb4QE+mRj6x|ftbC$n?!Q{?srWvG(ps+ZF|OHLcmF&*o7 zrR9{~R3i2?U4eSLAZ)By^mT#^KZ5i*h?#_Y%{Q=;J_@CrmNg^ZO480>!7~)40iE!0kUpFe+3XvI94B!J}`0< zMDJn!{_P1}^GaP6YQY%#plxI}>{D&^Nmb93LtQZjm56~ws(rPFhTSyanEB?=Fit%p zbC4Brxbqc5@FGj!^52lG;9Ii>A(TLjua5CaiHxrcc>|hks)g`sSw>!~chM8^@e;%E z^wq&iS(itjWTSnpX^g#V&eV8w=d|Nw5amvtvfT(H_S6xU;gK3Sv#J548%sJGBbCZ( zE}*PYlQ+sM*bt~7MNT0TzMy3bUbR{HSuI}eoqr6a`srcPk_dCR%Vb;MaLK*u~dA+&NL{xk#3OhTaZXRh5&m{vj z16Y|*fV;kitHf;%Q9|7Gmp4oGzDVg;*?JW!U4W>=O+uxIT~%+*RdT3tz%uWlZ#zTA zDMZehL@J8@+RU;&iozUtd!mT>7-+;;fOe< zbNbB-u;=d>c48AG!{ESTl?Tb}mr~NT{WP^Q23t9HqOzTx?wC0{1s6d`+D^xxD)DL=aVN+wnE`4$c3OfQuecK$7VgBdwz6BXN6K>p1rxu)P!2@ULDAgg zDR5>qA}Lo_j74M=SIWiSb!FgFg!ZO~L+{cfQJK$bd=K9yhDobwDe4)IdGx)8sP}Rp z!VoF0P->g~4x2qfwuykeZmgS3Uis6 zC$okXwK%{YyUAAv6#bbx6fd*NQKr@!imTdleLN1UEb{YIv$Xxz`Dco)Jt9^nEYtb5 zwQXTCE=Bp%uB)5!ddo7rx|K_+wNUl`b5i~qkG2uZ=a?QBih-ny8PA_D0o(8}j$3o5 zLQc{M+QGv) zRBuQ@I}=0$Qg4%GyzNFE*gQF%Cc8e{qS*-eozGMAA+}Iuy0hsY(KefPr+?}Vx;@Zm zjH<>s7-iq#h+-|W6ZHVveq4(3FdYC?wWz<@ybvV*9>a zDzlpihs3e_-V`JQ;!OPiTAYp5^jx!}pQjFIsIGRM`HT*9y)KSe39c$nsIJG-4_ybh zr-rnqZ~wHSS!^K3c5U5Cd<4dDquW->K#qO1f61{_4T<*QVm?`J7)PXs>p>bv1G?z* z%lVl|AJOff=H6;o3pE=sXOmM_ z+c99yz1e=f!N8nN{x;_vh5^|@2BTrA3Z1Mou1IW`gCtyCZtI3FXSh**rUzyQn<;<7 zkEp06M6x0T%#2*-FEcY{M=ZuMqV;1an8-36(U%o8YSuoNk$Gz~LFOHW9hZRL5BC?; zXfS;@k?z=5F#SCXs59IHNdKPxD5{XVsmCnc{hK2RHH7(0c;EBl1@v#y1o2}6=~H_G z|1Do0er53zf)`uEW5o*mR~_vy|5c!UC9p2ln!wbZGmVib{Yu+UHkvaB#}xYs>BBd! z@S^5U0Av>w9XbjLP`TU>>+kGafH@%jJqIU5>%c_m5R%<8(%nYBiTjbn!34hu(iR%F z?}y`uY3!g_UvVs)^Z>jb?{D}BN6n*tw(m6RE=j^!J;5ROL@v7p=Oyvj&$9jo9`#j6 zW3+b~4Pr$9bf=#^upDK^zbr=uZ3LH{l%alvv@nJ?B1*IPsbhBA6Xc&rBeoCT&6j?U zP8m+8L2DuO_5h~n-_uSxe3Ty~PZyY|H>a==DveH8Wz({9;gQz$v#JmIk8XWhRjSpH zD2+~I-I`d9ZDJD{i5fSv4dD$2>SqAzFWD}Cd=F8Pu%38_9H{@zU+P~RZqz$8;$v;8 z?o)VUS4^iYXJl0g8QHkE>}<|$3&*Nn8nKH(^1g^zMR@UUHXcHjLE-ZcNHX~zY2wk6 zdN0VXR!e(@)(=_XNYChRc4%e?=3W$YSYQCGLYgD5R1{M;?4rw-K;&R7i{1p5e8fy6ndIfonZynNpArE6j#mOhH~{>G zUdZxi0Qh`=twr=m^S;Nhq7xm9TWWkLUMQu=L~{D*Cq;N5^4_w8Ob>KFzz#Q7CLoBwH?aS4?97cxZRYcwYt&=s5*es9tjcW+1RxNZ(i~g)=pVeV_>)tku9Z@iG}Foj&jb(fbuY7^}N) zrL+GKiq>tMT#*2PG3Vb#E8O=OiMY>VZGFbpyh0v}RAfQY8>9AOTP?0X!*&!Z_$I9#Rr^Ljq0e1n@<~5Tz4@o7_{{njSI(={(lUH4h`19ASnF0XU(2R`@(kn9)E z7|a*jw|Ie#l|KafCiB5~PKXLxuQ}*mQ~S~EcnJEI^w7@h9Yy;T+-SCK(fPBfx5^yJ41!a@Z5Z$>^C;F|wl zeZdHLYE4ZGLY&^8$4EoV3~nH;BtV3>qkM&3RevnKzQuKj%Dgzidw5XQx}*m!OZE(r zinhO$@`Z<*MtGICm+rJ21%c7{>d2uQPIPJhv7FCUoN_I)tXcFFhL3QCRqXqm=o1kY zb82(Vmxqp?YO^Lt0G43I2F$l@Z^8Z$JS{((NJTIS9LPnlk7NkQE6)$^M2F2hI$MqM) zJ>9g81f4P`SuNh!+LkA@lp?O*K4Ocy(nq0K?!lHR6np1cEbY?Ulc&9d7VAj8A#nm`XeZB(>LF=Lit;@ zLY&7NCxc{&?hLO4 zZUxxp*_OVdPncu{YM2@C5-AX-Re{g=fAQ`Z1k>Q?Y3vSmKd`fhxTo||?mnfa&#-C* zxqj)1KV+D#p9>R?-(BFvIuyUEi2YvyL8?LRfR@e6ID&{NCX5*2NE-nXR@;_Du#xi! zrf4+IxE}BB{qS9U<(T3M&G2g&>%on(F;FD$b8w(>A3E?WPYEWx*C_c#o7|Pdms~!dJm+NpQ zl|~`F2?l=UUARpMWX%2}-~ax1mnCF&cJ>#XS%QEjup$c3N;BZVbd$*is;BPP4gup@ zo=)kZ(@*_f9nOI-8RyTEN8q4^%9Q|F#q=Y`dtV!wYalDjD#nLcqktg2S(EG;3;9AY z5~)K_e*-=X4?w_HK|=SZ4YVi#LiU*AJuaoxZ>c4VovNiAv4&bvBvrEG;-xS*=Gm7Z z13sp{{jFPy)0+rUagw0@XRbyHAUvC!++ATEz9kez)<7x=&lTu@n@vAbtWEL=ON)M= zLMt|bL&}5~_G4O_ytG>N>zw}uj-$pdl7eO;Bw1I~g(R^&e<;vhgTkHF6SW2szQd@_ zeYk^BbFqV3s8-i*Btlaji$FpkTerLgpp$RQx_V{Mk76Gs0P7ZbH$1@p^#*KgG$nFWHR$XK&I}*? z1y=y&cG`*DE0GWwqm7QO`T)xH0cpXFT}+I=a_W^h-s8JIEj1W$uljF+{LiDAu$lS? z24)V0G$kFS_KE`;o9W9IkLYH!2#&yu+-U&--Elk@)J7t{_KIZ<2LSXf@|TT6#r(vE zxao~c-(ku@Y0d*3iQ$~#8m#?fIZjCTB_!^Sqvu_10NlC2%y+YaNvl%7qPJPu_U`dV zlY+|O8pktFaC)u7qxc7q?ae0mPRoE#%bcS>74ikcQ2q?#dM(DJ%SCgG%g`g#WwW*5 zSHUb1NX%f!(hiAu45|(fY$v}Jf}JE!9nY48jYM2-d}0C5WOoul{@v8r8DI`Hzf<1s zYz8PZ<}YPH5Oa`XU*4Fp`Sg;yncf^P=JIpRZMfK|!1DpWHYx^*cj2;dvLMh1-5;?f zB|x|5{I(G>zyb>43pi1No_uklzOvVqwe?P%&i*)iQX{`+r~#d5XLlGG9^3RP^xCLx~6=K&w{-#F7ndZO-STdZfJO{W}gr_qx|I32_ zA-nTKT!)FO!r-MGU30u;c4ZFsoIlPwA&@BqNe_g?Y>;hPgA}AKjmGgkHDCk?Dw2QX znx~X8G?-G2%|B%J9c)IY=r+M(PlkH3^{RwB@P4{H_8q|YJpK?hLIJTlDbP~_2VJPx zeZ*dT6Pr-dQ6%E@4MmxRT)1Y$GA4i~QU*0J-L z6ohi!PeW(lh1Kv1KhF-C)SXVTPLEO={O)2K_VY;}fH%yB3C*(r&>8dlcbk({X(qy9 z?0h1;H_W!1^C%&5a`6lQ_f_GpIQXph;M6k^}@o5R(-`DhjCS`+nTq9*4$G)-l9 z3E{8C&I2{&fWz5eZBr4w{38jrK<&8H-vK+cMXY*>Lm*YjFCLOFpq1T{sP{R%FGtN( z_scT!PerQ=0t@>XGnnZI)JBRLr#-3yz5U+DVwdudrSS!cvE#sEvZRJ|BC#chP&w~o ztu^pj^zQt8`~Pm?qzW0j;);CA**5RrmDQ=4@+aJN{8cCQ0I_*QA!3;f>>a~m_}sO> z!*gV5ts#Uz+G@j-rL$Pci!8xW?^ooTg6}TnWFOPik4Pj~!ddSLF!3+GROS=nNJ(s- zg3wwx5}^GVT}}5&DCR-U{L!lYpFK0DwRR~X^zmeRj)t+D`{>FnZOKZ~6P@XYdz<5mL5 zEI)-K^!tI#(*0lZjux|hnbh&oa=J;;!9Ab4v8ZmSuY7gw(rli6EC$OM&)xYm-rm5i z#Ev}e;M9Isz2|vF4QA_nqOCbrddqj1rKXko!dZBxG%>Xktlp$ge-;qaR?o} zO#KwN*cS%xHfgBI?Yj&BRf4I0%N(HwX()vII70Z*)%lTb`Ptlq?mk|844qVH=K-kVRr%!a3AP%(WFYOQV+)bj$SkyQE4twaeG_^!!s zjwIGhg~-xo6>d{4neg_~%JOvMysZ5CBVEoHuXQc{lZI01PO0p%xWJ_idKtR|z1@iq zKeC!6U3S~IbrAm(GBq0`4i-zTAEYTu!s5uH-?9yNx`ej6&^^qN(t9^<%^M;c?!^Ub zRm3c7HKsEC*>FSz4~eRlJt3ejX8Y+^UF?r+PgKN??_FAgGxJL`qk3RVy@%@yM%MM1 zuhma)gZMoInkhp2w~E$3V>7@dojfl#bV%+!dskHFa7ZVcEgcyPx~*02KVPFSZ4fv_ zjlHgD5&vbI@YKU1#^MbP(4XdCeB5bd& za{_GMq!V(*z2f18@;a20hgL;y7D&e=y>4v(_u-UI_I#(@va4~bhfjy%y z2?rjH{Qo@~p(aAkjXyMgdG_-c!PGvy>;DRLf$&Qgc+g*b44VVtsOhP9Fvz$eNCu$( z^;9ms3Ff39 zLyDipjQ{G6>5!IRWauf{`|H5<2W+79Lk(JLcY}W)1o*SR5CTs%A&9fMkFRfyyXwGk zshI(!T8RfFWC%h0zhf98HawGs?-Mj%5rMmBf7UD%fDLo3@(KX+Z~k2triSx+Q2bJW zUUC}DnB0St)c;By(ZqgodF=nof=h1JpP!D4Q4wJ+ZMaH^AUTIAf}Vd}w@hTSbr6#oZo%t*ND_Hd&Rb$>?=Z_RVA2dk=I_ zru0v7Hs%=!n!RUh{7O4U>`3BNO71d|<^yw@Y z2JwN1mHx3kuGh_)UmRkF`x*x>o&+u?#O(LqmrF3R3B{EZy}k&?5c17ishF%@Z%oDz zI@Ga^K;;@kb^lqGM12P@i{Ro%g9AWFNdlj`6ovr@Ra9U(z4yn3(UBTY_H0+nJCBwu zd+p$7?##z@E#z8;hlXg+DW63Mot?xj?Gwp-XLau5_MEHmc(+XxF%Vra35d+GBOv-WZ&0*>`!2Hsl>1sgQQP-I2Sn zXX_AendY0naGb(jFxaLK5W##UH5^F5+$@TQ^p zio0bcA@{GQ=4O8YVaP%s^?o0IvV#+Zfw(8HMvCyg9@wq|@Hvrx{Q7w{-{)q+R6A-S zOre}n3+0r9xQpj;o4s{oI?v7TUA7<$nRK=;#`QP8x&tH-b#Kvb-=SCW-h2xJk9ilq zn%`m?$`$Lf;s0pwI>VYwwlFrZpr9@&Qdf#DB`7GYw19#U5tId`g`!dy=|~Al2#c#g zfFNvufDl2kECN!OA|j&n7>bIN1i?r^=>bCL&PM>t?!SHRkNZ3~zw%>dzB%)qnRCv2 z-ZP(f#>`;l&NiWo_H|Qu5*2(Bjr?T1L%1*BgaAjXSXSWYyZPYtN}};cDy$rdlN57R zYwHKLKC`#+jQY=8+cmsyevGW#(;(1BH@(#fis58Z%#g3hi6+;B!wBI&e1^qyi}Tb9-}ZDj@o3o}k<50DNeDD%dv7 z5HN6iEMGH6(q@@iPz{a1+9w@%0yy5xXoDQV9uCn z9>3dmzNVAT!y8kB(7cQlhhH*%$lXX|!}s41InRGByLeQ--Huj>&%x*Un&O%Tw;X`# z@BEfN1ehZ22k1UIy<^fCt$N>P^7+TcJ&rxU3&t4pb^S`ek03;Ae!K#a*BK>CiwMWm zz)xOj;=#A1tW{{0n+@lN3h^S?b2<-(4>Pbuiz2w7Z;pa3| zUdjRj6M!W9pp+8K^fOBVstFhCgs2%PY^2TE2a276w$U)1}Q#?VET>r`?7s z9?4e0;8gS@YBVqzb+4>kqt2g>R(j|>My-lgZbQ2Eg-1vlXG#J3;GG-d!bhX*?koTx zxQcI3a&D+RbAEzF&1>mMCYg~v8I|J%x_V;Aq2P8qVOE(~aA%8%T!i?Bh-+z@{_XnF zn(3aA{c&gE3G4%Cso*4^=u4EOS~?$mRu?t+mijs?9Df0I=2yI^pDG~*-I$hVKpkqN zqCjDSGENgg5hC;pU&&_RuSMtJ{h!B&eO&CKpQK|buxc4 z(+gcnJ#vl1x8D#quT=|IvO`V2s}?bC5!|Ah>{gJ9)R;DHPJf2kp-~^%xrEcoYg3l;kJRz?Rkr8uEfYYLfV8Vlx6jkse2ChmM+~mXH4TVPMxwj`F%f{vQ8#{$7Z- z=?0ly@-3d>(G!1cJ5=Q^_M=mZ>fM7yQsr_{pz=bpA;(y@^hLLTKu^@h#0s~Pa9*ts z0jyK=(@l8Ek()YukTNH-_rd0dOY-M^$g~I{P08zgL^5_U!(2lZd*syTc4XiJrSIK2 z-xDS+Nbu$}Z_s4#r&{ydq@w#(EIdPIJ{IIF{*if|wjUJ~y9kqAOunv6h3qj-`!eLH z#vky=B!Hw4=1D+lCFGvt_OC&7{4|gmFiOQv?*Ly^^33wd5Zr_4UEe6`uPK2L2`(MD zcPZ4ysl576IZ`K44c1y2CXry{h53_rZ`QF^ufpSLmgPw(a`1%gVW&Aa71iLkhYJ;& zvBnk{A`vK#u5(q^Hfpy|!+E9m*Obp(IBkkJnQweVPLCk$a^Y3U9@}FSif+w$Mde)H z;4__0_+!z%~;swy46%;MZuSN?8`NO*Tea8>qsDo*4(+iX<3=#_{2$25?Xy5be zg8AiheR7m6ow0kHt`G+akoD`zx9ES)a#jg*%trbQNW@)@eXX@L zE@$i|`6qMN9=n40NJo^Es6&LUF;pWo%gATMs}CP`be3rt7fpaAnc7@qKhHlKuW-ps zos6OL$9e58JipYX?_NH&i-izC9{GHLE>^}oX@SnwYs}F~9L>E_V3@XdEF2*!UpCp1 z#%NEl#aN>TEsGUo^>HPvRGy5b-1{WzWa+@17^=~p(iI%kb6slRvSBC&cw$eqrliRR z;Mqg@&Xf(SSYYC5?ca9@Xrxb##1Ue%U2|Y~`GVVZ8l-6&`{b#nE2LBCW~VqMy9qX- z+dp5vsP=f@Ras{d@7HyGwb4c1hkLW<#BQD-z>un#Hi}toM1z7W7VAIHlh^K7Mk1GG zwY_{D(9A37=C!U`Bn8EYj?GLV2QEstJCH;1tYf!FhP`XyY^C66r{aF{WLWbFe;Zr0 z3N|h_LQmBilh&x#AfHZBq();crZgFe`$MNG`pw%GM{bDQzqwi@Yhh#AWsVnV<>;dV z(8s^#Sz2mBP~st)2_@3GR(;ibyUuy_JlIYBqjRLRVk166xT80{VP9spyw#P`ke^_} zd+a7qOv$s;{<#(OjS~Y*+oaCW0+$OEVUP05*tgVI8Z*u&WzshJdhk~HTTWu47gNjZ zYL9x;rOlGaZ{p$pHabu}c$Xh7qtD;+8vBz0cYUe#Tlw6%1Y4{E-TkgOQrZ6Tquphg zQyzLPoi_`l-#7|+&I?J)PyBpy>#3bQ0&WvwaYcqINHb7M9y7Mvh%;-?w z`*~I_gCpZ%AY;vr+L=+n;I-w-z7NR=B2!L~c2D|t8-g4#drZ$OZGH=-w?Fv3);L9V zw?nytpVC#MY++P%;F)dARR6m3-aSn%cT{8_h``@#OU6#9PnerBw{8KAp6Wi)%}XzOIhxOaN3F{I z@<8EY{11X}dnn_%(-FFby30=j@BM z%G$Us?Lk71Qviw={**_;FCX&epj<4vYw2mqbV^-+AiJCmZVFk596KP22^*Yc4|#E} z0SGt_+=bl;#%tbxKJCD6W@?iN+D;x--mn#Dy^V6pXY9zYI*i z9qOPYx&NZE2}BoM>)nh%GJ&#FSz7?$O!9mjY-4UO?j0ozWCH--Y3Hcd5`NnultD|N zQ|iH#3;l`i$5;9qLgc_78hL*S0a%&A3WrRKTf$En%Dr-h_(BpuPCq$#j0h@D29=m1 z`S+7IpXG$nCXf{sPz@yls>Vfq&H>#0_1ppe0v4Dv&u`PT%bDrT{~f&H|3JQaL1(1VnDWod=6=}+<=W^CQBuu@r`+>4AEK8?*>dNu>ucz48 z$hWX%O0SdWa-0EnHq?Xx5L85V*AUHqr`;1D{inQ_HZ&$wkN{g2!X6-B_wSgd+6ut7 z+N2gxI0(p+&a%4w&jOgSXrUL}iHgC>R;&G?cHaY@z7gcgWq5=02#BZgLcGNLFaJ0_ z+}JDW8Kto8hin%eihW7se4_(eLa759TFarmw_eb{;89djA6oYXGeqp<( z^OP%JKj&{y=}%a02tr+zRvSuqG3se_L&0^`>IsYn36*E)nPiBByf&4;;ix9_yb!*+ z+9U)CDmH3~W#!58>m&VPbqP9Ga5Lko`4D2g`W)Q%AnW~UAqae3Yf=J{2ITyMR4q2{ z9YMw_hQ8xsee`gI*g>n$`5OZJ?-e9{d(*?6-v|S#$g`g|Oi|vTNsq*VrCVmpf^2@) zXVN#?cncijUe~qSHUOSu$HE!0uZ7{r72*hxOc!p4>Mv5R2`teDhV~x9%6zHVTw5z` zWe^@7301oMMe?;ph;aoQsl*Q+_w`F$S;X5yV9Zsf@^^h}kAl61EF;%_tw1Xa+r$gT zq}*=gz>}+Qj58=B2?TuEG%Dk3rCMp?%ninLJm<)}HoGrT@upfdLt_4uL&G63{*Wh)2%!H2z^s3Up}z tZ+#?0y8SYX<-gk5AQAdM@%loRcqE6bw*I;hqQwP%`g%sX*~jgE`wvLU)#(5L literal 0 HcmV?d00001 diff --git a/latest/ug/images/hybrid-nodes-bgp.png b/latest/ug/images/hybrid-nodes-bgp.png new file mode 100644 index 0000000000000000000000000000000000000000..3b86e611aef4b696a697438af0c30cfa620f6f14 GIT binary patch literal 171350 zcmeEP2OyQ*|8FQHSrr;YR%PC6Q@B<#Q$*&)H8QTuE73wEBPyFTl#Gb%QOG8xC?iQx z_MYK?9`4n>QoX&ucm00<_sz?F&U2n~&U4Ope!kyxu8*3EJo$!g8&<7aMXqpAMt#+) zwc)E)5t)#z2PHI>mR8`;YI}8g#H!@l9iLaN^4aSktL0#gF}1Kltzv~sFMeW$@tULU z9a!NqtT33Y70TGb4s8QIf^wu8$_9Hw8GXva$_mK}lM~?P1-Ceqk;WD_4rqIGRyYD& zE7&-otiWGT41TK~0l&1s|9rd#d;$hSd%#C2TU#sCF_e*_g#*+IT!(J#u8Jrsq%8npSk#-h%-9c~VgtD`@0I#_4!nlT^8}`OXD-^bPaRQ9cb|xsh z#UiK^7%N8DKWU-8w&(Tg=PFV}3 zq9w)ijJzGv)?68FvM`}07+m+l3j+YN;<8vG2m`MO^j&E{ zRB*)N6m~$10|(U{Elg1M*wz-GbU>r694u@J3ysk>Hh>BUDkAOd(9VR_Owm@@x5M^o z3tpVyA*kTU*Ez+jcFe-W0T2#Eal!)F*Me#vL|K@b<9g=f#on<-;wobc?9GuTXy?V} z7mDy#WpN&HvuTG$gZA(i4gWT-k~KyeWd%_$ZXU7y0K)n8XO~{nZi#vRlje+#)i8?Y zCRV4cZ53^7_>TdK2IR%RxPDGZD@W{{v%&#Y6(Djx@X^`a!U1)}7HJHvwlk0qpbVOJESK{E z!L)ddU3REdz{d_q&=(}Xpf(m(0%a%b1bTuNWU&qq>bCY4MhnCOmDr(-9f5pwLaC$d z7exqE3OLRd>e?Cu#%gQMjdZr>=QguLJKBPqW_AjouNCha7^CfM(RN4&lz|D-0cl_i z`i2ICum@Vk5=_GaO#*6w3&{wJhzNr_Ks#CC%CQpxB({SE5F}Do7G_XC4rr)bB=*V* zWeQQLJ(wK}8#ASaD;YR6YG{UVO@S_?q!2;~s0$OMy*UaJUQi_~q!G#ru^{Mib+O$p z(y}e`Do>G5ASEa*EC^_AWkOzHWIV?G9@(xW1n^|U5>-RY{w?jUxMWL;41u93wta!*G=Tw-B|1IiKc9kt0%;hhz^~I3H8T9D`eNt)yuo2E$WvC=+1k zVAl_A=U|RDL)##&WWSaofS|N7S&}$k>nNciNwy%JPoNweT(IIC>F9t4YlyeDD2#=J z79_BMZh<49D{bs^&}SJ)m_V{@;R2fW?+7*^1cjyf<>Y`_gOit_vdGsftn`E)|3wOd zCIPeso?2M_A4`-UNklF{8iJ4rgk~8_LQ4jZ9m)#n0F)D6PryxCK?44k{&Ay_va>@% zA{o~X)@1pOa(%HCTwB%{HOSxrtziYc2$q1bZvq2yVByVvE}#h;2K5)m`73Ys?P%cK zB6$A^V|fraxW%>mIurJ2M>}H__Kl$R_|;K=GXOrJ@5~2o@*R+NW+;b0q)S|rXj4;r z6j+j9c>y@^M}c-+QrJJ9b!_bgCHb?OzfG3{Q)pql|A8)r3A8lmiL zP!1@2ZVSL^&zK|4uu&nxSi#;k zv2Y?_7MyhnAUFpuEC>jhpI995Tk{iVV;X(6E*FhXpa4Lm3y%+RO)oQSg|K!l??SmL z(%Qlbtj%H=NDygl3q&LqWS0gGlLY`cfhmo02Hg?d1l7O|Bc!nuki&i}dpV^?eaFP!i9d6vX z*INGm(Ce)D{wog*3LD^j3IRyNfoFL^oDTX6-Gd20S_fRubpd{fItZ4=6hvH?NEy3axFz~7 z2jLBWfi!r5r?)^ai+}idVJo|$IM)-9*Y{SNU~m8^!*SW4Jv4RTbV01W^0**zfMxe( z0|8{b61{@rZv+x3Tab2yl#OLm(?x3)bn_iygDnOX7Q%M8k$!iLz9;2=S&sZ+68gJC z{quw-9--pNU_4Rxi+qM#oaL*4zt#j448$I&OHd@GqN1vyA}zb1W0uGbzlDWR@AnC7 z1tR)>bHC~0AZ5II;{1fP)10uJ`Am$;%!hxKB<37*4v0n7kp9AU=*ngc`! zaEBje?Lc(^!UICnOBnr9%moS|3F87SST72flJ%$fgWrZZ7Uu-lH&`-g)o=*Je`7#` z58_zpC06jzuma#KQR29Lx$s%hK>!4XFCTcnv2%_h&C%A76j)~9NUJD-LYyijWT<6K z@-IqAi2MOt9Lm0e{IvyW@@oPU_wPmtzXFF?akQ9qgu@QO0z!-Oo57@SIh< zYG`{4hsFHqZ)}SN#>cBbn5ef@9ileruc?1ad3k@IgaGM+3(^TEAwWXq!ZluW;lD*f z;LI%im>Ge+{Ew3mKm+}&#g{UOL3|EU%V2K<1hM`rA%G_Snz{S;Nr$~j0vl`j zYOgOikw^aI6h<46_`I0I2vImlR)h+)p+G%E>e%bAsf^HF8ECShIQ~LiHI$tNNS}uC z#}^8Jkr;j+orH4zA)^F8I=ONj6Xy*5e~eG^;id`43Ahw?095=Yryb|IgZlr-_~dt% z9Gj8%w{Z=WT=EBS&F@JihMxKJxo?HsfbT2?7K-@)$bArm0?DYql=*NR`wh;;zic!( z&l=}4|M3aLf{S~`2&aG>Cy#Oc{_ZT|zdH>A%L9L{kO4csoECN`K-rGCd@v9Nv;>#` zfs$Pj1qMd#auvH`J_t7T@Bbrkb)$J&M>(fdpx!xR}av++ztb!Btp!=i(9|f)}@e z#*W`Pzw%z z!AbbP6pUSwVE-0Tjj}NTHuJ*fcPv4IqjCwWEuE0|>~&IeX#{eP6$%fSJD zXj?f%TAc{RQLczsIG+Q8u2+!6A{56b7Fc@~Gs& z?saEqgWz{S%EjUp0{8fh;GX`v2^m)cmT;wtpqQY^f0ZEK4(Z>o1dSc-K`aAhXJCe1 z)nB%7|4?;E=sxk|l-xgA7yigv$Kxc(cmu~VETCynZpnf;#Ixd7G~E6t55icmy9}_| zE#K}YS~55B&Coyg;0s}6evnZP4B#c>_3u3*fRB%m?%^xYJq)*T4L>4}LmK}UBXC8+ z#~M9&gpZT!c+wl3N%0qFuzf%1{vT!SeLYO$TdhTyq6c>AV)f;sa>H}ra5)FdatoF= z4e%{wpa8)EQrihrgBJC%6&f4`gKK^HIG`{Z??TQXFUr9jng)V#fz1^JvCyvq={utW zEkJ1we0cjERvMGEs)~xN^if$T`EjL$B(O_jvHYw4|4WGidm74$V*^u&8y$A7uqy+- z%u>qLcQZNvOq#&WJ`6;xewb|noFH&Q5bia8KoqztznLn3>&AtjT8V!Q9sYDCjvSRb zssQF{#ijnc$q<~cv#{}h#liiDboiSyilGw(eo+eiX4z!o0uBQFdkGP@g9bPZ-jVYvWW=}x`X{z4qiO}=|>swi?8;Jn^b-@ zzGXX3;J_?`#2i0X+zEnBQVRtuZAV#IIpQ%9__#P!!mS6;?9Th;!LDD}VFaCcw|J1$!lnVjBUi9s$O`xf zL=jSRktX_n0|oV=4IgnpTKQ zN&31I?LRtZj&Dgt{Q<;_J+c=pJ+%5*{f)iCBkX_TIddypJ-BZOA)xGE)89+bC;o@! z*wepzwt#axkwa9G~ACmbxm*LbXi3)=j9RP4V; z#R4Dnr%{?^P$KU9+<*AFzj%l%UJzuZoPn>|1o+Auj_%9Dmtj)enS~S&@BEfnGq|_4L^2nmaXfNKlk*egONc)=T@k14>g3N({n&Z!<_}#cons z_{!$LUUMx{#ZNQIaN_ryq`g00HG%mM5y9#ota`%b#r-v>m~-(h?;ZDzd^pPeho5A= z;yD$#&>|kuF0MVEMg@Cz@xHM6Ctth`C8nxE-#+gEtrC>?v6#O~SoSS_{qgCaLXhZy zSO-fkf;eG^7dORK!H=8bVkNj`{Ywv5Sur&hyaeGg~^%I)HnJs@NO)cm@J2V>PrGN8f5jfpwhqN_U2H#r= zELOZa3wKQ{kl@4taI*En4eSGeo58nYKqaAes9#e(3Xq_uPvsg zCyo@LOiinm!@|P$D2J(=#-(S5!rrP^RtFAqT?`AGn}4NAlhnxIYAT+aCf4Q>eW0fH z^~2Fa3{xW_qW3dx+lxHq*w!%bTK=<#>K=P+7`4Kd-OKMV8-l@a4t^Kw%o;t8jY0KRWG^?p734a3X zUeYZq0+$D`o%JxiFRT%|e5BrIJ>p8g8NavWeIgeABTwUtz8OC#7g+yosXFVf*s#4S zTUMCB*m%Bg=9D>b?`qPTqbKk4E+0STYEorC!dHS`=iE^+)p3`Oc=~)ZSg-^em(4%8 z{QeT$==JEFI@TJmPrIy}b0=7Bhr;AFdd5yn8&QV~w64u5Ae=ABDE3{k+GV*}+%Ei8 z)+r4`vGJYw19~a7M&-=a=CoY#@JATlkY>ZAr+Rnp`{E7x>K^dku+JFq{Owz>lnCCQ zV>O@x);iKxhu4wTbl*s{T=rIyl87{=(sLfBVGilxdkBb;6}m?x8Y_AqjBn>vM{%V0lePjR$g>^MydT_bbb8WxMIWB%U)w57{}AypnvfURt-Bok4_!N(+oZF zB_r8WUX}{x*I$~ep$NOk0>tE7m1%M)q>eKzSxuJkZY@n@qd5OC6= zvw)&W9T1L3V?{mU6e;-!Q)yw!>YuC}N0XBY2X#jlOiudrE%QfL>NvL@-@-{SWM;}; zV9adN2r#*#$7?p@6U8}d=-!$rwVfLGHpNy5ve7k13m^G$AMu-F=`~$QYi>HmZ`exE zSPPpsbfzGSt9c5)7`e~%35|5coC&9gn}(`HiH1F;HE0>_epQv2 zQnVq?xXk~vlgFV10iuGLelan@rVMLK!B&U*<44dMN59U=p>tqD_KYF~UV;fRwXPJM zdGE^;eoWtmb>GzVSWm=S3h}zcM-9hc)k){b#8YA3og=O`i*Yk;O1CiP&h34uo}izU z{4DEaM{m{6{#1bmty`Lzve%Y)gao2|w%xl8Vm~7cih1+Lo^*94Q52M)-onN|WXJH( zIYzDW$w;u%)2C((*GB91mT_sNJZ?ENKigTwQ&@evG27m(KGzvtA1h4^xBGB#q>S-Q zXhkr)SwWjguyS>O?tl&BCDcc0uu>Se+0F=b_}v)yCjEEUb!_&$^*s6z$A^-BRDde@ zMqjzMpY~+Cxk+lWtL}=%-d^_E_A1`kiZ1Tk4LpWv956pH^?^p` znw;OZFlmbYFB9{ID>a(NOShv#&7xh{Mnn+yX*GfgZ&m7Fow&M+XM3D-glRax#ZAiY ztF8zH9Cc%_3U-nY1wtg}bcpZ%)qoqf7*x!sqpR*sdnP@A~m(4Mj@Cj%>LQ_ zMorRz4`2GGw>ldNX+bG>rab*>{l2=SC7 zcU2y>M<~=p)#o@`9(kajzxQrU7`)8gzpnOa=d&1eXHA5e=drr1&P44rrIF4W`#rGH z*Qa}qZJbls4o6jPuD>bkTQ_vh&{Jn-yia;&clWlbjEj#-56_;ptwo)Fao2CVQ0<$D zXIin0+2|rA1pIUPi<4NjqUH)jYs1@us`$=VO#JroYRV)vWel#>dGm8K8R25RDHmpW zYLg4+PDN0zZ$=l+R!{dlK+n5%_z8vc8JC70aGMV0*2@WHk2(Ef<4)0+yRs;46}hu- zi%h<|pq!wY^q%|5)Li>TM!~}Qx!nBq72bpQ=SJ&Q!(a+3GCNOGNwtEtKd{e`JL}yV z>FrTv*Bw1oZq!EaZx$aaq3HxvQth!Wc+&jomSgGGB$wnH3%D{~7dZ^PZQZreeQwH3 zhc<}SI{mp^Ms(rabb_^*&oy3;b(a0(Z(Ro>Wi$%L6f5V4t9UYbR#Up(jdD6}9;55r z>S+39awtwdfT8oXae%;sg6aEHU_i=^$$B+Z@;i{vq$HovQ(;~nmVd+Bb2s`_rJcyT zvumq!dXg;zqKIX~kFGFR5y}9VNg3ga227+zw zGfC%Ik?%%}RmA#C@*lqREV#*?XQF-T^PMCi2_*+uGBNo!lSVc5tz~eAMt#@5z4~rV zq&k>L%zK}4eR^?BO1=EsbXP(dOY$tg607$^1)h0*Vse(lmS|y6Tyz*=rfbDrU5nKl;N|}V`*=t7*0IM zA8(Rj*v}A26+!oY!)nj$hm>KrP9s695wbeuq%ZcKA<-}o)GrQ>A4h+;w?!4#fK;F zO}uHbL0QIF%jK{of4mDXQD%-O8$$?~jPzx;)w1v&x43hy`nf!#HN}W0+nL>> z4ccZqo8^M&1gu`yWjMYs@fpX68(1c1$C2C5g14!$e2{M{QI_j-w>FF>Jh{5nskw$T zts2%~JXXFt;OL23AOkJnBmUb2Do+W;^ElNj3qAGHeZk||5McRqsBF9M>(a=;(d|!8 z>57-rMGMGiMbmn*5Q4#kKc!>Uhuo@z=$}awPAgoS6L!dGbfqr7`ve z9Tl&hy;?f}e;-4;fyB~4_dR)=O>SQzo!jR-A&HYElr@T6kFL&UG9Irb^K+YMZ9LUk zLFwx}agotIrHn6myv1I125n%TlUn3_c}r>W<8y1_YbJ}xc&b@irr%wls1_T@Gp>@n z_x{R2Lz2#&lXoPRH2eu6UQ?s9%J~a6neh}vLsr&GBEzhn?AeJ{=Qittsm|^DF7f1ix_P-Va^RhO;gK`?rj%6g5XdO` zde6e?9-pB=>L$OPcI8Z(4#vlCX@FT| z)4HAFT_~fd>syyDjXmpQecp}AT5Fl_X3rVBqGCS$SmhIn_eua`siM~2_V|Lj7NF9r zy|&wE#dA06+WU>^d;09#G`e3M!{+=36>_MLY-H|XL%qwbFOD}NKV7^*ZR8We6S3vE z1i~zM*i4L^Xp`5(RvzxsrsECdM(zhK0V%cLaG&YV>EX^*q2`loE((&*PHk`8A2aj; zScUr(TqDWpVI?gtT~QiM9}1j#ROxswZ*S`uI6yYO-Sv{4a&K0LKiuQvbO-U1OSWU= zsyRK3dASibIq|c{5%3D00Dr1Q6X{%&GEn_a69(^_?y~aJ81QyJ?%ou|dUO;>=FCTx zPj4w?)CH>^coQu@$)sS!%f68$Lj22MaYA~7j~qj(3kUnv7d|iFJ>f2S8AY?v*s*NJ zde_Dv8J>c=jXJKFQhGBjo@m7vG!0xHd`5|dV#DRT_dVjdyd@eYZmMOgx3fnhs!^!= z!nQp3SfDXtdZrym_Lr&%?;fPOsFL!ORM|i{+v&Mea>w-k%M;d_t)|6l*$i$m&oJ+I z010*U9dgvKL_(;=_QGsAMSx>jRtUR?Yp`LZftbSZUDoSbHxIp1*y~Y7W6#tM#^d_D zo$R%qbL%V0x4sJIUVaplI=UEJvEniz&WHA+&b=#uS6p z0Ja&6>7vJ~lpkUkH;0?FoAl|2uJbe%WayM?EFhN4`cy?Fl;{^^~;65W#rnvaHKG5ifzf zfr6Rj{L4KvR(ZFYI=bayci$;)G%$ZJ#cG*|mWowyYSBUG3w%~fjYf;VE2#V6NmkS* zL|RjF(D4S=NP8&){20e%#p3N(uh%8kXq%Cau%y#;Jc%S86*jKA5^!L;oS_qqe(xc5 zl+H%&6Q$tx>#^4cU;7EYeeG3|V}JUY#Y^d29i0$m^J$8y#E53o28;dn5yw@}gU3n^?;*FvaeUl8d;LSSgN9~LQu4Jv- zvaJxo_M~@Nsi?=;Ir+2tgN-TodyoY4352c_P&x>x+gGE|>dTwL=d3eK2|P@tLYHnA(Qpc~UG$c8Y;YL!mp?iAk6@}}{2s1tjF|$<9I2ywz`3!CY_sN3& zXu_RaPF~b2^I=LUm+X#+G31CZ69jL2dHN}-TZRZSmqz>?32R=>6VAe`R|4eg2X3VZ zq>%`eaFm{sZQ$w@i+(X`u1-v=qIi(MM{KGPZNko`$R|f)2h2`Ze#;J%8=_cuS5g47 z)Y<9;+~`SbE-_3F7E|o&TdSaXG|vfRelS#;gH^{{eC*|suzYqZ7Vq^E7t9YZ+{@y7 zhen@27R;-Z+4-VveTgbR4Lkp=K%94VM}Wjze)QWGP0ysGlzP3n-uJSmyA$B_wh6l( zu8VHI<$e+|0!)&O8Kvp1x^3YP>UK!DpEi|Hhs`p-)nyD)B7U&Pc%!lJmFrwO*Du$N z7GKI{Kj`#9{GEZ@*tJ#~8r5FlE!mW@U4I~7&-jdYgW`eB&V`>`ac=av7i_@&X_^f_ z-UkTKLgQXeTJ7{0+flo^8&c!3BDGrfa^76c8k3qqF^%=th0vnKLu1Y75R{+|PS; zZ9wZCHHt~89S&X%Xb7R-nu;lX4J%RA8kwDFivU)CD+6^){fol&+A0d?X*M?|Dzk8g zUQQ@LS;mmXZmbgRL3ae1Fe*FO@b}1vo%}LOc??#wzFC!?;=tsMsSm-biSpE|y{4L5 zJy21OeM9@54jc;|de59yXnp`#AUvG(fsE8{<8RD#0`k#M64Uy{N`$me>aF3N-vO(n z?p7>MgcIG<@jV4h@~~^i^s`?$eld|Wv0}4NgJ+m9oqDWon-B?`ve1OfE<$TJY5_c! zn5L(bjkEw(Mx>))V!}`_6N$E%JYsW^A}P58Lvi;G;J_v4bl>mv-tEtuNHYtp_C%q0 zolKiJ=Yh8x4K*LtB^sDt)FO+$-pFuc60RRV5no3nm3=j$A@z=ap>DH+tJkKTC+01i z(&KmPB<7Aur`U6)<@lRb&rWs4IPIhBUsuY|!D_wx@Rmkq(k<=pVN0}>19`dqqo{`K zxA*W{S~k2%1!m;u-`v}0pb4>uV zOv@P8^&h)lS4|bVY02|nL=(#+KyPn9ooMv&B&m^@V?fUB5M_R~exmXm{WSE zI}gV<$S%j{ZYu&LR4TUlV9ACEx+lqg zRDKH!f5L@_%U~qtT>+-_eh_@uZ6%dwB=+v;(#&;;2mclVB+2Imw{?-e!|Hy59j*tLxU`loUCXbo*R z&zHloLpO%hqB@w4tqYEuD<5kTaLE%7Uso4Wr%R+tQFMy3;X(?7$JmX##QEK)>*_Jk zzXZ{NPcDh4qRZ^AQBa3xQzzUhyZh$3O^|O+yyYHd4IRSC*u}cWqC4Q~{i9q@0q(iV zl(c5eyU#}nM$fSpmT#K_ee&k3hw*BaJ?fSZZL z?$Bu*O1lNjqvz6l39;VpP3QQ>#9`1I~)dta7Y44ZE~tA|Kig%N#JORbe<8|yOkl(y#lIx^%F80Ff!+TlO|K+vFx$0POVneIeu0jU&L1 zZypAgm3;kujf9(eRa?X@8#qTk-;D{EnEz5gM@-xF8X%x)lka^atTWz}rdz#%r86*| z9y~`cWD{voALsYRDy;@q_L$5D*^q*iuD>Nuu>hB5ST~oCUn`#FJu`Q@{)W_rqtkTy z^>NB@uH)&vV?B+kx~Acd?`{g{F%-rCpFU`IXDa}cl{-rPXwtkzDKqNtstWmS6M!j) z^Y6(L-vVikNFc}UG#^cu+x2}q-fD6GbP_W!`mMPAa0NSivVE>oU-h25kw#6K=$Oe! z^#iu!y>Cp*1DP@|0T?&W&5-+gl=E8``dFXW+2CDvGuBE>f7(3)Y`fix+6zBk*Ev4K$R^6J z9BvZr+AlH!s%`J~KYJX2X*Kr~l1~V}F$va9Fgz5WXW%~dv;_=IlTsfndz^m$scTIm zzz7Nh2IgD4!r{t&X&KjMIx5&>_~&QZ=3!-r`}Za!8UfG|?Nb{me@TV%Tni}>>w)s{ ziPW2L0D3&69Ar#%86+DSf0r66Vs9F^*nF#|4o3hFo8>YZomUDx(12bi`% zQ}@gG7b4!&C4T7K{+xt200-OarWw&sES?Met$RslGD4^zOftJCIhXk&-_7k*!7nkZ zizY9_#9siU{S<4e=dOiI%M8(UPblRB_PKvQjX9w z2YQ^HH_QhpLipNE!n;QK5n27&UD4G#PKfREvjbtr>pvluZ$7YxgK zK5`y1x8u}5LAy;=i#=MYbboC0D5+C-{N3XNMv=3CPCGN2ZPG4MwVoB0`Eq*f)iKS} zIkf6u1nUZGxwAh|!%vNx&vYHPOhT=rF9UE+L_^i3zPyoI(}bjqO9|&^3tm==bzFv9 zx%%%P*Geneu+OCFY*&NP5(ORm%t!8L5Wv78$mcnWUqb&8D-Q5N5X` zr$;@s+4K3-9S}0v-XtH2=Dk|;Y7cE}MX~6{Abp9~{Ws);2ST)rNVm_?rQb#bKe9+X zX41#W6szEuku_L)J2uTTqs_(b-tINQkM158w0$QjjbSUzIZPCk23!ZR7`4v;s;i&# z=^8mt#$A3@FL8#+qR>RFe`cUClgIUZw05lzb+|_rvjeX_^AN0po++Gr6m#dACQP2u z&B0255k!-!o7xRSA4&LsX(OJ0y4o_BLgYhWwIk)Rmr=ak_fqN&?;J|X12|r@uH!3> zarc~dukF3_r281eF}Bwp4ZH!1DoHv28pH`~Gy%q{R6o@!?J;b0*0CDI#oVn7KChzU zV23o(Xa-Ibfr+y_+eAX5OJF}fg*Vb)E+fdzP35_Zp1CdDS{_+P|?=NX; zO|J3dRY0_1&WiS?6j#^9N+-#iyiP%mOOZcV_15oBh<+1TX|ZwSn99a)ZU?>HN9ro(voD zgU0DmV{Ykt=x&Bt8;ZnMWTy{-SID>sg#D9-st%pVx-TFikrYzQO8Z{7``I=TaRsF1 z2QB$=fbY{a^gQv(DR#*pYp6=xPIl>HdXs8l7A?)?3;U9@n0pjSJcudkU(!&tkg`Vx zJ~?u)?)I)}hE1>e%61sj-O>u5kZzKIv4|l)d1_y+t9B|>-}F{N9CewtVQZ-PM$0*nSY^Oe!w<>x5uW`|_nE^$f{PaVZ0~11p+qHrQ$JF;d^KmH(7z#8l*flY; zFQU%DZ3`>QkP*##<)Fm<6D{z*_B+EeH#9+rR_X2x3x9q4J#`@F=9mJjE(kDiQ4fJ@pzzo-Qr6sKZR^8T$!Xg&Kyg+t2U)ayvRN z^~I?d?_B0YxLdd|)jsUe=8fd<^;kXXNrO_Rna&mkReHQ?qzxzD=@7U@J*DJA)!Mum zZNZ4T(ft>YjqOrf1}^e!d+4({c|azchrixx{z2i~iTwR^(MmF>3a)$Am55-EXp>gw6n4HK<#1oC`(jTa!<-8ydC1T#4NTRmt~zOoM}^1ekm++dP9=Oj0k=HZm}*i<9Q11x7!yg~oB|FoTtV^+ z3zzstrtnDTB;fix&1~}6z&!M*Q9rG3ta!6qY=yJ8GJ{7&@-zr=Y4gOvJt*l9z6n2n z@evfLa`z0OPW3)aOyoTx`q1gJ=%D16dR2)xMEu;kn;&e5joabNJ_cgQX((H_hWNv( z$)DNxYrFP6O1euq`lO_lFQHQ%5(LO9@j+~k= zzp^{&)2?d8^&nO5-=d#q2qaA5m@aY6nbnVdckAy$!OwhYf8=nO zxW)Lg*+fyfk7mDOm*2Pu@q?2f;?f)-*kUW4_UyonjArc1$`M(ZcEBz1B9$BRq{<~? zWriLvih~^={~~1o{pkL9AgZkNwdTUA4W4Lx{XvRhL^B#@FRUc zIVz}Q9-Gv#ZDr#ZiH2c9DXI=sOkl|M8XBs&bF2FWK9k869n;g|ZF~}}kabIOLx+cH zQ(xD|Rfv-P2Xmb|?RP_y`J`wrymlm{bT&{mVpxP-#r&ZkiKQrCgTcd1aPzzyhLMJO zk)+KkY#9H6b>s<|2Ag;y$|ZeKRh)|HYmNDAlFZ|;b-6cVP8OpzuL59u-o0ziq}43+ z%IApG%7PStQJi}ZU^`BR=AgYI3tmoqvIgpqhh*~1dggwTGsU|twF?WGkC)yvW!mhq*|q95nYXyXa;Kmt{Li zeX;I(CHAH_JVPLskf1JWAS@gk<}{;yp)2p@N!J6Vt=lX}l#|;_lrwEwdz*|o{brbS zW^ZLol(RoM8d*1*Up}X}vCzFBGeRjY(aj&uy!oIL4GM~DDVrAOSLK`tvDy>*vO=P* zH9}_dJ958=fT8`KrdVUX2$qm4QxjA1y}vvpi4iH}`m%}HJStOo??%z&HV8A8w1Zs6 z566=-o4clcRA1}v^ra4;cj_L!ok#Z>SlRSX6(xY>7(X*5vt$KKZPw@lW(1Y>$Dy^4Q z9A!Kz=0VmCNtqufuC>7>b}*`P^GLV&UOHW>STGS$OLNYS1vvd|`O&8G5PE&%Fx;Lw z&_Q|I`4JG=tmwT}F)h)sdRQbjNudTsIp%4~d#%vbR@ywsoL$R36a+%b2z|cHx!Q>j?;ni?6KD4f@9NG_ zeBxRys=;tR)o_@_*?<0VFT_(5jcepy?JnOm7Z35WrqY@ikInUbZ9^sA#^XZDm2ZcS$H(WBNZBW_nvRanzp3W`$EuuZXbGi-Y z4Gu0QMQj~bEt;w+-ZbHJzM&k?9>i2^9d}>f$5MDiR1PHhi9lZLa6-eEE5He@BVL3D z9Is2hAhui;=yuJTiFYEfOM>MgLtWeL{TsJY$a^arm_KA)6|K@1DG!gYbI{ia8V`If zP^}wQKny!%o?~lR`J^MfhJ%Om`Jur`j@XKm1sso?8V>IkPUOSedQ*Htmf6D!w#`2V&oJuV;4?UW*L&rYN1|})z z5lv2Z1SIT0*oA<|jBpnV&q+l6giWxL$C{ywSaI^#KAhD5i4J29-U`l3RtiyiZVb$xq%5(kuY z%yTXtkVy4yiy$!)zlA}45x903M7fwrWEvdT`>7qw3-svsa*Oe;`=G@z=@ME(*);Blz3tMW$`AIJ zrj_p}r{3-HmegZcOP-cysL46-@YMmTd!}o$#kGzIWRgFDQbB0k4f~lcogq#OAEwt< zbMbzv`{HuCXB^MvqM}O59Bz-z18en3fCn_)o^8{5yG%nIgozFiA zGw5qy{Mb;GV;=$ z%sUb1p6BN)E^MF*x9_Y@oypJ1KdfiBw@lP;CN{^WT{u=@e}CSH3f!ceQs>S)x7B2@ zBIYc;gRU7lGZpu4G82C}c_Gv+DbC;-?*mac zzl%>9n%(%Vs>;WZD)hZ7jv6}uj?Kr|-FVhG`bah%2IA1s!okEs5de;14iCb$*AUsc zr8vlWkY4$)hf~ebNID*XW*1*uVRQUv&6qYpR&zA}{WVTI6w+J8XnPEZHQ&h-2 zetbvz;->LC>wAP+$-E3X*myX#jvNxsQ)H7px@x{N`Y}dZTA2I%#o^b*uljg=Lt-2Y zOwNoK-}t<}pY~zZi!v+Mj)zpljk@a2vV-z zwMS?5zM0#4xL2>zjS0j6ATS*s^&Ftvi_jqCSAn^0rhMmS7fHDiaV6?Qm$al- ziH-!%fh^MO_04Njl+VKR$i;Wiyzl1Z9NByGr4L27$|S@4vbMq>%W)-^W=aCddU+Hp>N|Dai7Bty^pHD~>mN)#@LJoJ^CW}5xHIG7^|RgRk@sdb zf`#UODMOTa?^Njp*xMcB3`#j%>nOZQ z2C`~e-3B-tH+uQMkIJ1LZ-&3+DAZ?BWzHryDiUHisvU5#u|jCtYfvGx5y_hes~OMj zfpxy#P~3N9+Ya>0&yZh2f3djQ8b#A${EC8WqZkEMF&QQG07$G6jde|mbCK9QBVWqc zbJ8{VJ!|LWjgzWD>x8og5&^;P&K&a-3*j3ANl340xwA)i7G2q|f1!}V<8WG`rP^qk z(^Wp-?6K&%u@m>j5m!hR;tKNk6^v|R+IXYqrt&_$yA##CsdC=tmBujvVg`&MD_``7 zCZGo^p*&U5e9qXgP4d^6*D$NGtihCOQ79Z_K)1T2u=}2HOlH5i3Gl(A`P6kJ?Rh4- zqxqDn zEL+~6yY3!)=KXY>R^MG+*sY?is_f@441P#)j1YL5&8-)5fZd+cc>NXsK;UJ$y;c6e zz$jvOd*?-u`1&&@B(+X4d^V(y%y#k>Qe4*Ve|9?QWmQ$CUf%2X6JCR;{=->0ZoVU2 zN4k6@^*~%WOl9DZ`F|q9qgJIYG6`vgrSYIBp(!jlu)&O)Rzvlb5n!r z{Rad{|4X8C>9@94X`JD3$Y7IukW84K&a4&$;vV&%w*od2zP}lG8JkJI0LZ)(K#!Hj z)qz)4L#@b(+^S>6R}V6fHzyyDmW8kw(-*fDuK1xF62m?>Bt>Wgq*mE?E7$#XFUWZE z4C7Q|Y@pOS*H&GthD7a7;OYvTnVY&hiv}rnaR5_~v+t@k1?av|vsId(#hZsH^DEyX z?x%s*ZCc_@72CxR((^_?Jue>ZZ*5MuZWerapNy89pQm8*rgn;G?_Z^^}93$v6;=_&-d)?KGgd>Wd%+Eu#MIDBRgc?6%a z7nfHXA`G|;CqaxSu2=&B-|4?s7TARA)~JdPc}T5deH7)?RAH6b>ZCxyGu1IS*+Bt! z|AN_vxvp&*cC#V#%>10`@P~@j#&=BlP)Yzu@437`qi!w8F6D>2j$5SxTsIt~#xkEg zNdU8pq#J`a;UMG6;+ipc!K4w~w3-gYDE7gZVeRKQBtTY_^o-TpJeN)ovG?aH-dP8- zJ?$&^+zlP?Yi2*dj(G=AA`^Z0DO4J82O^3$iE%#Mq0cWq(PG~Tka0mU-H&cko-6FW zpAfDr_=cschhn>6wfOjJ&wXaAFDUlu#)aOh^S4XM z&d<+H6q-VbidUfocmUSdS^?ZBPBDaA!M9>Z2-*eM9(+)m4_8-<{WAf*T&E>O>;;ooxLgQ(w%(tf!rT|otWYz-$KHMifPsdhV$U>0kImuy!Xv=c`ULHu$q3;N>J& zyo5)%ly=P^Xqad_XJurnBSqjxHkUo0pYmo-1~HW`?dSQGdlR%)?=a1)%K{i-QVIo} zXo|tL_exeFl`)0*pyY=k5Xa%8)wPw{62Ns+w46_?JhhC$Qd0}*DdXq@K<;V)l5aW1 z>G-Mffq}}+#K7T#>F#~@1Njq8wDQ1F*S;po{#P53n8Q6x`TNaYbl*b#LWuopiJ$W)x$_uzA zf@_WHUgKETiT(@*jBsn$=$W9DdPG$&Al@3Gw$sM@<9Sb(=08Qh2H}b5p&~Pya46-n zPv>&Teh=sR1O3my=8LE9n+D*u!n-pbIDlZQBy5d^M8`gQHCX?nxqJL#q5z8OX}`ak zS#8%jU;^r$C+-FlT0Ey<{{Dp`&rTOdaUBH)&I{{I!~zDi)`ptQ(pu)SfsE#-wi#om zvq_YThAG{qlF!*Q)NsUp)_Qm43H*W{h{DBEd{Jno{ou1Mi1yX4YS<-yEXk>eQ(X%EulDGD%m1;GV^N$%s!^t+sk>#SjUl_-Q)J zz#(eUf zTm;Nb#k)`Am>%ju-u;+oq>Fvz@p@YB(+~)fSxCIk;z*6=ITFPVLYWI;VNrqm z(dr+bbDmA}FkL+e0?;0m<+A3}Ou-nRLGMYgva>9lEcPd(x0Z0c^)#e=3%W%!xO||R zk@QyxuvyTVbaCY!cW7 z;M8hVryFWRO=V#2qEbCF^CYV@PASX?Wcx?fnF6?_@B!t=C$y%C=#LCfNgOvleC8SJ zzhyNQ2LrH)-=}iL2i5nQlhy=vAJ>T61kF4(%qy^ja)bNuRjZ!+!tM}0c(tW;qWoRE zJ(K4F^@hvL{CZlk^E(+fGwhl*VH7VP38X`LGmG!^7^hluv5q{vP?P2f*is-Q&z8ru z`6}^eD~2P5Uv4An%@nrB^ITV)X>p{AV|h)gLrX%DsmY@NyJ2u<_En2*F?oi$%wB{T zgmDc&d_UfdexM$s>k&7w&R6k6N9LBpA0F7Va9%G21l;3VdRb@pr;xJAyBjw?=QWwK-T!@3O<+Cc|b7plzp-Zh+jDAo@cCxt12 zuHx21?bweZ=MLW6*KnFlVxs3JYyrfRHT^W5dc7h*ecTJc??s@>2&7LX@T zB>p&PKehBryB$Tobxlwl%e1#du|mY7llg`PoZ?e*zsVrWhbsa$SG&ZwJxQstx&X4@ zZ*zO7g_iCt*jZN^BU#s_ABtw5QgB{q;XZe&o5d05-% z=iG3Vdfiz=S&y61L;zy5-XR`HRoAZe4PQ`LsJaPe_G^T!&>1=(~++ z=BK_khWKLvk*CCHEOjJdv6H!$BR$ z!{vbTdhav~#W!$5n6}a*%cG$ruWk2d=2slrmvj^rqr}izv8y|%a2JtFpuH>iL)u;X zz$BmwNxU|)f49lR2ROs3*+B&Z^Yz8uUmQ(z0~~d@Py3x3RC^}P*q-Ha-N-#l=XJ(< zkIwfsPqY{>nwQ)JaA8jsB`*n4+n3>T&2W~P+ce?nd$N+&Fl-*@A8QPn>e)78!5CXk zLbfqB5A2gUcH+W-^&w_{H`RS^lv{HmN3S0OVB8x2Sphw|yFC1)mK(idb70`|h8cY>Uv`tlhsp5T2NMc;;#j+4O`) z#-Yg`M;9jQt#ZnO$4kk*cx$h}$_yNC$vM>hIH%&C`(@znk%rvcxA(>QjLkuJgfomC zA#Jr6BGve#_rf<^kxvVk?16#2qah-@R{7w|p(dpcr8yD^cxo|)L`z~u(+Lgk>6rO1 zWv8b<-yOF{@VE?)d9qQw64w#dXT!TZ(Uf@0T1=Gt@Zgt8yKoYm2Q%JndO~LQjVm(>J-d64suCqJ+z3WTZ_A; zO7+LrKD}9FrM)pcqAawhlvG(fBys<^-%Nx+%_w9!*(p6v)%=FPrnWpEkDd4@|v+|=E)qoz6I z*}VyGGSUaNg@IAJN5AF9NiIZy%RN1?O$u(%)qEhc;qrcN;8~Q^4OMrMTm!bn#Bfni ziNe(JZQ!H%w0@Rw0Gs~g$&OO(=k0mtyp_AJqK!hV017o!lQ9RQ{Xh2JGAgR~{TuzN zs30mOEuGTcogyVDAYC%#Fd*F`AxH{J3?$c^}IUg z?ODEc4fnqH9oO}#9aq5nmqHX*QEE8a5T}Sbtux}E*6@W1r}7mDo}w&c1knP|b5SQh z%8rgJ@|QXaiB)fKxK!9B9943GqSNFey|76D9m>5-$>kL~pnY(^ zf&^MdX&t1901&wy(gozUj+q`D#Q=RzA0eI`DWGA;sKiRT*7IL2z-8OR)j862`-C&S5P#uqk=0W!fVx9{l50v8 zqi|<6^O2wH+9O{;-7*YxM9w$vUmtZwouPRE{s3uA%Ug|$7k=Nec2NXq|V*n&78D`W55xY0V*7Ao+nnuCg_Cp%Y8?a$M~M~@oz_oWTh!dQ>@Pc???0|j>V zhXB5E`dE4LT(vbiB9My*&1Ic>xG$w*Gq^5^>V;3;bb4ZEomQu4FZu=QucU=cn*!;2 zZ8BgDQpqk6>>pQSC3zeTZn;J;##j3n^Ow&AKr4OU+R1}I0A}%2t+@aBs6cgN77chz z>)T4^TSm0Sx-&mWdEbv2m6wVvBXURgjz5F8^F6L$@bEZjGrxuo7L6K`dk&tfNL5(Q zQ^o(p)tRWa?pH!z9Fjt@^#pOxmPU()8{1tpR>nf}@n0YjWs-T@?AB#`psK%~>_BCe zpstf_;b~U!J!^`r&x6ao%V5n2S1a(Xt5@ zr=f?6@-*IGdZ2@I12Kn`iV~_ggBiC-7!%Nx{%ul5-!8?xG5NZd&6ctS?xjv8Q(5kXLPQ~hv8}_D1Y6+g)oz8 z^nC;P5`UC5+gH-;X)ItP^alWO7|`4}M=b%ivXb{So?~|-oH)8qcdu$Gl>PNS z-BTx*KvyO+&&Cfu-@9`{)As+l2JqTDEOGZtGP`z+ZnuYy7M! zK%rYPW0W8W+Flixz3H zggiZY_Gab9Azjr%2<R73qNp1Ly$(t&?H3R`h2xE^zjyU+BIPA;(rt+2JqsPXt>e z3%{-_T6P6)rEkZF@nGUO5)uEi{oxRiNIya*=O|L8X9^Fsxe0P{?Y+$E<#i%PhYJI) zeFbTgi0(Uc(}4?i;0cd3V^5XEx@ebsd_@M4ophCyj#nlkZ)={d+MjT1*>wpw_CCyH z#+mfnYfC1ovb@V?kiFUUId^J}rD<$6w17@UV_r)J`=0a2qUVIpIVu~#^=H4EPU!<2 z)u7dX6?NMkYWlrHPy6U;=jehitH-bFoLlH*hxm8{yk98Ih^ky|7?}OAxNS^kEkd4b zcO3j^79KTm1iI8A`h$knPNre61-9#`2XpG#@u${vYx@-d!WBkBXK8u%k69`D9=2521w_t`0Bjun6;!1wp3!w#~u zX8LUveYQ(Ki^lLt+s-Bs+|LHgO&Bm8rR>3bamB~u+Od%rQsmiczqz~aWz*Q=vf=2C zDw4Aatq!jHoq&4<$u-^qn1MUq*H4s2iIbf)fCosNhkdt+wrg}zG(xuVjF3 zr(e;+?)s|#OF68Eqkwxxi>ILFvmY%Wi)Qbyk{QBN?O~-An99cX-J@LMn%ck;jQ&@* zxs%OP9Uqj5Z~GV%z6dxaZ}qg_PsY|vXmM^$;HS;_R0PYn&0b%~YP+h-*SyfW=y!bf zPZ;9L1Rw9}{SIMUqCUZDH~@hIelo1mqKFe$T3Q<%l`8XCaU{isIKfsEXheygNMVCm z{{H-(tlN}>Tg_~?Ci8FtIZ-E}rql?$l+2US8n?3pP!7yBVVdj z#5;&kqD(c$Sk<6R1UVriWsWP>gBNMIZxj~!(**rkaE6E@@}nHz@_O;E%t+mmu#eP| zeUJ12ghD%dq$)r!af*oG0%*H-+JE4>o_{1~4HZ_U%=GCKvdZ%Kenhz{F+WA`dfYj5 zjv0|Pj*~qlLjMRk)it5KKDAFy9;#ccc3Elv%$wbz7N~yM6blDzt}nB0Md(*^q?JlO zLiiS(|6g_NQ@Ea{|0Dn7)>{4J`K^UOk+*PrjEm&GL&5(6(SLh#3(>O(4ZYv^=BS#i zc3P79fA|Pq1JOIMPy04n`WsIFze(UfCV~HV6p8NM#`?%}qxtxfc3_I@qJPC19GBP# z>wBQ@-hn|pvdRBEAYupKwTD3fv2;@NHM@Q#hkO0I_ZTh%64%VX?ogolvbt-p*%QfI zbWiygMJ`se`}XzD;EY2Nw?xW|TOy@E|CK2;VxoEWO-Sh{r60q1jR^9^G#eR0haxN# z;egx9!+F<6j(!KL3Bca+OaScNKly4*DV^#SDKmhE)5o7Eas6V9#|MVgG&)`ljI@dH zrC(s;=x|uzQ8l2oboz^WjjO9UTwbaD z;>+J}qg*lkl|~UCnQkAU26%*ED_l+BDULqIk_I=c|CmHI+!{ubX9$biG@ z+qqJ@Z-}0S8WH40(;t^OgtIrN%*UA(-Y4P? zJAHCH>+wOR_p`0-ECbJH;R2YC*zX4GW<^Aez9%(QzyahJP{gYuCOuLjcKN&cG97^3 z=kJdfD&K*-TbBrGukp*37VfX$02pZaKj{_Vu4(_6WLvp3E)aCQ7wjJjJlEW4ZAmWf zq!jR@2%xbS)|T{nvNomxFENT8wqfMy!+AdSQo*H3zrs;$H57?Pz=R+-d=q6$Es?VU z8D!c1g~KKm75(cjDsbBGdsDt&Sy zT99J7ib_=!b+k#^T43K33C-}{>R#2XRXHBE@vGOaGwG<(Nkpa@x{*VdGN?dp53ZyF z=k89lSS!Ba^&z(%Oy{@F#s&e5 zp{lY_kceq}YSU_bZ1#Fgir9#gxJBO8Za2PfiYIr1Yz#ug`%4qHZUC9WZJb8ZQ2x6$ zE$%qT|C7%-W)t~sXFi2V6p~Sg+au;gn0GI3`@QXgS;rvwI8k=0Hb8Nr17ch|dpKYQ@;^X1xeY3=!e(AzIR9YdHH}i=G(bos zo)X{Dc6kkKH9Y7KMF)Q1(D^Q@jY&f`I5oI|(-FHtUL^s$A23Wij`OYU;$A3EQ2!q& z`SCR84wieTs8@HIu6OIXk5H7d$jFC8jUL=a|7i0nBTnLXQiW4C-wS@%8wSmvZHCWHN!8)1jkRnT3O0cRYd~1ERG00rBB!SKC@Uc`b>0Rg9ikRUEHZRyWosDC5Oz2ItU`R)r z{gAm$b>B%$IZ1Tuy9kVT(1B`i6zB1%3m1+RS!VjT6pGv5Tf&GoD(PyR;Kz80w4W+K3Hcbf5E zM|g)HlXuds1mz7Ui!-C={8#1!_6MBnpXZwQ4rdi7d_-2aj0{3SJQ-<~qia-^nSWqh zQ`sLP?7<|^tQ(nmsr~D>-8XEocNSw|KAJ>Ek|xsQm(qb|EUvxO*Wilh_F*&m!24}c z4t@KE$80!vm)f!NV8z}PrfbTf5QR7kED*mAc0EB5(9F+<^B20d8GIh*W0MtIsz)`w zX#pvu^7{Jb_-q4BQTdK4`N?kylUPbIIN^BPE^uzQslLUv-|}1>N*oT@d;8vpcA+wD zbBxEY$d$*sCWXYc{dm-8U5(xuK6*xs7H3+zy?F%^$z+7sjFFcO#e*N2}5Ao z_q4RcdT<8bn@iWT=NGKb7*c5Jagu}8uD@FeDGr_aWOwV)pXk?dtX5mu1O=&(&+vLj zLJ^~iV#6j|Yq#yIRpQU^>r!JTLEH9fv!?HU!Xj~5qxs`0Ux=ZyG3kyKzOD&a=Z)ur z*6_RY1vCZ_=h(#$I%y{IWr?je`|m?UpUhjN7I+fRoD6=|Q=-p7Wi}MPtM2oipxvRG z5sg=M9-I5=Om;))-cS8zIHppoVltdB8@n?q4ysI3oks`x*pIxjtPyP$m|egkpS3t2 zkF9cG_VJMvvAu4Q`xtNr=5tzcE!n$0db2K}iUtJOdV7BM$EgpzH4OB}Eqr!J*3+N7 zcFSrR4aP40i8|MX*hU;4^FDXJX$2vkD&zCN@?+GxdieVOl>J>Og2M~K=dO=2zE1~( z^udGc>;n}o7==ld|g$tHO_>J$qtgqN zSA$1SAhqE1w!7y2kyAL@+5B#vt8^&+r~S>uW{PuI!y<$V+#Oh3zUpB`j6^)$u<6f$ zXoZ?Jc|FAJ34f_gV%dolo4GkR#;G9!wo$6qYoPiNRKXbcQWS$R)Vu|*cey6&zQUrG zsnzXpg_poPWXN%8hmmnYpqNAo{s(F)ezl;K-jhf{#)yV)w#IAOsnDPm-skKS$_&jH z3x%>$DomSkNI3`1mEEV*PFH`hCZ&D>nHfLYo9B6>j3efVGi6>-+_V>=)yHyg<>QV4 z*g5ELBU$Dv1&Zn@PecfbJ z?S*!*W+HIo-`mp^p1yAAN=uF!RcbUj=wkMhxx2rJX|`?sET274C)#S)NE-PWJU5u$ ztZ2;nj?lnw=`92MfT!P-78oq;+2;DQ)40VwSp|8bC}A{$@{=7A=wFhZnnI96lchz+ zzF;cAR5Qn4-+x)>UMD(@t+lCQbsaqzqwV|q&ef5zTMBB>@s@~#YFlxT{!Uk4^4nI8 zGvwjm68x`leWQQqlY!1|&75HSTJo8Pq;vI1V$EU2{6IzSb^ZpFUr7uU{eF^Ber|vm-;^blSu4N zvW^?8P-FQZsr=Iwgk}EHk#?ibS_udG{c^yLL<1E zp%Z@t7dcsyI+-Hq4XbUfF>8^g96%(HZnDMHY|9eVsv^kegB=B~nNDkN(`^k5N{+3f zt(7Si6*btI=(NInq}gReRBMU8vq+`Tvo)Q3D&&-1)32!~9eDEaCdB@M<)#w7*>4Zt zBHTsyOOpQ}YA{iRya^&P0fGIE7LQ`{;l?80#WtI10X>M@<6l z0>5~HX+01sKv<5K?X#c{W}LQ_V4#|24w8I^WBskyN7&~tkJ6Duwi>SEzG@ zEDXLv$+SI%7~*FaGF2e2&k+BSZ8rHJ^w()_qxSQ?J6S4^jcl;5BB0!<-RTG!`El5$uq~D31x)jNJK<1lSw0YUT z%IBytG|M{>l*V*Xfds-jpP;mpM#&;X6rFV?GoLx6w9EESP81d%DdFM4|1h)v1 z4stNSoUu)mp#--27ZIwMNbQ0&Ox71O2zrp9f&u0k1;~9WZn{pySbWBi$p*MchI_s$ zyPTU{dLb9_3F)@U)GG7BImTt9!>lnJN4{nAEItX;yq%scflLF$l&3Y61PN7v2c?uJ zd{aqg?Y0+_r)u9vxjONRhD*PJWyUV+?Xv7{Yaj>oCD{oH3ib2sD2FzDExH%zTdiJm zw`$yCNbeRE1f2sweARJ|RA_-|!xAZIylylramVJ^*)0- zJL1!htKqD6fdU?A+3nT_s=HnDL`{9rot_4YS*^>FMh;pSz!jGJJ)XZ9$D0BYRx?!; z?0oLMMEv!k5wXnF#M5$cL8V%cXjbf{@rIxAcc9CQMV<|WJ-q1Gy>>u79twps`og_` zTA^b(PrjV|F0WG}nGjZIFAa(T$VH!jx}|D)6wC1M#5OCN9;R23)gTZ7A~=+;lL5re zoevj9&S>u9k^_Ny2I%jQ$)jgVTWS&jQ_M1EofYWu-IYQSP z?9E*WPc#+Ew}gQ7nY?nx`*?tK3OMbO!hdOCjQ^CE3w3Zer@e9wbkng3B$fdrbP9<| zG0aX};or|MS%K^?Gu}=C^|stv%^qxpxho_xqev;9Q7C=G{e}Qz2Qn_CJau`kkv%Zl zyuTR<8ttDD$c?TGjCg7rI5jKzbkh!ZtoNnAA_eo3qS97{W8Lo;?o-+w*N2pgPM-SF z!pvpGN|$7eLNA7VcuWENvwP;u5Bjyv&~lmZ#~Ie1#)V-`?x!c73^FUY7)7&zAI*C} zFcSU~`mzy^&C!FS9e3DEPWr1W z=7T8#(Cm;K`a8$@SK<6J?)7pWckK#=_R zTQ*1jOL_!0hC>O)21P{QZdGGG7~}wB&yN&Mj*ds+BvS`pcrGhg(_UJXQ0`wcU#K4* zgh^|pA$#$bUmRo0Cy!OX$R2cuW+W2xJMKuJtxcu@t2+Wq9IES=AqRbWSn?Gxs1EF;8RW}5Rr;BJk?$$7-3tU5NOfR})*#yf-9Cn*YY~(BV*9xws|%_I4}3#MQ-N%g3RKPHd3IYgCw*DGAwLzlevQ$q)9_Q22kV{vDvr#{MMDwLF;m(3q@9!EA(fb~=J z6@lVty&ZQqcebK8=b_8(p*VA|rG6NKI|!~Q`~9NRtyiB@L^Ot)>Y{c1nFQX`Kz(<&5@r_x{I>0AA%L+n z7A1d18hEkqQl0#a?1VL%tJIsgyXzf@WX z5QMU!&BH0Rzv4ZnW^Yj-l$6ZUBVk(&D({Jq`S_m2x$T`uKKyyri41Bos3zTlpAs7< zRYud!yHE4Y`=5T?kdTz0VPcYTMQLZo%En7w^G6cRM!;`KOccK)dyfFkBR}f#nD@c% z&W=oGyG9111%2!hGv40)Pt#Mz|;u;W`5|(IZ^FVVg`3wNJRI z%7C~9-sl0cA&vk~ZhqYj_{E(H>LD zxMpGxN5oGgT7MRCC!Hvn7|)gaCOx>t%#TBmqA*AuIIz1`EstQt$XmeA!_F>gcbpw9 zsOs#cd^83uyxYi%=>MQLPK=%k{2We6QL2#=4Wy5(#;?+ZQ@?ErjD3(%5adXGEs~uI z&Hw>y+ zDYTa=V#FPy28{#qrWiP0;%pHH|72T{2vyN6esDKmtiwj#yAWGW^&pIg;qD6nzXu2c zjY4Yx`}~`7LVtw#efHjF9MWw>07z+y={5ezIwMZB1LmjGlWIL(Fd zy|QCHumh2#`J<##1KGD~&;>|@DpR*~e&4J6usu<#5w|Q7R zK#Y|#{p&3fS0ZQ`qk4qg|I##&szKqXyOki% zi}=+9rM3IgX}b%|j1x9#Fi)ohiM9DS32nen;sr1RM5rak44pLG_aq5w$q}PV%x+Nt z_%9^z)_{mT{dNKX*Ls(|o;e<1L;lqaL|*F!AlG&N)FR zQJen)UvLto9zXkNUI@gFuD!hF6`rT%b~{oAi^b(58;qv1ODb@`5#CM(5JPTP^{kd7 ze`(B>tU1+3d!-z~_2s6SQ}11bvbWq>^7|slbJ`{RLqDnA7JNbWxKC-WV}} z^dBcXJH#%Q)MdllrLmjtm_J#yFc7DZpmF8oaNzMR`>@+k@b=b_(08;uIa=2Ij-*z1 zq)%^fB@}I*>GU%68Ay}rk09rXlT$;dVVPpL(heT&(M3vAfpX%x$bha$nt)p{r7Spj zbFn%*d#Q;kP0WqkX#oDG_A6%F2Om~-fYB(NdZK{_9lMp+4CKQ?WHLeRSAMaZr+f7U zHWObQt0Rx;tWnTNL9!GUNnwE1i*DHlOSjL$2j7AA5t3uO94)kOX5HZoG+w{ z`PlNUo@^|4hq2GnWmvc^iBmB=Mj?x4<<-*GYg`A%D<|M<%~#a?A{+W-Vfag%S>(*oB|J2r#^S6L|*sb}@;Utq)kq8+3U zJTCseKo(51s@5O3VVcuo%M&_2dT)f-BWqBs$X1j?1z6>E#Zpkp`oU(e^zh~VzI183 zRv&B{(Q0DpXG*S91i@go99s6#Kj z6bmLI0IKJA%&CYJ?YLG*I@Z;@*MHloEk6zFcmmGaxZj3s*p~JDcTM5?;YEH9P&@;i z#QrdgkAl(VYQhapW#U`AmFjIo0~qN}TNXqsJ}q^Db>}QgiAG2iwj8VE+ce?AE|yXq zDguiY2rFyeS#xR~(DJ;i8udS%cXAsOB)R2JG)oJPVUD(5g5Wd*@6we}q{oHFZ=uhg zjDHE4y)UbbpKjR^TEZ8UT1U>g%TeQ$E1-=~AK)tvf`W-~@Ix=5w92ZD1*ZjXCf_q@ zYp`)nD6$gZ!DOamYkEfsa9OsZymNQ}J}KQJjWYJ))FYR}M}TeQm!Q#dwrRa16Xs~Z zRL~~<+$Bt`yQ{v^2eq&p$*K!4gfxmo|L4+}iVWA00bj3-%mN5#U&`W?y(Q0LTU$W! zuc7#J|ztU{^J+goxBz9VmOs^`Ab6r3uAWk7SrBnXIY zBjpwY{~-0?`LU9wlH=hhVq*W!3R1I4cE8I+`&&8;hUyrpCy;#y$le!dDroI-SGQY0 z_-?&sJ3G}(tZ>136LA5Zo4>uG4^IGY1^iCvqz|B~4hW)aZvr=F;2_u%>0RGsw5s6) zI`f(CpIFsK)ZD2zUk8mue|WWoItL)5!mx~J3B~z~!5&N1ByP?XWY1o2eLWcuWVLJD zaXDrmN)J3T7i;t-HVarBijryu`recFSYG8@%9uqh6xHYu7!^A+cB#LBjS&xT3bzeK zY41RN@b*S(XERd)%JahG8=zc%u?xh?iYffL4B#Q**Xw3F97au8Pdk#$J!bu*9h3!r z+H9?{lJh7dqUkjPt&(c40u%o1G(MQ#^d@XNkxs44-~7t60PDD5GSTY#Z#HaOW@meD z?1%I*a5|5R3O|PT=ft zJo9_kdx*D9O%n$8;`pi+N;asb!n2g zhQGm_8PY#>8#xecw*t~s8K^kGCa;WVp0rEt4d98ak!Ekq_l{@?#RUq%WawLgX7Lr` ziqAiGcBgObgyB=22@@MESygaP=Ld;;YSVlZA`NJDMpPQ@=v8YPn$Eun|St?sb>%9Yl#lfz>$%8Q2iR zZ+ec~j6Yyj*ZV;2a)qX`TL#p#7&Y%u$fh^-eQV*&H=qIsfoirpRN?L%~kWnfp|KkBG+a~p`i2gC#1k41oDcq;Mu)Jbq7*B%*G$uYILd|%Of;XlN@r}SDP zn@2UJzM-}EAN537$ew{W?c%v~P$^l$!FH1~e#`Y&Zo{QZ%K~muEjwrT1Kf*I?E-Uw zYoryRutlXFN#|WFwJvf*DcGXm=61?2=9hl`L+!4R{3Wv`pJ3 zW9yo_Ug+vV|7kx9LuX%dbX9MVn~x2|b{}eNBGcuI+GwFMaC9z!nZ>Imtm2zY@$UFv zvCk(5-lZ9|mfra8=T+sX=VY8i?7YL%1eVNtX?E5I;Jc-{9d?Obk#+2WbV^a;wN-U>$oov}4jZ?`yLT znNU~*BrKk0ihZE^34ZFo>vc61meX8jAvfD3ai$&lmz`LRo^*rgHMu6%8@wD14k7Uo z?K9$MX^uc;tiL@rv*054P?C)AWQlo`*e2fR^wPA3P4W<(S~@yh2Xi*v z=^GLj_M*}Ek!C%nXHJT^C)KSbhX{Phrnn*5H?y?$tWiwb0X1g#e34NZ@#0LZn$6&<;$-_y6({PT#!*bLT`O+I4(`PbTYI+ zmXdsw%a6md(EFZ`7<@XxS17jz{-E;Wpt5$D!7HXNJ9%4&LWm9ivi$?PlLqF1dh0!R zDIC1}ybFTY9fJXyR45yGzVCUP%~3rC?vsQ&UsG_k`Sc@3r9gkhFeh<><+j8GEJ>P2 zjO`|el(7M8jd0L$FF81vc=|KoxiZEq+fI6{V^@NHf6V*}dA+DeJOEkRZrIS|gnaO7 zviwQ<^%nF$F&1fAjd_9WGhm};ok-TIgcgf!EtrIXD!?FZeF4gc)3|Twq^jAZ#g=?W zs~4x7Efd9lI_OtFd5WA`J6yb`<{`%PFPSf2F~9dIXMv`e(NICjG`kSG{m1+WM>-hu zH+PL{+-HnJ#fec1FMb9B+#xQ&_OebR&a0{o-eBf`c@;uS&B|tcW5^q&Myh%W1Bah| zbxafPAU%(I$M>6<|QrQuLkW0Ecs^M7tf_z)mZxZM4k8EbJxg z9iqsHD(0m>FkWg)70pbD)?#~%xE1F8g|e=vNVd;rEeWifP78nWOSesBH#&t|v22Ko znsqzt%BtB^bZE&Oa$K1nEc}})PB>9Q?T1Wr)z(mW(LvU~R@^rKEB)0Go{IF;lw^Wv z2F^oYArU~eBtycuJuPhi?x^mB_I^QCvB{h*Q$}Ek5w2q&w9N7~+H|@mVAuJbVx`5b>Dt zrBX1V{GH$raM!wv8{xRwfEHf}B6KTrD^(J8MzP~*V1Q_TBka{u`0%(~Y_)4r^k&Vl zzVGvc!{A7H+56$=WXBb8)7rX0J(wP6NSR&VFKUHa%l$lj{vhjw4*LOv?1`z%5Wh?A z%dm3xA1q(A8k;mFmo_)-7$QWp2lL~+;T8&mDwJvxr6p>x>g zHHiU2U@LAJV$JjOYKphwnu7&`PHkxXavkWTYSdx8IPxbQGsCqvpCvDYNRaKQQV<+Y z$5yc;jjlV%q&%-5R;Pxva+v9_@xm@;c<9RB-uSMju`HcHG9i^Gnyrb+_yJvPc2psw zkH0*dOO^Xap;oM<2$I-lAonGJ4f<6vVCdkpY)o&~?-kBLdDkKcYmKpe8X+{F|CKWS zPOu7ta|-CXdg&6ZCPVnULx!dyJ@#e?!+G8E>Dn*l(&|#3+!OOOX?Y0oY3Rn(0nOEL z&`^E&YD>D`i;+z4x;N}=1Kq)tw%MQ6>Z=ZpaDW&4;d*cbW4+!GFvsS6zo7w)5em`T zX{&EgpUj@%X)Y}_uR{=ZQhp(lj{eP+@Mar0?9Gx&6>CZG^>Ws& z4Vb^!*K%p0?flDJ(6?=QF|m48h8iL-Ppi`_){}BI)%J1aim<+vL_l zMwhz2~p)j2BP9rhw*Od5>eKwIoc4;o0Y9Lx&T#L$I) z^7c!FljO}$)4-8$2$&Pp%fW;&dov1sUh0_tav^?ntv$}aD&E~@0L?xY-PQr zV%O7>-79A$Ozm3FG2oYWv1#oICvDtbRL<7}P4cMi4s*jBQ;VC))$?ljDY#rq)A6Yv z$1^5enC@`zo~gn=$4`!9h~xsI%n*m#2$ZZdx#ZE_=#G(3mW^USR3<~d7q^0)N?h0* z>AHs!>R~B}uWMc`A+!(HNMhm+WcCgWO9QN{M^BWlS(z%`4+nFDs=dYS&`C?n++p<} z$QX~(d-XCaTi5fhdx4J<1~@(38mmytFvoIc2Q6fing&`pd+-Md*R|8^nlh0dBbtvo3Q=?sJ@xotULMcd^Jka!1d=Y91r%s2@ir^+sacTEg zY}!KSM>o*TAgy8g%Rx`M_0SX+=s*p{r_f8$xu>i3RgXwbpPm8{mY?hFD|--HRakdrel{^g_AT z$p{iosDRiP!vS4}*n3n#`XS0|p{bm0iDIG~OJ(p!mhE6Oerjo-`&R;`2_n0*!^SL8 zz6bITWVME7w`Q~P$`R#;WpCti&%eHvUD7@89T~D;u5s8xG_=BP^*^2UR8t7r+}BJo z+yqCiLu^mbb3gx@+i)7_`Em9|dnAA9TcTtBMC(b|ll%j`0vF#96Pc5@o0Froex~@( zF*k+iYs9Bz=0y(Y3e|wb*q35{HoqFWJKGhp6C>4mf!j{Lli8Mg}1pmuIz%0l5+44;1D8!4-@9=P(Mx;O=|(Z`Q=7OZK|I;NG=38DAql&T|Dh ziH?`DtB$fveQ%2xgskZ~H5G7S6rFMg^#9JRJ-a)1 zJCfqxoVA>kcDR~0onex|ID{fTo+w1`=TqO==UqJL-To+-fNM9xn{dvgmfjs3Lkg>k zSg-p$8hz(q1F@jFvlBKWK~FKt0gPL(k)ML__rHG_q_V*d{46Xw{=o#!-52t5ehgZ8 z!zn66z*M}xhx^Z+H~;?G?q}hw+g8eg4@!W?{H1t1+A^jeZG^@Taqbx@|8rUUNc6$I zyQvCteu2TG!?-kc4~;Hj5{RG{P&xYVxbz))0%dTGN0)A_Z(W|@ihcfga+zZql=4VS zUr3XIdaNRx+Gg`r4r@#VRD?$=(t+{ZhITB6R0-|LzEtsg@4KFo>bYc96rD)yq2{0UasineN*6_|@OSGNJjY4ljls~k1_2qf>2wDJB;m(;0C*{8`| zA(@VsDDq9yC_*TYO#(%`1HsRu7-F&#Iv}m%glNnN9LcljbG(#WK(Z*AP{g7AWVexZ ztUB#G?dF7f0-J!ejgBr5Q5=W$MpEVpx1fED7E>7`uIu49w_>8^3f z@m5F2mT68gek2bftjIul5#dHmcS$rB+EgcN%kMV;7e7eP$M+vlZeeIY^N$!(!!u*a zFlR>oL%qxR&vg^EB)ODV6D_xiygS+@XESPxaj`jlBYj6d=&3zBtzkgmS2!;rRKQDG z|G$eF$0J&K0`(?R=KQj6aHnKe(O5GAa+PZ3;vuC@m|4J17O30OV?5DDlCNOe8v?$R(Hw)2eo|O}?3wU${O>J`MTVq!&wt`r-i=3+DD-KPti z^1M-dQE?}~P~r#EmG{QNBq!@z_Mha04MjdhL~MAqIfjAaM3jQ&g^Nz>cFgG1j}}tq zf<6;LC&)>zc6OSrr^un|`otNhR7Cj8Xiv7SMwN;yQV0p`ore1wtJ1xxr+W>K(!a=a z=>3-)`DU>fzI*AykY@l0Sck;0`T7d!REj7iqwp+mP?zw{ z{1zPL#YNA*_&S8`E}^R~x=;qSb@EN0UzusRAA_9xG+Ua$149%d0{Asj(Z<+106(#O?x?^y*1{KTN=;4m2 zM;m(gEO!t}pL;m7?5Ai(p0#O_l?PEKUECNySg&6>-?KYhmav5+&xa4n5?lyK`E_20 z6G5?=7XxkWqnD=*N_!ggb3U3mxtKIt$?^Yc0hZLSY-Glc_ec&dp0)O}aFU-TM7i^~ zPom_XYrS&e*t}%qe>meperJDVai;074|I!Y6}EB^Z4gmX8VR4xwCmRD%!&U490r$+ zfOYmNI>lo95#o`8pcF`0I!~?0(C$#p4%KS(uJMogcP^Y4Su{Py5LGSsRnmRR4hWyu zi?OjZ;+if#T}uNXSQE2+4RP+)!X9>%h=X_6(U^Ibte zHKaH3^w%1{H|L+RkwNCycT$2DzZPj)wYr2lDdL z^Ms~E%e7qc$lPj8Mc_pmN?QSUCQ;B%*gLD(s%&6~XhWRF|E8jk?G9e$I0llWUcN|l zyZB6=`nO1s`sN2JvwV;s1pxvx@E%wPbLCtgZO@9=ey92J!x#p3ySdIqp zX=Z?1WO4`PaoorU?z1*cnbi7g;Jfx$+}&<_k-H7FV@OkjJ!38%HwLkrhCRC_vG}4z z$m*dveId`|8y@9<21}gpwy$-Cys_1rcm{tVPrrFyfb*cy68BCrnyAvk?8@1>Wt*%c zptNx*G&kT99s~K|w%3qy_1&Jr{W2kMG{^{=WV5JHBH- zf1X3`>zZ?1V~#oEJja|%81wepHr*`b1IE9;EPp>pSJl>uyK`xRd=X_N9qEWNPheX=9&mX1djGjolPcQ}+ zMto!OADTku^vXjC>V2qOqjq-wa^u+Pn}_UjZQJRSD?_OsJHs=(S**``Cck{v1MpGY zFV7mhCM*=3*1y&i4PO3I%vEJuk;?XYPw?DtEkfy1h>o$-=gZGuso%pI&ROX%%Ikxc zV}0ghAW$98-{0;{Og-eNQ8T(!UqzeqH)4ab}!HxUWoI`L@VEpgr{en za-qYHjBBXex-uKbedqR%d{n8bBm!rvj5DK)O@soa@$%QLbMN3?F!WwjATQ!B5( zaFt_Sp*~7$kv~OlW)Ab-oUB+Rr?F_mhJo}MCS?r4LMoP(f_dI#VCugszMO$@_HrP9lZ^M(X*yWmGF_!JgfnHi)j zULp&nF;EfrauME`{W(3&V!Ua^oVLVMzjW7IZg{{Q{9=zKQTvdW9S)!pE`3E7L zuu!O2JVygE<5avW#YP;@d$z!kVU(Y>Qii)i`>Tuz;qrL~;#%gzb@j@fFPTR4(D-^FliS%O&G{f2U z_V5vxcq(Dv9T9M+sQ}A8@g%p2ps`*0m=YJ1#8kGc1^9^LOkO-A@JSCGx-g+C)P>N3x)qBi$-$$Ky)rg7YbNgPuL>zA; ze0x0z8EqtEfDUvSzJ9*xm)NWxhhSvo&lT83889`R5^y`t7t{1I7~$9?8VlA7IUH`6 z8wLJxG_*Yv3cS>4=u{P32GG@WlMvGX7$qwA;v@fxhcp<22#91Lc48n?wWfbQVQJkT zmJ$Ne?;<>(6dh+e3V>X{D~OoG5s;Tmx<)PC{~itJLwfcvRcv(h6my(o6WX69O!dh| zagx|fioh=9nZT76uaIQg<`B*5# zJ->xko>&DAz9hV=f8-J8r&2Y1|Mw+j=N2Ec!~1tLwJ#l~3SYX7l!t6kW2<@_LFFIP z3Dr0f5tL99dveeaEjy3GQ&7dcP%4)wOwsecPueLkf z4Cj38HZ)#t)S-^zG=%t@;pTYdBhrBG_l^FLHU_0s$P~7NJ@d$@G<+N9Ehi2Y%eMV| z?Ieoz8}=>{j%Jy?6BM3P@W|$$VQdS=b&TsOUsN!Jk|jNqRLkih*aWy&R2 z-075UOduBc)Nw| zuR-Kl*ZI&jNiJqtu3kaL-eg>sK5w?~?Fm4AH(sPZT7ALHZr+-dEmuCv#nH^1Vw9T~ zlnE0@I9F6;J{UkgV0TxFE0rA)<(kpBj(buV5`1W{Mwy>I$+t`39*duHX*WIfVYuT= z5S_n@Q;DT{#drG=+js$sdH}?kP>$Ltt{-AtA5^;re6OOpK7T*f5M(4TCh@N#dlkpB z9`5bIeoU6hNx`=(8G3cBXI-~uKzsaniXPz6>uasy{sIM{dHkWb{`yyL^~tuRN5ws7 zO->B2R&d?T;laR)uy|oaKdd2=G!&r;c zZR1gv`g>9HBHKiw!KrRM&#)m{5R)!(jK%qYvs+%R-=tnw|9D*RLsa>?aP5q!{XPqi zNiS0a3m4CD#e>Wq>=#G{LMX7CG$>d2ZpU@4#cGHok<{|67M9*QCVF^Fep}ju;Z^kQ zyB1*gj@_bp=_M%|PS?o1uI~Bvm+mk;Too`?jAuT}9%F`{G{!Yg#$yjw-pdeSu0Z{KUHR?6s;_$opts|A>*Vl%2q7!L6PVE;oAPG6ZSl^>NkmF*l{S}+O zBBc0F9pcpadTNZ;VvU+bjv}TwAe*F2nW{D`A(i9!5mwH8OWi;c^RA*jbeMM&?na{D zU7Y05_8HqY()PLGfsZN37cH|;$mMu?Crsk*g*S2s{Rh;Jg7TOOwsm?EG@x9PvM8Ho z=2#kXcGCxPgN_)=u)8dq;{Oa0DaA=pf1fyxQSU1srPX`{ z&Z}n9G*5ZPmfl=ct3RGKqdAYZue-}kH16P*o_WDeLM3_*M^JtY&2-RYXDxBC1h3AA z>Rb-dmkhdLDTqeiq#Z;O8n+ZE9>4P4JT1J12Ywe4-e9r-+aYp4tb!8k)Xz_caaAY} zdNhqdeq&=nh#^0hr6r0kCYyMO4k(E(Gi$P_B}ckNPJe_?$2$no{NpGbx$cjo66 zzZd@$H(KEGjVcB!sU9oYB7u=j+lQ^(t+RVF!0HH+L=5FLYdQP7ePWGVQ01mM`ix?I z61)nZm9KD61zzcoj?#+3lI4`n@#({C_4Y7=sM$rZ75B30CAiQ z$WtYQ2a0k!$U4QcU7z%|gnnR$jvZ&R9-CCWn+CrjC1K4>*;Y&iVjO>t{VXBKfq+Ia zuZ36(y;D;pIxJvEqOo=FsdW6u&8Ckwe9Gj<3*N?cDMq86Uj5P_uU18q)nLskkBC`Sx;ShdLxKdqLmP zjI5W)-v?qymVi7;QB#mO4QE|lcs&;CcT-~og4b_|GZM#s;21BHAH9iY)q;Ld!}W4} zuyd8xV2y#U(L7Oy-JE|d1*f6Otva|A;YnI{H&UGZkpktPoRUR8r_b~ZeWCN@upoc9 znt^+dNA zF}|kF{NZE=t$Qqig`m0LGzJaWdZ!!_Lu2Z4MASLai%%ArAXjU_L7g6ctR9VnsMlJy z=FTii{0{_7vF3Vw2udkH;k84tmFbq*{rM_}`?u(rW?~x(jnAx!0DKlERTr0$kL}Qh zID&w&2u#io?@5Ti-d2x z%kUH506AdrXh$hHFo8_WYN`{-#j>E2xPexFND5@M<8-5wDIm=qpjef#=tkJ8s}M&q z*Um{97x*S&VLe?mbJidBIVrfE)+`9*dxHXCu%$DU<|Ghq&8n4$bO zc^oosNkq;ULcWkg;uQJjcNP8$3Q1k~9POs)%Fi6;+K>&^y^D4v+|4wRQOq9jM zeiSdLp-p})w=ZE2N=RsQh(8qPapF*)$Ra)_f_{3jskGbW`0P=0=7i#M3!2f?Jn7gA6%6um^sh9-~ic9AKxct zBc+w3#gPE?RNx1pva&69T;L|@mdTa)o7|4!Uv7@%h0^rreUo_(=;Bm~&AehIGw%R7 z^$Cj(3QvO>@HPV@4juQvn-TGUtPzeQF#L-n1l@AndFyY2peOL`h4ZJck6X$0Jw zZpEX^e!HpqD&Wc?4>QhNknMsxT;2)LJ}@@SMoNKxwpK7{N$^f#l-o+I>mM zB8!fN1D$^DoysC#j}_{-`NFhD3D@X#4JOyqQHP#GiL3)7nj%Z(xbdN1^+Ul2XZomV7C$gO$bMZP9+%cgeqwI;BqQt;VyqSN=BP1r)2!s!L4MtSAP7iJn1=4}=Xg&$Lsi@?L* z!V{`?0U6{_P3YPo`GMSn2LiuhtBc8Xy_W6+Ywbq->kHniS zWpOUIP=fe01qv9wNjV@@ellkj`l4fs{r9|LLN9bi7R0$Mp1YRtLYE|J{}>cI4-;Xo z-T)C{K9D^Rov!i)?n1jr-hvmW(5T|-G&pm-+JQ1E>qFeBldW#R{fPcwnOTaeULT8> z&Al3+1tBWGr3`LUO@s~4bZI($lH`MTsPR8+S)X@tI(8{9E-R~Dt9E-+Y&G5ewRW(O zK|Z93v^D8n=$Bg6aClAVBsKB}+F2}&E|wknnfO>V{I|o8%=on*^XokGEp^b z{gt^0P4<cD3=2;`*?La4cen4Hh=y}t2^+9$x{M`uv_MGHI8cyWlK`QE*})zr(qkl*gqy5h zdC4>W3)lm1eRRZSaZ(Heh6C7M=F&{qsFWz&N>s|i4_ceEU2yKqvEK&tM* zhSCOT(Gn7wX@V-}6U7D3|6a$k2fmKE4JR9a(BA3#n$%zf@8v(v#I|BF{jU^nJ| zUFMbJHfb=nHvO^u?Js95g`up8*JO~lh2?LPrBpLVQfjr|q#K@CVj65OZU}2UMf@a@ z@Z|Op<^9*qO(o=-Pl#<^^u4XVT_oG|Yv0diwM_JOB)0N|QD$^|^r=^C(mXrs0BEUT z5!AIv5dcC}OFy3TREzfSVP115nHhV^SpYBjxn~q>+QZE_0`FcK0@!iAIqcac_COTZ zY0aSDgO5l;r^|+!Z_XR*Ae+CN(oT*hR>r*SIE(p$=4{6OgKtfY5Em3ZfX354Y^tgY za*6oN`UO_^3ypKNnOK;LG!>>es{Wzairvs#V`tRhujshvu(Y=LQR z4(;nhUVUsh>`IAuWm5icmq4e3(&^HviA0s#81L!sX=di}vz(Jt>F*W;c*?84?=6ps z+I=NWJ+pm}_TBv%x^8`S_^S_g!F5CpA1hM@TB<9CXJFr#_gniiA~6T5Ki;Pcp*uM9 zhjfjMx05TMNXL1+TS5b+BejDnDaa9r{^tzoS^{??3tAy3VK4sohvSpq1+2x7 zZq3D-acN68>fZ}Ge<|?r*qHKSEhojf(Efno1F;#~KuNy%J>>%}2{-BLE6sS=Y}`~+ z)j6l)Wkg2FOX%3Xq2#Ssi$|zN;Y=k#kks7>lC7sbG$4MwG+AmWx{;*kUrGMLgGJxI zStKJdvbcoWux$FAL5Cjr(CtMR-+pACEXscI$?AU8V?sCXRg4l)5-e^k5sRbe%EZhN4B>I{Bv;VC%8& z1G!buXX*YXwPmm*pRTAPfAdV>NTqN|QP-kyrzx1CPOPosQ5TJ8?5oJ;htK+k2*~)E z=r8Dt-72<~(E)H*;~)q6G7f<;l`yeU97zC{oiO#0$rw3ap0|#8TE(|A)~_1NTB8m} zL;JNIr{r%HfLNCosT1dss;`&EETfz3f{!?ruc)dWup5?#4>O-GMLdx(I<>^ytm~qJ z8k@0fdcEmiQ6A0AXR&(_wt&|xC&O&6_+LEw2Jq-ovu~u%71UE9*JwmNiR?8goEXU3 z;WTr>7dqz=>VDF0+p=CW1dSn2w@@Rl>#ZjP0- z>H1g!hZnDlPKIiR)WN-$ti%p|=4F%5Xvd@9$j1G8K!%2_ih`Q~5C6Q@CH7PYaz>(Y ztch?naL_mu95N$k@aIq-EuDJi2zg!JF2Lc~NGv?s&_~4c~5=KwIRLkqmH3E7CDr0Fr8Tv|AC}pXjo|-;sDnZJK9nm(6unViZC8U#e z87Ivhr1$%sj1igHv;`vT*KlIP$rC=2O~0?+d7Xr5Tl!NOx4&9QA={-(IFe0xhfDDt zRBjsvz|Ql?UT#Z2;N@B*Khf#PB?EhbGq$&au2^<0s_CX5%>?aFKiVO6SC-cJGaAA~ zsRr?9pW5)6dyOf3;_jTV4Bi@f0s$L(cJf&t-*}#rjNTvIP>F3zEA926nBp8eYX{ZQ zl6!n}S4~uh&jMq;yAR+B#@>+`e1aIS1Rvgztn7Daa{+)o`Uk+)9!Y3Z?+4X8Hfmpty)$=LI>Fo%%IB!Vg-UWVjwff4XA?iaF1T7WDWWk|KgF<48~&07)G$!&j*6% zY~4`=?*UFmSWodClubBKhWP`4)RZ_4Od2wxFPPPE>r3DjO2g25F}@faXyEdCOylVb zQM@ZmP<-4&GU{Zo8O{d9IXP~m8EB3i5?G*s;D8-#JUlv~bzLZ(4nuwuYC%nGZWD@m%Y$p>Qb>+hl#1us3GDF@uM-n)Qu{KCR0)AxgUx#iov<8gz$0Q2hwW7QKA*KP-^yOmjOD$u{}9-BjV0yAG0|J!|7ZgRb`N_R=1cWC zUP3daN?M?C7k0oF0vKQc?VtJ`a6*B&4C-vR5PE{q!GEI3vu2%<_WCT9%p;F6ASFnD z{d_yde|cV9a2&Ta#&{0~$dFmk<)FdonZffece#Za@5w?(0BAP}izmP<3r1L{-gPCj z!yac6QBS&VcyxdxT6s{+Z-9E3_rES)*=QmK@Bw-4 zdVlJCBvp&vkOGj}KP|cme+-mlVWF+pJr|FW`&VAl^R^V{W|GEuV4pXr82ztvN!lU$ zwJ?l>UX__^2uS3pgqkM6h9Rr=Eh3b4Za zk}OPq_x@y6bNT6)34%vA^*vhUu=iF@L_3uCt(+tOr<2 zJU;SjXMDfAJNRxhqTZ>y6bHQ|mCl>MlMKRdiwXMz)~5-!S)xvzF-RpgGb1XTAD zr=WW*DjPNA3xbZ4Mi&_QDL%bFPfwB(LcmJL0OFD!y17liqh5X8`1=@PEV($|ox86c z%be5jp6-Z!F+Yw{qi_ zubNjPHZqyJ?}ip*#5@vM{thEQ3`}aAm-YP+Olkrs$9#AX|I`ohg**$mLB|QsOW@@* zs9Sk)bCBfnq1EI7egi{#s5u3?-GyS=3t?3Y8py`T_XER-=S8_ZfSYOkjoB>({|k1R zykfELU6R@y4UoU!ZoDmMupH5+hkMe+-0;o-3o+>=G+!f=9ja{OO~IGZi$q78#AKXH0q_0&3k9T?F>AVD5QGeemuABSl#Y zy!^)r_9)Q;2Ve*)&pp~4i`LpYHQUyRj3U27QE`}BCZ(uNzsR<-Trxxl zv^)a4Ql8=4JDNYc67-M@D#XVa0PfU8NmcX7W|(_t{SwsVoR>=2+VA#^l2D#kkcNnn zQddEO!D7-Qj2}n9_68p=I>e6*RoH+{^B!!P(V^q1p->)D7BF0|LOcP$bh)cpE%oSD zUWseu8Ps5@lzZ|}MIv+qK-iaI1O;Q9KKnKJo+YR5R;&fjSBkU%n08ab))`MV@-$+& zu?S{B_QN3QQ$)^R>6F%G4b$ewyU9IXDs(WxAf3AQ{&Z#p!`%-TcN!eNCiV=x8*bJF z(j;4bh8&o4mOR{`zs-jQy!AW=KmKLt7e&dGEgApLn5A&f47B^|-R-P~xu8 zlgZH#Usj+U@|BRp`xVh`Bljgl!-MrE4O4d&8Ri(E9Wvu1hu7Oe7Kt2Oa9a#H?dy1>boAb=sft>fBTYaDuJM(^+>@o%%d@4Ls%y&KV8{H%xV zdX%0z<~>(I)q`3YFbXv;pqw3@QQqakLazK|N4)b;GDGb<@`?HFl9pNme`387i}S%% zO@*|nS56b1baBm6lyf1;@8P@Mzt0rk|MN%Fmv6|xW$D9tfC}kNY=gpFlpGk=w@{Y? zyM$2N;$MkQx!o>rwiD!b5m{i(fwG@f@E6HN1Wgm#F_;H{ZnpcCc%ws(w9N70y1D5y z2X6O2sZ4utoXWVXSeT4&eyst^K$3+;%2v?139V_Q+AY6)u#;#3Lb$YJF}waN$o&}` z>kW`(`&Uw;IH?vFMm1fYi~g_#J%RZIROox6u}1x-k%UfI%8NUz{Ytl^WskIJj z3Yn2P;fFgG_T_lhe>^ytgDH z?26HLPazy4utM?tF5o#or4NG=F>Zlw*VXeCb8OE~kMa&Apcz5t*GB$>Dxgo7Mnh5r zUSc5qi4eEd@hJteg7NeSM)jaWvh-m`9&vyh>9vA%PVEHv>=4L>1NX4A(A^Xd{;%n) zF(NRxTc8bI+#Dc$Bpf}{@@U|P>1ZkA6vkcOvUx|wyNbz&Lv}`Zt;9VT1VlWvRjK^) zkAayy+?8M4IX3+D&KH;op8Qf$c2)d1op{gqFy5V1s@#~B0I-KR>aWL&!1Jp#KBLX$?%X}z*T|KP(g8W1JnZ&3ie4Bv;_Y_Y{VhSB=fHZ61U zC`OCJyyloEUAJoA=~MYJ15pfxxy1D*2Y-rRjLzbLF#`YWp3{!U31BDwy?dl`yOG0h z;ab}@D)>WQ0AT|E5r*hmn51mDFxlQPyAbeI692976NOQ29rU7pKSWj_@{E=IoX)aH z?l{^00)`Sd4;E^z9>vC3BpUrd(L)3*IU#6q_-{6V+_=1GHq`2ojOG`q*KbORWei+g z)3%P7+sJjQ`?V##c>?Z~p-IwX0$W6nP#)G2*mG6Os;-j+HqG!)g!zXGx{i)6xwTE- z*FQGhwrEA;EPisvI-aYO5+V>WAQYiB67rBMucbvGt8l<*>Eiq=lZe`tcg(x|ntF%b;_ zUQl&5Hl(hek}r=E({birWz4-kb+*wR^B#YDXBGdYs!{nBM`KOS-cjkcxA)@k8o*#l zoklCl*V?_Xum{`}ON#-@64mv6x%SSqCl6ZcJL5%iV=-ec5~NzV8@qkqk7~OAr{Ap? z*@R%r(BGgJx6q!2poc{>Qd+=>BrM2^LN=vrOdBg z(o)8$VspMJx2EMzJ=lr+>6or{S~Lo|xc3jXS`Rfl1M1MWJgsxm4NH-1KM9 zp4|nWrtQ0nH>SuP`3pjq4d!W6kZzvdq?=#B^6vQVZU`AzbkGjmXEuZAN&}QrJbwA{ zSMfr1%8@1X+B~LOJL#cFb}nd-lA$>IRnzZMGlrZs>aDM}JWXD(ms?p`kp?ns=cZ=8 zp@DYIHd!wge(u=l1EEY+h)e-GPUIMf+k`Q>Ot)KqpWJ%c!EG!4J)n=!UrwK}Y?RSM zI~bQOJg!q{CO@FIQ{*|3^67M1!4L81^mM0H2c+>Zx92+@J}x>fLi{%RGImjhx>dO! zte^7_Xuk{px)C$&;_>GgHNW@>EA$(W-qz9Nazv8|!>k;Dqd$JjsdGWG2GMW^hsk=$ zfp2!YE*#A7cs)OW$S2>&TSvngHOXuD`y?%Fs@p?!C}S*0;Mj(L?>#>GDDG7nIR)Vr zjWStk(S;+c==t<*2D^+U&g#nobQuFxd1f`@+E5wiwePnsz$l*xhpx}Z(-L=phzY0Gt7 zyIcQ(a;N}p#j+^;SD zDFk}Y=nbW)vkdtViqG=1x#<^gQVCL}zIf_GDyTpctXMEJ;X4p}92{eVhjBv62Ue2o zGYj6-44f083SkVe7Yj|wUUxyt2hEt}3S1cCzkLR%KO>Em^4#xs$wXLRPbK0-9{LzQ z(S56DtGT!8VK%(-5b}fr`t2b#Sg}RL;(3-CiW8O}2+urS(|`-Orzk+}HnV}Vp(86= z8BlXw*A|20gyDah^eezAy%AjJ@765vuh}+N4mOw>=y3f*^ho|Nkh9n=QoD3?vDI{J z?^l>Q`&wcdR2X&SVZFohc%B3*b5lA$jR3K0S>B8(IxQoolx*%v!yva@e?H&ikcP&v( z)R8;Ir=f~XdCt$DLyZ__wsVanbM!2v<8k-bMiUGhvfr5hO8WMCKZ`Je0lM?bjK-Fs zC9vVkur>vv9?&E?o<5=@L24UM?ZG+GOrBG1!gct#584R-MWfn-cZm-gx0)4^(QvpI zVu4eAay1(D^>@PA<&yMOrt;O9iTwNt32~~mFFxu*hu`sno$aM<9@(sql`i<%RHct| z9Utc-KKQj8Cad&9{OtIkP+wn85NW6}3=!j5cLniHE4!z~3xBhNVodFSQ@WQ!pf9Iw z?lr8JzFGZr=Pk+J*jJZ3F2|6w>H^}IHk&8SPhq4sFP9e4Rz?b?nMy52LcKFIL3^+C_wn6UOi~ubCk_BIr#%11zV{E#0x+$p#`s z*nz7Sje~ri=5|f>|1arWaTaI}J-ws-NV;zsSs{-%mvCaSc4+tD^62yG&{e9uCTer{ z`=zO+{pfh%kEUNhrPTh?Fho}Zoo6P~n$4|?eam|YK{OJ4J0{5J zT9RU?;_nDLdw(8=vc>j%(=&Q{npw12^%&?y5XRKfnG%+N8TvD1vl(8b3*Mw)J^zYC}Je93@&<`Q=Fd%4!@(^`Fo-dM2c3q9kk zODA>uoNsvszaQ&8uFTA{?*!ck%&QwcW+RoPU#jhOG<$oc ztY}vd3z}Q^MSX|w(qL}})$ijBw?9X*h9e14_YLKq?hY+{b%;7b4=l_mp6rDJ8OwyWXds>=tvvfu5fsP3u=njWNB8Svl{>WwZbo@)^DQ zB{m{8u;`cfqWRLsYE#49pF!Y^w}Tl|$-{+X<3v)VEP@rQX zNiJ`7zMOY_AA`Zuhd=|}F{2~SyU-P`id>qCS|+F)t?}#@2P-$II={n%P5rm*8Y_%R zc*f?wTW@vFwG6r3hOxy7>?)?Gfb?E`D5v=bu{kygYnUuG({6+9HDv~?nT~w;B0Ny+ zHYNjwsj%Q)IZ&1t-`!p)6kUyqB3TTWD?lmS(!Xf&&wEFXmj-apNNesgB*ZbGi8?y7 zc(<8L>;6a(RnaC+wUk$q>Z@YL=^VV?f1|sTDlme_od~>sD@i1jBe7Vq+!Bp6U6)oZ z(zj^bLK2@{9FWOtQSs?W>I!mSQxvAf{}dEU9{QC-pMF;^Xco zspTSPwMFvs*uG#R0Z7%DRsF+^EkDQ2EBzE7I!^Rk(XVHg3+Ll(OGFG$%`|R{-Zm9#Jt>bBA2J*0hKmJ4&}1 zP^B{5y1t*_&%Fo#_6UN?cD*r?h`|`e?DEpXPU|2`%mWt*G=l^vx?DpP zeljFQfAtqO9;RQ)L+Xz!Omx%r_-rS%q(tf3U+&WI{m1Qq#7#ewv-jt2a(gZg5@>PM zehX^m|C+R!J@Mh!(0wXl-HoFZ``aAHQqml+l;B<_1TGMj;lG1{QmV7?mT64S(z`$w zHi*71-RW^ZA4R<6hk*Lr3MOAAe57yOmSBq~ zC+C%WU@&)qD*RYqoHja|;cl`teaShIlNRW6Tur8$f&>2~aNwUj?@mO&;MUV%8mbV5 zKr|In63{liuw+X2#Q}N=q_N0!GM7=;t)*8f2C>IB^ml3Au`?R2iw>m@&4l3NO`4vs? z7&?k}CskdIZ&LOw%EW%XRN3^G=JEFY59a%3g&y=R$ubm&)DrYC5TQd>*mhlA`-hn* z!F?EThzMignX9qaXJzyoS=S`Bf7!61`!r_=CyO4 z?_%7v-zA$!{|6!EUS#kMNf?!C?U08>###EE$C2z(B>lnLJf&zMpeJn=epdz@S|$Gr zTIGHmfPnX!T?K7AM8-Gq2VglcL&$YMGiJk);ohH>8^JaCgfZ7i3}MiJk{Ak{FZ8~W zEaCBpTYIa`>M=%6J#3q^Fo1Lj?z&EG)s+pXUeCq-cMm(onB)W+LF?ByU)ub7$9+E2 zx2#61r;3gPu+m|12Rdh`la>Z@Pw(ytZ<$DrX5huev{C~>1?3+r_T+y4xc{poHzN9{ zfegUvQOJi`Ixs92uO|$)>wBzhVCvn6P9edk>2&7-CA`cr3xsNav*sQqNcla34zhO< zx%M%342vbYPFBKQR}z`LXjYW!WpX+u`HLLPqesn8rK?CJaL;Ms_#?-<`!(Nt)VC1S z;WHE7a44}smbxu)7bz8Z)mb5H!4X=FVhJ%vZ{uuwsOCslIv+gRK*`yX?wX&dVSY?n zBhuKxtJfP*$f`@FLy7JAJSHpH&kkooULB z+wdF^8=lG&xF(|@kr7rHhbr4J;mtV+?5J(O@c=m$yL*#p*h)ib|d`hpG~4B!Cy4a zHCb0-q|b2mwb=Nl7XVIBSs?s}aN?oB3i74vQOmexaeq0{5YH8pJc7aZ9LbhB%-0IY zs~X2iL5&dzpI*!&xT8he>fg>gaDq>b9c8rs04wAwFxU4}cQ532M;v95{!b9}&5Faq z3K4Ej{Yhf|mv<~sM)za`MDlp6^ zh$y4mF-Wl-Vkj)EF-8d}jCr>8pMdL$BqAGg!2%P3dkR42nx3oSWX^H}M6Nn~nHgJ> zWU)VvHZu!4Qf?p!IYJPvjP(5sK5U5Bk>@2jd>xn%La=wXy*dH#XaTTL1c<4Df#_qT zkgNQNV&LW)hP$oTndXH7kJARD&n5>;4oEb}ODWNKK*ttZSUj?^hEosw11FtVTkS!w zmB@2RW@Q1qcpf?2!GfX>Hy1_gfVW@`ulZQ6E;4ZHDHj!G(Ng#NgNk9$h**Qt2Oe_ye4N{EH18CIxCp0Hz&R=_@Qivpw|Qx6Ocl zp5P|J(}f@kNfioKD4^-WJ(>e!L^Duvf`nKDK@t^y3p&yXpvLEs0nuFe$7DEglqb7D z3J6PbWJs1)-%hP=GUif*WF(DXL59oJNg6by;=#@lZy0#k?cGls*BrdG zj^GbG@VN}|h=WL$8V-)xgh^rr0Ii(ER~Rtsa0G(!zaS7!|JNe^|7sCFdF%nWzky-J zFrst=wobaL?Xf;+$r*Sp*QQE8&xQ2pK-qmF*X6?a_JZ~ZG{{=2k-d}9Px2n{G)PSJ znxV+}p}}JGTOuO}@LRU%pJE}FoPtJ)n@(Y5do224GD1^qQ)$b0z%tx2*`m5wS0XQ zP}GVwgHcrw5wC|0WEIS&Km>@=Jjhz$=Z1Ln#h=it5r97tT+4%i0=m2pK6e!t^q7OL z>|1CFw6;(|;yy9Ocy1qo}n6A_jes0?JV$ z@%9K%yapX+xF12mr|10$HoVbJ%v~^f-$L}rb3!0$WoAkZ;QgzP+l2{0V;af2)Q_I| zn+FL9!Q`Q>IcW+&k($BMvn6F{y0r4zPKZF;@YCsj*Nc-4dI*f>rQ$HaH39vlm*6mJ z+}-X;u~u&ICBcZnZZ}`T?T@gYM5t{HrAH!2MfAHpf&+K)+K5P?sV7H^l1%WA9t&vI zK7aa1_T|f$RxHpNgaDp;0Z$fyK@>}Ye?8ZpCxM#;0??d4ayaO!t2*4EriZ}`sk9>XeFV(m+TDd@f3isnT_X4kPnbQ?V z2%5s`r$D)xJ&;iBf(VUdnMfKzf=~T;6PJt9!pNfXNOi_bzD<6yuFuZ*PzdU)iifV@ z>H4C#AoIec=n&DT>iF#FW65#5_xEb-2LVGTkqC4%%gF2GyLvh3zw*~%`UQ*t%{eux zdI->*Y}}j=!mjKa4Ok*r{8%-G5>e;bcOK5;llJ1L?tzz%OTw~v7X2qkCHT1fU+oWB zX47Ee&ydI<=tTod5xV)Tckq=VP38$@L8&Z#2>83Orxa)y%zg-1&P2tgN;eOMMj)&| z(MK6EA_mKsnrl3qRE9Q1pU+)R0aVo0=4W-IPc;&-^J18kF`jAq0Ocs(?bi1d69wic zj(IbVJ+LVVc^+C;1Owon32mS84^v`73Ndr8V-(mLVps&ge8mZPf~ao92}?u3$Op5m zlc1ApfN*mCukp7e==TCN0*3qLhO4MnBLm6DI>T87!TWHN}cC zjJ~H!CgbybTF_sNzNE@C#A5VaV6PVm)+bZJ?G*km?*hSk%5+^V@&*v3h-n?5Ye5}|5&TG)d?hj#=1nZ&`hfrI^!38LnLW7If)dkR3ppcp+ay(c z1O@%Z3Dcv3jZ;V;nvA3ceFOei)rpKTa95hzQ91|h&m*nUzz69^Qh9O(!)K`-?Ec7h zc~qB-HcSKG6!U^eXGTAdQRcnHQPk$dK(8H2~Nz;%fT7$nkS zr3A<(1{m4RYvJf0frD#(0FNiSK9jPHQ=uSx3D#4Fv=Ar~@)U}!;=z~VT`;@}>fFVckd(P&UYe*gXc6PFr4~WqZ zilVFhgOG3EKI?$9m`ZmG!YIaQoY3JAia>@r?V{Vi_i6Fcj9O0c|UAo=teJ?+@oSSkbjB5UHPROA|7 z12X*SGLU?lMe%(k| z0hG|RA>cRMN)WAp96ABQv3>+|Qcrub!Qa@$#DuTJEpB6!;*#fsI!lV0;wgM-eSJ}o zdVPr4*K7Qa*Q0RngT32&7bs3u*C#onDcu=#QFJ~^4c!>5)ckBQ>zvkIkBiLa(FmNvZr+g=p!YD6wH9JwIV1=nvIs=@ z($nN0@SI21-M>_QJX=KUd>Crc7spcF zO=T7MyQp09U>AN>XK|SWlTAfz*m;p{9HmRIl&AXKGt8jV#E!Aor?n=d`nt!<6uQU1 zqsKijD#j19Ikny%A+r0Qk|E?LE5j|*tlzhO)IfMxJXG-IiT?Vf>q}L!(wcnW zqgevS#57;e-o-HpuH-qcR@iOrPVF2+exERI9-VqW*3n$M*hnpZo0G}uF&eg&q22S9 zb@N^h@mCSQ%a1>@V673zt7DW|UsHN2zPl87xHN=(E!UnnJDFDxSc7Dp7ZeU?(bVM* z;a!$3&yjn+K>Yq-{m}oi)^aL*aC-56!(oIK_GP9QrSocWoa2C<{pHEZ7|qKW^`aqk zI!`f?&1wyHkwPlfre&7Y7fTWR%M(|}jFum~wuC#Bn~#N3UG{#B*E>7v*4R_>8`WW# zU#)eG*W1`L@Lvv}!G2d6sl^YLhXrvO{qj0~Vp(IVqBQ7pLQU1U6(ju9cDrk-x|^&C zNmaBW>rPRB-d0^B_@%y;vkyO>JW-1na7R1**>p6Uhlq?eyuUV9;TC& zH7?Ryhd#%drmbXgzVD50Im6|uKCi}kkU3C0|wE0xQG#AvX&*}8(6#BSLlr3~=l_PUfZ?BIZwjNhf zEjuLoQ6OvJJTmj@#7(#AODc4yIBb6=aAkFf?lQ&fZiaZs;e&)_&Met26|ae3XXms- zV~AFC!}Hd&>F2DQ2kVC8`DK_Hm2DhOCuB)uT})huomP9@1EAS|E?Zz=YM5v1mZZ_( zY24|{HB|#$Cx+j37E6r6UL9kwyhG{{O1jJ+CrzdkG;42kj7BC=O~X(ZAhH({o1dmf zLMfS6Yt`#U#(rj1?3lO55?gG3weq-nu=R6qb8*pR$Rp;WD4~D7S92 zrBGAtk(E<>BinFb5V6HuLl5=Og`7>^kzMYjzeegpyr=~&?`V}}@9w@3KHu(GYeT2Y zU;3Ohw(+eB_T71+pt7>E)kT57tfJzTb@UTL@{anyYF@j){+R5W0Ku&6^%V&P`5`b%zVT>WwoP)E(TMbZH&( z7E|`YYS=(jkAbY_=R0d@hU6M&Otm@AnZiQD6wLE0ku5FKEtzM~1Ftou(n)h--O~f+ zQ`EO(!)qoypHi^Gxq&Plf7Q`IlCEp8Dub3R7}d8f3}svDP5eZ6G|i@KQ<=j$M)EtQ|9Qm(_8bO zfUD29YOW9Fn%jNR;PPumVQ~oCr_ec5w`cnFv&3%P03?UHwyEtb0|F(_d>5nQc13b} zRPW=lXH0nhJK-g4OzDyQ8uHjk^TKEJGlbhdl0hu_TCmecGC zW0_>#-{@ME*O2ks&Lnd+tTGC3w<3o<;fFMC@aooDQ_^^Byx;G@e>e;n0*S_rO6>1$ zD;eW;c1ERTW%+5g4PlvX%ap0y#{Lsq3lWgQg9)RoR}U{;PcP55nmFq_Lhy@BUkL>_ zU!GdMr8yG1*dIeaS-Y2dwO$8x*=htGON!0sue+_?Xv!~oF~@&QZkAZCDV)BD;w$NJ zxPWbjMB_t)?ecn}(A6g*e74FdDr5G8%$%Q-dVRmVZ>MRy=|i*f?Hm>@0_&TIx2RgH z@wB$!#(bD`!To(&YkVydaaQeh71_u{2G@2i*4u;m_kPR5uG>!=j%Gbz=f^vlz1H7& zk3z!7R79dw?(@{?UY)FDdCa(iQ2J4u)}fQoY1VB8_0qI0Zisa>`G2tWm0?wNUAvSL z1`W~((g@PsASfx_h;&QGCZ)T(LAs=yjY>#^bc2-SCikW}Ys2$??|Hs+uFGFr)|_+1 z9OIt%7;7#Y+ZU-Ma@lbua{;1WOCiynrmbM=x67rr%L zTDo&-xjZSeIC-8vErdUfvJfz-e8_ zXE#UDK3{p3-24^zw_ibEx09`|c8WQl(+60=3%InHBG=zwyP2*_vmh+9v3>~Xc3aWs z7=_jVcsp?|T4d@1a&fYylFt2o`8Bh8h?x*)25r_g{f1qYA$F6)rTE<8E)$aBcX5Y7 z^=S}9sA0j>#!f1}ai#JKdNJYAcoy<#>F?RyW~dwipQn85ky@JP_DS7Eh5(WcYT_Y> z4?A;lFPT#nUEQUi4}ZN7CEZ`(8t`CW&_Q!B0gLY6?l7a_I|0~&<92!Na2_l8I?iR$ zSpxzCb|b@3Do5`cf?ajTe#89xRG2s9i9CU)jd!E)Yqu*hpE6G*3!?qt4gv$|2y)|S}vq0GVVDM10rjZ+0opQ(ygPH_9f zNTp9A>_BFqcO>s%dQWk&a;9i=i^Qf58$heB4#C!uda(H$>OP6JBh#Yh)cRIguKjL^n5zssO;~^4X|C{XSCHZA?*iF& zWW&mKsJ0^S6nJweU8B~6!}u4L9lk?<0>eay7l@e0mei)EkJf3%FnCM?Q)oSOGFtdD z#AU%=+Riy*zDCK=zGjGf-i;}@O(^+_-1G4J()*n$9aP-zJ&iH(>rPb8BgN=(TJVD8 zkjF;XW3X(q=MUyN^Ha6&E5((C_Q4B^C%0E7na~b5J#JIR$fZL@I}k0<{BL!+Z}N=s&ask@E zEGOt^zDpP$8@xlx_2WnR(Ulx%dh-PM&d1Oe%8t(d;&&h445w9}5ZBJb$t#f}#&y(@U<5R{}C3F^nS@2vo3z_MuULO0Yz zgo}$7e>yi-3JIMc9(xvSpWXCp!hv}r*pITU1Ewa;FjaBh_mh>T%U)HYfH^P zGnc-Lk~A#FWD%W4G}c2gy}sD68G^(DX{$W-oz?WlpqmP+TTTKe_U*2eVP&urxtb=Eqo$28P;t4% zTHH^W^FIGW%as}AgQEtoD0{y)n zaJ#&Uy}J&xh@?9zXJk{?{BQo%Xw0z;I_XgY*`SFKKK=IV(jh*sAAFUg*JtHE;}I_* zcuw_0InRohNwz$|Cr{Yy=J&nTSQ_AggN}=KZ$^Sr&Qr@A{vi^4BQv&Kh7UZtrFIwR zhr8HD4eeuB61FQM#L2w=2xsyvB0+sVVs8T<8YE=kAaED_^G7hfs-UizO?rI+*cPhs zry}3=6zo5|xULJyp%i`-;?py4<}Ul1VrK2hkXljsu{z05eSx-b$XR+r6GJ~1BG16{lBI4N{k^-Io+S5qH^Sn^o5o_)<~q)>N^iEiXS zn{SOM_?&VwA(Qrb!oMt3Z7HblPYA0%ACuJ*r^aDv>GrOzPwtce?BsTics=gWabx1* zbQ}UXZpd&Ew&K}w2EIZ=94J!PN0^rXHu6}#;6l6JG7%Papsr)HQK5T#eKInUC-ns4 z+NPFvH-qIgZ+_#-c{BN5UvKZmrzpnf()PBb{mJr$pZCIz3uF{k-~KdklNP+RZWDgC zEPd8Ee3{~?dpuO8~^LwTc|H zqxLbSw`?Fg{HGV-nlGk(Y9ZV^14bkei8T|$wulPNb)=E2-xyL4c> zGt*|YqP1|dznJB=F_LnKD6Sag6-WCzOHvWjbM8vA-_;R(B5d~~`_1Y|>8a)9fKJ~6 zkc^jJz`R_uU5{VGw*0^J3{%Kvk6bS31m0|8ij3{X>lbkZXKxR!+3DOyRxVvyD$X1i zX`MT1FC7njaXJ3e=QJ?ghy^z4FKd-P<@@sZjC7qWsf#I(uH6;qhWAc-&UMJkN+Huk zpiRvUYF}I8<$e|C=zXz~9D3J_`txvVYQJ$gD~;Rcy;-(bgXNAhMzyrqtI_0xzOp{`*&8NGJTh$%zLoD{C6~7khSuJCpHTE>j)X_QfdI&%ciM)$`<2t&M ztvYY{TNUbG)wupr+Q{hEKU$mYilUpodHPi3ja=(3{vZE9H!0S;u-z@p)~8T)_KO|Q zP1`P?wH4P7^Ly2~u9QlnyW@%?XP^3muMeS`OUKv1amJ%;ikbVuOWwOGX$@!!HgFFX zI=X81Y{GTS$qiS;SVwj<6}iS%+pDjpgSr>Y7;j_ z4&P2oFA1bFuczD1L~hjDuPd5Luxr9EVA!1cG{==2r01Y|Ng9= zxVc2O*r>Z$YE-%)n?DOOkX*L$sGqJ}3l;D{MX=9EReXH~J8D=N2CZ5}v$nAhWe-|3 z4{0y$I3=H;ei$dW*_DfL^gU_qy|#56Rs4Yh1U#c4mrE=(9D@m-iN>Im@Jn@_V6*35 z$)+N=4D}+GI#ms?FRqhy$!6_TcCNr2NOTAjJUqK30j3|rS{Ic7{te?OW5cm{z(~)s zLt~rz*PjSXMK{mJ-gZTwHl8yf{)_f_A+b$^wxL8t2O+DqTFWJ~LCD?rTZ#$KU=DNR zV{lQQ*Rf*w%@*d}siZ#eF)Y(8@b<-0bc468m7*qa^+nBbYliE-Tk=-#=7_ESi2|Kn z^F~GIw5Rtoy)$=P9mbK1HDqC^Lfl5Y%}Ler**RHz^GG^Z(GfwqqEc=jU7s*ia}g3% zGnB0F5egh{DIo2F1TW6241WfVb^0N~3E9)r@_;`)NoDr$%Mxlo@S zy~~s)b54Ny4*!YwS*|rxBo=Tfhq)&Pu@Ja2AMY4gJ>P(BI}}wN!y3J3RyWfm^uj6> zyukaBb#Ch;b+>ecDg*mdB}NWYBEmVLMZ)?g9Jidk{LxuT)aIocm3j843u`vWz{MR~ z=P;8E`JI_m&)E~s{UD8!7)<+{b>#4K(ez8gaES0o<`iYrnU9vp?R79h)S_v+&D+KW zhbMZji_S|FxaV^KUfvF+%gU+LbEIqKcA5n8L~n>uz2&X)rR`c-`<;Q$dO_WvX+AF0 z>u*BB0cM$W3Z)ls8N-LOq35l1PcKSOyvA333e*MGJM3Ei=G!k#S=`MRG3#Fl$r41ft~pDnSn%*}xpNm4$b zDTn-gUj5Y}l#bhdGDmocG@?7{4<$I|fp0a(pIeX{Mee~|I&9UUeNs#L( zC!Xv?p3)Df|Dc3<*id$O7$J`UHIp~t596Aev6_(qBUdNTev)&2s6>5yhPW)29`Jka z@80cV*48H1Mgcb0e2)v%q4E}st+B)D1X%42bUqrG_HL}r{p9cYT67VizFTe~ zq-D2q*9%-@0QQCxOZWj_z=7vIBz7-M(FXyWW1%3XU$BOVm{W)Q4gpeQ=XUfR6HfVx zl0HM>OOU2v_R*q+I^zQ1g3DS0Op6-rgn(i>2kXWl;?7|^8IvF0@IzMU1Tf6@$XJq zRUvD~`Hw4?)xTr;?aMc76nBSRn}B|#P|2KPG?V~CAuEpBR(BJeE;x?3BPDh30!ZUv z_F_F=QIKuN=kBn&m;9v1Yqz5D)7xk8@?4B)r|E6{AtCpVmmfLqsjJnQ(5Z*w7^e8R zb=!nyGQ9RDi^%1EY`imDOLw$GQ3ZT0cela`IF@=Wx{)wGdE24+LLq~9Z2oetRE??S zpk?=O%>YY&rpsKP&i;CMAo*RZ&)scSiV-5LSL8M}%k%i1$K4G~D7T+5e83-5ct*#> zI9L0_2Qi*SCtN+JF{vfUh0)0Vd?O5H>k*;u3c9>)@ANaC1<_<(2XsCAZu~6Fwy^#N zcawxi%;82IKyVSno-I+K^8gsdzjxKHv@7cJ5Q;nQ5r#Vw)ZaN`#OA-t-8*1+J}}$tR!H+!MmvmecW-qM;z1rgKWpVS zz2!Bs1OqMCPm%L}rX+V;L9||I!Ui_f_$JK>o`48Ix1tqF1V0z6DK_a(80#^6iHP$# z+IJo%0yFK24e*`6-8hLH;qg9^>10JwUA|M@#RPw@sqrV0XA&ovRzuB8DxmPCc&pR)7h$ib6r-^u}t6*#^BV zb}S*{58(M<&~a(awPdm5HX}@LuP>;H`T=4Px#pExKp}Hx;$SXwB$=SwXBL&pmK{bL zi!wCTRwDV?T?V4@-6}Bor^c6@1$O{ph&A767cHPCVNQ%6(VkgNJeVb%l*_yj%1 z7lg9Vao5bl5%mgX0m_K0V;H37$3^_G)$8x2&(kyHbE z1Bpz@O!*9{zsZF>%+>z9&RlG?%WjxfhJGP-kum7e|NS?j&|N=hlvLQWDJd}#IZ*Pt zzeAo6B{UF4rW1r@yL8uzXG+?%(hM{v zEjd0)>7@;BBRs;(cmd3c_EsnGi48l+1^a`--(iV+L^~sU*woz zYz?L&&jvH(DWPPw5lcdC`gdi%R%S3W$;KKtm!ZiwvwZmwHi64Fmn(s~e@FpbrsdsF z%w^dn=DV5k35@4P!TQ)3dI)SMs@VN6k6$DvTbrI49uy*VOsSN@uepqfcaVLp*B zq?22}EG|!WHUlsfEn?$=5BHEES2xPSG2l_7>br**g}lDAWawW-MbB=cf!-c7l#&ul z>9XftZp^IB>o{_0obOthgKuP@iu#TY%U&>x>`>A8jj9?0l`yoXZ12l=ppn8oJ3#S7 zihN4F#jIW-ZxU3jf!5(^W4n!t#-%Wz(rD#u0$EF8GolJUw4QH}2W4+H*{{{@;xnmF zREEc73VXFc8S(Rff!Iw-%FvYEH$sg$pAaw?qswAvA1laF&oiurXkG((wr<>N4Zn6Y z!P{7?3J<$gDxBb%GVgD795hb2V17Y(AJ-P)a`B1%*wXO@zu^?hM=S2QE19AY^BamV z4a-s{3t>phuWR00W>zg$T34O^J1n){=M#s>m2}L{C91Dj17t9pr&{Fca~&KRk09J z$n6=504fb4&LJY=BuoTDo`QGs8See=Y5DGJ1S}=S7XvBP=}xC!l^Uil8^gR6shY5tmpP}IFx=XI7(i3DitDM#FL1I@PrEZu~ayNhk#Hh z)5(P-)^Qh_lW-@gMEpmYh8H_M==^Ev;nNx)waYlKSOoNdXy2VHia=ADPcrrSYN(%N z7CJ5B5YUYg{BjoWykC?_WILbV*|vywZKm2d)MVL4W$tN;o!Hf!7z^M~BI1PnBQi?2 z5wLUqGEDlVlr>Q^cc}%xWPV{2fgyV z7dxoySq3fe^JA>TlN&`f=xkif|7iPI;(5!FDt!yI%VhpZ#h0wKug<^3( zgw2N_+{268Ev`B ze&{fA#H&zYP;A{d0Gi-2eZ+1*1%80`sC=lgkk|1dNvwgAcSiMvA1)Vx^UeJk=|TIU z^q$tuG8C=e+M#4B1RFcG<~R9Do29f3y?w$dfkG$hMq8KzG3{FjjLzU+F7q#mY+P!p18namC$r3Es$fFSEAK(WqE%_&>_iGwr{gHe{fP> zsaRPbJFR{Tf%|C+k})!VtG@4bHwIrLk65@rD&`-c{3;D(vr(WVQs70BsnruDkyRa0 z7e;0gZ|Pb3_h;qu_#d=vr=5+Pk*Hs)G!uEf%9B-O-?vR%#%1qlN&Y0k=pVr_%RmWn zTl2U6GlHLzpq@+)y6y?>x5juCt_d8>&mp~@9a`76>oI0A*>+bNc9Y)H^KAQycojNC zCY8c$n~<`m?@cQheJ-R%hL*bF63ou0qAgJuRG6@*!O;aBLP zJDb5o{n)!tPM!abzMQDkBLPBY_m@XcVpt7?Nj0x12(oXH)(fq(tZtUGC98YX9M7t6 z3#zIwSEK7ji0yWwzihncZQ%Lf4`j=H$xs~gr8Yj(!Ia!OyX`@RJ>FHK5z(@l57^ly z(A6$TKiO*j^Y*5@P~NM<&@L=hbTJ~DtQ=>fr$$No`-`VPz$F2VnIP5DWv}Xy9rDDT zlV`KDnjYI$Gs4@^ziQw02${<0s5YHg&xd3zL|=H;-Y)(^AE6XkhE~mmUG$!g7Jj^K z-wY^d|L|2^YW|4uH0&M(Nh_VR=cncssiJ-g+tlPvmK%ju-HLYnc*N<4FKb@eboBby z&+`D25h|-?vB9b-Wa$Pze6A(%&l;bSZ+5e9nTyX*7)4wdqP!0n_w=q=Z;PjKHw3tP ztL>J`&kO}aNGiP8=&q7QvMX*2l%akSY35AYWmHqJ>iJAR zWiyJZin%n64MSD$^-rWXKe(WOSdlGD;PKg1RB0yl3mhj%3OFi#Fq=<)ayV^LwSk>h zL+X4GtM_4ZE?&v&ykbsCmX+9d(NQD+=rY;nSvzQ$k(qy6i*#|zQuV+-G-)5VnpoCc zeR~l@O8}Oqxn@Z}e`&nV6tg__V)Om6D2rxpf>Ex;jFy)%D8b70v9ZN&#vfSTLWNo0 zWyt*T%otESxW3%2I)^R$d}wRRI$CHo1}+Q!`a@{T@-9hkcL8Iuj;5)%W0K`}Z|POf zr=M0T_Fedq-)w#e&Jzs*C>{r>FOeEUB0_qxso#nw@yMsLOYL3(hwokhuDr2b;C)KU zt5iluH2pVXbE-mTtR3VEAR_cKjjE}dEY}5l)VcbB>M@pcx9YV7v+|?zPtsBkA!ncc znWYd9#3xkJfIlgDt}i2Od3`iX6=t1wV^^P{UZ0|X2eQ4?*l?x%JHn%-SGziC_hH-b zBo-`*{VY;&%h*}zryA>w_{ORC;8uE6;z(oLDvj)S!t5nfe24(%Xyx5b;95)BQzoW|x&~Nw1H5d7w?QfLO;=|R^$7mD!sc0$GCYvdPwha$y~~p zI7WMluJEbV=*#vxlbRY`_5RCSm2WNcyqrrjn2!dM>&Qg}NCqmsaPPd>=`{3ebLLNa zwaXy_=mjk0!Jp_zBc0p9qdU{7w^;A9yxPuQ6cWFCGGw^C3Q>UMt%|Vbe6Fw2j;`Tx zUJjFYPonEv<&Trstu=jCs@ez2ADU~Y7|_9-Od^%Oo3xu%^FLfRa~%6PHa=${n~5f0 z-G>$GfHt=B-JdI#J`V=;`$>YmZyc(3rYcA-VUTQT^Y;bMNVr$#?ZA_p-)!c&PY)J# zaLeOnos|Cwhmajc2xLj^?Wtj9GhV*gQ(SkYlk?Y}j=ahy{2~kW)o%aNwO8w8ta?Mq zy?AKH|4Af1%dV$Gim^E)k-K?|ADHiBM z5#FH%6#RqAkB|YN=JDQ{vd}zgfAfgEt0wugZFlhJ36<9$Hny4SZY3l7BzC{v_{UT! zAr7#)4C(uIo3-WaYYDbMxMt4QFkU-q9wc!nd8zJ=D@C?PPU_qEhv{i+Mj2Mdl#eFh z+S4GrU$3JoU4HSAn!)ukfo45)d}*9{sv@zpu=+*)$U2y|=IboM@P zeRP4bBkLRK-ZxTX?XnzqHgmP*L3*~nQG7g@*s$deG)%7MM+^T>+V97i8OxV8+UQT@ zh0Yi`o?$DR_peI9&#CPBn^Zs4P|D+RSY7sxrXUSjFyy+&_=rfLgMRepj&_CtfXK>e#hi9d#CO|(jMd5)dQ4fOqrYqj@ zMG{P>`3^Fq>7-5Z`qmnPtuUQD-|c-5J@lNik|j!9>UKn(!sXl2OCrEIn`^%`>SDYl z`ucko@>}v%Pu6T$trm}OM>Ornb=*;ObMvD_7qiJH3+YpHuDhQ|7cxnk-_7P3RLYg= z5%gim^YJ+?jYUf)Q4<9dkeysc0{Z*p&z$H5u$hN|`>b~1Dh`@V`8m&jJB`z*H~B#o zQ}(P0@eP^ft15Xd2Zg2f3I)Z!8-N_O2cGydrDNCqE0)@R;B})pSM}Ghtv!Dh@JPwQfT7;5*F= zCcPi5V;w_IkqnOVMLrdpg$_c0M;iBTP^*ujA7+jZtoOe{wQ&#X>utIR2M=yiMtDHt z<18a`ZXMleKMgcGax+=&9j34-vv2%KR4&Lti|Y3v`7kYd@hEkyPL@$Y=>E`>G~{~I zM5-fltu|2F$F4Zbqj^3<{h@L(HFi3=+-t|thM|l!%<=O8%l;;nR?D#~=fEUbaPZFS zz-KO3M%A|sTVXO#^7WHh);#oTjrq=B^nEx_wfNK9@36R^r$!-{HRO$f zSvPQUj(TF+J@2457^u^B(@R`QRhlnJ-G4G*vFTil$=b{^Bqni!um#Lm#+SY`2trwO zi(cC&!rs1%)d*6p)FqNn;|#s%kD)OGmz%H`sJ1meiou*CANfr$J!ec8L*m{N>ut$I$!eKT%QJO9V>F~PZL~OPgr}aD;;?ZpS{IUfg?T{W}mw_B3ZYPk(c_QsoLFfaC(8LLOU2Z~D39@f1sgqXyyqfqNEFJK z!K#AG>rW$xfNxO6@?;j?DAZm}`%r?xze>xsvzOy5tEwQEYF>BwqomzuD3YHjCHl{2Qinmd*{1cmNj>gNT3{k*@>3YC;U`* zmXnzNpI!h4-Fjx?>sgYE@QppAcg96+td{S_JLdYDl=HTzKraNGcLGL)ubyh?r@EGu z8LMp2U;d>+>e%dUPX5XwT!HCw)23X;=u?mc3*%?NrBmp_*UI0RhwUhpv&f9eiP8%rM zXy~{VZx|W=kwxSGWvSj9)+OaJr`PiM*XlpGwO5E5H0x!9trqdpw}H@~^1^GbS$g*7 z0CeH0bMmYA9M=7g?L%h9O<{%ESJj#p09hva|5n)3JQ_^cnr{d_sf%bidhV2(+_u%$ zlQQpkW5}DiY$9@6anFsM`^A!xq>R-`Fo==e@4NTu1FiAvti{JWF`6`2N(4~WuvxLTqf<1we`n9mc<+c_JPA794*ZO<&-kLVqLA)TZ!U~v0{LWjlMnkI})6x67} zc*KCLb7p8#WN9n5t9W+9I_BNw^g6ko+IkIL{zyY`HJJruGU%<*9hG34T^dO_d8=ln zXW6dh1*^y+@$4w*5h1I%@EnkzWbDBeTCO|SZzihokW+7;6$)S^^FAw8yeD|71hxolWUzHz*~gz##NH&lM|$4HKyG-+9g8Zet7 z?v;|X?+A}G^Q_9|e~1V1jQ^MBVTAbTGfUtrRX?8#9e%5gK4iX{JZ#btK3%u<8e~=mjry9cR6yHG1t{kCPVk zG10?zF2lCEq#u0U0OzJeNB_gNt@iy7+x9;Mj2aBADQmj;3*)Un&UdD@w}b-X<5=m{ zb4BAXtGfyrT}rRhhc9aF;M9=}>OK86D>{SY1%jrw@G)eec*wBlc?g~`sOB~Ym za!V`)i*CC3NoAx=)dGDohXc>^w>kn|>p(zP`{=)|%sBoIx*~0UI+A~~v11FMV*!@%?KHggFR*!x_ z#8vj9X}DE}EDLuGm@3=usV#4s2cqvhQKwGt9+gvLsq6*aQ*M;sP%1rpnzxUhBOL2+ ztC$j~<}x%C#Z9iC47uypJ^~bIiY>EwK@g4*XlmLmwJ=-k!b#Ef5}i~b9z}+d#m|_$ zORUfIv6OjOW@&92K()&%0*sLhQlH>5J*Okun|vau9oAO%7|QX+K+zDZfPg^$R$t$v zXi+SvDY2@5%owM2WH(o0x#=NQIDr`kqA-}fJ3b>AODXd&28J5OP>x%eOPnYU%6X0g z5^?(1Oi?U_G%g9WxKY*2NjcD)&j>gn622p>L2qfXb4CYW+0mxRYLb!Rz#P&(0MD4p zoX3g+FI0Iiq!V>T6wVBm7gFSBar4o1ZY8UHDugvaixzzcLd?(tW z7}=ZPz|Msn6OL{gG2FE3F3-{`esnQ&hcIDk;HeQ(aYtn;EcKi35vK1AfA+juu|x7y zx|$a;tYZlo;P`O`ld^oZBO{UTRGp~K->wt4r+RSG#N2v~u#$)0GuvNS z7y9J0gSkSAqe2))Zt7r@f^~!% z&(!fOCEAth)(|vR%y*<}@Q~Up7dL10>AP0}lVdOKS&N9Id@(J90u0c)aMEnS0^?Zv z3W^`))y!!HY)d=VgojkoYub}h&aaQ-gnQNHDa$W`Qr={2*R4#aG+}OWbzPslGO~h!J5KN-ZQ$ZyMRC{c9Ot@$qQ=cmDE#7KxQ=1`x1T z{P__SFhWE1F@`i}RlnP6IMFb18kyi_MwC%;<^>iqlO)MGlx}PnWly#Iovk%1)vFdl z?|Rj_MTkrtj~1Zj^Cmy_-G{;E7*RY#;bJ13KCBb~EDj677L3z+Y~sr`RZJwAbFDN^ zX^cREu_f>S&TiysuY`B*O_n8dd%CzZ=y7O9qmbgRoD8tBb04xH0+hOdbb*DTbKU!( zJtkg2zUNU@*TyAiL)+s;Rqj*0VzmR$uq?Fgmtw9nd5}~j%d}Aw*QumG0Ly1A4 zm_T$&8?D;Ob=Rzl(tVp(}%;>y=i)zwF4UP|WtYu$6VG@`lN z2Fs)DS19zH`?VNOL*MxMM-}pq-r>FpF#S#T?IrrFcb%T*z!s)OXA3ml*5(J`n`#Eo zBEg{9QwUEPSi%o;1+h-?tziL?^J#3Y7q=QV_3?rH1$eTRw4MK{`IM&Dwyo0#=NB=j zOkYOA&DFmfof0@%3c^2+i&JK z&+;pte?9u-VCdc+IvENc+uJ`+(~@VUN-_dUHYlm0_qGs=(w@7|QY={C;)$YZ-T(^A z43SIqpWKy?aKAj#OH-d+cUz5@`OIFn{UbR_0?6vdcz|z4IGA1c{o|YOfC5*FuUZgO zZ0BkIs1qYQKsc1_@>CO9byOz}^W$d>S~A||RRc93zX;lgDEu~KM^- z>p~Sji~!g5HR4mNn&n$iI?#qK#tV;7=2XeLpumcA z;hu-VgZxio0F+5j_0hOe89yb6uUb-rU6waKQ~&hbMar~>Xvpovh26Hs(OJU0^joCY zJtWe6h+;%ZXj_8!-~`c+;I+2olK*y&)SU*H2UV><>A*1$8Z}_& z7&jrnw?aXD^1x3NxQ9QFXN?b0KA87tbMJODnZ&IQal=Q8vG^y-)X8jm-n(WIuss$X zpC%8r^rle*rL-7de85?m#EBe$0f(_*_Qb$*h;&$88?|DC=8t0?J0;RLo;0#Vm3j+9a#*BVBuXmrujT&=vsDQbEU=$-718DW}EawAuug?y;+F+!vPAn~diTU|Q1tNp%kDT;=|P)3B8OT?7k=W6zN{fQU{;0Ekz4;zw* zY$}5kzR2@r(Q*JUCA&WcZbcg~y}Xe$xO+?Y8t`OFL}x&^lhvoria^$?$`oG%6fXV_ zxV&?S5>4KeL*fGe&sShbB=P&qJ>-i*KLof5rJvj@tbp>u01d83O2iR#x7XYz+4=H2CZk3jcJ*2YMfKc-leiCT;by>a)xV)Kd4&S}|#fVZ>GsxAD13B`o=)cSK0jhRi_QKiR`MT?Jz@mIk;-&Y%O7fbichDKoe#^?8q46kB* zMfn5NsaE>JhK!{QY8t*82{s~)F&bGoFTNJwyLXM^2k>23iuOqazG9&L;pK{Jb?Wo6 zEojF0pC;Z+ZS;3#yS8)v)$rgU3b!FX9`dL(aGF4v9+kY`NwSo&hjBvjr7)YhA?rd3 z;~oJm^%eMJKZoDTXzRJo>qkALln2M*nEYi3dT<>LG|f?UdL_=w#U^taq83U zHR*7L#)#Gcn<<`#@S6(|&^s3-9pN#Vk`|HAPfY=oc-PCs_^61a3a=Wcj(x<5)O%em zL<_!D{n;V=`@htB2rjfFY}WU)zgi*klN^xkrcWHO$Pdh6d}$^9v6Og#L%RFL41Afe zab0tumkR-X=A~$^MX>VY31H`ObUJ4s!GBz*`Y2sof|C&^##K`+KmT1-N&?=3vU^1`d?9&GqBfKE1?Z~eCYN>sehj!du1M^OeUC3WA&nt;`5 zR2~(w*)hEY%n?TMV8vxL;QTQ}ZBav49;JY*;35mRNC)LdGf3gAl3MDpWV|aC%QH6J zGZf0nh!R%PxK6bD=OHKgUU2ha{c|SpCWKoHaHSw$mG2e=ZkuvN@#RI;U#C1pV>1T} zh&&3-*oGYI;p*m~)#SqlV$diS0Cz&me*RDPqC|`oW&grKz+bzPV4a^Z8LZeQ?{r*2 z#uL(%5VuVE>s^C#(p(UqBhkqG{knYeLXzOI&sPZ88BpFw9qNF~ zy7k(_*ZL~vEz%~kSAObbrdXe~h_aR|{8o-_8R*KRXW%)vZ!{6_n4;f7fp~OB9U%G79viu_} ze9jf}hgh;0&K7mgkG#VAh=eC27n;h7!c&(9VPyK>r?tme zIS9&Yl1x$R)03Lt_2J@o3O%@Y3!xEdD15Opl$|K_z7xD7VfmBJT6 zKTH$EuM7lI2B+uu_>@T07fB`(w}Kb2mC+**5Hu+fVGq%ITR+17)%`~IL%@YgAo#x| zz)L%*hB|!(LYB&3()<1@c3*@?F~oG*_H`|lJs41NxU~+jAJSR-i!~XzA^~(l3zxwC ze@Otq8l(Mf86fo*jq>r{2TlaIxfJUDZLSA80L0c4``|}Na&QSw%Kt5al6gz-+;}WN zWhmx4euhi&3*p{e=KnU=!yz2@DdHYW0RTP)F2R=8za;=1J-WV#I&g9<^j27ah>J^$)LXks^WRkNJ-^8G4y; z8;eWB4Qz&lJnRQ}x9)?7KGn!@Y=G+zixclKzC7oZbIt25_WjQ}Rl?+{ z10S*dM%u6Wy;C_TT3z<1D*M>ylae!nD`5*+(udA1cOT028p(O|mN9H}3<@R*V=WV+ z^gKQ;UOxNlW<^rha!s{xvx2L6x>fUwU00feew{6ryzEIuXlusqGiNzV`De&2=r&;xK9Y52&{e0Q}RBkT!dKP z1N|i+OrIu!t@48>$0`vwMd8{9j+MB%?(|Gg=(xbTxUp1Ev%Sl$y3+boz!F=Pie2>z zT}!Cc`XlwIb+g^mtIKC3V;jRdN1cm}Ti9tm&PJ)W;YmE3b4->`xxFVoa$0KT{AXKwl!`MhKd*XXKo|_JN*^fRiNHGnF5=9pddw z3z4gpkp}(V1{AgwQ{;Oo# z_ZZn7JteTv_$V#QTe@3+T&u$IWr{Gca|xJ$ik zlMdN$uMSYNb2PFM=bUG!8LkAl*#5rBXR!IRKPKpQNXgO;$A;_pviuJU&yZSd=Lzt)Q766GN zN)JD-bnXB5h;K~k2lV@-7D<_LVj51SIb*$SbRSTU^bHw$mmMLVO8tI|KNK2R1X^iP zPwx5Zbm^{PvA>~|?L8t?scY`d=T6+>1SvUV0=+THbP@3R{>k%hja567$iORvF_8&) z6=Ki=+L--#>E}JjTS5E`cdlIO2d?C=cqT3_JfnWZ{?;n3l2j;sK2sYDGlzN=qE@ya zD_^%;J{t!Ap|$ya#2)IfA2ff^T?HPQhAKq8_&t&|YVA2yFxR1YA|SB#I+N@e+Uj;u zZ`iP^cxlXOImJs$#c4&V^DJHjH0=TctJlG?+6_PJ9MA(VigX0v#GqH)|2?(+5=8*{s!&@gblwyzQef^!Ae`}Cw2Thy5m4E)#Rcw&;udi z@S_4xK-_WSiefFb1G)YZb8#9yk%?9xi3#-vk5xZHoCDb?O$A6sXoL^h;wS!A#%p*y zLx}=H0E5<0OHoGE&=J&yXJrf(@>X4)z%qM6{7O#2y}h)u3DSCPnzIWEqLT96{P9u9<;1)LwV;I8V^!y3wW;x-@)!aguMlpEl=g z6iv&K=J!O8SPm{ZF`W895&u_y2^~$?p0;#|dYfyrtL}DLjar{wWdSO3VYI0)ReQ5> z!qyBN7M@xZB>i26qnS#+gO9ND|PVMFtlGwAz3o890($hVKjsJeEh<#sRYxb66uedTT59Tw} zm%kpE`>kx6?}e<&*9&Pmf7~86zw|r%?faU5@3+_fQvb%#$U~dQFsUb}8(*XFwP#M6 zHl*y{MR2G!r`EZ2DjQ>YgSaf>m&aNm{?X{B!G}juz6y*X{`|s=)65d4{c}c+w771v zMx=e4$y>mu*B=-&dU9Xb{@`;0|HbE`{18%}52ETUl(ZD9Dq7r|{UC^AQW4cTm|aN= zI$ppKwg`}oql>^Hp6t$J)_L7;7CtPA;q@$>=vTP%-TRAjh)aGN9%q2rV3+x3=Es*% z`%%}_kkP|io3@Y}r^xOu1s&Tr#dXkvc#6Ykf{n7&Oj=jwYd>|dnhswOW4a;H1)3ou za^?fBFebxaU-mP@0I&Abt0I%ap0>)(Fw);L;lw|kb~`TBH4IhdRpWs6hj6GN3ELJ) zGw)rCz@Vw{8u7jR>huSx%?7UHVw)q8NOOA>1?^9a+N1T75fl1SCtCF$BP%Zj;psa) zk0S3p?h3v`#tK@U6@G3QE42|+jzTDZ*URPWj9z>$RxW{zN*k18kQB}^XQ?k@5S?+- zzi#@M3t;3_R5Ed%F`Rw@n7n`|h)dd&^gr+s42l-^^vx32-SyP-k~{NS=M&5Qcbv)% zs?P}EXf=@R8A>aEX>eqm%wnxB9V5tf~>-!Yc{L`5#aG>m06xIt_jO>+z!i4ylYt=;+V??L_`xpa1_KKL7s>GJ&My z|Cd3gt06K$+w!w6Ln2u?Qp_Fzf;Id#K={XD8GePGf&w@!|0}7`jtB(M!~jF)42VF~ zP+_0kY{A;me~}{~tP^rjl0*Y=1i!&I@KU}&-$SNg;9?Z1_8lQ(CqY}Byzfu`$6t)e zY)dR1Mw&bb#^<{+7&wq~l6@zA3ot5ZjL%)BP0K9>MI{>_Qxv^_-n83uz`0Ie|j_` zJn*PS6s-mGlCu0cp^HC2Y!Tqm718XBKLC+-dZWJ?p!MzZ{WM7o@&d(#{BMtF;y>tt zz|Dl`uLlAWsNfaEwiN}2hc~mc5%|a6V8f#72~6u{st zv%11MlPb{q`TlK+(F3*sij|&T>`&;>%L)s;Tfoy$vi;wo)YAKZbtql0QT5x3jXJh2 zEcS-A4K_uE_>j89Y=6Hw0I}BhMO=3#xJEdUW%>B88hDdAh$df}`z)rnTum_k;Xklu zg&W8CDxqAdK+I(%T@)-;}?7JtPl9>VjW=eF);jNjK`NA)7;9mDa8$Z|3gM0%T%5XW zDQ*|8Q%i0qN&dAuYvO6Y0e?}vz{XxUrw+_(YUU+Exq|uv0>``Nei>gBu#(7x-ehj? zF6Y_(ZJbF9^lJ?`@{Rq;+0nk`C;Jk@aCWnjV>+-G$s{=9pYNgr3kCz`2qVKm8vBS5wmcy3`lpl_Q%FYa$LwJ7>jB+0 zC@xm8r1L0d)~M6EgYjd|YdX_r*Px59w-IILq#avR6@GH&_e2vlq5qB)HRfc8G(ET_ zoIgSlu9ae$Hk01)_ZKNFrx+_Rs|P3QPe{S&k6%5uK#r2}_ZVi==<3g%?w&eT$PGiB z1==5w1jw&_226~NZnVA_5Z;`rnjR*Jk^|RqrCrq|=YnVZtF*Q4iJ7$q@3l~Xa@`~q zmej#G8<@?%DM=Byoxe~(p-{p!B?>}<2xfp;$$)9r$2=ZN6&enA3+t>fv$HYnZ00~S zL$S2aPr>U`u3;9i7!iYfNeg7t1;|gF@1(-Q*a3u7E3E^?2jfB-ssa3_r?8lkb zZiMCD%`t(q=j^vjma>yCo-m~+pqcw`EO17%$iskg72``5m>0~yib-|~D}X2>woLfQ zrI>~H9usKP->6BT4e#{#c)q0YA{Uxha5T zfUtH%6beE!HuT33j~mw{qwL*Kg6Q}mY1SXyA6RZh{=26E*y(m< zJyd4=pY$F!APe$b!6j83*abEbl5njw%ef=q3yB+|s6e~Xa#@rUT?qewI|iBx%Kp!$ zXPg8?e-kjkTVlEbX#7EAl<2tL;;V23Pla~5Op6q>T}u(JFpy$TtqP}R{N6{y4FYn0 zM(=(KYTpn}-{+jZ*rurw%lh}c1~B~G@NbD>I2E03bnB&V4h@z!m3%#~eI58=o}tcF z8!k?@*ZKG{ocluaXDvJ4{oQGWPpC?2W-KWkICaEG54*<}P9H^KwJROPHFhD}Z3~8N z+5HwlRujhBl{D(nL*>QZvxgfQvWA;4B9*GV8fdL}(=F%_TTf2v)vk>OxT5pn+qCnmrb zunT#|2mKi<31KC;ctHKTF?Ihsb%i-`g^kP5rs`qBLwoewh5XuW8^g8xn{T7#Imgu_ zcLn$rCoUPk?f9D1p9h*ToJ}V@?Ytjif78iFKY7e$;S!$gQ^yUdf`cSTg~oRH#que> z?}X3Rfxtaq#>`+s*<1bB(Ia;@B({cR%6G_*%*VMS>ZH&2{$!4&+dn;pHKJ61sRe_$ zC|5EN+0V9%uVz_JzvSCaJ5R0(FUqJkkv%jEhLsp;2;a8LuyY24-YY#j zmBK^obiG~;{cQ@aw}A;EfyHIOZc1Iqt-ih7x)tj5Vfs6@ z-~W>P%xsMl5@LPr|Cq*k@qtqP4Awy~K9+|n8Z3iw=yd4YDNJ9p_jDej;RA&=pis4J zn{CDfWX@U1P(yAYVeKOAVK}8BXgTd>Vl70h31`sqJeXjBFUJ7qyXvmv@*Tfl7PZ3^ z**M8`B?`~6y`UJ8-r_#u-h7rpEZ?Cp+(-TR>acogy9`6D<(+On*;-$v^r=g7E(mOj zbLryTrLpfbHQ!amNl-@D949F+mv^HvmV9QBqE$*Zzl~M+@i8H zXMqdINO&Q$dGS=(zaXc08*=93%%9;MI`2#k7>)g8ZrB;Q4;9g-t>;6NoBe+hD^F+z zE>!4brZ1k69gt0yPvOBr#b^1&RBX^D^i&TCFw(ODdV!1%v4#{adKkKxM7xrxT03!4 zr?}|2ZIrgBBtP@JuOZT52cX7qpT?u*tYMaH!sJIs!+{5DhO^Q_*UUClz$ws5pxK;Vsd9k-bi*W_NMPIyddU61C&id5Y$TyJcC}4ghY_=)8IJ*xT9*tG@avgfahq(G z0;P?_HIB-uhoeDCra}Rv_KrzZO+4o{k1>e|t`a1qbR)O<^Oob2W=GwjB;0BK){5I` zi%19RSvs{2_t^`*g5ZqiDkSAvA@Y7Ti8UDwl@Jq*xi-Y*Bm1}cqG}h0AuuUdRg3At z1q@Dp98%k>G}zFt#3FZ`3^#tkq_xnhnmFSg(N>Vnto%XxeY05HXHW-80&YbTXO@ceiV;15y3kFCN zDSb^pR{H%ze&dC0UHr*gt^V#x76O&nP~cw3F=ZX*+hwxyeyUxmN;zz~OuINV>7)US z*vgN(B*mu#USoqpg-gxzC2KaJQjcu1mMDlX)B^eK1fc>J&uG60b?Eh>s@HI?3RNOid%jxGhyfh*{;utrh(A))OK=jjnUTu<8iNU1UFOto0j!0O)COZQXy*Lt?;jM!ryYYd;TeC zC8MeV^?R)GM)9NI*`GMj7~c7+cfwx_WK-wsthC|74vNfaP2I}Es5_a!<=${S2XV~< z)N%}Pqs@t2ks||$H+rS@R*qPJ(Q$++v4{t}+Kv(;SP1V=KUro#r5k?jV<2If)fmb~JCdxHrb?KfLr+Q==h zisMWmz|$n^|1gO3K#)HnOMGgt>p(UtXS1F`-fINKz*VIO*M@DNH25o3Sx|gls~|Au z%|ot;5cB(OdNv#u3mM+eU0TkOz&TkSP21=HpU)qzBO!%o)54WdL71Xee1U_elx4* zi%nixq3eJ~Pm*r$mTYu`B&y!EZi28}ms-dx=&!4osD%_BfD8$Xtt{dzss<~Lq<19= z;ew2a@Lz2<9kz;9n+;+st^lf;Ql}e(weX)Fu2zrw*FGvjMaOCAG*GEw+fWp^Q!%}6 zK4w*B?-uFvC2yV6Py}>c4$P!a|8~9yt74f@4CLruBir63Rhl0;o9l@rbtcD;;Ih+Z z4c!e5nIsPNeW{H363zk;7T;^8R-cL48sT-+sR!omt=z2$8Xn}ldQE28>?&HlD^;0T z-G@@AhQa!bi=$yw)M5S5*W}%Pf`c`@Vnd&`)e}4O2{`@}f1tKvK~GT2?py$Qg8j!Y zvd+$2KuQ$mS~!#&p=Xi!V4IY4Koo>mXZ>8EQcd6MbvZ$_(Vk0O$(&A*QdrB`Lv#7B zsKyO6!@+UiV$$(jX)5sgQRbWat#fr`g_(ZW+vVmOW56j>emx_{;31nGYI2QOJ1z`x z-@PZ1qBJw4qsL7p3dr6{Ep5K5L}a@o^}?_a$fS3OX^_CD%%=BXkO-6g0$|X#Be#NQ zmQ{P&F9c-Oa}*mseAzwvn|>A1e{ww~pFPE9ATuz)l(jQ0`{GIs4kvCSz}ZEZCLeiO zNl$$P)@`cm=YO>xPpyh=3SMtC;Y51ny_DOWtrC!Xw@~`H;^m#MkDlUXxfng@K}1bS zlf+K{c|>3ZZuxfy(gH#0V18vIGgv}Cv>;(Bb$*`p&{N|9(bLhD^#g}Sip=cLbXbPJfCflLqJ$!xOM$VLjz6W+HJ2?F(LtQQf zcpWoiCFq%R+PGCFt6Bn%buM5kI2GZ_+!$QW4i@v;b|gZsYi70bhlq>}IMOk~`gi$x znY9$r6DU4ScrsXxw1H~=kbF2&0fW#@y769wl)ruBNFN0&d86`O2txBo`D^IfLc$xC zm~aIy%3Z2#`mnH;FEM^i$45z!lMgs_vC78xFJaDxIxw>gio7~5sB;zT`Wbp zVDyxKkE#Ztjy`j>?Yp6`K)$R}T;qjmqeomCVO&GV2&l{A@$*AN@C;rX+?eDynL-yX z+Zq3x;ZZ=;sw0m|jmgSXyPPQ~o>zMN?4@#1^MeCZrp03a%$n-GS4tNPHgC#S=tCoV zd?eCrYaGbt;V;Q&*#}s5q_@H4+{e?fTtSzz!PDT#3011)c%PP8P&5Tg?qKS3g&A)8 zTUrUWh3gl}HB`PI4b?RbS7jH#y%As7a7L>wEr-lcc4CXr?FSNDzEI?aQFsy2&OvD{ zUP4bAq60x)jVo^VKh@ugs@-s!pM=?=jhfeumyM*HN?0F%Olh@bvg6#)IUq3Hg}(Bm zzvT+7kIVi5&)xD>6GCJ)=(Ju9u?CDq@GO?znP!P}bi1SH?U@O9(&74JJn0NK0JqUMbpK*Nk@x1_qpXE=oy2M~Fg)VHKC-5SZWSGyp{jb-8RS230Db0%#ib;a^?it#1DWufJ zkmef+A*%)Af=Nt*F@5~H4L9k$w;W~198i!XoUl*K?Kw@CG(|ug$@9JG6v}TV=~=HZ zO-uyJw_g03B*RAuo#rgd_m(ZkHEyT~?oo1w-+dTZ(ETc7#HHb>CRi8?QIy_(8HmJ6?Z-a%d!h~koeg$;P4RFtQJK*b}~!El2m)b z_LtiC_yjawnMLMdVVhObr+40Ta%)G^-vf-GqE>rgSG>KbPX7t)3f4N75VV%{FJTf_`oyWI!1)O9~Ecjvkq zrZl;|#fDHyjkr5GNGj zNUID%?%@n|VrLB^AO!ded+Y{F_hc2;g=s4BE=3w;=&#&rVoA0B0%Gk-PcVlkEts0l zgs{|vl~ysOphZV5q#0Cg+Mn<)q53Ic=mw~^so;u&&;R|fvvS^I`lRm}c)bTQG8b$a z8G}>k9{37KCWXaJunGRo&++>Oi`)qJ7P8N$Vk({hl_y+A08Za(0;TxjD0f7DbBYou zDe3$r_d4sti#=K)Sk`;X`8yrq!tiR}8-Xg_x4;SFhk793NmTr5 z41{!bbyTbnCK&6ThHCY9Egz);W~oUC;AJJcEK8lL1|yK_!vM&J4{!)!*`B0V9*#DX zDckmKN|LNDRk9HueghxEa^8eEsg~F=PkQ%jt*SusXup{j?)2Q+D_Y0H+pn!nTJ1W# z*p3#A+eh4zlh^*sE|Vt5dV)_@{huHYKe9o&*VwMEuwQ)>AHrWk$)Ni0ShW@DKO2G{ zSVfh^GlM0rKc2(27g#PQc&|a5`8qKpPLi00IRo;weWBgK6Y10R#yzUq+v5at6^U}@ z6Nrtk#!d$@4SNUX@B8fE@vhXFx`_Ow`9mcH22cyAVX2|Wx!?=TdzVJIl$c`^ch|y}H8!pU;e^yTZ(F{9PWc1*;nz zioMw)no;BadiVf!6JUBdiZY%z;zA2SXm2s}pGPbET|laUju*#f0N?!`jAUpp#B)@1 zoaY!;e$L^duWe&0 z`6~uIhdDa>OAR=-m(^OLYF%FvpM@u$n@EoD2d}yQjsK}IJ>lL9hQ*13t}1tT(3-I+ z$`m<%`n#spykhm1J3i=dofAk85@heHt?nKOQ7^+RaTE*&R*=5Q3~Hbz*RuR z6Yil4q;rey%QZ#C^m3kmK#A7hy4~w-%e=V1pd`P zj}~l-qCIorFDS0-ORl0Ix`(V0w2*uV?LV!*Dg8rAG-e*5bf*@FLuVH0@>n;h9s#$F zbBJtF%xD~pqQy)>82|Y}PCD@QH-xuF0YLY7p5+0-47W3p!XT(oy!J=L86{lkn+sB_ zKjLWEJtlCTEnk`zO(p-V=WtQb5sN$zuosD2xH*Dz20euQA;MNqw3sJmj64kha+kT# z1K>Hy)o3#=g}Q|ZH>Kj{$Q@v74?*5a8-;6_`n9L(O2ZR2f8`vyb* zg4I9d0a~oyp&9^|^B-la1S2d4qR@&wn$`L60@X`@dO-$GCk2-lB>;OoY>$)#wi&)E z#HWcA*ETIdigi$M~<^J7Eo^ zp#+M8|M0P;$<_X$sug0T=DE31i;saxoQWlXWuXe;!2L@Y2byxk10#~>&h|YB3^atb(HGQUEJe7=q7O+y^->X5)zKUh%iT$63mnH?~K6&P0eed6o8~Bs` z5PI^k;f09;rI+=jGm~am*8Xkai}3r&Zg7KvX?R)>z}Oy&J|7%#er^6Agcw*ap#%Wo zFp&6@F+!l3t!I2#?wJk8uj$YK8AD`*ucMAra!(177k3a~O}S*Uf}r{fSD?A%6q0|| zbd)a{^3gACVb|}^h=J7NTL?Y)ZSLhL<>|*F#s8T+)qm2dJC!&^q<{s<{Is`X z(gMs|UXbGOa;AZ|6@mBFF@Bhv2YCn{GxR%X{ny{$-aReK;YAgQjuuJj^UVKYHi#WF zlf2kan|yAO`12pX>@P8ORf^4K*`C|8zb6B9yPgz7_*?ZpeKHNrKI=SJ$voxl(fnpO zwvyyUhng%k@WUs4;Cm}xvT}{0XN*;ebkrR3LwH zwsJg&Oe8D%I6LdM%dMu5;prAxrTO=FaeTL~aZTs)xWemNaypt1)kOHZGaAL0yJ25= zvK$MgiD@4=h)|~XV_zE0J#H93F6r3*%tcpTPhwO%nbTCuGd{SJn8gG{=p_5)SVRVi zy4MEwN4%FqoBT@q?S=TW8I?C>`>&hyzh{;TKl0&^w?1NNYtKLn6LoF5h`37*8)sP2 zJ#joP4kU{ESo>zhCbUxMp)N-t_xpXot9Ss9H%(mEbu{7aZ71gV(Ar9_99uN zfscXjET`pi*6DB;HGYb5ap{7rOIm5z}K zH3(X;mVa9(`RL~2oOU5~*+3NUp&PS%`t~xs^Yc{R#!X3&-MWg;fm)A2m9#2Xj-|d% z_kGBEY0ySx;lrU4Ae>f&Vzqzm30$yt1k!crq;{>m%#LnUyfX#g9Iobzk7oY`?n9%5B*jK9WIyd?3SC&V@W|)=p?i53UmDIhmoCF z4mW3>1XBiHZnFcSQ+BJ>ES+U~O~)tIk*h@s_zgm>3$TF`%&Cn=?Wjtb5~rY3aO~cF zRQ=L~P`Pd)Tx&Xbv1-?p@u7>8dntEtNjJ@-h~N5KUaqMJKc4uj`li!212@~;^D_@L zj%|-a($yt}A+b$dHpKF}4wdqPsE)+BdWsmdk-H|*WE;pm?l<0k) zbL}nouFoY}t}giexOY9tp?#foG>@|RyL{irA{~FofM9{hsbi|Rt!odR_i{=Lu6~K| z-qvzor`Td!U>+Fr}P16$zu6o;S+65Q2O zpjINn4yK<%&{N#{6k48w6ZrTOBAe`Wq;yd=ih%l(O64BrgWg1LbEFnz}o!R=kIK{X{- zU(|}T4=t`=Z$KlTYcl(LF>+-O zyj6%QH+;zXDnls-(f3%-g}C3yK%6%U>0C@^=I;l|;6J{D8*n3@u6%h^Jc3(HGR;7^ zX|OTSO^eg|W6!`lNK@3|s)@{K=>Z<2LXp_iA;u^9 z*(#NyZl%`=UOKijiHQ;jx)a!MRp@+Pm(12OP*62-A4K3Q`Ct{hluE`%LJdzB2cfP- z8d=au@3{x7cLrp7S6F3*cIb-NSGWTU9Nc3M=hgb%g6Id|XVTNdd6PFGqN=hjRp%AP zk1t9MvIm;1Nf~fUeaD3bNn+SJ1KxEvlCV4Nt1EaCrN`50QH)tneb<}agonNuK`35u zThKmK{6$p!7%dx+GpcmfmTRzbGOZLTvB7vAZcld`#Z{j5EW~Jd-(%!ruFmza{IaJ1 zL^~Qz!v1{W=G!E}gi+i@g9=p{RVxu^L8u*293kQdr>Hy7$o1D{umFi@DbNC*QJN@Zz^)$1;Q3jXfmda7`aS|>hquQ_~Z7-feP9LAk8_@&5Oe}R9BXe!0ySt`#X}5#zs??>{ zAS0;dLUjIG>)LYoj#F!Ti?Gy7Af4~C=?6pPLGNMVOy&i7Ey*;bk`$;GqzsC3cc^bT zZX{AAM9lzaE&v1GPpjWuSM!y@*y*>&IC%CP4=KU|ac>b}{)$)mgzohV`5i>22ZZTX zqMjkR=P#cXrNPz^y?FKh-G(LU_lVMRCGK8UE#_?VPpaFg2gDOjM=cr?9Vxk3c?SFsxEiPRH|m~{KYW|^LA z=A+?2$~~h-sebX7o>j}qVBK=fCK^)jWtROVVlHdZan$k&Z)>M(iLdwlul6@_b|&6L zBJpS6u=5tfB(UiC$(6S#7$2Y0W-Av&J+%1T1o{yOUKl&JY&y@6SEi2BuNSrXJi>z8 z*4#fXR^hdfdWq=pS;kolJBvNK-K*5g>kYJi;F85>Db>SXaU7hQf)MsdB@2Ws=3hwG zvQJc4U-AX>5KlWAic@(V5933w10W!LLB;zRrJC0n*C%r`kU3P)w>IuG1D8ey;;w3L^7sZ zm~t+!xBX~CGhn2*avGhK)nwm~s5{ud%^1$VePo$Vo!WP@nF2tku1D)z3>y}A92YMa z{IW7{PNCKkO`@^Vr8SfY(ih^STWsRgf1Xt-l>69rnn^3R_ zOBzs<|Gxeisrd7=An}oOtklsD3*O7leSYWPIUDXRQ~K^iiTbYAvfh^-#^nzc3YpuN zJ<28qfWw9i@G}^qg!Y3(L7d%G*eo%b$vVfcnUkkYZrgiAZXXxJt|!REzK7(FxZd|i zpie&zzZ?+OFd$;M#g|Kai=)%^0N3l-rxnh9Db*@^V^Hu28Ii-WILAK|uS9%HVLS*Z z*aGsygVetJL@{MScqWWs+dcFICzFSM&_bBBsU0VQULhb`(9U1Z2*dJrYcV9VYh3#)@*uBci< zSp<(1zW?ZY4NH4&`GzN7H7i@LlxHlf2MNzPso^SFdj`)blQ!X29g8y=3+kX|5L$P! znB-cOM8a3uNyqjK7kjUVALD|y`|*hxGS&U|%!Ki#O)+o7Su7v*BCA<@8AWo__PAf2 zY7Du|$e^JSUklx|#<=j-ogFW?xGW#=TaPv-^ZUFmYsq!^QMNe@4FL4ZHn5?i=v3J} z_daBhTkc%>v>OsW7caO(y~Pu*6RGgAom{5d411ylg-SpHQ>mBjr2p04?_uR? z$H8FNTBv4i%!IO=qv@-+cXTB!ZdRn3^jT^@H|I8+!(TY@L1r|8%)0f7(-ovsDoTE@ zqnb=Io02&5aNCO$4B)1oLf+S|y29%>!QVI?JnxbckG^-~i~_|?M|-h1WK5u1fW5V= z{X`#oig?7~4u1sT^q4#j=~W<)w+%N%j>6av;^AlSjK*}zv;ympVoiJmuk77Rbj|fU z&g+rMg{%9XGB<<*9L7nZYr;vv+cp7(4`Bzslr}@X5ljWwJQvJM0iS&?M-v8#IxG0! z`Oa3p);qn)KP9j#{1|?D&>qd5M#OG<-a+>MUd~_>D?{>GFXs6+aLW(TME8}7KaS#e zSx6tp9H2HBJkxDQ<}5n1t5oMtXH8-%>agUz+-dLrvKpej{7Fb;l%svv-?zHkJoUEzLNwt!**lAvVCM25T zYnv^~OV(@Dwqb*U`%ffF5LqApMWS%ApsJCKgJYhZf)K4{lcc&=>V11Q!h=ooGZYL| zAO;WhTY{!nyepd#nB(KbFnx%uRZqZ`uT_Z zNd`SsxjClr=`|Dmv4Y)_vRVBx=h`_y!@14ofyB$_u-Mdg-Iq!XBFm4p&{egf#Cn5U zT2$ZHNu4$_U*m$q5LT2iAvk?Z{(P-pn}XkHz*XQj<{^mp8eWeE{|Pk#aJeVcB%xQ7 z>S#!X%}@T~@GFM!g!gusCKU+lP+YtT5(@}MD>+zSBgFz~Hq7Cy@mokz-vy(+Z6K4Vu%7ks6$o>BTk9|d3SypV;%Ub zZIM3X7r$i@8&~>-WSBX*!c=L%n=PoG_MxqJ=b1i!KX_^Pey3LZz7>X$4z)L_&t4=QpjuM{YA>0#s2aaol!1b5Ctkrx_-0VR|1a6!)L%bS0hQ5Vm#k= z(0Feq@QeD8RKdaqS)o_on}4Mx7{+^lFq(kpibTP8$z{rFRtty>xW~^CQlv+{j5#TpDG zOqb~U-}4V`6)l)|PRFOM{}_EP^#HH4f(9+f*s=ngB+km#Fd= zZ8NRHL}_-wl_!tAXKefUaJD=DEpCnVzUq-aK1TYR$-ba3Z|A`TP^mN$6?_GHaT*#D<>CMiKMR=ieVwXvhFO57x7j zP_HcPmbU3HBVj^LlRX*>bK4pMwk}9k(@zy=#QcuE)sfl>W;?g>H%qAnjgg?BKD;W_>H8V09*^J*ApBPqU(+SOzrZvLdHys?9$a%y~E5$mtx z{N9@PKGC3BE5V1XuWxKInO+WoT8_$Npd=)|tuE}IkkQ%`m3oNhg_AjnzAQuk?u*a` zKy&yz7W3*MY%P&N(#YKotl@=7#;mqT(4hkczYX|EhCjpgS;j5mz4>*Cr`|H@JxQ8f zf9SfOVDkB%d2UyG<)Gib<(X++)!C%EsM^N+U>@Gow+Y`uGMb9TbOam?^1qG)T5MCb zyJ1V4%)fr_bZ+)G3GG^Bo$im4eMssy3D}@iYVnN}nyQvOzQF8<6^e8jZXhdo3H7+x zljs0FMz$2g6f<1^7KWvVmB5m~!h&zo(=*=JHJ+$#TF_f9FI!k3vE+7kDIu{$eM!ym zDMuDn`d$z;-z~Q+Na{6wxnCdYVLmjFlEgn`qgZRU>h5?CMnn5{Xq>O#aWp%FK2CF& z3+7RkwS0FY_)G=L?(>Y{EnUz!Qhl$wm2(+k=mrDARP^TVtG%!o8tOM2Y19};%?&y6 zcfBXHGNWIw2(n}Ic% zyfd5ZDleU(V#b#cce=J<&zip@M9#vcX*BzcTckZUkZ+N{Tz^G@N@d*S!)65Ev9f3c zFw>2j9AKWKtAfSCBE#OllkOvy*+@R2%2~=F7cm`*_*B-wZY1<{Hv>Y756=5q*AFfWPD>yjvIe` z?9$-NDyOlee=8E}tMB>Bc8k0HRygB;fYdD^tBvTWoh1WO&5tt}U>Obr9Y73Y_T6mq zl{0ozpOF>xUBWm9)0=-jaTipCTlbOM;d_S5H;PX;mA1K~3;nj}o(8wa4_g`C9zN54 zFAnMv!uRD+^%dguipPoL${Lcb_B{KA)e;mIZ?V1@ze;CBzl$V2YHVy|WVe1}g?Y3) zUH5E5k!)B<)0mQSYimmc#`tI0omcN6Hw_J9T$S;x0E@pGQeBpPR;0;?DVU^{A>DS$ zY|`0USkB_NM*E$eo!`fIapnbu*lf-8N(usUm8IVCOD8g5r1O36o{E$RK1aO@>#}MB z#cIncQ9#a~;b^!y=)O+e-ok>{I?BAoNPpi$M~b=KSLjty{TAyjPdt3?d{W$PthByd z-Nri6Mz%CjV`+GuQIz14hxA;-Pdk);q?sBmHC-E@)Z8}>TTao}G>Z@)e+zE0wxF#3 z36^gc+eG84Hy5W8u=j9GY{NT=#oD$Rc;^}wE@IZ`-xW1Uab<}hs-$vb_RqIf3apy^ zov#QUqT}Ncp{eDLU4H=>qt9L#|(EsJkb?NE$z&ZtZp6DqCQ~eTW`rlSsppxy9}&{Vpw$QFvb)m(6ST60>(ybWqg4zvOywNJK68Q_)8v zl##d2$ruZFl6y`yQsnyaNtw!V*S9SO2qeZc!6E9(%fl2s-uhnzZrnM}vvu!}8$DyR ziTv2$%EV7Raay~7D}+Cjz2{{VNPV#i4MCFIE~ulPbPQUb-gthm6lteI`6)fm(|?Re zdnMHtl6QtDcGE9e8CO<5Ds7z(xOQ%I_6HU zdr-w8@)_0mB7*O=#G*Vyadx7~iLCcmN)p)9F_C!}QZzcI;|f{dcu&4;u`7Ox@!##P zHins4NQL5v*KUMvMM6>ed@@c3ri2h;2)4_6<`EmyH{M(y7qT(KH5xVJl#T*AUS1Sf z-0I8ADT*&g)_9$O-R7myh)3kk1$tXvSIjmHBX97_ioff`?kuJ983&!P(g+*-kqSGB zmcO1i(dnsWuo`OmxTr13q8cRwqe+r%ms0$ni(0hyqj|`i-gGIM>}=!+8UI&$(TT zV%p<-jLAJjGET5CmO#P^A#{wG7E60C&;z|?v>$25dfXfrm|&9!>QCD-<7qN-dOhC{ zV%TsIdt@G^_c@g0c7LPW+zRsM$MWRst)Kj$;enex_eN44Bb_H}c%-uT<~Iu7uT)mJ z1TrZS6Yp~DnaRq){nqbnHLNjt%+wO$8(q%@X!96~=5e;%*|wRJI$QbZcGa{inAo;7 zjPwV7W+8A~)<1)Dees5n!35(>pqFw$wQO+Q-}E~GI$@LNhQuKTj%60iP5qP{hll7l zy5nTi*q5Gmt~QyTD2`Q^Hende5Um$VY_&KZ5t-N5Yt@;d9?bhtVc}eh+*~8cKBNhn zGTof-Wlg@jx}y$0U->yhRYA!{p27cqz!qGLpP8crLztWP92{Uad*t zCL)<}qMz?kV4;GelUi@|GZhOvV`g=Uv_#MEqx?rL1Z~-LQ8xi4Z=Nq))U(SUcdO}K zzP(xuYEjZagBwwI(fviclPsX(Ee{s}lz_0zvE9|#kK1g!)9R#}z=pqC?7OkRDJW6S zfP1G?Z{{W=!!ky7wL1o~f>e!H>D${c%!dezhnp$tPi(W*4Zu-sv*AYPVxv5r)#e$6 zqoT6XFcuUjV4^rxlG$_;#MR$e+gs24tG?uY>jg_^1cRdxFC+-q6e5f~KfQ^5kItx- zTM!?5jA7b7T_AhB7L=?AoUh@cfa>mUF-IwDt}^+!_DO#-o2;9-V)%wk5w?YYZ=A;P z7}`xIs`Mw`+`w`eaN+R&JMO@6C-!}Wl_M`i@hkW`g@!Ms49_p0d8Wfh8^D4r+kfc4 zjCy`9+5*c_%&di2QS=@DS#ETXeB6nywY;Yv^S@kx*;cYOGD%)0ncJ^#>3OJd4{Vk? z#>PHbkoEq0ODyi4X2K$u*PIZ@Y-pi^d~+jk9>hV>(BirOTu)GMdRB`O-8RR%&B)kz z<>EpxL>n)9ZALvYsOaR9RH)MzYrgzu3G||5xG&g~eF>oj7M5vjqcAIDi@f={duL7D z<(Fg0oBiw8I^G`+7=oN=vr~naHzBA3{B25=G1g zZOY)GzeRr)Ay`;FsHsk@_;Z&%UI`CDQW>p>Ib7 z)Q`fJ>=;~=hkKn^@*)PcFHYfe>}un6?^OErIkrkW4F?83y%$xK&T&w|sC@c)oN>d` zp;QSsXao-&N_c)|FLjV-O86bWQY%EJrDbW`X^=iovW-cijgF3f{TX8~ybFETY@Nlj z)Mky_^<>`kXLlzk4R;{VEf(?JDl11HANJA1T4)lg=6mV31IU#_YRNczC2eq6$d3RE z)R7E*l7unIoU>Tqo5z*vv_l-MQz2FgqGqsIR_6w5vCRlSukkd4>0njhvJk{kg0V5F zqtvLQwDIQ}@O*-a22*aRbH~2{KBVHOL5h!^*Mk%|ubsu>eE<7{kwygZj6$bqnto-# z?_@muxCBKOue!&jX?snz;Yp0vA{75;*UGP9u^?u9W0?QPmOzUHEqI_0?C~fszSnSrdmv5dnR<$WLJrL&7WIFg zorO^4j{t1AuAvxYFi2x@rj-*b*yNUeAckmgVD`%4;^W4^s9u9NQva0o_r`SxY&Pap*vfHQ&uf!3&qH<1gdJ9^Z_Vf)4@1KtH=8@QUOc$Vq2W} zar5&?H+6w=iuSq?+`9yQ(P<~mtt8@(5+@1VhivwfEdbIs0lej_szX=`gX{LQ#40-Q zvN^#NOHy56LX>a2kM--ddAXm6UjEv}A#?&+SSK$Tqi9-HSiF(7Tu4?f1q{_22%b9@ z!k(6Ks;$X1a1ht;!U{i%>`hn5zuq*7D;EB7_>FQ8iaO9VVdNQ`{Vl@=x#5l|GjWOh zB#>KvCs8uGO-HmX=cGZd(jR8=+qc!dPRp1q;fb=(dEwrQ3KM9oV(e|$t3J8Y7g6IP z;%IDDTq8fZI)Br@biMn9!hI+t;wgY3FqzlMTA-0@6mnjp=gY!OmuQ&p%nZu);!3+h z_<0p1T5c$`#x6Z4L>?W<7h7zVY4*n310&6MZqDT^x0isUqa&_60SPLCIE;jXZ*!xz zEsVw1SiW-m4+7=7nyl`Qv&PRNdKvQi-xw;{Nn?GOOa0R1z!A-Z zPDttZGzDnj`vkqN{9alUnu3^q0fJe4m9I5dN04u|y8gjPhbD`7d-pi9ylA7YG5!%k zolOTicsrVoDJa<=CW%hZi5!q&cWrupaaUA}NaSmeu(OW@+r(9~>h7?-(bbBRzmL(m z{b8h)ZQ_>J=1F2qJ1j9u5oovj{LfuzU zFDETcca&Ftqxy)AT3B%s5x>R0p<|iZ5a=)#tEib40fC25)uC5WtBkD1H31ij62P6?4n~8lCvXR3cTOa z3)ly&=4MCj1%dY8FWU_ZJ!FwY0Zh z4_hqLiM4Y1+L$vTBA~<)zj?mVS?D5gOwR7K_0YQgb4*^pA0Z7`a`takcoVSTxcZn; z32|he20{O0I*zhu1GDO) z%NujZLf5aZcc!!M{ONraNo%h^KkTAiCRk=zeh4-?<*z!v9^mZ;`$*8%OCD3}{o42v zfbfm$-4HkltkKUt_;uj!rGZIv(G8QBe({~`wQ67L3&GFrorCZW`QcLO2dPx+LN+b% zOV^vxQ?sww7vG=>&>(?34n3BwlAYwuuKCpi-4cn|$}IeQxLbRc8nGP*!zajejL=~r z8s+b>1REVi20z5BG{%K@-4$fPoQUR~_-AoJj!6t>ISpNz4dsI3c!!!_hqbv4Jdf2TD{Q zhW6yBXiqOa@Kduhcs-VNb0LtpeX2_A=3oq%m(QuR90#Vk+3RSk;(_2&b1ab5Z=iAR z>Y1#!SVjf=GJYDufJO}*%`YTAGC0KsTiZk>GGv)%O3>(L3^loV0h0L8vTtptJ~wCxs9wGv03juacPaR=d013?XKE|mcShl= z+Mm^LvHRNQx5B&G5lC4j9-Z^cjAY~lb7tK@cqygq54k5ijV`fkaIDrTw0Wc zDM@q5p(rJiIh(GgIGNQ_!Rz7Wl$>k#SAQJIC}jn6CLs6K%Y44Gj2~76X1D$7zg;&y z2MuwU&u+86)(T}jV+cD#=?`CzUpyg&@`DDLs`NZ*jUHB&w^|O34Tjt*e|}uBxuiz0 zZT16hp>As#p+e!4=Nn@9ms_&CbCQkjhImeHUJbop9zANeRrlKT6A>@hr0u3FQG?CW&fgWAFM8Y4E&_C&r8Ugv>uGY}79UpH*7X0m5x$xR!>eE}i zm$r84xH~e~UxjacvlUNWoFE3S$W+Sa#t35g$?UI2Z>6`^If zA(UDn9xC;mrg&q#J;}Q4^m=D3&NHjNaP@lOme}EG6svd60>&z2x6;%@w$D9W>+{cF zUb0gNyha^g`jQNgu_?|X`HbVniFp_!gM3zrY=IMX%)q`S8!u8Q2cH&dZa9xcU1|1I z^Ro|(9lE6WqBR8e{5K}f>YBX|M5iG#(z3l%dDv;Z<-uaXSKr-Ww}@zmD)3stU+kLE z-II!nPr;=TCHzN}_0ciREz31H5g1m7Lu^^R*)@J^6Rfsy8+!C6d>7ipn#}B0EazK{ zx9rWn6X8`0qNW4PdmktsZ?wEPJy8FS~p+E4bXZ7b^JM2t3C z&5&4=J&I;SUygkWw{xJ!qlZhX1^M)@)E>D^_ozGT#S2~S^JB}GNL;4Q=C2CbA8Svr zD1^SJqG{!+ihupn>571a6uOHIlluL{6Vs^*;q@^?Lq8VG&hlGMI$tIj<<^+o@KiX( z+op?e=*TH^WpTbmkS*Xu#b?ZC@+lY43s!pn2nrp{n2TxZ74LBQ1{IGhYV|;@jUHkS zv&i7)idQ)7`J2r`EGI;F`DKGnRG3oR^^-gh7C?NUQ@rs>>j zYTJQbT&m)n)IZxp`~Pkaxoy0^!cWkR<;QP9l_YgUoGQ#{Iz7C*6@ObDPUw#L1THDg zcsv4k?=um9`a{lXh!NeDNbt$Pj-88fnc9 z%A&16Gm()}%;#}R2FF*urM01~*TiG0DP!pb)U3lS*zhKd<6b#eZ*Y-_vs@#>U=SMx zn&By~*P94^6Oa{%;<44Wj@r)1P+FVd6g291baKu$Rfv;Xt(cyUrU~Ytsq-N3ZFgW} zvZ*pSx?tHQ7!IyJV0WK`eSk)7jpzX?@RiT=yslqw@_* zXDQAG9ytTyT96)Az$!;~keJg5ZsJ8u@l7^`tRHQaUnqtz@(P4p#e0%lYM7v7K>;Fg zIAA_4Rrw_WDUC71uQHfGoD+lUU5;BHJh&s;=+re*JAu^ipc%oq=}&FCsQo+4?6<*L z213T&N@KixX}{Dymn8pFBaOac{iwJx3Y2Aq$Kkf>F`)NZMnANFH9OzrDxf&+O_0v@ zRZP{(#7%>z{Gu=;?&r3P*Bhj!FcAxKdozS#lF;uz;H45LNpp$vY=(EoGZ#wAq0de~G3Z(%V9)3;a{46l4xiDh} z^PRMd*(#qirTrc)Ske_yz}|}wFqBA#>UvN|jSmSr<4=jag$cgfzpFrt&KVCG3?F~X zZo50J()+xbB7CpX&Oy~R`t>t}__Jt#vsocyLfa(Asdr?-W575*we5C(Ke0$7>T6MUE)c|FHjEAv@ToZ40HYpuThbKz@Ei zXUBwySGOz@lbBm8g@7-~(JnDj13<(x*7crzaqmArd!M_84kg0svyE;ahYdd{9PS_+&$8U)TGre8I|+ym9QDALy+w5qUUjJB9PK$k-mQiu`U>cfKE@m1~>M z4u5*Rj9mWlEqSJQ;#Kz(_Gp)MH+o`y)SJV%&9r!5Hh$V4g<@6Tiy3}g;eL7H*jMat$CaM ziTaFs`qSz0ej$x!37L1Bn|ID{9mB{4HF2yMVf2~id(BqWn8>1miYUv#2Ei&1Nu(3VJ=!@KgV!|AZ0yFGb%3JSO z^e?Pa1*! zJdA|dtsPNXG|c;%H27AOoKF5ZI~)+dkFd^R25TJPzrZTRC(Pbb+?ZyJw3JZaRm-Pi zsz=wu@&?8#XV&4%su+Nppi3ra8ACDG2Zhd(2eMgmzoidY-{p`{;J|WsJAHFQdx4Cj z>lilod^a-?ZBenK{5Wr#eK>~m)><$(Z)kHd$hBemZ{OIEi#i}K~{ zmEbM0iGYDF2@vR0@#wa`Vri+M2&IjxH6c{zUALQQo9c>kSFo zRHH`E37+I^LfZ8+Z>ZFXH`G68V_fxioS}Mgfwkdx;*=vkFu9hn=|Z&ehB5|P zFD!Di^&G*TZ4SkDXcr5xVcC+W01tN=y~G${su`SD(fN!R;hr>RMI)3FX>KxO@y3(6 zI)dWii0nKsH{wdTx>6M0EH__J21RD|e8kH*reCowY;@#jWrQ1x$m9en;F|Ma*A-i4 z0OMnnMS~w4x=<81qY!acXD-wlBdq}!S>M@chwFZ%r8 zj|6cy7x;FH7vc%ob+B{+6OVe#XeGbl3D57GT#NHZ#fep!|2oZe=%RU2IH>=zgO||> zrcja}5iW047Vhqs2y*s2OWic0bmiJ_sVAbIQe{wJGhGobtNKTQE3N8sRUIyEt!a5} zDJ7jr@wGoKi=nSBK{v$_~fO8D^sOwHTWH zNUNxazqgw_LkZVbkgG;0C6^AGo_!+sKH?7vU45S2aJ}h9^9p{7CeJ!C6h-=g_pWW3 za=VHdR$0%d11Y*Yxk?@3f{?s92FBvPnG<_}Ki0;>XF-2&J` zdtDMMIG_ycG#77Cr&;^`GT}pXfx~B`>u2=|k=w=qB^SWv5DTs87W)Qc`P_&m;R!mD z7&bXty;*x;d-xbOPhe43YKCj8s=%&fqd=bI@p7b3S2}0kn`J0igKU0ic5xnK^_G4< zSCNF$ioMe#_I=xBh4)FJ+ZW-K zv4St(mo$M!n!>ZNkuia1s-n-@LR8kmNvg((c2y%pXjcxtZ|1zf5#jL_%#!VHV2{t) zDz@44b>kD#wLU4^k0g6fDc-E~h&AL9Ujkex>y93pE`_>VwUVdhs8P3n4e$m=8rfD+ zt||UOE2I;|5CBz z4P&JhG8n8V3VyEux+rIzIHRhvkEh(#!{MBQuk1jkcs|7%d6gqyLaGDG+ZM}PWXLX* zvA}FV;RPB3&E_;N z!KU@}p;}E>STtE)j~ZP+2k&AT>CBjMvl2YgF-O0V)?mmJ@rM|C{&evac??KxwT9!B zXT2{SMemQ#dxHk`eH<{a>ty69A%Kf2xxXEL62dGR8yUH^o7&QNem}b)@SaGi`$r}| zZyN9MyyiByk;9bX6a~n%iTDo;y~|+9>W9bkL?Y~|d8UyzMbU|b{s5)cz*prz%`fm) zqrZX@X&~WZ_;*14Kcv(c^{I#%1&@22eguJfs{B+!9~6Hbo2K8)f3?v}cVU!E9;S0Z zFg)g3xOaKSn!@QtT^}1I-&-ja+F4{wMl2pv%=N|6O=11+*-!lC)-~Q z|C;=EuTStvA{SJttX2EHjkkKvjIRKJS9=BdxwGd9!qm!Is7Tc%fBu8+s}}cwZASPu+ z*m<|=PZpxCljNtb;O6SrV!8K>6_^Q_h=-dMU)RUYC2H~Ag`%c@mC1NA@qb95bjU_W zwk=Fp#-|FYXWQJED~c%BXu#kt{K|m(X1UGrwKSW#${fB3KLZ1yb|tibQ&(}K#tv;X zQ#8w~vR_7KVscX4%nZNuaa36lae5>rg*ZdlgJgR9OXO+^yuMn?r?@>U>$!*+!I0r3 z(f6WBvx}RmGqbDlQLgh}$pRoE>|z||ZY~wc&eE}=e+FXqJ)WFnj`#p1ZK>OmM#)H5AA^C`8l<2FmSAx#0GOl@2Ibr8JcWU-qvh$|09)`D5 zLuB@);bzHvQ*talhg&&P#LX0=q*_?#jzccvBe!vu5o)2JT~r~%MVtRu~@rU zo3R=N)jJhbr2oVF5;{P`Ji*D&b(q!d1jyzHw=x;PBM!eg2H9Bmivj!A-&|sdQasa! zm6@y4f!AkuZliO=IqqB>3yr33#G%czs1)Yz<_DC77-Ec92}(9bNDjUVFbU^daU6|) z8UcDN%AE!Hyn}0q0%L{tH##?zd(lp=r|dLSQ=}Z5MR%9Wl+WZ$S-Vrm*NEVjWPJ)@ z@-z4tg+MxNIBT_^x?#fU@&9NtZNO9XKQx(;i?ZiO)JcQHS-KdlMLW@p5}LR&>Zn<{x3m{KNqMSzcx)9$;l zrmJA4mBgle2!-OfW|BPmD>@@>!OZWcpZi)X7TTx%w%-0}6lL~}^EBAY2pHb(e*Ptu z!mA|l7U8FuvRGf30;R*AeH!w4_;dpBE=8D|6JGs;GN`7Zh>ApqK(}Xvu|R97r)?q` zheZObw&&@J-yQ&$j4sschC7k}y)34{fEf8s=3WVA6qr7NlViIBfuefHJG~_c@f;e2 z#!r<2{5xwZH)W9LHaN))UThUtH`TE-0b)q}8+vu;XP8!x!5iw5EJ~}xf=grGnM~Gr ztQI1}y39Dt=-Oj~<}p+6#gX(qwpcyT(e-Hb>z2aw<`-HnTVMC*015;Cx{pm#^+*>< zoXK}{2sw9WRo@TS145<}Rn4?uV^F+eZek1Y8AW;AK;*5bVP_bzGdTWHh~yqYF3Y#X zh$|>HU%0)BPt8ab^Cdu6x`vfYw917~PeZP1p16ba)75zdEFIe+%5t-G^@=3{oB2z% zB9mUQT>*+peV0q#3>O0QEDLp*3goX#sZ5nAM-A&yF=gN9>u%gHwDNOFsL=4hf)zHw zOz98ma`qA@D85togmbk{K1}`xzWcuILu_8~+5IogZ^K{|D&+6^iz{Q)rB9nQ_(kU@ zg$J=Gy*P5t*td?RJy59_3dr*mi?=<@zS^O>y$k#X1|k|1I`Hv8#OpzSt1UBJfL;Bn z{2#DM=^G575~Mbq*_iTo^plH2(rgrTC#kCdnIKM*fFQ58a7PaLn;b0-R7s(neRDR! zQc8^+ehz9JJZbI68Y}ypmY$~^B)ultl{qS`Of^MJm|iA4jAq4cq;uh!Vpc2TCy;<+ zMJwF;Iq9`%305H{y7=?8x`{#|i#j$I>bAJX+9LXv-dF&_?Wkby`4fs1gWosVpb;3m zFgm>hqO7&Y)hOrU4`pe?do&e;18WZin5!Co_aC>Xh*M@%rh=xr7cK9ZJy*PpxUrmI z7%I50=-(vZPSDlqqGm|a`G5<18G#CW2_=^@L8o(8bX8HEAM-k_o*`kSz#nnm!PbYt zBZYo~c_tT%5Botd1$*{xr^Z&S_)kDK?72$1XW|bxRcZX1xmbN09vU8F)N-1WY#Ctp z168N!xkN{zyWE%p(hI)WhkFCzPBL@Fg>}F6+4SoW zU5>@#5*Up>14L{HI$UqgTtQvye`@4~0eeuTIG3Xu>`B5b!RjX%rl9OGnk@1nuQQca z^q9~?L4);6j#b`DrjtT$pGTA5N+anAMIu1^-can>4V3G(ZUkN(XX>mkqtmYRNOvBk z{II}*aDbkgBZ7i*n(0CToBnzDw7@H-zDmkg#gjYID;Z8ceOt>ZZ3w2Jad2;o%;{)A z{5;UKO|4RCN-qaSB;h1+%1h2izg}ht;iKMxoK4zj?-qvx*e-sYeygm!J@khRPI258 z*4J|}UyfK%sAes6JBRd7o?rb_0-;=%T%Ek0EG#%q{&@ViCJ=FhXMcwK?!B;oiTB*| z3hLAiW{0^_&KVdt%$YZ)82z^w)-E+O=ecPi+QLU%0s!%g(s|>-BKNC`2Q#f zekrM5cw2F_6DjHtH14Yir%QkFMX3*e%t#9^ktUCyIm?X;HH26U`1-{X$dL;1I?FyO z@8L5EvY%;M1aaJuI{wE6U^R&Dmrm1t!X5hIDHjqdxyeeIBp7&pJ~aK@%gAMUMk;5M z%p2$In23vueb-OqcIia2n#^A_TmJ?Y+z6h+-gqYU2b3gZ+l*qFgii_X^X?+1}bB;+Qe4CL_o7}&-cqUN z@Tq}59`~^ZdTRSIGn+{TXiVoG1;Xh_g=nl*c-fHpsD$xkn$hhyS}^X2k>*F`v*ch; zIG(OTuV0YL>Yr@d1Y~Qqm7pKiOkVpc&iaZq?Z%>I!{h0r%0nOj2weudm7#!`6%$;^ z3KrgLv4K2#(0o4czlS!}enIgbtGBc>tm94W#=v^1 zmKXQgo==m_Z&V&6AMlT~X$qqe99f^S`O^04vK-mw0b2J?D@WJX7+CUvckL%M>TsuE zxT?*u^b|gk@Jr^x&wo5_0fp?WI$p39Xep}4kwK4BUW~(y{&SjjzLX{GLULBHg!mUb zfmaH|KNGuGQf}N}8J*V7@D@5wH13s83<4Blb${D$3#~|8TY&kk&gbli!D1$*ltvf~ zpn(v8Z;owmr<@;YCX}?#EXcS2;r8&ruT($l6RUELJNQ?_C~D@G{+IqBLCWyMo$-Fjyp9K0BUSh1;cOurefQ@w`4jWVtMF665Aa-Gw z{jW+vr9kyV0R&thXN#@>3r&P!Vp80G1|M4&L5H#d~PfOCq``@C1=eNp#{xUue5_a|5;iVhz z?V%1Dt)!$H|9?Jz%m_UdP?Z|M{IBg)PU_JQKnU663`D6pyS+Z7?Xhp6zDz??_oLFG~kwA0k~+s^nhr2hG*P21^gGc9T9$`GaRVN#{oiV#s+_H z`K_-q!t4HB-7b^T{TxQ*`YA4DiJvIdSseC&SrG1fqhTbZ`}tn!giHp*40qO1ZGOp^ zAWt^c(s!pL5eaESttVa0usbrR&(15zDY`#Os&H_i4yOwwo_D09x5Q**CYK?wR_i75 zTfUI-zq>$9avn!))J=iufXII5PmdBf-UFFl;qHVCO#D^(3Woo;vIpPibT3vDwNoRv z#G@}~IFp>E){%L5`rXxeiEz-%1+0?TOX6gPhad+3KOUzDe^xqs+xIqd^Yimj0LiWs z>KUuTK{F<#ZRU5rqj?As}BAhj^AzE?}s05o)VOZGVty$eWUWG zaXW4GRM-SRNAO=zh)ds|SRL!gaJl-BFZ|AE;$J6Gt(O77fb$J?P(&KtS}aF4SH|(# zh+hO9kpNcxiD(L++r}U9glhIA>al71_yPMD-??TG;=`PDiB~(vIsVomT5_u*F=s;2 zzoZb_$a^KoWZ^Fwsg^s|nWnBQ0VQu{R<|s}2NU-Q#c3}|18PzC{g4&O{#xrE#6>{n z=UnSTc@-YJTo-W_p*GZxyFHWk9Z8yOkavsVIIz13X`>QqAk}wvH&&HRnTVzp)YAFx zSL3^I-$9uAw@^6BUa{I6cfrTnX}S4VTWARb0i}2oMN(5;lt0Fex&!vm7Tr4?oQNVK zq*!sBx3wb#%cAOQzbyVEQPlpwOBAMXT8O+}7TJL(?O!?Bv=RCUog@yEUwNiEWsqME zXOI=<_$iIKW3(N^HEoyaPU4oe@z_!NiNZmoG&_=M?9bp1n*fpUi3U$!e&K+4D^T}9 zLFplvz0c%luyvL&-*wwC^0N2u9E?0XRJC zf@sEmGO$C)$BF20Wa-Qi1;zD)7pzdo&WS1kp(JVTfFGGX)nzHq&I1!l0_td&$c_Kk zF~qn=pn7ThW*dI*Y?HS(?yOpz<97aGb?4PbQZ(0c> zT!5Sp)aQOa5KA__7MxT>-Yz7>4Iol2Kj>(4_D?Ojhb9VcB$ZG9$U6KaGY|j|qqoE2 zXCVRik?f6Sno_N2_3P<~BO~wdcbrxGb?9yt=Vi+n(3YK5o*lN|8|4;Hs2x2;uK@K1 zh>jNO6e=(1gr`l#3hX}~Y)m;oRkd9wC!v!?2QaQ~535xsPh7_w-gnJ_tv~9?jkm_N zc4!Y5A%#3r}tfp<4KZ;su^#b)1vfzlG6z__l!v!Tuvn?0 zF;9gQWO3+IyB0uhZ@pjd`AWba^nN1}@S(%o0(=YV{YZ|@2HGhvqZSjg=fzG+WwNIT zyMyFG^l;3cL3o`pYYsPd3_2Tn+gN55QvLa$kyOGZ$S=6b6Hyz3{1(SabSLY1^_JTX zN{5T7D*Kiew$$V)pDEDAIx*x5Jq82A(*gE zS8mXaPWUlGxWagLzf5u)t($p8^yk%6b+SC$y~h}A_4#(lXek4(#^rIIXgY( z+Xy^iK|6I6-hUe^w#wR$S*%>kH>6&#V97q`EIhuiPMdsx^x57#I2W8)kSlMS4GKkndR z&KMHmnDijLBj?}YumZ@C;RRGtFRxX~J*?mGjp$|+R$ma74_oDjaXA|nO#K!DbfmCC zgWgkoPO@>Cz&z<)+3^1HaNF|A$fN4JVgC8#@L`iSC5O(=#!HZ}=X!{!WJ~|mufqIl zmeQ8CKnCvNU(UcAE7MXXvU6uHR7+B7i12?}y`N#y3Ua^JKI+2;c-=huCpS*#SXzZy zKM#-T#i#R~lez20*{luvOcsb+d5T;j6zmmzH)!A}i(#x{_oy0nO7aD#PWzNzvML|B zbcg2K8kN-Y~d>g02-#1dpwJ}-40WaLUaQbv)9;p4W zm^Ew5#>N}K+@vNl>Ml1&Oz5D&sP`QgI`00uYq+bQp1;roJvD(;M!=^V94A;Zn52g)Rqk*r9-=eCJ8x7aH z-<)$PrF8m|Hy7>!I|Y32s>6aX`}|my3zHS+aj^np-XL; ze%{}q44DnL%$58tHSMB|lrgfu`Okj(>!O6pfdjCt6*NFUJ`&$Lm4~w;mC0ppx|VG6rU4S?Y3)yZB%M-MdaK2C|IY53)n;BRSTBpLpc8*IR0Db_ z8+RsN2pr+Nc|E4P-_1oBXrH9amdb^P4ak1{av&JC#shml_WGp`Ckb-mBYMon)^CaI zy?snJQiI8n@FVxYGCeC*E;ekSi8^{>Ts)gFiN%~1m(8knyuM-RF7URJ&s-Q^b2S&p zw8~Y?CLZD~HA^eDo7OEP9UJ6;gyp>kkrE;4u_HR2!_8a56s*zW`W6ik82i{fm#?3I znrMx!^`{&u_J3y26T{U*(Os9}uN&pyikt`F`VL^4h+wh}U>>4CNVnCLPHk+v_y{9qQ+75}c8UfCwKvHdk7U*7dA zrFeb~<_RSjEkgL7r)GwRp^rJnR;x$mt9O`~qIRUP-_77ZTA_i}K_&T&y z{A`jNLC)e!gJJ{YW()yhFB-?At}KLI4^Aa}qOY9quJBp@;L#*5xA@IMv@(4ZkR z?4;TGJ`pRN4z_6uxC5KM$YU@RdeP3-#<4CGjleV(B~*~Wg4Gixf&x=eYzJ?!QG&-J z`Aww)aZ+xLX|&pP{JO8d*W{l?X*f&6q%{ftk*Mfta2VMkOnS?1!q6&7bSK~s#+a_8m|D#nvqLzdI^p&~rV zPuD;3emN7?loA+?`l}_bllm}Nk%v3=viNNWcy(aJ+?lfj$rPcO3nm@Pz4(G4$l< zyT-_nqu0h-aKy>rIE6Hs_4s+>6kIquqzA|+p3j|27H?Dq)X46xX;vqq(kI?Or_t5g z`$1;qeaAoeddJIfpJMok-BPILi6W;mJ}@>YckSsGQovZLY3st9WcwZu_@Ww^|1fni z#WYNWRkn&OtuIP^`zH_Iajug97+l;p z{zkBlUxi{JjD_HcAZg(by-m%@1WF<(o&_75p64T6JpylUZxk3 z?KJfZ=^SfY?x3spTY5*k<_JX28X;cvZ4v7cr>or(v=l*0W`#sHKSjnH32kX>n6Lyj2ooAG}q#Mh%!!wqLJswza>a-=rhXrGHq9w>hXx*K$3#idUe=&!O z8gEi6j2DbK7Cum8@dEA%7lrS{jrEfs^csxGi#TlpH#|*aW{yn>-~R5`m?wtWG(Q** zte%e?mDOJ!Sf<+li;yV#q(7*_qvkq0^YBv`dvSuA0_f}B{@6m}PR>*-2`n!&IQf8s zRfmcSRf-`7do);`eUel=IbejOHYsOt6zGM5xOBTAly`Mk@cYkKcW`w4-SQ9(QS&_n zwVvY+`#cbamR`99%qucpS2r*y!%Y+nRwJi-AWB*LcUHaR(sLL z_@FzRwS@0J&WB= zW}6Tez;$g6M4qC?)3jRBLOylNBX&-Dq!@ac%oCnxh?|R6dM}?Y59@@W@Mhwp1%P}w zQXzyTNC~z-zdxxuP)!vV2~0SNV!po1wE6TS2+m!mum8=q-S>EN`0qNwfKt_7W2hkovWwIWSQMT3FAv!KvUxuwF&(GXJeqE)otU0EG z-~D2(L{g_mj7|#_PSvmW(hKdA<-pD!y>E;$e!f9J|zTIc-%%q^;WSuZ5V;*nd6 zkhr;leq`Rt<`}uRgsXmTavPuKN@*Sm4a`dLSzh!T5{! zXTjeuq^e=*2i+Hh)omy__NYo2uz3=`g`o!(JIs(yyl4gwQ+@}ZcU82vALF{V_Qd6L zbSA)BM`%tf$pw>i(8;h+HBJ;r{{XDn`NJMg^tay*EXe)-L2<*_3-qOYuWz04VuFzy zKNU6OAMp#~-_kM%vvy4JPtaun4758? zczNk$Vm3G(RSvBUwvrlx#zR4taQ?w;OrJY9Mguc#Mdk7Wr-s+D{@*5qE{MzzzOW`}c;rB~)(gbqNbCLU!6eP=0eS z6#+L7qTY&2J*Wa#Xn^9~`^Zg+BrNsf_*9d(f~s@86>I!bdP$TtXAtJ;en&j$`EiYr1vGIl{zybDUb@n2A*-6i{Oi zOSRl@IN#~Uu^{xkYQ~knh&)5KeDwqqv&5U!8FgzM zw^|$6_6LDI=G67Hc~)-L2XSc?lOY@l=q-`N7LsSUasn?=vCcexJLBX?_gahPa*2V;F(j{TWI!oT{E>X zP6a88l>#n$N>!^oe4_bZf)F|*(OJhh56O~5CIT$PDs`E@N|lw5?E!0K=o%iH^e%< z;U9OE^Fm47(pdqDuiZOcMp$OF<60RDy)CXi{`PvJhk$rYw=$3P@%-c(vwO^tseV=6 zUmWlq118SL4|=inXJJEE5$I|rk=n;j5LppreSL+n-tFbCV^%m;uJZ`310MkHyW45 zfw_Q*8e`M-gf55qR!`jo^->bn2Z81Y8b%}U44l_Wr#Bql(&COg!S)g5_JRO8Cc%(? zhBXv9bu|w91GFUwXU{?Br>#&X5ev@5g};pP*`2P)K!%0F3cMY!IxdygE)WZ4;rh%N-}x=e3k~{Z>l(-5-HYqCoJ*-G-(+=;#m8w`Y9o8#elknV8T(?@YG3ee zCBX4L2Qc(8}Vsg9Zawqs|pcV4TuFD{H+= zc0Woee+2E{^Mf6&uZ2&(|2 zCoEb3I6hjgxd^NCc6FLM3-e+z5Ftn2>+^govu$}evp_N(o_g55LQxt1Yo@NqeQHr1 zjE@xK;>!gbsD6&TamvL4AecsD5=f~`++C^6C~vtG)w@-C>_=ECUwNzds0>JAai8RI zOrRd#QYX}=BywL{8PiQa^v+Ee>Unw!XBa@aS9N<@iOJxe7<}2DL>enwVd8 zNDSGiZghDeODFMFn&eMKWHltm`0m~qrOXDH+~uJr3vhcW{CMIt=ueE}oW3>WR6Lr> z#Yh_4xr?2a0P<%COh*|dPjrR!M2jV5WoB+})GIv)qb=R|fjl1$-3vqII}0Zf;88CB z`9E+Yd6Vg%|F{5vrT8~gE{_zm9Je?oAy1`V>3n%L|Le7{G_|zYTsaF0EEx5PjH_6H zA!-ZdXqHAnX#I+E{x;TU^Tr|TTR?sAl(_HAr?e+jG4K5VL&><&`Z@qwd*c#%WUS!2 zp5DH@$K2@LQ?bt;sUJZ$-w^g%V_{Izhdi!UWsBq_HHvg>C6V9m%o!H|+iT1+9<(d2 zI$t?LT=A%51&gsN0E}MND%^C(%7mOxm<#Z*4@*n*f9qM%hQ%)Gh^&%!XKcj*_XBpwzGPXs@AG#dJL;eSx=DO7+#Qxqk-~kW@ z6d%l^U_rhz3qK0;Dt2Jq^B7C+?-&E764XF8S%4t{lUgs*qC<*6P^FEKwmytcAA^LF zL5|sM6k`tR{<35TGia$!_aE3isDbjYoQubK(Y&i4$hpkK!b? zTWQ!ljlwQe_+RK9z~u+P*JW?~%KAL$OgdKnf)XMEd~G*eYz|!Bc#*B5$NwuxPE~s^ z*HxH|{cV}ReY>C2#sDYq1)SlT)q>wD{f@Z{;K&J&!vDp{IhzMl_(wP)kT*>P&1#>A zCA{`~a>}>g&GnpkQ0?x106K|-Kf{`)@Uw^0;OP~mhW!KETgHqSZ^(IZA@xa<3V zPiI@*p8NW#LLd9?y+R&SQ*d$gwVhs$Q;C_QnY#GEGDH!XN|cak_Vul~j9y!;+tpu) zj62=p^e>3akpMket>L*n=Sw-`;^*%HMmERKj6y*EjFp}2knbc$RZDZ z-UiYbI-2r)NV2`XXyZ z*hOhbWi%_)oIbGFNOngNBd$%hI)?Fg+PyZE&801!(w9qiUxRN@J z@lG?~I(W@{mBB&7qIgU+-ngmKY!)Y|cv9T;q>qW)f>QK6JNhXskR55@&gh$N=H;}e z5;rfvn7hjaJdE^Pei}=VDSwa#wvXl`qjB+i`;Qh=lD^d^XJh-XD@!4kph;3I>$|z- zU}A3TxByv;tx2aZ7odmZ@48~2GlW8L=lZ62D`&Kd6d9tS&#)C={7|ne!qp#KjW(Hw z7m3)NlR1rQcZKDfZth3Hdt8+<;Z>)N z%kG8T%wM-THcxUgohbj^w_i@a=6^WYMw@a9MF{8{Jl5@Z?=LnpMEPnxCjLDS!|Zc<5oXZH^yR0IdwzQB^^D4(WHdN;5t!emqfm4x2P~Znx_E!(6Mb9d z1W?jn$7D7;3+wwe)ng;sr5!5GVG)^W4l4M5R1^*BwgZAG|KED?zZ(L*`1rgrC40&X z&P2_8Mq^<~I?I_>4-&sRVPK8(N>>zPn_OY9^5HCJlRtS% zp5_sY{n3y590r$Z!&y-Z?LiCizDb2OfNS4Zw>2gvYa!PIh{Sw%@edvyv&+igs;&S9&Ce>f^( zY)hHsT7&VOYf;Eaje(h$8A)Y`XQN~r;5B_nhJIqNDis}xnP=%*T0YJ6z!d%Zt5)Qf z^;{Lu{~QKU7Qpdb3Kc2a6jbTq5xJJU@1HjP2r%&;%awPV_68`3-es7}{&(0;w_LyD zFDu5>`fNg%YU8S~$)CvWS}}c-o3Nfq=O{Ox*OQ}d3@f`w8F_FhdM|o$jp@QdB0+4r z{4fiPu8c^FSf9F1ZkNT&E-Hv2yhAqrJwbsu$=Jx*_M&m;v63_-5L@rcckQ&deF3?Z z)aXtaX17r#!bmm;RpuupKAG+qy}w;3Ic-54N)!UzW2V2*k^ag;C6>%Nds|z9JLB0K z2lG`-+Lf=!Z$;SkhBKe5p7+6E(u#q{001ux zuq+ozNp{CTq>hm23E zL)qBYd`Fwg)K$WdrDpF*T}2*y{4k91`*i&J3B0sxX{*oS0aNgu^BhL2Zb`9J4t_`v zMc?cv$YQ7xBbnz-y%_dlXVc&ca-w+s(7$x?7=tbEC;wx9g7&lv3{hXoKIj92W z{WqM(KKfJvHtNKDnaCQH#UGIn+Ew z{uJ5(D+|k~jdh(a+wuxdkKq@GwPB3Z9qBi3IDPsNv_78=N8aupv62i-z=}-fROY4f zrBWY@dEx@=UiU#f2Ra72YNZl0`tf{b#qWCcQxZm3r=|h!!;3><^GEnzmcB7p-S}{|5zPoz`y)Y2mgKCK1D7C)7N5j_|$Ir7OS_DhD{yB z4qsu)BPv#>=aHXdpQ}ZTM?l-Lgt8N3mFWd+uph!j2t$-Zq%UK@yPInkE#HujPDKwz zj$K-#v%^mtZUlGvSSTw-y*;kZ{GCOg?FV}qqjq@`Y(AcR6htk{OKa0FrX{mW0*poe z!c^`mCFC?Goorz@?$@thV`Bq{NSWH$*s$r2j+xsyQaPV1QwVd(F z#%J^}JG>Cw-G)N6CNFy;rcXug*Ad=FcAl=!%RoHZgQH+(=d=QWecOYwNEid)}P^+APsmtK4LO=aF}rWxf%lOGQSe|I<%=x*(e zTtd*0soE!f`_)pDzlg0p@)(%2|8J{4iTD4XR=rDC?2+DvU{!^Z?t9?+v6WJms^Ie? ziS<2vevX))Nh_bjeL~>Dzm)?>8`P>tvTVBj_2i*_MNT{~8E}j}AVaU#w$A;qz;xKf z#igvex?{dGiikYkG)gJ>ERJ29w>VBN`DupH=b$>*ZJJ1G;kJdewBbxy!qG^{EFBIl z#Zl$!x2=wsn_vw=?qFfDTQXSmr$xB!*Ci1=7kc+aFAY1(X1vT#EHXSi0Ewg@LcAYU ztE)jjkYr_(aqTb25qpg2>yQ ztT$AgCl8a{C|mHjSTyMWe~l6-Rmy*hVJ+5sAGh)1sUSLwbC5kz*`|f|>h%kAE8uL0 z^d|#n#>3`^4}!1u*l}-Yu#}l>8*vy^Bstp9mrPpN7s7>KrH{L^aJ!`chTLaa#vAY`_K%mN z7djm?ezsM|OS8ItPf}0zuWDVHchuomS3V@!D!3soPg6JoV~KI3N97n5NOinb1313M z=f!5nZG8O>)u}j+%kCn!2?bXuM58vZd{S2xU6&j!mil^ja_zl(rc-V-%kUJe=w(UR=8!# zMZ|*}`4KR+D_6aRLjwhAI-%SnP|`VU!7kWZ zT*QQXGwua0ekT0ES*#~O0%PFb^m;E(|H|8vByQ==IDItM?y-4qG#R^h%u{v4xG3=? z_K<+3i@-3my{fS+t%#QeH->AbY#B^wQ|atl&;9fV7V+z6lfMml_rI}|V}e{I?nHBl ztOfu(sb3mt!41wPL=C-8w*IsHLr?8k33Ne6!YdS#;qF4yE)*r@EW-Q2N4Nt4v{ z8;hKSwTWW7jv5SjcU#yqXMuhtom$&eh|Q$NQh$1>jQG{XzS+*NPZjGWdWDy>{4m~X zp^yD%r$Mu zJOo_DE7If>(9837W}oO?3-qY^nsvGbN+?ZF&kX!m*0f~_R9CYRInX+@Nkb@dVp;gq z&GM_*fha4ezKooD1KH^so<@d!PcQ@w7ss$()T%~SP8HL}&qWB2{uRHADp zSU*>IS=!Q_AyE6O%K2*U%m;R7i<(Gh+E`LKon>zX61_JfT{0OH6Dr4WHqr8-%efF% zLwf$sZ;@fOa5E?jGDRGrzZcr2-YKhQS&BAcuki6Eb89Z`3Ka&Q+$Z{K$Z%z=PugcMwgE zVO^KcrIjMQxE?VCl9$v)lpJST9F4>nmGo4I_qWW#VC`7nx>A%bd@y}bR- z4}Sf$#7C^ifp!8AO73%DM&Q83`L>S+=3&;6joHdaP7iH9PeF4w$f4J6bYF(~%CKhZ zdLe<>lg(Ng1x83E`mrMLotlu=zvLs>Wf#@NZ9RRZtNB^x^Qgbq%ogWVYTaYbJ;eOeJvXyc_6n8f^)H|jhACOf^gh!AcoMpJ2JWu%g z*dMpo=kiomIud=Pd8gcMp)1;9H9J9mu{&RwoP5B5u3acCB3sFq4S0yl`g9A>FMnd8jfDX+Czl+V}5k7@YAZt5)0wNbYa6XWq& z;MF*tW}%iQQ9pZWliF6ZVEKvUj5m}IJ6K~(#nP53mJk^t|8ATxF7LrqPMpRB!x3JL zhIqJ-SQ7A36x(J`T>;{3%LaQ5jf+)dap1ugGh=$05mKF_WQOz`FC~VayVz=K18=Mt z-Q*dO_E)xzb->b8p8VOil{q=_%Y?I*U0EE-h(B}WfYM+b&$Z<6)$PF^j*_6n%2(eX_Sb%yzt^BO|+qYRvu+Y(s<&tX9Prdk(ry1?yh*y?JZl z-IJOeJM_tX6kBSA=jk3BdOz8^M0K8_;;4tO9~KOQ5n$k)6GTtqG?tZaSA63NOWFsP z%Q!+C6-7P}?M~z|(eMFz$~kThW(E%z>uJ*|y`WGFqn|D#+ymUJLihG&?Myt7r^u+s zs#@ac%Y@$}iU5I~4|7s%)y@f8&)C$2N%o}=xPPwXl2@$|4z`mhKUO`&lK5uAQ`1psuT|nul93xJedtFFo=+r%dVMB`0h<_S=jMPX6=@R93zC@m;T+=<+)wHYNm`+ zGnP*0gn@cbe&s|3j)PBuv7|1eTh#K$L6$ra)zwD|)5rRm+fg$Q1A^rqJ26duTiGqxw{2EZ`8rZseC1Xxk|UXmzm0wcJd&J;-h8$c#yNzDs%_1JI!-cy9c5&3 zSLvijroPaCE9T~7G%d=viOy+V3u!}`!E3>>>M%Z4N!i*A=>FDE*t@nc(s8l7p!^9o zwGFHeKagr~^??2()rE;6hUoEi?XXuAMTitDWWCEz5#fy$^^ukttUEJoV@ItD=puD1 z^r##!^7PY&a+Y3h67Zi`BB%%(`a{Qeh6!56P^kY4T#@Kw4Qz$n@dT@QRHtLjH+$FK#+4J+&uq?IZ z;(mmbn_H>qubm^DF-?@QWZl(?cBD3u0-}v?{R8VmxCCp11xaaZ*~V?R`CviQ%2)AN z%VK#!p6GzFY@3lTiZ{BJ;`YNN4m(>|3ULmarU~Ce@azpFe%Z#U(X0sNC`yv9ijgL} zIc+2udb37Q$=)Rn&iLrvqEQUw%zHl^`&o@b^O%#pS!9OsG5A`fUiT&O$x4r^@u%8` zc&KE2DRm3{HfHEk45LKZfQY!8NmAN1$YS76Tn3iaZ*Q`758^mxtY=ya? z4P~_(TD>w8Tp6rn_T)^NKZwkkpoB7r;|QkHlM zlo{eq?vQvsy-}W2DuYbAZ}s@ci>v9jC%{wALO@b^O9g#VKh%tf#I6SHLPf+gpy%kU z(f2=1KbQJ^o2xl4fK=$t_q~74ZK>LJBkK)#FUXNW6?p3L?27L;mxnId%}I;3MYRHB zVV$eb>AbB^v+fbHO`uSm1-afpN~u=!DXqe~_On^aCfLdV6oN+>reS`lm3J8Fze02N zBmb~v@cdxCaOPPCj5#^d6f6=Jw7;>V62fqIPOretM!#B1e2Pg8c-d^iUZ+58`j)5k zgVY;$&pDg&v{%D;dPu$W zR1m!4tT%A)Jad~p%|pV~UZ(TY8(~JWWJ4uT(mhru=1u}KD|dU?YkH=`4mp8$8p5v? zsvN)Za7*-)-6uP}(3}Gqmn}MjWr4pH48t!1JxvumhDT3EJBgjT1a)P~hQ?0oESzbA z*R?|MCo85!l!@|P9kP-)rqI&Utq&cdrX54j@!a}lnxyN9rORc+hqLxk1oKg(zz;Rr z8yGG_GDKMymybl%Hft6SiHwREV(ac0QxsbfMw7@OUXh%B(9W;Rb2;CB8J!m06>baU ziDzCfdQ5m~iQ*=2ikuk|o!+QIm|rsAhdcGkw-XcO5jT6AJ4 z!npNeJKN-#LhJj+phy)D$W*lr=kW|5-9T$S56O&L(*1PVLW4`SR2#kB@EkSASK4u- z^_xo3KBCT_mq(JL;`7(aJf;T>itW6#Oi|qvCyF|J9>9>`$8)h3BSJo2w%1&CBce*t zHu4EEtaHUEP@T)7v}as=p|zV_J`i6NRQpE*(0sOK9{MR8>1b$XNF@6 z4K9(?{aGm`7-94BPSLccHN97kEt3ht>j^pzTP@4ozdqklSnOozZ%W{AP`txW#VBf9 zn@OCsf0_6&B0cJ{$CdLZ!?hI>Y7Y!#NT!m3?NtS&@P}fE;`8X50Dm!;yDP47PODC# zGfWpLgf{^%%7urhxcdN{y-2TEwW4T_fpQUXSV;IDns*=b8;!>XGQgnLHd@{b^jdCS zaimGw3?%Kb5G@;v?a#6`QJEV`2OY?ug9qZ0#j@;eQM8|o+hN=LvrvGO5c;T}-shVI zzwl5sfQQZr?LpGZ3%fgI#kP0YDwNWnTPK|2U zwe098E0tQI*9}F7Bg&wUjcKNA8;h%~$CPrE(@WYpJa75XB?lo=r?o@63zt7sR=(WSWvFoSML0mqM*k$-0aDjK9tj3N`SK4H-oEu|_cXj`J}nu9=Q9noU< zXpcNv5eSOpM2V#=>80@de5m}6)$x?xYSQG@p&?Bb^cKv?uC>(my&4%fI?<=~QnTg9 z@)zQSxrQ$a+u`EAZrlUtLfnd0f)JV~8KpY4D;7!G62zLa{@DJnrGdGW%iIxO*M95a znL+K<$;Piatz**C6n%q5=iOvHZTH693n#T`N1w7ChZgfDzPhZF7!>x-Ukda%6z_fW zf}ci6!KHPhD^VhSbkR6T)DEdXbFNmuqkqNC?JV63Gf;9;{N(dZyZb_>ww?NwVYZ>i zAzdn5fekXa>*Wm7l4-f2(MH7Ca>f=gF(P3{W+5^eVok3|)C*fG!Ce zy3a$w)HtDQJ46?)F5UNm)a~$;PkPCQl_U7{1>x!$KX|;bfa?3pLuzS83Mh$%361-3 ze4G5$6`oG(Th3*}@3Q9J_gFa=$GEob)AZe}1T}R?$z%rKEkz($k9^&!BJ18buBlfH zMSjAwnzdx2?(pxyXw`Bauu{w3jz_72QOA5=4A+bAQteMJ^{(yX84l;6XVm4z^*UNR zchcSpNr$yQ1YGpJ&VweWK>dS=er@bNg4U}C=#3x9*|hH~-!7TNMM=0{UuhpKOQno* zn)d7z8{Q>I5`~pqK5}rG6t#O|y)uvJ3bJ+Epo>zon0kM2KfMv zJ>v98l_K9y<@2SKoj=R>+m>|VE|XTd_mHb%Ik%4K!NHac?cXR2J&E81(u@_}=(7TA z1WDE?v$eMe#9lv`+}0aK%i5CY=-EDKN1auSN+ekdkT0vF=uMf!y}1Ral@5IN{01)T zCr~QL98_RwJz5m)u-KhHFHPrS*R(4W#};16=WOb@F=2^Oj^q(<8AiSqdAovRM93H( z69hhPkS88*cvy77%Wp}!p!&><~Bp=KcvJx0MJp1+m;gsG{+H2LSZidUF&i9oI!RrrY1M{{l$4Y{q zjx>sPA88sNH_ST2c$c*rwVvzFf2uS+Rxr730OrX%S8@`!eCIan=cY4eKloN`g=CQ8 z!{D;b*{j+It{e}Ayp5MrFKGKn#C+Y)U+!%Kb)}}`I&!Z~gW9yLK5%bNHfgf8H@Vvp ze)KkYgf^34PK{ReEw<_Qb}cTvd5oAMbAS-{awTYG=9gH_G~R5me3cM|Rrn7JAeyQAHm-WkdCfD{njj>{3v3QQGvmk?bb6F4f;Dyi12cBqgI?{d*(eKN& zVI-N>o;6)o%F+h19eNrqsaKv)qo2EIM<0EzP3y1E?$pPII~5NZ(PLOB`Ea?HRHR{p z*APVyUwUzEbBS?_$fBtN^O$jCk+0)yL8%I@5oKTc)xSikTKL_u>7si!zEKhYtvvHe z&E6wRGcgme1JdZ$d+OzstQT?*$5cBL%LVP?-44%XBiV#A^Bej~(MJP{pLSsepTaT| zUWRX|%{5Kyd(wdUJ{>e^9i+2KOp6q^J88DR=@C|YnefY7exbj=HIe&4%~Rp zn!aWg){}e=NCWk?6J{mNS10N%ZnTg5l^F8mc3xLYNPc)q&`p zCwx0HXT;?PB*|wSvRRJcV!jr7G7VXc>J^3It17D@)H#o8k8Cc7$8DAZJOj z1bvYu{1#_C!wMPV2K9uRwlQmrjjTT$Id3~yCr!=?VP3J@H@CN!lT2D=OL<50IFoT(D{5lT99C{Yx9C~?J8ZLJk!;~Ean52M96 zryO+6Au~lQ%COlDxFO&4w}$y>SrvN|emuKLOStN+Lk(^FviFbJE~)HAaqJ zdPF;`1SO;r$hdkyJI&79>5CH&x_A)|VAh#XTlNHW#+0z=t#yR@MSV(YM(ty3XM1 z*-ED(Yz;|PdW|lr)T06w+NVp_9$)J%I&zN9C+%9cfifNU?%NNUt7MFC>P83KOx0!E zu?Uw8=yPa8iQ=qB3N(8*q}jY%(!%R6^MdJ7hky zVmy7U$<2{p5oK9C?VletHUK5r|LEBS-$pmiM~Y?{wtDlFnz2KoTfz`8P+i+GObV!I zHHpCu{-uK5W<7V}-uN$au2w-oNkgr6?Gmya7g$HRH528QRKdw!a5fR`4>Ro|NO zGm(w=0fn3x`7HSO$VNVpIvCKyWO*Gt+q9D@oc>LR!dAHCwyM{+KyxA1p*4NtlbuZE z#SdH2l06@;;OyfGgx-#xvx{Td%B@o);wQB^k;?3oX$t16M{r~kSNTQ>H)5b&TefbBoqrbX?-D3bH^skpsgi@|Ol^{ygvA`3dEP{)Y1-Dc>J zUdEkcw?GKW>?_;a-TS<--s_6TVS9_T9f0USC%QMlc?e`kcQeQ@4-|ILcM_!W{5h+D zj{8<=>m_C03h`N#MC13ybh5W%+$s;@#%aT zfjvvzpcrM!Hq7yw{AXdQEbc@cXQTgt(A6tVI_Ax#p9-tZ^*Y?qF40gpS5>;tDZHfF zEu-j?JqGt#xpAOn`2&ijeqnMfzrm>R1ZhJr&f_1`+(w%b&>pAVF@?oGdWMDXVGZ5% zaARcxf-30Hp|0 zn~r@Je$y||tH81hYgzY9n$3BEMAc$rx&17JqIjGN*YJxrD#9Y_Km%K(>O`!3cWg=5 z5^4(m9(tgI4txrpO@H~o;#?%qyav-v0*BQ1<1h_4%rNr7y$<_GA4yCP<_S4pOyENb zWI-2P0dKM4i!1a`7S;+GG^^%1-co!j&@9AUEs%2#IFXDd<8*PLheRibkt%Ep&I=V* z%Ez(EkFTs1ehtXc7MguS@|;t~M>v7V+RJ0eB0BQ6RCuQP!0RTQc1vDl z$huRUMpmD3|AWX)$0*UhEzS7mL+@R) z8+CIW8lF5i`-G<3r$F?w8XDSfMl@fLG#~D;jcmPn>*@knp@WnP1&w z@f~j1o$`r7ZSF%yHlS<94-|{l9VM&EOgbakQc1~F=-&>gK(I|R7N1z6-t?i5XG*_3 z>E5fepC8uAFo+I@D2)en=Z)VA2@*?Y`JNd?5@N^(nnS3Zr@p`MQ#@@=Wf;(@Cy8_X zYn)_zm#!iGy^_e&2TcB>Kx3ZY*7FG?iG}&vopRu{o3n)0N~N{>nyGNtD09!a$>nq( zgH0-#C%318`LKn}pMWL_4pSqp!Fc`oNCZgowgUw031VZAjXbEn(S{|P^6S_6iB^lJ z8`A>FZD^Tm&Dyqpkz8u>C5o+L*K1WQ88In^4F$PVowc*%r+@&WRG~T%p1xs)I$Sty9q;ZS>3k%u!q{d>gjiRaG9er zwFdh0R5OQ#b1YdJ0;*oN261E4!OD*ZOP$w-pQe7D09YH#Zb)0~08|ig`)XlBmwV*7 z&~(u9G&iHuvPkw=<1y*7XIuJN7j-H9nb3m^f^}8xA8@Nz@f0eS<~Z+a-~UCyJ4tFl zZ85k*2&e?|Sm+}Md{15tWcU>*uEXPcvO{z&!Cs^uI6hZsS53w{^Csy(Y#W&**14i> z5GbkFV7Ab7z{zIA%DprC7e8E_eMyR!yWg=325}pR(vcHAl?k;55JYwbDEZP9EW<@gc*q^j{P9g7BtRYIP??RRE@3 zhU7IPFw;KA{1rJVCve**B|n?oDuM27Ye6j#hkOHCDk)VK`e7cxKSU4HkG)%|{15WC zr^<}{Jr75;d4cNk>2~W?mR7NDMZfrYmx0G-+{mk;O;=zJ49I!iJ1~wsHlG-J7b_<5 zqG-=Z?uU7h{EYIbnep~u1)7>#j*GoXBm>qurJFq--7~3xg*EAo{+F&F09{sH{f3^q zfg6CX71Yu{36k5MZYDXp0IZ1uU~fj&z0MAzKlx*Q3#RpE=}i$-ehGii3|~Nnam8%? zY-G2moEa_Fd+2q36bH~WQ=1OVyycf4j7#OFS+x>A-tpD9?;xw#?-Tt7%(-QLe(pS? z$@^;j(afy94UqINzI$>v`WsiHBAa%J{#*lJ|6}zuucL{qC0dtpBZqb(*)Hd?=MTx) zweUqo64$4_j-R^$J>4w8{&lCpHrGpA<5|^nx(FpMGRA8x2cdUGRx<9{KWM*!Sf(&| zBPD*i033DeOngR?{>Z}E_Q=AYG=H=a{wooO}e}5V$NGDIOC~4S!2Tv zShkkOdtD4nIhQM$QQd8Uc#A;yEc&_YPk#F3?Ur+;FHyAI3h^AOhSVP~O`^oKdOMvm z2O#iR^#AO;5&*wnxR%3t(LL!BhIH7=JxTA&ma%9(Rk&I&91cY=%`44&F>v5NXG0#Q zh?$y4U;PrcV0j!9cr|~|SRm)dnN)oh7^W5(h9BiFG4kDnslk6sdhVER>T%iqd zkk>w;9@vgrBw_UF-ZyTAp&YnL2>}>#NN~Q@SlYDL&0cXl?U75(efbtJmtPN7hs=J| z**ko?O>r_^+TnB&_Usl&zj32NA;aG1Z1th=*-GZfS%_Vf#ATh+<|Mz01gLO1)isUS za+knRC7eb~q-?y$$@awI=CSzk4@ZZy)!fd+U7&F;7ssZ#0ECBXs>cn^>t}s<7}daJ zSxafeeLfkl3F8V?%jB%DE&t+8PBH-C4Vxt6{#s$FmKYcpDDym+nI zMm2bGvEOeJK!ozUo-gs(s+Yx~t->K;#>S+eL>VG-UPe2dZ`OXR9y6dKIlNYpYyf*} z?ub%l3A9Fc9D9P((Zo@Tyd~K9cvR0$+U8lKOL3@^U+>|VAuU?;&59+@WnSRY*N5pG z%HpS{J=8Dw+IPdaTUY=DRJw1r;c>?X1D)5hT%%3|5d*3P7>uBQ0kGxG2=|i1m-`l7 zcCBb;#5fvYItKD;(z-NzAzVWpMqPeqV225F^zK&2JxfHQaZA2#t2f&8*GIoKUYIe! z63$=8JD&*)TUW8&3%q$#sZJO$!cI$dtL3{BxM?4(0o|!MV4i@N?JWro9A-RKWtF)F zSopZmIfg^`lbu;r8DP*xwqt9vSWGRWntnkBso zT^SH%GVj0(1l;yaoy?)%-~`<$BxHziGYe1+WKz-9L+mB1qP7ffmzsx58NlK ztlqNlQ@#>fj8z}*2W5c5PN-U9B`K{dg7Q|MCs$BV=1 zrVJ>F6$-Rqnb=6q5yBiHw*wdasWE2;^zP=PBxH`2u7|4RNj*|(2HER~BMQ~wL^o4~ z9nE{p482dYA+|rBp$S?dlo^f;u9cuLkBt)bYka$4DhHmTLCGC(-h4b=2o4L;6>uCP z(#&cxj$)ovm3_dp-L$V1GJ6rg{Jo(%UE+L$@46ppy!APOme0IL<=pNtf&D3k{YMH` z$gQ_?X8(lSk{C#aYtNdnxIqoia#%wn_LRH>ngAlPkX~#Etu}!1K z51`6*gpj7KUwE0Cff0U?Qaqp!BwZTCx|+Sq<()KPxM4uYI*7_vC7L^{x-U&kl!;=4 z_JEx8ZI{$RkFq6r4aX358uF~POWKrIXUI^Aj$b#|;2a0G;Q{l@f)TJ*g52ezzf6yw zpc2KZLTwOR;y&D1)JCiJFmlBgddFK2UYu~uf>d)nHIq{>kEkORP zUWu!>Nt2Ue=Dq%%bAK$K)Pm5NW~<8GIi|RQfF1v`b{bJg zRxemr(0Y_3t|24{qJeg-5&BJCJ9Swnp=#YF`n(YPp)MN|M{9gJcuvl;j_^2l>S){~ zDga7y{z#RMMRoRJ*7r4*F-XsilHq>y9JD2WF!vX z72SAOBKqDy8EHlOP?X_s$Ww;65oqq68qJ3cv7*Z+9F*2@k!H)VovzZM7M&Gy`Fve~ zJ|I_>Vq-YMSPR0k&1wackxKg=q$y(SJh<6Io*Uu~$A&j+tH{0v=6LdvhwEceNo=?S zk{?%s4&WNB9TUl`HKtJYTm*9{O`D-eFaJcE9Kv#Q9cD=SqM!MQ&HZ@stXEpLkz|ul zhUY<6PtN3a(&`V8m<*|~&H{hjKzqWiJgt->DHaB@v28@UlUGq`?m$m0_4fZrNWCUO zELI&E@)F5n`Znlgxi0={7is9{47u>y+rqLWW3-MvJZvws`?cDIqYxJv^f3t=`fX02 zl$Ei7f#E=-CNO*IJiKg~_$mpoM=f&ikM@~_JdU-P3*R+Z4x(1hH$E7%mY{dpVDs4SX0d!)g)BeW`^7mq1QGRC}%gB~g9xJmj9?Fx_6%u!X0e zFN3|423273YxAOf8KhMxw-lVE~j%C>|61X{rf&TeZsnt_Tb3S71m*dB-qcEgPk&hPHh)Sc-$p&kU72AMT8^ zoDC#}!?v3U&Y4tG$%xE2pQ$8iQG9)Bk;D{cIp?X;!>w9QOL{0}O35kizFGZAk5vHp z1!s#&hmd#6bPEt<<)Z3CLeVP-6BJalp;U3H#%WcJj1}%2^hyLeq@1yyXLCWb>~yi_ zYJ&_gM~a_RE_R$h{gb!>-*jX^2n&~H`8-yxd>18|+rL(&ljU)FdA`jAewBY@$;^8T zrK+t?;1K)8DmOJJ@|$EknT7RI#muWf<^T$mj-^3);>#%J64{&gKU8A-rL!$Ui2O~V z`;nqs@2KpWR5wEoMNzlo{8Z`h5m+eLHg49meEy|?^T0;BdalN1D!xuh7FS(*w~9_0 zlR`GMU67QrZI?6OGyUt2cU)m>^}FXW^ESXRul*7$Dlr7Jko?;lS~omFvlD@cX=;G zB=H|w1Cc}V0Bn#VO96#GT}~eaD@X+}Zw+?X$B^Yd6}Y17@O>=-vswL~ZPI`-1B9RA zvpj;+VTVHA;!;fd&uz%gA=PgVEA{#Xqu&jW*Z>93VoVEEPT0+CK0#{1y{*RWg6e4? z!3^-qB~Au)vHXb5d!dTrkK3F|g!1XVZA$;2TW5ht(dFh>Qu5H$sa9c;L5Q-Yp4{&B zCls%17wM6)Tw|agU=2NyM4a+t<7a82-1@T>4|2L{W?lv4)ZUA(1%X}>ut8LJDO5jZ zbf&aB$}vNlQC@THA#df%YprIm^4}DyYes(;vFQ7d2o?ka`WRsLtDt1Q|4Vo+h06!; zv(>f!8SnGr;XG9a_mJaPiXU1-9iNd@J1qyH(}29a;NIT57 z1@d@k0YjfaV;#P^uBd6oKS&IaX|LSqvT1sDu=;X_1MGJ8SRJ9~RTNSCk+7YXtraDu zKU$!vfZjN47Cdx1-CKNX$IZXoPw zI7r*J+Ut3C090;26GC0!e{uPX5y&&C8-D8D!2ZlQWs(pv0Gna?^0wJii0g?U0tDH% zr+t|2SrJYvA--B4X}~yf07SDnP{QaCuP`8~537gd0Y&F|bJzjMSs@pY0mvN@|8hxA zr$Z>ODKvhgNCS~W&Z!IQl^PyuuKPO+AYV;B2KpkWCnH6FKp+7o-V)oB!TWRq(XrDY zxuDaqXJ*4yM|xeJF0-X-3vMusvJRgZOVv6p1r>CH3h!ZcxW`lj*6|ohw~oyd!1LWf z)tTHR0|^2}3O=pc=6^uDZf!%F+@PXz;d!RGn@(RE^_o5%8>=y9z9#bpvf}E`C&(n4(yG$Y^SRe1o+6pGe2=qCqL_3m=ILYZmpLrTlYM$(6n}DO&<`Cc z1ZMadZ`C@DAvfK|IZbLHAqtE@v0q1`PTSMZ>5k^8`Us>$nfmlSmy#@ql`OhrSqo?( zFpx8ZXXT<$yR;+}hu$~=K@~t1KwdILP^9`sR{QIS&+(biWls-0MF8h0>&y9FD7hhi zMp<<210XvDlBZI{jBwg@G8Ag*(dy*;Mtaief~FtHg7FF_P;PEYP>waI@|5CG$YCz>BUL?pI$Yd9y0Oxl3 z%#rcm`iLMfLfB31|JTlaWCAYda!YY!x=FmlB#HbQDD_uOBr(i^B2Dt5m5p7A z$Yksj7MNmmRVD4&m{RKi+uybQc8FhV`n;+Xz8v_tbN1-nVu^?d=)(;PRRpFl>72sK z3`jI8=ii#!v!@?5(NajOMTe>}7F;3^FOxRjvoTERqyH?b2P`U5L8DweidB4fblh1*U-hQBS<1;^`nLoi1oef!k8}x;bQ#J5 zeT_`tbRBA~@jx8?dqKc;@G$;39@z|R_=!G~Z6=6E`g@=EilHbPTKKO_+7y5de;S_H zDVcctOo?6%wBbe-d)Z6%@-FNzn|@&f!VsAx!kB=+hcb$K*UZ4LCb#G(W&d6P5&&3i zwEryVs9|jd-#)G`0@_acRP-F_vw4754E`HXVsqcrKEzVD_}plYXDl2jCsnp=qjDx_ zmnRJRYtDTc0Drn_DT{3?2*-`yIGOMkL|ZooThji$Kyn-aNl>rJ{mJ!$Oulx_IRRWE zb;iw&;LGYE?yAtgLZ@rO)E}W$OeNS(=0q%#f^UCHtCd=vX+kbZk`q6>G;3$MxH{*Q zu;x3oHmEGzrZ_F0jK7+7-QrA31m3S%g%M|8keqH*Mqya#&MC3vr>@YHzlc@e*SWFNNU<`4i`5V*t8dFewe6~$t z*L1eY|5@dk_A9@Q91tt$yqBIF-bD+(H0wPAtUpN>9j^BXs z4F(JY!?#bGvMCPSfe6+Zm!l_FldBZEnlU#5W-0}lA7(NnPRMYhVMtaYxldn5etXak z{XMa>h%It3nS+!B;-8j>l*f>Pc=^dGNPjOTd3i0u zbT=s(CqRTR{vQ$Q;n0O9Sw>|(^-GdBeHo^R`%%L~h^JMl){*~D;X5G0xA4rLsJEPHhx@@+$dqm2#+ENaKG(wNV*10-dVNjlalt@2 zB9Re3rnA~QG}V_0CKCM|bu)Eo67^j^P5~Z+3Js$n4AGH`6OliJngdG8H&5Qscx}RD zRsV-o`;h_-@X&#G2P|3w=uuZuhl=2l^M4D34A}VA@Oy~EA2(YG)Q1^2*U-}i3 zg2{#GgP8|fg#*5o3^6}iAidJtV_k9@hFr3cVL#RgIV8zAts)Fy5g0PiZSuQD{T_f` zzS258!NhCye)u1H!@{(f4Fzw5QgME+nOWU6L21uR~D z!vC17P_7pzXS#$+RAT0^Axjo{OX+ifdufZ;sQ6}|=C^JO{4on*HcZQJ#7V)zcl3X4 zt!BIe7l=T!8vl16NG5% zT*J_bf=39(sX*q@;2CdtO1nExsZn3Vwfxoo;3w&&+0NlT3{r4MGu_I}+)-&nWu;g$ zj=2#iIpoNiH*oZerg92!xjs;UT19j||3AK#Rjcp*c=>J@F%^Z{m- zPVw4tgj)t##p%9a4@BHn>O$fi*xjA2SSQA81NGu7!1$t5Pee15J@>C&t)vk^0C~L6 zw2UjD^f&&a^sF+4ZN$C!?*~jZD(}s(ejouZ=J^9d9sEMUD8~%YSB4D?eCaFl8x5IH z&ZPNlg!qQ~9~eDNg_Dm|#T93MOCJKj`x?;k9EQ8sxBsC)ZycJHiXLcnIm;d|!c~Xx zy&{5-uXiS_R(2e5&3OU@x554xuSBi<+ckji`4vE&EP1sA;%bZ}-VqJ`yoAt81SeBE zc(x}>`<>ijyw;93BEZp6pEpHr0AiQ=kE2t2r4);dDS`;{V8Is~fQJdpQ5Ie+kCrY~fawM&!vw;(8q0)O|oWNVoBiXuTGffak_V zKfcw!|N6i#%}-R|1J0~}bMUxzV!!z}nqH^nKCk3ceJ1MPZk8A*@;RA0|6kQtFE=LJue}_Ks-vVKtxn)I^0eXt3y#lD= zljRDP`_$Z!A)@fz!2zeOUUD^Lpt*n}@KE{eSLi>*l8@I>RgD{??9uhwLahG_PD%YW zy^T5Zo*gLE-+u3zil-xoOtRdPnjrgrWc;l5!>wy8ok;gPgdA#Lv(F>EHaY^=Mu&4@ zgZF28lAPrt-|eaa<6dqy9K$=k z5$GK!c!(T{Bg#vbV)VEXGJu+s{vA#bUkCH{8a3uX==iFB_5A-ObCoo^{Hf_ABZQAE zg*3Ti=kDC~a&3zLU|ieg=Br!~>y3lQcb{G@5!IMHxlNW_6QVd3V9sp(9y(MmNR_Jq z1P>1Yn5^r^Q2AdwtmOaNnNJ0D#t);r+Ama%YE%f$sU;FYq9VAv8FZ>h$_>BgyS=57 zp#JY1u?a$4*Ib2R|2E|dqI8^q?XjB0{n>F~x1vu@>93B{YYOIrysv5>I59DNEAyU{ zC;d-kH+ZdGA_-^8UH=I~G65^+T*cOdc_+O|_{+sfmtGTyU|%24#^Yj;n>0D_2)pwk zp!=!6H4Q$d?VY@zJD^DNtcxpm06*z7)YP_V03RF#g@~;y9%>!HYv)Rx-y@}dv((|5 zrLHej_MbaDsfgzT2VNDW5v71|Pl)8=MAluW8J?QU(248zAk59F-6(#e1^fps!?+Gv zw776t>RziDUn2}D-0zHqLU_9xdFCcObUO#uQlU3zTTCqy$wT=%fqaS%Xi`feb&Ap= zQW5|!wP^59ai&h1&Qc?yGbPJ_!kfcBA-$`8MqT>7dQ=ztHCTKxE9n2^Hz}I)znV#t z?~0_VGvB<0`4%{eX_hj6ps*fMy7BUcY6jPLvLw=Ezp_2>?~sKRh#x=9Rp&ZhyNg@E zK&D&;E%ECxNucN`P;M1A&;v6)!|8=ZE7xi#VUxt^|?*Js*1Kf+`xbep${kuetaqpe-r2NgC#~<>$ z+E0MBn?8D96GP|t2l;%4d`i<#k*ir#!dApx$&v!boYCVw+NNAoQl)D9Qzq# zJ{0%#`oO{+a<6xo-9MY>UiVUL)!q z;tvd49)1S{*)=(rfg%RuFM5#HtV!5_qASm7c5e<95!_YL;7?^#CFYv8!v90tuZQCx zQCqBa8FW~eA1aaH9kN#-}0y|MIy;m@@3}~i>axbRv zbY8~`e#XoI-g>4FdwTyL#xVlhqHX1~5s>&GjC&1e%zqHpwe|~mR2^xuK0ZLm1PI&Y z?A1MnWW^NVZKHbz*P!~Ruwd=s2$(x+=syK`SDb*~evj8?^ye{!g%V&xX#WILN5#^G zoT!1SNij$yCRB><)riGsW=N6%RcP(a2*8`Z2D&CW41F%Y-St0rtHo)T{UOQllaGI2 z`q3-sP?SwN>nW#^3&=_D!c>>x`{`Y3e+1kk@ZoRpSMFGI zYmft3bN6#dJZ2FyC_c|TG0^D%i{hzBbK9&IWC+`}m3 zWssC5Z}Qh;Abz=lGyc0;fXHdK{x1KG1ybyU7XkJgAl@O7tJxgE_a8V2yUUk+f3o&A z!T;CZm4;K zICeBD9|<*X3LTiBGh{Vp2Fek}hE|M0*{*ybkdb*}f6VC~<$+O_n8Ad8ITC7u#Rj|r zK#3Tkmm1B#n_sy>t${y3bjV)JsLwKO$=#Aekz>*bjGo<;=Co{lC%^J8t-E|e5f+Uj zr^2jd&X;l|{NQX$xZ@JOMrO%E!B<;Wr>W`3bxb+T zwyYT@Vg;Jy@G2^=Ak$YmIb|+r@C-$4#h<29QolzXW`6}7imbo|xf)!R5g={duBwN{ zeCbf?kLQkqf~YdH&}rx~;_sSJOj{~k5qF~a!VONa>(rg$P3SIf>#C6m3BWKyIAGz> z(dt$5L&a&$-;E~ao6K67NdiZ2CBcK5ify4*H>D_gJ zvTi*f+8}rJ!+A=k%pu}Z!Y`<0E)?=En=RorB0ZN&(UR=>20b(z?*lN=Msn~zyfC$! zD6#;~NkB#HZ~jn-<|#L2NdjRET}si4D<@lmVp)wiIk*N7xP`=&xq8nZUcqdP-KMRq zL0J2^$?`_)O)8q%X_Ou06*Ab<7<43baix!*n+x{N3741!>k0uoWfIx_fn7@Lo)Mx% z=7)WmU({o-CWY%h5Xu}Tg#15R2J-2sLef7CrB0AZ;Ya2R=fJTlEm05c(8Z>75fs+X z?(o16S27Ejux(jq`KAWo5|s*BN)*wZTG+oQEBq z=B=?mPB;bnSlVsT=-CIn%kI&akRY(;@voDob;A^2Ai-O{<{;C3L;d(NRd+0ukPdq73Kw{NZ<(OXGdqr*Ydnz=XIqua632xSNpLN14nIK$wZJe;J#(A4 z?=u6aMxHQrV}n%l3t#3@_RG4%R_XS+t|8k3Sxr0G9mDm$R`&)vwP#=YJq!wl4jIdI zug0pqxw*3DH*-x2wP^zx4_^`l)AtC0R3sQIbMmWrEqJy<6Cv<@9u6{v$8|82p$B4f zyf<@n#M!Mc=S7$0@f*Iaw!PW;+)v)~fzJXcObT?IW73oCZsj)rfYW0v{Or_+DoyXz zM#}Z+eRG*$zwL#?EYb5TSyieLF=4|ljS{}kXM0f8Kk>n$HT$k}G#4c{VZn!X8LCZSH${O8@ql&{!;pd|2?nuovI*IrmQ!s@vf+-gg zl>Jzxpl7B|I-iK+1W%S~EX6Sssst02qGf>oQ$uMm@Q*0#_YMa-EvT!*Yj4~=%c6ZQ zuT03Q>lM%^=9LLAc79Kkuw5C0qk(HQVBOG=yaQ!OxD!H^nC8Y5333m<%oGq##R9Rp zQP+(lJCEhOxn{plkC#}%A!PA&-bY_kWkbWUaB1V>p;Zm?AA~JgU3uh(EE(0(tmCdA z0Ni;0yrI;h9f*OyY;pwPk;dKdK7KArcg;NHp114Vlb2a)@v83(|B4bVacn8aD3h7v zL5g-!8A`8%7zZH8J&k#G90G2ucb0(O;u?8OCpeqzE9f*9`S`Ba?wNyAWUjsl6|wA~ zU7Dz^?(9pm$HXXHb|`%>+hNfd(*|dE6J-p+g+Kt}z^Qpixp(A!qGfI=7q}YG08KCu_`X1v^7u?2!93G$V z?5>J92dV^G)`oA=^2{T|(7cG<1bh&Aa5Y4H%?HF`bYaYPIQs`QBF}r!2$QY!>mgwzwO99fbZ&?SmCEt45Yek~ zG)nrdg>VCI(fZsSyb}l?(x}fXl7;}u0bm5+;$7uKkBi?yzL4v{h`GVVV;)F&Kk@IvCG0|58b4(2oMo1aUB~;RF7?4e#CR{-y(P z`VESy#rsdZmD$CJQgFUT zUTN!3?Hqj#@##vD-t@baBS5@x{(NMLFK+X(wKDIn&3K{dgu1z7v5ItWD~i2JFS|K=tNzPVMK$vz`-+$hLt)bXE7B2HOepox2oh*!TDF?$rC#KCYjUNH~~o)uOe3ZpVeUIwbQoZd^7F^iD#i8w)GXfab zt6PhM6-bC#|Yn)r}+s#eYQt92jEkwHwQ& zV;D(**y;g?ywo07*~Gr$uXm9XId~sn1}(KS1m;SBfR^-0tAd=zne0?6ImYp*bqa4j z=1Phl*`b#EZ%{9KKIuG2H;-SQs~S?sxm{w>@vC|D(gz*p2?9>}haMf? zXDy1aB3_w3LH%eoKTHzJ)Xmf0I-X@S2kKaN#5B6dV849^gF*@4OXxchoH;{Duc9EU zJN)@NdywVpTBYyc3pcQ>l6|W>4ps@NJH2d|_u(HEI4*P@PqB&DFAk_UzP;`f0du%> z%jaN6)Y?g1Y0`Gbq|;*3n?L@ZM*z=(<=qZfL%7?jXK2KyJ{|@84_jL|O5f2KDt2Ie%5&6pnOa77bT_@gIZk;w; zv)}5!BAC3`kq)&=JCVw>4JY0fKuwL!a?ty$!eal6)AEO*?CWVbrk%@r11mZ1Yg{gi zyt>8XK79kd3n2?zdx^f8nrn&6j;v6oKviyO?eT?}^%A>;49q5R=oD|>45+zbGM3Q+7sqeijhT>U5Sg_mcRzSN?`g;@*ECoOH zE?-St;J?Rn#kEd(Jgnc~V!(_&jmd<8WyhPWlb;%q8s$nZqXmv%V}}$2*H2Gr40p?s zMlr*B%4NJ92QP{{su>m=sJs2>=S_4AUvZtIkd}WfmpW6}ozRzJfMl`QeP*;C1MMS9`Nj7N`}!w31B_B~PX;$Lcds%ICe`KRZr~bs zMKctIX4cQxeRGUQG0(eCaDB?r{eFZbl~!#nk{YPfE*4Yrbgb^{(upTNJ;&sb&bmyQ zyk*DgjdKlA&Ag#I%|(dPkio{~z%T?2g#31mI#6G|JRWD2?aXFhp@ssP@gvPERnyDu z4 zhX=daKeVen3{$4kQi4gkU)RbSOt<#;v`f;z_VCBr(-{RZHmcd(s+#J@)vNTbjM}!M z4rA=Zr1k|qOnXyO&P~(7EfE1BKP82vU-2*SY9plUj~)bhiMadxO5EoZ(0&vXhERTq zoL_RHSGk4r*DfEe8moosP;rIPBu=P) zsu&+ul6X5PYgjI&5vqqjZtH2hy8Cc;6%BnFFj$3m<1^v+4M-pYfjCKmC)}kZKZcAx zJr1M7Q|&iNJkf`}9pr|6@RQeiYyB-sN6)a9ILQ0<)D>j~%Dp9+?ytR{1>c%i5BgJl z!!P)?}WDN z6`W`*Rm)H%yB?}6OT0-LnTl4H;7zaDBdya@wXe1>chr3?1#fra^uc|_SNV$`f@HnN z-5k9IRu%B3U(E!hvBT@ui(#o~bV zEaO=&XZro4`HD$gR+1q|%C+ms>bw~LbVcfrJ-55Yr(t|+Y%acEEJS^6nnrs7Dl0mDN6+T6SQq0m<-n`}uR-dbvBSVJr6QH89zHy>T7nQuRD{W@l(jy0VYe zL!Xm*?4>7~nG(e*-ComKLz&-*-E)VWBHFl%>od|*i#5Y^Gc7P$XwHk6cpYTql6Emc zPUw|GMi0B`Wh{INe97^j^pD<_!v__1$1+O8*ozF2@f7MIJ~lC-wn)~*{i6tjf*%ocDdueuSDc|QtzMjhmJW6sE zSaG*5SG}WVl=wCC!PXR&_;A)m{dD7r+3QtXy$;J(j!hKxY{I)cG|3SrEAQ?RYDEZ1 zxO3{bo{=vs8%j76ps)x_Gk;`tWeWy8DV;}wyjWlqo>Hw@LTemLiWB&_WH@wUh( zQ1{@zK3y~HXUJWRQL@*pmkR_1m}k0cW=cUS&Kehdrx(Le+}%{dGBn|3@XJTn1i2JH zsrx}6rl3OOv-9DQu9%qqQSGSF(zs6O5SiZFok1#B#;&ZUgIDnPxK@vfj4L!bZV0L( ziJSc{F^bA6$D)66)0mg#wUEuUg%EP8}PxPN`l!R8$+<&oeHA)IL!rXTo4>p z!``KAC}Bsg*N9$CpW(f!Tl9^ZrtNENL8e}{Q2&jlD=lLMeDYW+(`-yJcr8uYA#!39 z{d?yxpF^0q23&0lcvc1@7gT7ZODeA2ad=#LIi)k?2Rn8U}LmmZ;^-~JPfX%U#X_P7xK{OgL$4r5~Xz^<0#`hliDYnd`K;(DKyze1*djhBfTPg@0Nj1V zI)^c1(fe5n%nDs;H7kNeR(YK8NCaIV+Iw|h6BY%j34n(O;qYEF2n@;qH^q>{sL}GT za$sNUn5-Fi;FdBdl|2GG)1dYGPwJkjT>Z4ez}E1s{=G-UE<~UEF=8l*(UKE6GhC)} zx!J4qKtp5t8kFxuXD!^J$NerxBsCn_oE-;0oxTk2vT+y{2bofa1rlYv@VV3qwPDD% zW!ur|lpW|4kByJo$hg7} z)8CNgh83l!0b@KP*x3FiaN7+n5RC#WBr}7NC3+lokQ&PT6D4ltonJu|IIVh-+nMd2DO|=rc%=fSaU*G({jA`*tTqx!Z0%bQ-@HQxe#RT z#%1wQ^s)`Yv3`ey z2mQfqbqE@?C8;dTJ#Z~k@Za}C-?&);tg+WMZ6Vog6LT=k zVuh9r_%t|x62$GO^|dP)4XupZ-^@v6moz60RH+mJiC><+@N~- zN4G@8Gfa>>eNUN?)28cYde+iE#^VO!cKLVdmO_AWTF#WR{o}r9SQi05XTn+o`sJ8$ z{_FogB{T|sG2Fd;V8vkg}UjteYI9i!< mYFD%u|K}n9AE#>yg>}~`$AH2ik>d>br=qB-P$Xyi^uGWfNHf;} literal 0 HcmV?d00001 diff --git a/latest/ug/images/hybrid-nodes-cp-to-kubelet.png b/latest/ug/images/hybrid-nodes-cp-to-kubelet.png new file mode 100644 index 0000000000000000000000000000000000000000..b9ccccc6a7c1cbd768db2b2d59437252fafeb869 GIT binary patch literal 227767 zcmeD^2OyQ*`&L$&m5Rzv6dBhndzTd|lI_}DaqX|$d&YB~{XFNq$Fww*sVEsK2?z+NR8v8cJ@Nq3Y>y2ZYDGwtPe=q5Z{4G!tFFc=C=dR& zx3NQlFJ+{;9SVBH!r9cF&jtmm3ySaw@Ckq-d245s1E{1VASB4g&nF@#gy0htfJQVw zbR|$G#3uyGbWANxoo(>CgJ$K1bat@;Q^ZUdZWy}ZVs2`W#1_v1zzpSVfpnfLf;ti8 z6jJ2mmj!j9kC42Djj5HhsROuhGzFu=w5SE3#tViDwP<58SH>^k>MXCMu7}jnQ$ipQ zx+*COSuAc1Zqva-+1b>|S{-G90jPz?ToVXUFd?W-3(vU%At7)D6<9gL-C%o#3Uq9| zu;ZBl=nV}W#;dlp*}jY8R@ZJZVsnxh;Y0TL{zXzJ{Ya$i`@5@nB_9JVnhFz*Eq zK?OSVAjPY8z{Ua%@CHISF<}f?1^J=cDo7hEYq)0te(W6wQ@Ap=z{T3s0_8sUJf;YL zQRcu11JfCW0`1|g8UAg!l7ojl(jG!y7>?L}0N(uP&*G-(jH8{u(wv!>r>ZAXV6Qa- z!MoQ&$5Kd0PLNkfd~W4k(4H{DA}s*0v6m=kv^B~KsGLL!q2Np#UhfMWWH3SZp$NMWaBGHQK=*dl%_pgVuu{=Mx4u zpeud6I|>l)LM=l#6d=5XE?fYEu|vwE>`@S9Ss*PQSV2^24gd!cog5%k zv<*NYS?mo58w(3)zH*i*N3@cugN;4ZqzcmB4GGo5-oTDk02(}0acM{Pre;WcIa6~x zE6n_tR&YU^I-`{Uzr&6g>1ct4n1Un95gGv~!QRJo1FFKUa0&|XWB!3!?pQn*1%J=2 zn3L%|TEIkT>THF?BK@+fEg(GiEVRU6K;Q!N z049&6Yb#v6g{Bmrn1%c%tT#jqHUOk1Jy0ibYP@13-m(0VOJTDfUq3+fMt;9=M)A6ArD>g2?9DL;uS2s4UGnB18yEOJ-}8MUe65>lmT|_ zinh0L1dJ4x*AR0B>WGC6V4yHN!tyITmhEnBgGTB&nVLh8b_c2kcnac^Fy90;G6a)_kV!E(kt|6FY&MR?e!RFVN!ByT+iRvAI3U)xy{mBQF-p5x{rBj}pK~ zFnm0Ij0M1AS%QWH98ToeBP}5bMu#hm{{G1Ucnm=sX$2|m|MCP#)%uqw%yA53=Q*rctW;u@Fj<7G$S-9E z0tit>Ia$yJju}A8;2erBqv-uiT8GFIl8!K~!*q>L>oEP})4Gr-_Q8LI*3HeeJoZ>y z*n2rR?QwKO901lil2=f4ZYp@RE^qJZ0&!D8{{31&krBbLdoyq?Vg<2j0e)clgCC&c z2mlwtzgoh-908|87`r){LmJEygxp`--t`Cq6U;JU!^14x7TTlj$xVgWx8gvlI_ zAK>*m7K`+w})`0IX*B^Lf- z9{}chkrx0~W$|4qFvKC7A72jzB1vAJpI-zLNlTCucjueP0z4Am_Y%O~z~9tM@JlUr zVaW8t6Nf^uc>GBwI?neBy8!-N`~RU)4s`+;$WjN(lIg-837Clgw14Gq^aCtQ``Bgt zdujhiRJ<(Z|IkDDFYQCvi$UODO8X+PsDo(}IDRp_;3v`klJ-UZRQo@R_LmF?o<2t`4KGu&r6=JD6H5o}ZiGAH4f z%6x=n`KSt156|VaOr!;01NnawYr$zw_2F6FzU38Pr1U5%h(b~PWegrm%s+5vfvF5T>D8bB ztrp6~20fRjVTMAZQ4XLsTmg;^mKjvqxfOkJGjk{v8K*hRbqc3Zxx~g)E7cV4}@zMA^tbV%YXuc zMjFpSVHx7X`Kj>9_2NF#u1{6a2yxk!ozVvVL`YSKAOYS@cW=S z!0|3=hgcmz{&|cSIqV8$KLL(}NwtB})|{=(whHnCXCahs z2MIRtCBQGpJ=YAj{!%~toCh9QRC9gIx#1xL3+tQ5c8%=_XjgF8K<6|!$9TQ)im+aM z;JW`tyNl)rqWuf|`SBDXT^=(xLBPx~b6tLl_9&2F1h>9;evnjM9DDd%p)ZCFb9@6# ze>?br!~zl6A7dDdSWsvO0=}TI@bcgXt`(5E1w$FYf362CenIf(ce4RWr=Y<(82lMT zQ#M5--Jx`$Z-DWiU1E?<3q`WNF}DAmC0<1Hzi_=Femc)V1VR1<#3b=_M%XyUW`!(P zI&o=;Kn=9)Gqcxh>!qnMrD`2MB z6c>o9uxW-6VS!9xBv#sEOduNvkW4EJYqoP<1VFk_o+oqxHIGZ5ln1$ZHkeqe1`GU~fyCiUY$gy^<-!kbe^)j8dATicC>!=b0fK>65nrIgRq)06Vq^Gk)moSJF~L!q zMQSSq|3zrIz@}YRb;ZY$dDQr33K%|~f$BIVa9O0pscn$;1{1(PX_hV4pfTix&1hbb zD~8d1L7v**6L$s5CgR(fqCl8J|@FjD^Jh>8s;<1xy=Aq)%h1>G=Nb@8 zdM?D%|IcaTbG!hb&0;w(eh~P3ocA~NUjEWJkT4twfn@}2%Ry$!_p_Ae;#6?73e=w) z=zsFi62~k;?7KPS@ZexW^G^p&;88CbfH1%4chbrci}ODI8~nt}N>n&~?C)h%e=a7x zaM#E}h6Y43E|vi+pg30{EP-LaCr$-jpvwJ%oiK}(2HXgj3wyyb?l10k!KMTLFY+)^ z5v*bh^RS;B%U;|*0uFipGdxlh&RWGy_tylLzsVy7_yxYlrG;Vez+C#jmq{-1BElXA zh=DAyhhfj%BB!AMKh~Fn|Htx99Zg4GCubzIDHiGIW&<`8J3u=jzvbarWcDl@y~BmK z7Dut5pg4Z$3>UG3pTLB)aOv`xE2xbHw?P{VuR#P1zW{H?&i~3DA4vUPY;i%BAV7*= zyT`{IgUEVWM$<<<)AJW7{ha$M=|@t zVHXXy+i$AvKQV$QD)K#swcM5;1e_d*Z*Ss4A~0wB4Ll=%CyUZXI-tUxmciX6h%PKE zA}w~4>ACLn1O(tnilE5yLRZDp z3_1n^htV(^1B{!;U_7@sEast+@XooYq4=NxzZ2Mv2*ukL#R8YXb^*)|96{hH`bO|# z5w`y;+A%piK(zp$U$%W064Q&B0{-^he@wI^%>|8Z9D(8NXpS_7Ml`o~c#&TZa%78% z3L`PQkbllLUTDUP*rJGtoFHa15RUIbV4F|K;f1>Y$JiibuRyeeWrDD;2)3`mO##?) z!smc+n(ptz0I{3%7BIj?OkrvM6@D(?auNz!DU39OmJ5FmJ07-Ru}E>*onW}!v&9UF zkDni7PVk9A2U-Dq=kl_`9hO}`Pq>3_p`Niw zjlIIdX+fYuVfTLFV>L_+zYkW!wD&!0}CTxfqzz@S1 z{)k_C`6B`Z;i3Q6a~1?vPh7ADb85)nr&|GR{Z+aZINJ;u5C7^`K>NiW^zu6#jqO^x41LGF{NA)M1 zfcjMmlmMi7f)9QYlz<>`jVzPBFMzH38|hHk^pbDOZ_7F5e%=$IYif;h0J)&^o{1m3 zGsLmp44_FZNPz|^&p?+3z!MO~<_CW>MRm@zC&-8Kt^P4b$GuGY{%)w-(VKW&mczJB%;@Bws@53=*_bwjCSbFvkIK~wmXA7JHa~=Yng&qPtZ^9B1g;o-m z6Z!-jaTl{0#Bn(p1@%{;7&2y~vC;(?%;o%l+tuMeW ztUK#B!lk9wBi7%6r&;}rOPHgwf7bDY-^V4~;Y9y^xP;ZM@c0r|xA_;B=1!}I0rV3! z;YEB2&H=j`ghkG z3BVKuQy47g@hA*d(C|e+T=x5jegquY!1t*va2)?`hNlSN2{;18=K^!cfJcE#l-dO( ziKqQ8h9f%uid%q;nPB}Q3=}y@HHNTfQ#@Mgy8RFcgpTjaQE83-(1g) z*VaW<6)Ed3sJ_h6^uLhqzU6+vIWFJ|@J0Y^64<|?Z|EfXdD_H{~wgx-?iZ}d181rKGrhEBU@O8tz0YW3sXA(KW|)wvF5uwfbh>?TQ>Cse%}rLZpY;-Vy&gWajOud_x@-*A@=07Klgf+ zWhV;fyW;s6mI$HW0=a+BO>CIWdP+b>VvpMT4`1i>9X~9VTmFmE5M5wCP~y>|x2Y|Q z(lC+Zp)_=U*MH|h2)ON-i`6sS4R}YV^V|#W@J}0oG!N{78z4@*Go2P3ZkYXvl=Zq$6YAlee(!?^rSce(~?E8E)%1-kQPgAbcJ1_ggaotk#ORW)RQ$ z_sl@(?HL$m@jrTIpxE~hYk-}f_y`ZjKJhXB_e;PRSdL50ITP_*`Tx^r+Rb@X@d6oe ze$k?oA&?-1O&R*DM+#z(v_qn;fyT7(*fVg%*8*SkymR*(qXI2p(wKyy9ScAO<6nMv zn7pQjhN8T#BJM!LMIj#WvgNsc=Yv6iD^mPs=N$e~oPeSKpPzF$*TWCbIsD=J|KYPd ze;6`caHQy;#={>%LPu9tR~2CDvJs7c8V$h~Ud*P(Wd{ct{tKxS%ON15!tIv)=5eRr z$>m?j1E80iF6`&WSnx-AlZ7XEPx*oaH~)4-T(U8B5i5e{{#Q7W8SdTAym(w3?QH4@ z_KeNFfEmDeaZ>0XrX@Hf6k^|)SJQoC3ZS#)k4yc}$A@`y${3 zU(6rSO)OV}zqpqd33%uX{+t`?!eoKJIQ)5 zBHxrt|2aZo4ubwkYy(RLe-U4PF|a{^ckyAu-+=O8oW~FF{=3Y45t1#-k^VzEhxsjT zvl^K70;WID!XFm;#Jp|NIeU!b>+Tf#hp(+A6+A z`!{5%{r^tnfi0guoTs+z(qReu$7yOf&S5Chh-N7%UJMo9sY|{ zm4zv@-#lM;*@=G(m;Que0`my~Ie3A8??qo~%Pd*+1$%=2eXr0TPNu^|k8IHJEgQGP0MUcD#SgiP+vDxdO zys|RVR773bRYgt6PDj{5K=D76Cs6Js5(@?_4_N;EyoIM9VygZL-hk~%81cPaIUL(q z0Q+S(Wc)UaW!a_p|0+$EK^lCjT^1I97GoCRz#ND8y%&9{G=bi|&abGU3J1RDgY+QG z1pNrWFSx_=i2N5w99*9E4->etsndAj0VtUEYx1{|_NFf2^{B?+G*@?&vmH1+8RW;$ zZBPE;TgKr;b6_i4pul?_F&V{kNcVT*{C|g7!k9wNDClL$ii=$mSTjl48SF4r2j}O4 zO(b}AFn29%Os$+v!TaekH?R+Yd~R?K5mcg_XUI%Iz(Sy^Agk+P)RRb&f3j+}q!6j9 z@&Vak(90IZyJzLz)YPZiQClgZOCT?sPN%-zrvYR+L_sRXWydR za^Jn)CG_=mfsl)ILv_Z1(YFchyV~>LdEPkN-+rX9;T50Z1GK6&hYZmVKD49(ueKtB zWKYFK5>R~qvz2HK<9#|6f0FNi9&eFJVYNr+NB*FmioYE3=#To0l&K*B!#fqeF8W7R zwX7RAvk=mM|3iMBAUNb^*?`;+>ah?~Qhg%+0qkUmOjjqD(uznJsr(4cGARMxKLVTz zi#>qwW2KUnsz0i_72!nl{lx-zgVg=yro@P6R;M^ip&14`B?Dj_msw2k!o1qC4dg1;brMAeQ< zFT(tD*l=(QxX+c$?r1)I$B<1Caeo@g*(b`(wGd(gN-}=4PLp?bvNIBGM`!wOICZPw z#pn4Ymr(t5TyqKEMKE%MM=d?keGwFU~ym#oimoc!Rew!{TX$g&Z_^c05A!fP1WNS?o%M|c)e(4NXeMQC=J zo?Hvalsps+!|AG`2UTzgIpLu5{LL^zqI7lZtNXH#uHlQUrW-f(rg{Fj)ox?9Yk8Pl z;OgD>@(bX@tqfL%^5&J&NTO2DJ@d^tot3d&&Dhw}klXGrqd;y!%YJ;#>unP!LYQi} z5%*=IeC8Jba3h%^Fx0Tk28EJ3)+&S@`JD48b6<@`n38H`ToyHBy8rXggZs8=TRV9c z-r70e7vNK2NB{+G6W6VXR04E;^gO%|0Tx=cd229foG4=+I}V}{xWyo#u3$I@#xK*( zI}f)8MM{=Nqu*+;E?-1Mq*C$F!@5CTnad41o46yMEZxyJSL}lch8O+ z{BLzPG}tweK+nKJd6G#|A-lqudRWntd8VF8!t5kHUnxzW)!GerRRSi*g(#_xOwFSm z%M3t%T5fIrtb@-Jy{SFc#iqwJ`Jr4$7fyjEAc&6fZZk6h3#m1s%n2IW4UJQx!KA!W z*4CE^8v7-A5gqqB)@2o`m9c8+5(kH9<#5-=;AE3b4_$JpN#T|?jAp1TXN84LI}lN@ zBgTl4T-#YL5@y+z$($hZFjSU|mkSi8WYf|Oido^JV_h@YO|5_1?DPYN&qv489Iw~L ztTO%jzV|k|b+l`^HbXbMdk@2%O>IxIET13Kxl-vJvCAXr&{pw|o=<4A8UmqCu>>E7C$S2qmvT3(+OiWaic;MTnwxn`@DjAQt^Ohs4$%yZJ@rDt z6m?g|&s9h^T`n!nRhAz2dcVuHTkWji%PvLZJrB^GM?waRBf8T(yTiM(MIt1(N=oEt z3RcEknTe#VV)8JaMYouwAIz1DcB7^H=iKYo*zwY<9fgNBd-n*W>)kTTbPx^a z+CY9}qVvjNF^%-|ssqNnS%ouRf}aG2KQ(ofUE2MrSZM#lBjc4qhu_9x=|-C_AZRrs zdV+0=*^F@JD;L5fad@2qFQU=iuvoTQ|K`#8Oz^8}j|REg$14V3#t$@j7|Yj%?57#`RjNWA z%yNIQW5Ug@`>sv2+qxY_v6@oj3cgbV%KhHC&aKgpgIDeu>G{ywSQL2MrCmeZb1-#u zx~nQk$dydXwde{hH1O_|GTXD>SP9~t}7Q5PnOqnp(A0YUVPYVC!a_6lu^ zcFZsi{A#Q$P*V^(L$o&H{iqB5=f*Ro{Jw*tgU*FHM=pE07aSBEIwhrgx#61V(ED!x9d@VY_H z8SS)Pp-8p!(tZz*3|Aefk7GepX6g&Yn%;IuSnXefo*1&pZ92X!UhY+Ec4}#(pq865 zmQM?)u$Tss3JsTCtFk+7O(1U}-+H{Ya<(^!l$_XlW!{Dm&b{)zT$U!cPnSN@PSvab5~aNzTbY9?|@bA%l7xo5s56*4ZfNMmR!$uGa7WM zH_fP58P?o0kF(7|k0|7dX!4*?rlIn5ro%t3Vy0%g>brTm(__QfTe2=IUa6Wl zlff6VUftc`Qe|Kl_a-(&(CT=R@={BPPZt44J=1&6HW z(s=%Ahj+Ozn?wq#;UUlLLuvW&89H{Qt2tTugS$6~IVGp6#ymq!?up}jk>oeSeO4&% zK+9q0@?mHQ76klCzG^$79il@JL%c2C3#g&?+RyU z3z^{+T+%j=eWirZE%>#)4_nCqlQZiecfs$qky;aIh^H)5|OjUGA1SlX`W znLJP@l{4+x%wRM1MW-u!oy0C~P3eKK(dkWjBPs>YBCa(=y(cfDxhdz@o zG5rrabiT*`H?)KC{xYKmThu5BVy)vWvmG>Dr3ZyDXm5iaWQ2A?$0k zoZH{>#%xiKF7O_u+}P*TxQ_Rr?!kNZ+y@L>y&Jhor=Oi-;@aufqcticV5_jtzCQm$ zE!S}!^HrBuZ!n)6YmPWgoaf$Oe^k6HjH+^NDbdppcdU?2PmbNTsn~)#xOL6Lhn<(t zS8mK~3bf0r~`Pt#LM?Q@Rdt?xwJ zc~nbY|3e*{LPlX*jyslbqKCVySL(4*t$&{)8%WB-Lu_7j&~!WPhvVyZ+_>o3qd?Zv zy`ykSyGl#O*g9g`;}vfX$FZ)WT}2GLF8GY-4`;qUFRCfY#2>Z;`RdGRGUg*%!^El?Cn{5YOF)Z(=PtX!{X{@Q~5J2kw0`0K?D&76J@?R-Sc zN^TS&-{+jDv@>|W{fn>Ok=y3(`uEXkl^H&H`O;&;Wsl`At8Hj4;jAd=MJJLCPn2({ ze;$0j*6n4Tx}=(kM`2l=>)MDxq~nNc;Tlm*QZl@?l_gKzl0tYfz|diZpD?4pMzvQd zn}YL7DzU?Lx6GBZk8hpndH2D_&{7OFOfeSCx#yZrEq`xVb#HfN`X!CA=E|uciq-jC zQ>%dOxOHUM}@-_>8`xn;w0R{kUH9Bbqj^ zsj0V7P-+0}q;9%R^;Z#9IG_gjPoltwI)Omyr8|Us=Ew1;{vr{ffou3Yu zY|_4ErYMf?h&=B2$iq}Vl$z?CGg&u%=a^HL$rRlw!dojY2a~waUo8nBr(dt}zL^o+<_N>cL$KJJd zw+=TeRZ&k~)4yZcWu;?XI!V)Snq?w=a)Z#bZT>@@6(t5vKI4O}w><{Ts>p&U6Xq||D+R}f=sk2JjY}6|F629iMlbr62R|yWW${XGrob>sT@j$Ny z>Ivb)Rr@kMvvx=5rfLz6yM45hlCOE_5>Z+BPUl2Q!>b)CUoVfoeA(|8tDH0#M6@Ge zCV0*Bqyy83a^1|=3JgpMIkcSRVvc!Zkh3Sy@_Lmwv6p)cu===O3~8x(mES#k+hl-J zfA*DSZRe$$A*N|BmCo}wG@p|lkHIN&Dw2?ibPp`*fj6r^Xt-@Bp+n31lv-n)?6yitXr-#gxaL_w zMe+NlVf8X=$W~EOLbv;Z%P0EFqhB?f>W3tC~+_bvjsT6tU#V2Xn?JS4l zLsS?Gq{8~H?!6S^bzUworf?U|Wi+79k`ff+p?_Q@2P{;yj`f!}6|0>8`ed~xN6|$^Vlng2v5GvK zc(wJIy4T20FxoM)*VQKwmp3MtW^p5Gsy26g%+8Q_nsowEd!4zw=24{IZ2FZ8gJ+XA zZA*wPIp!HJoF&z@uj49B9yw+AH2bC`otgVt;vzz33M;v2Jy@u%Lw)#DiqHw&o~C{G zBaGa4)&te+;coe$Nz>lq51RLtB535+vaM2+|J?50FkD$DRKeaUa&VXYgB@$ui`sD| zkGV&&DMqi_q?krGKv2P51PD>1LvY2($^Js)$a)H;lp;r~FTz;sOJzI8Qzpqy#|SCE zEJR|r_D3LME*M@Iu({SP_UJ>QZIN#7*O?MzZMdPC!({K{w85dTJ2LDJ?3htn>wQ7O z=SItmM4dBl&bG9SNIAIm*X{5jquSee+u8q#S_G-VCd(N-8_@?{1TrqHm==S;UyhBM9 z5JW3U=3}g5E%VlIP4fE?^c5BFmdYD>eG;fmCuF`>$OU$8tsW&;v<`be#?P?LPf{wA z@crXY#0Pt15|5qXoy`zlr)GVV0WC5bUwD<^t}Imq=bkfHSv#|7T%|uBl$2WY_1h~1pri_qx()mPIW_`5&BvS0 zCw6@{OG@Em>Y>NoQRGyo&PjKk(vx9i+ZpIYAiuXwcy}K0?EhF!zE`qD>nOAR?<>AsB zZBH6`f8r)nwXxqcZ`!rW1E@N~tTU^8id{CHns+ibMakIGF+xsOVN?c-`7`gq!th6ZbRQF^*NCS&i~)jf9eVlO$u zhoT;6X`gbckx6&WYkx)8^C+cQd-|lG z4~{A^X8uS~BCyfk*sfhnfiR41ztE)>=G;)+ z;?62(w(D0q5WjiHo5FgqS-x;4C`8EWt;Y#TQDAtct&;1ynsMX7OQzh5xuNU`YdTir zhewX5R5f}i$5M=}(O%Oj_wsWO7jVbMoG1)q?4j#fyZ(3x`_nbSAtsu_4cOR2K;<5m zKA;`Z?y9|UI`d$`{_AGD$*I=|@{yhrXmk&w;Rnx$kP~Kw%hJW?G_t)MrwIp#E&+pl~JeNVq*=x&?3!fe!R;m1DsZ)MJGRE31Os1RIh1W zN;%GQKkbOkcvG_}Vb1llW}PKzLL9I5oh|4!-Xx~*EIg@cy1=TMy8PNxV$}%)pn2pL zDjM{6t5hMpUtUrDsGcC9<2AG))hP5i|J3z|+Bb$y)mIn;13hm1#F;()g#Fis_S}4t zbShF%v?201v!q5M%t%=3fu|$PCxy`4{^{|xgX8TNiY0D3x4z`QMaXq`FaL&gv|HaN z?ieo3GtDKEN&7xWhE#~DpF`AlKR&#QthN~d zDT=UFnogkJ@YeW6>Gg5$HbGHB|ln; zXAbjzu@sXlzGYsL3LGKV`ZM+K@U#~g$*<8-Dxm2RsCg7X%qh98QxDDsaIt(hdfRCv zrdBTS?0(93B*zWA$>X!_s$a$nnCo&VrN{+W)&~VMm6`Ne@!#GiwW-JR^Ss00mOA7i zG!c19Iz?Sn^mSJA;%!Qab8^*4|C|2awkbtPjdbCqH=R0ndjbPdID)Vs?*;K_-D)Qd z=IQ=D8~De3sw}k{`pR33G`-ksKCRf3=3}LqVpa26HA&?~lVbExsF_1+hNxB(>8hva z_dfaXR_lss+oxbDl%etM_ykFB4Y$7f?ynQw1rJ^Zj(T@Vm*R{U6&523jM_4+dW@0E zt4HPZ*VZ^=o+~!|@^3v;^>)YcC2CeUZ7eS8LsC*bZ~%_sN-@_pq|eH-jHR;zCE`o{ zeYa>NY(24V$9_XOt>=k5a}svCYc#H@w&ZO&e@IRq@hnt|n1X7|r~>FiMTA?|Cwy{p zGvM8rLg=HGD6y~Y&H46Tz5_Q79gS6m?7Puypf0M`J#Z~3484=|iGh({iJVWRY(=qA zu~7g&k-+YLW^(Qa4^{7jMIcpcSV^aVfL*@KTky<3Zfa-(2AQf z_$bX@zM9;RiW8x5D5hh4kU#Z6Em7)#`r$XxozAXjGKl)*QkCR(v+JF*J>7cg^93iv znt|0^t!K`SUQ412_)<5OW$%*HH2qd`;zjkHUCigM4{v@=c<8>z-iK$!HIFe#*cM4V z;yL|tPq*^<@ye4b3ChQWaIqQ{2PiS(UK2Mr!X(uR-K3kxNA0jl@*-0s`N#p8T&s5% zUJ@EyQlfGlthE)(4X>D(q1;(pCU`@vgTeGOi*mqn}YOImCio|sj zErqGoo-^C`Dn?#!qO@Jj!mA7D$%k(xLOM~7%zUE+`szDZr^}a0MKaaTi}08|IhHFf z^=Zd?KcT04U!CENdClx|a?{TJ`>!8NW20~M4`scbuX9DCt6iDdN0;Zo4f~yvU!Oeu zK=7L7kbW+(y@tkmj?13szV*Pp{|1|zT7^xt)~Ai!ckap_Im>T)G>71Ur#j$h`>t`N zs+E%x%2i*quDy3XmS^9~b}37Nj?3!jcfUC&T+n}sR^(#nT`Fd&PcQbHGT|0Yj5RV+ zF3=LiB^KX(v75)5@bQr>=clt$ECz}z?j#yk5_JhBYx+g4`AklA_;wOx9wV#!d~RDc z5PtA$OtyF#zjv_ZEvMqjbzcm0*o@kq9iGoX@mFQZCZ|%QY&(4}XWvcUu~h>E_ngMh zahxY!k-F}>9{bKw58J@ByQRrwVKLLRB#}FrR~(KqB2PC(?>^u1sr8`sR-MZyca68i z9F?F0*6O}1FR}_o4ssv5?-ZRso^p~Vo1Fih&*VtD+(WVJMwxm7g`p?qI%`keyCwBd zt37PIr!McnbR4TZX?6~9YBt9l-Bu|TlOZ|s35wJKo2N_vQGK!R;aaV$8%O2noc-9& z){a{E;arR_Pru4Od?N^F{>)mla~8~cs0**g~{50YcqM^3ec zHjIGZQ0ybc_D$o-c2XS;iHGc}L*(S|w|L;ish>~-)pTI*DhW3?wel#y%Ui2H*UWPg ze-b&?$gUvLonjK@gtIxv$)k=_u3?n>5N^K*c6Q4U4akFpqTmn}_if-8#h@3A2vF1< zqt36`f0S-%LIlL3cWN`HZ&Af61ro*uljPFJGp`c~M?sCMt zQ&C7!bKn*7_L{_{95L*)OKgNS#86>zUgILw{6eK&y^_`QGfBxKqaN)?eK_fq2 z>jI(~OOio2u7P0FmIDt!QVXS$o7{ro?_~!a+geY%tAYNLzn;ON4@aXQWJeHFm2Lt_ zA?9y(Vgn@DFo_t%mgIRK+igWCkVnShLVS@jt7xI5juW8SalNk^^X-Am7g}ijKWm-% z!bnL)N7T|ff0LFNw8zoF29iRg-si7gFt;GE;__mZZ215>K?I)S^EaOmK(o#vU&9z3 zA-pI#<}(-uEp;||R!S)?tBesYTp~jxAOqSPU&RH&C})Fr1t|$_dXXs?yIn@0%ec=pY2&t>Q6!+4HU|tL;E$3!-^2d8)Nwh z0H$!Be{wz(2ZKss>p&w-$TTqxe8Pxl1IuywOkf~RuFM(1Dzc!qHmwv2AE#*xLDNtA zKOSzGUmr}`QXk0MXynrz!B2~d+zlo2aISn~GmrWh6d{2ydMlgAytNHcXewyh>A-^g z8c^FGWc-l!k>HJ(ke(b$ZsJcKpkGkR5)i}z+GUM9J@38(J%mANW@TGm&)~H1IT$tt z%Uok%wE$BNyfvd4? zlqRMM83!_7Tej@V(L8xeDe!zo@xytddE^6-n$5iHdrd^>vLh;AC+_izUzj|=ApV7dioEqJ%nNKVOeV` z+$b31_Dq-1bKMtBbFBg@qexsh3hzx+8CzljHW;0oz4@R-w2*y`kYv zKXba0btxTHJiiW?;)66#$@vbSa1rL%h2^TV9t6YL%r&_n3yqLo#TS6`J+Ip-FODek zgZ5#mG&x%ySE@QjSxCwbZ+m79US=D#7%caobP$1*l=u1Ldq1#Voo%e#3f?2~ z6fZZYaWj}f-z^Kx`NlAe=EWWW^^+7-Wd~=p*f;^7vs+uUV}8(MAbTkwFK`~M=hl7~ z$;HzThHrzM0z>E3w`+}CiCTKDS`1>IRBOL#vtsof+2-lm=i~-75&exo0L(iHU z=MfnI5vW8^p0$O=g_R(UD3Zs?a{fD;=$hrWX=xtxumS?`s?nA#c!ZmJo2C&!XXP&*GnE=FMu+k_o zo+Ogj17t=x4>TzjuFfBPxsB6rW~!@jyZ&vCEnyb%RUiV`GB(iMrLmSrS8LbwhX7)- zmQZG2EmU=uu`!75(q_|L5O+~}I5S~aH7hy#iT!|~>%Pjqw4F1++1m>K#~J3irO!TE z;qv^&WLg>nMd@APjAKRBu*$==ojyf?BWQuOIAFpqRk(? z4Uv%Nw0CegvEM0`t#uF?H7mSho9B()XQeB%Uf1)m@9#UqW$uW>F@b$OB{q z5%qaM)Z7S#dkpy!0u)nU-$|FJ>u{CCygDbGv1@kfYc#KcNJ;e*=i)n7?_P#bF;&u{ z?tdn2_lX^5T@AA0W zQ*(>GqlPs>a=21Q`=Y`z4u|GWPcgrl{CtpP@iO<+@T&`wc@4S!pK^78jm`#gJNEb9 zdY1*f+3DJ8$3Kpyd^{&?7c1u4QzOuyM(f*mznPkIrsfzmmqtP)2$a8g;Mz@M9!gwb zU3O6$M5NP=3cRk$N9uKPj!)JJKvsVY}acb87HAXT-DXX2nPKJ8AQ&LgCms1u>{^G)+m{v#2 z=xnijhvFS8HNmc8zl76uC9{JM!`<#AWpV`HHtIA9=@Us=psd`|fH?WK7MxVjP$Rl* zzBXJsucBV;)>O6etWT0$USD0_p1x1H&6_DT9zj_sZ<=%4FWhmJ$`e)ve*Pr)2A`aX zcW>$US?d*eWgi)Q!Bx*~UU+)DzP6$}%Wa~!`^1ph+16!p;>GGNYzUA}S<%iYmiGCR zNH3s)xR2R(llcsq?}*uUJ{)UWDLf-%RtYi{kd;^W`sN5ItP{JH$VkH9qv;nC77N7N zm{={VN~3t-O)D$f*v%e|gjeLXh?KVvhq^xU(!Hju3Q`zvaeN(v!^(Y)4x#=_--vtwcH6T#5&i2){bXTX$$>-yFIT zH>686Aw51SJ@{CZ3Hk9|sN^hd^)~Kzy1cPH5wC7Zzk4xI_;ybS+JjR1=f`kUU>Kpr-0vR|4atOOKt{WHnI*;8fS*HWi3tA(U zYgepfxVm+vUh}h4X&Q+VMIp)c5!o{j+obeWMq0lq6G}RZTCi4%uAYZ<}NN!c1AA*&J^idFB-(Lmzx}zV(F?-AW zb0lVg{yHT*N-N3Mmv1SeWZ1qHxW~Tkq!25Klp@h+&{~x{dH9qewdc^W{8o*xr;~Ph zYV%8{dfvV)SY}SCXzhQ8VO2tXg9OS>fw+E$c52veKXc(La>ULRmy8H)tynlCb&3z6 zy_l|~$FL<9N)4Y9kTa3#rSKC0xp}f)o7ZpR}Mj&nqxUC8N_bP8c-bYn+|tU^%yRVr>TbXWR$)I)thIqT5zNxl>5 zIc{OXZ_eaKye_1<>=g8obeo#z{Y32@tB8ECP+gv0qjm08 zvr+qP>+?NTZ5v4F8Cm>grvfAgo~+isXRqI1Ip9viMiRtYDbQJ!aiBEYjF?_U9jkuP zxNHLY{QYfvX&KXFBjqU4W94qO&@%F0VC>I|Jr$~%(Ny|M;!~T@lft*gk)rE*BgYFj z?{hFYO=-lQeZnekBxh~(whB((_@Q@C_YBq#)(M(dnCj=v#_ldbR}bf=+H~%^{kf4@ zu)q4!?n>*uQb}E?*EEwBfbvom-l`2+5;q(Qs|}yw-tn%UCu1ZbvchV1Z*Npv=RW41XvyBY?Q!95Zu&k&W2l zCWQcYS_c!SmU?uB`paAP5*<-n$kH_%W$Zw16y%^v46DyUB{^4q*5%g_1u4Ua7wMfg|TtRK%`9AX*t(y2+SMZc0EE4DUzPdt`jAxjt@gc$Yuehu^93 zkw4p-jqjW;n%}6Af z)j?K9A;ujsee@$yk@lcWyuXa;=+vdcIAdS^Dh-*t#22Ye%uB*g@5|Vqo@DIZo6XVr z;meWce$v;f6SwucHBX4ENC%T|i06JD-@R7Fy40>!Q$=RY%5sww6)%u__^IBgCxWEu z98jXy6+V9|*Tvx?YI}>d@-Sy;snh2sPHriuDCZ|RH*{r4>s$)lJ9dUAMwL9&<1+C5 z8bp2Yy4g&|J~|tr$BmT@vnuB)x{+lgvy?1ntBXGP4ZU+2RA?muWQ5mN^Gst$@&&gk--)VQ}dG+;eyDtx^Dn{R*+4i^y=he9{ z=PwtyZT$xdu+IcS6S1=J$7N%FASpanCYdUVusDS3t3l(sU|Tw>6gwFx2R98J@L5=l z>pE$>6-a;DcW(X8I~PhrR0M#UnB+zOzWcQu`oU_u^Hxbd`>UvA&?~gZtV8eCjWrVF zY~!&PHPW&6m>MWK&Aw?nT@fLfW5}x6wD(jTi1;W%x6y!0^jDJ9uN-FK67I`V+@J## z`WYyd^h$wgn1#Q}>KnPN2o{OPKpH6(!Ob}rLY>+fIwVd~y*nk+LzhVUQp4I`FHm7yTSQ9Y3J=gx+{|IBXBocn zDxKt*xIy^tq+Ell?l4FHJI1x$U+=xh+aq~}h4z;J^T3T8Dqdv1DSVL}JiGQL$dj4! zZOhm7a6c(sL*!yOP|%~Q!p?1zy%vxGDm>Fhc>DE+1?m`1Cj)Z{ZY5gyDHP` z*=|}!8Hp7)BC4-+GlBG3l_(-*VTGeW_+9&a&c;?Pg|J`N-k%+z9KP{3x>I}Y(`2gf zFI&{lseFDMeENW1yQ#kT4py3P7a2prrFif*>`NUKmpgjDn%JPY*H| zCzYBojJ!E7nsvPV(Jam8T~`y{ZWUXZp?~Kx!r`Ot^hwvE0@FsqGql=YCIJ0*o?25h zdAYQ)ZR*YAr*3o`i)zmH=dmK;;^F;=9CEW#q9xLAUwq-=`(!!Ml#0~n(Qsl{owX3e} zOY{8N<{L_DH+`1v1=v3^trTP(@GPm6V1U%YL?w;%!c}iV!gcSq&+y6R2N1}9W{tiQ zQoV%-SQP?W5JUQftUTVmz(cXKubK)-$VkT>=ianmShwR?W}RR8Hnv7}1)+T3YS(L| zL_HZ)p)KjEn@O9Qxw+h9pMS0>>DcF;R-zVh$ImmgHr3*-nloS(+HJjQUD>3fZP5|u zPY+NMc=R^+k9w^*Y9c4!FK*B}z4ii;iuA4n>XcSr-&`Lr8}&|`EHoqT+Rd_d_3Jf^ z4{h~judN+N_0jG>PNR4Aqig1VJ+G?l9nrlW0X4V{!7QvGT&waN*_x{INPw{7)-@fX zv+Ig)<=9p8C9RQkQeu1eK;vDY+!ZJi8+Z1Km#eg8-{FLhZ<3@7CC*-FXDp>j7zUQy zP(9<`6(6He>Q|0Fr%2r-cw$Db)IXj;NRyD6+O{mEz)qP=V64dK z3B2ifXG3R@QA%)+RuUa`NNoMyJA{@X_d{~RUud0OaK&fKN}_t@%10x;7vxc3zt4k1 zKEqW~M=8qJb>7vo4pbpc%_~z3$S!RhnPR0bqN5UO@ASCDNCnIewNO{E8z`S^w$5Yo zsbEqC~nz0AHw%fBf@qw!HL4Vfq#(OuS@olnSxcI17C>if={01Jr6PyAWvK+W11-+`y=PRnn4E8+9FA*qz#rA@8KkAIDq zup+IbXrkZ>x)lcz6i-Td5Xsj){k|0Ev*y=OP;H$!8Pm=0*F@_4nO%KlCJ3rsBMoG5 za0KSHXWLn;=v8Itjdm$Tz2od;h2h#o8>5uC4!Ou%KPt#}nfz#%wJ%%Q#Bmo*KwGfH z7B>csfB~=~8x)%~KM7niWJFje+a{3+DQr!txh1`Ae`Y+7h`uKUop9PIX@zIsjD zvt1-Fqn&|dgLm1GO*!A#&p!fr?K~32zmt_*9-YKQB4%k4_!-ynS{u-8%2kFod~Ug?_y!@v@m*UK9p4 z*zIQZ!?%EEO;Sk--^^X_21yjogqlF@=QomQ*ZtZQ#s}+RqM?9d+9e{?kXVDw9u5=cNlJQKL=R^Miu z9^0Ac6(B2nwwj8HJUKz=63Ft_x&0#9$CNn8tlx=h-H3MW-m$>SN=!(>MHXP1Ntbf- zVE3qVOOlKovSY3mQ6~)!W}4}4Xb$j;4PKxmtZdK{LNfb@CAwkO(ScuoJVeBtXyP7t zDn#rsXgV#9f41yF8_$>Rc2<0YAcy_#_A;Rz%0D2rIX&vR2rp?pHLr@6*~3o)Q*Q<& z1iH^$WhMLcrVPL9r$LLTn+W>BP!JabBIQBF9}b{sm{&Lv8ixz38O&A9GT?mGrZ%%r zo44Oek#Qk%_DP|)>Ync}6^TQmUfd}l+$*K5icI=Bxk||n& z)k6t;b=F=?XsY3R8w6;#iq!A3Ji-MauXU+}d6g0Ex}WWn&(LGOXhrfSEw z6W}pfH{Vo4XQsO4#bBJ=lV|3NY~_M4Z^b4^bJ?VQxS^vCB%R?!fl%86!fOl%g82EXT&LOeS0)_4Lk*d}i6JY=IAhI(cnFC%DCD%*2Etna=O7E}ssgQlw043esx9yddl$|0abI5$%wWSs+sqo>;vN zId(>5qYV;Va9=x+NDTPiRI}jW+AZb*Aye6-AbU*|y`=AH#Ei=h$-D}28N_|>AO#Uk z)a_KyL?0XP>NhS_BASSYC*o41;ww_OLW}XOo9pEY+?=iagOef54z&6O0OY19h(1xE zwM&EEvrVBzXkP~4>s_$3*SAYYXSWad+3QTK((ytntA&A}A7d=Crj*(x^TyJDW$g0N z*nm1lck(0O;;m56#TdrRJj(nZ=_mXN%SRW~7j7s4$X-3bw^Xj|g zS|K@Ct1D*eFE5QKF5koz^?h@A-fdUoIt~034wejF{q6}of^?W*w*JNvGdWfI*8KtC z^#SW}ljrLpJ~O8~ z$0B$k!3GOG>QF|YxI~5wRhYazUsH`v#g@T9)MWFxjjWTb2r7?~-~}dB{+FRnGf?El z19|I*grU5*2jAy|A_0*8L3m2#^(Uh+z+n?_EcOpD>D3MqszpCMT>~iOo(MoCDc-Z0 zM!S#}=0s*myv`AZA-cswIfa&8X$GXk`6Lps0rs3EPyj;K_pdfz+piz0i9Dq*IG#W~6zgwiusUk3W19twN7;$z!(~%JB|Lc%FSi1IuO#G64=8JjLo{ zWN&XDKbn|dc9$d@LaGJWmqCZ#U{9@Gn+&zhZkt%o#6-*hi~J@PUtCHf-w=wCCQK?k zQYn+EwwP6S>Xh-S05Rty2l0=JrS8`{rlxQ8t=`{lDLAjQ%Jugv$Vfjb+|fY>Dr|TS zZR=4w2&__s>D@ML%6N98bK8S{m9up$v#B*QGfNSN;&O|bJs25E82j6s!TlBG#a$S|+@rECBYQ{I7IJ|W9tYg~v!5+nls(kr?W z>3Lvjg(B~-agwkY1UpB4Jz?akHnw8VqnHH5Z07I$I#UaRgdI#Rv13DpN?qsJK zl2z{mwFdCbeY){eBj(k4xgTUM&DPoZ9P2db<-XNS!pX}>i# zvG|Jb%uinDD6O;Vc(K~pS~Zm@H|G3WwUKggKG&;ljT0Xr za(~`9skrXAULQ?=C`I424KXa#)*k2! zP_4V{eWaQM$N#0njf}AB=(NdGK_#d8g#!dTLNh^MX3cO?bZ*dgARn0Uo}(M#3185imDC}uTs_TmcvC7w%v{2hOT3fsHs6y)K6 zdNd3QdtLJ_|GrL_FCie|jsuDJ^UkrA-_roN-uQdXuz#6NbNbWvKX~3!{8>Kt`NOzr zn#hf7P_Xf-p>$EFBuzUPTzM}Oc9_tsTr+VKh8yLO_+&COBf};KbO+9TcACkve@a}8 z7lFfLa|1Hx(crfqT1_D-&|aa*(G6&DBj1h~aZ5!N!Ro=JxaYMhyc?NCBVdz{B9KMB zFO0}!)AF6KGXrrJ_O1#C9X-_)`jq5Q2RW$SO z);nZGfav?IX8|E+$OTeI2k{pWd-I`;00Q$>uCk}3n18IY&7}yNo!&Viba_X3zB8X6 zV^B5CwN(``Vd&P6;9I5a>pCH7A=+gxP6mFL+>znAqV@rP`w39Q|wXqu~A|6WT zPa5PCYhRzxC|bVCm{th1_{$v&3UE&rPXPtPCgz@OXEq76V#VSp1JP%|bCw==`;ON> z-{?B#iO*sn&rS&dN&PL=aXX1k+?-t@*Azz%xuN!pP?LLzr04j1lyI0|0%BQ2X~}l5 zRF~PfhQC9cakv&>@I_Iv;{rsmwtP;I;lth4p3uaf?ER&O9RqC!l6h-bXW>}jMRHupt^V` z&ulrd=h?#`!b=TbOq-x+*4ywGYep3$J&S37C@a5S1ib>`5U~9k2Z4W;Pbq`^QGwc% z&u$>)vTh8#p}vcMoc>XvicG#nSGtBEn!n_e&GcLM0xqlHG#Br42$ze0A}sqqJS{Np z>4KGtHJxr@0g}Uyb@6}mqM}ZhJEJ>ai^8m4UtU`t?nbAYU1DI%OY1HKH~(lUY;G)- zF@H%eRq0FEFp2ORh`xtZD+DkSLhPx(egz>^2~t4lHLG-rzp^>adaA?LuX8LGQ;b}f zYh3C5ML7L*?wbk9C&YhQB>umR+!DXgviTwP+fIS9-C!@cd1aB*_|fZ5dqoO~$JRn7 zPP;Ata%jHCfhs#}Y`yQF0$b~hs_SneCEzmY$bk+3B2Tu_uEzX0yX_Cf!Wgr@n9tchmPEw4c2a5 z#9k7qoP4tOfjgF+$Dek5uoQ&qu=W2Y!1>`4^ajCy4vTs~0n;gzNj^lX)F1H={-gMd z&hq&Woh9ivF!Ym>q!$JlQwMX`x0tVlVctp7r45Q7A$)uF$^t+V zqE!>W=;K)EhS<%3h^Tmm)^U4#Wqkn(PQ!_hnw!l4hL#RM#is&V62$^}^1@f8X$Ji% zQ`O&od`tK?lr8aN^FwJo;J~=dTm#C5EpV}zF$abj^q{>J1B_|DfdXjRsQ{4AqQS*{ z>j=Sxsptn#_9BEp<;P+Cw(7=iZo3kZV9T06+0OQ7fns;?(2XK5qOv)pg2ObMSn{QoD zw`r;6(okK{IZYuA9jDnh5`)!I&)zQiPXk+=^YC&&~)T6YO z7x1tE-RSLY7)uH8`LSK;#;n^c`e4xF1vOs-k52Lg_{Sh}-w$Gu<2#AnNxJ#Ph|14! zUxx=$v^dal(*pbD>N$aVI{^B-fq*JUqs|uMLehLAXp;2IGO74=jVu_&Qc);GUc;}k zQJ~Nbbh`uiZVzCh84jfJY3agQd`(~~J&jD&zg~_Iz|p|%Ch@#}^9YBF9Z?jB4r4(} zSw<7$YE}mTt{fm*iRN*#%Ab2X<3F2Vz#{t(z|Lw&xpPCvjLa zf{yM9PxVN?9Ex9U9Q`YoDLpw~lyivoV#WCY8jSxPAimU|i-ilrkp9*%|D^rdKnlzR zqEdkKF#E%EYP>OOt&lscf@@%iv zkC?}o?5G6>om0!2b6Mc#SgCoZwDvpl2FPimgV2KLRKmw)A&xs7^KY}W%U`7Ns^Ktd zn9Shlg924TQuadf^7UuO61U?aiRYYdHzyM@p-93I6NMtJt_9|6hEJ@;KY+hR{L1@L zOL9*8t#O$hXP`#);sK)u;N^;#MDCu{z>vm2+}KD#8t`9!!XcJ`tAIHSxV zDRcy;&Nm?2Z%DY0&+=ugl8Ls8j+UIQBDvn@d%OV{UlUBcEc-OqT`p@+NvAQ; z6guIV6htgz6|LdqDsKi>BFHiJxl@w3ZmmJRZnWuK#H9`U{4ndC@@lD zieACbcwe6rKGSW3wZ@hu%Umj{nO8JN@tq7j)=DHz8vs^JA0}Eq1EQ1A#5*()LQ+62 z45D$5Ea1d#FX__%8#+LKbH;5=lQO(+S&bnQ!5>|I#^_Dbi>jjx7yQb=TKi)W>kmR0)l?wE7~vyu--o zO+p0wiIQom4q%s$)T?fZ!Ma>7Dc5|ETaq(rNzsQ5=WE_ z_5-foJCA}l-sQ>9tY$f1zP|U&WRT4I&6^w4D`^JouiCu5q(nM3v$i2cuXWf{^Lm1V zuuMJGds`RKx6LODmGW0|6SOK);{`HXHRyv_R9dltCO5P#a`Wp~e(V5 zEmHO;XbpR(vW;N<;8RsP-O#BEmIT>C8rz~!s51q8m58WQqo(0#<;m<-`-;czwHg5a zq6Z2IW+*W%bCY}O;;Z` z2`J$F;%)jsdmk7Dk-9}1@Ma>SthbpwrXr1}0R z>F|ztC|;%_POCgGZ=~3CIu2swCZdB-rI1NGuWrGRmodSroQWW&DPmgg^SJ10%Nds| zA<|X~nKpM4h?vjo>Sy@2@qAS-@mC!27A%&?$a@Sr2-hWy7U+&b&~Ic~f(P#*5FW-+ zjv=QMzGpF1%+IOXfG$2KmVLvyzbFs3nbLOzgB>|C#yM4y3`FUWqL_Lm%1UfaLLwc5 z2*3is>+Lz&Aa#{Y;1gNKcA)}F+BCOAsW@OKq|3<+)Y*jW8bJgm2wgmi^zNrq#y<8e zL5eNxl6|mHaCQN{DiMvqsMIHxqx((7?QyV?`E;6Kaw~ve%E=tUW#9O5!%5y@Z(c8A zbPzGWA`bS}YY!6krX*ROxUUmB1^z5nN-`DJe5xY1h!q3EDoUhY{FcD97bf}!X!3-O zAY_;uY^ejwR3E@9YT;ftxo?-E;s})F@=Q~?TjkXqNm>1Y^Lqt_UNmH&)lPnVWCsX| zD7PbdBe#q1pQrOTMzjP@$Y(u z#ky)_rqvty&(N;ufX6__rw(ip$F9y@{hDzLGC?JMz2jSe*pD%_Uju>KFh2i$MnQ9P zJyCyjdpTy1uElGQKiwvFBvqtD;dYP}7pFwzwZ8xCe&uL=pp6J+v+@v_0kVI#S@L=J z#A^iSJGAYOWa@0Wbp8@8Uzouc>H5fM(npM*T<7HxeV&5smVA zyzS;f?OU!S`}{^`nOC|3P3|4N%5Lptico%TgOO}>I??FrBt#|3JR%IU3Jc&3PN7D_ zZ#d~1hen#dHmiZk$~I5h$zn%KUQev0t(w|VgKoU3H+z}1=EG2Lj|IScuwPvJmN1aq z*@aCIIo_ERAcENHQqaYD9{v*%9 zqY$m`1aM&wh5F1FLQilIkJfx$JOs$a&sP%3%1C! zW=X|7-Zb_E=6%REbh8bCT=1-CSHw=UnTjHCtPE_h=7DGA7G!IDS@=3jz38-hz)vX+ z+O}`2>G%enm^)_^t_7q6t6D;rq=?c>Nrb{MyCtbd1v5}h%z$yn!p|A@lr#q&c>)>< ztt*`P270Vp8?QtVRAI*bY z2p9l&Bw*lREyNWI4>0%B44zJZ6G?juh1a~k; z_T94ckjCMUT3O*l*sw%{Z8{2V&Ilk`wvBiTkU6aq)3R|c52*Y*`hw6N5EYVzdF`K0 zk5tR^7JHIqs!#01h$-fhUC0#q|gfUS~hKW=KU zeK@uib1tb5Ex{#g-|mf!vcfzetD+PNGM*ONcSL}1t`}xBcqBqcp4i-Qt#V)8#7qBy z0+C94W26hRY#*UjZR?d|?a@fxDv;gN4)9+U@2qxh*(md167bud>)#T0Wg^0DShKS)}txoBK z!R}>TubBJXY#|9=2-YV=w#$#kU(g6S2xKlf#6Dh7B6KXHq5H;B$N3?4S05f`?%@NZ z{y3h?+FaLan=2<$gbk@zYH8Od9TTK8g}>{2-H&3uC}@S2%Qj8_4k?E9&k3#fAN>3d zHf7YL<;k1x`1haTr6f$_pMgZV=lbG^*w;%0!_*2u4Wj6(aQ7M5$c)_@T~6FCYmm_p z&`Fdx;&g7a==Moc3TWU_jQNN8S^?*SGiyoE-t0Durg(yOG#4p+&$VpiSZ|9AXAcRCcQ%mC1>qhNoz=2NrGe=8KRDnT=^w!aD=Doz;+< zXfqtx4}iYRRmtT`2|6`vy>U%Mm2C3aTQWV0N7$-lmeHEX)O;TSLjjg1D3ckHL-o~% z_hM6&Q>@`QeqoYi4>4`7Seud;1bPhtWcTjbqx`?@7l$AK2}{xcjw3Q!B5lgsAXzVR z%?F!Yy(wHuHwYr{FtHWy8`#K-D1&Cfaux>risTt9YfoG<= zZhr6?EO5oc^|r-TDMvu=@65EjT3!=8!SX4w1R95l&8q!ZclQ+FG2C^$vq<*&PgyQS zR-nwJD}f_b&;EW|xE@mF?Kp~pB!MTEPODi&qGfqaRMS_pRe}r9|DW)iNoV8?qsahn zY>yWeL0_!58S54{9hB#iHCA(@?i5q3t*6)v)ZU}wzp;)9A7K%*nfEDwA(%NV&>i2# zFiv#7W77*&oUr4T%ru==igmQmghRRjMN*G$I8fBW=#2o)fAf#z&Ml=qF#4XkdT*(&XYj%ncw38##81O}`1Q7urV z#R0 zz+Mz8Q<~eHH4Ctt<8hdSGY+N{zAxsIWL1#kO0u<&%20p3+y!Z|Ozvju<*j0I%lC-KR`Fqa~!fdC)- zkc37zDpaWEOG&EMdF2%^o&l23X8{L&A=2@l#q0=$IUDZ;P+y z+!!4;sXl2zzmv&cuQV-qn02?zh+n*r0Xj91K-$xb*et`tS z&`9D)!JD(6T@_aKuz<>LLt>e3T`CDpaVu9T-vma_ivl^kMth&(na?NjfXmd-m0 zomVaqtRZ41xTwc@VBNJ;fkcRZVv&lAXdMV;Pmu8(@9)a{!>96p)t2?3_9TMP;|OSb zOF%>W>kzs)FjKf{{=H!Q&YeEi^>DIg91`;Q@AxG!YZ;u3htHm30XPTi0fc1>ewSKp7^Ef z4k>d^|2NMG;1L9fcBU`(05yLEc%qPDv@Fj0VLhzdTgn(OZ7tMjc>88ADcO1HAWLm> z%E0#)Vw%k<6T!wX4gD~^+Nv0sMcS-!7=FcWm2$MifGLwr3ijXwU9c?Qt`2{SJm)6N69>Yc&_{5w-rHB^Y)S2s$ z8ZU;vy28s_L~p{F{PyuqIqY8Iud13yx)4TJ^*UNpT+B$ z<%;n{8`Ky0lt>8@myyMcE>p*qbq?YJKq-lboFTwI=AYZQWzS9cd1N0*z+yqnEWkSE zw#54APl-WY=isgLNq|!qf+g^^mMr+T6N{NCe7k4FpdK2_QNXIhZ9Q~9Tq0$De27r? z+&mLX%9~LRt3t;cP|Sj-*4lZ@}66=IhKyD-o(Q zsT_06ROmMd9TDZ}WdbGag2L~aC@fBQ=jb_0(8=M=@3o?umR#dg*p=mzpJsf79!I?* zP{3It$a(_I__HWH_K7m@zdKPw&b6+&LisUY&%n7~<^SXDKbP_IV%)%82U$pfEB(V)`eg|5`={t{?iG0Q8=L=eK7wL`e6J<^ zzg7^Nclvw0EyV@>9JdVH6~`6FMbHH0^w0F5=$~bk!#@=dV~8#&7gfM6JM+;C5ziLa zSI!y|6~ZnHfrBkqRCX~|)1m)-cgNE{mFnuWoBE!|82q?OTRV7DcQ(4f<<#GM)_=kO z?{NL>CO5;{FD!4l-GXQ5})1@?09>E!xWgW8D5)LMqsu?Ux{x{qTd7Yt6#7JIq?Xa;L!2FZt>q~g7FyqaT^=q_J3Wf zBE2BKI5cc;)tGw!GLxdhzyKct3s}?)J4v?d;^E|9KbbPn2iB+)Xw1-?#Yy*Ope&*Qp%9 z*x|YlPWr$7<5{G2x7)IctgW2dQljt(*b2c6N2Oeg#KRJcOOqyxTibHw{@0JjzDegg z>gNu*#Ef?+j+UfipY1(iaN2uR0)G-y9k@p$qyEr1)5+r35+pMLLwk)m?wl=`*}9-n z#`f=e08i>ms#pISIx^ZDZ3ZGzB!l3V%U8{@RRbPRwzMuOvT=A)8WLht%9|?%JkCPD ze!}?qUO`T$>MHq(|Iu)zCJN|GR15RFpnSlGxM2Hkr{u$SGiZy|I z&<)be84sy{K>FQzLva#w31;Le^)4-6=l!FdRm9!I_;7cbaXHX}2@vrE z!}jab)gXsgZFNtP{rBU&AS)lzSR6doM^<9Lc+8f=-7~lrg*klT<69-$S0u3zm(Fx8 zk(X=SM-e);7*BTe3wNCabJepb*%pj@{Z-H9 z-vJ-I&XOZ5fGiHEQZ(=brr-ADf`Y9jb!g)AT%;f_Mf<6>#`et1=#kjW9nx@;1xbrZ z)6*00nw?P&54m4YR|ed47MJz*|Ck7QL5zFEMMva#{NZl|0yM@GnS^0bZwTj8lD#f* z_q6dRr23?l-V5ErTg+fk^z~*Z3|`Vw_?XTu`yC1MXGRSSQIJ1o>CsJqH#| z-on1=C+!tUh%3H>WstRI^92j(i%(F`BHJU!r-ap4U31 zEH-e6z^YH~zhx<88{UPr=l4`q8*)%=p%0`cfQC=`v3Vq9a&9z`Y;aU8c49D-UYmdH zdeQbI=2>#G=P+f3$M@dL>estNui<-%Qe&FR6n=(A?@`FAdrka*1ddv)LCA6@5BcCP zEP|tJoLN|lg0`i7qqv&BFAv@GLZ7nXcv#wYIgEqAA&i7iU6$(y_5iB^E`8PlJ+9Q% zveTIcF3PV#fCV$$SD^a;_@e(`g!)d!hJ8Xx(HB8Pc`l$hB@!rk(qI}ENu%#}k@H58 z)icSGq?D*VT3}bW-A9Qe&Vk8YA>#A0nyRj z4xD7PL>LP^GEciKXtD^5Ig4&$(u!2jeDaG1hk*)qw%gjxhM|cYjPKS4PyT0yFD7{H zy1JzfkdBx8&pSjf1a~`J)FPrW1cb-oh;&gc`bEm~n_9FPTOIvy(PFU_=oc2*$$S2O ziu>tgMZLqo#~y$)nRZVZ3pvjh%v`Pj8BVN!;I+PKzvFr4%9P2Nbi?XUTi1eX0i zg7O;JCIc}%DfLbNXBYcV+Q1hZQ4eY{6idb=GakJfVP86ngaw$d@&;j_1|zqh6<&B* zRUAz$YuGifL`xe0PIUDJ^@~I@Tuu9^t@>!z{yEc7Ww%caxBB&RU-2HHKpc7mwH~ZD zcj@TQ9vR7?|2X%pA4313Ge!G9S0M*xj^D9R|Hu=wZlaf&Fq?w-M|Z*0 z@^P5b%6pM%I3g z!|2zMoZZ%7Egrhwa{cX93F<9KhKWrOdO|3c2}O;kOa#9bA>W}dzrclr)~(Iz=|Y(x z{oE!fYZAjab15*p>stWF+PK_><3Kw7qvolu6Nk4zPhDX#RdIQZKx88bIqZwA_+~A? z!sdMWU)R*%c@;ey(Sc6+igT=g4@lu)gnl zmP7Aeiy?9d!$6B?&$oH_T6TmK)G59DG`K%@IwAF=A?^fsDb+}uiNSH_{ef5=aBuLb zMU(XK4>;tKUfG(nD%g{LbH`Zm4V}YimILRXVPJv`gLxB|`hQ0rtXUu1If6@_L0xpl z^-7a$n=JCwJ`qZsx{}Fsd}cfSx&T>2IpUE zX@J!IYSsM~2HV=rhZ0gDTh1=KQaH+0M;K%tkwA7 z=|ks>2hOcFB4ou^g#PfzXjbE;`f2w0co=d*aBi|MqZl)V#?qhfx18znE`hn@{V|5f zlfU;@4jSnLvQJNGk+m?uET`*&_yEDkA06MGaiSs#(fF9Dn=XsGbS`yF0mkVI236tdVk z>VC#W@T!JDEeW)<3E#b5IlTefwcegav}={?|JL4EbSO{`XFD}3*`>&q!A;B-Pu0k zlsD-<-PCoZicIs`y^%TNYwBN%kVHaL(5|fmo|&n7UamP{p%Bec{SY=0OxAVG$2QK? z?HR)|yx57^%y0bG5%_%XO77b^b%BzJs(lYih3z%ZiTj4*nEZzGOfddg*gy00_-7iL z|0@l}Q_Bm$t5LpvE6RiKEc*KW)8=93Nm$dIO!Cg1VrGy(2YOkFyl`~sQ~563vUO|p z5btqARVF6o;m~L=qZ^>+=i0Yq7|Vm&quZLJ7$^8c1kGbILw2v$SKq z>G4tW-<>v>pRg5so=Cs zlrkd$GKqK{=GV785Rsmnc-4BrdPBAOxKLtS2erw=z{mpAVYH{W<8;z7URKccXiw{} zx-P%Vw3G}kQZZ90ef3{#xnY<$2l7A?sJW};U;7X?K}9Y9CvfhneM~ISYKJXC_8%N$ zC8|F=&k*qt(|og{I_aPQWv5E!5@5l^qcAlvXS+P}V3up*+3)wOaJ3?0f>bBUq$t1A zmK9R(TUXR)@O;+e$MX023kcmceI3k$-i&Bfv_$TP$>W*XeAR7>Rb0N~et`Cro2KIa zgFy+w8gg;%0aYb_44dhNGUG9+RPQ#cW?Q{jnO5(sp7S%bP#jci4UE zy+`ia4P=AQ)PDKf3O4*Kfzo9I@bafiT3N=B;5pz44Koyc+Gn&AzK!g~aj_?yx)SKQ zE$Qn%7?g!vu`7a_ZZT5M%tCB;q*b#bxKJeCZFe|Dos>}#e5wy#A5Xai%IcagGP^3M zGSb1U{u!C{h}@ zRr!sB-5O`mkhnIU^}ul&{X$wKK_{zq!DpY6t>7GG9SZe{6>PxDygFRqqb;+QB+rt* zbHAVS0s6o5fo$&f^bDoGdyhoZ6opI;@fG9UsFv|7$uWc>DA(*N%WawWyHQ09yVeI< zABZ%MA(I-C-!pr_2_d7YWH+Bs2P&Z&q7y&pE@hq&_9al}ZY7s2C*Ku@IrsRqCIf1} ztjm*;+b?{%3*X+?@g06fTuVO=Do*G8)RYwOdK?eMDsfd3|Kry-aTp4j)L3c3gBc<^ zlGL0An~K2!c%J6oxl)20P;&uzb2s|#2agwDnv@}jlmlqR;bbIa5W}xUhvU9s!2um7ClZ>q`%A`=CdLH58ix3oGfTq|8xiM{+1qKC z<gxkSyrBi_r%qC+hUCn><34l_z?tQ&C2$y`8l_m8(?mDAU00=GQj$_q}we z&@rq!*lW^!mt*+pIPTmMeWzDjfkAVIJ#M@&+2D({l3}Xb=gQ~PHD(kuj&#v^?_Vw# z?vxSg@uCI1r<5QYyA5cx==6E#H)1z_BZD?7Ya+iOZg4hU4l8q4nI^@Vzl1!>Gyxj0@io{ZqfI%+7z93kA?&-U z&ApUsbZcMYBf^h}ws_e-v1m6?^Eun7D@1Uw*t z-gH|55z@ zXNUI(bAkFU&jVFTJnNWX!KK1zGXlQ5UT4Xw} zL;}B!Op@2xV=dPC?x@44ZZq9HbdRUTl5Q__lhI#>kgzMF*7E%mt=E(hX(MX)=btuq zFFAOrnloE@I=r?n71R7tT7osTR^Oqhrj$?-#$jw7-<2QNGu!b}Jhj6g4qTyKo!wgr zQ3<9ie2jWYSWR_&vF$t4Z75OmNfY6t*XM3*N0HDFa%O2iq;pIH8_Sn% zP#BBW+fsCDVu)@5BN*r@Q<u>Xz53MA=Zz#py!p`xObc;6ZlYlpJ)d7dm|ly<)5q zppdwVmoYd-B3_x~Q-^msLB6^b2gj@I3*rjO$8BK{w2?7;$yEp~?2dXR^9q&s2k_*& zVG?ZXQDUE1SmRy#hEI4^liMpZJzc<7rcEfP@KOI%oB+xFz6+CWQ_CMonGEhUKQtc= z8(f@duAH06*76|TcSoa)P!jB~#naPDE0@aaWk^`qUigY3Hk|vy4}R2XN!Rkn1Hz|N zUxi_0^+VH@lN5UsYqHb><{D>Pkjisiukr#G%W_phYa-Kmo292~uA}x|ojsA`?2)g> zr>1-Xb9;a8ox%6qxy`Np8IsNGk&zFEUtj$YzxjM(YSd6(2n&NKElaJ%uWeHAA+#{V zW=+9!@+4YK;3d8u>hJ-~>mJK|IHxwM?EpNc3G&r25^v?JnF8INALAv|6Qc!X1FA4w za*2v&h%l4Qkz}YKMRRVPjC{gIHbA}XLLls`q$uo12&FmJanqMN2sUuf)0+GR`VV)+ zB3^sL)rD>c`i3_Hdk1zr-=KKb-F4e8XYNDBoIJuGo@e>lcV^`mB-H1ggS2sj-kcac zJCsbad{p@v8u*WDd{0rX(4rt^r&}()l~@xZnpe$b`PoW7N}9|fVtM8s%9_*`%q2p_ zwoSBdtEs0Y6^q5uI{xs+wJ)@3OdO=hyN3jE1#Tr30k~%!20`qA852CFSa1JBxcNo< z2dL4(GZzij$#LMxG!)mq0FBb88%4Xr`TAKQnFUB_=?n$2&CS}6&+jh#s^GalD`7EL zlG?4YTsX_f_`D&eRt;}(f3F+Vys`3ti`HM7VKhVu75CaQZm4rB!70W=Q)WWZdVnE8 z;MTqB;OrBw!_!&S4HN6(ls?-HR`bw<1{bv&mscvwk3YtEdNd5ZH9yKO=Nn;65a6v- zUmP}X_UJhL;+z-h(=>O~>2fi1%#ytwt1y>q9C-XOuc27Vd>+I#7Gm6QV!ncOnXQZ% zl@53ER#(hlqXKJKztpdsqn$I>c|6Q-4Zc4uaad7m>uJXXLK|zxa_ycq!hG2%#$_qV zxR!@gHOV2M=q{)4J9X}gh~oZPA>U|bk5?NQoRKVbaRk7 zQ)M|N9V+g*_r@<`VAr?-k85q|k7+dDtkXwLoZ&D(wK6`2A=v#VqZML!GyV%&&+vw9 zr5GSTToVRnYhE>ta|EKJGwD5ykFmv0ItyO4LW##4q)+y+V)>E7dmMDhF|yCYr`xFL zJ4wG?CbF*5cC>fB*bjW?G9hKD&K4D%ZWZnSp$Ls~H|leBtaLziiIdV%Uo_paOoND{ z8Tr*2eZ0g1Eh}mpX~Y)oU25IbsVGe7#(+nef)P^@n;Qn{dB|#od8v`@kkW@Rj+wby z+39lEC}m5`<&tYnSB@CZn?iHwPG#Ztnr}rv!Y3xay$UHZuzOkZG*AD`f)y+MP90R+blJFA^k409w#mL)o@e4_dKdRLuSU z?sS1-3|cnW>YUzp4&X4K`L9l_E6UVZ4aek!A45|*zhf)46}las0q9ldTHx-$S&cpO zpy&M`VD~xF$LQa{t_e4H1QCThNod{-Td8@-1tbY0`}(t}=KHmTZ{1B_wUg}{aF%1? z3CbcNe|_mU#^=wnNQ3)uLo$1I_=KHh)4z)L6C63)==c~u`X@=I>%tG) z(15%C=_jvvjXPD#9=~jUovAB0U}U>h_{g@cF%Kp4wH*CZpI09YsM#70ei#Xn8MCLw z_a)(pJ5U|pRek$BM!37ghzRfgq1j+X2P@lMDpP4Dg1snTnp%=?6Z~uljHu2u-C+i){ zVjgoviZ46O8#K++^my9ix*T7qN~v#ov>=m$!#jhVY>^5^haZVM3 z^A!)scCt3*UCd%gQT9S1%y~oY5UF%#uF1r<$huOudVc>fWLK=hZor7;vg3=+AanN~ zhf(>`A-wgs2>zxSM%;HB49iPA{=pEOPaHkNc^sb`APt{lBlQ0<_LfmqcHbAMz!B+IQaS{b z?rzBgNJ}@0aA*Xiy95LTq(cxX=`LxJknV1f?!5b`@9+M{{dE1HV>lc~&hzZO_FQw$ zHFri&WPBwe6|yO5jee=n)q`QWu=&&1RUDT2ZMQf@P#!*M)Hn7{jQ5pCJ9Ox^is7qLN9dV6xD96IGDD{)w-FXd8$eF|b?l7|OoDWvnfg{vSRJoB25!rg-t!kQyl35`iRB zVLs$RO5&F!QT-nbk)r}M1SAzp1U39G|7oQsnhljz|J2f+YQbDFfiC&K%{R3|#vQqT zWYa)0w{V;(%9f1bxKU~V@ML~F|`v^L_hhlYVp`3!PM72nH^CZnE}W(Y;|v~ z1gCe4nWm{xs={*uf)2k5Os=~hNwtO(y2k6fbH~CGGchT(=~3h9N42|&-p6~TQC4?wu~jwKnIFSR zZt&_I80Wbz+&uIyWRH->z6DHdRr!TOxSBizSIX%ETGEYU{Pk+hsl#cj#h`5bg4e47 z>%L*6;pb=3EH=Lbk=yn8Jimus#u7`qS~EV>aOSv~KD-<-sBfr$GhVB5UB!EpC(rLG z@fzHhcO8Yz`@52+k>_GoJj`EFj|tv$1|2e2Um>kg zy`dP&mso+eqIB-hQv)NL$njdgja@u&o0y~hfL9a10yR7E+rwnmD^loFYUm?9s--!E zo=ZGwoCL}Ln6LY#Z-+*SPw_Fu(@bQ$=yZRBNqmcr5>MNp!Wzf2H))l!3P{h+HlFF1 z2)&Sp&TA=n76$xtDir=v>aaI4&fc~;f<|2inRwKMsV%~R-M0*fsSxI$^%UcmtV=6* zYCwQf9{Ehu0sr5=xYIZFSKen(Y`*Cx5Z|atAl=Fgt}`0O_a;54j8Scy>iu0(!ux(* z7qjt)^U%YtiiCM=IW7xUJq?Rg7(A9zMy)b!&oSS$Dv~Xz+{)8a;qk8Wi6I zYoDzae{r17J?#Iodvbx3axs2Z#AYHzR;PweV^uSMic^i$T0ZJ7w;TS67c$x8p14`X zq~WK6JXSI=^Ttg4O{gyP8T%UVM$R-2zLU3(cLPe!lrje{X~d14waUf{<=|^kNBndI zxABg@?2%=0$|QNKPTs;-0mF<3J<#_$2t;a*IhxkeX zNTUN^g#IzE(LSU=>6uZHPwndY2D4OAt)#2}q>|2XRjrxcmKuQ8j_MyVyBXy4o4@fH zNe&gVt?L5T1DTf)L`~b+LX5aUws$JlwYTG#rDSZk)lEzZ;pqmm8&dwHnc^M7HT&PH z9OQ=NFzB?+n79^l5cHlbVv7C5gc@iEBA-}@Oi5pjnQ;d#8{d}Zn6 zRJpBoGze*p$KiC^$+MCC@nfrYu?|e%?t7(F8WKNa3}?${LYNW85+2*EbIbod9XlYRRlR zBWdnC=46pitjW!KPveg?9Bt?KP?U|Tp`}bh7QkX;=Ykd=(U-EloO zX`}Q$%BS;Fd(dMW6*p+aKt6N+L%?mfE%F56ePfE1k2radn;_DyC+y>o?7cVL=TbOH6s;w{XINWp2%tj8 zzhBVaHD)DmSSeqmXd<+0G!H&FzTZPa_`P_ZCjI5Jy?6SyD0+5Rfj(Q4ityL8BRCx< z;_D=VB$L2o$9c+FAE4&$!hk&k@u?aktilJ??^DkajZ%UFlfAdK5pL&=QYuqm@ADcj zMX0>hIlz?WgQu-2bLdyMkAO{Vu*(Vs_(SrFxD^4h!``x=mV!f(xsxfG5`=etCSIeK zHHdRwQTm_oh$0Ms?zvA=2cuuT1B*5n@1c>pZ>CPFmC9YU;IC*FsDJD^ZqDGnAEpe& zv4kSFDD;?ycWeR$IRVJmq{T@KS*WPKQH#hAU|JG6eD-^qX?hI#d>CK0Bbn=at5TIr z*-dCEa}nF46qUKYG!?|6Z_R_3%fP;0tAXQV{Q5lLA%~@Ed`bn3xfbvlG&nR7%d(mY z&$)HCR*r);N!;R}Ah=5MJ%l%*Am*HIll|`QQz~Fv6fFZ(^;WprQ!ThA&kBgczl)nQ>(K%&W=ag_qHI- zwc!OTIi4?jl=9+2#!nZtF7vp#hpH7acWNUq%HHG6zT{zMGkN~yboZ@iqtJzIQcK`) zeYVGlX^TKB-|4p28x*ukXX^UMmuAPTvZe}k%qkN=YAQ~9`q%{#DuHxLP;;p8etf}P zZ(@E2Dw9(niHa!>@$YZvro8-dQzX8>cKhh|#^x_Ivz9OWkQ8;hrWm@Cg#BY>?5>d4 z%a0=JH{9;jdulaTs5m;N;j`ioYMse2kW^gv zwf=Z>Vn3)x!>Z+s?e=VEP<<{<*ER%$2@8=t0_-U<{jT|Py(U8go0>Cz<2_B8d-GZ% z(`H0l8oJ79d$W}RB$S0k4Ahs z{FY%gj9aD7*CFh_@MUE4Pz7h7n1QEB_vJG-O3Fx)O#g^;bL(+*q0~Vi`P*BAq?yxC zuimwwM$XX%a=1ZjsYY6EzPEj>d92(FBVkhCw~bR}d7>V?P@L(e>Z^E_OGR`nIL-x$ zJsl#SacC7z7_Gz~`)Tj`EP5c*Fi`J0CaXVgAtLHo-cqn&0jmRTdcaRGr&z6GdM_Qoytey+#8vFO9Rqdcs$% zyqnQtvNPUYSlg~a+PC1BNn!E4{?E^PjgNALIs(Wrrz=>;mMjBTj)wwgDuuN(lQ^;3hYn3U4f!rvkrxGl>Mf|}(8U06Rf zr_M_YRB+4}sv2HtJP$A=b+ITL!92a z?>!BZUjb}7yB^X)(TTcTtq9Rzd6HrS?Jwy7CL~wsGi46{*q4FGDcxc!eb`MUvR}wy zBcje;mTmgc@^8b*JFhM0SQWa_mwELbzbXD2Ut+the>dyhH1Tx&+B))JtWlngWPuAa z0%9<99X}dmJjY}~n^5i87s&s1si8l}Dg)2&<^1(l9V8QBUYxS-w8J^*VEz*&HL%q) zOcuHNFH+3c+w6U3&?0qa=!$M35jgRE*!f8fHLDeqAz>uFNhN(89WyVEh=Dndy(e@r zwM~#jyw6`2FcuJYi!owyu&@2YiU!MbRBmr3Wt166IUW*=J+FOSQD^KR@UZnJ@{07V zT41@I@{~8{;b+|yW#tkcsKQJ9U4&bw9Jf0HGodWNUct?QR`?_wxKBUKvefeD$B?0a zFR1ZF7w-|y9SV`kq!Qva+d=*3DTIe*?N^gK&23n!S^22a#EK2R-G9+ZN(7BI;_9?y zlI6nSV*8eZM+Qzw0$Jb1AVz+EVw3B>9G%ORgWPa3-cFr{SG?ZRl{*vJIya6&fybo*{5z>&oH`K z(i4<-5!HK(04*lxBBu8O)zi?TXLWH5MVz*mY0FIIZpl4C%68iK$zk6RlTOW7nNI{E z$J;Mx0b3)_Pv|u*+5EAvAcobekYmc%>R~+4Rut9w%F>f??U=bTTtYAv#>R+jqf_vp z+n=X`Q+_O6Q37`8x4`NmkW-$$2GE~pA%|kO((Xg1YnR04eC3nh!okCPEx*r<=jVZE zk5-6qY!sosDd#G(^qXjnK#Zelw6a$4N#Cs^1W}`U-n{`0Q$Py&I90-b7;X9NuMdef z+5^$J*>D(cj0BFrn>VPK@=s*fMFrwj4KM0~5;Jatp7;phb`!U9#ZYqPpwXv7tz-%F zsH{MTzG}LwXOTjCzSEiZ!V1-;&|~(S2)NfoBKu>#{k#q?#vNCRb(V)KePTNQU5{u5 zSG6gm02?`pN3!q;752u0n(GUPyt)blVVtq_FR7-Lfe}{#9#`a?r>LJ~B8YhBdFuk5 zHJ?pyLeE`Yuy#QOX6t!fME#N8*9s4%o{IjH`lNL=1U!=@lzX;UCVdHVf;00RRDB$@ zIAs5?6CwtW#4q`9XCwtCAz9YFuugz%5h5Y!GRCO;-(Z6%ym`uG$ok_hMv<|w4DrQ< zz}|etM|FX`=&(`|$)lpB#NP7V@WIC#3#dELFPq3%63od?0|RIzE5y$a4eN3W?7#Yk z0@76&E^Z&vBd|hdK#&ljm)%it9MtS=$m?sv>-qA!S7n{n-X?Kx;DVExJaD=I-KHP zrM$)r3$$EMwBC)`*WlLQyr1s3F{(?HwTik*Hr#rujOdQ~e;h9vuD^4N`bsiqVQ=n_ z@;9IGby$7FC+0w%OTplLBhmKVV_;xu%UJC~F{5k3c*ygo{Y8Y2>7RRaZ6Jq?GX6YP zAH#Mq*yY9SINoJ^ax(FMjePROXYl-K>iGgK$ATFIDm&3=PZCE(kFr}B3pw7F}>rO`?DupC^F zjfMoZCsrW@+lx8=o&<1Uyfk`+H>d=+g1Fvk8#bWUOg0xnI6_mSQCk(K7H>bIzWPYz zyYN3Bg{C#Icu-0s?`IF<%t%LZ2d4uU`2GN{2eA3zV1gd*x=&3&GD4S7e#4iPM)t4= zdDM}Y+TX!GhNUD~1yFHpyX0x&;W;3j7OW*rBP_Uo&mVh(d#x2cvv@P84?y9hgPW0O*U zXHJKGP-QJt;x_`2dF=n=A8C2z?e9~BDCQ5j{q3TBC<#qPtf)hiGTLw|Mgle$s(!f5 z1@6aai2Q|fy5I*@U@vAM!ST-QlUBnID$z9)TLnkECQ)+~CqU%(Y5MQs!=B0TRh#|W zEQJ3kgNNg_wujq((U4d>GOs*;-UQhgseuhjx}{5hY%Lv+z!>%T)Eae;=3}SmI`{2zpr>KXHFW zzrX95t&W2-&GHa%)BTN~dPF?KKPz`hXf4b2SAdhIg2~ndG6_xKi5vg%DYCN6CQm}V zxiJ^`D*URVFI^Zve3YAM7+a_JHdji0YM@4wI?V%At4}qIAELW@6AjPbX8*jcm6y5s z+E`(0Tcx4JP-dr5Sval7>?uen2aE`p`$wNhbjqqawef8@He3(I+H6A(gxH_rFd{;) zbOBfc+@V73m9CxW@TX_aejfNaUix8g_8zCaT)$nDk{vh$?sSZCNsivib`2}pPHkb> zC$V>fsX#HH|8e=}(%m?Va8F=!M1jAWTZ^t99RI0CA_F4AL1oJJ|lQfiS68+eK4M4I9fMRh^-5;y=VRyG)v zcG;dS6dAbhtxLD(rAw7}S5~R#D)C_XD9Y9%U_z;cc3Eb6xb}>{QA8Iw=(c zflA|LxqUd9OD~77?BRKBsy@2OCi3&l){_xV(|eGa9oU!!CnyDS)ts+_0bt_Ye%X6^ z8+6)#H~sp;BD9vGpu+oZ&0&0#uGj#~-hJ#Dr9R?-W2O)a(AMn%_uSkQo`k12@h#Qn;y6F}{e7?g-m6gti zJ=gNYXM4_NuiGBI8g2+xY^tlTfW2xe+NI^1;mk6Nm@F80BZ4*|wqrGp)Vj zU&4CCFI31K{i|9h!Uv;!5=8;++7A@l|C(z_b-$W`3ez*{<-4ulYS+T%>aLrUnFpu@ zKQ}kAi=uTzlVoUtkm_|&$dCY;*@bB_Cf;HBqruj1=Nlo+p>Sp74q1&{FowuPk zxC~VG*glO|`MUMF9Omj#6&@UC)r!Rgw?E+Xk~l9jsZbK+w$|Y%L7@NVYq58XQdX1n3nz~{kxXa;_gSJ@VqKZ4jhBdzI1Kk7;<-W5w9f+n5B85jGPKkVge zqH^PkzynP!2WGC8&n>K7&)6^Rmgb69a@FKXYSAx^-71Z{WiH!*pJgfYcSQ3rDkdA& zJ7?WJnKqs3e9eBhH=m6of{YG;aJe0MA2>u2);DH#d6>dQ$X(Ak+Jy1-BqI5L2}#E= z-E7B3!u!j2RT)EXt;u_!R$`4^Gqs8fo$KemMJrXq@(~RR#{)%9 z_0zM{c*tS0*u>tr(|r0?nhjhBe?-!P43oOMDpz`cKyvL6plaUfCx0q5hI*#KX z^uF1$_FZ$s%YKoX$m>NIh~^V&vu<&~-$)lbeWOEwt+p-B^8oqHSdlqrldM@ML$o z8o9c?z87xCshFtCRl1bj{tXLvTjrrzLrvqXF=b&dC0l%=eYxz8O-$1)XNP)E+!gw3 zdPl?YW*#njR7*(ans$=KYmN4-^PX^cC5$&#jM=$CGFv|VXOj!^-I)C)jMsGKE*GET zbcfa!5>P|YI|f?}4T{i0Ko1J_(aIFB-BL4^ee`%AMr%E|rg%u?{PfFyMU;d05eqQL z43{_SU;ZRX;<7B)bJp_!c19`Q&>Ghk;dWGDmMYRUM3Zeow)5`o(@1b=CeQ78f*JPL4kpWp|>4e0PA>!UyDY}imRw{m=w7Y36) z^tKm4riP3|_|J1c2MPKV1Xm`^-*{8LX}IsT1+@EfABbrox2^A}cI00Cy=Wm9qCVqp zm#|-KOPTS99Z~TPQ@2Itg>9(5D?A(zNmK^*QFEus3QAid2k#NeQoJ*yTE}|DoIqik zRwx_)+l^on9I9Xy?D&#C~a*do4bpD%$858&WZa~m$ zQq$JN=(*;m*55Hf0HJq zVs_+&S(VPdNsAAH*z2~AP5Pj{hG-0Ii@wMCHcy; zmNJS=@l?fcY0*G-dH#EBK_K5n<6JA1H|#x3uN)bEElEE$|B%1bW|a!n9G%%9?e$@E&CPUg@^=2=2l{ zn@1GScs023GS#g6o~v($hCb-!xv}bbk6In7Rl_4+4-PmX-kbXwyg0+s z=q1g&Io{#qak944cerjjPUKzvMw9aD*qVi{zaZlW4$~a@sQy%iEWW2eK5ogMopGsq zap#*CJFB2m@AsDc3#lLa*!5lUj%|p!EQ(iTEFm1xkF)OCz5|oRuPTqOp5S&nd8?U5 zWPw(@=m2f?HrLe~X%XH@FsJL9rd+m*2wi;LeKAqda(W2HfMzw+{)+J1C?JG5c_6~E zL*MFNqFJf9rJWTTCNZn9N814u)tI~B>}v*mBeYeAu@@Z$e3F?8y0QQ3BGKA zctdSj)iM!I2nZi_yXc3lta$2sx7>ci|dC9P*2|7_=E-|0^DD z`s?dnZE66e%;KTea)u#SLYG%MQ53?Bj{9dn4W$yzjJL)3mfn|c=ygY1NqeRid1U56n`8IQJm%k=uOHg)3v{DVw^o4 zy&cc2^9I?h>jYo055!{wDkQ^7-^5?Tip@5JAu{$*&Q!mIqyS~9vQVD}eNTAadHSa; zq8FTCREYjFe9!_S-&^P9_pL)zP5he;5?i_LN$z$2QjGl{FbhTS`#p92)*vwDW`e2h zq(6exo##hZ1R+Y3;9?=Ptc!as`E)Gt-d7wTh+)PKhax}BUi^^xd*yo@-p!7#;5|uB zKXDp1Zm1vS1un_${>tm5Q>9va4g>~*=%G+@wx)uGw(hH$ZkDojo?P5%C16i@l0M+g zS6HMc#KperuW_B^Xk8KqQ(?kIX^omE9^KESgEC!THa!dqvD<(?i*Qp&Ab0cdpApR; zVavTfLtE$0-a2IBdi(h3pI?R^QlV+HOxsB}P{+#*|=gScP zS-Zh_bd02@`MXiS^mteMNm1DE`4`Td16!9%$J0(~gh$anT8Lg}yd}TyC(Up29v@$s zJ8XN8p`TTEmV@2kW$r#ZpZ2a=5iT345<}k2477BZ;s-zT17`#?7_>vf?3C|$0NhIz z_@qC`1=>TV7Z~W$KZ@ypDF;@5EkE#2M2~fN#=()W;*LBa0*DN~KO;D?TDvsGv^8MrRj7s=;A4-l z+6^;ruTW6f7GgWRc@`dvmM8q}JD)S#_D2Io2H5;|LXMNh$&dBqh#KPADen0EaUO_F zRRIQrCgn>?l=J7Nq~S{W0$^5UUtrDHl{LYQ`RnR1sXKiNkMDT^cR&EQ)B64gcS6;% zraI?v=d;bntBJxSOO9_F!9{2L@(~x#cng64jl9y`;$ATKu0KxV=6Lm@LVx?!bppC%f(RwjEL8xKXMEN0na!TDhm$|)(=8;L21y2;^2S%GHUc@HbSDIQ}lKzWrCYq0}wUSdm zR=a55^UwZJWZ=36y>IO`|8UJ6Xh`rO}aS%wewa`io2S| zYrDT7Od~*&RRzvSix=?04~Mp9C4?(rpht(=yUWeYHw+FX@WM>F0zml4Faby%xcA5< z%f}G;3n2qN+F!#wmqZ%WZtxiwZM}oTCvUIxd58#WO$*^YG|Z;`QZ~4lF#;dFhp`Xh z#HP*TRzHjFu(n=lZ`375$kezr^ZJ}}vLU~m&ZOxR*5=a^QeyaPc0W8SM~`h0#xO3| zojoJ8K-&RY=SM`N8h*x*-S`ENCw7u;bE2841=#r90z+-JJ?lxPml?vm68;?RcNTYJ z9BWc%>=;9+n0By=@r@3dH;@{rA37av%`yLOv3U^Hb@8y^k5b+Fin}-BpRX%&WdI*l z=sNGz*~Ywj6d2!`f4`>Z1v|Y8L%{tI5j#?+VMe;F!|(A!NX^^od&r0k+*r-d`M;u6 zn_mMIWmQL1X3gsM5ZD9;y&)zt--*C56H#m4?0e!o;r*ZuX9lO}VeeOIBH}M>*(g6M zHdN@!$573Ni2@A@$lw|>owW7tAY`Ooq`X2D5$3 z+lAd0>j)^QfshtGhJnJ-)$wjy?wK}o94Ly}2Y@tpNEl~pfchtT10}cqI*ghB$KhyJ z`7MG4z#69*Ghw*)u@D7!#$Q{7$PHk_wwH@!Xd#7jC5DbVRZTJrUJU%QY#3(`W^3Bd z$&hzxfafcj>2)OKAQM>ED%g5>i|vRny2g~ugMnAocKOi-U=$CMQc+?+&rD4BZUHtD z>Gd^$mjE|8^UJF?=6%}$WV&M7X8pYiCeWWhxjH-hu~IdzXgK(V6gIwWhHz;UN#naW zT63VuGzXP_!SbVBr8vJ&f*i(*O(J$IKLaBhuw| znX=@^bX+rM)9*Q)v^>V~m?(L+svKG4x4!1DAuja|6S|c4@hlc$M*8{hRoava*&A3c z6Zpv6aoJt?@xF~Z4f*$NlX z@EGHXBQhqeN6b@w-`MM9&vo*Ne8{F?(8pUalKA@rzxR8CMY0BsPucmnMYNXGnRZd$ z-|TLT*fZKqnVt@St}DIX^IE3wrVo^}W_xdi>Smolf2V@Y|7e!sk2CWr-ma6~;vn5a z5^fTB0@gDx`@@Fo#2L7UWg+m%(H6Z}rZ}(a7|6WG(F6 z6G0akeNmVi-`qe&3{HZ-LMG5F9N2d?87#uD(1mxJ|T&e>GX2US$rPz8S zl*0MJNbE@Vhv}+e?oJ|1D0A98Gotx$Q^Fp0t)MBTP0$XdpkkxY^5Nh4=t)|f(<^Rx zHq<0Y-@pcz$RXL1WX5fH#vU?UsLT?NY5W;?Z`?3;$#U?BK1{pd$%2=E$O&%u@!D9`(m}(#;GQRYhPomMZ_zY;{`2eaKA`ii z&<6JeQ9>baJwu1z$iSZJdH+i0JWYgTNr;`DNdIkC&@grM;*9}XSaE_~3li`9OMHYH ziQU^=iN&<-z^yOcBBBWl%FvX!-ugU<)6Bmb0w(TW{5is$H~vJKz}d~2GLWVu<_@1M zUr_=Il--RRI9mUTQB6(%OKs}?v7f{X<~2#=i69U1@G&%1DK)%jQ67wyd95Q}1C{4m zd_~nB4bzQll8gy_;0Ef7T0{^fz2uqy3mi|gRPcenXj`@wxYnPsG_GBS_bNJ&(c*|8 z)|Idlkbo?a`KRj{&%Gk2H6{7y_FYLyTl-WT>G;fsZ0XHs*!DjKOZaPC;jza&?x?+C7HApqT*#k3RtsVes?G zTKvraL-QOw$V)5*W&aW{Z!%&|yXH2F*K&s)RVom^T-`{ssdifLr#^a10OhLTUZP1) zu0gR4K(F!rnkWR_zf)AhK@3te1PdB>=?wm<#rNT{A1K)HWwS=TgDrn6(*@TLYvE6r zWwYF-ShN^E2aJ+|M}S$;r6R}y?`6>p81VGOECc~#U47(s=kvh_&>oR@cm{8ek3qLK6g7# zj4{<0g_aW?(@8 ze1&cXL}O9kPeAgvy(`l0GWJ&akvC7$C68!N1HQ?O1=q{v#mn%qccs;|ICQ}0&;%#v zRqi~{mXtj6D41sms3uXdHk6H45NSJ>V^ydc`-_l zwgnhdNwdD8Vrf2_n&RDo)_j|3nCe!~rJ(-4_L`d%;cz zc>7}_FD__@J5;OiBChR{1Jv2wQmV93Y%kN%4+16plaq|efvVi%4Bl}xJjdre8P1&p z(*YaDELdn(rA{m;KNAfZIUlKaH+d%aHr<3d{<>d9tcKXo)b3mOa^F0m)T=x5EC*((r;tWm1g5b)_@xa{@*z$uw|uhNIv8t`R3s zr%UqF>H@x0x-7|nd^YC}Xr=(!hoaASsKENU#p%u?!W94cb@#z%%FAwn6FgZuwuwrP z!;mThvg4(J0&tOEPr)YEtWoW)1TWnV4r+T4I1SJPgLH;X%lWP`Xk|003?ad6C>UYf zpf_#~x@JLlR!@pB(n3?&{>%mWkkPMF#^gaJ;u5cE8a>?l6{xDeRt;Z;pv$_5r}<~J;$w-cL@K9(MQF*A&4*Xq z{G^}cN)Z%w@ZW(Kf!mf{`r(6nl0v4qGaZ_rWa1KAj;t-e<}pzwFoL^-A%QLaPW;dBZar4 zK_|$n^!4*knEcV)(9pCppA!74UC-P26Xt0kWJ#KG=kMFDxL%^(VI@~2@1W`iNIFp5Be0wE37-b+ICr#{P!O>Q-vY= zo4|XIj-&ruUQw=YKJ8wq%{mqw$)rp8?@opqcp4KDeF%MF7cxgOJh=>zn$!Du=fEg{ z)XvuegsFXNa8RyJq}Pug1O`1Vo&uyjnmErgZ-DS%d9pc3iG(kJ{}%Fv6x`Y}`Clle zRISqp1Q`uW)xhTRk{kpaG{uzVvf*`~UNVliodpI%O{R!#1)cjK*)d@X)>VV~OlwU2uCW%!$6XwIwH{UWMk zE62+2>&i8l+0}<2FM&q6J?F+t9S#6-{!Z>m$y@Dn<{LjDb;+b6^#ivZ1(gM3p|+{l zZUMqfD={(jpXn#<&vEtrZzfP{w-Z>3z#r5D$zoxf=-cR~nfgHyW!2Twj|58YN-J&f z+mJ~;@A(qk+AGNzo2hU;M-|g2hsUU3%`Uq_Rk<8onS zm6Aj6GIw&Ut&4jXzdfv8gg~dJcu^1qFB^*kbH!dsyf{<&QMl02XOwp2_%L+oeu^h$ z3WP_oC7NME`*N@Aw8ypQUF60|+&z4|t>?qV>{K_0ZlsZ&9=V+=#GH9SMX#{Qmz7$M z%0K?^==$b>*0@b88cPyXrix2Kz?{lJmI47h=W>qwTm_qA?6!!Cm0cv$9_OKyW zwk-dL0SLwyUkTczXKYBFEw1e*>{a}=IPqA@>m+=Hz+PY>tcRMde;M;wyivMImxjZ- z7KQ9{n~Ko4U>yTg%*QXeieVF2)HpmlLx+*nrnzBU*00klT3!XPCh(>x)@;ij<;Z-6 zET3G7Cf$6h{rS_JfvfNt;lGyr0WzZ>Q>pKApA-v!AXaOcF9&New(LFDst8PLYsAq5x@ynp;3{ZQ_tpvQpu@ zM#F-~1d`q%e3u}&kK6%59a}^bi8Pcmsbpe%GC}2)N)r?5utG5@D>Dv3&6>9_;-mn{ zM75@5!8OGeXh{dDlU5N=Nw22$DMGHlRrvR#B7j4`5gQ<_VBWepqk`_bx zNo>J~=x|+}TF^yazb#COdb~OIyfJleR}aoflI}Rz-GRI!^ayj7Ps@o_4*y|jw&X*9u1gk9&42}wn*+#kRoZ|7)z zQMXlisjlaH-q{jbS3MKibxZjYqS zzK)n;#nmI^x~!U$)B1hE9LH?fjRj$hWYv-8n6m93C{kXPc6G?f%>IPbIa6H8H+De< z#BeSU`0F#Jb3wuUYGmu1Fp$XI!DV5N1G35dk|M!^iuPd!XRV&Ge3INB=(A$@3JoK2 zoy@Ooo^@i2OW^LKRH4kzZH2;IP6z*`JOV{_kOp7Hjydd)(q+x=ti zIA=Na%bL5Psk8CwOHy@2m|sg=B-%uq@sjFPRx(7WEwz`luJxE4j_RpHND;K4_KM;~ znb=;B+%6T4;<{n3oa49wCCu|2civsNxq_?@vk`o&S?30vR09V%F~9A&U{ax6(7_VF zr3)&OufwUmb**}Dxj;;d#yw3Frb=r#vOZ-a|IeSfFDY+mZ`ano`%$_Ou#}a zhy*%EVNaom{v>SRWKbJW6#DhAG0Xg0-!|Y)YVtMXV|rf%-y~dCgjWC)!*lmQ${ojg zEJ7(l7LuA1D(E+7Yr`c6%4=_55Qi4YjI6YD^}yotOm26TsqYePywJxvgr^b_JLZI? z`X5gi=~bd5&z4B7oOy&gRfJAQ+rFQ_l3SUaw0IMA@VuVz=`|W=)H{n#H$Hcd82qQL z1@>i#&ZgJcTTug0G5|6B2DC3R@efi(857L&+*MzLcROW7?ZEr&**x zO0wdoxq%p7-C%i&`CEME1*&I9XgXf<33|0bf)WSP^W_|5=o>Rm^P|fTJvE18&MzkX z(FK$&fDe*eGsRX+o{mpS7)!E_|MTEN#nMG1bqhYG9{T@*yV4UBao3S7DW8qo?`E@^ z9q0H9TB2u&kL|z54W*!CVGyMrnJ*O}H8h=n@A@u+YUX(JnFFuw8P*bd%Qr!)9x)N) zpzfWA)Xz`x`CsLY_)8m^otJcx&g*WGV3a=bFJo%O!S;W%Z4wiyL47p#$xWA=bC!jw z-#;0ICQMoqIVex+tn4@0$|t#jhh>+4+;;aMUc~EpjA<3jif}j4NWGsHIq+(3oyRiT zTDGH0j0`EoMC|*g>tQd<175oi3oy<;%AbA7VMdRiP8qF%x99ew)#k7)2&Wk$fr4l9 zerHM=^0F;iG^Azr5p-?FOKSNeF4^U3iJJFbRY}rXFX$FxMP2}ET?pTnpB4XkrntBg zJWtVAJTgf_vfukf%q9?#x)mP^g6or_AN=X?R{o-0J_Sj$?$J;LfT_12{`i@C=vY9; zwRkc!4=UB}MX1MK*`IZEP<8SdHq}L=!a%aWCNj5Bt?BiyO1$?pD+6GRndh zav;rSSYMGj#C5GT9+o1iVrGQBPW+s0&3gV(>z(VS2}xEXZL>rhO?uc*J=-u098&d{ zx-1+_%F0~l`jYZyV$qg06@DoDBTt8=abF0GYct7m9tyvW*o5{ly6HM{!Rk*-pvf31wug3`dVVs z=Hj@B2FYD$_e?zX^J9E|{=R(FxL|RQ9j;+f5j_@tHy_vZGp|5oNK?=vvA8Ghj22yk zj`y%r3{RibE(ys%CD{mxpB=;=Aq%&iCSE<-ifGfgP&pn)6oIAX*1@Ni1*Bq);UK<{ zblRRcywiX3_@j3HOXZ&87YB z5e2}tzTC4q2na%wKj2dp5QKl)hwmx^)1|~I5M&gTbe1oQA-z5|C^Xo-$|AH~vfUti zQVr8syEf^B3bYkJWjbD{QbqTjB=pO^J0Q)i|MbgW+C6#EE+Pk`M(gpDp=y6&4We;l zGi8^O9Fs>G1SX;_MIZF*wvl2e#=^1#+@nT%ea6hy z&?vTI=qO!f!^*Lh5p+u}#)T+-_L|vYcHv8*80-e)HRjEt^O3q(naaZ0$som@bsAZX z*EbZXbdG#dF;z-KtwWjTb!5!l!~A^iS)Nu;e7tsynqS`&Z-u_Jp2YG_-8x!=aw7)= z8S>iGtX~SsgMM}AScjVb$7Gw>yQHpgo$>*uhw6Pf$9&V|X9% zB!E;LfSzvmew?Od06UJXH9e*fAw%_%pKM($WRif4(j|jc@fQsa7#%teDeE#oftMdn zJkcg@oV_ODzLuY|A@y(|xSted)GN!(6Do9?bis>J@cUD^5Wm{Wa!2I+iuZ|b%-zkP zT^7P`S1YQau91+)3bX^N+)rSPB4)A}GsTFAx6dh|!qPPc{S^9)W9Gn@@sn81L|dnR zq+upP=T`3=mnr*>#Up?A} zLA>X^D`bx(j*jx02`&~a)sB76V+!KnThVj`@M|`J$fYk|%)|&p#{Nbf9WNmXp=YGk z&l$w|5NgB=R$-Y0JZtvnpRC#Q0`ClN>}p-uVmPB-joW^{j64$$PIZ0(2Y#*ZnGL^zqQ2IS`6N@>?^#KRAHE(FmCmeHyk>|VcZZ%o-+^CcY5{;A|Jb>B z`;EXLy=N%;Aai0+nuF{F+_>H)B$Y`B9O-NdJ2U{Q!IjtRm=U+^k}E0*&G1deN|a`U z!h^@@2-N=5lmlTE8s{nu#3QaiD2?Z}YW1}z$-0;Zg#4$YM+pX&rZ=-EncdjdJE1zJ z96t@H4)^nN7Y#pyUTVR^fDW?W5sE+y@!G8$-H7sOi1M_pi%>;{C8k%zb}xGNDbE26 z5?G>0$U7ELJvuPkOCT1#Gv)IqI>67@`+MnHHE>0J}}r0b=- z1(ohjN$ExrkPb-+k?sa*38lNGqyMCiV#Z_um`>fOydb+XqxF zg8!^l>;kBg0W&Oxvu6EMe75rM6`vIYe#We}Fv{o`+DSv7cQAH35mz}SkL%k0sV0wC zp%P62mGZ}?kHXt*ajjeXc|uv|jlaq6%>QZ;48Og=TzRk}EP1)-gUsUgzQxMwDvrQ* zx{J-|s}(YXA_3q(s&sPSlN`6M4Uzxwa}JE-q+|Q}iKt-32fht|k4Dtvl;GtH@gxHumG+9Pua)DnS-#U;g@9;AY}1fmm*XxkVze^As4sNjbE&1 zG-VQr!!3gfk`z*@1WZ+8r9fN&f5+aJlhXgqr@#?Bt!*``6Ytx@e#J>CEI|+Fm%<01 zr1_Nm-5}^ovqcZ_^lEB>AN<6YOaJ|}XIu;>UHpgQ46l*TqRP*-wgm!NG|9fIH3&p_ z<`G^n?S}?^JB#L|^1RBp3Ic98LUVFYMlyuV>tJ3jJo~y^P1heWhOH9-*8}p z1=Khg{g`F9?X#dheZfm~ENV(|?PJR4b47Gz4JpbQItTBv zmwiq3qw_7s0Y4l7Yxu5Xfb|WMGxRykly@g<2rJS(SezX!)Fg2VjI;LjycdyP0G1Po zNbN8A8CM%;FVLA?KH?CZZR@e_jKN7FXkbqG@h?Ak2$$_QIfWtC_4W^Sp}+aYaU%oZ zw$86NJx=s}8ZsW%D#IPp{bh24Q85m0dhJcYceD-Dkzgd||J9K~`|a2mUBwLp5W8?0 z@QTG!OT;A#1#SH#k=E%^Z$^ltsGnG|{9FYQ>Sq=1U5mp_mro?0IL;6J|HxWD#_jy} zzy)s#>gpsAhqOVj9m>jkw9J2h&tDHnmC6UT{mJm`qm<2RV>aG4+t<_{o`13nI^lpe z3ds?nU$VtN?6NaI@A8fnJ%LGa*~gb1`~rU`q2ww2EoK<+jdTX+voi>w@{6BzGN1v% z(hJJp=T_eil+#1p`m^pCRh~1G-iWwI%*a*0gxwwJ;%&017`0TxM?X6uAQ)+ZpKHT4 zMg#KSY0~|suPDMuV?goXK~|a*`S`(RV8LnyKgt;s!fsb-*zG#@pW9VG;c?&A{zO6y zghxs91?XA|@1e;6iS-klT^DmNvw5l{QL3p|KZ5~^ZuP6DNao?|Z{Oj*@d6tV3RI5& zYTosd_nikr!CR7an3ysLzxo0ky&v&uI!b@-$0y3*dlJz-WKG|_K<`zjqNl{-#8ERK459iBL1*H*4fGjQ3?CiWbztR*ez}lhalN@TMgiH`*vB~ zB`<=xQ-MTxLa#6Y$Gkh}U0cE4c1n(mQcv~$^p&#Q|HN~^>3B2!lz@$i5r!EVA4W;R zmMZ$(*E4kZGjY0V`n@tlw9fB`18M3sSGg|sQWZ;hNsMJrZIap2)e^2MhJq13ij{5z zU&cP1T*P}8zsv5R8MlgHLeb`I*f12f3R(K}jN$ufY)1M&<>tT5u)SYh<^g#h-tHZs?B~j0og7q6*?@70sInAC}=ZrRYDaUl|$C<-iSoEUz+$oK zU@~y$y(FG`k??q@#JjF7xg?LM_)R?WgW-pu^f-^O7|s`%BX@+UK-qRtXVe3nRt_aHdLPKv*#`+c1={1LvArcX3P5U5X^!@`!Dz-b zm~4)l|962J{ET&SpW{7IsmS=={88rq^?IL5_SdOv791YuqmDW+}*)I%YlS&Qo-ywh>I$qt^PH#S@7Nd};83OtE1$-L z$yvPj!db{)o!wCnww*)?Nj%V!k8tQGvYK_$@)oiT)Sn-xS*xti$6|y&3_z@V9zE*` zf@7jjOI-%$u5vne2ba)~PN08{0CHHL9jYA!6a4|F)H41n1$-ZHu;XLjX$@1TCI8nH zw2GhLM!?I?{J2>P|Hf2Crm3Do?MC)7Tm*kK79#`&#LL`pZA1S+%GaE3D1m$KE83zY zzz|WLWhzCC6?_csPi*5Q7C;C>CwPS%YTvw->3{DCSSuJ((b1tBymrbSlS|*#SZp-M zc-t4k8uI zND7XiDy-x2B04Y`-KV{k0E^X$S&|xdB5HI);31i9TsW~LNwP#yp{vnK@uFU0q3D*Z zhDy$+@As!O>|hIzgu>dB6dFh;5eJOT5BLQ z;%c!PFZ|MUaUO*J@FB|LqQ_vz(OT7={A|>yGM{00_&49O)o3H?R9$f}gv#E_(JoWT(>Ptkwl2yu#2TxlHp9G>yr6Er;ZOYqyH4geiD)E!nVqb`=5rb7Q9jp%?n*%B3Xo zGxaX6={l2V=jz?^!C*AY?YoTE6dHjPK8CF3M(@6`>NbsCAg_`*F5Ny`BAg|;%cxtD zS(OZuH{V3i)&Gwd;IW8mY3oib)JN~~vmLLAiK0RxThcmku>FMSd*Rr3=M)l;R z&o{Wh72_^+Ln?@}Mg~KMU-e;QUl4tqVg^R0J%5}Zo3-MQf2U8^qopHfbX6!gGE*>B zxzV`k-I%LnJBM$#4R#R0*$Aih*dgKx@Vxs6+48*{Okw)-I_y=V}R&P>)iuL#{1+6^SEw|!Rn5hqb(Lsh_{}$^lvDQFWx5cc6;A_c1=viYRTHxHy&E6Qssyxr#I% zTydnklt_o8ZRab&yv0d}h_hEss-IvWa#U?IRqWYQK_`nsD zs4(LFS-jTp=Y^0&r)US4J%_q8!$DgE`!~CDA-N?G16L3*~DD3ov0(DBy-)F z_X8u=YbCVBlf93wF^P#A@)ldi-*YbPGct(YuVbQpBATh;sr0??Y&i7F0On;2e&Va% zH;jc5TWA-b{j^)Ms$i!;yzcmnn%h5e{Ccfu%`y7bf<0^5j3ftF!QTCIFp}yF8~d5burW{gy9=)XuxERu>kJFaq*4< z45eQQ7dqVMi;yc;=6H6iUa#p;k)hJK45zGVKJ%5!JaVamSUS(Lm|!vnZrjr7x8B|_ zo1pE;%G~p57F#3D>@8O&1@!8k=i98xHx<|@yfB!=#54h$iUo$10<&3E#SRIbPmWyV zgst6$#;=+F?#7B_(=~%~d8oA@)7u(fyur(7FThkIRlBfB!qXRThxvRZ&qV4bHLz1s z$DXY1oP5NMeHNJ{JpDz(8KN69`G&!Cd?Kqge|@_%Wd|5qKzgZk{i`<8ou*mqytMx7 z{5tk*ZeCuFZbIL*^G`kq?a6R4-!aGK-t_cAe_*3^QxJ{s@`MY{-ZZh0L`f6GC9pqV_C8i0rrL(7Ny^UV*5^Un%BMbs&V z$CDyk?-VGkXIp5Ln_qQ>X1|T=uHOkwtY6DMR{1RYP^Lq_Y0doIx0)!;^I@a|>B-$v zm$4_+vB^=iMZyPZ&z&@MfQ7^JY@8ZQZ4kLSJ^vahaTB-eu@e;`3);wo_byjK4#RGe zpv4QKPq@Y+a0)3pR!2I6Z_`o<{-bPegd%-WXI9qUoVBf_mGccM%P@p+?->%h7i9}P z&gDUBs#Os-_aJjc)wK|Bk;`&$9$9-$T2vq6>3o>s)7`X|ZU%f2b#}++ zTd$!k8!J85u$DV)o;jB&&4Wt@q}5Ob_F9|Q8f|Qu*b<0KDK2NL$DBmm)DL0Pg5M$C zn@S&pKi*DIZ}G_Anh{=29D27eeyT|F#ISwaFzx1OHLD1QPTE>@)jla>uUH>gaKx20 zy>p_`4r*M`Ti51L5|I5wcU*u#WlkGiD^I?6<}tYIXe|%cxQ*cy!_ov z{Xi&%XXNVa8^UBwEA>h~?Yme$yx2=gKhAhTv@*dfUV6pM0PMk*>}i~3lZp5WM*aNg z9AXOocSJ0A+5wq9dLd;kmxcmQji15O=`8)0iu>OAIZ zLH9g!XS{GJm%rwCsz5s{jk^aeH9Z0{UgWV81hx}4_SiP00u-o$?YyrivG()MS+jGg zup`6E5;G%LtZ3W&`V#c7Q!os*hzzQA0v29zyI=-i$y1R!ADJ}$-H4ZH?7t?D*<>B! zL}&K6GMD3CZC--qR&bx=o&5b!i3C5h+t#-<7byqpSio+h6=|3QX)sDn|8d68Wwv>|g# zuKWF>3vOQ`(;lOYU%EkyGF%}_@s(m7<6YSxbb719ZE()~^ySH7;hP(Fk$$W0-NGK3 z_W8#^@EZlrai)T)$(+{C40mczpRceEfOSJ0t0h|YGXsxg4`G0CWF72V~V_A zv2O8{GEeJFKeNld5*o&0=9KlR+W6UVgDFz#%m&x?@ti)#v*Fpa#M{L$4Bk4mYPgSt zQ=ikVyrUpJ!h=DDfnOs56x3{NY_D#_qM|z2>ddX2Gf18y+dOHcwZ3VcwE0e_~u%6 zCnHt6cbHhrwn+1^w)u<&_|s8={l7%^m)pk{Y+QXu(qvS)kR2b}yFmCuNx$Mu`53(b z5!xaQsDh^^_tqpK4F9wP!f4el@_j_@5apwWqD5m*&O0ZY7mnE`b7;zDVeo!IQJuNl z--tNYYY2yO9VGfID1LFXCK8q zPObmSb>SSD!28P2%<=cJvS_=gT-K1WO!7eyEoJt{H2vV3dMw+=cx39OPi#P14jYZz zhAAYvP6!)wJ3*~kGB0dEROCSSTEx?md#VU>67k7+bam?*M^^Ig*wKB^R0_|aH z-ADwdhC)RaLB12Q+|B;YclB;dF$^5XHx0F?Fc6#JRxKi*z#3zaB<{z?t@%gxd;d0q zge-?6v+SfTE`KVnoWgs+${-*`q5U!gA*Th#m<2>JK(3b+rX~z+Z*g5J9U#0s6)W%y zQgwwquk_yy6w-c>JP~1MSYhPMEv*_gTB$oLgz+YfoQ#JXASNz_qs`P;z9E1RJkbqL zeLr7TlgalM9m37aS6o6xlhLF1(%kZ3vcLeBV!%yEz<(t6OY5txxSUF50)I$>Mh?I2 z&fLTF(zjNrW7C!}aQZkZ((Uo?gx$~M+BHw2qa`6MY?|s%mvfViNFL5nY2`EcvYJXd zaEmXTTiWah2w76jUN|b^-?y0%vGKxRq7CB^QY*^(W1%#z(XQbjAkmeI(SY4UQG%Io z5!6BMWyje&IkPt!s1T$jk#+sH-t9vAx^c91=+C}Tg2Rym0>@E~f!k@-y!-<0qSUr+fBL! zFiCaH86Y3eNyF27871(-gY!LT=4UTu4DC20ITxF&c6EeO2d}!+@D|_C-W7&1zDO#k z5x@{mYi`A(OiJH4q>^nf>?u;s97%diW6TRezd#vW2**vma5dE9C`$GfpzwdGZ~ z#XkIcx3ltp0Cl7@z_KeZM3oSNe_$05F%Yddc(gH*qdxwN`9zujCZzu$U#$zSc(1$# zqX8#{Qi-98-|_CZ4qi7}Tt!R5_6$E_ZRq*3{*V%X=>z7(7d^2xLFIS$^gkIO!bT1c zk}`Dhf+Edc-P&CpPEO<`elJSwjY8YSmyS5PJRCI&I$ZC2l){!H$v=!$V3Yjn(q1XO zooM>@{XoG8mk*WyU)Mf0x+JW(8lG&G;v$*!%?TCEua6l!6 z*Y)2OIu4bw`(;3K6kl&W5=wv3p5H)HM54%4nPy0Hs{ZjKkVhb!%jNNZ;+< z#`PRhq(lhyW%+9(#3%1}jK+$iMXa~7rJ^(gka6d`ZM*7<9-EY%+Zq^uyPKyWJJ6#UvGC&=~6WlDMOh>-p$b6GK$xEcdL9 zVvL(E;yjCSaH-Sjo&!}RdtJ2}4A{c5fQu2Qqf7aYg*x*j$nR&_YPl#oCK4cmMd9RO z=PKy=Um#pOq11_3HAKlkC~3;5LrZZx>x5pCx!~W7^qiFk8j&1`3t97$TezNRZ%$De zE_HaC`{kh>+nnF>!QNO3W@9ZYKPMBSyZYX_Pn7XK`;~)gGqr_!&gV1TRC8{Vfkc|b z8-cg)m+TR38_H?FWoYT+^3Z!WAc@?0As_n)7&ofm5nE#;RKkI6)=!KlRtMXh%JF`g zU^rxHN!=oPNRZvD678rpv)zBldn>?B!6)RgR-UHcU$`ANT4O47pJdBY#{P(Yp?odF zUm;fEOMwIaWdi(1Z#b?55T*|Gx|BbHJsnB%Gw$C-PDFMYH(6;@8QKP z8?l+j#>-}fwWDBMJ$|#2Cd0F|^>n_QjWAKPl?4!M^3gA`7ST%!Lof#i<^!H)ZqP<% zc$!P48RlRm+VO@z9<=*4+L~Hx=*ameWQx)a)LZ_6u0)XN6;MUX-fnU&wBR!}m}O`* za!7uzVRixY%6;3mQmGEcE~=(cZ={4?))Cw<3E+Yf3p6EyMKGDYtogW5R}*eHeiJ*o{NX&N58hTG0%DGGhU{^r zN6hSy(b#imtEc|}7dLwP+QdukOprlSp-9fyE1#&yDG|_)Fh!c;X{T|RkbymNzE72GsqZM}iL`;Sxr$6Gcc4JEug2HVdiovp!MKmc|RpRgdfTdZPB1;DP{mdo|1}&x! z`-D0oHz`$ z{y(o?)%^~XW|X*=!`{6(E@%X+MrS0Jt0Ip_f-}>_=Y|t}U&)&IKbTFnq+{KR!ymCX zzj<(7=P9Bj(Zw!B}~n*37scxIl% zO0J9Fg|^wjR%RXT<9~s}3tWt0UHchO z{v%5UH>m$cXwtN=XXzam6E`nimj?(1wgAD{OR(4(Bp97&Ec*YjfL#DN3A!aEorqw5 z)?sJsln?JCBVm1n%h6HJ7|~8RCI&LC2UYt8#p~9*UQ1B@p+pfKgZ`=^o8OwAjXRVJ z&3Vt1giA$Ba|b~?)L;toqOarl72^JZsyvC4)&?BbG`0J}i8ghX$=CJU*DKmJmyBP1 z>Ug4thK}N?BWL;XA&k#xd(43{zoy+InJz_rX~cWTr~CWO@uFR(uWLGDzu?H7b$V-&iKH9vGddo*C`2Z_5wraVV;ymkaY;Srr_3FDr zzN)au?c6(f8yVX^8qWH+dW=30(@5fEQNP<=R&2+Y@&V=u9f3Ol_Wumck-h)YDi(Mj z*9G<@^+y%`VhvQKI8dwoiSC<+{-%}+8s_oUmJN`9`L~f}N4Fh61I7LHluf+AMdnWh zKHF!%23WpdoX93A{)>>L(N!plmsVw7?xa7XpIAwM>;O0 zWS}?8$D;{?N+|2+kS!K0yOr(!C{m(@(|7~(io+i2!sgoHPmW)0`b+xq&AbWa%fV%k z{d%4pd+Se>=Myl?^~JnSo+&_ZpVz0Qdbg;cV7Z(UP7T*pt|P$lx+3GnH?f+JZh6Xd ziWj_A_DYe+3^reGa3>SGG|cfvt@ma!eVxb$D%u!~;&z_{uaIMjdG-K3Hkg09;ZRd~ zS>fb^s8pbdrRPF1D*4)puR;Fd9(-zAB<{m$#v@m0_&w$~N3Vy*fgp{67nySxlGQ4i z=}=D&vOidLa&RV3l{t>A1Kgab>;8jfB`*%XYNx5r{DdJ78gr6- zkDLaoB?G=BROHsW`uIHUDe_R(gxdnG6ox|ANgwh2D8Y| zy9dCd58kuUACfWIwD zq>>Go@i5^udoz=LCrIn+t#0Oij*`7)S?g$}Y`#j?P)GsY%rWN)3JffX}L*fqfI+~x30pkx6+d(9NHvridGRe=$ z_ikn2`%UoWTG4y6kdcp*Ns>ARYozAXSD9MNI{ty@J~KgW&s{9SpdGKr|8#{uvN*jH z?+^$(H~I16<`kt)W9aDAv-};!Hv^StdfN3lQgU;{+41aIzSI)GMU(*@_Z$-n@(GC~ zrHXUZGtiSeS_PiyS?`r&04@oUc(1_AT3S#F`Mq3o?Zlsy;Mc#Y2Q_@1%g)dVqST<}yv1t8j*Ni0!t>0b4ydXi= z^3d>$YO)3t!f}@HEV91rtNIcPSLvsmWm-gJ8H?c~T}LKrWuX_IU1H%WbqZ)noM%<@ zM0c0uP48Xl)S1`WK+^EK=61IWJR};Ioy|R83j#%|c@;iNF7m^`7iv{QnwOC4V6IlS zJF>+mw0vK^6`f z6TqfZz;hM6Jn+^IHA*b8*EeFWZOq1JPGrxkNxo?lw7#@UJ##ufPR&-@OEIx2x!k2- zy;!l@yLmEc7?3R$W;&Vv-1Xt@d=tW({&?x2+7g3^paeO}U>HKu!w1(hXg{PECTY3n zQbifFVHTc1EkRwH()bh!AcJ{pZGmBA+OWF@lmc^FzbDZdU+G*j8r&$zz0DgFUB!;L z;+a#F^}4zAB0t|arE;mR+_K28CZfqxvSCcQGU5iHA#TGR1bFZ%UDB7ljS>HAl##ofZ=~x@PMMxe?+pS_irNirVDm1dOWC`w^oca{~11DQ&{I(bOyCS`aQ=*NZ zBq)5bdId{l8w>|CGXmx5Mk`EuRF(S`mZxxQ^EtCyB@wL1bHrL(@|*5Bl!5Qi`Z}x` zMx@7l7=Me%puF7w)uW!8%1^CEJKfSASA6?>o8Q*xfhv$zvaS7X^y)-`tdgx>5Ubs~ zZ1f`iP`K7+5;vkZ@aAOFNIXj%p=viZAn-XPJ;jQt_FyWc#;2_RbS6w0v+WHVd!@m% zsv(sIHH2BH8jPA;fzenyDFKL=UMhDj^%XDQD+u60NSEJyp}jXDivNcZrhT<*ibry> zW<~9hUH24ekPMFWKVE?Ug2y;eBdBMLjFBU}fM4|{`v=zZu}FdJR$l4#2B1TQ?HpV% zABg;nhGXY+GgRdUkwcak&QSTecFl7MCu&Vv8q?N1h;&qD@Lltt!a!+Be^q6nP@p+% zh&%roqMEx}dj08qTWe;wZo!R=yy-mhH-F%e{aJDZ$J@DMcMb|+Pk0K?YbL1BGyV6< zO5E2c<48Y}ltp$(N>x5*LE*=NBXrCO2ySw$+=@ zmA_EE6mNJnn~GERA}>kiasMcLKp>;f#am&O`!D(NKcM|n9R{?!CN$ya{Kb&@#e^>* zC-`at!iGj;N4Z?C@Ug>pY1ZV8Icv?_Qiun?UyaA!;s}lWcLguO3WPGV-+&bmVU^>c z?T?A9!m zc2aL8>S7z1Ai^qodwnUiY|qTubh4A`cJ}2^mm;%?2ZbxDjG#gUD2Qw3^|?0YK-)AD zXg-`yV`9{;mUX$qg9x$-k;I6q!^qkoje9n&+?f_Ggq8bG@8sBt4UmJJ=KY@Snx3{& zra9)=lj5=0Q6SxPWyB;w{!z7VhZ415s*1hXcjl(3dE9feslgPA- z+j?Ij%uZ6dOUwsZlk{85_;k1+vn68Tf94&P%Aa*7RA)ZI1_)-l+24Np& z73~E)HRYlu0uUMUD1SpyX0Bp7AF(`TNaJu=`++@XH6osBSl@)8v}ucs;i$G0xLfvX z+NxvuvxV#>06`1umxp zMY13$!{oR(=-}Ybu^TOF4SV@LI)7h&4KCc_9EbfgVJEUsblVU*EuhH7S_$FWaQE)} z9A4;sxAMsLLUrs`@KJ4a0Z~|z<(<`%6DPb-!)INdTrR*HWiB(R%LdL+sDF9Nw`%gS}Lp*28Nl9Qya*)n> zN#^>R0Me2y(ot&=g43m%Yrp*4BZ~nN&hwuLe6|Y=Nn%NnT44I)mwr@QECCqsuXqdv zjPY~@7oai(VNaAW%k-YHG3ehkBX&NCywBb{k%}j}`j)|x zWwV=TF;?DkRuxBzQQOVNoc{umjSmt|ZIV;kR4SlZa;flMPBNS#={9iT2GOe3hwI#i zRIA~Y%Z*aqTtJt|ZFUHqlX=VX8)iUo`BGz@;N}<5a^^=aGDi}ekbDvKBH|?iTdoDV zG&ux>CE(+JzGFg^cLFbV8ZdnKEvtMfv_KqWg&RgrrTyBBj1hywgyh^-d?AGcDc%W6 zJ&zlV>@Ko_ZDw4R9CfL~9 z@k>%(S|INPeOOh4$pj*~%&o8%OLYVV3(!R>Cr>I~TYD0ty=mT4WWdePpK8+9n7z1D zC^_A*mZMCBJs6;rOg8#RF)B`;oq?{VpZ!0iM%eL?saceNU8naPNozo}KmU-GlJ#q{ zwqwY5`S{+B5>O&wnU$DZd~G7;k`W*&Fl-!6@@&PuiOc!xnbqtB+n)uQObd}?NxxKO z>Rozjm?W$TqcrYy#Bn`#x!rBFHsa*ho;BvHV>DPmNF39P8B2M3!(KCyT1Drpjf4DG z{Y_>G2*hGX!|1_LU@$cTFLMD!(t~=jVB7*3BMaOPkzH0o3?^xF85YqM{(;Jc`h-&_ z<_oH3)Q_re_xu!tyvG-ss#jj;8=Sy}ZJVw%lCAz(eInE}@|Lcwqv6fLk5V45RkkS? zH?BfFTYr~?%=1thOR{u;_jbpS)7xU{`T)oF7ohV%?IT`_JLvn#x9mH20 z?h=HgytOn*dnAR;5i6HY;tT^b?+9;&F3|e$@w@(>UN5tcYqM(*)b+m`o-^%@*ZuR&v#w1+*j1TW7MCa&}^tcOWzgdaUY_gMQ{y? znnf^|!)2r8NEw_mE{P3`Kbv~MDRvzZSds%~ zB}s5@kJRD=Z}Jx5A+6|L7=zcDB3!ScC`>}?P&-!+MQrPem9q$*G?T!ZhuMRH{2JoASoH+M0OEgn#96Rm6mzZnWX#=$YyrL{b=7O<_-cA z0{mbE5#B`S2HV|olO|c^;+@9=x_Y6u@YVT~`Ky&iibQe$#D?d@{Jq<{<%Vu>hXjz1 zE!+j~vZ)|eS@$w%t|Aw>fAg1RS$=_tx{`)(RmdQE_i`|v05BBqV2i?ofM#auQ_^ZG&1vf7?V#yuU`6L5hEm47Bhc2x^aQEZ%=J;qm~fmhY~SuqF>#tLAo zO(pRl)&`8P5bn9Fj)`HIoj&E=+u6_uW$Y(mZm@G4CwxWkyG9SrG0X=qF(>jA*cw{k zNk#FH-P|FI+Z@^M*<#%5dpKMQcVS;Q$V=i}M(8=Wt1Yv{r13pg`oY7z+%E^6x zH?-f*Qoy3tMMcef(B!AyyqjPLdFXDeB9{(?@GVq~!ppDLk%8I_gr<>*$!;O+7HDc!AAbRW&!hkaD&AmRU*$HLMd)wUHEnX-fYpv;(o|z<4VJEt%39(@GHb_O9r7Lx=P^TbWPv# zWWb9DAj&0r?w?vpcj98i@Tpm-teRJg-}if@dZqzhbJLT1m9J;Q4E9Ty|MN?z7$-1C zr#2Qcbdd)Y0|*bn`IID?N3GVnPf`jS%PwjCn%JedWlAz6HP`>(LDXY%(xdVP2aaAaZaT^Tuv;KAY75m~QDCJYFivNvPrg9px>jv9GexRcg3L!)1j z@GEkZ_do-Ml9NbTQ%?xrW_>P@k?No~uDuYLKF1~BvLl0Urc>Dh{0gNf94{hHIcOv6 z3oAG@BvS{V?DI!zn|dm6rxEcunap?6h~6nQajgc+QK}*XLrA{&C&o7cf!YGmlcqz` zYU=C^c>It1y`W;_Y2fHk%L#~4V-5IsqNn4ze_`T;-;VoU5iM$a|MZ~LPD2aJ1uon+;#)%NkM#ZSucmWPu=QIUMXOd_WD7^c%&~mOWk7%RZ z;e`P{^nID{1b>T?a;Kxjz=sYM7epDlTanB3iW7CjRe{m5(cVNmkACz47?Xx<r?_y83rAXgB*KGV2 zBYbBFuC$5}&J2{eh3-}5*5D^(W$gegqv$ze5H2 z)X($yCBMI>ZF-HLJtpH1XF6yK0%^Soh}$Z~+Nx>e7o2HcW;E{__L=dR^rudVA`pWx zDa7J7Y(V*)x2KRDBC`go-CL`{1ur5YZ))$0Z7rC6TvLXZ%i8{#?d}AzB7~>f`h0IC z^Utr}m=&hmcG`8`IhuJMHO#!{#ob$zbqw-J%-in2t%=aV!K5w&N8iW0@Nde;p90Q{ zWZV-QJzxzF@WxgKUzXd5`66xf9Q=Knmm58_q=9S?jfusQKUyoF#l;25JO;~$8ifx& zcMrJB;3CNo~=-9*o(fxY7&oJZ$|nY9x|Jqw@XgHudET-=gzbIO85fFKu%} z1iXsr9^7A61iPnJ=_u+&nAUnotaq%}V9;bu6VbRee zmD{e1i|6d)wVehO7-wBin|hx@#?MU2>lUA50Z-E}M|47N0g|$CPf`Rl0((Jer!GDx z!lnI(5;aLJX#!*#%vyb~Wt6Dr9L+^oZ{E013I8+74xHXHWU_bexniQvO8bY_bqj~# z?v5RCx^SZ+g6}+2^=9&sg(CLbL9jox5xspN zqb`S+)n;tHrteT2dTSM+@W7__x0Hqb``9&YX++K27F70TDE)>PG-1Mv7No1^Ef@Pi zUv!108SR{V5vCgLGF?6{jk3248~S*vi0DtYM9|053mJ*I(&D>&3=2qsdD==jSPoP_thtEr^vGf z;s~X#_(|z5F1&aa`{FcMS@930Ea+8%C1Lmkp_j%gI>>tq-Jvyc6$e-@K9x9E1SQ?K znUkwSg(bX|Zwa5Bk&nFCWHCfWU``Ux;>TAxskUUCIDwD1c6fG#??ebUc)&|j1B$o) z-@_0{oc=m&#II)}hKvQJY=Y4XdGOwJ43)q27N0IyT9UDd9)P}m~W^}wC-;_i1hW;!rekbudbtv!{neSg$R-$S0PFhe?LY=$N zcVh`Ud&urGyqGjf;i~v>WW*5-qrF+>kd!2u_V@V0 ztZW>njDPk_1~NJD#Y)fqNWzke>lVpmc`?!vb%XiRys0c=>liaHOBWxlhTXIYX6SB& z3Ka$fqq1p=`w8L>R4-^S^Nva$3CWo#ayE*l} z*xNkMi;`)^b)xX{u>bMW?P?yg`rKRzk~0uR_w@equ!UV7H4ZszgYrkU!mr0Ec;2PV zJ)a$nOoq6-?EF)zGuRdJ5sA;FQOP2yMS4veuq>NDYauK@HoDoIWq3dhubp7D`RLei zWRdR%b!mkhI=F$0v4`}q2C`|xW>RQ|-n+edP2yWMvpI%4EY(TKM9opXjfBUILU8mA znE==0QRP>)C#_nTVfbS>JAllbD~Tt}YLoZJaE)jvzEMo!z|sXa9OZCNzAN?bb!cW; zo(*#p@ve(^L^tHbrOByJ9XOQ)z8H3*6xA{?AlmL;eV*848GJ0!zp=TwbC>B%;&7M% zEoekKXnq7(`}Dn!lBnjUbezRNpQ`@0gE+8%!ec1DI;zw=9z@$Hyd54^Gx^ix>x}b` z?;DoeAxEAU?t1}(tI)&E#i2ubgKDCurVmQrPR_XeF2;HROQc?T!Hw@R=l*r&mv2ai z*Yu<}uJGs|-cXNCRZf>E=uX@;ulKq^^FvKB98stv!U6y?)@Xj>Smy&Ne zRNybp*;M-5+M-3(aQe2I94v)7EJ;Qp142=2_pT zbz37}Mf7E9>lh%k#VT9fjq~G* z+-vKcK?Vx}6lM>Nno9K=%TqIu+6q5)(9d(CGG@~4@M1$c7xqiO7wN1>rdRp8Kr7(ku7S*IKUQvj+1H52_~y~`^7s3d z`9G`H-e9Qg6+C8iEF?!{PYlS4dnK3Z1+4D?Ps2xinBR79JYwu{g*5Q;$WpHBPDA6%7k*4gzgxmhEMG>ZxRROsI8kf8e+H zC(652?%?#tLAS+y1#5h2y9}2*uO49YuL%{r#zR@IHV)5-o?)c^IA#H_Kfxfw_-VvQ z`Lne@3bQ)i44Y6Q!`G>GU__tZU)3Rx6Mfbrqrr(*%Nw+WGWjsD7X3qi@?+ z2@Oi>a~wGN+5$&zi{A*RDy27vwc3BlM5^FUYvV0CHy-Z2V{~yTS>TziRcQZhN@`om z76Wy1+yOVN>?B&z(}rZLDuuG)SV27$j3cSy{cXax5)DB9L*L1CW@Uy?tdMiNDlu@l zGtenaK~Nb#%MH_eFY=krw-m_H8-p1Z4dFujkPm|`y14=5u~?F}VQYrbr08nx>lWpe z$w0#es$)kpCdR1J6WL3%TXgke6~ikX$rKuyC~+L&B<5rulZeZcp71)uwzqi`t^)5S zFp*)9i4b(l7A56E2|Qe!D*NNAyxWTKthxP^Imfgg$~aNY9m<*i@ncVtlt%&e%+IJj z{tq2@);+#&NGj}xA-^+PNs+XyQ5C*)|37rS1yGjT_XbLLBO%=%sFac--AaRkbcr7! zAl)I|Dcvm%(kJ-| zr9cDmSzl8?6NJ^;!GaiX94hVikYXt{2pKQ@TYF-SNqi>?f{2hgr?Q;i^l> z)vdqFfSN9M4fE6a)O+;wc>T)%Rpur{rI8h&TKgmuf-B@sbg_+?ar*IU`uv@rnj;;T z4C=->Ms3)XxN>3$kT!IhK3}XOO1!P07|I$gp&2bZupJSlz9abhIsDdD=(RnT8Dof=2_DpA9;2Wm8e9oDrTar5CM7!SbS|!p|-J{Dsxax+u?uvVyRr zqKrq_BPjeqp;(9V{rLOgZ{p(VlfQyRjzLy~9)xDfT5m9@{`k7SV&aExJowU825oW{ zF2_a#nemPFEd7pF{y#U@hy9FrN1FA@+C5i^4d-@3o)o>=_hcyy=jiIJdbV`}0A?Zh zN`Bb=h4CXZMk7ZD;(z$4Q&Mrmf^OHK1*Y`=a@k5+Q(^+K4v62tIE|dxoaRTHulP_) zD~rijLhyZ$mvajqkYTNer&U^=<0(~BMLJ_?{C-G7=M{@-iIAjSvdMxMWjuU;I;Hg+ zp)jR51ZnIpqRjjJ%$>Uz-G{gqG57J#hqX>$Uz%vT%m4H7Atgsz}7g$ z=9oV5C09EHblGhm*(Y0(hL#I(8dQ6{x&1;+cEhw3&cJ1{cuYNPJ|UVsy9^I2C7(=Y zVV$#|;F(}I|46HQvou;>T0EO(2kNBPj70z&Vv6Uuq(2gWWVHnNcI&XD_N}t*W3IqM zS_Bzr)S)z8x5U+_n}a-7r`<2gGw6+y88GgHLc!~fv$`1?K3I^ai;02#?Px-RvQM}< zUw`M-TfG{&80LjLJ2mIimrDlW3>4$t(n~$ViNfomYAeGb);A$8Xy2e9i}RgH?iyhE z;3o>O6WZRQm{}NOk}0K8?O!f{K{g{An^A2LG!XvL@w0?31f#E`PhRwzKTR7gm$gBl z(-iBdpl`FC`t^7PqR{#>^BWqvof&4v>w|gSr{;X+SFVD}XG3o}6~9SsRDluAh8T<_WN- zZ;yB|u?fb$SbR?Lc=pr_d%(LSFQt(#FHl3doVonBw7$tC#qbVR%J}!o1j5X`36q9& zd5^@egqfg0*wP5;Pg<^C?vh!S29bBKK`xLWISO!bH?24P)Xj9H`&*Y!C49_WpR&MZ)j58$>FtAh z1ehvEyRTNiF2yvFj^KDAO%x@vu?1PfFO!}C913rSg_-M6d^JF%E(WV7V*e9{Ap4=w zbH%w5qn1wLTE+eomtqATC8$zE3YQd277UU4K&%YYpK?d7S-2P~M)lF)JZ@+3Fd0Cd ztc8cz+#`t?d_o-_!YoFvUZzH0_Gpz_meHEl+P8%d$kGl9Ai8n#r;n-O%u?ZV-mT-{ z9W75A=x{_LeOCdtk6ax=6=lobSodk`=<#=3ehA{ehZf0$L68nt#EWYG5JgDb%Kk&^ z%!!Ekt?2y>1<&@etCtJOMvVnA+3r>BrQU6MT7h=|udcS@;*=`Z130pp%CC_c2h#Lz z(O|PP80<@;9~BXkg{rEJm5txE2XVZ4Y!R4DUCQJu@ zGPSvwk076&#AO-CQr4`0Da!e)^SQJSCn-KfX??@7W2#x|DCSN8x4Q<*W zW6G%h;*TqYkpeW)`hNlsOZ`#k_MHBmCIg^c{k>5 z83xxU_@UrK#5Ny&3i0(TRKnz2k50*%HZYEdxvU-U;^sWzM$*(3pYUlw;WYm zDe;NlSGZ)}4-edP7}f6f$BPHgX|pY+z68XD@{fH9knu1edA6oTD&(gp`xZh6Z~CA_*RhLO0wTcUYL*jcS!urmJS-1!oCP{3 zW{fknMKYv(KlZQhI1B1kI?onr5oer{*Sos=dR721%UeAZ$!aSMY=_4k=O8fxOnP)8 zObogUooVDi48&xE5X_r8QzbtXdWcvQK^vvj%!rZ=yxZs3ifKtC_+Z$xzOU?4h)-Nj zx1QW6;nVjN0|Hd&@9i#|MS_m6TtS#xanxaPeM!n~>4sCF^h_FR-QQ6eAh+Db=92a6 z>Fd+AiH&kuNGfX8c6@CvNJy`k#3sUr4q`ZZ9$y0NWoE>Ek3jI;FLtALgNSFBwX?=w z%b?BD&T`Kg-QJkjfAoCM7bX996B_oTcBa0IU0;7HN9?xudaM}a4$#GXy%mrMo6LJ| zeyowAa-S18{^o<#P4f6*XK#G9knp{AQq7DNo7VkYcpmHN;11&TnN%&?+oR1CHXJyC zOwkQ?3cA#U1in3;7gwFOnq?tE&Ll+r@qP?pmJ2H;d)(*|r#CS^+~iOCq=9R_#tj)CAv9}*<_fQt-!+Q?lpE-2>I$qb9?Uh1DCdWdmN`BU2$ zq)NAHRzPVeI9;MFgujJyxCq;zUAVH)B(EG>jnt%kl>M|Z*9|X&$<8HXiTReD<-P7_ z!WQQFT{5mITS`(0nHxHGr6@nVMl_=xz$R{PpK%;8HaqsA(jv%1kLbAqOTI67xeIuS zN!ovxQBaV0RCW$ubDKTIAtsG{OJMm~z03T94gtm&G;=( zds!WqW1PKFjE=&CCs)RK9}1`^e)HTkJ|wA`j7hQEp2iWUYTzYdmPKIg%g7x}J|i}p zda-!c)2#rFjKQ!m6z%6dd7okE_v9US5d@vxejpWhxyY&|z*q9>awnq75e1hz2q3-Y z`J5&SWIlyG&VjcZE<6@^xG)q}6(B;mWpcYhwTgFC=8bD>RZ%k%^bj9P#-bGLYNmzY z%G8lc^IzM*MM^6NEi?YONYTJfL^5FZnNAasp8g;$86HJ-nVqy(rDauhfIJ|c;I%Q0 z$%AGO?2gHbpbBHS_hxat(_1a*F|7m0=|~=Z7FFH2L#X zo0-D#j~mR?Go*f%eGgQb5i54Clre-lU{p^0iQ0Y?7qEb0AjMlNt^7@6KDIU5jRh_5 z#E5l^Q1UF9IzsGLPwc@y7v|lcRBhWX3~}1;?%DJ=Td(|^e8Z!&UP7l^s1hQ%-=iBb zWc6LGH=vDb+1$NbPvyYvEgL;tL|Y!QvJY`^Ci6Ynaoo0loC;^>&csB`zm%#GDnYc z;glT%t4u#H)pf@gF^5*lo%%*dk8@hSEtM%MYESQ4?7g4(-DwiP@BW8YbPck&zJQz| z=Hk-eKp?K5B!fP*f@kUW#zP;%^+fLyGON3!WB!PrwEG3Gwg5ccyMq>Y%}<-WOe3Qn zt?T~bPFpPkXCv;7rJ9Q{mRk?@)OJ2w`{&u}@F^tpxK0L|DY{E7=Yz%|{yS)d=GnRG z#A+A-7AIEa7+oJLQ2XD$ntG>LZ+AWZu|2dnA(j)RqM-x2n{uh@P$o(KTDm#?G{)nf zTvo*2a3%_5KV@KlzLshNn{fAjGDlYI4YLSz%kR6cX{7 z$0gmdGXC|cll|mWZ-*CE^L)Y+2dM690WV5&@8D{0a;c3xp8ItQEg)o2uO}C2===0( zZL})<0oJ5m{r<-cO`k&uS&bDO)0V4Mr1h&Q?2$&Zm@D|?JEXyU5;b(}vAGM~=js*g z5Wbw0@5FUm#OAoikGXa)aY?6Carqhhviza~(K02GQorD?ujNN7shzQvQ>l*XV%J{o z10uo4_O67O*OrK1Goaj#!ud(N8k%Q&HNyBhg{cTBJ3pTjmEzVK`f&;aUH8lVc7b62 z$Ft2GFAFE?7j`m)*f~E6l_?M8$ph&8zE-v%Y8+lpZ8@Kd&t8vUd6Mq2StW+4RX2O` ze)v|+yWkDuN4W>msDShltlvrF2=0_CO7DdW=!BTLJ_*VFuJ+iOfS%?Wz(#& z2=chS%GBl;3quf9aV}#9EXi-+mzoi8&a&?sUwrnQbIQ=izdg4W>*!&JYh@kX zsdB|Du&wbR6Vr{scF!gi^WjfX8R{09yA$yib794o*l2-!GSbg7`o6Fw(Nf{l69_5; zex3YOc6{Cu+;43MR`E7aaR4qoe)FIhR;ri=WBW|kC z`42l=Xu0fKYAF421}PnS=kH;87I#GI5n__i^Q2VUJSGNTp%3@l@k`4!LRXy3{O?9L zDqq>iOIJ68b`T=xi?@IUxIw^n?!9m^$g_A4h2M8px?g6!xk%j|$Jlso)4n>voA=W* zyIZs2yL_rZ#>n1+5@1d&3}3W^eW2tnnBmVeNPn8sp{e{p$ zCyn+nQqy~<8cDU7 zkw@5CABfKu^+Bmeq5avOCiqtR?Y*$olq89c?}*TVi%R#3bqRrZdW++OW1;~Ugq}>w zMzaTGyJ$zC+zloHV_2Y@s2*?oj8F+M?rH``WobP&j8~OEn+I#qNOmGz&fKWgyjA14 zipj@WxBmj6`!u0Czfo}sLW0S->Ne?-b>AQ8sf{Uik#4BnEQqV_w!PT^xbKoPXdU9G z3B9tR`#IKlYCL3<^mEtT+eGKoalNwxVq~Mh<{Q3JHQ=?ea5j%8#R>6=KGqNAbvF(nbf5P#o;Q2h(wSsjxUM8eF6`jMyp(zy#ep?pu>t*@eRfW z&0}@3Ke@f#;s8%Q8?`}CbiN$vtiETC=u5_*YujBTDn4v8s{6!@GzO0-TgYDQ4E<{O zd8!uBnl_V!q>}7K%h9Q+jV8TNvIR&y>G%H@1^D{QKhiFHO7?{M=k!*aHzKE79aZ{Q zhrQX0tDQ3CLN%5bmuoSkpyG0PvP4U{#m%|LA@^tHmCr}(uDo5I?`Y{@BHBbWsJQs+ z)qvh@k;a()+rEq$pzd%Uj8(>4Q{bU`eQBCQhyhYOAA?1&;_*-&j9%A^HdvvSpIHfV z+J29ALCdXtZJT!GI3Qstdw(90R+eeUnBg`wFXsJO5Iv~MzJ!WQmO!`P)a#|a7lA?h zJk>nr?jpj2Cxz$uNfvKy7;mm2<({ZYO)so(z66~!v})}~U%5}2=nUeA15oJl>C0dI z?+9D!78q);v2tfoT$>c1F*G6C0Gd;@*UOLJD467rIc0_)vVbNekSQ??Y&H_%oQ8gO zFx23tq{|=vS;cl=1egN6Ys*5#Wz>%jj{4>E6Xa?B13?kwEmY?^RarkVu z4HLWKH)3O$^u#Ks0#l&Q$rpd6%x`sl@kbAjV(IKe^ z6069zGdr`+<+F9qDy&u}$2S$j|MG|x7>rS$lM(=JqOiqVjYFmfm7LJc0=P!8FRNZF^_riA-_MkjW_CZ0?BfBnjY$Ci`e zW;t)!pG#m=WKJ#VuXYSK%>4!_<>r>B+mM(f%l?+&Nc64`9W6hfy0{dOvu>OtfxHT> z#BPS39BJOaImf5atY&mwKJ$F&OPBw~o+}Dh=mPG;Y*kT~bYoKf7b ze@g;?kv@6jC921Q*E)89Nvm3cf@I3^rcvphgc+Dr&7wdC>u(1_Ck|NXWbsV}TK7+( z2sd&8&D^fludWhA?a+94E#&xStG3`SNM^!*U?qdqW z{)DS964b`Kg0X^2QUdAX06h=i5VrrNX7}qyUrp(n87UVu@dNLu9&$k_b+y%u|CF7;pdq8K4^jWPLtd`8XI z6g1IPCkw5ebrXJz?t7i0WYOFBb0w`*AqTtD_{?bdF+Um~5$UIkMB6{jNNSE#)JVue z$zzmwVsxEGkA33$&ko#=%CzN%dnr~g47n`l`A)aK(>J#G$~LTq3sl`;WlOCSBQZpX zmuOZ~%<(+($AEt-^m!*&464LW^;o2;Om$^beN)6ULpY&~@D%k*oa@HmI0X0YUGx6D zYu)-zlhDbPg#*^a9o}%-9Q)_*E~7yZGO;&wRG>v1(#cQ*znk}wM0O0h2kbo6-6m9c zJjGu|X}C3ujuNDwq=6SkN_jz{pQ0bwvyGf@YkPc4zx4@75#mI@Yi%?c0Vb=BG1%?R zawk_acv?;re*S$eP3`VGz~1`ex;cmtlJzQ{O+nay=8T!k+GxfaWrCa}b6Dnjo;hSg z>fvpeSnGvI7MeI$f4ucQd#0Wghw4QjourKzhb)K(GuQGs?4rpvi$Rx zB$eM1;>9tTD56lM^{l_FJqad}3fhBTesgf|pkE|@+l33tAhqi_8ixikaroL)53Jz* z*g^C2r*RkiBuFgWml4md7mk8WW~^x4;g4OQk{kTHF%ak7KwMXvplj6QZD^T zKaHyj#w`o+$_IKP<)%_(rlM&;Aq$zxy6To^nr97_--2!YJMu#AT!DVwrOv1o(3R>( zi55w;r)Yl&drP3eL6hpW^GdrP-~G+W*S*2SXQ=AhAN}YXrE>RFNsK<^f1LU7Qg;&0 zUijB)zrW5qB7OjJF8_mxGvKL#`~9imDMh>)_zO5azgaBF8l<{WWM9&#q?{VhUVPPR zkx_i>NRcOOIt1%iALgYakBy|9CPP zuw5V}P%@or8Uy@nlwfDak7x+W-ITr{lmL!=9{F;{wuC~Nn&rHB|0R5-%rmfNUk zJVi4^43K|E_e$hoSI`K#7ZEfss806P!52nTe~9v;gm2slK}+g;vc~u+P&V`1aL8qg zsQ%_|dc{>?{8#S>rRoo{;{-->%RTQs_Hx=c(>BZU?_b!=%v*^lGEP~04M|+Es+@lw<79rOZV+Y6SeD(2XdZp z*7?l)U^bV8kVDr@LK=iu5fvhR!7G;^ZZR)TU+cRM%X$u#T3gKw+&0aZsTo$uj`xaI8;5FUkOyuoW|`MDO#;V z?CTi)q6%?4{DxXT8_TSW5Cc(^O6K`MG57S*{;dmMCQ+V;jdtNfy2_d_*%4a@5r63+Rka9MMI5L7h_cy% zX4t*kQ7+NLk#l9f2@HutXoz@iXV{LOfK))Zy*+1)k!wsME;y53sQ{+ z#4xf8;Nr4}1|cgCCbb1n1Qstj8+&Ycc_oL?c^j#`(QuYL?*$$9=YwJth29PK@O9cokk_4Vry2Pa2>8h6$rsm50%s8qmQ z{`0Z^<@>9h9$utU%3l_49(&Ex5BaL7p~7ed6MXq2h>hNW{gxg!;>?-?+TIKg@czn| z&e8sXU0{o2eTsM3wbM3R?7C+A9AVSmfu~IE%ez{1y}bv^^E-qw{yGIY#<)bE6NS?`{r$5~D>&R26UPEmq>nd(ogcLMws3CRBOD#9=m5L+$V0NmZ0Aw_QyEf+2( zt{s<<3WjIEhz!2K(t15X3c$Aq2R|!Z;{cR!3>&<>r}+3SR48Tia7snLJKJR_W(2jg zjy?agg@44(m-Ik15+-Il=ht%rbtF#fOoCX-eHd*+>}w!*eT}X^;dsSt>HLscm9etp zvbxrph~vmZ&`xz}`|9329_~Oek)A9;8czYL!G(Px)y@VFoue+8`|;zEDhVxvMC_pS zMptyQ2t$RaS-(kUtOP#AE)t57LeNv{tH25*TOl$t?k7 z<3eg{(2JI<07GD{cxrhfTHYBSMeG${=1TUatpf5X1?~g(_{Mcb>Meex9PM*Hr4rFK z{-T=NpRblXqFmBTt`W|XH}~}v413WrSfYzE-%j@vYw{*KRP9hHh&7I6>-@VMcfQPT z(}!%Y(YJ({*v(I*JjQptYy~8BaVLIngd@bc7oIzBN@Q3cHQfp?DW|V~gdn7*2fq+% z{T+H)y^We;m$n$c<~CjXEPqLFa|gXH7i6Xg3}qFb$l&8=D(@86Bsvqm5;(d0QTn;y zlTXaY9sy%nGgspG=@v+zYP_k8TR`iNPVrMv4{WT6zCV3uA&Akq$u__(QX7!&9JT&pHl`LK+ThPSc9(Ou>}j4 zF~W%Px(**85^i{ylcUV}mw3fFN@$Qy{Dy0?FH1vekU?J#uPwe#bD}PHuBOubB0aes zVx4_zWOa=q;!Dorp0|OsV!Us)9nc24Ej@lC){#W*lW7-~gDpd_J@~)!vV5eIZu)>NQDEm*d9U%h4KrY+0H7{>k}D9 z8R|OCi{g`mbom~A)DQm>8+wo$)STOjaA-l<*76OfCzn&q?4(im)yrIwGj?~DHyc@A z`|Bdhv?Ym{WO4L{Sb$2-25{ovC_W{ok%YMgq2e4 zFI1MC1d{a*LDP7ehOEP&In(A&ajN)oYlYs*K^mbgEq+Dj?uL>`zB;_N87^_Mn<%d-(n-I0s9F zmQc51y_{S#y+=qUT_L|5kFLFO*A@Pn0?vK z$=DVtyZAAHklgU0Sdf^{`I*rx{SL3h>C?3yXC(>x_dc%`P`2xA?q4a}OI#PQ1AM)J z-URipQz{Gk28a`|TSm)=0btI*t^vqb^q9ZN=BrSX%q2-m8dT|nV)wf>iNIJ-gYN7$ zy;rHJ&_gq;10MaslIKO%^>m?rHH2g>X(=%sv;d~7`RFqCKAS=)V?;|#SGNAWKb1;Q zmmoa*C!g2s{#!H#@oRRUl;_dVSEQ_bWo#Z>)a8F8W{6BeDi&ipT8p&RD{lzzK2`$| z;ih?4(j?N|wji>W-qnkdpE+uipd&YC>WCongK0KhidXDpv-ih2CNcYy)vf;xXIwI_%T(4A<0{RgnSX z$vjqyl9!)sepc(4>hRLsr69X>L_$|ZAaiB2z73LXPrjlM?RN2`{3mAf@DMxPdSTB* z7(t8e46`lB@68f!Z2Lh8^V|tW(K(Ex$rQ``r|=$EfR0m1+;aAhR}^^A;$hCj<^GU% zfNC^{?0uM4;D<8y%1-j47%Ztx;My+?@O%F8l0aw%Oh#r;O~v0Dt|zywihB4lqKF&{ zkAGNT*^$ON77#p@6@$nI+5P$k1?0xT%(hu-c<1BR13U9rBdZB@PfBY5FMG3HZw;?7ppJgTb92_lSF{Vny-?0;2Rkl zXS72upQP&0_h?{xnb~CI8#s`}Ghy@Fc`el!ccxry`r(185;AfGd&sGZWYr^Bw7ue4 zv)Wb}HeCzFb{NqM_j%0Y*F_eRf|Z%73eAWI1zs>{%*zp&#ip-D1Jgi}0+mujMKYG0 zI;wAx@hZ(rh&U)V-W_9*GMD`G4OVnMt%~vos}+gmM#odCbqSvo2@Vo`QVD3Jje_)Y zQ}Np5O7~XRA|Uj?(y_O}rkTd}aE{i2NxjNNaTJ*YgE?Fq2?ZIyXr5ZEs1!hwL zlJBCyQL3Wr5@AX*nf26azeTmcC0Ie%NHqzZP`&7@V|$ZNW{3~&koZ#<)te0lgYZdV z4n$xkLi%Z7;nGCfuVn#>nD}qX&_l7X5C5o15pdYN(;}IH)PM_6R5pu_{Yn^tIP`nK z^f8V|JAL9n>|I;;(itJLdmg;0X;gmp?BcMe_tD$F$Q>T!+211z_gSWGye^9$=PxLf zGELTwoGZ?EAZ<+~_EGfO7fiNbE;Wd6V7Yr7f14ge-uLMICgkH(2$SqndiCczuKOSD zD;a)ir_FM2>Tn!$YOEWg4Sk`xByVDhR-p4u!9Yjyhf{o3pcCwrY6j}V94JlYA?5DJ z=hHW*FLw1B6wsry!V0rhTHi3wT|Qy_-9(xRiiOGMU;=~53=mim1!a2$h1RQR6_Q;w-XHT(do-OyX?fE%f=Q31nyxUJT)-b_Mr* z0Z#n)x34rO(05aApVcVd5Ccd4JD8*}#U(XUx(Q1{y{J~7={-1)f5!P{-5UDW!UH@A zjMeh@)hvyrdgA9#$|~%KVm|61=2NA4M#*sPecJD<~7PS}aM2i=?CTxe;&yPI&1(;-iU=JVLy`a}*7jyG+plnM2$J z<#0CDE2W%cL#>#LhMzOk8B{6EKPO{WVwR$&bI8U&bj?=C^bVImID+WgCwb%2UFgMI z=aXgifk^7!J{#E;;o&uo!8znHpo*I9-a8B8l*|UxCp*v@9njvoY95I(E7d>1nE2wA zmH%42A`g;b91;^%reWQZb9s9Q+O{t$YWVzhYn%ZLA+uO5Uy}%GRlf&=l6w@;1j2p< zeijFj8UmW633#=zy+B$1B^`vf0HNPcKu%voI%H7PSX; zW;9AA-i=56)wM3196KLHcy6uImj@F)(=gqhYL?BpV<{Cz+cz3XdnxK6dnCr6yT2`) zblfC%OgS6Y^gzF8RtAka9g(NgkZ$moO;J2=b~Uw*_V}Ja>{4`GYY$YR)~`a(R6lzy z9e@gAl?huutG}ue^!D-g_;d9-p}C+}G+ZjW#aql`tvq2#y)O>?stBd7Aa=e#Ap$u0 z&Fxo@hD;0l3@LFM*7TjIcf3j;Mh0XgUd)_A%8h)4@`J0rvT~a=49SU*ZWaqvp-L4P zRidEcU&HS_XoK*4Q97xPRa`Mt;u#BLfPV-{oh zhu62DN!eIE5(JbJ1K4UA*42%qT!Xt5XqQejVQ@CRO?Vk1*Z#htj1B6_DT2J0L5$(o z7jNpxvg`{%)M7Ci+sq&Y-?{`E;4!q|TBH1ZwM8KA!{KmNqgOP5j9MkD$~Bg#^SsNK z&(A+W-vq)CdHTB*B780k5nASs#u`4{pM z_A7-e6G{RO!av`RcpLQhaDGN-UNn?{7n|Z5i!QNq2S$YDk6mABBi!6Y*O~W3{bP7wdQ27A9@6K1U&_j<06P~B z?NCY(E~Je%(hC*TvbHe3h*V~{7kNr#Wa+U%RCEXi=SBCO@Wn$3me1p%W4Ryx9yr*a zXt1IOQ6PhL=@FWg9esm7%g|VZj5Sjq+(GiXWkRKM3-pmb@xwvlBwgIzjiz*L z7e{&()wzUtjju_`gZZ;8ZS_-)JM3I;DqI9&;DFaM6{j{JUEDI-Po+Hr4Xr;E&47&oVOTvdqQ4`4+LYmzK^DeXR_Bp)87wkNm@4 zowL}yO;U$3&zd(HCYz;_wK1_3E1<9vu8Xze9x#eLs|g-llblP!y~ANK7OVnix2yUt9Pzc)|z{ zJr@OR33HV7IWK7f6OamP-fizD^d1LZ7w+y_Y?&ZridIiVmX4z9->7T}!kwZ1yDBph z0v;Jw^;2II@eBhLq~jE@qVr-~K^iN3>#dMQaU+C;G2%s~?jy`a4+#{5S6vFEZoA>p zHmd>soH7a^unHHSPYBkY?I4is7eeM9Rd;|x7uBbRZyou_drLJc3Wp@}@2{N}@5fEH zHeHm=RyRIEV^#rV#}xaU8WG(b#FW}xmx~RZ?C0IK3|km+W&1>pb$J7w*M@e zm=EnJ2O@&A0vzGl3oCuKkvOj<4{Dw_fGk3cHoG6@Nz1{9?CL-O$ztH)yJQx?>0?RP z3LnfmYsMpMzf)-QSOH3eB4AX>$sL6o<=>49r2exy*8g{PcF=Y!xAsAAh9*s| zmRdY(XNXOzA$2eDn!LTB0K8|V9J|?p9N`fD`97)rvN0)mmKM(TD0IA&H299ku7D z&*>FL@VIuLmJr%ae%Lg%r*%*qjLnh`eP>T%6P%H zLAe<-BJa7ofNOt*9Qd*;H2tj72*#JexUgfho78|$X16D0jZsIzgIVOBxNNvtq?hSE z@Zu=UsdeGN)~LNRHmKJLf+WNsr93(cGQ_pU z`_h`htiF`ku|~d!h6nGnFEdqD2eUY zWwIY4OHe<9C%=(86`1Zk*Lf2s`WDwa9lLOHHv;1F)<;qt*t)3j9{qPl;1Ha}XbLV- zef^7Z43D>RQcprm*N4WT1EI*?cH^4O0!k;SSE>`?LkKL?exKmb_y`Xhmw%afW9-2p zDAO+2E(K`fl4sIRCEqmoqBPowt?L`j4}_!Ciuq8YqG2oVpdUig(a=`BB3`ZzD99XY z>3zhS=iIzzMZf&Nm)efNYc%q`G^E7!itx&`SE5HqC0B>A(Eg=s;bJq<>%Gy~N7cpB zL}u#pc}tDXklO|~#69iu;F^&u@0zCCNC#HUJ&nmbNfH&G#}VT*)XKzYUS7UlOUUYI z*jt7l8DOue^PX24QZGo>`^EC(^!H^+X!+`@i!@@m0><@YcrcvOt2JH}1GC=x$kx|U zNW`x9tAgLJe@+q{T4ywzum1}IvS4Y2{E72cqdEK?y|Gj>tbI}L@DHnn*_PLK=q0Wu zOeN_Y13Y>$_{{|~1sCANzlN&YN?$>H zr}RfH9o?p>Qjs!gcgv7=H__o~Igl#MzhTk^;^-F8;{NY&ZP6>0i}?uonlU1~+l?KY zL&j$z!cSJ^QayCOY*W6!5ZVZgFw(T|Nv<-zN_omdrfW-A?Pi!khL(c>k9R29cJS%3 zFN)qp6h8y(vdLKH4}re_ZuIK&eil(8aYBtA4k1UntF&9jn-096Qa{vM>>|Zap3{+5 z4LeA_^^+9IuhS2!Z)+rwxIv+8mwb@s>^JdDN$Y>wlIGK>egO#*XhybY4CQygH%jT&5l@kLNuKt~RRTk9Fdja2{%MET$EtiM zRVm_53nj)tJDTOxzo%w#hW@=1(#`Md!xxHg9UgO8Q#B$x&wNUZ>7^NXA045(8>lU` zp}8E3&OAdgqpG+xV{Sgk@!~(9e z3r^uA;r4&VOoYY~=~I$t>?;NW^i+;nJAT@?^U?Lx+fODn-io4OyQO?@S8#my!&}n7 z#tQeuT`d|5Yfg9mz1_o#%-gA2WJ|3L@_io>p?~h=qjdf(%Oko!r+scACZxZ~@3Cvh z(tZN1GVYN>xkl$e^>SVVVLL;%ws+yzoo*|30ak{7Vw}`)Ga$CgYJU4lFK8 zdwd>JPyJe;WwBcZM-I*Z?|y!(!hDJS$6^*c9*>a^vD4{l*Xlma^d8^PjEvWk&y8$8 zD$@)fwyT$T@LJ$eh#wx=Cjt7`)v1weX-I0wD4!29L%pU`+qT2`_2M)=^xmEO;k2%& z(IEftYCNF&V@kDaN6S}o*`YHT@1Hf{(lPm9Md%FrBSLf(&e-@=;)u?H-g$uslo&?l zH$*#Q^i+}g>*j?|wZWrp%dd%tQpjW`q)4%Mr7e_n7^;l&lY`tIxyhMUUlujagsZ-S~$JQ9UIy1bbu0C02 z8YoY>LVMwfC-^>v%oyTjvgYnee2pXQT8&QmwVh{aNy59=KiS-YDCYALS1PFvFVdZQ z!2|W(Sxty!hqIl#V!e>tItC4Ph3MqVI^2K#0yu4tDYf z+FHk_B2D=y45XLnYvQdVLMVM9q>(!mHb*9$>`9mI1Jia(gwpwZtSBxz^Ho}%KdQZ0 zNJXI>3tIZ@%n0@2W+zvagX=|uX@z)2?c&58-v&-Jy4c44)4X0HnfP9#c;cBW0k$D9 z6TaP|c^|!R*LLwL_S#Zb79E@Nd2DwW`TOL}K>F~E+C`TTGA?L__C`d!LdF@PN$&WR zU_N=Zi+!MqM=PexODQm+ON2%iP8yO)-x=k#)Jmuf_BO=KBjN~OGk$5*@*9}T*N$`;w~Ig8Yqe@FlNK#SIRlYZ(XcOPeK4|hE1j@Bx|9Th zAJO^rl5{%qggz&cvJzwcKlYT9%#b9T_If(!(O!~LfS+T-uK_`q(+ox7Tdu^-&}YLL z@6+Amcr2zxYUgb*<&$|>btcc3JQY98)x2hN6}_G_oywZnJ}vBlTc zLGxyuo|O2%4kR|h^mn|kl-OPL`QyK?mt@b=q&gJxh$C>7_T?KL_Oc3J7v+tQqzNWB zIP4|e+|F6G<^sZB?m_eKS#!I|x9?fvn}1%hRGFNjZlB6aoo1P2U&)?a>xe{?i6G#? zd2@L)KdH;&7Xc##TRkCJV+THbLVc_QVzLL2iyCq%JhJ&wvDpH=$RMoetMq}-UGX1E zEM^ej*Z9a@!G;sPC-{gAa4XQ@h8a(U&r&pO%ase zT1&=wd66S{+$%`rF3qvltXweg3W~Cpd@+il;VP&`Rgnzw8jlhc4Z_lP1@F~`_`Ant z#+_;Z+TCE_3u8(r%8T^u3C9)ee|4hBDY^)h>K19`SjjRq--rt*}@orC4swCOGicTV!9SbjZV=r4A8*@PP@J8DU(R2os!xD#dM+4ZKtD=1B7UE zNEAF0MuOMUdnx#A@dsB^PI?3&V0%B-Pr9 zw8{9sGjq61zx})l9w!57(V$+$RuuNXuK6}pG{z4sOBr= z-rZii(jjJkBjhngfHy+Qs#-QH9^-i6ig3vQ7+%wq^aMXHS1YXC;)%+Q$bWo%j7O%; zgA*MfMH7l_2gz)EWU)p-X2W`edf7Bsjp*a32D8flp#j!RaGBqf4n`Tdww^!#QdgHS z{Nh9|Nzm0HsZA7>QsT)|yWQ#UghUjnYv|-py}gvdR)zlb=afe}mWP&W^i+ zT^hG>2o_~!JESlwGvJ4c<#sY;rgR#-)ZU5 zNa?|QlbVr^$NF+%pA%=HRj)QeMqdJSvbc@d6Dod)zi1A#pz^-ciab8 zC}H@S$Bk3NTJ$UJ&j#^M9Rv5-?-0{vmkK8u5v$!@6RNaQHw z!r(%468;--#Ox=A`KQXUQc*7#=JQz2CjfSD%&_WL6ZyHDY^kuUqOumv`dy+a#Z2yO zVVQiZr&%Q2DI>|^6f zVN?LTls+Nwf7!O*%b?nbp!R5A3aZ4S=t$Q1J|u`f-);(V-TU7+^zvds5FHZkXCw&n z9e(MQ*t=dyJ(V59)65wWm&VPcQ~i(ad6cbNWAU)sY~m%0Aa$(^{=TaD z!yJql5sEZ+WfHQw+jh4W-x*JR^8a0`COkB=JNQi6B5u1bDDzB9^2U$e7vWpWi5*|M zD?Y@|dd^mv+70t>GUvLVewW^k@Vv=Znf;K?mU-Y3OV!hv*kDO6zh0ycl%v2(+#llt zWU_@=!34YVYJMnB3@;Dj4E9a*4`{hAti)sSu)GTnOqMl!M4@f_U-hpbFOmPfYQ2i! z<`_EI5jb{G53^>4slLy5HNJh-Fb=PbK z0

        y4ADr7y%j^239j``i8?m&!dY zr^yzS7Bt$N>L*9)U|_L<0epjn1;@F%SwQUGA5?ZMknROJ=2t^uBVGh>*{!DK{M)JJ zer_-a$V+KD^#AI28o9;{6H~R@;nqbztZ9CZS=D@=kz|yAQm2qy<7Mp=2qphEKUvpW=%b?L+&M~#H8Mhb@7W0=7m$AuyuqfH+50mEp(7hQ3(d?uP zT)_4u*=Wr>QOrW#{|$m7~Ed7^BkFrmuToItL=4|DKwzV z__8dCh{Fz?W`TC8>NYl`ELIJrMjn?`72RG&O%Tny_~7AAhh{zlG=+bPw3_p6%NXyY z^4YsN;rYly{R>};Uo^E`x|nVt5jNzmEb>&BT4KjnM2-xzL|OT@SDEX4d1uxs2RAf zYxu{)`?Px9bQtFA?CCwh#`v~IV?3~yw>3eVpjgeXALd*d+;pPESyl8-UX_EErOpO| zV}rtCAKyklK2&Xp+_CMrr&MR)^e`~UEQPwtbT9Lbj6>LPsk6_+XH)uy&#tP_WBd}$ z$wZMRDaU|7RAl5+^PP7aqGF0S`u&P_?$f`!{ciYSkeigCQ>MoP23sjz+XI+N*RI5a0c7vT$;CCO(&8eSV zOwc#l@XVuA=A5|#TUCyxgypjX7=m^3`Nh#m9@+jt7>`a55wzwDF#7Clyl?6co_K4Sm#_c_KLW|^ zM-$AJz0yN{^*B2obC50}!nw}2LFY}U9B#8KwZG^rcbE9Enyakn*NDa%TOW|V)n zFPbDj06*jq&}Gi-M5$&1#h*+vtUr&D$j8<*puLuAS4=FZ=lMDO$9i#>{JD*Fbs)Mj zxo0m`{2CvuKqc7eE#2+U`FI7F0;iJ?piz8tr$$!Z=fLCytLJEh%ByA!L%w}Zkm}Ks z0n=}~Bl3OzrFHWRsp*dE#scyrB1-`fDhg3{KI~$^kWjc&b9+qu!WG2Ogcu?6@r9$S za2$ruoOo*t_)&0R&+}Jg2JBxvuM>B2W(1;9ZHsyE9wxyb{l8>@X{$8?#YIf13qc8IMuNvIMe4VQ+v*|cOrK1ghG!&R@yoWaikuFslPR@fcGtz}^ zT7fvbI;NVFA(TXP`bfBs|M&W~)A;Z{)LO)adDDxZi)X$my(qL`BvI*$H3$jVD6-9| zuUsS4g`UIV;&XPmidIZ8ZfzxYoT zX75)_NrEtrxtuZ8Q}gSLX5(TG(IEE-wmz{&|3v7AxyjDjmvu$_x97@lK4zcOQ9mY+ zL*(c4Hc$Pm$ms-={so`y@Yr)SnL=M$1CS1k?rp*h8kY&|msWs1hhl4}Q$K&7^-Vnq zRe8yWgbB+Gyx|poE`{@bmS){^_Y-C7D%(9?5qHJ-w#ZarZul@Rv-=e&qYyC}tGNK-K)f(?oTU)Eh)Z(PvJ*edWx2~~N zh>q`b%{pIdND6t%^_zEt>{71r=o78CL$yz$`S~AoX?J^GSF_{8JP5%i(sr^_-QZj1 zZqL#SnKigh+PRNaWW5}6J(KFU$|I!PMZF|1X=hPy7c72V!?(?+uiyB{SDGDZmb`mD zWb1O2O=oNy=@6kZ)ukauV=Rs?kz?{WA$9qSc0W-BG=XM#%aZ7$fpN2D6I2N4i zkITlz>WG;upO(=sVzm63;1qVq?tQVD+1Xc8;qox9$E>^>GpE0v5fX+elLOTRLVAd* zw}`0@PD5MeY*|chKO9!smi*Obh~Tuh#IkuYq2_R?Ebr(*YA(><9+;O&x2PqFJds93 z$I2lJvP@dYTYO=8#5!eiQt7DAS2nxtTIqjUtD^YswYq5eGRmv|Iq!uSNt}3j%g(2k?Z2uQ zQ5!{J6b-3$Gp4revKG?AG%tKgH5J;|jwcSQA3JA_;74hrVD}wjls?#SFUMp&9hbj! zx?te%`zv8aRMjqpw@(%t0MB#r46lc$4!33xeHMkzCHEGaysAvfnp?ihUa$U70kJb8 zKca8g9EJ9-07IBe9EYc$up8}OAX-&(*qkP9N2;D+W!&54BvdT)8&+lloNt{xfBt+w z--;HfgC0CIS($ZbjQ=josoa`9(`E)wk&9R^?V(==-XYhJq>klZ{Xj1J?ruBYtwmr) z!0Gr0n)4(Y-z&mZB7`XE7yI-zK@fb>?f;AJ*wfj!m^S204^;Vr|QINR%UTF>ryj@uA$598*jCwR)F2vA5!Di^?lr z1$|m_qUmBSMxwooFFt*bd%2O)ch+5xYJuazDtgrV{r!d*KG`}6`y3Kd^H}elg$`-p z{s&enL+D=G&61t*@!Jdtpn!4n+&cxu$D-H5P;h$GDo!0T2#Jq<$>UA#| zP*217%E^^~{OL4xnG8u((ZBWyAKiG2T#Wk)FSLlO!X`eueOw{F!2aNOd{Aomi<;=5 zz85tN^r-iL5F)8!*M*#uJ2&iP(I&(n?HKBAweVrbuc^f@P?B=HIxn?8snq{W9=#B3 zEmM^PbbUS)5ylZjsR>bT-47V!t~=Z`3GtGcTnfDGu_G6Md_gW-cMjhH5aR}9^^xc` zt!o{8i5^MLi487IyU$XE6Oe1#GLzzP4@Z5+zi`T;{R8kx(Kg@&j0JzrB0%^h6`8z8 z+qR#{T>Q2&^qycMmt~m;hB-fhbOhRZt`RlG%^ZHun!Z|q+3anze7%?mw&s45{wD`( zUM7kE(b>3xJ>fN#VLA72FqlffHYs@T(Sn~T_FB#-6uY$XO6wbJ1jAkHi@3O+)eh`z zWpO^3)5#$;_+x`9{*f-<)^pU9*@;%$T^R=u$N}1lydAM}m+KFf+&BO}PjdO>w>LR` zyXhN7Or*{=c#BFY$z_F4I9l$@d-i&n1hlsK+!_%%Lv@xDP0RL4g$*^cCMzV;HuhWk zoFu5@IC;{_Bk%L`XxDKOi2>qJb3jp~R*A}2|CTY&VE+}OMG8c578@5=R~tho2TDgLKXqU07OR<3Z+cui2( z{8s?FZt6iF16oo6ggr-JR6>k0>X7>(c-*3AXcMKcHsC5;Lwks+AdC}eN(1e=pw*8? z1q)ozzql##L^nM&2-vTqx;D48se@4Y^2G-hBQc+=a?`ob3|PI0IrX%PF>@qd*EfYq zs;)=<^{;iF^^V9^{yi1hKB(A^@$Xg(K#vF4W`|14_}JN|;!%I^VuB$nohm*D4-D4Y z9@Vke!{@c+V@WJR{*&eTVdK^EIRIbP%o(_FfslIrEEnsuvoP>bGn?g7lLZvUg_!}H z$0zCl;_74$0=jpO^E9?%#hIb4%)GpGU!Xh0U7tVeCePpvJ{N}G^zE+N7w!waYs)?S z8Xf$zm0F26FzQXqfNi69@3-#tz;tr1?8Cem;(3Tl;#Vg7Fv+ciD3zQV)cFuGZu56u zZN+dS+ob>LhSJ^<2IoBn09BoM7nRrkU@?>N_I+#Ns5l*gC3>mf8W1Bah>(!!!*O-t zB>FdJ9Y2MHzpaX-b&CoauB8_yt+Gvvr8=%FRM>_7_(P{>kjj4QDZE$J@s62N4>syP zl4sX;QlmBU(@yiGJnErErO#}NU9^u>YC*5quSC!MEeuQ&qjqLBATQ6p9n87&HTPcv zKKlu4xMi5LGqoa0m*)`GAm-~EVs?A(ZGxx^bt39fSuByhLeFp3R80qXSJ%3EIj1`M z8QJ@8C%Z^-P1^h_SnYkOEcv;L7)I2tW8V|5tVe#t$qUafC@>VvzcJj!jJlQo)aFX{ z^>v;((L2smxeIqbns?+; zPIO!t#tBg|hnAKO_D0Z*)gz%PHah?wk8z{y^Xzx3y ze7T;I0qY%UStiYAciGq!ipj6by^U_e?Ft4Uzich0ODuY5z`9%IE|YOS`};k%J&^cYa}JIrmPHqpU&Jjyct2&m3pg&OWj)<7mCI`4 zs|c9I9^X3eUEXRsZ*30z6^ti?r88)>uYm(k@ECM`U?QvSAWSyiUtM^8>5MRfAx@Pj z&{qC;fbo@lQCyG#;$Jq1q5$c$XVd=-bj^m}6lMM=d-%cT1p9v&ai%#ZXz95pi$lkT#&_INcyq3ra@YeO%^zU!7D0KU`tU5ikXU zm_qVm&}>`eg_CULEiVGM@3vn5)4_haRfWNj2F3L!5nbzXmD*NM zK%nVyq?3DQ;G@LdKxy(lZ0-;F6luGzb8Z9+EIq#q3@sDkdNP1{-K#)gim|8Fh}eBn zqzW~a(TIF~H4#{<=|~KW#fXP1B}Hg`G@@}Buj!Kh!oQr8=|xG75x`5rc;bI+v=hA? zrsA zfb!KJim@Hi`kzMEKbmRjHete)EqS3_A6oEPnV6-r zF7p{mrbC`lPD(D#W>3kS8uGr@evS*lt?cq37nYowx^hj2&i+NzPqG8{rL>Y75mmgC zMeN1+!_^^=`v;NaSh8G(9rr^Lefc+53CVifQ7)d_@!u(Qc34C?L6|bvuCH<^MFbEz z|KL-NyXF%(n2f6YNB-bD_daiD3I-0Ukc%9pxR?5jXzRJt;_<&5B6+XoLG?@4M8}bk zN1p)(?p`nFgu>C)M2*T$pLR2#XD{24^;}I8KX&hH+{LQSodOqaiN1c%m=2;NU^tug zMFr8qVMkN7L`FuzD`e>kZ62WXec?Yk41)`f(v(^vTx*6sFHL&cUr4tJZ>+$XwGOI;+ua+zw1u&(n3#@3YRrrt*x ze1?ZC=lhfJUi_gd*Yb*VU*c^)2)zu_bya0mVn7%BZgA@5^FrK%5kw3Y1KBPZax&Rc6wXwFI zFWSmtjtN?tB1Yo=)zr|g4#5UqY#opGXy5zJKqTsDJ@!^rtzb2SLIs{KW{cdsyKd#OZe*I#GIQWJn%Q`aUbrPP%xn0P_F!_} zT7EM|m3pzvOva?|44Lxwy99(J`%rJ$h|b*SuQNNl$g9n4QfvIr^^MJjRIHd}z=-L& zi5hhkVZCldr(Q7CC;Q#Z{G>b7mN$r``c@19!^x~r;aS)tQhh9+BMy2Pdw;}00z1-i zOvCVBHL{q4RLR13c*$SnNCuV=w(shE$6%6)s+V9_+5NZa#@-W=?gy$xBqq;A+Au z!_(-U#olTU?30z*@p{g&Kze!I{$R?C3Tvju&)7hsgn4F2-dTRPN{iH78`}kX`Y*HF zb9CL@0Dq1hDm1g&u%fhq)wDyX&ey8x24I%ma#iSnlthHgf=i~}(Rr_Yd~yc4xHxa~ z%h1Om*M>XU=^@9BM%VANA?m)jlhd<fD^kS>h)2Tml;K!Jge8Xx=_$U&dwu@93 zaACiFpkQ8cNza1z%U`UTU{+uNC-W7a{G1-~>qX^NReyzK?k8NRxfd(@!yeZ!@@g<0 zYT0G44ZUY~d}QWQe+?l+TV8^DK_siMk>fe8!4ThdsXx88J8wDYT5d3GD{pwy!CBusHDD zR|`k}Qj-c8l-dezpD|b*PdvUi96P?5wi!=%_$Z6s&#g;Syjm$%YDC|{6ZyOCu?P)l zCgJ+rLGyU;8JC)WtvZywu8#D!)+3<&k@5>%Y55T3%~KWxunSs+0ACKsz1{E?$6Knu zgI~v$7tw>_tcXmDJPs|_eARhe^f9a1yPD{JL+xTEy++NPdQa@jKtw{5H6o^ssO-FR zHsY92pGPNkB`LGlse!d*#cbVUb%U{=;p)41&rMG4T+FlCefFuseSBVUWWI=mgfhFxo_p#dK9TqRNN*! z8;9ZWs)&j`+o9lmq9C7St~B_QEa%y;DL(tX?IbOS{%-{z?~KZGiSFRxuAcbsk;$-# zcL@CQ1;(}2-rKT$J5_{^^%K!u9r-F{T~1;DqH7=y0WlCHDZl6X85B)$iDeV*yjL3y zI|#uWG==+~sDGFDe$4X*eB%k;ONW}bm8t=#Uu|~2L;=g!&Mzj(;rr^5_2&CfcqLOd zp)BCQ#^{1oZht3OIB|)nu`n(cOZ;?SJWONisgpTIn;yB1a>(g>-2=sDaQ#;3wHN~LlrqP@Ie!%4!-}zHb;nPe!y7o zl|X}$#2s9PIXz5ccSx7yfD4xAOUH%Zw#KYp6}-pla6|H^poDAit#-1>(U_+35MmCj z6yDQ313*1wqdt?)NW9aul3{UeG)M0Vp4gc;F5;pl-e>|?4sToKrbc;kos@(1aEB_p<&4a^+10mp%dk7dgyO#({A_S;eW_DU(NZ_;oZu7rx>@<#3$ z;QUHbU7xT_p(y9Y{qr!@><{rfT&=kMkmr-A`?S(E=*#1TVTnp5+WGSB(dCXX&RP=} zs7zKof7fjY=Sg)AJ`L1?*h^;fIT;Y2qw)~pe@+MH(ck4vU z3PJY!z5&Qn3Fp}g?z$P4VxgBjA~Ba6<*IN5;ZU29mqOiq6?r^4>{%c$io#K%afyVI ziel8dm@C^C%ADWRtcaFLtjy&{3$B=kP8I*lJqp^**|bUiSL$00odMxq+ZAgXF)ijC ze&tUBrqY)MKWpFpBh)kn`Y00ib-Ec&ioZypPlIH43j8PsNjnhot)C7Cs*9h)5J;lhqZ z3jh_(^7+iXPp7HG`ZysiX5Q1uHy2fm{9CM7b(Y76RpO%dGH2iKYzAvJ!R?UrbvsRt zvrnNGKP>bbr}a}zVsiXpo7U36W5&HdnX+Tc`GvtdzLySAa2@(3aMqN6NlYf;OHv2} z$!K}bDcrWSN4q9tdg0UBQkwO-JUXrQ#fm00dVy1yKi2!39$zO1KSIw>$dlAUm6_5P zbI_c_?%u5<{^2Erb=CE~ci08z)LgYzXNG*an>2!we?`imGTfS8!9r$h?GDYNP9V3G zWWin?Vi@|`$`N|Q=i+g(@Uq|ZsIWS@%r_I~=GH9Fxl!f{$4*usMjW+~mc}aeM6#T= z4He1jwgNfpf7P`$<99lAK?`!a6m%!wVHKn`EBA}qm5fY3FPoc9ZM}H+j7YlYUIqPQIH1z*P;0LgTP7x*&8!IIbWGE`YDSO-6zCu zgX89^ZH*>dUa@X>XBAxDuMiYm1CfCBjTds95ks|#Edd=CQMI_*WuN%?1BD;ux6ua; zm~!#WUK55#Qhu>p=b1N!>us|kqI14<`3tU3UdFjiz}5TMQna>KY8r|A>tfD-8<>LA zvVfaZ17UP)7T-Vg<@mUyyY5&wb4ty{?p@N#@6YBFR}bR0ifpm(+br_W_uYP<0p3h< zDm)A0qSU$Fcm%WBcP02fih=mgMD*w$y~;Xa%vhG7<&IycU4o!qfcFpiks(9WP{`%T zQu91NpiXmsboC&K&s96aC5+Ac;~;Fbd@oDR)`jI*fxLwRfBD-Cyg_&%m)~^<7erEq zao&-={#KHS%<5kiwM>m= ziB8r4m%SGKTgiLza%_?;R}!fpb(&$i+rQcM-aw=(FxjGUT{VuT_tsWyWIbit2GMSziCxQk$IhHkNw;mYect|e}=ambz6}fN!UUS|u^U*Gjq5H2R z)=CzfQPw(x$Mr)eL;}v_wm+DFhQ%g3{dBLAE3J@sq3J$@`RaJF51-isFX&sXbSnq{ z$JzY%$J`|gR5% zr*i0}J}G*;i?)u=*|6cxMlS;40%^!|8|tq!akWSItg>2H$)GMX7SYY{M1l|J;)Hf5 zTrg&|`C{uVho4|_FULJ3Y2<6cp-}yzjRbBb&OUIv15qm^jzRNK`DRjg?|5k9RZ~o@ z0=l^o)u%H?Ll3pmKW>@&Hfnl&B!lWoqN3NFuk&BYVf)v721d)Z8tJYM%zLHhCeP_) zMj-qh7>ucc%$Tqgs^&!-e$xb5Cqu~WWyY>sL!bFbnM{B-iITP$Q*Rr7&HZ@Fh?4Ih z!c?X2LS;~m@0oqyLsr;%w%@^nohe>?{BhOss2cxyK~ML8cY5=<_8jc`G=bIAbG{Fq ztgpuB(GvFVzq0^NZ}2;4a3OFdNtr@sOAyOGZMX{p`&y?5wSGB&^_g*!UhD0~dsuv1 z#LF!z-++sQUcbzRUZ+Vl<(cIaxK;^Yj zitl}0YEk~wLj`VEnjrp{%9qTsxU{NdaXusKEo`4$7Jx4uK2F6%_+lRzd280@kg7QJ z+bw0j?^D`J^2&E^9EIa3Otsnr9OrLgFiLUr7xlkP@{$PixZOE%<4AAPAAlu1h5O73 zd8k*q>7j1VF)&eedaHTtV&1X5I!0n?R^Qb9dhy;Taj3|6cFux}?$$*c+iHTTs>aG^ z8JQdBBjz{#?s6@s<`p*UU$Mo-k^B)4qCiXp# z&i|52VdMnlexHsJgMXRL|%181f3jqiEotHhNkhgr~=Ie-MkO~GJuHUPOrMBXE; z!|qg$shvp6iFIUMK-<^i&*gtL&*7KPNV_k7`Hc+f4i|2Kr!X0k@ ztV7)ZzXd@7!f2*ful=_uX_B~N7l;SmM!==q4Ejk1yvb<)H*Dd?4&4#L3E+p~0;tC! zZ1&LuNF+QUaFPQ&rS4~7>Rb}DXJ45Wa7A2&4s1%I$q86_z>lJ-&B^xrI9S^H=p^CFO1!q)w#mOowJ0(uO1P@l=Ytu=y-d1CUXdUm~rAAt^(Oz zgU^Elkcl&N9oPz;!u%wZWJhdyf(gX>dBD}&7BaRO|4|pacgNznmduJ8tJKG2rX&m0 zNNrso+absioe`>d^^mwmWtkjQ_5-w-QTF4GRE&jigp#tw#b#-{Q@^@>U{V5{DaY=% z3!{a){6$g*hcE;9Tz19gyiwwR$Zq^-{x_Cnl7(JIkxEM)kV>- z8MSib*;!sW>7Mbe%h!9=;K2Am5fiX!ZUU84_^Hqx$Ny7rB0De3;)Xpn5z+sN@fdirKc_4?i&Ldd(%x=*6Dgk z1_v+X?L3ZLnh@4x;r+d|dH!|XN_z3!TWE;S2eVRuvhx>4Waeks%qIWBrR~ka&O@d| z7ITX*!kF34exnCJ`OBuY3-})gX!;DK-{o9pbLerg^TJ-z{!a*CgS@3k9Hu?tC{%m` z`65FVV4mlTE3tqz=99P7&KM8%MmKV2_17PvSM*m-n@ujH&QV#O_Y z?p>2fd&29tTB(ZMPl~ID@wZ&XMw;?s3d%uUV7GPAC{V$^OyXyre@{irAe9fR8Lso1 zdF7{&E&diO_O29*4xhOIS7=CJGH_Or{-5jD|2k8yszH0&7G4ZXk3)x?f(Vsv{Z&dI zK3RpeikEiH_#Bz(okLrj_QfZZ1W#X)F6I9CoCX}j2f!b98N3#D*5a8ZU{o(PC9qnP zPI;$WjQwd!_u@^#D@Hqf5@iu`v)b8?CjjvUH=MWA6g}Wk<||-B&Z{lgI>^W7xOw3D zoX{5`qL?%yAX6=D>Js&A#?;xG<=C=}^TSi0z!lsvJC@p5Yh8&bpq6Fb^6w|+_PBjB z0}a#Mun$i9oPE0I88K%&>RPb(33?vNSvYwrkBdM$S-`w)a->LHC+S?b3s2bNXA&R{ zbJ|!;YYvwG{$@S4r1~tqZpGgbemBFF4MstowoUfWOWC%feAy|p*P?+m;t!xRa&hCa zukPW`2G5L~CYchWTrZEo8~a-mX>@UN_-__*_@Nhw4M&SA5fC`+#pdoD1aMd*B;gyM ziO_e5p^)o4`k3KB0`gtGgo9kfTkhY+3wlIznMsa@@`H>^Tpr>1t`CElS zJlAt4!wioejfB~237PtF&;V_;m!xmoRTZa}?n|j=5x>2ezCKy`KAaT=LK{VHq!RYrKEL5xn<)kZEfugQ5bFJe0pLKe3Obw@86)s zOA)0Hy(c^3eyhqEQdVDS*kotFmbX+*_gIvkRvCzPN;r4iX~3Z1pfv8@Jsh;$iz`*^~*(I!1w6#nB93Wj*Zk{{lX8wlUpO=I#k%i_GW<{u+^W6L;T37?} z?K+)Iqs#2}+#cs=-a?5>A}@HIPp4n;r4E&2OXbj`suQTYWewX;0!|Rx^P}ZW59ea# zjwtFn{P*$?b18kH4Ohm^sNgU}scDt-YIi-aOoXdxSil}9YGvwP^HG&2@b%&cWzJyjprTNkxbh8ODhd6-z zR{Qvkk^kC3D;zdCpf;hx`R`XS2E5&HRS$z(;PFAz7q#oqqjHUYP87a4rtL80#Y|C& z{VL~0`e7?4M;7J2X~9VHZn&16nPbfK{<;;NcGJaJJ-yo!Ii%=m2k|aOZrmT}(2w=Y z4QrtB2=BLteA!aWyHHx&3Ydi`i( zYQe)Ao(atCnzf*`-44P>T=(E;SWo3ybnI-)*N-(@6HVPu65@ZzeEzbLF|Bz0spsd$ zUZ-!&Wc1tVj#g6lx;I1x#sKk24J~a)zvVq+^f+(dA#OIk$LeQCDW7gtC@=DZJY$z} zDD5j<>(OmN9nER}*sJcRGc19If!F$#*hFt%+@|#9&AiS^-a@X5xO%z>;U*LdLhSq4 z1H86+mD`V1gRSOFeeY3sw*1HoQ=D1JuYYE{_JA}y39+2$T(@Few|IBYNXh2=v|sV* z-lvFk*sQe>ShJLngP({JLE8u{mB((J$dntvpK{ToA7jH{N7VcUQdIGRc8wp-kaICU zYtE2514Q~qp@^U@+r8w=wcWF4BKz6+x#gSNV};c-ks6jIZJtU!2Q`x;6|;M8uM&op53rheWk9nQ(w&E(s8PYwwrz5w725_R|om81M;7TAqzPRj;r)g z7oK%XKPB8ZxrLQu0!fKBN9}2~WWW|Ii!V7@VY~Izi{=6hXT+uggRT}H1QxmNj<9Rp zxHqYO!?26WtB?(-dY@ zR4R)f%jPi#K11`y6&7FIpkqlZtDHuW-6c|wEN!9^xc`r{_YP}1+rEcKL;;m9pi}`d zA_6i3(otz55>!f%l29ykq}K!xFcj%hq)U|=K#KInF-tYXL z_fH@^Je+fOTYK%bIfv(bDoW5g#-AP5&CD%gU_ycSizMeKRR-`#vJLZSB5@5%wpsga z!J^j2q$if5$OLsr(t1ayQextGCrlK%~#Ykxr>vR^JnT2*}I^bV@9Khb&ZYVEE` zRnlAROD9@U=pJlf+BApL@Axra_B9aa}-De#w=b za*pKs#UOZ$4|iZQFV}gFSU)PfN^eY36J`?Asm%7lv_pk89R21)=tWt~7x2j-G~X%u zqg;swOZ8eRR|3uB;IL@mL?wmn>T=OuQMs%!_k>EPhNe3* z$ye^qU`C11#`wpU{KpbuqrcGW@_t+CKXb`(_{|f!A>+m*owY?|5UViebE}$cc*pzT zC{$qi+R>e6x)88P|J@q`ArSZme)*_g4cBk1q{NQJ9#`jW$X@xdE0Y$&*|(DRO^L&; zX@AU3&}~@lfj4Oe$4i$kI?miZfSQ_!Fjyqh2YuhYYaJKy{Z>3FWNctzq0(`EJ9Emi zsGhlW5sBVgf0L6tepjR1!*|)l!b+J`YB|=0HH5Lj-(eF0zm4vR(p6CPJ}uCRtofq; zzLqN|JFg_W;=G&HB%kBa_k;2Eh)ms7wDs1`y6G`#mAyOkQ&I+cJX}k!N7;FUTe>If z(XKaQCh8sG7UJA=Bm`>72Q>IR)C$6uQytME z6wh?0+QUWWz37(Uvi^IM;jTnQwq1B_OZD5$qiw6|L6f!-U8|`4faSXQ(3(I`4_Ha% zw$;0P`VTJZo_R+7Sxzb|e%goa*Y}Sc08$H~QL+I^_NYRN+I5M}eW)$xa8zZ!U^Xzx zLgx089H{29LopZ-m&0YrI1cX{Vjzga$y#BscnRa2e}9c;lFq;~VQ0JOslBO!c(E8p zXvE#n_)L^FmBB|9@s)mx>(ZAOl%4(Ua1dDj& zKrE7w!{TUpKEVP;kni8GX&`p5#q4UtGpz4$SR~G>L|+*JZWbHh1ViR?z|O0 zYOQ52k^O!|9e2kxwtEj$-psKYY%8lT2;a3XD~);$%S_5xEaI>YSfG9lo#iS{JpVl`fkN!`ipdq(sA?ZHJ`Ftb$2UWH5)fny6F@g09OarMSS09HCQ!?+xNTHb`zmiGY4 z`f-omGR4Df504+%VySDd!Xv)#p^q5x`gN-y)>k{=9-Yy73pW zbJlyRG9SU=m9tJ|nS)rrX={`|RX2* zLlapDg(FPkd&YYa9@P(CtV4z{4r<}_1N|c6F2tt6p0DU>cfRt4%z54$hc({6=uwRz#^5gqLs40>6Y`p-P!8ClIvm2Vepicawm#n3bukSD)t-q9G)q>m!n8-B zdySdgp6sSaN+CsoGQ)g!C=_h$dHLqJpDWf3-x(6Ld>^P*U^3ZB%Um$1k{uzt71R(b0h4#xqbN7 zV+!X{{O7{~6_3{w)~7@NW9v-0C{7Z%muG91trELitZL$+<3lTs zTE^|W3Fx_9H>8Tk$vW3+-enzx(r&8vfeMJYAPU|SCv@!vX3z5F8!X2o^lW+zo{>sf zG$lDqrTaVARcVOTZ;f($7-%M-r;KXX6Klsr(5Lw;7goK@9l~S}H7ipkQRA-=b3({* ziLv2Qm5Sa|g}T%h)v`&$vPs0f#_J-(!{>$6YCFdasvQQ{Uxvv1?#&Ol@2o8(jryRc z3J{c(tJf>TxV2sw0Bj4l#_qDQ1dj?d_3(?GIQ=%KX~KT~>d=^!NlVuY$Bd*$7b!we zJbI>;xmLlQXxjN#-kx?KVE6MngUh2C%?El0xyX$B%)D>I`wS0co0WyB34`2g7r#Dy zV)W5|{38on`8B(nwPpd+8fFl7+qW3@LLF)ckpn~KL3-|L_dVCq>!XFwU?ndb)oea! zQYY-ENpxgg!C^GnaoL4U)ff0}3>fR?O70)B+IQPTa~LbvoSCzoV?Ocpp>~DdITLp_ zqYA&czGJ%UE2q{7dA_Dng%ECzl9dmg(hl6nRzn>E!3C47E;Ac;WG0Q_VdSi}$PNiv z^FHfnJM7A`3Q7oK3~OKJgp+$Qo<6XcYf=UTugS&%LBL^x+|}h)2C%PBa#Lx;d>N*r(X!b!bDAJh?9FUunINJ#8q57Y(_FKY*oM>Uo!&~5^s^0}Gl|!M zP}TSBY2fL#=Siz1-b^`Zh+ZalNUWHg9?QZAZsAUXJwt*uy%$y`|^@*PdU|l4FA0GY^X8F1XD+dvpA%w2?}3oUjZFML0tZeHWSV zoD$;ItsL(>57^JLuKtFa{2%EK&C1!|I1Yl1$J8gC2*j|+D#KN=M$bO`GYM(YlO&iZtS#K~ zyPYOOxZiduzZo+})tYjQzm=9eEbwM3kKRSqyjCNihk-xXsn*6~w4V3%_3rqX?>T*^ z!92$!eGf1Ujes{3c5%jr*Ko86c0Bt#c~5p)7>dcIcuA*dxu_V7zsU^@?y1Hu;UBd0 zvBGSHlzPR==0if#b|_(=ryAB~kWd8HY_tg#t}l{By-o3BxpW6WU4RlrGC_h3G4H>; zceQT{<4AD#e-)f4WF9V!nqSNJXB;Y7d3ag8n3n%(U>6g$-#87T+@uj}aY@!IPt3@q zDC@N;+==&{vcTLq0co2BPO4{?c@&Z&euIY$At5cJmve;76=V34)^b{dlh(}n1DX@j z5LU<75sl?}TCg7TCj1eH!i?qVXN#_we#fRTB;oA*kmQ?YCwn}uum<+X$<_IrV`;}} zvCaKciS_B)B$iH#c~#L;&GSQJUAz%_Nz=1;+(&IizrYgccj66}UB<_CbBDKGO!jW; zDXw=(oYr>SlBUj_)GUXoI+Q1+kpUw?Z?hB7d2dOeCF^TMveE1cS91%&ujPp0`uS7% z6uZmZRkvY}Uy`;m4^-oY$717vc>%rJ;1RWY^8?uzmV9i z>3o0KEut4!cDso>rJ(Ev7+iL8`=0aDL$(Gt{j$n~vC+|&5t&bL(=L~Grswh7Zy)|1 z5e~1D{DIF5PFot%{*rEl#o{dAxZ{NTf_^OmBeFfK#I6Ra$A}oGQjVyC z=GfLj>o#ngZJLn6yWm5cq$UAT&HHubbn%`C0r$Xl-i#zpei=gXoMFo^y+uhvC_c9` zdFlG7ZK+8u+Uu9A%sp^;M;Fibzp&9XnvUyJ=>f=*dhiWG=C_ZW0%=k=aWmFH8zf(7r>22#l& zCM{zx(zcFNiP-tTN4?rdXq`e%>`EH?3QNi%Ghb$#EjHj8+?{shW*D_}O2t}w@9`D& zBuQ}yFu9)EhfHtZc3-|+#T_g)dE(r<>F?b>zaC~^$U)hJC$u^gi=RQIe`nSmCq}fW)p)x@ zG&j>Ex4$RxUCQR1A;3PCd_<=Wu6tHwXAhXIujRI!KF&?a7+E`{F0JtDeDT84yIQ)k zKXJeI@zDhQU_zGNxet0!E5;)ArDusiy}+*u-rr+p17rCBH5V_Z1~%iGPoB<7M-5Ch zCT|iP93^m8gheC|$xIQ#-`le+mo~)pzdoj)zloJ0l`$c$nmV}99Pp=ieTDo5RLj1Z zS!g?`FQErIe(r%duJ=AaK2_<_SUPDjPw43BAKgWb3ntXvt5@smP&HS4W_$JdA?wiB7OoafU6r$9#KA(=v0ZUXG3|0D3sUE^G5)N976qHf@l+1wL&#e|?0I6 z+9fW7Pb$&1k481=J=|kD$r9K_-OH&M`)f3kToRE&9YJ8{n_%+@D6T#A5U=GX zCw9hqxU{rXsG{Yr>AYN$oWXdpspAow(`aET!Xg5s`h@yLx-5U_@_VYQCdVvmmdCh} zLQ9#7lDx95@t#%jGf0hoo-CliD7!ad}gy2mqep$7oQQNRx{wg8Y zSJZyxj^tj~SBnYDvab(LDBEW0J5R8Z?8(<=aOG;Lqfh_Q8GR4F4=n3u8+df(k5G&? zBmIUTW}jA0^$vK^JrBJgo176O=P0q5yuI~m!m2twL-Zt)!V&X=N!y(7@>LM>BR+Lv z_ij=_wc{~!W2nprPx_sG>}K^EFrH4l#(rJ;Nf+*#f1D3L`oU=9dqGvM>ZJhhz%*uj zqi%{)CTj_*)*P@C|)N{x6*r5@*{}RlnZ%0##$?z4hZ>8xNRzH!a*h67D`1Gx8*UP7}%g zP>-r$L?PshOrfxR@^dCOI5>BZxgB+7_2aZ^yJGx)W|huenNdxo-sp~8@phGr>u>|C zhGs`=Z?G}HnKNyh>z7YfMPC zl{?NJ@$x>8Kf4I2C>7Sd+EiMWdB{*4VX@V9bwmn%8f0buUgq4;B{@%5K~4~bqS{9v@V|MRcl)R!eX$fS>ijmUFDc}GMwxQIq&Q{bSl6K^d z$(NEyh;Hh#1!iOg-P;o@-AJU7c5@(#xve%YZ(38!n5hvD&c&@lh9q2sX?L9$?JrE7 zA!B`sWW}V~uYE5tlpExA-frasVC93exGz`#xc0xd_I`gm+YhgiJ6Esc0)~HY!IP47 zl6d_FX-K2TGalE84T>_jK`t}hE^e+D{JhkaQ! z*io8A4FPPnnqH4AH{-J>Rv`9jvn;A=i;nf|V$tD;D4g+nxQU$pg{?~i?>+|lDz}oP zx9YPDHGDGPYg)AzXTL@}yi&-EVyAOI6YD$%$aslp!q&q$Tw8`9Y$R9bRp6L;IRu5M z5zR)f0#5T{9ELAxL{7#cfRo8(Ww)Ng4a$)q@A8QnD>^Alfr=11tO=}pQrm!A%}gvE zRFm#!_aHvgMU*dYTueH3KYUmjFwG>JoCLeK4w{SvU5NulWkdcv*Lv9_} z(OcQ;bXQSPd=?3$E72`FU+FgwDcRRZtHQK2W$Sc0bBGZsTyUe(Lw`p-JKaU`rS4cm z^>}hI(?cmY!wph5>@(1u^sZ0!$>Dm7NM-15>GX-QLHra)ETPL%cJF^?BjSY2tzq|rRl*tNgfW@ zSZC!>r7MBc@@lLpV$RB36};3k%sEK(b!iDwc6#wocQZ2m*X7|Y*(hh*XA$C6yu)wu zB?vK-;ZkHZ+3hk{jUjN1nSO)3%dUctn&C)u$nBS=zP{mP1uLevqi#F^-6=jpxJ3nX z_v^fu7i7$&Jzj+w;0v*xK{@=AyOvcm(yb@z>O-X4zzkPta8z4hjDt_K;UCk@4Y=T*mLw-v9WO^$y z{P&9s68Sck=H|FW4>@9@(HrG5iTWRF6-C_+?PW!*V?{)J3V#KSJK$+c3%>9juf1@M z^?1~MSNu%xY2;p|Ne)23GrwZ-3PA!DchG~(l2!$*G3R7w0ceMTwOnphtop80G)%J- zBo_x$>oj#|Ks<-Wp<|aVPN-xBoO-HUL=79v_c5Kuo4!mi0H$&ukJZt!JoQExOjsNU z{m9ONw6m$*XM5U?jkF4j|C71($Nm1d@Z^KvNI^L(`)xAX)nK+%GMA9 zCD5T*n?5UzMw{`1MVsdYW!-rOmcg-?A7nfKh!>WJC6 zk5H;vxoS?C{h77P|3M!oo)7A{_7yt( zvfFRT_XXe^06d^MEW$mYUneq9%mP2JyKVUjq^Ey?po?^;0h#<@PD#bWy^NeoH z$imBSQ5lLM);MHVV@JGmCRt_I^5QE%vn-dcC?R5L{Mf!SxPzH*FLp69QcF|U*a1hW zwM|+lA)A$-T`I8JIf?%2q6$Nn*@6~qG^`}i1BZtbqUt<_fD1db+pOua&Kgy+2;S`+MfCGv+Xteh=7{+Rddl9w)tsgNV) zSU*R|%HSL1!r5UI##l^hbnumyh3CC7hXIBH&yFWy=9&U?*YVsP>Ch6t2f~?|VG+#P z%Zg&i@QKgVaNg;N+G9wv_D%1tPT)Wd379n;f zm3d&f=EJLlSrV6p=m`-mH8!FKU#}Ncm>^>OtaK3B14mbaNiH#6Ce}PDJ0wxab!%B~ z_%w`t6W&Hf>LqTsG&)o^U7DToLJKW=FX1*&nF2gK2B5b}4IqjV#0xL{J~70bM1!08 z;y<7#Ctn7EYvPt&mUOqaKj+`~@BS^PS+8S@L?O zhkgAqa@le*^W3toq|y%si`eZpij;fxBy820+V@hTVO!j?7AqxGSh``ad+C#-R|4tN zofowPuuY5M6T&S$+Afqb6&KcK{rTQ3T=FjWXdziZ2^8ow{Yd82Qh>>CNV zT68-jrAl45uA9`u6W=;-^5%Np( zr_9#j8*rBrn8JEmRWM180B$JbwUQFJ&ipH*tS^ci?rO~EPAB@JM7`{|Skj{?nx!h9 z(*CuFS}2h4`#?BH{xYb)yz9R^;a)|+{YoF<{D=Rqnw^XG8e1rd?fkjb5@6}$Qy`3$0lpA!$$Q<$3^UwlmK zq$s+-IPe-1^r%&F^rk5BoP^`j_=mbC7@}h~dm;MBxYN%6W%OA;uz0cPMn`I_i*%ln zAXPPSm8XM`<)wt#mm5bky8x7k_5i}!C&LRIv)Uu*GMy7jh zJi!MoAt}xC3j9umIyqultR_l*iH2a$_vBU9s$=Uq+Z1W$)qN-cloYOXI34^D^`gG{*VCvJ3Wtv}(FO1uZ zLt2P{CaAgpX7QERV@L3PQ@(TcAlDj$QarI+*C|77bD$2Cf*?mKW=J2 z-QV}mn*yr+zI7l1HUm4~Aytvk2Yg&?@mwu)Ob=+i;z-NL1!x^x{ID29fiT%>><9l$ z|7ah|#PGHG2z0C3Za_U5C-p;kOF4(#esV0{jx24jZh6_S2M4#NE{JrLn~kiOl!Z-HC(vlm zl1lkG`>GQpa?|tLRoO;fiil{&fSG0J66Jtn-4hpzrf{LMGU*L&!Gkb3+z-Sj$Jz3Ft zRpZ4v5Zb>sEw<^7mcXihBqoe3m|jGaBY_By8R26oxsoH}xa!xg%!B`UI2QsvGQ1>| zUR;wCK9ec+A#3{Nx(gLQ__`3k#(hA?f&S?STCYYu!Al0AWX~>1w0JgYzXSi0 zq7EP1BYt2|i;o?7e93rI!Ey0T&!J{gIcB|B62ik)y|K`whTDw{Vt*DQNGQ2slm>JF zX2BU1Q%9lH*GOnqGt`o-1`~WB-$zVJ!0#L{#7E4;&n*G#Q9*SMX{}woaqHL1Y)UM+ z8VL@?@rsZoHFfhi80ESvdp?0xjQy?$K0yPrMOuaV)z2P_=t%7Clu#?RGrlk`$D2e`(=)LjD{R`$x<1eBgc%OG=(a?iE-}j`Z+3C2|VX-#Z zP~lb=Zbb1j80{UYkWRJ+;a1)e~)ATz{BZf&UfA zQ!*iN+gWb`rs3pP#X*@q)1(i$`*#%EGUKuMclX2%?gU{6J6rCDUm(nI-Dw2)>j0h0 zzMNTBH$SBj6@tq=M*^LtO;W3yr!_;mFK?Kh-pLpP{ZZ`@-|Hs=Hp76u+=j@*29=rdBhL ztxUX0voog}k%;eTiv9D1|5pjHB2M1q)-JtV;urbz<@HU_zO`zB)*z#+S1;(SFoxb+ zX$H|j9`M**Wr2nX63tUN7#u5)c(G_5hLU@>JOOlszAh%{<@kZV~*)Smo=92efA+tUy3-_zT^atZGHHfP@u4QhXJtqxyzj^!QLWg+g8{&8}Xeh>&8*HPcj z6ubVS*sO?FUILqbEk#{mOcyq$Pjd-cY7%yr zssrPL3#3&*KqGi)vICMS-Kffh@6TV`O>__+>%9pc(U_<^b2b+yYxQjF6P>LnrwN0#S`yU=ld{CuxrWV zau}Ey|Jcv9If6Q2X(1K5)yi70gnI>n6TUEo1&i6^IoBdpM3(~6K|uUr4t&E?U3uAt zvup$;X(Mcb?Z{#Gu!ub>SZV#H^6+yy!(!jui<@x|UmDM*``oqEkY;H_x(K*XVHY5j z7Da)yoq%$X8xONE?aCxqy3h)5E<>6)7QtcE1GXwT!BSYrMj zg$lcj0KWIYZeL&M#^=dT=ub}mG0_+v5~w-X?1MUQcl4apXnEeNkx|0ceiY1`@-0SR zl`_P-H_{oPUe|~g7X7bx{^u3AULe_p+N!zm7_t5Axv&V*c&E>NCd&k?nWvngYX&BD zYstOJ#$56I*{#u6L^v{>yCpwyHPf%yR}>z zkYn*W87@pJNeqI?1Sv`r7PlMEnJwG7Giq@p@i5Zy=iNk#D$3BV_VpJFxfiaUd-vph zLieCu0$&{$eks`y6om|2hv423?)XC=4c}M(Fh^RjX3X?J0M&ctbLoEA9(G+W$$+ZB%Cm#28nY*-9~%&n-yJ26^zDH`#f(cIWG9Cjrexi7w2j%>Ub z82~ubMUEa%s|X@r5d;e_?PWFAO!R};c^}C(hgIGUcWk`U0oAUGImNB;owue35u4-- z*}Aqaw&vzQWsv_V537cGZ2knaLjXBCME>a993E^(=jX$fyx24R?y0(tUZm@!_}Pj4 z{FMK=mt-<7nr)tgIwqc|%YWVp;H3oRJ>|kB)au-Zqh%}YE&>=MRe#O{G@x8A#Cl_C zj(#??{M(EC$GJ3**hiaSa}_Vn zRe#N@jf;W98HE%#FyJ5$2#{eCw8o)rDJuj(3T{0_pI-alUX_i#}0&eKlJaqk<& z)RL=rGiMR29;cX6*DQ_lcH{LfT6ez)LF48CYac-$D%$0?X!;%ZSoy*y7*-d!JIw~& zuo4nwfi2=ClNd>Xx3_94z*;uQ`p0+Wl-OOz+LKVcW%H?r*{j)e%&+9oJkMqY&N-c5 zyr?C^uXpifFbC!RzV&mFA($^t(F+&Hp2&0rQomz=KwY=ezpC&&J|{p#GpWke&+m^-8%PLhFzpLLoTvEL97 ztS!gj3$A#BgW@s9A53~;4i}m-3aOdee4!2+93J)y4?jwxjiVEVTx=zc?Kfx*VLBIG zG@}#CnQe*(%5%b@gc!lXP-j!$paODWEScO=%T+WvXeRTUJ0-piz(W_%-k$p9eRiy$ zp*J})4)Np$u9y`CPDZcMD3q=Yo_pabzmdX+L5T&_;b?jzQhQFL*4{ch39ZgX%{THU ze!V34JQ}qDK|q&VpU%92R0J9r$lGcgcagx1PxTSI7MIXS4WhZPl2U{_A5ukeR^s*h>? zUH;pf{==XA{xjYmPMw!a=-)Atm0KhT{753ZjOTeoj z;W{p|H)yrqCCWY$mj{whkc5P z_0}495$}6wN}=sj?-GFHm4$M)Pd6S;hER=+Sf-Gu#67(qjudKmjiGGM{74RxHm7~G z(qtyD#{SF9x#ZTGg2|Pgu!ZETeAmTp^Cg!v620k@*(yn`zbg4Xvs%L6jJ8dV4%zqN zz|p!k&md`lp_h8-vZV+}P2ZdAI?c)j5`KREk;zF5EPr0!$XZ@^NU6EG^&a2rP#3;{P{WhmuMF(0RAhPVBw>WZ&)UP+DU#`M18;^7^C4n_oN(p;5V1ZR8$fkN4~J z2^JT3xW;U^>K@awz@=FJGBcmKq>r1x+}_Dr4{^VlN1d?77c4a-SCEtV?PXC;qV1hG zY#kBH4h}YX3sESe7i!VIDc?C4J{R89S$$n>axYzV&G&(taih*fJIf(tyCT^B7ytV@ z>IqUn>phe8LqE4pH1vs4;Vif8Qq#aZ%Hf$hFiuUMdia61**w3hBi$j)TbmR}EAk6R z0;xPkf&`6$*_VWC4tWQFd%e~dMBWs4<2(85v3?ve;p8d*=dcQbg7ntI_zo+ za4@1%S+kKrlMA7$IL!#14|a&l62vT}+_^|O*Lyq<)GmqJdJr`@Sk@n=^*Su{jkopx zFQJ!C|JQ(|i>sw}wLJzzMxc?t^Dmtj{O5>-s!{PCm0g{q6jvvGgX#_1XZkH2A^hmh z_fSG1#O-&L7qpvhNnW1i6WBM*-~k;SIra)EPv{Lw6;q_neq#Zt! z1FS;G-uW}sP?||j^4H9Rfp>j_go1?JQzmarh0PUm?u0*X?J@-3-l_+5 zmOsTPkR=7W2kaTrS#(Ti-5P;NZ{#Ywsb4x-h~RL|OSrPA2`7|i-Nf_Neq4!q{ODV8 zLyNXp%DEJ|nB_QHa;}6$gISc`Xkp|M5A1|QsMq|?4KU#qHwv3eR%t(EkgJEW(+n^S zW~(QAm&i^7bWVgQJx2VVDv5UExH=(?`J(K9XaNuaWecF`Ye6neD!q2FCpr-FxoSj~ z0)FKO%J$v&ewFEf{v*Z2zn#g?3E>YzI~4d~TGMb#<2OH>)@>D1AXA)ZG!Oo9Mzr^o zCpnk=oWb!%AOwR<1-sVC9N%p3mFie(b&IbD;;;Z_E>7B1qRbQV6-^G<2D!@~E?f>V zssVF#H7a?%1jJSv6mg|klsKbi>fw@$*Ic=*rpCvx+q)C#k=1L|tK7%daK5ei#tUIP zexQv&F|(p@AEny2Eb94?Y*y9f6L&|ZM3Z3zhh2+s3;BH2`THsARIah?*EZ!|N;KyL zS7uD&pLuKhhzntXHplg@!e??g|86^zCu-pR5R<%>D|RGPW;W;YQfcVO?eCK8W+>k~ z%e?yUnc9E(YQ_7<`+@H$1o8h2f9=Rz3)O#cR1uA4DCWwn7otP@CBCnF(4lPl*55X6 zZudbGB%JzWfsunkR!n)JS!q&Wn5kBI7k}$LYg>aw6Zf35P^MxHbTQ@q+I(iL4tKSg zp>YUy<+4)JGGAUV^X>x-&P=c1_N)?*UPHmT$w=<$WJZp?D{37O|aLC+U0T} z$NqWi9N?mI~< zB{IA9ei1!L<%Oi>hUCM5W@v?$J-I8fWJKzH$)B^j;>Mc{(>#nk`g3*Rzwj#(w67Si zie#dfMys$gw@JAA{9f6Kiv{#&eB#cIKsVih+pZCl4;RvFYz?$j?S;pNJ0ZAsFB+r) zItD6Ipxo>4IL_p<$BJJlc^UnqwT-55PKC4nW;cF6>?X)S@t;G|;msd*!vQxm*8SOT zs;J37Mn-Nfy#hG{(i?S@bh5ljjhu8Lj~0GiT~HD%Vl%cWOrt;WE4R&Jw7cG$B`!12 zXvl^72F72*Cr79ni)m(mE*wF*mJC`1@7E;r6;yD2JJK;?vV)J*k_ zq8>d0Or`(DREJl%{30 zO-^p7pH&j)a)xJABT2hO*nK4usqJr;En_nTdS5s)(>QnbKKqQ0Q^M>xnRy~5;eo^8>Q9uppz-39P{-p`Rnmw(f9gs1EZSC zAi6km^QJkzx2yeU{MLZpwI)Q`yb-pG9lfkX#Z2fkWa?KHwJ&zp?*b@U&G9Q5^wP$2 z80X>EV2>IOAlOMe+Alm%o1UKN0A{=A;Xh_{?74q)CGW0g{fE8${38ApzE@IzxRUB+ zU--^v4;?$Zukg8fj&YZt&xiUY{OOq*`1DbR_qEXoy>=Je;UF5 zK){*K2*MU$=L_u$Hy;+5bhdV+yLYtfHB?+{PG_pMz72?Qo+aZdh85GAWvUoc^pRtuVV zdduvj)2@@l>MQbuPyk=-gcSp{M4Y>vAn>mabncJ!!i6^HmRMRxU&mPubUIz`{HZRf zdGEe}hn?s0Sk2NWNv9!*FderepSJG&2C(NdFI z)i~NLG2Td{5BUn;pR)TbQ~gZb1#|hRDbuOAv{b8dJ)~^Rj9UrYV%Ze?XNUWKatL>y z3otHK(_KC_1M=@`iFseg@^GcU9yE7B$5|1RsWim&+V{$w35Ex08|E#P5<7QKsCTnN z4z4emg9~MWEs-1hTv=U=Lq~Ab{5DwvXnx5y3u#H)=OVR-pMjgdM58cY4*K%_FF5d5 z&@=GSHbZ|vETXSqC`N&-Qfun6b zOfLJ8DIEn#{oQ8&GgTr{3I6d~#X&Qgnwn$$wUtw%+8)PF7T-{SGWW{H*w>(lR{&mj z8VpDNt}pVhz?$gkY3H%O1{?VYSY@3RV&_!^mR7DVI}+{YXv=9wEzup+zlgQtSHF=;P zC?Fpu$I?$y(&oPF`Gs;eI#BdUZ_5t-XaM*78*ye)BTms=F$-MKnE`qw_Bop2k=O!t zZ?QbsF5cvWY9aI2*FNQ#tQyx1JV5VC(cW-@HydV}syfK9&&uBZurKqY+O44Vn!*4{ zl$H4NpA)1121Wu$aGMi&zSRryo~?{%s2hLfW>j1*K>P7x6QnvrO*gTQsx@pxqKeyc zESMf03PkX#X8;b;u0wMTp!HeNgTQ)U@`lO)nV2G|x_SgKu+Xl>UQ?v0v4ZyhUKrT+ zQxmiLs#g#F4s=)gEeU%(*Ec!gpxI0QQlL2JCsvQ$Z`g#*FwRCC(NhytrFbmxjouIa z`n6q`vZ?=r)&GirZI=^Vj&Tm!HOytk20&msz537Ld0tmyZ7KMM->9aqJ87cj6)G8} zWwY%IZ$Fjr^12s?o;&B`>czuBWV$hGT2;V&@%nu&_The3n7nJtcOb;~Ht zFj`w&Au1K}VQoIJK+)eF=sjx+!nayu4$oHQF_TIuaROEKYrukm>aS|^5!2ru;oshA z0Vz2)>L6U9Zo+*})pBj9%#w(QSk%G~O6h}HO6shpgFFvLYdOkbP?tz);tsbcyyX(h zo#a~h%T9iaB4s+Xr#K!tNrD*B+IP=l4pg`HP)&vv55Vkkmin(SUr|U@p zoTmt)tm7gIVM#58PwtKv@6^&ZbeXW4u-x!#^mxga_ss}%)Ct=z@vb@LKH5Qw7R6aP zFN-rAZIsnYy-mPbp{0LR%T^Od$)^I^_@@3+mm!a3GT6gYSkWs z%_>e40vTh}wXk}VhzJN`6-tS@d;YJ}`oY4fRT>)xL>tP+re-MpZ!b4C`M$ez{tY>M zxY$$dK=eM|-`IzPk}X9@XeS0Eg?|cL5a-AcTTE?*mD@>6*wP7d0G`E8UfM=@xArnJ z*f~$t;Uy^XJ$228AH;q_-;V)1f?Zz8kU(wo8gErG*TbtUp#?V=M@V)fz{z*s+?KA6 zjS22L$1L&-JEx$k-Eb?1w2+_YD*^ozE<=baao13Q!`^jtXHi01{^&V;$%P#tb-`_K z-jkU9ES9J0It&U~o7df>1Xzul$1GT(#l;J%hk#}VDT#_d;F$(r@|Inl{p&yeALa;r z+UtiOdqG;YSvDa`+gwxF$v!eQ^}6=BTk~S*G9Urr) zw|9J@T|NFO#N0TaP-0os-m)EVowQ11Wa?T%tWxmm;G0p`^?YMKl+hgti{azp09Uw0cEtjtgNw?8vK(m&$4egKiMsx2up0t`eyE3wXgcM zI7$t0ig{Ug>7)ehIZke<>{6L>FPR~)2lqQW{c)kkj6y(9QQQKvKeDBh!M$Y!C;NUSW*nztl=Y@va%AYRK5tMQIks}X&qw)(ZN3|!$ zOTu^f@=(Nd90NKXdU5UfTSj^Iy5u)rI#t;G$M2{eEp-IhB`iZ@SWS{L%71AJCU+m! zq~;VL({^>0$F(cT^%-UgNF2s%BPlt|_!K2v^C(zs#*;7|TNy7QY{bG@q{*}k9GmT1 z>&`iowpSAwq(ELOq#lo?9r4O5GxS35 z)#cUX04lwr`z;G{*VwuKFzN@$T2eSvHsl$gYM42K1mn_M-`~u%{S1N6eF+Ixyqyv= z36^ple$M7P_7Sbw9N&@t6I*{NGO+pYY<)kA(bW<|+f~kbreuGJD#r~#O$Y6|fJ`jJ z3~~=OL?14+B8hYsnC2cG4Oq#JCSq~WwGF8%w7^9zErU1iT~Cd;DY)k~_5KJn>+q}M z4<(}S-amXunwulbi~o_W|79sa3h?fS4=MlX*^0}gX+7C%ir7yVL`(_P>|~lAUF4nt zTzO|{V=$~(6Y^s0#I`pwc6Ie>p!s4Nw;e;hV2NaV+C9RGU zEDKH!FXBJ2+?$dqX#|(HtmTYJJ57gyJ0co$=x>a+$`Z!xaqHC{HGEl|d7DK?&{BUi zu^JtE=ox)Z<%$Y%Y~wyH~S?T%69!a(Ps zNLlC^4+J57e~eAWGQOd#S*f(Jgh(ozpQ}K1Qvca;S>I{mV1K$-kqxdf(ENuy=WhpK zOA5?1#T=uY!;93FzG=q7myeS=LZW?QWP&xHJGgKQbQ;r7;rs0HyI zP1XIbE0t>zkafBn9f5-H5^?;I1)=E-jE~tF<+NOGW+M3(*GAsFC!;l~({_CcmDMSwl>N4aJKr;C7=?>@*u9 z0AmBz`e9$~A;$9If}b&Ny?vwbm%8w#AhUvpDFTq1^Jxm=%T&HF_iWm9v$#RWdcGo;B*ET$svu@3A7G4B#2++*iHLTZ}$$ZS?< z_tSM&ia9I-nqdh1<1}Ep=QmQm0>5M3L)I6U0yPB~n;z1(n04(@n#?vW7GheN-Wo`x zq@I5#C_=jtIz!JzpO+g87CnYzY`*}hDor>P$1B$G`>b1)ZfmbFG>)Ui*lwb1)d>77- zZ62~%7a1!i82o>vy>(QSdlxpW2ny2OEhRCcbV|cPKpIJ5M7p~bq+@85l$Oq+OS+q( zyE~)?2Ka6~&-0vf);jO|{_(BFTC-pcEav{j-uv3ub?xi@`fA`;exSSryeaEc4ox%> zt%JgcNP-u8ulC2%ZnLZoa_78OEd*!zMfuy5&=9`dJUr7kK6e!<_A{jCyNkNu=9{w; z%liE)mg3bqU|ek4-HB!}f_WWq5n-^rm^ZP>%lI3nfX#dlcG>}h8tzOE*_H~~>Rx!W zsqJB9vGu-2R%@~DXn8EDY^f~%h5#2|M@$Upl;KN>*6Xyiwn(A~wjd+_yx9=lb4Y2N zbph3E@i#B-^(Q-QB)=NEUa0SD#QqiV7tenb;Q1qH`Q(FKrB1ijAlOYuky%|bbUyGA zd8SnSvSAiRc(6Z6Aec`nui0FkZK971f!m={qFZ>+^v8{%=p_!YD|GFJl$d`AUx{6V zaF{5sBtQD%-~M)NV+(hC%+6fCYo^k3`ytT-W0wZrCtKBZw8jiK~QsB5^N{nsU8 zgsi6}_>m$$0YBmUzr3j70q?F@8%1@stnM4>njISwvMAEFGTVg}m{da=GEpDeoO*%x zVpWHj&yX8ld0cP?8E>X|R8hi$C3OCXKS6c9h-g}LPjSwH&X}XuuVtYBfzkSzz@o6s zeS@>coooN20xxvrV$Lv-+Adc3u2r5vWQ8Z`Q-XZc1!I$q)y2XPme70A**XOa!P;vU z=lM?smO$!KfevaKx2ABe5I(zXgPpBWoxkHVv~48^7fFYcb)28vUQak- zVo}3K=(lj)qt3p96BOJxMsbrGWXXsd5h~PhLx~cBVfol63$aFEFq>j5jJ3)r-9+zs zo&tC;jF2g%fN|x8bfuy$2W*`Uxgh_CE1{%N$He2&TGS6_`aGYhL|X`LccAe1y+M}K z@NWey&E{Y%7Dabovqr6$sUw**uPDFgJKF$%=8~>oUFSS`N?-(AR1%uaG|y6Hw6h@# z29d*Hc1Zf|!#;dSZc^_J;ls~LlFr}%KUb3vDNY=CH(MZglirWnhF`5En$qwa~^RM&PQ16_k$f6(mh6{|?+c^kH9Ibi!;Y(~=>$G8s6#zAa> zXW7Tgem>rv1ut`nbUWwur}SxBE{E24jFv3*V+mzt0@6J4&K_5fLyz}b&8fmC&79k# ze1nWj>(LP5$~kk3g4)wjSca5Cy-&a2`G!SFyUa=xqPGB6Hiiq^&%)oI*)6WNs{9F!$tHk{{MRt!q;PH-D#S!C<*@Q zz#tbht2MRo_D;|QZo=2zA#FGazZ1~GJ^0yy+s%uF-WSLSU#RYK_;a)VXV3oY%MU)_ z-6lQ8xJOg_F-pQ#fbX2q$5j@0!uJQ2+rS~BcZe|_ zizZ_Vr8E(Gp@@sZBdrBRI}w)yU5myuES~+`w7q=Rt0(322haPiPK6f(7DYxQgmXeu z?6gb57M}dIp^p|NXmE~Z0`-)z*spOb=|+FD7_oWddeYU%*@j*|LaTRG9PJCNmAnON zx{tyN4bLo(Vq>Y(xJ13ROSms-+Qqtu_|CwCRI&Kf;oF3Odte1o%1V%n6tF;)hK=?w zWro~OgY3(QXmcD-f&+SQX=K&?NoIbmWTTkJObx#p;?TYg$wcoC$VP8tZZ{OZax5g- zdZ0us?=2ShuFD;P<35q?TKDO6v?tBAH!UK&4?sdgGDE+10&1b{QAF?O@EkATz|J3G z$InU}t^ilAo8<3f3(+}$``4%ZKiC01?c zBu!P*cIn_RMA(69FFge>TONh1UEW+Q7Inm1?LkC8N*PfhH%@5iK!dPjERm?{bWg(F zmV981n?m+WW{vJM$6b^PKbX5xY@>zGFJtTwj(qH;-Z$=c{SelYCfH*P3Igi1*>Yot z+4nbRVKOrj)OYSJwk-8Nr+TpWZI~}_MgH2&pYMo}5V?UJL^@$I!``GbhyL|}^3Qy~ z@hRKJnD$3GhAFyRt|;D+cCK*XVjEKWLM~;=SRaezDIyrwKTv`@qD6ify;*6oqXXhy zj1LLXvPBfS=z13irA0T>Po`O7a`*i}PDH^TLW~eaw8QXCaWVrt$0Usz1|d`Q*QbOy z8@H66aqyehnuVUGTp1s+%Z$H>S;H^HDEi&r+w_?4}yb zLXYaY%R9x4GfY&Cy^!=aBw?DhBm$b=W?f~s+9}gY9kE+dU3|7@SH9mgTg*_r3(HIp zK3bA6J}Bv7Op-BL%%xUhJ8_-u-ALlGO611=((K#(v^CTEusUFQO*mL_wV+Xv-Q#we zDLX>=dQ-W=?=g0GE+V~985}J8vf&8vi;lLW8!7Ft45P&d>vOBjup%0HnsSX>kb`af z63b5|U-@<|3OYWeEudBC_SP8HSR3?`g69kOQ6x@yFoW0=6S>`Egot4LE zrJynEEVE5>x9tV}%7U)YH{nQvWjm#->U)y1 zrk;$kik2OTC4|@ygEP&jwu5>n+g0DVd;Ux!;TA6tG#N}*{)|E%zyTcNNDwkn zJhs9K)Bv*je@&}?KajU>$hVI_Kynw_gg;wYFVH#iB|2QA8bVec@FZdC4(0h)5j z*$SN*$AZd^j5lE6m!Jn<&(xO`faQ62Uebp!kUJD*Gl~2u8St|0SrWILU=rLl-ER8I zDsnr;h26GQa>H3t8TmawgXDRt_%s0>xxWeiV5RbzB{KC!UKZytz5#z}k79{X-H%H- zl0GIqKfSAQYP~Azrtu$$kYIg_GK;&&2Mk+;N=>~{JKTy^d5TO+?4&DVE#!H~3xY@y zuf1`OfM?;CDP#Bld=`sg_s_znsji9l@6UpW4XKCT)Fhyv&QB~Kza&J2Aw1YtLmL9J z7;k-1JgKYu%&t(S@#MV(K;!$FIUy zQ~0pDGY#iIAl8KFI1N|l^}`2ECY6*fZ-@o+cF_p+HA%ZrqB38e)!0mgiOQ9c`MPc&h&=2g%_J~9{SjHA4;7qhQm9?GXJG$I#Qx5{Vpnh%XG0* z``3~Dz5S?>deB@|#p4&zUj=VUmOSo~{leXegZVX7=}X$i%10FSHO8MZt&F#LkR)SD zZ`)X{&~Pe44A397-*Vya+O+oo|1QiSTiKHU91SyX++!&EP2pdm(=LGv?Kh-t z`%A~{x9M_k(Zxt`POvg@a^)~e?vB--XCP+qMM8SC2lD98;vhQ=OwOlaQZ3}9oxd+Q z8Dyfy@%qX7!r~JWGkJtOO<-{i20EIRk}D zB}h7eyWW1$WS54io^djfWJK?{D(NEWE4UKMM|lu5*8k4z?YC^VvlRTGZxxTk9F9AP zD#$)N@;5Uic$j%ls?D!zCU`J(Y_HrVOh=~kz6&Kvn$^p+R#FftrU5nqG$H;>X^jJv z+svD#`NMqGAMOI4a6Tyb=TiJx^tt@GQZ5-=_5Zw69(+D(bi5w+!kxj$Ne^awqKP_) z>%b>D8fZwc5mcji!VmzvXZ{N@;BE#b;2pJcg}`3QfwSOeQUcCs0w+K);&GoQcti;` zH8?@b4+DW$X!9vW9oy3rQZCID@+hg-H3z@8nh<@?SbTEM5&Fae#q|Vi z2g}pK5s|N~N+g|M`z-=AE=rnj>u%DX1-^|8r9ZNfcrWH-I(k>mYI%gotMRn+W@aC( zsp~AK8^g-Ea{6irtG)5b-Vb_6sjA1>54GD60ZR*^;#biZRWwbx=V+IJl|K?J+a83h~{e}n+0&MI8?q)mmO68MS;R8+$!B1B4B}}_3a&N9nr46`-XX8rtuI^brV9|vi)1s z33l3Q!}8}H6MeJ3{jQ|QKEibq#QXmoD}@Ig=ffzLg>1`)k2P4m9W zlZ6|2!{aE&n^ec=UzmQkYEWLKJI}U&RT64y(eC7nhb(Buj;$eR@203smFQb;hEj47f-C~%ZWK5>4!*LucF+{$QK}( z>=P2k7Rg6hW7CdXFY7r)1uvNYr3^vT<7f@1G2GP;|C;|Rhr7p&vQWRYRbyfPQj$m_ zB%{cTecz=;!C0es6tjgJ-VvCQ0CBuzVH9F;mDRo%60H3e67V0(pM@x305s~>WayL{ zXcrI?WM5TcorK)QU9FU8x4uvn6agkEawCWq-SksJ1)W^?78#zkOAoY##y zNDCa{&G^DSuudxgH>5j<`xGyn(2rtV5%Pnn8J5{c#rmYt=&jCzBw9Y%+t+yaf`(Dd z9;PHf&;Uh!=4iy7!G!g|_Tg4p0s%RtNHhW0x_U{C*&r9k>)bK|9k=Z~{yWP4PO`wRAMV2nhf484H`KgZe{rCJL7~xU-dJV|zOmk7ttb z7pkyD5#8~6&ZHLOrJwi9uB~BZZM0IJeTi&A6l-Zf-Hcgd9T`q3xFB+Mx%&EuxwO;p zFv+q!%1IRd3`o;6JU~SogECZBs=1047mSJ+Sr`?-5Tr4UcW&!jA|H-gUKp@eoaUza zRHaMUlm}9|jW=EGSggj@@f7Jy!>qJ*W`$iqQNzm0x?Ms?qV;xD1NWHQ3;^E@*|p*N zMBCKw!vN6r;tl0GW@n(sa-K;lG(q2cf>F_PaR*iePO@x>g3h|w%sM9(g|aEh@x;|8 zpsGw;909mq;U-IN2f}5Zv(>uMsz&(N-mi1m7c`BEjhC>}p8>Fnt{zwhd_&57eC^i| z)9fQ`kq`H+H?3b)MNL=cRZcCe23z zTd2!0J#{xRiG?wF7H2!87=FQcp$|D=npWUlG?!>?oX+UjaGw0J;=`!+@ow9x&SBh^ zTxd<&W8>SV3AM@?577(m(lVre4zF^En}};i-tJ@4eU}0 z!5J(;OU+TDu*tW^wsICd>#6WX3CNV!g(yzR_4pB07j)r=99S@0ruy=$Nl4+A1*ph) zZNGX7`sm4YD5#NO5rn<#_~UGUOt4~8Q=gK&1g*yNctW#kaK=I>CbC+u#X2FyrT|Y* z6GHmWI~TYRTN|7O1M6C+ns7?q1@G${7mxi3VypGmi>uy->a_XX5{0ivik?Mh{MT%M zurbbiq?*StdYS74OnMx?+HBm+i;woc!~34$+K9iAswfQ{w!p z8n}{W=O>`bTDD#Q9gnGqf0SwOTgV@e_oBtj3LwfetJ zb!Uik<`Yxi zjst3*Cc^@9K+z-qA8hXTor3*frM-ziML|bnhMBS8`V0U+m*X! zDn1`Mn$nDC8#Faj2XX5~@GmsMH)g|Z1g6Zo_N}^?c0;1bRj9*>B_n!NbEXUfUCLNK z+iFEymj1kQ-W`yzD&n4G>(Q00?)k{RSG{=Yky9gdeG1m7R!lMd%Kr;nFbmA&alP*n zD)?Aovke>SFa%HfN%*M!MEOX^*auho4dD@Td7PvPJqQ0a#Wu*q_;Fn>gOSmjc>L_R+k%5Yn}!4CP* zLl^MkofmW>?21-9PV%+iGiR0RXwG+b9fbQ$9*33gpR=@5)lT(4e|5DDY@^#Q$ojgA zf;T0+94jxZQui#)lCr(O@qB)<>H6T>G6sN-pTp`VG@@kVAvd{`!CjmX3MZ4YU+yQ)5`$uyUdvP5z&jG5Q@u}-wmmP|+c4ayZ*TexglNqn_LD zMQxg8Kq0RjF-}chHo_v}u)@q#OOlIVcD!8e(k{}(*!E+2>JG!9Khvagoce(qB{G34 z0bNe3z-h?OXbsA4W&XpTRc1%#7>Q6YoO_EVVH?TcuyVwrZ6`ZMl(QRBn(Emu$)uyL z`Bo-ruf1cC#X);WAghup=>$J8Iq2l22BMPcGzi8lvTOb&exr-A-iWh=RD0jHuH(lj zRTAOe?;Pt9(!{bvj4semgnk@Ibl%u*v@9s9D&_YXEF-t6>o};rXbNhbHc7DtKun4* z1atTUTk*+*^X^Q@G?_)Ab;3pSly;S+wSgzx_}Rjo<1Z__8>{L$5+(OOWLD!+8v9d$ z{WtY4r#HvQ#S4ZIohnPiW~DT$9{k%s!WW^68S$(WtbdC{QVNt3{4MY}S zB)4fIRC@PpBSO&9X3c%2C%3I9nAf;lA3o)C?j&&agT5`##bfsLHCw}JIV*j7a3XCC zw;6?E%cu6~S5Sn|cfXPe@h50fe*9vhjjU(RqxhDSzFVpYY| zr<(S$sg89vpVy_3Dq>%s&mOL@1PL9~19!uocGYwpbid+4-|n#BF`eeV?V>$ouXOC- z*xPc#TwYM10ehlAXHws1bwHLc<>*}SxY4+E7rcs=O*oJ;bX}9d@8D(AZBnG$Y&pmO z?JQ_8@Lk16h5db(1?X~{3>kkdb>M=nm#0-J7Vbj`=j7d#?Q`9VqnXu8X?;ILTUGht ze$@Nwv-9JNPNzr3A-U~%2CXa}n<+lZo}!f0vfcve#g&WUwM)>&hk@##AkC^ONU4+A-3wEMJgt9l3BvE9C~ZA8I?mGr<^Wir^0A<`2sPo-_rVU78N=O+Poj@X4A_ zk!I>JZo5$}m!~gF40*y^y*q}-G?>TDnpD1)P>~JM>q2cCq+f2hGHgJf>ZG(bId7Sr ziAz*lo9+fy>Azff5k^i>)tR2l{oGPPTxoTdGqt1I%(O^i7f1H-^0oMHsF(=}$qUtq_`IWS5gI?!_Ke7Jvl|GO5R1awAc}#tpN;|B!k5k#_oZsu! z6<~Zw#5H4D@dFzY-M>YOvs>O*@|73?pobnPg)TxG*1jQV)KX%SNH z)h~+K?Z+2YvtJ%}QHQdjKdbVE&F z^P)VIE}z(&NtgTtCS<3UQM<~@F>$JKF-1&g&YDrBb25yq7t z#F?adh^WfDX4#fSy3BjobW%~}>h$YJuSCgE4;9uLZj~BwEVo0$gsHEUO2+s%&sn2E zkw;G}?`)rHiqV`Alo<#fU1`a$h9?nzxqA^=wjLs{EpL4AZTHE52c^|qrCXE$Gcyk9 z>h+UDi{_hiot(}SeGfBsJ*5L>Hjd9oXgr-FxkGL!4I3)oUM%nTJGt-VnW(6Wxz%oV zdFkr^j?a1)A%cgY+a8Z-0=l|BF3bWK@gZGJKv$V`Kd)t_-NTX#%bxYd6p}zH=MP~X z;*-|XwCGrTH4>F6_B*6fmRIw!x3?X%#0{;hD_|`9?AF7^%X-sa>|jyrxy!J3hxAF@ zi{9hUsBb1<%CHPNNL(K#EGL;nTt*MSbtg_UK;7UQr(yHwsh%TumuV)I;9ZXl_QpmJO${uzO?NEuyXW#d3w}-6xZwuKAj>)Q@EW* zyxN!|WWoqV<3ScR(mojdS=4E)evkN9EAC*wDdJl#EMrbbpX zIh{F36taZ6ox`?km*z-zYQ=_gdBd#PtQk9T4zpG_z=Pr43V+}OcNcF-x63Kr;soaE znYa#bCFavE@_;5o)6;Nqi?>t1j7HJT$6hS3ap_wMf%CU`ttM{S+t3}6iLj9GVUb## zBO2|vXE&fmI&XN>7>5S|XM*&DDWd|b4ABoL-5Bao0G?iW1)%JXbLd&Ey+N{447f*+ z^+owQ=iI8R7y=MSnUGA%m9|(GgAbneKcPY@Zx~%+G|AENw9;{sDs4AoN}{Z;Km>WJ zGMXdH6W5p!q?s7&jHyDWpzXKfc|N^KO3@}~tU`Rc?;K@BTR+2!5w~)7h{^1#qrOFEn7@L~1WXtYwUWJ;}mG0tf9Axp;tB?Kt?HIYMgtkL= zcd9PW8E&lm2|==1Yg6BsJ5gSl4EBjS?Tmk|2U25VU8l28rh%_PBiE*Kk{WQ=!+%7B z|4<3uasrEI(nAQCwfuMY|B1Qgze4gyZt#1A{X@YtDey5bFpizk5CbAB>`4dUd1n%S zE|S>TdESP85M(7Z?`SMsaD$?$?KjCzzYAnE>|%UfX55n{@!(G~*gX*veeJn_$hn3s zYmd+@j*zqs7-1xYKIWBou-s~Y1jc}1q$Zr&c9w=3JQjTep7wp7*~WNF+Jq_)4C@Od ziFRbu%XatGP$ziA!zh02;~$VJ!miS^b==jdWx-`K25{g;p;O;jnY_s?*mpMq7(c~f zFLLp?du|cNkR-~>2q8C~$Vi<$T68Qj%9II8cTF6Np^h>j^W$zG(FR6kgJD=UIP`C8 zfRq0E7Uu^R1hab`w^AtJq?2}%_>nlIr9j=n%Hy~;_vQI0)n}JwshibI3%fPkwAn9R z9@fxxB3O=s#jLI0*{faFms&XdKj<5XXRfI|ai|M=!IEx;MtlRk2h_jbv&G1GG~FE} z5wh@KA!lfKI&S!HUO=(-;ewks{P1bH%Kv%+09uH>vaYnSkhW-<{$B9G96yiIT8f?f zO-q5*#k_O)s;(_11y$~hsL+N3bV37aSJLpEVEz2CiFf3D#^i46VoL&CDE6pkem#`x z)w^kr;O@A_$J?3D45;tQiyH8JN^aO+wbCmlS+*|5OHs#=D+Yx?41~8n-4xz25Z^Y^ zkfI=^ps2iw0+<#@KLe{gX1y{eooB7UPUgQZJ}TE*T{alxk$<^H9LsFX3rY!x4E5G& zM(`iBUusRwJI{7J#%##BT=~v_(_g`!{KaG%V#Yqg&sM?iNo{ZRs@%SuG2tQru51xwm$r_Azvn?A5>&ZXL_ zob!(71|SkK%oj`n>0cU9Y+IBWTO^5i1!Nz>m$?)LOBVf)%VrP)5Pcw?lXIPwLksT=L>GeS9LXbHF(D!0>r;;;0f zxGKqBF>CTEO>LQ7wy?B5xs8GiTNJxqmd4it`CBqRdLtR<2yI9>W{S~^oaLkqRj;+K zK>+|G4?&D+k;EEUl$lJ1V2MGR%@rmii2;X*pc9KC7^g{?&tS%P{wK`3Ka2<3em28NA!1H=M}Qj0ew6jND& zDS2MFyy2gf66Kw@k2(U+O2v2miI=;F>+g>t6%c-@6W7FBEdJ9i45hWRpdma1_`n6s z4v#w|E@u6Dl*pkGvyQu9Ihn7BI3})Z*Xeg zumzds0P_OV;%Vc&NTsmcXnUo?8I5Jnl#+9niKUz3otb4>s_o#cNPcxcIC2 z@HdiMoD2Z8#p}ZJz5M@C>b!Q6q(PY6o~IXs#D5zzWXN#^N<5>A0w!cH7jVYH`EukLo`jeEhpFgUSo7gkrQY=JpSIi3WDDX|581^+A1QZ3(1_2Epm=7yzu9H3mERt#mbyf_2^!_S0t z%W;w~-+Er$TG7gDj$7G1~KIf+dIi+s-e+s5IQ>_V5CYX_wl6<_s5Dsa0V@gL z+Ln>wP13dL%JS6e`^Cztk|I$(69{@A=B;$X zeWM@MMoMX}4Tox;yqhI-)+m(SToBNAw#H2-NVV)bx)OUFXD3+w7nW@2^SVm4X|tg= zyYG~QlX|%Xi{zDqa|h2)Six3ljk7Zon)>mHFIQLVohxLhy&6y-f+lYgTvF_5mw>Xv z4H_%eg3kvuM!x|~3x{LLx}zZ7B;o5JQ*$y!6>_g3%5SQ@y&n5SsJ4JpcX`*oJrv^QEVh4sY8df5igjUJgI{l+?}VbHb< zSpDcJ{63C*^TUAt5Dh-U5v@e6d%W}dR|V>ii7b`J<|vU&6D83*--45foFxApii zmHSZ>ozwpTaXzWL|EYvmi&2cDAoMKU@A*>$*I?Cl zGCpZ81TG@mge?`%i!3yGg^e?Zg~J=w4jRBIZi(p56>5*la(66L<(LT4hksy#tgOh; zTc2y~`m%JsZ#;R$7_o!hW(qFW+KQ}J2vwOH(Jc-qIYv)(6!q?qzZT+NUyVLFcq?xOvot1GCtJ9sQ{iG#$ zWJ6*f-wahmnpp%?X_yL$e%oZ2F`QNyw=K{r5TWgb;;UeE@Ww^vD z3ATG`dWYR>1&LXKN(rQgL%-YQVJ)F)gFO!Iy@A(zzj{#4U=}2^yEYB)K7M*F8{&Om zgJu}GV(3>^FMJH7J0H}G2)?Qq+SZXY7=4z!rgnrt2N79TZg1EPly$kV_Y{4#_TF?o z$;$-`zdvh52NCx9+DltQ(n@TB8tmeMPC%mtr2KVM98D+(_pT%{dfU>G*R_~Liv@h28Yi`&jkd@&i zb~5fu0)ROy-LAZ`9OM4l6%~Ehq1X!-2tqnbd`esRJxyGODLG*iJSSB>OB!&3I9Dx-&;`AcW}E{h#=4b;cH zk1k$a#|d3F2WCd>{QC)=gIZSy!7tk{-DrB9*&KC>Mr z$rT1)8nfJmabo^VwTekig-(cXYq)G9&CS;m!WV(GVp#-5&&}Mzz}xl zV0K94uofVKM}+n(i0jar&2e!#&S}lr){RKEu6`sSg(St0$8}=%hW9BHl7CD3rcqK_ zM1F-So@w)Tip*cX$d2R}QbypXuFyB2N)5xgbh1WbSC)vD=Er{q6{(i%B|mI*z)7!l zo4=!Y8%?ji19W_0=JK9XM=m5<_A$Kwp&d%b!}ffDT>_OwbJ*x-nW~?EIHLa!iR!i; zKzvsu!vm?jpUuE*N|k>Cvp|)fF~y{L-_|abvlfT!uPTWIpX**wC}xM$!sfr*{VZuF znl~tGe-|QrVNN`GP_?RrXKG9aMsjJIU|9q4zLOT14WRJ(p;Cq>8)ON>7h2 z@{Nl{)yK8pRE*E*`9Wx7HZoVT^NiDw>8}0hF^a?H;6UNn5-<%ie3D(LNh9C>8o;su zA%f6`A1bmkr%tPxK552UipzYA6^9+xHuJ(ST1LrCOEd`e;O=c-y&`~6*mq<%X#YXK zG|%HH>8ZrJP3C!e%tYGI+T%*f*Y`V4e0H=s71^A7ql=jeoclKmfOz45z|;cyltq(; zg574L)kc3aTKk&c6zX>PWH-<3Vc2teK=fkoW;2A0?RPY__LVp~!#+-O<)eaJGx>-n z3h3zlVhTh^;5_m<143l;qI-i~$2cgx;V!H7ki^@k7D#*l$G-Sq0;GloEZ;l(_2(+^MDgMBTTtO;~k_*A!+l!A3oj^MN0J3J?Dd z4A6kfLa;>1TFieTeWRkrJ=!wH-;O|k)=EjNq`>=$!?m}&y;G?1b4|MG+?%-%<}7GR zxl1Fv$U^Sc+SVVf%>ncbhF;`tx=R$niz;l@)(WFJjXX*u;OTa$3>ROOl3tb4JX=l3 zUlk0UTth{)0kIHU;g$tyVbZ{dvN>y09?=Hj%YVN!p7*WbC(DNrpzAtkshEEC7u?}_C>9^@B1L5;rO>4b_TYV72^R{9T)_bwKFAYZz3 zQ@wej4S#$aV;P&&ekVuUy_Ln@v35(Z>B?mja4I$T`?`-se+bgl?JdaWLR$FNc-_7` zm>1cgPy3y2305RiVrtP~SAnD$5eooRtR+M%6tG(Pdwe<`CHZl;Xma;Yvk&1sGi(l^ zkHF0EK4DRylCa-6S$OamUd-K*;vwW^jVO_%Q*fO!OJH=Hbh^QztqvxBFQd15;gUNVvZKPdMec&60O-45qj~AJ3&${ zF74m1`HtU+EOALM_dm}GIz7_oN6!F*7@BSu+b=Y$BfK1z0>kKZR21~?e6qWNkFkU8 z8e1Q0vREA@w402gxts?yDkS|UTGMz4m*poBU@X6jAb>#?!6gchp$w#>(GrNCr+v)pyiOSQt_T5e_5140> zt9kn(47>u&makNV;~Bt5Vi&i8}sH1ApZnEZNp_83PU$Te7>c)y3TWV_gSh&SsrJNNLli-g~Hd zkrhbfLambu)%<*~VrVv<607XjbxP7mn$vkL&rU@B%U|4+Yc9pp)qslbTENMCmXh8Y z3WfRN7*zEiQaEhh8haepH!FDF`Du02g>o3N7MJ?ooQ@6IHMvy`un9#B#cP|hc-+nN z_Hpo(r2>o;ATKhJZkyd3QxY;i+nETjdwo=KgC*4Njj%IM231WN-Al}7!bo4Oc#cRB zLoG_0=FaE97jMFJZEsHcN-T5rE=qw;TNmGW*@eE<{thdsubtiE#ZsM^^Sb)vN8J`$ zoKG)*r8v(mSd(xK{~+#J*Y7sv_8*j;Byo1k6*i2f7lH9S)i8)xz!ougynL)2Y4wxxs>y`QouH`WmHR zejhIEx_>NWZ@H+NQLDbx1(5lJW_wwSV#_vt?+YI1Ay0~fs7F}lHqEzJI{nT4FS)Ja z)HTWu+qmJYkawNCJF%(r`|YccfpN_Ri;@Oy)YJRscrepN_nZ!EVQGUxnn+vgcCv;? ziuSS7%?-Bb)VJJ=a&W|f%JLlF#=Dnuc-vQ5I_sA_p6~MscsxOJ>E969woy2 zi3J>*Xl2+Ck9!^+x)wF*3sGp0LJV-`q46S-b9-l#n>WSN;0wL|x`&#%8~rsvbCYi^ zM3aU|yGv1~odU7oz20H6swG-XE!56YkI3hncgv-;1gJ0{%DstoKkzQT6dJr(v@xhh zjE27Aq5jvv7#sfD>5{E>@9F%`KS1r$QW~5ZQA&v-gD*Udr5{~YP#frx7w{(i1R!!nY@aehQ!xm$NeME(;$^u>fP70#9=7 zjG3_9SLnjlODJ~ADiq=CecGPGuW}eW6n-H)S!ej#>j>Kra#rFJ{-7IMd8ka@3L>=n zni{^$R0@sY=9-RuCFo<@^GS{khOX-l!wqx_vM*rVTYI0fGwJTh)tLh&Q+?H{dmL*Z z?2L#tfSR(Ob2Y;ZbMqLd(w$m~59t4^1pLi5!aM2=YwF{f{vz>0o(PxzeBK09zY`)K z${$YQlzS$UYr~1OzzLW7Ha&1Cs68)?gzdDq!-Y@A!C;j;0QGq^05xYz$yUzVo;qI9?~#-Fm3} zEL7HC#0GD^D^TGFu1eFQbXgf$^{3VsB3S4j26|CcjJYJh3~ zlUs;rEC8dir!#__*xP~4$fJ6`q7_-_1grL#k(_6b$ZyNfn54xp+RN+}N>v1k4Q6pDCC^`4$@_3+napnu!;Z!0(`v5#6f+U+l zIcoa@0=%j%N9GPFxOI!m0)IHKDpVt{3|0^+9`;3&*P397?hVTh<}t$~J^_@5R|(Bho@Kl4=!!k~ zlh*V-3?bPfcsrH3U#aRrG%fxPS%`u)^!|)G4cVrh@>d&pHij^x+u7Y)Q0V76R`0iY z=v2j?-ACFEcOcBKI3>PZN6!O>AJ0s=c@33u$WWTZh}`rKZhHk#y0tHp3i_4XgG=_D zJ}9`UXbkH53`M?5gXYvo?5sI?_Z79#M@8$(vz2`Tuw&}o*<6=rnHe!bpIln)x~2e- zQ&z8VXuVNS?4ahCH98YV=XPnjpH<*%JT|%BtNE|2`jPIuKyrf+cJ2Q8WTt}{=<<@S z98dur@H%v)?ItkIqCDdp*I61A@s&pJCGLBs)=Rg4?;&9UoSlj_`#&5j{!xOpi2J_2 zT&R*@cCt53zG_XVu?;jOYa_*TQ{>^3Ir@s@?gj6wMqFmy76u|1Q}K8Z&{S?R`I4{g zzRj_nZPIKo+SA_q$?R*!jqaXWxmw%q_a1H(r`jbVf(Ew1aP>zPrXdW4v1y6ryV&`2 zl5!3@Hy8PPMl64NxM?0Ei8rz=;z?he(7;_OHjUaxEeH5H*jd)$OAxB=NG0 z`-n6g%r3X27=(zpafrHf{^a^?>y3Zy2S`%JX+9#;8v1VQ&leZtYBgz~;w^nZEvPi+ zT|V*XA*ZlmFE+^}9R zq!tf!)#SUX=R8*YC`pr3_pf)h8pXpqw%Qe~+T4F^lGoGsu+^Q%ZQrmrb~vbBDjvP9 z`|n0>CKvxRafZyjsysX-#X7A63?mU}0+T~kl~&x*UlW%^JS z$lm4X(a(f3&n>9F$Z61(TSfC`KKCp~^V73u#rZ)fEsviOWKTWE5#2_9>d-klRuH`1 zt@}MnV(}?%LQd_;DkPQrx0joHR4FUd?d6LEY=L>p%bg_ceR=q|Tssncd3bR8)Yg|k zSRT)ITpC|51T-Wn{hneR%RnGvH1km=4DeovcpZlesPghL(w_iQLvo~;M?Ln}DbArx ztNZ1@B96=YxXt^oCs5ygRO9<>-qIq*d8fdO#c}+h0S07x07yI^I$M+`kxVO1L_<5NI8{jV}k7lEJSf5fO_n#de$%EBeETvRyJ3 zU36Q;`rF<}?eLT4Jw!-aiove^j`~~0&={%qhZycp)s9D>s1taWT8!1XZdHoGvR((8 zC8NLI3u@8SKf_s3`IMb26PxDBg-q#ul98zt>@;-*3|EqsDM>6XQ@mEyo%UmyiF@K> zc}Y9tl1SZXzYH=!bv-1!Rq%5wuG{UkFi4PQG!IG8=T-%Q?JOE_7Dp~nVapG3ob))-Gc%ZEP|vc+&z!FQh}C- zvhD`!mnvsh+y&aq`wAp$57|M_kMgmnAv1ko{>`S5$NS@4ffl5<)*WK6~xG_WSI! z*EsJ7J|yFYkxb^i=2d_H;MJc(*mpT}22qErB<`;oO}k^0S@Xz`A8??C$wL!6n=Vx$ z=+S4ar7U57`od#;CY$ZbL_-f>-K8+Z6GyAdKl+jNBDFD<(vzyGpJf#15n;P#lGIi)2Ae+hrP#95OnKudK?`hjlKUy5{fG_QHwioDqGG-xQ*>5rD^O4h- z+O9k`R~LmO-&y9_q?;newvfaE6C#Rn`_i4Lxd7^2aNR|rj#%NpnZkc2fUW_nSTyq& zy2VvS=orXn`iKN*K}h#?jb342ypQOQfePbR+#w|nj#6MC;gxMPc{$P{L$j9yctW9n zps5i2Pm~Ud4PF>D)hWBorZj({n1vYWWcKxNM~f&{z>Vy?q>gD>9wZi4My;1sTTsw zLmvn*hsZ&)yZs*5K%yRCnlR&Dq{`FP9sWJ;;!NT9aZRTfE?fG`ajgaW0)UsD;x8w# z-dTd@@BEn?DM2dZy(WQRJd0bT`9X9^XM1%NbdiTxxkVm;yP?$(tF`_hDn$$X6drUC zeUh!wq*{|xN3X((Zf~NJasq|~+fpG$lr15MGi;X3@FOMpi&e+_54(jWwB+va+lJFc zfM^k=&N+%5aJsiR5^ujTvu@yhc9cswc^V^rC$urb&}u|W++$ZQ@7YZeDJ0gC`0$w> z-WWjcDV(=BeV6C`80^`+3csD}>W;Vd&)WCZ7&pPsz<;mw|9h?H_p4dMkXoPP;>D}Z zP-XCWj%`)faOt>Jb~DG>)nL#{6q_zU$hmTlBP!PIYxwIf9zQAo#?`u3Us6ZkEqi7- z0vu8av@`=G(3al&>CPHIb&jSF@;((&PGLR@U^pIQymVcbzUDw{L=N~<@ZGNF%HKi( zexkeB2TW-1)m#U=yX@inkF&QK=b3o}-voYZkcA!+cz!f66<;1Ti%PC=Ze-<&Y?kIh z4a!1Cd$R%c<0U}-c=WgWF*+nyYgHTm(rSQG)TBv%B`a9yGife4Jk&+_c3sxv#|Ae@ zl^sg_oVjteX*!zBzzu{=KSA~hMrWB>CR z{AUtY2=~$$?|x}d2{F`ne;~7tS}FwyaY@&Nd&zj2jHUnONj?5xhEELQp=xcdqJVW62q@sd}xCJ;16V zPpCa^SxvlB=x`qaf0So)_E4T^$&{XHI=v)9jh~Df^+s0D_%Yae3H6Hd^p-mg9)&E! z3<0MN;2C&b()IkONs50=EB!gN1i`!ivnNt^MzFbCqzVQ|EsEON0KNT%A5hEQgg{~{ zbnI%tAc=VAjp=|%OITTU9vw-W2O?>_IB4s;0(WsLFhhn<@9eAZ*mv9)LyT)6?-0s@ zkuQ;w7~!fakKu}+AoRx{58=r9V*A(ygeeiUot@RKhgY7&mu74vS8cz;-$B8-Djylf zT?m@Cb}<8NrJp+R2BN}}VZE9c3DC<1<;`hcVroQ>-^hoU8`8B^)`ypyeu4C5LmJv+ zr8A`^{G)GyOnH}$AjRg>Q19P+wH8b9Vtv zLBExihX~nbr|3L?_iQuc-W~{K^_VREds|pbnt}J5a&?u9D*;No<;6<06S{Ejq+E>1 z2Ia|B8q`Q|%4W_o0@LfCmg|rv^8k;|fv473=bfe4==?ELMd(|PxXTIx9X91^16 zdr6f*tE4>f{n&iis$+ThM_&Nupa(Ucy)aYIM=WM6X6KC9Dl6@#CC+)>>El1}V8y`3 z5Q+{<^6AdhK-q2mVQYD|LB1LPyuqgUz11u`8@+BS|FN^qYrJZOd@56W)De=_YcaLd zB|E06^viA6rVr)yS6klihVM1hOubLYEa@-90F0N>%W^5ESl$3WJi*{*8u^yhA1$og zgDFOw+hltr!;IJ<*pEWv*{JnKL)GqIbjI>Ml++HhLJ?}meLy?RUjRu#?EfD?k~Dvo zfa4OUr9;I{d6NvGh{j(=IEs(sj9si`k3-O2y1d3+xW$|HQjfl3uh)OEA~o>D1^(_b_m@k+Lx~F2-ocgy7W** zUo{Qb#ionQ<(L0ht9P^U+dRt6{nh`n^srw+{ax2&g_CW2G>=UeFppOn;BM%RF3GLI z=-dM(5ncknS)r9v6mq=Rk}2SY*^FhIum=iIrNFG%ji)q*%rRV7{X9F!%W11zeGbT6 zkLH*3jn6SCSX@w<`M zE*oG2HWf=Th3PSRs#%YL(N5^eF@^5K$?SVy4WZ{)Le5Wj1|$=O=lFF_ZiTEExPMYSu_@Ab-d@u{xN>oI9ag-BYj6Hf zC;j~=xSwF(lF0hIAH5=UAnGO)dx(`kGdATUB28p-?&Kd9%b2I~%%ylhL|adFPWp|v zkY#n2(^4F12_5=~8s2oM&y>qe4IS9xNz$e18pnq^MeF;fIq?IG&DsgP@R&nD>JeBFaPWi!rw|9VKvoV#O4Nstuzv0O^9@#~u zuMXm@(`=yf7q>G2t@7%41WIo&Bvj@)7p+GfRmbF|G@6g?$AQp7po^gbE?gf zgp~DQM(XpY6Q;#6a}FiN^OQt`^PvYWv11AOHDqo2UrxBIGf=>crjY3I5AyF^^mx^g z^F);HHNcp80a_%z3MjrPU-9&TwmR?)#~AGafRw4gjjR=ze0#1XsSWNIBKeqCfvJ?h zoHWJg6$RM#6@8+eT9UIK_^BR2qT}=u7G>LyNEri+n-w2!#YQ{FiEfoQCLEcM+B1jH z?2HyJm{c#p4ZGbBAHxo9r>wG>_F~V-2+S#tP@Ty>b4_yB79DB#U!J>~?|=%!uS!Zz%3wP0&Et*6YR$-ynBd|^vxT(Y0YHA)yK=OeK%ILr$k(yZj)qi zS1zi0?fMW;3}y~|hlUMlmZiZ&>cj7tDn=~Od7ZTtAPj9r^j(P-vzPcbW}qwj6No9l zh)2gK<#4`}{+l~K*g}2xv1_`PP4{wqP{m9{505dZb7u)zE4>DvXD^JauYoc6UQuH0FbdGMBW7xy-(jPW{e(BXoG-=NRv=Ps2jZqku z%s@}YA?#H_xn*|xqFGK}x@;uu5rVAM)*}Ys&h?ROla=H#69eDHm2^$wBB1}*RMuH! zwA8lP>=#6Ajn8Xw&th}x2z=+Lqq7_lMkQEqeWHXgzxWfwzy5PEF^3Tz@Zw`7yA- z{(lLzrjYwW0%YS1OZT#^3xV zk0IVInKJ(-k4Yi4iY&WzngFl_=vnjGy{~!11D}aaBxK&uZ}hv5-o0%YZ^wBU{(gU*sU{JchLY^9VRz$JQL1W)`j9bt!+H2Wuc>^FdOqVVs@V}NVI`P(%i$xzyc zhB#1-&TimG%l)BnL^QTCx=_{J5{M+1d(**HX2TF&5`+lX_d?%GHLSlm^JMVE(AA7( z2EFR4st3q}18!!1rMa)Z=&Yyz8TuRs)&hDM8*Vv;j!xL4s1NegvSY-Lv66mrnwU1T z5H$owL|`eD=c+hZ8W#Vo^cMMaaAQR}++cjWYK6$U_ie)+8XZYHrBGcilC&#AL<_yw zEB9wRrI_aog+PaIuiW&!6jD)Ox^+4Mi#*?LfbBJwtCY}mC!b9G&{~T(~z?oZxbE^N0Yz#_-$mG9+9?B|lt&R~& z8dwpl@?NBkczbit&Qpm04wHeF6);I1TrzQF|NXvcoumlOePt~mmfF}QnB(6A za)G|SiOGrwD;ubKIM#87>W!`h9Sg_`b#_sW}n6AbbCQ>gr0 zDx1g|++jA%Casgco0(7qPhu+;EjTmgL1Ac?_!xgIZ+P5#9Fd|J?4i zMoHGKSeionSu*nI^zea(sNMvC*l(*$agVM!T*vONP6=M0+cjDESc_gC2^+EKxZjoI z;x1+{Uk}Z%+-@$<@2Q6hO%=`sY)s7iRlCjeCN%(|JjZ(bthy?l^Pta?FC)fWDDHLn zNpb}VhnD5xH+-}g0;tEeYnG?n zdc-arS!AKuy&rOprm)SgvfJAQwi}5B%&03+G!Piy#jQpJ%;^742S9HVZj(TmS}osy zBq@I#ba-Iyb9pyHi3`pfPP(g`+0Dy}g#79+WaZTUXR2JOCi~dhc%gPm-}mVhQhmhGkhW zW1lEL4D(CIw)-i%dM@=zH!0U^f!3%t`wyoM1LCJT8&aHRRBjZY<+ayPOZ9n7zSf}fr3Y_G&+mspNY5uoXXCd0*%(N?p zNMry5jq8TPOR=dupotjM83i++e@9rsv*BYz`jlD<0Stw{oe3cC5OEb6?FR2m-l^LF zV$x8=eC}NWt$gHR;!uVPb2E+m`P-`bc59}%?F+A+qH(`FL6EaH7SY*n7>u?1**l;U z3=(fU3_!9)9(`%P06pJAp0;T97+5sAA5D2#xZ_#a>V>tS=*Z=wLjwnPlcDpZx@=-M z?+aHc8&dP`D~ZmPn`{mm94I-N&|hIKn!~)hJX1V$AfGpn{Dex(Hf(V{vVPX=PO8Nv z0&EuxAT=UR)&*3J_d46Gc-`lS=`?R2Zv$ugv)2Q@6T9mp`%;bB{zo$tnDLrT>p0rm z0C{F&yCA(`!L4V*I|NXhq3Zi2`yEp;`_%u@$Xusn^TH~z z$94`9KAI@OunDbK8Ll2r0$iExxH#bIM03ZZt&A0^Zt=Q;&Oj&*;ISwED z>FI%5%mv>!xHB;_OpfOSoB?B|VmM18Lfrbm~i zGtB&sBUDrMWyIWqvbaTASY;XIc8c=@E>Y2969NsdO{6u8=}^8Q572=;Mc|%T z?|Kj>csH|f!AN!#2<5CSlBYYug)0?Ebum(=l_%(pu?3iz)?&mDF^y8RfarJ+_|k?4 zwd*YOz;1d$w#0lzLW|}pwvvgF@!EE^^@IdjmYMR6NNTq0FB#BV)2{SasE*AGiO&drBn^YUinI*%V55a)QoMY7VX)WM`FPS!*ICe#qUzQTgHj$4fQbR!PpF{b;gh z{nB5|@%$LnMdU~c9ufSgJ7C0e-hD2i!uaiD-Ul%Pl91@T{p2$jQ*r2(PE)d{QI`r& z8^)n*D~VG*l~G@I%ssYmArkeyMKBo+M4w>-Wb^kQ5~V2Qm9uX9?B*BxkWJiVtILfB z!%h|SMCK8NYckZ01qgh+gS>J4cfT zn9?AVF*^8*YqR`Jm-4lI#v@iIT{%-gkf!8*K5N%qYP)f-)qGeZ^mIF}ted~-d{}fl zJVJ1CaGucpht{Y^C|Svp_R3|($&dVkm^wT$#S2>UW*G>uioTpTJIgjyXygHh|hep#g;&N-^HI6XcA*p1F70GwfP6$WW#vA zV;%F0GmzaMVUA?k;@;87eHGMTOL%e#fqR;hEibOjw{U`A2so>YSgG0r9Ok!ppM6Q6 z;L6kzQ2y^15*#G&U^|f&Mq9%Zb}$EGP;|=k8n6LmFMYic0&*F28DX)ss-eQ|pu*YN zZ9qPdr9a-%@!`Zi<6^0>r-!~uG#Qq5s4Xxe!iICpd{M7D6x174Ceg z;W#y?KX;c1;FO2{0h#+mVN$i_W)BxJ?UB^wDwdo;bX4zw~z)Qy)?HxU0*` z#^bp3&_Xu_90&Ks>o!xnrMwrOZj(`{eU1c~dK?hsoT1dXJT2Kuv+)=kYW(4s&lZX)Ei$oMXpq#O*@U5 zH-u!9Y)CdR-=?#O9bd$=uVOJOE1t)?+dsqYtT!T1+jSo<{?!%o#*kl4eM3dS*_P~{ zo!Wbo*JB0ynGXD|bl{u5-$t%~h3&sng11u?#X+Je=<&oq(E0YI4M?i$Wm)m7r&OOX zG9^RrB1Fcs={x~PStg$*D>y81m2_(e0h}js0dr$#B1~3P$78lr1L5Iz)HPV=%*RzO zV51M-^21>Je*m5|)qmgqzNA`Gcp~*xrXcoqMN4uvq@H*ESLKSAG5omGg$?21l0=}_ zTj~cv96mG_Nlwsg0(V(@4|f{qXsY6Vf$&A+PD^Z|poS^GoOKX^JJ%5CvOaXapI$#g zoR*}8$ZJL8*W)LEtjiMfeD#43r6dZ(f&`y^j7>=4*Y`>5%2r+m?T_F`k_>C+4V?}D zkjF{QOIPl7-I?Y}_JlyleL&VHb;N=Yk&@ulF>?ehev3LYceZ8A^sXWAd{)YvMG1f40RQtf4upp|yZxv}{<=%Z)#EPw(|9+_`>29U#7TJg%2pp`Iie{NDxxs^0>E4O47(ZNd z=$&gRm8;e5^{89WESq|8#wmeoEB~t2`qsS-z>uvH5bUlPK=+|3VjWJx;`MD)hNYUj%qYUf4C>!w<{pbgc0kS79)KI`Zjtqvfg4+X5W%ZqQ!)z31? z?<$%6%WR($(kfrO#)XiVdj95roA4{+ep}*OTD1b5_;P@d5w>j)c|;iG;Bz6l^^5ka zZ;P$NN}`L*R-(@8L4l@$gQd#?^~opFT|2-OJ9HK-+;_h|eWWDB&QO)Ke@?z&eY(H1 zMq1^)240Aer3)=g%MXRwS4gK1@c3XG=uKu)PkEl=z{-_v4l>;zg1tN!VmC~N)HT(! z#ycOhrxfJgu2?y8 zP=ofz^q`6KoWjaa^CniR3T(~0Mu<3VB& zWQMZRKGAu8kN=XZY&`EIdJ&5fdmYhX6>$GP*OETvtvoKlS?{+=B@3l9XT)WlgCeu! z@Ck_Hdmu@y>o8N})?}4kgDT?6!GM#Ytgh2bPWK*cb&Em=7MJ<$3dhg~RV_0Ym?P|Q zPjfTS4gq=Ugq24$w)UAUFeljGH<8iTJ(c1p`{eD?!?-uPp!_Su_o%BOJV@8RMjYzg z_Nj2g!ZkA~@J3m1A3lXg^~A_8B@p^^Ii@mVZ%p4USb+x#>|)0QfI`^JcEDFL8RXVt zi~8&W-u3IR*4h}kK+BLdDCIeBUY3ZP?6Q?5^UMI)&4t(nKR zA;5g!FX>5p)IoB&U8hgk`pxQ%mg&1?=a}tLhf~`HYDuK(n~-(#+WciU%Z`=shVRf1 zrTnA(?3-a%{^r|TOkXZ*0&31*gqKlw)Ds)mJ|xqW!z*1Da91qig{AmE9-J`t8W_Y6?lg9r{>v!;XG5GT{jH{2VVN%jLgca#Civ2E=!QI{Zn5hd5Z_6c zB#L%{-s2gO$a@qPa4)P%y|&N2?@aA{Ta6M76hEw`w>IUa(P3&Yp}?g(-?un7tGmKuEDYaAPRkV@S7;`=M zi!u39uNCq_K%!Yk5A5hn1L?hRm~=yt167U3-PpRZLTF@}9SvX6Fc{1;u~Xm_dCKI& zx}C7YR|&2-LF@tI!T0eu!OuX&9X@Yrel1gYFMsW6rSr!674F@n&x;uS`N~@q3fYQv ze`Nn$*KFyi$;0AKJ|OD2f-FBdp?+L6V#x+&+u~3+GXzL|l+bYxUg5n_YuMC$an+{Q z+QiG+s?#H%EKkbv<@LR@j}($AX+sZ=ich2{}Elj znJRK04{k6XQm1+!7$n!jXVGPK4@bGj#~%%%Y#|n{*3d|~A=9UWYoJ?@eGgNA6^Rw# zkbii`ji^y zik#s^CYcITL|%Zg+RzW#{Yd&cxZeBpL3)v)k+D`~alESah}$)rok5NT2;wF7gLY!W zrCQCx!vS+f74eT^Rw2z=@W4Kt%ufcyH^r|fc^c*WFBcW9?OqGsWq5=5EZf46;#eRP zn873d%6N$fjA?wjkdMsBq!$=slR;}Uhl~I!;|hS>oE89OH_b0Okq!iVFLY4hPU{>~ z6srj90vAFCGhp-6syD zzr%dT-bf&Qc-c&{#uT=h%gs7pJR<Kqkj(zpbdfw3I^vcR3L z^|RK{$^kI4@=s3RqmR`I9K=1HVV9Lg&eEUB34koY93W(?+^o63Eb>IpZ0V~>1Iv*3 z@u1pJnExWR#}xlwAIv7tc}NU;#_X^wNSq(!_4IIOgr{441>a$|ZU*?L=CcsHZjJNX zk590G?Z?5*;@H??VPPkZrARLNRPC!j4X`--`8!Mfh_3qxSvX=sZ*$Hcbb*$ch*(_>bsc#FCQMlwqb3r*Y7#r>MqJ^8c_Rq&Za(gK1O<*G@!whUv`o`fF$V8dQgp5(_G*t{DgR@ z-@hR!TegY*;!wh60r+rtvIy*Y&JKJ`x+g343cCa|gLErz73AVouX!}v)4IIqY)`<7 zaE-8Y3-1ih9?7s@o=$!gI!_EW0aT=T-+sDhoa8bbA{a>^cPZzgK<~ZdHA{LdR@ul8 zH+=omvIxoA_Q{R4jYQk4x0bSc3V@&^mQjoacjjXxK%}=*)7+r-=mXG9FS&8sMuRqW=v18g5$n0L@mK#@= z%%;jk+0=#<&&J0F!atPN9R!^*t|j%#M}G*v9&w64xH zj=O#((^_ZP^%M=k67SPp$%PE&=?dQLV6}yxECZ?Y8nv17oAae5Fz-WVhgqD{CL(|E z5R0=>$r7LzN8B8g4J9M~Os%=J@zoT;1;Rv(`k+z^r%ESUZIN+31E7=9g&{6Sl1cab zfL^PI^r|N|^_0Wsf)_f47RVydQ5FY5ku;C6oEyT&!n0Ke&Gm?b;&Ort*UNc3-pyEM zlUiS#ui=KREeK%xY(C2!T{7}m9GPHODWB*t&VG+kxw}U>mV_o92NghDtT!7&E<*9k*kesmt$_tRgr~b2RPd16_C3;3`#sKE*a{a}^d1aEI`X-i_X2%Ft$ydDLh``O#ojA2&X%UW zKw3)rF`I?b)UxO-5nse3S4w7q;lV}UviFYhzQ(w zKg<$6e=-oSoycyJ^B`xA{HuWTZp2*}p&xt@(v|$2=vWPyUdVtRP+4ZpzvPYvAhRn> zDf5onw*;2#-wds1)46)~kKOeL10tLTHRNg4Sv;s`LwG(*aIz`mTem1Qg($0Nhv#}2?0+Q=^49j}cWCFK_DDz2Z}zMBmpHcZsH@-c+9Uvx93Ec( zF63BbKC28Pa4{V)Al62<=j-j8GzYwujAdL^K`Doq>|d5Vd3k9cHu?LOyN9};bZmyt8T`qic89X7u~8Kq!fsU{8>9l=ic_aI+$0e0 zfVMG$ZL)a8`3l$LYR^PF=Pzrg!LNnW;d;`3sQ86*SA@X6y@O5#G{i`ha5h?OULd0d=f6glPcga@Go;#wiVey4w2zWU%^K{HrM{(U9f_RGi-#3h(v_$PrBn8e7v(|KB9DB=Ot|L3!!RN$cKPpqV0nHL3JLE!4 z+02x;vflZ?#(X-QwYgx2=3XG3V{iYv9{#XD-7CNJj}pvR&LuKdGUeMnVZ!hTA*s$g zctoo5FZ~tXjNgS3Ga(}(K*))e!`8_&@qp%CGm%)ukQPneMG2iEQdkgMQ!fIK-Wov^Jy1nP^&=R|XU;CO5ZOpXD-Ig8^XPCzcM@#)?aq9S5 z60ZU*&UUTMO?7f`?mdM>x&TNYqnX`&dtjXbaZ>qmVNser_iDS=QVb8E9Hxbq^p=8} z5kXqhw9X2Sx(k2aa<4Vw#YIck0t*+4DE^ybh6ocb6h4VeUN4fUU7#OZ9B^F@ zFu7NG&pA0@;t(r}W>dPqbS?iG#R238s$1?}D{IL;d#*(8FWv`9(QyRZy-zOS<=gdB zdqcMDsJrmWND~BU)K#THj5e{VT{fD+LZ;P+-rvanhI-Xl`EIOW;cbTWn&)zh-562B?QzaJya{Div;( z>hcUN1AM4yAk}xF+2BPqOWgY zEg=~=bFzVv3?{eubZxPPvxwH(q3{R!QBaLz=6$apotfgG{stqa{Bk8M1NK{#qP38E zR%*$~2-1VwD%B*zl{=em)~63#xZh!Bo6DERT$+-QRiXcMo^}W91m3t4K^%#FIt0!J; z9Sr{(Rx=MA9v;GYjkA}jP4^t1w9EX`gi-~*{VBQecGTrjuA2Iqlrgzcm=@#)H=oEg zl^Q(_>!G1n_E?VO2MP17bqoMNhN-eGAY290WPog4`iG{D!DWd@( zf-K!(r?*p1GF~qLa7Yod4V*wFI0u@FIO% z*xs=%_5!PNi!pxgk6o!h6IJ$-;`9vGx*2_7uk=crV4G z(9*C0(kx$xFUtRfX|gRQ>oL6BpB@}dAdJ2>uJW}R1$Z#81@X@Mf7rbiiTLkM__qe8 zS+_P?Oy9{{1xi0ge2CXAP3MXu5nN^;$etH1ZpsXhOftLUR}JA1aaqR$%FQ%tj^dWe*6vnfqg$$b9P4P<)8O_3&!6dSYir>+qrcMbK}omSri zMkh>7QY07W)wflK_&)1d9x#ys?hqvZWMAd{DaCQS$ase)ALtIIlK?IC!33sQlEGLf z>+wcccy!}=sVOtQ=a5CdmSac;kPHqxQxv+7e^s$SOI}&$z;wR9v(AsNtg}i=PEW}X z(kD3f^32V!>zlat1V%FWDM3JHgf9}z_r1bs zghY}?61n)A8%R&QQ9EPBr0aWR4l1FxNmjJog(YLAD__3#g=)N()N$Ra2P`KYyp>CAQR}qe|yn9$6j$W|;F&#%F!2 zP#dj@eunVM1$jT&{aV1|tsO;Qr*T2@+%t`0Og%*#I5@d&{z}ImW!JKyiwc}Cpkr_7 z>4)&~Hy76{1ok)kX5sg~IT|}L{flRy)la~3WRa31 z%!r@zO?p(6Laqr}Ec=AsMXolU%-7XVF|ff3Xa= z_1WVw^(c3DWs;js!TrK-P@SPDOy{A0fjL7~>H}JbMOijOk`>sIJvqZGoewf<{Tbi2flwfPjy|`LUBlW_W|Sjk-MTqEWj&js$(Uz@gGf|T9Nmeot;Vr;?*1Lj2KgGs50bw6 ztI7PA0r^*(g7a&nk0974k+c?)Wa?>SrBjQ442mk3 zdmp;XejfY}Zp7Sk#>RJC;$B06s5i?EGTied=0g@RTA%g)P;*F-THaFwYlv3%&Ek1} z!F)Kkx;I+lj%3Bhuj>P92N!BX0xEr_(kSwwYHg}$rMI(Pb3@g>y_^M${yqvHlIr}2 zbQo}o_A|mUSf>8s;o~6=fsYT84s}c<-xyji-PI1)=FNifynvA%KVb$^&L{mael)!2 z%9#oN&_po!00;Fflkc07#Xp@8V5j`+%m4Xe)t3OP?}!h{07d>~^Td$h%GXZtDWJZX zSP{8PGIcB!&A)g~>CcBpEKl>ud@Z5pHyYtO?RS3O-Pm?9>}$it3Ox;n_Lk2mN4Tf+ zB8veCNFi>Lb~W+>?J6`PKrVf~RY~kRJwzL5QQ6x!l6fY$IX#v=vg~@y)&FX)=^kmj zknhKz(Yl25Y)KMEJvyG|guJw4x1U*E6MJD0fXRY^J&j3lIt(iJ8I3d*&-RRX=$%iD z8sI&3Od|00VxEHnR``09WJTXC;-*Z&HT4v+ESP;64T0cn?(bAbk_h{+{!ND+E*J$nj`_i}*GXQ3G$1iY`nd)Cl_x2X!7rbgl?e$|CK+6Qbj?0)~bB>g8p4EuM zg#=SD*YQOzzh-`xDf8yV7g%f`d*HrY%1<3{=Rr;IZuJ{5d?;Sqb9j&;fa)Pdh#nI- z6PlF;Y7Ne~5AFXt`E-n9MTY(?enj(P8GUc$r#4{;dpQ9U@!KZ@-{RpQ^{=!3`hmj@ zl8EbMYPd-gRy@}VnQ;wW_$7llaAJ}lsCe)5k~oiMhK5(L3>!5Bj)z2qYl|B(E3K#* zj19aQQ~wP(5OLF{ud(_KIPl-US*;?Zb(Kq{#|5rmFlSQRUyj0GjKrUPJ-sSd*KhcV zsW91hw3$tzbc=9AxP)R~-Q(w!K~=Vq`=|Bgj_zc1Yhu{xfv z;Jh{du+q)MSyBI3R@eKz)0H9mFTP!^7tlI#$bDRMs0Y#b%cH+!@%CphN8QMj4qkEm z%UPZ)VnJq>LsD{ zM2TCQ2b3!fTI8ODuu<@jgj~ex7{=#pPn@qEKfZGIIf!%pO(?WPs`sCAz#M1uLDw|UZw$SQ;b9LLQFv95 zA^3V4ToJlSitc*leJqdqCN3V0-h<~uB?{bn3Wuvb4rC+?3a_pwFy45BLR1-|C&+TZ zqWLhcI8E(>v^O{6&4@5qev18;TW9N}$APf{*?uhJM%T-t>FP7Jbc>_BK0s7*b*fnQ z+}DZqFKhIt>H2d|0t;R1Mc{|o4cYiq?WOOGRMJ}31w6#x znu9q^mS8;J)>%cY7_jSp#(~kzoV0rYxIhy)^u194xIjA_f9N$4<~O)NvwCw7VYojl z+Y^K#tP0Q@{Y3296cGgpQOR$YrV%*X+xlt(G_iyMAw&caLWnRGaH5{YiP(Aq3LwnE z&Q6gMBg~$d)nv`Sec6WZ9o43@iYdH&w;+6x5eP zni$t{nssr;`vh`R2H|JULgrE@j{4*6B}80?=Ds(s`T2z>Hr}Ef`hq+(W4j70b*Bw!|ODwe|fOV|2_bkc0R{ zJ=TA%4_5&SMbh~!(?gO!AClTzEiVaFFY)oDAWHtj2K%>#s;y!!;6y4wkMg#R{(8s@ zIGMiSiGiMrUU^cVcy8!Dx3adc=+U?bbIyc zlIBS(F|{Y!&)~br?$2myYHNq@ck?IPKP8u|zDyV%)#gyH&{SSD3VWoa$2~vJ$)c;L za$pq%Y0thM?M2$!UP*&14)x`jeYUY{nH6l)wNX6s+8fgVf_-NQ0%4(T3ANrSuhw>sD08~72Jy_Hd_doJf?!2nrCq*n8Vm- zE}qV7{lX`h?FVQi`spQ2FuOKj{wn(Nm3vmB_&NW>4e@Vgui!miOo?0D?VaJj8acob zf8ZyBJMA>aEI3=oW6bbA;AKCRr$hEj@bEkhucW8H1xt5?b7q$FW^f&TA01tkBYQI7 zayJ{C@cnj6?s&#!3@hBy2tZxZUUgB^aQt~ziRP@o8?uU^Uo!f@Vbifz06X2 zmfl_5(ji@&y<2!6MF1k5WGR<^A6yW+!cqenRaord6t|vl(v2jH{IH(Jv7x56H~)0b z{|kO9Xrmt{Zt+?X^2=O<`z%8_r@MtJ$uUE4lVC5ajZU0*m2`-VI8>~^4dH0B#lxbl z#~4VI1u^p%VG%goOc3PqS?asKSlbWWqWdH;q#g&pNbNvFq+ynoL*qi=lWd-)f$OF* zN*9Z2=Z;+Z2av3MG0z|~5O68v<>XV1Qi@OjuGd#V&9KgYQ$Tov&QO( zporT%?8Bu`oS?lyHLvB%!>u9a6P_M=zQ0|tcenh^mh>GJYPA2&MD;>RW@pw!-L^Z~ z-Wj&?mJ~W&4Wb8=-w+J0qhlZWpE>kRz0fKt&_^LW`n`x>8bpwnNmvD-(ZzZx5~QxK zv|sD+{pWgGln-~pZb`-`pcn@ar(BocwcHLRtm$r`x==qj$;`q7FBvK33Mh=}=|)8h z4<^bPTfLEJ?d~LbokQx^02I8RwE91~Noy@(%=Mh@T3;q|(+oNs!looyL)M^U5utxP zHh@|$)`U*E!n0nsaEc1=sd+=pOk|!dC_vFtpPluTOLWL~?OOj_xBCY1ui6uU$##uZ zili8lVdRg|ZwmV$RM|1e!9t2zsD)94D2nLi} z=o94hK4zA^PWgjEqYe#|kn-xNb*^`o)yJnzp?3la8E?{&edn*Z8klCMn<+wi)*J3+ zeQ`h3EJsLgdr(CP%|b2Lz+n zQuR8Y1xMreJ}=y0yvAaUC+^F*3S1)B>y+pMtX{k&*X4tMRb-gU$IlQNvfxRWZ%6iK zawBuTDx>4nQ}nRkIHdVw3wfQ1oJH8I&m{_ES`mqz*bjojl}lRI-HE~`kv9?)ekTiF zytM@G#`v;nhugG*y)Ikz_Qwx-idQ=S4|DGw)nwMS538tvC`A-dN?d!K7x``Y{Px_z@$b|0d}lntBzZ%1L;$z6tP)}9@1RVv$F zd0*%biRbuE_aXXbyaapq83~z{OU)y~;ipdU3kA>xL%&_UJg=u1eGqX`#bfMzn1fNY zxklJ?kP25Y-I3EzR)-Y=BZ>@O8m@M#P1v_wyPB-4yl51Al=QT!+w!T2k&8u4jKx8h zFh9$;?jdiZYJT<*ugg{PRQmPa7kxtr_isi!bbr?ylDIg2Nioq=IM=EfXb3=6x0G7mCNqf||0Z0V zaqUm&Z@Bcf3EP7lf%&glExQe502ix7c)c?(f;Yw(b0AVdV+(!@pTZZ&zc(p6PIpGm z9pS8<0p((=ZnzXK?8PtW(+uWp*4y!S&bqRj<1`RXRf_JzG_v=U;7-xJo2dVVuz9V$ z%W%nh@r6#_sUOm;TAuY_nP>f=>d5c3Ufc_=KYIK|)`L%@0!6bAT2=HA zpvBJu>bT!$$}rfg1!(az=rX;^c={=SDK_#jnEl~Z0QYyt0Q*Q^R?p1MO&IK z0HvLSB~)!t$KswJ*LF)msl{s`Z}kUF40Hi=xu})pOD!wiPPu1B`6_26I4|PLe)?z> z2ze2xX8ZWk66|FX3(!ISC#U{v^Lp*x{hA77WcO1^|90}u^Y8j3e3wzCGff?A@} z;7cG@XjMfxBYu66tS1=K*P2IVWNO&Dy)l(=y)RFS(z>niO>J)R|Ve1)U|acoEvT^rwqm&;<`l_ zP1c&i)VwA!x`mBDsZuaeO))YxYCO9ub-5^!hfV1q^co}Fxg&GJ)h}kGXF{&NIet!% z0kr3ez&1uE?B}yeuTSopC|{y}qV;tA+SBo7@N-%1ZScPZ$iM%Grr<6^8o-u3Y%}<` zpXHa`Pq%2rnNIy{^+892`z+IT#Asy~iG} zEQ=k!lnq`hgeuqD%VXBx$!x^hhdH#=VyZf0Q>U|X3RPrBTu)vN8mp6gc#Jt-cUl{$ zO?ynLhP^dz`I4AZ+O)ZI$BxZS!=D61|GK`7PT);SG4ZbnK6{zRyyv#)LBZIXF8hJl ziW2WUa)k*PxUwxm-220x>w=f|S(M$ym)^?Tbt})ra>h8;MG=*<$zWu|K&jBnzqUp+uIFy64Eu@C9TVffSX%{X6ldP ztSu{3%{ir!4J}8l6N!GyUHvh`6(3WNOfB2Z9hpz(_imYTX}LSS=phm)G}=dimsR_I zY)q=Jn2^ZBK~pGNX>dqZ^a;x{H$p+{b3vX5I}ff*J6e9>ieA*2*eO>X{~JXCX71D+ zcU`18wbGEZ$?g{=8bDbfM?b%@vJyQ3jrZDYp&D4wTE4Hs64eb<>D)nGj7hb&g5Der z@>w`R=obj6MH6|A{VxD6Nb$8M_*nO7R+UJ2)j|o~r!PqF{;wa~3gPaXLnn-VXUl_m z9-aU5bLG;m64P%h0XRo*Y+lHqH0t*|`_m@EAdrjGv_fH47~v}WMV*-w@~d=#f2Tf_ z%sSoWDBn=%j4Wm@=oXxse22+zaYnmP&o`P^0pw0s@?lv05uNn~6@en3yJhe<(LPQj zrgOtKG!C2OoM$RyRHhyn6vacSpSX1~Y1~QyUO~S! zn3!aV9t&7x>s_n@9W3&0c7QOj16mnsp{n@!T!l(8gl$nZl%Cz#PlmfESI|8RQ%xI3 zdhajoJnC~yMsQb%Y=M0BIrB0*hxDCuwVdUtgn1ty@q{@jqutnx3d}`+m8HFa`4SSe z9OQWC9mmxk-u^alGgL=m4!v3P(j?c^_v&&b2|`p!X-FN_itU}W%&!b`q}*5YZMD(z zjXd$+%`Ck;Q|JL?!FuuB$Hd$xf0_AFZLv&ko$quA@+wxex{7~8IaOaeAZ#+R@MIW- zD_z(2rewDmL#L;*eo%eA-Jwh;oZvt0nJ9Gv@k~#L9EKuy%FBZ(-sMIL3^E?Nk-{5{ zEDNAdo5y686zMlg3eAq2t7mw}_h^MVFy?Y|IubD)H@@)3Q&x}k?%lg6Xmbl9I)7~C z2qk4Fh|`XctZh0K!BN=qfyQizs0BFTn09rB9@p+Ik=!)!Efe0Sl;Lp#=!&pl~ z>kq;?85z5b>3%^?-Q_qY-lw zoNNT6!GwdT6S~)Xg^nO@DO}Fzl}j*W7a7>LTzH0lEm5 zs2kcZf|>T0{*zn>g6BU?(^cKV2wHtDM-sk^?ugp{ZaDtH$2H==>(aU#|Ys zSE;xLWdZDfy5glsgoB1Gm)Y2koQeuMnR?y$Gy(Ff$e|QUXXOVBgs3d zPkZtZ;u)nuW2QGLyd9T^lay=;YM#7Pt5pb%pMIlh02pBJFSc)L&JFV-O>K&*=#`|8 zy<=2&`97OFdgu#-&hYB$e!tP2k1=ysIk^*&*{iMCQ@60E;i=273+>0F20E5(knHU7 zXCVS#s|Kpx`t;+>%5x-w=66;GUKsLuaQ$Dg;6FUn9y+1a4p{hlWcjUa3qLx4LW#Yv z_tdm!%TI#r5HZHVo>RBEENi0lxm=s`YG^sLo_1NFrag#@+^XtYDkE3WqwP#w-Uk={Rv`(KHjw@_MLyyb_81WJfoL9@+XhK%`DR z%N>BO5)SG#h>Q9lAoF^!_U^TQ&DWg`$pUF%z_;8VU3)RuxzLT%@KJc4zuUe2s^Y?2 zD*MW6y}Zsqk8$7^;V*hpjQh##!5eiaYTjd$mNR`jhpb9p4{5OS$2Cao4(lfhHNy?F zyne{#R>U1&-k%$QVE^Af&bq+QXP6>#4cWB4B<{&>eV8sPkib6dJ-^R_olHLkT!Ae_ zxNt5{dAV=qPffG3chA&3{=24`ef}J4db-duCPED9oRuG9G5MSoIp&D@hR}IAp$A8g ze%1p7%}n}<4mSw0U_yfGymZTZ4m(Dsn6;`nrB6yf(%#SiX|g6VG(U6pMUc|u5v%T^ zg5@{fJw2bp`JeF^A;`|7dB#v=fj-7hLFbA+emDb!vX5U_w(4Yrwy^8XQdRA%P)i9! z$%*%)&~0HKDQ*AeI~u%-*&{ zkQV0kU7ACOn*wWTTHT)b`iyATCJ*iG!Cf*+KkX9cylwKP;IL7yMZ_dR;OFsDwbem^ zpx*{JT7#!wk^};4Oh7C;PFYKXwR~kx-$&?qc;-RFY#grjoCq^}%W5x(TkDS%8$A zbK1W#)*(QE%QsY!DY%4yhc&AvZ^UDt-K+ZeNnL$p=h_Dg10Ha4NkN#JsE-TBzo{eW zJpITn2cx9blINz7>h3N;omkGu%~5y)@!1X1yuH3tIXVe@WCf}JNVB(pO@@XDLQXYC z9{BJCC_x!;_IRJp$D~)KZ5WuvZecWCp}0v!qx=dVfAivdy7A>PPQA<4^XZGPaOjNY zB#ok~seZ~!f298oYS{W*S&e1&MvHsw+Q3B0c#5yiEvC=XiP(+8Kx$E{VwqOJW&e7R zwwL(YDUx=U6>0!S9FcXmyc*oYSB5W1JX2RU-e8hTwBwd+%PHdjuK@%2pK`wZJ!ZUq zhMf8#X6)UqpL*Zdo-pm`-F82;JMs3MAgUfJpJHzSJLvNS7uq!x1PK0US;^f|-o>07 zodvw%VoMaq*pMFfioL<-o|IS#wp~$mfRjB$1;qg*e~F-EcpYZrrXd@W=?yU>9p?Im}y+3)KtBQ|>*h6W8p+-6^K$G|x1h+mtjnM2mWwZFulW{!)MdgF8;Kuo28y4}Z zh+7()c@r##mW7os=c(sdI`{17L)Jf@XaDp0$|=CttQU(PCK7+ZaOaM-RXt>V32=q! zB9KQR`Yb_Z6~TaKy_x3%!YvXPR-{?L2p*mC_^C@DG4WL^-F=SewZuqwhtCh_pY^rv zQxBo;7Eh>(s$wyzsu0JS`T%bj<2oP)4TjKd%?Ryt5*cR-TV;ja0^WT?Bczz4gBGengR(n0`o*o{z zS$=QnPgY6kUFs`#M*2^kBK@38!Jgz3J^j-}GAAcLJb$9?^x!aJIA%fjs(sst|3bw7dZ;~j z>^sJgEiS*i{W}1^K*j+-`A$Q{JO?9525-CG?WMRDkI5P^bkG#nch8I$IjW8Tk$oDDYi)AuUZNx zvRj=QqO_P;Hnr9T&>GIPvMo|2cszJ~D9z;B%oO=vf5pX8jd^E;vuUUzw0>=O6(3D= zD|Da#9=hKW^A$p8M@sVLQx^*h0rkrwN?>Eab3Ii%C^6B-zpHC}vwAtibGdS$M8aoM zrmwrV<>}#5L`wBS9{UjC(|EM6dZwy3u54Vj?6Wy8z*&RwETjxymI&*jj7y>GTWQ7B z=Ar+x>)#)0f0O%eX~);)mOoh9cbAG&vwHPevs>H;{CEhuz%U0?Kp0)Nu>4ALP&2p> zUn**tOfaCgIG$nslGp)(PEP^SM8bDzVh1%L*4cT!B&~f0WLT%I>@R`LdPe zkTw}U*9$IASypBe}_fu9$-$K3-$Gq^g4GIt16?CGY4hp#1DRP-f)NzC7Tj zS9XY3v69qY0k;?SK+0!NWF=MItid0JGH@WpP392nX8>`Hua_m8K5<&HoM0WnSysQ1 z@b5Ol;RXg}6Sj}Bza!;1DIhLYj!o&RmhIm@6{jwzfxj)B18!Ma0RZwNL3qGpdd%Im z#DXQvI+)(&SVkTSI*E!8b6rY<;{+!PLVvXkP9j`cajv5THnR+`HzE(h6<>00m~{2z z4a|n?87FPDvg137(&QUZmZ>V)?n}cu05JCZBq0?Yh#i=_b0&`Ed0#nJBd(qI4>_di zdRudpzy>=Zk$@OE(m-}3k@H&|p~ym0bKw;IF6nl4LvB6 zg-au(b&SOV-}u3w*n-6_yfeIhwg_B1^UEM}b~$#F)9Oo1(m;MmBtdeUQ)b-v$PS*m zHE7nl8M^%1AsU*aJ+**2$rPZvehnNZ!cM{1Unt*cAEtR>R8$MC6>V4^I92F5ugm?K zlDx1uL;tySzW_ykA@5|UWN}SS^MA#40OV701v~_Rb|PL1Qrpn(X3}}|iikjSIv}H$ z%$-g%2&ZL`M?X zlLfM5P|v_iuHfA;`_CBMDi&r!U}N)S1z7bei81kh=HL3BsVyhQ*#yO(s-#Z32d<+dB{H zNv+qey^4uO-6&(lio2Ozw+Ud=rhO3pD|0%(Yp?QRx{3#?>_#&S0jAdT+s2v;JmT0t zW-Q|0GnR^l7W5Api>8nmde`9BfQb_Cw$$4yfU5Jtkl@G2=%8aZx`wIGH=4tiKD!-% zqW+|MOi5J3OqN_+6OKlx2{6$!*a;c6YPt}aM|qm*N}CE*^l|AdyJhY3Fx3N_7aF}J zh>%1c9mV4OlMs{L^%oo>q{2t$rJnUf+*4onn{KplRy=Rj2WUE<&Fhl5<+?@U{PQNP z22e~5ZZ6nkG>w?B&Qr#&_@-ZPUjjf~rjg~BhpR|mziCwj<+W(ddUK&8@wH_26Q8b} zuJL{~0>KJ79$P)>Kh7%Cx+{*VG$%M& zyBA0(8d7?g`#&Ik2egr-Fs9LsO>Sr>8KO3G| z_8AhyI1J26vZA*axy`JMW<2A&?k?rzx>D)n)9Hw-`L$9tJZmoei7x6*RVcHsYNZlR z)#gF$wLbtHcF#e{)%Ar2qy!abciL~v?s~4MGXck+O4!tM1$<`BpJ!ZHDH(YjUoIB( z5gaY{1dL!&a0-yPv12yxo9my4s@M0X@M@`sEv+|v z$8NBL`^jl~M+1kOxc})}0~fdGA-yen$h<7b!MxhuM8me`k``fy@%z!szMrF09+o+^ z^e%=Q2UP^FB8DbYZouEL<9ax0E8u*oz~!Nb+O_KM z8Ihi~AbaT!IhpyXO*Y2^BIcbr;aRIK&=W2z9o&xvM=c;IT1QRipHfs>QDd}@w?>2t zv_3vJ$~Q^?flv~k>xbbgyqFL!<^9N}FYKi3&21? zR8+wD5NrSlQMqXrznlkSy!%HZ-oa-$kncLw07|zYtrDEo;@R9_27*0O`I)UGOZL7s z#KvbrlQj)~--+8!PwJTH*_sLw7-0*<+gGf3>H;!@>N$t*-w#aU(~f zU^A$%JRi8cW_{X};??5KC#vvMD9GndOXWSSnkZFLdGHdekn!}CR$sPapj&yJvVr?V zmOXL)p1J?%wCAMmT5S4}4f5}*$Zdf3_Z@yk=MMxTnk`$M6XXpe-sjg5gh#i7k%Ol3Fs;3jn3S$?BQ zVF{aqOHI}|mx0ZPZ3h*xv6-Gd!Jpt74|##*zWvgQLq3 zQ5Iw|gk)H9b_nltbl^*+zw>pMApAnEO{K~@c~O-x0A18&V1Op+rN%O8g_bJ0aH9kE z@7h@xo)f9^G*c5_e$Qj%kH*%0mYD>k6cf1hyLxqvCa#v*!xeS%J?}9Ar8teWP*a#m z^0$xy!?oe`rHA#!X|&QlK0&Qxfi%qyLCUUMq)4;W!2Q6DVAF3L+{9@G!+Nd`oysUV zmwJDlrMtMyRyWCY{BWq>Tq!gFF^p3@;Ac1u_+zciR#u|EMcND7=%Hqqr-%>M=59`d zuv&!XHO2LNt6xoP278tV;Me_GDyg@k%LlG&G3V6gdwYC0>ed2`t1Hn_=ytxV3Pnz< zmWII>IS1ZB)8{GzN<*f57TG;Bs~3g0gTS^K|KOXHAiVVOxffaTQ~jFTM`b2>=Y~-= zG?2CuKm@8$M+j%4xXzJIG7h%uj727I9QR@fw;(cskH8E^tdYVlMLN&aXOzA6jw^{T%c&?b=Oausg5?%2IP8-; zuy~$2Vmqy#7SK;fx?F4fC9)=xcZ-)(PwcdEpWVjy%}H8PKI6*lF0x zSIQS^i)^s|*TCf@ILF+)z;>hcqb6s%g!YBZ_Nory@8)F9%$)Uz{GV3-k=s)W=cQ-Q zy^vQflz?no{DQ6g?&*+#tM4+2G&56f&Lx&X&&}UV2sZLwEa~#1WNFu`Xlq)}-Jl2ZE zTc#dOF_fcz64fQGHk^>SUG-77sm?C$h{WskG~p+rZ4~vu1(|$8v1p^hX+?J%r=>Wq zVA4)An)wj2h|&=G4E7-(H&F-;aAo5SwAECY%$qeu5cnP1C=RD1-96EX_w(~x`DhI} zlgr*Z2Yq5{Q`lc`&r}>3uMofWnv2z!RXy7^^s7(cit#38f@q+#kbNUqU{XWE>znJB zJ&Kto&3ITJdS8*1a($39^;V4pTBeYi5tOx`!)vV`W#P zeEW5-4-|nzT1L*z(_sdospUYh&ydFe3SQJ+L|h0&nMZSX@My`+)Fq1;71>z>AKCKH zAvk*pjV5>`TvgPgd%n@vMlzH_O%wo9?H53*y@QwDq-gYd=$?aljWe<*IQ6j_DkB$H zUK+?4P5pUunE>j?;`j{|&8<>aRvKSwNg#`JtXnBKD-%`phwe5|YsrjINZxwMGLZRql1P{0}c<`C2?<6Pj9Xc0D2kl`(Dw>>y53$hW%$1+m zv_|Zfkk`}62<}0duO|bzW@p^W`L4Yqhm-2B;u`RX+eNQ7K%FLIm-Ss1VFleiX5pt--QltjgTM8Ms%=PyEE+Ik;q01^F9I7^E?)t3zhZDjQ4a@^7g46#Rour?{R!tQ z%N}6!h$q@cxvf5EpjPirhnH@!>5}AS7y8t(>&9nCXB0j>(P3{0l;>zdil7an5e3UG z9F*tUMV)m)5*a$x+D~PKX0#B}8l>X)Rz=$d@jiHPu)71OJ(*WlpT-%d^!c_wJd1i= zqdKs7D&M9k6KhdY(VVDOcG~KF!TzqAM>F{@y;bGd_a5FFY0z-@jVgk#n)b#&dA8Cx zFMVq6g*&h9pl4ygfz2o4K$`Ohoe{ThH=yZ2MGR(w56@~2%qjr|F@J)ZacxFT*n>8e zPHL#Aqt27ofX#KiaY3%e_fW@mxGEXKJh(^x`My{v1bzt8ww zJk~h6G!u{p8>#F;p6aHTe3avZPcKKPhDjF1-EQVhIFIy?XC0e<&m;QjNlhERX!-2N zdYBIKH>xlP%15zbF~GN4U%q4`VcNH}rg4=>%#h>t!>9+LtOmcTPI;m6g2 z@}jH8ilKNm2}jf3iMs$eb{cR0Q9wXZe%HvnJit}McIeW;P5NGRqxCp&VTJ+wBMCDO@|Wb`(n_93ryL`*MB9xo zx*sH5VjQ$9BV8sy>4!P-T}5(()hApTC(S|DmZ=F1eZ)rs7o;Asv6ecl{tpQ&@14M+ zL7npCHGJvZQ;C!VS{JHRdotwrLhR416}(Hon%e5&8!XcV5N0-=fipV^Te{#ifxH_3 z^&RB}Kym(&c729Bg?gS_Tjw+sTt4! zZ&x(J*1=B^;0WJCcg}JB#ggTX8w#hKFU#4`5nj$U@>8MZ-j=^`r@FElJah)TN#aeZ z75&#v`8)juyy;ecU`h0C(t=tS|7gyb$2&H!>L96CY;;kVBy$Z&MvBi5II%9aC)V3y ziV6oy@>?Dl=N1JwCDh}=vFw~_&ljOm@^>vj$s2%pq(-D< zz6k2$U4PB^L)MU}c)(m;!ba`}+oX#(hzh8Il?_qv@p1qqqn=o={Z6`AMP>J=qeA>B z9WmQy+{%C$SQ>w;jaM+4SyHxYE^eGuS9GwhxAKmf4yx51&7v+l`(EAX zqmFnq#IC1=i+O9mo-XLUzpVH#V@(;x9A;kj%e{p=6)_z%$x4`USL3R3iMczP*)rZ> z;XeGZH!xOyNcDE%KLYg`-u{GY!@&)&_8&8(D{{LsaB0>Sq$(dq|GC!oqKl~qIhPp+ z@ui_*De_))>q=aXjb8i$xXw;5EM0)t!$@I|q|v^H(LVC>l@)P!H0fzn(n>%qYkhKF zwORpXZ!EIWsj9~B8bn_4gp$L2;GTX#Gbwr?#-As|Zm@Lor)HVwtX(#TDnYxX&1ENd zK1oyK4%quJS$jX?Ypqk6leG_6W_XVKP7<>Rp^^^~)ufFOdjrYvQfT?SF6HT#Ah?QK zbFQfu#6#v;ZElKGtZKrWN=B%;4+dVJd6-As%7oH*`g;MNv`&3kRtO$$Nl-09oweqK z_+B%eS?tswoV|=nRCCY9B_~^obY=}*`X}WK0G5otky+M@`NraiA2Q9_y!i7oTz+>U zLyFV$0Flkp4y$+3c}}>&5=?KrIx0xGxi4sP=DK~9x-finrw6tPkLR~%I5>U75b|JU zgcL>Bt=ndh@gyWtk-Q%n!0o`uQy@T3E!q!V$ExDX<>X5axrCuD^X9@FBWn`;B8RQT zG{nv%vC{HV_$-8_!!#Kj!IlV{#PV=eQ5AoNgHeWsIIIi;BA?gS2H{2HUNMgJ0d%M0S zeM{E>xbLcmKIU7*sc%@&v4jq~(VJl2>pF#%Q>Nlmoo%>B>f-K-FHmc*Ep(=3SIl6Q zOr}Ta^JsMv>1c4hRd2UA@k)>rGk>P&2FyCZ>hsKMv2f#^xle=ZD-K9lY;w)ALrvd> z2MbR%w6(d%Z-jyQ2Z!!aFC~}rKa&|dHNFo3W?x@2L4$0y!Sx5 zCiGP{=SBJH>1~L35NCC?t4go{|AL_8DWYanb5F;arUt0F&smB{;C_tje}9gy&0DP; z3%vMmVJ+hP(!O4A<`_7n{Wm!5FtYEQQ(aH1Q((A9r=#fHpgtE0YeDcXNT-+*fL=-@ zRhw}sUI0ek7sP|#Pr_j|nsm{>x4=oSHk#|zV_=&V{h2(9vZRvj zy+}QP@GU(W6umrhnoNmq(JE|cOy~#c)U#zPpTnZwLV+xLad(x7F-nIUUe6dX?3((6Kgt+#j3H|r2}bY;1s?ZZA@mEyd!+l*DN$2)y9u$iX8IXTn7 zBt*1j!;}Hk1^m+u7|6-L(^0-Y-B*yPk=$Zw;vmd_jz<~8EhitUAJ0kv?^?2)}UCnrWAB8Aqd1u`5+K~l|JFF4N|-`U%XvO{dHMDZJTM2*q6iWNT$4x#a`fuG*xZw$Zn-z-%T?n^|%bbiu^- zQx~~*0L9Ku3LsGs3JmLrEy1(IhYeF-L?Ooz;`7s`!VW#f8olfl>F&d{j5<^CA}}&- z^z@)%YR>d(p_Frw*g_ph$7{@ve076$B~KDWvnRn&KUz*VrqEF^tku@ZtbHFCS?j6vlS{KnvbewQZ}A|LN?@4vEAaK zIstT+JYLP%+N~qw(U!W$Om^1%W@=Km6=fV;-e%dzUdfOZwV%D^j;3RqI(p4BMx%L_ z7f+9sD5#*gJt8;ICf)%{_#s!B1;57;_jvfDc|Hre5Yz>#1_}!T{6JfS{uVWEAPq~{AMJSd@n6N;AECmZ&$Yjucm|}H)AEU^?Pay~ z!tVrzG_!9JilYyBw>flzy8#3dZX?f*i4&r*^pt5C{5r_5SreCy! zpuEBUvGel_r|IFJsQ%#wZKIUwKIApZ297KmOu7+EC>pJkZdCykF=SuTk$DqRLKPV< z732psAPnx1A(Q)#r{# zH~+qG+arFAD1SVk{8buooOS^)<%eaE^R|q`#ipHK5&FaqP<>kLXB!#uZni7qjI)Cq z$J*38mQRaw?OfM$OFJW-7n*<)qxUGiM7huO?SB+}dTVS6KCMR~iSV-`!FS_BiVj?< zs`nEPxU*QG|NcBm1I-p6?nH{nq!;B1LHu{ra@R(p4a(bxGm6`=G?&3rr$o^Jk(qs5 zR5tNyD28xlvOA`O`wiaIG2Eq}d#QTIGD37o-#(^1CWz({TlKGc z-M@IpqUb6BQy1eyR0Haft9Az?4uCk_!o`s{VaL6}4A`ktI?+h7Sskx;s76Yx5Jjy`6LkItu8NT&N%u=Cq}N7JSjI;hQm( z(}wb~Z$_XwIoa|niLetD9=yDOrav-7R%&Z%BOy}IMH68+?5;rXW-q7lBWFA`SUg`GukoaMNXUhfgt$sA1A?II%2>}LB7#K`whqmvN$d7Mo;s}wRMyndv zTD~xCyS4ARpqSE@!`P->7X3$udA8*+4?%bH4{a|)-QNPdrx5=CtQ?#%_=rh4zBuCG z9?P6@KPv_M|CMxb@okf>zuXVXvA>_CKs(W@g8$D!IpsIEv&t*lTWqcH-SM~H*z6Ff zOhA~66heGp^1mqgB9g6|`90t0HRq*jXaj=-Gd9C}mU;yAlK{5n;wD&hFHJmxu!#jS zy%iK0{G_NI7#wJic8GEy^;V8l_St_O;HUG=D^W*nv0asLmZy~s+M0ErC(2BL@=>|L zu*d-0L9WlNMjqvS+8P_Ep=2p6saIK4O_t{dIFtd^BGrQIiEy96h$>h9z+Q{quHguQ z1z7^t9{=1-N#tqIr<_vHoF7UhZq#SbAs!)0`pWe^8UcM7Co%J5$*f@Kh%>7I%mhTP<8vj6K4+i8ITpa z&wVoy1pMLnmOuQG(DcK}u#GJLDvI2U+46^kRD|0P%TN!`yVh#ulbQby#d4_pcW|`l zsXVFV)rEz~$-Jy&&CbR~yZtB%&@mPp;zuiz!%X0atqp^IUcaDT3$?fb^Zyq1X^73} z_9v!>bl6hg62yEI$18F)lZ{-!SfL2qz4-Q>^#K6B%A+;+0BX4-i5^>OIm!PwYPtW5 zt+6F_+t>Rysar?L?K&H49|UJ6wlFrl8!QmO+ULQKdRNSB>>)l%1qZe?y3`!<)|U5R zUFZP@^d=AV&ZMX_>Zj(gsTvTz0Q;&krbY}K4BBuIc^YlnJUsllv6mA~e(0>oEryH_ zIg$QNjd->W&=l9iV? z)G#=r`l%79Q7SfmFhkwD`wn?PDcw&9&fs5Xj*gspw?SYs@j;0Zfv%FvY|YU+TTTStlujZt2VSJP-SNhgqKLZ^hT-saGFTqar{J^Ifg#K)haj@HJPFk@>R(c2dX# z+()3yWfZjAa!v1Ihd8|54edmuIF`u?Xf8EnFqzuygAvbQiOdB&RH7gTF{ddaARquU z+myxrNm-5=#^^r3lJa*OY`=-C*u7}I*vWB07X9$@&i9I`1=3uy>Y+%w@xJsq9(?Fi z)u;>8@l$6!F(CA%*@Y9LC}M z(-KjGa%$b0=tsV%Zy>SSK4o|s_?H?ntkSC{7$fbr?l%T+J`Z2gP78Gr5V)xL2zJUQ zECJ2rWTHmfiwK!|5yL zLq%c{ggkc%pC|AHONs$m{+qSg#1?nEgBLKw&W~4ew!h)u>i}_YwhVEIV~fn&Ue?X^ zz3IdMOpEaRn#tdX`FV=K1H)8I#pjNK$YfjaV0n#=_tZ3Mue})c#Ve-9&CS)^yDs+a z_)9~Fx`NI4-(3~+L;4FS^1$t;LN=p!YlR4qOP<|#k)pkC6unOBT|?b+;Zf0K=Hq3^ zzOGjj$K#^#&}ts|ZwxzqEDc-DbTHyv+G;zf`W29xaLH{U>;31ZwjuMsnzjD*V7u=- zvYyv#d9}UFRzT?80l&tsucn>&3V!wzm)E((e9@;*lmnhj>J@T7HAinorb6^rl-p$T z!_zU@Eg=F-*OXkMLTh02N@8VKhOGPoyVJ4E38OCDSg=V{_o_#MX?NsP9tc!pnRZ|s z(3V^Ib_^D=`k0lMR30~;0>AXw`B*Q$k833B>Q8j@T)0p7)MuMJo!@8pp=hI+6tRm1 z^sW-nK_A2jMgWCwTdjMdhzq$?70c`?^EZnjvd5IvH2uXUdO9srwaJaXI8DKn`@Z!+ z$E?E9qi2gdCbp!(9$T&9b>lk?#%ppt?63H3s4?C+ z^S+q>==`L>o3gM61z8v#yc(}%ZibzJc=i5E1k~u{rNX@%=PoN{sD%1=n%=}gHK$Qh z>?$k_NKnloh`WM%QKi5TKd`e|O-=>!nJ``?Xu5as>`d~~JAoh$vtduu9 zMuPtLKQ!-zQ~_nB-5|P6uYf?Z=<&=w)@1`W_q&CLEh+I&-is6jIMuVq9Hb`;Zi-4G z`^-WQfbNQCME9uJ$+oV=o1#>`eQ4h>2XyLDWz2Rq1%sc9$wcOuJ2&ISC} zEC8XEhVi=b!HCd+O*;Vvx$XB%k5ayxgiT=4cT8SlXs2~@IgNo-ezqLyX+*aVv zjONN|9N-JM$FfOLPu-gB7v<6&kB_H-4hHTtsw%CZ*C&vdwb|)#*C3}y7ArSW*H-}1 zOQxbvt34Vqi~yQxq!#T|o>-09HE;*hUC~}o{d?waHrg?DJ__7zmH;GNV!MV2p6~mo zzNHuXuEBN?~uQ5q(`-fqzkGy__~a7M-+Uul7cJ3|7}t23Qwo}x8!RoRyJF0 zlZu5pUsB%WOfxmpi@3uFPom?Fuuiy2SoaOpUy-nvNEX7*gxfb{wS?z)Iq0nrl{5gF z)~VZ77fmL+FWrbCa9~v525JSz&^M8*Qng$KK__QDnRpTIzi_DyS?$5geFS&!+TuMi zr@f($KTSRw-osGcn%aj@ocV<3BN7v1d$g&wL&zQE0P=D_Kq$$MnHJD!yxrROevDG*IGl83{M+MIcf_?TG4elbiyybh_vg%m zz@0d*XL7+VXBzt(f<+R3EhAcQZzJj5atY^WI2w4e)vd;y_Fe{Gdqih6OEL9atPD$L zp+GS~qFa`wT(Z#n*&+2+i?4OtyFqW%Ua~8Cd1MCLv}N^LpHS`!jy(-jN&!) zK}l7?K+bu5$IAw6w4eBFvx&)o1~7;Z#=t^CRGU8xW~zDdY&0OUpc5wqf|8DS=oE@K zJ+_8UM#;*rMlN8f$N0rJR$6mM=YgW^2LQ?+1fab11KKV3Go}OYOC(Tno7nLoS>vZkMf32zuj_)_CcK8&>;;#b z_j}%`+XCspIU5L(Ri^el*QrpBc-)wjw)aKd@OYdMa|WntAr$izRcv=k?+1prUR5Gr z8)6rdZDRYz+Hob7KAHSMB~-4*57CEZOWLMWWmXeet|-)l)PYLx75i{&`3|O{6KtP(#E~w za?#Fi*^c`ZeQ_1gDNf={$G(nNaTV%mJ@M4}ylwH$ zxy1mJl=}w3LR{(acdizC?(QbE#-p&cXLkZJNS{*xNiLw#S7s@e%MV&L+%(p4p|3vJ zN}V;r4SL0v=wF6Z%u^*?jh0uQCtl^J-YQrH9R!=J->iXQb?I@Rjyqg!+nqop7K>hQ zy!8Gj@cQHEWJ0Wv+y*;7BS*7_46;ll%2kR;Ya;!?bSmD-lC-oktVAPW<4na{ygCcy zmJ1g0A>u&SXZZrcd+bCOGrTJ}$a;d;@9>4=yMu1-ex28C@tU$JKk6>|VpDX~{i(;| zc5m6={jc`6Ol{xIATQ=UjkIcw@i25>uw24vwa*&=GBfMY1DG}1RfEZ(c#qHdt@XXi zh?OwUw+uqBl6|WwQz@Htom0!@lsS6#=-b)6`&;>VwbbaMCL5rrWF;Y&urrDyioY}D z+AS|C3i+%hb<*l=+EW3@FfwELRX_Cwv%Q3w?OX-)TS<@Uz9UsI9Y~Vca16o;30w|n zPXHmjsPit}LL+&9jOj!4gkF;JW_v|fuJK)NI5jr^hKdlFJb_P#4+Y=hw2X3pe%u9A zMaE>L(3N0r&2OuA0Ch=FA6d|ggT$_`?}!Jw=%KVSgg0ju>n^2J4+b&Ya}hL4F7Z0l z!tSb1OkO|GJ0zfn`=)mBzFZZ8mb+VovZ>}^W3VRvFzMe!HQR3a2S;)5lzc4$u84Ct z(zs)nFt>N%dROq!&vUD_phxHUJ!3}O*w zb4DTkSxBfQ>Rmtf)Wnsv{?=qq*p9yr|pn(iIA z6VFrCV-l<&rCMnL`~8~a^Y(dZ!qS>Fg!@tvI7K}ae&R`qZ@XI%D`|*LZ<*_u&B^Id zM##$pM7*iE%1ET*DnwX$8W7>zF@w|A4Zjb1sL|b370v3^1XDKI%RMN4bET}8dr&Pu zp_X9o|Ex;1{UT%r+l=>QHsm=npWL{W-)G^}6?{hX&WBFF89F97;Qz4po?%U{YqzL0 zK@kF?f>J_PKtN<-e5OoY>o~sSbT|loV=C%+v|3861VddntJAiXyzi z;QlqDOTw;mYfX3YDlL-z5wD!8?C!6Qk?9=RxGmKcetf)T`MQZ;JUDq!STOn8Lc9*C z{uYK~j@;Up|FD1Z_&%N;gGfdSC!+AWlY!7ucdJ1drP1nc#lzEg%c=&>t3w->5&WBG z5%1kOLpLW6L{Fr^7Ujq!nz84`MD6;047aWLmt@P&S+2!A3t%!P^K#C#WS;ufQO3#p z#Larb+>++@CB&~wC!JLW66Oo#cu=ecS*%3rA7pTGC^ zYc0a^3piUu;D8kvumu9-{xW&LWns_%_*TUl{ld|}Q4{d8Hu0!3QM_~xqvF1`|IoDD zZNJ{B7e4T4ccPdd;JI|sn*mM}F8PZFVeCY6_G=JgxPXg5KTxWMNBO#P+K!HSzxG>tZ|4E+vlb4G-BfCFX`A->t>eAp@?`n!| zAyYNu*vPkCXN8}-=@x>c1BctK05dyvna>CUzRN5Eh8wr4l2hI~3&hHSC;lj?I&_^q zHlcXec}zXK(Ge1lpKpzah&{Lmj}3jimY-Sn213!z^XkYs)v-pm`Ff}E z(h@GbuI?}h>~H_|AW7`cS34Toir4D(Dyo7Tke2(AL8Lqv!`VPBrmHEr({xDQVq(i_ z|IuaGWfjtLH8Ln~J^w7+Ae`2zG`lZ;4IM^D`AhR;F|Lu7=-cUWL;On~W z$WpU8s=|=nMC*OL3hVbZaJyXiZE;1?#j}A#GQ=se%!qhEJCbQ#H(1Zg>~s6^mWOyn ze%iDc#6B%xJnicf})3ckzw*F*pJA7kTNp%>^x_&FaADb$?-az{8_rWhGn^nbY0 zv8GR~u-KoeaG8!bzraSUSBC<1?VMX7Alomiz$mCIs>)Sg{S>dTL4k|2P>XmrJMXu7qczY4wG?Xprjw%zN4zlg+$@sYdtCeaLTb@lPqVs{ z3OIZ@{%0HMf<@v%Lx)}BC(}QvmbIERwObuP{tVp7X1!oKat+LPj;OK6w85Y=7s(zT zzVp~@;N_6h77Hojgi?5+w!mjcFoQo)-%IDWhTbU=v{?T5JM`PdKITdzWH-Zq&*<{& z=D{D5A-_~JJxO@elKunb%aHy5Cgtl;*mF-mJ-KC=@LpR@a7fx)NbQ+kJ@Bo8+X|@_ zMO-J{L*rdDG*rIw{}<;ALzY8ef8=W+>iFM!Z6z(jQqj%+^-a8k)Z-!wdsWYNGdQ>z z@%4Z^FBRA4RO-!uH+s;Tu<&!obN<&!!Pspfp)WTtkCIi3OG}zAguK$1jt6NWIYoMd zDWfmny}ZbKl3szXq)C5!I%AzfZLeut0>YFU4vWs6Gr9Bdi(u~8Cn`egDjU&6z@0CM z_w_OdE}>?<*-WQV2UU@zZfN14+UT9Af7=Rxsj*c3mX}*P`7yxLqVFXu`r(ioW#yVT@e;*o zY9eKMqb`tZXg-r`M^z~@s@0nix%-nB4U>hJuwX57!4^nw!djdlqlxG9>ji2EkW zMsZcsHKpOB16ob;!H`Y40I-12wnVey2~2RYEA6oe00Rx)c_oh#LYm4-eY~Iysv}b zeMlOe{<7xKpG<}KiF7aj7oW()FH^%ms{fiODyjVrH90{2NXGvfYQkHqCVBb!y?$EP ztAp44(Ys$pR3OV%2H7)B2M`-kyf4|@!ApM0{UWFSs+NP3KXNF>?E-caj28EI)pdKP zEgOp%bTXcV`k;0fxi_y?!S2>y7Cb)8k5B6B3E8eJnk(8O8}vlYD~BT|k0tQ$XXbh% zUWTS)h^iO9lm29q|NOD;+xH)2@W0-*$E)BSb_zifs>gaY2j4bYRCJ(OH;`4O1*Hdt z%G5m@{V8xyd&w5unI#x;DkB)uJJgq@0$Ul9q2#t~#0AgChKhw^;qFl6>e06rU+vOz zm_>U8J;r^N+H>ZHDmUP&iL{Qlp`(O0PWB&HtTl%NxuQJ=7A!q?6|KC)xMSfe`Ksl5 zwetqeT31Cri?Tp2>xrWM>Gziq98jVFZ+8WKow8>GxG!K|05v?c1VkWlI;eq~H1&=C zwArwJ(+||&p*3R73-5IpaehPe?|v{eNuMy3Z-&0WCzp1n@=19kCpx%|3O3FrmCb0@ zPrD|K4*sowc%qxMtt2yBQp~4Hz*>-0Y+$A7B)=e?-};E$)|so0EZH_LK=;eL~7(WicW*Xf^ciBeD~6IF?gYDw?iG4sUOi^hM9 zT%dke{=XrZq*US&KVeaDP3qs2m48RD{`{Vko*;ehG#chx0Xogk!M(EVn#+`$3tvnN;_ACKl?b{j&sEu`aRP<1Kbt*}2cz=&))}j=mwuerAzA<}pcan6 zi#U};#1@BK0?p;xAu9iQSp7yb46*_SNwn-05ddb15KzQXE!f9nQsgWeZ!V;-mGM1P zd?OnAI?{Ut=(-EInuW%}phtr9SORpDwx^eEdbSl3e6>ryE(5$ks|==j_5#~SKYR2p zgv>b9pi@Qh&H^5I2Pw%fG=tu7%=*lXLtD#a)8XDIyp5D`N}|c$eacn#=uZT-HHQ$Pap zw^FBbp3_3TqzBV~jhW7R)3#t~?)HhP%0SY!Mi5I6Lc=Hmu&>`W@(M6=$(A7J{ zZSPg29BlrQ{d6NAZtE2{B-oP$wC`bK&)Rb*))KVTgDE-#3B};wp>pmxPr4hJG zW@BMmFDAJyQq4q(GeQea81QB}S%mF=9jXnO6?4lR@v9=Ps zV`YZE6U7V8eWlor8k^}OsY_Bte1~W3bo&+2!WwSQY3IKIV@Wo|hS-814cd7}aka;b zJ}S2LDLRtp82&`GA#(YE8+v)NO0L?aenxsF+=xn>KXs36QuG`!5-;wX_eR(u3QcB1 zU!*#oF2)(@yLnFfp+{)b^$(mjL0<|^&Jjffh+uxGa^1ls9B%l-GOLU-Q}s-kzoXs9HF6 zyc}6JLs{QXu&xaCeVMoMtO|PZ&E3WN0i~6=hAusY_a6uQd?07@Kh4{c8j0U$dUZD} zXrKKc#WazEGsRc)RktVpaB3-&3{H5scu3qJC$X3H+m+87v#biylEhp|YC{Y%_~0}L z9=f}DcevS~J_qDRT!{SAcXA%Z`*0)N+*9a+GKFs%ON$a0Aqt`SaGc!Wf3h+)rLyoH z%YO*)RXAa}A4&l|nfa7W8}{X_%F8*HsIB`)*~5D&n;cAs`o+x>q^SL?559-!$7=%D zf!7_=^Z7vK&E5lkrCt+j&uEWpI~5~&$M;<3uk6OMMrnd)y-X8$xX&4R!`VP`~X{<1N> z1SEw0gK(IX^E)=lgKHT;{|$uar1m%BYxB(PG+(C2YakQ8)!+c0PC{cxUkzC`uT2zh**s}_GJphG^&eNQG z=rXDH%e*&koR9fgA6K12_|kH)7rmFbSLnW4W? zc3#zv0`fO>`}%BtN4a{yR3Wy7H4W`3{imzPh4z821w+!N^JE=m5B%V%l% zGBv^sPYtOrwx<-irS$m8LJ-pzJh03+IJ9x=^|W)DMY(cYtqqm)VJB36IMzP50s_3YSHK^Tr66rUX*>kLA5bXrVgmaDcN zUSZThv8wNKF&BNKhB@9FTnc^}f%wz*dyv3;p>le+{9EWpLzXWSN$2~gkF(@Ha)eAL z)$h5SO~HdAB}9FhA9(*JnE#Ruud7s_l;S;k<^A%gLJrA6+oYBbNJB-i0Z>$X6F(A_ z8c=<0>CQ=c{d(g~KVtNZ%tQy1g1-h*9X%1blYRA+ss2m7BDO8l(!pe~eIX2wOtC!_ zd(P@Z^?%1&Ha71010?4*X`9vX)r)e^Nx3Mrt zC&G3U4TmSj120ZC*Ym*Vp37X4I5q*N7VpJuakP%=Vi$BCi<;+o3%v|8n#jZYw0IY% zQ`(E4pE&ijk?xlf05V#{*YBF6zC1H;!(rAL?Y$VUsBGV3-ul)r$nB_~MjigK)V9i> zjvgr)Hp!R~KdYdXsL{^W)9}vk|JcJq3Y==9Oq?V#Jc)+6*MmXZs=fO#(Rw{J0NmgjLgIp?eqZ={gw_9s8TGz4No=>}tB< z=C#6tl7>9cHeEft#_P@l?4F&HwCrm!b`mLR>07N@cLb;#K;>Hr0|XWy?|;Lf#X7te zJOx|t?3^JkeBB4?&i6zto4TDh8eP%D)}@AL=3xvRI8(xADm`S(qp?w@R93QsUjowP zKc$*KMj7{ef-Lc?9r!2&}oD`||S|I<${Xj29 zCqfAyst#)aXrr5MgCuLAQ0CSEg@6JtnW5HlCsi0tM~;Z&26D#asMZ+fsE_m?Q2b+5 zPdFrj+(MCYpPJ~9`5FL26)QUAwV7LE7ry#2%uypb8@vh0)KVtzqZMW83zJ;+-XxMB zHX9O@#7U!$@PDWKJ~>)s4#Xua>>hH-HdgY9#h6Uv1%5G>Hnq{Slppw?=m@f$7enfYqnqeV3kxWtKkNSv;}K#yTYA9i1$x%q~=O-n24Quf&c6NW8n+ zMY?dStm$Zy_9kIcEYi#;l7$bI1nA0_p**=C=2qY&S=%jwSMqKhQb>b4UjS+M1mwt$ z9Kz8)(N^%Ya9L0#U7+!;fP2IeYp{vJ5=oPj+mJ(H0peT!pFjCgBe^$rEq)07eq^nG zKDqz#Bl9aWa?Dw94Q>y0808=sfF7U$^t{#+whlW29f-s)&kBBl5KvaZMW60%70G20 zE9m^)+jsABwG0|O0;s0%oIGThe95ykzZ03dKjR#glbfeltL48tzOQ06Q|rIvF)LSj zdnn+iVwwbO9z;c8kNK>5lo>{1RcQ4-Z-T8?)hxJ* zei62PJZa>dtWl_|bMLV(w<`GRv!0x(bYskMh*$+tBuS$xtb0B-;b6m`+oPLdUg7mV zVqADJJ_CZ8|5@L3QFV|sA7i}9upj#81$iDU*Q&S9r+ej%@nbTh{3`bIe35AjxhR4| z2e-3LduHV49Jh6J{|ZsYbhmmJt`2w2Tu~C9Y z;Z=!TPjyrUov`vkF+v zIUjAws1k_yP-kwk4taH7yW_&#D8P5X65cJ2?4a9sfJyS5;MWd0Uweh$W5vtY>|aY6 zv%NJa{$aM{oMnwnlv4crwwc|%Z|e#zz|uSbJF zBHuId`>sj@njM5}|LcMIeTulr2-E6O@h2xuB{6d}G;;U8pLTJ0@SN(q4SPD_&AaNk zU7HZV<(~ItH|v-QX8Xe}F;HOx7dOjKYhz5{ZpW=z%J?|2~Q zYsd>|-@HzHKUOP867=zFj$;Sb&X=dKTrSnw`3M9quEI)MUW52Oe<6Qa6lL_sPZE@ z{aoN^CvHu67{3_nihR)s(`1GWjd~dDy@nh}JjK6{GBcF{YF=lPTh=eg883#sRxz91 zI1{47lHdzm^zF-ct+(s%KC!%oAQaW9e0wLjdZ>fRY>Vc}0+GuW%b2IHK&1CZ5aant zFwp4Mj5O(CS4al>XRCyf%Ngd}iNOo%Kd=j*s+5Iv1@dnO;;3dk&04QJZjs|X4Y%Xp z5sSB)n38Ge|4t~5Mxd0s|C~wwnPu)0_@{`uIFE`~{G=YqJ2#M3@x16#9-Ba2k?wZJOr)OsW%&a|lz&$*x9t@Uz^O=X1oVEO?^6ChykDI=GLyuM9Qs+Ssw z17)!E%8yQjjsUPaJw09Fg2|}(&@YxBN5@|b`@n^FV>o8a_1+HN>>W=uB37S{j^Up7 z0=Qk!%rf%0yEjgw4%q|+6%V#X;Pb%og1VDtw8|n~WPci_%O<(TxP0mDyzhC-ha#iW zNPYKp4oTCjK`D^P0J;e#8EY;ktkDwaN9A~W{~;*A_=QL9=(3!A`LU>O_dgSjH0zLk z&m(+68(aBdSPARaa_(pSw#lujZ}RH2Xt7p@XH7H4LiqtUGL5%)JATp<-T;K`M81I9 z^?EEq6~ii?8T^zr1`{Bz8?@;*jhqmwk}j~Ib-~g<>#XQuJ z?u^13+bwCgU2n&oPE~w zThCEfi8q_Aj-M!=ebsS2f}NH1Ye2Kt|Az>331#-<53aFY%#!Qa5UY3|6@#SYynjDA zrqQ;c^XE?m8>N#rCGv3Ji+xy3ktefd2BhLRuPrVw4_*Vt?b&&|?6cd(#c3N7N-ven zH{?3yzHnz>%34`@G}o^eV<7vSL6e@UwUmI|JK;`4JGGM8pQY4mYO18uJ;fuGJGd@C zz)w40E#UFn+808$3*1#7v=U=g#Sb#CBHEyOkT1s#nJe6v=hGFQ>e|%yep(YUsPTIF zs`WM&Uv9!XLfvYtnJudNr6s#3gaiOWJ1UI)g15uR9yZpxaIu*zj%i9?r}FP?Xfky8 zPyO0Z53?gCp|Mq3=}wNx8$wi5&$|Uq+wx5*Peq{%=iSnLTMhy>Zu1PSSM9iEMbJJL zt1sw+L~UdOHdixfB{^;rKLWIMHioUgD1T0Nz*1`oBwx4RBu+!?C(+(I^YlHLxMA8p zn3Ca`1Vrx%f}iIA4XI89LPTnr%a$d&qJjL(BxZd8qZ7xr>%6P2iS4O<0PtEU0ME5| z^R>U$=@0brVCNm~$@#JFdGX;6v zQk3zHq5dR>3o`gXe|%A@_^+PcVIl39n3x>`I;4$sZo*OLno8qn`GPeujHcKo5_gnF?x z@m^itM^RG`>BK|sdY$>11(Bapl`{Dr#SM9xMQ4-XA6RrDF^H^d zD^M~hm1oTi()rB;H6$QuBOtkd}}W>d@oK68a8_i>yG8 z&6raBVn}xGLgwpyh!-A%XGtPt7W#kChB)$l_SF<+l(%6oYNM?trsZ|H7KEwX#rDDP zIR{Ey44Z~SKKhd%W_E~tvSSFOOmsJ_wS??rO{Ke2hq3|SQt+`E!|4L5H4>B6E#mT# zNMeSr=>r#meMmJYK9IkbqCVrNLaM2&t&MA2D%3O}VxC{TBd54A5_8US`|fSl@~pPo zMHj8c9LxETj0f+yZrJBZD%U=gP**&$lvgQ%sWN1kBTF`t|P= zZIFjg(d+b|cx$EC{*dv%v+=BK3q=8OS=(75(iw!Rawfr-MEV=`s%V( zI-C0dUW{5#hi5wg{r*?tNC~~A9YO+^iJmz>7vS6^gq}If_rXNpARB0ntq~)T{zCBkW!*Tfx)6ol+VWVCbG|%qw;;*~^x_wf1m1(yYL#yq0NdS^0*P5|h+<%;*&0cS#mSrr|=kfZzC? zV_(X2G`^W3Kh%8fO>X^J<)PZIxI%2DV6^@*@u$*+wA4NGjCYU(@*&XsRlVN zIjrOOJ1K@^?<33JzfCfHUuAl4CdwFbdI>ejt-da^)DqkZ0AF#2CGsUkqzEb6*`<$t zH`IhJ6msm(R7ZPABn)=`)q!0| zKp9WGzT0DIn0(bB7iP^%9%%AGkUC!-Qh&OfO%vY>uyW;ta^e?5LlO?MZQUDd|?lz92Q%4v% zL)~j1kK;KSaw%w*OV%y4Jw38k~(^#hFby=NhGLxSLg?XV>F9e+P< zy({WwLZW{p+9WcKcZ3UxMi3T!KNP<=annNzOD^>h;u0K6{L07XBYW2iMVl8vFRq8a zdhsqutBrj0N?}90dA8CvWpBKH`SHbz{-GUrZ$XsWQ^OL-*gE$oeib->%TceA=*7t> z&qmmX|I#I9GEh&YBy*(1x^Gz#-e0F1mzI?aQAG8A@~X^bG_gWl|Ce6DzXR3^0{U?LqC<+rYMiBGj#^$KZ}CdqN^G1Eic zBn0+k0r=MXlLIlY$ID7Na+4HjB7z94UnzU5OZwIcOP@T1=AdacJP^l>G6_GHvRSa6 zL=Crxdd+wpn}i48-A2LAjL^`8BV(wy%jw zRq9`R80k&6e}p)KdeL43@jFtSUb`VQv`WHOX4p!Xh?y#=Lj-p;IBj$|q6)Y?A~OF=i-lM-`+bCZa3;hSzX& z69Cp4jt4>7gq8IM4uj&l;ao@~4pj}5SvlWW_h88s<^U+M^zr>8^I@E8gyozr<5Euv+)q!Q&PB-S;%v5MD zKoDkmyAE)a6PD{?+_MObwlQ(sxpTG(G|f;X;2vT6ouEb@r|+2^8G>WkBsCw=WkjX; zFS3v4WMIwi45wvT%=d!4x}@L&Q$Jt{iEh3)?nuFhxHfM>lc>~3C4rbGN0UMC$|L}> zuRhg=F*zfS3Me+yPKzGOhKV}PrO1uv(x`lQS-=>6YzuY>NX>CSx)x0ykfvR0T=|x6 zk4)%dDKN~eZ#%9-j=I7_K>`Tj2)6N4Da%$=|@=*}hklnnu z@wE>5$#gt&f4que+nJ2j9p_ez;MQc9)`^(4}i@;Yvc3&xvm^3sN201LHasF8O_Xk;=8*)m%!n@@jFNh=hx)x2$3V8>0`BPm|hbTta-9vVmz7>z#UM#62>h5sWompMgd zGoQ|_cM{O~QkGlb@teXQCh+N;M(Un{U(peI?mZu}#Q1)N zbx;MWe2-UWgFHi{;oF?c{@sz4kDQWeu9r}JecQO}vc8L&$)@#?VTW5yI%Ykm>k!^v zVu>aSPVl5o|3DnlLav;9obU33< zI$istF3(!{;@Vsu@V)2l9J!$`s~e5Fp9It-IMr0dcgU<#HDo?$sYFd}z5Ns}AN9S5 z>;~m6C%IvZ?Qa&JMWg)#k2#jsvj`U;ZPc?c@uxas zE?ckStNw|R{0|>EOX{ig3PmAK#1N?v(TR)yi(((z;|zn{7Aq5wnmcIjO?(cggKFzB z;&*-icT~T1S<3i4@{YWsYT{7T>wLrF-eq~yH#`i4SobAmvF)ng@HK?0R<@S8mJ~)N zZFjq?QH<*J$#p&bJ3F4LV29`=qSLdlOuR1PZ6ag4QT$++o zq;MJy6{}38>00VW3Gj8h_CyE*_5`kj$R_vu0TRw_>DA0jMV$1D#Yh*buSu0^21(XPL^Dhx}TL_M(tC5LGK>nZ)Uc=anw)rWDh zImODee|z+Qdl5J@vYcGYo&uEKA6Js{1#e_m_C&^7P*qd;-Ipb^aYdp;IqB(0Dn_er z=tVKVAICpY$A3&Kexs$AKsLWn|H`uo)Xg@rrjb(_0!iu~=Q|FckeXt8;ei>%jAt*l z0@Z`=(Gv4^ZOKU9?P4BU{R(!$)ia4rsb``$(AXz`Jtk;J)c(7!$N_D z@MQ{OR{Ab{7wL%M^yl>p0e4sK28kwT9A`0}Yza#0k~y{A!%zc-KB~6S*$PC~Jpntn zB^=&|9ZQLa50jQtk@DK$XI%D>tw-Tu=ORrXcEIi0BJYd;ad1Ov{PWeny{hp>#5X=K zR?7qG`0HNqy#j}12N1Gz2`KEacl93fK2Y>|l}WtL{fo~sV~tquRq@Vvu1;)MOiCID zwC_S0`9e;5{KIX%x-Xp?r5rE`L4%3By*P?lHw9g->X*1(GZ=B>4H`~`Je4%S<`Jdh zUe&I!f`S5m?Yg?&%F5oa?GC~tDD!(Qx9Z1+75eQR9XVF3`2Jn?G`)0)KSO!puU6#$ zc|lUdPR_^gFkdKQ(qgTpmyU2f)DI#I34E!SJ!#m~%Fhb^oXV<+sZ|+@4kSLfV>`6M%FksD&A@S1 zA_Ip2Mnkb%T_R;B8N43KV=|-!up0u7FiBl~+z1fgc0jOf_ncPJar|ADVFIVrDJv2F zjvJj{hPy?M*+@5KmFQ@zskQ`Kp5EY8(`tJ`O&Ti|Mjrc9)<4qNfuJ%MXk$VIMtrSv z2&Z|>m+m^0Q^=O+OVFH*h<#;`Drg7b0u%K( z?ntlp2{aa0Dy{eQ^yClBH2vqDd|`}OXc{T-bk?bHG?T=SovFx(t$xqRvU7B9--6Fv4IJE(Qn#(g5;|vG-|d_v zA8l^zS6IN^vPki3pi(9-* z;%~Vqe;x@giKw($s9Z7@omcig<-lMYGIFdpXLAf@C)V$bx8o+MrmB5I=O*31j}^U9 z?z+{|BF#UzaC{fL{^J+@Ux343*S;0}u@&1t%Wgi&^eK`o5i37_)t3BrM{`#Qp5Amn zhKioIs!;nD(!6>AR5#C{`1n zd^r^pi{qxI=&Tls${E~ktn<|yHdt2sjA~!}#t;9n(lAnyz??~+g0HZleJL%qQ42U!ULj{3;71~>UYFW20k z)XHmrq)lcun_;lCK=bL(nrh0h(1tUpB`u}hgMTaSG8w3b78UKsp6s5?G=Uk;q?cGd z`JG~n37zf-iL>81Z>Qa_4UOtvLv7NnL|Munr8&=(S}uY}Pnz&tF)70?f5uG$Z~I$2 zO^rMQMCDHgYAb`mW~~4(vWcJiC#!V6CaRz*weRSaCB{61ay?GIY8mQ~q+6Wuw@Fl- zH>EOY51PoAI+r(5xe_)6+&sf9q{P)eQUa7}4|I2y0E~NdiVY~fX8~yOO z%&1p4)Cdhd-j|IP8OnZbmo~TTb(5D@j*t5O>c*$Y_*)krGf-_mO|t&-0{BIHbY1~A zpZ?MxlXdt<0c2@qRRw(V2LQYZx%7;zd_P<{*&LC-s{lMjO2LspX zV5e!>&ASiy0kWR4(bb&z)vcis6Q2VpaxH5H)&+jvq*-lg#3QYmNi|u@WB;#kb<4ja zpmiZ!NvF;&c9zIWzce8z#6b~Tmcuid>528*Fat`m=(*WNt5~|niN(j>>|9K4R^KQ! zU@nZEeD(TyrvC7O(+%<)v2}%;y^4ziQ9`KM9@mEk>aBTrTDr|!ZXTi1sI%`LqIJ{q zKPgk<)7aqJ_Eb@W4<_O_it0(dHiXdUVhb#FGgt7 zCFXe(e^^|IUnmNUnS)1GhRoF~=6SnejADaALKG0*h&Z+{LSjpmON;KvSJS__1|z;j z*)W?oJ@)`Z&F9N`!6%nDp-`%obRS5FcSJy7Acr=OoT;5Ak9N#uQ@uib?&fA^s@CAv1=So`4_3{*0n>L&Ho$Wj}%U#yS!LBu^@3 z6d8Sn#MCeI!6K#PEu=(wed4e!b)>9vCQRn(GL4 ztkmmas#hbYNfh%FW4+GLN68!HWxoj8*moYTlqEMNxYp)JDX=VOoD}F)%8O-~wDT9K zJdXS^c+bHZ_`<_m4 zek;Cy{C19(QqXOr?yIIwkNn&8EN_NC#n9a50jayciYWMWn}&vCyTN^Dv_YYa{KoLA zm5lj(wFYLR#`9<&alD=w3^yQY^d-P;jR9T*2<&&ptei%b_roX#q0xRd_^sdD5)MIZ zOB8#~_T}Yg{B)OzlXk?7SM8v&iNDvo|17$mZ&SbhVN$rKpqR-0$x*GzX*rZE>@#jZ z2C=p;`eS|w_0WLF_CY0AuhKo9tleb(bZ4_fM)&;Gv6D{LeT71t6=rbc{HNr=#aA=F zILXA*(_pMKoO>H1%|G4j-JmL5IH(sxm&WX_(x7***eIwU=$XA)Sf8lz(^B0qtxYhr zH<7$0&Z6qeugU>+g*$HW>O0f*W_g`EGC8i+n!M5W^5KFbYHL4e&wC3zNjbAL^GDSN znry$aYgoUI86vS!lxg)w^}Cy&o&yzKG~(vQvziL;)mWpMJP{p(YuSU%F;6&_BOXi` z6=>yaFw@$<#@HQ=S>{5T#Gd*X^B0g;eylM7X7VaL{ZV1QHuWp=ov_#0HFu|Ldu};7 zy}rI7VubU&!uq_Hsa{_}Bxb#%{5QD|szzc(@Ds|0=RI~!q@Wgc)ejG8Q@y{j?_93) z*FVIp@Ywel7Q0R5uJSrbH<3!Ijc2pG;N zq783j^17nc(NuvY2%UuT5~EX7t|Ux4}5Fq#Q+E;1}k4e#i6lX+0eoSTqo z&=FtiH)$EB9)>VQlobr67HSr=3L82nSBlnaW|c#Ahl^)@pStd7+!!)5CqmKO7;Lz{ zrT*0)ySQDu_1bD$ME`0E6rj^s+;{2-m( zo!#>9mBQD8U-oRwTRnCE`M~pP7qQl`cu$1T@Uq+G@^ce$qe_|>Jm>~Z7=^4Ana7kq zd<4HaB=b4&{!`CcO81N;DrnCf$o(M3Wxleor2CEW!OwiZ8eujWxBZ#@k4dDg#-@f; z;sW6hLsNF59}u0p@H_#ofufkZEjSS4C7LqQaX1eVVrSy$TPdX?kvWgJZW_%nzAq}W z4!y!sq{Ll&z;uVX~cGu<~O z7i)TR?E_**kMBE;XR^|YE;q>^C1_~}iZ3j`vC4l}auin#s_CVGRVEhgDQ$Z?0_rOF zIhv7XmatfNi09;djkQneAEop9h4ThH)b$Vlc(aN6HcFHQI{D3aSsXIBOrhHlB&seZGZ z92miVZy!h86vc2YoNqZNAI?0s%IltYYdRKM+|on%JhE@RXa)R$YBW+nV|}mj zlRJkc$nbtRYQ-APb4$HUMobgz-V7giMkZgmHef)VCk?(@(^NJmZo7@kKM&PP%BUR7(eDOBT!M?euOs zhNHrAk}}_*A!IB+B}Z;FbA6JM@VoRLI)$PTh5Zfq?BVVB)P@`B)hp%plLG&Vy=4Su$Z2&>^j0A#~0TpJY5PmoQ^59 z?=rt#zHmC9Z+Zb^K-bgmfW<$QX^e_`k#w8ko26M@TgO0eZn~5+3i`2FkX`ctdaP`+ z`43-)d4Gyub;q>wFD<^2Qx_7$dH60eQuoo4hV?kr`;uN?D@6<9Pqt>tpNokf`nbFM zeyQ_%c3*G>BCM5A6-XDtCY|tDZ(GQanyQo~-Q|=?^w!fk+cfW2$7~NkPAdp!+N}-e zOqbW;Zab-l8L0HNop0ySypd6M?(=-h>1LLnQv%6<(u|I#`|4aKwY+|M;=y9GB4qPg zd&UTwdy7e6po!BgWV19)Qq(J`*O|YGyX8{A=#!s!YQ36tK&qD$sP1Tl{JqvjbuB`U zle^#hQgFWU^6W<`WAq(_Cxdn%1#WiMD4V$ZYvGM0tCLM5h%&5X;n$d2@dtDKa5!F; z$zWBmBJyA0wLi;^yTtysTn+Ekk0^aT1QcREFq|!yeoYva`lSaK;*0GmdzC!zo)ENS zMPx{DW9O(`d*?DdT_x(ZjD=gqG9zEjWl2*5$1~olp~D}Hc`gaL^odMmg!7;Kc{uXb zY~9&y>y*1_zT+9NK{_>DI%=q_#s`|Wb1M$q<7<|trd2Z#I(ubu8LpwJKIUz{fh%Ip zgN5tV%IhcUs!@p+&FklS^xf5lMc#(r+2z_6mkqoroB(ag4+O(M7=box>Yi>N=8;FQ zzJIc*%?Mqw$}jcy?;yRbap(892lvM0-d2oL)9mD10#sM=GppF zo*f1UsD^qUIU7L7bDfqkmUZPMVF|qrK%X7%Gm|vKHps-3yn2r3XxGzBckRU?xeN%G z(RMl$8RRVyQ%VaE?;icSAfUzI{@L{k37MokYD?@5` zySb4xk!*EK=6fE+0avA*q68M%Eo*qYt5w|;GKGg7A}>$;DTp1JQ)?zE&E66@w}<#v zhLeESLit^4H&f{XojXK`FZ(|IMu{bY>Y{)FB4fi{6mch{0dbmCf#l}m2;#a|;ZiW~ zEBVoM$1_6HwlS;88!N3qFZ&FEOd=1T^7nb%89~>yIZR2yf&e7W* z*sM6-EUEJx$Ue7|!mgH@IxM}Ik(TY5X*LI*%jUK>$5TEWttRv9*^R?;g`wUk+x+|( z`a6%8Z^W}JgGcU_EHIk^Q#e5*KRBK|*7#&muRG5ia*annikO43*r;U~6?UABKW-XR z?Jvz@w89Gw3cnT2mc5xMnO)j&Qq9vNkJ@hR?45a5s5mbsAM;htr!)j<%^Kj7I#U%QDrBid2|k@OyE94>Qx3gRT&fX$g}314f}vPD?4}Pvq`qF zCZ{k-M~2OO@lf2<^S+7C5L=jNZ}gy6iEj3>?m@Z@(@0B0GpFMM6~{qf_*{=TMt5wivnbyLryLY-H>9%l+4Q^2wCWhmWY%c7& z91346T7O=F3OcROL>h;9j-QSgwaZH*p@?7fgKe?VoWv!c!KC9XGHEm!QjUprN zJ%mYeLHqQ!(!YSQJqdWQ>UF@;ViCeq)i0>l@p+^|u$XBEzCMnr^_2`|a#l-b0SIVotB4voCV6q%$ zjIzfbSIr-dA>*hj{n~fQHq-UWg=*J-wJyx(IA&wbb?Pw>{vC7jV?n~$%5-5F^Tp?~ z^5cd0X+GrH>59sS4RmQQzKcKTlUqP$rq1o<5SAQI^u>Co50qvuURIut92S9YhFg9Z zug6%^)?P$v>E0jAXq8)4=1O4)3CnSJYdDSXCfMrorKk(Thf$F+wLK#H_R&SDkMr-O zJ$keJCMF^IATn(qC2eo%ZUGluKNYke7015t%w?w);*}}P<`JOsW_w2S;i;y-TSsI> zg}(E%{OL14A(x(hczp2g$#U!7Eh~+tEGFlaM|f6l?twzAYf3D~OITL1J6&X!ukx>G zJ*|rY4u%Q}t*_>rp_>ZNjW5%OSs2By%srU z*n3B_9rpjjrD{}((H1pAQCdY+i4~y~HQOp$TUDvOg-EQns1bYAuBtt2uTVwpReSFl zu_6S?FTL;k`#ksk{oT(w&pA0KpOe3GlIwb3*ZcK;4Lgkk$<0Y3Sq)H(kj0a(b~-!n zUP^w(A)Eq=M}X_Evr_FJ5~wXG!wztLR)_;c8Le_hAS8u|9W1s!B^c>KG$z9iI6{~UaiFq8gJMuW(U-fN~ z#DC1QN-8k8>xr2Rj(9d8!To6(~j$R_>#1^H`*te1FuLUl6EDIbFv^3la3QzW#nJ_(YVYK5w1%GT*+?fn7?T` z=my>h@>|U?)6+KZl-l4m$Zwae8>ZavSXjBl9k5F4FBbVjC({|gBUPIVX=w@M8Em7H zIU-}iU*DkScBlBfJa@7&0z@=6ir&H-({{1}aj9XRX^`dM4X`iIprSca{>a9K2Vze` zdVk)meg!m~dKNsJ^abC!qxnDOtVN@=nIGtT{xQWWciPciul77QysyL}`%bN`k#L;- zuvx~^d5v1t7xnAz6ml18Gc44*X$ZkZ)so{M{5~?|j?3l(QRZW=|ccK-0P%G0wT9)6y1w!!91` zZV-Iz>N_pjPx+x8=0op3I`!#j+mx@IS~cpJOX~40P?0G2Ag5;3Wo0RQt~bJQ0_i@_ zo6lS#N4!BdrA=dQrWD7fLshmmzN5|gpY2199AofKKNI5o*V8nfj>#WJc&(%XeG27KYU=hX?8zd zes}))JeOBPpSLEnpV~swnv-7=uRyh|{_ZZ+Enw0M1L|FLoz+YH{bW4@%?{hDV>?)_ zfv8POs&+Mb%`c7^{fp)N@1l@^&mos0rTd1ra9UfVF=fx}Z?KqEqv!4zL^h}p=elFv zkTR;2csMJ1Gl^rBkF$6&bX|h57q{L@ICQ}8Ulg&xOYt+r~_R`nqr$1vC*{C#@yNSTtb)& zeEN^OdrHJ(g3l`gffboq%w+UrZUbvb_G1#&$SVpztnfck&F3;Rag<%wKQ-Gv%s;3? z`tIfVo}2|&2=EeR3%L37Ox%`6D_lD7oZ1cnWWf0zGLs|n<2r@7g81YJ0Y zljDD+jduCAa?hfS&$TTRz+bM?1)Sn11Jn_`cG+B)B@)kun@_q^0zW$uV5VMPD6=k~ z2CJ1p#0%9fAJf+PLn-Xy&%^$>?b7~vp+zY!zSPW>MxT0|*c)eHZpU5bze>CCuO-p*{w;_=f5qF1>RD98Y?2;Dp2l|K_sUrtVRcULZ@cKb`$fY)s5 z40Ik!C7G9Q5-hT>02Cs};E9*@)>W_ZE^uCZ%Ko2IMnO@Eqce4ey|JzMX2_iow}txw zxfBQ{sM5wZ3$~=xtf=88Zl{eB$8e&sfqYe#otZ&g^=#&X<9|{vFWesjF3+8(#ulUr zcO+-HwX?qYnPArn?qCGU980t4Ne2L=b$|CvupV`&0;_v5oVlE?t^|&CIh)Jy{40vx z_g>vsu()5D#P_S=lF0RCU&c#(c!mu!RtldEe=Zh^<&dB->2e{(>hGSjtcrnPGX=aD zWLH`Rf@#dOG@bZ50PRI4oHEi%4tjr-9(;3+Wt@z2JXC(3VMB=lDK_-;CX`nt&(s48 zZDz|OxBNSaBGOZk^cf}_dC#IWDd~Xgl77#s>=jB;k>Yz9*rQ~p?%)jHO*I+7%)IVW zSl+Xnr8;I6_fk>B#d-*SBKz&o&yVWWBS@g>$;)A6u>$|%l}+7_a-IO!*8I*cF%tfx zy{a6ldz-ny!|I)t+80OPCr?z=MsG>*J&@9bR9?0+&`&R#uGUr2guax-XvP*@x{zvr ze%Cws7KoV5xV>UX?B}&9e@NstQS{mJAUa<>qmRl*%JD_lb1@vscx-P=Qeehyja45x zP#6g0>3bRA2qjBjAY@2Mf-p!_b{-L%>bm4YXnSGI^o3W>qi=q}_wiG!=k<4=Dqd+4 zV@?;m8H$wWcOY@&dGZuOY+aej|p@6=^mt8P+?rLP@#hl$TcA?451L&Stg zgZ1u@yp-!e-Gg(D(k=n@>Ye#RE`w0lBq=Nb@OiDXgZ!<9FUqs5#<)%t^q$w4tZ{-uP=b<52=RsozZrEo0jw(6VLuN(9c;WkE7~l(xfk_6DO@<1?b}xQ} z%6Y6m%2ge0fMuXX!p1~har@8rORn4nxW?&MvHSH%nWe6naG#<}uYEsz#66{`;0k+% zzNK#`$O3T>9f|hGO{nVpHlRhtteAAEJ9f_#r~>F=a&nY71&YSfn{f2K@qm}CdD6Cd z^LL7?6LVdhA?iXGX@e`!L;&Qw&~v9Lfm6FSIMn9D+qdW^28G)n)wCTw^J$J#0T^lSjaIb-G9@^pQ$L6awm1FwN3w9PyPEUVIa^0ipIr*jXP@;*f25+5CHyA&Wb$jNFD5KPcps?w<)|MpMGQMO{1XM+Ar3#kWl06;fk4- z98>iH!vyn%VSF1h>>zMCEzbb?R9xUDc^18oA48Vq{m6Z;=J1a(#_FE0x1GP z5y-711v&9vwg@KyQejT_H+bxmsU!z^?!cwY`WbzWh8{D-;%vMvdLcL688%wK=M|=0 z5>+Irp-8nwjvT24Gew-7jt6P4JX2L!f_A$gHNiI57(T09+sfv*Ic0QzcIe8s<1-H? z!NkmdjC)6xHbD8$ z;3Z~wS)hh5SIwti{%K!tLdLpq!fPOcr@`$qALzl$QtpT^IlvF6#0xCbo{Y!Vedarw z_m6$LT`7bk7opB-^N;KB0Qhgt^Mo}ec(4~Tf;L`@wDkh z-_hmbbIGmZb9M7>{{XP>umwRsK3 zKE@=A1}tzct_!H?iErp{(k+3U%8cU#7G}M*1?n=fL_W!f`oQjMacP?kR~h$GvkA2> zFJP~0;AzI0di(hI9&)AEpR_35kGgP9b!fVWU5TC+xJn%;d;Cq!0IbeZuJFj$uSHe_ z6xrP5`4d~;8IyY$8ao7vj9GiCTHEcVWX5?%10>>cH)YiJ&WMc8KFNpOFQ8d|BF9#* zdwg9X)V1<}^WFk_L>U3k_XW9xDF)PaA0*_82E`jed%!jCO8e!fc#TBJMV&bOIgW(6#W(p#Y^*}n@{aPHhUgE=rP(Eo^$Cy z$St*NmsqYohLaeCkf-0W?+_DlzVyuQN2+q+`&|1`$m79fu0Z)ix75@3Z3)UUCyG?E z)J7dkNg#lG2r|Lvxa-GPQ!U?GZprmd7ZOL2)v&{g78bs5+8{4`q`|NDQs3g5HWzdI zS8k5BUl%mi#)3xouSwS8K7%NaLIyZkm!%BX7Q?Q}Ud31LPzV)2k!_lamme9HF$c~FOYmjH45>qZYu@Ax@O}E2qBg@u7&u2xr)hb+ZPZiWY=(qI5Cp)1;3qiSR zpSBcRdd84lnU~J*pJb5R2Wq9sXgSvB!^;zu$>)9zDVcZ(`*n_6Hx_K7_rWEPOFXFWiCmVcJ~@{p1CS#H_1@Hmk*obsS74(jgeVuUtzde2|GH{eCP1+< zD$1Py#yf%~MdLB&?&y|H^uY(Nfh|!v%GGdPow&b1wHHNk;)Wgvx#?3^bNZq?>u`LE zo6-}|%YZ|Hg$Py>8e}zGl6M?K+dpdQDtga0Z=yb?5vXyP-l@Cqw1L7JISvk>#A*Eq zi?xXo^<5C}8E4!}@ST3TL(k6Ygc7eg{hg|$tp8Yk|3ZN20xFpHh98cs4i63sC`6d}+6R@S^GB&&{^f4=dGi*acqY+oXlJq^BjM91 z`__JiSx=?`rEDyt%)GA0-1Vr#k_`83!fb}_)>UYTM=dop1iaiz`}XV;|He%X@*t&e zhbN~@AHda2S8*uC0;QINR zc2F&5m)_MrCGc$v4?zCDkU=pcv3!YX?_Hy$#@|_#*Fy?z(LEO5yWSe>yUomM_xSnL z1{~8UU~W-B1YVB|cHk|o1++)!0c!EI=fE_4>iJO*#z)yPW_r1;c{S@7H8l9~?+&_u zyDL1P=)O#Lq0NE%RWeFz)zq35=>JmH^oF76`)g){fjaJ)H>>v+b4=C;V6M@>%MZ4a zsVoOa5_~!W(`BlY08p)PDx;&jWkD@0EbBV#9m>~Mf}zVZX` z_PdFIFHiDi^|fFi**ipdEcbdJQl6sDB8>Gq{vl-dZrO5Jn}>x+DyUPeL*grdeeD-M z8F{L=%8b7ap@w3Q03C_G*<*jn|9;m4RvctkyoxXSyb|9i4mT`jB7Ttp>mHepN09ov)+z>H|fvs@glp zOfIFEJ3r)4UdDJ?KaGrBU9>Tb0CL1_`xP_{t{;Gu% z{(V)w3YPXXn!#gRYy9_QZpKbW9h-N{Rj5)W`P`?7=G*|?7oO_lb3uHD<7Y`+*jtr; z&6<*)OV^Vd%%78yHoORoo^`jNJ>Z-wkTHGjN>|jcQqnfkC)62!+F;BnHhd)HsvCbu zOV{e>sVvKItp(4Cdg-XrM_3^SfRwYMO5h=!%o1 zJb$&2Th`un#6l+KvTp1tQ2VZh2E#Et8$4!yxLDq{G_T{$VM4u-x>k$OQ~H%vmBWZ} zQxT%<`n5dYz=-$u&(4_lIy8MBuL-}}kqp`%FI@hC^V~}pq7AM1_K%jO+$ECEU37A^ zfilL*rPA%?TY^g$A1`Q}7e;l$Ik}CkYW{C^f-|6kOEC-!NS1!t{OTk}`J-x&eR0&y zB0#5!#O^IGiXAaJWHe2U+>Uv7S5LHfa5_4u$Yj~GSzd-z2fAhrLW^%Z3BCs`@h|L$ zyatsKRlW6FV1z=J)y;u)&**7M+wFoGF@t(8Az8mZIjnA6OCC2Yuq3fa@=)U-$En+JO7O;x0?Bi# zU0?#I=poCnc02p_N(Jpetfzy~S;x@R**XoMBlho|lK}y6i>MpmNgsiMUaDY>#nC5&)SH19UK44wQ#J?~Q;tAx>IYmP3?eS6WzxdfV%MX6!SvoWAcoFF06L1$vr7 zrg-jjs6A6gbf{>^Rc=!t!h>!$CjpH}QGJ^f%=Z8m9NMg6ViwefTazStLcsUPY68yq z(HjQAiN}qnhZ24lN6mwS!@)Oe*GcMpx!Ap3iWZsrE2kULK z(_rssITfP^h$^tjMKDzCE{-=1EgDR-iYFMr}xv=jpU)(8Bu_s$UVD>t{kvC14)C-TLWu2}7YG}KO?45uuzdZ5~KRfK! zpW{B-wDqccivou6dnNRso~NBaBip~X32uyP27I-EYiZ*R$NEw{TWM3Vj+dW)2&w%+ z)7Kb_=57!5o3^58&)I)H|3fGhMf-2=;2;SfK0xdKI>|t9MwScrot1yXoVIHiY}g%y zT-ST;n#;xMrZW)mqDr0rqL;n*JqC z(tmU-c_GyIFWj2+OM9a4U~M;_f60M8+il>Ve@aZmc=Z6`BT7t#XQE!<$@W>?_-7B| zNVi8+Uw+E!m;LcNLKedJq9w8amqrV_`>2BS`tKjKwFv@bPT#n4&a$}jVS;t&aHA_M z=pOA?f^a?~2TBE6-Qc25o0R0NuGwm^^&w;hkn^o9N~s4;S9XMJG#iw@Iw= zlw_`gQ$lpCu^LWThKpsk8P|$T<#k(!$@_Ab1%Y>1sf0Tj=Vb*}7D+9DwYJ{rSfAL2 zI=`mzz4Z(2IT~>;fqt4LE>8+ZpXSU;3yx}Pz@CC+Hr?`1N^&rT&!uZ%ci-rZ+KX>P6u%=; z>}9w(nC@6GMjMiezIdFy{I+e(;b7R#sVjrMTH}+-)oXN~H};$#UH$#!`iXYZgXc1y zJIZ?HQ=~CNc2e_(B;DDJSK_1he_BpA*T45dFC0!6mPPsQ+%fDB8j5@?gL%gnd9|73 zw!l$GbLj1eFFcqun14#LZ?HPrBWsopPtMfqzA2JGqWxxd+RbDs^Z43_@lpryQS3AA zC5V{aZBx~WQR4>$y!!Cjh2a+~z-{~x8)$<1Zh@hAgUwW#|a1LA^mtsYcg4K`v#e1O5@?4Wuh#xtZ z+V`~jV-Lm#_j)~Tsgj88<^0v?So>JLMHmrf)6JK;$==CuMc8JvM*kwaTWVrk>l75w0vIhQaz3b zPaz{2!qdXK{Z}kIQ;4anHcT5f^Eb$KgkxV>%1PaJU3)Je&6JKZc|Z4exMNArxx2Z1 z&t~Zr>$y>YKQ;cBu4sL>-Cu6=UySyuCbHAV%yZ}z&(+Wpu{eL*x0$%fBE6fGoilAx z!?IV-{=XQ`|FCPiMP3N9kDtYxo4vr^V*;}46>M4yMQ>M#8T{UDYT%d@QK5mBB8Xo; zY?=1%$UB|hYgVbGQK)-OIzl7Bx2}GX`FaT2Hkw2#H$L-X+B3z!`=ojC zwxH+CIMF)3C?3_hbR8db7#0>DPZ~ITFBWc+c&$2hi(Y4_<&faYC$P3}DQ_>1u{kCF zi3Pc!qUqH8Vm=3oO@?|+Sv|!W6{|YlPU-?rM~@XqR!rVCIx*kg32^>iiSoguvm8@9 zjxh7=HIW~8rF&a^_dP`eJ{~tVDn4gK5eI{hc>X+^SBjY1SHhO71~=7P)T4&V6q_Ee zO?!P)8z2B`MO8Z9V`XUO8WhfA6@$cLslc;kG^ zo-)NwC*77?X(p5TQ&MBYuh?V%pN)-r&?N+DT({IYZthmoGcv#ouXD%@=y2+>Gm@5k zj-dcWl24xKoW!L0^5R>$WWr-JKEOJLN(O@Whi>0N4+igX!BWg z?jct!>`T*6#UkaGpq(UV0=p09CaJVb4@C`U4g-NAM3|m5czLn;S73|Pjr$a_Ex&ju z0>g5+Xcr!vt3ogw=1Q;)=}#xVyymIpnVpsazFC#qmoqM9KjCN=-21pt>V;{1e;G!7 z@PNhF0$|o3bli({*)qRub|Qu%P9@E!Aie+eB?954>4z0> z3N4zKJ%S3gUpVBO6xQooOp6qb73sdXK{yk1?Hwv!nG@kmjnF;UK-f=|nLbsb<5Lxy z3IGPvO}1phV;F!!*w_MTa?^|M{o#5SC7N;MxF)~R>PDw-2$yh}fVEOvHlJG8JH`4_ zb}n{N820y+)B5>6l&Ilt4gHdYIPhjSns(UIA^z((KDqN4vI@G$apMAZJCbhi9wXD< zm8Ue{Ius(t^DMxBm02F!pzbk;X_NaLRNF2o z_$vMT>{7-nolWw2%8#PL%NB!|?OcjFraahlD&%QWi|QIF6nDeIS?fl?KhRlUrWepp=8?{+O(3F+6VamVr7u2zv`A~!9p|82xYzYP+tw{Pp%C z$p@#d$}C@xQFPwy2IH%l;kt&*t8a+uIPM6Hp!rL|U;Fh^ru8sX))Idxsc^knx}bhY zV!E8~&LR80NV?t-ODsOu1%+E)xj{ImfzII`L`rv@(d%InHegmT_0J1fphS^h0G-uJ z-~y|86z4vM+VxF?qU(=UVlU@wU}8=r;8I$U-TcHVQ+My)1Ry(sSY?6^^5}3SbWA z=$x6{$8<(X!~yn{@c3wbIHKp<$RAlOX20PJd!%#kVa2g7U)eM5X{ta~Ka>gZd}V zeztv9t+EwqzNv0G>xFOPz&C1_^9SpQSk!_-?qAMTL3sh0MOO0rIfNF}NYpy7r>OJTO3egEJ;g)*1O z>p^^_13m`GFXuCi-$~>bx&h`X&SlBupFba81QT!IbhJ|Lne5hU2z~x2Tk%?`_^ro> zn3P-N#XJqw_E8JH;22gW!D#j04}{BhEca&dbfS?wdAi7Wz00fA&^v?ly_N1HR2E<9>e>FE0M$?Hc=!)e+HVy*EIJ zVSBWnW8I>ybah|!l_gj4iocZ5nIGC7%0+!fvDkQ;sHrNue=s{Dg@qTsf$~go9Yr{g z-EHG^bs8Gi%_r+ylz1}MPdd%Pa<7m^;p1c{qCL1Yu<>$-i zk!5Rli-e=qu5YXHefZ_#6IWs2?7LBEZ5C6f{we6g<`)-tr`&0$ zKg+&n4Sn+@M^Rk;37-G8EOlI-VXYb{*b6haJZ7pvQ<|GTp)DeX(KPD~V%$@q-z-#~ zG%Qg!shJDne9in#OWnn7kW0C1{X6Oo>TZDR`0lKu8_Tyb5^8Mfa|HbUcHk$e*r3vLqGyxaLmN=4t%lm~#4 zeO@h?#qi<_iIFf6upCg18>&P&;JA}$Jz4#BbYm>K6XGl2%dVlLS3kttNyKuS7$+gv=kAY9S9VGl$?Buq@He2BDh1EJx=&EGHD3aH z9!)Lq^q=ABJ&2TCV{ktG%EPG>T)FB|t^RM~6X3xwJBrrJEfW~o)nCh3lY%rsi{-gj zH$K;UBc_z$3sS^+AQvCS-MwezjT4a@T}|I|lInSfUE#<1)N z2xFvA??-M$sumZLGW8O7<0Tt0)0g%neDE1{(M7^?KO6%sPH5Ax}}4jZ;?zs_Y6MAmbGv^ovqa#t}aTP z`GaO+%ybvM_|yFdS!m4gEAAQ9fyqnzRArUUkc76_JSg0!_MI?ISXgXjul;0R=U&Nt z?eoHH;h559yx~njo>G&BWvh;G13r2AX3aAHlgj5p4(JyLEa|&XtR&@!w&;5M)EM^g z*qx4UKQ>I+;JUWAN6J2VQVlI$Q8^F&|Ro7mV&uA0-$<|)Uw#i+ZCN7m+< zv#{l3>eN!_5Kt2D!=LUR_tISluGhYKuUoCBkFVF{8$ZeTBhOGma8Y=0U!*z58tq7C%lZ_xHiV_AjJDZEn*1LfUfB;e7!C}<~Z7O!x2H40*pu3Ff$Pwm z!^wE6^=A2d4YS_dKY`y?c|w9{V}GuqShWp9 zGj7MNd9ao1@RKm!Jn+w`=!)6!KMv<>0VvYl&j{4B)$W#Kn*+UgFpSJ^w5R#q6Ahny zT>)}PuOODU>EukH5s#syKw@ zu5|rrO17%qySuLijh5|S-sUQ(NrR4E8P0r8_=K4+Zy_nW{8UYQEdDP?hkyA45d9b@ z3IUwO#tmKIZ+~h{g=y$okDa=#rgC+ute*3v*xS8E5^j)0a!OE#42JR?}ZPcCi z1k9D7%lmd?eQpMyV_?$)&BV~^RzvnmohCf9M(V}F3b0xSLDWSjTAvq~G%XY?+M{g+ zeb?H&Y-GW%ojw|DC^#a>w_3jG>|=&+`NiUZz$m8QY~DuRcL+i}+tWueBiw#IM3Ffu zHpP?D4${Eqs?J`MZ(@Cxr|*IIdhY%2z!k?UWS%#+#57>0|- z{YU(Fx2ke;sV$t4jNZ%V=7>QwBhkKaX^gubxAGFzK(Dq{+3dh&eg%9~l7 zYF1mi@5z?aHLS-YY9HT_p=nENM1LOb^ZD%%3x{7x)eOGg?LR}TEUsHEu5F+N(*wZk z*L(-}8)z?-hURHy6DOIDCl~>(8NRXv;AsRmTBTLnS<>b5So&(`jLrXPM~bWbFNgsf!n&T+EyD`qCKX+ z*p-fq<$)H8tMRw6paUNbQ;7u=zl*C9<3@)iO$BpT^_^0uoeO>J=5Ez&HVylGr7USz z{MR5P8glD2m_@_Nfwx11-g+e}xnbX-V|B@!rKa$vu}OsUHXy^LsgG$sP?>fcm)2jm zl3Ia_LZo5mz|#?aBeXPN&jV=+9T}2dPah{3n_*s~ znqv+@Mh-(j>wjj?IaBdHGmD(cDS;c(-P${WNRYBS&DXwopN!x_#mBDgoLHU_dYgGK zq?I-_ZkhbBW>A8;T4-<_BG>Y=TLBGO4w*lms1jNBj|x}0Q`!6;OC-JCtXXKyM`Do^jD zjp&S$IN@!x{>a9h3@4#8Qe3J6buVkccFC7<5y(0c3tHWt{)rFY+QIMGH|>>}7@^+7 zOfC|ChTRmgp)E|_{bJi~^eW9msH9fiC|h1p*1BqR`m<2+@VkN69w(2`RkYpJZ+e$v z1%-NT$4kq~`d&L7N)~>>I@&G%$m~RH9Xjm3OR3D2Kh1F3KI&rmZ<&71RQzRS&DWd{ zHm%2V4OprpwhAx%dULx@GfNS_YD{}e=ob*BjvS2~$KDMb*Q`068ODfFyo+f8YRlBY zPxg@dmSar;q5vFoh?C`vD%kw? zuET&q^NN0d!d^{W3#b`8d%TF`oKD}X?W{EM@+Hj_;<1~jHJm5u$GPJDx7@uQV{QH! zQY3pnAQZHKHol}?Sbn0n06MxeDXUz{@Fs)Vsr(1(Dmw&F*mR*j@k0fZx4O`fxz=p< znPZ31Hyo2bc|PG9$&d&p3VfCjtF&}NV0%vt#bM}IyeI6yv?>c#F3k8D-fwAebD)>? z#@RsGDB{oBO$^Ng=ATzW+WGH(X=?wWQhKQ~*ndvr0nXb0v1(h2%Or1yH~^9QzB64S zNaAPx0GXP5hxxmc%PZhAr6UkP=8a`%xadzV;Jd?7SBB%%=(h80vG7h!&0XXxA(=7v z@AmOJgEv3^P0%$9Z}AxKb)pr)yBR&eRN(2le0oeI22Bk5pkZ6Fm1z9O(WDyl6Luay z*_5VXb%(K?$*wvealigO9`^rz z-b>^r8M_uvzqd{^$S-wr15IWYlkPZvp$~Vi|slmW5lX;Ig&|c-?48W7y5~)Z);r53@J6r5h#1Gaohnvwrv2z67M>EZGuoV_|~30VNs#~P2-B|wO+R~vv-rx^^oe6$3soH^ zmvRdoo!C>f(=gBo9ulDG@d@%K<2uas2zx7xW3974b?mpjNPjJ_xXeY;88rJepOO7r z={R;N*6MuJzh|TRL!B6&*6_Y~;)}{BNU(L$l{K!74MvY9(e<6a&@?;v{-K3U82zT@ z@;Kz$vAp}a3LLBoxwqkCW@)E^SYEUPuc%gTTbe6zz{^QGaCmYGrJS=eDc_I~Ls3#X z5OBYCY01+;VrhSK;t968;p3=3s8C+E;c?TA0n}#k13OQ&2FPxIzF&U<#a%McZ)!mN zh`TykThm?7ZgAPOX~s>8s4*v4r$ow6{=Z)fqDl*2HAI}&jh*-RV1g<3WsXJ|Z99V1 z)w&?7rjubI%H8v<@$b%N0vS$?K^N5Lqh>WuEk^l-wvA|FQR`4| zWicHq)Jaxxgis`m`Qwhgnot)9Ae5b`@2&{?IlylZoxAXo=^uq;kA?TakUy^I-a_~- zgRxAV5QuG!caf8O_IjxJJ4(rO9^d%~2Gd>Xcl#rPBm6#;0;^M*!zL9q-9yTL-x zYsld4D*+*r<;j*mXUq42)jApb^459K0;k^gKMM1CJB_j5Y?Z^}=;2gV zqN!BlspCyLFRZ>C!72-p|EckHn-kYS0VV10s|5Wnil6#yH^z?9H~C?II_>uVkutwK zL2-WV-t{pKjEs z?liow+xQwbl`8EvwN*Ip>2%$s*5-M`##fCg885@ap&h83YZrfFRlI>|zHQ^?nK2Aq zg^tk>b=oei>94FagZD{9=wyi4#m-$}F`XGJs;TH_JN2%sYtX`-cb^_kW5Y_E?225r zQ)MGA-^E<<~;d)s=vos`?fv+ve>$ixpGd|C?& z6R~5_6Yu$oZ@ORWSUu!(x`PQH)QXzsC1c;?+VeltbDL;K>-fnufpO9UjxY=ss1XO# zrGr9FHwUJI>Cc?c76Cf;iKd>fjqHjgrh|Y-E!EQ~^c2_rUa&CZ`gh45ru8UXV=3ps z9H7zwWsCD9t(!`u-;yqR$)|@MmE${KT;q6#azGu|jA~Bw{KPMHHvqhKWCd(CI)BRUr%2zfX=qRL?S7BWRz*~#J&y5ZiZC8^?nE zvHu5OOgc|BYgDH9&CTZ{uZh7|$7`TQyvlcs55@w`f;uOm zem~NO2>J4;&wIF49Zp=%agQ0XI?eR{sqR=GX!_ginW>kPtQ5$wA2FPHJ!qFMS{ilcCXjKToJDY94eV{aB zHdx-KtS%>2Y)#r1?`Gym`c|b=Y}V-`??%TFyFTm1pForQGz+FG?0b<#)<;!7`sb;p zX2cY5gX!C6^vI%`h1HQ(a9z>g17;!eY38jx&!UuZ2z9W|;BdxUH@2q7*UqAh6KxqF zZJ)V-g#Di_T$|V;wC^bmdUd3klpIA>)G9+AzPzh~pu!|ucxNw+6&z?|df;y|#Tjw|<$WJ5#!Rs3#LFvg(0DFBpsOmTesRv`#CC|-(6W*>GIaV*O$b|jZ28r~c ztYm;)q2lrkt;qXCz2(a&9=Spp?X{u`SEHP{xLi%w=Sl=SW}WX-iyUm9?DPy6tVl z3Hjq8fas81O(kXHJdpr!2u|~4yHyT7n}P3M;Lsq{#q8cqvAG9cM~uMtxF*aPh}QP? za^v=FaAgp{+icpVjc)ps#dL7jV*sXaIeitKh&snc*&X&t+L;lzSQ4SJ^K)lA(~(kJ zNm&+Q9SuV3Cen|VM$Hb;X;eG&)$@+iDaCHD>1?*}NDvzGsK%j|;N$Q^3*?wf*bMi4 z-NYH8(m0OZkMSI6Afn$+T&9<=ylA{NxLbK_h$f}T8Z>;nb<2+!3>llxxLKJCK|gJ4 zIaz_Ej~&B0Ta}D&4UHLDr)7oirn(K-6_&{4Hl3l4i$P>#etV_|B$JZFby$Et@_gbl`F5FZI%5EgLf0>kOfwhk15W=~qyEV2 zYC#`SnEFhvIur^^0&kJm0V-O3wySF}HRD>%vn1r97(;AwE%h87HK@5fU+)D*(NUTq zlKn>Y(EJT3#L4;;jDDuHSb9I90RUggJ1(|8F6;>MTraL>t=<15^<|dppyjM8vDvw% ztK%1ukYPCmB4S|ZCj-+}-~)>=_6<$vUt$@KW&}J9TDoCpkn1c-m41t$ooMXy+6Y!$ zRq!1D5P#vi)e;imKN%-BoI@{a6iDBMnev^4Y#WH@4TnahKC#Da44lRAx) z^dsn@cl}`Fi?8QOx60Ut8s7dh*|&C?ln+jSKrQaN>qP4iT3*`-Ugn=|4q* z9-)TJK9r566MqEJS#RN`HYSB8q(bZv{i+vIZ8v2HY^B)%X%{b6%C)yGzLT^Qj=P5R z#~s$YXw{4G_rfR3%T0YcB3QWGPOdPYiK*D9c1C2?S^gOLwkQ>=C0h_%TGV+K_nko0 zl9ITjveOC_~Sgc_)DX zvF4nAjh@5;XXtIxo$*2X-_YIk0b#xWo|)O=@MNLD_LeLzFl@T<)L>r!E{4H-?3IJ| zH1xt_y1-4pS!o88*l5YT!M;aW=MAn3n!8B%(U^fvcd$GCX+Fpq066^!8hl9yeWUKaW6fQff ze5;<7B()Pawdp-d$nIPhT?(HIX!0~}q>`uyp(NKZ zmW-tX%ce%w_N+U}j0ckxo$2Ck(MqiyQfrcwFyP8d>t6~^h+{m{hzj`Do@6PC8rjPI z|7)ddnL}fZnwla&eETGiz!D3%Lqqi!p4%D%WiKRl_r_ZEwju)BjGgG-_OoLW`tJ+) z!6`_G_sO+QaZji|DX<(dnO@%)J59=pmooMt{oP+?38ysEm35<)p1u;L#g#FBntFZ@ z4Ks#(hb5=0V|56YvL(0Xs^@$*wO)^eT3(*BJ95=<}&JY16`~&=il0c z2F*2}q3mpI&PqWjM1@Pt2j2s1mD5CNnit`tuH=FP90RK!Z(Mq!@#nbu^85(mu;KrZ z_uWxVrt7}r-~f(PQF;+k&{0H;lmH1LO+-LslqxMsfPe@nEhM0HX(|rA2?Iz6Arv8W zf=D1BEfhm15fW+$5Ze8i*=OI``|NV&oO{>0Yu&Y2i#J*P!S{a8`;_1B_dIXhs3Cz^ z1(}P8eK76vbbZH}XMCBqEKbU-o`9C7sX

        3. 4B5M)ucIocDhIrXArtX3x#xaL0 zV(j=9C+@?dt>^;FVH#?KJ-Uizf_l3QZ`Y5d>UehbPsaK}^P;`_{aYNMFR5{iU$<(o zjiV0*y461Oz1wSYq3kzwc>}DXkp2|7LSI$A8uC2qS`zKyWD=METy{~`}(Qz!Il zlj=P5Aekg7)ERv>x7_?hd~PoB&=oAV+$s@{C{-VTh*lq1IotU8q^{aes#n!J zO_Z^3#*nZiFiLT2K|KsItplqZEY@-o8e;h#z8@j)m`l|(e390PIJD%Jjt?ockN5d< zOJ&7)%j5f<-$>YPe?QjgoUdkNE6Z11t?WMD7JtAJy6_y9>$!T)ROuPXl0&C;1p`&a z_LsV|@TY$j+OHWO1nyz>D=t-LJ_u1X&ifxaYHK8o7pAduz}I$!uLvh{#qhoZbk&Ks z)wZq2FE*4qs~=A_2#m%&gsW`d$qZ0Wmu$0RLDKkPbX(RydiE8tHnVb#7urWlpVJ~& zmDq22XJOEJ&?7zOxziMFsLK%gzT&+zG>eqImw_^ry1zHzbVvaGqykf}v2HNL&%hyd zF~d>JjNZ)E4=@!a85|*E17{a%oQfLR^+jqhVQE~6cn1r6E8*YpLLnGYPPM*>VbwjU z6`V&7D}$l6Qs`ttseG@~A{zziJ%{+8rXqz12rB1Y@B?GFQaA_ONqWr1EM&SoiD)b5 za|5+y@X;av=Lze`UltNWqp>oRnnG=SOCf@q*%yU0Q_ZW2x~4Sqv34`cl8`#FRp$(} zP3UF*lYw*b)3x0WSt{0tu}*^3Y|2)_F&F#mQ)>mGL@Nf{;8dgi(ow((mE>BZZf^eO zy&v|LG`8bI63YmbJBLVtg$ZwbAqNmcZwX^gx)6> zTX~i%l577S=FunT>a z0x{>-FXN_rpI3g*u+E|=bDt8Q9IsO2OWc+n{PP!ziLXz4MsmZW&J7 zGXXMe)E%zN3`O1%org*h-B&O-Cl`e0*G2*4Z8wu>A9I=Ed8`?u;{0|hX zLhXlqn3K-9L>~@_7)h!g7xAc(x4rFs5|P!&UK~5tK>7MJW!AQz{S!ryEgtR>R*Ix7 z2?||=NY6>T7|tBzy0gwSv}12yt3z3aEr+lZD5@8STFW{>2q2Li_79Stnmta4LC@!2m;iddX{ z_U(0e|JD7nr%nbyREvfrs5r*HJWtN=2R<^4XT;md1t|{OiIcitE0o>14T%GiVt2<@ zC_4eJ8__Kl9fF_Bu*JYGUJr|8xd6vsuIOyC1*7k*pKa^qKQvUdZy8P;lF4i|mh{y$ zbXnWw*IBgQt)p_zcQ>#o>Zjqz53m$J*=A{;|Kk5ge`brVfezwXA+ZjW*Bzr)T&#r&n_J`_A96OaH==Y+;2dXN7 z%jE!%vZJ)nns;LmmehAqu~#qI)A$TENoy4u zsPL%j>HOX9X`Un`IGNBUCU_`tprTMR6d8)zHf6z@((vhRK@K~X63t122Q-M!xj{TM5&pU9!hJBY&gATL)cvqO6{OVsG(WghdwAJQr;UjWO(b_Rb3%MH$|4 zVQ=t`=g|53!kFORV-OWR>IgE$Jo~W0t!VBau=2DSj0jr4UDI;@&bRwwd1dYC*m%5U zz=?}`G%{>#c{ecM2W!DyIpl{-f8VZ+L&4kHdlAPb?j-yYm73NT?;CfZq|x)t2@E-KP(5+obScoe*9&!ApNGiIwyyk%aT)*TTtn z%DaGRS;`ZUGtWfu`HjCW2l7w3ix&1F`cwXjW3`5VP+}QNy#J7Cyd}YpV0V#d)@fW# z?L{K3=sg0Oxp(w|sBg*z5%3|z&a4x{xMjBQ9?PmA<>%l*1vBUHi{>@x_9OWdIadHRYe+1K~oVJ=Dh(J!i^uOF5ShcDhfjpb9_(-h<)8LS4;qiL6+F=f;tA4Vmt%eC@p zR1&Z1HV)kZq%Z%eDy@L6^(Ara;>jYY z8*BFg_uN|OY2d+-OFa8=Uur%rgiT76(4t{UlDEe>?ITX1ri?7$xW5L_2%w-_G?4`r zbZMnig_@Z{L%KmaeP>b0Ly$~4`a+=mp%>;GNqVQYq7u#mSgC3t_v)W4_*y`kRDl zydC%A>B`WRpq;*uJSjm6`kuXYkx-9^i%<{rC*TlKXCa2~;l8p0=xjq6CTi&7{^A@w zkgCYW=TIb#sDVc*jx-!u-tbCv9tzo>Q@y`Z^ArWAy4+7;TpXZc^Rrh|t-1yBzBgdp zv&Bk#eQjR_n7gK&Bd{G!Psj3miYr1%b+Np9O0 z8Ovr9mrSpa-NimQn!MG2MqyIs?mPzZ#Y|Jz%^QxK(ON9chhB7nqBK9VJOCd4Ihj<3 z8Inqx@Qy2cgJbv3Mc|~iD6p?`Mi=XebHtEtneo?hFNGUeJYkXhN@dsIU0;z+TtFN# z01MA1$$98>h(-0c=kae-xNAZ2v+J{d{6gs`Kx@2yHS06(cniq$zLuc#F$8(#PsHQrX zUoAeOUC7*cG-*nH0FHxA|md{~ig9vBV=g&yP@e%Bcn$?4k(=?#t(9x3HlvFlFDR3zs ztORJ5(~*pNkV5PtLSTh2QYwim+2j)!ypU*ecKr1 zXyFa+SymQD&>p!B9p4=_(C&UwyI{9%?+a+EjQnyAW14}SWF+Zy8C4t25H+EiyCfP= zzg<_^xQrJ(89McYoGP_LkilUpwDRi`A{huay=+;$T)A0!(!ObtB^N; zC4~R(%ONk;CyTS8E506haY1-!fy`LV0{*INtH@1c*k|otSY=)Z-K9T(duu0#&cmn^TQYBC)l{zG8&R;XXVLGOaR> zTdV#(fu^6oG{D9o=ZKCw%Qs1gl8EUzVjQat;yjf=eo0yQY!<%zNg@nV*w*^~R-tWe z4#^;QG)v(TxCUmF25WoVG7lk?rMMEAtd5=L`2D0BPUIh_DhF*5OYD_}DJIiP4h}aU z#|r(*ibWr5AUk|Tx$!J(oo{07ZsJPvJ@yD^l8GlDxtG5TmAQ<$5r6rt*w%3r#~;hu zpGIJxivlQPG*zW!nGhrqskeFsUgh(X4^-&NZdVXy6Y1rW+9e% zKML|rsamB?1Ia@YA=yXmojX@<80@~Ix_^I)3e*IcW0qAo)NW~60Oj4_m>eL(ms+Sg z9stjO16vRJ@>_ZgooiM@E|{rIlkO|1;lLSADJJ_U{_*+`hq9m&KJc=8!_vQDWu z(2$ZUo=Bn-jDqdq==&uYEd9`R(Z@re5J|hnI_fcbIRz_pY(&=?bwzEUvGy4!NgYIV zv|&r*{?K9|7)EvJuD!Bk9eG*jn@xcGA@J$PHt(jNXYRN^ndrmAZey);=-j=Q=6>EA z!TaaP`!BPufDH+Df<4(5A=xz2qL7|Dpz7+EzS$@(AUn# z0%p)ZCB?rCzyEmA)>_%NuP`jCw_g=<4S}-p@f3K-JZ#{fU)=oL4Ss;bd}CyHNWO>N z0_ktnX63w;ccEKGCQiPds5s-zfP9?L_<6-#)RUC5w&Z;NnkKzhdk+durAOY2RiY&O zVjoK3=l+#)050Li9@wUGGzJn2CMl}(Hr8IoC^XzE+$KIP*F_suB=TL6CsS{`7}x`n zGqRMftqA&J42@>kiRBE_HgwT)T@Vwo8btuSR^#1L#Ul$7rIe^cf2h5gqh)E|hdskZ z=n<(Oj~$87@eAj8ZHUDG(AXdCzt^ARqIIe-7lIq8=AV!$;LeJ{Ha)8ZH>5=Zo^F-DEU4l0dw%!Gef!P{N&gOyASo}z_KRpm z!5Q2m2l#rZU&Niq!6=o4%AN{k8dn@8Y3wUvh>}N}3f+F3l296(BBKp3883u3HM^QG z=FA9+B^3$g==xg@&Z&7lt{ujSw|j*y7PaFOd1|0)`hes1404`hb=##@rv-4z7kl071@O@R063kMGH4(FD6c5}%9lE&_SeFYZH&%WS{r z37c21F`q&_rMBW_VBlEotV_V(QsF=D`M>@QN^vhlUuaN2@J&Cx7=mH*hKLoX>MZ2{ zms+=a|{lx`b1(ebc&GiHeVB)0--l9MIu8 zrt$GEWl=kuW3^4sj~^zqBm!S@D7(|u9KE8%zuxZ!>3;?gn;_$(gx+Yy&N5S7D`~b- zL}r^sLfPca8wf8(?_gAnxCz`KI9StOM)Gt>#Yd?j0L8(MhRzfTwiqpn8?ebzH(=)0 zPr-^H$wXBM+-Jnubzd$#j)HQ`et&>OSIy%XkB+ZEOrhtjayI!bS$1MnO)|CQ2=Ocu zv!JCUcw15WrpEvLJcPFshYPN=N0RhhK7C03t=WNyPx1Y2i}RmfeE{P< zu0KWMgNKYa8UWIm953D|HcQS0cx4bKm})s@p4}l%-m_Bg6t*O@D(1rlvA_GPhL6c$ zc91}kc7+KF*o&=ndBe)-T_LdYC~#zDq%dniDn|Rr`-2Io_f)mI)yaNRBgwBAC=_(m z!iMC~ixVj8-t)%1$v{t%+mJyl`niiomJAE-jAAuD^0T|@Vf=^3dhR-Z^gmQ@)dA|6v ztR?0?;L?IU1fM*H5PU}h@i~g=0~x7w;!LUDEtYr7nKUfxFT^_g8jtk;jk3juAFIbK zgC2$(Nj}pUdO2OK+&m3`ih1briBrU#c-1`5XYs2r;4$&10}>|55(`nul73Q658QpD ziis?{(zMf5zL^!6i&0G)JI|M+o!LGR83#l?<2FqB&=D`W*f=6%SVE~!jze4Lhsi^? zj}Ka4`71Oc&ZZSh`&kie>#qQ$Jt@}z1KTSI{ALASXv(s&wz&EB8buZ8sh(xUM6bAp zl7q~J-I#pgg@LMSFv@jSm)<4@1y@xCSa#XQ?L>PdfQx5+`URJ)Se&kvcO;I-pus2y z+j`V(7?cyJX)@)G2hi)#7mIk-wa#`>0lri`{YCp&wjk8etvp{KL5K6d#(s5S$3qW8 zFdZmciG7@{2-O(mBou4eOw)&gR}nK1Pi#5NTfX0bVQBh9vOm9#xAX*#1u72EJdfdo zbc@!7Kj0X?cRrmniIWYG&t6r9UwY4#daq9p<0{eRji-9n%X093`t}t!{l?91H7!vg zo}mpcgVaS*U0V^T$UtWXY9*P7|KIqyl0J0C+`x_^DH&RlDX%(29t3Ou^;eFHL z9%Iu8(xLHsAaCDCMvT)Z$C}q5}Z$Wj%MWBHuEYMG$ zK*~^g1Y*^?Wh?>W#A_dh)kmQxMtrX2iE+65?88)bDzIbTQX^RLri+||e@K=3tMjmb z=kOoVGkv(Vo5r5j%9+-Vs}J1vPZkI7HT`_=N+kMS_fuYK}`4Thba!KHc zJ|!}4cV9=tJw^OkB~det6hsTPFJeH!;>wgU-jU8Pv7f!(LYQJ8&1O)~yFPL+ z2_cFz=rx?#s2{wQE)!-z!G6~qu|3YIt%6@NSIX5&yu;PJ+Y~!AqT*A^2kc*WIX6M& z;M>lY&jqwn6w02aCte_Ndhh7X%8IzN%yhqKMSn( zqx$zSvxMRb%!NT;rvL5*FkvRTrqHX3ESHq#6x8P|o8pJ|Gtkm+6EDx*XJJSiEaB)@ z17Iun&E!<{0sZdG8U)=0b)~WK(-`#r(AsCbJ}qeNV?cKd9t$Uc#g*u2ZH4M-oo(m_4w5C4(z^{NpK5Tr5&fiA@3*e^@Wjufr#sql1{wft4uT0B8f;AKq(QS(3tt-vC$M&(N&f6=6{8mt# zMx16xC& zMtqoq2EjPx;L~Q;z-JVyhowaFQ=JqbdgkBhxNQCiGK0X0DZ`PA7|?l15*%#?Q92y7 z5e8s}V}pv!|LzU{4?lbGi|NrF`LW4&6%)ag^l78UHx_Y8^RabO#0}Gr02Vx9p_(PD z24Q5XY$AnsqAYe-n+8pUT%(tRcIJ--Q&`xez!? zP!?hT;Upb6piif9Jkn5=+RjB8I8oUB3fL;;?6t(mP85)n6)Ysblf{YiXRDO+Iz*N* zWvcBp;*03}LT@-6Rz%jy8#ku8E>0WtfKg@3oC)CP^Nd4WfEIzUOnpKToeTR24@ zH`Mn=4oWLWv9Fli06&Fq9h+Km5ULg_c|wE#xaD?g@Z-^>ZgE+^!4Vt}C7+Mtr^Q5o zpKi4-+V5a`UG*?U_lO3FgoS6NLy)}<2q{w%cF@41RYa0b1aG4FK=o>t9JCK%eLYUR_m$QK-yEGv4GEF94%r?!B*mLFjD4F4 z_j$`Ol>9wLKn^jJ5wfQkC~km^cVQ^k7#wMEzb^nnn%j+aOoN9~zC&d9o~T+d17>ue z1m1UQvOlifcBo3%<-`7+!&-JEIfDY{=@@nfs5!khw`*~HT0 zAOwD=tkFtud4%cL|H}bha_Qio9pL3GX8rRee6}u6nA5*#{?A>_e@ztr`8=}lNjO=M z1T9s%&|68Qa4~e=SE2!&z_T@)UMmH-Td@*Hkb7ekgjGh2bZIO}UlN_SAEhH3n=Ify zqs}NaqEoiTZIdGaRtioPctbNrt>mFW7))w{uFZMYQR&u=a7{``0l8DxV9+$%HPB(b zL>!e{*wWnEI`MPZGhmJ)`d?N2HaVFWc(&oByMC|s6RpL#Z+8w36Us2Z-wQqMi$3*c zZhVsGJ_AtHz_hzMy3&D(X#|%YoX9H#P}PCs-$ukNj>H5IiIWhiT_dOe{QmyEWFFp5 zb#wg&RP_5}DFo0blS{K{v?&5Lk1tX{zFyH8%p#?MEu+Bok-_6^oCW+C#orw9E2Y&Q1gl1375yDhI~@dI9d3)V?8KP3P=oReS$Yy%4kh?ZMNkb1A`rf|>ZU4*X#+G0CgZQH&V9lVr zw$yl%+*rm<6LlqFbjDXA?`ajJq~y*{#B*#amkxTQ(i)K+-K)g5$JJvvVo*ZRHo1W` z=V|H}Eq#7UbZiv{lhI|Ac3OSylu{VFL#-%{C$$XBMd`D@vSM=a%Jse(COz>Sbq|fj>ci(3s4AY_+ z`e2cQ(BLb%pr1FLoQ(W_|I||Z3G4yKD^e49f27STB>E=0D@zp+%G4jwgA5rSbun`X-AlcEZbl z_nWLKk}S0Ia?y(fZ{Z}YaKfh~d2DU^UUAa{Qm=ei3sQXRW{p@fxNM}^f^jAGUlZ@l zW!REAX~FZk4ID!hM#Vu zh+ZRNofbm31ztZfnIQFYzjrJE_6sVIl_1YuGwPJ(LZ?+&F5Giv-tLQ{Q)*3Db^k>d zQK4HH%5szPe{}%=IJ7MrY{0Uv?$hO%#F4YPxPn(s)_@PGoF*On9%hZMH$RmaLf@U@ z`n5m$wJJfRw6CkysC*JK>ppy4;QU)tlkgZMi8#431Ld;1hnHWJBN_3GJeO(yexpHV zd%NW^oFhL68C7P!DF`;8AF%gqo%YpHhG6j?k(NH|KbTFPsCkH^(75A;84XxC0CJAO zU=4@&#trt4y((h?27jeylnW7NdPz0gW{?LajqevTQ!qUyDH)H7aj!V!emGk#JyBhQ zncR69^Dy$pe|8rhU>$N`jogfjj=sa7EyX*uO^0NV*N+H_{1Bz^^}byL6$#1#;u+~| z+}-xrJpP^GU@Vbx!r55ERoo1(0=-OYm@krKJ~g@ZS$5SFU@d{Ja+rFJx?tnL&%M|X z9QA=3hitm!*K=Ec1Iw%^M6@$Kp{IXE;3JN0;WAVnks&NWrv_oGubnVQ!@u&}>}{~L zz7f(_q`9wY_&%?yA?qW5zNN1{H7Z&A#L!LFH$-S|ca+P?e)OuWVJ?J)LCx&nzx4n3 z%o9F@-NYIwaT)sNt#miSlB1ivxlJR_6yBUY0Z%QF*Kvu6kBoU#A-;!-AbM~AMAv{% zMQmaZ;I^Yk;`x~fNvJf=O%l!w6fYW@3fhd~oY+-`k0}aW)4puxP#>Vq$%I!FirSfk zSH!VJ2rCuII6f$+_Yd)T#`RButtA*0l2AO+0kR`8ZiM2K1CM_j)|}PO7t#b4`Hs=a z239^bTJ>O|BHwI zAMbxl7dws?9leD&I4&L)pgvCH1yQ0?g#3onT#*QSo5w3gh|EshRc5-AQfRppqnFs^A3`wC10IvCPEO1T z>@~vaiKKyZWh|Ffs+uWE$|{KtmqDIYj^qS5DjlPlYG+358jeGciPal42YIt?A|GzL z3;qWY5I785SrtZ4_=?OsIo_c*y8Rd>2eQ>TQ95QIFhz=D38+i6xo?j?G1d-HXP(w0 zvdSwnTpga+wQU)vZt$IM8)-qJD(zj}&nwq8CNrZN z>iAt-X4Y_}Bp6}N=K866sYNA%A zD#?{gS7sPOSE0-P?ATsVvr>@`P3n8h^}V`C+@2cv6C;s5{UtPo2XKfdE4e~tmTzZ( z_km&1(@_D1h5tATDq^SJBLBYfZdLf*RUqM0IGGdBI_cbo#DsrfL5hhZsjnH8f~Gvl z0q$&av8||5^D(^;M^{cl`Wc%1t2sD_%shK*V@>iIS#qLzjBBR<@ldi({>S8`L}BLr z+7>EQwScf2!2$L0u85KU{Bb8rtz9X$Tgpn zM8pMlNXwVpPlXp1Q}!iTg&r`zn@O`Sv%0JbCoYk!9T}*&OigySDeL-#bE%Br0mm*{ zSC-J(Q*XHFRv8yxnK$FuKT)lycNLsU*?#R~SgOV^-!~pjLZ3yj8GnqmppQn}#kI-BGpz>+0SwTRGdrKKid|upZ}DFi7^vQ{VWoMbS?q)t8WOb}art ztZTo@ICPJACaX1Upz4la0F>A_`fN9cXte$W$!doi-cHAy`syZ zOEtDsZl={&P8&BAV-s0}VhIbTQ7=tC>BdKMpAK$4dXlfGb+fSwpW*T=49Uf^KnU>y zW_9IR6o8d2LSFUBD!7I}aA z302!D3*=_3wm@*TsGhWNu_RW^8LEuRL;|I^TvbFjU)+QH4AUsgim2q0l00W4DwLI< z%e+sE9*;91*sN4tvU!0T&lY=qhxgGR1c4a$4Js*{0M!-ZXu7Ly2~C8rLnnD8ffAWgMHv zO$lv|-`K=2Kt8TD!>N9Po)(Co4*)<$e$dxN`>0WM6uhwFW&q<5W|K=eYOVo_m* zq_dJ5oKTe|xy;t91HoV8f{d{N?}%;x)3kY|WILD`5VZB<&p}jiK%pvdJ<{hIpI8?5 zxS5vmNsEcD`64UZBU=Nz#Xwo zK?7CU186LHMTbjuASZ)um3sYIGe1y~9|+>B&GSvY)R74e>}8zS%M1t2bidK;4Bpr= zma#{x`!Y;cb}ZLSzP*xcPz#xRi<4YVp9Pc=;Ku(nR)#S@h=>^~aakQMQk{(}y_2j) z$LxqM`pWobL&UrMqb0g7UH2X{fBHde1q|~T-m6*6FIc-KRMmsg9_28Wn0u6Sn36ng zBeN534bmk#=FpXCRdu}cDp^ zws5nGue0x7t%SIwZKed4+=TW^Qs+6=Od3?KE8B5v44dwyQH1S0qe`eF$xh5XL-rd@ zqRn#ipz!_O&L_N*`U@WhX}EmmY|iyS`6WJs0up|xx!i-(X`?2&|MWC|GXbaZPW4By za}rbnexEe9mbLTE1-Gv~Bk>z}yQQ&zn+nD#nHr-}`zF)1wVcwQz|~&Skhbtl(@C56 zcuqHuYoVIQB8OYA^Q6QY)nIvX95fJZ%V8bF=TnK(6Hl#l`KCsCK~j?fkwe72obyTO z|Do=^pPJmazTvH+=vJvJNQ-n40TJm<1t}s#dI#wpqz4E@L?P6uNH3Az2}OE|NFa2i zgf2+vO$a5BK;XSRXYQGMo_U{{bM|k~pTHH?`hMD4OEpcv;l!0Lja;FU?5pF8cGlJgh&L=3C_unC=-lYVfWQg+6+jG8b%<3`2buqr7FE3NI5d% zUZ z&!-eu%stgySy#Mu_a)Uxsj=cbxiK|kT^DQHh<2XSL@zjZIC)py0lm&?emtH!QFTj3 zB0R9bq~lwY_1WS*VO(mtm<@N`W)|C4L92*#HSdjNUG3{M?U#C$T-s$E8&p)K9*F#% z-QHU;HIcV);V&;eNnEOC2sEk<;V1->z-23lToWCA)&HW@0u+Lj z6?x=w&-Wn)n~QYqbRI=tbD|3{W@8Ng(PloE*!ZoP)h0pg^ea&z>tHu^fFqJIj)(~y zI3#cw$$WjOBC)*rk-m7BA#C644D+i!AL^>skfhS<3e6o#|2tyo!Kn3T)?pKc(46*a zl^uYbgWC8WvQj4@I08R%<|k0RjUxm9_KE4?2BJV@DRLnP0mHe^oe1FW6HGkzFm%9;PQSs(_aaI?p5KtQ zkMa+R=*r*c;PULUKJbAIS(PL$_8gZLt)ViPl|d*%9rFi*d94n8eH}yB|2iC_%YeQD z3bToKGNC6t!Nv1?$Vb8_8rIx5Q``eqD2y%abQZX z`0+Q3&heEZzRGoQ+(7?*vK zberMXw`O29UAiLUZP}2g%?H2XT^{F$$~0D1ze^UJbdFXk1)#n>0b5M56&Rw4_3EJNtKNge5 z!~l%ne$P|-7kA`n_`u^|*E#zpelZe&%2bJRPlAHGq+RS6?!~ThBiG9=9Zs>}6OoR2ZY>v|gZ9o4Jq_Y~#cU#$ehq!S zEGIzKN_XDl3Jv}FLp49o=&yVP#9JExsu#dYlA!&V4+SQ6tv=R2aAC%z z)Qw|1H9%dy6Om=|{W)b)mvTBXDx*CzW+!RyBqqaLEzw^Z)-_;;63p+@jUjfKWJBHz zFIW!MFnzP{FNK!jKuG6%D!xTwbYWd0=AMfsijB^@>e#FA!410wMGPHy5$b^|G<0H! zAnMIM`^{-2|7WV@yP|=h`M*S3i1zoJUv00hVTT5SzWr?bZ#8v*E`I5!Ke`LjJsvpb zwn^c=@DGdMy+gRpmrkCg=d{4#(y~ zH}{z$g>m-`4wAbKw}#_lWfleb03x~8w)Zb%xO)R^? z^MGIyRCXv>{!A<_U3cioGn0io3=#z#!;|%{=Ob!-maI$al76jSypuV#F7mibAMA6k z^t4zr^Q7tBLybcYxvE(@-vv7WH#TnOzWqwto0N)(D5%Mxb#(jWvFYQFi+fC?m&u6K)4OxppEW zN1C{kx7NW+ZT?R7q%_j5(6Cti&1gi5+<{^6QXvyXUj#Q5U7|3>uRtYxYyfkGuZwZ_ zVd%l&$r|({{o@>%F)h2mu{TX5QM1Ke`VRj3M{kQk6q@9|-;=fzc(|#6GHq!6Pu-aR zQCqewfM-1qcUIxnL z`7!zSWif@NsQPf)HsSJ5UWE}KRGX<}m1;&A(ShG!*)*b4Ac>_eVU7gn;#+-u zT;%Ezpe))LiX2!af_+EywlrHRT+WV6cx7Ied~)Ea4EQ$EsTY5}r&HzjWj}U3>Q|cV z&}$zDkCgF*@`I4wRdrV^8=1F+8 zqPvlGj|71E&*2vw*>YWvSNC7C9|*XuRxw6AHp`X(-ZrK-IPgcHpw2__;wN_x9Lf~( zEEsZoSf)V1(jc*rgMxA*?+d*oBjx%>LB|-#> zry5lTWa<13m(X06zNmIXqAEXF+=zQBepl}*h!ACy2&Nq1tqS6ZIjIu~NN0Vp!emjF z6wXRzm7CK-zQTW?Qn|{?L+@L2CNglo#wcKtciES9T=E}D-bm^5Zv6@BT(g-0t5(t~ zgHm!(PASc$H;O!=w&8Ttb83h$H$@`l@V!t{Mf3_UgIVgmHerFoHx@*Zg;kUcrqTdv ztmG%9yO?y`WtULU7{zNTj;Y~F^af1lCmdqgX84<`rOL!A*qWhPw1c?2=Tosz*L>)Z zUVLn&m2#SGqPg_$#{#BeIk{Z1$JTteK$T11z#{!c29=9yqpFk?9D>;gmm8t{Wy4-( z_eKHR7D5hB$niF{@XoHji)3E15; zMg2Vg0TKuur2g|=Ql4Of#KDT3)NH(PH^2*>r%kvZ8&a?GI*E>unp`Q6$!tB(*{v0$ z{O4EGl;d}{($ysEMjN>@z+Xg-l(rNn5;fxB;Nm>vhQ&K3Vq%5rmIoR&ooi3WLn3h; z-P-KdUHWIc*N*H>^&D#%qp8jz)YC>dYo2Uk)Qyr9){66ji!%SZbvMskgs!GiP^J2f zVI01KJF4WcNCsS(r9x}yBPeA)wn{1#wc~%XXgc_2uA%eeK*{9RSSVUuuO>0R*snqc=U_LHhFuSX{_q86?k=ak)X=M;rhRA=^e;qG{)-Lxf+L_T2EC$v`=bFY=OOVh|8#HKUDh#pYduUlaBRZ9by_?L$@K1gybtYN8dZDLK`Fl*V)#KPB9O^+Ve4S z%>q2k1MY#*;Q5F8g)rC7Z90PA;1)VF=XB^R*JzvkQxVd$*YUq@Mee!KOIoWZFr zSG~D9>Hx>S12QROMqMJm7O98xQWniq*#5&fafg>+>s+ytTb_6$D_wTi;;fc=)h z<7j8;&2qb?F_GCEPdT2()W00o4@(|ax$e3y!139+JCjpf_!ecY=ycQoT8s->%3*3G zFC@jXk=5Zvh>i&Jl_wGY`g4k!33LTAtNYG1pVM62=-CTP^EA)r{*|Z&BBk6uA7i4n z=FlJ7?VtkZre>9SmBn2waA$4srCY~phql5O!6akp9xPZBx{fGofRY;M!K9_rof1Vq zBJG-1P4B5wx%FC}{Kq)~?59?G5$%7bbA~p=JT_$@Ops$#M`$#CXJT?5e+e_Ca=21{ zBc02K5ci8M(t*c(!v_bq>tO;w|5F+{9%Y#t-U&37en;eI7d22{LdQ+G$p%E-`-Ek?D zP;H+`YfjV?l&z)$ZZ_QLeE|#JrRT0@bi;Jfh6&;)XR;pIjOaUmguMDvA@)X*I$0272*!7vd+{e;V||9V z9-?CmT?1~d)8)u#CHeZ?!qHD^t?0Yw>j$Lj8xk@`&e3~ZKIg{iM(NKJ8d&7`M{d~{ zX`o&N4|~#Sz3NaDscOy=&N}(5DmL@Ko2iO zpRA*p`?*GkbdOc}fiFQa5==@V_f=^yA)gbk6%AN=RaJC@IdbHfTyTb&V{65DUxl%1 zp-0KAI%7ke6AvPkDiZu$WgMmB+e3Yf@I6zdH^J9h8R$-WmM;F_XKSQFE7$am*$I7sD)2XJm>3(r>cj09n~*s zdL9Mz2~sO}X$N=E4f5ai>_3NXU|t7MB(esGr-*!ZPia@B#R+ZXHu%vTY$ru5=jiRq;x-V$iJmS~22YVHdzP)C8$13Ee8R_}BuK-^#_L58NuoFz{CrfS zHSuGH?p$8rlvK^6-1olDgKU8IgUekpg(}8Pt>Nnlm3HhntcqsKui`Mvr`Pc}G`4g` zb4oecLD?*e!%EVlwwi#MNIv?*zbnQA(Sh*XabBCmK9TQfUha%ey&l3yzb^v1`4~(j zqxT=7m+zuW=l%&Q%UtQvR}VN1yNoiHhCN5OAa1C^d&P0i;&q6L-SI!;F5G_*Xg4eH z;0^$F(|Zn~rYu1yGivAj1c>EE+(6bq_j`D`nLX~E8uxkjgC8Bn&ubW#s_wdc2C@-5 z8Wokau6CLS*aDV`iRgj6mM}KKNe#Hb|9aa9(n>E`v6~A7XxH}pK?eZksav6%; zs(vSfp%-~#h#W3wiQ*3Dd}2tuduMD2#M;1hSfnVrjtX&#a+kgYPLtTmKjE^KAIvL5 zH;jTDPu^V-b)TtcR&g`Detsy=WqdX9f==c?th>KMYZrTXsNvE1#6J0! z%rI60U^ivOZGGpozOw_r^Meli21a!VZ!-zN*a(u;OZEA2CUNUxx=Nm_@UhkX0zQSc zB8j5+=E0*#i0kN6y{4}viXlGhpF@0H)9FJU@>*UR2B#Rie83i378F&LaBNK8`g^d* zae)oqU!g*E*=3U}v3nqtZfWhy1l1iG()ll?IjzMaPuaz?S$0PvWY)pgo6y^G+f65nPuz3(Tb?(ObuVzL_!`AWgO7Ou|MhuL z11&ka!myJ8)$&qR8uOrQBvYqMnNnjBiP~d2VEcDwBtYcnoBVeY2B_x^58#H_ezK@2IcEr$UNYc0o_9x zNcr|*am39@u|OVyLF<2HX{0KBDQkEr1|%=#4j=k;hWru`{dHBe9rRZA;&|a~gr>ss zLyN%F5|g8O?kDApK>X-AQ-Qk6$+{)+OFk4RP;1*9CK+FPdo|zJg{z3J0yg_dAKVv_ zAVAR{F(gf;5p&J(Yk4f2Zsn0QqWl+&IRB~%SkK~Sdw1?HR}0b7O76ai6n(@6n~|$X z=Oru+eXQ}ZVY>6n2&St~9177E@W7|(o1-t;T?6OW@=VsjY~M?n;LPvLaBV7z1KF*q zH``6bZF9oCe8wK>udLiI35$pOGltiGs6AbN=(X6zEbXj!vJy&-_eUSYJdfS#RND8~ zh5|x~Lq$pvt5Zcv`>XYj@BgS&dUXGTEwJ|0CQzv<`Lk`a_RJSack3AB0|8+FnFakp zE2%%jCW75B2Do!0SkI0!L}d;&`ES?08Ib>P+ifU`F7yf`Une(0@itiQz^qxp71Dgx z22W0|r6KXODs;;-KYBf66wt9`-H$UYgIwO5r*ByTKlvi`ub-(Y$lU=#!=WkYexsS& zhfsb8670_=6t0_&|^!*P{{xQJ*l9fO9=0^HLq>6^|Ed@j4iUC-Wl zIRyojn1N+GCaIqBR2ldtX5+`|Wd+w!+Yj7tzK*4rKi5;GswV>x;x)D^AT>&bCTf7* ziH98Ifk>E#qn5d?kMt{}bVZg5g$euHsW#nb23)hi@h)a=)wn3jGxAvdTKLAodk19M zUmKs{ep^3;)gc+#8lMP_z%%DGQqb|$Z!0@XNhvN)RHz%mxF^vZ86W@QaA<;A-d*Q> z;s?pE2)iV6PU3|3;6%WRIYTR8`Jz@w3cz{CVgEg>e*9{)-jjg#pSkHj7X*s|DOx3d zx&HyYYwEux(jh!IAxtI`@*Y=Hxhh<7)Znu4dQ)%YT=&lY|M6Io8<*Qb|9jIN1;`oY zXbFdo(FlQRhunG*ON><8-Ok=Pzm@HQpcyJ~I9#1<(BQs}a!G2wiP8b&nGan|e=LYK3M-=DQZ+7CvZB_91cZOcvJ<2__RGXIlbmu7tb)*X;`0 zN)I`zD1`L<2RVxILDcT}<7=6hRIr$b! z;DO}33l+xp&R#}kzL#6>0@yuJv_b%pBD4Dup_wa%)6~T&5&qK91a5%%0)e*#gz@8I z_kc@2>+>U5FBQc#UORyk%gpdg+~7JO%n#1qd#!@QS@>Q$7!P>1o^wh5=(oZH^kt9E zAGaQ&&<(({MCsYV>CKRX63dPhhm6~R==_|)LK!GX*x*2=<6LItcbzcn_q<8)j$0NF zF5Un7a{u>`tPF2jv-irtkb5Xm{cGASP%JA56pLg&^B<%T230u_hpMsBl5=MdRKUrf zY@6>VV`LR_c4Y>ow!Vs4Cz<<|?J}8FSo(Bff1aKh=X)K$vPe318vc|F?nNdbU`D@N zwm}5ooHCY1)|Dyxe)CSL&gOsV2mH84MI;Z(X#K0{ZTBU7dEH3<)e$3|KFce+ZOc z`p4U8yU8_@&;!bv`ZXP5((GzVKjNNLnv>>tUpn@eVt#I^DdO2mIW`XcZA0gp`sk0G z+|Pf0oWs{J`f^TBun6_+K47)8P?cN~-4$!^84mfXYQHqB)KD~Lapy$F<92l1XYq-(@>D&OLHk@1K_u*03=kwX*4r?_jd*;?|7)uphkfKf3@f zev%rOPk~%u+Poc2T;tdX_FOUw{Pn$34XrR#9fVjNDl_zrXCE~2P~(~fHlElFk2(ch zogF=TJ(F9%OXegjQ|I7ub+eieXS+qU`QY|{Y!cDH}KD$MgL=zW7Lo5+cr-Z(o zm>nFU(X;H5Gg3U6u+t96%1{6Ji3!nD-!u7c;@MHkfly@1Po?0)FG>ppEV6W1OX_rW zg0La0M@F8WBuOn+Y#WjpG_J)pZIg8uaV6EJA+53KkS-7W>@f(ATB7x~oO3U^g|yjE zt|TlVEfT24oIEE&k1=m4zW{LmAk^0vB_}7x5MYK~uWamQ-5owX0!6fn6?(`PdoKNXQV$-(j zSu+o?!|=-X9v2;f&K<)ly_>@m`vM^xaQg>vRP~mIQ00-U$6gpcsPkEp8GZXKq`K$l zLE3bOpQ(rFv~T(j>G3NIZ@V7dfjjuEkF{CSoy&B+LL7W1Q!*V&a8&s6N>{pJVpK zR0z8)R*mV_EMg;GMcAsgI@5D!8~&3iG-Zf zsiwe(VvUPN_tBTn1Oam3Ih+eQ%m);uY6-4QFTs!T=sG}U>R_tOm_R1{s$QI!P%XisUP!% zZ(#^b^&tAjHtYe{+=ela!5RK}C2pA&h7ab<_*-W}@s#qi`Dj=Ww`Hm!Qlkv@T)JsJ zf^z-xfln;yN%Ia~5LoeHO-i$kTn`=tE?S z+2d8&t(j<%qd{;>|!DRW`zv%qPV&!J$ zNCg{EUq?#UBF7%cGku0x+W25 zaS?c$Id0qVzlagon!-+WkKoI+Z5D`%vp3skj~|4uFe}=byfxED{mFO7zEwOW@K%zR zO&7}`E%5w{X?u`K_=05B3p zl^H^OUw>337^ZlnTL0Mgxy9qR_mAJ_;S1Yo3NslDZrej4Qr&KfE%>SR7VgQpqEO#%_%=%@pnj7WmC)>f+ zU!QChUm$P><^plj_;0D(BcC;dTjXY;8)d*@>;voLtyEa?IBUT4Y@Q;;SbzCfSSzc> zHH+q9BxJW}!U~(gx<$=Fhh+~MEvTtNUA)|dctuhlRwg?~*1|61KCr9autT2QTs?CWe>%89VBg*(}u znHgkfo@dY5g)?Q9Da0uh12cw~DR4V*F}EUNQIrl(7tH0j9aRuc?p2iwjN~VzgWBRi ztQPV;)60lr{}N z94fI<`ihhh1u4nOd(>?(L3>Q-GXyr7yEAyS z9QgU>>uSj;5a&FQ;B*wPC{oQi)XH92PKVTir_d_EpWVu=t81)zm4;NmY{>|<7>kBO zj)Pss!6&@B|1JgjTi!16{I+%A-i%2XDcR%GujFc7Y~_DoTzy+%3YDA-=(B!~$=q7#THe?t~*I9Bhw4V;CK zy%ONr>rb4OmzaIsGG)A+_^*;_kvrO1@a!H$#o^*HzCKsg&8l_LWi~5JTpab+x=`=q z^2)h5>GOUb{cwC?t8VR@Yk*yG`qDD4aQMrIuWjg!P7*jBLzWPDPc9)Iy z(T=2bT3MZIqUwX_{j+Et1XI=uPKyjE`pAYD)S#}Wb0LScjAS*mD(PVOXJFRO44qq| z$yDw>+4oAK54#R^+GHkGq6OR7=-p$RcGQ$fHLbEA5SkQ&oWl%rX;lsvbzCh3MpRXW z-)jAdt(WitOQQ_UUCEfc-URNb98e8&z(uobFRHNp(shx2B_6^HSOg;IcLP6h4mP)* zy5vOnAzzY#z_R;%T=@Ek%}Yx-MBe&mLQ=QG?y@+Fdk!I>JN>MH&UThb#<%>ywCpN0hz{3uDlCWYY}i92BBoo7PAua4PHt<738u2j^E*nOUmN_ z1x@&tvF-foaNdET;6?{Tu>1YiF6xDS(hCXS^{%rWZm^h@z$?_#>K;?47z+zvV%_FGXa}80Y{4n z=Ef%+m}Ku=__jI(1UmB)W3)14`X9bG^15Ro+%l?D9fM>&=N*=eW8s>eS)HCCDaOJj z>wo#N6bW@hcN5@J=R8UqiiXA+4>eFQMprEj5eEIaTYWGs$0>FXB;VXr#S0*}u+x6k%r zxRC@%kB$IPKq@i)hxP%Zt{S=2|6H<+nZnJ+hA!(nXktYvG0k-jD$NuPvtg}P^ucX1_Y!b z*K8f_QHVkVZLzBEy!YYvYOwpRuXK}gb5{E-Jbu9SBz4+qTF7RFJq~!KEH24iO-D$@6Jc?kPyRi3A7!FbLju|+Y z1P5z{Uv@VsC{n2kqvBTds7U%V;SlT53VSgYhEl$N0p!wQm4n{xO~u?P)_}P#a!0wD z1)C{RB6(HK1aP{rT|mIoJ9AzRch@?-()W>%~Ps+ z;=`V35v7WyeOJCHlmX5co4gnDwZo_zq-CU@xy{a7d7B(@gSZfL8I_1N#+)pr@zsgow$&NWP$Qp@@3T!m6{`dvJvqJe z;GxVS?LGF!!jPm{fMrP)ad|c4cv2% zq7Z*JjYY5EMC$NNCE|esTYDmwfy7OE+S6lDbxgow8w{sI3SBR@v|v1(Jw%*nq+$0^ zFZlEn23qYOZV$>(MvWY^F1irzigDv9^KptDhX|S4D05*CndXJVGgRVXf@UpTau!-* zV(HtlL|89Db<~Xiq-&ppj`54Wj6bar(0jMOrK)Sl*Q4tBsr)=@ArSYT7)iIXVP5Q}7w|L81}# zmBsY|?pfCNme(?2gao6Yew_8OTWw(s)9K<0VMx^me~{I_=j|W3zcErkF5yg9h_r9oemOaA@qTUGbOMri-s z`aIC!K39-&M1gEZ7KB+UM6?hLS}jI)lfJ&U**l3wX-b%&yJ?#+mc(cm08q{$P;M>8 zrA-DS=-=N5Mg0EwK~T?xo4XOyD68UJo+i(cI}VW5A^u{t@J6DglG$PF0@1YNQy8^C zo$#QXT@ zCp+wlg<;5=1@wnCZWcftW2C8mY0vsim!JPZ?{t)%)&{CV~?xhB( zhYK#j5Wdg~d%cz_*!Uo{Z=z-cyFK){w()nqB~~zC;SNT9cE#NF8&~DAu&f?WZx!jY zfbPPw<(b5sDwJnVwPxMUqIJd9CjQkMG^@Of(oI_Ukn73=?d4J%nR zK4YyF30c5`y9U#WNCCqQlf6MIG0Yz=<5Aczp%;KP_wQ3(&wUp{G%VM)817PzT12E>Cw7>{>|fkZO1db1sH_UP^7=9h%hXDqT1HrJWM6GCYIGQ&}E|6MgM0~kcZDV+A~MB<2*@ea{uI#yj^IV=qBZ(=NvZ} zqqxhm9FZAP*+}mZC~MKGa-_jEYY`MIs3kR@yPg(IQIrsBON2@J{ai3502-V)Yb(yc zGFI`7G|)q>{(Fs|!=1r@o)&gP5sfeAtMww_ge0Pol>Ol;TBBXh>S?W}-ya9Rzzp-j zeRGqrIVlom;hyYSSFlw>f+9Wlg|mA37xhWCK)<38g< zsmUv9Jhz=DyUnq^tQppS#kPhu#8`uT4tKuiWWpAlR%3$RdYq8+?@u`v2N^W2;qZy z1KrtkE(>oIr}Q{2NpmLPu;sbO!@UbDA0s&E1clKr`pe0Js0uUa2Uz8I7i|%`i(sks z5B9J-Wr%~R|DY!yop8QhCMgbJf3&iwvNcA4jc@>Tv+HqVJUfB2x7m#ozrIn3 zJ*G!v^gDl=MdY#cT5`L~wtDdAAi2fD_zPY?^AzPuqE_Uf7Ekjr78xtJ zEL>_YmzM1O@lXTg`Q#=>QWdix-;A_OK(PEC<%GxwobB)3FXP0oZDc8hC|FXeqf;rV z0)u~$b>=HgCiW45~kQr>@dnInRePtL~GiD~HC3}E@qF^t}u%rOvfdoVI_@uE?=BD3Ox@M3e zM6s$qs_yrc=whd3$Fk+m{KnU-y{x6k?MX}XUZsG=A?({j620)oB(z#nuti9*Pq4hN zZ{WjR^x=!S3bxp57?sQ$^Z#0R{yKrKOQcH7W;|7@Ud@E@>PpoA|B&f;NO){b;3ry7 z2QQkFQr~|~nUaic3WVR5Lpq#0!I@-1KqITjspiKC9p^UuA48^McmB3zkEz!&D&e5! ziIWTErhEQ)*qre|*L?SD5?O{PfkM^jRg~9yaBK*(k0kcTWUv7@{TSGN>7nb`QZwlK zU@HzOH#WNc*(UPr5*NqZqW@2~I>-YLZx=}+ka}7{*(xO9f`L-V&qKgg=;^%{rNGW= zUAB}IW49O4CUU=X!6vAK8l)M?WC;-tJX~c7X4;Go(9Kajy{LlakheC$3KNK{m4qV= z6c)7IqWBxOSQG^xzigGAq{BcMGjS=aCr+JEE8HH77OHi$`Q{2;yj3?x*#A4svy>wAC78EZVRr4z$$h@=!9l-Q#G5;K)BnZxX4O|&yR6R@`Sq>^nN6@Z%8uo zGaq-oIoXKcs+*Q*^xwAlNXiUcU+b9_giY8Xyvg+@Azg}l&7dXA#Ab7f*I!OC=*Ibo zOl&5E@ASiX=!Ww`A|2sQizZT{g{*PKdGl+#1kSSZ^@Te;a=AR6l@^p}L2RPBnyKyl z`(n^ODK8q-OybP2ytW@bI&%jzK_tVqiMHh&RN&P(DxPVRf_*oo;e#zu1W`U`TQA-x>Ts>(h(Pc`kEf0ATaN3a+ z25N55ew`w>0z9=vWuxmhzmigZ`pt44ZHTufod|f47ny8r2hI0He$`Io4paV<;oW33 z-H#mGw5FLirbR^A#pLzJa*ag5WH}ve_Y|BiS~2?!W=Z8(S=q8*(zKB4UQ3Q295{?4 zuLP;&IBzQ!|6(aYnS4Cgi*1YYxpX@&nm5tH>-Ei3EsL*SQ_@U^n9`sAQ=ID{+T-sU zD9j|28AHn+p_D1p+smi>@PUI0#s)Pvc$Gusm>1HMZ&lKM&3uBqGC3ATLi4mW5N$)l^I4K^o>Z^eoab1M{&Poh1Y6wXB*zN=?b zTI?K?OHIUn*=_i8RlX3`h7d*+WCn1Ex7Om8+uXu0BaW7|(aoxzy3G@ZL;M*TNoma> zv(8Gauq6r)LF_h1hp;r)rY(<@5RZxO3Bi5~8<7xNxqU~okPcL~caoOp$;XIM1#B@M zIYJAxX$tA=6Fji@Opl*TxL9B)sT(pySbhh`9-sA=S2*jp^57|y%pe=|Hd`{vQx6Ka zYpw8U1(AIeo(Cw$PY9Nu*v&vjga}00ZM|)ey@^GImSa8Xx@!%sQA;XKN;I-uzneEu zIF{23lFF?}F!AZF!Rh-R=&j}THJ{Q!>BG16g*2ghLD4P{N!q@T%o{j0C~rXE$( zaLIbNlqWv~i%xO7MB>jy!Q=^9E+TLGQ;kU`jJ@9qQlqrZ*Y9BN>}nXYk=8B87UScX z{ziH&fpvM;5ok84-qT$xRV;Rf7yIqx+@b-!vzI*B&LY_Rwv4NhYjZcBs2q&>&Aagr zwsLSt^SiCxjWUgha3jyP4(qjN$G|2WBBCugu=CSZ5uh{5bihS*@$XkMqeVfnYP*wf zjO0Ls2?f{}=PuB)%;9gQoV`mG^V}-frSYH4;N~Nf5PtQEy;^y7bxc?@aYb=X-@Ly^ z@me+aLMH-|fUZ}0mdNE%Rx<|Ylr%G>D7B@k*8Xlf3%z+I&R3q^W9vYoR6dRo5s>lskvU4{Uk;S=yfIM z_u5;jK?#^{0UYi6$v2DVz!$oPwH(_aaRmTTyD*o=kI@72d1T(J!R~Yf8Qy?{KHa#u z&}f=3w!9~A`~l<{IsS>Kht~Y$;X^^75wrvn`&?2GC8rE(0nqYH=-7Kg$ms*AyWLeQ z$bh$I-cW9i_w~OsT;??9BVZgs(VI0JlGY_c66HP$eKhpjhp=Wr_kQfc7$axVg@&E& zLx~W#-wo4oIFTH?;C;q8nXiq{=-KC!QgsJUt?;sPW4$FEw3Oeou{5wp|3Ug=S&*vd zP!%F#9o;X{bNGbS8c3boeDe3(TMtWAO`g)oEX;uP!IP6AX+qXX9T* zLAHf^_HrBthNR3TbJG9E*?UGc*=}p2Dk#{fN|6o%Dov1Hf(VMVptK-WM5LF{2>}!o zLJdf-5h)Rn07|b)?=AFBLhlJRA;8JI&feqOW1MluUf=qYfBEs;$usXcuX&ZZJeT)S z1w^xVZ`UfN3>myU>Z<5bn&_?D4WLuc^!?!VsqMK2liCLva%~i8>Kz78-W^}TM%T6C z2o@|=5`jj|B{)lwN2FM(laf5+pJhjqUv`XKn#adE?O zG!+*l7sF~6FgoB^Tsh%B?Yq7VdbjJkd)GF@+r2O5%A4Kbn_?&@b*{q(*}acvLNn*! z3uWsI3L2Cs1?Eb&V@cz$2zq*W8+pya&Ya=z?e&*7_bF!$$;6`jSJwwqqcY{jljaj5 z4Oh^`lxJjdk=93FwVfJU#Ot>5!!Wme(;Oqsyiu7#3 zh{S(|M#3ewoUM|nJPtOmP9&A1+F9O{A^|fYQg;im z@hBgFC#$Mk3*jG@e~$t5iZLntC-iN0vv!$%aQQW-e5vc>Dq4egzqOPl^|z0L7D|(V z!okIJ7Qsm7kH!u~O_z8;N<&vmiAChi!;>d;7#8B^=Ki#_TSTpLffq`+f~>72G@O;q zHa~{cdqVf&n)sBpUwf84SHk#8!pHkU5 zrgh=`RHAp-P>q_xX>cURM3FimztZ0eJq3G>&9Oa3iF03k+Kdl+EpCPR>>ISynKBjl zX>A5+IftGEWCd3x#$o{yxGcv0s09IxwubXk*yPefAt=v)Gv2I14HK+_lYu=62Dh$X1?D(U5tE zVg}+(8u-b3mL?6uaD~OClf$SWvzkXo!wAW9YmnT2%cg2rdwaU{dB~UTU7rj7k|+za zod`u)LA81!@p#4hJ=HSyy;jXp?dE=Hd6f{l($tl;sCew8<%rx5AIB%l#=cyNJa>@A$ignwgrf~HH^4SCZ(#NU zbEKb2EB19MY1H5$=}*P{-;O1jAM4Cv${oxtLBMK-~GnQraceY#Cj##j70l6#eNLG<#-Wi2-=dVIfD(&%W`lrb0__5k;<=&65oO5cwo=sw@gJ^R$cCbwFm`D%-=C;`)8R z(=IjW&Gn?0#3(NI*2kf2&CYW?98mv4cHbXQ8#|9CVp8~Meom6RRJ6Zgy^p)^P8~m< z%$zcU=Pw6{i3%ILOy(8I%<$Yje=@Jt95{GB-+k;omS!Wzc|qLE(KUd_D3Qnd53FL^ z8{xiY-!BpNmO+*!FB7o)QYt~jN#-=O$0{>r8lL_Nu6LIz$P_8VqK>O2zcBc|uXqzx za+lDxS#Vs*8H7(gS>$hm1sqT1)pB3y4T9k0M!&EKW(BGM7Pq%g+W1#NYQKU2d#^~s zT#S*>Cx~G~v8sz5c;b3D)UwzySya3Z$D0e*;$70E)Z^CeCJKK+W;UcG+wNtpUUba) z{h3rrFopg~&wBdo<5O;)tFib$*O+o&-i-^R9)9M3N2QRP-*a7uE_TlUnc=I4dI`ML z5#R3gFw*H!XWq{}K0dQOHv8b}-SR=Ej&6>CPtQy(>Cf;#UfJ2rQfRS7>@&KQ$iJTm zCwQt7R2)nNU1l)?LT&|2F6XsYtsHLx=2De40ybThijL4`YKnczC|4SK*Q$$21(k#l zazTcrvt`JS8=n*CaYqx5i0bU!@Z2Jso)d(nuSV@cb0qfTR~JGok1q=^2JF6Ud4BMI zgRHn<{n}xs+#^*!v*a_`=7kV%V!uD>8c?_6vE~lnr>rXbUR*7qBck9dTo>wWAPMu0 zHGNw%NVl>Fqmz9h>6Ax<;eImLzB~5@|5=uOsw*FVI z-zJPPnHr)HN-Jx8=tkvlvfdP);zRC)#Kg+kJO=TW{7ygFjpY8;4Z+g!=Cwt<- zag!zL#K^jLv@wGlRtj%YIz?U!f*M>&my;#*?xTB38k3r=zGIO^s$xwm`3J4~1LfE0 zcgs&+^nE+|pi@D5+_)}5w$g!aupygxh}e87HN^nc{8~=etYbMlV#AkJtTP z2jxC8Qr^|UF}F5^CMMB|BirehLa-0qb1T&9&wE7D`{kD>GKz>Dd(%7J9a$hmv*33# z4^;m0ohB^s+`b(_f-0;;I-;`Rnir&dMbes=3<6QC0MbH0QF3BeRxBVn!qwZ{?MP#P zqWFL4jsJf&%1j)TC%r4{%F4;IH7*}AC_5^CnL3xfNn;&HTlk&96z6cKrhUJ&S-~tV zx&uv;2)d5TbTerNS&w9NpEBMchgxn8o}pLAjYa&!J-xg9kgGy(dtOo7)b0A)3EZ>@ z=#nF7j)JiQxn%X2NMF_yh0K6%u!^+FFNWbe^t=6ayE;De`%kxA(dF3VCR3cN!=HzK z89VJ24W}1xtDp>T){CZNWP2~Wvw|A>b!82LTll$y*AuDJKfNz`IsVWu8WrVH|AeQ(&Xvk6rMo2?cS|%wBtW#O&SPOzq}jtu6cLEa>F>Qt2|4hTsZ@^ ze;H(P%lzTegL9A#vdETIyhCU@h*QL3TUZUHk`8XIE9_g5e_1#Br`Tq)cvKg~MR;0N z1;DfSZe&*Ix15K}kQHk1NV2jVU0Z@TW~eA>1KpEfpIx|QAX?028mY$S@Y*eaE|N;| z)3*#^J$WWg)j`LcsY@PsJ8ND9PHn?r*K#U6N8mg&XZ?D!nb$kx0$pLpAqeH;MiW}8 zA-*UaznC?2q@xu7=ZR5(1NV{vM{%kJ1X>O(POP00EF+Ivg9TX;x2P)*o$HOO z!pcV@wHnjBv4`jsaqD1DX8+d|;l3%3!BHSK*D5zfd8wT-!3~|BeK-XvT+oVXeDWd?AmE%fx49=}DmDBH& z#p&W=f%R$S9nNwD#W zKw1UN56|)0rv8fOtrWrNi^=O*pGX?2!H54oOTYn#u7*wAC zB#Hm(2n@3^By<>(Yv=wc(_{-A5Ql0a9F2&>8pkccfi`ly-BMvN^}$U(b>wE)d|Z>g zfd<*~ep`(uCf!!p{!!CbEoMSZkq0yPzpjM-e1~5G)w%zmt|D;D%oBSKro*^&=#XO< z?I1RCvhYoeT2&L^Lhl|!7&AMgU@dsq*t$9U4irVLqJw}Z1!e@duYd60uGF6~If!;* zSl`OErqvR<&1z7K^qD{92DU0ZWIW*B;5k-4d3i7J)Vx3|gQjvzLQ7^Z4BCE(h-~w! zZooPi0Doa`n9qi`Y6OODHGx7>+66Ay#>288M_0k7CMBLjHAv}|uQZYI#JOqo)yG^gXbl7xN%v54;n98Re9ozW->xVRGEokJrSFIPpz?>1H$&aU>#w^|>bZ22IR7OqGM za7dhUD2y4=oY|p*$kv=PsQw0dmjq1Bo4}oMMom*g zLg2+od@8If%U9Ge5{5d%8a4a|%H>Zf4w$Lc{{y9;9sI1FFL6LJTN3?=JI9qh8!L1; zH!}0Thw*bgEymBXd&)6L&K$Z(uup9a5ZcIx`7&bs&e|$AXaeL`x1J1p&(G&Gw7l(2 zkr^g)TGPCeEg`R`NT%sVFkiFC({#(T@1L3ku$UE9mp>sdeMj#m=jzBz$_DtPZ=)l{ z8WU&~7sA$IEi{Rab;r(aiS`bBxYH(&i5D-@@7;FS;&`~khcf)}ixWk!!+u{D*vs>` zvpq;)!dA^%TlCPYHC5i_&beD+XSOc{+MThcsU%H_VW>%cl8=mI%m!GGitX#g%aI<8 z+M?u_Q)a$OP&F2IowHbj0`Lyz&1!zQ=byD^e|}MZ)7eai|8Y63T{um^O24omnw)Wb zIW$IAI{b0FW!a@RGwz2}4W!bvyU(M;2cjkcmxY zTuPQzl%4ZD*qY!e2DqgjY*)Mgw#+aYlY;sEZPn^&Jv*4K^XiLQyW`3|7wBV_CgJFE zPdVTNasTFpw$H^;oFv#gOtMa3N4BIO`sb4?d-5lK6ge{DmV|E5u-Eu(if+D1AYqw_ zx_@37Z#?7GXc_Z~g>cNAb^Do4i%bo(In-W$H#qW_F4;BhxbYONqFl(wWaYG_JWTfa zXp>=rtV~FapOnaodM7H*3CCCkEGL5YPbREG^8$|Mp1^y!NP?X~p`BM(Gvh1Icho_! ze)xMN`~H5-?)iK^1ug2-o6qee~ z+2YFH`4@HzrI#4bvYXlZ^J7W@%Rg^2bU=fq$ffRifB}?(k}%0C*qUBatDJW7VPLT% z2(A)%@=G^`5fIo5e{bqBDyPWecO%zUL4s-5fGW~{!?4Mrv1=04@LfO8!=5ceW zx7MxUHyP$X65GeefK*$*{cWy8^!vIX8KvVXGv_`2!zH`^kB=G+-tNUmM7~ScYSrgf z@4DD-YeEK{xz2JK5%bXzAynjz(x{`JJ|VG#TnrcgonjbyX{ici$(A@~?3{RzCnkA+ z&uxQAuvaHty5X;m%2ra#161|V3X}r0I$D*bR91huPt>p=9V4~v6aNCeeb@QFPYWu-5Ap_ z&{+P!gx9NAZFC_OO_eSX$xaBRt?wT`UuWJdEpIYA8s=5cC#z#~vswE& zcPbB^)dCxMjWvKnJfEjYQ|>(<+}DEl@0Uk6A=l4soZd7Y0&N(U#&a^;OvgN&9a zzI?y4ZXrudVuDx-GzjD5f{eC=mAUJw@(x;AFsQ~O-jxF| zdma5LX#73K?dQ0Y2Q=nyxGYyjl4G0H%Rk|`X7@HONK56V|Eg50nLcRo4z5I(>P2Eb znud@~EsL*GTv=koIbd$EE=>w5H?GJMts> ztiM{u8e#|PUK_F=CX<1TUMu12s4#s!Hxdb?m)`Da2wksp^`MKV_o|!K z30=6&`I+>&2y5_ayLC08N?MB@5m_!szYDYK$h9Qlcg(8Fu;AZTJm-T$Q<>Ol0J5X3 z_bgc0r2B_BS*IVhsM9Z~(~5;Fz(SxmSBOIW>0uvFo!N zk_x{tF2ulns9EzEPd%@))+nx{-tb+*G4ZX^Po zUK<^MAx*|9`_812vlIrn7?%i>&p|7$Ujv-C#qvUqr+nrXEWn0J zKAQ0giwLr&Kt*!~p3dT&OKg7;qPV$HuXLX}J!-V`u&~LxZNcv8>3pkHC$G)y>cP#y@S8k-k|ihP;j@akY4;EAp#8x7 z*8l?nY@wJHwk;Bm)YhQl2z&;JcJ8|{k>WVShK?6keo(5K!4+{AoQopuMCHmw$it^- z*X2j`V+jK}IdCPOS?|+Kf)5@cb|%GT*81*wE4Ebu*eGOEBAdGwC;O8cKet^qGqZ3U zRrJ0_FG-(At}|@@5DiooGWVFhZ67FziMyzxRZKWi-cz>^=U(B2E}Rn{&64?}-{)rn zY~M7_cKla&R(F+tx55tnUB%_o#5E*LoRs}5yMt_kxx*05RnH6Y#CK3xTD;8dQ0FB# zNLuQ*tlbN2wFBH2d(6HQ^P0vA%}m6^Px!j?EGiB#NI9kGjFDFjEGuRB0zjh)pLjPq zMY)zK@+@+01WYNC*g+ILv*poyTQ8+QF>Sp-`}lRjxEWMDT`ICXo9v zRxb4@^6p`DeJv;K>Kmb#o|iQ`VluB(pO7UlKV_FhV_wpXD6~EFp-A3Hs+_VrD>taO z8_1MW(m?>k8SCYHZxbzAJvW9$ytbx9bP(q8b7yYuwWsG{=sHH*+&5O~Er}IzP1f66 z>=Z`tHukUWMm_1*Hg#>#34FafTX%d#wcz5`U0F{g$FRKRg^9rYthcF|`kR6K9Tp6@ zl#;_ySA&?K*;Ok4JZt#*TJ(Kngvx!k)0Onf6+mp)6Wr4l$_v2;=vEl|GMqF)-Km?)tWGp~`4^x{I z)4kbig?5>LCukoY-N(%OqW3&8UC3oA;hOgd&+*Kvyvr0D=dYf2g@-1S9d0Ydn8(>J zNFOAH4Ms%9I_!oo z5m(RlNRSE2FehV9iL1|3o7j`p6oD;RTFrO-B%J4zu9!AiWM;C#rXGS|?r_&qOTxYf z0M~@RC`*R6$rOBe4%HXLELxst|2Vm*2RzDjUm?g<5+SqsF!yMB9A}L33E6%-DGBZx z8$h_}_#j~CFib3-k9JZlz^ZTbcVhu*l0{j&m62iRfA<3vo}%6(P=ONMJ6lXF&Gpc1Dre>ne)0>VkXNrKS}{q(P9?A)V#LUPtW!npVMXUiNOu zqAf(Epk*~dJ<|=6#!6NGv{4b;nv<6JVkYE^my`(NH|nh75Wh;CpLyHh*=Lx%I&X6j zMmm9c?gljJs9vMhZ1P__?`~+(Q=m@^u>QtLnveK=Ja)2`gQRKy^}wOv*<20qF7-n)Sj~a+^|FqO*mK-KkfA##lX?{=^p)z$c{4Z0{J-$PpCfNXP<^v| z>1^*Y3w&@u(%UhA`Vjpurz%+l&(aT5I>E*(Yy>9K{Ud@Ea0BY_rnl?THSxb+aH-tSL{FaSnj zqbp(6BK(-XG%1DcfCYNL3!xHO*)zL~2D}N+NB3Xz+di}LLFyB#`f7?!(7G_|uCUg$ zlN{==6J!~2@I&XuE*Z3oY7?Sk|MWEjZqM{o3o(G4#^om{S5|W#g(EkBG1xVyn875s z+#_>vuKdIfnX*lw6)I(wB1V(KCOX&R$hfuaUAJTNO05j&xX3v-VZ6z*FQ^qC&3|6H zm~Ir1Y@x@$58ljpKb}!!U($dZJ2>sQNU`)dP!}#yCS4ARR)!E%(_AIMN)qpQEv`Dy z{_nO;(0uv@ro40)!gI)d8ugEVco)0hpvuhbJGl$oOBlEAJtz`@0^QG+SEaZyxSBN% zpIJ5pRxzoh&al%RH#vy{%d?L6Cb{p?3*Lu0+g{Dyt(5Jfap!Kf_c+<9#Yz{fc4V|7 zp&4@>4+H0;O_RJ~(@BNPWMdYsrf^lGbHZ-&6OHHr=OoL($@0^|?cj_Gy$XK;y05eh z69?S8+;psR6|TwEkSax-Yu19%gMa8SA&QjZUnw4OQ}HhB&(F_EW`cK~`{}Sd@O;Yf z+SaLB8TjtIMGw$gni?*?@ZaxV4Z^SP|FE1reGA#|^TFG~L6%S;pbvPIPh?Y{Nmc%h zeNv@LOH!eb*~W(XZ%;k2iW}J8@!va6p{lB~c_n$xtHpHMH9%Im zBUnhVFQMi`o+%mQjX2*TA&`+`HHzb_<+Y8gTA({g+@8!89LXIAOap!=GVutSo$Z*iR$d(uw)u#V_ z^~<#^dh0_kF@Tr+LF-#pNzj}`3%cVFKoZ(;fE!NJrc?<(k)-}mR2^Ei~!D_#1vD7J^QLfsbfIjq0m z(-j6O)ZlEtl5W!56#{G+dqJ~-X<;?AA?EPsMBf z(^op99m)A}N@a97Vh39pJujxUUMH{E!pt{rrM!v{t|&Yk0AhbAUnS6Yxx&|j#TIk* zx}En1yI5(1{CF-;0JHA2Qzdv~Qe61=2g+)2EeCS(O9Pq7UZ7RA1Ln0j9;vY{Ie0;r z6gm$E5eL|IJBsvAJa`&r_t z@;SYf0Z-npQ<-052Xvre6Sz?*fLZk0Shvl0EUClgd@H2itS1fM43TTppy=6D*_jUP z$VB_AymQjLS69U`|3#&hj~0ms%UkLX`>f}oM?vOEV^P-D{M#C>IV+nbaP8@qJLPw4+%-J>AlxI^rdn7Kb}%Pj@x^g$wHvRR|Pg?D1`>=T@uVbg30N+bI(i zsyVqWw|aoxr(Y&lx45k%%eixC z+3mzy^%wWN37P8$En0Uy4C*ypb=pdotCv%j1ER2SmCq?tQ)#5Id-D(s%dxoiyu()* z)ph!>*f2)HmHD8?zC2~aiBPs=21VT1`8!6+2QFKOnCh6d%bB-G{9D?9coXVZ>c zeZ_pu56;i9`9(Rj3XgXiYH)b${&1vd6Y818vgeDJ@V><2%JV?T`tC(1dk7-S3zB1X z5vA(a_qU#7yayecAZ{_a{(}8p18bZP^XVd*UOM= zw>8x{1MQ|T)9D}*3)!!f>@A%u>ynIhIV?FhEM(gL~pBjB1k4(-I$4R<(UDMS#97;UI>DRy8 zQ|Sz`o6X~rKFUiwvC}RwI|;Y`5+mm~_%LiNl!M1YDm6#&n$mZZ5%o^KOz1Bwm7v(% zisp9}zRt#eJzpGfBdT!ML(J9B`0Fp<+ABEdy=>(m1Gz~Xd1SmzPOY+MGR;Y+ZR0*p5T#UZ$ z+WXcP!L_xkBRwez<`+4Rt}>bnx;Q)NK%U>JaYPq_yXO}Eh72?6lEk+wJLcpLG2mSM z{=iv{3hS8rP+M|ddMMoPX(6_I(rf&UActQooJa7_0nTl}}q0GQ34RC~M3tw3}FJ|^)nriqm6-Qd~t6v+hf7bnNw|8RKi8gZ| zBB;2Lyg4^JN^{^^J~M+#=Q)BITV?oFN|_phW~aLdOdl%Q=>KYmTVIDc>XBTauvOz z_8#lCoW2>T5tZBjz78r>V-a&m1v1J;r@(($V;l($(WA7{Faz|)=!JA20&$pdda+cquh zUrx3Z^>S@@{-lotMh;XfNXc6LHfyHhg2w7jnz_^j=G8vOeid^Y8W@O7-vRJ4R6baI zM(sd$CpyG0ShU)9Due}Umunn)S8MX7g;!Aq!P?m$cC6)gw1=&_#eH}Y;!n8>Bioo# z1J>;C2~h#^fF%CW`=Mp-8eD}LaK#a1{zguG(5-!lO%4+oB@*QjABkVk-;TW9aMZ#w z2l6_5W%F0pk43+zO-~e+r%|3Qk<4^G_KLCfMki30@$J$xO$85WZAGPEF7Y)M3MOkc zxvTdN?Yl*|lw>2QJllqaUf?FW!gUUZq?p7M3_RPCH(OA|wKvMS3d^FKVe+SXT8_Mp zTIGLnTGgEh81rdo$JHiAu>-RHOL#VLvl#r`dYrQ6eV^=I#|lFbP>6Ob82~+v9sv_` zN09nD8=UvKQf8if-<>GaFFmiz7X|Y>ugcPw=*Qy7pQf?6B;yY?2UF?RX!HO8aeg#B zk5;xk_knC5%3#y!DiZbU8ZXYa@%FxSc;YqHI<44TCWE)-^X}6eiKWrfGu%7AT(44} z$dXCTPljT|m#Q~WHD4DMn`QXtSQMlK=mepMQSn{ZP^HaR&XAf_O(QHReyU^NZij}8=% ztX1g&PuIT?9;~idOq-x0FQA0>n}QW8)n+NpQa|Y)CYu!M=De>Wj0UrGR(b!qdu2Kp zReT>~?!R7>TKdDa&rO~ySN>%bmtej0o-<#J!Ac)4xI2NH(0FlPP150Sbgn4v>R&jp zShCFw2zh+nYW&}K{{15ezl0!DB)0q3;Xx2-u~2>Lal(`dcyv$T?`7l0uB&*t%@DBZ zy($x&9CvfESr|vX>u*|7dkMk?1%+Z5vxV=&O!q0)^=O&)e4Y@hJTklIm{Dn2ue3^# z9-f9HNUGJp9@^L;7V{0_vL!P3tM%L>SR#EWS6?dfMN84@e=*MY#U+&TwEj_jCMi%w znJKG}@kua8ke6m-2{poq1G?qdt> z>wu4HaOH+E)u^XQ7INV>X40c#0bUT!8qN8X6(U6MoglER*WN_Pdhyw<@6d>rD%)(N4++!-un`OQwBMqzXz+yJzBRM{Z@)7qQq$qgzWNG~gdV-re z`g-v6lYuinrK1V#dLH*mG2Q(tYq%01U|GmA8odW;v-cHg!k*PlJ0UEfxIEIUTQ`hO zaUGm@?>8G_JyCJ%aq3*UqCM>)as0DGGL6V4T8i^>5qW|G5yN3=EhL zS!ZslRaWVZcSDbMgXQP&XGwiw!P;38{4`yxi1XuR5ZV#!$V^rEvO3!dZtmSF*rl=B zXiqtIv62s_FqyTIVLx#v0gf-e5b7s+*T3C-%hTlI%v)=GahZt7nf5eUOlrLSnC84+sl`qeIJXEzG@t$72AEa z2dE@nIORlLaIN5=1LRFe_A2eMl)9?;Rw4-yO8Bb^{{aF(dn)3pqQuUYO^NYTT*cwy zf!!fl4G-X*-X=}&TKGE(Ko(>x91691dfD=@^25lRKlhI3{KXoGCCPe7Iel`om;~g& zww6fx8*MxmL>1jW9noM!*SR)iw!{6!`cmb{dze%XP~Wvz9P;fI<(c|boRN8=vyglj zm3Gtby7MEB1$mgy^*i=P8TnFi-M-4o4<(;!#e0{+Azr!B?Z*bioTZ&I*u8o$T{1bj`c5rYGNPj%VxQ29^{;4iV7t5fRcbdUi*!wXjx!Y4X28Z9)CYWi*Q$d(`9%!7lrHDX zK!xq<0Qtr09G&_!s?33`;P`vHH5ZGX<0ZSa3_mPxY#vR@W!+47sZd;N0MDboiY7szA zZ3O+$W8z14y-n6D&`~xqQx!>^zzJp@@-A744nazb0OC>WU0)Ioar{8uAgB>Z*j%UR zb_{t)jE>w?NQOPR_@E0>_A0#2JNxrZfwZ>;qg{W7IA33yoKRn?l+r;w`XFV1Ce*wm z#$0cpI<3<2n6uy?Y^2h$3Tm_6%eu%$tE!{(hh1>1FB;jO(I1)TBZ#}B33i`jDDW|} ztSf!*ol!3%fyxP39=*to%XyKPhczJkmY7Nv%f5G8h75l(?C}GfQSS+C^_}Fmk{83_ z@oWmY=RL<-XGz~uhFjVpdHw8^M?+i58q`8vdsW|TMd1z=fF>~I-L%q|?U z6>dz#EU5#WcpvFm0uGw_Lf^ntOI`?X>X+1KJEWF=`@(ZYlThyF{@eF+)|X9{zf^IV z#_M~pV)mf03f?i`^-sI{_ZzvKD8TSWi+H@M7K`haIJ%Z$}6oWe2mg^c{vo%|uS_aQ=* zlV9Z6dDpE|zQ_gBg7G##jUmgQlkZ>QAh1OKzSANcVWYS5U=thiHu+l)pjHC8VXaT& z`SbbdSKS|vPTy+Z3g$XLc}Ux^H6l8$#xc2GAw7D_&?fpq_R>84_Pd!72=N}RYHeY=gmGo)CCp2=?dqut{f8?LqG-EXQy_HSw^!1N!MpYw=x?jN4@_E3ive zF&3>7>yvcfWu5P2UV5)xf9b*g4-`J~l{)-E*wzRSd;=S@V2LsX;BA34l*-HM9h?c4 z9rxb}zG(cVRg&V?^<8!`MA^|GU`3Kr>HOt@-5EC7t<^RW)*&DWOiK_5loi*33kmtR z_cL!YfO>%G8R5PaD)n06Sz&dLcK8kPlF%Zj)k{GyGrq~lpnhhuH#smO$Jgb3)-#wa zp}2BmUGDP#ESJ{rpHjg&8bVR-=y?$?t#pq)=c`=@3k^Nwk5{106n;xKbiF@I=c1y;4i z(lNq{X>>e8YC%ZJ8ea$qC{jyzGW^P0O?h4F=8JMGrr!1nx5>NY)Y;dVGQOY8gWNfn zMR`r-+I1JQ)e9XvfhFwtA;`Lv5pWDev=O!*gFoPszb@^r(wWoo0xnkEo0oP#UG^&{ zCveqHi1PaO*gu8hwC#C%nz;3gG+D4-nxvmz8Y6Pr>$;@;c&|?8_mXWo!TC0HfdH!D zORTXzTWh`SLou3$9_Ojv8haD7=aEkbH(8hJpz8j%3%~!fBW^ z&(VXIKDPCQ$&uAuN)7ljD^JLRb;|Y{&-Wq6GrT?xe(x<$lzm|d)%P?yK_$5as!UE_ zhlj}<*s#IP%gt0gMt*~@;SE1f5W-^+&3b1x%eIt(--US&7mHf`;)5ww^10?gboG%s zTKf6g8v00WohP;%$E8z_bACu5hkn)0tUlb%yzWZ+e;7E&_33D-d&E*lh?f(Dj$pgG z3oG*l#eQftWI$Z6lhul%cWNCJ5(s@02KUuiONl23K%MuJann42csIX-*XSKB?V1;O z3H80ZT$-EYULk@{`H*g_P+j!k7n-m8Z-&5P8GC3xhzws zar!VuHSwxaWU|G=0}Bs4_b|3Z=gEuGY(Bwgmdm*{#K$(TIq4S)&r*Bx174E55c(|> zF)zB63BzPaD^^QCAddJfF<=>K67kxCR4}hJwQ!-URzKmI^yc@6RU)>LG!ddaJ-p{bVxchBu$dE_OTqzqt7SkH&Su`d=5l+sEo{Fw%G=#ZEux zuM&ee4T>JhbGR3Nf4Ikzoo{6#1sxgE%EEj5v%Kd7j^F1^Nfc;S0#pqe%V94Ji=J7E z)j1>^X+*Up>IINk8H;?EV*%Q429sMA30Nd?$<`cpkQc*l!iE!J`dVdF$lPgm^F8=i zj_TTE#=#X3xOI@bZ2c45>iLo``~mzDZ{C7d1b`g4v}HB(KZ6YYwCw zGKA^q(v9Y+hbcFZ5>&+tUyqT~(1x({BKJV(7+9luu9BtMl#QzBzmK8(&ub#>>9>X& z39!^Qsw`pryGm;aA32DANw$5hRpwoPijjNvoiLiYI1Em8f!`3GNX|eab%m5{NE`9> z$|YC7>NVuzfIh;(k8Wz_cPy$O4pvlOF^o)=BN<$+}5>bqpj zgM1U)!%hR~p~lV+Mz$)wqbYf5CI~Lr zvlUjJTombpT?1)A`RQ@b60OM*LKzl^xVD(s-)62|dCmF6VKifrR1qLBiXK;P0WNiZn|191oC4)hl{EeW7gNq=DQ7apgNZNu^LeGVv{HI=`ikH zyloF%f4JW!PzcL~8wRY9ANB)V!$*TTciO0~FdbT!TzUL(DW6HzJ6v+KY-VAYm~{A2 z3uhw8ag@`*^7L*2oPA`$Vd@;G<$E)Nd@@k-$(&XHhbMF6Unj$et4=$LwyRAux-aFc zhM^mZq`gX2a32}|rWns_2d#UG7mW|+hQr~dtWF% z3mDD4hII&X_yGVH7Dx@F>72IWI5RP871B*(dzzrBexfqX`v<$t#|=x z(^D-I|Ec(NqGEnHSzK@BX$Sj5YXi&8*Bsk9jwiHPO8!TC)m-vaRfq6@&SkSfw&_3m z$E0vw+3rd#5X5Y=Z?fKXc9#T)s__b4cja%25C_n~G%;q{zsb58@8uS%Mh1_zw#Nfq zUo4_C*65bo^NIJKbRZyGQ_in8#n1;!T;TDrXuI* zK8mS1`pRL7SJg0OFm1OJw}EF~{jSfkLfs&JojMQEenpqNK#=+4Vi@hdgu1qnRHBx* z6E)oe=m&$K#Tmtuk^(aWDNS71gqO3CrmClwo|O$N`31tQdl{#7`Dg11BXvG!$l+jg`nX+K9HV*%flMY*Fk+95MaJ&}Lcb1z~DQn<-`@YmJyq}29c^Llbm?gn zzPIJf-=XOO$IWhP}IM*{J=$m+aXN)pf zl2Tbsm$KOWeCbudL`RQ?z1&p*PR{6E~iXH=7Wx9)90!G)C2YeKKmmVk7m2Bb+1QYBI8B2@?h1QbG- zCP?o{CrDL5kluT>K_GOMgd$*obFbtmr%!gHU3E!b zfZ0}-1vc|LDnF(fQ^ngLkXT3L!q_6eZA@R+#aBo37cpdk2WW+2*%O+>-(fahNO%%v z7IbJBXH{D{cGMH$+o1kMbo{fJ=+_!SMv1>+F!T>k{%;pe43Ipsdbx0}P$rrj$Tc|7 z=C|{PgsX>6ki65{VR{hDfb`X<=@1d>8FcI%{#@R>59z{z5;>!x%JqZnG zH#~kb2bJB1Zu4qd3F3?cP$t=!4Kk{g&Iw_DMg02pY@*T=%s|4x0O(Z9gNEAO-ut&q)QEuh>|-Hhv_4yL_L>) zK!?n)x83Rxks9EY2HENMNZzXjqnOLi#4p?I{ISz~%E>X(V#zZ!ulCnMSXBKVk-rrX z!hQy*6{Q3%*JwwwX3nQzb`%$|Lfm+Qkm>=S%0ti=G$A%;~7%~!;)FXg{cDW*dmZp*a%v;$R;NmDm)oBN5*hId}Bgb>?Ca>kT zKt_Ul6$?{bk3f_k0VziN^o_9zI-O`Dy+MFenNmx^U}zST`W|4-=?8Ktg&I)eOak_+ zjyffJigjvL07QvZc0Y5n%>KuuKR(NF{?{T_rF63B(?>>WzyM^HMyoGAAMPGU_;TlS z@MGJ#L(0@An1-KgdDXPb(lADVZAn@|N`=b!=L=`E%HLtTV85AaRAnrOG?=V(Xo_N~ zkyG}u>_HneRbU7TA_2^asD;_e>EAY!NFy|x-x z+d=yOdVc(kHPy!dv@J;UUGj^q7W0id^Ee+%l}Ar}BH@TUy~xW@t%4?|2cmQ+9<=Iq zPN#ofO6!{*svy+lDCZzEEjKt3J7#Rl^M>hxEiRwmrb$OpjzBGz&1AOWtZTqVQAyt# zsRnJHE|RNR(&-?zoieQQJsjoU*n9vPs+)FtOH7-3-3wHqgvMD|?2xp#>SQ`%>KuB_FAmS0|xqCKvNpANaQTwrLMC#zH%p?6rop9PGf znZ53Juec{{bYgpqWk69Be02V+A5f3*$L(PpUlt;ZyO!=L{92H5P|mq+m+|z+zW>rh zf9MP6nTksww;2H$Ar^IoS905#on3IsII>`bdWYEt$G3>^r|;B}L-eGK+EUx$Wd(0` zog~WFfHTl%!KUp|5!8_3dEu>302&$|2e~N~1Ke6`U#RQFx|otK?Lq-6f8xTz>t% zWLt?+jR0Jf9j@J!y@HlCB+I)@NlyK69fTxq7Z>eX*uEkhy|P_FL?`Xdg{yD!LA)%{ zzTEd*;sX08*BvL*zZcNM%tgI7Ug7GY_hME@8o!0OA5=G(X2bavfQpodl=16GxOH$1K@Ab`VamV52y3?$nK&d z?DX}JPbFHH@0SBc7o{WSdnLhljoH6O{9$k5Mdn>+03SGdbHu64PdaQzsYi!elGu}}jAZap(y;L#_VRrmkFJ*BOF?3(yV`Z&x)eCW zOrsuiB$2vTZTSIkuXTCn0Uh-)g{D`1Y=KD|*I}6+RtZV{Y!(pjIf$aq6o1t;uWk~f zt$O3+ki|jbvujs5<5+SW2lE_hqzlvL(WnU8yK87fA{l~6PkwvwQi8|m0F~vPYzg=N zcDAuJx?-!dme&>+An!$`=vNEIsaG8^t)ObO4JZ!sAXO10$<<=44) zJ0}Ob?N7B!Y`-X#q*Rr-8mw6l{KBic%gHUy2^5ERGO3KRZ4`~a@cN4_Zw=`%0vF(W zPp{gDJ<#^E1<7QJljkG}%pnjIx3!9}4UPLj3cetKl(r!s7UGUK}a@b&?3QmggPKI38>Bge*% zwP`8u&3Rdil*uOJEBK$*rhFb2t!ZBZtrEeWov4Vjzkd z)8_cS&!FYc20<<*!4zayB)Z^_20_ynCNml9=sFufUc-|}A#l@oA1~HlV&Jt{Xydxs zmOqZI)fS;v45V2p)I;FL-y|9Q*(8YmxQ5HOX%p5A1Zth8ACk!-(>)i1#r~%*K~j+0 zAqV!;kv0f#PWC=(Ea`}`$Z_I90rPeH6}_1|#}mJ>z}m=ANa`oP6HUgz06ewgH(vUm zmKI9DpOj@UWIew^NeyJwV!O{o+JfL%2RnR@Ob(yIF~d2CkB2CRfO8og<79p23hYJM z>t01A`Hc-!?Z!i-cP&Vf5gTpsMh{)07uA#fk}aF6L9knn6HM}m|6Nm16PbgA3kO&F z`5Jib91TfGFYl>GY?ei7RTJTPI_*j?KcqtM+N}x+D2l>n3naiGeGNDtIbI z-+7|%ajC)Q4TZHgP*!S}kCyojzm$9j3UXxJw+%X3nJpL86&lqfNxm6s+o*{>G+pm8 zSKvkVx@|`@l|jRE@yRYy2K)62NFH(A9n#Zljt$0MRo9c)p+ke4x^B&|*%ok#iv%zCo?Tzn=h`7P2W z0k^ECIK{(=2-Xu>Sym~waporV#@j__HcdyiS`}{$WZS4l@3&3WPTmZE&X~u3f}4L; z67Z^MV@YQsBg-7^d%Ofl_3YgUUkv51MFrv)DsFPf+*IR6-K*UwbJTbh>fhP8%-F6M zV#za1i%>^4YDPQK9G;oX5hd}d)$PVc0jU0?13?>!1CC{tS0jzPh+(h^EhJ_=nOxbu zd{mH14mUbq&D~kX=eawn8TZPpZ#6+*$vcbuAd#nno}sMExubs|tnRi*7IF<=VblEN zw$gd+axaNN#E?$92R#2gmmDC2@<>(pMg_Bp)hcOA?Qr(BItZ=@x+hfx8}hiO3}@Xj z4FqbF0sA>e{ZL9kFrgnuMfe6k{WUdqEsucAg zD=kO+;joBe=r;Fdc0?OITA=tzfs$SmE}s;Ne^P0V>=FRW%VJ8D-gIN{uc|BjOPEs$ zBzC*{m-a-k23zn^nIp7Ix@gkv(gpU9TrxV33K!@k7`~GY$NOrsID?CR!|39%f_7@? z;P9sox(~0&xfgYQ7us~zI}o2oy8u1Ts)K;KDH1i&J7SyAp#)YE^Q;FRZh_WxSGTK_h%AmvQwJH*cg46-dEu ze`R)E_}Jv>*4_SVdMmmuFX|>W-Y0769g7}p;yoy2LR~B?@!$?t9OyP*CHs~HU~Jnl zNf%k=o&qiyof3RK(GH!xaam!?`)7HkEC6aGJ3)I0W={{LF-;^H``?a6b?|;aujseV z8fB{I!jfp*T+Os11LU~4ZFfZ&BJ0g+1>4|OAts{cJ{uU{sRwFga;}t?>mycY9NVp+ zsm?g2wtLqCuI_|}gAJ=t78j+v%k%#L*}gqfIB?L59#EK%BA{K0kAMS2LBQ8vQ!qav%A72-Qze)+7(q7R5`b!M`2N9-s2rNR40XPtOSO- zEQO9c!{0;q?!y8OUoqy!rdcQ>h#*|TKQmms{N$PcZzEi@{Mg{6UwdfOWom&l!s!D@ z@Ty1Vfzd8j2!jBPq;24NHDgkZNExqyg7pK}Oi5XhhqoZ5k#Sxdcc_T`xQ-MIkUq2$ zsIXN6YTfvE{V1$iUv?JL-f~LNRn|$-)qkd&W^<%tvd=LZQnLOB-o%7Up*m6M+jhPx zv#()%%(OxrG|gs1=6Ln9NjnL+z2u)v4tN!~I$EOSLyWL*A@fVssReJ98eBynJvi?N zpdu1`A=&f+QWbaI-Tq5~=YLW=f5~eGJ(5UTyk-|A-_&>2W*($eqZ(JNMA&I3+X+Z9 zFfB@*vGlj9E9nP%R%*hOv~0X^3}B?z7sRv`c)gQY9aTHlLwMMQub&i#;=Jq3Th}Je$>~ti?ww)`4={DXo%-C+vmMT^9WC;NW71-AT)j^r}>dn#NLBDueG62WpSC*(#gWC16 z1*T+m`R+&P(GDFNWgs6ZAziQ=53~Ta>Cl8nT9GLt=ORKsYU(*9Bd37>T^vE2pCNr( zM)O41zzK%Zd-xf<63wz4J`tYUgOzlQwcZkg8KY$v}V=bfPrjpN9Z&0qLNlH+DSEIclkCLKwC-*txADHPZcQ{ z6*E_vDPX!v_P4hZwq@(LbDpAR+Y;1fL#g8n~Tub_cc1Wo+28S42(Wb*_t#pz9xZV z8JO7mzko=&ON+m7>DQ!$`BM-XDCOqRK;oVvwVO#@fRe26Ag@^VwW5V?X~wJP(i z{xU%9WRL{m#JpJ=Ud>=F=&T?G6yoCcc9;1&Ef}bcav!Wmf>U6e=kqR=b5WD-D{P^x;O|45=@ zG9@Mu?{FM~ek@G+%P&HYWW%8I1FzYs1>kP3B^41P%N3i@Xp99*gu{3$6B|tquD{6M z+J5msJ+zFcH399L+b@BYcGRyrI)Foa?^HG{8`&8LtglB*rI|vMyU_=x(PNIT%ZTiG zTjnURO0h4}q7Hrftcq9`kfzAr{+?R84d@o=dmuH#x0`cUEp@Z~X0Z&C(5tB+7mrQ4 zVbT;vJpUr2vs7v4EIyC1xhdqaawF#NPO-BNAj|ydy#79 zp;=@PDFDdhfm#7dfVjXL&j?w0^wPwZ$k(-0#^k{fGlz!0s!E%@YxUKDVv1j13P3$r zLShuh^NrbBro$@UC`sW}`j1#RnuBk=1v0AVacRqZ}%;ae%I`0 zTTA7>AHCtMSehT;MRD2=BzD2zA8M<2PybF(`QIe??vAPDWT6{8%TXq^ePf->G!f-I z&B;We?t_~gLJ^)o6Hue(Y%&$(;MO2LV}}AiBT~vEPc4ZxeZzT>&6ZG-C1X684106? ze*C-Xd?0URzBT2n5uVdy>nwukC4EN@QQxC4lUbPuP>?<0G3 zqvd*M9`2H3rBrbK&~>Q!3=3i!ym?eF1mEPK zCL{TUzZjyQoFQyJuWnfDk@t`pQrT-M@Z!_W^V?xG?jzxj*Zh5+w*B-C~=F;9O=4KPfmGFHNktWE|iHHhsS>$)UEAYapMoX1!3s3tGY zN3!Z&G&&kiRtk&)Yf{sEbrL9Nn&86ljtnNhK(BJ)`jut1f|*osP#Rc4ZtGr|1jhGC zf0g1w)ZOryUe7dySiFd5mqsz8=C=VkE_nhdYI@ibrVRT2@VnYCJn~bK_Bjfz#HPANrq%DaSA9i5V?H3xy zW5kMJx!^{Y3k6(7fObvRzAUhztyCGIJ&w;3F7QG|XI7X$Lm+0yyNmN(WxlCmXZH)) z_e||jVUrIbmwUTyYnmnog4x{IK1SsX*;yF#*}Su_63h0p7&BJR-H{M5?&tT zPzk?(qf5&BkR|W}wPp8{XIY60zK?eOthx%IYdd>v3vXQTU2z#?fdmZ$8z;lS=_F`< zrO<%`L~5?YtYS=uK#ZP~_v6^V627lw(>YiD*bhSUOPk=&6(PcO9-tOia8!Fh*@H|$ zkffFRg4-2J(1jmbNcSko9!k-Km06l7S!DO2+&=dA!|La1$gbRx9cSIDFy%n3o&-#v zxM;1yM#q2a=j}jbSC@?^63Z3sh<2IE?=U#LA0;Ne#%xUMIlZHxB%)_>+wrrhjo(#Q zt!JhG2A9m@-do`TxCCfkAS3A#*oP^t;}PXVKQ>sg6fVEGj}bCAkWE}R3q)!IyHN>E zSmlw!a+M206eZ}44>gWxDR*aU_ofxmzOkxWzjz+p=PJm`%Evjz-h=o8-e4b;1T>9RYWCScMQMS$p)s~0OJu9 zgRv`T+a0zEG6O4`Bk1K`rl4>Qt3yIO^$BdOZAYIjwM_7!Dhw|Jj z%@vxti%FG1_scELrOUPufl1WUbjH$=I&37Y>YFSBltDQA^3>)v-`nMVu+7R_T$a;2 z-S8}1=QZZnnj;au)(ePj27Qm}80zIM}9k%%??uKY?2hlhVhewcKf?Ua? zRuI5vtrd!W!*qaIrM$>IyARMkJVCq5j1j}(eP;MIJZ#G`AXpga5-k!4~D8tVM4 zf;hTZHJ=3CoE@)jH}jhu0H7E25paGqIf>Y$Scf7bT}mDDxhgQAD_w%&-E^XvZFZFy z)ENDy=l1ToYW{ixIW;Od5p&Kgu&di(b61i?KF#L#+DqC*&A^D2Spk0MNPfkW<$P#Q zRz$uxa+(^+B3&x+WhtZbI|Dyf_P76oH$e_lOfC(kT0ZHS`!=12Nyw{kD?vQ zadK#XET^4Vyp88!yM__v)}oN0SW6leIkLNdMD9>3+`bT45D4Tta}>YTRPoaO5B&h0S6NA0|}sd<%?a8cLYB)D^8MbLy}#m~GLQ#rKs2Nfc! z6s^&S$ds*@#1ZVybKr7&3=ZjSmHIUTyLRjr7lqL<|+3#iO;wV&(I-W^)J&)%o2`}>JE4m7yB+eJdIKh3e%rzO1-o9I#t z;2|Wo2;FOY2b_e^l+IMP$b5ySSj_G$Cv^&XC<8-?+Efqh?iUM!$Dd7Hz}Z(S9Ln%( z;Ur8TegGb_*>7Mq#j8ulXsO<4GIWcWqT0{dX?RgGM(}LnLO(EZfkF9v7^U*r#08ty zKPE0*ZrL&)*ty1~hIOV%?0q3T6 z8`;qv(=VTZ>#08{;kY3`uom^#epN_){PKUL9J2Ia_KR2ze-OXIdx*j8(ppft@!SA2<{(bc) z&UVni)BFHsWVwV*uR(Wu&!Kqo3qkef5ryv~pBDsFTxdtGoZS9A`uYz?X)YUDMY%ad zsE7j3Iwro?#%FgtVpaW`SEP0z+%8K0LcF%mhG`kR#0I5~GP<@$=pr4<$kNm$2xU`E znBz^v>Ptb8u97~mbzfd5FXJq=@Zok;ikKHNcRNxlky^c3Fbce`?J?4iPjZu}(O{{ve zzmRt4+41(%tC#Gw2qFFM`V;%_qglxR6R8l>mWolHgMEo5Tr3%6u=Z71dNY43((}n5 z@&Tx}i(N8^0Dq%Kagt;n=se#98r*tg!76d1QMEl8-WA#-R&pNkjD1UaDb^3U<)=r> zD0gXa!Q6$j`)2UHURyv%xYM40&py@*@Z4u@*BdcqDg~T*rN{p;stZ$8>E8MVD^M>H^^A;3A zYMp?Tn~$X*V==zB zcAtM)V3sh8qf~)*giEP=`szmVDiiu*rB)uL-CONY)y3y}0PAJIMoLgwVkaXF0d?`U z*=?%ktE6|v-Yek`!U&MI@w1foi%&ykO0|t`% zxSkh)fn+N+{>@Q@@3GL{rPHNUcWK{)ndvvC!j=UCMEYaRC4Y)5zr6j@=+9G@vJksq z(vF0CmiKZGU54j!*Gx1sF4jibvusryI9Y%;7Qhn2hZ>K7d7=?JolNmS{}3WgeIFoA z`IPh&_@);G0p;ZvxV0<>aiPX?EZb*%kg%ufkBI5sjeM3VW41;|nhAd;Jq;ozC(0r{ zfXa~Ys;4%8y3l~;iO%z)-?~ZxPd)d!>fcQ9%W841?)VF;coLr0@k8+#sgW7FL@5@I zJhinkP9$}IxIX?~4@-e8n87<|CXf!oiknHbk=?;;ZC3zs-~Dik!?{p`Fj%57je+a) zr(`ZH1v5V8c;T_#<8Lx4LyD_gSxP*=9ABh1Q6HT2NbG-o1#zjAm79G}K5Q93Bumy?-gjB#46B8s%nCGZWS=R1sa62W$EBbttL|*EJ1fpcuix_Y$@w|2G zE+Jldv-6(b;n>u2mA8IpVvr4Fvp+8Di1U-6Pu7>Iz86-dS5E6cBTWeE%|DdcAJFpa z)jVTN`!YXxOZL~}*0#ZCZBHW-U3#~xT&AZhzBWYpRLrgv0Sz~uw6W<4bpIX7@=fOw z{3Wr=7*5en3Z}`E!0@hhzNC34JW`cbo$`)QW;Tr$tb~1wqmr@{4uUX{K-`PAja{x1 z4x&u~yOPZ_l!fvPW#JP^I-*kP=XGJZNoU+elbv^70to=h!Uv!%3!wrp zh}Af)HyT8lL3xQ+Pp=+1RJ#*b;N)U-Gvj6#wtGRpsDf|1lPvV0e!u72|JG{c8~wm{ z^=3tdIsVUHQX*`eGJ3mM*@$djN?PRfB3pZA!rgFiYdpLL%Mq!v(W8iuk%EyC%WQ+?F@A{cjpr9i;&>Mk*#k&?c2C5uzy96)$p> z@T@?O-u1U?rd1ByCFe{OUDZbyGL_;X%!?1#XWne>C^WTrz{9Bk%cjra>x;S2N#QJ~ zyD<{p%O_1OE;}vMq^wh&GI9AW04n2f*Go(~%CQ!Vx;Ivlp93bzs^ ze-z#WY>eD$pXab8^o;Qdqz-Yec__-cN`A-Nsm)*W@pDFAA1QD2c`YhM2Yxo?%R%B zVBZI@iIe63F#JiNBJaEo8jbXK!5en)&-`il!;Zw+QM9-e0tp~ZxxLBrr`q^x!0?9> zsAqT&XdXszp1{BcABE;7mh!U>YJS+&eLQ4iB}VQbCLB0#%NEqX=gh&VxU$Hf7tLdH z&LHr~PdBY3Q*a#!w7OKUYJ^$qwPD242tUQU>??_#qoL!1p5^gs?mIG-qFZW*9~$)! z@AQC!HZ;&3R(VKsSRjgNf|k5*2N9L6zCU|y#bs8$ZuDaSH9n1X5e@mpH6hN;0lW?y zAjGEra+)g0gicYfy8KwHQ=)r2JGDbOuSefAe$C2sK??KlPB~X>r`JH;SW8EdkvJ+@ zb8bq-7`8|0N#qa~JY9C_FK2e-mw;LDgOgn-S%^d3W$SLftK7~3>&XPbU~=dgw> zfr;gHn84-M<>yoqFA+eiy^`};-r}}1{*4E^VCJ(c@_=#C`ZG*D1PueFa%=x$0;$bQ zGiO{~p?(v{rC~qac3VnC(#GqdgjXJ+3x3$qtdKSH;FCrrUWm28-|Nr>$NENh-67Zk zErxxFE)-3v)7XtHH_NlWrfl2w*#=yR&|fQ`&ym;w`M+qL#9ogU~$=R zQce`s+CU6_rgZPp=e?(gu?l37>+T|}YwRehNl1{vy{V~WOU;5eTAYm7x)QQI7N}(P z#rRNr)oZ++?Uepk5V*d*NKSbd2b%8wU`VGNA-@B*tc2^)JWL)joo@fY^^Qmwus+e~ zZJy&r`wmgM^ZepMp-w$d{YnxvB71YX)U@mqYBRLOohwU5jcYRax4%f4>VG3;M3uM3 zZ~!S2xzrI7hn=8R^Eo4B60=jw9k)810O=n`K*YtGqv5MaoPDN*JHfkqZI=7O$gMhR znBV%#vPGzH)?1-<`Z&M*XKi})^uu8SVX|B|Q}Y=yx=87#y#}lr{O6dL#Lf|9`pXWu zCdarVbG-@FP~i1fk8Hk(*?LKPv0WcOh9T{mk%%Z?;&=2Bh^Rg?m(4FFQc z|DKPV^>I|SEj6A7j5qkj#d4G5HUo)}UT40;>bbAqJ{5oN_76oQ(SBv>;8dj&(^WKsd*&0Hr7Dj&aKYcd78qs`qo-r!5~D z{HIje4)3aU7)Tw8M-ZI#DP{rhh{i~bFFa#>>2y4v!z!wJ?PzJ;cI5N%i2(!WL(MvU zgO(>n#>=CN!edPG!6{WZZ(xlDma6&evIz6}-#+=6BC*FE8Lt1H1;epC_F6MeL?o^d zNRzZ$K%pnnpBeVc9M5FLxD`M4STZmqrdTg0+W`n-Znc@*GmbCl;%Kv8`x3);|4ZCa zd+X`v4^+zYvzUxd7NdtGa$c!JD_PF^>HgoEjMDA1Vu|*)-y}h9avW{O8Fk*y&L4ct zoIe!lIeq%U5si~jSV}9JTUn%~C@=vcb6%NXd_>uac&gXN3 z+f4mj0{&!s)?N97fpS~}o|b=}B?fcso=-AXE56dd!#Pwb>F>bFY?*{Bsu9euPxz>3YwJD?#}DM5A;eBoZZPMy7; z;xjBQP6;ty%Wz$*KhYinw?!gVi#noO%C1*_4hWN50d}Rh(ASrQ#HIIcmos%*==P% z3_ac=X?}h)N0dZU?z~%D+m9_${x8o=z`;!!Nex5~ojZU>jc~TY@6z%Yz7oT?hcj1h zy}KsmU!(Omqj`Fbo8SBDofM;nRtf~;Jxho0_I?SebhtyWcRBu#z(mqsHo@?5%Ax!X z;kgQow`y!CHEFJA2JJGRen!$~d!ZYgZiBPgF1tx;chH|6_H)v%)5~9E=lET%wVueV za(j`ZAp4ku2OVwoc)n@kW5mt5S^E>`hALns^-t9TL+GU{8Vwc9{sTao?z#hyt`4JW zL7`H;X3;56V`U{4we0|v4q*Vwrsfv>RcR=EpYx!>>kc!Nz!YF7j)S5IoaMq0%&2oF z*zoGgWUh>#)tp@!(`G$a(ljgF7oMPYgOR+>Leo8LI{dq~m zQz@^`f<^8plCbYO+H_EoM!5fq#e`CUao{v)+EmPsdZk=g>~I^9oJ6j@CZV~0{ifyo z#@WOmX*Wd+A<*}qke=Dcfi=wO&Qb%{rhTUGRCsTil}J!sA$fZ9ROS2J<|+I0BF`b& zw<0ae@cM-dJ98mBBhKurS;h~>Qb56mUrrskTZ!G8s6AlhcRT-nXiy7RS!Hu`#lq9( z=PzQ~miyk#7W5^$ju-T;PpBmxle(Q4rxoXCKUuRy{7n@i?#a>SUxVm5zUMjox&6WS z(G!^e#qq1!FPz$R%6TUhyZbzpW0_NWL)cf-^3T65{c>-TDxcObdS;6)FmWatpNO`!B}0@XwOo+f zO4ra^>!2>s%}$u8qSc`Qw30szMHfZn>cxa*@u@&{*O`sQ0?XGg>BM&y6G* z2;;SxPSnz7l&{b#qizTlcf0xqUr+a+kI z6>irqvg}|GG>tJ~GEHqm=M^?En#WVsEPs1B{3 zAlEp&V|;a*S#3p45@<9r1TyCBav~$&CsYF~#ysg}L-g|+NkeaG$)bJP4CMz6=0k`Q z#jj_Y+#ca~Wl-Mm8yJ$V z_mh8|7TBe}Qp4T$V+C@YDE>U}t*E#g%1u=MJxKg-eJ8dHR_y)l0-49s8TGCoOhoZl z(@J>b3q8mzjXpKc?0)Tqj7!xOdYtP%SdUSb3$9K45;<+un=i7?jGw;+GyOUAZ0B&1 z%{8PfKB#F*u2K?2B^m>`8>KVuzPtedX%hbgq#5hO5!d7^IxN!`C@K>UZgF9ogxoQI zxEmc}?z3|~uyGqMgzFs^7WcrUgq49n?abZC*tPQvNc#o=Y5YM*3k(3HRcuAMvMBK1 zlzmEZ`ZXoRpNQ*49s3XPA1bTL}$O1N`WkI0N6*)tn zQh;T5CC=?zM#xNVz}pp3S!}~?l7kUkdw6#3cg@(Esi1}s*X9!z5ikDhusH+8A2lrm z&7kyRW9WwmQF>UOftQ>3dGk{fw&Epx6vaK@YW!O+R@gGF2tX@zz&KE*!%j5;jx9Kj=yGeeIVQQXU9>)|lH;h|##V_;l#fC6#zdwKHA2lwH*(9VgEROOd?AisMx zD&hyu zs@b55b3tQw99oB^(;;bIcweU^H=0c2Q&%CeeNQf}wuKj^nu6o4eNd>cyy-CL$_zrBk&^Q`ZX(e_ccb zT%KO|0u6e*gX@^&;c)GHRmf_!B-_?<#+gV;mADqCp#U_1>#?dI;)In~qLU#XG^0YK z=P|u1UCWAmbZC9QKXJWfpFeRu^K)VB(t|rpN+Qc9*D79z<%Hi0e+ReY=HzRu>1Og* zO9i#=7WLpO~#8k92i0WrJNC53zcOhS45DywKKlT~P zg*wjd!5y)=;%utAm}$#Tz(v$GKd7qAPVIZR*YI_H)fS`i_VH_q8B0$&6KcV9+VjAu zo_o!*#EtDk`NuB9CLsC0bD)utq@6$iIT7bH+H`z3>A4Vz1>c?0`!x90A8L@sqI%5t z>+Z>f@(Rm_#u- zGbOH1xwMQrax%AOC1BSMflP2}8iHGqjSt_j9Lg@;Ig{2sS;odv7C3|%LP%&rjUPhz zSbbrWaaCI=b0+7Jwe2C#Ug#d(YFDwL>XV{Kcs28HgEuNd>c&vROm-a#bn59dY4H4+ zRH<`qQ1<}yQO8WFx$0PlN-3{M4HWpQbmv|DxC-!7s);wK)H2a6-^M1YGg~R2PQX^m zVw?LNTtImr@bdLu@$}tXQExsA2-1KC?FBpA`Odz?2}j=wOUIw|f{F>X;w0ZrKAg@0 z8fC8i=Qo$kdWqp)wA9>q2O`_KQ= zaVL)8-fnuw|8}7{6R6ipU-!wSFRv_2C7K6%mTtip6Dh1g#7PdUJ z#9qhhxDkDW^uI`+$eL~s_=IUo0ej}~KU-fRAbe-mSNQfY!1}8459=#1V10#Rp5Opf ztQtT$0oGT&#l+4R%Sf-txELpOpv{k;{}5xCNaY!WTP>x#2+%MYGjSBoYs+zzea6{EAVp^URSJ+&$WZ%D;W_lf)L;Er&#yN%!*-Je^AS&tQWn5q{Bvv!# zR?NmKM20K+kR4VR@^y{L?H`O$Z&9~Uo4nnM$R%2IWVy%k?{7g=M&#sJ)SD{iPavFK_Sc*g(H zsLx0Q^Key+>E37;!@5!1JI>INu-Iy#&M;yzzgf?##GM5#87bi$@p$n1<)1ot1Gt4Y zs1`RCuSOK}1kyT7&dP9o1Ij}8slJo3y2ot~E#=sYwj1c71S{x&f*38gYQrk9V~jfm zuZ+)(xo{nH(54+({MhP#S72m`#dZ($XVFaBuAjn|4#R~MHIr)?lY;Ip&)^UngsTy2 zM*|{OWS5imDtmBK<+w(j0>se@{NM8}>FSe5T%%1sj?bFQt4zuz? z+AX)1bJuV~Fb-CwpQrk6J@&T+Ic@+W$U@=VnexM?@knm%0gZ+358w2i z?v7ivLb=X=I`RK1N&B5J^R~_ndi?x^+qOCW9mg>e6qQN(Cs`?ZO9~|5sMJ#ZRsXvy7)B)jl%{Acyv-9ia1VzO3d3`z8=S?>mwJxaOtCJ}$x2U_|*I3u@OvouJ^@mb; zb``+BDMzWEs{K(FVAFG?9J*4zz{-#1ROxiqPvZ9Zx4oc7eSq&7^BG|OF`M)FOLjLZR`!9x z%&2PRPuCINazHb$tK&wLAlRoZ=Ob!=3^jbwTbh|N==l(o{Rx}Y?D+hO#=qKBgV)F; z8JmiDmyAVq8)Zv>I0m>ZzcSPdL3Hd**IS>|y0%F4n?7!d=y$n&>r>%DQohT>1>e(- zIM@39udZ|V12=>02S?0Hl{t!bA6V{eh;N7iIJcH0X9~DIidLjPH0o*{fx?KE)lur*lTuG8GsYo@C^F0tL|7&)ccswX zjihy-6o|w~=QTwpf1;b2#5o^ax#_}ukpbDdiC8L+><2?TzX5Hl5)VE`_A=*`3@~rh}KIrTI+wTomX!#0mTNBlqfe|#>LlY&4P&I?N zH>_4xieW>hKj&6$6ZGFN6(!KWuq?_FVtMy*wkp5d{?)hh`dZHbtkADN_cKr~59WW? z#;Cd=($1;60M<5$v+>+IPK{^{>yKiqx;9!)Wzwgh~wTbpMw29o*Y*3 zkAo|>{Ih7+=Ovw#t7Pz-MIVlMvnP-c=TC1$O^Sn>HbnJ3mP8)UmAN%Ll8cJJ%k?4D$-a&9i}COw zF<|ED4uXxjl$z{p58wLZPgI(PH8sA7>tJf;3sYwd{LWE>Vuh*jG5U71h16;GX;lz` zIUw2@#JFuh%m_G&kYXL~oPYfJxJ~r!#%1NY((uejgLc=y>ibQHehzR;JNEuI*~eh@ z=)`e1*)00e?-R@cqS7b6kBUxJ3cVGpKHZvOJiHJ*PratRZT*%opFU2&pM+Os>0C2Q zcMRQAKHg1a_xmW=7q}^M;$XQuU(nua$MmmDRyrzw91HhPrKawP>OKIF72qkH-1Z=A zK{v8`hUGU4(m0$GD(RYa@Pc){8BcF)mcO1q|8wi%#V>v{C&$?^;A)kosM(r{d_&2k5%ZV6$yBd zmcqWbOhe$B4Z&$OinH^_qi?RZwne-_wVgU6ddBurxIG;Yh;+-$^&+o3$D#u7?;4mP z64ye~+|Hszk?sBDwWu(RTga0xw4yfRX6@sN9$pdl50jwEczJGNw+{wQ%ojj&6FS2r zyKo%uH>vzRzbh|BFP8`{z1 z%{@Tyo*c$uG2aic%!!yNT-pB}Z77A&_i=lltlSRxH+F}1=dUTB{q zyd;)X-7R*Kw&&#pGhG&kYn?rV2_LW< zO;qrWc>Y{?NuAq}=(~w2Xvxb{zrm0=orm;+TmC>1&14|>27=+Pf~Ka=Tg9Mu$Hp0v zk{chT;&WdH{jUv!bdyf_RLf{aPACmvUg2O(bu6zD?tFt2FM8FzN2%2|7Brp4=^Mrj>bz^O(#EBzK&6c@(ZBxddwa~_ z&xfUSP))pwwoN<2hc-<+_3qm|u)<0_mpaydsj-!3sxt+MpWSD-h#*Wz7|xzijQ{=u z*W|Db&0{=f5g%ol8hwbYzw#+ShLxXD+fKhrT%xgx!YriPU_Y1;w`H%j7 zt?ZlOSFA0PPpdD*R%S~Bs>qSULh-&|)=6gc>vi`#pE zDmore1YkFLwmMh;`l_{mAcMj88q{^619h%y*)F%lYg}GSm&5GGn4tz8Bem7PS%sDu zkrTnFeA^%dMZ$chZShx7RG_6Zw&(K&MhajuF;SgyQk@O7h`Z;T))ZD;$~;-U+aos_ zuetfkeX6ox$Rk)zBGs*S;VuEpR9{JJ%?ZTs5bPe_*|Um?;tIk84bD|Iu!h#VYEQpE zsSkj(Q6{0hI3LtZOlpQ7n@)sH$Ons49xtjIr7_#e zfY|dqbf$e1TPnUKTj_ zX22;dKPRYVGjv|U21ZhLquTj@_X=p#*@d_|)8a6uY%8(`;X2OEzwHwP=V01XXkrgv zly6u_(aipLvd>g!VW2AAawHXRA%9CgSvC8L@=*7KE|BR#FeQRB5v$)OysE!q(XR#$ zjmuihSL#<5%w2u;^jA&tDw`$7U;s`qZ-ucvuB5Z6km~Wc5F%D@4uK7&%yNlc&h)Tr zm~d%A6^u2Por+`GVbl;m1FZl*?`gaBkCWB=bpIelF1WQ#KwFtX5@)hRz z&D!1ptZ<4G{NLdlb6%9s>9?qEfLa zd)m&Q7|-UYkX^ssFILx+q@Yy4{1)gxrbI&%sBoS07vlfwX^}x53|dYy$LMDLqDb zivw2(MPC7^ITR4NZBG)I(*i6ZfDa)KVgsAW`tAw)W*V4zAu8~%D^K04EJ?pkDHKsJ z$xm9{F$Jc{4>6&eECEdkk2 zr~ccKkk0)&F98ZPY#(l*&NA{|hf}*!*6PCL8#ZoGaFi{%@Dq1-=%qq`2`mfJ=kMMt>6p>myD}o=?{EdJn=X zrif~WGuwbbSK6I&aR6pX1($XG33T06vdRg$?`9~fM@~#-4OIY2KTEq``d(#s!i~p@ z+K@6|FW$bWd}}1_KY6ZMQ&Da^K%VRNpFG!%<^SZlIt=#4S7`yUV`swDKW8if@|5Qa znt)jfBPtq<|1R3DuYeTG3$#woIbUvZF*sa{f8)d9P)*njE3QNH1t1VKmcmy-vE!nF z^RNHD+PI_UHgO%xn#n=3X}Pul_rfh+NTtpE?aVSBy=;N3mr{81OxMXj~>`jleY(3w^8?Wrr6{wWJd1 z{XTDIwf1~v5B}Vll)+ZiH=+x54(=NNMpxh%w*=nYrp)sf1PW8`z67SBMmSTyr=;x! zyF=2Dycr{Adc|=+Q#xPA?te>uUw^gsBcwBjGm&6pA|k-C!O&BQZv-hLEg6fPG}YM+ z7=^1AW06}@rmuC+F)OFbuajH5zysfAh&W2HiVnOv*SJUTP7Klc z;;|6kX)#d$bBZC8oXR0j*T*@RjyalY&D=$aCYOAgfl{+K3Y>FP?VYRmc5>hgmm7$) zT(K7CRA&OU88ba{Q|f}Y4QTXF`2g6Gv?p{>`53G&6)!bMr)PzCavN*9RotO(Ylzj}4R){p)Wl#% z9_62vMR@*fVQg7KCMsvM{8YdHD}7$siUj<^V;vFm+6ncud%??9oV?7s2|Dn=lQArX z(IaQp1CD~6>T+f*AkoOIsLsqRK=hoG#M^v2E3dIdEa}z_z0xq)O)sN?i!Hp2X~2cs zzQ=!}-_mfx_qP!KTfN14~`^Kuvqos%Jmr!xc!DWE4H$|M-smt)^y4%*PsKH_Gkv>JT6`FLZOUY&j!s(XzQA;X9d&ks^ua)0+=NMkO>q8yU zMAlKU)B25BYj;TrTAP@fT=Lq`jI-t6=F17Ks7hd+Rgwt={*r?tf!8a^-8WeQbD^tk zQD|23Ep2GXUVu=f%t=$W>sY;|gugw+&T7Oohxsm)kZ%yW*QZ+D#{bTS3%OXwf1?SV zr%f8QD8{}7$m1!cCmWR`{RsNd5zV!ahuycDsN+e>@1r`g8p9J?g=E@?U1jSSv*)cQ z=Wha~fZfKq2#twz)~^nM;JyWqyB87dcoy(81!d1trbuQH%E#penAT741=6V2_Z&Ml z4n>+t*m?FB9CgSzZfShA`uiVLB0}vS-^;R#L^KmBS)+I@a@3%0FyIe3N)j+1S&K!GjylIiqsw2to(sdk@6wR zs)t%%pJU<vGaF%!BcvLON+ZboYw^6KNhFrJ^J0%g;u(y%ODL&MhBW{Gj0ca0Ju=) zEsuIS-DV_CKYKO(KS0kf`&`84oXR>wY`9q9;*AGCZl2lFLdfXUA>9`p_(jFG?K@yE z@vvfK(}uOc1v7T9e8qc_;Q3kZW|`u;^~c(MlK>b9JQ-dV<9eKsQ58mONA=h_5H<2a87 zlE6Qy_QBCCHWg#GXnd`%jZPIyFvVHBm9=j)Gd3$~W`pGt&#}p9gRCpp$-zxl_Cf7* zGST_s5Oc(Ak$GihIhN?5I{iutITEn&cbgdEAdyTM0rd^2E&39HNSWs*VKs9I+_k3t z@|)U>jfx_h8jn0{m5FDEaZt4O3+pxE3=WGrSF<;O5l=KPX{N8ce$_L5u5mE0$4_vq zneneOQ7K?|aO7*I@%dcM&w8&`REi*(l}kyt6<>(nROQ>M6$r*1Mk23Ua-+!OnXpnn zYY77b-w-6dd#2Eou4~pqB{2y-9)Jm-6c4?xK~fU+><+J zRmnXL!BS?N(XNz?kVU6&P&B3`2flffv0pKe9BhxV-%JCGxxAySJ=Y}F8w`)#ZEK)U z5lQ2?O;7&Wn(lb9+bIx_r#8@H<&CIT9+z>sRA*q@xwTQ&DN5Pt%$-QF@o)iUk7_<| z1^WS*m_-g&147KDD}~>$YU4LPhz>TM1ePmj;FB&|G?tc^;Vm};4OHPf+0^w&x3 zbjDZDPFeig>Khdvr3#9p>Kw)5?pr2Skkx`L{6a6Ma8break@h8kp@q(GJ z#LQ@jUj=^oS%LSJZ%gQB_LelaNSmg;FY(C+lnRWEJqgNd;;NT}B6jy&a?um;7QS}` zbjAvRBYe59Q^Z0Jyy}N{ZNXlil*wMbl_vIzChKcM&BhVXki5D6XF07RjbqGV9Angn zb+YfoIQ5s(h@n><&4$G#guL{m*2W6DR$%|_U`btA$>TU5Y(GuWf9SFm?l>~evuZ6# zTQK0pY#`=W&@;&=JA?*O^=zZHwLNw<3mMIQfpSMf5fD?Iu#PyYG$N4kz(x~jbASRU3W5t)6gRmVzQKfbR2kAZkp(1|9}i;hDBN7 z*hVyaE1RqP>U^le=7GBThYXLUdpN&*((u?^do%Da&!+GK;XehdZePgQvh0AO^ozC^ zVZr^hBeG5}mac$Ac3EZ8L3^avgi7PkEy$eLRNqd4q4-ZxEF-qEvbEY~N=(HbBV93g z^uNJ(;)9?0UY)Fy2H~|SYpvBk|F%E_2}Mf`67nPW`Rmt3?(N_)xrIBdcttjKV1U`A zp!4qxa3i=zifvOXa+!IlPnq2H_^^i^al)yyPgeDo=r~c{H;2z3Jd+jsx#U~_@aw0v zX)h{^^6Q;~m2pc|qozCN!%jecioY_67tCHm@@guPxOOjGx@j6-7#$S=Afp$)YJV-k zbY2b%X1iRO4N7|$;?2qEs7l;+VgQQ1iS|^x;sWKA@JL6WQM)VO)4BRA;i3AC226iB zp7>j8*YRmmJhB`6vkb9)>;h&aWX$sMO%F^DMyzyOP6AI_w-H$fDw-FJX$=WS@mWe2 zlRkb?jI@os9tqJ0sJxE`Yj>s``|HR5#QiIFp_aUcdaukJa^LL&Y5#8H7h0ox z7GhjZAnZ)d zxHa_hLmu$9p*Y@e@m79z>%c4`V%?iJ!du+)C0dlFIVkqwaWT$>9En`sd(E$W z-Zdg=4$*)Cz!V9W=GkDP`tz;EUqWGa0W*Eb2khTGYV&{LfQ|4+vGVFy_2|GX$(kNl z=%vr6;NQ1;CZQ!wEjc0Ugvy!Az^A*{uU%M5es219;(5LuNe+Aztul$kgl;U&f*#qt zEv?$~fNKO1i(P|FRET6Q2KEao-^E0~@sz?k6l)t0_B)>dz^hUX^qyW;s(2_oz2mE4 z%mrXOJezH!b_lkSR_2e7MwS)V%+{9LK&?* z`7}AyA&h&xMs+TvV%s`N40FWZ+Yq8jsvOCVwYu|uREQ;8SmYMUpk%LfQ945GR(E=| zuK~@60x`|o0%8)cb>GkTn3u>c*XtvOYIQv4wB44^=JQj1 zn?9S`E-p1{GM&m&v!1nmC|S}4sHH$69<=wtcwGvAc6DLOvIOFOoR1fO@rXv0@9_z* z9)X9AyxHtZAQ`Exjy!Iv!t@z&XYnJ}p7buS6SLi>kO}S$V=vi+&v7S>*TC#0ADsIt zDelX7uY@z1R;Vkx;nQKLvemeEQ)9^;@o@GXB4bhr!^zG~u_AMPM3*-9=+ZYbN-jry z^`p>2-Jf#aPt79!wl;YfV`kzd^cf2LF2AniQmm&q+g=B{jB`2>YQ7WO`e{qN)~h)~ znu+`Glfmbwy*stpLIfvJwx?5YaYaYBTRwx_&z$q_=k{?S`I1UZhNKNQdIv@?BBObRoCAP81Bb3=8#=UNqQv1R}Ke<%xH>V1@1$^f?G z`F$jZYNkorR}yf-+WUMcZVn!M4!T08Zo!q{Oi*8sue^W=c`hKa@Fg!2Qt-Q?6cY$^^)bSX1`_i^! za6WIek5BhCiw3_%o8YQam`Vot6^e!ANH< z06850DGI@)f3`sJJkNd$FfJ>ndCnLkmXbxFzZY(H_eVygNnTyjiLpopjEM+`6?Ns# z_=%9@ynzU1ui__C=QPMm3g?!80&8r-pEWk-kwi>^iHqLSGpXRe_KTjI{d2;{{Ylxo zRrRN)DocPyUGdz+l7s0*-*ro2#jbbUj^pWtkN1PJdlcZoCv>LtgvFBoq&lQ={U50g z%tyeJ%3Qa?37a(AKTb~vW`LURvq%yDdk3~&?PnIeRP*r zg|&wQ%PYL66X}ZrvjZ25#-${XTVkX{w6SJMowdGom+oB4(2SY zX>R{3`}GU zZ=_!hw^{46PW)@bifVD8fHXs$RhUq`B8{IxblUmT(^t>9sZ0j8`tnQV|I}W>Fg-u> zm*Yw_C)J&^6FZjK&UY{2xkYcZU29r;xTvq*%=T!eNrPvglwadeDSUP)Ws;EEJdRM_ zPBaiDfX0iLupi_1AZzyJI2cBX@5vu7*S9D8&GHMaLZ}YY*y1-*X%YS@D;LV_UBnc)` zF>+^bx06N)HxLOhDly7eabJVjuor6IM0r-v**8qxFjh#{scY}{X#)cw_eQnmmT~^? z4~$Xt$|XFhdW6DusaHM)ck*0+D)^OHA^{YshK!L57qh2Bm&!n(hGxMm7m++>;@|C> zTZm_=_I^$B)vp3HcP6Bg;@EZVX1Bw>*LJ@pPR8ThExFAm-xq>^5yQ^ImoKkA#i=l_ zjCuwEB-9fOoa5p1Td^T~mNDU)|B>$-=V!o14-{77-@Zm=b5?gixgSh>@fJXPag3Q) zY{zfm+ieYNNrl57DwX+GH)*)AjvY?IX$dK#&3!Wmovqxq=`qehMN2T$Fgw^3by3SV zjfEKdP+S6i>*uG04g=FbYP~YK2o<%&lu>V<)b|FbwqrzC#tObR&5z2b!eh87U0mdBJgN)a zt7u}bQ;&zo_D{@a#QJGSLk$@DS5qlwHgEqM8h=atdWFQ`8E+F{xO0gfG-QXG<{o*9 zY49*pJ*pT)ZK5(m$FxTnvZpuCQE;uz=h+c+8#fduH!DZt$8o&o2P>H{w`3FeH6eomX|NInua}(=oG|-R-ba@J3PI&NF zd!hyv?|$t>DVj*af%v#ZGpQ6H=_N5)ZEcr1(GAg=5O33c6yVV*#CT}heivn0miEpu zB3|8VQ0A?xqeu%xJ^f3kfuD>ZjSqhhlvz1AfjmC^=+l$4Xl^+V`|mLzv0%4%?*vcB zfW&tI7lKPsP;*{d(a>LfBDYaILtzhed}BbG#oF~;DZO;lJ^K)~spi_!PR8>RynO%V0dZ-Ae}lRcvgPo1;fQ9AVRRXJ5v z+T^9=2*=nvr3+v4ggt6!Q*6Dv3rsEUa)|~ea9>m#M3>l3M+aanHC1R~ygJ*3_PnM} z-yP%Cr~IeO)+_lpcJ%1vhF(KW?L2)Y_+p%D){>7?uo4-#dCl_iWlw|wPKo);DdKF3 zYF9uKFmyn6#l13!tSi2K%Gf_blZ2F9_@+8>hH)vg7dcPIN}=xiEEPK3G?>fMZ#;CE zYjPZCs(oiAC9}lm@0t3z*$z9_W|@VlrV>r}bPu{_IrYs9b-EKEF{KXkyFcD#jr zM7AIHmb@=He7A+T*21+ZAA(=y<6IhCFc3|4qvfYX)l3Ny&y;+bLC!UimXh=MMcCvu z$4$7eq*?XuVjUM5*=pA4G6j-28Q~O00F2=8+XW$4E!zxVeaSl0O%#0U)2Ga`ur#=Q z!~WrYTE2?pEHM9a5J5Jf*Wx_;1-8KS5eDPW>%jU>5J1hS9NyBy8(wuG%H+87~2=YMmr2QDkC(s=nf6+xN< z$)*@U4=NfR{&0j4KK8e&w>Q3E^+4&u3qh)SsF0+c-KS%81y;hwfmELtQpZIrJ5`N%k&4lg;h4WSUEf@U}6X~rGU6i982}`Yvh2EqD`CSbS6u; zma%#0cbJPlwL2R|iIJ>YY9zBZpzBE{$7}K7?a}pC4s4ZPRS+@*BU#;D1u2ZLKf?ct zz5AaXwZqLuUn^uK7iKT4zRuWJ(s#%Hh>5}$LsR#&c7UY15Do4vFk<);=!$o{+}9V) z;~BDjtZ5XOa222_#D=M|Q9f0M08C0{kO2UdY($ctf;mX(?Az1@12NjCE8FJ3W6(V&J;(k` zQdg$X(Er9gV9nduDs)-=5i#}GHcG# z&?$KpYyE}MSbJB~%xiFE?};qG_|e9WT9@n`>7P*%OT^!Yjw266is-DJKYY$nU$N}y zJ#DxD33@8~prB1G>dy7kzOuh$V3mv+S3h=_9TXa4EV@6+ONdv81|f3u&QF~pRsvB^ z2ZGPDqE>G$Ne*9txp5Z7kP275GzLnaw{EZ*V)yc2mTgCZ-CUisyzaK#J(4-c+6?e- zKbtDJFSPw~@vg9Y*6g4bpnuDk*nAc+YzV>us2{W`n7mskWA>qtlW+hM*6@8&WwG^S z)FmjZB%n{(V(TM1I?BowVT#k3|MzeqAFm(YF5h%-LIvmMt~%peL8`*$MBlq-mul-B z4UC96;B8eYtLWDdux$TxsVg)eB$3Lfh=?XF_8Pc2KY2k2$UzP)XOY-Hu-FtEx0k69 zI@VP}?UOr;oAY2$oBDgPItoc&4dVrugFRHpXFeOSX#tpwQo2hRQfDO)JX5kh@|QZF z0=N$)RXQhfuyPX%r%X9OK~{*g-B~0AZ1ZCI!%5}$(CbpCcU*DC13B6whVfaC(vxjm zrSN0txL8uAx3pKYd<4>WCY^I-(trWDq+Rl{Z+XlL;wL#jWavkoVHLrtn>6qGmGluA zVAqCgZq_=ESQkLBV}GZ5Jv5cH_j)RZU>2~(z%9Qj)Hxd#C)?^BH2Y|}dnZ9C?qF&t z?%7P08#cSz*jQ4a+hdV?+$0}PNPl;|lN_F{(Jx;iO^tzfM>tPzh|ITQ<>TryD5C3<3f3_EQ_}HW+cE+I{i(04uTVbl+@<&_i zP;;!$@5ihJ*M=Rbe)X8T>R?oEO-9&}ocvs14GeOR{i70`0OtZ~%GBKQkRAxzjm6aj z)iO9v1&IcP`$1}LJUsrx0uT6d2R3&_XCz!U2%&xWz)&8v9bi4i{1EzE;;U{~Q&!5; z4N}^4 z$=!XAsvS_89Gsih;m6v;zvGm(qSR#5wJ2*+08qJSGuNCtMGBZE-rj1z{ylVC+?DaSNoP#}W6J;9oag~mKfIzw1ze@j|=rC9V z0Pj`UI~{VM6DV8mc3~Ss8J%5Ahzq}HP_KE-I_&rbwC$xvZ)}P7AeQ3iYk^-N=BM-R4Eax1(IlxP@2x|sp8CTaK9HzGI*5UpQeJ#ocJmQZhM{VWW>9zTD zEl=MRwlz4#E=Vb^WGZR<#3=_@?tV(e1RAZK4w;vb5E3wc!_%L{EbH4Vl-^iIGxsMX z+u9z(yNL#o#mvwrr$gG(B~u(66FQw^<;jY7D@$^+en5yn^i>Ps4S`97mvXaCRI23_ZXE4Hi(JcYon6vz5~;LWF_QDu2b~uz`j>i zY?iA-7&%jZwk7XC)~FcC-07_D6ouyzGN2_3py!q#lhU6B{`XL#+QWnZ7d&U$yH}o2 zS!B!G?X=fdbN!wdC_5y{y{`S-4TY?ZD&X>-+UXR_-T$@%GDF*EP6D^^D}X|ZC@$}j zB?wI^^{b6kPdNDCJa8npITpnj^cMg-%FAE@>SY;Qh*;{>%5`m0Db$dxe_*S`n~@x) zI%xR7#=S!CIhU#(GEP7itMFS`W16&Wa4dQ7lO9X(XKE3WbI8z+scb6K@iv7Cz0BNO3?D zAJ=*8EeWt=WwZG^UA($B8#bO1i<|BW?eXd-e_;tIk9zhk3*OheD|bHSdKzC;;OTL? zt#7(OVCo+oTK>4*s9(>F6$I%hrY@5Nc_dDe0BN@5rwv*_w}a1Z!sj^~-Of2RVbnRf z>_#h8P(4C0X)>+MQQ%V&)B>7Bgf+K{tM(I+2ZRZ)k~b%u#-BrC?+paE99`MlDi#@5 zfSrGjw>WN#|0to~*oxY89}OM*wrb`hn+}WxfPHt%7pazcG(_Dc4u9zF6bnrw+lCCi zX;us~MmNsR25lYIBt8P|(G=?BEngn_A2myhjeaB3bsXwZJ2o2v|JbJrbJpzZc5=t< z(z0X=-bF>W&xr-MiH71Y;CvU!?w#&6S$O3||3>?u8OemVHMrnCp?6Jv9J9b7v(pjG zQzvSr`P4J2NHvqc*tOlql+z=w{ol-&|A&wE9O{-ul&(6UQxQM-cMV`g-MKcvBo|u& z=GNX}mS@6i)33tITcNv%USowOHwc3E;v~7NmG^1tH9P)KTM2r+RNUt&+&d0Jr%9}C zq`%=mnko#$-Lhf7TyEpzVOC|M9#6RdJU43=J?WR4&B<-r`?sRvO2a|IUnk@v?EgMt z`Qx~e06|3esCoEbMrRZ4|CSWd)s=Y|zQs6w_MWc3?yZd(&+qQNC(a+RjGNCGOT&$>lqTz?@0c z@bnJlE2Rsv)dXhIW6af;mKNiU-YHbC{nLt@QZ+mX!ulcWFZc1K2Dw#?y_8>ZkB(JU z;uoFUTZuD(&~_iw(yP*HjV5!N&srPDI;1ze2{)JtW=I>zXmyTzbP(_Hiz;i@2V{S# z8jw;umC6hbWIyF?mQURIVHn8Vh^hIuO}@P=128(GtILsr!OEo0vbV6de{zp+CLBDi zI2*j-89#4oxUFXv>-|hGG68k*xK~lP;^kwCyN)mCQB6f+xFYA2IOR9s&$d1J&4g%W zJ$1ih?Om$2yB7veMW#4d3S^EieN8zc{3br+n*u%KPBau~GG2Q2*EydP4<}1E7Ls^> zOkF%)aI9dz)9Oz{=?~&!tN5|&PYY9@tVBkN4i$wQq%;i~T!7GfYxY6BI_uHOh@LR} z(DoYw`)Pjm?VqK1%tPHy(@)Q;s;f1hMs+nDV=Bs>-Z{o|@jTj|Wor!_gnROy)3T3a zj;jE|5)&@b3H>}7Qq8otvBpkYvXNyW)E*9}+67o{Fr|DtMFM`KxyMYN@@j1l1j>_i zX_+sP z+EW8ykb47npmOT2e|;FQhPa4-mo9;M3X#~aLuGE%{yN#4pUK(pT+uC)gOTK-16Lt| z<{FHwy}Uh`$qq@|-x!p=-8%kTnb?pKg%whNk8A|485*HS4*lD?VYkQJrJy$A^iU@Q zK!H+BwaKGJi>TEcKyF>8rSjoOM~v6hXJtuyV+hDq0zbAFWH$pf*dSiUv)0QK2{5X5 zLUY}s)$qAY_nUUc(;fTFQ;tdYXj+Hx;)o(BD}~+(Ys@-_HS*E3k!gHLX1=>-xJ)ud zH`1*&*zc9fahxp9$V>e^F0tU7cD~&(d{v&_F0Au?-MU=>m!zmuRqNaA)2b})Sev6r zHIYd^Z^2)xdPc8ro`KZA*_dE%H6>zLdiAV+_%0L?KwIH?ajy?*pMT2Sd!`DUO9524 zr6cv*)&w!m1~WwOEc(XGf?RHbTj7^$aj0T0K;kNIvFMXKfJ6wmQq)v2pMpA2@x2~Z zZI4!ATg~#o@uwVqWOCRfN(wLCrV0FnHY-(5_WjF5siK``X+(%gCanH>MYXti9OAiK zN66%hw>K+XTH{_siiA3JtPAS?Rm47@2r*03%#5NAN};}iXF_c7!VeNcC6JGe;h1sD z&Kf@jNzu8bH?fiTv(#j=L+As$P}f56z{|UBi$3_-1ED^X&zf8NW7X9|FA&U3;%IJG zaz|{aVxM~FMM9e+>i#K(#(7^>BbzQvND==F-7ua}@NMAG@j1X`T*QpAZ&nYc%XH=i z;m?BpYt!2AnB${*B{I>0@U152>BnOVdN&=~y7pZ|V2CpDc-GDo_&)U=nL`^$CVYQx zuv!yV^|k z9jnf&Di}T|h*IaTOS&k`J|q}~9uXT$6+y1|8u(Q4fb}c932qx_d+#G&5~^0XK3XeD{fd}gN5{7E z3Rmp9c8FzC%8CxkN(@Jzn6%t^kPZ~UKj(@3C`VrN9rTuddw9L{;6vSHub7zIW$}r# zKp-pEMd%6tXzx@d+OoxZm2`@-&Oc)YpwO#wD&zEL-|gk{vUX&Msny;j;hkGQjt&*N z2--U>>_^V2HfcQaXdHLFdqYWbRtlxXkM>~Mn|l3LG{`@6I1jnJz_r867v%JpHrYYUyR1alFh9kI z&KZD`M-zRTfSKWfua-W}Gd+5f!#wN*XSQY_&vVvy%_sdS7eH3WeL>lj3ZVN+p_8Pa zd5jO58N<##AuxPY&@LlKnDxt7^&9JE)cw<@J;F)S9ZD?2g!(`dKENNRUW}QY5;3dslC)C)}eZch8%qln+}h)lCKIWF6QaD+0OShNh?1+n4Or#$BjODGch&#A)$B{jaC2~R0ebp3Kl1K`{Qq0#Ia z*a)EMNLHD1ARegCW)gbLrG`!CCe)EAT8ZXX+NQj|x{EO9m7KJaZ1GY!Zw?TOH7A7z)GKmOcxP>K{cLX zwr;|qIU&$=C<*?u%IJo@bHeubxu;D78++e@rBc$P1Aawb4EC4MIoRJxvGwa2zBtHc zKg{b#^9eJZ3JpG#&pC8n_8A*B!{gxEsI5R}d;W@Aqq3sYh^Gl z(`t{4fKKLTdI}JNo+aUqM&JG+Lj&6O3;7ma36NfBFBgy&|54}Riol_J?B8v#9=o}K zBK3oJD<44+qzuDRzRzJv#&P9u|Lw5XU>;FZ(Y{jRoG3<7clhi2?bzL3E~HM^HuQvA zfBOU0lNIL1pKkL9^`ggwmEYI=7Fh35f0PS_KN8bqw~Z*=7Nzi$!|ce>&-?CQ`&xuj z@ZzT}R=9;6YQFupKLL#jX^?!mw25pp;RNVT0Nnv+(0DMjXpDm><>+k2K6pp<8Q!~t>NB80y(7$qcJZv%BKN-C7bQpC+6d3*d{Do(=y2W zh7CdKOg!h@`)!CjFbI&wD~HCrrNG!4`-6HT{hF$LaBE5YjL(4f&eZC2+9;Sqt8*b$ zWg>a({U?_RpWj_u_m#BQ&c(WiIFY;yQ=_;p(28;)Svhf>g&cXduvXv$>nmMxX3W(B z=DNA>9K8cOoF|Md7{(sv)k#8sUQtm!9wLXXyxk~$(04?Juy}wfoJ6TPabDIuWUY2P z4-X)Bkm;pu?m?#%DsRyPM*n@L{3^QrhItqu4GqVUMPoU9ADBw?@UMF`<;SRjraVkW zU64yMH+JCK{(y<+^x)e@MRp%k_|>~>jSuEaoyK>#!c}KVzj2z=&I*Rbk~fgK15QOO%9M67nKod_d}>Q(5b>%}>?97z zw|(Gh>bdB-YPd8rS4>;l5wRX^kWYK_e#ZQ>)vx}j(*;=QLxI>}%Ncwmq9RW9o-o42 zE~VH={%gIpgEjOcy$(ZPC(_0{@8Itz%wAgdi9FN2dZH%8t6?EV?rNsAX)suuf(Gp> zU4?-yw46RG^=p8U9$sItMsg*m(f(ivwHv{U0C@Wd#rm{FJ<@!=?q$UIn$U|dpEEVL9UKr1GJdQmRU{~^&5ELJAJ&P zd!bV`<>2mL<)+i69i;HFhrQVP^^5M4HFw*jQn2@#J8v@uzG4Lsp8D2Tnt5WPIy<}g zcVN%MmEwfKI&)t;b5I|)Hk%BXD6NJZiTb8wk5q_1!FQewSB0O|h33zz?@n1Gq|VWP z@AiIc00-nUDXA!!%?65GwG@$djsHHdZ)rEy&sF8dBZbztEcJ- z?jTT3V93-0G`BJOxxQ_n=Sn)b7jct#CS)&n#2OkZ!J6aPXSr9ghaTU5c~|_i&XIyn4lCDpj>X$Soz1H(yo{h_ zYz6JPGwfpicNTzAfAu{ZhO`wtD$u2!pYBfSsTck$qTGbLi4L+?Q41o?R2+T2ZrDl_clYX!3 zYvnL1g?A2~cQuS$pN~A}8JVVha1Goj`|=nQMA=5A?Tpw@7d?0Z3A{hi2E)I*;B`>I zqXJkuX$#+7D-?(VdRP5-yHG+}_r@Ng+vLDO1q$FXUdwMfP-c%BEm1)D;*E__D-TkE zf&>tZ7u{a+G)T`fbMS$|@t{`^XrpR%LsA-l{aew&m6-j6ux%cHBfyX6-|rOpy>Rta zgUDRb+TCZV4|u_}q=qwOi(-3C>_mxw&RPfN;5=ntxeRw0pe(!`N(CwV4JGz8PlbWv+|cP2oHX zku)1vlL@QOj`!q3Xs{+T* z8X!$%^F#KEYlis@M3Oga7yDy2<85F@dT;;fXY``aCz`4eMjLaAv2KKN2bQXYyJ@(r^CsWnNxhS5-V?mT#tN9_3JkR zJl4AJ_*3WQWP7jn<(*86-W5M%{lKd5<;) z;ms>^28c!@B9-4$qYQ+nSAg3-C>Ysz_ss1=r%y)(@6AnkF)BOO3k@yPb7OGXCFf}k zwGQm6gHsg*pJeQ4N%guB0q135J=biKEA`>uCrmjH!}=wwR;3oR;CpIJX$yl!?*~iD z%N{QFuxy2|O_Yhtnc@u>0}smN>y$@6sAhZh3e;$Og=ODU@;%l8m5wdg zf<^oa06{>7vBa8vrfD>hQO6CtySrShY6ig}GB4B}aj77XJ96#(mVF1Ql$=lK*s8WG z)xjmpb;*YvCb#9#JZ~r!F1M#&_9)qgl-(H?#M;QY*G+bez1YpcLfMVB{S+f)&OUasLkR@hp zL$>TB`@R*~Gj`d>mMmi%gEAP63H`oZ_j5nb{XWliJ@2Pf&H2!L%H|ErRbW8(aQE=;Z$IZ3jhhRzk6q!0HqXc%`qZ-i$6@fpY5YP^>(Pg( z7#Wg{0Dkw{dKTYN3*4I_j+>QdE}DAd${TOz-62J$UC}bQ;YBm9z|ob6PCDd$SH)P* zIrAr*F)#iE;U@h(f%-lL;>#0V_Z||kuIT?(onBrJoM5dq|2R)~Zbs9$=B}=bWdQsAe3x6JF6=t*5NIt?cSFe*`c}h4X{N z-YeA?4j-uQ!C6OBWYyAvA z-8E`3ugNXFeXpTl(NXP2ndU^pF8&n8KNx96Zw#3}rK6g|j410vR*6M8NtFt&>Wg(1 zQxW2p_d7JoI4{?RDUp`MAC@cRTgk6P(5rtmmqvt|LIXU}1`&QGC=|Zbs%T6}f~tpp zFK9K>K7n50s?0~e8 zNEI05Fwuu&OE-0{lYZj)=O>S`N%fd9R-nct$Hj7iZ#N{lHm)X*%UCrv1^KPSL-zu| zHYDKz@(%xsZAu{>(Q_K6uv)hd41E-3WS-?~BDOU=^#d~G_%XfG>-pa#vmWJLXiE$X z*!by~ZWR<@G3!?7nqMv6`r2!;enWt*i++>~NX|WG!i1*)Ge^BKTnQZ9zu2|isJ$De!R)P9Cnx1y9V#;#Lvy`jH z1&R1hT1Gk4a2!+y9dB083o_|j)A8`~%>V)&*Vnu2P7bYU$*e@U71Kie7)V2j$TU~E zk9V%@S|3w%?Bi#4Ws-ktF!x)x=)>j@sS7meGs0cP1nuU?17Jg)p3Ye_`+48PO~N=Y z{K#XE^L+^+a`hd}PxbzoXM6PQac#zR`~{c6UnVi}l`ZA@s4NBwiDwlJ9WDT_cQR~Z z5cd7bP))kf&k~TeBk|EWX(7PXMq!oo&`o{y%##v=YZ zj`cL}1IjPj7q#T%4dV?sr!5 zGdGkYWxQ^G;A8o!D{P@(U+27Q>XN2X*!%3Vri1mp5Bhvck(jaPPixqYM$KBLe)!&y zdTj5-!>RHEnGHLCfnBp_QB%n+d{MVrbCE%U!AAp(Zts2(MEM=jVdX~3>l6!Q^j}5V z@oOHY_HnCBA`Z%mVR|m+JvC-x`z3h*8Nkc@W-i}~SY0asb99J_mEy_JX^AuON}X|L z=qZ|yxVD*u3TS$XCPuQZtKR731aWPRMwtpIQ{TK;82X0kMH!O$lpQC==wzmoUNsf8 z8kecCq8|WfI2veO`Gi#s9s0U`)2_1V1SX|CdGPs3`VfiWm~?;h z;?5C{c}&)OzJ3>PzA-|9DtYblm@xlw}@Ax841X+F@jF5}iv`fZZzo0-1duA=Y?F%|qo-iTh~ z)JO1p9`|Jjo%dV^?YzX^J)@K3FU(j8%U@6Ea49Tr z(eBec@KrF?Lo`}x{2b)&JKpUJUgvh*=8V1^hH1BbtK=WSJ+rFGkWjO$inI333<&pA|B zT#)zl!-yj`PT`6=8!{$8<(;X+bXDFsQ2J()pj-OTfL*eFhI2W+kj;ST`~LUe0Wf2Y zbk0OM8nfLT_z_OF)XWSdE_q&Oat&; z_+qyXP~{7b_QJ9-2+=dP?Hl-eA+yz$1l>7pVk5=`#^ze5HtV|3a{nkh)Xj|zbGEHP z?h7GBQP_=w{2fLO_Ec@=dA?e=SJAX?AqpbkejL$?X{XSGN24iwh25vDU0XaS;v@2h zE8aQH*hf?}@q%2d8#e3#1OO8*tAfw^u4gXGmP33$i9`VVr~pPOQg{?rw%GAgH3QgJ zbNIe)|2HED>idktH?H#YcK}i1%{0NMrcK1*pb9knn?Lp22ymbr#H8S-0%1g*KA(b) z6sWX!u~NE~7nmGA3a{zJ{&vs?jJ+OGL9Aew+U40(cCoRh>4+)NRfUMZ#h9nS85HE? z+YN00!g@Nlk;B1!Z6SRjJ_uweaQYi5=?PQi@{hL-}BD&ZscN-OLSt4!!NdULO2O5Zy?3b5s5 zN5?E(W#v|WiI}1h>1U1G>5gV$YBRddC0eDrZ2f%_L(~ybaQbqUCyV^@6!9Jd9$2uH zUfIKW<1zAAwFQH&y$W*P6DIgg5SDuiSC_rofRPT;>^1Q&*GH-&7BWuU)~*|o zSK^^mDHDOD6q{`ph3F}D?1~9_jy7)=?sdjqLk@>=sDw#}#9XoOLQ8J$fW*&n_`82h z_?X?|2_!CeP@Y9i6s)Uk+EivUzIg=-j4o;)=NblN#vDzkSCw)$jtmS%U#0dZ-_4S& zJlZj$gJ057k)}oBFS%d$q>+Y(mU&&32A7Bc##0Ep#XO(wzECX`itZC@M|f<;c^k^O zgS5`XTfQ1EN)H^w(}%b-@wU*aQfoZGJd}zN5j`onWFF$nYd`v7^%wJ+NrpjRujr&B zn6H}J%Tu!IqSIGTZLLsziqvS<3onD_%YrJQ%3`w4zYdx-!F%1VpL(P9$IsL(He~_P z=8+IL#hqET_Dx9JljGtbRVv`@{|K2rmizTN97$>lRS)h<9Cn;5%y)A;-R(XgmMIfy zec*z+b76O|sI;QbRp2u`;Q~M;2h=MsiIU&df4dyobk|I0VLQh6;o!6<9yU~*;eOY` zrv|u_1sG#13DKs(IQXGv*EBNf;NT0gyiU=}foL_nu797dV>9Ag)6b5h=paAxxy%#V znZ>ZOcOT=Fo*#fMcqU3sDqU}7R!azUz3}I=VYlEV-Ar3zx($>ha++J!)ee`bkWu31zRxFht>?)pB?&q^7$Oce4q9**)&0W9z4{8TaachsD5!XHBHqKUH5f4>u#zRqdw^oLuucA)zv^i}o zUDK4-R+hh*XEDL7M#ttCPRSvk@1Wa;emG8zz)R+JW}5}}=U%~F-4xcVe@)01rm8I9 z0C}jRWwFwf_RQxf@1Qs5!BhfRuW##yt^hBOiOO02voim`N(WDl-{a&16UG`qBy*kv z+Z%Xi*P^CHp&ojjDA5mEUwmh0pMQC&Ag3l8FvYmn9!g*M9q2EWmhGqBc&7T34sz@B z7=YeCOFnNkaUjm?XG5jbACwPQ#vgokexKTic|tAtR$oKO2^gnyVc%-J!a!K0>2M2q zTp(Rb(wsJx(iTgEk9H^;C;>h`Z}IiJ?YCd4`0ntd+--VHewePcG~C^?Q>V_3ghxi% zU3TeL(M{T0EcBZ$&aV}s`Z-3g9Ed~cTVYIEuN!GNJV;J--k6m(Y_J+V-P?JZ!BZjU z;EcK-ozN>5g>9XnEyO9|z1^G#_SdKb&sYUUGLr^NV0v3))#6~9z=;R;Tr0PB#;GIm zwuW?DW!!t*vr@e1B8W4ledzAb3DtYnGHZbnmuY$Cud=gp1AUJ(c2lQLGZ8*~?+Hfw zeED%W@i`OeL*&8v{BdRWkC9;+q3RIt{Nbwx(d4PH0F$7e_LNnS;fL?7)MIbIFStH` zI6vL~#3$XQF0je={%?<+7eu?f^DB~Dosk>;QYGH7?er7H((isMsIVu_9?kEh%MTle zyGtY954qlU{8X8@zZiBS5+S>-*_^At`|HT#oEX{sHQ4#x3en0o^p#o`yl%xi4x%bE zOQO2S(@Az}P;mgoZXyK$%9f`8v?bTG0iN_|& z-fI+)IXa!3QPvj<{!tU?QX6BYdQIG|zZ^cj-_C`JPYLD_`oVuWXa>QnNvyu@$vITi zj5l)N%DO@f%MN30PV>GCXN*m(sa=od!n*C8rS`tS)>2DwJBd|aOi4MGAutbCM||t4 zFXc#?PQ`1!cs`aLc<}S%N0|RN!lw^=@@n7JAIzn@uD8u4vo&jccOK$k`J+7b-`c)X z8acJVdR39xPchqFk9Jr3HtMGq9#0kfegB%|+Oh2Ln1g?NyD1MpnO^wo;}pLijzxSc z4)8b_`r48_ocB&C;WP!=i@f=G0MdTW@j3`)GHzg6S#at01stx>w`(6P~*w92`{nMJdJs7`>gQ?VW4h`ywXe(W*TBzsaN!*Obvq_$; za~Ffb1@@|adU`f}xgV+r4Kiu1vG=UypBdA^A31~{6-X69?Yj)rtE$VkZII5v3k!_EA9#mnvXprA*KM?GaP+X24z z^?cNV+)PlVYyR1F@O5X7iim9cInw*Fu9R5qy+LJ@*;O{{jio}j9~c_SpVBe@o7H^}>WBDyr5GD}6Z&%Po9sDrqbRSuF! z@`gXe;66_W2ONvLn7_J#-zyVX2n6#@4}2Ml_%-8w6ksYuB_NLW5f2CKQR9=sWC^LS zSxD`o*N`67pZrb?+AH9sb`zV*2Gcd=#u4W@CXP3A(<4IE&VaYAq4E}PMv6($Qlz%G zZSbWU@lsUF2NO>kzaxw@i@GJrlEhU~Y1&oo5EJz2&0A@~*O!az`&pPSyfNfBpsA%h zN0XmDc?QPiD8T$;DT4loB-BM%I!VXdg~m_I8!gNXVRXk+1WTXzX_17ez!;R>*Sw7C zByX235Qdt162_frY>(;e2yL~J|BF%rd#_197rIElyg7(kr|}( zGa&HJtV^EPxSw-Cg|zHu)2U$pZ$WZjyw?}TCDoJfq(9y762rCgD>4PsFFWt2e``)( zLsX82E(eW?{uvzqhZs>EzPWf}aa)XdbhUHqsxYx?_&kRc%EXaNBx zD6>QjYaarpt~Z3jf3D{V46dp4x-Vf_zN;Ly9iX@ES5%Ae$V2+HUzTc{rg^`_EpZ7Yxn^lH#mo$~R1; z>x_TSF5h3XiHXgftsaEzRN%5r54&n=CR0a2_b2a0lZz{K?lgr_5+mK8U11fWFAw(` zaUW(~Y6pylB2si4N1bCXoI>c&n;Lu8*e1|>YxvKM0CSzb*GX}q%2KU<4Aq0)T~#L5 zB*L?SE4|)0&{41GsCf$mG+^~^z>yJ{!~0;b%TyBK!)x;tG2zcUU%EVhhiN|j^;&AF zYg&_QcKH4lk1|s*b9Zy%)5hbk4F=v>`^N#^y0ya`X2_lBY-!Qf-jHqbjz52|e?X}E$T;MwKj0_SF+t9lCEj%at&8zs zlPU{diu1o>vEZgs;w7n@_ee%r4M%2OfnULjCizWbg(OlM(O-Cyr76a!Am`tf4YPvQ zBmGKXPj44P0i|IPbiYJUQMwp~3b&bdE^oNI%8o9DY}N$9t8xvM6y9#--yV-u5xQ6T z%#==DOmimgpynJqN0xGkrOf0s$djkm?b%FGZp3+sazHmMQX({>e~m5(G+T09lm{m* zN8F{i_A}s|Aqd6>FGk=f)LI6z*-OOPPRewY2BD2`iYU>O{O%n^X{~Um0dqY`&jFtn7OZtjX(V)NJ`Gb^c~E%-B*~-g5b-gCikd8PM@l_@Igi{QT;9`? zCgZ1D<-b0e6FYe&ENaIFQIFs8^PP;hqrTQ(Ujz8Ex{FZe3o$6mSEHE{CA)1&*p z@}l-06@5;ND{*=Gvimf;;gef%@bPXJNO=kPV#>TbD`R{#sN>Kbx#2mF`XBPdFo&^G zWtlVt^d~{;K8PUDeHrpf>q!|4qCsmAx5z|rGAC*70z8fEcA5>+wl{^npMQw)q~x5w z`sP@L(!|u}V+?&G!46fWiHNsq#W5W0j&rgRjcAoavazP6oC;)pu}`@r=&Q!9{dp`4 zX>VOx3n<4!dh^r_%e)x2F=a;uFV~9eK!T?Tb{9->jpt&ido0$B^z6eL>rze)_okR) zi;xV3ru!55%$S}6h20BA{F>{J`(Q2o-6BGpwQE}w!0K4`wMgP3SNC~TBlj3c7CVaj z%rvi4*<=0j)OC}&=$>t#z%Dy=&W9+G-Cm$Q^W*2?eZYHtmgv<9mm+Gc@X!C<9 z$i!YLukQs5@XgG9_c^P>-O|eZpdMYHqdaCa=TE~0z^3!!ruW}YW`j?yXg}>pzZlx~ z=yF<+DqbZ!NU?&0VHWex6W@FF2mOgcjyI3aoFvj06a*iyZ%Vu^7&=o^7@r@e4%^zqbSkEq2N9Oudgn^MSEG38$-xIYMc?Xt`3tsX-X{@u@qH|2IfC3$ZOn?f zTXwIf5bNzHxw7O41=FPhgq;d5x=5yck0MCzF1Aux$`>?wUZXW_6jVsw<-ZKxFWW#W zAJpi%I5SD#yYFduFIAn|AkQh;j8BGxiX$+;$^=5!n~P+UJEJCFvTOwN13rIXs^G*- zf#2ZyE=JyA88%T|2oMOu* z>%|3{0_ljYFQq1UCX?|Yi2paG>HE>D$o604R8Z5mj{RdR2`qRq9A9b33UoRO2L&C9T(1gZWq4!~^-tsNH19|)Xwh3j zOZS@|T&1l#+9Y6z4P5}+T)nD{6fp{1A%?XsT==-INYI{@$2uIxt#duE|1P7HX$F1| zfSp7LBHNZAp=doOt)`kwz$b?NEgaoWd_gh2Gf_~h9F za#)rAm!;?tR>0lUvqr5B@ZVywrZlI6s6L-C#E<+_CiLj*i8`jm5M`t9;F4L5Th38WBMqb! zuGFU4PpZ9jsIVF+j7~uLJra*sQB`}^*=^o(O2*&5%NZq3k?!6P_3aB?4DGF`KSBUK z2tlx?(p8tpB;|W%_rU)0*OQ5M>cgyTQnJ_!k!{fxE)&*D9A3Ou`imEpx{wZX{h_A?YsM3rZX zoWU@Y?pA_|hK26Jl*xF|2hL{L@2uNDK!^WP64l-~W4N5MtAeoZ&ED;Z*eGwXbBS#@ z8zq}WL}t_Or+UPaX6So{g9gXso;75tCOd6#k9=p05_!EKIrXYV*z;)6Te~?t*<^Hg zG9PGIot!4Tk(a8D*Lup#s*($uStXqwg6vNRK@{60pSsCZ?I(0oz>1v_ueY7Ep zg~LGrwKX`+U{3|XS1a*;Td}AqoJTOXm^?DDFdFcxKe}~Y{)C6bb;5W`<3FOwQ{>DM zzZCQc#?ZDswy!el(fzZTG`kUdYi8y@pRqrs8$9VLHJsk0_o?;%;G#k++0SP!XZLxd z)+Z7^yjGrnN?pu!lbPZS=NO1jX(bPZa z;b`faM4lntYCPml5*b%i8MtUx94NAvW(FX8b^TDX9fu17U)!yxr%}I?5IZ+J5G!u* zg;@cf)b;^#kap_=CgXv54l7?a9W3umbs6tY)#eU5Z@o4@}(E| zB2wirCV^c=mx)Q@$w?8V3Z&6ON@agciq&B%$o^=juwWlAey>plpK^Gwv}|GjQal27 zoo7Kwf(skdK0>pBVon0CPKeei_Do?o-;85*x-i@7SCfGJ)>_+EYfzM zZUO`MLN`Zh9T1_EJ+~n>$oDt+UCR3MQ{^<=o+X(Ys{7t6oTyIbRH5W#YMcS21MWN% z4&~%XL1yWhPLx5wL5X2SSM6^e`P4^OO8O2>nE+bd$oiv(F9EP*7_aD7aeT|G5n)4h zW7{!}d+BaTacFOf-0ARGIXYxjw{`WYE-Nk}>e{2KB%&EpA^R4H_*QNecu0<3+ZhHZ zEA6l7tMntS2-Sm!j}o%jcMUo1!xR{gj3|^nkGVU-TW->2Dg$lI85+g5f8oLWFFyTm z2c`O4H3#6A)R(txZSK4dKMm)W(_MX`!WaA~e35!Vt1{=3I8yFtz-MM8YMr0aqNpY( zB~iIbY%?Wr!i4i^dZ2BPTRB6B&@}-qa?jZ9Pw`o0nEK6n=q0C$rWdCRX#mxtL1v5? z6Kj(hzHzq__t4Q;k0b2J>6MwE^5YrAc<42H`i=8(uL)h@uJTozOV@cxjJ*0l5C63h zJ$SPJ_64Ns)F)4LA4~#|k~^xdU3=G@tl^-q1c_8Pne0hXCi1VWW9mYeuT3sle4nL} z09AsnHiiF{b1>l@d8yI7j@@cDVT)x%%Mdaa>60jwy&E*2r7#fEUXS*H!SE&S+bERA z$*yg(o|2$@uAv@2f!5lS5pidCyv!;|=a`Wfo8azfEFyt87(DN8U_!JpTk@b8H!KJb<%90S8kkP@|`W6r#^Rr)gyf(L3Vr^`h~Iuk=LcKwkq(Z&8*q z8#6jkQ9O^G)&8zqWF)7$A>GyVtm+`*gOwj&N*(XGvAB&Ds!3Nm+ae$W-&^w$ogoON$07L zNFX}GAJe05H(rD)A3n6DFT5RCUAA%&ToSFH#d26Gh!J!!GxR^|y)Ycrc+mxG{*Xyf zM~YZ_OBzvbmiTs!5>zCBLAc}ZDlkaPAvjM-$sF}@Kdht>eok!V8|VYHm$$_x&!n4g z^@Zxy`teeG5gx{5w)ow$2CRQ~9g-RHq;{OlopRKBX-DaP*2p^H*-MJaB*{7lfy+Ge zISnA!Fjq7!-(S21p}%gyyx8ao?g|EA|8wcSf;L}SQ_7xu8ZQSc18pp^R@-Z>42vi` z?@FOXZAYHOn9KpGOUppJNdrr$HAE1Pst!ERN*eDoA zxd(9!$}|}DLilbcm1AtgEilfDbF~Kw)I`Rg+(lJv?(Z4}9xkZ|4CRpfp>$Tdv>?~F zNT1-au76tQ{m(FHr}1R?^+KGbzDoT1B^{uwVhCUBY}<_(NALVvE_MDus}Wc(CF28q z77syi>s>r#zyixwUXGc|?+AIVs1~MS)r3;^mka<6Qg#}^D<1Ypeivq|H!X#DZy<8B zD6^fcU4Y*|xl>WH8F7skQ1qsmOY6*7l;8HukxWUW)H+=z?e)mPp60qccYdZawLlh2 z2kMGv+36^0z?b|L`TS}!iZd2_+Om2uQeVm2-NrD$Q?zSfD8?sJ{6}X68Mgr*%XCj6 zs%Hii=Vu|lG1)pU{OXwhm3W9&rREuV%)?pUV`srYutG@02hdRdaxY3=)b0?n5uFER z@DifyCLwn&*`#8-fZ~UNg8tlS+8m=N_6~BvXwn2m61E~@gk{_#H;uZP)M2D+kmO6; zni)daM79V?6=z}(YrJKxkI9PK2rcyRk$QPh+}pe`bqa)giP`S>jhrOv?x8F*naQyp z$<0*$X<#*twLN|_lpY-a1vpXFH$B;A$9Ju{bSg9W7jaigtjYKTrGRI>vU9aiHm@(p|Aq7sgzhd`P$XL4CQCE-f(I$2I^{5aEJ~}0G zvE0P-YP*eP$UPYmMdD+tdU+r_M|2vKYf~&w>@vr!r3t*iUI`uWz|qbKZ(0&e`GKu2 z*bcrSzOXB@(g9Vj7Td##^z+ta4wX*R47jBwnVbZ4o&vd2(#0?^5m7%_Z#IY z{r7;uW1`py-RRd0>c2+KpP?8U?$Rjn?qhgvX72CAFno$+X4dv6Bx|b>a(DCtW{j*M zX}5~<3djyIz;cb6Y7-Hu!_@pKbNIE5PX6q+l}EV=nR1%GV!zh3ZFeRfdqEDiFaPEl zmgwtA!@Bm2=7RxBk6P5hMlOyn$~rZ@<%rN>d?v)QTIp0kdv)@Il&jC>6RaWmR?aqN z%bj-vJjZ%!Y;4Qv!}0Yt{VdrvfsVpctswfhe>GEr9^U|=4x#|Jn#gjkhjE+e6r0N? zLdln~sWgueA89?A>Iy>sV@QKf?!r4Xtye*2)tDS zJMV1o&TSU}M<(=wv+a(Z%sa6EycO_=sq*}O~lZO(dqZM>k$v*V26D= z0f)tbMc0UCQLg#G92b2$B61>yzIF#;cNsh4%%BsLmLz+x{@ewxFq*5YhRZ7jzG11| z#Jf9cj|7bs;E8#ImYM2@+6$7X-8|mH->10ZD1M*f!d&%u9CJaR&Zao`ihE5@Hj93s z3yuFIdc?WjQd(myT^ODm3;VbvA*-?PG#h@=1N1L+tNu|W@i)XZ(na%2vlH&cAdB5* z>;eMe3I%68!UcQ3IzpW8Vk1Lr@QCmF=y&Pa!WEofzu)_p|W?c59n>z2;zH(%I5D$-Am%MQ#VN{dZybk z9`e{UrpRp-bGqdF8KxG_GI-VL3Sb){P)CeOI^aC)oMrnfGi@?0hV;?wU%{NZ~SC4ah z|0yr<4>i|+KbGL9VXAoupN`YoE&ks*S)pK#P&NXZg)x`z-rpqhb5s#viWATrFO`4S z5~^ZFu-YWc)Yv95JC%LcHs;3bm2db3iY1f`3&t7;(*`CODuUvT+t^J0>Sxy7D#E;CrIMC0^WFJPvPZY+H7i}k zYir?JCh%a#-VO`&UwTL{(s-VQ+0T|b_Gq$w({(YF86Y&({h_gb8MnNo2O?VBwV-re zxU$^-^>1u@i(J?X&{3L=Nb&12aw&i5LA?^p7_7PXsGudyI|cX9<-C=y@Y9RUypvc< zH7h1S0VS}76{*&&0(F+XHnrz~VEJpH zCACdBT8@{k{UZ0?QdF&;La?rm(D(=EhI(kl4^p!FYn;r|R!NG}|7Ks{&LFtBTIdrz zTn6N5F%IBCy_UsFl497W2_&lmJInfmGo>FvH2m$uu3#L>S*Ka-j;D?B1Ko4t-8O1y zwwLO>Z-raiZ(uDd9{!0q`hS0Mv?*CXC8T=u&X3@h{!lw8_y^j-BwO^8u`Dwpp({47 zcI*9$!9&A@2;}$Qk%LnmXfyy$km@@>`xarudYHBc+bF3__uNbf8+&-Dh#y?rCy{xkGT_uH{e!ZNAS@pD5&F z;LfYwD0=^fJ0;?Q30Q(rFIr3f@4Eob%f}_Vpm`@ube*ay4hqBZOoeIq_|)JB%h7|l zi#=uYRYp^V0uU`T>rDY2#h>>+dWTDUOsRRQe!^jHNcn3-*vDikQ#)Lkwu^43_maw? zWR*wqN8r09b-cvjNW*~Db~E{%_)Iem1vrMc7C>mzrpBBM-kI0A~r6CLmZLEb$EoTMDd$p6gmC?VeOY&RaORLZf9K&jN0olB^Ck0+2ICRl}HA(EA z*$N;x)cHSUb&&s*)lHez*op>Sbrh|(i%t`A*t&tx^P1)zRN&)E3^b=z3VxevaVi`P z*&1N4E}yt3HdD=wu&T5L_|B-MyoEu8U4b9 z?^UWN>6+$SMNh2FZEEN_m4p6#xdW|KLx1?&h)%wfWSgDNh@%=u-L{h4dh!(Kf+VxE z=Xp%5-9hm4TR+kLK=-76C^~k!CfsHM=4EL!%gF_Gv*@1Aq#@^x3jtKUxR01XxVfRiryoLM`6>+~?^_@Cu z5&9H4iGL}F7Y0-)KzggH%@*%|1>_Y#YW{m(S$QD#XG0hNdtUjC@aj-l<(aU&7LL(AeZaB^o1YhDW(G5K8?Yhb~ zW+fAx*I5g#8t7(K4AFZeLnp>2y&uP2kVLdiza@QELAz^7{O0|7uva2|&=CWENe9-? z3oHSWU^rq3;3|54n4nIy>&*5-3Z7(u)leK96aXIx(|cAjL*Z0%-oA_mzRD& zbGBtt;Vqq}iw;lK{pe&+ma(9L)YxtF?A{}rYd7b}5yQO@>cvxd%(yiGZ zNsqdbPT^M^PxTw^hq+=|KxQa7NwP{v#n}^R4=H<3uH39E0JLWaJka{>3swmcmjFod z>|e^IG9#!@m0*^cd@7RpGAa2DEACYKoi=sZ=22YPn9+?p^E3JR_Br?iA&ZtlXM@hi}xU2Vnj# z*q}aow!qn1V`b0%Jc~4SBcy&AJP9h*Dt&tfu6wTFY&;P-khzAopeQe`kX~rOphokuEtaxC2SD%SnuNqgZBVK~i^;%&o(T*M(eUF{Z$n4%gcH+X5Yqa&Py^Z!bNz= zY3*JO9sW?aEG}j!A}syZgmbN?b#jmu%_KN~(I3OdIe!VQ=Jv*u4&z{KbyV*FlrL$) zy(Ur$fWW;KjSbC`R<7=`nnXT%@+RB~(1Tp_z^OXj`y?5KF6hkZth{*8-*a02hT9n^ z*Hx%jGyXP=-5Ddk7pCy}9x650)Mlm92XA5v3`Z?je20HZ0~-x5FfQK z$o`tJ!DNg0{{_qe>T_AMc~qhSM9&Gb;18dC7OwFo;lfZnAV(wdJVWgW9U~(s1+y4s zjxLF}8WdggTjgVJ&X)wsxFZF-%E;A&zJx+CLK=Zvud&~!oba%mbuevQT)|c8yikc!M|%zpzcqY49N6-+5dM%OeJ|b z(Gb$F!$}F&@Gf74HsfoJ^&mK(yVDni{flaPng35k3>omesyHv>BBE&h0ZV&lJ-h$X z-#N{HD_f{~{Qh3B=eXWtwzX|$qlk^u@~9rPxJuGuc)6&C{Eik0AVz~vNRM;Wr)vc? zl?1x-3R|^+3A@(*o;%I%DSnaOVfdwpSRZ16Le26(JGC`tw9M!5 zI&WIKclH(rAgltPq&e1DjjG);U*=*=GrUmlXrU0?Y31DYrgSo8apUwN>?wws3tb}M ze7cO>ubZ(oc%D)v9Fj9qD<~LBX51#|>$>y{DibDbHG5L~col(lMybIlKat^S@qHb# zX0z&F%@Pd1L^Ru%p+4MH8cK3nf0uFu+oIcz@myb#5n*i_e%qI*nQu$)M3lb$Fvwb6 zh6B=*H{O|kSR3Fkrv}GrFM}gLOqg7-ccGCvpplXXVLrkX+?~Z0TeZBbaXUsQc=ELK zW$Ak!A&$XLac~8tnBUMfblz0n99ce|abx?>kPk&a0^;^RRdV2&*g~>e0RjA*qd^*} zK$4-MACb9a4onyWHm zixQ-z^rA{UH5d?ONQ^~6^E3KiS`m>%Q(2e70Z@w({FwIip{S_FrJDvfzuf0t<(&!Fkdxp6(9O5UH>nhhYZlbFm5V zM@+7c+S8^9I#O;3>>_`4LHKTwUa_sHav%+w-@O)4Vqg{Yv+MD~Sr!wI=vB0dGo^Zs zV&@F(=!j6up`K_^p&Se`5j{@qo+#ywFi% z1WRr#We`SnLAE>YL8ldW#86ffkWC!2`wsv4OyeKq8CB_Db^bXXps2OI6Mb%+94t;* zSj@f?!525kaJ0y_aj6c=4~ht45ohxwG;4&=8eQIhRYN^#cRYq7_lJW04^!mdMo96u zz9!Qc#Tr^2GFGx<&6frmN0xhvhC(j{9ag7kS!3_cu1>9`QsFNti+t)Y4vn+cmDH)E z7G-nuySuu?oq3v3s&#rtl-gUF-Ja6ghOeYEn!Xml)M+kX%nibQNR5>{6w*8fMW}dB z&LvO1!ihxoK;3ZtWKvCGYuFKh7k8lGfE!AXbNSyU8i69;6Ca#0_cwNsHMV_oxw{a` z`NQPb9Q^HHn^ikEn{xgQ(MFEw@01}c=vyQ1+wqlWiCpiH>y$x7?6~Sq>5!%{#1uMO z?}W5SOMlxB&bONauJy#q$J1uI8)RFM-Xy3#dX;TYEV00+TmfY#>eSjG)#@DV;}SlU zFc17z7*$X1GErvCQz9{xl2=)(>hC8OeF?tx;srE+%~MMn!KrfY$5=tVd$IT`Q~R0x ziOtjTY%TB`v_4(E^vb||Y?J$vdXN$g&|VSu!=walFs=26LM!DCA52l-auh!X`j)LU z3J4z^N|0+J(nrOMKT{VHv7&CrYGl@lI~Tx08smTPYUFtqot9#{&It z3cLqy%Lol6_VSb`y1KAn$_kwFOBKC84(6Cb)cji<%46AIy-R=}0CdQJaNJ-g@%0j2 z2lLGlWE*88-9r@W=rw4crdA7BR52i+?7vZT%ku4DlvQ9p>ZmH$1dQV^p@3>PR#%5J z8Lb&TUHzzOA(XG{yj6yQHk!az9>!dy%fvgViw4D&SqXXIMg|csH(;H>q%!kq(d17W zkEB$Mqv`I4s4_IJSbrTg)FIZJaJqYRvLCMG&7_F6rnl@WVVbuzmlH6VWf$-gu?>g(s`VB^H z48Q+^nPa#9v<8;r5|#h|XnPN+rq-@&^jMByK|m}Z2qH&OX(G~71Qcw5f=CAeAxOjs zks6YyNK+sxN+%If0qN4DMkRpMfIyHMsR0s7fFzKRUTcSpHx0%mAV6tj)w&Cr~AJTBRl%4acWxUAHYI>Xewv>A!03e zHu?tB(*3?)@nHPlRfGSHixI$2Gylb&ll%ZC{wvq>bGN3%C$pm=Vs)Qv0J9SFWwIji ziNhu5981e32WA~zQ1&=(UE z#97x9obvzFDF;l68D1>Y-E-p&2MtlIC-n?#))ZM)(G>QxudMfM)UyL`4hcLFy}kO^ ztyxS@Z}Jt@bG1f(N~5BHcjCh8y@%=kK&Rk~S%m_RP$9o%{Y=!MPl#j3SW8&}p*))F zM&5nu7V&rCY^qklN`$tTgZLv#@r32&%c>RL1{1v=jx6jdQ~7%e(D9kep(m+>cxDCM zSCLYdhALp*@Jw0%f?+l=>5h2DhLYr>b8-aJPyPOR6TinkTY)g0Ub-%uFXY%ZNZqQn zjyF85rgbY01Q~^{^KACOJE4ti2vL<9?h= zNzLcn(jDEA( zc;;|)<~AvEHIcy!nj%{awFrV9(7^pk<&>JykCeKg@hWwo5xsD>V5sFqITc?sZ$+*& zr>jHx>l$qXG;HWLSD`x<%|1RJXgP?|TnP=@ zgI!B-eYsO3^{RZz>36oxEvB;hwre#JYvO5#RFHCH0OePOPP}2_ILyu(fzxg%yVs&U zv}@C1I-NcmM)#ef*}B+N1b3FUR@=xO-1$&K^tY~v=bxpwGub(+ck?ZU*|+!gW`f;E z=bm;Q%T%*kA<6aNDAD>jFHja{x|epXnIvy;lqc20R_+W#Mt{i(?cC^x){BMp2J_Q}LtyyF<}K&Kq?I7;3Xl0q_GCS_L}B>#DZLX{2GBnSVN<*o+tAa})4 ziT!EX4|xKED!F@0*F38{lhkNot3Mtc_qAXT#0akmc#c#RUhS-yXH8OFaN?M)E7Dhg z%7ZYo)e*SwlYLXUY;%VHjdi|4kw&Rh{t1%OqL`ttYv3r;#y944y2Rp(w)(5}f{w*N zga?Z5f>5=juI5ewqv~cB9zH-m=L#)A(@LIv?hXAbegkbTwdNsTD2|C{@+nplhh5g` zd30G8hT6#BRv&7$C<-~ROB0U>u2sC(&(*0PyHlWjLqkOeF)OR?6$pt4CjVHyJ!M|A z&>Jx-{2V@Yz~*%nFc6MAU2U#2nj;tRO{AK*b89<&MCea-Z4;r(_P+;ly$5_&U_oJ$ zBm7K(6NEoN4ggmShm|f1IJI?jZ2t)7B@oFg(^i^+;b1mGh{bVuL6vDpv*VhOy3rtE zs$Ty|LyaGWHEN$DPI-P;tK3J5#_g*q!0hJ!RIiffL?!3J^zp$o^CX;fQB!D|lh76>xbbD%j3rUJmFC&~-@h zeQ+7XJE2SNnz)jx29y1@=(3@JcqW+QI% z71)5FlGWualN$DfxMkDYOJkaMd5407*XffjBeH|+g0F-kAvwtKn$>8uE=_@vRL_m` zU&mtJF=`uB+GGReT|kr@DOS{H?9uReRqJdEH5%S;;|^47P8nhA>f7f(eZs8L(@UR| zP`QX1a+!)4x}$x^NrmL-lY6wSdCrk?!w$3Va)&4Z%vD%a5s?qQvpz%>P`3BtmnW53 z?kUnZ?*yvM6~)oJH4MAJVN6YDvqEhM^Rnyu;_|u%x}b)ak}dBH^=oU>7Alh9=Y2++ zHgA|H$|KY##Ucxs0}i8wks1EOnVuU4@TBL%d|>2(hHxcAWrsTvC%1;jzs6Mu4F?42 zuPsUK5E7E4;<@(*iZO$gRFDXw(@^j&oL6b)*#Ub2)f!vzd}VV(UBTd|a|3&gKFMoy zW{KU;%l~M_(P?xG=cbE;SMTlHKWYzct6@8B7gZ=2Z*n>az5BP4S^-M%4^54 z)aTckl5nBHyo|oj`x&_J=0R>dSOM9NHVgH)ox8aPj?x@yx*&Z0?a^uVdGVL2@`?IU z+Z<4CYF-omi2EOAa$eZ8Cx*ueJ9;h6VRL|3W+;4@OCZ^)V&c))(}a?m#>=tiu=w-emyQ52JN{cZor@Rd-fu)gsNWMROQ1aNWjoKkUB=<$rWH{BSZ#(0p!k*fQ9>tL-~(`C%?`snc=VhX&dws95_-{ zJN-(7erXT}d?Ghq>|vn>c%LtaP;2I3k(FT~R~>j=Zu`s7ut^SSX83j-?LdVODDJC_a;( zsD|g|FIRJQ8ZlpFjcQp-AIaF<;ou%M&p~STtHuvMeJ7NCfABktO4+G(1{T3J?NkC=t6o%ry3v_}4H_ep z-EIWBqHBN-)~+`sPA(^2y%X1GtD=GVvQmxJ7^(#-t|I*zCt!&OY&J3WlSlHMxK%>c zpc`XHBY)zsu0ZoMPlC{Yy|te>P^E)vdhfXic5(ePI;tZBAy$kOhHc!LHPWbF-4K&cJSp4_Eu#3Ky$v? z9h6RI_jDz*se;+7*rYW;HCO}NW(00FHeH0PL*_i#FiSuA)@ZR0-tL<>g%_8siFiqH z4$|erE+OAdBMFk@9V3=oC5L8dVIM)TQrOGzQBG&oC4=S1J#Avx>fH3J)cX}~=!pRa z1J^Iil|z1S-tqMv(B>d4Fte_%rxQd3+S3!~x3`4KcAQfjRa6)zqS6jQh1NL3{CsEX zU<7L?v!2UByo#~8u5H-8=WCAH+>ihg(s^P;cEL-Tl-1lX;0VdagUni*k6Dc?Q3W1A7mdkmu}s5x=q!5K!%aWT9C?Hn|~$TcwrH&-QeZC%Q%`- zNia)8k9<@W#mL$bP;v7&vWRcg!BD$A;S_XL!8(sM0^s2P7RO;%dQk6ns_Z5 zm_DEj_tFRMv2XLRPhSy5e2?{+0il(A#d~Tv4F9r4|?|tX2^hz)OU5Vn+Ww5Cm4htUX`gWLTOYxMk*Edd(2j z!eC#+MRCaX4#z_!j(6+ooE)M1KsD6cqkjaC-=@8EyjxS3Z{Jwli~aP3i3yyt8L0{k zV+DFv_AmbEoA~u}*_rEQi@vOtuN!CwSb?_TrU{_WaaZH7(UYDlG*DhrLltJVN2QG@ zY))!(#@1&`sn*Z!)0jVp3OfS&P0X=GI(EuCW0z12IsD0Q!))UsE5%8n+-#%yhS1}5 zs?x5E?p2}akQxemJg4Vj{C4CSSG5=LfXlved`)-8Vm&|3@A_3UJPihnwNm5QrL|o^ zoANvRtY?c9NBH^&%E1KQB(sd;?u%Y=>Mu|q<(1%JSzjI%SHvg%{Oq*5p`XhP=??rW zYG;W3_~2lEoN{E{eo@}^@|L9o@l{RrUh{!(>op6g`c>^QV^Z*BLssUHpEsq{4##W_1Y zjG>5(RsO71hb2}fsnH#)BDErd&H5^bM*L_aQwfCnw^AaCd%kibf<=>mf#I~V`2c=^ zIAr|s*EFUDWcu01(X{|CAWpAf*iT)PN;_+cQ66%L_=Yeg`LGIXW81C_w_%^BFmc|t z3YkY&Xlv`-6Z8Epai#DhY5ZxDt?k%>Hy_6!TTs?~r$sjwvM%fei(!qM zMZ4_l9sQd=@*QaTAL;GtYr}dZ^AYb4s_gz z&Q4xUvBWy8-{em&kH6ZtO={~$>kk)}V!7`xoeNDi22C5*P4DyU@1Or%hR6D>lm0x= zM_qIc_)6jsVbcVC#5%93Qc%gevl1>2?%lqR^CKYJzP|6HN;=f|@YdhCReb)OzMUUvA-4H2^kO<#r@ zcBX@|S8Jy_^w{ef3r-SQ6|6W#yzA-l$Suuv!3@`IXEX))%b>@nrBSQJcO9e9i*CZB zAIJiRl;tj3V~)peIJu#o-{RJJK`npYQZ*!%NxI|ISDf@ob8y0LV~f^ckb^Yc3_!tz z))CgcO;}>0ZWx*|nKgY$F7V5Fsa8(CFl)K9a$x{H=x^b?*NA!Sqg1>>u*KMjAcgR$ zcw?j0HA$SJy9%zX&qe6Lf2~`95|=F?^UW}mTc&c;K(~)6jy5K_xCm&5w)YW;3AMWo z18&XfR`6j53lLXnME1*G&H0M9c+ckf%Cr+x)pUfa8R5Puhf<8g-#b@XB!PJUv&pZU zm_C4pRQYxETvr_B+NiF5EvTIH4_O(|zy#P-u__F!wF#|L2~|I8N71id*`8cn|C~AE zxGBW&=e_r$ek(9&>C!q4Bdex3`jQ)2jfAcvrdnN{orNW?Z)@+RsTr0?!|<<00(6PA z=KDv$qpf;1c0QoxZ!eeQIp|L+QOSM)SDk$&VD%BzvNHlOvj;lR+){!HRWK^F85=FM z`NVnS0!mmEE@e+y+Voa-tW+Mi1e$xuuyJDQWTukL{YL+{*ezfj})3-1DOo{L+%R-2Iem7;I$gNJN zqQCw{gCT59^ z2ORU$QCudg!+k?LwGQZp>O1v}Yg$}|4wvui)ED+lDMN*xDI<g$PqZ9U|1z{0%IqE`Gk@WGbmR@inJedE6Vm32qeFAF#B3YQVIse+ITXe^Uf)=R zt|1tMMqhKDZ{cW_$u8D$>X+-oap^|E1}0~zkBA8hU|vFoG){N-Ze?S}<(AXG6%LJm z`dzrGdjB*F=pcRlWy0LbO>~#!iCZQrkEf%x4;}%IOBr~qbik#xMmTbj+mWd#J52 zj3DEB*pzRqsK%UYQF`Or)9l-P%Bgs1`M4_ZHxtQo*s#g(Q5d#zlYpI9`0)-}Ct1gL z@EuD-k$$c67iR6%D3{QQmO!wfdq=MaeEwqgN@Q**uQT^ebybMtK0@G>nnTg(!aGm$ zh>I?7n+ecBT87zT4MB%~6XB@*(uW$@vj@f{?+>QXl3az;l~d?N41BETosfrxE_qQa}=sql{Zf!+woKZt;n-qIUrY=`a z)h&izwzYUTn3&dYS+RR%y;Fc!vR5HZ6x{iRJ)L7(5)_WpoR?Bg-|hAr84}Yc>J$aJ z-frC2>PSUj9TQ&qV^hET({*yrzRT;=K}1*e>Pc!%<&ot;5=OQ|cRT|(+duUc%( zR7JM?*RCbN63-vV=$!s!-8l!LhtBy$iK#54c|Nb!d_h#|T@ec?%KzF~m-qR;-Vln) zNt#M@e4mb`v}pPAP^;e$Ago6P(<3!#Kw=wVq_E;%E+#8RRjMxp{d7a_9S1M{3}>yB zQF92ne3x}ceo!Q}XA8AWmiZoA7!>)&{&z?ga1Ur<`z{A%Ywfcel}-W^b{uOgF4!k> zZ|@g5F-h^r_-Ns?D{|sor7|;6eut90Yo4XMZ-&AAlpW#u!6waSC#`I#_5ji)TdVgg z!0n}QIEUnNMt8 zhLxMEc#~tg*%pRcmJkxslvg_aWl0LhEU0C&G{zo_G7aQ$X;46l<>Ra*$vWhrS_UT` z?WF)J$A4I-F3i;wMiv*m?wz<3l2N(7W-|3UIW*b#jcG_Ka z(Z>`!be|hCQfi!O5A+lOm(y9lh!JLKg1~wl9K9TTd6eSl>%zv;+Bs9mx4Z@HJ>^?9 z-ZS%VNbZ>eqK9Ga+>|Frx3OXW&8WI7HwqUV7S7JV0r7RYFYc_o^x2ff+1+<}u=L}1e# zpu!E}i0l^0wL)Mbv?q?s8UND}q2DvKHZ6K|({G-{IN8nN`^PsG`aEENXkf8I-a@=% z9WoCg&zxK9KALO!p=UH5oFCVnO)!{w(R=mUP7l%|BqVxh=3)^Af%UmbvWo&v<`9=< zO>!T12-)TO#YOgVEi5x$pS1LhmNHkS#jCkd`HldZb9m}k-+sB%_W7}@h{tJLJY15u z@WOk^-gwmf`4QM;?OBu9ZBDUH9r}J>;haI_C*Tv>src?H?W%D8kkfR!La96?4(y}& z&EppCxgEYD5iFzWKhkW5y)H}d*M&OYXny$P7jk^|RPC1e-iwFUMuYZ_hVDyy{&{QCBRZAIk$uT*g~IDM6Zx`I1Z z>!m~UcOiqupj40pREk%Aa(UysE%Dm>D=FW%6Gw|z*dwrz^{oX>!tyQdXGUH6x$Euo zyg5h3b=PM&Y;2{m1uY_Ybwok0Z0UxP9{XuoZp69{Xj*uKx_hmFoA|jdaOhpFPmQl1 zi&0~{Q9OKa;_dQR8p2*DWZ4uo-*Bj+C#3Q0W9QdRShCc~nI!u`CN=Mw$D zmg8Luada%C*BezFi0jsp$-=p`=RVbZ!!tHHk8KAdrL}34*BUSwNp2Qi4_mo1y~k1m zey`$BFBf;r4l9!f^7znpP4%x^{@9J!1>cZX!kE(i+`19LBIElFK6%Hi7Er)^O;!Na<$GesPnlxRl5S2qh$!$sJw+dibMqBL_nvC5xnUb5d^h*W zXy3T=6AuZU{ld??#$9$g;zXHVe5qd~UOCL!ncr`k5bMB9{Zzta%<^!=V}-_uSPQeH_c;!#2?$o(J83{l*g2CUWb)mE-f#Z&dV z+NJHC9fXy9E~N}z6D*LvtSHa7)SG9VEUqmCR8yhT`uyX((vUh{-z(t>1>QNMPiyrj zD^P4L-TAru2wNV5wu3O`jEw7RyR9tevfuX{!eqYn@Z(@McLmHz+%6O}K9b&rGTK*L z2cy=FsAH@`CgOCCn;lwyh<|X`3LQQU@GFP@iPkDu`qe}PDMbM?PV%SE2lbMr7ww?1 zTIZtu2>9gUW^9l{_b_1GURjRWslEVtj#|wWN$k7f{I1QYIApCPJHYrekl!tfb%o8l zs40ueQknJQL4@`UM>o|fq!Nk8(Fl7NwhpHr-vD!e@s~?9P;$%XbrJGAJAx3f0w@~UfouZAOoBy#vq7!p3aUDNg!Z)KanWX zWH08~f5l~LABpNtH<%A26TGZ=tpu0w?pcaqvMQM;JrVYd*tJ{oaR``*H;@f zEQ&`v$-B1)nIF0W)pSYKZ<2@jEI(5^+#es1r$s;hfR2OB<2hY0EL)Qe)JV(bqQz(jQ%@zZV^MGwqQzXv5G~~Qsv3j028k;71I-c_7KK~H zA=f2jmv0Yd1O?mhNek?rr@QzeENx<*F=?f`&suljQ$7@vaT;)yRFemnYrc~C>yD7h zBx|AWTRGbZeC?}yDesch0RWymRg|EdL=}!jo}ORqX}!TJcqnq+Xd-`?;_=OvyGlj} z;YHWZ`&+kRSiS+5HR4=q1>!g6QDco#^lw7d#AOUImo8%B1G-}+XX7T%WYgFUu z?Z4#$0L%iHZgv@i1Uz3pVz8#40)*>K?vjH2zNSoVV~xpZ{DmGw?Lj39qr~faI7tq@ z=aE4eL+UaxwlfVut+*k!n9+QY?SUKYy+;18CfJd=U09WNExaDj znt*iUIx1*`WY?8+o{)=J3eU<#ChsjwG)PyaW5!a=c9Y#r{G4jFCuB6~qS0LTauhrs z>;TnnFWJxE_pKy~VAfz}&TrS(2x0i`4`X|h%s^RwYs?f6Tm>mney&Tcgn4VrEYw*Ikx08^1){MCPIH6fl+_Z)shdrg64g42ID?B6y&B0Exnoob5| zvxyF3xQPTjs@9pwjFMMZ05LvUBoFLhMvsYk(p;BPERt_^y0ffPhw6jVEIya5xo=3F z8QD8tdbRXX@VB`JVD)U|d_gFwAr28%tS-`^0&TPQUfV4rssuhh1MpzhT5O#?^3 zf|hls+bgO$%NM~%Ak&g+tX~ou57ckCPUX1@Z!C(1uZ2jB)=(?@iwX9g3bH#D<LN6o zS!87sFWAEi`fAAJyE?0ppLL=tk6P4jJe_)?ASjbUeKZ?MBCbYw_Gh^Eu;3Fz>sc(V z)+90qB5n;k}9ud zJxAr&EI3Rx4uOhRh5Y4}CPzq6sfG7|&e>kh0!QKdb|ED6t7KgPJx>o=#|?7Vi>!Nn z<#+T_;2wPO)+S?RYaw9B*taIeGK!8e6^)ZJ)}qDE#r^Q;?D5HrZH!v@7B+tB{zX2L z{@U#{-hgD)oXU`*S6kGSI~=DhjG45b1+M@gmz@utoSTz?LD{oYBkhXyaSfJo5dVBQ zmflx@4-qjf$e^cXKW|!ryF4&(`lEsNr}It|Xwvmtk>mhbGUQlsg*x>3%M{9Ci>0O% zjWAQ5bpjflKcpb)w|aB(OU_eCn#L3UKXmvfpDEYvVYCulJ7a79Y@@4_CAqD7#$39^-6hHP38S*uUr0`Z_W7Tjjh1hJ4PI! z2=~{*z~sN*9P8;1I}e|iy%xD(_qf6f1NrEm{qT>v$J^pkY2su zXnHh&Ab*7?zwFguhQz1BdNoFc;Q|9fZpl7LyJh_z;@?icVN3rJ9J{`2=3pRUn^n6JH8!U`QFYf zogQ!Bhu?mFEdajl>VkEGlh2Pz3qyL*dDReh<+d-B!%b+@i2I~aQ&Z%u+uaN{<}3q6 z)k)N+0P@^HIFhj#!k7RjeqhR)XBe=)SA}R<*`gsr=~d{dm5|}LK$bi9$U|M?%9fF| zp6T94mO1qS>Z3RHvJD2rfA<6g4nZTphV<(pao&eEr_HULMfdJHaRmM+qTtw5eNFGD z4r5NvftWH=h9gdT^-_LEUeDcv#HV0+pYewLII5u2Ug|QKmz(15>kJ^U6ehmeg{_;! z7nF`SELFmMkvUQIPo>)h)2YpaHTNGXtv9?;YVk#at{8qKZ(x`g@ z_da*{Ln&UG;u}}ZV3j5E7;bBl1J4m^?q__K!*AmBnSy80T2a!x{@X$EfwziAU^s0r zte%|$QJ>9Wuy0M;S3~F&;^Xx*zJE#rUO;KphbX`g=A`Z9-*U9|^yL+@jq2~|tbb>x z?ex8;qt}7E^znKSsZ^U}$O_xzHd?Kh*{*P}Zz~Ts7D246fCBr#O_D{JR zHvx|(+|-?K)O))U0VJNz%Rz^AL`n`}V)cCBo#34ztCf-bm`W&wZLi@HbfuNtydCQHT2%wl}wxHvI^~>GPx^jdz@e!J%s= zrpXi_9Cb2I+)tmDEP7o4jfYT_@OrTrlK(OKCreNWNZK!%D2g8m_W3~tkEc|EVrT+s z44cV3OprcCjS{&z2ce+8Au&#wbc+ibZ$*Y-(beB?Tzg=KX4@$MKAb1CkT z{(!;TWlLEq{tCX=3}GE6@=EXRaG|8-ViD?e)+Q@Ug_ z=ha6%KL$AedEdgd*JCNS{&L+SqL7k`#H7gw?RBbkv9M0a z&(#nkit&LL68UEN5cimd{KjEvKBJ0!As!v==4)<>sw|HIz`1ll&X+-Mz+mH=4wTZ+ z=few;cTWLwA%I7$E-baeI6C4tj6(lI=l=W%Fi|MV(~5xeB${*6`Hh)XZ&SL6iSA>~ zaT7~Y_U&$28FI9~g{wJP5!Y4v+@tR~> z(ibx)cz!|ipH*iZpldflPCCZ^BSh9T+V%wLcX8T(d?U7ajOroTk5(r>QIV9%XRaQl zK9^q3@0&JMj;sPpcLXsOZB42L_=j@x@Rn9VdaiJzPy2M~?6;5Eun=jDrkPBcx@b(3 zpi0vhuZe$N?ge_iv7v$_Z@xo`ovx_>5_@Nws(Zgge;E$CE4R*u-8IL|t{IiU3VFcc zT*9anPxHlcmb75F=epx@1Rw)P`*5(r!i?H9u8`bKv@!S}EB(K{?f>nce~$fo9cZ7e z>9-zsBJk+prWd-MG6EfruU-(1=rYPhx%X0`d(1$ZkhNcF=4;KjAQ-O7o4g)%N@(n) zV-0H}YxjCn@9iSM>%JV^rFhKpY;!cu&>FBlvrn1IyMsJX&HFxJ>uM#7to{$e!REhCnHtyD&F#DU zLEIR0=E6)yuX~B9+2c&jaknCt;;?npx!U*C@(}Om3?q=kQQm28?`<-9SitC^Y8$8k zXhs*-OLhY9Mb9F{f&UQO&Lg&$#5kW0@u>+U*yRhI)}qTXSS;J@j=VSN&&WOC!>n46 z$UgU>D6~Ag4z#`|@ov50XjIiBL$*DjgcTXgZ~7>%1OUu>efAq7Yp#sbP>!SB5^o?^ z&Ev#NAxcdbEl8q3tCVP)-*}mz7u`Zd|+lZaiBL5PM_U8CKAL0GIx2 z2XX(E=<@{pWvE`{l@H`CCNv}X<7f*L>$j0lo}*XI+PkH4&$~~4ksi>p9Xp7U#*|;0 zzACPS3l@Xo${8*7;4bL3C~0yOS&l!KlYd)ngRN}IKY;PqL=K{tnL}-m*aiE_>gv*g zokSW8ac(-o^d;yeY3w2GOMc5HmfuzRUBm;d&H1?v^0;v=%=5KcxDXPu`d45KcWvj_ zK?o3pEPXr2L$+Q~)z6=8iPlt3tZoNODS2V1+1VmZcyz5)7RDW<42i8DO&G2q66%2% zZ8`daWsd+#UI}^F?ezPrzFoir62yI1{KpT->)5IN1}WUzgSveQ!*+zIx$yc6ZgPN` z+C&;d0r@=Z(vz9MSHC+EfYUFRYiVdVNg}1oQ%Wr99)$$GU1NL7?X@b24$55M>w51S zW%%kfHq4h0IJ)EQ;6XgDei-*0&9m-Dwvehx?*1wD2ge9UIVW>Xe8z7cvV3!UBjPZ-C4mFZwMdt@f$8rOp9`p5cU z%UvN|J2P+lD6EeEsVad^ZhCOm%7_rsx(sukWgoytx9FdAmp+j0T#VqVdh-xr*>fn zjgL*pf%D2i8u~j3`BUEN`pIxpd7tn7n1I2a`@R)Jc-4RqRg{e}hH)~lgd*kC8+A*U3n;BmdIITg)WEv1-gZ~>yZ(NwP4R1!r+{_JOj zo3;)zG|i;?DCHI9Ka`5f1IhZlcCc9u`%14{d`c8q0F)C5UjNu|aBR4&<-Xt-yt_RW zOxe*jcYmApoo%;}wRd(t{L4p%TFC5a6BHJh_>P`31ABndPF^D0nS_F4b+bo$`ti;B z{MnB1Ys~^KC=F3x3Ju`Ve>%R0(EBWVTyFe-hf%Ig5fY0{+$B>`nF&aGFzZHbq^qxu zY_n4a&{AIazG?d*rrTQZH#c!)TzreebT=UL*k#>5U1)*Q?lURZr=&R7!ahQ^hwz0l zSvm$9O_U$j@J4*9su`D)2L5)a#QqlPPoFnYtA{D8RxZ)A!CHF|#MenD*AkF60EN%DB zEE#eRL7x@Ut636d(IOy~@nf{8a_*<*Zmz;cn@Xm4v;S(+&nl0$_J|-GtmTgl{Am7G zsSMv(ZNd%Y^&w}qyh0~If{V}BwRh9U>WTxZibYsUs|}WSgkyiYfsJ0|0a>gndLTKK z!Tdu~p($E?MZ^snM$w7~pF?gG>xp0%Ju$cvz+g8G4CCuX=pQeIJ2#Riir+t#X5V29s$E7n$_F<6~nM>&XN4o$87Gv2xM z;|RbvT>Acab^d_!OWpAi0A)paXWCeKzrVYkFCh-k&zR^T%U3IvUBFSy%=fZREuV7l zHP)}(rdfbHxW>rc-Ri)FU$A_79;gx{3^oDsi3?|@5da``r6|lnO@0Yuj00)!c4l#k z3Ol1qcOygNehfCml|>)$frnf;yW@vGU<#X*lrAq0BxoNvMvzpBmkVou*eF-}{_rf> z!`EYDELr?MQl>+bfcE(a!-h3X)sSVG?Fe#nJ)eohoC~7d<=F-uxU4}wCwRdcI1a3o zz48;0qKiEQzSDZAQ1H5@<l~N7exK+ z5%u|XMDQ~pkvVT3!2Kz4V(WeHrxGt-zcRKaIgLoBDg~H!I`bQ zw{~pE_PT_&9inPUBI@~I6;$tadf#+HLrSzZ(E?=}pL$|B-~6m2p^D}aU$vOC@WenG zqkpi+H+EJ0iR$r*?|+oMk9r6Bf2ma3TLaYP9cD_AXF_H)Zt*F19s-IGR+c`rvN3h4 zA~J|6u=;3;ugVX}iP8M;WlHCr{zsV-b3_GWr(PTEZtpqus#P{Zx))&TLTCsV ziS_osWYolRic?lPVDIrjx3B)gb6I)U!;-ER!1g=3Zz+Jq>?!kp+;v9t1Ja7{E^<3? z9L0B8+$N2gA#RDWm)s`*s~+ZkZ7ts0cE) zKyl>Il68{bCnwZLT6*f-*SWGb4-)K<2NU zp^@;P!|6A_=~e=YDy{(g({G}Qd3*3*MHSJ#UGi?;nWyfXuJO!`GBB&A$yw_@nNE3* zJ`=qrk{(#jJR&yhkwIuEW}4(d@yC@{#rDE_7oEVb1P8y55c_V8AqgNn+a1YSL}M_1@}8o`Whck9awe&`f3q9a3G;{Gt7iX?{``^n zUfuUBL**oWO%S^|8(7DvcE0BfA+0AKh@eAtfq30TOL0*Q;=7X zUD5h)2Y+W*jkDDMYT*B~4(Nzwd%Rg55uz23hOD&ysp+4O*u~s?Q#F?vD{SrRZi)$Vp^MaGM*RpEa$TO zs*&N_d$IalWy%arItJN+A3W-wQkq>KL+<+EW}J0S9Th8$WZhUO=eJ~vpnBaVGeriE zp`LqS>DEbtrU7DgC_g2y@-$g*t|a^Fb3xOo)+`G{C2^v7RXVU80R3R%?9Q)SJ;CA@ zzPoXn{`auQNjDb~@^I4dvT`2Wt|-ozZl|E2&3_1#G{hYw$y}bNFuE!CI_15@{Ab;E zYuihaqwNXcSZ$=g9$Z)t-aD)2?4k1kyIrGT;_MxO3+cHJP zn-IHS3@0Yo8~c{_UTV1Lxqv}4>AYjsyydQ@`bZq|CmcRV0KJ|h5MHbyWjbKH&~@bmfj%C1X4FSTTUN5BERd9BqCfXUW6|>s3cFBmc$kHDVJ1O zWU&47$rr>Xl06DjdI+fu{h}TjpRr0DKc?ACt$nb7Dqv`3Thx%{6oN=y_96S{29utb zi-&;t^trhWiU*i%I<~GY-Wj2{3x4HrK2t@tha7QgrS>>v(`jYbKYS1I99)eKDS3%; zW=#(9q{1bs_#x>Dd+RMqo!qrg;ViWI5#FRUy&i+~xd5APi3;xY#!^7inDLUSIjvuL zLJ38e<_W)*W{sli_hF1-%U>b&Rf9OjbpUY7$m<5Ro&RT>?Ptl^Ulxz#>tbCl0iWt2 zxL%RCYbs?P@sXm?>c3bQ0|wJdqsle8tJWgUFAkpcaf@9WQ5N@;1!k3V=PkuzrRl}T zlECE4km)K1ENVAbh46+8S_1OOOhj#q-T)0}(`e_Y)*Yl~9`}f@4 z9UJ1dn;~um%?ep4KM+88zOuQa^4pk_Ez%-=X|Rqhx1g0u(~tGIf7g8BrcftIpVpio zW$A%)5M7oY@c1h+yTH@ZG}ej3?8e4$^MQ;7%Kksun+gf-ss#XB#$*#5f7LODkPX@D zLmq2gb0ns7^P!;>_iCA;86QE0m&^^@F4ojxANT(uHONk!NG>XgWMdq z_@IKq1;OP$zwnc!n!U~c_6zJ!l&>7Y!1NbhYPC)B6psHg6fMuqyHpp;snLF~Pso4H zf91Uojp(-`0lse*5rzbqYQf;~`)2KZ&WbM9d2jJCXzk1Gn(S|GX8^Cbg67Sc|5Hz~|Xg1h`r(@{eXA%MlW9#C$s|`OY70Q=tfY=(YO)Iu=?ALQI zFv_n=hmlM(*R_3?g13t|Z%RR(5O;OX7^5w5BRuNib2qs$obSLtwsb8aN^VnCV7_C9 zz1b!wEC|l2je_t>aV3i(v*9IP)cRE=fS>VH=JE>FDSD_B59je&;uW+G;ODanmiytl zz=P|v-{M}?2*NBw=GjB9bQeBOO#Hl2W&979kPe{vMcZnh{iXTU*gE{}qIwOsl8&N? z);&`SJz`E|`o!9mHm6<_+k;%aC_1-PVyRj_gz>FM4>@Sp2Fb&J;J`lC4Pf3-f=hef zr2#_l^kgbRj1O4;HVRIWgU1;~rcbx>0WyP++mMuPr1f*fzYT8j*W)nVV$b$#IIVme zGa^lk*IS^xfO4ioo32q^1ot{h%;?#X`jj`s&HC)674Nm2T!KFBDBxW%Vzfo$f=ws# z-QvN6g6V;$&)4438~#@lm5DgmDIUsV`1f>FzVvl13m6DeAa#`dXHER(Hzh~@CHU3N zp%FR11Y%?F^u5iR&A_BiZ6yB2PEUEreY0t)sLacA1V<6`7eJ9WrM`icGvusRel;IZ zY{C0jIdC$7T^tD7O%Ok}hXMhe8zl~(SW0WF512=Qm(PqBP`T+i@6~%sm*g)kZ&t1P zW7??dOp}AOOZw%Lr={^Q5#`P=uwk+#ht4+6d~ng3p44kK`irm~4^HbJrF{SH~G2Jx;j zGV}X@vhC%MNq4lewDNxQA^qpJYl;ArZtnt4|NNw?Oo%A67$YeQzY_Oi@I<*;e)qoI z0ISRALCA?=v$v<;LA+n}s+=GJ>)XsX0dC5Z%Ik_qoeyzT+lONJlP?s)DxiMtnk<`k zW{A$5pXFlz^my}9%Kw7}Mpa3>Dj%*fCLRHfEr;$3o7S{y1}`&DJSn{!5CD!9QPplK zhteys&TLHg*4rcO-R-%}c<8Bf0liah3M<3YdluzG>TPg#>@$lEhYINSb>aNFqBjtq zE}&CSd=YlL^0@S4F|IT>!lEI!K*fQ7s+`%K{bd-E z*)t9h4#!`e3-;w^Dp{G3a^!c2S*ci9YuSusjJEy{cgyAfKin-3N2W#pFV@~Xs_C;` z_it-ktO^lnWhN>rwJ3;80tqRgpd!SP8KNMAgh3`Dgd|mzL565ikSP%n5eY+pFb71C zAX7jf%tU5Ln8^SM3BNDhd!MtvgL_2zmmj<-Gpl1vegIOMKK0_N)*Z{l|i6ST-Q%k$1 zi_He&mM#wUpwVM^9(X5mShk!b_-7gk;7~ZN^w%E!D9r!8XH}jtsMn(7>5&qf6$UH+ zrA*`>?|$j*bDy<9Hq~)sOp2O@Y7G||y&sp&tRh}g221OM7){scSns!Xj<$%95Rckf za*C+Ky?&dtaeAu>&CrVupR0*!Snw}Ik*JokXa9tqH2iZ!kJebGDpcA}!~ioJmjkXLm=&1{4%IOjU=t5)xX7X|>u z652CjsvO$B3K3yGr>bRt*hZws_oV*Tlz!!ZF0MWfTLgykmM6}bsW(M-?iM{=H(YF|mrkewMO=tw0kO*PSaW&u z(5b-G^;ZE$q9l+)ZCbBWH(lJz09tIe%%uG4FdY;Ag(wFO0!EER)zu19!$cGs>pIZr zX>3e_wguB6TNkr8bv4@D-+k&)X`!G$uC9@^c%yEe#!+xBMcGiiiukGYTZ)KXqK)38 zoQrBw_hRF-@!S|SscbMgMDDt7YFcWy_UCVR?~b~cJ`x!Z|eQN1Vf{9W-9)IUE`0S;Mnw$Tyu zMd>PEsf_hLLNXM|19E(}QXp^E#gr>6M*Kfr;z!0W+llYlUC-WmJCQYS!Ec!cs+$n;*Hvjx zQjquRuCn^jL$ZM3>r+r+Y=6AFuXBXhwXABvt+^ZT0I}@zjKHXlH5p1Z?aZbhIGwcm zXQe+ds(-a}n(PQOf-@SA!u0z*12J6(vdkt-dLGragk;`VIJGtRWW>U;x6^+8DJ|v% zBU^^n;GIMA#JMieM~v5QSs7>R%70Gz zfm|@Si@3=MDq3XDbaFFh06#3LVEUNBp&(65&B@eK&{>SjQ%cw4qu;Zo^YL~Qr;%Fv z<}mb<_MdKGS3Ad~?lE8AiGgfAb7k-1a$we`Ro8*%-lGg*3DI^lJ9$~gElt3#wEy3* zE4|t&&1jo!;CPsT+NI1r`$ZBElmI9b0?o+*)lS_Y;rJwk5l8~uB~{H1v}Xg- z_UH}iU*s;mP6S1}E}eHm+f7DYtH~Nwh5ylXM&clL?0Xt0kz9bZGLI*Z`hQE;NOoGA zi+$#)ffWQE6qb5|-SYEOCZSPr>!c+uZ(rQZNT%^_;Z$*OrvDXypuhm^?K=siDc8FP z{vNdoI1&EqL-Ic*O#*j!5(}vFw1Th6g&*EGdO+dGzQt!)%K5@rv$&}=J8yC`y>?X1 z<<#{|Uie&vl-n@VARDwfm6z`73t#JYKCE;@W*WLc_i~vCZ84DE{R^XkP2jtCyF`cuxtjS0WRgSZFA1TIUXw1y4IM+v*oBsn7byE=uta~mVaD- z?zj8n`)0ratGMb%0{J(YSv<0dr5U6hJ|Dc4WpFJH7=K3bVqWSIBF^1oJs(gVi{M`B z>sxnBa+pgV3SYQtnfY_Jh+UR%3Bi00JsJf;QZ_qdZ~KAF*Oi6BzNdxto`<4o4kaZp zPZkUplF;sBSh6s0uhJZ+74BuO`I<<^`CU%;jQ6}#AP@Q#w%s~X`c1lS_GaNCouHdQ z)(AQ6dYYf9Xi+ChbxcASVy`Tuva!JVds4XA=rPQMZnY1(O(ld)=31rms@_Kx^mPA~ z73cWBkosS5@8A98wCZ2$K(cFz`!mp_hy|~tuj$z4W**!FJz#n`_zH_4$K~Ujq~Y-( z;~lB1S1T1y6hE0`mBmq1R5uxZqK$WEby|RdU^(L%M5WB8DJ>cwLH7XjW2X;C*$L04 z`R`MmIg8=qDV~c=eZN9;DTDf%^S=}XNGCK7HX2Cut0^%$J3jR<`;Tw#Iz$-a$?gUK zQ5v^|j_D9SU@V>p+j{(wo|XpT^gGG8!Fi-yVuV0zVzRS0fcOj={|s2QHA*ZUVg_h364;7B89c05~ja>_v zOrl6ST|yz?LDo6Y1*j(7z=Nk^Ris;fJM?loO9mK9Dt6^!fVsW1>@g#(iSM7Ow=9jb;GS zgb(lI^5&r8GgOxJG0?Gqu&=1o$iUw*O3x)4m(NqbL9&Wz*&FeQqsGfa^>7tvtn+JQ zF~CfMXYvHs(@VotzLl|*LWZAlZI8{-2%OSYPnS>-ujM*CtBBUaqL z=xcR@F0voa&8+w?uRLltTa)j0hbivmI-MbFkY75zEi&Iwld#`!t_*%=n}EJCf#;13+=6Mpqzd(eDs|asSv^bN<3I2m}j(;B{Bi z0Ynd!&$-?RkS<+0-7yss;v81#ZNTa1`oRmo<9+sGp5U7OFB9M2{NxpJN0J5{)b#K~ zV7LPbR^ga>r431lo<_CoQ8JmqLs@C$ilFDw8e3fcK17-`~Uvl{;qC%n=vYzH_wTbH_< z3q6{R#dR$`n+3h6LSAbh(mK$lLSAgFgDIKE+XdV8Dnx)iC+Oz014h50P({XNxYLW@hl-T>t3Pr<4#rkxQ zER?m+f$#Bcji`&D7~~Eackx-JI2X%(m)UG z*5W_;<0gk+R*woBCiUrZJW-ApfA}m=M;&a8-tRvONQ5U%Ay5Ae!)L?(9m6N_ZRQQI zu~nSQ9>AF~beLl*XUw&XVV`C+$z|T0@52)MB;YG)!8}9)(7~;2LR)Br43!- zt7j#8==Sb&l#l}7Q@j>r!DvvYaS*+`5GoS_0I9}HaTQvB!hY4OXE0X2#J@x<5q6b& z;3?mg8D=*8oc`^glIF1Kp;(9J3c%M;QjcU`N!M?`N|&R*eey+{@ze!0*>RW8q09zY zE~9!=0uKMD=XG&ED2n&)m!ff7$G&DQ z+uWv@4arRDAd3h&W0k;xMyG7Il4KMI@K7+k(&7Oj)QWq>H!;LRb~$wc-cg>5oOqYe z8AsOT^*WGqkGDM&i#$Mq7Cr~%10JN!9fro}QlHDdmXKYQ_|T%V+S_G^zK!G;Ig&H9 zIHhWomwVG)NO_U;?$WD~bxo%|i4@OIOhS*iS=)OmOv2d85)>g9B0U7m9});-jRc-r zGEG;tYNw6TpRj6CT>b6eZli{?RkoW299)`>iSm%@OhMgl-vdKObm8qt4;; zEKh5UO33Aftm`E(EnnP3yMDA>yrG;ZwIYC26$yTK@dbIR78uEKn zwAMu9mdOB!$c=Xcbt}P6c0OPV?Er7Pk!P8wk$&RHxNCvGk``xHidUhc3;1_TYh!^T z@&Fmov-5i1z9_=Y+PXgz=#Re`_Om&tJd3DO`#H)Vb#SY2b2?rxeoo7CG=()aDj;V!IHl1`yH9<| z=9)M?n28COL&<4vpfVgIUotEtBX~z?A(=d&`pcFQ&EEwEYhI+$Y}p{8Og3K0+k1vW zULYUu6weh3gtoSx&1Is|^jR`=1fm8y7Pk2p+4yT_(u}bx{=>V+6d~!`b9G;VE7-w7 zx3p-aizg3>ZaWUk;m*#;AT?Bl3#s%v*soih|6m(S(*d?IBL{@-#Lp$_qJ6ik7ret{ zc_^U%Hb<$tmJ|7%FSx45HGV*!;9)Wy{AvW z9nikC`v74cSzuym|Le)6v_5)*BPsFF?ew`O5~jSkdzm!TU}Ao#Uqi{-u5UzgfH?S-XL5QDP(u z-ZOS17bMkS{`<~xf573G&iVE}D9|l|r%l3oW$H`+kP?)i6M^O*qS+>WMI>zx=1@w`1E!s%v8@13JsVHWU+&?hR{APUyI~gCyKyy+^iYhK@ShxZM4;_6EQ?Xrfp3+($zg z4swZ=S2Dj{ZIMW$_1=fN6|P~qps=BCYoL-$svnd%a@S4Xvp<=8>aiAi*{agNxr zY~hR--?JRNwZ(UzNWpdiNSt5lHE?x&@mjinrpjR#{H4DY?1JC;Pv8(Xq}1fmq)m-9e>hk2W;G5O!2x21{X9hh_R z%7yjM>(@TGj+uIc7K{y)#>Sj>H_lEEASdl>{3C{Q6DrgKwuw~j2mFZl!VQ#p!l_GF z2d!S0y?$}<*|jfqgW>OPguk)iwYXe(9k%DhDY-Z2FXr2nocs0jHLv&_tKS@xQwi(h z4$O9@kZ3f5_ME|~88iEXmJDWVfUj>ab8B7J7x}6`z9jYayYt7hEHXM~<%`KPO1=^7 zB7d~(+Skccy9!io9Lfi95j8W4H97}t1)A3+btbGn-QIsjdMCMB6k8a;2cYpHDMQlb zbgWtEbHU5*Gj2a3Mz0-ozVoa^RPL`y4;xY#HHLXeSI!d9Z7J;Qt6`_s)AdnU)JEf0 zhyoap|)yMgH|tu%>l)eah2jc?kO(w=XB3$-9%) zW37};l|`>B&eo+F;+ARHcGCx_!@eq-4G*f69v1dxufJZryiazmWP?&Q$i{=p5AMG2 zw)xH0N3u<^`i!6F8oP((EYqd{j^cLb6}1r(D2OOAMQbr0?pRNuupt0D7WAFLbbfA1 zPyKr2+6GPIdU+U|-PS{_Hm?!`ES0-VflJlO1R{l|Q5tNp@QMolULUi97)LTU&kyn< ziB_s(-)&r7Mzx%n9>{|&5N=$^o~r#5AYS0zNBb9@iNzJ+m@i|U*_VWbQT!>y_RQAcyBLC3~{$wP1Zy5k-V{GJOAXWud_DiXYBZN3YdfpB1{AOvF% zcDI2%0Rd(wHHwS$h}4?`ZJEi-SP?tWZt*^zeu29xU;5O`r6ohkdY6JM=gY=VBjyG^ zkZCK}LhZ~iA9ica^h@CC?rbD{pNQ5XAyS;NJce2{_&Gea(Oh!99QD3B6vT!X8nWGJ z#IVk|r_t02RIwvbj?q44IwaUQkUNK`zo#hjzL#7_6Jme>v(S34sd$uc@J?@R^hPRgL3u>Nug$cRDs7QfKV@6u~rTa}FK7jqrrqH#W{Z0idjaqEN4OJhu< zGb`!1XEH+c^=ZkJ>cPy(pEmZrWrhWfqbZ#1l$Y6HqN-_W?_Opx9EHUk8M{kV1};dr zdjMDH`4fu09b&4j0B;hqw2YEvbrQn3-{MC-4S&8?ug33PCT`om+rAyP(HIWLZMAi5 zpOi)LqSxjupsz`yvJ+g~FIxErnVZ=0*k?_NM@0!?#S=9pg6Hn&dVNvAmfwoQ%=v?a zk^Fp6efC!2n(&j1`m@!M(TL{tn#z``XgsUtll zdl*NW1v6@zTy81$CKs^vFmxjpk0`|HM`q1cfHa5UJlhaaw7!WaV2epI}4y z_FE>4nR8=9?Ioj$Xy7`g%It`>r=nIj73vK-?~0SsR-XU!#zd%FdH(hi3I5zdgFN6P z*b4}ss6HF;DSu2yHMcJVnT#>UdRN^SAPiv&N%tfA^INT#2k(?uI*J3(gOk~6A@Gx> zhdr`}T1p3zh%3C|`40D3;oTNRV4K>M-L9(@EJi=Kt({7pwj>Vt*@@Eqt0*M0*xH?P z0*wKgn~Fc7SRp1P%@h7~QWJrLF17~?g|hJ=Fiev?eAQ9et_K=E?8 zp?)^n!)GYc{wcnQ>*d(C@J7?6I^kGJtKo18I@;whw0*z_8z8V~{Y|~o`xW%74C0gp zb{w4$!kbPg8}*aOyiw;^FT@qp zE4HlRals;Ir-}u^Sbwlk3`T6M!P^>$V)OocaS3nRWMR03645Z?DkGfrn`p^x2tON? zYZ6krm^i0^q6=79?iOF9Obj2Qw@C@HywM7Q>w!s^jy27jwPn~{7F zJC~FPf(()f*l^|0UK8-M1Ru_x?w}^Z%mHr5;7{o9!NTWVWWD6U49>B^-!1COrHlNG zw34mTvkUN`ht4K6gRb%X1p9P@u7HEfIq;j@2>T>Z1AsQ`dKPVOv^lIzxgSCD?|9G3 zysB6o5c`<+3*_gf2hbQtResmyRT`uO_G{ObF4j6;bt zXX`IF32$quPXYhnV@ikv)qv9&omE`^V}K6hDp;A^n?>NRlIytd-=B1$wQ}!XR1@?b ze!hPF_ynkZtCs$dAY2I2{M7=tv{CY9Puq)K{85YvY$*c9#M7%t8LN$P=n!k@WbM*? zK#+Hn@YAt+&2%5k1^zh_k|k4TQvh$sZdg>C6_@wFS^w0yom(3y(nTBGtwj&cfKQ~j z1UP49`83KxsVh_DQf$C^esD=jpD5PCkGZ~#XwNr?5C%d!?+W=}i0c5nOY(YX-;c#= z{kcQkTfsd<{}ZtKmG^4{IVmS`f;N~3vPsoredwEDPmDtUam7Msn>=`4Hi|tf>tb)? z#M7FN*Icwwsc+8?*LB*W>K!Sp89NaC$BuhrdM<{i0XDj_Rwo^)5@Vz0ekVALslR3!qbz zx%v6nsNl6_(ITO<4$mTuT+H&v zz&>657qnCBElcZ@^C7Z?fLpf2?U3(_zUHI?>A$3AdN)vW=SfEDGXov@nQC+pU2KI} zo5&pP;nm$=NF0^DEn$6xT`7WPSd>OSFPXCoZ zW>gx%9iC0Wjf7ileigdd8W(potK_ARSFhSggu*9>!$g#7HTyLTO!!c}Ej!tXl)>)+ z(HS?+o^06V)4X1l6ey(DU$M^XC{e8adUtvXPOZ;hqt$OwYv%x;OD<28AHiO)N%n+J z{*;NW)!l8a>JokW?~(0q5v1jUiTnI7J9=e3E`KNc6`YScLV%iatjOkbhg}bGq*ry$ z`s@>v2gXkDn#b{Vi*Q$eLiNHz(@SD16-$!llk(u!K7~N-romy5>q1%{zpUwV1REjO z%I-7fDpgI1FFX$yg`^G|#kg^n^WXQR<3%qYHwCGyWb6%)zGV!Lf?!rk6msx^O> zz;$|Ic>BJGid$4!c3I*B)>f*3br&X|ZgFbcYShM* zF)MnbNR2!UXBGAGF-rh2+R?i^nMp-|mf2w$Jfi`@Ir>6(0PZOK<| z0TVhNsj4!MhHc(NS@;UVSxGi0bHNps%XhJm2hY^B>ZUf~ClJQr(b8@x-Novn;Ti}( zH9y%O6Hp#21-TXS0w8rnu#_-sL|M9JfYa-ave7 z^aUs3HH7B-5#?{Hs=!}tea=IN!ZRiz{mkGX`{fQ{iX&3nW%x$4FDW6c>DO$kkdNcB zOQwa}MMCGTd0XCzI88nFFTMRv{Miy~-?TUOE3HHom*nuH(D~9kY*0jXM2+6k>eL72 zF%%+6MSyS$4B4C`q=yz+GjM)00Ut#b1s3Z?e+Al%76R{i7h)oj5l8+eMiXQ`3$I(wglLM2Gsc6>|%y z@9uka?$se4iB7cpq>KHC^j$P4(^i}{;JDrQwO+a<(o5Ez1ssvq4dxmOYcI)KlWkr> z_DS-GZHx?A@Itqoq4;}&nG#22R)IQD*75fzBLTF`>Ct8ISj&2O$C#Z+G^-%H5#j~WBD0#9cM#| z9$*@q>6w%28nYIvDv}oYRIliz`8&B7zuA(dQk&(>xLh*SJuL!YK7SYKTx*eAw)Ww4B_0K|IB{pI0{*t?Us)eRKz)0|VWIMGMT+U@7e@7XPJUmh> zNV5H7=o{VSpzio`o;qwm_k;5lqM`nu@f7TW(OI&1W8?%Ts9=3Z!UFmUksp?1=DNoxg@7LQO@Y>K$#&!;cgSM z{+RvWN&$Wtk$D+ooGMuU2s~Hu)U)3&1>VjD z$Ick;tTM;zX3C|JO1_f3p_kAkW7fM*X|=nxtwK0gu7bNg_LWWyDfLb-w8vL?#$QX?MqL?e~BkirDYk5t$f1@~OI0P^=$q7$`UCod3RN z`$&jOmEL?tjO%|1P(S4S2rsXm1N4cS<*Hn#`rh~2jV0i! zb4XR)ev}h_v4Qic(Tv=q<+weUHkXx+Z`L^y=NNhu-EYp7e)(c~>T3C5MC5J$S4s|K z-j{s-cnXpZ4Xo2smsE#*tLSoD(4MmBa2$@c+vI|bZ4TPMgpCFz*Na5u0>NY)i+yX` z#mjsPoiO|2wfafnTwr&ol#13pQpdHU^8Tu0dx`6B)+lbF3ad)0Cum<{LO)6`t83y` zwWD&zV|^i21>2!5Oqn#hyB@yo{K&V-fPnVd2j1P|Sr$5bvmI7g^b9*{PCo(1P6S4U zu2EEu)^4SJ#G(NDi>@Q0v!gY$)42Ny|ZO_0$3;L>Ox+DY(=!@o6a`f3c zI3|4hD)&V4?pcGmzE`J}D`K)%z zVub>3UC%153sr@2_b)J1Wy2TSV+;m@q}Iz&+{S*T4TUyT^Qoh0j)x^0EyK=AwG3IJ zHr}(or-JvB_eI2q!d1>eja|}oA4)14$T#h7p$6%OxT+|A6^I6r>nbb~Ub$fjl^0n| z^K)iN<24%vdfb~gXY+}acr8tFFM^bK;_gmL_svJ}fEoVmTi_0`l$4Z$?bjuJ2mP^6 z$ATmJ6@Ue%?y}atmIL?EC$#`Kb~rHXaJhpDt9pZir-D6g%#_mla)iC;ry#$l^2wyZ zcDy-+*vczYE3m@`x4KwS>@5|ELqN@3#})V*8>jo%Pekp-r%m=$3NYI;{GB3laQ$hL z<+jYIU^$RZ)ov~4hJ0ccBzTgfT?%UM`6j~C_n2`zMVxn^8Vn-S57lh~69VG$J@ ziIfQ>2C-GE+iDBkU`f{jHl=>wATNX2kNM%c77hzn5C&9QmwGORxYKcJ!*ZM)5x4VC z*3Er%7lzipMoW^at1@XrM=hv3-L|Nv)Q!Jq*0!+TV{>ABJE)!}hfL6!7}e~Q`&({; zTkXKIh@qKT9JfjaTMw`292moZcaDD=!QJ3^KI_|!`Q>w=l>Ac z06baqt;)w!LFyujJImi1WZVzlt=-kP7YLWg>5w-Y`rY9iPxE%wLu-z0pnf0$7#=9+ zrokFM6fFrgGqJGdk_!iNsh(WT>1Q+HW@2WRSfwR`-O9gRuf$Baf$xuiZq{BAc z2R%~US_N!lO2*p!_Tr#V(KB@)6oySpdv z1Suhdd5UDu4li_8ycrGlUI7m_MO@n+g6JHZgR4Xo7+p*7UJ4xC`)N!tHJeS5KIYpJs~bAGAmc;;qxmq6@wZ16B|Wh(n9cupWLx}6V!mo+2m}g5f8h~ z&_zM&TEa5Iu6!7{B!md6>FjX+bZqG_Tba=(FbSTLP^U!hnWB0%V*Qu`~rvY2*x^}9((0RHF z*|=`%_m#VJODR#YJp!stCj8Yp3-j%=*L^ku;DJMM_mk-Fag(X?BG+x%Isso89}a(r zI_&gEW4Ub5^09AdkL7oxVf%tJKBYp2Vrb2u$mtatHM)9RqObOBi-dCQD37)GOKnr? zaKymYhm91>+L>ZiQUUy=cqm4-SupT3kOt~t+oui-2ziSqKh)VNtM?*4Cb1y<p_1E1~uKrKzw6e z^Hu3KR%c@HLdAkx%5R<#0sTXNa9=Kcv}OFLtq|{Z%ZQyXOjawX9*H>=kDGnVPKmrf zOIa-4nQD|mRv(uVG#Gm7qE$_trhi!f?Z>&dDDWoLM#t^hq-ol$lZ^}Sb#7>fW0D$O z5EMA4m78LgXh>E6QkQn{aRhHf%$>$DH(LRHN5_VWu5fEpfIIm$HIvca*O}g$Ls=uM znqnizRvZ8DfPN0ccV=aBg^sOJ;^1<*q!hv?d95-BJUEOmlS8)K(LX7}g=0TVSDICv zO82ScU9gy&AKO@JY_+eie7#UNibNM_iu#@T&nuRLZ}7_+glOGUvknw2VS^~%bZ%Q` zgu7}kXB>>i%)|$-dbXq^@* zJELCI^012yZ}=|HHUiJBIX?z;(K_vg{I{Y#@QSS=GBDbK2ro`AQpS1lLo3ziea}E@ z^%N72y5*TfD6E>lmUI4F4@o@n!zK4h64R43^-Z`_9=$O<8U6H+dxr5p{ z9bpms6{Olfso;1#vvG^bJ*d0}g3EEY1^*J`y5^_5n{;K<~jY?H&K-HX57I6{q)4K`oSN*z=MYRqt+Q-*Hwu-v#U z_w*H0RWfZc^R>o->IKa215|%@o5J0oS8n(+ zEe0RLSXF_TdS1f())iaJ2;RR_VMJE;JiIcwwO3PvXw0)5l_4BNM3C1wxsa+Y?o9oQ z{GwEw`uJ@P^^+Aon_oMZ^Whzit|n)f9%Vi-S0Fg#L@ayOYg91a>M1-r4$DA%x<)9S zdC!gY(VS=0S5EQWlL|m5irz^YAXsQ9`+wK2V;gt{E!iy=tFUVB6CIJg#r3Z^7})Vr ztF*S7A#n1&bj_=MIAD9SE#6SIz6frSZ4%S}s<5xtI%$T;%L`l{$kY2#wDMXbsySDU z#HkEi(kx=RG;EfxYZ4coYQ1@q%Yv|eCEE2e0&nVuPHKvOPn2JPG)Fptu?nG-*v) zDZ+{(1Rp}nHA)LW8&mzQ&xqT8aGZD^ta05Y!p9%>#g(MxX3&rD6MNbRWskPHB|E%! z;*3T{LqqPpDP5V;C8X)y{epWzA?oFj>{8d1fA`x0E_|+{ow}(Z=xk7Ze80Lvw4B?@ z#|rZOL{md=Hk$;gV?p%z#Nh*~ki~elMXGncnPIce2WV)ATJm}CpkqaUjIuh|Tvk{7 zeQQhsD}^Pq8n#ENg!@!Pw$wBjMtTeD@jd?4RT;R|<(lQ|!b=REaD&0ezTVmxVJ7zx zi+%W+;o>W*<5gTrp$@eGs2khzEEcaIGNJ6ycz*`|Jbwl_w9sAj$9LZkBRETvtsfZx6px{@J42R4GYZN9e4?A~mDjsXcT zZE{lT5P*jxkl)&WLLFKztV1~A)IK+;KiRbAwAs};`Yw3E_=`M9VMcf}YSc5dh2R)` zLd@yMJ(umXRofO3L!akuS6~KL9>e{w^BLI%Cci7Jh7XkdJ<~PH^i~(7}pU8SDQ0C4^O>-yOS5V?*#Af!K$GQrn-`nt8yU}2Myc1*j;fzop0I=6#Ki3Y`* z9~#TFHI(*e0tV!EAiG#VL;~5xRDk0T0`q(ms~7upQttcg4o_Q%(U&#eWAJTUg02{Q zVM9I=&t;bwSs1w?7Y7DZ8PSoO-HL7)x}TLt^Xrh42;5KW-a~sPV9te=EdF%mB>aRv zpgjoOzp}5iegy6Z(Iu|-mUP&p128M)&A!Lm^L&-IP2ZBL`j-`T;hBL`-})~*X>4(I z-FE~dpS3TPwg52mzTE(mo$qK{ROGjaTT`;G7!?N zTVy@(Y^@%y$()QBmzPL>k&LMJ%)PpRzC9E!&y|JMWAOrqkHs5nXTsC#|QHeSM6#G52}8RS>K#j&x=o zW9t62#u`mwIEy`fjJ2M z9IvKI;CJkrc{y7+R9sHKotsR|#GT)4!TZ5Bc^8Wx?{UfH zRQ!sva86}w`$p-M8Q3T%Vx|dPt*qA*!z&d8H`_F?W6GqLjSxfB2v!_(xy}>v13q`8 zz_vcAR^k3CUNvqeisxTFW3TYjGfxuv+8_>?3x^=Dk7wK|V-^5EPZXwl zA{_K^%x9zQ1RU=LCYl<>oAM|0P+#)`+8`xPD+Rmu;yeZJI=b;>Y5yHH-iJ3N`)GuAm6OL?wLsw zFzzjGj`C-ZXc|UQ*d_TE%wJ~JZ0f5Q3aHwKuEPq=VFYn?Q~bpXrz>2gG#bAhwnX33 z99pthb$SWy2HfE~;FJ**QVVAo49!hnXeb91l>w$dBr-QGK06MT| z>itnkioF}TWGfITOVATY>D1ld>2SMF>bcFd3m%o_fLHRoCk-YGDDwb!Ft|vqS8Wcu zbz6L~a{F@a5Dze*4M>D@k?D`4jxU+6tH5t5CaeTgx(S~nYA>yio59s?@P7x0_bPKv z5q@-3pUQMIjCl>axfofUI|%KPFAGXm6o*-k-wlfEo4N4lIP}r+=I$0M_j4@d@H4fR zgyT`m{iC7u3EuBT@06`XRow9{{l469)|^wXuP5u?f{L2!lOH2@4Nj(@p0lpfv#CbJ z2ClxS!1#f`M}L>0LZQxhw_LRom39GsOlkfph%>5i!hF;Y7CPB{26jbKaa9mB#>{_R zzcNisb_PMnu%iiKrP8rS{>F&>Yu1HZM+A3R_0i=;Z*vf>$F;*B%WbLZZU3=Ytzopv zCC$Y)MBip!%Lllt2ZGYu#!k7~YkPTph<;GUwO8diU8M_rdo1&5%&mb z^YNIR7yvEI*!{I=_=LUg^PuL#?#1r~1{?rlubPPH%+H)-wP+7H0)opFJ7 z2t_f;k+30*QQ{1AYk4&}X4R$f-k9hjt(w3u!)X_G>dE-DZzSz=2A&irrbpI@^s@4R^4swzcS z(_Ny07m&6);H_ti@iAd~vDTbzNkEZC4MogR9(P-oCi|*z7Jivf;#uBh<5e~5Htsg| zN3@GDe?jtxHE*Uks~{`TYuWxH;bi-~eT-T&S{r$tIn#(6F`YmiR!MeJ`4Y12^6Q*4 z`l6=!!i6IzVM@FyFLrjLpC7;1thdJFIAL4@F9pLmC&huf1Y-~EzK2C@^&|Nk>Vgt| zO~ZOQ-;?*x!C24Y8r%wO-of`6=5_9R7Q3-?-(t>RuhqXCUj6?KxO8^3-^SsOtj0>O zrkX;)9Qi6G#`tKIq~B8hdv>=e9P#Xac-)XK`p1Cwn2vCc`gq%iW*1m+uYO%eEXdV` zm947M9m-g$Q)19khN2-{yAiEs?E$`skK%MBjKE*j0lect?AinJUNr+BlZc&hQJG1Z2eB zsFsGYt&qXZt{c&sXRZ~N6J{GyC_AFwS6lbYTINPQG zt`gXvR=yHfvBWG*gLZfN0Wsr^T5AYWAH>Bd7t9{k zuUn92?ABs&&qo*c)1i98dQM{$5zSzj(NOKvPB*D?Zd_fwcHQKkyp_pIr++@DA`$Jn zczy(JCyFwy$)iZC{T^YzYcCZ3a5B=(Z#^wZ{KO32})Zoq8SKQxPbbsIGBFUY(?Z>Y1 zxW6Bsfw{g=a1nyB)sY$kvc@F3kIUAmc9QJvj^8;U<`x-T?y-Yl4#_|Uz2KW!txODi zwR)cZ#5*YLFo<=3-4qOug=BvJDF)fddsg(PR>4Da1|_nw@`y)csu2#jiMtO=;Xf&gn}>^T+=NmMKA&e^O9v@d zEhM>?W1a7#R&zC0J2&=w7V3@Z8j}hdd}@PmRMwY1{=TNu?Z?#FL2t$DwtX8-uP5UO zzf9k*l`D<*;2mM53W3@yKoDlmdm{d0jax*5?kyhFRs>q4f%ZH+>T~4RNUzWW@G8U8 z*San^;>tjLpUch6xj3q_+^}G%tF*bfU1rthr9sfl35sI5#w_4O0>9kE<=^-_HO2q= zJ>%aWe+_@j`^MJ+9)MA<=rh4TwF(Lun&T;V~r@|TILjbN~Z;Ug&0b;0e7 z3Y6>nI=`(G*aDl-^)4B0`jC&moeLqE0k#5~wwqqFfn~kJl!FPulX`~-~FhMf8 znW+!H(pL69CO{43du>N1-K>0OuEPN^S9gHtnwMvD)M@RN)%Zo_6q4YV^>ekC4*&DW z{rb}n-|J5J+85n(R@Ry5jyzYNM73L(S2dl}a=nEN(ODXdepLT@j2gf>V!sO){({uD z@UD$Opm538nNW-kqo~cVgG8W+uJq>A>AoZ%20D%QsdJ>qM8m+E{zT0$IE~S+-$56Q|B4zj8ah8LO~+bTTu%c7mpS=XHg>8Yq9}ka-D23@WY64cwu=+Y z{p= zy-lHk%2<;D$6O6G_j89m1pmkCu_&l+sx)Kc&lHNMt2uD^2zq}nwx=0s<IkZwLLPf0Z9Bnaoely5AEBEIscFz1{|>M)_>Jo`FHh;)KYC| znIT<>J8nwU^PGK$=LWSGOkUG2f_-_XMxA|0pQkS?xhi2UlJah=umNiTYt_ul>4-jX zMpX0zoV)^mNY%T~1o5xz(hBPuKgBmgN(6lM2wuL1`okRn}BR zqRT1BE9zqoY5qLtnDwo>n8`nPBexQM_!)gTHPRmD;|qk;QzL=fgW|Pi^|rWf3=a$p z!kJoy%$)O&aK67;mZuhtow;rPF8iy$Bqy$y4BX5DHHqGY!gsa}OzzY_kJn&O`9f^l-&7!7uq*m8!MCtME71wN5ozwHO7NVxhuDQt-XIW z<$n%tn)i&KRh7amkWda|7bcwJX|%J!zLxjd!qPNbdnf6pQ2EvrP9`cvbpKE$i zS@hN+KUL@lW! zpJ2->vc@di_t8{ZQ;4A!BC9iO?1SB#ra=yN>9GV={j5 zkH^kQiv)`^AEVb-O}<)Y)XfzX0R+|#DoBMIAh^Z1>>hH2F&H#i6TnfiMv-2g(wTU0 z^xxP!qjvVrRqvs{DhNT&+;!Ktp)uIQ-)D*}b@~r4tajt&P4K6O%V;V!dfbJ+t8vvA z(q*aG0z7u03oXTY5;FJfjJ_U&bB==Q@CE$LlrKY0Zk~$*_r0xvA|;@72t`DtiIFNKN{fhqN=G0<6r_n%flx$Rs1X5?t{}aH z-lV96UP5mwLTDi%5FnJ$&f}bW?!ERo?>TF^&X@OnulX&>^?b-Ro-xMVe)s>j(*-2) zr75}HH`jcvCGhY@(RLUEXa$ z=UQ8-MG1vtMHC_T^N97u5GG1Z0HqtwXs)FxG@$|TBj*MGx4mTl{kZ?vV^=VA02PP@ z%w-Up2^xqd5Uma>Bkv5`)gilYh+xZN__(wJWt4b5oqZuyVJTD)tjzNgQ-8Op+g~SN zh*rUFoc6H<&`~xLuI6KFlJ<={^7y&A!=R;u&k_m!KJ}$eqomBnM2NJH;XWllk9DuB zDbZy5&E~UdEke+^DId$LWA0kKKfBKON7LKy+bmH4Ws2xYWM`#P{>VE ze8iTk+(<=tXUj5ZZ8V``T~%@V>$*i1)T>8lAf@IjRsZ|W{Z0s|@fok~+Q02Vz2hd! zQG4@ku=$#w+Pc8we5V>`9+1rJqDWJp3N`)gCkGH$!Y<19c+Olk;K z*}$=fO->=0@&J*RIv=m{gEXi<$<>mQ@<@;^Lkps-z-Iz>|OmKIl1-nb_9b^ejx8>KtMk^vXhmDrbHFKT3$ zKLf8ak32KMC}w(D0o{j5@P};zwOV&CD~AHm9>^sD?*eEwopJG^MQ#*IeCO?riTC_q zWM}E3rM>%wR2q&{x90Qd!#udCP(=WQ>1zRDdZX(Uxw?uP=9fL47IpwYHPTo(Kz+ap zvwYER;$!9x=JUdhd8Z!bw(IEw`irTR&jpyEsiAI3tsmdET3uhUvu9W&BzNZ@3J%>6 zn$Y8+5%@)mGH>0E{O7sK{~lK`KLME8znsZGOvE>nkb3yF+&)xbFMUw2bzlR+K1Wxl z5k#=BtG~Pa^MURDQplH9>Ubd*Q^w#nxUpA2hIeKD_wLJ&eqUpPw68lwY??21J0=60 zYOfx=D@A{DE~wnI?gZ_eGhM9#rYF1-B4ygvNf?>4!or}VCj6t3v&UEITTMO}z5STd zj@8M34# zG5k5$96`|^TE92nB~SFb3T`Mkx5tcnuUG{I8W{Hx4p3D7hV_M(ggxrWZ1MO{J}`m0 zI1RB9=&O4r&znqhO@f$7X048N9`)!*@*VZ;7G+mOOEp5b*M*xL&p-PXZm|#KgUhO* z@_X;RJ9uPl-&S?&4%MTK{G5l3!9aS>#XL}P=^Q@bI~7-Kb%DJfNbbm~`FR_3=L5~> zlW!NEPB^R_?~Ih)&t2L(*oysCAfat-b`Jl&y|K+Cc!j852UwgD{X10*?@NKsx|=Jn zB9R3PewI3iAfT}h2ru)@5v(%1NgfP^N_RFcg2E#?EgTx-Dl4HIO&fRQ;iR{J5{^^o9^vhWlJDmZ?mURLV-|y^fys?wKphBcGy8WEZ@+?)l8w z#Un5wVD~)`Vv88?Lg${iY|URmEPkDnf+;vt{gY@vDl_hF2tOAce&SNy68tv6$d*Gz zdvhBiG}jtjY^`<1`e)UHrVI6I`S@6>riUd!R0kXYc{ok+hiV=y6Va{S4R?$mXF7ih zaX0^@9Y6h#SHnO5{7EI?(=VSwgy3MXppBi5QXmSIMtA#)Zf-CGox<9qLL0)M)`+Nz zlCHTAlI=7KYbBM|xf1`_^aS^Db z8Y?i?uZP&G$V!x~R=*5+DOXHOo}8l`+ecZXZv_m|au=WQH%Aw=hZa8#sYp zERD{V?~!CJ@ipo??YY{7uy9B*aAe$HwYXSNc#|j6Z4eGG==K=~Ozm)fUa1GKC_Y(! z9Y@t{^KIw^GX4oG@g^@$_m1s-_FSxRTx@JP> z4HV_r30Iat{>5-dWP+DOAjiB~->Fy9<29ql?gnO0{jB*RFk8Fmc=39}irM3z z(rFDxk}t#mC)@MSzJ^@*)mq5uCH<2UxBXLPa6#9yR}y#UkhxxWgNyRD*9Q4?-^|c0 zp8op&E#S^h(~JK;o_b+xwD89;f3}Pj{sTtAw&a53mpi(=N_vCva?YlLY8hHL`RfqE z9kXerB(SZYv*576DJufLLgD!QykK$?Z z7|A0oH{MDyEMhPfN#_Xsl>)r^&F*Fnxl>a@Jmm042{3oZ;39YoHL`q5x6#{VXUCKM z4byU+nXyI9WA;Gg+?oIKW&d|R?mzy%`idXWR7iMlIPlb9${axpxcjnU4MM}4W_@*5 z*w_1aMt>SxMm`k!f278TME-=v-@M(7_&Koj7c=fOlg; zM@Clg=1E(3t$mj0-0_;cflBU+_c0#coWoVQ*gOTqe!=4iAY*%A>2^m05Xf2Oe^t*2 zz)|kw8*BbQD=*qb+)Ib3kv0QePUU6y`;nqd3eISDrbw0p4)RuW~JrFZ(q%NDKf9j5E+MS=AW2IjjDjB)RPx#-rw$I58 z6PIKy@riw#%A6rl4MNjo6{02ykra}8e!o2c>juxe*KH<&dO!LA%)75QBZQS+EbX-O z1qzXS1tGjCZtWqAHv7HY;os|qWx-CT59S=*idv;n)lMgwPI?}#G(AFoXUb(Ec}B8F z*a1+RN2&U49kW|syV;ju!$>%RO(TD?u7t{$J>ac|Y>WUv4LnDCoXldr^@U-`12AkDy{});=P9%HOJ%+# z9p1}{?;^7AHm(je{;(cIv2@W-9pibEkZd|!AHS;dIk26xMvG;Riz5!!NVX52fCSzJung=6WfV7T zRperL1}BHg|KLjRo>BfKM!@{sgxS`f}P z0O|VH#tj|xQn!*TmR;H||7NxCVFUB81-uIsd9&)@Ga|I?Vz_)%H<_irGO1;2d`-5( z>*+t=H)xp-7^Q!#cra55J`JP3ZVP8Zc_kD$`o)m9xl|Y*o#!Ug0q2lmc>iFq80s{< z5z%$#1o!ht>ef7E)=k5Rw8U+G2cMBLG31`j7pY(dmn}i_Ue5XuD=UnL%`kDy#cBA{ zQ)D1wsOiS3$Yk8>rdqc#4L=F*(6R>kXEL#7F!L4l6D`u z{iBrnTa13J8?~au?(b)Jy_K5AQGJOL9=?Yh0G7MslXg=0@avC{188{7Jl}!#AR;V? z?ed{MZ2E9wDf00?JNA0IW9;u;^32E9qyB@@l)=hY7e#$tEVgdDP+B=v_!Dax$;6=Q zFl`D%s9ur9NlajB+$gtU{P$E-BJYf9$Xo6tidk7}y!UXKby&UUkiNbM6~$*~{KIHz z-&!r?UF(msN~xKQMtU%g+QQX3@zFJEddH%ljH{I5%StJ6x#2o&fw_Xx;4k+r3KBVQ z?R@kM%zLy-o>XZ#U^-qRK(r|pnlRnII5QLQsfEiAc78A7b1T(tEF~kQq{7{P3AEVs zd5;)b(qLV60fOvPc!O;W^ptiuNq!ic0ekK(zx$28!xy!rXW;XtgQ-PyPW$(kruYVM z8in|n4;C8_?8+3hfO?B!;DJCeA=O-n#z##iA-8FSBWbyJEIc!cPk3)MsZ(zAR?>hH zl(b+`>etD!w<^#mGm<>QRixC2^8RXC&?i-37N5f8W0;&~v=6k9ZuSt-4t5;Vp43Ga z$OVDV-@@eoOS0ZN@|gwnEUwcIBI`9WdgMlg=VEF0K$I4E35{|fcB%P7IlS9Gr*a}- zXrTSNrFhG9n>*fYjZPmCoCHGu?8?THDns#flTO}Onm(VT&Y#> zbRg4lo5eEqrJD3qN_%0smn)E+gQQoby4&6dgF~d2%(xBp%@_%V_*y`mZM2sY!)SxQ zstE~BJDd1ms?;>tG-C6{a>c3EPM{IQ4jIXN(;C9fKBCS5d&D*Ht4||TIw-1NZqMP# z;#Nk~&T4DEKV%+ZD&jB2oU6A=_%JOVpSq>iDYl_cdJFt`M;# z1KEqNQudMlsR8U9VKRR#GV1#KWVas4j-#lb_p=J>2>(tR;O&VEIUtPTfHtEk2WS$CrG%0vy2b~qcJe&;{x3ii`&1W9W4a`2J$*gAuf-C+k-=BP0hEc9 z0kI#A|4YgM@EFIB>-|rl35}B0273**vj|SFj zhL=mqF0d04sl;NT;k1g6lC%eO4Y*O!$I!)Tq|fkhG%bpd(A|EgPHfeonTrVMl2=yx za$hG&Hv{!$qohtv=NrT3Z%n9VEsSz*=CA61$=a_^$oR{Q6`kAP8mjgJ*ONAVvS3;&S4rU#U?)A8DX# z==q@d{wk|18aw~Z zn*3)~;cwRDuawi@tjXW3$=|HW->k{stjXW3$sft|zgd$%NWA|~vnFcFlLG1wTOv4T zX{`^?t$lA85Vg>i5I;1i&Fx>(?D@05<>3MAuk@s>t+^J;`uq4#84UE^cH$?fGphk>mt013EGA@h^tYBR_S^M=`rI}v-V?M|Y^ccOzR22? zm|%MA0T@9zyH7Tj#%7(ie;zL6*C+a5fN@uRL6Cnq&fx*s3dv+^uEs00?e`nUte#mKeTA~#mbKr`@SM1luy{QL`taOXI203ut+f1 zpL);rTEl|DH=*k>@l>jDW1bhq_^adNWZ#)4s|-O3#o`Uz%w3tsi?$>gKUSwN4V}8N zu6*J#lu7$3Bj$?BGuT;g=AXE{rdA$@yQ zqs%VMK(U~$ozKq-w>QeXSr9r^uKTUN~rD%-{I!5wH5 zWxWf-i96~GksJ9w|7_W1W!}pw3swik3%#CDzm(-d73N9V47-(i_(^Z(e&oA$?od7V z`R}ZY$shFdwFt#3w1W$dwo!bjW#091=iD1SoNJxB+c2x zsX2N+jT^DE_DeuKd$4y>CHJ=u+=^2~B`b#f;gA-=XJ=M%xn}I0dVmN8P8Niuk0-0`&LPI*;kI zn!l!V9aLerzLXnuFtCBmbP}=0GPd(Oe*fw zS@FI=ZNnFh4MGxbLpnkV&C^>bx6M;=pSV;5fN9Tnec9fQQXZZQU@AUw!rdROt#v{P zLFz6_(1TaRX7kOcL=7;p)_55$v5=VIbtlYxoIl!LjN*86!c3_xzzFVVKNI#X`v8~I zNEO!IGc?ifd?U`?Epk~@fPqY##j<5fO_Hb<6 z*WPm=A%@3?th-ZrL(XuVMQsp4jdja;6~o!kpm;H3mPQT7X1g~B&x!B+`|9NVt`0}t z@!F2wo~w$I208xxw3zpMYmElwT+_MW^ultVG6H_hpOC=jh-03l_O26buhE{{SwL}5QSRLASS-QbrZC`m_A##SINL_aQd5m5E4 zy(n`Ot=({>Z7~N+YEnOXx8%N_iZAspd_Ts7j=b|N?4F{vEk7<7Dzp5K>ZK*<>wH$U zaj8Q?An2mbHZwkggii>1D8e^(zHoCP{#it*$4S1$B^X9=^N}fPn#j?6_=!02vrP1x z(0+8JHt$#LL&v<}+sx!Foiq^bhLRkJT-&-`A}gz()1+E=VVCIR^sjDMU|-*efxqil zRXn1@^X|P(QtEJe`6S1z>UCE+)zK;8(6rdW*HKLE$VV|L3ahVi@6*}7M49=nOvxKQnt<1S7N5{+v!oszeqzJZ=cwH%|HE+C3nMOKT2W|d~F4H=rB zn7c3JwJ(v<=F=gtbg$9#+c_r%FudUFB?WbFyh?>;Ixvw3;{BwzP_63{KhH%6Zy(o< z4wrrw^Fyl|*7C#GF!|ZHzCPrZ8Mj9w@YR8Z{4icfQdrRZhc5!nr{s=t%770Yd0bD~ zSTt)g<(cr>{pmp&GR&}xmvC#yjpADoH#ytQ`ngn%-ZxSR=-}X9ltsWQpNsAugx9HuM8m|NqAH3zi@f{*Bx_B_ypHW zk+Qvkau=2!`Zq|1X#bN4H17fPw@YpGvrzlBl6i7}OifM@7|QbK1Ucrl36XGZAp)_# z&Nmo~F@s!Em+^Y9%We^(M;mhc5#3H~lSFh8*T!Rach&1YaoDkIG0vgc@wQjKaUky^j^p`@Z^y*SdN}iko(e7UTaXv!e^0+Rb&XdrD*3|HrL>kg#b~EG7@l6 z1lO+3F!VW#R!4H^z8`_vU5Ve4*;${Kd%rrIYHN7LdgxUoS4W>&Om4MbXSt!U;KY+N zaj$;8m{63oE2eLH1$}Bu>1>lWRG@OD)Jz34K-|TO3r-N4!;#r3ADeeq)JTrt+cni!$* za5fW6)Eu=>xqnMvzjb@eCcEWe_veGsq0F~vL-wnc-2bu(0N&!KR$l+x>yO^}C2pbv z7n94kuN79`TaD@!xc2GN%eofxWf8{DQJtmcC&iaYU9IW*RDcT?($2xxr<%eYQO z3ft+zqPqc^nos0tR7Wzed0##E(u@gh$|lt@lAwTI!V&w4bWr=jN6|trT!&LlgL0zi zp3RbzX9tuX>H6)_`F3l910lYYOz;k_bP(~O;n8KwbJ^w{_sj?jjZP*hS~$&%1=G&6 zZnDkOI#AyEG*8>Egk9UZYe*}nj1+ew%XRz1+$S|t!He4rBTL(M;pnRK^-jxytU8y2 z&59r1R9p*zBg?vF!p%{e1y25u5Tz85ge2q7cFd2tm1$Sye;Q;hK^S{EYI|ez~+|-&|IF zGS_(<>md^;$9n}4XjyW@?)2z%l%(?}X$X>+mq#GC>)^T)%EGEBk=&5W?kklKa;+S~ zLOm+pTPFS9@jQ9rGO!*z{0+}!e6 zV!adH?~IEI#vK4Rrl$1E3qlgriU-s$6|q@43n)c|Lkz_L%h%{3oxSsjanqwIQ z)O2LilEqG3S5Ef5I|%rMlkkwP5Mo!5Jr+`rC(sR~jjE!F!--FC5Y|46B8m@)AslNQ$ z1;L3Kk< zh8o_&Uhjkm&o8Ay(hqQ9u{Z8OC8f`X=f7Xcg%SjHI#$;vZ>Tt_z2*kwedB*S70z;NW$9 ziVAM%4EO|$S9Aa52h!{8@w^ZnrZe|>-Hf-Rz0I9N<1vc$`jWXp7~VbrNh8@BY}Pee zvE*XB_q-D;eSk0~{5{M41=y9iYF#AJX^0}*`oOV~^*GZ4ciKdWoy~`>c=2!x>!=9h zg+eP4@0ACA8DAxY5xNFkte}jLtxhmS$SkISmHB*K(>$Vka2yYikE|#_q=I zoDr0WwM1vjT=zat7|qo@V_kiRBOqI(h7UfI>Dpl<%;->nQB6NV4yPc4V#pV>B$4y=5z68rgo9~Qi-^Q|nd14q%dVFE%(J)}SFxpMk*oQ9Qmb)tqLR7I z2_~ZzIiU>q9K1=ADUgyuU6@mrTz-*#yB?Y#jq%EDbSB5+!x%nm*I9MD{cuPuH=D2k)UGtyOzq9?vX z78n&6i^iJZZsoKGdg6T zVwJYgQdQsdR=}*RWD-LPYvjKY=>O%bKji%*c$%~wE*JyZB&D#aDxNrC)=Y<(3bEA* zMt40DGLRSiZo$f~DI<3q=VTy0>!iMxsK6?8o#z6%DprL@YA{|$VLdOzwHpg5@f3Hp z7o%v~f{w3*?X>Hg-q);Mj)?qL7vg+P#}nZUeSP<#o0@d>nd5Wu!=GxO_^QLJuP~kL zo1N8lSn4MqJtCi%H27M}*E{SphA0M>8A^vT1#{Rwvl20263h)k$R|s)J1Krsq%Gxj z50taj{9wnnM#OTFbn2+cCj1VojoU5NIw>10`WnFYhnW`mCwcFWveFAqNcPB!n>dzu zM%wtgj08SpkoUg30ejZS)sW?t!vu2t{3S?g$=VuMZsQmJUL^|sImFK`bG7>|*?GzD z;o+$7ZjlpyWu*YJ*$z9nL<9EJ8{BmNDElLsU1@7vM8TEF9K%;#rKbY;1u=YevUv*b zVmpJ+>nVxNF1iOCN%o~0?eU`EP4zm@^*ObzR1|!1_yKMPE&|xL)$AOTw~MbeB{2qt zCe0d$F6mtr%NGbkr^6$EFPCtF`B&aXkT9E;6(lMAn$uK(O;KoDr9Z|54aJA0@K_oV z#An@I$+4sBCWNQa;XN;>RnO43?`8-QO#5{9bH&?#j_RdxbfeAoXR<~1L;LPCS}$~H zW~I~YkT9uuoikATj@ICrGQ9`TFOAns%zlA|CI#O7DYL9{!1R|Bjo!pJ)E8&;OZ;^gO3ab!Qdj`)Pv^QAtObhU7{W(TWoPvIWLm2{7l zdNrrv;+S+7{Sde9H+D}qsLW&_7$;Rve$l+GqPVjy)R)z5km*uW`l$W&sOQLX$&)@p zwc9uGzKq@FS%K!A@6UgT65fcTU`36aq*1>{ANt+?OwDN=`0)Jl!G55eYwxG(hclj; zd&%gniVgX%5N#NPI%+j+%pyAtl+hZ2kw_btxG>@J{8F~*&J{sEGV>{cP2R)(X#yO! zck|v$zAm?Uv*++bU)tulc^ot=Tr#*_k>6U!;`Fn>bl? zH1;ldi*4T)To$hAJ;$_y=5WHabuT`g7ZcFY^uDyyv7VzT=ClUN_gb1&yfincxJ1wt zuE@!l*h!#{u5Yg?4h@RU#AKk#Iz>?Cm~Aimppn2QMz%J$7G|yeUz*iQ0FV78T8y&hpl#_ zQV$JN?&}fU#uJcu3Bee zQPTHYmN4v(8w7VcVCGjqQ2iZ1owD$Ao84dkrax@cP@5h;Tj8n!1mBMrGCf@Pj)){lv>CsnKkxs}3)i78 z=7hF=FRJeDy;c^J0mVHt&~m5r*s%g}Ae~#zXJbl?36ALCn{1aKw>6-MOV5W%k+59b zdp6@IzO<@kH7bf0)jPR%rR-uhCOzvwg|a^sp@%i*QcrF)VmhTq+LZVSWKaDGJ(00m zvyV@H_&(q@9G&m+5svO}U@f!4M`68pdgbN|rbKbE+-yKXYd#s}t0?2?+?6bUz5lDo zz~Pj%W}26eM^M$m_k*M#Em-yMEO^+Vve<)4F`rEeYsv2N_pqw(ZclzRsM~r`9%p*k$!#~6xJM^<4eh(qYyXB(rS#wrpUh!b%5jEH0;;_!$Iq2F6{u1JgpcL89u;0=5zpMPX&oYg{4~)CEgq z-INylc+0-_j10kfs=&+im1ayxk)oxu60c^uZ=NP!Ep^`QR>y8%e5R@MS*-Wm`zmUg z<~7;t?#|2s4p>lA7Uc?RLG={0kM6;!rkpn za9{JN^tF!?g4a*CM;t8S^gX}5oi7Pn@l4khpzags5vUK1%U;JsZ=B`u+h2~Pv`ig6r@#8k z8%Pm?G|OAX;NM&p8nr+6((!9@W?tGRhqvjYUfpuh5U;+w8a>JIIe=v))NFGtMUD{K z_a*q5x(HnH!Yneo@s_KGxTQWO#e1md=V*>fgXL=zAk0ZoWHS}Dj0=hM?#_a)v33du z8&Ud-yqk-E-3s7jX}cPPQ-1j&?U5sghsvf_y?@PgTuPx$Hq)m-CquMJwGphBOe{C-v?%(~EK2UGi%v-K@9`zW=62p7Z;nhp#9EA9 z-LQO?45dT>mv_OAfHqW`&2k(A$|>HB=nC)NXk7|2K@DZ8&l<3%p`%zcc-(rLrxb!z zdCR$-1BEC@wp-r$(cgddj2dKyY;E55crMlLA*7=w7_@C5xH@i!%@o2wB^VOihRd5I zeK!jgGngL#Yn9HwZr;hHs2h%}k6Jjblf{o!#anuxJ?_iwE#g!%+9afm)A(XQf;v`A zb-ucVttU(h=F%KIi+kI5DP-*yIP12L>!2ZQwE!0o_ShVvi8t}SXnVJ@Ab{bX&+uq_ zXbziifAj;?7+EcES2+Z`W;oJ1QJnKWn6;cH@8;UV>b1+voeIa8J~HYkdfl?&iM@HI zjPCj9*mURJLL-AC_j#=ddWfBK876~<4MqkMMWji18q3C#KEi9(TKz4#DJ`)-zwz$u zK@MV0x3CmC|0>6EO^fBY;Dr3u&5du|Om9=6G3&pT_Wvtx^tU~c*d23<@h;c%Z%(q| zQ1up$p>ZZtpk#|4e9zSVUmkTc0r&9o`_9lN2%pR#r@Q{S8Bg_=oE z!lG%xln`yH{&09^az~IkC6x6KT|3L$*U3bEO}Dp?btmr5PUz9sQ(K2$5pOV@tfJ{t zoXnM){cv;PNv!|7k(+KuHfKJ!Fz-ZgFQBCIe&X)2{vacXG!|Hel7c}I+4>yt(FjSY zrQG(2;+FWjf+1E&I<-JQjf+lZs4wAdW-HtW5Vp&AVRMKIKR+8be*$2}rR8#Axc z)~*N*Mo(h7h$0bES4NAiJKtx|Pk4OV*honJ@mv1tUtocrP%pP)0zZKv64)`@#TDRf z&hW$e;YhQE`l_&cxq07wMZoC71Q zw)P}e&AOde2q%#5@zestGL~{B1z>4eDdc=?0~Z@Cuz!pA>lE=Ry^8twPSKwmL=+gC zS-!4uM(#HASDedBm>%QC=oHsyGi98erMifp_i9kcc_k>zPAA4#ft=hHq%EJTBjMer z!GE<~r_4)Vf}$CL*6GMJ288a$A&@o=v!U?EK?BVu`-FVH(0hE|X#M@QGovIn;k@g` zbj+(cgUO7!G=0+|7Krh30|`o|_c5b)v0i5U&KdC-tD{(so%iq=LkB|%Zz6`?U(#t! z4NF~<^!Z|1vr0TC0$!@UbQ`tMYC<8a_1?rSf>rC*@8FKJg#Vt&`;S^9k?(|8=X z-ZD8*zM46CNvetWrDWhcR=-ouykGdhJ5oYKkX7{NC^BBlYqS5C++6~D{oZZxj)e*q z+N-HY8x`w}L^6ovb>)BS2#Tz}e>-V-)HomGj7@E8;=0G9FoX|QKe$<1bUQ&M#7g~9 zh9{R5CbFLHNr}CXVA9c2OV?4B6EE9@51lcoCVANUwO2{9UC}yFl9t$Q3Wr1-*P7uS zo0y^{xE)D1$^R9clBw(HwVpzXsZwC74MpAor)4Qg&Sl+lRD77|e1-it{rUeeF(;4J ze~t-_ce;r~Nzpjs0WrA3Ee2dO^PM_0AAW z?1btg4!T$@U1^|NnhdUVo&w`jh)s2^6cuTGFd}%f3#W|ZW_H9~Z*|1cpBMYB%+z0Y z_FWP)5vZeE^&Nyu<-xQ>m3hAj4GTBYJ!SbO=#*+C)ZZj++5M_5&G?t{9lAA;A@wzB zT6efrhaC2qR)9&_XE+m#>Uo#A{iM6VbUPFor0v;zDa5NOiW&Q-^j*4%aGIvVP6WAN zJ?;ELUT;C-h<{xC@%($zI!YVc2C|a;u{t+cM9sw3O?LaU0PVXMXhsY55TbGppTcYm zSmu_CsTlPJcKsp@nunDxvwdT?1Ns_`UF&25lU!(q457}eHYR9~`9w7PEu+8gyx%e% zH)I8R?FG%By|~}#yYC@1(J2MBRiZH!26f{eyoBK%Vq)!F`;h_9Pp~hna}ZRcnFJU= z!%Z(1#vM<)4`+1EyTljktO1rdC&5O^&85z~@e^}tEWH7LqY;*4}G(htJp}W z;}U-^{_fKqBHB3G`wdp-FY9?!s5g@CS`r$*SeTaObLkDZitpqx-fx0(n$I#P&z7*Q(Dg)n zsGHb6O7s%(F#qG zYc92Z#cCmLioO}E>9noQg=~5A=1rN?li-b(<5`^Z&J6$7qTChy(}X&3Dk*|hfK;x~ ziR@5gMG69;Viu)3+j4Pef%ndYBD++JPECjQnIT-DvmUMerjTs4T z3w30Alaf-6AhEjEcO$%;gwu{Hc_v&B)7P>$iP5bqHky;Oa_ta8Y%tKPeY~u2_F;*{ z&CA?xQh))f<2-aXvzshL_s2RV4okHcu!-BC<8KQxF^?NOh@kF{Y`)@>EX>u0jd({- zwzbKORHJxLSGHNunD)HBec-HIcZcZVsiq^K6&{{MfqL=_o0b~Wrhm(whz0hC2rJLK zYs=NsYc}K2QqTy2Wzc!)YB-(g#S^I@sx9cfw%4{g+NwF6KC|9KGc#@b?siVYQl2EZ zTX686?tWPd_@2brsOX!7y{>*cacJDe)N4G#xwN-knlXL<6b;86l1?3%VT%SJ=8fKvNNkos<`k* z8hU03F5)95Dl=TmnKu%4$=bVvnptSN8|lIS_}?=Y-y?36g?f}D0J6c=UhQ;%sYt`w zvg+F<1qrI3)VX&zLy zwkGp*-{O3zR6#;}P%MQktS#v0O|v^t{<8V^65W5@rGVRzsD%@qKyTeop3E55MaSa` zjy}JIlNw%48*Ku>VjWa8QCWXV+Jdz)6yF=xbOIh~WZy++M=pFMy2z@+U_WDFb@%ww z7+X*if7%)V7O&~<-_<9TvHiI1vrbx*|XWt5(2coYr@Yj<=va><>F4~ z!QEGpnt6nQLDK(3i{FpfezZk@kiEBkCJg+=LP}OGasP!)$9q%Ue;kAxV719k$;LZ? zsvGO!kfw=E^Q>;8FV!#rI$r$s>aV2XHS{Oof!9wPW{1nataWA{>}T6u(cB8&;rv$b zq3};=pUEWjuaK7D7?5<*KnUs0bNo+;w=uG&?Y=!ZIN)1_lkg0f!C~ z#G0>$TaLxbcTl(aM}>*RcGd82U0AYeAhC8n~aK?ziP)KV8o zOIk&L;hu~uL+EMQv){N>n`~7hMX`)`>)GED-7IDU7yyXZ%fBr#nQqZJN2bi{KHu#9 zWLst?d2LzNl3JrKmbJ-{#=r_vtk>)-F!anRyCHr?OI}JJNYpuvG@U`sW6!&$5y9C= zCFNV}`8RO(1Maw0a;J2IF`Zb+#@a$*)x^_*jo}B3T8&?=u`&t{J=YJvZ0sIq9Im_y zd$z)BQ`&wZf2p1bJptXBiE+i(Z)Iv+NR<<>TUGuZKbjD6<2c>M+-DK-@=N$YLnEx% ztj(GZ+E37;<6X`$ z*dro7bCYqLFJ*fn;op3wjm)jv*L^mzDLtIN{~++wmvHg83E$nH3#plvj1cf#i>FAnwxepXHNiby=xQ407NW~emz4fSJx;Y+wg zZs0f9b@2tD)~LDl!v&tLS{J~iq*#A=Kr2s^PEL6~krMp0K|^8Y-SNwwb^ip>_cmmH zA_HPF4LDw|cBcvH&2>ELo<=#6A%sq;?mRih(%2ZOavQwxL4>L9yi-nF(3On%lxj)K zyD=u2=9G5-$qdD%(B>@PQ23x>uH^1JsC0rRVsA)OOtgNw=@UW;xCBUcI!xQQ@riYL z_;12}0v}^P&`I1>)@njC-f7}7jqEIv8|w&Q!SKFE+!%N;)7x%PL}v9MMw7ToA)+DP zgOX*#9U3cnh?deUKh>RHjpAr}Wj=_El{e>OiJ?d807cD9X~jsX>`jsC-X;nD@(?;c zQ}2R+5qNxVmQ=h;(?Gwb*z3x}Q+Pwo&?BmKTN5al((cA|X6--)+5@#*Vh5C8eqN_6 zGBi!>F2xtskw~sBHrXFevcGMVH6cbP)@yi^qK`)kFK7zEv!sVjB*jZtzbp*u9$aO^ z1CzZ-^+Vh~l+Aq)iu6b(9=a>`;|LRUkKsT+`!nLExP;jWkwjhyN+ScqTUr_ToM`T1%>nr7$j_cB3caNmdbID9P)-*umg^Mz2Mg zK7rcTfCA&)?ih^pmzx|%Zmh3aVE8Q5@de&I94QjsVr9Has@JS2lCW8R%z;UF;(KZ> z^QgX#`;Z==x7$>1rfD7q{N;|l=Y`=86&{LQILY=66KeKV6i-;6u}T~sX3+(q0XcGn zS^W`KI~6tPP51km#Yi;lZ=gqcm9o7=^Tzkf> zKQyyHDA$?%%B!^@L;fF}y>~dAYuhiJwveSqqIW?=i{4Fy5IuwMcpQwS|L%sKZT8mmxd)HyAU3fq1)6_=mzrcS zFG^&h^#|m6{Ej!^l~sphmUxJ5BgY9EUdc3(KYUW15ttD*(a&Gx!t_tV>0P(`AE*9$ zEbjD^t*qhtBQY$0>_pWDnkG#kjBmiMD}<7{Tw@XIkBNRhzQ|*9L;i624gXtEFa~%) z%iQXX&lq4a=GE1%BRoMr6BqcEQ;$`Pj^$YhC6P}}mApTt=P(&i9UgpAd~QQnEMq;o zn-~^HZcWlHcrdf<(!qQ}xZl1&=0ij*tm0r#uqr>AKl9G%ZX{@H_a^ZM zad||4B=GdO0NcIB`~I8`tpVNBRA2#<{NQ+7)v}T4dzevF%Z0`^Vg{AvbO)T4D#SoX z->FffDwA7}l%tyv`ZQ{Tv^+MC=Fh+5N2uG*Pq%<}Y%T=8j_s|ZwXjt0f+%`F z3;9t0D#?L@+$vn=@)c~N`i@5DgglfPbTTVw8#4Beq!T%EJ4I)&_ET+=aN7|&_P~6$dF%(g zxabY6vwkj=UzY)Iii7J&$?c?j&8yN>wbc{MPZW=HU;MZ(h^(xfORQClY&tGqa@}de z+km%gCs5_^e#6E@ztx0QnR$p{$kAe?^U%jILU}C>418>^0jp{~1HX(8_G-cuKF^x} z(S!VP4clB|OH9~!^b%7hs=O(yZF*9=lIw8@Pw*M@*4<5!^akCn8*ePi^&348JXrU4 zgNV)%39U!1C^l4&PjRx7r|C|&MW{?_;OI$kb(|D!m0E|(KTo^gCU^kggZ-SvlPK&y zvc9##NTkLP?JN+o4eGmZB@+oeu6G{fr?;P(4FKCJ9PMu+Ig*b$Zp&{S*$ZyI$HoZy zybb1sc^Cf`@hLrKs{68<-c$>RbwuYut`7^SOZ6Vd7zq>h8G@8`gZ27#lN~_-CRnU&2)y+m z?RKSwsDt^VtLH-@u$Q)(@ld2h?(qoqWNOCaLnP3MUm z==(axKe0rp_xV-o!g!fq+!ZzGJxprKIT55<&Z#Hd(DTlDS0@}rIbm&F&E_>KhFNaU zv6u>|F$>74MPa+y$GQ+4GlcT#5d1s`w3uU`WSYtGgYre^;#|ZQP<-^Dg;D%O(K))4 zq3_vO7LO*mlzUX5gO3M?Gaf|_i6Ako#_IDlo4cokd{7M+^_Ycfr+VVq?Ni5{5OI?{ z_4wXp)*jQ7oqBx>e&rD9{e=t^Zo)O&wPgoZX7u@(TA~{p{JBG zUA4h7^_MVid6X0S&D&p%veJ(F*I9i;liDcCyZP#8ecdv>BAB{X_iCld9t5BIxBH&3 z1(-mbU~Z4jeCPGrr$140l@14&_MIE;Sn856MF2@d^1tm*CW&Q>(6OS^XG+;Newn12s0DRY_&<{nyvfP^O4IZ=OV^* z29fTyZcUq&!Khp3Ew=}NuGFn}uV2w+vJsQW&zd!E<$!Z_IcS7gFpE_qBkG) zIeG0d(85&CCdwNLx3lb4;PIdL(gBo$m)Yh&Fe7d3VRH*V5!wNDQG@D;SAa($3ZxUu z+RdDEq`qY?Vb%e<>$bkYCcw^eMYIGwkgGyPFe0}d+b&lB;KLe<;NDn%IpBR6`uYZ@vr?5Fu?(s=lCPse2%DT^yY_k2C6 z1l}>pZ{JD;`M>eIekrK&@jZ$6JZbN3sV~ zGU2!9En=wof*LI)ttiddeHM3TU3moQ2NqFiOMDD{qreNe;wc!aiKZu(g)B7 zE3~c;el7qSnnJm@5fv2~G6N$j&fPxJJjRxm6*4(8Cb5ScV0D-=^Ux+=?AtZ}2cGzYFZY+@DHsG6;EnuuzJLfYUc{6ZW=6e<8Pc|By-64<*f`S zSjr)2VL|7kRZzjLy;{ibr^pfDW=RRXi5G=sh-lU**4IrtHV5|2t~sZfI}WNLWaa{S zK=p;0-ld$w?NbR+6F~hAdX0@u0FBF(Fx`W-Oqan~1`nN(<>79_^FWEYo^)Gh4MbT{ zRoij7OHCDchv2BV*^q#L^$hE&DWqv1OtQF*D@-yLSB7M_y%3Q!EIZ4_afjbj78_ zBy@)0K}k5!DS^uEz!kmiGgbGa7v%1gVqawKk5sOo4=sAaHmJew=XyBfy}3PoaLXgr zCBtnn2=0a;7hRn^3iq5tO7?9Dd$jNCjeD`*ligTf+EbpJOT|aB`adhMQIaD2^M-xF zAf3Ll`A<3zQx|ja)GfGMfw4)|daapHj#z89*XoqvO3=hFXpX}nXg5jv7%Zbg))$11 z_Y)S4XEnc`h?K4q`m&3js{7uRWqcsy-hf>#w|$v$%Tk$Hs?sRpp!T)7P;=!(R`4~=)EoDV{u*wzjnPc61!SL?JGK~VUhazNJ-rs&*g*i;lv z`Fv^(Ps(cLw&B~3?k!vSfS-r98^P2mh(dcp@iHgIKQuy!UVT>kA|E!Db{AA{Da8)d z&+=_9QF;R3G|Gl=P!M;)&>vGRgDKa=p`L^e=@YrqkXATt9=&Uyp7F*Bv|{; zz&|_D-bR$qdlgw*?xtjWZ(z)kNC9N7;YDXIoLfD*8hRHxm!Q0Qq-DFp6zyDdQJ6q^ z0!P>G1Mr@?#u>OulLyb^w~;&-IF1!UhbjXfXw$jYaoz%^I(B_Ch-AVCl;-!6@ayr; zPNz7u(Z;DYUVLz6=L^cFwT+Nw2|wRCoN1q4ZvAKeenBDZK0HXAIKbavIpy=8DHWaYi-h+$tPqeuEC%)NOfBF2)( z15tLZ+a5qHqL7w0?+4|VMr%e5wNneFH+7|F#FaHq?l-OW_U&htYB>4~8TKwA-X@aW|Jm`0v(vH+!yZY8;o<4&WvpE9{!A;a zC|L|flpppk^f<*0wSyk{Tu|P=SV-6g=UC_c8+vKgoqw*lsSi4pwD!iVjBQZiucFy4 z!6m%#?Ulf+F;rhg>ikx~X{~9#b5Yp5b=D}@!!NA@9^7^S!ncs4luv%cx}xXp&s(<8 z5aj#Agz>*hxdb2Tx;%$gY@gYAbu&NP_i4+vXPL0HhmYEvRkxGYgt^OrBvR3*zS`NS z&oXhjOs>ZSLuf!Y0rXq1tC7vP!$5{&cr$WisT6Wa1wKf(w(sVwd&J!e!7$8j4enT@aPo;=~{Z&^2&zb%uTgz zSLEa^0{oGE_53hDoJ|UN2hi%DA9TSJWXgWm^s)asR#&uET?LBzImIS8_j^1r=o8(G z@pyZjTn(ND`{s?)KM&aV-7fCfj`=IEuOc|OZDYjlM#!qR;3x^)5l5ohA}5qffF61&2ib{hI2j_CZ@=k$d1#(TwW_SL5N z7%G*-cCfHRF*y)JuZFu-CVNH zdRmW!##MdDyDbbq`%jo*xg-tw@$|k-`vB~#(gMD{j0T%#W?wD2)jtB?{1nOY{w#C@ zqmtHiXMhbRdhAd3A~h9<`k0#4zZ{73jID<`bfTu1lN6 zwZ=TtK87RTt!~cnchK1u9QoHId6xg1E)jHdxzY=@g9qKok=mM-4$X0^JX+%=z~hn# zoVZgQ5~@>H`PGmG-~79cU)i$RO@VvPWQHgSedjYEWugrql-JJsuvyv6l~Q&Xqkn$J zt$f)^xRyAagLD&V02~O`eh^$}!I98!0siyG&*L2ZC%Db@F976Z?;Ont?^kRS+^bSr__*v{m z94_g8sYAOvvb_hi`z;(Z$9eqVE(>nBxFvKo!)e4ogEdon+VfQF&m3!z%Pm!*H%TU)7r2ZEl-ZWK(;N_e*(VkHd6`x5X*IvuR;gOl>r&L7w`2$> z^8xtn?cDF6nX`0(xhG?*BQ*oS9Y}DC`T>M6xHKKd9IDO7%gk{9f}V%FDPI)Zk2j3~ zA`hTiiW*Az7Bp~yn(jzloFNDJ#L&4cLb(L32eQVPcrqG>-7#j1b5*g8q9zeBzw6hV?)HASd+|lFhIw42Ps!!Y zRUZQyHXG>`^(rapOPuOK4(7u@6Lgg)X}6!N7FjK?{a64(+WU_-9w5YLZgtp%EOvJa zJ8=GM$$^>+?g1m^mJ7#`hi1yEyTKMB|J3Fgzuj(fl-3~sIc$avZ}B_6dH$v%3Iwknrd@{`8 zxb94|X@9VJWF_5d=y%04Y{^v3kKVFc9<*B%!2~l0_{&@}*a9Y%w;Q`Fw;?aN!gkd^ z1BZUTwW~%UPv@0Jd@Nn#yJG%4fhjs7EJTr&$;9vtez93$OB6Ff#q2n%A{zoRNo@NdeI8=(h zQqJ$j&G8EqS`VzSyalJ!G`03(5^+A1?s#dY%rsl~4BzQ_efJT%tfLlp zbg1Bbl&Od9bJRsgSsz%`&VrrpA^aD`thOTbD~Ulb{_s}9|Pc=F(3r% zpSAOh3Kvqw>)dmN!?&Oa7PhNxsgE2z-!ft+TKZK`@^$9QiO?SpALvuC@{pW8Dsd9d zz2TFgJu7T)E|JOrx|U^c2DnWP^l?9h1#s)B92~eP8{D%ZDjatBF-362Er!zU@W3%A zU3MHtpQ}SvpzoupK1SV?bAbmLRNu-~;Haf;X6_8ftvD1(knXYBs!TU+-p={gE|`*w z@~~Fi*1ZhI^&l5kc$-px?hdtt>a(Th4gh7^-_~z)?$4Eyn3s0k{k2qL5Bw0Ym{>nD z;XLN({7~no!yw^s%y`wlpT?nUJgD#kY1aoi5|>qTi|(WkYf;}7EjJZS`{RNf`Z*lh z#&L#X9?Y;pN)a2M{Hggi_rVfyd+*S;|I4W$(d$wr119!kt{?Fi7a>^ap6Rl+a0K;~H)tjf|0@7mq!i|& zu}9qR=w6;Jb{kB9G=FBnVY`Lv=e1Mvm_37yMm;+E0}CTk&)A(cP0{7f2;52P~Go*}=}*Yh}#4|754# z_C<3YaXCfbg5J`5DjSbTIh*|vLL4)-UC9UAAXr3aZZ2m0Kq3K7eO4XGH`kltrb2w_ zq-yZjl{2~y{|)4=RAe{jIi_1VzIBD}w2B3Gv-IqRw*5ixMra9l+LZ@cyITM@Z1~XBFy`{>((G-k7w$A9Zxr3x2aCjE65X#L-HO4RA9x%?0~v|;27bw_A}sHy^P#2o z?Zz(@Ke<))FI9eoyW#<2uGVGoILiZBClO&iIe2Jod~loAqgHDCC)70#Nl_POiun4H zd#)W8D1L&J+IhWA#ynva98wn_4|HUteafb`KGs>_v8+IHt;0N<+O7I?l_`JB^Yi{f z^`8Q`(T_tIr|gW)t|G@W%a?LnQF&i00I@F&GywM8ic-_r$)TN_zJ*cq8XfLlVV*g4 zjr3=~nDxb!Olh&44^{5T%i*VvD8n^P09hpm<_sR3eQOJfV^_p@=Xxi;Zv9zSBc}3WiOE1WGlKQHCbOj` z!UcGxml8GBoG#UJoa5=-jzbnZ8GQ5`*Iq|Wyl;!3-pN8XS)9CF&SfYDE)TY+cXq}4?2Ay{%2-ha{z6_xrzLW&PFX}YsKXI9#Jum-?2}EA=?LZr zxi)+x>DNQ)AbjI3z7&-yNBU^h?-_T026~nt@?JZ1z6vCr_!E_LWXiqpY2q6ndwPSF zXX}te$LWo8Z5LU4i;i0(?4e99151d^ut!MdV7X;}TgR174z9L|0@ug7Wdh8pIki;f zQlvjbKx{Oe`5L5OR^r%DY~bV_!1#E@+1f^J-0Hr_*VVm<1@$4_&*pCw9|cl83bYUQ zUJ`3yYQ(A`0H<+-b6=JjAThZK?$Qx+Ob~1E%jI z$b&b+rG31KW%y_vild{WF)UkYyC#+ zTAzJz+;tADYd#$4)Ndq#B|yFHn?gQ(~@6+6VqGIFIv-%CnUq zpC#S;C)2m*tNiDLVFeJ&J5-i#5~~#%EpNXPl?G-wzb6~qz(!#(PHa*pwm!eCf+N`i ze&$>IW~+MK$*%%>vq_fi|GG5TTat1i-O47fHP<$%?YrH;y*2eVZx@qt$OskQ8? zz5RM*+X-|Vdr>d^D4YN+cuaYE0u1W4h3~S@?2s&u^t6{1Q~h7CZr}chxlF5nTd^l# zAMrFd&+i+*{WsCfT0i=8GQAs{VHH<@8_IFcW4)_^59^tWfZm{`7I{KIi9ZTN8;D70 zh2DY)HJEyS{m?n`I#Up+(dY+k&7}MZV%7DT&-&H-ra8EOeERT83%w^fJ@tBfwSx*QR=L(?j+#S#fGlVGE~5~GW%M}3!F$K zae#U~|KNEdNQxGHGdB15;755&|8kOtkf4}6Y28cESbDs<;kc9T4#LObI;s00(^B<4 zp$ktA_1aWW#Rhzi#paXX*D zD0H!GyEeaTJW_1~s|ySv;`c6uWl~Z%JtDPE&d$Eotg$y20^>nwxfnKM(Dz$dWWHB7 z8~=a;QqlR_t1|)Rjt>qt&{Le`faFNNf=6?SZUUSCtX!w1`B(P~rv6*l)e(S3(b7``Z`KnTl77k|0|i@ z3yO4a)CKRA6pi?f=w{K|x(?sG{S8nK))xd?T1>m8=b#1^PQ_2))UQn}?4vtTUnKOA zO+ZoJJv|*A83Bnl-x*Mv$QDq}%1X0wFSrm&<~t-RbDz8d$R;u}zR(zCOF>y>oAfTT zjBwrh4`(8_8yTo8x033Nh+;tfJ!lP9K>^8+wR4|aUEj=G2Ag{W($5}&f!W@Nwe=kP z#$hDWrCbEx1%j)`dKUpH#ULVaH+_e1Ll21Ywe_c>@tomV2%xs2zD;A-A?kK_gkY% znE-o8c_T>|?{r#rq8it%Y4DfZGYw~}vX+BN1&Xwqw^|%*0uB=Y0yzM#&wq4j()Xa& zj@VCv71foVIxpZ&H{)(SJ)9Akdz}vDGdaPQVvzi&pWeL=2JeI%_TlMz7kSk4yE&lT zl+2R%2I!DvKif{WatgC=?mqN||G%!G`} zOOTaxt64nOVnf1;P!^l6NmYbvba5O=pf;iNM;?Eo?J}WfK_dX#_2J*-;>8W^xPVpPsaeP&pg+1$ zAF0wjV0yN3uL z`5L%Xul6U4sn@>#Q~%E}(Kp{LnfD{7&#~|!2Mycf?+;PzsOycBc}~{TKP_(9_)GfuWlCyi4A15IJw-v)CPGabwqy{pr5XOD)de`JQGD#Z=QMH__>{!}<9 z$7lxi$@d!I%Of_Zgs$|m%70)shWB$W#!ZWlm?~4}i>_ ziuyS{hU@@;UdS|Ok4om|BQ?Z~EEz8geg2IoA(|eo#l&nt`eG%ItAXYRmOZXR%B^i- z-Yg|(VhihZzBLdcTzZpc`#cWk_*2mLbR>t>G7dZsk|T@$ptlhkkbLo2LEIu^;dk(F zT@6-09q>lU`EurD9odb!3pk~z;0R(pElT#5=Hpz@+OGzF&X9q3(z8!n58&H%6-Np2 z+1_LABD!$Wu;p6LTO!q?dvXAGLS2R!w@|%I^KfaTA>$4pZ`!#=yA$mE=`FoZBnSAh zg+IXgn(;dTDl%9E9ci`W*zCmlDTnCe zZ8J2bdE;D8zD8`mW^!tiY3;KVRq9$?~Yv zJjUfVKSw({O}RAIGdHd+4ZOe{NDOX#5mG~JR-TzgN(;DP$manXFb@y-A^g~-UOoY^ z)4UPhbSs-iQ_ey+Ip6)76Zd9>#H;gH4so6ljjQI5XY|%)+#8j3K~L}3#mdf<_%LeS zaKqGZ{%+U9Iu>vaRWPUlRE2B0vW2SNuYH-|q9Rx*Us>S?G%2AC%|!1}*q2Y=BV1qw zo?5{GK}&sa9v{#+`k##@WDxy+aGZ}O#F=yfr;AGnmEVfFhV2EwF2B?dA4v(js-_q9 zo?N8izC0kQ7o7OKbqo^i(qE_Ukpo&mgz4#>uDMf^7I z0G?o<^o;YVGUKx$(RSk9lnO3K7!*L)GdcZC=&(`$=06SP=O%X51Sj4L$@zMN#^YLFLvX zKw}Qy+Ham;JHKP+s;1bJOANlZx66}Q*pVnZt=1A3ac=idv&pvr+Ate#G*&%<;V*j) ztrc&?xMzgg=M>7la3B}qh}$!9SKu^y4N682#O0sGFxUz_xz+0Zj(pBAgPNr=O7#O^ ze()!jXty{*qKqoVfxry2G7>mi%5;J}-O5&prsJ`QUBU6elV4E4nsm!e2&|KuIsE;@ zm?WHvTgeA!q5M1>GRhMiO}zZ)YZmG8jX%CjNdWoJ5T?mgBjsLg_G=t!{uL`4EgR`_ zjhKeVlQ#u}i@z2tA9_C(+U$$Sm6CRxi<03y3xtHi=Ta}mY}us%E%bgqR^v1sm5=qW z!4$3xz|vk`Q$q;ivfP@ymzujPWt=JdNPz4O zZ$2DWpQwC%$KHk-{p*|LT%h8W4Z6AIL-Ur0+rcW1ELAXeCAPJNcz>D>K3H~r%VFH8 z(N)(#IK9Urx+1XlPw3;-3d7SSVQ35O7lmuyR36k>f#_&&(H31j+0*Tvq7@KdRr8<) z=Exy&;|r_Pr=lv0w%%vigOvf1-#-z#E0@xTugZ?H%$Vz88u^y99Wyx!LT!B#??g1F z1q0YkTlsKLQ(9Y(tVY2QT&ELT zWLd$*3oiXp>PyL5ZWTTg(Bh5(UTgAd8k{=<9#` zI`NtZ8T%+BcgF|w;|(Sd5j%E2@{5yhT%b-2zz-&`+h>HlPs|8h5y7qZsJ1}t%}c7J zB)ll1=#TDFv0*oK{hoEFhf%kc=9y#n?9?R_r%pYpY|6Ix%A5;-R>n}>T_qz;9?E|C zLU##uo%PT{klwns?V3KrC8&2<+a)d&DRc6tW2WxtXHJfsM`FIJpPcmd)PL3tvvZ8a zJs&K{UXLzfmjDmyvrGwwjV6Ckat16z3ZkN2Vk&U-*<2_b3L%R zm5~$;_RvSufq9f|)}(mnwtcc)z8<-y?O>X9_RxjjI^(B<;d{cQPXVr1yQ=+6U4FH= zV}xY0DodXnyH`Pq(d1Y`42}+KllL zEFM}(irP%TwV3HK7o_!m;y)R`uKkrI(2jSbU1+;`m75(%?AAluS4V2RiAsD^F{(04 zM|~X{eK0LZCGzg&0=228AJCqd55rADwnit|bKe7Y&Z>+8Ct>BAegNmxKS={@0eAG~ zE`1C0T^_gbha_*b4K0=t$8gm$LNAN|;&_uF@`~|)BEC}jllZgc2KpwUe7&OWgnzL4 zA0CN65lp-F>PcjV?3ih2XE8nQJ&;!rTPD9j$MQP2&6tDjGqImcBJ{|}2#jMWo#nvw zLCTZ=omGQ9z5}@FdnQMGfOG}$vCbesK76YuzdZML44ShmCY`>mZ|AsC2fYy1tcKnEnbCHMnpR67Km0REhIIi>~sy-u3v!!E4 z;^M?gaZfzsIfpeDZhq%L#j%~y${(qrxy2-C99?5*y(oeI{8OOsvg**HsEX~lsKb-1 zXLM3OOU{N$+72dZR-T9)l#kE$d(yL$isih-&oMsk=_lIL*MV0m8luYmFufIkCpyw=x z(w&X(70O*fK0O?d3EC7=Bp?+aNYK_%- z#;r~(RoOs(E?7H#1TVdQvo6oyHEj#!lBb1-$*<+@nqv$1(g2Qd1p?h9QTg zMwOlLKYa>FiHxN`31)Of$IHgHKh%P-58w2Cuns@ZPyS8A7Q-}DQ{)`+Mzy4nirW@_ zjZq#gd;147wDZc%;IMqw{=E(p0GG)2{-QCOf=(r8Iooqc)5ZB=hf*|7@9={=0qb;% zF4((AKj;JP#-m+R$^(dz&(kk<$TU@bB;b6*U?k+)0cF;_`?c5Q+0>I&u+SVxGjekT zm{)dxJzRhzm9>`=kx&l%|3feNI@Mp_l^US5Jn3QNsLQ?FMw4CW{f*<@eR0*@aF2Zb zp_p_v*0bj=uIruqH?E63G4CQ)hx9jXh54DcALO;|Ep*$QJ*UDDRF$#MIjRS|dIfC( zhlQ0OM2-PWWCS*j$8_3;9%i_V+3y?NHgpp5gr#s%#oHKca*u6jKPq}nO~kiXGsJr_ zR_{u(W@zSEnRkh;y&A+&WFUr@WH>iNMQ@|jMo2JQWPF3c7WXJ_Z$Y(uBi-qnN&Ovz zUttelz0xRH^?f82#SXd-3EW ziB1s(kEKH~bgR8@HL7F@PbYK@rnN!irHP`iskm*Zauso`<#V#iX!P&UPl@yjhYA{J@{bMFl76EH z%lA3R!U#4^@kX&!GzUDAwetklG8QzX%j$4^B)J^~Sn0t_mq${=8>9YN(fHq9fWM;! z?))pWD-MW+jui{!VV~t9xq>eSg47x6OAj0Xx>{mcCQ!XxDo=GtEb4p23+hD8#+w>S z1Um=nBF)h1^5vTxrEvzi)r2zsF@7g=qhMkWB_LJ0>58_nqvO|>z?D6eigGhc&0oAm zTg*2W<-PG(o<>SGO5~D+H1Q{wUDZ{=09@PczMqlcQcaQZD_Is>Kg0FlU>;IGtX+Ig zEBK-9Vaf5HQyNX41dulK@}p`G`7qV_SDBX^tfeK#N8&Y3e1Kix6(Hu93+1ulwEI6i z82&y?|6L!y-rNUd3DU8Lws8ih&K9&Az=|mm!b8uL1^VcH1amTbC9O+@+F3se&IeLe zp}Kb_*7a?WpSn!a@$YoRJ{VKs{{4chqBUEdUR`4i;IJF^QDii__(dgi$$pp=oTEX&8iZ727{jgl5+@TN?}4M|F-)SkZ7&&cT0TH1OsKWo z|6%`6gWCU_H}l_)hNkObj&#`9S5uF1o82r}n*^-Err5&W=ofr*H;7y$!TDBsDeNpQ zJPnUv-8B3$5Hc?^W%L8*3f7}kdGC)#y4a7Y+Q*(Hp4G+rx?}wHM2C!%_wg3x#vIMQ zh{yV`^=n0?59Fy`0!_zos_*{*t=Q>SL=?DI4&Ro4oT06ICI8ZRrumkO=QS4F(PDt4cG+&O7W1a@8fuO$q4dYw>|Gq9+}d$Lkml zRE~E#PBkZ_q#!p6#@WT$PAmHO%ik~he|zBnp{;aR`#7bhXyI`xxvgDIY`_6!vOxdc z{I%d8MSz!8!!rRPfwDNcXB_oBh5;C7A5bXXR&(*z9*UOW4K+2lRa&eH95bz&>=CFm zWzwfmS}Z#976d_UD_;2o^+ za)shO|HJ;T)oIFU=18IM5oC-6aU)w9fIn@nHVJv9mI#6$e`>p*W+SKlZCLC{`@z`E zzOPS@%q+a!U26*=kfs!#P3E%rfa0@NOh*8UQKGJ2Kx4uYVJeCw@<&xFyN6SUSc&X^XTb>CEdYZec)bo$zzI;-R;vs#&>f#Nd4`(EZ zN$hspj3>H{OZ0Uye+Lq1R*dEk5SgE{<-_flSwsjF>p%Nu4a#5Ik7Q<}-*$?3i{%-y z6Fz&G-I+EX{&XqU@4DgCm#xvfpt05aWb$lOmKdasKOx;u3p$2KWc>C_I7Dc_Q#J90 zi8Ah0yi`akwxAu-2TuaR77Ec22AQK%KK-RO?CgWQ<{wnwj`fA9dh`>8$?5&9(x^wPBwC!590RvNTKfHMENTTK4MQmX>y?8G5$!A)H(4;U_Y7V>UF;r z)>2UD`V$U?GsKAK1NOrkxNvJ+wB3M?NPc;usMig`lEfsi(?lruAL9l7cgMwjpltvW z%dqM#>F8@5wYd*kZaY#osB$M%N1P+r&uAq=r(@L^O8>07o^_-Pi7;X11C~VCJE)t* zdhlAB!x&#a<)M}cXZFl`63a+JNQJeGro%QOOATSQM9>2c|2|H0BsC{@@FHZ+8TMT2Qo_%owZQZjJuo^q5FP^{ZrUkCy*+j0qhm8iyTre?W3st)iVO0$+@@Xc>9)u&Fmp5z z$`aQw=is>3e2p#Sqo7Zzvh>P*4N>`Y$OB_JQXsZyw}S(?A<}ZDpX-k%=a{#aI2PYk z>W!%6GFXgwZ5jT;EWQ{}LtQS#U!iLiDTjQyoc8LzD2;gvot-t+n4^h)Z=O|*5ha?d z8{^1r!VqizfStIT{>3E6u!?oBBa+Lmf*GMwo~JBt|M0g_2;_+^?!kM$Xt5BGK$DHP zEv0?^HsP}BIOQkiRgkSs`Wpepqq3x*nGT~a*(KT_#4&O-pJmx@=3IKF+j8m7esSeq z?BnjZJCR$XT!|Y?;S08h!W;xRKj~}OUfvQ#Z`H(Ydw%t{ui8}~Jb!+cT?_{)l`035 zyk>_!Lor@ONA9xHVa3_cBL6>aW*e3aLRd-19J9D<5l?<;35p=k;kbBE3iW^ME&kWQ zTbKv;l>t6zN6b!+diY^;aC{v(EjfCLEZHEW1 zst(G3mRa>%-(dTytr@d$r@p(c?$gTTmv4 zTncdXXe9ANt%=^?$K&ThF2@?F)H&B!8abE692~mR4OR_x9p9Ku4FgHpj1q_<=fBkX z0A^gs+W+wHf7X}w{~wMd;;nEZ5BQ6Nq?DyNH3PIkJx}1f;WH6bug^ z0W0;ON^HKnc9@_1uwKyS(?9|*!{MWf-+E2^mBINgm95IVIh+@aIOaoMVh>&=V8ToJ zpIsCe&EovO;D(D)>BKwEpd#>xk^MIY`v}mrfIlk@YAJJE`wQB~KMgj1>Ckv>#UE-2 z#7SoJZC96tnulk96)WQ>Jkk&zUw-(3YwY`{&&u3c_8)jH1WElcIZVSk)}3WCxO_8W zNdfD@xZ7t{UtTV`YacWD0YhW>y-TlFS3200e#GUP6J+nnTOXM@DuAP2^l#XP_NuUp z(Es==Xl3k;EavAY#dY7mgI3DP-%vj&-}{)y?qpy+uxD4rib_@$lXofJBM`J#;;`KZ zc6a_x;sZB#VVrVcZNzul^Nl)kD>t2gNttfXeou3MxKNnop=)a6=Lb-7MI*(DAiZ!W z=F~K6M@&uU&;Zf#v-`s)kJ~4BI{iYxPv=xV;M#`iat2tslA~Gh%r*u4E$Jtqb?z@c|rZ=r?pE>YX1yv-sYzg)1Jlmn7<=HKg#scxu`NMuYdBrZ~qB$+#D zg3hP>op%>9rkBz2E*IL|_yo!$wubYz?E@1@hA?uG7TImwjM&5?KrL#sxPP&!m-L(u zq0ZNpo)=%^@vuz>j6?FjLXaVt1WON{(-Zv()9IHJ-J+q5MooZg7*#W(mqPym+9r9j z1up>PByBmiwoi5`AVbnQFpae-XI4c~~E&*WWa!BxXPqx(CLW#)W+nt)`W5et{f z-7Nh69k!d$GnUmk+ce$btpy_>)5Bnl*=W?CWcq;H{(!~~_&+`zX*3A98+q#<& z-A9P;8nhfPtK@fUL^{SlRn^cV5xepzc)+grvm*C5;}dwg?pl%_u9|0ZOw^C&aMCy( zi~vH9RrVbX6Y;fIjWYKNx9uB?$8v7(u0UR@>5E#pY7 z2XixCMZd%is%{K5F%Gpu<#9VuUHG85Pi@JkQZDd`FJddkco3W7VFQ-|HZC(Lal9#AM*cqa3r)`#;(_`E0+qgiB^XB;YlQTGHEcZoX6<^-rEp8jzruyku zK8ot1Z=Z{Ksz-QV8tJ@@{q)~eMHm~E{&=jfx4r{mw({Biyqc8#}K zI{toFN3V7NgL?BLgYzyE|_0r_`YrixDl&^z&uj4kf#9GJfyiX+3(3_UK{h{HwX@8aHxjkX&{lA=!|8)-h z--|6T7%spo3%_r22TVnC99M3Yllnpd^ia%Wa;#H1 z#55Xa`&ztiLl}kEeB%Y4{YrES=PjOpsP;%6Gdtf+{Hi}FS?^OuVF}OV_j@s1;C*sk zb0CUrR0n8|dByh@bK%ZQS#sfybFwvAv-|ZdOwB#tOuAF8=JHZ8=e&O@tLQ`pD&BtM z=>+>CG@(@-y&d>D+g7#o^S^BMuQoCiOd2d|l#{_?VbaL)jtqEpNAl61G5B_@l%UW^+M>qO9|x|Jt|aYqQF z0@fkyw`GRMgIv8bom=v89Fb?xRCpDcw+}$?- z5xd7UC*kf=OjvSnv@h^0^G!Lk8v@-=3!fH8SnLVmdz6Q4-zaGZo)T2VRhWJLD9n}- zz>CwFga~*oC1uFg_JMUhX}zSzP)=iR{P7(7i1+>cwZMDjIaP<|5?4c~Fy$;-B;nQZ z`aVEdub%fic=?RW<^v5e&jJ2bJlQ-H(1-!$rW|*@MriDa1P8E%+4+~U@bMR zlWVXiUAQRMw!KiZtTQOMNeRZf3#VE{=Xn(N_1}Jcq<&NdOvb2;J7V`Ifk?#!ctos| z#KNEAtv<1A8h{OoCu+4EAFYfEVA~d3S8t{Hj}o#vC@ zYOflFeE}Zo(hMc7qcl-Pp_8D_;>P?Ew+^WTmAg+lHdQdDV)a%+;h6_YTwjgT%t>{b zSu1V0=)cFmgNF6!*ggEQwkq5@@Cgfv(s)C_aJE?3cx#rxV!CyBvnz=m#mOq#`@q?vW)|f$h!k3DyIpo_eFzi`GX~P()0T#$%NOQjM z#lURgbVVp%zkdPU@lyzgkC39!)zmVV{z#FUSmQx^Ltm72fV<~RWo^nNDMycrUdqPQ z^}3FmNr9i)9g&84StBp+i>;ai|MPl>t&Y>TsaNpX&sM&x?WbRl*VtcC&I94wW{*pn z`1bj1V=e=nHI-d~zuCu0-=yI_1-Dwfc1*P`=4-=lnLPE{pR8qw(6r%Df`Nw9mY(O` zrGFETWn~f0*=MC`0P$$i)*;np;yfG;KT=+H$S=3uJ%!R@09T*$zHYnnusfmo79;c^>u0VG)P76LnRP$IZZ|M7u_VsKs zRMng?4Wr-KygQO)mpi#UCBUJcGLMNsWog(cSN8bK{*)0l)&0!n#*N$Z_v_|F-=qMQ zopr$)!{$q18b*&U$==k>D#i0`vk;&ERnbmkKj@I%4uG)DzCt_iiEVrK3aPxVrNB0y z6~Dx=w%=}|IoLkg%15K`?C+>;K|!GYCol2_W7qb3#?3UslI*)FV|g0E9j zelQ|EBNKlN({X3_)e&iBiF%=Ob%|{B_8M{`9-V$HeKl~(Izk_oB2bPSE|inJ>M-&P?jnVL8Z9caO{>(tya}FxU_lq|(UnK1twgXacAZj$yMI zOZH7AkLn&yx6C%f8xVCbgixW~q2Vft&6jHvlG%$WC79giy6!AH7P4)d%yn&7J=Z(A z>$`wcHe_uzR%b|#XOCnXbd+Oj)6%~K7$2mRW4apb=X#498+Cqw$_IGUx|HOFpg=l{ za^+$7t>F0-lXh#us;2kT%q|Zgt2Tg_{jn~qTN={|_N;9%)6UKDP`M^@;Z6{%j1Ag7 ztt2m?7ppV9ApT?kctc}Vo2L29H0}#nuyd9;@>)&r>JzGI#TsiK@mkjio`~#cWnH(0~$pq|cweVTz0Y+)Y)1!~ar`$oA z=@Z;e0;VhY)v$IywXL-Fy-I#m%(C-&Pa%j?PYjcWfxt4WlHn zcJR<+5N9oK4KJ>?tqL7xu@2c!0cYc<`UIl4Zhht)||7@bFG3#+QZ(Q zlwEWI_$=!5SF_^s-3I%x6f|;MXMuR@#jkhO zTI&|+VZ$`k(-PojmhV*#35J$iD%p*3=N$c8ZbV9ypzYdRs}@N}4y{m2tzkpNwy+%{ zZm8h+SVFAPsLhFr=fEzkAT!e8vCZ+8^^96`YH-$7d?z1;Z1K3;V-3B)`WJ5@S8j?M z!?jz@j1xWsH~Z{EWuwq8!ymtfJBDU0q1_-meHuN7F8b$U9c0|F6#=SBm361r@D;Jf zlirKJv4wmQ7W+9N5dVx4q%uB)C95(Xl!+QH`H~Vw`Us7lCa2ZlgGEp`8ZPk%$VF5l z2!iKvveN0#t4TXa+#+>o@|-uqjSGppRY1#0vVNr`dK#!CTNIh%_XQe$vOyqGQl;Bp zBroe0QQ6$J`h)Ubxs9^D{C5?u#YaIHQ$h-Fx-7f+a8f8c>JEqaBANry$48+_9p6PA z+F3tXGP?oZ;?-Yjya$oV9-||bprT0avWbu8B!(ay$6fAIgOE(#5jKf2l1T*Ylf-o{ z{tcNw{%60T&6Tt`2hgq37E7E<)zlj(rQ z?{-%AZ7kVoFCK1PHTmpFHd*_rSgw}i!Yuq5-MHZ4lxQA3yPxr~5=Cp3d7UmbQ{(*| z2bs-z(%~*g(tDm1_3E}GMtwIflZvuao}aFUa-kVv5N7T6S?elPc-ivj zC7*1eomPJkfbF>*l7nnI^RMN$NczYBqC|6AuuDyLyiz;d`Y5NktS%6MGO@@fD_12| zLbyA>{Dq9)(QV33I+5?xVpi{XaA$lNQq>!!6BP5xMBrwzDPAc%NK?+fWHZotu3_Iy z%W0ZDLWS7BpJt|9vQ(XL3C2P6$=j|Kh|7rVJ?HF@WuG$s0EJ#+IK3IMo*uO*DT~U$`r#8W*;-1%6x~5FJbNMvfzT6P6_h5T}2&y*&zb7EKC+vwwikF0?Zo@(Z9$c9%`#-jfew+!hC9&44@R(F;HxZh* zU5qNKYz1GwP?>Y`O-BR6$5Sv{h!5Y?{I)%QcXQu&p@td=q6976DhD>7m((K_x9g9? zl3^nfwl6`di zz)K?1>&~I$flx6(#2ahQV@wxp8k7kgdPn_+PtD9xU&&Ij!&mWA|C0P zfZ@HxNaVVwKKg3o5TQO!vUSw$;)XM+QizOW?`na+50<{R9}qX$$TW%ynHJ!J*>4$m zKlhgtg#2FU5%fDU2uV)yBTr9&$%QXBOLCe^`}?JM(>P^jwsd7Q*ekozIEzS1$YC>lX`BTl+}O9Uv?4O~ z;1M{sMf-@lFZ@+yQ@eku{?XR#c)v08G1$u$>{eJf`>Oi~X6<3vrOuAk$E74Y*BDOI zayen9h}Hb647wCIhBa)uQf0!DZ3o>Skfe_))oU}`F}s!hdj>-HH+Eg{`!-Ul-e|)RAS6f(9{H`v5(#KBkadFsP ze#&J`xGkR`K$BsFgZ@~dMXF)2-*7M?xvc4GW?Ny{^$f9)tXdLMb2eN47kk$y&KQnqCwn z6*NqmFj!LWDhDWUOlv%M9ZJA|@Z1^Oalve%{2JuUy4C;$(d#8Noo#AY-}#ZnHXW`d zD%=A{>riG(=EAB%w-Mx4(^rY1zl|_@l-_-Yj?BSzr%5MvanBMz^?Js-C|EwM?q7Sg3 zm;x@x+IL9-H73Rf-o}8-5i1XfebzwfHZBTc`%QHip5ViVDTilKH3FnXb$7VMi~tF8 z&(S{I(7{NPUeDO3wZOILf-x)qxCY~ z|1m9j(}nKFiyQ$Cdt_XoCoLEzc1Jp%!#03xU&Z`J1Y^{1tgh>1Cbw&bwW(_bC+_Qe zC2cnphDG*lgtsIZj}HXG{uGKf;Qc-o;;fCTjb|R>BIRsz@|F#O(Fx2J#75BKfuP!Q z+UnY$C0!aDaSn|`$Y_eBNXFslMJC2(Dg&E|zHoucQ-*}DZGV^k5iWF0%K4;e?Bk2X zY_8@nYllR4M4QdmcmCy~;gBlxd(m)~>y2gkJ0i1`h2ZB1i66cNLKvoXnKdGaE^zu~ zyFHIqKJYpVp_6xjVHc5VSHGWTX40A!k!kFKn^Rpq><8Gm-}>5$$YiV;YS>5TE9$() z70Jv5z%R9mVOmZL{P1|P_!7l0xIs#C{8VrpuMcUI5KPcpnS2?R^kdaN#%?N|>$38{|lRMZ20-Ik#X)KJ`Z@GsYYbsIB zH{LWF5z5fc?v~nVn(;(3j1qAt>4-I2ztz+vTVU*LT<~qy;Owj!+27S0(NB%2=Cf#U ze?C6^<1sd*(7gS#MF!UQH~aIx?#y{_tC|_(O~q{nDGW)v8p5<)KmBf13^cygg{4ki0! zl~Qb_FI!fGHx89WRV-df$@*g6;3g1tu({*e4;U<8KrYAGB})6d;@r^reo^~#g@x83 zA2Jq!vlTummAxkP7qVFyKFtU_S_%h?2o@>1=y#{`kbVP;Jcp<^+~gHpl|NBFp`tAs zzQaAa`0kCWTPjSU{#?Ff>skFJZ5G7VuGvEWp}gCA6ZSOKy~_+=r5RKZd$aj#$=Utz zQHt}C35M9KSq9BR$L&FGf~GR-@A8d5Y&%L@;k269>M_=n+7!&ww*5?IXlGMG{Y()} zJ2MXv8gqOOJE4f|DWSWxlJB-P)|APDxW&vj8_VILj2v|zSaE#KCzVyo%7()S`m&@b zbO6J&fT6clODCVbF^fYM1Sb}G>chV`LZdyL$S3fkbV+^Q)8CBG)o+{6jA4oRbs~pJ zc@s(T6%;Jwb}#y}1>iBk_mRQo!-9_e(Ibqp66#Wbf3jl9+qUKIdI82~7eR^F@xzvAFfF z(;Tm#h8g05Ryv-?vL{P@aIzBc$KDo_CkT-g`=ge}ehsK^t~)*!)6UfnW>a}Bl#_6?6+%o&)}vRKOBd(+Q&u;4}l?P zJ$IJ6!oF<)IF_!|2nTY6SbWSZFO!R$mrQ4X*&l9g3%4=)dn^?OAw4wkL_3h%#MNLo zMWF#?0h#+JJN5(e!zGLBKz3C%C{mvAp_TlxSyOUZl(ZOkO?4<)IlS&X6<}8l^zO*)Q ze!M-FRZ%rx8)GrktW{h5W1-+!I&J^6>><;MEB`%10sP3lZ{2lkn`L?u@w`;n+h2Vl z7&gn+ovfcBA!q^Z3aelr;zOWn+GSZR7&J5nK8hTk$4)KFFV2?re%2|iGHzMsg4S>g zPaGp4Lf`)*h;(rdW~8`K_J5xHvoF|l?%tk@9De6IDh1M0dui7;RCC9akuuPJxj zol(CYNhqGCcH)g$0}sUM{^3(LB2$KG5cpu%0R_0N=pBFRmXw31KQLKT;9n!b`=9rc zXe_T8z|)uV%R|?nUG(}D$Az$U2+rw7hZ0^3IvM8o*8Q|r77>zu@H{RA3BpZW6CTzS zNlLg-EMM)4B-XjnZ&$h8uyau?l-*7e*_Eb2r5;a6%I~bMcM7w~Oc} z<$~LFaRE|iKTHN(Oqs5Ug+8y%k`AaGLz;Z z>HROP7e7^T)1YI)&_@brZ=F4!=8Q}=&%su>X=j`kV1qQ41k# z-z)$fEL^PGMYsb4Q7{9P?X--!0s>b(R6Eg8^0`2I!|_0mQIX1iu=!fyG~2Uc-DEz8 z$AP;!lJLBs02T6d)wF&*T&srN>MAdUw${hE0B1&cfe|*ux+e4`Zy!a-fhGlJwQ4Fb zjk(u$+_)Ro3eT}>*$@Eq{>V&@^PU@!#7h?$ic3NKP)xGoA2tbWP{WrCw&SPOr=KFSonN7oS%0$K0ZcF2=t#-Z533MO%{t&2uT`C-QM*a6| z*q~k0cW5BIsELvmQ)-AX^_)wrV0nP^5_R*t8;!1PnU^|w6scA1t{~|3PLmP!$0b(R zGk>^la2VV?xoWpe0+dTYg+x}}mXwlL@8j)GUN)+H5FqYMxwgmXfYW=aI%HUsT^iaQ z4q2t>hzaBi@^A5OI|zfX7rkG^BOSKkRaCAZ!)}nfzIZIwGnyZh1PdZ9HRDx;Z?O<^ zvz!R5%5JdhYme&ti(~8tj);(1t7->|1ucUpTKVc(OYqC56K}<4R`fs z<$WHvr`&*kP+j$*<68bgvj`uela~bc(EiP4EJ;JDo#$a_!sOEs|t-(Mp-EPgy7LqZHr1#adr?;9o|KYd{qmdsX%6Pg!}#h-q)TG3*=7``a|{PIv4 zGKrlpNbCnrV<=<5YE+;#1<-R{Jh@> zFz3bsavMcXmLMaTHGxM@m zDuS^a4u#a!<(D$los={7x6zv~^(}@o)@=l}fAD+RDb3P?x4pBl9Pzf8p(sB~*XcQk z6zaHB?>ap`9P$RZE`!tKK>{;Y)yi8boXjVtzd&f@q;|4#tYv+i%I7mWOdEhnfZ418 z;6?nC1+Ym}CUfb-J421QOB1yhO)=NgACiOX5~}(3pH*ecCTcqZF($E3 z9w}?GsQThJu_}KTStv?CYHXZ4W<42te>l*iU=!}>Mtvq`0u2t(1A3rlklKH|8btJKgdt~j~y** z6e4sK(@oPE_s3x4@ey@DRG|Q+FSVZoQVL8=4g!r2g5miaokHJYJ8Bi)YcQRdnBlBx zN;jAq*Qt!Rd49uqFYgVmk}$pLQc0OMi8f`EOrvU}{>I6ea2x&$Y$Q1g zeQ4~D6ykU`YJskkP!SEPN?O7qlMTf4P;9>h2y4W_iLT!Br{S04X@_aECD984RfkWM z`fev3ivVCi{m!oxx|m(hsY8QQw<{M579+2GA^nYma%*=DVT-i^wMljUj)bbjngGuv zER|=U`yK}7_o{FI;M8zxFL(2)6nRR%1e;cUe56^cUav@QyS}zxE{Y(*FK!w*@~rzd z!A(c0T}#T^<)^ezu4hNLp5iHdLIy$ZX)0+N)pBv~!x(vog%3NT81Hktc;_!-SEoiWO6LvCHSafjvAP-yPLq`GdelXfR zj50%g9^!C5ljEvw6{&ex@ZlfbV8Gw1(?>zK8q{n>p|%=jGXBi9#x%$(4Nzg>Jalu! zIvy`ld!N!Jle+eNMn~ak9;aCHEeKhUPA?>(oUb(TT{=Yu<1fQLyzgK ztq&LeM(fx|w*#cubt6rOdBW!QOU)xuLC;3Bvsr*O2=WqLhT<<>Pbz zwG$2==+s0zSw<_Hs6_v2s;L(iwsw(vs>74!!0T#Byo0* zo6$f66l~@f0lD5ifDCVCbn=`cU-*F95MDT~R;@=%+4RZb?aU8y{%+ExXRR_b^TcO? z^?(%0m@-AzE?e`P=(I48ffBSL6RAQclax8~K`<38S=cyBNxg)!bP~5L7vjJ(Sw!2$ zr$ni3S?nezAlFZYg%=?gPmT4hV7~jr^#PgB7d;Aok+)F+GT)eJkh&~D2QeX(kWa$lWMirg|37$h^W{Q9q>G_u!sbR)g zx!~3>7mv^I-kH?-HuQzo-nplx_AbWv_1~Ev8$SS{DF1l&vo7Leg85Uk01-H*U}&J= zm_2M!Zy^S_y%7irxmo3OxO-F|2x8Ey?rR#_^nP8ixwskZrL$piR!v?=JDH2W^H4Hw z<(_wA-=hN8wT!&nTmM^9BBqx*CDMixltghM%p~f~g5rcegriA$fB`M#|QEQ93 z;xbAaLoj`T@d`9#Z#YPsZ*!HuhUd~ObbzK$3iCl%HZ0^}5N{Kbvzr-^At8PJGdK^K z`T4qzsI*VVlLQ8Y7|erW1amVY$dZrpy5r#Try*sd$8WjNJvTsy;hwC?_ljE$CF}QL zL`lz5-S2#pZQ;H)!m(QRVUrqO`%JNlR5)@R70mpORpCN+9b51sGqOt61%UAW)D^fb z|LNUT82nJ{LY?!dC~5%-Ef09yY|?FypMU28@tKS5H0;(m?OYn|H=PY!7)I-|8V>Nx z-v1I!&v)4VTs<^nHp{=?Xy)}Ay5vLFu(s82(M?`G?Bi2lvU{UV?ANe(j|-n@Bjv~i zyW3m<*>4s=>0A9rSh>jY2Eu740i9h4BWHj5yEL;2S&gYlFiUf-MY9^(cJ%_}1>yk1 zZ@0?I3D8r5n2t+4)pF!Cx~m#_bkp5WM!Vsan+azZ8Q8X9ciQZ!Rv>!8JekkR3hZ$a z$<(m(7GAtddv?mbpi1FCm0wV3&TceV?Ln-g59Ft6&^nxh&}OH~mUjX9qrxGPyMN)c z-*N(Xs{DIX8E;{zOVI)i`S(@0`#^(#__Nj2$RmZWwm<`-Vq{3O830~^o6bx;5`Kg9 zvPEb)Rx>g)dZwl;;oe8IC?}qswPOoSU6c(^e_%Y~SFA?)?lb2G@aH_wZwt>a*Tt3- zm2zg}w47>w#XsBc)Ppy>^IxAt$?xtSK&s8_ykwJjT*59uunUDVpa_LB&qvbA!b=xC zZU>9&(^HwM2wIe4`U4vF%h-qBl=L=qU(w3O>y2mMB1k7ntf>63tCdw&Kc8<&EpsNS z9UE>>WneF)a<`f-u{RzwyZQ{TfE;a7G19S9&n>UP##VCfjPN!08z4k)cUob%+ev7l z!kyPG;Vb$q=fTc5g|7=$GnmOKq;M!#vg@|qBT2eAY zyg*}|Gf|a?X(-!gKl)&_x~a`5-)gD`(&9GkV^+Nk35@4*uWve=A%oZ2P??oMT54kZ zr;So984G{yBZ#aS?zBevRdR-q@M0|uvr1U|#oQ_27w+DVH%fsG{Lo;&A8r6Hw0eg{ zd*_b4l)m?5a;=r`^s4+YRVvoSAuk?ZLNMvrx(-KLYt*j42Kwx$S*IstAKIM)3^||u zRrQDUGy&qz9D>`Mw##5p4AM^I+p)wp9XR*ALA5{R!z3Elb#OX zt5t8wJ-fZc?^)xz^L=`jDgi2WfG>G6-qEa|H}~w3aC87xpVZwkhn$c!0-=hxoeTgE zu{_TmxN@AGC6*YbNNp)4r`mK7Ul$*++g~R;mRU7l!V?Ndr)H`x@VlXH!+ij1WhP8; zO_Cn~j*Vp*gid#>EL|@RBD8~Au=QV zue2e$ad{;qYy8va`u1Bh;F^N3WnMya%s6%qf(r=Ml+zpE0M_{G7vGI{u3o!M z>!24^0rGUI_KoCrpN2zH9%gpCKQ2ST)9A&Nu7%p^Q zXYa>Rrv6wCQr!Hm!#nq>E_>=b%30lX(#Ly(C?ipqT~f2JE1ykeZIq2FeY^qb%Xnx+?+S=T)?$y(QbR! z`%&E?Z=!%p5MbskDT4!P(lr&sd~;kT-8z)mZx4<<*?yu4$|e%m$+L%W*HYGcbx)Lc}_Dmv7bq zp&b*m-mu?XLBupGriU1phx{-o=*^5s6rs;FGv*a=8TZMVRhBMYA z`gz?oIW=__^(__knC3UiO)fL|(UI9uUp$B87S$qMm z8-ZC;nFviA>&Q=!J!?PY7rgAF66E~^CO_r$H_E!wCFwpHVCmZ(( z`QyCL>Z$IMm6k^~(NtoMx^IW}oBuR&&r<|is6G-tN~$~>YS{0L8lVWBc$y(c1WD=ml6FzPV<-;73Nz? zTLzK11Ws2+YO57~S(a|W{gd+pk6Tt;vOWi`fpiNT{fhmN+bS8zLId^f_|wKVjSGV6-mwE4|^6fpYz??(^**o2-w%3A9^ za0)-*{#2Zu{9*>1P}<83B~b2B4tn}m*v>)tNGly4abSwy2vjK~z-$WVgrhTqk&Y^Q z`ylqG{B{mo{=-*Z2`dv<{{m7K^$$puC`;lIs-TD?HyFF1U&@C<_Gem!dbgw z8$+sSVPe4S0fZCBJU>HlR60By9*C7zd?sbC4sO~4dMmOoj??n-&nKZ*G%dbXCT z5&v%o^%voH57HS`80{Xt%A8~3S}+$@g=->y_4;TU=veu}stw0!tB*b~4sv#p{|!Oy z&rb@uoZl`9{aRr8axZKwNl(mmvns)oxV62MMi&mxNZKF-`>~~(k41@k^ofRll=#+S`g7g6SlkPf zUkvNGp(KnLzkpFVtWrgz3?dM&`HW8eSy>g!c{#XZHPHAQlTZ$t7)kP~e za)kXbqK!3JC+j8hO{9bXOXOmJ@QCynC#&3cj>m*Ds7T_@1gi*pDEdNA9gVY$vBWJ< z1_61SR4a#JQpf;bADX0hBS9bev&xdRK^B(0YzotJ4CO2N3T4aI@sm{YBXTtaw+Dj zAOHyxjfHo|@}APHtYh_0wiDWjN;||rE!%f1^55%uYRVy9fEPJxC5{}(`5CIHCQhHvFO4Fs_*NxEAo%Z^&@I7s$ zz05HkwYX03+yrra@6jpz5R|wft*LN zFEo@bDVL+fmXVkXsVHSZ3NF38K|tu%p&aS;uFi-$s) zAE}cV2KE?!EhMqvdg4W4+bfiuk@I8AtXN=W&4>4>SHcWGSkde`b3Eyhii~L#vsQT5 zL=G1wfCZ4wsoGrOpQN+01lddbRIAq}oDGe{iv1aTq9!}0{2LqZzy8U)Z+{)>x|%qL z5cE*|!$qu7oLUKb7tE$wPvU#MUYPNoj%{C(=U3V+ufN57#1Z{^X}kzkmcve9AlovM@Z<_2R!cLu6HpKS6e z>)f5-=~bc?XJ?`E`849}9>^oaWp_n6mBBg*YbPDR{2Y#42iY1O@(H!(-`qU^pY1>| z7oT@bxQAz${r41=zY9#>=X$$#@T?NI%6`+J9>Rx;!D_`rOz)+)d zt10jAq`xOT3!X$)>8={ItLGBQ3!Yr8F>Akjo%)sfb3JPabWkbLRxjfrC7%z7JRL0! zwh=AwF-0+WSgMK!+x?3+6}qX+P7ctf+?xAXgxqq6L7#Lkds-(eaSr|Xaakyq{+65X zUv3oxR49Nni1Cs_!+FV<7uV{u@q&u^0dZoQekB<^MrY5o-EFg8L z5H8El#s3dWBKl`ZpqqriL~n6dhi7nUV%5>2h5br4Cg6Uw@z097a_cJ}i!nL{MK zu4sUlzmKtu{m-SG$MN$PJd)i{1;k#!9vX>)ar`Rh)MOP9WSB;I^7 zf#~-S@392dm11;RzU1_y4uy0{68++aaenI6)`>vV%OlLaQ5_Z)0cc zxxzp;S>7tN&K~aC4#A&vEbh&!lO5S?yqy>r?IaT6axN>u%`+mS2|-*>R6~>^#-8-c z2@;jen4=5l4C+eX#`iPdSITXbBwXM=jtj}cZofDfq1uX(H~ZBU=a6}r*Wxzb1n{Sd z0&Nl`Topi(yOlbfex)QiKzM)-9SH>zv;F^{75Ok2^%Qu0jMIE;6C4eV7kp{=aH%#&AloJX{+eRTm>6+ziDsKcY zH?t6`ZVa2=(!V|XdPV5?Z7S_`24Zw<63~=R5O;CJOayVn-`7TIRap~7N3vk{GsZLc z?S7SNH)FpCR>QHY32=6TRv&KoLf^D9E9_O$wYVuZb#=V$^3T57$i!|B2`$t1`(36t z21>2;FqQ81paeB@DCEzMyK+#_UDH(D3!lKI(icU zQV!OUIJg@t{@Mm;xy>MppB^YVDy{uFjVXQ5wjN$*a3$@DR2BkK@c8X_J)?=z}Ee4aa<8_PM!8%Pl z3)p%mI2$N9kJ(k+Z8wBBqj}9IKF)K6Hvy9$1iyanw}b%qB=_}7VTw-#S@ux8T{ ze+TYeJb^cdCPXGHtt|7lk9zj-HKdbxPN%L{bw4RmI2!)h*>@^zLvF}3y=dkKAh zAIN({1-s!O4rI=K+emAUq;*qhA4(JpQXC+$rP+bXOoA@OTf{}7Aa^(@RaU9VL zx#Y13{li9r)S#F1SZSwCr#xL1Wf5p&eP**U8DQYP6~mpIPxr=H`wx$bDe3ncP@2&a z?DYjjIX)vfq%U%9XfVw!&niLUax_v2Thpafy2mTktv5NyG?SO3%kMQBFo^Y>H-1?@ z{Iw954=+?t)vQ>HQ*5k&%#G9^duar?ZG5;Jk!6li~3Z9e#a z&e*sYGvR5iRCtlHZj5Wz0l=g9dH@%o3(==R3sqsOKC#q~$S+BPD+v4)2>Pi9BjMd> zt<1vRd?Q)B%HTxXpHQZmShsHs71&)!jU|5}ppszWuNvo60M3mfSx#?;3i0U?W$90~ zf9B8MsA7z^#i)?=BxA^&z)Fu=QB@y3YI>(HBj;l?^C?l=OcAuIm}H8B%`3-(Uj|b> z!8=;?Z}BPH%7m>(fFT@Dp_3F?dgQ00xQw=`TgyPc0r975edB`r%k@;zcK?V=w^+dE z7Qdf(^mj_&|K=u!^`|mM!HQsNJZPJ1d;8aQ3>cwF3nOfM1&p-?@L*yIk={_%N^qf$`(CG&tzRtXezyA#SEQp0{YohBI@C=^iSlXnRc z4lz1Dd@wOyApFwh695Lgx1T$T6tc6WxS$u}JNtRVM~lnPb`+xp>qLot9fS|Ls1Tnt zk`og#LePF(lNMWv9^Ls zW3P}URS^ z$YPRHP9G)6MT$xkia~Esv`wWEulSpgl~|XfW`#*R!l&b^U4>u;h&`V9%C`uK@KBJB zdV)0PCa#`=gv4#9h#3jsNMiq|A+j;x|G0dK_)FRkDljqfHMsd$M&SH`<3i-*z<*J$ zm9wuZEh-dpiU3^U%sU5>6o|l70zaEKa#3qj%0flLa?=}Cw12QqT`TW5{)v6spdkgY zPip*v=_&O=h#8<_N6Is;ez7=~sSHe@ruKg@f$Z%j(WT;e@CD%Hhk?>0Ws zB;tR#PbcavH__e#0&jfSWKT~iY@gZymA%WzW~-8P-6yb+k2W?s*hh6$SVHhDy?$%8 zU6VJH%3rS%@iXYU1pjLCF|O6?AVo=_x{cP;(O&j^?4?#=I9rjCQc+YhGq#1$IrW5& zH%m)=c_{WvC>Uc=^pNIn7-;{m)9M`!3UD0f0SECyX@pvu4QElU!a*2tX?x-#t4VVh zUm9G|LDDMzyh*Q(b?X3^&w-&=zL|A}TdpV%yf0XG0C<3;N1*&i*i&qM=zArf}M1rASAyxEDklgg2Mu%e< zFFVcTKw_|)Dw8gBF8h^CT&k}eDqtCfXbF^BP0zJ*6Yy9b#1W+dE=}&k>o}POI=mPI zvT~Y#1~nfkF?GIXxtq|Ttn323IK@9g`dqcW1aUw>96oCc#y9V!`B4fl;x0Df3wJ^Z68Sli z+L=zYKJ>4*rvIjnUPPw`Km`Ha3rfW5#%byRl z_EMefaFXad;*%|Lk0yq`O?igs#&pujBNdyDkuOCXt^T^=E5O+m{r~_~Z!R&2b1Dk* z5@cvj5DR0G!4go&d9#cLV1ez~#9|Jcqf7EELaQG`OfydjbJR~R5SV}v;P2Z^tq4pQ ze>XRMNZ%H_Suq@5fmm>x&AxXMr?x5@b#|Do-0gy!?`C84Fx)ryKUf&7-XZ9TtCOy1HMTRhW$D%%*xC9WuwZ)-33e^Hm}$Kf9uTBd^{tHsexjPk|vv)wP0& z?-xXWeoF1U7u0v}{(rUZtR=X)m?<)~3DvGs-6w$crWNgDNM3%Zw!wMyJXC!Qh=z6w3$dfz8QSvKuM^t0png;pEHalA>ydNidx_NW4W0Zi&g zf#7MY#EQulK!E=)X?uCxroIfI@+u_G51RzctBi!K3Zgj?d;R+Zp%SA&{8?Fpo?p#( z611|!E{*$M(Z$GS#niie0drwgvL9>01zy)z;eksvw#7ho*`)nI!zcWnZIp2%zMb4Z zEP9qcKFfA{8qQkW`+V|eM1~&@DRKM5A|5&9YciJ?6HH4x0Z4wb*xOz$m`K{Get1gb z8!|(GsvuHy)dGsER5AOsvl$s6X&zFzmGETJ!7$43UH%(6e_t@tDuSEC0N#(7&`|dH|o1-Ku$_H}= zl8;n<{FsSI#Rl&-=jeAJU(;D-qM*l7L|5nrOHp*8->04*7g(wp0>( zO_KUu$cKR-Z7~Odo_mF>cbRs49;Y_3hzk2Z^jq^aiki?nB+ESR@Gh~RVG>2a91qQd z_X5&=jhmjV4O-M^bAy??Qzljh{%VCVP~q!)lH#AZeR)kC)ur4_Yrs|zl=IB9ju9n_ zj@7w4ck2w+qgKHsfCW*A@Z2+taY!o1_yuO61O=+_qx1ZwVc;fnDe-vo96hhX2)kG; zUSSNpmr1k~IqiAUEtFCStQ09i-1(Q(rXk~N`GvLl#T}22p8vdCx;Wh^t$Vt6v z9UN6e(TCs?kLA7lXKU;5&D2m(aao)|nat0zrLt2x~-|8lWUR@pW8B!vs{bd8^1+4XKmZh@{SJn<%}#oQ|Puzyve03 zDSzm@%z5L-(Zk6ni)%dle-&^J%ASGx7H?pU?Wy-%p0~ zQwfF)Lo zKA2R^pf!ul90iqJYMrwkhP_;~>m**Lq@>#o*6uo)`2w9|9q%;_ZMf_AGsw}!uXx7G zJC(y9`5tfZs#Hi3ZH3R1f+oB_UXtu@`sp2K&YibLO*Q&cN9tP{1WY!B+}Hf&HZbfb z<5{m!qd-(V88kk>q#Rp+Y_D6Q5cx7sxv}$6&OL&9}FW$2_!88{U5v{N$@;P%IQ@NXbhKxgWYb)i^a(s`gp zWlROz{%IA|-oK~}pk$HyZf^BiET%O|6)BC12zm>xLR^|2-TC5L zJ?qPvxBUf?ui&~>bxr${fckmsOQhX zxp0tLASeg$y}8A)1WgcId^iqIo+j|EQ3e z!MpS6a!QiNMx$3^vjS|uj_5Z#j}&cT%t2CQ3`K-q9P(&# zH3ReKgt$!X?33_Vy?{nyddFh3m(ampt@U9sK}xs2K6Oz7u(+#cUb5EF7bBBA@l+;( z{FHn7tQA~5GPiD-KkjHW(Ry2L#;HZEv>Ze#&?O}ah`OVw5iKKEKHgg-Yzk6#w!}1s zeBh!MS!9$T#-X==lG&U``5Wnx%5&OJW% zSH6o{U5D2f#ZXstijM z_AA?FoFd+aLS8Riv>u=xZ}oMo{xu)TBy{` zQPX66))Y<(n7QuQ&y*p6tCLk7mz#}h)&pEv3NBq(u4W!Eg@>#gGwg^T{TkTsBT9m!+eA#tI40@*`&i}N> z&~q``mTaaK%~y6e#*ksYL?J#nzxC=Q?=E70)0&)B8IWYwBb_&^9ROJrvi)3B-&%CD z5?bmHt60m)9brxOpi=SCWlz9609>e$1B8@1EA+lzkO;<196F~xJMYhe{Zs`*4I<7H z9iD&%rTb2b-zHEtmP9t~0>(N?+GYG~d(bGaqO(RnY!J#0;S@g}qibyqB>Y65Eu&eP zv`HAJ6j*6uqa#c`dK>-xBCmOsZ;H4ONq790Baro~KO{k*0uX18PsUjbVp1L zJ&fkBeG6SqilAY;VT3*;R|)2KlSrZ$Z;1gihV#@2dG*W&cNDNIQS|hKvT#VTnwlFrm5qg#o$D)@Xzoq2UA3o2VTu};qkMIYy%On#YF5Ti zlTm`I538T}VwGk->~@iE6!Wx%d?)`F9NZ~ODE~K` zxQB<`d9T#L1Vjh)k(`ns@Bk*gJ>|G~7A4e7?zJEKy)`5RhZHXPV1mG}OYL?xARtiP z$St?9y}Q;+dN9t53c1BxD`Vw@jUTU=hML;ci*l0HId4}ZoFJ0MCMDodiK+*TbkYy;6iH&k02gnji0FF~=Oa?#6U{==Mon@f+RF(x za`bMW6YVj#ve_)Uu;12g3hf@So|*Yr*AI$Vj&Y4Kpc0R_c{c%ovltNeebCgmGt@h+KDBy(_Te8*f=c6hEdUNYJMDUIf6k%EyyV zkdarDp-ZwhjBze!1mci5Qx^6fAbQD zKT^hjdA0?ZfQT|B^bh}uQ+9r>Bluh@U?mu+Iiw7+d%3ixLyETj+}nEVqn;D~{h-Jb z9Aa8Jd7a-gg~)a+fS5V2%*x?BwS>B#N)Q7oa1K(di?eOqa;(63GdX_dODdaAoS)jD z?4Faa+$se`8x_-Ln!127sa2N)6Yo2{BpXy}NbvSD;NY5gw_MG&4(@k=1$^;h#A&?_FCt={!Ex zU;!V(AYA^A)a^e@9E@YAfJ6ZM+M_1X zpK=pS#sgw2-xOhL4MADGp zRsYP@#?&U2I;zM(+^pjTq%6nJd-UPUe65CzhD#lR%G|P4fwbZD*fyD5avh&%T=(gY zBYw}<-huI-g$qtYhOKEGGohzuM|b0N`ZKI_$5X`j{WHHREJF{?$d%_HTSq(^+zB&- z)!3GslB#$|a;$Uuz3Y1GQ^5lU7ZJ+dwtJor=ptEoSjM2~e$r~2~Px(Z8FQ;2FFa*h-b@K~YMHj34^izckx@_iv)i#V8+ z&{Gg)<6g}fzDYT{=|WJ{$&DCs9xt=#YAs8#8nZINuI0a-ZwV@vp;%(i(-Z2pY-pgK zQ!sm@Z>IZ*bi3x+3#-X;soJMbn9oJ!d;PXy-Hx1`!%GGbg=Ean+36@)tU+kNb!2tE zh!rKw&4gRUv+w)}<<%k-UPmN;_)L^tuQ{&6+I<7ejX3R~x#ctHMn6FHCfM}m&jl0j zjmm`x#g_F5O>MWu9KBS!2-849-BxrOWh>6C?t(Dp*Hk*!{Nsw6Y->`8GXTD z*Cc;qq4I$Ka$8{A@KPu!P-3D7Z?mTNP)baUnJR(hP$tgLXyHSOpC+^D#1F@=1X&t! z#$vjoopd8L&z6-el$Haq6ZrDsCDd_*bP&*QM_>24VQ37*q=5!o+@o59gL#r4dho1tt5YJDyJdSlG^@AA4;70-i;t|vH-J#g^m3cK+MGs{j} zcgWDutOe=^M!TZKVB%2C;q%D@ zo%nUi`?^tT6xb>e#y27Nd(%MseY)bYw$4txt_uISa zp&$=0S-4~@ZA}aN#{p9h!1ZbjsL=uNruyFSNCpNV)a0Iy)i;&ZiZ@|v(}CW2ywku9 zTPDx3ey5P<_>?z0q@Zokky1K)3p!uBmnuPf7#Y7Ott>_%!N)ldsXYV0d5{&YQ2T7+oUhb1 z#*4XPYv}x#v_QDVr+^2TEVITj*pg1(X+I=8Sm-K@8{F_5rC=*2bPR~D`kD5!#c#SQ z*CEN|ls*eJ|H$OBcn!78VVeHlf&4&!bXux0y7JHr+Om--LUQt1YVwJJc%hM>FEHT+ z^bQY4wKyq-7xVBp2W+cHMl)$mE%K{mhs?L!W_a9Z!dtBnOY0-6thCYZcNOgL?noi$ ze{m?IUMvFUvaJ?M7B7(NUfoX4fC3aU@LIY9xTmaT`W0$D}=EImO zsZ+D+TVGH-2qF5zfca64#oy zBJJXpb;rMDCYuCPyr+K3?U`!@$lv3f^L~SFSv}q984)?)#0ZpPd-0V+e-u&-wf8 zGS`@sq3H7%hyuvdp;;ir+|F=9QY{{siqR0e0#kz?kp&V%TJrpb_e+((YN(WcUz3TI zOBXI>;8YJx$CdWZ3!aU=?XU>;IV5GZz483E{1a1YY*egJ{zE}xNi*@a{yU0XgWdY| zYXgd<){s5qgPi1umA1gQYT}S)V>Red{xOn=^Oy7sHenyXbZ^B@trwCdc}C|;Zguf^nS7N1Q0zO$y=fF8yr{`go?dl*7S zkWFlF2#Na+Q`sCVFEWzaYRh@umUa*5(6D7z^;OW5O_vsIX{gvSz3A@7?$29Jeq;42 z-RBc9nC76r>-c8xAP|vDtEhq$-I-~cd(#@WJ7nmEsO|KtWWned_#NdfjE%CX84#`0 z&?dJ6wx(9PR%Kr%Ap_WN9o&AVH5RVr3AbJ5vBM^NRX!rK>SF%N6f``Rg=J=HBmAg< zMBueqs|!^|4h*3Gh8xFUZYT4AOJN?MdGzTOA|<9H)nkim`6I)=C%jUA?~rjPct_#P z-|q$htP7mp<*rkG^?t8Ify-6V3}m^$NR*-pT^d1Wa-rAI49ZpguEA)dJgU6_&17Bf zO60N5bsoM&GL0Nmoc%Dp`XKq;d;>?fD2mkJK8wD+G1%T-75FI44%0{VO>u$v70E;) z&ydcQ_}?UGtgn*rVruPz8<#o5Fa`=8U#cng;3ysc9G*#rRN+Ybz2_;8A zCV?>OQ9>rMf=KfDW4)1a4ZPul9wmx9z-J1#yQT~J*$Y@@7{!-PcWLNa@lykIo5Q$j zG|>6pvqW&MfPvM9*}()qM<;yyVeA-S52fP|YgI5$$cj1OYuM#3Y?SgHjgCDi(XZaR zvkL{RbIQ>yw3YzqR)Pl0j{flGcx*(kc~C!eSul+O#;cEtJoB= ziG1HFxC%9*ui4yhbk?q~bH4B)9v!h|oF>0;8yPaMHi@Z$xjvE$_V@{~mQTRR089k5 z4f;QCK`sh4GhP;^$LKsB6SA}Jokn)0US$Lzdr~PbNlvKRvs69JVVkR+*Szz4llD@@pV^ zNRf;A;hiLaGNQ(KZ6x9*L^qE%Cx84g5^Q{3h9@BF14)swpfgzT8X3PcA@FAw;B_5L zcq5qVY(wAJhNtMQ4)G?811Y8!l16 ze2DPV^TKhi$FIA5Y>sqmk2@@iutW8nAVvNlGbS-n7Xy*4nv)RwUG)Q}BmKPX<=4pG z7xkKTq&7LBKXLx|u&00J>6lA?7j}K>f4x-A-0U5dVP+$JwoII2=O_G|^tXPHh&`&5 z$1B-e1ai#hQ@x3dP;vLrU+;t_9W(Z&zn{(Z=t8o)6v)ZZ%`Ha8q#x_>lDB@e_yV8n zC52C^%Q<`8Kb*-GiMz{9Zz8>$HW})U)v=B>Of-p0FzAzPCYyOc7NA^W-DF_V z{DXaXd1m$MjEeOj$>DPM!>u$>6yWPAqgF*u^kCe%pDoM9Q+z8bvm`HEuUQ7XXm`4%~G#;+or} zCmT~PI1*;_r4mLzKWi0@Kjs0j*1*pQ_cJbKQ1%61 z1p(bF#$LPB=?q=V=zU&F_>=R++TECb%gR0zbWcsw?Q093CmV12r-6X8zU>Anh`e?qGNaA9?Z33 zsNJQe=sa6LapNO}(@1Xr{S3#i1~=k>(VfGZyDJq5dgei+3mIjgxESM&5Yp?q1wNI2 zbcVjtkj=ZelnVSie!0jXW#K5f<9Ck-<>a8)>!=slfnqIQMU;-mBlA}ha38|g(4mok zA!Y6WQr2?@POl`rUt>rs>^u&LIFgX zL9&DVFTo=dmFtWK-RlJlqco0QZ7^(a*ndm)n06=`U9&L#^b$7 zegpbr+1KvaK@BDNr?aPYP)m95*+$&`!0X4Gni$hY3ssl1Cgx(z;eyWQIa*PQiZwg% zI7dmT!b0BFqUXc(MLj+YhgKEf?YZ)*QK0u(+?rJF;Mx6>EoXe$%`v zAQjijk7WFiW>7YRxt-2^lag2h^C6r#A?9Ur?k)dPw<%%MC~F$awryjmL@3K#G+j33 zzi#UPIc4gvv9)|;*9HL=u3~-9Wz``2jMU77_voH&@Pj^unLCa2{Xw+XZi*aA&oT1w zl9*TqklGPae@aSmbzG3@o#mEH9!7!Hub-3iw`ZUKPbl2DzZ_gAr->sT!}6vNK;bkm zMyP;9XP-~3xP4+X**uGBlB*x0yuS}iI$hacXlx-l3L+-k7UifQms9c>PfH=jb01Xb zRE63P1Rj$%9FjF9#dYCXc(ixwi1RSzpmea=-fz`t6aBRz9=}*cK39vd7P&$9a*|_Y ztmjM=zYYb5+oDK8of!5OZi9)HI;#bY6YhT*M&HS^u-tW~IZ%?c}V$9VwCITKqsC zUEQsBoa}0^=W-To*XU;28l!tE|1JXcy|DuMx|PN-oaSM&M;*4jzO{^PdL2&8iKi0w zz1qbvyRwn9-ia$T8wEK%M6cphlH*7G%1ri*fw}UwcC5A(tEqr^hO})`v-U*#P_m&! z25&mp%_S6>1+0HvuCt9#Hp~6RT>!@dH+iEo6`}0PFG@t6&e|*?qWf7|R)cTSa)cz# zx=QTE?wdCErd+VeX9{g5$h)#89xex*16h*q6YPeBZ!&CsW2Fyu-dsxlsUls=KddM2 ze0J7jhsicY0@0F&314`(0lGVVczvnS!$4VLe&cX_+M0c`Tu8V2t}T$6r3|+cf4uaP zc{E!=9~7z6@8O_3U~@V0pYpMyS@4WfBdS&`^8G{YiqaDwkvq?ZIa{x-9F418^} z{?I>`V-jzD7^77y)LOlsr@xg1tDn9B=cwB(7ky#sCqG)DvMsbQb3N5+TsspMZmd^b zwY#9E9Lk#PDKh2dB`uk^Fj%i5fp%RnY4kniil_%A%Za-fICO1(sd~1yUXC%pdFx;n zcdJ{;fcmd*{Qo;~?Z1AK5%A1m=UsoUnR}-1lnU6A3b2-zW3UbEH}t}nL?ty+(UH=y z9<{Md^&h?iD{*!I!8FEQGL2OsWdPIoi&fBlC`U#4^KsrAL-fKA7Wc!~IVb}s41d)_ zHzKT@eot$VKDIr#?z2BIn#GG%sKGf;3vVI8e7F)f#Md2W`)Kf&eLi_-AJQVvWzi@5MYrdSuA z6Z2s%4&*CoAgjPeu>FU%D&e}famOz?IWLA+S;X1|CJf58{A7%mz8xhMsXzayTW%7^ zc5yd*VG!dK76m$5h@6XtD@o>j;X!qqhYcO-4Ze}hKrt+oR4p%Yjto$==`qPcN$@!< z-zI{iqQ?o{u$x`}99rY-<|q+X1n3~56AYwHD#Eb{=~;dg(&7hmldhBeUp4^=2s?-! zxYssIJ`QI&hWJaoiJt=fPG=2~d);#KGP3G+B2Tc;S<@*ef zSvSltwQbiY-vhL4aICg^2UZ^vGMzcC2r_kQ&R0!(QGM)5$G%wDgZICDz<;?DU(w%) z^I?rV9~xuD3NZ%5Sq^SrGMb=28BH{2Th{DwM^;*v@ zVCC8via6b+>2LZ*X801y{Dw5M7W2?R7+Ll+)*+=e^mP(0^*IL29S&+`sOW_E@Djd+ zuNawWDARsEHILASh<^Y?PCgyP!~-~CU(wCJHlV`w*(XegOB}R=MlF8Y*#2TIc2<7o zYx;r%q^uHi+PM;QJ94cM^E}E#8FYKu9X~EOVD+64F5{_nmzLbl_!*d-PIW4vpT_XX zUFxEKywf0(8RruBEd*Sd6@*doi#EX3$^3Y~ZFO<)@pvNSAlPocrIphMH%)W2K)vV$ zn1cs|Xi)vviTKL{`|sr5tef6TGwm-~<_Hz7pz$~~4`Ehw!j1GDxIpH6@C+Bj96wKL zqy*^jr&I(Tz5nTAD@UTM^1}1XgkP+bbt}v}aSNH+h{v(Vzj02!OPtf)1m_axG}F$D zRymu?rSpHC^x}MlisSLb%ni0z4Us+`1hlFTfYk#d{r-_oRWCyq!Bvh|_6WML)5TQn z26kD`71E>V@lmjp5H9g2aXX9*{1}6RMpW(1^sy_0MzASun^p7{Ks1#kE-4(!I7j%D zlvtiab|%xmK_*s@!Zg{zGm+@vlvf3Lx_eP-0Pf1S1{P`xr`z+P_yhuz@8&BPe(Yuh z`1!l4eQEgzZ4>Yuvv99<1KAmarA+-ZgQYv^Gi*Ffw4b;?e<%04Wl#H)j{b;;X@%4T z(71qOl_2~5uLG;)lPD3V_VhV*cWDr(-zQY#Oj8S;a^z`$ag>@zmYA%Y z`L3o)j!I8$#{OYAbrPim*9dTGS(IZ;)?x$ANygv4j=*7+_cm7zew0a+e*LwN&&t&& z;HG36vVD<4``B%V;slSZ%(w+(&cf{GB(W8~TtWL+l=MR*qq&-UZpk^^UM9DAM6SdC zjf$e&Q!{!};&MW{rQA)78Rnei1?LF&f?aRj3jAL~LI0-%`GNVeVHsvGyYQr1glF7M zA=)BcPcXb8c*{CmNF|SSb(X5gM1BFqA#Q=;MS_3gs3>63?d$WIuFW$(VYn%v^@&h% z(^pC!r6w9&r^uq`nPMwZQV1hCn5NSHN_H^a>-+@N!$c1jx1n8Dg$&IP8r|y+9i85T zS#g|m9!3|n&5+VeJ8e(eba zs9Tr}b`4{g$|K;IPGb5s2b@7oko}Ii4$M{X8!R@g@bBN)f4P9XWuJc^ldeTxog=iH zfC)Y&M2Hao3lB9el*91hM-6V8Rs{yhHq=Dous!Ar}QU zJNtMc#!H9dtV5P_C?`~3#5jw!F>`{F8j=Xmgt?ew;L->1&^R5!nA$2|mOgKco;lfr zn}tI_`2079hPE#Y&igc9T}^IC821+8a16ohZ_BUoM(KheLIJprK)Agu8fXTUuzha= zViT#+cajhM^s#*d5^17~J?pGavx=Np=~E6fj#+9n*=>q{bR3>s`=iqDh2g2k!{pW@ z4V6U2I9p$WZr>28l(CJOdC|yb%=z2GE~s<}^z8-mX>(xaXF>)XISgn-E;ckxRTs7i)#0%j(wPe zAJR}gi&E>3NY1#*De=U4zpJUkUUGw)@$EwAODObkhjcW!Z0$NTrb6Z5}!x0b32Jl!66brcNHw8E_Hd& zP%YaN{+}L8*ze0i8o3@1ab+b$#8HHhB(RvE6Obq}zgyzYLUOj5%!es{Hfb~?y$s0k z>kJ|M!Y!GSL8o8uAA(WqnN}&LF~R(w01UDtvu@R&UrN{s2cSZ$?wCGPF<5$0l;f{t zVIM#l6C*>zE3z2QeT;)Ild0+WsKGeVCrXe*6#K!TOqk@8vR_jS5aX0k4D??qj55tYu1{PFK-mKj*K;?&}8FOMDmjMc9?qj_dQ@4Zj^a0{XLQ% zGT7*AP}k4;rd>{?d++Ln!qLuq&PHM&r4ITh44QNagYuH6emljebW)Y=ii42R!>yT9 z&wsRpW%CnV4ZgnCdw9#1bg|H`Gyb%2H%^lXMv{7pX-p=*?-~7ZUXNfHfepVRG=VSV(m{zly|xtM_(&yMV9z9h|1iCs(V zpR_XnF5J9ZBrmVZ4cXe+)ff$T#`$WtrTGT(AO5?VLq3MV{S#pb_ zrxnIFMB~X5*A;B&dnT#2!rv366xcI zG+|3Q@<2J)W#+~QWaA%ZEQFlFP!f6WmuCT9Quh&4B8q2D_lazFx$&*Zp8Vm%^q9EpbhWI&rZ zM9X%QvY13mAZp!dkFk%at8x5q3qEqSCn3xwC`G#*NwEbX=vUZalW|NKuEgoXyf>`F?0%;^M)F#@ICdoKS)n0X;U@qH zIjD(93m6?(5we>@UR{k1gGMS|&isy2^cwy_7xbSe7sc?(D(U6i6`A#+{F5|+DHR`T z^l$o;XqJSB#8r9%$B+K{Iq3uwj(hWLDAzJ;k!DgUNAn{IUg3pSs=g$CEbu+IUYZyF z7y7dRpg;54BgeH<=Ys(H6Z_m?@VyCKk|xz7S^bN_(a5l_ycps~i!e!dAwYk+|E52^ zNt#!`1N5f_Kz}CvL4TV3h5oFyIciH57bZCc-X7Cep8Aon#Ct~_TnOU`MTSfIb0BrC z#Pq=mT5d@`RSI}pJ}?@1`+5Bzi;T;YBNnGj^F483&zfq!|06hxd{e85;W;t4!f9G5 zM}84QRj6ZsB(6b(kov;&uYH}$Gz$Xes_etLAYl@ZC_nL{kzd?s*l`Eejs6#<5%)o} zA>tDJd;(KbG1G>vS*Q>nzCgv*b~KCW|BzDFjNlN$y~R(+B=UrCUGfDgPiPe5)6w&? z{$qyjLN6(MAC-i6>^KJW&Qv4eIE=nzsH6S9xeK zAQE;_k+lj1aM7Omn50=j0ADNR%Qr+zjDLSV_?M^lK#8`pUu!5pIN9rc9&`)Dp*?_xKquGSh#-@WD^nH z#gdNRY2xV95zbQF?t+=DJvKmOv;Jm2zgNhT(;7p_BBZY5xM7N9h48Ll`CtIr=ws?y z`4$~|J$1lGrSoS99V1oAacr`En4jO5LX)gII%#1BWgwxRSVY{_oGo^3-tWo!)ma~s zT(Om`R&9075|0sfKgWevK|OKm%}1t64y{12>Bk>bm)-K9P^`sYe$l^wc)V%6&3E6i z)W?-;t{J_fs*Tf_c;qUV*Ie_dmZc!#@a0IewsG)VCSPqHGwqe%Sf~4MtP|mArk(Q# z)=3Cpod;j1P5j`8uhxhY*Vsc&e@PYQ(pB|#_5?k`bw7TUBnCg-c|+uJS5bnHf=me> z=940oB~0}$Un=`3?ePuqZbfd}J8*F~l2!C@iZ;_oZ+N6+(3O4zho^Uch%q)q1Eq)3 za+orTOPrCc}NC10;^BiTrHiYst8JAdeKPl->El*Tfnj&+TOwGy(>rIEctB4i!k& zdW~9RC)^NX22Q(r?TBBY_E~fS_K{KogPKa_MHHGZuxL}Iyt!y8V9jy^s@xSR;hDo7 zLUFZ!S;Rg|aE_XTIoW{CCJaH9COq25(DjiE(eQ?bhd|yEvSX%AcEron!St~Wt^=tI zcpa>#Le%_-5-StdI{tXi~XBo3kl+&#eZ4#{Bw# z-rel|%cHW$DEk&iYUX6SJ`|T8^7-Irt1opPWxnq2T_ZE)8>cVV{Lb6LQ|J0x=|Zu? zx`JaBhH0LS`vU*qJ4yZ4B(lveug~8GnZ(bu{G5%5HtkyT zykCRjV?%c01m>eiT*JY9b*68DdUMZKfHpxY;2ldZ@=UYXVO%y_#l=~O z&_W>-{^HSc(%t$=``tLADSoPJ$sQQ9AV8?_VZdbRt9wBeILU3P;OjUljgjMSv`5|W zynLR^FbtqVFklIBd6Uh!> z;! z91JsTrb>h`(J%ix!f5T`i8S-_cF3G^dn_7msV$4&qLLE2()~0tvdJ7SwUY8yYGmE$ zyBZCz+dC$@M0vZ8cy$@Vqw5^P{%?SQ`m<6_%dTsxZo9mNEc626Pvo5z-oKUmRbh;d z4HlZr@#7Zo?`gUpt%+D8$bs(${E{Ow-!UH}T8-Udxic7M?$xM1|B^Eu$1p=h{KU8x zz%J0qg3}6V$-=3fPZgUVv%3T~iyXFO#b6TReh^#Zh%Wx(otrdjGMGOIg^(Vd5-hH&l!`8F>s>n8;s##0W2HfS0`@3JO(m`}J|_@Dr?|@n8K^wDAv+E9(0#JZURu=GJ zQ|iofmhHXFvp{w^*>vCD;8UBvlg$(|!TRRcg80#rm}4E4;$OR&WJA1pzBNQYuA9rk zGro;7iSSwMZ3qilH1vRPc&ZLxdGS3wQp-NeT8Bb43Eyx|-B8$8gUI8ZDMdJuA+{|~ z%lwf5ry?<4O;7wuu`GsWWrWEsXf2n1uus@T>0B{QlaWZ?a)hxm+e`ffKO-A8po-a* zfh?9?2e(C{C^*j;p+TNsPwlLMFkyaI>Idl1L!6S1huEBQyJ8px6Ucqk5 ziL66wRVEyWJyrDN=WXN0FBCzE&J%TvbP~g+Pd$*Z5x_d!IGRp;ZjGHgAExwhG2RA2 zODuNy%Cff4#yH!MQ@g!cW>xTY_x&GpjNPGm2a34cQuoAY+B$WF|T_u5Szk^+0^)90qHdW^m zD_lhU0Q@}Q2D|q#joUwQUqhQ8hah@Xg#;G-A_SNPLSOS91tsG2WfQr7*7m#cc|yg) zn>CCt62D=m$q$;uWTnU-t>|ot2a$J1vQvV{>@g1ti~fxjnrZKaqekpS1@`}q73R7O zzB4IRN`)Rj1h7JK65iqok8ypwWpQF8O$mzbWUEgwX0zDQjvN3U#AyyBPF=eq+FUb} zY}Gk>t?TX|eceJ_yLP##-6$INESkHmKfhfusn^()W6o5#s4@OqZ{dYF#%Q@DmgVYu z`sN&L)ifFV1Pdri*G7YPlmxq8A!@Y$!EjFqui4rTd`Ws*W3`GD_QSpf7Uv%_9#+rY9`n}T~hI&h#0l4{x{PVI_ zK~ysptyI}S@s78P%muQ8n^Vyu@jh*l8)0)+GNu~&OHuv_;s*_lFV3!1t`RNYbcw9c z6XKhFv+vcc_jJJ5uNX%Oaw>|97PaGw{yZju0ZA!#xs335`G=mL z)USB$F`#pm1BXALe{{lwO_RLXe#>?$r*!x&C6>E^j3qLc^XbW=-skwprFbhH)<>Y@ zZLh##Bd*e!PenUF@zDlYop~1JgnKsW@ij|{E>l`>y`9ytw7kxiUB9ZGY~2|!my7%r zltifVC1)~jZ?_or-1=QZgQT6uMdV!Q$u>DI{RrF_JT>hy4W*nPP;y;-s;hfgS%zOx zhLG@Z1SO^!}H;K z^7eyV>HSSrG;g;lcp>X`^YXj8qYUNKy9V3Lj8n4lmaiukgg!K2A8U6lo?+Zoxp+~0 zYF%Qy7cYmnl#Xh&+~4c|eTmGW@b6*T-ofo^Asn3UokETd^|1#yy=X(&1J>*Oi zi4EIu35ANkFzVqJMN!^;+k_pX2X4?IJbrX)(%LdINH1A0fF>uMt}izUaOHDDgTpF3 z@+;pxwkLrfuW6pmr#i4xiZE}#kI0~txG5|CJi~Uekj7UpsFq>#J-LubEfGv#U}%KY zk+H2anWuJ3e%Cf6r<*Zy0WYMF-!Q;;U}{QpVGoK(QUhDT?d_R^QXMZUw@P= z8y;&Wc(o4}t#wTPmkSb*u5{fxTAp8rvyygE>RR@Vc-C0`m_9%0$p2~xXkd!Y zLJ;5@s|scK=){wA`;Ju}k3-l`0X4?^vtG~Y&&-i46tz?xx8tb`5F(I$z0|@4=+=>4 zUvsR|EEXP{6kN3wXK`CR;8Hq6B!1fFdc11NLb^?+UD(<&IS-Sdr5d+9s9Bjp=$=~H zzNfQ+?&NEEP<6!YzjVYmu(EP7WSe!`4Rw7p|84K+%o_bm4TaQqnWE_A98Z^ZZ@oA| zRvI-Z+07oAwgRlD#t0pB1AW*;cM^4aNKhxdH|@O*(4my6a$W`_$NQ^yS(9u%+P6#k zQt^}J=&8xTEkSI1yWIz!LMtC7T6)?AW6}OA6_&%%xBCqXxD6%t+s^vzikffpGdCDI z8PrWY1h^X;w7bw3qv9XgUX+;{!;pV)5nlN{+95@|@^d1uU(S3U_(T#FRT&(xONjUB$7rXYx$5=3nH}99zHDR zr(ac;Nyms7>O%4Yo5xvJ!~FK<>*~-%Z><{=9@0qzbYA`*qwL%w&?lHbBP($)l|Sy0(j=Tu#_uW)pE+UDTXQ2rLL%jMZle5ldr9vADgQ?0@Z( zc15%%d!lpdv?U23S$b`j%uVOIlQQBytsvN)Uv!+)R|IZ#eM~w4=q6mBsZ#On9DjWK z@Mxn1Wt=%xA6hZx$$G>^kqa+32V`M_l1Z0);X3#2`(7faBvq~W+;w+EPYYD4jV!<2 z6WBnk`~p->fFlvl0=)_g;{TSCqRE(Kq|Wsv)O9rM^BeNi1& z#wlwBGCwm+gBiQgA@yi&-NBVl#`CORec@F&%LadbH_G|dS%viTi75-IruEo zbukjSL|cd4l+depX*p2oQvDAsXk&CRropr`X#-bB@g2RHNur1iS9h9;Uvmv%!s+5S zx{z5!ppEEA?Xum8Ln9`^=XCakn&+h)9**(!CoifnkTqOGV3!uU#*Qmsjobw)C_LWk z4VN7r^m~Z@0^3<=P_qb!>b#KVsnat8H_YgW$2>N5m`HcH@GL=a;(4o;W7}%x`9tRk zqnZHQJj9kSkMTm5(9_9l6$b|HQ63>eYa^Ayq%i`chk|yi&6H7lrU`D!ml5_w8Yuqx zj!teaM77gOub}Zbt@GnHn@bFeBS{_tB$MYIOxtV=ZG`z~QM^mPP6XoEs@e7)c^4Tx z2jszW?=4E;Oz{bY2p4#5)Y}AzJE~e%sidFzQd?2fQaGAR*Vb%T37)$)Fz}39mNY{T zCc^PFXao3aZ#(aDR`{bp)cWheu1>&I+-9J^Y|pf~W6k2GU=i9}r!CGYI>VI(`*3a% zQBVzmG;d`lXABE+YkBm93Z3@$uSdEK7WM1{S$0U^c-+&kb_~(QA$$Z~;;udH7h0ac z|FIlrfg~K(Pt4@XpH@n4B=KI9L$D(!Le3QhFsuUyNnh+2?Ek1{O``ZL8!$K|Ev$kl((IET7q3hF#x ziHR&^e|1T!nr}FB4t*HAqE-81Zwi+#c>H3!?njNM`!+@H{vmp)+{C(Sw9|oncwQ?l+&KzI2Lb1^CW&f?&Y=(KE@ zD{H3af`L%zp-mf@IC}5s2ixzDzYDck_76JkE58*`FjuJRDybQ; zlE0C3=b9m&cf}1qJa2bqM5WBwJRo{@_h@gX6JMVQsjqwqOfDG^m?z6Xt2Xo?NeD(& zoXdjVDfoY=d(W^YyEX0q5fxOVgD4Ps5fBjRH7W=q0@6fUP$Ioa?;wiOga`;o@4ZC2 zKnT6}-diZ4L#PQQyf@FDJ$ujpKePAjdEYPdi4PnH<<7m~FJ&hhTGkQX}Z0I>HbKVU^rtL9Eey7te?Pe`rd$_vW^`&;t{xPXa zLOsQePIX4O#~@Xk-r>HqlHs@(EH?Fx@e{ms z_=$<-2yIbmR=(do|A=Kq)w%bJPBSmORz2Z;MTJdB{1_+x;TjZROcFN(mO4whUP4N*Dup_>jQg54;hl(PaZC;}el%X)5NHDla*u;keW?ub$B zuh%4|Emr(+Aot{C-S6&Khnu`3+1Y#e$h>!HX(S;@)S0GE4^2gS3O+yYGeAbGF>(PW za0sjK$H5IF-F(`5)4l??t;_V(PDS^Q&-0(#i^|Ueb-aN&M!;W8OI+G4do4+1-`oMy zQfX^zcc>c(xT%SY7rz@SSGUB!P(i<;3AGjDi4ZIHXnzivv;Et|agWD0#xAkW+ zbTQ@pC@@M#FV#d?@~ZPCXjE~|5KkU&Q*CeHwczf&ju_G~4A$R+c;MH#&zQVc7sjoU z!L6!wQ!D_rt+|n(6_Tmn_S+eL%3~!;Oksz1+U6Rv7Lwyq&1c z9oE@zyD#H{1INCb4c?VU&?b4a0(x#FU9z87la(cz`0B6u{T{l7^77K|N6Jsyt$?3g z?n~?V67jF}h(BIRQYnedv$Z@f{Wez=pJ!B+J^1|!2-m#T@R@QaNcUv#9)QsrcpUJ{ zOyw^aE${Hv!IE8VSyNP$)L1$j8D{TNNnIEl1g$S`)UjU;)UnHBlS1D1+SLa21jmpG zrMVAox7B*^0a8U(Ar)2lY6@$iJ^9U^+^?g;{E7AN;N`{xQ5%lC2Y>8xRjw108*4|F z|MA*;nN!upl<*Ui9Mk=S&5n)~q`aq>7FGP7lA844&jEYWz4qR3B=1b;(;4@LdZP|P zP81OSjcTuo=&_Yh+kdYKLW(!cGZR1_H7+U2Y_KqJjcT2VH{i&H>+XLH;kq{ni6yrBAIvH^%+td()P zrC;}H*QX9oPP^1+g8-`5{f0ReFEyCZ4Hy-bs}g*;N9 z0{~kDxx^Nk`U5W&fGs*v&PxNYqj6fi@IDFl^?0w+>?;&@Dc@9N#DICCW^yjaitk@< zCKaWaKGE&m4wn|KSccEQ;2a<6_7AYCiP~0b;K;jZDj(DDw47bS&rV)7%UZ+4Ue*Y zo{{O;C(8!#qq-V7jdg)nA<=!b>Si*pF(5q-$uIhy(JBF0kpnL;8l!(6sv;4i_CjpZ zky)%Lk)_zps$(AvP;a${`$`HQ&04|e?%P$gj0zrvUc3~eP;)P;Mhzag>sD$l8eN>Y zTG!6(SaP7&Tv~b)W5Q0ik?GV@g)N4zb5!S~(q)9X<&4A_kx%kmewys0G(s*|#exN@ppfS7$3Kg?UpI>Y?MwS8YB^bd@iUIq zd!3naK z^jX~n{Q@Jhn$^$MLf~~c&ZC*d;kFmw~5=N6{2~|8jC}KPSGFa`hGyenAr34{iau&eFu&me?CO48Y)p zGXHLkv#xnW5&8SxZNDF7Psh9{lKnl9$tqgp0BGopN-3(W4e~Z4}MrsV~ zTw30w4)NZY&VlWjnwB|2wT{I?GUT&C54`zW-(`hH;?8+F=P=kG+gQBxv5lP{c777S zHLYXlXp`X8xpsYT$P<_$A!}NJWHkB!2Cv5lQ@(So=*l%$tGRQsz&6GU#X@;$S>8(@ zAkf>B1;8oLgEv*46yQQ8;C`xo>T0hiGiCeVp19WckzGy;GjxWIRG-%+w~h0hYQVWghmBOAlWR}EVy-tNEZ3N-rAZVn zU{7!xWY0kPF0{`0N^tFC4N_CwyRMB=PF0Cvnpmrh;Umi`Mw)D1ToN(#80vL(Fb zppjRI1;s&WIWY9PZicm23f&!iE+f0dRJ_4-#A9t(!%rLHy7^|>?HJRR-2A5jEcMa= zwya#7?2CW)_@#&UD*g2<7KaCMy#V{X#I0xJvSkajZv{wKD~&qp^yCqqJD$wjzVi(l zh7f_%!?C$$(|B8h>NWW3i~K_|PN>=5Nq=hbW!Jws2uz(kCNla)27f$v(c(Mn#ar#H zFPP+uZ=n-Ih2E1ARh4k2d}3E$-_WADHgxKmnY~{Fat$n6qbaL0aBcdy>f2~Eh+d)v zCJMar0i;`tEiriA-(Cj;ikH3amPk3q4mryL_a4Dyq4&9&J~Ybw6WpBajq8AmkHWEA zP%#zliUz>eypYpx#=}HR&BOu->O@Jtq!S$GcxOBv_F%?VcWbUCP5t8kBOd(goc}-7 z2E6~bmfK0j9fb_c2p|n1Zm{SiI%B!XE_4lyRWR`2WYo~RV~<5+u&k>s`;<3}9=;s4 zN<6NYgoA?+f*q07o#{SH$>>+UAF=}bPMN7(mZJnPoh(H($OK{;Af!WqI;8GwH|jay zINRFG-!Eu%Ce4|DE+m|HR%SfWVfvNk1Proi4OHH0u39Sz5PPu3Z7NdN>@ z9}kr8dq?*6V6G2k5Lv$KxY(HuFy1Y6Rj4`O(S|5ZRqz=oD|1}q|GgXW8wiPnZo999 z<--xe(OZL=5&Ef~sE%x^fz=E*^vpYsWRsc)RF~m|1r_T&KtDJ+lo8Yh@_qVb{B*N) zpaDLnq0C2fS-Wgjo!UC^uEgMR4%U@&@bUMHbIqBwMz5L(!*ixO^J(6v2QdAv{HhZF zA@j1$KT9Yp=i6*20H%GB#yI;xwa;7V|M z;RReop0Rx&BgHP_TU20ZBR6{krv`~)oN4?W(dX&BMP-)DUn7rD#C^Q&@l{u^%?tHP zaup$0s^`B-1;%&rjdApX(FNmfrE?0WMoOR%Dbv_=xu?*!MSCEDBiSz;-iuu4l! zvPQrJ!#|eg7juyEw7!9!fAWh<6}bw)q^i^&#V|^Hv~&>F$Wm9y z9779FfW^U#DhI51PdEX%*fRR-AC=ZU!jVX;Z0{4h!3`h9uoLDxdLJ5odTv)`fxb&C za1u-F;gF7%6%iM{PE;lDs}{!?AgP~ax2=>avS|6fG;_GIQMgB zQ03cPb{}JMRdp-%_4Qq-!nt8V)4=9`Un}&O_*qJ9pc~?rojf3ux`U+l{cZB~?|^4A zvU^a4eztDbt>R1I+2)_XGid;Lw)`jX%sV9}hm?VPxwVx}RVzuSDvFrizG_Ldu(=ZgO6XrH5}#hm?$!pWfG&1+L#W$_fV(%Q(-RP1A=7!&uyVH- z-QVZt?-h@JBYo1wOh}(5Bh9(2!Em?~5Gs?viOV$M&c?oS|F$>00#DLPPHoM`G0sG{l|^LFOT`sGt_)#J&N@B zf302SLkj>+jDOjz{QM2D8Rq!aUk zW8#MBuFMKc5cqJakQNjF$A@y|AC4pFNdBtktF-M2bz>XCdh9)!=Ls_BoTWTtA@pQ7 zN{?iuN3i{VPBlo*73_7x{)Q~-sYM|Jc1hA9MN|up!DkWE>0bDf74XM0|!*V^V!k`xg&2o;;qanLHGMIIj?B^VWk3^h`mSf z&EUDMS)X5!nZhm`A;_xU7%*gg%#f9^PhH>{D z*JhGAzhti=d^Bj0!y0PMeG#pcND6_}w}4nY<@Gh>h0kCe)f&^L-nn%FBk*`enkJ+E zl@o^KPf@T(!kOjdf`x>sLmxSi8w^h1z+=g>1IyhMKZG?44e9|_2#PLh0U!;?|E}Bf zz|p1X6e_b9XGI94N23uY4-P2~r!q?9*kJ;c8ERb-{>ZyHmt$V-eoz**4s?_GtO^*x}s0-O^4LVp3Vbq|jPkTHF1B2)MN zC=Uado(#yT=0!jxf=m+0Ms!H6t7X)fNO4@6>PAd2Hk-MlW#np0?(jD=10+Q+^z-yZ zGVs|4Hqw#rz#u%gwaTFBe02}obP>mxy7KN)IUO;Ni}AFZ8rBKEFGDzC6Wg49h(W%ob5|i)mfqxZ@(=8oJk=8 z0gM9$Uh7xrtxnn(9er^tW-Mf~>p{**ie{G>HYZ3+)-P7o(!EaK(f1z%#mECJ{~W_E z8Wg?zZ{N^9{$20g;aXl#q!L4l`A8lOJPQ=ws$&u8c}W)_-3#PSRg8(Gaed7nm_c{yq{TdOi=X+3uGJX3 z|8Y`Z9Q`)tzN>7ck!%&j%2;=?>6N$BV75s|s~*$Wy>jEdd&vkN+paMr1zE;}e_@mT z+kTP~PH`zjIw}REdn)?jjR5~gpyff4hF)}_8EZ;ZAC@xx$;+b8A^w4nxxfc`pGj)H zGS%`TU`}ysSMia+AXD!X6D$9ZlW5p_q}&-?I{CNuo*Act5N3jv|=EjBN|S{P|dS;zFUkI!@Wa`z!}I{6mZL*!Ay_Nc&@Zn-M!3%@Hxs;BbB*7 z^C%#ct}`C3v_2@IRi|=^x&eZujQpiHIo644)~TA}Vhx@H7XcLeUYnUxUEJ$mZvRT3 z_HSEk=;z1fL2eVFZcRfskx5>+FcCjR=1GIZTj}sro>;|htc3ujp+=OO%6PLKN~8?+ zutA;m4!uyLo)_=L-bwSTtMu+a?+t&P%Ft_m*q(j1l!-jk0_VOs)D5xA6vu^=#Rmot z$B>ooKJR)OC_!SyIjV*_9P( zsxyI#S&wsNW%J-3N;IX}1AyNq=<1*V%PD8frEq9ZuIlgC{eS=Y+?Pw4ysS)uM+^0j zm242ngkq>5A@-*rP$P>m^KRg80JlbXiCepUbctK*RWpW5Tj&O>`ft!yIy-x7Ho55CFU_{qhI`vVWKftD2l_VjeXf1fkw!7NSy}@%y{=5d3MrZ3Hiua5+gub69GtT?$z=E2}SI> zA4n-J=@gva(p{3)bnQ!)iJ}r?eXgifwx_baP80DV5U5=CZtpD+KV$)$7Dh!1<@hjm z#o;NI<+vIY_;0v(kN?D&ELCYm-eY;~;xud**=h^~fPEe`pt;m8<}q|X`|rOJf7f?; z{Pl9~1Gr0E-dirlcNErZ8rRbre+6H2y;Y=MMUrUUT~#-#WVqBw%5>8q@$%Uev{(!> z)~usN+PUdVJ%BxR*jNSPe@_F%z_ZR)!u?e@t=!>N%xo-0&#*SaLsKodC0VcYiCrkC zWb?r#WKC;-2^#u=obZo+gx7ew;?DsgUM3=iY$9NZf@I`{O%DNL6*Czb@w=W^-ZFs> zPZJK7UNJg(><(-2kF=4!8@<{{#PZs`UmaGOQ)G(!r9-;bo_aS?BsX}!FK#6)C{XN= zXa6rutS@~;Y~aI9?ZR$<;i$d&4;(c*fTLDwJXq4dzy_g|JX-SS`U3V`8!XXEzPlWe zSWOqq!MP(?_a{efm`QR(hXI!x@K#60AvGrPo;vB#L8`Pn1hM|eq14VNfRaug;s2@Se^hD-vl5JOqB#Dv z^IB#*`G;G4Q@Oew9%v85ZV+31Rbvl_;8Ayr+gg)!8Q4d6BbkR&o5BRD_C4GY>nl|e zp1DlRuVk#3I0LNn;Bmvod__Oj7yIJgwD1NTbZFf;N%+a-d!}W?z(=Z*mO?B^9j55IhI$or^$0Rh#A&L|1D9oO?`1aCPj!1} z$wGSJ{3^ohYNUf##vT5U2hw%?YwPRuAWM;4b#F5EZ z8PlkdoZY+OaSiPKN(&f(zcnL?B^yY($D(kkn@{MX00G-5ADTductgKXQP`3H-xuS+ zd`SqWfRN1%_|Hu)&6$nKXION$8Ith-3Vz z=0O#p*fY!V9m^80SCb#mx`5Q3!F}6S2hyQH@?WT~*>asj*=>tl@2K?s1x2QoAV6OU zuagzN6!b%5O(feul`|UKqo^ah+H+NF{@T!rr@@i5EpL&>hCC5XpVd|@o2a9M65LQ;CRWSSIn(Rz?L zq{;oDk6*XyVKmyyWfbWzHEY$WE_)!4Unc?s;H!{YgpSh-zv;tNC++qXoGH3O>Wa_q4s9=8(Gt1Lj{xmD%)Aoiql zdDF2E7Q&BwphL3}196jFNi<91K6tG~>z8$MTz%YI(>&BCO{*r2{}59B?04poHh%bc z0&WCg8{{rMDlIQ&d_acP52#LeYFw-IL#Fo6oq&I>703ysQnHE9 zd_>jIYnWdw!g8r>D`$KZrBA2#H4o1h@u$scYrZ#(|4B;1OXACZ-zryaRgq4dLdF#e zGCy$hcXKjszbo+P>_Th1+TE@ed_@s}c?bwL`(NN4dYG3;@jZb~`7%DH*aPm81Pr)@ zi>kM?+-z3kpRI+3RKOxHyqdM9KK^oDE*GO&`omWB6koG5M1&4_^A?XoT~-@ zjJ%;=|62d|p18QBBN2ScZw;6TLCHN|r>%i>&u$5Hf}l(H_-a(3M9-n50sg~H_037E zqHo*0&iPbts5oB+P7M~i)jhwc+!EDS*&j_m8UB5YB>F^uHJsMy#O#S>97T}Zcd66M zC`sR@kHJ3yvXsGXMmMNEoAI-NJ6Q~}#`5;Wy*x4=%|ImOWMj3J#MUluW(P(zI@zBa z^r3PnY%0d9`oYDl`REM3|8ZW9?aw0u;+cnk<|H8>vQrT>v#k#gdtI2@fVXsvu^Nr?;F zS=PimJPrME8ErhHqs!KsWwu*$aGN)r%j%l&+o5TBgbu`;kNKweZbN{k6L`N{sBJC# zoTCB=lI57H*&!u1X6H)w@bEgra1Ce#x`B^(iY`~eq<>|#kD^wMfcN%>6ufeQ6Eo|% zQz_00_3mY%+@=U%qCDNKHS>O&y{136!$P??)5EvBgTO5wtJ{1DlLRi{{jws-b#s!x z2`zjqeMbL@`1vyNFVGE_Z?T{p^qx>B@Jine{CD6E9SG?QPP*%L7sa>iF^b|AL{~M> zuttkq4Wp91%?|IQqd*6H0KIIbBE{@8Y>whV9+#9zE)4e7c-*S+cgCL1PZCF3O$3xW9hfrSaSaiG5mdcyUHo+u`i&ZC`tXb7 z`Vrh@F+0?jEXGnNH7fL;IeFEu4QhjHN(n4Z8uARy*9K>nnv z1D>Vwyo}s0!SO;4*49%wr~N(D)M~1NS$kNa`PBLVZQq}K($>tx*~(w*8hAJgN&l_8 zQIc;Lr~~n2tLCqK$zZ?h!?)yb3$?r<{cpOtmSA3|(7HL7{o(1nBJg~Q+~UP{H5cKm zn++zoD$6`2Rb>0Du4b`bUi|X4oqk{8TlYCce}_~8`*GZOUnN9GMHbu7c13*|0Llf; zxK43|$(RoE`ot3)w|3v0Fa=DGyg-z&*APi)>g30^ z2z=Zd$Iua)M}|UT^@-RR%@79i1|zTSj-OUVRav}d?jPjp*gE%xTOslY_mw26B+nJ5 zE4Y_wJM2f`XRM53e74msqkqQnR$gKB-5eOG+8+%1as1>mD|KyT;UZ9CFcd*H?W*$t z(f{;QW-9_vfRaFTrhr!&znzD1%c{!V*fB1@X~$O%w;+(DAwnL9r^1oaG_Ytma)Y5DtlL155)Hn9se3icu!{D5PO9}6C)vxB zJ=znu#-h0N^`iGudC^J(*(dL^z$08R%WRWy9bD{RolaEgjzV3W-brK^gv3Gga>Ea* zhBHQ&PZ=H*IzId(38=$ zB|(r)w;}M#?YB#+k7cfMQXi@w=lkx+F4mO##ZF`-YaefHZLi;&>7zGAxUcqx4&{VC z=z{rgJ}-CJ7%iP~FVg7OlO%u2eFJO@#y4vc+GlrFZ!96+FgNErGC-Oh9+Y20g!bUe+6z^Hn6I|AnT>7t^YU|NSkuy%9 z#pft6cA}W_J?OwVHzqqc@eh*+*7rQU8|6;{(@TL(yl4f$m1<|#i77dX6*8NoHR}Ck za&C^OLMKVl@=o=ipZZZ@MCTmh%OV$NT&JT&au4x*CXlF4wEZk?Wottuh&%gi!d8?? z$8}iPx?aAIzfrMCm&a7>D|rN8<@9t>?MZN4mWEQYS~JuYVdyf~HS4y>w^5GXc7e>5 z@=hGj?l601TY#{d^1en24tC2Q!v?W&u!hP))!lw6+l4q4Fi`ZHXys% zz+B3@&M@jj_bILKT+c?I5nhV#VkSsvEc6rg3FC`a8sFbybNh)eFYw28I;St++k{wz z1P1gSel9BBj<=0)1U9oK>!qB5Tq7z9__+IdU-HheH>f9G%rRnWZjfTFR4T3_HHnwP zirHOO$kHtn{i*Md_EfKxMEgl@mwJ4y*i{%~z9|&LJJLA$w+qUfH>}FGYn+ zyMMv5RFxGy_{*0fG<0$|PPS3!*i@=p5)mG zlu!YBOSVD&QZWNp8%dOm)Sa!z%;Yz&5%~SrUrYlYL-*ffFFemLF20EGg~#k5c74~M zzDTLJ_+*rU6r)lkmI33f5}4LXY)+`pawx(N0|WTJ2)1O0hMkp-m?el7lb3hE!tCX7 zU7mF<^^6U7nCvsD)o{h?K9ikn(yNPVg+GU}#KhL6X$-4?FNCgZrSIg#~^&*9F*&`=Px zSs_sF_DS$g&-<&nr1}}vZzjCr$STUBnCO>vZnvV$^@tXZIpqRi6@pNsvd>3TLwZHO z5>zg*no_s|Vn7p|=L)MX^fQTYTAB5u~Rsl7axahdJ)u&%PO-Rzqk z_sUNSO1VNRLP3aS@yyho)b_Ki^FBTT399C&DHgl#T(#c(jkX@|Z?m2^(V1KwfPUNf zSf=Yt10Wy#Dm3z6=k_seeTvZ>?!W8R6*^itzG8>f~OwcEB!^ztISE?KtgGqup!;kr&B`6lTJyTVDr9& zpfzHLFF=dS7X#jw)sZ#^UW$Wos|+8vy{r&%xtsd+FI;*F>+>*7qW)s2#UWJ42z4<#Gm~ z!Hc5efg|@ys8=qDyXB)>riFTi=9d=LC=ez%k+wNDQdNR)rfyCOcfIkpe<2{}>#3Ns z*SUD0I{>y~gqQh$^(kTwAw!<`9^3}apaWl2t(l9p8oJCj5E{5WiL$3IWkc0U<7uXx zk0GibrpJTAE^?@^Mi^$7*XZTb=uhruC+7$gvYanz_LZ5ng>|jrrkBNW>0#0j7P9@S z5jCwc#|T65w<)#fN9>=wiGnObMP66p(Z?!d5Q&`1DSO&@aZFFby8j}qxLnG$gqR;O zuH;5FbQ<-K%x=i)22pLnzpJhOmRBrvQgG7A8Cr4(-0h>x+eqPEuO%K58* z8L5~)+feo8G#F>LeCM=5R(xcz+ z51DQ)`HgcijAvP1=kl6fa87@&iFiwA^6v1bKh%^K;>H3MyOjYThy4^2%)#der8AFK z2d62Nl6?i62q7Zvu6`%%Efdy}BxmE3iJGTd$=1ozgb_xYbIUW1;^ zp6*OxF>pN_c?6{P7yvLQRjMXRPG%_WWU#S-PtSxrm!rlsWPQARoZ7Ee8Cr58F1dIm3Bml$HjoXkB<8V0JQYi?%hPMkw|yRdVJ8eX-&=CE$<2%w z4kPU0lI^Jcev--p8~^o=EplyxiW3{=nVgl_d&kHclW;0&{eI78>g7kCdxt-x zEWTbK{%LO@V5e^@sfi&>wjyDZSUu45Ek$MDc0#*$(NXa(m+FXbhAPL}KU1lh#sh0sI`nB-l@O*+gzbx!cQF7b9ot^PyUh^@ZY=R9&Z5Y(C)u}02^cB%<**F+!)jNEu`)C zv+bVj01~z2$N-ST_e3X@{q@2^PPTT2jiOQ)4^jvtc(%1py!XzVw^wTRi##_Eg!+`E zC?K2iqnlxFExp97*eA%VLpkcugfpp18w5sS&GU*P+tV{tVuD(;)i?ADcDOIrHtak3 z{uhwmM6KP;xuBw~(<0eGH{PQ0Mg{5f_n8N$Oit#F`7@R_HtC_F9~|~{TK5TYbgYcW z*%`yGwAh`>iv}cg4yNib)p#?h$EML=Z1W4PQHg0!bUD#>O;<@x?To|5+tYFQNQP1* zl@b%>F2HIIpM9pxU+mAfmOREVblSc8t|Dh=`b~i}wx1lxcGcveV3UFmjUW#aUrvxj z8VZK<&xn@Toz?U;-&`D0H4VkM^EK+Dd#xlb>`Qz_oy+@VPp2W?g=ab1NHQ5zGM5*O zTl;cLd;~X!d**J0&vgmFDh<7}2LO)7G~i~`&CMTf@q*a>Qg=OF8oI!$SHd%QsL3r^ z%KR?ksUS)<`m>I6=PsSOW_11oY@|}`%h1Z1M3;#fAOi;}Ut&9v_GNBIU~*po@dNK^ zvb39RiEw?E_eET4_~yq$=WkZIJE_bl?W!+NDgJR8ND%7(SabJ%LSSW#fL&h94sY~L zwOf7y{`LBw99EB4MqL7e$5f>fM& zNXy3=g_H3er1~_i%<<}Pgg=GZI}IO5$OU_BBR-KxhS_B1gq{;XnBnJzX<4CRvR^=z`WvjyE9^b-pa zQ*z0S(Z(mF!5l4bJZBDvWPZ(_(8nCgTzq;2hVavJNwsN=B70n`x?^M=blv7-8aMiXwvK=A?zy^ zVMNmD0?MyW<}=dq^+c-Tff97snP!gVe#@j!n_*YNcTF36%Ga5~KJxFXb=su&t*f_f zCY>KF;tQ1^zTQtupnTJHs@=SoeD5yV^FCio2X5WEJ|t1r;VM#mGca9q4pv%3>DX6$ ztO8YiRQSkcMHihV$Tjx*o}Bus6e{h?RZWJZ!cFJnnXb-yikDeu8*?Ko_qCLOD7BgN z&4z%047ax-SbkfRt+7>uqfr2Fa}Ibi!ijY^5l&!-^FXcz!*cxB_$=&<*qq+FmRPG} zxi)M|!_E*y)3P z_uBS0gH&NHWTHZ9Ght|1EZE%@a2FkXE5UD$~iW~M*F7CmE$@0=q~9`oERSL^ILPR-TK zUXG4Bmu+^=7vMessdpk?)NZ#FgzmiX68li%tQ#OQraEruxRs(ON4@XP=QZoSb56aV z5vkTS!|RdMCspS=i0kdGLU{Rn02`jed{>-=`}Yyr$3=Z~N2^tGd&g|uLsFVmC88}A zKzUV6iUh~75`i4t^oVvQzW>)3%YVCc20u&Tc6-!&9p&~={K@WTNe@4PYpyqX$qiU7 zT~hpvuJzscGwmKW&sv^$zf5PB0A?W}@F6y5L3BWYY%U0iRa17Ox266v<0DRY1IV?Z zs?Sdo@S!o_{jD?n0e)YX|IRtCwtntYc2wblL+a;^XYqo!yv5&9m!k_-HPgFBKMbsz z5hn<>Jchjucn^T@QlSQ-<07%igAE?xS2WdH_tEVr1T{2x#SZdAa3w;qEPrC>D;u7-G zVtI?E_7!|7vpgn>_ZHc06A^(eL>c^kzGop(Xn^gQhVL2g(efv6pi+Agi{9xlbCE|} zcpW`sodkJyR#{9!Tam9uPv@bX9-#5;&Ejl@AGQ0lL>36Ui@89Ky6i)d5d+iSgjgSG zueHn=;-sg7^3rn_87~aZ`$?YUNOJ!OJO)JN8BABnWX^JU-XVcL7lj?RxDF`~p2e#N zxv|zK%)xnLodXhGl;4b2REW)b<==K7A0Lgu_WE(dch)sDo(H;}r5J$JIp}{CS@pF_ zE@WtGs)mP^K+B%p;PwyHN#5^FZreN|f8W4=agPFXbMQv<&w|y7fLE_{C@5eO!&=N2 zCeN-t3KwFg?B1Ta9(yzGwJ1>re>;%m+WuLbz=G=0*Y?lTOiP=N-IxiE3>PRlhPf%+ z7bpVrmcZFNIE#WT&)>mvB)3p<8U87^xG5j8Uc28ufQ)~C@4c0E3BV6VJ2!<^X52;A z7)9wmrsnXGrGN`2<@0%3$2*)BC26l{=cKU&x{=q`zb_w=it;||;QFGkVD5;h%Q{X5QX$y9vW8=JK}pA-wy%3vY}Q;nF|l&e6U+2t@0vdQy+t>) zeyZe6iGJp`4>HJKnz0UHv{3D?L}v8w@U-;i^N-d3EH}9stZ!H9eQ!>A4;*qURA&Z# z7%CQ3r^)=0O}YzFgEiPqq>m*1BzX?N_4p5Qi&Fg2b6`9u@5hCyzqHiq3B9Ad`RHpM z?n9YoM{;>Ybs7`?A9QOj7uBm<1S$=Y_Wb>}kZO;$`RlBV2o~&9>PZ_!*&zY^1}o!r zWH?rlua<=ACIN(4;6t=|NKNxs!C!=W0RrO zYDodoYeenpHgkWFTHjW*vytv$$7Wd8`BBZz<}OsN@(ZnAf3>sj6eE*l<4UZjEr3Uy ztyrPk+EM|NZZ;}kyaP>^ms7zc%C4B5T!4k!IzY|`nCl>wE{v1aNqCyB#B!NXkLz6N z=0M1VJ;&Qz++~`G`vZb_!^EpY)X?XL{RyjrhE12r#Goq643JL?xXcFYI z!p0~G-u4};`H$22Chpfm17#EUGgs~}nd@DoN`MNhfnLS8^tYvZ2SZIm_Vrw+>QMnF z;ZdO+ax!o#ZW}0A7L!F!NRv3)VSF@!PM(r+C9Nnw51fz77%o3We`0Dn3$9&lTeL4g z9}Cr~Z2=agK0<@>K9>piHXd&9fmLm;(Y~scOWEm8ZE2_5YxQ+RiQp}p(;|IQr`3nx zh@GLbXgefsG$GKWi@)X@(D8ZC|1B)buufm6W-FTB!GliKpp@TGY;VywpD{qUR2|*dX1}@_+4Lc#k8u!CEw-7Em@xFN6 zW>id4Y1R4ubB)b`vb}Wv1JFQ)q2glTXop=bR81Z`wK|#Z z$ipM{Dbp!XK7-2C-M*36Q`RwIkD2!7Yb#FH&*)*O%+#TJI=1z7Jy#TW)pfP0 z*+0_HEQ*QS*uHk|w6sd2V+gGzK{lNnZ&)cFN%SUxWTZhsp6hF76Cyf>ruuf}Cgl?J zsC_-fdf6pKbNGPYMb?Ficw_92bPNf@+bO%T{YpQ{vRmGY)Kc(jgJa|9{SL0=@q1>6 z<-n<*m0lhL@!+mGisQ|H8^cuE-)B{r-lrZwujo{{(LbRof%88|(yjHbaT-3a-mqD1 zOB66y10TNO?|BYpJgxssrjiWm5*VAVn6xC;&v)e7s0PluqUa0XbeA>XffiBhQO#iZ zvX#^7TbrpOOS5F%lhYXMOk@Dcd~y=5{f+P+wUvSIHL>(lOWy;>Rm8wo*#v}Y>z{n; zlYg?>#P)RluKL}sb-aFRTQqAp#2eS}OoMcDfk!=E^L9)4Y=8r9Alzu*&+M7LY#GIx zMF`n5(miN?t5y?iF{rwnE5sZ;v%5{y99EEs$nu%ZJ z{<1c$xE5OQkmQLdun$6$k6;sJ-BI1nhHRoxChJi5S_sFE~#!=sme`sW` zDd#d&vU8eD@L zFY_G(Jv@z`&Fura`z5X86tL4WD0(lko`>VOcc|$r*K`7PB3Mf+`Ord#%cXG8qsI1^ z(xl)EDSZ>yW?mP_?b?y60yV5XA&GYrf9S0EkCn-> z?W4wDAxry{WX~7r97UVakub{`KP*XS|kc^Ck@=pX#2G7=?%$2w-YfhwfYuhuyWY zytVkDB_mtKPoEHeTP9*Tc>zWuxk)|&v_CH_6X?Qi+~Gm^NA~iOX}uNqplJm6YhF3& z$=_lBBbAvzF=bIs|Hy!S?bk9v&MJX}U{(M0AHxRbGk>h!MRTU8EMzTke)_Jc0>0q< z{9Vz{t?jN@x~-PYTn_zRR-iiJ`QO=5W+y;appGSQ1C;w8b+?zI$K#z4hmz zmaZa6)uL1g&&2Q0^G_Ws`1A@h#b&6XBBQSY>lA1jy>uX_=TdkqbMS_)=D0zzblp7W zWBtyTz%~k_v;V`|dqy?6ZtLF`5D}#a2vVhsG!Y1$NHYRLR78YOq_+S9(wibk=)E`T zAiaeS(wp=eklrD*Py+$phjsS(kF&=(XRopMct5TWj`&@GEvjOCjv*|+-Pv<^|1rW+%I9JlR-2$!DU zmTicDQ34dApLdry{k6rxBSlm8Eq~7OrR5=mHu+4)YVM?f`ma7ydS^rCol(OSyi)a{ zp-Vz*+67`n%B%T7L-*2Me$Nf1L_>i3)&uS zqoeo66$s{|gfQq`ZXMh8Wln};whqeuKLr(5m6~>ft*iDW-j$jhAAWsI-9hNDs>N*T z{3_2AnqM=x4Zmuzw?w+%N)@>RQo+N1;*^k33}U`kh}||mSiNu^#lGsxsKQx$Hgnc3 z@+`qMc%k<7vv&p0@!D2GTY~c)>fRaU?l7&~m#cgGhNSUt+RYrIf0V`yIwIS|HyG$r zk0|kh{jbb>h*Cod(5crqyvv*@suP9K-L>KGZUl~;uolZS?sfc`h!ZI3&S!~&;B+5G zHeO20s(0{Dw~7=KlA0>LJTqzf9$4Oy;A@|=d($$N#?wbd_q1Z(qv@tj6wY2eGIW!6??!akq%Uj9lvN_$rigLfxF+6i$N_FQlGUbnny}@kR_(n_l{BsRq+wIJvq}_LR`~C<>LbLMB zP>(;Q&{kAkdEZE$lk2GeP@e@QL(Y-TqeXkn&}fg2y|W(0<`e~Atp4hWYZ;$6!twA2 z>^^Ec6_T9)>^!2s=24Kco88-}5^&i9prUspr}b9LRr^*`#vAftKb_W-?&&z~WgfH` z+lxDvL{q{l6~tpqXY32kt12V=Lq@otyyFL>W8%|+(SpWmV$6!?xa6@~95{mw{I)os zUFKOvfkCi%Nj{{Xekf#A?M7tINl}DjxkUsc=LfbsazEd56}=xbt`O?}$wK%*5xD!e z&<$-QqoLy%Bj9{18VHfWrEs4VX=e2|E%&wa4g!+YqpsmUF5jQpB};#z5zu-7VOfyw z?(DV~{u8`Rg@Mt^DCt;8Dm%-<*-!ff2q6$1GPusYX9(|)A@3kp50mh$ zEi68d(I;Nt_)_cB{1?IKzqIO&pB9D6)sEBk>JEz4$lJ9OqpZOE&SvXZmA0>nQ5{!V zvx%?)R!(AD;H5n3>|P_F2}{%~G0l#Ye_Qiqd~mdlF(_2EnxP+cH{LBQ+;;Dkpb1AD zF9$v}({X$MHOL{&8`rw+6uLV>Sqw5m^l$1DT37TIg_g+7lKofL8R|T4*y89tiEzqv z(@9z1d7g}4>=o%-Y`}Ef3rtKSHvpJz?NFr0>3a47T$Gc?q*(=qv6drgQJ)_#Dr(yiqN8rWTT5 z?{u6bB;h5O;5a4Sodf5ZLL|(|_U7IKt)+MNjd4XE{u52+soV!pB8C_z?U9MM>AnOn zV2jLysoD2*@A5vBfi14B?8@+5Jak{rDTzuFw)2u))M)(kQB|n?<*4S}eZ4e__EMs5 zUO9ucYaz^x`hy*}ehA%qUS2jQiFrWhN=c}yDNWmixtJ{*W%@JU(1Gm)ARyCyL}CowlnjChCs%Xd zBpKcN_9YhnRIjvG&RlnSyb;GoOOE8IZJ^=gI>QCbBB)qigeadHsECPI=8f*?DJx47 zAk;|{Po#rwfguZ(VCF0l*^V!xF`NGNR=V@Kz8jCO(VG^T@JPf-5X*F^JDCpc`F*mlVvJ27f1a_853au&9oz$J%4w)>(h6!lN zyVq5ZKOH#_)A{H6r2qikv-f{}PGVx=#}fUSON&sct}V^DzrLkArNXsmU!|o|F>QdG zss85Asl(S6vGim+Q`U_IM;>!k_P3pu`ZyN+sygeV*jkj6aVnDFhfu%@)%s3GXoM=GH0 z{tQLqNDb2}n;XU^aoV2Gp66uG`Od=%cFyJf(2kK?F< zeoAkR@PcF_LC?NH@yG8ZM~SG9JOOr*x1hZ8@M8i%5`62Xd5BH?9U}TVekZ+ywuiEO zGt^=tMl>A^^gbY$AU)rw-#d|Y$FzFT#i5vYTp9{}lq#>h1^met-gxwm%)F{WdmE+m zqsiKa>L_+%{Q27{6Zj9V#q{#gjs{*&({~oASZ1lk*_;M4Esgm6f+E+VbdOFt+Y@qm zbg^CEZQ2pvR2F|`s(Qf5+L_2f`-~df$p*wV_xP;q&Wa*4&bxVNq)?24EnG#)<&b3R z=!EkFs8j``Cyw(FR-wg|t?QD@wpD!dSjGMFOK|{i?bwW)Ybj6ZuFP1fJM78_w*{QJ z(r4g{v(TF^8kM{j%WjwGdthXr*k`RNH%J0r8;}4n0I2FVlpk;%FZWrF0%_td_Bucw zxIE;7KTp1Ut%K;9fQoqA16?|+0*#`Xv#BbZ{waeH3Ddla<^2s|(M@y%=p?un-Q7c= z*>8!wu>6s>3?7+UH%T^t&^aKIKH>P)+ROZ1w`*rr4y&1H^JjabHEk7WFE{dz=6x?q zS9;@7l8*O~Mls6*McdExn&qa<#wE#hh`5Wt*l&*vuEd!nM*{XO$9}d?&l0f2Jk=M7 zuypv!?;Xp{0%URHMO6Q@S%16UV5B3T)IOI|swk$Y%U3mPg4QFY5{_zqZ>@VSG>@II z57Akl1b&+4vHCOi_4tO9p`If@uxYj3y|(c6s9#!mDKh=V-HHcX z+$o#mnez~WDL@1}^gN@T4eQRFaPBIK zoeY^Nv+I+bE!w0D-r5+ea~80(eSK$dJv(J`NQuvKG5KK}k?2K~x@FAtQ7PaOgpZS) zLR6r@(t?L$W?Mi-$+&kA5!LR$wVO!iu{5}@$yd#K`6%OO;#&XZ7|b$`)^ynFo}EmR z`^ij3VsJaqF~@B)ZRlKZCyyVa1*Hzw=N%@6x6p%u)!p7#jlDJ3vF*e~XQ{s@rm6oYm;fJa?I-F2(Js9w^{)`h^9M7*TuMUV%3 z!8t&8E0u!KCxfTcPI-V7zU5TDc?kIQb%lrZi9p@fk@%EV?KYfB=aWt;r-RPL^lw~_ z@_rJ*aIM+2{aERhCv>_cfUluSIS#`I>q;rolV$AhP32GK3cpvgeXI7*!LBB|rgoQgid$?ZPfY=*$6}(Wc6%~cats{OcyVeWzR}r&t}-~ya2h@5 z1U3c$Lrx?Rq{tw(C>ZT}uWdx>I=-Vj!{a8UZQu5MDyzdfWk+S?*=*Yw?xg?o>|)OG z(ft5EJ;8~s5XuRklB zu`nIPJ)U@}oAWatsR_H1@9b_~gz&>n+gv*d|6I(z7qH~K+$n0K;=1eu?}i7!qoQD| z==8sv;D3Ftd|MD7+AjJW_ZU3d!_7y^f>Td?ceznPBRB@fdjV`AW1ZST3;1s$!~yMl9j zuUYo8OpPZZWNE_~#g?HrGjU8GwApB71F~KSwlBp!b#Gt0`QyQIZ{iQgH4Q1vd^Bau zhtdv+yE(knp`6lp0_XBl0`+>4poDmk&Wy_!y&ORwp@Ky5FN7y}kwUPU!+*LxM{zu0 z8%k9m_(H1P=UG)hwfQ0}%c)7QyLp4ZYt1C3lGdu;0!apVRfcu~6Y0U`my6%05(9+> zJ#Vi*I~xnSNY~hrbSwdu`-z)S1=->i)@?AV6xYl=&@t4j-8;2NdiUmHQR@NYZP%^$ zJCSN?Qy#_#PcPpTIn(UZ|3sro7Vno>M5(6Nc}uUL>dKQ>U5q{K2MUlRRh} zySg=dnH=AlKsukyDBg}yFaes38n=pdClbK(`L=d13pOlC#A#YFIypfZqodzo5hY}S z%nzcuc*pC#^W50uZjNPjn{ku}qT||qHNZvop6PNaF~IbsP{v_56*9JAqj$Lvuhe$v zLp^Uj+wr_K*=gK2R>^J$j7-YMkBiP>RyBQ~KOfHpt3n;|q(YnfBsTxZamVp5awW7h?v-0jPo~V%qkr5y>LG!BW_(5fxIf273B6kw zBpqM%D<37jLDxN!kkS9jdbk`TaNn%JZdGNhQCD~B(_(K>KlRI24YRdX#p+}y4Cg+5 z#ZX-a%+`+$9;5A0z8E4o$-io0Tpfu)U8_FGP*qXFQ%rmQetWDUK-=w&C(Mq=^8pN* zFDKJ_>kq-KM@+(yH9M8Qst?k3z>;fqE7vVzao91G3Q2R@vyuQlo$ajncvI zwC@z>YoAZ{R^BblP$ekE3`3=US|yp!k`0_D&(4-!7GJ|SoDnBUTE!{5Z5e%g$;Y`I z-x*UAYBCtorkv5WfpBUFh@W=aFHl1Spy)EoX>E1dw2t4dB=59MTO=5Rvdrsi+>6sAfT^mOmgVrXef z;GN%&m%n3G`W*M;m%@B^iZCRP%uDaN|4rSDt0ptOll%&wY-cuD0vz1Jm-Z-BVNP6O zAOIFsksegw^fGkzT#K&C@K^x>L(BT7!e?4Gmty>2O+HkHx*FPwUbXt%Et60YkGx@{X!y^p8Jwg zrO_Xus>4(_U#l#4M5jp!HIVMbpOJ7o8hbvq*Z!t(W!r@FHxB*wlzMx^@?|mD4J&k zU>Vs$1IMSG5k3uPk7~@-8&9<@oy!@M=uWm>cf^rkTCi3B=2F;cwEj3T*>|j=<9pT@ zsj=t%J5jp0hXzzdlWu^PSyJ_B3nv1FH7m&Mi^mZ#alD+QuSVs%u;0Dw8Ya?p#xOc8a*aO8~ zoX&mYG>ge!>CKxpQbcBs2$=L8tRAa!%v3zy*r#!GZn&CdCFFJX|CE{4c00m25B+vb z=?(v*sIkg8njLFW!aqI{x^JGpN!)b`gqFaGcvU-rETi(N4WT=b%9>tmOBYR5r zye^9-|AeF*cBs_B#0pgB`Qzj-t?FXdS;$iqf16?84a6F$`DX;LHzrk80>yvJEI6P| zV!%SuKO_i~r(BSTLZWvI`rhvu`QF27e8X@t@K4a(WS-Ful7C_9PZe0i&q{it%JPes z7ftgPk!U+aD0ES!iSV5G=YYrv{q@_%bk}=$?Lz%37R{zvgthP-Lg|HEJ~Q8|G#zB# zLZ7)l`Xc_yL!yjf#GfyCAy zesjd5T5r^8^{Wb4$4@&E_PKjTzyG+#%S}SD3S7r|U zo3ZHs_M2T2+!h3pk#xEV@FJWTov~jVi15U!GY@%-hG3LJSq>ucNk3>%Q$ zO6^4=!768|uQcE%z~-S2YFzQI$3^Md83o2JxEP)9>8VU~&nAdAK@vG}6tv&qZjvvn+3!W3`aU{j+N^?e#DlTEIU!~mpKvfjlOFUjEV-fGD5W=|LR|&Dd;Qhb zkEbnhfG}?xrlU^pl_jTG0tcb=Eh$ zehkuR$|UXn5)}NP$y^xd(sX9t750C09}= zv}Y7Cnis@p34h!jqT*t`(r&tG+-cpz0Rt{ez<_`>fJlViA^hh%=->FSjfa0FInI9% zmY3CWy`^3f+sn*pQ^ObsJF(x;^a$dSdU9fD|0#@=Y|YSD$C+A|54NryRTicqwEyKY z!)anD`lBy`DAT#;1=f%0LLHP`rB(_A&Vc{zonFQ2GI#iHPk)H=pv;fc(0F#@>p}SD zgA;_G$d;)MVuVrref&k-q)m`Lqi>SJ4;@CYcho%Y-sz=CX~2-nQYqH{=6^xl*4u7l zZ$;k?uH1}Fu|e;dG~BjXQxarsk78t;9BGv)#g?=|nO)(UZG+`rY#aaj^#6-9@WX@D z6wa(;45CfA7=~IWuMycNt!$0x$XT^&TzOk%cnTWP5sUC&in&*@yK8(O zH;^~igL}tSn5Rh2{*ICP2L+Uz0~7(tiL2th146X#MG@1sb+-3~q&jI#!Rgu{kXPED z+Vr$!?xGEq(D{!cpzo7`O#WZ_M3-b=oldB-`1e!Gq=2M;3wdgZ$_*v-TWX%lI{A(V zF#|JSvq*XQ@c;N{c|`IxYp&}g*va)oFv|toL?ppXhH9-$Bk_IdV$Gf!@=NJHl#t#M z`<9Enj+JZ;0f8m5S+j@nCBXyX9&pljwzXJ-8u+ValUMu${8R->pu+BgZ^)DP6M7*@ z3$HB_|DZ&}0Iynnf^E$cVMtIamqKI}>*^g2_Iy9n1^+z!rDJ?{7wr$Ir?)=bxKaN+ zL;01r1M;zO#Y%>VKO1=Y7o%;W6}y{#Ne)|U6R|6y<#N{srL4omYu56pn_z_f62!Nt z)4dyb;ki=s;Me)MaHpF^jwiA&8=EpYb)Md9$a(oM&cxqbuS-k=6A}+suc5T;dMjd} zi?cctWY9z=vW-|KI_5h!LJ-q)#p%DmUaoSfd|>pT5mw=VvLiv1u`QeZJKB_GW0)Px z|4?-*Axb}0onaXem`h08`Zl6cY$jW~f`?yp&;UHccp{sqnD~Y}9+9|)yl|bpH7Xvw z!aUOjZba7r1n;){0durMzZWUiEOiabHD-8+v{3Ovc9&e=M_W8dArM+^>;K`l zkW0`aL3L2#QaA9or@jsHmu1v#7u3a(^>XF)_kF`Lqm3*}#&=4)3jaZI@{cd??$yvDS0vsc9=dqupZiNS?H5(rKiGyB)M7zzOtwZH z?ETwB+*mv97dU`1L7Umz6r1J#l}B0aIYJz$mk{2`R{0#J(WX>pa2h}MwbID@yO?K= z=5j*L%SF{@D!>vkE&rxJ8_MN~8a&qT*G887Ahdc+6xTjtN>f7^QeQv|oVclzcY0cAn}>H)T5E60|Bv$IZ}Kt!=iA)L417az{^@4NyP~i5n+MAmUNngV zH5=uUkWEypiM|%lDcm+VdEL{Ipx_(iq_DO|PM%D0bdb4k%nO$C&$Pk(?4(KoY_7E^ zJuWFgYgfT8L) zvICXxT3p@14amg?IYAhMD^EPAnOaQ$?Jn7KU>=dm>d$gRt3lE|$c%o76TEnPF`mzv z^fZu*54#IAq&Vio>L;jfmFlJRs)-0s4?do62*4fle}5W(ci9{wo*R(wCEhf&>l0nw zZtynKF?I$P6YA4xv7E^KoF`Yvh^ZHOaquu5%0qnL@T9fN;;VT zfPzp=UlE#sUFe9lB3;gW;VW5z29`B-hxG!`%(Qk7DLy)7*X;ivpP<3=dN&%?y63Im zSnxU&mP97kT7}b~3E|5!T_p5%ELa2IUrOE9T*Qg2C~^YWasjU|N%n^YnL%}r&%3z@ zh}QCfv47sl0a<&As#NU$Fd!8QBspEbXV20llw{xO!Grh~>)Q2)U(KgI8)6|0BukIB7F-p<@{7&J% z^0?&!B`aS_3kA?^hq~RTb(f=Kv&n9iOanINYH`@)7H9K_2erUXQAAp7dr@+&c4`>1 zN(FawKu)pojzwXOtKS83HXe+enD=#u&|Avko=mO@3NMtX6!2{ZFi3NFnkzOSE`18n z`<8dM$$vc zAm9Pwr3hlWs$2qvNTb#d166U4*(ffO$_+q00D5(-}jyy+bL$>c!Qj%{to{jlYeh4pq4Pg z7C2KxR1YZC#njot>Q~aWy7_e5_gDRir9ANtMMED}HV^)?}%vG1>P zU}8G5#*gf3r`0Gk?&<5pK_$2GbZJ3u8CcZ*nEP;$Wns0`@_%wodotkBBp?V%FT~Fo zbd(QoT#@7C!g5H)5jXxK#}!9~ymVY^Z3`z3zVC2AspN4G27h%}62>6&^#q1#BBoui zcxAbgM`vzvv0;!9Bu`5(UtJ#upVQ{|bTeA*)q+{P@U;f{x(TM>>P{%w@N)7V-wM$4 zLdjb+YnmdVw0ceY&Zc`bs_+AIfm_#39v2GRi3JI;)3%cx3Vl~8LG=4HeWyOiEgALM zHKvInaqlG(=d~ImD5VE3CVi!mF|A#eM*YX&qiz5>a!TZ)(dXyn=yDYd;fsBt@qrcV z8FDRuF9X>xHjAOMpqCS!;$ zmYh=f_!kk>(?Fup0a%)diu641G44Gb1o&-trangmd0v5q&PlG^aEXax**t*iG3J_5 zzxCzZ^>TZap8W2=^~x^%rA(6Vl|qJ_WA1m|EhNQHCc`mR)W^wnl%;hL(E2+mX-Hb` zMdp;1v`#n2fbfIKK@_YBDIn%PN^E4xM0h?!(t<&{XqviIP(%c7BB#^0VG?7f=Kr-3 zGu+q5NZUTp#Yi8Xq*R@SXk`7FSN!3DEVrVA%!b9QInzDh*%1QV^>|60aBeMwr2+Zx z)8V~4)2!W`18=%XT*)ReTb=1n69JO4Qt-Hl1yed#+~eC02rIl^?W5M$9zl9g@c@pa zd`9Vh5wSaRbt?^aquMrt1uT2wQ6}y6A9osr+oCni2{)_Nj!}J>o`<@qMQBhl@UK>6 zS>MKf;RAG)qx9wVqxneAqs=0TtmS7X z(X<7y%EOWK>G9*4<1a~W8xPHrsdPVo-KrZVK73~4FbOk@a!}LXDm&J3*hVd5f8GUo z>8H4pT;Vm!&bF&t#2hutegtNoP*9veKMFcy#F3+*sk6qVr&n`)t1GzMY$vfA!{kh(e?e`IU%0!@!|mw<6yaJ z{hFz!$P0vd=j{bfzu8u5{Dz^+x?g-UracTZWS|9x`GlZv$qjg5%Dqg%=pBd_ykwXf z=?_WjkI=V@C#g7jJM+pWQhbU->NMZIAw}Pu_hd2MUe)5&DO>`r^x($0uW4!P5bJ2) z4iUwHxkZ>Jb;GFNuc5Y7D9|x~4&*|fF3D!7C(wBM^Gb-J4f8-HRbRS`gysT10&1e& zh5=s~k9(VZHZ99$j|j6khAiM&QOt_U)0&?DH|nK%)U~SXW+wc{C8l0zeVW4EXE|P@ zu?$+sPcBzNmfkTrO(LNWzBo}W6+i0ymOo6hWpUv5b%E6Bxc)dP=h+`5z!SU0gmXLF zszk16Zay?D6A~}fyRsZS(E22uaM;2o6M@KrTj{2jPUT9epYMLYBe#cd+PotK6>l z8Ws}uHAY)cU3VWUj%{7MA6DEj*0kCL&?Zop-*$39hG$24fG=n!*=BTPn^<5ej9lOZdvrr#&fWy>xLnEz8c)5imhU5PCgCWd1}L1ytk)E4QJ$$D>VqaL zc}787xYAMiLjsZY^5>^Fv>y@TwY9t#gO|us1R&uVCa)Gp0N6k1fHFd}x~!zcAaLTg z4MJLX4|qKujp_xwqvA?{?l(mvF$U>4|E3Rg%A1dHGu|-^1M>#x8D9n^!*uLwLcd3> zP>(swg8OMoKl&85UFtY<_NA=Ba>jY3L<4+bD&2ZkuRT4v+7kSZfWfWG{zHAeByO(0 zf>wCJG{qpe62j=(yj^$xV6${v>|S{F2wjN8X%)RYnozpcA~X+kc28`rh8Ep?{pMC= zL~x}nvDEId_#o={EAQr0_He1aB~^#kHyv5pJCDXJhYh%30D07MVmEB8=u#eJw{q<8 z%cFiPaJVNV#5g{abWiHyg#2t{vuOCqRmysjekWf*rJ`b7hie^hzAQfx-^u)XLjHGk z&i^PMaSB%oA49R2wVYfXV;vErLI!A(LQad-{PV7#2(Y9r44q3hx?FFoi+fzk_Fdnv z%)8#U+3&5mc%jIW@1Ks?6tOpOtFO?hu4YH*ymt{NLD3mJl zY^5+!1q(UtNY*ZuhKy^JDy?ty-j-L89tvro)T*+ch<{JH)*21^m}L3#?y-b2Lq>jEs;7U(_D>qkKFQKQT# z8hP`0x+R$gG^s;(sY$wLUi|@hB7CG5G+ox&3OdGMqo#y}&vY+NV;U!PFT2ypNbtHx7fRd;2m<0Y^6`N1&sC}6f| z|Kvn#G?404>-<4U`52f$+nP$-EjMXhuJkY5N(wIpfosZ*q^m z%FAcl&OslSviTEs8Te2Dot`_46V(-?kAkr&2>Ej)(`|TH8^CvTTs3Fy`tsY;1V`Bu zER9sNa6KyGhpggjU(TQ4&*x0CoYAe;T3+0@L!6x9!YZQKmUzkLdP6ldU=CToUOo z9}WhG`+{41PlM!M_o>>d1m2z-0`2GS;r=HEfoSxN5#fa)j!7aV_FjoK(ySR}q_lK_`0-k2MjkLag zwM?}R6?ttS5EAo1<@Igmc$W=5+4{M5JmqLDz8N_D zbL|a!`s^C5__io5=zyQr2^9r$If(u9rpfZXc3WYc{zqn$E{)o`TwPVkf0RK_?#ceC zJw#4zos&p?8cJlt=yn9tqj3$Z9{^s^6V!vL>QBGeK)}UkVL#alf`o6C)wj#w< z2VA>6Hsu~uebcS7n%tJ(^f|S*N&P)E5g2r~2Vs2W-KcnLhI6U9`Hip#cX~WkKa6bMCSD+(%l;6^$!@o@EaY zNU3J#jNY(cLL51C%G8wXwh?!Pp0K%NBC$!Q=ROkVyNqzJZh9pvSEqe0Rkzmc5f?U; zkY63aXd{^tLEOMQbinjajyZaL{ zt2;l3ZlWGOW<|WRSrKTy^wM7v-^OCF728 z&Xt}dO*L|@$wVa17-+Fdt5>)iy?sdc8ZK5~uvT|g=~nXlqvN`s=Rx-9IxDMB`@NtF z>2aN;&AjV+%l`!}OLyHlKeoi3s26~kb^c-PhGnbJTMlJ7!dvc*RrX6={?>6`uAp$J zKw6>)nMjr#CgM-p6Rs@M8T_|_%lr@-Q5UaK>kviwg@ewq9Oxl?3_DV$tQv>=j;8k~ z>MgFgbPElOS5ZCV2#!VzC7z0mX}j@{Fg@(D-BBBefd+%PM+y zGoo87n@*=~Yx5{;9UMld^s=XiBu{>?%~L*(QRk~W3EwJFx3-veVRJq0f^Y>5avoIw zT=?LnUsQiwv6}2Tc$(xGyj9&{HTvS?)?bjbw;lfkIWzQZGm4o2FlQM@-$?G20Id=m z*+KBOo!pSUPIjLAx;PVq$6C`BYnEL*#)=jtd~p#gqUUDS@#~yKY~)1{jltG?3kzDy za_O22sMO(SW;dBu@$FauBUc0F3-N4on68hhz?it^7-&xOejCM(W+lvxe{ya7&Q3>4|Kx~4@-HMSGG!ru)r9hfb$Fht-6BN)>XPgK_)qj3I7qvf+EjY=JDLZyL2=OS(MeFDn&SG)*6TerRfQ zFlxNe&Gl(5FNnvBS2qP8N_7pU&((OXNnO;8=;N|F94DxvEM1(w_FV>=5=((m8tHf; z`cPG3eUF1tNNnsCU6884_t&b$g8*T}yShRP4G90Z;7n3xor{BSh?tOpVHfC|wX0WI@o@MuL& zIndVPh63!Q?9BkbP&y3 zz;&Yw0{@C#h2~x!7I{tqRZE;ht*bq5-w&QGdU#+VgbJZ(fX~Sz0Tf3B&7bl0QjbXm z^aZe~0sv=3R{OoH1a`4cMugn!+Ij|ZKkYyog;+-PN5znoCr?FoG?!2?vT0=p?7TW& zj`1kRyfv#tMnEN`9PxO?_ex+4Z@VY$^VdUtx64MSE??X>TCHzVxhAokvFP4WcT*@z z(VnwkE%RE%XB}5}uN@VU-Vg2C{)6+S_9=&j>-JM`htf;&f>6 zxpw{HRUX&H~;BvA%3#|hCaZ!htrx85A>^6Zn zUt@b)M0{*`7(720lYF+>OAS(yIw;9}93yOZjgv&kqZ_cWyy3-gB@5e8sXGfo0gd)I z3=62i&}7o-g8ya#1id!!l@!e!$7w~aKrY}ClP^Kw%}~>sR@g5hxjJ#7i2?g7$EJ(& zJ$f+0>E5^9<5^E@gXD)6N+&9|fWA=ugSCxxuWvtHx(uQl{=Bt(lR(>GT6j7`u}{X& zslRbIZ3|^FEB9+*;&=Wh?q$t}2=y|fmd9Dxe{BKS-rAyEA6MfOoy!>n_Ium zk1K|u;?+Y#K#$`1ZBFfR7iroeKbFY7>E3Ye%pj3%W^Efdtv*QR{$*ca(%S6icN_oqL%{CKh` z#OZ}lCx4bo@^2_&ihr38aYySMn_Ke&$s5aO{&6irUUD2?Rq;Gu3N7x23^Z{7IlFkT z*8=Q}WaHGb1FB0Q!A`fu&}?gE*fOc^>z96sts}SrV7>&nRdPS9MKOZ+8V42wIyuCH z!7j^h8O(z?3-gBlL=x4n^nXxD!;f0hnr~gY4kcH8#r~L{JoC|7#cQ4~Qa04-2)Fj2 z*1baP;z=0!RCWE@t<)lkncvGCAiF^~yr;;M0S*o!8CuxF&{$#)*>ZLPZs|F-Dno&v zrVCsU3asd^P;o264staLtHNmxY4#)?Fwpm_Nechi$bhI9Vtn8>6+|1^0~iPSbOne({qq*lp$9!|4V3Th}3D z5`v?73M7eC?65cf>NH8HPB-j~@#{bVN@pa!BBUqyI9*oP&Do7P)*ZZmHsWzSeGLCc zuf^ zYY)MA{PMH@Z{J-73(4jR|=Y2D7Wk9znn%Y?)}7b7jz zD*%#nJt#)A12}wK68zNvMsXncYg zTwEy>Xj*ZdJ*PPj)jbx>b(-aDO60wjoQql;Uu8&ni#+*~1&YXe`61HQoT;=8`X#j` zM4q|4B!=(#Ak|BMX&&+RQmolxHuV8nuY!kv8}(6X`dBPxb0L)@cqKh{Z5gnyK@9*a zg@eCrP$eK8Lzc$WF4pAguIRElZtKgMdYxcmr`FCl z4py@spiu?0PP&U1Nscqv#A_ffdLtOnIs)xnInwfp?lFLuGMm~e4k)Ocsd4DA6kc6n z3fJP7vVA~ijSDcaENOcX@z?!E$lU15Sk)o+`NQ<*9UYf0A7sl>;}+frHa(WdSt<#} zuISOJ3Dh=F{(q<)oqV4V#o}^CXXkZ~R;t;Qg$^a&FR{-mqa#JO^L93D`)6K}P;hX= zkIQRk%j3FeeGV;KIi8NuV9#aBT5NQaU!8A}xAwJusbjar^W9;n+c8&6Z;iEnc9Ly) zg=vY`J2mrQx^dJ ze?vNXO!rp>dNn_vf5$hg_M4)CG%*YQ70k+cDP576f;Wp$?$6ni-EEQDEaE>{aQ4Gn z1>7QRDA9qwmHx>vb(`X0iQ@kD(2L6nagwLG0U1FtCSwB0)NlNrcs)wXiQSL0yCDg- z6SM1!rQ~1z;!Cz4SLSsiE!OT96i?Ewy-xQ$-o0Z6r4bva?J$_0PjPj@w>n-!(rPSbK3V(PE9r$Zh1w%Sc}uTJz}NX0eX+ph>#Uu z#-qStnDyQ}Z8+1ILRuyU3P&ZO@d~(Z;qsd3_js$< z++ZeKLWHWJt~<4}M>DI}V9uG8TR%Oubp`?u>V6@K07(73Z}V+bK9_c_*B_^S9)}aM zj)}rrw4pDfODNBjg%L-QyLEpcos~eZNcwNhe5s4p2+KLO@kxGbA^as$ZZb0(q8F# z@M@jB3wQ4PP{?S5|_mjx~A@%+3 z{h3Z`N|^kLhs?ShiX-6r6!{1V_}}k&KIQ|A-4=L`giXZEWI|#ngKs?GLZy%(Ip8Ek z6EjY>zEw`ZwKhjL$YJeVd(}z=b=~CL-g1w2`;Y(*7N6Lq*HS=;0vKi><5{HqRl6Cq z1MZL;U8k6Q^}+JW1FD1nrMP#?h=m?GA^ltyLaU$fxx8c^@qUtGviL5BMzSWZ?zv7n zPROD^eBD&_W8)|GCAtcqqePt*fFUeDQeZx{@6?M_8-bUVeTl(ZSX59QTr}%UI+<-| z*2g$hWExnexBvo=iykaVMMuo_t8;U-w33rXDf08Ni##7poUC8C&4R&sy?0P3G8990 z@)7MTgZh%3L&C5Ul6-j@E;Kq`$@ zap6j}`O^uxTf7ZRrGnYl)rsK)=F^A5Dj*W@v#Q`;BEGuVgZlTH1;I0ZW(tjfZkTZz z2Jy|9BWLscEIQ?9<)u{8F26$2#HN6K|G%D@2u<8G&BEjux;+x6gO zv6U)v+v67%o=4T(HBRFcF&66F5+T0}{y*B@Gak-%-NVk4L?T2NL>nziv`F+}BzhMF zi86vD7=~!0lL*mGbWsx}h%kCD(OdL3I>YE=^j_XO&sw`Yzy0pD_S*Y>Kl;Y)y081X z&hvj9r|$AS8y|p*Z`zVrhJNzut(i;rD~P&**GVlgujLJ<5eU%1+vbC{hiH{<`y^Ca ztUN0mq1%5}Mqo5COg--QXf+f*&>e^f4WW4wZe@P#m)S=fCwL#pTG($UXZm<3o>Us% z_UuXmaa-$`rF5O)Q36ZGhp7S(kI3ChZSENb0MW1R~iiA2FvW1Jtx2#Wo`}Kq|0im7cj`E-Y@lIkX!5# z_v0%0TGg?Fqv6vH*O!SE59lSG-5|y&6P%Nt;M2QA6x#)K{SPQmhX`=y@p8+TlqPyRg{9n1vKywaif(vYe0V0RRzU-3Aqm7MRbRJ*=lWvFCM6ls~}+qqeL__fKl4UlF7!x53Wv-P+pg7ezlUvSUO zV(+y>8NANvQj$Hf1wP_J>uU-y+P1ZA)Ovt4py+bshLSE~eFlISORqP!F~DCgC%Y(0 zi+jcMg3mfE!szdU?UJQ;e>nluEEtT^iC=Bsa@>myoHTaYzH44SO$r|0nrGkG1lyPN zhBgPDn?wL%t(v9kC#x&nBx29;hwmpw_dnQ`W<;#oc;c&Sn7sNg_S>8YlmeOOo#e!K zoKvfo%Pmtqdlkby`V0jN-%YQy7xv1?q>!WeD9tkhQAyy}PAd|M`ONn`a`e3*t8z<*m|JzJ)IO`O6juotx?P)_^HjWxw zN;8OU$|YGujKke!2KTyA^~Kq#9urGx_E3i1M)VEjH(Y;xiuVJ=5B`$9L7vf$?6iXn zJKy5eZa(;!vB=MFNf8Do*8x%sd-8T~l_xtjH5pZN(e~_cwax`DY^i5omNgrnLhMZ+ zTOjSqEVU>!X&o;e6>_>BZ1#be4vT=rpBi`83+6GU@&uQ-!QhVA*738CPFL z-?)D+2fWwOBa3A(TYI>^cSe&*m$ydKl811yY{&K{<>vc9z9ocdU!h=<4JRE4cnWb2 z;R3h4OnY0DaML4SX&V>`R+bz4$iAC&R;N5f5Nz9lN(yvnWxw%5JIL*WU(m9$I_tw% zD}(^b|0Ft@M85Wd3zV{P;od)>NqyoG1su_K$yxc#wN z;aPXVfXQAJH?GvT#;m3Irq>3yj|{$=elHsT#xVKWGFczi(bcKlBf@&uC;JdQWLJe1 zWw^XHE0P?%(UJ*RDcU0>)(Dec(}+GeH-WmS|DJ~Fxe#6v$TVdlZys%ZI|Oa`bAnY=f4n>E?i(tp`7sWOOsxwkuOdJ*L)Vg?~nVm%RiO|+$>>- zW!WV~M13?=2n^!d-^#})hxt>^a z8MTw*))&bsP!YvBPS`u~XjmRFfN`fDQ#bNy%KenzrNf70JOJ`9T$ztb*!rjBr7ExK zYDtUKEO^afCk>6~?+06P&QPAQ5_xmjXGEt8xhcJkWFh`3?dK#fbzSBsS5zg2XaRa6 z7hDuCT}6U;e4XE0?E{|)&Ycv5OOmmTIc+0gYZ(8QVrQ82238l9C_1_L>kkPVpnZK{ z)MI}Or4spx_3LqDo(qDOqb>7{rO11+23N#uRyCGMpQic=<&2AM>4hgPRACY~s!wMQ zj{404hT}~f-{+St(FfGilPk4*AAK!@jdZ~z_`v(wm%qX%5JKncumj=h)KCnWp{bDC)RFQjO?!^p2EyJMAaV@OWE zD+K3}ev&A*x}vQPGogb$?xy`E?hOkch?_}L(c(9|P4S>Oi?hKFVtb`PT!vQuovsaJ z(eidA(0zXb7VJu!gdIvvGZu4k9#r$(ZP%*b;{g%|^L}LM&v%;Rc4KJ~vQ1@l!hxkN z#NQrm}yDtL%FjASP=KPgk>3zvWk&wmB3VXW2`e*)JM%E$g9nh;LZ6d&P} z>{g+;$)T~zja{j#I!E(BvX_Iv17F2_ReHvoy7ZF{z7%=7d{Er;ci!5aF<-$!zI@07 zyKdL1Rfg$Gg*&idOps5Ul+|iqCjN<}Cqz+H&ZVnu{3_|?w+Ydbk+3bs{n8t~-o*Vc z>?nUfn;%63EAcl>=>TH@W5Tz0!f73lEV+%+vU9SmTVegQp@c4j&0@08x=oF__gjs+ za4msNipL@aXT{q5vP=>pz7uHnkSw8-oh(jB*&ZxZ3s4_q?k^|vIn%czqfnvsm~Jg^ zkm`XU=sYCgx(2H|BfsCR67lOMz<}$3B@qapa%ignQp5BB{UGjIQ>9ncmFjsbHM)3i z1eD5DvRb3EO7fhtN@c-gz%qo7V3U>RF!lVJ7sbLFvQb1)IVrYENo+ikW?aQ4pG$zAO ztKdVZf6!wt@LpFloyWK;{<~ke^Y_m;&$wEfx;do=sAOAP*O<1V+~dk4aTeV#KY-DRC8=yLTv)}#TLmH&=)LzNKE$)PrHX3 zs{ij)_CjTKAt^Sk*QKjZ{NU)3slWK%y+pEwE+iQoX3pyFW4j&Q!JKpegw$UKOaALm z;P1=AivD_HQcyfD=&&C37<>>EFQ0$aRk=lIVk>Q>Sth+r(>rp-SZ_{5h|`Cvy+5S+ zy3#Gvwj7EHjFB~8ACgRhj-6B_fbnfo3^9mkn>wv>F+OFd=KH5KfI!}fX4=24jjVUzV7!a=?G|QlK-@wp?#7{0c zP=lC+TpI5LI@}T}jOH(L(vFb&Zdw?CQe0r&*KWT%Yvu=N0BQ{4ZB$^Jt4yA}d4 z*^?*2ZEnXi|6?XwN--70;O}rta_PMQGWRTu=Z54`x=Ux9UVuwK%`6dkqezz#79I^w zqjDG4%&+3f&LeUfrmOxgADrh{;9}mC7{pmnY53T|^kw>3KrD&HyL&AC#PSm@@>a_V zRkyw_bj7EZ(>e&u?WJJ4A zUIoRU>-f%qWRA%)8S8nc0ROh%=Z(;i>;KX&`+JW?whV=fhw-^28c2k5K z=63MY_S^I1+T?EX8#e-(2rek5*onN4&5#1iTmuG-_B3A9X^C{j8R0ovKp_+mSlEvS z2SD9pK%UMmvee))z?f1R9F6=hNH*qgNVWmrb-N$`0Lf-na=&BhFA0+u64qqKaLb4i z9vs)cX7@a4d0eRL<^1Exc9{m-!cm9*!eDp1MpTE^(aS!@*fa>i6QuNxfnfeQYb`Lz z?-uf3N<06x(<^-IYL7;X#bECr6TNxbP@lc4?c7`w10Uu5nW0ffDl>egcjX)zRx`Os zYdIWpf&!jqjEVbvn(R<1Fh-pLzos_h$4h{ofPWb}?3w;Y3jq z%Pe2tGzHQ8@^@j)%8pBG+X;XrCmvr-L`2F3qU7Nl*P)QOKDmYAogt}LO8MpH#W%2h z-qw$N<+uA)=-6rerC@D2MOlkQG12sm1`8`4GAZ!^XI2vowRSYtKrO6j328*O8*6xf=33DBrYYDWzwA0`;l()D_DR%|7(~=QhNKSO+ zf%|yB67p$Aw!Rcim?rH^k~O2WyfCcC6cO@-QGiA^DgCUPywzWPHTbLeit~JD)^h;O zl+7phC-FmJzOaLAw4o!#Ur}^}6mk&5yu85^%PkKxE{sWFx>@vX@CY#w3Aq=ig_d?&`SyT7xK!%F7#wJE7o#2 z?*#+14n0o>-Ag`!K&^w~?s|)%T99@xF|ciG;Nb7>|5=b0#NPqSPU8^{s4AYMxpQkW z8z9j4Zmf^Qd55C`(rqOo*q_OP$)oCKgh zGV5U=)pT*TpLc+ROu{H@%Fd&R2L;DbH^25(?nIIK+VXS>>ZIjG$4=V@?^3N5eH=|V~av@r1BJAF#ICn2PDfaYlsHxyS+TMznLHE&u*UR$Ii z_2eXxC3;9)(x1LRi?(v7Iq+(*2Cz^FBBe#r#jge(b!CO}g0LO?EuWC)k*3!r+WK`l zR)Tn>;Y*<)i|Qva@$^gw!^OI{kGYjnO?|o)!q3B?;)w?ys3e8NQ-UGB&=8LQ%N`57 zIzVr}V%IwC06-uk$QijJ7pyXbW}J=CE8{eXb;^&Xc^pr`lE@vZxI%oJKUpE<6=(knd$ED( zJFG+1(+7|4T$A}j5PVGR1;cW2E({K2hojCq-%A4<=*w(|-!R4PHfy;hx#4WZt>1Ii z8^!PS;iqMN!nOO>UPHJr)9?QCvG!l67XM|%bWm8?rK;m1+`PR=GwL3<$c3ob?ol|z zw4_iT20?1s98y}cno`R*gh}mJxdh+Fwir-S^yzgfO>yq$#)6F6D9o33d;WVI`%nS- zC0a%#>v_v%lRl7>eSLVVpStO40-uP`iytS3{sKf6gx)5%0Wg^}qHRlwOD7pqeINTt z`X?ooDKPn{H7ZsAJY&c&2d7(qs{bp44g*j zV@%iYn{FppAF&lkUyUeKLs+wy4?e)X0qirvQq{I z8G3PxD@#adB=Z<>)yJL{J!uJuk~wIh0TF@SR9ad;LX0`Fv<)g3=&nFI5j5@KN%nzqAxqb=lpcw4SQX0yIiW*p$w zS?_5gFgITB0cdRZ+s=EDQ%c7oAnbtTo42RsfSq^U#RuZ-m^$SPyit#;{!cWv&YzoZ zT+rC$@=pD4{}d2Kf1&BteXLhn^!{-S)pBjp-rI0G11Z}%-hucuG2OK1D|$h}q}sM^ zF{bbnG^N&Y%ja}dVu8KuW9XDcC6Xv*2zNGr8&T7cZeBo300AY4YWaN zZ-I|rW&k~f-42_!9f!6R_AWBg5F`}Rg{tD^5_zpCNPHwmr!*u<&icRKVRTu4mnD{@ zN1o}z*GK38w*mQ)9Ch#s(C6Crmdres>Qs08Y?_>K(Udz;WQ z8%2gdlbc$=9+_gF8tobYMG6|YGd1?$P4Roz*0XJ3Is!2~|1ML#JL$0%q}6>pSDCQ? zx%O?E=IgtEV%9U+;e{^+h|*ha)Qbl4dg!jqWmL}atqAuf*wQHtkI_lCvO#EXFqrpe zx9QV1C0QFo_Cy3XDl4nVUV--r5iM~!`BigDKCMrEHex|c3wxH^#b2nl3l6Ja{P}e* zE>x!cU%y7L2urVPwFSE!50q|Y$v^zSEC1dSNaF!*_<`*oE8C49*=BSKviVafU6|FT z_`R%k=futAfLEfF!l9re`>Z8y(Zd<=9WDhykA*cg0alO=bOP({)8n~u(WM1WlMxO3 z8Z9Hqk=A`(gTPm1__E0kF36>e-`9U;6Gv8XMzQ6$$9$nT`X z7;b?C5j2txgny~(PNnNY32j&}yP5Z$Q0#?eWIS%M!6^-q0_GQ{;7^ZVQWAP?H9ltm z+80LNWqR=U1WRfDF1K&~B{}=-!(*@I?>EY}{s+3V1WF1kRyJm(p@{AD4C{G1*6;JT zgR?n&s4S?DRM|EGzs_qiJRySva;s?94c&$y2>KQ3_; zIy7xMA=&wl)v}YV^v-D*n1#pWd3i4MyNTwx*m%mhp6GkB%EbUiBuBco z-L)*#&o>+w9$G}b?@X-!J||dz6y<%A<133lq(ig+8;=VV zME=U-3Us~Kya>rIlJea&LL@DQ-{I#&W+^-b+(3L)ue6dJ-bHH?XA1TcL_K~gWt-JZ z1C}qc>Q?k<6V?nz?z{xFNV&0KWH^&Wi(-)6?UN9E&#R2-vz7Re*ySOw!mRu=GUJiQ4tjGg(TqSh1{k+lq-S6_ zvy|kzdE?yti`4a>u336x>Wh`5#C$L1K%SLS?L_%#2Yig~DKLIJ16MKYrq0zNa_uHM zg!e$lHRQ+Twr>r(->ez8#DFTv^5hdy=oRABW4;QoKV>F}be)kslu#*qJ@%Qazj!2B|Gmz3u*p_Ok1fe$><;*OQu;KK+YOy%%p>S25YB zC?zrY5fGYDm(^^?NTSXL8@Ah$$~SK$9n}o~FhF79znjL=h}jWIgjHISMkIVj%d6M> zVBAvF_K5JbRi=h>%ynJ0L5|61Q7D*t;t-wD)wEgeJ8PyD?p6I{(s#2ikRM&`@?k;f zpWQ5akdK|Hwx55!6yRi=Ih+YVa_BI?iP&VXibx*GGir1rVSr=lnbwNNRx6Ut$ef!- z$cnw|7MCi{%h;iVtO_aA6Np~(d{maZ9SJRWhqQ5oJyP_+4$>iZGV;Av63FViG7@&Q z`Hfn&aRnp6lzPkOHM9=T5~$()%HA6Khz8Fwf*Ue_1o6Xv%J#+S7>ln-{fQhOyOD0S z*lxEXlL>ux6ttjA=|DLMX=|dlH6W=vZe2j15x013U4qzoyg^0!$ivg@vS?irxIGvG zvQ0kXq}wWx-JeI#DbN8CSuC$-lOdg*x0cts}CSww(!f>-y6{OBF1k@ zfRP=Yq%*Fr>*#v;T6@|Wg&PnYNnY71%r7}GjK(S{`BWOgK0}w<6;2Br)lMR0rETM0 zyeZnAMOMHo#$h2Rjg{0PKm}tVup7u6_1%EFSM5Ll?wQMT&gzUu-i=0BuU7qfC_1+j zYUI@`*s${*S2P9@wVMjuUwViu9hz9pPI;ANSF2rD#G@yaH4o0hl=gZsi~}}`>A5{1 z8(`<@cx2(y26lNd=ySHM#IS#`?y?7DQfuLpmVtW$3~t!hZKM_*zq5T8HyLe#A<&PCM0+SNkzL%#w$-#JJ>Lfi2%@;aC!o zBzh^uGF8$>3V#+#d5ZuWG%vRnJ|(Hn##qcqvVVmt#5d6iIs)wmZ`Mv8$ZU~Mn(t}=)Vx-%sCwvWu)imo^(H5qnXYC| zBK|2H?2Iw}Hc?}LegR2DCr5~{q2;aYJC=aVI3RPc78PbZ`A>lSUv4x1R)GEEy5XO` zSV;Y_5O9U0dCwJ~&Jv|Q$KS{*JIAb|6%O@2(s&y=+#dHQUfizm%E^Ti`w8lhBciBY zma9kj4wTFl&dYVNRlq_TLY3w6l-=EUV2YQ|vV3RR!8oNY2ARla z>h(&{cPHBDIQO1A*sebx*b$J4=fa!6? zlhD!pb;{pFd+fu{=`O$modm*v8wEA^vULo(Ms`w}7R2Q1Y)K~*3!DplIOi}5&@H=s;c?bC zwJ}+!oB%RtVp&s01n<6WDOS0OaLwmO^`$K(8wdc>o@i4qkpjs0MF@jZ06N~H@W zF(;?ZXO?yLE7$F!;Jao_>F>pw7)GO*ucB+iI;cxq@jCjnQ_(3?FjD&Q>XE@jBJs6Tu3-UZ@6@{;*ktag8E0a@S-Z}hG={{P_|~~FsJD`8wm!rO57B`? z#6|%o2nnVU@rB!uGEGue8a9>O%N#MCUOum0^2`T<7pvFp3oTAltr&S+e)^ma3%$+` z`{)l^fShf~8D&~1CABS!N-P4E{4y<>(gSxp`uPR#FfVYrWdDM%Mx{{+>Z(Ytlw6~DZtvK1%bN-D}Kn{o7#1ymrt98c|S<(MWwtw z8Fo$e0@OZmQm!J|hxY@VBy0pZ4sU?{>%g#Ql7^M=qyTS&uFt#kvPNU)CR~{O^FxwB z(jYNoR~NHn#oXhLmmL;JuBNH#^@5>SN}pESt%G!sWIpIO$qqNN)Y>bb6k>cJCmqf3 z30N`1leZJ4`)7)8b@deQ6N2iyMfzzw_pQoa(|{xQ)<3a(hPxiF!1zR zc>rFVyJm}$M&vzev(p!waSnygS{nTZJ=eqZhVBBclu^%`%aS_=E3dV}=*;rZ6Y2rI zMj@1YGaBSIBT@ela}suVsI*PzL8PssJ-v zs|?4A0l$AmL(yV<0(SEu8t;0>O+TIqg}fq zW$UjDR$U8VTlYC@9pqP&?CVkpn@CLJz2Ml=DuYj|kXZ&W%CW#x!YM7G=UzP2E<4R3 zj>&0wzI-Txs{We#uhjKNxqX!|{2eU+;c3Q3F1`-`$E0W4Is6poF?q`y*%?SbQm_Q3 zzQqfS#fzSTBkP6)N&xSegCs^86#CBw$Ei#Fd3p8~oNc2x`q^CpWnl;sUhZiL@Izj= z54y~io)1LbD%)!nL7*-29?ts)X{`*kDM@i2XK*zrJI|;~+(9O~g`}(xP~7w#cPsg1 z3WuF>lXDivf+WvG#IOUEqkbgiT^WWKdm?1^oM70kg&^DEv@iKvg3-1=tiH147m)|k zD4D`J3u>Q1}5J5b-SB2nnVt7 z@}n=SUGZDNyf9n`nCIc&u14RzAGhCQsCF#8=$Yu z9>b2Pv^aN0Z$DDE@8+Kz>fP|I?pbY#Hm^FUesU{M(8l#J;dNZY1d(Ry_>im7>RQdU zB}c=C3&iT{YmRz#2b>J{R+eews4uf_CH%Oocqq>v8N|wWy~>#kj4geX?0=|ZNc*8L zg3%6;uUa-1M3pUEXWcoX(mXIZ*;L_>a{feGK4t!>p`BDs{*E(Yjfp^gi%u{H_=)Zb z{*w}@Fo4!DXJ)SMa2hYe2Ku!3X$iQ1D8KJ`+E;m%K)&Cmpl;@1_Au?wJI?NK#2X{K zqTGEjys5}}1k;UNZfA6rogl&O_BAM1vE;ln5Tekd;yFwdzA-zm6{ZZns6Cii4}L&k z{i^d`%|tF&%1hj2#n3Z)JzwCGkNAP|-ul#zJH;O>ali3BolL%Uh)WKNBW|y?E7G%{ z^eWLfd%hup+x=lm*m6hgr_wV ziM|zwGpEQDJid`+)D+b#GPCYEt%aP@Uk96`4WBJI5r;o%$+`|2&lmD^EMCSV6Q$+~U-cu+Grtyg%omlR5UUsUaq`d z+i#Y4)OvguWhngh`?X<7m|x2f=5x;DU%L-9&5T3aK}?y#CdOV?8PR0kK-&%5bMGD?uiDf$GiGI&OsPm_F=S{mgcI6j6v3MqzqDtp>wx{GJJvkWX4;U zlcOSHY&#BoRetA*UmRw|^YXdl%0>&-1na-_8+=HSijdikkx!I8JOJa-kNTu6sn{{_ zie^nwuOq_sfsC5Ei<6|)l~$z8F*?=z;FvlN1i&&ttvzLhp*ZcBSY#jc>CC+kzWZC@5V(AU;rg{*dso?#h*YPe8jQ;~gGbDHXz z@>9HP$!?@;2~n$f+G`2Kd~-hK4VIOhl7Kbq))x5-TG#3iv>>OyQs3%~A!ROJ{TsU$ zAn`d@qG;f<@;Jo@0z!=vzE&`dVz=D)cBp5NP#0OR8# z(&|?HoZ!<9D3iWB>BQidWjoW!6MVH#=}|XK5rY#pc<&(r0mcv2AEUqc9Agb?7J6&K zPS;r)W-qJ8m|b=Z95ueT9_B`BO-6umOW@4&m%gT!Ou*>4(F07V;Hk94AkFiaJ~jJG zPe?Xj=~)(2tri}LB!6n_eJ-^Q#E@e*TMfL%9$u&HP-G}D4chuu(l;JwbXe4y^0>{r z%kzrt+=5(SQb%4q)T>@b#)ii0yR~p!kn8a~-*FzFT3Y~0-1vQ0eqkA~Zfa2Kqy<2N zDPgYq^UU9EMvj>An^*(mky~q~XeTWhvs%Hv6<-7!A5FAWH>*LJ%~%_=`&NBZ%XfFO zCu@^HcK*z1(ZmRy#+2%kdVUk+AzsIRFy(Ck-urZoSmHiBh^5)?!;jb$Ju=Cc4f340 zvO$>WIv+rG^@eh#zta43_ZxQIXG*w1=JTtwVd%I9KCV0m-!K7P@h4Jy*-nYE7E zV=}()qf5RWg1@t~QM%523ndV7`8}^783MxBTsAuU0+yGzm)^ufxl1!mRfDbuB6wUA zN4M1vfW0}GSGp`4Gj)gH9uqe*L{ZMZfVyvwmqss#i_Mw`f*iu0M9g~jO%ELgs5Ut1 zeTXNtR}-v@sXLfpDBn@#MYn@|&HJP;WexAn4sGt?#eS91=N{~4C%Wr-Oy|AO+8nYx zz1(F|Oe>Do+OVmsn3e?HFXcTC%Ugo7zQ~#d5mW7boH_mU1N64oN|$NDu*a2q>5hEu z*_!-6)}b9a0g+^>yFR?Tmwi2(Ad6acG?V#NJRxPuqL}?pkPZp$tqTgt3$Ch41HRG{`Nmn6QG)}dmwE2m^yzrqt_exJs}nb2o3URsF! zcyZwq5vI&s0loY zuJm=^xaXi*_g&}vVFRh1#4TkFqoa)Ls=jfCObcggzrWkEPPD7mtZ|6F~s|F zgEYy$3a*iK5SoQ)XN@Z}o?Yb|2l-+;NhS`D+ao&PjAIQ70KHKW0hnv*&Q9I-k`aOT z%ofvTRCqMEqf6a^>#VQoP{9I51Pm&3UH8t=C`?KstO%|=jQzCC)#c>*h3d; zhK396ZdKJduSYtHKT%$Lc53%dWwz|}p@>C$1aH{;4_;^Da{x6)-KriUgN!{fz-=KA{@By$b)9kq~OuH&&Ic#=1wswa5kU6XR@S@7~!!Nf?3)bav zqb9x!)I%yMRAsy(&u`TOSfn`i4?&rTO7h;|H>>qa<9kdlL>~09P$~%nKS7BO>8&*z zZ0Z^y5aC$$jxUoufk^^|KxK~t(WzIv^fJuFZ>Y#zhnKtQGv4K7&nF>`mRIrDxhgWBYK6HyTm?*2 zgY-T7%}B`o%v@(^HK@u5RexZ}O4`SZ*B>ofnpnTHC;azA)lhy(Z8<*-vB~AU9H+2C^6_!OtRDNza!>c*L570cQCEj=~?6EL$z+RXoXG8@rnGh$ipx zxu!0EO%jTts#;ZaQ1v=9Gff0Jpai zq$w}G|D!#@rK(6W{{*!gG%UE8z&^BG-1P0w;g6>TWa=Uod$|L-Up`oVbC@7J&(*Q< z10j?lnhXr9bnW&b6dIb*I;O-!@-ME48kTM>wpZHbsJ##5r~M!_V*J2_rL4-zm}8IH z$Y_TwZGSJPSG{GHNJx{=5wtla*=AmKt=&bE8bF z?m?ROg*#j2_kX;_6ezuiLTz+=NeXuiogtZAPN&>KC zxJ)1C_y)q8M$ZQHWKPO*705}@hnN_`q1^4~quMo1I z^em!|JxQt;^%siPOe8%n=I-|!4HiKKo<+9R$D`JySm@Ztf?!Nss36DCL8!AP7MSlG zROh70VV3RPn2OCBL&8VE^dyCOh7)u-42X z3nCY-$k8)Tvb$S3F7>k;gXQMkLS-p-7G&0v|LkCeBe zSSHlJk7iax%v)xA`Y4Jtov-f#I9*1cwEFJ(B%x(|fN@BzYW`v}qr$FQz@hntOwZ}X zP3G@n`r+wQeIRoKNmQHhq3USykbozLdZoT)iW5}h;v$DbQ!dS6WQI5V_@bkh)lg1q zY#HsrV5`&Vs5+s4$`s-%Prj`xOW*Ym`w4SeA0Df1y-Fq?p6phIvdnAG-D;%u6XV!n zDkDnHNOm1=JKc)R;hB&Mqi3d?;uNLL`1#szS>EW3OZ+J{Twjr&joJ9Vn;tp-*_>hS zgBzyA5PfK9HUUztRsd$3Gthi3Bj170nR;({t934lwNxa+?!MqKCT$=-g5GG{y@Un* zDE0KtjXZ1eA4N^_WdWcv^I~`!rz*qOI4Fd^8Tp*hqL|=zId7(7HX}Okfu_L7jQZcq z8AgCPL-8F|G$W<$s*~CFS8kM-u*^oG!EL*U|76a{J43U!EOVNmUEf#t_5~`6jb~L= zOeJp+!#-XgVbnNn>PC$NGTOL^5y`br-ajl(%X=OS$@mgQJesy__|PSp7{|^Rzt+1v zj(0qYY)`<~TP~+KeS=pvdNhy?m!I8q0Iwy~uLg-mz-*KSYP{a1cz9e!wYy>f#i`B2 zO^f!4-9D++_LQ9}y}F|c2APP%7oNcI5kvJ)da6V z4SMvs_lRHWjdsD!`ejJ@U%;@Xb zj*l^aS~N*_{VC{`>$Eq@&b(qu`E#sYS?uu94 z8mTL8JXxP$3*GYGbamfq3>>292|N}`@jP-!se0z9v1lMruW7hr5miwpv7Fp|VIPRY zrov{udj%@DD3b>8oxuIKHxct_$aT8-CbL@y(*BHF+Q`&<7;So5 zZ3|3?vop-P?FV=$K^>=4o+d^NZ+dQMyDUAmQ&Jk*xxn>*P06o5ku2{SHJb1~lz9pK zZoh7rxW=wp%>i*~)n#l81dy{D<>MWcCP^m`b00}ZEX};k=viaZFv9IZxsEs_!`*N4 z?k!3tB7l+Y#kA)>%SURPCBWsn*Ta1k{k2Xf{zrFR1^w>k_r*FB$0!nRk!ZmXG8^H6i_UiI@!pX>?8I{j_-AC^To@eMVvVjSz8un|~H7W>OfoRXE`c)krY zoA=Fy8uYm3L5YUwOkwYHkrYQ6-yoCKTL10Ei(l1y#k^$hJg7YzOa~ ztxg%?2&C{MRPnKGUcRq(vQvFN{-z~Q0gCesvhoJl$`hDe)m`wW@3nERIpT@>go^)| z`#*E10Bk8?m#Lj(5*c-8a|98Cg3vkYfsZmVw0mKI>8!^8<;}<-`jm~LMjGa*J+$&G zK`?B!#fgnZvXw)os8E4R`(g^}q{r7o3)-M))yX$LVp-GG4N@V+?!JNXrtVneNnkR> zvo;3Gavo^YJpS6_KXUMf@?=Ht3gP4wRCLfRlC>VEd zQG`fcz0Ax)RVnG}2dW#l!E@GN1$4>;BGS-EsF;@-_&n@}ZeNAIMC#<#eW{>57;IBB z62#S&=J6NOt>_A36u=ml9fYOeMo>j%{Jq*B+{E-GugAEgOvHc+X|$f9-zxY8?eOhJ z-f0SaitB9NxI^CuSox&;Y~s9DT*IW%BR(uyT6*&Ii&A#L(|Y0aDvjoM0wmi+Ap~hT z;#LL5NX)af@|2y@7okT!OpDOh)C@Nxr3}SkpWHS$+6SVC_fo>X=4Km$G1&GyT|ZR_ zJF^cDF1hr+0>hX-(R1}?I$(4QwZMY^TBVeFcWGs`ri@sgny_OSLb4|Znw8aL~;=6StyjA@wo9J(?FL{KGa`C>FV;JF&MKwvr)h2=)NX98Qf*< zqd6+DavyF*D`n1_6=6EotA8A!AKR-2ehS%odCt`A9Am#7;Wi?Lk1c2bKHk_wMlgmV ziOFre&Ss#shGtW4Qz;@Q8Li!m^=T7X`h8M15|7n&I(vv0iReM3>lupSA0p}(gH{B+ zv)?=rUo2#&zirU#S};{*TwA(31r#eIYqCY#k&jTmvp$w}MKEft&joqSpu5OYwLwYT zVS8Ba3p4Bp6@+S1uX3=jvTcfY#K(8h$r6JChd$S4A=^!mqr zRT+G1+oA2|5y7;sSBGJq1f$v4Mi-A zxmqN*fa05-s@=0Yz>(R`+-^m*ECAst2)D7BkRoTQ-TLyBX1}&xS|^`+M; zf_1gF)5)mpe?Jqe2Dt%kPx~I`Q>N62%(}xyC9Zboi)@Ry-Hf+Rz{No|6ojK^`@R~e z6(_zGLcX z+uce#$%L4?hn=Sz+Fodn=aZPvPqdL`&NTK)1ImNKT!dL9J-56q2(I!U9{j$TU#lX& z${-tlfmCi8s+rGX&ekj3ts`S6p4(5qnr?a$ItrnwL4xXEfC2-5PyQ6UIB{o* zq7Vhy*$cr}Dop1uLV^rdYsJ^%DjBtn_ymU`a;<5%r9cjl{J()6k9EwR)veFz{tT*Z&!k)dJ1>vg> zFZRxG^~*9Uv#)f3H)19im}XJjP5%BLzY#o?e=`yhvN0#KMAZ8IGgAz}xi=M+{(q~A zvC&WA%*#A(DYddKC3i*>67H4iInG&S#LK|Xs#vJoTpV8I2?>zWe)92Qt?Dp-7KB)- zx?9Op`69=qq<@(+9mNm~QCI}qNeankEhq*AwfA&||0-}BrY3ZU*OhJ$el6Fi3!-KI zq)^8Po!ne>p%qNAaTzwLbKV_n1`hD$BV;Q*+lsK?Vxk{5j!WF}L5Bg+1qU*FmGVtB z+oRvcJ1raw^0F-CXeOeA=ERb(>u)rd_ zwAuJYDC}p@bi|PvdGXVtvsulWZ$;)0;}9*A_;(*dO<)HzmY0i8JGtj;VdqB+$kp~^ zNmV@KnR1_R05G^iVz>UJt-+uihx$fHma*6N&_0v%LQkt1 zjK%g?yD)e3rO23keTHIeAPSTbKT1jwAwf;t@-vz7xfImS6x;yxr{*LD*o4jpg4{Ol z$8^6oF#i13|H{FVkv;84ASj!bX}K(e(BzE+auCW3-3NwMZaL}ohyz{)%pGkmUrl#| z-3`R*XvWgAsZVZnXy2_iPQ@19Lun2_ht9r_3!2LA^d-bVdk_yCd48B3N)`lWQd6J? z-Op|2Myv}qDh>F4Uq!?3P;KA$o(Wxu8?yfee!k76&;k@%-@D!VBR}EY@!w5ePHeM) z$7>bO^6%G38cpnI`;j+ERgjAnmn!1x!e`03FLJsju$v~Wg3I7|+uZKfJe?+^)QrJ{ z9Br)k1$o7vU!4DkwJ(i_`fb}UDN6RTFCk=|6td0Ow}fnwL`NJwjIj*DFf{i6*Y93F&-1)^?)&cfzpGb$y5@VG*LfbtaUMrP1xo|*ZSRnK z?`&3wv*2+wP~m;@#AZ2FQ9Q2GVvzJF`_Ryxa- zSCNvn9__&n7m-&su1ok`X%uo>ZST#7ms~_fkw_z0PToy!eHqYRxcD;J>)Gqh0WI~I zXI)GlTLUg9%#tif4%Udt2|X;RY27sU#n+TXd$(&U2_sl*Wf9p?(`3hUQDXLiln=c# zDYBxJ${>ssoNm{inmjcVm2rCN`;zovh~kuMB^dP7dka z^LSGKYT?Y*&Rk~XovOV9_~yvd#;rNw`Oxqy+#J-*)Kih>b(gtk5`jcM8$&AE&BM*E zaW>~^yND3a{njw1}sU3^;Mit`fkii^fUHUjM6e+4^UIaP3Uk z+IZ|zWSwvV_=v>IjI!B;A8YbwK2p#0{4N{tm9}ZU&hWv9o?j!P$kz}1CO1FrY=~QE zsH|u62EtJ~3Z=aKynrpop`JQJwXCspHm6U7*8XOIyl9uxTS*#e_cDN0+m_i|-z)Hj z98T}JcdjHxf$CuI&hT6rSDP+ra@JA-ev?P8+TFp1L7OZNWvMO}UiduvG>6j}zy2ni zcS(rwV}6A(T+>e~0rln_-Zh4{U4#y5q2a}{RykL$l!nIJjNY^XuI?zD+$K|p#B4}8t0KaRX3)v zn}+1cumTqXv{wHCO6YpQU)KwltOp7366FP+{>sWIdoke3Ek6|#Dmr_$GX6$1tC&qc z|5&z4<2~!O&_~d*M4|xaXfuOC10+B+8~*z1=}PZO8f^GATVLSAp)dOU0jU!A7xU}| z9}_V}G3t`T{ONS=zg;j$!TqTu-xI^T74{VXuM^h<_sa7?C29jt7tsh-A-;E*<6-yG zp4%L_T0}=6FJg0oy=K%v(fgj}UPw!3T&>x87EuO>qa8833zo}4)1MlVcQ+w0aha>X8v(N7l zTtWGJKWz0k^ZG3%9Z=fpCZkX`6ICYTDDl zi6bVR9JS6^RvWLJ0unY3{XWz!%EPDhx(KyRzo&mvL2OT9fOSk~>Z>Xq-<)t zj+y)u1EQ1K?+l}2eaSvq|B<>gw$}QcxlBw9@FE-n??dVG9jz$|W6DZg{z9#!qHnm| z7pvA5$1vvn`ZHVrpm5`)dwR`bxa+BYbwAeQ!#4mJCZxs8!rT|nJLOw4gOm9#xAU#e z4Y6^i`RA8AAcW1yE2gPfH%EQgkM~+)%gS9J_E|HmPbo?IRlhk?`;NZYer&_yvJ*vS zRDz-7*khZj>#*HBv%9^%jB@?^sbz=1-Pf}zz859%Z>|H<+r93b;Dlmm7uDE|*wKDL z=5h17O~A3xti&oBXOm`!G=r%sN)zMB=sYf}@~|MyJwnsRHoslV(oPL6gNE-d0onjp z|EIq1>yj*X40NRjPqrB$YTpDq7&*5l?WcYX?V#MvUHe9dUHAUx?zSA*cKmxrPwJ6Q=I;5-K|wo{r4G)_%F^ZgWVTPTzG3-d&Ubf;Q0k)wTC{c0qT$ zR@?gLXOG&kGDZzN{&*z^;W*>HTsx1DHzn@?*DQ|tIrd3B`q&FeNe5pQ!&R>V13Scxsz7_zl59Qk=t>OVts1>-8zKj@WLSq1|QkPxf=y$J`@k zXDi%EbhBOYyvQdlCpJIorW~yc(%gK(YZc80llaxe{eX`J8BC^LuYhj3dFjh6@8RCB zNmIZYC;Imo9R$Ij;pLJ|e0RvPo%6M2+c z+$4=Gk@~wNzOq-ep%swR#JqheyZN~QEaL@_VS=ER(!&ETSUtiudS&i^5AxXbqt0D+ zZLmgaZo17(x%NpQV>ph@53YKx1o~WYEhKn@q#g|vF0rpax7hh9N%7bufqruM5cV0z zCwBq-ZuRBVtMM<-3~)_fZB}5cFRiA1rl0hRjNh#d-~Sx~`1%d)0b(GJxsyW%%yNv& zriibgpQq8z%=hI-I;lREyR~E5`8Mg^pPfGA)ry*>Dc0?rcsRrR(H0q z6_3^UvbiyJ=AYfCY%)u)Q&&>nJoX*(G1I9UALia!{44Qr-=MEiuxVqoT+!bjTYF~2 zH){Zp-#i|9zpp?5Ouf*3y|(M6M|T?;O?gl5(B{LNFQ+WO27rWDX36er0vdp+4#o^) zrtN@eOX?B-7t(=K&HGDFQoBySye@CiCccWldzkq$N_42|8E4G@3c=r?vGx8-($99o zf6fcAe5xfsTHhTppA%M0d~;JJm2<#OIr2k(McqO9eaOf*{}?Iv#mURRF3aCIo#A^& z`ouZE8{w2;;rf;1NoP_f%af4g344+Kqd`ldfL9EpoX+|1ya^^O-p;|lhBl^zuVAUd zxldVgrG$aETt;E3JNvwfSkZf7B}&`-FX3 zpp_uN_UUtX`Td0yr07ljPBsu~$kcLB9Z^7Lj+f z^b}r~H#d*^=PtMQduaCnE#Pb)%*RZ}Z4PMnbv)Gfz&~d^twvDK7k0<%MDG23X2o}E z09{TGh^K!qTL0rkX5S?<|0J{aDh5$pp`4&{DJb2<9YVMJe zQ2*ln#XE_!7UL#rd@Xs7gx~}RSVxdAKvwU z^V4dlZyig2I3{8Hd~@b-RYC>nEWeuE`);Pq#vL8*Xzj&Jl+#q5rmLxYQquM6RhF+b z&#TTGn#bcYT>b8dhO~F4dVRG;teg(J-uub zu7R5@{@i_95^UZ`Zjb z-@R@>XW1n_&jDU~!%__mAJZ4H=esjUuRJ#)w*>4GQI9N~lHOXXc=SY|Xf6RNfNqt@ z_6X1ENFm`@HfjFFBDK*AQ*~vFsA^2>Vq^GL-~bH3PxulFYg^HtmO=C+}Jzw&*AB? z?aOs&dxwI42;_om5y89Puh+@=fQljB#tMIL$_*;J6Fq!|Z**GdpO%6+`FM?W(qK4x zS>WakaxA50!*7O@q{c7Bey{F{_v^!E+#54*a4kJ|rtR_kY0WRYy`_AmeAIVYP-lC-^Qsb&jQwnTBCm zM~_ocks`ufs+Rkk*L?+#PrBW`aEr!6vTOgtzL5T_M3Lb(dnD>i?VG8G8o=BSwQ-}9wcfV4PpF}+s+={Vn=MRzv{MM## z;)>?k+S1=X3+LeMcy^UtNzUp9aggtl{K*23to@a}XrPLu5=K~ZVxA#xy~Ehee2b7& z6|23p-#w;1#4}2xWKl`?XY|Q;b^5}aZ8nPQnlNZYksc;iN zxA@lbF610KyH)f?L?B`tiZ>-cYDCj>Vd?5cZ8=?@quF@7K~Ll z;jhLye(amn?-hAp|JK`?{Rf^>-=bk07_*wNH~F(1*JZuv=7(R`{=P!o_U)J5l#_J7 zm}!(W{UqV=rx6uI#L3{Yd7tz+z$F#GH*hucY^K-%+!iBj%cLc1C~RE)JCk;f@qncB zBjvprvtb?5Jyt;PTY1;s^224;K0JHzUkf?79>w>l3L3A>p&s?@t1y)! za&6Eq%R7deV#unh7dngtOGYogxh-lT`sSt7BwZ(OWcoM?saD<{ucc%}nz*WE#RDT2`=>1W_g#LWlr%ndW>%K1RW;azxWqxECb94^$K7tuv zcg!{Dlbe$l;HazN1sL{R+nH)Te=GQDQddq)_dk5?C_HLt_bm+s1MUSCHQ?TK}c^}hHlWFiv8y57)Jc^I(w{en(;vF~X(X;I{Xu?m-h(x$!& z>G>i-kJ6Ag?5Z+wt1M62hn4z-@FAybU*5PC4f$w3P)aIRP`JNz>aV-^KCS6T-}mXC z>5sqeEV;UT_g<6kZ*nbIzw3EG66-f;C?6&*?>fpKPL=qwBs7Kv{bcE~yDMk0yzYu2 zr|b#pqj`wjH(pa}k5T?GF>pg%HKZA(iAD4ewS|FI!{#@>I0rIsfTde#nQ*|uewVzq zI=kNkt=`5ZbZ^-1#tjjXuR3b2hsp}kG=um7@ij#Q>EL0|)Zk9W@JGno?p z?aJsJRm7)GrW1NsqB?^q3=sMk+B>JHadQC;l~H}^u_rf^;vgaD24H4d0w zSjM($(dk}hhjt7J@i*S2UFq&JNy}q;p(mVhNBuD;C+Qbb_B93LB||?)bYN_)t;P0b zBUet~aK2Ip93_UE16JG)*|F;c(^UJg;s&)J1EX};%dbzWr3SpIo1fmcYbrP#by1ZDt)^9|&4Y}g?@a7IDszwRM6gCrVN3R?!Q!2V z)=k@DubybgnGAmYK@(*eOHQ-2qAHw_LCF<4tTuRAp%X>%<_=<2u!Y>60C(xuVc#x< zK*&!PKQHnGEMXP44E){J75Cj!Rn}46#vZuq^rDZi@%wJs#1!|Zg?;Ga^meZi!{3nW zQ)!G2KfU{JT$_KM#6Pc^a*#qngqN_4l){wCJ+aBt>^3pM2#@G_nyhf-O@IBXsZd7^ z98Wp{8;HC~b-jTGMyRGIYlul15!@}-r6T2AwA2xnEJJ#!tO@Qe$`pdWn&YBc#*{cZ z=9GDK93m|lM#s}6=7hk|Z9&H44=Sl_hHtq)kzSUdP^++XuJ8RL=Ty=O7 zJNxc(M4if!_%G%`PnFNkfw=BYGt_@nO#X2y*UqlY@Xm0}?~XeexW`xIcv*b8U_|BD z1#>J$PAkuIK*thP?%zY%A#_+7e1cVS7e?GJ_UUdf3pO#v+~F<4ZN%zIx>+P>m82TlI9!j(PfaJ+3mwf(x1rc-=$Jg|@slgl5z{b4w;;GIhm#Gky0iUvYn zg$|B|t*g3^_J%jOXsALgryuol!!AKpAd!o0~Cy)+*c46oOb#|V^{8K!9 zOXr(ykHpJ9>21X_MR{KI);8nCzpsq?h+=9}yV_)BmF!N0BST`PrRO#0`^`QxNv_f7 zm{l7XYgeHX9fUVugjWzBnsUmF8nf*eg+DU}y8!;>9C}nsrOMvu#_e`v=`ADSwIY$5 zETwV5`P#P5!f{oSc^%<`6fg!*Q>$L%5>_#{%Odqf^fP639TqVX4cA>ubhaFKtI_fM z-h4lef`bX#byJW#&C-Ms5{6pPGVqH(P)hP!EHI7KGe0V7QK)g|!(6<=@b5n||M)I| zqq`kK?v?^)Wcwg)KT=p`Me$qJN0Mclhjw9(rHxUaI#YwY>8L}@DmF&CNlGJno?o$0 zIh@_X1-Xm%8WnL3^>GEGvtSe5+EhObEhLIMOw0sEyE4V9B8{nV?THutG`}Ut`xk>^ z8O{$OWn65XP~!}5sUHqb~FXe$5kXo3Z<0G3`>Cmf5YPVgwZgz`sjU#J+haWl9IJ%a69l>bUoWQwbao z2r+!wE^gkYPaiu+9@Du>Yr zVoqbo82>EWR{%%FEaj$jRyt74X6=7eIue1;gMZjnz43BYnC9RO43`ldtE&nduX6zk zY(-U}VaD%Vv}GeK|6^VR%t=}P7I1FDgbH@Sr*fs6Ru`h!xojF{-fD$v@8%WoKXQ2F zcf`blF&0xRsEtSX*#}q)!${LHI6EWSQwocHV?Wc3glD%xC@W21F4d3wYA>^2b0l|V zzv>p5!;f%8<vV0sN1vx7rXMIToxFPJ{>dXGimHDfe zE94%q%XmOdi^$Axl27qZd3004O9ewS7)5=NtmtMz#NF$w-|F?{An;EQBfB!EG0O8~ zpom7|?eN~*1I#@E4vUVs3%Fi2IVHc*+)E3^@)CxbQlld*I6HF5Jq?78Gr^R#&fd=+ z6P&m!kzr}K6Ts_uw-otBGMlnky+U>Pu6m7K=gRw!&Yf?bc9I`G{7rKILwtgXOX16_ z9}QjSwbE9F$iAZk5$go*q4^StA)$9HkujD#=PbwlwJbU{-d|vM&5hRcD^qu`LF|7G zmgLh)B&g?l~eGR;@<;Y*QH=8jJasefzH!Nf_f z!s{%W|CoB5{LA+I1&fFVj8*b7R;fZw#|`cRHSmjhzn}#frMHP}*uKwLEWAAqGt}C> z9@X^u5nz*dR6BMj%y;X{mZG6WRV1{$>3NsTseoPj#2vLL0iShYn)KD%>MOOH3b&5M z8N5g|!42oG%KIiGrL87Qi_EH_$^**PJmw8s@o@vEqu_5JN{d4yRjJe&n$XIEg7l%L@{I04l#9fTFL?sn2ir#e=V33f<V3o5)vfM_Ia-f^&H4O0$^C3QUp7bs?m|*B77N6|S7F zVJMAx=L$T(OCN4bHaenX%%P6w6r#5~D~l4?Q++FWQhLL58oK)f+rrtt;qaq@aLYQO zu!gZvPO|#wK*w;7HpDbtOf3VZu!5}^(XyJ;{{2W|kb#>JKlw>qr`WgbOdD0*s}OPgyZc}$K5?bj4D*t5Ghv44yB(SF0!FYAPX+X#AnI{UTzu<@0e30PYMQ}h4xi5y9}Z) z+KHyN4lcdtnXraNvn%r7VP!?eu*h`NoK?%d>=Y9AJj@njR@tgL`(it%dFPN1|{ z%&FMUH7OWV1~nUAbp?-tmP;@A;VfbdbbO66nSQ03OX7NcEz3bSIj#&^_2jAAo264+ zBd|CmOfpsZMYImJS?a`ALuA&`WzxGeIEj4zjQk4-D*1i;2clFTRvoBO+{AgF?X)GL z7Pi;Sdk}}Z1+C)Q&f#dV-BD!)hA&z0LF`!r#{MHY>dzW5lCwGybRiM*!i)wFR0=^B zGj1;paVhPsC~<`4l5JMF@lDz3Y?p6oYHVQcYL5M_JWB)r&XvM`6W8_Vo>1Eder^-A zqnTobuM(v0Kk{^U^+jt&`}g3u$hXH(Ucn<4A+H=Y`mtiCpLo6UY!WAw7d>v<+xHhe|x&v&uVS z)w-3bme8E->p5Tc#WsbEAM38QA*)swat_deeL#`8@ux+C=dU6GJR{d>Uzt9b=ZP5U zOb%;hRazNrBz@qA%h?M@R!L?z zFbK6|3`{3UVn}Z^N1vwvdj>7E4kEpi5;(Fzzj#|e?(n{ovgbw#Fo4}3N3B8)*!RPV znREOIiv_i4HITsC-4~l9ffM{}O9=d101=V+zkd@ix1I;V?{U4mEx{tM9o3qkG)KX; z^=^)a>op>mv0lR!NL9Cs1vMn+*qBY?8Ib~EeJn#l)P9dGpfCwc1pTYX275Z{%`2D> zQhJl&tHVN|la%2EM#~4v*b)wQ=VFkB6<)DFSwgJKd@RBaJQ%d9+7B0WwN*APWY7Z9 zrAh`N}SD=abLdcZaN^nj2=NSpVe73F8P9rNw{ZnZepl(^7NL zn(?M|z7A8#PN4iA|4D;D?%AQd~_GsJ|RDJHaQmJI7?fj1?u?E&(~FwDM~|S=PoWYOi&p*A{+-Pt#lEBRa@^_weZc{`f@w6ndAp<1`?Zn! z8Y=9A%}-#g)ANUg06%t-K+_mwaU*0ExzEI7?YGA@__?S4nK<05phs%j4|osTn+meN z2b`!P^AdFSjaVec3kl7?9p8>U_KB(KSDZ~3q1|LXWM@EqAsddJ^5ZM}^4+wL7YrmG z+tpWWX6E0^FW{m6!QUk9KQm_a??T4^rBvKLIvdy8`!WFqtpvnFQeyHhST@9gG(v}@ zK!Z&Xw!Vd6YUih8jK~NZfEtv-9VTc97(szBUvg)n*1&M0mPA#_r6d0Bxt!fBgJ=Rq zPoTgh%h(TtI#tpY&Q2cEk%Nuuv%`KQ-ZS)eDh@SY>w2VBlV#clRutygs=2-RJaDM$ zAxn@s>*%HA1Tt1_>|LFk{xh}q{IMy-@ATUI~a*d2aB1G15jDa6}8r8?@geP7ezPq3Z_n*icJ_Ab! zZeJs=?K9>@fxZYj{cb25{>00u`&)kN;iSW?vW*t%%TngOTtF_&Rd%>n`{{$E@h;#; zk;nd<=mC2%S>yJNmMr()QOo!}Cyqa9VXktL{G97S=?=eSmrY^&^}}{6R3$q2326bj zVt*PR6&)M@emCFD(2gbaf#@!ZD>AqQmCS<9k;#j#A`rRao_6=8Rjnq_X953hW4VUH z9yb5P)w{;&E^-NmcU>uogN6ymVthKgJtgj!=@&Z~X+`h8kT|vBQs$bx2L538J==~> zGB0Hk?i)e>Yy}QYAcq1L;19oDeCsmMOa0_=rkFFjjcqXHT7lWb7Lv2cvA7~QJVVYD z;gW6ad({>413=sWz?&m0mNZ~gLEfUK>WtE$YX9lEKyr85hh_C>x?`iZ;_0oJ4X%+| zCDht0N+3;K`vBLkqoWo5Se*Uy>AeHjk2C-I%~yK{|EsdXz38o24RXMvAK8gYuT#*M z0yIc^uC`G($NL98YP^Zr0xei8gEEjBud~oW=KAG<&W~FNInCR1U1lfNRJi#E5ukkc z5Wy~i3f~B0D(A8-Yl{_pj?vDub_@S+yhBK-M4+fne|*yxN%ao4IHJ~Fp*o~haY2OD zS?1y55?A_pI&kyEmI$i{I~xq>A8!^bBdD8J=i5!Bi@0c4KHp_`-ZqFHQ)fGwV0Nu< zY*z8nlY>Mm8;^A%rFVI;%LR7GG>G3p5&lM^zsccCvu9!M%Iq35fE+jvH#{s~-Y5yg z+YIBvQeSBSF3X6^Cyu5*ef1vCYDF#o;Buck``!pNcs|wri1~NydD7sp96H;<7L(??LqKnyGx?dY> z>`Ki{k=vJ_1?sQ5zv+%Khpb*~w8DmS#9NG(n-MD^RHV(Q9>%8C-WI}T*PYfJ<22vO zwcK03@;ITRU5tukw6CgeVA3tQIpU%p*oDLIIZb}VX?NwbJvD*-=3~v*VP7!s z0RQI$Rjbgov)%_l?urJ9cBVxAt;Cgisy0TYfru8;1}e)~#L)^ZfxJn>=UY`TAJ`RF zsQNVbTa>wf9^$AnYg}eP%aANK(FF><%3u7gWEveB^GW}HYUc#A1N)+x12;8P#d*b0 zo^|y|y}IrGd*#%8_2*E$aI&=I68DFWN+jIzQg`Iw3oROQZsbv~G|axJc?qrja^to- zWZ%}wO3yxKeyEfypd(Qdhu#Gy7yDtF?ZRd^)6@;$f&*;Xl489=O~*okT|c~;XDEi^ zfx4t*wCW@m#u>=}EpHJ35>+X1V^f>=$7j8?V8FgGFc>guSxh+{5)Q_jJeZ7ENB%<= z?XNdO=?v`rqzBC7J%gWkIHtK+NPZXItjJ=lFD5{RGw8tBdtPeMqdCe0gYdR6TPlQR z!!>pAz9p2ZK+|8$ap@XoakO5>k9`O2V%_i6`Afuj)(l2JfeBRYS3aG0uvKGK33!>v zeSKL)Qu}yQxQo5PB#p!boa!7{@~DT)vYb-L)7|{-B32nZdXo_vs4W6O;RWUnJY?>8 z%joomvB+k#g4NzkbEW9LR^4I!3+zhfa1SEVAt!$?E2S6#(sqSeabaR2WHISuMPKsV z7f9%Rd>?Dcsx+>uEllL|Ai$zO-Fko7?Zn*E$b7#QQ5?1WC&$$OM&X{XE>eczHPe_HHxXV zT(oWnrV?E+f%u3KbR$t$fllb@)g63X-(AGZ zFe%r&aa*y(6Wt+wC{lxLqiOj;u=*bzRoEHnHeG2)SQ(tA-E6ki{q121 z8^E{3WN=k&vO!SRSwdo*NM84BgcrF%Dj#&3W)|$yz)_(YFyeU z-VgV7ngAR+xQUdN`x#bC*Du|d2w(3s*#(};6M`xA?!{^X`Y}mtZ2m!B#YRR!f^zeG z#<9D;6~9i^H#@8f69uCc&7wYAb46_3^PEAci{XDK>Be7=F~Q;Lzg}&4dZoZlFW@db zaeN1g=*AqNXH0++T?w zi;J*vNof->(h-@wRP?a**RgXtnt-5&R#mz(OBv2Xro;wyk>iYE+8-R=0zd(T-578R zOl_QcqKm_yAJaoqT0Nnad@+PdhQ@)}_ApNjlCq-a0U@Hry z+t00qcv4*yu*3c8zQsPK&f9;qcD#TybE_8^fkAl}8O?5#eIB}k1Cr-;f9s^N@mui3 zJSK?Xfb`UBo_#*rcV{mA0Yw%#ul!+H?)}`kJiQz>fN=x*x9i%|JR0_|5j3A3lFRWB zjA*lTU_=1T?1-YsYw*&_%OpM|7B;UJgE)7&NAwKVY@+3}&8o$Wg~9u{ym1p>L0miU zW()RtRzkXzX#;2pT_M%io_Jgi7(9iZqYcIqJY&D8Irz6Cb|*lkjDs+-Im?7jhR&oNHMiUA`7Q%aLJ|QFCA~Q~>gS z;hPfR?}hvmdNokz#u>WjBM3mnKawM_U24$r6@WP>Sxwx`hf%G z?OUDnMXYSG2L9Xn7XHPY#V`CiF;4_^{ITtP+1$H}${;zb1K>fFVrdRU#!7X=zz^s>c9oJCqU*2#gr^%r#yPRc>+8QhMzbV|NK8`FT< zQa9dCNEXt)nkt6Y)uq}OQxms&;OAmBEEU!SU>NM9fFWuF4FJml5R#bpeOaj6I&Gj$ zUTvJQJMMi6t$N9K<)mG7SECab{+TL;jk0i4rA2=m}JN;9adHTbIkOhb7;BZ zk|XYsK^`=htb2FP0r3VAx%Lim^giK2o9_N#71`pr6I~TOkHwEX;|HIf>!oeAWl9u7 zTv>uR06%v>b`iV?p#ux3w!mjkj`2hXHzG-hr_TX+WOl8?V>V&o0=%OH(_E0pO@5Nn83mH z$ir9^_zH zo0SmLOc<9Mk!JKDYQ(LfbR#V}qK0#&Jw`zeaR!pGGEK;kUX++OElk7xbzvc*JD&*_ z(TP@kI;MjtEGWm+N|tF>5e>AYO{U@^B*l_LurzN>iE(t-I zGaQJptjh_9t5xjw>PmOFw<$3V8(NTM--jn;u%Ux>$TCdPc?U!;f{X(321<}xX0?iO z)Ck16gyv$GzLwJzCb${Uyn?*SJyUc`hU@32RyQk)^8dV~o+;n%pNU6t`*xG~s<6Xs z;E*wDZL&cBcpWR@oP@IZ3M7LW8~{`6M!WRrJeBC6 zGbpcWOl5DzDBJn17+N@E3pj$F?sfw^E-)48M(rPq-JcHZ(^_!tWy_~v8 zk!eN%pL>k}@Hq!k3k|R@cLZUZu?r52?*z;Zv9L_iEGl*n-=3#qLJLOq->z@;?cNGs zwdA=c{oDZ1XD~pW^9(ryI#Gh=(z(=-4kL_vy>^RhQ(@kRxPc?6Ag$-k!V~4 zLpSERdicPF&jb=wRG$q<1C8vW2GT&;g{aeR?kA90jQ%Q7OLi4? z&PpzU$Pf*&JQenxx0j9lm&iSi45?*hMtM19atX>6ChO>u1GIV?X}}`Lon?Hr_R|?0 zJbBJQ@{MhlBa5Zz?HXrEfw%7!pt0Q+uIC>uEh@BqGo-?hHXdCAZQ+an;b|W9d$LJ~ z!G!>zNVe(nM*>VE)p|774p+)B59$mSZq*T5>#BKdA$bs*-NXy`vY8vWd{#Q>4_zq# zpou-t^YAbAPCq-I55>Z#8VnCN)O7szj~r0xzvqBvRvkSLuP6A51EIP?5pc$0HlCLW zO9TLT@CZp;glUOhmmEcAWSEpa-o-F!ns-=P0Q&bEEoWbmp(3-@k(Fbgm?CVSCj z#AeeE;V2&P?_pW~WO!2h5UEh$eFv-}2Q;iFXR?I&kvZB3Wfc(Q8e8t$G`{bKg?DG~ zYB>oQ*fPG3{)k39C`Fxn924m8o(;ta$QWqXd@dl9Q2#ei%aohui|L zi3uLCOvj*u(?s!ZQ3SRA*tl0%Uf*d_WnZQF#w1*_kfVt~yPs_^pE<|odnfY+4`!Y% z<)0L{0@ZY^da^!?ebes?1vwX2ut^D#L8^zNG{P&!G%8H&Z%KyrT?hdjX8o9Xtf}0- z#otlet>qXUge*~*#Q5U*4t2D9elliY6B6K`wNR_O8T>SkS(qZkoUn zTIgwEb+^Tup2(=N@ZPHFAlC|h+_aZzyKVC;nVw&VU~I$QTlTf1f?Rj2UM7+J^{S5w zZpH0vS>t@?vk1c`K=|h_mgM%)mZkX;-0ow(OHVANB6Ux!*Wy=oB^@eK$xhQ9Wbkc@d;VQ*Wy>k#|u zeUz9?ihbAZ!`3fW$0#%?tgmV>I(DKu%&I2C{;Aa@9o^MOiNSr9tuDi+m6E34nRy(O zgM(~$ss--BVye!c6GOAM=j(VlZnwqSin7Wqa?6ul;&i!P&}B@<9rmM~X~~q)pKbci zrD}En3UbjBA2WsLG`kc+P5@3%c4u7Wi5$S)ovB9u?~Moz9-WyV3gUgsY{tbR$3s+R z>AD@|pK%>5MjSvr5!{XLFvteEMto5fhO)5n``T&%91ZvP>$`@T({F*~+e?aO2ck3$c8L#^nGJpfrD@6NoOahd92WU8|wFxvhqvV9#f$2B-7-Ub?y z3wxgv%3&VA{yGXR=E~wsfOo^N?Z`0gede4T2(+*2E+1pI*zTaEx?w=4;|r=ITHgp- zmoL#GGBwG@dUJ{ZewL@{k2hr04K5?I07!NOARm8}1VEF{H)*YsAo}8X@Z4UDp~@>IS@Z>}@r8ym|8q&C>QT zTPo3FyFDy(DcXpdeN9hvH_N{B)*~QUkz>|WU$psAP{xhz!m3-Hlkg?e(j%CXtMMe9 z{tfZYC1Jw!<=6}A7E4Atu#n~&Sl(5AR!S&Lsp?*XCBV}h(r zxuyNdO$KCEnXi-OJGCyc?v4E4zlqOn34j(m#N_J;uxTJdqI)F}6w>-6NI9ex{MLM$ zyAK~6l`GwhwTjJfw(GJm%V&~w(5R3jSo_7`M&bNAjRH%>nsSXo@L-IJ9cQs_MI+Hc zN7p<=j559g=7uV2_KoNu14GA9Y(9_q^LJG!iW$K?#ow|h?XpaTn=~9JugVRZ%x5OW+}F2j#5#^ezzi3qdTi400Z_HIVH#a z>ArZ(zH*#~TXmZ>pkUyzAl;ya42-h$~czG7rhk%kSbH(Y906UFDQ7y;XT zppy|^b1(!YV9Z=028lKbHpj1)?0)4PA7_DQ2_P%={l*NR1{AJFM28GJ30_k9@mJY^Y`UX(IyV(9hV4^<7NQJQsA42lp}}0*I9ZIUclu{OLJqp z)g1M?a8z5J>^9cwK8M@L7Le6ZztG_BU`E_ToSa1MW|vc{qN&c9#_af|NRfwZ62s{?ZNa@6y7 z$NailzlW0bORzc}WQbd%M`}j&p~Dvg4qYvG2gsuzkRHvvdd|UEQ7lVN{P=5QZlhT3 z0~HAm?&G9Krj~b~*I)KeHXOfN*Q`QC&pZGAxbWFwm=7sBNs_CP_1j-W+o z;#Z15bWg8-tk@o;ub9r`VE2Y20sLndkh8{ia<<`(*kph)el(ulf(1e>j)isfhW{m{ zbSMqXpi0`yQ3jMTk3YGQgg10Xsv3_X=WyrdbYG4#-ar-eLC=>S zptaN13F4&kDLS_Z-+DBK9@C^OjrqF7c9PGM@stI_;4228qQg-y7iXT z=OyS$JJprU!b)`W>zmzc^ZOx(9C7Ae_zpK>7MX-Q%Mq?WK$FqJuZKW;Vo?2N@)-hE6F%!4@ahhYcRhY#z#bYbIR ztTixkCh#NmCgx`s1Hy zB&%jg;5w~xx@wfGluOEhopn7;oGxMOnp1w1d=-q)Bq}NFmUBCJteUK(HwyzR482+t zDbEq(0GRsQ{aIcrUAoR(WSlO4e-fSS>64nMMzTg8$(T=i^7F!KLHP(-1IBlIAiDLy z^oqm->o2|V56O6ja%~_yjrv)8ylll=$#daV95(j9Ny>zu2X_etmX!s6tj_X7Rn7H&#y? zi>~&3v?BWT*xkhG8%v;!e@3;k42VAGV-RkpE-&2?tvBMTv$wxkTs}c2)+qC(?*5r|-f3Oy- zE@nKXygWAuNt@;w!fWh0B%U`MbroI>z@y~sfz$P95SpTw*X!(t_?hbbsvft#SW#N< zP(ul;iP}6Cl<$bHohcbVo}afaG1=v38TuX7l zV4%Q~PZfLHOp^34Gdq0ocvR?btDEqJI+ z3;u;wO`{6CH0mq8AH3!^$=qG+h?JX7ni=rHUG^uS2ulGfk&cb}bFmf!+8>)f52-s1 zN3<6D0{MOpau$FoVLqleADl#l3hR7Zj}0 z1(-*z2OWws&|$wEORork&LjOf_d@k9+0L>3<)=fjVxTg-Mk~P@)3n!6k6Y!aJlKr` zGc-FKzkX$R@c4nPkH;elkn`V)Gm_8QngMj(gMzA+a1r762mb;!m>*c1FlC6pNOeFO z@yrH5d;7cYa=vw6FlU)>Ytlw=Ga5vbSJ{)RiYE80p%-%IVOLn5kM0idhh{9r3N^^X**=onU%PRE z{1<0_YyReAXRu$#q-49MZN z&KqrA(nCe09_vG55W2h_QL+9s>a%BNgdZ;7Gqg9U`+Z)M>UG!iVlv z(;1X?2Gsiq%E^sY{F~ub6$$#qxB-OIYR5-AvnpZZ!4_}(yfx?xYQdREW~?MjR)$)V-`G4-rS$0NFXEM>FEx%=d4-w#duzOu8k+N8R+XUSW7%GMB` zb;&-&?+;HK9uOUJTnV@(=pfNsYS4IfY`!7eS*JHE#U8jaN6U4cE<*=+C@5mLs;q{@ z#lJZBZ}u40!z_Fguyrl@tPMPYks~!#C2o>R(9Nlb(LdewBAz)N?H@siN3UhB8Csgn zMc8aMk9U(LSRDuppOR31DTfdK>Rcyfu1rlA^IFoHAdC}(-Po8+*y82$%F2Q6j$XAl zOTEJnFekHhlmn|CYTHCUeX(oM)QjHO;e;)JP#T(zIu(7MXEGNz{FwE5OM4e+124X$ z3AY}0mkIS0`FZ_P3JVIT=%zu}3#D>g(3kJ-h~>}$3^$VK_RwzXp zLruNToV2EDBkRF~O47Ut~4NR_2?=?u>h8R%LA>Qp0QZZ`=sgF@je^Pl(*Fi;< zKOB)-NrUWJ|Dx__B_81t4$4vg;L;FfLI|)njKLjiH8esB#4nF~w<0Q?NXS^ZsnxS! zfA`Q{!+0&6#F1G(6a|irKD=H;qZLAx+KAsx^Rh(WdBPzWg(EP8uQEM07{^{)vrDS4ps>| zoIG zb=nTg7uWd=&WS%p%B9Vh+YK^dpVQq+HqUzpq$kpi+k9Dv&`hRkRF2r1J+&AK%U6=n!|G(TI%XFQl({ONq z!`QQmMwfIwlRF3MrO#w?)s&&(kNu`c-#1hC-L-O7Ymcs%J2oH3d$Y?t_^@rMiOwZx z;FTTT8-)+M7jLM9i8=(E)rcxP17=O{n4LKQ?J&78?Q8aBH}9d!os7TI|Cu%s#vPjM ze7qPPmzQ{1>rjKa!*^IVG1mg61o~IvJbe`uGbHs$Egmp-r8Cl31>H`Q(h3Q&Oh*!4%}oG zlhynevKWAI*NIy=%g~2B`_Y4U3(qhez#@?M>8B}Z4eXIiu0ZpVKdA) z7P_TTKWOOHS)Mjto)lGt)%-z z)}v7AI?w*_3g{VgbfDv&K8gC;U^R&|Q<5t_=3~cDw0;R|;!D$D~dMm;ya$($!s<4%O zFFZd5+|^>*7OcFDD(ec>5<3aNmaHL!&Tl1k1kOh1{=e(}hN+>&nNR7)quJ2PB!Q+o z=o?->l@AB*^@ci2@8{7Uc~poGkMo9`K77NOe#|cq(Q}0kFg?K=hfJM?&kn8aS$vHp z2j>C#RyQ0h2~IOkMIMnN$tTJuS5p?SZ6B=b^n&SW*>nr{6x_}JV87;s!}ALJCUeTfIU5FgT;PvC#rDNO}}Alg|E&Ht}uRV9Ft)ygh{|N{6L6 zVyqG)0SiL@Y{+6Qo~di+ak-T(YqZqR=~@+}jSC;&QoW_MqL+ANoOhIcJ*Zlg9QVRX zzyXebi(yWi`CF@@J}<6N0Rz_6#~zw25!`ad44o*yo~1I{k!~tV)jMlw zL%UOiD19RwSUE#Od@qDviO%XpQBQX;KU4UQh|H5g-rP`1k{PZy*`GOB=hH1w-LX?< zPhUSptUjqcUHmU-xe$m(pqg^Udot{#1L9ZvFF3OZ7qzhrGcv*5U)%5!rm0XxP*;@i zT4F}4a?6BG!|~RE7neg(NzryYG5-6eA#p8aui_-?g>QKEAq3=;>->_`^M}uQ%Hdr~!aQK}#@2E3&){b(XJ9YQ}atV73 zwaHdmkE?pTBn0FH`#N>xe%k3U|Bv?HXb)WEcI4dEHoh5j-stfYyBj;JQkfe&er%iG z6Y)E2I={hOo?`+(y(@FqcZW^k4vG$Y_N4=PY_W~Ua<#NlQgP|<*Svv z1DN$F5aq{x`d{vkc}L@wk24(78;fl=PpA^>+C~O+i4$G!#%QOH)ak+sX+SxDL+

        3. qIeS0<(Bnw#^It0F;xo=dm-wlVR-GN=V9h~UQ!K3L;kp;Qqy%oBpBy#CI`zi&BaOFXx;zhaxKnOq9P^5eas&Hk?70GDhWU51==_S>Su~qzj5w3+fK6=eBYC# zeUw1g?FSXRnNd6R7~qj(izIe{FRxR%J-8WTaumrId^{%%O0xDnD#@6$oIk&3n^so& zXg)`r`I`OfqHS0ev7APnBgTGAUmG45EIcC6-1*K#aWX?0Z3LjobooHa3w+mheoi94 zUWtDLsNje{ZyDW=#J^05@AGl`(DLV1U}eQjA7(nO@8JwwWUGF6(cW>!`(Vl)SS~R4 z;R+k#WD6^+6w0Ju+%cdooUHP(ikEimdw=O12LawA@`2@Wxue};eeB^J&`%chly=;K zbhH#~9c#*C@YEwKH|6-| z^-1pKX_daiy{|O1wnDk_*Zu@uou-z#gHK_wE@nk?rZ9lVs27*#5$&1q^*wr|P_Co_ zfuYlIV*nK@H7~%EtM9uKGLL^G#ctp+)-gIUr0iqifnYcAe!y=o5`t)}9nY*8FxM}d(?UadC;YS_%P?rk@q&&@((-0YQ zn9T9#lKU7QXs6Ub5(7cQt|%*EtP=y`blcZR7Nr6;cgTl~7;VCethScv@Mh3^hYI!A zX9>_UjP^TqP5mWMK>f_2RFUTwkP{F+BC9tv^Wdi2H*^2>X*RPi zE5?}rmIh|%F%u^h2P0;NJt^*r2c_sRy*WG_TIaW}%tqG89cv=mRZER8YS^D}-|6Jt zMS5{$Y0rJ4r&Ya2jB(i<;v0Q~0y#Dw86^2ODZ-{G9vUconW&}Sp_F-!9eXobXm9F4 ziqsTG0|jzvJFF!$kkT_BZ0_P<#(LQr8|>^7l>y(oX_)%m__qlOES^TdPN0dk{IG7} z4Um0tgMpYM<$|(+ThA8S7|vUDMm*ug;VB5qHD(;}M%~vh`W2d4ocfZ7Ph|@qEY+Ps zx3VOU9cu{tB0Ht+be)x^Aq>ZloTE<7>`q+<1!-xvj$Q#^hv9fOY%41;_Giwf|1D23f?X|bwBh7O8N*_(d#q zDTc$rHF>15-HoK;5U;tpN#P|-E!(meA? zkZ*?KH9MCNNTl&?Lb=B+e(G+>MJlW~6ym00>kt*lqU6x^LhCNtle^-giZ?^2uJ5oR z%Cp~`5MkV4LSRR^s+HU~^c~kvrFp@Ha`)^iB5>=Pfr#CntNQykAlkx2PnKA~eP5C! z2pa-f0DWcERc90S#Y-)~H_bseANMwoiFc$B0NbVALUjsNZ>DxSU6Wotv}i#vh&vcv zXO(&Y0Y=_)H2)oZ@N*oxc|JTrU->z-BRxz^yRW`Z$~@@gO`X@pF9Jupk?XL&WvJK) zqGH5YfW~5?-6qvLrZ~F+7bJj73uMcCrzm(Nj6MBpA;Wn|YsF^Jx&@(ZQQUB#i8=9p zpxIh^db9{Tg(*YbI3_>Q6VP-}DX~$N?hxN;nEl;G_oci=`jv?pF|WOX4kXY4;$-5s z(i)A`lgM5Ba0Qg70aRW9R)(R7;d=IkFnKDpeQ{lyleSlKg_qv$;u8{`LVen|fcAaq z{bYxuQFAYSNY-0X<@-#%61(dRZ#%!{;XW;;GEa?~WF)8`6}>C2j=ATPf~XWI91x^~ z`3~4*NF1!oo{helRH#3jFr53u_}}?M{zK|6fBT!S1MaB`l|Z)FsgO^Aoacb!y)a5n zn@pxfbIKli_zU#H56UG(%SqLYfJ$-{{gN-)y#rz4!m&6jgSqSgX6rgr?=e)Zc z9ATGt%Z&yDkMkTgmi5@P;P4%Xo=2|EZPV?hj$v1RJesPUk z#EbOG?q2D(Qe}`xe1jwfZ<4!{$$llxa^6obt z`R$npgAW@pX9glPTUbJmyXoKL(ga!mrE;PjZ?hVd%QGouor?_gA3>kK3Vzh}e{R$3 z2eI^=mEco?;A42WKvESCA_DJF712t8^_0EUm}}Qt*!M8v&MpKDkDRXy!4Oih+{ps0 z)V^<+ssj)W1!;u-SfU8d(0A3&v{}IwspzjhRS+)wRK=Oxb?=V^ms>rYFLYOPL+`}M zTnGr25l4QeD>iv=Arz+Prwu#oA}!D7UUpWn*GaMa#c2i$*~!J4vAM0j0_P!3k5qdI z^O4C+LAtC;{t#N+@FlOcJr^~rFo7FCXqAcV=Yy>y7MN;qNR7&-%ghSJW)11eXtvVj z^x#Dt0CFgc(4P?RMor(fuB{k9Q*kpgtG1}abks6Z)eGXR0Pa-%->OERcOvBmFtH6Hpf7+@U?E1u4oVSj?%#%jz-IgkU!4>H0~a|fw}XB%SRk0QgX5~ z`C))8+?UXxdF#jZ09$UHn0)?OJT2zzs6gT*2|G`G>ndW%a8?zBbU!O}Y+Dokdk%86} zs2z%tO#ATYmTu#NVXGH_c+0_PZHR);0|v5(=Y8J{$W~>CqghOBTjrvX6W3}6DP&do zdad1nJjV}LQC5#2UDSv&8~(6gQm~l4-z*9mvQrXGL|SY4UM18dxRolrVIu3#{XYl6 zXW(lN5-4Jj-mJC+_83KW|!~UW5~Jt`ok5%ZIn=SQS@f1!GVTn;Ya2t(_ULdckyJYBa`O2Z+mr> z^R((#%`BrJ=R9j&t2$OUD*`q{*u zDBmhOVp8)F(9QTKC)w9O2lYpFBZ2oqduw=)avC_{N zLI zETckMT5 zH_(Os>20AxVYGkBh~>0rXo_--AtLVtc;x2a688^R25R01is&=lTVLJS?$Ty)Q-D?Y zEFMztHw8b}O0g)-$Ktx<=8Mc^+!pvQV~$}QSy-c-0KkwRA~QT#P6EZ-Y))3FbH zph1=~ymQqi$$uZ;4zfv~0nimA@TT-A$dKy;@51EUIZfKM?P$9xSz>1!toNyn-flot zVb!DvO|6na(V*6m?kPODXXo^gj&y@4%xH8}gx$|GvR;VB9W%cP@uQS1D0`R*U^)~0 zVa7LpLuWcX8|#sgLj?uz$Vew!-5JL*k@POXU``d2bZg1{Eldn+w{2ajR5hIMAxPsm z%T3?}30CHBy!;Pju9*d=%%X2Z$+~TWeg_jiCQNenol!k{05l4+=6VJWy!1f~V zcfFFjo(K9(nKC=e9TK=4OJEo=yW0~zojYg&8=}FYUA+$S9CT0;t8oku+y}(ks;1%c zCL)J<4Dbc6M2m5%xCbt@to~&)2h#j+j!s_xRs675Y%~crfaGmyV}5Pa2PvfUajYvS z^Q?9Alyj(V@`U|5TJo`3O$#Ih+ZQ!J+6ma@QzOTz&I2?Z2X3Naqz`6VTR{EL>}<4P zcWz|z4LVW_BB;d6VavBMQ4vZpVlIr5UhIH_-B#q!ggBN&;oLHNa7+OU* z#%Po*e(|y&E<`5RI1FVA>x{G(Rf{UY4omD=$GBI&G3habq>^&VitO@lK?=dSPt{Ug zSeA{IB}Wr-{7`qO5|3?^Eq$I8<8_i1&3C!VrG@&(E>=mi(_u3Di;d>&hnq1H-dp$Xb$bs+Id8tS+^yW)lNP-<<3 zYe`Q^3JRI&qR;fKV412E=^lDQrpCeMuT>Oh3T%Cu3zMhpRH!j1G+t;n_a^Ae?ER33 zjXbqkShJOUy|Gp-+2eBjDgQb90c=CiU-q~MK#VmH#QHY+EtSyYW z)g|LH6jqZGzDsY(#D`QJ+vP8oECQ|Y@a{s`bB;?+rn^J_TieSSC`6;QbL}=)E;o+o zFqqn=`S8qJ=TT_o4>?xcrnKWVVlU2zH+ivgV_$ky8ehUwnBcTC<8!iU+Jn(&6v2g$ z@em#zv--SRFP$uUnmU0#0lD9E8+S#slr8i>#_!UgllK(JAJSir4~QE>TkVuZNLR9o>f-b(R{6arU*NMnbV|Um;O&9 z@PCXi{~warqq*}VnimjRkkT0g-;nNa1Kp{smA8|*###&c=YF*6TFiqA2eBG9iAqFy zaUV9PZT5t3mO6q9{ZQCp+&5bt6CG!WSW6(kv!0C|-Z=7D_se>&By1>PsnzH&2&`}$ z8JQJMsz?VcYQ}n*{eSAD-^%@zlP#V_(eD?!{O3I!X9^ST;zWtvXs>!%lEpG6Wk`;G zY|lcA)q$x(-0nv#gUjjn3WN0psbO<`2(453m7?sdE8_mO)EfxlQ6=bxJa{dQ z6WFD!!of!YSYRMD!rs?HBO(yIA5HpF!1rmWfU{ag#T}Hbn|`|^*|}G;siJ%azN_gf zH@+u+>z5;7H$s~eR}JI0AD*4=+K94YW*#4&@AKR3bWio(e<~GiC-;RKe_LeZY|<}( zL8$gsJA>1KY@UZ@6dw&ffRdSw-ozcIp`y?n$i`$G9iT8GXsR6aU2-W2Hj)a>hs*lY z;qzK~KIOa817pyShkD2Rq+#K?FhAdC3E8S=_EOv%?^enmbRvCE8zMP~8AYt2L2W&^Njj>JK4a0F6mdK@$?( z|9%?gs|zO(lVG(%>Nd$DP-@T(z%ep}M^7(vW69sp{^WqA{Gb{C#gw+Ia-;8#v=qUk z#j^PdRF#P2JE6nC7pVP~LCY&>vo;YMs#Vnx7o}kiEfxWXJU>mq^mR&pwA#rc-B8N8 zs=rfXrK@2&??TE{(f!nFho2}}EqfuT7mNY9S=iGH-`0aZiV%1Ppc;=AT}`;mdj!Rc zmVjl&9FX|1E(;{?LjB#552h#D-WEgVQW>5xwYZMgcMJ$Om9G;4J7zwc*rEy`_X=pX z-2eUb(}w570MoEWZ@eYo`+B!E4g2xGkiUe zmtVwWqN$FhWR`P`Qi~eC|Ao&Sp5O%$Is&21=zJ+t4KUdhANUR=x0*SL}?plNT7y+rw!77zrK@tYL~>S=8T16RCO zPlCa7xtJ6KmFtbTf#t?Urr}e6my46FD_r88z_hQyyIYuHE2gzECC}rpcjqZUuHqa= zP3d-fMuig3y@x0ws|W$~3<`ff+b7rymJyz9tQi^FeJLv`YZ>(0HwgJ*EJo4&`nzCnWGGX)9I z;PkCZ%|ywatC9D6GS5ym!FBbt9$#CRpl;x;M90RPV9%o1;JwYM`$DRiyBtK6438Y_lIx;?1tO1rTraq zAFUQ$pBl(;7M0rw)e1_ovCKDNk!j+Z58LMTjU=C|-W+BZo6n_WCU$Nbw1A)_5Fjo# zgUx=pqI9r1<*Z093xaPy=4pG}!VH1Cb4qEZT%>U|rJ z8yCv_Q0UxW^pYJ%T$$G$r2C8 z_3OyUUyCVTMJ$HuE%~OrkA<;2Y7W)?nQJkz=YXFOgI$386inF@8Kn1nWR~`-f3v)0 z9nI08PXx8EA%jcV`qge#-TYHKTd%gv)>?pBI%#C6-q-YI!*I+qu83ctwFNVo*#U_c z9I*YQFIuS~Zw-a3U+#Pntn9T?FG>!eHtvc7HU@8$sJ~Ua?F3vvEfMN>wX?0gO{5s3 z-gQ5m0Ny=Zy)#MXX$ZyNq~?Ghdq8>awtA}`2m`*>WH!^LHrdr?!H-|a46ka@NS#%q zD3=i7H7-4od`tKE&1JY9$R&>hEmmC5-lk5C3-{h2A_ak@n*xw@V?-+Es21$&6oHsa zy8t)uJmS8h;4shU0(21}4QOW0#Eb}IN75M9LvM+_arwXzex7s_Ei>|``O!r&XVZHJ zRJ*R)aM!oJv)DEo=nRN=Z*&`W@%;a3EXMHbvdI2 zn&K3{`>Jrc`4fvmMU?X0f~?j7S5HIge>Y$Lq<=z-e+gLF;DX!=GReT&#$X_y1k9oB zz+@i_&6{hH0y<3i+uO*+*iT&6Mg;c(PC?_;9xz`uCd7CS$?kr?zk3zlyd zlq9`!qvF#3B=7#r*2BoxFNhQ;E&0U_ka*L8i1&lENcV#&XB(IGYQ$_#+pci+9WAMa zJv*QEe&rS+=`Eukta>iEbbFbT3T=9_X_5sS-b&R~uc2m|6|OcuBnjf8;oo+$NnDC*cKG`N<>yks zz7fmTENM-f#WMqUoZdFoLUHC&_uixLvov_XF7lHd|7Di$S9>q{zXc2Db1p+1$UTN0 zb;x7d{P)5#B$U{2_*mlLgGt5(d1ZvMo;soY4b56ye)j%nmR23*df`=EyJ2E}%2<|e zqzUl20l6qCD5r1UTh2jeCNcLvf=hn~3;DPl^%^c*&iyktgxA2QHP+kigzlR><@0oV zLDe2%D(Q4>0zz=KO{(iu)U4E6#ud?@@B^vKx^8T!bN@q__KCib_zpFpoi|%XGr1)@vke#MQtxz^aFm&8<->~H69!c0QU)iIx1FmK8CX~@6H8a zrx>oV!HuH3Zl+>V;1*)B9O`@Pc>p_H_CJqG+2?-DaBYX=a}iY;%0j*W#%z(w!19c)v!MQmk-G?$lzwO@4Q{E@|vYwRSUBz_&X;fqh@|8Vx!hU3ajY?6sR= zT2~oumJi=Ki;O>q|$pK+SB>&!145hHmHf3_1^D5~31<^97a9k6fXf?>ZDFXeft-aCOH z-Tz(x)Sn56lBWdA6g6xHbP>Gi@Y!y)llS`|^oggy&1^hkT4i{>dim52BDMgK-@ydm z)5zRU8jI?w_CMeC$>!%9IAZ5|4+)MureZ&T+^mhfY5Vnu9>+8=xN+`J+nnX?P)<5B z^Pc{Svoqtzq>z>*4(hM*)4^Ie&mT$0M)sIzZ^rozx`q($Ei%A*(EhCsOA9>?Q7ui% zGvby--;}RNMOY`ij@x1$d~m(fmp8=|uFycY!E^1+*X>`*AjK-N(W@#A&m0N65=T(p z`J5e>7W-mGmV7tUtggkb89(25Mn8}G>I5dEq5#UdVY@lF6p(omb>jIZ9Mwnv5Kb(* z^gr#C|4&rM50`)CDP*2#{G>2FkKs0}%H1AC3b)=Vq6PLOWIv!)N3l7nF`IBHkV&<^ zFa*KJZVGsb>Wh@wT7kDy0T-gnRT#OLN4ZaHj;vVA8UI=uXOIn-GAH3?>JUFAt2Ubm z1)=Zp;EA7H54*0h1lfaIWwf3@4B}V6_ z3Fv3L!)dyc9g0L@q-=`2(@h<-_+xnv+y*JQ5vG7u<-KSpU*T2#Z|v~`3RE~I)_C~w ztPvxtx8h&Al;TtHxOsTSu|aTueCsQ}BYMg$)F%*R+=IzZf-R22M#h&k1v4MduwOY7 zKW9L`pa*9vr(P`a7cEJFEdV0gaMxBpK@Gr|z=1zC7vxfFF0bR|x^CVJ77(9)^^Il1 zL_vnYitosP0h{dS>E=_s_m4DuBB66fOUbOvME6UY7%89Ko~qI=J9{p<%|j#mLNUu9 z*0CC5K5D-Oqtm(Gy7c-Kx9-9!G@#O?K-cRIilkSwHlwtd=O4&e0p|ZsUXW0!`_j2j zqDW-a#5rqgy9&QQxi!C4F2aj5-Hvr$CEVpT87|BZ88!1Ni~}bx+WviG=;w2tus;IW zt;Wd%l#{bto+{|Is#^?QdZ*GN=5h%A{tF~Ri;;xDViAh%?c}^bKDv_=1w=X-Xk74x z^8zQ4@^x1)C}N?Cc7P2LpOZWHtqg8z1<-$t zE1SdR)8|$^T%vE5qZrY=UE#Xvt2D}JYz)HCEZ+D}ZfmtIA3ctoeKW@asR`kdN7uby zsl*$vc#DtU1@LgIotckpk7i4L0@uQ>LP0%XWA@9pHW%~(bq%t09|r90khRQgVjb73 zwx%gQd1EMO*=BA#t-Qas%NGXr95Ge*n!Rw+)_9_k*FBREZD@KwlKd!f=WCen%Zp~O z>9nfmqUvnHG-$e`7?O7E;X&0I3UHJPpJU$Fs(pXo&3Tw|zSt7*I=`2I2_6QL0BcN= zt*3&Op8y%VpCk*%@2I=nb&nuLL!k`2W_8*RC{J!0Va+dhVpX4JtV6GVH2)Y%8bd^* zwIRb_+lnvDquj67 z9!I$iKVcD(p>+X%&w>?jvLvSJ#VRxdQg7c9{RU{;7|J7Iuo?&cg=1t z|EzH?sN1ZKM^yDntyx{10^BdLs_y{F=$e*4&gHjN@Ah0MlNkRre7EPl$`y7hoog4b z2IRk%tguV_bW08MOfUwDedac9eSf?d01+a9<<mqjd2o8QekXnvis^egl3_Hua`W>TYb;NZxP(QqR>K!6nWu8bfOb?2elFPJ;%E zKCsMS2nC)PW+1m%Fi{xTr5s3kEj!<2t6=mb`Q41>d_`zJ-4;0skhB2akJgZ)w!kbo zcCe~s{MIDdNwmfazy6UJu-A*OwAEnJHUW{K-pX1vt=D58Z9HH$ZUdl7-m>LH{Vot% zR=jfNO`;vjX->1M<-!#`NO~zR54XWoYi< zA(omTIveo;A4s>VQcyATeQ3wd`?O(s#5;NKU@l{f#}rxzsFX{!r#2fvxqA>GE#{~( zI?WJE*WS4D-hT6i5CaH>?S>FON9?Ya%T~WM6cde5-Zq%rqy~bXM!f>qT!%Y8+tS}= zYT|7YYNjWGsPq2;m2mN2MxXz)&Y_?%W5deC;Xq@AU920S9j%o-fJTLaIkpSR zZ>{DDb2@|P@k70le3Sa|M?TDO!(>*}Iqw}LSFM1{tWTQplFEQNS#-<07OFo@fiA|MR?^3nRzcoj!ut4qAgC1#x0w3U2VqVMx{`~E+>ls6*;|?W94)}*rV%upqLOI3 z9UhI@p&xr`*>RGKahy``Hj|3$Oku4zEpxMCy8P?UDQ8+X*lD1D{Gl7Wk+|;qC_OeeQvUA1}VmeU_&Trh+gSw*K^9dcDHDq1Pihj2VXbgdz#MrxD^Jx9m?sl_Fpxrv z+t=k-q8>ye9s;azzdaGOq&uAh=uxk60c%Al?px+2g1B|(Gg?e4%s^~rXDQL9p8uO( zl=()3<4-)=mq+6zk{86RO=E|N5LFx%X-}rUBwWWqXF_jUV0ldRl^QY0cxEE`>UjeT z$qbgqUDi7R#+9iH7cDJiVrSO99{mLN`j11vfFN<%lu?<@+oX5SUqOp^{=qk$6wl-M zF)5n;LvJ&eew4`krf<}nwSVxU{Z2@JRcApaN9@~qHmXsvWJJ6Q?3FdP4242Jt2@@c#IEET7a0s);|4;^YF;&z$AgijA>3y6 zs&*A_7Ve1Agop%1qL>XuOBYJZlwji!@hVc2UxzF9_KTNI2=VV9$E$A%VRz;Q9;!in z{0SGCtR8$-oELD#k+HdDRst(B^3oUzW3_AT%G?OT&izki(>=$y4s-rwN7H~fOJ%GD z304Xn(I95xi|xA!MHd?QLj?`~6&LWnSlmGJB>g4%Ney_vf~M+sdzq)|-T@GLQZRDo z_Ai*AAn$Aiu=2oMpzaYz?px8Jj&M%P?b)UkmqHpmtX3+DZkJl+B{kjv5ZuQAlfNh< znr{2{4y=%ii*X+CS@w=jQi32dLN)Ud?#pR`wA!nFt1e==>X#8S?|YM_7Lu}0XVrQN zE63T3y**b8s&Rk8zEv3V?$`JaF?#1Yb#vcJH{p- zi&Qbc3RARNPlSFQuN37MM|V~OF(kXLM1{=LqMre$VR8>A{~zMs!>y^UUHe^Du+XJQ z3q?RgK%_`V=|vI|5u`<$NKtwV0aOqYDWOUSr4ve|iAWO(9i>;55{eKINFWeGfN$bj z@3+5w_CDubYoBvn=O5rAbB;O2GoI(Zf4A)ltlSt(u@jCNl`iN~Y?MRX7@QW!18yZb zeeGNh0z#MSRxpPaDz?j8jD+!_U>fcVwbcFhmgxy(xdTFYMLTCn;rik?j;wmAQLH3@-KH%Fjl&Ty!m-&%aut5?b zxTQ01OrNXy(fJ+y=vTz!JPfg71dnei;v^wYb`4xG3N09Ae0Dq$wnUqbJN8GT>yy(; zInmOU!Xrjjo=ntvbxpfr3Tub%c?QXI1D5+FfsMJ`)46{UPhJV$-$!b2xa??_<6||{ zwlPhdtgV)^_PODn)noSE`@eZ7yd3|Vck)5<;cbDlw?3^5InLd#%sm?>M0-`N^qsnE z)fYJ=qEfrsZCW)he+r0~4vGV3ngfT(kVzrW^@*5-)$)&c^zF_P6()weP(WvjdlO3k zidO~Z9_Cz*8Bq_OJ!?|_ap96O-kp}O%K#)5XD8|$@GY@`wHmq8?5xCAu1M?&ELUG`SDBdu_q!Oa-i zz^DIA_IGpN25D?!ph3$zsujw3$-B_&3ubM_$)5L;{V4$B z|En;rG3(*RNcF`qZL0suuiCjD$)+fv`CuqeKazP;>td(>If)MsORERL}c&AOIPeg#0hYBHpi4_QCdp|nBUshaq@;ENLPg&%sEBNf) zXzbMw5BK0nVy0tqmqMsRq80=@H(2y zjqGB1eS?_j6|8uSkZ>ht|48>l=uz>*=)5mI&Uq(B89)BPb|X&%aHQDP%2VHcba})@ zi@B`>3WQtw?p~tz6qmv`?o9QKEgbx6PsdvwDz-*RV{w^^ZLpOxu4W~2ZEBGTtM~=* zQausxf}7NopTDOB-krM&E#%of3>ZW{9@GJ9`eZNc4kGoCF&wL76b+O!=~p+AH9)5I}?Fv;K0(dmAbz_#y371 z<16xNeIz`o4;$uM-W5=BM`=bG96G1&s&lUBvUZt`vr5J=c@c^^x{Ork>1ch%5h85R z2~4jkZv{GO7@g%@1X6W2)=(t@jFh)kY`gE6AZngT7|u!&Q?}LlJGoIJF=^u)6%v}; zgW7Z?k){E4LV^CTvt#>nVJzSx(=ajnpMaji%pu9d7C2}k+t@6wW?KV=amvgE zWpHJ>!|Mk)V2K%EUl$IYu}=VB7CUzfs{|+(a{<}RuDJ!mpYcyH5PISp0l=ZRf4MQ8 zq2mnSP6eBml?(!oWpAyuH7Ou@p>U{YQQY80y6Rdh!`y^pHp-O6iSGF9T?6rp2I6&^ zie;r%Rir!o<(n^+v80AA${{l%qEB@Pu1YE~h9xupOcP)fsyoiMx@Z_C0oJ{W`SnEq z*JAg=aP^HT4zBeAw+qadHRYOCmYJGNI$hx_%F#^k9C-xbU$cWT@>X%O`yt&wmt}eY zJc&?~{`5>vq&VlVA<|%UT+oi%HRx>jIxzu-LQD+RQnOW z5t;I?^F`&95^GPB9F=SO`d06kIi0@W8#rCmdK$o=zF9o3;S0c_F3NrB@uwpG5L+SU zJbZ*c?Qz`Nqnn)^g@+hYE2Si%v>saz=Wi87G8Qr%`Q1+kdsoQGIBIqp0p6NVeYvEe z699~qnCS9`Mw)s>W&n+x?3iUjmw&go4in)+&TEz}MuZ_?oAW#m^y0(m zdD0-C1LvY|RPr2;vj3{^GwN38>7OO;-)f-`KkD5>&kfLWJYUp!7`>(41xEo%91KpF|x>E z9XcxaO0_OUsDW9-0HB^78IhoWh*UKKgpJgDe&0Ph+CM!%AtELNFl99Nwtv|jHKa*n zP_?5@@{GO#m~Bq66A->(flrjDHG(1gD*Fl3Z@j?RbD%MB2hKc2Cd_Rv2V~^w7QW3WPMctSQMI;}D8gt=}HrzuLZNmYj$jmP^+N%S)R%byy=wENrCm(tQJazcn z1=A;n3qbSeHnzufD8>+DWIFUJ?=*uRw}3VwZiX*uUdE#!USYE=5prGt0IVSk-;?iP zZ+(3uA=Nv3y%T-Pc*rP5mu3p>|-7eEsdvEd3b-4@H!cMee8t(8>0kE=OVYe zRl}nKua!xrbT3RoId(5<KQ%iR++*gQSNc3!;qD?pTFOZ^Tij#*IVkgOmUGq= z7-ES@nOfi7%rGA(-C^O%nFP3Oie9$Gg~7PnQl?fD@uHEq8eY=fkOdsZN=)vg62aUh zRYQerh2_IzEElB4tUVvv1s6TG^X%akFW@Fr-E_sba@!0GAA1{>AhB^WUfcN?hX?kW zq)VRDh;hw)N5sPjdz~g{Cc(GDlE*=c1ehLHG=hT!akkb`z=`dXQv~r0^k|e7KoqMf z5fSWjU4AeQpfs}{BCat>w)Pi+ki8cH-Tf_h!(YGvnMWkU9S+~V7}B>ANgHrZvcX*# zcdOIFdqB%>b-cpkhtF6W(CV{Lv%$F@`9a0sj|(JhA2qq*LcaiFUfd?9z)W1bD14v7 z!}RTG{S(yypbId0%5=dTn9`E_1l)0Yg;*#c7kZRp6aE31yuDb-Jw!EbJ{zjKGIXG~ z{`{o6;oFEi>MXQvrZ~AkDCT`_a@6-KEr(gZ-}=UTd(gB;`%;R-=5!-`4^^V|vUANWv5uqt<*oxM+r&UW!lkCSTFcQ}V{y>e1+&QCsZJmtWLPHTHt%MfCC?ytdtF zji6RK^}8!6Z7fQdw|#`f_)o^dQh+vF$kq{H6{ruBq_>pJ^FTOzo7mkA@G z2%Gm};dP@gK@7D~zcWlx-CAsl#_eL##?@epmv13 z>9BE-r-8nT;zEaxizWtEX`DbI7m0?~wZA%N^7U2&URq)dNRRY>r4y0pvfRHlEArBu zRj%hzriANTx%^~)7*n10HLuN4&Zwf_$`4TiD-cWofSDU? zB2RMjWnBQjhmvNbP%>MwN07vwewR{1XFIGM^Yi?O)(ma{=0Bcf;f3cPbh!;tHe}%C z2_}xDSSsHf8RJE0ZM5plD|{g&cP7^nbA}>~+HG~_byPeD!gbO)3Xz#CznABpX2W*F z@mRvq2?4)81#Co_U)2u%mUo&DgJAPH5U>6oi?De#d6m!CCEDsw5eU!4KrtG ziZTI#Moj5lo6_WN_R|0+tYg~g_FeJ$PP3n1I(5YhDa`qdStSFVvu+ue(bDgH3pQ?A zAIjN?Kem>Kya1fx&pZGPB33y6(PC9lhoU%n|C(><-@ip3wKbp9odPNsiZm0-aRg9^ zHgKpQ3F4ox-!Sd&~`*}O*6QY#4l7-6XA!LIaOwK} z7d3fh+1kvw1}r0!ppK8%^tn8aGeX;+z069O@ps>HuwKa1SuzMb;|^)UGV2(I$+zVc zO1KyWxuON9@0dtU>IkZpnaIKP9%M@e7Sdx?Xa6v8(tl^u_o`|7mFf`PY}0-*M+~mn{6FjGRhrX8pyTr_nUL5`Dc&onBcn#e!hbUr2mN+q@$7= zr|FQuMjj(sowh+pUX%8_;BuSzAh%j4d)l0V#NyJ$WM68V!z&vT4cNk4$rYE|7;R+_ zoS~GdA#T>{7WV}a{k=Ouu!T0L7mO$n<%EEb5wInsCsjPd!J?Sy$Z(Nkz5iV*V5`L`iMD}2||4~4pO)Hdu6MKms z6ceeN5l`BE7iXZ!3>!h&e2rA|L7Ji%Ji1NVU7{H5M&6hjgeCEkoj<*49MFE=IQv(7)d%1+(f4lx1fP4T2CoU zbt&_yr@}_6I`3<7u{uRZ>zZXaKkogU&m!L|d;jXkk3cdZ!yh4@B~5?u-0w)zXH^0W4_MFp_Q9`^DFr;<4~a<#VhE2cA`#)k$T-5?}uEEOV<_n9^!5 zA;0+kd9i2rBC_O1OaUPw8!1ULe5BQcr;LT`MV3#As-ouZG82rtQCP5L4&)M2ilB>j zQHi992+bAY>7vJsgs-nF)V3*nfR%BdupHR;k3W<4qg=xMUCpCh!sjPwcv<_rf~(sy z`~D-BaH#^w;W(eIYk3LAsg5$N5Gc3N=#MPP;~?^5XC-ezj3q{}<(wPYouR1F2(Z*( zq)vVY5I#skvK*dMsX*B3D-o7V41AUxjHm7_)D*M9%0L#zIdrnD-!Ecu#~|m7!EBd# z&gJtj)fhc_rV#LM007l!0ic?Xnexs!C7Cp9#zizsD_XVgLFB05GlEdKg6uL=J2^hN zVpJ1#bchz7eqrcSEdpC63@8rp509uK#aCAF7T&bJxNxm>0R4{M#3f$~-#6a61%PD_ z;RjRyd@r6o3akkc#t|;eX*T5MrgJ@UlKGERLPs#mQ7R$ap2f{cYn&s&K*a-rn-P*K z2qzYSi|wwe1k+-LJf$5=DL6%=>GhEAO z%?a^{*5;^Wx<-F%ftHt7&cXERPPaSk527gDp&+l_WQDv4X`!Z+Q6@BZVFOXfS^)?} zOAdP5fx6!p3j7YK-=Tz)3u7x;r>d{O%Q;!dXkO2)vnm(TS@6hp@dsx+tymw zagzHI6C4>=M6aT{g^pmbTgVI7e6wP&h?_6uC_~9pE2I~z8?s>D>V0Hg`u(t zS;IjC#Z%7oT}ZP*80Jmvpn>}94$cY2HB*=JS^AKcONj}T`OoZ`Cj}Cy!!Bjr`6OmR zT!Lq@=~XGj;+Bl(T~m^+na4*CmqxO4H1;xsDi$4FN8=jACWQBT$iz2eg8dVeHSuPtFA(bQVjn1a~Lgjln`Hj`p$Cs(?WHu}a(O3Feb8I)x5BW3tTAm^xx?I?G}wa10wBfeI|qoJ7;xP6_3f zsP^GPIXZq6-k`8%d0uHm#7%|aW88pn+er0K?P)hH&{10FH`D(?W}w^=`Rn&_8>6Fe zgHr_8!jl8AMD>ZBFpm;_wRW87fJShrBi2ks@gz?)hbv-nBPG$mV>kgMx9FZW&)#~a z5Kxy!5x3?svc;+jJ!xrkI#2zrxAGsdjGaxFe}FHBvXAh+cQT4EV9|U7SmZAk0v35A zz#@OF->x;A`^X~iIrdZN0a$g|*w9moZG6}k%k@LL64r(6<4(X*HA9NFSSqS@> z0Wk8?dD8~)PtHQiqthlMoYAUHGGCUFFA+DSz*wbkA~@h|@MpjJpI`OAs;vK~6*11o zbd3o!S8!)oc9mZ#!z6fW$!f@p!Xk+mw#9WVr>b_6bdIS`|f226a-uXg2j7 zkQiuFLBBPLBF^PfIEP9eDZB<%M8lJy!Q?yHDn(7ixX=P<>h6As+QM_lXf!V(n z?q`Alp|6rf8SI>8#TRgChBT?>Gdz zMfr*$#!q*bW-s&hvl?JH+U!I`M9zQMbh|ayjB@pR3%wcEsTrM z`ZfhHAkJ_AwLBmB9~grFwSa(X^fq?I|FH)LyJkbcz-w<+ZCY>l$eF7xNiU4CW`D*7 zI+X^b0C9mhATBVR5r_*MNcqm}jk}GUHW?jD+c0gwyOfQ0ik6#Rgq(NzY)X(S4dd`A zKo~#e?xsf7sJ0_k@on`23@@zZyG6Lt_HV`eo=HE=xG-$n)t7Uu?E5v}#jQ%I*Q((U zAd)TNv>dyG#!yL+szANe{h()>D7D5>jiBdO8$Dk?%grqgUM?Bh-16+a@x7|qT7MNQ z`dT46gVt_V{d|t)t5!enY9JSjG~DO0gvnvRMNDnA^YZ)8E+ms4*8&rnzs|~kErx&J zs+pO%1<ez6hTPwkO7tOPG((#T9F zQlj!vHo^W&Or-8Y*@t$$irwTvXw!oAQT2!Y(3{(M8P(}KiLn*D+EHw3z01IGLbIXj z_rp0lTUWSdg8nh2nM)C9sc$(7Si3(P1co&VOm4x|F9)zHFY-?B&^|x+@{_bWl${Bm z7vUCGWZLlIPFiH`JqnWHB?{kDP9Yir30<-^!R=(hZXqtOw!wsKYglw!VZ5p(@cBORg`3`qlepw{koGf9o0(v(VIBZE$M19RqcZ;lF2UQBe` zKVJ}Bynp_7UPu`*ymq>+bvD#er0GKA2YsnhgrmTlkw7@oNU&hIMN3`tO#%ou(h_dn zG#G&<#(`BG{BJ65J>gV4CXvG}2M$O8`IZMbgwjfNOM<8YT^lYyY+z1t@OiJ` zMKpw7<#Oirh-l7ki^VfOH4GylPQ{Uq7&SsEJ3oULax~P6gtWO0k;p4WNqR8v&Q;}N z3NjNsq?jO>h`_%)H~x=r$JGqD#j&5vl?C>p$imv9%`>l(H8H0FSBzBq@6^DY4hWDM zsBS_?dxxCH%2wm9wHOJoajASZgNsdcQ?PeVa0M(m4L|#qXO8XfETqooH&O4Y-7^Vl z$61JigXdd?a|B2W8j{MkDKF)>oUxUvq;4+sV%Vt~z!pPvnwrxss>(eVAq!FiF_{~2MollVJK51fT z#6Ygkg!uZ;X|~U6awHqpEY}Dx7)i7hpC-i4ZCz(7iO`bdX9y-6aFl?HP3d=MH4?7f zr^E4$8i9B!1a^v5RnZvOTm9S|!v~Ep(gTmHLYu*&zb_|H)nK>DfBNB!(;kTo)K~~F zP9&bDCI)tveBA0CLFA77eA^9M z0QL@kkCL31Rs3wN+)RAE1CeIJDqQLp3Zrvao<$+q|8U?PF$reEFEK5|W-87b1;H7q zJ-~-~(A)KVrjWWc9!gwE(OkuLn))uYvPe9*AOhcTj7Ilmgum$kUF3OUOJ&Y_B47;| znHT*2CxL6;I|%H zB8<0j6$|L0g=_R1@d+ndbOKUXA`MrBcmX|hP#rx!@|`IKhpCCxks|jahSF?Pv`By) znylZK($K9n4alLzg+yN%#NMfTsLA!H1r|FvBnE!(nOiwjWqor<)N=`u^f)T}lh~65 zMf*b2j8T3ySaec?N>T8|o)nT`cLexFv?U{PsbXNxK+LOHSVg^bb*V^AW^(>R+V=OQ zy|SfHAW<@S@2vmaziNxWI~DnKI_A%=hcd4XBLUc0Z&kPTYRrfZ%$yr&1-(!@HCFUg zLxd}68RJppC9%2@2N*-MFSIJN73z7dqM@UFg|1uX3GlpJHanugRxEzzju9x%P-=@g zIw|yHX(q1`#H!8ZiFtx8q42fmyZ7&ras&G6p0qc`v*1xoa_T4kV3PzbE-}Hjwz@mQ z2bNnpu6-NO(99j9EEICj&)V=uIiWE$Mj}`}2>rsXLK=wp!rdS$BTR)4&S;xN!$TU6 z#G{iLycS|(xL*xeYb5QcDN{s&%iB4vkUuAQ(CPm{D(`szkt+-MXcRF8tbo(osV(}2 zA5f8rb-LiLAp63sGKAV`t_ja9uoDEqVYM0s|Btz_Gnjms;P zztBSoZ>v?kf#7YTF+)o^Y+hYbNhOE7_dx_PF<>DA<2h4eHab)tTV%pdW0>BLGvl*+ zq94g%!nSqQ8umQb|4Ub>E~;7X3r914ybSTLzVaJvp&FaNOiPlSaV-$-$>vae%l%&S=R$|Xu!X& z``l=b@+{(&^Gwi?8!mSQv2ClMTPm*SE%DAycrL76w_QQ7#&T&-tY`7zw)Tm-{& zT^31{KUHtOz#Zj{fuuVCY@%aM=Y^jaivvy$<>Lq{IzOU>W8^Yv{!Wyq5%i>j>yi_* z_k3cO)QS*&x;5iSzD|T%BQ;S&3T-rMn&CV!rzQXl4zm87>;j{+|JPp&00b#mdZZJI zpwXd?N$B*58bG>XGo;Gq)kW!f8U)+sB0d?QQAsr5cxqQD1}}$ZTFfv2^jc^Xy(;T& zXGxk=Z$MJE!V4a?k=7WnPgexJ=zhN#TRjooL}U_af$kb)wi}YnEsa|;Z~eD%ew|Pt z&Tnzy77*u0k2~2wy&$=ImXEohk5Ex9Qrzju%W%4z@Uf4qZ)|K34T5o5qCONwyS5qKmK!+Ng0 zOdg5YOy(VgLW6)uCN}?bb_LZwqPALq(^80#q=`Le62nxh=LMW2>`LliJsX9R&!*!I zAOM@RltPx$#$s%vz%GKIz2Spyvn^W1wxJ=szyW&`5wo`i1HbU4<$74LHE&;)=E4HI z3{(;@j-?Aa5Z(!dj>z2%V)&J@ShY{_31%aX)}tt=_XFp27sPiyrNGCxKJksjC5Q72 zd}NJm23lwLRNxiA)A$;W()cJxX?*ijSb7a|G87mZ4)qMb+qc;GBT(JSQe*EAf zIQa&)WiF%QrJ4RHDocUO@%*?$)F%cX_BSUv6_7#^`1WfCD(p?z;wI0TQf_i5SW7J zhqF!jIj@e<274nsfpD*3;?yTMm9Fx_ojtWYeuh!!#C0tAHj5=6Q@Gn0!sr3tNpY zwyd<%=+~$e1bQoRu?aNKqoodDx@6JQAYkrgtutW<1f{14q8aGBQPxsuKocaa@hzaebg6We#bSkP2dEuD;UU^2qFAos+m3m-tWM`0drW_5YD>27bF* z4>)y|D8XXCOVuFEC(?RI2+V%5H~dTocv||`X6_KzWR~cHv6yMWVbGdaiD#?uZC&ZF zYRzf2*UkJlzbpfl<+@y3)->f2r`p_`r@!)TtjeoOt14nl#jVmLRB?!{;VY^K#+-hi zjyX|kn;Wg4`e~T2z|PFTJ{Bpc9eAX18CGuUiR3@A-cdCCHo3>+ES9liSm{XQfxW-6 zzjILjFc1bwg@VA!R-;5$4^ELX9Gv74R zk5PbXtFVpn3a3vne-j_+ z75FN;WYFi3f*Gkwfv;9L?fErTrC}hUq@Xe}P>Aw@^M<3~0pdJQ8eg*6Xv`;Ry&R%a z_4dySewcE?dVf`PU${25URk%sfcg%4HH$0BIK2iv&vQ} zMR zU`t8JEk)7Sd%Ap8WL%al5XmZ_LD8%2I^UMyeS=S6;i{mugKK6Dafcw`sbZ3fjT{bF zeKmuJ1=*kYS0gWrBaq5wHPy&)X@b! zuZ&pZ;FhoK3mGwj52g|RwLyf)<*Dg?aF0QKrl)=yV_|2R+hDKa&nyq^G_Oggk^9?Z z%Gl7O2ww9qV}&i0hS3EE)s#m~I9686XoOJGK&S+*a>Au6%^Fs3rXLIU%`0uWhQ8-# zB4k-sU$&y=u(uuBE|arQ$NnO_YOaynZw&ruCTsCR zdZ%bEx7k=S5*D>AIOrsplrM2+2$Qt{{f<|4f2&x0rsS<|DKAcsEkq}5zBM`AaQ9+v zuBzRa3Ta{X94XR(jn2JhyZ6F02eeICgjhZtjY8q2@AJ&IWcb4t@FY@KH5`LC%L?P%net8XnHx8gfyEnzC6WTldgjorshD7&Q(R+Lc{h5X_q`ZC>byDFYnH$i zkd%h^y~bn3f4|tdYT(84))TwEf7DNB^3R3!Ya9}j$;rMQYBiXEy>EjoRpou}d2she z_1uEJ*dJR6;mQCOtM@LKb#|8Jha!V1Kwz7Gx?}o7n@8K#!p_%~q!Q~S-`(*JeUp!* z&1}fd{w#x)H{+UiyKKD}Z@{H8!1OEe{#fYgg}&f}xwHRXa`K$S`Y&zQ&~I&*1oHGz zcwxJYCZHPdhEKGxDsDv2LykluK7h(9K~f>nAVY|1!U9fg&$kLFVyI(CAJusJHI3sOKqaT;I zbz`Ju{PLsak0B)OKB@QVxhu<4u46n01-J4WPks=A+9Gp>)iZ1djFW4MROLqE+=|c~ zzjEWUN3U=-=9TuPG#b;`X1jAR&55>ztBC!_i4KT}T;7!?T)vI92sMOi2MOa&^&H~Z zn~Mall#UgCDEsLm%Y>11b2go(tRE^0;sCuwFvPUj`kkt3-t;QgK$bkW;ysO#ht>OB4AxS;*qcfG1#5okic#1NL=d?hq z-U!06Se0X@4|vvf6HrR!g6(SmzKk!8__IcRW``s6qDFTeZZ7H(u>X;Tn0J(gNCmPG zVb< z|3vrPi0!hL?a-tCS<|y#3wEKdY4Xnn8547PF|a|F4l`1Z^4qU+Be{j5uQ_(bvM9s% zgJ628G%8XEeDWnlqQLk)R2Fx4F-2hi3=IrUmV2tiLRdU`UNjYvZ1cDWRl`Jh{UgW^ zHecC;HrKfE?dp>Q>QB>6&yD`+!>s$tRQG(G^MH+otI-!z)dPPR?&AvcShaYTic*<% zlk(AVCIc(X99(i58r&#*kA}-G^&tJ>di$S34*kr%e`Y%E?(cLYk82EVh}Y_;uhl|1 z)$FvX+sk8+iTZ6H=C+RlI1+2bp5zCrZ7w4T_$HgU^3HYQ6};+3qvT*%bsVE>mJW7YUNU-EN#f`{I)1ykV#x@pfI z8Q7TB(4wUOvBRWWA9tvmL&gxI8|on-O#ZepIlVS&&brKfwPCp+Y9ijhFImDYc1#+m z;f9JHKP+6yW*x&@C--Ki15y<<{QBT`(4mVD&q0gWx*-xc*?|gl-CJYsC9+4()Wysss{h6SsoB8*ELw|)ywF-A%PH|oBOEM z)!o5suyeQ!aq^&Msn)sM1fOo`kO6z(!D&{Gsi>dCPNC#Hhn=bP)8~0Jw4XKyO;YRn z3|r^C(UkQN2!PIe+90I@A5a@42Cf-GB&-v|pS}+`2pYd0EW*_oxWEb9q$iQ2Ur>W1 zD1A!znjk--(*q*9Eq6DsA7m}|^^h}pnnxrCHYksQq$UOmduhlZylfx=!!f_{fCu zLQk$SsphK@VrLL73|x)4Hq)~vz)--m#p24QjUc-RZ6jV97~A~+tam)p3JB9O)2=b$Lf2F$vGG3IpXM}q_UAl3HhDx-al)bOcqw2 zZctOD>r>WtNtjJNqY*s=t5O2ZWw1SNKEJDjmn#JM@!(h8azZw(XD_q_p)!|PI8m56 z`ts_PIW_{l2KRHbu1)icd0#)?oKN@d79H8UH)-*}@hgi66wr1&wkUX@A2ptH#cbfXtK-< ze>Ba%@bY#~AidFhiCn)4p!I zXwJ&sosqH|T!T_=C%q5%#iZwd_CR+&I#2b^d;-9&haJaA(_-M>x%q~v?gdOpkhx+= za6}+HoR|BO{RX*)D|IdzJacW#tYQgIVOCc8 zgW6R_IUZ&QL`$xmg(ngqyDP%B8hYzQ;erwW0tIT?obp3o8M4k|tK)mE5FlAhF-@%hv1Yc(8yW4zt;|UPral?CMna6os`h|LM zgyPH^!}^_8_7dZXZY9mL!4VjGoOm8?EiBp%3~*ArP_QDd#>7;DawPaXgF#D?E)a4RPmPM8#Z0lCs{AgVk=`lwU&Qj zLGj+@788-ixGkv$x`B(e%Nk#xJt!@CF#_7A>GF zH#UZqN!|+x8kXEFzW*RQNVoba(PNzr(1kdxq8e2ZfC*|Z>tGV$e-9TX34R}UTNz)3 zcfPSKAARn6Y#7Vi56oVqN(ZM$8J?zDVK?CEPX@%$3#-p%J4 z5d}Zy>_x+-BX4I!yF3<(Rcl{u(rMz|My_Bmy8M;vY$9MhkA|rTuFDOJMaJ1ZG{5c^ zOwETTKz(5dl+(cs+a%l-qFtcpvVLeOKL5Hf`TmhErL}y1KXN; z%vwLEKV2nGNV$_Y;FH|*HGy+#$5U9wdIfyc`AsME*`_=r!|Onb!SJ=Z$_y6OILf*S z6zQ+fWghHqzVV}(>aZZ|+`+?QI&{=*WXV>EMS~7H)X(jI8M2f zDu#rmtu}E*s?bso#UaZ1{8^B5yzz=gA!X1H&h$MFW2puk5dl*rx3B`{I!=YEu#vkw zu!+PQ_X3`vUs|tpj3z$TFg)dV`gcHUV!|o?4s|D5*pqu)55c^yGI4$WaUZ5?o&r1! zGJSLbdsrPF@LWKij^>bPAHtC~U_)4#RMWgesqBCty3dSM{QRLY&o87k3|=?FvHEtn+Cf?XQz2#>(1H1D=bzurn zflUWb;T9}XF5YnG#|^{7+7N>iFKA!7oA>sbHeLrqErgS+r<)H0aTF!{Cz=fp2wMBO z$yWEuNmAzAhkLmp&=`;w3%zWm?Z%cjEQg9;>8;t^w4=u2zBC)2j;`trqbiZdUp zU!B3~(Xz*1Y~Hi-@#Olbxa=7rf5u}_s-v@UY~|9!g|fFUQ?jQCSD0tSc5_Bm8r6hI{Qu zkJu-S+h?CwDD#(t>5Ewi?XNs6z9A8Zl~O4afS5mKGVzzj;XO!+3K zUa;g-3b~^`Hqcu@KyR|*t4pZa7TITPL6#7@;_G+Vojmm61pWD@>1SJ-v6t$?tAgWg z^su2R{)QQ&qR*>8?3p%?E>ssQ&3Qd(QTW*@l#TDS)?WsWB$D*!_1FWwbcLP+*dk^aBPjg5=H+zcSSADgbUIue^4 zvr@ygQKdlqyZ0}p>4}#!$|U1#eT%j;P5Hf%A&}mKgPkhpp2N+M!Sd{VSBIw68jNAj zTAfJW&RNhw(A{LdR7@1~9*KF9vi0fM^+iH>CS#q}KQX3tgm_)zIA1{OA1L{v-a zRBH#815KF!#&=gr^ZUC)`YVT%zY>?07PaTP6`L$yf?jT%;>Zv4#&-4IF}-H zzDbO~Q%lweStT7=OZKvY-2eiN6OnzittOfVi*ynchI~Eu0H|MuaZV;eHW4MG-7L$e zQQQyW=I2Acu{Woz(N!kfJ2QH{hb@S0R*L`>_>1LVMtq)TAf)Hi4y8TN=AsN%{x%&* zv&`-@l5m^<#oBpC!@ah9e<#tBh~9f2B8VtaXNcZL5G865(IaY*84`riMG4U+>JYt? zD8V3zD5Dc$l&I0mFnE8m_jAtsp7*Tv?6cST%d(cWnA=^h^1VJ^KGGy`)EF;inIVgb z74XY8J}+bg`823okNVx&h8wZt%FCFmka_rQkIhw3u={Id?%lOSw+#L|IE5fzR}Dfv z#AXb-H+hVr3Houh8(!s47cCFE^cCVJ{ff zi%-i7Sw5NlarPDkJJ@0jQMlQ7)FJZC7CI}pClaU;40tDc85f>g)+8W^x3`bU;kTiu zX1naw?yLN$*aIF$q;X?**7bAIwwO)08&lQP(;FK`|K4lf1o_v{OuD}qWU}qs&ns3W zP$1wGso%Gg57>%6s#KKAW$>9Z79egW@k8%YT@_}Q*=I_2eq=rhvb<-pIOxA%wKQ-% zs~s+q?;Up?C<-V0E>etLvpNW2gLDjXM|1$vbM) z|E}a2NBzg>O#NS@GlhBJ(1~P*@YMov)9PHiiF6?+_F1~wjC6H6^HYA*0VZN)Q=@Vp56Sj{pqGqhVa#UdO#kSvXtTX#L%}(Dm+He ziLx~Jbph7|C&|r(pn@TFj!~g#Y6qY&eVfGpI_85)BqqZ>$inaPl(2iy%xDJ6e_t6r zZ#uPxJ)Y9f2lxYv;<21W)3jrQnjG|UKZ~m*N{+pOO%mZnb{uiVx{0&C=1RhGxPKf? zeNY0mf9J0TdnPeg)7Y`^`%g03f`7IpmBu#(Yz0@ZfKL`2e{cWI&;&3IPhDgZcmwFs z5MC`>3)f)awCTIH6O>CyS%#{)S-LJ=5l%$uZ74o-Xa+rlEw*(-iM=hoCu5r8>w%1j zM0|`Epn5192$gz1Q%Pt0vfmWH<3A}w={DI7LJ29mtdQ1AtGkio4+90|sI`06Tt%mu z+z&fe{HRL3zT*i+z9=J&#=64;lAD$!G&4e@SkuUaM-3Qlo*9~>nwD#)ZW?N!KM9j$ znm|Vjbr=nh{EgVBwl4o()xLEL zn4JeknBO7p%CcP=BWcqM8Ye;_MDbabfP{UF{MvFuK;gs7N4a0(O8I(Q!nWPJg{6&kUETU>GVKu5YiNx$S zhAq=qYQd3I`_knk6k7$=Qm*>fm1B`1evTNEhHBwO>d%++hSx5=VQzvAU-#|!LN3qM z^3kGU%Nj060t-(N@gGSJT%lfCZOt)Ghn278@o(g@+X5;bMPf>~DFBWEr6ddhsuaj(>Rdvw{i(=8w&)Z5biowxgkKKZQQbtm&H-QMrz zHQWGLJdERb&rnKqa~A04qF$GHa#>!NDj%Prn4Wxf6&=hRO!_d>-#DmaKYN}W%;U;9 zhFx-2cSiLB`?#kosmmN5Mam#2#mclvVjRZheOXydSq^GwdiME>G&|%V(%C^xH^a0~ zVwR^>3p;sFgBz=+>ufkZRDaEHhS8pf-Lyadh`1$`NY=Gr=u80(py~>8$TV^ zwUl^qVQXwN$j|55agz^u!xpYiRK1y|GM4{wj)EBG$0MHOm}dqSuYK)t6bjA&?`2hQ ztXWz4mF%-R&532Rwus!SzWex_j~ufTj`i~E%)B$Q{dLw+x|yt^m>YLiOPs$HL_@Q3 zz{br#i}Yma4K7NtPlr9Drp~1ukDoVBJuLZ27SF_UH>7`m3LB!+J+u7@!Vg_ksgE}Y zEpFd+o%{*?cHFwX8N3rQ2?R4ZHzdmdI`;M5?}??6fp?R5+JL_ILjT;1CFr_hDm4Y} zkfx=I9337&ZgEs6)%xJv6SRmqUj@ZUR+xwVdjX+|{Y5MLlIu^Pk!@Qm&IA)UBMH>Eq zJD+9uH1?F3j{`l=YR9OIic!69HGDg_RcXSY`&C)**m;}{ff0Ric`oKi`_``&qV$)9 zLM@aZizygINty*IP&6!9eH%2;+Lth9^YCnA!7b#}gsT)vglZWooka+^4kfJ(rW_CF z0|60yrCM?iv6@hqNzD3#1sVb96r%q{HTWSoV8+Ep+e@9pp~HIloe<)AG6AQSvB#)} zd^(KyVT|B{zhDzD_B->~zzmRv?i>Ctfi!IeX42IPhx?XbKij+jDns;q|4FEl+i18TO2UF>Y-@#}LiCf4*2&pk)J^!Gm-Nn9ldzCQ z`TL%R{uM}s!D+s+=Z)2c9N><1b><~k#+c2gF2a=d&-93^H*uCBrgCb4Y2$0P^WQw)#yhuSB zWv6hr{onhtxa#cFZJVK7ug@ZZ;f3+Q4vojLe&E>fx!-sf93DAUnzn1 zD~xOA52$h~b2LCxB^v~sd3pVAG}Rjd*BGFZ;cRIYvngg{4T@1El~nfh)dqM(tKHDqHk=98Du!1|Pe*QaSsSl9pb~=6A+;`>!jRo6b!iWM51qyU!e(qxZv%D9#_O&L z&46^^9RG8rbhA`CDO9AB813kgp2|Cc<7U^GYCNb(U0QQ#7_Cj51G?Lt0J)Z_w&N}C zTJ5L6{i5o}-_m>X>XhZa*xU`+%Q0jLE@VIVO>W==Br}c2cT%a{`B>aTv<+K;t!lnD zb&c#+c2j?_|2+3oQEGSB zNO|Lxcnj>I^O}?$#lt^0boiQmp7YFsj}Tx zd@fsw57?2F;D88YQZR`h1%PxqO{o$YL95yNFSf-Vqq7azyn3<#TXKZ4&eC$YT5N$) z_s@7Jm^BlQ*N8Xz(`a|+PorHnf7n_iJw*?QBRoks)UVjj(E#cqE>B=n4ej)&_z(ug zEri_|Vj++8em@qF2(Wd=QrN6=S$bo~RhxT6Ah3ddwg*g|z zl={y3rQW*%^kug$@N_NdBe0pT?4o`$q>{}|?r`G8{Gy*xiHuc%NU+8r7rtKoE;gQ~a z_w>^bvo#Ihi)h{%oJMp*llbg-%yIc>dxWV-@lhNwJIv0eenieEr8n?*3jNBTmF1e3 zOfrDcC3Lv&_3RZ*);|Y^(e#<(OX||9AbCk&wP$aPRD;t9ej;G%UGykcF!tVDzlrpg zfcJs|D)q>TtzEO<#IHbCX9RRtlxpes%>!XGNk{Y6q()PCStYyY!k%~YW|}ztYms;uw75C zIU=tsMrV6`|NVdgyG4%ggtaJtvpI4{pICnF=all&c+atDpL8|-dbRan?cr~B3!ob& zaXlWS=VIe6dolKD=%QO%M9x^}IIS&vyTo_ljogp*0i_`}D~Lqw{ycj>{HeFA&__o1 zjP-J%xl5aRx%9LE(5C<8XodA8T+=}wg_sXr z=ob2~>SqA;6Ld25vQ#+q4)>Ro#Sxg+(l;IB#_i}ks8{V_D8`mkS1??oM|)gq8$B+? z-o$$01=tsD@LhAltL1bk5yALr>S?(1Wlp-cpsYDF5Vpj%=y730QEePg z^c#5+4L1lv!SRU~=O?LgAM=%nl!anp9FosD-&yDauGkn#ZuaWi)G=Xd(((+%&!aa( z2-;>^13z-yU?LQOeW%`*dRWT3)_4o5U{1GL^LUrOkt0Du0@X4UVE7Gj~(69zc+e7R&&fa_k0;3zeaDcV&zR?U92muN7DqXId1bkSsv`>Y?&bpti)V81*ylYeYpWRuYS>5`%CyV%wFm<^8_C*WQpUczlM zAoV)B-J`)dOK9&>&%k4hldBo=pkHzin6)SW&XF+u8i3((kHA%ys7tKaE89 z6=e~=T2K1Fo%`I>=)-?cX9JPmMwgQ7vEYH%lJ`5@%05Vdm2(eI4<$iP9KBXkvWm*wn zU^0XO-krOhDl#p*{;$dN9`g^nu_E`Nu$p9#QvmaG%3yRaO3GkC|Nk01FYLCg;oCC} zgWVfxjLWrX%imY%F6_ATWbmcYQwCX2{|N>y_V!{_@*^dJDA-D2Su#2M%XV_TzXs29 z!dO0NmZhWb2&Y|W4-sDLRw7||rKGjBJTx@j<{hTmsI%=ggK`5+m`K;5w%;m%3yo2_ znEHb3su02(KY^yB+p81Oj`kZ)QJtHAf&yX-0x5-AdEBQaeZ z^Fr6CXi#(R`q~0OC{Jks8c-NbWwJuYLYCjdR!6Aaon|%^zX|HfI`6#(H;n#Obv&)+ zLc|%wKsXoIMCMbqGnz-Q@ukyvjhM~cYq&+xkPkmgtj1lpN-5*CtnqT>yDhi%6Vl5| z&3?!aRa@PV;na(G*nx8(3h& z?xsQZ3m=ryf1k|#{qC$izA@7--;7_Z)`&YZ5;9Hvb#l5HTyS{0Dz34b45Y(ePFCS=@N=Nk&i8qh_O=d z(K2Da&87YqmXmnG{@9k~*ai^@HlPICWCpT@PdUfBmAMK@MZ-iE$;|IDgvwbx9e zSH~MS*yPV)$!(k{P`AXy<90D{#r&`+V@(aT(hst)Zjt@{FPsCZ^U>b*=7JCo=<64N zmC_yDJA-YW6Z`_`-TN;vyYvM=4R@Pcpx_-w#PmT@S?-I#-88vhznHdMqS*KQ4*)gW z;FiB94&%A=0s8zkM{nTg_buK#Q^KWo^cuz=E7?E&%nVOBj`KS|+jKlQY_Uq+wU-zx zR^nOM4X2jfwfCV&;l)Qw-#&N?HQTq`ScEG4+M+;(z#(H_e7h#Y0`Z+HQ*RS1>Rt$Vud>@OZd z@&Pgfvn@fOazmo-+7q29$DTrYe%0o=_`{c$QsNPYIxb8J38qvoBr?F*^>P{=?^78? zg7{z}lRaMb#UMNK?IoeNyJT~wC&m)xnlvekuiA0sx7s&n{O0A|A_v5zyL66^WFDlfW|EN zf!B(b6;(*$PL*81Rn;g2rt&ONS4hyfE4d36Zcg8<{u4NfL%$-X_XUmftn|r91FYX39y6eJ?FdvJfiz>RX*WYR zur{e?`#ltWg?wi@w^CIvJ>Dqun=#e4f0Yr*Ge9+!l#s4D_n@d4cj6HrKc zQ4FM1hEZ$H%FK#td+T+ar)^y3D$*>S#^hWM9XKVm;)wzzuh!rodN?;||A=gHP7uXO zIjxI#Rha0=(poFPx)SKBuQyd6b3@y2FOSE zI={l5co?P!8G{rKX!=`T<#%@1m^I-S^XAB20Oj*MBKJ1Hi zvg-+NL^s&1bnA*Vbz%(wsEgluapbfqaveR`0~ZDOZ;ovF>t&~+n^pJUv+6Gm@|oOD zQyNI}_nLH=pl%PXeu(dx{<;`TUQ0!>9R$;wgm7o@wW>Y8nPG?yD@p5jg zwViEoau(P~dt%;TRK#_09E2sje^H^29m|*3Kes`O6yb(Gf(orF5Nxmse55Gke>yW&2uz(1{7~Go&xgxv&X$)5D)Y?J!QtPP2{nQ~CoFdIa$pQEPeQ zP}$xq#2v{Qq*_^hrT$pBFGD>T_s#bpo!^kEkcf<#ZVhr%2YfIt4C)3FikVVxMf3g_ zKc6>K2i6=_?RZUiA>kk6uB`#F(#C$K)w#@fwuLXMTwH9mpr`em)V-@9iII7tSjG$= z*~ROQEMt%8^g$`>v?ywi4L5=P1oY7<^IcojmH1VV)d4(sGcgw>cvjs~q z#<9+~sJkAO>!eVhwZ_a^)=diU)t0Gc&50#IcXEhdHBR~fMYj*c{Fv$reiUe%{_Ogt zMi67wTB+mV(bxHEneIlhe(kEjqjovgy7Mzf8Dt-)ZpT&s3zfLa&<|PY*}{jFU%7T% zmUtofmRsPOFud+K9ubB~aM#)FL!Np0=O$=>cYVab0o9FsZU;2bH@f>I|NX>O|6gzw zHu9|BfRQ;K&h#jr--MBIWx2J|u4D!Y8%@^VF37knV^){tML~GMP4<=HDz+oto-h&H zs{x4m`=%|h2S^rdU=j{p5)Y9VUF{Y*XYeVs__obiYRQfSUk{(;{4T_DnTdHgf17%i ztH+wz{K%S}D*6T&n!m+ku3szEihFjPUI*YSj(s-Y@6ICbU}#mnu_(0rXbk)y&|&!j zyX@Ifxn+o4gmvluBV)J?1190Rz}mc4y7Jl4`f`!u&&TH4Xw2H6{|{2i&8+JpU#()2 zM-K5zcXz$Z^Puw}dSUH4LV?8#&2bd(Z>=K5Sd{R`(*xMXhrLe$#|DnQ$<4QPrLEW5 zMSK;#hZu}|-8;-Jr1qV@tw1ynt+uQj4b7<^UL%kzMW%VQUHvT}E$pr5<+2nRow!D3 z%CCIAbokR|Y@l}UW(&khx~nj7s%4%vyhugMk&ya}*K_#cCmhY~)x^u9&U?can3zpJ zU2ktoNBhQF@0qg^;0X`-?k>S`cG6K8-bfxzKsCbpLrTKR&OB3&2xs#%7REzuP*3-u z^5@;=H=XRT@_Y;bFQn#WM~^9FLx~)1ADgfAp0sMj(sw0=#cMwc7i4(TT)h8ED&yMa zFY(e!e_>0j#mpJGp5mDaD>&7F{m^BXXJXgoEg!O~)A1xIxe0Zy;=|EB* z88wf~q&Ph>@WT=D!~LSfL%IE7aj?33UUemO(eD;G@YiuG`A}PZ>Bo2}2`3oEmFKYY zlihGcRlD#6FNwHW*GiE0tFO}M#YnZxw6*;DX3wyrbZJp{*4rR`4gV9ent33+y06JR zFN^+!u4>xOO&HoaYFa$>L~%5D%DV~xFUS%8XR1MIsNF3_U~&;B^Q2U{iT_M^4gK(} z^qbT@BMBgFnOYQ+Y}(cHu|a_ zw;46^_)9dyXxyVj@t~!x*yU}EInT%YhK+nK*t;c&3MuU?w%WHO0fkT_@5mF&QBWw; zcsDo1>9ec8kc|Uc5aL%T0vRDUG(?I9*rnsYgy|@&tP0+3+Co^C?AZ28sSi7X>5M(VAhg9*GTW(tl+C0ti2z-+&pp-;|pyw%?Q+Q{8s} z#okOBF~YXetr7b#%1w8x>6*{T>|#5ZYw}=Q%hzb{)aW;Y^ThJi6NImhaV&&OE0~}o z{IODJbgyxSWJXb%LMf+(&t?-VXc$yax09t_8XYl>8PvZ^eO(v;+07jFHW3T0u1kP8lqE=whl|;qQ%dbC?vBMV!xQV6S*3Isqu^Uh z={eqT1vPNz-jO;@Z{t_J(Jtb`EB%vV zFt~xWR$8{>G9r((yvK&$O1^EBpi-8R8pF@1zm-PhxXJ8xZ7`6t;x?=EIjon|lsfk_F( zaMeHJCp$!BvSma|<>U+cyGN{T7F64*cnQp_ zZ$B&{i2sXYbpL{BuY`Z&HplF9hk3uZGvWVk&HwBeDxCZm4AFa;3m{~;7=fGS0*92c zH~||as?|ED6%zD9*|t;)KbVB)S?Zx~zp08_>E?uVB9@{Gb)hayUFBNBdmnO+k8-%_ zv#0Yc_kkfvT}S(Dduwz_hg-U>CV8 zs@kFKn_dzz-gri7!^<=e+R`*@Ae&gBMR|XTwX|J)O#Z>D^Ujk~#73|8EC|=7D#FfN`wflj5H^sJB19&gX5% zl>TuxdKYuVNL-Uxg_`B{T*|$ul~gYuOug{vtsOLYuJI{wTg%bc{9%L~#<@@B)HdfH zu&k>4QcaA1b6F(;{``gU0Xcv0#enwpY@sJ?mvzI5tPpHx6w?Crs@}{p6U$nG(MlPf z)?u*(4N!b8!%~HmPO7c(X(f@gUCvnQ0yk?7LjrwP*dbw9#4*ApA}iUUm}S^*V-MlK zdehPwlS&f_sYwj3snMwpH=>GH`on2^!8WR#lIf3fU)*iA*nu3Bar1fqjNeNQ!^f`m zpVKiPOCtmyk#RivjIj3Zdq^PqX(?S)FhcrgNW@F&66+f&qG3O(orwrN$sVC`{bpi6 zYL21(1J;iiPSSrC7Je`QJ%Hcc%UE$+t$gGqvo#tuzs#Af=X_RaK#F} zOcUQ!n(d?3B}K|_DKvSW9AtG_Jbx`<{}|IB4)Sg}r2_+s517yS>0H-f&K3C8278ld zt+#stIv-y47mY7(Rj$O+hiS`mX^Jh+<$iY-IBm>J?pYG4%YWmG(1qJqjW*iZSE2;r z+n8!J&F`yL-SH`?k*_rVNINRBN}1W3l-&tuBDPviDRPw+ZnLu}eXy5T_2ex(d&iKJ zpW#BJu8bOXNUfZfU2|6nh2P-@<0v|lVojDMpwaw9@TDv%NAn5mB8KsvWZZ*W1RsnL zii2F@(tPS>kwXhQw1n~r$(FNUtl(IVA=@$)j4FeYn)WsDWp((7B#nx@^2^>S%vj1O zXU2|L%6{h(59~yJS643mg$Ck3-cBb%*=rkP-z-xDvDm0-s+& zg=9FIojrg>j1PZ?(Y5Y*_~a@EP)O2txP#O_Q$8bLx%9Wcyy~HN#+CUdVs-T%U=j9$ zImosc??Ct;FsRTA7}NolVbDGbTqC7kJqJ=OQ0kJZMMHP<&U(^1@9esOBeDSUR~iG8 zLBJvpy{mg(BKwQUqaG{K+`26OWdobc^$LRk_v&YH;1NnC&-NA@PT!h%BnMn4uG^7? z_1=x;q3h-VGw&5T|B73m_G8^>{+K_wnmtx#d(@=$Zaka zT`5qC#XQw8`I>baC2-H1rDUXso-HJU)>21ycr}&wI|8oOm?}>QoBJC(<^TJUflf+* z6!!KxdY)pk$g!@*DVG*N>4(fpg|nzJXB?^SIU48-C*lWMW#fU<)0hi0bD!nu&XgLz z=~lra$zmIRUBwDF*oxv}b5Fvgik4zAY7AXa9D^FF5v>%K>$AMrTaUfjf}I1kT5cO; zOwx{|nyY-f0X6-@g6^e5_ARC?k=xbJ=mg^5Ddfa{v4mfG+qtL!5TQu%1dZzpB3p$? z$do88HKb(o4v6@GhCn_j14^@KuPw@ey77)&56RT3hI14oo=+5S@vg!%tSd67*I-=QqCR%>kbxus_M3K6!T;j;HHDiruHDpY3e zx;UBJ3ccX7B(yOVW&eXgwQ0Wn!X$RHPD-2nU7dypQ35S{!$(fvdSY2!mGL(xm&Na5 zE1)GJ`zo>T6Ce`2BG^D{!IMUvZusTukn%tHv~;xTikj)Ng4-DGSrK2!z!!w)h~fvs zX;Ag~5z>#z%h70K+zJX;!rWCrn2XJKey=0f=>=e+D3jZyvi*ALUqsKLEcVOow6pii zRXaw^Yls%d{8d)DiKKlcT!}xCgk=>N4n~iM`_}jq9erf|`={qWe)4?@0MQSl-o_R= zLaOHr{{s!>bb*G-yYQ~lX2lupbP)k)sIzfu01dT1%S%bmeEjTPB7la%*$T4TaCCHT zseLI+UwEHU2MXJnN2RB7OAuN|N$BS!u-7bgnt&nF6^cW6r?J>XoWZ4DFTvYm_o@{} zmL(jWjuCV^%<^zLD08_1`zyEA%K#cm6z~(+F%{DU)72gcwAef%`%2Jlm#Wt5s z{F7aCc7cbQ1B{K}>%IYx?22jKLzTI-uDS`dL`X_fAoQ{6-Z^Zgl=Bf`H(7UE#;W^h*)**da8uI@3QpNfg^}pt}`p+ z76l>4rdr~~3t>S<*tBDZJC1!))XG2%Pw6B?MWHWSLzt>z<^mnToxQ5mRN?3wU-Pwzs1f&}SiCD1dqR zZp=zYw&xKEFoH};bUyd@-lG3zV$L&(t&7A`RblcLm$0>rr616fEKmf6mRpw{i)v5#Mn95Qs z=dM+D?IVQj2!`(1mf@EfP>_TqTomH&pSLb>xm2NEicJ5LZ8CYmc^%$~@nyNkjoq(Z zRT6AWrE5-9fAZ`#|5ns2d7*0`zrVboKfpFZ)FrMuMxvB6I;oytx0KiqFuI4b($N7 zky>8SLhEMJS!vq(L9jhg+wq%h-kG2dISF>B?Yv^fU4g(!d$whRlSZVCO%eXc;rlRC z0yx^fJ?Z)@vwPwXZ5-pBex6(=Y??I9r3-Zvr8JR|+6#ZPq}Ek$Q=|)4_OB`2MlFBN zX@}N2QAb`Wz?)uaCh-|Z$f3XoR1-tS=3X+Q`c|Ek6K`To5* zZ)}gwOV?@{fthylVwfA@1$XD#1$SrFOw8kgyE7y;on5Vi3}Tnys$|Esm~fH!Xf(Q%NiW~Y_&tyk*wJ!)pp$SwoIr_ zHNWz#vXtSTjLyy&Q5$YFClS1(?n(9F(}2Cm4$WOh@c58XfJ>s4D8sHXhKc0jV(tI@ z%>927uKnkObAt=WV1xi^gv$+CEc{WQyU{Fn_^@hP&}Zg*1%s`?o~ho72BN8g(#?^R zS+zGpqBH=OW<3eO(oC+@W8j8K;5a7RS#E%=-N~{A zN90XDcoz$^E0X$9QKCN7ZA|mNHC*bZc0?^*b~B&gC!#TvJlmtI3NDUU==^}^^5rTe43~1eX{s>h5~@NPyO<{%3$MmOEcsOj z_|8yP8}Gi~Nk-9x!Dsqk|Kw(MWdVeu=|ID~jJ0Rb$X7z>vhKB4A|ap6f|No&%g0+z zbM03IN9KZS(b=(?J~A;)_1dFfJ=Dvjh8+WH3JtfqbQ=YZd%_`&f{0+OvLkB`fF&O< z($z5!ktBRm;^YOqp)T7UMDngn%E)c;SZ_gUoq{`?{$=8!bh+V9mBU;Wj-t!uTCbb2 z6$*6G$j_7{5pNES!7JN2C3r^`gD%m=V66{DM({lLiy9JQ%Tq;*r5}MG3G= zh|(C~ExBHud3YA$l>x9X9@~coe-p=ymmLtvlp1lZ-TfSP3a-9g?Oq!Y< zGqKK&%*LalP9jK$=IKahXsyTnUMp`f@*NtVdIe0=L1om_pT4tu*U&CIH_318h2tGl zh8jMdlGp0G8E(CN`w7uY>Q-DYUJk8UIXVl!)Ipk_tqMYHBLtW`c*%lpWV_ecg#j0{ zkv3F@jK+3nq`olw%iHbh+bK(94E~c*dR5$(VLt-TPl-N}lsrrWt`X{Or`@BI5C14g z+qekQHi0ct$J!@q6i|LyO+8oISyh+@#)G)G^&b5q`z_eYHcVdf<}$@`^)_X!#@TYW z2vvqeP6<|TzHGdZjn#cCIa;C$?_@Bq_R9Hn34UO%tU(~Qvm){xJz3L>S`%V#gzb3APacX!716YPNE*O(Jby9RLa}T4H6R*pzAWE7$ zD^zxN?}e3Mf9{G|Ryf?FC3bi=Oc0Lh5Yu~=vSgj!R!XTee1I~W0$%af-?OCAu`I_g_KU~O zb7^;f?Mx63y^K<4x#`q7$36(;#==w*gjr9to4HCwL*LUIYk<*8TkV!Xnb{^i-Sr-y z1G&f~Q`u#3>LP4OHaF?~7rS(U0qP^J9gVJSwKDS_r4rE&3B&X>kE}5~W089G`-pVr z^c1;SN1KRlf;`)78iFRe4}=3CGFzHA{Zemyo16n!ARacdHMAKVdr4iX4+Ct(==;?E zu#F^#d+2jlSMUnE_JuR)1x)tnl7)ya4yG35b*b(uhs7DMq3`yU8UM&uV(4;X65Neu zhn)Sd9jV{XP(&@aC413K-A)eef0~D(bSW>)!(7DqW`;y0Rnts9Y%47gi-b!`)2R9B zv%0QSC~*i=rh#1->BqwH)k#)oXf6=^NDm+#`VIML#%bC*1T5IWhob}`?h+!_+4bXG zZF$YcbGm#(RQFhD6%5ie40vv7O4m?KU_qY;=DN5jC&zo~-!EV1>3IK^)z&d!5@5c< zl|AE;Hlm?T>je_|cp2a2@EjaJpFa+`+%PG7=(r5*eeQ)fkIGn zC(Ds)KgQPo$zv2q1Q1uAaan$9_K{OF!!^&02-sa==&riEOtm_l~vTTvHGTRj<> zM34}eYB8%b)D%~qRg$t0N8+`i9fn+A$idBp$#K1}qQZ$A>^IAxDj= zK4-w?3rAE~=an^>-n9Xuis`IFLfOAlgZnRs?KASiMl2mcAMVS&QGWKAFop^(xt%^s zo<}G@4}iyoIk6IYISKNT<84auY|P=n2NcTig`)4FQWijTwaYvd?;fK}Jq>U5(X&$` zX|!r!+ls@ee2Rp|9{av1jEdQAhmj{*&Aq(U7>AL#ZB)yDe5nWG9!VsmW_+MC-BVUlCa7gUDom+g`#zW|l6RAT?|ozHLd zT{<1w!!_q`)&hIm>gGzyWE5spZm4-lnPn1z9}oy+DOezG{g4C%C_2#&QQczJ$5Dgy zm-3#;o*k)PPza--&t^SXnf_Af&5zo#)dFg6fToDmMXfQbnLG1;BiEb%!_~Iruw=nX zNAMo&H20)H3&~TeX)gCn2kxPEiEN!WUouVoC($TG7n(ticd?7FFE#_e7<}U%O9;N& zK=!y;QMy7e&9tKY!d49X-hi|(+MOV9F*i1I8t~`P#F-Cu=g(ArMG_Pmr4;j(5ef=l zA61s{+sW#Zg!o;`^1V!DwNlJDwTiNh=w=|K0E{P>DOgDsl~BHwwxmNW#F2jQ$NXv7 znHP=IOrsvxkijFGVL-ECmINDeSAa&=OxedZfQ}%x&r2pHc=>IEteMT_Ja~X;j z(;wPw2@}Xq31Z#uG{I%fDYO|<4Qe;?9x2frt4{)>0=8Q*vs|Z6D(U=Kz>$0$FaxT! zd6ckiuz0HEl7w$)B=MOF~F*s!I^syc02UC;i3fW zzUqic^xOB;_L}%o@s_2KCVY~Wr(IME)<5s;=r+h@5vaOvQQBXFbaZk=>zeK6L_3(* z_!^@X2d=A4pkHYQQsm}^s9ZtVI8~zUhhDxFPH{gTX37z2lE}$4ZDZhi^jJ$LAOkjz zSXVW}U80gd7)~X}5mxR+yt^C|lZ`Jd@#)8ObDD|89>@qVcIh_n380l7uG7OPfMZ-M zX8NwBwDgw@sgt1>_nFO9N!si8V^#g)vcH1=%lq-Sdp{+?K<~$b?$@{sb&7T+6J;4v zXVF5?UqXn5Q%YwTD;vHNUaB9ZJ?3%RmxP9ljk&3wx}l)0(*r zRL_BrXIo9VPT8R^*Ow+en9rX-%E3O7s$qV`AFEHlYY6Qe=F9iB9*qhZ2H5?z%Yt4W} zVzI-Jnq=3Hbl68Z(u2@>2cZb=%8XG#E6>P)546Syn8`ns8?zXOKP;=RD>s_TUx9u9 zCrdLh`n#_Y?hBMqHm2(A)fxwln(MfJQSwOCtC5)V6J$~zHzMwXTTl$n*CybugW852`j<9~$4Y1FCQW98tZ=SKd>{)P}f+ z+n^-2?Gjc;I+GVgd4w!$*rZetNW!%;#sD?!gfo~q=%G9ePNW3bQ%H*Q5l1ujTdt7o2 z`s8LI0&KO_yyKkMdyX@edI2_w^Q2DdI?aROqXNF>^^%8ivKzL+R$z#v-StN$fbz$v+)T|^T-PgD6n@QZ4wZz#wli1lOhtc!n8a8 z!;6IO;(iSpWWOjLscnXZa`RhK)m)qAr0jBN56mV%M=;6mt7MA-&fqrMcs@%dK{9F< zUKnGJszan3a6dx83y-3thG{$i5tcBFA8=H}##{OHxP7<Op3HZrVP_Tf z{!AO@epR$QL8!t&FGf6cGKw?em5B6$lJ@bq0e3_{!#$)V_^Sk@l!a?W$6hjHor~qa zD=xP&K9?(Q)Yq*Y$keu9!FUjynUmm;=5^-=yV%ITfAqc)nC4sx8NJaFV6-GhRf@E;4MqQ5hW(l6ui)joB+;3J;C%6CZmKsrFu`LOjt{sU z2h;$oDO5;IEv%51+A^NR3!S4A9j)BFhhcCGaEWVV-&IKN%#D?|jd&H);9yZHYWPIU z3?{f<-UW3pkbvU7pbLXiH9LZ+!b)i;QVW%AG_CYqDN$=3Wolz{A&wvPDa+oE?AjR~ zT_xGO{6LWcZL@?_C)nre?Dy@>w_`Eq&|FYGY=JvV}m3s55?514S;iy?C z+jryi;-BfzZ^#?^;*A^sU1WZ{0jU36+yGHmX!28RBAR`QXX@Hwe6gghX;jiAWR!%j z)X-0#Md{75x5{S^B(onZ>jzN5J1U+mLK5>52kb3G_W+<-g8$Ym1ySG} zvjEMKE1pn+NzIQI&@4GAi;6?pu>257l7p2-JMI_9XoYeEm{+mlHs`P-3ww=347)#| zSct%fkRN>2!>t%l?2U7anXWvdp928>uV;ZlTxj)pY+v0pU*plxxkN#QkJyB5WNk^2BcnYb%8}p^PF{_ED1M<0} zZ=zi+*59Phshn0arMHGL?XDw70y~PClvF03P1M^iwRY4YacH@9P;GMuh*upAoZ%RM>WfPS_*AKTmTa+Bj2V zWe&9nw5?9D&unN%bg?;gPKHfVT^=#Nve|g@^k^~Js!dz$8_iN$nNp5j;PHh0T(3wA zX;q($bIOZf4b0K>22o7=&F~3`F!0gjtVbU{5x6}UuzMVMPHzd{*iWhJjn@hhws`CE z*myS4i-R(XN#dpx-9z6u;XcU8^Uq3c8PC6GJT7%R^Zq8?j^So=&2`h<2L8M-+83p% zH;@6V-PVzPcl(ZOrVEJXonTW`OYHDH_oJmLH$LCfmDIGgvcTwmBUi_0A&D_(V)Cn9 z8NT|<&22l@%id$v4@_b)q?Z#`8?sL{i#oo;beVniCl32-1Ih{x#5S|Fgs-EJ?mn%0 z(=M3k_ID_x{(I-hjOe>lcN%wkoF|4+nf@Q1?HeX1>vR^;&AVK-6UR@yCoMM}s80OR zZgx8(%;W!WH_Yn3eo4K(N{)gfn@VbCs&=YqrBnq5V$T_n5lKJ(#5{wDy75i-6gS3dV?mZL5iwJwSd7#xLYTT`R`Si{JIJGG9AL zO_0dpZ#n*Y$!x`u+89?@L?u-Dfg{}W8kG}YltZg_%4=sVQ!=u1=ry)qsttDO#vP_v zE+(z1@vCxs>fo@>LRuxsRFRs=i0 zpAQ?IJuS;`n)xjP$v})%qFy3=@rV8`&G5=ujLu!x6l)?$TbElFABF4*(kh~fJyNwq znmO>c8xq&6>CL?~q;`uvmFn_7hEDw-#@_O)?XLUwzABWK;_kFK#i6(rFPh>M3tHUW zi&M0?LyJ?~9g4eKaQC1=gXDaYtGM_%ck+SzLlX)weJ-(iD?AH@~>LU{rEv#pci-K_DW z0l`LnSIJ~T8OxWdX%mLuiKCVn@?_| zvC?nf91MIolnAxvo@Qk8cuh0;UC(oJ-N=R6E%YVwpjT&TJ za--O`Ub;X$%a^-Ek)cWGwev2GbANvom!r|45)vkYedg^pD-IW+O^cJ=jNWDRu8~8f z4Y63A?I;DPg6vkU+xRAp^_QNKwOQ`kSH~oozK=bh-9*kBa;Sd$^b(nxU4Yz7{P<-jv~QtkGeSyoIfwQCdNS=IC(ZoY{0^DzZj19D?7$Pw3%&Xz!LdvywJ@|Iktq*34Ey`%XUJ z0D-3i!z)Ki_6f>AZ$6_wD;&Uy=I#`u|L5V>kpWLa$Z*t%k18fH86e5Id;)Ewjic zq-(7GhU5NX3N){Sc)Y&tTy|X{{+1pyB8g~G9w7MVrv^*IY3vWh?kR6d-y`SaY4&u- zD;u+C|lccxShLL@U)kX}OlDZHs|S;UU4DCt%ae;8eT3uiW?;oYsjY zO^(Cwd_YLxZodkZW=%5y47U+B)$IP|NlVB&bZFZHYb2dFkH{kBqqoT(`uV#N~W^^ z5v@-r9KQp^i_~& H)#q}nT)rI+$dZmDR#C}->5#ln7#Toh6 z)Y2=gs49&g{sU;FQb5omatt{Mb1HWyA-|#WDb}Zh;=14TVN}m`R)7w>27Nys3?=R5 z0-wLTAkxq~Uyo*%yp=rQRI5qIa2SxbucQ+>xq@y^89Nqdn70ZCzt6mr z&|o4JtgP;V2Hatp>mBPDrf-*w>UFz*hma;;nm?6#NSUHf1?}mMFF4BCPqeIS_ex}T z`JDyWeSe-UE=Jhh`S`%H1jiY=(1h^u3~5AM)k6@SpXUqGU8KI_hAw$+j#ofAsv80T5$eAOG_sU7P#I3V=5%r*KAh!x+Y+F=WJ7RIk6T#wa)ajL-e zNFrn`Z2e!lS1nS&mLw|b*Snl*^S)bobxg=8qUGmFZAhv^btCp?9Y-cNsg+mif+z>X zjE-%6BZGM`&K|{FIptN_)Rq(e)Oa*TkpZf+Fz?Ea+xGs&wiyNY)QOrO*SsG?fd%dtY*JAM%C`NJJT1}Ugr%Y9>`bU%E+U1_=|6fbHEpiwCN%wVN--|RDz%!K zTb-r1yD&cR!t`A-aM$5>d5JYy*c*m??Ejj9!U zH^j6`)%MD>3vKo-qU|sM}N)~77L7CQB!P$h1V((tHQHL_uTUD(j{#`=}K_Bqlpq|EJ zqhmqUq=sX;StJZNXo6U0!Dx-NPGI|>*vdaUdU_7A=>}Zag&lKfXnmxvh6-3`Zo(uc zz9-46E(yC?@3$lI#w(*f^qR4<)2}7()1tT4B3HATzbhA@DpBNf;-BF#9*#vqGb_?^VM8CHBB7LxVSvj^mCp`mK&@T6#% zKXdx}Pxg;0v%t2$OTcGY^$iYJ94Z!7D zq!6I_eeJ@p6raW3qn}mXj$b_)!2Tv|*5d#FI6e0mRK#g8a$8kAi> z6~{miXRb5z^AVE}jG!QW`~q>VZ_QqvkR~U0S+KwJC%mt`T!OK_juwQwxh;P-$832j z-N$P!lPcEXhe1AzR}2+nu4VPh?W26V_ow@&StjCBiUQUU`#T?lav|5ZoWpG5`5=<* zGOo+gy4EZH!w}aMZ`O*#_ppYeD}gSNIbAv(rw%@(-(&o{f}XYeJqEQi>SzJbTHn~V z2bb4lf_Gkfiv_N{kC2>PbjI?!Z#R26(GkvC`e_ZFs6ZLs^Sb%gXZmN#^sufu=OWrvBCaYkAt4`w!>;6K(Lj{Zg{^#yt!KY*@e z#jW0%ol9DN$dQhILznrH?Wt*5FD`G366YNGXhh9OUa=}{5XHCidBn)GfBZ1=qk|Vv zd~A3AVq`@F^dc{}`yW_-8EKfK;ojFPoTE8}&(0!wR#1QLX1ZTBo<3ZQbhCbc|AyQL z(y`uwOo5_-{s+Mk!P+AmGfTa}-j2qzB8V+y%JqB`HYPX`D$!Mzkfh@x>2`ce0KE(c z_t1z6>-aR9Y!>I5@8)SmOu6O7{>=1%r&PeoJdMjl9{U}ug#LjLT&RGAobwAR`;MD~ zy|3V1b@~%4?DWjfMmN*oeUI1=51C838=24%)mIr;on@ z>0`a)?&L?^libkC!%672O6=U9T|9oxv*ILo)1Cy5GG?{g zx$Iq1Iln%+C;f1w;lLt>EwIyo6VagSMSv$Php$x=zHI4((G{#i(g2cy+teGm?dK&K zC9#(FMekP5J#yywxseE5<+QeHJ!}(XRXaxZ^&}=Km-~H$EnhE@T&-OHW!p{neZ!*% ztnJXM_UUW7v!Y80vX)L!Ro8MxyOY1+)v=$KoG*sDk1&;|Ngm%`ThH&pX_EBF6@?y3 zo*Q0P_F=r9Lnp`nmSK{33Z053py_v9X+?DGjT>aTcMdXM%TE#16w}b)zGTc%L3e+l z^XNTCQNFH5{P_?h{8-Txd63AP%}z&+0o2^d(n=t zIMXA}X{u%UTS4hoqg?H>7ojO{SzGjZ_1nE)NQ@}wl19MJWG|1}CV>o9&(XuyOZD}w zXMMX}-NJqAMFpAYt?FPQ9rxQFNo(4KDw{c|`u>{%U_l1378WU?eXEMllQ8ci9YXWG z$G5$`)ZCw~U$;=TVPd<=E>Xev_Ng|M4M5s1#95tA?V5hY)BsNGmLDbz>2G_K`y+C0 zG{ozV=DkgqxigS_E(eM%-zm9=Oh}z-csZq#ob?AVJ0HkVh|>95$m(??I@Pb-(_-&l zn!Pc2CeN*#4A%-o4?{=wCPQ@^mgKVk7%XB$*~3s)WT@C%fvjmbNsI1sF?ByXqKNve zsNsg8Zi7Al#jB#I2Hf5lr?wlza`yXEC7)huEeuOloe?$5zZ4WBZv@`(K{AU2bOXC` zOM3nVQfi?SSvsL^(L#@bG3!?~Wa>VV;1WHjj>gE(d|>ZOHBHB(OMg9@#YUArGm)Jx z3@ZAc?l#T0@Sn%y$|zXT7!9?Lm6=Cu+=H*brv*=eg!o<%Wp|5)kdoW9=RB%?^y=US zYJo+HKkYxj!uoFGes@8w*Gob$8Ilk(ALE7zy_gSvnpc-|tA!*US5WdYGA9!%Y)Kl+ z5r6f0x7}seu7$(t_Q#U}I&yA~ene2~72iATPkLU*1E29#!aNa-}fX;gx9hV-pN<^b~%%FQc zpbDXvw_SO-RTMKBAY2+*!L_c2RB(rM9f-cVsm z-zXbh&6{F$QF!pya8izZQ~}}KP>MSQj$DGdcU5~MZrR#;mB9B7EZ7v21kIw(oE)=8 z(b1vJ$~AbDnQb-386Zef4?|@Xt6v@0Vc(N^@BXwVxOK?y`9;P42A| zG33lMr{hR;yA6ZFQwYlm%P(|VdPjRUp+E)q2a;6p)y7nDifzv<{t6=ueA5^805L2U zj@c^qQK>y+>RhyKS=r;vWw>*=%+q^euCqK=UpE(&W!ODjd*od8v+y1LiKTIZYD2W} zdA|`-d9X;YO9P1&wbV<>YnKOj@73=s_d&+Ksk_G49E9oaa0Y{F1)iw7g!^PwaPsbM z{@og>$zwj9D^@^)+{-zq#%cn8`$_Wxm+=oS4j1`nyYb;sAZ75umX|8m9 zA1v=9kETE(;YE)&%{xmTQxy^S#rHEyrlB3^q0m73lvx+a2SE0pK{L&;mxVaRy`g|P zu#Nije3ZQudhCw-SAKLG^*rA1?RNP5g7HF=E0*L&I_}BE$+C#O()JH6u*~?81cL@Y z0Cg;oSiC3PRa|k9%+F#eCD`E{a0SBwu)Fp9sk^;%`6Mb{{NpaaWK?rIvals?Ca-ZUE`@v~^feGzPWAFU)$R@Lu$BQ z-J+5Oal>my5;>-{{ANB0Fi-JBD9o`bW-;fh!ZcJCa2Fy*tb(qY3Nx1%T2$<~8Lfe5*M$#D6QSgNFq^#^07?&JEtH^K-|KsX`q##dA7U%WQu&BcqZh=3}H>#{e^Bd_7^nniOIr?7?U!B$ z<5!<%mRlwm+0Xp4+-U6AvMwlVs-68R5}qa!LZU#a1Yr!#$vWCeG}F#+yj5T9hDcL5 zdc{3k^|;HhTG3&RwQaktvneuB4>f9?)#53OVV@Q7y6JMh%2Oice9nCEyy(@Y|EJk` zvnggna;nXp5aP>5+oBSP(ac_-J441nBAkgwS$Wu?oO*P}5F9K?wo9>_ZQM-e5(Upc zh9&5{2rKm%sYMVuLI@I-@k)bUI5+YN!G;~3m%_hh#k{V%W3N;sWn()a@-^&^lXTR` zF4@u9BLAy1SK-)@Y{$Z;Sh@TIMZV!N2rml@a-ox_kv~Ov*&Xjt_H3uad(p)*0#>{H zZFBktYW#@M@!gbCsU@@7gseYAkM>3w6Fc8PTTh;)=w0J3uCq@?dLSN}B=Jv(j|g;( z2lz9eL7flg-S{Fy$bG1X(u9rTadNP=so;GrLuKRDR<52$winygg?vR!}o~dzitu9#4|2DY+W+dxm7v5 z|FApHe_5b=;D}V0Fq(2#7Inn!U0=M(iFAA1e6ry!ZFH~4{hr}cPc(g&pLLQ;6`s;} zQmv1~y%baC4~8i-%YVg`oMY~u0rS;C z?VQ8}W+aS^U;QX*RK?N2p`C|JYgo)SNH$pBHp$L2bYpdsRQxF>j#ruOKo`-$*t{T%bVP=-;bk#1-gEFf1Jns`I z1VgId;^r*mw&l}1{gS@H;<#q53$Kp%0k2$g?fk2XP|#1DE`{eEuMO{Kd_Pa5YA{_N|EbowkWc+qra@IS6A zNCZ7bLrEO&SXj|IS6U5CfE%ubd<#0`EufVc98U_mu@jQtdrQ;L`P0YhI*q^IvB*x* z4jt?8Cnb0xkGj%OLdY}Ei2FMJ_4BV79F+Fq-sW(?`!_zckpr^sU-PTiFL`*r+CB|A zc*9<&tx2u+?FAazVl6f7ZY^K}sVl)y2Q&9~m;DZD)A^s`a5SExO&w$1I!}!_?iqB5 zA~!oSwZOoEWf_jlm!A_>AxcG?wH;nJ9F@uOfV>#4G)k~@&Pq@)r6|H!mU2fmr=@qJ zW03K)Sxfd0A3^c^jXc;~D^BNBZlXi^v*oe(#i0%8N|JMppV77YO6!-&`S1SYV^y=wNo$ZVGzsvZzqOg79=D1|P|uY?t2N zyDiAI5Js-a zbvWq*BuZ7F^3nvBGrlPQFJ4rkGcZ(9=u8^%c6u@F-%y6P9c0RWaxd#&M@@91SvN>; zP%!ITqoh-#bPJp%uCeDy2*Q7!OSA>ty~L1}5R5r{w_5b~w?CMs4Ud%3P2*rH|L=hR zcVy|eZTQ|dIyFU8+&XM1Evy#2`jblG6v3G;gW}?JQA8fSCgPF(de#TiA;SJ;GeI(D zlv-aF0QUKQ>#JTBi$&O3bL{gB~`xH92c>d^V#b&bOim9?9{yItQ z&6dG9PWFnqdlStH?O^IVpe8Oi)yD8C0RRZ(w}WNA8>b?qqA4 zA*2P^lgbCK8>(M|?aM6I5;D!Z^MXQE)yuD zMhk@I!!l7MS*}FBX-MvXsFUCanhiA=be8z~92W-MF<561XHEpFyiQd4sB~G9s+MJG zx-Vv4a#AY`cZM=q;D-xstL1`EVA+C3)1_(ft_IiGY=WRhuH%>HM!v)9H-pntv1#>Aj6zA~BJqYVDr-MUOqu)aIl^qF-D-?M&PnpPfmpTHIYq38?b% zV3ugQd}FT`uug`n$C&xmmRTW4?5s0h==ACU;E?D+tMpi7bD+mw>4O1s^!zVzB7Ry@ zPmn|J_gWGHv%^=4m}yR;-2npB9OU=!?ZYH`1572b5U*LVNdlc~CX0UOqY;79!hnHx zl27I;;fR;F0C>D`T2R=NgBX#LFY@3V)l$ZfPTyF- z7s(Sz2Vm*igXk!Hd8_M|KXwilmlEC0p*9JYG@;zDd9W+X^Il$5cPa|l5JU-|hgQ_C z8*GKyoh;Xf%y>LdT^vs#TpEFUzp0P0_X@WM}h2JYcL>h@+#D*tQr-g3XG&k~I@TbcV05AeIP( z5%=N1w^C_PqDycRNlMgqvoTZwwW z)oD!?pht7ocInX+}kU|AW^O3pECaea^k&0NM-9%*!o)II5&zgz*t zRknLSPZEU?&n&FIY@hx$(ccB$nRsy|Hcfn_KHU=r0QLI@B*@>AJYf90dUv{F357Ap zw(WsCo#V8-;xbX&7*>^G6@aDEHMyLKQorKmonNnO7tlJ$4I!^yztqq}+0FD7ZMdjn ze38Xz+y0<GO9E$_^p|NYDsVshE=s$%*0< zCf_v8^kR}{M`}N)E!%S|`5ztA#)0FCc2dO?WP>90?UF4ve%sXgl$txcpu zxu2*8m_(6~tz!NTv>Sw9eW&?4puCNvq{U&3N!PN>8HlO~WJK1*NjzAfS@JoIv{w`q zC>b}}KAq73hxpNDV0zfLnsCo~8*-#5&E38fch&a@ST6Kzy_Lz!=8prJfBO}|Y*QUV+1yRT=U!Cj2|wA8Ha z_p(bzGCqIiiy|Sn84j|`SSR4-6Ffv$hQ_1}6r*O|x0PVA6;(j5`48U~*nF_~mT;3R zHQ{rkWhu4viYctLZeX^H(Qh)_nS2GY_ne0cO^QN~Z)j9n>QBFm$>!yE=&$d4c;Zmf z*rbzoL|aq?v>`|Ek7sGEjc${G&OtHRS&gk0R%>fB5J=oxrU zPxNu6X||~x-9fotNsP4^?a^AqVtr^a*=;h+qJTzS0Q?OuDf#gk zDagfrDP47X>hDPUDtL? z`}mks>U5ON>bS|Mq-goWfbOw(@b2^0(b~qAxTz?&5*0`8bB1MlD0MgSd6ovTZKPHo zfU~ChUVXL9xZGR{KRVXg|4+Xb0rYD%ROFf;X_gjwd!t2!v;XFD&80p@aeNyNvDa$? zu~xawHB6ax7?bcP2yf|L7OKs%h5qHYqfB_DlK%GLq2XJ~e?tiW1y(4Bic%1zJ|59h&WfF-IY zcXI4m&j$b=IpUO|xeohr>Dj<`y6|6sRxMx*2B`Hq9_P^vA>8UWW5;Fc7qjxb;-{f& z7)q=QU%I)p`r%K#*-;dlx0_7OZaqg9o|`=GjlyY)Sv3{84&7N+cZfeH5-Un3ZaTw_ z>V{HBW%jT!QW;(g<5{^`*O*v2fc&}XY&djWih|2*TZ6ySPN z$<0jsf<4|BH-4hmVVe&B`n3~<0M~?p5%a9@{l;yv`6}txz7Zfyj`>b$Iu%%UmG0-& zRh)Ta^w@Ssp?bct;&ph$|C+~Zg38yB)cv9oiTxr7$4H@d5+^p}vtdiG>T@hbFvsaZ zx?$|2y$=*pi9}2JL+#FEP#>Z!R7+SRP)Wz?;Kh-e)q<4A<4j$AV0k zZ=}IYwWo%aYW&Rx}w;*)f0&&SW?&5IMITYdC)Y)pz&?Mj4StxnVG78T-RX zpm%%O2n@#0WLw+H-gMtyJZXt*ef+6`JI~_pY}<17E#s&YSpR|5m%;XK$5Mupd>7MF zzg6MKkr%f00yY*%f@U_cEjC$0@AoF2sKSqa^xI7>If)j(f=qIIVt!~a|6(Z+;-VuC zKYv()u|#xZRMae!ruqXrr{X=(aNnx_E4?Iz_8pRceY^FctSf)8KPD$W`=BY+QE8V) zqT28raJ70aEAj!aUTv8AVDKTfYTy%&`#)85mMLGJC8;`Lv|U~a8~_-F-13v8AM$=u z6dJ7R38?424L$vz%u5WdvDDuS%SS1ryHklE9NMgsY#VpuMva8q)0%d2#}MNF4$6nT zNgi2zr)yms>>+I3)nw&PWI`VDWaT09U?l!Vth0tW2eiG*nte-iu=`~#ZmhcXA=hLb zr%N?#jY3xw^jJGtq|*5B>kQh}KIZy@hE-lW2aoo((e%BCI^s-N(xy@N+cO{Ht!@Ly zmN3b)wV=%+39h3wk}laDV5TDPRySv=1;?Q3u^MVjs=snqvU=R!ySO8VoMOBik;(hd zd#W3KR6{oQOgP+%VAaX2$~p;V^@SM=^e+C6?_K--BhRJ zm2Z&wIv-Sjqse;5442vCtqV~2k*&#H6#HVrAX9f7Ee zloH{XqCFT>rRM(gnIMu>feJB!|DdR*_OG$M69PMy{Y`T7sS1N%e^ zKJ}`U)+rJyQii%3IyuBn%*xP7(bqz<4I`ApLy_M^b302jW|T6Gf5ETv5M|UM{1E;% z?fDxJ0gm-&w~M68PRY4GTVQB3jd1sqCDz%E!*>1Z!GI3jKSN|^@o;2NFTWN4<8gL? zZ)PFDYG7a|wHY@8xK;K2X759?H_^;A%WIw`H^&PT*P51+_Vs-G5{8Yx0R68ntrO~! zC+ld*j31B@@~-rh#=mv4G+8FU*`~h&HH2rys~DX_PV27}@3w1UwMJ48yQjBCN$uTI z5CK^0R|u2ppHqr|FgfGn5Z}k-7$gKeA50=*juqp20pWxWoiO=NnpHK)bH|PFK|q!% zj9KG}n-6^VvZSXK&XelX2& z)VnZ}*1Dh4?W&=AfBn4oycu7#f7uCEdI-JTFz@&0Ha7QqALM8)Z}acryZ+DN1AA0g z)82@ReU`Zi)35+u%lt(S#@-gpkaG@)={x%fcLiWJqMvGE`5G9|EH}C~+c7VnA7;%N z@ZlS?QFxW|_j{(vyO)(+YV5aro6(%<6mE8I>~T^}%K!Q(nTj>Qha#rbvn*F@-nOaP z$3MGf@kBEb%jNf(Q)b=CtIpERUOsm3|agJPGWF}#`KuM&a}FJc^uXUnW~x_*8K z%$?)yQg6MF^-;=w7h~G`)9I>?thS|q#e5kWI=2*+T=cLt&aylID=*Y-ze(sI#&ab4z5XlA;Df4H8xSSS=@I*FR z&=n<`Cb+Ti}vEU${M$%C`e-wMc46aV4l;T z))cOr|40u(FC*~2(L3n6#YTh!llr*4MiE89JW_r}!BMfhS?p22K-TM}@At5JyG?S+ z?H5XE<;5i9#wGSGW0}(HEP5;C-Wq+Ep2(gs2#87*{;u-YX$CUB^J!mS$!M%2V-zJ< zzygIIPPt)kSn+~9C@v^Y!dmge!gRXbALr+t=rd(*hEWGwd8-pB5-p=>*6W;!jp$3v z>GS8edyq}!?&t3BS)upcN!0NdTva%f8)qSEdRbu<&Bvjng*VVw9gt_pWFOSjVbb5c zflw6ENuoB);7LBL?}CTc6*8nCaLABmo@EaYp575%6*g>5lZTEH3T>NflN`}355>py zRbHR*+tR0_vN*E2+EM`#?1jhdLxh5jw5{s#T*${6ea3`$??0MYfkFY%b!|8#b~Q+* zWALHs^n!CN>g?UzmaEj-Og~&KhvtXdPqBIDpU$UYzgi*yudyKxchlN0v`)%VKwd*fi+0nCuP;y~;0mr6 zTX@RQi-Cto$ArUr28L^5di;WE)?t-Z2Yc)RJTW=;jn@L-L<_BDvR6*m6SBhLRX>d` zW*1L#<)V*rqJiF0q!)lZMLD{HSzEOo>f5Do{)lxX{TPl>hH|EkQ_?!H%Dq8zU3IkG z2}cNBuOy97(;RRn(v{g(I%n+-d6zT9ChG~U7ObLwT^cA-dU`%j{^$8rk@Xl_E&egE zi_;8oIBEqvYT2nmmR;d4&bZIyJ$kNbZ4Pb@R2!9c%f;{V4r>3MucML=V;J;yVZ_hD zC6o9^xB4DOl6{?1k~1jwm6uOjK%oEm7CWUms(pzi*J34%hMnzZ`qLf|X8n z7QIHvJpRQ@yfdJ_`<3Boa-n3WIBQwl4d~~|nuOA%?%BKbj$;30Iv>224-FcW>mBW~ zjhYwlmpiuo3le7S8pk^>vquPngwxr=7LG{Z(|eP|EW{5rfB95UFG6pCI%MgiQ^e4# zJ9Qj|;5TMssUNxG5*1XAoYD!aa0;KRzblH)LVsn%|BiCq{x9z@Tqjbig+1rfDV$Gq zujo*N;zB!RatkO9;MW+v|$-}2zH5DsFi zH+*mU7+ChT~F~pu;=??xs0zJje5P3Q`U+#hR#v)RRL2fmu&~$8O}O$2Bd6NQ99uGqHage zy8B(=BEB@OWjjNy=r-`m!2w=kgYUuFMcO`2qz4q-5#_;8ZDT(jC^Z}+OteK!|or(eJSuL}eU_F_B#-lKqMlk+C zIQPamvUi2}yRJ%391mGJ?6c6Z!_Cm4;^g=5?Yu<=*S&U9zpM;I0`=@z!|~&FJI{t? z$a|T6HS^&V*1GeT#B4K%r#F;WwR4EKFO_)9FMAjcM~AjPb>q1E8F3l!T_Wx3$@wOh zLmX$Ikb?3K;oJBr4x#2SF1l^K7d?gv@F4dCZ5Bn$0)hF~WZ1WI@2luJfwKlvvCb*e z&yUVM=A#aaGwI=8iu;d!t?L08QhgUKovEH7y_z6L3Bk~jrndJsBJ3Lj{QV`L9~XWM zs^75xTAzUwm&{%q_DPbOFnhg{b5l#6l`b8V?VVZZYL32s1B7) zFPqLYBpCHE+Jk*=6F$@KwCra7(JzXO*HoDa|GY!)qFLcOUK5yH; znDTwSzR+|NJ5;qx^!R>f&j{3CR%+Nxr13vSN!pW9LYKOTC6}cDbjp+pYI6&gCL9Z2 zou16{zK@8pkNbhnA{z@Iu8DXeRgNz+;eP-;LXyjI7Dj!zT;;lIb*(QfGPydFx}c`* zm^UjZ+n5AG-<9OQmR*38rTThUDEn`{S&K7>GDZ=WBBlk5lN8h50>MbG? zFJ#y!o#Jw!95dzl^md}q_#_|3bv@3I)+sE@zy7Kw6aCi`X=0w?T5=geLo%u}`pWwl7?*tv0OBFm z9=2+1HUchzIImELod8avhnP4+ z;uHm00I5}k1no)9=RI8$55PLwfW)gP5+ft*U>wU}Z zj<&(_B~R4R<(xK;j@`<9-3gH#%^ zbsDlwN=}#7C`a3ks3q}q4)klS-<|m0P-(`@ew>mg8x`0s@pqgE)ioGvy^5U8>GMi< zADMe*;|wgZfkhcK`*_cc98mb)GnCY?)6RQ!SOMte>s9Y-?|(M&)HPWmDquF3GwN>w z%37FUIR?!iUfvn9Ist>WsJ?3}078;JCdC#C43X%Pc{qXDt1DU00vDS6MhZa%>z1hvlK~ryk*VSD^UBC5cH@&) z7Yt;w3b56oG}qie*NLTf7b=CCj*nD2?Nf?(eL~-WNCz}&3U>+8Aw=QJ0;*_X7F05I z#C(UhW7{o1#Pl!SI?xzKt@E)0ba^l^j&Ywk&Y`^D_}S&opBWPMeqN$MgYXCU^n4$3 zR%66j3Y+oiukmW>>tU8vHf8Y&4IfjB+0j)aY>yzA#6RwppOh5 zWE6FV@iVr}dm@ z;n7ZVuklAyi}+-SCqf%DvQnp#hwzj(jQ&Gip-jnug2QF6175N} zHWpSM6)NKTHUnlgYxOF<`r0pr^X|?^*m73OR`>Ash>w$>wOv<-mE0Y6O^7%SifxBw z-WP#tGF&%AB3hL5Z<|TJa`%p%GlJSHR$n}3c(p%VS%U?)w}eN`ykXi)7B`KL6Bw=S zWOjckqAr-YuXI6z`zlBCW9}V$@^l$D*GE_Nn~3J-Kk_iwC3By45bQe4eAH{MdA0iC zJZX0t@v6o54$6>4@i@FTrtzqwY~y&ST^mh?n5cWWx<`a+4AzJ+a$oIk45rD~!Mor@ zt~)7+Wj#dGTuq-aJVqnUI5lgV%ex}|O6Sfn4))GW=ns}jq>cQ!PQiKsL>YX;Ic@UdXop``VdJKGdLrL0ONvBM zxe8b3I)XK`xLh14XFEY;jmwsO1VkbP{9Yp>dK7ov8-BEkY!rLX26ngk3Ni2aJG+jz ze@KH=hzU$EyR5p%T&`|7O4Nq1-W{^xn0muVjF=D7$`f-!EXnS93;Z)%FK5!Shzxo$ zd@cT5d*u<2N=~68{-f->>A-GcX|KjdlpxI2< z{^9B9lo_o<&D1%eTAfZ?YBbJCik9gpdYBfiI=0dZO;M*rXiJ3>X=}!rR86T0p(&~) z+6vkcLXpIwQKE!ULJoxRJ)Q1(_ulWj-~FF?-?hH)TmQAPEO|UxOYY~oufy;6yRKVn zP5tGJCH1xIVC7{oe7MSdL}(I?5<5MOyeb%KlD?huF59g_jMiV|M)mceE=ALN^@rNm z*Onq*PMdR8$fXUaINsS7cviwJxVgFuevlXUrp)cK*r`&&1FxSi}uz|^w6OLhBAbb1I{y3-_ zFDe-YUs}TbxTY?6p^83;StWvd8htOwo7dKOv#9kCvn9#)dP|BkyI^Z!vs3Pv-%hRh zw{KLYR)on{OH0=4u=jMdE**{OQ6?tTt{*#r$_^GsUYorf-PqAR+&9T*1M^V|KcESt z;80@ZxcQ(jT#%cn?R22ECr0!pcslNl1{nSoMO#=`Pjy`p?IMT#sAt`GBRREx?XB%# zD$%a|9C~-cuAEGuy{QVi7UujD?@eaKz^v?%^I|`C+oi4d>~TzOS9jj}HE+}%Bq2^z zTw*6UJ0FXl@P&n9OY6e>r)7Y{+e|#Ack%PL>)YxtCM=SSh8~@&7!-`eT(zC&CcNRU zbE7LYd{OWaaaL|rXR(-is%bw z!sQkCi2SmxtP@okRMhBkl8KX5_sAMY{SCcMcR!+)Vz83-Qf-r0?A4(ev0BTBAM!q=ts71oqn zKhI;PLDJPsfBBlUsX{;I-7xxCpK0$ZXo)fPmLcWDXR zZMmW6m>eN(L_y@#D^x(uShbcsy=!^z-IbSVCc)$c`SH-!FV~Svo9~sxiZ&!fHA}`c zq0K!TpTn=cv2)Rw?f(+4dod5XOd%rS*5bb7iP{NSaqF1%_(*?t>RLP8y7ukdnkpz* zU)qDb{4I%m2Zh28*(R4>(4o{1-dfKoKh?YRVipHqO~5y&H3`LJ{i|zZBPW*>1J;UT zyf2=wu=KBsrmkR1h#Ina%6hRX^dWS;feF&l>_;&gxWjCk=sh{4Tb(AyCj{Hh($k(! zp3n1)*zdj&JBIjby=J3pl7-3wLM@?)%Kw5{Ik5F(#QekQzv>T7IRXL z+OtMlUToLr`YbPGr~8Ixa@-fao@k2;QR_pJ=ZeGY-$_Rki0f~MMq+E%i`h>SRE}LS zgcG3eb|maFjCw=-hVHh~-17QG!o?*`cZ`#*Skyc8_Ct8Ka+OR+D*rprYH1r0^xG=ziD6}68=Qh`C zIJ>Scvu)r8GnFShj$;F?(~=>-J_Q42rQZf;)D-X4KI zJ&kq`SdsB7eLD;-!_KlfC2Jis1fi-A<-0WlHzV#?{O7BRAA}?+O$x48ZIb4MiH#|f zTO8mk1I+2rgKT6|>&!EBhby*!y89;z6Nd49-+8%NSp}7TrXl=7qY#g>I}i}UpPRfi z_ZvK*JD*Z4j%P!wTy0U$MrXg8EQoL$Dqr)*8Q*eU9-b_W_F3^Nlm>|j?v_tq{DS&^ z4E*)Ql*hY+YjTB0FD(sS$S%|r4NT(EO&bv2Rd~xWJUb_d>FeN8>C;=~f!aMljc+!E zjLtfUA=kv_ffcT@#ip7DlbhK-NI4i6fW%5y2d4*tA z-{0}kId(!cZ?678|3cOjR61O;Z+yUQCAuCjq%|G`ymn8Rfe2K-4e~@?CGU9Lg+Ocyc_@LWYC0N?bPlF$-Ykon*q2 zYM&iBfnTP?6~jwZ;+IMWqnlR}oF^yYn^%6I&fZ;rzUOiL=gJqF*7k}MelwY$dm3N0 zRF`~nwE@z}yme$fIwk?JW~sXFkJz!%!Qh`?_aH0qpayjU(_X&LZGr}!!lwmyo1RbD zNpt8Ya3o z-*oZnP2;;1JnvR--w7DFuJX4Mhwl|B@f?|qlxnVsp_^+XOhT3f?W9f_%uX~ew3|4D zira^a8|=$;gfH$l>N`GPzeyGvJacZHbCsk*v06#A!pEeoh?Y&)-7D6=kM@q~V997% z5yPe{KyvuN@mhVE(D+)|D6(D!p1#i6zV#39uz$-2nw!vG%sNKnF6?%X55NeOiI%R< z=*b6_lAaqMdA9;zvR`?VO?%TNYxQbLxDsC9$bA4E8&!R~gZb>Xqi|CKciV46rBdp0 zC(iN%d2ZjZ@@wsp|CEt_dMnnbUN^$Wbg1lcKn53By5EX7MCZxu*Ka#yYTp3Moti`p z*so`*dVMdbV6t8X60=>e&<*&%tZgQ($f)4RPF}2NE+PhoE}hX_)a#>P_Q9rF;;5&W z!gq<5wA<6Q(wgI!zMICVP|r1QDcaZcVuK)Te7_!Rpg=EO!3cEMi)uEQvS=^PE}Po? zl(7`hQV-^ozxVEVk*(Eg!$Q=7V5H6?TMqMSxfxdSbYUEQlu#%hjz;ze9BoPy=HMOK z?DlNzI??GakzD$=VhzdU#VH?}MYyegOiObyqJ}FsyCl;1RFk@=2lET0!J`| zO_(m5*HRh^@H;n!F&PHCA}c*Qj=O6jnQ3IijyAg`HKcq^g|lt1@tG@rng%gHfx2AK z2SrP}XE6E5h**=wFFn7daup9<7RjuXxmxmWBN=|E^QP(~&;FfD0gYctPMAA6(Ua(m zDu8k1$3zk?p;jzB+})E>e-<)Uc-yIo^(Ljg{qI)yDL7S^t1abE+BIVresx!EAFbF- zSSHS0R2*Ie<^LuO&-j-%^tX$gUzL7UM|}umBtT~K28I1kL@qsL^rLfXat9@wmF$aE zjvQVI*!%{_zwQzN8WlP{P*Jii@(#=tEk}dp)x}ah{x^bdqYIZqNK>iPi+MxdoD{)> z`i8cy!3YtCc?iTx3FDLCTE@#a&-eaFY;iF+8nm)g3?ksETQ1gmJBL^(JT~*G!yQy> z5Y0*X;`Arukt>al{ZqWIKC*Rbc(?CGKt6J22t%e0p8F79RwpoN47oeWDE`kb z?H@gy-$?_%b!To${Y*C+R1rMyWQWFSDN&uVi#ljb1scwh>^AFNbt0-G5m%LLHkonM zq$0E24y)-Y93BdFmGy`J+#CN8)@H{ZpUWk=chO2QtFK&%nh~a)nc9~@?pfyI_EsIb z+g{^bEBi0dKd1({nZCdI@WtV{&lsHfUAUKA<$O%sh-Jr=BNTZzt+u+nwaAWN0M)gA zn5K%HnSt(+trf7?L@&cO+xh+{eFt&3vz=^LS18AOF`m7$rSFH$HC&9iAH+^g-^3dE za8o>pH-Gs1uKN4t`0w}4-Xou1qUU2m`W3GJPk7ULa!?JN3f4z3@ zq_eHLqu;m#+7@GS)Xw|{*o^O~kOm2Gvp+%fzl@EuYEyXY85Ee_?&cQ4a;~Sv%r>br zm)7Dqm4u?j-m8cYwD@vG-{4r|vHGeScfgt-?*}&gwcEabaVfq8mV!I%SdkqDIHPB6 zHx~(aHrb%l_+IxtZWV23N%VUn&J*t-r5AJ{S=uP#R*NJp*=;rU`04He^9u-U;T^VDiTbXb7HoAdH zm>gnXB$)kkit}G>;y+#Sp3>Vg1!NfrS8t)| z&>d?XLWN^yWztA=0&>iG^M0=i^85MuZlkV=#myYghzuA_%C2u#j-3}CC9T+TTkR}{ zVtoVmgrr1Rkk^KOz7F^bE5@Uxk692!_T?+86s@Dp7uH$*J@+8 ziOgYGIhRFVbZYwiz3SM3F=0*WpYe=;zvuZIBLF4bYdI$Ddj?GBeOPC4v&S3J{56I8 zW33*fXyBR!jOUV`nB(JYx-~$dFrHtTxP?lac7ZG$pJZ6`6TS!2NZ$a*(H7g)!&tj; za$hVAQz1eax8<(N*x`kPau9f|O~9l08TJIc>enyWbijoFK&bH)AI^#C$dBhN=Xsc< zs0GGj=O-PLM`X{#Oq0b(>v04M8@_Zeu0zivIH#U@a=HgfYCbhZBIqZKS(`e5B)2AC zT*d}?nrA9c33x6A_u;UWiHb`eD&B8WCfki7{$iZi2gHerO(lCq0N+r=U0!tWrtJt) zq&iw;)ReBLLgmhkrH1;{s-H?|#vu|*A>@fT7X< zu%qQ2&zSq~mJL*9?CqY$QlBsRM!O1TNb?7~w&e*H;!C?e8j)bC~sGUX5)JDw?@}_Hlo5DHeCHHX7N1eAdqu=U8Yxn?$xz!JF9n^5OHb?HwD4Gy(QA_5;{do345q%iwb;` z+*t%NSg z;?%CME+g3~$5wVQxb}L1alVi2Q80<}wyo}aKn2QST9TB5oRa#QqfkwU^u_!9jj!@z zHi%+L$avl99QBBcWh${Gg6fTggv(eF!d+z}e6fV5G9iVea#DLd8qtBjT~OnVC&Cd= zV3vGV@UUm;b~T{JS*!cV1zqvjILPf}-vTA#XW@)Vbpr(ooh zqp)JoZ?0Qb+59jns7v|4$aY+YXDcNBr65#p{lr{%5?Ji0P`3|$a#$8*(wTvCd*NiF zvyf9`#_Qlmcx7rEp0>4_Mx6>|%7OAe;)ykxhujqitjE`y#H?9o8^4b9D$;>Tby-Kwci!`t04jtlF8d zzXV|c)^wUoB)|7_b~nqDByE<|KHZXDz6%%Iz5K5Hf{B2K+rM&c-aZAQ zYBL?CDX%X!d8qBTG5oS1=Rg8U%9G%m<45a^sL;81C;W_;YOKe&u zm)5EifFG8(Xhtl_xt^vV@?H5+&a77e-p?p`Am@yVP27x&Lwiwy=*TG3=iEMLajIE% z)U-|d&Qf^bx`l1rEN&r=PeSP}m*f2EK@HtVgcIXMQAAD|vjR+;c+U3hGOxLP@r%&dwH8&s&6o!{qMftPS?o-9+}H4Zus(f9P>CaSYVTMzP3^KEnap<8JAtXTj752ZkVAWga7 zFILfyihKQ*E#OrSO@1fsiDmdhL&lA97J{>xXGpWZJcg~2QX#;D>NubzqnWuUtddZK zZ5yUB`qp;3LJj5DWxog&9!sz3x!KwzY4fLVBK6ER=W*iZYxPps7%8zE55*&wui$H( z$h&Z66ZdIb!a3dMUtb;niJ7;!71ybn5}DgG$|Mo3(`%f3N34)$yynm?w7jUpo#uPi z47zmxr(xsM#t`>E!LhHRx9AA@>i64UPgt?|GnN6&ydJ58HZFr^#1lI5U37f&aYZ}i zuM^3UY>yI#qY0*%a~7;G|7qNa3<07)1diEg8_#OV=z2Eph!e&0@vWDA1o;H3FA^4| zHf)Vf(B+SD!}NKUvH|F47o(Y*qpc0Ux&}D}68LjIepnyS*M+$g25$2*U}{4UfY3GC zNPsmh(pfSG29w6eA0rVu^*CO=4BS(MQ%VgCiS$E=#7NsmWPB`6r}4BA_sjo%8i`uN z$Kd)YcGOMym{&0xx)?fWC#Gx$8sP4Ghw3IdG0HpxpA`Y%VxrH^m0v>Wd-~M^QJI(^ z0WVG85Rt&8Wq*|~?l;#E^ENc!4$EWVxY^3yV@Ah5@XpNUSPKF zO}?^0rQ@iZiGb^}bgbHN2CKzS4>TrNjP(qBjo_Zx0ud?hwN9;ttW0xysrrW8l8$Cfh)LWRGA_Fm7Je)dfVrsg8X!Wz=~gfu zsHpqh4}Q@913COp1jE04Tiy31XZ?;-(NGmE>gSdMa|ARhHO zHvb}AGLSfE6W|TAxR(Ulj)k$7A|GSH(8zf^TH9>}FCsoBNyhqhlOQZ1*pq05L^}m- zx`DU-zQjCZfa0%9c6W`tO`{2{J3dcDH#=f`SM!mstFPh%nak4}nR( z(~$?i#23)-wmhrVJ8!2+qkE0$S>-E$XBif6Mg`ir_y@@~wR%v48E(Dw0$ya@UE?g% z5@0}r7((c82}IzylGUfOc)nrGwuDbz`1Yf4K<%a4}y2s5IWB)US4uJrmAg}{!VtfQpPlqZd3b_c(bV;HQ03A6kd=1rpB41s<>EU*(NJ`o5x5GMb2cAOV4>}odIx~YlhALHJ$u-SDxQB0sz4V z=em%A$Bx0ZrNAyxk~?m0g#z7zvRfhFpTv>PEZ!DVG+p$eKQ7f+W{1t(ft6w6fOBik zuVh%i}L^qV(S#014* z)oS%-+N!1AOTsHFT6weGMoV|jhRu4Vl+dh6gl2J%KO!Mf2lJB=_tt-p;r+vd|Cd(c zQgBTUrmQ;If&3w3(7IA0>m5*kXFqz>d zDHQT=ukDS<`(pLS;!8I>!nMQAWC{&zV?9$Q=tUJC61B0gGsN3l7ZUgCK&cpTi7Akq z8E>psLoez|OEQ+{+f|D}w1U@mgTh@I*Wclm?B{1>nJu!xdBodAI&sB_UsDp;ol=j% zLS}`_!GlfeWSH`uzZg>Q0wL8>%6arLr8sx8g3xg8dj<_=Gcyt84n0Ig290UM zVy-St3G%${4hk@e0qU#sHL+dLwOh2A&a^I7Cvcj64*@+M5OOk5iZ42Lw>p*=hIZm7M?yI9B@r%LTE{DKd6N`*xX~XPrevbnXKBCZRG6-f< z7$c<HUiy>pe+bDUUW@Rd}g2P2AA5L-G9Vh4Ke*->Pb+ ziNy8=_I4djkDT{MxdkDm4Z;?u%Sm?QeyFuGDll3nK`sjyi|tftq)Gxo+VLJ)_{entbr-Luvl&={eWoOP_+8gflC~1oQOVp!mbw&tMuryw>GEV$gc;pT zv=i4b}PGvWwB=bEX!dUUd=R@@y1im=WO z{yLCEn+R)*-ae%YKYnA`V8P1jYozHIw`JNAY;%-~x7sk)q2tMq)zDMTXka4Uf|45Q zrPs)>vpvTirm7+KqNl^R2?8k@vu`m5Hz21Z$Z3K28a=%10n06?yUJ)s1!8dw*RnxP0(USIzT8ZX-3(4Or*(?j_% zyEN4CQ^)Zw;tBr`g2tdIHTMGS$(hO{c36)CDuWvDp(JLA&+1$AOilmJgQ7?$=K`^K z=Qgm2WUYaj!4?j>8G|l9<~KZq;WQWSfwBgSEld+tnteF=1m*BcV@XCEBhuT?xkaK}^2gWM* zZmtBBThIS8X!~0IBWP=spJ2p&G$;f#3n~0l0Z#!>U~CgA(i=#lr<*#=sl%vn;ei(e zWl38Sc(Weg_5Xl!3-77#n{071S@|{Rqbk63t#2n+8$8D7Z*OeF)k1Rc(IB#ii6fSI zaC3|I7C8&vbXe-qG?5G2_?o!icqiNa(tPLf+|*A@i6UYKou6odtr zDz3>r30}Ob_(HMg!x{KkC3CPKjvsT3liu(1$X?XSRZYiYL-}5TfxvMFjpTEUl0b2O zbrxm!?{b6?*!r-|Ux8`;ratneDEe6m2c3uLvufT1b+G8{59i;!4^DM5l---b1e}J$ zcsMvr<*E{fMd!4iw?j`49rEaS!H#3l^BdVEMyf(tU-(ZW5c9Cj=*oGBioUR@(`Hb3 z;T@2I7vR}A?XaSua}81wFG_B4apHFGEzR0X__S~Jx^$|npW2L8M~Cix7KT-2Dqe#( zRGO*X^(A%!dUbmn3#T&psgQmOo$2!Q8HHmGdUw+ zxHofmEI*n80IPoXmve=!J3i(LIKU~|G@Y(McBeS2Zk4-90&2<#O2zFdfQGT>DFVE8 z?G{?v){}OA%j(pr$0n4LEF*xQ4=kf$WF(Srhkqxjs8)Wg?*R>xQ)9>h5~1-!q?<&W z@J4oq>G$y_SC{eeKt2uaR1g7Kl4h>9r40v@;o?sz|$CKngWk2eYBCGL+2YmrkCfPVVWy0-KgDdm3S} zABtlxFNFFg0w}c(B21zf#!azIbB9O&rK+2wr}Q5|qAqTE!Erjasyyt)YQzI}im}bj zqV1T6IW@fr^t|}(m^(SzO6C@Uq24XY_v$@fYb_YkN6GgPIURYNO8a#U07j4Fryoaw zf3fbo$(7Lu)^8Sh(sQ_Oc4(v*&MQCG1yay?h7X0;rP7sMzqSL@N3T!5V7%V&59*y4 zZPm-^s#|^MY%cH0$XmL6szp@^BLHlTI9$-WsHEi^z&V+z?T7mOKQYDJ4A@({u5)*zr6DmK>LZAxc-&+14wzdODHh|5e1exrJ*Yu{P?cupY zu1k9qy*3*X6fRa-A8;H!!4hqkZQZs1Dn0B-5@fCI^IO#0j29$u9Sw#YW4r(fkGAD1 z>jE4-l0s8eg~r+utb23;KSi_c#>^>{hTEiRDL+&TxeDH~j-#gBijJzV>t2IrvT3v|=<2cQ{Cgk1Ffe`cMRIfe%r{~v zj$1XdiK*vzM(A&y-5IUbk2*yx@+#xf%zV^+B?$pjFTO`Xpoa{Qtmg*!jF_b{eN_xTIxGBdI1j7C1 zc*gWh#CA=ah!aHbrTZr@o`1s}pyYKdZVlvR{{Kxp@qa8X2nTh96Ga279>A18eP36X z=C83oGDIpprb+iG38@n{Nl=)~%!scZlrP}~vP+AoHo?a=rxx$C$+p+7QH;FmDF0qEeSJc6unOm&BF0Pio zoB)kTJHutin0ey?`$B?icB$GRm`*CwV=X$i80IY+yi6=coK6v{07J_m-G<{2dQ{fe zLi$7?))N?Qvy?#xkOB-<9d($Sl5IKGk1+fX)z<&%;eRSOUG9D~0nl0TXZj~9PC?q5 z^H|9?Xo9CyepqDObM`z_19=Fjx=Gr%))>=XnM8lEhK1~B62aXU4CmorC>p9dU|Cc! zpqzG%^ES^{hGR(Gxr&7V8X1)ogM94l9x6(ymBpJx${4XG^B#AP?$KklVEh-u{Z*$& z%WLcWU+ zlI-h&)BOk{#avB77E z!vL>oMYag8se?sD(vP{nKn!c@qUT!jXca=)108^esV-&F-+(W_+2Qk$`QC8DZa;Qk zPZvW?tKl}ct4LXcnf}gsvkmKc06ypB?LI`#Sui+5c+fIyK#NzCsgW=4sWkPmMbXV^ zaB!5M1ZZx5o7+hCoqmyhrYLo(5;>FkdmeR(uKPbjt1YG7(-*vfw7e>8bT#nT>lxhb z=q&y(_sddhvCcqRjTj%q<~rdov<(3%wP7-B2OZMz%~i?KfsuZ;^yrc<3JZvx3nXZ< zkbcED4o`mnLrM+emQ@6=dlE4VjT{~ z@6!xWi_pf+iIFprt>1X)rL~Z5!Bd#9RWo+VJMPG`1Tq-7`L8is zY8)$o$$0v94TCCB2-$wBLVYg9=C^XlYVa9!68};_9rN|tUQAARVA&)<@&Mu||OX!WDWLkZ9TFeV$UHIT{H)I>8`R>u`Z(f9=)UlOFI z!MF_TU#mBk)06A$E7DLtT=tFW7kgRIU)P=wmbZ^qcHUIG>Z5XYj_K35hArfdK<^*HbB&UGzD2BBIeXtot^bS-P1FQ)Ag2 z_Mzjz5(W;ionP%u7R5GgRGbJ`dIq3ZX%cfY?^hjT?8zW99L7N#aPaRpEL{(*^z&f6 zWsbAU*p0?n5ZGox$w}XiJNQ~~var@np6>43TrU;?aMQu%kK&KGkShI#nT3v_!@x)v z-ra`fyDoz$)5Us8?MZVl$9ID}s^4!r`y{k};91-0l4bORw10r$R-%! zMxgP=|2Om!U7LQ_OITTezedIOs@nQ4{`Q4>0E4W$7WZoYEZFKpYjylS-0DoFy9)Sc zRBnsYmPJYIkI-j0as79N;u@a2-Q?j{Ej~g!K#05<85C}a#m1$c6tyEpfZXc0>n=LN z)tJ59qm;Ky=GrM+sikHg?&-RgsSp1ASJz#yKYuI}VoLPuP_`rE(!ngYAYu6OS7jaA ze^!0vx3~)^+=BN%TfoOu2vUjg^}bn`fT(WU^E@r2jK~4%lyo8nL-`RhjeHrDpyBI? zRMmj~NDl~f@*F}vs3f~@hE(6d<=SsS=aUX^PK=w_Whxd^;>(@HUOaaD-;@<2!;FQ8 z?+xg=xLnV!$q?=dS7W`4W`~YVEWR6`c$cC%U;Hld;;z&BunB$yVe&KjQxvg`;TV5) zY593);<;i_yzFkHCbM_)%4|cY{a#4A;V#T-uKHr2BZp#~OvxCk^v~qhy{EX#jqQL* z6yGGMm8qk`;GZ8DkxW=+)Q%~&svxq=YJ^&U2HS}Z0>CEas z6dHJ+?dS|nuj8+@ti)>P`5N~x^^t+Ookx7{Zn-)h7|J}cPth#Pl~_Us^aAJX+pW9B z)|CJQ#Bax|5{*{OYO~cOd$w8N8uLnAKU6ongt26teYs5)^?m4# zjWH`c(*&^~YVBszKz;4G>CPBSs&I?ti_D21{w1vbFD_QcZmnJq%+eJ;QhXR%)4C1U zuiQK-vVfy98oad+sQkMU(4cQLOQ)SyE4!a}sP1)4@mZJtbPLU27yexI3R9zj2e^ zdrNWBK`$A)T}{Fd-FuRGQ;pa3t<8qV#y+26L4v%IWSbzm-e9>S2$0dd8zG(r%Lg(Q zUNBerPZO81uG^ymMEzCVoN#Tr)$%*0b|tgu`n`5=Lp=Viz;g7~fw5XZCOT?vCN`Zs zcg6p#xR>%B^Kr5IC7f>eoc5R32Mp%(7fmi6xW7<>CBKcjY{@CoBsl%qO>D5SD)gg} z*2o)r5XYW=qLbZsul*tFNuaB$IvUV=xIcP-5x->$+gH9z6?;T-?2fX(6S>eTZ|LEX zN*_SSWw4ZkgVu2DOob_v(_*>xLsW~;Tv{{2kYKj7KV|V~tsY(W!CHX^v#| zg71!K4m&z@URO6|T*uy?&c*k#e1EbvpZp>Zb;r?}G^PU|71yol4d&t(^<-v^7Q3RW zJQL;N1t0?gDtd_wdV=1R{gl$k} z5ybqJU=v(pZ2I!(Nqy)~ea=s`TS!kW6eF!|&Bu@yr22Sq1oLn+Ho_uGKu_9@z;b$W83&G8cks;bKVoz*nefF?sXs5K+8 zOA!#6c!A+b1Bywi4y4%b}wij43am-mIunAe7yn;Hp=+mDPt#`}olgpF2Ki6Kz zMy;HJ7=|{_T7;`MAG7G|iZlWNKTuy|ok_Ee_hUN&ZalYoh(gzS;k21zR;zb)iIbg_0kxjWd`YA} zJCiZ35oj{o7pdiPG@)%RG-_#3_5E_U*ND}^N!1sZq2a~suJoKl=;VHPq6a*#^E$bv z01;r=^Ta_VIeY$!-tF4#g?S)nhvGa;^>}YH6^|2|vxD${j?QkI%z(tnyVRZ$s4)B# zjtS*D0^!t%12v6QlW;0spku-do+G8S6I*C9uMVxnF?acF@Jyyt(=Rs-eO+x2=8R># zBw)N&63W)EE}j1nODP=6V)FvEfX%pLeyGC)RgoZB9Ni^ZTbW_i4ZZ=3DX)#{|1=PY z%m+%kY2rij)BF2;X{$A@GQiUM?@3>^S)uWK&G1s<568*PP^X!i8bqC9DgPyR} z%uqx>2RJit(9Lq0I(2ua%|;7_&k=?43Q4}QNr>%iOi5h?{?GRTJg;^Bn9ar;fvyTF zE~%2IL^=n?dW;ScGCRXaJp(9u5u{}9=JzW4Sm!nX`O7{)vrvT|k!33S3aZFXxj1i$ zLrp!*MppjH*$2rAe}#;fC`GN3aQcOjuW>3<@^0O0LY$uL#OIpN{d`40msAq)wT-Idwt&Mr7eZf1ixz7@VwQE;YrHH$_i-@T#(%r=bP{1V;<-P%!GzB zL$Gl*M&mQgA?XQ!3Jo0;0Huh9fq0H@t4<-p2rL!FWA~yr777{ZVKwW@zVddgMU4B6 zRyC97{<*JTUwDi868x1#5>-{9FpM$Y<78)(KgKxws5p7;+Rj}yEW`+#JnI*@?bp~9 z+iGL51z5{9a{Pjyvt5175&$^XPmiX#3Sq-NO-22-o+B%Rea*IeN()1g86Z%MYBcD7cyfq{>h2(Nc! zV{bo>%?BU4vQ3G!n=zwq+NlG@m~`oIu<7$IRF!Xw?__$0d)8+qrcb`iwi4tkAR^uY z!doYsIH(b&rf+{;R*7QL+Z73obO)wrBl!Uwh-C)q&%Ho)NE!eDo=`D|1KmIfHGfZa zpOu-m%O!)M&kg}=)S2?!{j@MTpB1!hiq7xhF;4x-G{VCFbICr&LNl|gS$(b>ef0kp z-HZR2@2bK+e2j+C(RV>V020~!QOC|-{_LV0`M4-RF{v6f@c06*@5%o)GMFjY=ix_< zxL5TwsIebu+zGK=ME;+|AzZVsVU;iaPI&$pht>TETL0`CB>KvXZ+<`FRpdTJp}?z0 zBT==5_P~cZ2-`UU%ch>CKMv~VC8;V*2`El84fl)0uPa69s}t?*=J)H1qJmF=!8o&- zbGjan3>Aee#9Ja59Kug`#)%NQy?ftzeC4{wJFDY%S`YXY)nYUz7Vz?+q#7fBNDyyq z@ZqRqsaYl2cgUW!`|8haqbSFrr{G8i4j!*0o_~LIq9+3$ws|9*u6hH(ChD=+$#6l@ zuC-yXJwaa|Ap70|k%z$a=mpqdu~*KIzgx>m|D*FkP9LphK%q18&svKYU@ZWjqwVY3 zSegth3qgJCDDyVU^n?Z&j$cl*F^fGfph9LSdeJuo0ZI*+3YtKAZH)>lTjpW zLI~U4H5Ch7d-VPoQzkEpxHl(n=P^>r;#47*G1w`r8c8nRldxkGmb$iGTC0bC(%tLvYa#c3d}oopo_PQTv^;;o&m4}t z+J~40*&@RYtI7!~wgK{nx4&4=JJ0WI^Vz-V1qKT!bs2UX4Q7a2(Ab6RC{xx!MAPyU zv3P~E#ph()8DRj{#PszBFN|046jR6cU08#pD1w?o4E?DDJnfa7J;=uUn#am zssN0@*G029IRNtY0U(6sp460N%?}aA{;Dn9}(-Q8v4y8zc^PoM`j|E0TW!QeOYQ0pdN(C~z zp>rS5(hAo@bJM^iq=C!PLql~4*rIl5_PHq9nGvlCrB%K&JQ#TAHG~#~4#uy{Hoo?= z28Nsr<|2x$3lIdTs4k;peoQz-MfmJS(g0jX=;JM79HI ztwpfyNg$(5bw18KpkZ439|SxBP6(C7ho-#`VK&nk&_5}7?#25m>IPt0oY$$I%J9hX zD6+oq`BiWJJY+ovJEM`Nm}m7O?w;ZfV)o=chZ%vAYGd{;5Y+XO_s{m5DgREuGtVpd z3N2xIpyGp)wBf7e<=n+zf~~;fl{nV4AVRe@A``U&6p)qOR%sM?3ea^qRYcP(3#B*m z3O@{1CCF!ofWdRSXKy=#dh3SoW;^&u7aDbhGL6}$#je?$K<Bf`zQIkALDLm+sd6uQ@b8(rsiJXA85{MgM=u3 zn(gDD_aC!;MDRO`U?#3hOUzM=$Wx|@Qz`4p(3%u8YGI6s^;m^sv6vNXm0#P9i4W08 z)y(@g29^Sx-JO`5sqlz*Z}Uc~rug%j*NJ%lMQ!j7o7lElAP|gH1}|;!M->9wB{QEA z1KPlI*^CMP-iRdJX^Ldh(>;l`;_~Z$l#J+r(*(lgA>1)GX6q2!86`iX(vUjztPRwE zMN}hmO^G-DBnS8)>!ORX6Nrxw&D5yLwdn5??pewwL?#+L~rb+rs2D826 zj@ZsV=^d||Vg9#_opAMI#?E^3sO>O> zuld;QBaM1XO*Eq|G3ep_O0ZbTGTEn#47b+6X*rX(B7<|{p$D4)t~F zG2q+ccWFWfdcha464n$OoA?v4W$}3SidkSiEEbx5l#yn-J-gv;Qgit2R<#AIYZG~n z=3kp!a5cSe8uq!PvtITgPabOTJ&y8gJ%-F*AfOm`>CLD!&lfaQkCMR@3&F~KcV_!y zjs{g&tG56gyQ?B+w4@(%eleoMuP?8Oj%)!{wCwHrU6**(-8Um`AZ0T3BE7_r(AFgQ zQRdV{m2xYv3v`0-g9E;oWGT+DXYy%}NtHSc_f=dSlZ)|fRc*bg>BBi)E^voOWrl2Ig60W4x3{0FrE;O`zVVO?D57hu-BX z07{0^go_ivfi%+FjA?w2Q-SKEW;<8J!GJbRU7Gy)hZcXQ`JGNRD&{Z-s|8nUU0$s8 z*0NWAU~R<$0k5M-_SG_=il?%w&S8d2SznJElG6r$Z>hRh;Ca2K@g%u42TkiK&C2cpb*e%MaGC!(TYHffRsrE6OE+egKhLn9weI_OpRihWV@AcEd6S@eSOMj*l@HB29))5b z%EABj11uWN>bUZH+VE4}p(pkx>YL{$q^VY5=I z=4A=NZgQMXtG-;H)@-g{E?hA@smXZjlaXYg(!)A<#~DEgT!1hOm;(dVYfeEVOp{$D)TI~gI zV+60lJH^b=YBO4!4yk&3%aHeg-4i|0t%!_!gfC{C8h9-X#*e6;JLeJy;9P1_%uGClRS_=$dn;_~RMF~U)f zES{tlV%hMbQ95gEw27wdceJy!BENjto{f+VZWkHNpBc{}ZzHg%W{}p-$dHZr6Z7yU4dqjHp-Y{aypt=P<*kq+qMVCAp3?6FQwz_I)`d=W97qtq z6nIPp^H#Z=f%oMV-+(!kh}CZ@y#sMzAZ-Pm~3-lV&U^3owcLxt2<`g&!dLVpA6zoh_5vwX}NS z6G)=u>PkavophO2<=Tp?!AAzMxS+tDMijv_(4E)14W8n=8_c%ZF>8iGeZvMl;(_f5 z(0M*$glenWb`7rDYx}!OuK(_TRLPB*t!80L^wMnn#7felvo+f=7iZc+>TvZ}D{)KYPV^jTvle zT>d7h6!(NYVoE81X~x|~UG0B8F#Q@y5=Yp5Ig5sNS6SC?C36^ zdK6mp#l{4fVb941xKe0eIBksUxzAaC?i(JTg;nl)wM})-t)jy0A%gxOCt7SW88Uq4?zb zX--i^7eYOFy#sJjUz(mOIi)?V+CU2e?8Bv3;C{B#Z}W&Do=D+#h)=fv)xgJY&J&H% zqq8hpCwUeO$`Rqar#qauQ@Q@?=aAA+#Sfl#Y$A7YdlKM`W?GBh?6nFh5tZYerkb!+ zROud(@1*kjp^C%~wP*%Cx-@TQ=86KNyv$_izwJ<7_2!1n$Qu(0C!3{|(=Wy5PqGpm zQ%;m%iSDCXLl&>W@?mP8!*x#T`w`9p5aYYD+e>y53SLb!DMz_glebt8{O(Da`!9JRv(L!**(w+}c0Os~#1;SVp>x3kih--c#H3B@MJ z($%%*y93?=20@7^gkQz{WDW3)oAgEJLmedm^mWexx>B%BM63m-t)n*H48LKw5hbB6 z4~A$4|51CG1Mpe_Mu3NzFBms6HvI%{8-8nyTV*#DK$G=oiyuyn-icF4PVFmf3ry`D z{tmXEddBE02tt@S8gEl?z}1<2n@0%Jo(4%9-8%4*vy~}D{o+Dr!;vv!53SH|Mrl9# zY8E!wJ&oAZio{Or2`TCd$8`T<-wGccWE-5zBgr;W?5mfiViW^H`-;2e?dMBK*&OSqBrTc~J?~6kU)`ozdHFtdKf}-Da$}9>X}iVK7~xLkF9b z!k7cCn5>ncBbb$75cU;QR^HmmLlZynw1`S&`%33Yiuaju!uLrcY~=23pL1>ff#qht znf{xOwgoY`=e-}5q|5!bDf8fH z4yB93nZR%Hp!*V_t6iuD-N;KD-tYL*;faSqd7mxzyQaKp59^Y5P4b7&Prvfm7Xr}B zlkH@63%P(nJ{!)%__Lj6RPQj^;{wc)kSZReYJmt_!A$Me2orTqhEA6h*`-QOUaA!N zL&(Rc2dvmZR^+z5?UgW1zC1UgtfXujE;0!t0@kEaxo>!x*5D0~`*}_3#3}FxmKE7Q zeZ5OphNM$aU`3wVSb6ixRzu#^AVV%VXjz8`%K5f=hNt8eY2ocbqrHi@@Ts@s@4*in zilbh5&6Rrd?9JL^-7jYGNBti~v8L0@428n4@1SFS*G2u{*_2q7l3_L-?^9yc1Q_O} z#D55N1B5O+e6D+MN3(CJj}nROOBGnQV5ugzoyp>EQK} zsP)ne7urAFE!TQk^uGDTI-9Z%Nm+D+>_0M+TtGkMSF@d+bIfI7mX(c6J>I)ut4eox z!7{j}HiJd+`Q;int?Ka@1$Zm#iUd==4He(G5Ro@pV{LB2D;bY(F1C&-j<1|l+RA_J z`(b0kOaBjE{jufmN`X+8NoZ$+^F;D!55>3&25mA?8s3=(0><8@5hvY@&nl{?{WJr^ zqsSS_%#vwJvxBetm&5VFmZa&9?n3)g@qO^vpxr-JhV71_R4(>Y^o73`R5aY50^7To zIPL;F9g6R8YBw1>GcE6h5O0@B?^=bLllhF%@=0}*{9YEfLDToZBeZ*}zT!|;CrP%b zcsa)#UnlkI z2nX`ZJuw=PiSSwey%w)qQ|F5co>+9~iZ}_+FKxI#|H`pv78j0H-&)u6%=7W_AFqCL zVePK(w*}u?_~SNr?X7DqR$VtWtvbDD|My;tu6(`8zk2?s-+XuP)aF;MoHv_WT@$DU zHHR?ulCEhLLK##ugzs=YJR>=jju4a%JFq8*Q@-LV5y82y_I&-R(ZvJ;!%DdzE*6q@ zY~hd5^DOwQ-VlzBR-P!kUr?<3cxjNFb+|->O&?VP4c5H%8209y!<8z3Q^9Gd z1e#iw4gejA=m07$vH_n<_c78=F3Y0}V_X0{gI^lQN&)SG&~N(+qWfTdhGLz`@d3q! zQ&spkpL!heC3O|l945UyY?0*q`tVQ4{LS`#M~SlUYCOs`=60V(ZtO@R3>FNdQ9+AT zbXZx?R7|2`oSObJf;jmw>0tKhBj>ktlnHmyN(r4T(ui_Hd$#kyn}LU#A+F$fk&&3h zN0Y**O1hPkoToHZEX+G~iZonA!cPt5X?_`aSU$0FC9+QWBpV(w^^>3G@<0=kXVb#& zC$*hip;G3}q+&X!rv-#kJy9eZKQ#xr2l->pHovY{T#cW%+M)z-j*;73`oJukhyFwZ^mp^40iT5R*Z84AT?et~lCCtxfBh9dZ5K^1E$`O6}jY(`NM&1`}qTWG82CzE1Nh!%RPDh9oW3 z55psXbea#O(@0HgXX3yRK*-S;`+Er0X{^0xj#*M}r^G&uzqPM7G3LclpO;Xs@I@$ID145!6vrXODs z8aWv)^7Wn0n|V874U;t1IB~@Z;;D9hD<0V?X=c#dw}3Dmp<+K2VKhlFPsHGL-=`16 zC*!6Iy7i7ssvXoKiC)d}! znV@N!X3B1o{irxLNzS_NDf&74)7Sd=-UKBz$y&S1Qk*fp(X2&NLCrZE2 zo!Uqqs7b2Ow3G)Ph4Fo`X51puaJN^vB2LqpA|a?GS30<*_u2+#TttL37H|4^EBg3$lryfOgP;py{uae4xBf&%TX+yr8Q&b+J{$?~!J(L%m(wmE)T3SQa zuxCU}5{Rt-8oWGb+LaI5+^@NLsYDgyaWxNpWnVvJxsm!8bJkZZw(9q2%t-rHd~cwn zeE97!pNAYnC6TAB$h(_x*SlLRDyC8^3dUx7k*b6NHfc<7Iyh}`prs;U%V%TiSM8^( zrf=vIm0_Z?$#VAka)1l}*>Cc^Uy16n75?RVq901G6K zIQn4V?TiA?akj#@C0T-Iez$LnfJZYF*K55D`_D%SSS7d_(8g~CZTvwht_TtkAv(yg zif!92x=O|543YypX7p@GWAwI?OIDcRTIpKxsw4PYt;^%6tNcSMekv?RST{d&g$6FN z6^1-sY0a@mMm_-TKgy|tG+R=YK{jkEzwQ2RBJtLM_05O6XlP)71C0?$89MgjLOn(M zH36E|X>2T>k61y_9j*GMl4Xn?8#VsERh}+cB1wUnkPv4i#}418(8~KWUP@{meDJ5S zx_g(Rs$W6LfmNzjU4UEa&FKiowEpadZm{JcUmQeny~MMp3uXGVYB2$jDhIs~+wooJ zt-LLteoq_L^5goMLCsT;$Z7MLem6_|F2%2n#|tNEyu+loen%BQTTB$wruzoi71Fyk zz}4|Y#SB%I4EU+yV7^F9+-NWr2ObNP7J0-j{0u{t#*P$EB$i`EbrDsB?#Y>FDbcnQ z8)y@IcvM1nMN#CE87>HCSR9&LGH}!Tu*gGkX@)fQ!b+i%SyZSyDj1!(rn(wDSCS#K z>{fSm7ps!l${cr&Xv%!%+|)H#E{5j^l9zE*S{Eg>|!5t}FOi0@TaYBZ;+ zyyxWLF3(IXO zr?9ReLY=iM5&OqUx?1wp(9TldV|c4?qzF%9{=B`q!pqeuY1+e)o~dm%$t)kHS2Qk# zr?S=?t_(O-9SzbYFvGP`SRn=C0w&9S!f)>&90Nke7zhNXh`aymbNN2DT<-bTeA62x z>oumidZIHPz6q3&s_DYe>FJtog%LR2!`nS^O7$v)*uj7GV> zzk@0GXT?dS&yYwnHd8>D^3(i4RU4IShHoA&?Nioi=oYvpXdNz;IPBe>J#7!}oTM4? z-im%bc~e9uUG=g;0p@w#nr>(&8v7iSNQjY2MDUc=%s@qM;izjV*%85*u0*QL5@UEa z`2?Mn$wp#?x(RuHYH~({%w2jRQQIJOuVwM^$S%yx+ar5B{OivP(nI~qg>inrb`mGy z_q@>vT8;N-5Hs68lPkXT|4^&EzlNYr@0UcPm4ceYZP<3E!vNryGfb8DJk6xK*1F0V zoRP8J9{`udvw%xx*m4vpFiglYJj+f|_E+(vEMV6bmz~c^L^_6<@-t){R(*;yBi+_< zET#cH;8l$|8YtK4Gw7JkJR;+x$n`t=D*xUMf&CwD2;`sL5JC5w_QhjHt1|5aEe>1n zLnyGW!wjIF6}wrQ@Fv8tUaD>1*L$hB;n2QkGYaHMur!>;=hb6@c7!&b?Yq@*kclzN zD~^g(duSA18%z0GGgA{OEh@=dP_VGQNn_;cWNP<}IFw9`ls%jghbg5dMkb*b@ozU) z1Wl#-O)eeo=*`ebk#tq6-_%`Dw!W)zhO*Uz=L0LcbeU}kwG9GOEXXKh(rF4Y%sXR7 z1*w#!^>e&Ky)`n7Uy-U_qykBxAw_xgQvWd?Qp39m+U1OvqW<)+O=-8)THP8GOr;5W zd&YF9z@l6A%VEn3<->}?QcX4~>aDugW2QfB;HSg67)@l)1uXzuDFc7u)RelLT=NTg zaBl@}s)Q`?=Eyo@+-&$Pg4E4w<|JXw0Jukw3cYQ_ zl-{$38bm|0iW?Jb;X8#>WJL#U%gt0n%4J>h zMfC3b4x9QeJ8aUQ>}jVq+4uN*l?oh(jtDA2V(*a8VNOZ0R#e zV47ut&(~d`daigfgw2qQ47}MpNG7UYrAKfb5F4j+2ZkQz`6j?7+3YNuL^Cb&JISBE z3W;pTVLKTu9&L!ID*U5KZjI5Iq=Eid*HfQ@&0nD!AP32M>!P=e!6nITpA2#Q`@ zHPyw$Azqy8Qox<*v-YzE1Fy{1?>>#W-U=x?E=(0kv_dQA%d-fNP1geYU&wC2C0DU;&Q zx`VnfMTEpz!EYtCqcIp|238CN*3ZzHZnCq5$n zY`1|F+6E*Gdg>kZ(&Zb5WJRnPxShOKzM6gy8GFU?T&sB9q)%u<(O4ShX=pu4XV~A& z-rmp+- z`H-q#YlY)z4%-;~ExDm-1-HaVhehB8b+*=NqsDaXeSP_Hg&2y%rv@V?=kRu4J)dF* z8iAJfecQ)DR;zvd;7w~Fgm8<2ny2zSvl!hma166^@d;x`WkNiF;8_LXL!ePVO3fkV z9Jn{t-xu4q_$5~<6lSl1MLu%4iSd;%-12#7_=qrPFXCMF2!-o8!Y?SFia9uLKa+zc z-fpWj`4We$UYtKLKSpcdjW*sNch)lKdU8XnnX*K`H7!YN7y6z<%<@tab1|(AT(h|e zfb>nxUZh#F5Pp${TrmsT4(DurmERG!^u#5n(2S|C9(?C z17rHDSzvjv&L(AvejUyo02cx8hn|TVEANb{S~N7$n3y83M!vB8``*Uy=e#jU27b3@ zG)CfFSmMa+cXBCA1vn-7mu*fbM0$AT4dVYGvP0}(D<#J@1pQ3tWjKrT_52gw7hkNsM4fv*sCmBR+i^Z z?7uy`dQn!xEy;r5i&rjcaBp@Qz$I0C@s$Fpdia+h8=zh#kPe-EqcveD4Z zP(M`lg|s?X=N-V46)h`7+U9tq*}~0$4v=Y*+_;K0(v~06lD!^L?b9vG7%-l(?RB^U zf6*0(+m4n(QH)KK9Fz=dx&<)WIEBy z46Ac)R8*`0hnE))l?3ey#g=!#psvsq?68^ z$K~|aBK8kD+Y>9$>8NTqvOXe4Mzu{Si|{gmOeF4sEOTPvZbdTd=QVm!;4enjUDz~T zyfWiz+N)1DsmA@00)q~BcWe;r%I)k|2{>$T*467;7pS%x#9CGSbCwcSoPo-q*M$d< zfG5dwm5@p=M;EQP;q@CN$%5LwwXU3apcne`OwWfyH$MNF`RWUX;*9Sh1siw$zES@6 zm7lox{SJac_~58%p$_7H*~BfA7}%%#PW{km3pb)CYas0E)`^G#}~`<(2E`DSAUnKt@U zk((4(qv1B?h!}8re}JC~{u+KdbHh5&uIQELIOw={AI;?H&vnP+aF z;G-SH>zy6M;SY9@0Tw~QqwI(H)gOlf zZ47JMxQogZ7p{KgPYh8oG9vrfYCUOdBRDKe2!s^*J%oFQk(e3UyMKb&K_(YZYP4<& z;KPG8>&&Ny&Mv#qwf>BVIB8WeSy*HR)QgQ1s*SXgj!nN3=l0a!1lFVclSDAq3Tkgc zDT0nf#p|M@u8bUfT=AJvG-;jDBs1*jut&EZLJrk)5^QJt(vh)kqzxe*XZzoJ7?tx; z+_CF@X&IC@(gV8Buosz&)sZr0!qXgpg4>##>XoW==-veL*-b#aw~BDNAFU$r)b~~q z?3}G4$asejR*~D@LldCup2{p`fT02iEP6_N=H0ES9|%D?%U&f}u%nn1sHIn<9&Wxa zt|MLK$vw|5t6^klOlugd-T$UF|A$@KvtZT{dXzL<^c-Q%dPqu$@g>aLNim4Ei{S23 z{bE>6f!ks@aaa4`*C{O{tE#Nc?1ryF{1(|s7_M$a&KRAsUcWCzDa<$Hba#~5YiYF0 zt6DdnK+O6&IGk%*_`c-2SKpLcjHkae6vo@r3X3(y)3;hyAaihZhoq$b?{ms53Z!VN z$(fT`O(f(( zAM77YB*RTl7F;C9V5*EZ>6k*wr{Oi^vVpo`E75BK9ADhCM^g&9_M}1E_`rM-iS1G| zS~1Cy<&7`SEe&JPv!^3_dBq6eXmdYAg$o?Ky_dlqtE(Nh- zDEht4r1+!F33ij2C}$=how7kaV7Rih^iYusnStr`C{xD}gDhu^~8j@~8ORp(H8RZEs%Ye$b< zbxu+Df=lqZx_7y`vFR<86E|uo76qa**!%MUp4BFPohzC5z$0YXW+N6Vty;~Yr3$O# zW|^)IwL!#GP5-la_AZpqQ8VtN1(lDRV~PT{HX}um!pwo064~TRKAIqGx(Qk3zI)HY zaOyKBH=Ch!k)m>7kNG|e*jbr`6WL;Lu6s^3H!OI*ZQrO~HvqhbpuoILXm;mtY;Ovn zp$ngYKrX9gHsv6(PEo6=YFdZ}pqB&ssZY=U8 zRB`INS!g|5QZbx?PwL>R3a^c{PShgBPX-=%L{3cY@wusOJa0ZI!ZQXSnhsdPbwsJp z`8GyUwsSI)v1d+)yEfrAz(hA1i4%?jkFzzi3)NtDys6VO_fMvkqQ5Y$FvDcFFdIMv zlnJX{N)f2y2cneZt&2c(rXeK(#||_ZRcs!A-r`u#9IlMtDjMaMOoAT18roEA3fbt} ze9zYM&Y7*4r~ICwOO@OLy0B1Y;|%*m(_dJ=Ev8^SW}bIM9)XpuqyC~yPsF*932#Toq`BIhqQxG#jdE##^*C^w4|i+Z|2jb1EV- z8bBrAfiLBq@Uf47I|?A>|ALSW;rsz1s~hkEA&auGkK%Ax`-qcLFE6r1i!CFHBX>EF zq~si9UO9$J+;n|8eI;qAdeqmcyjot|(2LQGDqA5IP~o%Bf>=sMN;vJF`UzM%@CjwlB!YLY8|UwQF()Hrji z@{`5F7mJhPEPp*#t1m6Cm&BC>!;a5~P}x@9Gd(3qT2KStbFHN5G4e47$#`W=ERU5m zTZ8ZzwPl}8M5}gxr9X$h-^eVeIvgNRvb0V*kW`BEyzDbk@pw6T8OSBwncZ;kIOGeP zaAl%rlgI3aUf|CR%%Nghb*1vJR=EJup6Uzf60Fzq5?dj84FmxiD%L}zS(~$q8@y>- zrz;wk#~Ijk#JYukJ-i7s`_4l%Rz|TCN4ND|)>%>dw?JChGFn7eA&8SESQ%Hs0FX9* z;2xs*eVlYve)f8s7lwWlkLBOg#sI`C%@9zlapr+C1#aIt?ek^kbSx419!Lw0L2JW* zkj|;xw%#n+@NU|mLXx@5+?Pr`(H#1rMA#1Avf?&IVR_lUW^@RV_iC5BT+H zJ@udcB&q+-Pl77uH{HuHRwh$cWhPv#ux;>jX1>iblAm`R=^L39gdom%%)oi0{*zsx z=*T}$>bY=vec9UiZa+Qy)O=q~Xryzb_;Tvh9+#xQeJA~CUq6FEz&blsQ&Cg~% z#mww!05IDo=igzr9u4hDJB>BiQahpn7Voy5P`fbln|M1~?x%V%ezPLslt zGjmui@9Pf_T|npn*Row-*JkLj8ufb`aLOFhfUkW_1CFP9@WbqGey}eTa6L~){pyML z1(XPD{&R}wFgxN|czwVftWMheg^8~#BlkdJpvcSWU~Gsb`vhX%;uD^yMnQ_?d z>!CGRU#YSVq4akVIW%nKWV*fXZ1rqfZY!`YD$duluL;Id(+dQ*CNpB4bM$x(USwP2 ze%OyDhxo?6DXSWpy$+l3!6PBtjB4Cs>H=ql`t`cnYmzh)kpG$^;yU;9mty;ySd3Yn zKBeZ~6%Di2?z|+@=OC?p$t7pbVL=-~k}i8ylCIUY4jdeZQMXZ@9Q3hPyT@ zZX_~*dOy1*#@3~g<^{)0*o>fFxYB-i+Hb*->&7+axD85fg~*MJImY zD7kGzL02Z|hPumz52#Q&r;~km9}UjNs*=`HzR(%&Ez6HA&exKSH@hT?MWaC4Jh}GwdL!S6oZj#k<@)~J7t1!SJb3|eCIWYsm^nj@0Tt7XK2o~1?je< z(VLT$y^jZ9-a*(t@;I$#g~9*CuvO z3E_cPo>gD24VU}e!UZlw1~kwYt;AHNUHlnQ*{M{ViP!p-UduE{OiydgNgN9nw?~>~ zh$U0`-Y~czd$7I}tIqT#J{U-jsW=&r0ZA#37PwGx8!u^M|MTc(-ec^{M;5@x{o;0Y z8x@C#gp|g|xt4aYo<_`AzuD#%st4aI{YT@$s&=5lP8hKX8ztSc`zx5O?Vn(_b?;%e zuo|i^ioN12pXp!!LAMJ=L(qj~#xk#^T58H#!QQ7^w$%>$zhY-zu=6u;!UG}b+r)ui z(1-F(FE%D6D>aI7dK9!=SHIOWCm(hl6HJqwMgJX{mAwMWh**3>e zbq;(*n_u^oW&d-Q4Lw7G)0eac3y4$`e@q%9QdWU80R0&~%KOHA(Zh=G$4utBYn~kd zL?#xP=zwYTfI`dzdQYiA1l3=p=YC2GHI?o#m9EO{UTHMc+!T6gt5K-c4gB=YK;(4h zIK4a^xHW@aOl;vu3{d$7p+YTerjp;56w>~oKI0`qP9D!}+GmU^*T+kY1f*Ms$Rd^| z?ectq3*XuI;sUJ0!mb=Q!7f3vfo1;*aVnP40$?*Xx+BbqPgKw8hw?Y_Gtd*mHp54k z*BHXC$QmDjWk)SQUKuU0mc+At$c1&o;BeeFMS1G#OtSlLj>xEw)nvOgsC}Brxwk20 zcqA#H@NkfYJr!+tJA|!R##y?^32U^*8N}J`pZ%As^gkFIFj;IQ0`M0{luf^3b%K9Sny=exV+WsAUrD9pOFp({p-ZJ`V zV-ld#MsAr?gX+CBH)|KD4;qh2x%PcshzxGm^j|0Wp1yBKbZ;FA?X&rFk}v;nl6)a= z?;$YLkK&sW39Z53{#=fzoiM2RF2+T)`liGoHR8U`dSf9W=60>%`K!8Ky+EBY7Z44z zFUOHkYc1f``qU*qHHISMt&B zOVC|~-j(aiu2%|DfRyEdwJ1jcmO*K{`m=N5IrUU#tLB8+HyJo#>BGz{XE?JA)!=sA zELDBzH<_1k@8f@E!~z9CfJLeU%LfKqSaLA|dpi|-1hD8D&aM>QW$zCed)`jk2sjuZ zo}&E$oEGcYo(xa@f35X8nUnP=t(OOs_r6rlyL-Ii`n%pr_=GrOaLykh)#P-GR#X% z@QEo#gA5?XdUi0Hn&7lX>J_oOJ(C*%XjwUsdGyJulX!_$O*#f=3zE zG-FMxwp#tL@B5rs{by;cU-?Cu39GCr;X_whO2ujgTflK6%Rx%64bpM!7|HK?Ou7NF z;Guos)0}`b!nh!wgJy4Q;3fJvG6#T~(g;)KebZ3P>E1c>UsTU#@2Y1vyQuF^8$7h9 zik|^(dL1=9XV4Uciv6hGgDUnyxdg(_5502n`w{+a|BhRY81n?a-Kl?KINmg4Z3N%n z!@`ce*SW7aP)*Po>d3dB?h|=cqn03+^f@?+?XcPkD)}x;PqgC0)cSvUIgXN3II|z)Z;`90;-PW6)n_L7us7zH zk@)kVYv>VQ{N!MZzlF7Am7u7t7lXVZa6uD!)gJJLC9>+vzD_m)I`XtiXRNP!+*Yfc z8J4kNajee9{$se$AS{5;+5ka*`|!44eCRT&6hE5)fZVzxLFI#$E zn9tigR?IaH?Q&>2)1AfwITx;{!%i~FZ6CaB_uVkeW2boX>M}t^upRjxp*q^QW}7<4 zjDj}PJlio*`C9%PLUqYG*$dkQgGKJaKqS=}^T*^~X3k$G_rm^=+{^TNm)uJZ1LIIU z@10Do(?}dHH*a`3rzyp|2UXv@!x0P#wZT(5)S&6>*{&$468G7$=&tArJv=AASpW6b zb5fI4pwHy@M&9l$T|4LjB|O3x8djF_AM5{6CTnc;*oBxlg0*NV<)agivDi_qjb2Fv z;ng-s8NIa*LzL)c_k?P^1j=m;iW86oU)4WW^QkW6^<6#ri}606H|uRO>2A^pt9%D5 z$Pe}3V0F!L>Uezw0}xVoD{K}=^PCy4LTX=7FeU@^A&Hhd+j zH*3*VoP6Fd}Zzrv-7Zyw|?6u6Xset_uT(5-I905M5u8$i{b&G=y6vS6H0e` z#od5UY;8JxJnwqhw+aTw!-=>T0!U9ks{divxAd*y@0q;<0=M|@GJ8`$WcCKX%j~Tf zmE4+KyA}50)2$XZ4#hcmt6rDqSMn$QZ`&k*CV7k-`e0fl<_g<9< z39z~$R$T8OeW?=eU1Nn989ed0TtWdJkC{ZRK)`CNJS6@U-Ahdv&-y7j4< zjU(?C+^BF=*<7WSJY2$Mr12`&JG1iLp5pbagz;P#8-`oy7L0VHcq`@@+xi7;$nE=O zh7PgoDCb#WKaKh*mZ6E*o?soq6Pu3RlsxotyPJm0gaQ6M|H*QO73O&Tg#`F!mS?xb zlZE$jR^@@o6=fe)WVR#gYNE!HpgU}YF~*A?J3{+m*P&~}6U3V&@#zchFm&*j+V;-(mt((n zHg&kZ_?V)%l2mV9n3}?WldyEV$8{4i|Am{WIb^;OMn&AMSQVWp1221)Gb(iyD6%+| z=&42{z;-?D9>{!UZ3)K3Kr&eKPY_p|NuJxde0C!I?3x)+HF3?H!be)qqs~VyF%;{9 zp2H9LD5`<~;rmo#7%Pc(CKVHz5ySLWiv(I!k@_RNLpDBN$CBGxd zuzhhk^2?Z{mcY}}T>8B44I~KzuGuE3h*rJH_J-s*m9qh%`gz7GKUkG#Za6S0S*mbP zu}kX00ZzI4(Nnoa)q!qf4yzl?>lx(N28ZKaOO06X^aVg2_`f|b-ORWJs3-~0j{;Ok zYOU~#fClu=nXAKepO1f5IU&V61&s)ImT7qG#P@WATK{8O0!;zaS1Vgt#A zPR#OzByh;KFb$n9)(6^I=28t2#|@ii55XTk2K9Ex|0<~0<+q?-_#c9LBc{MP;Z95` z1h3@(z9A)tb^wA-)01r0c+(T9foZ*TNn7@D@^au9_=nvXb>LSHt=x<-0$&qeADvMK zjI<2(Kidm=)emWQggRDfm-$NvI0XDTR56F4DHRwC(KDl4v3(d~K&d^$PKGV_M?Af% zAjDACB~i|mmFa&T)#CdmP7iOVcN0Q^JMh7eG_?aR)0O2W$D$QIjlJ1c)*^f-a_CyzS+PM9ki~Ru;im(w-{k-5VfA6ywQ4q@R|F0O z!)V_%%Bu#_EscKtB#Rd4*HY;hLD@woeHmz7R(xxY8-lQ^wU%vYBJ(N%&Iq3v%urTk zf+sn2l54C0k$9-Q8-N*<2qsZ((2-cQow<$p@w14PnA+EGY?a6goq~2{;KnI-b zrKYt)p?M!z3-5TNqEY$3@J8XYyiw$Tj^~}T5QLrDgF91;^~G*Bt7Q-usZN$xEpv0f zv=!BOFo^+B>gS~u<`UOTCSO_1O7vYjsrWGt9>rmpknzbt zJ?>H#c}t+oO*W}oj_zK8$1L;c{(>4U-x&!Rwn^0|PuBMD0?<}sdZQkiNQ`}{1;^A^ zL8pDt!I1S(;ju>i0qmc!qKrRaMOzczV@1jJHq8&~qH33*VjH`0LkByQwXf5(;MO1x zdcEVsn${fFH#*oO-S?0Vn|RnpgTp}UI{Yl(!nW^`fzo^~wu1Ksm9fLDYy&pfirZ$$EJYfHt9wn6`KvKwkoBNxrRWE6suG0VQsq$J$A z&WZUHza;8XaEeh)f&LGqwT734(T_#3UTQfQ;48K^m;%N>3U*yAd=R?4%QF|q>(+BS z8BmkRm=?5!Js__vXWef3+>h6wCu+;dGVxo4P#j^k;fS~N1Z7=#fDY}*?M9_I^!vYz zYk$JrwL%BIw8hvb{S3G?R(2JVt_T)9qjhrhwdtJWUmqJzP2DBJnH6`yPtkD`@RoeB2#E6zU%T?(>-?c~}v4tkj0?1av-0$yA&ZLvu?zdJWk{jBeTPTDc# z$4uV(zs}_4c%J^mi;@g@_uU4V1Kk8vapY5uI1OkG(mIqvU5SlZt)kb%U6v7gpCdUy zu4fr0zlVB?UV)cSL>BXCn%ZUd86_T!5X`w&&d~nwjQY@L2F{YmSpfuXW0~ug#tqUH zZ7wh4(=}!s>2eTRUAyfTeHDghXt%Je>>tdlU`#{)6kh4WsXDz>Nvn=d1TX3MsOkH) zL6%aEdA-I;TD68*8{XIGUE^5WUhDMja9hr0t_0f-Q<2tLTum0eUUT{Rla+4iLMSDhkx;?t@xa2R70EdLLw7~`Gs4+9H=~^)>k1tAPS9s68 z=^}mCbfMy$Ujk)kQsQ8t^_Wrg{|^F(|HUeq6*0?rkr_~4u3GSq3NVk6+$QhNe6{3x zBFPN79pks`tb#3WZ|D%5Sl$V&LcYoDXHmJx=>y%)3VI8<{sXv@wg1td)e9&mh@DD? z%DYc-zdKNdI2lqkb(>$)bZ*hwKmxtj2{M8(4qWILuwr-< zuQC`;@JzjK_(KEH#^kJW6>lo066S>A-i)vlTQYel<6nWl zL+bjvca?(xO4OhGk@?vUpu7cLOV?6wCaR3QBQwc3gqrWsA)+6qFECpdn}l3oO<<3Z8A) zHh$kZElK*lP<*hJZP&t|@Zm4d-yc{8iRl!|&aN!AR%W_MI|@@5!|GYl&yuzh8@>Hz z+R(S`A<(k3%43sm)*WahP=M)g2Q~i*&~M`#if;no0cqubHV?;Z_v z;0taBe8KLK|G^go)y^zmkWu@dFBth7U+{3{c8zJ9|B3qEyUBVX#u*D3EGBo+6FT8i zYw)7usM3)o7gmQ2B1Me{Ym{SkE~mMh+z>?P)T1{t&OQx3B@C?%K4?#4*~%W&ZL3BR z&u7%xcYD!FJ0cs7Zf1V*f7y1Ol`EDJoL_e^d%#7ZV-1wBe7>zzeyEO=GkP%K-V_yK z#;F(To?8--Z#p)J+MIN@xd~!~k4ljm)wu7Q&g2_NoKq^$j}Z=nlrgcHJ<+$8ag5RO zc`DqizPWoPMi+m~`qhQy@!KGS+iM5!mg?F*je&f>%1G0{zZLHfVDy4Ohu_(F*R|3a zXfv(zVt;CS8G09z)}&P0Y^=g*0dv99bJ~$XPb$d>Bik~H?W07iO1KTMksn2XngJDB zHB80vimv`QUH3h+7bOdH-E)l|b}(BtTOKVvFNM-GrsIU}cZ#Yr%sDYpQB+Tx73$=- zjP=M$#QI?A1}_+`7(rqhMMHK#FDY}-NO|Y;6vfj(JAIPeGt&m*h{f5BXp1?=6EoU{ zdYC%3&yciD;>;rN3G?jDhjJIECN0MAhj_rHiqkM(UHi9@%=d>(cfdmly09cVdQdHhz=pp#G%2f3GpTN0n9Sh*J75J*3SVF zOv$NPVjAkO+Y;FdLLrf!If=*_ENRaLJ>?!Wl+)~(UrTX1xy)*dVB+fcEAlabN)V_W z?^7L&W?zm)yN;VJGQk|9yVh>lJ!Dh+4w!b^s3tgG3}E7QN@4xVymb4%RY)47MAnEU zrHs|WTVO+P-(~N{F`wRhS1bYX)ea$T&K1I%GYdZh|Hx#+N4o)j5@xpa9LS?*?95vM z-<31!bVpE)Fl!m31T}dE0>oJBpAlo&_lU8{oYv}~ycT1RCFmC|plPgaE&oOjecG6> z%7Mc$J4+bE!~NSEY7Wreo@pTO4lBR3cR^Je^rp(#@TBB2oq^^skElI!e-GYG{GY+Q z^|Qgd$l2gsvau4-`?_K4!u#S+uveSEIAU3~n!j16doSzhP%i~WGSMmdN@H3sxsn9` z>LOe9sGIODo;mk#qI&@e1v)lD?c!Vw&*2&G=b@8T_?KH>8@+2LXg4-h1=Fspz2uuR zS^L;}Wd}be2?y;rYuTOCKHI-72IZch#aiu(3|ypX6@c!?5CEvTj=R;KK(OnQJ#A_S zP2w9Pp5{bs^YG;}ULIMViV17ix4VfkwsDjQ<3KOIvGRwc`74LtL9v>7;~f4DZAU9g zh#Z}Fbf&m|B-C9sOU06*iV?r(?!KpDeaPK)_$_x=uaN1GdUz&|asjlK&VDc|mnatt zxpUqr#^=GOcyGi#k^n>2e?Ujcp^ZPgiu86^t=K`+Q-;tp_rcY!F$}SMM{!YTkemVg z95#$8Do51YH6LjDD{z!dgMA;mJ4=oNp}UkI*(7O%?e*mu#PNFGx~-d%TpH@4&iS6p zi0$3syRyQ;9|p-B^g(0hkaLJ2ite)ydC%z0;>neXA9`Qw{e=TFuOti{fK?|biSU;DZyQGj9P z#-ARId@`0%&OkdI>#o21Jt1l-0FcEPR_QPbhyi8%jjsjxjdo8jI7>ZHb^r_kX1*vvrLF4KQvjT<{1VA;3#H7?_x^=xkb&<{C!J*HXX#_U|RIF4ZKFSp9}pD6r*%_oQdS>k6h)^iFrsi~{Z0A#?GHZ*G7&v- ztHM3kHI>OUaXDHh)ln3I4ZMk|H8Ha&}j zVpHW?Ae;ncaSMOg#z=NfehXd}DOGv{qp@S%^IOd+TfNWasj@RF;CnWK$Z| z@HS2HH&xtL6yhDZkLvjP-d>swiC5|R9?1^?msawnT!a#o)MPrSpJxOS0;?QU8Mz(q zRY;pV>4_~LV|tQto;G>5Q7d>ex*-XICMlt30R#Ctf`>ZLJra}|)AjyQ?qnmNoL_Eo zB2O0zsV06z31&M+_b6hKR*M+RPQaX2{&*lr3>(rm+C*5-;843Qd+Tm(}mVXiv znMC}LA|g4U2THkiy^}$fsL9gnE0^u3vAV`%qNP1DiE4_ub_r_mJqZ!E{Yi-Y3tZol z9Ss-eqya5+_w~&16={%`cMi$1c*+1UvJV5l);c0ZV)(Lk9 z#7)re9{xuakF?PLU#WQfi;p7%*r?x|H_$ZNoB@8P7_gnG`z`TkiP9Z_K0vy{D;<%+ z2HAf9lOQVU`Cubg4_K(#B1PR%bmXr+C7o#J70X{vQ*%{*MV1ZS=}^lt!WmB!0pit@ zR{19BsZNlY!!TNWN)eep2929gSDVlSK2Kg1ZM%nIQv|fx z=9;PGc!!hg&8|)6N><|{7@0Yva6|n3$8X9Ed?0j?Zx&!%tU4eQ041a$@a01ttqS%o zGNT~z^KiTs+6bG~>QQn74V1FBP z7SjG}X%~!p32aXXNDW-w0~}e~#-2Lxp38>~MKvY3Zb100uA-F1Ro!zXa^PVwY z)m4njkZM9pxF>ZRLHOy9#)Yz>b@t8w?Bg2!Pd=`Rj#;23X(PZAypymee9}>w=<}!M(h3FvSXx!K z#8@Z;&Je1>z-;HRA`;-##%}dSB`VZ90AND1+`m4W|1Dw@;?jjfxi;>J2lQzHVg>FW zDDmIcvB2gsO`+$GKO9ZZYcE(G=3c$jll@d^@Lr}AO{NHyuUy{EVc#+p@1B-pU!wl=2_I z^ABMLruYrXAug|EYNDOLl6kfcN5qi~6Y0j@R(ia-0?mp;KG4ma&C2KLLXw9SM~gyg z%y{j}bwOrUZ`VgcC)e_`R&slq0>L<#f-83wieM1zlCQFC*1cVpD=ME;YLsW7zdM|8e^bIm^=+9} zx+d*Tx|6HXnh=!BOyd*UN%CU)H}h3zalM`ve@Q#CEKAE|rKVzT$g2(DuOidTDf%{G zcBe(f?Qa^BeAB?FJa|nB=U7@-Q@tC50lQ6iY$&htlm_ko#oO@M8j%0n*F^NtUrSPq zWh%@TGL|4k0j%AuY+PcuGxW#Q4!8Bo$pW-)Qz6P^HO5PrRtwB%MY-Hq^!>#yz4vXd+DMB0T5-%6d%COc_A?mK=9XkIBX?6{;*#b$RX4Y zVcsN4ZRi8tyhD?8eottK62en13Q{ITUZ;?sTEy{C*8uXsjCzNo&{uL{`ZkEX7v1W#DX29!;G$6*xf zep+F`Rk;4Q=vGy}wPthA9boxWaXU5Gt_I+~|D|gL3~B%6d{@9XQO~ZoqcwsF}f+4-+Pps)e8$}YR!Vn0rfNbjN zv~=r5b(cp|pXYbLJ094IanZMT zz1h|0p7f{lyl@#e0mW&)`La74nT2C3DH?bPy1y6`?GgY2^LuR-i*SK{ZVmeAGr>Kq z5*%<9pCsK^KCNJ+>JXZ%$>1VxE}Y%oQmEEn%Bi-bzWp~=$jBkAtlR4d>QxC~;|?;G zB{ePl2^6TJ!%4rfP-j2i1`vP4oZNyYq3+CfP1t6)@oHf6eFxumKauE8!8iC9rYI{= zuxo&9b+ZrLS5k_08xTU>0H}A4<5dYR77kZAC69Zc2*6{|oC7(r^<1 z5gzySAupO)b%_0YaH!Y0JuR6qfO@$yXd@XQ7f?QaB~t0mhEaIJg|6HISjW0UUIM0n zG_ZNuQYr((>#6Kk!xpL1M5!~4YYuNzboUDdisPbZW<>Pxx z3p#r_ z;D70Wszb}aaMMFlm5G_H_$Jq%oPPS=HlKtfeE}B3_?6T(>#gnG9z~Fx zV$iZRs0zpS_|f@mD)%pb`lXKllePPc-`jJab_nLl-Nyyqe(gSeR0Zy3VOAy|0d^+e>+GzDR0RIk4-eUV*r@@MJ^hNKCWdwrmJTT$Z+${%qd% z$+Kf%1F_n}A8_6`oF!j3$Mkq~(dtlINIXEF=2ovLwj1w*48)X97v9@w>NL}e=MJji zm+NC}) zWI62jNlH>nE%7KD+R=fq)@QU-dVut>k8wyfOR4QhH-jvq1D8H57&>zNm?GNp>U4IY zNNvIfJ~iHBOA0yG)X~-&3^KQ19|QMEXFZ-rPlUSUUOG`EWXhsizVFkZ^5ob#_H%R->0jErn>V7pF%8_DYl*tlpEf2xg-h0-@Ft5{;|qmuV3%rW;`@Ye;m9dZPC=7Yueg4SNLMV(I3qesO|IcJm5(RXdl1Y zP`3|@I?F1p>>!*qqL$OBdllox>PiypK1=>4>g8VP{fSL#0Te6WJ8|Ej-LQLJCt*jD zGJb9{&uf{`*QngIg*Va~7^L_Q(8qXh!hT+Fa0u^)4HrqFzo}STeeij*{wMe~)Nx7b zd?HnKl$u5NTAsc|v3J}!WNw|9PTP7ITUH1;C=$U(UVWl2gc9TkqLoNhyK^0b6(?n|bGlMy=Y{u>;o}Wt#8F zeNa-u62^~m%Ph;C_th>fI#6Ty4qs)(SDp`7a3wzpDHL77`{P{3qSktbf-vz43xFMQ zbGD_PPNI_~H;Uiljq))nt+HH|f9|mirSK>ga3oV*T|X z&30_smVZ>AcZmFx4RyObYWr)7L~C*Fd)t#mk4g3t6q3}|+_2D~9QiHn42Epmf3DT) z34XN3K0k#esXX>6dBLBonZT8<1p6#~9mv@b!hGdojkyL^Sd##fmTIC2F%QJ7-eVe2 zY!5@l$uHnwqts-Fg3>TjZj?^2Yj-b$^ev@A)f22$(h?`{pq*uN4RWY;%ggI`LP?@%`Pe&bqcPDcT3fx@=}OvM#oNMUrT0jF zL_N{lo!KM#%<&Kf!Yy`}yEZLq#VQoiMZ8gBF|j{#jY!k{jEh5Xbtre& zV!;_H3huayxN9w7=}llSZM$Pf^~@`H`eo0hXD#jq2^`RlO_G>GHfOZ zr=%;tORGAAncces;`uzVXqUU>t2nRP5#-6#hQf5G&5n1V&PjcgIdwcnhwm5dmDUO3 zh^thAuTIu!WqE@Zvb6(6WuX!g=5xG5U3NwTKa&JwSCYeWy*>+}`kHmx%==^xRM<4w z*Zyox=uqLZawDX$$)MIXPSR9PD0q<=rZ1c9_->Hd1U9MeL$`R}q=;at%2uVn& zPN0cKjKoA6V_l@@_^H|r{M6e=IkL-n&T;M?Z%$@U9+rL7Td(q4PyIs+z_;?jYv4~* za}n%c)9}4t99Q8nk5&2mg;pcXm}HOIgvE)zQdcw$#+2eBzSYo05yk2iS+`rXo+fuM)hRTsL$N(YD&5!4h zr)B0Qm2w>Ab9fzBR;#tGb|;T~cRO?|D?i<-c#e$H@;Gsw6mSKpR?1GRwon>dQi&Nu z5I~fKx-C+-S$t1IrVU?_P>tb`9AdilEX7vIa_PAt)+IFn%XQAw^Rl`KJ5WZ7u0OaRY<=Y^wHFSSb1H)wT8VO;$_ zNDw5bA@QLYihW_-QE8#$dXN0eRL#v;e5<{k(IHcwKH#<1c6@-bK@3xa`$sYKJ-U@Z z3Z)qgMrX%SJF-e@SLH7oo1f>vUo$5}4nBC@Ig^|iE%>BE)ew$myQ?g%$|v9b^WbrQ zLdx}DiRRYGQn|^)#YIh%QMkmI4GPZsvj@GOqjks0dt)9KPgg6>b?U2#DbaT;5?zkW zMwa#ORpWx{rEG6JqOSmnAoj|1yWHO@#Q$+?A`St+##@eEvoL0-N@O5u{f)hnTzu^Z{?%EZMHwR#`So39Uzszgw?z4ZEqlsIh5=>uZQmOs`k zR~pQ9NHJ!e3GakZZ((T8pJYvE?`fxyv}Esi%A9;Y z??cVCAY-!1(&OU|sxYjFL! zc}ZfBOW13<3D_4A@s*Gm7Xa>Xx9+Sy>iP5O^M_J0b{O9c2HIAh_s(n`i{hJNFw%k@S21rE3H(bC1yva0@?4QE?M+Kg3hGK-H_xy5gNlyPnm>r5 z%8r&lj%Qd#)&(~!)FL4I&lMh1@4faP^zE?Ghts=D%jDU8o2y6AV+M1w<@4>eec^KU z2RKdKbxVRU{C4>X?vy1tG-@7+|Uc2_lqA9A1pDK|(7N9T=R(as({-)Aj zb@;6LBG*yJ-Vt8GmdQqc`^&azA>p7K!Spr2sSb72arM>iG)aj3tFG7BVpbZh7pe25 zEa26Yt-L|^YIxoA)|%d}$)c<*iNO^DnE3Mv>~rRrVD}Y_S`N|43Y-_;FmfFnQJ61- z9t*7MI^;WKEb&@W?$wbB#Jp2Vxm2b}yzwgpH?1zEEL{mwEE(W65a%S4GC#CssN_t_ zxbBawYZSiP#`*>;+omT#-&c+Gj#||>1|oRYdP1Dc{L%L4>ikc z*6He2fJW5ME$TFV^;aDeJl-qEbd7B~DUkDJp#4T+W31hVYm*p@dOe|BinMZ0$maa8 z99K0%cOD=tz@er02A{D(l<;Ruly;`w6BS!&EugYBqPo_*Btg|HypS(QlJFWK`tY)VV_G0`fZLM_@k zjEd6S!$?MLPeqIyy=}rM8pXG^bnDUQ3aO^i`<>eL)e8cVba|tK7-mkHYv6PD$PQy2 z7AvgMyz8IX{ia3rc%{hC(d%6~ro4T?;9kbktt!*cEQ#5!_Cd*M_dI9^Rgf$Y37)(c z4y6K`byPuoTZ4Hv-OK&vFC#)NUa#V)PS#4^M<8wXnr_{4Tmr(;IZp_ zLvbX-nbenS8QCRO!seoWs%PAY5TN!M$YVJg!@>;@zX#Yz?u3vC z%Gc;i1=7s`Bgo!NzgeN0T%# zj73($eE~v-HJI9M=yeJ`_lOt?$iZ21V?qlxQsGc)nx10<(5xc8M+x_j6P(ZmaIaUh zd0wxq;y8Rz6Q*C$W)@_&Wp4VM-YyNFRGgW?R#7X*UQYbx81#7!*9Zbci`LLrrt>S>0ng|D6zIL|DM*HLp2}Tu6 zQ0h&D9F*d(C#I?7%OhfYqV#Ly4_svmcInrh4SwmznmvAzfk_ z14!ci`1x7GF>+7A2i=AI+eO=Di^}Q!D!ytYUMAxBJ_~wo4FUC1bG}O~&lA&4jO#KT zE2S(0ou*%6bE@yWPkhvw5DI#M%zKf_R(f9kQHN?2VNMie&#N@k**mXu@(uS~jtE!c zwlKubEVFEYg)U4X5=bRnvr%d%{9x;kI<+Z_F-q(i{PD$P1UTHKUh4FV_eSro3KzrO%WJ;8!4?$0(;C

    7M_D=W6ZRHg%&E18Gve-%jL(x*(L%?ir)@V>&cI{U0jWDO-}kSQ2u>4w`GLI>WG0EE`%Wf7z1qbAPAEZsqnmXR%7nm#hCd zUA2+ZRhy!i@tp&oWu^UtgSPp|o=mzbWYz(@&r!Oy2qgJ(#A?X!ZDvS&X%3c+Hv-(~ zNFO`%y=zSqo64O#Kaj+ERe32niG5hpQpSxzTaW*UHHra$xl)85d?rXN)eNN+N#r{mDNh-$qI?PCaSJUj7cU=I>H3WXxhAIZc(oU* zuyNXM*Bo9T94_aHCCQa5Beg(;T^JtA-oQ%}6b>F2uQ1-m$zo1Ih@Zp#NTOx*h>tUM)_6Gq?0``CT zXF<&WNAu4f4!*ndf9Yp`L}frfBO~*~rNK^+C%VoUIi1m=vRR4)TN7uWc4eElIIH=zI$a~vb=D=Ed8zbtaVFbUcW`$F za#_)@jS)m{RCj!X;u?pQwvNzmPKPF1>MMO);t*TBcOJJQ-0cqNEe(Uk@ z=}|mswh0P-berKQqfMDHJ($%z&*0_?uFb=ScgYW3e3LvXyL5}z+R<-FTjWF<5;${Yv!!m6u~jM<%68+*{1Xg31qY47Hx3D05u~Q9|OiXrc!!It&o4b0?-yd zb$h&ots-hi80UvB=Rk=k-J9QjP*##ANF#bpsZ+drC9a@sQO*;6ap$}sH9Y?x*@QgD zVQfH)+L_-Z^I5ZQ)25#HHhi)~0K~EZr-dmcEfn05yFwqeICp&!n`%@EW`(3zA>#M^ z0C>L1VG6iAzOgyV@}bWc0S zN@I;$SJnlaHtiF*aSC)vN--8E%4H6Ii=+Q#)ee}RBGPveKQd}rKiyXtR@u;ZYvND` z=iI@G^H-KJYw+lqg($Qo&Sfs_Y7+KZTmh0 zf&`H!N|6$Zib@yh9YjX{VHCvA&kN%EhE@wu7@ zNC!#1VlIf=(x#&k(kxr9a)sBoZ6*dw?vP)Me-W)IUy+)bp(J}rl{VGe9#xP=-?(IgombTAY(+MmsfReAcgtS5)N7jQTejZo*74cM z)_p{&nkiYRj5|*YT4U@M+x055_HY}l;VL$wya0R~^9z0Hqwh7Zw9^hsJClszUoDpZ zMgA*$opw;fQf{94>!4iH{#RvDGm`9Y{d6ORgV}8x+}HrfFs|yP<-!iZ@61$M{Xf;*aLp>36_9XN7f z*Gr7m*ekAr38tnGkuPRB=p5`NyBp%IeH-cMWUq&1&KklS&3*j0f6$-8@Jut`t8KL^OPhMUmJvW`Ed%xf?ErTnI;(^f2SDTen%(C8e?#LOOFKr_Ws@%dHP0~( z`&$fl5Ay#Ig9Sd^>%@p2*9e@sAvc1Y+PmTsJ1s8LL-r{wowY6Dw9Mp(ydV$h0Yrv{ z8??c7k6h5`LQq$cT{X9>=@)xRN4MT(623p?X@IwPt3iL<#&phkm&Wj**1cN3gVGsS zb-)>S?8)9QF;a%Npo=;Jl*_6`{6Lgz*!x*(((0EQrM&u@7_>I$*f`=-)V6G(iO&V( zI#_c58eV6>tsRe^;jUSMg;#l{(p5M7{dSa7rO@9*I}cc zB=y(Vkrdy2jsx_l$YNO179~JG{qk1;gY4A#w2b^KZa2MG=3rfkKa76~IBxfzd39&o zD=Q6J z5tmq5!U@#SR-Rovhok0-y%ILiq*8Nzz-sB0fo(}<090A=B{lKUSL0LLV{zxNtJ5}X zYLD6J*ms|2XuhNsW{&u)X8SAM_&co1(Nu9MVYk!%^A!n$Z!`a+ifat=t8g2?0uJLz zuKM~t4Si0Iz5gC&dyuV~SrC5dAVa<*f5BzuSoMj}G!%(fuykrUme(s%tno!TadfJUFPDZ;kUD3=g|th zG8_(@rlsb#f+WuEv0W)v`sp-v`Wj)mc0l5O8qy%C@z*c=ugLIMhStnWJ43N{7yd4D zKZ9rz_bkA}t`Atu2U-ZD|NjtfDL0~}CH@<)iV^Kq5l`#-`&H@sSNZ`62`h3cQQzY} zwHQ9P)hF;Co@%)KVzcVkoOw&r8`}pj-6b2JL;R_|j;w(Xhjf=nWvGVBt3%>EnoE4S z^4K8#;SoQZ#kPehK>ELx5~G4xKqt$&=96Zd%m*6g912lcJS2hD6m}`@v#O=W+Dbf7 zKew>Jwk}J+<0C`=}~9aAUu?# zDfz{(nsUw_4qZnmW) zVa_+NhbzdkcC_-CTc!k9*#Sn2=skDK#EX@h@LV~xsjfZ5Z3nYT!0ZQ|FQWD8Mu z`cl^ihvFU0Hd~+WZj?X`6IJYUy{Ji8FKPA@|D{k#AN^-V)kPj;^_x? z{9&|XA;cd(I4A&Q=f)brexBRw$>fpGQT*4D*7in1FXSBJQ^&ztca(LPG7^GBJnlYE zw;SenTz$!qUw>(PsnbBZ`FHh6OS$9qIV@RB@5sd^ELVflloJO0at%s3T@a+Px2iAY z96UpOk_^7?E}*vMj@z!71NFkL)a*Mz>Td~~jgyr6pDJH~_>pT@`Qa)!?DfI<=$mhn zmS&^}TcO{&yf(4{Mz&&yit53c?YSJempslVQA@-228EuIP&fyE)O%&gTnQ%P6gwSd zh70*1CLZKF^fA8nC!Zb?+mUg-!F436Chh2@P+4|r+{SO#I6zqTLS4F{o|zjt1gwWm z2`f4wf7OW}uLYhHruf>bIz%R9OF%_AY>vrl)CpCm=}4U98O}Ini7&zx-4tB0$PO`q zguV)keU*CwRXlL8y~OF)cEy7^4Cu$YZh`Hl{|6S%fb7GC0O}MAley#$1yc1nPr3K5 zi~~#Ob~^pz+seWA4dO>q}%TQ$Y)Xwp2*#_c6W zPD4?}y!Vx}N66Ma+(9hoPP@g=S;NBp&hTh<|AQ6P*iH09{3gHo?W?rKUWYCnO^e2h z3zAdET57NvcByEAZP4t?R~7Hlt${p!W0whm_wtS#4~ zinA=URZj%=URq`cgzlE3Xk$P+u;y}fMbn44(C2#h`ae1wpe2Htc!(ekKT>*R<*i>| z1PrKZQ~=X8Pj|~+gue(q&Gr^Rm%#Ij0;1HWKB&wk==s}|-mXM7KX_z4>^5HhNddFp z4_jZn;*S9^pKBdzXCQ#zmE(ZclOHr@QQx~qHsf_rX&^nMZ2vM$2R#3#mNO0k#I-xkTuY_yHgJQ1W-i?LXhErITxt3B8HqH&)))mW zsT@pc7U4z^uV%Us_t}SJYS?aeJ!Z{g)+ie;$k447uXu>DKcen>(s&E; z2A^|9y)b^G3Zph^ME1=Cwnntj!7ESidB8>4qhtYqISsA?uB$PYUbo7Tvs5V@?DL$R zORCPa;&a+)De+jQ`|NNbKw4`j*Y?~FomH7U> zjx!G=ddp@FTL-Rdy3ZB1tH><`fQcKsDs}m3Wv2R& zi{Og2o`zCYP33bWKJ5W3&iu(mT~8 znND=;g5W$!o!g?*kUs>Usn8cQCN*g`MhpYv>dPd1Z^viI7=(`al> zcY(!Ii}#(La_-e;Q);pLM>OOsaL4ngDiDLW8BNQguDU2S9rQF!4M^4L z>rMkuL61Xx(_uj}6&-qjhIKJ+*|f;9e}1Z!fPif0F!jYWH&G{>SbZh2J5|*R-w{4L z<1R`xh9@QUBjBDE2g=JV0T^3rXK5DP3v)@vSz{!`Au-z%@Go^CS>tYsXAU*YuzD`J z;xF%OE@ahLY3(OzJ*Bw<7YCUvByCacOca&EZ)$CXvtKO<>~o!Xr!mVn@C5LL7O%b5 z5#9{AVQww7LJqysS7zeZ)FKCw%Fsm^B7Z+QbU#_KJsrFKc>!>jx4Kbhd1qA_ zi`xoWdge`geZp&O*zD`!(s!Xib(E1NVuU(^5K1ciG1s zET3+b4z;@KZbbPqdEVNx=BsjaDCO515U_prv!H-Ddhx%PuiZM9ToajgHL+OxjQdBG7O`svc>xX~l|?ETvS^+!GbPSB8vfdU}_t#+NP z&P(`qeL(RJWgK{_iOo!!Uf4diTcC#N=PYSTsLi+#Vn&ERI4mT*Hcotx+uq8T&Bc-dDrR&}_T^&h{ydlE8gy zJyy1R_LZ=B17J|?4pj%(T%K76bK8D->JoVfJkZaar$(+B4`(Rs#K<>M# z!4P6?8|*5u6Lm8x4o|Ky3HRobj6LueikK77g8vjFy&U|#A;%;ooP+d2!v2@9@p7teOIE<1;84)Q(%|4q?YWkZ9;A*dCD0iI*3tS$ zd=OJ1d}T)r$XO^=7bvwQWnOQ6O90Y91Y|QNe<1jrh$se-AZLyqzEnDT0GL|a4pn6P z5V+C-ZH_K_2R0cen&a*H|J=9y~~f>!v4vt8Z-1kZhx{Hg8guQ}dLwn+X4%T|K)Y==|YRwPLIj)8>h-!<9~+75wm zL++2^0JrfzKps-$&xpR6bw>S?it&R0*{Es92$skj<+%nfLefHx*K@#*`V+ogDEa($JGu}%e_ZKP|6b6_lMT$sXdWS^xWU{dG1Heo zLOI`lx8E07!Z>}e*>xba>xRK*@T0?=eGKmCx6P`I#@u2WQ}LlzW1z;E#SPiubrYhe zE8ZOnv_5?yyTI=-qz`h?0{Nako!AKQl(9eg$s^UMVa;!;&1zFKY<;+cKHSyd_1eXs zfncC(c5dv#l_w%R3V@2DQ?JgDr#-hhP)j@Dr0iV9)AyFGz}?SSkoO82K_v{tw_~06 z#p_-g90rNsUeBRDrha8T@d}|pD1NIb6p2Dd>4qo8%C5c7{9XlV+o`n%7&-*re)=>Z@9!a zsb56z>4ERb7iAN z;$W{X3$eL?MhA2#I@p~^jJl41S^&Eaiw;I?a6YkE3=7nUQx5^R&aQj~2>GjYPaZvl zU#p${J;CpffmLw=goKF49x)3 z{Uc!hi~5Dt*#sQPJ)Q(_ix_X&(!o`}&I6>*(O}rMu-hYzV!E|)8~)Yu3r7BtQ&Wb= zykBTx#gIWmxf5!vq}YmMLQ+%bzj=EnzkK3y*mOi`>I1;?V*=i7oP8JqV)rqC_DJt5 zC&rKB&nH{`3S)*%0BBtR1XLM#JfvZhRcT6gQSSA9!N;uBhh5f~fV^CoZxAsZHo1j+jL|#R!dta>I4?;nZtm*A2}g_A1(1@1FX1r z)Mq){rq1}9&6FYLK6oz<=&@^jZ{+{e!USpfeSZ&{e7bZFxi9c2UOsqo7-m=t*z=|x z?Pni7RVKu%t=GKIXtus9a#&&XVjs>sBahQ!-VSDEVO!)vKcI`UrBvFw<{Jq5-6y() z?zp4{Y3$dPc*at}VGXE2LBygO?&&&wQLUQt$M0(PH1Od8c2eMOPcV8lR9sb3|g+sbBibQXF>zmOmvc^4P+?p|lcr>Jn06Q&S=OB!xWFFzxqz1KUOU zMWbp}*O?lrd@4f5K{+(`h*>{eeR%D)T(SZm^OqA)6h-ytUJ1Lm;%DcRZLuhEtHAkp zQru_(=xvI{lu3wYM6^De@^n}gWC!jVv9K?cuRJOdzcC#$@YjmIvKK& zh8+)nvv@U-+=%*_G&-RAjMWF$Zh4HZ6p{T$V5i{^ai1R`5mOFBD3dr;2*D-$I(~d2#;cJ?w1b)rix&0C>Z;LuNPhm55QbS1x{xmqQ)S z4DY4Jz_SF7>=osADDwiI;hvsUvvh6tGx{0(|A5hVpcx8VZF-ov0#PyY6$Q_nA zRGxs%iar}egUduF1FldbEo7`D%jL&n=K;1=G#+T#xn^es&E0e4`Qj1c-jSL_uH=YH zNS5o1FlJ+S0_+dL9eb7$86z;r7_XSaOxDj@X?(6@Y>5Iel*ae)wxAw8HF&3W8`%93 zHI=mD)qdIdMYG)!>#=NAV0)3y%W^;B57E{KA+rn3-k*CsKhw&2Ca9%)P$xug`>AoT z1$3)Ryc(&ObpL{+)#?m#`5>{D8Kuu5&yiW_ADu~d-#ZYYFC1i=lX)IAN%s`ghgiK z0A0iF6_-UTINlOBAy(uc5|EAPkk69a2&&tR=ns@?Ty>Ul)ufCMc<}ff?k`r))xsKP z1&h{bq(>;gRtQzoI$iLvXr;hlzsnfmV>3zn{E7{qUnXW#$Ftp$j!K_V%}1Na(1w3{ zB5#`O5Yyd(zX^X#n_@CB0rAvXz%2bC6(~7Ncc0v&)-h;H?`#KWmLhTFBHY=f=Sj6Z zzx1;9TD1;Z7xWNrbjk4#R0S|*qVrW3~Ms!qeFo2mJnp*d- zb`3ZgASDp9KXQ)(NZ1=RfuC<(P;8AFgdI>ehGzt>wK}o{8mAy-RpW_8#iN4kb=f5d zQbC_-HhD<#;QMbQSHyBM;%oc&dU5HY!*#;px;7=1pkSFjN&BzT4b=Z|Vw^pdniM!d z_}xqEb31@ZcEt>J1He{J`%~tLOMq{@AM&(?n&cc@Yyh4e2}f+!q9X%FB4v{~CNFm* zy&IZRV-O!G;oDoZqqF7`ybG^n3)sSf1`FPkQ-;Wbaf_5y;l~+3oK)C29MDqUIDB=m zoPGF|l3Bg8tn{*>8J1PuFfT>zmE!yZxTrtT>LGJ_i`=L2wmc6vAxCAN2T57mc{>_D zE_19A$!|cN6gHfTNc4cXOQzq$R>~oq@)cKt12}?84WXOnHY_E%I7%bVbv+nI8ChBD z$VG7bb9tW>{vyILBBBJ~pGw>Y+9#6zH1OsF&w%bk)b`{ z%?U}~A-LuBD1w3Y_&AJOtVJXTPkuovmxK;zQdTR{#WgoyQEy456>EAvEVdfo*bB13 zdBSJ;tAjOke`o^yGmGc$Fr5U(mekP4tKIQ`p4r;;G>F4+OaU@;1n{A>e-i~$LY1~f z`yY)AQ8n{QvRNAj{Ev+C*s01p@+*YHSwxdfC#>Xb5@MFDAiG3xpl)5O_60-&HNIo{ zK7Y;6-_z3}nC2j5$rg{9!w%>J*H$g2FSa;77mrka+4{oBb}w5 z#9T{#l0l~b+QSliVz zvHd9uH(X?k{$nhFTIul$@aAka*g@LaN82Uh^n*YtELo~brW8Dr7si`4r}nia`whQ^ z)(+mU&|$paYTA;9a=dwrKXmk;EfOQ^KM5YvThmAx-GRe8#GaSK6I+uGgSSWOR;~K6 zKwp-F-cDtvhtHM^G@!P-KVPh;^-SiQkWZ)1F^zA#-GrkYm7_{|08j`>o4HOf!(GP-c68$Q8k82T5FZsTNGa(wD+WO z9~_pw-|J#=#dud#SLqVZrCPIEv09)5Ho+pIw$-9&TP$dOu?XtpJ*yN-RB|0QLuce$ z`L4peJ9J6=z1A@`!6sVcgDMJ;)M)kDhA%Vv0$aMbpI?>D*1j0Hqz9?X3`~f5ZpE;b zf#IVo)l{mMcz8NtJwQ-uN5%q(IQbK!gZ=%XH%8U7$|YC=sY49S9@xyj+9eEf>Q~&X zRWW3jMXms{+@jnm*T7B`sui1oM#R)i34W89RmRn+WU^Oelb!huc?wZzeR6%M-)4#x}Seqv$dAr<wU_nQJxvo{U|l;{%Fz=p3O7nDM6DL{Z+_OFG%1j_p(VuqT@Rsxc2} z?C?vrQ^FcZ5MUP7in&n0pnrkopB82n&E8>0O;utClV7{Yj8aXYGBku-uH)hb$o6DyPdY6BHx>y3zbZwz$?;rkc~11+;w;syCB9j1M5>5{f_+T9J_IL zp)%Gh5$j!$LT$;-WdlZ{7Q^v)mV=AR{l);XnP2*px5@Ju?^B|keeLJt&822*E}G%a z_f0h4`d zPyY~eqLaavDc(rsxF-xI+C*%ix&)j3FDRte-<(!B$)~r) zy2w7}OOR9mGOl{*MH1P+3J6*?o70_H0j#C$>nFtJ66$qz5UaNuv-fQ(6l(ue-2%;# z#NN~Jw82VB*d~<$k#9uu`Y8~8mU%rl!*fccx1N$1F(A0!*^N&cNMFZ*d6GcN@zjl_ z2P0o(7ZkwW$p)*NolQvioY>mpT`l@)Wi7Q1DyBzcQ)3?J{;fAApWI^SwaQqG&mv(W zYmc3tQ(S+^+O=efBR?e4u-VjxRRhqRMiuI}gi|vR7P8jFEcV$KAb9(BuuLh zJyum;YG`&yZq`)_=a>0)^@shg@`7b|g@f_V3~&5xb{| zh!85q%cZG)I|k`-g|>}%C0_3#=U;kE>qwgBbU-o~RYUVF2e1HK8ls#=8mjIqON~Fp z(J=y7+l2UMohur>mw0pY4Pp}qB5kZO@}JFdq!rWK8fw?HUZ_TUFO&ivK>aQsA0yIm zS>!!Sh>Y99k9by{C_4i})*!3Y1%B1i6T(ak3hY9T+>1Y+ZJk9)o~`dQi*|2&0<0-! zlm))hn^JF7DP1#3tL;KhRZd$jqLFn1QyPZHobaU&SGTVoq)053p_rlpv%?|+wyPuo zkT~pKjuRLu)7&qzec8xm*K|b_-t%4xUz5O@YQu0&6_A3Ij4kU-xejQgi)WCQjz713 zq)8o@QKY$yJPi5OX!Jz7;YkRzuX5B66GY5D8fUtybtJEaNq71A9a%m9=N zdqx5$vbw;Qlj48Y4i;vEs)U;ZPn65+%q2dPa z&uGmw{uVsf0il#Z@RnIIItO$pew?4st{|vZo4|NaT2^aGhkfP!)Uv?y^E?+g*Wc2; za?+gn^MJb4fZ*YD)jbhNwzuUHui*gKE>1_VufLmruC|!#q}(YVx@{0TRG~I4dXDFu z`asPMmcb&N_uh8C7KR+C!~xximVvNzMBeFqNzyl`)|fTxKkYP#5h1n1x1f(?IzvyS zc!d{U;MCSk1^QHIpl8y_K?RHFA#;(M z6B|_!w0?^;9mm$C7r!l5fEZoODc@ANW?@>G%s4tN@yPpv2y$WFvu5vyfEb9ruHOF{=?4DW|elc`zQs>5FE8YSbP2KllV7ctl0W$Hp=pUf=%T`(E&=8K= z>+C|{dC~id`Ae%#V^m+6Xrk&u@f!tZRIpqnuGW^|f*N(BA|~0B5R|XXoEf`RtPG`n zxQnnI{#EWPa|d? zn28 zf4!G5bC{)$6SE7JLqiG3drWvaUx=DHd2s0tTNu^6NO@+eK&q-)`1< zpl#-0Med?G$#$t-FgN)tiR0#?DH_U~d_qq9H2+t-!O@0Z>Hp9wkSc$}Dl()U%4S?7 zH?2BL0Ba-6*^L6gKOgEAP2$TXbSxX(!B?pGw z`QN^bOFq{DQ$;;C%`c6HI0U8WB8;y7TkYI0!p{0M+GK$}O(t|xrH_t+^RZ{8YK1I0 z_B8>9WatB%N@cv^sZBG(y+X?L=MN+W`+dk{QEUw${5O%O6NJvB(}JNup2s17_n zCb`93f?+jWcOL~5{xJY%4G%E{1;zN7=hpPXJU`fhiGzyajDupEw#=KgrNjs*eN=`o zA^KQZP=eaZuroKA{FOP3gVYdXa%Vz$?Yrd-EGdnWD7#WAw;-L95Oky!yh!Kr$b`E2 z0R|2i=A}0eN{kPC{e|v~!RYVlTsfJ7S+;medFW7wv9cgY84kPn9D+MD)e#x)DHFl%h$PL9Q!8JKU^q` zNwK>#>&Q7QS+&3VO8r{AxGhJ?>!GLNInIeHs{!AN&6z-K{bs`-{m0=W-YCv9?=O0A z3`TG6|*-RdiM zHOsl*_PcOlRiykVlHcn(EkmqEi$HQv!MN_Q)(yrs>M>dWGk#F&+vU~cAn<(fuOWskeLyO1t>?}r2t&r8KvLT`Jd1C{Z1E_*^4A& z-7Q8bMuG&gv*R+ubOxSp4Wd5B2`WIGPTox~r)KoJSQWRb|5EjV`!A|-YT#>jSBTU? z^NN@15_E;{=rY%+6|2y~Ms9u$Lw5 zxn>1(kewtq+)2duhWJ)_6ygTyvKY(2M78rOi$JvI>J1t9A(?x@IT2NP0^h?s^}auV zqj@4P|hlIzly`fxoh_XC;=?=y70~J zpmgth_hW9kKWTE9I|%!jek11689~^TT;4tzUt-Ir?;LISP#LHWk6Fs=IVUPz+59Cs z_$qpj{!Z!@_6^g^0;!6(SO<4DjQPr%`y9mX9|sL3Q-&%)OkriQX2N%0v|jPz<-89% zu4|g_&mGzQJnLtxsQBV-^V8ZZ2CrBDJQCaB5=d6B=GWSDQF zBMB;XGr0wQrjsJ+K=56iBTrR# zvCE_jH}$Cm$jjVGO~M%aJj5(V#?tIQ|2nfM_r_{)DdSt;Ak@w3Uq&5{JZ*G|9BXAK zGu(5>-nq*^LH`~AX@_|Q33ZmN<%Q`IDP<(VI~1;4ZVk~Z|G@7L-J_Q#Y+R+yLCJhOVeL}9n3N@gpKEv4_NHf ze=gq@`T8p)6aU7g_>*c!1gcJp0)sXcQ!p``ep};_{zi?sn18h!Ss^ZjVo%!QSsf)#Q7Yy%*(m#<<0>=GDKn!0iAPC zoz9!ve<_twSrM)@!Tn_ZDl<0>b5gl_+-aD{>0*JP^9|>T`JgX6*$5M3zI!&L%SryX z?_tZHkKGm2Wr}|%e^GDcqL1pdNIn;xft;Pn$uNQVyevhZG=bY1d5S*tTWNPEbl%SB zeUC!I`yXk|88{2to8>EJ>HQI@2H|>;=^_w0%uwPgS0(End4B z&k8EM(sVaB*!0xJ{YPk$BVE`I`8#|a7xqzv<@wV&EvKRq{_v8-$Y{9!cA8PNe#L`_ z=AWKCqdT9OZN6?T1P(NHBt`XZ_Q&UE(}i&dd@8F&e1S|s@dbs28bUom?O?e z9S|Ptz|UbD-SXr_>F5z2*LSAeeWjFs>1{tN_WN>T>3U|!A&CA%Q`{5a@__VfsxiL5 z@5I%mu7G;BjGVi$xaf0_Dl<#tn!%;lCmBXJCBIWeJn6z7Bw7*`t8Ra{Du%fSyW+Rt z6<-#BTU;yEjRAoQ;P%x{eFNt8m>qy4`|x1wA|ZV^5!bUuxrZ$_PldRLEXZfyB=BA% z&lxatM?VSu`9j(q;~Khp-S_c2sgL%P0FO5HV8{&~sDb0$u%^2Yyx!FVKN^sik;g%I zaqqscujOTU2HxK|ut8UR9OvFFf2t+_di2(_&;;jDFOxIv+?fseTPkd4FM;d?XFr7c zh3*g*5Z1f(JhS+@3YN8upx?*XK&yR$n>Mvff8A2vOY9qbUa8Jw48Fck*SVW_+iW=K zINZ2E>fqa_(G{DZ)^o9M_vq>G8LQp9Q6sYw`R<;OMt3fg)#<#`fh^5Qv6V=5`1psS zRWSptW^)r6%GqPiB(=vZ^-B?jSvvhWn#(#`Op4A?RYR>wAsf~ssFgfh@-$4JclCW< zt7;3|t-yQpWvT4kS;s#&yc1_nJOMU%wm%dj&L?5q=+>D!A(nQyq#eJLFwg1(C@nua z*_J;OS1SkN!r&!}F!Jj7pWL36aQ3eP2@JzaN89FVA!&8$6}_G|+s{eeB7>47(8T!%Ss%^}81{ z*yXuFW>q(&l9vqE%59wuuRkpTf%xOl*Rujh1-8~?*myPOT$h6iXIoBrwA+q= zD`RuY>30W?iP`P4;UZ8@P`KpC0;tWZIKA9@?zna>P-`ZCQv;yot(BuT=__Pr(AcH0 zt}Oh6Y3BN{UeXPILw^ycm7$dziHfSWxs0v_^_T{XMezfU*Oex~y$nZOBMJZFbmA%9 z0ld!~V!Z3Aqs8^>XU)PSa$OvTY>IEX7uZxKq*hm$1Z>qkp1%%iHX2ZJtw`GZiIt8{ zmU`a(lBCqoFu*OGGE635xB1Peu24b7E-*ZRqMP-ily~zV(4mccz_}!7%ZFeoo}32j{%4IH3g3|`eSYB zo+K)YeGH{r54WJZD&Df1-5CEWp^b8lk1lWa>`Mzep*U_(0zrs|%dYwul;t;K&dlL} zcBlSY(sZJGyMyNRQ)h7x?X(05Pl^|pb)2oe;XIDzl8C&mpS!lsiC-YgJ$~(`1bj4X z?bK})wX+7LMQ~} zr`NY|k-0rImld??gt$%*8tbE7PTfBJtat^GodmAQ3^KN>(c}4kkvuKLI$nh0rz(FN zulE$hDGbXA#WnU19AdB~c=+zhc16s=pQnVtX1cIOC2_3Se^TZe;8Kb$huZ)zcB9)= z-xGpzfAH*PfI7pqQ+BKg>3s#76~V*ukmk>6(&u*c`cI#^3D5Zs`lxdUUDDW zL3BAGWTxMCRIC*>?B%T_H6xZ1LgvpKq^h42T&mnLb*?`u zZ1JD82xL8*wI)n1s_?p+`7*(gLpkhzh>lSHH|yT_Rf*EuIZ5~P4m(lgJmzEpe>%{c zZ*duyGrxaAE{T?0*_kmNNx6Ewd+A&s>DHsdTUS7!^Aea9ap%q|lT`m>azVeHt)h*n zcpy2b(uAQi54tw?xUQwgS@xjj@660wdYW84B(8g~|L*gd)mflE?T_O&e z4xErbQj?h9oum|b<7bjjo=Gt_^n+hYukU|eVKJ_I$ThpeeNk^^PgO0KWjFAG>{c9R2^FTk2^EytaB?()-l9{<#HWLauhK@qh~TsAi?E|RN0`NFZ} zf#`U-pRdII(S84eO>`8#q)9VXeXCQf70}S!dxk~D#4>$73Zptd41+HiOJSUSj)pXXz=A~ zmV~lqX^W%~q_6M}e8ZN3#!f$E_PbAudhw6Yt1FY*JRxm`7r6$=PO11B+fmZGGoi7rWLz#7bwsQF4%6icW&bX6X*YH~+(Z2* z3rL#`5d*FBB~fNYK*D3^wR!Rq04sve44pYb)2ASp8SO+XeLBO!@A0q93|>#%yMH}i zPjyDG^G!0gg}p4or}IR?nToF(q;1o+pRZ!Kb7RUkTrL-6y{$US;y)~2nJ5Y8t~pmw zwITz*5%N&20Ahnaho%+1*P=4cyZpMeC$RE;MYLeLCvgKPlw0VQ&aroepA9JPnLrC| zb=Kwdl> z;U6$Jh&~mZT}?P^Q`df>wi9k%JZm^U<-KEQfr{;I`bj%V{+pGiAiG?5MR%vt>poSU z@Gip_U~Z;y`a46s1OM$)$2zO1J0kq&@jnA4+Svt!Pcn_0h)J2Fr@StGqN zK~y8~M9w|S<#+DM;(^+Zs)U6oa2R)n9naA``#qM7C){+UCJbsUZexLqnWpz|xS|(& z5MhIE@lTD1RGZ~FEbpFTEEW7VOXgz+2_Fgv#e?*UveLg-Sb~)5QD^tN>D_%~Gbbv~ z%9Z@yv_nfjSDa8BqBrZFle}B57L9^ooI@)l)7I_Q`J6wpfJ$w zv8>8iH{UtW5WJ=R{JTd+4#2|+4fZeoKbU*VuqfNMUHBpgr9nXjhLmzh6^Wr+l#vEe z8c_l1Zjn&BQMztYz@d96Ng28uq+{sTb)p-MKNY{_`bVn=-6IO)= z8m4lby)pg8JKD?J4aGC7kzt2KozZBeZ7Rvor30bi*ThD2@(m=w>nq)3f1<-Fp6Z@V zhEW0NR;=2iw5x3og7}nZhJA?`Y$yM-R5L{d$I({rgD%2Zp-!2CQsLXN>q* z2Xbrl0d#QfZ#r_!W8Z0fqmYRYAylcvMbwa6oUZeUuR8Fk0zbh;BmGh%Am$q*s&CA4 z+~cC8ORVx{Clwj@JB=8bnC0|Gx}ct}gB(}c7^V#e2`7x1V&yQqc8>FS2aTM;@j9Qi z$oxmXy2qwk1+3e_{LdiyS!?PY%D4GbENtx`_tIqhMac~M*C#V|j4OYDbWy(L(2vy$ zdWmu>*Qrb7v0~2kMg>J`_~Zv^#*?~6x26(7t=nR})HmigBYD*)GF06cqJoA~;qYVF z7kXB}pe4vN_t%jx9-yC82WlQAJl9xrZ?yc4Gg*dp$)D|Yq!D$b*uPSf_<73Og6x64 zjJ5v$4##u+A~&$B@ax;c)u~G*Jm4dH+2P<%hr!Nu8Xys`>rO?Pn#&z8y&ujdavr|p zqh$RiVr}mkiG7}B5%8{?(bej|tC4Sy-8YA;X*_4H%rh6z#P_uW8!zt4Nc(xkB?lDef2li3F3H2i6P zQyRb77|w4$Munl=^2*g}f?FrXvvUO_3XPXO$IMfpPG#g2+I4#Ur=8yfO4KF1T&-B({f z)>am7I}MWo6tYgqHZ+}6of1+WQajK7gGI%NjxRIr^3s&{Y9Go?6lA_jWzZ6Bw^^O( zY2+v;uC1I(Gp*YY)okikr{mfGK&`4o+0ngReX_?&OcY6_$hvqxn*~87pleN6!Buzx ziZQ7hueNP+xl^;ILkc({$p$VnPR8HbY3SI)r$NQPZhhecJb>z(2M7;A{|X{9m%DX? zGERNqaDKwWn*%Mgt~JR8^#AhBqU`K^CpJX}l+L*Dg?0SJ=ZG&wmvV!N{J6)P=#@{f zR)_F*VqApe7gEs4?Zr(M=Q8y4(bL^KxRX2JeYV~~>9BYq zvAJR5)OmGs*h-ntTc1zK~9ict7HWp-uGpbCZ zGsADT1v<8nC6g7Dt+f-H%cEFJq&ag`nHfen2o(&@?XI(VWrI)?EZ^Gl=UrNPbwkdc zZ`tEx_!@!x0?c^%lE}Lk!>iU@g=uditb;|5LPS%THmbH%$Zk8TA!gL~5^pr!NTX4! z7T6pvf!YE_miJG}45x1tSD$~8IW4D-xURw@;yAFk<-kYeGIyV~YwLJrEJ(+??kRIg zZ|DUhN!t0e8+TxYqPWT{_fOqtu=`Yi6iwaDyZDha1%<_vl{(uAsn7G?$bTdNSPW^p zmcWroq;hzs8IS^8+MMoBJ|}ZNKHma322_Gg27|W}=Av0eo52wRg(j`TyzY-eo@wW- zfsq5&xMJ#PZCSu%k@#iYDMe#grnI~sct?6n8wW9bayAE~h^0U#2~T6WG_!e{#7LR= z{kM#<0*?Z@d#MLlS9ZKR$7>(Xr0w&WE>6HLWcE~fme&X{f z5sPgZx0}M<$9iX{rvCiq-LaZxJ$xwVuj==Nl5mh#!^)YSIF()NpxK8^F4gx74iLo^ zA_R_cbu3%Md-y5Vn6>KeLe1~zBEPMM*}uf$=zr})dRF~?8(_)yAW0Af$glfR9Od~$ zNQT%bf*JuApna47qT`HRb|w_$k{}dMHS>~Tt|e9i!wMH{Z*R;KsZ3kCkr7c$a|8Vf z&(<9`9f@I_czl!I;c~OH#B?~AZmTi7#tEfIF!ck^QWV?Pq`XJBIe-$~v2h9w`c)yL zH89>i>3p!oIb`AXwbA3JLq8GQtD~vy~S_K_JG2W-8d9zu>XUv)qmx1W(9&QW}m z3j*ff&g~F4gT;N0AK?L`URU+~0O~Ti*qyIbf{_bgIZPo4?9N2HJujl4ZUv?as09C&=vkvgi4s5_!Bikn0*5! zK7nUN9R(1WWs->yLEUKnT97Tsvf9kYqmyTxFEkkE?q1GO%-L_#AUWMt!-x`};31;n|9T5MDn*;++6sWeDl6WEND+Ve1sa)?Sj5xmjHqi5_}VAlk=V9!7Z$xA z=SLF1)grE|RBPmX{IU>`l7a#>1jk09g-TdjcW7U{F%_6o{dIszH8_G^NxUC<1&a?ebyV zl)j`pHNYzv&ZyhzLQpH#oNWw{EeA`i~YQtRoAK z`fb{IrIfP6D8A!|+M$gUfYjD_Kv03TYgA7@nN<7?O;o2n46cVNc=@cw`yL?G=f@fW zM`C!kix~QpS@d9c((alMlL8c8LW9>r++sOYlZAVS57&o=#2-XN4{RT4JOcW0{q>CS zv!nbo0!jP$VTlmu5nMqhxnh#({JWG=EfB9`0_m3h%Y# zx%jR7eM^ei5e8=q%bGhlaJ}^iE z1owgz1wA1lVJG{dK?GDj=nC{o#}#5n(p@8*9#K^|o97AL|XY>|O+Psb z*BvnG+xiA-5uf*f5`5=t z>a|k6#M6X`Q=WZakq>q14EshkAG|VCk6UyH0!1rwQjwD=#h@(>i|r1R7Io$hX5{`_ z3-p8chFOfzaPye7-tmI5;Z?uuuuu0}zR#W9=kFONWNExWSyt~~^;Q}?iTwRM0|LRS zG8^ThMM%Ilx(gDa@!Ax^ZlTWMmh8_P>~5KcG&4s}=0d3=V)14=V}i_FN*~HyWpZW@~W zp@bUPC@#!o;cd;&cw(1nJH<~_&9~&g!WvhIyUML^0HQn;f>rwJh?QEgCxtE zIk7x*Rv&n!ECJaXLY#@cfW{nT`?Hm}U>)3%0b0=grbzRgIFsS-f3g6ILA>~Z;-E%F z!_6b1$86?+7VH^y3V@-H!e6H~EKQJKWPMBK%X$v@nl>Dbs?2ACUM@HVPn7d>UxmPc zGh_g@m23(w@Wzr=>lvYDx3f8}__}C188;rVI7MeuZ}$v!3EAT6&f?{V_U&;~M7~Uy zgLt>0C;P$(=qoj`w-*gck+`Ut159~RtPR)ODg`*Vs&E0ha01v4Bs8Vd3DA-EB@+%R z$OCclfd|#^@K?;Eh?zQSH;a>KvT)px!tH0zDl1H@#t<{$#rKu&T{Uw};fBHUpDKF} z^ZW;8GtN^v2P71{OdK>))xXjOOZ7osy|#`4(a038Dy5aIaj&G_-rXBu8@<$-L0iX) zI09xJ999;c+KIv76sc2>OgK(Petso0>mG zu^jkeR`|gWiI@T9LptB(7in;gk7lO%B!F(m6)BxlsG={`j)>JmNq+uFn$?yHAsQgpdrrHgs3F&bYhh%5tB4Rar%GKIxgYF3YV11Mcj zk#(>0qIn!KsEXrT&#}M5u_*E5g)J#gGC`3S7-du_n)4L^#2UO^6$d=K*PcF_(S%F7 zon%DBuN4xku6z4F84;@v3)Mc}i8J)?Wv#4v=c>B+NQLzpP_A!k5@R8_^uC&GJwe>2 zFmun2Z~4IQu7tzB#C5wgbVvf*yqq^cjooehEzEpQ3b*bpNdi`uFvSQgTZV0(>vp1ZL?X^!9)b{A(zM>rwB6GE?!MQ2UCg z@6m+1DVbwbmzlews-(osn7ST6;yN!?(YIvO+fy2$anlcPZ;|jyD5j?mrqA}y3abBJ zD9W#okzf7>Q3ipS7_yC=5O=em_wM<>n93$ApW(M;f(!_V-fieE9C8NieJ4Acxmi^_ z#B^P?U101jHRTCK%k~$;g?t5ByUPo*+^e;DvL&Z)$qi#v^pylRAhr4a2(gLu)Jlvn zQ(TV!4Uyn_D+(OjiqnA62aTnU8;0N`U<(CGdGmE^lLZ5$Xz$Ejz=Prte3d}3O-3ec>ugAS2?D={3-`<4Wa7=N9jFH%=I*% zW!DMzXLM2PiG|vEBwN}YXWAXETknPEZ`Y-NjtE<&9>`L1SoB6+X`Bq!LuahA z0?`?QY0K7{l~Y|Ix#e3D`JzeohDLjp8}uu;zilCVCfO@~))4@pjt}RZaq|(FI#x_i zOFXrYxD7-G&dkpBt97`R6NNP@v?aPi^4$%_D^n!IHe62@gYdDj0vmnU6fpe6Dlbb8 zw0O)#1p$tB1s@)OOJ!DgUT|W(o|!iO=I}BK#m4UbdF-!z?25WLFjdplEI=3l2j z*quvE>#FMv=mn!%49q+|B-d^L!KAYZ*eI*+gP)+W)`;@To(;$MOz1CP+Y=CPX(4s4 zhwGPs>f_A5S6d<`XJPwmD>LPxqE|&$7gIkjV~_F~3_$v0ya?3(jGp`(WLW{3N|2wh zk%XwdlQU1timaNNNT{fqs{#w}HyX#{!6W99=!fU2c~g5tz-w!rpZaH8h$+?GvE%2( z8+exry9Q34&Tq`7HWkJ|l$HMF?>eVH(Ux+o#;3E=le}%IX%EO{ zjNw&R5=34zbdNP57cpas>uRm4?Q}pT>?Cd{XV*KB`tz(mXiK+(rgq;+q%RTerlEi^ zienz=#yzw>9i%M_AaxYDP2pxH966?IZYY{9_KEF1Ihc-dH{vDEfr-$1rYalV+aNMk z&h<#1<)|n)SM9@55PdE9`u)jm8QPA)JtN}zp3|0zd>?U;@2MuhR25%u`rVpF_x?C| zxN243B|IwX3m=>0`FJnpXNfBDeW>f}@sHA)DDk;UhjEjku)vWYyCf`i7y>rOwTz&@ z)-=r}-dGSDO_r55zrUq#I^%t@EsHV;qtUgWf-&K2EYWUQ@x78ZHJ^H*2QV?+2OMF# zQ_kZ?ln3elWCi#;-+T#yD1vZ76B4VBJ=(!?G*$|3u@uYtAHf<%#L~QQ0qH&d)#X&Z zVPreD$8m29$2I`rfP1KnpRg1z#;f%Z7eo0oz_2#~hZDo&P&cBj|C9Z3PiTbvir~u! zOqrCF)nKU}SUy%Gk6(6q8Oao-ehV^R_XW63R|reADOL_6@L7cP>40uY z^9kpAusq8)lv`zDxgN3&yxm@uoKnL3(6!EElcBs^l(F>J z>xbVf`b3C1zlDl6c*B6m&A2uH$d^n(iVXPuZ-N+{mE2g6NFzRE)Yl^3k*XxB34i%{ z?tVG|houAeIEml5h2jWAUY)S`E#kA_T|bK&#!1V-@cSjcNIJh|R|Ndm=~Bp=%pHDj zDUPY)hjre=>r=UsSL^X}8Lq{Y?U5G=R|6yinZdngA5U!iJThZf z+AgS0*k=)rFERBqo(DgIf}f*=(5l{RF?cYy%7cjyYt>XV!H8QD+WaW_+O;w|1kg_Z0Btd-e3&f9lrV8NCcg3&-1ahQGTU~;Kx;gH3x_O%g_w12Kcd^Ul zI9fv+vifLVd?({s7D(%Qa`--|!@;!DsO|}T!YoXqo}QcK)4f01L`;=&7ZJ|T->h@)C<|E=bde}U5 zb0CkH*tW{6%x#um<`)`MEJY7NUVp3=nLR$T62kc-Rd9V-Rn|GqyLI*$G3LO&U zE20|X3(p@L3L8#*xhX|?K#IwTBhp_hIyleYFug4q;XJ?#AfM#ACZG5MpB;+dcs3si zM~|7jTht}j$pA~>b{3BBu@i313kP7DH*<|e*3a&P}4@G za$~jYYt`&?pxS|AQTM1>_m0lYuGr~ceHIJ4`%W)S7aRz8W2UpJE%s}YJb2I<1T?RI z$=}{3@}yZx339QoEL#=#v-sjoKLWn!!lyVl_NV!35c`*FhquRnxVo>G`Q(D-fR}Ur z=B2&(kq3xV9$gGSto^5)aLt??^K$96&o0^`=ky8+@(iq?^mmIYh#w)4BxSdFZSHR9 z4SU=lQ9%ejHX~{-Mmeo`34pnCC|vY3a=9x@XTQagnOv=dIXPZ^qe#3v@-U_&a4V*} zanjho{=2OB@c>R5-qc{$4X9IO1q5N8U$!4B#&UZj&rY7z(Y{|=$CDU+hdXpu+6>@lw2>_EbF;kF7u`00A;%0SJq9iQzVF7Ud0qnbTX(362XhJ{s8jjyB4O1e`yus->Hz0&bdCJ~z3 z6Ir0}R=Mg>Nzy(#M->I%FAs=~P7vRVeGD;Y=!^mRb^T?z;jTv4@t}DPwD)rW;5!19 z*c|7HAVbg*v-)!P4SDEYQ2iIlwK%0Jwtb@#6d+W3p@m*fO2n(49==LM zaC*Q@SmO6c5p%3#!Prvsts)md&M!o(_p`TBEvm!0Oc<=PRt7IC% z(eVtp)z8arT6?N}KQ5=xCjtlBERe<8wA=A6L2u!Zmp&Dz4EsoxO1(>NwNT7cfrCdS zKbY?WpWhX`y061JqX7ZJ%Y%B3#*QX(Ueq~wG-Cw|0eTpT|A`o4eKW2Le`|?s6$REh zXYGbhzAxpwf=}WQ+jN4I)8l4dH5>9tA~AwFlTJ1WLU1iGPnOYq-zc-6AYZk%$ZObd^BXZYFI zSFSi!!pr?!It1kd4%F2bUJPbcC`@`+B};yKp&ArU=l_Eq5GLdp2^yxxLKKK6{w^(l zKorC)SS6<5_$?gUw8Uw;2#!S@-fNyW^Y`ZyP+HQGn-BL+AXAyhL`f?+|DzaN5CK&2kK9(5Q;-9CeY9w1B`^fF+sSwLOO7|kN zpWm8v;e@Zysb1GS?EWo}ZgK$S8rFZq*Q*^KIy*QxK#%3BU4;1YI41B>y)m@a0lYY* z(5@)jHjh`_3Jt7a`**~JA;a$3tTph<>70yXo(f&V<`vv}^zH?#K*^>wc7e%NyE&b@ zaD20tT_1_9VB07G$#w~;KiWpwe{XeSp7O{_fE_p8RyCVte?AGA@-tMwPVsDD6AJJ$c$dlgHz7am1_it_cNF6lnhTY5HKw654HHKYR#f^Rt1)xwBUC*9fPd-^D zI6|E?{l2mV!(cg*cEM;3jSpkA<#_LU|K75pnGo;25W^3a#Wn1uH%l|G^2Ow8*e8!b z!RO+XV-J^C{P~4y+S73&=Mzu?{#4)H)MWE(6&VPh7oZij8;)PK3#>svj@$s zS%w5MO7#cZbUC7`YP;?O0WaGABK&T&?0QO~B>IzRFNgZ}x*R#%MQj}6<{s!_uNG-j)#`~?db}x zyM_x`N-v-mmj7O%6-9Dv_qYJk+bTv)aoW$jqhAoq6Eju7*@3=%ptT^4!qF--UIvegZIRv;>;dOOhzTpA9c1Y zJ(GA9Be8e8@Vi36o{3?la&usmI$vfeG#J!<`{$7TQZa@+4SMj6VE`bojVaqgby`Z< zt4eU5V)}!4lQ||5pJodU_pIBevfsSeFx+{4O23bHK5TPJ;Zz>uy_ZitA+*e#gN%50 z7`!$9fVV4;6geK_wLe&A){FRZ-=eSFA}z;K^=bp_2ixooOYyb=FJMy(ehI2Sj{m<) zl70wO*W}|}nM*Yb#>3&dwSVtF(;s+SUj)1_PrnHj2|R>?k7xe+Ve=nvjQA-*Tlk%ncbJ^|S@t>+B#tVowGZuLwJf&vuY6bgoAEOlR|^n> z7TYli-Z@bZ%}jUWv@L9!73y8?*F`U{F`$$MPuuUD-kEaXcrxI(*Mt= zOezJsMgYuD6Zu-eCa7twozL1Ss(J> zTTH1FQU^fE))k>CpkXK9pS-IPV_{URso1ceJ$x-j{&QulIb*|kg7-efQYIfJD(CBA z241vJo?_o5a|GNeKH^0On>@q4VA2si$MlF+=TCwRV{(yI{xN0QilRz(p@dJw7zC1% zVR{o;q4kr@5b{B}P6_)+_5k;a80e7(viv4KYbESroH9dEl;AuIdI6diqGGIi zX_oZZS9E+f@^g6u*8gsNjehr~oJ{}oL;uHz{KuC07eDLd4z?{$?n6$0xS-a&$PXz1 z+qAW>bxV6~FG~EZahD<2_z0laNvO^FRb#avqsp#a6(L1(vH6Pecp?mI8VsU5`A_K9 z6TB)CKm$}R18BL}QVBYj;!citE%%G8aGzIBjcpyxf?OQRdLA{$j|hFbE2D7rrRS|= zRK~G>pCvP-yLmXzVfi+FO3*EsKh>>BQ6+GBRmf5>k<`AbwaXNz_Dt~gOddA6;cI3b zFNfp0EY+2mCvk_%@X4dSx-t=0>~UWA?!DZ2WIYUR7?p5BmNaHsesq2E2|$%-*#1pR zl=`gpdF=e3Tj;-7nH@h->;);>uwMJ;Mb(JCsDcv~X;8QT6%GYFrd`ZW9~XUBqMBX4 zrOeazDaF3;4(jPOPuemr^1e^*>nu5;u-Xq5?=6n>+_tiG5_#4mJ&U*ST&27#x)((`8zDT0x@rcbxhM{WsL<^bcx(uUWEc0Y{6Vp~h+yh4Zn zMf9V@`Zq#@&UCb|`(m<5e$ z<%IZVw9~eXG-}NmpU@!bakZ2o?(I4+&A<(k4Hq0Oo=gWht;b^B7_ex>H$47our8zE zxo;h#HSBCUgd+Q18uX-`J>^EnGDA=ho?Pq*Ve0u~vD4Tb#o)e9?&VIEG;7w2@__7w z`orj;2h5#$d>aXq8Tu%BSJB9_s9*i^Dd%h#gDMPeai*1#S`1ttdO?lh1B<@oo>Z^V z)B{biqZsT3gDCsyg)P1R*bV>nA5ooHM-%I+{@B((_gXrwIMy9;N#!50O&J4O6u1X9 z`ht?>BFL44_NSDp2a!>${b7 zxqpeMBe4(rOQINB?@*x)VlJSy#Q}MN9p>MfyHG z!w_$TEkBfA5W_5HbV}c;1W~OFXXBesso?YaR{J`HY$C>Mxzvv=xc*Wa3Q7}v&q}$V zZmz@48o#@;I`+9*gF1|RaIYyiFM_W{A+d;6UQJD-)0?kxl%8nqt0ToisMNns<_I7d}uG~Jelx>IUiz$mJ_Qq`X|z&3lU z^9|-Fk-Cy;=95(a`V`n6i$^fYxj8MJHsngn(9F=iEkRs;`62WWm>*L1hr@&6`xI`I zc|3vzwB&kbgEXiz3v}aQ&1#FDc=l| z4}No-X;SI?XjH2ZIj1 zl}^|$cMRd+7%=vmF16l_qEw0$C4#Dc_aiab?vkzXG8-Ugl#xVkAoM)e6&1F-Hq%J~ zi9_3TLs9dz*w&5AP%^VF+2w~c-D{bo=TTa}&61pvjAb8Rm&w7kJ+QA8o!QxMZ>(Vd z!fB;`?hjDrkI($a3CqLov!b!I;vfHf-=s=Buo}oy&UZNVh$lPY9Wi^puR2;yQs(_^ z-lHTykPTphZ;XJ^C~!|Q+h-Wm6F+|$ZQ=aHr)*FHvt~uH}`v@6`8rx8;cVSsaG z;;iH`Io=peJHR(7b0@7Eqluu~Z*f%1{RUe9Sgs1dS5Buv-Lc|nWsLQs)G3rRz1L{X z20Zf)YWh_`>jNgU+i+NA{ZU44vL`q>NX|i4ip{i##}6>zDg(Rlph$ znLz5;-S}Oa!A+^LKXE?a5J?Wo?T~M_S^4z#DUPgg;1f8$)mcqo_jo1lGwbokS^2*& z+3-)W-W>g@JobkQD_s)aZwjC;GRMjZ_;1~{ebQpdMILx9wN$Or;FO);kV2Q!_d|;q zbD?ZC-y!ICWQX74f}3RM5OfW>F`N=kg&D1>UTP25Uueb0sjaF^l>=-&FP> z&vc@hal``O46`1m~{H&=?|5x%`_L-Va@9qxv5e~Tk!UL>&u+$>Tj^#;<5ak+fY z@bTnp!6%yjQVE24nkm{MHYAMPbhkW@BHU9nqjSFg=#hYrba|WIjh46`&5=V2p;o;9 zF@l%ffa9iHMTJ|1#wQZ99?VvTHw!CWHiiA$LQz*=KzRZ;5p=12AI^{XyRl1!@7De| z7v}9D_9=J#tI+X87Z& zKW1<%MP$Ftg?qY2P7Q|E8W$P@+7WRR@jDVC1*^6!KBn3 zc)sJaDkZp*NWY?o%#iwnxRQ{$p{ZgMk=L+k z8jsfivlueM8!WIE@pVO4biBa!HP^4r>AzbJK1+jm+a26r=(ao(zl1jwB3|&*BP9*f zME@?B{l4vjM=ktHYD2?Di*UctC6CYY?&)>cN+^+p* zD@%y&#kS!c%ca|4pItG{kPruxiVfD zfi=Gls0VBsbSLJpn$C_H`dkgxCc8~pR|RmS8l8kMl=q2lelSmX>FgTdfPGIXk5F3^ zW&Vw{&tH8uZy8hpgEG&OBz}+Nwsxg?y-lR9oOR5=ToKPmw$cwRh2}!tgnK`w)nwe& zdCmo^S^NOq-MbuX@R>ai;`bPxKQROKn^vdMrQ`NX_Q$3B8W9pyzr3c>g7%DIcXqAs zS(hunNx5H$J%(@RT*Ll(3jMyV`9X0(bL^EEE7bEN(db865aM7G-P2+xn8H6L6QKzN z2K*eNi%vUbFget2-SjOA`3B}@T8Qftg2x18a*WQ|v+rnwS?0L!UgG{Ro_B3y2mT|JM{=*$K-?$sJl`C2Nd6KyvI8j~5-fnY zeRXv)_ZxaV=kq)J1pG(l!dHhwmQ@Sa73c7(rtMXP5Bp_R#E@O=NguFt>dJX7uw$oq z`nu|Oz+_F&ajUW)_LT`U*xhoB9V2=ZJ2!y+UJ$*#(zpYn(ITy>3l|uBY1+*1HaM@7 zu}K2Er3!aEji^XXy3f&Dy_c|1V{z8~$Xl;=rmz*4cztu|Y$~CF|9q;+$?bIAPBFK* zeyh{8<<+i4HEr!rFMepXNy$vBf74aiLT}HG{oYt>+tLSCSwS?}N1)`Db`o5nCZ2&i{`yg?8_+UF|+1*F~YvR@3I}+hPqE zR(0vnuTR0EC~M(pwsd_AadJSBr4}?+zw$8d({lpAz`pD5LWtp|Nq%a+1_PkGk$9GT z4YLh0tRfD=VW2SrGa(&q=)Wt0Qf^o z9M?+6nNkN4v*@@Cerv5`5Gkw^U_9{!YDOAV=9Hm zo;WxG+bjVeE;0>txqc30!QD~v(vPF60C<<~MQ3XQ!{ngq6&rzte8W~@IP#pKEa2s# zv^JW_0_q$lcr}muYpXxr8I$Kv-q?yB53CiQ8|^Wnak&OU%TKl`pZYj5DSCA76N(&c-B&~M=~cuqOn~6)TC7)N`=D7! z1aBckBD?Wf2f_eiG90Ip>SItqX}9qR+Y-&a>b;oSh2FCCP5UO4Iw0Hx5>a;yc1e@G zuZHiFTS<3oqcTATh83IHkU!21L>{kEQpOz=mGwPt$NmR%Ho1zT@sjm9l5J&7C~$Vc z8FlFTZfNJX_EY`Y{dkkQ5vq4n)`JOI_}7`Z{K}?uoyxfaXE}PboJhG z0n9EXIp6wiH2qjDig5}Dz@1#7NO4>Fj3v^Z%0qzed#TUK56>G$k1Grhz#3A*0sLhr z#(M?)2qzX1oL|u2w>#y>(p;^o4>s;;eA5D$S{zbc>vg$4i!3$Tp7n{bGk{LEZwl{f+#MVb%PNe)EHGiAthohQjwIhxjIB65(zbh`k61f zRl)_`ltlY2w{yFlf9v^gS61xbc>tf1KGe5Zcr8lG+`(iE=Vm0+xxu6jF>s*NIuO8px+6bs)2~hevGLeF#Yoax4Gyn*1z#WJL5uKBhpGRi$( z^B*z6NA=tw@V%b<>j2x7+w|3UfEN&Id>{N%$EfG|YlS&%`*bCe$mrhRlOB6|o2T?= z35zk36!XQhScGM05kOJeS)%WOusa$tkhpHdH)q)q8so*(ifz=4dDkrivETO`gwp67 zK&o&y5waWbM{NXBL*n=V8}59l>*XWpd>l}74MkISjrJ~_7R=1#f7T+*RbS1o`Ry&y zGm5Pk!0m1B4ZRI51&F&j>nn|h3O+Y8l-ipM>d6AtW0re+*@$y%!#6PpQ9+7Lojo-9 z!T+yhf>OfApgw&NrNq46eB1s#y(tGJlua=&#Y#<^!5L?4z+fAMQv#CDaTsM(ue8#% z;z{oXiBnp?VNKnNQHK}?IYxDpIgLuVDQ$PP>I*_+Oz}}Fa9k$dbwhgq1m$ORw?)!T z3bmeq!j&xT{!lK09Nh0s z>JR)Mj_R_)K$VR7;>Sl0E4`VZ!6<=e-~2NuU=xD>5|)%AG9Hkp<(Z)g_h7R(FUPbH zAE*Q(3)Bt7mOh@Wnuw`fwhwTBBW2%SpAzhW-Otv0w3NYfKqO$J!c(EyeSgjeoF%Q% zR*Vg#q0i^N_TaR`*%9j$ss_UpS~dzxpkRnlg9)^}oqkm<>mb|jJiOr65;&MViEPCi z8=c{$4|V`5N1#7_Zv=c<8Qy_203AtzX{@wMWtBK&-%96n*XOrb3ZC2^>XFv5b#5Xt z&V|!22j2N5Fl+JNOP51)ka8^j!F}NL1AQM2r^b5dhar84KI(91me=-Q7d2Q~#la}g z_30G@-_*UO4xR9fzEAIp8PC;DE*(XMQ1bK?Q^xkcvwGcHuAH%r2Pj^1w)J5;hw0Sni^#!KzlxgxqE6p_Q`av=iz$wC; z`Wo3vBU~d#8TNYJb;2i)R*pY%q$=%lPMg*Qiq5=?4}QBbB{XG44bF8&#C_&ZPlQtMZWhtWy{( z`2Ii}@I9_w5y^H4Jow^5C_!txQ(Q6nd_kViJu1-f%j5w~LrP;IwzIlc-y_D8=EAg- z)q7X-_)Plb*~X@O>Zm}f>W+=G>Mg{}ljn|3vh{P8WYx5G;sSiWtkux!5=>uHGa=oB z1|2)YrO(|W;6O37#I#M}texwtb-iwj>{n@)hmA^%Jv&L$n~8IR+#c}>U3vzEOU*v# zuuk2C7ttj*^;s_rG=KW5_Em9jisJywpAS)23kzbu@4RZ?eek_~b^o+tj8vukRAlSS z)my@TY_6pU{QXynPawhK+`eV;&F}38*5Aw%3h$gh^WJJ5y3a_r%tJ9Zu;MK#DCYg@ zvV+l^@!}CHtbE+WctVRKfY!QJPuDghV|P8@dKibNa=JQJf==@Ob+EdZsrcmKe@sqQZPq&K-#=5QPQfvyp2*NZK)r-h95XASK>K4`5h zTN-=Lapp3x1zt%4D;BADJWC8;e`{}T**nlEe6ZTZ(c-Z8i>is}wb$%(&0mM65oC|= z%*g%lSUYJ7xpxyCbd9c&4OVr&TqZ|pMXP`oG^k)EqBwHZjXJNN7(l^NX3MxZGeCiT;e zi1T8JX9}t0^OY&v{*ww(a>MyepdjtLg1Bd}=pmRrIt*ryMyihc4M{uEG>oT*Qfub^ zGXf%jKT1MXJZriTN49EMeVlnM=hs~FhpU^KjLf*nBmLarA(9F=NR z&w}Ag?4Z-wOIlUa#&whkKG2B!MdYS{oHLL$^EE^50c>QZrSr@ zlYX#?-75vZo@`+Xm(MSm8U!sqo9AAFQ_QF<$4x>o8RTAhoK0Y-%D}Gk$iLkLp!GfO zehumfh#~a0s8R=R2!O<3hw74vxnO532ZD1D+=+ChopoLR2Vrj=6;=GMk8VN%=~Sda zIz~}Ja!4r!>5`#4q@_XW?k)usq`OPHyM}I%W~ia>=6mj0=lt$k_uju|&HOP7_MXqX z-}iZ+0N*ty488SvVeF@C4i@COL{;X+UD!o^+rhBcd4(hHLo?LAjt^$Vl!ADQ3M$cV z3Juxy5cK|L%=NeO>B@sCE7@M4(;IFL>E;_mfBUaQm{u5P;vA@AYZEV{ zrwC8qI0`To3k)f4_b^0$2(5bvVS4>xe@Nhv5)XQF)OT67cKL8C3WdVJ6k7W9!1YLw ziB>vi(-3VfZHNLO3v_SUD4ix0&C?|8ufbG6f`|D#0DNd%w|5O)x_6PAzWAXEgCA5d zd>O8~0kh3nb)eM|*H{;-KB%YISp&DzN?zV*wVAPxqMA0}mataChBjEf3S`(EV5F_h zOU=@4M(zFx1Llr1e(o#u8@bp#aOL8sKWS2k(7W$fsiSCJw>@np-~kO#xku5r*ZJ;2 z0HYRh_s$iuJ`u?F<4-zt(Z3e*+NL!u!ED&|iOBB|;1@VvEMZzb(teNhy$HyMWN{po z?Rmt>FSx&p^ghj|2~KbIcEjLI`p8`u!L(|vI&D`nxYXpr%au(m|BlYON>+!RkfHkt zFan$Q`0dgw2a8!$IQgo4Qw|pX0DNy`yHVgLszWx9yA`kArX?b%%5r+ru-G)r-8w&O zc>aR(Us}NQ{z+xTv7>``g@Zx&49n6sY%Whn!0FI!x`7DD4ER1pj^~N2j~%|*hw$6Upd}}?{(y>vf1=x#Fcc#ebJZpO00qM zWzXg5LvXgrqeGkXRWbDJxBI_%bu0m|yHNdK;TRj{ zj(3|BWcC3j(a43Q-iELE z)pw{f|HTdZ2TCP<>|>n`{HLCbH;B_nO`B-lwW<>Ql1n6WpwHPs{dwR@ia4GuH^t$_ zQ0cy%?-Ctp_;aJ;dGABp`+Hnriu23SGpwj-k;bBYhw1dR^{2tDt4((o-77nPuKlI% zoVN(50Qn``gGAz12kFlFw#Z09!JD&ucBOwsiMonx7nuTgL|jX*M~l^)5npgh?)UhN z^8=2+8MuQgTMd*jzlJSA@evD=NVsb zhgEb9VkdK!K|!D@k<)Q5*2g)&;>sxUoWPim%vJhUB7h&+qsZiMlqpzkMd4B@PS(6v zAY|+>7WKi1)Q@tFQIagiGd#GSarG7Jd&ZOnd{vcm2B^K-fOzxe zq(1>tr*yqNN#(}nyTv=iQH+6CsN81$0AAycYKd$XavPjm$cf7Sq#n;mnuRw!;gG^e z!tlZ1D|?A`L=HzGXTLEz^(Q-~b)oZalr-JcEB{K@n%6d=_~+m|@1bWZ4g>pWi)>Dg{ly;@$~a z763j@VYzeHqRc-?ie0}^6@EdXC(?}ARv6p{`+A#ab??4>sp;=nLN6yIXSL z^uN6TfYNdIBF~G}?x�X|d}5@cs^RY3%g~uy0}LGbBgicLQB(Zj~zC4Npd)_@Kgb zwP|ukoqBF|tO4{xWFH>q?;78~EgEt!x>1+109~m^lPV~;IRt#hPsKToZR-F1KE>0W zd~e^VeX>^yt=yQM*wSBgzr@j$dMs zGGF)8lO#9|G>gyC{Bv?|j)#Be)dIaKdUd>SUV+sJziE2?7QM7;w^KKga5mukw`jDm zM=S-TvnvC`eooHCcXl7~0QB1PrVGkXf86^1Wj@($GQP-KL0!sD5l#<6Qju((pflbg4EeErW z7SiNYU#<|6tXZ_Ak@ssqZAYEwUXW+)H0=v4QPAtE(v~ki<<($UeZ6(qd^y#J>8{HE z{P+w{qxK?4#+?}J$2doKX&UA z2M@~#B9x;$mw_-07sgV#D5WDs)SAC&g&l$K5X&j(u>VhIj&B=cYDOEQ{z90y6TM8< zdA=pS<$LYz%~wB<^X}s&VcgO2>oR2w?mb!feBcHyF44M=iuiFoBmd)38R>MjKvk2m zq7T9@X<`%tFF^up?;52iwn$Tzf@XQS>Ao_4uvFhSoAqAtasiF!g~STw`LUk=rq*M` z${%ej@V}AY>B)|D>x*Ibm;Og#JsH96?(`u>@04kyR3|qA1Co-!UVM5f;UG%x(AxGdz=9Dzg z&gh(a80f?S+atOwJqCOgPQB8Xc+V6%+G@ydv{3-(*VGh`utki>0jXQ1KAsYQ=BIk& zDk)ZNHvgCnn9=a_SFBl>1WU)X6;0pwc(Sg1`l97sWd$KsHl?@_R^{J0)(j}xZ2W%c z@1Fx^Pd7@jN>NflUD&^Q{ds^pXdX0>$rJVlV}(DA>Hy0GO+(+Q_?S;HWl;h9CIV}V z2fDe0^COZA5Sb3lyjf=!r&mWo0%ozXkBk(%8yi7#wA}O)T8Kymsv2tfi|1r>p_=)I zUce5ee|v#J z?~3}}l@9O$9p1x=A})J9C%|Y6DuAjwWM)1BUe$AFiHb4Bj;=Cypq%xi62ZyjzEhtI+Tbg zbAP1%6u2V_y`an*d$OlC1p`Dfo`O-?aJbc>z@G${ zVUnW|yLD|9G}wwOlt`t!X{y=%VF$ngcMolvMhqCt>24-oP!~)2^njk}(+y8r#jo2L z={3+0t0!nbnkb{BGX;Wy8PL&V+NHj!Wzw~TN_Z{ZfdlyD^Ic^+CzW5479 zI;(?#*ne;n$*4FdVP8Z>f0OT5_=6z|W*)>_0fRQ2s_6m&*8{hrO1v+sZr3wZ$rRHa zLYqTeexC^XX#M9Wy2wtVLrJju;09o$@>_5Y_+fb?!8*NlVKZFAmYw|wXgnTJ@LTe9 zU5xDGfo^*eI-b>+b|8<<8{nx!cPhx~%=@_dk0dQZ#aDkzt-n43&_}9PGTggaymxbh zoUJCWmyqzS$i&YicV2^yL1WkVH}`Ey5UsiiQZgV2pna1?RK5U-KIpp?X z!*{fWm-XpwZE_scDBq_2m(m3ANv>y~QQ7VD;=M136J#C5E`hEvJhF^M`yEi_?4~?X zCV||_w83q8x4(|6@y;$aF;Isq1fYD^z;k6IemiYO!PnYU>C2m zR>GLINqYOk_Z=ql80$Y!O70cQ4HfH$KGc@~te-utzHmwEr>vYg4>h+2>A6Zn%DYX?zD^TNAALbWyK&5`+~tJYPrVzi`8d(e9;T_*wmpmVEN52 zw)Wx(it>6e|J8qR{n(4rKaQ!JG|ha86Lp_D3xc>gzrZ;x?>RlI{n7vy?d)R;t53jSy{Ge! z%nSF1a4T|JK;$JY`l$4Sy(hkB;kB0@!#;}hn(G7`9J5Uoz;#3!S*Bucan9eftZ+~Sp&x8|zV?XoSma8YA(P<5KiRo=?) zi0~ykh`dZ#2jx>5Ny462QAJ?JJ-5$kZibr$s@7aHoQC9hQQ`&Eoo1u?2|kJ)^%&nQUb>!iR1F8*L3q-z5M%QJFMGX@j!G~89@0D(G}_hJ3#ZV?9x-MB%H#K7OD#Mc%{R!byWU#P zbAQNE7R%vf6Ah{2$rBUYWJ&;8&HyFiala51f3t-A^SbSDh~@@`_($_}`mI0R8S-vy zx;Y;>wm$ipjS75}b1u+EHt3uWmiCcBKGH)kdji{an@@`3N@m%3Ra3ls#_`y8D+u>l zz?@Oza3A2?eHN~%> zy>(`kW4m5A4i&Ut&U*pTG@{)p)Y+js?#b4^{f2KMcePv)Ze&Eej8C2%XgVJrOHh;J zt-n=+C*u8!pbuVd7st2mHB@hH1cS@+hVB#COFz6tmp8SbLWm{q~Dz;V(QShzVn$5qBmyvTlOQ1)2yFtdJ<+X zuvQj2QhD!vK7_Uyk#)5uj_N1kBYj99!awGY?+43~Q70h4WV=%5mnM}&e-s~KK#Lxq zMS`Lz;)bjGk3d$86qAz<>nQV3&@0v9V&C&H!Lzq1(g6YI1t|q-uTSQh8ZL~z55pFk zW$tK^*3FljP_cfxEEZm4h0?`p) zK7_Ar!nQ^_~e65lsifWSjI!AGyjWS_AZ|g*S+hkZlb9^{fsR!LO zIICl&q7lSTjs2*(n~%okLUbaD0ZwkZbu1srj)FeISnWY!fg|)$e-0JQ3+y4g48L>O z0Meia1>7BcIsD>kAZJhQ?O5~3mVB2^4SwNkBF#$BeaZ0ng*VN|zQ^7oByQlUYit`# zQ(_WQpm2=Gt(ZpDERqK$X@!v?xAKw{2$GJZMq9{qH6m(*&RTl!47LxC;B1a}wGZX2 zmY(bA$M|)-sO%`zr>03*AcSo!1(!u{eGk^IhD2guKY2fI3(Mz5zV+~Nl{ER1YLAwX z)l4Z##4zr(3v6%8w>g6zNGPM;R6oBhN_OWwVU^=RiE_tS619XkPsL0pVYf64kX6)? zVqNTms3fP8X!#bt^9!C(PIT2fX=Vry1x#`3xUp&Wi~va0iELut@IIuA74Tl~q(Mg0 z!RBaBu4$K&3GY~B;XCGuo=q#n$PxIO!1DjQD@ zPVfg(cN?L~;r!MVQG1RY2-g2KZeK{lkd?_T_CSTxQ_BUU>)G9-R_Js+G|8;pK-M zx>gWStDUx8aEyFMO+WirGvyh+UA!5C8ibm}`6$zDe3RMo*zd!a6)2x>=x+!oFq{20b(Gj9g{oDAemwakc$GKD!&7;g86z4k zXwM39(V2aU!VFX&*6kL(9wr9h+==^mmW0=+0D?%nOpO?ZBiCbPSo3PqIsY{F8ww(R zP|37LX!Q{RBn{40LiQ){XnfDDNBAcWzjy!+78sQIIfZ`iN_0Rp2}%yF^rCpJ&@6{$ z58cs>^jsOAl=~XQ)#r@i+Hb-F;z_UwF+o01u5JH%$LwxLy+u~rcC?Qe;9H`Hk>DMO z^;Vg^#vboBzv>A;i zOd83K@jGHhNX?}haS4Axc6u#HcYfjKmti&zV zQ4k;o=-Q4EjfyM6MTzr>Xl9Qn#WFSfvZhGhD~`%_t@4Bz&Kl{5-9Rh0drpw8@!^+n zBA{Ob|HSg#%Lku*FiOd)D+}~!;uOlnz@s!pjEgyQ#Q>>( zu_;I|2{$}J7qRV)l_VFiU+-!41bV-qS(WfsD>22|M2pz?tp`P!M_KmCvJ(LPjWls~ zB~?pJv*`eG;Pr40Cuo~kQZ;mvv}F(5bI9Mm8k#H6nfgkas(%7{&0~VoR+*TQ@g2Ul z+jl@?$}Pzeeo+G!9b>QQ>EKfIR&cKZxz!K8s%Lwkw}c%H9KP}RTFex6AE(KC-^6+! zNP5XJkF3<(Yv_OTW$P0@N-6woX5Zta1^)oNQ*fGynSn)~HQS75n&)RspMO6_vF%V3 zN7Xzfz%+2+YDoJX8}G)W+oaunh;XDlUD_%zxysJubcec~guguS{t`G0U26$2eBwX- zKG2(L>Nt@4q@>wo<{&0w$y7P_GMX8rw#7jGFV!G-?HsQ;3bas{ZM^SIXRmm7Z?fzU z|K$cmZ+#^o;Jxc4*YDkT?n!;KP`%zzVpE~>4AK8u;PS=Xf`5Ud9-fSCW`n@p53zu# zQyb_p^Pjps8+Sk4i2FbFY<;5_i&S^#MG+jX3DU@+is6oZ58jW}&UiFo7;%*i#phSaHqR4)+7s1jQkX+#A#2p_bt~mRX)@RABJVjcMmV0aKEY10*HH>V^2Z!*3o0+OX?f?e!3y$LMEj&$JMXF z4F2iT4ilr}2|+Uwy%1iDewxoLd*o6yZW8Ac$L#LMRi#qfYps!-h86VG))IGrh{cat zNp(+NJa#Gy^jcj*6T*14A;rjlML>a{-UVt_&3RuunHX7S^F8YQi~i`%Z!N${;ubZM zhbL^b4MjYM&r!>8xT5@b5rCL6EwT>;cHab`L z8YZkV{cI{wH@Hc9WW1y-jF8$2rLoi$2xFLTNrw7+5K!y7)K6`&fD4?|&Qv#b{i>NxbNuZ7KW*ttz&13(qu^WUDy-3?y3V8r_P8aF5QMRlY_UAu1U&*uDANe_D*` z69un|cluh~@8V3*9%E2Hi#HPU!~H*}QA4@n0?k9i+%GQcn8&@)F{+|Ru*-R9KGlNJ z!$NTQ(WakB41>E8C&J64te=MeNJlzZy&#;OenAtJcAd;vXYl%&keg#)ei-%l)rU;E znGff+asmd2k~?Ly`}6lGnJ?)r32TZ0-u#*7mWQo%#6|zhB(5arKU5aDl{Ruk@cM33ZFV1u`vtdh;? zxN`fLz`m0CC$WAaK>cn=RDY0$3bw84_b$lgIx?;CjKAw5?Y!dX$e+sFWn|L1(NNcm z)tYqRncRyT!Mmja{{pT|%w&+$!s~IebfHI-QICMEBxK`#bn@DB>|AR5++RY#L1(uZ zuZ}wxSxaBRT99?NdN_9xQ8<$U?<(Cop1TmDGMJhlgzgsx)MPj@PNAhIxICbV0C!Jafg?!oi2z9#&mLn^WAxS0jo-trpDob%hCj(>91^5T^up|CSZYWoyw|c1g6erkJ%sLsXPvkzuuO4p3>^05)mevuxA-!yjJvK?!*Sj1_Q&o&{!VMF<2dVV94-2vo`Aybp zc6K87I|RhB--Fex<}t_YSgo0jYdRyqlR}4$VA58NrOH*)$JP@zR7>&v_8C0YFy;)G ztaP=HXY{DFXeWNtjju5|jWmA_$Z7i3HR@LFUf#U?4L?zya@*@)q903~GS!`ZYE3n} z=SIS;JB!0T@RNl?)9XVsE{dAw@cBZ`?p}s5k=GmiR218z<-c#enflzEXSUGE^Ff~? zgtJi!!^Y7{J2APx+i2Cu-fdCg*-L0n^0jDSU@vt443|#|e!--zQX*<)q-}+1Icby~ z&Lb<)493x9r^x)S8CE~oCAdOdTnx;p(1zJA#*t4slB$LFTqii9ev2+Fl0@ha6t>ea zO7}Rv-LIr-G0;NLJKeteZl%hta6l3B;C=p6x5dli+yYf^bW0AqX4>Em2KwnR1I{0T zb^K4rA>GipGo4Oh47zt*rLCy`E4^)QOP&|MnlosDgeqz#jq}?<*izM^W&cfa2{G74 zTg^3YXNBe$^vAdhwIoikgR_OT9+esrji!8+o}ies_pl8cg7Z|@!)~X5S)2}S@9<-S zOJdrFS6msj*M(YuO*8XR<67OLGNm?}C4F%w8{;kxx5x3GO{{luOu#IMZHjo2aRz{F zG0k|QzF%)hpE9|MR!*K%L0^X6O0V>J^jSegN7+w>$Z{Rc1tMS?dbeIWZ$mZhV)99> z6MWBq8dN&wg+b;^-F#7kvw>vGq%J6>DNO&Vht?IhQHvaJkvZs)~WfHopaQkAC{ zzb?|4q&XDp)rkBy45y)fuEuw?{BrZ#b-V7x&HM6w3%PBhk!Ad%#1#yoOR*#-n--lH zi8ke4F8A??%1^a{3ewUJEFZC~uL<(NUi#Lg`o@1f+yC>37kP`W^$oy0WI4d>(hWS3 z>p{ARB>9fNSWJ|5V(av8dyiq*kuGM+XH+iAOyR+Bx)RCbmN{Z-aQQE_;$$~Fe;%WLx{br+xkUb13l;tril^2(V)Au4SgD!SqM(Z=hS!9^LYLOXB)6iSRGrJHj2+L*i$4O7n^iRlY~~2@^y?DxA*vsEkE29v zj#b5hqQ;GWo1Fw(WS0-%YluTeobC;6#RzEio}%T7N~_rGr!w{|FA*J@Rhaa^2!yR4e?09wnjl7RqepRI z;rFyWBZ+%fL-HRZ9IGB%z1pBXCe_2nLF3ZWSnGc=Yy>9(Yx?@ksABKjRVfE~bS?*?cEM0Acj;tnA1HISmE6KA=khV@v$kS3~ zx|nge3G%|^VLHmGVfvR=OE{I}fTTozr@rQrD#xo9cGMq(5ewi&ET1wgW8b}->S?MT zIK0w|WdwF2^CzZN%@2n?@VA7uLv8PCE_lPs;IwBA825ZbUmq-DodLXB$F8qbZ z5ldA%a+%GZVlA2&Chs#n`B^{nyEGlG?3OT6C2y+Df4zTs$X3v4<>=t|uem4V9ZyVM z@r>P^kup1q?J~V@+X3%FN@xDBF-t6;+zjf3o2v+af|&u&XOu@X<3GQ&c=et~FX<8- z2%qKtX`Xa#!N)GH@tTKy^_Q6XY%sUq{(AZ|Rop)0OT$rs?|3b@w+aE!Fe3{dgqGtP ziZ)6)&h(G%|NoDA6JVZ!4AQ-}=F%$nU03oC{|%#yD&|@6F~RVYyLhB(SxT3ZY-zTx zGa~!hswN@!&$#f_P<2V@@v%Ry+s^hI*l`wHr|R5Qj)HZkRN%5yvza0D{fv_70j1;( zZ)dEohhpMlb#^_fz^qd!>ZDMqp2*@;>wg+REC#USgO6GH=*cfqlweM$E_1~@#* z&zBMT98A?A3N0e)9+%^vNu&(dw$$Q*g7>xK~5p!)oZ2mXE@FfoDY3i{-`8*t&Y@rdOe*nf4%PvH1(RRQS%Z&7v z{jG$Q*jK=wxitJ$4vybbbpoJQuSbrtTq0;dT1{xGM~(-*Z4DI2r0nS2<~a!=S=JaU z2YJp0zj(cNr;E!3DQ(DZtI(BV7}-YmqS|y2qhd^8Dv9m_$1`giRh*z2tRmlWTcvudw?M$7ex44+TvQm>;iICJfnm1yyz1=nYHA`Ls zQNf9a5Pay3?Ud>%yqDk5-;T$U9Nk4urKY<24&*JGOp~rdt8F3AFGj@ie|_)^+m8Td zCdpcz-Mc-y)a2UO=wmDvr!X9<<}eKnUw>6QF_iK1c)F@N6R(j4eZfk|(C}PYO&9F= z#Rm%f2mh42})@{*4r8LlBQTNZ`G=HCE%?q+it^?7C8}HF|OL> z@2BK);q&-%S8Vl(vs*BRhan&~)p^S5^e(`+{ICk1vr`Bnx_)&BL2&yo_pSNVVl7=; za@Cqp(DyG!t7UD5GcELB+?D3iSqLn-Q?Kn-J5C!-sc*{gcULYWqZFy=->o}%@p^&@ zc5VN1Gc&G`**`#XDP*$YYINX?sYN*j=s7Rl;%Lfi!!Qo)CwZ#|Yq}n?9TawFvh48| z&~?(84d8)#oHl(8Z1D{BdqQW;t1b7q6(WFglrio_T>}X7>QAYX{VjupKWXP(cnODd z`Y1Nu9f`9FFq};`U;CDhxKa4Ae}xN2+1Vya7y6n7?p?QLuT&dG_HpAmR|$Q24t4JTQ{^=bLeOD$ibo1Fp=;}x$K+-6%zXa!`uu?V`-so{{y;6UBA%E4$v&3fQY+?tp zXh*IV4r2P-ZwgAx8!Yp^UtUex_AWcc?l%?`Q&-d6ZKZV8jT(W^(s$(8CI1^6I5HM_ z7zi5ix94g~KpQpN`K*{(kvxh2bs3C?R5(z8(1bSJ@Ok&*^v|uG21t_o;sO zyNJdaq_d#mdaRP+Mxc@xd2U@$#V=Ql2D1coZ$$46iMm5P^im})VwB1Bc~BYI!g)2u|~0Q&LI554Z1AUYTT|iq3Gf*cokWoo2nnj8-H_2Wd2NKXUg-6OCm;Iu-Mmg4aNd!RFe7DD%F+o7Ub6Dp~ zx@$JN$WbYzyWTBWjota&pBRqW^T|+mLiC3==%i=ql(@G;cLTPHa#vc`Rg-NY?8Qm2 zmz&dQuHm2uM_@sqqw26*A1yG8!w7ofnRKcto=ePFiMjEaT=(bCJ?%~_ajW*3piCKz zGM35EY4T&frpS?zQ2=4GchJL@d#_ICY@_`G#?;&?RR!~4&aehB=^0J)`|r33aD109 zk_P;q4PwvIm#x37)+Afes7}y8!vdvqrfTYH8MbX${~CYf#RJmL>FO|7#!H`d&A5%X z*q?qG9NvSf56fyHH`0@_Nf7o+mL?y@YY@^^N0+F^Xa*s*@vBfwbspuYpi|dUtF9?Q zl+wbpbwjeM-6onD%bdNffrkJBi5|m@g=oG#hoCU42c7OHg8v_fzB|~C<34z4GE$?k8f`=A; z^L)Gy=2+@)kNm6_nACOq_bW~^SFauWCAA~-*|Mbi^f?D*M1L~5w;o)B9X?cJH#0hT2V=Rt)r~d3M z07?>o)w!$Il$!;g{@MJ}(RA#^tkx!b>U(gN@rvAACBX5FPc7}BuV&GW{n`*SXe6o& z?xvG-Tg;uKexd`SiG^oJg{yU7%V4@#7+8078+~^4VQqGTMs`xXaYAdiY4MGXEHMy# zoomgDfA4 z$sqPwRAlfRxYcBb>PpsS3fcMSXU&`w3i^l8u3jLF%wA7*DT4bTMpUWSYg?R9A2;4Hl9CUX*2E)A% z7mlvqs`Y)w_1x)1n)s-rQMEaBocUR~9!Tm(hw~h4zl7djC-%2ncRPC26vP8A-7?+& z-H?6cQ27Sm(*ViGUkn7N)NYYQyzQO4#TjAn>ZJWpogML3ET6NLjj8_)98?OR7Ks4p z?MWyEsLSB0f`ytOdYLIW3Y{-pSJrGdF}5*$mcDXy>fJwD?6yoXs}_S5Z6~WdhOofb zozFUR6{HGHoUB%~Msw{#N~)*6LyxNwPJ@!w7KRZ0Fw()mw@T9rTVyTL0A}Bwfz%uaAVbsCuax zwJ^bb6HFhT@sTJx@ix0|s%a7>tF>xS@@^#j!0P8%`)7BYz0OT{hrcCqrb`imbGh8?S1;6wcei#f|iQeQJBlYJTVdxB1M4K^oR8S69e|<@a5gkWV{D&E` z=#~eezH#zU53(F|^;Q}9?tTOYZl+dqIM(3$x<}$M-=&k8S7*20hH}yavsQ&hulznFJx#T)33}+I5w8lWcI#*~+I~o% zP2Nlu(13s-?FmiHaDu7l#<1w<>(SY{dLiD)azO;&CO(ZsUXeclX3eU)Q=crowjz_> z)Cdo=&P)WefQ@~8Ec|go3LnwQsf>~#qGTn63;hAJ7ICL4$%1q#%`@(Us#vCvedV)d zu%4;o5;OMS$O&Zy<2k``MQoH2ldTTOlK1o8YKw~C;}0WFy089HTfLD5jAV^H)XO9; zv#x3EIF93;2~kSJw#>^^m{$Ru3ol&Asl)Kb#jx2w(`Z@kImrrVZ=o6 zdWUDupRPqvdHheE$9CFMz_r(HzfsE&VYeUYIlN?CqZ+H(qn~c2NfGi}m>G}{koK#k zM_ul(Q5Z7l4!WheQ%JITe`ndKw3kpTw_mFK?4}~(gs!0A>l|w%5903x`ZX_&_Zu9( zHQtp1ZENCQA5%Y!VPW=xmd)939N|6o4g2I%AWESExelBPT_QbS-Ko=a0cOB;@YvOV29@SE&o>K z)hOu_o*QPz@h;zbJQw*eUx@#YM4Ezbyl8m|mhkZ;yn+ag@}C`$>X1mGz?(h=6-Mo% zNV^GRDQNZfJC(@Ebp^Mn{3=C@rVe#0**o#17%wdA8(Q!TZ=1b6QpTfrruC{rUILrs z??*kjzvA?Fba^ku?a>u{T_5H-jgMKcPO%-o<;Kc-3_|eVxZ$n%KnE#=#Aw#mb=|IB zIO8};{90Y3fD$$E6v^>C_vJh$$*jK_dbW$*RV48K$e`z!=R;|@&S+TVcL0Ui86O;% z_3wQ%oz>^i%dFYZSzt_2GQ}xrph5)B^Rv-!>k+z=gk#=j`_Arvszf;*f_u8}K?(I3 zk1{FfTVdxD_zCUn3Hr0bTpUzdhjQ}V9*Z76r74~a86zA+cXb&BBEXduMAF@j*D+y> z+|WTOhaY~Q+J&Bq#gfXInHga(e_eECKIxTn!9;Tycom2n-6UPn2hJI*Enz2y74M>P z(aYagCH}G!?>YN0l_y9ZSNO`q22@39Hk=mTt%gE=pD;hN%UwT@IP>sIGAtkh;A439 ziMQDVsc*v^qytI>`TPd5qZFeA=`g9*jW9i8w6J^TH3J-p2{s^}Xd*eLWq#=wFbL=O`sF((~!FdEWy5czF^Cb5)1O8-=9f6iiYgUvd8 z$4%bY%mDMGWM;@>J_Obm^L-J-ZXj~ciKZaX^s!mPYpQR&L6ec>uOOE2T|E{T8=7yVAW%aN7?})BW z-`lTYY`t0CZN?L1^lv=)BXc;DA=-r9$OgKK%Wq#ujXJxdWO zm{xrnZ{H2op?Zg})`P?_9}1~n@_&XYI?~6Kd&|aAwtudss-?5rNoTou*=O0_DjMs( zbZNBbzS8%_Dl=M=SMYL6KRNwtQPBN_s=A+c#EspUr}1$~7l%8q%4Y||gBHk*Q%MBW z;%}ZB>T;g84W2jD?0!9Q_XZ5lbWieX^_eK%3LGq~TM5qfGj{$rb5&1GqidoKE@P92 zn@bk{i!SlNnrIHg1eZ$$^K0%*UdPX<@G*UejuUB_g3~0hzCKv!dvL+f6$9@(p5g60 z&*tIZW85b17NvrM2i@)8wiJo3p}Co<`pIfBOROt&yj+ zK7%8tp!eh7@#SgnP}Ch_pcG(9DG19CA+|gV$&8etTxAp9r58TGTB6wrV_>RI$-Gg{ zlFBjUIFkT9?g9J@PM>eNo}E}e`|byBy923o!1v%mCJ_om_tkDmW_4A#rW~VZ<%@xjcYAdv_d)=cruk0>mDbM6glKjkkW-pY zR3yk?A?ltslf;^F7Nq2JGY$4>I$Y9!T2(wwzqB2&B;jF*o|WX!z;3 zAKG$WRl+DnvyKbH6pumGesMoWnO?f_If~O_B_8T(*GXsJ zQ#whIS@fyv@v5)wnx+|6#_3Z+U=+MYU}cJ$>e=~G zPc^opV*6>DroR;goss?}8@!U&T3>Qm3zsOIIv+xS zT?v79xvSW!Z>4K6RC+W;id||UkWCb`*ae$Q6DYw4b7Wf&DLrIlaN)fL(uparu1-32R<22Y5 z0_9j(}1y$GcQUfUEN0>ZgK-mlN|Yjl01!fj zqt-9pMJBYw%UR+)*cDuYEFYd<*gd-*%R9PaV5s0!pN1afl+GWx8=up3LBpO`uV`sf z*e@x~9VS($-0BT%A5Fx2<3Z*d z|Nb|AoPw5_aGGZabEaKJ7il5-AI4ZKA<~|1=4F+!dDp4e!=K-s}tl zm`nsxE~BnzlT`P?vsCg6gt8%+_E9n}ms9C8PbC-N`OwVdUtwqKH66D@Uz>?(m1QJC zehgy&0T(-JI;6%GyJb0P#oQ`U|0I&l@|*kuJd~_MO<^gbLCRBE8BAbY_2`;pvASdTe&k z&%JjV^zsUt3qcp@d4Bn{myDr2Ejqq}rGnmDqHRlgE_BvzqK>94oH^M%>fm6ycRQ5E zD0)n&b?47hPrMVJN>@63S84Q;M%;C|ZxCVm8 z2`M_(_gvRmV>T^X6Oj=o`Gz3~0CZlS&NkKmq`Ik%B+@xzlyA}v>-y+xO+2^4R z{Xfi0Tm`BN_*=wpKt)sGOOV^c6KWF{ zGQ~*g=D_Jz_7u|qUx{ZE%N9;*v^7HkQNq$X*Y@KV}#PU(IXBn zVjOS1KSoW`-jfpccePyDAa9??R-hIiw~M#4VNj=iY_p-m>9x*mpy|8nD>iFFZt#0t z)R`6p%v`lW1N^7vew5xnAVkqhp*TGW?+}d@%IZbvB4H;+GP@0C0tRy>{5gHQ7fZ~I z_R~~Ks&U#G4*D8KM@*#rUp~AC!I;>xqm=(1u38o&cW5FXt%d&WH?OUPpvnVQOAgc8rXZJh zuavaBHsVG&`DQ9wZxCbQ+Ejt)`Z$EtoS8)T5WsGGXzpM&}8;k0OY zpHKLQpZCjkq&v^D5n_h=vQb;GSY6Qr=!4~6QI{2Ebn^J z2VELHugKc7B1m-<&RGe)N`EGfQsfTG2sDTJcMC&Y*L+Ue_!uo;UQqk(`CJJyN#5x9 z-U`mqIf{f#%p29rS`;v@-nD*1`^CoLN=-J1VaTm4Dz;KL75^E`a7u4Bd>L?vVYSvT z7_BAEGxLo%Q>Hp)-OFJ3)mHv2jr_}Ma@G@A|3y$cKD2Qa)-zALZI@2%eRI43LV}}O zwE;b3eP=g&6~k(JXmE$KNp;BcDVgrCPlLQXm`;TrWz&zD=l=c3!a*M5PHr^o_6vT< z*1@37Hr#kq5oH;7*zdvhKpuNj1#)<(jD-|ZbrdQtYASoa(}d4kV$Z)REC*-Fd%$Pl z$RoGtJkTQT5KJhiHU7I7A=v*KH>Npf>ciA!SpD-QRZR(?qZxi?Te9^PG!7BR`$Nkn z{+^Kwl`D#(w=g3yqkeIR5!ifvxUr>Kq{G?pe=+vfQB}TM*YGA3lZ$mj{~mzTI*VCt~uwL z&O4hSc@MowwB8=QLcUDU;bd=USGBO3NLowFPQN^I)q`#QX!H|Qcv(UpLoIinY>*7&IU{PbdvM8L^q_*^efh-lg zchk)+x6hf zeCBRk#r3m`!l1lkt#ct*q{q(ZP^HtJD)^N`JHWsX<$QouIE|MCSw(IT=3w_Pv;bXZ3PE3bFfyx;|2$+=z6p!m`nhTY3qYM! z1>fBJkZ)=~&_i}p{LZsOF@`|X?%!Sjof0SMiCY=U)a_`VpB)FBj5C~MCj;I=xfa-$kTqIBgYihEWvrbjvFCX z6To3d20aO&WpNX{t)8141AGULUoh)rpihF9h~ZRi?~5i+-s~5U_?p6LtVc1b1N#TR zzWOwD8f)DvO`5rf>66URzX%Xv=ycfbJVh_Aa*O6llTONqu6=Hm7i%!6w(z6rBtF<~ zZvm)R{_6pt?l{`=FK$V*j{Ksv)*>8dCg~zp{}AII&NK7Z@ynCg->TBg9%%_5V6UdN zRIj-&HVlzGK4%q?^;PaD`*bNhZZiX+w;dbW1?I~&r<0nM-nTcKx;^U?SwiT^=Y=io zbAYR^7~gtYQ`y^bjwHug2GFyHoplSIZHwcZ4gvRCyEG&q*cy`AycFCc_Fh9S;+ z_KX!hVGUe5eP@=Xk*~o~Xl_#~?G~`VI!?MUELt%dWgrgM^^hIfbgI{l+l6ZG6>L3m~$p4bS!GMi8~4u4{NDeABe-(GLeTe zV5bTr-ZB+1(?^`!dB96BN;h4#>NJft z+y@S44R@_ZguG#0m9Vqj{U`!p{>~aodHpfB=yZaQCX4Y)y8t>#O##FPu7`$+tgl2F zaNmpq;L&==^9FWF{Sbz?!0L^T5U&qxKzG)&~gFq8R_A_RecZYo{>;iH4 z`>-ir-9hKS1s{W_nMjS65C%dE&zqeTA1DM1tO(dA81fFk>!khGcHbjhZTeKBG{&gmsLnygSd2~t`@nx3Iyeq1f=uF1Z*nbzwXB3u5~cbvM9=2sFJLCU<@= zfMWN{XpeyAKa#5^g2d!I1o0pg+ox8XTB36q?GuI{BO)K^uk(f35r2(wXn2h4bYjB? z%Rk7NnI3+1AOl@qaJH!H(Es%I39ge>U|I>LyM56P`Gt9Fdnw-tiJsTHxN{}hb_QJ7 zik9c|4*CrecnPHf*r|Ph-|;Y5PL#fwlG6IVg`z~zu*RCf7CSg$%iGFeVTI3fs9 z-n0{#Z`?y?O6MK?-uG%YjeRq{rse)^hz$1jr*lir5H9Et8!gkRCLZk3!Df0hEzN5h z4?h8;=cH68GJza?7FY`ph#q5`)#CkqKX#Hj91{OuKgDWf*rYZX8#zNZkPkURcp;cQCR;Yo^a z5D_RPV1VY2qGSPc1s|A@;NsglzXm>7>LYvqzuS{~N?%e2Py=Q24GZl-+#`l}AxP4^ zTwF6LbO^uf2*Hkp5f^Rj){~MFr=2$V=d{WQ_1>kPs-;kcc78wZ(h{$cRVu-?(1_}{ z(#79wjE1wFa^IiZ4!xsqOVAs&2@by^=Crhq7xFW8JjOvf~lg> zjd&jjh};(;EkcY$dwNGMS3`%buPn5 z1?d#h5c{TN^olseJ_MX6MLrCr#R>;QZ%T3FZmresu63bV-})}5XEgzSb3PlfGhj(% z*F_iTYMNOnvh@uDg$kovhyHX@ln(t8M4A{t1kzeyL=wAmpu&oFE3zy1{9mFJzwh$= zN0cM-;_mUL@~IQ#M;YKk{X01{X#YXC+m=b2JlYJEg*w{NlJN0*oL*xzKJdL{ge745 zY;24t2J4LsIy8NHjbZkXmbh|Bs@;-s(_9}5`f$({fS&o)x>;^SBt5S}HpucwmMM(Z zrFB~B$V1J&EHjj#MmeFw;_$I_WOC?Lo*sf%_xcG!rD{TIOc)u8;=F_`Td+J#v_#Rv z?g0&dEH**JezDfUEPq-4c4w39?KyI5nE#xyfuw^DC~UsPMB=4(smpoAVxEThDzuLa z08arXR>6bRwJhXDj!|ABALO(&D`KFZv?-Jy1)qOP3pmTU^?oy8XS4$%_UUTN?li3sNbE4-z?i znoh>`z=_Nh|pToJh2^)?r?>-OZvqG1@m6|T}1AybN8vU;+ zRPqQyp~r{{<-k@y`5BgJE*Q}lE_6;}vDb*y;!(OeG8iwXDiJu0kcRKDsAfqfl7rrR z1R*86#6#AeJyKVaJs*()=SzodZ6Jcb0u#=2Qd`-|*n`?b#IE{S3%_+%AujqiE`0gnvEAq%)L3pw$BEdPc7YFNQ(S3F#1nhtoIDg{j-2Eg@u zidl>!tS8+WK|^&Pn;hRX#fEQqdo=g%fz0)~FVw&=P=@JwbH2U^bjeb$z5`8f)8f)U z@-j};E4a*6W5S9fuqfngXKb})d+xt*pg@LlDo>Dim@)8Ahj@mPhfWOGk2P%6|1v6x-*GFu})4MgfvvjLQn z)7X$Aff+V*4@XP{FW2UZp3Rb?8f#;isM&Ql=MNrX0qbJ5RKgO6{ecmLlKd9=P`7eu zQvzv@VvMRFlw4S`{ONHr__`*?xJO+}&C_v9=_*H>-upR#fso_MQ!~*EH}E5Ba&oNl z3#`6KTjNhlnBnyjQMG>+D;`!q`L40PU9p)FZ?qOuiU>!jz`0?$besfW2F!Jl3Mi8kRl>6Au(2RCLR5Av)%fjX0WL5&q+WIi0o0&zM%w=ZS* zz7*Oh4#oh;2yOA+p7!SXJH(RLgN(srO!Zeejo&^$h@(4fUBRCkLP3p*(-#FZg`!fA zny{rz#HGI7+90q}(7NHpy&YOqT3{_)3rK@?Y@&C?BgP_W@{qAX*11+;((P*CthMjJ zwvX5MuyjNYgK<7W(S=WWI*ojP;`CwyrVjLj9e}cn58?)K`a7ilzAb;0<^L9#i`^X; zed6A)zq?~Tk+1%kKD81*b;B{VK&?(oQB6vO!Se1Etc!fF8d`C60e*dl>Gw|3=0H!w zBG)B}Ts<4>!NKoh)+tDOjHO8a!yfY9&>>o+K06bJ5&jmY5iiEMv5=vR=Rl;qlV|s1 zRh|Yir%hH~g=3u1$CJgM_}>zBk~yV{2}+@eQKJM1^HGoN(g{~0#di3oC=(*_z9L_v z6Y`a2!z=Gmdh`x%QHZ9%MoqFSmomtL-$Kl%c^3lt+$X;-H{qpMD>C1=Y0u^qtOV%- zqcvy)`(7(e9_MbzUCDRy`@HV&Qt$7h_~%6a{NwxKj^k17TJz%XL)4`4C8Y;e&6K!v z13FV|0$_}S?+U;MZJp`iB1odn2e6on&5UsUo>ySVXb0GEdZX=SE9vbngbxX)-TKNTl11#SXfcph}m?kUJq~y1623pA9;EAt;yuHVq(@TLd-_;ZNxR5AL4X!214Q z0rDSh@PBgCKXqN~C*Tl!ng{Fu`T5U3KmIOt5g@u%XCR)0kr=s`Mu+=Lctnl*VgazaUsy5pJrQKp}nc;ixDWaS!7o`&`n z-Izk4=`)vbzN3Xl-DLN2N;(wzS!*AKzglYNlSV{yT`j~Yrk}Gk ztYs2$3NF0{WsZ>hK7ogsL?F`(`4Hluk>v9GQ^?HUmvKcCan_GOzf>D|6{dn{GWeG7 z%OyTtdMm z`}jw@)zFp^wb#ZyMu9C%FOZMI7G`Kxf&aSKBof(9OV$34U0MuQLPtvf41OY>%1v2R zxwIUJCd|Ex=HWPDQFmbsu2qCC;|B$WWQ0Bh2OT3tS-L?#-~I-fk2QykIgW2$?oBF8|vl zez_ngG3qB<$fo3e2P=4Xd5$h%MGhvw?vde#MvwW;c z&O{HLz(PkcQlJ+Q6EXi{IH(G?ryJ+iT{h$m^-o>%rEQi!$^yUB;vVRZa3ypMiQ zZi*I(0#IfkSIP>)4{Vj71;pvwD9GJYzJZb~^W^5>Hk9!a6xY{H4!S0&yADz&bX9Ra-RpX&xf*+npD@o zUd4my;;whCxJx3B4aoY?c{PB2vz5;l-i^~M4`s(jBokp}aNhcS>;f|_4;sl>bZUA` zipM-Bn?jBMj1*`tkG@JSe)SyOuIPDjWMpBLMyX)!2k8xk=sZfUTI#{2@*Gr{mqn=C z&HS`yFr@5Lce41aqx|0-&|O6Kv=7(+j|1BJ(zF;7Z0L!;2FV^91b)rH-G3mQ4w$nipbTQc``M!Dw(yU)j;ZudDGr59fHj0 zYIM~K@#T83%T^+463W2Eef{SF590`;5yIWE!f`=_+N02 z9r~}kqS+*Uv*GV5$lU90O8VwLV0qyRrCkz0c|`pf9TwYVv$60rcp1G&s*df%053si zhWR3n8keeLAiLyvc#QlQ`PTEo`fB3$Pwffm{QA|;i*QK0F?Jp2v4A-nL}1B^Rx^^{ zu$)(y?_JyuYjB3^#1ft$P|_-^Sx@0$p(K+$4tOdh7Bl8Ix|XSxa`7%SrOgNj1+)uW^;H* z`+ctFR$VqPyLa$$xihknJ)YAh>@GngSI$TNR|%T%EcM9~U&>>iKe@P4O z0LUZss8md^S#<%~fAXW>?}pZVru}ko=7R<31-IhOnfv0bOAky(k+bVFRc{xF^iqj4W{N?6Xy@n05FU6&N6Qdmb?4s!SL`I5- zc{Pu1$R2^7OMvpiIhJ<~2Q}tPlF;oaxU?o$mxqh0b0VviBqMWD&%^-~dEE6_pgK(4 zIKyor1#%pwgndB~8iDps3&K(&n!|RV0z{U~Z@(0z05#eCU(|kInF;v!OBGriGLH3} zV;F4e`pONCaLSuIjO)k$eQA8>e1MbnXw^98{W~h(3f^Vv8Qwm3Ss_Reh7eP9^a9T& z)LiT|Lk}IYnf}BcZq9R`Dm+73>nbNl`g-iXd@RxkXvIUMy6MsqcLoh)JkcZKJafcs zwDDxB_w2;d!vT(zjpw1~);}-P z3Bv)<<9{0O@au^Pd|KJgSUKtUbf0wM`ot=mUsPV$%W(~t>oqvqA zVk^(GI0|EaYK6Uu)YCn9n~=IR@I6AGSvP(u)JPn9vrD~M)==^)sEABDgcVv&F#SEE zD`9Jc_eC$+JmCe24EdlWc6gRN*k+L^FLi2Ti&U;~&$k*y;AIZNf=r(*ES2;Vjn{;w z5aSESV|#s>;0Zn_LHXqpG?o(sX77!194ftb$tD#6`NnZf)YnB+-L_ z1>~vHEsm`)!j=4NPtahYXj6x)dQCzq2fblB(V{Fap?pQYkan@NJ-v;se$o5p_Pa_gbT?rdgfM?fQ@ zt94Vz@_Cz1S5TDNW$&}R5nVptru_gf!adq>?6jPU@Sdf)UEC|=ivCAbN+k{-fpnO!Bo$SM`JxZq5VZh@ zfGS%P{?k~blIIrYZk@giyAE+VK}Q!Du`%vik?~~G-0RRk4Y9F1L%{|9VTHZjTGXb? zxUo5|-hqh+biormAPM3rZJ_8{V;;!f$CSN?{@C;2l`FEvL1{&URFj{*e)+}s7IvXb zh5>R^B|wQfA)7syL-xLbbp|<$HUuC9{O3aIug73`5Zdo>x3%t6Ai$(0^euI5>wQ5J z8!mBkvLHW})3a}v_nwWb#Hip3@#lLs4LqF<<5A)1KJFD#pc00faaF$|^-i#|#V+G2 zQ68&|TerRN0Lba0F(F|Ewb~9DyPR2bPtcpTPv-^iRIL71^r5TTJ)Ge9NvFtz(Sl0W za(fdmOl_~>w&GiYD-?H3c~Cx{V3qT~V%?nU4u{uW?=jo{tCbZgyQ_nuc-x@wfgVf| zz{^_?6UBaiDl^8L%mKeA5 z`4@%_&4dy&X^Z*}<1uT4W1Hl_Fw{us5eOGxfHM%MOAYmAnW5= zXz$DATgxwGW7eXeDFvKQ1k@60SU2iEcVEP%Gd1%Iz(G8 zI^oo&$yV?4PTf=Q&^Gy|nVElqMqh32iiqhn0r=0q2R%4{c&M(DUKhuc!ki1Mu3?cF zelPjumb`+MvlX>jtR0_9%&hbU3;EQqdL`@wx|5w^2oWP_A2X9GscSsA_RVhsYCI9IV5_XA8t6B9|~$Z4G9 zzI;Y&(qQ!COZDWCW;$9La7D?1Nu#HDUX38c;Z5R!93pIxq~jniLof`z;lyhF8_*Vy z5eGiLouGe`OGMPHO2)km%z!E{SZq8ySl{PA7MuzO@x!i=J#YU5NZwVS-$_x!8_H8P zk4}C@_=qpWl4ZoIGSao}q= z-Y+lB2hfF6+|u~mVP8OrsU7)-JRr`po;`zRr!gFG-G!y=e%3o++Ak4sD}1eNDkIS} zYg^YYQ0P*X_DKOau`?!$Scy?|Hz{o%st?+COCQ_25c5=*$Vk&t@D65y)Z_L{{c1G%I!sNm^o@F`6|AY833 zN7{b060)hJg&3qmMsrO~bVDmgk_06QZsiawWO^f6Rl7NbO%cws=^{>e?Br2r;#vZv zO)Drq0t;xUHomVd#6=8cQtc`6EFusB)rT}H8nV_TaF}l)@-VxaC8DD%VJ(Y1Hl$yw z4NsuMs`tqt-LVmK>9;@D5Z}q)#i2vT0=L@s$s%77J(m3$TmSQaJda9Pz7l#<@&)Ja z+Q74rgLgNISmxz@pwZ6r!NyjisiM@8P4Op7UN^Mc=rxDx|3t zy8H+tVCT9kac-PeB3q{dX*87XH(ep!r^3^~fW48#Bq6B#plas52Vf750~)s z275bx*Mb$*x4L&y!z=0)!9azQkH__&JoeX^{J(Xk2*aO#ZtmTDgIC49rxc)ehxFLD zf%E8-xHq4rgM5}$2l2+Gw4ZEaPytJ|0%}e^K`)ApzJ$}HNLhOdrg0xi<(3?Z0^^Ti z?Y7Awp?sa^G9RJm#;}mQ>R)irC-R*e5xnmb(#Q`bwa+uG)$P;+h~*SxRJt>n*gGED z;1aB$6K37hYA9Cut=_w(s?d1VC9&Nu@3bAGj=7x3jplh4zF1vr(eQ6}9`a%vqU>mQY z=+%M&_Ip9=#pwBTZFHbYukmRQD%Sl<`0lV;RUfKIdJ$en81BB%r7ZH`WW2QrFw7|P za_S!NKApr0%gafREa8fLXbU}`=YQW9%V9EgbG@8;aC9)q*nlRs$s?ETHgLA-r=aLE zzxf@{>-#6cSq;ebN=#GFB$64&pyq~AZTGdbI$p_~+r?&3XX3#im2H5e_P{@Df(_qnevgLfMrOst~T&%z%_DWZs$#;*# zsS;9c#|n<*#^PMy-kf2P8teCe3o8Jc0+SY>^R?{{Ci>TV4*mWvX&!t!+rUdIM$T_u zGGI2vS$M)JJU0K5cbsRj6|Z&O^KrWD3w@F7epMLnCX4_|HGI68QmV3gX_4J;S-#15 z4?Zi;_fouIef>xQibDjsdKA9LV{;`$9L4dWu|5z+EG=3qU!_l(k<=hdKNQ7Vt=&DMLWH>Dm-!TrqbE3oqm2E1&ug)cpv34Mdl zy^gmf0^J4`E~z(pu8${=a9ako6mFR9Zg+3viZVTDrk$LbNZ`#IR+U8`BDJ3%ho8`w zxXKbW^2mbs*>oQCuSzXbwr}m{^qgQ=gZ7Jcy}=d%uyVq{PV8xnjv({NjB*Bo{fej z{35WQxTuIv3e@yBEskSCXMCJC8UQj+pPRsRb{8jh@#jZ4!QK zkE)O7v&H!j#GpxdH{o2dKuG;vO%E9TslD3Uv3>ACdf^yc-xpaCaMxJOmFI{gmgxUj z0=VWf-X!j-v3usx=25^y5Ow$lVM|8Y460=Um30$Y3d_WLHU;;*muyzIlS8dXE4fU` zjl_=#)@6^xi_VpPC4>jdwSH_h6=&}FC^mcXy${tjh5b?aQ&NTnBi>ZdIWhiF4|8a| z!nu;?)DIrqSAq4TL}<6jAu2ClDe$Q!8)w#W>;x;MVPvdsRI>Y(=lS{^eG&ynVtP zf@;xf{=ykKT$z$x^6y@X1U3QLAIrc~sHwmerq3^*_a(Wu)CRh+Zs^L_YsnkQEqN1) zZMU_l#(>LyA%-5*7`zsl`U*U#0J}iurf+TKl7qxrd4|47iw21uVZp*5a6 zfif&xr~|$rQhxYFST0+RicYz1%*^|fy|1CGBh!;0eXwqv5u<<;YFq8}&c%Q4&c%kd z;b10ndMDqZMTo6{`o_Mid9flIPjzBY-MLD*<$mXFc}!YDMis4t7-*k2jCWQ%xBgV22wk_D$DrL6Blq*m?YEp8Y@x!% z)k;0Ptg9*3**~W^YrOS`=GRLfW_f6QTSjFXU-N1d;5Y#iF;}ai;EuAvi78{{_0a&B zShrSZmTVQhrLW%XOT13mkWyjsS%X1ZoLab;@2Ai1S=V?Et*(DA>zeNV%4u{zOGQDw z=htdk+O;6pvH(vdy>rKW9pg=V(R%QkS1r4N=GM`P-fG@!iZyj_dM1WXXw!@Wk>53W zo96ap=IOCu>Rz;dja*&lyldCMn?5f-oZ0>6&OAc-P|xunpFEGdz?|6qx@T4LR#A9e z$|)U}M!f0NnR#~>KS^8-?PCU$IxcwL;2Ljc@2HI`D^M7+UW~kGBM1l5Ndps$tLkm## z!sWfF4ZS)O+XN3S;P5dJkW5K~*DZ=u?B zWT(aWE*g=^ws>!BoU6KSi_|Qt`q3*DB204nkANC-)#Gv{I78emF7BsdRdp<1E2d~z$LW#i3FRF>I^3-?fuC2$ z>(Skr+OngQoOA|ULuSs0iDC*VOMGR8yeAD(LhLO^q=7E>O1q}}f+8t@I$tJPnf(?v z05cfjxRp(|)%NmAG)giln~PqD6YYijZR{Bzux9&bInPwbP-rCn9MioT?@hhPT%aV8 z`pW#kCn~d+9@Pqhe^AMPdDU`R!326;cn$dWP>$vPaoPhE?muE^+wWu-g_9nUEs$7J zqA6iRdU?&e6FUk^Es@t9S}d=*>OTBsr#fEVg!e=21&2X|2OoXD ziIGfKrg0g&)()>~-abH_?=8%pymTtq&M}qbt2v6-qu;){VDf%=RL~$XR#AFQ4_dB0!1W5-TOEnp10Mt?rCe3r>hL#s)z;@grFpMCYeQL7o|J z)lMF}o6&LX>Gt_ghljsXUHqsTz4e{(exK#lFIAl>ct6i{ZjfzkyjsaQ*r^z8Y_<3u zzpjl>N-=YOKKOf|^Kh2v&XXKf zkKecSH-v4B(J?HGobOs3KK9>(2Mb&=ci6ohC$AVZ;Cj{1kGq8&B)1-vk%XorDP^dr z#1Omun=DB$G%#}+Cg?(noW2bw4-ka%ANtE1u?%j1?QM4L)!+*=x*p@>D|35m`v&NN z79@%KxjuF?oT6i5azsIlYg|{juss1cVy7kZy#9`=8@m3*Peei9O`~5{`a7~YZ=YoR zSZdR(Us^XJ4E!0=UlSB5EZ`@w928uz#(W#QL9j_KBTN7S$eXQRSo#YVdO#WVFC!5d zka0LYS5$6LzMZxIMYqSk|2VDtBNJR;HvxxzFoLZ!pYRhO;5+5UuQl`j)ZcEt$eW^S z&HZCxInykVR|kS8?v+FWoHOIEn$8KcO80*Zp3M^Rm|eft$=#7c)d!qy1jmomv;|Ul z#8^vz;3T@-l=p627Bvv+Rv(=nAP)=-lHNS+F+(??>T*f*=A^>o-ssq;jhZs%n`SXx z|AjRj)kj=a*W1%|)Yo^gY_bWwLsV;8CMV@2+*&#fL{+<2{i_MU?_39sUMb#uK!6gp z9qJ$m*k3Yz?7>FE2#B1Au?e}f&bPLb$v)1ub{?BF03^=&0wf-3j=hH1Zg!_XclVEZ z`l&k_jtw=bxWqY7qHG@C{+wGOJB*SUzgqlep(PU}m|-Z<1XMc0q4kqVjaZ>J4Ju=M z!M{ed6*$nT3(mO&ty8_ys;*nJ{FAbN-gFAt!2>cmnonLglA`MKtgi!Jdf2zuM?u6M zwFV3=S5}V3Y`-5XDF=HmIyOJ)G2xoWyV`e{6n>)cbs-HiDWu@IE1=6va`M2g9@q&I zkhE+z_;7Og{maA7B+Jon^LU^5CZAVA@wl#*J7Ot#w!`9BUx65xr$0~clUG^jJ@0e5 z`Dt?0=9-pI_pNZKtvgo|iotEjNmf2j#dq;H9{%s-S9BL);PKBoz10YEBBD z9(f-1JdZP$sBv6AAq-$aVi%rdv=XuI)sw;TT;T4~%u5;yz#fR1=xWN>vF;kcT}qCVZrqNu47RJy2#|KFovEXAGdXx#JSTLhBB)#vl$@zScdb<#i(MV z?v20PnuxW>dbWTTE&H0??{W^}BCO8a8dvYUEBqPT|EQqSJ$XE^C|s&-L~XBz0WcVN zaf^(4NZ)+{eaUUAsl#Nme?8P_i-UJ{I&MLGrOq%1RResB^X1wJrG7;Fmz1F!H@HNp z3`z5xp`BY~ZOb`OdfnD94kMOFf4`Yv*`fpeLP?5mJni)Y#4gEhg0S_P z%)F~o#=2g|y-*%`(0cIxs^NB`IFv}^Cm`$C+2<5@cp|e7ctb@wLjReY6+{5T2CZxC z^Q(W)67R;-EM#}X23YhT>QpestpQHtgEXQm#x1+AZK28d+ja>XWa|%ZhytxQ$p#}z z2oV_rn^`e5p{a(3Y_}83L|W}?P+;uP9_ZbE74)qEz-2Zz${Yq}h{26*3Eo?n+lHJQ zCG81Ui)aLpVlC{(^T!&UFHN7p=U>suIn;gL z(TBwpEDd(t@jK9Dm|r7GL>(13#`(_&g-r4$!di75%A7Z>sq`@I8IjQn(Kj2+4P#8u zSfE_77Ut=^XaUC1;E18WOp=a-P@m0;oE#fWZyDpZ)Rf&4}^8CJnjPN$4J@0ekX_AST!az6b;>!U3PdXs5i zB-6BtmLx2~xpv5ZZ2qaWS95!}pT~F*$BXXL;sRJ#WXliH#sqL$DcX}VO0jpC8K3(h zsl=Sq)^=;3I2yZ`jM@ol2hJE#@LxMMCYj}S*_p4SqQvuth8>*9+wEAzcrPRGegY`rwf}x-2Lp;Vxy=Y#-6f~>Z@t=?S zQ5J*NwW1HM1}nS8$6uv^`1gP0WpjjO1K`Z>+1lt4oXXESMVFHFGCvZ+B zh^QnOr7^DO_qAY=Jht;YeZTuS%T~VhukQ+<%_!|%*H6Bv6>O|01IwiOwb`Gg)n;~v zzIVQ8D%NCFUYCl;_Q%TMezeuxtnrk!SR0v_v?|<_aFw6gUYxZ*7SFZ;#zXZRQoBC#;{{RQV?3L8I>gi>%WXx|r#H2(9*&HjA+p3AwX{4@#AZek)^ zqiibQz99CnT`(hrjqTNF_BUO|k_e7lUhNq=yijpL)mI`ocKv6LIri}`we+MOy8TT) zd`p9F83gJAuS#}U4dur*+k6xY4C1;6euzut#V>!%dmk$8$=WWiL=PAMKw&jqlKCGb zcu6cDg|Rknu|e#E^osK!_DF{EA4Sy3Xa%mCr39ZAtd8_!pd1M_%y=hBfjh~ccG>u9 zm_A0X@%AXgGG4Dr_C?_Ppe7Q?;ik58yZN=3vfTU%4(ArTDG%$3{4#MctS1pCK~zh0E`Iusx4UH?Nqv6EF9NNm-zV zM08fYW4js4zjQVo%|Q69gVH{mJ^I5guCOyRkIdthOV{jXmleX7kE-U5d-O6Tk(%j5 zwVt!nw^iNLu5x8WCh_RvSMx8l1!oKLUOw<)CC6deft~*%Nq9`Vb1_ynKX-2~9+cRw z9zl(DHInNsU9;o*bB;jLip64ouS!e$;rszIrX~3jto&4dy|+IweV#zLS#ywN~ClcLr2o zT)k?=sXTR44l_pQ_BWapANswAE9;8^%yGjaYG>)GiL|SZOorqdj9tF`q7|JVS@(TX z5iqW$gz4i3eQ}L!#aoy$)a)^1yJt-exv>K zu4}U1;R{(W`m%Tbo#K=)Ff#V@?QuZt5g*G^i%GKTQ*QMR|tl)bb zg{#fTZdXx3@6AuYg+6NVj)E)#l~Q9Af;Yw|b!7d3%-~OnmHrY3iZUOyHM?})t{untE$-; zYTAY>@ZU$S%4|oV_A$6?J|mXIyWRTS^KeL{IKVu7g#ahzN+?mKAYRY5>^r$Mon-eo z;aX|`%kzP`5}A2N=03xDv$4ip_bh0hvXStptL_V@>o&Z`P4Hq8kAk?I^W(XrL1sc7 zz0!W(NvfL2!*3kx*CQR@{=B}y`$rKnSBxnFn~@$KuKJRKnM^!PE6T0gKXRD(W-{QtR@UV3%~Wt<|r4JH%{wh(Ri_kNipt2 zl$vum@B|~@WG)+RKM4@p&}6eeF3E%Nq1SFr*ZuO3+}SV*l~Z;GcG!ntj=%vi9+P~Mb5P;D_{AWReIlv`p~|>uqyH7!m$&H)mZ+PzA#CE1W+ZkI}PT6FW#LZU$B|R@E-$kRv&&_bv>A=dAqNJ&H7*v5Fz$ zDycg!2V3#{)NY-{YuF4#t8qP-Q`0-|X|-s-^kWT@~+HX*=2&FvPdq| z${pP<&VV4MZffMkv_S*zRTqg1m!RD|D7rw~SNURi*G0C4{ne95+3cAjJqHul#g8@P zYA=h-+7pI9wo}==2s>|D$pX2^O$*ooWGFc6b-qTm*f;C^rlqNc&}I^Gu*It?rDPf@ zHX?GGH1h?$DK{GPT(xa^{)H}_kcc=an>11E)=l0Xf@$GNdud${V#j5rTqK@c@|sYRxN-wW_CYvh|IK2%qhM`Oc3hoFC@Chs)*dl*{M`4q1kH)vxX<=VQo1z7s{6|WW7a{ z1w^1c-}Lo=L|NuIcTgbj3==%#@Aw-P{YnZzfsfxqDm|0|v&yzpcGimD7a0t+fxsEuYXIScJ_i!CA@r zHhzc3llS_^SKDheD?lcAy;n17Kho%&@b;-sre~U9n4+rx%O2tU|6}Z}qoQoLu<;R5 zP^5*SK~khdrC|mE1wlXs0jZ$`q;seNM39D|JEWwfySt^kJA|P@hM|5B?|I*IJm2>_ zYkhzChvHf;pZnhX-uv3uzOJ%2v&_f)EjS{8JVGKK{pz(mf-wK;8`sqU$xoa@%8JMP zOi?tr)qCR75djbbh)Jh+a1gIq98}opMA4y#za8jRB-$D%QN5 zyJ+c+LpWFPFczC+RQM(VUM{LOSHd4CXtNX~AQXs$D}{SR%mH0@UCZ&QFMdS~Snsp= zS3R4AY@hA6)VW;oPtq2R7$B_rOrI!n>RJpd_213iZ6X*A!c#N$iEFPjaw+VgtV!gH z9%**we9I$u;PQ(H+@`O46~~#ptT}lrOS#C2n(;KOfa(N?WW2;EG3mACR)aRN$^>To z&ZNBb(35XzeOy8h<(YY zb0_H<4J;jAn;5`02{DP`iO$Ss3#22v-L^~_+CFEC>ND>JAoqxl{c+T}s=on@t@YXO z%k5w11r4c-m>Wjh$|7cXs%+xl;)<6s>MgsV`_g?{Kr^ zlLD32EWT^snJ~F3N}aGCjGGDoCxW#Du0%Zx;~!k5KUk!IYhQ)6C($4DnC70=$Z227 zngjHq`$EXSDbL2{*HKe8%bQ&AXVl356*VPr&`L~Z(LSc{2X1hKO^<=U z4oG`}TDnCAzwtc4SpI0x+|?$_`#74gOc@M~_dNZ?onyJYWTj46qebY%u=kdprZWw* zfo9rRQQ?G8MdQN|VN9Ph<>UD`d}P+FKGj|SUytW%s_fSQ_tOCzF^S)m#d=$pmxpMN zVZ#!r)zo^d`&a(MgAG%)sZw*&DXz*ln@3~cs9T0Jlf#Zw=d9NY+l0X1^;L@KbJkoJ zW=Cj2xn*=BMz{p@bMA^ZC{)aPQjui#+yG9DP0o>|M%%F4)oBtj7}M^ zsNOJmd|H3HR=DPd!@nTrVtnbVI1RVjkCz5YX@&fbo%6Du#FMXWF294JP3II1;{vZ? z0;@aB?|}}I>SR6Fy@7IPqRi4JZA^F}q%m|s_-_2{21C<>+WL0)^S5I229Mo}m~+j! z8-&l9NfKm3f8%jetbNirNlRmS%qK-sD1A!+4A`i#(fd5uKa<1K&0W_%^LnA8$u15t z7JzeK1ANO*q%!)qa&-1q!HeGV zZb{##P9~!zeDVV_U2|V!oHfxMJY({&gT(O2RQt}d^+r^#k)7;OB2cewW{Od9A$tWE zAa~z&F*#p^3N8e^RCq)MYT?I`UC&Ay1SZb>Jy|HDYPipHk89*u$^zPeJ4o@w;_pqQ zm}vl_SeSuJyNdm}&-W})Jct+s4J!E^359kXaxHS6^N86fp5ud_f}-h(J+P+bn0Qtu@C05me5v4=9ZGxQ7Rkr_>+FR&YVO zrD-+jUD_l7OaJX z3(f(L4lOV*;;t+m_W?)d=CIAA=24dikMNiLvH>A$yUiTBl*luf$z7TsLP1lVvpXS3R` zK6JX%gy$|(ZfmyJqY;%3$zr5Rb0?oK=sxY?E}SeAH%^b!-bh$C^5e&+T{iC0YYV>1 z%>ep6FJOi^$cDed->ldz)vDGoEz+WUrPIaLCWD~iaJuLpmz_VfGbmyixGy4G{ixrQ z%DIjYySgq@0aVKiesmVsMKTCHZGBwo-+9kwz64I__rO*SPhm`;DJ`mix^~zzsS44d z^J`GWx!-Wz2>!VbkgYcfrcKy3<+V(T8zyzf=vUu#`0YS*b_Tx0-^Q3YkY27f9^yF= zBCpb|+a8H2KS7<%aJ)Y=O8S1j(+oxK)x7uk`BZUGKN#=)2`wN-58BWF*TdDQdA-=U zKBcjR_wRKcpfzIvd#E#jo)kG^KbHOx6ga-(_+WVHW0k_hg1`f-PvR0@|nAyuLcA^?kkt<=`{zWfvxo01Mge~)fmVpi3+{;mwwQuAKY?&*iSEPw?Rbi zD^g&$Gb3cTHO6JPJr#*VYpk!k0 zmZI1D#W=)r_5oy-W(sUB6iUL}dN=(_{LJC?>i!)yw|kXjd`*_}^7(TLEws%zOW zN>*4KI{B`F)xo&d1x21qqBjXT7iqI=jkENzC;LQeX)*^jHjOODvoLYtDK$@6!YVZ2c zg=Ds9zl9p-_$>JsZwR~gqX z|CxT0U6Vt{MAi@g-qiW4zx(zC+awSq$eJ%94U+8i=wPmovJ-qg(Hc~|yd=mWz1V}2c9co3Y zFqc2iCOo>TD>{l$wD{PZ^Rji3!$r9VET4Mbd5+8Kjmvpp8diPd=vI=Mdf;(1ed9-a zyl*xyD(=fnMj(0ZTGxsXBlCp@H`ip0xT#bvG~{eYokudct!4PZPJ12Tl#i|-pa@4@ z<68ZZ=vas==3DI3Sc$C&>*e;ZsxVi+T0pJp&OTu?EPJTl^~?*m@}Qf;2e57t;RKYc zGQ7tkl1V|Pn{c!NBbNLF&{QIq3PyguaP*daja=kSv#6hMP%UjD@L$yRRF{Tf!bnhO zF#H5nrtw4@byHOa+Mnq9aw%LI^rPKbR;y;VSHB03`wsM?m*9n@(M!FfdFO(JKmqt` zwL#_=w^^@SC-bsTPr3=zT%gAi#Qoj9$qfhZDr;b~b)S6gjF2wr>b69nlJrzDIvT18 zKT`#{4D7}=H6%;_ahn-5PR@ZM5(} zWChia7iQvpw{##|b@5DlGu`g~=Aks_X=LTic}F%nj_DMJwxh1_WTVi*M z`vvaw)rH;bN~eIJ;i_lg8v|j)?rul>9>O1rY8ao4(Euu11+|>#TVZ%%LryFAZchwu z0bn9oJ*^PqKF3#3%&h#AJAp9HDi&mx1u&3+8@R5QKk!J)2z{Zd&4O~9XYxzB7`hKw z&wkCN=(??GG2sYMy9?W@z}}G#6G9?E>HWk<4!c#Rso|CxFiY??2AfVu?2rb%5E95& z@Ap)9s$1o@i5evF@ZS#pjy54$i^z>L|2JN#iWh*gO+F!?(=Q$ZTw!H*k*?fiXOxL$ zK=oT&ab-EIl{p#YP&BH-^V#6#xlv=om0qG<#XvjmXY9kL9J~E06ZSjbd)-6nw(E~! z+=LuQlVjD-K3E2VI%ya(Hj~-VlXX}6{oYQ?PyzL#hUp*fBi6dxl5Unhq_b}BI-Md> zi6_`|)I@N|oOLIypY}G->iN#W25|!+J@i1Q={~UF1M+eBhiKs8eBC0^Fdwky$0m3}I5!Nv?bKA$0uew8jTd$Upwx0aQgIBG#KWqN-?{*3XI{kFT*{)Us3 zkVwAJq8y!Zuh&uHH3SU0Ek;#$D z;dP&r`EUeo^-tD#GLV@=!WWs!RVOf*hL~?{(kP6!_I`vkDB-b*0mV`7q|=Gp(&@mb z?2P+is8ok(f(C`IyH0=Mp0nT3I^bfBx%`*IZ1RCM_!i+blHJ%2GIAW}e+|;yec~JOF$j1? znHyNBiq{~~+OajH`1Lb#a7okPw9qb|>y#xPF==wbhJgB82 zi_Zf;-y5>_OMdetbQg-ON#7B5iB=B0e*3-1f>r0O_qM;D2+TF8=A%ukNdQWKW)k5@OsO%boOiQQ*|wq^S1Tk&&XMcZRg>IEQ32jGq&5Grw52zRLh<;`6Fth67 zlk7wlZZoe~a{8zWfNLV!X4fkEhed4;^x0@g=NiuXnA6vjE?QXKAuZnHVy0I%Z%wXK z5zVd(rV%|(a;f=_?Y9v{65lywpj=A?Up1qwpzVuO`^mk|CB;N%n`%7XTLNO{I%*dc zE@Qdo4tEUmMdr!f6`w#04y);$e-g8Y2G1uu(iySHMa?ZtK-*^r2-zFIQut0=US3oe zjtFnvnmhb)4U@8g)a|tXt$HDQtyGk;xT5`MulbV;cZBFhA*|I-xmFO1qMj^)Rb5I- zaI)yrYku|pgw}mV9B^tBuia&gbgtm9iAW9JCEIKjyH|&cX>!MWu(qCLYhO3t%NSom zH~?+-@=UX-q@J5}c{Xe=cf{E6_ECJn*QKc$3(PZnTU>lo9wfw&^=mEVsgV57u<^aJ zZ;P2~5HXgQ%Wvh+HoE2RrM3+}!qGo$3y2Cp9Pxn>=5C0rp5BjmU~v`NwQfN!u-g$! zcN(Vp`G};l(s3F5K(4bx@c5MDnUJ#daaRH6tvn2rm^#N5_RG7m)f}Is%YU(pE%_cG zSdB-@reIdiUh;GS5F{iopU?{!$R>R}S`H+<^4!>&QwxUyr^V;1JNPc7-M(Vk$5@F5dZKF49Z-Cy%#lcAF>M>xiJ8 zE)Q9-7fbq|UOi$?oM`JC+Q!L@nRua}vKob~@hepn73LY`;w;;7E~zyVz!XLk;;U{P zZWRs`_W*+c9+LJtF;N7j+17(lmL)#X8otmnvKG>$VVM-BQYk=`A2n-t2>N9VfSNeL zOFw0S*}YKI_8OOffg-4EN1McvTkd>V2!$Hl$bi6W2X)KeYuC6%IaS$MttF9E=6 zar=0}=!=$;q_ju3BevjwXoUgHxt)67sqe93uAvs1x=&D&vnsV3x5E(g|AAI;LQSVCXsbjs$w? z>v~43Qg5aZ?q?!=%Netqkup2Gk3@D7h>9D|%*-5lAU#k@jInU=ySq1lvmrCxad@LS zJfu6LVcC{e+Ao_d#9>w^KY=MYPIihimLy0LLj_k%Jj!MDvJRdmi;Y-Uk!+0uO8IPa z2j|rO9cAe09ecCAnUus4iUGV8W3_p6b6utxv|N&PPhl6r^%^47YG(`voQ zSAg~Ol(VoiwX46q0CrY!BouvO`;u=?v1BWI<#J;E9l)RXEn~ShYFgkLHVo@BXFW;d2_E$$v3F`Y-3g>az0ypxw6jOAlxC zx#%~2M{~DJO5^yROY*7KWXj^^LmjJR*!L@Ps)5YSb(L>_JtS|a_TlK|EYK0$+H>ys zhtmD<4$u-rVTX(Sxi0p2{Cct~-k4yN`Y1yE|s+6B>lA7k}vWyU6a&-8TYTG~@q z>T@t+;Hy?NYA|AiIf{3`LOB`wV-nLEs=*giut}PBD$N(mbcy@hj7Esa zB&Qy&5y$3wz_{|x&BmHt#VsdoeMD3q{?mvqE#;q+B#*e^G+B5+y1QRSiBm63y%zkVRGakH94OAZ;r^s9T zuD-JP^)9*d4FCnlJtab+5B=;b9I^L8#;mX(cbpSYK1qMLZ>bIGR5y$r5F^p6j8fC{ z8%UA#DHIna$C03~xvdb~0kW2Q+;JO8`INQlWe^qFclmholq{a@sWLo~?NX&;CY_7H zsp}P5_|DhgR(COmD?khI`t=SG5LzKPj9<{`!=hF6N) z-1$6sx#)S~0}MW*&?~MUKbwofWafPGCUT4DTzy~Gx2NyQS6~M}G=I&IW|jVdmmQ8> zg8R8`$za{H83waAPm_{5jh;4y-s=xoZ&@I2xr}vVnA5}-H?cK1D%3~Hn6CCpm+KXf z1*xW)-@Orn8P!&t!>PDt55zPOr;5=lA2vA(g`Lb~w>w+R)+@?Jb?;c5?$B1;4nB`U zQ95M&-04f_O)^*Pm_^8jiefQ{?1(xY+&S*V=clLG@SOx|5pS6=x4n=H+b-!iynMQpnU&?Jii{7&ZQPxSumMmTet%YZ!X+U%nL= zSyu^oJg(Dp7l#7~@VKo{n}^lSAJ@J2~v9s(vjjoHL{tO_? zlt^ic@Yp3Kij~g@*OJ~jmeI!+KdX-g$kcnb+hgu^se?vJtUuE8fnhSL&rVNCxs2tCr08!sH ze+7I@4w4%h4ASN&S-Ra}TbZUF|Agrhd$7*YgWxvP_%S}{?#A?v&HQ(hy*(pMnA zW&iii>E+(R8m8UO6Dhxfw(<#*@41w2;5eh|%M{KZBNG#4BVWPXX^}hCtdon_PtsXp ze^eh@=pK5kkIJ?6IVVfKqh0Y4UA(CZH_(@^cVfCxBXo-dr$fl_71vDi+{Fq07QK^M zrBkl_Fkug&^YUzE%L7aI<2I5tH`h^n-73eQ)>X~H4~Z0kopZ&Q@q>mx7O8c>+=ly|N;Q7g-mHRTW(xhl`e2^1T~5ehUgN4}RyMl*CXueoq2T4g zegik8VQ#`%nkF38eA21AUs?Y!$h8y3^PJNAm$kGZ9N=D0EsTbQ9KK5 zr@6s~=LryD4z&B%Y-1Soa=47w0SG)_OI} z62yn~1M^GV%RdP<bOFr6mnc+k-)@Nm}@me!maLwNv8nHZT>E?#7_$&d!}~ zlDg2{7`RL--0#X{g)*&))l7bJXd%5EF}oT$=%gpeuMpvcDmrM{AFpT^OFAIAD(=!& zb0_5&J@~k!3iIv&w3h;%c4D0^R%Q=sAYq(VSPwGhjg}Xno-#^8th+4_~o+n8l(l8-^prZsp zkouCw?|rI|_@c@>QtT|sA=U?@7>Zq@f;b2kI^MGW4q)wUeyw$%uxa*by4-w1#}mJq zf7*?)X&jMeS*eGCQkXvML(k2pX9SsP+lR75@HRT;nK70T57)3M-mphB)8-0RS7~c7e^7RoPG1S^#4oxPKw8OS9D)TcA z4|xZ35wVVcav8s(woT9E7qOlJ_uz<16GC;_x~z1r*!P^>>UeoL_x90#L7Z()`(Ylr zw&iGRtL-Y&z{tA2+gNvANNxS;f~VuXqa(EK!aIBEu8M_zSY&@~btq83CkNlTq7@T< zRqMDr=aGEKK?WyZp>W}zQw3lAdc=jXHP1Ng3s`nF21fF2?%$~>g@&SKJ-N*S96)kT(zyE-sW z^Qo}H(;SXdbrsYJ_kGJoKNya$zs#;jkYx(z@Ic$UvN466b|oL#qI=VXK5+-`0~OoS zV5Pv}4V}EMY0C!M%gd97agl=xhjY(Mz;{^t{SpkmElM+Kzt;waaZ>2vh{LfAq#M;q z*g#`LvwKygtk~BKiHDJ(iMX*GI!)9^sGl8ONazp{mZ=sp_f7%q|ZCun79X-c` z7nf!#4;4V1tt~Ep11+{-fa#r3vy)lS{?FeA5LSG_66P0n}akICHrGAxO(p^1E@__z1``cv~+}LZMoYMwH>fV;f&f=!3+HoQs%!k zpOJv(bKcq)=(k7QIaR#fFX(KBWS`NGjwjf)tV(O)elGPV&gy=}Y0C_*#*Bb(yfGc3 z+6WKlk5{c)db4!%#+&-?Jf|UPGr*4O*jIXiV2!#cYQ+PG4wq2u=uKg(RPfpMbcN-F zNp9Yfx8Rp-C!>oQK#WGivaW2ds4?EG_?3jjkI1y}M9@TS!Oeci$+fm|)yW*D`>%^= z-1`@$Z(c09=3g^j@w^9nn|raktuYw)6LqIk{*>`Y7+cM}-l_HFe=5;u_&~GBj}Jxu z*Z8RH!F99vI6yOLzTMEQRtn@*gWcpq9;$$6B)dZ2etI)_)oHN84c+MR?%wi*@1Oz# zK(8_qCWsM(kE4Hn5E?G0_#-<0lundY;B!jks0pOM=FPH z!Nz_5X_opVnX>h`6S8__k^~+sk7KjQ3tpK93bq&G$(U{6>Vw1;?7Z5B#+ys3%v=wa zkjTv}a<0@`^cy_l*#0#MwwL=riRx5YsH7yc*WsPK#K(Fi7!gS7BQB*(TbI@8(WwCO zilPNY`-y-E%B4hZucwRdw~{WFPg`)rNJMjMH3LTWL@Mf^GO%3a>>z+Ov=v}h=mX50 z$RehlxAIyDL{M*Z;+25uc^~^qorS41@OtK55Ma*#l4pq#0YttQW}INI@Bc&z|JIf& zy??#3z@Ag9Ic=@DYnupd2-(S!Y``k^W zK{Hq-Z#>NxEE|jn%taD9y_Z}rhn((p;LwptNqDIRWz)gUx--v9Cy3fh;O&Lk!6xji z1T5AgndD#cF+Zc#xXp@l^QVB%F{r|PKg-)Vb!Dja(}&05M%Gv?IoZa#rM?FXJVe-m zb$$~>H&O&gQww-ECGwfHfsvr;Vy2Uh^xiOnQhG!c-|QeQ37eX?I2*#HKVi=f&f9$a zy>?=NxGhb8i>P3AiQu!qcsIdkrk8=ZfQOuJj1Xzo7WNSR3RLFvYA1SsnRJMbu(~Up z&4++i*sCv5#D^tHEfuBNI&am2zt}4<|2ngg+w11-d$@JZ$FkTl*4EMpak;xxjy@c*$KS<|v7&t^fQPU_C~Cy&qyVM%?HkCDq;< zKnq%Y_`w60c`j1M{vhS+Nkm;?iwg-aftJ(4%amdNrz}uRtG@=>Xe*c+!9LnS_;yxQ zi;of@6zq?5cn|1}Bc3_*dO$ACE)ADaH20~sNOWHxetdmg#@}AV6c}2e_cryq)B0P> z`rw^sJ-ktJoN?sIcP?5!HgfO$^Uq%%(sKdDOh#GJ7|d;uB^J;1hMb)1tPVy7E{|r2 zLz-kmmM7IPahXfmL65&X@qP#UuH|74T6{DEpN{cr&oWh+%gE7YQ*V()`jN7EdjJdI zmi4Es#~&=~j+-H8C{kH5lasB21_DK~W95bDX`XsCW3N8hST$gl=aVGn;(hH*#aTKa z0k6#Jt~NG_C-n!|A=sPRwieIV{f68~bS5;Ow#1%{TzIzYC9d6BKZ%DPZRAwUE)h)%*2)IuJqxCaY*(R* z&ik-QRbqW47nC=qsgbj0Xrz#$%$Si+ye>Qb;ge=joCD1ycWjM2KsZDkF5)akZM#Ks z>SUO^la>P;5&q=1z5ObL!^`~>hxRB60>t*Vzl~$apYilh;E8Wt1NM2lNvDB-sxuqk z#VQjA8C-@Uhk5v!miQvw?mNDYy3ZEx_&Tu3r5HTJ3db7psR>;4(UJ54Y)J+wTt)gQ zW*%C1JmadeWM77G>BzdL#VFF`ou`Uh zxAgp2N2cC`4}4y2A40lvUp%pHUumJhyZsPo#z*rS)-oN>{ggz7AuD46%sK4Ffs=?F zX;BGSV;J6`=ss|f(vi?q%tlT>O=PqnqALUApV=Sm<%`&KwukL2aU+P&mBXDk@LF?S zM6nz@6ChYIm}r=rljGU;B>ihRKwY5${8x4BPfJGxrx}}DQ1xd!c>T~T#6u$iNgK=B z{q}1ICwVw7XBdPp{0x}r;RAM0+9n$C$&W2X9f0OQB3NcUQ1FIT-@?xObpmX|*M3sT z=zDPhCv>1ZG2BqSMa$Lph)_4^JgH?*e(t_ZwXl2NC$v#&0_FgVR5 zbwF>fsw@rUU&sH7{*ze{T3NkhsIuLJKqOm?yXsv~ob&dZZ)J;z(RI{rdFx-+UjA$6 z^1r0T|9aM9Os_eAnzkIS5B@pmYia)ouYV;`E3?{5Y97eI*BY;^uLaCD)cpGu1B-lq z4jH`Xi#ESnbld&FJOLE#_j?3g+jQ7`HlG@9byzefHzVcrF1Vrt&jYhrd4Jxj;Rf)G zAWWRkSla2ZYAqs_JrU1dnGklcm_)%Cir#$7Zf+%F^)nudE5tnh@k0^5|5+kX zE2h!l_2p-#a&jOwyPoDG<@F0PQgeZ;_NAqjEAmwZSmP0V-!a{J@p1uK+*D)be{F4UZg&lOF9c%v_BM=EX zeGG-GjqHm*wblutuveDJCF|DH0Z*IBTF_39yxMAhlJ?D**INyg4U=Gj%Wak*n57P@ zxtqh(fq$K%EjtT8az#Z}Gka^sA>4^tOF!GTH}^wtl?@M9xzlmn6IJTm@!-4;$1>AC zb_D!P2ztBv&kX#h^#Fi+UDM9SM7Fm66bWLWzb>AC2Rx;rE!bVYg}g)T0WdJhc<|^2 z;V^*tvxBcW6WDt68S}Y*}FEz(VWhP{r|nWROY`dfE;3{W!M9<}GZ7do;RW z?0N37Ng&}?Dcxii8?E~&TLE`_WPtT(qlN26G*_JXq(>}>6<7RoXL^L{wJiGQpn5&* zLQEjBBK=$L_!^7!V1`T#K!_2|+YFbhKHzn*L-}HIay0`}dh#7n)m5#G2X8s6C|eW~ zOdcz6@^eeMu6}DHe6ETQ2Wc8&j($lR_8I)LeF;G?cv=BQ@vZok&n}1vfZrCb#hLO8 zr@T#j$x;;B3hc3I&2*Up<%Xh+7wvM95zOuMW8)RzYSJ^yQV1BEECT9Wu4>k8WLvA< zRFF&bven=VFxkqa`_)AY;P4!7Zys6?tTkX8@?7h0^L+tfH&X6v?e~lHg85J-){#B{uC)1zp zktKcYV``h4C43w~`dk^UhFg(TJ}~_v0es`=TKHZf^}f@=%2Ewmu_5?>g{<-HbtP&) z4^6K7Gf%HFzLCUkoNupkCokAtx~2HafEoAslCmGFqY@WU{6eYOHC6E*#6Ru5JAYG_ z#SCWeMlo97|E=q2`YMUy>&uC~37okjAbC8um=Z0q3 zOf#}2E;xN8;6@g}s&4(|gU4$s-M1~T^iFh`6WRtV8UBnRzD+rv+g#H~x@n)^}VE5@_bCm?2@6k5hg;ldY6#)qID|>jhY=v@vO%5_pg+5Bo%h zQ(lmNU`}wu{7Ny`uz1k}yviEnmIZ6TaodvLAO^*@?N9fD-Rcadtw!~qHgoZeT+ozv zhuN<*voozgED zU8(U_9<>sQJXiLqhcLGjDv+gOmeh2aDiWFW`2`@pf}b{4*5A?Dwf-I?UJVP@vK>Zr zap`K7#l%Y;`#v{%eY_IA%~AeCC7grfVaEpnp9k{l0Tp=diUCbXUh*tQ8OsTZ<>qMe zB3CqDMbiy`m#;bXp^uU1>DgOs314=3?=<-_8oz_y9br7&E|EFd{QIxA4uaP4 zu>O@1O>nl`;QmVbG?*R=nYk``FHYupItTMKDpt^o@7AnNSEF$*80EvxZ3f0Un@9;-5b>*tD6H_2{XyY+t@xUIl-Vddp;U*P8#kRZP{&5e5wesT$! zS*+=TldZcX(s!YuYXe2Y(Y_N>cJF!-se`;fr?4b%rZF9reBmiOO8tf;N<)n3YwmAKD=noR zvxDJFMblNJ1vEosEtpP@A|4V{AV(C%ViR#=PhS@;s9$J3VMT3D5Gh3fJ>M(b%*oBs zD5VvFo9V2JyV&gmgA8H5xTw=TMDKl|wsRjfxt*s4{B4PlHRGEXx}6YXqi(p)2@5BWRh*DZ9TJSC*sw25CF^F$U)}E1)7TGSg!X9!Vmo9$Va7= zv1@@4=&MaZa84*Bi>)sO#ugr{GTF($6k;+`w2dL*+=TAY_#CpGS_+re}2 zL$sVS40J~gp^W4`Ud^28PCG|;Me`CL4*0zoNzF|%GXW&Jxz7i)zY+x`d-0A&%l{Na z1v>bGu^XS;F5xaHLQa_z+%He#G}PQqS6i$*Xrq4zu>U*;Koc$o0{E{XmIRw__7we& z;I?M}sbvf)$$X{t@;my2MC*1+-OE$z`3LKpxdj9T4VTVTE(6bTzLt%tb8J_50Um!* z;*+NTNooJnvrQ1I3<(r8rdM>Q_x|iTvRMBLjUH0PshOwwrgpX8Tk)D{5?J@^rE-)w zxbH)%eTg0J#;=BS;lv|4gC4(xU^c8$JHHyg20)IW+_I{oPdilOG@VF`j`x7)OrXAzcF2ixpjDStU-0>5L@snxo<~UYwU(rkOK{MSf(!hC41-6H+L*Xs;0$ma z-p{WYymlS!@D7o#+E~s!N2fmZomi;`{jCMykS}@}zsb&1HSn?G!kD`;*ljXZ;v>!) zwt?+nbkMEGP9Sj{g!ng}H^zCmGKfK-$x9bnvbT*Ci5rST=RlURw2mVcZQs(iJp?q> zsY-MD<(Ucjm&y#w0OV$$bn=b$%FFQ?Wu`ci2gu$BiJ0xBQGI|sDxk5XK{EOirgM2c zQ3Xs$?!01w?}+Ty9_ri_P(KCC(eFz75XfJsXqcB-P3Zb$T*yXJTh{W{?lt3mLVHtN zP+$PQ|8MGdg1=7!cTqKd=59V2*vGaBMfE|JwEQ zAI#fhlkplObd)xqE*~XsM1dYAk>+93x{(@)pyf;+VEI386$FOb*=BSI3Zr}UcJb0) zkaORXGJOGJjrn%cw1iUs_jKy3EDE;7MskORZi8IJ2kdONs#g{~= zt7-WMgDRZNKfG72CDVJ-S>P!XfTSlNnVxq`qiRo8eknskgnu;@ITny?7ay*UYyA@p zRqvJL%^~$6Nr{rGMvSr%@=uOF0boGPgt@C(4w7dX?clF^A_JnC0Vu{OZZ~T4(zhGq zgp5|pHbCC~stCP!W{(1p*p1;##i;^iC%}BS1prMVyd8jE?7A5H)bL>Sp9g-kncy=D zd*a=7()d5Hr$0NN|4JccLDxy+>=KRo=W|}){Ve{!fC_nQ9C3ha<;>cSmqaqdtd4CH zhkm^z^3in!oDx*OWZ=n(>wdRrIfq5zzP>M7xwR#>IUf`F%iknt8E@R5w=KIKqmFml zI^De)7l0V;fTcR+6r2{mwCe?H9cI4g)*wyx|LP@AHcNp=Qr#QWhgG`D$X9kP=v-97 zuzH`Un1c<{{fbWN_?MjG?Io}oT0?}dQ;~a<2`ilUd{k9See%=3lB-R2fs<)qQ~;)1 zK7d~0!c2P_0M31!>;uPb{#G%eH09OBfx-{MY246@x})z^-&ZvKj?oXk6V6(sVVp=~ z-Ab$*`CjF1#S$DfQMCB;Y5(hG5&O;iebB4(()p0Epjo{Du4e8U)X*E5_Z>j|zZVpX z{eQWy118tL3%Pan5bHl1lt&WRwCn_ID#eQ#4sIR0+WLTKLAkwJB1hS!H-pi%v>sPp z_?M*B+>Q#ZP0+el25@3dF_zPGAwF%f9F1uh2! z$vG>BBZ^B@@`6;hGU`o+oAJ{=YDy%F;tHqI*w@{yf24aW<<67IEC`@2NfCUNlo~~;%Zf)QREL{NFhx_DeIv%C4*M7G6A-7nF zz&t=U2-71|`tcFm%7hes^5$kN02emHt}x?zJGbC;2GX?l$}z(BCVH?>8IjF{()3yj z!wCS~&CgbyH2p`!|IhSnEOwnBj%PTMv;RDwQSraD1ek0b-KgV>_P>B061(5g3+sGU zY87p~DD>e8%{iN19-$t+FCD-OdFn=2W#J)%l05nA*tsgF_;Zo*W1z!r(-&}v`mBH4M0G$Khx*J#$ zcn0@kd9)|Nx2u5iqT2e1&v0w{JY>DI37;9dV4~1%w3WuuFlGFxvS=(HGZ{CMlD}EP zy}8W8$RKPz(hBTox~Zdl&0160up0rM*|#WQq&%Xeh!6DXEVg$8xXRT8mjj=Y)D`hO zHT;Q-LT8?;go9+vYie}Pes8w`L$aBPh#_lVUwYT0w?jTZWg0TzDt1^p&eWRL|IVZT z^Q&56UuIs<7OsxAPul+Db=i2uaGfO*%5E}9gOGmX5sppzB<^@xnjDS_!%Mdu{H(2$ z3T?Zht%M0hTvng{J+=Jnq5DSlFRr&{f2X5-Tp73T^N{lp;jlNf ze`~$%r9Hbn{_0<1Z%33J(Rfg;m0=2@ye!4QgWUS1RixIjUkiQ8d)L(g8soO%upkO- zSUgVr`KKzBpi@@AsKGdm8LS9+`4Gyw{@VnPZ z!RW5uzACL?hV~QB)WpKB0kwYDY-P-8ijjeLx2YvHSls23;FJ>Mm>?RB<~e<4sSYUP zbZ0n`ra2x=VFI)3*JQc-X13|>e6ASy#C{6Ei+|P1QD>_>?v(IZ`|;BG7@IaSRj7cfq6pa#hNlO zp-I?qw)ivG{`so?r(^(n+2dhHzw*uNt<&OQN7?VVpHU#(z17UfF5^o^hMcpLJ2aeI@v|s zmW#VdfELRgNmz>JH~BsG`AwZt|FpEhp+eq~yuaWRW@!o#lT zFY{NICz~oWbHH@*nr;7j`LBJNdAGBSi}nbhFJrw&Cn{(!g4sxGk>$vX_#LkVpaHbi zS8iLgkM(cQC*jM*^P4xv)v4yLAN8UwTRPt+kCg}*Zp_+_0)6RkjfNsz`hPDm{I8?9 z?grzoZ#_R@e$wb4Y2HKq#dY2;2?ot^=smmEU?TcLo4|sdPnrr5{!4*rS<@=Xw?$zd zlWXakCg*`<2~yLlGKY*3g9CU+eXu29%##=OCA0HsU%a~A&xgwMDfsa zwi87SC?lpiu?NpEa_bF$O`iRQta|)iD7*gPiFdx6vJxz4kP&ScsCx2iIFoQqZ7wPd z09?P?_6f0ZRrGMzcyX0aFm4Nc4+J>CR<-$n^fl29j>vw<8E33gE2F&iMv9NOb{$}7 z&>o?x?Zl!949K#lKi{}1u{&2c>}LB2aM_vf+^<>8B30m^T$Ag&uoat^_7Nkaqr(`8 zx#)WjD?(W9e$8a_3j9Bw0`2uFh_q_|X|d`N_gA?BA`zgU7UNHD+d6Y>`t*e`gFJ~u zI9t7iSN~T2t00PssRC`( z{q?EvVJgc@+mw$MnkswYgz#RNP_~aw#W7#fy{NMnuX=)dFePtpq`i2|dtjPU{c3aB zhY;S%O(6n?bl>PCm$4(>1q6NqTK*Q|NxLmXWVh%M{1EKgi5Q8%r=`}Pc;;?*peEvq zny55`F*g}2p!_o|Z5O5Sdn>d?qLYQ~HyL6oxmcK_gYT^;xmc)M07)AUfKQyJ{y*xz zGpfmT>o(XxQHm%uL(nK~L5)?5i2qG%ID^YsyAt+r+#6po05fu>-BGMrUgeF}O zLhnTggisPlNVsqO&UfIPyU(}3KljHSBg2uA$d5elv(}nx&bgjPMym|y9%}*iEVX>6 zYlkVtPB#P3=;+EQ9%I}6?X!7Bc(<-sa~TYqYj( zC6)_82DrrKR3Mq8jQPP+r&K`-v+P6vn;P(vd9$l__;=ymZG4i%Z_7!pFo+Tvd>Omh z4q_L*t|sAodqT}R zfHZ#)NcT5s@6YuQlOv5C@``@DAx_?ZbzUu4iAu@NN=xcWD{&fBa4cmEtT$9|%`Yt1z|cK~@FScMs&CT8 z2lh4=0c{o;+ajtD%q#!lrTUKz((mff$_=#rN-!(R+ug;YRhBv1yzywCjZNj4#HFim zkCUW6MRCBd?}I4m%&{@nNLgC%a_SrBH}v<$r(vc09|6b0)n}dJ5WNcVK5Sk_vc=+) z*z^A8w2!A6qKRo=-CNE+ODeeL+*3Tc5qY`^n9X{|@~mD$M7X)PF>wpey)v1zIaMzK zg*=7zX&v4NS#gcGRKAN&XqkDd#}U}Y?U@$_DT@?^Vqc@}d6+_CXwv?PqE;r_=}R`5 zk+@&SggcR*r8NfxL#rqw6}b~!l+We!pO%Tp?TVAmKv6zSTP(2zhK<7534Up$$wuHT z$nrlbX-gIR>(u?%*kE9U=TO&?NbN-6BN?@=<+?|pMj;u1j(JqA4BV97;PQ0C958kU zl19>yz3A8bS00g)=6H0K#SwH7S*z+!+cLmE*z#ic0k{A0sZ28sNABDn$lbNx7?hvb<_A@2hpBC zt{>;7IAb?wmH|TYOceg{(w7!#i3PTCf?CTjRc5NHCw@ve3Bqpta2QWeCF(irW$6mn zC2#vUDwljm?9M~GG1R|Q2|MPUNo|Mn#dp{HH#1xxW%rCFu|10eg=g+VT@RG{<(gCw zCHSDR-sQ<^n8w!QYv-^$*m4~0RQ?1obx`vVGoHEiXsDi*1 zuPCyZd%S&RUT$*-`d`EUh89IJ5`4-%a3R&rLV417SOzIh-;$}JhS;_DILMfo zXtV=-*999~1|~ZfInlKm>F#ajQJbj7Hi>VBIRSQ(@&kYuRAoqFACSt|8ZD1RmY0_^))grAnkoj{*BvLuc;eKJux$RV{+4k?s&obw2L)f z9@?<}_PGq^o*}~VgaI9pGdJe|8IxbySxD-XYFR1CUq3^lcmAnCG^Y&>Pk8S)k$K`P zThP;={0i5CzY4MZ*8uoiccvY#&l0JgeUP-oq;$W&VhhD;%T)cTlXM~D`SNKyK$Jeh zD(rd7$S(Q8`F55l{VQtMLK}sB%<9X&AGtI9KEdSEP-j^KR2!tW+R+#WJQ@Y%PbCh0 zT6J5;u~|Mc3&v{AN#h}N6Z3|MGWrym+k+6X=S&n zE?v#Yh=XF)Qr|-pVn0-2K{v&W> z?lz*$khB69dJDcRybnzHo&j(&#dhv&NgOOdnce)|vD@Q{flD>Yg;n(@oM0%yG&uqD9lawK? z=)>@3`7(dOu;CGKRH2N%$j`nbM|pJR?^-&DSBD117@)-v%^516^n!qmK;1KUY~9%a z$P9aUO3qA=1Q3s))K;#UxPJ>~$?zeLJgOE78{S$1QqcuRe1UuIp+M#EQp@Tf>v%2R zKME2Dti@{q)FkCK%JjVhf1O57F$LO*t%j#E){CH|2%km{_R#d4JRxtq^8#QxSzI+c zQ8et`Gi_8|7Cl-XHQvZSBPYaWr~wp@v03N^?llu$5YLZA+Y@HN1DHH+N5e$z&P z2dTY2Zuqa`hk2+tbwLV(0@r(Pc+F0D(`2G9^wVWbrm(RxIs0A zd+U$5H{VKJ&6{_Kx#wXZwX%G9KYLa1OCE4&Ae;AAe|fGc;KI5#5?|_;+kby;u4|l7 z*rB`XQaT=`~D*8TK|9oZmGW%TuF`ikrbcmO+Qm#{$e-hwi_tzPF$V0nH1goXJnP#|D)%?9^g>KEvG9}|Cm9OKB#s^>85Mq zeM2;_GtZRj)|mXI_5$pe$>?XA$|OT|x6D63L$G*9-N7tu)8na3U;-_Z`jvc&74y{$ zcXEym^E$-+|H%YeJR2Ydn(y_SvrXhwkX||YT0%vBE(cP+rL@Pl|N4uwN8)B(VMPz7 z0cPmnWJ9d>Q*Yofr&K_aEqJW``pQtz1v4aleH>`Kee{v;UVt*_T1k8YoZEL+FFjR= zM-8}omIlQ%z3!{_KyTUw) z;MDWT6F}#)FAAjve!R>|+T+ZV*pT^p?Gb6(CMI=0+Uh0eH$Vt{`F+5_O`z}mI+U(oID9^x&u3^M*wvAASJ~hk> zU{;YsnXqM}*c@^bv%v$LX>wP1{zsotuSmp?G9ap(4Hs-HH7jSDxW8eXONm%oZ5<~x z=5-U(lX%a_dcRk6ardeC1pq#=gM&7#)zRd|!3co#h8ARw-PV?RrCmE&IvFnpJK)V3 z2vjQ%A5KC~wt*6pKzXh$ZJd9#7lc_Zos452(8Bx}K3wR>#9sv*dDeOmL7(Y`3QZ;G$DD_rsxfP7kU*6og$e884}D95sqW{jX?6 zso!_g2)WDb)-AsYX}tjgT!=;OyahmZl^on7vPb->cHjlKclY_YZw*PCT&a|4sDJgG zgYSll-y`qNqmVFHNY)~QNuFL=|BPkzdmrM~vL(_KEL>6ot4;<$7IG4G*o z;1zjBcNND`-O}5aw9m>|e1|rh+Yj1n0 z;|himlN0`}N1&?}#utPW>%9k0Hb)D-r>@*ho&Sj4;up`F?*MxZJN7p}Sha%v$=5K@ zm;)QSNwmA>CMAVNkd2u%_>V7D0Td3v!+nkBcSG&7k{KXK{Pwx<+htV)nGlj&*shXc zUg5pp_K25};^}X!;J^YA?q{h?{b8e7FX+dur^}t1oMC`h2D+{cbTW0Haz4K%n_dRW z)uVHqWs}(D{6tH=v<~IP&`vC3GCy%UaMej^a;W;9Tce1Z>s;}jy8P&#{^S3vklN1- zDfTCe?{^2?N0xo|k3qnl2~gLkr}lm8BE9C9;f}vz6f*k2D;DN4(W0bwZbR=x=Jb<= zcSa`t55#yyj^#BR%erSf^~IlX_N~w-ne^kNR_!9!tFVWF>k}`}+Td8Zo|tye<7ht$ z_|`mV4e%|U%m>u?1X?|>q+&1Cp$kvg*X&ZW=i%AdvBp!N;Cmi5Xu-_Vk24MD`23o# zOLPU^vGn+HBoXW-3i@&W>YMZ8nAUi+xp@Q2eHwY!9p32a4mes&Kh=!l+^4a5zGUV) z7$ZB+(zrzzh2)y@g#+_Xoyq+ zHNnGv(4vJ!!!9u?#0J*WpPXz1TUPa%2Jr-dVTa{z&5SiR=)4-m%_b`)$OGB$t!bj% zWuX>hDaWbF+4LD}u?A|-1Ys)~PVarApl&?UEM$w38+?#kHo~Vmk=8ajG<*1x#3rmj zqFFxTMD5YDeCs3&6R_V#0sB!wl_#8_o+~h4NjMl{kweropNPVss_@(kM>S<|)>tgB zit^xf2(N;qC zfTR1<-5XFN@D+2P#YZlmGHT4%yStl=x99s8k;n#vB{}hSF1E-2)5}O=j{wL_V&#|M z9#O7;yc{&Go*n>g9{48cFl-X-cP89L$V$R1DcU_f+E|=d?pC{!)M2|Jb zLiAq@%#jgPcK~#HA9f=;@bRs;f>*A;F8HYJ8(dRj!;v+qW*)$&u7kj46FlahT?QQ5dDi&zU)P}$2qEA}fafNaS zfQEd0T@W;vVpHcTr)x^IT(onC?>uT4zGApNyWPiFMi9aEm6Lh-4uXm+Xx-EQQ`i7O z^#KJ$P8LzFId&()#x#yHLuUp#FCJ`phgg}xI|^!wxh>ObrtC9)D@~Trsvau?{G-et z;Vc{;*4dwyd@)Y0Y(wb$DPFv`_IQ~uW`;ku}COi8zU%=Wzg7s0)yUX`b=2Q^|Bta zQTJZK@U)D~l1UABn_T(YpFGH_248^R-@1uAInroBZiJ?{^as4wbJ>Tc)Xst65L(tv+gwD|W|C|N1V=X-PJEg0XJ4tPrd31- zQ4`Tqi0+h;9>7NEs(H2?Ikp%45KZmLx+*_jm!{w{qK4l9e;%b(jXGG;2Kuhb%J?;F z54=cUd)MVB|LQPkNze(~M*QhQ{i(k!VL_hoo^KY9YuEl`dwd(=LTdmz#?Rg0pc}OM z#PsSrMvngshrfPv;rPCbAf@AAO=<3($jP~Cb>aZX&#|p{xy_`nXP~|;RQW^DIo%Ww zosFb`dA`D%fjn>I?rubC7G%gV=VBVmD3i7d-}`0h?f2ZSmc&)i%f!}WB)pUic+g+& z0Otg@E>1R67;}=ef^PJtA}vv6=*6(og4+^}r_d$?e>${r{aN;cSeX*Uc9~?QAz(0n zjW}6_-o(9tLsVpY$f$Qc+mW5Mpz(FOD%so{j50gEF%39}R2| z6ce>+t$j3ZIgzU+c{x@6S48{T&(Ob3s22L0MW$HitdCZ)X0`3!LB?)V8Gl7~cX0U#rc5 zsTi?Q1l^N#ZVq%F2pGlEM03U_ISa{1%pCJE+n^ScA_Ksu=rvL$#q6Ub)69)T>_#d% z38rr28FzGNo&WNYbYDHWH@KS|H3ixE+STfyP8aAT5G8uSBez?O#YH*}^VC*8uXDnu zj$Vd;ZZ4BR;N)7S2|Pj7LhV9XfGiEa&#JG zW#pJX^(ObHiYz&cEs_YjGdn=t z3MW^v@*c8|oi4rQMZ6w2 zIK*T-rgUD_1#JkAb>I77O^%XN#w9f_^>2Q>c!U87Pd+!>*ovuE?>BCb5z~ zjO&C0@_C4e0#&4)lsAq)z@{Wll^!W}fD{u~l^@n#>%4f|P@31$FDy()I(GS^MdM6= z#6b)2Y|u##Rj-0gqYj8r#rh55^*6lW15b1hNBfT2BOQz?E*}7fNmQoZcK6j(-i|QY zI2MouJHmLAYb`SoC7Yf$fGz6L*YiNg!9z`Q#T-aH-%R_c;=v0d!0q;#U?(Jr4>?W} zQH37a`fi9_5h3q=Pzo3>1{)z{On}sOsJL1Ny;f#xPql4OzHH8T6KHIBZ!oQvrquz> zNh7@zAA+A7<=>zoeM#qLZsz;>(fAsL_e6mC+MTtIVI+W)7!Gd&d0+~V>>8rWwLKCdpEHDvo>*%l~biAD~bJ*;Rfb;;6 zRZr3{HnDQ*OsvbesZ<$tK4;KntHDLGKh7GLSiLp9_$Fk7t?%ANkP(z+t44b;5xZ4X z>=4ATfW|Ouuj;HHyoffsJr@w$MQSvK_Ar)Owr!Od(YB~ZF8+%xUJp3`X0fx+0E?YX zf9Q_cwb%fdvIadX%RC~eZ~;_W#S2s@!qJxGtlJS8N>1%Q%3@lnnjUj_Wr@~%qJ&m8 zzhV)OJGd7SoT@fzDqgWZ7SX=@z%9yBK7j~md*pi8FKeVXEd|EuIU0fnjC z*Ny~xp)VCX4faB4{T=>7i}^w8IfKl0Lk0ZseUM056}c$iN&a-%$DdK+>3ECvPliPR z9qJj6$O9m1Wy%&5F+1bE>Qmk4T((|3o+7}h@=#NiQEIy|8-&WXzPaszRfU-RO*-GY zzzswPXLnX|$v>JpAl-k1>M_wz*#o-&*}cJiKL?C+(6;UuP|5Fu1TxV8Pur@^Ju8rw z6abK;#eTL?<#ViDnra(7F7DcBxq0R zk{lala}vs!B$ss{bh`_{-gxUpz)0%|CGkMJdh=%wvg$Gz#BD6S8NGF#MlPwY`q&%- z-Wnsn?yLOZ1X$_f5mKB$OQlWyCHyz(w_B45SXPav&hDh&f)l^@sxtcZq;knf03xr< z>fD27alO|8mN-e{HO0J~%=)b?AX7CB7nNZaIvbsu6BbsoA6`@<}kPbTKbaCBiI zs9j9p;c6X4e`zTC0T#4gD29unfQ14Owe?pe-z;`0{^}a7fy}d2=MRq7(eR^+cjs@R zjc~$g>1-GV_X`)KcRLkNV@&mz^oYi-UH~a6DwZ6d{Cd!m(;pbuDn=o7Yu&1U z*DOUao2A*prkgv>l9fE0P95kZG1mp8mS4Q!u=ugw?C9!U!hEZYtYO$2;^*nqDgL`y*(Xg2J>|^Ejti51Jf4)mNl+Oi3g6b z=_*ro$OiDZaiYoG0L>$r4>MWmi0S&mlX#6kzus7ob8H0|Ux08av4>UhT{;@Ao4$Ft zEuI+Ruy`@n|EL3U>vBo;dSx`C6_Y^u!dgM!3@7~i{!4W^E2UFtqM=WM=G87*fzl8MSGxbzWzbIIA#bD@AzPH$1GOcbuB04F=< zHDYZ5#CAVh+uztnI&Y1$erB)mGoGUXoP#E~!54w+BXMmi4I35{J+#+rmzyTBI7|Si z2f^U;rMdSX1s9T4@Lww?vqUZ<2?(SkS)3P23XC28Z~`=>(zZ9)tC0*u>l?&I9oQML zqD`xZuP%fA=Q8R_SknFHvljui<57yD%M8-URqBt!8+0HQ*j4}|YvJ{sVD*IOOsKH9 z*?|mFCF5-q-Sxtx002djojSS`!T-&o{L3c=GeEakIs?8Wz3c0o8^60nSHxZ*4=DDQ zR{?0N^(;p0aF%k%RAsks44id9DJ3h``V#9C|LUsLsM-i6JuQfw0e%tHad-Zjc!IG+ z;7tE$p-V=(hv{Uwk8H0T=_zH6fbbP7r)W_agx>jpqd=cH#&`${de z^@50)FF~#8^^;ELn>M-Eg>j73pR6!?NbJUlF6X>KG$Zl?iJRDuB@FaO6+(;D0$dOT zNvdf|no=lZ(u*diVk5i+oV5|P-sW#Q54{{{AOl<`;8ij8TzkL^a9*N))aTxW3;@1& z^{qR^hFHPD@d)sU_u{}$=ZeK*Z@_+|$Y?~ZBAQ8!VCYusa;C`oN7|v3LzX}cPuMn{ z*@@x5k4&Dd3wn3km?fUxOt8afE2CZnB0eva7S|kXOXX>C_h)dmH2K{Ho0MAYGYVpS>!^I!hWu7Ega*zVPx<;Ovnj7F)8N@H`#g!Hr7j3#3k%4{U!W}r!o!*g#l=v1(;@I={1x(MT3ccQs5gTaI0v`Y^hzFPG(DXnao9{zwN&x=uErJwn={U+D zmn3fajlExKaB39t&A;&oS){^N63E4KTfzOY(S~Ur#t11Wzw0jHxHSNz-(FaH0*S zY!H^$G2N|S(7|!3MGL; zF|8-#^LN0!nTZ&uj6U4nftIa%9{+IysLj6SrVfo3&aDcvQxQrs^=ilDbW)SuCUQ~6 z;)lP(Pd)fm{;qW96f(EvU?fK?plG6c+kJ zz2-X9zXn7w9G%0CT#lg(IG8Z(GN<7qX`&h|lO*>!wYU~BwFH>*;Yd!|bm3}XD&=bG zUeDg6Y~Cz3g}h~v>dVUa;ZlLx^|Xuvv8jt6``8t5jE37C0fmFrsGSJ*bYCRtd}4><4fJwVOp((~%Eqc+|2KXCQb zh&7eOudKmbBH<8@!xdonY_W5_Z=`|4I8IJ_?F$(;V<{XQ4Oqy;KGPOnuW^=|=dKeF z?PJVqulF=MgJ~~N!vk|{-n`zF+pJepfe2_@U-V^`146t2vkMcTkGcOX(6|8bLc079 zzlZ&kFZ%Y9DGz8DH^8hH>^73*aztt&D)mg}h2iR0J z+9v7OZU5l`faL7#9w5WdMjIt)-tB$!*&FfTL@2*jS`s#2x#tokZ_2H~8L)nN(h540^G_BWef-cD+-oC_gq!dY84>M<-DMw% z>2j|wZYY;cWi;g?YJfx9#)G>L*$pmQ_7kU>@`1}|Z^JNDJhzQP?*KD{=lP8EZ?{dx zwH^h2V*8J*R~6y^{EdJ4=G$X2VAb|ED!kg2o=+TPVpy~JmPQMsK}Cn*d(p{fXEKJ8 z4KBmy+WX(%hADVXaC_TC0=**pOU%vE-tb_;sC1IHaA z{0khDrWGR}JQQ-pXZbVHrOF-Uo^1`K@xVCkPtL7qz;f%8ts(yQnvLO{DHK?iuFGtU zuwV{U^|aAUjkEMDme*}<85@xhv;x@8i!Ve8CYv)OV7NnC@$YiR^`k(}IQ{6uy`7w) z1AY96A2dWe5-fAxWYA%FK;QOcv$Dj@yHvm0hHt5F)8yRPWTovgxFQHbQ-!)v9y_cu z?j(VHi8xuHnjb#gp99Hi)jVQ{q4Imu7Q}k}$zQ?V^Cp9Sf4T$ghIn6K;2ik^XNr83 zaXg!YRB<0(D6|e^&acs4(N#qjOZK=xDzxeci4g{)5YV310}pVla1YjQ37W@ zLw(zEs;uvqbanE1X188?w|~A3qvtsxXS16$n`A#wGE7sHmZD=T3M6o@O97Ls=JWKe z6b0{4M(?COt2~dD$8+jLbHHHAXsfA(DQyJ z6w}if2eg93!aLaYC|U5Z7RTPe9&7#4*JL<+y-3L*#K?2saEa>&UgaL~URr;O8X#k^ zDM$1Tr~xgaSItW#{1p?JtiNcf+S&R4L@2x8SbbrNF2?EEygRLRw=NS!Ti*flg@sdJ z?|?CTa{kW_6>D4UL2GjJrZg)EGp-1ySO}{|E1z?0)sbb@%JsPYp5txoUQ8=YbcRCj zN-I0@WFG9emi0L#=)LrJ@vLfz^4h8s3G^3)jt6r!jDX(Q#w5;=y{Ypp!~=rob;9L|Zz8 zcYf+$mX;T%fUI#nUMFp5*CZX;W1s-?)zn`V4^GwxK#8A}mt9hUvfxiznv2a0yEQK$ z&d#PqdMQ)1%vWy+&(z>C+_nfWngcKoB%&h!>pF7D2I)<_sm6eCLg81yD&F>|@QZEE zPO}X$58zmbN+i0)v`Oqs8p{oWHsRdiz?Ao;=Cclvyyd%9BI1q-9 z_nja>2TV)8&~#a`^*(6*IcoabQ90eYs_MARLd~EVE>sc<+w;bZNYTaJX01UD3rNr= z<W@)G&6gOY)R&l-0ijej z`%MiWnMFS}0o5-(bp-*?Erz~;wsZakutb2 zQ^pgr26v>dq~q`*!lLbF2t5Cu`@p^c6nUv4m|YSxST^cfe*RssJYfdQrKCTO@9ZEs z4W_i;Az{|{a{|~KB{mOC6c)Ng}%Antvz z$4aA(lQXTw4-@1Yix)ZJHggewHI8u`2KQWe9dq72l{t4lOghbk8_(_RcfpOd-)@w1z`;RFLj%Qq*uv_f9gyBQBTtW^#e5XN z4@IkNWz^O}PdXe8xy4zdyQN|LwG zvd7?0kgx7|IfhA<=kjP<>o$w3ET;D-JK1c+Db2j5vV2pCBj8T;6r3fIJrr(K!)-8b zb}*_OU6|vY2qITIj$%XPlW%$ej}LhxHs#Oi@Eo}lI&o4bpy^{9r#pbu>>kUQed>@Pn?RT7Ibo1bjDXPBBzpFcEbqwC2%ihWIq(X zsw9@)ESMi+sS1#P-d^9sJgmjqq5CvQR*z**vR>PoV!Qcm zgWDriqY`}1j}1;>+r&qKOMnIJ$%2nYoS@U^m3nIIq)Ah@n)pRc%XVtR;`E8(JfdDY z2Ftn4U9`gUZNGKznZ3d6=rKb^<7kQM(ipUY#(Tg5yp4wq``q%|?z`JpoReSn89_rk z+m{UaI|PjFT^fy3B`1-aV5tKl)Mu01{agEX*#5tUu=YFvNU`V9tKL~`BU9#XYSIH) z8UiM%`^8Z#YN5&Jc=rmoo0Zx6aCP=evqDp8wZz<)Dx32?R?>&u#IfLSat&Al0M(yq zr&I1T8y@<)8+qh?9Q8KmuLVh?rF8R29VD;%qNcPTe%Tt1%^~J@Pzh{g`q9S(J#L3J zE-Ea$FsIvP3xf|#@&}{h3RKw|M+Qj_avxBQE}Yg>!LFf3Euqb8F2IS@!)VU$jE2{6 zFb$x5UX!8kJfV(@J@X4zuu67poqgI@hrZ9z6awZ?(RgDfM5m%YGD4A?v3!fGFv@o2 zLTy0ogE5yD^wy&aMuW?UL#u7j)Y@-%R-B6aWK{!hmqTQyOzol=a&7{pE$5~heTVq6 za$*AiG2rTtp8((b4K%i1GZ|FcRkb=C$GcbLHN*9P<6giMB}M6sxlkLI8AM z5%#h7bfW5Q_F*9AL2Ea$kLBe18y8G+%rp=04Q?RE>W}dVS0o~#e9>=62 zHhlB2P_HQQ1_;>(maBcZiYsE1Y65fw#C}GPwRKjOd}JfgLsMg9`o_dLt+~1&41N8* zUApR_X)d54vr$l~{3wX+c|Txd>IM7K!&HHQ+F}qo)MhQ9ov&3~^pq!IiEG=5PGD!t zjUR?EY+(oW7x}9=^b!BcAfi!t(H6YzN$Yullv~+u-QJWL)Pt;MXL`Kc3DdvKiALH$ zck*viR*v4kxdVs(-5t1@r_+Axl|$E?lZAR5Q^~Wsl0h9kZ$7Kv5Z*!{C;!bFNF+W* z4(X~XEQLACc!#M`yV)<5Kq+Su!){g}h5^4N-thFFNuj>__I_^OA_UE@GT?T!7-0;@ zh0v2p3{6}(Tdi7vTQAHqe4$A(zeitYqLS4+REfBdraqX7%0yq5RvsX9#Bo-%m=MS{ zeH0k171ro|C68x85G2#C2zqkg8_0|6U@JP`7-+19Rk$Z;QrN|!iQK>o|^sRB$%77T*~-QL_1s5^;#9OSoI02T!NQ9uT5Qf{Lz#M`EyHUt?dJtVMHYg|BBqwJlDiK&j_$I& zfdk*{(U~MFQ_zL1@fBhtH!d(I@JF~^ddyaV(Hq0eu_I-7_K{iwiDxu8&!NXqF0VDAZ~LNPKd3x*Df zRkOhi{)^wvS4I^RNk_l~Z_{%<4!4LZ<8xB+n4&@a@Mkx`a!s!OGXRpd4oFkQ5A z>6MHFC!&dzS@@l=daHxU?38IuLt0rsv7QX)-)^oVQ+=)-2yZQg0|1ijvR`p61 zrFuPKmD6Ec)#oU&wheC<5TALiBu0&dC$#j7Z%wJ%YH>h3NFEBTs`3O>KGCwVOOg+B z13cRCTpx^9ZyuM%o2M?KVi_ZK6klZfjG(~>(eyM3SuDXH2Q1~K62;l$>_^CkrTn#L zxMdc@)K@bovXdy*L(25J(5MdIv0Lmlqm)_4TsoDp!RNYlinHhI|SacHDn?-NZ(|4l3z?*6BS+0ERipU$Zmu(DH`qltIkVLJ+ayJjR zVm$0*2Sa`BMh*(ga#Vr8iXD(m@U_i`S+*mPHbs~e?Lg$`$&XN{gG>1nzkDuFTmqj2dF&%38?De9Z5AB* z+_=V`yX3k}(n$e)h#_HN)d{~!UdX(?BDex9T^1=j5;Cw+@B+@cHDzNfnx0pqEA+&f z6U*Ydx-?u-GVCX=hiW|!VB%gdFz5wDbI)v(;<`FjAN8<9eN}mJxsKEH{QUx1d}A=! zeNHsuYae!H^s6n(uhVq~os(aMrMDxuGP^d9%LKTou21p6X3y;`&|l`vf&`{W`mbvL zJ@mI@M?mQY`P+7YpeLI(b>Zl$PWv5YLc}Nw#Oc8aJG9aZ%@{vII_VEQjoR51~r8l2Ws@m0X19wk1RXp}!^;$B&a!ApEpZ?%l@p*^cPNngU|XRQfZHs2t743w(2xjLa&5ZPl!n%KX3qqB9T6)E1}>upc#y$w@uTW?F{w#UTf*6V>>+VnttQ346T ziX!)|8wOeK4GyY2yiVWRlz9l4FSB3sF8T}?Wzm5mZg08uz3(dd1#r~mZ}Z=W6zrfg zo{<+%w`AbD2a=)dFa8(B+ksiU7xYfjcNHG5-{B5$Wwv?3MMCqoc2VeIuX|B)KL*o6 zR%Q`tg{K<&rQ8b)5(WP7ocwrG67CtQH2Z}>j5!`OK~tSraNr5)LX?fx z>cIpk61AQ7S67v$T;}xXBDvWqI&YbMo{mm54Vsxa3>C`lA%HufNlIW%A&5;Iyy=J_ zgcn1&hP+B#Z58LZK#eREQ9y<#^7BIcePtG&MOc!CM$`O<`Yc9XsZD-_BOMuWe|R%n ze%nSN?+p`IB4wd3PW)z*bGNPLt2tOfn+@2>c{mcK=5AZDIdfv5f@JE{ zx3x95*P=QIL3_m>R3?l#CRd={G8)KWUwqDq^n3(2UTs5Co}P{SpP`UEvrU!{MfdLP z;erGIx2-IO=dWyK910k@)v12}*2~;_A`n6(X|6|p#7}C1J5X|dEkKxWeKN)fxMPeA zFR7-yV=X7v=ppT`;9cD+OZa6`1k`b6VqsD_|C;01w^ISv-=2+TKlJ(*I5=*OPXun$ zL>m9*`j8_9CGEw1xTe6M1DHaabrVgnVCcJEZNiAqms5ykI+`)WLSDeAPw^2SJuyGC z44FSq2Osp_nt3k98MJ33G;pt#ev(@=XsniXBdWt}gi+F{{y}}2g<`rEwS=9FBPW8l zb!bx$3}Xmc(5;u`Xc={+=hCYd>1{JwH*`B^#FH~kv=$8|ZZ2X_K~w61vVYepnlSZ1 zlX$(+opm=7WRi4EEq!^Wji52FBJbY$*(9M>Tf1z_hBc>nnc z;|8*dLc+SXc@MfgvM9GvfE445^bDAwsFR7rSg`7P>KO?yu7E-Vl#xxY`MgyjL{&Dj zn8d&vN}72h>ra@)z&ywkK^Ian6>5b%V&}G={NZ&PClDfiY~nbL{aOJI&xwXl<~j*4 z@W3S@tgD^PT0>onS#857Qq6Ih-Rz=?O8e3DqAqYv+;$`&oI5xFcYH4mMwBduBo=pA zZr1BB=Uc8d04}nKxb}0%^{AGCMg~<*Y|x;6ql-ML=YJVtI;OukLqz1$*RvR=G%D0g zex?}5kRdXmU z>{NqRT%iFzQW#Zdcese#CTcRKUFTR47ovBbw%|i_uw7lEW$6qtEaqE6QvYPyeEzxoGemum}D^%0nL45-2=}kpq#p9)7318&QM;VyXKjH z(ATqBL|M*}OVWKXDCOQ23$j%S6nx67AfA{qj1k?4^1yeh*=GhQ2E2U4HNPg`^Q*%U z{X1=9_UdU~Wh5&DURSaW8TvD7CXWJo#q$9{fqZ~~o`%VSQjj1B1k8FWo zE_GpTXU!_c3`gWus{aY)m2d1U(qC@V+~WXz_s1R%*G8*5#2a4|W=tZ6 z%cuPK;Kh|Nu%UIxt&Z12!`QiAYoZq|(GLLBK}5h!Yl1@51K_CXcH-KXB{P#>;HPb@ zDksHHlSPV)B1^&w z1MoEB33`%26TktA*#|%+cA$c5tp&g?8HK80$B7B1E`moJs>gu~+!w?L#APaMmeYJ| z>jrWd!`j563!|r-6c3%6MXwevM(Ozysu~*pmJHGYKzfdr3St)-r1IOzczT{afgh0j zdKZh53~Uslgsqj@{Lap%HQ1`Db~f~@IUQ!d2n|~c3Q*<=<8(`Z8ff>SU=WPX>512s zEWEeTT38Jqy{tZ4+~7sD$%RiGC;sZEEnoE{MlaF(^L|oJ11(Ms{Wvs9fVj ztLU{gYqhJ(c)w@z`!j}L7w9&MRPZEW-&jgJ3sD;CFu)a ziGd!(&66<(V>nc7x#SDAr+~@N$n%!euy_|UzdF;Ae($yp&KWd48ExMYI3O@7s=PB& z`qyOSCng#BNldS9SBWv$tplyH;{aMMZ@TrUhXtF*jrLn^y>W3DwnJk##Xb2vbf;ux z!mLVkUBo%MW>R1J%}8F6TDusYR*oA$`zCnh0o_e6B|gGgD98qb>CqORe>9tijUA@^ z7#$(BhGQlTl?+%f!E!N7*AuVVrTMon8K)qfEQ;3aoSKwNwF1av-i|$)yvs3CUR)l_ z?B>2fAJ-^BlW#DEQyS{TSm7F2`g+l%0aeHoH_Yhy5ci|H%}2nN1G82LE%!p5Lv;TG zrW;28hUrU#;y(S;Xcr`P7O8wFs4*}U>>d~LzX`SQ6 zkVH8-{T^#$w68sxzCQVX*n88UCetlk6x0@MkwH{I8AMvq78yE%jEPDsZ6l&hx6E@( zln4mO7?NnCfHFiITc$u%6i~t>0y3jSq7o7j4D%Qu3<)6&NgyQLH}>AbKIOSxb(7%alZWzA;HRJ*P9-_S3aLu;4vt<21pQc-- zP@ha($`3`SqvspLiHeLz>XkH|kniS?&NvQ;#^fXyR_3q$F^F)fP{xZFccbNd zI$rsho8|NDVnw}{)nVh*vGbj~iQz@HIimqaPUx{dm37$52%9?xRM@?U4Qh6P_77tY&BHZM-_Q( ze72zdgw9=+S*2Q*eJ75{ntGqZ|K-z(6Wo9KbpPek{g+R-ntJ8e{h!LG`!9#?zZ|;% za_Iicq5Cg~?*Cm5U8!i(m}qUm_{y`s3b?@IWJtfR(S~r;6w94}Np(mWf8$Y~4CMyP z)LULAa$^biLZu`#SzcEEV!@T3oox5~Hw`YvT%d^c*9dwym&GJI4pr1cDgD*$=iDbX zQJLQ~_mv`Wl~VCpT+I~o%lu-%(h2K0KXk7Oq+K|J>Bf!Hf4+k6-Gm3SqRD*WL%%xUPZJo20x_2xK&28=6t5>fyzv$9Zmi zue#is`gAsfZ>~sszAyBK!_}#vlX2cA`8N}zmV4XGFB2W`PPk0i9ARK*dyaOqS(>*_ zs84l*VTZuWs-`poC%|c5+`A$jy0>!dtfj;2kw?&e>nSZcjnHFWmR2*8*V4zOv7^jJ z5@G>hLgohC5+yS)SFiD##^jEU|9~atA!Baw9B4Iy#Qa!QS2( z7dolQj9Nc92ISTX7B?QfLoNirYACF_*Zd#&d;3m-i(vBOG^aHYBK)k55+KI93(8XM zz23G+mj4o4xt~#)8scTJel(#iY9bEu>v;R_jbc3-^jvTAVZMc;r7LorEwICed!=T3 z-I3R{#|w+SOS8a&s3xDp;um+3+{W%9-e$vU<*y2Y-GdxEU-Wd;x+ z@fsW@Sv+Yz_3?DUDjt}M{)}4l#G-F6{PW%%k@z9IeKW+K;%f3MaGnabrEdoR$TmH6 zj_uliH58tcKtEkr`r8w*r<l(0?GCL5Q%a66QQy)FOH!YtfllstzQl3=ZzNZF4+aHD&lu z=zA-#MtFkUK1%8@R*@QPAz3@i{8~v*e7ETCJ<~rdl@Ya-nIO5V*uwjdZRB%?6PaYms#%5GU%F{`gQ z&0K<<#|sNsvCT=H@eg4L{+X!pb|SSaJoH9p^<9KI9K9~Qt+%(A)~y9O4e|qId1!R< ztDnp2OZ{WwqPv@XZ_Q?{%I?n^W7`X-#H*7g`-qZY!L6@S$1C*`7>Q>>;=A?{A#-QO z;{wNp4>BS4OgKx2^A*u_EY1&Q=+3#dI{a}l#4 zUHAnz@#c;T2E;?o`;9j#$Scu*q5a1DC|tk6Bk7ujqBVNO;WCP4D!a~QHqp?(28L!o z!d7Q{TbW}!UR$}c#=LordzB2DkY{&kgw8Ur<6SQ65K9d^Z&`j|y#jwi0GIK~&DbLo z|2wuAf^UBU`=d_rCVOM=row}A-h0B9WoIrOY||GI(^S34-aKa1uW1`G8jYv#&3TV? z4rDQP7{mn9Ngbhr4}mb0RNHZj2kp#+mF_U}O0Xz#CS{_*erWhfQh&#BxMxM^(}PO! zMK!OF?@Kuu{%eu<9J6sl5jGemADd~~8AX6=B=toC;m))1a_f(2$DF7MD62OlxN1gw zkWQ)vwN6ZVxIMKz6m{EzoV^iqmR799Au3bP_zgHs=H*t_r9qA#qTK~c7=s01(RhzR zBbd*qh-QKoR+HpcCn>4BL1{iC@ALDTr4AW+u+(uBuwI&+%zRDSN#w1t>M6oj_~QyQ zsZpxH6n-M1)Oo}sR~Pcj_-E~{ap^$Hg{}dWgUdu-7_p;c-^Pb9p*+$l7V;XnU5E^3~MNFsO*<}=^W3@q%@$r3)z%!0XgWs)nuA!6ih4M&PSz;0XF!<}`^oeY z8Z8>Go*w@8e>pT_fSzd5-#Z3eCy;(ht##m8KdZ$Izc3j94M?DD%R_Gl!MKx1At%G9 z46II=1N~gBrfj>8a6q56nkm7x1(7;Q|-S89y_Kux&DKK@HPFkj0sd#S+>P8}4I>4vfQhnvT1yfBiR z?kfw1<}TyP3cOLn32zu4>ZX-(W>vx$mCn(n@!?k^HAlAQ4wlv%EopUfG|t6KHXQoj z@m+k51zM3i#($`)j^=V`<5=pYpy}p^fTr>=F7Pg$xvd->Lsq`rbavM(D+|gv`Nwmc zTj2$D^=Mw5krBIa!0fC>Ew2afAP}6S^nU_+n#!@*igUY$F6&Xc|39V;abl0vEffTl z*`g-x1k3kw%|{Qg9w(paX7Ddtu_zxvnzGBjBGKoB?fg}Usko7W5w_K61w z`g#AiqEcj2h4?!?n*;fYrAZcG1*~+JH-_;nF8lvKTp-NFg5)s^|y zKbUBTev`SlFNT%s9s~z_U*9j2O--ynb!cvcLA^c*Ol9X4tlS2wlcMK^f~X+EJO9Fv z&I0SKut1+?%Z(wm|@`AhV$ zGwQ+mpyOU_Pv`h>SEl5eB?giGb6KIl>4;X!wK-$4&@NVa^BMRf*Z6y&`?NeX z;=9^@tZCs_Ul!jMlU;5Xw|&2+alIyPT>p4jCkYyTAhGQRO0rLKr$S5{4j$Bh$-Jp_ zy&tZnt*Q9IoOkVj8|B9#OI+?AeA)pfm&Eu!WxM1%VgNYYUOcF z_6nTs;$fKo9#Vt5K4b)#*p+W(5_0;#Epf|Jcv9}v>YMoF&~2H+=kpWOrE{EY&N)pz ziMwrNxbx%T^A|SmcewRvWB&P?>rV^f3<@e_WfC6j|NeEaY)T;&1ZlE?ngJG)USj42;5f= zf}?;Ow11hOXLZQk4G9l6R;rqbdit3g#DNe_0d9~6J;8ixig6kd?BEUbf{a35aJ$A| z={Ko*O~5fUnniJ;{TUk@*YFNk7r)dd%y;OSXpMWo7mo?m3kT|3DIGOqhFS(Bb>wBo zI-HzZKO#zVhGMp8ms&1Xavpsphc50>VL1C&J|Q@i{6YPT5?=R#A}yh`wB<48A9AKl z^wAC18pGu(PptkRS?Ri_v_u4LiBn=X`JzO2!?pCKy*EzXPEJ)A)Xxs~ee)Fkdi%e% z0Ipobzx6COB3aZSPr%v&+dW>?PL_9^d-&HQSw^a`E1BeWC`HK0$i=21=e8fGDF>zs zQMyqhbdr_clEY@a37N0PR2f0Sz271h0{8}uiM|ahOGgzSCp|t(ipRn>q>#Fmc1vsA zfm|LiZCcUK^TU-*+$`Y{SOYXGbE_?GyBDrcWfD5La6c4da%V(I!GMTvF=6R0m~)xe zcGKLAm>oYw;FUrl=+hdN1T#qw;ikbdOW`IDB1XyO$}zF#X)`2?lQ7GK!;raqY68%6 z8KV~L2svt3k6Aw_Dd@wosPP#$GhT0S^U}f;k~EQvcT0ka_~-%M@s%zry4(fGWRDKX zVZtN2n%&CVM1K8IMOqTLfZ++H)lL4@uVqc*Y5Y!Ja!`N3+JDW;Kk{~i{Dx~i_2L!W zfwQFhrXLKR4tN#NzRheaH~pX+SU9!`*62Xl-hJSY{6aU4Cpq7`XEdwZYzt8qYgGAR zs3wirE_b0y`a!C3SPMBVU57jJyaE<75rCp8Q{TAGC|VaTdR%+w%AgAoKvmfx$#^)fpD_&d()2V|_@uu3ma-;~YZhAqrg^%$RpXDuwslp9 zY|*pH&FO}SrP|FuhG_5`q}~G|N;TKfBWU`OjR)2xNEBmEIIiskzVh7QX0v-;L+#Q6 zW9SPA%00er{Z@%Rb(MulHa+g^yZ8NwPK`V;fA(T(XLg_$Tg6Fx;g_-B?BPrk?fb`Y z(UDo_N)34<4uB=J3p*ehQNSAX4D9T`?wENW8l>;lW6Do}`@CSZKZNl)C-ORWLdl;Mtsp)1iT_fxDi@lR)`vZzNrn&z>l)%aWm?2;;Ilvl z)gP!G?Jsi*E%s+>}lN7DN18r0nERKFUzt1pY~x5i0aDT-o6jDM*YwW;D59xU3a z{>`;0NqGyq{IKH{H~N2uRpmT2ZTFn8m;TZGk=a$d+w95b&dH6HCS>NVC$UZkqx@=( zvPA8_m0s9FpE~CrpT2a<4u3%w#l%uYAzg?M4t695-(q-^mHJ5yWJEt#nZ)mEaYyC!0;`}|K<4aa+)q_{ajfo^9n z!%%(pPV80p^-&+9)!X0Hju{pms2D&a@xdQYY5%2YYhE%?-T5+*{x(H2MaS`%e&KXj z3X0cPu{@s(W1)jyZr_^TL9tYnJSovxmr3{%iC<^Ad9e3_1ko>;o*Vgc;7Dz8a;{j} zFmq{Pi;I1%yTp$ku|AtDr*2fj6D8z@TboSQwF?ra=c?oS%{-|-M{s=zE$Fw z#3AYdv4~QWEG%eNLGVJlNRdqm3c+X94(8_M(E38`1xKiy*IgGrElekcCqpjudO ztALF#_)fuN!!_PQPS6^;p)cpQ_5mq(U0Q;d6_%;JN`8}+mN_Qz)?$)G%5u+Tcf9JT z{&4tVY|zPE;?CC0?k81D6yX*r^_FIT6p!V2F!Z@m`u750d6NIcSFGFxc|-SBc223i z8#@5;%?FsvE5ax2UAk*(<*sbQ;lx*LVZkYw45nvbZu(03io@0N2s+0+&m&4&_asWA zJ!K@z*lWg{wVn=__ujI*Vz=YL8ic^PNS#;NUW^ys%9b+Jr_FjKI>uXgK_e%<6S0t} ze!O9b6AZb`S7y20^#}<=2X|GJ#bw9x`icrQo`+1)%Jv7wdT0p8t(vuAi|^D5#RaZf z70n+SeH5>|bMZa?`oZ&r@eNVaX#w?y@YU%>b?9^;_Mk1Y zyY2lV1MiLoH;swuv4?RIS`w-ehq}I!W7pm`8r-bK`Ih^M@#;&IbAMT9DKFu_vTktm z z^;?ErpX-(v4t_ES0rDhafq4nG++J25c{s>mS*!*|ap-9@kD`6&vqzEk<2#!_Q+!?e zo^%P$HVl6=yPF^G(SkybH5zzddx8Bhv-uB|xwOtwpJIRa`*oA*w;tA^CR%BOb^UKd zwAKKa&oD}Ta`)gIHYPku88K`?6U%`ymg4s22!PK55-P-+A4dnb$!rh8;}#4pUi^kvn(si+)rGt?z)-!$DG?mSD6wCB^QH$&=j@ zME|OZoLNd(U2v@42H9g9lqCn><~Q$Ky?=Z)HE^BQDM(D06+z{`%qNOdwkoGe%rq_S z!jh zilUyl1ijm97RLeGquv_MZnJ-;yzKM*QpVJlP1QlHr`XwAl$j4o%6<6M0;ZMw*^wR9 zKVL8!w%Wj-O{uTZaU4Fl)1;rC0X~1@;lpdLHD7Ai+J_UzKnS1UqzAoQeVYmq$MCHF zg7&qJ_K7M}qmJu-`IeenoU~<7icM~)lyyg=a2b#?R3iSm?6(@}2dU%?>ueve8}+60%i;@5DH{W z_?9kL)Q;%b31+y%?TDesh(AygiY(Up62?$kM3+dj7|wq{4A#x#h_ce)HcJ&J)la(8 zWZa>KQFlYSG7Y?mJ<;i0o{6z{;=9-I*Nj>w7He3-y(~}+&_N^w188*|loS}RlKNM? zUR^43fm#QeZ&obJEnpLmli!Pl>Z?xDb{+A@aW-FH{(a`1 zHr^#`=7x3xu_A*SH3k_4KE-~nqn+MZ)`n|Zl!)FRC5*BEajE`lP;Wfluu}g{!AkYq zd4hw%V8+;gT-Sq-d3daA*fj}RRBX6-4|K&HL5VS&@ZEV_7nEYUp3I?b$B!?ZA)2bfwS9zzf2*WT&b_QCgfM82VvrP$9R>`PmOaDKXI+cZ)6<=h9j+qQZ`5_l z_1~cTBN%_N(Y$ID@0pA)JS)QIm~^;17x-LNDvtQ|*Hr2_mlMpz{tV*tY%W@UU&K6| zh&LBuSNPc3n|e_XfmsP`d^pKuEcLlhOS*uZ4@+_B=QkYz3r@9VMJ=}9fSX~F9&i}E z!p>ly*l=y`KlEzWQs}=td!%mIBcVEmd{?mg=kc&rQ2s+gzRyCVP^asZt|vBa9y*Aw_Fa}52hL&VD_P||?*oLi0O9Kw@w!!cF2FNTD-a`MVBFMsFG-2~ zF{Gm8VAOv|D19}pDDMM3N9>|oQ2uHz>9pIh@jD3@J3ME}6bM$$pTC&C?a6@~ZSL45 z2#P$3YY#sMtaXB$cCr*pBMLe6M)Eo8g(7Z(a;&hnXt61{u=o~K*??c*iD4h9)3z$D zgM`FYzyfjLzD3cGQfBZ`K2fDc@hzq$ryc;KTX%JYF5`_8XJ^Tw!^7kgK;DfJ(#3Xk zPEjSt!pk?p1+-V>2kJ=n@ypJ5<)zu6luwes3$EBx(o~2g9RzQTySz{z**yTytvhK! znV{M({n7~K=GF4Na0Dl@h1@X7oSu!qP!vIUBZI0d?T-!^otXmawf>qt-z z(19Dz?-q@m>ro%iXWGglDf)uaCfH{kxFU2sWFvCYL#zX*EY^XeB7TBHQ_xf4&{p!z zvDbvgQGM>xwT26ZUdG;I53kX?9lR&ctsHlxle)vXVj;MtzlGqIamkF$KnSkD5jc8d#%~e*;QOv4~6qkZu&5vng24-T8kSF7#k&_hA3mka<^q*Ef;^P6< z6F-F-E&pqq-$n}^xzK)Gax>fHL_qm!+qs*!NLvCy;8E*c48{98OO6^O@W1#=Hw z9Io}A(vG!Y6eb1-V3u!77rd%NZJaD71;{`*hUl~3r>iqr)NW%?yz*=^j0*DW8(mWx zi!%c1Dr-g$1ssT*ejx>&x!z|h$*x}!RgHzzF`qZT-)`?>@NsT?QTPdvH@#0rZ7#bd zapmFL+<;Z^>#J?8jQHdlBQ+{*R)3IrNemujoyUiu)W96>_+!5ik8#|GLr+OwSWUhi z{YKrpU`nSq@dxAV9OR@YOC6sM@p_8IrgAE)svHb|orfer$g1p|m+!0P8&#qmVyH(6 zVMDmu2&MsVB(Y=21qRgS&>dOT@T|`L<<(<1^VU0fI&{QuWi(jfFw)nCuYVJBRQ3)o zS?jQ5a8jDqhGEph5l<$^dxWly?qyqW?C@DYn&Jg7zo!uBz}(W-&;ZxmrRTiMy&%6- zmkHlNXbk#tgXzWv#fAlFCYZb6zt>oNYt!L0FYKexQ%uWI(j zp%)etr)vOtKiQ)UiC7GSR^L8ZeR=_vmO`Rz!jRBvjb>wk^ zF&MBiYr|Z*!l$uiAvqR2-;T~U{4rY~L8lI-%w)5D1xO#1kIagH+R@P5I726CmSv?+ zs7*a5_6;Mt(x2|=P5yQ$)fvWEO1K2PTVnNvi5I8oyOW{_3pU7U7B&8PeaToCNz@d0 z#zvr*k8m$X`<8{wc=z9gKyxc1r)ULAGi}wDKM+G1SxEm%(bAMvq2Yu*FYm}Zd)dWH zBf%7t+}?0{qR;{~Gp(q^EA>L|6l!xV081VY99{Y+293Tn=$R6Dcbr$_u_5YnDR!lN zd}6I2;h#rOGTpZ4fP*EOR%lT)t$RQC>e+F;xwp@QkRMVU>!IIVC1<5Em?~x6A$_4f zTLg-+cd50^n^?mpri!VKuSfs&Qlt9B4k|Nqn^Eu9OAG9yj z$vOT)2#zfdhOd2w2x7-Gfc$WxrPh4QbGPt5w(nw+nc+A`~Qabylwa)1djG zJox+U57@(7Q^OZE^*2cFwvDV8^s(=m`VlN8cX#i-dX}7u@HuQpR%T2VrW%YHB`F_1 zJ9Z^W&gL)o;b2?U#&o`c7bvY3Csi#Ac0gxMfdB1~*#Fk6NJOq>i2ZL>#QwJ&t)oBC zT-fm%bCj`?fZ(bJr$h?O@4hhpYErlf=9HPuTQv{~5Q($NhE0vnd9O%_vVT+lAU`iY&we)R{zo7tqfafES0oFS$U z$3*`dC#RnAmfxcuF>?2tbG!d&_>^y-0_>~qt>m!|!);Z6lz6F~m*caVG*_c}4OXB7 z1(#Xfy0H7ZR=2(b(VD0wDlFO0y>&nuJzaXR|+FcJkgT$!xwecIU z)2BRD5mOHmy;=x9?~S=5&kCM3>+aBqJOI*3S6EJ&g^9NfVR4=mYXGLZ{e5P|+F988 zvIv$Mxj-{Ba0~@NYHE`SIsr0y=JJkoQ2$4^vZ8~J=~=r*7V|cT6HwA{%JO4iPW#Hi zSz~|dLh3t`txj-8Ptz`Y%c|;PB^`(m^@>@-f$!NkC*~55Z%y3pNGSDtU-#Om++Wbf`O#?PMv00Nm=T^!jO@AhjFkaBa4>lNOSmI%Xpe*e|b zU47Z0w;nY37?pmntThstp_yVNytmvJNo&7^QgiOIwdJuK5_XZFE}v-has zZ#ae6A@9WLO|UT)0T%~(an6@yZtwgit1JY^qN+WGySRoT%N&>`X~3WFhl=f{ciBQm z2($4tW zl@|UN%xuTFV=L6X!AqQ++W~b^!Qx_H{KlK^Uf3Q5akv*GPw<2Vx9I2hK(c;KOytRC< z0>_=Zf5@38SiCfdMKQfcZyziiN9nkUW>ZqUu@<33Uc6D1!WDq*X70a}#&`zH?ae(Q z(V6{r&p!Z-$33#dorvv&wl$FC#^WAG*EJY!e-~rwU$kCLG3Q#MiuZXSmp8n7Lok`C zaxp`nH=gO>-BjX#Gt{>*VQ;^~WNQiv5RFjev8@BsQ{`-GUxA@6U}?_vw|lbYB6HLe zEyi43Kg;C}_B!E`weyW)UOMjjhVgm>@y*M7A+E>?uB4cz*#~Hvf?|GmcSw)QzpP+! zNG0k^GsJSLfa8QaXJ5a_M^%n^HHFLh2FKvdkyp;>LN|`}?<5mF39MI2681J=)*h$t zUw3(*jTW(L^$#F!e; zISSSonZ&;gahwXoaIGAA0Z#L3N+{7rPZ_sijlJ}F1WrYn17yazT37o>ysew3X|lDq z`LESYjD9J_8aUJWm@0a5aL%(&Fvu^kPeIA~a(>XK5%uGEj;w$!h>kmy8G5#CC1E08 zzeu;*33rLBkKMU^%(2mpsOW7D@J(736PZ2*DJA8-ad49YLgv$T==bGK9&jK^*iUF*iZZ-4y-69F-m;v^H*eHwC=u?K3xN`pGR@K$A^ws*M zSu6$O@TJs)oZnZw37J&!0fHT!#E{F+EYE4A??s2&7i>im7V^dFc%K{iQ0n6v-u7VPxuseP$IQGp#+Mreelic>WZX=5~eG z=i-UJY%47RvcM+b6cRBlt8om5qEo zN}_;3!W;lcR^bVooXU2r0L;|$s_nFQ0g-dIPxp#_tA88bKjs+%!{1177~ z2NfYWPGC%#a3-zUaTgW6r?mCQcV<8hFZypaJj1cdnNCH^Bsp1`6T$qb@ha8pn#w+t zU3kMLbZ^{~6wEfJK@hXOkocg`NM^3zPPzplybp!PNF z(gpsyK{!m%1ttV3?WDAF?u-uy7Uq00u^rn=(|Ka~Mq$q|&f96#W2<0W*+(~1mPHM@o%@13%^qYcT z*zi99~_?@cj@eT8~D;eoNzX;0Zu69(=hdf`e- zy5T7Jre|eKs)w)jVbSy1v)ARK9z?N`15^jUn(3)xS%5V(R8D&LC+!`;^B-%Hmm3Agion2U_=KqH|qT#9~jqum>=bq!uc9WiLnXJHKD(aCZj?&4(=; zZe|#9=0>x3NDl7DGXG~?)0g*Lb8-7*PQSV)*fl@n3+lh|N^{QanmqbrwC*O<_EN;W z_4qS=nq5d<>2b`Hx@Wr8E3yTEh`{2_o ztXy_dS*O^4)iF4%>GaZP|5d_5gbZq$u~oviyAZDT2^MsY+PDaAgAAp(e#5l|{9FEDN1Q`M?3lO*~+97~4&# z&9Hcu51D*n=+cI%H$5NFQ_lK>iwJk6sV~Ff>l)IW${#hvS};9F`E)G)0AUU_deHsA z%BEYtK2d3ISiH1x2h@s;tIE8i33Wik+lAWHF%NpQ0;b* zyl=ZZGjioh9xRn`d)<5=88^1u-NpI@ee zp6D0knatJkYhk5j-C4xbm$&u0&b@hY$DyLkaZUmqbT7ZrAk|IB)7QyV~1-v zz-~5*zIl2v=19%MIi;FeA>OFu$2b=cQ2qY>X30B{( zqA6=yfwfs!1}}!SF;`I3E{E^&GjPA1lemPrugR+^3qD#2fZ$Lz6 z`J8iDr@9(0W$cRX)uF{-CfLHJV|2Jfa%BH5Sd&Twt%I6I17k-V%hqr5BCE7D+B3m~ z_>n3i6d*lZiwKV@H?yna^AF*`pkpE@<-BzTpHF@dH z7m6)(*l@YsqxhuQ(v`munAA1k!X!0D0p4;Go6hI7#zSeZ;j$34 z6msKYf0y#ClW-TB93ehw=!XqYwGOm%hUs#zMoYNgNWYdEk?E;O;=p8lcftMKRgnM) z@Iw)U+Xuh-+tSq!kd(s;3-2oREdATkm3jg*ynWsCeb_8O;Q-(oY5s0=m7)Yqk6j=< z;r>!9qK@^aweA7DkO{Zy7B{blwDD21aqK!Hm~g_jnODcFJ%g)Y*9msqh?I*OT+cpu zVT5_#+5bR5WE*f6-qEfu=p@}wsTtYpFJ)jQVI0?S$9iq(e&xC04@GdcuiXE`w0Z95 z&ls1xc-Rn-2P}TaQ`-Yd&LeJ8ZsDa*R1+)HwU=eQP3$jP73M&Hw%IN+O0h`aKfH!a zJLHWO-4;BooF(WA4547RyhJ;tR`}EsGgaCY4oqM1pG{v+Lve~7Tu&Qwcme+9t(N18 zN_n^3?(b~(ev#rueS=aU^u#LO4elhaW5O5iY%_og zG&{mGf0LhW$wdLmr!E-1##%Xvxwg9EZpw-d9fWsI*M1I3q+TRi0Xt z5u~n5Zj$I|XVi*mviMzoihE2?*KUj4fA}=B)wqNwQ;-~aVD4Fd>G=dJ^FZ0jyNH%5 zW}><>TP?FMOw^?p2Dz4FWJi10%}2FNQpZz)c=e^F)C z>plen?(33sB%jtELL4%yixBYHGf)D4gE{7RBaMuzxf?G#0ZcDAoVrZ4dp-E(|{J zhh2BHP9iSr=_j*?&c~@wG+dM2Un7L$>H5P8eGfB!iLy`W+nKqYLG$vl)hTOt8bVB! zae&cby4WxlyX4f~Zi`#`Y#18_kUuxOrgYP$U!pA_&{_SZ&gQvtSP8dc$DDtLO<1nH z5<=s#Yw#(ggf#t?19p8Q+q$q>{kCCVbGM6EF~{_eR{@3B(pc`Wqyz92BnDY)WCgn;BplZ#} zT4Cm`wCWand#|?Hj1~l-5aMw{1 z*-#@7E?ifDQ#Ag(2EWR5dEM?kyAE3`J86?G5F4(Ir|45uq=A+mwJtGipoweq<4^Q7!Vp+pC0*hIW0(9J`R9qBZuw^gLMbD4^#fEsMA8GP+k$%kmqY zu4bdkVl~j=ytaDll%>wi!ENG?brg`{H7=o-CUR5gSQwgEArIJUN`FK~t{NtNwVXH1 zh)=F2?9W|mE>c;aOAFN=2IVfBqUw`+rjEAV;FDA`w<3NF^G%t2&MP^uLp&|R8LJMU zI+Y}sDJXR*X*9VV`mJXmotAb$U8AuRe9Y#{S?8REX=TzrEw!odIJ)HC#MYgGO@p5e zX=CbH?1(Vq9*mA@PYowr{a1bH2Bqvexk>9FTU7%-sN@_-T*<~e&UXmg`^$s{_E>?7 zZzokmY>nQjjEE?1BD_&I(6Cr2X(FjW+0=B?0=xw}Dj~G!r{XHJ`buVx6S1{XFm2x< z*9De6o$kHd>=!35?j`Fk_r5Ht2f)7ddxX27`?>F@XZ;nWCs0Yx2hippnF;WsJ#U|1 z?s_gbJ%R=x-kC~H(=Nfw^|Hnf1P2DUA3Q%_chdo2O7bAu{{aP!u>!5=P;GMW{?#Ak ze)pM(jgg%BX2C>3xLgzAw&Bzy;lrt?5wBxC&a_dpj1!cloc5o-n|T~M_2A|nIlq*} zG5KhNp4bpzT;?KE-<@w13*lZY=~kw3L1-?C&23S6-hK-gN4)qf+rmX$NqKAppKyx& z<37TzKQq45`}DHPx|H|u+MCTI$7VPU=>je}*1JjKlE%X!r45iVNC~{fqpwZ}^~qwZ zB}(uyyWkb7HeOheJ%Aj&>C!dZ2uzxUJ#%77j6IKdmkev z4iD93^y;iR>41=_7ShG5C>MURyBmAg`!uqtyPFv39@Tr(Q7Z=3lL5guhvZ}0NC~Y2RfRoi%2Tbm zEG)(=``vW<*}P9~-Q7z!h&Q)awpLqcpS-&pt_yrEG)-eHnX%CjZ#(hdwP z5mTw%$7I(*C&6~9jQ|4ac49s~1_+g9)Yn-~BVvbLc)%>vJtgyQ@KLq=auA6A-DOu+ zW;1SoV!-)T_|Ay9u?l6#+q_piFB;+cNO!^POfv~zgD`hZ9cR~t1fh|6fYzQ zf(A0fmIm%j*aeBL+yMlzY&uKkiud>E(yv@rIqYgl}o>9%@t zT63*heW~vPuq|0$--yrZyJGFXE7d1Cc)`=QkdVuT>wC^y<%hhEt=nWNcwA@Ak%dxP z(z@%Ks7Ix4%4sT??)Un13gA~uo$~R}Zz1(8s#D8vO24kWvcgOT>9IeKB{%jv(020n zD9tVQ(&uohw03w?)D8i*gV!q>>luis>egBD(=%yqht|{@FF3t)%kt1@_z@{M%8Us2 zaVy72GgYAbIXJOBFMP}~8Mvy%o=Y)oOtIbK{<|v|BTu+hA!W#72VZI0nS7IagNp3Z z&_H;xy13fl|5auzyG^$O!Y+Dny~ciUtuo|I`Yq0mj*=l%90!5UF!K8zEWNywHQ9&1 z@_JLBlCT#`9RM`S_s9W3e_&Vz3~&*eFXd*Q7c(u@C<-!QKSAWZ2s$r|ppz8m{@MG_ zuTJpsZ-44k?*X}l^daZUYUi|C!q#MLo$tld?q?l;HLoW027g5{cROb3sAz-!&b?Pp zPnNl4d%n&!dS+oiaARza|y=wOzF?u)G=dem*8_1|)=M+7rr{ms=&=Fj9{nA^Bu!nW zo=5M6eeeCwuLJA^rwQ}(AyXv=S!t>p^^#QDY!A8BV16aE_;rk#C`OkdqgXRyD`6Ea ziVJl{bKUP_VytMe+f?smpEwf(gRHP2#x-ZV4dHJ!WA9n()xLP{U$u94 zDJ}Mc>(yU~qT0}=URtHso7+L+W&*%iL!&}A2D2ze#JMkfS42EJG5aW}Wfd?_)e=+T3ZG)Hex|}j9z1Mw`{TCP6Gc|SG^kI=8Q+?` zR}DB5??mpcF7pmP$8#)?@!TGHGNDn_-w{POu^NwUmD1W+Z^#7Kd)~-JT3C)OhpU|g zK?G7%V&njin3@nk^C@xEHrmvF^ubuOcgtvv!$CK#@|!1dmC`+LIW@Wh3&j6L-FpBv zy{&u00Tfi4l@3u+id3Z|5ET&t0Ra_|E=@qXl+Z1JNRuX=h*G6@0-^V=lpwtar6;ri z0p1nQ*+=)i=ia^Fx$k`Q-TBXGMo`JhTF-jQuK=IoowZK%Bw&ihF!md->bfJUqeWtWN5R1ITgyRznKuY0kdDROR$wly z|K_yIG3OEMvM86TMLi<$f(=P?u@>M1q5#0!sjO+R!o=vg#O34`mPLEnLwlDj)u~Yug@fQC6i=?%_7ZKIJ z_Upgj*u2Dzz34eB`s*9>(~0AoR-s3pU71e9S}oR2852+LbfhF@o?CtBlKyG>p69t; z&gZI)$xas$LQh6N#n-QXG0;m)3)JoIw;h6dJ{&|YSJEhLr=`vg0 zlU^|3vLa|P_l)mi)C`~^zUBt2eh5dL2T61I1lq!JxhIIRW0=K!&%JqRY)Ovw;J(om z^qojRU55V@=fQy!i?%l@zTWrX_@rCt_({wKQUahff7vs8+^_2Yo_M_p^thpmPLSTI zZXA?pAx2|7BQ_8^qH73qD?G2_#n|tRBUwGx>gFEixjmEswXqAE za4093;;=6j{}sEPgxEr;72wqTO+rHY265W0u`n~H1;(5~=z!#84fWgU6VgJ%9E~oG z$ySy}eVj)20-7?6l&6=|McW;>8>fwXf=b+XdH!XuY(oL;mCfD(5_#(;4f+z)%G}Z} zq(`JAD6>OjXiR~aEeduc z)Ax7)!;FOa#7mCx>!n@}-yBzl#kaRw^4@%5S{gC`K;uqmo;1Esv7Vd#qi*~lJ9q{R z$cBq8`Xn2l%N8OCvz&>?)%4X%#RDjI>KEA9{O%Ay4FDUQP7`@gAJ(*EmHV zIxJR=4aR|BQs#0I!>;*h8>HVA0;CI8=C5DAIb_@TKvA-CR8JmK{sG_jSF&;BvLI~K zq2B6V`jymSe1Fcr2PpInC=AAKy(!M2p-Mbcad}f~>FN>hr!ikduS(^0*!0}veI;aB zk>4nl(0v$`#bHCm~0t-W~ z&RF~-A9E`B7H3k4XY1u2_iOAb)1wDT1>55wyG~_8qhq&5v-Eri8=L>o0x<58X4ojE zMb1vmP{DR{OKZ&0=FMxX@4wo)bTRS0-b&ULs!W^5H%zbB>6T%$ubTPVb><)(J)4WM z2_v#G2X}1q4X10@1Fu##a({MFU^p#!Jvaj+SW z5?-&Iq&6D44iI1Unmb;bn%*UQ3lp-?-7k!JZp4NzEs#>!A0l?kiA>zp^JhIkTBn&? zwKXiWLVLJI`;+<)nEZI8;cH)FeY4$EBh({R1auTWQZqJ!#N#H)Pxr4tGIR-`Yeso+ z!r_1D8&Is%EQqQu?+>7sdO0i9DuTQ(fJ=gw&WR5Rru zt7LzXuR6X!I4n5%Aj!7Et`DWUMM!Li%esYdNSPq5|`$IIa0e1k4p?~c;OvEFxVc*D?C)ytX znBAignceU8J%==3L2GPUr!Dc{cgO!l`7k^n4uuap`>y_q7Ifi6D4mq|{==T1ZStc& zPouxwylR{q`}N*cL)XU4v z1K~{%qVVR@00Ox^N)+B~APR4K73(#}EqY>&$A_f0tX1fR+h8vf|K$A_!EA%Rrxpk?9&gw@UtghC3`;ULBhKS1`;d(e+-|c+M)E( zb=C|<5cbh!)g@U|#IYlfH!*B>U}dR;Aa)tH9NT|&!S4`>M1(&}A3gmCEBW{&{R29& zeqwCoD)GZ8jzxWxG>-Wy9ZXC3o^-akpp<5q3*Bj%7G$iNJN&s~=?ONOsMZr*b_`&hIQKnu-^YLh*y}f4%GcDquRvOKciI+V8SDAmx zb-LI1v<&;(VLDYM-8k8TN;Y4-)DDgHAT(Yp183S^B&Cwlz3y7y1brtPvp2^R!Bt~{ zJx7_Oj&b)mRoft;)uveQ^Wy+YbV`=5TjF{~NYrK^oE~=>Wk9~yDlel>oV_gLKKLhUcmzZD+L@Ll#v+)NTd@Sbm7T6;zstOb{`ghnG?zZ0h5Um6gBJ6<8;>33rSW zReoK%f=7s@5$gYpQ+#gwR+>HIrY6pB-EeXkEOeF zE}=>SpK0U`K&eh6R>(I4!}v!^cRah76lf~=2{cRz|SVr!G>n&Bges)8-6J;#tA z#%A~9UC}X~=`MZdyFr_s2k5Q2YsOo*Hq5CJU_;)u42xe+B1%8_zNCz_sXjOepo&R}D`QVf}W>O(n_1UUbWAZbRedm;uvMuhNd! zu?V@74|8-%yK$mp?6Y-}6XSS{1H|6DZI}XZ^CM^xvaxKhVtLQe#VRTgLa>$k-naDiFn_ijFQbP z_p(9yCp>6w7OEClfT96Yp)r9DRmkA{5D&Pns&FOq$$tUfHlzUc?26B&-#mQrsT_jm zNr+x)#;oxR_xt^cM#m4c8riJ&7d{Z+22PI}GsZ4bz?{C`Ef5VEZY(qpK9$bjabTG( z&RJc>4hA<*1b6#ri_)FG880V^nDGtbtKzp)OPi6v==ct;qqbvn(oi|pQ#!5+jvO)% zF~d8osTXTB@7d&@{GaX*fWi36%BNQW zB2P1s8(geJC8Fvy6ac6LtLp4>2_GfU_#vwk@iAYekY#L=SEk!Q%55fPwZN38ALtq+ zpeJ5n|dkb=B1(adf zoort)DO?_FEAz8*bOnax%h2Oq-CdXE*+9@x+aWbf&2I%eL+*goasSsD_;*L;Bxodo zI{j2@Li7oR%aJF)(Sx1@og=d0+HtbkmCJG!xWm-oq+ zN2huOOZ8@qwQBg~fzW5s`^|60E80MDL0V!PzBDl&5BioGN{^xwhvH-18c!Q9S1fs; z%{j>X#KxhAjm>f{gV}XWu1~l0N9h~bY8s@4uD+bs6?7V6wr|d-JAsYcKYB^)$x=(K z`yW2T<|o#*A_66fN)a;VR{1U`d*bvNkc}1zLk7_OtAqro76oZ-36T0!d~!+$aBuN* ze=Upb4+2YqYz+5rnqYxG#MJkD$a`LG2TNk;{NE0TY^D;9b zuWV;lD`H4@Q4n;rS3d&r&SHC@TehGbQ8@x6onl5x_OmM8_077gLN~u#Nn-+nUpg8I z>GgI7F=e>uX^;FX^mOM{aE#^|p0@us@~ z+oTV(qS`+rv!R;J`aPjl_8+>KoHTvuC)=eQ(*RYSvEiQHlVw$@h6;3MET}Ag((EBgq^M@&b zn$>Z0LNXwcu$B0jKhtwIqnW=&pCk}S3|RifmH_=f7NpjP}08x+grWhtojDexNbHQ5z! zS+eDKeV|rGWdi=Y9Moz`$e*$1mGmo*)n`=joC9hYMv4e3 zhdzDTA9i-Z6^r$s#A)r39+@I@@LSet!9&SQf{RK8LaG3yw^U|Y!g7r?lU8@tq^cBV zwRl}~ur<(ne+x|3pu59}`HwK{2@>rHdDSOXfD?c<-hE^KoV0fLOsy5rG?~;!0jT%1 zrwbDP7X!!tlKfG=Pe~-tP&+-#Bnyt%tX>*rL z zwksQL&uv#zZP7)+W{KY}9lKx4qBb~;666oX=1WCBxzQ~+6DuJW5{G}IK{Siy0#e~6 z-;B4;Cu!}ui)x?*d>Ps4ll85}8~!N+iO@C9oZAl;YcV%XmIHW zID&A&>Nl(DOkI@OcN*FmIwQ-6UQP@WYl(3-(5R4Fz2iMi^VxW=zrVi%_%eNFzql8JE-0{g<9%KA6_cAz9Jk6y9tltla4xE$?c6TJB-QTJ}n@qunqgw6OguT2Os8t?i-kUGtsdma+al zagFy(>f^YO3OM!PtV&^b=n1XQB3J+bb2lvCnu;mdn)3BCIN8Yn`d?@&^m0e9<{10c zjY0wGVW!c+O2M*{&Bd&i{VMTKA*8ofUi8qbgk0TtHaJ_r>F0`wXBtz50J@Cz@|a5* z*P_BRH6l}0ttwYn^e_55TMQuk*k%|$`&$d-=08LTPy7gxJb5u$`w7=ioR+i2XPS+B z4D-!}nzT)ELc*%(^EAs0$mXerpod2Wb|uPa_H&X$9jC{#NQ#5WV*Pc;ekOFLtK6f^wArI4 zsTDQ&HnR`E(BBfO25?x$MEcCa8DkkM3W)^c*^-jwo=!o8$WAB7J1o`u92etP^@bgf zypGwS=->QIY;!H5cFeyL1L@c53f;e&ZDJycf%L6V({F)vjTlIefIvDa;soxLE~gL5 zmU5sR7gl4Crrgx|2MftM&J0hfa8)8-?6$WOfBTorWd?wB%mmM?4%l zHT&eK(%uJ_^xWd>a>QvztnLT&&FhWqCXGyJSsHcsRcarM=sUd6^c0WYobKe)6;REm ztz{}IqwPoEfDBgO?e@4oEir$z*BzjzW{X9BOfbP2oN{J5(*3L~?Nk!BKhSL(me%xq z-I}L@!SPqo%O7%`JUAM?mZ7Je1os@fRUuGTlJi=0Wpa@6@(BYQ=wI-39p#9{$;DX7 zUoFsl@ncl?Ag;2h7(g+7c&jo+zoXx*A5if405v8y&fT}_e9Wu)M^z>j0!MKlVV;dO?S;{ z7SP$UTn}h*Wh3+(HwUdJZ4|@iiA@Y5z=_BsX`29e;@ew;|T8Wq-23@>3yl z5dgeAomabXb|-3p+G*|R4JrUeD(hA|yjl5Lf~Qz^^))TY8LOseGxnPqS(*Bu&q;Ad zYRH;;FIb?RN)bR$@6>8y3^Kif7YzVzyBnHCsXe!5mP8y)~fn`O}TXijalPzX$f`swa!=cJEuB)Fv+f23`m+KljA3mkVYi@U2O<1ky zbdfM;C(D5e`k4`Q|$OFA5y=E3rj0x5&9R ztTyu)h|}I&TqaDbCzTg^V5dS+<*sTb?a{k_oK6?mY0uT*d5Q;1(WH~ikIQ=L&^L}k zY^LHhv-Cyo|IH`=HuVF@7UPBOT~p-CrteQjNr=gP8zmhMGJ&MdVX#@cS023_T(bnLSoqC~HvH_JUY6Nqfmdknjr&f*kIC@u(IxLdsz)`DPu@IEwD z*P+)Lb(cw9X3SUM2Oj&bCsg2)N9xw_dOf9p6#410Ui1KQfyUf5t^O|-=pJ!_u9aw; z{&|72tH~dcK<+9t$b;F;_h*01vh>?N6UV_a#L%ZFrn_j zQHmzz>Q;+Sl0j#ElAhx;*HS!kh2gqk4G*hP3jwNHUYCNP0ju+rh-(9SF$rsz@6lZ3 z!C}k8%XncHqbIAc$vA||M8`LGMIl?yN@V8SO>^Bem32+A7r7z^1YoDYKb+LcH?}qt zK$vBR*_+&fbBj4C?U>AxzZTo^RSFjq6Wy$1j@8wiUb}tAH6=ikL!0Yhjl;XXjd{D> zI!Stj-6u3t9^$e)Qh0a;&~e8r9%Dbh_`6T4>7 zAG=GCifiS5r)}mwFDcGBHJMm0s6x_RClLjy75#>7xPCd05XPP7N}rTsuQnYC)yGcF zzg10~p|!ANdi1ALnZLlKbpbMITUN2_0G5YAg5=-Zb3jf>quR{n*5;#?V&t+9zGt^XE+gd3w$z8s?2jd9ki;m$I`PS`|jj4amz|M z#>k^o?xKmXg}I=mgT|X^0DUQ25Tz44bd~M$U4iT4>)z3BVLuazYJB}$#Kac zw5rk6gAX$`-2-c%Q&7bLDS3V@Df((`Q4W29XLw$eo4A zt=lv*_BamZgnZQKyN%gE9zI}oAnzx7WQo(Z{cVD%C0__^j%ORUT(S(pk4HnOx9%en zoz$F^7bhU2iY{5`lHcC(@9+LUzc$<#2K#3*edG%APk+booJjr&NG(xt71?RZzh3(Y zW?-GSTB7M=X+QPZk3hmpGE{emWHaEEZGEU>O>tv1Zua4w*d&kq2i&lO$gdnu4_@wv zH_PEtc&ETNO7-}GL#8xEwVXR>bR5vwC*88Dvcl)$8#p^dFTNTrB=Fm#y{{BdDSm3Z z!gJS)DX$PYHPv_Q#AF&jo||LmvF+e}{-L%r+S9EVzwqcq#YBgO26}CUP~N!+Zq`iW zjM-C&{Eb5Du-J;!eTer3srspN2!{yO1c!^);j<%Kub_lU23Vt_jwbPhIj!pD!2jm? zx-n3D?dJ*WH;a1s=M%Qeq;(W>o=TUw64iUf(o12c{=ZC9%M|Pgg_O3`jO{vo=apkS&qT{VO#OG#AN$m2#HGg%0)G#Z6?;cnoUt9egx4*war->`1^uX-ge^{ZT!XQN7po8>0 z%Udm`*F7VpA*h^F*6`$LPm{0jt-7a8yU@`H;lcX{hB>oJ5;!04)->q|O#wjf>vP8%Y%Z%VF5?1}cIuo{t##>lGK;{+T$s|Od_s#n z^`lAZv~JXcI$?b>Ma72RH?4ID|MPFT&k4}TU1*CgRHra9fX#8?3l+b8XBL9@h0Rf>d;F*@9hAvAS}XQ|(kF+b zRPZ5WlCBzFvha}X?>M2Jq1u1$N#c=&->k*)VEj@rd4?9J5PHe70X^N5~Ytwm0Nt@e%B_RrR zm(9MOV6U_KcqfxqMyft{R>Lb+z|=mXY}5IY%8rHY!o5eXNUqHxwzwJZBVA!me1VFQ z)Pp_`=pwGY=DuKI+K{RgsL;|MP>*LvsNbKp|HO;x?LgsY{QpD&iDpJ^s|1IVACGULY-qvH6VQ|6w3Oo%s zab-Z*g}y9rr()ojvhI&lS3Kw!*dfYQ6YhRf?oke>70^ya z^`C+%?%>&Ztm`6h*g5hvg6L;E`~7^6fSEKFLVa>8Jvlxwq`W=^ zGQR$yrDiY2v8N_~^U>qmWC*tb0fF!;Ob%1V-*~35GoPM?5pQ>~m<49)Hr zsJH@O>$-P@|JBE5=K^201;gHQGoL(qDKwr#+Q@6Cqxr4l1&cS7C!;B3bzP?gIzsR9 zSGTsjDo&kMs1QD=euhONO~=>TB5*rx{5yEHjj((IvfU$-jMB%Q^*KJkR&pCfIh$AP zLk^N7lDUEG|L*Ag@im>t#0xNCL=)tUUyY;G|8%4Mqpr&@VERS^L3!&e3@vXavZgj% ztrJf+tay@`7Zl-Vm@rF{P07Kd#l?RbB(P^N_4kfGiz!56)7fz3obPe3a>AigVFGiP z62zs#Sm_UVOgDDc(mU1D+$hrtUY@gy9rXriik@4yzg@e_{_akcm;Lc*YGvfKu#``E z<9u3L!EyPiX?9iJ8;&MOMy|Wc9(X0~ugR5==05>MG+5(TSQ{nh!TZBP3sx-Z0-`vDdAcQPVFB`adi=(qI-TLJ`_|Y>Ay@>^q`qS{vqbn{0ZmJo6cTSt;bdE z)J>Y9o%BgQG^xIgGsj_KreUwv)*5s!9IRbZ_RxlUMdD`Y5jYJF?F&Crml}D5;5$(~ zolePKuI@`ghZ;!6BE6uhBcH>xML#?ftQICm2&39)O*mEJC<&&GAA+<-(X%%VyR-yk_f#;bvv0!zu(F2PrANo-7PZ!xgN|xGY%Sngm zN?pg;4qbA{TK3ixl9PUI=QNU95iPZ5QrM*mTNF(q}L)V@wCbRV{r|mJ&_lkh# zd2l0OxW=P-=Xj%v`?DfB4cbADEiQ4)WYMnc7$G*z^dq{0Mp zX6cgxkLih~+FxOi<6)=13s(rmy~egi_-Wj^;W*v<9bK6gw01`ZPQa;)pT3hyx)bFK zE5u%AVdSn+UcjgLw^uX^BpT>Nsj3kFHzU*OF4?e(C|uipFWiiRr?d6GyC%5r>E7P} z$L7f8N2mTcNdMjMI_m#8WRL#aL&n7mN&5QURDW0`gWwNO61D*w>iQ1>qZJy+WM!zt zHi6QYhwsCSO$a2(zL~KrGd*cI0Z2D>0TF`nC17CI<&@_>cGOb4=+WOeh!3cF4TzhJ zCGinBj~iO4|L(*-%O-c$f=CtfZDuWRR&AXqJyG3uPB78+2-(p~T%EMuP0Er7;jK3U zXrW>jb;hZky~+|(%CU8NnUtu9z3ebNpOF`VJAE^EAlkr#%aoJXV0K2Mx;zp}i1p~z z&^Otd>9Fgl)<}G9o_1E)vH1m+r*?fnpI}r^SK3*{lOgKmm#5^XcRC0pJ#s4ea_$J` zSloLt_MLLqegRb5#2u&CoOA0l4`t|GLv=4vw;>AKW?PuO3TMx}XJaHGO=GiGj}~*7 zQ_^#`*pIf&vj#zZnz>s#bhAq_@Tp-eq?V|#(#2!2(~bdpVz&Ght=8iz#D-ZM(ZCSi zY0TE=3V-zZZzK*GppN?))>dx)y|9KMvCcFvrl<6&<*!pL84r1FltStpNa;bJ9kDT) z5)P}4ZS?o2EBZdR{p=p_#)$%+38lIh(LyB552azLg*VSdh zHQ{xkm!V}F(K~ZD!+7|XFL2_@9W}0qm-(D~y{Jt>xcp&95{&q}SLGMLM zTWtMs2Ns0SsVL69bxy? zDi=pgthp!@=mEtMJtDitR-DT)MDmVUdU8qsuM~^A-)D6k$lwel0R6(QLEwM0a{bsz z?=CC-q9Ml~>3Be7+3$Zj4O@Fb`&<&)z`F9~#}hK!j`p*g09#nL1Ng?h2|#wEi%8iN zPNI&#v^C*CJendmR>;resJc0_>{j1QfHrr ztSuGwSa$F14lUnyyY4$4a%Q;3d9>KYvCB%&s$t`*?agx#@jQ%W^{=1*k5>ceTCtj) zE)3v}>AH}nY~}%>uo9gfABy8ZU3p>=-B?YS6L7IIBEG};G3OD!HlF2`e8@2fz64x% zf`-Kq`0J^J*T}Vd$ohtJ^f%(|VrenlkSg>@+gsGEG9&odH2CScDWTKy^|^*Q_^5cv zqf%P$*;%2Cgs^zra0b7$#ppYa%WaD%9^G@BO<}Q_RlV{5{ccJ*xDRj#*_t2|dWo6dkXY&)me9O&C3!}vN>#HiN<=9Kz4;12AK7Ya}5 zAFQQ%Oce+6$VBJ6U8WUVrd-PdeQvGl;s~f5M-97A8S4h#rN*8IO5zdEtX~A5i=cTb zvp%;T?=N*Y3xEQ0NXBAb$WN(H%yCuMTV*~#UkX-<++Vh>K_?J()vbY*tGO^xpAC%z zblgJZK#onx`$y8hF3jjl)E6Sm_(BwUo}ha3l-8q7`ls6uEYzkk3aZKKQ`KQWIz zy)dHf+ERO9c259FC0cqRVXb*Iv@=_Qr`9O7GsR4J8U*S9YDMmwmo$Wl$+G z=|fhr_`VD^r^U$y}^XtHr3+6mUzb+Y;fI3K?@sfV)QxCf0QfL5!S349w3K{UN0nt zi0#qzeE^ZX5gH7?haG9P=n4Jj?GE9A~1+D{`2FIHx2cwgW_wX2Sl&z8URR$|?qE91RhLI!;s zw45w)kdAXS8RJ&c4igrHlyNDg_T>u;zn$7*juOxHNPRhCC?6*KLP3?$9+>5EAzYDvn5Q?b2Iuh{pU-_1lBX{8Om2zOqFM}yYm5g5B)yRL}6{u{DzSzw+)!Y26X`Q{Tz4~OWZJ17$ zLdA#B$SHHR@VwOpQ8dxVh^4J)==gPB$aqaoOYHJd$g#d7@n;EV?>(xu)BSeYB6qUn z@#fPJ(0GWNuG0n6Q?i7 z?#h|znqDw!Kg-|2X&`mtdx)+V=#MTgxA#yFrBcr*B}T0(B0)nwyOC3QhrmDgF2En5 zWW!4hQilG=RXb5o>EjXH0@Lyfm=ln-V4YKta>YrQq8=SYkaD-y^M;q_6Y3v8Yuw%u zsOLM=Y3%+G(fwx`obM!J_f?Kwgy>lq7ojSH+$rIPD4j`Mc@OG?6umgcMT=#dqdn!Vs7rHMe$aLn*K=s6p%A0A8`E~Xf4R}5Mw z?R1)prXn|vH`yRfK71kSb0>z_xKxffS&L1&6OF6qhOa64F1zi4NVmt|0X&kLR>W#| zXR7yBtmKE9ZYRPqv5BcS424?AbRYzxk}~Edt=s+d%0SbMQ_LSpR!fL(!okK=S`}V^ zA=($Um#OM$Icw|rpvlLl%z6Y}#Y4=QT(;r;9C2#bED5T@5GnWR08UZjZO>f0_#c{d zMV5v_5Ffhs@qoQ~*=6K~d zAf8+BUox=MC^#J>`~z2eGk}r}l;KmLkp`hoC= zvIml;8gvJ(0aP|{#}PwLd9O{Yx7m_s>8ot;s-%cr0_ z)8VS_jnQzde`GZ3t5T-Fx(cDKBP#lMausnjI%Fvi$z#HY-ikg7G1(oswMjI)6A1+= z?3?ib{k`EqQCrsrX34ddh@_2_#NOQ(M2*Zu5tj3Bl6|o<-qe2-?$45dk;)HM7f5cO z%603U)6OLO^#X)j=3ke9c|i>m9i`VA+5Xqk^{+2ueGoqS&+%oFKur^Bb$|~&EH7Yg zKY#4L72Qebmv)1LIRobp7s(JUumdcm&N-cjiNi;mPqSrNkOvY&7wNM?!kD2gA;CJQLMqHQrF0?BA^=L}3D zItO3>FmxSwyJG|nrUjUK1n*A@n`m?*4tEe@0v=P8*C#(1C$n-cF&bUQ?Sd>z_{o(X z8fpSj_(!bHM7_OieyxFab-d}}%|GAWMNbVsk@$qPx-DnvkAoyMy26spZiFme)@xs^ z0*fnm>)1ZnPWp!0mgW>DWJ6>ozfgpB6ee4MN-B9F*Y`hnVzUFuv*B0u3xE%gi1!+W z_m|O)G%;4*mR)GWQM5o>GEvWXtm2C>in*(Z41%vM9qk)ge7SXkh9_95ywL^QV4ggg z3v$75Ri@K4)hF^$$jQ|E(_jNtCq%Lf)Zi{gCqyFL6lAAnqI=FUavQ{zze9zw=kju1 zQ$$`~;lb|X*kupiiEC;*_og{(eCcN-XBZQYnoN6{$+E>21Z$`H&KE@si#}a1&rwg2 z7@*$NZ9oEn+<++DzWLxzWI!}*F1ip8y0Gbl)^M?%NC8%ZX$_gAS&OPfSfRS6R9j1w z*jeOo_^v+;t`5sBO}z)lpBkiVmDYhw7U&#@l)s&XodA(@?GtqW={iwjkh()Ogp5B_ zkcpSg_I35)Dz)$C@`e1j)0>ZX&O zc9Xf5>;R;LgjK;HJpGi=xgMA5^+X%_xyw7Q_7yJAofU3ih(=rnIVA5DGY_1;`mB0a zXU*Y_^iE{m`XkXqKO|$OhDgn^Lv0SQ)+6&YtMI&uXErXAtY(%I^fhZcm`(YbQlsF* zFB4vO9V6n$pQRBNn{-Kh=m(eFf+Ym>duJJD9vB~)X$vk!;fO~svB^dR)uwFIYi$#+ zJJMcok6J751~YsjTKn*dl{s}eq8aLB^VGbm|31iHY8Rdwj>avP7Y|s}sk$gXbMpog zNW+X)Za~#r0{yOqXk%rw{N!=4_I4qE`P&pkzn1|Sq#yn=abf0DW8F2RVS>*(FaPmq zLY;&HtwAlt^vj~RymPlX=mpADx!FLe%S4E95P}^FdDlU8t=y`z!q7I zj}qwiolf)k5q9eGiRifw_K{gB3;-cQF z8?}Z^ zN3zfRTR!JFKHVzNy1ewJPYHL?Z5X9(Gq7o9;Z^N$xS@JjOm?WZRT#bOBfvYMm+W%y z>$_QE91TVtVxfm$s}^5alwQ2QI|Ds*orx`(oPKIt`N6N+R#uYXE!o92*8Od;S!q7Z zyCX+zDya*)&r+0we{(~XI?EUcP~C~9pImMhtF|xe`|L5%b;Z?-zz_#xlS(_Wj>P&epTt>NqQGTTVA?J<|tBq8(- zTB)^KKI-OOK$`EBnqlnuzFST-gWc8{tl0xj)T5h>S{sXp2S19S^08hKD|0{65#uH; z#$JZ)ikSLjU4>ACLJMo`FWh$DlxC-gS!!$m{)pjvw+lhzItCw$ z2~c&jEV8=ZJ@V`^E#!mpYtF>y>Vv}TIs4T9@naaT9cB^CQuOsJ&&K-_Ae8*EfM23t ztJ_H|jk+%$e)(n^*{MAfe5S|<2;$_fcMYL2Zn1?U2}; zC4XwFKkR+D?;@#Io5_N)NlPWFfF_>Hw%AFZ+5`2)*D>1~({=0JBbeumY)Ie=ioCp9 zDPbq?U^HyyV(8a0E~ZAs;xC#o{86E6~z zFwKhID9Hv=FWd1KpLW~WkM_R~U=m;N6sqitC){Ctp1&m$!m_`3Y|`Sm-z*d;;H8;P z+?T1{Mc-{owoXnj8{G2!v@Cu_i$m*j%oUq_4c%Hvdj-`v{A9xE!8=aZ%1!R%+O@IE zO!Xqf33tVvUM5e|V$%tYne6a4i{YwL7xQLM(R&@FtaGYrd%32j5(>M+Sj8MJDv4ji zo2RLN>5L7eioEvV6!z|8f^P8AdY~iOEr3FaCWNJ~xN?O!q15$zdmTd^!1O9860zkE zo8y!*ZEq2%<~2a&JG4e7p+Ie|n$${T+lG*Gy(sJEs^N@(o!77L&h{MdKK^_KzO!6% zl}9m)>flqMDJg_x!skNo4!><1AUsPdsnLnLVbZEQiG@Bq-Sq)F#PgW3k z523$6=c;{1=qa<@<@2^@dp=@$FU#x=^{mh_Xzd&CU!BFP$e(8}E}|+=s*IL)S&3@f zS2H=)SfuSmaR(dn)_iLm+YB`FXe*T=qGY_USjw!wEbnNE8urcxdc8mT?hDbJPfXRd z{>*8XA93YmK4fng4+bzqsK4{M)D3;Ye ztY*LWjf{G+Pa*TA`Rnq=JAWyYbT9Mitjb-ce0!3$!99o5+Hc?(Aq28-+eSSp z?ho{5K9cF%U64iDx*0nzaKe5zBA$8G99^L%vD>gn@@_1WOqH64%hTZQdMsxdeD(MN zJE%e~FWXEIc5O#1XC^wm7fB!{PM0X_1b`V{g$9LaQSeOrc*fQFa>+|wF-@2=>tYda zN_Nww=D4lS$0-ns(gesLPubBOAO>azIuF;5yRS;O+BPupEX|pP$b6EBO$W;F@eVI< z)$kYjZEAK|nK({l5JdC7PlS*uhP3O`Bwq8fO5<{*G=%Oh>+7vr)F5fnif$yZh zvU)1iwNb@*-rh+N@kIaV(4-aFdD7=wBT3Ofrgl#l!*EN*^O&os{mdvhw7Wu8>CJ7| z(w|nhRzc-4I;(d6*Mp3;k;0xVj)tumV{!?z)Gm}*5!#87fYBp?$olO2*kvjHJoOf; zq6(@brNlDChDLhh3npB6P{Mj-FtBH|P{PbnM+Fjpd%Ph?N?8fL5eoDyEr!G*ZT*kd z?v?r`jpB z<-TX{>=KxmE~h7}#hqZ6A{>`Ts)gelQ;otdQ@7?lFv)Zk`@jnmQ#y!@#(m0fr9;HW z;zlx53QQm0@M}w#vY(YJ6+XB>8wO2E@l_q`*yTvnwRi&q2<=1MveVc<`}2EVi({@1 zl25PuCEd-UIq35Nr@pQ4sws7oeYKAdog1H<#1-qv0QecI8|SmhnjF})TYUz)Z#b}i zDr--STNbg2I{^veK)3Kwpvc{UQ@S)Af9vg!dMVD;!y=E^WRZ#=iZ`F`)wk<>^m*93 z`LV0w(ge?Wkx4NV^|=tx5zt*AWx963;{JAE4L)$}eDaaj&dbkVT`Q3Ju;R0rjf(OS zeJJ=f_pL~Upvns@ zpOJRo9=&wJFu-?6;gK*27oQ2FA1g5P{mBF@!kR8iF^(K^tQ<3z7@)bM?7DDBa%(tI zw_W7L0cWfsn)kE^(HIY4pUCa zCX4Um^PX9hKuBihuBX_NL+rG-&62kG&w5t|&j(pN4rXm26AF3?xJPW13I z|LV##-Y%q1Cdj(`HkJa~GxmJlXqT<;^eZNeon{yqU7Eb#_&+?IWk6Kn*0%T1ND2xf zr6AoQA*qOTccXxSbmssTC?Fvv4bsxxCEeXI)C^rS)R5oyeD68``8lk;p0%#~T196S z12m6W^>bHB>bUh;f3fLZknwPuE@vx+ak?bTMKh~DUZMAot?G4bwtG~u5!rO~O)rgC zs{Ze)+6zh&1{s6?2ML$`)KuQ;;2jq-p5ZtoID9(_8^|eU^|!Sfp9tPJcDq)C{AUgx ztNG^7vwoF9q74MIC!uVeveLSy+&x86jil?fuUct!y*>0&fXV1@=p25Ye}yImWsd)C zteU5H7eS-?8Y2tbFN%!v_Ddg}2jum5T#9S`9+l2E{D;-y0*)|Ts1^P8J#!GH#H~80 zlq{(U|7%#QXvLmHNwpnnm~ydx4(^)Zn0EU|?Rii7Np*Bna$=c1U_SpYB=chp$=4;Z z^(|1hwX1Av)az+%oL-TIJNwQwL%|H;8_WSXOH?noH>N2oXIMdio+ss0>zCeJ4h z&nJH0(6FqaRUgFi!|&wF$NlAYJ;)G44nOdYnPR>hSeK?r&@i0FmN)1gtGzix)V5VM zwzQMB?Ss>Fr#znN#-pN;?SS`igAX#ybxY}F-*9;QJ{VERXaA_oo_4bS8zB%d`k8JL z`_!(=kA_WH`pg!mRa&Jj>GCm9$N79viTOL^PPr~vyfX213Jzd1f!junOo5cfO&#-N0?$JS(DJH_OGm-bpmA`b3GuuX-)Qqa z!(2HF5QE04Xpldz9L1(I9*s-(>#5*tdmHqf0!O*XlFzPiIpk^T##H4`2B19t>;2e59%GRn$_hEfnIE0}*Qu8rk(1Mn#BIyv&P-7gSJ(gKD5{58 zFfv{0c*wLWdg{N>nm#>|{e%C%i!?o>~Q;FhpM0U3;w->otA>K?AYGl=fu5Hr%~ zE5USlBmegzy|#~K2O>npNGLlHWL@KccJym!ZI`IW_-5CfN?*eUG<1FyUNz6_U5zC4 z?*r36cqGfcJ3S$|2cb-_PNfTW&qmL9MN4AuCk$55{Nj8@7wHTV8MI%ekRZW8g@b;z z`ZUDM^fngeI|CxD=W`xAya0#k65y84Gp68{nOO*Ro-2H@u9#u=v=eZB3|68--()&A0`N02z1I(7%XXa!% zAfB~0O)_)tIK(Wmf?E$B1oL`c^wvRVerwaca7Uq8px`Z;S94^LNpKqf*86$_{o)j9 z>tc$n?q`2Kig38fOgkC$dVDD~NpAV*sTJ4BklYl6t(K;JGT-bPZMse399iDwJGPmV(=ppDu}nYQlcvRp z#UL%0PqY}k)Wxy3{ZK!fuL_hf@qXuwv53eeHW1{1nSF80jc^m8d3s-VDP`PKF_M8Lb>&|5XD^HDgao z%t4llZTBjb7qt_3>a+(p+M;~=5pPg!2eFua-Vn*EQKtzGK+1Xuj&m*+du0De6&fJk zkvh{1tjhTES)+dSi07^g)Nn+a>@nz_q}Nlr(LY_!)JP_~T9?s90MZ=A@i_L=(9=S* zC7nMcUlddvE;xj366Dr`t#y{}0W>WFOi^Bo2-qNF^gGFNCniVzOGHmRkYz;!@mIhF z3@LF#Wx}y9D1H}XUGA}q!&_Z|wiY~Up&MfUgu~<;a3bFlFmf51^wb~JnhRfknszt| z44$qD?wm7TS+bJ!q`CR`>RQ+C)nVFqxC$n*-#w2zb0sXmf!D#nBvAd4mb~wg$=Ywg z#aZ2kH4wRyK*D{GnLSoym26{1EukleliSBq76hzNd5#Jp_3S7mwSeObbv7jt4>$g%yyzYv;C1d-!~~EH64-BJv_~v zQY4xiRedI=*E_XJehv$qfVq*U8_W#E+=e^OlJPM7$8Q{G#gS3aRowZSmBH#xPsUIZzM&X!s0+j$+`v-3ua#8<-;GlsCD)9Q{VaY zYIK%ItjTQjmOXu^N{`q1?E5+a7tY*Q%p(nMcQp*4EW>K`8YCeOm<@Z&6lkk~zvnErg;xy0@6PlP1a8NMK zl{ArV@|~i;1(bGs$O+_swjjSE=jHtHE1chU<3i;Nj~MAcslzn}uTA zck7c{YWq6}bhN%(nW^>u*Pz`uq`?nZy8HKXzCTtE|7|91`wtIlP{o_x4<~w%wM0=;!d=mv&cG(gYmWDzmpx5I8SL@L}8MMJHJ=b+&xte|G7)MbH0TJSBZD1Y8agL zb|^yl_-}tY?TP2yS>KI0a!~;92t3*+w|8O`L)^5Ny4m=&nZz@Wl6SP$iSDRz6Qh^t zMFJJjvbudp|RzeL5ACBhwF9)Vo z-U>7G8xT*N;~f_D(9b3AFNhrSl@#=d)TT`0zDA`chx~gwyTf!~CL>`^iHv@MhvxyM zXG(lWhUF8m2P#M(o_aTH9p6uQx#bi{Po(+6vTf ziK2AI{vARxDd&uuPffkD%xa60ot!Mc1Hp#rz?sqsW+(&2mZN87GLzEz(%aN=k*>d` z0UJb)&Yy#2BVEWnFGDU*FRNQL(gywwzD?27XuZ>1O;-Vj~5G>sEgx!F;yf+Wo*>@f(n8^5ME(4+~gyd^g*2+Rrr#SS`?AuZgDF1?uM>+ zDELYN6*#x@x<(wa64Lu<)c>1HR=ujFs(!l0ov(Jf8xoN{IADV;_iAG-`b9ya zz~eQ+R*N)TNI7EC&Jy%hrgX=8k`~ z-FFmI%Xd@}OQew-ZGsR1puQlXMgrZEnGxb2#a{|%aJy^4o!%HqO{^@ZD5bY3ad@0$ zz3=w8zOc>Wb~2^B{vX-onaiFSbE3*$D)RbYe^SdWR8{h#vz5x_5_kVP6}z&uhEhGU z530{Ro3l@TBXt}W@>S7)aiwNHo7k;{vVm`3+SNZy%@Dlx!90e%8Q&)A_C0;adOEYM{k5=B~}s_a1gOX|^|U-?s0Y$LjovvuOXaxM}>{W%38 z2Kw3quMSwlzEHSv?hr<+{`!jg^`0IZn6!Nt%@&^!Y*{}3ihcmg0uZ4ZrRI!ei2va3 z8H|@9@9U{ec)Vp_;1?J@up&;Y8LviICTAd5F^h|*Nf&0o?MM#M5lXUDq&AvHXC1zzP(XC{3!Cyu{e$ zoNI2=pqNMAEuu<&;#U=2EGVe=PY0CiK};v~gFE9J9Q+;Q6ow|t91spx;f&H7`^!fDiOHz6U|t zT!z8+C&%3XPD%TK1saO$ny#ciOR8U9B!h-pAAi*8$-MPy%b}=&Dur~52Ca+-w+N@n z!hUPq$llOGGc(WMFYj74_n=j<;x}5#Y{sPM8aKwQ{mv@WmsC^}j<0hf7LDG9xylG` z8;QiqrNA~dT9=44K0NwZ%PRAE2Irb>_ir9HCoV z5~xw33r18f;@*2E>hekOnD--dI*_oQN_3I_>l&V8a#O$N)4%*pd|H2t(u!~#8*z~! zitCowosXcdOf2AWG&Wm!H1mk+!u0_k9^Z$`DDm!>2MeRuMeYvI-&0{P{)&YO*bVaC zW4*dPZ*7e!Eqbcy1vF(I$NOkYQ(B39e>W|v+A5Zu9iD3cnvPv2wcq7fx8lqU5+tLh zJpu6%sG$|sv*X;K^|UPdFxc?0*Y9awr!uB4-3P5{RJO@aE+A>(@?U49ij9aaT1b)_ zG>%a@SzqQrI7qM{xaIB-)J;bP+eDvkEM{dMZq-#8K!SFl$UYXYh1vKNAs*L5B;| zD7$@+_K3^Bn%KQHjDI@#jyrfWgBHvaSMtbsc*ugk-b)t=xL$+fV^@KZ2*<<-DWqn^ zN$))=$=kZ(+8D+?cGPRS+sUwWv-WILUh)%_gA;mqR+58L3uKvzj62h>`Xjuky=a|*b^9g<1A zTSZ6>8`F}mfB{*yle+bYh3#+LnA`*`y*&{9p5KTjtk+u?HLe+3jKd#PDc<)^uPSf) z;sN>xe-umz`3({X44zcBg(_DNeq7wkcAvCT*opZb---F4f}x6#G~=s0IUnEsRQ}+8 zj|Yq^DhfdyZ7Me}&K7tgzuFM|VTxN}5A*RH_}Xh8R~oy73+?t*!pGA(55h8-9^fP1 zc>fzCGSbuMFo$}!^2xVu4-qAGLmwyjL?UN8y^G9rLqE3HziJ8=oZ)%TR$9zYG|%&j zo=TJj*#6XZk&7`rfm?eD@EId^g=+*F>Jv_IILjD^YfV(#zHgUFHK1|Bm<0$0t2#4EP1iw z$WPifB-X)g^<>JWRRY#bt}3$nPA)uxy)>MMfOa*xmLH4=ez1{n+HQpv0Ydrl@^b3pIU8xqaz?q zi?(Gw9FRRo#2229R7!dX=p$(1!uPE|VV4tU92os@<@B;8>JS@zrCSfgT`ANuKNmM! z_Tv23HJ@99X>0%-JB~UXwH!58WB%-_Gib~5Iq02IJ2rVF3oT4HvU+N#4Wf1gv@y~i zmlZ7&+q-fl_}b=MvfYoPAJ*VK*1H84Efb23(Fse_-V>V$FDoVK1`^a*WK@0?e5 zonK9@^YTlJ{f|eB-%dFq?QSn~LG}SD~ zs(|Ga1<2e;zIXx$pID0b$#38&c;g`ZYE^cmO?ViRP&v64`CqimzUklW|6)u_)iEM) zSE?%h4LAZiI7&acX@zksrg`1^*b$u*L5Dc*Y6zsx&eKMXb5mJ}Os?jo8p+kMVYYeD zg8CkbLvUX}>_xbcTUSU77?(%)vc2-izdn*#9sDsu!A3^!_qkug5T9-W`p@&xHq@y~ zhVBxgt@N$cxBjDbRX#vaP=s`jZA>*@-KVIUUp+&$oX0Y5_RAo6GVNRvy*(<-Icn5#-7EO#k9Mno) zgsj)CDw%R;m>p>@ZiKb|*cn&SLzih5sBNsh{LTWyw&{@dMr%a~x@=@-qt@G#MYt80 zztr|PZmz3|C*B})9|5!kY%=sl;uEB!#Jq-*2NYvpR4%tfIA+>d2?V3( zaDj>_OBY^C^ZwsId<~DLYQ!&9QG6?17A@HNNv;qKF)_xW6}2)cQI(@l_w6fCF{uA`+O`t zrU*DyjDX~y{tRmK*wInqJk7v$Pa&({3>Ad&oa3NVuek9LF70g`BJd=v*QIse-ZHhv z&9*EDliJScg7d;>_*EDNz-T>RlOT7!UG|5EG(xCxW?Vo%H*jR1Upm+7X3}Tcy0O$w zjCv_KNF3ss26C^(9~YGwutl=ON1_xmucsw20ZL|!=&z0=OiG^lt&O%@R92!tXmk$= zpDFV`*3Tg%S8Bt$iLfsSa~awGeg4PzdYXBJme!d_ax2?^`gl+gdSr&=!NAB?0$z|y z;H`{za!L5ni?oaiY$yJj`m4TEOILCz>-k5`EgNSEa(+SVV|Jl?!F4%(`cd!Z5=VN| z)HiSNRS_{ZFTuBI-2V8Aeg&qOd*$Xv$iba+Be#<;XOf3LBMW^PZ6ZL1D<=gY6S?q1 z$_|PoG|1q6ii1TK76dhr4q}$eO~l*VBwFdgcokv1gF5MmIT_nj6KP9S=z07l(9kOp zkRHiMMQ&4H1pM*BZ%V5%O&+p#)ujL1$PxB>*SXzj8E#YVVRV2z%-52w_73Xhvog4aA@=5xU z*fyPQc%9xUc~jzcZBq5@J|-t6#>crnGl?@d145~g<9 zdZ2RY;Hi9S_J0A6w%iZqSwN84#dYiR(yPW9!2~BYNgo8gl(nUq@*N5-Ctf(w=a%NR z(S@M-%?VB3yzUcd2pF=U^YX6TH1%V#)mqfS1vLA8PpE`G42o{&&Ih^Az6~iZPb}oR zQnSMs@E+8mhFNQvr1v+;7ZtO`Ol|zTw3n)FVS58}UCfiJ`G(!*D!|+p7C_XDuQfm8}NfE>bwZ4NNm=Ry_J~{LbgY&w3?` zDpIH=Cqsl||8qJNZuxS$_<*xOp!{@&+NA!Qo9@1RpzZCxx97)O{&=e?m^bXbl!eDg zi;Alc509UtbDi!$STWGH?QYOw(Jz|ln(Et2s+7GDyZwxOL+rh2H_bC7@o7Xw$=9Ou zOV3T(J=*48U;f1Z&?Ip%VrtH&+Puv1-j}x5vdfark&yeX9J|3nxW8KCSOia!*=Mef zh8oVO<_ZtE$$`2Z2iiaB&zsJ?obQD8i_S1M@B{EELeu@`&h80;vK4)1+xnH{psT;Q z>(7V+Lc=bOnIfGp44o1vf}UJ!U&IF1pDCh|bsLe_vGkIw{LMt359$><qBkxfj0ax3tV&F&pf+dhKc=>u8mVnV^+1$8_zQX7&zm<)Tt6Zh6qk>l zl{#;%b3FVT`IB1>8AeXbG#JODsBFR@%-`Q+8O5RISXFoQlg*?qJS==t;SmoN=wGU0 zLa)~p(K7L9G0li>9g#;$oHyyi7Te1ehQa0<)r$IzSd|ONM%N15TE~32j(Mkt5A#owUk=LAlZ;ahzCxV++P{Nj>Fd3sAhS4@ zt0O6SJbyp5v`EIsK3h=Rv#J|X*#G@rBRx^Y#K$G>ZI-(p50R^kD$eV>XI@vDcIoMi z5hCv#{0^{a1movP;54zJ=>uiCz7 zCfs~AJ|vA%!Ql;9myy%J%>E_^Rnoq(p2T{Rp-aDrd$KM0K8k3s9m7h2+M~3;%PGc% z^F;r`j3RDDs!d$F<|hRNVz?q)hFmACJ^vci zB|a0Tj&?+vAni}NR?py=XGsqdJy0Llxl~M(rF*dy%{-;V73iV2Uz(GHG>FCa${h6q z*C;(GA;5Tb7y04$79BG&dPueSh*6yKnOFmEnWJ-*~OoE?o_ zcw!rLz@-i>_@?W-mpwu(OyLfyW^tJ7hKb{SV}AnI@EN$h56tO+`6i7bBZdH7!2B`x z=)PAPzQ^&vrG$Yr#v|Dq*?eTO`dPIYV$Ezh>vxmZWHpS1oonb3&zA7%Rl{YL&*mxD z3c6;tbKT%<@9g6?kkvoxHJ+COzc_GJ<~=cvhf2bVTw`=5M{6aQ51ry({I=fKvuS_8 zgqC2Z-=>bI_H5|oySolJ-5x92PYB70@gF&{Tk7~^ES*&H;hFtLWpp`c0QZml5))qUXK0#%&cl<#ev`M8M*fUnSiOs-KCXa<*{) zOtj2y4I-_n_WB?MQC5s^88DxsHr?4@G02si@EQ?_@qnjwVf?*`T6~ZHH=pR+Mi0&T zCP4a$J<7DVwl9g7{mS-lmJrF+d%k<56)g#(xh>&83}@6#gvN=|Ffyc)gEzV8^`|QB zTKJ%SK2{FeEufdEcTQko*KZ$t;DNZ7v*zF94soVbf&r}SZj$p(`sL{b4bT;-XNorV z?gS^Ub}kB=zrP&kf^-d!s>p-6zd3~0fS>nq#)gu9ig?c8k+Tw&ty+IrxQ0(hX?Q)` z*Fmm~pODQ-xw+T9+)MGrjKV~-+^(;Y z>#}_vYTSwAN`cgSc%>Yt;oKm}i?;lh5(|pLR1HY>WyU)RViJx@iUSWn)7_N_r~BOw zOMejxn6S|$U8!xk>Oj1eOI!3mI2po*lwbg)-ij=kc=)qlrXJi{agkL9ygdrpOL<%E z^zD-VSP~e0wVbW`upTF?Jbnxph)+#$kqaFAPK;v?@RGExGH82Jcr?9%jJmgY5JoGc z8ZE9-q_z$^si(*eahG3Mm+gv-fd5f1t?7-iZA7XFrm((#e=I1-CP-AKxa|7-9a)=$ zv2~Sk2F;(yiYTGvLFqR4e!@6%=k=3T5D1f&>8Hbu8gvQ12#(;QkRtd`jg)Y#C|NX+ z7c-kV1un=uV^QpCgS#m>vdw>>Q-2|0`A5Pbx#!gMjL=7TzI{iO z&l`gR5<%$fWFt3O1^2NAFcZXT^&Vd5sRV4|L@tl5r$tu5RK+rIVuCY)&t!CP972iR z>}CaEMOTo>Jkww52S#n=pLO-7@9r@zJACd~gMvY|G=Y26Sd$HSaq$?6qRX3}ZGL7~ z`^mAxPLI=_1k1WP$!&Z{9Kk`e!{1C!w_d3qlEFwTtxuaAu(YQw2I~|M;KjI~jd0_p zI;^d-b*~S+I8=)l7=e6_Pkkg%#z>la#Fm#b{_(o0!{2B;^0Z`>rPpbW0l%!_D=>^zxjmM-$sw{;I@M%4wga_4SMn|c2wi_e45g*ST zYYnOJPr$$f51^hOR3zaE=?dIZ|3>x}OUgG-M$3{MCO$=~gfhJh3lkDlmML0dB|p77 zo7liD8T?g9f|be~2>)-=cUJ%3N=&_Q`I4ju^fJt7B{iQd=lPsi&`ZsZg5^+-{&WWs zW_IE4Hq*ESUb8D{6=$_$WYnVt>gb@sKWN-k8xn%#g}5`V!VmlUQrPZBb8U|Ev9?dI zRGFg87Z-Ot6)5juwR8@{hEfZU1}?(2=~99X9adR+O4ttS*X}zP4)bpT zm+T=!)l|EX%C3ebb?A?=)D(XA53fZ_iH$ohCrRU|tv+%Kc$oszBWd3WJ-`>`)#CgR6Ka1tDoi93`07hNU1 z7kzX6M61%2-yDpABk%#DS}QX~)aj08ME~L}E0TyHXxV>u-zo4aqB^!bdiOGGr#|gC zaU$6YYM~9qV8;4WY1;5`S?fQVs9Qz9@>e){on-W%{Kyat7fh5daZY_U=&QyU0lh{drfhud~eR;+?#RNSXOiGjM!mm#%sK>GR3bmI#_a8d3jWlwxn87Y{KMxv9azky%oiWKYeu^`Ts zGQs&L@^TP^sN=V%_f06~mb%zU#$Dbr2Rwk(TArKX1Dsqw;q%826N?)3w_ZWP$&_8i z-j`>G&k_#0_b(L!$Z7s<3_mR$YemROQw;Pk+1M#th%@mPIzhA29UeI0mprznEm-ui zW(jK#P?!J;kF0;c!ku`vS2x^MH*7OUXHH6vpT+8$ozU|o4oG&PMSygiO1~vW7>sX7 zrc=}WMI%%KGgtJl8_gVKjf$A-(mqCO$Csw=k8$sili2B2W1F2cTY%W0j~nEfdf;la z|CP&l>N=1cwCDyRx%0H8~i6LPgp)qhYxBUIq z6e9z|Eoe~NztURu51N17p-3B6og+Jw-Gj{z$>_BEO(Na<1?NbezB5WZC;4zpT-O}) zClkr6*WwjV&-B{!`cw;_FPl$e@R=XIA*s{p?C(vv24GJpCP$<_|d z$qB0%7mYVeaeARdpVcd-m(F&>)M^4N9~B%?@_GFu;Pcrj7eRb{*A+#FmhPfUQ%*!T z7v7G=uOitA@FzG>Q6;M(Sa>S!qqzGyraSWDf1*VD5*#5i!26&cW^=p7#Iq+9zl1Vv zom)I;6EiM4ZW)Lmcq81>r-Iw#PA>sx96ENAC|MHmha>vb{4O(26TfcqkF7uzZl~98a=F(WTbhrU!lp~=XUBK3Zlnpbh1l4ej)NAt+Z#=^M8=>E)?JkLW zGm@yzEO+zI_H7?yE(gfI3*ME+>sJk8*}NQt$mLk zG4`pq4ect@r#un=B`lCz(Qch2n!eA(dDp6<6Je>kbbSV9ee$?kGd$w;F=7X6F|t)< zx(lX_qKK^Yns;8tASdN6#rSHU z27Pl;95=0#6QRV>?pZ|EO}3lu>M$ArS`4Pk<4{@fh8)qc@mDTp2-ao(fHaSr0MSC4 znr@p)G(Vxh?9uS$GX^)1m@|UsdU-7TlMPafG&ghGfT8|6Cam?1PkLl#Wa8wK`m6!l ztK=k`Sn{m2U6GMyzHG^aZ?8AL{AEm&I$co{Mds3h>JznqaV07wi)7PUuQW1;7Ma<* z35ulrZRK`St9tK8_C`^(@S9#PzTW!%fXcS4|JY5Z>7=&3IytHv^eJ-@g_$k)Qidq{ zAm5-(-d*wVgXW}`bmfF((lV1ZO;aB?!G|ADEa_A}kR?J0RNXWHZN z5`HV|vcqJB&8Pf{eGkMlic=?pCYEKHO+JpRyiR&O2-wJXgKz29gV|9H=F1S|Gj3^> zRRxOV{`PW6wG*PL^FubiJULzfIoKOE{>n$zV&-q@Pd>$Xf82ce)$HP{<6r1vcBlGn zXFVk!nkQmP>PeTz2{NIzDfv21a@!A<02%zlxl((pkqlk_k~bxHQP1oko>S4ZUC>UP~+Ws6gdf7!#FalKf?AtfZAa=#XfA< zNbe>h6={;uRo>6_fQ{y#4+_H0$pDdi@*?0^<_|WVMYVp9{L<9{I3ZQ=hbD8rz98OW zJT1UVi~JCXj3vOl30M$(!O-)IW7_;Z1n4)qH4VN@@z&n>d;32ZfQIJ_rNhXfH}Hbv z|0)xb^ZsR7Kfw8%yiHJvYJq<+v&E4bk^4oE;qgl_X?JJ;4_LPie|g|C;`h9^wS(5W zuf?$m+&Iw)JMlaHU-2}qH<(&W{DrD(d9S_4EG!dcW(oPyl%>z7Bu~w{RxA${FAtqT*L2%Q~F; zX{3dO;+v#v+9G2jw75~69ZtkkDHh#MLOO|dDbwR<{+%*TD$s0TGl6(Uo6N|w$ph9z z$YS-jIE%2p8God$X?^y1)EDp84%get4U^}AqQmsq(`nk9NI!v*=EP@#l@lMMn+v1Q zk4F&~kLue5KHRoeg@*8KG&@C%+mg3I5#5UH=}SJ-F@60KJEe@Oipi9K4Ywp}WZJ%H z=?Ti}O8AF-_lgN;MJ3bi@xP2TiN|t|W)uLO>9(ajkCP+y z-kPRVQ$JCp_+PfxQ_t&Y1=Ee(;bu?4;-x=aNlxX%j8%wW$q(*hzc-|D?w${_K><{0Cv1JKQwk`v0 zg70Tcyud#WyerAl{M6H={&imjukD#nJUm`5^%VE^hF`ziyqzQtkPdtE0ykfZbdMn{ z5NCo@0-R5h;yr7m)sM)GG049*j~JMNo$4IuQsWjqW~!t)iCoxc3-ozFE3Fs7+4v0X z74^O2o~9p9b&Q zgr?}Y=0SiD!gf4~;wm?%flZ}O&Y!8DeRwMj>$Am9#H*H{uBGD}I)`ci8Mg)2);4^0 z`M2xc8q534`WDTYb&Xgfamb+6^z)`o4~>}RxE!X$fIz#)v}~5kUH(1;e3Mmej%amT zllNq!E`AZ0t^el}G8cGWHU>!FbYz*L`Vrw1t>ccbW^?M#otA3nobHU2b3Up0@0o#0 z!<&n4{ZF!mQoe}vDj+Q#@X95tP*s-t0n$lyZV`m)Lthye^Q1|=TuMQdzLxi&v zVt+WS^{a#;3?K>ilWD<OUn$ z9xI_+syy3gal*7^v<(N-yYafC!iT;Yftj5&ze=k8w3Ah?BbeO!@r8C(qxz`X0vhWm@p7*X=;MO5+BqDsIb|FmS| zJ^PP=;TmO&dL{cjnhuAaES7arE#-yEh}Mi>c|x_%J)J8PG0z#ABZedhD48~z$FNmzYVoBfK*l!A=W)30aM z=RVb}snRSFFUY$vpEW#G^@&jvmr`uWj!t(K3pTjBU&fjfeM9|J@?p59;G-Pl{tWvE zOiGMOj4@`C+qT||z4zl;`jveY)NWZhjxGB`FxJ92ZC8~7T#gee7+CoK%250b3sHK% zcANkQTR@>T5;LS6j-HeC2qwM9HAkyYdrrymI(^K+I6fp3kCb8HKz){vdJcH6XPT}Au#wDrs`6{T$i{!6IC7k!aPRR0QiN;_5 zw~C0F?at)^S0F6g-9()I!~XcDthmkW)G-Lovblm?{uT3W+&UW?z`6I2SwWC1!-rnO zl{ZU;wv?>{4LobsY~SKU2#B)M+6~~C_P(VN7@vmNotn{VQa2}vf6>EGzG(bs6t2oK zn~y|#Yn`?pJ#6A6#m;|m!Uco_QQ+!NqQR-VNP1xWv2ANaf!*TX4%z#He#c9nZ(S-G zQcoxjF&1--58!&5gyfFhUj{Ke zE2>D}$*hK}WaRn|dBZtgnFMUFsjw?SckJu`UaCcDI6{vBc}&Wh^&P#|9r%!ebwIHe z9v{+n@|5Eh$0&@xc3>Ozi8HMWo;-GIK2q!}k#M30#eQ*cQWkKs3VD;=7>5 zIfwD;y{6BWEzvs9-9ha~VR8?><>KFHI3nlv`c?fK{=QI8{0D5s*zrN?Ze`v0S9_Ie z!nh7as}%|aM_AzXq}xhd|Ac@uL3W-^!z0j$>XgQ8bWTTW^>#dkJ}d~4{zG8sJV9_I zNhvY#C+u*+>4h}Ki|Xy!>j~YQL8d=lHEQ2VVe&j;l>mpAg2`N&Wi-44i_@^1A61LWf!T9W-8piQ15u~k z-b^t8CBRSf%r7w%i`u-J<+m&*H1~i=DKvPM!~WQ^enTbgry1Q_J@5{aI87Wf`XpOc z_u{A2YMn{;HN6n+?b83s3VktfU7$BlswZjd7V|3pr7f#Lfry^W z_^3D*m`v{ET4!Yzei8bVgJ|>jPoB^y1p5HVC~+VweC@}lm|z~^k7fK1TS zlE|FC>$)F@`?|$=oI%RPVe)ZQwEs3M8r?;exbLxY*aFYlG^ra%qcnLvi5S;0Jc8M! z`7R)GXPOOBBlL5`w^w8LChZ;<7vTb7Cmk6WZ1$-io`>^&;Q6Hi?H| z(p}OUG#V~7UY@>`xlv4Livaf+A;Y*Nw4l3c>DcAwdiTC32}W#^^~^h4sI07Hz1epeO_)os!c`MPEe3lxVPoB8GA>xb&CvIQ2UF7ESdn#CUB_Zq|NhqlB zEHyiv-rNjWyo%R>okm$`j^7WSzn!0H@yuJd29`gbH|?TsssDUl*AcH=F3q6|1OzF@ zmG`LZN8J2BTT|kZ#vyjDPI>cDMt#HxSLek|T1wrSe@;ds=douiA%_JYh3CCsP_Ybu z%10M@rbU2Z(=R>B&YhSGp)45^33sBlIoXrjxEM|pFs1xDiN^W*LeOJ4$nd%H7ZQU= zj>2EEc+yHY4-U(%#zA@bRw<1`W?>PpmQVU;ppO4 zx3KN)?P=gl->lssG${lEiGT=tB+j5=|4l+VzO{u1&hr)X)$+;a?={XECyQdPf7hV? z)?+|z_5iRU{&@Pxa$-tk#T4I=l}lt{^g|`_&d7pibaS8;ETAy_ZE7e+MsScO%g~Hf z0Hn2^rGX$WgW-w5&Gl2Hy(MPjkLI~O-*#+DcRTt%fqU}mpGcK}41ai~o?}(ypn_v! ztA8#FJXvVzI+f3ilV%+KneHURwsK?;x9uld(44k`o6B>E(;1sT1(dcgRVMw31;#s1 zmt2?oA34lt4G)y>SB=Qj4_9jdZAd>Ps62AXgK3yi{>|aTa~uCBxDA=rWe4|zJ+KI* z7$VtPV1xCZw2Ci!h`KA?+YLQkJD9LRZRYq`-(A8$6r8FdE{Ea-xr9F zFAw;Zw9dmzlGs#p&HvKxGVx2BB0=Qs4@DWn!^fp3cO%P7J-#zJ*iflK-VwqmvTlj8*cl4Wc_@Z!5JBRFwcmc z%6WR6OHV`t-3k)N<9YaG3!|81Tb(76<>nZDGZcB30=t#C+iyjW_B7o>5A%?7pY{G9 zUEdzhbpQT8B$cv`R1VYKL8YuzPO&MKO01HU!&b?mB*HT6;Bc4wPOMVt#FV6Rn8-0U zl5@;?&WA?Bu#IhYe*fM+pYP}MJ^ubl^Wbf}Ua#xAp4ah7lW+GO<_js2A_v5HIzyQZ z%wtj&(MUeDsQG1?bh?mJ_KJG|()v17`_CPATE|9mR5VR6j(MkqC0Ahzpb#S~jEjmZ z)F;H4`PvU|hI}kHS!?1hj#ws$Br>>`1&}55S*DFxy|Qqx9?S}@m~w^rF-d0Im#pd? zn4hn=+-cnGI7d=Y0pS4*OU)G=i7jnI1us7h!n9yBxKnRo3dmt>12&dJ4_@rRr62 z>JW7I!Xe!F?!(_Ms&gPmTyqP)RT4bR&F-5m_Ml0;t!p$z+DzOx+ zXK@9;?rRt0#jN?q)@+q1@|=g~!f3JCpw6UX`}WxO{xU<3&W?&~Z&{A-4}+X72~{k`yQ z2}JuRH78l!m9VHkJwbyST#a86bM1|q57lc`8L!k+!5%s*IUE?LTgdzY z4j`YW&AJjMGb@zCma_I?o_9a`SDpS@@sKot^y^Gsvk|e~C`I8LDDiY%YQLR*E(6{P zsqBK`^!!`0T88_yL-8N7(A`H_#!c#NymK=F8XS0qN8t%H#;lJjWSV&vp-&Be`kI{E z*(>90SJ=!Tmfcx3$1kAC^KB{A6`wD~Ladn+HM3$${A8KQSKsk_<5`sjs*IJD%7G$k z?(A;T#nvq(gKT(OF8s%vh|$T)JVn9%mcSt{wJ$xNvFdAGgmgXbZAtPv^(FyUSV(f6 zIqYWMM^Pgdl~tZXZuJ-`glAAzSc7XsbEnv!?hY?0UP{4z7*kVSC}f5v-5oHWA$sC_ z(fEkLy3|s^yJ2OoduV1mmU~5C*QxEkKh$1w2V9&6`zvVgLUyiM&LpvUc2iH%>h)G& zchP11KDu&648ITXzr@XR!MXI^wp~T(1#$<=cyJbtu2ZiDJqENuP z5n?MlfzIzHU!f0|_I1*pkuAmJ@ix3IKkrqH++gHjzJDY8QX&bAntb-*)cJC7VV))a z*eIfJ;_{=4gN(LZR?<*hOMhb!`4(GhZ-yB{=_m?jR@1ll9M67w>BFz*?_-jdlz&W0 zjyeCu5f!N6W~)_ZsB9cl3&lOflm zubN88Qu<{G3Ml1j*I!Res5CZE6>$&x!XVHi33(Qr2JMW`$m@3 zubr|dRNSgM?qa0OEMl<`GGky2M&vqRWThxN<)g0#;`atr3PHvMrV1G1F)~8tPXYiN znF3%z5$CE%*>@=_QT|VD*q!&|Dy^UaXMPY(ZS(31RA@J^uhCmJHs^A*Y6a~ID{GHG z4^~Eiq(%J^_&U1DASg%EIW$vyive2rH%@nz-jhR>u{nEA7cL+0@fxcvk+Uwyrp^(p zh1i3d_dy1My=-VncY`>Ei)UYb;xzWjtb(P_wZIEMYFx+gH(>4WzAb+UB#zL~4w zbskRB}b5=un|-DX2z`C zlk1ta_c>g4s-Q1;P>{2axzf)I}joJijsZx|GVfi%lh)M<*Alfl&3>$ z!I`g1QP$JGcd7lIF@vpCq)UjW^4aad_vSjw!P=!%y8v7ClV;uV9uWr3-iKfYeOS|E{eNQ*|O|luTm&|QO0t`La zzMZa{#{2z>&KWLi^{Ml$WICvS=fQ44_~&k~TPevi8`uVUw1-{G)T%;Qu%iZ)y<#>q zG^e-xmL1}i(IHRFqkVMi=?MOz1G>$sf2w~KJ^A4&1HhfnEH*sg(f0bT{#VA?#Az30 zN8|jqF{UFvuuf)~WU#i2=)V@aBEgaj4rkyiMyxOwDyEv1oS)pV<&dw41MnzkVyT8F zO}aPDvPT2b_rnV?=MEF1Pzh42@aezoRd^=Qh? zCuxD4$8%!rrYbp9^T9)6`PemNUzX zX@5Akwh;$c0Q*)OvXWI|nnXI;#p)WKPUP)p~3nxO(efe5nkQ^okYsx0A4f* z>Zy`haA#6(*z|lKeS}55(!58UMg5Yp!p)uH*|Y9zGIr|T1UAK9gEYsKzrqxJj&%CX zOirCS(xY3EJ;>1a!iv|FK8awsa0@Vv4cz20qMp9e>DrJM5GQ_@fX zT%~NWz#4R829FpSw!xoA37PIsQ5CptBh@;cWnBDm<*GoO+MM0lGe@>hPe?B>bhY}? zY0(Ph2SgtrcPDWI^+mQl0<(qr&DT$o%_I+G^XlE$9E7L#m_M?2bC4$&V^)-s-&_{P z^8g2$FhyNZ#^{pyS!%_Mu}hqPd#dif9d5qdNv&s$FQj!4oMicBx*$Boc9tZhD!X2? z^D2iP5MI~56khKC}eFip}7J}5Ojut8x_}Vg2 z@2LuYO+n19QA<~P=LdrUVK4h!W5@y>Vk7fJ@1B!;1LgB3dl!B-4UH!8&P6pBOZxlc zO!1BlD1!VoXmqz-T>e*_YEVr7gV>lPd!2-l?cTd0zIa@tJaOG*vl-jwns{PUS`EF? zfpY1yAWNg`vEy^I58whB=hW2D9P1!)JH0z2mKfR>bQ)=mz_#tGRtv|~r5KKft$DXU zt+s1ovqx!CqM3)3@53u}9`9;M_dPa#<(W$IkW+A(snx3>{u4(Z!YS9u&lvZH6&DRG zyz!G+HtLGDO-^p^t;Vr}#;oC{^V$$`AnA9Y^!Kph9foI2n;zuO^!4SD*Pw;xQ2I3a z!X!n|SU^|CBJYS~Kpf0E63{4HZ{TG&`*Dh<3X$zWXv~w9ZAfV)>c^{tj;TA^uxqe& zABJBL2qE0{1%CsJ+hj*apGZL~ySz2F#%!&{g~e6Uq~BXUn}6SvpXH$Z1hGAGa*^ic z4@>KMori`STa(rHPDwqGe^i|a9o!(&jGPfUyX^>$_nzU-+;`S$k)EIwiQS%3dnKXN z1UXN)&ewcf0Nl;0kfNiXET$;3#EN#mpO zVKh0*qv*@qy?Wl5&t=8~!alUl_F{?Z2+^x9xmPe)nzzgQ&Tx1;lLH3jWVn0pz*qjP za*svw!^NefNW6*@@m?J^H&@03SH%#<11hb2XJ=>v>2}QA_P9HOr&{r+7vgJ@=2ad( z)_%o_;jHI|tTB4jd}$WF_6I9Twznj(W9X3h=QV$Q_U)}G2+i?bWyO{1dL3l*{+Ra7 z1qtc78U3~)v3G`d+>888tI{dF#RK!EaAdgz_nPuRJFSGc!I3h&xSU=!=AozAb@lKi znP$aV-<%qYrUM_EEBoqcGZy|P>uil|hj72Iwp7zbf>O*<-(5E6Q44l1ge=4mRaqJS zjw9*KC+8y8!4fD=`3-a1Zk_DT%xX6)$bDCuok;&lDurLd9K8cuF$;Lpr;}5bx6ffq zX=m&yGQ~MhyM-d{HdZ#q>cSK>Nd7Rc9@I- zR;Km80I-dwwW}&5(ElY#$pCtLi$Ob#r!#4ybuC00S3C%n-%AFe%c1~Vy*AgSbs19+ocd=wwjd+#JB7)QfLEA}&QF#w4 zV7Hs!t!jz$XT&?EFcfvm>MxNJYB0!Si3a2*mG7XdRunX-c}cq@0K?r)u$acG!EL%; z4~j(? z7g=OCLdI>^ZMpWc5BL1R+w<_ERk#)Svt!N2=$v;vGucGVNBiBui zGtWPF6uImmdgG#&UT|XUc0gFCz+{s^6--XXC>t=m!$ZQTTkqwY zoiig*;+v1-uEgj_8;8LXd(NrW9qm&d)zpzAC}@-gmDW=bCrl_OczVywRo=t~eg5Wn zb8ar&s|xKJt#R34^{n}+9)^xLp1|5Y@-^h(0w(pc`4=a`jcqTXGS#%ZJwGRAK8SA} z?ODI9?_&uAVymLp(%@~YqnjfA^Q(WYPuI|XPwyKclmWyB2yT#;bYopDA$&tg?ULIA zZ1>o((jrjfb{aZd`B|n?$fX~DS`$Bi#|4s>U<^&$Yhe=GG_><5un42g^WmIoPk!w& z&8$Oyy*|kaJF47r_rDGvT3YZ#kQR=-Bg-Mq-S2x zA$#pNA-$**7}ufG#h3{yc6?BSb`<+M%?g^lq-(h#KkD1GFRmTi->JB6J?|s>M7dAT z^$1*&kA3|unLl_)3@CM}zqJatyR{jeXlSeA=o)=UYuKL-kASH}(ar|Y34~n> z7u-!WmGRy2ZK5!$mrm7Mbaup(?!4}MB3yO{RZZ1Uc!%pxl}*X{v_Hd6|NexrIO-cP zl`-5Tx-z}#$zZ_)g$|^ll4Du3Id2(Vqv{^5C3H8>OL1e&2IGB%p!!h+znu%ea6EE1 zmU^RlMQyCm@_RLL=SP{l&UN%_gPlz>ukk-L?77(OLHwdM4#2S zW~xDK>cI92Ks~<@Ic^g_|1M{w&q%!+jQfguUu^T+voq>UFKz+9406z?&s;qd(Hi{G zf{)twk*~Qi?xB6<0S(NICw&?IV~=9q;Xv)M;!r4)-H@`?OA(+333IIYdNSFN=ZrXW zMuxefNk^d)*lh#jy}qWYO}l{0Ft{50R7tLh8f?i(T#72~DZ$OFJ7j|g(*0pQWe9D$ z<`}=Ae+wkZnw{5Pm^xYe*?Nb|8?*L^3q5Xa2l!WP4YLr_nKe%PeK%WM;e`&JdLtA#njNTH8jfZ$IKY zlZ)xf$^ZWN-0Kd{!wr9Dif(;WOAEhw7%lmm{>xk;qe{By9J=yl7)bWXiY0NE&+vgBQKsVfw7W3}GZ z>XF{1N0w+m(q2xxq9Z=~Htwoz-kZ3%$kh{XZxiO%BsgkmF0WcoILFF|*a}n!t&jDQ zB+W}Ej^x``6IL70zQw2)7#1i#B;3{9%{!EsrH#^qKp_h%I6X^@QalF-=8}*h+i^$q z^GX(K$9Lht_}w6IgfP577_Pdr=S2t%(!*Fg8(Z!)`E!$ZWFRfOQqnxRCT*+5cU{9w znyCIRhjBeScuf7sufn&*w~0X$>UO0jnj394Ku*?TrHNX8#UTOd0qX3=L%X8_DwM9T zzKsP&25rIWYv-wC~klYzMgj&0LCLclTGRKE;1`8&vl7Xng9Ej|rrbBq9C_ zY*Q|~sqZA4W#P(UXw1TX`d70c&>HpA(zP$B`>ZsQqZ7WGS4=v_6=y72hJaNTZkZ^x ztlD@b=@Jr5+ZFU)jc&O;WLmt;G+7!vPKYV(b*~4}W^wULt=BQd`Wm7@#-Q&vc#^kQ zuSJAA?|%9fzVnguwaY`egr%mhWJ_iw(v0KpIp0Uw&*71OjTo%m=O1!xb>_XoggwfR z^p#34=ja<|KowRE(l$lW*(uiM;65dywyv&qFk~35mfxBVVXP?sX7Yj)a5_AFu2VOI z`7Go?;!JZiXb;*GnPN)4zxZE<#E* zbZfsUdaeeHM~`_kr?I!*4=${MoYWerb~pAA#?*t^f+sIEGRW6#lK-1^1Xcce0t_G# zr>75t*;U_|D1?%Q2@$UyVR=L%K~yRM=bU?+v~=oOqD`~;zsJ@Ig}-IE{Rt#*pwn$8 zKiMRkiQnK0jF3oS;gj9Ud+>72ckWfy=*WlNc$!vm9F|)-q=%e0OIsy3CiKY?$0RYY z3D4pP+uNHSB2-73>}3j1r8TnCiV>%kdSNwhOWtgL)NTgIbK+5?QMeT1hH*1rcA}pW zDO-xj4(g>n!9edgaw&E_TZ8uY_;S@n&MHyUfv6t{Dy3tPQ*3`7%KofaD$jK%%FA5O z6!|mz;vP1o#`Um8-{}Ohuq-48*U%Ai&lxjms-?NDEevB-9QGG`2k+=|$n|w1(~Fxl z;JQ?gVi7Bas_2`$de?J7Yoes3bmHZj-q}x_+<92{b56HAm`WVA92nYhYm}KMm;R;r zX|(+II>>~2C}CCVOo;R0*#n;3g{IU3N_%lJTj?hJ`JH)|3AK3SMQJs7{6)MQ!!KHd zg_)_PXcu34O)AHGWT=qwP7xD5v&pkd>5@nYjC7azKJc?{GG7S47`b6U)XR1;r98D# z{!&`G_1{JSZy1s{8-zc`i^)($+YDMhTzp^l*Y$G z)5Ao9b$ar;3t;4ZX{6;7DyM^0_2iy#k?PCXDDdmTDucWgKUB1XT`hmaw6A!czq9;7 zH_CVU#{3=}xP6uoVB|H7jMohWc@LyVTfH@Z+YEa)>Dfi7Zw`8Xd#+}88LL?GM}3V> zg~7rfC;KZ@R#*^S)xGrpn&nfJ{Re}T0ed`s+g?P>X!BSD{eC@k&y9mFla5lfyZTMZ zlX(B>5AkDJeZiLp3$Ou9gM|wJ0mAf9#3jmtO4QKLCAVfW2kV1V4*QyycBlRs@~nCG zRo{f@zHz^1@ST~`*;^-j))z!Y^n{oA>!z+EvM;qJlsXw~gsS_$TzCkrJ&o)b$%|&? z99USkZ|Of!+E&@$TI@M zL+G3jNw;jl2H4H*V2y{oRWNVFQeN>+RLBO^KE5WNDu#O@chfJOea7i8EOuS#+qmq(&WsH(-8v?rDaH>i0Nb!?K0tCaUE288UaJ_+- z4Bu5=DS5=V605T8=xNEN5J==h(PkJMO*Xr90GI$n{;T9_njn)nl{qw3qglkyM~&b%TG4o92|yVyWLm6${%$*gm=6o{^#8RlTv=wqZ%^mu}Zn4=&xT z8F)Am`6_kL<0fNo!hTW6PYq@Yqy72AI)w*P!8oz|(Nj{y3hP)!E?1hX+nkj-X8pP( zfEFGxPbSrg$|vlL?&5-sMsgtUujL**XMlElliaf%!d~5R!7Xa!zSR$>QS8VX-3`a+ zAG+SUV@KkQTTZ9M=JLiqq5$;pMeIfG6k#Kr;8J8xOAu zi3gT{Q|DytIfPbY8k(*2k25`{qaG2JnP_@{#0tWm*j5Xp(XJ1y{Il5V>v$F_HNUK| zIY>~Q$-a;`e34+1Y;Ah;@KEUOUOPni#1q$ko`!&a{qQgQB%6`)?+bS*3U@$YPUC(e z11{X~SB-TVfkc*3Dq(n7q2tRXP<#-*LExUep?7olwm>6omI)!-@^;Q^N7p>2&}Hx7 z(s!Q?9Hy!s9`_IGjqRH$9%RU`>$EDJF{o3u?-v7!d4?)Tf{6ektZX7KXipgX4P7YM zNZi=thX?!j@Z#@n0jklk9i%CWyEf1HIPKVI7SXJNs`|Q3RiAKt6y#ZBxx9B?*mG$F zOufjUNK3BK`HC8n^Mpe@?cxXr47DciIuqbaA~1)s3~N}d9%dPvE9ta{Q^MWp)ZMf6 z3q1T3N8k-+_%~`=Q}*!iDKWz^_wEDaChxzr6|Z zitMij^FVfOX0Ad`)xg)B4d|VR%c>T5D1vv@>1!{3*j5>5#Tuv8+r9l&(E0Xn#LM;x z*6>;O*SWUb(7DjZsN2|}whm1Bvj~ld8)fes`8QyOAqnG0lRbpE)*VorsCcJW<>D+? zC-(CS{nbIPC-2{%JeF`Cy~>VUR){ug-4|nBzpo*OW$cLEq&AGk+;^mOu0fejggiOm zH`9BT9q`NunznUocu+&mjNeV}XVj2NJGm%+3^8{uvg_(2zQA#QF)pbOLn0_Sf}?*@Fg$IVf6Z(0km(o&F94}4M>DSy zXQ+z8IP*7LXKsBNM$>{kJJU~md9IR2z&FnkBM-GN9+)gIs*t+hK-?FHW&g9<1Kx$= zy*#`o*9XVXfEU3tJM1pbvel}Z@mWb5UXac1xK&c8 z8kSeN1Ts{GtG4?0gmMwC*K5c$P{P;*4@Y4DMNj38T^N1u&PoSt^xf8AZQTJv7*8prafBjW;xbkxON z(kX}Z4BbwH@RCFU2znkC8oY&lY_owxsH z&x%7EP3$^%eSP?TPg+0%FZ;lGdwn#&A*-V;U`*re3AJCwL2$QnEoq^5PF$vW-`>c2 zrjihj%G9f8GWrJp)z%S)l7)hpT4!p%2d9!{Q{rNb5Nh3#vOnqVOUH0Qm8~pAA zY&!n=HgvRMCw(b*ySx6$%!7KRo-5~^BD@b~O^eM1Dy_f%hUQSlpWWqO&YXLz-Q9b8b;7HGinmy5~T;#PPVHmi}(|qa?(j-hWDSu}b={W6>#J6gSZX)Z+3A z{b5m2aSEZCiElnqiIF;xCVw^w)V!j7n^ZAE7YtTh7()icWTb4CtDN=C+LRvlU!L@( za%*8_JX-Ls0NlusGb~wbpCa9L798m3&(5rN*nZ-Z#jYFUdm}&UOz$xGTw?5fFmcY9 zF5a1jM(Ec#Zm>2QI0)NA3Z>rN$x4bDh zed@Tq!7_{ztZYA?{1GF#pN{d&Z*Z3t{Py?y+La?U7ug+d?KUt~7ex2DyB&VA!C>zI zh{xAZ;@nNZ*UyN8_)bUgcX0fhE$(E zKm{cRoK&)XYcHZMlx~DeCaO226}#w9 zj3(&>1mD!`E7USbbH`R^I6riijQ!RB4zpP+p(HExIcEHXyQkE=C`2)rW_CR5A$mnJ zE$A7m|Kx2A|Mc5NqkrV(COP^T?R*&&X&vix>pt~BdsmM;AHr*>GGbV0JtB?^(pB2- zZgJU>v?n@jayTD4fm(_$yBUA?KIi?;WU@}n7xYOXC0i9JnpRnH>&}!E@u*lm_!!CMo|TgloHPD3-Z(~KdT0z`cvNO{@-`|ze~=b3@G%RWLK)ag zJoRAs%hI90Q`UC;Nj2ONj?4R9V;k+)5c-~OWsz631}@1$gy*-@r~WiDQp|y$Rpaur z2FJ{@If4Dw?ZfAQ1}EUT4YvRZHkK zPc}F`KmlD{-R-Ne%OLoh4j9EIVALExZcqHBOP?F$h7b43Zs?W#!_K<-Y<~A&#Pm-| z{QExr$IFp$zeV#vNdjA|7QE^noBrE+{QFm}H*1O;`Eew197S=D&eKs&yArxw6{U_% z{l)1N<=%^@@oQI8w_QA){iIXn``fUcI@Q}&!7=)Jh6f~#*D|eI-#e$^EpFsrRN$Vq zsalO*MBps2lgS!9!&K>K#O0bhkC!JCt@Ya++Nzk!v6BtEm3!s)tpelZIZ=5sNbpT@ z-}3xJ2G@i1SH)>ltLT^JJ%tiFr>*q(0Wfh z<)ET4+8R4~ED4Okm$ld#OAFzvK41tl&r!(Bww@8EyK=;R_ZPMnaUavA1;lw6&<6#2 z7~*#e)`}`HpGnURC{#;cbbatc%@_U!DgUSR{?pnrLNw1nMig&GKw-iTCqDhR^#1*; zBW;%|nSiooSaO&&v&iiSjCG)p;Gh$`$nMJHo=nw;Ka3got7E;bULJNXMpYeCs6(pl} zv{I!hj!)t=DvhXC;<oHQzG6yZ|DCW>ZO0+-9`)d{vKV^#>x1r=qP5#^)*{VTZl|`I6dH+HwA^_Yp zO0m+AOsK2SetpVB^Y2jjua&QdC8JcS0FLL1oGVfEKpTDCno33iXabeiNh`1YH;?jv z$r2ZR36waOeGCQ4vggkGe+%zF1-;-O?MoE7@`i_TU~D4K9FnwzDdQchzZIn$+N`KC zSiW!f(iKjt^`q8NE_ft$o~!JCZbME!TKuakXFPP9UHQc*6VD)HO1>5UT)VhDuljRf!$r03%FXt7 z!FlsOCv*a4a?_UdG>wUFNZG?Jd!tO$jIu(zP$m-9ao*?n+g*iIu4FCLS>&^}-F5WF zBv&0mKn|Q2DV4s`e{zIweKOVha$}!LYsEEVnsgOr4x{|-N}FX8YP6S#uW|=tAV~3% zcN$KYL5ZL)dk6g=X6=87P_s&P(FFR2gCeX;-1^UO>c5Gw1g43fu!HpxPYP;$-KB4l z02`1~WK&e-6g^L|l6Tl_67V^UKZPOnEKuqUR*)#C~^v8g^pcn}Z&6W}V@~%p&aqb&YP( z4u{RD15%3CWXcxxur-|x+hWTLoj1QsY_}?6hrAn^+8DcodO`oybubcJX9$In!h@so zV+~4N=%#q19d2UbpSNn%;MSX0C(I$J#Ag|23|Bl)2sJufMAW zBZ3d3h0E!3bG*oi*b*4o)Zq)`_bpTacD|^9O|G4fXB~-@dkM2k9`P@5o#?<>2=_Wt|Z>j(5OaTu&!jTh7_O zB<{cLmmWtZKGUSfSgj^V#`JbmB=!b_i8e4j1Ka0nj+4)A>Y8G&>p7UqQ9MFr-%A$* z>yPW^u=$DKRmLZvfB81HbzSrhkF)Mo9lB_Df&FKrZ>Yps>MBhb^SGGD*u>?7JbI>K2d<@@Q5yW1S=3P zjfE+9M@MmoztRDC`rk7APcZrqgUCDj4>-hlN%{YZ^tP|c5t0^twRDlM zT%W{;D{JU-ugvdnmcQvSuEWvjm1}oSpi+9? zj~#P&8+1d*J{?&YuTUn8m4ikrTz=kEuQ57UFiF;S46rl8SSomiFWawG^enacsNV+r zVo&oM;n`<-45CTW)`5*{BfM($V-vd@y8aqtwmrNY%kenz*=x#m^XE?N;|=TWG0~*1 zHv8PC58L-f-u~H_q<3Q`+i`-=G?RqBRT1dm;&MesP}JN_oi~d^5A~kHYL(EeJ!KP7 z&PEhv-w7vccafpHF1kn`rg)M}_*qA6_XX_fzg(y?7mBRimH3^C12mA++qon_qv%Q{ zG{79#5fl#*-KnhBP%TzDa*U@r?jH?iU z%k~Z@KtkUKW_${mq*hGucWeb)iDz7)Bjd(K?5D~;TBBP)&d`w)b4An5Thz_j_($n2 z**%5p=KM7#atu(lTQc#rISDJ@q&~c#tnw7qQ2qLG*`?O+R6*N?xd#c3Lk$aaA{~zB1?6 zv|X8Kr5?{+5;Yuj<08U*|IiF^`&6ZS$2%jP<^#dd{Pug=gXvv>x$+y_V&wx>gH=zL zp1h&*$hhUoP2Q5xXKlH-@v#a(!9~h*txC1%Ukr|^(SO?mJ;OpsSzeh&3A$zbmz@<9%_mvo7Gub1>vp~Fo@RF1H z^p)%3p+Ja~v?ggEgT$6_rEj>O+4TOxx#$JjLIpPhWUoVt7ysvplocRlA;|dy$oZCk z#5SK6d9jcZJEXu4sdQB~VkG>9Fk-E!H>3;Udq693gEVl8D!Prs?|dht?n zF6-qLgKg|PsIh?fGPM!4Iu+%~g6_7*D-UKFgc@VOHsAKZ_v|n3($?C*85c4IAI!u{ z%>|{zeE&@ASA9v!RoKd;aa+4UX?4IywQQ@bt?MYJJLywUl3__R{mAi%}5{lOMcjI3Tx%zdF~B> z?U%wwmLY0^%|L-9L=IdAeoDF5ly8L0JE?Dk>};g3!jgmH_`4;LsA z0|o^^#mmvo`M7kfkHUt-WeNAopasAqVBg{w@E;weol=+$-bzBRw7;ue9NsI{bd=9s z;gWb=A{Jb)EEg%9GbG-ScCmr<1|SJVT3B#{k@DY7O2IQaYa^LEKNn4vEw2w*Cf#aR zL6HqM)l~z3ov6UijmI9UhwGK5nfYM?Vv?!Np$$fnO^7S&zWU3?s*k_k<9!w!tC6@S z!pL}O@wDY54AAhIz^@)v7cX#tzBq#b@Vn7)qG@B6+9>Y_g(wUvzQ38^ucGU9KPzeT zZs^T&dEZ3id3~p)tkJ8}CfmI2^^a3i6UFbdhzGB9QB+24gWEnk&yIoX56V_yAv3o0 zxeSb3Kkr_0T-|GHtYLWLYcxTs(agc@o*%;F9^q(N!_g)+KU5 z;_b_OeX^`NGw8HR=F;%F`l$Gek@+>xZJ1!Yhalybi^h{(6vcS7Rpmutv=i>DC&^tD zm9BGrL6BaD=`YyY2R_2|bJ7RcOn@-c-bzYl#{?9_%X>(<^ip78xqVPz)FzV2Z^|Z8 zpgC};rA2;Vo-2m2NN?uob>MOP%c<#%aX^f*cYg?2Dt#j@SR^tK;88xQ?9WE}0Cz+f zvR7R;-A8eVLro9tEl)ehVO%D)Nat}FF_Obb-|GWj4e&b#b+JYPihz}zl1~7sTm~m8 zciFaJRVMsq(~Mw|IVhxulKI?*QEg<`Cyu|ElK*1eF3C6uzIhg#sqL9-QS8J$5?ce9 z_0ZThV>fRr6@?U|JNhfbl_2emZkz;@;mH_bwVGH;eM95`&eFDH@Ge?k$rQ@>Zk0Wf zQ0S0SPTX$fo-Kp=y-T3Y!zfRk&Zb!7O-DOCQ@+mcqO6p1pm^zcL;Z7O^k71Clx)c= zH7oUc>SKSm%)`4<{=}JD#qQG^I)t%_xPMgbqGIxSj39lBL*J>(<6R%XR-A-6ULlyW zYWjnI_X0G|pfm9qQYzq1E?9MtQ}qPG?56knp(%ccH(= zC1>GS8uLS=yGW%>_$HGyLn)ufz&gkmQ__h|zP`dp#Z=WUtCCw65mFb@%q1apP6U>j zL}jOuFQw*Ecy6F*vkc<_geXe?Nc4Ild!H`L{VF5P(&PEbIZ>g3MkR~>AVuQ)8{<_q zMg1v1JReB3pA^$|XmwVUS#}p6SqlU?X0s+ED#kJsfkR5RczE%YZIlb*VQ5Qof%1jW zo|D*qne|AU8h(Hksh(^4;YU*t3Putbn#OqmT@pgUN5&1%WOaC#mbVCGWAA zgDBEMpCu86ZB05KFZE~m+q~jTFrN!fP>5Ln*RGOGDaHozXyClCH(zu@SFtOF--#$M z)Wn$9CsQ9f(GDt7;Bzt0Ol*SYA{Drc=yBa6tIF4OB$ha3ucD?Oa+B=-=(WkDuP-z8 z?UAq78#O@bw!;z*zBJa#Nne+)<@vR%s)>q|6z=W1XMSU8kiSiNu#_pfZ*O{^9f80OPn^L=Y!UbpwLxDV;I^;vQh^YnZ(V)2Aw zOsDy5fA4#|13-)1KX=nVoGsGiL_MEg3z*s`0$7PM^P4v}?4kh>0^$K=9dJA4&i(>} zkkLhCKwdmz|87bFXxiB|dqBmFqar1%bIe7P-W;+#vAqIVLkuM0zNVFTt_i?4))vSy z2aiZ_Nq-|w`Vb~KxUm>s!?H}Y{z>{A8sxEWI72c`+MYo-tI>o7l$^(oZTF%gX)eD% zQ}ogjuH%%6W|7~MQFp&)HjZ|GwU!iyH6b8=6Aj7~W1MxG{4-|I4Y7JwnbJ-<^L}oU zVb&Fw$?ATT=dRhav7tx9?}o=J=VCLW&5a4^z}xknLJ%--jZKOjQW-fAWc5TRB?9T| z?tar>=-%~q#%b2M{|G6fbqA8R3Y!Z{i2(JeL!+}T$-}g@n*ye#slddOOf4JYCpAw9 z=CG?`s)KyLd~AmXCd#J^19YWRZRR2o<5Njr-nR6AN|bjg{edo(;EOV<=oB&ZJYFlb zy{{W`1ZItn%O`dL;wK@e=~huNn5_=^>6^Yx6UD8!L@LQn|GMV~`rV6UrImC+0aJJZ zrOMyR*L*f^)xq2r@!@%LX}+Yev|K{xyqCTtEutmPsFEwD)D>2VLG&N_PaUfREiZUl zP^K*rbe{h(y_ZQvv{d0j8|sZBjx|sD{dX>T5!WUE1Kc6hN~R^8X=Jmq!w#_{tsNWQ7Dq&eH33_;mb#0qZ)e=C-FiHE zK$_S7_8h2%wxlWd;2*GX($4a52DneQxHBlW(cwVz?sbYccwx!q_;;EK^TUjwbL z$-KQNzsE__0teP7Qp4pLaxT~a<3~4bH8Hhnhi{LaX(xX$yAG_vKB`DgKLg*?K2)D*!%f0XiRHKdta#ISKCQV>VJZoYnqobh6;@|p+|zsW z+05J4K`G9=`lLqC)(k!6#F!H`@%%e-Dxdxe)Jf3qa_tfpE%8(c zRg(LxmfXmZn=YDT7Ks5`TF~~s5ia}#H(er9xTuyzz$IZ6D8Va0Ty==UWdl-~#a2D$ zGU#C-CzA=ut|jL_!zw)AG)|G`tMv@g;RmxG7G`^1&yl+JycV|M0d+oE( z`a50hPel7S#24MYaANpz%KM(gi;U=f(BW6X~vYrsF5e_y(p_^ zh-ExU;BU&J`dTDXSwI4C81$%=NaWE?*4sS24Q(3r zd4fl3^$A)u#>FQZ?~Zd-9e_Ub&`Be>LWm*|qSB!R;d$X?@(0-7l*GQHMC4>@I&MQ zWsAIHI&zfsA1cful`gFXtSgk8fk-)*Pp<=tz#yBa@CF2$}!1-ylF{NMBPX!oT=e6%3}1w@5=4y)b?@m#+SzH1NnmcI3uNjISb&dvyW$ ztP#M68K>&yO%(^WN!1Kip(S0wEz(x-Gbcyj)2x+qJU^99S_)SRS$+ zQ`v&FtU-6tz}-;G`uMv|2DYW5n{>4RoJ5e-kvR6l750?XpU)0>PTz1A2X?U}LJ~X< z7yjjOdN$oRqs6e^33WN-CYJI!^!HX1OtG<*rIyi{@yFaw|{c*2Dd)LXp8{(wIX<&=*2W4neEjmQS}-)~ zmK6K{!kIUV`z=i88TYUV=>+0kxlw$^giv* z_1~0qo6Q&|KeTo@oy<7e3qJQZL4~_h@Wm&rc3(%SEQdogB{@@-`0=({@O)m)o z_T5nNE_e&v?< z={u9vo)9WRUg0(;?J7%(inh}|_%$AN)EBsFQy!-i9H|_j$|PlW!zac5yVxNV__Vwi zvDf`@V*kcK?f#_lTCXe5{;rLtOcRU3G`M8@iq@Os9wA^?kY2aRYN|IvwitCA(I4{f z=(3ihfD+w5GEa3FQSUwbu7CLxlK!jBJC{xABy4a0wlmY=r+rJ@b$R2bM?T*+{Ji$0 zCT!m=sad(jqgfOhFgoswJU8LsF#&rA{3oY9&ZWD!{EC-xs_zlQ?^mO04wV6mZf6dC&D`#HSz$iP?2-RK2Ks;Yk=)Gi6E zp5a$xH_OlcvQ?X_0@cFE0Ptozq8T$uy{GW#=b0aJSw$ zviU@vtkp|&&#G)z?Jv6{vqmO~ggLL#t!f|11)1|x*Gg@^dQbyoue@F)7fZ*xouMA$ z4SK=MmuZ?aZfal=smw=L76E6J@H3of=Tlk~k9c(99O>1iL|0KMAPmVvJU7!x1 zK=Fh$Vlc59a*lA>VnFWGO1wjH_9b&x571JxV>q!-@-)}bq&7#JyQGy2g=zfg;Rjg6y|>WObV+1}$-8(< zcvzE9>X}2;S!tp6#0-q0jcNuJgKSlYH}6Obtujy08uj_kpqZ>)RzhB%9Kiw-pj4)7 zL``55|3YgC5Iv-X?!<{#(E-;e zHEP5Z<6z(Fim~jvD%m>sD2L@Xt}&)*vPX4ODFyY(U(1m&5+ZJ^n*aXx*>t-tUADM% ze@fwI{(h&9;9ls;w&-#6tX#R{Ew0#` z0k6teuD)H*_$7x*k`~>tgX0piiudG&e0vw!w1F1)9W5V;48NK587BPf*_z^L*|p>{ zF!}Tl7k%!7Y&|o-AmqON@{#fD1A(^O(&zC1x33X%-$2PPsv74n6AbLPyvflwvE*Q3 zu5qJ}D)2k4eh|qs%L~-*4kgKafrwXRU;$Ynu;_B7W%%F22L`Eim0Wy#pgl)dr9adGv4u*O0I^-y3FlAO+-b$ z_D|FMi7L2VVY#$TNL-0-*~Gc9K03L+cI*ocr`jV$y{_E7Vj88S+^I@RBSMR^>3Snr z*cXEg6zg!*(X4=AF&ZRKl8atq)Vir2E-gvaTiZRnU*PloxD4=x8s`a36Q$LXgLJ4w z9gF$9`k;(qW#hsz)SMY|g5VfAHQfh)e;uQ^7-?{`OJVLTX4ElUM&oi_@G;v!8uMo(zf{I-A`Ub6aB zxlbRFczw%h#_If;EzX;v9h53q+8R3BF=U86vT*7t7BEuErxEUcu2RPPQMw+7@EHZu zdo_nzQI%|(Ri~`z!pULd1BT$!!%!eJ%#<8p(Gwsus9k}E=@bmF6QGMaZ46T4^w7 zg9Ykgne-M9{fdVY4Hq%`q@{}R%cg~EET#aW7#)tn|whP zSIf9(l-#A6<%Y^GqaNy5i`y(II!Let5Tq6u(89B^N+XXClCICWxL+RvhpV}NKWpot z3i6TdMf%gN$W(4ZCnz;N)51HJN^IR(j7%tjnE2SMIkunF?L3VL zlDcwmv@bVX&KQ0`5aoz6s7txRMK@DW0LqqQ>#U4)yJZN{2rT=xEESRMN*8YJ)NAE9 zA92yD6&NX(?U@rN6OqKfT_d|JKMp>Ng1QQ2)94zTv+_;G1HSI&Z=fq&=r{=#JP&IT zpL>#vWgF{IM;TQ!QCtN@Ho-6QbN0A;M(Nf!d;5<3cKNOSR_7;H9Ytnzyu$hPV$v_# zFWx`BoXc4{z7>OtDkmp9U}P>HVmNDt_?V9#=-L)LcN#FXtSZ;JF>w-7dsy+)xnNPh z=4_05K|5t;zB|Xn-MdKE*Q4H?w~H$H1NW-~2Los;eUV2X zju5>-{Xk&L(&he5r1;8D%FZxb7VnmZ@5oMf_B*BGfRMQJ$|SJZsamQ3Sq%mIUzG&F z%@&>TO95}sG}9GQNzez7?}9O$LbUN@yepu)ct*Omm>8_#s0Rrzp~;pZKX?{uM6)T; z6*%8!ICBxd>3{5N(rzO3SrQbr*CPp1eicyLaUXR;)s=qOdEx)_7P1F*y0u#+8#BIN^APv46+1dD$r~2h_;a=rp0OCDyBzeEJM; ziBp)-^OoeF-hjNTy-UMP`Q6V)xHalLLr!5wz1fJuW^Ryg9EmyeV>fTxa?%@-B#+4Lb}IxpT?j& zn_A1)>UAugPepIZk{W)X#Ba(ENuj`d&bWcHPTLcJU;b>^ozF5PVnCt-ez|CAjxR8= zGgRYMCVcXtw(MqB^D*>DN23ueq1Sp*WZei-v<(LrKFXpV2UMGqtHuZ>NR+Z0Uc5=A zJ=aQ0AbwTA>W}SS$H$=siC~&cftf(i{y&&Tj zs$Ea2<<$9Mb2JRFs}rETASUqoVoL=5Zy2bnuBjj0futJQ?Z{?k-K?xWI7kyR17IG2 zF?(&P~kt*6koS+R85@P^Ei5+c)jkIX@WDu(pjVV4aC7B zGY7M5CV~pzSwVfHhvJXu!I$Amyz-zSF0%8_3hp!YT#-xYacWiA6Z;M$r7zT#0J17C zR9w&4J&-HJ4S#{yIM{S*S2AqPSVTwG3NuiT-4qO_OWBv|Zl%H%zDS(>(zI^jxpXls z(JNhLGwq>OVa~6-ppv~do6#Vvk@cWT;nDbEqk|hD$Ki)Bt2;M_x0DxY5|vZDGE&orqy|)k-4DTlpj>;c_2kW=YGZow&#|$^kWF-Jr`*2N3MmcL)`JNH*ja!&q*b zY=Cn;r|qH?+@6tef#AUy&69plo;)wy9l0dvW}nMbtGU(JnxlUCgK~rsQ~POpl~r(S z!qdlQk7VVgTEFPQd&=hdMY7S(4GkD1OxIxZP@LmZ)oMp1D!5z&t@$Myu&GiNRh{B% zJt+D&<}@ax0LS&MfN#FNnDcR_s2F5`PF7En>joVwL(qi~_tPNou0_8-8(F?GN_=xm zW-Ip~9=?9YFSA695wAa=WjKinP^O=*AtqAmgiBzQels;XxW%aU1iEt2c-cT{A@-Mv#Nw?fTwkrZfqb@`HcuzZ23wUo3ynt&j%`6$P`?X*0t!nk>5g*0+)TEO6o2r&j zItM-X)y5qE4$n7rDPQhIeYp$^DZ3L4Z=bvjK8JxjNu74TsjFLs z=l2u#F*jQu@-{k4d8Yb0*menn0L!cxx0+K*1S5uJr3@`9WF4!Sq>e6ew+bL{p)v{aL~p`2Qt$d?_5T4=O0xQSaq^izciV0 z2=61U?yG0DI}EPu?ISu_)NC1U`HO5EJ^;Og4LrmZ92n{s8(28&RGd`@AMAKjAZaE7 zpY_7X^>%ulmxG*UPZKHv1Tf0`Nz__ypvZLkcTT&x@Nwo;P@!(VnHI&$X2R^aBDIf3 zDX#gAN?u>>jhKC$ukI_iGV+RTz0!QMtCqp!NuWa9P-M)pBmbA{{A9&q1pP3 zYx%tsQW+H{dGF7VqRTjh_#3lo`Y^xb2|2Xt!C!%ZiI%Fk=o&IKCc8lFkftH!$XQbc z^DAHmUXN|~$qe+^&Ltvxp8+{ znoD*Q{JrlkWa8uhd<|M$fJ*o5z^18eENtlV^fvJG3>ALjdz@X&=vRCnTJTDOyZ65pdx&o_An{#f z!(NbfZ#S%Od7n?n5wL*sg>X~y|LBV9i-Y92Dr3BuLcat^+lD;J)+RIACqf5An7;VEYK~#1#hAY>O&^} zRw(Pb$DDRf(j*0Z7(8pM*s)VNy1Gw5F=VP7FP1HMTOCo+VRY!f%i5Hos?s?SA(cY`=Xvfy z)r)3=oePrk>nU+_ml`VPp>L{ymyg(ANQH$herOX@3m5`i*{PGiarCH9+fBM!)vw%n z4ygJpdkmE(UHkxx7yt2U_!@`>V{YvwT~kov!_8p$6<&k-q83!71783v0CzSvvk9vC zKvXU79%1NWqXfqSY#pG_d5X7uTKPam$aBc9BN}vL+eljzAtymM7Rx~EM5x#cL9j#p zM$S$I@?(*DZ41VLKFI-?W)?OtqFa2i6Z?xY3qVOuS8I(-d3*H~DOdKkkFiD3-#T7z3huOl_1$Bc*=W0LI z@fWv+t$*d&!YHvaIPKyyVb<`}mSB|;)A=k^Q1zkeN^jAN8ZM35c;;bKNo!K>LjE(# zu#+sgf=hJa=B>U$rct>#p<7>g`b12`TR|?`I*({P%yGf6v(WOrdO6G!#*#rw)KjtEnkJjUX zpH*-Be=Pa``J`P)U|DnqGB8pFEMuzxRx~JKE|a?-07vV1Q2JD^+*H~4_^37{Se+C) z(+KR{vcyl+wIdzdnc||E;zHToD(DuC(N@B~;b*<69$kMWMYok>f^|?D6OW8Ix+Ow< z*m}h@oolM*QiiWQF>0*fG9R*|9H?-}r51&U6M3FW4`;EjTX*6!y%&0Vxc67Uc$Zq6 zqss?4usHz0B9rmR?#L_zwf_xOGcRWG_v?mtuO}M!J-)zv-s(`OxK`-!zHH$Pv41T| zk?)^FMn?x-*j;Z~;-ns-$h>~_T>wga+x@?kErn?&R99$f?$u?L+4Bo-TH94 znr?o9g03RKT9xjYqlceIR@Rj#_LS(}r1_miGTDxk(VRhuJ6#%J)o)`fDX@p`TTMM# z-ZG=ettdN0eoqN-$rNqLJ$U@iG|qV#dlu;JnLFWe7>!|)l_I-=*lD_by>R<&Sw&}y~{4+MHdv!XfxMb|eg z&izsGlw~J!_ri*c|gL#0e%W zE|#`eZufS@-TVB-%aVUv12ZA|n~-Z0KKNXtjH_Fa6;vOpUvJcNkFF`cZF=;Ew@45+ z-m^hhC$qI6I&2C1C|YOmG*Fdqk2U=^QE%w{>osR_SH2w?hWPft!kLg>6H}KhYOi)y z-V`Gf@nzicu5OcMP60Z@5*LokvlBKgs~DCpbqHnpKXyZ}z7@;Lr?)9{ozbyfKn1K{ ze6Qm)k=m501#FJ;QIJ%C6JInW!Kt!U-_3W1JCq1hPlih8zZ|2gi4G(TJCFcH36;$M zS6sZM5&lJZ;BUC3esGo&esvPuGLcOX9+Z=ss^vP6yX65swYVFHCs-CnnhvybUB2|> z#rB{vB^I2&m$$@({yeZ1_Y)i*tC? z;=S(~2b;7{DG=ub+39k7l1F5e#IAg`^7NV{*()8yId8m}xa-l0aIwg6=lO`2C#fgFE> z@81w8yuNxG(%~Ux+C*_*7B1^+gm3+DQ^4q>zL%mz$$MogXUF|(=^Wwn98?JzH??U2 zb0}ChRQY$X-te7(>~E^?N2-+JPd+y@zdNkqEMt|Ilccg(f7C_w39}Tmkg1hIk>_z` z{Wsl3g*(3fNL<1BxOSQFQ%QjK4vJC%^fN2mfC@weiG_I1-~(1vm8z6)XfJOdEfKOG z79hI0y_%H6sM~=-MTJJvJB)?0sg~hs+%3_!uBd+WOoaaE?T~8dkeEBBUm;Tv zx@X=k;6@yQGtVa~xPeLr2VglzOi$NA<&_J)_hqqYJqz*87G?!vwL3o#QL*5xmuV$k z5@o}^2HV?pGjO;Mu>$CQ!M`2DJ%7LRqF?itWf9p0H{k8mW{)CXBs@z9GZpO!EI@rd zIL>kvvwF-Wx$k4Mlc|HbHCEy3dIUv2^;^a2s1)Q|Pb1iC zNw6SQyxv`wY_e=HfF$b)UQ?$Wnx=yyYgyGrB}I=K;TIeKR5=YqeLbaa1*<0BHB($b zko*R^{k6kh&;xK4E`*Ajl&ry=8tyY#KCT7PC(v%e%A7#EVOO-)5BH`~$pN`~(;!JD zA8G+6lik5t$)VJ*m%*Vgm%)MS-;sX2`kYT zRdG33zi(e84cnDM)~XE;|0oFqz=yCpi)o%KAT05LE-oMwmX$(+uYt1&a{Ek=ACF*~SHweu~8lo0rhk5azT@Bkkl)W!etFKKPsXpjfSs=IP? zPP{tN!1E8!iAHrq#?K$$?!;N(IfUs~EfmeheCqn+BN6}3KO&eYTem1%T#&1kFHnEG zRL_su-!EHe&L!_tju*hNe8BvP8q#u$mSoJ(WCc;9fw0j*nGg6O@e`7T0QjZ}wVZsY9P{h^<%*k5qOR9i zOC=W$z95<%lPW|Pl?;utoPy}6JmP$7cR9pmn7Zl?m}#{h!uK8HU#0w3wC^@fOy)H^ zv=$_V@iNva@?NYj3$gH|G`*l|d?ve4gi}j1Zks*gze?)6&Hc2)r0Pn`2F{xdM^4Me z0yhlV? zFn3yoIeXU5s+<{eCoa7d?e=fq`#ukt_gl@TeVCTQyq^N=yT(n6mC*MsBI$R{;V{e< zwfFx>VYhU$g^&KaHgpjNm7Af@`#YodPs4ea#2;}70w-9(YhP6gh16`kth_a92+zry zZI>b8nAFZU&Iz?ue!d){c2~i0=09102HAALbWs(bW6~loDtIfQYTq$O3CYXDN8y)c z4E}-BpeRP5*dd}1|HX#!_cCB-EuM{ZM|mr;4ppgL+k0H2LWWMMhtI2yaBG31n+j2~ z(aFm-+T4%pagx-h#iHB;vhmBM^IgdlW_jQ&TIYe`z=VkAA6W zJwcBElXEqS0@xQ}FDseZvkhIDJC%GI-HBRv^b>ha)}bE9)-8hICpRV%@=9BEyL^t~ zleTzxOA}6`ES)-kIV=85K(FzG#tLkmX!+>0!Mu#j`P=Alf#jg9 zFNXWX&L>(C|<<|*K?Y7?Xd(cNJoPbH)$K(}g^_t)O}fikDNW`O6RH0T2C zwyE}%srGWA&#SQj-Pd>Pzgqm?AxdW&H~r~*KO77>Z(X~Fgsxhr*C*u-zO)11Ni|XD z7PnFV(%SBln~@r|GQX6gh5^F4rj4d}<+!nOu-S|{=Df2WF>4C#Vk z{t;$ln%A>Aj!R^btVf-FR{qi9yux4rs;q|CRi5 zl?~rWpD%VBGs8-bjn((~^wQ@W?Uuh&YDpx`l^Y<5beh*Lg>UJ`q}cW-4}>;g#&9ew z%b!lFBu0P>iis1Jt(wCIg}(_OXQ2a`BE|FQFuIb=_NU`K?dhZ}v@H+;nnVAv-#}^p zMYEH*9)ou3Yh)VG9y&^?fo^~Uic%>%0ohJX2M)kr4l9OEL_Te&F6t~LP7whqcrhss zjgo_h9MWDU9T2G`0B0`Q%b!y0j-@kK;`Bh4Uvkok33! z8?#KO4vIMAK`&M^m#xThpxu|Gj9Kex(sr1bZ?zg+9g;wMwxo)7hr}Fh?3FY8Kl@?VP@EuV?)i` zu_Vtw@8cHYmJ(6(qPVEBgyNG&U|Y_7lVVFr!^hWxF>9BghEpc|l2JupmtIxU^shL} z5~Fglqv9fWR1psa)2Sd&=4lcNk!Z{&QWJ?{1!#YNM1ms4tn~Bdd7E!Z6H1B{BP32D zg|%_KEi&+8)32B6F(c3>{|NY19I4sjZzVZwfA|%+K=eN7`u7UvRvz#c@@&n`p%M77 ziNUZ59zCpthn9mvY&8&|cQ`>_x=8hzB`cC^L+%reqf(-w(SN$g4%Cv2i1(x9okv;= z&{fO}o$6VV8Nb0(Sz2F`DYMr-)x-H1@fj>WXdaCeTqK~-Hm``cI`5YeR;394T37+! z$u6mjZ=oq`AP`Q5r;L$F5?E;d=8Vw{(3?6eYEdI0{Z{BQNT$v8WbBa0k78dX&H^X zhv;96!n5gT^QvPq(Gk;OQRbq(H~bQ~lYsIBDMcdKUd~fAVpmP*8oc9J`)y$heNOB| z`ALp(ugTY<1h{*|*)b*$!2dpBMz5l;sU+G!GU_x%PLZ1kiA_i{Px*XEVjZX%5R-+D zO!^`WrN`mg(docG=nB}SAWLZ=m@9RO%9t4X-&p`c6Wd3YKK<#ye&~|zLDg$zSryX7 zuj>`|3B4xPq15Wl*mS`BdrgHiJpZP(tYv$1q%K0rBu@CZA6UuOYNsxo`1~PUtXyge zTml=@pnN6K&xoE;$U4Be0*wj{pwG08=%5~mT*+}fKA7zX-zspp;8F4vf*FssUq<1}X*U_lp zZ*f@NpPqpmNalY^T_s;E>wO9@6oCZxc}#GDnM=5=&F3}rI2c3$VI8Tr4mMk$xm;($ zI;5qjF&Ak$n~RD%wNOC8&eAIjB~$Ew==1JoTu*J;F8quINS0~>vMQK;c)H=;fnmUN z^(JH@k{1Ugq7$jbaGx|Y+|m?Lx2Rf%=T!BJJ-bBojMV4`2SB^YU66Nz7V}MMv{b%5_^3QZ3tG?IPm-kz zC_sbZ<*gk037-mTmu+(>TfFQThQ z0Ik+vK3(dzN__tXwPw)f=n9|e$5(oCjRiKlyrQmfodz-PVBQV<@fL6c5+yPIV|?^j za}V#Z=wdxa1J7L(W$Yk9U6F4e)u+)d*$Q3u)X0i(ekRo-#YNKdua4onN0M(AXF%V3 zmVlS8e5a81y6(dHV`DwoOr#KF$VR7W!_Bi?#w;1i^%(QC`$^rZ-Um!t>l*x6Gd5Z# z$sDaG^h+s{vOo|Q!_(P><@5gq71K~L70v}}KA=F9N{#B6K*dHVC zftoF#TA0^B@c<7Ve&$fGnrh;)Vn)!DmOXM89I5F~&xXMPJij7Pz7^?TB zXJfETe>OX}c30P-je6rYZ^&wKajVclXE*gad*Dm9yXdk0q6>b7j&_usZ^tQ?23i6% zwnEFfg8=FnvK$FgX9krVk-jt7OMjA}gJ#?5R;S2lbq0!*(mBO?QsRzc?=iz-$=Fs@ zz^PX24tf*g2A`eQ%yxyS!-npF*=2k`$OF^&mhyA?G$Cn|+J4X+Of%FnR1Lz5yG5{n zu~*o)_!a%t#TJN!VNNYT>V#V=JQwAQUhUL0xPxAU2Vb@HfX^WwGEjHEE`N~%pR?2_ z_hACUxojR%2EtEs^d3N}j9t88PmiN~04@oiOJcunh>p&CVB1Wr==DaO>hNtOty^y& zK1oRwEt5V=ku)D}KK#Di=Z$+)d{G%;WCuZa@=p+vQzMz0!m^3Gs+xVIdWsCH?29I; zN|=Lunfbxeq$y44a$sV8kJJaf$TLpyRcl%(UE;4WF|AXq_D zzq87->sD*NeH>YzyQYfEdAo~KUy?GGz`bwxOUvS=X*E)9^)7RKXKzlS{96P0XXMb> zl)wG#1K#1cI5&}D-P!rA!S8+!)in^b=0)D8=$Oy1{$tzwqI%33n^v-Uz@w1Iu?=)K z@xTl|Xs-hsl3tyZb@U_OS>l4X6Z??@r?H(_qpQ=^^F2^PwnUx= zCc*I!UP-oU$f+t5SjP{&ylniZN6{s79xZ~t?+XgqPaHpY4V2nSfkhnrAa&(R{aL&$ z_C6?G{!+>m*$J7-VdJ_zXS@a!(5xI%20bsiXCC=0RaLV_t4Ck$YatQXqwt)2IEm~* zw4>92agX`J=6CR*GwEMZGWKBHpuS4#BEYi!q}G#&1vAOqXsHlqUCApiC^ntm`~n#O zUbvus*wF7Gb-^HB*ZZm=xE3vcjJZ#eEcCD~rpR*@Hc7C~`zb-+^^;_PA9-9W5(tqAq1&^I4*cR--F5PO2sjb=STkC|el-)8$Nf&hS z_*;aw_1=#(cMUz8ZRDQqvlV4P(6EkuCfIA|px(p&X@a_rpc9p%U=C~puVLIL-tN3g zg3I9f;v_myfF9TmuRfi-v%%3*?><2OicPt!`Ws``lusi~TTlym@l8Df0XwRM`&>OFKTVHA|L`OUlx*)8RT(m_-7$lmF&L7$&qK0&ygocPV zvN3~PjU0&xH)>7M4~e6k=jW36E=s1Dp`4; z%4+$a&|BR11ttSyGCLO$Q4su;_5AyXDCjL469vu7N_B}3WV1LZW_u6q*HZS^K7zr(Q~MSIQC%GKb1%1JIox&zIHlJ~(@RsEdU zhKkh)ykx9rlCTO-^Kly}+uLyCedArsa7p)(XUu$iq(yT)*7j6=6JlXnoa5*8gyb7+Mm7#A4{TNK)AN4L58tew z+2I@K=cWI71JV_~XDhe9G%N6ETj9?5)l(~w>4L5eIC)t)xiG5L`H}$%;zC_f_1Q@p zcia1*`B_b*-omF6Vt2_^&$l-$790;J-FlCb;trt(X0!t_8aH2BHI)28LIvp~y%wBv zNhq%I74L>}o!^JlMm~aQeC;w|&es*wT~{?nmk zEP%y}z9CYK{x&NeQm`x_gXqK0anA!ksa~j}0@uJkMf}-LMS;|%4!8nVlG5AJEx)U3 z^L-7b3fH$P1~atl#51`g@Wcxh@+O%LcP5!C0K@aS!b3)mbjsCT|K=fU0TFm8YsuR6 zlE>EbvD+si*)RNT<$czz=+uhd$trM)(UEr}ZGiB=R?P( zrz9KWRO?j|(HKMu(g#y&A=nvvcCmMMSg3EkG19dySk<(TaDR4maT zSjT3%x$-tf{C<0$9XHzmZkPDz`Gyjb(=L?P=X;mj@v`g;H9v8KW79GM2xAvKzl1{w z+L^TSM4i=B5lk{gaVv4V*yytdpdQ+JCH?*-L}sZp-Z#$X-IvD=xtWr|yTlq+htv~s zhp>u@2gjTakHxAv=KE^v!5kgs_lW_GS?6wG?j?=JN_W-0f2gX~Fi!|?5R~||T~X+F z*Cj&pn*sLVC(Vo~A2!MN&HsR;DSb{lBwU;VC!WI;p{HC*i-4L8Re)rz^@~YTJ2eur zh=!(I2me1v$!N=M(T;#-;QQs!E0>!Z|6?WsPo_*Ms~36UXKvCSeea`5Bj`<-xJ;3@ zJ#h}#?2(C{Iy?>5FI0h#Vi6jGg?Pl7NvQP>y{h9@f!#0qvF^Mt^KF@Vb|QW1Sb-r5 zDcFnRchyG==<|dxM>>%1&FkufACDvr-ReRh1Fn}P^J+@eb9BQ8b62CN4Y^qn7c!+d zyy7QIfTJzXkW}yG@$Of@|+AyrZuCBZzrp|NK>!!(V!Y z-(e;oV%I;#{L+Q6^q{>=EQ?>|x1uoRnB{cyRut>@y5y>m_Z<=%s$}Z$(_2^UwDyXf z7h zmm@R`JyF#v1s%!3XHKZtwiNule=qr%5X-tEao4lQBnsTTu2ofDhvGcyW-V1m0uk6w!TVQ822@>AHQnHb-ng1nma$ScVPqY*4zn+KZ^I8vc5ITKy5W` z-I;5vOh*08c5C^BSI=ADxOYv`DEs%zyR25yq)Uzj7Yq>%dY<|Pr8+)?2hzK5o%g=+ zg$Aa9G<5cjeqTmIVajTT80zam%B zM619Z^%igSE!hnOcFiNZk;=V>UiuSd*{h;@#neyr=22_5R;7ID)yM&ned)WS@-)1Q z(KCB+530fj-@)w0XmY2dIp0k&Opv?+kq(>gnw=PVDbJR&^$a4R%;}elL|fvFk|k3*tC*d1?&Tug z_J#-?ko)jRkvF{S2IQC@?b6$3N*PFeTnj9KEp=1MNIE$Zs-ps>D2Y@_Bg+r)Q%QVt zp$R_nH$Yv!u=}VC?H5Cjf@!MXs`dVF%~yF@E;={a9Mrm=4PUNVR`XhF@7E!9$8`~Y zeBDwB_-sjE2}z)Z_e1|n)APL3d$BGKFbA4O&%Q0`Kt{%yYz*v0%)doAhSs%qz9ylz z``u2=JdLsR>mgp}{w|#Oc`EdA(h_>hn1#+ST|~919{pC%Ccm>9U5Qsb352*}4Hwe; zC~`zSf%ft?{=wkOKat&fHngAU(UP)~LvIq43!eyO$wHr9B66&aY3m#Rp@0Y11u%Uc z+ld(}xyZb=6&1XlpBiX0_%>rR>>AI1a`M0r(j~wHKgpNFp|CvQcU(Rik02pEvzh$y zeluTs> z?RgVPsqn1b2X>UcX49j=MTH+MuM|jqguD@S1dJ!bJ~?|%yFWgfqxvBez4)Vis#1NgV=WMny9c|Ev@mk<+`7hPviu} zX4KD2Yfh>3fYqF}{q;klOes>Qqya-XPnVO#ZP42mL>4r z^RiqRJ5X%x%xH}$zGI>f+JN1|r(+}B`y)NxypL=+RdYhj9TJvL``Sdtqa^bhIFML5wy z1aD#8wznj)4$n8rgz`q(nI#u7cyU9U)DQt!ddzGg==xownOC_8(E_TKtA<&HrG?4c z3~E@)l;aL~4#KLsB}qTPU>rH>$ysE=t*wDkWFu1Wlq{z|#A?6%15ziJJcqWS@DETEoq^XEdM2MO#&vx?ir*Y}ayal_ z-3F%3^;Gh1R766|dtsbF9Dag*lwx|c-<09^6XUGQaVQy*KYKEEQAy9vE6rVyLTd2$2eSJY7g^v=mgk(04Zn{? zqQ#hCUr(IU46po0<|3&CKdv74)B>Ua0<;*Z^gaGLr|*QI%~MhBtWz zC_iM)_$q!hNCJF@InEY{duj^^VZ`61V9mftvp}lpvz-5vDXmSi6mA|rD*D4jfVrOV z`uGViv2UG*IO5B3XV5dqA})w8zJiR{mdNMZ-IEtj4J z?I|5NFZ3UjDp!8!d`LeV0O_-2ZhTIll0TcWh!kk^%i)GGVGth`1YgECQkb4OD8a&2 zj1BDX$TO*u+h3qvp!r)q!u+EX$=rNP*iMx273m2nq63Hm2ba`aUIpIH&4(M0S#P5e zu5&##+fo(aQ5zX?{7fyPVyVLTUq^?Bzf7;9T_6Rdh>Q$@x9+a})%cPQppkaDgJh20^CBfT$=1)nZb<4(_=pyw z&1dR0&T>78=C6txa(OGzQ89B5dHC(5Mi?0IRjOr$oC?PWS9+dd(e+sTV=P`2ir*$> z2nopw6f_0nOqIyYgc}>Ie5v2cmNG)T7C`H-7n1s5&kinDEg-p3!h;szyMKY@i}diP z3rb-$^E@FjolkN7wG|+ z3)`d$!zU1@A9TeLGiDu!=SR1q@DshcCo}m@ge&p-ChYoZquF)Zk1-C<9fz9^A49Va zFF%}QE^8LT)m^U^?srNc9Nx5b)&M{AvS7E@qkFut?T=l>SJ{d#yQfZ(DFOvZTbQbn z9)=}h^lSziAH623W33i#H_GBm4q_e7HEbbAM`5ycxy1dI+9!MUuBOK)bfT@ybqh3s7gIN6lktTG>eQ()uARTL7r?HfJEFJ2k~%VP9Q2i556Tsvf;ox5K*bo{duz0&jJ!u()x9l`vSj@S$z z+<-Zww{=`{B_08-V6y#zLHLBii~hPo1N``pHYqQb`~Q6Jke2;s;5B-FR=K=6zjP(-3lBHm*ii)QFO?4c#4e2Yw(V^9chcwo@-h$EK)@4D!t`8eBi4l+!M}7) zGD~u^ECFSw?*rrrP%;{xC26`TO3BtRGGTszB`tT^dYnAAHtN~9a53Qp^5wXEy<|;D z2HI+@$MEvgu^ytH@2bN`?qJhV+^GlIQOCV9*m*a8M%qe5J@@nAx?UY3XawCQ>Xvlh zuQ_>35v!vVl&p4rT^v}7!(ZQmP4AAnV(s^UTr6nqo?M(5Us9)YWy$SE1STgi&&*Zw z$f0>1%5*-3aVW+3hJ3qzaM+dkvSYe6WrlU;Q?a{BQq9XUB{p8tOO94P;bYDZpGjh) z>NnuB1Y-|O?gym6OHKAAc7AP2;EUR^p(D8CP`$m@3{Hx(;b)S(2VWZF@bF=T4~a=I z$XuVZ(CNzO^k778&w%@s^IV&MF}aek>p-3C`MPe3U>X`Wsf0w%vchS9;xGnYc`Ai7 zv}rxvg>{|9)AQlqi{?m6dp$;!;J*5-loPREj7&iHaH(6_x%)$`UmqQbYt~lO$IQg2)mO z5RoM+Dq0X^5oAl0EyxxTB`iW9EMZSVfb92v=c0YTcfR>1Gp#d*jGWwap6B^(CpyG} z>%n0%%+r{@2P~AgypK>PWLfySQg4etO+O;Lo=4Mc1km`Ie`^R~&8uEC zCrjjHue^B5rN7BplyGu-DYxvbErPFhBvg#9g#ZM#5Bh|-Leq&r*0NR@XPV_yYcu3)*?&6!nNs&QF6G^;EKO@h3< zuK5gEuHu$VY!?-zPOvSdqdoP1T<^R)>JJ0N!j@hRKfJbV^pqyCNB&VpvOQHF$n#3U zdF!>%ahK{MS!V`p4RIxL!i#h1YYva{;mc@Qk=Z40}NVo0?wGEQ(Nf^G> zcLBd{>NG#9##@SCnnfd8R+mt=(lX!Gw40-Ef8|q!}fB_Q5M%b2xIYQUKI9`)k$m%xox`h% z6~gBekZ9{`Oo`O#F$?1qWqRR7r8xVgUVw3JBuj}M(9h3UL!Vy*kM_ywb!zHPWOpYe zpwE5sZcZ~-uA{E>dJOhoDWCmiMTpyV>c=o3Q^BPG617vD=VFge<=6XKFBK`WL_ya# zO6-8wSU>m~Kw-G(V4WF)d;*P33jet~7ilpmmT`I{Tnb_W!gNnhr=WY#33CF4$#QQ2 zk%Upa{T}HBmBK^JR_VMKhp+pHGD!%0Xz2bB^T*Tpy`t z-HKJbQd>J!6!Oqu{%OLoq@c7Lz) zp>A!s&J&FQ?4Y3m{FJRNDttSya$i=+)}A^B?< z8-4Bshs&_{M}mN-cNaX(4?s87h)x+e6;VD_<^pq-3xM%;u6a+$2YzS1pS}Cn^si_uvET6v-Mv`5xAH|p^hzG*>jhi z-|uS4#@B!M&Ot+)3N2=vB$w~>>Q!2aXcu&uA~Vt4t>DF1#2E5$!F%O^yDs^VYr%jg zhsvkrQslp+=E(H(C+}deX>sm9Jv71v3~dN*d|QKzZ(u3C^QFQ8Q9Jy+?@+}b zNuTKrkd^TV?q18oglFvmF@qmH8$0Qy@lWY$OR!qqxF3!TPi2RXiXUA}vkc!(En9Kg zx#66?i1I2bTW@BjU^~v5byW8;_EbbUMP5r44m;(UetvrGO1GPPK?Se9-t@`#ap7q) zzfg`15w#;xv}M=Ajq*&l)TI!dUF_u2y^WyP>TadYkL!2mEFXe5lKFc8^+i;2E8uZN zjs(>+^A=vI&ax}s&0Ind%%1bejRC>WlXuo5k@OPquO`Y z;OXiFagEJTyqW`pc>kH}P|`65CW>J~mIGd0T}@TXXHKRN$NtvT8dp9XveGjiwRL-( zL5W#SKI9bKiZ{at_8Vru93u71Kfe+%v@zgv^x&J%$pU5j4pZez^3+4jhRBwU7d8&f zG7E)q!m&srQ+M9WsWwXD(;d1%(}p9ta)@z)9AO4wp*a_DkzObk2$gLRRA&dUd$9yO zrf5&_pTK89rPYET;r=+IGU1cB%xOWfC^96A`hI?tDp!?WN40mTWUF1A&Bs6~0$C^` z@nk!-_Mxp}bDE207pysB1Xxa8u|0EhUpY28>*zkh`7cA2-S3qt0$dyqTV95E=8Fv? z|2b_D+;GGYH#0(v%BKXpu9(Rn@S+bKW{R`-V|AwffJTm{NfE9{tVlUo_5LPilV0WJ zc7b_axJSk*a>y9Orjv1T{;v(OR9!+Ne#dRH?9a;9Wra~Dcv&Rf zW#i*fKH9DgG6RP7g=9ypjhrLP!E6q=0MvrCjE%F!KW+}5P|}32eZy(wI4=LjHp=0% z;HDNlKPHp$Hts?Ob$m2m+HFxyFcrPq)8~6z_CM)_a-rW20O!sZdPppj=nv0`!17Ef8_J)4e~%A@67$~v9jw4ViT&A_|!uq{{>;3Pa(TQ!&)Tw`Qh z`%tx$Ng)S+$i50BW9#{W7i4gqn2?ZH)S)2A5IDTknf6P6dJ{`RP2^=UEu z_be%lJqG98;DxE#lhe;G$_6CM7K}Isb&*0>(LdSgGWq~GXCb4I>(C> z>yQr-Nl#<9`4=-<>GN6)#vVs4k*@a6yV5Q<(HvHOd8U>fa&GWvE+fC%W5;=&7A}J) zezKV|0?@t+_zS5Q@)^u$cq)zMlYF{PM@uLh2pj9Mk~4t8WIsU4O@D=AOF%aj_2g?i z^@RzocjF}zBnbKqT9dvqV7tYJTxPl1187^itv#cair`Oj=7Z@=zH zeqEcn5q5HhQ&N^q2d&hoOE3>B*C@6*&@DEMtiFv1I)$0vDqK7qHhe!$NRS+iYnRo`%1BMI0Bwa#{(voNg2+58`y+~6102Z@Hl)fCed#!L zGtRUfX%$_9>*#vV5x$!=W)7wOIZ_izBLCOW$07+15xG>Gq3vugs#0Vq`;>{QPtqP~ z6Lnl>!dVphm@i=H2@kM|r|X`4z5 zj>P_P^^-n)D4?~(q0{uqH*6fF+);NwFd1NT%DD8gv1r6G>eoqgd8xSefz z$3b4jcT+(QV3kJ}S?stVi#mYyW*r3;jM?}ROq57Qw6u5w>lOgy0@%VaK7pAQZM=_X zl~POKFU3+@=_O(gH7=P-HDp--fm7%5iOMnYKzEBo-p#KOCps<=!Y%6}u(us1ms5*l z`Srg@Jy1?Vev-J{v6tK>g&(j(IW|0OEc=H zDntTv6-bOa_=AeTMJ6r$xzL=7$c6ft4r2 zsV7)e2Q%llYD*+ArmvO ze(h~+-SED*YwtI}TxpARd6NWf$9OWkc~3#Va0`|vmiks#d_(AL))o*uq*>6YKTUTEQbcqf({Ph; zLx9%8Q|SwxEF_jA5v!M^B4b!GDF%FFj0UA0x8G_a3Egq2DMj>VeYz% z)fU$W$dtuVG1n&W)ea$n%~gm2msN$g4%!|HPlrC|V+>km3Depkxv6NCi_x`#B%PoW z2ZF_XFpe?>;+AIp%9`uc`}S`mA3(?O{j^za7YYX*ViiCnE;b^8=@cDYnRq1KV7^BH zS=WelB+JaGX~?C)-;uosL*`82#2`HzXtsmN+>pJT7cqE5`6)|d6RuGC;npfTM%1rp z3OoI&?OtC58z_{F?4r4;9nFzbl{#e?a!*+;d;V}3f-QBqmU zX?-TFK+e6z-@K+ndKa?e2rGN>80ThEd|}eZzwLGPOryh$YzAZxPlpT_N9kby-H^S# zNqJ+rUU()+GYmKNcyU)`?wJ@G^+?F*zxqp_k|)>O^^~3Ym{QoCVpeXZTQJH#wijoq$q%0+nIQSYI4kkc%1-pm*4f%w&F2`qxLI z3z-JBR-Nth1UjdY1ON?imlqz{N&hWyr!z1CG4>>Nfol$11biwvm*f$D$UE8T1hfyc8)SKEuXbIE^8P!@pihCCT1NU z|2^6j_xGo@fg3K!Hl#>9!)vqSmU$l;T}lj{#lGLEF|}UYbI3qdvPk(o!|ykZ3+YKG zEIB2V?gUz5M%GhIaB^~foVg+HdiN2X35&JfZIOCEXarDaZ9BsR)k%@fS`5;|KQF$F z#t=jJFT7tpZz2Y~dby4ANp{%qnOM_jdtKY+!1x4uV7qBxzOc=quiXF9)ctq98WyKT zZ8u*%wXqX<+ReAQO+@7%Uzm!@mXsqGf7xKV3vRB>7X=YlXBq%{>EajRwmJv-$n!pN zket9hVfxJhq2~2arn%C$z5#9Z$j1B!f0VwujH;d9fMZN|=liO?UN6m%KF%GlXJ2Ja z=&GY*DkswxRmlTcwuJk`eS7C`jISbNe6%&yW1KKe_f&MLB3t#zxII=)$biYkrAK`| zNoEqLG3tfR)AFPhn=C_+CmL-A_^FSP-rgsJR8P}M4ske9q0Z!THN8N;FB39a?);W9 zRvsuOuah5nQ|d}F4DnI&RE_PDf3m?ZZg!K1bQ1huT4^Y@%o&`C87^J57(Sdd*w!W6 zvo1$tKd?-=9PPegzi*N3!wW_HYjw=W*2^tW^3&wN7typSjNexa+NBhuolZiz%!l&PV4i=_g7X_Rf2tP2tGFd#W=D=N zXI~2FW1grD;&q!iviH?$oG5My$8-~VAbvpGN4I`f-{{v3C<^HY5Q7#4sp7BAAL7=Z zsgzdCV8peKLJLi)>r1F(|0*!Gj!zg4&DK4Dq{L$X^oDaXHkALMlSq>2x)P3LM$^QK~$!u3b^7=~qcvrONYk+ z@#Xx7Ha*I?m-vughR-Ioxt9;s&RTEDc;c|qpDc{`-LN&xq^$@Og0O;5a?4w9@q%JjH46Pwn z6``h+6pudtzudx(v)L0tT-s!7EK`gX+>mwuaGAA`bc(<%kb03>=9XwLzh zCK32v(im5X1#cj~k-fxZB$zJxZwU%w;@-mB&ANS~eTc^j~{${Nkk0bK*>J z_rv1p??=wPcj%a3$vCqEr@6%P!yP(#TnPvqj_6r$@e3QFYi?W=L%$2e`6MqQYR?pV zTTvEAlz<0?aQui?NRqH1Cxam79FIGo-DyYWW3XDPea@#GLk)4NyE{8y#~t%tA9Rc6 zhO-~~{JAejDql`{E>+-&bZ9{qZ8jK=n8M9x`lMFu$C-HX_lXv9p>?~fE$#+LR`{Xa z*aMGU$W?xG=VM~v6)}+%DS9F*6{ToivVrDJI)VrE#$*+WCB${MLI+d;mRXdv%4Y>(kt_PR?yycvx$!S$nM{R6yO@>St^m$G3UM;$u`H#aJ-8dRatoE8 zX^8wFDdJ!uf9kw4G~9>kS-Fu_U2=iR{YfU7u1$%I6LGHB6GM{j2ENs_)9y?r=xS|s zAKIW#1S%r?kRC61`Li=XpcUZluo*ns@;mvJ;zw1y?B%R~lqNDGzZHYot>Pe!)}U8Z zqp>est2?^A2k3*3Tf^SoH2qM9iuT))^GEP$0J)|4_Y5A(zy`8*w1vfrL z5_Ci6US`p@c{fl4((U536g+2c5({sLd(*uyLY}%^{w^ptjxMr!0L5{E?6S%b{90BT z^{?by3w;vhPqVwFa&X}zjAQCBRjowwh2nhVv%R8~s7lAnyR-9v3Q6%9I@S*S|K>j5$dZE-;BiPAJTL$e0eZ*J} z;08(+sN)CgH;1C1PHHQB3sJ`i14<2jr##oAQvk3#1_dDT4O|y6{C_YK z>Lvl&S`~Q`s93F=_`YKq zWl%V3tOCXPA#SLMSvIP201LZpgWw7rtBJ~lydWAEmExgfK<_vEfP%|a!0zk}1^iS1 z%mwZYA8Dh+9?=RinY7KX$Ib*VwdqseLy$lWHH!+wWx!+yvvg4yJxGmHf7ZL0r&#{8 zPUsE}&(AEmL=v|t6C&fQW)Ll$WwVtk;-x-W+Nz~X z@v%6=Oj*}&|66?xMs3VG#Qfur*WKXO(_&x9Z$8R-JFF zj;swbHh1&gI^gL@RupWYHomisj0S}yNI!181o1eM zR)gwF*|JWbu{ZInu~v-^n$dECs9@11hH0J0HlBXaF6hFB3mK$)t?E6UANrp6z1KIu z?fkSF0%Y-#E$*K50n!9v#bTvr66ta4;_3p~39TaXMB~M%tgc-RdI`!bwdl%{(V$0) zct^5S_~}t)wd0lBx;wT>8}T7qXgPMd`jor$z!w zc7h+Xfo?Cp>+zH55nlk_R`&I6s8w8)9)P|rBA{KW2&yOY-maw714kk=#;SxP)z2gq zWK6JeN4!7UD+!sF#T~;h2CpA<({bOjLDulQ{ZDNK*K~cQe%B{=xci1tl-F2#+&mrU z!p6%wn+yIi$lJ+t8ORE{Wsgnr5B!2+m&$-`?c+Xj&U@u%slypoa_fvOE?9Y$fw9D& z0DbjsS z`1ag3r54!9+%N%f)Ca0Q17Scf6k2_50h5`M`KKcTDUPiOU|66B$Zo_NOmqq$7ez(g z=t(ciY*4%qyh7pSX%#6G1F*QvoUC$i5UKv<1Fbho?n@{<_$)J+aRLm5T8=T=V3?n4 zQ<9K9k5SX_`TeN%z6CF-{72`!3J#}yR4O1i5~*+%Y{j-Po7*#^@C`09y5My1#rVJ$ zXhxwUSHkPPSj2tG13KS5^M|f zHl3H%^yZy29i?i;9$zMu1&g+_)@|tSR3+5bNM8(f&fM$|-h%zk+kGl~J56oCcJEp( z`4)<~ljCUsQ4YO|-LW&i1e{I|2akH2uXU#h&EiEg|Ht8<0G52b;dfitqpa$E|1%XO z+=>sY&2BLgjS(F63O{{*`U!Mpgj-s89*s|adJ`?nt{AI-LY=p<@fg!1KhPCVPDUeAKidc5L;#k zwhg8r@%~RCxYbs%^xT!Ce|N@$T0PU;0xU~&q@LHdU4Sb?pM2(jOxtH=V(xQP?&hzH zw!+zx>^`OfK38QcQQ2{sLslud6{lmc#ZepL`4ff$Vh649m2WZp_Hb7%fyI5!2tl%P z2eY=<|B77dNr51s!_I`)eePN32X~j!SNR>Cx1u)IvM~}rI4wcM)+e)WTc24m5ANHr z-7I=n8^Ks%uhnBaG_R~XS~&^EueD`ZTgx%lvMoz^i?7D)(28P=z zcRS{#7_6q6Ou{ocJ$Xr;JkFzy*C+_Bp091S@6s7JjWSgwb&*g2(uQ=(jfb8<%{T7d z?00F1%rA1pVHWcity^YVFJ-A6(6+%oR8OEv&%c%6)uL>c>g`m1d7E{;2zV)c3ZnIX zu!mRT{CLq}VCp8bwlN0Rl5Srnxrh=7DY9X()gl`<+hOsnWU|N+v8vYxlZ~!CqsbDI z`@=7?TeWcI4d5Vbdh>d2DU^ZtS8jm~L03d}tC=eGIE@U(4oW59+H83b=adAoMs~Jd zP#$9#7lDWf6if_iLC&nUf%N$F1wG3>6c!mk;^TsU-i17gpuK&+y|*>C8IqHv|Fl$)-9RV^hypX0&&y9IYm-J^5rmIBVi6FjB$h)f@1s z7R}~M`yX^5(#@#?Ey$&a}qxSbqI@OG_kca(rH}k!q4~FwmPxsAkKd$^0r>C zqWLA2f#WICTQrR6*p9gJC(i(hq{yh?w3R1R=i#=3e26)wKLx}re~E@q-g%T~ZRc$T z$&v_CA+%BU2X(0b{0ZDHz1x^bwMMD8!@iO!$+?q-XM!)S@N0PWUGo1lE#?l+#m1%8 z|9B(TkUTZQ$>E6?^{r%-Bs3ZKblmg5fjMaz*qED>#r?DfOBn*9G!k`1zy*I;c*$X3 z()oV|t@}anikY(<+(qQ5OhP!>uTELIGf(9iBcipP`VCJdH`JA=E~JfmnulV zwBkC#Q8Hza80mw)DlSCx+vWsBw1$TSp}lH*WtmLUbN@Z1rs#=;1_|KgvLOK#t{sJ zx*_=xZszjOm+G=#rqAop20MRY;dx%RvQOFe>IAU`D7w8 pN~<*FmhBL*uqnJczJI=uk$p4A@vZmaFp>1K^tf7PF_!brFqQQ zCAfiJN4)l#lR00f{hM|dSO!a7CPi30p&aP4$I7Dw{Ot|?h~uuoEPfs`xl0ey)No7)U9> z`&hn7xo!+3J|N|DCdWQX~N{EM}fQOA(nDs zefK=j9C?2fxPVp5AsmK)J>KBpIA%WW07j#*6{{tBkUIDV>$fibt0{WIiVHZI zuilhz4a$EOb$=xE8UmNI_P46RJC?6BP%3ODZdpDRh0UZgnG)DoXZKQQPT9+0cS$hP zpB^h)=hQkvI}j*B&)@e8Zcqmq?Q39UNkhSe!^~0z-NN*>!8IK@FsoxFgG-E^j!h@E z5^WT5BN!U(H)0gNxdpRz4(}g!DVh{o$H6rI8?6Kjt5{fA>l3GEv3$5(R)XGvckojdNji3!g`>RR@q2f)zi9LWgFol zG4`1$Vgb#j8w9+%WJL&J^O%;%8fXt>$zZ1y-1JDZs8SREbsRE=SRj&&10;5sd z?uFv@<;8X6LCAgqodqE~xeEX?iYlAxeX~qfK~#<^v0}<26aOWQ_#UFa3&IDpo-L0k z+Z3RPn<;Y@$n3EfffkJ~m)@ zAGys4fIIJjou_K6-Gl6}Zd-wQXCb{xzSQuxsO9ltEyWT=$@8RubI$+T;W6D9>1lE| zul!KkBK3?l+>o~fY8^H=_OvqTfLb*OdwT)s6RT&R4rGcRHem`styMLH04b>Z;mh2o zX9TGL@7peVfgQ+3QYC9}ln<#0V7e4X$v|RK`}!!+5@FY?Wl6=U<3UYwXnJJ_fx`_@ zDjWvwB@j4Sp+USyCO^}i&CG;GKH4Cm@M_F@-eQj>wep9(N)M)exyKf82#-~uM;8~lNJNd3L@$d z7gtQvzmRqYDcZS^FrXiQ1_J}QD zl&w<(^LpJ@oLe4J0bi`VO1uVAVIG4}647*Gj8-gDobE2L4u#7>9_OTD8F4hFp56-t z6S4UEPH=~Tey6T{A9sZnu;V*@Qn2S#9RG+_e%s#*7R(v|?Iq|YvmHS_?3{}fcV^oYr7!jc^7Aq)?k;6FJ<$HybX!ozSIJHkru~9?BUkA z3m#w1SI4e0vjfF1+eq|!F~VA%sC0O*#tM6+A-nq0p_{+BMQuOb5_dKreoqLuy4jK_&E#S2KQ5<&G$|g_bSzClLblF+4Qo5F4`2NOG2-WW+3VO-;IG= zM$aS-D*SD8NFOc@+Mq@mf-%o#m(o4vnq}-ac|5!-PBtnt(W~bL$Dh=2?KywR>zaxU zu`mouqc-&6slD!$Mn?nzYYAdevuv5`x_`}ePA>v@MdYXhUZk5QE!mp9nv0t}H$nSt zv((@&CeH3I#+9%55dY{nbI7&{hg~o4%-T<*V?zJ*@s`HVbn+LM6Qr|U1>~?R4n_1DBjimIw{vaEtOt^2f*Dtq$IBCMX6s3<0lg%t3*o`n||@!EZ`0aF9o z{8SGUa(5I>4^IK{i>Bl)!>`k39L6J&i3?QeANG-@xQ#yyi2PT+O`KVDlF%9%XmIaf4~4Rm`CnQ!_K5^j&baF{|ts+|^R z45VfG6P=A;+eP8Ld?`p)>u5LV>6e$qy&z^l4TjO)6X3{P9ae7XD6!{fReB$p+lrj2 z_Jnp0pMTo=&-+{P(cvKjBr#&m_)EZ`%a z#-CUJB+lnUVtSdTlw-nKceny%deMTG{?&rC3b-JiByYR26G#An2;lgApa)>DC++`= z*Im4P2`=C|ql#Wjg~DFU4!O9(C`Rj^w7w|$`8OA1VD%HUNp@OX-+-!0`zOP#ZC{un zO7V=nUxuI=I%ANh)#M>^B4!?-bEBfyn2CUU5 zYg`-eV(;7A3Z#GmveCBE9b1Mrx?j@w;KfUYve6ji%QGz9)A8~V@0Y_M19U~<$2)>_ z;IvZ1Lgq_+2l&C4Y#UoUl#(pz`TSslw>us9wuvpoG(zwg=8xp<@bt|b5TVAt-#%B$ zV(y0DWCPkv3ay3aJ~I?~gCN&Qg0-+mxdWNUprFUx%cX_vV?(=L*0>v<*1H6kD*iD~ zQ{EJ&Q2b-%@#kU1&|s5LVrfZfI;<~uU72^;_{mh zpMig`d>a}exl`%$w#n4#nI8y(-;D(J-IESh$;`@gn4FTGGoH3IVaN!LhYu{a8!LZX z;yqEExQgzg&*7Yef3kPxolWF60+{sFm68!=6ir7u4y-HWddbh!IFILj^@minCqQVJ zkSN_f8nC0x{LFVa>mz#d@+~e)na#bXch%R0%$Zxeeo5;7Gi8+%D?D%JlfTGQyo|`W z4iX{H=YhGlAk3RO8)fpZwz0uzvMf5bPoHdDr>W+8h|C%e2F=6Y_(;q%DepO=D?Pgw zxvrAAFnHh4=UyoDKs~wjyNOtQJAe^PPE#+!ZQsyiJb4#MmN-3KVNDTjjCnNp2-4Bw_DuKlIUhbO7jam>T==&uz>0A(Ggqz7LJ6ZL4j1y4^R&<6(Qg7A=T=!Ou znRrq{KFzHKuTw#KT)R2Y?VUYEpfuO{@R?^|+)019#Ex!N0%Gu^`aF_XZu*cR-q3 z8vwY=^Z0rC#)CVup1y06%o&ra`<)qulN9`M|SXIRR^$`C^#fK8Nw5O@v| z!4vWcxgt*517z7j*I+YHbaugC_+azl@rVFOptAYw9z_tkW6|GsM8QIJ^f-me>%VDs zPGF?qHc8X|{7NsO!k#{66&jX7qx&KKX=|eb4r{2dEPA1E{i#wyMtCwdxj-ODmW3_1 zi5BQ&zQ<=~;0NIhDM1`*VC+GS@y)=KpwGyta?KMH_|ALfgCEp;BFC4IGKG^(YKQ2m z#y9Ug+gaZa%i*@mv@T+bUr2RKBkHkx{I-^?T z$vXm_tsoi3Y9zm!<3qp6J_CxFh%f&a!870rxE%Qvnr0J~?-)0%?QZYR1cN*96f9U| zaSuR|LH$vsd?Sx2;OkhZu5rtapUWhfUSJsaztzW_-`%G4@7rr`0xD|h|3~a+t^O?@ zYf28Bf%#U!2s~GWz^uPjxe82)TQ8E|AL=MhFKc9`t|op1=X?XWO71vO(tW6t7nc)cXUoCn^ zIG$UZ5c!2@dt8{G`r+Mv@>SUfr$ejAYrl)Gi3IAE%UOxn%T~DV$>}>$w*46h`5Sd2 zU(j8=>3X+$wFh~{&c+;CWjW7bggnMBDZkec?Hiu2@(>otazT7h42_qCEQM}Y4neH> zW+ea<`tH#(AyLSAHW2=@iA?7XBy^c9PL<8wK7q)&>o}mAT9SEXy;6>ps~jv-mhurj zvoj`I1Q*-Pss;Ug;f{xy%y!HK-8nxqw){xtg?%9e8E(_&=4-@f7u%vHhsj7XxszkRp+tHAa#Th=wdeW0BTkI z8=5VXFoGDrBYkU!@^^z6T>7B=68xST=2nIri!Iwhe@CdFn|SjsY&2{YpfnD|oT?Kz9a~u?$=(@IrI|yCV%Ro90MwIoN z@OS^~Q=g+Fz7el7eE$=ioT%8nm4E5|_YbFS55|}(vkpA5-V~l&a=BtpaU$7$yK62G zTHT_T6nh-T78bwu;GXra)G?UZN&t*2L)+H5J1`ftHcy&Q+5njffZAdt{m~$+vO-k% zdK>IgleabVC&oJ?j|m#JV=gq4NiEGqCZG;Ca9^rJ&6-}QM(rzZiOvM#J1}5>^;V&~H&yWWe`9uH`pVykyGo1EEuB{Rt|EM5BRe4%MJbNZzot=x zxn$uFnaTg(Z2?$hOpS7`D)C1RmXUba{@# zUIB726?G3k8BEA9SbzbM8bf@VnN!%!($YjscbPoib&Cb$-e0gH>8Uqe{kG}O9G$`y ztYaPz%KENV(X;iOJtVP|0$C=YXhGel7~La zmXZIcGlXYvz~erpg*zT>#2|@CPL+Pp#GYHehZRGVNQKw`0*k zmpZFb=N}R0%dTh;_sCI23>ebJA_1fZ{__7gH@_xDeO7Qlus&V#GSyvzDr4c7%e;6# zm5}_(Kv4(sw;)+Sd&6PKRm&{}7RZOel%eY>9z7N>*;osClJiuXfIR8|R)R3o7&C2G zF^jB8S`8a+zP9tHk@sQzNBn;tPjB{3cx#v1_NBX_pwo3v!=-lI)nbs)r1_u_v}hqB zHLsd>oVWbY&Q*A`OzBx+nALk=nP_zUZ#+_;K#?YC?y?kDo2qnCsg=ZwFTD+D9C{v7&)qRR3dA{ zMpQb)LA*qzATOFvW0-)c9__QhfPWYH)fW82F2WpX`?psSH!3P8-l7{sXNpQ?MqZ1r zgH$)5uSQK9MrG29&Ai3k41TA6^E_hi%RL&WB10x@=~J79 zb_cEIU*tCvopyFXQ7+52tEVe{ z%mufgm0O7k$juN*eg~Wh+Is>7RA6KS@&D@op+)(R{5sM^RY}HG`QKz89BCVv)YAll zH%)%6-yRue6K%V13SA21&q}Xx%sLh-%Q!!L@(g z*iuFR6%VeRIChjh*VMToSkQvp7ZCXDb&Ox>{6Xcr$2%;b%v82uTq$( zH(=cF7r)NaUSzf7)KJ|+WF>>N*Wf3c(KX~@ExPvH8ZzZ}hKEqsq;Q;i0qzb4<2C+z z9fZhp5U0I~nNDDsuBfjcjh&~m zR0~re5Q67@5C=_zO81}ir~qlZ8+2G2_OWVjagx0*!(-_b1FBXRC=`jf&GW}S2Ald{4khAF~A2wC(#)Ax1<(CVzQ7~;xU71%@8!;JL&WUUlMmWdeoom_uXS*DlQK~y2TCl)R>L0hFxFa@CzIMf61=l^$*p5NVH z)pJ+%Em%U9x1DR?&KSqtB=ky%TLlV(84cx6bILA~y}SsxS?dBmgF%Uv*${kJQ5WzL z?AQh7R7?w@UaY(fzvgGO;7eyKWRk0kEyD2PD|X^LU-d1plgw=8v_U!)vsj)h4*Dz2 z*elk7-3Lsmw|(kyN2Z)`tC3e(^n$$^!JZkb{xJ%H8*L-#Z|-%w4jQSzGSz}*QcDat zS9W!cujqq4_6hsUwjJi09e2wq3^VFKT;KJGAfnmv2gF!t8pbnJ9x4XT*oX z>7?oC8bWo(7 zN)i*2zO%QiPVPhyqVCMs7lKFuQRLD@OOg~S^SC?un+Mo5NJ%J_Ru^WheqK82I`pr+@Cz=MKl$`}@A+Wc zvCtbEyf1f8pH5Nsh8IhQUdWqH)QvsmiwTNgjffD%JMc_e(F6&muOza)$rau!z`e8w z?Er_<`n(ZNSaef0d+g1UKx0Zhdm$2!j6e>JKfhTUufxK>wP{2}X9F-vmlolvXB8KSo14d|(AcmXb&n*^bVLS9j zlZ5uNT&@P77z{dE?w|*3? zN-%ZiKE4<2{j_a5vN$Q*Io9(C=cL>tku$bKd>wU@S95LU@~mF2v)o*KUtVeuBR&)+ zLMHvcB7rP+E`(kMRaC)_gL>KCL&cH!OmrBMvI+2Mg&|^d0$mka7*DNd4+iqdJ9aq^ z)Hs>iJ%F09!<1o7NuyMIRltvjVjJ|l1^is$h8UwMP%{+_nzPItzPFPpdn&N!g28Dv zP!7&_MHO-GjnV21s`LeA7&VgFgg|!cF|u|pF8p?I`62V(x%c_AEpg7Z=%Mtm3z(=9SAW!sKc+R|Lbg|N1uE~$qiz6v6vi#*jxN3&q8Tu=#7 zA+-x=QamI@VSc6LB=BAfY6gDVXJVVE!)y{Anh6Gd_&#zFdV)2f2y$|-AAkDkVNG}l zX&a73%m|T&)}M0mbf(@wa5G;w8CqEPA%4#}@FoQ;%+zCA>N~N%WH3a&3j+QC2RaO0 zUbH)4+vUHVHi^FnP6|9GOW|ch#Z*Dk6q*_j?y7f6EOSk_2s_S^CAJ5W5<4RU5u)z* zK-_I)Vt2-@frBaw65?-WAN95t`#bhqR{33du@{SxT~lG2A1f(FbvBM256858=$#Np z)Rt4_FBglesnJ&^={=N59_c)`sSk=ol9-g>URnpjN*qG@A__bV)$8R3@~I#pj$@S5 z*)uE68m?|LO|pZYP&;s=#X_>m%s-5&J3>5|=u~79g#B{?p6i4p_DD&i-fi>09Z(GB zB1jr=G4JP>7`*QoB$Q8;!xWN0V~ozz=6i(QdG9YuH!s025Sx-CwlK1&?ReA``pnyD zSDBq;Q6;L?X=U&()|O+v>-7A(|D{;F_ED6=ah7*_L+<_K=K0xv#}Y{tA}2iLepSQM z67%iqaNk%sgED3cVxEMN|3I#6tT&06+|QzWvGqlv=lr@OM2G;)wxX2El|e}5pdWZ* z6b_`mGN|cY>|r+8IOh#W`hU-Jhu&DyD$d7;x>$}BFEfH4B4^j6%tXLUbx_4^&i+et ziymLh1wn5Fm)mTCr-P@-L2=AS2h#_8c;RRx$(5^+Q%I)Bh$Ox{R}%IVUYJZPBc^vn*C6&pVoY|ug_#^#fUPRFmb~${mSu7}!%cXS6M6aCA)}$1|6uCSJ%?reX%r+ki zM93(36c8PGMI8?u<%5Z{hRKKns;kP^!v|3;!@C5rzuaEC_}4r;%f|Lco>RbvaJgcS z?ct2a$I`7O=_v%iRNYqR6a;RiLZ%qFq-q%iN(63QL!$PNttnbi3Zw<$9G@tNo?E$* z^@?Uvu4l1i5F1AnafI)#l?9XAhd4U(F%``RSN@Q1!n2_z1WG3F+>W(0LV zSFD{SY+|WwbM(9SiD_Nc@W&OE1Z{8cIHYB48yX9bbnM4bO*?v)AK@#(v;tDqkq9>Ir;5DF}1p~MLc!be*q zWcVT&q3#{SD3$?zd_bCZ<`>N5|25<+o;~FR9?gKAzNcSU$2l##YztYj=@uA5JaZ2O z%Ea?~m-J6kt?sn;%p?wF*?xYER8cLd9=gqc0y5~!@(w+t%RkIP*f>H3)Gs{^2ZOgW z5|?1coxs~p_VtfbNz@~dAkq-pi#S&cA}LFto(~ZN*ZiTWjWIzG`mtF6yI0?tZl6B! zI!nq3evSX$Wl>EjR+)85YB77!VvkiTLN8qxb=tF5G||#po9ig-TBPhMvY^dFrI0Qn8dA7=9a_mg54bX(%3* zLNi%mgcd*@*o=D}Q2gw(_Za$Zlu@=Ykgj(F>5vB2N9(_+vxyy3^h!%X>eJgOnOJLZ zA;wf6EM1LzJgyK3q_Nz&lz&jpnjwueVLKZ-PgrmkZ-+h(oTR%9 zFPd{R-23p}TTz2IR(%cMw8&}U8d|ck1!G6Fx4j_ehw9R~sp24wdW+uJ_vLb8q2|jv zqBcc9mkaDN99j_+4$@#~i3gbSQ7*G&w2xAb;vqzY6Mg1E@-A~2BX34tRw^*4zGZT9 zJeJ;xooQ*6V2YGIt5XkDHDyM$Rz;anC`(sgPdQ8|dWB=jU9JOnvsc(mwyu*vbg4g;`;3+4K^(c?2vmaDpy>U4g}!2yLgV(Ju&N z&H}MujVn9C_vGsk4RIx>c4xyIIulnhp@)w1qyWMcx;W2tn>Z}J8wcFNoUNV#Gs=oK zX5~oN%MvIIes(QthZ4a2tl8r{u;Wpwz?oZ&4@Vy>XAt=D$!bA*omg(EM?mYyL&mj{ zm3PG>;z$lcmm!+Gys5==b{rfQt2uh(e_NO}=VZpN*y*&npEGiA>3l5~WH!TE{=ADB za+ma+()KL>PN**Si8Z$czGM!XEPQpq6fS^!8FaWCY4gH1m5RyUavE0NjDj=2ht{)) ziNh3-Za<-zjX-f4%*|5bFA(;#9^3Gwp)*DJFq99{XOt%lodH@$p=5Q*;zgLaX@yCv zejOwL5!kO;@;wXetj3f4uu?315!6o!;&eK(=!A*degGV46AwxAXO&HHRkj|Z4#%}O zeW{48z4TV()zUJQ_Fjiqn$NBna(A2T#i@2igE&JB>-5Cg`F%`EWSzUDn;V)?-d~OO z_D0}95A8=wv5;Kv0Pz9+6;<-fDTnk25E=6X8{#232sZJq|-8~ z@l;k@92GdN46Ag|R3>U3frcryT%#C#p{<*X)O6L)j*n7A=|8d533*G#QeiEBz|oIPl_Ai2r8XPK__ODBD=YPs00s5as1eXS1}j)P)XGM3jT56j}lKS zLvSB+ie5^G{$pw%DDy3eYX>>~8yhG)=ffGOkR^qauwN+O3hg7&Z@nTO+lrkINp<;Y z6t+L@E;oTRu|^z;-jy5nacy5*48lrD6OnDtk-c+f71^Y`-R375yt_Q}4%74=3sXD# zI>FqBpO$9E6%5-H877RKD&zIC<}%v6C(kRh_*fUGD*m|m=NRe-)@?C=k9#}hKnMVH%gnF>6u>vEFbpu|U z-Oc4Kf6khRZQka={2~5vd+xDoOPM=k3B}K9DL0mPXRHfPY^~~t2oSH`u*#>7QC5rg zao|#HbV51at0<=Y5s3hCtMtU5xzk}zMZL*ylpG1*K+0gClzZ@Q?q7Pw!)y?DMgZ!0 za2E{z@f&69(Hs4bDR#w|1XC@htp6#Jxk|vVe<*QJR@qNBH1k25-nTg(587~<*e~<5 zDofO5HTkX21>(W2u0ln&vR8~q_bS`Ul}O}q!_E_2e|Me0yr5K-tc#Kh^VANU`T(jn8yRb|=+ zBP^Q5(V^+~@Jl2@1P|GGcxQkZ8WMu^RK@H_LyiJC zp!^L`(x}IwWOj?Z25Kr-&{rapI({72@z6FM%UClq-%ZwRfn0#tPSbPex8Q_x$%JP{ zDp!8bREZtfmGoi6MPYKSr!=>xSP*n1sQ=AbZ1DCXU;4COEp{xE;5$i|3*Y@F=mR%+ z>0l7-1hJ1k%1xt?>%t=3ktsnXx`8dhP@0h`>Yx+9QbA1BYofZH%$RPF?u1KR-@X4E zN&eU&ILXcjh(1I5AH5_)wid3n7JD7Yr&2Pw*vAS&!l>eMCG1xeOG*c$OvyX^R-=z?hw#ABlgJV1X)c&qy3o>K!<>wMHMRc>wZEhb*ikl=1|MG>BJg(So zmu6WEf87Mv3e++>D4PmT517V>Josr!o}obx5gB88MNs0^BlhihoA6>}UCIr5v5@8r znD?=;b+Z$4r=%)cbtlyXMGF^}1^ckNc9c{1QtMkR2%yn8$om34y}nW}L3XO{PuX&* z)S!6L?a0XPLF&^7wKj=G=?d0NiFQ`>hHgv2*f#H zpPDQz*oc5q`6I54A`b{2Q&`ErusP{K_PA&=TuaB+F_9Wdlflxh+0dYy@0jN7xpS$j zbu!bicYpkdtAOnV7c-cofYqmL21pu$h1**4S}e4Q#=PvyD4ch=>g~~#AEvLH9@TxK zY>(*QYfNG&bdkPJgil9Ou)~m1gBFmehA9{4eq&4pf_9>05`n8n6eV;|W<7~cRXP;{ z7`QS@Ev043z&oaS4SaBKk+QgAY@zSclXQxxRQ2iwy59C%S=cSC5ovR`qf9Mms9TKf zO3TDz=oIFCnflSJR$sS--9jsT{|AYi!j)DV0BFR^HuvXns3P|ChB-^F-->$or(v0) z%95Mv7^c>(u8h(HBKM+9UTsTdQjpBBXs<0Rp&a$uY`yZ`(KDhC@sU+bx&?v50_qmG zYVmY{d91W(w6-OiUM12yS4_ObVk3Oo@|PN&m)$kms-PxC=R9w!h4^t*IC909TQ?2k7 z+PBi}@~{s91nIe5k#o)y!(2d+kLI?9%M*P>s<(3+@81A6WXFrN3`yXbtI^~azARzNaod&E<(=eLWpK5#bSgeDSb1sdD43w>Ag#8>QLMaq25*>$<8@a%s!U44>8Xc*XV zve(oANq^`*u)&Ba0&qyLB8u&+*`pe=d**yiap_b2pzz!};%mhGO_Wpk8QiDNY^mh= z`arvO#OXZ4r<-2?bSk9fPt<3_itC?1)BpeyYdm1dR1rm=JC;vx-R|AO$gi;WQ#n7)eQ^pOi+_=j(^jF{tRIC+NQgSD)%$K zC8Nfxt!U{2ur%R-RE|HBloswu@3F1dgY&^u*X9oaO;7LqM=N$#@jd;9Gu{NL{krDF zjT#5OolzJg%b`l_h{Z1qN9tb9^%p!1(udonl<=L?DciH}9rL#Y6v|oVFTZ8?H>d#j<%IHj9ME&qY*yZPo5A+I$YaJ&2@$Npe&>F{{S`I%O}(zXzhlvyyJ~3F ziTo?ASaUyYgu(;RHIo$9|SqCAEeC?Ths%1QAZfUZ^GLpF!Et&U(3cqM}lS%XDKN_eLrjNJQ z9*X*C6Ehw#lz=1_Y8Ma&?9wm{Ax?d;jWYJ8yGDGr8XhVxbn$oUWz!?mQFu#E8F^4+ zNl3kB#HX=OJ{3xtg;0MM+6*QH|KjmErDPpt;PJ!E!_mz&OFj)?6CEZy{DNozTw?L`VVP5&k;=|uHhnsrG zRP8%T45$D|T?70g=`e8F=fz{#^1B9hZpq6j@{+Ba;ERFPl_Z1Na~9M;*~?l>Yz-=~ zUF(t29FbVHoY4~0Up~#$yUJ(ycxE3tSGt0b5XM|)QE$pJ|;FTPzP+2UmG-u({y9<;aYDZ++A~-eA;eoxQB{(foKY ze}X^;r6&kfHi^30+O9A@=C{p*VXTVL(1dRnsKgqd#TVO-5A0}gXLz>+PlOtGg9kem zahYwYf{}D0Q*T|oxy6fb+UPh2b+gOHt#lAB^MhkbwB0g>Y+G_$tm-NC`?g=@ya963 zyTvc(Pwc_H_X{wmg>_bDm~-1Lx!<7QT@_DHXj|4WnM5Dz*=k>E@ z&CfryZ}%x#Ovyf6_Al#$K38(U8L`0`F0TksdTC3oy39h& zn({Io&@CRN+X*5Cb;v@z!vuF&PQzKJRXlF>T3=C09p2katoS+-C<41VDA!(;+caDQGoA>IkrQj`e!KN!C#A^VK*26G;PuG3QbRhlbM zt?*I;ZgtX+nrG*(fBjEU3amU_ntYnLOQlYG_U#;1b!OeTesoX1T@rZ}|K98GIo+l=7siaCil@4{6tn&D-bLOyXU!R_%2K)REFp>FJ)!YX z;;qrk&STfCY~bsoEcb-f4fhA>OPiPr?Dm;*jqBAkT ze4V9LQ{ot45%zBFN6WP3<*R8*I%TTj2IBP}v&0c=;h3fD{`hMX#N+C%6~FnIJxJGy z$JXmbr~!*zUh-z4u55ZWd@$rE3GE2{v7$-%2YdjV(;fTBO%eTmgZ(3ZPUDfpS3|NC zxVEn+NzHN2s;=?py3yl(IG|51>o3gF z_ZUrbSlsaNm)O4bzYhqIYwZ8wfKrAqHu9KmbhX;beY~{3Cu)k>(f$<&&gX0zmp~8b zVH+_GV1>D@cB6uLQ*gF@#15mLpeL$C2Unp4+@nLH%8%ZNQXnk)cpP!nY0MmEx4w5b z9TU=CEeY<`Q`2A;tBS}^2Jc}L$1DWk!()Bi%?pF|# ztxUHdC9~I0b+>TPOgZ67#H*-v}5y3e_fki~1N|W!>-5fsRoS zr%Tns^H}&_z6t~H(a<%7IMik{fwS{y`rzww(vCVGI27r(AdJ_M%U3Y^E&A^^EVuYBO%~VYW zFo?HpSXKmT*#BdLYD?q>6s+`HO>s-*;Bs@X&l`6?TJNaSRSI;nal!dS|K8AR zwQU8q@>V*0e|gbefEe0N$36Nc2hV;G%jY6GOW3u^R<-KZaK7Eov@drTn0_p@PGLPlH#!b z<&g(K5xcuBWc0a1#G5F*lBM&(he1_T8}hzf#; zfOL@(kzS;CgeWca5JD2tX6{6v=Y5~`y?@>HTX(H{*ZO7~Gfd{3GiT2^d+*O@Z-}^X z-gxV#-J1ji1h$%*oVp|+uyIU4KDQqP+C|+f8Np9VSQ-)`!%|&Ck8=l>ue1Ang{H)2^zqUJ`ypW$3wJF!`)Tg)E zvXRoF`8O@a>lUwxZ$5Zv&Y?QDLTc@FL0&K=n3TdI6J5Zdwj^CI@>)YI`P@70_xlCP zp6OYeeL}g}UQ&?=uvXKmieQ+6;^HC zT{+xZ0qd0Z1ZRQQom&I0R>=y^cHAuaYAV0uoGc@BK=HU=f#_J7=&&JDYrkDq`+3d@ z#c}LQ*U*>2xO&;ElU*(o0{ONtYX~6lVjQsXc;-eF>HHuOwcU6q0!4BfEOGcgA^6Ym#dw5_9}b{ zNBHLL8Pg@)hfo$HQ^#ccLO-9~i-=xeYRe_>(KxdB-CHuDyB$StVLM!y1uUEzye_j7 zeKW%Q^YGf@PWAgvnmy8zwSOhLCSRy_+w%OtCmbREp_xbReZ1MWwAQ+{4oN24=kvN6 z&UQPWP~(BRUXy}lj*9Aa72&wxW2zb|r>-2DkGM~gK((%)6F1eO3hKzSJ}*76{p;<0 z!z+tg)_WuHSE!#;kG7-E_^5g)evg=CHt;ixehp{{H62$ z?MFJEezESQrWJPaMtcXf40YLlL;Fo5{ruAdYv%X(ZZE%o>?ZyGBk6|SpTy_iZ%4F! zRt(YbxKWf?btT+4ZY>SwAi$zuRkEX5}bkaYuCvR*$Ae{X5>V@^bp}f~JM<2xfJp6fG?tQ7BDzEgVf3BYvqI`8(cfw@D z)|;~I@Qn@;0}5>$q^Kv>#@^j4WP0*a?3Pmx55y!j2B)vHj)+&ViMiv1ythj`!q#vo zMz_%@T`b^9@JY4H(!D31TsY*txA~0r?OnUW&KqiUDBWK3MZhld#hd5TDn%mt5!X** zUoT8=E)o_@++AO5rY0Qy#53RIu;jT0rvdkmyAIVI%)j<=n*rI)O1JM(NNt3cpvy0j zyFy_%cPfK*NR?RVREk}4P7s$-9hvk zd~nMi&hqND=-D}YuGjB9;Q}!Ye0(O&x|4gmsYq|=(zRm?I~LX~gbEqeTnx>W>q$(z z_~v4!=aun&DJM(Qy{5%x)~{S*uVFg}ChR}meKsz;ssB}u^_u`I+KXFwaU-|*tLayB z`?lw#T$3nDb&D&?DH1GxG_<*>^bVm5*ZOtW)D{(^uZisg^;$L49dff)b4%U@-e%=kCmXnchErzB{Kw|HE)wZQ@lk8I7>A=rTe;9LqJa^GMr~&QEnUcf#zX8P~C& zQwgaic~)5b=+;U!`!LUt=g!;7rn8w_?+WUM-VV(YlG@s~%X@3TyE&3Bl6jg2w|=;OJ3>|4mi$pu+hbYy zTteN=$xqEznbsp2k2B;lHgzj!hvLmxbTEzgs3BPxiA(w2CfH zbiL?EP2N}c43p$q*0=m>GU$+7_NnYgSLs*VbLbxf`quXy>tnj#)~wRBa6gF29o~)^ zEEz13a?cxh1Vc}xX@t}O35T|6@U)y99_9`4S{&DYu-%qUx-5xDHZzr9{ zy5c&0x>b8z)zkwfB4f#Ca9;O(nmvc6y#3-C?>jC&O51H*>09C@u4SoZk2IH(J{s6I z{kSvFcHZukijt`7Zq=eFK>2galco#&zyJZU9^uq1s9c5^VC80CV?sIzZ%p^ zy}i6TJu{U=E+f%YRfY51^HQ$2H(24fJsH%T$}deiP6~?hD@U{__PP|J%k#2SNu^!P zSV9@016xkgc&e-zRTxF6Pxpi)tEET6> z3iAs2D(wfUG0!ffEE%ZDdOACBKF5yVdQu+m6tnmI9h3e06!&7$i;_q!-1pU|JNo0_ z#wUw?R5VMzd-H8|?W+i5#ZE=4qO{4r^!*u&X1s6s3Crc6E`Qg#?l0?YtFKjWenYrh z{K;ZM`I=JTi^Y^GbzZ<@zxof+ZDyp_u2vN_OIsD(^PSI%mF7ZxofuE&M_<*x(l49% z(etBbJI1tRV#R5^se6B^>B76yT@0mEi$1fN7mu1sTDGy)1sJ7@a67RV2M*va>9sPO z@*1Hd$8OF(aJ|;OxBFVgu(`b+&-%oLYE_LT$%m5PHOyVwl391fUHV=OHqI9fe)no6 zA5QF6JMQn%t2bLQA3zk>*_nGdSQq7q8(*8Y-b+FcR9ek^DgQ*?x-;j|_07kXzez+$ z6syQo`j3oZ>%NUe?K{8k-9Gyl8(!FQ1A5w>QA`zc`=Kwbn8EtV+R0~=$1PWL-(Slr zF1Rr{e#OzUH|JK4%5|Ra_w-{DXYI}&&v}=7tLyV8d zZHfLo&em^REswJ?A4i;uvYfgz;r&%wx(=I_UG(Ab$k`t+iS(J0zc6InP3ThP$c>;T zMxO3o-JxuU59ck*EiEZWf0TU`%DLF%y?A!e$Jy`e;^S*!L&`ykL1!5cDyLrI5xp_>gP(Og2?Qgs@%{kRoOR>tO3 z2@!iI`;Wv4->lra;>nJ@T%yb!AGe(Hd0g4A$cE?jC2E+4T=sSS0Og-UgL4&g2_C0@ z+%A^{XpEeAn}yOxr36w_8Ev+dOEMs(1mW-ItyWF(x`ZDi4g#gT5Olc>r!#B~!bYaf z;0woUX|+y_6{jk_IkhYGg@H!ERo)L)fQ8Ei@^e%@)JZ+b9`my7BwPb>0ax1cPkS6t z?2VsW^xqfM%L#0f;vLr={ZfHhjF=5rQelpenRUn&)a4K-K#!?J?JjJ$AjVY1hZOUM zR+Z<6D@T8fURScOr*L+Dy?@UwPUP#Hv_Qu*fg4{#6nrY~00S=JchJLOUx9BQ^qmN0 zYc6btX41-klD;boFgygmZkp}35D0&}MwGm!qccr-`0MptEGg@#{0}Mjr|g$6l7+x0 zS&Vd4t^UfE_zx;KrdjqDb)lk#j~eg6=pxeD%Ji1GxxhjAc!R*YHM<4Y!$)i2x4{~z z{~VuLb3j1w_xZH~0%5KK>;AsxJp9Rj#lUZVn?Ij|&mId1!#{0@-~O-H{&V%lvDbqC z91GorzY{oNVPt9we_A-+b9VOdx{dWts~Xz^pV)ZU#M(Nnif9xA$EgRaHMfKNUX> z73@71RW)sGZPg>{s_N>>@D<8l0Uq8r{gpku6#jJbPd}%ey&Uhk-t~6HddTwoz3G7U z@z$4@=MVIs*Pr`z_ILg7NFH8)PYa%)D*qc*HI*Z(|LGfUs>eU8bHUZ$+1>h-D+bmX zJcfaq=20!Z-wpn6U;TH;e>JuGZ&USS8b|)!^j}~7&!$(robMT7G4PeX3 zmwz|ZQ{~V7U%L3C=-+2yO&e^|Q~l3VGuWgl^@6_~_qd)yUxq*7WyXIAYQg^<`11)L z3mFbS3|o9BAYdq9dg{bw|26ZKAs_SH0{e^GlC;UK-fczQj8@l7<$)k-1PzS_GA)SV!po)4ldw6Yp`eB0eglrzzV}BrMFuok9&@x zhqhy@j;%2e9rz0pi5$VZIu7mFI%q$K9eOMt2U#zCD}Dy`s;jVv8H6bR@Jk#t2TKjh z{xv3(jeb|WIxep%-v3TTZr&A{@;P=n{2hI1 zs9mR}`4hgPqy`BF+19OpReRpdG@!OC(0{=t#o2kl`1tRL5Bef4q3M6oouL>fP+@^i1R!`Wtq7kxEu zsJX+3Y7CZ#M1WO_=T3>c+jZ6UO>R3k_p6xT^WynUWB?`%#pO>&Di%-+AJT0JSgLa zp`tmII~%>)Q&_IL6T`sOiXmVa7A9zj$~Paun$Qo;ZMp_b0hW7y53^Hux#$Fo0C(g< zl=Zzu*U_KPdbsYx zLVHS*KG;Y%ngFZlpd%e$Fb)UK43cnLBTeV>=*L5%;il@~X@UlAc@kJAE}%Ha zzJ0kr_0kn`g*t_bo-jxZQdz^xeuKm9`hHWBZcxZF!+zB6cPMfEseshlWZ^YJ5SsJD zNizs&K93$oyuY+L20Vp2Ih#h29a$y=Dr4(j z+}N8MFQ?WDO#w6_|ISBMpLN@pK=aH<2B{bQ+3(r1;n3!p+6Ya5_slIyp=>S|JPwuH zh%<9C;fpQJi1I2dLa)b49*e{vl%4n283x6x*{g-C<*Uj1f&wyLVts@}*9~kZs1B{DIB1FUGY1!yJmvEbj5wHS3Pf z3YuThci!;xy+OI2&f!exL(;x|`0qb!e@;G_RzPN{H`-{Tf#taOEvyX`N2 zGoCeSg74H z4&RcVTnTNB+^RHSctaspLc?OHwdLHbk?vkZ!0^YkJ)mr1gOt1Mr`X1*Bqhw$1SaTn7)f5K+NFyR!z|XlZm?4cum^!Gj@kalhLT=+<`Du<2+SJYJ>aUWrtg5lLG=w zLvDvn$YGOx;%ksj4FAxr>om6qsA;_WUQv;5P-L_mQ~F(}`4>VxsG?eEtyDxsVp7+w z>;JmLCE+Cf(Hnvfo}9YgYUZk;s+xsZh|!zC6h6JT8rmv@{q*4L8F|%P8AVA62|Z!H zCNj$<*2dc06Swfk|94vdA9`BLc69{m8T7WbyBt@B&KL?$ECjT8_0b-$R-6z~eLAPn zVx<2xO3x?W)i_t(w3J?0ag;!NmhdyS5zYGBj@UOs6R??AS;Q|8If-xK{p?nsY!f6~ zfAs1;)tx|O?HyDdiR075N`rS7z73gz;_s_@?jWm>Mvlho0+ja4!?eDVR;4sre`GaS zTU>wjMTAC1hz~f;?fiEuZ}9Ujq`o<|RL#K^_Ge=E1;UPtRKzGHYdM`AHOg1w-6rP~ zlrW;s&hHyQ-N%z*^!NoV(qef2+)Hq&!N9*rs(T*4vzuKbvm(cqoGlVNQjl6fXQ&l_ zuS$m<5rR>jHj+36SgEm)^CysR32)Bpu2Gn4viZ9Y*nr$X>J2?{1;cj6LDm2N>BO%E z`lvAL0;|l?_-98(cDJ`<%H)jIcjUPlvS54gE3JiL&;ofrRrVzbPKFp$ZFHj0q{CiVDo!g!{~k;V1D6debRs_)sK2y^T@*6f3{%wJ~mj6 z3W^Zs+@c;o@bNOY5`Qd;Xqi0C%`c7M?@?QXM%%4--hcZ)^2+8EqAoxP1T{x(({gbz za?v}w*1a+AfYjHEXqjjD6?*y0;`7&sT?_C594pnl5K6@GzM}7J4AQw;FW|XpWk~CA zLtsFrjQ<;@xaAUjK}kjPEBKttp+mf&^0kK!a0{U_l@ho5;-cc`eIyUoJT6>veSWQr zjq25s1)UL2CwtgYXs=Cc0g(ZX5qho7?BAf1-0CabZk4}SM%AIZJw7G4TEL0kj2u+V z=kVUzP9Gt>+eaP*R@%CMHEjkNnu7a>o-s}jv2Ajkhay+aT3e$A#arg{c-Wz>40X&| zPX1^SU3j}h{!6VdZ9hGq6hkAFmO7zV>GN2u#*MeiuJ-9U#NKNeIpOWKtrdxw{8n%X z${4w!+MQ8^oHMrpWIeZKN2JYdk?FVMka$)9r^C(-5qM{fWY^_J+y{Q03OhY`+ErS9 zvb!m^O;2yBCUeW|&o_rDS2OPAl&W(3lm}M?znvU2(V-PR0vHW!&#gDb1~xcjoXazA zhkoQ=(WyeXXW}B03h%|5^F?y*Yo*?N%yGw@EiV|YTCyp1DnuDtnd~ujNiFHKpTpC~ zcYoXeXeLf_RAw@A%K{ut5=%SvJ1Q@@(P z0@VB|slR8~mr-@nzRs^X|0Ka z4d6gT$wTu~ejC}M!G<*W+xocN@#Yl;8q^X+$_S);Y~_Mq}-+n=7l^IwV&O?rzeNd1%~>i|@QS5Y}m-NKp6QTNKB9 zb67Piuw?mT0yB5o&(^EL{cSWpo_g}e7$MAOF{3*c`OKIEX9b-u`fY$#!T@-xEx+T2 z7v{^O27_R^!_C7tuW|G7*467?Qf>LsvhATd(w|_VR?!aW%1LinmTgPn=d#~Mfsop9c;&twVN<&#* z`4%pySzD7HYwST)XV+oI=M{~o3sxfENeHuH7H18+fYp757?uREEw|J_W7oceeK*qR zrGb4j?JI6@WP$z7D>ck2u(Ggv@eTHo&t2gON*ENufXFNLN)$1Q$TOV1J~rxb?KhsN z#An$mcH`TEsr@q9W9X00Ky^Nhp4`}xV|jdO0idf~Ygo$gS>cL$$ACI*kTNHZYNJfk=%%CRT<*o*u z&fp`!;trOhewyEZ!PPN?B^PpDn|%tgueSqUoe9LKWwU_W#2Ddhs@~a6KA^4V^zVSt zg-qcufd`fO6jcPss~d0_v1Y0XOd`Jg3Ug?c7gL?0jZ*HJ$_>X)vJ)r= zdD-zegL~_OFXC-4ZfZk)E9|fm*z;N2eObgd_^@cRif91&n>^*_$oexQ6V{RC1v)Vb zcy&zBE?#3gvA{HCv*UPsS>Wr8?*YlFI>4$N+0z~5N55FRLw`>@ljny#zRNFB9C*d& z`*MQrP|2X}8u@|KRDeuq1A?Sr&&oaB8wy0aWgr10k* z0L3w{3S#nzt3mLVhSxEXGz;Mkaw`a}( zPtY@dVoYoayECYpEeWiIZ(Dk&?{ExV>@V>_c-_|STQ>23y;$*b%Zu+L{| z=nn4>FR?(ZLoRMyeETAb$S7GOUN8FdGQ1)q%wGk9UB0$9b@u-VNB>30&Msqdz_#|A z{<`Q$m_&gEwqus4`{=)xVsoSH>MD`!^UN1xlz${7I*Zr?H=*RO*~}EZdk`F@6y8uM zh88`yiCw}p6kp*|CmN6yEf(Y0Rawp_%Cu2YgmjI*On)rK21?T(`3vWC8oy!9^&2bG zqBrF7H`pHWdQ)a%dn&yOZ*7c}coy}*cXmGQqMF`tMMhfsU}P%rS92C ztdIL%Mp%O0#Hz{UmA;aZ-wzw#n{SWGP3j}fMqTx080>@MARp*9%*rT(R{BoV{@v$x z0*lPEjuDdf_wgW~=_p_2yoJ2K?*JqK$IZ`3N8xCUiT^XhUL*clv2%QkbMxbk!x3SL z;2T>1>>(Y%7sf^bYPb#;@82NF%T8*M@G+u|ltO$$SnOg7yL;C|8hN~H4XXjWpdZkC z8dsKbsaRp$*dfDW3Jb7LFckIEfrcJ@vXS9W?0JW0wU-ryV#{LQGjA5kwm+0ZT=cCr zC*PD(S}3Y^LupEbbP*p>rNB2WD+(^z_DL!eDKV2_1(`UXx6t#+6Ea8XHF+Wp=A3+1 zCUTu+Yj7A$80=6P0vM%3r{`2*C179`*fGP$@F84F?iF|mR6@c=tB>Iz5++b`=L|_- z+h)GVl2`ySEOM(W3B@20bO1lF-sRtxJY2L-zZ%Qr2bofiOirE;#=lK=r&PZ=5fY4m z?E*>{_!3qiv$XR9nbJmDOv`&tL9_~ftIx-VYhQPU7M~*mA#w*86bX(9a6C0OOb>XR z8R}MEf7tGnMqbU=&viCN!fHcubMq~0_hRn=5}D3ynXxpH)EwL_Z+-1E{eCz$ut;UQ z8uwjcPg)?Vcd)dt`zZI8W{?72i)A+G$yzjcOVQAf40FkT;RwfucWRE($sxhyr7_X% zC5#NGgG`?!nB^nfABBC9Y&XZT-YWnHK)#Dx(anHe0L*e?1=)5MygML_hNY|)@QQPqKgZN^b3Qb_P7At9&f6(5{-KS)*Mcwjidwspz>Y}P z0kVwCj{gFF%xUQwJmpb#@Y;rX4a-+(2?%ae4K{Vh+w1qhzUrE^>lTw9^llmby=$uy z!*7#UXiU!5XB`}Vyy>!BY z+={Lo`_zkQPoHar_OGBvCc268--0GaY;OT@QXq0qiI*M6e&0NB3pgYWr&j)~32WYc z-M`d!g84i@qGgO5yh&ibt$&@{3468f1(w_7D0CRK%|8Gh{*TlmOcvk$@%TB}4)s4Y zDA$r)spP;j8f|@fiP!AmmDTh`3GU{r$legw-?^5CF9&b6s?lD{o3VWw(<^kzEZ1Mu{8hy|)ZZZeIjNzd*-%KJs&jf}GWMv_Y4@EisSBupKW zE!_?84Mo_FG(kVwSZMxk`u-37tQxeIv_+07TqVusiAqtE-|7`rMy3zWJ|c7EBIXCCh|C74PcjPvq#CO@Oo?3anx{A7___few`A?=S@DvE$F=6@;$JB4}Ho- zmj#0`1mU6b1d#g_^@obD3lSn!3_)@pa#*GtgEkjwn1&UeGB5BX7HcGd4(qd0Iq zT7#ORC(4f*$Z2dI8m8!zp~`6&8k|j7AeJws!NzAU3y)&;vEGm6Ig&1xf(>d`?fyS9 z^^g~;7McBy_j-&z1P3I1u#n`AhkJ}lTvvtz zoeUYt6o=g!bUh0cF9Wx-Og_qb{YbAd|LgHN>3(PSFVBiu%M7a@CAj*z2Qgf`&UP&i zL8u(|g=s7lo8HeMCeNWbSRNT#2JkvyGem|c4%}g||8Mc5>TY&>h!xa3PUXGh5n%y% zRZZ7EA0k1Kz(1l=uU&_#1L}x%Pzs>Jt`p|*g2==+z>mdksElEyr11bc?-fE(r8FO; z?wqZL*eWmP1N8MeLVuu!Qi+}K_N<(+;kjW@2>JW5rz{m@&!=}!m*}gVjJ}L}60%!G zC~8ZiFDJH3ll99e6%o~JM8KrS-19g|9QQulXuOD-Avt&^;mAR8G~!cSz0f;oY5_9+ zM5He;!9r-BK>vW+k0^UQqMKI;4N7SH`9L?_FE9u^7bpkfl4cP!C}@u!+CTU0>EIv7 zCp_DeT~4eHLyJ?aI6py_j16>1W{6oto`(WSK&{9r8@N^ZDi33~z#?)1GK%ZNfo8W2 zK}@Y(!xGRAXocrRRB0^3emN5zpbIS$Q$j7M04&hL4`6`(wvRMIN7W}SD)?!GeYu}9 z7d~Ukn|KIoi&39(^ulPozNF;p8)du4(2LS#L&H$%E6x--0nJ_FLdKh1dvuQ_82axYPRQZA(wc5u6R%_r-x zLOt3vhV>V{74CDNBpgXs5AO)h*n9p?&iHZQH5$hcB*tIC=Aa=lAGTH;%{F+s{*e?w z7vcxj;=m}R%sD{>qMS(p9spGT<39d4lB2g~IW8oW{W%hfifI*=KQ>jiuqrW9`UYr2 zhor|iGq?-fO3S^-iXS7f{Z-2s5pNK0?PP|1xAF!Q1g1NA8}7IC`G2IHl&Z9CEpkm< z?j%%f{_34Iw9Q#{u+tJ8v=7Y;rT64(pPX1ApNv5yO<%~HfrBsd8xfWZFg$%j-v{x5 zkbicVMS6_$Hkl#bhFxUt&V@aC9z$Ru%90dGUjg_83fhC06BG#By02~@VO(ll{up`xE&vPtc=m3KU99|hzfn~J8 zx{ee?y1=b0jp7HG!j-_i5t=YKU{Ffu2>0nQon)RvG?6wJ`)SZNExt~ zR5M$OTJFexnnlPTJj1D(H5NzQD`h8q;7kGC>=Z|K4T@vapFBsTCqUK5QD-3n93;9y zs-O~h@V7Xq9sq3@UjGh}f5$yMW_uNsV-V{_GY7Iv>vqcjl!T3Z;wC6_A0K*?BLa9)wKW&Q=cx zu)kAPbLcc1ISPJ*mg%r3=eWV9jlsDGFL2H$I7N=;v^!J%II5k{NH`Srw*}Jy@`8M+ zSXd}Hw3EJQ%ZYh0*xnVdVui^mt1z4{Eu~ihFf9CI04ZX_{H73tdW}l?f?BE+IBdeh zoeFH`MU6r0-#_{~cVZm-3AnUGU_P)#A#@>Eps`B?+XdDpGS|iG;OLay^@x>rR@W(H zIJlAwdUL>E??w#HF=qBX00OsJxrm7DMrH~3x*ph-dPd1(cWiKaQIiYrQgNKAKH{%9 z#*tGaS5aqF5E#oD%NLG?t-E6JA9HX%uiipsLA=<^r`iC$^RZsb@i)jlc^Xi1A7IDr z1_~)CnB?t)W-XCn5C-Pg_$=SpOK$r@13%TwPb4S*1``-)pUnMF>%%FIIBZ%D1s$aK zb%UM^gX6-%{!1tYZ&WUG^T#g0S=myU{DP6ge7_MH-vEGP(t5cxBzZa60LU$G`%WQ7 z?}Qd`XJ%!9UY3NxDjj;UfR@r)G91Oc)aiSXxsA*`m+?=%$ukQIAha2dLG& z&iLheBZEot5A;nY|*jU1S<@&lve*u;m2 z`NHq{%ve&;Z4zOzjj2c!l$_I#gcT8y91O8{Fr~Z027&mjEzJ&N1I0GY6TNPC>^TpV zPnD}r4L0L+Gcp&#?(1P_skA!749`TrYBQsPHUk@@hyCF65p1RNC2{RFFAIVtmIr(z zL8TfnYC4piLz*>yjG5LujneCY_fIk{49b`SB5~fN(>(5@6KV!4ZSIcq1Cm-E3l!5- zs1Hn3+$;Va2q9NO^F%rUYJp0jVkj^F74;UieYZwLnCGJAi-OdFO$WiMB$_3RF)bLS zs8WBNXG%Wf8gR&fMewPdfNK*%plMD5>9fd!WJ$iCH%Q@O=Y>NI7F>As)wpyL+7 z)oQ{u4YBaTG~j*aNP*6gGtt}SRgung8*~bLCiL*el%6b70sCh%JM%n^YgxRcRpQ8& zruCpf9d_@VkMB5(&?_8luoA!tWn?mx)&(2{XUI?TGyyRNnIrN?Ro%!5i0QdD=qX%s zGG9WlYwZOK9jHgBgt;6TLh!{B_=yV*Vqt_z0F-%x7hW zjHnWaerIYSPJb1kze)i{uzaqGFLdF0srlmLlEA^uWif1zVdw~II%7ox=cuvV=z`ym z=$uN;@tDoT4Jq3T19UT9+2OdBjn`jBSv%kVD-u}y- z#@&haX>y$^u6GN~71D^yG1W%Nd#f_y2sq0bWAWfw$1Ps5<^c^W-Ily&T_3QKY=8be zQhVh}n-3igT95$~;yp9TZY3Iln>ihZ;xUPU=h3bFA{M^^2o34>p99IWJXP42cEiPb zkO*D91ponAz@<>bATkdrWQEI9AS0{)1g+u3X|CCn#5@13{>$*nW{UY5|SOy zlC|%!P#X-2b873hdfyj*e3I-)s0=8MQH-{ejjlDZ-kQ|HJ(^h_7w3B8d%M9ZUm+n6Momx2yx{O3wBSaHFpD&^E;Q{QKC~b`|kiYHlZ+?Q8Q2Bb*aYQl-=INq{ z{d~rjH@WTh4Y5CEG1vOn&Q+5FTJ<=J^bp9Vzj=Zfz`U!NblJ~EKZe&MTsM3hh7F*yN87#N_Xo{GRUR%2mDQ~jh zy?KHlelItD*ZRMz@2=)QEvVm*z?3APAHVj}Z~1oex^{-Z*>d$p`waWEzeoldMM_fI z%g@60lf03nORH6~xX$ zqXsq5XQ&DE@a5ZR)Ssj(!+v}m#?g33G7$z=s*Fv@_D|`Ed;cTWv}Hd0L+0^P8v~bq zz}btkhK5QwZk;7T`3S4p6W181aF`((ql5x!2!Sbv<L1>u= zl#|?B_@o412EL|Sj8XVSXncY5G4A6}Fp`9Bc zRjbn+9e6>_TYi?H1BIW0qaaEh-Dj2p*;;@gMoU~1oBk!H>5Tq z5bTi26$7+z-4^Y{`oP&AZ3H#hIduq~T-1xUKKuh^HskdiMmW-WP2QVp-7wE~#Xf$0 zk$NxSXdkO!^4KHehuCM%0r99O;%OEy7FNcS*xze(S@D&Z3HAjFs?{xPqyiWUy#u9e zC1e+67k;KRWCnMBR__XwuWgaXb!1=ML`t`yN9C+`;2Q#$@t24N-M}{55-IOAX5!)i zv4CH!kz1D3f2M%QGnke6m1-2Q-MOzPi(}8Pi|qf=S_<}69)VF}67JbC`AOikgE^o5 zfon2h6V*RZ9TK`Sz|52M`X0>Bt#SD5M<#Av5R5b&&2jupf+)<4{T9{sv3ZF)0-p+F zB>3yweE-}$5E*Zr%HPediW*=B?wJAeB852pz^uOu*RFdS{B8ktq@&V>`Fb4 z*`Y6HD4iH!gl>!smM&O8&l;G(#wMU-CKzg*3^3m=2IO=FXSH@Fy!X67&hhYXLhChR z=Z+n5x_LiF$U!nK{dSg04cy)lpNZ$_z$Dy|e`1R-SVhoAFE7E-srjt&3rCv*GK-(Y zhvTmz(4!5S1Q-Tz9dN^2IJLnSm-;%qJm>)pa(*xf`r`jMj|J5Hrfhq6$gW=yx8|@v zSG)=5InPnR=nZr+I57Jyle|9F>(w7q$R|Unkqg9mVSXsL8Vc{+_AyEu61~idDtybd z*OOAYa@-fB+RpN}`@Fgbdhf}sCpGKQxh+A-OkhuPAeGwl#{O+^Gl)QbzOD&4$$TSJ z=~+O|RK<$L)8`n?9Lq)rkvz%mulk$+IpuebIl^h!&G^0Lo%Oc>GInFEQA=trqJaNRaEB>M<((zi}3X%j(*W#W3JR( zBoPa89}tDyrf)9bNi@5D$le$=u1n|E1t<0wDJ-+4EhbDe+mHtAxX2MDs%l`*IhlLW z6QykB7Gsh&(EN<;l7c}y9sGoz_<20EzA-a@RsN;|#mM^lCHtv9laC4g=UjKUPPklj z*rU?6uUsnXxQ$Xa;j)oVIBupk3%*>$ktYpd&F#a$9sisEL`G7;X-asEB# zA3&qk8aSh!xyWB{rMdZiq=i+!j({OUSWiaLad5g|Oyae%B!DIv8NlwL>33NPKPlil zjO9=&cda|h21`(R+YeDgXdO(F1rcTu7pQ!`kPo8&Rh260$%G*xA$#kM&3+5qI{RDY zPiP3QFc~Lse&4HZ6FDb;ILF93H)_Fc&!RC^1r1bqZLYJVwiL}HI{Uzv6}9t?Z;=y$ z#T9)9Z&3P;s5dnzWC<-%HLOClDNxsact27#*|#y?H`-XRU~5gc;YSP2tTQGk=ceO6 zFT*G?xUIIl#<4Ob-t=F43LTGKAqrasKOsI3c#fNB z$`*lt86v(kfQ3=GGAa(tx=2@`_nO~LZQOV`G}WtP+C*+RI5yrj4$oGmI=mSS(_y=_ zo(rPjA``oYmBI_3m9zC&(+%~Ts>iK*(44(+Z4$tW*Cn5nDqs=c^%57**1X0GkQ}bz z{gwbF`wXDX{(1v^Zh}8LyX71)dnHP&q60IBI!b66h2+2p$Oi_N*V&dfpSN;0Lp$Ao z5>SN+h0VXC=h1C{09lpI5b~P_R63Rfm7_o%CsjCvBW&0K*r|dBMXAd~mc1xH`|pX} zS63>tEU|n;1Kz-SB@gv?K%w8hczk^rcI+W`1P9oBV1vasE^r_0D}uyfjqkGgoVf$| zSXE7^w;5KaUw{ig1bw@Im(1|9=Ogfn?Eghm_KVe+u++}K6hg^=kehdhRMT6?RhAAwnzIflH_N}3;w01e1PpfAqIYM5M zdTMK+hL!y@)o

    • BFBGP$=Du8Q z;aCm`B|mlbP6l+<(Vxqa0mvWpW(+XG30MJd3@XhXNhv5i?|d7|8Keg9k<9iabWTmo zyr*7zoMh*tVyO9Q%`*a>a!zI61L;lBFC24Rutb|jZtC=fkW@JuP;guvc`l-&)ose! zR{s>Y)U}-x1Y(T#@7<=;=Gy^=f`!^!WpZl4F>AOQ3wVQDO^72`B zpyS8olE3)dNzt_VQ@%$6og>L zrdaq`ZbYs`ui?#wmVkCko3id~^gb!zB08(2z5jh{PDibfKQ!WaDg0tCYW}`~O->Zz zO^>DI^UP!EFGqfyBde5_UB%wtXR#My53heMq1^K=VFyMPcJeM^x`(>_nsEM&j{??j+6=pumI|XD8?(h6 z3o+tFrAIvF4?K<}KsUerW}{J#?(OUxcYPJLfJmkeK(^lfZ-cKdoC|c$KZH1orN{mO zO;_aJIIFA^baN^2(Yo^BHiY}Jnz+3uP$uS$L&DL(4X_Lfp>O4*YF$hXxaQ@LgMx++ zl}g7+d|%te*|GJ+xlb*>((1h7R0HLao5gD342okz=K&o_OV(%Emq+qJ@J2kkFW_97 zH;?@CTZiZtpQQfhC;XdaeD{~0{`e$Py-NAs_-XEqz1F*ncotUx`>n-c?Ym8VP#|U$ z@XD1$%VF&lKtKB_ z-<;97@>osQtLyY-fhTo93}0{C4|>`Bo1pzGPjzdp4H$XZV4~3G~Gh_omjLx_NMNjEA;r!>;@Y`$^d_y2c1?>v-Y4)@;IzScU|=R7aU zsAMCoa_1siEi^4sBz&zU<_sfqXq*%s0+8V(ql?8CH;k4RUy*Au;*HYjMGpiY=y+~B zPrpzsF%A>i+62Cg6NaQuro>_NKwL57lU*V5lQp$|aKq=j9GicICqw71HxHYZ{rUS+ z+maW{)X}*jL&TIq!TK4F9#u`iPHVO%FD3c(%6Q&j-QM(OQKaK^DZ-lC@8%+I-Q9#K zQ{2bHQL%u@#zbr7&sR*=T>So&g3G(WWm0jUi&$QUqtonV>GGpVCH`RlkJ=Ry?z_{O zE!nWJj@u1hN;Tx^5SMn8l%(;0=8NxJ!8*wxrS&%9w?GFs%}{TxJ6&thpSk0g?{_hX zE9A3;8K@58+G1G32i^k#*ni}4v6`Ph>hE%n%mWf-z2kL=IHYY-yeU@kWGL^6Ou0~= zm34*{;yDt#_9i@h@~qIzgHG@?WUiV()SdznNo`Q@uf+ZpfP_fOWbPckaw6Zi1J0ZD-wbC?I;$!#o# zB{H2jJ#Hd##I`uy$!spia}jU9xSJg5?oAfi^ANn2Xz0AbVzvAs{0wt9uA%c*pT0*3 z>AVDsWFeUb!=OXl)v5fcSn_JNWWbJykN-sdY@;ro;TI0{$G2OInsj01ZtEyAiampx zUD~jzs!Hzcj?RnS*6O@3d-7rWCjaR05B24yVqgSnB4XfnEenwy|27?U00on#Fy?5& zZ8$9-=#Ymjc1a$d9b?o1G4v>O0Uc(6izM>RhX%VihqJ2L+&Cg```6YAY5P%_fgs(v z&5|(AgD$-XGc_Vba-OZwNB2_m07mL=Ye;S!_#Y;p3qw)XkS+kjvF1E7i62cS?c47z zJJT$4Uf>hJD_cE#yYGFKC;v*gm<$R3gp}MzjwiA9$>+T5fxbV$EDz#et(iacFe%!D zgI@;-qtECaI`rGx_kQ2wFS6!Cy< z+2rQ4NmU`Cbateg`4*WdSlZonSRQL|Dg)?59AgP8DK{USbDCo1tTGp*Zc*hx0BRu_ z=qf)|&e`|U7oaIlgt3VG&jvn56~jEWx3e=R>6}L2LMwE9)tuhkr}e{pj`ehYRNr$D zmx;t&Y3nqPPgQTjd%%%^n=;iFeK5zVy=6B`Zc?x9Hy~*3;UQlyEM$WNZ`;=XytN2j zb^%-jW9ATw_Il~{96@V!i|29-5|WZR42ggI0mBf5eio%H@;Y;rq0^U{fsx_cnmZ%y z?>AI`k062s@IO33O4PhGjO^gO@+rzZ`qMX%#2AAk-#Z%>0k;ExV>pM%IZBd96Oj`G}{8Iv<_@yb>;mqwlC(sru827CM11#^@7h6&o zK9TzqWtlq`R5yvF<--9VNb7^+wQiWo{03tZGwD7C~e0d47>mIMN}?r+G*Ce!}Y9Ry}jP zdrRO~r6{sb=yRoZV+sX$IM3uSs2J(DO!RDD3zy|l;e#>5O&b>R$W_-aB%wS2u=YnL1zshL8(q-#sK39Wnk zAL%S!s)WF7_!-Tcy7PA_h#|$de)LEpNHw>v2P6-;#%pjawJ3zpYv2)vS4DZ(n65yu z^v56_z0sU=m?_q=aVSS!P!fHmZna5m0?g3Xs*`Kt12Gc*>KHI{dO-)A8-pWY#sO`4 zb~Y|+L0U{#_toLc`E2dCFG&%!{__J=AyTuezvNW{V^HF5&2r|R;6`ddNxLOOpDG35 ze-6dij3EHk_lOHDN+a+6{PJ1);uaWYkT)r6dFCDhqQ1sAz0#$V>Q_#E>Rb5S}AVx8lOR{Y!*bpazoE(SGyeun*&?ZYGhiE-%u%1iqR^t%R0HlnBdB zq}`DPn6l*_?l)-@I9jr;VZ>X;3&_t{7a^G~v3c&Z`YxYL7LADTyC29QCC5;mJ|S5J z}QzZ%C+n$3=}Rct|SYf%SQt73f45fD_*IS3egOf44V8 zm0DPO9YMW{@R}WZ=D(HqmLa`@H0ZtZX73YO#wE@a2kkW&1}1shc@VRlq9vo{{X-ku z%-c&oFo5EDX~fxw66~ZJY2(k5I^?MbtNQaWDgg}1{`U>&$SYl8SZnF+w_-74*c8qN1K1xjSha#% z>OTK`Xtv?Khq(Uer+(NBUKU}?$1vsZnuIGab&VgJ`mg*Um+UydE3Wl7UjAF=e=mlb z9Rkubk^3h4&zAe>Vao-0l?YTLmIw=5;guI9V%4d8s0hs8gnmaEW_6kooyc3!9yh*u z68y$8jqep{EdcG>ttLwRb~xcSg2#{scfai3Qse%YbrhmxUPd<-Ek9e8nthX&`pTLr zU&$`R1z7*jz;`{>=OzAR)y)Iay*RAsjhSu}Tt*Bv!a)XNu5}Jbr7f|pbjXQbR1NF| zDx1y>&=8kzX$WH9&EorVd&dtX`-2hYDqDl?n?sVP+K5)R4cfbkJahk6v@exi-!}XC z^c=DTe|s2Sjf>BIF}-JF+TV;Txp)2O8ea!LS$*bO+5Mtl ze|b%Pv|Q-;G~~ExVYj@=pt}9b8^gWLYWyU`dVqtDy?y!cK(&Rc*{F)JEY>Dh4J1UP z(L^*i`=d~+|5)hK{?9*-P4DPmN+Y-U2<7U zCpC58{R!xX|A>r1=HR11v2V_A0B~p#n3|hDZ#4H4Q{rx9HtWruwun6B`IZ$#k^Bf% zbO0ZWSL&7dPQs{~wa1Fq1KF%zb{`k`J#+~mIaehUu;GZ6pvT6{F8BNi=?OvBSI^Fm z8H2lddU8lz`EWk&G&HVnnTjN&1JGo1RH?ejqeT6l0xiSXx|xq)|6XwLW%FVC4a18_ zk)@T3!{vOt6tvaiI(XWU2s&osC9^)VSvEOdp4PeujYJ}vde^H~@4yb&LY+a+lSmlD zl5&3X^91O)^ySY^l6t~bLa#@4bWc6BUoS~0g(u<;V0+#k_m_2_&rZ1-#&%{>cy6TW zGAIYNSMcZsvuCY!(h!37E&+2IshSih6dc(G07QLn`9doLT99~^{l+uC;j)PjcqTI7 zE73BrOpX$QRP#jLlDL3(6~zKuS|gzVF9M@};qmYnxHd9f^Kk&a43q;}5IS-Vz-s-D z176m-E(+3NWcdJ4FpsVZ_SXNkxJn^g=ULjLHjv(dxI3J?`Z&G9=X-kzBH4O}<>)nI*#2qXeM{X}H+J8THM|E}5T0!P_QFwt zKF?>cu29Tle?^b7h*-NX-*7TPo}PNQhQIU(O{!MxhXGg+elcNtr5#v?1=4dm!}3Sj6?T}?v*W(&M$2%ao zmYvZkOS$}*l>7Z^c!+c!T~Ih4iE>WunVikn0?~NY1j5(xzc2YTFf7;u&xX@ySysqo zNfRwqEw+a;`q+0Yp5K?3wU@_qmR%Km;?r=QkR`U?rKQIGmce^llrWHRt6hh7H152% zk4gNId#d`r)IIMuzVVR6Gt$NVR}mPAuc;yNju$l(f|ADc#c-q@yJ}o+{d{Ji#Z-R3#>ZlG@p@!gG7aiRJZD#KcOv;yIDnVeXZ{VVa~E6 z>yjIyw%o30Z%zy$uv@)cu zpL=; zL&2H_z(8o)qSEyqozfx;FZ_`6wfjID8GsKWPzv3ERd$D1)m73bIyGNab|_m|pU}%_ zK{yRn2t%X>AYWk294E9{lb+kg&$WW7)*&>6)=@gWn`u+5lT>@X0oje*jjHLCG>ME4 zYg<3A(#r{G72WJAMYfc(RtExQS;SEV=;T;JBT%8%oGjlB12g3zLNvRyt|RlMC7D(8n;6?+!Re6r)O21(oIdw~l5IY9Z6<)6yf@*QgE2 zW#4luz}WsQ&LWRGI|MQ(pM7ji+~tg}DRo(m(6eUc`FHy3S+Grw9nBL$ z9CBWQds;kdktef*Gy`K8p%@85LPE9g?#%q~{RjjoaH)j(J`pO%58*16BSiPuyd(a) zN0`Xh$ZmoL3R-#JPK(JZjT2if-B}?m(RMCD0mGy94e0-Z4@+g}tvkMY59HBy@W*mb( zGhZr+mL%dmS=RIJ+EPR0HQO#0*Y!qz>zRA7Hez}vKd%UKPvG{9sg990TK9gsTFXDP zOs{-uOr9lRTQx%Dj><@k3Lj+Oh4Z6d{K;d8{fr9bMauG!X3CH)UanQnA5#*19L*pY7_Y6QP9Tj z${gH*PP59$@nEZ=o|ZPuk3R>QiM38>dfK088+bh8 z=Nu*tg}}?@wJ7l?2hLcuDDdE3AS0Fey2phnp|MY)u{qjV6sC9cvk2{zkU@kOiEHlTbzLf>!!;?#61rPzhy zXC4-)8-?9%dm$a^bMEjtJDHkZS*AucDjpw6A%TXvo7pF?j&Z!74EgKt+Wt2=7BzQn zWADT*Bx#L8pdxZ~q&3`5?Cd2ugrNGZ#!PMk&{yKRDsz;*Vcw25rrLsB`y62{WHX4M zDFv$}sT^!D*;QM7cU$IqV`U2;qo*C1IrDrh-C}JVHmk)>anXuO*!QiP(qh7ogtx}i ze~RSG&StTn1+s_+=j9dHEqkB4|J8TKOOXW4N`aVsDkB#cE)AkVN|1ZjeBZhW-U2rN zx|?HaCROBhd5nRR+xSqUpV@WyoF2S?O?T$!0gM!&NhFq|S} z$w9A|l;nyCEW(mq<~dizlr#K~^NPnZJ#|y5w)srqvW@SHS~tr?vKb}I1Nx?`pPkXK zy1p2y>LV+A7ym+WJHvl}AYg#zUfX!rK=R{AhC|w!t`6V#+^%4J?(9~Q^4=-d7h!n|)mrc$0ZI?7nkk%G1wV&id z_L^pa?xn6(=lnz`9{egOkS$nNB+fx^Q1k6}L4-kv|J`H(`rH(^*`6V*LVp~k?mW%) zUv&TBlzVBW-|BS;T=z6k*`8T(wNsD}a$5!a(cm0ijbnKO-c7YHYWtjBG;N5F*5asFO9k72L6t05*^YNZNvX0W0lvEwgbWJ10kZ zcQgfVADHIGfbD?T4T&w0Ok0f01QcqQi!p$l+)nHXv%!`GpKgS}Z-?<5+%i82*WXXg zi=c{MfoJr}@O+}0OW&#AL5sYdZk$qttcn8WzZ-&*B9Y$bIfbR zua^n2eTO4n{v3J5FT&t3Tdn9|5w-J4*CPLnU5Q-}$&o#g0H|)fCBoU{p=f#zn7Bm+NhKoj!z_xI*==B#F*OgcYYUPi|zGyBo%UawzowE%$DhIB8c z#^7ZP%R)l9-xzbqQCs>{T3^~2qe=-R*KR(EG2}Pp?YMpOeKY+)G6r)2{VOXS#fQ7*ZmdE+V$m1H|t2C3T5@*zw@P(hvfsbWIKdI7vh=u`y7S>Dp)_IQw zrIMe$0cM3!&~UeV6g)9AT_YFyeFjE`xv07}ep1Tv;$mT?T6b|x2GJz=OBO>aIjv$X zR4EvNU>4F|a;eeM{FDK`q6|Z&>ioN`gKUDT5CB;15wZWWo~*ih(NbIVE+G|^X~oAh z#XwF<$>{rsXfrOWf9xsz?WhXHm^218aTC_quIJLj5(wf#t_%VV+@U&9=f_nOBPA{; zcn>0-k1IBe_|_!6OrqA z9a7i2w*ZLx!MBzgAyop*ApEd`jCj2>qT@3rJYA})Iu=yEahELvlgI}?YoyN*H$EKNxnd2{!-$6x2^+OKEv=d}`ufw4LD#hbNHTa+)x|>mTZ99z18sk^OzQLPHQ}l5j?+Vr8AGV6x)hBn(<_o|8`>R39jAztVD??<3iUGZU=;_X?<_E+ zHWq|w3dWFqk)EOU6WdsqXV|E}P%ALkTa`dYEgUeU@BA<%UqdSU-F~lxFz&#c2<|}9 zCr~W2Li(R=#cFg3x=N9}uorE1^7F`^9`neTM<=T(oPQS#e=WfG{-|_F$@)>1Xaoaj zIP_%GPF`!11IY-_4;q^tvkLcX6~ai)YpoE!#&{`JdZ|)DC1o(w)$(Yq?-`!Qf_cia zbT4%Ly>yaNZ}$%s2_0t6%*fvWpkf*_7>M60`t~=K>^DNt;B}YCGJqQhkB<4nhbuWl zvSyzv80<@D2V;NWjv$Y?#c07yhH8gB7h!$pX`VZZf*I*s5;`Kn@ZJ(LFp)q$@*^*i zk;)s!shW0esp~0{o(Irs@Bm4*SGOYIWPLEn8T{<`1Kq%#cD-6rlIvs^;^0UifOc%w zAwl4RGfB2C;ehl_^|5b<3Ny32^uRh*{S2QLEXMR`?OMt+@ujvl(O$0vok6sw3S8Ks z-WV4NpJ5Aw)>o4*;9_TrmC%SX`E_mW9NZb|urLy}a2{NHUtPR_Jm^~hD@wF^h;Utc zW$0kpgYz{rq_V0p&rt=$Bzp#cv_!_zGNERAbLrm~GSj*A&2OJ4iCx=tn_zElMZ-zw zjE0^tvd$I2x77ci+V6J6T0;9$KliVNcgPC;mFDcka7Tl-fQ$SdwT`ams$yCmBnHeo z8TlDS%W56!$ccDS?>Vd6>RxnkQtS<%|5Xnd<^2S0!j z$GyF8Vo%<(ke>m-!O~@+r60UG;OpB06kMBg)Xwg1gVNBDri9*|;DSQ$4uko+GmfjAQE^cc@h%zH~v5Y6e7j0qXYG=em7aRHhup-qC z-w3;XMGg3`fXAl^Rc(3m|&Z^WB+GncfS2?B%8N>7Q_15(z<;C<27` z(*5*!5%{owPvrEL97^sr5^{aJ!cI%q(aSYVaD zA|>a0Nod3&bU<1!1{|3v;iVa$C{)d!MYgt1Nb9;e!VmvtNof#zfVc3jnm^ew3;Tsm z7WQ6Uk`*L0(HY=$<F77e zX2T{v0BWy)8{;+RgmfFlci|zNzV7}ilu(^0l^D#O>YUB?i~j`>VZ~lh^(=cVbF+IV z7}4YFQmIvk?FW|7O3vG~&xN@AmIIV0KR+#^hc!v<)?UKzM1$HeRjHL^ai@6`m$=BjFym8E#SsJ9HMI?w`rL*KlQbN7^ZzFj}O*n%UMSHSpFV zx4>0oN9=?#Atw9NH`&pRQG2S~l_cFBgJaL=M`Rmlu7#>)KkUgAo4T?ccMDh7;Muby zujINkEq#pmU0Zc*Wu_bJNL^d< zca~?)4^eTL{dBcPByYYne^2I?CW{r;i}h;(HM+PZgcjW1{?vM`Q3F?GA)eC2#8(+) z;{IRlADw~E>1Ue~a;~t8dG6QlK6Arlq4DnuMd{24X@elxivw<23Y2DGfrO;*J=nS| z2m;5SdhF|A1spB`$hZS^!|pjtW#6@Ztb|-K;LjTQ8GyJG#?e|_`5F?FZRVp3J^?$) zk`99|!+3oQj^IzT`t?4Ajs#w+gmK$1^x=vPJb#5vT89xmtrPX!3tHd<;O`b>4|p+b zeIUtJsdlu5VJWwc%nCD5yG)%M_EHtn2-KyY*_4T7ShENkaD=o$8;Xm~}QlKw{Au>f@xt=}Q7&p(HoL^guqkRy{_N9~%H09uIJ@$^eX>}Hn zV@|#^^q1IgxWl1pN|N$m*QNVSzw=C`=^YK=Ba>zoMT8Qmv%#qIm_ag{Gw>AKi=hgf zds^uuxdE$^kpSq8=X#Q&xg=aqoBtPuF1l=89tk5y>C#)>)h(%7;kJja3L^Hmj)!yj z@#67cjrF)N@Hfr+d4b1;$tF)IB>jE$|5R_GtE2w$#lKhQ^r$WvH5(#Z|B1qTNB=!U zLl7h5HT-U{S*Opf9zbg9EjLwE>S(9`e&izf&_gKE?<>4u52^-RVV0`p6g+ zcjm--oLBVd9sb#d>?!gM^L6pG-Uo%QB-jwiU7fOVTV+LDYC!2TU@@#((O@{J#D&=v z=;86 zIgwCVLt!@`@VtFW2^RlmNtHw+^3m1&gFW?h{e4MJU#Nsb+6gOS7mq{!JX3Y#GK1PA zq*A}uytn)NZ55m=Pxxo4iA%XdyRBzVlLMIjHZi_a4n2o%NTCtlp&4@9|2+DL?$?(r zLD)c3RqbeZ)0n!Wj?Y!@+`*SJ9yq&X z50{=^d>IY@^P}MYs_K6d2OcX1N`9w*6bb6Y2?`gxt@5PXi~4$=bc@lT4l>f<;lrCE z0K85sf54$+k**I;5NRV@htO>|(Io($Vn{xyg9^~R&-b?b-TOqzII#t?5E_TgWhE0r z6$+@;iw~ot1HkG{Kf`9r0udPnHk!HOG}YUUyR3-iwqP-!JJb6Wik{5n>d->QOxuR}(n zpxv?qN)-`A>|bLlT^Br9a@Yl!yKpEWT*=r)1?c`#ZWf=QatqXZIYS{4FNzdqv^W(K zQ)DQLu2l%yE(6>EgP&?83C(V3Dh7f2dK>IwPz4`!oVKb#S+@kRXR1OfEf1Sfj~V}S z6F|Oi&hs2Cl24|EN;366T4kGyQ2HF}>Tm}*0IM2%p}-E>nB~Z>zmG7@&cgfrAl_8^ z{Q0e8fv(}eul`w&MYbwq46yQ`ePUogK_$v%=5m zug|Z58y@ua=3@d-^_Po9gMge@YaEvL+YcHFUxgO(vkF@59JN(%uj~;O;k&4($5!-im5C-&QLkvYlx>20gC_+`!&9= zGOInFF)m<@37FJ1l5R|Izpj^<_!Mc@+!ESb3*xTJq|LK&YZ!RKvb)WPJ08h{e7@yv zk5X1!ftUt-#OC?3tP0*7LM+C;C3@Q#js_gKeMxRyb18eO08UQh&UBujvH1NNE6PfD z0gNE)YKpSrt^;A2=Y4@~&CZoJLt;5+`-}~W`i7?amxXO}RFnB!!hEMIN4@dS|G~j> zDkm;ljR>T7hfoJRnPv$bBjYY-QF}7D^q{IfR5o`Pw;UXn!(*ncqwh@5a@`LeD@9*% z1tx(aHyAWGL{9YxNktsWLm6O*&)XqraNW7P{rw+29HNk?|C8CGrWjbk1j87itp($; z^8!f+rIg>LtgQwE06H1|U`wuy-`2wRX9bbS_CC}a?~PC&8V8u)DL{fP0ymZ>DsTf9 zr0*zJ0;Jmf4kI2e+Im8cbI-tK-9)LU;hkLj}p#vce#rYHXc!TQ-`te+ba4su$9TKToQM+ljB>;k0 zn;nK(7V}@RD}bIWCv8jD+|2h&SOJVvqgwWp!FS%fTERy0}jSRctmh4vDv^-H^*FKUhBgAdTxNl?w%+UDxWv1tK4^PM1>uhu4CA1BIuCoKLITe zV27)?ISj|)M*$T5ocn<68{O{-W^*w>Q(9vpdy6yb_bGk;ck9oUlSf|2D+C44*r{Mh z*a43SeB@E#VtXw8_(SEyyW8mKs$z2Ar+jsUM#fRuBM_X7>rx6UwT@1 zPcDo18e5dQJL!6CQFs5+I==5%)sPh9uG|ePj=MWo<6bnD>!vABErq zJTXx0!XtE?B@!0v%+-t%-;H!|yp`_4Ld&QBwe={c(XIsNc2$1XQttPrwLpRLOi8^- z?ZQ~VGUTvhWU;}CR4LF)FjYD6Dss(?XU{Y;%SGanbhI-&?bH631?ozKiABX}pmCvN z3+>ugoB7i(o^h4?O?`_lvSNwEVTQkQNt{P~hQo-1qmlY9J#(CTqc>(>s~d{G{lgC_ zG__pieCsFi5Bme$^h^Re6kPo%&-V#OfhkS<#&5t!##=!4QFITcx97^JZ2D~a#>eTa zNfgTgqQ7sm4lX@Wa z+hogvxA9VbGXKFR)5@D(Ii&>2%ddEk46g?y^tb07bwi(?TdPKzLCx)l4lQpvT} zTL?_@6C1aI$Yg!#gDmTJ!M_G(vd;>zj9;R>c2sjh~bo@yI%jJNGd(Q_2q;& zig)CDjT^yoBuqkA?orkc&wMgw2e7CD5I4(=wV&tTK8LS<22@YGq~@$)*Ia;yrZDXM zkKg_BU%&g1ILZpr@kW!K*$=(H=gI0g{lU(i6+vZkgGh&%{zN5_Quw-LMQWHGm~ZmV z$gH2Q6;SNeee&Oo((NUKkQJ#9l3mcVd_9z@$!n}`IY}_y9LBp=S_B;M9hcT8)j~r& zkeXhxxYrnd<}cYL3po3v7GQBr#+E986)dn$!yQsm{6$%!Zrj+ zcHtbQCwnFQbP^2kOTnRdBK&@kFnC=b#&5>I_=XXQ-20U9(=Wyz$-5urkd;{1%0IvQ zZ5kLhf}bANxA1 zH?#Il*5z`6313{Rf1I4e&6Zi24XlzLVI9k#nBJ=t(J&4*Vb+0Oli2`*e-&=e;2%~X zXYk<7J8Fsjlr-?L!~aZ{(eMMgIxiwpST*8j=}=EPy)81#*ChoIk9{I13~GT^+Fo3c zCW8_1l^?~J-ZEJAttwC&hTu|*G|cd#6OxmUL=$|XBddMPmNjc0eg_q@Wod(XNR_MQ zK)yYg_>c*r9JU5Na9#nYV-Px}?@E8UroTU4q5S-#)n%#p4KjTa%;Hkr@#oquUaoI_3X)x7aK)+wGj*0Ha0xZRN`6|I1;@_^R;JgJ8PQf3(h=M` z0cSHr2%P7P-^ShlS#pxp$zi&UXS$)79Onv#(u%Fc3a(O((#o~9GBIn(2sjL= zlHjur(qLc;JXUg;U-6-kYpY0HxT@)%zw2YTasX1h^wSIu0CSZ%T-CBH#Oy14WQZbb z#(uXkj}Y__uVwKik-tnM--J^_KrYYkVxdt$w)By&Q`pGI%2J`eS6^>Cf;)#VQk814 z1J7Imlq?#ylXpHghAyB{n#Gls^5}H%7W3H~AhcvBQQBDy@cUVWbNZW*5Y>b+h1ATt z8LpaN|J?e^(vLs>=TTDR%rYS}lN5OWSYMhDv`p|240h>SLl_`?>aznBCGZE)B#iWI z9rva!Rcmexw&T6?*QXh4Ueo>Kc2xlYyHBhje_$M~-Bo}ch*qis1XZtPBp8eXQbF*;E2NgV&SrTR}y4l|{lvOF$aL=dFDp7FWCT&6U^U%|4cRkd?(1*A7Wq=p(j=SRq+uL>z_)~ysL+t`xy?T(dYOyb>fHBV)twZ`_j1#3T*MqQ;fGLDi z>$&(&N5yiPx^(U8$=Ayz*iX);`NV=R6>1ns`!ZyqY)q8XnT;7~CW(^E>K3hh43l(D&+D=w0Cn5LIDce#;RUR$n}R zFu86nNk87i05+pE)d#rFu0Fi0P`ah7&^Lf1k?up98yDvbcRhGZ)5zhd4a5mIhdtx z9CwN&U}=pZ{NNmYcFjt9hQ@LpPjr@LtL7+>$KkpNDCbCUZidPNc&IR9`mM5;M{BqAfI&XI5HZ|sBEw{~WcJPmSyXQF> zw}$1UAIQiJU62Md@C1+al1p@}_4U&7z`bZMuzNZ*UW%PAFAlsB5Q80J99{o8%*Cshy*ITFo& zvI`phrx}1gfUIv^FG2`WCmjL-7Q$LK0{4f~tDkR%x#U5xmPms>!JffxJV~)+eY*F_ z@->7#v+4SAK7cL>*v-cm!GRUD3{OQd6Yt=uQZ|y???Ym_KH;OdpZ)$JdN0P5!|{ii zZLk&VYr(X~p;!o=;XaW1Xp%yLBZPi$S`rfZ!;ZK>s_Q@JgV2 z>CqcpeTO|FlaW>CciGw5*E*aczfq;?0h{h@yg0m0ly3HIaxQ3o7c)>X-1Smjm=1() zr4kfK`Z1{r`EAs_l5v3`*l*SLMZ}Vv;c0JuA#ISWe4Yz9Jk~-3&Q7o}*f_g8o_}4& zgP0}{gggTg2~d-g6}C)U8v4z@R<}#Ql4n(1 zn=C8FdtvOlk>4^uE??w7G_7uovpWE z-6Qt@)pR({Pxri88t`DIai%X#mZ-v{J-3%EIsmA!|F2M%jlP^K*PRO8{ciREI3BB{ ztvIq`t?E|%EIpJ9HYJg}>ufa}niI;I&fV0jsvA0jW@Q{f0}~IYG0#Ka|2~qmF_Msf z8Z9n(fa&A0m}2!~NxwhPG$N6phWj{7)#-fbG5y-IiXllI>U`Hr`11P~a73c4gIvcs zr>NY^PB+$nU(HgSvVr>|u=5N@)A=Ep3IpLpkQa&@V6Zf*hTo|n0R>NV_#AN8-Ra{Crr{0f z;YxwfN36hcoi?h?dNI{Ye1(F|737QkOLMY&;0W zW_c{<^V49o{9s%?tK^*v&0i%#zKx!ZjXBkf3%=YW3C!I z%cRO0-z1Ol>P>II3g^y&^u8L+dfa7iad3U!qy{8N#Tz#C014}tS{l{ zs9N`?{N(L<+PtN?R5}J;s$Ev1{8?tXYEPi~z5MSx^Y^Y^2@WDP@uZhZ5*HJ6`$&@y>0P z$znfqwlifx(g~zSeH7F5g9E<_<^~3cLzJIDj>LrBoP^7&+zr6FlL2veTgEK{uz5bw z^+eg#7&h3XMG7Uew3!oTGXR1jVgag^a=ZiMDXsaSS z#VIf#av1QNf7UNk&)apAwKDm_R|B9Py@xpN>K`od3z`39VgSK=Z?HJzuL^?&pMRe04w7* zd(d_Lu2a3k%wbW>CaxC%`p3_K4GO;yQkN1VKYvVh)e2MLCkd~JN2L~vSVDYgMONjN z@$QMfb2OHq97c&mxIM{$tclokH+F^ZYno>~n@n*~>DwtIM#LsdY|;VP2)t)U2Cv}x zo%UEC*BA49A>GsQl6W)2i!4KU&AiH^PJA+HbHn#mA+IE_L6MqsVtJq)OtzrHWUuY< z*{H;TYckm<`NKCAM{qug^;Mw2e+QazwhQDw#!TsbNH% z_9wtI(8sE&Ho!b2~;T|ih=uBzkEEI1Yvc9ER?t2enG%{W?T$hb57v|rUi!e zv+d#mo50(E5*HcP3kY>(3dx*3!9ZGxcelO~r_tbqA}w{4(?e3M_)#ZHC12Mj9y@cM z1i%#>2dSU>xZ?r8ucm;m20BQXBVeiGd(?3{I;ws6Rd|x8o%|p*5s+0>U3=Jg7ZjMs@%oTP1$8 zU;pyYH~7Q@BMt*B%jK<3RI?drb;kP$gW6Z)srA)@w(TNzs7A%$1-MH+B6f(2zvuS;pu<8hKX4jrt!vq4GsUKZLN zU*At^)H#trM{!#*ExC45{cK)&E6mD>((go?UHp8w+S$xRKR84s61g`WxeWRhmG=l! z>@hdj600AK4?`SQ0t&SP0-sJw$ky{kcXpI5tK?kS31G$7`iR)6i1twbjWq=uli{UuM8|Q#-DOQL2Vt4mY~>)>%Zane>Vl-8V4~*^;O|XTy|mxQf^YxWXk8xPV2f{jW{4*Y0{!hQte$T88cN@Z@pcF*^_BO1=Qqini(QGvLS>MDb zUEU?D9EaJ@XuJju16HHC`g@s@0sbQ_Ps}<4m7;$FA(Iw6ytS2Y%jQr#{vMm!SfLJh zC_!57-tY{FJSS;Rr$b<>*Wo|>DBPJ|ta=xd7t_>S z>ZxVKU8KQ~#F(GYl610HV~!?!s;0(%HI?a!E7TC@h{ew2H9&g*k#c~|Buu&I2+e6!oFPEkFZy*nh)Y8i!{ zX2~R}kHyM{HjFQU`mt|Y11*^9`SS%c?Dtupt^y;+XUQBk$4QRk+xL}|1NuG?VR+!H z!1j>4X&5MDi+FENc*U>!(cLSPL|RiXp}G9Hq5PpPR~mkNil(G!b*%pq*K*-i}BxX z-~VP_NuZvPgAy>kox&`r1BTrvxQCecx++k@T0HUN&*O>_{Gkw! z-XG?%5{)JKqh;!ng)TsjCd>wBn}An@Fpl5!zV}C=#@e=p#wmFbPe*Db5W@L}u1o27 z1*3rbCYu%``-I+FEh}gA^)ae^q5&0Fr-UEHRH0mW3a&Rria&|w=KB!8zRBLH&0=ka zI>oH`!Tej!S382Feyj2k{%)CylJ2Hzte@Z0i!n?l1@v+vMlu2x ztZ3XXD3&IhKGe?*Hd%0jYEGorwEGghGz!?`8|% ziBGGz-{1eA3qL+YpaciKBat!2$31=*Nrg)!lb`&#T*HW?aiR!!4%3g|vL}YHiF1a4 zm*c}+wyY#_(<9}B!Te^O2JLv=j~cNj2{aC{H*Ee_$$0028t^IpbIUu7bA#j3Hoi(C z(Vgt=jDXFj%HRegdOo?Yn3`x6aFASv#MwrE7$1)@_jBezWm8s0H~A!-KFbJiZvh)D zH`z}d1)3(bBN>bJBp!(vg{LR&Tmqq=81pa+2ZE$E3hzx$|NjLp( z{K|hX!ux3O^IYMHd98BO4*%m1h4ybZ{uW98XEp>pcAE64sdv@DWWH|}_U|;{-#0~P zU!+trlJgrqNkdS~3QIf*Gs7q`vk|MX8buMeBhlS-Z;2NB&&O*F7~yu)MH&z&#?tC* zWeta`42QTi#zuL`)<{p?lLT%#_oz`y>k%`q?gx_V4~*HYhz5eRXk++M5Fbz8 z{KPyS_A8kNJ!D3@g_qQzZB^3u65I-;a&{qC6dBwwP2C(qXZOh&+SbDNV`Lt}M>*Gt zeplAq^NI0&vbwKvrnM&q)2e2p<7Z=yd#i||+ixw8*{otD7Q#WoPximvcYb{NNc^n% zKO4or|3RsG#u~G)$N+36bJh*%gkkLer`q`6pRKv4lk)h(u3g#_2s~?sdlNfi@4p{#uVy5H4i+pG;P5mrmQSmCDM4QXKFA@XbJ{gI5bQwk3@_zH1%TQMC} zw3GGFGM)bQf*-FSp5~Mwj=*sC6-6~nyX#l7@i$Ck7m1R-%mmXbv*-7ZHD-AoXNVlnad$1|=o)VJdcJ#EY|j28-d5Zm-82@bnpixXzV$V*cZ3WDTdTrncylh_^B|%VwDyYQX&A(J4Kn(Oc|~mVeP1gw+-&n#K}ycF z5ZQCvT0u{|&8=h}0i3PWE|*^6`zd~s;;U5T$d*|4J{YALT`#8F;GU#8jH)qyuOn8jg0?~wl|N5y5aiAhZHVl zEo2+}kZgr4)7VY2FHyo+>ar$#$k=z2QBz2E*|QaeWF33iCz52Du@^JQm?pj-)%85j zb>H{v_uRkd`+WbB=7ZOqIm`Q;^FHU8!+`(_|508>=|q_L_g;%8$^r#G`?f z3MS{v?x4te2mB9$IFyIwF`D}a5(movQz`!O@A}RTIpeSEn8U1WI+^#>WUHonFP}#@Wcgf5 zo@~w|vL))~f)?6`PMx8MT0RclPJE)&p&URd9Z*+Fz?|c^P^<5O?lA&|Pz&L*u&NTq z+;i_^%EU?>FxrAolg?Uc@n4LLg3&6E7NRk6!zH>NS$pFur6RP}O^q{C5yeDDupKky zv24D{{z@l$z9_pplTrd4Ihf$~vrL!%Fvf!iU)(cUk`VaDUBP%7w6S$OqHXmbt;`Zk z^IW&))MnBtDJStZU|SeDunnhv;_JvEGyFed+fQAKJSNok+55$x?~-JFiK&>%a3Pw1 z*vSmw&-1jv6nqceaq(DS4JmzzVtHjSu zgjDD=MFOA7Bt=I0>MAjybfqMwY@TX37%rSSeS~gB4xY@6lPF^jxHoX@^0jbUPW}&1 z2P0jpJeNZJn%?R@)wV+d2RuggO!jdlihaj^j4}a36NW!r0^CHFm$jbW16GY}1kehm z{*%*^js~%$&V+scLIx!=Ou~{n|MBj}FP8O=pq$Gf--3qV4`4IAmGQpE#gZP8ziXGP zCLOT2|B}_Zvo-_f@V*R!8-NZH~ZLEvAdb4;p_VJnb#U@l~oVK;*@93@f;(Wd9bt2l4HGYSAEuHybYNvwB$x?fZsU|vuW?b9V`cUi}|(W=Vm;?9t* zj*@Sscxb;VM=@tH>(w(h49J!F%~+X;F_z_VMMQG`c>W%3s*>}=gl*r-fS!zaFx{td z^%zwd?*4HW)iS%iLY?vA6fYiiB>PHVtA8S6xF`MDgSU=Z@+*DdTa{{-O#4kSl;I+S z^ci@`Kigs*A1y$C;4}}(&=D1;3H&mJ1D~m%F7p}sCzGtXFWfd@lW=aI@z}oAN8bTy zs(E7v?8SYbVxCU9%T3~v6p?s585NeT;4@-pZl zm;@3`ez>V+ByUd?BIq(_rEZZ-u}VHqtPkA*IS(5?mG*Afu0f)vkb9Ug`?N%C;rZk4YVI2%rKjE} z$Wrh8(PK4`E(`AI)cZ$x1pv)pI?l6K9nSyxwg#9PTB6BX@odR|{ zRsuPAEUfy!#?7BdLqkv~;HLu(yDs>yo+n1VSq9KQxb!mABdZW<8>I#dLk9Iaj(19xPmW<<6)!0&${_vhP;ZP!_H%f-;0Q@1yy z4`2P;qckGJ9~gixiP$Fhd4V0Z30uEdfK@Z0_TrAx^5E_N{FO8!rmq+jzJM5jV-wIx z8rB?6S_Gp#2hwJz&}Q@XHi2Gxf!tC1006+emA!Y(jEMaeS3?sl_z8pG-yU%^grCEL zldd2stAg6_R(h7B5y4fi?ypm8Y}neR z>GdI(8p}HGe@t{1;saH84WEHHXNr9Dwab%uMG3Y&ZqPQ5L0lp~;6NnYDF@>$!3QMh z9`CqS|PaC>V!OyW0P5n%f z-J<>4V1BcdZhN(`b7d*1p~B0Csk*L_TFL4kCcfuQMgdZ>hWhKPBa_A5~tbVGk=_UM7bFl0+JY4SCc zq`+$mHW4cE+Qz5IH!Q;wTftn}V26^ru*2%fS8iee7D}OB@`BLAP#Cad)pNqmNY@vq ztY}-+hX&kb%$2JH=~s1bIal+m>rb+22^eMR>q9PJ;Gj!^ALydmqL;-d=qd2Q9qr<7>(F#64dG+aCv}-*aQbx!9EtQCSIM^rIpI z!AMe6CAA>a7ZaWmw8=1goyy?gQ2URT@^6a6l#$j*4divoc_y(ZCaBGaJv>oqNy`X@ z3^L(~-x8hSQ1U0X&O%4HcJ;&Xo#O3P@(t$wB6d5(p|#}PBA%q^+%6tV>&n%6Sz{|p zi(3R!BMQDmEJbnTfps9x+J04Ja^#A&$0P79`&?MSl=PY5uXOUMjBf1s1yl9%E+>+% zhbD^YBuyzF0qNu~VZ7CoB9TVn5n)*v*Bn0Glj3T>eG2|;b?l6_r3F;lherx6wP9iL zRNd)HZu8{Ik}^JcM5V5~w0Q3=|HrTsCr-R_sQDiX!h!CLrr=$=%~b9SG6M4w1W{G< zMXIny2X`HLba7{-{^fK!AKqF9m#!|)GXX7-BtYVPNJ8$l82DBjWC)^ev)7?e zG-UR*y1u-{ojqE{k-iOf9~AWDxYxb^)bxK-1AaetOE+(Yt?i@Efe_I(fqq&{*@)dg z$nbe*@~CkT52iK97_|V;@?7>V*}NiCPb%sXH#_^%7vWRin~ZNh;~8v>vqVx zZa{K<%U^~LOt9NAA^fRzoCHDH09IUHrHy4?rVeccAKsaUK^0?pq8?S4-a~U-N%}bJ zCPrP_nJi&#$y77!7w%8(iymGYW*l5wi&+yLu!d+!2M?=kYAWcp+FBzCg*W-fyVHqK zW;Nj_q`q|dP@oz2jaNO4`p&Lt)=U0pQ2A#c_}|Kk=9u&8!iH8#Yu@Wxa7iYSwQ z?J2#8CeqXPVlci?2_DR+RB5n7)Eq)?QJ%xo`^8KwgSW>MLgg(gElkol+cP-JV*7Jp z&W*iXPZrOZt`uUftF7tQV_6FL!f5&JRJJJnk2p5DOL8YV(II$K0bDwQ@62LbGi&I> z>y@h*3=prHD0QTKT=OC-Bv&6J{^?xs^D1ZCe-%CdEscm=5gD#KGAmoK)Ek6Kq=!Pt z`l{IbQMM3!4(YJeG&~pX21jdIGa9UA@GJ(_ICo7F?A&jF)Oo7CKG~b!sHez?+*=}+ zm+V>4+xcBV?y)5gC#@B6uXpI|PqI?4Xe0MVC%Aork+{whC$rI{BLlQoOF17$UkZ~x zsn#U^tcy`p8bzFj1X^SnpW8=Su<(Z1Blc=4{SYncFvEMx8XfaZ4l5 zjlQk2a4jJS<@E;}fF(}Sy8IEvJ}vIQLx|7zS)aFI8@P{dzuS)-uI)1s)%F#f93g5y zRNL^dM=hWo7EJ9uu?Y*h0`II}hI*Bw(e8Tn!&l%Q9J$Fn{YGaWESaC^nv1RqC0n08 zW9s8@EkgX!lP%r6C8l95f(atRpa=Y9kwIfzbG(2lp;_P?DU@}&;ZpCDBk(Y0!brwy zMH)$W;$*e*I+HPR{eX5 z@lqs}4HVx~>O+i3pu3YO0-4J1bjdu)LM&5Ak$tfBdU#GJaWV!SNbKz9jHC6wVq7CUBaHbWhqTKUr6-Cn&vh%w=6!+lKP=Z za*ypxrDt_}ETLM^SGa_+%C%zZ;L3BO;mzizd%}6Sf(HfYy4B8UOce*WktA4!jUv?W6oFNE>RG z6y{>)8Lm^M(B}jO>6ktt`~-f>D!DuNsH?o0H1#w`FSfwXcdM(%Yc6^)Bh(GYKSQ!sO9^r`*@ zqnx)V|8H#LP&q1{u$w`s+etA4qN8@0ve`TBj#}LDpG8wJ>sVoTzXyn_0WjkJx8Xh@ zFQW99C@pz97NTXFrb;=dWmddvSyusw+0|F@Zfg#+WD$l-4{s6J8!J!orxuL~2YVJ4 zMde;L*SvJzS~|+sCeKE^ghv(E9x;3^LtLC>qadbnlm|&YIq)^G$)N_5&X-w8(zBpx0a-E62SKZV>4rwvs!0{r zE_OH)XNJt?Ta3p8(I-1^n&qvU{^ccbGWv1wW#kCCL!A-KT9J1LPD%=12l0jWQqZ2F*;`o0Xd3RN2~_?a6qb z@qMnMxqL`pH!#(UaV#p!YXzOflsXg}I+vtV&)T)PQ!j4QHFAcl9cX_AGrx55MloFf#!zW*O5U*dECoA9H~(j1YSi{)^ezcSXMUmrPQo4UFg zOMleIm`~b&9$S&*K4NWe!$#P&5LhSpJSV6SN2W_nWIO>;7*;mel!NUoj_+fAW}|!K zuQKZ_)G@&ND>Em1BhlR_t0_JbUFDC|e*`8c)v0M79~bV8t-@r;mWQ&D`^7aBxNJNV z+6H!@%-Pypr|~K{NSwT{Ts0Je#En5$))L%FLp=}SKIA-%0mN7owpUtZvre9eAJgh{{ujY{_%y@z`Uea@=uSc- zeNQwT)QK4Nx-qYl_(T^RnJd=8uJj@C)CMDOlT*=>4@rz!J;sM5f;z7!Lm1q0Jv+o< zhjAD{%9}@1gZY}=3p#O5KbEoQ^^o;u(iBoVi`|2dTkBU$nX0JbbAv7RW zxBimEu^#Jvkcd+j$O#q1w!#gkgCUJ;*87c;C5!`V%9vFH-RG)Rm+@nX9aXoa`r?6= zIo)pc%r=bsB!D0AE`5sc5=^%HalCi$8b-UNe2C0PT)qgwKS?l#6j=J-H11S#b^gkcpF{YH7e~U>8GH+XlU#Pii2JrfyV!fBv0cC zg9319n{IPB2!*D%Ey{|3*=+*x~ zFe;IN=xlN}c=P_fw4fl{^3ymVdLKWSu9~h(AYZ%praRXrcQuvX4tma?wCG_bP-zi> zPygub`aQPKQmVgQi&eZtSDt9=V!LmHY8&hsrir||=d4W%6`t-(sb1x%rVv#3gOP3U z8lirXH=)es`IJ57de*%>59zo3c6*O=d&8cO_)4HDBbE-Dc7Z^#haGfVfriy})tWkI z|073jX!_9FOqm##17a#0{}a}0+!EXb=sU%U8CWykrOp>Wt7+p$Xq#SbdB87bNe_+u zla+4nXypMjk@>&{I-ptKX^=22%Q{eBbXxJ zPkN2aPi5yxnqrEcn50r^%>{=qU)3=#uy`hOJW^_uZ^5R)IER8VGf^3zn07tIffFs4 zMWD!z)_gCUVJ+K_Mf|MQ%VXtIvibU>jdo(yV631m#o6>-=L@)e-IHS?s|H5EWcu(! z$%gBzr)a_(tgBrHx0GlBJsLko8^SM7Q=>E(@8bB|bA#v%LE8bpUH2p5yt`@~ASvC! z{eNL=rqVylA-r2Zt3#>xXD=i^jA6D;dKtP4BWCG1Sv;eks3|9CAfVR}`rpox6s58>3)M}jCxkdzkADyv{ighM}qIBvaP zs#JjnFEE4%ppB5L5?o55Dhgm+Dw?`-{(?=Hj^YRZe0S(jY>GrKY3%tChtCa1W(7Au z3_3ef``*=IL)k7~hw>;rO1G`*MC%}(bz-Rfw}xnl(29d7mw(q|FS8B5$!3grBb&Y#7O8>u9LOn#`Ilk34%`A4=)V0b0Z_Me3LiPp=5)T z+EVvZa*b($d~r=kd>82ASkt%g35(C0oWKF;MA5r1{RRU5F?)GZpZUxX=e~l1qVIrE zm&R+!oo`fO!8uKb1?jwFtix*wj1h|7=b%UbdizEU89?9ux3tda{`5jtNm)PsMX@E% zhOQp~LNbdSE(T>Q$#=xevz5*2fFz;*dHdZCM3zK14&IYeO)aqTt~(ih06>2E`gl`yEAb_0W?B#&n33tf4r&sBnXwx#0Wh@;Gat7m}|~Oxc#=G^(3# zI~&1xPQ^xA57Tvm7kPhTm~C&AHuYt^D2p)YB$`DF;k->OF$wbrnX8xg0Y5YnP(UY6 zrp|OWkCd4pw(@oTpL1IyaZ>1>+{}deL^EV%r2PA~4Bzq=%A5JCxx|H@&*MeO z=DNv6Us*Tf?*`oIhdLfgMZ-uaZ-R{j8bncfO$t8<8(9WI>qY2vk>CXcNe;V3H znjGzak#gmo`B{b)5(wq`VJ;zJEg9*TZn9R+Frq!Gc_!HIY(xmy6?X zZ5Ai4gC^Brv}AF0T4iCgo_Qd$k@3N+KPADV@hh^m^=+Q~OB4!14zzi)zcmclZU5=x zW6)Je-)|QVo!H-_TckUit1!rmYYTCN_oi?-IDxdqQ#F;Lq#mX ziJ2_SW5I9J-J4#m5@_+J8TK+TG3k|5gJeRYup#@%(|XpOfKfj%4wB~MM2gK9LFF&7 zm~M*&Gkf;uhh)ZU^uYZJ2zjuD{vsRqE4jAg>9Pxxto}LyS4_6da(SNX1NAy#^rDu* zSy)ox5Oc&EULKxfUGL3%82*=y?m0gY&}^OOY2b`(aD%5Wn`LuODm55k6F#2A70BB0 zN$n-SjkjyuylEReJa^d*RyTi>P1}x82vkj0;fgEUr;?2tM;;l-*OgaTd7O+-R*uO; z2@!VsqD!v;@8Cj5L+FG2QE;Y4kq=?t(6miXi14VYYmsS~J6Usr(F}~((@|tp`k<)C z)POzDLQ&CJ&g5-svubv#5n1&R=f5&mLx-2XB#7aj3te`2_$p6C! znwpKL`j}%zIfiZqZ-fs)(azi8nV+gN^;>ni_cqV|r8*J7E%6rSU*F}K)A`?ap>-(g z{qXr8)P@GI({kNBPx`hId2lm?SUPL1A72NVIeA0OzdorQo^{qI|75joeJj+Ttmq3@Y1`lxgP{fG{7KzX3$JXH^26>^ z+F&!I)qD&BXvJkQygU8Gy%(*#>b#UUWc!ebpVv7l(VZRlw8bf*P_`ZB0;OQ#pwG*2 z5K|h(^T(V$GUvk3)ZzOyl>*=p7C42fB9asTyOBu40YaYmWjY#!LqrYSfvNS2`Rmoc zoH-y@%XkeA8t?BJH-n(vJ=$nWY;_ECx_)SJsd$xz@wl@gR658MOW-S;G@{D+U^nlB z`6PC_Fzid0cWN!Pqb^nt1qpO27ldF7Ea0}%fN$WiQ#{FKbd-}UM4nAX$H;e?Y8Ozk z__eOVNc;}3^cQkj;wzClQJqFTkaDaPvJGAghZM1|&1}O72T2b2#${LiIEc#;%e&uvTU=FmhhtClH!_ zC>eA0-vUC-NAjwV{F20f>vWc9-rQY&U&%|?#zy4kWnsIIohzWDQ)@7q^v$tcFP2~5 zeC#@RGf|lv_Yi%RImn{l1Z?NyPAH*ZO~HL@K-tsc6BO(`A9SC?3~8g|Q->d$_Eq=q zX6wGzx>zc|{!DGChdbUKUcc-NCpG99sD+)mrlxiM#0dUzUPPK-i=cn^HE0VT)(Hd7 z17+$Y|7lAkiCHQ6G7P7^PcYgV(=CI(rRN9xYVcTkt)mP`jh9_)cM^3ImNdrCq|5w) zd%JZWj)QQ5seSTyp_E|ywgj#0WcBHaEso_C-b3T~^W0CU=q;Yhkp7q3O$FSt!?Cz4 zzeME90ifygG&M%vANu}tXkBa8xM|p?qnOBf-T0xi zsY=4YnulTIcsXn#lYVcDLpRqJwIrMy3auV$kU29?Qj|Ov&aAU{+WA((;!~Ucp^VVs z(;KJIEkN5S8ccIs^nV>C0?UqKfYaw+S+|ZS)6;1LZfMV5Z@bI5 zAyO`BGPCMrMArsXj(Jbljmy&hFC%H7;dBQT9M|P+3!Rm1cPr4vZm=VmfM)#tuY$)r z0@!o^xGU2y@|rY!P7g+B*TU0TrJ7X8xwF#w8Ym5QAf_uz)9_g1ESqjNO1Tk2ReFEk zV-AjV_cle4CG_@)SL|&*5G{aAiY4TA%ng1qLgVs4H?2ajO}4*Hq}G#UjrNqB9s*va zO@|bOvob(3vu&Os+kR|90YnR>|wW+WT{vq zXc-i)z!kVR+)>CLobs|+K*dtMTo>73iLH3IcD^L*k{Ew(sL^DZi9jViZ%CsnGpeF0 z^i(xpIZ*u6;pP%2jZksoJ>RIqbRRjM^wcTn8(G~l07=GkN%{>mxZj^F`=Htg7TmmgzSyUp)Jg9I77n*rd`bzXOF`;|}+u!>o};#@Tratl~0z!>g2 zko>O)ev9X~3{TJklQay6tQVEVAc%nTbKA{lsaY1fx$v)AR_xV``y4G(cvMS+g_%*P zB!SiXa-fY*^(NaZDR7TWe$}e82q%m)c+P1q+4%Yly7)$k?xsjCGr;({*WB1^0vpeR z0YeDk18Z@2_UZ@ zEP%`m{H%>wMn-)70;nCWPCUDtNSzV`SQsE$U0^qKL3^p^cu~8YKzU1SSXPy)w9T$c~{&m(7_r6rd5@=3|gH zovr1_l{tP-*Mg?h*MceE1V$-00eA383y<;#-z*X1bo@#l-C$#(`WN)}HLQ-FE2fwk z0mK14SRI3hQx?-zwG-~fKskyx+ov+VW!0dhh#4*n>V|_@wnZW$i^2}AaHDbS?N2ML z|80e_FXmMK!wPi{t&s7z2K}2>$cbhoMyMT4XPRM`wiPE9i0kpsV8~ZcK7y0Orzd2P z^ClzxEc`O3q6US&X1I@*h)XX3lq!GUxdCp~y;2|zceZslllJd&XWjDqkGt4z38GgErSzm*Q0G~60u<@@|q+B%$pPaJJE>LJ1jRo`fXnSeYp`0;sh4oFGjz3xRpITcfOCghw%YF zv~*hFb*yU%>^`wqNQToGyW)V#LXA1ea&^}%wah!pi$_|-x`x%^bv6f7obmI5)$bon zSXU|Aj(39*zGW?o$*oQb#!^q53MFv>lkrO8AC?#$P-=AOUO`5wJKmun{YY9gU%W*Y zX~cabsf&Ij!++IzLE{iT_G=o)gxTkEd)C=#f32`3Ss1N1BGx&BPj)Id$wWcp6Cx*- zV=AXyFLMbK-^`D=P$#FXsDJGOAQO+g_HW0TS0Cp0As78}UL8s$Pw7`tt=)ceJd^iQhKuVVn=?`wGWhV4=RDkztCnSyePP}pF(_V|Ylk5995cW9h()zt zp_o%m3y?!we*eO-U(S_vadnbV9Uqq9r;%=AY2d%wXMM{a;e#p*gSil_48r`G6Mah& zW=|mH5;bp6o7!YD1jfj()SZ1k4d#VtXdzlAfkgQ&KRCkqPBS#OTc?zxVWd)UX0Cc? z0I_q^+Gu{bwgMnqAl6O01LQ8OCkb6pm3HPM73tzJyF`myxTo3Y1>Qi6GW|R8eP@UM zp9tr5#?mK%t`i?*(AXBfl7yHD_<{PkR9k5e6Lrtd9|zs zWZ|{0`nViyqz}}HMYX%`r#Im(klhbiUc0;7Pbx1=GllunknVfK(>7K9kq<=Zpm!Ox;fd zJsj-$luHmRTPc5_!VlvqIR#GUn-7|cZe2YSzbbL;HAz>I(9xYwsT+sm(MI${pxT(f zd7fM3SjJOu~YQLQKna4(2 z6wBQxvp)1jZ*o+IKK?9<@ct@_OeuqNV*e_8umXO1BJ#iS(~+xeLFBpk&a#pmolP6zfErTOI2GwF1t0y>sh0zyk66(l`doIaJD{1Ll4Bq zw$vpOAtc;>ZJt#~ru^tNFZ1!a^FpYBbXcuwA1c4%=Gh5Ci7MXmODX3Lp@-Y{?CO|s zV=E<-*BM(bT@AEG$iqVu?612*A3>H{<&Cp+VEFqvugC;HGvo)ik76gwtTIsI=_WRf zH#shmec9Z<7H@B(LP`PVA3cU`)UclW|sL#)^XY@Pl z&HD$j{}uMw4;v*~|6QZRl%F>Bz!;d<-z20@`9Et4y_E=@>~8D?R@n&rDbC1B`g}Mp zZXYxk`_iznGgRrr4U9J+{wH*kjtPN=1;udC2H%SliEyB2f%lf{b~F zR1irns3XiLm3)d5xJoV)@sCmsY^6RZ7!R~7SCT4P+#hWXaF@XLGu4~s`*hD1*xq}i z_qrQk>n>;m?9Jf)P+PwTvW=|u_ul*w?ml`d?oq>$VsYaEoojSjxr`z<8qU=|$L*N< z{Xj2e=t8+MvqKFLPKI13o4N~ZCPxBjA0?+nhrT^wr$WTVinh9*p`M;-E~})}@rW1) z`mZODXAyIJX=)3Fz)ezTM?QblmriR`s{Q({sS;1~)%jxZ2?-G577`ZI;73(38NB_f*zC zaCDX7!c34eX#?22X9K?;E!(tQuu1Fz$44`(N_f_Gao#%d;`4D0K@kvhGGUv+q2aQ3 ziH;#Ag@5p5;JuL~zf(ZdxFB{{L0(`pTQupBdS$m;Su|@!W@9#xm=ADE2aot68f?ZP zdQq}kcJ8GuPAeij7WbyB_;@-I&~vzwA{h08e~c3PR9fRj6)TGN(KGiv-XS7tC1R+V zPmMuHjeObbVeI(a@A(Ty8uo(Li!t~3g>vUzar97J!4>2@_ZXuYib}LFTJ>|XL^L)| zTB`5fw2dd}T0D1??$-oL16ohMm$h`??IN}u<`7||8+OhyxO5bc;u-2z?!j>c@~93! z1UT`+1dMP5XLwXKs>--QZj$2fX45?z`{h4;0TTXBqSY+V{+{y(GyL)RrDIt;<&?P;`I1U%x$Lexkd-|>x z_%L0#l{~Lb0(Vk6fx~K(i^^(&Fj^xtXa;7*BY-9vof0A?peAlyhKlpPh&LiteUrA$t7lx0&SS^{uwPo?lm#riOE3{2We+7i} z`iHXRvFc6h*n$PwY|i!>FS7@Mkc3DZy2h)9Gw!3$(}y*g%%4E5K{a~@hNL!%c9v)l=2*|4Trg%th~Zoqne(y*%0x9s}4 z5TR^?(5<(?f@H9NKNa|v=nedP0?IfH{u{P_EX|Gw9nKZwFo$68FgJv+&#V zpXbG9z^EX_&~GD~H`ZQvWIBFRX)!zZb?~kBY$scFtQq)(0mt%-X&%QEl_lUhmk%LR z^H*o;tz=n{aH0Bv94csS<>Z9N*FEje1S?tJO%wL&i+*>4wqg%rZXdX=4d32VOs)+v zYvJArBY*x8e&XW7T3`9v7aOkd*RYU{%1z?y+u{jJ*Gmys8+Ko<9{rm6c&R}?H|~yo zxbVA@iRrDbwUB$6kFUcGZ}dNu?OYq0v3^Q<&!QylFQs?brGNHSHDl(YLBI$8Pn>kc z0SMrPqD4oA$>&or?tS;GU)6YHyV5E4*Uhcg&#Sh?2iVfC)j=OO}u{xJ=9zB#`cT6_P9=5 z55Yy-LQ4l`?t1>(Ud3Ts5#9|jAs)gPP-eM40%(JQ49arCV&;+=a(;7+N-P=*WpfwA z3O9nCpPB7&Tb~fXRqSArl@qCr4R^bbs8?cuX`1LNAR$J+e0kjoz)%8O>CN-4Cv&_ZF%B( zmoM1h>a)+U47xu(4rZVdc6oJaXVu(jU-PTVovnRae*X5kD%izI?dbd1C3ymF@2bE0J;s!Um^)gqRLqbkE*giPs*pv?lM1 zJN6ursoZm8f$mPs?JV*1*{ylbsC(Az%qglb**uxW9JHuX7p4|Q>(cDqvTHu(PrRQx zS&_*S^U%O}8cN8hygTGQ-F4gQ(NH@={ihOT8E@niHLa(3G0~1S$%d|kzlv`?*r^dV zI-o(vG%j8%UB2^>G_;n&G;}f4`SPo;obfT>Ta=F}moHjuP2XKeoLix<()YXS@#06P zDsX?Hc(A9-gZ`ImQ(MBG|GR6W07a=hMqq7tMe{8w&k(vz;}Kr=AueJ>D_tw&%*iHz zAn|9rv(~Jlyk7E&eGaNPb(v#`TUuD)B=X)IoY_X%9PfaF)}hLBC(aBFg$7T{Qe_E+ z0uOeHV_6E|d*{2Sub_Rpm!)o7CO10u#B0~SeZu{|K;9;C)#JE2$x@+e;kjhmaKg)UjtE^ohP}wz(jAtomEQ2X+Ph0z0J#*SD5{IAw>M*=S zEKOU9V9vY~P|IGzq#Jz71gTT&zLfG(Y+fYdcIhiP2tMkh3@k(HNEOl^?NI#=uf%}X zzI0v;^x`884l}FVvU}~%Sn;g+ay*`5BcAvghCF>|MY}2R3ujZ{!jSfk?;x8;oKK;; zBs;%9Wg(KkM0AW&0Ee9~{NXzqWBJmc*{kW@u~#AQG1n47WI{SeM-0(92?PD;d2!*Z zWBtL^U8j!orXy>Y-mn6fPuE{;E`Gcnz@P>E(G%+A{arQDiMNKnU#`85e`OykXyn*= zE9JPyf#-pf>K(hgq2$l4)n_PAHug*ElI&K zFB``7{?q)Lu2&GXWuWuZk%Np)7nebVfJ*6~L%MKd&kpiP*LMrTm-m%-Gu~J)ZE(L^ z<41GteHaQW9{u8e8#q?KeKoCdadmq4)Q%n~bm85FPV%vf9}4Y;IW?2Jds@!cIRxCO zS^4zhWY?dLMK3ncfG^D8P*6E~ox1wAX4GAMWAlY0twX%Fss+0e>Ic*?Wy4zR&0^+- z76h&*`+3vRpUS$t_7}nD_wdVGH;a3QG9G>P zhgojg6C~TxtXlq3OYQaTK3(Q|a)p5Wb9lYZX1g`u)^e9pt8Cr3t~y!9H&(!43BDW^ zL7pg%c>Jv#?U1j@;WIyVTw zNfsw?OHU;()b>ZJ7r=bV0oV0>sb!h`fJL3Lg)ftLp=owA--HjwP)qKZzb{>`Uoxaz zxtKZeP^ML-0P(p2Gt*XOw`DnEvp@pqmvI1^E65;#56C@oLr|Q0H|e2;F(VkcZFc{H zwfkebtGB^l?*U+^d4G{trTNQyA+KjGQ|@0<4w~pm4HE+o4U#>db*3REloYwJb~eWVL6HeM1O6uqAWwcCBZO=e;^Yp0snU_QX*Dv*9 zwm!C%M~_d27Y(!OEB5BVKUtDW$3xTQyIItiKFGP~O?4|RcOW~ZOg_c(D19LA&c*X? zJleL|^VvDA7TaD8eNgriQPEkoKh(zPH6+UiE7E?&g@Y$0b|aIF|6UzPNqrFGk;Qip-yU zKsuHQQeLQfIaM{T1DX~a^t}WnKj7SFS0f5-W-TY90g5bG{E#Ahnqxyh(8kxnI;XU_ zWxiL}Sajlai3wjN&{=Pu?7f%6q=XaYwAy71j>} zOKAXp4&@d3NVL%X$Yv9R$FS1K3_UU7drei5SJ5;EImZjqr=k|BF%l7{;R$^nbGaY6 z3(@@f)fgeQEek&9$-e5nG8l~SZL-h0&2>u)^`Xv&&>9i^l7=OHwvTTa>^03|fPyul z1eW{kJwYS_II|7xeqCmzodxf2#vejKovT{?J%b6(-G-komRspZ?0lP>S(Y#COkfjX zAH?l1vol6Woox-RcWZe`RG~?gy^_*AThDxbE#Xye%Ik`I%m!5rfm3#JCeTXR5Z~6* zl}iZkAC$?~_}H|oj(R4J#S`C~I6y){u&vK)9c#q5@OwXIGZLe)o=U7ug4bUS-euLpc2#K-Al zcruIZy+>|#3Lg|v&bJqG;|xyG+N%W^CLHopSc0=@v>tOF*rOS zz+{~>h@sWWxSJE(k?(R5x2Nmka8$r7e05)n^Hl5C*E*y-i{CEo^QtY5IlXIqPFhvJ z{mqpW+Fa;=DPnz}{(crb8zAJ&IVMZLbhQWx%$tzeW|FQmRo-acqCF6N|JeLCUE3hG zqfw1MaKxLUxvrMU|M!{$rDb}`v$!E$$SX!pKp z?sTy8a)NKF^_t0%FMIc+M{3VY}NWz!Ev#{(8#Ii?Ch!33T=jnx8YPSH+Y#659C?vHM2 zP(zO}Tv)pzkQq-QlRlkPvuIeH?DKm0_2Nh1mViEoxo2?7H+B$20i~~&bmjFoeU9#U zuNMInE8!09Aha@j0=5;~u-%fpD7vYO!-6= z@9Oc}T~=B0U$VM)Bp~SBvp*-4<#H>(ufGdy%ART7S9SQfImmlp;PqtPJCr;pe%C}+ zbTGiP#QEGOeg6XOqP6cE*-NqEpD9ZUg}&@!)%OwIc6inAJW)?4{8Cl}`KhFVMB=e$ z1|eSt=8)eB2XP+zw*SkdT^~%^F*H~T{S@$}c5Y!ezHaqp zyH$KVY@ljtH3-h!yz~CL8>DSW{Q&yo;zeM2Whbx?750w(@TNoqa6T9_B%FNqL2r1n zOw+Q0v#JxIvMCz1NR=Sjci(5ewYdB^W50`WN^uu(8{i|qk^PK&bx~?Qtm^KrO6Cvg z@^AaDA%2e+k#pNoCGyNI2;phjulosweQb+)R#^{~kb= z6bA)vD_*JI1NJ`P)xX2LwdpkO-*@fuh`Mt$m$4u>$O_dNKc5_AL&r ziC~4x^LNe^`_uue9}bEA4zG&_{zuT#y`E0zI|x2K<}h(K`b*P5J*RWt zAnZbzd}9c?J><3G_xY#IWXMJxaJk?`hsQS zb}Kb?bAL0Pqupt{bT?UbOS<_+et39xcBeZp_1w<&^1bQK3vm-UjcUik*ZRnW{+R6s zTY)FZ&EMXtcShgIdbABS0T!?j5Zh;`?hrQD!|CG=J{?SK?m|HIc?Ml}Kcf5V_CU;u)I)Myk01nC-~A|PPV-QCT`hSH6sw2FXIqZ>wd zcX!ud#0DGenZMutzt4R?&pFSlz2F5qoQv=Ey*`OXEDw_^8u|XI^{U%S#!khy-<@Zq z-pcY`9nreAQd_Gy{F2-VkOe)MPh$rffxbJPU>a7wYt-ulHJIj ziHTkIujo0&!(1W%5HKApJibx`Db=MJl|8SrMm%dKVE^|eRAMPX8zuK6g1881-V1;F zkJ00$&77l&cC%O(Mw^ZX7Xra9%|9Ey70I8;+=^KQI0I;+r+3bR1g^88XH#hU?7y}N9Qr|XNN}yu6t9a2Rj<=(x-g%UO)$v zNZ+jJeJHx*{`gFr>Z^Cqd89qUUo4XzJs(+gU2(h3dwNcE_v*vp6-&44A$#0YZQWB^ zSMAQzb}1O}(eip@{6R(}bu(Of=4o@+U_%RKuht;B5r(<;un4`h{r7kj~!f4&P1X@$ueU~k+X7T4}sndUggs!WeSoupnir`UlJ zAJkn2?w3-n6`owvO|KKP8)?9$E|7g>#=X*);x96a%dg$^Q2MvsuLwbwGQlV#0;ql1v8P?3J)ypGrWdZB;n~8sc-)Q zYS5r5kwuhaz3ncdZ0kRGJ^s#k>dAUtb_(EVdBVy?pcRTdJJRKs@;!YO68x^Q`;l0% z29S~7Sh0j$aSc&ͥaV73bgiuOkP`w7StKk*kwRvk~kVG%IT;qK*Yu>@Y!!~1;A z;CgQz_w^?I#_e8rH-W3S3-VqYan_O3k09E#hYc#|RSlGyuN%%lz?dB6I@|@S{|S@* zxRAi?zsj)s_bt6W;`)OTjL+}Vf7R@|*)YieX1B+sy$+Oj)20gM#hSs!pe6yeVh4k7 zgs!JR*|b|RFhg7<%2Lq?#L)=ALFD+imMmJs1W=Ny&(E*fyh|#B2}tCT$&nYlUX;cr z-z?iiF`~^hTXl24;DBXw83=;&i`Rq_;y1-suRjxv)7}Z2UOSF#9DmojKe~=GqBrt6 z+ge-LmDGXmvyWpUswoLr!SFMkNp%=Dtbzm= z?;6l1aG$37V*@HwYkZcQoE!78pbmGPN9C8y`8B&DbtK<|AOE{1#qVc&2u%K;dS;Wn z|6-Ugui1*eky_w|g^%)uxtI;t2(wAmsf|6_z1Mz_O9TjBg^BBdp9VaHI)tr_mOWB( z!iz$wCLgOB3-Vo>e}dROBNttx7^KbgJ9~tk?B>eM&{M55JpUXjyPuy#5vg`QDpCV( znz6`_apR>mKcwOMPdXBjA#p-SN$33u8$MP-X0C0_Fv;8xQbwBi!wk$Y8jytBraAOdLzi{?3hInI>M_mo7)v%WbTSuR{Tj z_rG~A5x!u1lq+(J#k}g>t)d!o)SK8ROd;gk&NpY4tHHGQPKU*CXG~Hpw||W>L1ly? zrl4uz3i+s+%N6_E8%4=PYs+wFnd01^l=FEF8IPMW>rAQ+9xQ|g*V~5)nF1AJa~Csj z$7W!u*$=?asBg%yh);qj18hr#zNNW*l_jF)}&m)q`e(=&JDt38<0DU@r5* zwjRb3*Pj-!j}ZjbFp*>J#}M#Kjd1Xkv{^y0`&Bv>z4C+dnCOlu`=OaK^w^sVB+Y}@ zzn=r_RRL>*Oxnyecg4Oj>P7C>w8gf0!JB?Rnf-J#3>12LSds%#J*>tUC3^La(|-6L zbbrv`(#(3~5=3n*De7(`R7B}bKkrcUN&mW>gl)YFS2OM*XkdHJcS}mV(mRwokNp;l zF-38G>yhcKv-9_6j|N=wr^wxO0v);0cmE5%jg56;l=OI8;aO>+<1pIU_Vs=>7FExQ zvvZ`#b8f(TpF~c*Y4fnZyb#BRydAp!VBdbyzck!_ZjBRq0LAQT`6ov~X}zQl>Rph| z$!fn@7*SFuO9Zy6NNi3`5Zut~?cPNUQHU`BQ}bJ~t6{rq41OBXJAeD;EW5OYO?5jj z;yfj*mVLo*x3!Z|U!^6(TVkVtK)Jx+27HWan-QSzMGRznzGb=lm8$K?^!{tgl~3db z=~tUT7PUj)Gd0eWI*s;Pfw7##(B>N-C;m}Z*PFc^{Wdk)8_{pbCktgb%WrXT*Hy8- z_0`o3_9>pLZez*XCuR2(aGutOf`jl1)#6&Mj*T>{ve#=~Put=Ju45a}gH}&itg@DH zQsGfOCiYU}uChIx5*tz7s?9-&u=9s_V9<;iIDfu@zVg%?)i$h(Q$|VcHpffY6czKq zE3ijMsfDxv297yPcHbt>FO?uv3owNHW)jW(n-lP2aXSdwr576X4<|HW5l==?l9t^; z?pL}!dhpk!;hNvB`lXFgdgkNV53YJb%L>|}n)>-S=hUZ5!IAojkn`eq450p7tG=SH_-w0yy8j;douJpu2fVhiE z?aJ3KDA$TBJPzlBMMTB>;i+?GA@L*d(iI}kCD5a;4cT8fZ+nQp1JoCtXMbJ5VlklF zy-G*@Ylaq}z{&7iRi!aM)wXpNMB`pha>zXf3*M#SnpZko-m;64vgfgFa8AoQgcDFj>KplNu}=JIzec1 zwn>0rP-d~>)KqJsILiUxFgCJg=dSB<+Dk8+b3G25!R&)1ukRU4WC6xeegX#GTSL15 z1-<7}78`RL&4xG@?W6e**-44pj>Q7ER(lb#YvGyZr~7penLpL|{IHL5CF`P?Teyn| zHy{y=;$=4UJ#LRN+3vagys;7>5DYM%kjKjd@Y>x|O@A}IO-q|$QkeXz@8{K-#ABsv zY4s`_YKBRU8Mj7ZYqws!RRv5B!n>DV9g^@V5K$C!{pno`ik4+56+Z*7M!gh$#{AsC zowBrVnC=(2a-+BVRA*2L(yk7BdMqPxFwLF3B!1h}eDhxgHdAv(cZ# zbY;@f8vd4e@?$c9=Po)fb&=W4wEJ!|mhOC2suQ~Oawz2%DBH#R<*&9JZ{tMSvtjpR z%Tcf^svb-%5smZMPH00-@pBSxSx8_0wIqf+Rh*M#cNp5Dzsko`EtQ^ZK8k&nDO|=X z_bZ{4rdKch2*6^*I$qF=ZT+%%bs@gCwE=7r7)J{Dg=JEBi^P|nGDu-gbh->?9y+1g zi8u3vQFf#O1LvtYqZA~PGl8hh0>xaB&yTk4mU|#gv)i^lE#Rg9`JKJH^R6_HmEWPK zYpCL(1FP}S%Z8OwMa7s;s`w})zXjWaDOGxJ#dKhv<=EUS~+0Sx=$SL5vfDQGuwrq zZ_Dvy1Pu`@iBq@nl~%8l2^7Bfr?!9iyw|_D)_zx`T1s*^?u(HP+onyZ!reck#h}=Y z_8fPV>uM2@y-6$r*$XKXeoDU^$(_E`Ioduw6d2bHrNJ{YPwrF?L!br|8E9#IY?V@Cj4N7 zFU^$fSw#27CJYb<_i2P7nIS_JrbB4U=8fRDZ{g?hfge-gnb)|pfRK;CnFgX2UVRu2izr zUqoZ90qQbT1@P9YIDx_9!&6;T$#isZtqwa0Cw`cEZ6ajfYmHPX)etwGI!n+wVZUqLLi+waF1HEhsxEiWt^a2)HHb{5>7zIN8Q(Wux@ zKZ!vXz4DwJTk>dK+O3Fi?#$=jIaQ$|nEz^!6Z_AM;UHyoA^gw2@jniP7q=$a{v#-u zG*UE9LH~1z#q2+!{9h({QhsXVTjNTvAm;zI$%mt{k>+l1A8W{hg_BXMuUTj4Xf^IJ zcusJqYz1e6T`K;-7(b|;{ z3M;KWn(Q_Rd&=_wJh?#szWT%ZdI%J-zfR zwr1tl{mR}N`g|}-94S|MwL8R}ml>3pqEv~rF~lp75Jn30{oXHHLdi#JE(b54(Z<$n z!nZ=<*Pm-I+x#QQS1;MtYq)`NvO(HQ$vr;H#@;EVH(E-+1rm-o_8~-ShJ;nw|qnm9o?v zb57^r8ehnk!%q6GO_TGsoOyx8e4FJ8J5m)?%Nv~%0U zr*e_su@%4xg)NFE>skh`&6y8*8@fCAATntaxn!8_>k!!AJ2`R+{t~iwDs71Su?=g2 z9VEtYW$}#6iC~&`o-D9>9yfOObfoS57a`j<^eclNK!U?9lX=34|EMy2E!On|mz~CM zfdrag>G-U6?U$$#YKm{hKIeRB(I5gr?!VCIaAKE^K?!g>d^|9_OS;{2YRuC-(-FEn zTS0~~CDn~n3Mpw`Wj;Zi)cIN~7jL%?quc8NNI8oq8-oj;Q(jk)CnMOd~96Wv7hg+aJU@ zznbiI0G!_l5lL;b#+{Hc9xwmiCyuQgbPY)CED3A$V%=zR9?5PqM;YbCl^!ZOkEI7JjUDbBbJ z18LXedT-p?G$Lgia0ieb&+yXdZ*UCx0z?a(fti3~He)^czs~=}pD?XE^3hBLtSoP9 zFIX0BYhKUxhkuPTy?X$6a~&d+y&g3aD~!eqj{B8Mf?Xx=q2#xjnwJWKmBq+;;Su;xkz6fFgZ%=kVmSyNdLF}C&a-+^L zq$}1sNopN)M;Xs!wQGU0nR?^y|6Y6vXk2G}7>oy;+;uFY`66$kv_i-M%vUG`K=uZ` zUP;B$(56TtjXCI25=MpN;)ou(e0k!c@v-^h-xYH?m2L`FRJ;^QJD(+V*`(ICvqIRk zkXVgb?@BzkS2UJmYbo$%bCi1am&9p z2>P+t+hcjtd%DxmUVGZ50=l*8kL8lO`B|&9(R67z&Bz3ZyfJxH;SXLmXl5|I^kWHg zH7?bGBOb%7Uw`GwEk-GAx;h?iqk<y02w=9x12+FE>?^WHd{s)%(U3U;;y(M>e zCKUA836OqWC9!@6FFAT;V(a*hxEg#O&1+dAQxe){LyPqmwoiTAE{F}Z+?Km8%~L#k zr{Hxg&$AC%qM9;ny49hD&S!;dX;_ZMr5&`Lr>)*n*3q5B{QWTfVud8Pe5ZC@1@`BDYAHfKkTJqZV`2 zpa?T+Y71d-qO;0wIy0(fl*JsO_Dn7}kH#jcaXOoM}u*!C~@UFkxic; zIU12a3L!$3DB?Q>)Lel!ZfTWVMY2KF3&e)!qlCF&(_0CGm$%vKD7sFs&Ng}D`uE3E z)Xu}%t(S)Vg}sZz7m%9%ZY+AY1=9e0zh$OcYTdRaZ}3?vY`|t;ez&+tB?6R_jSU^$ ze0}_rvfCz{0i~)PqVo=)l;4J4;c4%^)dBeTfZ7^FIF6^s$oGO6A);;(o4O9I z7Sc*dIW%|MhMQ<}M5uu9Vvi1iV&5WX^}N1Qbwqz9qsAI~&FtDCy03HHS>WnAWaz;yllI!-cHL0*#cx3ZX!I|b0SnT=Z%yMqcKY(N^^1TJ&m(5)3k9$=cN?v4 z9EW~yT0td>v4>G8+0RJeYzMYp8a?FEl*Adj$|xTGy2H$qklRCe2%AHPUz z)UINi68>_2H9XS)OO|@r(UknW&FzZ$1 zcohU(l6AN&{A(fLz>TPIIPv~2@C7BYT4L3JNup}(Q}#Xh=!I8eCGab&zEZy1bNi>z z@<%pYiyBY@o?#tyDdgO1$?dEgS3NU$sI9b|<^`Uto!cLttzcnLn43ez zdfWdg5FG~1=xWez2*)?0I}TTqBlFE*3f%^0cBHnaqagn9SJesQFQkU$|0H@$T=__g z#Qse#YV4xFf5X73q#o8Qq@tQS1}CahP<@YwBJzD!^3 zXm*}b?EWM8#*9Ns0-K{V=S3b+<1zoMSYo2NaVWjWFi(QK`QTF4*+p zb<=*pNk4E8D(H7(>D<_L2)Gf}!Wq#8S^%V(sDYd)_$?(k3H zgu9h9HQ)?g1|(l6O?mlkq^-*)Vm>HK5V|bvXsp?{q|uWV`{xC;x42)BC>nz*k7dpd zwpB@rE}Q&8K;CEZ+CTB2kk|2l5`N|dEAs!x)Ahg17c^f|=;<>T15OqHsnfg0(U;P zzFXho+v~QfX`}f9D6`bdb9|_YsVlSjI_p;kyq{Swh-T<9pTW~t=4YcPh_T=1>nnl! zb4Y`;O{&S?yftornAbOc!oWz=2dyPn$Zwg+f(ISp1GJN$Q)o;Ld~Gx}%)zT)48N+& zzPdT9;;+I>me$ci01lLGsebucq~7mNWNMhu@*zX~=H-9(|ttOI6T3KfZ`sf))N?skv|#MV;RL znB74VFl(*qjP-ICU`PS$?u1{vr<+iS4->YylB(sFfpLA`M=bM-3cD zD&827#|f+V2@Wr>8bJ=OewfWKjSCECM9$>Voo^%HY`UqeYI#xG;XPGruQReWAL=f? zkLMyNXA9P%QFi9#10*f`m5(1Y#Av>34Dsb-KiR+i>!5BLo_S93%oUlGI-Xyvt)k^@ zmOiLh{~)ZP@Uz%0lbhpRcl_Vv(mc63O4*p=g5@ZQ^R@t5wOsA^hDqR*V>co28LzGp z^r-r#BFLU?n@4ZZVc@>^*T+;|=}vf-aNc@@EW!s8j&$r7!6R&SBpt5!2VjQg`XIx=~UFvr@x zwGWcqKC7>&QPC=s-cFm2pWKL$fdABHKFCXqbJUqE>wf5*a+wqK{ROf7alBNQ@2zRd zG_6q;ts~5KPrpLrxfrgHdz4(m47ZM8YPU;%%ERUWL6Bb8T+DKxs8M}fucO+p?9bwN zm))hlS(~J1wN;pU`)6|dOSy`-eXJDQXmh2au2=^ zh#+;xvP1%`Hsi^S;LF$UuePLwEi_ApIf{@F#~QWC2OY4%U&Cv^bE5hNvh#wdYbO^E z_on+feyW`o_AD*p-lx_x-(DWR8r74|_K!JQ*ZI=G_E&(Y1zF5C$`|5gNH`TlNsya$2JbdD?Y8vn9nyIS}Cn z=wje20&g31O?N0)PF9cBHuCK>^xaId3vpX%`QlVqT-`VJ_oR!#xfX9e{5<&H2y|Fg zqLwbITVFr*l$8L>IupEyd%MKO|lO1g^b;|;M_|j@jNK~wi4L`jNt^Ge?Z0& zKx;pYVeCF?t8aFyU;d>szAXD$EN!Q{-Jk$;48m6hC$c++KJ?!RH(yiIzZ_pbG3*sz z^OI&i)1>@Lt@xd&?f06bWYu~&kANiC5NXsGb}~tPh>e3qzK>DT1`7@M?bRU4+fr*C zWfNMEOP>l8C0P$7D|eY$_}fupmrqBv+YwDX z(SWsPCtZ$68OaAE&FPf!CHGMf_{z1wZu%3@UldA0Z3PKk8WyD*{G|-EtZL5+o+xGd zhAz8#4VxI_Q_8pzN2{_->Aruu#pyJ3g--fwur%Oq?nT-~Eyk~JC`Yt)GS_AwrEr*k z)uD$y7XPz-(W?S>pnCYI^0_jQQ5AopbT(y(I3ZW2+utCC6%T8i7(P}+uoRNAIXHKT zT34~YAs7I7%5VtbXWjSCWQW1-slSwAHufbo(P@#1vCFgU4vwnbLzv913z@BWlhaZC z*m|WL+b+OIy>hv#n2!T@@_q*pn}(egIELx^Q?Sufnm6mF zdmZh(bk^SaH5j`e&#Pew)UD&6P99YLX#7PSH2EaA&{5Na%zPQSS5!{=?CY>81l_7N z7RUGvjT61bLC0RlqKBIg`yXU-g?AOc$}{(DT9cSA*L+s?lqnIXR_&Q=;IfYCy=)$W zk%@Q1Dx(fOJMQT6+V?d}_N4$A@Xf9uDbl9hY}D!Rf`oWc{Q@!!$Qp$K80<;bVDA-P zYSKEtyRxr99=DTo&)*19{W`ZITWp=C{Lj~h1XQL4CgnG&%_UiZb%$E@RpPm-H9A2Dyb zD8@P_B%O^DwV?f;XX{X?1}lTFjiNxD^v;^9_*oeHqvSA(;5*RD%J%=7geD}PslV)T z5x5O|ob8M{P5k-bG*@YBS_|G@2A>WZ;@jpI?lL&MpM3Ut4qiq{@UMMd())e)>l)-k;x~4sWaSNfSo1Hb-QQ!Fg2>BYuaJif zTj)_Y!(^NLE4`2m_v^9|z}oWjol{1s4@sjnms=CG5>BOab=Vbwf`yIo zy%%rmGe>FA+JU?yj*m|1t zbt)=>i5SSPesia+tti2f<6Ckg>}QWO>MT^@9tG>XpiZsqGoF*&*xMhRswQg^5&GV( zU+=J2c77-=2?iFGzra_7TZB(2guZ`%%cR-&i8ErUiOQXwfb0E+W~z*Jb-JX;=_ZFj zs9O}eRNr~gv%l<5?S3?LY47H+=Hm63eyY|%W|>J+E~dmW`#Y-svcgSU$aH^R9)dCI zed2G7B)8EEwR%Tj!CO#K;-_g9ndmG7Y5;A94@B5@vJoIDe(xs<2*mSheLj1^2N@YJ zafjBN^DA{8MNZ6Sg*isVd1bwGefuk7p~AMlx(NF3h5x@k{*Aj(B0R zpsCm+cy{Aj7xY4JhRpkB!MMFW!vk!FzqC&Ro5{8p)^+M&?@nk*ir)XKwY_D6B`965 zLs>eiCG&Fq*6xAz+%RDztIHHZuA2hW50pvY>gqoY9kRPICu+eGPAUGnQXtq+y8Wq{ zmve0!IR2V%b`PBMP|Tn*hhQ*BV95<-q&?H;bq@eT61VO=#5Kok%pGaT@^pg~+We<2 z@jfdL>%u7==EltjsM&^8;(o{2gF`PzZ>t3+{&)CgQCIuAzqtJBuCAysGaWb$gKe^= z9nGh9Xq~^la`?59Z=UT%zBnb~NUzm7Kj-|dagjNbvhCv>$r$p7krc6rMZK&de25Kg znQ$fP`*C@4mqHm6(@b2C-~uzw362WNdKU?M-?VsBW*bn4`4%N|@49zS>t>@)cwFs$ z*?OO)NV9$t+d$r4z;XGfRo?$=;5FT0afE1=9Fy@h-bIZd*Up%+%2PD$uxRFk8LcO# zcciq+6=#~09UXj`&g(A~QA=>8%SjhZP&1X^B4UbfwgA~>)KHrZ#ft6>9~sxzvqqQ= z3M{FMWgptG*2#M%7`SyquLqO!?6x$Kby63brcP@q<_q3bzmr#nukEx}aJswLGT8ks zd`NP?R>FNt+>v-8UjtAxEQ^`w8`)zZbU`NeI^AIJyl&mofXr`}JAL0u|MAN{84dFA z6KN9f#&JOoj?U*1Y;`07g7Pme%+Cj_q?N(##TQ=s2R?tGK&MCEp?+YQ&|i)A$8PUpPK$<3ncmm45MN+?cXU&pWSVnatqX|mTlqLIUTIYO2F(o$LF*TM5I$o zIdz;qjU}MNydU09<39Xk#PCs)cLBN%+izw<#c-QxkaM{8KyC3m=KZD+df6X2mS3GbMx~SUc`R8_~gVG^X zXE2bLd2R3lU*7gAgLjW&bw%`NsCt z=H%MXXW#IpwkI8RV_>j1#b!P$&Fr7^FaQchaY z2?>g-lMj%+@=@gutJzOCUCzFrnKXhxI*qDcs{Tu?P0zHWsIt}Kgr%!kZVu}W- z3GmJBOg&KW3oR}DmBp$)nUW3y;;4%(zIwN zAQ)p5r^Vl|j7_eM!3SYqxH)*E%6M1`qmsDIap&Zyvt!k-y?*J3YcU83o_??#O7tit zb(z?(M6(wk(Ez;$wHf^c(zdF%>afNpA$j79y(Fc#RgB`kGB;E-^q(K6e}~Q@CIW6- z4Cu%*pVoplV%)#l4SLpi$(DAXpO@v5?XNi4hRh}5C`Zl;lUHXNgYYT?T#W-7#%%^6F3 z_c+I`m_3`qE}hO#R=j>*e(^>M?fB$nP>{H`L9BKwuYKYEjI5z`?z`%KOUq_(?)DGV zLU})oabP`3bb8)F8wV9HUw9#CE8y>Bers2yuw-5PH`cqZZ0+=M0;jo|y`)kdVc|$B z*M*4V+&~rZ+NvA1rqk?$lOVQ=XS$GNby$43YkR_3`>xn`HD!FENRb7%=rOM5bhJ=c zf-lopCAI^r8-Pzbo#59(zlYNpP5s#kAlTk+r)q8u8b!StyUi(`CM@C?_2#o60v%@4 z61H0`>n4`RqqrTW65~Gl>AU&|t7MX^lG6h)J>GEG>)iet>0`7#*4h};(a1_gFmBOp zF~*sMo~y@OJrEy?l4roPNn@<{oiwsVm!j!rddt%6W!q3;#JoG^i(J<|4|18axO6dRqn$v3GJopq)KIxQH?{*razD&g|KzEq*INyy zZ3ZtC=~lE|+AlTw8ePD#NL3v^msHE--u~w5XcaAj4cb#GY-{98E|@D-7O}ibvPX;c zN5krw_uFwjA#}$-ZPxq0H0`au9eqV+rr6%50{u>C{ zEqnBShbRih^|i_2ak}~eXP*GUog(CWd;%QjrAK^tF51=MtRtbL?Dr?x&PkuiyosNT z=#ScvwXrU339v|*gU!fr0|h=5yXrN;#_jN?K|KE2@tue74MCAHQOlE;*0nJBW!~7f zl-I_Wh3p!BPQVOGuf(uK#{YR`f93 z-pN#|j&M7vM9Y27a`9?VKjlyj`HnAt9d{oLl~vwJC%7@`=-rZUyMA(NX#rPnZd=oBN^4O}lr*378M9Q#zTl2BHYzw4 zdFu_etIM))UQjXREwJh@+POJx8!5fR8X`y-=Y{WhKnuQ#9wVR&PSM~GggUXYuBh=>QZZOA#N(&7) z{u;a|ouc}Pg(W6PUyBZPPjnk~Jd6Ig%Gms$EYKo@Q)iO?U#UXuYJ=-hvg!p{z3{(9 z?y{&}d@HzNp(3Y*q^$aUUW$2av%bjSMB>2ZBGV}$elmh)08hpCD9?HB71{-Fj`df% z#PM<#QKH(tso^)ey5iUL5!x2g=pg$AuLeMR(E_a&u3jzyV83=Bw@$KX6&beZ3eG6uECxDMZuAM_e<=+A&1&q1&yV>kw^ zp7Tssas3uo*2uDuLu=E-SpOB`PBsV5UT~BQUGz>>$%UGvt!W$tc0U|)`c&*3UKS#H_i_xX zJ9$>|2Ea{i(mg0pq^IfRT}VKL0(=DOkb%9{AR16A*W&S$zErzHsvkq)mZ#yNBm*h>mLyGvO@TO?{@!P z@d_g3JRcF{ze`fft%FueZm05ncb2Rr^%owd7Ac`p9bprX2@w|+G6Jg+iaCOJ3D(ck7(J^_T8$i& zjHo@%wkZ#e*<}^d>yZ`ZSxAf>9m7ROd$JHSP?Ce0+>dW%Y%rPpFa$q!ZTf!#v06UU8CA+(Ut?Xkxd@Oyw%YWY-yV!5;Tm1?G1EDz0@ZjN z#jDn~cbjmUU2(|G*#8*pvN%S?ualcoZ(+0S1?lf}WtHaTE4|uqyCM9bx0XaZrca>A z5&S;l05p&bks4edJ5mN+6ag00Xp@_V^GE~4&Spd%WEjmnYX_(lCApg;KV!Yxw6p6z z{IWVIy7xs|^vnVEy4UNcWoBeY89hGWY5-s$gD<+mzY?sqUM7<-Ly|EYhXZ>a`Ufs9 zI=aO|shF&Cqw;&YjWYHnIye;cKK9-ZEN+-=u}HFO&ph6zN;J%sVq@%bFwc!|KABp04R#a7w9m6jjW zWehu!#8@i7^Dr>aQK9xRq_diiEsAUj0HlxZ-Z_+2d^%nKle)$ zoL%M*+$_wJxmwGvmVIU% zQzoDq_=tH$Xv3njX_Q0d`O?vhdj-%uQUX|A$q6jCZzzdzP3AtCYInpYk8L{MVd`Fm z{#mwV;NYoNlwGT2aCcI^MvRJK5Ok?Y-&hX4j&5Q*VkfC|Uq4c&(xl4y({?W&3uW8Y zWK&w2>GVHeRsHGQpGoF^sL}9jqW{W$S~FBiOYRkmJDx6Cn+BI0wg!IqhHG5IWpjhi zvsIJ~t=Hjbz=I5JTU?*`5bafC z!W1cd1j?l0p(TE~(~@Gj!}aIkEfeWi%{kEZUL&0ENl8%DYaD)td4Z}BOz)Oag;}yv zd(1J(;oz$|Pe11v-&?5FPx6?8}t7crhW@+>3G#;f9xzBIxw_%66 zi1a1~YEfI*uTD-cxqTDIU2jmM-uDg>?(ziy>aO46o*XM2&$d9hCH4lSXij3O#V+Q0 z2QN4Cf8d3s>-KYCvrgd3oYl1X0%7J=aP7a@6Ky76lC9Ce68V)n=D9qNRSjw&40 zIehwiB-iCXqqFf-D^t+51!MNS53v2oz^wDC_OL<0ID_0!{@1HJ5=o{RF|YL{15ADp z$Ym<;Z;(9h(-9UV zP}&-4|KP0O=!PB$i8w6O#jlOnKKa?o4V_^G0}zW^c7^%Yt%fix;PFd^HNKjKu}t5s zRNseY2Rd+`-bHWjYW)B2!dX>1s8{vZ50%DTsu=4t|7Z4`!5%NP+`j`+w7Bf*@AK$k zOmNaI2<{Na$XmEeiwpI5vLd>?8dqsQ76W)AVpvdT9(-3>5wFD3C$Wujy=>z4Uhvf1 z4V?HcE#Z9hT&%R)E8O?L%!r8Uoa?47d~-_4S%&hn<+mZTTPw=6z+JtPDqBXj3EhYB zNn{jnGotb(Ib>?iv@~6ZeD3F;-3vHTdDOV&bC|@rE(;!&0fVN0OW}Kd0a%B!bxpub9IG86dXbUkE-E8DMevZUIKuOER&Gq;R1r~4-+HJ(rv$4J72t*D;n{dZ0pnYL5{mToeqRUS}Q$JAf)plzz4jRc7s!v1P8mMqUW!w*( zX)cl!A4n6dDmuD%E_LAf%lN$Xar!-`0-Khq-zD62&-_jY#TqoV4MnUcNU6ALD~4s~ zud%1Yt8eUvvt$;3hBBv(SI?;6r`5wzbejG6;apw2dYvGzNpnyg+RwF)THAf`3Z6{O zo!!;*rTY>!FWBlqjg$54Gn$}wUVgjQkbIyq z6zHn$jhdB8J#A@ZAy6PHit6CaIh9;LPgY$6c;#vnL}>>Wg*}jjF2RmMj-cuv|3Sxn z{?wgo?lC%bkk2&m3uUcT5N9t-q0YaDD8b&`(9xr<*i>Em|AV3Z$Jc7U{!vd7;PNaB za%I~+M2%W-*BCNI-k#z&tPhesa&@epwURh2P{mW&dkWQ%F2}Loq(Pd@iSLfP!BDwZ zU$Z+{f09j;mNS5#?j=^z@=8q5VhUp(dR~T$1(TEeJl*Xk`*2gM20t)|o>YvO!d!Xp za*8IpLYVnGT+O7Gse^nX{+_%v+7l#m%@n6Rz$0WDCt*3*#3Y(qG>UEyKL%>{{@^@$ zH9ERQpri8T)sw(totdZkFs^eQ4ftBmo6}D9bMd?^`qlh|V0A|`Haly*RIIBEbLf_u zGXG|$tke4KvPVB-WO9+8c;GNe(RX(s3x|Gk5OWy)0dP#IP#1qdTdK|{^a=JcFA`tIP*uP@Rc(B^mn%&UpF1^6d!QIN^ z_nii~)7t!8fuo~W3d6JmNxOPzWvW_qRzQ1F;GyKjRNmtif*wqNIlj06N+B8tlLT~o zH1rp5Yh#q}n}2cPme}~su&_0sV)j&Kv$8jvxSYYW+GYW6Zd{-%gr^s>DrXkt&!U3) zT7BMgJlkKuV%s^KYib4z{O-tUJ-(b~pXRvE1VwoiVyI7(B}r-ZbEpatzMdP7T+_QOj& zu8Z(>OQ(E)b@jP|C=A+CY_BWfw(dPVj7Q9BpwRfrt(c2$xJue=9#4-Tc~xYetUYgj zMWx;2)!Ose~9Z{K6}w!}A>43|%L zYAzymL(btaJ75qqmWWBucbVqXiLRBzj9ET8Lf- z5oHLY6I~DzT?Em4jV{qcMsHz;U>Lk#a^L57?&mz`{jK$$_bh){v67WF+y3lw?Q38A zNr4#=W(C|tX_D$y(J}mVHp8Zqy#Ly1WeC4RN0R*2I1ijqe9oD(u5G+(l_ot@r+%lU z>{~Tm!_ipe>6v#x%CF7SQb{$oXK$r_-t)7vFT+kxq}IY=2<59tgnQBtYH8AvXV`E4 z)irCav#|{FqdXJ0za(z8O!CQGYdV=zlvoTWm^sjEBsZ~%2_A)inTi&jT(6UPE46m3 z>nzqf@^kfz4X1J++mglsgA(jbNI~IaO@ot#@gdT}p*cY2*(Ubvb~JFOl7w#l&DC4@ zWM!&I_Fp?~nr4L+5chLh3+LluF<_ncOEO`?>5t>$xtk}W`Sa%3mIho-tJ!Ab*c7 z=ubX65gA9Ocp|OG1I(VD(#(uPK=903_oo!*Ronf%=>4WWpi5n|>-YSz<|!gOGuLo3 zB8!k}>k1_vEkR@*l(Cl5_R*3~Go6f43@5#sJ;`GR?5JDp zOUR9htfb8yhCO% z+*Wz0K)qk|-gSnEx>gL=WRDF8d#}H-P)mE=*H&DdJ)w3R#R;j?RnhZ35#GBcPP^_>oGfwF zXbOiTgR#}WsaHpg);p=gJ!{&OG7LG&D36atA5o71j-_~m)pxk0XM^tDPeH$o9`75U zUz{2rG|$K3G;}5lWAn)1&$w(#45LFP-fy-^uxo_W9>n-lw6`n&gy2NlR~EDAOMVxc z*o4VeXwpA_IoVxxGY^QPs#=-czk@-NPX|~f+@>mV{8t{8RR5~gEtJ%+f;TJ|U88ro zQiw?RUej|-_$Hx7Cx6QFtNQe^ATnx?+~w~OiS;mkmH1@^Tq*0>sZ=P4S$K%S6f;H;<1wGR|PEw;7_AM=@t*dkr z+j-in&1%PGZ=ptp5`MTaECu{>m=U?vM19hg;ZZtmTiBo|dlDMDb)r3YL-&&u_v;=* zVzc_EjDmJaCxbiN&-gt@COG{+%FV9Bo;zxCclR7XF_u&1S* zq{4r;!rnIXc*7}m;sJK9T}K96Yy$8n-l?7>cIVB#T~#ZsMEr89_KQ(j&pbU*Zc15p zbR~N9?3)|TBZ1_Eaj;OGK`q?F$1=zClj|Z^RVPHmvhD0E8PiN=@SR2I4^6{eDLgW;H*3P7TdUk8V9ZE7W5@os_#l14<^C46ls~MxDG_$6l12d zosVz%L7%w1h0*JaTZ1*IM^>=Y%d$IR`u!%IbiO-QASy29&6H`T6Cz#Sg*OdnN>Z_p~%$IDLYrlm*^$OXkq z5xzMh`)D{aOiYt5vqy*G*rRX_%#Z86a`_hJZEvcMu`5eTsc@Vt#x^GjSsH@FAa+qEO_yI!5i*Di|9^j?F`_R@YKIMF*WotMMv z?2FtmuxkkR7pRNzzkmGU7{H8OsBKcd23OGBH1)kD2P98Vd#xf8=1Q-c)_Uju=FwNW)_f0~w{dU1fy%_t*cPp*iSX@J~_~xZ0Pp;jm$N!YOO;GlLI=N`{lZcEl!p ze^D%My8ur|H}KO&^-DPw89Qra4nNv$C3&}0oU|EZLqS}>Kk>^0Be88$HPSgjK|Sqh z2>bp$^=e`3DKk)f)bHJSU`84MJ>82t-utApn`v(S<=D|b@^MGu`yLI=c~^i7$(ffNOAj#teb+q3BDsXNPmEZ2n$ z1_VP`dP*BP_StIQX9b@3*PERng;~$N}CsT<<*(vspRU zB`)J(Jkx5^k?;Mx)W3HVW~tVf_vPNf620yvZ;TvsHn|w>doYr6czCwHH7II(yIVKV z=}(qvRljW~rhL?EbP{#i8*Z>4=YPF|%MSqHc6>b$?ugR(VQA^sxw^kI=3oPNRdH?Rk%~i~bK+ekX%{gy6 z&eX``QpM~HURbgGj1=$vL01>;$uRjHP|gKpBsQP;#KN;HmYMBp4eS!&$m?TG!pGqy zk1)Jn6I4Mw2mK8m+6HbpvlZW-{PcHNd(u~D_Vi?4&U^Q#bujcuIuk17Tm3#tzPsUf z?CdAYoyPI!L0bgs_D2WwGp`5dx{pl#4nIhI(W;W=pwC)#0?O}nOoLpwANhx_@nE+Y zP`9yRhw~w27vCtV&L}B@eX#br*Xs9C+|!Xhgw}M<^`6ID=$vYHXB|M&aAZ&{vgB41 z%UPgR;Zu{K9swr2ojNk`m*bLtU#A$hado@nZStnGIsCKPwa+}-zUk=^pk!0^49{>C zzgK71-#hp}yS4o3sHv*^V_iorOfl-?d3UL*^Zz~?dh~DwxJctJ96nU<^^&C8vW-&W zQri-s??Vv5;W^{n^@UzXru?Ix;KUqh0Fl!7EVlEie4f9j-;KSt*%^hGP;)<;K$#|M zvE_~*Yvn@dqr-Qq{NO24IK>I4&)!5|DBLl3bWi~*BZLy5=9R*ZbW+DqqlbD(jE;69 zcCA7Mnq0Emzzr@PbTv#ST$SEBPgdLgfqw?cZyLApU83 zZbv-`+1+-&s&G>UA6$9cTtZA=DizVpj*u_VIJz@K~4O=qL!3>?jgNYt<6b4)`i z!9$|ad)7(UIe*%hEt%rIJOU;|BtB=nnIv4`qtJ+@9@8zKx`Q)Wp`N4&P}rHjY0c=# z#;{!<1;Y`?ncKQt(bv!eJzQH!41si#&o8oeR%tgdZCD5c-?irX(Cx-vE~KI*Zlh&| zfhHTByv`Xz3o3LU7&XF6VsNONMgGoh=wp23OzETcu-dHgjH^9I^7~z*Z8kL(F8*}) zwbdd9gN20O22KrMq)#yZoxjvi&~@IDooR{25aRa^LeF3B{`{Oza(ocG0lE1ba zC1X{_uaR_m6CJYaaj9Jj1hs zKMyR-U5C1<-9O*^!`FD4Eh)Dq2|I|xo37Iha0@J|zB5YpfL$z(?&j=?L}qN|Oa1S& z)+^Ra1J^vHzM>ziQIsBpI&Q4X`K-Kkg^h&Bkha|44U{L3xt&yhFm-ZTrx#L?SO{i& zx&2~)Xy;5Xk<#cH^_EZB+4VLX>&aH15xg!_+OR|$BmIWZ1O@-&NX_T|y3^KcJN^%U z7X+(Z0fyl|Yk5hnz5c*~q$d^wyx-0Ie(Q7KWxQx5D^Vi(Wuu>Y&KsXFaP5y3xnTLs zd4X$}#;k32D(?2XwbABNy0aXCak)0jdxG$UW~vC>s<4AZ(%BFzX=<}Rh}|mn7sj%OoN<~s?m)?nKi|w|u1B5^j3(xFK5GsACoUrZGEi~e zHz8~WaF@DYvvqZ5@E)A!Y-!Ola3G+rEUpzey0yJ`(qz+@_zO6<^^qgYe3tl;s#^@jZz!)M4Y$4-0sh{jQa~vX=I<#ygb=H-@;~k-jg9og+p^`!zl#>^24GEtuQD*=i*;crhDd`;)eL3HM~EpV=f&m|ER`f^hf zebmyfVcM@TR-vo8Ln6?QVM&_^5k*91C*yPnmVpGk$$L23#c6EG8rGs<{LN2{7MHl& zHMP6k&k|#6S7QmV5=dV7)r{w-`XunCV>;eT5#i7Io7VR!q>O$q>Fp|A8sCFl-txCM z8@J5EfUmfWo&pn$!N@sE!CI1aQJ)HH!p1%CGmGn!!>dm_xA;M+9p$3WC8;M3Nx^qG>aS{n!TBDjWwMDP}ztrVCI zd*7R3TQ6GP-7EXyIHM|Z4Pzei@@QOXV0ZdDrFs?7wAWdQPQQ;iwqeC#Eysu&2tF64slbcdxulv~!?sUY_>hwkKH3ea@jv)y z{#t8uyf!44Ew^2F2Z^FvFMF`NUj`q;{fL~(-Bb=p!OyKW;VA~ZlKGUD;1LA)EpEaEGp?)&j9$EGJ9+jU*@<7#vqYbZAp$d6u5-LCck;==LV3_G_cPeYsL4TMn~Z_1P+j&`y$<7B zdhqGEQORfLFoHW(qCEhJJ3|gxG!?sT#(JnQdVXP~)GKcb026jR&eCOP)&yR37ClHc z{ZQ3RbEh9t`=lr7#=*kb=|)fG+i&{@#x@QfcjuUxdb*AWDB#~*N?;Rw;*2HS;~2i+QGSNye?hS+lukl6z0EZ zUah^U_|-A|Lq_`;jkwAVlgm#Hxe?K>g=G>W6njiOlIygan@u4^$x-{o2-@(`6U zBRZe*4B6&=r0;~>o%>nhQj~}UfWTbpw7DH<@1f^ctJB>ziHC?6>9zfiY⪚PmGVS zBBDYcE^nBsOO|CM;2qLL*=8W4Tvy}!9ulhm=_D8roz^*`mJ zpY~cwCs2QpmtgQXx0LTPK&2sz-_VJo!#C%LqR38@7pT!W9OazPk6938nTT4)$3xVd zuf_9lzG7-Kozy-W9YG|)RQ?)MYOLV&O{+8W)wAd%_~wq@B@K+8i#fNy#^K}Dyxngc zt0+kU8=W57gRXj!HAG;$1NMn`MHjD0OCBA==9N37@*2bl8dy0It2bX?uCjLyb&M?U zNd-5b)aH&tyi!0`z8RJwLi`=;gjFGKz0amJP7yIrA$^-MQVDCr(v@>v+Sf)?c#n1B z#`itrs}iCN1mJa2n_K>s7yuv7SpKPReU2P}fYE(Nizp=AtY--zNY`D3!da@Ej`jL} z_s*E!=o9&te7rH}*r^kDLXbA;_#rRpB`^a?M2>RV=)crr=ed?FAuVGb^mQI0mNfJ9 zl|5#(vUFCasa1b>$p8as`g}e4Pz)I0ALPt^cSQ51)+WG==A1|jYb_sg##soze0s)O zW?S_&JOUsLb+x*`hax}uV+9LfkKG(}42^lk1wT2ZF!{`9tKU50DdMpQA$S><}I4c+CJNBQw@GQaFTHude{b0j)rHckA(bU0<9|K{yz z)9&uEoO#1X{}+kWd>?)qeoCPkT2b@k0vXU>R-xz%H;4L43;<)hTSbn&RZGF-(=Dfm z&?diaR77w>8;Su#9;qKA3#nEpL&+xSn}1Y#f|HyaTxmLOXiAtHd0}!U{;qWDTTF3{ zDAapH_n?5^hKr_b0DP#eOD8Xtw!g(x((|BS=I0Bg>fAGXJGBR2u?mTcyVrcHu-i78 z5@wBx1&82Q4`Zpz!?vH>k8eCv3&eeS_{j$HCbKW#TFIkqQhb^@J&rn3p ziU%%oy8{W-!thfI;993QgAV)0b@90`F3BZ_q+`I^IhwX0lNNi5YXj~H&OdtQyS5x` za)w^u|FQk#Xi%&1rAT$_^HV98$meG>!iz@*@Qk-YQB(fasT)n>=r0dq0IAT1)a@Wh zX`@13lMyY+tE25xZ&$A~X4`TUGm%;7v!b^fqW%qc7JU4<(a6~GZz-pEv5tUp_^a5B zey$nF2VfTvhKFY|eHE{aoFk?1@73bJ7LD(7;E%r7dfCP9W4}|2>4lhZ4n77bfg8Yu zs8ww_>>|(Id#6G7zm=LntJmJA*22vEzBQa4Z8!o&rh8#gMffzZeK+e^w`DMI8({|r z&RzoYIz9uRpN)39ZB2=7&jW`^vg_8~e|3aJlfKny1f(94B-N7gGvVG7TzAZ%p9_Uw4=T+$;e zA4?jTOi^XSwuU9Go^x5mEq9wqool~B?-JIsus&X&k+(pD zgP1~|6pfM!dPoIQbgdW($X;o;wLEkd2+?MQhc6ZOAo8#KtSuE9#`l&w7mCRBV8*Wq zB02&yF$)luZ{-TsN+0AjmJ~|Sg2cP3)*>tkdoh_o`E|u7KhWG5FM(x;i0gMj!c@8L zFH0pQA78$hdND(Q8bEOIU1hnY&90*)X_+OMx+TUPZd3i8rK;!7mpPe0Y+}TLhC$f$ zR`aKsA6p_{pV?_#{L^qm04*p2@xJ5cIgK;RnIp?inj0h@wd?RN#Lfa~(i#7=lXH4l z0`rhXDBJRYob;!@N7pgn>C^A}SU|mG2D_5E{r=wD2RTYJ&kKuZzQN4cx}(KXCSnsJ z*Vw=P?%WT|hMl1Z8f&Nc@IcO~^+LM{j~ijU}t7^38f zq*bZV)?99iudJdcIO0KZ?2=NT=%GYvsYv~DTS(NE^l~=0jtIYau$i*+hf$_#H^rf6 z!pupVVb@SxQfw31`H__61zlFL*Lb;7Ya%nMI`0~98j2TwYYnDQJ>56L9UV+D({TeO zu5H~H7%S_w@C#RuWWe)_0(zeEMttU#`oF1o78v_!pXZtRIP(0->ETa8Gi}u#nwvL% ziOxeEu?#S$w5-V@AWdc61r$xpBU>GMF1Dm>X-HS621o-aQLa-wfA3BG;nuES#ZTbG z`~DP@sjZ_G2a3e;FK(DVs=%KYgI7hwL)FVBe{0}O64rv+^`@2E#&?e$0UrNk=| zz&7{X-(5qQrcD>d;l>g&Yh47WL}?K$7MF-MpD z119wKfl|*#X*6$$B?Rie$U&@V;(1^7a)h|iPOP5P`cyAddZ$jh0$-5;k`pk=v&2 zX8hrn?>~w&^ZNaJ_I!Dyy2I$($!)j#W81G*7IxNGxBQevs;3oZ$0|q88@IscD$T%* zfV`AQ;=V(lWN4?WPFr2j~Epne49B?gzd6+D`*gef`Oz zZO^9XYU?p(-cJA#3Fli+2ksRX=Jo%ky7G2RmhfVTtlAkH-E^ol!>4fte`51*Er1iN z=D64l?-|CYLRG5yO1{D|o63thW>Tn@)OX5@L6nLgaAQ`|dnn`VE|^se62@C!I1y4S z`Rql-Wf*!9ywOvNHV>t21YBNK#Q(@zRT!I{6J?gCVy-VGkH{fr=&}e1<0CRmyG=WR z3bay^{x!NN5aWr#r)&ra+f~<@k%WrIb5|u%eu-z2w!a*Neg=>XkFmen8U19ys4#g_ zs&-&GEnLa?w_wu|!(i%bCR1RTf4>DL@x|j&XqMt3&e}> zF!_b_gDxv}59I7*+g$Wdx*Xr~V*kFbF7I;(KLm6=%MOztEB^^sQuwu1xA4uCprhi@ ze~j$|Lqb3l;wFHA#4jLtxSbsRe)$`L8y^}7?$5`NDib#M$o1O$18UFX?VPC8(hw=% z_ra$DgRcv~;6t5CLE3Nnmh|HtN#PC&uzI0Q+73P_b!dD31L%GQ;;Q(C|D;0aE3PPiCYYLd2rOPxAcKQXk^@<#DWf2stXjROFbMg-N)&OoT57&|UpvokzEP8C2I49)N& zeSVBKWv*thyO*b8`i~ud7{j9zucg}8Wm+vY>3^TNQP=kP;ypaPg%6agPXeyhUqm5F znm-vBFT*%B_8%!&K1dZrH-Cs;nDyQ$9-m)%PH&$~3bZ&gJ%f&~F6gUz_b@q;%}$E8 z5p#J!fFBlt$K!@yHU}w^JSAtpT!m5xCAse$%16&vbCk4V&d^qS_4f58RaG{lr8m1)BIn#$pk0fi1qJ5Zu)t3JXz=0J2KZubThmXSIFnqz z%Xc{b`UdJwY`w5F@tZ%E4$!I4x+X%nj63?23h->I+het6fTg&tM2GT^M)sn9eglx# zSFfJa@b2Fx1Y*%`fosu!qCN2+I}fM1q!#?c&VMvj+=v6iK!?TPcmv~kP6`=5^yi16 zZLhUw3Tn)7e3E9Q#sx&DLj)}LZea&1##rq0`5@hQZFkZ7FkmZ7YOJJEqDeD@wc9tMy?571@(W2Zu@dZ}u7Qv>AAtT{FHN)++nbXZ1CyFv>1k z3a^qV!!_ley@+&x=C~DzA%d1xr|RSAT@)P{Wf`=}bALQpAP;6D*PA(zSN>e?Iiy76 zh#}(2^HF5R;ab|nPV4=%n~gubf3^m5!;iH}WlKLOlrw-L2&(=YXBBt)^MnIy!+=s^ z1NEp}^pDM|X@}02fH(HNDuyq9@=w*7AsSkNN&Ler(CVJ^9?SWyviE4^&+D8!DU!;D zuNIVLe;xGaUW?82EmK|8k!8}o{%btBjF(Cg>g`+KL!m;iNAXLSYVWOd##KA34*h7I^t6Q2!el7Ju??RFJZGb+>!pIg|T_3c>Xpbo{uYSuMx5q7xh4f z-?=`lC9ohDDK*2df&CE0&c+2se~E|uYP%bXv8%@<$)3=h&|o+wvS62%#t%mve0jo4 zV-9H?T_1NCcS>b>Sc;6ib&`zobnN(PKB!nPtIm7UpnRFb9hh zckAdN8D11*2x{az&06GOcZejKmXs4;Tv`(GU#b6_}oKj2b; z+~1y)iL+nRytJeXM?soO`9uP2{QQcsyDLabDE53|j*-OezbT;XfBYp)}${=ZSIKqFLh-oVg-(66(UkWhG!yOL2rv~!i z>L|Q|J0BC#qyi>!KyfS@_*y!5!`ypw;7)YPyRoLuV`d*>@fegYhqiE5<`EDQLs~-Q zH28=lKlT}jH$v`Yj}3E|%L42{FglO>eY2ivB&F=h;TmB#F~4Y96K# z`M^r=I%-Feh@v6jGCj*{Pg3vAq}{H^aEf`|Dxxygcc8a-UcTR$t@A()S2-AsH~Jmt znv604<{J$&lDn`1Gb7Le0DjmeRVvQ%$1Z_Kz>Rm%#sT)zFv~>@WBF57ehzG0`q!PU zi_)L_z9KMZ(@ox_t^$Q@v~vdL^U$U5J=be>c;y?)R{uU3w3>=wH+p>~9MOP5u;jr% zm#e6z(jlf7neIe;F6tWl-oD;@$U)o~&w9u)M(Zm^+|dq3Xj%>-wcRXxI$`vUOm1s} zV%mENjFc54c=b8N+QREn2s8%~jThmS{fQU%k<@GDynJ-W!--~6&;U9LTD6Jp4EU7j z(1hKaa(3|4Ug34=&k5iLwb$Va(isHK0BwR&iVDTS3~_TAG62@J*$gI?;rG-;SqX%~hqvoN|P5Ub(pvAiKhvLQus_aZhz0x8h;|_ zegVJ}4CZ>W|M$bYig&TxU?Qg}F8-G{b%p@m#4>%g8hb%ZzwbtP!Myxv^^Eqvyu|Z& zNv^~(h41<9z?w+DMvG>LMpBm*6@=jCZ3qiMx$APF{DwtJ;@4kfKjf#X7f|Ni7sb;N zKNN)Sk0p?p;cjbdcpB_MnvQJkW*So#dD-c@dTcem*i~L7A-Qw@7lwvI+2OD>Grw>h zL{@2RblJyuS42tCxexOnrl+m-yc=zQh}`UEWGXK9l<{$iAo)lv@3#2#_~X2HFcZbkRieg-r^k|2#RjW0}d- ze`6)vFw)!4M%u5Hx6^eUebK^n+53lu@w75qSJjljOR1{%+Jau4<;rPL)o5e#;!UM! zR|UTDLlf4y4U7-^Il{AXs7F5sYvL)a)=Be@<}GLmhOewfoLKn)uZ%C|BrF^Eu`f#8 zO<6RIWraFD_!L3UxXv0cCn^}6>E0KRxnTkU({aJPm3 zbaf$arViqNx!`Y>^Vq+=`!wfIrzTEwQB2qo`1Sp(WYhUCW8rR=HBmDad$8as4Ia%e zIvD{CWj75;Jz#a7+F5YfYdC7FERcW~d^G$sC*crS22~Or=AL)}GoB)KXGJ~FZp(ys z3PN2c1mwzXBmCc29Wew=EG`ZuFLE30y{NN>m_;(lz7y?3x^L3I5!zL4Ht2-OwbK~l z#|1veFjpS!GxBkE__rh0D#B=89>Sa2f=^ikv9k{Xu_&M8Jp5@G>I>-nj=>kP@bwF28qTI z1XS^o+7!NQw4vcrqGby6a>MV<;6e>Tdxepd&Iw8<&Ty0kl2S$}>@{iQx}MzL>SZ0Y z;4tT2{_nkPJ@%zo&-dN(bI2Nwy$ zOZna*bh*NV8suqipw*Q_NlAfA1`fYtm|WOSF}vS*nB193ya}Zvliha7*ch8`6|4e@BA9tgiEX|JREpe-K1lQBZ#?Wx1nsS9JR z(H#@)cpJ;+;M-A*`DPwL)ff-VT?L#Z9%E(}kI5l>BgIyBm3LMk-= z;34&67V+yX{W6SX&qmfHFcN)q1#Ne8pb)p@DHCfJvx*sZ3hd~F)<$EanCa(L`BSI5t zgtZB!EMLucy6Rt(Bkkr(nwb?;1cYVmD-D`KJ~k z{8NhrNv4aF{gpk4U!7-e8P!RnI&o5Xf9DL zUr+N|9Oa$2H{2`G-*VZf?R+s^>`*L(seFM65569;AP7Dsb-;^|edlbc1oqyv)#K{b zNjEO1mco^(0G)1rfB5S#`8;pyU>1W;|`Pfwa3lvmnMj(i3pq-7g(Sy`%&7^ouePg#oxyy|m|Wj@Yc@2|4A zz~lT?|46^dQg-2tpQC_R4Roj*`K`qN?6NNYB%h;{^%~So9`L6ymI@?d8aH^OpO4<>i+1>qSu4 zU*D6mJ=a9CV@*LyT2?NJu#}ST$1m#2*&{;Jf&KUbh{To#1=&ZTOP4I7!-$LV3j5WO z4kK|SmwizPvU^9?)ROIrtH|Ba#9~Ybc1<-mXOTmEe~fmizw)NvNRI*F*b`D;;=^1N zj`S||$H}d?=Vn%I3eswHhLqxLKM}ns^x9pH+_NcG(}#hI*0TUn&Sw(dd#gNOmy*nW zaqNGSC{OkIz4d0&^I`^AU_`olF3Ib*Q9oh(SIlFU03Ngb%*xyor;B86^C!JPf-sg(2?mH3RXf#i4MNFeS09{qtzT6N^C7AMbBm8{55joT zPGe9`=}r_ue80@9R{3*u=s!M zB(J0lc-chD;1;0wilX+^;Not1N|&!;4Lwqsj~gh&KR}4fO>`q4IG}Uth4#9{U%YDv z$00Ege%??|%L>)dYgk%IgYaxRKjSXb1qG4Qx0bqG6}sAc;W@Fs6Ba=QT5Nu-5mF@H z9sA#UBVNJe6g%S-xbF#-5v2*)5+uPG%;;41CJF+9&9oEAvKSY^Y zjd~)kWt)AulKPqzlcx=K(3s4dZY+E;JWqb`b$_TwLG!C8KKga}sC8KmwGmdyMM?EP z3qJ# zDN6b3$Ilr7*N^q=)nUs{XSDChVY`G%`#RWOpxzvI4%+*f2x z?4io53^*3WEdyZc4n}w{DnmKBlg!{>>?SMnQhvX$1Y*|m!%6u+F)Qw`n1$J!$oe~G z37*HST>c;LFCZm(hCeZ@5cKZLzwQcO6e17F&tn!suG!eXU51Z#cV4(7)P9V*nvBg? zaC7W^l-Ae5R$@nneb$P|jaA9ZbFfbsdL~`rj-1E>EfXM(@}Hz2Fi-%cEJJss?q7aVAye>o^n^w|`1jrJu6KxpNC`(62A5p!QL+D&UE zlPq%)T{s?(dAY9K(O6=-B_s-E#cy<^{52;^$ z;jWpm$RUI4QzM$HEN05(H;XlJ`dJz^eAh1tGg4k*bE8a)C1`%j^IAOJS4)F;0TtZ@ zdI;rxr6uLRDzHXhvsy-EyY!S-785a{${GmnitNfp3p6b+ngBBd+Jvzlgn1#8=xMKx zx{)8Sn2n1chXt{1$%E1)oPMaqf99+rdf|Nke*=bufZQ=JQx}nUP6Lt%o5CNs9cu1; zq*({())@>q2)Ym;KtIqZ%Q15g&tXM9ilNAkkHkd4RG?TyFeR`}vsmhD%7FRE)|IPs zK6jx}Ew{DGKb&~*bd&YVp;K>uP5Zm+elz>)!ke~C!Ws|Dtf)d=g{MYD@rbEGV|ZX1 zTM9tqf{>?b3>^o}y@PXeVVEwAO`8ycp5U8c8FZ|4*|7qNoq4SBy@TpJz?lxQrwIVK zSx!HBAKw1Hq+Bo*M#QPjs^o?d0nSb_2^-!3WG=`|cF%`d=8peK&b`z+6C-U>z85g`k%}FztZ4sWx|x(&rpemmWZee=$1SHbw^jDpv~!( zJ&C_Mud=*z;cDmx&vkuP5|*R2wh(Vt)z@;HI}tCBpF~UgZz7SF4|-wF0t`&hNR_l} zk=#|gPZYxPli!$leSlEe7{dTqU^g$UC)gRFIUm#iw?)w$^9Kam!G0WpP}5Wj1-gA&V_b}J@?&I!^1?%- z1=^K+3o4~(Jt2cM`cw@Hyh0%<(LW2eZvzsIdGh%>tqEnk`Erx-6}>y!?}{RV1fUMz zltRyfsE!SFs8I9~xUlA2;J{@<(gSae&G<~i=XNveKv~*ksb?7)4P}#X)Kk42>U?bh z>9!0k*IJf$j76&VBZ`3mbS#+M#9-Iu zVAi9q+^Q?2{o3Qo7c35yx{*|`NQCs>-y^$Y!F{kbJ$?-kNfeU`vE&);Z?J5yxbl~u zMKa;}sEv6JHuTT@^)P>NnvZ+AZKq9y{Y!lRr#11EI3)0eZ=;yN8}mM#KjlI3VNHah z>We%YHJb4|X_hxxas0lL1%0Xxt`nL=^g%&V^#WM)2veye+NC5B2YZ?&{Vio5|}kMY^xR@J3dDU{j|s3(oSC#ar3ty*{ET@+)TGJ30MOE{?Whb8PB8LVrcVvVd(&Q zfIS|r7`lulV2?XA8teG{Y6ZZ&UnH$Et&quv+OIJUYx78!Y8>jK9%e`QJ!?a7QH7$c zbiPV99jz%L1)2_@z9<<}ZCa1tL&T}Dm`(NS7-JxEZm+#W8TTeog`Vy5uc=QaI=l+3 zbj*snN=DwvCs56^i5XhbAi3EuI}n%9E68S~H9uhO$RfO=bp^`S$Se=Ej>Da%@QG|C zSFU)lv@(A%94i>rDQM)&J7H&E&Q@Dfj9ZMMQ597=0wz)Ik-I?EVWzeGDXp|r*6Bw* zt$>~8^Hf5^xgP&C3E3+Z#VmFk`u1LbMY{isNBuLV0T^2vDWC@krU6M~Cv|qZ(&#SF ziz{H1+LK;U6NMtgS^1~dgEn{?<8k#uqz*^rOU>FO=rPr=hGU(o=mfLV3e{5Fp#}23 zP?M$YrFhgc^-$_p4y+{Un}T;xa8z`rvs$SrKo<4>#4%xO%=@vGf>&tf)0h&7+}!)N zWE8fU@jkxBOBFwt`i9Pd_#P~29R>T;UQPALZ+H~xQf|zpY+Qbgl1vh zxK@HG&DyDt+Nd7BH4xVn8PoV^`Gvd>Ltw0rG@KPQ_1g;fWJsz$^Wv0iUt! zpJ)C}w);Q5-+$Z^`BzW6?MR4YY~});LVcd%J3ZC?ai*?FhfhXGDoys~6+V{$>18}T zf*SpfJb{P@8{fhw9_M}k-X!oi=kxR82jdz>#l*r7s<{~2pQ|Y631nquRj4L%Xu5p* z;S+b}yRz)z`D@W+&}*>gjzz}t9gnJ~8E?IQcs)I7xRnMX&FDd;H(v`}iG|kirN4f9 z(jum?Lr_Z~!Ml@QO)M=5Y2~G$m#FWi`%Vsp3}WKsT!JTKFQJdK5{0dM!E!%8T@H1P zmxF7}85t$t-0Y?mx%mRPJ0cV28lTweaI_=j*VDS09B<42syq2w*ylL)yueo+A0G8qw?>Qb`q)9(aJ&>=JM$r7g?l!G8hRGV z8mepbVE>*@s-J_@{%?OUyS`3^1TYnuHh3fa$(oC0uW&nA?*M)h#tMu<$ztPs?V^YqfWja^I5YhA>UO^ zuOdM%S=bXx_K^2#cS2KZJ&eOsxuVT#RG)Rx9QFti%Hp4g1ix+?sdnL|V8>dOY8l+$ z>gIcO?F~9(FYEV^sP4TqXWab&(rVOvemxzv|4b~ma{j?{v_+B(3-IBYVvRRrfjugM zKvgf@#>>=`_}5YSVBh^*s5R|-89~1u-b-~eKc-OnSNI4At4<~SU0wHD(auIIWZJjY z&W)qs{aCQ{e_|SS0;5D?+)u009p0n#v&chmGT+Yqn=OJCB(D6MvDH<$vNmdqR)Qu} zpF^AQgnC8GLqQW9$4u*k$vs{@mkNMc!*A;3K#SgiU8x9$#tA2vQ$X*sE)m7mqdyTg zdG5eYdE@pta1KZ0)PZhi>bA3lLwp$?QmZ>2&bNRoh&nUDGO>ZN#a!hS zo=-=UWWY1w5ts7v_kMCyTFX!5QEx_D|0MpZnu2MI0$Usko=wD9oj5Nb!O#sxwILr8 z|Bem^n-*2(-tBu%{;!(g9%O1W%0Y#JgdoMKYZw@F$ve78D3q4 zdFdX-a{K3nk~Q@Pv4VU*-riXtu?PjXYO{6(tNz3UF=f0U+NpKhNGvkbx&Kb#n>;>< zYCTR9tIZ5J)BoqMEB2IEK=ZPVJdhLWdOCBSdw6s8ViPUGWX&WYWYUCC$HU;DSQ9>( z?^KyPdYG=_%<8IOxO83r^5Dy%ESBFX-+TLivHq(?~Ym?~}|l(fls#s|F@w#N%| zw`=A0%C#EpYI5L;(N@<`NbIk)?$goWYQz5$Q$-o7%AwH8fxCZ`Ja;D?$re5u%7i^s z>JEird%}SmpaOF4Ct(Bu)OT>vB5yUoahVChELV3dL(2+_)YZf8;8t0Fi_@CP3O?F;va@7Za*pw`RiLG z6wEVUZ_|Njpsfr~U31v{;qzHL1hR$wWFkN9x_tQX(W&>EZX>H_ywx0+D$Jzf3fc%U7B7n9=A37I&KH5hP3hmZ?WS@!Q zMmaWhC`H2-mLDnraiIGrP54qv^mmVWdX!-@=I4X+3QnK%4iZ^rHAhQZV*z>vpv3bH#FyXr7B)CLE5e_LAK6> zRl=?vEsaQH6M1(#(0*r+ z$pz{;mgu2P+Hti75vK*-?K#iEM~F((2m`_CT)kze1n4dgO5zs(yD5u7NfrM?Fm9ut zBmzV_XqJ?2R&E)hGz`Ds$x%`$UBe3RftazB7Jz>5Rpd?HHwuIGNM3GEMdO?!i=#I ze`oq5DMkRi5Ea=qQKG9{eBn_tvZ$tuwCz-_tF4)x1h*}sZ$)v?1t^}u6%f50B~5MC zYv8V*$SmD;5a`e8`G_$N>Rl%ln{#}Elp%lnMb5xfx`oIyAP%N^abIHVvCk@}kG-ur za%#S1V!GOzcUel|c^&=aTL_XtpxE6w$9gW5@WA@_`t>~Tojf53Cnx^~TurDoG&TT0>b81e#>UW|Ywzz^w*bA|`C zTc#w4nqACCO(nK~D` zaPzwa%HXb6pyW8S`y+McsLi}i4}$ai%U-_1*mu4*az0a0OP2r7D=V7-YsM7k&a#K#+$*zkin2F)WBvsx334Qi3}TP*fse$aDbE-QOD1^!{+0M8zcQHR-SQ< zWb`^(Tvq|n>GwmTQ=R!?947ijjJOb};gc7cpKkXuN`mJfhWO6pD%5bdNx$ok3DhJ1 zWA^seeI}0E2oH==E&RMAOrf{Cqr}7U;xUzWbUa=ZhPcP}9%<{L#Z`!Zs>4(ld+kV% z0n6*YHroLt<18kO5RT~ei`U%E_0!ohrU5VhpxJ8d8%Y5hMS^D6;s^^afPcXN)!EP} z)7>9OF?c>kUMDWNCoyVKSn>bdXc>AB ztQAXyBXjEzEJ5Ud|3eK2Mv#QyP>{6g_76$;6nC)XI2(9&vL0Ns6i9d*vtcTRV^+tX zfl?n4z^Z1qDn1^O$!Ctb4~2Vt81=%}_fwQH@D30U%>ffS-s=D0JU|_)(JiX$Fa9j? zsAH`Up&4M+yOzxS-%qEv2r0$rNH7&PEaavBX=Qh*RLUgo}HoMSf@8idl95w%_vha?az`K*%*RY6TiAv1(>Ed5Y%CcpGp=VO z4M637zxI~1o+x#NpZ6)xPEIBZuSQGE&el7#n?A4RjQguP6|?PSs&4D{MydQ}tPFAQ zkl*XnruJ;!OSylvgB-qFTE9*&2>Q&qcixe%OL=ClbPI~tqvt-iX4kOARts*!HTaXg zDr7f~RXTp{HU@zV7xse$=ofdYHC1SgAt`_+@r$QPZBHIN6Y?lEZ zY5~maTyvW=3d(qb0xz6&%V*aZ>a6V9ulDiF>53@-_Qa6ywewly!qsn4@Z#rlBYeP6 zF_BzYw4)FvhVbg32)K~pGibwufHQ6zcvv$L_>YX`y5fpcMg zT8_puI^o&U5v?1k;Q1nm!$EbO9Z`JPpYBt~_t?&pDXy9B5WC668YLKl@0Y)uOGiTu zzo+0f5XIC^ML{-tLCFJ0Ya!YbKF1dcXZJ-RPi)D3@yqx1MX%Kv` zZ`)6FB*H6-8L_NufqcXG5{TDmDFRdofhMj$4lw)Ur~mbviF38BW3pyyNxIg@qmF6S21H2jpHXix&)ak6R@iZ#E}F-j>^B~qo~P_9iJ&_T$?PILv8&!7 zDQGlWWfwBV5=o=2_3KX~ftYpUUJWPJ08Lmcc8ym@1axh1KH3E?W+HY>`o|?|r9M`1AtxWcQ@{l%Ov@?Lkho)?gVPZLbGtZhf0(F~@(hqL$>2z@k zw4e5Cwv5a<_Ao77!B)bby^1AnTbi~mBXynv4Lt(SPX%UdD8(WG$;|8H0(OejKd2$Z z>9aF*lyB3TgqQWiqigWyjOw{fnX;yB92c95e(y@<0!an}wDyrWuC zgkGu|bC|-kGV%ch)MK||fJbUKuHCK){f3Z;@x!1K1>7#>T^1Q57QR$NqUIJM0gWH|l4k>!iL)oblf*1UBith*4*dD7T%Aoy;vR8reWr_q#3mKsvd8fA7NO)bZ0q{-NJzHjP_9V zePTW$Hqu6&<#%#TQD`}u4*{A6ZZs}3kuo^N{DswSfnEn~@Q(h)msL4~HV1j|0kcpn!F^Ta%YOj9M*UsR?I=`LCdH>XhB3 z-g;wwBbY30(_BJ`Q|hYVeRZy5*Bzd6-Pz`9xBB&R?$A_z?#sQX3qkW)MKn9k=h1pB zPA}CB{japf?=w4nLk_}23loE1L?>|ZPpqnMyz4bKGOxEX-{Va7evsf)y|G40y(oS2 zOf!6{F0!+gD2Ihvwu?6Z7W~px9j+44WStCI%`tEmPU*B^Y zT?g@jbaT(E9fM4gmLRTIkboLF~nt#Z$uDQOMdhv#(zMGBsUyj2oK zH=LuB`AgxIFUIW-=Zr@)DGenzGJRWS+-7XoT$(L3--nF-7?uwG;$8NrlF~VP`%l!f?Vii~Oyxn3^pxTMrHol7aO$C)zmch(^ zyTSy~Y%B!XOm6`C(bbi(g@^GpACK^Ln>benXI##1G$b|en&R@itG;X)Yn_aO%Wx8W zKI42`tmFJ@tC6V^dL;SsTV&kji8hUBSnGLet0UmE^Y*sO-bQu(6VuBH-z!abF!-Br zyg^KF{N9+^Nai?%T%&J>1qB>8uExr@b1ayi<8$4_CN%{NZaf{2Y)@sZJbM5*oFA@5 zp3w|nw_NTsz*M%WF)k`SLT-AnYrc}4{%U-w{RxDia+lQ6^b>1RPp2IWJ7CCU`)EGb zFV_$87ujQ%wtZCn_XZEZYs4eFMH$N!M~Z8dOGL9T2e2s&5R%hA?qX$x3y8Yj&74J{ z;}o#09_8|-0t!nj?8S+-pD_V(%3Ts{BH$b`i!$slaZp&kpZffqLpk(;J{B?@tm&9w z0M;OFbg?&fnvJ8z76QBfG?$AbPN4|ZU)3%X#)r+5!Tyj4_zIYO2+9?^Cz5D7D$RpM zJ!Z-aB$nk7$;DS>NnuOEukTd#u1|nDVK@w8A#enWqouv`!2fj}^HVX&yd1f}+cMX^ z{(LVX4t~%kgTg^qoV%nM1OyPE_oTV?`lsgXwyAsF*mc;Dy7hSAphKG%q;2E-=Eqjn zU$0TWUOLas&YikBZ|tqt9I^vX&-FHx$EdpEg1F^E_Xb96ZkFX+5njb4{y= zwooHQ;co=Nj=!Q_@EhF4#aVrlXQ#p|;C24=V%B+xbZP-K3YjB>q5SNq@>EmO+IltT zRPGSf*kw0+*SH>y+hc8B{~@0TmDyk6Yt}AG#1J)d!)9Ze$#yhuoMvom>p^(% z`6`r#hs$TxeY<5ZBMX5a=xVK0;8bgTYMk*{dd$(O6}FRY{>K_vT-QqFeA3!}7f|_9 zXz$c@4##%Dg#b%+;x>Bdq4NW|+QL45FE|eHhvA3^CbUYW3}f4n_-=;;{#$%TTU1X| z$IGtl-0bv({(jvwxvZ%EEK=`^r38LN*4(uROO6=as?8WK1VJ(1=q&jzCII!sZR;hF zuty>^TI>kJtN_Om^itRWUuF~dv;%2JP~&6-3>49u%fNCRh%V+i3Qi-o}5*PZIg zBOOq9U!1qXS^{b^lMfpoIr5efO0^mbvlO39fSo_$fn!(8Tud*rC_Yb7$B0qphToT` z>&b01$!M45n4i9X?>1#DBPI`zqZ=lPW#M>@j;FQ@jNw^)wal3T(zu_L&)cBjk4KEL zI+ly6r|*cgoY*DZ5y+S|p~(Dr=aBQ7c`gZr7v;5AD_U;0SsJrHgJF za{6+kUJ0)I1*B1T*w0OmF%x-|F?gb2f;DCjbxC%~@49eml!7PjzOAYJUWD%5sW-m| zXFqDpkSBcCULkc2aAdlV%#yq+@uLN_PPPRFsD)UE-j0=pLr#2lbQY|nMAzcg7z?O7 zO=xV0aidS#X{1{QUqTGIS!cQ3WmYy9OdtOpcNgam z^ac%WG>#Ij;U7EOo)So08hjkg>k2<9QhwQDv$5kzJxu;`HF_{P=cn8>4sf$be%*Gp zm3eJxjK6r{KJ8KZGF16wSE_MDNqo1P&2zQ?5|J%lbWnSJF>yUrW+&+i_PvcWT~QJQ z5&Z!2m!t3AiDYJy>)Z1DyT^o4l^{3lvTd($T9UnOeUeX-n z5}CDLozCES8%@w|XK>|j{2{Gu&@%A^05L#TQv6-2bA#K_Oq6FfmwHd%)kSewMi4&W zl=EiHkrb+;on;L#8@!ibU_=Z&R{Z^gJ-dzxRp)m{NFkS0V=JbVJl z#F7`QeI+Z(jqP;+eY`97)tY?MKe9omhQNaT3N~Wd67PNqWd}Z~R^YA6)p7c5cls0W zb6hWx@5{Cc?Z)B?+!D^`Q(Nv()NRLzqm~Kv<+eHqIp(+;M;_i5ZVHW3z_KV{6QFB) zo^7P?pw=l50rJotZJay#*t_}1>H_WPAR-C7nTO)GB&a)m0o+1#@62N4>FZo^nBDHZ zW;1#y2INs&eFR#fZrFlGt%j$AMI$ql9D1qF+2TFYlN*YGqji zb}zGvwLPA<{hfHceI75&BO2r}XYUC3o@|fNC?d<6IRA)Q8Bzd9MBc>QY2}Th`vL~H zb}YQ)D$7*^Ku0)z$%HqX{KCa48dS@FD^=jZxcJd`?VvEVVa%m=Z&q*iH%Z-yyRhK? zTCq;$_>m3D$*f@u<~{c%VgFj#-qn5Xl;P|$2ucdHRa0k1ex}0f=6B3il|$O zZ!0ci_hDdCqQdidu>8@;%gP`hZ;zvTs3jpPZz z4KceYUg0T5(2w`Bl`nEOSizjbT|0fA+gj{RIN$4?0%grqRPie)T zd<+EMx6cOc5tUuOn_q)!1YYZ8_*hKoUdgw9YHtuNur9cD{D0RQBM1^%UIF|4IJE2s zLjT{m^a~H*8c}kiz52OubG4w16PV<~BIny99iEL#Ce(JdW^ldMjZ3sT<7)=T1^!S& z*?f+3prjKJ+}Vxc05)-?|EunzN}dJZ>Qcd%+hEsLc6`NGrUP7$P2V5E`)J?@|99+hdMPAZ-4Jr&zg^v*4x^e1{K)8 z)}oYL>ZMANg!HPjq8})T1gIKfI#)`#8`m_isi25u4$zmP=1E9xP5c{gPUWpT&~`AX2WgQ>-OBHM)&Gw^g*7|%&Tp&PG{?UqEv4~+)r(8&V6nlaZ+hL zTSrLs`^(Ew#VNk^)5#6sEOx23af|u!BoDWKlTg~1H{R5>NnF}@CHJZ)^!G&%Je34LY ze3zZ>$N8gneHR?4!THUY!BxWKoX*09M$d9W;r?sfA>6F{23?`R6CAB#IT8P@YbKuW zt)_={uuqhtGYJyfbrt1(_yxrx|0X2}UauLM!MB?egBw?&YW}cVCiu+waLsUcysF-u zYr~zfPA}av&yx>+g)>7nyD#1DD$N!6uIcUKqp`4~lp!JNQBQjapS1a3-?p7Zf_s3>OaxCdp-WuuncJvEL6oI?PHuYDG`D8i%GjRo#n(NyA?)VP z%%cnrssRfcVDjC}LT7Szs8YkrmR%EP-GUQu@T*t+He4aY4TAKZ>=sEpWn6y$X1&gl zDTERnsO0A~TQ9~E&%nNRgPKcg*l9!i%eL>s%!ZESMmdA=ttNTPY|fG5X@hvbc8{oJ zK}`<-!{LCbt+djjvxUUGQIRp*8QW>8({C%Q+2)FK=2sWiaXiIF?G%QA)kHc5}W4r7iCkcP&5bYnCrxvZHlK`6U|=DRC+f%ui|)SQ@MP> zRq2>^V)|1QCxfP0*WjVGyMF2;&eQMHJUQ~+_`_M=z0jl=_5Z%w%nS6WBPH-SZrgX@ zN?D6N9_KSL4%vMN2E<}ffFsVt!`X!PMe}mmN%r;--tc>lL~6S2j+|uIy($+0Q^(EE za>=3am^JA{YL^)0t~n-!3bWw3osvJur)kg+Up%#bJxBLZfg0eSKfigVQ&#@e{4lZGl@2R({SpXOzK;yC;jW2TP;G%+8M@2 zVHa{Od#84nb3wBjIzw(}yqC>hy#_<|MjceOW@}Don+JAi#RZST%^d5Ay5=)@XF7Jf z_970)T;?73D9V-lpAaR8?;%$jr|WWu|A zXBQK#Fq&MWR>`&g2h>Xan;_|JSJzDgJFW$Z?&|ES%Hg)$NrbpO?6Cy%j{r3iPXdsf zBxgDxIKj^*Q{jb(9E$V@yOgzFe?0qF4wvSl8Rv0J4?GUzGIxcDvx9{~qDCL=qu7-< zFCLewtdlrVXV$R^lrc&<4YYeCSrFE}NwNL{f&5MtEaQ5ghw2K0;xcShb8kkvhgu7I z)FyH3P@CikyZEAh5)xi@5$n7Bky@hXrrro<&sMynTCi+gM(hRtZVv1pZUWR6;+YTl zQ|)xSIye|j!#G_tX*3NCJeC4kt#xnmUS+!^mYcQYstYTJcEomK%%I_*tH=7^7k3s<%|%w|jJO7p z>w+g)nog&!J3OKt`6YewT8(Xbx71AmF{OwPzeuOtOX3jxMAj=%V<{z-Jg)7qKZFO+ zD=<%qIhiBDJ<2_rloec->!>P1S18tv!t#H=A#O1I-LC70p#2~s$I$nz#x`%zSlDd@ z13q)i+24EyV>>veY^+}Mdi*4Lnn}V?`Hv~bA$N^c9HLbi?ZXrm)d-vX=!Rd=Z&RJ9 z9dNtGyOX8!D}@ixh53SXFe7{Rv+;rhf7%?rnwt)A7Dsu1#{n)a_wOWCerwcO8TgjE zQkBE+a2sIR;d9-%s`<5t1MD%dZAEYG zGfr?zdOhTCUs|b-ajVjyWXh`)9SV5VG#z`-(3cb1ahc5nTIiqaAE({KdR0G*@5QUK z`)H=vw0l8-*;#96_2Xe%fW=m1#bF!ARpUtI!fD)*)_CfqvslFakgR(}ZJT*V>#uw_ zy~-SU^xkCfOE&g%bygSj{8>xwi&L|`t9xZ0Qk+(lN4mtE^p#?ok&)t_D&XYBfC21M>1WJsyD;w#9Rwo5C`MA{?Ay}n24C9AnO`_zV<%O~2QI8!IqOI}dahVVaf@@V}A0A(PT zB^xA?=G4z&6opS0^4~)-fdT?7{RkcGsu647dDF%(j`PFlb#lAu&u3jXK!D-$I$;fQ zEJG8en~e7)_b?f=OcN@M#xpl;CZD_v%Xg0kv2*%c<6>2>LdIZ{Cy!S@0atBJoi>Xu zK^l?EE{v6f)?eJ=(GK7w#d4GHPv_qL8%Zn0;{TZFQ7lJaf?i4uej9o1vdm8>$~WG# z(I(ncl&n0!DyV}3HD&oD(uupV((~mjhmVXlV5+qF%BoBau$JoIX$A>; z=gYm?%rx#e()ZLSVcYk9{X6bzf2~iA3~-=!f?cDdHd=5|Vof9p8kMUk7;*5^pUqpo zV#tn;4yG*^wIWK`CUPTi-)-8m0KnQCWqA$-)#fyS1)GTzk z^uS=_$ie*kI90MU0wBMjP~(1uffC-mP9ijVQww>YRbX;?zH(VVeiqw(C%@^tMTf-S{n%3AUG1EDr30w3O z6!Y^Z{q@lGe1hW?CT-^ZpdbABrzoRO?E?zkjNZur5T}=Ba_Z+kP+a}Nvge+*rh{3 z_>S^LUY-0^o0DZvkEfgc{mPoFaP&gWb+_H4f?=moanRsHvzGf*lYo5*gibM>BSsA$ zpq(H*{iBavrlAy7{l{L9w3&g)mhQr1=AU@CG%!%1M}9GF&xqAt)bNKp?5YWVsblp( z_jD?w`PSGJ0$SG~l#j5<%a48XLi&`2_|Yo`AW5*Q_|#R2 zd0#&LgYS(Jb25%Hy<>2mV1t=vGp(|PFg%F041TRGjBxsH_%^=X;Rvubit*39#VIJV z94B%xCWosna+^q41e+^lZ!7v3OB81Vs)o@Lk?pdSf^4~Ul%+i*DkAMg!?8x^OR5=s zF+~+0tvMCD9_emTMsgu4ucA1SylH^3r)IX_-!>KiDEdS`i>Pc|`&Je}2~0VBoyQ-w zuTe;^FPX7hcrd3Vyua9;c-1ZHw2;0ew-}S~eYS)1&1^*wv*UoYM!hS@k-Ze&Uv|^+ zK*Fc&t$m+n`6~L@>R4rfwTDo%Y7;HjL~soqzzD>{GC(~&`(PP z<7%c?IfVHmyeEm7Qx&IG=;`V2dr&=$x!?C>J@q&_p(PPQ zvu%UU(F`qIaSDfS*XJ7pDb^KVS#YWVkDnt2@T)C{4`C;x#BfLEMTl7Ma`mG|Lz9!w z>2bHUb%(oSmQA@W+!%mfVqD~lUFWrT6-{NE2@@XvF{BREz;1r2$MlzB!2NFs z$52R{u)N!d)fL1_1(Cl0l~2IB{z8aN;LC7=62FSj0chE)^lJF>4Q-gT&BMt-ZEAj7 zraVL?YnNue4bj$s+46&=SM#LHKFcP&$K7v;4#ehV@2Za)Gzme0-p{xv{oB$9ID3x| zK5esXl|z15{K?iB(LMY1K}hqq7Vs6{3#VcAA&Khv2Z{@VUD{SJ8-!}qa$t*FCe6n& zn(S2_(;TLljF)Mw9^=^{Xs9vE_joT}`Z; z;xxYiZy{%sKVZL1y4+BaYQZj338MP(gDl2WYO72S7>+2!%IGMtfpo39HsDSa?9-Vd z!}_V{S~@Qd5c~NMDWZfl#M0I-rEM4ShA;VlnWSYcdj%Ped|>e%-(xx8F078?kD22K zf2G+NU;X*Y?l+;MMN<(M^OhNGOr__I(^vCRn0iBO={Qm}jXN6+BN{nML%H(U>lUG2<>OcK?T0E$np2MA z*eCCl7tuw%07g-|Uop71W_UR5U3-+>6eeY7N{$D96~p3QG8=PuZ`5S=Za;_~5@OWr z>eL!-xvU}tEwHTme$nTwo&=^EgDrW1p8M#^K*gYAo22*c*Nrkhrr|6A*AeITD_e>c zo;Et1_&*c;JVq@*Z=`t_<7Ht^NVmCmbs zkIQlddep={B~Zx(7z#T#*hO7U_ffv;vtqZ*{Np(Gg6I3psms_mqGb{$+6;yxUy zZ2NK2(mpvAuvx}keuC#gkwq$bwZ8I$4Mrxe4+8e8n3S6 z7hqU6uRX&1V4AKQ2~-H}#k9cm8Mxw%I{w>kXV$_yg@0-VR;SeY{{B){)%e@Wbyo7K z=#`sM$v=?RzH*v74;zzBY_`$Yxd+e=l)lP;$n4WNzG1<;jC*I7unyJZtcJb&i1Z=& zvQZ+%oK%f^Uz}kUp4{Lbt^Q$zls#|w!&B?7bVx&X3x-mz3v|8fHsFQtyBaF(9UI0V zj0a7ABC|ze90)zMWhSnySn`v}JZ4!vieuc3b~O%qDDQ?%5L}~~y5F8a?McZYx@^d< zuoc4V#%af`mh$}`hrc#?5R2*iz*_vz%7K1Se76cQ$a&O*aA;F9`1iGFDkyA3oz^=x zXu;)1?E-b@v(9-eQQy1 z%*TXiobZoXi-;iDsOUjB+4#y9`UML&_E_4gOZr5*zkrD0GhjT=5pKwOwLaJO}T4r4vw+ zi@_UrE9Aq*KIx%WbBS7B-6c=G&GpJ>TP@S7%jiL7pjcylVznXOqMzbz?&B;K?OS4;(L3C^l0XYP(q$)rJ2X14Q@R-J|FUhF`n`2 zANLWogI@N`NIJBu;_|@L0c!e+<=!YtOP5FV>>N(7BZ(I2Tn$_ae37BZ=XjF<)qrL( z*Xv+ls9TIhK*FVg&O1%O5nKli!WWy(Jpq-u)+4e}Ht)2f=_i;}HG&(ux?>LgGD|>l zLNq5r@eYHhu4mhuI|mFbVgkVQqsA!)1BeZcNQ`p&I^AYEgkm5hg=<+%yWr2Fy&s)6 z2_Z_%=Ba8@b%Nv_##G@EoeuAW<9=9m?Fsv}X{*m(IYl5u`zn?|oO<_m?@~}o; zv5Hb-W7XLCOk(wChKvNlBeUYM^-2oD&zjQn=J+>fsa~C4RUs`zCD>=T(>NeU8 zFE3`Ap|WKYc%g4s@vmnO@%!-0l2&5#0jQ4ef)y_D;aL_NH>$nFZ-hJ_qzkb zUp#;F(_jU%{q!X5Is*MEU9F8KO7+5aUz|BLo2@6wG<9VbCH}F={@2T`o-s2V;IDUD zguD{52_xX>L+dO$t+)QNN?m(`s1_H<&6xCLGt?R6el=E(-^Chs!l1;G0ry3Gzk&Sf zPZmcCZS!RbR*QBH&R`uOtn`8 zknh%`Hy>WdVOGCPb3HUu^GP~XF>xaSCY7z7rPegHY5}D8^ON81EoyxMFP?1s2g4Fy z7)2NX)_>M@td^O6(Pxgdpwj-5O+6pjbsKz2pqJFeO=9nqq4V43hqg&2W$*Yjt zewiMqMe-1+uu~Ur6E&8?2peszc#sy)Y$tPA9`|{q2VC%Fw=~rBBx3h5SsaRb{z#e) z5g;xgils{88;EM;e*4;1>UT(h0>VTk^s_o>R>`5;-$6?5_|74ob(j(Hq^efw?Pn_g z5D?Fq+LOZ+3U7u z4wlHg53lWJ=+tI;%Ub^GUCrINaZVJwR+{}LLU)Vy+OO}{+wHs*{y4mlV>j2EbNzAA z6$F59soSmh)1nCghic))AI5Xe%3e8{3Og^zekNQ`;nPt+*-Z*z94%Fh&W`ZDTR|zp z<_>uAad(jnrWHrKRwP_~V<&htl7a(t229EfyjL+-tJ&;-l3F&YBx)S@hVl5RvVj}0zZbG!1P5u|LbXW0f8+| zml0OS!_tuK(xYD|ev;lePaIQo^S8a?Jhy4IPgm#;;|ZrjA%_1*U))~twI4`aF^aUN z^cRWYkd7-Npo+bpA2#?(F|u43DY*Ug;Fas-C#|smw8=99p&P@pP_-J>b`eRIKj5~( zW1#EUF=`tyChE@go`kHWzhb}smVc%4&{`s*{LxT2f5f^l`b5Xgn=;C0x2|vwO=((g z{Cak;X0DU_!8+@Omj77%?`;|P4AE};Q95+U^V*DJ&9A}3P>v??j{EWp{ zQBCbXy>d6z9S7DsXE*fWEk`gkODsqPPD)gn7wZ1`iBhQYiW=1 z^l$z+*<_lqjE#BaYF zgP)0r%!a;t{+z1R_t&VR9$=_1JmB#;iX-KFFh*wdw6+Frw}B_t*H!$qVCQ7AOfI9> zOU;?YME&cN6_eFYP(I*DgEW|T4=$I%{;^T>(Ui$r&BO;{lb%?!&%T8?{CW$jdZxVB zr}jQR+v9L<`DU_1X#B*7MZ(+bwd1%DA@g(zug{je(H`y9=(u(1)L&uRDCMJW{MCY6 zkcM%^m)ZrUnlUjwqpKpd7QcQof4VR_jIGVEoVZFbFPZ3{8*taK)Zo{qF>UJA3UakM zeQ_)Ho9z1K$A z)^As(n4@28>%5*7CB9QlHDth#Iet@SfG^|O*q*%2%een;gJq@CqgE6Er2EB!)lH=k z8|0{sYbw)&itG~}9Q78}7s14gQVCf3Ot?sFhghz5!(wDxYL(=mFQZLlLDaO{m4kvx zAx1iEd`mTDB>WI4eJpBkJB5~DZbHe_)DpnkPy7ih?51Q1y=DTCO0rLT9|vmWJM8?7 zmc^dLF;FsdggS6^>*(NRdi;>*K!wG_@-ZvN#1A4(3_~Y$a5;XhCjd|G8%2*Kg=8}4 zVoj!xQE~A6)jNVbVIybaelpPZ%(@v26liXSq+HX9!I;*s9SxGF@T~kKq^xG9L&l^_S zbO`P3!~@t=tsgAj5*{3&s?}B5ds=n>yx@`&5X8atF?>|vZ+*WrESqx&t_*Et-W;o^yF{ z?YtKpu=msV{@R%&cfZlFvy)bIJw{K`BrbV$ND^Hc>zmR?Y>np7aEsyRgq@pol=k1x zUw-Df(TU$kk;`ZObPJ5pTh&SlG z|4j4pHFa+LYuaAIvCS5_|zzEsui5mRCH3WUO|Npe*LNof(-8HwiW{eJMhvY7v~ zt!9PNOtsU?l);)Cq&?niD<|WC=X>4vJi{Sps7d#NVx{u7tAm^C14)vCj2|2eidNYz z?$3Nv#mc?k3IMI3}`r(RPFgfw2zoh4hzk^cVhZRXE^!Ne5$IMX9A>h8R zd#@~3yDDY!uSb0!EZ-vMA#+j>bYCm5lRXdM8{NuGEQ_4`?f-!SFEt^Yn|1r)p1^qo z+^Rh5cb%yH2dw0UV)b0FRp_pn(QTQkg5jQ5A)~d<)a}dsa_~XX#Li!YPei`UGvYyHBvi_jKe4^SmQfGV5AmOE6Sr0<}@bBvE>xReAzK6%f zfGR9Uy&6kYq)M42TB{Sb;kI!dt7kS{-S|{L(7Z%+`b^n-d^XM6Spe$kHZw7XZ##K$ z2N$rt>~47Moc*fc$BPrPX*9=9PJWKQY|Pki(Nm{= z^j0S-ta||M-M2sUy!`j{yQ`vSZmLX$BL|_i#FZA;Z>11_ni4Ut0CF#qV~;uSv}YGa zc3$Ykg75gh34r6*xZ!@->-{ZQ33%2PaRb=|!a*sBnCnw^fSFPRg?Ycvw{dF zgm8+&sJA1+=i3b{$=hTTaHEW8w7*-~Q?u?6>AfqUyVddiSpCgx|Mz8ze4*tB;T5b5 z?Il$X0|tn?5E9w(fbS7EcmKZmt3mbDOqQ;jyzyydA9k@6gHtij(y!BlHCKrs$`;b!D@-^z)T}p#3<7Exn zd~gq04un7GJ^&o!hLE8DZBqYJg>0{p*JmP*a0CS!#&IXuzMcFnQhU!*Q#7-?DPRL% z7@Rl#np(LhuphH<-8qNqux|`XimIaKMxNPf!S`>x7NLvcH>n=lSoQX=UzFcnyI$W~ zEPx%6&t=oJHr#C+g!wdnWzGy{gHiLj^lSaOUzxtR2Dyy3q-j4yI-}du)A61dNU>2$ zv5}oVtO0?+wff(RVLP!h+LGz?m{3tJ^sqw~H_Zd5>thYc8`A>B4`dM~hmdEeHJ2p1 zQ~TP~Y`l*heP1E*c0YvZ8_#C^_ZU!Taq;72PK8Myl%C#+>q%D_1|(p$D^|^0`69%r z-HftqVxH&+|6q~3tmf2Y%yb>smTO706f6wstxlF^_FT>7q_iToL8gQVvYP|zyQ|hF z)VS05z=(iKkWjjq7!kGCo+~d^b^jYGg8;Q2NvTv()TH^{%qG*0McWO}laGGE-l1PS zYTWKL$58@%ADrf8)A|Kn{mM$D(CZD@)aNh9f*RVlctEM;&_h6Z%;k#(`$ai48@mSp z-)#~n(f!#{sR$FpnS|oOXO}k1Wqr2r$<=Nm%jpQt!(@D5)g;v3_i~0c%=91qdVv4m0 zPAcXoy4|Ax#o1d&McKaJqYquuDK&Jr(lIC^C>_!;($Xae(p}Q2l%lkB3(`4sNK1z_ zLk>ushxh$_zi0h&t#kgG#iC~2>zRFD*S_}N*Efz_$nvmlG*<%2&E_7Gfewf1S{{ZRfxj{oLpT|z!1?<wY^_9ae2`%UJOw(H3 zy$@gf=rqnqR^N|!NNlFxu%Up`CxzP*ZE_t;2uWN|m&@}|aOst+C#;U6;M-Z2QbAPl9e; z-fp3&1w>H3=dAix*K-PyM%#{^=Tg4~_A%*YUx^HvzqbGNRv#Vw$F8U-hr&>iF|j8h z-GUV8X7{7xSDp5_5rtdw786#c*%Udfi9 z>DOo9n_uqd%P+u4M-qQ~_DhOSo%4E~&7SY~@!Lk*OQM(m9_;d^i*LVUj(v^TC_YxPtff7z$ECz(?_rdh)gmtG9SG{}77 zQLeJe@v(Ld=S^va0rtG=>**Szo+qE(}D434|`Gi{lS$$k-g z?ln1VX;jko4+!!0#W|Ne@-{#<_fjQgRkN>gc~vW`k!jyeMOp;H&-ZF$7h29kXRspIZGE zJ(ru7)xWK7fbS$Mpa+c4P)Iiil!FRKqzvbv*^eY@rqz!9G_btReI|R@m}MQ5P=R9& z%5yF4EyGApHsZ-zO{uRwZ}UYZYI6PX zQq)vK)p7iW^?ZA?ix2{YTx?}jeqTm6x4yb2m2=}Kp8e3K1Dg{K5{IN^P^CZ5QvHyg zVzfundVcxA`3sXezbT{wl_a!{amu97;tu76ZAfk=VZt{}<6oLA6 zd`=hPNasMW*YvX&QkZ~8)$p9fP378Mv9EIqXv<{Rzs(wiRjqgX$)6Z_Mo&?HqSg{x z{35fS-~c)HO!WVEWWPBMm}@~rr^(xRUVEb};t}TAuVA&{RL~(=KLRKidknPSNk<8h zrL>;d><{SobO?^IgVkJqx|7VFI{2(Avaul;``eR^Ryp}Q>^UK+aY&+LmZWP=MYv7KK@y2S$`X% z6zi#Ng0!d?dV$A8e;G=sb*WC9w-$_=kgDi`fXC2Yuk$B4uRr+~*Qx@6<`MF*9F3f} zUeW`ejQnP~?Z4Vy13;Ex{rj$)y()jV5?v{>GGMCqCn?sY!}npD>$A3r{HBj?9=HlU zcblmh3x|-apHLL%ALTW-BTm#25rGfeACr;PmKi4fy{>I1F?u9?&qsEXG9i4M%Ea7sqzeODd^LWG|vk9w6ERLHZ@ zSclWPDk}NRK9!3W>@-vRy*f$#OR#JTt&6=XBl9>~#XB#@IAoIrO@!$QTiS=cg%ewrOQls>91x}2M}|owbu=KsbK8?T=NR#>s?p5SYL=G@ zR{(FhwYb2b`}jY_UFHn{eAgt@Yxos5R$_8iJawk1;`re+Vbf=o`813-wP%51?tR$} z>g*;Dos!Oe@|1F|Okc*KKi7%XHs#%TXdt#uF_;5`r}YxWJv>HMUGHyqx-Xf^8eE~a z++%!_pZU37GKb`ut-pFWC9`7tvJ5PE z&79G6Xf+YhEKRq3~@HwQmf_ZO)J-08`EUOX9m zH*1-u5)}eRYyrpf0Q?U3udJdmzmQ0?@f(R+-C&bnwj5)Ch<^ zE+G0mc=jAtc*ZhcK6Al7tng9N?f^#7Tjo9IliVHMX$}gBN{70=hFss_0g48vd6W1u zwtc(PC}9(6y>_W8KZD(S3iPicZ}vXHN7ZG-XaYnTw$mF}gAu4?{@?$_8^@(;uA5}K z;6&>t9Y;%Io$xs?>k@eVa;uiAIBTYqzOdt<=zagGUdIP>_s7<+gMgl{kou;3+!GhM$*?z{9v%ZU)sW%Rn>8Q zX1tYth)07*$@f6F&zXt(HAh+Oh6GH57#tIbM!Wiy63%J~ku7}!2Vi+ke{!RPC<8cT zZRNYj;YQ+U-O&Q>6dy#e00Eh^vHGtBqp8OB@FsYpBDb+4JHmaigd2YL+ z&+7KRe*KzMHhW;<)(wx@r+Co432q%%4Yy1C7pI;=K%DZK$XFy(rRIJwQ%Cpy_pS+L znO=Bne+=>ZEQZ7QAS#dzZXYY4Ua)*(0?Ho;Oo^@r1c@|PwyW&!0d^UApFc+J*D!SbV5@G zsG_$VMmr20bi7vZ|DLq^9qQ30k~umQ+4muEo6`I#VY%N~340dioB2Dcg}F)3+59n^ z`?}05hu@N)#{AFEur%)Vw=XFfWIBq8Zdmt&Sj(a|ylihx)eI`9Ib4FM*H9g%<^(l; zR&(*0ORK8LV{+^b7hcRe3}jkw6`OAcr&5`_=JGEK?mRZPDU0xbLgP@t4@gP7j&W-GYQ$U;T1U1O2ZTOUFHjix`wfL{n)zakVF7EN$`$ z7&uNgK%3`~tYsbBw71(23NqNQSm43REzrhesE$NCL8(?>8uT#cvTZeb_?Y+ZA-r{_)G7~@{&H6V zZF)NOOZppM`f8S2RULgasQ;sN+%=Z}EBB}U98DjP-7Y?muuD4YjhzKS*WT=wiH_nU zSSYQYp#kwe6%W!&7jX8m&-&Z_j^BfD>4b(5$lQcI zxZAjVUaJNGHv_1sqZ8oRIJjvy+xxc=8W0cnDjYK-os)*eT(|NDA|xX`7d9-^ut`{ z1SlTw)#ftFZ7zWs7}@W4iZTL-8|p58ANsxHwgyJUW?%Pwc*qOY7xM~4A?n)vD&4Ok zRcX^+gkUQ8a-;kGcRhzXJ z9#1mr`0;=@qUUc;fH)_i?-{F$><$QzGcVxWq zr02i516CY9&2;50t%SgUH%#79_d%b(a&4oPzb z6g89^6rbR|e!anJ$A*=#sa{pYbESX!zrAn!1fd+4y}f#XCgbMM%v<;ZOa8sT>R=ak z_x>n0&=6IdL{CITCZ^-RvH)Na?Rfv`1Vy$Mn5WbdnrPMrp8TfWdhE7YL&UC*2sBLb z61X z_p8(Gz+XGHNtbE9gsUFin?=Q0abbH{o9=4q)$Cq9>~$jIBSSRRy@&exP;!{1JxW03 zcgOG3uYCEA^p9XtGT)hdj|q0Dde15KPsWQuXzDmelLur=>bZ8mgDy`AbIJ{n*5qDf zss=qY2|l48pD@YC4VTdaTSjra#0beq>VK^m{gwp}+TGp-gDzZ0luJd2ds5tmL0Q~7e)ag1 z7seDOS#i!HPrLE&}6D)M&udb4#Pgi;gJ5;5{Lv$~}^pb1FOJYiI0JuU~B@wwH!7sza z!~h!nd9!)1@vWk{iMY73Mdu49LrY*z%?uWG|FnRa%|i z{E-i=3HioHkzxp1`9lW9s90|)37J8)T5 z57%HGilk^&SoO3?7rXf{eSsZHfWZhA`>zqmcgS}Y|g zoPwIA^OJqseG;3!FV3Kw%*BEm@4&Y!!*fd^yr^b0Cd0UW@)rT2VssjZHAqWTO-trP z6=~Jdg?CH7faxo|xNcFaw|@`IEvQ8Y{*h@|K0KVNu7zc2rR__SZ1tPW)1U!sT1m$u%6hb0 zH{(x#P{lEQwCOH;&Lu6U~xq*qHaL9kQ=aFkU7}?m1gF2cE zY7H90M(Vf$Nj=43<|YmNIET(P`QF?iwx-4<9AGrNfh2hG1U`y?=lJWwaoyc*z+!=i z=(e9dXV2s`m-5%JrVm#jhPfq9b%B4kIWsbvVgslCtmVN1uD@u63!!hRs#PQk41}!p zyds2alCSdE^B31X(Q}E8e+-0Bjw?-Z1qtpzlM$87`>1(iNpPij2d6~w+6UMkRYgBS zOUt1io?+eN;5~-<^(TeE;&LrJX37vHvf+bWkUWS=!&w6svs=MZ^G?Eo`ReqNf=$9L zw39+gTtH`g0jUsD(|u5f$mO^;~7Qzl0HvGbwRo^HUvzi6U$ zMmW35qY@M#`^8*5I@Gp!Ywd&)xXg?`anfG*B%%V$fn4}bZ0?Hfr^aM=bA zY&LqCpChHs=@OELPx{IZJHN`{dGmnLZSLPbDo|YahQlojh&THqZ~j#uJM}i4n-4Tx zH#k7mYkezRkEirAzC+!6_~3>qe!9(GR@cK6+XZiK6WN!pK%#zy+rX}3E!;EKW}?mH zasG#alJfvBB5$k^xd7B{^J)S-><8Ph|F}j*fxk_Dgz4M?hv!gg9xw>p$&_*m_j8}b z9a__~1_3qX2`T>y>YTnh>58mENYU{Wk(!H3aAZ(i&U$B@az;xBPA8;;u>Q#UTb{tZ zpaK*Whh#J~fPr3$u;WU(Au`HmO*iOdhvIi6#%W&15sC-a!(h12+T2NOaS37>*-FWX;;$~+Ul`b4EQ zFd(oD}m=wg!k=3>n6EaKh=0TDy3T&UtT==QBcY&vyI!`Txj21 zjY3H0e~nm~L?1A853;80*xL+E3H9~#Y}l}D_ddss^jxbTZ#Ue-Q9>F%T&*tXsH~{+ zM6AA?mKgt1jr_d(1+<7)eC|Y&Jspn>j4(29x3SHYzQhD#cu1$k@yIVSoys@W$g;~vLlmnz0+k1I`yVL3_1#cCelGp`!) z=dmf2@e$C$Zb@ID8CA9D-?7Jp`B|8v;FyA#ul3p$OBNG#uk%sxr}rjxF)^ZKE zcQ>nJcKsGtwS8=13y#jV9Qz>@W%@_=*_luOeyIztOKS-@)`NRH@v6N7>HGbf3DuSL z)?6)}Vt6S3)GNtv!SGYI}PnqU!_5!yYY|LK$ zmCtableC=dZ^okc{ERmENxp_K87r#S6U4-$|0sUvI3nl&@Qgm#2m-DvD*LFYa@9Dl zDmVmQU0bUqnhw7MB?w{Z_u?zMf;|Jxd4-$Y7>gv+}By#QIHXzyI+kaf1S z41QXi(umC8y#--PP{nrjox24^dfZwLjPo)&PB0J%In z&U*C;tm^%JPURtEWcXmISJrPeq*QW1_(fr!a7MU`4Mfr6dlW6EIhT&uB33gBcHx5LYYfHX$2iitmJg3~vX`VKJ zoM1Qk6y$v zMRS>PHf2U#X4L&uR7RRw>lxwyU~@ScUBpH}z7I_IXx-s!+7t4!45Ht63rfIW&A(i*JXRCG`IK$1h?AHiL#l1Rol|8fSh`|7CaZTa8fyllM2H_p?(mS1jG>lMyaE6r)fIH~MOI=5 zF`5VupZMCyH?33o_-4VKj%C&D9XJiB;|$Pp{JH{TnO*%6*8*_e^|yCVz07?=51yTe z;9epYosTmCR(YD=QCi)5^1kJXaZL1!e{1O{wbDG&CEsa6O+@|Zq3!{MPae0t_UU~T zEjqimZPypoyKrvsxTCr!vGw+>oKCmO06zDI(;%7M@t5CNzEOvDA=>W%p|Mci3o zQ#0wf;leHDKMo2uf0Z*q59S~Q+M2LZjc}$dZ|;362Pu1?)GQU&Xs5ypA_tw>UZF(Y zUp4GcIaGE0y%61$k}@6@Z#O?$hsC(>hX0I2kh<=r6TM@15OqU;`{G6d%(v~JLjTBw zhbjhMIvv&ORBR4=_i3C{>8P!qov~Zp>9X!(b}ayqfN$UPJ=HAhVq&3lv%2i({6DR- zLL7p;dGZhpY8XHSzIt$O#nWWbpZMZzGlDtRx!nI|mt8us;U*UCmx@VgUBVhg{s0D;~ce{nI$By#fuDrsdO{$-P1o ze%C1cyUGDT^_0YFBg?h^$qUsP%Ti*vBtBP*iAd^1*FC96Eo6vT%1bkmu(^puFoIm9 zxS1JW?;JybgvR2PuGYyyu3*#8+2Cu7Gpztxan|WF)=uy-1a)zVe##Wr7eSQG3?J~! zvsD-VCHTsJKtm4psBZnAfy0KsJDK`6JIF&H{-i_hqo%>Lh#IQTjUnGWK=A0T6=ivsK!z zO8f6lwQr2y$^CS)H`smGnUuhV2j2A-j9RYCtbE_zMi!hRKqnhmuqH5@SSD!|;p7r*xr;*Wg^t09D+En@D8dqJtu&PQq9^F0B-NkWUNG~}JEOj6jsW5?08I*tm72&{ zdN>5)a?gIyjf{We9PL8;tAK!`8Tl6rnY8U@k4D-}(%e@< zDSsULY)MwsL_GF7|MMx7=x?)_V0e-nk1(RStmVqK*L@{*<}>QDPtQYZi=Z$br-Yxn zBO)dX3gMaP@{rCR3E&{z42b9eqf{g=`qlh2hn183BFgV-kxL*ZlT^IsSTvm5r|M!_ zR2^iSi}c$KAH|Y&3{X$~lLK-LBcmg>kA9ugHE*4FsnY14O8~NXxOq9IAAmM0fmDaI zZK&rvUd5DCdxM6AUMnHCv)~wuKvkUZWAJ(;GeT0aADMi`0=Ajf$5ZulhjM@BLi3=b z?wLmn;dPTilMV~T=O(`{iZA=unud3MEH)HPoXhSOZzsQndh-wBAF?o%#H_ODU)lD2 z1Vcof=x8XJIy`&oT2RPxm#S~XM^Yz%ZGW5jN%pz-Dp~n)b=ox?{4M|3-O>@rOxJid z)v{a&S{F`*EC^2`!NJt518>EWpt2S-6+hyABg6uE%ZrYnbX1ea(Zw_?j^B%qIx|SQ# z!~APbGNY#ULx16VocUCMqNmRiF1nv?$Or-k^u5+HuKp(R&EQzb!uJ z2a`$=J^_z=D4~zRu|c^%mW8bneO-sFfCT3#{a|RXpzGJ4m+JpR7}xM zW?7nfYq6KDtt0U+%ZRai<^mZwz~};>RrjsiE>7mAgBSkhy^``Smu+2s%L^m-F189& zAF)o)zOo{svf8@F+hDq>aJ|FGExqr-JO(v=QF!MKch7ojN@{|?kBsG4d2qm~B}EYg zQx9{v_+KecwNjO!GbY4F{k61BIwO{Q~ISykag|#zM3E`1|?wd;*H^+f{y-QdrM1| zm48>q{2rAR>$BOJ)O|nu4!KkuV*^y6Rig*G2d(!I07Ta$&%~gg8M`_m^&4sP$L~{L zNWK2?Y>IDICwrVxrC;ajb=C4lIE3Y&y^pA!&$DL;;#729;)9JXS?L|YQrVB__9cY0 zBQ8hr)^%E_^s@mmvy~wgjRmA;FP(#JSj>+@HpI~7NXsNL9O~FloIBxNi>y$}jsfu+ z?**Sne>cH)VB6Pb4p>yUJqjgaf>6eL98!g?m7UzOP7-G9=;VOldO#XvZFrXfm5_MP zh=;f@gzs{Go&ZV35=+Pe>>!473i)>2b87EBYHx)->X<9hO1r(Du$dUPPct;11#v_s zXYBTViasU&HY@v$>oRA_cyZuk(>o7qE9*46>z1uX@8Qc~-C?i8EN^S;Me%|u>;Q(L zZb=9DGnz;1<}}As6Q(%@hx-NMo4AmdlMWbzSV{IMQa+P^)}v3v=h3BOSLC99n8jA? z^v8*~!!34+bbw5MM4rPLeqEj8@9BzRJRUQLO;PeKM)yu=RZvaqagCd6Fzxt2&wab*!iiTAI%l>JHD|2H6wU$Q?z z;U&ChbNcUf6qI|z=QWvs#5fg-Kt_R{q?2TptBeJU<9W1zV*K?4n;ETB05Xy3?}kF9 z;Fm2qbU*S;*4=K%w}oeIH|8#tC-8&aH3);;k52 zMMG#xOe%v4S_*le13n<8CpzF(oecZoU}^;aYDNa+3kISOMw$MovxLQ*U=WA!hgU;B zBr&)6b6OW!DrFmPwo#fQqL^o0T!&8b*h<`(y0HUJiNn1W&IjJgELiVqDQbi7_N2v# zUA1U@+@dglkv(14?mYp{mejbYFT$=ilMn|H)B1hJbs(%Buo__L86EWvv4(u}>bvnG zxigb2&++D;zk9>FY=$lyQBG7--Qk-`$Zft7O=JQUL}574&03iKh5t)eb#{E(TikqL zuI@Q1gZa8lPhDWli+ac3iKWe}5QV<*t%nvNJ!R8B&*!*rh@=jqQ^RDEb;~q!qO17p z*E>CX#%6>c&^PmM;(gGgz7nc5I80mfQSt40d@hgEICFgS$qr1>{QB9GwwTheRQ@I< z6>*bFm0@4?;&^YUXYJvzw;|3Jd(+joD~=MxEvKK_OtQD=ot-o6!;+k3fAsZT@14Wd zxOjH-PP4*_f~Y-Zl*Q7cTxLp(WKh{2Vx<9QWy^h-&O9dfjvF_)z2J~YV4~wayA|>Y zOZ!ewc!{g2d)^C^57QMEzM%Je-D79E79(25;kcOAhL5ot9_fAf^W7N4=6G%m&-50{ zNqNRLYfB;Zh-Qhh;eh6f@i`}Yn`RDwIGu-{#JVjBp#Lk$yXqFIoMge(e6e-* zUKpHMyHT5SvO-DL9)-2%A$wJf5VsR9%W++75^(&M zx#gIpaJyuCbC(G5&9AGxv!l8C{>9*slZF`(GO%Yz-fbc|aIdL`?xl-ADi=qM4PYL1 z#SS^dyTF-kd4SdWI-CL(@{(1GbtnFy%NX~UwgR1Z2no&JM!ClVWl|OyjcUqquH2hw zCGss@IPD3BON`s;-zjimi3Ga_Wn?e$lx09v#c#$8Qft*fC2lWA1&g6o-t zU@C0)l_zu>Jah4veVlaeZ%@BWAd5)ZrzW1q#WFjR$_1IU{8`nTNswE!voMCZcJ9FK48m(IL1&F+tJ+bNsHONX+$eX<|xLVvqevmY*6s_$q3Xb4tnd^ zo~HV8FwLGQRquvF4Sv}c@vHrrCOliRMQl?p-4%n00H)YYQqI*DU0>(~HXiDvfnc4GHOCRN^?iKi)o9EfaxX-vfB8M7PAaLVLb zCBy>D-^HV^d$TiDO2dZHagt3ah%|d;xNEAu7i{6Y*}NM)Cq@M$+Xt1E{czPvnKIoq zpC@Di%Y(j*x2*4c?xNgMHJ$q120W3W&~mqmxGh--B>Q;RrseUp&YS|R%d@IE_M7ey zw|-xm$X22+bTGB<7Ng!WvXxHvy7?7h4E-2T%%Y@qNcy3?Rw_J%oSVY=aKNNjg%LQu zT8}of7~rL01D^7PY2Pdd6S7^vVw6~?87>f>?)Ya#>z~#PmOmyL4^g6`!Uj*|Q+51i z?W>1AlnR}M5SDr6w4E4UJU-x*>aFg$iL=Ip?F{IM_%!qv2NIzjM_5#G*JhGWdl!N5 zi@?xh?f4tfd_j`Z#kJWP#rpk-%n66r@PJWD($i7+R3^k5T2g~}0LMLyY0+kw>N)YM7Hvbl(A`+UJQ7- z6`nqvn4x5acS}>F;)k5?xe?PWY6ZQhOgSej7*D)JbaMRGiZX_DZAsTDUgSAGT1>uB zLp*9Ox^V1aM76Etw-cwdANb&q`gXwEb#t(Bd}`=AAYw~CyCRC^aH84*^R|BVj(t%} z?&;)Tc-Z3Cn$$b#<4t|#>BK{Ruf?hz8;V^s^OCykyBLNsVR=1_6mO|RtSFq32eFFI-bXnW2cd=Unp?gHHbbCEPXetlq z2T1+#EzZw_cU4>BgD1%&)YK#g_)<=uVci`kc!`YVP6q|pIpTjBY3DWhxBP#kzCY9* zPXBb(Do+s?Hka3|Hk@te;laU%i0kBQSPshFYUUg%Gix-Lh5|v$dSwc~@|B_c*7iBIYMc98lP@ z={LkhXufeKY1$F8F3oU=k)dUakXF5J^jW;i%kzVxmkEA+eCUfZ^3~RdZ!vkdAoGF` zQL8!ZCVD znAjPeHgNM3&#t;_YLVUHCne14(Y8FeJm}q`}Qh{12YQ@&A}%f1D%&i|Q4bOo92%aAmu4LEf)&i8$DwT1vj( zP~g8)SJ{tXg)~Su72FE3KxHaA($qq_3meyDMJcbqFcVpI zrcX)0hZ9mcaWn7PcqOmOXmbIR82L-{*3qo>=e>cxnRuv>%l1GqxEgr1NXQ&_Kff6_ zjaI3`aQ5t+EFb5OfBGOzCqR~$6bOvNYM<;Uby&A{ny+}5T`QiiRxOT};B&?(CstT*gQs&{Rv~Gyb$cF!FM< z6FTdoF;GnCqcL=u366UP*hmFnoBe0)MwBogL@u`k84bI+sT~vgF=RgFl@>CT50ZJj zq2rc#2Y>jeoU@G7WbM85tC#Bl^ne&iTJlAVXa-3{1;Kv$ohVg7`^_6Z6=~RDmP>`L zAjIeKhKvyR2rsu{0BgD&+~LDxy!^q3*F@Nl@QveUo-!mGfs5MYb>Akb$gwt@NW4w~ zObU28e>JGp^lTArMc93uRN8@ksPKk1tUznK}TS{N>9=tQMTd3x4)LEsxKaD_eF;qk7ZKcAGo$|N^A+wlLd*))PgwkxYx{5 zskL<-&(%+{5E4R0qg#6x|AO(Awo(KCQ`}WI-kq2f!grKGfagS)NG?$p?m zfkxAXg`^B26SKN5JBlh+=xM;|B8gB_bFYo#cTfMZ$&qfu)vNwhbr1k{GaPi+?$Yd) zoh0wevSsYYbSMXBD~}kl!LU?>oY*pVyH;+2 zp6ih(U(59r$F)rbsEwrFbf>B^m~to5G_LvC1E2hGBxEsV+4%i;6h)wQ$gc_!aiu*; zTjj`^zMLNfJ`6|1;laqLqU&T@aBV|ZTdKrUW4A9VJU;h7Rx7Ej z>}ucE>kt>ZqkeY2+b*y<|D8_UpW2qxdfSm7&Ks!UcUBsMbbVH}x|F#ReQfFd-Mr*` zYl{1JU1F`>5~GxCL$Wa~ibC5zm^Vv_qJte%A82Zc-_kcoTK8vdx(ypvTxs^yEy42m zxal8cL{a!$M|5PZ?2yF|DFu&G?B5gp-@J@|BF2WwtfU3YbqLz@i0Q8|ZAyFzTMB9O zC25T&d7{wjlRs4Wbt?cXlwg=lio?D;3HR5tZ(jpT6De5KSEqqqTl%0e$|4?Om=VQs<~620K(s|t2A8y( z7vl^%E1{4w%m{hCRITGfpQHW6aej(dXzzE{uO`?J!Slm*DRTR>PAbPPq@5)565V@) zA^+Hp{!~LDBy=-GbxqUn?PTSvVKL}=RbK4q2t}K57JyA#%Ug|y5?>8)`@p~9h^($n z+as~~=hK*5ACv&GwFkTQwk2itdAy5xhDh?I1rY^3mA3Bt^SwW2WFrHBqHY)}cWaKP zqJ#F@ovc)|Ej0rn^4nfvO0#wJwlNbcr{JGst!75O{qT`)q9BdE3-Lt6YdG?N`V!!`3SsxJHyek z1Lv2ni&)iQXA|!q(M!(JTMQpjPw17=Qr~b zQoIq3snKHH60RE2#?*pYL@H~z{Gy=0>%0oB!Co3uy^@L;VNoLCz`}=MZ?MXUFCsU8B6Ef!@hQWuB*U)8C-PNxdxf_7YNKUUhyb)o z{ykxJp}vWNyEk9MeH}ZY-b)hvKWcbej}3Zo12!CW)m@*8zWw(=ozV>hQ6YZFFUBt2 z}ECs;?!j^jkv#Zj~t@c*&%zxms%st@a`LG(z>oEe-!v*Q;sLtyVR+Di`r8D$zE&9_>b0P=e9bbRsh)s*zphePodU_aN`@AaXh>046?BCMlPW|is`02c^KtDQ$Lt$PGtKnt`u<@+(X7G{;0Dg|@|5tI)k)FYsC%Zv5B}@(S%Zn*a(%3H zZ%(y8T5iWD09&c^N{9O2bx&vx|NAV>(61koeqC|@7ZCn~3;*j22W8+x^tPMerBUY! z3;`c*F%_n~NHF*6&&$8xzLJf+pyfAnX5iZXN^lXW=~w(!A-qq)hi@b5Z^hV`YwGfA zOEu^-XowWH$RBdKOW_uK8c5`72@AnFJdVycN*?NqEfL~(`svY+D*1M}#|PR7lqV|e zaT383ZDz;Rb%JkZ`YFw5WOfLD)u(JVL?Hyj>(V4&O_>alZql z58kP_U9jF3TldT*8O9#r6XD9$x~b}egZRS^HM}B`^GeP^!Xd@m7^9q%X`h5F;l|BG z#cU8CD zKjJs3aKznLA|!OFrKzHIH>| zKSceXwa+TFAq!DzJOr0;Rj)~iGRau;H(lB@U2UPywh^lWVj*>J1KM7*&WtMbe*+ZU zXW?vb^VpLm-m}ydlp>FrTi$k&dBRI7zZ5{AS-|Wnq&LzxC5I$|*Zs0k+wV-n)*dcT z%cos2it#OdhM`Mt)Ew$0mWpc#ENvJ9SS+@BnSfp=`^f+M^!;ychyU~8$i^@eVF&!| zAPWl*<_%bpa8X?5jC{uab1vCAgJH=OtDKV!2(v2grCi;vXvS0tak#WRLF1?-3Ji(a+b*C(i}~3@wTt+o z(z;WnWq3Ij{j89xW=)(ZT;%=i=QRd`+)7P$EQgH(KFK=3#A>xG@@6YjOAePh?UP&^ zPJr+`xKG#RO9M5Bhs3C90UpZd^a>!D0W1D= zjd>JZ;3mQc9raw|3zD&Bj2Zd0SEgiIY>YG~(}muwYYlIRg+SucEDkCWqUqJAWaz68 zB1135R38! z(WTH;$-ebibUhb)rj;}ZcD=VgU3m`Z?scFW0FX+ z$#3B0GIP}L3iG`p!@FE|9zSZdt9gipC7yx>yB-}2r}xv%g!x9PMSgZljISulr4qzO zeA6z_&dQwa&z{^mS2U)8k3zCVxQ^tkE&f9Ela z7Pvi8V3;A|aE@2~kRle+!N`<|Z5Kbg`r|5CqB0LcPj=0Irs3M=p2(kfIvy#jP$Y9% zqz$QDegB3nmkQ3GO@8}9sZk(5R=t>zo1*HJVXv%wn6FWGY9c6&K2cIX8Bf6 zT_ypI9*>!}z(m5EKg-%StTMHgYwF6U*maZSX(B;%;SC0VjtX*I;DmG{AePRp<`k9s zbu);Fi$7+&?4yug;G2c(uF1!}89e?<_m|~)$~AFC3KAYpg{t&gNL|GwSO?;F`h_z7 zPa*Ru3Lsd-tejfMmK{UB#m;v=!x87I!4wsZ-$;~jxvDpbNNAmdtI-mi{y(g}by$>N zzc)G{2#U0T(jhG%N=Xca?bV*ZQw#`>Y(Lp{(g z&C1>j5nyYHP;n_AQDI=G9hscchh)&Wm%o zgGhCz_NU_@gih}~nt@Ix#BdStfNoEq%g*$+s1VZiO^-+~1Pm`?jGQtUBxD#IxG8ae zh)CI+lkB%XOuMb9@7OuUWh4e`J{6+G{#SBz^0VotZh91 z>4#z=^Bhj&TL~wy?Z5fUF!(h}Oi2DVwHL|${gqHW`|JInw^M9q%15g0cvEaz*!RE4 zyGqBd?fIPs(x->_w?lws_3{gG-Nhnim;#b@(BZ|iMY0ea7R%9`T6?wtBUL{)M>Mpn zB(u;noXp|$)R77zv*vEEb;?km|6Yy9Y;Ox&MrU5)F}gwMY{aRtuqa{5UduY(SH z$#ZTh_th?FV-FMtGBd7G+t}bd{^bm0Vxl-Ld!pK5U=!x^(1CV6$}jtNLdc!h7v{twtukwf!=bpsgSPW^NM^2jgX z$gw=T-Z5u`>E@Ceb2sj~3crBLMJ{(hs@oO^~kvV=Q<`Pxrm<0=yTRC@{X<1=JRZ77Vd&#*hr5W_(+pX16 zJSU~B^zK$2=g8OywR&{NcK_?cXRdACQMZt?0=5fp#=J(@!PGE0Gfg_rWy{y1Yub-5 z_Q|!7gsv6@SouuY!G8Q4ZJGuF5$uehB^KY2cFG&K(zOM2`ZxT!1wOrTi^HK}WG(`! z4ngE5hreKO$cmTrNY?iv9e+>TnoTSL@0OOVUlSpzpa>un3;gL=0_?T`F|FCmN&Wis zf4z9PAjU^)1F>S-T~5e0$}%a?7Dco7!-(A$EERe4M`y1WG(xr@4ftMzxSGx0-@}Q8 z4l*?KFu7?87iKgfstbrN$a!pZl&m=act%Sc2A`I@?M(={$gFrjjq2t#l7n=dgWaP| zRUW)mB0ZcP0giZ)e5=kh$a?wvTr4E_(7Yc%I&^bwc(fI#_Tqgi3uzh?b=`(;l`kF}*V)_3B5Zp~<`r|5y8LJU)NdIsW_p28zrb;Q*Yg03-_SgcJp z2j+&HPeagB$1lu58sxU!wpz_|zU?lA;GJYq3VKSO;3?CBXFRUm2N&Z4Bpm z=criX^HzlZSyjis&#V5;RYmKEH0yX9LIFQun*F@9F?;&3#m4{tLg2}shS`dyw^y_)!B=-+Qypc(-E@bJh4Y@ z=kHlURg!7DRq`+gEO;(GLGT0eTM~HH6cAR?i%1a$(epv7$)TcGF}cjE%*w4x#=h9p z>Po(%-{F1`8X7MFhei@BqGUF@AGpT&4-|l3!6ndDtAsV4_wEEfI1~cD0DSH@tU?K? zrs*9F-r}wp3R#!)Cz1;a3t>1CR|jnnx4jLcc5To-j^Qc*+O(^r5&xUa;4aD8MtT?Iegz|S|D2L3-*sJEBql}@hmyP<{9uRrL{RllN=!zs41LM$UeVhH4>%|=}13I ze;b)v6>Q2$50is!bgLLVUmx>|k)#&}TNQ)VHuI|zK< z83A5-2@OO!4#XLXPMk4^YL5MwE5_EGOZfSuL`T5bd05b1fe2(7MKa-hAjlc}IZXB% z`^{AhzR);EzT-34FN{dfR|~E+$kGt(-Aa1qFy%%|jX1DTZW0VZ@O+OFeNGB>AzduS z#FURf9s*3#T~-j8kxT+&2hJ*nEFhHtV4MF1>f?GbmuOf2Eel7geY)P;QwuaDsS)(i z%v5BKwW;{K2HiDTEmz=0xqYxD?u`QG#~URtPFC~)pIDnJ(SAYa$2Z+C&)f39r(#;0 zZ%ep1A86O7DIENu>&R4rEklAxAjtP-IcI1!%Pm@WjPSC$zNu0_>=6l?Ewoc-xRp3Ku65aD&+;WHiwe*R4_ER z!$EGXg{VQ~!+SQeRm9c4>T88_E~2c3g&bsXS(ZbqYtv)W1x_|IZNrUF*@t7XlDX06 zYJ_9`L!wPzQO%usgHL@P=%ZY9@-TWopYy?vos3APzIs;n4MtdUcVXIM~KFskgB9 zfOttIdx~50Z9-~ua<UKJeAlKcQX`yj*^3Bmgy_WW}s34P0*+(C+3T2Bqc35k6Yqbih<5rfAlk0F zS(Wd52cK!2wS1E)#vHBVkCaF7=yP8z&r!e%TwV? zSGM)#y8^{L!?1CT@|Y+#DK-#DdPiPQZA0F0)t-IRs@Er~3(eXQ(iWqPbalW{fG}Pb zv^wp_dgvtXNlPjII#XrYzC@Z0mOE9zEW=!Ozo6Q%T@6gFFPAA6LDGxKiIS!-v8RgW z|I{x{f5eLdgsY$hF6B3@fP@Agwtz^Y)ixM6E+r11v}LIcI}I>>=K{EL^dv=+-Z-PD8ckEDX@D9Dv7tNO`mS6gE*_0}rjA zBK$cnGvjrr@$S*xQ z=Ss7OZByK#)k<*9xW2{sV`K+k9mnyvT`I+iZ@XSes6(!b*H3;W_HAY7FCRL=5fC*q`(NCurG^i|I)|zVH5C%Z5(@sFSkMC=dWRbNnFX5HgX3_|r`cTL{xwC$RK~j+D$x)lf7T4dUoMGb-Y4HfRH{}njlyQ#T z9I+K0?gx+=3z%S>1Ff-3p|J>|lYoltoOIBX!cXt=VJKW4^KA7`V2kRv;5Z^1q^|UTVX>= z!W9(S`pC3mod6xXy5l$rpw059jWF_T5`MW212)%BP5Q;fSrp2k0^WsLZ{eBSgb%Ha z?lC+JPG8)_}x`&ZOrU(gr)$^bEusE0EkBNj~19fVr}P;Ad+ru9H|21j=aL zU2p4TDx>fJ@26&etd&SuX)qsaLz+UM&=uOzI48hugXP_0>&1+- zZa$y!3~e~31i}$(#4m7LVZS`H1rKln1C&pI2!*6WXP-#s*nSAZ@v`n~=$jb$nY zjr!Hs#8@1@>jQJS&z|2#Jke!ieah$^yv4a5Psa~Pu-M6_cSw$~Ns>+H!#MD~na4RP zz1>elIb-naNsdjWgE$(XAvq4}Tt3iz9cp3l0r0p00cT7nWQ2*<02^!1mb!vBnoX&c z#nd|hRK*+Vbkfo{TMfFAY;8?~v^J~a=X_B!l28PPVPXhpj%hHv}cBI4-p3H?M4 z$`A5L{Z(8sU`EjAB;>K`E;c?>v->{3a8P1$d0We0%7zVeu(Dc*w_C=L^ICpjqjXdh z)p@|3x&4U?I4kj!vrh$&F#_H=v5*HB6Wq9CBP?}&6(+?Eakr0neAPK>qof%TXFprJ z^C#XlNcOJiEl}kh4{jD&!X^(-2HHqD=l~NmE+SU%e}n~N8TYPEXDdapp3Gdw^UH$n z5xfrpb>8*e`(|2CUdwu>KiFb3sNjaAHzfC$$P{x^XP*6NtrleYqQO*kusu#^;ca@@ zV%y0Qdy$Ae&1xZp;qJ(p-2Trq`c6D4!gOcBLoye}B-L#cKqOgwkRK7}jHdRXZ27Jtj3` z46;tZt1~4frkTL6?=JQ*R6bVaLL4k243T*(YtQ@h?~UNFOhB<}of&(NZ3y$x{3Qw> zc|P;i9jVcXI=`p(Py7X3VQ>DYF`HkiFxwhJz75<4TnUVx5$=(;7&G{wFXvFm;8f|`Njy;G{&#*YaH z)P!H3e$)Na7yHkE<3B(1D<%0#fz#;b8;Lbfhnqsg{hshn5P%|$@htE7Z3gBl(P1-U zSOeiiA}VL;Idqfxbd$HEv1vpMqN<9}4&uv9Ii}o_Nspn=`&N3wfIs&}sqbHO`hOb>GPJ+g)9^^;e@4u4~40D@Ki!1}1G$+5!cm zk!=o+K&?oqt4?uOm7IxPvsZe zIhE90zxrH%cgm;4vY*Hd5n4IygC2D-JT%jDKL2^BxU&*d>omkvup$PjI=vQvC3x?z zYZ3*{bfo{l3d&RX#)vNysuTbi72+1lU{mfyGllJYc#m!p$;-;8mu zb-N@~23&wI>&)j18tZ(N=+l)|u*o-OXAduUDIzqb_tN`F+HqIUD~lerrZ64u`8LH^ z@;T;*QnSl*@Kik5bLXL+{knxrJz>=0#o{pMe1bcRJIq04jcjMJC;V`!WC~ntQ6#t% zJ=OPcwl?gswZW*NaGlEgtr3oDa2I#TE@W^yR+lzRLbl`&rd@(J)>audMZ?y@rY&ih zL5>aAn2(m^&^UcF9zFBw8e zz|A+xCQ@a+^jew89K%1gnR({5KT0#24V&~Ga-2^p9-5nipRH`#Py4(#Yq@d- z_6~x+&#}=qU#oQIy}J<4W)Oopo@S%GlPeX?&*dIaohBD(T!(l3~ zhFw+^ zPBw4pmfeQe8=f7t+-%VeG)oNHn9rwTvHt5;CfaMisCJEH;-XQaxA<#lv?U@!7L}fG z7rr(Ef$sO+CotRi97e_v{xJ&a(CVKI?YF^%%7bydlZ>w9EvtR*m+LnaNRU%JNx-?q zQqT4yI#b9Mod#LBld;StX#H5xvq$PoQzcY_N1wI2PJ16t-bEDO^9;s z^FI8!Rp)m)nH)qPIXM>TxJtl>QbJ%1WZ5W=rPDlC67sj|g6N-U5puH`BM))Cp~nWU zeDBmKBo^H-Hn_JXg|7GLTK>XQ`f>6^OQZGvpCq|~s= zWtX#Pj7sj2Ojh(+2#rmh_Yu5u72YoMlz=kvZ@ae%y0&FEd~O*}zq+xKKz)-R3>8aM z0AZLSJ#Qy@c{vicJ7`*pp;N{%JWO5++C60czjO_#`0(BPVOQIi0~uR0>MD=>htL2i zXFq!<#waI!c0M=n_lL5TOpv@gUe|X;H>3TWXV-^ce!G#c^Pp{58D1P3ra!6rpA`)3X3$%au!T-?2 zr$Lx$rOo42vWlU5Ufbz#mCwhX%JLKwO&LQY5Xe^ z9q~9}&92U#hrZ*n;P#%+lqDUNK1W5N*7COJjaBjNNFUhyBILGgQQZf=$#qOv!BBIU zzP4Jyca#XBf#9c-#j#Gl3 z8WVXM9ga<1s?uZal?%_PnASObko@>cVS)DK6s!H*il~bPM1Qz8|g%4@JopOZ9zr8L=xpV8o&8(f%E?%u+ z6&2>dH^7XlX7?z1yDhOu#iiAtz;p5DQXkdyc74+qy^ml?xDX#P{^8)W_^rE4vs8x> zi{W&b-~?fYKviD5Acn1~CzNX@{3=hBCJi0_8MFK+i1_~kjJefMAe=_`u*cc`YC3z< z9y)R%e0Aq!?kgLFF0|}b3i#rj0O6AU8vRNIxGt?-(9D2x>T7#dE(fFb-rnG0_+pR&vQH26@RAjmN3;HM6pCP zxd~D(YtydBBFH>@f<#EpoCk~%MClO{GIR{*rWx?{lD1FF7I8$a)o^IKUj9LR1EviO zj5u{Z18yJ=gEd^8Sk*k|lKd3=3>dO?;Lj6OIpwH02{a}XSqw7xlR;<>IZeT;6}!p_ zA3S13Q``FWPbfV(@m%Zg)OXu|2o@Y@g#4aHM)TBeImT8|9_LYF?J;!F!HSO?%HF5g z(m>4vjNts+tG}**CU9G@B2G~ZsOn00b)2$egk3%>ps?iW+Q-$c3#m*_&6D$A$EaTL zWvsPf-1Mp0%gG8cr~$$_h6;zQpOddavpD}gwz2GLkgqN_<4<0j!sr5woCLQXtxpup zXQf)#MTVo!Vb@^e%S-dl<5*S$`iWhJQL{;-UzuspyMXk$np$xUp-m`wt3@J^Gw=ZX zoR>B40NRkf z3MJe|tq2L3)&uZeI+KBsg>gMhu_PcS81jeVV|ScJCHSS!NprYQc+cGpyy=NPt!b-x zjSd&@RTDh6Vn2;<>V75VvxJotk-tlE8fh!P|A47T457f)`%bC?QePq(c4`fp%F=^% zzrVx%scv{Lzm=g#|EiUS26@Ng+Y^(MR_5S$%pfdoAIyGU)q`>h+;o4aB+Kpepl{w*JT> z8BH6DN)m&2n@m)8s1%dd-@6R_#>$^=)1R8LL>U8J1foc+$gW?hqES5vp8Wxq)()-3 zu0w4v=#q*79+>1TxJBBlO#`kFAwmf=HCCicFRJcmqXhr?Gj&@`jHCv6Q;w`iT#C56 z1&v`q+$ccJWKK(&*EQ111n{0V>6Z>GEkZMNIPcHY3e>U<5KsmEV5+DquBlms!5+-CX!GEA+GOc)CHXd8T%?NMPwX!@YjkS7SKCb>GoGp=Sky~wgN@xN3kSt zxM?qHVr;ugX(IswR~EC>sK3}{tZ}~j#?4)-@FX9XWyCE->+m{`71aAxX5c&eS$%H6 zhyP9>|J!Fz5}Ep`wLmz7C1&hKB=_!gWZE;Tw~#s|_cz(e%z;B@UxcJ(7=ef04G%aq z2FT!9-le~fT9E%}%{(~JND05sd?O<1;!s4Ev4;l~Mt)TZ#G!#ubZHi^iT)XLLh8iY zFoM`+L7h1v?7(s{-{^d~7{j&sJ@#Cf-uzopp1ZjHLff46-UAzKM-5x0V4>)oCG$<0 zw4U@3Q8H#axRD@UNlG<%31U{ zL{Z&5e0%H5H;=@Qq%Jq$i4%=B@PhKbT)6 zk=dD;9R>6f(&1{EWOm52A2$4{J1W1>R-7^gRFUo>99j@U8BAw{7k9YDz{pcpOnBBQSLdO^qVLM!@ zqnhLDscaSE$v#6D_a>2bvln?qn|7}Rzlbm3a7%2v+1hPBne~#7sNJ?n3;=a*I2SD3 zC&;HPs?#o(lC!Z)l{oz@;k@$=7e^Y!^iFKST7e&%v8trmq9%fFd%dJ$7cHGil{vk0 zR0hi@zlq$C1GU-($P$%lqGr1&*Gipb$ddL(bZ9VxJ_WOO#PZvDB^F0J@%rC3emKD0 zwvFmWvT-N9o@OWW0a=jQC2b*>1>zGAwCGXwW|91%+W7tyL3CjVL5${msguFG{p8J_ zd2Tc|&2}EcyDbvtBmS?UWnEv*y7aK#Ttzx+p-s8}(9CuPq^yxQtL`xmpqQR)4Y@8F zKGVL{8t=I-Esm{C-aQQpk4z=5N`6aPg zJ~nHk){B0wm?C;y@d1`zG;JE~;ZmeDZN_LT3zD1hS(C0=jJ&$L)#R8Tt*nIap8>w; z-;rF5!G67e)52|+^JoLWNk|IPH7MS^pb4aSRx=@NbgzP#!M*dP&jAt;0iSIYo8YdW zQL}PRwiZ7yd^Y=WReMGuU7uZ_Z+y%E8LPM$V%{+(9T?$e@s z!Oz8B)Nq20UQq8L>#msL_Ju2;+G*rG;P`j=UE+;s^S~1kJ!&2 zh8?I|PoakxE(cU-R2f{3TIKq=g|ke_XEpRF*7f2~E~-IB$j+!uV644S}J z5mjPC#nUxfZ1VetQv6n9%u*M>$YpUTaI5`c^EyWK`HyFm$K0+-ie@8T!)$!;S3;By zB^{LM=5SpxXw{S9S^nYp6d~B#hE%vIeg$j5Z9)aq{7CMYzLS#JK_|-y^ot|VFL1qB z&(TA_eBLE&#Av1OJn-VqL*$FwPgp{LUF7!mmyC9u*%~}_@Ry9}z({32@zwi@IkJ~= z52d(!pVp9qa+DI@Tk=Xc;qs@g5}Yokcrh`V4Z!zTXtwHyl)on^&|^K>PEws$JQ#}8 zNt2o;!76EdA^`R}A~mZh(CPKq9h%y{W0q(=!VbTL$&i^Ww?A*TVdVb3J4iUn#TXD% z`czd&nR9#V?mOs}LQw&R59&mW#BG)`Q|meh$WHsC@>QC? z5k8o@iOtJbkMOIE>IX!Rg9As{KoJZQ-MsoPA0OphOQA&8P|a=r3=K!$J>>dow@oNA zqDmiN?R_AYH2GCf2`6)$>f|HWFQ4Y@e*Eq3_a4Z+OIh=~M7>F(!zH5S)Q+1X-=kX( z*Y-T$*$V21A4WqmC$<;3p&2a^91qCzJ=!wU)ONUWvAEt#3DmnK%aqQV_%M**t4<0~ z^C-$i-CC-wE3O}1NvPR-c<#;^>1yb8N6)z}mQ4N2@)E@TB9YlKzwn=kU8gHOjKCmWr5UqR2D zerNRQ#8-^TPyAzfLjW-C_r6!F5&4>0n0IQC0af9-Lz7?kA7!=w3NSSG-Sr!l0wp1F z_rO?Z^YdRH5IKC4^B8*WR}_-I>`RJHlAD3X z@G{NVat;~IBioEH;&5`BM2yxDJ;^@Tf!`n zf)E~av+FKBTmd;Z-|bx{BzPMpghbAS*Y`>@i)#zzQ}1y<1bYme=Ml$RlY|?Cb=yI?M`YY_UJc7*0Wq6r}5n6_n4KjjU3|p796-8$s(v)>rRKsx3lzYANLzP z_0X5_=i?e`tqCPy)RcSR7vV3{@muM2m)RWk{W8l>n=KKEk@e& zdAzRU+q#-^BVDsTcB$YiIq3vzvT8`}X@o)DGMkl`Npsvf^q7m(YHO13lWuB-_7_oI zX>zh>ebvw6-aZ;pH*rzAFrBYI2NbW&!wkDbb!8PThs+d!elApzN5_hp(Yf6|>?*)_#W`;<#pp5ldiYR*V~!!jv| zxOQ1t54JizxbOKN&F252P65b9#%$Py!JsOi2P6IVukYghsf)%02ip&3r~^@mh36rQ zFYXb^v3d{BgH^j#T#iC{81}1UxW8uZ|8MJ}?`=%c?P(_LM!~SNTuF@~A(yr`yn!W7 ziU4q&PudbAJuDn|QUoltw7k?TV4U>d)J1Qm<{3W$X5@Y>@NWowC8py3Ru}bJ*RmnA zyQygO4P={V znu+WxsBr*6C9H6`u4zAcZ|m1OWutrk4lSU^ndnUm-Zd?WeUwir4=2KrLha+sy5aKl zH0V^f7kQ$ug{KV*YD~RdS&N~JT1eB_y4aSu;_X$Q?c=vR*mECcA?%a!*00A$VoL)D zw@$+J=zU7BE`CdPOK={(dIP-YrN^xK^P0?_h7L-lFI-vc-N68FKz;nEbN^Qj@stgq zi*RVMPR5rKayD$_gIHapJ$`t|Kxq*ck_Fm3=Od%`-2LCed`0;RB&No82pzGD*G z8mm%q$Jc#TzIq`F7`%<7CF?we^3y1~eiXfs``$BCJWl!*`VR6x5ZW}aW0eX@sHyYKWny?VmA!U=5_(5>R)X;Rc!M^r{PtrpjIrnHH5P7t zfv?Efa{OJC$*A=QGs&CZyptvSvFZfaz3&UEFAY(EV#HP`j-7`84Y^zABhqB}^Eg|h zO|Y-R=+DWwLJBPltlHY}`pk&{xwZQGwTJqL%e&?uvuYWRD7&3xdDu?X(2MRCXfVts zmS&3K2NqCzE*FogZ0EgyG4ZuC$$+yWuW!hDb{2Sgbqx>9V3Qv>z9tI)S1Rehg!(o} z-V@?Ty?hGT3tLp7r1K9L0KauFmSg^DNZQ94wIq#m=}mQh}&@=;vORMP*e_AjXE z|IhX>F^y?n3GSXj1qyeMSQ2B*p6ccJ0G}$z(s@8WSm*gcY^SQ3 zLMFlUF_2TB5A54KWTz3n_DrPjWYJw0w__Ju$(6nLG)-|+mQfM(x#0<)MY($*Gfep5 zrDf%vq-kKppu#n3lc+rowfxFeY{b!vrqp7jNpZ}m%y=YE+_P6w4_*3J$4re7+j!v0g9^O65u)XeqxIr9O9BNAHq{StqCFS5A~0$2Pqjq;j^wEylK>paB-r4!kS2 zOA82hIRM;xTu|@kN8@MMYu#_W-21LMM@VX#{8GVKklRN7E?QpfIrCV@Ma{ewk?Qq$Tp1O`Z{;HG1#I8! z;8RCN@m_rwlA7AWwqw!E2I?qQ(8_di7kTvZ`(o5kk?UNccV0Fi?tI>r$TLx1M&0sY z#k?+P&r4yH@VFc6p1TM2u*fL6i9p!9#kO)E=#BC#8=b#Z zwa0tQ3E?(ru+b+L{r+17U&AJ3t)jKuQUX|{%_7V@#Hb!?%vMJNf^|? zp7SK0vHWno(&*3h9IJl=mdELPW|~5QK))=T7N^?=TqoUru;>mQMz=Qc3XZv$j0xydl$0KTx$Yq0}4smLH zUz;&@(7P_1pEGaCu_9sp;|d?9;xQ$KZx~N`%3lj_mNa4ufuVT6ou0)3s}H!Ffb?WV z;sYyZ6}!VtjeP~hVvKz9>Ta$IxRlE7CwP1F*}|qd!Lhi%p7ro6i>{Hea)6tHkw1V+ z#|J*xBUr|CEE!09*5ZTM+=|%Uh1Ged37XwWe?>lZT517gb{F38 z-yRI?!eLm0*cU7^nf@D6N%CVm_P&@{o6I;_Q~IQ$VA{@%a8Yv|xRmy1Pu%NX}I zOzu{jGM?y`Gt=55f+zTnAbCkJwi0Lv0U{Ii^Q}|nfaAk}%JLerZ$nV|sFmF^Dd@re znas103`}bqy^k|~)YHRn~X|{WW zXI~#0dTv*YMrA6ngR=XDJwNjJ@l`EZCyKi(L~X`z7MNTfPZf?IqE2v%PwJ+x-J5s0 zso7fjQNQ!E1!6%WM-|#z6Lcuv2T^udP}fW8x~%{RJr^K{M5~k)s)&xP+zZr^cU{h0 zc?9BGB{uT00H{Ww!w#S>e9_151-#SFlZ&AW$1WaAT&zexePox1&_y(2h`(^i#%FT1 z&qr}mgYo%^|WnbPI8q_b14BO+=K7rOk>lpyTlu1uuLSZs znJ97Ds+DPsW)w@QA(1p`ZvoZIoPDjSZB_qV%niQm4LRkNXaRA?K zE3R!_uJ(VBd5>i55B*zb?@#Rmzw!3u8YRMu$ z$ngyCe<$-^fjYWf#^}=CIT4737-?1JvAP2q+jffQJ9r2jxV>URO_4|N zSGN6b-RT4{e>`rbVXO34fx6t|S7HfyKqBNFHtH2xd)BSv0wA)3VjpT;UAu5|sF0ZR zTuWi>Ibqo#blWB+*|!CXNs%&1*Re|%!0nc0!3ctuejKx)a)Wq=Y!IG>2xuleter* z_mys6;o~U@Xx2H7L7srzLKP4NAkaGI`Y6T!H{*Dkpi7&_#XBoHLG_OexAbUy7LeXf zE~c-BUw13Ef3AGK^0lSZ+*lMr#9i%b;M0PA2@hg`?oLUjNl^htn*%(h3S;WI6*Xf; zv_oZCdz{`ga97JDMH5G=v9l!iwr)nAp<&|AvS z!F80m8i}B@E_K9Y&*j#am9>jsgis*I#SYWzti4L}j=o%E{>778kSS`>9GGcWcSR)7 zX^Q`MHk`Mq(kJ!$lYmYHpe|WHq5N&~p52(c#2b-UI)jUr<_mXuyTFm!)S{>Um=?BV9W*i)s908~E`m=B|p< zU-d8M^`ur#iyPDlfIFbNwG+HGS(*D)#H&MwK7DR%G0a)we=w30wlODgZ{A;G{;wfY zHjE(URPZ#AS-gd1uOkA-4+?(8Tp;}}Y;%Knqcslh_GT}27}A9`CSM;jsK|~@mjyI* z)Vy0mH`Bibn{oh`>i!wd(XR^O7{MbBdl1|%WwgaGsi>0257dV5Eo&RNmgljAN>7RS z4C?NrikMUb(*oGSdFdJV%}PLTTZOj1;(*>*KStmBfsqj$gCK)tUn_*PXJDwKm8-To zfpKPPU~EnPeT&b)ARM9dfuYeP0lbOU%-`*r1^uz;@ z)ut<4rtyaMpDJuRU~{Y7yI^~}x{)%47iMiem8F0kQ>AejwN;v#>eiN|hW$EGysLMs z^t~UaQ4GWB62YiR{W;lHnDDIeX|h(8w;`|^&Y4sAFlOUdgZa=FSz?4{kD6toW+7P? zj%D3xo(rJO3T|Kd5u@pXD5GQ(!a!$DEw{pXGQ$c{M?g=34d)4AL~K>>`C5bZN?che z=xocV+1g+=S@TJDY~|$4A89(#X6K|!LG{*++dFB=@K5-@0G!K`aGYl#@Sxzf)C4=cYKT|D75q{lg9oiPk6D_juEz4UF3AGytnMr5`+{zeV%N?&DK@rJP!f z*5J*OX8d>tRdVX^@oJ;qPWgyyO10x=RSBKV?ufS9hqvuGjR3peiT=aF!&N?d&Spcd zi==XH=iAqLbriM>R`+oBC<>&;;xy8n&IsyOygtnST)BDeuyMcUd885E)#^FAwb$e3 z*=8+zp)eE#FlDOkVlg}IC%u4fH|V2&xP@##y0_gh(aM*M8!9{H8NO3J zN`=6T0tv6Ax<3}rRn1BDZy_)ySHoxgw#_(Tyyd`BoY=var7m9^>|eaR_Z2veCCqNB z_lw(|?&txdT05P-9Tu#1c;4Er6eE^kM2@9Cb{!PX`pp88c_i_7z1d}Vc}Mc<{$-!i zNA8k$yELEEIdP;qzeZk~n&h8L6jiY?@n!V2gkQeEq}*ZV3>+*lF54gy8)JFey%ROC zcz0+0?@ICtj#M%y-(NOEI0*l!#^#wOei4T04@ikfLG!##0pH~`asr>RM%=#|YQd5W zB}@OjUE+6(mEmGw{uvLgefDsBge?C63tCNEe*)i?wlz)e@55k{t8|A$UeM4iBQ7Zd zzAi1L6;&a5E~?)h0p4}E_Tu2z_4x3Gp(34E6BMNJa zat8V{45l@+M_Pi0yH|yG-29N>aT_a9HHk9LmBZtWHIWicz4MS3zm%lVbP;ryk#{Mv z0q)_P9{2LVi#>v*37bK(>dHZ?|fZ z$a6g_ey~>Cz$LcAj<}YG1z3p>lVUCQBKfv98fLy{AA?u#1Bnp23WK)<*t)=Gw%A=n z6kqw{fzUt9PB?U~h!aT{&gT@+>#Uz>;C2KUkUoAp zTk?bE(F6GtTJ24Yh8b=nkW?OjVdGjHL}wPnkug#&Kotvkl1$E1@V)w{N{U)KdL_S} z&QIgnv2PgJ6ezT9Xdp`tX4)Z`RG#4qz3Gb=2GZQ9Fre)w zBKfCW=rduO;nB*6sxh!B_J-E8!cC&v5oLCt?(w6dynzZ-mp!_@Y^*}KRW{$lTMNi{ zaG&u%FJjjU-h6U{eezOgnqTocO#Y4TjRfyyv_p7<#2mxuP3LT;4jrJHb=939!}wlT zHe{70aO)qu6=~=w1v*u=aNWX^UvD?jwMF1?FnM^I);@g-OEB`^C|L!2^ zSE!a&4A_nawo*P4lJlw1S6gwVBh=mK>O*AR>D*PZZp8SNn9XwV*I@FKGQ?^*+Jj(WA%{-ygPwTNHN zjLm5Dn~=EU^iR$yRS^gEM#)We!KvxX!knVw-=-G%^LgX*Z`7j;7QqAAMsThGuKAaF zfHo5=d*uMH(mK8E_dREwckg%aectbH{r$>g)LTLurYaqw`klcd5Akv)7Rwwv-qzI|ZW`fa+jVEV!1ZZjX6(2mc zdA0Ca<4cE_^lRGUqL((G!xAEOa^5V z!H3Tbyw-xQ#AkM?%B&XTQng&~$<}8(yTQQftwfj@JrFXSswB3aH#H;L|6Mo#ZM&i^ z!|!(WeDL`+K!7T?i%c@I^veqZ#9V4~&}ZtXl8V+w0A2gL@S_2h5nD z%`X@Xomv8OyssKQFSfsN!>Nqyb$&|RFWvjml+XCo?>~ik(t#2Rsyv#;5!Z7QAh~t` zV;{)@x?fmu;iW9^@lpoGl>nqf>iehx8Qw>0?}+FsV}WxrTj?+{fDTvOLI{|p04@wy zHVK%1>h1ak1+}Ad(VX97=&2v+>WWi>!vJOh6(81~yXxNU^4QLYn8VZlg_0q)fHH?| zI^jF11mX<^?^+qaBM4a%GFiqxfVMck z$GOCe+TT6)1vs=@Wn*8^gWuFSL3Tk)(8NmCQ*mG)5eW5EgRGZ25?B*PyZ{i5>q;bM z?=gRS8ITG|({U9au{r%5sS^0Yvo>{h_Y8J2O!9M}*y$pMBQu0M^b%JncTrKYZL%Tz zNrK{s6kfX`!2B^$G2TS_`O;Ht^6I{}0OOAb<3E1z7d-HkSSM0?s-&d!-4k@Neaf~w zG?N;%kTyhg5_{fI-s3+hR&g#*Z1J;YZz?*fxBT4JL^J&S9Oq@6tVz;-f0^rg0xW}e z=BHrf9l9Yr!H#$#`)Lh=>=qHXHAz$m%{^k3_J8@I@*Xi7n2uhMThD17nwmEMajz2o z-|khSJNp@T8K8gMtFlV2|GeV`Jv@{eUin~_Fu_I79LSI6yRI|u(CELU$Y+Q>?tNd_ zwl=zx@>=Ymd6W+^X#dpZDnAK)t*3y{$Q-;w2Hu(!ysPi|`g0#OwukX)mu?bU8v2Ty zmxY2XxMfU7%w5zANqR#Gjq2~!5)8;l?G+GyccaFQzH;Yy>e5=2{#?W@rK7^6v*n5( ztEJKj+OEK7cNVZy50w!Er!7xs zWEte#k6RRyi~;;DpKdzkfvI0o5OYWtoiGB_2HF8TIFq@GsR=#F!?UA^p23rOvmE_j zNmqzIspLe<%J^=ZIp(qfXI(C)X?1v`andwzbo(Qy&pP3G=UAoM;&>WPW3BoQF^4+> zhj(>H+62cG-v-5<4qQ5A=#K4)C5=!{yh-$_PG0!Ko&35saZTj0fa_S($y-}by~yJy z#2jkQ2Z1R8wnm;R(bLTT#|uDFT=ml{;a2+d!@x@%M+$6gSagMO;`8r_=@9{7$#lQ= zX(`ZCrXu8-8FIC8!cQHwq4zH6^xCA(VZm{+N9rNDKf!0Gy$jOQ`)ivyPY zr~sjIX~LIxbKUh%t?i6ih}^=m!i0|V<@3aPb*ARN%sDi*XgGf}q6J}-XRNoKBkTGN z9jk}!Qc1ti81bt=0p-r+Ohtdt>18u8@y|Ls2@B*u!B1mHUl|ZC%qX6#oXxXC=1S*@ z6~}xBH>X@1Yby`@tig0?gG6l@gAkZ-87Ii_{7AocX6sav4)m_j=YKfUz-fOtNL@%u z%n{GKJ38|9qn4w@`tAKM3%U`fw^MyJFbndl6fShGfcY3XyE~bL7ceuS!Ah+M2fF2S zv&LKfygR&6oMVCaY^8T6L-+LDy|$U;fbN;qrE*Z~o5F1fZqW{E!7#2{@QG~FrX~Ft z&pG&)ly^4HoaWJ4w{(-nc&ZllqJ%ZlY~oDEj(mp-0+;$P-GidDzXd;zGbR3rYtA@} zjdA-P^ORyVt$U$Mi^U$Qgdg3EUAN|rG2Yp#2pn#XrPk3HFWNL(suz*13P0O!#TaUq zxSo;h_nn-OTMK`V-~EQNiIgH>mPJK8lfgm$X&wXooYw$D{B^0F%C5vs7GBUd%AYX& zIjj4*#p%tSNs9ub<5{=R4W#GqjmE9wgOe4XrQ~(XC`n!oK}YBSd9M;2Jtb6wt;EsP zN+U3DHhj(pd8Hk`H3tCCSf^1$Q^6`TN z__LqqKRj)w9_WcPp6|n!^3HdotEeFQ_2-6G(pKR3Oqmcuj zotihd=jP4Rw(teVe#3EM{LQc8B()5$!UbBEJCDW?)2=B!Nlh-bQ|q>aUoqFb&7Rb1 zgV;T$6GTN?ruPx^Sm?CI5BHItq@Kh8L%#3epur*cE+1{vjW)W&6X^hBFAZ1EcRy3q z#fdox-+aM(-(w=%G6;C(I7aN=tCAK7`|LI8duL9y-eA+zZ9Tqb8hhv3S0=x>D;iok zq>~s+SW*JCW_NrZCTy%}QjhIo(HA${3JlNp7!TKjyM&`$&x0EQ1{ zgrO8jCN!ZJ`Yis~y|IGAsZyDNNT2zeN$i!{$rXukJ}~^6TC(JZ!PV}rAVfHo8(8WVk!Avy~ms-n6|1yAq_GdrWY=_2x_9XXAs5pF_19Fwz2~ zvhqlFt2qd(y1B3okDpxaf(z$FZ$ZY&LRWc@3BGF7$}_Ws&09*qO0-|UyJlP!AD+kN z4g>)OBiCVZ3d%(NTi2dFR#J4dPWRjJ(^y?4dY6W?A*O>b5rvtO5t<}(y z*~pph9PX`IFNeead}Hi{RV~_Wng;#mxPYmV5A5Zzv|j29eVabrXTWA}$vNsXS!%*P zHn;nHqEN^E^p_8Vr_aU+=dj$-590vB`aYbn>{xmn|d)C&$ynNQHm&W_* zizxRT8{We-Cr7bBYm@THZ1>i7d7XKFvZTG%fm42)Jb#OtldjhWO4M+7Ebj~H*u(X5 zock0Zk12Wm>qYCWl8TyRwZ8GW6l3cj>#sYS0xB$fn5!nYnx1(*UTMhVjO0ob?W*Tv zi{W3k5(rn2Cv~|Ykk>{b_ylwNe)qImjum;|N9rikxVplWhKj^>G1uLnZ!|6w6}qqe zFy_balqXhNl%2{DW%(-KBvYcx2;jvq8rzQ#<=Fd&+V>uxYXs1edG6&0?5|%T8MI_} zrQHsG8M#zb`g@ZNX_t#s8w3)svvBnq{?hGRs`ZMmF#je<8$dM z2ouQ83R6rGXX)XsB~u}$Ok~7Oa^mogTTi_695-;pC@BF|&~{V|4p)sbCIgc%#8nvg z7@YK0n5@`By>`Nf6KeN$jG(KwQ(Zg^I#Fwx65yScBGO=wsw(PqgV1y-5({}>q2Bi& zKYrw1&xeJ$xE>ylYxnjrSeY{g_yu110{bbCKOVQ$Ycc;6L6&);Nj(sZRx&h``S0-SCP? zRw`LJ2}1YoUEcoF z3;3%FZeRKn8WuWUO-_ybiwOBX;o|PFr!9E$9D?K8?@!dYd>SDp-F+v>@ z5fhYwY*B6GhbhY}{`f2!;e>6J*JKY#b6}dM0t6eL$#_C%6 zq`VNANKOG>p}7v__8gmqX@RjTkB=C{eAMA$p@CDc7+X2l`uX5dRu}#q1%uya97?24 zP_{|Z?}6Gte#KQggH~@2F!o44vuuX!;g3CQJ&t#(pj9$HE>^Cb4gp@~qhz;U=K-5G zH;+CZzxc*aWa%Y@xPTh5WnbIVo`d5eIa^}UkW*+vEXSpPCCLBS!raH(V z`d@V$|MEIWufCSy0v(bsxW5{Dtey*&QV)b0nez-kc446UAcfIhGNIw#HPoe$^}d-S zJ^O5_CU44U3M8t5ii%d?m>nI<7bG}43>S-`@Dfsb8K`&HpDR1d}cGk`*ELxA1A zIE->F=8P^Zre;l-^>AO^%dq@Rtiu15;o%Kcd2}!D8VwY!?XVf9=~>7QKE`QWTQ?YE z8W|aJLpS?HjSyBo2$Y8d3l(!8U_Nmw+5npq@{Y#z+jnqBh?vpMqog?3;G^T81ihd@ zqs<21311p5D)Bw24OiW-DvaOTG@gtR%RbvUehP!4r_zoeP6h3c!J z5T}8jq+ZW*wTZ&~6}z~?ew&9xnuWq4(S0KOQgn*Z!q;zc4Luvri#NUUKIBgR#bLXz3QKj90iT?0mLrRE7EGdLDMrd&+{LZaz4mNEv>dm_M#1 zTjph%2&BJ3TIbXIe+3p+64NIj^Cqi{TOM;FHsjjC{+riy`3z zll&i_ZYTFsDw2n6olgYHNQm~4U+wY}j=m`U2(9@n($hy(M-FtxOI|8`yzBNfm+C(F zCfaziGOMHGO()@v;SNP?_Dc3%XjLO^Tw~1Hy61AQmb`m^oN2g!jb4ngjlOKrJ5BU- z#G~gWJ25SG&qjD|BCYQU51E8+ces5o&l8gsCBE7gqUN9$u6M2RA*W?Ff%tJdZB8)8 z%P`HMBzlXkz&Ma=Eh|3qrK%BR`fJG*d!eP#&3B*F(@5ZFgDNl*Swi`%MzhTa%;!H+>1F69B8qxh=GRb3tbR zIgw<%q>O*!=@!%L&G`A~^}Tu_%OFga?{b@V&x9mj_s{R&zs!zMw@A$0_CIE)W_GCy z3OxR#XuCRWv2`ZwENZ@7n(Y2P^R;LI(*JT5GJL)3I7T=t#N`X~M?sWycl7joF_ zy`*#|6jt=gn%i(QM>D7gO}LcTXB!Px_y_~ouh<$pgX`ecJJ;ELawIxUTBHVrne9Dj zkPb4){gSK5Po__vRhmDzC*egoJWT8+OrE7lWtB8GY%aJ;@en&rV{`YMAsP!9Q+_lK zF@(+Ks={c_3%U1?8nG-Xs(9~$&!!W6^rO*Q+HZ~V)bSOBowQY3#Cd!{tD4Y~6az{7 z@kukyt=Ss$z=NIxAiE}&SN8L!cDwhoGFUWzm49T@`IcN1;1qq4rt9>G|3kxY2UY@a z*Z=UL10_kXxV-%L!oxqE=GUvy59O&rM4T;hjxT4v=ZkX-`Ks-gpz^w`-Wa{hl+5SJ zxQP=uD2X#&sa6l~s*pnJP#u(RysH#Y!S|GOYQr38LRnc;50N6tA6kL!VF#O~1QhjF zA-(;QKHS*L&fZ|Ttq8uQOJQ+>OZ)Kxw0k0`m#+~aHY}AB^|@}har-+U2xZ+atFuhC z`28m%mXtRZmm;n(J3Vd2yT1BFX(m%o9wMYX;Ql`saevPIe-09u1&%-Qz*m)37CONf z;&&<2S8IpX3#0kz_kzf)FtR%?H~;djT=fp`h>5v%+#F37)E%32s@1D-Nbmzo7x$N& zBcB;r96pGYGE3o(QGfRCskV5sMbM~0nEVtHk{o$ny*wpXtZId{tuVQRqStkPOj(ki z#e-F@+I+*+M}GT+#RZR2INl)Ekt-1*+-?kdOYtA*MgHx)!8yn41Y zSe>dJd$r}?5>Q73)CAlZ*X^TS;>rbzez`}|F73J24VWr20N%iwMy4F;vOdCdKk5MQ z3Xyx0nFqyVsVXDxqN|Lq6a;e?eNcK1A|ooVzB-iTp|Qzm@U-0}R-=6gkoZ|75e0=T@m-xAb^3N*vPUuqq!>WOAoIH=8s* z^liqJ$~v+CDwn*ss4(|Jl_w|i26c4_uV}Fvs}f#XU4&(m!Kr&4>i-mOdaO#q3tsXz zw1Q4gN9e&EHcJ~;ZS6;`YNsO^w~AvxT|UFN^Ww&36wvT}IU@Cu8oZ=2@{Cv||A z9F?T(MdqVW8=zZ@5vuzc=Nc`^Y_yqqB8HHotDEz81gz{MU+eqT??dIK9}JsHSGEI!5%BJ|Rz*~73nYFDzTyUt1 zs?v!u_4md880Zigxtzgv7cXwbGlDWHR+At4$l9Tru{9X29k-szJ%fbLOvJAE?{*tG*>MR4s#%_mRkTN)tq>zPe? z|6Zf;&*wBz>`#^!4)S~q2bE$gmmCBKX95IO{9#m0> zLKs6H%R%Auu9(6$4{5s4LJ0aZAG56I5xs)fTPY>Hw}{hDs$yxA{W$n)X_6fdi#{1p0wG^=jO__>?&vmHhG3eoM{QATpXtKv2|S|CV!1 zGvxt)zE--akes2V-zo}VFxepFPo0pdBqj8Yia7wrK$frmS3U5bW8*)a(SLrR|M<1c z^gn^K9qS5Op=+evNxSRhCu|So z?`K8egNYyKgE3UH*@XRyFI2+`foeeMzaJ6blWab`rEPIm0+#7)`EpsdYNeP>oO&@7 zUf)b5bAa)Xbr+AkiZtioaWHmx8k0cPliY#k7&#gw7ewk%LPJL1^^ZSsAgZ=O#)usZ za9?N6Ce0#rbNb)GBoxS`=vA#e37>NEWBG(Yj8t>Gi|oOIPsO@ub_ zc0(x!! zjRE56q^V8OYBH#PBGdcXf01VX$4A*tHX%gptps98dB_w$8HKg(aDJl{7A|s`{pxi( zdnv87)zIzRt)CC$iaw=9smi&VPH-EE$D7jnb71tX@CjBVxmJ}W5WjA20DNXjd2Jyl zG~M?od}!NRPfk|gR46$m>>YJZ!&<6oTanJT7{hb2heT1TU0I&e?^Wvs zlV};K*|UA2xDPqJ5=%;%dO}2REI>ATLLM~ecD}fDhs6^5im=Y;PZT;L3{K%^0*U@9 zsTTMnW8~P+l{@f8KUm;ag$ZE6<9g0Zym06GZ?*3qnHd0D(4*XGb=xD8dE02|_eLKQ zopd=U=76H;0BER^Xs)cfy6nx=IywOsD?QAY{nV{nfU+Nb_FOLM|HDmZ`*YJ*pb-@S ze)yaXqai&{K1UlUJiREssp;Ebk;}fs`Ku$97Asuz?mFUXn?sc+Z=&gv>9fJ@)q~># zz>Bar3$t<;nVrAW9Rbf{IV*%n0Igz#-g_<99^FteS&2jHv%(}C0O}yEYEenX6JBap zMU8`F&FvqfK^$)*vy6z}TTn?C@jTTJZQK~(xl&ZhZCxo~1gH<%))HgRh^342z$k-A z|86&xJ_Fb$(tn`09K59sh9Xr|D{CqpwH;p5*n^3h7lBDwm=X67jd9H3uD+2~rIaY1K zRX_!L1CB2?Mc53bW{%%o8>v5W}iOz!L2`le|tnIW3 z-O|7vGEpGU&!SLLHoHG@_G~^uS4mm{31-_)d@J>dmOOf51JG~fYX5wI$8_jsBXSce#KZ{2A)|WaHCrx5X2O{`XpPom$rp2BxG>SD*7C z-|OYIqNsDh#kFmZ8pJr&9B9qifKiij-r; z%60szNLm?QS=lVrh!LTDIZC+0dSXf${mF|r`qs|l;AcC6Hu{%7d2);@HxHhdSb8LR z6lDc(X|u=|zRske@=~gmQe4X^aN0oaKO4twO!WUwtFpCSwT~rSVV^0bVU@_#ue zti~=CaI&*_&wblsZ77ui*v#xMcfM1Tr^AU)2j*0xO+I^Z&dT~gMy7!`?m7KSP5u7} zcBLEtI8V%=wl5hyn6Gn#8RTzoACxYrMI61Q>`YUF4tH~QzwCIYpj1s4tL^Qf_2n=@ z@mgm&c*BncdVs8q3`khN?WuD~*pMx>oN!1};=ffCj4CRbS;~oxv^IiyB*aiz$bSyg z6ptuUBQezMH;H>cpwTmu<_&m85qZ!!nHy(&?vAgbXhQVaU%$6_SjpW;XYWPtPpEvZ zzE*u}t3*Wpkm*N>32=y>8$qB;-t1cs7sjb54^Y%zOEg{{pVgyq)imlF2jmOy-@jk{ zw7q3f4)opi7ldXK!;7$gwRILXa@KPxwkAmD_}1qZ?s>P zC`HrTTf=^?fsIMWX&1cAvI;O{LdITqAzRQP0p&=aB3MLr!(mmidxlg zXr!=rh*b=-5r_N77ZB8h-liFh&)f?#^ihg03Wl`+J4lzlGrI~>ez9a`Qf2klcLGKp zJhLB4zkuqwAVKrL{)O4_ubtX|I90|ve}QBuK4AnfAy#v=GkvURDm_KcjN>KQjmKDU zfo!@e(!OJ5p!C3=VYmE+M>GN%`nnXcA1_ty=TNV%<41cM?!FllL2YPT(BR`t6ScL# z0*!AQ`jovO=~eyO*BhlQFkTGkDZyfqwle{%;NKGtwJVC>Wc-2^z*1-rH*vYF#&+CS zTI)vYD)Wr=urhX%VL^+}zBuCI>NcRO(L7sMU{kR0N@N3zA9KW;Vo)?o$k3Fnihu=0 zVA=5QTTRa*h=i97QfyDV*=Cdm7f4(WYoP?zaPd_>9tk!iQ=sL=7lzyB_t%S z!)1*i0sXqFhf9$n-<26GZg{S3w7tF)4x+K7L>O;zV5%Z*^9Yz5h;qW%q9tdyt>Q*S!*ji$ z^v%d}3vchb=8Pp>-y$jroA9LJ=#?5t6Vro|4_~=nWIeTbW7?Prr7ZJ&aUYsH(^KgP z#+_y93N|#96HqI97til1p{4F*q_fadMYG1Ho67m(pJoY2P9+qi-?|O49ZXugts)Pc zw9f+U5|2Z60*Sv!g05=^{OW&8PPf#2G#tq&h6&12!>owF39EGNiI>TM8wjFsRLLx( z4gnM?IWdCf!gxZ>le59`V#iX(UjgV3yYc}-EVhHR+;06Dp|(F1sS>w#?j2W3Eikm* zO)vW&`APrz7C*G00fptSA2^r>65ndQnZ_GCrt~&mzTpXY8r9=T+Z)Lws3Z&a>Qmeq zh>vDv&Sp7im=HLn$;l(67-2v3QjJp4_(j~>Db6CKR2*uQE1_%k!h8WD6Wn33H_Tdb z-*zg!s@7D$6d7ScEY4B5xtJxEc4e^Nv3o6(rocShd8H3NF~(@&-T%nT4~lG`;unI_ zqoo|_ZH~^mN0P#3rG*|EvfK3_hPk3^l)NXbsKSH8{fpanwSvge0C=u_rmGk<0Y3w# z#$!|uPjg-G0eLbOyY5YHJa^xFYvK(~^3_=G*quwH*Q4mPvDM&%9r%(H6p;q<$Zk4zkgzlt7r2gx3XmiHOt?gsv2v9J=0Ip5&{O^#SI|Bh)jpI*l% z7Xut)wnepgXHT207I`T+;Viz3kv*HRff6{np{k8$fKjkVig{D}mw;=H2Mp5A`rryz zM_Zm7v0@!(7z>4zyl-7!6lCVOSNir=;EwrKw_E{3(S8H}%nekmTt>~7K+IXSj^091 zgv4729TIEA@<0_I}X z8DOHHBO}xdmcGxL&$dclHS=!%YVt_~QvGNdvz5>{eJ*QaYaT9&;fjv|^7)7m^NipH zqiwdJNi+M`H6J84fA@=?)J~Q7(o3K>Yg|glOV&HDn}MmxzJ3N34njBQWS17i z0Yh&u!RZL)!mO0;5_rAN;kJgL#4u2z<+t^{p2&&Wipyz09Vt_KOq;B5Y>+jiJQD9$ zJxpi9RH+pt0>q=GfULpca_OomL8j_8Vt$=aJqimdQFdL>sA>p}_B9H5t7hyIYEkf&W^LKS_CeUG`L%0XR0`h=~MQC0yAT@v`6LMMyfOg_z0 z0b9w?dsp%&`5snr?rbSq4IdiJ#FsoUn}f^sYz1SQ@(qmOAi^^H#Vwy--bPF%YBD~% z=D`R5}O zno4QMd0TGU67Ub3Pf*+xH?fC%D&OhhvyPlilx2$TB<+)nt1th3IKoil56hvCFT_eS zQWDhZ{3ax6L4QIG-s0B zQ2(E{`fRY*#FMXfBFX=;WkG*+NYnRZY2#ykc8~t9_f)dD^5(X{VnnpH6<5|`+y{ph zj+LaiVd3Iwd4 zi5yx7*0WfUf99jr$o6e#Vqn`^^#MgIFv8}})33NLC=|iN-6(1$l{FAoGhm6;U zlIixEB_w!Tk8PUe&sL3Jpv6BBw)6dg9PGkd@>6a(-N$B$0@2gWU_}NF{TVPml)WDE zIx-DXaqo9ogy?R6ukF@b^36F}-@=_Kb#}zfp*fB>vUM%{BXtR@thOh1ia#WF-DW zw$1LMN%wI1@U6gre>*Rx(+zWT~dd{B=KhC8SSzAqOa7n|3}qpI`W zCJ{u{jHW9cD3uL~ZEJq;y#<^l<)xNec){8nprK8YIlI?bQCXV^s^7DONBr{nRrCwT z;ydz9IgZ6C~uog z{twdF-9ATxIrWl9?{U9tulGDb1$VlZ>fxz&fzh#wL1Yl(H@;rA@^!VG({5XbxUJs& z!(?=jcsVG48m*n-rhEJg+Egs+Du>sPk~!J%T~59*M8l33vZ_v#A(3m3U26(7BV(;( zxiT8iiPbnuW@i?wmJ^YFpXZN0eD(xb!94(FHz8VdGa<^d!^us>(Y3#RHB28 zYPhnI#W0z>pnGj)Yz$mFA?)KVWC6Xs4az&wO1w~0JJC)z+NP@Ow{EG2xCm59Od!TH zLyrV`7#UK=0{~If#>DZDy!|MJ*!?h-6px)Y$iSdXUYX7p(%VZ3wTFZWo{U>)9pDeW zBeEDeL)+m~3cdM(=}5SY;Lfo=C6ZGMd&m!N_`uk&$iY<{6I@sr*{3D{HeC|r@?{Pr z#l<(bXr6fA|9As~MZnlTMm*+bl=F4F#&};zbuaP}5TkiRI6$pptG_TiZ1AXbACz#_ zplml}x1Nu164UenL*6n9AvET=@O`ww ztj<)oWbNx)(Bmb>&@1$C5<{9f8=sw_x=rI9B$?eO^llSw>V-RYu~HzcH!9DvP4^Qpy)YV7oaugc_xhXd?l+fsqV*KVXxs}&iXL4f2B=}dtFN^4J1fLQCk&{t zM}!IPj9b3?T*9#e@G~C0XL|BT``-7T^j`IbX$DQGOZOYBjKVF+8qdT;8U&rHODaxQ z?gs9NlT*$pJh)T)KuVUu&R3Z4X`CsoMHH(J>k_ciyq}#*Lh0chZGd^8YSrhxA|O(f zXW9MgIuNE(7$Dg-{?>Xd_}i$ySWW!&!Lun{At<_|pb<4fvzlYOd>)4%X9iVRTDpSL z9=y`M#w;O-8G2m(3p(2qtIB3__8@;}E>-o2bi+=A|i-!Fk+x zKsQZJxj>Bp_m_mr`qC>T5AR9)oKw|>o2&58dHLYx_o5PHHe%jgrX;vwvW8l-TpsDi z8-4_lx$ln!L5vt@cKm(^zc_ClldNV9M{CP<#K2n>6)~2c>Nf)+6jV{YC0a&^=3EG-YWU|nqoN4h( z_DgF$D|vd$VtW+nP26%TNJdO-mD<~!C2HxCmOz{BZBU=N**-vybGTL zKKq?Egd@cae^d2Z?f&wzfk}}4aGLb}miJ;sgOIYVj?d&1wQL z9vvLu0x*tBKexnV$`JNBkEa^yD0(`vZyBiHt(z=TCb z30bfnH}(mE>#@Ac9qND0HI%s6H|j?q?W>0pMaV-^HY6C zr$!#&Hon>++DPQ`({6;B{8@32K^pkEjh4WMr?`Mc0`1BP z|0OfgN}}IrydAo%cTK+Gp8E%Y4u)73haX1pX=AsPf8)YJq_~NdBzn zV&_(kjsk{3Jpg5f<=4zUU50s}GBpq_U<2w3pwiMA&KAuwp9;1r#QK%qFo_C+A95h= z=4x{`HOQ}t9nQEW*61pCG=EAB0|rbiZ!H8I=BfCsHl)DQOpLU)s9s zKMK^M#Mz6l@KY8G8ceR3^O=uzN(BZOXSu8Qf4ytkHC8EJ9t!wF|L?4@5}x*Si}Kre z#2SfTP#2DgVexfK{s^JVXxx1NMZ(=?=MZW8r1fGhQ19&80cW1rKr5t)11f#Eao_9( zTzqnm4&uAi!1Z2x)l%YlMKz`j0=a#?0av^it9R}vNN^=g+ zRO3!Vg-(AqVXk=wzn*=Mf8Zj!m-h3vxKy5_#op_uK-N2saM2wcS8I)cNdNR$w-nS0vPA%-hp|KEjQ z#zDz#XyS;dy3yJM{d1E2C5I!!I+2UTl#LOcwjjwD`hfSWT|@i@`Y{r5ycWd4LJ@oy^t!fcC!YTAK767OY8^KN;HidbbT(00Ge!?a8(b&f6rzf*S;@k}tV( zt~kGKz^(L5*&xNIerO)FyNbj>VC%ClB!&+A#JQJJmKi=>B|lqp_UXMc8<=|ovU{Mq zoZZosFnnh)1%w(~*ZUpcXN6y;ta{~NVk?ZySRS4Fb%PmZb1L_v@ox-iG7ZQkXo%ci zG6g!Bj*q?ReH-5XJ-YIUY71lHmcsF)YVb-OFdl8ClgXAkPJ5|(E!!ArSHKq3KXgtf zz}(~!fk12;Zy|Pym0`o-XE}~8TbbLfhY>N~8AnUUB8*^L4vR)YxJKp^x%ZwW@7_3b zUL$*Go{^<*)cAf_gah=MJH(qeF>pBCVYN0@PLo6$I7Cs0(@41Km_f|+Xcf0iNrl6r zVv+?Gg?8&#zL8_@u-v7U;lIGp0FW+f94hI;GD}D+qGu}qLDm6?P?j`6iox<32@q8R zH_v;%bz3#2b~5VycWKdQo!!1iWoj=zf)A=#ZTi4)Kxek!@hGzvaB%RlI{S^Jh+TY` z%S7}EL2}fv(4$scw~NQTs~Yt#s~yno1>@lLm>T%qnsl!{#j4@8(5q&(l1Ns}pt{Yu zVyk{)O<`A|ZOqljDYboSr+B_Um1zAD!+P&Lf}my+@yxZw2)gFxP=Oq9`o|0G;>*17 zT5^9;^X<6u;xa=|bQtU0m|O4PVX)9EfQYSoKO{{E-uU{N(xM5v8tEG7zl;8gA+`P^ zDp*as8;jqMZ09q(e>3gQ@REK+WRKSMCX9}n(6HaNv^!^a6D{z__;h6!xw}0AfT*Cg zStM9V!pp&tZO84KK2?*)jhqaWfvPM%ocqcsV@owXR&b{{ePTvAbn-un3O@h;EGpwXKliCCKRpiunS-m+S zMs4uo7nC*r5K)tuW;i2G41foR-#Wz4ov4Gp%}Ib0!SRFkeyQ;eB<=X&mU~d}QsJ8J zlal}uyunYe86S1~&z^i*Lg1uS=6OG7r?jJ3ArCzkFmC47*WL^IZ${(HOfYoA1^-dq z38hyX?zmi((BC`g@b%bjMSQ9kkm0gO2JWq3rfw!Bjui(L-&*&Rb!K*L!Rhk5m;iYA zSs($rwt0Yv47N54cI7oYww!T_mY83y$xgG@Qmqpy*wC;|HCzGdKFtP^p9J2`iS8mAhx_ zVoQULbfF{gU^28xacK04Juq3%wViTGNt&U>ZSh3y7qLrkU?#NP6V`8x`H#AlAp{X4 zT^+?)-dJ2`_vZcX#pO2xVJq(`*&~giw;?&}egk~bt%o!P{wT~`!GEt^$lv>DV|0<5 z7>s%lcDAU9Kynnk4ck|mye0FW&pa8J^LQY$7_l5xXL?vs^~3Kv5=)yvR> zcbox2!oM%=tqXbk;1A!V>`vQnJKOa6wcYU$0pvNN+rKW83{Ku)@gRs~1Etq1%>gdk z5*mK!op$1?;8x{rl7~apg5)8A@4p~u)F;nJ5)aCn*hi|qiu500XBi<; zFoM-M!nMenBH>q?yG`Kkv6$Jd-}nA~_%f=!^A93LeO=j~f|I2E;MD=SwUm~idq$k; zr={m~ZR#xiOG+tXw{WW(#3kRytrXG6ZS=#tRzT)COSm-GBv%@^~=w zNrWrwDRPa}_>mly1-=P0UKd@l`7Kc9bYuI%bcNv7?hnxOVGJ)@0`d7~wg3qK6s+GJBpSpa=hUjK!T(8TI@@xQa*z!1nOeIga8s z@aKks>zAN&Jd?B8XR$f$?TXBi6sir28+$@zheI zfwW!KT?o~sNZqQT3+*$UW)B$Z%v8Ty++l5=QgdZ0bTP_8-5zQ~awC{1ej<*#;Fi~G zg=QuE2o+(y>Q=&B+WXS#CrOxT?Ewg4 z2KRv7Jcc|ZGWZ)%)2Hq4jJq%LLGL;~{g`$VenR|25UyJ8kA_N$hXq%4ZAlLhHum!@QSY*suw3of+U91Xdo!J^lBQ;>PJ79DFex#*B?PnM(5~Re?}BdtS|-sjP*ctY#2}^%QacV zNSFV}?>esI>j`aZyI&}Y`Mh^?&4{fY5?q70xSNZrBj7$stsItMU~jw6H<2UU(O|g@ zjQTjt_G;;Ekc0-DtpIIhv}-eucI@q)v(M1mSZ0Gg5N2vNONPCo1{G-eau3fqj8}ur zb{l+v2EfROM`bu!ULd1>@yz!uvF!?^hW_sa{kXq?<2CJzIoSu!zz`yqzWFxBU}tPm zq@zS(gn676ag~sOF;ElonC9tTG)mhl4D&TSRzTg%AuJgz7C>slJEEgCv0F(R%2w$| zDS#FW=0xVLA1UTutSu;0Q&W5}KcVei^iDV+SZnS6j#QoLL?JT5fcCDVd*Vlmdvc)6 zOJEK+`a3%fWRGn|`}M%N(uZg_1KH#!@_;G{M{I#N(5@+r@z7WIEFx_>JEATER#p5m zk(D5UxN|YzjhWd<(UgxXqTX5&&mC`5H@(Ef#8kd!_A~J$@~?E>1egE-V^`VbZ?bzr zDdkOC6`0++80TP6z>E+vS^-4T-W2Tq=%>d?%wXkC({E_ia#BpVbd6n)1%rk0C(se7 z?*;X!2jkHm=~7(FNuTCB@XLLBn;Pvsnv&91|7L8b=fO{i%SXu!EU>wBdp^8n81srh z*u~Zsw-n#hor-`MRcARJOv~HOUb_B4e9{bJrxhg08^cJq3=fneh%Hem|5R<=?~%e7 zCEb*H-tPHr)+5W$&vQN>eg^kl9G<ms6x;i^+tJ2%ekU=#UBIP`0HrireA%&kddUEi$s64g* zSK5QKNx49N_5FXUd#FBlaxPw8uI-_Bm=yE`SNbLeJ{4)kmtu-Kq@b6v6(;xVwMGy_zA zlJ2|RPCK>2D!x3f+UnqDvi{&X%ib$6KPb$zT@{?STW0*?^`OQ<+x z@V>6;LrksUKFo_u5}=NaOKYDe9|iipl_s80xYu=VWV;h>36AKaJD4JjDLw22C_I8PlVge=ndb zaA;r7-M*hre*Pe1wrjYrD6kS`@rm1_bG65MH=ye$ba-BKB841y2#3d20`o4D3c1ff zKmb$2#cqq39zeoUVQZPi+2~K!s`vSbHUWH}DK2#G$lNd%gEY4lEytjky@omi9d)qC z(*qNI%m7$u4TB!KuFOZ9;Qzd!3KF{$Cha%fy4wLa@$hTFX6}E}CM6U8k2Wbl%z%*K zy>qWg;8#QzQ2YW)!1i(_Rr`os|B35vF;xn8z0%T5rpg>90mq5|57H!$?5RwWbP51h z7q`+zb&i$MLy{OMarjdb{1I0cwJ~~8VyxHWz_7NCvB6Sb zf2F&|mTcg!afek)q*v-W;H2~3_sx9llXCK>fwtMvs-Y0K-)zW_p+bm~&A9*$J;^!S zTQTeFkY7Y7j~h3AuhYq(WTD@38|V7136>pgVGyzqTaqiXic=M@eiML#AI+c{)=q;C4Y%3-Vx;WezAjycr^6B-7IZnf?>Wl5Ig<@2V zHbcRmVz^o5`G$T1EylZ)!m1xNQ_lHI++A?CEszu+AxbGZEW!Znz8 z{h;jEeqpJ5%G7z{@k)p5E!l1D@~FbXI;MyDDXe;ok~Eq0T<0*M%=!JjXFeMh6WS?Z zY-6ZlBS=Esf3?6-54kJn$oLyzJBt;EokW-(j}K#L7y}a9aUBCFlNIHBy>7*Ev9NNa#_a>$_rogEkhuL^L(2Th$ zVJFy3m6}?A2``Q#7SkStw}l#8-pSk8mBhZPJ+y!Aw8rp+s)yRcWBC3d?Mr87_{*F^ z-ihB{E3ANBOfjBw=u<%v#I`3xCD;j=>7P~-2FY=J-EaU{snXP_JmK?n;X^v~JSw4p zi96m3Wq63@$v03ez)=J0^9RXiEC38TIV@a{482d;(9$*67B~;ymxy6c3i1Hrn_%xE zjT-D-yRdYG=~UFR`j$m^-=Ld^HrI=bC%r~RI~^m9?sV0902hSV@+yDLyof9NL%=U> z7tVRAyj> z{=azRxb43lI*6U23G7n*aXHb{>=kv#gb^mYF)}uteJyC}P`R7clLV^$_BFAT{SX_9 z3&HC@MkK#nDuma^m5R~PYy3Amd-J~vb)en)4h1#+_+3!3$QjV&!(K!z$TYv)E*!t? z$KpdRAX9oFQ9+2s9`{gK@VRwf$y!a~lDNEI7OGv5Yo9|Ha4tXv!QXKp4`htGnB+)| zZ20np?YD|io0#W%Bs=X9`7Yxk-gxfIN080-mA>8fiN86~<$TV4E2IJ;G6H%qks%JI z5+zCQDYSQ_jKE!SzdKM_c(9!%jMvPc${U!dY^E)$CL@gHIwDwTwaeG6r;f@|W0Inj z6GU5hKyROL4m4=eY=4X@GtU#aO@CVj|E>DMPX2@E{)+YIP;5(ITI>v+g+D8uOu#8``!6^&e<#SwP~I77;L65O-s!($d}qNu zcmz5RAw(36gI0;WeHhqcuor6#inNJ`gne{!K`uw~T%<`o@@}W9jmxF~f6;zbepPoP zM6)8okhzoq_S98w4zO1jr;`i8j@gZ*W1|TjwMDgG3#!zAeadz${^VAHjJtPEI=b?=~?su%C(hU`s4W%+5jl31j^nZZQ@u)hK2Ci|~CwF>z3EkWV6D zq?gN3L|j#`O$7-40?V_W211Jz*uM74C0?lYriG#Ofo;nVUc=3Cc~)-Ta(#Ndv@n;R zlyfGPYvmxf014TcOnk33(jI$XB|MO5^%EBc-Ko>>k?QCY+&Mu-ntI=R`OzQL+1!6w zhcdN5=5PQ%LU?Ia=14v=^42_!(Jst}?I1F4R`pfQ?Z5)qb!V9*PpsDoo5_LYudNeX zN=W8+z?={m)9$Rr&U^!U*z^|4AW*R^v%|Q!n zC6c?_2KmA!`NCvr4LPl9pVbu2I18N;kYcBx+Ij#zKew`1ZCOx;4>j#Ox}+z|483W% zwR?dnT!2{HS6B76zUV6fy?{$T1IIXGm6f*X!xwhfVVBJvkRl&159qs<3NFvUdn$*) zJoG)c9XCgMU$YQ_cUf4}2rdK`rpyyf~Yi zjg43KAg!WJQPj_lX-`2xh6j-GIOzGSHV)QsFbU-HBr>0N_*#*~Fz*+~=P9yLk;?#J zfaN^3mQi(Klqd1B_CkNvn8e|W{+ejLUWuvuL?-n&p?wbclG!c?^UO?ruM<17t{v8c zj7Ii6zf3Occ3sIMY<(kwjHe!n_X60LwdQqBBkH1La84EB%bRa;z*8N^%zApl7lDK3X-2$Lj4PV#f~BsOIT%BRszVQhK9lO;)K#lG%e^AyUesIT+(d9tm*!b+BGNuJgB)X0zj!p*v{#EGp^0@uA-7 z<7g#e&$4|q>{hKa5JFO z@LctpBo^x%wRp8YxQpQ~U6uyMqSL(i*uoFx-GPcJF`w@F^|z3lapDn=k-`50Nk)oNE7<8dt>jgo3 zB#A{8d7(bK^zt*|8|L$%1@H#8C-(jDk1!^^%J$3jq9cHD)-qK}kbxSV&~eZsm=Mcm z6xteMMGO_y1azfrENujL`-LXO18>O}Rdb;H?Za)#FM}udX?4@9oMl#NzZT!-$~W5d z#AHR7N(q4m(V;wAjA5!2&B_QqkGu}?am50=L8-<_F)clOA+X&*JA0koS`OThV<7Kx zv!Hh7FrS3m4wzS?qJ;vMFvM;wq!;eix)*absA(AznYue3xWjq3V99^p`27#O{CINb z@X-k98b{K^{JcgDJF@_jnZFWPh5nx^sG!wsie-Swrb^$t<~|_KYL9<4)lsSdhXn#l zlr5`b{N+;GlS$38+{VEZiOHhcRX}$Af;~>g!K@vhBZ;!d$g-?rS(VsCqE|Gn7F=of zcK50JMz6t+RAtcTN!Z1ySk@;STR<<|lYP^p?H5yW8CG3dmfyqf5rF7+0-t}553~veKbyz&i}~I>IV+~6BW@%5C``AyrabVv8&8N zAMJLesD{)|qb1#@b6y;btCoN6f+kaW==BV3uht-jLZ6dp@y$%=KpX~sYL72r5VM}# z%ZzWQ85b)dY*JSz&xC@)PMAChAMbtwLf9=EPW1qSd&{vwmJvDNPQ(e&_4Gb_?Yw9; zLJj<)T$suDC%RP9ywtcYXJjZ&y!kQ3c|BkyhnoF@G8Lu0I!)z*C-fU=qZ0HpZaR~8 z*akA%mu>P-O{J+g*?P?T)DpI9ss(sr{2FTJrmu$jp0U-?TSuSowBEid`M;2pnjZ#u z+~Vl^z;+rd{_##9po!AlUQ*PD0=99Ty)4C=1%pWfKvj|Sko@dq`cEtnEM8FclqhwL z#pJiw7C6STU;JjzW&l5%lT~qpLLhi z6L8XgCL#qWK`Uu)KM!Gf?4EZf&;6qX%OUox*|LlnGiuVoAId4UL7CEkn?<2;nVsLx zS>Nn_8>k(a7CI{#vy%b=eAgt=e#Hzm`vc3xt!z#7r2_-%<7(~omFsMIMlyR-bLE=l zEb!}J|F=gH=nuN3@;I;*b|+{KydYc@_~*HxCIVm7Q3N$jzCH80$i7dDFOdJ2m}y5c zyMxJt_D;-nz#)It=5z7s_|`Cw=BnlMGPT{OBc@8;a>Bk=N!g@RJX$1K0Nj93^t1-RLOFFF z^qfxj=1jP>WA?H^sOcXk^dmWX$d+Z#3ghu)o6XjOz;&BQP4148DV0Rt8heqBt@D&d zgn*0Q_I~v-By<~@}8Ya_NIEtI5L7qS=xHT{_O?~~rs zwZ7$TeOu)9MVvpDlRX4+HR*c2etfZa>Uwsw+gEOMc5~ghFu9E^oON_-GIdKf5*{jt zZX5c(J64ODMBxVK&IUrTZ4MPOJVBb!O z6(o7aPp(Un-BMgcQKLq~_-Atb77VZRWzVDu5CV_UMgs_@OK7H~UqJH&Z;pBtvIAaN zp7zjZ(zS-qxXdUsQRYMIV3;3v2?m_(QYGQ-zj4Ov*HZ`?Zby}ck>T*I5nvgn^J?9` zOgW6r)Xzm+Kg~SX=|i9nn8QKz$?!?>Cv=((g;|j4wvGaV_nG^kk9T&c$Ny`jVrcWh zTaWv?cP_}DY|EPe9-)Q8Lz99(Cb+J^DRJL?E9BCEkA@F<|Llb*2u4T6(J4m3MDUxY ze7b%{-+nZUl8WexsWRLK^N);GqtZHW0h9N8cQ(Ud1*%!pxmn z{QUXe$P?r8>%vBaG&f`TbqVcluT0o0XK|hq)9dU`mD^8#g=dwh_}BIh9#g+`(JK7S zH#xCDG!vhOF_cb&rbi)VK9pt=?_X0PCu8kev;1^0Ju(sW9}OcLg9$WNl{=d-J>nzR zMaU8|YqX{VWu^TrEk~oxLn2@4UFLjfl0M!TO0fv|{JQpp6rB#BAI*I2;Au)!Ouw-f z0TFS2^QjGInO;;LOEy=Hsk)WWmVg=WO{{VoSB`}7Anrf2UnQ6Uff7~;7-iH5 zhs@P(rzEH;k>MN);tnG%q;#)RDkYL3h~ly_q!*6rlvQH zo!N{guZv2w_g7;8C;FltlNXxwZD3=67_~4&R@6XP%7Z^=Y@~_nG+Y4vKRJpb^x!W; zUk13niB&$)ilEzBga7q7Zt8$(Zni!?6UiE<2M*$Q>-Ix@G%FQBOlce)tcV0mGtPv+ z5@_s~bssPD4um<2Q!pP*J&D}}od>+yMP$ELVX%nm-PBcuj9Xl{Wriu)uvcBSX#FA$FS7w!_m+j zR_bwSJosb8W(Gf!DJ#T^j<^UaLsXy! zak+F1|AoR)7!_TUp))cwM6ebS21np4Ah@YQwDePhAuS7L!U7LYLztzF$DB+e;R7KK z2!ffC*{bf3vk&wnAADvS1aW`bS@tTUTMVCk7B%|wd+1X_LVAu%k8j;nFRpVXW5xjx z7!6`JVU4=a`r^j^+Y5SR;_zGGt&f1u95+UB%bj+;5l!fnNMOeg(YVR-!>uyT4oPv7 zbwaMi7;X9z^s&47i;$sxH}Sv9u2)F13`fs({P$z^zrEs~H?(Qw@ZO!EUkub! z5yLtwOhcYpcG8Dqeg7{v7a6l z-$VsS`AZq4zCIuoT9*lAr@M{kFqi4l7o9_Q@+EBX$bok}2F3XZrSKG!DHu^>=AHjX zsAvU7k$Yb5Hwnw?PAIG5uoPA6!J(a!`%mTUqp#p}McrHN6`jK?_iBE*DvR#SMkg-Nj4NoybH zThpQ4>1+rOaEA%aS+49aJty)a5TY7NTZJDD0RY zJ^K9J|3M*Ie!uiDe&i~e55z$aJ(6eZ9&Q!>Od-5?G+KB&1&|kJQcS%|5u|Inm*vSb zA+2hD#4*cXlj#q8i;Bb4RC(h9O{9 zWEgo9+xelL+va})f*$lAF+5%O8{Sj`c6N|pGOnMYKUDu6KTojH`4+_5g%8DC{6W>w z_LBgo{vZrNMsYBYg11sVtKH)3x3TnD{b;|ia`v$)GD+lX8u%T_vv*3ME)*=bl2 zLTZB4O(V3URaif!FpoY-x(rqk)cy{u% zuX87RvN-4{L+;I1$U}vZsY#9F)-=q04_>%nIwNV&7u$jA&%Sfvc5qw^MT{l`8mF+! z_+@zHf}b<5_;0v{_P_lNxPW=ltS%B|QUd<9+Ie_lP(#H>o#}_^;o8Y{W+15Tj{&$r zgfDUhC^D2$@6sLQva2xc5gMXWGu$(ogQ$t~73wBD2^nr;QQb|j2pfMUMmNN8hcJ5A zd!8r-%i~Q`!SNtCqeiB`-D;%Ew0xlO$?#hxMrZ?YO?tUZhfbeKbk6>IIUMGiH996JnxGFJFv8fLxH$vs&L ztprllYYzIkhB8OECbj1VSEr3qa1QwrI=eZFNGq=Z69h~_u4cKi(f2I&YcY%0R_@+! zi?d+Tmt!e6QNERc>%GrNhO?oq35F-~cq7|1xe>TV%ogTMJF^C-kDD#Cn34K-m(MamvRf3a>P4?U6 zPa~mj0`F!D%GL1<5@JhMKvvj{kXizo!K1pVmuq7+%x4e(G9=qf_oRk zueVK{{HWcXE{6RemS8n$8`xQQue%KXF)aJGW{l zkbIQ4Uy)8d2+g+LQMm>Dd%3O_F@&Yon@|(QzJ_a93>6bfJOR)pS>*k2?v zMH>PncGO8mh>JLCwUou}uyR<^c%?a1R=>29+EDzgXGQErdQE4g9m9FR&*4hn%LNzK z8>)aX7Ap`&jK}cgLu=T=GphI}x4dO>A3RT$p8$8$e9(!W2H3WKS=tN` zJSW?G(`}NSL^6L?_3N~~8fA?i6kqc3^t38xV=Qd4S&GsYNW+rhXn5V9B=Cl{@nU(& z;~uUt3-h5=$DfT|%!;69;J_)KcL~UW3M3|g@HFkhM-T6?S?;kaZ2mLS`xK))FhMGguC}AUQV9(3 zwsHVdA^U@@VZ}H>{vRnmxO2=We3_=laQYWpflXm$X_cz zlU#NJWJt=TR}+X_H`D27ITH{DDMXaw_BC+CEXjkJ-0lbW^hcw(t&*Pfj&FaABceo; zsPhPz79Ebnb@u$$D1HO5*Cixxj1|>f%GdPon&#da$Ur6R;Q$8R9H_O1V7yZSlg9t%l)u(3*eq=GXnYrb>?i0~%q__grcAUp? zO;?t@NYe$X(ZR>oZ%@8^o#UCxYU)dAsRH*ag-ti@Qc>MrUL3ysVBXZ%Nh}ZU5+3DE zKTO*s{Fm|QX;=*8WD$iqxcr-`CBM~88T2szO!F6#&nliGkjMc`cfwGivnlU6AQyoe zSMZ>j@uOxnGw^V5_a$Uw^HDAuy{p(g zE$9!9`ZzGIE!UxNl;Wb$eQR`Gwj1dN_@bVx8xo&7)NC6F_E(mz8sOZIiEj7DE zQxm|=2~<~-yz6C1F?5&R7|E6v8o?XFLnj6*{Po4x0p|<~Neb066|-KDWjT3EK7-K= zIsU14#%)xFM^@=2J~^^g1@KCi%BtM4sfi*^-IRLs7`WY$Q}qvKgsD zII738pHZkc0CWLNl|N*UX2I`Z3)6AV8CtzLO6_y{JBf(L`S{)E%ENqb;usysV@(ol zcxYy0esKfs+--APhjjAQkcOYue3O{G%KEI44nCFp$)Qp(UUtdte4XDL^NP2yj}7dC zH(k>&UMm=-<&FPZOfDGe?;sO&m8mT0}(fGZ* z#PF}Rq_4movR@5w$^gRA6#rA;NW7prh*(q&XU2nLX%mYk4}V)$Yiatn?aeN#!?HQT zE;JpEH-mr56digMr0PR;Q|g0zx|*v9M+PbP6!-pSG-vJ;w#RfZ2zupG7RK(}IVj%= zj})HnAaS0UwJ9iS3AO2?lVo#b-TFS8Uck@Tyolx@xOflU&{OoQgh;wfvO5CLB=m;A zri?QGVajH&@GiR6jUiM&occ7JEkp()wU!d;Pl?zp=3~jiO`{YF$C<#JUFGIM`YTJ9 z=$k(eyOlqTeGR|43Yw-G{@by*vbtKiT|NvGzsPrF9BR5avYHe+&srx|{RE+ak1uiO zl_$fP6VC?9gKE8m8=+HH*Y-iL;+#1ei9!=lr>j9n8+bx5KYY^XE@QXHzZ>p4?UZ)4 z0+BpVcxH?<_|-%5HwF@7==Rxw{KU_FY`<7T=BK7aHwuBsYvqec`1PcLzXY!Y`kc#l zVVf#&$%j(%qLtWVx<>2%Mt!KAU1=wTKDuiJY;1slUB5StharFLtD9YllT-4r)c%0R zusr^V*pE!@_-&hy(5z^?-og0U(ez)k1OxLBmi~T(nWvwTL4ev-b5()dn~Jr;7&?wGMi#h z&X|b#)mPGsQoEd#H|lc+oLXLvN%BZfs5(d)#<)KPawVSnO$2?FE@4Ut)^hLZ!_6J& zgBQphGh}J4gbQ8uQkl$tYhlhb`~I{*;Q?DIVU`>r_|p-3!1y;djm>VOeiCO5Xx)yK zCwS8TVts?trBPpW-0p6@owbW-ENJe)zT8B zH9CtZOz>%dR9K~(m?U2RxY?8xewdx&?s7NaxQBFDUGk&G#h|bfL7)Hxepyh~%e))A zm4m0@E4nJu2%xxcMkqgX{mEltP0S_WAu8*dPNaFWHB2e&19Or`hw};kpMcOC{w8nC zLcrjO>d}WUfQ)4muQZ~YvB;V2@$fY;b4WTH8lbdk{q+@_d_->A3n!t3= zY(ghBZ3kYuUpZ;-@t6Jiu<_~}*~r<=fuFFqB(>XX36wgp_G<;kRkOi0`1H#^kH5Wg zVlM@2BJus5&;#rN>uru1Kc)x!@LSin_;N`D)YDwbIOTVx2;fI|(e;|NlLxSZ zw0lIn=1mGSr}p!Tl;eK^jLFz~CV{ds0%v<_aN@UPd@x3HB45*i~NRjro{~ov4Af)4z8H2$Iy`?RERj)9krFo4=m0q8jwKwJ$AG~ zHp+9xd-0(F$P?X~Z*~|9@gCx^eH-gnMQQk9?oG{PK}qXF6N}*d4*>0cCkpGFA^no) zF=PYt-0+V8&F48_c95HVEKbzo;*i%kKa+%4-E^@m(yq5IOEmhfl`Ei>UT|o~==r{C z$LWvRoy@ttQ(x%8TJ6Sh+s1d>z6M}!SZeQQP^?(u0=$cDNsjYzFX!#XWZO1JU>$+N zmcf&^Ky?*aH2tPwOZGGJNt}ACP>?mf=C)?}Rf$LK0M9I|kg0JS&uJnw`82;!p!j=go?AYe(j$DhcVN>o&>$@8m6nq>2*z2JBx!`;I{gIc9`)}tqc;>9y zUVbHNGR@~W6BIt~=h_mqOjX|Gh1ss7jso+>+t<3kQBVp@nFZGXl}s?YUw}$e2CY0$;6Ak2anL- zSS{It*DEf2_v_F3b(_OUMV6?V#J8kr`JKcA8}?9aLyln;r*j*ycuK0M7^!&cslM62Wz z3)P=p&dV@bO=?{!;cgbqp{XUVfn$-OnO6eJzd5Pq39Bufsn;5Z%0Hd=&yk*|G@O5l z$-uvBXbw(`;X-S(4f6+KmV-ez`@ev)ENdfWUNO=uLip_JIB~o@!uh}*y-M?v;&f2U zqAJfwl6XHN2?9N?ah@i4Qgk;|sZLf)iTPLjT*ExLw$0fOS`+dsGIzjUyiWk41q}vb z1QEfe{SsauWWhZ$86lB3)-l^TK+25a(Pn-qTyQIeqe`oBSQ+vK8$x`o_B=i8DkGcz zOORmgcWGlqVWcV<`P4GLCCiX0>!|WH`=^nvz|J;`o-vEd9zTSVim+*Zmf!;c;-n|o zkDW~u1VJU~Of*t)n0_8%(_jy?QAU9eJVW|oXR9e?N1O@X{HPfhm@ajl9znRIv6zk_ zl0jMMh09SGTQs)?u%24fsgfQMJ4l(WG(7U(dC9JVJ{frHRFgR({9$W#bQW`y+B1aY zzN_m4Y$H49Es|r2MJGjtS75E3qXRAy#@wrVbA_v=O}og3C{MFSFLodE(w1Eod5-Xh{kBC9Mq$oEq~ixYTO_UPFwDKFM`HP6== zZ;xX2L#1!$vUl&g?XC0&*dTGMy447of`F*oZb``Fc_1x}NkGXi5`o%iqrOOAXvwpo~BOZ~0aT9}^(Waa~40U{zr`Q2l8s(U^Mfp_hyPwy6MxAVBxg>5w-H#&eNxx2g z{j@r+a8GRw7!{F0j^l<5Dw9a_`Gp-Ir!OlSApp7B4{*UMjP(#ImRQ4&v#^Zrk0~LP zw5+;ACF(Q+6mZzW4t9BHQ&*sS~m<^LGyU7jqjB)wzU;unwJdH4@o! z#CG8yWPdz&ek_YE5^#Q-|32P@&YeQP3d9RRFH9TX=U2}g0H)7l+q-A8mUysvn&tJ@ zWqx@$lWcs{o2(7$6rEKd5eME~JOo@amrJBg7ZTMcqcV}Wa9)g!L|eIL_SR(quz~l` zef`pN^LbL5NA6oPmHV;5TUz@rs)(4|k;;Tg#UjW3%#h2GP=P(EDwEHUtBbU+wCP9D zs<>BAjDRofp_x8w+{@3RwW`)(__Q%R5Wj_s&Nqk~d@o1tBFms+vobc`^PYF!P=7_? zix#}m%eQejX4b;Xns1Bpn3CpAkua6Ry$&Q~uX?4`{MR2I;~b_Gm<=7bmeZ0?ZpiW5 z%P z(HaN5=Htp773`oTSJ3%r^}rJkmb&gIs<5hl{R@8i%Xc!tPI{IWB%1e`YEsKl>jl-6 zVNpHl>^{%<#^~O$qysM#s;K=u26%YSVH*MqWG8B7>q1FGFKn3!_X-U+RBQQYgB)G= zN|BdB)mH96DT!@Q8D+zEFsO7EI_OwD@Mb}<;mvR<`9g<9^^)&vhn-`=C84bFgSd5P z@4FWDb8*9iTX@DFBU+vs$!$sQtAk*^n1J~;KNp9Cq8>a5e)9c90rze&a^Rr@uE0*o z$)l=M<#pOOM@b3$28OM5H2YC7j&kAn9E3|7?mofX`L>X2^#iA{-1CgstE&V0`$e}D zP?Rkdl0Zi&7cnj0QD=}nH0EM^;v%VAO$XGTODmfl2XdqkhF!li{Bm$_{ZY9?BD)?O zTi^9awUCl2Vh)B(Dhyf!VeYG0k^;5k*3YTSdy)}x`RniUkjpxa(o4SKqwHzHl-`1L z9sX)E+8T%lUyj*(R&%u-Zz)pe8t25@F ztPq9+!H&t?IDN$k^h_C=(0)c6_BXN}R`Cr4br&xOP>t+xOcw5b zIr?r#LrjZ*O>;HP=1B`G`K|>0^wJzx60J%ld-oj}f>A(!9rSlEfbdU1|aq27Iw$Z-Btm0>*(hL*b?7QQ>-$=Ate@NP0Qcf*+{wKUtca`2=+b&18!~6 z&LWxLKKgt@*Ja@u_5thnJU}e$9cQazdBm%7nM@lcIKG!^O)P%bdi{eM4?m5Kv>O7{ zDlh^xe#>8m{$k(x`Z5Du&58H5zeAj;%}=hD+_YA|y9}i;&nx#@ea$YK9(uLEHMe2o zDcE~Sg&ux93xu_$QWtC5jYw=^@NOPxUd*32sve6`%77|{EKh9F7JvXjdWrqs*&`bP zu*fXaub7x=1i8YehUfN4g75=FERQRz^)BHXYlwIHRq}Z~Q^Ob$v6}D3s_dITQ4_dC zw8n?pnow3+85b9xAE!(4%MDDV$2mxOzLo+iw2wnf5bBWbl^?*h8hLKmkg#eCTezH86>l7x z?H{spNDm@k`jxjma8sNX4xhPzG#fo9b#vRV>)Mq92@SFDhmnZImHw#JIAlA z8Ujc_e}@F_zHaXSiUi|y!`R?vpk4}SeCcoUjR`N;R`_~nLDW+HSQ52 zK^zDp`nWsX5y&PQ6YUi&9{20 z-3Q+z6uyXtulvAHa>WerQZ~QB z%AoIs()m#lP;hfKTRQ`*#oyn5*d9&w{DICdAL?5(8g=p+fe-VH^|wNiru;XXy*izR zZW!sD=11!xtzBn-GJb0LxbDMW!p^^uG5f*=Zi2!us_f*c0?4XxP$${KNm4Rb8Oa?F z%)>r~fx3merr*cF!70G5%Cj)?Q!}m2p!?-6DFihVMxtRo0k|R2wY6ekKTWybF}jDX z_6MJwYztfGLNsuv#X+6*3oYvxe62Jyw2)1-V40v?*5?GYp7-fqdQ@ck(1kPvgQQLv zNn#kpNA%Ljc8Z&BP(-_8=9zc+;l?Iv2}EDLSf&h0Tj>muk@wzfyxg;zcitfO?z9N+ zdlJMDYhsp2NLMaGL05}|UGtbE`l$qGc{^pDM<3EFvsXniF+b&Ml_{V={T;}FT*_P` zNQa!EgvwcVWku}+n2hcHs|Qjz;&iJsdifCYjvT5g@z&CI_w+*lZmHK?RdJQ*ahy!@ z(`OFH%1J45SRVM*Cy55^;`~cbB|fo^ZSX3yUWh$=bg=I`Wz0I|7bT)ZBh}1WzxHh5 z6}oT3t*+PQ!^y!+>B!O6dEnO6BrMIGZ)IzTN_c*|cxl)hWdQsf%upoJ+0J9j`goGC zDz<8pKWJpm>j~Zv`kuYGTmxY3uUJ7;wEe0SEOJSfDClfM^A&5hiHrTE-W-6oRp%98 zbr>_cJel-!YCn=(<)LrS!!c_ZtA7j%-(Jz7p6EXl4GCdaKRx~313S4gWDgE^hFn=)ulK;wJHX;e89^^iES`Wi*<$EAmH<8K!vbpsh@8ZTd zRKngqSt;*xh^T+FNx2wrS|qJ;um;=~7a||Kd|@jon+D=h-!e0$QUvoa>eqon!*ApM z5Dp74GO#$@^!*FU#~&w#JVw zdct@w`a&6+lX@gK##6Vd_KcG-|&Qf zKk_l=ae`Ty^h_g(&5yn4uN<`UL@awr^~KYC(FCbebdfo| zwIohWU$D&r7|!LpF2&?X2JDAdP;2okjo-|R%>Pi&15uYuHq0&|?GZ>`C@M{i%dHw? z7bv8+u8xui@!n0<9?zH-v!!e4XU|`vnFEMvFuM$;T$rqedkPrX%KWTb4rF;x|8g|U zm31Zjz`fYjkOeGqx{+MkMdg}#+@{h9W12uNH4Hb7<=`z00SSb8dM+tT*WQ=(?aX^G zRBBJP`sZgaLeYO3>NN@c_(R`P9BD)gVQUG#)Q<*>TvrDT;jd~{8LvBcRDw*-llEao zs+b-~p-^Y{9erx-s}k9BlAAXzmo)o(A;A45F;g>tv2%c2J(f|DZwy*aakQy=_Tb)p zAp>lG`LdeW)m>>w=<$x-A8o6a`(NJ+TP$9>u`3G-s6#`2q0LrzBiy#@N0(Rs zN(al4NF~Mez@`K35lfzRIn_VLy9+uDC!KtlJa*;8+L-EA8apZ{Ix-j$Zw%KG zY|jmxj&F=w5>M-*z1-9vL#YawkJFFK`@%ae4zsEN3eEUPr{~9?9EQj)+#ACb!PfdG z*r%JLs%IshnA9^Ps0BU7s-|;yky-zyFFP{8UCyo(amp z8iPvqGk(uvfk%y~3ZLYN+0m_13yCxNIGjdOhA7saM5h*)stF;?)NT&xTSCnOPb39y zN=>gbnEu4Ft(Tki7nA+suJwKoY<)%AAKdV5K5nI^f<3#s$}=S-;^=qf?2o$?EqOMH z^IL-nrgz)0T%2$kP9?J2nP7>ndgY`mZ+4Z(;zu9mWZp8g>@rbYjMr3+s!d1a3{gK; zQFG2p7ktdcYNn<~3`Qp*R*ND<^Mubw8nJMb*r*vtmxy!-+nR&vZnna3Zr&ylf{+_L z*sbEPNA*H>`o1W?n8dxcQ}u?(@J_>Tud&myp5@=U;(phVA<_-TCovZn+>wiWl|_T0 z3-BJxrdoc;28t`c(<>zyE*UA5U@|M88W3H5&l0V3jywgS8Es|dGxe;4xiBg4?F&j? zqRWFmb4Ee%U-h=L=ZxS=M`G&W-z&g(TXAf<)Y3(Bd~V`f&q(g@Iea_CCyPR#M40ba z?H-b1V)jhhfi^Zk>347=%06Dj-aWo$So_u)+zg{Si(llL`v9(=dsk;z7aJA=o8^aW zo7rX```~7J!m!`f;Y-er=PHhUqd`5EiCA{|cA*>abuMU^PRD&AoN~`|&TCsD_A^1s zeS<$K)nVmU+9ct`t#4c$g1#VW2YM*R30m@Z${&PBvfW;2zIlx4qU#^^N8q^e2grXH zCesacprthRV~#ny>A(_0Jr3G9#eAd&F_L+|Hn)~J#a#4j&ZusUx#&%|gJ29kM7V!J zyZ9;+Oy||jfI(^Z5heev(=28COwAO|+RQ!JfJyu6CuT)0h6XxK3fnvm{vZLtPyG39 z+C{pvW5IDDc6)z#e2wG#H&EK>O|AjhZUg;fVVN10$JsnUuELTDwCORLco+R`@z?ph zE2)^*C*+S`^;yp&m(*}u4uJLE`%}Ye8*Mua8@*WWP9vP2l<9G0`{Lb`KP>PY5yllQ zxz+|Mv(xF+`Q&?B_S;$#X9===aM+Dq640Z480v7pnSvznt)s_{Tj1f5Jwm5GM>h*> z?hAWPqqiPG2x^JmfBu6vA+qp-{WUOyol}yXPA>lfRC|~{&(mft>dgNP6*eX;JyIYf zc$pBck}N!R&r}BFtvTQ*jwQ^qc#}unxGAaf)iUa_PqZuHC^Oo3$A`(LKMqV6gpV$< zAQv#JhAl}A!^wmWKgbzUq=wn~>aZ))e1}s-O8a}O4Q*}4p5 zl%Ew2tx(t^1W=FMktR=8@K5rHfKYcGsRKie54P|{$zVJs067xGt0h;YuUaYkSU69Kyj zUWLJmp|O9`RVX~sz<<%VC`R-TolJBM0y6Fg;Qn1*-fNZkJRhfs&`<&3IzRgn><4k- zFOj644xSc0@Em5m1bBPWv^QzmH(P#?^uzDHzMUe>$v+UAUa6+LADP?~aA!j)uefk0 z^zW4#o>Cf<9b{PN7Og3Ts_z-|1M#9C2ptR)dN`fDdtSZhwiqArl}d?n*!mpFeVVhlk1*E!|veAl|U9#7SgDx-{&b+bAlE=yw%7wNh<8IL8SW# z2o0YumAIQsGUZ_6U{cEIJ8XUNx~^1@MOBF|`< zmE)#-W?v}&%*-J&bjjN$M%S&|$R>Mq=>x*dRUE-s0O$-^muZ8MqcGF_M2~Pn;$Ew0 zwr+2LR8MlDwi#npIBgz!d>MM;`~KKx^xd=BG_&dZPIi4HTz+NYzh>_vRe%WAy$pvz ze5;zSiAV`)kim!V@if|Wh8iRrLAioDPCPPswetqWW8->5$0ZZnA#jg_LE0Ya>O9p| z%HGA#^o{BOaB!NJO1-9%NGlg75%`kKCEip979md>dA!L4bvLJ-PsT_tu0MaoFfb>u zJze5mCm{i<(2&=N@M4ftJ7Ru@8UBoQ1W>CKd~k9kHYo_!y>I;y7-eC47*;8(PBf^T zJ^{9qQ=X)E)%jP* zas9%vGov0=D_#VRd_&QyjDZ}8H7L;^$F)I}cQtNYiuLg44$5r&mwZCQzAbg->h!y7 zb+=^T!;Fw2HP=N~r4K~ak-_$&pjB6sn~VpT?sI*oLd;G3YYQFCbWHCEPm?Zd%*I{) zx;c%r&6;%NlK8o`QhtZJeTi~&ELc|a7nXUM9}nuTMh@!t*gJ&&>78}e%;1|iP9X%% z*32WO2e*-LpSBx#yAn-)14@?aVgf_1Tk2MT+@gNfoyPj`|8V!#QB{8L+V28UL68=Z zX3Anp1PN(S8lyqaw{UU8K+q(e?3qwL~5!*ADsjRDB%BQXqx6{&Y! ze6H0@&`5u(Q5ZOW^j4s)Ri$Zyd|mw9_a*&-!S7rFPs=w{D&6Z#zG_ZmsiU33&h3-k z2oqH!%;ZX6N>4n*&)Q2>#+&s4Mb8RaJ(v^wNvFBkw9iB-UKtkp*YLq zaCMB~I4s~+0mhSaRgUQuyiMNxH>6bGPtBX&ZRCIb zeVei1i}#ZP=dt<)g&Au~zO@`IM*1G(JPD)FME72e{T|@J zoNawZ`^e+OscNuzx$;_ar?`^A&*H=a-h<|J`J)(P9tyLBG>Xr6GjWnu*P1KGrs z6z3^sNlHK63AV+wV{&vINm1h%&Npmxt1BWK6Ow2|Q9V#6Z7AgGJrr99Q*=gzT3l?M zg@EYoSs>p~uO#CZnF?!Yp+s(#&U~e&T_?o{I`ytF*t}K^XpuCv!#t+^L#3u6I-p;I zr%c*gq=kAfij}7pzbnuTbF!MiQzA59B9>ZAn|9+asv+Zl>~BlrRA@OhbFeawZuXgMk@RC*0Pe$x zt=?DaJC$l;csC^X3Dht*rorv$w!L=Trp z==&w){2Nz*E>1#*B1$#*UZ6;-k4%d6U4^iR*J@5>HSANaCzT}JZr6L_k0g0}(u8L{ z-c%e~GxXOD9EMrKK_t5StSzo5jUA1d&S_y*Qz|u8a98^YR?r;6%hD9X=jfuH!%LY! zPvLmyd1>NFEepDjg#4=a-5K$3wsbQ(FTQV;eQ$Pb98#a!JnYnWKxD2?t>=a{FI!^0 zng)fU*Crn2+2F_K?|K17`X8pDovw5syZjbuK zIxI2F!@AzP)xPx;K0Zyohex@1-z8FvI2WlWi{e?0w)THo3q9tYvuqA4t$pV0p?^kx z*py85jiymtIsgC9|7>w17d^srOxL(+SSy^T#_MY!4NU z##815^J%B=r#a2Fb0NS%5X5x6?a)6Cqi4z9| zY+nj>Xef)lOq+DZBa@dCgAw9weUW3A#Zy`z2B*MwRb;ovBdw5nw-#OjeFg;)%G;Q)~N0cOUpAoV#lpJycvWLh`#FD)qc#kgiPiYdoWhH;PI0 zXYg}@nl>8uvg+k;yUiE)e@5)}Nw4yM9$Uvlx-8-jwHS_*Do;EdX~M+{#YsJht9G-F z=TiAJPVax=qqC3VIaA1X$2$@6GR-R~>Va0g*=IH7i!;>VLMfl)Ql!5D2GzM$vxE>iIS$G zk-QK1Pm^%bnCLD*usH)7Emrne1V?hEYOW$hprZ*K_guM*8zzn(d6OV7=G`IriYm;X zP!Idbx@@3ZSehG}H#%bM`;@9lk+*5}s8^j3!6VKjv^%ZM4299z&)n9PA|^0Y`#*-m zAeDE&2sl;J+*A@Lhcr(_3ZF?wG*5_hVd5MF!IT4j2jYxI<%M%^zVJGjs6fONht{3mjs}?qksXzCRLB|DABCyW@j2Y{cTLN(Bk*{PXtIu_dBVmz^ELa{pB5p zES-2JJGI%3lHxP7#m?-7Z zhr?I_&Od7gEzo?57))#44{fhC!bCOT+uR>{QCjhhvgcpF%?g&i0T~>MgJ_bk)S6WO z>dd_3@s?w+%PzE5ks~Z5ep;3*?)ynEGF8CUuDbr7-WGSwE6o8Y)4fAW!?EC$4_OXc zpaZ(;K~hEkO7n|>0yf>|Ul8bNlLwTGr!e*I(pn9hm<^p7aLL?uFv+)6<>tdtUf`bh zIDA1Tcf`N^`FRVG4lHVOrw*Q`L$>(pR3|fS_IOC@d>V*+TJwajHcY2epQOqQWCeUN z|C@qD}V)%?qcNq*- zG4E#Ma>;JV=Ka&p1ebQI&&73rl5$!F_uB|U(PxhNr0SA)S#o@>l+J$Qc$HK0a4C_E zm}WU(zy16uE>g-}>!`XhjUK`s;sO(%pCAcIn8rqlwA4qA=kX-jsI0Z>CYdZsguGc% z_O`3~*{?opHquBB=RL0IugO49ii;dwzXZ3gYu(yiGmpH5Lp27XEL%_FXoFN?2?o;gHqQw5Y<^eO%Pom^t#MDO9T6am-fEb1!;v$m z+1=;#Xe}?qBG3~)PUfxUIr-0+_L;E$8amboWF^u)1M#^{WgHHy4E>oW z(}CRGb`{0gu4iv_idnXQ(YkBIL@tK!a3-lSc9s1cRSuqQ5QeA>fNi$x~`!{ z_gaowULFIEO`~tt6(YZgI9R*hUX;5zm`8o`kE&dMg?p{ZM9NZ6ev=@4y5M`~`v90k zv`3k5i_4h)#cx2L#XuRj9&W^|`^B#E!Fur57pz3aX^fq3%i%_`>Keg*Q;$MyID@AE zdcsth0K!(V4*UbwJ~B!SaWd&l@@8%&BV2Mn$}tsmrKb*DnG7N;zrjgmIV2!opXCUN zI^-kw?v)s%+Rxv^elk_O!7`PA^Av{n5N*++&pE6YeO&f&aKr}@_>J%OJuNsa18<2H zEx*#HfK555WcuZVp|5#>YN1KlUATkkR-ZyUd&e5x&a>$qTnNXvg-_+cIu(~#^wn+( zY}}akQCohiTHIn{*8(6NAcQ+2HS&Q?3KKy`1B8{o!&L_9AI)iECr%{Q0LJo=Rr{m*3exN3O) zY&ZyFS$0)8ul~L`T`V}(Y;OSMSf-RGE^4nh& zQZ2#N(c_NVUsGYy*+Eqt#-1zE1P$Ruv4g}(fw>LqB~tw25Wy@G_81zI3No4t3U%h& zS0Z+MV2PpSIf6RI-`THKKlR_4$B1$>Z3nw-qU@7l07dXD>M5h}nQXo7D4bJ8Zl!it zuH>}z6Qm294LGx;Mc)U^^j%zckiGi~&oX#hkTVo{S^*UYTHVa$0w ze8cNbJQ7i)k_;^cmR5LMNrv~45(J@!h(nX`J?Oh+vZ2lGucYHYaYS|{+s%^dARqub!pK}Fr6TrKIyGhJ*OlPSR>O@kf!++)$(u5G zmp!Ei+>+AAdnQ+^^YDdiRXnDNO5Zq}Q4G3!tY65QZTR_!=%xzpm_kesHWev~V7vh` zGa{uL?NYB?+fH@f!q5}-}M~*;`Mz>1q$jLQB;_EYKYE*wD;#fjzfDIy*BI) z_6=a8ZRI21L2~J^a}(<)+0(!yd^y%A8T-rSBuTDol;U<(qR}9aRx!4lE{37IX!tT1 z_~_>3u#3QQbVWa+paA^LMZ>(orLT@UvNUN-^#)Z})E2-aT5j_q3U~gj?*oyZmKr2N z_muGlT!VGg)T&3!cAFdWZC6F@kcj)n;JV!hO(R$koe!eP~|+~M=m)QlOKo*UOU zz{S~adhMAk&!!x=NU9eO7t5^=5;~2BB{~Uoho)vNV}bHTD$`pm0$ao}vz+n^6KTSXW-OCuMWTPEPjAW-9Wug zk#Lhyeis1*_&k>Njb&88{8rGcgZ6_Zm15Q-9)@t`LzgJCLz994c@8-W<7D1H&bEKi zKtz#dn6s#`qn4h57}B1J!LnuPkjvNyjVucHPG7U#KAK-UL8b}oF*H z{~GfbNfalLOmjwwy?B#+{)^$dWB}(UyDN5z2W(xU1NN3yav&ZD*8TmDD4DB-rlrD& zmF|Heg{$N0@VT@>Jz!c)qPnm#LQti>f!!%t*n2*~+1BMUc(R~XLkC8BJhgnM_k(^q zFX&9Sme?m7`sMrFryS5d%DFomXm;@94o)^3l#AEvX}@q*uvB{ci)&YTN)>Wu2_cL& zv>^1j^dBuGH+JTOJ3uY3fF^w8ecDQuYw5tMTTa6G>A?*l33*eoi-aO$Xrs?Ljy3Xc@SJ z0rhjl7j01-ED3Hc5-@N#r#n|jEVq1reYTdz0Ob=sXF)cAzw&>ur6!H_V-g2sw=Z5< zBlzZ|lD3wnSt;CPdfCy3CbWtZB~&{Ju(nK~CYn9{I$^)++K_Srr1*LceK|d1L~TN| zs_#()W`}?^qgFwuy6{~rb9M!X=Z4%}qwKj)wO2Eaukx!ghd{SN0LU9#q{wVuppOCF ze)d`{DRnl1Q{HRV#p;l)5_QyojyBJPe!3RHkJi#UB$d=SQ3cznRpq5G!yNK~p0XF; z&V^$!C3Aa5s|D4ha&TRW6ou29@$n|P(~$mM6x^GcP@Zu>hVW&`;l9y4xXaKDAEfL) zQaYI`oNI!iF*NAqQ&8=$H-@fXvHeqjwufgWUe*F@frOfLEgo|vP^n!m;&?Mbt(5=p z-#d|)d~q|;DWq|zcb_7d9-{JQ_rCCD(8o2Fq1TR2o0q*8?%bJIr*YoL9+&xBx0YIM z#>9sl<)0gABwmBgE~!hdoB-+q1V4^2?K{Wxg^;PMkfPap;Cms$qbqXx6Mt6j#Jxl< z4F9-?v5#*>xC##eb8=R8=V`Yox(MNG7g4NjCs4;{mYg(+J3NsqqK0UCZ zM=x|13eni#*3{hnA}*-d(-#klPFfW38435R+IDcfRdg8sz~G`1bYPc|Pw=uE{%`tWD8PW??qW7<5?2M|NWG%qt1N50ETYttIPNkbNISJ) zJy0yP&r)pIk>)p(uvsbSWDslei0@4jS(&!85f{vNug5xDSGA%sPu2J0uFDvjj|(8(=yHq(y(S zo_TEquE5KEh3e6n4|@;;i!DkQ&z=fDy^dbN&s41YmvFE*`NWv#@5*p!iTj7y4Z+2f zX{>PP;jSsn!H)fojy0jfU{3p%&9M5<3EWVPeHfuPlB zr)C^G#8CPO51kWA8-oX_5J$s==HPKf%1}#uD0;w?81i(=%+GZ%JdPzbNkSl&7-R^zV2Qnw(NFgE(P;+Go5nS?&tExTw=ts+ z&*I7nl@bdQEd7vWOi}yx#<4Cl)BklD9z^&cDgv$ayDlrnJ0=yW(eY%&?1K&eAhSp> zT=Y5#@1-fR33CNJQx*TSD$cT(%Wzxx@D`iF%uU~i=4kjx55<(t!$T^P35yxKFo-2> z-{g8AuY!7f5fqa8zMI*~`c;QC;l^@=aPwvc(J?H$3vfH2NFR!%PF14RKO1qItJj@v zjmtZ*>cp@k_207{GS|-^gyF($p_Q|r<*%PUuu|I%aWkl;W8NMK{hB}k*^>NSBdn1x z9ap(rvjSwx0tRHg`(Wn$AdvjM%(KDu`>1gPzLf-!`%3SCew2>8I#@~=^rJq8V_yFe z#?~Z3`*E4r!T(HoJJM=6mma$QX>pX!^}BPbKglJKW2d2iTdAEiPp-b=bbaE%9qbl% z#D^03bjqC^4}(`b3iOk?znC_C5WEfqz32-fx>Z{|NRf*(>+cW0r22<7`m(n8P+KvO zEuXxq4Tsx+7(+{BZ735Ndg|R7(Kgr@(kZu(8!wyvQXcIuK5AL8xF0=_!itSME0I~$ z<;Z6Sx;>!r>qy4 z3*ScHXvRt$Gl99S5cyXg6$!+|QrlK06vSPWdA%AGg(dR2TYg>dy3hP6^}H~QPsS%3 zhVmNtfQ>hYI>CLM(-zZx>}+vI#|Dpk)+K9bCsE&HW7Y21l{k>mTu|%lhDn3~>t_np zh8ilI9BFeQys^Y;^Uvt2`MJQRb2e|+QGJLCkK8XRB@Y)^Qf1!t7IOg~CRM*ifmiy1 zsOg;Upw|%6J_N`R_cQ;l=m1eMr2C$!*!jqGlAK#fwsTZCx+zk#x8+DhKD$ctLg)EMa`Nf&7at8z0#2`t4$OFoVwG zqF`@2ma>SHANRLFA!17BEyT@A1iim(Z!oVV+_m5TqQ9#uU!RZR6Q|aqsl{3(y^U%? zWa>O+l_!cB$rT;quMYyx+`T3=;?T*vKnp4k>YLm0NtjsIP85n#WXl9XxwWcVfc+tH zL@Q{8lFRML(rNeY+pM#NAesDku07y(KXZrIU@A8%0O;=Y8UugdHFBCXi)Y)Oz-mK- z7yb^0%{Wl+i=h?0^meBz1{?bQgEn(XS-0_qxko`jJ~`BAKK1}lkU%)N*Ap=(QslbW(DG+?N}lF)a;v zDry*7cB}e@$b`;*DH7oY99mi(>kH}vMX?u*Sbm-y|ktM_nI z*nYgA_cp>{wIO8hEqCwk-Nut=X_dRE>jxf-voRK-kLD_Zi+c}o7gP7b-g#tEOHWyL z2oO*oOrN-%gCO%D9*G<&1LInvoKmfW<}h>Kk%$zYK)2>4cVIp-%8At&!c}=&OQh}# zj)F)_35bO62Qodz%OGEi;5jF1ll{K7i@0o1#F`ou&J*vG=<6yAn&I#nzKC z8ORLdxw`;mB+G)%Pb;XTgrBOQ(_2-F0wjOd$oG!&D>7G2itNoi0Yqhq(2~QiH)_n= z8Cl}jT>6N3p&i^S+)L_pB@VKKvi()Fa~V?uX6J!;?<31-Hef={7q`sQcgQU@i>ip@ zPr{z?NzaXzPW@?R7}pq3diS9q0x)Q)YC2&6CDm{w`odLZGTkQFCGx#tL}kaP(wYct zFWx%N2M{eUk|#Ua%Yu4PRZlQ=e=&JIZ(y~ZVmoOf7AtFM-^_Dm{N;V~u z4e~RVjbepW1?emD(LgG{c^vk>#Ci5GQ4SU5=K~WzSUS3ZKxpv6k8ePh3g7P_V?;#_ zrDUzH2CbHv1Imk?uT%{-gxo>cud?N#K9wT(ehqgkp^5Z8%GUS%OZ@@& zXRw;Gw3b9wHiz~1VS%*!Htiv7UF{OEkA5u{Tc9{EvNzggeCuP^OHPQu#lJ^q1TA3y zetCdm%!L_=%SeMA&-QKV?kn^=xOl)AjX0V#it^doj?)3+;{emUWUJxW1Prfb(zr60 zD^5Ri^wFA4%>S|TT{3iNdk~Oif*?ofT@s0z3 z#IxiZ&QEJNY2JSoIlf=M_o3@*QaA~$w79SA8~mcP>GRHuIs>FVxd1q@PQ3HD@pLvN zNsE{Ct=IZ%CjK@ME8k4;y+NIP2#uDBbYm}^)$c3>3Y3uT+An`jP)n6lDZZMND)&8| zr}>u4qu5wv?XGr4^OiQv1P$geM1ELy6` z6>6KQ>g<)jR@H&iR&19Vl<-;PM0X`HocZdBY)?4vb!W8Y-Y!GNFP=T5d;KI82I#BGMqENzOp!{Ui` z&#+RAri(FtVdNOhCBAyX`Fys038`fH-?$k>qzG?5)O>htjs&*>*wP!Qe-E8dH2rS- zW?NRK{3Xk&Vrb_b!EXvjc@HUKiFK3|$pSY4$S#`$v0lJ&6(1CcP!yh8_1*6lJ}345 zO?3TBHSMJJ-Y3N~3(BFalxNO(9z8;Q<5#mShXQOQ?xo}^5ueN{Rbq18yM+%BRzRu7c_$oQR<3{gF-$S6{ORO<{gIAfH| zmeco)0ire;z)NVsCT7uGNBtu2h`UWQlBJlRzy-B83wVb@9<^>_kGf!u_QPC(cI8Ju zm9vuOdkmpxHBeMT8yg#p%05x5X?|Gw9AC{teHO`dDh!{qPsWoinnGG+kDvx$EsO%# zzSQi+pO{6pvDe4pLFyC! zH6rj?Xd37Wlms8dY-vGJ>RAi9pTvC~gi#$)Q%i~g#_p7SuX(zWPtu*x&(1ts*eKw-mE#%!K1u5Pj5<5GE0%Otc&%7-?~#N;(m?^`CFsjR0M^NIyipJL-0_>e}U?Y>c7V7%ii?!@U|Pf{QJi zj3*S@_>{^l zvp9}EnDciSD@U+@dN?UzaNQQB($KxGVsSP7>{=4Ljnd0BUWk;qK(JiYKn44pdIj(N zEmozhcU$g6dJ5la1wEicp6aitgVJAR9&QSqf7Ab7duVvA)GuiKcBq9qfUA_9g9z61#JBs zqmK)} z_Q;SA)iRqh?NRgLj#oF?A}L9P``w#w64z2Y#;l>gy1Cm>de@LP>d_hRZ#c0Sc=q2E zHt}>dEkUc_vp|DqT>qfi_9bfCo1K_Ck(q_f4bz1I>DxXBe!4!%!6K! zWBLOIp&+boHLhUpI^Sn2V2y4CwN$XpwoDMHtO-9RxOF8})66`F&wE|OFly68iPNhK zd7DNPF5#ugLbLZDm!HV|Rc|~|V{6n|z@f>^oIClUmCYrmQJDrtRCs$9TcTGYP^#xA zys0@7qdm3G{&ejEKQmHA-u`Lk2J8xz*g|loG`sJM6F|u}^?NU9$Df?&%{`TbtTY9o zCjvor!>hyy^Q~{hxb#uzAIw_ZdDEz{`(CyndM`3$j$n^H*E0g+oD`idIele@@Z~J4 z(0(A5-AsN0Jq}RnU0V-gP20Lv)7%2WVsJS*Alwh#6+f=B+~s<9?^l5J+}xJca-9_2 z^S@7izd32H+@(0KqHhq-IXfJ&l@Ap(dbgvAZ>}&9LrIr+d8KHBP?3YIRJGPgo&J=e zjMCu-u2&|(juw7W9*6Kcs`s`Zrfq5o_YHqxNIWeL2;P!9(}9OIYBx z&lfaTO#}j$sq%tn$GAGV3SXZ)Rwz>Nxsn!rDdkZ+jiY`NpL50W4`a3MqaJFZ2@Q)M9cUtcKc!1R%bT1?odvjpeAENYH z(?>M&j?B~s?Eo6*PS80z+L4pkMxatIWri?feGNg%h?wZiL-;=AZ`OS6oUaP{oQf1; zEW)Qb#qdTU?nfq7*Bgw$UG02adBEmFi+;tf0P)ztx^}w01enYlvOmq79PDb}W8h=D zUT0>luS`1qR+o)?wvGzCO607bS&2V=XtWx40nklcTi=<$zO8* zHpcjdPKF)_#eK0pRwW-P8ssc;^tjyrD?sF&R{M-q`Py=pEA-)bYN?sX3AfowPyR4d zd>K6R+alQCo`|5P#Nf%D`($uBci@A#qw_`l!D!9UZ-k-&{2>D$&D92`(Wes3>Bl(S zJc_taf?6bFZK`Ot!?#&^h9rrB}>27viqlKSIS~GT&ji3}vKUW-01>t;-3A zMH8kz+BqoW?k4^4o5-soP?P@-SDF1d({pTqg2eIMkfyL1Y2B^79%Z=5Mn_O!VDmrv z&j10T!~Zcr;24CvwI;lvI;Vx(rvKr(`O0(_UwZy4;!-Zc8Pojgy11gdo=-Sn7^PS7XkI%sU zxFq!-O{?K4R3xSd&_!y3oZF9AX|LR!pIbCgqLe2#mp*UAQ7|>4STI#?c36=h!M$Q2 z@Z|hC`kBg7J(+T z;2d3TGMmGsjmR~2p93}hPd2Yo2ZNRE8@RFR&_@W9-sBh$Gc7!#`zV<(OG$psccQ4J zENC*bYz{7eS(wHKn>)&ViP$8p7h-3GI8zvZxCJt#MWPMEeWJHj9nqwiP$mA<|Dzr=cCHS1w#R6}bQL>2e+$3ySD$`UK22G8zvF)(ifPcqS_Ctml9 zcb$`BP~~Suo2W+cE%x`t5&GtiJ$n!&@gt3b_MrMAI}i`q`jTQC&Re?O`XWF-LPd!* z>PX2s{){p08vMTm7`#GbP$>$;CTBuqr10^mhqUEAb0e>m75v2RI+^o1y_2St$mu9A z#lDcrX}wDb&J^mMTRCNRXZmzyAYnwhex!BhOX>OB#t~Z5s&i$y=NA=zZ!{Rc=jeSh zR5`(v%qwA?31^MwKyK`!jKf2)(1hD5^84q$x3l2MzR4OJ`*x z>l)DboO$v)^I++U6mFYk+#8*_BMQQ3(9FyA%$9qZZre23Kv_g`W5v@11daHsyTIOn z^K!;ceCA{9;>$QB(F%yygxG9aM<$GKssW-8Zd5<@iZM!3R8 zV6dNhOzbrJD`3+a0YRi{#Zb(SA<~#$J&GvvLKH!b85NRd;SED5brnVtKEnI~SIoy4 z*bc~|;P9mAt=XhNA$_DyL* zi^$NT{Jw(;FVt6zD>K zxB}kMHNZ+DwRNFH-Y0)=ZH*r-QvZ08;gGo}eOLe6AcY{&e+4NFF`(krkNk}P;(dgB z#@5rrXtOe??hR83j8rMxx7;SZV|IjbZGJKNH2g`4rFUa(I&ezcr9;1F~ym*ltUX)|d7>HP&sVm(6JCdAktQ16bswr+p)1}oXN z-s*IPQ8=;r-S`W)3>wtu7JXQ-rVto7$`<_y6l7d)o?qf7fD+~#z(2K6e3(&w&O7&b z%)tA~?gz?!KR`Zc%q`jc1XRGId!TcgczqxKiy>KUr+bGN6$8cF`P6>_{pck)ar<;j z?xk$nHL0*G_8CpP@a4<1h)GjlHMeS-n35Z{$-h*e)oETUL=&wi(cQ_D=S$*r8w#F; zzC&;cA*9p1AW|#_6JwJ2Rd+3qYL8bUuF=gbP2n9ObCq(;^=Lz z8eB0GMBzsDiC8Ugxc!bN)RVa8GMI`B@AUh2cki<~e4@RpB~nHPOPbQv)CHj~Ifk|P z4{{d_rPMcpF!b*Oz%jHn>@h@pw*0h{JQ{Aoyu*q0Bn85QrC6x=>(;0FKbZU<*{Oeg zSgUhb3vfOB;}5im0cLTFwI7j>cK{3Z@=J<$et+U~#?O?3e8@b5MBCD3^dmv=)nC6* zT_+&-24mMChz#0~$^8T}9QzcWmv#xbr^?V;<@tC~DOoSX>Q<=ZDAKnO={UUipyzVj!1q14PJ}=`h9*fD#Fm5~k|8hPAiPgJ*;vw9{a~0Dl z{{erIWS#*BfC1SvD9ZOALYw(nDuj3VD)sgN{BDelKpQ>F4s}5cGO73PPr<*GZ~uP5 z{`2oVeZbOPEYO|dQrueJd|c$$^Y7z4#Q(2?BiyYp7ort~cmV+K2{xM_$b#@k0#H{2 z&!5{&Ri|^*WJ!fRu=r}@7G7{?Dbl{c`<3e@H=-Uh`#CL#Ma4co$uE zcl+PxeYl7>vPB>QfcbleDgqLlzPB?Orsm!VJaKHB&BQ@W_|r=2yG=;NKXXMBZZCD8n6+nhZww5i2r%M;^=8zz%x;qb$A5N(%mC zk}?lqh>NBKI7z-s+L4~`-LFb0HuueLgl~+Y>xhuAKt`|_B~2;Ys)fYT z;z^SajtsB^7`@%F{7d>-@I_+(3KZA!2r}$f;3J4_F}QZ?CjUP#rDHgFANe~6*lw@z zfFknJjXO7J9LjbN#m-q^0+r-1ejtzH(_|TtH1u7LocTy1iB?h2EI3F$+b&ftPS8bd zeHg@i;cY~BmL9c_i&15Si3_mhRBL(1;7u|{;G8kWdLvqIr4RJ{pQR7sj~1^p zGKI)g=X)CrQfIqf7|c5zPN!Dw3Z10x15#Y-+TrAf5=60u=2mV0FKA4rKkwkGi!47Us4yUtVgF=wbq>mPex_a~OE|-Is=xslgxk5bHTAyMQ*x@{pJ&P=&MtW_jGX;MHRO0Y_iP^>>sHoyI_ic{H9R^C4rPj4dMfoIx9svL zHrjPZ`fR5@QCd;J{+IE~;P=D$I65#we&=X~eX9!5?4C90`SS7sbIGTgB+2H*{#zZK zQe|=`+AuW2LsSOm=RXy=kM2G=#$P2CK_wzvHBm5`WQH#>2{~7qDYOZkpF-bmJV|qW z`^dL~eS0Gs^CvMshC??8#TnkwZw^Whbf4&MN3=bp6bHnCP{fZhFLy@Z#1!l*nD-_< z>IfqvHs)$Ig@gEp0C60_YW{e3hc=g^L1}{Ey?5RhI+~Ul{w?5bCDPDy8ZEy*-wHHp z4RG3L4sF5kF{>kJ#=ebUzuj86oyV2_4#~8iU)r6#eKxP#AlKLLL-h|-%+KNO-n{x% z%Xf{i6{1}XprZx;4Q-80dw3rnG_6Md!cKt&g>gy?bQ~>8;9(AaHJ-dodSh*pH9W;t z#)X^KobtvC7Hi;cT3pi|$a~fm&U-8c^Q(COG)|wd;}jY)%KLVq43%pksji&!i8d$S zxi$|Qu}>8s_}8CJ#b}SU(|e=jyK18)dtASG`c7dXvy~`4Htm($3UNgQ59)kJ&DMZh zjDdSdDYFnfNc((6qI@)z#CtW*te96jnM!yyY}T}s2P9whrwTqc(=wf^wtA#~!^g+h za?*Svn9!mg?*ha`{@|WQmkg#&uc13;A+~$~RDyv-a()9hg_ee0F){YInlbGs$P%@H z#i&AZ-YNw$@nOQ<{Qqc$Un5&CuRpYo|Cbv70*~nqN~E5Ye*avBE3f`;8>T+~C5tv< zk>h8P*m{3(Jn&|fQQtEPU9i5(|Hmwkr<+D4>e9+A>vBmQFaENv<({CYI2#%mts)Gp_j{s_09&6IHBC*oN#c^Vh~u-pZb zj&thsLo2mS*|uZ={~KgB^J>B;Vs{Yh*MXbuBNdgs&08T*8`KegAVObjI+j{-I9 z_lLFHCWrWn^wH9WfrQv<#kQ z;=rgg6(huCwRO|2J%&x8+8Fxf+T%B%byL$xg6IA_BIr~`972LKBMU8 z_dGvRL+r-B(GQ+J73ug~P;x#$Q|HhMBBv-)!2`khx`qhAdW?VXAt|9man-#@+z8M! zXv169tFM zE4ye*ye_My=fS%%wS$^|+#Lte*p=z0CeHeGZNbLacxey3c~sY9(|GkNk`WdD*6m*} zV+>4o{9Tr8Rxh+eVO$;hnNDwu5kU^Qh|KYGt4BS5+H#F(468E9Ohhx^nG9RpDd)Ni zey=&2$967RdIGALTf6CSNP$atzozFUuH%G`Aa9T&>j5olH19T-hQ9WORfVdTu~o5? zb$DFpWr%zzh1j)+E`M$W6ZRGt~g8cC*~T)L_2_hd&_%SHt`aj)FM(Y%nU4Zx3XU@riu`j?A#$Up1%U0zf! zqy1=>n0NTEIdiuc@YdaBRTM1nY8`Pi{_PV6QwKVKfQ*;lB0ZPyXL zvCm|geCvHW7*BCHk-4lQ?5rxVF6_eE4#P zlkCK-6T`(G3nPw>s^wR?P82n+DG*y4vS@6J@yS*jtY~{uQmw)Rs=$!f z?s{uzKlB4<2yPE3Z@sy<7m^1xM*_UZIgM=1Ot;_TsQ{73=st%mkoRbNM=rhL!~zWa zwdwjfD(ycVpm*9_D$YfcT4p#N=JAW2HAW6>N-kF-f{ryj(cm&h; zQwzJ&7oCmg)xU$I+er*Mx)pT~o(OsRc~%e|O)M3;w2AoP98OFM993BKZB|%o66P;L z29-nU@9lrv&LpX_n?*l&c0iT0C-fyUtTwuIY_~<#f_Hb4xStsXVh@HXd2Qp)68>4u z;+GKSw-4X{tI`z*>bz_ltFx>;@7&0R5uDQ6k zsXL?mDCJG3ZjQHC?7w|`!4K2FBm1w{@AEuTZZCZGy^r|F!5P0Bv;OYy>Bln+GG0Na zDtj3VoKHcdnx=zYN?ZIF12uZ1-vV&mi4AD#pCBtq6AwazvsDiFqwWZ*WAu`PCjnz3 zPg3I?PpK!Sc-Bo7d(75?#l6O8n#K$}55ml4%LnWK6l}hW$@l8V5kO0am`jCb_5aZn zXfdB8EPmqno2D|)Oy9XpA}}REJA__j08_*<#GfOR{I^ljWzv(%arq3%J^y@*yA+w1 zmGr4&@>O@!NF$*4w}4cl zxFy#5^~^|*{VRTnun)9sEVJ_(KZ57i8{v zylCA=9@gz2V*d=-y}SJ)Y$CtB2$MgQw;%VB#Xn!(?_CXeD3K3*_7Yj=G3M|+o@^{~ z72v0ihBo>NX7hWQK00G}R;5aPbQmJpL!x6GZ2f;R_LfmmaP7bFfJiDSA)TVYfQTR{ zFf<5AcS@(Uba$7e2q+;r(hUP5EjWavw4{J^4{-L}&wst=e%8CrS?3cUz_na3d++P| zW!R6Nnv)gwFM|5fOqYVG-OQhlrlNA$7!Dr7p06g%#fHe_3RbgWo9VfoF|DX_5B)+- zakQI`2teg$6d5TjpP62AsR==FP0WrC13yi^il4i4ubYwE@7y$GMZaPYM}`@_*?tg9<%+de?Ai6VK(EhH z@T9Ib8iH;ZjsU_S!8bTAz4xs?sE$n(Q{&>PxD4|4hLW(zSWj8O{riHC7Dvg0PL~t> z)N{QBvd;EgzK4>_9-+Pg!Hvi>#Vk=4;nT_VPP>XLmRM>b=JNUhd6O>uZ@-DQy|XM# z+W0z1JVB;-CtBK%E{gdnaeZ~x3!~QplHfhyb!#-8Fd#&3|{X{;|dy?RCT_ZFOeWf;*WpDEzz@Npl|-Ghx3%Lf2O*Se*| z6euU?L|gc{y|tf)i|OV#!Y{szQsMty{WpH}8@;1AZ_oZ$dg3+cbq4ozJY=4I`Bbe{ z1A{o2?gJav7qUEFKit5*bmFxpMzh6;oT|FXsTrAf_%wosq`$Q7X_USCN~Q)tbdo+d ziPXK2#!)-&(&X1Hsthz)+M->bD%zHNsoD(yf;~znWn6vdg-W0keu|~ zaH`}EnLwARlAW4=w?#anrz&gOHlE_ErBka+Pw9(y>p$u$ygq+_1ZRdQy?vVKFRb|F!D&|j#L+|-| z%45Or@K1f*&BbJUIJ!!+djT!4Yu@_uOM_bhQXpXqCEtB7uk&Ob2Cj^ytOb>gGT`X_k%y?r>u6WA%k(e9o{gay|ilc-S;JZ%?SZvtogDD3mO zurev^3z3pX{3d@v{pPEiJ_w^bcy20D2j8ECy)@n}D(PqNyfN%J4J%PEqWCh5 z7Z_Igw4CevAzX7olN!5|?%#NTH8EJL1aLpJ{8x{oGJ1t2-Z0&-5-~k&@EnS!{O|ym z(st?5NQ4{vU$t$^=NHV@!=@o^DE@lawC#eaM9&mTx=tMfjx1wd@}fR^x^#Q9XJn{h zyZEW)+(#5WN4k_yQ9S~v-S6t)Z2MumtLT@aSZzZU=TCKa8E(TTc^r{4w_^pqc1Bjj z{dr&$ODC{F(qeLCF!d0dQJ--$#?$JM)9Aww->6T%0||6OkwL?h^hYG!rgt(EK8%jY z_R>Cw=ZZR)=kR*F8Mt#Lzt&)H^S%E|XDUf@i|*cKSr^BXcdwUEaBRpi_RxJ>+D2X$ z^{ePgmpv9;kItJj7~sStgr5jy!W);PO=cUN=bDaYK9E7mB(IihHEna~|9e*M!9GOtW6K{W_cDznp^c9r-m7QQedYl5QQrKg zm-QB*Up2E-XtR8ozeer? zZXn}kMZ=ehqH|Ssir_)94nzf>D-49UcY=91@uM)%r+*8lahSSS?$?(4nPTC=I>>`f zdZMATU}{YQrV!}GWIU` z?y4+Lz?!)%*ZC)PMSE(}pz*{S=h3`a4(R(Tf!jK>Vo5Vol~^=A?n+tt(%Wmdsl748 zW2}{9H-DkJR0!>OXj~rgxC>x!jp?N9&zyyh9&w&$fn7!V&YNXX| z%Jf}4#Q)~%lwG$|;%B;+o;1Ywa;M=NfS!{`_$iD$mpYsgrJp}jBg=4^P2Gh{WtCL?5-N1+Ndam!e$1MyeV1rOLIwpo3+FW0@-@IrAkl@Q5 ztPbJl*}t`}ibY|hki*D}Eoed?ikF)}+>-I5AMoYil-hy$r?EGH>Sz2_{d>sN*>Um*XtR%bgSfYZ8*{rcjK0Q;z%zw(*KJS>x5=wdZ zG#3VKGck30*|TW&7$9xRTma{hA##DY_bNKs_58W1f2S<)Xe@X1~wu zFyB$9wj=zOlq^Ml_p~%;y&EQ;e$s58-Fg*<^%~m-X4=7UgrFKFy=C?6B`u-^$SIubY|$B5i{t+m7Dg}ucuxG6WvKrtqLAo zQPMoWsRy+wNQWk|Ba<{5| z+sl?D!e!AmU;^VHCnoW#5kMl`22VgZ|Md7r>>;#kl1y1RDSq}dGvVpyXI-Q_#Yder zug~_DbZz^_G=iIe3pY8Q<+ZZ#ewRJMkgny6mIlOr^7*Bm0g!RbXWNY@`~mv$uXurN zr_E6H&(*}{1EDVi3>C`o0W|({Z1fiSn&7JTL#L3lxuOh%*kI1lUix(`elf+ zqtnZ!t^dvE2VF;?IlcvvL-KzE9DtifuhQ3^SbG5F1j|Sdffvl^!kOU<8D=}4370=5 zG&tVtd@yrT7I~WppYFpWPnD@?cJh{&1!jRz)I+Ij0hpijmt<8`NIa^Ge1ylH6SZGu zSIA>xc*Z=F+q3aBfymEggn1_Bzz!N+;kBCHzBcYIQ+8NkXrBEgv&m3!pQ}+%xMwDi zHdUX-ba2h4Y1*6V@!F_Nm6eg$>Y<&IfAmX#&NHU2LS$i<@}0T9saLMGxF-YRimQ{N z8Tkpg1Uq=y6NRXa4YRTj0)!L1&Y7Tr`L)NBiLKvZHSd|*b_1Q=j~_RJeac6 zswVIJSq@N#$Ov!|@H82LfzM>B(j+dlGmoW2??9}$lJhgpWE!dFLQ&1LWZ06Cm0Z|?;?ReUQF8N!1&Gwtx$EKDZ^^^)F!ItH%<|GcveO$MbP>}VFw zrV$8F!g$SktU2re(KAvhCtTVr*N1G54mI0ermV>;k)V@ZucnmCS^0e*z4_APjh^k( z$`sevE(Q}kFo?XxEg60Xuk1^+Efue+)T^x}T_y5wAl06QE>2!EH&sioMBjkm*}YUh zaY(_yO8dGdfK=*|1`Iw(^zc& zQX*e+p6Hq!51n{r?|F;sG|V%UI|2-U^QuqJ)@ygF?&+m4BgNUl^{N;0GWo4jkTg`S zeqEmvQTDUivEko5-p6O?bW+EU+d}`wEFKbJqHa39{afrN2S8v_QSaGv%nXK{CElot zLQ&cWZWj#4?nbE3KN#M6A_KBSskXKhsVh8wPV zIg-(O#&oXJ^_5;fH0^42r*bLmlb1hmpam#qcM-{4iRT|vYHf6s$P{A?l)k_~XxAXs-QzY$JbGV-eVJ?0UHRgLj} z)xbib)?vAs``@;MaOg970IXzjwoKWcQHnia6i)nH3ACt6BoCt7{vO+mvSv>FboY2l zC!4eIcG57+8BL?BC=|-{VOV9q)j9(O;_6iE0oUsRnB#b5Np8g{o*=B|fpO`ESbYxg z%7^C%I{-NvI{0xAS8Q~wIviXS&v(KYa$`aV;?5kwhg*6qtQo-w$pP}4C6JqFqlcvT z*(L$%!QsxjPocOSTeweX)wVWWOX`(24WZ>4b}J@fXSM~ji8JI~M&4IAix%mM{|%=2r9 zhu2G9`)DX0mKxUpd^_9xE?^kKDb1M9AF=T4V~W5s`ZbQ*)B5FHNx;ixvhyc#$tx&|MSub|trF&~=;L=TB6kb#4oLwwoF=Je~n2iUKH(*8B1~kZ;lnS~BMB zX9oz)Ux;eEDYlqOmae--wTa0|`Gfx32f=TsSFVMRf2x;AycwxU*4eHqvbq8LHw8D? zGr8?lIS>&pxh+0zeH6@>L?G5^Tj)XC3_1v?5G0600`~k)80(UXj**MUo*2cEz0cA$#(DB^zO42shd?GveWxUbed&NKkSeV9LCs^INO&$f{>IEdc&2AA9!3PpQmp85{y0DAq+e~o7e0F765HHanKz26=li^ z)6vo0QD6gGPb*!3@7~B>jq&V%2szW#;Ur{h5QG1N;)552}KG@ zOOetLbrQm)%GBbrYp}%n_|Ut|j+=AVkCW7YGa z@yLEVfv0h9BlU;LTpTm#PVnCIPxu;jlZWUqC$zBF{JY&6z%aZLG-H#U=>iy4#=SrA zOJV(0O%gL$J=TB4cqeK~BM#D6V*x6V=MeMTK4pd=MX|ZKo?&y#tF6Cix;|$z%LUvS zl2Kw4bFO&5{>nkq7;Au+9xSnq;!7>HvUG1XrhvGldE=ZL8&4HE!i}ve{?<~&wG;&L z-4Oy)4w-Y^!*I7&BgQ#3zq)b2qrO35@frCO!`f+1@=t-N=y{uMdOg`f{2(HZ? z7YpTN_DX#pzchVA)!a$Z)ao+4(+wQhnYeqbE&q!njb^xvtzGw32}RZ{Sgv*saTZ!N zF6|vdA$@$Qf9j=22mK=_qmd_C!bH(06UBt4g5;(#1$0SF z{o@5M@~k;?aQG|-anYS;<6>oS3=zAqSoojHiF!q_Qh`u+pF_mIHFOqeD)9d&=kUh) zAA~=LqQc|%?FD?LcXBpPpBZ1vF|DtT2t*w7RVW~ce{H{t1Lxb=d0(>DORxL2!;s}ClcL$GtZr5RImQE~ffCfri+wgdo^zb;7^;DM6mSPmz4Du3+SlWy zcl3cO&R#R_FhXn>&=enQG!SP1X-P z3F${<;o3{89gft*ySbVFL2Dc&p8 z*L_@5n{9bc8*z}jeO74;p65O%^M|ZPxH!Z_dThWRo6AvJ`BoNtvG-My5o3pwTV)q1 zq%edEr-@jR(O*2A7-O9;_gs;=vM-GyIAwl4)=Oz$Sc=g|{Nr~5&1puqdwAs9f~4x` zAUZ4Z0$V1Cnlrj7H{FN%)ZN5-Xog*-U>q1*BT>)?Sz(-Z9UWOVD-nD zalj)JyG6k}ybjSNlDH3hs=jpmw#2K z(j@%6v{YNH4z%JC-SM9Jh?R}QQo=WQ)_E5+WxKk~yn@&tZ^2FXU)}iwUhL+42{PFx zX5oZl;pvf)q?~7oE;}NhCD<1t4ovZ2(cjiFGzTK@jwp4B$oUdO4|*LW4DvCvLnns- zYjz)q7gG8LG@5GFfYJ7)$<*NobQtxRT|AO@xp-XVjy;L=t@1(6~AC|5S5C6RX~eP19TBQ(%EV{>%Mdw$syUAY=uhiqx{YuTR( zTl~Q9^+rqOGi?E(bcZ-Q{4Pz}$qzoVCy#PZiG^EOAbJLPa;e(f@#O2S#0MfspT1Xh zq!5}mnD39?8^VDTi!wp?)64`(PSIap&>56Q`_IEWF4RaN&Q{0bQ5|@+CEq2JGWe$c zzHp_FLp{>&!>%wXqGjXQhyWu|-m6|s6e&&;bRI!WE9rP!&EcA%YU*6(G7VBprNKAn zcRDv#lVvt`t_0sr9xqLOtaOCqC(-KSYBw~LJ0+3jR>$f{4Hz0`nqi(Az^}{Mc4mg}Zo68x@nN zzaQ1jW<32UVJ-h9>5hVT_lU0~l)yIZAz_Rpl>!bimsapy*IIjgr=RI?`(+Jx$<2J( zauKucbcX#xmd_pPM)12Lhi9AEeG~ySy%!uXD6{^>fhwRB^T%gWVgy@NzDn>gc6VVj z(FfCC5_Q{kpWWK4JBf%Z1|;@7NFNbNBF7mC*%Hnj4g^=rc6DL5Bmo&OZe9yj>yk0*TP zVY4$MXn7iVi*UnKJt5eNj+`(l2lN8gQ6vQy8+m{@u+N^T$Afl|>ey6a4B|V`X$-YT zE8V5<-}iqT@M|MO5sPKUUaYntO`{vilb@e$ufIrsVo zEa7S-SynRbKFG3{Xeb>0GO1riq057j=yOX8w}Pp%Zo!MuORR%*`rh&rtaq(CokU3a zQUz6hT};(6EtVnJLf@@V%I5WXlgWmh&M~-wUcq-X+eME{lx^;pgdO3&yozGakuwuD zV|+vTGN%}OKYpEBN|>`N6xHKXpW4ZnX~oxh6{K_5OAGUhSx;;~Zt%t-me>TgR%x|v zDAZpAX9dBOSa3KFdsE0QHzRx+BWLZ4kR<+LmV(&}8~gl9VQZvuM)kP0!mEB?agnb^ zZpJxa+pft700yGJc3=+{eK3&=mIXOiwSQ{n*6dfjh6nxa_Un+zdf*R`K|Flybt@<% zzQ8}^DX9<=ubb+IHYFXy9bPnfY0wFYO5Mb{d`^~KzT{FdUgEIQ4o19 zDMk|(pSAn?AFC#*;q(kWgJnD~;!+u|B=)PHeW;qdC zaI@|kURcvi!lg4pW0V_{aRug|xQ1hZ7fPz%BzN(o9{7Y>If-u=AcnT|_76-^v52&_C#Gb4>}3CFyvfa+2}Y|XZ4T&LIhbkQdYhak4<5M^ zBX%?{21W>nP-#anoo0?q0{z_TnMt>GL0uPb-yLSzd);|?R?O?fo@_Zr{YS@@IXW9|F&^xi{HyPO(6%Fa_=5k$liXkCn2bn`8#!sT)(Mw z17|w)ud}9pPg|w*3%IDFUi6f z!=gNA_NL0x3+GG?2ZIw|J=t3gZWIDhSafi=2+t0m;a0Vu8DF6k@uZ@EP6 z{eNcXD1AR(G$5@scDXOHDD+jIlp%%}bBTzMZ1w^7P_F~^nCW*mZji1fxlNTVXtlyF z`rQ8DjRu?k0n19dp;{O0U}PpT${Ko9=WgFri(_9$VNdlvfj5uW|6FiT0oj~k65~$~I*gv(gN5>f zdXl55^m|e%z=+I`Uyg=IFkL z9%{RS0Z)O39nkre(*;8P6ZHiLernmP(&{%A>K#9uK4HTc*76HUu}KK~d0~C-{GQ+u z^R6!D>pBhan+E2a&<~NbaB5KD&yxG)?^P+S;|UfA+6KaaCCB@l~$dLfZVY zV;NwGyo*n9I4@sm{_u{0OqEV%&B^jzfrEr**lXNob8V5T@!8}{&z0v{0@+YvDcq&k zmYjpDyZLac0lur^{P=+hix+4d?YTF#A<*D(lxpxwGSaX1^V*osGn}vn&1y+S*Mt_M zw)7D@_RxN8HDA?KtND;Lr%ZN;+J4IKpCmcs69Vn-kvxgKBytUC5Z*Gm;(#D2!Ae<` zykoHB<1LWIUsWyO^hV=9PZK@n>oU<_m&xG2i*%1MVL^t-7!%c9+{MCt?Xlw0w|8-! z9pC_fo_|U=6I?={b#3IWvma`_9f#@k1yn%)!}EtmH2nKyq})ZTr+4Ddy#Ec}TJvDC zF+<|xUu0A8aQr8RVeb|Tr7(x{m!El*Br3DqdQz=CYu%}83<1Yc7(Do@;FBsqjU^9Y8&LPv!}3#S z7JHAEM@50v^61!RoSnhny=J49_ZTkX7pf&irS^3g0uh6}loHnv)GMu6KmJX9 zm60HxS(t_&h*I#swz|%8MCiWdL|GFhErn4U;Rc+4H|E%;(6j!e!EXt#nKx!lSsLt zRed=eRAb+Mh}Ibs38smxY=mY*tz!V|+D5Nk#ZEc5Zc1qWkl=I5ellq;jLH`I;Cc>n z*#VN8_ebC)kqRF4p3EH2u%Mf|S|FPs5YSz-?8DJdb>%{{zpd6N+zpaNqG=$Vv z7>>qSjY*37zVLu7)8o!9!r*2(0b;Y$sr;JiM_7)i3|Zyr8B3CRKX1*cFkx#@4Gd@h84RFLP@h>SMQ^Vk2ro|<$K!RpZRt3PGKsMO5eq4*|~ zgL8}^{8QJkuoEqJBGS$Ijih7lD*xVP&iduIV%7X==ya2!u4Jz$(Y8klwE-X5B@qT% zqc`r6YM(#S<-fTO-Q@ZYE+bNy342hgkf8y^AWqd zgSr8BJRUZ7#ec7Ah>*2-j68X4PFyvna3U`5;}_^A6dm@W$f(SzUi zafn5kHVn&FMM^5_MNQU9sy#iRQH1hD57?|kciCM$%RB|I-z;Ex6qGm-F-PKL`>1?d+Bo;q_@;EDL#R8hms zn0iwTc_@V1ARFT?itVKreo!uKEB(rghGel(CZ0N^GJn7h6PuY*wuyp-+dTgSI0Ny> z*p==OW5C4(mLv2dadwhHY16YZ!Cuww_6yB*yZna?b}JED=2>s*f!9Q_Z*V)IaE{Ik z_mNk+p?g27nS}v;TCN*&E4bf5Mcoa#%Epi8; zSPBqmvq!W^*)G5v-lQ_hRVA9mbkTpB;|A(fBS+~=8!2rfaAMQMwxtjCS0>+mp}=J9x_{~W_mO4I zp;t8z5^ig{z~Tk^=U!gTWE`WRC<%KP(u8@$-bNV$Y1HXxfmn!FJWxg|(uDhui`y5>jh5RU7&NajCh2 z1{?h)RA(Q*DP6yR=l4PW@QjI=q-y-VbySdC0^z5^l(;7Gr6^?Cuv;OOCc;BTd>F#Om=#&tA;dzyn!*R|l z&JT+}lNMMw8e3v1`|{!9q;a7jeF3ZwI*g70wGKmhUj znTZkBXWK@!=RYYUngc`PEW|A@+GyO=32O;3f;yfn=KQ&O$MsL{i;nyESrT@VAelq) z-z1K*rmNV_X9EQy*KQd*~<~u<^bdGFAeB#B*zj{pk?MRV2tNC z1O#|zB9mka$ELL2CJ~q&E80bUvc*z@A9uS(u+%V(Fw(wg8-s%^Q*%MB4QRBVTnUU2?QvnjzZFB-&$pO$dHN|>LlONg( zU(gyhb&)EpjN91bS+*iP=}yyhB+NW|{i<^Sjd)^hAAhGJ^(oN<>0a+2z?r=_zvg-k z`bD@y^Edc|O|JRksY)I6sETncUi?*tR#-sG=s=+<6GY%}+K3=r3G%b7_~c|Y-I&nV zQHGigf`;74SAWO9;D(2+;~`V^%#)-k`mgt;(G=Rn7c~NGhyS|#jnNbuLTt|UzbG^h z+>}U2-_76$k_rH-AxM3>Nv2Gn?dNr^2XA%V#=)l({(Sm7Y>|`u9&e@iqA0JWk-u#| z$B)kTx;m$0rZ+B(XwKDKS-R zeFRN}0q5NgX#_9ew?u-oC%y~kRk?h8M|aM;v6rNDZj&ilp-^R=8X?pzEeq&9KerSy zJs~Yf>t~o2WTp3||18CM+^ccUL@Ghkq-b-Eds`LEcZv~DV9{)liIy9ln^Pr|cX1O6 z4tz%EK7zkzV>l)DZV8g#F5!CUwYpmo#*pLpDSQb{rAggt8+vl=JLz@M&ra4K!_du^ z7~+|GASuGiT#7G#GOP+GrUCGHyVTj@mE3Bb0#Dmh%_EIF9Dkfuy>NvzLP;10#N(*ZPHjO-PKaR^6&#s+TH@J zzL2GU)$SKC_WruhR6>W<;ST6A(f6B^lHhcZbc{!i&XM>t)*Rdq@?GUL?vKCvVTOUB zAq!u}3-nE>lZBv-P*J!a5>$~>q=V=Z#>(@xtjXW=DNs$fHwfEMrM_nH4C&L8g&}uIDt8DpHRF|k>*-F5C=T9J%)}#4 zz;jpsr>2eKPKysc?t**Wq3i7qza%G!Om3v$LDeN?*efXOXDQ`Stxg#!5ne#^q0G&AvrhYG>dft6%FLpI^DEGk?&h?Qu;&0_vd8BWoUjM1_&FmHPsctu^h;nSCPCS0#=`YUJ# zsrq;EXr#7OxmT@3cfadwrNEj<)@r%erfxll>z`Xh+^x#6asX0uaO<^93aAIM^lb1~ zkwapV)uN*Dr9t(T0hMsZ4mp8TKJaLVDqQ_vld&pGWL5$N zU4N>|7Cv4qlGl#5(+3C_nMt`J-0uXt|4z{BTbX6=(Ki1jz@y8Lp@q#W2xk3du_^KB z_`7e?Al6Z4b0mX6M;j)^F-mR61UXQ=LTgqGiV4g79?HPsA_J5X=5_LB();L~H7784 z6+QY(RL~06GoiR9oHUfq%0lc9(rQoRbxy=1fdU=eHn|+|TAclE!`sZ;Xz2m##Cy6O z1AvuD;k);tZ5Wl{p8kxux>Xg4k0_0wBE)?C!uTHv$(CQ6Zk|$|nUgM&rk3=!D7t*f zd+TlTTAdb65eeo;_`^C7PH$E5s9XE{VYn58+R^OqGhGfEW)YFzWL2Vo8S%$kOcvd> z@a<r!JSnpr z>n@4T1E(u(vN~-n9_bEZN~Z@dKiw~}g26BBE7*!aqf2`kycjYSz5W#}Uz+h2u9l(UD$o;{=L*65&omW96R%2Om#7eo%D&#?=Y(_5ZvrC zGbNmV*G3U-#(~l4D3S4vP+XQ_p3GayHFihX)hS=+miJJMes>09xmeSG;vsCCxM$gv zO&X*I9t68xZGw(QRgbXf{?!Tu$D(rgJX_3$kqcZX@H} zT~~Xm7t>u16AdSNxu`1OHXo3-Z<8~9cI$2cjq>@PEEQh@F~P|5DiftG^H`BQ)KR~Q z-|$id)O$4@X2wCvT)j#A_PRU%YSc95b7s$xf1GZydy>t++t(hSdy5%%QG@GUr*On_IqL_5b}b;%Uq8ufDA}{Hh*(ElQ^vWCwBrqWT&@l$H6z6}-Uri-KbQ9T5;Wkj53Esin(? z0-0GaWpC7u2_zEyHMl?sT*My-RHEXz7)RDN*sJjul22;Kl)lSpOKWb+VUnnh>aES2)jHd)Kg&Pk^5`)?iV)soCJz1Bs*)OA z8p|AVk7VLK8$=Y;#V##|5Gj>-wSi_bQlHj`hjqk|H~dw3K6)uda#m$Kd(`lCzCTsH z^aTG@X6i&bmo`UYnl6G;J(79)s?>?nr0~Yx%k3Iv_n#g)5UMhQ2xtRpak|f^tym%- zKC2B{fy}#XWv%sH=p$=GAX7g8iSyUAt>Rg!pz09bIWVsniKmRe=i0Fc}Bu~fTUIB4(Uy8BH zT90dww~N5CUbo_g`C7!IYHUI@hDHRlQ4@Jf|IG=ylDIcyxIQC_I- zs!kAK@dT+Ox)JpWH8_oO&NwjZWve<#Q;_jpOCe*J2sWZLTa}gdhf7|LT-^U|ETEbS z4-+1UfbLhKRpfrFma~@qFP#jyY{Q3JR00v z_g-#;aA*&qylHw11*HP8@4DB&*U4W|(|>~_K}tR-sMSgl6xz4-lAL?>R#mcX=FUBi z3$Ym~Q83{|M3J#;wKkl|-a=b>o>S{=^^rkFeqBlG1b(#Wmrd)7_9FqfvsqX8EEdcXi!i;5TEU-Ac{}U1o;^JSaIyMivheY~i9zQAK4dVtmd+>J z)H-lJ`V7maN-Jj>B26?J(^ksZ*R$2b*$@xDy=mBEVfS!yQ zlLjjBo#=AV6@>0TmgUU$*BGZlkoifuA3;ZyK5$NR2tfDyVk(9b;BK`C-ShFkAAd*A zkjJ2yA3bchPfgdl9H;#NJtDnWkuGyyPy<;h+Nq z>CvhMpqI3L_N#}wGj73^MRW3D2d%^lw*0B57;@pG@s!!ugvX*QOpT zri|5LS|R@ie39Rpi1QQ?%kc!F`|6L0)f0MlaL9Bhi>`EeN1&}D&>Ut$v%&G93&oD# zTAA+N?@wfNJKA5%a?D9`sf3dHcdbsz(s{{Su*a+CYmQ6d>VjOcKg&uMLUL(Zj7V{J zDMs^^E5Yz-(mQVo*?k#PREDCEq`0ia5H^h`p^HiBKmp%XBb!t0;r}|kplg4KxU-l( zJzWnJc}0rHf5nuRkNZ$rrq z1Q^G@p?hNBAW?>!gVn4qc<&GmYOhBo$AKJ_wsmyA$zPzB+{QH>q9lQ2){y_Ck_<(c zG*d?6yo_5HfCY-l%M?r00Y%|w|7+zJxR&R%b8$=ZYreZ!=2K>cZydt6bMD3{Imvl!|4 z{`aXsN0Rr}hT z43eqS=?|}DnBXAwcp>`haMuJkQKRv;`cgkkqB6I)yo&siN$Edwq1RA2vC%tk#3TBJ zyGPgSu5s%j+q(YV{~LM!FM5JnY(H?FaXy-rAwoKl5*RMfbmvyb~4` zX3WJL=Z1io$@b;j$}i1X&lHz6qPBZmaeYUnHJ3$sdvIvZM{K$LH8cvn>~68kqj=9B zw!4hFM6o~cahpnJ2r?_AvK{#)dZI_<4gBX3IT?}mDP(QS#cZHymyvo5+1qKnrD?xS zO#!W4f*jK7KJEN$&yd|SlMy&dYv%BAj>~!2riR*##w?$IgjC%pZjP(SH&fexEvj3(>0vx1 zXYi(vr)=*QM%O)m`z0LHmI<(@6-Kjwb7*1cUs3)YFHq#00VilQySZE&bm|eJ3~N~M zYOq}-`4$o8NOuG?8D@^rsN0WH!n)wYNTl1levaDv#^)kgcj>*BX%!C4n3dma+3@yQ z5b@nRrc~s_96v-aw|`O$>C<6x;SP@%=#4+;xI6RPyzE?G#9Ty*{?8FyfFzBo?+nQD?alaU|TNxPLg#Scq)UHgJ}fE);%Ytie0_ zLw!0qI)K!OL8F@#PxZpRR{gW$ro`~~^&l>MJe)_RkVtwplF(LLOfQM9Pe8@Uk>JeJ z?9(O=85eP&#Hh@!Xs|u|Sypj+j2-kFr1=`jh9~I;sF{90N!x24!+ZP-~;I!Or|gPY*T|?3{Sn^%0?8SNtYRbfKs>{M8m) zeW=%}=^N73ZxN!d1MDp*9mLx@Jp)6f+da)fiZ&xNt#gmvXYRNUR*9cWdQ0}wQr6c- z(v3CvAN0nzzW=7QKMbYiS?!G%>d{MIUhHj^GCSvhZE14D$zjtZ%I6@8Tf72AT~_Bj zoTLCM6Ea+%zgXV)niQ+%%vaf21g@0rw8!6?neM7w*#e6O=Wl@-!~+1$-`Pj{JG-9! z4#^&8d1m04{rKWLL!xbTs}`+RipbP9*dtXTmNhYt$$K#I~fuRq*Fi_ zs=itXk}%(TeNolj03sClmY{2-y2ft4HyM?FGH&mX18{AeuYSf4C_S09sE%d^f4|s# zZ6WFtw3__WByeNXo`8Q>uBSGSYl=gDkAy=a$jr!Ivyxd2{{(H_fBs-Z%SMXGB$7iL zht^3}GhKVY?j@itGWmJvZH}fi2{+e%zk!y$BBA`$dO6L|-a()0VQkvnOu5 zwQorJ{<&+it0BJ9XV~KCA}M7KZC%rRlqj#MQO!kKN|Nn+&`<8u8_yBls^q@lce)~D zAxVON=FY%2`i~V)(ZP$-!mWY1O@|$4N=GuF! zx@uAm6W(5TBYpd;;-%HLl5$%oN*M8fBo_7~YmzwpeA$IJ3*M=n<;)XkG%cTLXd=H? zM6C}2vXh*VbK2}JJe!TEE=I%lP;*QDWehT07=z+~3#p3x!Tb8{sV~b9bSIy)LH!V3 zrW3kyTKn3o97)~x^L#zXRORK}WNY|Bw@@CPn(2th^7)W!kbHvzcT<6yM(xmSt`_my z%=z>WtJ}G7;mLy=>%dbS#Pa^U4;+cK%{f?r-alADr8r+ z^dd);^BIuiY9!V4RTSX|9@wmTeWdbLUTnF012@`f>Nw2Wbrg1tLHMLDoqxWnU2cgs z_4==;Mi>3m=>83@`1bFoW?uZ`9Y7qnn+T5phdJl|GVbd}1%qYbZU^S>mpI1JLe2#n zF;Ce=%s?t_4lPHCVPOvG}oO7W+`tZ}}k%e(*hk z_Nb0wtzY@hk->@*!Ai z-zf%XwiD^#9Ix|b7GXh5&%$anI?faSEdRX%w3FA87>^NW$Z;8~<793>;Ks+nb943n z(s4j5iA+2dy-fLIVbb?U?zYB82?k17#rV%age*u1=P5Az!T9pt)khocTy{Ja-rGTm zJ^Sqn&^nE?K3UPxRXG?<{-EFEpbiX-+sW%dmGdE9V1hTQt;&6(Bcab=U*}TlDIG|p zaV&7Ki*K0s=G+D)PP&BpejMucO}F+5m&toWB?f}JzT4Fsee&kP!j4R#HSXW$aiNa%{AN{2){ljCzYkOwh3@ z@K2E`2DO6mR~9ghq?Kv0V}VlH(^W+DglE~FM_dhUF?AnPc4{%*i8?CkcwksnKvdqB|z(Lv} zIQQDZ)-k(m5fS@spC}%EJB)i<|EEPB>f=uH@4dzQ7Mh{N9?1Ex58J^%45f9~0yQH< zDTcBasz?7W(#t7rn~i2jvPTTZ82?4wrkUBf?oiWd=1kJ9CfpO* zbCjBkaCuU3^|0OW+2KYMJGbuk162pTWs{gV(_V*BkjNzv>2{9VprN3cDSwDfU^W(8 z=QKyvv+>qOF(xk1)TpD&;lWgYI6~~JQ636YuER9nchH9GMYk4hcdt_YU{r?e|6=Yv zgPLsHz28t26zK{GgkD6cBE1(yZkmcWARU6D^j<@k4go}^HxWVUQl$ixu5^$pH4u;v zp#=i$Gd|C{AJ)8U&AcD>?Ad-Z6Lh$)vmE7r{Qj(FssetCiQ2`M!Xu$_elF~Xmb@0) z*gQ@Ju*gp1WQm*A_YI~BR$YVG6fdv>+p-7S(X7WGE1N0FaM>DSSN$blE4I!RX!}d1 zXSH4m#0*XCH||Rie@Y-env{n(HpT_Yh1JwYDKs|S?pr3^l_zBW@$qJ8lCg`rv`5{6 z{@itFkTx-{V#@5&`6A;Vp~C|Y{Ph36%);s)&ys&5U9+q3lVYTsH|Qd-Lp}FFM%Y32 zjX9lX8>tF;1bSQIb$FC0wAx$7?K8W0uz*L*@0Lgox_44-pRr=4BklL{t86n3qI7JR z-mn@ij!s;+E#9%vmj4VxG*UBJ#FVz%ZCBRIG0jq53j)v#6h%c=9Q z=z=^QZDOOwh;4m;!}iqND(trI^q7`M3@w4M-dS?YXZ~+0LAl}|l{v42X=Z6X{(yyR z9hQK?`u9hUD7%l6PJn}ZV9=(zPn6?MIICD2jSLTp3QQ!vxRPPNi8S@w``JwWRa!4D z_qN2u^W1%&y=8P!%){>Jl=5LU=M*JHvYN6(DX%UhsFO9ur_BgMBaWc94MGV}0|ET8D@4>Y!xIJLL=-9TyE`A^jw9MRWcK&x=X#+xGif00_|+>UM5rj=YoIdB|U^A@%%CR@!}Lw?o@Ln*sK281LsCT!faH ztuCVAFJ)#X6~7(ID19~Azt$KLyEmh80DJiz;RVxT<`V~4z)u}^$_%oo7}3Fm^a-NB zEeq%*n<8i-OGz^8$7^wfEit3tplZ2e_ zpFr-YxdXv5#t?v-^|zlh(GgZFN6~$3`}A~xrv9NDKsCA$Mvep*8;srJJzX)9lWt3h z-H*;V66g6sg)~?4C2>=yabF9Q^yXnOqyR@hQuzZ zASIPqw7)}_6I+gZAHq)>aJd}wom=~=YsBH>LkuUa&!V-q{@OD?yE#Jf~;V((;|bzjUHAc4#$V#YV1` z#tZs(hHF$iOQ;DEKUHUg(OIuz94K69M>#5^|6&JXB~oBY<74;()HxV?0mUcv6H5l5 zP0Rreg0?>h*Q_MhD~J9n&zd%P3Cg=fPy6Ob?}Rmjo0egJ%5!F+VQ<7J9As!E<%%0( zv($mh5-$edSL%E^wFk-%f^S1xb1fveX}=IeGnlDkV)2>{+5%;Ey})u%s|W|Nz1&F) z0{j!Dmc1khMKktUpwtd+SUNvL^siT9h<_!;_rGMEe6`s=ZJ$J|XWL*K}ApPGJ4mL&C46_HjW$Nk-W z(fF3}nsTKQ^)KSLQw)Cg_h%O*LRp~O5f{8Z$4+tWSeRy$$xc1qvGw!L9&o)xGXG*~ znHs&N3;&&xXux_DVYtXE?#$)kIFV$x5F&tmorRniWI5(s0)@c!Utjo(nQw!0c?&SL z^4b&w4>vrUjE26I0FyKP#4zt9_ge#wbdXhuVabU(!CrV-zwCQ%6@Pk!Vf~0VSiz$( zKzH5!!FiSKxi6|^YvV6cUUP@@JYGcwHGC+{7SqbYl0JHZfINfZ$#sF(V~YOG)cQCxlm+bO zgaNmPwyPV|U2+yN|Hqa0KN3fUslaNSRct6k@}56}KXLvWPQ^?hD~AV}$Eo84j^+)O zNPQGcosyF2moCXA*`?4AXmiyTd_R0R|2U@t83SnM;TqfJydQc>z0v)g--S-Er{C%k zDU}y+owpKcPb%M`O~OU#uv(ZEU689jyvZU$HP<5RAx`PHmQvvZ>Q)zQ@Tz~yNF`ap z`Wx;1#uCBEsr2SY%x&2h80;Ao0P$E6bb3VEP5sAmRNOdUv&yJSgnDE75F>m>aPBc% z`w@x^=q&|ruGWW|38%@t3eNWaYgSD4fh(WW90EN`P+aAvG@&)1N0~U2uwM+97u%LJG%G3t-625YyaBVAMn|j?$(!z z^Benw;$Kt8vyE3vJ<&m=HJ4toav-n5Z%As!%t?xjFdOr3=Pl6xtq%IR0`wkr5&2S< zh64<&ZTkM$A1sYKsBk&uLR?giSbtPLH&mXqTAV_99B`Ms=i{^7@0W^=mBVwN(AZU$ zcz-%#;{G&)A)+L>5tuSCzg!_j7gzQ~`~v3{sB6U9ir{}qUQ7(aSq z+tO8h{%JGZ_!A1h-6l1shJ1vOW_9gk%nE$1dBtLycysQFTmuiW?|sj$530!Mso`*I z(B&Ao-Tu~K-Y}ppDUv^J~Nf6x?iO?`Zjr+s5~@-96!_ivU(kk48Usr9?&=rh${;%o;SX$9Oe z8CPdsE^Dv@Gi~yvtN{ONx=&}ZP#N)}x|L5Uy&iZT(H3w$62?2B=(76l4pCEbK5mxWZkY<5?^ z^MR6p>Xhc2EIly~u3xlzpV4UY`6COWd=1OvD0>tirPMVe?3|Uw5AH{AEUEN;dhY&B zW5=}ugJHghOYTAq)i_@xWBUDjR6zW}RB!uNhxUS74wVkl0?iBb2nq;S z%wmYPZ5t&ROQp^g{d8OAD9YOJHAu~zf8P@HQ1$|6hkCV=sL%h;^eU*V4`d`Oa_U|MqBo@IYoc<%Nsq zPt+?n{_tb_4d8ZhV>kiR$6LWe#H@b_$Z{XWZ?u|3O=+sJ`o5%NT3akFCZ41-Q zYgh(qkVoUVsE?9&_m^wIxs);+ZtB`fccxh`{6XlH;lDVJjsM?s92-C%1b`ghs(VRh z0H41gaUnp_G%x^c&s#T7yPg4R8>t$zv+6yX*Z$cx|1WK7$x^~uQ|cl8`KMj-{~P-- zBLW@;ld{-Jq7(;s<^CFvs2i;C1z;V5Ht5!W_+{V?yY=*S01G*joj{&I`Re{l~XkGzTh0Ux>!)JSO5 z6_k{*BX?f4w3{~?M(^B0?0#2^ZroR4CWZS9m;?QCoSZT%E7mgC`*&Fz50rqpa7pW^ z=?wPCcn5f0gyE}#@yq&^gGwP6Lt7{n;7I8seMw1z2lxM5ljvXB&-n%Q@3DvO8Bl6> zIz^r#&#A+c&!}!(CvdvgKmP_CXRMfSHQm6jU3@djo09TuuFV-Z}P%)u1#1o1sTvgBX&#R+T=aJF{nt@7>Y z!|fJy%;@E*4kKFb!rLDE8wxT-i-?rv#r2PxGSHH-&cgstUBdr6YrXo`6Moa&XTVS7 zi|*gZCSXjYmwe~NBQGFMtvC6FX90tIBMFaM^|Y0EzzZzh9&8qEp7*u=ZyWOb^-w^G zKkLGijQ$%!Z{`nW^$Lo*8RYSKUX4sb3nyMrN`S?U7U?hE?RwBx>1cqXyH|6Uf=NOt zdaugfuxm?zYzLfT6F`7eq(l;s;^O0*CzPcVac1qW3IJg)@D1|h6wZPc5@}W-MFlPgpm+& zyYa-0{cf@XxPMQVj!2i|1%;QjyIt6uyuBlW6zZvIW}042Dhc8MkN&~T;2 zLYdd$bq0OYrCxeM`pXi!qxm;v>+RiQkr zwfc~Xo=H_A2sxs9s}Ud!PT_x$V+PJYZb6)2 z^t#-jqs4LtD{A`j#Jo{WPh77EhW_tc?YX&fV)9o7nZ@2^8W?*y-kdlZu|Fv)S6Y#; ztCQ5R>sE?2&o6~7vk^RUB^H)}l-zK)ilQbZaEcN#{lG#TtVl&lsKiD}9K=TTKmEl# zh7=Se?g`W0Jogpdz-D4<2<1(u4Bg9Wkd~U@Auc{Gj`XA3!%Vtr0)6TTdXXCuVzA0N z`G>34OmfnytXO08r;f7nVSU zAE@Gxu3xJWapc}#YMI^;cA_mxVsv%Oa!VOHaHas(gTB*b%ZpT&ZSU$!K(-3UVIv(+ z2iK+`Mz8nxf#vShwy-njP_!ax;E?b7ZOs4tEY3eAlqwr>v-7(YgLBU=8BWXtO2mJG zX4Q01US0O>sP@5hZ z(=~Hj0ryE-!M|0U1a}jIQppl&#Z?Y?o>X$?V;3Do?&at(zx>tCOLy07y&L5v@}kZC zqXYuQ`BU>bvn4Z6c)vagsixl7FcBNN3zF4UKR;aA6TD%+d*5DX=J1Hx3@UP=uc4P* z4t3~FP}$am&^=DgVjOr|EkAfP`L% zQbx^nJ!{a+SMdjxodFk;c1bL&d@0;why!B!yQC^pZDSlF013RF;NGJKAQ zozmE5EJ#W}@<84?=-`%AdM2I=h_FiOf=p&TjLq@7C`Y@$xAyPz$e>=k%9E z``ATB4*T!!t)fXDSh5GdjNOkJDh+C%mKyPaFN-=D$sD8Agd+PHc2~uy!sUJJ`yWPx zNa{~4WIOs#OgIy7X#?@#-gg%Y&lmSTTnhqEWAFRZX(jVhQUI|Jc08=*%?xtWptu2C%V}Ulqe5?Q z0w~J8U2E#6ibr)g&uvlgsx%o1*&*5!*Sg^6UPf8%pO$!2}8Wu6h`;p5#C zoFIgaBt8bk`JAv@@?9L8`R0W-%A7csudH(WCXE)$ zm!;GF?!4ZU%d%Gx#E0CkDivdL=)6~!@UH{GAdM7vGIQqFB6{8X?09D8Wq~-daC@vn zzM3zfVfZ3$zotnJ*}UrY-qCN>s0WC_rb~9RLnv%aw}R=5P`6A^#!;A2owq_})3U2i z`c@?FsCa^SO9E7mI(*=j#L3BO=LY+%7b$!HQlwKOB{IP8L7N2 z1cfSQu7pQI)DIl!#W*&joxeP)o>Ly@p=h|#%6Oa_m{0DH?#Qh6-fHXf ze$-N7`3r{_@SM&Y2czuo5fz56w4Sl@nC$o=*~9s8gvjnz{R$3oJ&RGPiH&_uxs5@L zbnl&=?j(=3XZf;m^7=%kxUv8>qHaXAL_2LF)7h2ugSDzCE1Ab3XO%-0`UB4R2FA89 z%e%W2ifX-cb}w(eO;4vtn!=~`i*UOK*N@8|7itww2l|s$KahhRW!+@ik#(4YK30&; zv#wlXsTU*JsL?4^C~!Uvr5DRO>npvJpS7(ZN9$qWi&;HIj_Sas)Uufqr|}l(uE>Q( zU@UA@3Jr=vFAA?J;*6V&aM3S+328WhN<3vclb4Pxmg2Vw( zIyz$$Zf(~5Rw#>=V9Q$JcwF(b6=|SfPV8s4t%NxE`!8UGBGu^EJY5gI&j77+)&I}! zYK#A6M;Uk3ng4y;-aEcz2KhG&0Dr+$1vdkAqtrl&-8&+JtzVByZrvXSrGhJ9;8>uc*$Xu9%?(H^zP_D&(4z8~Z@!ng4EY zQ29htwZ6`JI@d9E3$D5@@w&;KI-lUy(yxTid1B2wI3R%& zU(EYL2TJc8A2CErw!YU(kHcmp(i_X{C_~eoBW8TLN%kOU+Rondh^af7#uRArQbn3}c`Y1DI|DaDeIT~{KqoUVd{y59b zp;!92;kv(@GQ^nZmAfH<6eCB+CFA2a)c z7d(*Lo@FYhE2XEOyn9_UhpI>070z~q&IaK-iCK2KcoDI~J}||p5{X?fRwd^7?Qhij zlxNove`mK5DG)aglr>7xK(LLin>>rrW;n|hPub6KERHmA%oJ$5V*~gP3e8SFon!>d z6DvN5*i|tHKq*_v%PiQPq^5M(>~YXllYcg285e%Ba0&CO|ML+QG0(*ybv6iLyU%K| zr{YJ!8+QrWesOy}7>=;Fk<@j0&k$bw7}Kyk>M_leN3l zYd2h~`sey2F~gKlad7ARVXgO}5*N$6)Sb1Do=3AdBvl_to9#xpjsS3f#2po6wE)pgD#-B!~ zqibPIr~SAgCd3QDdR)}?ixt$6rk&U`8~Ni2y-O=v#Nk?`hWo( zHtWp0#UY@<0DWT?e|K3VrQo}9+~op11ZB~ZuGprt<0d^Qp*elVz!5tH5jJ_pI}{?R zrEe>}#7H&us{fZSaP~2Xr>h#dZ90gtV#kZo%b@N+2Z|S+S$VzB0P`qZ& z|2r?XGv}Sw6+5b0o!#rBeRTyB&c|a^qs)j=Y-G5c_*MZM4acGMGx^=+7;CtV8!5^} z4z}D46ZHH3U{%fEg}t(;55Aq3t?OvIdV3i0Fpi6hAzbpIrIfP`UH8J1^z7Hqbc`9q zESc9XD4DNBM^I3co^;=x5!q2LX)$XWTwDCs>z%Du=8BBr-0um}mf7K3-g;>5Z`0my z6m!>}r9CDZA^uLm-YxBoOUGxTS?4{(qbv75kb(2%*sSzS^0#ddebY{l$CkK}<4@fF zs~;2lcErtnZ#V;*a8-^q9`PqEyMc14CL0Y!-e=)D%fDTSoygi6&b|QDxuMIiVsM9{ zL2Kx^;l!o|7;Ai%0zlyL+qF{(v9=Xgzd5)u(?>PTUJ!aNDPEejb>#$nb@JC7h3E4P zuMU}g(I;0;NCQ#fV#LkcFzFZ6Dv7_h|p8OoxtqdrX`9@jIHQsx{-?cETMj75c#c* z`z=v^bp*=@HQ1^YJPOzQ)`T^x5F51-LR@LrNngz*p}5I2_ZH>e^SI?Twk7o;-R+(kxb9LE_(;cSQ*zV)?uwF6AbqCG&Ec*7!W=L#B_Z$fDx0pJ3a03K7Om>*`RpXGQQ$3H(M ze+nG-pdL5L`*MJ3Q%x*>*6a@GGnmwu^hhifKKtOrWyYR$@S2L&6u1V}_<1}rM#8-v zyDy4#1T}3Ju_uji9RdfmYAi_LXDC?RhadXIL8gHl@C2$kcA$9Gwwof>80OU2WA88| zX7X8nb>Zj%-r4;b_&@9c(LWzuUDLQ;|5$m`mna9`5GJm{836TCVhQHHflmktY=?_Gt5pu zJ$Sew8bGF~jQ07p^R|YWV{rKc!0OAW&#dUx*boIB04J{jQ=!ZYznEHnoiTsu5`9(W zJhL5RrBzcKsu1d!>ez&nh^24{f@YDuJhra(eeU%7l=Fl%aAAItY;>j96X_b=1$Q0k z+vbJLVp&Qd0D#;-py<=z@GDEzI+|)CdqO!HHKPgluVwi~3(pqZAwXvaK!r zgv>=J{Zxvai%9qnGkQ0ftw2ufP(A)EZ9ipd6VuIzWggvGvsS40Bo;oK8ay#E36QsG zstoy0F+$h@oZ`$9?;`2XRVBLa1)k|Fo+X*2i3*&ZMMK?tZ$8~SBR1}VeNuPU)N!DN z^R^ePej{Ty<`?}3O=w$-a4IuFy}}!3 zyV09ugqEo~zPJnp`^(N5tXOXm*y*4h?160ugK|^v%uThEaB~zD-O@Xg*U?t0&a(^TusQ_j`2$*0zUcj9W__331GYs1(Y8m&j(zI8b?EP>BOsEJ)(J{yxrbp)}e> zk7gkql`Hu^Wtw;Rd@R4)y_w1oGFPsG&D!iZR#*~=(PSk=?k*V&cG?i1Vv{|^mdv~! z9=}`usm3w^N0XVQ(i3cX>YM(wGcXl*_}rys^@<8Y@1d^+^!yoTV+0TI(TQv+efPvc zAuuDMaK$IBj4k-t;WRwtS0%yf9yesi@&aNAR{K`SyGtV#Pj8odWwq{F>N{2F-NH28f1l9RF6V$Ld53w0^T<_RSx#0!&h2CHX&22Lpt!G%Cq=U`Xem6c%J~WiE6|ZOizg8p$Mb32P~N6jyt7ZZMV>SCQ{$QcJAC*B4d~)Tp$~N2FDIA2gqVc4XC3}hm^Ao$r4vR7wfVRx~aw=y0rIc|6tN~li2Q*gY{yV@wpyWV}pkf`#@38=;{SuEtQ*(^;Ndw8eSx7qpa(u+U z1j`v;vPA+0O8j=y>pd_XoOmwJaX72{m6Fv}(}TMGarD6u-feH&vvUc^z7r&OJ3O=y`J&R zO*t9sY=-|NKuYEmU}vWjWnVd$=bA%R%!5e-b%gp&A6yO)p)k9&L1Woy`a;7&g(O@Z zLEFG{6afPhtgnt+B~M+7wk$Nw+JCQxWHO+wi+auKfTG|A7)RsZVQ;nWPCpb5n^vB| zEq89p8pmPsOPj>+{!AnD?#2(WiUz!>ws#$3eR99-frTY$qH202ZFS$>Qv14SlB@8Q z&`Uh92_lMes`gdfZk3o>MwYWGR4jCCZ0KHheO--@W=1t4WoFFO*rwGu{xoJz`g*RG zX8Uhjo!AGW67aoTP%e{sosoPbs`%a9N}38(S<&uCy$3oD+J~)6hKusP3f1GQIRO(z zvU9o^4oGiIWgR`Cxx(X-;d0%JLX~v^PlV~gX0{n4zhtq*xMA(F`{`*36w)VHuUbB& zl_FCu$HW|c8cj5}SQIW7LOYO*Pv_QcWdD&Z`E zB+MYo_MW3m%d}Arp7ln@%GDa^!5A?m;#D=9f%a7TlUIcOvC5snk9Xel%5}xV3RmfW zW5_Rm4W7!VBODJ(>Ttbem8vE?Pwko_-~~rw=0e3)-}?`8Lq7kYaVEL+zVZkogE)>o zCQ4)^1F_!WP5?TLLzCr6ZOi8bZaX;8+>h_m19qD&+g5 zWg{2$Dz%bu`~{U#DjYuwjsZs>d}Mgfb!BSP-xD*Kgmh!mHo1*bR#4C^0_oz6j^Bzd z(bA8`_9K!mWu#1mRLQY@KQ3%wbmnUXcIp6mU@u}-Gh7k_lZ$_KHphCJgB__s{v@AS z9X*(PLrvV`7Q{E=oYxBA3( zAyeb4Lm1xq*%nW(6I)|!82%i;MBtjS=@^3VKweC#HC^iB&HD8!*4AVyEU?$n_32|m zw!U^yp76C#RsyBvqHu**fdw*2WhEPq*;J4vWdYPb<=5s3d?s5J>F;uW5B;W2W+R+c zdb+pt_M3?2Rx;HkyJ6C*27bGdTNl1Di}_vt#nUPe=beb~sI+|t6_2PMv(=E@87#%X z3K528Ypedh_jg1+VF_jqN!TiP=y1uXh@?@88Wd{>11X{*g9IH4t!Osc&uW<7+>d~g z@Q^A7cD|3Xom3wsQ&cl!C8+LWINha&{VdmyE8^))VTFnx>852FRL6GwdXcNPmNse- zGoV+h;3Fi6j1WJfNfX&UObKy@4?LtgZqII~$g!vJfcz?NxFem3O62%cjF&K}zx9K{ z|7x;9n7wp zM88ph7ww3*T&S)e+zyU|qB61F*87NVMnH!R?*{I-r)U`Ku>nRR03*@kf4nX+viDO6 z?VUjG9ZHX-(LtvbX((FyHSC66flyFMOKM-6TjXHam3dZ_R?5Q)U$-?&ON4Y$DE0YH zV|?nrZVxigkAjP}Pkctme>?iR%vI%xAci5GI$O&n-pd_s%CmF#r92wv^K6nJr0mU0 zbmikYE8u0DrCr=1B~C0Ui@uJ5)&$mf^i!vqP;);F1iPJM!xr&)ZJMZI`B^@1DAaz; z{n8^wuxCUQg<77FWJN2fxiiAp#e}+TA5qKTl#UFl?VcQuFCbBwLCsQTglw3%>3d+1 z;xo7rHilR_$g%X@{=kt1JP&mU^XLgrP$aZy>}j}f46GTu{>^Vch!UQCfE~98hfdfU zm}NOnIid{vluHVcG*7$){2J>L>|e@eE~ec&_ehpBz%Q5QL9QNT5!to}ru=Du=Z6G8m!=5Y6 z=;O>1^-n8n;hM31r9k4Bg@DPK9e$%v9R-EnMs9qfL|$LNGZ|wdrLdbrx!3-j{~AHO z@vr<}$MA3rKiYfUxf!0nCAG{lBQpbq0H9H-MHY$J$E?*Bzi%5zcz`i{yR8Sr55K1! zvSKjDspW=j=`NeTju_*mag83=h`w6bkpLZm6Z5JC0ynZKapjw9?B3Q%i*>||B<`&o z7>}IT91|pnUlNj`8u=z_aOHH*?94ru6M;QZ!`(lZ3DYrwB%hvXu9cGTKWBm!yRZ^) z;**~*Z3)o-?vr=_UT_~*{$HP2Q8b6c*Z%(D_b!f7{OI9i66@cO*S+kCc%vF79;Ibf ze|ZigiTlgfzFdi+5OW(*kgH|46vEQ`cDsKyH&$wZsUsCWW)U)$KNTCQaG|kW!`03C zU9OtJde?huy1#1%#yu?v7a2}cslqcQmyL`3=n>Oipr)+EFL+UziRtow$xmFnu!qQt z3v$x)vl?j)G?>3CV%w4}DNZ83l0UuTY7rN^Kiuk341VTgsqKe2s_4&m`IreBZmU7) zxjqM z9k`5)4xoWx%Spp!C^Of@8+$QDDVSPFERrB42f%4A$aFL|f&$^jIObJ~G3u%*T)Dd- zRJJ>k{^i=~?NR4Ms$yAmj3mB-p9aKXjTGZsx3A5=?;!o`;4zr0!NqDW!Adxbx0tH# zsI#C%HbgY7+dFF1@HRlgm}lLWYf#^%mePkNmhUWknVLqqXw_0S+r$fdddAF;En?Tc z-M%rRytn6I`O6Hr(k(S8y9|G-XO~}AqO>u^q>gs8S?%PeWyEk1$RB*^vsW*{T$X=N z{gSyeVxysT>GEy!Cg^SUSxbp!|5c>1_06?sT?zFjL7kVR9=$`?Zq(odT7f4n{UU9@ z3XAAJU*7@QaWOZq$C7ox@Ugw|sxu4O$MMMcZztp2L)YmEgWvPZ>+U6>Ct|=J)0EX` zQ?vWB__nb>o^54H#`{#rsJci(n`noIi|1uu-+&tH6peskTkP5Jd%c}4c$g$H1xv2X zvg~u1=?APzrhTUmWb}>z&N-`Gcj^%^(Gd)U8zd@~ z0u|phYfPYW(+nj$WZErY*EaS@cD9CRbb97u2$FuR%itAL{WT1>G>^vwGm|Mx>BVzP zHZdi)iE}{cB7u|f>Rgis+xAWP=)o}&`6+4O8O!xuBh>(#Q#SSV@soNDmty-NigVl0 zl7otH*79B2*grc{kt$i1m$CjMYbD0qNB4`9NJ61F-lG`Z1&24! z3VBP!C#ac>jw-3wW*@Vo^W&h(CVdIz(&FNz*sgG@EKBBz`&0R`3_rwumeBCXVqpit zrOssRR!&bcwsLhpx@&8GA?zUi_gtIO>U$G-qxqWg6_1#5#S?E|(9yYEJq&)@$NN!M$dE^w%}yi{x#0I&0o%QUc}5*N*`CrnfYfV*U|rY#GTn~LA*(PSAy^9 z6ZXr@9cTRrO(A@}3hD6&aDRYYD(NvhTRbf!`QF41+0QnpyjbtQMML#1{#ywLGy4xg zKdL1PkPwA&GIE=2eTz5A9Qzp!-RxJPut*}mU`b5;Ar~S2>2GH%=K4y&sa6kkvJh*%h@24tp&-izS7TNu6e$;9hv#8>Y7q16otII;FS2 zd0&ZNH$uXDpj9hkEqVv1I_6!fvFkuWx22;6v64{fy5rvIL$QpVX4(yB z7Mlwf+lkpwd+-rOIh47I(FKMZw|AiZ*AN%b$50EBI(+ZRB=P!8c&@)E|E|9g>``>l zEV!FCkEmDZ>oS2gc;1vn+*2pVt;WxQInifut^U`}^@RAU$HdJ_-Yc6oJT4L^8RDzu z1{HEEnCx~ap^(fTwy3DWscGwYYG#GXWYsrnhTxSS7In?8esJoys|cv-8d9zoa?~pGwT#!h`WW^}VOPBkM`C_rmpR+> zwU{xwX=Vy8{T^~LiCGNGd<)_TG3oYrX;x{!>xJvTCXN2H|b$W*rRK{l_b0v%K+{Dcvn3X*Jq>c{Ez7P0}RtZ%gr01XZ z6gzbBBo%TKD<&A=j(8QY>h(i0LL?+l;injohTU1Kxz!F#F8f)!mJv1~mTQd%)9Zqq z@nrP6URW%?b9nHr!c36VeC^k$38hTpmsO^PvU$`D|UkK;=A4+ zSX?br0m_{m8;5$9a5Q$1YHrXs7wZUzZ5B+WG8iryFI&IQ%vw){bh<)09xHecM4Jvz zV%@7@fwtc$Tct@oaytvMvVe=TV~05U(Pn?AXY6QY<`TFL=zN-fVy;`KDKN}pIt1&e z3a)xg$YB=}Cmoum)amP35Q%6?&UmF-QM~}Vi`1AhqXI8}A!l$c_&0f%H0*pwgXt}} z(6y|Nqp^J|h;RR{eGIq`WSWWbBI(5^o^$3axIqbL`{Uc#|I=>b0tF6ZE^}J(e?B55q>aM2 zb%Q?O&P+)ImtMPQ@rlK$Te76*)jdZ^{^D`l$}6kTVMHDhVBf zYrPxuRQ4#sZvvffuib7Ehh6m+MPz!pbp2Iv%~h9{(#S5xB(=EraCnSur4Bm~$FJ#@ zV|j(A{oQXFXQ3;8yL89HW29G6gu1D6U$vPgf`c0^{RwCc?7BOW{nlgbnNhHO0T>PD zIV##;5u9Id=iX7vMNil^)3@PUqkW>o^%4F8=?6Sd@V7{@pRR< z&=c!DNXs%MYg0H>cEZm=^_2@j zi^s5VaCvPNIpu#)I$hgur6`VO7YhPqhD!P1UEp16%jS3sPBDGDUo)BEsddGYeXk^s z<_eZ&-pjk(qDJrj1JVUL1kc?%8JgzpU<2xpR_BZ=by7Wm$K&S zExv<^x^`;q#Zj?-X}v8y;q02{U_oC9-sVu?q38axE#gS?>HB(=b5g@c z&!js|4ETaV2X>^-(rxWSm+M>9FuTH|Fex6;-cHbh{!?Kuvd6F7Nqsi#xk`LlC8;JM zLA2@=#CLwNdnUKXSj%8B`l_jnkmOo@Mz`dKnK0Z$jUV78RK)} z(M&Sh!nRAfx$CVT`5?UHn zvWS|5@|7S`12U_(^ng;@)3^cHX^rpgJ&xzvfa!@xw=Nr>J&+67AAp(172i9l)fGQc zJdjKP&BtFf?vD1}1ukiBBPxz)?hZQ4%8 z-$Lfouuvw+dh?x`F);$Xwq&7UGY915-4*iE-tw5t^#XgG+LxL3FPYdP3qdB2Su5)= z8yNTanW+trnlP9ty^0M-U-ps`h%NF#)ot%%!Ov8Y-#l+h@0^SFn4vFB=fY{TEQ{%nGH%Y_fA6)YV~ z`8*J1u0@&JTVe!M-#F!~Vpi*6Ip8YE53R&zF*y1RrTNHc_VUur&@%fO|4<&)rA?~K zDwfvqGhP7;*m|<7_B3;aC6<}c+;4HjF78OS;Ox0oPeF*-TG@BMsNue!cs1O5!qACq z{mYpR&lccGKFRFGc1BtDLV@-)Y^D8^y8qO%74xdd3|>pOVR%%Lb)xw*hEbVq#^^^< zpQCm2(WztDq4IMxvnbhHhx$8(e^u<|>6O8ZWl+f~nb*Eh+1Pgrl}0)5(2_CjRu24jM831Z zOq9ZIKLaIbs(FTJd5`vvx8kn(yQrp=zS`Dz#mEi%y(??Wlma}A6XkI#5_Ep<{DECW z5c_5l;-g??lW0Xt4JL&X_MW-THZhNfdoGr?{_Pj0aP6*w=z$J{-XF}v=p_ys66k5k zI3x6%q{l1rJx+1^rDuqDHldR4S0)!`YF|Gs)GL-ooT;;>nEqMleF58rpmT9lyiW*P zN9{csZ`Ui^+hmW^F{y=IYx7fEeJj>*O@PLj7w|+tY3` zSnV?s>mH!cx%;eiDO9pPr~&kZl9i%XNv;T;dR>}w^knE{j=zGQco?41GxoD&CL!^} zMKBDJyOw#nn}6Vu^2zhB-!v>^#kTS?5l&fCppBa9TDSK@=e`!u*yT1hZ4vGO4;mX1 zc5NRk^MKW~O6H*UXq`~ly@PRU*826mlDLgk@+$)jq48p>hdG+`e?jmjnq$n)t<*%W zBgD-$z^J|l=s@KAJ%)ph+Ask2H2n-{d!b^F>l3rNZbkl$xg=h49BU%st$pKHeK!o> zzg{3x&{=?a3RwLKY~xl9?vrDar|x+p+2Y;2FHRj#A2^6?Gwgs#&N6Nzm}nQVqQ`4j zYqb(F+myI18tpd(g z80Z$EFX?zGyVg%ml}ue5-MqW8S?a%6X#cj24KhMJF-{t|_wZ}tJqXB16vlpmp4x^< zB#3Mt{E2J|0+_a#oR9&kEt?PhlQ?8Gsi+{@e=r7n9FecR*~GJM|UU zbh_GfM6-rHo%OvdYjaj-(ib~J=`S=Y{^ES0`F{`b7tSj1QcD(sZi>L2^nz;>TWM^Q zU(G&;k=7ms+$&)TU*$^rga{!&jj>RvN2tiQm$j7k0^Qm$);0hhqh4I9UaBVT|*!VxN_KKf{$#B$lXWpeeA+2hk9? zKP)!Z{;fS7-?>`UD8 zDsH(uP5?FL`0zUgIQ4H6HwU*~1*%dBYDjov%<&0!x+jFCtfR;Q1UHv;9OGfmQYA^b zx375|g}lDVPW9??eZ@CLM4 z>FEH-UmU;LU6WQC3Q^)0SoW3r(-Wgz52XZm*lHK`LhK z`p?y7*K09smTsZBLzEzC*OLPaUY=y_W%w19+xE~;0c;BDjNwjS6Y9X;I!ML$9;d1< zzhZCYCADIvja_RxJ0-6tKp5EorsOKV>guQKq;S>|fK!vv+x+}f3{-MkWL-P834i+<2C&EOx_b64{z#I*UHr|9-$cG0fk4DS^~Wja zr=#@xQa@C)UJWu@uNTaUS^o|=7(ZFWVl!u6tqn>i4Le)6*i=j6v_k`9*FXbieRFzz zjUHwE!4FCmGmE-nS5`s3%NTo3s8AIN1n;)ACky9mK!cpZmxvYhOimS9KnE_* z`0vZI+_mb%qziYjn#1=;+mSEDkB&b6VL5#4=;7v#5+RlgR!HaDMO$}2N^KOcb}D8V z>cj1ukZmv6yHEDsH98)<)jNd5Sj1Ll2-z>`*cVCjigS_?(BCvoX5^Z1x0~RHRDV#c z6{h3d${Qy%*9>~#s7Yt9iAu>r+T*C)#zuWysIm+e)QA&B*4ERK4CTZ;(7bQ`mev`> zLUHXM+9}urBpmRirEqV1)9=vIFX+^38;^pNtd6K^ztBROoCZfz6OlVT34*`Opu3f5 zuZ*j8TofsO9Pho9GmUs7;neJlUS zjJdl`X5q0H(*MD1Q1ckd^>|5R%Q#CFQQR@R~IMFnG5sQ8g7lg$EVg&Q-7)VicPL7arI=bE5ySf1FpFmQDq z1C%F4Pr<77hA;@t{ruaNAXZ9y()Ug_l7aPE(yz^dK~X`&-{uFv+823H{|wwt%oaU< zF=a$^z%OXLy8g_mPo+|Y4&%FzmjVdw)z6%4;N^P0rH(K`nkS8@oAq~_wnBx5tMo_f zje5cARybz2Q~t%Qcj#D>FT2QBJejfKmLIm%`$*$NiV^MofK^JK>4kgsUUyQb5$g}_ z20?2Ceb6i)n*7gc3@Hi3t&efOORQpdIR?b#Y1T z#NMl!U&Br<1=sbLX-RTo8DQ>?F9XOWgIBL4`EUq62u?HqNtU}FOq^eTV|O`1jlX%Q z`i{{+xU&+ytk6v`h(!N<_o_2nCgxt8a9Gy%Ptgy<@|D!K7}_*RkT{O!#mbMp>cdsW z)<1c%`QS8vf18N~2qyW-DSN2LD9KL6* z@j0-QBvR!!4dkaQGaDD3hZVLzTz(jjS&x+&F5{$?QSxrERv=_^2A%_T9=tLh-WkN16!Jnwn#_xY~tJAV$&AGp|it+m(sh09eOQfovu z`M!bn20M`%vG%gzXISqG$&1bbbE3ofgRNKiIn7=ty)XvauKWEiE_%xsI@4iS@m}=K zR!)w7iu!qmPVrry3)SbR{PedVN$tWUsJgk{oo|dY5c;zrXqN zLJjDEib+`%wKJeaM*sWSTy-t^bXy{+iXSAa&E$C;yI5%aFW9XMJ=vUJ zKKXnOmNx+Um4$jh3q_vZI7WIjO|Mnd+}mpj;UCwqrvvY*9SeLR{G8F;dn7O_4&C=M zT(U(zll-PTsn@xa?)&sdPfqCFo7{2N!KjxwU&t_Iwy7rEbo-VU9>HhA>p`17Q#Alv zUM5sd6IG9JIuVzi6EnBN3nj1Y{_5)FJ>F8m|B;TSd^n*YAzE_orpyYf%pMh<)ht}Y zCMjhryN_*oGvhlj(E`4>u5T&9odEEjpW^_!Euu_XRtfYd#u1)k?GGX2JG z*37#NQr)a>y-&spxpF3rN&0(ia1`o+!i}kUp#WBA_EoN%+2QuY4*{}KwFmQ@l;0Bd z_AYFq&y3{ksyX#ypNLi9F5==wiZqnh^y1GeQ8okibp8&!(-)(>rXOQIz zzgaL%(rW(zN2RR%453i#-1k`~f0uE|Uq?G0tz6rzaUPGu`9w3kmjaV6n*1CeDGwEU z6U8`Ky|OIA>$$1KOe=RSONJCD8@B@xstpwg4v8y%W9GyH!&Md>KK7lHlyHVVo9d+x z*6$JfH|rJ7zOt`ViUriiX!jGjcVPuDk8`vd>NHXfl(50*ZQJi(GJF%hqX|!{jN(2iWM+%(CdvK?KZ?psV2?J zuecM**7qFF1^_eMBAPef@22e6F7DQ+V2@$)#}O@kNhudT+e$}?*JJus4KBGY0E%gY z&Y^nxK`YnZBA6UhHXqDJS1rK6a^dHM?@!;P)#VLx2SmsI)%}fuh1NTUsY(ob~7 zCdaicMEKPb?z4j&khEFUo!THt#4=mxm=j9o^Crr=aDxgrd|iNq?rWjk2OB4o3*3it z;sv~xRMpbI-y1VZF;GhJS)ToVxJJbEH(iSux0cJjfSYO2XK`7aTA&Xz;T96L_C&H# z5b1&#YgNBicAxNaLta;n92LKsrpiPv%ta(!tfgLb{2V+rn*83+%T67kpQFq@S3~bF zx+KCd#Nyb^f;gxc18d|31f#)>QgyfC%k8T3P-rK2LngH`)RDpzBiXiC>gI|!M5zEu+Q*yCl{O{mxE?iVt~nLt4q z=Mb7e`{RgN$+Bj>Pd}=LoYBkmhhNhvTH{`w&;li$m7`HBgZR4L&Bsoe+uNRm?QIy` z_VL@uQ(F8fk^1Ahg_x9+S{h7oN4_PFr(ygnN&-1)Jutf1!!+XPBy|4iLQ)m6?~b1Z zNbH{G5#~D77eEt|6KoT2q{ z^DB3e8_(b$0?O>EyzopR9hhSu6A(J2;k%Vwd4vVp=t zpC~~4QLk2Z)X2(}g|?o*F6l!l(&P24hS;Ak!`g~QB_OY6`E1=(!3pm=ZmVT}*8h01 z7>Bm3`$-0wUBxqu+$d!BwknurYBko!C@y64{^)Q^TgWEwFi3PpmqUe zoD7z@zo`R1>pVMQtr+i~rIC%22frvuosXpFU3e$$ztOBdy|3CZnGPa+T!V6218!4Y zjO%v6Z)m^TI(QQeDK;IhYERU`nSK4s6mJ&>+0l~VZZg4NyjpWM+=87g@!-FI1QzVq za0_wBbnK~ud7d)#t39HoD&cN_~)I|$L@exXpZZWVu=G)tX z)gSJTFx4GyePK!!Zh$48DU;-LI$$0h2BPem>e;QK3f>E;Kg0&Tyu$DEj*1r0-}|D+ zdF96rCpq3lQ{_Yk}ReAS!#AwIyWf>ClQDvNQm9>6fLfKQUa#(*KYlY z-ID#ZJ8TC}N6VjLi9nr3hA!4-cbQCF>2RA($6e!yx06*=;d#E!+`p)Qu{r()eseIX z0mA^O=sKb+TSfx8{!Zk<(XPq*$hV)#E(sOKU0rrYU?}1A-PNx%e9ZvN)2!p3-GvE= zi_O?eUkC87BHUBIb95;uY7#X{C>JtoW=&1(Pi+bn7S{l#)wxyWZnzR80Non(YF&OJiRc(BZFm(d zO3y2d(z73L_Ll#!zh`8$llW^hSmxWuvr^r524l5pss(2Xr|%Mj*zfg?%IXg9|P{q9{#XsFuVM z)fI&VM;>lvL`JT8i!r7PqYk&=wl?F$?&sWB`fXroJ;MqTZ@y>hb}qUqFtA1AMj{R- zvDDIARSOc6GF3OfIiSABpV^hqRv zU$E`W8LD$uhXkzR+nej(M<2I%HHQ0;csqHAAaSsJj~)gtzFg{+kVSb|f>rvcj%yE50~fZ*v~H zr&rdKA@|TKnTOox;L8MKIhNAqi8)tmg~OaXpJe!vjXcv8$H@`t^iu233^lLq^8h%N zFPO>Qvc_TAPz=nYJ&9GEY5^XL+1`O&@-vzDE^L2690+u}Pm1{8QW)1pVZXz=f956k za3kw8NALABI;_yH>b94VP~|JSNf)g0>vmKQpBanxi2u%BgHK6vooPp|GKD*wWqq&X zxNDK=742kZ*=B@00MAaWpVMEdK}NN$dk2M*PA4Gl9Y(OBLH}5|b(ms$v_;UcHJVX* zd4|H4f12*72<4S~9ND%pfZbQA+d&)JE7O^@?KFBG37gV%;MQ~>9}gaBb)-X&(dC$* zwTMm&rsv-K`>_2hw1ce>a_m#ui~fre4Y3EtF8g)h9kNjTV%JV)({R>db^i>^8t;tV z{z-o8*)kTqZThguSDt5=Jp#T9jB!X%{dvCmH7kRqQM0n>)~V&F;Qimr(O-IXfPf~G z&g|gKvkoEtMAl7(KSENZNsrHb#1UX$rE`#)X)-ZUfDHe7o?g^Q<-4#mV~^x!ZiG6$ zRN^%o9yA4lLaz>y_bF2NyRfj6u~&$~MA-}+T6fsTg6`6ce3#C>yheU+#4qUCD(y&k zcJMMOGU1A8H8q?Fa?Z=E7l5{U2SlPGy3>}&`h<Nrr)1*f6VD)&t7S`7iRZg+TxR8TpmL!hBn>cLJJZ@%To zCwCn7-K`E%kU1US7z}j*pO7`PclIqC#x0DV`t!Cj`x8ARG7jkpzFVjtXSd1?|7i~` zVdL0mkia;it{dkbwHUP>e-NnI+;XexFj~LPD>jrEeqSOp(A!%%iEYl(Szu=TnU7rY zk0&{K$`?dn-jWVtkB<`_x~)=PzIfp!%y$XT^PA~rl>|^#9^ashA`K)qJYjSFW_7k@ z$2jSI4|%i^O}#{8%!XrBu`v!iT?^fF`P4`%G6(sk-kR^>`O6MvkKu2Pv5T9#2ATV4HZh$7|E5y{F4_Q7q3Hr{XcOLB4KQugUzu-s|9kNQw-_ z-2DrO8m#j;X!tOVEMY}*=`A1qd=`o2M$xO)New-!Lp z;g9Kx6VEMEsnf3+H7cB@NB>Zp;h)hObK$}7LwN7auZl{aZ2oKW?b=f}J~3THFhNSGU*&VjI>Jh-a~Vbzj>^=sjxv?G@n98 ziWu(&qAL8qoFID5j;r^s-8D5Npk}Kl-DMqXC8NjO zsx!r0w28oLyZNG&v7(M>KREmZP39yuqkwB+M z7rw9wn&3}uzMQ2zbx)ZEO>iR!0qr8vQ*C4Q?@^2GH@wXy!ah=!L!-cJ0qkzNoA2i& zQ~d=qvjEugc_bnKMb@txtSRoJ_ueJNQK$J0n*qBPkguoW zxKFnl#Nhbw6Vx4?{i88rilvAX1ZxVyPvGfWKtLDzV8#HDq(oJz4nX&;T$qWfljNQl z9vwuk&S_?6+VXT6dm|D|q%V0BOOFpCN+Tl~ca&NUvo6`7N2=%?jLNM~62zYb9JQ1g zjf~QwB%Qo5Y^1j@Uwtm0>)zj@%XLc)Aa1Kx>}}Xdt_Qt4^APfI3p=1(eOSaH?H+J2 zDxTtf($cEzGk)2Vd6P0&-V+g@60hBwrg`4RimlX$)XRKY!4nLgswWx#{<0;P3auXB=SB?4bFNUH~!v zKoD*&_bHbF&+|@pH~)OR_KSNNgN9&2odCoDwrkiSX$ZrV6+=Hz*v+~X=9Zl9# z?^cWu=b`l{au$AM7)=VTaa+GlYZm2dmz>&84OxpNoB4Enub9A2dU|A@7#I;)tJ0e# zviWWR=%Afi1yJ+)J|a+ZiaCIb(LfaF*#^7`TSa~WkX!I0R>D&UwmRLJ-zOap2kA?$9>itbWJ+PERcwZCjEFBEv)C-olvD9|9Aoc|@r z^7qjh<{@DBLITQi*KMw(QjI*ma5^$SE~%y4T^X^)woG;-HyEZ5$zxg_KhwzN zEHE?h4@#=1nAo(hz2V_C-qK8DzctumYV$=qi>E1l!>}-K7NKCwzpk7CDRztFogKWm ziso&BHPD23hKO}-jE5FbpzOCD-V4Aw5#BQi4L3YQ8ZT$m9Xo-!nWWmcf6UB(<(oeg zcc8b|D2l6biI$wYr-qZ9zgK0?`*GSara(JpK1_SgR_n{7S3P&5_rt2^wP2hL=T4|= zxmKsdr+a9H_omfTE3yPWz8MGn8P;VA|lXESMoY{OEgyW)bm9cu`1X8IM98 zsS3T6_QZfly?2uyT~P)LlcV#Mz_AD#{jEl%`` z>5i#*0}evIqNp{+b30APHs#7w>N$zkshdLtjs0s&MM@!NYO7sbfT{L#G%Z~-a?opA zm5iOqEg~GXla@~k+sybd<=?Bk=|tAj1kJWK7mVr_E-K~eVwwyucYm@N>iy9E6&n$E zlt!X{XLtn&OMXzGQps&E8Ro)(0qZuNI`W z1ps|xc)uIfBp zcupmb(>2N!cT8$sIUk&k1|u#S(&?s7x_~crp3>?b53wYdtLk0dq=(A=};4G!}hhXtW$zp?9y(b&+Yo2uGh7!{`htZF#4 z2xTHdHoN>bR;+iz`J41^n|xtl7&R+d1vMgLbMG!??2CamV(lllM`n zlNZ1it3*Ngnbm5*(OAQ- z4u6-i@eGSo;!u1-r8VX)QDEZ2C!o(6ks3UCZ_%amV2~I~NJ2t$wIxd~i{??nxUg7F zxYFWhn~}Xz$|s?AgJsF~PUC}n5eW){Qf%>u`h{Ph*-kk(Mdlaf-%%5Y4qkZlv`MQL}qrxGbw`^Ce0N0x5I&#B^tux2s;dg_R7JeF>m*7v~5^ zqG~B1*}If?5i=bOp-L0dha8Y<&Jo#^xWVt0EmsxtE`Tjzc}{b z(x&KR=2OO8zR@;uay5%BrSrL08jUZnc=iFyIvH%4ruB_>8GMPb0_i4-Yo8vb@&C9j z5d=k`38@&70Wb(NCo-V9-(~u{zLWQiIV#evQz?>`hW;7LtHWje(ycy#oe5Qt)6_r! zWowCJ#)10tWwQq?6qH@F>PqJorM4)Z;8@at`*>Xfg8vnx^8Z`16vvtNU5wqX(VpU! zdlucO8_y@8B28n+b&i2s4D7?`Un(di(2g?OrJ#lKQ-BQQ>|PN|z8FKn4mG)l&6JiL zyW*x(rzg6PuIFG7sJGU*xAeYkHN?iG4x^6dDkQSwYaY(qH;W4$(4dnnnXuQpEnNDP%^SoVBdzN`^M;2we=t&0{ zf> zZQckmla|hnaauS^Q2E=-W?5XZQA;xxrFJZC;vn*JX-r>Z&82ftg)cUJwxoyNp_tX0 zMKKvHk5`nBxGpnmWPtMYRny6DqDjM->MiXTGC4T?4{G-&7?K9tV<+3)2B5qC#D;RG#<)e856Ey4Y;K9+(}sM|12cmk*0FC-;WPf_75V1_Ef;u2 zM^Se*ojcXc&avU>*Uo_6hLinWA@H?}qd3rdHPQRY?A0tm!R;Tf{}wQ*O!#8vPmaJ| z*D!%%ngnG4;-Y`ezN+xvlb`Xb%APHqq2#svn9JA&INW=2+I=phZ^R@a?a5m9SA?`p zXmHY@Y6&tS;iOIedEhx}g*f(^_eq6b{O-sBBguDDIs$5fbOTIwA%TL%iO5-Mo6%-lc#g3+Kk}6pX%2oBk0$}~Rns|8FVLh+1N4B= z{pGfcxJ}zdlUg;Y|6GS?aUDv8Dd*i&9m)sD?|$v>lz2r9FIce$+%ip9&YFJ&d@M-* zhag2#A}_LN?Cyw(&(Q^u zLd^eCuf}wzu(~j2@->h@zE0)IDR%GGF>P#PCeW!`r}pwJ>_d&$A7!OIX|<*o)!J^w zz#7D|dA6HM;lX@|l%l#Vg~}!sMK024Frf>-($|uRjzp+SuNKO!4k(+nrm4%>uJ$t+ zod-jdp=7lyW?D}4NnSLZn^AoQB=+b~|L*2-muYmQUVI%x(~LQDX;G@_#)B@~^9Y(~ z-QILIvij1mys&~B6Z#Q63%w}XZ+BV*Y4%1fHPvlK9>murVyhoxiHo=ma4$7p2Ld}e z^DsbywfAl{wIZ=B3lsn!EmiE?I*RYQ$JP1!|5*q72h4zs_Kikz3kqII_u?A zdA%R*@ZWYdanl`b`~I0o%6|G*-*D9EXn$s;DVIRU(X(9I*7{^Ngp-X8#db6~EYlv% z=9D6Aer*Dsl(555{<*R$EJF{34R^%LFK%>1GA);W?tTkx_3WBA+!}~- z#ob4Oy2CYt5#UlhaWvjL`Tj4K#X7l<>A9CyO5p8pRrlX1Ty(xcE4?j z1R=fjq4uw_oN_&t^#>tDaL7gsBZTyv4nG)F9};$APHjv6t-?GraRdn%E3^_k{Cujx zHC6e&6ukqa)ZHl{Jv?9p_k=0BNm5kRsjtPpQXM^|YG#olEPPXjl)m!bs7`6#1e&`= zpo{J>G@Q1>6{t~{c4>ktT*I_8vh$chYHRM*>&LtcA2^xHM`>$r7$j|F7s(Ae?W9BR z$D!q$Y1JZ>23%&0X|ZU&z3d`N?iNB&Xr3ntml6_sG#}x!7mmiEU_Zy{CPZ6WH4IwV z7y4RgiasEvorYW9*?vkEuA=ZP(xDY<5Z`7)(@o}HB=+S6dYXUTk}-iFPC2?aWn|VG zJd}NkyO8l~8-+#%lgLds(b-ND;l*SZIfpG<0W1DGO!2}S1Die@j~e8IhMJ9P)x()( z_YCN%-sIGgIUTMwT&^B(09qHPj^7(99O(9Qi9Q%SkzZSpuD~Ik1c@?l|A>7rZmmxf zF+vEf(m`93y>&*HvIu{s-9irpQ7c_*f+2m` za#^<0TC)kuPa0x|a?()(=D9<4lqWXQ0g;* zFlH(jE-ly+J!POabR5MmJsi7@I-&xWr3X&m+?l#tkMgrC%eRV@a;>7NKMg0)`t0Zo zxI|QUqf*>dOUlwGsUQV)d*iRU|JqQMnAFT_9;xjdLzDZ3#{b?fXO2`9En`;_dOS~5 zyT~`V*?!s{wnv8EqxceK;CE-Y_tELMYKvCKM$$cmE}6>Tt`^ z_D6u#Dk_xIq)$3o;Qc6Ea4gP=*y}=(u|yT25f+{{RzfZ+GA9X#5vtd~Gs0V|r!nfJ z*E}ti@u#RGqED|CKMvTCp7oS{C%`>eM$BGbx-|gpXE-r7M9|z5;3{9RFzoHJm0UDu z@`{+R?UX}$^RwFbPH)8L^|3@CxW?|tm=A!_4EIOf5S`XS^^-`|`#5#xSvgz> z@L)X2soSj!X6y6oyg$&M>foN0tHZ|a8<2dcvqc=Nh2vXR^T_ZW%jTj;(7 zIWxlLq0R?GRjL)Q#eLRLC|LIHO)@a-bl`tho(Mh3rK*mokc)`%%RsfWXiZOw4HP?T^!jl_hL8ZaD& znXG0d1xqjRDCE6REy~ODngLS1U7}kQ+vx>6=|VE)5r_sQ9tj|#)=mK-rP8?ulrB7p+85`qGKrhu(w~n5xy@_~_>{b2XWr z2^YSm=!zkv1PyWxQ6Q@Mvm4(1c1LOBC_D1rV$)+lt&(ph)$v!XiBeA>tej^RGolTr zbj4h2i^EU-5jRR3EgEvTH1U+ET?SoPusg>rUDSpm=0uE6h=5VTlhsbmYd^aufI|6U zq&jG&PM&_N2Abn!JL9!65;%2j-uB=ZMQt&l1e*RL-G_2{<-td5x`qvIHq^}(58DB! zh;3f)k=n&Gya`;Adz4*L>*cDG?_?y_A{M-UoxB7qgOn4RuJ!#Yi-Hv8|9m3s2kdJp`@BCTX;SW5AROH4J2BMl;A~1@kq(t+@Uh98sqJRgey;JZ_b|cnqe-b zMC7hVZWiFd?UJUoHJb=k?5K0y%}R}4OgYm0?d=J6u)J77e)RK2C60!j75vC#Rfm(C1yNW*c|C?P7Ti$1>-KAR$B7sb9ahhTNsIz77jVImT?;FOfVw0VjE>ya4|xMgfcN!wIQxKV(+9^ z^kzRH=&lgIO`eF42$x%%wfC@+_bLZ|e+w#cR9t3OCmlXG zty;qYdBf(bH%Dwb_12gKM9O-Rd=>FwSHA(MmtQDWZ>_g`TP7@?C) z^>z)v92DC^TW$f5Y^TiDLB zN=G2{7E>do5M@j?e-9lr-q1Fs4@Rf;G}Td*t~8Upv5%0uAjnTEqiR*oY;7%#9bE}# z6mKFm1M=Ad=Vq~Vt!_`k3!c|G4Cz^Cz8sd{9!;kZ^d zk}pg57Zbp3t$yb?Ispd;)2-_HfkN)Nqf>-=HGyCSu`j%CkFV=dtVv(XuaZ`&Vz*8< zsJH|E(y2w`>B4*}zWS=T{lFVv&GA$9JeT7y6sX_SZxrY`fC4@GUq^u+{aQ^TiDOrK zd!q0(Zd#er%ok6NjPRv`tQLW!zMR(6$GUPCweHH!74U{UbM@t7UO#s(znd`McLnbZ z6Zi8l)-=?NUt^2akFZcAT7bo$fg~xj6Owl+tuo^xR^kwAFp|$f^EP zsy)!kFyYqvncN{o@DB0;?w{U0M=SaH;oF!tUkpoe=6jRhpi^SUFb>&XQd!5aK!G#{ zOz6W*eaz6<%KJO42l9jA&&jmB$EY-CKioaB%+bFhBE8M^v{N%>+d8-DfeEG{UlkaC3o_hCeYG zc#5{hNCIV=CBQ>Bu3oQR(dLAG06RhvM&MFn6>H>7r?Z1@F;#~cM$J4jiGSb!v{Ny z!R}0Se`3+#%=(#RndGSAn@z^R2)Sk1L6p=I26Z0~V^g-!eeFDWNdU_&Qy(&;t!KC# zqCqTtCA@`0#yq?-M1#oLK10U5FB8VoFw+k=S~KKB4#7iBg;=1`Z}^SGXR|YBtdrM& z#Qxl9knzH#Lm35olU#m?F#;^56@a7B_lg)_;)Lua-4F4hfV@mft}${SXn>B5y!_?t z4>?$wJmUA->d<=w({%f}W!1qa%sY|)AI>c}(X>bcH3-9+(A3eXlTCY{z#X(@5j!)8 z7dM#NTM>u8INwnYNseWl?`ZpwHk{ETfC}e3>bx5M-@c>cGuq8K-%+PMwCKZxoDASQ z>h-tpC_nHWy+X=?m<@T3^Bp}3yDd%N)md&);E%y%om-?V4)m=1RgJf) z_yrNjCrA`f1c`Zb?S6d4$?-$u3(xF-Y`bJ&QukBhhwposhtA(2@%1@e`IUk4T6Sn2 z{!H-QB}Hn0g{ZDLVk7LIlEQzd3qNDoMuJ9TQBo%VQ{Po4^D}0K@EhQ5q9s>|cD7K0 z9>lk2?thA=S|ni%5DUeW7AX|=v23GmIkRr_Xv_tCHIW`=j%inr8c(G$xlmWB*Tr-p(DH76 zX?)0CG~x*mT$%z`R{K~6i{M$aY$i5?0*vLO7Y!f+_lqB5Wq#cr8GZGbK(^~)PF}eR zFdtS=uqh6`J6n7MPcWmvcqh-XL(|(hanhe$l6kFRBOIHwk_tpWk7kP;y*YnLoiu%B zUHFh-llbGfo4R(_Rwm&4shj?9v%)_{mWd70-6iBB2?Z`FY+7LlZ*r6vyI&D|+QntD zjSjRJOL7n0GpAk|4VB@LLNZo8SkSYXr%5>{LjWCXl3osrWSmuM)#v6I?TxBh8mPUC zIucpprrhSuUoL7=-fE-XN#D@Fb^R_ScT0c5oDfHr9hg^3% z)PaBeF96sRNvD%AROC_iN+S_I)Lt~CAg*2WDq7WtzWBb(D+WF}1dZRFC-}OOBt)dP+t`jdi?`c(Gja0wOO0p9)pBz2ZDuuf z9r35mI6zfWY7dHMn(`~w#g}sTlMHk5X?q+q0n>n#CWBOZ$7E?^XMtvV*u?fb=7-MY z8@;y=@zldl9m@Ycv;R`>{C>!T1N=iA$`pC(yFv801AM);R$(#5@LMdZe(3e~pL1$&h+-o3Lj8{I`{MFMHG0?$L4M4uF_M}>cz-o zcn|X8L*Gq2ExBh_vLWq}fh_;=%vUOmLpAn;rq3Sf(lq=;8$Gt` zw(s`4e3+I>LA7U0L%b?t$a7HF@HK|_GHmbzRB9_ntY|tg^@OCV{;)qoHB)9c#@OS& zkn;O#d@ypssb|n018MQZ59$eTfUs<`cga_q*-~I3&1ExU7)?mg8XO0y1O}?>bW$_B zL>YA^l`D{n%w()Z^}&wb`=1M)d|2iS_50s#Rq2tHpCAUj|NeBJ4m0K)KB%zmZ#P9x zeOK^0F$N!R6HwG?ByKXjwK)HECe$;egS|hY(YGd`(Rzl$j3kPBcQhs8kpa8Rp(&~@ z#hp=$f6rQNl!_=7S|_U8u9>pR^V-CzQjd5KO|fll*w0fxK9`ZN4e)L>vtRjhRHeji z3iXnxLJ=DSrCWM(<92kWA8%8rQs2#%%Q13NMh&W;uWNxf7~d^!78!mGO~S^=d6-{^DS$$1dUqE~8Y~9(Y$z*T}4* zZR+gX&8%XRoL3h+tQY%vAHT2h_Hjw=fod<6x+J|2{{C>*+xh8#Za2_3LA$Y9CN#5k z>bs_{lxP(m)Xci||q zm#727_Deqt`%;gt6dXO$l=&MtcS+&!X8jX-Xy{B1JK0`4a4QK@lJNq_Id4q7P<6S| zr*Y@=WKF*BK19QlK3SQ*1O}`G7bFgW0W18t>OpxnFTZpMr)D-SCNG{`g>0s8SidlG ztB6H_%caZ{QoJpwi{%k3Oy|>Lm>(fwg{CF87gSN3$V+0s_PnWYy2CWjRlmLXLUI7eI&kl zi6wM;MhQ=A>Nai`w&qJ@BBDg!r%w3v9Hcn5CN=P2S$@^6G|l#dY5H*Q55`mN+CP*@ zcS7(g@t9Y0WjOU+TDsq@o!U-*V(Z+@C(mnb!3PF0c5j<3!shC7`Cac~LQM#Nk^G=` zwoBT~B&RO}P`nWqFWpOt{GLnHKB|Y)dd)`%lm=o`dOR}HrArDiDdO0VDXVSSM>Dp4 zt#S#X#8sD4^cl8aCv9iRBwS2$yImlNZ}~a`9{R z^{blPPMBMznRy4>Z1s*!7hT(Pic&M7GC*)@20E)~GM}mVP}NBK>T46Pm@5g-D1&LP z>Z1wY$Bi;KDfA*5oTY_33?MxWwg!+zw+kchpl+U>1Q>rEsKZRzrY7jzVjY7qFJp9I8RtbnepwM-=47eB=lngniBYt zbuF~J2fZImoW`>Aj?hZ1ch8U8lQpGA8VjREL;Njs2fxZ09A`VAl&|i)w)pPy7 z)@f{Zx{`+qjF2`*5t02dY$kg5YLI`TbUM?XzW#S91o72}SisxT6s{VZZ<<=uB4rP#TS>g5u}kTZrX6xn*bpZZNO(xk7u*I%P*nC`Pc1-cdS( zg9Dy#9+E8@@FSC`qkx2wkmB%ww`HX9)gc3@HaN3s0d*Kuo*pP0xv%E9M^Z~|eWlx> zV2ctE2^U4rg-e~FDOBcJ1dzM;cB^t23_4LMHaBIkBkiq~llY=N_P*Z$uh|NVSy}>$ zH%lW#l-od~(9IoaYbEI#y(YZW8U$Xr2X0RSAqNwa$1o%J=7>-JgyFj*1|nXYG8!aT z^dkRl8+NRM#G zW<;x(W}1i*eAo+lEGZ7)grU{aUE4>A+@QTXih&dUT#Fcih+OZhlG;ttWQ~K?Hb!UoF?E@(%7+h1XSx>Hi#5)4LRCLVRXwAK=L4e3zf86P!=G*eN+J){i=$-%`QD zytncdP17Q9cA~GykI_?itvIC1ie~SqVTj8IFU10JnBd9>=*`R&`*vU`8m4(|eDu!8 zJnv>^VKK2AoQG|frM~fxwd>6)p)5PM(;2b%N!ApVI zP-?CZY*C`DIB|fE*HXGdctBe#BpC7Mp8g5X>F_C=#^CZ}jIYasQ?ZVq!sW+@gpE~) z2XJW|%#qrUPmk0%=D^S{Npwm!bheazgwj4Mi~0;b!8$b(JD+(yC(OGH;2fW2$t-X& z?Tt33Kfe_+l_Nc`fYR8ym_o%U?{iNRDn75pe>j)_83%OC;+2_gjy;ovY0tUta>*-( zk%Xk0g}SkfObav^@;R7g z+5^MS0oNt?pe~tXFGX@p<;&UeSM<(+XDO?rZgdM9r!D zs(j`5SQyo>Fr3&;T{P`jL=#ldO-gp5G7YX_MQTJ!x$T5;*buN zl84$$Tqax=m34kdVLx;Jjz0&#n58wL<}i4ujJpj_x@~E! zkuXn-yg{S(D-*6bVeKSp;gFVe!*)%dq1f^k9)O3$SQ%oL2-EC&8&(1J^%zrBu=c)o z=6h%Dd5iogzNO*IjZP)?z~piu_kKx#t=kUPsh}RayaZgkRer8jm^`rJNc!l_ncn|D zYwkbXU#Vblf2CYhB$-d0zw^BKb+V9$&)<67;Go%GK)}|nZN{US?=lxb1yl+n$o6M5Z#v!?YF$O^6CK{Z7G2BgdJ~`L%H=`hu4l?YoE3Igg~q ztv$C}nPd)iT7yR2U(P)tx#9&&-kwJFUM_5szoB7+9uT!cptxn6<}D(^!lC6&+TMo) zkCo&Vg}w6X8%B99mlHd;-~@=n8}E4vPkQd$ za9SR`Vb%X0&pSO8gzm;27mZWl_=nKd;X+sEq9Mt8>bvK;{=T|IJ4MXU8F84Cs2Z^+ z$IFS{&;}(&<7ijC^H8oS$xMNk_wT z$_X^*Cv?K-wgP)g>6zDkZyIchKNe=P2W^|FO0LGp=!I858(7!BC3x4&l-OVKhUEo) zq#u96@*EyviYUzQcFHPVus-oIAk>UqHR;rpVP)hXDk{p1;1(%$$%@C zN{j!NPgts3KNuEZ2Hr?<$bTK(d<{jGLy}`cp9(z_TX-l68b(v#P%ULOUTU=jggc{_ z%?TTi_a__lDeZv1`O1h${{^rmxnjTgpX+RI0=T!M35(6?*Z+T|#A?!7hQKY+6DK{t#}YD1#NF7&8|zn0XoN+=>0h3qe9k1)>j#-V6<~D<-oF(GV-3&>gyEP(mRtPbgQPm68-A>pXOXvA(v9SRL$Rd!mQvgBvc*ql~#| zOcaH$5EU&cpi-Xoq6Ear6p_vEn#fY~89;@=O*$;3cQ5Kd4X$egD{i;#uUrGGVKbL-g-W*g}Wc9*E%CDNZ|IKXrWm;iyT4<8GyJ3d>_V}Fl zJ)X7B`Of#(_or*Q9(;c6z3= zOr2cEp=anpwg;ctI9|!)TbSX>?0IEX&q+!`6dQyf6xdC$Jxzs)PJzxE6beT7jVNNV zvzM^Y#JPhmi&H{p!x7he#C3 zV-?$&*}Em1g;k1WQQxRZ6emuD&EAJq>7c%F+@rs<_FbKEe2{FTwOb8tm%qZ{Owa1c z`%lQt?QG<4S>r^ZbnV=XkQ1 zkAw6t889u*Akjff*-ObmaVuiwt<)pnd+o%Ag8|9Nv;qFwQQO~Ox1nUWlVOnVOfS4k zQ)F+RkLnC}>52$H1Mt6=&Z|(r@X0P7x^c?|6HH6@^?W~-(8#Lu4RGhf`@R6&ouUgt zT`04iYleS$`td$9Fy}Qg?-f1X$cAo#A-N^2c>b@3?Z0#+|M>?RI!uA({}m%={-1q} zj}0?s_30w_Pdkje-$d1DoA9`=$)*nSA6@{hu3baEH#m|}dPsRAj(&QlgEDp&e${4I zHJ#mARig-~=L*@FI!ECKVx*ZdEka6!JMIACQAUQyRwiD|ehx=R`PD2*iJ^mhQv4=^ zGsqb{<$ne!*B{8Zk23_3J1tB$27RO_d?s#^i~me+kZ0$OiC@GmVj7m7w1G^AawrY< zhiI2B6^1lDN~_K+>Z{f`Py{RVd{0X_kASX61rwJ73uo{`Jkx{yjHrr6u}G*ick%XayQ{wmR1mlnvm?H#aByJyNU^1m&OLmNji zuzHD8y~y8<9UgZ6?8p#mBIAMMgK?=f_WecZ+g|hn=PN-R_g)lIrBBATwouW5dnyTr zv{9yh4a^dQX62a-FAYu1*8-pQ*59&4Qr3!AI5*C*Z)qttDf16rB{(8qq!!1fqFc;R zu^ziqfxHcK{+^}MDzb)R;mqMmb>yV#7Svu`#`3Tu^>(OZ6 zAfjP#B1($B()fwZpFi2-sUrJ4GO_{kT#ViKDW6wgNxsT#dJEN;xYW3V4jyBu9S%H{ zu03t{cEeJvUI>VB;LHJJP)#1=v$)jgij&(W@UvI}t?R<$SFvpS(q$e#3+KC8!0ny) z7;Jp3S3$Ufh1&+N=KW0y3dnnZrN937|A!(VYsd!BDOYdOcucBQbk9+^U)xy+hWG*Bcrjbc?8VLp=m;Bt={$pcBS|yCOlgux0Dj@ zJr$U8R6hav<1tiswIhi|4}Lo~V&R64KEn7FKQd_xbp$$Qq7F33P<@2ire8T|$=V_C zZh4I{hT%e8Kt#*TNu-etX<1#$~FBR{aDrUGgG4)wR|j@6{1;I(4jnE zPV_vOm9B?cc*x`r2~>aMHXkwiw#pW#zb^UEt2}#=pUX@0yB>||zKPO7 z;>r}M3Le?HVdE@ieetP|q)x5Skn=8f#7> zE!a^s8av9oP}CM?y%vbPUx<$$wV!K#Kd_$|3F~IU`}yf1$J0c9%#yY;l^s>Lz|Nx( zKyNSq(j<%zfX>n_IE_)_V}k#E`|sj z)!Qz%$NY<2ga;=j`tkF!tnBbcFG<|Xpc-NqWmHpw}MWyTq3y*4f{Fyc&h}USM-gn z%@$!h&yM%96H8OvXnJah2vQyK$5D1tTj?W<(Dvq-(B+nf9b9+x$&OKkhZPY#awDD- z7YU;Sb1yuYN7OTVMT!9odabv@*?v9Uj}G%FW>4Ky*P1N1_f*qI*et25@Rm(eXdeFn zRkYua1on{;j+!fT*+rHC%Y_^5`zgn@m=#Gx$Cu92!y>P`QTvY}nz5KfV)L%pJLZ6A z5WGfKkO+C4ZY%uhuiovy|Ij`um_9E>l#lV_Uw`+*)jtKdq}F9vwc6!AloY~_%zh(w_v^3H>dM*d5=^*!EcfH9OR*Pf1QJ{cJBQj41uAPen+vt%uVe zG=QXwBelQDC`5(qqvT3{cLtEx5s%ZOEPsA);@O+|&B}TDlHqK~U&wZIS(2WpRtW!E zL@Nao(<6zKNR53}Pa{$t=imYgIUP@4uTT=#aGE4>2wJZgo@hi#8I|Si9TIR#~FIIu!n0rH2USW-e&`#r(kTX~4KHQUaic~g| zjQfAXL_s6n7>pS{xVEZ~fByT}`cP8*fmw90BDuYx9qs90U?cYmsj1T3Ns3>%vPFK5 z6iHi-8$N;&kjw;7_`Zw7m^jprPm?6{wpu8X@NAkOe!@$j($rx;u{Q z*MuXZ4R&)_e}R)d;=zba4jUj&Rz$yn*dxxH5@8>(b96 zVkoqOGiYKV8Tj+rtXkJ2U*&m}l_Wr&S4flb7TbyY6w(af!5Ma4R0jA*v^r%{)DvAQ zjQDmp)HB6SI#nh=LWRecECf@_9Xvy1La3g~jd3;0%z?O16;g;!R2cvG?Yd>rZ3Pg_ zY{Rw0J@GSDOia&dNMn^6q$xpCtt+Q0v=6s$_PVrr*Y`aG#f0{oaQ0sZ@P9b0(^BBD zP78A|{*5(%puh|z%ANbQJW!Rpi9D0Hp*QN+!as1d9hG zL=MRw29Kj|*Y9;39IeDb#Wu(k7qtk(eAGm^S9c_e!|Z-{rbM$IQ3RZYO1XtGS1cy> z5H!iozx-;^@GSjEG{GHD9P3HMHM!(YUKjt)2X~^dR;5f;6dE=HgNTL6R&FSHf1&nX zxpCb1W^BQ`(;9ob_pzJhJgv0N*kdwm704RQ~!; z0lG_@!ECkrql?q``&*ocX1|_@oz0Qp5(ZFSJ_e&)36^KR$GdU!?5y%(W7QUzk9<|A z(OnHCb{J-PU2-zp{QmkW`Uz%saa&0<2XdOVZ0IJKT{1kcCH?P>rTAMWLu|vhNw^Ws ze>I`3@5OmYA)hR#v9&?q1;oGi1{$oLW*rnriWIo!WJGIk;ke7c+xaS851=dJzCbu4 zJu{5Eq_tdCt}@&3%}jd;X>;p0Ei9>`n4~=R+rbjLYkP=mIc;S3R~EUv z0fk^*6S{lVzA)bPHy71zaa!1H-dXO*;&W)$-fgjq70N^*-;^tLUAo-&(}{F!_Mg}% zVpyAU&zaCujss6u7h+WIX>I>ljMwQeGau-(yI%im-t zU5BS#3y6N_>||%fx9$@Y!TdV3UW;4?3Z$rM5PzGgS-IkgnhO{>SRKG@U9uk(a)SM; zyAU#vwZAopB5UnaKX_*aDH#L*_hYV#d6QM&&vgF#<-lUSkHj!8Y{#(m)b|&*y924v5SEw|%EThn+PY%5+b0eV!sV3(rS=^`n=pLF(r&Y#Ls5pe{ zoGb(urhukQfUQ|9TbSp;6mb&q(I3kkSNm_Oh*BEtJCYQMUnKHbYL-Ysbx@MnleR5H z17l{X$rr$cow}3xG#RX3@r@0V&(62KRDiiMNB<0nYUH{W_CrnpGXG@N8lgV|$1Xgz`X8&Rcc-wIAl^0#v|* z$3uJ6Fng6po~z(S10(+U#pX0QYotr-ekTw4xT&ntmB-z2`@pCGCs|Kjs7SK!1*8N40UV zFv(iex|k#Jl7IO6=j}_fJY~k%O^{-QSpaZWFvizYD^WlaQ{xbyyblv+F47*kwG9Y7 zNwgkEHEq?pUhhxcN{nIrcxnrN^Aaa=@L9YdtcIrouCK>et0$Imb7~9jN*ZoWR9Cfbj1zrzkOoebyLzZFR)R^m;Mb2M*Fg;Z0f@%1pX}+Qcz~VEa{ujgEz*I? zs{@Y|#myQ3;o<s@d<4RmR8=DQh>81IW?s;C9s_U66qar~>uNxU44KonZMw=mbGduID?Ec%o_n{N zm2h+rQA(Q}(l;D2G=h3FzjRg?)~H>RaJD4S@CkNQ5<%&0Ps0C-;K!WyzbY^x6m;Lj z(2DTCm*@J@U#RiCyEP#qLi78EuoHOS6fTuN+iw1>LeRcHadVQi+xRH+=nAQV6ab+e zgRf8%h*jzBC6MsrW$itSa9-J!`8^+U?_}Y1--iZD>u+2QC&d~fi_c*Ptr}M2qq8Aj zwBQGO*(%Ph(NG~o>sMAXZ3aPH4kFHP!4d<*nUD~Q4*x!0qoDB;m6!}^4$mSulxp&~%%tuuvde`wx$sdfYSFL8MUcDq1Ux219i%rgGDrfZHrQVxWY7DJ zLY|gfwbf6y5aN;x&D_ab1{rYoOM(qp1wnX(&P&%1USEEFdYH{mxF8lNfXM>EJrKJ< z&0`#%l)-qo?p+U7nj%k=h4`L+eq=6gz{B|jVg=WHebIaQHT5F@t&IHL<58z&$Dd>Y zgF>DM6bYGPmxq1husb7wL@jjYRHWQHVJDoUiHhE=?G@SoNgl8|kS(Cs88Rd{jcOB! z=bEqEc*Uc%oZ@b?Dwe_tcnsO4f=5gC`#l02QAh(2CZA~r+y5lWhre}&7>1fPeggi= zS&rc0p!z^B{HS!iwSXMLOu9$(?U9 z07TXNv4LxxB|%Obt*Ox|72&$v`&<=!AQBMj8)0P(bwad-@1~pFjU~5w(>{4%uAeJ+ zk?0tUho;mz)Hcp=SqMS{{tw&DT)Z2`2nntVN9-UhhX;>#Mk9#C2Y4iKJ0Kkkiz*B` zOYKx%2Y90zou1WYK>3K8#s>2=KqzGmszRKM~zf4B#oFx{P% zo{;bSw28~if_a?oKIL@kO}GW&hshlOa%Iv(Rd=7>1a!j`yQ8bCyBt(UrEdpax=ZA; z87gNgRF4U=0(veB-__+!y1A!%9w`8;V>vqG9Z-pcJr`J^cTO8lhKjzHluhXi?off# zPyva4`hf^bGih+GCiP@6o1AO$C^|GNprX!Sr?L&(E>LO@L?Mezxy*;jlxkozwdHT+ z4`q&xQ}_xPV;f@mT@EtYwvx$Z0)OalD@GcXe8buqZ5E~)CZFiz8hW!(eubkl2r3bPB|VNrod3c>$|5k` z<4vcfvEt1pPc-SOu|lC-p}Gy#*)7E?738}hNFeb=jE76441*}HG^3;K*I5Z8u9WA6 zR4fccR&#R9d)ZLcdv=8^2u&?I6xbd9lI#! z^9<0hl=iC-erypkO{Yq3LPi9JZRIP7mss9d3sw<7pRbz^loGxEo0 z1JAvI5Wh3k9jU;)$3p1V-$AXi6@w*O#KxQrOA=5gY3=(|2Z3#rCTi`Pf+p~dS4s?N zsel!3m{&GKzw-o4*t+<_&3v;KIYXf$ z618=5p4wkocxhv-WaMw1-Yd9Y_Q(!9#QfzJpiUT5LYa3#);+)ICAwFu^scLX&(XBo z45QcC?kdP?;yP{DK>(LnXW8~)4*)UiEL)bzb?0`8B*~65L)z@5APck+A0aeRcA_l5 z@A%wlTX9Yvf%%W(Q`}+;R5N*@56V(D2p#4@+-SRwwFB}j%@t@phw}8}fPQS|d%?&4 z)zfy69ld|}VA{+YcwUILq@@1GgMi^%2Kc6U{@uwQk*@FpYW__LYb-)Je8w2m%iIzo@aP38FuslthXkMw+ZXQ2L+HDgGbT*756(@n4J&*7=MS+l zkXrML9h!g2{1+_@fm5qDwEfjzfbN_Grpj+n#ZjvYJ?OQyfu(c=R6Sv-GvE8;XiCp= zx5+M@@zkNzDrA8Jx|)a{Ds)fmyNy*%P$0!-0`hbajmv=VCv zH8}6VSByo*UODB+1rQzOsYkYfbFiG$Q7p>V7I~X&H3$(j5)xeFVWJ1;ERis#(-Q&whFCxHCgu7y zDO~)>=vNefINowkzpA9BfM_tN6W=A66cSwmr{tL+FaYhCZ`U0wg9mWsqk%*-PNR?6 zNm0aw!O2d$n2zJd_knP8V7aeQIR!WCvyp|+)0lr*O24dOnR3`Zmuas*-H0O=d}CEa z{?PVAvgJ}wVuH)<&fuVq0N6nq262zYx;(0E$Ql88ov%&-72qk4`&f6Ev)=mxcJO1T z9cMg`vxXiBI_xcUnuD6&yBw?6OV=I!Wa&orCk>ewB_+z*QMO|}^38=4{lLQQ>F8Vd zexmVv#-*|$O&!WSVxss|?u$m>IM0LW8T)ST>raOD-8VmMMTlLv1mWh<71Vx*ajxmn zq}qN0ICh=tuyG4#VNyoJ#bJ?oX%9cw5_Yx2BODJJ5}I>#uh%{Kuf1-=rTxP?Z$(#< zT)B5@B(z`17nOhjTNRmFOxIv0GJkUwyfn_^prRxy7oF5Bp6%7>y`qHq;!nz;W2 zlh-5Od$v=?A>944bk>7|XwZ$XR}!(|oMJK#-ji&%*Km6aHiS(>75N9zJNgTJd%(kx zIVwWq-3z;Snb2|PlM6E9soSm$%=w!6$9I<#*Rj5DR!mSW{}>azS-3vo0^Y1+AN`ry zYpy7);o0M#X0V5wAg&OxUIM9ag2F~zHto5W&)eN^8vHWgYUbN(!i7HZI-7@vtoMO2 zPAhV{PYi83qebz{>G1PUOD76#kR=&j zLH(=yf;3@-4%cMiaJcJGtnCd5Sfno!DBQ+4$cKy&jFbc8;jfKrAVFMFOV3GzcTxpJ z9b?wbp;A2Sp+V>o{M4+TX}=abcvZmp)HYme(p_{}u=mb37xJ+y_oE-qBR#L~>j}(= zIpK&G1|(&Jc8vowc_M20!7SbMLF34Q25q4 zpUQSx6D%OGH=Nc(bI0{(^)0bf>RRQ*I@#StkCh9F8KUZxU4}J~h{!p8#ls7^UpICb zuZ=f?U3g`3eV=xYQE3ME(6xKrrr2&*pMLF~(q6fHQNO_TOFj%SAyf>b*7RB)eE1hH zM*JZT>ar|Fn6H%X7p#6_`4a0%r{K~8ph}=QM3QcuKh&3gyy~De#=(%qxDf&@h>4}y zJqKM4rS6Cg^<_vcu)-4T5il#q+YN18USk6!eI$KXSgn3@eE_}B5Pv;6LQ8>uBMvHj zaw7zOLJC%LD|}{-)*-&-n>6%+SQHW*5kh_gjV!K26L_@Fdy6?ju(jTy?@#sYb|oIU zDk8p+XyUWu?!K|SJKBaCjZBE?{%+)*FA^FDS0vteqjWb6r4_Wx+^K!{xp>Ar1=*Y>JApi{9ZUugoZQ{m%QWlk!vjgCU!6VAaB&j^f zzvOmD;pFsr-+{Z%4Trf}CQ@mX2P5&#wbSfG6Sv(E16}`lUEgyMowkKEvi#Y!PWeE8 z%IW%#xtjVgYHULf=-Kw=#oJxmGmvj_Cs3Zu>{k<5L?&S}JLQ~I19q@}MKb0#o6(Kn zG1>@F=%1dgWV(g1K}}sfFLuTn%O5EomS&9e=uGP@NL-vYT>dyZQ85r$0!@cNCXdJ5 zb#}XmD%C2IS68)ol{)PNlVT``Mz2bC>L#ziF==7}v6hV-|6m=T<;P#fgSBdfv<|mz5-(9_i_@ zm|xU?U<}#a!o+RY?6%Qm)Z~|v!)7jX#T@g5^;D@T|$BnB`g$ z2TJk3NRcFTeJ61Kh>^;6F(QYX6H_Q()MVKkDYfpe)n0={Ti+Z9pQmYVkp zzP6GFZx#Qy7^&+2uNbLUO*L`RYr5B}tVVJR>YPIkLCaZWXefUsx~4|fN@IE-+pzSp zNl7nGUA@7FEJxF0|p z38sAm55aZWW;gc@2qg7DwrDdUeaK0$*8C|yGa&}ac+y2lD4BZ97n4V|Jin>RW%`iX zHRE&Kuwj*eEEtjYugt+b!#cD@NR5;W@JMP5&|O+b56=NYr$#f-X~?PdJ*<;C%F2;z#eyiv{4(K;a!<9&UPT|`iv{ReezSHFP$0@4|6qKMu=p&%Ub zj_V$UgHe||@4p;|z4gd2py?nsG+;kHc-R%@M=bQsB~sI~_}6+0_o@zAhZI05`@I9) zqELg1^j0YP*X5D9gif$vqQWqoW>S)zs3t}N{@}h~__ys;P5Uy74BWHPcJv5Zig6zI zy2hWDhz%lnLkJVaThFszXr~*%>`8blvULZCXO$8bBNfkec;o4p^qYC0X7yA6DjU3DNcIu|@mm!DN^Bcz+ex0@;YS+E4B$#r$ z^7ZlCBppv>ejO~*@27w)rzWhiW#sRkEKv)(R*qx+NP8xHfkYD1`%&*c_hj276|B^t zFM@CyN9wkm@X1wKT|u0@)@0G(p~KA89Nd13hgj|%nd|wb$`4D!PiuBva~H_W@Vt|b zYoKl&DefjPF}5kxR(}C{5_D}>n^d+RhLybJ|B5CX|K-Yz6bN}ZZ$nS0KJCo!YpqDSY9_>tr=>W=YzEs0s9)F<52Lr>zC(2u_B@T zdhVO$SFAE;-PvdC)^NVx`9FXB zhub0Uj(0$c6&WXnQMg_CN8#3F?)!u7KQ(UnRgNY{4bw7KKOY z=bUuK?oCDlkq|MGiI&UB{phg^{ zmGUA_>k=aFJjr722NP@(ngg8A7Ut5nFdaL=#HvenCU!C zfHIS+gPR;LH8R$vs?~#eGB6ak^L>DU6Bk~W*KKwkjk?2vx0`agB3o7SB`BG06Y6EK@dWmX3mrtmL z<>mPXLgZ~Kx?aaU`6WQ|Ys_s2;}=sc$?Upj?ERyH2=O7#)utZ(I`^u1rlS9%P#foK zjR(d8OIIYs^G>6@z?AqjfWcXNS7;9AZ7CTmOL8^iY4%}Sy_Zmr&N4N0XQ0<<79@e1 zmDtmn%IoKi6Mr1R&U>h#rT4GbLD7&)&31{lBi?VEHhle7QMbJP>%(7{$Cnodu4~#; zfg=Tl9JQCOq6#RFyu#mCjC|wXvGD+ppx|}>g?WQBBz2I6c?KZ|Rx#ba51u_{u$B67 zV84Sm#f6u)_L_b@p0WLNEPnecDvaL+suc2 zb9LGq3xCVDGO+aWF;J!%U+89_br<)OPt#xfGXTavz39T$4=m+py}esbYv zQYl5hq2G+3^0<`7W}2U^L4h&6PWvhiIjh(>=@=O~{juB7CB^gYAE+eX*e*|@V>hc9 z!c~>yL|razSGUKRbg9|2S|9;vz>}%S0ERo-AII(H1!RfrTkODn!p7s>YMY1lr>G%n z8O0&dYa{9xW{vCoa05d`WwP_Q!u{Aqj2p#XX>hOVmb%NPgBW&S!ZAx~K)(1$Ams7% z7CRO$A)4{loKrK2{V4ILZHdWK-yl4651w~$ljyZ$7NB91oK2`dV0WU-%W3O1a9W{N zffmu#^X$|`jPMrqVO9}~W>y);hP4ULbzu#d#AZqzx_v#>nW@!FOqXk{Ui|53l=e;vDV~?@$60>6Z$M1J&t5@)K&EbuWG)F)PI_n+6hWM5 z@k!%-!Q6m+8AI|Lzl6Q{GP)`rkgSgfLHJ*#!4dS%ghG98d9TVXu#y&!;3G)V!Wf&N zqDLBaZ9yrhg;3W(vi5{T8G6S(1f!QD*fK>XRGj1jwR|}DQoBmUXXv@*qDgBd-eO~ z(&-nFlN2Jq;ak=29DoVjK3z2lt@?hIO^$I`fP%5s{5@228+kYo>(8wK;YPj^qbTC7;l1%#XTk z^=8^wu}CLf&h0$&?|Jq{sBHlltd+_GZ`(Rh>t)>cEumnByer?0>C`IS?v4<_vPlD3 zlZsq=mW6s;*qr?HTnY--6W%_Q)T~@`0PrYvo>3HqF(kEHqyN6Ah(|!Ae%5 z=1)VW^X0`B!fKoH;T8#y(N(k4=-Tv0$0E(x(VWX=;l=F{UyCgl_n$A27Sr9q{vy92 zWH4my#{9ix^9>tTMd_=1T>BP_bI$nQ$w{ee9@=vR*s(Y)^xK;#zc}ZmjK|5b$@N}H z%cN7%LK8a;)4Z0wwQ|WG3~A+cs!_A+BQ+g<`B+iwx!b~gyhmi5iaXK*Rl%Zf*5z7 zGwNKG3!0Gw%9#eoUxLf6Tj>`7Nvf=399nGizO3H$yN5q=2hK*vKCP5q1UI-CX}HkH zk1ZNfR}niufG@~-Fo{|&ig$QTUbc>47e$~v%eM5zrngB;2e#u|?24LQ?qbLXJ|*FR z>}GOK==Qf|)*BKGF>8+`0$5mF6|Z_qx`oqaS6i0d#Kjei!!TPv~RuteP*FaB(xoA&TXHG)KxNo|!`vuu8jGLQX@Q^*=8{b*YN?GP?) zFdr>WV@*NCr`|mM!`wXy^K8?=sy!Ai1@Wrj=3GnCOHw>qmSX9|Dx}<$qSUStW8On) zY^_iVC~Bv%c5L`rU(u8hNp5-Yb5=EzJl=UrlGL@93t79|A}2-^X75zK6bWTQGe;gX z?Uu9JIfclY_R$nkU>gc7QM7lu3t5wIn2H#Yd5gTaE#?On4-n=y*Vn3&Z~RvR2kVG~!*6-D&DWVa zDJQ*?-`xa3&XQkVX^2jVfk^n{N%cY-vDjYS`V4cKRUvYl+JuF60+04Qf(4jfHzvy0 zSm({y^X)^rxu)T!mrmce^c!?$xC7?(WgMLT2!&|6F|7Ld-jsHmzm_mZWEfHSC3UaZ zxAzbiFBoHQK%hKJzQpSgr$aL*BPB7B+bET_j0Nv?HUq`gtQKm<8(Dw|uIAYqd^mYm zniq(3alG2Hbb+Qgc1<0AKzqfrPi$OCC5Ja?Lym9}%m-yTtickK9~)Mzj#ZwF7QQVT z$?QX5k&F3W{Y^;Q6s`b)WVQKxRgr1cE#R_0q-((|hDFa-`>=Y{tW`8!ab+>fXS zvc{@fiDxV3mdc;6SR1Qp&U0#Raau7!x-?7pl*i={ROuQzT^ECH){@C70=pYn|1HRp zlS#te9-T}0ckQf*fJ3O;WsZ4rc|sB12tL-%Mg;s;kHJoavGCm53s!zELdk1ok7St& zqx~tlawYETyrR6Pa7eCIGH>*DszT0X?|#CS99X0{HPqq&9F3bsA-KqwMn06}V_i9) zigO8cEG5Lrf)cr_KMJT-3ek_8$S39Nj4iHYMBJBk;SZjF(EilJpEJLXuW z@&g%kXCz9kL!CX!P8k_&+2Z6$7lG3#(17kim`QUjlc*I=r}`Bz66M5ko07?^^t%3X z2o}-_-~Z%qD?00@&$04i@mdZmwUZy_=iIMfQbC*++s$M+xFF7M@R!LdwQnuV zVCA!A-$H3B_A{bTw99f#PI*pk?#FAcrbEv)b7FU-f@F`Kt=R8Ml5yQn@w!0UufH4% z>s2TEst8%A%Na6yHSld?_+5g{PmZ?P=@9o~p*hB6=rv|1oCaVAFk$Ak;|H~>a&y-^ z+jZgTJgUvNjc`1f|0)mhKzAGH&%Q)N#C>r(_h;*%>hAI1#`A!hEE^xopFT;M<5C+;^W)6|tq8rbX$$!N@Ry&Z=4Hn@U?<1yr{A@1`$^d&Aq+-4C z_y#5~$_bGbX4uYLNF{W(YL>Jo6%dA`2&q7sS>ze;20m3L4pV@Amm!Igtk@fJ>0_lW zJ$oaU+Waj>47-BD08J`oi2vkTZl~q%wU!9j0X8{EBQjRXGl?^0?H;^ede?G{Jt!XG0vPlNzC9|MFYV{kPx31;-p=l-vr9 z%?n^vQxcZ7Cr*F{%e}(ayI;J$94ola{9=aOBcJk*vF)ln!8gr#?aw+EHUuaMvGr~} zmHpgetL_X89`>D_{Oag=Zu9N_eNeT{wWAcGD{q-IyVl52GMH#!Qw%Y z;~FWZeZfUu)KW0oeJk1&8NU^#>Dx@=`)T^JMF#Vqqp@`2GII2gEzWwJ2i=`c7IA&B z7N4b#t=^3v8jPk=Xsd|4FW;S5TDxpIKp|sI`xb7M?g}PE^PtVpC}%u}WO9hG zs93=-j{4s5PZ2vSnHvY^6bAF9X1#@a*7i$3KP~3==w?)DMHPS6&WKBWrLM)#iaRt` znY-S$oMW$n@9ok1@v$8`qSI7M%X$4r_p@d7WT{f8~7vAo!&@rw%5ec|G59;=lw{JY+PKbiw?QXVGsN^3GS*G3e`2=MaUl=+p zUF?;KrGRuGPT>8gz);>l9nNo&F&L zVHnIMZc8FIe-VKkKZui%L0(`1Cc#A%2}&_?a+asbL2_20k4i3>-*aV__b`e#{@6@I zES+hRgKTdhn_TB)=oYSB9IIBy#Ycmq(MTu@vv1K!EQzQPLfxZB=3GPcXoZH_X)!&P zG~s_S=g1FIGn-ZYW6c4PV#53ALf*%WEeY?E(eeC~LUv|f{_}lun-61?^8C=pA_OT{nl`W*1#SQgQDRPxcVo(4=^MQnmoJ3K@7=~wvVysXGyOuFi+)a! z;f0Ebn;_^-i#2q{gG8yUwEk^FSrzfTe7a^mv-H88q8eHRfMa+08si%=6rhrRrV~-; zDM1E@R_4CeLjvqwBNJ8@eaE1q9?j-?BV3XwGCaJ<%JkL%+OWMgT=G9Gf}wrmq_pAr zH9RLa5<~<^8H6-b9iCSK4Qr4_ANxOG+;k!R<-UH;mD!22sz}> z?yR6<+@g3u?Le;oxe{@A=;(u(-g|5|3GD<~`GguAQS$1?W52_C!)<=bnFQGO)H$>6 z38r#H8s@T*qqVwGCyb#Tx`zyf&b60s0wCJ&E*`Zt!6sOV!!&U;@}0X}wqAGwh6b8* zLc3;nBm>xay=z=gj zN3MTOK33r>0#um=*r`*IyPlxrmLQmylDd>`lG; zc8t3lAmUd*-~NsjZsq&ji_|~-l4SS7zj#=_szDfdLJt7`!=px1k!dB#==q0?M$-XM zILh0V~c>Tz(UxrYhW!hGG$7MYXWE4~$PG#8q*h-sLl8t_oF+})jB1zDp%M~Cv zKhCGVPXIh@xlQPw%Y{+FlsLDE=>K)O2#GM#qCKxHpmpkVy+yL%2mG~f%lJ63PshnS zeNXd0elGgE-5An|sQ~w3hiP6)Cj{Z*{MkBwX?ZQUAEpimBIm z>Gl6%JNo@w<;ilz#P$G=vzwK1C}{LTnsK7 z#OBj?3*vlwp0Ph1!CidfrpzcT|INWD|U#?#ppt$q-IZMtpN#2D$ zP5<>oxJzSvNPd|gz00f*W@q`0h?g8QsBsXdK*x8cUt6|gmbfK(`Otq63Maxi?W{IQ zKhh%BKftEFLa$*xOKqR}*bPdY$uBVExty=P0^95`{>0v3X-KG8?d%E2;^L_qnM=u@ z=m#xg81VkXY;l<+D>!$@d1JTlNhPZY<1|(cIh3yRiw!TxF?ekEA4djWUyh601-b{n zZ_4wV`q7;T=+KTIgC>@hR*eKCv{iUds(v1BG9M;zuflxz^5`*cK4&=i9QXA}j;7wt zI8M7RQCeI|nh%>Q^Lu&t5nU^ju0Pu!=%h{Ert@I{RMC3H&u<4-S}dMVaa#JJtl zZan^CmRCkC$q~uhhr4};(Kb;VpA=33l56mU)^<{Uv#w<@oUZ!Ov2T4mK@_9|e#di8 zF%!0w4g2ypAt5q!IUzjL@g70!O$PJXztTiv7XmK70=xQ!FR{tUzHoHOsy5y*k&!)_ zDbgaEFbOvHyWJm4k-z%oa7JAlhu6k#jF^*EU;(v4Vf>dq>iIj+3p{Xv?n=+Met-dM zvZFwt8-=%ht3nwm-Cax&v*w;>O3dfHDvW5RYEl;Ll=JKXR|sPS*~#tg@C&P1jBOjR zMJ0Q$U^B)`+M3H4l6jpBq~1G62XO2HD(7ke4Tu7;$2R<7b{04SjXi?T6nN$T4H>G$Bt$1cqXmGhC#FUbtzirCm7KZkWuG&nIdWyJ}(^8df*(05-cUu><0^wdgqYh4XYEBqN91 zZFMMQ2!&2fITwl8nQb+va;d|N&7||j{4!pigJuwZm@#5gdx9CO-6e8>Px`D|>ux z9WvKJTLmuUQhtJTSiT=2#Ku3%;_);m8sE%gxmgrP3Hh<>=11BRA1hzFj++|A5_$9h z>%NVKZl&kfUy4cZg!iMoI9_FMr=qI+0~f}vu8J4(={iK(Ouln^aJ(`At`q`5BKP4- zgo~IakYc&9_Vam%VKKM&d!@Tjp!sh-XBcs*8(A%yAbwXnrSw2W^I^kI^Yt96W5Imv z(LzT*2u&r&vi|9}jPP6r*)lp}Y{S}sw+B;EK8S6cAxcQV>5s){TN)^+`P8Mtps>b-U-Pa>feS=v8nYR#RPzg*G@j&b0L}xC?i_~O1_K$H_pB&gZbYckKp5b z2~RcSOqe77FLqAKZe=;jjL&w0C@4N2bYg-se?#{N;tTc=X9ukPs`jLG?rVX2N989c znK1>xmaN3d{tnrquTdt=XAaN7AO&Fkq|Oo>N@RfUTQWn%>=AeXKPQW3s-!b)&sDW) z6VLBJFZgvpMXXNusmw_YIr(pa`rRzDg`{mU(8$tkyOV67apPL~)r31usx-d0dDB zjzrNw^t!?2OPkd;0$-7iA3!!lo)^!w4L|;IT5zCsJK;Pi57(Z!57P|G=oITFwo}tWug;*nFZ-2vo(gXiw|GYaUzqL6I8L0jz!?Dl zqa+X`^+)B#BD!=hUX<$1r7U2!w{sPT!#W8gtIqR;2v{^P;H3lcN-DSJ1D1EC0c$;N z!<@V~lbYyqSWyTKyU%kpVkVd^+|TSW-Jy1Ev{ipsW>1IOUJ%YL%>>}skX|EO5US13 z@_*QS^KhsewtsjmMVIVXAB^?tdJ|nD4d zDtIQ8yt4h9*Yh=>dmjas*myN>RIOV*EV~l`*jz%?@rnjVuEh^J@8b%&Rco{hcX}m$ zoDG}tr2wppprv0npBSX)ah5H0=D8&o6EB49eOf!_t`D*-v(?3{f2Kb=b4IuFLaE;p zv!(wMND<|$Q5F+cHHyf9WT_%195d4%vsUaL0$ZH{KYKFbM?lwuu~wd~M_PGPR!V8z zioh^1V;;DGm?=3R4Nw{#rh{B-fjyJ9&(BeTR=p~dn9ddxF0L*275z{Rs2RK?pG#Ix zeEqQDsl#NYuCiJA_)>SIHwhmJLC>r1703+wA8oe51BD)9iPjF8Anu_G( ze{KzP{1;opqSXIkYnYb661FNm;;g z5Sz_-guZC6*&Uqqwn!?^&XI)B-KaaCno3-yY*jCT6we)eSM>qbgx?J~x+y@9kDiEF*_Q$8AkeQwQI@by}~d_UKdFAK7gPSXTKS4=|Fm22YL#@kXlhS?X;Q*62tlDcAHjV;=0g&%>e>qykA zt;RZMCF>Eu8q1!qx4)=&AtWrKNZmiurFkB<77xsgxOW?=5_VJHAeN#O)Rq$sJM)#% zzf1FhF9G2#(c;$Xxoc<6UOHFpC=TERWro8z+&wqXyGUKsxuIvI{{5NHkX`JN&8^t} zv;dvx4ZvpuazA~*u*#7b4kxr!srlb6wr$mk>IZ3WHSxX(P_d{#UBcJ)!elGyJ@!sA zG49n;;#mR3ZjI8-BcS0&8L_J=0HH`GZgHs{ICPR>bm7O_=653T=L7`KNdOFy?eA%_ zJW1-$IYJ=dXb7;tQ6T8zRY6JYUQ=1jww?nFkdZ z_sdiE0%>@wy6^hVQPagAK0&ox9+@1?Mb=fs54-vgW&xhB?TNP^M}B*|;D@u8arY`w zi@g(nhT6{$k~;eE$Ssek$-1@AHPOon6acvsa4?K@!J>I9dz z*zkOC+}fW>u2ov+|B*mFBYhd5mxKbf)U)-%5{kLsC-eA1?TU|R4^?aTr!Mt0a%~#> zpxVY2Kj;LHof|+Wdz!yq*4@p8efsP$mLpUyIph%!ig*@{QrQTMs0TND{6cE8}nV_+rc3qoa50`7d6Fqy}r=f0(0(=U(67PyR1EPrH`KF%8U zTB*#Uwjed3RkpP3NymGBo;$uSC0gl?B!{j8MX~RARCq}vkq(vCCLCJ%t*tse@pgR6 z=1cC}u*xUaWe&MK)e9TX(+B$+jzU@`=59s`JyTx1tf|pmu3QP%-eA~o9MXHk>9u!u*A(`=_Oy#a-YV?%R6Y3eB6;uXqC;d7I0v~BCF_HS zGuDL&%1&x?SIlBTRl9dAfhofB-l{jD60=@U-bF%6gC+~|66JPU_bA`VTBf14lR=%i z;9)v(9jRdkt(Ilo{L=QE4^-(oTCs3bKbL&(F4*piko4Gga`m;4OXu#(#qmGaya|S0 z8kZ9URk!?d0ve@ZR0s6WEPalSx9n{g@A-Jh@=U*w2Hg$bnoh1gE}0v5s(z*syve0) z=pH;HTDy+d#>5=2n+crQu58!CJR=qu!RqLcp8>XkwUB~OHgBsZ+UezK=xh}qP zP*Ble2J8#O^kSmTQs9tHJx#cNJEAnDfGAxU58iwyN$LN5Z+ExI(KxigfV)I__N5YD z)B8rs;BWqOPdhap+ukfCou8PH)T*C8Qo2BG#-H`y8ZNVIv2{Olhe)uLJia|*{gB~2 zLrm+M8Dn{(Ft9y#iW02I8~%nt_Hf5uWK7k2r`vX?O#(N``QB{{R13rc1XcWo|2_1; zt>s!iSY6@xigbLnx5`^J1wnbf6656oh-vT5{MwMEAyn>6rrwrLRj%CL(|OzG z88<2A<4h>hBUW0|G;efisI~fS_Qoj~)`_2-Gd~eTtlsA33ZAp+z?+2ZiEkb&^6fXJ zJu39ydwX)PdQuj?CVO^5_wc-OP?z%HVV81%pX=YTyeC1#OD=QQfwwfCArHmT8f-lB zJ-d}acB~J+B9YJQ+R~&!19+>ksWhCH!X{Ee(oi?x5kUQ{p3Po3sm73ea13L7w&ED; ziF!$QoA`9 ztE4Z9kho1du}pj3V?)Oxc8au%F&0L&a=;f@qOJfZGNG)1FOWE7s_3-uE@9(m{&Xo; zNd#zoppBw3so8WrqWsf*7`f)G(C~L%eqcQk+ETXKqN{JT0G8-E@E|Ff4>-Wh@G4p{ z!I1fFimxBO2;Y(Fb28%)FM#=A?-7RxS+sW*5fj#n*HK{gg{?)Wv6YcAl%uNZ-LG-B z3Ow?vOH-uq`1NzxshO}jJ+GD+gsz;@t-%FleDL%_AwrF0H*@qPMV1E)qdpK{TRBtG zh1RB_(}HC1YQ$l1R^^Q*x4ri~)-L3h(5)U)rtko+5`_v8@&2B#v7kJW*>P$O{Pu;c z){m=n?OW@--|lR^iH2X9O;{t9Vj5s?TZv@fhOvlq3%R7juTJinP_Mk;1EpbV&Pah6 z{WkC-ngVj`w#{M_?*+65sqzOa1qDmky*n6Stv^VtTVF zExdjif$V>|hSN9q{2{OgkMCqVzA!0E9nkF;kK`<5Zu5UhGZ_<)!kzHsICe$#jw4Xx z38{^FUJf6lCOT>6%9;fO%!VHr%kMmVcL4V=pl|^;-Xu}$Vp(4(rZNs^?zZp?=0C_E zrQo#%)sM?)H?Z0H+9Vwt)bi_I*lxQOe|2OIs|bgHq|Lpxsu`v$(PDXqvlU+?Un`UX zjRV9lx)ms-@2E{p1F&aep&LS5BsWm&-Kjtd3+$0P!)HCji@_7cwT6P|7ZD1*Tg@*O zHYKHW(kIE+T0V-gcx=flJn^b(k));eVI8bv!5H)E!fe07mihX<$>f*3@U500)+6_=t))2!wiug_@KxnHEr?dU;*0Jik7U@dby2pL$saMAcgL8I<*DJF*u+T$d93kU1Kpl8j0^Y_@gD|R+50h&k*uyr` z*05d3WcSnE&K|Bcu>bLUKM1iz#zK?RsZfP$&2zrz4PPMJNJ)b#dshtt0m{diAY_Y| zrOpv>*LWgv{vD@xT}eR5op9l0n8fdUD?#nR9UqN=(hu`CU7H2|mmequznCS*FgRkb zl{I1d0#~k^oTP6TAUo2ISIa{|Vw=?owVhgXiijUui_Ns-QEEV3OIvzpO)G4@4>%=) z9^JANFR7L&{cWrE%lYmW+NeyLxSRp>VFhtTnPB{B9bFufPNWCYos&EY%DpF~Z*>F<$q zkY&Xc0H#e&)Ggrg%E-c=?cgr)(*z{V`V6Zi96IG4P9I`}L%%QEPM!{7?MNqMfA%85TCM|%^6z740W<3)*RkG%VzMzW^WIb5s=2P! zCZG09nQL#d?$Gln9$9qMc~oiR5)p^|wjF#d$|??bP21c@v?{PYN1rm&Z$ zn(dX$mbuqiHJpdT?cV3md-(@iF3Qyh-z?K_M@i6EvX*Nyc7*XxXBTH3N`qu4juGcP zAjID`FGq-Ds%PUk5FiNY#som|ZD*o+a!!2Rp|Wlx;OTQ;AY_k?acV>5jKRY5U-rzp zwSCrQMEqrhPqM7Z@Y`GyD-Zzgahm#B0zZ$`l0POW5JQP$(o|oxz~Q?BCKwk>qQU#A z3r{MlNJmaQjy!bfq(rv=?&?a$^65=^Zt8{~Jv#^Z^VH3fn!b z;s}?`6JSU6_M1cvjJTm>ADu8kC%nRW0a1!O^+F6uVY7X@KPMKl$)ng3V!r-8AN%@U z!>?k`RZCpcv5LRJ$B@XI%6IJxZC1PoPcR%>Zv9T=vTztA(z)$HZ{OYgo%m((rsorM zfubQrk<#TJ>J4|28vK@Hst3BSP*=&Fy76LU<`zbSC@ls3ezD})AJxC=KHTz*Z1I)U zTupm8L3?q0xQL<|S^yb?_hr_Gqe{O=4RRtrSQ4qb`PBCB&Lw@kfuwmjW8U-_BrbAj zA=^A}vz9P@re6Py4Cq#xMnD6=fB4w?Ch&Il!@6-v+4XWvpYH>~&5{-a{y8Fk|kS^0eS*-`vZ4`B<5S%@euG;q>L8z8vZ;{ z>DzhEu)4e3l?uy7#0Fv~rc`S|m-pCMQb6DQ)p4cmAn?b&iQa8Q?JiXFegR%1IC(F7 zVmn)g%EtdvgYCFM$N;i!;%pw>{6XJDDwIxMqmxSR7B#i0 zorkHCqwSIiQ<)jU;mr!?u8VVew!Px|W%V)rz!lqg6u{hVGatP$Alq#gEU@0wartHM zQeM~au_AG7?l&%}G_?arI=UC!l)Q&kkp#J2=tF>FW*dcacX>CjF<`VG(Hb(kpSOWc zHU$r7JH_|5pjA@}$IcvDDKHKpzR}=Ik~=@&#>@r6miN{%M8;Gmo*F){MR`e1nYRo; zyd_n-kRXf>%yPpH+TE{q#NqP`0SQ{rloE2Buoo(;a6}+T_f_a{`yP27%rHH!`CGDr zRUmu+si|K5v0i-bYU1PYD~GoqrvKWRh96VsV{P-YaZdc8kz5@5x;xh^cKNsa#ox&S z*tDMDrcR+#;}4oFyIBI`sV2+6wr7tA9G+=nKW<(>!|z{Ev%B_%_r=F{oK=FPR6lN_ zA5^03?=h|H0q`I14)*!3gzGd3nYC>7B-U1I0({^f%ePQ{Y0ox!!cs%y@!|QKx`UV49-4uk9Njp``TVPHWwO;IX9b} zSr?<<;f&Y2&iO#I#G^_hDN@GwcV2HsO`O^XO@MrIAdcNlk<( z$ro}mux&;giMRP6axl0Ug?P@FKu}1BPqKj*sx*E8h|~E{~r&%S{gSUC4Lbv8)sk{v@ zL%U$sN>y3kny#o6s`J{Ay{XEfPKl4;50GOAUaX5PDjQfHStfp24h%i$>`K1332c0- ziZQ;9Jjmj44>L-7U8Voz{EOq=%)LnTY!+3wF|%(xAH0QB;u0n;Z1l!ZU3hJD<9TcM zG5*I?1#qNmNXhBFLx~f5;~m?N&y*}Ie{f1vLO!e;MOJ*Dy9Rnm*_=Xs;CoP~@}x45 zH!`Y4`mPLUO(SvQLF~no+uKu0Z}zU*DYNTzkO zhrF|q0VN-IE52`BNC#py-W%xoZX)Z0y9Vg%#a$+um`oOk1?*9ZM;=G^+n ztmw90Z-ZYHIa!ho$Id>}s9saL5l!VEFXSUL7M&)KMOxc%wd~n(YA<`b!)c=&{=?Y! zE3|a#y>Y~r$mJMtNAl8j_eUmhp}>uIjN}FZR>|$U@qAC3CKm4jj z_kfCD#n1KAbqZH~yFJoY26dCiPA@*!a}-l?$WNNgm4NxE-R!%#VO~fXT(*QccrWh| z*fx6$Cm7g~38jyIrE`-?IJMxHNh6%FAk;ufl5%w%`siK3-G{Fa-QqayQuJ7~Er#5d zAp+`_lKK?5s`X5XW}mJQwv)kcA48)ivq73#_2qO%ks3dGks*DMzCvFTB(WUhGn;RTmj-Rigt>O zhRlDmcHgaAshM|*r7Cxqr64oVkO^nvIxPdQxp_}#I{Z^aU+txm_xQT+fZph+3b1x`+V_6>NDG|!EE%$leClu~FR^?elg+UC~L$OZW8zx5T?=T7T z*C2SFnLwsp%}*QFnXd25Q_n1O@5&~7LU8?$W{7ndFW2o_-oY0bS%pn-c3ZL5L(LOG zkiseid?yc1+?x^K+^Vc*lB&PFu$uL=Fqn zz7!ts&cWK|$*Zg{4I0uLEC(~UEJwkj7sX+ylifSmH|73qrx;oEB7?I&OTL88gfa)M zilILivHXWx&}Oh1kc$MU2Ut69#`TN$k?<2ovo+W4R-P=kqWzS(9|^$VyAf`1Qne5* z-Qg_t0k0#?o4+73DHy+)$lYZ8^1j}BeiC_nvDdKvM&7`UJng+ZK@Kz|(R2-Q|LOK+ zN%qF=dcWa7pc4T&2r(TlpP7x4|`{zn6!@E0k~ z89nH4Esr+P66@HDO%L1iuh*D6sT6yp|5hX-Fv}ia9pQS`erdQb+tIxCT{H5P7{;DU>L+fwQJLlxw55;CZf1sJ zG>L1#-d$uyJ(ycm{c9*v;^DmdG3!Wmhe7Ru>{^MO(48NEW2rr`p6}ECmGiz1`IhjZ zKc%S`3+QGn56S13KVLI*!$vttrZ_$R@CN~+E>6-I4a;L!jTZ@jc@h~fB9iQR_H`0E za72>pGq^A`s3X2P))v|xs}xOOY>8bLU%)n_o1Jp#RzXLJ9iztv2nnc?c+;^w7*%?{ zlWy<7*E#S(D?Y>QRMoxJ=G#wtV6HwqAPW;oP2pJnt@jk6#!S}NgiNuK%z<)knC}{& z3)WOaE8qC+j&wvkB4Cj6V4&OZCB5MLNC?Tnv1ekW6Dzd=F0mL~i1Qs9j8Tyoktjty z90%jDP05Zx`}dEA9rd6;6|z&1bvpu{Q!+5Jq|DxkZc%w2+4zZXvbP}3`q4vNt_yOr z$Y~St``l{9lY0z+?p-mH4FAjlSqV?Zz0v0pXN8U|f0JI)j3qyRViYSF&KzM9fS^do z2DYvcw&#%(f-Kd7MBhQHLBY2&dsaTZmkG=!PD^$F#!uZ9dk&~>z-?=a*abk3|IEVG z9`mOkV4Y;pX@S>1KUn(R#dU_FGAq}#esS`2$7}myaq;lIC~k&e4O@<2;L1C`#eo99 zX+GDrx1CB(QqHf_6g&H51{heSB3QN~(LoCwxX?BwdsI}fz92+v>1BVpVvzODXqJeZ zuu^EWvM-+x_83>;A;zak_JV|4M19Ry?5a&4IP|DG5lX?Q7KieoXB(9&3hL7%ZF&yi z6RyFjs)x_}#i-rDhd4l2o;rmrZ9U73Oja93j`ZCm4r`_<&hZ&&({e4S*!M`36F#Sq zLVf^y8p!knf%RU){(pG_SI${3M()yM1jL;)EY~w$nX^-XRREMW`VGiGKa(T47%>1}V$@-KR>P zYvJrB7moeM@o$nsc+j&hnI(*u(zuA~_~9Elu#_vEgpXFc<8Zp@JrzSfK|z zs3G(ebkSWNX3s|()O77!%&O&kBaM}!P%Ve@|GZ3o@<(8M+WEs>l zFQq^$8@!dy)|Bxuye_4y3(@1#IOB{YwBmi?15Rzpe@F|}%YrJPAotJGVc|}p zGXJ+v)m(aLOae!@i397udl3>=vG|7^oGyeKG+a(12B$^#Bv=5uDZ&-50kSU-2kqHX zfHq)hEpXGghS@btQ1Qjk2&J@mb#L9qd+sk4j$*1cXOmIkzQVE-#4Ic|JvekE zSc3IL0T+Th0q3$RIii_IaBZ||R+vAe(PFkMuymqH`CAxRChr%Et_NM(S8l}Gg-jQi z(@3~jaTI1(NzHU;rBG=mHMKR)NpS?(D2{`g20zfRCn* zJedE}M>Bn8Z+v5kRc#F$T!cJOY6JI)cw)j4uC6-??5iQV)h<<#fh&Cr%qg*3OANR7 z$8{GartN$D!B+)TLbVp|^=Mg|)=D_<;UCLAjXCl^|8V4SKGsRysra9d0{=t@_$r}d ztV)+ab)Uk6LPSS-!wy#-N&z3Y`33T;*vSEpmu93$fc*2h&XE|c9BMCuRnN~uWZtn% zbqJwlxoi5-QlXm7E^t^ChhyNqk#^mIF45_M+D>9ht+?{egSrf(~kw~c-D(QXfpM_)7jwM z>H1ThoYj1rA8hp&-Q_mNRLkkGBJ`N5`kYB61?L2(UMm(HQOo5A?Im8mAIi_k;t^VE z%@POzTSj@LMeq=alV2OPC$? zxT-Jcv2uQbo4jJXhj@6CTM0;MbRvY5+aRgx+rv?d&W9d`MOo4c5yS$-FoYrtu0{9q zFCJd(zP_Yr-z6P}A456d-c$7Aw0_THe#Sf@`O&{JoPA~lsLEg8|DSR>_kjH(=;iOP zP7Cc5oe0$SC}$W)&Lbc5NaBu49h)S(hMEDVr7TwY0=v$Z0cYqz_LFO69S?h&-#Ti(;)eyZcl`3?){X9! zXFXDc4l8G3V~mkzv*F>@x!RJ3YknV9Uj9b2*E9R_?gPE}VfM|{A>lR^U&&d!L8$At z)4*|ID~7N-IXa_W@dKaxVLz(-^&P1p7@S`3J*F*p!EM|_ljDdmZ&O?TvTpsAl6dKZ z8n<{8vvm`dLDj7B@~b73N^5UkuL3)5njn4vmP#nH;V?%GeVcQ zB`4h+OkvNeuFU#UGjKdvf=nI1t{pU3VwGh({ja>vKN|`&GX|vaJ|0NtzFks6|MVGu z=?sk-6;~R?LCC?L8dTCKmos0=ta(#v%6b%c^UF8c%ATBxJXJU1PH4mj4-~vSx85an z(5`~_QBsS%4R`HWVdl5a5bi27<%0yqP8>Q%YbiFnX5a-vUmnnn*-Qj4L1NCX{G_5_ zyzTX8mMLSm6*sdSmtKPsxY~8gJZ)QjHv`oi*(H~x{}?(DA+l;%)GM;EY5x#5cUiHo zQbEg^n?kZ)bQfQuIGh|`zrn$ZR5&(`l3Kt@FU+PJB!;?T1-@ys22ja_EXq>LkqlF& z1q_}^3*q>`Y~ycg@s}t738c#dEeazc{O!MT2Bw-c7D=CTU~hEgE(KyzDZ5C#`Lu;e zka%|rJ4DTJfpfJeK8@oY+0d{*K2`f&HafQ;k}*($3I1)3&nvM2;sX=Jg`!YGj?uyc zXjKUQo%Oc+NIL(Hg=u{^)(inbGn<_!3y4ltVWpw*%2#Sm! zpB=^&)IagQD9T*2=e-_r8s2?|*?l2B|I)B8|M_PL{Pd@W%&?W0;Pm0Z-z8={z|1=( zh0#zDP=As}hk6fwtWEmt+k6mnD4cczW56n@vOBk^{>s6rF|zrf(=QUgqSoGKjwGlY z#Wo`@c9zn6zguqVF7dhm4)qe|z5Hj{Jn|7MJDb_#Ie29i`s}MOKbq&w7niMzN+%d| zB>(pVL$_4b{no;xYCMT|JP4YvB_?%7K<9Wb$;CR&+0!oCcCEa^&IsjCF?Kr3PtpsY z#NH6fo@&jD5&BqAj}Va>m+1S1nQx3uj*E6`o@-b{aA%tZ0jaNOLh|H1emCh! zRX6w!eb?Y8J)vHBvaKF+}Ac_;wHOG}GE5ezzi>X^14k(YWRMkt2CeO=od zpQDvUA#b7w<(^jS0jY6y?fqeoe~PDnw~fCdt+FmNjSg47yibkJl`|cN#~y=DP{fI? zj~)D4p;A#Pm3H-O)>f0%#Yttw6TsTni=~VTu_Br63_VSI$j+%ZmYcP*_63oXIC